Chapter 29 - Building a Wireless LAN Flashcards

1
Q

True or False. A VLAN is mapped to a WLAN.

A

True. A Dynamic Interface needs to be created for each WLAN.

2
Q

True or False. You can only access an AP's management interface via Telnet or SSH.

A

False. You can also use HTTP and HTTPS. For LAPs you need to access the connected WLC's interface to manage it.

3
Q

What are the different types of physical ports on a WLC?

A
  • Service Port - Used for out-of-band management, system recovery, and initial boot functions. Always has to connect to a switch port that is in access mode. Also best practice to connect to an access port that is part of the management VLAN.
  • Distribution System Port - Used to connect the WLC to a DS for all AP data traffic. Normally connects to a switch port that is in trunk mode. All of these ports can be configured together as a single LAG (Link Aggregation Group) which allows for failover and load balancing.
  • Console Port - Used for out-of-band management, system recovery, and initial boot functions. Terminal emulator must be configured as 9600 baud rate, 8 data bits, 1 stop bit, in order to access. Can be RJ45 and/or USB
  • Redundancy port - Used to connect to a peer controller for high availability operation (failover).
4
Q

True or False. WLC LAGs support standard EtherChannel protocols (e.g. LACP, PAGP).

A

False. The switch they connect to must have its EtherChannel mode set to ‘on’.

5
Q

What are the different types of interfaces/logical interfaces in a WLC?

A
  • Management Interface - IP used for in-band management traffic such as RADIUS authentication (to log in to the WLC), WLC to WLC communication, HTTP, HTTPS, and SSH sessions, SNMP, NTP, syslog, etc. Also used to terminate the CAPWAP tunnels between the controller and its APs. (CAPWAP type management and logging into the WLC to configure type management).
  • Redundancy Management Interface - The management IP of a redundant WLC that is part of a high availability pair of controllers. The active WLC uses the management interface address while the standby WLC uses the redundancy management address.
  • Virtual Interface - IP address facing wireless clients. Used when a client requests an IP and the WLC needs to provide an address from the correct pool as if it were the server (DHCP Relay), performing client web authentication, and supporting client mobility. The virtual interface IP address is only used for communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out through the distribution ports and on to the local network. A commonly used address is 10.1.1.1 as it is not supposed to be routable and is also private. All WLCs in a single mobility group should use the same IP address for this interface.
  • Service Port Interface - Bound to the service port and used for out-of-band management. Only port available when the WLC is booting.
  • Dynamic Interface - Used to connect a VLAN to a WLAN. For every WLAN created you must also create a Dynamic Interface. These must be part of different subnets.
6
Q

What is a Mobility Group?

A
  • A group of WLCs that define a seamless roaming area for clients, exchange information about said clients, and forward this information when roaming occurs between APs served by different WLCs. They also share information about their connected APs so that each controller does not treat other controllers' APs as rogue.
  • WLCs in the same mobility group should be configured with the same Virtual Interface IP.
7
Q

How many WLANs can a Cisco WLC support?

A

512; however, only 16 can be active at a time.

8
Q

How often are WLAN beacons sent?

A

10 times per second

9
Q

What do APs use to broadcast the existence of a WLAN?

A

Beacons

10
Q

List downsides of having too many WLANs active at a time

A
  • The more WLANs there are, the more management beacons are sent and the less airtime there is for actual traffic to be sent by wireless clients.
11
Q

True or False. EAP-based wireless security systems require RADIUS/TACACS+.

A

True.

12
Q

When setting up a RADIUS server in a Cisco WLC, what are the two types of users that can be authenticated?

A
  • Network Users - Wireless Clients
  • Management - Administrators that will be configuring the WLC
13
Q

What are the security types available when configuring a WLAN on a Cisco WLC?

A
  • None - Open Authentication
  • WPA + WPA2 - Wi-Fi Protected Access, WPA or WPA2
  • 802.1x - EAP authentication with dynamic WEP
  • Static WEP - WEP key security
  • Static WEP + 802.1x - EAP authentication or static WEP
  • CKIP - Cisco Key Integrity Protocol
  • None + EAP Passthrough - Open Authentication with remote EAP authentication
14
Q

What are the different options for QoS when setting up a WLAN in a Cisco WLC?

A
  • Platinum - Favor Voice
  • Gold - Favor Video
  • Silver - Best Effort (default when creating a WLAN)
  • Bronze - Background
15
Q

What does the Enable Session Timeout setting do in the Advanced section of a Cisco WLC?

A
  • Configures the length of time that a client’s session will last for before it is required to reauthenticate.
  • Default is 1800 seconds (30 mins)
  • Can be completely disabled
16
Q

What are Wireless Exclusion Policies and what behaviour do they look out for?

A
  • Policies configured on a WLAN that (by default) block clients for 60 seconds as a deterrent to any malicious activity
  • They look out for:
    - Excessive 802.11 association failures
    - Wireless 802.11 authentication failures
    - 802.1x authentication failures
    - Web authentication failures
    - IP address theft or reuse
17
Q

True or False. By default, management access is allowed from WLANs.

A

False. The only way to gain management access is via the wired interfaces. This can be changed by going to the Management tab of the WLC and enabling ‘Enable Controller Management to be accessible from Wireless Clients’.

18
Q

What is DHCP option 43 used for?

A
  • Option 43 can be used to provide vendor specific information to DHCP clients.
  • In a wireless setup, it can be used to tell the APs what IP address their WLC is at. This is useful if the APs are in a different subnet to the WLC.
19
Q

True or False. It is good practice to set the switchports that connect to the APs as access for the management VLAN.

A

True.

20
Q

When logged into the terminal of a WLC, what does autoinstall do?

A

Allows you to automatically download the config of a WLC from a TFTP server.

21
Q

When logged into the terminal of a WLC, what is the Virtual Gateway IP Address?

A

The address used when the WLC communicates directly with wireless clients (e.g. when relaying DHCP requests)

22
Q

When logged into the terminal of a WLC, what is the Multicast IP address?

A

The address used when forwarding traffic to all APs.

23
Q

True or False. When configuring a WLC via the terminal, the regulatory domain must match that of the APs connecting to it.

A

True. This can be found in the model name of the AP. It will be formatted as XXX-XXXXXXXX-<regulatorydomain>-XX.

If the regulatory domain says ‘E’ this means Europe. You can configure it in the WLC as any European country.

24
Q

In the context of a WLC, what is the difference between an interface and a port?

A

An interface is logical, whereas a port is physical.

25
Q

In WLC configuration, what needs to be configured in order to allow a WLAN to work with a physical VLAN?

A
  • An Interface under the Controller > Interfaces menu with the relevant IP information
  • A WLAN under the WLANs menu linked to the relevant interface
26
Q

In WLC configuration, what does Web Policy under WLANs > Security > Layer 3 do?

A
  • Means that even if the user is allowed to authenticate and associate with an AP, they will also receive a web based authentication request. These can be set as:
  • Authentication - When a client attempts to access a web page, they will need to enter a username and password.
  • Passthrough - When a client attempts to access a web page, they don’t need to enter a username and password, however, a warning is displayed and the user just has to accept in order to gain access.
  • Conditional Web Redirect or Splash Page Web Redirect - Require 802.1x authentication.
27
Q

True or False. If you create a WLC ACL, this is enabled by default.

A

False. Once the ACL is created under Access Control Lists, you need to go to Access Control Lists > CPU Access Control Lists, enable ‘Enable CPU ACL’, and select the ACL you want to take effect. These only affect access to the WLC for management purposes.

28
Q

In WLC configuration, what are the different types of WLAN you can setup when first creating a WLAN?

A
  • Normal - A WLAN which people who work for your company will connect to.
  • Guest - A WLAN which guests in your company will connect to.
  • Remote - A WLAN for wired ports on the WLC. Wired clients can also be authenticated by the WLC.
29
Q

List 802.11 Management frames

A
  • Beacons
  • Probe request and response
  • Association request and response
  • Authentication request and response
  • Deauth
  • Reassociation request and response
  • Announcement traffic
30
Q

What interface is available while a WLC is booting?

A

Service port interface