My family and I spent Christmas (2016) and New Year (2017) in the Philippines. I was expecting a cool climate (at least in the morning) but it was generally hot during our stay. Most of the time we're in BGC Taguig hanging out with friends and relatives. I always look forward to authentic Filipino food whenever I go back home. We also had a quirky but memorable dinner at Cafe Juanita in Kapitolyo Pasig. I'm done with CTWS exam last year and now preparing for my CWNA which would probably my first IT cert for 2017. I'm still deciding whether to get CWSP this year or take it when my CWNA is about to expire. Taking CWSP will renew and extend my CWNA for another three years.
Autonomous WLAN Architecture
For many years, the conventional access point was a standalone WLAN portal device where all three planes of operation existed and operated on the edge of the network architecture. These APs are often referred to as fat APs, or standalone APs. However, the most common industry term for the traditional access point is autonomous AP.
All configuration settings exist in the autonomous access point itself, and therefore, the management plane resides individually in each autonomous AP. All encryption and decryption mechanisms and MAC layer mechanisms also operate within the autonomous AP. The distribution system service (DSS) and integration service (IS) that you learned about in Chapter 7 both function within an autonomous AP. The data plane also resides in each autonomous AP because all user traffic is forwarded locally by each individual access point. As shown in Figure 10.13, legacy autonomous APs have little shared control plane mechanisms.
An autonomous access point contains at least two physical interfaces: usually a radio frequency (RF) radio card and a 10/100/1000 Ethernet port. The majority of the time, these physical interfaces are bridged together by a virtual interface known as a bridged virtual interface (BVI). The BVI is assigned an IP address that is shared by two or more physical interfaces. Access points operate as layer 2 devices; however, they still need a layer 3 address for connectivity to an IP network. The BVI is the management interface of an AP.
An autonomous access point typically encompasses both the 802.11 protocol stack and the 802.3 protocol stack. These APs might have some of the following features:
* Multiple management interfaces, such as command line, web GUI, and SNMP
* WEP, WPA, and WPA2 security capabilities
* WMM quality-of-service capabilities
* Fixed or detachable antennas
* Filtering options, such as MAC and protocol
* Connectivity modes, such as root, repeater, bridge, and scanner
* Removable radio cards
* Multiple radio card and dual-frequency capability: 2.4 GHz and 5 GHz
* Adjustable or automated transmit power and channel setting
* 802.1Q VLAN support
* IEEE standards support
* 802.3af or 802.3at POE support
Autonomous APs might have some of the following advanced features:
* Built-in RADIUS and user databases
* VPN client and/or server support
* DHCP server
* Captive web portals
Autonomous APs are deployed at the access layer and typically are powered by a PoE-capable access layer switch. The integration service within an autonomous AP translates the 802.11 traffic into 802.3 traffic. The autonompus AP was the foundation that WLAN architects deployed for many years. However, most enterprise deployments of autonomous APs were replaced by a centralized architecture utilizing a WLAN controller
I was asked to create a MAC filter on an autonomous AP and only allow a single wireless MAC address of a VIP client. You first create a MAC address access list, which is in the 700-799 number range and bind it on the radio interface using the dot11 association mac-list command.
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [CORPORATE] :
MAC Address IP address Device Name Parent State
0026.5a0e.3123 10.100.146.129 ccx-client - self Assoc // JUST ALLOW THIS
10a5.d0e0.7456 10.100.146.133 ccx-client - self Assoc
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
ap(config)#access-list 701 ?
deny Specify packets to reject
permit Specify packets to forward
ap(config)#access-list 701 permit ?
H.H.H 48-bit hardware address
ap(config)#access-list 701 permit 0026.5a0e.3123 ?
H.H.H 48-bit hardware address mask
<cr>
ap(config)#access-list 701 permit 0026.5a0e.3123 0000.0000.0000
ap(config)#
ap(config)#dot11 association ?
mac-list filter client with a MAC address access list
ap(config)#dot11 association mac-list ?
<700-799> Ethernet address access list
ap(config)#dot11 association mac-list 701 // APPLY TO RADIO INTERFACE
ap(config)#
*Oct 28 09:49:01.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 10a5.d0e0.7456
*Oct 28 09:49:01.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station d025.988f.7789
*Oct 28 09:49:01.374: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 28 09:49:01.403: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 28 09:49:01.414: %DOT11-4-MAXRETRIES: Packet to client 10a5.d0e0.7456 reached max retries, removing the client
*Oct 28 10:12:04.141: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0026.5a0e.3123 Associated KEY_MGMT[NONE]
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [CORPORATE] :
MAC Address IP address Device Name Parent State
0026.5a0e.3123 10.100.146.129 ccx-client - self Assoc
To setup MAC filter in the Autonomous AP web GUI, go to Security > Advance Security > Association Access List > Define Filter. Type the Filter Index (starts in ACL number 700 and ends 799) > type the MAC address in dotted hexadecimal format (HHHH.HHHH.HHHH) > under Action choose either Forward or Block > Add > Apply.
Autonomous WLAN Architecture
For many years, the conventional access point was a standalone WLAN portal device where all three planes of operation existed and operated on the edge of the network architecture. These APs are often referred to as fat APs, or standalone APs. However, the most common industry term for the traditional access point is autonomous AP.
All configuration settings exist in the autonomous access point itself, and therefore, the management plane resides individually in each autonomous AP. All encryption and decryption mechanisms and MAC layer mechanisms also operate within the autonomous AP. The distribution system service (DSS) and integration service (IS) that you learned about in Chapter 7 both function within an autonomous AP. The data plane also resides in each autonomous AP because all user traffic is forwarded locally by each individual access point. As shown in Figure 10.13, legacy autonomous APs have little shared control plane mechanisms.
An autonomous access point contains at least two physical interfaces: usually a radio frequency (RF) radio card and a 10/100/1000 Ethernet port. The majority of the time, these physical interfaces are bridged together by a virtual interface known as a bridged virtual interface (BVI). The BVI is assigned an IP address that is shared by two or more physical interfaces. Access points operate as layer 2 devices; however, they still need a layer 3 address for connectivity to an IP network. The BVI is the management interface of an AP.
An autonomous access point typically encompasses both the 802.11 protocol stack and the 802.3 protocol stack. These APs might have some of the following features:
* Multiple management interfaces, such as command line, web GUI, and SNMP
* WEP, WPA, and WPA2 security capabilities
* WMM quality-of-service capabilities
* Fixed or detachable antennas
* Filtering options, such as MAC and protocol
* Connectivity modes, such as root, repeater, bridge, and scanner
* Removable radio cards
* Multiple radio card and dual-frequency capability: 2.4 GHz and 5 GHz
* Adjustable or automated transmit power and channel setting
* 802.1Q VLAN support
* IEEE standards support
* 802.3af or 802.3at POE support
Autonomous APs might have some of the following advanced features:
* Built-in RADIUS and user databases
* VPN client and/or server support
* DHCP server
* Captive web portals
Autonomous APs are deployed at the access layer and typically are powered by a PoE-capable access layer switch. The integration service within an autonomous AP translates the 802.11 traffic into 802.3 traffic. The autonompus AP was the foundation that WLAN architects deployed for many years. However, most enterprise deployments of autonomous APs were replaced by a centralized architecture utilizing a WLAN controller
I was asked to create a MAC filter on an autonomous AP and only allow a single wireless MAC address of a VIP client. You first create a MAC address access list, which is in the 700-799 number range and bind it on the radio interface using the dot11 association mac-list command.
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [CORPORATE] :
MAC Address IP address Device Name Parent State
0026.5a0e.3123 10.100.146.129 ccx-client - self Assoc // JUST ALLOW THIS
10a5.d0e0.7456 10.100.146.133 ccx-client - self Assoc
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
ap(config)#access-list 701 ?
deny Specify packets to reject
permit Specify packets to forward
ap(config)#access-list 701 permit ?
H.H.H 48-bit hardware address
ap(config)#access-list 701 permit 0026.5a0e.3123 ?
H.H.H 48-bit hardware address mask
<cr>
ap(config)#access-list 701 permit 0026.5a0e.3123 0000.0000.0000
ap(config)#
ap(config)#dot11 association ?
mac-list filter client with a MAC address access list
ap(config)#dot11 association mac-list ?
<700-799> Ethernet address access list
ap(config)#dot11 association mac-list 701 // APPLY TO RADIO INTERFACE
ap(config)#
*Oct 28 09:49:01.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 10a5.d0e0.7456
*Oct 28 09:49:01.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station d025.988f.7789
*Oct 28 09:49:01.374: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 28 09:49:01.403: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 28 09:49:01.414: %DOT11-4-MAXRETRIES: Packet to client 10a5.d0e0.7456 reached max retries, removing the client
*Oct 28 10:12:04.141: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0026.5a0e.3123 Associated KEY_MGMT[NONE]
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [CORPORATE] :
MAC Address IP address Device Name Parent State
0026.5a0e.3123 10.100.146.129 ccx-client - self Assoc
To setup MAC filter in the Autonomous AP web GUI, go to Security > Advance Security > Association Access List > Define Filter. Type the Filter Index (starts in ACL number 700 and ends 799) > type the MAC address in dotted hexadecimal format (HHHH.HHHH.HHHH) > under Action choose either Forward or Block > Add > Apply.
No comments:
Post a Comment