Monday, February 28, 2011

Planning For Wireless Network

If you're planning to deploy wireless access points in a networking project then I congratulate you, but you still have lots of work to do before you get to configuring the access points.

There are lots of things to consider in a networking project: the location of the access points, the channels to use, whether there is radio interference at the locations, etc.

You need to do a wireless site survey in a network project; see, they even created their own science for this work.

Talking about wireless site surveys could take its own blogs, books, tools and even a specialized certification if you want to do it properly and professionally.
The tools, software and hardware alike, don't come cheap, I'm telling you.

There is software that can do a wireless site survey; it can visually show you the range of the access points installed on the site. A few that I've seen at work before are from ekahau and visiwave.

At the top of this post is a sample report from visiwave, and the picture on the left here is from ekahau.

These pictures show you the range of the wireless access points on site, kind of like a heat map. With these you can determine the best placement for the access points so that they reach all clients.

From my experience not all of this software works with every wireless card, so before purchasing check whether it supports your wireless card or not.

There is also hardware that can help you do the site survey, and it can also scan for radio interference such as that coming from microwave ovens, cordless phones, etc.
You should check out the yellowjacket from bvssystem, these things are cool.

The people at bvssystem integrate an HP iPaq PDA with their yellowjacket to be used as a wireless site survey tool.
This one comes in the form of a Tablet PC for spectrum analysis:

Both the software and the hardware can provide you with detailed reports of the wireless site survey results.

Now, that's when you're working on a network project; if you want to deploy wireless access points in your home or SOHO, you don't need to go to all that trouble.

In the next post I want to talk about the things to consider if you want to install wireless access points in your home or SOHO.

Get To Know Cisco Aironet Wireless Access Point


Ah, I just love these things, the Cisco Aironet Wireless Access Points. On the left you can see the Cisco Aironet 1240AG Access Point, one among the other Cisco Aironet series.

This is the very first Cisco device that I got; I thought that at least I could integrate it with my existing non-Cisco home network.

The 1240AG is not the prettiest access point you can get, but I like the shape anyway. It reminds me of the liquor bottles I used to see in the movies.

Now why would you want to buy a Cisco Aironet? It costs about ten times or more than the average home access points like Linksys or D-Link.

These Aironet things are great. The 1240AG has one Fast Ethernet port and one console port.
It doesn't come with integrated antennas; you have to buy them. You can use 802.11g antennas and/or 802.11a antennas. This gives you flexibility in choosing the antennas; you can even use both if you want to.
Mind you that not all countries allow the use of the 802.11a standard.

The console port, as usual, is used for configuring the Cisco Aironet Access Point through the CLI. You can also use a web browser to configure the Access Point; unlike other Cisco devices' web interfaces, the Aironet web interface offers a rich set of configuration features.
Other Cisco devices' web interfaces are not that good; you'll definitely prefer configuring those devices through the CLI.

Below is an example of the Cisco Aironet web interface:


Unlike other Cisco devices, Cisco Aironet Access Points are by default configured to accept an IP address from a DHCP server, so if you have a DHCP server in your LAN, that's great.
Just plug in a cable to connect the access point to your LAN, and as soon as it receives an IP address you can configure it.

One tip: the Cisco Aironet 1100 series Access Points have a default IP address of 10.0.0.1 that lasts for just 5 minutes.
During those 5 minutes you can configure your computer's NIC with an IP address of 10.0.0.2 or similar, and connect a network cable from your computer's NIC to the Ethernet port of the access point.
Open the web browser, type in the 10.0.0.1 address, and you can do some configuration. Remember this only lasts for 5 minutes; after that the access point will request an IP address from a DHCP server indefinitely.

Now, what other features do the Aironet Access Points have? Many that the average home access points don't.

You can configure the Access Points to act as an Intrusion Detection System (IDS) to protect your network, use them to scan your network for rogue access points that your neighbour uses to steal your bandwidth, and they also offer the powerful 802.1X to authenticate clients.

You can also set your own transmit power and data rates on the wireless radio interfaces.

Configure several SSIDs to segment your network. Each SSID can be mapped to a VLAN. Provide one SSID for your guests, another SSID for your home users, and a special SSID just for administration purposes.
Want another SSID? A special SSID just for handling your VoIP packets, cool.

If you have several Cisco Aironet Access Points at your disposal, set them up so your users can roam all over the place and jump from one access point's area to another without losing their connection.

Have hundreds of Aironet Access Points in a project? You don't need to configure them one by one. Upgrade, or request from Cisco, Aironets with Cisco IOS in Lightweight mode.
With the Lightweight feature and a wireless LAN controller you only need to make one configuration on the wireless LAN controller, and it will push the configuration to all access points in your network.
Saves you a lot of work.

So many features to tell; to try them all out, get your own Cisco Aironet Wireless Access Points now. You won't be sorry if you're a true techie, except that your wallet will be a bit thinner.

The Danger of Broadcast Storm and the Solution

If you've taken the Cisco Academy program or been in the network world for a while, you must have heard about broadcast storms.

A broadcast storm is a state of the network where a broadcast frame in a switched environment is continually flooded through the network.

This mostly happens in a switched environment where you have redundant connections between switches; remember that routers segment or isolate broadcasts between networks.

Redundant connections are important if you want a backup path between switches. If one path fails, the other takes over.
This won't work out with switches that don't have any loop avoidance mechanism.

This is how a broadcast storm can happen. I have two switches connected with redundant links; one switch is connected to a client and the other switch to a server.

Then the client sends a broadcast, say an Address Resolution Protocol (ARP) request to find out where the server is, like this. Pay attention to the red arrow; pretend that the arrow is the broadcast frame sent by the client.


Remember the rule of a switch: a switch forwards a broadcast frame out of all ports except the port it received the frame on.

Switch A receives the frame and forwards it out of the two links it has:


Switch B receives the broadcast frame on two different ports and forwards each copy out of its other ports, including the port where the server is attached.

But it doesn't stop there; the frames are flooded back to Switch A and on to the client.


From now on it's back to picture 2, then 3, and so on; this keeps going forever until you shut down the network.
This condition is also called a switching loop, and it leads to a broadcast storm.
Most likely you'll find a question about this in the CCNA exam.

Luckily Cisco switches have a loop avoidance mechanism called Spanning Tree Protocol, or STP.

What STP does is eliminate loops in the network while still allowing redundant links: the switches in the network send out BPDUs, or Bridge Protocol Data Units.

A BPDU is like a boomerang sent out of all ports of the switch. The BPDUs travel all over the network, and when a switch receives a BPDU it sent itself, the switch knows that a switching loop exists in the network and blocks one of the ports where the loop occurred.
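To see why the flooding never ends, and why blocking a single redundant port is enough to stop it, here is a small Python simulation of the two-switch setup above. It is an added example for this post, not Cisco code and not part of the original article: the topology (client on Switch A, server on Switch B, two links between them) is the one from the pictures, the port numbers are constructed, and the "blocked" set plays the role of the port STP puts into blocking state.

```python
"""Simulate the broadcast storm from this post: a client on Switch A, a server on
Switch B, two redundant links between the switches. Constructed model, not Cisco code."""
from collections import deque

# Topology (constructed): port 1 of each switch is an edge port,
# ports 2 and 3 are the two redundant links between A and B.
PORTS = {"A": (1, 2, 3), "B": (1, 2, 3)}
EDGE = {("A", 1): "client", ("B", 1): "server"}
LINKS = {("A", 2): ("B", 2), ("A", 3): ("B", 3),
         ("B", 2): ("A", 2), ("B", 3): ("A", 3)}


def flood(switch, ingress_port, blocked):
    """The switch rule from the post: forward a broadcast out of every port
    except the one it came in on. A port STP has blocked does not forward."""
    return [(switch, p) for p in PORTS[switch]
            if p != ingress_port and (switch, p) not in blocked]


def simulate(blocked=frozenset(), max_rounds=10):
    """Inject one broadcast from the client and process the network round by round.
    Returns (copies in flight per round, times the server received the frame,
    whether copies were still circulating when we gave up)."""
    in_flight = deque([("A", 1)])      # (switch, ingress port) of each copy
    per_round, server_copies = [], 0
    for _ in range(max_rounds):
        if not in_flight:
            break
        per_round.append(len(in_flight))
        next_round = deque()
        for switch, ingress in in_flight:
            for sw, port in flood(switch, ingress, blocked):
                if (sw, port) in EDGE:
                    if EDGE[(sw, port)] == "server":
                        server_copies += 1
                    continue                    # hosts do not forward broadcasts
                peer = LINKS[(sw, port)]
                if peer not in blocked:         # a blocked port also discards
                    next_round.append(peer)
        in_flight = next_round
    return per_round, server_copies, bool(in_flight)


if __name__ == "__main__":
    print("no loop avoidance :", simulate())
    print("port B/3 blocked  :", simulate(blocked={("B", 3)}))
```

Without a blocked port the single broadcast never leaves the network: two copies are in flight in every round after the first, and the server keeps receiving the same ARP request over and over. Every additional broadcast any host sends adds its own copies on top, which is what turns a loop into a storm. With one of the two link ports blocked, the same broadcast reaches the server exactly once and the network goes quiet.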

Actually a whole set of sessions is needed just to explain STP; there are even books specialized in explaining STP, considering how important STP is in a redundant network.

STP blocks the redundant links in your network, that's it, but if you don't carefully design your network, even if you're using Cisco devices, your network will someday experience a meltdown.

There's a great article about a network meltdown in a hospital related to STP that you can read here. In a hospital!! Man, that's serious business, we're talking about people's lives here.
So the case study can be a valuable resource for you; just read it.

This happened to me once when I went to a client. They were just a small office, kind of like a SOHO; they weren't using Cisco devices, just network devices from Linksys and D-Link.

So they called me and said that for some reason the network went down.

After checking the network for a while: no problem with the configuration or the cabling, but still no connectivity.
Then after tracing all the cables - it was not exactly neat cabling they had there - I found that one cable was connected end to end to the same switch, which created the broadcast storm.

So the moral of this story: it's very easy to take down an entire network with just a single network cable, especially if the network is using average home network devices.

Needless to say, it is very important to keep your network devices physically secure. You can't trust the employees anymore nowadays.

Monday, February 21, 2011

Adding Switch to Cisco Home Lab 5

Configure Router as DHCP Server for VLANs
Now this part of the configuration is the most fun part of all. I just love the way one router accepts requests from clients on different VLANs (with different subnets) and hands out addresses based on which VLAN a client resides in.
That's just cool; your average home router can't do this kind of stuff. Most of what the average home router can do is give out IP addresses for one network.
In the previous post I showed how to make a router a DHCP server. This post is similar, but now I'm going to make the router give out IP addresses to clients on different networks.
The configuration is also the same, but now I'm going to create several DHCP pools. The amazing thing is that the router can tell each client's request apart.
The router listens to the requests and knows which request came in on which sub interface (subnet or VLAN).
Then the router takes an available IP address from the matching DHCP pool and tells the client that it's now using this IP address.
In this example I'm using four networks in my local area network. I won't be handing out addresses for VLAN 5, since I'm only going to use it for management purposes; I'll assign those addresses statically on the networking devices.
The 3 networks left, VLAN 10, 20 and 30, get their IP addresses from the DHCP server.
Same as before, you need to exclude the IP addresses that you don't want to give out through DHCP. I reserve the first ten addresses of each network; I'll probably need them for something else in the future.
router> enable
router# configure terminal
router (config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10
router (config)# ip dhcp excluded-address 192.168.20.1 192.168.20.10
router (config)# ip dhcp excluded-address 192.168.30.1 192.168.30.10

Now DHCP will give out addresses to the clients starting from XXX.XXX.XXX.11
Next is to configure the DHCP pools for respective VLANs:
router (config)# ip dhcp pool OFFICE
router (dhcp-config)# network 192.168.10.0 255.255.255.0
router (dhcp-config)# default-router 192.168.10.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
router (config)# ip dhcp pool HOME
router (dhcp-config)# network 192.168.20.0 255.255.255.0
router (dhcp-config)# default-router 192.168.20.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
router (config)# ip dhcp pool WIRELESS
router (dhcp-config)# network 192.168.30.0 255.255.255.0
router (dhcp-config)# default-router 192.168.30.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

You can set the dns-server option to point to up to 6 DNS servers.
The default-router command tells the clients to set their default gateway to the router's sub interface.
At this point, if you can ping all the sub interfaces of the router from the switch, the router will hand out IP addresses to the clients' DHCP requests.
The router differentiates the requests like this: if a request comes in on sub interface ethernet 0/1.10, the router gives out an address from the pool whose network matches the IP address on that interface (the 192.168.10.0 network).
After this you need to configure the router for the internet connection, if you haven't done it before.
Remember to apply an access-list that allows all the networks you have in the LAN to be translated by NAT.
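The pool-selection rule just described, written out as a Python model so you can see the matching happen. This is an added example and not Cisco's DHCP implementation: the sub interface addresses, the excluded ranges and the three pools (OFFICE, HOME, WIRELESS) are the ones from this post, while the client MAC addresses and the lease bookkeeping are constructed for the example. Note that VLAN 5 has a sub interface but no pool, so a request arriving there gets nothing, exactly as intended for the management VLAN.

```python
"""Model of how a router with several DHCP pools picks the pool for a request:
by the subnet of the sub interface the request arrived on. Constructed example."""
import ipaddress

# Router sub interfaces from the post: name -> router address on that VLAN.
SUBINTERFACES = {
    "ethernet0/1.5": ipaddress.ip_interface("192.168.5.1/24"),    # management, no pool
    "ethernet0/1.10": ipaddress.ip_interface("192.168.10.1/24"),
    "ethernet0/1.20": ipaddress.ip_interface("192.168.20.1/24"),
    "ethernet0/1.30": ipaddress.ip_interface("192.168.30.1/24"),
}

# The ip dhcp excluded-address ranges from the post.
EXCLUDED = [
    ("192.168.10.1", "192.168.10.10"),
    ("192.168.20.1", "192.168.20.10"),
    ("192.168.30.1", "192.168.30.10"),
]


class DhcpPool:
    """One ip dhcp pool: a network statement, a default-router and its leases."""

    def __init__(self, name, network, default_router):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.default_router = ipaddress.ip_address(default_router)
        self.leases = {}  # client MAC -> address handed out

    def free_addresses(self, excluded):
        """Hosts of the pool's network minus excluded ranges and current leases."""
        blocked = set()
        for lo, hi in excluded:
            lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo_a in self.network:
                blocked.update(ipaddress.ip_address(i)
                               for i in range(int(lo_a), int(hi_a) + 1))
        taken = set(self.leases.values())
        return [h for h in self.network.hosts() if h not in blocked and h not in taken]


POOLS = [
    DhcpPool("OFFICE", "192.168.10.0/24", "192.168.10.1"),
    DhcpPool("HOME", "192.168.20.0/24", "192.168.20.1"),
    DhcpPool("WIRELESS", "192.168.30.0/24", "192.168.30.1"),
]


def select_pool(ingress_subif):
    """Match the ingress sub interface's address against the pools' networks.
    No sub interface or no matching network means no pool, hence no offer."""
    router_if = SUBINTERFACES.get(ingress_subif)
    if router_if is None:
        return None
    for pool in POOLS:
        if router_if.ip in pool.network:
            return pool
    return None


def handle_discover(ingress_subif, client_mac, excluded=EXCLUDED):
    """Answer a DHCP discover: (address, default gateway, pool name) or None."""
    pool = select_pool(ingress_subif)
    if pool is None:
        return None
    if client_mac in pool.leases:           # same client again: keep its address
        addr = pool.leases[client_mac]
    else:
        free = pool.free_addresses(excluded)
        if not free:                        # pool exhausted
            return None
        addr = free[0]                      # first free address, .11 here
        pool.leases[client_mac] = addr
    return str(addr), str(pool.default_router), pool.name


if __name__ == "__main__":
    for subif, mac in [("ethernet0/1.10", "00:aa:00:00:00:01"),
                       ("ethernet0/1.30", "00:aa:00:00:00:02"),
                       ("ethernet0/1.5", "00:aa:00:00:00:03")]:
        print(subif, "->", handle_discover(subif, mac))
```

The first office client gets 192.168.10.11 with gateway 192.168.10.1 because the ten excluded addresses are skipped, the wireless client gets 192.168.30.11 from the WIRELESS pool, and the request on the management sub interface is refused.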

Adding Switch to Cisco Home Lab 4

Configure Router for InterVLAN routing
If you only configure VLANs on the 2950 or other layer 2 switches, the clients can only communicate with other clients within the same VLAN.
If you want them to be able to communicate with clients on different VLANs, then you need to configure a router for interVLAN routing.

Configuring a router for interVLAN routing is often called router on a stick. The reason is that clients that want to communicate with clients on different VLANs need to go through the router first, and the router routes the packets to the appropriate VLAN back down the same link.

The disadvantage of this is that the single link to the router carries all the traffic going from one VLAN to another, and the router has to do all the routing for it.

No problem for a small LAN, but if you have a huge number of clients, you need to consider using Layer 3 or multilayer switches (Cisco Catalyst 3550 series or above) for interVLAN routing.

The concept of layer 3 switch routing is something you'd find at the CCNP level, not the CCNA.
I don't have a layer 3 switch; the cheapest one I can find in my local area is more than $600, yikes. But the configuration is so easy that I'll just give you some snippets later.
For now let's configure the router to do interVLAN routing.
We know that routers have a limited number of physical interfaces, right? The 2611 has 2 Ethernet interfaces by default.
One interface goes to the internet and the other is supposed to connect to the internal LAN.
How can one interface handle multiple VLANs, a.k.a. multiple networks with different subnets?
There's a genius way to get around this: logical sub interfaces. That one port can be logically divided into many sub interfaces.
Each sub interface handles one VLAN/subnet.

NOTE:
Previously interVLAN routing could only be done on routers with Fast Ethernet interfaces (100 Mbps) and was not intended for Ethernet interfaces (10 Mbps) because of their small bandwidth. But now we can configure it on the Ethernet ports too.
Before configuring the router, let's look again at how the network diagram looks:

So we need to define four sub interfaces with their respective IP addresses, and we also need to define the VLAN assigned to each sub interface using encapsulation dot1q VLAN_NUMBER, where VLAN_NUMBER is the VLAN ID for the sub interface. For the VLAN that is the native VLAN on the switch's trunk (VLAN 5 here) add the native keyword, because frames in the native VLAN arrive at the router untagged, and a sub interface without native only accepts frames tagged with its VLAN ID.
You need to define the VLAN on the sub interface first, then you can assign the IP address there.
You don't need to assign an IP address to the main interface ethernet 0/1, but do issue no shutdown on it; the sub interfaces automatically follow the main interface's no shutdown.
Here's how we configure them:

router> enable
router# configure terminal
router (config)# interface ethernet0/1
router (config-if)# no ip address
router (config-if)# no shutdown
router (config-if)# interface ethernet0/1.5
router (config-subif)# encapsulation dot1q 5 native
router (config-subif)# ip address 192.168.5.1 255.255.255.0
router (config-subif)# interface ethernet0/1.10
router (config-subif)# encapsulation dot1q 10
router (config-subif)# ip address 192.168.10.1 255.255.255.0
router (config-subif)# interface ethernet0/1.20
router (config-subif)# encapsulation dot1q 20
router (config-subif)# ip address 192.168.20.1 255.255.255.0
router (config-subif)# interface ethernet0/1.30
router (config-subif)# encapsulation dot1q 30
router (config-subif)# ip address 192.168.30.1 255.255.255.0

You can give a sub interface a number up to 4294967295; the reason is that it gives you the flexibility to name the sub interface to match the VLAN ID. You can easily identify that sub interface e0/1.5 is for VLAN 5, and so on.
Oh, don't forget to do the no shutdown command on the main interface ethernet 0/1; it also does no shutdown for the sub interfaces.
Now if you can successfully ping interface VLAN 5 on the switch (192.168.5.2 in this example), you are done configuring the router for interVLAN routing.
For interVLAN routing on Layer 3 switches you have to create an interface VLAN for every VLAN you want to route and give each one an IP address:
Layer3Switch> enable
Layer3Switch# configure terminal
Layer3Switch (config)# interface VLAN 5
Layer3Switch (config-if)# ip address 192.168.5.1 255.255.255.0
Layer3Switch (config-if)# no shutdown



Do this for every VLAN you want to route; you don't need to configure sub interfaces on the router.
The layer 3 switch does the routing between the VLANs without ever needing to send anything to the router first.
But you need to activate the IP routing feature on the switch first, if it's not already activated, using:

Layer3Switch (config)# ip routing


Very simple, right?

The last things left are the additional router configuration: a DHCP server for each subnet, connecting to the cable internet, and other details, in the next post.


Adding Switch to Cisco Home Lab 3

Assigning Switch Ports to VLANs

After configuring VLANs on the Cisco switch, we now need to assign the switch ports to the VLANs.
We need to decide which ports should be in which VLAN; remember VLAN = broadcast domain = subnet.
So before making your own VLANs, consider the IP addressing scheme and which computer should be in which broadcast domain or network.
The next step is to configure the trunk port that connects to the router and the access ports that connect the switch ports to our clients' PCs or other network devices.

The trunk port is needed to carry all VLANs, or selected VLANs (you can decide which VLANs are allowed to cross the trunk link), over one port. The native VLAN is the VLAN whose frames cross the trunk without a tag: an untagged frame arriving on the trunk is treated as belonging to the native VLAN.
You should also configure a trunk if you want to connect a switch to another switch; you have to configure the trunk port on both switches.
An access port can only be a member of 1 VLAN; anything plugged into the access port is assigned the configured VLAN ID.
You need to remember though that the devices attached to the switch ports don't know anything about VLANs; it is only something the switch knows.
Before frames are sent to the clients, the VLAN tags are stripped from them.
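To make the trunk, access and native VLAN behaviour concrete, here is a Python model of what each kind of port does to a frame, plus the router-on-a-stick side from the previous post (which sub interface a tagged frame lands on). It is an added example, not code from this blog or from Cisco: it builds and parses the 4-byte 802.1Q tag by hand, puts untagged trunk frames into the native VLAN, sends native VLAN frames out untagged, strips the tag before an access port hands a frame to a host, and picks the router sub interface by VLAN ID. The VLAN IDs, native VLAN 5 and sub interface names are the ones used in these posts; the MAC addresses and payload are constructed, and two behaviours are assumptions of this model: an access port drops a frame the host tagged with some other VLAN, and the router's ethernet0/1.5 is configured as the native sub interface so it receives the untagged frames.

```python
"""802.1Q tagging as a trunk port, an access port and a router on a stick see it.
Constructed example; not switch or router firmware."""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
NATIVE_VLAN = 5            # switchport trunk native vlan 5 (from the post)
ALLOWED_VLANS = {5, 10, 20, 30}
# Router sub interfaces from the previous post. ethernet0/1.5 is the native one,
# so it also receives the trunk's untagged frames (assumption of this model).
ROUTER_SUBIFS = {5: "ethernet0/1.5", 10: "ethernet0/1.10",
                 20: "ethernet0/1.20", 30: "ethernet0/1.30"}


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; with vlan_id, insert the 4-byte 802.1Q tag (TPID 0x8100,
    then TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID) after the source MAC."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095:
            raise ValueError("VLAN ID must fit in 12 bits")
        frame += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vlan_id)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def _untag(frame):
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload)


def trunk_ingress(frame, native_vlan=NATIVE_VLAN, allowed=ALLOWED_VLANS):
    """Trunk receive: a tagged frame keeps its VLAN, an untagged one lands in the
    native VLAN. Returns (vlan_id, frame without tag), or None if not allowed."""
    vlan_id = parse_frame(frame)[2]
    if vlan_id is None:
        vlan_id = native_vlan
    if vlan_id not in allowed:
        return None
    return vlan_id, _untag(frame)


def trunk_egress(frame, vlan_id, native_vlan=NATIVE_VLAN, allowed=ALLOWED_VLANS):
    """Trunk send: tag the frame with its VLAN, except the native VLAN, which goes
    out untagged. None if the VLAN is not allowed on this trunk."""
    if vlan_id not in allowed:
        return None
    dst, src, _, ethertype, payload = parse_frame(frame)
    tag = None if vlan_id == native_vlan else vlan_id
    return build_frame(dst, src, ethertype, payload, vlan_id=tag)


def access_ingress(frame, access_vlan):
    """Access port receive: the frame belongs to the configured VLAN no matter what
    the host sent. A frame the host tagged with some other VLAN is dropped here
    (model assumption), so a host cannot pick its own VLAN."""
    vlan_id = parse_frame(frame)[2]
    if vlan_id is not None and vlan_id != access_vlan:
        return None
    return access_vlan, _untag(frame)


def access_egress(frame):
    """Access port send: the host never sees the tag."""
    return _untag(frame)


def router_subinterface(frame, native_vlan=NATIVE_VLAN, subifs=ROUTER_SUBIFS):
    """Router on a stick: the VLAN ID in the tag selects the sub interface;
    untagged frames go to the sub interface marked native."""
    vlan_id = parse_frame(frame)[2]
    if vlan_id is None:
        vlan_id = native_vlan
    return subifs.get(vlan_id)
```

Running a broadcast through it: a frame tagged 10 is 4 bytes longer than the same frame untagged, arrives on the trunk as VLAN 10, leaves an access port in VLAN 10 with no tag, and lands on the router's ethernet0/1.10; the same frame sent untagged is treated as VLAN 5 at both the switch trunk and the router, which is why the native VLAN has to agree on both ends and why the post moves it off the default VLAN 1.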
In this example I configure the FastEthernet port 0/1 to be the trunk port that connects to the router.

C2950> enable
C2950# configure terminal
C2950 (config)# interface fa0/1
C2950 (config-if)# switchport mode trunk

 
At this point you have already configured port FastEthernet 0/1, or fa0/1, to be a trunk port.
There are two encapsulation methods for trunking: ISL, which is a proprietary method from Cisco, only for Cisco devices, and 802.1Q, or dot1q for short, which is the multi-vendor encapsulation method.
Since the 2950 switches only support the dot1q method you don't need to define it, but if your switch supports both methods then you need to configure it using switchport trunk encapsulation dot1q, or replace dot1q with isl if you want to use ISL.
Next is to define the native VLAN and, if you want to, which VLANs are allowed to cross that trunk port:

C2950 (config-if)# switchport trunk native vlan 5
C2950 (config-if)# switchport trunk allowed vlan add 5,10,20,30


You can add or remove VLANs on the trunk port; by default the trunk carries all VLANs.
Finished with the trunk port configuration, now we assign ports to the VLANs we created. You can assign the ports one by one like this:
 
C2950 (config)# interface fa0/2
C2950 (config-if)# switchport mode access
C2950 (config-if)# switchport access vlan 10
 

Or you can define a range of interfaces at once. Say I want to configure ports 0/2 to 0/8 as access ports for VLAN 10; then I just have to do this:
C2950 (config)# interface range fa0/2 - 8
C2950 (config-if-range)# switchport mode access
C2950 (config-if-range)# switchport access vlan 10

Do the same thing for VLAN 20, the home network VLAN:
C2950 (config)# interface range fa0/9 - 16
C2950 (config-if-range)# switchport mode access
C2950 (config-if-range)# switchport access vlan 20

Very handy command, right?
One trick I can give you: if you want to configure some ports that are not in sequential order, like ports 2 to 5, ports 10 to 15 and port 24, you can do it like this:
C2950 (config)# interface range fa0/2 - 5 , fa0/10 - 15 , fa0/24

There, you have successfully created access ports for VLANs 10 and 20. VLAN 30, the VLAN used for the wireless network, I need to save for another time, since configuring a wireless network with Cisco devices takes some tricks.
Now we're done with the Cisco switch configuration; the next thing to do is configure the router to accept the VLANs and be the DHCP server for all the networks.

Adding Switch to Cisco Home Lab 2

Configuring VLANs

I'll start the configuration of adding a switch to my Cisco home lab by configuring the switch first. In the previous tutorial series I posted about how to connect a Cisco router to cable internet, and here's how the network will look again with a switch added to it:

The network will have 4 VLANs, with VLAN 5 acting as the native VLAN.
By default the native VLAN of Cisco switches is VLAN 1; you might want to change the native VLAN from VLAN 1 to another VLAN, since there is a security concern about this.
You can read a nice article about the native VLAN security concern from Cisco.
On 2950 switches you have to type in these commands to create the VLANs:


C2950> enable
C2950# configure terminal
C2950 (config)# vlan 5
C2950 (config-vlan)# name MANAGEMENT
C2950 (config-vlan)# vlan 10
C2950 (config-vlan)# name OFFICE
C2950 (config-vlan)# vlan 20
C2950 (config-vlan)# name HOME
C2950 (config-vlan)# vlan 30
C2950 (config-vlan)# name WIRELESS


You can verify that you successfully created the VLANs by issuing this command:

C2950# show vlan

Now to give VLAN 5 the switch's IP address, so that it becomes the management VLAN (the native VLAN itself is set on the trunk port with switchport trunk native vlan 5), we do this:
C2950 (config)# interface VLAN 5
C2950 (config-if)# ip address 192.168.5.2 255.255.255.0
C2950 (config-if)# no shutdown

 
By issuing the no shutdown command, interface VLAN 1 is automatically shut down and replaced by VLAN 5.
Assigning an IP address to a VLAN other than VLAN 1 makes that VLAN the management VLAN, so your switch can be accessed for configuration using telnet.
You can only change the native VLAN from VLAN 1 to another VLAN; you can't delete VLAN 1.
The next thing you need to do is assign those VLANs to the switch's ports.