Saturday, February 22, 2014

Cisco documentation: migration_Mobile Access Router and Mesh Networks pdf

5
Mobile Access Router and Mesh Networks Design Guide
OL-11823-01
Introduction
Table 1 shows the setup of WMICs on the Cisco 3230 Mobile Access router.
Table 2 shows the setup of serial interfaces on the Cisco 3230 Mobile Access router.
Table 3 shows the setup of Fast Ethernet interfaces on the Cisco 3230 Mobile Access router.
Table 1 WMIC Ports
Internal Wiring   Ports              Radio Type
WMIC 1 (W1)       FastEthernet 0/0   2.4GHz
WMIC 2 (W2)       FastEthernet 2/3   2.4GHz
WMIC 3 (W3)       FastEthernet 2/2   4.9GHz

Table 2 SMIC Ports
Internal Wiring   Ports        Interface Type
Serial 0          Serial 1/0   DSCC4 Serial
Serial 1          Serial 1/1   DSCC4 Serial
Internal          Serial 1/2   DSCC4 Serial
Internal          Serial 1/3   DSCC4 Serial
MAR3200 WMIC Features
Table 4 highlights the software features of WMICs running Cisco IOS.
Table 3 Fast Ethernet Ports
Internal Wiring   Ports               Interface Type
Internal WMIC 1   Fast Ethernet 0/0   Fast Ethernet
FE0X              Fast Ethernet 2/0   Fast Ethernet
FE1X              Fast Ethernet 2/1   Fast Ethernet
Internal WMIC 3   Fast Ethernet 2/2   Fast Ethernet
Internal WMIC 2   Fast Ethernet 2/3   Fast Ethernet
Table 4 WMIC IOS Software Features
Feature                                Description
VLANs                                  Allows dot1Q VLAN trunking on both wireless and Ethernet interfaces. Up to 32 VLANs can be supported per system.
QoS                                    Use this feature to support quality of service for prioritizing traffic on the wireless interface. The WMIC supports required elements of Wi-Fi Multimedia (WMM) for QoS, which improves the user experience for audio, video, and voice applications over a Wi-Fi wireless connection and is a subset of the IEEE 802.11e QoS specification. WMM supports QoS prioritized media access through the Enhanced Distributed Channel Access (EDCA) method.
Multiple BSSIDs                        Supports up to 8 BSSIDs in access point mode.
RADIUS accounting                      When running the WMIC in access point (AP) mode you can enable accounting on the WMIC to send accounting data about authenticated wireless client devices to a RADIUS server on your network.
TACACS+ administrator authentication   TACACS+ for server-based, detailed accounting information and flexible administrative control over authentication and authorization processes. It provides secure, centralized validation of administrators attempting to gain access to your WMIC.
Enhanced security                      Supports three advanced security features:
                                       • WEP keys: Message Integrity Check (MIC) and WEP key hashing CKIP
                                       • WPA
                                       • WPA2
Enhanced authentication services       Allows non-root bridges or workgroup bridges to authenticate to the network like other wireless client devices. After a network username and password for the non-root bridge or workgroup bridge are set, LEAP, EAP-TLS or EAP-FAST can be used for authentication in dynamic WEP, WPA, or WPA2 configurations.
802.1x supplicant                      In AP mode, the Mobile Access Router supports standard 802.1x EAP types for WLAN clients.
Universal Workgroup Bridge Considerations
The Cisco Compatible eXtensions (CCX) program delivers advanced WLAN system level capabilities
and Cisco-specific WLAN innovations to third party Wi-Fi-enabled laptops, WLAN adapter cards,
PDAs, Wi-Fi phones, and application specific devices (ASDs). The 2.4 GHz WMIC provides CCX client
support. When the 2.4 GHz WMIC is configured as a universal workgroup bridge client, it does not
identify itself as a CCX client. However, it does support CCX features. Table 5 lists the supported
features.
Table 4 WMIC IOS Software Features (continued)
Feature                                Description
Fast secure roaming                    Fast, secure roaming using Cisco Centralized Key Management (CCKM) in Work Group Bridge mode and Universal Work Group Bridge mode.
Universal workgroup bridge             Supports interoperability with non-Cisco APs.
Repeater mode                          Allows the access point to act as a wireless repeater to extend the coverage area of the wireless network.
Table 5 CCX Version Feature Support
Feature   v1   v2   v3   v4   AP   WGB   WGB Client
Security
Wi-Fi Protected Access (WPA)   X X X X X X
IEEE 802.11i - WPA2   X X X X X
WEP   X X X X X X X
IEEE 802.1X   X X X X X X X
LEAP   X X X X X X X
EAP-FAST   X X X X X
CKIP (encryption)   X X X
Wi-Fi Protected Access (WPA): 802.1X + WPA TKIP   X X X X X X
With LEAP   X X X X X X
With EAP-FAST   X X X X X
IEEE 802.11i- WPA2: 802.1X+AE   X X X X X
With LEAP   X X X X X
With EAP-FAST   X X X X X
CCKM EAP-TLS   X X X X
EAP-FAST   X X X X
Mobility
AP-assisted roaming   X X X X X X
Fast re-authentication via CCKM, with LEAP   X X X X X X
MAR3200 Management Options
You can use the WMIC management system through the following interfaces:
• The IOS command-line interface (CLI), which you use through a PC running terminal emulation
software or a Telnet/SSH session.
• Simple Network Management Protocol (SNMP).
• Web GUI management.
Using the MAR with a Cisco 1500 Mesh AP Network
The Universal Workgroup Bridge feature for the Cisco MAR3200 WMIC allows the WMIC radio to
associate to non-Aironet based access points. It also supports a majority of CCXv4 client features. In the
version 4.0 software release for the Cisco Wireless LAN Controller (WLC), and Mesh APs,
enhancements have been added to support Cisco 1230, 1240, 1130, or 3200 products associating to the
Cisco 1500 as a workgroup bridge (WGB). These two feature updates allow the MAR to act as a client
to the 1500 Mesh AP networks or Light Weight Access Point Protocol (LWAPP) WLAN networks
enabling new solutions for public safety, commercial transportation, and defense markets. The MAR not
only has Fast Ethernet and Serial interface connections for other client devices, but can also use them to
connect to other network devices for backhaul purposes.
Table 5 CCX Version Feature Support (continued)
Feature   v1   v2   v3   v4   AP   WGB   WGB Client
Fast re-authentication via CCKM with EAP-FAST   X X X X X
MBSSID   X X
Keep-Alive   X X X
QoS and VLANs
Interoperability with APs that support multiple SSIDs and VLANs   X X X X X X
Wi-Fi Multimedia (WMM)   X X X X X
Performance and Management
AP-specified maximum transmit power   X X X X X X
Recognition of proxy ARP information element (For ASP)   X X X
Client Utility Standardization
Link test   X X X X
Vehicle Network Example
This section describes a simple application for the MAR3200 in a Mesh network using its universal
workgroup bridge feature to connect to the Mesh WLAN.
Figure 4 illustrates this example.
• A Cisco 3200 Series router installed in a mobile unit allows the client devices in and around the
vehicle to stay connected while the vehicle is roaming.
• WMICs in vehicle-mounted Cisco 3200 Series routers are configured as access points to provide
connectivity for 802.11b/g and 4.9-GHz wireless clients.
• Ethernet interfaces are used to connect any in-vehicle wired clients, such as a laptop, camera, or
telematics devices, to the network.
• Another WMIC is configured as a Universal Workgroup Bridge for connectivity to a Mesh AP,
allowing transparent association and authentication through a root device in the architecture as the
vehicle moves about.
• Serial interfaces provide connectivity to wireless WAN modems that connect to cellular networks
such as CDMA or GPRS. The Wireless 802.11 connections are treated as preferred services because
they offer the most bandwidth. However, when a WLAN connection is not available, cellular
technology provides a backup link. Connection priority can be set by routing priority, or by the
priority for Mobile IP.
Figure 4 Vehicle Network Example
Simple Universal Bridge Client Data Path
The IP devices connected to the MAR are not aware that they are part of a mobile network. When they
must communicate with another node in the network, their traffic is sent to their default gateway, the
Cisco 3200 Series router. The Cisco 3200 Series router forwards the traffic to the Mesh AP's WLAN; the
mesh AP then encapsulates the data packets in LWAPP and forwards them through the network to the
controller.
As shown in Figure 5, the Cisco 3200 Series router sends traffic over the Universal Bridge Client WLAN
backhaul link. This traffic then crosses the WLAN to the controller where it is then forwarded out the
controller interface to the wired network. Return traffic destined for any client attached to the MAR
would be forwarded via a static route pointing back to the controller of the Mesh network. Figure 6
shows the return path to the MAR. Mobile IP eliminates the need for static routing and is covered later
in this document. NAT can be used in simple deployments when Mobile IP is not available.
The data path example shown in Figure 5, and previously described, represents the traffic in a pure
Layer 2 Mesh when the MAR is using only the WMIC for backhaul. If the deployment calls for more
complexity (such as secondary cellular backhaul links) then Mobile IP is required.
When the WMIC is used as a Universal Bridge Client, it sets up its wireless connections the same way
any wireless client does.
Figure 5 Simple Layer 2 Data Path Example (diagram nodes: MAP, RAP, MAR, WLC, Client)
Figure 6 Client Return Data Path (diagram nodes: MAP, RAP, MAR, WLC, Client)
Configuration Examples
This section provides configuration examples for the Cisco 3200 Series router.
Connect to the Cisco 3200 Series Router
Attach the console cable to both the serial port of your PC and the Mobile Access router console port
(DB9 socket). Use a straight-through DB9-to-DB9 cable.
Configure the IP Address, DHCP, and VLAN on the MAR
Step 1 Connect to and log in to the MAR. Create a loopback interface and assign an IP address:
bridge(config)# int loopback 0
bridge(config-if)# ip address 24.24.24.24 255.255.255.255
Step 2 To create VLAN 2 in the VLAN database, enter:
bridge# vlan database
Step 3 Configure the VLAN 3 and VLAN 2 interfaces. VLAN 3 is used for the 2.4 GHz WMIC2 (W2) which
is acting as AP and VLAN 2 is used for the 4.9GHz WMIC (W3). Configure FA2/0, FA2/1 and FA2/3
to be in VLAN 3, and FA 2/2 to be in VLAN 2.
Step 4 Create VLAN 4 in the VLAN database for connection between WMIC 1 and the MARC.
Step 5 Configure the DHCP server for VLAN 3 using the following commands:
bridge(config)# ip dhcp pool mypool
bridge(dhcp-config)# network 10.40.10.0 /28
bridge(dhcp-config)# default-router 10.40.10.1
bridge(config)# ip dhcp excluded-address 10.40.10.1 10.40.10.3
Step 6 Verify that the wired client on VLAN 3 has been assigned a DHCP IP address in the 10.40.10.0/28
subnet.
Connected to   Interface         Radio Type   VLAN   Description
PC             FastEthernet2/0   None         3      Fast Ethernet link for end device
WMIC 1 (W1)    FastEthernet0/0   2.4GHz       4      2.4 GHz Universal Work Group Bridge connection to Mesh Network
WMIC 2 (W2)    FastEthernet2/3   2.4GHz       3      Provide 2.4 GHz AP Hotspot around the mobile router
WMIC 3 (W3)    FastEthernet2/2   4.9GHz       2      4.9GHz uplink as Workgroup Bridge
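
As an added example (not part of the Cisco guide), the Python script below parses the Step 5 commands, works out which addresses the pool can actually lease once the excluded range is removed, and classifies client addresses for the Step 6 check. The client addresses it tests are constructed sample values.

```python
import ipaddress
import re

# Step 5 commands exactly as shown in the guide, router prompts included.
STEP5_CONFIG = """\
bridge(config)# ip dhcp pool mypool
bridge(dhcp-config)# network 10.40.10.0 /28
bridge(dhcp-config)# default-router 10.40.10.1
bridge(config)# ip dhcp excluded-address 10.40.10.1 10.40.10.3
"""

def parse_dhcp(config):
    """Return (pool network, default router, [(low, high) excluded ranges])."""
    network, router, excluded = None, None, []
    for raw in config.splitlines():
        line = re.sub(r"^\S+[#>]\s*", "", raw.strip())  # drop the IOS prompt
        words = line.split()
        if words[:1] == ["network"] and len(words) >= 3:
            # The mask may be written "/28" or "255.255.255.240".
            network = ipaddress.ip_network(f"{words[1]}/{words[2].lstrip('/')}")
        elif words[:1] == ["default-router"] and len(words) >= 2:
            router = ipaddress.ip_address(words[1])
        elif words[:3] == ["ip", "dhcp", "excluded-address"] and len(words) >= 4:
            low = ipaddress.ip_address(words[3])
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
    return network, router, excluded

def leasable(network, excluded):
    """Host addresses left for clients after the excluded ranges are removed."""
    return [h for h in network.hosts()
            if not any(low <= h <= high for low, high in excluded)]

def classify(address, network, excluded):
    """Label a client address seen on VLAN 3 against the configured pool."""
    ip = ipaddress.ip_address(address)
    if ip not in network or ip in (network.network_address, network.broadcast_address):
        return "outside-pool"
    if any(low <= ip <= high for low, high in excluded):
        return "excluded-range"
    return "leasable"

if __name__ == "__main__":
    net, gateway, reserved = parse_dhcp(STEP5_CONFIG)
    pool = leasable(net, reserved)
    print(f"{net}: gateway {gateway}, {len(pool)} leasable ({pool[0]} to {pool[-1]})")
    # Constructed client addresses, not taken from the guide.
    for seen in ("10.40.10.5", "10.40.10.2", "10.40.10.20"):
        print(seen, classify(seen, net, reserved))
```

A wired client that reports an address classified as excluded-range or outside-pool did not get it from this pool, which points to a static assignment or a second DHCP server on the VLAN.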
WMIC Configurations
This section provides information on the various WMIC configurations.
WMIC Universal Bridge Client Configuration
The WMIC can be configured as a universal workgroup bridge. In this role, the WMIC has the following
functionality:
• Associates to the IOS and non-IOS access points.
• Interoperability—A universal workgroup bridge can forward routing traffic using a non-Cisco root
device as a universal client. The universal workgroup bridge appears as a normal wireless client to
the root device. As a root device, the WMIC supports Cisco-compatible extension clients, with all
CCXv3 features and many CCXv4 features.
To configure the WMIC as a Universal Workgroup Bridge, enter the following command:
bridge(config)# station-role workgroup-bridge universal [mac address]
Note You must use the mac-address of the associated VLAN that the WMIC is bridged to. As an example, we
will use the mac-address of VLAN 1. To acquire the MAC address of VLAN 1, console in to the MAR's
router card and enter the show mac-address-table command.
WMIC Bridge Configuration
The WMIC can be configured as a bridge. There are three install modes: automatic, root, and non-root:
• Automatic mode activates the bridge install and alignment mode, and specifies that the device
automatically determines the network role. If the device is able to associate to another Cisco root
device within 60 seconds, it assumes a non-root bridge role; otherwise it assumes a root device role.
The device can be configured into root device or non-root bridge modes to avoid the 60-second
automatic detection phase.
• Root mode specifies that the device is operating as a root device and connects directly to the main
Ethernet LAN network. In this mode, the unit accepts associations from other Cisco bridges and
wireless client devices.
• Non-root mode specifies that the device is operating as a non-root bridge, and that it connects to a
remote LAN network, and that it must associate with a Cisco root device by using the wireless
interface. Bridge mode is the only mode that supports the distance command.
The distance command specifies the distance from a root device to its clients (non-root bridges
and/or workgroup bridges). The distance setting adjusts the time out values to account for the time
required for radio signals to travel from a root device to its clients (non-root bridges
and/or workgroup bridges). In installation mode, the default distance setting for a 2.4-GHz WMIC is 99
km for maximum delay spread during antenna alignment. In other modes, the default distance
setting is 0 km. Changing to a different mode sets the distance to the default distance. If more than
one non-root bridge (or workgroup bridge) communicates with the root device, enter the distance
from the root device to the non-root bridge (or work-group bridge) that is farthest away. Enter a
value from 0 to 99 km for a 2.4-GHz WMIC or 0 to 3 km for a 4.9-GHz WMIC. You do not need to
adjust this setting on non-root bridges.
To configure the WMIC to determine its role automatically, perform the following steps:
Step 1 To enter global configuration mode, enter:
bridge# configure terminal
Step 2 To enter configuration mode for the radio interface, enter:
bridge(config)# interface dot11radio port
Step 3 To configure the WMIC's bridge role, enter the following command:
bridge(config-if)# station-role {root [bridge | non-root workgroup-bridge install [automatic | root | non-root]}
The station-role command specifies that the role of the WMIC is chosen based on the device to which it is
associated.
Set the WMIC role:
• To specify that MAR3200 WMIC operates as the root bridge device, use the station-role root
bridge command. This mode does not support wireless client associations.
• To specify that the MAR3200 WMIC operates in workgroup bridge mode, use the station-role
workgroup-bridge command. As a workgroup bridge, the device associates to an Aironet access
point or bridge as a client and provides a wireless LAN connection for devices connected to its
Ethernet port.
Step 4 Enter a distance setting from 0 to 99 km for a 2.4-GHz WMIC or 0 to 3 km for a 4.9-GHz WMIC:
bridge(config-if)# distance kilometers
Step 5 Use the mobile station command to configure a non-root bridge or workgroup bridge as a mobile
station. When this feature is enabled, the bridge scans for a new parent association when it encounters a
poor Received Signal Strength Indicator (RSSI), excessive radio interference, or a high frame-loss
percentage. Using these criteria, the WMIC searches for a new root association and roams to a new root
device before it loses its current association. When the mobile station setting is disabled (the default
setting) the WMIC does not search for a new association until it loses its current association.
Step 6 Enter the end command to complete the configuration.
Step 7 To make a backup copy of the configuration, enter:
bridge# copy running-config startup-config
Configuring the WMIC to Serve as an Access Point
The WMIC can be configured as a root access point. In this role, it accepts associations from wireless
clients. This can be a useful configuration if you are planning to deploy a mobile hotspot.
To configure the WMIC as an access point, perform the following steps:
Step 1 To enter global configuration mode, enter:
bridge# configure terminal
Step 2 To specify the interface configuration mode for the radio interface, enter:
bridge(config)# interface dot11radio port
Step 3 To specify the SSID the AP will use, enter:
bridge(config-if)# ssid given ssid
Step 4 To specify the authentication type to be used, enter:
bridge(config-if)# authentication open
Step 5 To specify the radio channel the AP will operate on, enter:
bridge(config-if)# channel 11
Step 6 To specify that the WMIC functions as a root access point, enter:
bridge(config-if)# station-role root access-point
Step 7 Enter the end command to complete the configuration.
Step 8 To make a backup copy of the configuration, enter:
bridge# copy running-config startup-config
Security
This section describes the security features of the WMIC.
Authentication Types
This section describes the authentication types that you can configure on the WMIC. The authentication
types are tied to the SSID that you configure on the WMIC. Before wireless devices can communicate,
they must authenticate to each other using open, 802.1x/EAP based or shared-key authentication. For
maximum security, wireless devices should also authenticate to your network using EAP authentication,
an authentication type that relies on the presence of an authentication server on your network.
The WMIC uses four authentication mechanisms or types and can use more than one at the same time.
These sections explain each authentication type:
• Open Authentication to the WMIC
• Shared Key Authentication to the WMIC
• EAP Authentication to the Network
• MAC Address Authentication to the Network
Open Authentication to the WMIC
Open authentication allows any wireless device to authenticate and then attempt to communicate with
another wireless device. Open authentication does not rely on a RADIUS server on your network.
Figure 7 shows the authentication sequence between a non-root bridge and a root device using open
authentication. In this example, the non-root bridge's WEP key does not match the bridge's key, so it can
authenticate but it cannot pass data.
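
The access point procedure earlier on this page sets authentication open, which, as described above, lets any wireless device authenticate. As an added example (not from the Cisco guide), the Python script below audits a saved configuration for SSIDs that rely on open authentication with no EAP and for radios with no cipher configured. The sample configuration is constructed, its SSID and method-list names are hypothetical, and its EAP and encryption lines are Cisco Aironet IOS syntax assumed to apply to the WMIC.

```python
import re

# Constructed sample. The first SSID follows Steps 3-6 of the access point
# procedure; the second is an EAP/WPA variant for comparison. Its EAP,
# key-management and cipher lines are Cisco Aironet IOS syntax assumed to be
# accepted by the WMIC image. SSID and method-list names are hypothetical.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 ssid hotspot
  authentication open
 channel 11
 station-role root access-point
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid fleet
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
!
"""

def parse_radios(config):
    """Return {interface: {"encryption": [lines], "ssids": {name: [auth words]}}}."""
    radios, iface, ssid = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(dot11radio\S*)", line, re.I)
        if match:
            iface = radios.setdefault(match.group(1), {"encryption": [], "ssids": {}})
            ssid = None
        elif line == "!" or line.lower().startswith("interface "):
            iface = ssid = None            # left the radio block
        elif iface is not None and line.startswith("ssid "):
            ssid = iface["ssids"].setdefault(line.split(None, 1)[1], [])
        elif iface is not None and line.startswith("encryption "):
            iface["encryption"].append(line.lower())
        elif ssid is not None and line.startswith("authentication "):
            ssid.append(line.lower().split())
    return radios

def audit(config):
    """Return (interface, ssid, finding) tuples for weak SSID settings."""
    findings = []
    for name, radio in parse_radios(config).items():
        ciphers = " ".join(radio["encryption"])
        for ssid, auth in radio["ssids"].items():
            has_open = any(w[1] == "open" for w in auth)
            has_eap = any(w[1] == "network-eap" or "eap" in w[2:] for w in auth)
            if has_open and not has_eap:
                findings.append((name, ssid, "open authentication without EAP"))
            if not ciphers:
                findings.append((name, ssid, "no encryption configured on radio"))
            elif "wep" in ciphers:
                findings.append((name, ssid, "WEP encryption"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```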
