Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Unified Wireless Network Architecture
Figure 4-14 illustrates one of the primary features of the architecture: how LAPs use the LWAPP
protocol to communicate with and tunnel traffic to a WLC.
Figure 4-14 LAP and WLC Connection
LWAPP has three primary functions:
• Control and management of the LAP
• Tunneling of WLAN client traffic to the WLC
• Collection of 802.11 data for the management of the Cisco Unified Wireless System
LWAPP Features
The easier a system is to deploy and manage, the easier it will be to manage the security associated with
that system. Early implementers of WLAN systems that used “fat” APs (standalone) found that the
implementation and configuration of such APs is equivalent to deploying and managing hundreds of
individual firewalls, each requiring constant attention to ensure correct firmware, configuration, and
safeguarding. Even worse, APs are often deployed in physically unsecured areas where theft of an AP
could result in someone accessing its configuration to gain information to aid in some other form of
malicious activity.
LWAPP addresses deployment, configuration, and physical security issues by doing the following:
• Removing direct user interaction and management of the AP. Instead, the AP is managed by the
WLC through its LWAPP connection. This moves the configuration and firmware functions to the
WLC, which can be further centralized through the use of the WCS.
• Having the AP download its configuration from the WLC, and be automatically updated when
configuration changes occur on the WLC.
• Having the AP synchronize its firmware with its WLC, ensuring that the AP is always running the
correct software version.
• Storing sensitive configuration data at the WLC, and storing only IP address information on the AP.
In this way, if the AP is physically compromised, there is no configuration information resident in
NVRAM that can be used to perform further malicious activity.
• Mutually authenticating LAPs to WLCs, and AES encrypting the LWAPP control channel.
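The last bullet, mutual authentication of LAP and WLC followed by an AES-protected control channel, modelled as an added Go example. This is not Cisco's code and not the LWAPP wire format: ECDSA identity keys stand in for the certificates each side holds, an ephemeral ECDH exchange stands in for the real key derivation, and AES-GCM protects each control message. The type and function names (Peer, Session, MutualAuth, Demo) and the configuration string are constructed for the illustration. The point it shows is the ordering the guide relies on: no session key exists until both signatures verify against keys already trusted, so an AP the WLC does not know is refused, and any alteration of a control message in transit fails the tag check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on an unexpected error (acceptable in a demo).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Peer is one end of the control channel (an LAP or a WLC). Its ECDSA identity key
// stands in for the certificate each side holds in a real deployment; this is a
// simplified model, not the LWAPP wire format.
type Peer struct{ id *ecdsa.PrivateKey }

func NewPeer() *Peer { return &Peer{id: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))} }

func (p *Peer) Public() *ecdsa.PublicKey { return &p.id.PublicKey }

// Session is what a successful join yields: an AES-GCM cipher keyed from the
// ECDH secret, so every control message is both encrypted and integrity-checked.
type Session struct{ aead cipher.AEAD }

// MutualAuth is a simplified authenticated key agreement: each side signs the pair
// of ephemeral ECDH public keys with its identity key, and each verifies the other's
// signature against the public key it already trusts. The AES key is derived only
// after both checks pass, so an unknown AP (or a spoofed WLC) never gets a session.
func MutualAuth(ap, wlc *Peer, trustedAP, trustedWLC *ecdsa.PublicKey) (*Session, *Session, error) {
	ephAP := must(ecdh.P256().GenerateKey(rand.Reader))
	ephWLC := must(ecdh.P256().GenerateKey(rand.Reader))
	transcript := sha256.Sum256(append(ephAP.PublicKey().Bytes(), ephWLC.PublicKey().Bytes()...))
	sigAP := must(ecdsa.SignASN1(rand.Reader, ap.id, transcript[:]))
	sigWLC := must(ecdsa.SignASN1(rand.Reader, wlc.id, transcript[:]))
	if !ecdsa.VerifyASN1(trustedAP, transcript[:], sigAP) {
		return nil, nil, errors.New("WLC rejected AP: signature does not verify under the trusted AP key")
	}
	if !ecdsa.VerifyASN1(trustedWLC, transcript[:], sigWLC) {
		return nil, nil, errors.New("AP rejected WLC: signature does not verify under the trusted WLC key")
	}
	secret := must(ephAP.ECDH(ephWLC.PublicKey())) // the WLC derives the same bytes from its own key
	key := sha256.Sum256(append([]byte("lwapp-demo-control-key:"), secret...))
	block := must(aes.NewCipher(key[:16]))
	return &Session{must(cipher.NewGCM(block))}, &Session{must(cipher.NewGCM(block))}, nil
}

// Seal encrypts and authenticates one control message under a fresh random nonce.
func (s *Session) Seal(msg []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	must(rand.Read(nonce))
	return append(nonce, s.aead.Seal(nil, nonce, msg, nil)...)
}

// Open decrypts a control message; any modification makes the AES-GCM tag fail.
func (s *Session) Open(ct []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(ct) < n {
		return nil, errors.New("control message too short")
	}
	pt, err := s.aead.Open(nil, ct[:n], ct[n:], nil)
	if err != nil {
		return nil, errors.New("authentication tag mismatch: message altered")
	}
	return pt, nil
}

// Demo joins an AP to its WLC and pushes one configuration line (a constructed
// sample), then shows a rogue AP being refused and a tampered message rejected.
func Demo() (config string, rogueRefused, tamperDetected bool) {
	ap, wlc := NewPeer(), NewPeer()
	apS, wlcS, err := MutualAuth(ap, wlc, ap.Public(), wlc.Public())
	if err != nil {
		panic(err)
	}
	config = string(must(apS.Open(wlcS.Seal([]byte("wlan ssid=corp vlan=20")))))
	_, _, err = MutualAuth(NewPeer(), wlc, ap.Public(), wlc.Public()) // rogue AP: a key the WLC never trusted
	rogueRefused = err != nil
	ct := wlcS.Seal([]byte("reboot"))
	ct[len(ct)-1] ^= 0x01 // flip one bit of the GCM tag in transit
	_, err = apS.Open(ct)
	tamperDetected = err != nil
	return
}

func main() {
	cfg, rogue, tamper := Demo()
	fmt.Printf("config=%q rogueRefused=%v tamperDetected=%v\n", cfg, rogue, tamper)
}
```

Run with `go run .` (Go 1.20 or later for crypto/ecdh). The trust anchors passed to MutualAuth are what the guide's "mutual" authentication hinges on: the WLC verifies the AP against a key it already holds, and the AP does the same for the WLC, which is why the rogue join in Demo is refused before any control traffic is exchanged.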
In addition to the security benefits described above, tunneling WLAN traffic in an LWAPP-based
architecture improves the ease of deployment without compromising the overall security of the solution.
LAPs that support multiple WLAN VLANs can be deployed on access layer switches without requiring
[Figure 4-14 image: LAPs connected to the WLC by LWAPP tunnels across a Layer 2 or Layer 3 network]