SPOTO has focused on IT certification training for 16 years. We always offer the latest tips and valuable study materials for every engineer. Subscribe to us to get more news.
(1) Adopt a centrally managed wireless network architecture that meets the requirements for maintainability, security, QoS, wireless roaming and other functions without changing the existing network topology.
(2) Design around the actual applications to ensure good signal quality from the wireless APs throughout the coverage area.
(3) Adopt a widely used network protocol standard: the 802.11 family of standards is currently the mainstream choice for WLANs, so the WLAN must support 802.11g (54 Mbps) or above to provide relatively stable network communication for practical applications.
(4) Security, authentication and management requirements: to prevent unauthorized users from accessing the wireless network and to prevent illegal interception of WLAN data streams, the wireless network must have corresponding security measures.
These mainly include user authentication, physical address (MAC) filtering, service set identifier (SSID) matching, Wired Equivalent Privacy (WEP), Layer 2 isolation, WPA support, and so on. User authentication must distinguish between internal company personnel (authenticated as domain users, with access to the company network), external users (no authentication required, access only to specific networks) and mobile terminals that are not operated by a user account (such as wireless scanners: no authentication, access to all networks), and must support policy-based user access control.
(5) Product capability requirements: the products must hold a radio type-approval certificate from the wireless regulatory committee; they must support AES, WEP and other security standards; the wireless controller must be able to manage 200 APs; roaming handover must be supported; and the equipment must operate reliably in more complex indoor environments.
(6) AP power supply: an access switch without PoE must also be able to power the wireless AP directly through a PoE-like power supply mode, so that powering the AP is not a problem.
Wireless network construction
According to the design requirements, we adopted a centrally managed "thin AP" wireless network architecture. In a "thin AP" design each AP is responsible only for the RF and communication work; its function is that of a simple RF sensor device at the lowest layer. The RF signals received by every AP are encoded as 802.11 frames and transmitted over the Ethernet network to the wireless controller through an encrypted tunneling protocol, and the wireless controller performs the higher-level encryption, verification and control of those frames. The "thin AP" wireless network therefore has the characteristics of unified management and scalability, automatic RF management and load balancing.
The entire wireless network is composed mainly of the wireless controllers, the wireless access points (APs), the wireless management system and a RADIUS authentication server. The wireless controller centrally configures and manages the whole wireless network; all APs on the network accept this unified management, and the APs and the users behind them are assigned to access layer switches according to policy. The wireless network management system provides functions such as wireless network optimization, troubleshooting, user tracking and security monitoring, and the RADIUS authentication server provides user access authentication. This networking mode keeps the structure of the original network and is simple, flexible and easy to expand.
At the core layer of the network, two wireless controllers are connected to the two core switches, one to each. Clustering technology allows the whole wireless network to be configured and managed from either wireless controller, so each controller does not have to be configured separately; this reduces the chance that the two controllers fall out of sync and provides redundant system backup. When one wireless controller fails, the other automatically takes over the APs managed by the faulty device, keeping the wireless network running normally and improving reliability. The wireless network management system (RFMS server) and the RADIUS authentication server are connected to the core switch.
The APs in each coverage area are connected to the access switches, and each wireless AP automatically downloads its configuration from the wireless controller, so all APs are plug and play, convenient to deploy and easy to maintain. The APs are powered through a PoE power supply module, so an access switch without PoE can also directly power the wireless AP using a PoE-like power supply mode; this solves the power supply problem of the wireless AP and greatly reduces the difficulty of cabling for the wireless system.
To distinguish the service types of different users and improve the security of wireless access, we use virtual AP technology to broadcast three SSIDs simultaneously for three different types of users: internal employees, external users and production mobile terminals. Each SSID uses a different encryption and authentication method and a different access control policy. At the same time, the coverage of each SSID is restricted: the SSID used by internal employees covers the whole company, the SSID used by external users covers only the conference room and the reception room, and the production mobile terminal SSID covers the production area.
To control the access of different users to network resources, we assign a VLAN to each SSID on the core switch and configure corresponding routing and access control policies. VLAN 42 is used for wireless network management; the IP addresses of the wireless controller, management system and authentication server belong to this subnet. VLAN 43 is used for the company's internal employee SSID, which provides access to company-authorized resources and applications. VLAN 44 is used for the external user SSID and has access only to the Internet. VLAN 7 is used for the production mobile terminal SSID and has access to all networks. Users connecting to different SSIDs automatically obtain an IP address in the corresponding VLAN and are granted different network access rights.
To carry the multiple VLANs of the wireless network, the core switch port facing the wireless controller must carry those VLANs as a trunk and be configured in trunk mode. Because the access switch connected to the AP and the DHCP server are in different subnets, the DHCP relay function must be enabled on the access switch and the DHCP server address configured. The access switch port connected to the AP should be in the wireless network management VLAN (VLAN 42): configure the port in access mode and assign it to VLAN 42.
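The SSID-to-VLAN policy of the two paragraphs above, as an added example that is not code from the original article: a small Python model of the three SSIDs, their VLANs and what each may reach, which renders the policy as a Cisco IOS-style extended ACL and the AP-facing port configuration, and lets you check a destination against the policy before it goes on the switch. The SSID names, subnet addresses, the internal server range, the DHCP server address, the IOS syntax, and the choice to keep the staff VLAN out of the management VLAN 42 are assumptions; only the VLAN numbers and the stated access rights come from the design.

```python
"""SSID-to-VLAN access policy model for the three-SSID design above.

Added example, not code from the original article. SSID names, subnet
addresses, the internal server range, the DHCP server address and the
Cisco IOS-style syntax are assumptions; the VLAN numbers and the access
rights of each SSID are taken from the design description.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Hypothetical subnets; the article gives only the VLAN IDs.
MGMT_NET = ip_network("10.42.0.0/24")           # VLAN 42: controllers, RFMS, RADIUS
STAFF_NET = ip_network("10.43.0.0/24")          # VLAN 43: internal employee SSID
GUEST_NET = ip_network("10.44.0.0/24")          # VLAN 44: external user SSID
PROD_NET = ip_network("10.7.0.0/24")            # VLAN 7:  production mobile terminals
INTERNAL_SERVERS = ip_network("10.100.0.0/16")  # hypothetical company application servers
DHCP_SERVER = "10.42.0.20"                      # hypothetical DHCP server in the management VLAN
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class SsidPolicy:
    ssid: str
    vlan: int
    subnet: IPv4Network
    auth: str       # authentication/encryption as stated in the design
    allow: list     # internal networks this SSID may reach
    internet: bool  # whether non-RFC1918 (Internet) destinations are reachable


POLICIES = {
    # Staff: company-authorized servers (assumed range); Internet access is an assumption.
    "STAFF": SsidPolicy("CorpStaff", 43, STAFF_NET, "802.1X (AD+IAS) + WPA-PSK",
                        [INTERNAL_SERVERS], True),
    # External users: Internet only, nothing internal.
    "GUEST": SsidPolicy("Guest", 44, GUEST_NET, "key auth + WEP", [], True),
    # Production terminals: all networks.
    "PROD": SsidPolicy("ProdTerminal", 7, PROD_NET, "MAC auth + WPA-PSK",
                       list(RFC1918), True),
}


def is_allowed(policy: SsidPolicy, dst: str) -> bool:
    """Evaluate the policy for one destination in the same order the ACL applies it:
    explicit internal allows first, then a deny for every other private range,
    then Internet access if the SSID has it."""
    addr = ip_address(dst)
    if any(addr in net for net in policy.allow):
        return True
    if any(addr in net for net in RFC1918):
        return False
    return policy.internet


def _wild(net: IPv4Network) -> str:
    """IOS address/wildcard-mask pair for a network."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(policy: SsidPolicy) -> list[str]:
    """Render the policy as an IOS-style extended ACL for inbound traffic on the
    SSID's VLAN interface (assumed syntax)."""
    src = _wild(policy.subnet)
    lines = [f"ip access-list extended WLAN-VLAN{policy.vlan}-IN"]
    lines += [f" permit ip {src} {_wild(net)}" for net in policy.allow]
    lines += [f" deny ip {src} {_wild(net)}" for net in RFC1918]
    if policy.internet:
        lines.append(f" permit ip {src} any")
    lines.append(" deny ip any any")
    return lines


def ap_port_config(port: str, mgmt_vlan: int = 42, dhcp_server: str = DHCP_SERVER) -> list[str]:
    """Access-switch configuration for an AP-facing port (access mode, VLAN 42) plus the
    DHCP relay on the management VLAN interface, as the design describes (assumed syntax)."""
    return [
        f"interface {port}",
        " switchport mode access",
        f" switchport access vlan {mgmt_vlan}",
        f"interface Vlan{mgmt_vlan}",
        f" ip helper-address {dhcp_server}",
    ]


if __name__ == "__main__":
    for key, pol in POLICIES.items():
        print(f"! {key}: SSID {pol.ssid}, VLAN {pol.vlan}, {pol.auth}")
        print("\n".join(build_acl(pol)))
    print("\n".join(ap_port_config("GigabitEthernet0/1")))
```

Running the script prints one ACL per SSID and the AP port stanza; `is_allowed` is the check to run against a planned change (for example, that a guest address can reach the Internet but not the controller subnet) before the ACL is deployed.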
In addition to using multiple SSIDs to differentiate users and apply different access control policies, we also use different user authentication and encryption methods to improve the security of the wireless network. The company's internal employees use 802.1X authentication against AD + IAS with WPA-PSK encryption of the communication, which manages users while ensuring security. External users use key authentication with WEP encryption, which provides a certain level of security together with convenient, fast wireless service. Production mobile terminals use MAC address authentication with WPA-PSK encryption.
To further protect the wireless network, we also use bandwidth control to limit the bandwidth that external users can consume. On the one hand, this limits how much of the network's resources they can occupy; on the other hand, when a client is infected with a virus, the virus's attack traffic cannot take up the entire bandwidth of the network.
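The bandwidth control described above is usually implemented as a token bucket policing each external user's traffic. The following Python simulation is an added example, not code from the article, showing why the limit matters: a station flooding the air at 60 Mbps is cut back to its 2 Mbps allowance, so a worm or scan on a guest machine cannot saturate the 54 Mbps AP shared by everyone else. The 2 Mbps limit, the 125 ms burst allowance, the flood rate and the packet size are constructed values. From the defender's side this is a containment control worth keeping regardless of the encryption on the guest SSID: WEP has been deprecated since 2004 and can be recovered by passive capture, so the rate limit is not a substitute for stronger encryption on that SSID.

```python
"""Token-bucket rate limiter modelling the per-user bandwidth limit on the
external-user SSID. Added example; all numeric values are constructed."""


class TokenBucket:
    """Classic token bucket: tokens (bytes) accrue at rate_bps/8 per second up to
    burst_bytes; a packet passes only if enough tokens are present."""

    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = float(burst_bytes)     # maximum accumulated credit
        self.tokens = float(burst_bytes)    # start full, like a real policer
        self.last = 0.0                     # timestamp of the last refill

    def allow(self, now: float, size: int) -> bool:
        """Refill for the elapsed time, then admit the packet if it fits."""
        if now > self.last:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
            self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def simulate_flood(limit_bps: float, flood_bps: float, duration_s: float = 1.0,
                   pkt: int = 1500) -> tuple:
    """Offer flood_bps of pkt-byte packets, evenly spaced over duration_s, to a
    bucket policing at limit_bps with a 125 ms burst allowance.
    Returns (passed_bytes, dropped_bytes)."""
    burst = int(limit_bps / 8 * 0.125)
    bucket = TokenBucket(limit_bps, burst)
    n = int(flood_bps / 8 / pkt * duration_s)
    passed = dropped = 0
    for i in range(n):
        t = i * duration_s / n
        if bucket.allow(t, pkt):
            passed += pkt
        else:
            dropped += pkt
    return passed, dropped


def share_of_ap(passed_bytes: int, duration_s: float = 1.0, ap_bps: float = 54e6) -> float:
    """Fraction of an 802.11g AP's 54 Mbps that the admitted traffic would occupy."""
    return passed_bytes * 8 / duration_s / ap_bps


if __name__ == "__main__":
    limited, _ = simulate_flood(limit_bps=2e6, flood_bps=60e6)
    unlimited, _ = simulate_flood(limit_bps=1e9, flood_bps=60e6)
    print(f"policed at 2 Mbps: {share_of_ap(limited):.1%} of the AP")
    print(f"no policing:       {share_of_ap(unlimited):.1%} of the AP")
```

The bucket starts full, so the first packets of a burst pass unhindered (good for interactive guest use) and only sustained traffic is throttled, which is the behaviour a per-user policer on the controller or core switch gives.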
We use network load balancing and automatic failover to increase the availability of the wireless network. Network load balancing distributes wireless users or terminals among the nearby APs within wireless coverage. Within the coverage of one AP the bandwidth of the wireless connection is shared, that is, the more wireless terminals there are, the less bandwidth each terminal gets. To guarantee the transmission of each wireless terminal, it is necessary to limit the number of wireless terminals on one AP, the total bandwidth transmitted by the AP, or the upper bandwidth limit of each wireless terminal. Load balancing effectively relieves the burden on a single AP and makes effective use of neighboring APs for access, thus ensuring the quality of applications. The automatic failure recovery function detects in real time whether an AP on the network has failed; when an AP failure is found, the wireless controller can automatically adjust the power (coverage) of the adjacent APs to take over the work of the failed AP.
After the company's unified wireless network was built, it not only met the requirements of the company's production and office wireless applications but also acts as an extension of the wired network, making the expansion of the enterprise LAN more flexible and simpler.
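The load balancing and failover behaviour described above, as an added example that is not code from the article: a Python simulation of a controller that places each client on the least-loaded AP covering it, enforces a per-AP client limit, and on AP failure raises the transmit power of neighbouring APs and re-associates the orphaned clients. The AP positions, the per-AP client limit, the 20 m base coverage radius and the simplified "+3 dB doubles power, radius grows by root 2" propagation model are constructed assumptions for the illustration.

```python
"""AP load balancing and automatic failover simulation.
Added example; AP names, positions, client limits and the radio model are constructed."""
import math
from dataclasses import dataclass, field

BASE_RADIUS_M = 20.0   # coverage radius at the base power level (constructed)
BASE_POWER_DBM = 17    # base transmit power (constructed)


@dataclass
class AccessPoint:
    name: str
    x: float
    y: float
    max_clients: int
    tx_power_dbm: int = BASE_POWER_DBM
    alive: bool = True
    clients: set = field(default_factory=set)

    def coverage_radius(self) -> float:
        # Simplified free-space model: +3 dB doubles the power, which stretches the
        # usable radius by about sqrt(2).
        return BASE_RADIUS_M * math.sqrt(2) ** ((self.tx_power_dbm - BASE_POWER_DBM) / 3)

    def covers(self, x: float, y: float) -> bool:
        return self.alive and math.hypot(self.x - x, self.y - y) <= self.coverage_radius()


class WirelessController:
    """Keeps the client-to-AP mapping and applies the balancing and failover rules."""

    def __init__(self, aps):
        self.aps = {ap.name: ap for ap in aps}
        self.where = {}   # client -> (x, y), needed to re-associate after a failure
        self.assoc = {}   # client -> AP name

    def associate(self, client: str, x: float, y: float):
        """Place the client on the least-loaded AP that covers it and has a free slot;
        returns the AP name or None if no AP can take it."""
        self.where[client] = (x, y)
        candidates = [ap for ap in self.aps.values()
                      if ap.covers(x, y) and len(ap.clients) < ap.max_clients]
        if not candidates:
            self.assoc.pop(client, None)
            return None
        # Load balancing: fewest clients first, nearest AP as the tie-breaker.
        best = min(candidates, key=lambda ap: (len(ap.clients),
                                               math.hypot(ap.x - x, ap.y - y)))
        best.clients.add(client)
        self.assoc[client] = best.name
        return best.name

    def ap_failed(self, name: str) -> dict:
        """Mark an AP dead, boost the neighbours' power by 3 dB to close the coverage
        hole, and re-associate the orphaned clients. Returns {client: new AP or None}."""
        failed = self.aps[name]
        failed.alive = False
        orphans = sorted(failed.clients)
        failed.clients.clear()
        for ap in self.aps.values():
            if ap.alive and math.hypot(ap.x - failed.x, ap.y - failed.y) <= 2 * BASE_RADIUS_M:
                ap.tx_power_dbm += 3
        return {c: self.associate(c, *self.where[c]) for c in orphans}


if __name__ == "__main__":
    wc = WirelessController([AccessPoint("AP-A", 0, 0, 3),
                             AccessPoint("AP-B", 30, 0, 3),
                             AccessPoint("AP-C", 60, 0, 3)])
    for client, pos in [("c1", (5, 0)), ("c2", (5, 0)), ("c3", (15, 0))]:
        print(client, "->", wc.associate(client, *pos))
    print("AP-A failed, moved:", wc.ap_failed("AP-A"))
```

In the run above, `c3` is in range of both AP-A and AP-B and lands on AP-B because AP-A already carries two clients; after AP-A fails, AP-B steps up to 20 dBm, its radius grows to about 28 m, and the two clients 25 m away are picked up. A client that arrives once AP-B is at its limit gets `None`, which is exactly the "limit the number of terminals per AP" rule the text describes.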