Penn State Wireless
LAN Design Examples
Table of Contents
Getting Help (page 3)
Note About IP Address Assignments (page 3)
Simple Wireless LAN: Example 1, Compliant (page 4)
Simple Wireless LAN: Example 1a, Not Compliant (page 5)
Simple Wireless LAN: Example 1b, Not Compliant (page 6)
Simple Wireless LAN: Example 1c, Not Compliant (page 7)
Simple Wireless LAN: Example 1d, Not Compliant (page 8)
Simple Wireless LAN: Example 1e, Not Compliant (page 9)
Simple Wireless LAN: Example 1f, Not Compliant (page 10)
Multiple LANs: Example 2, Compliant (page 11)
Multiple LANs: Example 2a, Not Compliant (page 12)
Multiple LANs: Example 2b, Not Compliant (page 13)
Multiple LANs: Example 2c, Not Compliant (page 14)
Multiple LANs and Closets: Example 3, Compliant (page 15)
Multiple LANs and Closets: Example 3a, Not Compliant (page 16)
Two or More Customers in Same Building: Example 4, Compliant (page 17)
Two or More Customers in Same Building: Example 4a, Not Compliant (page 18)
Customer Owned Router and DHCP server: Example 5, Compliant (page 19)
Customer Owned Router and DHCP server: Example 5a, Not Compliant (page 20)
Customer Owned Router and DHCP server: Example 5b, Not Compliant (page 21)
Customer Owned Router and DHCP server: Example 5c, Not Compliant (page 22)
Customer Owned Router and DHCP server: Example 5d, Not Compliant (page 23)
Customer Owned Router and DHCP server: Example 5e, Not Compliant (page 24)
Customer Owned Router and DHCP server: Example 5f, Not Compliant (page 25)
Customer Owned Router and DHCP server: Example 5g, Not Compliant (page 26)
Customer Owned Router and DHCP server: Example 5h, Not Compliant (page 27)
Customer Owned Router, TNS DHCP: Example 6, Compliant (page 28)
Customer Owned Router and DHCP Server, Multiple Wireless Penn State Wireless LANs: Example 7, Compliant (page 29)
Customer Owned Router, TNS Provided DHCP Server, Multiple Wireless Penn State Wireless LANs: Example 8, Compliant (page 30)
Customer Owned Router with Departmental VPN: Example 9, Compliant (page 31)
Penn State Wireless Assist Criteria Checklist (page 32)
Wireless Indicator Signs (page 34)
LAN diagrams were created by Kurt Jeschke,
Telecommunications and Networking Services (TNS), a unit of ITS
Information Technology Services (ITS)
http://its.psu.edu/
November 2006
Information Technology Services (ITS)
Page 2
http://its.psu.edu/wireless/
Getting Help

If you have set up a non-ITS wireless network in a college or department, and would like to enhance the
security of your network, call (814) 865-6580 or complete the request form on the following Web page:
https://www4.tns.its.psu.edu/forms/spDesignReqForm.html

If you work in a college or department, and do not have a wireless network, but are interested in setting
one up, contact the ITS Consultant for your area: http://css.its.psu.edu/cs/itsanalysts.html

If you have general questions about using wireless services at Penn State, such as configuring your
computer to receive a wireless signal, contact the ITS Help Desk; see
http://css.its.psu.edu/consulting/consult.html for contact information.

If you believe your computer is configured properly, but cannot access Penn State Wireless, contact your
local Wireless LAN support person. To find out who your contact is, please login with your Penn State
Access Account at https://www4.tns.its.psu.edu/scripts/wireless/ and then select the location where you
are attempting to use the service.

If you have questions about this document or the ITS Web site, please let us know through our contact
form at http://ask.psu.edu/its.html, or contact the ITS Help Desk; see
http://css.its.psu.edu/consulting/consult.html for contact information.
Note About IP Address Assignments
The IP address subnet for the wireless devices’ DHCP pool must be from private address space. The addresses in
this subnet can only be assigned via DHCP, and only to wireless devices on the Penn State Wireless LAN.
(Obviously, the Penn State Wireless LAN router interface is the only permitted exception to this requirement.)
IP addresses for the Penn State Wireless Access Points and all Penn State Wireless LAN switches need to be
assigned from a subnet other than that of the wireless devices’ DHCP pool.
While it is not required, it is strongly recommended that the subnet used for the Penn State Wireless Access
Points and all Penn State Wireless LAN switches is from private address space. Having these addresses assigned
from private address space increases security and allows Penn State to better utilize its IPv4 address pools.
Simple Wireless LAN: Example 1, Compliant
This configuration includes:
- One Telecommunications closet with one Penn State Wireless Assist LAN.
- TNS provided DHCP service using private IP address space for wireless devices.
- Penn State Wireless Assist LAN directly attached to Integrated Backbone (IB) uplink.
Simple Wireless LAN: Example 1a, Not Compliant
This configuration is not compliant, because only Penn State Wireless Access Points and Penn State Wireless
LAN switches can be connected to a Penn State Wireless Assist LAN.
Any device that is not a Penn State Wireless Access Point or a Penn State Wireless LAN switch must be
removed from the LAN before it can be compliant with the Penn State Wireless Assist Criteria Checklist (Item
#3, Bullet #1).
Simple Wireless LAN: Example 1b, Not Compliant
This configuration is not compliant because there are devices other than Penn State Wireless Access Points and
Penn State Wireless LAN switches on the Penn State Wireless Assist LAN.
Unless a customer maintains a router that has DHCP forwarding (sometimes called DHCP helper) capability,
TNS must provide the DHCP service. Shortly, with the introduction of the DHCP Transport Service, a customer
will be able to provide DHCP service for the wireless devices on their Penn State Wireless Assist LAN.
See Example 2a for more detail.
Simple Wireless LAN: Example 1c, Not Compliant
This configuration is not compliant because the Access Points are not compatible with IEEE standard 802.11b,
cannot be secured with a password, do not have their SSID set to "pennstate", are not managed from a secure
wired management station, or any combination of the four.
To be compliant, Penn State Wireless Assist Access Points must meet all of the requirements listed in the Penn
State Wireless Assist Criteria Checklist, particularly those in item #2.
Simple Wireless LAN: Example 1d, Not Compliant
This configuration is not compliant because the wireless devices' IP addresses, supplied by DHCP, are not
assigned from private address space.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #4) wireless devices
must be assigned, via DHCP, a private IP address, from a pool provided by TNS.
Simple Wireless LAN: Example 1e, Not Compliant
This configuration is not compliant because Penn State Wireless Access Points, Penn State Wireless LAN
switches, and wireless devices are all assigned addresses from the same subnet.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #5) wireless devices
must be assigned from a different subnet than the subnet used by the Penn State Wireless Access Points and
Penn State Wireless LAN switches.
Simple Wireless LAN: Example 1f, Not Compliant
This configuration is not compliant because access controls are present that prevent all Penn State faculty, staff,
and students with a valid Penn State Access Account from using the Penn State Wireless Assist service.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #2, bullet #1) no mechanism may
be employed in the system that prevents any user with a valid Penn State Access Account from accessing the
network in a manner consistent with ITS Penn State Wireless Complete.
Multiple LANs: Example 2, Compliant
This LAN has the following configuration:
- One multiple closet LAN and one Penn State Wireless Assist LAN.
- TNS provided DHCP service using private IP address space for wireless devices.
- The Penn State Wireless Assist LAN is directly attached to its own TNS maintained backbone uplink.
- The multiple closet LAN, with no Penn State Wireless devices, has its own IB uplink.
Multiple LANs: Example 2a, Not Compliant
This configuration is not compliant. Currently, unless the customer maintains a router that has DHCP forwarding
(sometimes called DHCP helper) capability, TNS must provide the DHCP service.
When the DHCP Transport Service is available, this method of providing DHCP service to a Penn State
Wireless Assist LAN will be possible and compliant.
Multiple LANs: Example 2b, Not Compliant
This configuration is not compliant. As shown in Example 1a, only Penn State Wireless Access Points and Penn
State Wireless LAN switches can be connected to a Penn State Wireless Assist LAN.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #1), all devices that are
not Penn State Wireless LAN switches or Penn State Wireless Access Points need to be removed from the LAN.
Alternatively, the Penn State Wireless Access Points could be moved onto another LAN, with its own backbone
uplink as shown in Example 2 and Example 3.
Multiple LANs: Example 2c, Not Compliant
This configuration is not compliant. Access Points in MDF Closet, IDF Closet #1 and IDF Closet #2 are
connected to a non-Penn State Wireless Assist LAN and cannot participate in the Penn State Wireless Assist
service.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #1), Penn State Wireless
Access Points and Penn State Wireless LAN switches must be on a wireless-only LAN segment.
Multiple LANs and Closets: Example 3, Compliant
This LAN has the following configuration:
- Penn State Wireless Assist LAN directly attached to TNS maintained backbone uplink.
- The other LAN, with no Penn State Wireless devices, has its own IB uplink.
Multiple LANs and Closets: Example 3a, Not Compliant
This LAN is not compliant. Access Points in IDF Closet #1 and IDF Closet #2, which are not connected to the
Penn State Wireless Assist LAN, cannot participate in the Penn State Wireless Assist Service.
See Examples 2b and 2c for further details.
Two or More Customers in Same Building: Example 4, Compliant
This LAN has the following configuration:
- A single, multiple-tenant building, where two different departments want to manage and maintain their
own Penn State Wireless Assist LAN.
- TNS provided DHCP.
- Each customer provides an IB uplink for their Penn State Wireless Assist LAN.
Two or More Customers in Same Building: Example 4a, Not Compliant
This LAN is not compliant because only Penn State Wireless Access Points and Penn State Wireless LAN
switches can be connected to a Penn State Wireless Assist LAN.
See Examples 2b and 2c for further details.
Customer Owned Router and DHCP server: Example 5, Compliant
This LAN has the following configuration:
- One Penn State Wireless Assist LAN that spans three telecommunications closets.
- Customer provides DHCP Service.
- Customer provides Penn State Wireless Assist LAN uplink to a customer maintained router.
Customer Owned Router and DHCP server: Example 5a, Not Compliant
This LAN is not compliant because the Penn State Wireless Assist ACLs are missing from the Penn State
Wireless Assist LAN uplink to the customer maintained router.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #2), the required ACL
filters must be active on the customer provided Penn State Wireless Assist LAN uplink.
Customer Owned Router and DHCP server: Example 5b, Not Compliant
This LAN is not compliant because the Penn State Wireless Assist access device IP address pool, based on
subnet information provided to TNS for the Penn State Wireless ACLs, is routed across other interfaces.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #1), all Penn State
Wireless Assist related subnet information provided to TNS must be consistent with the customer's router's
forwarding tables.
Customer Owned Router and DHCP server: Example 5c, Not Compliant
This example is similar to 5b. Subnet information provided to TNS for the Penn State Wireless ACLs applied to
the IB uplink is not consistent with the routes defined in the router. In this example, the IP pool for access points
and switches is shared with devices on other LANs.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #1), all Penn State
Wireless Assist related subnet information provided to TNS must be consistent with the customer's router's
forwarding tables.
Customer Owned Router and DHCP server: Example 5d, Not Compliant
This LAN is not compliant. Penn State Wireless Assist wireless devices are assigned addresses from public IP
address space.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #4), wireless clients must
be assigned private address space acquired through TNS.
Customer Owned Router and DHCP server: Example 5e, Not Compliant
This LAN is not compliant. Wireless devices are assigned IP addresses in the same subnet as the Penn State
Wireless Access Points and Penn State Wireless LAN switches.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #5), IP addresses for
LAN components must be assigned from a subnet other than that of the wireless clients.
Customer Owned Router and DHCP server: Example 5f, Not Compliant
This LAN is not compliant because the customer is maintaining a DHCP server in a manner not consistent with
the requirements of University Policy AD20, not maintaining DHCP logs, or both.
To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #3), the customer must
administer the DHCP server in accordance with the requirements of Policy AD20 and keep the server logs for at
least one year.
Customer Owned Router and DHCP server: Example 5g, Not Compliant
This LAN is not compliant because the customer is using NAT, Proxy ARP, inaccurate DNS entries, inaccurate
static routes, or a combination of these methods to redirect the ITS Penn State Wireless VPN client to a VPN
device other than the proper Penn State Wireless Complete VPN device at the particular Penn State location.
To be compliant with the Penn State Wireless Criteria Checklist (item #3, bullet #2), the service must use the
Penn State Wireless Complete VPN device.
Customer Owned Router and DHCP server: Example 5h, Not Compliant
This LAN is not compliant because the customer has not installed ACLs on all Penn State Wireless LAN
interfaces, or ACLs allow unauthenticated access to other local LANs or other Penn State Wireless Assist LANs.
Customer Owned Router, TNS DHCP: Example 6, Compliant
This LAN has the following configuration:
- One Penn State Wireless Assist LAN that spans three telecommunications closets.
- TNS provided DHCP service.
- Customer provided Penn State Wireless Assist LAN uplink to a customer maintained router.
Customer Owned Router and DHCP Server, Multiple Wireless Penn State Wireless LANs: Example 7, Compliant
This LAN has the following configuration:
- Three independent Penn State Wireless Assist LANs.
- Customer provided DHCP.
- Three customer provided Penn State Wireless LAN uplinks.
Customer Owned Router, TNS Provided DHCP Server, Multiple Wireless Penn State Wireless LANs: Example 8, Compliant
This LAN has the following configuration:
- Three independent Penn State Wireless Assist LANs.
- TNS provided DHCP service.
- Three customer provided Penn State Wireless LAN uplinks.
Customer Owned Router with Departmental VPN: Example 9, Compliant
This LAN has the following configuration:
- Customer is allowing access to the Penn State Wireless Complete VPN device at the particular Penn
State campus and another VPN device operated by them in accordance with AD-20.
- The Departmental VPN does not use the same Group Access name as the Penn State Wireless service.
- The Departmental VPN is not directly connected (Layer 2) to the same LAN as the Access Points.
Penn State Wireless Assist Criteria Checklist
1. Administration of the local wireless LAN
- Only an existing Administrative, Technical or Security contact in the applicable building may request Penn State
Wireless Assist.
- The building in which the service is to be provided must have a designated wireless LAN contact for 1)
administrative, 2) technical, and 3) security issues. Contact availability information must also be provided for
coverage from 8 a.m. through 5 p.m., Monday through Friday.
- The intended coverage area for the wireless network utilizing Penn State Wireless Assist must be identified (either
by room number or other adequate physical description) to permit reasonable troubleshooting support.
- Designation of the coverage areas must be kept up-to-date, with an annual review. Notification will be sent by ITS
to the wireless LAN contact.
- The wireless LAN must be registered with ITS by the Administrative, Technical or Security contact.
2. Configuration of an access point
- No mechanism may be employed in the system that impedes any user with a valid Penn State Access Account
from accessing the network in a manner consistent with Penn State Wireless Complete. (Examples include using
MAC addresses or other addresses that prohibit access.)
- All access points on the Penn State Wireless Assist LAN segment must be compatible with IEEE standard
802.11b, include password protection as stated in University Policy AD20, have their SSID set to "pennstate", be
configured in "bridging" mode, and have no local access controls other than the SSID.
- All management of the access points must be from secured wired management stations only.
3. Other technical items
While the use of VLANs as a software configurable method of providing segmentation between wired and wireless
LAN segments is not explicitly forbidden, their use for this purpose is discouraged. Because VLANs add a significant
level of complexity to the LAN environment, and thus increase the likelihood of a misconfiguration, they add a level of
unnecessary risk. Individual departments that elect to use VLANs for this purpose must be aware of the increased risk
introduced by VLANs and set appropriate management controls to ensure that the risk is minimized.
- Individual departments are responsible for providing a separate wireless-only LAN segment with its own layer 3
interface. (This can be in the form of a port from a router for the LAN, or a separate connection to Penn State's
Integrated Backbone.)
- If a customer-managed router is used to terminate the wireless LAN segments, the following access control list
(i.e. filters) must be applied to the router interface that connects to the wireless LAN segment:
  - Allow packet forwarding from the wireless segment only for the IP address subnet that is assigned to the
wireless LAN segment (source address filtering).
  - Allow packet forwarding for the DNS protocol only to the DNS server.
  - Allow packet forwarding for the DHCP protocol only to the DHCP server.
  - Allow packet forwarding for the NTP protocol to the appropriate NTP server.
  - Allow packet forwarding of all other ports and protocols only to the Penn State Wireless Complete VPN
server appropriate to the campus, and any departmentally controlled VPN server that is administered in
accordance with AD-20. No departmentally controlled VPN may use the same Group Access name as the
Penn State Wireless Complete VPN.
  - As described in RFC2644/BCP34, disable forwarding of packets addressed to the broadcast addresses of
the directly connected subnets.
- If a local DHCP server is used to provide IP addresses for clients on the local wireless LAN segment, then that
DHCP server must:
  - Be administered in accordance with AD20, and its logs must be maintained for at least one year.
- IP addresses assigned to wireless clients must use private address space acquired through TNS.
- IP addresses for LAN components (access points and switches) must be assigned from a subnet other than that of
the wireless clients.
I acknowledge that my wireless LAN is compliant with the Penn State Wireless Assist criteria. I understand that if this LAN
is found to be noncompliant at any time, the service may be terminated without prior notification. Penn State Wireless
Assist will not be reinstated unless the LAN fully meets the above criteria. In addition, I agree to register the wireless LAN
at https://www4.tns.its.psu.edu/scripts/wnr.
Administrative Wireless Contact: ________________________________________________Date: _________________
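The following is an added example, not part of the ITS document or of any Penn State tool: a small Python model of checklist item 3 (the uplink ACL filters, the private address pool and the separate AP/switch subnet from the Note About IP Address Assignments) that a department could run against a proposed design before submitting the form. Every address, server and subnet in it is a constructed placeholder, and "private address space" is modelled as the RFC 1918 ranges.

```python
# Added example (not from the ITS document): check a proposed design against checklist
# item 3 and the IP address note. All addresses below are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# "Private address space" in the document is taken to mean the RFC 1918 ranges.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))

# Constructed sample design (placeholders, not real Penn State assignments).
CLIENT_POOL = ip_network("10.50.0.0/23")    # wireless devices' DHCP pool
INFRA_SUBNET = ip_network("10.50.2.0/24")   # access points and LAN switches
DNS_SERVER = ip_address("10.50.2.53")
DHCP_SERVER = ip_address("10.50.2.67")
NTP_SERVER = ip_address("10.50.2.123")
VPN_SERVERS = frozenset({ip_address("192.0.2.10")})  # campus Wireless Complete VPN
CONNECTED = (CLIENT_POOL, INFRA_SUBNET)     # subnets directly connected to the router
# Two deliberately non-compliant client pools, in the spirit of Examples 1d/5d and 1e/5e.
PUBLIC_POOL = ip_network("203.0.113.0/24")  # stands in for a public subnet
OVERLAPPING_POOL = ip_network("10.50.2.0/25")


def is_rfc1918(net):
    return any(net.subnet_of(p) for p in RFC1918)


def addressing_issues(client_pool, infra_subnet):
    """Item 3, bullets 4 and 5, plus the recommendation in the IP address note.
    Returns (violations, warnings); an empty violations list means compliant."""
    violations, warnings = [], []
    if not is_rfc1918(client_pool):
        violations.append("client DHCP pool must be private address space (item 3, bullet 4)")
    if client_pool.overlaps(infra_subnet):
        violations.append("AP/switch subnet must differ from the client pool (item 3, bullet 5)")
    if not is_rfc1918(infra_subnet):
        warnings.append("AP/switch subnet is public; private space is strongly recommended")
    return violations, warnings


@dataclass(frozen=True)
class Packet:
    """A packet arriving at the router from the wireless segment."""
    src: str
    dst: str
    proto: str                  # "udp", "tcp", "esp", "icmp", ...
    dport: Optional[int] = None


def wireless_uplink_acl(pkt, client_pool=CLIENT_POOL, dns=DNS_SERVER, dhcp=DHCP_SERVER,
                        ntp=NTP_SERVER, vpn=VPN_SERVERS, connected=CONNECTED):
    """Apply the item 3, bullet 2 filters in order; return ("permit"|"deny", reason).
    Only forwarding is modelled: a client's first DHCP broadcast is answered via the
    router's relay (DHCP helper), so the DHCP rule here covers unicast lease renewals."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in client_pool:              # source address filtering
        return "deny", "source not in the wireless segment's subnet"
    if any(dst == n.broadcast_address for n in connected):
        return "deny", "directed broadcast (RFC2644/BCP34)"
    if pkt.proto in ("udp", "tcp") and pkt.dport == 53:
        return ("permit", "DNS") if dst == dns else ("deny", "DNS only to the DNS server")
    if pkt.proto == "udp" and pkt.dport == 67:
        return ("permit", "DHCP") if dst == dhcp else ("deny", "DHCP only to the DHCP server")
    if pkt.proto == "udp" and pkt.dport == 123:
        return ("permit", "NTP") if dst == ntp else ("deny", "NTP only to the NTP server")
    if dst in vpn:                          # everything else must go through the VPN
        return "permit", "Wireless Complete / AD-20 departmental VPN"
    return "deny", "all other ports and protocols only to the VPN server(s)"


# Constructed sample traffic: lease renewal, DNS lookup, direct web session to the
# wired LAN (must be denied), VPN session, spoofed source, directed broadcast.
SAMPLE_TRAFFIC = [
    Packet("10.50.0.25", "10.50.2.67", "udp", 67),
    Packet("10.50.0.25", "10.50.2.53", "udp", 53),
    Packet("10.50.0.25", "10.50.2.80", "tcp", 80),
    Packet("10.50.0.25", "192.0.2.10", "udp", 500),
    Packet("172.16.9.9", "192.0.2.10", "udp", 500),
    Packet("10.50.0.25", "10.50.2.255", "udp", 137),
]


def audit(traffic=SAMPLE_TRAFFIC):
    """Return the ACL verdict ("permit"/"deny") for each packet, in order."""
    return [wireless_uplink_acl(p)[0] for p in traffic]
```

The model is a design check only; the actual filters must still be written in the syntax of the customer's router and verified there.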
Note: This form should accompany the TSR for Penn State Wireless Assist.
Wireless Indicator Signs
Help increase awareness of Penn State Wireless coverage areas. ITS invites campuses, colleges and departments
to download and post the signs shown below in wireless areas. Three wireless “signal” signs are available to
indicate Penn State Wireless coverage: on campus, in a specific building, or in a surrounding area. Both
8.5"x11" and 11"x17" signs are available. Signs can be downloaded at the following Web site:
http://its.psu.edu/wireless/signs.html
Need help? See page 3 for contact information.