Cisco Romania Blog
Share
tweet

Cisco Romania Blog > Securitate

Securitate

Ghid de bune practici: rețele wireless


20/12/2017

Notă: Recomandările prezentate mai jos pot fi configurate prin simpla selectare a butonului de activare corespunzător celor mai bune practici din lista WLC, începând cu versiunea 8.1 (Home> Best Practices).

N.B.: Pentru o mai mare ușurință în procesul de configurare a fost păstrată versiunea în limba engleză a acestui ghid. Vă rugăm să parcurgeți etapele descrise mai jos.

Network side (Infrastructure)

  1. Use PortFast on AP Connected Switch Ports https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html#wp1019884
  2. Configure the switchports in “access mode” for the APs in local mode.
  • For the switchports in trunk mode, that go to the APs in FlexConnect mode (that do local switching) and to the WLCs, always prune the VLANs to allow only those VLANS configured on the FlexConnect AP and WLC.
    • switchport nonegotiate command on those trunks to disable Dynamic Trunking Protocol (DTP)

WLC

  1. Use VLAN Tagging for Management Interface
  • (Cisco Controller) >config interface vlan management <vlan-id>
  • VLAN is allowed on the switchport and tagged by the trunk (non-native VLAN)
  1. WLAN not on Management Interface (we recommend non-management WLANs to be mapped to dynamic interfaces to split user traffic from management traffic)
  2. Use a second WLC for High Availability (reduce downtime in the wireless networks)
  3. It is recommended to use restart instead of reset system for the following scenarios to reduce network and service downtime and provide better serviceability

Security

  1. Disable Management over Wireless

(Cisco Controller) > config network mgmt-via-wireless disable

  1. Peer-to-peer Blocking

(Cisco Controller) >config wlan peer-blocking { disable | drop | forward-upstream} <wlan_id>

  1. We recommend that you use WPA2+AES instead of WPA+AES and TKIP because WPA2+AES provides greater security

Rogue

  1. Define Appropriate Malicious Rogue AP Rules
  • Any rogue APs using managed SSIDs, the same as your wireless infrastructure, must be marked as “Malicious”
  • Minimum RSSI >-70 dBm (not recommended for venues shared by various tenants)
  1. Identify and Update Friendly Rogue AP List Regularly
  2. Implement Auto Switchport Tracing (SPT) as Rogue AP Mitigation Scheme

Wireless RF

  1. Disable Low Data Rates

Consider disabling the 802.11b data rates (1, 2, 5.5, and 11Mbps)

Wireless>802.11b/g/n>Disable the low data rates.

  1. Lower the Number of SSIDs to prevent RF pollution (recommend a maximum of 4 per AP)
  2. Enable Client Load Balancing (don’t enable this feature for voice WLAN)

(Cisco Controller) >config load-balancing window <0-20> (recommended >5)

(Cisco Controller) >config wlan load-balance allow enable <WLAN id>

  1. Enable Band Selection

(Cisco Controller) >config wlan band-select allow enable <WLAN id>

  1. DCA – Dynamic Channel Assignment – is enabled by default

(Cisco Controller) >config 802.11a channel global auto

(Cisco Controller) >config 802.11b channel global auto

  1. DCA Restart – if this is a new installation or you have made major changes to DCA (channel widths or adding new APs). Attention, this can be a disruptive process!

(Cisco Controller) >config advanced 802.11a channel global restart

(Cisco Controller) >config advanced 802.11b channel global restart

  1. Auto Transmit Power Control (TPC) – use the Automatic setting to allow best transmit power for each radio. TPCv1 recommended in most cases

(Cisco Controller) >config 802.11a|b txPower global auto

  1. Auto Coverage Hole Detection (CHD)
  2. Disable the 802.11 network as follows:
  3. Go to Wireless > 802.11a/n/ac or 802.11b/g/n > Network to open the 802.11a (or 802.11b/g) Global Parameters page.
  4. Uncheck the 802.11a (or 802.11b/g) Network Status check box.
  5. Click Apply.
  6. Go to Wireless > 802.11a/n/ac or 802.11b/g/n > RRM > Coverage to open the 802.11a/ac (or 802.11b/g/n) > RRM > Coverage page.
  7. Click Enable Coverage Hole Detection.
  8. Click Apply
  9. Best Channel Width – instead of manually choosing 20, 40,80 or 160Mhz, DBS select the widest Channel Width with the highest Client Data rates, lowest channel utilization per radio

(Cisco Controller) >config advanced 802.11a channel dca chan-width best

  1. CleanAir should be enabled in order to effectively detect and mitigate RF interference

(Cisco Controller) >config 802.11{a|b} cleanair enable network

  1. For voice deployment, an RSSI of -67dBm is recommended at the edge of the cell, and anSNR of at least 25dB
Tags:
Lăsați un comentariu