CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] (text version)


  • Medium WLAN Design


    The medium WLAN design overlays wireless on top of the Campus module within the SAFE medium-sized network design model and does not offer high availability. Refer to Chapter 15, "Designing Medium-Sized SAFE Networks," for further details on the SAFE medium-sized network.

    The medium-sized network design also assumes that all WLAN devices are connected to a single IP subnet that has access to the majority of the services available to the medium wired network.

    EAP Design and Its Alternatives


    In the medium WLAN EAP design, wireless access points connect to existing Layer 2 access switches located in the medium Campus module.

    Figure 20-7 illustrates the medium EAP WLAN design.

    Figure 20-7. Medium EAP WLAN Design

    The RADIUS and DHCP servers are also deployed in the Campus module but sit on a separate subnet off the central Layer 3 switch.

    Wireless EAP users require DHCP and RADIUS authentication services to access the medium-sized network. In the branch medium arrangement, these services may reside at the corporate headend.

    The process of accessing the medium-sized network is the same as that outlined in the generic EAP WLAN design.

    The following are possible design alternatives in the medium EAP WLAN design model:

    • Implement local DHCP and RADIUS services at medium WLAN networks located at branches, to provide redundancy in case the main corporate office link fails.

    • Utilize wireless VLANs on access points as a means of providing VLAN assignments for users and user groups through the RADIUS server. Segregating users into specific groups enables you to define group-specific security policies.
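
The VLAN-assignment alternative above, as an added example that is not from the book: it assumes the RADIUS server and access points follow the RFC 3580 convention of carrying the VLAN in three tunnel attributes of the Access-Accept, and shows the server encoding them and the access point validating them. The group names and VLAN IDs are constructed sample values.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed sample policy: user group -> wireless VLAN ID (hypothetical).
GROUP_VLANS = {"engineering": 110, "finance": 120, "guest": 190}


def _tagged_int(attr_type, value):
    # Layout: type, length (6), tag byte (0 = unused), 24-bit value.
    return struct.pack("!BBB", attr_type, 6, 0) + value.to_bytes(3, "big")


def vlan_attributes(group):
    """RADIUS server side: encode the tunnel attributes added to the
    Access-Accept for a member of `group`. An unmapped group raises KeyError,
    so no user lands on a VLAN by default."""
    vlan_id = GROUP_VLANS[group]
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID outside the 802.1Q range")
    vid = str(vlan_id).encode("ascii")
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid)


def parse_vlan(attrs):
    """Access point side: return the assigned VLAN ID, or None when the
    attributes are malformed, incomplete or not a VLAN assignment."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            return None
        seen[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    if seen.get(TUNNEL_TYPE, b"")[1:] != TYPE_VLAN.to_bytes(3, "big"):
        return None
    if seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != MEDIUM_IEEE_802.to_bytes(3, "big"):
        return None
    group_id = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group_id[:1] and group_id[0] <= 0x1F:  # optional tag byte precedes the string
        group_id = group_id[1:]
    if not (group_id.isdigit() and 1 <= int(group_id) <= 4094):
        return None
    return int(group_id)
```

Rejecting an incomplete or inconsistent attribute set on the access point side keeps a user from being placed on a VLAN that the group-specific security policy did not intend.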


    IPSec VPN Design and Its Alternatives


    The IPSec VPN design used in the medium-size network differs only slightly from that shown in the large-enterprise design. The difference is primarily in how the VPN gateway connects the WLAN to the wired infrastructure: in this design, the VPN gateway connects to the Campus module Layer 3 switch through two VLANs. This is a cost-effective arrangement that reflects what a medium-size business would most likely adopt.

    NOTE

    Using a single switch to provide both interfaces of the VPN gateway introduces some security risks and is contrary to some of the switch axioms.

    The public interface of the VPN gateway connects to a VLAN on the Layer 2 access switches, which, in turn, are connected to the wireless access points. The private interface of the VPN gateway connects to a separate VLAN that is connected directly to the Layer 3 switch.

    The RADIUS and DHCP servers also are deployed in the Campus module but sit on a separate subnet off the central Layer 3 switch. The VPN gateway is configured to relay these services.

    The process of accessing the medium-sized network is the same as that outlined in the generic IPSec WLAN design.

    Figure 20-8 illustrates the medium IPSec VPN WLAN design.

    Figure 20-8. Medium IPSec VPN WLAN Design

    The following are possible design alternatives in the medium IPSec WLAN design model:

    • Add another layer of security behind the VPN gateway by using a NIDS sensor on a transit VLAN that terminates on a firewall.

    • Connect the VPN gateway directly to the wireless access points through a dedicated switching infrastructure instead of using a VLAN off the Layer 3 switch.


    Refer to the earlier section on network management within the large-enterprise WLAN EAP design for details on the issues related to network management within IPSec VPN design.

