Well, we had all heard the rumors that it was coming down the line, and today Cisco decided to make it official just ahead of Cisco Live. One very interesting thing about this update - no doubt a result of really listening to the community's voice regarding the things that threaten the enterprise most these days - is that they've added a heavy emphasis on Bring Your Own Device (BYOD) over wireless threats. This comes with the addition of a Wireless LAN Controller (WLC) and at least a single AP, along with the Identity Services Engine (ISE). For those of you who may not be familiar with the ISE, this is basically an evolution of a few devices combined into one - it is sort of a mix of the ACS, NAC Appliance and NAC Profiler. However, it is NOT a replacement for the ACS, namely because it does not do TACACS+, instead only supporting RADIUS for 802.1x and NAC. This is the reason that Cisco decided to leave the ACS server in there, while upgrading it to v5.x (most likely 5.3).

Also, if you happen to not have any experience with wireless technologies in general - you're in luck! INE is releasing our 20-hour CCNA Wireless class later today, which covers Lightweight Access Points (LWAP) being controlled by WLCs, and those WLCs being controlled by the higher-up Wireless Control System (WCS).

In fact, since I've mentioned the WCS, it's quite interesting that Cisco (in sort of a nonchalant way) mentions that the ASA firewalls may be configured by "Cisco Prime Tools". If you aren't familiar with Cisco Prime, it is basically the new branding of Cisco's network management as a whole. LMS, something called Prime NCS (the evolution of Cisco's WCS), and Prime Tools all now fall under the new Prime branding.

There's also a smidge of Voice device authentication as well, though it doesn't even begin to really touch on Unified Communications security - something I still think will largely be addressed in the next CCIE Voice update. Basically they have a 7900 phone (probably 7965) and you do NOT have to configure the Unified Communications Manager (UCM) server to get it to work; you only have to dot1x authenticate it onto the wired network. Basically, set up the ISE or ACS to authenticate it and interact with the actual phone display to input your credentials. Don't be concerned - it's nothing difficult at all.

Cisco also (finally) introduces their IronPort acquisition to the exam, by way of the S-series Web Security Appliance (WSA). This device goes way beyond the days of old where you simply blocked or allowed certain websites; it digs deep into the functionality of websites and web-based applications and provides 'acceptable use enforcement' for these sites or webapps. Take Facebook, for example. Many (if not most) companies these days have a social presence and use Facebook as a tool to conduct business, but that doesn't mean they want their users surfing FB all day. The WSA allows strategic enforcement of what is and is not allowed to occur via these types of web sites. It also blocks threats such as malware.

They mention simply including "VPN Client Software", which will no doubt be the Cisco Secure Services Client v5 installed on one or possibly more Windows 7 virtual desktops placed around the topology. This would make sense for both wired and wireless 802.1x authentication with the ACS/ISE, something we also go into in the new 20-hour CCNA Wireless class I just recorded a few weeks back. The question is whether the AnyConnect Secure Mobility Client will also be tested. It's not in there per se, but that doesn't mean it isn't possible.

The addition of at least one 2911 ISR-G2 only makes sense, as IOS version 15.2 can't be run on older ISRs (making me wonder why the older ISR is even included, save maybe that there are far more of them deployed currently).

Links to both the new v4 blueprint and v4 hardware/software equipment list, as well as a more detailed checklist for studying:

CCIE Security v4 Blueprint

CCIE Security v4 Equipment List

CCIE Security v4 Checklist

There are obviously still a lot of questions that need to be answered by Cisco to have a complete and full picture of this new version of the prestigious CCIE Security exam, and those will no doubt be addressed during the 8-hour seminar this Sunday at Cisco Live in San Diego. I should note that this 8-hour session is an additional charge ($799) on top of your normal admittance to the convention - it is not considered a "breakout session", all of which come included with your convention pass. Some obvious questions might be:

  • Will we need to know how to configure ASA via Prime Tools, or is that simply another option?
  • How many Windows 7 desktops will there be, and will we be using AnyConnect NAM on them or something like CSSC?
  • Will there be both ASA and ASA-X versions? And if so, what would be the reason? (The ASA-X series runs 8.6, whereas ASA only goes up to 8.4, amongst other things.)
  • And many others we'll come up with and have asked and answered

You can be sure that INE will be there, tweeting and live-blogging from the event.
Follow me and stay updated throughout the conference!


Once I catch my breath and look back at one of our popular INE courses like the CCNA Wireless course, I can delve a bit deeper into certain subjects that we did not have time for in the course. This is one of those moments. Let us get more detailed about Cisco's implementation of Radio Resource Management (RRM) in the Cisco Unified Wireless Network architecture.

Radio Resource Management

In today's wireless LAN infrastructures, users of course want more and more bandwidth in a greater and greater coverage area. This is tricky to implement, however, since adding more and more powerful access points can actually do more harm than good for throughput. The goal of Cisco's Radio Resource Management is to act like a Radio Frequency engineer built into the equipment. RRM allows the Cisco Unified Wireless equipment to continuously monitor the Radio Frequency environment and adjust things like channel assignments and power levels to ensure optimal coverage and throughput. The exciting goal here is to make the wireless infrastructure "self-healing".

Here is how Cisco RRM works from a high level:

  • Wireless LAN Controllers (WLCs) are provisioned with a consistent RF Group Name. This is an ASCII name to identify those WLCs and APs that are all part of the same wireless system.
  • APs periodically send out RRM Neighbor Messages to each other that are passed up to the Wireless LAN controllers as well. These messages are authenticated for security purposes and provide the controllers with a complete picture of all of the devices in the RF Group. From these devices an RF Group Leader is elected.
  • Note that these RRM Neighbor Messages play a critical role in other Cisco Unified Wireless Network capabilities such as Over-the-Air Provisioning (OTAP) and Rogue AP Classification.
  • Once the RF Group is understood, a series of algorithms is run to optimize AP configurations in the RF Group. It is the RF Group Leader that is responsible for these periodic math assignments. (This sounds like a great job for our own Petr Lapukhov!)
  • You should also note that RRM with its RF Grouping is separate and distinct from Mobility Grouping.

What are the algorithms that the RF Group Leader will be busy with?

  • Dynamic Channel Assignment Algorithm - using metrics of load measurements, noise, interference, signal strength
  • Transmit Power Control Algorithm
  • Coverage Hole Detection and Correction Algorithm

These are facts we should know about RRM at the CCNA Wireless level. Be sure to use the CCNA Wireless category drop down list here on the blog for more great articles on this exciting field of Cisco networking.


Encoding and Modulating

Questions Only

What form of CSMA does 802.11 use?

What does DCF stand for?

Your wireless station hears someone transmit and waits the duration heard plus what value?

What logically separates WLANs?

Name three requirements to roam between two autonomous APs.

What method causes changes to the characteristics of the RF signal?

What method changes the RF to make 0 and 1s?

What is the strength of a radio signal called?

What is the timing of the signal between peaks called?

How often the signal repeats in a second is called what?

What is the most popular frequency range for WLAN used today?

How many channels are used in the 2.4 GHz range?

How wide is each channel in the 2.4 GHz range?

What is the sending of 11 bits with each data bit?

Complementary Code Keying is used with what speeds?

How many bits per symbol do you have with Differential Binary Phase Shifting?

How many bits are encoded per symbol with DQPSK?

OFDM is used in which two 802.11 standards?

What is the technology used in 802.11n that uses multiple antennas?

As a client moves away from an AP, what happens to the sending and receiving rate?

Questions and Answers

What form of CSMA does 802.11 use?

Collision Avoidance

What does DCF stand for?

Distributed Coordinated Function

Your wireless station hears someone transmit and waits the duration heard plus what value?

DCF Inter Frame Spacing (DIFS)

What logically separates WLANs?

Service Set Identifiers (SSIDs)

Name three requirements to roam between two autonomous APs.

Same SSID; Non-overlapping channels; 15% overlap

What method causes changes to the characteristics of the RF signal?


What method changes the RF to make 0 and 1s?


What is the strength of a radio signal called?


What is the timing of the signal between peaks called?


How often the signal repeats in a second is called what?


What is the most popular frequency range for WLAN used today?

2.4 GHz

How many channels are used in the 2.4 GHz range?


How wide is each channel in the 2.4 GHz range?

22 MHz

What is the sending of 11 bits with each data bit?

Barker Code

Complementary Code Keying is used with what speeds?

5.5 Mbps and 11 Mbps

How many bits per symbol do you have with Differential Binary Phase Shifting?


How many bits are encoded per symbol with DQPSK?


OFDM is used in which two 802.11 standards?

802.11a and 802.11g

What is the technology used in 802.11n that uses multiple antennas?


As a client moves away from an AP, what happens to the sending and receiving rate?

Shifts down with Dynamic Rate Shifting


For success designing and implementing Cisco Wireless solutions, a CCNA Wireless student needs to be familiar with the options for various wireless topologies. Two were defined by the 802.11 committees, while others were made possible thanks to excellent developments by wireless vendors like Cisco Systems.


The 802.11 Topologies

Ad Hoc Mode

While not popular, it is possible to have wireless devices communicate directly with no central device managing the communications. This is called the Ad Hoc network topology and is one of the two topologies defined by the 802.11 committees. In the Ad Hoc type topology, one device sets a group name and radio parameters, and another device uses this information to connect to the wireless network.

This type of wireless network topology is referred to as an Independent Basic Service Set (IBSS). This is easy to remember as we know the devices are working independently of an access point (AP).

Network Infrastructure Mode

When an access point is used to create the network, the official term is network infrastructure mode for the network. There is a Basic Service Set (BSS) setup that uses a single access point, or the Extended Service Set (ESS) that uses multiple access points in order to extend the reach of the wireless network.

Access points running in the network infrastructure mode are often described as a cross between hubs and bridges. The APs act like hubs in that they service a single collision domain and must operate in a half duplex fashion. Fortunately for the AP, it does possess intelligence beyond a simple hub, however, and processes frames and forwards these based on MAC address information.

Vendor-Specific Topology Extensions

Workgroup Bridge

Perhaps your network contains clients that you want to connect to the wired infrastructure but these devices are in a location where it is difficult to extend actual physical wires. This is the perfect time to have the access point function as a workgroup bridge. The access point extends the wired LAN out to these wireless devices.


Repeater

In this case, the job of the access point is to strengthen the wireless signal from another access point. Perhaps it is strengthening the signal of an access point acting in the workgroup bridge role. When repeaters are used, there must be overlap in the access point cell coverage. In order to provide optimal performance, the overlap needs to be 50%.

Outdoor Wireless Bridge

These access points are typically used within a few miles of each other and are used to connect two or more LANs. The Cisco technology allows the configuration of point-to-point or point-to-multipoint topologies.

Outdoor Mesh Networks

The outdoor mesh network features an access point acting as a root device. This AP has an Ethernet connection to a distribution network and it associates with a Wireless LAN Controller (WLC). The other access points in the design act as mesh APs. All these devices need is power and can act as repeaters as required in order to allow all devices to reach the root access point. While the IEEE is working on a mesh standard called 802.11s, the Cisco solution features Adaptive Wireless Path Protocol (AWPP). AWPP promotes the mesh devices finding the best path back to the root AP.


We wanted to provide our students with advance notification of some upcoming online classes here at INE. While we hope to see many students in the actual live events, on-demand versions will indeed be made available the week following the live, online version.

Join the INE Experts Online in September and October

September 13 - 17th, 2010     CCNA Wireless 5-Day Bootcamp

September 15 - 17th, 2010     Security for CCIE R&S Candidates 3-Day Bootcamp

September 29 - Oct 1, 2010    IPv4/IPv6 Multicast 3-Day Bootcamp

October 4 - 9th, 2010              Online 6-Day CCIE R&S Bootcamp with K. Barker and A. Sequeira


We all remember from the wireless section of CCENT that we need to update the firmware of our devices to ensure they are running as efficiently and reliably as possible. This Training Simulation from the course walks you through the steps on a common Linksys router. Just click the link below to use the simulation and enjoy!

Updating Linksys Firmware


In an attempt to enhance the wireless security environment, especially in light of problems with Wireless Encryption Protection, SSID Cloaking and MAC Address Filtering were quickly implemented.

The Service Set Identifier (SSID) Cloaking feature is a very simple configuration change to the Access Points. Typically, a checkbox in the administration software determines whether the device broadcasts the SSID or not. The idea is that if a casual observer of the wireless networks in range does not see the SSID, they will have no idea it exists and will not attempt to associate with any of its Access Points. As you can probably detect already, this is a very weak security configuration; in fact, some would argue it is no security at all. Again, it just protects the network from a casual observer. You should also notice the overhead it adds to administration: each legitimate client must be provided the SSID for input into the client system that needs to connect.

The main problem with SSID Cloaking as a security mechanism was how easily it could be foiled by a hacker. The 802.11 standard allows a wireless client to send a NULL string as an SSID to the Access Point. When the Access Point receives the NULL string, it responds with the SSID configured for cloaking (oops!).
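To see where a cloaked name still shows up when you review a capture of your own WLAN, the added example below (not from the original post) parses the SSID element out of three constructed 802.11 management frames: a cloaked beacon, a null-SSID probe request, and the Access Point's probe response as described above. The frame contents, the station address and the name CORP-WLAN are made up for illustration.

```python
MAC_HEADER_LEN = 24
# Management subtypes of interest -> (name, bytes of fixed fields before the tagged elements).
SUBTYPES = {4: ("probe-request", 0), 5: ("probe-response", 12), 8: ("beacon", 12)}


def mgmt_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a constructed management frame (sample data, not a real capture)."""
    addr = b"\x02\x00\x00\x00\x00\x01"  # locally administered, made-up address
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + addr + addr + b"\x00\x00"
    fixed = b"\x00" * SUBTYPES[subtype][1]
    rates = bytes([1, 1, 0x82])  # one more element so the parser has to walk the list
    return header + fixed + bytes([0, len(ssid)]) + ssid + rates


def parse_ssid(frame: bytes):
    """Return (frame_kind, ssid); ssid is '' when the SSID element is empty or all NULs."""
    if len(frame) < MAC_HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None  # not a management frame this check looks at
    kind, fixed_len = SUBTYPES[subtype]
    pos = MAC_HEADER_LEN + fixed_len
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + elem_len]
        if len(data) < elem_len:
            raise ValueError("truncated information element")
        if elem_id == 0:  # element ID 0 is the SSID
            return kind, data.decode("utf-8", "replace") if data.strip(b"\x00") else ""
        pos += 2 + elem_len
    return kind, ""


def exposure(frames):
    """Map each frame kind seen to the set of network names it revealed."""
    seen = {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed is None:
            continue
        kind, ssid = parsed
        seen.setdefault(kind, set())
        if ssid:
            seen[kind].add(ssid)
    return seen


# Constructed capture: cloaked beacon, null-SSID probe, and the AP's answer.
CAPTURE = [mgmt_frame(8, b""), mgmt_frame(4, b""), mgmt_frame(5, b"CORP-WLAN")]

if __name__ == "__main__":
    for kind, names in exposure(CAPTURE).items():
        print(f"{kind:15} -> {sorted(names) or 'no name visible'}")
```

The beacon and the probe request show no name, while the probe response carries it in the clear, so the checkbox only changes which frame a listener has to wait for.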

MAC Address Filtering was another approach to wireless security in the first generation. The idea here is that you collect the MAC addresses of the systems that you want to legitimately access the network. You then have the Access Points limit activity to only those addresses. Once again, we immediately see a glaring administrative overhead problem when it comes to maintaining tables of legitimate MAC addresses. The main problem with this approach, however, lies in the fact that a MAC address is very, very easily spoofed (falsified). Therefore, once legitimate devices have their MAC addresses compromised, hackers can easily join the network using a spoofed address.


Wireless certainly exploded onto the networking scene, unlike other technologies that took years to catch on. However, with wireless came huge challenges for securing the wireless network. After all, having potentially sensitive network data traveling through the air as radio waves immediately presented massive concerns.

As a Cisco Certified Entry-level Networking Technician, you are expected to have an intimate knowledge about the consecutive generations of wireless security. Of particular focus should be the shortcomings of the various technologies that led to the creation of new and superior security methodologies. This blog post will provide you with the information you need to know about the first generation. Obviously, this blog post was taken from our CCENT course materials.

The first generation of security featured the following technologies or methods:

  • Wireless Encryption Protection (WEP)
  • SSID Cloaking
  • MAC Address Filtering

This post will focus on WEP, while follow up post(s) will focus on SSID Cloaking and MAC Address Filtering.

WEP security defined encryption and authentication between the Wireless Access Point and the Wireless Client(s) using a 64-bit static key (password). Typically, anytime that you see the word static associated with network security keys (passwords), you should immediately think about a few things. First, you should think that it will be very easy to set up, and certainly, static WEP is very simple to configure. Second, you should think that a static password configuration for security is not scalable. As you add more and more access points and more and more clients, you have an administrative burden of setting the appropriate passwords manually on all of those devices. Moreover, let's not even think about a security policy that requires you to change all of those passwords every 30 days. Third, you should think about static being pretty dangerous. If someone does learn that static password, they can compromise many systems that all rely on it.

Here is a list worth committing to memory; it is a list of some of the problems with WEP that gave rise to more powerful technologies:

  • Encryption that was too basic and proved too easily compromised
  • Lacking in strong authentication
  • Static keys
  • A lack of scalability
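The static-key problem in the list above, worked through as an added example (not from the original post or the course material). It relies on details of WEP the post does not spell out: the 64-bit key is a 40-bit shared secret plus a 24-bit per-frame IV sent in the clear, fed to RC4, with a CRC-32 check value appended to the data. The secret, IVs and payloads are constructed, and the key-ID byte of a real frame is omitted.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style body: cleartext IV, then RC4(IV || secret) over data + CRC-32."""
    if len(secret) != 5 or len(iv) != 3:
        raise ValueError("64-bit WEP uses a 40-bit secret and a 24-bit IV")
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + xor(body, rc4(iv + secret, len(body)))


def same_iv_xor(frame_a: bytes, frame_b: bytes):
    """If both frames carry the same IV, the keystream cancels: return the XOR
    of the two protected bodies (equal to the XOR of the plaintexts), else None."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])


# Constructed values for illustration only.
SECRET = b"\x01\x02\x03\x04\x05"
P1, P2 = b"GET /index.html", b"POST /login.php"
IV = b"\x00\x00\x2a"
F1 = wep_encrypt(SECRET, IV, P1)
F2 = wep_encrypt(SECRET, IV, P2)             # same static key, IV repeated
F3 = wep_encrypt(SECRET, b"\x00\x00\x2b", P2)  # same key, different IV

if __name__ == "__main__":
    leak = same_iv_xor(F1, F2)
    print("IV values available per key:", 2 ** 24)
    print("keystream cancelled:", leak[: len(P1)] == xor(P1, P2))
    print("different IV:", same_iv_xor(F1, F3))
```

Because the secret never changes, the only thing varying the keystream is the 24-bit IV, and once an IV repeats the two frames protect each other no better than an XOR of their plaintexts.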

In an attempt to enhance security in WEP environments, note that administrators implemented SSID Cloaking and MAC Address Filtering. These technologies will be covered shortly in our blog.

NOTE: In our CCENT course, you can get hands-on experience setting, and breaking, these various forms of first generation wireless security.


Before this exciting news, a quick introduction. My name is Josh Finke, Director of Operations for Internetwork Expert. Along with Brian Dennis and Brian McGahan, I am currently attending CiscoLive Networkers 2008 in Orlando, Florida.

After speaking with multiple Cisco employees within the wireless group, the Wireless CCIE has been confirmed. Beta candidate registration should begin this fall, along with a blueprint release. Beginning early 2009 the Wireless CCIE beta testing will begin! As of now, topics of the test are expected to cover all aspects of wireless from design through implementation including the implications of security, routing and switching and voice technologies. Check back often for any additional information!
