CCNA Wireless 200-355 Official Cert Guide (2016)

---

1. Which one of the following should be used to contain visitors and transient users of a wireless network?

a. WPA2 enterprise

b. Guest WLAN

c. One-time WEP

d. Broadcast SSID

2. Suppose a data WLAN and a guest WLAN are configured on a controller and mapped to two VLANs. Which one of the following is a true statement?

a. The controller can route traffic between the two WLANs.

b. The controller will bridge traffic between the two WLANs.

c. The controller cannot route packets between the two WLANs.

d. The controller can route packets between the two WLANs, but not the two VLANs.

3. To create a guest WLAN, which one of the following must be configured on a wireless controller?

a. A private WLAN

b. A guest mobility group

c. A guest BSS

d. A regular WLAN

4. Which one of the following correctly finishes this sentence? By default, all guest WLANs defined on controllers in an enterprise...

a. are merged into one VLAN and subnet.

b. are connected by CAPWAP tunnels.

c. must be assigned the same WLAN ID number.

d. are isolated from each other.

5. Which one of the following is necessary to merge guest WLANs from multiple controllers onto a common guest WLAN on a controller?

a. RF group

b. Global WLAN

c. Mobility anchor

d. Master controller

e. Prime Infrastructure templates

6. In a wireless guest network, which one of the following statements is correct?

a. A client associates with a guest mobility anchor controller and is tunneled to a guest foreign controller.

b. A client associates with a guest foreign controller and is tunneled to a guest mobility anchor controller.

c. A client associates with a guest mobility anchor and then must reassociate with a guest foreign controller.

d. A client associates with a guest foreign controller and then must reassociate with a guest mobility anchor controller.

7. Which of the following pairs of phrases makes this sentence correct? You can configure _____________ as a ______________ for a guest WLAN.

a. only one controller, mobility anchor

b. multiple controllers, mobility anchor

c. a mobility anchor, foreign controller

d. a foreign controller, mobility anchor

Foundation Topics

Guest Network Overview

Wireless LANs are usually configured to support specific groups of clients or client devices. For example, one WLAN might support wireless users in the Engineering department, even if that department is scattered in several buildings or locations. Other WLANs might support a sales staff, teachers, students, and so on. These examples segment wireless users by function or the need to access certain enterprise resources. Each WLAN might have a different set of security policies from the others.

You might also decide to create WLANs to support different types of wireless devices. For example, one WLAN could be configured to support all medical devices in a hospital that can use only Wi-Fi Protected Access Version 2 (WPA2) with a pre-shared key (PSK). A separate WLAN could be created for users with medical devices that support WPA2 Enterprise, with digital certificates. In these cases, WLANs are created according to the wireless device capabilities.

As a wireless network administrator, you might be asked to provide connectivity for users who do not fall into any convenient category. Guest users are normally temporary visitors who need to access a wireless network to make their work and their time onsite more convenient. Because guests are not regular, trusted employees, you should always try to offer some basic network access while containing and isolating them from the trusted portion of your network.

In Figure 16-1, both guests and engineering staff are able to use the same wireless infrastructure, while the two user groups are kept isolated from each other. The engineering users can communicate directly with the company resources. However, the guest users are commonly placed within a demilitarized zone (DMZ) that has limited access and is secured by a firewall.

Figure 16-1 Isolating Guest Wireless Users from Other User Groups

Building a guest wireless network might seem like a complex task; however, it is really no different from building any other WLAN that is tailored for a user community. The trick is to provide the appropriate degree of isolation from the rest of the enterprise network.

The guest WLAN can be bound to a guest VLAN that is isolated from other VLANs, as shown in Figure 16-2. Before guest users can access the guest WLAN, they should be authenticated somehow. In addition, before they can access resources on any other WLAN or VLAN, a router or firewall should permit and provide the access.

Figure 16-2 Isolation Between a Guest and Other WLANs

In Figure 16-2, the Guest WLAN advertises service set identifier (SSID) Guest and is bound to the controller’s Guest interface on VLAN 20. The same access point (AP) and controller infrastructure has an Engineering WLAN that is bound to the controller’s Engineering interface on VLAN 100.

Because all web browsers on all platforms use HTTP and HTTPS, the web browser is a universal interface for users to be authenticated before granting them wireless access. Cisco wireless LAN controllers (WLCs) support web authentication for this purpose. Users are presented with a web authentication splash page that includes a challenge for credentials.

Web authentication can be handled locally on the WLC for smaller environments through local web authentication (LWA). You can configure LWA in the following modes:

LWA with an internal database on the WLC

LWA with an external database on a RADIUS or LDAP server

LWA with an external redirect after authentication

LWA with an external splash page redirect, using an internal database on the WLC

When there are many controllers providing web authentication, it makes sense to use LWA with an external database on a RADIUS server, keeping the user database centralized. The next logical progression is to move the web authentication page onto the central server too. This is calledcentral web authentication (CWA).

Scaling the Guest Network

Building a guest WLAN on a single controller is straightforward. The guest WLAN is just like any other WLAN defined on the controller. In larger installations, you might have more than one controller. In that case, each guest WLAN terminates on its own controller, making it difficult to isolate all guest clients in a single DMZ or behind a single firewall.

Recall from Chapter 12, “Understanding Roaming,” that Cisco WLCs can support Layer 3 roaming by automatically building a tunnel between the first controller a client associates with and the controller where the client is currently located. In effect, the client is tunneled from a foreign controller back to the original anchor controller. This same tunneling strategy can be leveraged to funnel guest clients from any controller into a mobility anchor controller where guests share a common IP subnet and security policies.

Where Layer 3 roaming builds controller-to-controller tunnels to follow clients as they move, mobility anchors are configured ahead of time so that guest clients will be tunneled to one or more predetermined anchor controllers. Figure 16-3 illustrates the concept with three WLCs. Each WLC is configured with its own guest WLAN, but only WLC-1 is identified as a mobility anchor. The other two, WLC-2 and WLC-3, become foreign controllers that point to WLC-1 as their mobility anchor controller. Regardless of which controller a guest user joins, the user will be tunneled to the anchor and connected into the guest VLAN. You can also identify several mobility anchors so that guest users can be distributed across them to balance the load.

Figure 16-3 Using Mobility Anchors to Consolidate Guest Wireless Clients