
Penn State Wireless



LAN Design Examples



Table of Contents

Getting Help

Note About IP Address Assignments

Simple Wireless LAN: Example 1, Compliant

Simple Wireless LAN: Example 1a, Not Compliant

Simple Wireless LAN: Example 1b, Not Compliant

Simple Wireless LAN: Example 1c, Not Compliant

Simple Wireless LAN: Example 1d, Not Compliant

Simple Wireless LAN: Example 1e, Not Compliant

Simple Wireless LAN: Example 1f, Not Compliant

Multiple LANs: Example 2, Compliant

Multiple LANs: Example 2a, Not Compliant

Multiple LANs: Example 2b, Not Compliant

Multiple LANs: Example 2c, Not Compliant

Multiple LANs and Closets: Example 3, Compliant

Multiple LANs and Closets: Example 3a, Not Compliant

Two or More Customers in Same Building: Example 4, Compliant

Two or More Customers in Same Building: Example 4a, Not Compliant

Customer Owned Router and DHCP server: Example 5, Compliant

Customer Owned Router and DHCP server: Example 5a, Not Compliant

Customer Owned Router and DHCP server: Example 5b, Not Compliant

Customer Owned Router and DHCP server: Example 5c, Not Compliant

Customer Owned Router and DHCP server: Example 5d, Not Compliant

Customer Owned Router and DHCP server: Example 5e, Not Compliant

Customer Owned Router and DHCP server: Example 5f, Not Compliant

Customer Owned Router and DHCP server: Example 5g, Not Compliant

Customer Owned Router and DHCP server: Example 5h, Not Compliant


Customer Owned Router, TNS DHCP: Example 6, Compliant

Customer Owned Router and DHCP Server, Multiple Wireless Penn State Wireless LANs: Example 7, Compliant

Customer Owned Router, TNS Provided DHCP Server, Multiple Wireless Penn State Wireless LANs: Example 8, Compliant

Customer Owned Router with Departmental VPN: Example 9, Compliant

Penn State Wireless Assist Criteria Checklist

Wireless Indicator Signs

LAN diagrams were created by Kurt Jeschke, Telecommunications and Networking Services (TNS), a unit of Information Technology Services (ITS).

http://its.psu.edu/

November 2006

Getting Help


  • If you have set up a non-ITS wireless network in a college or department, and would like to enhance the security of your network, call (814) 865-6580 or complete the request form on the following Web page: https://www4.tns.its.psu.edu/forms/spDesignReqForm.html

  • If you work in a college or department, and do not have a wireless network, but are interested in setting one up, contact the ITS Consultant for your area: http://css.its.psu.edu/cs/itsanalysts.html

  • If you have general questions about using wireless services at Penn State, such as configuring your computer to receive a wireless signal, contact the ITS Help Desk; see http://css.its.psu.edu/consulting/consult.html for contact information.

  • If you believe your computer is configured properly, but cannot access Penn State Wireless, contact your local Wireless LAN support person. To find out who your contact is, please login with your Penn State Access Account at https://www4.tns.its.psu.edu/scripts/wireless/ and then select the location where you are attempting to use the service.

  • If you have questions about this document or the ITS Web site, please let us know through our contact form: http://ask.psu.edu/its.html, or contact the ITS Help Desk; see http://css.its.psu.edu/consulting/consult.html for contact information.


Note About IP Address Assignments


The IP address subnet for the wireless devices’ DHCP pool must be from private address space. The addresses in this subnet can only be assigned via DHCP, and only to wireless devices on the Penn State Wireless LAN. (Obviously, the Penn State Wireless LAN router interface is the only permitted exception to this requirement.)

IP addresses for the Penn State Wireless Access Points and all Penn State Wireless LAN switches need to be assigned from a subnet other than that of the wireless devices’ DHCP pool.

While it is not required, it is strongly recommended that the subnet used for the Penn State Wireless Access Points and all Penn State Wireless LAN switches is from private address space. Having these addresses assigned from private address space increases security and allows Penn State to better utilize its IPv4 address pools.
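The three addressing rules above (private DHCP pool, a separate subnet for access points and switches, DHCP-only assignment inside the pool) are the ones that Examples 1d, 1e, 5d and 5e below fail. The following checker is an added illustration, not code from this document or from TNS; it uses only the Python standard library, and the sample addresses in it are constructed, not Penn State's real addressing. It assumes the administrator knows the client DHCP pool, the access point and switch subnet, the router interface address, and every address configured by hand on the LAN.

```python
"""Checker for the addressing rules in the "Note About IP Address Assignments".

Added illustration, not code from the original document or from TNS. It uses
only the Python standard library. The inputs are things a LAN administrator
already knows: the DHCP pool handed to wireless devices, the subnet used for
access points and Wireless LAN switches, the address of the Wireless Assist
LAN router interface, and any addresses configured statically on the LAN.
"""
import ipaddress

# Private address space as defined in RFC 1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(net):
    """True when the whole network lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_addressing(client_pool, infra_subnet, router_interface, static_hosts=()):
    """Return a list of (severity, message) findings; an empty list is a compliant plan.

    client_pool      - subnet handed out by DHCP to wireless devices
    infra_subnet     - subnet used for access points and Wireless LAN switches
    router_interface - address of the Wireless Assist LAN router interface
    static_hosts     - every address configured by hand on the LAN (APs, switches, ...)
    """
    pool = ipaddress.ip_network(client_pool, strict=False)
    infra = ipaddress.ip_network(infra_subnet, strict=False)
    gateway = ipaddress.ip_address(router_interface)
    findings = []

    # Required: the wireless DHCP pool must be private address space
    # (the defect in Examples 1d and 5d).
    if not is_private(pool):
        findings.append(("REQUIRED", f"client DHCP pool {pool} is not RFC 1918 private address space"))

    # Required: access points and switches must not share the clients' subnet
    # (the defect in Examples 1e and 5e).
    if pool.overlaps(infra):
        findings.append(("REQUIRED", f"infrastructure subnet {infra} overlaps the client DHCP pool {pool}"))

    # Required: addresses in the pool are assigned only via DHCP; the router
    # interface is the one permitted exception.
    for host in map(ipaddress.ip_address, static_hosts):
        if host in pool and host != gateway:
            findings.append(("REQUIRED", f"static address {host} lies inside the DHCP-only pool {pool}"))

    # Recommended: infrastructure addresses from private space as well.
    if not is_private(infra):
        findings.append(("RECOMMENDED", f"infrastructure subnet {infra} should come from private address space"))

    return findings


if __name__ == "__main__":
    # Constructed sample plan: a /22 client pool, a separate /24 for APs and
    # switches, and one switch mistakenly given a static address inside the pool.
    for severity, msg in check_addressing("10.200.8.0/22", "172.20.5.0/24", "10.200.8.1",
                                          ["172.20.5.10", "172.20.5.11", "10.200.8.50"]):
        print(severity, msg)
```

The severity split mirrors the note: the private pool and the separate subnet are requirements, while private address space for the access points and switches is a recommendation, so a plan using public space there is reported but not treated as non-compliant.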

Simple Wireless LAN: Example 1, Compliant


This configuration includes:



  • One Telecommunications closet with one Penn State Wireless Assist LAN.

  • TNS provided DHCP service using private IP address space for wireless devices.

  • Penn State Wireless Assist LAN directly attached to Integrated Backbone (IB) uplink.


Simple Wireless LAN: Example 1a, Not Compliant


This configuration is not compliant, because only Penn State Wireless Access Points and Penn State Wireless LAN switches can be connected to a Penn State Wireless Assist LAN.

Any device that is not a Penn State Wireless Access Point or a Penn State Wireless LAN switch must be removed from the LAN before it can be compliant with the Penn State Wireless Assist Criteria Checklist (Item #3, Bullet #1).

Simple Wireless LAN: Example 1b, Not Compliant


This configuration is not compliant because there are devices other than Penn State Wireless Access Points and Penn State Wireless LAN switches on the Penn State Wireless Assist LAN.

Unless a customer maintains a router that has DHCP forwarding (sometimes called DHCP helper) capability, TNS must provide the DHCP service. Shortly, with the introduction of the DHCP Transport Service, a customer can provide DHCP service for the wireless devices on their Penn State Wireless Assist LAN.

See Example 2a for more detail.


Simple Wireless LAN: Example 1c, Not Compliant


This configuration is not compliant because one or more of the following is true: the Access Points are not compatible with IEEE standard 802.11b; the Access Points cannot be secured with a password; the Access Points do not have their SSID set to "pennstate"; or the Access Points are not managed from a secure wired management station. Any combination of the four makes the LAN non-compliant.

To be compliant, Penn State Wireless Assist Access Points must meet all of the requirements listed in the Penn State Wireless Assist Criteria Checklist, particularly those in item #2.

Simple Wireless LAN: Example 1d, Not Compliant


This configuration is not compliant because the wireless devices' IP addresses, supplied by DHCP, are not assigned from private address space.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #4) wireless devices must be assigned, via DHCP, a private IP address, from a pool provided by TNS.

Simple Wireless LAN: Example 1e, Not Compliant


This configuration is not compliant because the Penn State Wireless Access Points, the Penn State Wireless LAN switches, and the wireless devices are all assigned addresses from the same subnet.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #5) wireless devices must be assigned from a different subnet than the subnet used by the Penn State Wireless Access Points and Penn State Wireless LAN switches.

Simple Wireless LAN: Example 1f, Not Compliant


This configuration is not compliant because access controls are present that prevent all Penn State faculty, staff, and students with a valid Penn State Access Account from using the Penn State Wireless Assist service.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #2, bullet #1) no mechanism may be employed in the system that prevents any user with a valid Penn State Access Account from accessing the network in a manner consistent with ITS Penn State Wireless Complete.

Multiple LANs: Example 2, Compliant


This LAN has the following configuration:



  • One multiple closet LAN and one Penn State Wireless Assist LAN.

  • TNS provided DHCP service using private IP address space for wireless devices.

  • The Penn State Wireless Assist LAN is directly attached to its own TNS maintained backbone uplink.

  • The multiple closet LAN, with no Penn State Wireless devices, has its own IB uplink.

Multiple LANs: Example 2a, Not Compliant


This configuration is not compliant. Currently, unless the customer maintains a router that has DHCP forwarding (sometimes called DHCP helper) capability, TNS must provide the DHCP service.

When the DHCP Transport Service is available, this method of providing DHCP service to a Penn State Wireless Assist LAN will be possible and compliant.

Multiple LANs: Example 2b, Not Compliant


This configuration is not compliant. As shown in Example 1a, only Penn State Wireless Access Points and Penn State Wireless LAN switches can be connected to a Penn State Wireless Assist LAN.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #1), all devices that are not Penn State Wireless LAN switches or Penn State Wireless Access Points need to be removed from the LAN. Alternatively, the Penn State Wireless Access Points could be moved onto another LAN, with its own backbone uplink as shown in Example 2 and Example 3.

Multiple LANs: Example 2c, Not Compliant


This configuration is not compliant. Access Points in MDF Closet, IDF Closet #1 and IDF Closet #2 are connected to a non-Penn State Wireless Assist LAN and cannot participate in the Penn State Wireless Assist service.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #1), Penn State Wireless Access Points and Penn State Wireless LAN switches must be on a wireless-only LAN segment.

Multiple LANs and Closets: Example 3, Compliant


This LAN has the following configuration:



  • Penn State Wireless Assist LAN directly attached to TNS maintained backbone uplink.

  • The other LAN, with no Penn State Wireless devices, has its own IB uplink.

Multiple LANs and Closets: Example 3a, Not Compliant


This LAN is not compliant. Access Points in IDF Closet #1 and IDF Closet #2, which are not connected to the Penn State Wireless Assist LAN, cannot participate in the Penn State Wireless Assist Service.

See Examples 2b and 2c for further details.

Two or More Customers in Same Building: Example 4, Compliant


This LAN has the following configuration:



  • A single, multiple-tenant building, where two different departments want to manage and maintain their own Penn State Wireless Assist LAN.

  • TNS provided DHCP.

  • Each customer provides an IB uplink for their Penn State Wireless Assist LAN.

Two or More Customers in Same Building: Example 4a, Not Compliant


This LAN is not compliant because only Penn State Wireless Access Points and Penn State Wireless LAN switches can be connected to a Penn State Wireless Assist LAN.

See Examples 2b and 2c for further details.

Customer Owned Router and DHCP server: Example 5, Compliant


This LAN has the following configuration:



  • One Penn State Wireless Assist LAN that spans three telecommunications closets.

  • Customer provides DHCP Service.

  • Customer provides Penn State Wireless Assist LAN uplink to a customer maintained router.


Customer Owned Router and DHCP server: Example 5a, Not Compliant


This LAN is not compliant because the Penn State Wireless Assist ACLs are missing from the Penn State Wireless Assist LAN uplink to the customer maintained router.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #2), the required ACL filters must be active on the customer provided Penn State Wireless Assist LAN uplink.

Customer Owned Router and DHCP server: Example 5b, Not Compliant


This LAN is not compliant because the Penn State Wireless Assist access device IP address pool, as described in the subnet information provided to TNS for the Penn State Wireless ACLs, is routed across other interfaces.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #1), all Penn State Wireless Assist related subnet information provided to TNS must be consistent with the forwarding tables of the customer's routers.

Customer Owned Router and DHCP server: Example 5c, Not Compliant


This example is similar to 5b. Subnet information provided to TNS for the Penn State Wireless ACLs applied to the IB uplink is not consistent with the routes defined in the router. In this example, the IP pool for access points and switches is shared with devices on other LANs.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #1), all Penn State Wireless Assist related subnet information provided to TNS must be consistent with the forwarding tables of the customer's routers.
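Examples 5b and 5c both come down to one check: every subnet reported to TNS for the Penn State Wireless ACLs must be routed on the customer's router through the interface that faces the Penn State Wireless Assist LAN, and no part of those subnets may be reachable through any other interface. The function below performs that comparison. It is an added illustration, not code from this document or from TNS; the forwarding table is a constructed dictionary of prefix to outgoing interface standing in for a real router's routing table, and the interface names and prefixes are placeholders.

```python
"""Consistency check between the subnet information given to TNS for the
Penn State Wireless ACLs and the customer router's forwarding table, the
condition that Examples 5b and 5c describe.

Added illustration, not the document's or TNS's code. The forwarding table
is a constructed dictionary of prefix -> outgoing interface standing in for
the routing table output of a real router; interface names and prefixes
are placeholders.
"""
import ipaddress

# Constructed sample: the Wireless Assist LAN hangs off "wireless0", the
# department's wired LAN off "lan1", and the default route off the IB uplink.
REGISTERED_SUBNETS = ["10.200.8.0/22", "172.20.5.0/24"]   # client pool and AP/switch subnet reported to TNS
FORWARDING_TABLE = {
    "10.200.8.0/22": "wireless0",
    "172.20.5.0/24": "wireless0",
    "172.20.1.0/24": "lan1",
    "0.0.0.0/0": "uplink0",
}


def find_routing_mismatches(registered_subnets, forwarding_table, wireless_interface):
    """Return findings (strings); an empty list means the ACL subnet information matches the routes.

    registered_subnets  - prefixes reported to TNS as belonging to the Wireless Assist LAN
    forwarding_table    - {prefix: interface} as configured on the customer router
    wireless_interface  - the router interface that faces the Wireless Assist LAN
    """
    routes = {ipaddress.ip_network(p): ifc for p, ifc in forwarding_table.items()}
    findings = []
    for prefix in map(ipaddress.ip_network, registered_subnets):
        ifc = routes.get(prefix)
        if ifc is None:
            findings.append(f"{prefix} was reported to TNS but has no route on the router")
        elif ifc != wireless_interface:
            # Example 5b: the registered pool is reachable through another interface.
            findings.append(f"{prefix} was reported to TNS but is routed via {ifc}, not {wireless_interface}")
        # Example 5c: part of a registered subnet lives on another LAN. A less
        # specific route (such as the default route) is normal and is not flagged.
        for other, other_ifc in routes.items():
            if other != prefix and other_ifc != wireless_interface and other.subnet_of(prefix):
                findings.append(f"{other} on {other_ifc} overlaps the registered wireless subnet {prefix}")
    return findings


if __name__ == "__main__":
    # Compliant table, then the Example 5c situation: half of the AP/switch
    # subnet also routed to the wired LAN.
    print(find_routing_mismatches(REGISTERED_SUBNETS, FORWARDING_TABLE, "wireless0"))
    shared = {**FORWARDING_TABLE, "172.20.5.128/25": "lan1"}
    print(find_routing_mismatches(REGISTERED_SUBNETS, shared, "wireless0"))
```

Only more specific routes on other interfaces are reported, because a covering route such as the default route is how the rest of the network is reached and does not by itself move wireless traffic off the Penn State Wireless Assist interface.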

Customer Owned Router and DHCP server: Example 5d, Not Compliant


This LAN is not compliant. Penn State Wireless Assist wireless devices are assigned from a public IP address space.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #4), wireless clients must be assigned private address space acquired through TNS.

Customer Owned Router and DHCP server: Example 5e, Not Compliant


This LAN is not compliant. Wireless devices are assigned IP addresses in the same subnet as the Penn State Wireless Access Points and Penn State Wireless LAN switches.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #5), IP addresses for LAN components must be assigned from a subnet other than that of the wireless clients.

Customer Owned Router and DHCP server: Example 5f, Not Compliant


This LAN is not compliant because the customer is maintaining a DHCP server in a manner not consistent with the requirements of University Policy AD20, not maintaining DHCP logs, or both.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #3), the customer must administer the DHCP server in accordance with the requirements of Policy AD20 and keep the server logs for at least one year.

Customer Owned Router and DHCP server: Example 5g, Not Compliant


This LAN is not compliant because the customer is using NAT, Proxy ARP, inaccurate DNS entries, inaccurate static routes, or a combination of these methods to redirect the ITS Penn State Wireless VPN client to a VPN device other than the proper Penn State Wireless Complete VPN device at the particular Penn State location.

To be compliant with the Penn State Wireless Assist Criteria Checklist (item #3, bullet #2), the service must use the Penn State Wireless Complete VPN device.

Customer Owned Router and DHCP server: Example 5h, Not Compliant



This LAN is not compliant because the customer has not installed ACLs on all Penn State Wireless LAN interfaces, or ACLs allow unauthenticated access to other local LANs or other Penn State Wireless Assist LANs.

Customer Owned Router, TNS DHCP: Example 6, Compliant


This LAN has the following configuration:



  • One Penn State Wireless Assist LAN that spans three telecommunications closets.

  • TNS provided DHCP service.

  • Customer provided Penn State Wireless Assist LAN uplink to a customer maintained router.


Customer Owned Router and DHCP Server, Multiple Wireless Penn State Wireless LANs: Example 7, Compliant


This LAN has the following configuration:



  • Three independent Penn State Wireless Assist LANs.

  • Customer Provided DHCP.

  • Three customer provided Penn State Wireless LAN uplinks.


Customer Owned Router, TNS Provided DHCP Server, Multiple Wireless Penn State Wireless LANs: Example 8, Compliant


This LAN has the following configuration:



  • Three independent Penn State Wireless Assist LANs.

  • TNS provided DHCP service.

  • Three customer provided Penn State Wireless LAN uplinks.


Customer Owned Router with Departmental VPN: Example 9, Compliant


This LAN has the following configuration:



  • Customer is allowing access to the Penn State Wireless Complete VPN device at the particular Penn State campus and another VPN device operated by them in accordance with AD-20.

  • The Departmental VPN does not use the same Group Access name as the Penn State Wireless service.

  • The Departmental VPN is not directly connected (Layer 2) to the same LAN as the Access Points.


Penn State Wireless Assist Criteria Checklist



1. Administration of the local wireless LAN

  • Only an existing Administrative, Technical or Security contact in the applicable building may request Penn State Wireless Assist.

  • The building in which the service is to be provided must have a designated wireless LAN contact for 1) administrative, 2) technical, and 3) security issues. Contact availability information must also be provided for coverage from 8 a.m. through 5 p.m., Monday through Friday.

  • The intended coverage area for the wireless network utilizing Penn State Wireless Assist must be identified (either by room number or other adequate physical description) to permit reasonable troubleshooting support.

  • Designation of the coverage areas must be kept up-to-date, with an annual review. Notification will be sent by ITS to the wireless LAN contact.

  • The wireless LAN must be registered with ITS by the Administrative, Technical or Security contact.


2. Configuration of an access point

  • No mechanism may be employed in the system that impedes any user with a valid Penn State Access Account from accessing the network in a manner consistent with Penn State Wireless Complete. (Examples include using MAC addresses or other addresses that prohibit access.)

  • All access points on the Penn State Wireless Assist LAN segment must be compatible with IEEE standard 802.11b, include password protection as stated in University Policy AD20, have their SSID set to "pennstate", be configured in "bridging" mode, and have no local access controls other than the SSID.

  • All management of the access points must be from secured wired management stations only.


3. Other technical items

While the use of VLANs as a software configurable method of providing segmentation between wired and wireless LAN segments is not explicitly forbidden, their use for this purpose is discouraged. Because VLANs add a significant level of complexity to the LAN environment, and thus increase the likelihood of a misconfiguration, they add a level of unnecessary risk. Individual departments that elect to use VLANs for this purpose must be aware of the increased risk introduced by VLANs and set appropriate management controls to ensure that the risk is minimized.



  • Individual departments are responsible for providing a separate wireless-only LAN segment with its own layer 3 interface. (This can be in the form of a port from a router for the LAN, or a separate connection to Penn State's Integrated Backbone.)

  • If a customer-managed router is used to terminate the wireless LAN segments, the following access control list (i.e. filters) must be applied to the router interface that connects to the wireless LAN segment:

      • Allow packet forwarding from the wireless segment only for the IP address subnet that is assigned to the wireless LAN segment (source address filtering).

      • Allow packet forwarding for the DNS protocol only to the DNS server.

      • Allow packet forwarding for the DHCP protocol only to the DHCP server.

      • Allow packet forwarding for the NTP protocol to the appropriate NTP server.

      • Allow packet forwarding of all other ports and protocols only to the Penn State Wireless Complete VPN server appropriate to the campus, and any departmentally controlled VPN server that is administered in accordance with AD-20. No departmentally controlled VPN may use the same Group Access name as the Penn State Wireless Complete VPN.

      • As described in RFC2644/BCP34, disable forwarding of packets addressed to the broadcast addresses of the directly connected subnets.

  • If a local DHCP server is used to provide IP addresses for clients on the local wireless LAN segment, then that DHCP server must:

      • Be administered in accordance with AD20, and its logs must be maintained for at least one year.

  • IP addresses assigned to wireless clients must use private address space acquired through TNS.

  • IP addresses for LAN components (access points and switches) must be assigned from a subnet other than that of the wireless clients.
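The access control list in item 3 is easier to reason about as an ordered rule set evaluated first match wins with an implicit deny at the end, which is how router ACLs behave. The model below is an added illustration, not configuration from this document or from TNS, and it is not a vendor's ACL syntax: it expresses the six bullets as rules and evaluates sample packets against them so the effect of each bullet and of rule order can be checked. The wireless subnet, the DNS, DHCP and NTP servers, and the two VPN device addresses are constructed placeholders that a department would replace with its own.

```python
"""Model of the router interface filter that checklist item 3 requires on the
interface facing a Penn State Wireless Assist LAN segment.

Added illustration, not configuration from the original document or from TNS.
All addresses are constructed placeholders. Evaluation is first match wins with
an implicit deny at the end, as on a typical router access list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Network

# Constructed placeholder addresses; a department would substitute its own.
WIRELESS_SUBNET = IPv4("10.200.8.0/22")            # DHCP pool for wireless devices
DNS_SERVER = IPv4("172.20.1.53/32")
DHCP_SERVER = IPv4("172.20.1.67/32")
NTP_SERVER = IPv4("172.20.1.123/32")
VPN_SERVERS = [
    IPv4("172.20.2.10/32"),   # Penn State Wireless Complete VPN device (placeholder address)
    IPv4("172.20.2.20/32"),   # departmental VPN administered in accordance with AD-20 (placeholder)
]
# Subnets directly connected to the router; their broadcast addresses must never be forwarded to.
CONNECTED_SUBNETS = [WIRELESS_SUBNET, IPv4("172.20.1.0/24"), IPv4("172.20.2.0/24")]
ANY = IPv4("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None


def build_rules():
    """Return the filter as an ordered list of (action, src_net, dst_net, proto, dport).

    Every permit entry uses WIRELESS_SUBNET as its source, which implements the
    source address filtering bullet: a packet with any other source matches no
    permit entry and falls through to the implicit deny.
    """
    rules = []
    # RFC 2644 / BCP 34: do not forward packets addressed to directed-broadcast addresses.
    for net in CONNECTED_SUBNETS:
        rules.append(("deny", ANY, IPv4(f"{net.broadcast_address}/32"), "any", None))
    # DNS, DHCP and NTP are allowed only to their designated servers; the same
    # service ports to any other destination are denied before the VPN entries.
    # (Unicast DHCP renewals are modelled; the initial broadcast discovery is
    # handled by the router's DHCP helper on this interface and is not modelled.)
    for proto, port, server in (("udp", 53, DNS_SERVER), ("tcp", 53, DNS_SERVER),
                                ("udp", 67, DHCP_SERVER), ("udp", 123, NTP_SERVER)):
        rules.append(("permit", WIRELESS_SUBNET, server, proto, port))
        rules.append(("deny", ANY, ANY, proto, port))
    # All other ports and protocols only to the permitted VPN devices.
    for vpn in VPN_SERVERS:
        rules.append(("permit", WIRELESS_SUBNET, vpn, "any", None))
    return rules


def evaluate(packet, rules=None):
    """Apply the filter with first-match semantics; return "permit" or "deny"."""
    if rules is None:
        rules = build_rules()
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    for action, src_net, dst_net, proto, dport in rules:
        if src not in src_net or dst not in dst_net:
            continue
        if proto != "any" and proto != packet.proto:
            continue
        if dport is not None and dport != packet.dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every access list


if __name__ == "__main__":
    # Constructed sample traffic from a wireless client and one spoofed source.
    samples = [
        Packet("10.200.9.17", "172.20.1.53", "udp", 53),      # DNS to the DNS server
        Packet("10.200.9.17", "198.51.100.53", "udp", 53),    # DNS to an arbitrary host
        Packet("10.200.9.17", "172.20.2.10", "udp", 500),     # IKE to the VPN device
        Packet("10.200.9.17", "198.51.100.7", "tcp", 80),     # web traffic bypassing the VPN
        Packet("172.20.9.9", "172.20.2.10", "udp", 500),      # source outside the wireless subnet
        Packet("10.200.9.17", "172.20.1.255", "icmp"),        # directed broadcast
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {evaluate(p)}")
```

Rule order matters in two places: the directed-broadcast denies sit first so that no later permit can reach a broadcast address, and each service-port deny sits before the VPN permits so that, for instance, a DNS query aimed at the VPN device's address is dropped rather than admitted by the catch-all permit for that device.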

I acknowledge that my wireless LAN is compliant with the Penn State Wireless Assist criteria. I understand that if this LAN is found to be noncompliant at any time, the service may be terminated without prior notification. Penn State Wireless Assist will not be reinstated unless the LAN fully meets the above criteria. In addition, I agree to register the wireless LAN at https://www4.tns.its.psu.edu/scripts/wnr.
Administrative Wireless Contact: ________________________________________________Date: _________________
Note: This form should accompany the TSR for Penn State Wireless Assist.

Wireless Indicator Signs


Help increase awareness of Penn State Wireless coverage areas. ITS invites campuses, colleges and departments to download and post the signs shown below in wireless areas. Three wireless “signal” signs are available to indicate Penn State Wireless coverage: on campus, in a specific building, or in a surrounding area. Both 8.5"x11" and 11"x17" signs are available. Signs can be downloaded at the following Web site: http://its.psu.edu/wireless/signs.html



Need help? See the Getting Help section at the beginning of this document for contact information.



