Symbol Technologies WS 2000 Switch User Manual


 
WS 2000 Use Cases
Field Office Use Case
A Field Office Example
Background
Leo is the network administrator, system administrator, and IT professional for a field office with 60 employees. The users
include sales people, sales engineers, office administration and customer support people. All of the sales personnel have
laptops and many of them have personal digital assistants (PDAs).
The office is connected to the Internet and to corporate through a frame relay link. Between the office network and the frame
relay, there is a router and a virtual private network (VPN) appliance. All traffic to corporate is encrypted by the VPN
appliance. Traffic to other addresses passes straight through.
Leo installed a wireless access point about six months ago and quickly found that many employees preferred to use it.
However, the throughput of the lone unit was not enough to service 40 or so users and coverage was weak in many areas
of the building. In addition, Leo was doing user authentication by maintaining a list of permissible user MAC addresses on
the access point. This required modifications to the list once or twice a week. Recently, when a laptop was stolen, Leo could
not determine which MAC address to remove from the list for several hours. He concluded that a better method of user
authentication was needed. Also, the data encryption on the old access point was WEP, and WEP encryption can be broken
with several hours of data encrypted with the same key. Leo changes the key every week, but some users complain when
last week’s key does not work anymore.
Leo has decided to upgrade to a WS 2000 wireless switch. He will have four Access Ports, one in the administration office
area, one in the sales office area, one in the sales engineering area, and one in the engineers’ demonstration room.
Throughput and coverage will increase significantly. Leo will convert to 802.1x/EAP-TTLS user authentication through the
corporate RADIUS server and convert to WPA2 encryption, improving security considerably and reducing maintenance
significantly.
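
The change described above as seen from a client laptop, as an added example that is not part of the original manual: a wpa_supplicant.conf contrasting the old static-WEP profile with a WPA2 profile that authenticates through 802.1x/EAP-TTLS. The use of wpa_supplicant as the client, the SSID, the user name, the RADIUS server name, the CA file path and the MSCHAPv2 inner method are all assumptions; the manual specifies none of them.

```conf
# --- Before: shared static WEP key (shown for contrast only) ---
# Every user holds the same key, so one stolen laptop exposes it for
# everyone, and each weekly key change must reach every client.
network={
    ssid="field-office"            # hypothetical SSID
    key_mgmt=NONE                  # no 802.1x; WEP is selected by the key below
    wep_key0=0102030405            # constructed 40-bit key, shared by all users
    wep_tx_keyidx=0
    disabled=1                     # kept only to show what is being replaced
}

# --- After: WPA2 with 802.1x/EAP-TTLS against the corporate RADIUS server ---
# Each user authenticates with personal credentials, so access is revoked
# per account on the RADIUS server instead of per MAC address on the AP.
network={
    ssid="field-office"            # hypothetical SSID
    key_mgmt=WPA-EAP               # 802.1x key management
    proto=RSN                      # WPA2 only, no fallback to WPA or WEP
    pairwise=CCMP                  # AES-CCMP for unicast traffic
    group=CCMP                     # AES-CCMP for broadcast/multicast traffic
    eap=TTLS                       # outer method: TLS tunnel to the RADIUS server
    phase2="auth=MSCHAPV2"         # inner method (assumed; must match the server)
    anonymous_identity="anonymous@example.com"   # outer identity, sent in clear
    identity="leo"                               # hypothetical user name, sent inside the tunnel
    password="CHANGE-ME"                         # placeholder; prefer a protected credential store

    # Server validation: without these two settings the client will build
    # the TTLS tunnel to any server and hand it the inner credentials.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"  # hypothetical path to the corporate CA
    domain_suffix_match="radius.example.com"     # hypothetical RADIUS server name
}
```

With `ca_cert` and `domain_suffix_match` set, the client refuses to authenticate to a server that cannot present a certificate issued by the corporate CA for that name.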
Leo’s company is also growing. Corporate has rented an expansion office for engineering in another part of the same
building. Leo needs to establish secure communication from the engineering subnet to this expansion office. The other
office will also have a WS 2000, so Leo will establish a direct VPN link to that WS 2000 and use the VPN as the secure
communication link.
The following links show the tasks that Leo will carry out to complete the wireless upgrade.
The Plan
Each WS 2000 WLAN has exactly one security policy, where a security policy is defined as a user authentication method
and a data encryption method. Because each WLAN can have one and only one security policy, WLAN configuration is
usually defined by the security needs of the installation. If two groups of users require different security policies, then they
must associate to the WS 2000 through different WLANs. See the retail case study for an example of an installation where
different security needs drive the need for separate WLANs.
In this situation, all of Leo’s users will use the same security system: 802.1x/EAP-TTLS user authentication and WPA data
encryption. Leo can set up the WLANs in any way that is convenient.
Corporate has given Leo three static IP addresses for the wireless network. He will configure the WS 2000 as a DHCP server
giving out internal-use-only IP addresses and use network address translation (NAT) in the switch to convert the outward-bound
traffic to one of the static IP addresses.