Wireless Local Area Network Design

This document presents the design of a wireless local area network for the University of Nairobi. It consists of 3 parts. The first part provides an introduction and functional specification. The second part reviews relevant literature on wireless network standards, components, technologies, architectures, virtual LANs and security. The third part details the network topology, including logical design, VLAN classification, scenarios for main campus zones, security measures, and conclusions on benefits and recommendations.

UNIVERSITY OF NAIROBI

FACULTY OF ENGINEERING

DEPARTMENT OF ELECTRICAL AND ELECTRONICS ENGINEERING

FEE 560: FINAL YEAR PROJECT

PROJECT: 068

WIRELESS LOCAL AREA NETWORK DESIGN


DOCUMENTATION

SUPERVISOR: DR. CYRUS WEKESA

EXAMINER: DR G.S.O ODHIAMBO

DONE BY: GITAU AYUB MAKIMEI

F17/10456/03

ACADEMIC YEAR 2008/2009

A project submitted in partial fulfillment of the requirement for the award of B.Sc
Degree in Electrical & Electronics Engineering, University of Nairobi
DEDICATION

I dedicate this project to my family for their invaluable support throughout my study period.
ACKNOWLEDGEMENT

The completion of this work would not have been possible without the assistance of many people who devoted their time, energy and knowledge. Very special thanks to DR. CYRUS WEKESA, lecturer, School of Engineering, University of Nairobi and supervisor of my project, for discussions, counsel and guiding me from the beginning to the end of this study.

My appreciation also goes to my parents and entire family for their constant support throughout the tumultuous pursuit of my academic goals. Special thanks to Mr. Kogi and the ICT Center team for their assistance during the research work.

I thank God for everything.
Contents
Table of abbreviations……………………………………………………………………vi
ABSTRACT…………………………………………………………………………….viii
CHAPTER ONE: Introduction ........................................................................................ 1
1.1 Functional Specification for the UONWLAN infrastructure ................................... 2
CHAPTER TWO: Literature review ................................................................................ 4
2.1 Current Wireless Network standards ...................................................................... 4
2.2 Wireless LAN Requirements ................................................................................. 6
2.3 WLAN Components .............................................................................................. 7
2.3.1 Wireless station ............................................................................................... 7
2.3.2 Access Point (AP) ........................................................................................... 8
2.3.3 Wireless LAN Controllers ............................................................................... 9
2.3.4 WLAN Range ................................................................................................. 9
2.3.5 Channels and roaming ................................................................................... 10
2.4 WLAN Technology and architecture.................................................................... 11
2.4.1 Narrowband Technology ............................................................................... 11
2.4.2 Spread spectrum Technology ........................................................................ 12
2.4.3 Frequency Hopping Spread Spectrum ........................................................... 12
2.4.4 Direct Sequence Spread Spectrum................................................................. 12
2.5 WLAN architecture ............................................................................................. 13
2.5.1 Ad hoc mode ................................................................................. 13
2.5.2 Infrastructure network ................................................................................... 14
2.6 Virtual LANs ....................................................................................................... 15
2.7 Configuring VLANs ............................................................................................ 16
2.7.1 Configuring Static VLANs ............................................................................ 16
2.8 Types of VLAN membership ............................................................................... 17
2.8.1 Layer 1 VLAN: Membership by Port ............................................................ 17
2.8.2 Layer 2 VLAN: Membership by MAC Address ............................................ 18
2.8.3 Layer 2 VLAN: Membership by Protocol Type ............................................. 18
2.8.4 Layer 3 VLAN: Membership by IP Subnet Address ...................................... 18
2.8.5 Higher Layer VLANs .................................................................................... 20
2.9 Types of Connections .......................................................................................... 20
2.9.1 Trunk Link .................................................................................................... 20
2.9.2 Access Link .................................................................................................. 20
2.9.3 Hybrid Link .................................................................................................. 21
2.10 Security of 802.11 wireless LANS ..................................................................... 22
2.10.1 Basic security services ................................................................................ 22
2.10.2 Wi-Fi Protected Access (WPA and WPA2) ................................................. 22
2.10.3 Features of WPA2 security.......................................................................... 23
CHAPTER THREE: The UON network topology and WLAN design ........................... 25
3.1 Overview ............................................................................................................. 25
3.2 Layered Approach ............................................................................................... 26
3.3 Logical design view ............................................................................................. 26

3.4 ICT Center:.......................................................................................................... 28
3.5 Core servers ......................................................................................................... 29
3.7 VLAN classification ............................................................................................ 30
3.8 Main Campus scenario ......................................................................................... 34
3.8.1 Administration block..................................................................................... 35
3.8.2 JKML zone ................................................................................................... 36
3.8.3 Faculty of engineering................................................................................... 37
3.9 Membership access .............................................................................................. 39
3.10 Connection of the workstations .......................................................................... 39
3.11 Student portal .................................................................................................... 40
3.12 UON WLAN security measures ......................................................................... 40
3.12.1 Use of VLANs ............................................................................................ 40
3.12.2 Mac addressing ........................................................................................... 40
3.12.3 Use of RADIUS authentication ...................................................... 41
3.12.4 Use of security switches and firewall........................................................... 41
3.12.3 Reduced broadcast strength of APs where possible .................................. 42
CHAPTER FOUR: Conclusion ..................................................................................... 43
4.1 Solution benefits .................................................................................................. 43
4.2 User experience ................................................................................................... 44
4.3 Recommendation ................................................................................................. 44

Table of abbreviations
AES Advanced Encryption Standard
AES-CCMP Advanced Encryption Standard - Counter Mode/CBC-MAC Protocol
AP Access Point
BSS Basic Service Set
DES Data Encryption Standard
DSSS Direct Sequence Spread Spectrum
EAP Extensible Authentication Protocol
EAP-TLS Extensible Authentication Protocol - Transport Layer Security
EDCA Enhanced Distributed Channel Access
FHSS Frequency Hopping Spread Spectrum
FTP File Transfer Protocol
HCCA HCF Controlled Channel Access
HCF Hybrid Coordination Function
IBSS Independent Basic Service Set
ICT Information Communication Technology
IEEE Institute of Electrical and Electronics Engineers
IP Internet Protocol
ISM Industrial, Scientific and Medical
JKML Jomo Kenyatta Memorial Library
KDN Kenya Data Networks
MAC Media Access Control
MIMO Multiple Input Multiple Output
NIC Network Interface Card
OFDM Orthogonal Frequency Division Multiplexing
PCMCIA Personal Computer Memory Card International Association
QoS Quality of Service
RADIUS Remote Authentication Dial-In User Service
SSID Service Set Identifier
TCI Tag Control Information
TPID Tag Protocol Identifier
UON University of Nairobi
USB Universal Serial Bus
WEP Wired Equivalent Privacy
WIDS Wireless Intrusion Detection System
Wi-Fi Wireless Fidelity
WiMAX Worldwide Interoperability for Microwave Access
WLAN Wireless Local Area Network
WLC Wireless LAN Controller
WPA Wi-Fi Protected Access
WPA2 Wi-Fi Protected Access 2
ABSTRACT
The objective of this project is to understand the current network topology of UON and to come up with a design of a wireless local area network for the University of Nairobi (UON WLAN) built on the IEEE 802.11 wireless network standards.

The design methodology began with an analysis of the requirements of the entire campus community. The inter-network structure was then developed and addressing and naming conventions were set up. All of these are covered in chapter three of this report.

It was found that 18 access points are required to cover the entire main campus airspace, the JKML and the Faculty of Engineering. These APs will operate in the 2.4 GHz ISM band, with adjacent APs on different non-overlapping channels to avoid crosstalk and interference.

UON WLAN will provide community-oriented communication and forums, with services provided from a central server, and will also act as a gateway for high-speed, low-cost Internet access. The installed network will comprise a scalable node-based server architecture situated in the ICT Center in Chiromo Campus, and a number of wireless devices situated in convenient locations throughout the university. The server-ware will provide library services, archiving and media services, accessible from the local university network, as well as access to the Internet. These services will be delivered to locations within the University of Nairobi wireless network. Internet access will initially be delivered through broadband Internet service providers, with a view to the use of other equipment, such as fibre for ultra-broadband connectivity, as and when the need arises.
CHAPTER ONE: INTRODUCTION

Wireless LANs (WLANs) use electromagnetic waves, in particular spread-spectrum radio, to transfer information between devices in a limited area. Wireless technology gives users network connectivity without tethering them to a wired network. WLANs, like their wired counterparts, are designed to provide high bandwidth to users in a limited geographical area.

WLANs provide an alternative to the high installation and maintenance costs incurred by the traditional additions, deletions and changes experienced in wired LAN infrastructures. Physical and environmental necessity is another driving factor in favour of WLANs. Typically, new buildings are planned with network connectivity factored into the building requirements; however, users of existing buildings may find it infeasible to retrofit those structures for wired network access. Lastly, the operational environment may not accommodate a wired network, or the network may be temporary and operational for only a very short time, making the installation of a wired network impractical. Examples include ad hoc networking needs such as conference registration centres and campus classrooms.

The UON WLAN design focuses on people's mobility, allowing students and lecturers efficient and convenient access to the services and content that the university provides. In this way, all of the university's services are virtually duplicated in order to build a virtual university which allows its users to fulfil all of their needs.

The solution is designed so that access to information and services is possible under any circumstances, through a high degree of redundancy at the component level and at the hardware and communications level. This solution provides infrastructure support for the university to deliver the following application services:
• Mail Server
• Application Server
• SQL Server
• Intranet & Extranet Web Servers
• Internet Server, Proxy Server
• Security, Authentication and Remote Access

Given this, web technology is the most suitable tool to build the platform that aggregates the several system components. This interface carries informatics resources of several natures and levels of accessibility, from HTML files to full databases. With the installation of access points, the conditions are created for users to interact among themselves and with the university services.

A recent report from In-Stat shows that the wireless market has grown from 140 million wireless chipsets a year in 2005 to 430 million in 2009. The emergence of new security standards has also increased confidence in WLANs. Users are becoming more familiar with the technology and increasingly expect wireless access to be available. There is a wide range of products and standards involved in WLAN technology and more continue to emerge.
1.1 Functional Specification for the UON WLAN infrastructure

• Secure wireless networks shall complement rather than replace an institution's wired network.
While wireless technologies allow a high degree of flexibility in accessing the institution's network, they should be viewed as technologies that support the institution's wired network. Media-rich applications and services that place high demands on the institution's network will be best served by the wired network.

• Institutions should provide secure wireless access to curriculum and administration resources from a wide range of work spaces in the institution.
In order to achieve complete flexibility of working within the institution, a student or lecturer needs to be able to gain access to networked resources from all work spaces. To allow flexible access to the institution's ICT services, wide wireless coverage of the institution will be needed. Wireless networking technologies allow access to networked resources where fixed access to the network is not possible, practical or even desirable. Careful planning of which areas need wireless coverage will be required to ensure that flexible working via wireless technologies is achieved.

• Design criteria
  • Wireless networking equipment shall conform to the IEEE 802.11a/b/g standards.
  • Wireless networks shall be secured.
CHAPTER TWO: LITERATURE REVIEW

2.1 Current Wireless Network standards


a) IEEE 802.11b
802.11b is the most mature and widely deployed wireless network standard. It is also the
standard used by most public wireless “hotspots”.
• It operates in the 2.4GHz spectrum
• Has a nominal data transfer rate of 11Mbps. In practice the actual data transmission rate
is approximately 4-7Mbps, which is shared by all clients using an access point.
• Provides 3 non-overlapping channels
b) IEEE 802.11a
802.11a has two bands that are open for wireless LAN services. Band A for indoor use
(5.15GHz to 5.35 GHz, 200mW) and Band B for indoor and outdoor use (5.47 GHz to
5.725 GHz 1W)
802.11a has:
• Nominal data rate of 54Mbps with actual rates of between 17-28Mbps.
• has a signal range of about 50 metres from an access point and data rates begin to drop
at a range of 10-15 metres from the access point (dependent on environment and
equipment).
• uses OFDM
• The 5 GHz band provides much greater spectrum than the 2.4 GHz band, so 802.11a can deploy eight non-overlapping channels.
It is particularly suited to environments with multiple users running applications with high data throughput.
c) IEEE 802.11g
It is intended to offer the same data rates as 802.11a (54Mbps), whilst working in the
same frequency range as 802.11b (2.4GHz) for backwards compatibility.
802.11g:
• operates in the 2.4GHz spectrum

• has nominal data speeds of 54Mbps
• has actual data speeds of 18-30Mbps. These drop to around 60% of the available data
rate in the presence of 802.11b equipment
• Offers three non-overlapping channels
• is backwards compatible with 802.11b equipment.
• is less power efficient than 802.11b, so 802.11b may continue to be more common in
some mobile devices such as PDAs
• uses Orthogonal Frequency Division Multiplexing (OFDM), so benefits from some
resiliency to RF interference and multi-path distortion
d) IEEE 802.11h
This is an amendment to 802.11a for the 5 GHz band. It adds Transmit Power Control (TPC) to limit transmission power and Dynamic Frequency Selection (DFS) to vacate channels on which radar is detected, so that WLANs do not interfere with the military and satellite radar systems that share parts of this spectrum. TPC can also be used to shrink AP cell sizes, allowing a denser AP deployment.
e) IEEE 802.11e
There are two strands to the standard.
i. Enhanced Distributed Channel Access (EDCA)
ii. HCF Controlled Channel Access (HCCA).
EDCA prioritizes transmission of packets and reduces transmission times according to
different access categories, but provides no service guarantees. HCCA centrally manages
access by polling clients and scheduling a time for transmission, reducing contention.
HCCA uses traffic classes and precise QoS parameters can be set for individual
applications. EDCA is expected to be implemented on all equipment, but HCCA may be
reserved for particularly time sensitive applications such as VoIP.
f) 802.11n
802.11n uses Multiple Input Multiple Output (MIMO) technology. MIMO involves the
use of at least 2 antennas for transmitting data and an equal or greater number for
receiving. The multiple antennas are tuned to the same channel, but each transmits a
different data stream. However there are cost and power implications in having multiple
RF units.

g) 802.11r
IEEE 802.11r is a standard in development for fast roaming between access points. In
secure WLANs the requirement to re-authenticate with each access point as a user moves
around creates a delay that can disrupt low latency applications such as voice and video.
h) 802.11s
This is a standard for wireless mesh networks particularly to cover large areas of towns
and cities, or in rural areas.
i) 802.16/ WiMAX
WiMAX (Worldwide Interoperability for Microwave Access) is a high speed wireless
technology based on IEEE 802.16 standards. WiMAX is intended to provide wireless
broadband coverage over a large area and has built in quality of service (QoS) and
security features. WiMAX can work in licensed and unlicensed spectrum and in-line of-
sight and non-line-of-sight implementations. It should offer wireless broadband access at
a theoretical shared peak rate of 72Mbps and a maximum range of 50km.
j) Ultra-Wideband
Ultra-Wideband (UWB) is an emerging wireless technology intended to provide high-speed, low-power wireless connections (100 Mbps to 2 Gbps) over short distances (about 10 m). It is expected to be used for cable replacement and for multimedia networking in the home. UWB is based on pulsing a signal in very short bursts across a very wide bandwidth; data is sent by altering the amplitude, phase or position of the pulses.
k) ZigBee/ 802.15.4
ZigBee is a wireless sensor network technology specification based on the IEEE 802.15.4
standard. It is a low cost, low power, low data rate wireless networking standard for
sensor and control networks.

2.2 Wireless LAN Requirements

A wireless LAN must meet the requirements typical of any LAN:

• High capacity
• Ability to cover short distances
• Full connectivity among attached stations
• Broadcast capability
In addition there are a number of requirements specific to the wireless LAN environment:
• Throughput
The MAC protocol should make as efficient use as possible of the wireless medium to maximize capacity.
• Number of nodes
The wireless LAN may need to support hundreds of nodes across multiple cells.
• Service area
A typical coverage area for a WLAN has a diameter of 100 to 300 metres.
• Connection to backbone LAN
For an infrastructure WLAN this is easily accomplished through the access points (APs), which connect to both types of LAN.
• Power consumption
Mobile workers use battery-powered workstations that need a long battery life when used with wireless adapters. Typical wireless LAN implementations have features, such as sleep mode, to reduce power consumption while the network is not in use.
• Transmission robustness and security
Unless properly designed, a WLAN may be prone to interference and easily eavesdropped. The design of a WLAN must permit reliable transmission even in a noisy environment and should provide some level of security against eavesdropping.

2.3 WLAN Components


A wireless LAN comprises three main types of component:
• Wireless station
• Access point
• Wireless LAN controller

2.3.1 Wireless station

A wireless station or client is typically a laptop or notebook personal computer (PC) with a wireless Network Interface Card (NIC). A WLAN client may also be a desktop or handheld device within the coverage area.

2.3.2 Access Point (AP)

The access point (AP) functions as a base station for the wireless network aggregating
multiple wireless stations to the wired network. Access Points (AP) may also provide a
bridging function. Bridging connects two or more networks together and allows them to
communicate.
Bridging involves:
a) Point-to-point bridging:
In a point-to-point architecture two LANs are connected to each other via the LANs' respective APs, as shown in Fig. 2.0.

Fig. 2.0 P-t-P architecture

In the example, wireless data is transmitted from Laptop A to Laptop B, from one building to the next, using each building's appropriately positioned AP. Laptop A connects to the closest AP within building A. That AP then transmits the data (over the wired LAN) to the AP bridge located on building A. The AP bridge then transmits the data to the bridge on nearby building B, whose AP bridge sends the data over its wired LAN to Laptop B.
b) Multipoint bridging:
One subnet on a LAN is connected to several other subnets on another LAN via each subnet's AP. For example, if a computer on Subnet A needed to connect to computers on Subnets B, C and D, Subnet A's AP would connect to B's, C's and D's respective APs.

Enterprises may use bridging to connect LANs between different buildings on corporate campuses. Bridging AP devices are typically placed on top of buildings to achieve better antenna reception.

2.3.3 Wireless LAN Controllers

The AP grouping feature of a wireless LAN controller (WLC) allows a single WLAN to be supported across multiple dynamic interfaces (VLANs) on the controller. This is done by mapping a group of APs to a specific dynamic interface. APs can be grouped logically by workgroup or physically by location. AP group VLANs are used where a single, universal WLAN service set identifier (SSID) is required but clients need to be differentiated (placed on different interfaces configured on the WLC) according to the physical lightweight access point (LAP) they associate with.
When a client joins a WLAN, the interface used is determined by the LAP it is associated with, by looking up the AP group VLAN and WLAN for that LAP. The AP group VLAN feature is an additional method of keeping broadcast domains as small as possible, which helps to manage load balancing and bandwidth allocation more effectively.

2.3.4 WLAN Range

The reliable coverage range for 802.11 WLANs depends on several factors:
• Data rate required and capacity.
• Sources of RF interference.
• Physical area characteristics.
Theoretical ranges are from about 25 metres (at 11 Mbps) in a closed office to 485 metres (at 1 Mbps) in an open area. Empirically, the typical indoor range for connectivity of 802.11 equipment is approximately 50 metres (163 feet). A range of 100 metres in open space makes WLAN an ideal technology for many campus applications. It is important to recognize that special high-gain antennas can extend the range to several miles, which also means that the signal, and with it the opportunity to eavesdrop, can reach well beyond the physical boundary of the campus.

Fig.2.1 range of typical WLAN

2.3.5 Channels and roaming

The 802.11b and 802.11g standards, working in the 2.4 GHz band, have 13 channels available (in the ETSI regulatory domain; 11 in the FCC domain). However, each channel is 22 MHz wide while the channel centres are only 5 MHz apart, so to avoid crosstalk and interference there are effectively only 3 non-overlapping channels that can be used (usually 1, 6 and 11).
Adjacent APs need to be set to different channels. This means that at most 3 access points whose cells overlap one another can operate without interfering; a larger deployment reuses channels 1, 6 and 11 in a pattern chosen so that no two APs on the same channel have overlapping cells.

Fig.2.2 channel settings of adjacent AP
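As an added worked example (not part of the original report), the rule that adjacent APs must sit on different channels can be checked mechanically: treat each pair of APs with overlapping cells as an edge and colour the graph with the three non-overlapping channels. The AP layouts below are constructed for illustration and are not the UON design; the example also shows what happens when more than three cells all overlap one another, where a 5 GHz (802.11a) channel set or reduced transmit power is needed.

```python
from typing import Dict, Iterable, List, Set, Tuple

# The only three non-overlapping 2.4 GHz channels (22 MHz wide, centres 25 MHz apart).
NON_OVERLAPPING_2G = (1, 6, 11)
# Four non-overlapping 20 MHz channels from the 5 GHz indoor band, for comparison.
NON_OVERLAPPING_5G = (36, 40, 44, 48)


def build_adjacency(overlaps: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Turn 'cell A overlaps cell B' pairs into a symmetric adjacency map."""
    adj: Dict[str, Set[str]] = {}
    for a, b in overlaps:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def plan_channels(adj: Dict[str, Set[str]],
                  channels: Tuple[int, ...] = NON_OVERLAPPING_2G) -> Dict[str, int]:
    """Greedy graph colouring: give every AP a channel none of its neighbours uses.

    APs are handled most-constrained first (Welsh-Powell order). Raises
    ValueError when a cell overlaps more cells than there are channels to go
    round, i.e. when 1/6/11 reuse alone cannot separate the APs.
    """
    plan: Dict[str, int] = {}
    for ap in sorted(adj, key=lambda a: (-len(adj[a]), a)):
        used = {plan[n] for n in adj[ap] if n in plan}
        free = [c for c in channels if c not in used]
        if not free:
            raise ValueError(f"{ap}: channels {channels} all taken by neighbours "
                             f"{sorted(adj[ap])}; reduce AP power or use 5 GHz")
        plan[ap] = free[0]
    return plan


def co_channel_conflicts(adj: Dict[str, Set[str]],
                         plan: Dict[str, int]) -> List[Tuple[str, str]]:
    """Adjacent AP pairs that ended up on the same channel (should be empty)."""
    return sorted({tuple(sorted((a, b))) for a in adj for b in adj[a] if plan[a] == plan[b]})


# Constructed layout: six APs along one corridor, each cell overlapping only its neighbours.
CORRIDOR = build_adjacency([("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4"),
                            ("AP4", "AP5"), ("AP5", "AP6")])
# Constructed layout: four APs in one open hall whose cells all overlap one another.
HALL = build_adjacency([("H1", "H2"), ("H1", "H3"), ("H1", "H4"),
                        ("H2", "H3"), ("H2", "H4"), ("H3", "H4")])


if __name__ == "__main__":
    corridor_plan = plan_channels(CORRIDOR)
    print("corridor:", corridor_plan, "conflicts:", co_channel_conflicts(CORRIDOR, corridor_plan))
    try:
        plan_channels(HALL)
    except ValueError as err:
        print("hall on 2.4 GHz:", err)
    print("hall on 5 GHz:", plan_channels(HALL, NON_OVERLAPPING_5G))
```

Run as a script it prints both plans. The corridor needs only channels 1 and 6 alternating, however long it is, which is the channel-reuse pattern the text alludes to; the hall, where four cells overlap each other, is refused on 2.4 GHz rather than silently reusing a channel, and is planned cleanly on four 5 GHz channels.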
As 802.11b/g and 802.11a operate in a different frequency range they are not compatible
with each other. However, 802.11b/g and 802.11a networks can be used side by side to
increase capacity. In general both 802.11b and 802.11g (as they work in the 2.4GHz
frequency) have a greater range than 802.11a. In practice, to obtain the same network
coverage, the user may require up to four times as many access points when using an
802.11a network.
If 802.11g devices and 802.11b devices are in dialogue with each other then the data rates
will be dictated by the 802.11b device. If two or more 802.11g devices are in dialogue
with each other but there are 802.11b devices in the same network, then 802.11g data
rates will drop but may well still be more than the practical rates of 802.11b. There are
802.11g access points, or dual or tri-band access point incorporating 802.11g which can
be set to only recognize 802.11g equipment. This obviously prevents the 802.11b
equipment from working on the 802.11g network but there are times when this may be
desirable.

2.4 WLAN TECHNOLOGY AND ARCHITECTURE


There is a wide range of diverse technology options available. The important technologies used to deploy a wireless LAN are:

2.4.1 Narrowband Technology

A narrowband radio system transmits and receives user information on a specific radio frequency. Narrowband radio keeps the signal bandwidth as narrow as possible, just wide enough to pass the information. Undesirable crosstalk between communications channels is avoided by carefully coordinating different users on different channel frequencies. In a narrowband radio system, separation between users and freedom from interference are achieved by the use of separate radio frequencies.

2.4.2 Spread spectrum Technology

Spread spectrum is a modulation technique that spreads the data transmission across the entire available frequency band. By spreading the signal across the whole band, the signal becomes less vulnerable to noise or interference. Spread spectrum also permits many users to share the same frequency band with minimal interference from other users or from devices such as microwave ovens. The goal is to use more bandwidth than the system really needs for transmission, so as to reduce the impact of localised interference (bad frequencies) on the system. The original 802.11 standard had specifications for 1 Mbps and 2 Mbps wireless transmissions using spread spectrum in the 2.4 GHz ISM band, with a maximum transmit power of 100 mW. There are two different types of spread spectrum transmission defined for the physical layer:
• Frequency Hopping Spread Spectrum (FHSS)
• Direct Sequence Spread Spectrum (DSSS)

2.4.3 Frequency Hopping Spread Spectrum

With FHSS, transmitters and receivers are synchronized to hop from channel to channel in a predetermined (pseudo-random) sequence. In the 802.11 standard, 79 channels are defined within the 2.4 GHz band. If one channel is jammed, the data is simply retransmitted on the next channel in the hopping sequence. Networks using 802.11 with FHSS are limited to a maximum of 2 Mbps. Properly synchronized, the net effect is to maintain a single logical channel. To an unintended receiver, FHSS appears to be short-duration impulse noise. Note, however, that the 802.11 hop sequences are published in the standard and the access point announces the hop set and pattern in its beacons, so any 802.11 FHSS receiver can follow them; hopping gives resistance to interference, not confidentiality, which must come from encryption at a higher layer.

2.4.4 Direct Sequence Spread Spectrum

Under DSSS the information to be transmitted is divided into small pieces, which are spread across the entire available frequency band. Each bit is encoded with a redundant pattern called a chipping sequence, whose individual elements are chips. In 802.11 this sequence is the fixed 11-chip Barker code specified in the standard, so it offers no secrecy: any 802.11 receiver can despread the signal, and confidentiality must come from encryption. What the redundant pattern does provide is robustness: it makes it possible to recover data without retransmission if one or more chips are damaged, so the signal is less susceptible to interference.
The longer the chipping sequence, the greater the probability that the original data can be recovered (and, of course, the more bandwidth required). Even if one or more chips are damaged during transmission, statistical techniques embedded in the radio can recover the original data without the need for retransmission. To an unintended narrowband receiver, DSSS appears as a low-power, noise-like signal.
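An added example (not from the report) of what the Barker-code redundancy in 802.11 DSSS buys and what it does not: each data bit is sent as 11 chips, and a correlating receiver recovers the bit correctly as long as fewer than half of the chips are corrupted. The same function serves an eavesdropper, because the spreading sequence is fixed by the standard. The model uses plain ±1 chips without the differential encoding of real 802.11 DBPSK, an assumption made to keep the arithmetic visible; the payload bits and chip errors are constructed.

```python
from typing import List, Sequence, Tuple

# The 11-chip Barker sequence used by 802.11 DSSS at 1 and 2 Mbps. It is printed
# in the standard: it gives processing gain, not secrecy.
BARKER_11 = (1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1)
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits: Sequence[int]) -> List[int]:
    """Map each data bit to 11 chips: the Barker code for a 1, its inverse for a 0.
    (Simplified BPSK mapping; real 802.11 applies differential encoding first.)"""
    chips: List[int] = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * c for c in BARKER_11)
    return chips


def despread(chips: Sequence[int]) -> Tuple[List[int], List[int]]:
    """Correlate every 11-chip symbol with the Barker code.

    Returns (bits, correlations). A clean symbol correlates to +11 or -11; each
    flipped chip costs 2, so the sign (and hence the bit) survives up to 5 errors.
    """
    if len(chips) % CHIPS_PER_BIT:
        raise ValueError("chip stream is not a whole number of symbols")
    bits: List[int] = []
    corr: List[int] = []
    for i in range(0, len(chips), CHIPS_PER_BIT):
        c = sum(x * y for x, y in zip(chips[i:i + CHIPS_PER_BIT], BARKER_11))
        bits.append(1 if c > 0 else 0)
        corr.append(c)
    return bits, corr


def flip_chips(chips: Sequence[int], positions: Sequence[int]) -> List[int]:
    """Simulate narrowband interference hitting individual chips (constructed errors)."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out


def survives(bits: Sequence[int], chip_errors_per_symbol: int) -> bool:
    """True if every symbol still decodes when its first n chips are corrupted."""
    chips = spread(bits)
    positions = [s * CHIPS_PER_BIT + k
                 for s in range(len(bits)) for k in range(chip_errors_per_symbol)]
    return despread(flip_chips(chips, positions))[0] == list(bits)


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0]                      # constructed payload bits
    for errors in range(0, CHIPS_PER_BIT + 1):
        print(f"{errors:2d} bad chips per symbol -> decoded correctly: {survives(data, errors)}")
    # An eavesdropper needs nothing secret: the same despread() reads the bits.
    print("eavesdropper reads:", despread(spread(data))[0])
```

Five damaged chips out of eleven still decode; six flip the sign of the correlation and the bit is lost, which is the limit the "statistical techniques" in the text refer to. Nothing in the receiver depends on a secret, which is why the report's later sections put confidentiality in WPA2 rather than in the physical layer.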

2.5 WLAN ARCHITECTURE


The IEEE standard permits devices to establish either a peer-to-peer (P2P) network or a network based on fixed access points (APs) through which mobile nodes communicate. Hence the standard defines two basic network topologies:
• Ad hoc or independent network
• Infrastructure network

2.5.1 Ad hoc mode

Only wireless devices are present in this network, that is, no APs are required. It is meant
to interconnect easily mobile devices that are in the same area. Client stations are
grouped into a single geographic area, for example the same room. Beaconing and
synchronization are handled by a station (laptop). Some enhancements are not available
to the ad hoc network, such as relaying frames between two stations that cannot hear each
other. The interconnected devices in ad hoc mode are referred to as an Independent Basic
Service Set (IBSS).
The ad hoc configuration is similar to a peer-to-peer office network in which no node is
required to function as a server. Fig. 2.3 shows the ad hoc topology.

Fig.2.3. Adhoc topology

2.5.2 Infrastructure network

This is the fundamental 802.11 WLAN topology. The infrastructure is meant to extend
the range of the wired LAN into wireless LAN cells. A laptop or other mobile device may
move from cell to cell (from AP to AP) while maintaining access to the resources of the
LAN. This topology is useful for providing wireless coverage of a building or campus
area. A WLAN environment has wireless client stations that use radio modems to
communicate with an access point (AP). Fig. 2.4 shows a rough sketch of the
infrastructure network.
Fig.2.4 Infrastructure network (stations STA1 to STA4 attached to access points AP1 and
AP2, which are joined by the distribution system; AP: access point, STA: station)

The client stations are generally equipped with a Network Interface Card (NIC). By
deploying multiple access points with overlapping coverage areas, organizations can
achieve broad network coverage. WLAN technology can be used to replace a wired LAN
entirely or to extend the LAN infrastructure. Most WLANs operate in the infrastructure
mode described above. A device characterized as a station in a wireless LAN system first
has to identify the available access points and networks. This is done by monitoring
beacon frames from access points announcing themselves, or by actively probing for a
particular network with probe frames. The station chooses a network from those
available and goes through an authentication process with the access point.

Once the access point and the station have verified each other, the association process is
started. Association allows the access point and station to exchange information and
capabilities. The access point uses this information and shares it with the other access
points in the network to disseminate knowledge of the station's current location on the
network. Only after association is complete can the station transmit or receive frames on
the network.

In infrastructure mode, all network traffic from wireless stations on the network goes
through an access point to reach its destination on either the wired or the wireless LAN.
Access to the medium is managed using the Carrier Sense Multiple Access with
Collision Avoidance (CSMA/CA) protocol. The station listens for data transmissions for a
specified period of time before attempting to transmit; this is the carrier sense multiple
access portion of the protocol. The station must wait a specific period of time after the
network becomes clear before transmitting. This delay, together with the receiving
station transmitting an acknowledgement indicating successful reception, forms the
collision avoidance portion of the protocol. In infrastructure mode, either the sender or
the receiver is always the access point. The periodic beacon frames sent by the access
point handle synchronization between stations on the network. These frames contain the
access point's clock value at the time of transmission, so they can be used to check for
drift at the receiving station. Synchronization is required for various reasons having to
do with the wireless protocols and modulation schemes.

2.6 VIRTUAL LANs


Virtual LANs are logical groups of devices, defined by software. VLANs allow network
administrators to re-segment their networks without physically rearranging the devices or
network connections. A Virtual LAN (VLAN) is the best way to reduce the overall
network traffic originating from each department. Specifying VLAN rules in switches
logically groups each department together. VLANs can be viewed as a group of devices
on different physical LAN segments which can communicate with each other as if they
were all on the same physical LAN segment.
Although VLANs are commonly used to create individual broadcast domains and/or
separate IP subnets, it can be useful for a server to have a presence on more than one
VLAN simultaneously. Several products support multiple VLANs on a per-port or per-
interface basis, allowing very flexible network configurations.

2.7 Configuring VLANs


VLANs can be created according to various criteria, but each VLAN must be assigned a
VLAN tag or VLAN ID (VID). The VID is a 12-bit identifier between 1 and 4094 that
identifies a unique VLAN. For each network interface (ixge0, ixge1, ixge2 and so on),
4094 possible VLAN IDs can be selected, but only 512 unique IDs can be used
simultaneously.
Tagging an Ethernet frame requires the addition of a tag header to the frame. The header
is inserted immediately after the destination MAC address and the source MAC
address. The tag header consists of two bytes of Ethernet Tag Protocol Identifier (TPID,
0x8100) and two bytes of Tag Control Information (TCI). Fig. 2.5 shows the Ethernet tag
header format.

Fig 2.5 Ethernet Tag Header Format

By default, a single VLAN is configured for every port, which groups all ports into the
same broadcast domain, just as if there were no VLANs at all, with VLAN tagging for the
switch port turned off.

2.7.1 Configuring Static VLANs

a) One hostname is created for each VLAN that will be configured for each adapter
on the server.
The following naming format is used, which includes both the VID and the physical point
of attachment (PPA):
VLAN logical PPA = 1000 * VID + Device PPA
Example: ixge123000 = 1000 * 123 + 0 (VID 123 on ixge instance 0)
This format limits the maximum number of PPAs (instances) that can be configured to
1000 in the /etc/path_to_inst file.
For example, on a server with the Sun 10-Gigabit Ethernet adapter having an instance of
0 and belonging to two VLANs, with VIDs 123 and 224, you would use ixge123000 and
ixge224000, respectively, as the two VLAN PPAs.
b) The ifconfig command is used to configure a VLAN virtual device, for example:

# ifconfig ixge123000 plumb up

# ifconfig ixge4000 plumb up

c) On the switch, VLAN tagging and VLAN ports are set to coincide with the
VLANs that are set up on the server.
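The tag header format and the naming scheme above, as an added Python example that is not part of the report: it builds and checks the ixge VLAN logical PPA names, inserts a TPID/TCI tag after the two MAC addresses of a frame and parses it back, rejecting VIDs outside 1..4094; the sample frame is constructed.

```python
import re
import struct

TPID = 0x8100          # 802.1Q Tag Protocol Identifier, as given in the text
PPA_INSTANCES = 1000   # the 1000 * VID + instance scheme leaves room for instances 0..999


def is_valid_vid(vid):
    """A VID names a VLAN only in the range 1..4094 (0 and 4095 are reserved)."""
    return 1 <= vid <= 4094


def vlan_ppa(vid, instance, driver="ixge"):
    """Build the VLAN logical device name: driver + (1000 * VID + device PPA), e.g. ixge123000."""
    if not is_valid_vid(vid):
        raise ValueError(f"VID {vid} outside 1..4094")
    if not 0 <= instance < PPA_INSTANCES:
        raise ValueError(f"instance {instance} outside 0..{PPA_INSTANCES - 1}")
    return f"{driver}{1000 * vid + instance}"


def split_vlan_ppa(name):
    """Inverse of vlan_ppa: 'ixge123000' -> (123, 0)."""
    m = re.fullmatch(r"[a-z]+(\d+)", name)
    if not m:
        raise ValueError(f"not a VLAN logical PPA name: {name!r}")
    vid, instance = divmod(int(m.group(1)), PPA_INSTANCES)
    if not is_valid_vid(vid):
        raise ValueError(f"VID {vid} outside 1..4094")
    return vid, instance


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte tag header (TPID + TCI) right after the destination and source MACs."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not is_valid_vid(vid):
        raise ValueError(f"VID {vid} outside 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid  # TCI: 3-bit priority, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def parse_tag(frame):
    """Return (pcp, dei, vid, frame_without_tag) for a tagged frame, or None if there is no tag."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID:
        return None
    vid = tci & 0x0FFF
    if not is_valid_vid(vid):
        raise ValueError(f"reserved VID {vid} in tag")
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, vid, frame[:12] + frame[16:]


# Constructed untagged frame: destination MAC, source MAC, EtherType 0x0800 (IPv4), short payload.
SAMPLE_FRAME = bytes.fromhex("0011223344556677889900aa0800") + b"constructed-payload"
```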

2.8 Types of VLAN membership


VLAN membership can be classified by port, MAC address, and protocol type.

2.8.1 Layer 1 VLAN: Membership by Port

Membership in a VLAN can be defined based on the ports that belong to the VLAN. For
example, in a bridge with four ports, ports 1, 2, and 4 belong to VLAN 1 and port 3
belongs to VLAN 2 as shown in table1.

Table 1: Assignment of ports to different VLANs

Port    VLAN
1       1
2       1
3       2
4       1

The main disadvantage of this method is that it does not allow for user mobility. If a user
moves to a different location away from the assigned bridge, the network manager must
reconfigure the VLAN.

2.8.2 Layer 2 VLAN: Membership by MAC Address

Here, membership in a VLAN is based on the MAC address of the workstation. The
switch tracks the MAC addresses which belong to each VLAN, as shown in Table 2. Since
the MAC address forms part of the workstation's network interface card, when a
workstation is moved no reconfiguration is needed for it to remain in the same VLAN.
This is unlike Layer 1 VLANs, where membership tables must be reconfigured. The main
problem with this method is that VLAN membership must be assigned initially, but this
offers a better security measure.

2.8.3 Layer 2 VLAN: Membership by Protocol Type

VLAN membership for Layer 2 VLANs can also be based on the protocol type field
found in the Layer 2 header as shown in table 3.

2.8.4 Layer 3 VLAN: Membership by IP Subnet Address

Membership is based on the Layer 3 header. The network IP subnet address can be used
to classify VLAN membership as shown in table 4.
In this method, IP addresses are used only as a mapping to determine membership in
VLANs. No other processing of IP addresses is done.
In Layer 3 VLANs, users can move their workstations without reconfiguring their
network addresses.

Table 2: Assignment of MAC addresses to different VLANs.

MAC Address       VLAN
12563498746       1
2389234873743     2
3045834758445     2
5483573475843     1

Table 3: Assignment of protocols to different VLANs

Protocol   VLAN
IP         1
IPX        2

Table 4: Assignment of IP subnet addresses to different VLANs.

IP Subnet   VLAN
23.2.24     1
26.21.35    2

2.8.5 Higher Layer VLANs

It is also possible to define VLAN membership based on applications or services, or any
combination thereof. For example, File Transfer Protocol (FTP) applications can be
executed on one VLAN and telnet applications on another VLAN.
The 802.1Q draft standard defines Layer 1 and Layer 2 VLANs only. Protocol-type-based
VLANs and higher-layer VLANs have been allowed for, but are not defined in this
standard. As a result, these VLANs will remain proprietary.

2.9 Types of Connections


Devices on a VLAN can be connected in three ways, based on whether the connected
devices are VLAN-aware or VLAN-unaware. A VLAN-aware device is one which
understands VLAN memberships.

2.9.1 Trunk Link

All the devices connected to a trunk link, including workstations, must be VLAN-aware.
All frames on a trunk link must have a special header attached. These special frames are
called tagged frames.

Fig.2.6: Trunk link between two VLAN-aware bridges.

2.9.2 Access Link

An access link connects a VLAN-unaware device to the port of a VLAN-aware bridge.
All frames on access links must be implicitly tagged (untagged), as shown in Fig. 2.7. The
VLAN-unaware device can be a LAN segment with VLAN-unaware workstations, or it
can be a number of LAN segments containing VLAN-unaware devices (a legacy LAN).

Fig.2.7: Access link between a VLAN-aware bridge and a VLAN-unaware device.

2.9.3 Hybrid Link

This is a combination of the previous two links: a link where both VLAN-aware and
VLAN-unaware devices are attached, as shown in Fig. 2.8. A hybrid link can have both
tagged and untagged frames, but all the frames for a specific VLAN must be either
tagged or untagged.

Fig.2.8: Hybrid link containing both VLAN-aware and VLAN-unaware devices.

2.10 SECURITY OF 802.11 WIRELESS LANS


The IEEE 802.11 specification identifies several services to provide a secure operating
environment. The security services are provided largely by the Wired Equivalent Privacy
(WEP) protocol, which protects link-level data during wireless transmission between
clients and access points. WEP does not provide end-to-end security, but only security for
the wireless portion of the connection.

2.10.1 Basic security services

The three basic security services defined by IEEE for the WLAN environment are as
follows:
· Authentication
The primary goal is to provide a security service to verify the identity of
communicating client stations. This provides access control to the network by denying
access to client stations that cannot authenticate properly.
· Privacy
Privacy is the second goal of WLAN security. The intent is to prevent information
compromise by passive attack.
· Integrity
A security service developed to ensure that messages are not modified in transit
between the wireless clients and the access point by an active attack.

2.10.2 Wi-Fi Protected Access (WPA and WPA2)

Wi-Fi Protected Access is a certification program created by the Wi-Fi Alliance to
indicate compliance with the security protocol created by the Wi-Fi Alliance to secure
wireless computer networks. This protocol was created in response to several serious
weaknesses researchers had found in the previous system, Wired Equivalent Privacy
(WEP). The protocol implements the majority of the IEEE 802.11i standard, and was
intended as an intermediate measure to take the place of WEP while 802.11i was
prepared. Specifically, the Temporal Key Integrity Protocol (TKIP) was brought into
WPA. TKIP could be implemented on pre-WPA wireless network interface cards.

2.10.3 Features of WPA2 security

The following security features are included in the WPA2 standard:

a) WPA2 authentication
802.1X authentication is required in WPA2. For environments without a Remote
Authentication Dial-In User Service (RADIUS) infrastructure, WPA2 supports the use of
a pre-shared key. For environments with a RADIUS infrastructure, Extensible
Authentication Protocol (EAP) and RADIUS are supported.

b) WPA and WPA2 key management
With 802.1X, the rekeying of unicast encryption keys is optional. Additionally, 802.11
and 802.1X provide no mechanism to change the global encryption key used for multicast
and broadcast traffic. With WPA, rekeying of both unicast and global encryption keys is
required. For the unicast encryption key, the Temporal Key Integrity Protocol (TKIP)
changes the key for every frame, and the change is synchronized between the wireless
client and the wireless access point (AP). For the global encryption key, WPA includes a
facility for the wireless AP to advertise the changed key to the connected wireless clients.
WPA2 replaced WPA; WPA2 implements the mandatory elements of 802.11i. In
particular, it introduces a new AES-based algorithm, CCMP, which is considered fully
secure.
c) Temporal Key Integrity Protocol (TKIP)
For 802.11, Wired Equivalent Privacy (WEP) encryption is optional. For WPA2,
encryption using TKIP is required. TKIP replaces WEP with a new encryption algorithm
that is stronger than the WEP algorithm but that uses the calculation facilities present on
existing wireless devices to perform encryption operations. TKIP also provides for the
following:
· The verification of the security configuration after the encryption keys are
determined.
· The synchronized changing of the unicast encryption key for each frame.
· The determination of a unique starting unicast encryption key for each pre-shared
key authentication.
d) Michael
With 802.11 and WEP, data integrity is provided by a 32-bit integrity check value (ICV)
that is appended to the 802.11 payload and encrypted with WEP. Although the ICV is
encrypted, cryptanalysis can be used to change bits in the encrypted payload and update
the encrypted ICV without being detected by the receiver.
With WPA, a method known as Michael specifies a new algorithm that calculates an 8-
byte message integrity code (MIC) using the calculation facilities available on existing
wireless devices. The MIC is placed between the data portion of the IEEE 802.11 frame
and the 4-byte ICV. The MIC field is encrypted together with the frame data and the ICV.

e) AES support
WPA2 defines the use of the Advanced Encryption Standard (AES) as an additional
replacement for WEP encryption. Because it may not be possible to add AES support
through a firmware update to existing wireless equipment, support for AES is optional.
f) Supporting a mixture of WPA2 and WEP wireless clients
To support the gradual transition of WEP-based wireless networks to WPA, a wireless
AP can support both WEP and WPA2 clients at the same time. During association, the
wireless AP determines which clients use WEP and which clients use WPA2. Supporting
a mixture of WEP and WPA clients is problematic: the global encryption key is not
dynamic, because WEP-based clients cannot support it. All other benefits to the WPA
clients are maintained, including integrity.
g) Remote Authentication Dial-In User Service (RADIUS)
RADIUS is a widely deployed protocol for network access authentication,
authorization and accounting (AAA). RADIUS is simple, efficient and easy to implement,
making it possible for RADIUS to fit into the most inexpensive embedded devices. In
terms of security, RADIUS includes its own application-layer integrity protection and
authentication, as well as confidentiality for "hidden attributes".

CHAPTER THREE: THE UON NETWORK TOPOLOGY AND
WLAN DESIGN
3.1 Overview
There are three main user groups of the University campus that drive the requirements of
the wireless access solution; these are students, lecturers and University services.
Ø Students require:
• Full access to university services at any given time
• Easy methods for the exchange of information
• Constant access to research and organizational tools
• The ability to buy books online at lower prices
• e-Learning
Ø Lecturers require:
• Full access to university services at any given time (online inscriptions, etc.)
• Exchange of information
• Research and organizational tools
• The ability to provide "e-Books"
• "e-Learning"
Ø University services need to:
• Optimize resources and efficiency at any given time
• Exchange knowledge and information
• Use management tools
• Provide information and transactions for lecturers and students
• Interact with the Ministry of Science and Higher Education
• Provide "e-Learning"
Two types of information are considered:
• Internal administration information and Management of the University Students,
with restricted access to internal staff, and with access protection via.
• Scientific information made available by lecturers and students, and via the
library and online scientific magazine subscriptions.

Each student, lecturer or university employee has a single unique access code (login and
password). Once logged on, they will have access to those services that their status and
login ID are enabled for.
LIBRARY: Using the university portal it is possible to search all the scientific
information produced by the university (studies, information about the departments,
articles, etc.), that is, information created and made available by lecturers and students.
VIRTUAL UNIVERSITY: A set of interconnected information between the university
and the students and lecturers, such as schedules, curricular plans and financial
information, will be available, making it possible to free students and lecturers from the
normal working hours of these services.
E-MAIL / WEB MAIL: The student will have one e-mail account that can be used to
communicate with the lecturers and other students.
STORAGE AREA: Each student will have their own personal data area on the file server,
with security and backup of the information. This area can be used by the student to
archive information that is necessary for their studies.
PORTAL: A portal where the lecturers will publish their own web pages will be available.

3.2 Layered Approach


A campus LAN architecture may span up to three layers, from desktop devices connected
to wiring-closet switches at the access layer to the core layer at the center of a large
campus LAN. The hierarchical topology segments the network into physical building
blocks, simplifying operation and increasing availability. Fig. 3.0 shows the connections
from the access layer to the core layer.

3.3 Logical design view


The overall network of the UONWLAN can logically be presented as in Fig. 3.1. The
core servers are situated at the ICT center in Chiromo campus. All the servers are
connected to an authentication gateway and then routed to the core router. The main entry
points of the different campuses are then connected to this router. All of the campuses are
already connected by services offered by KDN through high-speed fiber optic cables.
Main campus and Chiromo campus are the only campuses connected directly to the ICT
center via high-speed optic fiber cable.

Fig.3.0: The Layered Approach

Fig. 3.1: A logical representation of the campuses connections’ to the core servers.

3.4 ICT Center:


The main computing facility in the computer center houses the following central
resources: Internet connectivity, main mail server, student mail server, proxy servers,
DNS servers and web server. In addition to these services, the following equipment
should also be present: switches and routers. The ICT centre is then connected to the
different campuses of UON, as shown in Fig. 3.1.

3.5 Core servers

a) Authentication Server (AAA server).

Instead of requiring every Network Access Server (NAS) to maintain a list of authorized
usernames and passwords, RADIUS Access-Requests are forwarded to an Authentication
Server. This architecture makes it possible to create a central user database,
consolidating decision-making at a single point, while allowing calls to be supported by a
large, physically distributed set of NASs.

When a user connects, the NAS sends a RADIUS Access-Request message to the AAA
server, relaying information such as the user's name and password, the type of connection
(port), the NAS identity, and a message Authenticator. Upon receipt, the AAA server uses
the packet source, NAS identity and Authenticator to determine whether the NAS is
permitted to send requests. If so, the AAA server tries to find the user's name in its
database. It then applies the password and other attributes carried in the Access-Request
to decide whether access should be granted to this user.
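The Access-Request exchange described above, as an added example that is not from the report: a minimal RADIUS NAS and AAA server in Python following RFC 2865/2869, showing how the NAS hides the User-Password under the Request Authenticator, how the server uses the Message-Authenticator to decide whether the NAS is permitted to send requests before it looks at the user at all, and how the NAS checks the Response Authenticator on the reply; the shared secret, user database and NAS identifier are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example only; a deployment uses its own secret and user store.
SHARED_SECRET = b"constructed-nas-secret"
USER_DB = {b"student01": b"constructed-password"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80


def _attr(kind, value):
    """One RADIUS attribute: Type, Length (counting this 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    """RADIUS header (Code, Identifier, Length, 16-byte Authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    """Return {type: (offset, value)}; the offset is needed to re-zero Message-Authenticator."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = (i, data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_id, secret):
    """NAS side: random Request Authenticator, hidden password, HMAC-MD5 Message-Authenticator."""
    request_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IDENTIFIER, nas_id))
    # Message-Authenticator (RFC 2869) is HMAC-MD5 over the whole packet with its own value zeroed.
    zeroed = _packet(ACCESS_REQUEST, ident, request_auth,
                     attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs + _attr(MESSAGE_AUTHENTICATOR, mac))


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def server_handle(packet, secret, user_db):
    """AAA server side: first decide whether the NAS may send requests, then check the user.
    Returns the reply packet, or None when the request is silently discarded."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:])
    if MESSAGE_AUTHENTICATOR not in attrs or len(attrs[MESSAGE_AUTHENTICATOR][1]) != 16:
        return None  # no proof of the shared secret: drop
    off, mac = attrs[MESSAGE_AUTHENTICATOR]
    zeroed = packet[:20 + off + 2] + b"\x00" * 16 + packet[20 + off + 18:]
    if not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
        return None  # wrong secret or tampered packet: drop
    username = attrs.get(USER_NAME, (0, b""))[1]
    password = reveal_password(attrs.get(USER_PASSWORD, (0, b""))[1], secret, request_auth)
    ok = username in user_db and hmac.compare_digest(user_db[username], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, b"", secret)


def verify_response(response, request_auth, secret):
    """NAS side: the reply is genuine only if its Response Authenticator matches our request."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```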

b) DHCP servers
This is the server dedicated to assigning IP addresses to the wireless network clients.
After a client accesses the UONWLAN, the DHCP server automatically assigns it a unique
IP address.

3.6 Distribution network


The main switches of the connected campuses are located at the main entry points of the
respective campuses. The Catalyst 3750G switch from Cisco Systems is a reliable model
that can be used to distribute to the various endpoints. The Catalyst 3750G controller
switch adds security and management enhancements to attached wireless networks. The
switch provides 24 PoE (Power over Ethernet) ports and two Gigabit Ethernet uplinks.
Many devices, including VoIP phones, video cameras, and security and telemetry
equipment, can be powered in this fashion. PoE simplifies installation in that there is no
need to run a separate power feed to a given network device, and installation costs are
similarly reduced.

The integrated wireless controller adds new levels of security, including features such as
intrusion detection, RF (radio frequency) management for self-configuration and self-
healing, and will allow users to roam between access points and across bridged networks.
The main campus network is shown in figure 6.2. The main switch is located at the JKML
building, from which the network is distributed to the various departmental switches
where the APs are connected.

3.7 VLAN classification


Students, lecturers, staff and different departments are grouped into different VLANs.
Students are connected to the same VLAN, called "LibServ". The LibServ VLAN has
access to the library services servers, authentication servers, mail servers and proxy
servers. The LibServ VLAN group has access to all the services supported by the
accessed servers.
Departmental front offices are all grouped into another VLAN, called "MainOFc". This
VLAN has access to separate servers holding their respective departments' student
information. This information may include the name of the student, level of study, hostel
of residence, room number, fee balance and other services that define their area of work.
Lecturers are also grouped into a different VLAN, called "DoN". The DoN VLAN has
access to the servers accessed by the LibServ VLAN, in addition to extra supporting
materials deemed important to the lecturers after consultation.
More VLANs can be set up when the need arises.

Fig 3.2: structure of UON WLAN

If a department has users in different locations, they need access to servers and printers as
if they were all in the same building. Figure 3.3 illustrates this concept, logically grouping
the VLANs by function, traffic patterns and workgroups.
This network is independent of physical location and groups users into logical
workgroups.

The LibServ VLAN is represented by "L". Its primary function is to access databases, for
example lecture notes. The Admin VLAN comprises users that require access to local
servers and the mainframe; these are administrative staff that have the right to configure,
add or change a client's access to the UON WLAN network; it is denoted by the letter "X".
The MainOFc VLAN has users in different parts of the University with access to a
different server and is shown as "M". VLANs 1 and 2 represent different departments with
servers in their respective buildings. Any inter-VLAN traffic must first traverse a layer-3
device in order to communicate with another VLAN. Thus, logical segmentation not only
optimizes bandwidth utilization, but also provides security by isolating segments behind
layer-3 devices, which typically can filter traffic using access control lists (ACLs).
Even if two nodes share a common IP subnet, they will not be able to communicate
directly if they are in separate VLANs.

Figure 3.4 shows different VLANs accessing the network via a single AP. The physical
LAN network consists of switches, access points, controllers, servers and clients. The
LAN is logically organized into different VLANs that are connected to the main network
by an AP. The figure shows four VLANs accessing the same AP but routed to different
servers.

Fig. 3.3 logically grouped VLANs

Figure 3.4: different VLANs accessing the network via a single AP but routed to different servers

Due to the VLAN tagging capabilities of these devices, the data server is able to
communicate with more than one VLAN in the network, while continuing to maintain
broadcast separation between all of them.

· The Administrative Server is available to the Admin VLAN only. It is isolated from
all traffic on other VLANs.
· Front office computers are attached to a shared-media hub that is then connected
to the switch. VLAN tagging is enabled on switch ports that create trunk links to
other VLAN-aware Ethernet switches, or on ports connected to tag-capable end
stations, such as servers or workstations with VLAN-aware adapters.

3.8 Main Campus scenario


The main entry point of the backbone network for main campus is at the Jomo Kenyatta
Memorial Library (JKML), which is connected to the ICT centre through a fiber link, as
shown in Fig. 3.2. The main library should have servers that host management
applications and should also be accessible to users from the other UoN campuses. JKML
should have a VLAN Membership Policy Server (VMPS). The VMPS is used to handle the
on-the-spot port configuration of every switch participating in the VLAN network.
The various departments are then connected from this central entry point and switched
to their respective blocks. According to the IEEE, VLANs define broadcast domains in a
Layer 2 network. Layer 2 switches create broadcast domains based on the configuration
of the switch. Each broadcast domain is a distinct virtual bridge within a switch.

Proper AP positioning in the campus environment results in total coverage by the
wireless network, as shown in figure 3.5, with the entire outside surroundings covered.
The numbers 1, 6 and 11 denote channels 1, 6 and 11 respectively. Access points are
placed on top of buildings at the centers of the coverage rings shown. The rings have a
radius of 50 m, thus covering a diameter of 100 m in open space. Red dots at the centers
of the rings pinpoint the exact locations of the APs.

Fig 3.5: aerial view of main campus wireless coverage area
One AP is placed on Gandhi Wing, depicted as GW in Fig. 3.5, and set to channel 1.
Another AP is put up on the building housing the bookshop (BS). Hyslop (H), the
fountain of knowledge area (FG), the 844 building and the education building (EB) all
have APs placed on their rooftops, with channels assigned so that no interference results
from neighboring APs.

3.8.1 Administration block

The administration block houses the main offices of the entire university. This calls for
more services: voice services with QoS should be added on top of the data service that is
to be delivered wirelessly. Conversational voice has much more stringent delay
requirements than any other application. The traffic streams generated by voice and data
applications have very different characteristics, and it is even more challenging to meet
the requirements of both types of traffic with one network if excellent voice quality is to
be achieved. A mixed voice and data environment deployed with the current 802.11
standard without any Quality of Service (QoS) mechanism is unlikely to result in a
satisfactory experience, especially for the voice users.

A workaround involves separating voice and data users by frequency band. This
approach is implemented with multi-mode APs and requires two channels per cell, one in
the 2.4 GHz band and another in the 5 GHz band. Dual-band access points with two
radios can simultaneously support both the 2.4 GHz (802.11b/g) and 5 GHz (802.11a) RF
bands; therefore all IP phones will be configured to use the 5 GHz band. This yields good
voice quality over the WLAN in the administration block. QoS allows for prioritized
traffic management: the IT administrator will assign different priority levels to different
users. Network administrators may assign a lower priority to visitors sharing the network
and provide more resources to employees working on critical tasks, so that applications
like video streaming or teleconferencing can be supported effectively.

3.8.2 JKML zone

The Jomo Kenyatta Memorial Library is the main research center in main campus. It can
accommodate a large number of students. Although it offers a vast list of services, access
to them is limited to the computer labs located in the various departments and four
computers inside the library. JKML has five floors (basement, ground, first, second and
third), each spanning a length of about 50 meters and a height of 3 meters.
With one access point covering a radius of approximately 25 meters, each floor will have
one AP placed as shown in Fig. 3.6, and the whole library will be adequately covered with
wireless access. The ground floor has one AP running on channel 1, the first floor one AP
running on channel 11, the second floor one AP running on channel 6 and finally the third
floor one AP running on channel 1. The APs are placed such that no cells on the same
channel overlap and such that the whole library is covered.

The amount of co-channel coverage overlap is determined by both AP placement and AP
frequency assignment. The coverage area is defined in terms of a specified received signal
strength. This threshold level is selected in order to provide an adequate signal-to-noise
ratio (S/N) and some additional margin. If one measures an ambient noise level of –95 dBm
and a 10 dB S/N is needed to ensure excellent performance, then an extra 5 dB margin is
allowed for noise levels higher than –95 dBm. In this case one would select a threshold of
–80 dBm.

Fig. 3.6 A linear array of APs with coverage area

3.8.3 Faculty of engineering

The Faculty of Engineering has four departments and numerous lecture rooms in three
blocks: the Electrical and Electronics department, the Mechanical department and the
Civil department. These are connected to the JKML through an Ethernet link. Each block
has one switch on the ground floor, which is connected to a switch on each floor. The
American Wing building has a length of 50 m. With an AP covering a radius of 25 m, two
APs can be used to effectively cover the entire building and its surroundings, as shown in
figure 3.7. The APs are positioned on the second floor near the far ends; therefore equal
broadcasting power is achieved on the left and right sides of the building. The figure
shows a sketch of the front view of the building.

Fig 3.7: front view sketch showing coverage area


Figure 3.8 shows the entire interior of the same building (American Wing) as covered by
the wireless network. Students can roam freely within the building while achieving
efficient throughput from the two access points.

Fig 3.8: interior view of building coverage area

3.9 Membership access
Membership in the UON WLAN is based on the MAC address of a workstation. The
MAC address of a station is registered by an administrator and the required VLAN
membership assigned. The switch tracks the MAC addresses which belong to each
VLAN, as shown in Table 5. Since the MAC address forms part of the workstation's
network interface card, when a workstation is moved no reconfiguration is needed for it
to remain in the same VLAN.
The 802.1Q draft standard defines Layer 1 and Layer 2 VLANs only. Protocol type based
VLANs and higher layer VLANs have been allowed for, but are not defined in this
standard. As a result, these VLANs will remain proprietary.

Table 5: Assignment of MAC addresses to different VLANs.

MAC Address       VLAN
1212354145121     L
2389234873743     X
3045834758445     L
5483573475843     M

3.10 Connection of the workstations


A hybrid link connection is used. This is a link to which both VLAN-aware and VLAN-unaware devices are attached, as shown in fig. 3.9. A hybrid link can carry both tagged and untagged frames, but all frames belonging to a given VLAN must be either all tagged or all untagged, since a VLAN-unaware device cannot interpret the tag.

Fig.3.9: Hybrid link containing both VLAN-aware and VLAN-unaware devices.
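The following Python is an added example, not code from the report: it parses Ethernet frames, detects the 802.1Q tag (TPID 0x8100) and extracts the VLAN ID and priority, then checks a set of frames seen on a hybrid link against the rule that a given VLAN must be carried either always tagged or always untagged. Untagged frames, and priority-only tags with VID 0, are assigned the port's PVID. The frames, MAC addresses and PVID below are constructed test data.

```python
"""Parse Ethernet frames for IEEE 802.1Q tags and check the hybrid-link rule.

Added example, not from the report. All frames are constructed test data.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]   # None when the frame carries no tag at all
    pcp: int             # priority code point (0 for untagged frames)
    ethertype: int       # EtherType of the payload after any tag


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 4-byte 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    if etype != TPID_8021Q:
        return Frame(fmt_mac(dst), fmt_mac(src), None, 0, etype)
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", raw[14:18])
    return Frame(fmt_mac(dst), fmt_mac(src), tci & 0x0FFF, tci >> 13, inner)


def build_frame(dst: str, src: str, ethertype: int,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a padded Ethernet frame; tagged when vid is given."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is None:
        hdr += struct.pack("!H", ethertype)
    else:
        hdr += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF), ethertype)
    return hdr + b"\x00" * 46  # minimum payload so the frame is at least 60 bytes


def effective_vid(frame: Frame, pvid: int) -> int:
    """VID 0 is a priority-only tag and, like an untagged frame, belongs to the PVID."""
    return pvid if frame.vid in (None, 0) else frame.vid


def check_hybrid_link(frames, pvid: int) -> set:
    """Return the VLAN IDs that appear both tagged and untagged on the link.

    On an 802.1Q hybrid link every VLAN must be carried either always tagged or
    always untagged, because the VLAN-unaware stations cannot read the tag.
    """
    seen = {}
    for f in frames:
        kind = "untagged" if f.vid in (None, 0) else "tagged"
        seen.setdefault(effective_vid(f, pvid), set()).add(kind)
    return {vid for vid, kinds in seen.items() if len(kinds) > 1}
```

With PVID 10, an untagged frame from a VLAN-unaware PC and a tagged frame for VLAN 20 from a VLAN-aware host coexist correctly; a frame tagged with VID 10 on the same link is the violation the check reports.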

3.11 Student portal


The student portal is a gateway to the services (e-mail, login to computer rooms, distance education tools, study results) that a student needs during studies at the University of Nairobi. Each student is given a username, an e-mail address and a password, which remain valid for the whole period of study, even if the student changes course or place of study. The same credentials are used when logging in on computers at the university and when reading e-mail at home.

3.12 UON WLAN security measures

3.12.1 Use of VLANs

VLANs help to restrict access to data to specific personnel. For example, the student VLAN must not be able to reach servers holding administrative data. Since a VLAN by itself only separates broadcast domains, this restriction has to be enforced by filtering traffic between VLANs at the router or firewall that connects them.

3.12.2 MAC addressing

To be configured to use the UON WLAN, a user must bring their portable device to the network administrator so that its MAC address can be registered and assigned to the required VLAN.
The VMPS (VLAN Membership Policy Server) holds a database of all workstation MAC addresses together with the VLAN each belongs to, which gives a MAC-address-to-VLAN mapping. Table 6 shows an example of the mapping held by the VMPS. Each MAC address, which corresponds to a host on the network, is mapped to a VLAN, so the host can move within the network, connect to any switch that is part of the VMPS domain and keep its VLAN configuration. Since the decision rests only on the MAC address the station presents, an unregistered address should be denied rather than placed in a default VLAN.

Table 6: mapping of MAC address to VLAN membership by the VMPS
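As an added example serving sections 3.9 and 3.12.2 (it is not the report's own code and not a real VMPS implementation), the Python below keeps a MAC-to-VLAN table, normalises the address formats an administrator might type (colon, dash, Cisco dotted or bare hex) and rejects anything that is not exactly 48 bits, which a valid MAC address must be. Unknown addresses are denied rather than given a default VLAN, and addresses with the locally-administered bit set are flagged because they were assigned in software; a spoofed address that copies a burned-in one is not caught by that flag. The table entries and VLAN names are constructed.

```python
"""MAC-address-to-VLAN lookup in the style of the VMPS table.

Added example, not the report's code. Entries and VLAN names are constructed.
"""
import re
from typing import Iterable, Optional, Tuple

FALLBACK_VLAN = None  # None means deny: unregistered MACs get no VLAN at all


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex.

    Returns the lowercase colon form; raises ValueError unless exactly 48 bits
    of hex are present, so decimal strings and short values are rejected.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: the address was assigned in software."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


class VlanMembershipTable:
    """The MAC -> VLAN database an administrator registers devices into."""

    def __init__(self, entries: Iterable[Tuple[str, str]] = ()):
        self._map = {normalize_mac(m): vlan for m, vlan in entries}

    def register(self, mac: str, vlan: str) -> None:
        self._map[normalize_mac(mac)] = vlan

    def lookup(self, mac: str, fallback: Optional[str] = FALLBACK_VLAN) -> Optional[str]:
        return self._map.get(normalize_mac(mac), fallback)


def assign_port(table: VlanMembershipTable, mac: str,
                fallback: Optional[str] = FALLBACK_VLAN) -> Tuple[Optional[str], str]:
    """Decide the VLAN for a station that has appeared on a port.

    Returns (vlan, reason); vlan is None when the station is rejected.
    """
    try:
        key = normalize_mac(mac)
    except ValueError as exc:
        return None, f"rejected: {exc}"
    vlan = table.lookup(key, fallback)
    if vlan is None:
        return None, "rejected: MAC address not registered"
    note = " (locally administered address, set in software)" if is_locally_administered(key) else ""
    return vlan, f"assigned VLAN {vlan}{note}"
```

A decimal string such as the 13-digit values in table 5 is rejected by normalize_mac, which is the check a real registration form should make before an entry reaches the VMPS database.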

3.12.3 Use of RADIUS authentication

RADIUS, an IETF standard authentication, authorisation and accounting protocol (RFC 2865), controls which users may connect to the network and which resources they may reach. With IEEE 802.1X, the access point relays EAP messages between the client and the RADIUS server, so wireless users can be strongly authenticated at the access point using X.509 digital certificates (EAP-TLS) before any of their traffic is allowed onto the network. Administrators can enforce policies on user sessions, such as the length of the encryption key and the interval at which it is renegotiated. Together these features remove most of the practical exposure to WEP's known weaknesses, since each session receives its own key, which is replaced before enough traffic can be collected to attack it, and they greatly raise the effort of an intrusion attempt. Per-session keys do not repair WEP's underlying cipher weaknesses, however; where the hardware supports it, WPA2 (IEEE 802.11i) with AES-CCMP should be used instead.
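To show what authentication at the access point looks like on the wire, the following Python is an added example, not the report's code: it builds the RADIUS Access-Request (RFC 2865) that an access point sends for an 802.1X client, carrying the client's EAP identity in an EAP-Message attribute and the wireless attributes NAS-Port-Type, Called-Station-Id and Calling-Station-Id, protected by the Message-Authenticator HMAC-MD5 that RFC 3579 requires for EAP. It then verifies the server's reply the way the access point must, by recomputing the Response Authenticator and the Message-Authenticator with the shared secret. The shared secret, MAC addresses, SSID and user name are constructed.

```python
"""RADIUS Access-Request for an 802.1X wireless client and reply verification.

Added example, not the report's code. Secret, MACs, SSID and user are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 30, 31, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19          # RFC 2865 value for wireless 802.11
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def _assemble(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _with_message_authenticator(code, ident, authenticator, attrs, secret):
    # RFC 3579 3.2: HMAC-MD5 over the whole packet with the attribute value zeroed.
    zeroed = _assemble(code, ident, authenticator, attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    return attrs + attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())


def build_access_request(ident: int, secret: bytes, user: str, ap_mac: str, ssid: str,
                         client_mac: str, eap_id: int,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the AP (the NAS) sends when a client answers the EAP identity request."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable, RFC 2865 3
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode())    # AP MAC and SSID
             + attr(CALLING_STATION_ID, client_mac.encode())          # client MAC
             + attr(EAP_MESSAGE, eap_identity_response(eap_id, user)))
    attrs = _with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return _assemble(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((kind, packet[i + 2:i + length]))
        i += length
    return out


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator (RFC 2865 3) plus Message-Authenticator."""
    ident, request_auth = request[1], request[4:20]
    attrs = _with_message_authenticator(code, ident, request_auth, b"", secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return _assemble(code, ident, resp_auth, attrs)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """AP side: return the reply code only if both authenticators check out, else None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None                       # forged, replayed for another request, or wrong secret
    rebuilt, msg_auth = b"", None
    for kind, value in parse_attrs(response):
        if kind == MESSAGE_AUTHENTICATOR:
            msg_auth = value
            rebuilt += attr(kind, bytes(16))
        else:
            rebuilt += attr(kind, value)
    if msg_auth is None:
        return None                       # RFC 3579 requires it in an EAP exchange
    expected_ma = hmac.new(secret, _assemble(code, ident, request_auth, rebuilt), hashlib.md5).digest()
    return code if hmac.compare_digest(expected_ma, msg_auth) else None
```

Only an Access-Accept whose two authenticators verify against the Request Authenticator the AP itself generated should open the port; a reply with a wrong secret, a modified attribute or no Message-Authenticator is dropped.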

3.12.4 Use of security switches and firewall.

Security switches are placed between the APs and the wired network, as shown in fig. 3.10. Every station connecting to the network must pass through a security switch, which verifies it before its traffic is forwarded.

Fig 3.10; placement of security switches and firewall in a wireless network

3.12.5 Reduced broadcast strength of APs where possible

The transmit power of the WLAN access points is reduced, where possible, to keep coverage within the intended area only, so that unintended areas such as those outside the buildings are not covered. The APs are also configured to ignore probe requests with a null SSID, so that a client must know the SSID before it can connect. This only hides the network from casual scanning: the SSID is still carried in the clear in the probe and association frames of legitimate clients, so it must not be relied on as an access control.

CHAPTER FOUR: CONCLUSION
With this UON WLAN design, students have a powerful working tool for queries, research, university projects and many other activities. The more students use these facilities, the greater their freedom and working capacity.
The computerisation of the teaching staff is a competitive advantage for UoN, since it creates a dynamic and flexible working environment in which lecturers are in permanent contact and interaction with their students, which is the basis of e-learning.
Equipping the campuses of the University with a wireless network brings the following advantages:
· Interaction among students and teachers
· Low implementation cost compared with laying a physical network, where the major costs are always labour, the design work and changes to the building structure (gutters, ditches, cabling and so on). The maintenance and administration of a wireless network are easier and more effective than those of a wired one, which relieves some of the existing load on the ICT Centre.
The main functions/applications that can be deployed on the wireless network are:
§ Digital library
§ Publisher and virtual bookstore
§ Virtual lecturers' administrative services
§ Virtual students' administrative services
§ Web-mail
§ E-learning

4.1 Solution benefits


With anytime, anywhere access to their personal and private information, permanent contact with fellow students and teachers, and access to the internal and external databases provided by the University's Documentation and Information Service (without needing to be physically present at that service), mobile users gain a great degree of freedom and can access that content at any time.
Permanent and immediate access from anywhere in the University campuses to the information the University provides, with the consequent:
a. Mobility
b. Flexibility
c. Readiness
d. Speed
e. Greater interaction among users
f. Greater work capacity
g. Greater command of the content
h. Decentralisation of services
i. Easier technology to set up and maintain and, consequently, more cost-effective

4.2 User experience


The UON WLAN can deliver a very different user experience on the campus. It enables students to access information and study wherever they are on the campus, at any time.

4.3 Recommendation
A building-by-building AP positioning plan is needed for effective service. Students' hostels can be covered effectively by placing APs securely and appropriately in each building.

The experience of understanding the UON network topology and designing a WLAN has been invaluable. Through this project, practical knowledge has been gained about realistic projects in industry. After such a positive experience, the future looks promising.

