Deploying SpectraLink 8020/8030
Wireless Telephones
July 2009
acquisition. Once the handset has re-acquired the network after a hard handoff, soft handoffs will resume
as long as CCKM is used and WLAN connectivity is maintained. CCKM must be properly configured on
the Cisco APs. Consult the VIEW Configuration Guide for your Cisco products to ensure proper
operation.
5.3.3 Cisco Fast Secure Roaming (FSR)
Cisco's Fast Secure Roaming (FSR) mechanism uses a combination of standards-based and proprietary
security components including Cisco Client Key Management (CCKM) (see Section 5.3.2.4), LEAP
authentication, Michael message integrity check (MIC) and Temporal Key Integrity Protocol (TKIP). FSR
provides strong security measures for authentication, privacy and data integrity along with fast AP
roaming on Cisco APs.
5.4 Using Virtual LANs
Virtual LANs (VLANs) can be used to segregate traffic into different security classes. By using separate
VLANs, data traffic can utilize the most robust but processing-intensive security methods. In order for
voice to operate efficiently in a WLAN, it is critical that it be separated from the data traffic by using
VLANs, mapped to WLAN SSIDs.
The 802.1Q standard establishes a method for inserting VLAN membership information into Ethernet
frames via header-information tags. SpectraLink infrastructure equipment and SVP do not generate or
forward these tags, but are otherwise compatible with 802.1Q up to the Ethernet switch ports used for the
SpectraLink equipment.
5.5 MAC Filtering and Authentication
Most access points can be configured to allow or deny association of wireless clients based on their
unique MAC address, which can be used as a method of securing the WLAN. This process generally
works well, but can cause some performance issues on some APs and is never recommended when
using voice on a WLAN.
5.6 Firewalls and Traffic Filtering
The traffic filtering capabilities of firewalls, Ethernet switches and wireless controllers can also be used as
an additional security layer if configured to allow only certain types of traffic to pass onto specific areas of
the LAN. To properly provide access control, it is necessary to understand the type of IP traffic used by
the SpectraLink handsets. When using SpectraLink Telephony Gateways to interface to a traditional PBX
or an SVP Server in an IP PBX implementation, the handset uses the SpectraLink Radio IP Protocol (IP
ID 119).
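The following Python example is added here and is not part of the Polycom guide. It classifies raw Ethernet frames by 802.1Q VLAN tag (Section 5.4) and by the traffic this section names (IP protocol 119 and the UDP ports 5454-5458 listed further on), as a check on switch or controller filter rules. The function names, labels and audit policy are assumptions, as is the premise that frames are captured where 802.1Q tags are still present (a trunk or mirror port); the sample frames are constructed.

```python
import struct
SRP_PROTO = 119                      # SpectraLink Radio Protocol (IP protocol number, per the guide)
INFRA_UDP_PORTS = range(5454, 5459)  # proprietary UDP channels 5454-5458 (per the guide)
TPID_8021Q, ETH_IPV4, PROTO_UDP = 0x8100, 0x0800, 17

def classify(frame: bytes):
    """Return (vlan_id or None, label) for one raw Ethernet frame."""
    if len(frame) < 14:
        return None, "truncated"
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:      # 4-byte 802.1Q tag: TPID, then PCP/DEI/VLAN ID
        if len(frame) < 18:
            return None, "truncated"
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_IPV4:
        return vlan, "non-ipv4"
    if len(frame) < offset + 20:
        return vlan, "truncated"
    frag, _ttl, proto = struct.unpack_from("!HBB", frame, offset + 6)
    l4 = offset + (frame[offset] & 0x0F) * 4   # layer-4 start (IHL counts 32-bit words)
    if proto == SRP_PROTO:
        return vlan, "srp"
    if proto == PROTO_UDP:
        if frag & 0x1FFF:                      # later fragment: no UDP header to inspect
            return vlan, "udp-fragment"
        if l4 < offset + 20 or len(frame) < l4 + 4:
            return vlan, "truncated"
        sport, dport = struct.unpack_from("!HH", frame, l4)
        if sport in INFRA_UDP_PORTS or dport in INFRA_UDP_PORTS:
            return vlan, "infra-udp"
    return vlan, "other"

def audit(frames, voice_vlan):
    """Flag voice traffic off the voice VLAN and other IPv4 traffic on it (assumed policy)."""
    findings = []
    for i, (vlan, label) in enumerate(map(classify, frames)):
        if label in ("srp", "infra-udp") and vlan != voice_vlan:
            findings.append((i, vlan, label, "voice traffic outside voice VLAN"))
        elif vlan == voice_vlan and label == "other":
            findings.append((i, vlan, label, "non-voice IP traffic on voice VLAN"))
    return findings

def sample_frame(vlan, proto, dport=0):
    """Constructed frame: zeroed MACs and addresses, optional 802.1Q tag, minimal IPv4 + 8 bytes."""
    eth = bytes(12) + (struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b"")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, bytes(4), bytes(4))
    return eth + struct.pack("!H", ETH_IPV4) + ip + struct.pack("!HHHH", 40000, dport, 8, 0)
```

Entries labelled "other" on the voice VLAN still need review by hand, since the guide lists DHCP, DNS, TFTP, NTP and similar protocols as traffic the handsets and servers also use.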
While the SpectraLink handset will generally work through a firewall if the appropriate ports are made
available, this is never recommended. Firewalls create a great deal of jitter in the network which can
severely limit the successful, on-time delivery of audio packets to the wireless telephone. Additionally, the
use of ICMP redirects is not supported because of the extreme delay that can result when the gateway of
the SVP Server or handsets is changed dynamically. The SpectraLink handset requires less than one
millisecond of jitter from the SVP Server to the handset. This will be difficult to achieve if there are multiple
'hops' between the SVP Server and handset.
For an IP telephony server interface, the ports used depend on the IP telephony protocol of the telephony
switch interface. The SpectraLink Wireless Telephones, Telephony Gateways and SVP Server use TCP
and UDP and other common IP protocols from time to time. These include DHCP, DNS, WINS, TFTP,
FTP, NTP, Telnet, ARP and ICMP. Polycom uses proprietary UDP channels between the infrastructure
components, i.e. UDP ports 5454-5458. The push-to-talk (PTT) mode of the SpectraLink 8030 Wireless
©2009 Polycom, Inc. All rights reserved.
Polycom and the Polycom logo are registered trademarks of Polycom, Inc. All other trademarks are the property of Polycom, Inc. or their respective companies.
Best Practices Guide