BRKEWN-2010.pdf

© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public

Design and Deployment of Enterprise

WLANsBRKEWN-2010

2

Sujit Ghosh, CCIE #7204

Manager, Technical MarketingWireless Networking Business Unit


Agenda

Controller-Based Architecture Overview

Mobility in the Cisco Unified WLAN Architecture

Architecture Building Blocks

Deploying the Cisco Unified Wireless Architecture

3


Agenda





4


Centralized Wireless LAN ArchitectureWhat Is CAPWAP?

CAPWAP: Control and Provisioning of Wireless Access Points is used

between APs and WLAN controller and based on LWAPP

CAPWAP carries control and data traffic between the two

‒ Control plane is DTLS encrypted

‒ Data plane is DTLS encrypted (optional)

LWAPP-enabled access points can discover and join a CAPWAP

controller, and conversion to a CAPWAP controller is seamless

CAPWAP is not supported on Layer 2 mode deployment

CAPWAP Controller

Wi-Fi Client

Business Application

Control Plane

Data Plane

Access Point

5


CAPWAP ModesSplit MAC

The CAPWAP protocol supports two modes of operation

‒ Split MAC (centralized mode)

‒ Local MAC (H-REAP or FlexConnect)

Split MAC

WTP ACSTA

Wireless PhyMAC Sublayer

CAPWAPData Plane

Wireless Frame

802.3 Frame

6


CAPWAP ModesLocal MAC

Local MAC mode of operation allows for the data frames to be

either locally bridged or tunneled as 802.3 frames

Tunneled as 802.3 frames

Wireless PhyMAC Sublayer

Wireless Frame 802.3 Frame

802.3 FrameCAPWAP

Data Plane

Tunneled local MAC is not supported by Cisco

H-REAP/FlexConnect support locally bridged MAC and split MAC per SSID

WTP ACSTA

7


CAPWAP State Machine

DiscoveryReset

Image Data

Config

Run

AP Boots UP

DTLSSetup

Join

8


AP Controller Discovery

Layer 2 join procedure attempted on LWAPP APs

‒(CAPWAP does not support Layer 2 APs)

‒Broadcast message sent to discover controller on a

local subnet

Layer 3 join process on CAPWAP APs and on LWAPP APs

after Layer 2 fails

‒Previously learned or primed controllers

‒Subnet broadcast

‒DHCP option 43

‒DNS lookup

Controller Discovery Order

9


Efficient CAPWAP Operation

Define the Wireless Access Point Device DHCP Scopes

Default router IP Address for Access Point scope

Helper address (forwarding UDP 5246 to the WLCs management

interface)

Domain name

Appropriate DHCP Lease timer for Aps

Pool sizes for WLAN devices in accordance to different types of sites

If NAT is used, static 1-to-1 NAT to an outside address is

recommended

Best Practices

10


Sample Port Configuration

interface GigabitEthernet<port>

description <WLC name>

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan <vlan-list>

switchport mode trunk

switchport nonegotiate

mls qos trust cos

spanning-tree portfast trunk

Controller Port AP Port Configuration

ip forward-protocol udp 5246

interface vlan <SVC>

ip helper-address <WLC1managementInterface>

ip helper-address <WLC2managementInterface>

11


6.0, 7.0, 7.1, 7.2 ? Which Version Should I Use?

WLC 5508 supports 6.0, 7.0 and 7.1 & 7.2

WLC7500, WiSM-2 and WLC2504 only supported

in 7.0 onwards

6.0.202 is the latest MD

7.0.220 will be tested for AssureWave (Blue

Ribbon)

7.1.91 or 7.2 (preferred) is needed for AP3600

12


Agenda





13


Mobility Defined

Mobility is a key reason for wireless networks

Mobility means the end-user device is capable of moving

location in the networked environment

Roaming occurs when a wireless client moves association

from one AP and re-associates to another, typically because

it‘s mobile!

Mobility presents new challenges:

‒ Need to scale the architecture to support client roaming—roaming

can occur intra-controller and inter-controller

‒ Need to support client roaming that is seamless (fast) and preserves

security

14


Scaling the Architecture with Mobility Groups

Mobility Group allows controllers to peer with each other to support seamless

roaming across controller boundaries

APs learn the IPs of the other members of the mobility group after the CAPWAP

Join process

Support for up to

24 controllers,

3600 APs per

mobility group

Mobility messages

exchanged

between

controllers

Data tunneled between

controllers in EtherIP (RFC 3378)

Eth

ern

et in

IP T

un

nel

Mobility Messages

Controller-CMAC: AA:AA:AA:AA:AA:03

Mobility Group Name: MyMobilityGroup

Mobility Group Neighbors:Controller-A, AA:AA:AA:AA:AA:01Controller-B, AA:AA:AA:AA:AA:02

Controller-AMAC: AA:AA:AA:AA:AA:01


Mobility Group Neighbors:Controller-B, AA:AA:AA:AA:AA:02Controller-C, AA:AA:AA:AA:AA:03

Controller-BMAC: AA:AA:AA:AA:AA:02


Mobility Group Neighbors:Controller-A, AA:AA:AA:AA:AA:01Controller-C, AA:AA:AA:AA:AA:03

15


Scaling the Architecture with Mobility Groups

One

WLC NetworkMobility Group

Mobility Domain

24 WLCs in a

Mobility GroupMobility Group (7.2)

Mobility Group (7.0)

Mobility Group (6.0)

72 WLCs in a

Mobility Domain

With Inter Release Controller Mobility (IRCM) roaming is supported between 6.0, 7.0 and 7.2

16


How Long Does an STA Roam Take?

Time it takes for:

‒Client to disassociate +

‒Probe for and select a new AP +

‒802.11 Association +

‒802.1X/EAP Authentication +

‒Rekeying +

‒IP address (re) acquisition

All this can be on the order of seconds… Can we make this faster?

17


Roaming Requirements

Roaming must be fast … Latency can be introduced by:

‒ Client channel scanning and AP selection algorithms

‒ Re-authentication of client device and re-keying

‒ Refreshing of IP address

Roaming must maintain security

‒ Open auth, static WEP—session continues on new AP

‒ WPA/WPAv2 Personal—New session key for encryption derived via standard

handshakes

‒ 802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re-authenticated and

new session key derived for encryption

18


How Are We Going to Make Roaming Faster?

Eliminating the (re)IP address acquisition challenge

Eliminating full 802.1X/EAP reauthentication

Focus on Where We Can Have the Biggest Impact

19


Intra-Controller Roaming:Layer 2

WLC-1 WLC-2

WLC-1 Client Database


Mobility Message Exchange

Preroaming Data Path

Client Data (MAC, IP, QoS, Security)

VLAN X

Intra-Controller roam happens when an AP moves association between APs joined to the same controller

Client must be re-authenticated and new security session established

20


Intra-Controller Roaming:Layer 2 (Cont.)

WLC-1 WLC-2




Roaming Data Path


VLAN X

Client Roams to a Different AP

Client database entry with new AP and appropriate security context

No IP address refresh needed

21


Intra-Controller Roaming:Layer 3

WLC-1 WLC-2

WLC-1 Client Database WLC-2 Client Database



VLAN XClient Data (MAC, IP, QoS, Security)


VLAN Z

22


Client Roaming Between Subnets:Layer 3 (Cont.)

WLC-1 WLC-2




VLAN X



VLAN Z


Foreign Controller

Anchor Controller

Data Tunnel

Client Roams to a Different AP

23


Roaming: Inter-Controller

L3 inter-controller roam: STA moves association between APs joined to the different

controllers but client traffic bridged onto different subnets

Client must be re-authenticated and new security session established

Client database entry copied to new controller – entry exists in both WLC client DBs

Original controller tagged as the ―anchor‖, new controller tagged as the ―foreign‖

WLCs must be in same mobility group or domain

No IP address refresh needed

Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0

release

Account for mobility message exchange in network design

Layer 3

24


How Are We Going to Make Roaming Faster?

Eliminating the (re)IP address acquisition challenge

Eliminating full 802.1X/EAP reauthentication

Focus on Where We Can Have the Biggest Impact

25


Fast Secure RoamingStandard Wi-Fi Secure Roaming

802.1X authentication in wireless today requires

three ―end-to-end‖ transactions with an overall

transaction time of > 500 ms

802.1X authentication in wireless today requires a

roaming client to reauthenticate, incurring an

additional 500+ ms to the roam

Note: Mechanism Is Needed to Centralize Key Distribution

Cisco AAA Server (ACS or ISE)

WAN

AP1AP2

1. 802.1X Initial Authentication Transaction2. 802.1X

Reauthenti-cation After Roaming

26


Cisco Centralized Key Management (CCKM)

Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially

with application specific devices (ASDs)

CCKM ported to CUWN architecture in 3.2 release

In highly controlled test environments, CCKM roam times consistently measure

in the 5-8 msec range!

CCKM is most widely implemented in ASDs, especially VoWLAN devices

To work across WLCs, WLCs must be in the same mobility group

CCX-based laptops may not fully support CCKM – depends on supplicant

capabilities

CCKM is standardized in 802.11R, but no clients available yet

27


What is 802.11r ?

An IEEE standard which defines a new concept of roaming

Handshake with the new AP is done even before the client roams

More secure due to 3 levels of key hierarchy

Standard defines 2 methods of roaming – Over-the-air and Over-the-DS

The Association-Response Frame is expanded therefore older client drivers

may not understand the 11r response frame. Therefore in some customer

sites to have 11r roaming may require an additional SSID.

New in 7.2MR128


Fast Transition 802.11r Roaming Comparison

Pairwise Master Key ID(PMKID) Roam

is 10 Packets Long.

802.11r Action Packet Exchange Occurs

Before the Roam. Therefore the Roam is 2

Packets Long.

The Action Frames are new to 802.11r and the Association Frames are modified.

29


Pre-Authenticated Secure Roam by WLAN

802.11r Over the Air roaming 802.11r Over the DS roaming

AP1

Client

Roaming direction

Associated with

old AP

AP2, 3, 4

802.11 FT auth req

802.11 FT auth resp

Reassociation Req

Reassociation Resp

AP1

Client

Roaming direction

Associated with

old AP

AP2, 3.,

4

Action frame FT req

Action frame FT resp

Reassociation Req

Reassociation Resp

Preauth information

• Two modes of roaming in 11r

30


802.11r

To enable 11r, check Fast

Transition in Layer2 security

Add ‗Over the DS‘ if you

choose to reduce the over the

air transactions

Adding a WPA2 will provide

the option of support for 11r

Select the key management

type -> FT 802.1X or FT PSK

31


Designing a Mobility Group/Domain

Less roaming is better – clients and apps are happier

While clients are authenticating/roaming, WLC CPU is doing the

processing – not as much of a big deal for 5508 which has dedicated

management/control processor

L3 roaming & fast roaming clients consume client DB slots on multiple

controllers – consider ―worst case‖ scenarios in designing roaming

domain size

Leverage natural roaming domain boundaries

Mobility Message transport selection: multicast vs. unicast

Make sure the right ports and protocols are allowed

Design Considerations

32


3K AP Setup in WNBU

33


Agenda





34


Device Support

AP3600

800 Series ISR

Other Highlights

IPv6 Mobility

802.11u/MSAP

11n throughput enhancements

Flex: ACL, AAA override,P2P

CleanAir classifiers

TrustSec SXP

Others

WiPS Rogue & Wi-Fi Direct AP Groups and Profiles

CleanAir Enhancements for serviceability, PDA Enhancements,

Unclassified Interferers in AQ

OEAP600 enhancements with WLC manual power,

Channel, Disable etherport

Flex: Fast roaming for voice clients

Flexconnect: Efficient AP upgrade

Stadium Vision Mobile with larger DTIM queue and

dynamic multicast data-rates per AP

NEC-CAC for KTS SIP clients

TPCv2/RRM enhancements

Videostream QoS alloy

Support for ISE 1.1 CCX Lite

WiSM2/7500

WiSM2 Scale 1000 APs

WiSM2 20 Gbps

7500 Scale 3000 APs

7500 DTLS/OEAP support

7500 High throughput

7500 Context-aware

CUWN 7.2 Release - Key Controller Features

35


CUWN 7.2 MR1 Release

802.11r Support

External Webauth for FlexConnect Mode AP

Outdoor RAPs to operate in Local mode & FlexConnect mode

36


6500 as Borderless Services Node (BSN)

Cisco WiSM-2 and Sup 2T

Agg 6k

Access2k/3k/4k

BSN providessingle point of management

Provides Service Virtualization, Wired / Wireless Integration and Secure Access

Security

Wireless

Security

Wireless

Catalyst 6500

10GbE Core

ASA-SMNAM3WiSM2

Specifications at a Glance

Access Points 100–1000

Clients 15,000 and 5000 tags

I/O 20G

APs in Mobility

Domain

72,000

APs in Mob Group 24,000

Chassis Level Scale7,000 APs and

105,000 Clients

Concurrent AP Joins 1000

Physical Controller 1

Power 225 W

• Sup 720 and Sup 2T support

Sup 720 Software Version 12.2(33)SXJ2

Sup 2T Software Version 15.0(1)SY1

37


Controller Portfolio

5500 WiSM-2

Number of Access Points 12, 25, 50, 100, 250, 500 500, 1000(7.2)

Throughput Up to 8 Gbps Up to 10 Gbps / 20 Gbps (7.2)

Clients Up to 7000 Up to 10,000

Concurrent AP Upgrades/Joins Up to 500 Up to 500

Network I/OUp to 8

1 Gbps SFPsCisco Catalyst 6000 Series Backplane

Mobility Domain Size Up to 36,000 APs Up to 36,000 Aps, 72,000 AP(7.2)

Number of Controllers per Physical Device 1 1

Power Consumption 125W 225W

AP Count Upgrade via Licensing Yes Yes

Encrypted Data Link

Between AP and ControllerYes Yes

OfficeExtend Solution Yes Yes

38


Cost Effective Entry Level Controllers2500 Wireless Controller and SRE modules in ISR G2

Access Points 5-50

Clients 500

Throughput 500 Mbps

Deployment Model Local and FlexConnect

Form Factor Desktop

IO Interface 4x 1GE

Upgrade Licenses 5, 25

Access Points ISM: 5-10

SM: 5-50

Clients 500

Throughput 500 Mbps

Deployment Model Local and FlexConnect

Form Factor SRE (ISM/SM)

Upgrade Licenses 5, 25

Device Supported On 1941, 2900 and 3900 Series

ISR G2

39


AP 3600

802.11n WiFi

With CleanAirtechnology

Business-Ready Mission CriticalBest in Class

Mission Critical

AP 3500AP 1260AP 1140AP 1040

OfficeExtend AP 600

Teleworker

Access Points Portfolio

40


AP 3600 - 3 Spatial Stream 3x3 MIMO Access

Points

4x4 MIMO ANTENNA DESIGN, 3 SPATIAL STREAMS

Redundant antenna design for more speed and reliability

CLIENTLINK 2.0 for 802.11n

Improves performance to all mobile devices: including 802.11a/g and 802.11n

– 1SS, 2SS & 3SS

Enhanced CLEANAIR TECHNOLOGY

New, more powerful full-spectrum analysis while serving data traffic

Cisco Aironet 3600 Series Access Points

41


3600 Series 3500 Series 1260 Series 1140 Series 1040 Series 600 Series 1550 Series

Data Rate 450 Mbps 300 Mbps 300 Mbps 300 Mbps 300 Mbps 300 Mbps 300 Mbps

Radio Design 4X4:3 2X3:2 2x3:2 2x3:2 2X2:2 2X2:2 2x3:2

CleanAir

ClientLink ClientLink 2.0 on 2.4

BandSelect

VideoStream

Rogue AP Detection

Adaptive wIPS

OfficeExtend

FlexConnect

Wireless Mesh

Data Uplink (Mbps) 10/100/1000 10/100/1000 10/100/1000 10/100/1000 10/100/1000 10/100 10/100/1000

Power 802.3af

Supports 802.3at

802.3af 802.3af 802.3af 802.3af 100 to 240 VAC, 50-

60 Hz

By Model Number:

See AP AAG

Temperature Range in Celsius (i) -0 to 40° C

(e) -20 to 55°C

(i) -0 to 40° C

(e) -20 to 55°C

-20 to 55°C -0 to 40°C -0 to 40°C 0 to 40°C -40 to 131°C

Cisco Aironet 802.11n Access Points Indoor and Outdoor - Feature Comparison Matrix

42


Agenda





43


Deploying the Cisco Unified Wireless

Architecture Controller Redundancy and AP Load Balancing

Understanding AP Groups

IPv6 Deployment with Controllers

Branch Office Designs

Guest Access Deployment

Home Office Design

44


Deploying the Cisco Unified Wireless

Architecture Controller Redundancy and AP Load Balancing





Home Office Design

45


Controller RedundancyDynamic

WLC1

WLC2

AP1 AP2 AP3

AP4 AP5 AP6

AP7 AP8 AP9

Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers

Results in dynamic ―salt-and-pepper‖ design

Design works better when controllers are ―clustered‖ in a centralized design

Pros‒ Easy to deploy and configure—less upfront

work

‒ APs dynamically load-balance (though never perfectly)

Cons‒ More intercontroller roaming

‒ Bigger operational challenges due to unpredictability

‒ Longer failover times

‒ No ―fallback‖ option in the event of controller failure

Cisco‘s general recommendation is: Only for Layer 2 roaming

Use deterministic redundancy instead of dynamic redundancy

46


Controller RedundancyDeterministic

Administrator statically assigns APs

a primary, secondary, and/or tertiary

controller

‒Assigned from controller interface (per AP)

or WCS (template-based)

Pros

‒Predictability—easier operational

management

‒More network stability

‒More flexible and powerful redundancy

design options

‒Faster failover times

‒―Fallback‖ option in the case of failover

Con

‒More upfront planning and configuration

This is Cisco‘s recommended best

practice

WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C

Primary: WLAN-Controller-ASecondary: WLAN-Controller-BTertiary: WLAN-Controller-C

Primary: WLAN-Controller-BSecondary: WLAN-Controller-CTertiary: WLAN-Controller-A

Primary: WLAN-Controller-CSecondary: WLAN-Controller-ATertiary: WLAN-Controller-B

47


Controller RedundancyMost Common (N+1)

Redundant WLC in a

geographically separate location

Layer-3 connectivity between the

AP connected to primary WLC

and the redundant WLC

Redundant WLC need not be

part of the same mobility group

Configure high availability (HA) to

detect failure and faster failover

Use AP priority in case of over

subscription of redundant WLC

APs Configured With:Primary: WLAN-Controller-1Secondary: WLAN-Controller-BKP


APs Configured With:Primary: WLAN-Controller-nSecondary: WLAN-Controller-BKP

WLAN-Controller-1

WLAN-Controller-2

WLAN-Controller-n

WLAN-Controller-BKP

NOC or Data Center

48


Controller RedundancyArchitecture Resiliency

Resiliency N:1 Redundancy

N:N Redundancy N:N:1 Redundancy

WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C

Primary: WLAN-Controller-ASecondary: WLAN-Controller-BTertiary: WLAN-Controller-C

Primary: WLAN-Controller-BSecondary: WLAN-Controller-CTertiary: WLAN-Controller-A

Primary: WLAN-Controller-CSecondary: WLAN-Controller-ATertiary: WLAN-Controller-B

WLAN-Controller-1

WLAN-Controller-2

WLAN-Controller-n



APs Configured With:Primary: WLAN-Controller-nSecondary: WLAN-Controller-BKP

WLAN-Controller-BKPNOC or Data Center

WLAN-Controller-A

WLAN-Controller-B

APs Configured With:Primary: WLAN-Controller-ASecondary: WLAN-Controller-BTertiary: WLAN-Controller-BKP

APs Configured With:Primary: WLAN-Controller-BSecondary: WLAN-Controller-ATertiary: WLAN-Controller-BKP

WLAN-Controller-BKPNOC or Data Center

WLAN-Controller-A

WLAN-Controller-B

APs Configured With:Primary: WLAN-Controller-ASecondary: WLAN-Controller-B

APs Configured With:Primary: WLAN-Controller-BSecondary: WLAN-Controller-A

49


SiSi SiSi

High Availability Using Cisco 5508Hardware Failure of WLC5508

APs are connected to

primary WLC 5508

In case of hardware failure

of WLC 5508

AP‘s fall back to secondary

WLC 5508

Traffic flows through the

secondary WLC 5508 and

primary core switch

SiSi SiSi

Primary

WLC5508

Secondary

WLC5508

50


High Availability Using WiSM-2Uplink Failure on Primary Switch

In case of uplink failure of the

primary switch

Standby switch becomes the

active HSRP switch

APs are still connected to

primary WiSM

Traffic flows through the new

HSRP active switch

SiSi SiSi

Primary

WiSM-2

Active

HSRP Switch

Standby

HSRP Switch

New Active

HSRP Switch

51


High Availability Using WiSM-2Hardware Failure of WiSM-2

APs are connected to primary WiSM-2

In case of hardware failure of primary

WiSM-2

AP‘s fall back to secondary WiSM-2

Traffic flows through the secondary

WiSM-2 and primary core switch

SiSi SiSi

Primary

WiSM-2

Secondary

WiSM-2

52


Redundancy Using VSS and Cisco 5508

Cisco 5508 WLC can be attached to a Cisco

Catalyst VSS switch pair

4 ports of Cisco 5508 are connected to active

VSS switch

2nd set of 4 ports of Cisco 5508 is connected to

standby VSS switch

In case of failure of primary switch traffic

continues to flow through secondary switch in the

VSS pair

Catalyst VSS Pair

Cisco 5508

53


Core Options – 6500 VSS w/L2 Access, Nexus w/L3 Access

Data Center

Core/ Distribution

Access

SiSi SiSi

Wireless Services

SiSiSiSi

Authentication

Wireless Services

SiSiSiSi

Catalyst 6500 VSS

Nexus 7000

• Layer 2 to Access Layer

• Single Configuration

• Multi-Chassis Etherchannel load-balancing

• Layer 3 to Access Layer

• Higher 10 Gigabit Capacity

• More extensive virtualization capabilities

• Equal Cost Multipath Load-balancing

Dual physical links appear logically as a single link

Authentication

ISP1 ISP2 ISP1 ISP2

55


Controller Redundancy – High Availability

High Availability Principles :

AP is registered with a WLC and maintain a backup list of WLC.

AP use heartbeats to validate WLC connectivity

AP use Primary Discovery message to validate backup WLC list

When AP loose 3 heartbeats it start join process to first backup WLC candidate

Candidate Backup WLC is the first alive WLC in this order : primary, secondary, tertiary, global primary, global secondary.

AP does not re-initiate discovery process.

Primary WLC

Secondary WLC

New Timers 7.2

Heartbeat Timeout 1-30 secs

Fast Heartbeat Timer 1-10 secs

AP Retransmit Interval 2-5 secs

AP Retransmit with FH Enabled 3-8 Times

AP Fallback to next WLC 12 secs

56


AP Failover Priority

In case of WLC failure, backup

WLC suddenly receives

multiple Discover and Join

response from Aps

In a failover situation when the

backup controller is saturated,

the higher priority access

points are allowed to join the

backup controller by disjoining

the lower priority access

points.

Enable AP Failover Priority Globally

Wireless > Access Points > Global Configuration > AP Failover Priority

Assign Priority on per AP basis

WLC > All APs > Details for AP > High Availability

57


AP Pre-Image Download

Since most CAPWAP APs can download

and keep more than one image of 4–5 MB

each

AP pre-image download allows

AP to download code while it is operational

Pre-Image download operation

1. Upgrade the image on the controller

2. Don‘t reboot the controller

3. Issue AP pre-image download command

4. Once all AP images are downloaded

5. Reboot the controller

6. AP now rejoins the controller

without rebootHow Much Time You Save?

Access Points

Cisco WLAN Controller

CA

PW

AP

-L3

AP

Pre

-im

age

Do

wn

load

AP

Jo

ins

Wit

ho

ut

Do

wn

load

58


Access PointAccess Point

Access Switches

Distribution Switches

(standalone –

using routing,

HSRP, STP)Auxiliary Switches

Wireless ControllerWireless Controller

Mobility

Service

Engine

SNMP SNMP

NMSPNMSP

SiSiSiSi

SiSiSiSiSiSiSiSiSiSiSiSi

Network

Control

System

Network

Control

System

Mobility

Service

Engine

SiSiSiSiSiSi

SOAP/XML/SNMP SOAP/XML/SNMP

SiSiSiSiSiSi

Data Centre

VLAN 20,21,22VLAN 10,11,12

• Extremely Resilient

• Rapid reconvergence

on Link Loss due to

extensive use of

EtherChannel

• Option in Aux switch for

use of dual Supervisors

for improved availability



Access Switches


(VSS pair)

Auxiliary Switches


Mobility

Service

Engine

SNMP SNMP

NMSPNMSP

Network

Control

System

Network

Control

System

Mobility

Service

Engine

SiSiSiSiSiSi

SOAP/XML/SNMP SOAP/XML/SNMP

SiSiSiSiSiSi

Data Centre

VLAN 20,21,22VLAN 10,11,12

• Option for use of VSS

for even greater

resiliency, as well

as a simplified design

• Rapid reconvergence

on Link Loss due to

extensive use of

EtherChannel

• Option to eliminate

Aux switches in this

design, as controllers

are dual-homed to

VSS switch pair


Internet Edge


Access Switches


(standalone –

using routing,

HSRP, STP)Auxiliary Switches

SiSiSiSi

SiSiSiSiSiSiSiSiSiSiSiSi

SiSiSiSiSiSi SiSiSiSiSiSi

VLAN 20,21,22VLAN 10,11,12


EoIP TunnelsEoIP Tunnels

Anchor

Wireless

Controller

Guest

DHCP/DNS

Server

Guest

DHCP/DNS

Server

Guest WLANs are configured with Auto

Anchor

Internet

• Option showing use of

Anchor controllers for

use with Guest SSIDs

Anchor

Wireless

Controller


Controller Redundancy and AP Load Balancing





Home Office Design


62


AP-Groups - Default AP-Group

The first 16 WLANs created (WLAN IDs 1–16) on the WLC are

included in the default AP-Group

Default AP-Group cannot be modified

APs with no assignment to an specific AP-Group will use the Default

AP-Group

The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to

any AP-Groups

Any given WLAN can be mapped to different dynamic interfaces in

different AP-Groups

WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50)

WLC 4400 and WiSM (AP groups: 300),

WLC 5508 & WiSM-2 (AP groups: 500),

WLC 7500 (AP Groups : 500)

63


AP-Grouping in Campus

Data CenterWAN Internet

Access

Distribution

Core

Distribution

Access

SiSi SiSi SiSi SiSi SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

WLC-2WLC-1

VLAN 100 / 21

CAPWAP

Single SSID = Employee

VLAN 100 VLAN 100 VLAN 100

64


AP-Grouping in Campus


Access

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

AP-Group-2 AP-Group-3AP-Group-1

WLC-2WLC-1

VLAN 80 /23VLAN 70 /23VLAN 60 /23

VLAN 100/21

CAPWAP

VLAN 60VLAN 70 VLAN 80


65


Network Name

Default AP Group

Only WLANs 1–16 Will Be Added in Default AP Group

Default AP-Group

66


AP Group 1

AP Group 2

AP Group 3

Multiple AP-Groups

67


Interface-Groups (aka VLAN Select)

Interface-groups allows for a WLAN to be mapped to a single interface or multiple interfaces

Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round

robin fashion

Extends current AP group and AAA override, with multiple interfaces using interface groups

Controllers Interface-Groups/Interfaces

WiSM-2, 5508, 7500, 2500 64/64

WiSM, 4400 32/32

2100 and 2504 4/4

68


Interface-Grouping in Campus


Access

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

Int-Group-2 Int-Group-3Int-Group-1

WLC-2WLC-1

VLAN 80 /23VLAN 81 /23

VLAN 70 /23VLAN 71 /23

VLAN 60 /23VLAN 61 / 23

VLAN 100/21

LWAPP/CAPWAP

VLAN 60VLAN 61VLAN 70VLAN 71 VLAN 80VLAN 81


69


Interface Group 1

Interface Group 2

Interface Group 3

Multiple Interface-Groups

70


RF-Profiles7.2

RF Profiles allow the administrator to tune groups of AP‘s sharing a

common coverage zone together.

Selectively changing how RRM will operate the AP‘s within that coverage zone

• RF Profiles are created for either the 2.4 GHz radio or 5GHz radio

Profiles are applied to groups of AP‘s belonging to an AP Group, in which all AP‘s in the

group will have the same Profile Settings

• There are two components to this feature:

RF Profile – New in 7.2 providing administrative control over:

o Min/Max TPC values

o TPCv1 Threshold

o TPCv2 Threshold

o Data Rates

71


RF Profiles

Create an RF profile for a or

b/g radio

Select if required the

minimum and/or Maximum

TPC settings

Select a custom TPC power

threshold for either Version 1

or Version 2 of TPC

Select the data rates to be

applied to the AP‘s

72


RF-Profile in Campus 7.2


Access

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

RF-Profile-2 RF-Profile-3RF-Profile-1

WLC-2WLC-1

VLAN 80 /23VLAN 81 /23

VLAN 70 /23VLAN 71 /23

VLAN 60 /23VLAN 61 / 23

LWAPP/CAPWAP

VLAN 60VLAN 61VLAN 70VLAN 71 VLAN 80VLAN 81


73


RF Profile -1

RF Profile -2

RF Profile -3

Multiple RF-Profiles

74


Design Recommendations

Use 5508 with N+1 redundancy (recommended) or WISM2 with N+N redundancy

Use Link Aggregation across multiple chassis or line cards for N+1 redundancy when using 5508 WLAN controllers

Use large subnets (e.g., /21) to minimize L3 roaming or VLAN Select (aka Interface Groups)

Group APs on controllers to minimize inter-controller roaming (i.e. create natural roaming boundaries)

Use separate controllers or AP groups for low-volume legacy devices (e.g., 802.11b ticket scanners)

Software version 7.2.103.0 or higher

NCS 1.1 for Network Management75







Home Office Design


77


IPv6 - Phased Implementation

IPv4-only

IPv4 and IPv6 Co-existence

(Servers and Clients will Be Dual-Stack)

IPv6-only

But Dual Stack Clients Are Here Now…

78

http://www.google.com/imgres?imgurl=http://www.amaczone.com/images/image_large/Apple_MacBook_Pro_MB134LL-A_15-4-inch_Laptop_-2-5_GHz_Intel_Core_2_Duo_Processor-_2_GB_RAM-_250_GB_Hard_Drive-_DVD-CD_SuperDrive-291.jpg&imgrefurl=http://www.amaczone.com/category/Apple iPod/pg-4-0&usg=__2j5ay1ry5-cN_Ecir_FBE5Uv7iE=&h=334&w=500&sz=20&hl=en&start=27&itbs=1&tbnid=GImeBvKJZNIR1M:&tbnh=87&tbnw=130&prev=/images?q=mac+pro+laptop&start=20&hl=en&sa=N&gbv=2&ndsp=20&tbs=isch:1


Wireless IPv6 Support - Pre-v7.2

In releases prior to 7.2, enabling IPv6 bridging provided a limited solution with no Layer 3 mobility and non-optimized delivery of essential ICMPv6 messages to clients.

CAPWAP Tunnel

IPv6 ICMPv6 multicast messages sent

to all clients (including L3 roamed

clients) at low data rates.

All IPv6 packets are bridged on

the VLAN transmitting

unnecessary ICMPv6 messages

in both directions.

79


Wireless IPv6 Support - Post-v7.2

In releases 7.2, the controller now processes ICMPv6 messages allowing for optimized delivery, Layer 3 mobility and first hop security.

CAPWAP Tunnel

IPv6 ICMPv6 multicast messages

are unicast to each client at high

data rates.

IPv6 ICMPv6 messages are

interpreted by the controller and

forwarded only as needed.

80


Wireless IPv6 Client Support

Supports IPv4, Dual Stack and Native IPv6 clients on single WLAN simultaneously

Supports the following IPv6 address assignment for wireless clients:‒ IPv6 Stateless Autoconfiguration [SLAAC]

‒ Stateless, Stateful DHCPv6

‒ Static IPv6 configuration

Supports up to 8 IPv6 addresses per client

Clients will be able to pass traffic once IPv4 or IPv6 address assignment is completed after successful authentication

CAPWAPIPv4

IPv6

EthernetVLAN

Ethernet

IPv

6

CAPWAP Tunnel

IP

v4802.11

IPv4

IPv4IPv6802.11

IPv6802.11

81


IPv6 Client Connectivity on Multiple WLANs

Access Points keep track of individual clients and unicast the Router Advertisement to the clients depending on the WLAN they belong to.

Access Point support up to 16 WLANs/SSIDs for dual stack clients.

To maintain proper routing capability, mobile clients need to have proper global unique unicast prefix from router within their own network.

VLAN = 100

VLAN = 200

RAVLAN = 100

RAVLAN = 200

Router 1

Router 2

CAPWAP Tunnel

VLAN Pool VLAN 100 VLAN 200

82


Cisco Supports Many IPv6 Addresses Per Client

Support for many IPv6 addresses per client is necessary because:

‒ Clients can have multiple address types per interface

‒ Clients can be assigned addresses via multiple methods such as SLAAC and DHCPv6

‒ Most clients automatically generate a temporary address in addition to assigned addresses.

Up to 8 IPv6 Addresses

are Tracked per Client.

83


Use Case #1: Mobility

Challenge

Solution

Benefits

Dropped connections when roaming to a different network

Intelligent IPv6 packets processing

RA follows roaming clients through mobility tunnel

Reliable connectivity while roaming

Differentiator Seamless layer-3 mobility for IPv6 clients

7.2

84


How Does Cisco Solve IPv6 Mobility?

To address this issue, the roaming client must be able to receive the original router advertisement.

The anchor controller sends the RA to the foreign in the mobility tunnel.

When the Access Point receives the RA, it will convert the multicast RA to unicast (MC2UC) and send RA to each client individually.

Router 1

Router 2

CAPWAPTunnel

AnchorWLC

ForeignWLC

MobilityTunnel

RouterAdvertisement

Router Advertisement

RoamingClient

CAPWAPTunnel

85


New IPv6 Addresses Learning with Mobility

IPv6 address is always learned at the anchor either through DHCPv6 or NDP

DHCPv6 packets from a roamed client at the foreign controller will be tunneled to the anchor controller, which will learn the IPv6 address from the DHCPv6 replies.

Similarly NDP messages for a roamed client are processed at the anchor controller.

Whenever a new IPv6 address is learned at the anchor the new address is sent in a mobility message to the foreign controller.

CAPWAPTunnel

Router 1

Router 2

CAPWAPTunnel

AnchorWLC

ForeignWLC

MobilityTunnel

DHCPv6 / RS

DHCPv6 / RA Reply

RoamingClient

86


Testing IPv6-Only Client Mobility with Cisco

Clients – Windows 7 (SP1) with only IPv6 Enabled

Before

Roaming

During

Roaming

After

Roaming

Client Keeps IPv6 Address and

Connectivity is Seamless

IPv6 PING

Continues

87


Use Case #2: Security

Rogue DHCP Server

Rogue Router

Announcement(RA)

Challenge

Solution

Benefits

Vulnerabilities originated from client community

First Hop Security blocks rogue announcements

IPv6 ACLs provides IPv6 traffic control

Increased network availability and reliability

Lower operational cost

Differentiator Proactively block known threats from wireless side

7.2

88


IPv6 ACL Support

Up to 128 ACL (64 for IPv4 and 64 for IPv6) supported

Two ACL profiles (one for IPv4 and one for IPv6) are supported per dual stack client

ACL profiles for wireless clients can be configured on Wireless Controller or provided by AAA Server.‒ AAA server can send both IPv4 and IPv6 ACL attributes for dual stack clients after successful

user authentication.

Counters are maintained on ACL matches for operational/maintenance purposes.

CAPWAP Tunnel

89


IPv6 ACL Configuration

A separate IPv4 and IPv6 ACL can be applied on a per-WLAN basis.

90


Use Case #3: Efficiency

Challenge

Solution

Benefits

Chatty IPv6 packets, busy network, high CPU

Intelligent processing of IPv6 packets with proxy and rate limit

Increase radio efficiency, decrease processing load on router

High number of packetsLess number of packets

Differentiator 50% NDP reduction on wireless and 25% on wired side

7.2

91


First Hop Optimization for Wireless IPv6 Clients

CAPWAPIPv4

IPv6

Ethernet

IPv6VLAN

Ethernet

IPv6

802.11802.11

CAPWAPTunnel

Neighbor SolicitationNeighbor Solicitation (NS) Suppression Respond to NS with cache binding table entry.Proxy Neighbor Advertisement

Router Advertisement(Periodic)

Rate Limiting/Throttling

NeighborDiscoveryCaching

92


First Hop Security / Efficiency Configuration

93


Use Case #4: Client Management

Challenge

Solution

Benefits

Client visibility is vital for Troubleshooting, Planning & Security

NCS tracks IPv6 client addresses, client IP version distribution and

trending; MSE tracks IPv6 client locations

Prepare admin for IPv6 troubleshooting, address planning

Provide client traceability

Differentiator Management system for wired + wireless, IPv4 + IPv6

7.2

94


Cisco NCS 1.1 Provides Comprehensive IPv6 Client Visibility and Monitoring

Security –

Identification of

Clients Acting as

IPv6 Routers

Insight – Identification of

IPv4, Dual-Stack or IPv6-

Only Client Types

Visibility – Recognition of

IPv6 Global and Link

Local Addresses

95


Cisco NCS 1.1 Provides a Rich IPv6 Session History

Since IPv6 clients can change addresses so often (sometimes 1 per day with temporary addresses), they need to be tracked over time.

This is needed for tracking down attacks or copyright infringement violations that need to be audited all the way back to the user.

NCS Logs both

current and

past IPv6

Addresses

96







‒ Understanding FlexConnect AP Deployment

‒ Understanding Branch Controller Deployment


Home Office Design

97


Branch Office DeploymentFlexConnect

Hybrid architecture

Single management and

control point

‒Centralized traffic

(split MAC)

‒Or

‒Local traffic (local MAC)

HA will preserve local traffic

only

WAN

Central Site

Remote Office

CentralizedTraffic

CentralizedTraffic

LocalTraffic

98


FlexConnect Design Considerations

WAN limitations apply

For YourReference

99


FlexConnect Design Considerations

Some features are not available in standalone mode or in local switching mode

‒MAC/Web Auth in standalone mode

‒Central Web Authentication in local switching mode

‒Mesh AP

‒WGB & Universal WGB

‒VideoStream

‒IPv6 L3 Mobility

‒SXP TrustSec

‒AAA ACL & QoS override

‒See full list in « H-REAP Feature Matrix »http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml

Features limitations apply

100

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml


Key Differentiation WAN Tolerance

• High Latency Networks

• WAN Survivability

Security

802.1x based port authentication

Voice support

• Voice CAC

• OKC/CCKM

Economies of Scale for Lean Branches

Flex 7500 Wireless Controller

Access Points 300 - 3,000

Clients 30,000

Branches 1000

Access Points / Branch 50

Deployment Model FlexConnect

Form Factor 1 RU

IO Interface 2x 10GE

Upgrade Licenses 100, 200, 500, 1K

New

101


Understanding FlexConnect Groups

FlexConnect groups allow sharing of:

‒CCKM fast roaming keys

‒Local user authentication

‒Local EAP authentication

‒Efficient Image Download

Scaling information

WAN

Central Site

Remote Site

FlexConnect Group 1

FlexConnect Group 2

Remote Site

ScalingFlex

7500CT-5508 WiSM2 CT-2504

FlexConnect

Groups1000 100 100 20

AP per Flex

Group50 25 25 25

102


FlexConnect Improvements in 7.2

Smart AP Image Upgrade

ACL‘s on FlexConnect AP

AAA Over-ride of VLAN - dynamic VLAN assignment for locally

switched clients

FlexConnect Re-branding

Fast Roaming for Voice Clients

Peer to Peer Blocking

103


WAN

FlexConnect Smart AP Image Upgrade Description

Smart AP Image Upgrade use a

« master » AP in each FlexConnect

Group to download the code.

Other FlexConnect AP download the

code from the master locally

1.Download WLC upgraded firmware (will become

primary)

2.Force the « boot image »

to be the secondary (and not the newly upgraded

one) to avoid parallel download of all AP in case of

unexpected WLC reboot

3.WLC elect a master AP in each FlexConnect

Group (can be also set manually)

Remote Site-1 Remote Site-N

Wireless Control System

Wireless LAN Controller

Primary Secondary

Firmware Image

New

OldNewNewOld

Central Site

Master APNew in 7.2104


FlexConnect Smart AP Image Upgrade Configuration

―FlexConnect AP Upgrade‖ checkbox has to be enabled for each FlexConnect Group.By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm.One Master select per AP type.

Enable Efficient AP Image

Upgrade

Master AP Selection is

Optional

Random Backoff Interval

(100-300sec) between

each retry

Valid Range is 1-63

New in 7.2106


Local Switching Access Lists

Support for ACL in FlexConnect local

switching mode

ACL mapped to local VLAN per AP or

FlexConnect Group

512 FlexConnect ACL per WLC

16 ingress ACL & 16 egress ACL per

AP

64 ACL rules per ACL

No IPv6 ACL

Description

New in 7.2

Remote Site

WAN

Central Site

ApplicationServer

107


Local Switching Access Lists

ACL rule creation and application for FlexConnect is identical

to WLC rule creation for Local Mode

Configuration

New in 7.2

Step 2

Step 1

Click to add ACL rules Step 3

Provision to assign separate Inbound & Outbound ACLs

108


Local Switching Peer-to-Peer Blocking

Support for Peer-to-Peer

blocking in FlexConnect AP

Apply for clients on same

FlexConnect AP

P2P blocking modes : disable

or drop

For P2P blocking inter-AP

use ACL or Private VLAN

fonction

Description

New in 7.2

Remote Site

WAN

Central Site

ApplicationServer

109


Local Switching Peer-to-Peer Blocking

Configuration

New in 7.2

Multiple Policy Touch Points

Both modes of operation will drop the

packet @ AP for Local Switching enabled

WLAN

* Central Switching WLAN will support ―Forward - UpStream‖ and will send the packet to the next upstream node connected to WLC

110


FlexConnect AAA VLAN Override

AAA VLAN Override with local or

central authentication

Up to 16 VLANs per FlexConnect

AP

VLAN ID must be enabled per AP

or FlexConnect Group

If VLAN ID does not exist, default

VLAN is used

QoS and ACL Override is

not supported.

Description

New in 7.2

Remote Site

WAN

Central Site

FlexConnect Group 1

Central RADIUS

ApplicationServer

VLAN 3

VLAN 7

VLAN 3

VLAN 7

111


FlexConnect AAA VLAN Override

Configuration

New in 7.2

WAN

ISE

Create Sub-Interface on FlexConnect AP

IETF 81IETF 64IETF 65

112


CorporateWAN

Flex APCentralized WLC

Local network

Local network

Local DHCP/DNS server

1. Flex pre-auth ACL is configured at the WLAN (for web auth only), Flex-Group or AP level

3. Client associates to locally switched WLAN4. DHCP traffic is allowed and switched locally to the orange VLAN, client gets IP from local

network5. Client browses to www.cisco.com, DNS requests is allowed and switched locally

1.2.

3. and 4.

5

2. ACL is pushed to AP automatically. Traffic that is allowed by the ACL is locally switched, other traffic is sent to the WLC (DNS and DHCP are allowed by default)

FlexConnect External WebAuth

113

http://www.cisco.com


CorporateWAN

Centralized WLC

Local network

Local network

Local DHCP/DNS server

1. Flex pre-auth ACL is configured at the WLAN (for web auth only), Flex-Group or AP level

2. ACL is pushed to AP automatically. Traffic that is allowed by the ACL is locally switched, other traffic is sent to the WLC (DNS and DHCP are allowed by default)

3. Client associates to locally switched WLAN4. DHCP traffic is allowed and switched locally to the orange VLAN, client gets IP from local

network5. Client browses to www.cisco.com, DNS requests is allowed and switched locally6. HTTP traffic to www.cisco.com is not allowed by ACL so it goes to WLC in CAPWAP tunnel7. WLC redirect traffic to external web page8. Clients open HTTP session to external server, the traffic is allowed by ACL and hence is

locally switched

CAPWAP tunnel (data)

6. and 7.8.

http://redirect

FlexConnect External WebAuth

114

http://www.cisco.com


Branch

WAN

URL/ACL

URL/ACL

Radius Auth

COA/VLAN 109

COA/VLAN 109

Radius AuthWebauth

COA/VLAN Assignment

VLAN 110

Policy – Laptop – VLAN 109Policy – iPad - VLAN 110

FlexConnect and ISE

During initial 802.1x from ISE, client is provided with URL/ACL for ISE

Clients does webauth with ISE

Once device is profiled, ISE uses COA to assign device specific VLAN

115


FlexConnect and AP1500 (Outdoor)

Indoor AP Parity with Outdoor RAP (1520 & 1550) only

• Local Mode

• FlexConnect Mode

• No MAP functionality in this release

Flex Mode will have support for Central and Local Switching

Controller

L3/L2 switch MAP(Mesh AP)

RAP(Root AP) Backhaul 5GHz

Local or FlexConnect

116






‒ Understanding FlexConnect AP Deployment

‒ Understanding Branch Controller Deployment


Home Office Design


117


Small Office

E-Mail

Branch Office WLAN Controller Options

Appliance controllers

‒Cisco 2504-12

‒Cisco 5508-12, 5508-25

Integrated controller

‒WLAN controller module (WLCM-2) for ISR G2

Headquarters

Branch Office

Internet VPN

MPLS

ATM

Frame Relay

Number of Users: 100–500Number of APs: 5–25

Number of Users: 20–100Number of APs: 1–5

WCS

118


Small Office

E-Mail

Headquarters

Branch Office

Branch Office WLAN Controller Options

Cisco Unified Wireless Network with controller-based

Multiple Integrated WAN options on ISR

Consistent branch-HQ services, features, and

performance

Standardized branch configuration extends the

unified wired and wireless network

Branch configuration management from central WCS

WCS Cisco 2504 ***

WLCM-2 ****AP Count Vary Depending on Channel Utilization and Data Rates

Internet VPN

MPLS

ATM

Frame Relay

119


When to Choose WLC 2504?

WLC2504 should be used in the branch for the following reasons compared to HREAP solution:

• If you need cookie cutter configuration for every branch site

• If you need Layer-3 roaming in the branch site

• If you need VideoStream technology in the branch site

• If you need to implement VLAN Select in the branch site

• If you need to implement Static IP mobility in the branch site

• If you want WGB support in the branch site

• If you want MESH AP support in the branch site

120







Home Office Design


121



Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers

Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN

No need to define the guest VLANs on the switches connected to the remote controllers

Original guest‘s Ethernet frame maintained across CAPWAP and EoIP tunnels

Redundant EoIP tunnels to the Anchor WLC

2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)

Wireless LANController

Cisco ASA Firewall

Guest

CAPWAP

EoIP “Guest Tunnel”

Internet

Guest

DMZ or Anchor Wireless Controller

WLAN Controller Deployments with EoIP Tunnel

122


Guest Access Deployment with 7.0.0116

Campus CoreEtherIP“Guest Tunnel”

EtherIP“Guest Tunnel”

Internet

Guest Secure Guest Secure

SiSi SiSiSecure Secure

WirelessVLANs/Interface Gr

Foreign WLCs

Anchor1Anchor2

WirelessVLAN-1/WLANA

WirelessVLAN2/WLANA

WirelessVLAN3/WLANA

WirelessVLAN-4/WLANA

ACS/ISE

DHCP servers in DMZw/VLAN-DHCP scopes

DHCP servers in DMZw/VLAN-DHCP scopes

DHCP servers in Corew/VLAN DHCP scopes

SiSi

123







Home Office Designs


124


E-Mail

Headquarters

Internet VPN

MPLS

ATM

Frame Relay

Home Office DesignOEAP AP Cisco controller installed in the DMZ of the

corporate network

OfficeExtend AP (OEAP) installed at

teleworker‘s home

Corporate access to employee over centrally

configured SSID

Family Internet access over a locally

configured SSID

WLC 5508/WiSM-2 / WLC7500

WCS

125


OEAP 600

802.11n AP with dual concurrent 2.4GHz and 5GHz radios for teleworker home

4 local Ethernet ports

1 Corporate-bound port, 3 for local Ethernet devices

Up to 4 clients behind the corporate port

Corporate SSID and user-configurable Personal SSID

Traffic segmenting supported (corporate vs. personal traffic)

Local DHCP and NAT support

Control and data plane encryption

126


Summary – Key Takeways

Take advantage of the standards (CAPWAP, DTLS,802.11 i, e, k, r…..)

Wide range of architecture / design choices

Brand new controller (WiSM-2, WLC 7500, WLC 2504) portfolio with investment

protection

Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink,

Security, CCX, FlexConnect, etc)

Cisco‘s investment into technology – NCS, ISE, New hardware, cloud controller,

CiUS

127


Documentation

Aironet 600 Series OEAP Access Point Configuration Guide

‒ http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml

Wireless Services Module 2 (WiSM2) Deployment Guide

‒ http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml

• Flex7500 Deployment guidehttp://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

Wireless, LAN (WLAN) Configuration Examples and TechNotes

‒ http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

H-REAP Deployment Guide

‒ http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml

VLAN Select Deployment Guide

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml

128

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml

http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml


Complete Your Online

Session Evaluation Give us your feedback and you

could win fabulous prizes.

Winners announced daily.

Receive 20 Passport points for each

session evaluation you complete.

Complete your session evaluation

online now (open a browser through

our wireless network to access our

portal) or visit one of the Internet

stations throughout the Convention

Center.

Don‘t forget to activate your

Cisco Live Virtual account for access to

all session material, communities, and

on-demand and live activities throughout

the year. Activate your account at the

Cisco booth in the World of Solutions or visit

www.ciscolive.com.

129

http://www.ciscolive.com


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions,

booth 1042

Come see demos of many key solutions and products in the main Cisco booth

2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand

session videos, networking, and more!

Follow Cisco Live! using social media:

‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI

130

http://www.ciscolive365.com/

https://www.facebook.com/ciscoliveus

https://twitter.com/

http://linkd.in/CiscoLI


Documents

BRKEWN-2010.pdf