Upload
elton-curay
View
45
Download
7
Tags:
Embed Size (px)
Citation preview
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Design and Deployment of Enterprise
WLANsBRKEWN-2010
2
Sujit Ghosh, CCIE #7204
Manager, Technical MarketingWireless Networking Business Unit
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
3
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
4
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Centralized Wireless LAN ArchitectureWhat Is CAPWAP?
CAPWAP: Control and Provisioning of Wireless Access Points is used
between APs and WLAN controller and based on LWAPP
CAPWAP carries control and data traffic between the two
‒ Control plane is DTLS encrypted
‒ Data plane is DTLS encrypted (optional)
LWAPP-enabled access points can discover and join a CAPWAP
controller, and conversion to a CAPWAP controller is seamless
CAPWAP is not supported on Layer 2 mode deployment
CAPWAP Controller
Wi-Fi Client
Business Application
Control Plane
Data Plane
Access Point
5
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
CAPWAP ModesSplit MAC
The CAPWAP protocol supports two modes of operation
‒ Split MAC (centralized mode)
‒ Local MAC (H-REAP or FlexConnect)
Split MAC
WTP ACSTA
Wireless PhyMAC Sublayer
CAPWAPData Plane
Wireless Frame
802.3 Frame
6
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
CAPWAP ModesLocal MAC
Local MAC mode of operation allows for the data frames to be
either locally bridged or tunneled as 802.3 frames
Tunneled as 802.3 frames
Wireless PhyMAC Sublayer
Wireless Frame 802.3 Frame
802.3 FrameCAPWAP
Data Plane
Tunneled local MAC is not supported by Cisco
H-REAP/FlexConnect support locally bridged MAC and split MAC per SSID
WTP ACSTA
7
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
CAPWAP State Machine
DiscoveryReset
Image Data
Config
Run
AP Boots UP
DTLSSetup
Join
8
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP Controller Discovery
Layer 2 join procedure attempted on LWAPP APs
‒(CAPWAP does not support Layer 2 APs)
‒Broadcast message sent to discover controller on a
local subnet
Layer 3 join process on CAPWAP APs and on LWAPP APs
after Layer 2 fails
‒Previously learned or primed controllers
‒Subnet broadcast
‒DHCP option 43
‒DNS lookup
Controller Discovery Order
9
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Efficient CAPWAP Operation
Define the Wireless Access Point Device DHCP Scopes
Default router IP Address for Access Point scope
Helper address (forwarding UDP 5246 to the WLCs management
interface)
Domain name
Appropriate DHCP Lease timer for Aps
Pool sizes for WLAN devices in accordance to different types of sites
If NAT is used, static 1-to-1 NAT to an outside address is
recommended
Best Practices
10
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Sample Port Configuration
interface GigabitEthernet<port>
description <WLC name>
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan <vlan-list>
switchport mode trunk
switchport nonegotiate
mls qos trust cos
spanning-tree portfast trunk
Controller Port AP Port Configuration
ip forward-protocol udp 5246
interface vlan <SVC>
ip helper-address <WLC1managementInterface>
ip helper-address <WLC2managementInterface>
11
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
6.0, 7.0, 7.1, 7.2 ? Which Version Should I Use?
WLC 5508 supports 6.0, 7.0 and 7.1 & 7.2
WLC7500, WiSM-2 and WLC2504 only supported
in 7.0 onwards
6.0.202 is the latest MD
7.0.220 will be tested for AssureWave (Blue
Ribbon)
7.1.91 or 7.2 (preferred) is needed for AP3600
12
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
13
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Mobility Defined
Mobility is a key reason for wireless networks
Mobility means the end-user device is capable of moving
location in the networked environment
Roaming occurs when a wireless client moves association
from one AP and re-associates to another, typically because
it‘s mobile!
Mobility presents new challenges:
‒ Need to scale the architecture to support client roaming—roaming
can occur intra-controller and inter-controller
‒ Need to support client roaming that is seamless (fast) and preserves
security
14
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Scaling the Architecture with Mobility Groups
Mobility Group allows controllers to peer with each other to support seamless
roaming across controller boundaries
APs learn the IPs of the other members of the mobility group after the CAPWAP
Join process
Support for up to
24 controllers,
3600 APs per
mobility group
Mobility messages
exchanged
between
controllers
Data tunneled between
controllers in EtherIP (RFC 3378)
Eth
ern
et in
IP T
un
nel
Mobility Messages
Controller-CMAC: AA:AA:AA:AA:AA:03
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:Controller-A, AA:AA:AA:AA:AA:01Controller-B, AA:AA:AA:AA:AA:02
Controller-AMAC: AA:AA:AA:AA:AA:01
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:Controller-B, AA:AA:AA:AA:AA:02Controller-C, AA:AA:AA:AA:AA:03
Controller-BMAC: AA:AA:AA:AA:AA:02
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:Controller-A, AA:AA:AA:AA:AA:01Controller-C, AA:AA:AA:AA:AA:03
15
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Scaling the Architecture with Mobility Groups
One
WLC NetworkMobility Group
Mobility Domain
24 WLCs in a
Mobility GroupMobility Group (7.2)
Mobility Group (7.0)
Mobility Group (6.0)
72 WLCs in a
Mobility Domain
With Inter Release Controller Mobility (IRCM) roaming is supported between 6.0, 7.0 and 7.2
16
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
How Long Does an STA Roam Take?
Time it takes for:
‒Client to disassociate +
‒Probe for and select a new AP +
‒802.11 Association +
‒802.1X/EAP Authentication +
‒Rekeying +
‒IP address (re) acquisition
All this can be on the order of seconds… Can we make this faster?
17
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Roaming Requirements
Roaming must be fast … Latency can be introduced by:
‒ Client channel scanning and AP selection algorithms
‒ Re-authentication of client device and re-keying
‒ Refreshing of IP address
Roaming must maintain security
‒ Open auth, static WEP—session continues on new AP
‒ WPA/WPAv2 Personal—New session key for encryption derived via standard
handshakes
‒ 802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re-authenticated and
new session key derived for encryption
18
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
How Are We Going to Make Roaming Faster?
Eliminating the (re)IP address acquisition challenge
Eliminating full 802.1X/EAP reauthentication
Focus on Where We Can Have the Biggest Impact
19
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Intra-Controller Roaming:Layer 2
WLC-1 WLC-2
WLC-1 Client Database
WLC-2 Client Database
Mobility Message Exchange
Preroaming Data Path
Client Data (MAC, IP, QoS, Security)
VLAN X
Intra-Controller roam happens when an AP moves association between APs joined to the same controller
Client must be re-authenticated and new security session established
20
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Intra-Controller Roaming:Layer 2 (Cont.)
WLC-1 WLC-2
WLC-1 Client Database
WLC-2 Client Database
Mobility Message Exchange
Roaming Data Path
Client Data (MAC, IP, QoS, Security)
VLAN X
Client Roams to a Different AP
Client database entry with new AP and appropriate security context
No IP address refresh needed
21
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Intra-Controller Roaming:Layer 3
WLC-1 WLC-2
WLC-1 Client Database WLC-2 Client Database
Mobility Message Exchange
Preroaming Data Path
VLAN XClient Data (MAC, IP, QoS, Security)
Client Data (MAC, IP, QoS, Security)
VLAN Z
22
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Client Roaming Between Subnets:Layer 3 (Cont.)
WLC-1 WLC-2
WLC-1 Client Database
WLC-2 Client Database
Preroaming Data Path
VLAN X
Client Data (MAC, IP, QoS, Security)
Client Data (MAC, IP, QoS, Security)
VLAN Z
Mobility Message Exchange
Foreign Controller
Anchor Controller
Data Tunnel
Client Roams to a Different AP
23
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Roaming: Inter-Controller
L3 inter-controller roam: STA moves association between APs joined to the different
controllers but client traffic bridged onto different subnets
Client must be re-authenticated and new security session established
Client database entry copied to new controller – entry exists in both WLC client DBs
Original controller tagged as the ―anchor‖, new controller tagged as the ―foreign‖
WLCs must be in same mobility group or domain
No IP address refresh needed
Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0
release
Account for mobility message exchange in network design
Layer 3
24
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
How Are We Going to Make Roaming Faster?
Eliminating the (re)IP address acquisition challenge
Eliminating full 802.1X/EAP reauthentication
Focus on Where We Can Have the Biggest Impact
25
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Fast Secure RoamingStandard Wi-Fi Secure Roaming
802.1X authentication in wireless today requires
three ―end-to-end‖ transactions with an overall
transaction time of > 500 ms
802.1X authentication in wireless today requires a
roaming client to reauthenticate, incurring an
additional 500+ ms to the roam
Note: Mechanism Is Needed to Centralize Key Distribution
Cisco AAA Server (ACS or ISE)
WAN
AP1AP2
1. 802.1X Initial Authentication Transaction2. 802.1X
Reauthenti-cation After Roaming
26
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Cisco Centralized Key Management (CCKM)
Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially
with application specific devices (ASDs)
CCKM ported to CUWN architecture in 3.2 release
In highly controlled test environments, CCKM roam times consistently measure
in the 5-8 msec range!
CCKM is most widely implemented in ASDs, especially VoWLAN devices
To work across WLCs, WLCs must be in the same mobility group
CCX-based laptops may not fully support CCKM – depends on supplicant
capabilities
CCKM is standardized in 802.11R, but no clients available yet
27
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
What is 802.11r ?
An IEEE standard which defines a new concept of roaming
Handshake with the new AP is done even before the client roams
More secure due to 3 levels of key hierarchy
Standard defines 2 methods of roaming – Over-the-air and Over-the-DS
The Association-Response Frame is expanded therefore older client drivers
may not understand the 11r response frame. Therefore in some customer
sites to have 11r roaming may require an additional SSID.
New in 7.2MR128
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Fast Transition 802.11r Roaming Comparison
Pairwise Master Key ID(PMKID) Roam
is 10 Packets Long.
802.11r Action Packet Exchange Occurs
Before the Roam. Therefore the Roam is 2
Packets Long.
The Action Frames are new to 802.11r and the Association Frames are modified.
29
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Pre-Authenticated Secure Roam by WLAN
802.11r Over the Air roaming 802.11r Over the DS roaming
AP1
Client
Roaming direction
Associated with
old AP
AP2, 3, 4
802.11 FT auth req
802.11 FT auth resp
Reassociation Req
Reassociation Resp
AP1
Client
Roaming direction
Associated with
old AP
AP2, 3.,
4
Action frame FT req
Action frame FT resp
Reassociation Req
Reassociation Resp
Preauth information
• Two modes of roaming in 11r
30
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
802.11r
To enable 11r, check Fast
Transition in Layer2 security
Add ‗Over the DS‘ if you
choose to reduce the over the
air transactions
Adding a WPA2 will provide
the option of support for 11r
Select the key management
type -> FT 802.1X or FT PSK
31
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Designing a Mobility Group/Domain
Less roaming is better – clients and apps are happier
While clients are authenticating/roaming, WLC CPU is doing the
processing – not as much of a big deal for 5508 which has dedicated
management/control processor
L3 roaming & fast roaming clients consume client DB slots on multiple
controllers – consider ―worst case‖ scenarios in designing roaming
domain size
Leverage natural roaming domain boundaries
Mobility Message transport selection: multicast vs. unicast
Make sure the right ports and protocols are allowed
Design Considerations
32
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
3K AP Setup in WNBU
33
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
34
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Device Support
AP3600
800 Series ISR
Other Highlights
IPv6 Mobility
802.11u/MSAP
11n throughput enhancements
Flex: ACL, AAA override,P2P
CleanAir classifiers
TrustSec SXP
Others
WiPS Rogue & Wi-Fi Direct AP Groups and Profiles
CleanAir Enhancements for serviceability, PDA Enhancements,
Unclassified Interferers in AQ
OEAP600 enhancements with WLC manual power,
Channel, Disable etherport
Flex: Fast roaming for voice clients
Flexconnect: Efficient AP upgrade
Stadium Vision Mobile with larger DTIM queue and
dynamic multicast data-rates per AP
NEC-CAC for KTS SIP clients
TPCv2/RRM enhancements
Videostream QoS alloy
Support for ISE 1.1 CCX Lite
WiSM2/7500
WiSM2 Scale 1000 APs
WiSM2 20 Gbps
7500 Scale 3000 APs
7500 DTLS/OEAP support
7500 High throughput
7500 Context-aware
CUWN 7.2 Release - Key Controller Features
35
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
CUWN 7.2 MR1 Release
802.11r Support
External Webauth for FlexConnect Mode AP
Outdoor RAPs to operate in Local mode & FlexConnect mode
36
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
6500 as Borderless Services Node (BSN)
Cisco WiSM-2 and Sup 2T
Agg 6k
Access2k/3k/4k
BSN providessingle point of management
Provides Service Virtualization, Wired / Wireless Integration and Secure Access
Security
Wireless
Security
Wireless
Catalyst 6500
10GbE Core
ASA-SMNAM3WiSM2
Specifications at a Glance
Access Points 100–1000
Clients 15,000 and 5000 tags
I/O 20G
APs in Mobility
Domain
72,000
APs in Mob Group 24,000
Chassis Level Scale7,000 APs and
105,000 Clients
Concurrent AP Joins 1000
Physical Controller 1
Power 225 W
• Sup 720 and Sup 2T support
Sup 720 Software Version 12.2(33)SXJ2
Sup 2T Software Version 15.0(1)SY1
37
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller Portfolio
5500 WiSM-2
Number of Access Points 12, 25, 50, 100, 250, 500 500, 1000(7.2)
Throughput Up to 8 Gbps Up to 10 Gbps / 20 Gbps (7.2)
Clients Up to 7000 Up to 10,000
Concurrent AP Upgrades/Joins Up to 500 Up to 500
Network I/OUp to 8
1 Gbps SFPsCisco Catalyst 6000 Series Backplane
Mobility Domain Size Up to 36,000 APs Up to 36,000 Aps, 72,000 AP(7.2)
Number of Controllers per Physical Device 1 1
Power Consumption 125W 225W
AP Count Upgrade via Licensing Yes Yes
Encrypted Data Link
Between AP and ControllerYes Yes
OfficeExtend Solution Yes Yes
38
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Cost Effective Entry Level Controllers2500 Wireless Controller and SRE modules in ISR G2
Access Points 5-50
Clients 500
Throughput 500 Mbps
Deployment Model Local and FlexConnect
Form Factor Desktop
IO Interface 4x 1GE
Upgrade Licenses 5, 25
Access Points ISM: 5-10
SM: 5-50
Clients 500
Throughput 500 Mbps
Deployment Model Local and FlexConnect
Form Factor SRE (ISM/SM)
Upgrade Licenses 5, 25
Device Supported On 1941, 2900 and 3900 Series
ISR G2
39
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP 3600
802.11n WiFi
With CleanAirtechnology
Business-Ready Mission CriticalBest in Class
Mission Critical
AP 3500AP 1260AP 1140AP 1040
OfficeExtend AP 600
Teleworker
Access Points Portfolio
40
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP 3600 - 3 Spatial Stream 3x3 MIMO Access
Points
4x4 MIMO ANTENNA DESIGN, 3 SPATIAL STREAMS
Redundant antenna design for more speed and reliability
CLIENTLINK 2.0 for 802.11n
Improves performance to all mobile devices: including 802.11a/g and 802.11n
– 1SS, 2SS & 3SS
Enhanced CLEANAIR TECHNOLOGY
New, more powerful full-spectrum analysis while serving data traffic
Cisco Aironet 3600 Series Access Points
41
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
3600 Series 3500 Series 1260 Series 1140 Series 1040 Series 600 Series 1550 Series
Data Rate 450 Mbps 300 Mbps 300 Mbps 300 Mbps 300 Mbps 300 Mbps 300 Mbps
Radio Design 4X4:3 2X3:2 2x3:2 2x3:2 2X2:2 2X2:2 2x3:2
CleanAir
ClientLink ClientLink 2.0 on 2.4
BandSelect
VideoStream
Rogue AP Detection
Adaptive wIPS
OfficeExtend
FlexConnect
Wireless Mesh
Data Uplink (Mbps) 10/100/1000 10/100/1000 10/100/1000 10/100/1000 10/100/1000 10/100 10/100/1000
Power 802.3af
Supports 802.3at
802.3af 802.3af 802.3af 802.3af 100 to 240 VAC, 50-
60 Hz
By Model Number:
See AP AAG
Temperature Range in Celsius (i) -0 to 40° C
(e) -20 to 55°C
(i) -0 to 40° C
(e) -20 to 55°C
-20 to 55°C -0 to 40°C -0 to 40°C 0 to 40°C -40 to 131°C
Cisco Aironet 802.11n Access Points Indoor and Outdoor - Feature Comparison Matrix
42
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
43
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Deploying the Cisco Unified Wireless
Architecture Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design
44
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Deploying the Cisco Unified Wireless
Architecture Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design
45
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller RedundancyDynamic
WLC1
WLC2
AP1 AP2 AP3
AP4 AP5 AP6
AP7 AP8 AP9
Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
Results in dynamic ―salt-and-pepper‖ design
Design works better when controllers are ―clustered‖ in a centralized design
Pros‒ Easy to deploy and configure—less upfront
work
‒ APs dynamically load-balance (though never perfectly)
Cons‒ More intercontroller roaming
‒ Bigger operational challenges due to unpredictability
‒ Longer failover times
‒ No ―fallback‖ option in the event of controller failure
Cisco‘s general recommendation is: Only for Layer 2 roaming
Use deterministic redundancy instead of dynamic redundancy
46
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller RedundancyDeterministic
Administrator statically assigns APs
a primary, secondary, and/or tertiary
controller
‒Assigned from controller interface (per AP)
or WCS (template-based)
Pros
‒Predictability—easier operational
management
‒More network stability
‒More flexible and powerful redundancy
design options
‒Faster failover times
‒―Fallback‖ option in the case of failover
Con
‒More upfront planning and configuration
This is Cisco‘s recommended best
practice
WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C
Primary: WLAN-Controller-ASecondary: WLAN-Controller-BTertiary: WLAN-Controller-C
Primary: WLAN-Controller-BSecondary: WLAN-Controller-CTertiary: WLAN-Controller-A
Primary: WLAN-Controller-CSecondary: WLAN-Controller-ATertiary: WLAN-Controller-B
47
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller RedundancyMost Common (N+1)
Redundant WLC in a
geographically separate location
Layer-3 connectivity between the
AP connected to primary WLC
and the redundant WLC
Redundant WLC need not be
part of the same mobility group
Configure high availability (HA) to
detect failure and faster failover
Use AP priority in case of over
subscription of redundant WLC
APs Configured With:Primary: WLAN-Controller-1Secondary: WLAN-Controller-BKP
APs Configured With:Primary: WLAN-Controller-2Secondary: WLAN-Controller-BKP
APs Configured With:Primary: WLAN-Controller-nSecondary: WLAN-Controller-BKP
WLAN-Controller-1
WLAN-Controller-2
WLAN-Controller-n
WLAN-Controller-BKP
NOC or Data Center
48
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller RedundancyArchitecture Resiliency
Resiliency N:1 Redundancy
N:N Redundancy N:N:1 Redundancy
WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C
Primary: WLAN-Controller-ASecondary: WLAN-Controller-BTertiary: WLAN-Controller-C
Primary: WLAN-Controller-BSecondary: WLAN-Controller-CTertiary: WLAN-Controller-A
Primary: WLAN-Controller-CSecondary: WLAN-Controller-ATertiary: WLAN-Controller-B
WLAN-Controller-1
WLAN-Controller-2
WLAN-Controller-n
APs Configured With:Primary: WLAN-Controller-1Secondary: WLAN-Controller-BKP
APs Configured With:Primary: WLAN-Controller-2Secondary: WLAN-Controller-BKP
APs Configured With:Primary: WLAN-Controller-nSecondary: WLAN-Controller-BKP
WLAN-Controller-BKPNOC or Data Center
WLAN-Controller-A
WLAN-Controller-B
APs Configured With:Primary: WLAN-Controller-ASecondary: WLAN-Controller-BTertiary: WLAN-Controller-BKP
APs Configured With:Primary: WLAN-Controller-BSecondary: WLAN-Controller-ATertiary: WLAN-Controller-BKP
WLAN-Controller-BKPNOC or Data Center
WLAN-Controller-A
WLAN-Controller-B
APs Configured With:Primary: WLAN-Controller-ASecondary: WLAN-Controller-B
APs Configured With:Primary: WLAN-Controller-BSecondary: WLAN-Controller-A
49
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
SiSi SiSi
High Availability Using Cisco 5508Hardware Failure of WLC5508
APs are connected to
primary WLC 5508
In case of hardware failure
of WLC 5508
AP‘s fall back to secondary
WLC 5508
Traffic flows through the
secondary WLC 5508 and
primary core switch
SiSi SiSi
Primary
WLC5508
Secondary
WLC5508
50
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
High Availability Using WiSM-2Uplink Failure on Primary Switch
In case of uplink failure of the
primary switch
Standby switch becomes the
active HSRP switch
APs are still connected to
primary WiSM
Traffic flows through the new
HSRP active switch
SiSi SiSi
Primary
WiSM-2
Active
HSRP Switch
Standby
HSRP Switch
New Active
HSRP Switch
51
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
High Availability Using WiSM-2Hardware Failure of WiSM-2
APs are connected to primary WiSM-2
In case of hardware failure of primary
WiSM-2
AP‘s fall back to secondary WiSM-2
Traffic flows through the secondary
WiSM-2 and primary core switch
SiSi SiSi
Primary
WiSM-2
Secondary
WiSM-2
52
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Redundancy Using VSS and Cisco 5508
Cisco 5508 WLC can be attached to a Cisco
Catalyst VSS switch pair
4 ports of Cisco 5508 are connected to active
VSS switch
2nd set of 4 ports of Cisco 5508 is connected to
standby VSS switch
In case of failure of primary switch traffic
continues to flow through secondary switch in the
VSS pair
Catalyst VSS Pair
Cisco 5508
53
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Core Options – 6500 VSS w/L2 Access, Nexus w/L3 Access
Data Center
Core/ Distribution
Access
SiSi SiSi
Wireless Services
SiSiSiSi
Authentication
Wireless Services
SiSiSiSi
Catalyst 6500 VSS
Nexus 7000
• Layer 2 to Access Layer
• Single Configuration
• Multi-Chassis Etherchannel load-balancing
• Layer 3 to Access Layer
• Higher 10 Gigabit Capacity
• More extensive virtualization capabilities
• Equal Cost Multipath Load-balancing
Dual physical links appear logically as a single link
Authentication
ISP1 ISP2 ISP1 ISP2
55
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller Redundancy – High Availability
High Availability Principles :
AP is registered with a WLC and maintain a backup list of WLC.
AP use heartbeats to validate WLC connectivity
AP use Primary Discovery message to validate backup WLC list
When AP loose 3 heartbeats it start join process to first backup WLC candidate
Candidate Backup WLC is the first alive WLC in this order : primary, secondary, tertiary, global primary, global secondary.
AP does not re-initiate discovery process.
Primary WLC
Secondary WLC
New Timers 7.2
Heartbeat Timeout 1-30 secs
Fast Heartbeat Timer 1-10 secs
AP Retransmit Interval 2-5 secs
AP Retransmit with FH Enabled 3-8 Times
AP Fallback to next WLC 12 secs
56
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP Failover Priority
In case of WLC failure, backup
WLC suddenly receives
multiple Discover and Join
response from Aps
In a failover situation when the
backup controller is saturated,
the higher priority access
points are allowed to join the
backup controller by disjoining
the lower priority access
points.
Enable AP Failover Priority Globally
Wireless > Access Points > Global Configuration > AP Failover Priority
Assign Priority on per AP basis
WLC > All APs > Details for AP > High Availability
57
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP Pre-Image Download
Since most CAPWAP APs can download
and keep more than one image of 4–5 MB
each
AP pre-image download allows
AP to download code while it is operational
Pre-Image download operation
1. Upgrade the image on the controller
2. Don‘t reboot the controller
3. Issue AP pre-image download command
4. Once all AP images are downloaded
5. Reboot the controller
6. AP now rejoins the controller
without rebootHow Much Time You Save?
Access Points
Cisco WLAN Controller
CA
PW
AP
-L3
AP
Pre
-im
age
Do
wn
load
AP
Jo
ins
Wit
ho
ut
Do
wn
load
58
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Access PointAccess Point
Access Switches
Distribution Switches
(standalone –
using routing,
HSRP, STP)Auxiliary Switches
Wireless ControllerWireless Controller
Mobility
Service
Engine
SNMP SNMP
NMSPNMSP
SiSiSiSi
SiSiSiSiSiSiSiSiSiSiSiSi
Network
Control
System
Network
Control
System
Mobility
Service
Engine
SiSiSiSiSiSi
SOAP/XML/SNMP SOAP/XML/SNMP
SiSiSiSiSiSi
Data Centre
VLAN 20,21,22VLAN 10,11,12
• Extremely Resilient
• Rapid reconvergence
on Link Loss due to
extensive use of
EtherChannel
• Option in Aux switch for
use of dual Supervisors
for improved availability
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Access PointAccess Point
Access Switches
Distribution Switches
(VSS pair)
Auxiliary Switches
Wireless ControllerWireless Controller
Mobility
Service
Engine
SNMP SNMP
NMSPNMSP
Network
Control
System
Network
Control
System
Mobility
Service
Engine
SiSiSiSiSiSi
SOAP/XML/SNMP SOAP/XML/SNMP
SiSiSiSiSiSi
Data Centre
VLAN 20,21,22VLAN 10,11,12
• Option for use of VSS
for even greater
resiliency, as well
as a simplified design
• Rapid reconvergence
on Link Loss due to
extensive use of
EtherChannel
• Option to eliminate
Aux switches in this
design, as controllers
are dual-homed to
VSS switch pair
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Internet Edge
Access PointAccess Point
Access Switches
Distribution Switches
(standalone –
using routing,
HSRP, STP)Auxiliary Switches
SiSiSiSi
SiSiSiSiSiSiSiSiSiSiSiSi
SiSiSiSiSiSi SiSiSiSiSiSi
VLAN 20,21,22VLAN 10,11,12
Wireless ControllerWireless Controller
EoIP TunnelsEoIP Tunnels
Anchor
Wireless
Controller
Guest
DHCP/DNS
Server
Guest
DHCP/DNS
Server
Guest WLANs are configured with Auto
Anchor
Internet
• Option showing use of
Anchor controllers for
use with Guest SSIDs
Anchor
Wireless
Controller
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design
Deploying the Cisco Unified Wireless Architecture
62
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP-Groups - Default AP-Group
The first 16 WLANs created (WLAN IDs 1–16) on the WLC are
included in the default AP-Group
Default AP-Group cannot be modified
APs with no assignment to an specific AP-Group will use the Default
AP-Group
The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to
any AP-Groups
Any given WLAN can be mapped to different dynamic interfaces in
different AP-Groups
WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50)
WLC 4400 and WiSM (AP groups: 300),
WLC 5508 & WiSM-2 (AP groups: 500),
WLC 7500 (AP Groups : 500)
63
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP-Grouping in Campus
Data CenterWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
WLC-2WLC-1
VLAN 100 / 21
CAPWAP
Single SSID = Employee
VLAN 100 VLAN 100 VLAN 100
64
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP-Grouping in Campus
Data CenterWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
AP-Group-2 AP-Group-3AP-Group-1
WLC-2WLC-1
VLAN 80 /23VLAN 70 /23VLAN 60 /23
VLAN 100/21
CAPWAP
VLAN 60VLAN 70 VLAN 80
Single SSID = Employee
65
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Network Name
Default AP Group
Only WLANs 1–16 Will Be Added in Default AP Group
Default AP-Group
66
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
AP Group 1
AP Group 2
AP Group 3
Multiple AP-Groups
67
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Interface-Groups (aka VLAN Select)
Interface-groups allows for a WLAN to be mapped to a single interface or multiple interfaces
Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round
robin fashion
Extends current AP group and AAA override, with multiple interfaces using interface groups
Controllers Interface-Groups/Interfaces
WiSM-2, 5508, 7500, 2500 64/64
WiSM, 4400 32/32
2100 and 2504 4/4
68
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Interface-Grouping in Campus
Data CenterWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
Int-Group-2 Int-Group-3Int-Group-1
WLC-2WLC-1
VLAN 80 /23VLAN 81 /23
VLAN 70 /23VLAN 71 /23
VLAN 60 /23VLAN 61 / 23
VLAN 100/21
LWAPP/CAPWAP
VLAN 60VLAN 61VLAN 70VLAN 71 VLAN 80VLAN 81
Single SSID = Employee
69
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Interface Group 1
Interface Group 2
Interface Group 3
Multiple Interface-Groups
70
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
RF-Profiles7.2
RF Profiles allow the administrator to tune groups of AP‘s sharing a
common coverage zone together.
Selectively changing how RRM will operate the AP‘s within that coverage zone
• RF Profiles are created for either the 2.4 GHz radio or 5GHz radio
Profiles are applied to groups of AP‘s belonging to an AP Group, in which all AP‘s in the
group will have the same Profile Settings
• There are two components to this feature:
RF Profile – New in 7.2 providing administrative control over:
o Min/Max TPC values
o TPCv1 Threshold
o TPCv2 Threshold
o Data Rates
71
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
RF Profiles
Create an RF profile for a or
b/g radio
Select if required the
minimum and/or Maximum
TPC settings
Select a custom TPC power
threshold for either Version 1
or Version 2 of TPC
Select the data rates to be
applied to the AP‘s
72
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
RF-Profile in Campus 7.2
Data CenterWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
RF-Profile-2 RF-Profile-3RF-Profile-1
WLC-2WLC-1
VLAN 80 /23VLAN 81 /23
VLAN 70 /23VLAN 71 /23
VLAN 60 /23VLAN 61 / 23
LWAPP/CAPWAP
VLAN 60VLAN 61VLAN 70VLAN 71 VLAN 80VLAN 81
Single SSID = Employee
73
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
RF Profile -1
RF Profile -2
RF Profile -3
Multiple RF-Profiles
74
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Design Recommendations
Use 5508 with N+1 redundancy (recommended) or WISM2 with N+N redundancy
Use Link Aggregation across multiple chassis or line cards for N+1 redundancy when using 5508 WLAN controllers
Use large subnets (e.g., /21) to minimize L3 roaming or VLAN Select (aka Interface Groups)
Group APs on controllers to minimize inter-controller roaming (i.e. create natural roaming boundaries)
Use separate controllers or AP groups for low-volume legacy devices (e.g., 802.11b ticket scanners)
Software version 7.2.103.0 or higher
NCS 1.1 for Network Management75
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design
Deploying the Cisco Unified Wireless Architecture
77
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
IPv6 - Phased Implementation
IPv4-only
IPv4 and IPv6 Co-existence
(Servers and Clients will Be Dual-Stack)
IPv6-only
But Dual Stack Clients Are Here Now…
78
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Wireless IPv6 Support - Pre-v7.2
In releases prior to 7.2, enabling IPv6 bridging provided a limited solution with no Layer 3 mobility and non-optimized delivery of essential ICMPv6 messages to clients.
CAPWAP Tunnel
IPv6 ICMPv6 multicast messages sent
to all clients (including L3 roamed
clients) at low data rates.
All IPv6 packets are bridged on
the VLAN transmitting
unnecessary ICMPv6 messages
in both directions.
79
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Wireless IPv6 Support - Post-v7.2
In releases 7.2, the controller now processes ICMPv6 messages allowing for optimized delivery, Layer 3 mobility and first hop security.
CAPWAP Tunnel
IPv6 ICMPv6 multicast messages
are unicast to each client at high
data rates.
IPv6 ICMPv6 messages are
interpreted by the controller and
forwarded only as needed.
80
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Wireless IPv6 Client Support
Supports IPv4, Dual Stack and Native IPv6 clients on single WLAN simultaneously
Supports the following IPv6 address assignment for wireless clients:‒ IPv6 Stateless Autoconfiguration [SLAAC]
‒ Stateless, Stateful DHCPv6
‒ Static IPv6 configuration
Supports up to 8 IPv6 addresses per client
Clients will be able to pass traffic once IPv4 or IPv6 address assignment is completed after successful authentication
CAPWAPIPv4
IPv6
EthernetVLAN
Ethernet
IPv
6
CAPWAP Tunnel
IP
v4802.11
IPv4
IPv4IPv6802.11
IPv6802.11
81
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
IPv6 Client Connectivity on Multiple WLANs
Access Points keep track of individual clients and unicast the Router Advertisement to the clients depending on the WLAN they belong to.
Access Point support up to 16 WLANs/SSIDs for dual stack clients.
To maintain proper routing capability, mobile clients need to have proper global unique unicast prefix from router within their own network.
VLAN = 100
VLAN = 200
RAVLAN = 100
RAVLAN = 200
Router 1
Router 2
CAPWAP Tunnel
VLAN Pool VLAN 100 VLAN 200
82
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Cisco Supports Many IPv6 Addresses Per Client
Support for many IPv6 addresses per client is necessary because:
‒ Clients can have multiple address types per interface
‒ Clients can be assigned addresses via multiple methods such as SLAAC and DHCPv6
‒ Most clients automatically generate a temporary address in addition to assigned addresses.
Up to 8 IPv6 Addresses
are Tracked per Client.
83
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Use Case #1: Mobility
Challenge
Solution
Benefits
Dropped connections when roaming to a different network
Intelligent IPv6 packets processing
RA follows roaming clients through mobility tunnel
Reliable connectivity while roaming
Differentiator Seamless layer-3 mobility for IPv6 clients
7.2
84
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
How Does Cisco Solve IPv6 Mobility?
To address this issue, the roaming client must be able to receive the original router advertisement.
The anchor controller sends the RA to the foreign in the mobility tunnel.
When the Access Point receives the RA, it will convert the multicast RA to unicast (MC2UC) and send RA to each client individually.
Router 1
Router 2
CAPWAPTunnel
AnchorWLC
ForeignWLC
MobilityTunnel
RouterAdvertisement
Router Advertisement
RoamingClient
CAPWAPTunnel
85
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
New IPv6 Addresses Learning with Mobility
IPv6 address is always learned at the anchor either through DHCPv6 or NDP
DHCPv6 packets from a roamed client at the foreign controller will be tunneled to the anchor controller, which will learn the IPv6 address from the DHCPv6 replies.
Similarly NDP messages for a roamed client are processed at the anchor controller.
Whenever a new IPv6 address is learned at the anchor the new address is sent in a mobility message to the foreign controller.
CAPWAPTunnel
Router 1
Router 2
CAPWAPTunnel
AnchorWLC
ForeignWLC
MobilityTunnel
DHCPv6 / RS
DHCPv6 / RA Reply
RoamingClient
86
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Testing IPv6-Only Client Mobility with Cisco
Clients – Windows 7 (SP1) with only IPv6 Enabled
Before
Roaming
During
Roaming
After
Roaming
Client Keeps IPv6 Address and
Connectivity is Seamless
IPv6 PING
Continues
87
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Use Case #2: Security
Rogue DHCP Server
Rogue Router
Announcement(RA)
Challenge
Solution
Benefits
Vulnerabilities originated from client community
First Hop Security blocks rogue announcements
IPv6 ACLs provides IPv6 traffic control
Increased network availability and reliability
Lower operational cost
Differentiator Proactively block known threats from wireless side
7.2
88
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
IPv6 ACL Support
Up to 128 ACL (64 for IPv4 and 64 for IPv6) supported
Two ACL profiles (one for IPv4 and one for IPv6) are supported per dual stack client
ACL profiles for wireless clients can be configured on Wireless Controller or provided by AAA Server.‒ AAA server can send both IPv4 and IPv6 ACL attributes for dual stack clients after successful
user authentication.
Counters are maintained on ACL matches for operational/maintenance purposes.
CAPWAP Tunnel
89
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
IPv6 ACL Configuration
A separate IPv4 and IPv6 ACL can be applied on a per-WLAN basis.
90
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Use Case #3: Efficiency
Challenge
Solution
Benefits
Chatty IPv6 packets, busy network, high CPU
Intelligent processing of IPv6 packets with proxy and rate limit
Increase radio efficiency, decrease processing load on router
High number of packetsLess number of packets
Differentiator 50% NDP reduction on wireless and 25% on wired side
7.2
91
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
First Hop Optimization for Wireless IPv6 Clients
CAPWAPIPv4
IPv6
Ethernet
IPv6VLAN
Ethernet
IPv6
802.11802.11
CAPWAPTunnel
Neighbor SolicitationNeighbor Solicitation (NS) Suppression Respond to NS with cache binding table entry.Proxy Neighbor Advertisement
Router Advertisement(Periodic)
Rate Limiting/Throttling
NeighborDiscoveryCaching
92
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
First Hop Security / Efficiency Configuration
93
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Use Case #4: Client Management
Challenge
Solution
Benefits
Client visibility is vital for Troubleshooting, Planning & Security
NCS tracks IPv6 client addresses, client IP version distribution and
trending; MSE tracks IPv6 client locations
Prepare admin for IPv6 troubleshooting, address planning
Provide client traceability
Differentiator Management system for wired + wireless, IPv4 + IPv6
7.2
94
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Cisco NCS 1.1 Provides Comprehensive IPv6 Client Visibility and Monitoring
Security –
Identification of
Clients Acting as
IPv6 Routers
Insight – Identification of
IPv4, Dual-Stack or IPv6-
Only Client Types
Visibility – Recognition of
IPv6 Global and Link
Local Addresses
95
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Cisco NCS 1.1 Provides a Rich IPv6 Session History
Since IPv6 clients can change addresses so often (sometimes 1 per day with temporary addresses), they need to be tracked over time.
This is needed for tracking down attacks or copyright infringement violations that need to be audited all the way back to the user.
NCS Logs both
current and
past IPv6
Addresses
96
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Deploying the Cisco Unified Wireless Architecture
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
‒ Understanding FlexConnect AP Deployment
‒ Understanding Branch Controller Deployment
Guest Access Deployment
Home Office Design
97
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Branch Office DeploymentFlexConnect
Hybrid architecture
Single management and
control point
‒Centralized traffic
(split MAC)
‒Or
‒Local traffic (local MAC)
HA will preserve local traffic
only
WAN
Central Site
Remote Office
CentralizedTraffic
CentralizedTraffic
LocalTraffic
98
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
FlexConnect Design Considerations
WAN limitations apply
For YourReference
99
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
FlexConnect Design Considerations
Some features are not available in standalone mode or in local switching mode
‒MAC/Web Auth in standalone mode
‒Central Web Authentication in local switching mode
‒Mesh AP
‒WGB & Universal WGB
‒VideoStream
‒IPv6 L3 Mobility
‒SXP TrustSec
‒AAA ACL & QoS override
‒See full list in « H-REAP Feature Matrix »http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Features limitations apply
100
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Key Differentiation WAN Tolerance
• High Latency Networks
• WAN Survivability
Security
802.1x based port authentication
Voice support
• Voice CAC
• OKC/CCKM
Economies of Scale for Lean Branches
Flex 7500 Wireless Controller
Access Points 300 - 3,000
Clients 30,000
Branches 1000
Access Points / Branch 50
Deployment Model FlexConnect
Form Factor 1 RU
IO Interface 2x 10GE
Upgrade Licenses 100, 200, 500, 1K
New
101
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Understanding FlexConnect Groups
FlexConnect groups allow sharing of:
‒CCKM fast roaming keys
‒Local user authentication
‒Local EAP authentication
‒Efficient Image Download
Scaling information
WAN
Central Site
Remote Site
FlexConnect Group 1
FlexConnect Group 2
Remote Site
ScalingFlex
7500CT-5508 WiSM2 CT-2504
FlexConnect
Groups1000 100 100 20
AP per Flex
Group50 25 25 25
102
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
FlexConnect Improvements in 7.2
Smart AP Image Upgrade
ACL‘s on FlexConnect AP
AAA Over-ride of VLAN - dynamic VLAN assignment for locally
switched clients
FlexConnect Re-branding
Fast Roaming for Voice Clients
Peer to Peer Blocking
103
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
WAN
FlexConnect Smart AP Image Upgrade Description
Smart AP Image Upgrade use a
« master » AP in each FlexConnect
Group to download the code.
Other FlexConnect AP download the
code from the master locally
1.Download WLC upgraded firmware (will become
primary)
2.Force the « boot image »
to be the secondary (and not the newly upgraded
one) to avoid parallel download of all AP in case of
unexpected WLC reboot
3.WLC elect a master AP in each FlexConnect
Group (can be also set manually)
Remote Site-1 Remote Site-N
Wireless Control System
Wireless LAN Controller
Primary Secondary
Firmware Image
New
OldNewNewOld
Central Site
Master APNew in 7.2104
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
FlexConnect Smart AP Image Upgrade Configuration
―FlexConnect AP Upgrade‖ checkbox has to be enabled for each FlexConnect Group.By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm.One Master select per AP type.
Enable Efficient AP Image
Upgrade
Master AP Selection is
Optional
Random Backoff Interval
(100-300sec) between
each retry
Valid Range is 1-63
New in 7.2106
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Local Switching Access Lists
Support for ACL in FlexConnect local
switching mode
ACL mapped to local VLAN per AP or
FlexConnect Group
512 FlexConnect ACL per WLC
16 ingress ACL & 16 egress ACL per
AP
64 ACL rules per ACL
No IPv6 ACL
Description
New in 7.2
Remote Site
WAN
Central Site
ApplicationServer
107
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Local Switching Access Lists
ACL rule creation and application for FlexConnect is identical
to WLC rule creation for Local Mode
Configuration
New in 7.2
Step 2
Step 1
Click to add ACL rules Step 3
Provision to assign separate Inbound & Outbound ACLs
108
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Local Switching Peer-to-Peer Blocking
Support for Peer-to-Peer
blocking in FlexConnect AP
Apply for clients on same
FlexConnect AP
P2P blocking modes : disable
or drop
For P2P blocking inter-AP
use ACL or Private VLAN
fonction
Description
New in 7.2
Remote Site
WAN
Central Site
ApplicationServer
109
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Local Switching Peer-to-Peer Blocking
Configuration
New in 7.2
Multiple Policy Touch Points
Both modes of operation will drop the
packet @ AP for Local Switching enabled
WLAN
* Central Switching WLAN will support ―Forward - UpStream‖ and will send the packet to the next upstream node connected to WLC
110
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
FlexConnect AAA VLAN Override
AAA VLAN Override with local or
central authentication
Up to 16 VLANs per FlexConnect
AP
VLAN ID must be enabled per AP
or FlexConnect Group
If VLAN ID does not exist, default
VLAN is used
QoS and ACL Override is
not supported.
Description
New in 7.2
Remote Site
WAN
Central Site
FlexConnect Group 1
Central RADIUS
ApplicationServer
VLAN 3
VLAN 7
VLAN 3
VLAN 7
111
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
FlexConnect AAA VLAN Override
Configuration
New in 7.2
WAN
ISE
Create Sub-Interface on FlexConnect AP
IETF 81IETF 64IETF 65
112
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
CorporateWAN
Flex APCentralized WLC
Local network
Local network
Local DHCP/DNS server
1. Flex pre-auth ACL is configured at the WLAN (for web auth only), Flex-Group or AP level
3. Client associates to locally switched WLAN4. DHCP traffic is allowed and switched locally to the orange VLAN, client gets IP from local
network5. Client browses to www.cisco.com, DNS requests is allowed and switched locally
1.2.
3. and 4.
5
2. ACL is pushed to AP automatically. Traffic that is allowed by the ACL is locally switched, other traffic is sent to the WLC (DNS and DHCP are allowed by default)
FlexConnect External WebAuth
113
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
CorporateWAN
Centralized WLC
Local network
Local network
Local DHCP/DNS server
1. Flex pre-auth ACL is configured at the WLAN (for web auth only), Flex-Group or AP level
2. ACL is pushed to AP automatically. Traffic that is allowed by the ACL is locally switched, other traffic is sent to the WLC (DNS and DHCP are allowed by default)
3. Client associates to locally switched WLAN4. DHCP traffic is allowed and switched locally to the orange VLAN, client gets IP from local
network5. Client browses to www.cisco.com, DNS requests is allowed and switched locally6. HTTP traffic to www.cisco.com is not allowed by ACL so it goes to WLC in CAPWAP tunnel7. WLC redirect traffic to external web page8. Clients open HTTP session to external server, the traffic is allowed by ACL and hence is
locally switched
CAPWAP tunnel (data)
6. and 7.8.
http://redirect
FlexConnect External WebAuth
114
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Branch
WAN
URL/ACL
URL/ACL
Radius Auth
COA/VLAN 109
COA/VLAN 109
Radius AuthWebauth
COA/VLAN Assignment
VLAN 110
Policy – Laptop – VLAN 109Policy – iPad - VLAN 110
FlexConnect and ISE
During initial 802.1x from ISE, client is provided with URL/ACL for ISE
Clients does webauth with ISE
Once device is profiled, ISE uses COA to assign device specific VLAN
115
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
FlexConnect and AP1500 (Outdoor)
Indoor AP Parity with Outdoor RAP (1520 & 1550) only
• Local Mode
• FlexConnect Mode
• No MAP functionality in this release
Flex Mode will have support for Central and Local Switching
Controller
L3/L2 switch MAP(Mesh AP)
RAP(Root AP) Backhaul 5GHz
Local or FlexConnect
116
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
‒ Understanding FlexConnect AP Deployment
‒ Understanding Branch Controller Deployment
Guest Access Deployment
Home Office Design
Deploying the Cisco Unified Wireless Architecture
117
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Small Office
Branch Office WLAN Controller Options
Appliance controllers
‒Cisco 2504-12
‒Cisco 5508-12, 5508-25
Integrated controller
‒WLAN controller module (WLCM-2) for ISR G2
Headquarters
Branch Office
Internet VPN
MPLS
ATM
Frame Relay
Number of Users: 100–500Number of APs: 5–25
Number of Users: 20–100Number of APs: 1–5
WCS
118
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Small Office
Headquarters
Branch Office
Branch Office WLAN Controller Options
Cisco Unified Wireless Network with controller-based
Multiple Integrated WAN options on ISR
Consistent branch-HQ services, features, and
performance
Standardized branch configuration extends the
unified wired and wireless network
Branch configuration management from central WCS
WCS Cisco 2504 ***
WLCM-2 ****AP Count Vary Depending on Channel Utilization and Data Rates
Internet VPN
MPLS
ATM
Frame Relay
119
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
When to Choose WLC 2504?
WLC2504 should be used in the branch for the following reasons compared to HREAP solution:
• If you need cookie cutter configuration for every branch site
• If you need Layer-3 roaming in the branch site
• If you need VideoStream technology in the branch site
• If you need to implement VLAN Select in the branch site
• If you need to implement Static IP mobility in the branch site
• If you want WGB support in the branch site
• If you want MESH AP support in the branch site
120
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design
Deploying the Cisco Unified Wireless Architecture
121
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Guest Access Deployment
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
Original guest‘s Ethernet frame maintained across CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the Anchor WLC
2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)
Wireless LANController
Cisco ASA Firewall
Guest
CAPWAP
EoIP “Guest Tunnel”
Internet
Guest
DMZ or Anchor Wireless Controller
WLAN Controller Deployments with EoIP Tunnel
122
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Guest Access Deployment with 7.0.0116
Campus CoreEtherIP“Guest Tunnel”
EtherIP“Guest Tunnel”
Internet
Guest Secure Guest Secure
SiSi SiSiSecure Secure
WirelessVLANs/Interface Gr
Foreign WLCs
Anchor1Anchor2
WirelessVLAN-1/WLANA
WirelessVLAN2/WLANA
WirelessVLAN3/WLANA
WirelessVLAN-4/WLANA
ACS/ISE
DHCP servers in DMZw/VLAN-DHCP scopes
DHCP servers in DMZw/VLAN-DHCP scopes
DHCP servers in Corew/VLAN DHCP scopes
SiSi
123
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Designs
Deploying the Cisco Unified Wireless Architecture
124
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Headquarters
Internet VPN
MPLS
ATM
Frame Relay
Home Office DesignOEAP AP Cisco controller installed in the DMZ of the
corporate network
OfficeExtend AP (OEAP) installed at
teleworker‘s home
Corporate access to employee over centrally
configured SSID
Family Internet access over a locally
configured SSID
WLC 5508/WiSM-2 / WLC7500
WCS
125
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
OEAP 600
802.11n AP with dual concurrent 2.4GHz and 5GHz radios for teleworker home
4 local Ethernet ports
1 Corporate-bound port, 3 for local Ethernet devices
Up to 4 clients behind the corporate port
Corporate SSID and user-configurable Personal SSID
Traffic segmenting supported (corporate vs. personal traffic)
Local DHCP and NAT support
Control and data plane encryption
126
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Summary – Key Takeways
Take advantage of the standards (CAPWAP, DTLS,802.11 i, e, k, r…..)
Wide range of architecture / design choices
Brand new controller (WiSM-2, WLC 7500, WLC 2504) portfolio with investment
protection
Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink,
Security, CCX, FlexConnect, etc)
Cisco‘s investment into technology – NCS, ISE, New hardware, cloud controller,
CiUS
127
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Documentation
Aironet 600 Series OEAP Access Point Configuration Guide
‒ http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml
Wireless Services Module 2 (WiSM2) Deployment Guide
‒ http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
• Flex7500 Deployment guidehttp://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
Wireless, LAN (WLAN) Configuration Examples and TechNotes
‒ http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
H-REAP Deployment Guide
‒ http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
VLAN Select Deployment Guide
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml
128
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Complete Your Online
Session Evaluation Give us your feedback and you
could win fabulous prizes.
Winners announced daily.
Receive 20 Passport points for each
session evaluation you complete.
Complete your session evaluation
online now (open a browser through
our wireless network to access our
portal) or visit one of the Internet
stations throughout the Convention
Center.
Don‘t forget to activate your
Cisco Live Virtual account for access to
all session material, communities, and
on-demand and live activities throughout
the year. Activate your account at the
Cisco booth in the World of Solutions or visit
www.ciscolive.com.
129
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2010 Cisco Public
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions,
booth 1042
Come see demos of many key solutions and products in the main Cisco booth
2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand
session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI
130
© 2012 Cisco and/or its affiliates. All rights reserved.BRKEWN-2012 Cisco Public