Design and Deployment of Enterprise WLANsd2zmdbbm9feqrf.cloudfront.net/2011/anz/pdf/BRKEWN-2010.pdf · BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco

BRKEWN-2010

Design and Deployment of Enterprise WLANs

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 2

Controller-based Architecture Overview

LWAPP & CAPWAP

Mobility in the Cisco Unified WLAN Architecture

Architecture Building Blocks

Deploying the Cisco Unified Wireless Architecture

Where to place a controller ?



LWAPP & CAPWAP






Understanding WLAN Controllers—1st/2nd

Generation vs. 3rd Generation Approach 1st/2nd generation—APs act

as 802.1Q translational bridge, putting client traffic on local VLANs

3rd generation—Controller bridges client traffic centrally

1st/2nd Generation

3rd GenerationData VLAN

Voice VLAN

Management VLAN

LWAPP

/CAPWAP

Tunnel

Data VLAN

Voice VLAN

Management VLAN



LWAPP & CAPWAP

Protocol Overview

LWAPP & CAPWAP AP Discovery and Join Process

LWAPP & CAPWAP Operations






LWAPP

Centralised Wireless LAN ArchitectureWhat is LWAPP? LWAPP - Light Weight Access Point Protocol is used between APs and WLAN

Controller

LWAPP carries control and data traffic between the two

– Control plane is AES-CCM encrypted

– Data plane is not encrypted

It facilitates centralised management and automated configuration

Open, standards-based protocol (Submitted to IETF CAPWAP WG)

Access Point Controller

WiFi Client

Business Application

Control Plane

Data Plane


CAPWAP

Centralised Wireless LAN ArchitectureWhat is CAPWAP? CAPWAP - Control And Provisioning of Wireless Access Points is used between APs

and WLAN Controller and based on LWAPP

CAPWAP carries control and data traffic between the two

– Control plane is DTLS encrypted

– Data plane is DTLS encrypted (Optional)

LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless

CAPWAP is not supported on Layer-2 mode deployment

Access Point Controller

WiFi Client

Business Application

Control Plane

Data Plane


CAPWAP ModesSplit MAC

The CAPWAP protocol supports two modes of operation :

– Split MAC (Centralised mode) and

– Local MAC (H-REAP)

Split MAC

WTP ACSTA

Wireless Phy

MAC Sublayer

CAPWAP

Data Plane

Wireless Frame

802.3 Frame


CAPWAP ModesLocal MAC

Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames

Locally bridged

WTP ACSTA

Wireless Phy

MAC Sublayer

Wireless Frame

802.3 Frame


CAPWAP ModesLocal MAC

Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames

Tunneled as 802.3 frames:

WTP ACSTA

Wireless Phy

MAC Sublayer

Wireless Frame 802.3 Frame

802.3 FrameCAPWAP

Data Plane

Tunneled Local MAC is not supported by Cisco

H-REAP Support Locally bridged MAC & Split MAC per SSID


CAPWAP State Machine

AP Boots UP

Discovery

DTLSSetup

Reset

Image Data

Config

Run

Join


AP Controller Discovery

Controller discovery order:

• Layer 2 join procedure attempted on LWAPP APs

•(CAPWAP does not support Layer 2 APs)

•Broadcast message sent to discover controller on a local subnet

• Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails

•Previously learned or primed controllers

•Subnet broadcast

•DHCP option 43

•DNS lookup


AP Controller Discovery: DHCP Option

DHCP Offer

DHCP Request

1

2

3

DHCP Server

DHCP Offer Contains

Option 43 for ControllerLayer 3 CAPWAP

Discovery Request Broadcast

Layer 3 CAPWAP

Discovery Responses


AP Controller Discovery: DNS Option

DHCP Offer

DHCP Request

DHCP Server

DHCP Offer

Contains

DNS Server or Servers

DNS Server

CISCO-CAPWAP-CONTROLLER.localdomain

192.168.1.2

192.168.1.2

12

3

4


WLAN Controller Selection Algorithm

LWAPP or CAPWAP Discovery Response contains important information from the WLAN Controller:

– Controller name, controller type, controller AP capacity, current AP load, ―Master Controller‖ status and AP Manager IP address or addresses

AP selects a controller to join using the following decision criteria:

1. Attempt to join a WLAN Controller configured as a ―Master‖ controller

2. Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name

3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)

Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing—Deterministic and Dynamic


LWAPP / CAPWAP Control Messages for Join Process

LWAPP or CAPWAP Join Request—AP sends this messages to selected controller (sent to AP Manager Interface IP Address)

LWAPP or CAPWAP Join Response—If controller validates AP request, it sends the LWAPP Join Response indicating that the AP is now registered with that controller

LWAPP or CAPWAP Join Request

LWAPP or CAPWAP Join Response


Configuration PhaseFirmware and Configuration download

Firmware is downloaded by the AP fromthe WLC

Firmware downloaded only if needed, AP reboots after the download

Firmware digitally signed by Cisco

Network configuration is downloaded by the AP from the WLC

Configuration is encrypted in the LWAPP/ CAPWAP Tunnel

Configuration is appliedAccess Points

Cisco WLAN Controller

LW

AP

P-L

3

Fir

mw

are

Do

wn

load

Co

nfi

gu

rati

on

Do

wn

load


Path-MTU DiscoveryDiscovery During Discovery Phase

Initial path MTU discovery is done during the Discovery message

Discovery message will be send from AP to WLC padded up to 1485 bytes with DF bit set

If WLC receives the message, controller will send a Discovery RESPONSE back padded up to 1485 bytes, AP will update MTU 1485

If the Discovery request with padded bytes of 1485 does NOT reach the WLC, AP will time out after 3 secs will send a new Discovery request without padding

AP will Discovery controller with either 1485 or 576 MTU, it can be changed only after AP is in RUN state

AP WLC

Discovery RequestRequestPadd 1485

Response Padd 1485Discovery Response

MTU Discovery : 1485

AP WLC

Discovery RequestRequestPadding

MTU Discovery : 576

3 sec timeout

Discovery RequestRequest

Discovery ResponseResponse


Difference between LWAPP and CAPWAPNote: From Controller code 5.2 Onwards, We Ship Only CAPWAP

Description LWAPP CAPWAP

Fragmentation/Re-assembly Relies on IpV4 CAPWAP itself does both

Path-MTU Discovery Not supported Has a robust P-MTU discovery mechanism, can also detect dynamic

MTU changes

Control Channel Encryption between AP and WLC

Yes (using AES) Yes (Using DTLS)

Data Channel Encryption between AP and WLC

No Yes (using DTLS)

UDP Ports 12222, 12223 5246 (ctrl) 5247 (data)


Downgrade to LWAPP

If WLC is downgraded back to LWAPP code, All CAPWAP APs will initially start CAPWAP Discovery

Since there is no CAPWAP WLC in the network, CAPWAP APs will do CAPWAP Discovery=5 retries, with configurable timer (1-10) between each retry

Upon no CAPWAP Discovery response, CAPWAP AP will now try to fallback to LWAPP Discovery mechanism and Discover LWAPP WLC

AP 1040, 1140, 1260 and 3500 cannot fallback to LWAPP mode

CAPWAP AP

LWAPP

WLC

LWAPP Join RequestLWAPP

LWAPP Join ResponseLWAPP

LWAPP Download FwLWAPP

LWAPP AP

LWAPP Join RequestLWAPP

LWAPP Join ResponseLWAPP

CAPWAP Discover RequestCAPWAP

CAPWAP Discover RequestCAPWAP



LWAPP & CAPWAP






Mobility Defined

Mobility is a key reason for wireless networks

Mobility means the end-user device is capable of moving location in the networked environment

Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!

Mobility presents new challenges:

–Need to scale the architecture to support client roaming—roaming can occur intra-controller and inter-controller

–Need to support client roaming that is seamless (fast) and preserves security


Scaling the Architecture with Mobility Groups Mobility Group allows controllers

to peer with each-other to support seamless roaming across controller boundaries

APs learn the IPs of the other members of the mobility group after the LWAPP Join process

Support for up to 24 controllers, 3600 APs per mobility group

Mobility messages exchanged between controllers

Data tunneled between controllers in EtherIP (RFC 3378)


Increased Mobility Scalability

Roaming is supported across 3 mobility groups (3 * 24 =72 controllers)

With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 & 6.0.188 & 7.0


How Long Does a STA Roam Take?

Time it takes for:

–Client to disassociate +

–Probe for and select a new AP +

–802.11 Association +

–802.1X/EAP Authentication +

–Rekeying +

–IP address (re) acquisition

All this can be on the order of seconds… Can we make this faster?


Roaming Requirements

Roaming must be fast … Latency can be introduced by:

–Client channel scanning and AP selection algorithms

–Re-authentication of client device and re-keying

–Refreshing of IP address

Roaming must maintain security

–Open auth, static WEP—session continues on new AP

–WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes

–802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re-authenticated and new session key derived for encryption


How are we going to make roaming faster?

Focus on where we can have the biggest impact… Eliminating the (re)IP address acquisition challenge

Eliminating full 802.1X/EAP reauthentication


Intra-Controller Roaming

Intra-Controller roam happens when an AP moves association between APs joined to the same controller

Client must be re-authenticated and new security session established

Controller updates client database entry with new AP and appropriate security context

No IP address refresh needed


Layer-2 Roaming—Inter-Controller

L2 Inter-Controller roam happens when an AP moves association between APs joined to the different controllers but client traffic bridged onto the same subnet


Client database entry moved to new controller



Layer-3 Roaming—Symmetric Mobility

Foreign controllers will send Layer 3 roaming client’s packet back to its anchor controller through EtherIP tunnelling

Source IP address of the packet will be the foreign controller’s management IP address

Upstream routers that have Reverse Path Forwarding (RPF) will forward on packets


Roaming: Inter-Controller

L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets


Client database entry copied to new controller – entry exists in both WLC

client DBs

Original controller tagged as the ―anchor‖, new controller tagged as the ―foreign‖

WLCs must be in same mobility group or domain


Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0 release

Account for mobility message exchange in network design

Layer 3


How are we going to make roaming faster?

Focus on where we can have the biggest impact… Eliminating the (re)IP address acquisition challenge

Eliminating full 802.1X/EAP reauthentication


Fast Secure RoamingStandard Wi-Fi Secure Roaming

1. 802.1X authentication in wireless today requires three ―end-to-end‖ transactions with an overall transaction time of > 500ms

2. 802.1X authentication in wireless today requires a roaming clientto re-authenticate, incurring an additional 500+ ms to the roam

Cisco ACS AAA

Server

WAN

AP1AP2

1. 802.1X Initial

Authentication

Transaction2. 802.1X Re-Authentication

After Roaming

Note: Mechanism Is Needed to Centralise Key Distribution


Cisco Centralised Key Management (CCKM)

Cisco introduced CCKM in CCXv2 (pre-802.11I), so widely available, especially with application specific devices (ASDs)

CCKM originally a core feature of the ―Structured Wireless Aware Network‖ (SWAN) architecture

CCKM ported to CUWN architecture in 3.2 release

In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!

CCKM is most widely implemented in ASDs, especially VoWLAN devices

To work across WLCs, WLCs must be in the same mobility group

CCX-based laptops may not fully support CCKM – depends on supplicant capabilities

CCKM is standardised in 802.11R, but no clients available yet


Fast Secure RoamingWPA2/802.11i Pairwise Master Key (PMK) Caching

WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X

requests from roaming clients

From the 802.11i specification:

– Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the

PMK record to be used later

– When a STA is (re-)associates to an AP, it may attach a list of

PMK IDs (which were derived via dot1x process with this AP before)

in the (re)association request frame

– When PMK ID exists, AP can use them to retrieve PMK record from its own PMK cache, if PMK is found, and

matches the STA MAC address;

AP can bypass dot1x authentication process, and directly starts WPA2 four-way key handshake session with

the STA

– PMK cache records will be kept for one hour for non-associated STAs


OKC/PKC

Requires client/supplicant support

Supported in Windows since XP SP2

Many ASDs support OKC and/or PKC

Check on client support for TKIP vs. CCMP – mostly CCMP only

Enabled by default on WLCs with WPAv2

Requires WLCs to be in the same mobility group

Important design note: pre-positioning of roaming clients consumes spots in client DB

In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!

Key Data Points


How Long Does a Client Really Take to Roam? Time to roam =

–Client to disassociate +

–Probe for and select a new AP +

–802.11 Association +

–Mobility message exchange between WLCs +

–Reauthentication +

–Rekeying +

– IP address (re) acquisition

Network latency will have an impact on these times – consideration for controller placement

With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary


How Often Do Clients Roam?

It depends… types of clients and applications

Most client devices are designed to be ―nomadic‖ rather than ―mobile‖, though proliferation of small form factor, ―smart‖ devices will probably change this…

Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly

―SWAG‖ design rule of thumb: 10-20 roams per second for every 5000 clients


Designing a Mobility Group/Domain

Less roaming is better – clients and apps are happier

While clients are authenticating/roaming, WLC CPU is doing the processing –not as much of a big deal for 5508 which has dedicated management/control processor

L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider ―worst case‖ scenarios in designing roaming domain size

Leverage natural roaming domain boundaries

Mobility Message transport selection: multicast vs. unicast

Make sure the right ports and protocols are allowed

Design Considerations



LWAPP & CAPWAP






CUWN 7.0 ReleaseKey Controller Features

5500 Series Wireless Controller

- Support for up to 500 Access Points

- Simplified Licensing

- Enhanced Access Point Update and Joining Capability

Cisco VideoStream Technology

Passive Client Support

Cisco CleanAir Technology


Cisco 5500 Series Wireless Controller Enhancements - Optimised for 802.11n

Supports new 3500 Series Aironet Access Points with CleanAir

New licensing allows for enhanced scale-as-you-grow and feature flexibility

– Upgrade 500 APs simultaneously

– Supports OfficeExtend, DTLS Encryption and Wireless Mesh in base license

Integrates seamlessly into the Cisco Unified Wireless Network

Control plane scalability

Supports innovative technology including VideoStream and Cisco M-Drive, BandSelect and ClientLink

Specifications At-a-Glance

Access Points 12 – 500

Devices 7,000

Mobility Scale 36,000 APs in Mobility Domain

Form 1 RU Appliance

Interfaces 8 GigE Ports

Introducing:

500 AP Support


Simplified Licensing

Base AP License

Base Count: 12, 25, 50, 100, 250 and 500 Access Points + Adder AP counts of 25, 50, 100, 250 (up to a total maximum of 500)

Now Includes

• OfficeExtend Access Point support

• Enterprise Wireless Mesh Access Point support

• CAPWAP Data Encryption

Single License Type: ―Base License‖

WPLUS Features now part of ―Base License‖

WPLUS Licenses not required any more

Licensing model supports ―Capacity Adder Licenses‖

25, 50, 100, 250 AP capacity Adder Licenses which could be added to any of the

base count licenses


WiSM2 - For Catalyst 6500

Enhanced Operational Savings

–Higher Scale

–Reduced downtime during upgrades

–Single Controller

Higher Performance

– Throughput

– Concurrent Rich Media application flows

Maximise Catalyst 6K Investment

– Supervisor & Service Module Refresh



Clients 10,000

I/O 10G

Chassis Level Scale3,500 APs & 70,000 Clients

Concurrent AP Joins 500

No. of Phy Controller 1

Power 225 W


Feature Rich Entry level Controller

–802.11n Ready

–Guest Access

–Wireless IPS

Unsurpassed Performance & Scale for Entry level Controller

–Support high end RF Excellence (CleanAir APs)

–5500 Style Licensing

Cisco 2500 Series Wireless Controller



Devices 500

Throughput 300Mbps

Form FactorDesktop w/ optional Rack Mount

I/O 2x1GE; 2x1GE PoE


Cisco Wireless Controller Module 2 on SRE Maximise on ISR G2 Investment

–Lower Cap-Ex/Op-Ex

–Wired/Wireless solution

Wireless Entry level Controller Performance on ISR platform

–802.11n Ready

–Support high end RF Excellence (CleanAirAPs)

–5500 Style Licensing



Devices 500

Throughput 300Mbps

Form Factor SRE Module on ISR G2

I/O ISR backplane


Controller Comparison5500 WiSM-2

# of Access Points 12, 25, 50, 100, 250, 500 500

Throughput Up to 8 Gbps Up to `0 Gbps

Clients Up to 7,000 Up to 10,000

Concurrent AP upgrades/joins Up to 500 Up to 500

Network I/O Up to 8, 1 Gbps SFPs Cat6k back plane

Mobility domain size Up to 36,000 APs Up to 36,800 APs

# of controllers per physical device 1 1

Power Consumption 125W 225W

AP count upgrade via licensing Yes Yes

Encrypted data link between AP and controller

Yes Yes

OfficeExtend Solution Yes Yes


Enhanced AP Update and Joining Capability

Feature

Ability to handle up to 500 simultaneous AP joins and AP image downloads

Benefit

Increased availability of the network by reducing the network downtime significantly

Simultaneous 500 AP Joins & Image

downloads

Cisco 5508


Features

Video Streaming with Reliable Multicast

– Improves quality and scale of streaming content

– Stream Prioritisation ensures important video content takes precedence over others

– Resource Reservation Control used to prevent channel oversubscription

Benefits

Improved video delivery to Wi-Fi endpoints by providing

– Reliability for streaming

– Quality of Service

– Channel capacity management

– Prioritization and protection

– Better scalability

Cisco VideoStream Technology


Passive Client Support

Problem:

–Client devices such as Zebra Printers, Hobart Scales etc.. Are deployed using static IP addresses

–Information regarding the presence passive devices is not available from the network

Solution:

–The new ―Passive Client ― feature will allow ARP requests and ARP responses to be exchanged between wired and wireless side on a per VLAN /WLAN basis

AP Controller


Access Point Modes

CAPWAP Access Points can operate on various mode

• Local Mode – it is the default mode where AP services clients and monitors the network

• Monitor – dedicated mode of the AP for rouge detection and IDS signature matches

– - Advance WiPS – uses WCS/MSE and dedicated monitor mode of AP

– - ELM ( Enhanced Local Mode) – uses WCS/MSE and local mode of AP

• H-REAP – Remote office deployment

• OEAP – Home office deployment

• Bridge – Outdoor and Indoor MESH deployment


Access Point Modes Configuration

AP modes are software configurations in controller

AP mode can be changed directly from controller or management platform (WCS)


Introducing CleanAir

Detect and Classify

Mitigate

Locate

Cisco CleanAir

A system-wide feature that uses silicon-level intelligence to automatically mitigate the impact of wireless interference, optimise network performance and reduce troubleshooting costs


Detect and Classify

What is CleanAir?

Cisco CleanAir

High-resolution interference detection and classification logic built-in to Cisco’s 802.11n Wi-Fi chip design. Inline operation with no CPU or performance impact.

100

63

35

97

90

20

Uniquely identify and track multiple interferers

Assess unique impact to Wi-Fi performance

Monitor Air Quality


MitigateWireless LAN Controller

What is CleanAir?

Cisco CleanAir

Cisco CleanAir Technology integrates interference information from the AP into the entire system.

Classification processed on Access Point

Interference impact and data sent to WLC for real-time action

WCS and MSE store data for location, history, and troubleshooting

Maintain Air Quality

GOODPOOR

CH 1 CH 11

LocateWCS, MSE

Visualise and Troubleshoot


1130

$699

Carp

ete

d

R

uggedis

ed

11abg 11n + CleanAir11n

12421260

3500e

3500i1140

Introduction of new indoor Access Points

$899

1250

Limited Lifetime Hardware Warranty

1040



LWAPP & CAPWAP







Connecting Controllers and APs to Networks

Controller Redundancy and AP Load Balancing

Understanding AP Groups

IPv6 Deployment with Controllers

Branch Office Designs


Understanding WLAN Controllers—The WLAN Controller as a Network Device

WLAN controller

–For wireless end-user devices, the controller is a 802.1Q bridge that takes traffic of the air and puts it on a VLAN

–From the perspective of the AP, the controller is an LWAPP or CAPWAP tunnel end-point with an IP address

–From the perspective of the network, it’s a layer-2 device connected via one or more 802.1Q trunk interfaces

The AP connects to an access port—no concept of VLAN’s at the AP necessary.

Data VLAN

Voice VLAN

Management

VLAN

CAPWAP

Tunnel


Understanding WLAN Controllers—The WLAN Controller as a Network Device

Three Important Concepts to Understand:

Port—Physical connection to a neighbour switch/router

Interface—Logical connection mapping to a VLAN on the neighbourswitch/router

–Management interface

–AP Manager interface(s)

–Dynamic interface(s)

–Virtual interface

–Service interface

WLAN—Entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters


Controller Interfaces

There are five different interface types to consider

–Management – Communication (HTTP/HTTPS/SNMP/Radius)

–AP Management (Not required in Cisco 5508 Controller)

–Dynamic Interfaces – VLAN interfaces

–Virtual - Mobility Management, DHCP Relay, Layer 3 Security

–Service Port – Out of band management Management InterfaceIn-band Management traffic

Dynamic InterfaceBridge for Client Traffic to/from Wired

Network

802.1Q

Virtual

Service PortOut of Band Management traffic

AP Manager InterfaceIn-band traffic between AP and WLC


Connecting the WLAN Controller to the Network

Options - Link aggregation (LAG) or no LAG

–LAG supported on 5508, 440x, WiSM, Cisco 3750G integrated WLAN controller switch

–LAG is the only option for WiSM, Cisco 3750G integrated WLAN controller switch

440x-based controller allows 48 APs per port in the absence of LAG

Use multiple ―AP Manager‖ interfaces to support more than 48 APs on the WLC without LAG—LWAPP algorithm will load balance APs across the AP managers

LAG allows use of 1 ―AP Manager‖ interface by load-balancing traffic across an EtherChannel interface


Link Aggregation—Dynamic AP Manager Interface No EtherChannel mode

negotiation (LACP, PAgP):

–Set ―etherchannel mode on‖ for neighbouringswitchports

Requires ip-src-dst load balancing for the switch Etherchannel

Packets are forwarded out the same port they arrived on

1 LAG group per WLCis supported

Management

Interface

Cisco 5508

Port 1 Port 8Port 2 Port 3 Port 4 Port 5 Port 6 Port 7

LAG


Cisco 5508 WLC can be attached to a Catalyst VSS switch

Increased availability with Link Aggregation across two separate physical catalyst 6500

Simpler configuration on Catalyst Switch

Automatic load balancing of traffic between two switches

Catalyst WiSM blades are supported on VSS enabled switches

Link Aggregation - VSS Support

Cisco 5508 Cisco 5508

Catalyst VSS Pair









Controller Redundancy - Dynamic

Rely on LWAPP to load-balance APsacross controllers and populate APs with backup controllers

Results in dynamic ―salt-and-pepper‖ design

Design works better when controllers are ―clustered‖ in a centralised design

Pros:– Easy to deploy and configure—less upfront work– APs dynamically load-balance (though never perfectly)

Cons:– More inter-controller roaming– Bigger operational challenges due to unpredictability– Longer failover times– No ―Fallback‖ option in the event of controller failure

Cisco’s general recommendation is: Only for Layer 2 Roaming

Use deterministic redundancy instead of dynamic redundancy


Controller Redundancy - Deterministic

Administrator statically assigns APs a primary, secondary, and/or tertiary controller

–Assigned from controller interface (per AP) or WCS (template-based)

Pro–Predictability—Easier operational management

–More network stability

–More flexible and powerful redundancy design options

–Faster failover times

–―Fallback‖ option in the case of failover

Con–More upfront planning and configuration

This is Cisco’s recommended best practice!


Controller Redundancy – Architecture Resilency

N:N:1 RedundancyN:N Redundancy

N:1 RedundancyResiliency


Controller Redundancy – High Availability

Central Backup

Wireless LAN

Controller

Central Cisco Secure

Access Control Server (ACS)

Remote Wireless LAN

Controller

Branch Office #3 Mobility

Group 3Branch Office #4 Mobility

Group 4

Remote Wireless LAN

Controller

Branch Office #2

Mobility Group 2

Remote Wireless LAN

Controller

WAN

Branch Office #1

Mobility Group 1


Controller Redundancy – High Availability

High Availability Principles :

AP is registered with a WLC and maintain a backup list of WLC.

AP use heartbeats to validate WLC connectivity

AP use Primary Discovery message to validate backup WLC list

When AP loose 3 heartbeats it start join process to first backup WLC candidate

Candidate Backup WLC is the first alive WLC in this order : primary, secondary, tertiary, global primary, global secondary.

AP do not re-initiate discovery process.

Primary WLC

Secondary WLC


Controller Redundancy – AP Failover Priority

Features

Assign priorities to APs: Critical, High, Medium, Low

Critical priority APs get precedence over all other APs when joining a controller

In a failover situation, a higher priority AP will be allowed in ahead of all other APs

If controller is full, existing lower priority APs will be dropped to accommodate higher priority APs

AP Priority: Critical

AP Priority: Medium

Controller

Critical AP fails over

Medium priority

AP dropped


AP Pre-image Download in 7.0

Since most CAPWAP APs can download and

keep more than one image of 4-5MB each

AP Pre-image download allows AP to download

code while it is operational

Pre-image download operation

1. Upgrade the image on the controller

2. Don’t reboot the controller

3. Issue AP Pre-image download command

4. Once all AP images are downloaded

5. Reboot the controller

6. AP now re-joins the controller without re-boot

Access Points

Cisco WLAN Controller

CA

PW

AP

-L3

AP

Pre

-im

ag

eD

ow

nlo

ad

AP

Jo

ins

wit

ho

ut

Do

wn

lao

d

How much time you save ?


Configure AP Pre-image Download

Upgrade the image on the controller and don’t reboot

Currently we have two images on the controller

(Cisco Controller) >show boot

Primary Boot Image............................... 7.0.94.156 (default)

(active)Backup Boot Image................................ 7.0.94.131


Configure AP Pre-image DownloadWireless > AP > Global Configuration

AP now starts pre-

downloading

Perform primary image

pre-download on the AP

AP now swaps image

after reboot of the

controller









AP-GroupsDefault AP-Group

The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the default AP-Group

Default AP-Group cannot be modified

APs with no assignment to an specific AP-Group will use the Default AP-Group

The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups

Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups

WLC 2106 (AP groups: 50) , WLC 4400 and WiSM (AP groups: 300), WLC 5508 (AP groups: 500)


AP-Grouping In Campus

Data CentreWAN Internet

Access

Distribution

Core

Distribution

Access

SiSi SiSi SiSi SiSi SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

WLC-2WLC-1

VLAN 100 / 21

LWAPP/CAPWAP

Single SSID =

Employee

VLAN 100 VLAN 100 VLAN 100


AP-Grouping In Campus


Access

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

AP-Group-2 AP-Group-3AP-Group-1

WLC-2WLC-1

VLAN 80 /23VLAN 70 /23VLAN 60 /23

VLAN 100

/21

LWAPP/CAPWAP

VLAN 60

VLAN 70

VLAN 80

Single SSID =

Employee


Default AP-Group

Network Name

Default AP Group

Only WLAN’s 1-16 will be added in

Default AP Group


Multiple AP-Group’s

AP Group 1

AP Group 2

AP Group 3


Interface-Groups 7.0MR1

Interface-groups allows for a WLAN to be mapped to a single interface OR multiple interfaces

Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion

Extends current AP group and AAA override, with multiple interfaces using interface groups

WLC 2106 (Interface groups: 4) , WLC 4400 and WiSM (AP groups: 32), WLC 5508 and WiSM-2 (AP groups: 64)


Interface-Grouping In Campus 7.0MR1


Access

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

Int-Group-2 Int-Group-3Int-Group-1

WLC-2WLC-1

VLAN 80 /23

VLAN 81 /23

VLAN 70 /23

VLAN 71 /23

VLAN 60 /23

VLAN 61 / 23

VLAN 100

/21

LWAPP/CAPWAP

VLAN 60

VLAN 61

VLAN 70

VLAN 71

VLAN 80

VLAN 81Single SSID =

Employee


Multiple Interface-Group’s 7.0MR1

Interface Group 1

Interface Group 2

Interface Group 3









IPv6 over IPv4 Tunnelling Prior to WLC 6.0 release, IPv6 pass-thru is only supported but no L2 security can be

enabled on IPv6 WLAN

With WLC 6.0 release, IPv6 pass-thru with Layer-2 security supported

To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller

IPv6 packets are tunneled over CAPWAP IPv4 tunnel

Same WLAN can support both IPv4 and IPv6 clients

IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN

IPv6 is not supported with guest mobility anchor tunnelling

Ethernet II | IPv4|CAPWAP|802.11|IPv6802.11|IPv6

Client IPv6 traffic

tunneled over IPv4 and

bridged to Ethernet

Ethernet II | IPv6

CAPWAP Tunnel


IPv6 Configuration on WLC 6.X

Enable IPv6 on the WLAN and multicast on the WLC


IPv6 Client Details

IPv6 Client Details on the WLC

IPv6 Client Details from dual-stack (Vista) client


IPv6 Switch Detailsip multicast-routing distributed

ipv6 unicast-routingipv6 dhcp ping packets 5

ipv6 dhcp pool ipv6poolwlan address prefix 2001::/64 lifetime 1600 800 dns-server 2001::1 domain-name contose.com

!

interface Vlan70 ip address 70.1.200.1 255.255.0.0 ip pim sparse-dense-mode ipv6 address 2001::/64 eui-64 ipv6 enable ipv6 nd prefix 2001::/64 300 200 no-autoconfig ipv6 nd managed-config-flag ipv6 nd other-config-flag ipv6 dhcp server ipv6poolwlan

!

interface GigabitEthernet1/0/2 description Cisco 5508 WLC switchport trunk encapsulation dot1q switchport trunk native vlan 60 switchport trunk allowed vlan 60,70switchport mode trunk

#show ipv6 dhcp bindingClient: FE80::A134:D55E:5F76:1075 (Vlan70) DUID: 00010001117BB813001C25A200A9 IA NA: IA ID 0x1400216A, T1 400, T2 640

Address: 2001::381E:8796:7406:D954 preferred lifetime 800, valid lifetime 1600

expires at Dec 16 2010 01:12 PM (1571 seconds)








Understanding HREAP (Hybrid REAP AP) Deployment

Understanding Branch Controller Deployment


Branch Office Deployment— HREAP

Hybrid Architecture

Single Management & Control point

–Centralised Traffic (Split MAC)

–Or

–Local Traffic (Local MAC)

HA will preserve local traffic only

WAN

Central Site

Remote

Office

Centralised

Traffic

Centralised

Traffic

Local

Traffic


H-REAP Glossary

Connected mode - When H-REAP can reach Controller (connected state), it gets help from controller to complete client authentication.

Standalone mode - When controller is not reachable by H-REAP, it goes into standalone state and does client authentication by itself.

Local Switching – Data traffic switched onto local VLANs for an SSID

Central Switching – Data traffic tunneled back to WLC for an SSID


H-REAP Design Considerations

Some WAN limitations apply :

• RTT must be below 300ms data (100ms voice)

• Minimum 500 bytes WAN MTU (with maximum 4 fragmented packets)

Some features are not available in standalone mode or in local switching mode :

–ACL in local switching, MAC / Web Auth in standalone mode, PMKcaching (OKC), …

See full list in « H-REAP Feature Matrix »http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml


Configure H-REAP ModeStep 1 : Configure Access Point mode

Enable H-REAP Mode per AP

Supported AP : AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500


Configure H-REAP Local SwitchingStep 2 : Enable Local Switching per WLAN

Only WLAN with ―Local Switching‖ enabled will allow local switching at the H-REAP AP


Configure H-REAP VLAN MappingStep 3 : H-REAP Specific Configuration

H-REAP AP can be connected on an access port (using native VLAN) or connected to a 802.1Q trunk port

VLAN Mapping is a per AP configuration on WLC and by AP Group using Templates on a WCS


Configure H-REAP VLAN MappingStep 4 : Per AP SSID to VLAN Mapping

Mapping of SSID to 802.1Q VLAN is done per H-REAP AP :

Use WCS for configuration with templates


Understanding H-REAP Groups

WLC Support up to 20 H-REAP Groups

Each H-REAP Group support up to 25 H-REAP AP

H-REAP Groups allow sharing of :

–CCKM Fast Roaming keys

–Local User authentication

–Local EAP authentication

WAN

Central Site

Remote SiteRemote Site

H-REAP Group 1

H-REAP Group 2


H-REAP Groups and CCKM Keys

CCKM keys are stored on HREAP AP’s for layer-2 fast roaming

The HREAP AP’s will receive the CCKM keys from the WLC

If a HREAP AP boots up in the STANDALONE mode, it will not get the CCKM keys from the WLC and fast roaming is not supported

WAN

Central Site


H-REAP Group 1 H-REAP Group 2

Radius Server

CCKM Keys


H-REAP Groups and CCKM Keys

Add a new H-

REAP Group

Add AP’s to the

H-REAP Group


H-REAP Groups and Local EAP

In case of WAN of failure (Standalone mode) HREAP AP’s can act like a Local EAP server

In a HREAP-Group we can store 100 usernames and act like a local EAP server

LEAP and EAP-FAST is the only supported EAP type in standalone mode

WAN

Central Site


H-REAP Group 1 H-REAP Group 2

Radius Server

Local EAP Server


H-REAP Groups and Local EAP

Add the H-REAP AP to the group and enable AP Local Authentication

Add the username and password to be

stored on the HREAP AP


H-REAP Groups and Local Radius Server

In case of WAN of failure (Standalone mode) HREAP AP’s can authenticate from a Local Radius Server

Only session-timeout radius attribute (attribute 27) is supported in the standalone mode

Radius accounting is not supported in standalone mode

WAN

Central Site

Remote Site

Remote Site

H-REAP Group 1

H-REAP Group 2

Radius Server

Radius Server


H-REAP Groups and Local Radius Server

Add IP address

of the remote

radius server in

the WLC

(10.20.20.12)

Select the

remote radius

server details in

HREAP Group

of the remote


Case Study – HREAP Retail Design

Requirements for the Store Design

Up-to-5 AP per site.

L2 connectivity between the AP

Access local services in the store (servers, printers, etc)

WLAN Services :

–SSID for Stores :

• Security type = WPA-PSK

• Will be the same SSID for all the stores, but different keys per store

• Local Switching

–SSID for Employees :

• Security type = WPA/TKIP or WPA/AES

• Central RADIUS authentication

• Central Switching

WAN link :

– Bandwidth : 512 kbps

– RTT : 100 msec

– MTU : 1400 bytes


Data Centre

Store-1

WAN

Local Resource

H-REAP

CT-5508

Cluster

RADIUS

Scanners

(WPA-PSK)

SSID-Store-1SSID-Employee

(WPA2)

LapTops

(WPA2)

Store-N

H-REAP

Scanners

(WPA-PSK)

SSID-Store -NSSID-Employee

(WPA2)

LapTops

(WPA2)

WLAN 17 : Store-1

•SSID= Store-1

•WPA-PSK=123

…

WLAN 17+N : Store-N

•SSID=Store-N

•WPA-PSK=321

WLAN 1 : Data

•SSID=Employee

•WPA/Radius

Local Resource


Data Centre

Store-1

WAN

H-REAP

Scanners

(WPA-PSK)

SSID-Store-1SSID-Employee

(WPA2)

LapTops

(WPA2)

AP-Group-1

Store-N

H-REAP

Scanners

(WPA-PSK)

SSID-Store-NSSID-Employee

(WPA2)

LapTops

(WPA2)

AP-Group-NLocal Resource Local Resource

AP Group 1 : Store-1

•WLANs : Store-1

…

AP Group N : Store-N

•WLANs : Store-N

CT-5508

Cluster

RADIUS


Case Study – HREAP Retail Design

Create WLAN for Employee and for each store (local switching)

Create AP Group for each store and add AP-1 / WLAN-17 for Store-1, etc

Map locally switched WLAN to a VLAN per store








Understanding HREAP (Hybrid REAP AP) Deployment

Understanding Branch Controller Deployment


Small Office

E-Mail

Branch Office WLAN Controller Options

Headquarters

Branch Office

Internet VPN

MPLS

ATM

Frame Relay

No. of. Users – 100-500No. of AP’s – 5-25

No. of. Users – 20-100No. of AP’s – 1 -5

Appliance controllers

Cisco 2106, 2112, 2125

Cisco 5508-12, 5508-25

Integrated controller

WLAN controller module (WLCM) for ISR

WCS


Small Office

E-Mail

Headquarters

Branch Office

Internet VPN

MPLS

ATM

Frame Relay

Branch Office WLAN Controller Options

WCS

Cisco Unified Wireless Network with Controller-based

Multiple Integrated WAN options on ISR

Consistent branch-HQ services, features, and performance

Standardised branch configuration extends the unified wired and wireless network

Branch configuration management from central WCS

** AP count vary depending on channel utilisation and data rates

Cisco 5508-12 ***

WLCM-6/12 ***








Home Office Designs


E-Mail

Headquarters

Internet VPN

MPLS

ATM

Frame Relay

Home Office Design– OEAP AP

CAPWAPCAPWAP

WLC 5508

Cisco 5508 controller installed in the DMZ of the corporate network

OfficeExtend AP (OEAP) installed at teleworkers home

Corporate access to employee over centrally configured SSID

Family Internet access over alocally configured SSID

Currently supported on AP1130 or AP1140 and WLC 5508 only

WCS


Configure the AP1130or AP 1140 in the HREAP mode

Enable OEAP option for the HREAP AP

Data encryption is enabled automatically once we enable OEAP on an AP

Home Office Solution – OEAP AP


Aironet 600 Series OfficeExtend AP

Dual band 802.11n AP for the homes

Proven hardware design

Validated OEAP Features / Function

Supported by 5508, WiSM2, 2500

7.67‖ x 6.92‖ x 1.45‖

Available worldwide (all reg domains)

Target FCS: Q1CY11


Features

Supports up to 2 corporate SSIDs

Supports up to 15 wireless clients

User-configured personal SSID

Control and data plane encryption

RF channel / power are set automatically at power up

Corporate client cannot access personal / local resources (i.e. home printer)

No RRM, wIPS, Rogue Detection, Location, Guest Services


Interfaces

4 Additional Ethernet ports

–Dedicated Ethernet port for corporate-bound device

–Remaining 3-ports are for personal use

USB port is disabled initially

Cradle for vertical placement

On/Off Switch

No PoE support


Cisco 600 Series OEAP (ports)


Simplified Provisioning

Setting existing APs into OEAP mode requires multiple reboots

OEAP 600 will be preset into OEAP mode during manufacturing

IT first sets MAC addresses of the allowed OEAP 600 into controller

Employees takes unopened OEAP home and connects a computer into Ethernet port. Splash screen prompts user to enter controller IP address

OEAP 600 is then provisioned automatically


Sample screen shots - login

Default DHCP scope of the OEAP is 10.0.0.X, so browse to

https://10.0.0.1 to get the admin page of OEAP on port 1,2,3

https://10.0.0.1


Configuration - System This is where you can configure and choose Radio interface


Configuration – DMZ Controller Information

Home Users

enter IP address

of the DMZ

OEAP

Controller

This is where the customer will enter the IP address of Corporate

Controller


Home Office Design - Cisco Virtual Office Express Architecture

Simplified Head-End VPN

Head-EndCisco ISR (2800/3800) or

Cisco 7206 VXR with VSA or

WLC

SOHOCisco 800 or 1800

Spoke Routers

Corporate

Network

Simplified Head-End VPN Design

Cisco Enhanced Easy VPN with advanced QoSintegration provides secure transport, facilitating voice and video applications (with option of per SA QoS)

Multiple options for head-end to allow for large concentration of site and with high throughput

Remote site presence: Cisco 870, 880, 890 or 1800 Series ISR and Cisco Unified IP Phones 7900 Series.

Head-end presence: 2800, 3800, 7200, or ASR series

Headend (Optional): Wireless LAN Controller, WCS, Configuration Engine


Recommended ProductsSmall/Medium Branch

Cisco Unified Wireless Network (H-REAP)

Remote site: Aironet 1130,1140,1240,1250 Series Access Point; Integrated AP on 880 or 890, ASA 5505

Headend: 5500 Series WLAN Controller or Cisco Catalyst 6500 Series Series Wireless Services Module (WiSM)

Cisco Wireless Control System (WCS)

Cisco Integrated ISR

Integrated AP on 800 & 1800 ISRs

Aironet AP and standalone controller options (2100/5500)


SOHO/Premier Teleworker

Cisco OfficeExtend Solution

5500 Series Wireless LAN Controller

Aironet 1130 or 1140 Series Access Point

CVO Express

Remote site: Cisco 870*, 880, 890 or 1800 Series ISR; Cisco Unified IP Phones 7900 Series

Headend: Cisco 2800, 3800, 7200, or ASR Series;

Headend (Optional): Wireless LAN Controller, WCS, Configuration Engine

*autonomous only

Medium/Large Branch

Cisco Integrated ISR

Wireless Controller Module for Cisco 2800/3800 ISR

Aironet AP and standalone controller options (5500)




LWAPP & CAPWAP






Single Building – Distribution/Core

WLC in distribution/core

Most of the time : L2 Roaming

WLCSiSi SiSi

WLC

L2

CAPWAP


WLCWLC

Wireless Building Block

SiSi SiSi

L2

Campus – Centralised WLCOverview

Centralised WLC

Concept of Wireless Building Block

No Wireless VLANseverywhere

Better performance with L2 Mobility

Recommended design

L3

SiSi SiSi SiSi SiSi

CAPWAP

L3L3Building 1 Building 2

Core

SiSi SiSi

Data Centre

SiSi

SiSi

CAPWAP


WLCWLC

Wireless Building Block

SiSi SiSi

L2

Campus – Centralised WLCHigh Availability

Easy HA strategies

AP HA at WLC Level (no individual AP HA configuration)

Depending on Network size :

– N+N Strategy

– N+1 Strategy

L3

SiSi SiSi SiSi SiSi

L3L3Building 1 Building 2

Core

SiSi SiSi

Data Centre

SiSi

SiSi

CAPWAP CAPWAP


Campus – Centralised WLCPro / Cons

Pro

–Cisco Recommended Design for a Campus

–Better performance with L2 Mobility

–Simple High Availability Strategies (WLC Level)

–Wireless ―Insertion point‖ to the wired network clearly identified in the ―Wireless Building Block‖

–Easier control (ACL, QoS, …) and easier to add advanced ―access control‖ like Firewall, NAC OOB, IDS/IPS, NAM, …

Cons

–All wireless traffic centralised to a single point (hub-and-spoke design)

–Might be price sensitive for small campus


Campus – Distributed WLCOverview

Distributed WLC or WiSM

Each building as its own WLC

Each building can have its own Mobility group

Wireless insertion at distribution layer

Several distributed Wireless VLANsacross the Campus

WLCWLC

L3

SiSi SiSi

SiSi SiSiSiSi SiSi

Core

L3L3

Data Centre

SiSi

SiSi


Campus – Distributed WLCHigh Availability

N+1 HA Strategy

Wireless Users in failover situation are in different VLAN/Subnet

Better to have only one WLC per building to limit L3 roaming and failover at the same time (see after)

WLCWLC

L3

SiSi SiSi

SiSi SiSiSiSi SiSi

Core

L3L3

Data Centre

SiSi

SiSi


Campus – Distributed WLCPros / Cons

Pros

–No need for a wireless building block (cost ?)

–No LWAPP traffic in core network in normal operation

Cons

–If radio continuity between buildings, all WLC need to be in a single mobility group

–L3 roaming inside the building (less performance versus L2 roaming)

–Control features (ACL, FW, NAC, …) need to be distributed in each building

–More complex Failover strategies, more complex to troubleshoot


Cisco Unified Wireless NetworkFlexible, Resilient, Scalable Architecture

Access

Network

Distribution

Network

Teleworker/S

OHO

OfficeExtend AP

Branch OfficeUnified WLC Options:

5508, 440x, 210x

3750G Unified WLC

WLCM Module

Hybrid REAP

Standalone AP

DMZ Guest Controller

440x, 5508 WLC

Network Core or Data Centre

Centralised WLC Design440x, 5508 WLC, WiSM Unified WLC

Distributed WLC Design

440x, 5508 WLC,

WiSM Unified WLC

Highly Distributed Design

3750G Unified WLC

Enterprise Hybrid REAP

Data Centre

Internet

Internet

Unified

Outdoor/Indoor

Access

Unified Management: Wireless Control System

Services Platform: Mobility Services Engine


Documentation

Deploying Cisco 440X Series Wireless LAN Controllers–http://www.cisco.com/en/US/docs/wireless/technology/controller/deployment/guide/dep.html

Configuring a Cisco Wireless Services Module (WiSM) and Wireless Control System (WCS)

–http://www.cisco.com/en/US/docs/wireless/technology/wism/technical/reference/appnote.html

Wireless, LAN (WLAN) Configuration Examples and TechNotes

–http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

H-REAP Deployment Guide–<http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml>

http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html


Q & A


Complete Your Online Session Evaluation

Complete your session evaluation:

Directly from your mobile device by visiting www.ciscoliveaustralia.com/mobile and login by entering your badge ID (located on the front of your badge)

Visit one of the Cisco Live internet stations located throughout the venue

Open a browser on your own computer to access the Cisco Live onsite portal

http://www.ciscoliveaustralia.com/mobile


Meet the Engineer

To make the most of your time at Networkers at Cisco Live 2010, schedule a Face-to-Face Meeting with a top Cisco Engineer.

Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth ofvaluable insights and ideas.

Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions


BRKEWN-2018 Recommended Reading


HREAP MatrixWAN Up (Central

switching)

WAN Up

(Local switching)

WAN Down (Standalone)

Open/Static WEP Yes Yes Yes

WPA-PSK Yes Yes Yes

802.1x (WPA/WPA2) Yes Yes Yes

MAC Authentication Yes Yes No

CCKM Fast Roaming Yes Yes Yes for connected clients.

No for new clients.

PMK Fast

Roaming/OKC/PKC

No No No


HREAP Matrix

WAN Up (Central

switching)

WAN Up (Local

switching)


Data DTLS Yes N/A N/A

Local EAP On HREAP No No Yes

(LEAP/EAP-FAST)

Backup Radius No No Yes

MIC/SSC Yes Yes N/A


HREAP Matrix

WAN Up (Central

Switching)

WAN Up (Local

switching)


Internal Webauth Yes Yes No

External Webauth Yes No No

CleanAir (SI on 3500) Yes Yes No

Syslog Yes Yes Yes

WGB Support No No No

AP Group VLANs Yes N/A N/A

DFS/802.11h Yes Yes Yes


Cisco Aironet Access Point PortfolioBusiness Mobility Rich MediaRich MediaBusiness

ReadyMission Critical

1040 1140 1240 1250 1260 3500i 3500e

CleanAir ASIC No No No No No Yes Yes

Data Uplink (Mbps) 10/100/1000 10/100/1000 10/100 10/100/1000 10/100/1000 10/100/1000 10/100/1000

Power 802.3af 802.3af 802.3afePoE

802.3af*802.3af 802.3af 802.3af

Installation Carpeted Carpeted Rugged Rugged Rugged Carpeted Rugged

Temp Rangein Celsius

0 to 40° 0 to 40° -20 to 55° -20 to 55° -20 to 55° 0 to 40° -20 to 55°

Antennas Internal Internal External External External Internal External

Wi-Fi standards a/b/g/n a/b/g/n a/b/g a/b/g/n a/b/g/n a/b/g/n a/b/g/n

DRAM 128 MB 128 MB 32 MB 64 MB 128 MB 128 MB 128 MB

Flash 32 MB 32 MB 16 MB 32 MB 32 MB 32 MB 32 MB

DFS (pulse detection) .08 µs .08 µs .05 µs .08 µs .08 µs .05 µs .05 µs

Ltd. Lifetime Warranty Yes Yes No Yes Yes Yes Yes

•802.3af fully powers single radio AP1250 or provides 1x3 performance on a dual radio 1250

Documents

Design and Deployment of Enterprise WLANsd2zmdbbm9feqrf.cloudfront.net/2011/anz/pdf/BRKEWN-2010.pdf · BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco