Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
BRKEWN-2010
Design and Deployment of Enterprise WLANs
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 2
Controller-based Architecture Overview
LWAPP & CAPWAP
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Where to place a controller ?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 3
Controller-based Architecture Overview
LWAPP & CAPWAP
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Where to place a controller ?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 4
Understanding WLAN Controllers—1st/2nd
Generation vs. 3rd Generation Approach 1st/2nd generation—APs act
as 802.1Q translational bridge, putting client traffic on local VLANs
3rd generation—Controller bridges client traffic centrally
1st/2nd Generation
3rd GenerationData VLAN
Voice VLAN
Management VLAN
LWAPP
/CAPWAP
Tunnel
Data VLAN
Voice VLAN
Management VLAN
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 5
Controller-based Architecture Overview
LWAPP & CAPWAP
Protocol Overview
LWAPP & CAPWAP AP Discovery and Join Process
LWAPP & CAPWAP Operations
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Where to place a controller ?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 6
LWAPP
Centralised Wireless LAN ArchitectureWhat is LWAPP? LWAPP - Light Weight Access Point Protocol is used between APs and WLAN
Controller
LWAPP carries control and data traffic between the two
– Control plane is AES-CCM encrypted
– Data plane is not encrypted
It facilitates centralised management and automated configuration
Open, standards-based protocol (Submitted to IETF CAPWAP WG)
Access Point Controller
WiFi Client
Business Application
Control Plane
Data Plane
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 7
CAPWAP
Centralised Wireless LAN ArchitectureWhat is CAPWAP? CAPWAP - Control And Provisioning of Wireless Access Points is used between APs
and WLAN Controller and based on LWAPP
CAPWAP carries control and data traffic between the two
– Control plane is DTLS encrypted
– Data plane is DTLS encrypted (Optional)
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
CAPWAP is not supported on Layer-2 mode deployment
Access Point Controller
WiFi Client
Business Application
Control Plane
Data Plane
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 8
CAPWAP ModesSplit MAC
The CAPWAP protocol supports two modes of operation :
– Split MAC (Centralised mode) and
– Local MAC (H-REAP)
Split MAC
WTP ACSTA
Wireless Phy
MAC Sublayer
CAPWAP
Data Plane
Wireless Frame
802.3 Frame
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 9
CAPWAP ModesLocal MAC
Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames
Locally bridged
WTP ACSTA
Wireless Phy
MAC Sublayer
Wireless Frame
802.3 Frame
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 10
CAPWAP ModesLocal MAC
Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames
Tunneled as 802.3 frames:
WTP ACSTA
Wireless Phy
MAC Sublayer
Wireless Frame 802.3 Frame
802.3 FrameCAPWAP
Data Plane
Tunneled Local MAC is not supported by Cisco
H-REAP Support Locally bridged MAC & Split MAC per SSID
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 11
CAPWAP State Machine
AP Boots UP
Discovery
DTLSSetup
Reset
Image Data
Config
Run
Join
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 12
AP Controller Discovery
Controller discovery order:
• Layer 2 join procedure attempted on LWAPP APs
•(CAPWAP does not support Layer 2 APs)
•Broadcast message sent to discover controller on a local subnet
• Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails
•Previously learned or primed controllers
•Subnet broadcast
•DHCP option 43
•DNS lookup
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 13
AP Controller Discovery: DHCP Option
DHCP Offer
DHCP Request
1
2
3
DHCP Server
DHCP Offer Contains
Option 43 for ControllerLayer 3 CAPWAP
Discovery Request Broadcast
Layer 3 CAPWAP
Discovery Responses
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 14
AP Controller Discovery: DNS Option
DHCP Offer
DHCP Request
DHCP Server
DHCP Offer
Contains
DNS Server or Servers
DNS Server
CISCO-CAPWAP-CONTROLLER.localdomain
192.168.1.2
192.168.1.2
12
3
4
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 15
WLAN Controller Selection Algorithm
LWAPP or CAPWAP Discovery Response contains important information from the WLAN Controller:
– Controller name, controller type, controller AP capacity, current AP load, ―Master Controller‖ status and AP Manager IP address or addresses
AP selects a controller to join using the following decision criteria:
1. Attempt to join a WLAN Controller configured as a ―Master‖ controller
2. Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name
3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)
Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing—Deterministic and Dynamic
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 16
LWAPP / CAPWAP Control Messages for Join Process
LWAPP or CAPWAP Join Request—AP sends this messages to selected controller (sent to AP Manager Interface IP Address)
LWAPP or CAPWAP Join Response—If controller validates AP request, it sends the LWAPP Join Response indicating that the AP is now registered with that controller
LWAPP or CAPWAP Join Request
LWAPP or CAPWAP Join Response
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 17
Configuration PhaseFirmware and Configuration download
Firmware is downloaded by the AP fromthe WLC
Firmware downloaded only if needed, AP reboots after the download
Firmware digitally signed by Cisco
Network configuration is downloaded by the AP from the WLC
Configuration is encrypted in the LWAPP/ CAPWAP Tunnel
Configuration is appliedAccess Points
Cisco WLAN Controller
LW
AP
P-L
3
Fir
mw
are
Do
wn
load
Co
nfi
gu
rati
on
Do
wn
load
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 18
Path-MTU DiscoveryDiscovery During Discovery Phase
Initial path MTU discovery is done during the Discovery message
Discovery message will be send from AP to WLC padded up to 1485 bytes with DF bit set
If WLC receives the message, controller will send a Discovery RESPONSE back padded up to 1485 bytes, AP will update MTU 1485
If the Discovery request with padded bytes of 1485 does NOT reach the WLC, AP will time out after 3 secs will send a new Discovery request without padding
AP will Discovery controller with either 1485 or 576 MTU, it can be changed only after AP is in RUN state
AP WLC
Discovery RequestRequestPadd 1485
Response Padd 1485Discovery Response
MTU Discovery : 1485
AP WLC
Discovery RequestRequestPadding
MTU Discovery : 576
3 sec timeout
Discovery RequestRequest
Discovery ResponseResponse
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 19
Difference between LWAPP and CAPWAPNote: From Controller code 5.2 Onwards, We Ship Only CAPWAP
Description LWAPP CAPWAP
Fragmentation/Re-assembly Relies on IpV4 CAPWAP itself does both
Path-MTU Discovery Not supported Has a robust P-MTU discovery mechanism, can also detect dynamic
MTU changes
Control Channel Encryption between AP and WLC
Yes (using AES) Yes (Using DTLS)
Data Channel Encryption between AP and WLC
No Yes (using DTLS)
UDP Ports 12222, 12223 5246 (ctrl) 5247 (data)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 20
Downgrade to LWAPP
If WLC is downgraded back to LWAPP code, All CAPWAP APs will initially start CAPWAP Discovery
Since there is no CAPWAP WLC in the network, CAPWAP APs will do CAPWAP Discovery=5 retries, with configurable timer (1-10) between each retry
Upon no CAPWAP Discovery response, CAPWAP AP will now try to fallback to LWAPP Discovery mechanism and Discover LWAPP WLC
AP 1040, 1140, 1260 and 3500 cannot fallback to LWAPP mode
CAPWAP AP
LWAPP
WLC
LWAPP Join RequestLWAPP
LWAPP Join ResponseLWAPP
LWAPP Download FwLWAPP
LWAPP AP
LWAPP Join RequestLWAPP
LWAPP Join ResponseLWAPP
CAPWAP Discover RequestCAPWAP
CAPWAP Discover RequestCAPWAP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 21
Controller-based Architecture Overview
LWAPP & CAPWAP
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Where to place a controller ?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 22
Mobility Defined
Mobility is a key reason for wireless networks
Mobility means the end-user device is capable of moving location in the networked environment
Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!
Mobility presents new challenges:
–Need to scale the architecture to support client roaming—roaming can occur intra-controller and inter-controller
–Need to support client roaming that is seamless (fast) and preserves security
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 23
Scaling the Architecture with Mobility Groups Mobility Group allows controllers
to peer with each-other to support seamless roaming across controller boundaries
APs learn the IPs of the other members of the mobility group after the LWAPP Join process
Support for up to 24 controllers, 3600 APs per mobility group
Mobility messages exchanged between controllers
Data tunneled between controllers in EtherIP (RFC 3378)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 24
Increased Mobility Scalability
Roaming is supported across 3 mobility groups (3 * 24 =72 controllers)
With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 & 6.0.188 & 7.0
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 25
How Long Does a STA Roam Take?
Time it takes for:
–Client to disassociate +
–Probe for and select a new AP +
–802.11 Association +
–802.1X/EAP Authentication +
–Rekeying +
–IP address (re) acquisition
All this can be on the order of seconds… Can we make this faster?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 26
Roaming Requirements
Roaming must be fast … Latency can be introduced by:
–Client channel scanning and AP selection algorithms
–Re-authentication of client device and re-keying
–Refreshing of IP address
Roaming must maintain security
–Open auth, static WEP—session continues on new AP
–WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes
–802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re-authenticated and new session key derived for encryption
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 27
How are we going to make roaming faster?
Focus on where we can have the biggest impact… Eliminating the (re)IP address acquisition challenge
Eliminating full 802.1X/EAP reauthentication
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 28
Intra-Controller Roaming
Intra-Controller roam happens when an AP moves association between APs joined to the same controller
Client must be re-authenticated and new security session established
Controller updates client database entry with new AP and appropriate security context
No IP address refresh needed
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 29
Layer-2 Roaming—Inter-Controller
L2 Inter-Controller roam happens when an AP moves association between APs joined to the different controllers but client traffic bridged onto the same subnet
Client must be re-authenticated and new security session established
Client database entry moved to new controller
No IP address refresh needed
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 30
Layer-3 Roaming—Symmetric Mobility
Foreign controllers will send Layer 3 roaming client’s packet back to its anchor controller through EtherIP tunnelling
Source IP address of the packet will be the foreign controller’s management IP address
Upstream routers that have Reverse Path Forwarding (RPF) will forward on packets
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 31
Roaming: Inter-Controller
L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets
Client must be re-authenticated and new security session established
Client database entry copied to new controller – entry exists in both WLC
client DBs
Original controller tagged as the ―anchor‖, new controller tagged as the ―foreign‖
WLCs must be in same mobility group or domain
No IP address refresh needed
Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0 release
Account for mobility message exchange in network design
Layer 3
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 32
How are we going to make roaming faster?
Focus on where we can have the biggest impact… Eliminating the (re)IP address acquisition challenge
Eliminating full 802.1X/EAP reauthentication
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 33
Fast Secure RoamingStandard Wi-Fi Secure Roaming
1. 802.1X authentication in wireless today requires three ―end-to-end‖ transactions with an overall transaction time of > 500ms
2. 802.1X authentication in wireless today requires a roaming clientto re-authenticate, incurring an additional 500+ ms to the roam
Cisco ACS AAA
Server
WAN
AP1AP2
1. 802.1X Initial
Authentication
Transaction2. 802.1X Re-Authentication
After Roaming
Note: Mechanism Is Needed to Centralise Key Distribution
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 34
Cisco Centralised Key Management (CCKM)
Cisco introduced CCKM in CCXv2 (pre-802.11I), so widely available, especially with application specific devices (ASDs)
CCKM originally a core feature of the ―Structured Wireless Aware Network‖ (SWAN) architecture
CCKM ported to CUWN architecture in 3.2 release
In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
CCKM is most widely implemented in ASDs, especially VoWLAN devices
To work across WLCs, WLCs must be in the same mobility group
CCX-based laptops may not fully support CCKM – depends on supplicant capabilities
CCKM is standardised in 802.11R, but no clients available yet
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 35
Fast Secure RoamingWPA2/802.11i Pairwise Master Key (PMK) Caching
WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X
requests from roaming clients
From the 802.11i specification:
– Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the
PMK record to be used later
– When a STA is (re-)associates to an AP, it may attach a list of
PMK IDs (which were derived via dot1x process with this AP before)
in the (re)association request frame
– When PMK ID exists, AP can use them to retrieve PMK record from its own PMK cache, if PMK is found, and
matches the STA MAC address;
AP can bypass dot1x authentication process, and directly starts WPA2 four-way key handshake session with
the STA
– PMK cache records will be kept for one hour for non-associated STAs
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 36
OKC/PKC
Requires client/supplicant support
Supported in Windows since XP SP2
Many ASDs support OKC and/or PKC
Check on client support for TKIP vs. CCMP – mostly CCMP only
Enabled by default on WLCs with WPAv2
Requires WLCs to be in the same mobility group
Important design note: pre-positioning of roaming clients consumes spots in client DB
In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!
Key Data Points
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 38
How Long Does a Client Really Take to Roam? Time to roam =
–Client to disassociate +
–Probe for and select a new AP +
–802.11 Association +
–Mobility message exchange between WLCs +
–Reauthentication +
–Rekeying +
– IP address (re) acquisition
Network latency will have an impact on these times – consideration for controller placement
With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 39
How Often Do Clients Roam?
It depends… types of clients and applications
Most client devices are designed to be ―nomadic‖ rather than ―mobile‖, though proliferation of small form factor, ―smart‖ devices will probably change this…
Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly
―SWAG‖ design rule of thumb: 10-20 roams per second for every 5000 clients
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 40
Designing a Mobility Group/Domain
Less roaming is better – clients and apps are happier
While clients are authenticating/roaming, WLC CPU is doing the processing –not as much of a big deal for 5508 which has dedicated management/control processor
L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider ―worst case‖ scenarios in designing roaming domain size
Leverage natural roaming domain boundaries
Mobility Message transport selection: multicast vs. unicast
Make sure the right ports and protocols are allowed
Design Considerations
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 41
Controller-based Architecture Overview
LWAPP & CAPWAP
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Where to place a controller ?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 42
CUWN 7.0 ReleaseKey Controller Features
5500 Series Wireless Controller
- Support for up to 500 Access Points
- Simplified Licensing
- Enhanced Access Point Update and Joining Capability
Cisco VideoStream Technology
Passive Client Support
Cisco CleanAir Technology
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 43
Cisco 5500 Series Wireless Controller Enhancements - Optimised for 802.11n
Supports new 3500 Series Aironet Access Points with CleanAir
New licensing allows for enhanced scale-as-you-grow and feature flexibility
– Upgrade 500 APs simultaneously
– Supports OfficeExtend, DTLS Encryption and Wireless Mesh in base license
Integrates seamlessly into the Cisco Unified Wireless Network
Control plane scalability
Supports innovative technology including VideoStream and Cisco M-Drive, BandSelect and ClientLink
Specifications At-a-Glance
Access Points 12 – 500
Devices 7,000
Mobility Scale 36,000 APs in Mobility Domain
Form 1 RU Appliance
Interfaces 8 GigE Ports
Introducing:
500 AP Support
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 44
Simplified Licensing
Base AP License
Base Count: 12, 25, 50, 100, 250 and 500 Access Points + Adder AP counts of 25, 50, 100, 250 (up to a total maximum of 500)
Now Includes
• OfficeExtend Access Point support
• Enterprise Wireless Mesh Access Point support
• CAPWAP Data Encryption
Single License Type: ―Base License‖
WPLUS Features now part of ―Base License‖
WPLUS Licenses not required any more
Licensing model supports ―Capacity Adder Licenses‖
25, 50, 100, 250 AP capacity Adder Licenses which could be added to any of the
base count licenses
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 45
WiSM2 - For Catalyst 6500
Enhanced Operational Savings
–Higher Scale
–Reduced downtime during upgrades
–Single Controller
Higher Performance
– Throughput
– Concurrent Rich Media application flows
Maximise Catalyst 6K Investment
– Supervisor & Service Module Refresh
Specifications At-a-Glance
Access Points 100 – 500
Clients 10,000
I/O 10G
Chassis Level Scale3,500 APs & 70,000 Clients
Concurrent AP Joins 500
No. of Phy Controller 1
Power 225 W
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 46
Feature Rich Entry level Controller
–802.11n Ready
–Guest Access
–Wireless IPS
Unsurpassed Performance & Scale for Entry level Controller
–Support high end RF Excellence (CleanAir APs)
–5500 Style Licensing
Cisco 2500 Series Wireless Controller
Specifications At-a-Glance
Access Points 5 – 50
Devices 500
Throughput 300Mbps
Form FactorDesktop w/ optional Rack Mount
I/O 2x1GE; 2x1GE PoE
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 47
Cisco Wireless Controller Module 2 on SRE Maximise on ISR G2 Investment
–Lower Cap-Ex/Op-Ex
–Wired/Wireless solution
Wireless Entry level Controller Performance on ISR platform
–802.11n Ready
–Support high end RF Excellence (CleanAirAPs)
–5500 Style Licensing
Specifications At-a-Glance
Access Points 5 – 50
Devices 500
Throughput 300Mbps
Form Factor SRE Module on ISR G2
I/O ISR backplane
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 48
Controller Comparison5500 WiSM-2
# of Access Points 12, 25, 50, 100, 250, 500 500
Throughput Up to 8 Gbps Up to `0 Gbps
Clients Up to 7,000 Up to 10,000
Concurrent AP upgrades/joins Up to 500 Up to 500
Network I/O Up to 8, 1 Gbps SFPs Cat6k back plane
Mobility domain size Up to 36,000 APs Up to 36,800 APs
# of controllers per physical device 1 1
Power Consumption 125W 225W
AP count upgrade via licensing Yes Yes
Encrypted data link between AP and controller
Yes Yes
OfficeExtend Solution Yes Yes
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 49
Enhanced AP Update and Joining Capability
Feature
Ability to handle up to 500 simultaneous AP joins and AP image downloads
Benefit
Increased availability of the network by reducing the network downtime significantly
Simultaneous 500 AP Joins & Image
downloads
Cisco 5508
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 50
Features
Video Streaming with Reliable Multicast
– Improves quality and scale of streaming content
– Stream Prioritisation ensures important video content takes precedence over others
– Resource Reservation Control used to prevent channel oversubscription
Benefits
Improved video delivery to Wi-Fi endpoints by providing
– Reliability for streaming
– Quality of Service
– Channel capacity management
– Prioritization and protection
– Better scalability
Cisco VideoStream Technology
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 51
Passive Client Support
Problem:
–Client devices such as Zebra Printers, Hobart Scales etc.. Are deployed using static IP addresses
–Information regarding the presence passive devices is not available from the network
Solution:
–The new ―Passive Client ― feature will allow ARP requests and ARP responses to be exchanged between wired and wireless side on a per VLAN /WLAN basis
AP Controller
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 52
Access Point Modes
CAPWAP Access Points can operate on various mode
• Local Mode – it is the default mode where AP services clients and monitors the network
• Monitor – dedicated mode of the AP for rouge detection and IDS signature matches
– - Advance WiPS – uses WCS/MSE and dedicated monitor mode of AP
– - ELM ( Enhanced Local Mode) – uses WCS/MSE and local mode of AP
• H-REAP – Remote office deployment
• OEAP – Home office deployment
• Bridge – Outdoor and Indoor MESH deployment
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 53
Access Point Modes Configuration
AP modes are software configurations in controller
AP mode can be changed directly from controller or management platform (WCS)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 54
Introducing CleanAir
Detect and Classify
Mitigate
Locate
Cisco CleanAir
A system-wide feature that uses silicon-level intelligence to automatically mitigate the impact of wireless interference, optimise network performance and reduce troubleshooting costs
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 55
Detect and Classify
What is CleanAir?
Cisco CleanAir
High-resolution interference detection and classification logic built-in to Cisco’s 802.11n Wi-Fi chip design. Inline operation with no CPU or performance impact.
100
63
35
97
90
20
Uniquely identify and track multiple interferers
Assess unique impact to Wi-Fi performance
Monitor Air Quality
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 56
MitigateWireless LAN Controller
What is CleanAir?
Cisco CleanAir
Cisco CleanAir Technology integrates interference information from the AP into the entire system.
Classification processed on Access Point
Interference impact and data sent to WLC for real-time action
WCS and MSE store data for location, history, and troubleshooting
Maintain Air Quality
GOODPOOR
CH 1 CH 11
LocateWCS, MSE
Visualise and Troubleshoot
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 57
1130
$699
Carp
ete
d
R
uggedis
ed
11abg 11n + CleanAir11n
12421260
3500e
3500i1140
Introduction of new indoor Access Points
$899
1250
Limited Lifetime Hardware Warranty
1040
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 58
Controller-based Architecture Overview
LWAPP & CAPWAP
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Where to place a controller ?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 59
Deploying the Cisco Unified Wireless Architecture
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 60
Understanding WLAN Controllers—The WLAN Controller as a Network Device
WLAN controller
–For wireless end-user devices, the controller is a 802.1Q bridge that takes traffic of the air and puts it on a VLAN
–From the perspective of the AP, the controller is an LWAPP or CAPWAP tunnel end-point with an IP address
–From the perspective of the network, it’s a layer-2 device connected via one or more 802.1Q trunk interfaces
The AP connects to an access port—no concept of VLAN’s at the AP necessary.
Data VLAN
Voice VLAN
Management
VLAN
CAPWAP
Tunnel
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 61
Understanding WLAN Controllers—The WLAN Controller as a Network Device
Three Important Concepts to Understand:
Port—Physical connection to a neighbour switch/router
Interface—Logical connection mapping to a VLAN on the neighbourswitch/router
–Management interface
–AP Manager interface(s)
–Dynamic interface(s)
–Virtual interface
–Service interface
WLAN—Entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 62
Controller Interfaces
There are five different interface types to consider
–Management – Communication (HTTP/HTTPS/SNMP/Radius)
–AP Management (Not required in Cisco 5508 Controller)
–Dynamic Interfaces – VLAN interfaces
–Virtual - Mobility Management, DHCP Relay, Layer 3 Security
–Service Port – Out of band management Management InterfaceIn-band Management traffic
Dynamic InterfaceBridge for Client Traffic to/from Wired
Network
802.1Q
Virtual
Service PortOut of Band Management traffic
AP Manager InterfaceIn-band traffic between AP and WLC
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 63
Connecting the WLAN Controller to the Network
Options - Link aggregation (LAG) or no LAG
–LAG supported on 5508, 440x, WiSM, Cisco 3750G integrated WLAN controller switch
–LAG is the only option for WiSM, Cisco 3750G integrated WLAN controller switch
440x-based controller allows 48 APs per port in the absence of LAG
Use multiple ―AP Manager‖ interfaces to support more than 48 APs on the WLC without LAG—LWAPP algorithm will load balance APs across the AP managers
LAG allows use of 1 ―AP Manager‖ interface by load-balancing traffic across an EtherChannel interface
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 64
Link Aggregation—Dynamic AP Manager Interface No EtherChannel mode
negotiation (LACP, PAgP):
–Set ―etherchannel mode on‖ for neighbouringswitchports
Requires ip-src-dst load balancing for the switch Etherchannel
Packets are forwarded out the same port they arrived on
1 LAG group per WLCis supported
Management
Interface
Cisco 5508
Port 1 Port 8Port 2 Port 3 Port 4 Port 5 Port 6 Port 7
LAG
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 65
Cisco 5508 WLC can be attached to a Catalyst VSS switch
Increased availability with Link Aggregation across two separate physical catalyst 6500
Simpler configuration on Catalyst Switch
Automatic load balancing of traffic between two switches
Catalyst WiSM blades are supported on VSS enabled switches
Link Aggregation - VSS Support
Cisco 5508 Cisco 5508
Catalyst VSS Pair
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 66
Deploying the Cisco Unified Wireless Architecture
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 67
Controller Redundancy - Dynamic
Rely on LWAPP to load-balance APsacross controllers and populate APs with backup controllers
Results in dynamic ―salt-and-pepper‖ design
Design works better when controllers are ―clustered‖ in a centralised design
Pros:– Easy to deploy and configure—less upfront work– APs dynamically load-balance (though never perfectly)
Cons:– More inter-controller roaming– Bigger operational challenges due to unpredictability– Longer failover times– No ―Fallback‖ option in the event of controller failure
Cisco’s general recommendation is: Only for Layer 2 Roaming
Use deterministic redundancy instead of dynamic redundancy
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 68
Controller Redundancy - Deterministic
Administrator statically assigns APs a primary, secondary, and/or tertiary controller
–Assigned from controller interface (per AP) or WCS (template-based)
Pro–Predictability—Easier operational management
–More network stability
–More flexible and powerful redundancy design options
–Faster failover times
–―Fallback‖ option in the case of failover
Con–More upfront planning and configuration
This is Cisco’s recommended best practice!
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 69
Controller Redundancy – Architecture Resilency
N:N:1 RedundancyN:N Redundancy
N:1 RedundancyResiliency
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 70
Controller Redundancy – High Availability
Central Backup
Wireless LAN
Controller
Central Cisco Secure
Access Control Server (ACS)
Remote Wireless LAN
Controller
Branch Office #3 Mobility
Group 3Branch Office #4 Mobility
Group 4
Remote Wireless LAN
Controller
Branch Office #2
Mobility Group 2
Remote Wireless LAN
Controller
WAN
Branch Office #1
Mobility Group 1
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 71
Controller Redundancy – High Availability
High Availability Principles :
AP is registered with a WLC and maintain a backup list of WLC.
AP use heartbeats to validate WLC connectivity
AP use Primary Discovery message to validate backup WLC list
When AP loose 3 heartbeats it start join process to first backup WLC candidate
Candidate Backup WLC is the first alive WLC in this order : primary, secondary, tertiary, global primary, global secondary.
AP do not re-initiate discovery process.
Primary WLC
Secondary WLC
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 72
Controller Redundancy – AP Failover Priority
Features
Assign priorities to APs: Critical, High, Medium, Low
Critical priority APs get precedence over all other APs when joining a controller
In a failover situation, a higher priority AP will be allowed in ahead of all other APs
If controller is full, existing lower priority APs will be dropped to accommodate higher priority APs
AP Priority: Critical
AP Priority: Medium
Controller
Critical AP fails over
Medium priority
AP dropped
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 73
AP Pre-image Download in 7.0
Since most CAPWAP APs can download and
keep more than one image of 4-5MB each
AP Pre-image download allows AP to download
code while it is operational
Pre-image download operation
1. Upgrade the image on the controller
2. Don’t reboot the controller
3. Issue AP Pre-image download command
4. Once all AP images are downloaded
5. Reboot the controller
6. AP now re-joins the controller without re-boot
Access Points
Cisco WLAN Controller
CA
PW
AP
-L3
AP
Pre
-im
ag
eD
ow
nlo
ad
AP
Jo
ins
wit
ho
ut
Do
wn
lao
d
How much time you save ?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 74
Configure AP Pre-image Download
Upgrade the image on the controller and don’t reboot
Currently we have two images on the controller
(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.94.156 (default)
(active)Backup Boot Image................................ 7.0.94.131
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 75
Configure AP Pre-image DownloadWireless > AP > Global Configuration
AP now starts pre-
downloading
Perform primary image
pre-download on the AP
AP now swaps image
after reboot of the
controller
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 76
Deploying the Cisco Unified Wireless Architecture
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 77
AP-GroupsDefault AP-Group
The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the default AP-Group
Default AP-Group cannot be modified
APs with no assignment to an specific AP-Group will use the Default AP-Group
The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups
Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
WLC 2106 (AP groups: 50) , WLC 4400 and WiSM (AP groups: 300), WLC 5508 (AP groups: 500)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 78
AP-Grouping In Campus
Data CentreWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
WLC-2WLC-1
VLAN 100 / 21
LWAPP/CAPWAP
Single SSID =
Employee
VLAN 100 VLAN 100 VLAN 100
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 79
AP-Grouping In Campus
Data CentreWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
AP-Group-2 AP-Group-3AP-Group-1
WLC-2WLC-1
VLAN 80 /23VLAN 70 /23VLAN 60 /23
VLAN 100
/21
LWAPP/CAPWAP
VLAN 60
VLAN 70
VLAN 80
Single SSID =
Employee
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 80
Default AP-Group
Network Name
Default AP Group
Only WLAN’s 1-16 will be added in
Default AP Group
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 81
Multiple AP-Group’s
AP Group 1
AP Group 2
AP Group 3
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 82
Interface-Groups 7.0MR1
Interface-groups allows for a WLAN to be mapped to a single interface OR multiple interfaces
Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion
Extends current AP group and AAA override, with multiple interfaces using interface groups
WLC 2106 (Interface groups: 4) , WLC 4400 and WiSM (AP groups: 32), WLC 5508 and WiSM-2 (AP groups: 64)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 83
Interface-Grouping In Campus 7.0MR1
Data CentreWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
Int-Group-2 Int-Group-3Int-Group-1
WLC-2WLC-1
VLAN 80 /23
VLAN 81 /23
VLAN 70 /23
VLAN 71 /23
VLAN 60 /23
VLAN 61 / 23
VLAN 100
/21
LWAPP/CAPWAP
VLAN 60
VLAN 61
VLAN 70
VLAN 71
VLAN 80
VLAN 81Single SSID =
Employee
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 84
Multiple Interface-Group’s 7.0MR1
Interface Group 1
Interface Group 2
Interface Group 3
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 85
Deploying the Cisco Unified Wireless Architecture
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 86
IPv6 over IPv4 Tunnelling Prior to WLC 6.0 release, IPv6 pass-thru is only supported but no L2 security can be
enabled on IPv6 WLAN
With WLC 6.0 release, IPv6 pass-thru with Layer-2 security supported
To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller
IPv6 packets are tunneled over CAPWAP IPv4 tunnel
Same WLAN can support both IPv4 and IPv6 clients
IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN
IPv6 is not supported with guest mobility anchor tunnelling
Ethernet II | IPv4|CAPWAP|802.11|IPv6802.11|IPv6
Client IPv6 traffic
tunneled over IPv4 and
bridged to Ethernet
Ethernet II | IPv6
CAPWAP Tunnel
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 87
IPv6 Configuration on WLC 6.X
Enable IPv6 on the WLAN and multicast on the WLC
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 88
IPv6 Client Details
IPv6 Client Details on the WLC
IPv6 Client Details from dual-stack (Vista) client
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 89
IPv6 Switch Detailsip multicast-routing distributed
ipv6 unicast-routingipv6 dhcp ping packets 5
ipv6 dhcp pool ipv6poolwlan address prefix 2001::/64 lifetime 1600 800 dns-server 2001::1 domain-name contose.com
!
interface Vlan70 ip address 70.1.200.1 255.255.0.0 ip pim sparse-dense-mode ipv6 address 2001::/64 eui-64 ipv6 enable ipv6 nd prefix 2001::/64 300 200 no-autoconfig ipv6 nd managed-config-flag ipv6 nd other-config-flag ipv6 dhcp server ipv6poolwlan
!
interface GigabitEthernet1/0/2 description Cisco 5508 WLC switchport trunk encapsulation dot1q switchport trunk native vlan 60 switchport trunk allowed vlan 60,70switchport mode trunk
#show ipv6 dhcp bindingClient: FE80::A134:D55E:5F76:1075 (Vlan70) DUID: 00010001117BB813001C25A200A9 IA NA: IA ID 0x1400216A, T1 400, T2 640
Address: 2001::381E:8796:7406:D954 preferred lifetime 800, valid lifetime 1600
expires at Dec 16 2010 01:12 PM (1571 seconds)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 90
Deploying the Cisco Unified Wireless Architecture
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Understanding HREAP (Hybrid REAP AP) Deployment
Understanding Branch Controller Deployment
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 91
Branch Office Deployment— HREAP
Hybrid Architecture
Single Management & Control point
–Centralised Traffic (Split MAC)
–Or
–Local Traffic (Local MAC)
HA will preserve local traffic only
WAN
Central Site
Remote
Office
Centralised
Traffic
Centralised
Traffic
Local
Traffic
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 92
H-REAP Glossary
Connected mode - When H-REAP can reach Controller (connected state), it gets help from controller to complete client authentication.
Standalone mode - When controller is not reachable by H-REAP, it goes into standalone state and does client authentication by itself.
Local Switching – Data traffic switched onto local VLANs for an SSID
Central Switching – Data traffic tunneled back to WLC for an SSID
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 93
H-REAP Design Considerations
Some WAN limitations apply :
• RTT must be below 300ms data (100ms voice)
• Minimum 500 bytes WAN MTU (with maximum 4 fragmented packets)
Some features are not available in standalone mode or in local switching mode :
–ACL in local switching, MAC / Web Auth in standalone mode, PMKcaching (OKC), …
See full list in « H-REAP Feature Matrix »http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 94
Configure H-REAP ModeStep 1 : Configure Access Point mode
Enable H-REAP Mode per AP
Supported AP : AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 95
Configure H-REAP Local SwitchingStep 2 : Enable Local Switching per WLAN
Only WLAN with ―Local Switching‖ enabled will allow local switching at the H-REAP AP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 96
Configure H-REAP VLAN MappingStep 3 : H-REAP Specific Configuration
H-REAP AP can be connected on an access port (using native VLAN) or connected to a 802.1Q trunk port
VLAN Mapping is a per AP configuration on WLC and by AP Group using Templates on a WCS
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 97
Configure H-REAP VLAN MappingStep 4 : Per AP SSID to VLAN Mapping
Mapping of SSID to 802.1Q VLAN is done per H-REAP AP :
Use WCS for configuration with templates
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 98
Understanding H-REAP Groups
WLC Support up to 20 H-REAP Groups
Each H-REAP Group support up to 25 H-REAP AP
H-REAP Groups allow sharing of :
–CCKM Fast Roaming keys
–Local User authentication
–Local EAP authentication
WAN
Central Site
Remote SiteRemote Site
H-REAP Group 1
H-REAP Group 2
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 99
H-REAP Groups and CCKM Keys
CCKM keys are stored on HREAP AP’s for layer-2 fast roaming
The HREAP AP’s will receive the CCKM keys from the WLC
If a HREAP AP boots up in the STANDALONE mode, it will not get the CCKM keys from the WLC and fast roaming is not supported
WAN
Central Site
Remote SiteRemote Site
H-REAP Group 1 H-REAP Group 2
Radius Server
CCKM Keys
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 100
H-REAP Groups and CCKM Keys
Add a new H-
REAP Group
Add AP’s to the
H-REAP Group
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 101
H-REAP Groups and Local EAP
In case of WAN of failure (Standalone mode) HREAP AP’s can act like a Local EAP server
In a HREAP-Group we can store 100 usernames and act like a local EAP server
LEAP and EAP-FAST is the only supported EAP type in standalone mode
WAN
Central Site
Remote SiteRemote Site
H-REAP Group 1 H-REAP Group 2
Radius Server
Local EAP Server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 102
H-REAP Groups and Local EAP
Add the H-REAP AP to the group and enable AP Local Authentication
Add the username and password to be
stored on the HREAP AP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 103
H-REAP Groups and Local Radius Server
In case of WAN of failure (Standalone mode) HREAP AP’s can authenticate from a Local Radius Server
Only session-timeout radius attribute (attribute 27) is supported in the standalone mode
Radius accounting is not supported in standalone mode
WAN
Central Site
Remote Site
Remote Site
H-REAP Group 1
H-REAP Group 2
Radius Server
Radius Server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 104
H-REAP Groups and Local Radius Server
Add IP address
of the remote
radius server in
the WLC
(10.20.20.12)
Select the
remote radius
server details in
HREAP Group
of the remote
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 105
Case Study – HREAP Retail Design
Requirements for the Store Design
Up-to-5 AP per site.
L2 connectivity between the AP
Access local services in the store (servers, printers, etc)
WLAN Services :
–SSID for Stores :
• Security type = WPA-PSK
• Will be the same SSID for all the stores, but different keys per store
• Local Switching
–SSID for Employees :
• Security type = WPA/TKIP or WPA/AES
• Central RADIUS authentication
• Central Switching
WAN link :
– Bandwidth : 512 kbps
– RTT : 100 msec
– MTU : 1400 bytes
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 106
Data Centre
Store-1
WAN
Local Resource
H-REAP
CT-5508
Cluster
RADIUS
Scanners
(WPA-PSK)
SSID-Store-1SSID-Employee
(WPA2)
LapTops
(WPA2)
Store-N
H-REAP
Scanners
(WPA-PSK)
SSID-Store -NSSID-Employee
(WPA2)
LapTops
(WPA2)
WLAN 17 : Store-1
•SSID= Store-1
•WPA-PSK=123
…
WLAN 17+N : Store-N
•SSID=Store-N
•WPA-PSK=321
WLAN 1 : Data
•SSID=Employee
•WPA/Radius
Local Resource
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 107
Data Centre
Store-1
WAN
H-REAP
Scanners
(WPA-PSK)
SSID-Store-1SSID-Employee
(WPA2)
LapTops
(WPA2)
AP-Group-1
Store-N
H-REAP
Scanners
(WPA-PSK)
SSID-Store-NSSID-Employee
(WPA2)
LapTops
(WPA2)
AP-Group-NLocal Resource Local Resource
AP Group 1 : Store-1
•WLANs : Store-1
…
AP Group N : Store-N
•WLANs : Store-N
CT-5508
Cluster
RADIUS
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 108
Case Study – HREAP Retail Design
Create WLAN for Employee and for each store (local switching)
Create AP Group for each store and add AP-1 / WLAN-17 for Store-1, etc
Map locally switched WLAN to a VLAN per store
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 109
Deploying the Cisco Unified Wireless Architecture
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Understanding HREAP (Hybrid REAP AP) Deployment
Understanding Branch Controller Deployment
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 110
Small Office
Branch Office WLAN Controller Options
Headquarters
Branch Office
Internet VPN
MPLS
ATM
Frame Relay
No. of. Users – 100-500No. of AP’s – 5-25
No. of. Users – 20-100No. of AP’s – 1 -5
Appliance controllers
Cisco 2106, 2112, 2125
Cisco 5508-12, 5508-25
Integrated controller
WLAN controller module (WLCM) for ISR
WCS
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 111
Small Office
Headquarters
Branch Office
Internet VPN
MPLS
ATM
Frame Relay
Branch Office WLAN Controller Options
WCS
Cisco Unified Wireless Network with Controller-based
Multiple Integrated WAN options on ISR
Consistent branch-HQ services, features, and performance
Standardised branch configuration extends the unified wired and wireless network
Branch configuration management from central WCS
** AP count vary depending on channel utilisation and data rates
Cisco 5508-12 ***
WLCM-6/12 ***
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 112
Deploying the Cisco Unified Wireless Architecture
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Home Office Designs
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 113
Headquarters
Internet VPN
MPLS
ATM
Frame Relay
Home Office Design– OEAP AP
CAPWAPCAPWAP
WLC 5508
Cisco 5508 controller installed in the DMZ of the corporate network
OfficeExtend AP (OEAP) installed at teleworkers home
Corporate access to employee over centrally configured SSID
Family Internet access over alocally configured SSID
Currently supported on AP1130 or AP1140 and WLC 5508 only
WCS
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 114
Configure the AP1130or AP 1140 in the HREAP mode
Enable OEAP option for the HREAP AP
Data encryption is enabled automatically once we enable OEAP on an AP
Home Office Solution – OEAP AP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 115
Aironet 600 Series OfficeExtend AP
Dual band 802.11n AP for the homes
Proven hardware design
Validated OEAP Features / Function
Supported by 5508, WiSM2, 2500
7.67‖ x 6.92‖ x 1.45‖
Available worldwide (all reg domains)
Target FCS: Q1CY11
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 116
Features
Supports up to 2 corporate SSIDs
Supports up to 15 wireless clients
User-configured personal SSID
Control and data plane encryption
RF channel / power are set automatically at power up
Corporate client cannot access personal / local resources (i.e. home printer)
No RRM, wIPS, Rogue Detection, Location, Guest Services
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 117
Interfaces
4 Additional Ethernet ports
–Dedicated Ethernet port for corporate-bound device
–Remaining 3-ports are for personal use
USB port is disabled initially
Cradle for vertical placement
On/Off Switch
No PoE support
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 118
Cisco 600 Series OEAP (ports)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 119
Simplified Provisioning
Setting existing APs into OEAP mode requires multiple reboots
OEAP 600 will be preset into OEAP mode during manufacturing
IT first sets MAC addresses of the allowed OEAP 600 into controller
Employees takes unopened OEAP home and connects a computer into Ethernet port. Splash screen prompts user to enter controller IP address
OEAP 600 is then provisioned automatically
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 120
Sample screen shots - login
Default DHCP scope of the OEAP is 10.0.0.X, so browse to
https://10.0.0.1 to get the admin page of OEAP on port 1,2,3
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 121
Configuration - System This is where you can configure and choose Radio interface
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 122
Configuration – DMZ Controller Information
Home Users
enter IP address
of the DMZ
OEAP
Controller
This is where the customer will enter the IP address of Corporate
Controller
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 123
Home Office Design - Cisco Virtual Office Express Architecture
Simplified Head-End VPN
Head-EndCisco ISR (2800/3800) or
Cisco 7206 VXR with VSA or
WLC
SOHOCisco 800 or 1800
Spoke Routers
Corporate
Network
Simplified Head-End VPN Design
Cisco Enhanced Easy VPN with advanced QoSintegration provides secure transport, facilitating voice and video applications (with option of per SA QoS)
Multiple options for head-end to allow for large concentration of site and with high throughput
Remote site presence: Cisco 870, 880, 890 or 1800 Series ISR and Cisco Unified IP Phones 7900 Series.
Head-end presence: 2800, 3800, 7200, or ASR series
Headend (Optional): Wireless LAN Controller, WCS, Configuration Engine
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 124
Recommended ProductsSmall/Medium Branch
Cisco Unified Wireless Network (H-REAP)
Remote site: Aironet 1130,1140,1240,1250 Series Access Point; Integrated AP on 880 or 890, ASA 5505
Headend: 5500 Series WLAN Controller or Cisco Catalyst 6500 Series Series Wireless Services Module (WiSM)
Cisco Wireless Control System (WCS)
Cisco Integrated ISR
Integrated AP on 800 & 1800 ISRs
Aironet AP and standalone controller options (2100/5500)
Cisco Wireless Control System (WCS)
SOHO/Premier Teleworker
Cisco OfficeExtend Solution
5500 Series Wireless LAN Controller
Aironet 1130 or 1140 Series Access Point
CVO Express
Remote site: Cisco 870*, 880, 890 or 1800 Series ISR; Cisco Unified IP Phones 7900 Series
Headend: Cisco 2800, 3800, 7200, or ASR Series;
Headend (Optional): Wireless LAN Controller, WCS, Configuration Engine
*autonomous only
Medium/Large Branch
Cisco Integrated ISR
Wireless Controller Module for Cisco 2800/3800 ISR
Aironet AP and standalone controller options (5500)
Cisco Wireless Control System (WCS)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 125
Controller-based Architecture Overview
LWAPP & CAPWAP
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Where to place a controller ?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 126
Single Building – Distribution/Core
WLC in distribution/core
Most of the time : L2 Roaming
WLCSiSi SiSi
WLC
L2
CAPWAP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 127
WLCWLC
Wireless Building Block
SiSi SiSi
L2
Campus – Centralised WLCOverview
Centralised WLC
Concept of Wireless Building Block
No Wireless VLANseverywhere
Better performance with L2 Mobility
Recommended design
L3
SiSi SiSi SiSi SiSi
CAPWAP
L3L3Building 1 Building 2
Core
SiSi SiSi
Data Centre
SiSi
SiSi
CAPWAP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 128
WLCWLC
Wireless Building Block
SiSi SiSi
L2
Campus – Centralised WLCHigh Availability
Easy HA strategies
AP HA at WLC Level (no individual AP HA configuration)
Depending on Network size :
– N+N Strategy
– N+1 Strategy
L3
SiSi SiSi SiSi SiSi
L3L3Building 1 Building 2
Core
SiSi SiSi
Data Centre
SiSi
SiSi
CAPWAP CAPWAP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 129
Campus – Centralised WLCPro / Cons
Pro
–Cisco Recommended Design for a Campus
–Better performance with L2 Mobility
–Simple High Availability Strategies (WLC Level)
–Wireless ―Insertion point‖ to the wired network clearly identified in the ―Wireless Building Block‖
–Easier control (ACL, QoS, …) and easier to add advanced ―access control‖ like Firewall, NAC OOB, IDS/IPS, NAM, …
Cons
–All wireless traffic centralised to a single point (hub-and-spoke design)
–Might be price sensitive for small campus
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 130
Campus – Distributed WLCOverview
Distributed WLC or WiSM
Each building as its own WLC
Each building can have its own Mobility group
Wireless insertion at distribution layer
Several distributed Wireless VLANsacross the Campus
WLCWLC
L3
SiSi SiSi
SiSi SiSiSiSi SiSi
Core
L3L3
Data Centre
SiSi
SiSi
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 131
Campus – Distributed WLCHigh Availability
N+1 HA Strategy
Wireless Users in failover situation are in different VLAN/Subnet
Better to have only one WLC per building to limit L3 roaming and failover at the same time (see after)
WLCWLC
L3
SiSi SiSi
SiSi SiSiSiSi SiSi
Core
L3L3
Data Centre
SiSi
SiSi
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 132
Campus – Distributed WLCPros / Cons
Pros
–No need for a wireless building block (cost ?)
–No LWAPP traffic in core network in normal operation
Cons
–If radio continuity between buildings, all WLC need to be in a single mobility group
–L3 roaming inside the building (less performance versus L2 roaming)
–Control features (ACL, FW, NAC, …) need to be distributed in each building
–More complex Failover strategies, more complex to troubleshoot
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 133
Cisco Unified Wireless NetworkFlexible, Resilient, Scalable Architecture
Access
Network
Distribution
Network
Teleworker/S
OHO
OfficeExtend AP
Branch OfficeUnified WLC Options:
5508, 440x, 210x
3750G Unified WLC
WLCM Module
Hybrid REAP
Standalone AP
DMZ Guest Controller
440x, 5508 WLC
Network Core or Data Centre
Centralised WLC Design440x, 5508 WLC, WiSM Unified WLC
Distributed WLC Design
440x, 5508 WLC,
WiSM Unified WLC
Highly Distributed Design
3750G Unified WLC
Enterprise Hybrid REAP
Data Centre
Internet
Internet
Unified
Outdoor/Indoor
Access
Unified Management: Wireless Control System
Services Platform: Mobility Services Engine
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 134
Documentation
Deploying Cisco 440X Series Wireless LAN Controllers–http://www.cisco.com/en/US/docs/wireless/technology/controller/deployment/guide/dep.html
Configuring a Cisco Wireless Services Module (WiSM) and Wireless Control System (WCS)
–http://www.cisco.com/en/US/docs/wireless/technology/wism/technical/reference/appnote.html
Wireless, LAN (WLAN) Configuration Examples and TechNotes
–http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
H-REAP Deployment Guide–<http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml>
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 135
Q & A
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 136
Complete Your Online Session Evaluation
Complete your session evaluation:
Directly from your mobile device by visiting www.ciscoliveaustralia.com/mobile and login by entering your badge ID (located on the front of your badge)
Visit one of the Cisco Live internet stations located throughout the venue
Open a browser on your own computer to access the Cisco Live onsite portal
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 137
Meet the Engineer
To make the most of your time at Networkers at Cisco Live 2010, schedule a Face-to-Face Meeting with a top Cisco Engineer.
Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth ofvaluable insights and ideas.
Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 138
BRKEWN-2018 Recommended Reading
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 140
HREAP MatrixWAN Up (Central
switching)
WAN Up
(Local switching)
WAN Down (Standalone)
Open/Static WEP Yes Yes Yes
WPA-PSK Yes Yes Yes
802.1x (WPA/WPA2) Yes Yes Yes
MAC Authentication Yes Yes No
CCKM Fast Roaming Yes Yes Yes for connected clients.
No for new clients.
PMK Fast
Roaming/OKC/PKC
No No No
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 141
HREAP Matrix
WAN Up (Central
switching)
WAN Up (Local
switching)
WAN Down (Standalone)
Data DTLS Yes N/A N/A
Local EAP On HREAP No No Yes
(LEAP/EAP-FAST)
Backup Radius No No Yes
MIC/SSC Yes Yes N/A
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 142
HREAP Matrix
WAN Up (Central
Switching)
WAN Up (Local
switching)
WAN Down (Standalone)
Internal Webauth Yes Yes No
External Webauth Yes No No
CleanAir (SI on 3500) Yes Yes No
Syslog Yes Yes Yes
WGB Support No No No
AP Group VLANs Yes N/A N/A
DFS/802.11h Yes Yes Yes
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 143
Cisco Aironet Access Point PortfolioBusiness Mobility Rich MediaRich MediaBusiness
ReadyMission Critical
1040 1140 1240 1250 1260 3500i 3500e
CleanAir ASIC No No No No No Yes Yes
Data Uplink (Mbps) 10/100/1000 10/100/1000 10/100 10/100/1000 10/100/1000 10/100/1000 10/100/1000
Power 802.3af 802.3af 802.3afePoE
802.3af*802.3af 802.3af 802.3af
Installation Carpeted Carpeted Rugged Rugged Rugged Carpeted Rugged
Temp Rangein Celsius
0 to 40° 0 to 40° -20 to 55° -20 to 55° -20 to 55° 0 to 40° -20 to 55°
Antennas Internal Internal External External External Internal External
Wi-Fi standards a/b/g/n a/b/g/n a/b/g a/b/g/n a/b/g/n a/b/g/n a/b/g/n
DRAM 128 MB 128 MB 32 MB 64 MB 128 MB 128 MB 128 MB
Flash 32 MB 32 MB 16 MB 32 MB 32 MB 32 MB 32 MB
DFS (pulse detection) .08 µs .08 µs .05 µs .08 µs .08 µs .05 µs .05 µs
Ltd. Lifetime Warranty Yes Yes No Yes Yes Yes Yes
•802.3af fully powers single radio AP1250 or provides 1x3 performance on a dual radio 1250