BRKEWN-2010 - Design and Deployment of Enterprise WLANs

Date post: 19-Feb-2018
Upload: elvis-gonzales

Transcript
  • 7/23/2019 BRKEWN-2010 - Design and Deployment of Enterprise WLANs

    1/107

    2011 Cisco and/or its affiliates. All rights reserved. 2012 Cisco and/or its affiliates. All rights reserved.

    Design and Deployment of Enterprise WLANs

    Isaac Estrada, Network Consulting Engineer WWWP

    Advanced Services

    September 12, 2013

    San José, Costa Rica

    2/107

    If you fail to Plan, you Plan to fail.

    3/107

    Agenda

    Wireless RF Design Overview

    Controller-Based Architecture Overview

    Mobility in the Cisco Unified WLAN Architecture

    Architecture Building Blocks

    Deploying the Cisco Unified Wireless Architecture

    4/107

    Wireless RF Design

    Is a Site Survey even Needed?

    An RF site survey is the first step in the deployment of a wireless network, and it is the most important step to ensure desired operation.

    5/107

    WLAN Requirements

    WLAN Applications:

    Data (Email, Databases, Web, etc)

    VoWLAN

    Streaming video

    Location Based Services

    Security, QoS, WMM, etc

    WLAN Client Types: Laptops, Smartphones, Tablets / Handhelds

    Protocol Requirements

    802.11b/g 2.4 GHz

    802.11a 5 GHz

    802.11n (2.4/5 GHz)

    Protocol Pros and Cons

    Business requirements

    6/107

    WLAN Requirements

    Coverage and Capacity Requirements

    RF Coverage Information: RF coverage inside and outside

    Identify and select RF coverage areas

    User Density

    Current and Future Wireless users and devices

    Identify and classify correctly density areas (Cubicles, Auditoriums, conference room, etc)

    Mobile vs. Mobility

    Expected Throughput:

    802.11b is typically 5.5 Mb/s

    802.11g is typically 20 Mb/s

    802.11g is typically 6 Mb/s with 802.11b clients present

    802.11a is typically 22 Mb/s

    802.11n expected (>100 Mb/s)

    7/107

    Pre Site Survey Analysis (Active)

    Conducting a Spectrum Analysis

    Conducting Active Site Surveys

    8/107

    Using the right Access Points and Antennas

    AIR-CAP3502E-x-K9: Cisco Aironet 3500 Series Access Point

    AIR-CAP3502I-x-K9: Cisco Aironet 3500 Series Access Point

    AIR-CAP3602E-x-K9: Cisco Aironet 3500 Series Access Point

    9/107

    Post Site Survey Analysis (Passive)

    WLAN Performance Analysis

    Conducting Passive Site Surveys

    10/107

    Controller-Based Architecture Overview

    11/107

    Agenda: Cisco Unified Wireless Principles

    Components

    Wireless LAN Controller

    Aironet Access points

    Management (Prime Infrastructure)

    Mobility Service Engine (MSE)

    Principles

    AP must have CAPWAP connectivity with WLC

    Configuration downloaded to AP by WLC

    All Wi-Fi traffic is forwarded to the WLC

    (Figure: Cisco AP, Cisco PI, MSE, Campus Network)

    12/107

    Centralized Wireless LAN Architecture

    What is CAPWAP?

    CAPWAP: Control and Provisioning of Wireless Access Points is used between the AP and the WLAN controller and is based on LWAPP

    CAPWAP carries control and data traffic between the two

    Control plane is DTLS encrypted

    Data plane is DTLS encrypted (optional)

    LWAPP-enabled access points can discover and join a CAPWAP controller; conversion to a CAPWAP controller is seamless

    (Figure: Access Point, CAPWAP Controller and Wi-Fi Client, with the Control Plane and Data Plane running between the Access Point and the controller)

    13/107

    CAPWAP State Machine

    (Figure: states AP Boots Up, Discovery, DTLS Setup, Join, Image Data, Config, Reset)

    14/107

    AP Controller Discovery

    Controller Discovery Order

    Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs)

    Broadcast message sent to discover controller on a local subnet

    Layer 3 join process on CAPWAP APs, and on LWAPP APs if Layer 2 fails:

    Previously learned or primed controllers

    Subnet broadcast

    DHCP option 43

    DNS lookup

    15/107

    Efficient CAPWAP Operation

    Best Practices

    Define the Wireless Access Point Device DHCP Scopes

    Default router IP Address for Access Point scope

    Helper address (forwarding UDP 5246 to the WLC's management interface)

    Domain name

    Appropriate DHCP Lease timer for APs

    Pool sizes for WLAN devices in accordance with the different types of sites

    If NAT is used, static 1-to-1 NAT to an outside address is recommended

    16/107

    Mobility in the Cisco Unified WLAN Architecture

    17/107

    Mobility Defined

    Mobility is a key reason for wireless networks

    Mobility means the end-user device is capable of moving location within the networked environment

    Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it is mobile

    Mobility presents new challenges:

    Need to scale the architecture to support client roaming; roams occur intra-controller and inter-controller

    Need to support client roaming that is seamless (fast) and preserves security

    18/107

    Scaling the Architecture with Mobility Groups

    Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries

    APs learn the IPs of the other members of the mobility group after the CAPWAP Join process

    Support for up to 24 controllers, 24000 APs per mobility group

    Mobility messages exchanged between controllers

    Data tunneled between controllers in EtherIP (RFC 3378), an Ethernet in IP Tunnel

    Controller-C, MAC: AA:AA:AA:AA:AA:03, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)

    Controller-A, MAC: AA:AA:AA:AA:AA:01, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)

    Controller-B, MAC: AA:AA:AA:AA:AA:02, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)
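The three-controller figure above shows what every member of a mobility group has to agree on: the same group name, and each peer's MAC listed correctly. As an added example (not from the Cisco deck), the check below validates a group definition before it is pushed to the controllers and enforces the 24-controller limit stated on the slide. The dictionary layout is an assumption; the sample data is the figure's own Controller-A/B/C entries.

```python
# Added example (not from the Cisco slides): pre-deployment consistency check
# for a mobility group definition. Data layout is assumed for this example.
MAX_CONTROLLERS_PER_GROUP = 24   # limit stated on the slide


def check_mobility_group(controllers):
    """Validate a mobility group definition.

    controllers: {name: {"mac": str, "group": str, "neighbors": {name: mac}}}
    Returns a list of human-readable problems; an empty list means every
    member carries the same group name and lists every other member with the
    right MAC, which is what the controllers need in order to peer."""
    problems = []
    if len(controllers) > MAX_CONTROLLERS_PER_GROUP:
        problems.append(f"{len(controllers)} controllers exceed the limit of "
                        f"{MAX_CONTROLLERS_PER_GROUP} per mobility group")

    group_names = {c["group"] for c in controllers.values()}
    if len(group_names) > 1:
        problems.append(f"mobility group names differ: {sorted(group_names)}")

    owner_of = {}                      # MAC -> controller name, to catch duplicates
    for name, c in controllers.items():
        mac = c["mac"].upper()
        if mac in owner_of:
            problems.append(f"duplicate MAC {mac} on {owner_of[mac]} and {name}")
        owner_of[mac] = name

    for name, c in controllers.items():
        expected = {n: controllers[n]["mac"].upper() for n in controllers if n != name}
        listed = {n: m.upper() for n, m in c["neighbors"].items()}
        for peer, mac in expected.items():
            if peer not in listed:
                problems.append(f"{name} does not list neighbor {peer}")
            elif listed[peer] != mac:
                problems.append(f"{name} lists {peer} as {listed[peer]}, expected {mac}")
        for peer in listed:
            if peer not in expected:
                problems.append(f"{name} lists {peer}, which is not a group member")
    return problems


# The three controllers from the slide's figure.
SLIDE_GROUP = {
    "Controller-A": {"mac": "AA:AA:AA:AA:AA:01", "group": "MyMobilityGroup",
                     "neighbors": {"Controller-B": "AA:AA:AA:AA:AA:02",
                                   "Controller-C": "AA:AA:AA:AA:AA:03"}},
    "Controller-B": {"mac": "AA:AA:AA:AA:AA:02", "group": "MyMobilityGroup",
                     "neighbors": {"Controller-A": "AA:AA:AA:AA:AA:01",
                                   "Controller-C": "AA:AA:AA:AA:AA:03"}},
    "Controller-C": {"mac": "AA:AA:AA:AA:AA:03", "group": "MyMobilityGroup",
                     "neighbors": {"Controller-A": "AA:AA:AA:AA:AA:01",
                                   "Controller-B": "AA:AA:AA:AA:AA:02"}},
}


def with_typo(controllers):
    """Constructed negative case: Controller-B with a misspelt group name and
    Controller-C missing from its neighbor list."""
    broken = {n: {**c, "neighbors": dict(c["neighbors"])} for n, c in controllers.items()}
    broken["Controller-B"]["group"] = "MyMobilityGro"
    del broken["Controller-B"]["neighbors"]["Controller-C"]
    return broken


if __name__ == "__main__":
    print(check_mobility_group(SLIDE_GROUP))            # []
    for p in check_mobility_group(with_typo(SLIDE_GROUP)):
        print("-", p)
```

A member whose group name or MAC does not match what its peers have configured will not exchange mobility messages with them, so a roam that crosses to that controller falls back to a full re-authentication rather than the seamless path the slide describes; catching it in a definition like this is cheaper than finding it from client complaints.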

    19/107

    Scaling the Architecture with Mobility Groups

    (Figure: one WLC network mobility group; 24 WLCs in a Mobility Group; several Mobility Groups combined into a 72-WLC Mobility Domain)

    With Inter Release Controller Mobility (IRCM) roaming is supported between 7.3, 7.4 and 7.5

    20/107

    How Long Does a Client Roam Take?

    Time it takes for:

    Client to disassociate +

    Probe for and select a new AP +

    802.11 Association +

    802.1X/EAP Authentication +

    Rekeying +

    IP address (re)acquisition

    All this can be on the order of seconds. Can we make this faster?

    21/107

    Roaming Requirements

    Roaming must be fast. Latency can be introduced by:

    Client channel scanning and AP selection algorithms

    Re-authentication of client device and re-keying

    Refreshing of IP address

    Roaming must maintain security

    Open auth, static WEP: session continues on new AP

    WPA/WPAv2 Personal: new session key for encryption derived via standard…

    802.1x, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and a new session key derived for encryption

    22/107

    Layer 2 Roaming: Inter-Controller

    (Figure: WLC-1 and WLC-2, each with its own client database; client data (MAC, IP, QoS, Security) is passed via Mobility Message Exchange; both bridge VLAN X; the roaming data path after the client roams to a different AP)

    23/107

    Layer 3 Roaming: Inter-Controller

    (Figure: WLC-1 on VLAN X and WLC-2 on VLAN Z, each with its own client database holding the client data (MAC, IP, QoS, Security); Mobility Message Exchange between them; the pre-roaming data path; after the client roams to a different AP, a Foreign-to-Anchor Controller Data Tunnel)

    24/107

    Roaming: Inter-Controller Layer 3

    L3 inter-controller roam: STA moves association between APs joined to different controllers, but client traffic is bridged onto different subnets

    Client must be re-authenticated and new security session established

    Client database entry copied to new controller; entry exists in both WLC client databases

    Original controller tagged as the anchor, new controller tagged as the foreign

    WLCs must be in same mobility group or domain

    No IP address refresh needed

    Symmetric traffic path established; the asymmetric option has been eliminated as of release…

    Account for mobility message exchange in network design

    25/107

    How Are We Going to Make Roaming Fast?

    Eliminating the IP address (re)acquisition challenge

    Eliminating full 802.1X/EAP reauthentication

    26/107

    Fast Secure Roaming: Standard Wi-Fi Secure Roaming

    Note: Mechanism Is Needed to Centralize Key Distribution

    802.1X authentication in wireless: end-to-end transactions with a time of > 500 ms

    802.1X authentication in wireless requires the roaming client to reauthenticate, adding 500+ ms to the roam

    (Figure: Cisco AAA Server (ACS or ISE) reached across the WAN from AP1 and AP2; 1. 802.1X Initial Authentication Transaction; 2. 802.1X Reauthentication After Roaming)

    27/107

    Cisco Centralized Key Management (CCKM)

    Cisco introduced CCKM in CCXv2, so it is widely available, especially with application specific devices (ASDs)

    CCKM ported to CUWN architecture in 3.2 release

    In highly controlled test environments, CCKM roam times consistently measured in the … msec range!

    CCKM is most widely implemented in ASDs, especially VoWLAN devices

    To work across WLCs, WLCs must be in the same mobility group

    CCX-based laptops may not fully support CCKM; depends on supplicant capabilities

    CCKM is standardized in 802.11r, Apple iOS 6.0

    28/107

    IEEE 802.11r Introduction

    IEEE Standard for Fast Transition (FT)

    Introduces a new concept of roaming where the handshake with the new AP is done before the client roams to the target AP.

    The initial handshake allows the client and APs to do PTK calculation in advance, reducing roaming time.

    The pre-created PTK keys are applied to the client and AP once the client does the association request / response exchange with the new target AP.

    802.11r provides 2 ways of roaming: Over-the-Air and Over-the-DS (Distribution System)

    The FT (Fast Transition) key hierarchy is designed to allow the client to make transitions between APs without the need to re-authenticate at every AP.

    WLAN configuration will have a new AKM type called FT (Fast Transition)

    29/107

    802.11r Fast Transition (FT) WLAN Authentication Configuration

    Legacy clients may not associate with a WLAN that has 802.11r enabled along with 802.11i. If the driver or the supplicant that is responsible for parsing the Robust Security Network Information Element (RSN IE) is old and confused by the additional AKM (Authentication Key Management) suites advertised in the IE (IE 48), the driver will not attempt to start the association process.

    Due to this limitation, legacy clients cannot send association requests to WLANs with a FT PSK or FT 802.1x configuration. These legacy clients, however, can still associate with non-802.11r WLANs.

    Therefore the recommendation is to have a new unique WLAN, with unique SSIDs, for the additional 802.11r FT WPA clients, and an additional WLAN for the 802.11r FT 802.1x clients.

    (Side note truncated in the source: "An iPhone… Authentica… both of the… because o… is NOT rec… A non-6.0… associate…")

    30/107

    Multiple WLANs for Multiple Auth Types, Each with a Unique SSID

    802.1x & 802.1x FT WLANs with unique SSIDs; PSK & PSK FT WLANs with unique SSIDs

    31/107

    Designing a Mobility Group/Domain: Design Considerations

    Less roaming is better: clients and apps are happier

    While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management processor

    L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider worst case scenarios in designing roaming

    Leverage natural roaming domain boundaries

    Mobility Message transport selection: multicast vs. unicast

    Make sure the right ports and protocols are allowed

    32/107

    Architecture Building Blocks

    33/107

    CUWN Release - Key Controller Features

    (Figure: Unified Access WLAN Infrastructure software release roadmap; 7.2MR1 May 2012, 7.3 Sep 2012, 7.4 Dec 2012. Features shown on the timeline:)

    WLC 8500, target customer SP

    802.11r L2 Fast Roaming

    ISE - Flex integration; Flex / Local Mode parity with ISE

    Outdoor AP Internal Antenna

    AP 2600 802.11n G2

    AP 1600 802.11n G2

    Controller Resiliency - AP SSO; HA Licensing

    Scale Flex7500 6K APs

    Virtual Controller

    AP3600 Security Module

    FlexConnect Split Tunneling

    802.11r Flex Modes

    Bi-directional rate-limiting

    Voice/Video: 11n CAC

    Local and FlexConnect support on RAP

    Outdoor AP Honeywell integration

    Outdoor AP Uni Band Antenna

    Application visibility and control (AVC)

    Bonjour Services Directory Phase 1

    AP neighbor list (Subset of 802.11k)

    Scale WLC 2500

    Guest Anchor on WLC 2500

    LAG on Flex7500, WLC 8500, WLC 2500

    HA Licensing, N:1

    PMIPv6 on WLC

    802.11w (local mode) Protected Mgmt Frame

    34/107

    Controller Product Portfolio

    (Figure: controllers plotted by scale (# of clients, APs) against features/performance; multi-architecture support)

    SRE WLCM: 250 APs, 500 Clients

    2500: 50 APs, 500 Clients

    5500: 500 APs, 7000 Clients

    WiSM2: 1000 APs, 15000 Clients

    Flex7500: 3000 APs, 30000 Clients

    Flex7500 (New, 7.3): 6000 APs, 64000 Clients

    8500 (New, 7.3): 6000 APs, 64000 Clients

    Virtual Controller (New, 7.3): 200 APs, 3000 Clients

    35/107

    Cisco Aironet Access Points

    (Figure: AP portfolio positioned from Entry Level (Basic Connectivity, Deployment Flexibility) through Sm/Med and Sm/Med/Large (Enterprise Class Performance, Video/Voice/Multi-Media, Any Device/BYOD Optimised, Client Scalability, RF Interference Mitigation) to the high end; segments Enterprise Class, Mission Critical, Teleworker; "New Q2FY13" marks the newest model)

    36/107

    Cisco Aironet 802.11n Indoor Access Points

    AP Model (availability)          3600 Series              2600 Series        1600 Series (Q4)
    Max Data Rate                    1.3 Gbps                 450 Mbps           300 Mbps
    Radio Design (MIMO: Spatial      .11n: 4x4:3              3x4:3              3x3:2
      Streams)                       .11ac: 3x3:3
    ClientLink                       ClientLink 2.0           ClientLink 2.0     ClientLink 2.0
    Power                            802.3af                  802.3af            802.3af
    Wi-Fi Standards                  802.11 a/b/g/n/ac        802.11 a/b/g/n     802.11 a/b/g/n

    Feature rows whose per-model support marks did not survive the transcript: CleanAir *, BandSelect, VideoStream, Rogue AP Detection, Adaptive wIPS, OfficeExtend, FlexConnect, Wireless Mesh, Autonomous

    37/107

    Which Version Should I Use? 6.0, 7.0, 7.2, 7.3

    WLC 5508 supports 6.0, 7.0 and 7.2 & …

    WLC7500, WiSM-2 and WLC2504 only supported in 7.0 onwards

    7.0.220 is the latest MD (AssureWave Ribbon)

    Please note the current revision of 7.0 is 7.0.235.3, which is the recommended release for you today

    AP3660+11ac (7.5), AP1600 (7.4), AP2…, AP 3600 (7.2)

    38/107

    Deploying the Cisco Unified Wireless Architecture

    39/107

    Deploying the Cisco Unified Wireless Architecture

    Client Profiling

    High Availability

    Understanding AP Groups / RF Groups

    Application Visibility

    Branch Office Designs

    Guest Access Deployment

    Home Office Design


    41/107

    Client Profiling

    ISE offers a rich set of BYOD features: e.g. device identification, onboarding, posture and policy

    Customers who do not deploy ISE but still require some of these features get them directly in the WLC:

    Native profiling, identifying network end devices based on the protocols HTTP, DHCP

    Device-based policy enforcement per user or per device policy on the network.

    Statistics based on per user or per device end points and policies applicable per device.

    42/107

    Client Profiling on WLC

    WLC-based local policy consists of 2 separate elements.

    Profiling can be based on:

    Role - defining user type or the user group the user belongs to.

    Device type e.g. Windows, OS_X, iPad, iPhone, Android, etc.

    EAP Type - check what EAP method the client is getting connected with

    Action is policy that can be enforced after profiling:

    VLAN - override WLAN interface with VLAN id on WLC

    QoS level - override WLAN QoS

    ACL - override with named ACL

    Session timeout - override WLAN session timeout value

    Time of day - policy override based on time of the day, else default

    7.5 release contains 88 pre-existing profiles:

    43/107

    Configuring Client Profiles

    Client profiling uses pre-existing profiles in the controller

    Custom profiles are not supported in this release

    Wireless clients are profiled based on the MAC OUI, DHCP, HTTP; DHCP is required for DHCP profiling, Webauth for HTTP user agent

    7.5 release contains 88 pre-existing profiles:

    (Cisco Controller) >show profiling policy summary

    Number of Built-in Classification Profiles: 88

    ID   Name                                             Parent Min CM Valid
    ==== ================================================ ====== ====== =====
    0    Android                                          None
    1    Apple-Device                                     None
    2    Apple-MacBook                                    1
    3    Apple-iPad                                       1
    4    Apple-iPhone                                     1
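To make the two elements concrete (the parent/child profile tree from the `show profiling policy summary` output above, and the local-policy actions listed on the previous slide), here is an added example that is not from the Cisco deck. The profile names and parents come from the table; the OUI, DHCP-hostname and HTTP user-agent signatures, the priority-ordered first-match evaluation, and the hour-based time-of-day window are assumptions made for illustration. The sample MACs are taken from this deck's `show client summary devicetype` output.

```python
# Added example (not from the Cisco slides): toy model of WLC client profiling
# (profile tree with parents, refined by OUI / DHCP / HTTP evidence) and of the
# local policy that turns a profile into VLAN / QoS / ACL / timeout overrides.
# Signatures, evaluation order and window format are assumptions.
import re

# Built-in profiles from the slide table: id -> (name, parent id)
PROFILES = {
    0: ("Android", None),
    1: ("Apple-Device", None),
    2: ("Apple-MacBook", 1),
    3: ("Apple-iPad", 1),
    4: ("Apple-iPhone", 1),
}
PROFILE_ID = {name: pid for pid, (name, _) in PROFILES.items()}

# Constructed signatures (illustrative, not Cisco's real classification rules)
OUI_HINTS = {"14:10:9f": "Apple-Device", "d8:d1:cb": "Apple-Device"}
DHCP_HINTS = {"iphone": "Apple-iPhone", "ipad": "Apple-iPad",
              "macbook": "Apple-MacBook", "android": "Android"}
UA_HINTS = [(re.compile(r"iPhone"), "Apple-iPhone"),
            (re.compile(r"iPad"), "Apple-iPad"),
            (re.compile(r"Macintosh"), "Apple-MacBook"),
            (re.compile(r"Android"), "Android")]


def is_descendant(child, ancestor):
    """True if profile `child` is `ancestor` or sits below it in the tree."""
    pid = PROFILE_ID[child]
    while pid is not None:
        if PROFILES[pid][0] == ancestor:
            return True
        pid = PROFILES[pid][1]
    return False


def profile_client(mac, dhcp_hostname=None, http_user_agent=None):
    """Most specific profile the evidence supports.

    The MAC OUI yields a coarse parent profile. DHCP (only seen when DHCP
    Required is on) and the HTTP user agent (only seen with web auth) may
    refine it to a child profile; a hint that contradicts the OUI is ignored
    rather than trusted, since both DHCP and user agent are client-supplied."""
    best = OUI_HINTS.get(mac.lower()[:8])
    hints = []
    if dhcp_hostname:
        hints += [p for k, p in DHCP_HINTS.items() if k in dhcp_hostname.lower()]
    if http_user_agent:
        hints += [p for rx, p in UA_HINTS if rx.search(http_user_agent)]
    for hint in hints:
        if best is None or is_descendant(hint, best):
            best = hint
    return best or "Unknown"


# WLAN-level values that apply unless a policy overrides them (constructed).
WLAN_DEFAULTS = {"vlan": "wlan-interface", "qos": "wlan-qos",
                 "acl": None, "session_timeout": 1800}


def evaluate_local_policy(policies, role, device_type, eap_type, hour):
    """Return the effective overrides for a client.

    Policies are tried in list order and the first whose match conditions all
    hold wins (assumed order). A policy with an "active" (start, end) hour
    window is skipped outside that window, so a later policy or the WLAN
    defaults apply instead, as the slide's "else default" describes."""
    for pol in policies:
        m = pol.get("match", {})
        if "role" in m and m["role"] != role:
            continue
        if "device_type" in m and (device_type not in PROFILE_ID
                                   or not is_descendant(device_type, m["device_type"])):
            continue
        if "eap_type" in m and m["eap_type"] != eap_type:
            continue
        window = pol.get("active")
        if window and not (window[0] <= hour < window[1]):
            continue
        return {**WLAN_DEFAULTS, **pol["action"]}
    return dict(WLAN_DEFAULTS)


# Constructed policy set: employee Apple devices on PEAP get VLAN 20 and
# silver QoS during the day; any other employee session gets a restricted ACL.
SAMPLE_POLICIES = [
    {"name": "employee-apple-daytime",
     "match": {"role": "employee", "device_type": "Apple-Device", "eap_type": "PEAP"},
     "active": (8, 18),
     "action": {"vlan": 20, "qos": "silver"}},
    {"name": "employee-byod-fallback",
     "match": {"role": "employee"},
     "action": {"acl": "byod-restricted", "session_timeout": 3600}},
]

if __name__ == "__main__":
    dev = profile_client("d8:d1:cb:9a:28:f8", dhcp_hostname="Johns-iPhone")
    print(dev, evaluate_local_policy(SAMPLE_POLICIES, "employee", dev, "PEAP", 10))
    print(dev, evaluate_local_policy(SAMPLE_POLICIES, "employee", dev, "PEAP", 23))
```

The matching against a parent profile (`Apple-Device`) is what lets one policy cover iPhone, iPad and MacBook at once, and the refusal to downgrade a profile on a conflicting client-supplied hint is the part to keep in mind when a VLAN or ACL decision hangs on the device type.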

    44/107

    Local Client Profiling Configuration

    At the WLAN level, enable Local Client Profiling (DHCP and HTTP); DHCP required is checked automatically when selecting DHCP profiling

    config wlan profiling {local | radius} {dhcp | http | all}

    (Cisco Controller) >config wlan profiling local all enable 1

    45/107

    Client Profiles

    When profiling is enabled, a client Device Type can be shown on the WLC

    ... ...

    (Cisco Controller) >show client summary devicetype

    Number of Clients................................ 3

    MAC Address        AP Name           Status         Device Type
    -----------------  ----------------  -------------  --------------------------------
    14:10:9f:ea:b8:c2  AP3600MM          Associated     OS_X-Workstation
    c8:d7:19:34:7e:dd  AP3600MM          Associated     Windows7-Workstation
    d8:d1:cb:9a:28:f8  AP3600MM          Associated     Apple-iPhone

    46/107

    Security Local Policies

    47/107

    Deploying the Cisco Unified Wireless Architecture

    Client Profiling

    High Availability

    Understanding AP Groups / R F Groups

    Application Visibility

    Bonjour Gateway

    IPv6 Deployment with Controllers

    Branch Office Designs

    Guest Access Deployment

    Home Office Design

    48/107

    Controller Redundancy: High Availability

    Controller Redundancy, Most Common (N+1)

    Redundant WLC in a geographically separate location

    Layer-3 connectivity between the AP connected to the primary WLC and the redundant WLC

    Redundant WLC need not be part of the same mobility group

    Configure high availability (HA) to detect failure and faster failover

    Use AP priority in case of over-subscription of the redundant WLC

    (Figure: WLAN-Controller-1, WLAN-Controller-2 … WLAN-Controller-n, each backed by WLAN-Controller-BKP in the NOC or Data Centre)

    49/107

    Controller Redundancy: High Availability

    High Availability Principles:

    AP is registered with a WLC and maintains a backup list of WLCs.

    AP uses heartbeats to validate WLC connectivity

    AP uses Primary Discovery messages to validate the backup WLC list

    When an AP loses 3 heartbeats it starts the join process to the first backup WLC candidate

    Candidate Backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.

    AP does not re-initiate the discovery process.

    (Figure: Primary WLC and Secondary WLC)

    New Timers:

    Heartbeat Timeout                 1-30 sec
    Fast Heartbeat Timer              1-10 sec
    AP Retransmit Interval            2-5 sec
    AP Retransmit with FH Enabled     3-8 Times
    AP Fallback to next WLC           12 sec
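The heartbeat and backup-list rules above can be simulated directly, which is a useful way to sanity-check a controller list before a maintenance window. This is an added example, not code from the Cisco deck: the three-lost-heartbeat trigger and the candidate order (primary, secondary, tertiary, global primary, global secondary; first alive one wins, no new discovery) come from the slide, while the `AccessPoint` class, the `alive()` probe standing in for the Primary Discovery response, and the controller names wlc-a, wlc-b and wlc-g are constructed.

```python
# Added example (not from the Cisco slides): AP-side failover simulation.
# Trigger and candidate order are from the slide; everything else is assumed.
MISSED_HEARTBEATS_BEFORE_FAILOVER = 3          # from the slide
CANDIDATE_ORDER = ("primary", "secondary", "tertiary",
                   "global_primary", "global_secondary")   # from the slide


def select_backup(backup_list, alive):
    """First alive controller in slide order, or None if the list is exhausted.

    backup_list maps each role in CANDIDATE_ORDER to a controller name or None;
    alive(name) stands in for the Primary Discovery response the AP uses to
    keep its backup list validated."""
    for role in CANDIDATE_ORDER:
        name = backup_list.get(role)
        if name is not None and alive(name):
            return name
    return None


class AccessPoint:
    def __init__(self, backup_list, alive):
        self.backup_list = backup_list
        self.alive = alive
        self.joined = backup_list.get("primary")
        self.missed = 0
        self.log = []

    def heartbeat(self, acknowledged):
        """Account for one heartbeat interval; returns the joined controller."""
        if acknowledged:
            self.missed = 0                  # any answer resets the counter
            return self.joined
        self.missed += 1
        if self.missed < MISSED_HEARTBEATS_BEFORE_FAILOVER:
            return self.joined
        self.log.append(f"{self.missed} heartbeats lost from {self.joined}")
        self.missed = 0
        self.joined = select_backup(self.backup_list, self.alive)
        if self.joined is None:
            self.log.append("no backup alive; behaviour beyond what the slide covers")
        else:
            # Per the slide the AP joins the candidate directly, no re-discovery.
            self.log.append(f"joining {self.joined} without re-discovery")
        return self.joined


def run_scenario(backup_list, alive_controllers, acks):
    """Drive one AP through a list of heartbeat results (True = acknowledged)
    and return the controller it ends up joined to."""
    ap = AccessPoint(backup_list, lambda name: name in alive_controllers)
    for ack in acks:
        ap.heartbeat(ack)
    return ap.joined


# Constructed backup list: no tertiary or global secondary configured.
SAMPLE_BACKUP_LIST = {"primary": "wlc-a", "secondary": "wlc-b", "tertiary": None,
                      "global_primary": "wlc-g", "global_secondary": None}

if __name__ == "__main__":
    ap = AccessPoint(SAMPLE_BACKUP_LIST, lambda n: n in {"wlc-b", "wlc-g"})
    for ack in (False, False, False):
        ap.heartbeat(ack)
    print(ap.joined, ap.log)          # wlc-b, with the two log lines
```

Two things the simulation makes visible: a single acknowledged heartbeat resets the counter, so intermittent loss never trips failover, and a backup list with gaps (no tertiary here) silently skips to the global entries, which is worth knowing when the global primary sits on the far side of a WAN.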

    50/107

    HA-SKU as secondary WLC (AP-SSO disabled)

    HA-SKU controller allowed for use as secondary controller for 90 days without…

    If the HA feature is disabled, the controller is used as secondary controller for the maximum supported APs.

    Note: HA-SKU; 5508 50 AP, WiSM2 100 AP, 7500/8500 300 AP will work as Standby

    This feature enables the HA-SKU controller as secondary controller

    (Figure: Primary Controller WiSM-2 #2, License Count: 500, APs connected: 500; Primary Controller 5508 #1, License Count: 100, APs connected: 90; Primary Controller 2500 #3, License Count: 75, APs connected: 25; Backup Controller WLC, Max AP supp…)

    51/107

    HA-SKU as secondary WLC - configuration

    52/107

    High Availability AP SSO support 7.3/7.4

    Model is 1:1 (Active : Hot-Standby)

    Supported on 5500 / 7500 / 8500 and WiSM-2

    Same hardware and software version

    Two new interfaces: Redundancy Port, Redundancy Management Interface

    Same management IP on Active and Standby

    Static & dynamic system configurations synced to standby.

    AP information synced to the standby; synced when the AP join state changes.

    AP CAPWAP re-join is avoided.

    Detection time: 5-996 msec

    3-4 seconds for management…

    Back-to-back Connectivity on Redundancy Port between the two WLCs

    Clients are de-authenticated to re-associate

    Effective service downtime = Detection time + Switch Over (Network recovery/convergence) + Client re-association time

    53/107

    Stateful HA with Client SSO

    Clients information is synced to the Standby

    Client information is synced when client moves to RUN state.

    Client re-association is avoided on switch over

    Fully authenticated clients (RUN state) are synced to the peer.

    The intermediate client state events are not synced

    Transient clients are dis-associated after switch over.

    Effective service downtime = Detection time + Switch Over Time (Network recovery/convergence)

    54/107

    HA Connectivity on 5500 / 7500 / 8500 WLC

    (Figure: Active and Hot Standby Flex 7500 / WLC 5500 pairs joined through RP 1 and RP 2, the Redundancy Port connectivity)

    5500/7500/8500 WLC have a dedicated Redundancy Port which is used to synch configuration from Active to Standby WLC

    Keepalives are sent on the RP port from Standby to Active WLC every 100 msec (default timer) to check the health of the Active WLC.

    ICMP packets are also sent every one second from each WLC to check reachability to the gateway using the Redundant Management interface.

    55/107

    High Availability Connectivity on WiSM-2

    WiSM-2 WLC have a dedicated Redundancy Vlan which is used to synch configuration from Active to Standby WLC

    Keepalives are sent on the Redundancy Vlan from Standby to Active WLC every 100 msec (default timer) to check the health of the Active WLC.

    To achieve HA between WiSM-2 WLCs it can be deployed in a single chassis OR can also be deployed between multiple chassis using VSS as well as by extending the Redundancy Vlan between two chassis.

    (Figure: Slot 8: Active, Slot 9: Hot Standby)

    56/107

    Web-GUI Configuration

    57/107

    CLI Configuration Commands

    configure interface address management
    configure interface address redundancy-management peer-redundancy-management
    configure redundancy unit [primary | secondary]
    configure redundancy mode [sso | disable]
    configure redundancy timer keep-alive-timer (default 100 milli-sec)
    configure redundancy timer peer-search-timer (default 120 sec)

    58/107

    Supported HA Topologies 7.5

    1. Two 5508, 7500 or 8500 connected via back-to-back RP port in the same data center
    2. Two 5508, 7500 or 8500 connected via RP port over L2 VLAN/fiber in the same or a different data center
    3. Two 5508, 7500 or 8500 connected to a VSS pair.
    4. Two WiSM-2 on the same chassis
    5. Two WiSM-2 on different chassis with redundancy VLAN extended over L2 network
    6. Two WiSM-2 on different chassis in VSS mode

    59/107

    WLC 5508/7500/8500 Back-to-back RP Connectivity

    Configuration on Primary:

    configure interface address … 9.5.56.2 255.255.255.0 …
    configure interface address redundancy-management … peer-redundancy-management …
    configure redundancy unit …
    configure redundancy mode …

    Configuration on Hot Standby:

    configure interface address … 9.5.56.3 255.255.255.0 …
    configure interface address redundancy-management … peer-redundancy-management …
    configure redundancy unit …
    configure redundancy mode …

    Management GW is monitored with 12 pings (~15 sec)


    WLC 5508/7500/8500 RP Connectivity via Switches

    RTT Latency: 80 ms or less (default); Bandwidth: 60 Mbps or more; MTU: 1500

    Configuration on Primary:

    configure interface address management 9.5.56.2 255.255.255.0

    configure interface address redundancy-management peer-redundancy-management

    configure redundancy unit primary

    configure redundancy mode sso

    Configuration on Hot Standby:

    configure interface address management 9.5.56.3 255.255.255.0

    configure interface address redundancy-management peer-redundancy-management

    configure redundancy unit secondary

    configure redundancy mode sso


    WiSM-2 connectivity over L2 Redundancy VLAN

    Configuration on Cat6k:

    wism service-vlan 192 (service VLAN)

    wism redundancy-vlan 169 (redundancy VLAN)

    wism module 6 controller 1 allowed-vlan


    WiSM-2 in a VSS Pair (figure)

    Switch-1 (VSS Active): Data Plane Active, Control Plane Active, FWSM Active, WiSM-2 Active

    Switch-2 (VSS Standby): Data Plane Active, Control Plane Standby, FWSM Standby, WiSM-2 Backup

    Virtual Switch System (VSS): VSL between the two switches, plus a Failover/State Sync VLAN


    WLC 5508/7500/8500 Connected to VSS (figure)

    Two Cisco 5508 WLCs (one Standby) attached to a Cisco Catalyst VSS Pair


    SSO Behavior and Recommendations

    5500 / 7500 / 8500: RP connectivity between Active and Standby via switches (7.5) or back-to-back (7.3, 7.4, 7.5)

    WiSM-2: single 6500 chassis, or different chassis using a VSS setup or by extending the redundancy VLAN

    RTT latency on the Redundancy Link: 80 milliseconds or less (80% of the keepalive timer)

    Preferred MTU on the Redundancy Link: 1500 or above

    Bandwidth on the Redundancy Link: 60 Mbps or more

    Recommended to have the Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks

    Keepalive/Peer Discovery timers should be left at their default values for better performance

    Default box failover detection time is 3 * 100 = 300 + 60 = 360 ms + jitter (12 msec) = ~400 ms
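    The redundancy-link limits and the failover arithmetic above are easy to get wrong when the keepalive timer is changed or the RP link is run through switches. The following is an added example (not Cisco code and not part of the session) that turns the stated limits into a pre-deployment check and replays keepalive arrivals the way the standby sees them. It assumes the "+60" term is a fixed processing allowance and that keepalives can be modelled as receive timestamps in milliseconds; the sample values are constructed.

```python
"""Pre-deployment check for a WLC SSO redundancy link.

Added example, not Cisco code.  It encodes the limits the session states
for the redundancy link (RTT <= 80 ms and <= 80% of the keepalive timer,
bandwidth >= 60 Mbps, MTU >= 1500, timers left at defaults) and the
failover-detection arithmetic (3 missed keepalives + 60 ms + ~12 ms jitter).
Assumptions: the "+60" term is treated as a fixed processing allowance and
keepalives are modelled as a list of receive timestamps in milliseconds.
"""
from dataclasses import dataclass
from typing import List, Optional

KEEPALIVE_DEFAULT_MS = 100   # configure redundancy timer keep-alive-timer
PEER_SEARCH_DEFAULT_S = 120  # configure redundancy timer peer-search-timer
MISSED_KEEPALIVES = 3        # 3 * 100 ms before the active is declared dead
PROCESSING_MS = 60           # the slide's "+60" term (assumed fixed overhead)
JITTER_MS = 12               # the slide's "+jitter (12 msec)"


@dataclass
class RedundancyLink:
    rtt_ms: float
    bandwidth_mbps: float
    mtu: int
    keepalive_ms: int = KEEPALIVE_DEFAULT_MS
    peer_search_s: int = PEER_SEARCH_DEFAULT_S


def failover_detection_ms(keepalive_ms: int = KEEPALIVE_DEFAULT_MS) -> int:
    """Worst-case time to detect a dead active WLC with the slide's formula
    (372 ms at defaults, which the slide rounds to ~400 ms)."""
    return MISSED_KEEPALIVES * keepalive_ms + PROCESSING_MS + JITTER_MS


def check_link(link: RedundancyLink) -> List[str]:
    """Return the limits the link violates; an empty list means it qualifies."""
    problems = []
    if link.rtt_ms > 80:
        problems.append(f"RTT {link.rtt_ms} ms exceeds 80 ms")
    if link.rtt_ms > 0.8 * link.keepalive_ms:
        problems.append(f"RTT {link.rtt_ms} ms exceeds 80% of the "
                        f"{link.keepalive_ms} ms keepalive timer")
    if link.bandwidth_mbps < 60:
        problems.append(f"bandwidth {link.bandwidth_mbps} Mbps below 60 Mbps")
    if link.mtu < 1500:
        problems.append(f"MTU {link.mtu} below 1500")
    if (link.keepalive_ms != KEEPALIVE_DEFAULT_MS
            or link.peer_search_s != PEER_SEARCH_DEFAULT_S):
        problems.append("keepalive/peer-search timers changed from defaults")
    return problems


def detect_failover(rx_times_ms: List[int], now_ms: int,
                    keepalive_ms: int = KEEPALIVE_DEFAULT_MS) -> Optional[int]:
    """Replay keepalive arrivals as seen by the standby and return the time
    (ms) at which it would declare the active dead, or None if it never does.
    One or two lost keepalives are tolerated; a gap of three intervals triggers."""
    deadline = MISSED_KEEPALIVES * keepalive_ms
    last = 0
    for t in sorted(rx_times_ms):
        if t - last > deadline:
            return last + deadline + PROCESSING_MS + JITTER_MS
        last = t
    if now_ms - last > deadline:
        return last + deadline + PROCESSING_MS + JITTER_MS
    return None


if __name__ == "__main__":
    link = RedundancyLink(rtt_ms=95, bandwidth_mbps=50, mtu=1400)
    for p in check_link(link):
        print("FAIL:", p)
    # constructed sample: keepalives every 100 ms, then the active goes silent after 300 ms
    print("failover declared at", detect_failover([0, 100, 200, 300], now_ms=1000), "ms")
```

    Note that the 80% rule and the 80 ms ceiling coincide only at the default 100 ms keepalive; shortening the timer tightens the RTT budget, which is one reason the session recommends leaving the timers alone.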


    Deploying the Cisco Unified Wireless Architecture

    Client Profiling

    High Availability

    Understanding AP Groups / RF Groups

    Application Visibility

    Branch Office Designs

    Guest Access Deployment

    Home Office Design


    AP-Groups - Default AP-Group

    The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the default AP-Group

    The default AP-Group cannot be modified

    APs with no assignment to a specific AP-Group will use the default AP-Group

    The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to AP-Groups

    Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups

    AP-Group limits per platform: WLC 2106: 50; WLC 2504: 50; WLC 4400 and WiSM: 300; WLC 5508 and WiSM-2: 500; WLC 7500: 500


    AP Grouping in Campus (figure)

    WLC-1 and WLC-2 in the Data Centre (with WAN and Internet); CAPWAP to the APs

    Single SSID = Employee; every AP maps it to VLAN 100 /21


    AP-Grouping in Campus (figure, with AP-Groups)

    WLC-1 and WLC-2 in the Data Centre (with WAN and Internet); CAPWAP to the APs; WLC side on VLAN 100 /21

    AP-Group-1: VLAN 60 /23; AP-Group-2: VLAN 70 /23; AP-Group-3: VLAN 80 /23

    Single SSID = Employee, mapped to a different VLAN in each AP-Group
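    The two figures above and the default AP-Group rules decide which SSIDs an AP actually broadcasts and which VLAN a client lands on. The following is an added example (not Cisco code) that models those rules so they can be checked before an AP is placed: WLAN IDs 1-16 in the unmodifiable default group, WLAN IDs 17 and up only where an AP-Group lists them, per-group interface overrides, and the per-platform AP-Group limits. The campus sample mirrors the figure (AP-Group-1/2/3 on VLAN 60/70/80, one Employee SSID); WLAN 17 "Contractor", VLAN 81 for it and the AP names are constructed for the example.

```python
"""AP-Group / WLAN / interface resolution on a WLC (added example, not Cisco code).

Rules encoded from the AP-Groups slides: WLAN IDs 1-16 belong to the default
AP-Group, which cannot be edited; WLAN IDs 17 and up are only seen by APs in an
AP-Group that lists them; the same WLAN can be mapped to a different dynamic
interface in each AP-Group; platform AP-Group limits as stated.
WLAN 17 "Contractor", VLAN 81 and the AP names are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

AP_GROUP_LIMITS = {"2106": 50, "2504": 50, "4400": 300, "WiSM": 300,
                   "5508": 500, "WiSM-2": 500, "7500": 500}
DEFAULT_GROUP = "default-group"
DEFAULT_GROUP_MAX_WLAN_ID = 16


@dataclass
class WLAN:
    wlan_id: int
    ssid: str
    interface: str   # dynamic interface (VLAN) used unless an AP-Group overrides it


@dataclass
class APGroup:
    name: str
    # wlan_id -> interface override; None keeps the WLAN's own interface
    wlans: Dict[int, Optional[str]] = field(default_factory=dict)


class WLC:
    def __init__(self, platform: str):
        self.limit = AP_GROUP_LIMITS[platform]
        self.wlans: Dict[int, WLAN] = {}
        self.groups: Dict[str, APGroup] = {}
        self.ap_to_group: Dict[str, str] = {}

    def add_wlan(self, wlan: WLAN) -> None:
        if wlan.wlan_id < 1:
            raise ValueError("WLAN IDs start at 1")
        self.wlans[wlan.wlan_id] = wlan

    def add_group(self, group: APGroup) -> None:
        if group.name == DEFAULT_GROUP:
            raise ValueError("the default AP-Group cannot be modified")
        if len(self.groups) + 1 >= self.limit:          # +1 for the default group
            raise ValueError(f"platform limit of {self.limit} AP-Groups reached")
        unknown = set(group.wlans) - set(self.wlans)
        if unknown:
            raise KeyError(f"{group.name} references undefined WLAN IDs {sorted(unknown)}")
        self.groups[group.name] = group

    def assign_ap(self, ap: str, group: str = DEFAULT_GROUP) -> None:
        if group != DEFAULT_GROUP and group not in self.groups:
            raise KeyError(group)
        self.ap_to_group[ap] = group

    def advertised(self, ap: str) -> Dict[str, str]:
        """SSID -> interface this AP broadcasts and bridges its clients onto.
        An AP never assigned to a group behaves as a default-group AP."""
        group = self.ap_to_group.get(ap, DEFAULT_GROUP)
        if group == DEFAULT_GROUP:
            return {w.ssid: w.interface for wid, w in self.wlans.items()
                    if wid <= DEFAULT_GROUP_MAX_WLAN_ID}
        return {self.wlans[wid].ssid: iface or self.wlans[wid].interface
                for wid, iface in self.groups[group].wlans.items()}


def campus() -> WLC:
    """Constructed campus from the figure: one Employee SSID, a /23 per AP-Group."""
    wlc = WLC("5508")
    wlc.add_wlan(WLAN(1, "Employee", "vlan100"))
    wlc.add_wlan(WLAN(17, "Contractor", "vlan100"))   # constructed WLAN 17
    wlc.add_group(APGroup("AP-Group-1", {1: "vlan60"}))
    wlc.add_group(APGroup("AP-Group-2", {1: "vlan70"}))
    wlc.add_group(APGroup("AP-Group-3", {1: "vlan80", 17: "vlan81"}))
    wlc.assign_ap("ap-bldg1-01", "AP-Group-1")
    wlc.assign_ap("ap-bldg3-01", "AP-Group-3")
    wlc.assign_ap("ap-unassigned")                   # left in the default group
    return wlc


if __name__ == "__main__":
    w = campus()
    for ap in ("ap-bldg1-01", "ap-bldg3-01", "ap-unassigned"):
        print(ap, w.advertised(ap))
```

    The check a practitioner wants is the last line of the output: an AP left in the default group advertises Employee on VLAN 100 and never advertises WLAN 17, so a WLAN ID above 16 that "does not show up" is an AP-Group assignment problem, not an RF one.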


    Default AP-Group (screenshot)

    Network Name list of the Default AP Group: only WLANs 1-16 will be added to the default AP group


    Multiple AP-Groups (screenshot): AP Group 1, AP Group 2, AP Group 3


    RF-Profiles (7.2 and 7.3 Release)

    RF Profiles allow the administrator to tune groups of APs sharing a coverage zone together, selectively changing how RRM will operate the APs within that coverage zone.

    RF Profiles are created for either the 2.4 GHz radio or the 5 GHz radio.

    Profiles are applied to groups of APs belonging to an AP Group; all APs in the group get the same profile settings.

    There are two components to this feature. RF Profile, new in 7.2, provides administrative control over:

    Min/Max TPC values

    TPCv1 Threshold

    TPCv2 Threshold

    Data Rates

    High Density

    Client Load Balancing


    Low Density Profile

    A normal profile can be built to match your exact criteria

    You may wish to increase the mandatory data rate to match your coverage (higher if dense, lower if sparse)

    Change the RRM coverage thresholds to match your exact architecture

    Make a custom load balancing plan that suits the environment


    High Density Profile

    For High Density, RF profiles will differ significantly

    Enforce a minimum power; set the TPCv1/TPCv2 thresholds hotter

    Higher mandatory data rates, more data rates disabled


    High Density Profile cont.

    Custom fixed multicast parameters

    Higher load balancing window

    Higher BandSelect thresholds (prevents a lot of unnecessary work)


    RF-Profile in Campus (figure)

    WLC-1 and WLC-2 in the Data Centre (with WAN and Internet); LWAPP/CAPWAP to the APs

    RF-Profile-1: VLAN 60 /23 and VLAN 61 /23; RF-Profile-2: VLAN 70 /23 and VLAN 71 /23; RF-Profile-3: VLAN 80 /23 and VLAN 81 /23

    Single SSID = Employee


    Multiple RF-Profiles (screenshot): RF Profile -1, RF Profile -2, RF Profile -3



    Application Visibility & Control

    Questions for the WLC: What applications are in the air? Why is my key application running slow? How do I support a new application for a set of users?

    (figure: WLC with the applications in the air grouped as Real Time, Interactive, Non-Real Time and Non-Business, and the point of congestion highlighted)


    NBAR supported features

    Classification: identification of application/protocol; supports stateful L4 - L7 classification; can classify 1039 applications.

    AVC (Application Visibility and Control): provides visibility of classified traffic and also lets you control it, using a Drop or Mark (DSCP) action. Action DROP: traffic for that application will be dropped. Action MARK: particular applications can be marked with one of the available QoS profiles, or the administrator can define a custom DSCP value for that application.

    AVC marking overrides all other QoS markings.

    NetFlow: updating NBAR stats to a NetFlow collector like Cisco Prime Assurance Manager.

    NBAR is supported on 2500, 5500, 7500, 8500 and WiSM2 controllers on Local a

    A WLC can support 16 AVC profiles.

    A WLAN can support only 1 AVC profile and each profile can contain 32 rules, thus a WLAN can support 32 application actions of mark or drop.


    Enabling AVC (screenshots)

    AVC is enabled on a per-WLAN basis

    Global summary of top applications on the Controller Monitor screen


    AVC Profile (screenshots)

    Custom AVC profiles created to do traffic shaping

    Apply the custom profile per WLAN


    Netflow Monitor (screenshot)

    Configuring a NetFlow exporter on the controller and applying it to a WLAN


    AVC Summary (screenshot)

    Application statistics per WLAN with more detail, upstream and downstream


    Branch Office Deployment: FlexConnect

    Hybrid architecture

    Single management and control point

    Centralized traffic and local traffic

    HA will preserve local traffic only (centrally switched traffic depends on the WLC being reachable)

    (figure: WAN between the branch and the WLC; Centralized Traffic tunneled to the WLC, Local Traffic switched at the branch)


    FlexConnect Design Considerations: WAN Limitations Apply

    Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch
    Data              128 kbps              300 ms                  5
    Data+Voice        128 kbps              100 ms                  5
    Data              128 kbps              1 sec                   1
    Monitor           128 kbps              2 sec                   5
    Data              1.44 Mbps             1 sec                   50
    Data+Voice        1.44 Mbps             100 ms                  50
    Monitor           1.44 Mbps             2 sec                   50


    Economies of Scale for Lean Branches

    Key Differentiation: WAN Tolerance (high latency networks, WAN survivability); Security (802.1X based port auth); Voice support (Voice CAC, OKC/CCKM)

    Flex 7500 Wireless Controller

    Access Points: 300 - 6,000
    Clients: 64,000
    Branches: 2000
    Access Points / Branch: 100
    Deployment Model: FlexConnect
    Form Factor: 1 RU
    IO Interface: 2x 10GE
    Upgrade Licenses: 100, 200, 500, 1K


    Understanding FlexConnect Groups

    FlexConnect groups allow sharing of:

    CCKM/OKC fast roaming keys

    Local/backup RADIUS servers IP/keys

    Local user authentication

    Local EAP authentication

    AAA-Override for Local Switching

    Smart Image Upgrade

    (figure: FlexConnect Group 1 at the Remote Site, WAN, Central Site)

    Scaling information

    Platform              Flex 7500   CT-5508   WiSM2   CT-2504
    FlexConnect Groups    2000        100       100     30
    APs per Group         100         25        25      25


    EAP-TLS/PEAP Overview

    Local Authentication on a FlexConnect AP: either the FlexConnect AP contacts a RADIUS server, or the FlexConnect AP acts as the RADIUS server

    EAP methods when the AP is acting as RADIUS server: LEAP, EAP-FAST, PEAP, EAP-TLS

    LEAP is listed for legacy clients only: its MS-CHAP-style challenge/response is subject to offline dictionary attack on a captured exchange, so prefer PEAP or EAP-TLS wherever the client supports them.

    PEAP and EAP-TLS support in Standalone Mode

    Local Authentication: continued support for RADIUS servers on the FlexConnect Group. The RADIUS server configuration takes precedence over the FlexConnect AP acting as RADIUS server.

    Access points: 1040, 1140, 1520, 1550, 1600, 3500, 3600, 2600, 1250, 1260, ...


    PEAP/EAP-TLS Web-GUI (screenshot)

    Enable AP Local Authentication

    A RADIUS server configured on the FlexConnect group takes precedence over Local Authentication


    Local Switching Access Lists (new in 7.2)

    Support for ACLs in FlexConnect local switching mode

    ACL mapped to a local VLAN per AP or per FlexConnect Group

    512 FlexConnect ACLs per WLC

    16 ingress ACLs and 16 egress ACLs per AP

    64 ACL rules per ACL

    No IPv6 ACL

    (figure: Remote Site, WAN, Central Site)


    Local Switching Access Lists Configuration (new in 7.2)

    ACL rule creation and application for FlexConnect is identical to WLC rule creation for Local Mode

    (screenshots) Step 1: create the FlexConnect ACL; Step 2: click to add ACL rules; Step 3: provision the ACL (inbound)


    Local Switching Peer-to-Peer Blocking (new in 7.2)

    Support for Peer-to-Peer blocking on a FlexConnect AP

    Applies to clients on the same FlexConnect AP

    P2P blocking modes: disable or drop

    For P2P blocking between clients on different APs use an ACL or the Private VLAN function

    (figure: Remote Site, WAN, Central Site)


    FlexConnect AAA VLAN Override (new in 7.2)

    AAA VLAN Override with local or central authentication

    Up to 16 VLANs per FlexConnect AP

    The VLAN ID must be enabled per AP or per FlexConnect Group

    If the VLAN ID does not exist, the default VLAN is used

    QoS and ACL Override are not supported

    (figure: FlexConnect Group 1 at the Remote Site, WAN, Central Site with Central RADIUS and Application Server; clients placed in VLAN 3 or VLAN 7 by the RADIUS reply)


    FlexConnect AAA VLAN Override (screenshots, new in 7.2)

    RADIUS returns the VLAN in IETF attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID); in the screenshot the client is placed in VLAN 109

    The VLAN must be created on the FlexConnect AP or group for the override to take effect
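    The "if the VLAN ID does not exist, the default VLAN is used" rule on the previous slide is the failure mode worth testing for: a VLAN missing from the AP or group list silently lands an authenticated user in the WLAN's default VLAN. The following is an added example (not Cisco code) that decodes the three IETF attributes from the attribute section of an Access-Accept and applies the slide's rules. The attribute bytes are constructed here, not captured; the 20-byte RADIUS header and authenticator check are outside its scope.

```python
"""Resolve a FlexConnect client's VLAN from a RADIUS Access-Accept.

Added example, not Cisco code.  It decodes the three IETF attributes the
slide names (64 Tunnel-Type, 65 Tunnel-Medium-Type, 81 Tunnel-Private-Group-ID)
from the attribute section of an Access-Accept, then applies the slide's rules:
the VLAN must be enabled on the AP or FlexConnect Group (up to 16 per AP), and
if the VLAN does not exist the WLAN's default VLAN is used.  The Access-Accept
bytes are constructed here, not captured from a real server.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = 64, 65, 81
TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP}
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type = VLAN
MEDIUM_IEEE_802 = 6            # Tunnel-Medium-Type = IEEE-802
MAX_VLANS_PER_FLEX_AP = 16     # slide: up to 16 VLANs per FlexConnect AP


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (type, value) pairs as RADIUS TLVs; tunnel attributes get the
    RFC 2868 tag octet (0 = untagged) prepended to the value."""
    out = bytearray()
    for t, v in attrs:
        if t in TUNNEL_ATTRS:
            v = b"\x00" + v
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, 2 + len(v)) + v
    return bytes(out)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse RADIUS TLVs defensively; returns (type, value) with tunnel tags stripped."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad attribute length")
        v = data[i + 2:i + ln]
        if t in TUNNEL_ATTRS and v and v[0] <= 0x1F:
            v = v[1:]                   # drop the tag octet
        attrs.append((t, v))
        i += ln
    return attrs


def vlan_from_accept(data: bytes) -> Optional[int]:
    """VLAN ID carried by the Access-Accept, or None if the triplet is absent or inconsistent."""
    first: Dict[int, bytes] = {}
    for t, v in decode_attrs(data):
        first.setdefault(t, v)          # first instance of each attribute wins
    if int.from_bytes(first.get(TUNNEL_TYPE, b""), "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(first.get(TUNNEL_MEDIUM, b""), "big") != MEDIUM_IEEE_802:
        return None
    gid = first.get(TUNNEL_PRIV_GROUP, b"").decode("ascii", "replace")
    return int(gid) if gid.isdigit() and 1 <= int(gid) <= 4094 else None


def resolve_client_vlan(accept: bytes, enabled_vlans: Set[int],
                        wlan_default_vlan: int) -> Tuple[int, Optional[int]]:
    """Return (vlan_used, vlan_requested).  The fallback to the WLAN default is
    silent on the AP, so callers should alert whenever the two differ."""
    if len(enabled_vlans) > MAX_VLANS_PER_FLEX_AP:
        raise ValueError("more than 16 VLANs enabled on a FlexConnect AP")
    requested = vlan_from_accept(accept)
    if requested is None or requested not in enabled_vlans:
        return wlan_default_vlan, requested
    return requested, requested


def sample_accept(vlan: bytes = b"109") -> bytes:
    """Constructed Access-Accept attribute section returning VLAN 109 (as in the screenshot)."""
    return encode_attrs([
        (TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM, MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIV_GROUP, vlan),
    ])


if __name__ == "__main__":
    print(resolve_client_vlan(sample_accept(), {3, 7, 109}, 3))        # VLAN 109 honoured
    print(resolve_client_vlan(sample_accept(b"999"), {3, 7, 109}, 3))  # silent fallback to 3
```

    The function returns both the VLAN used and the VLAN the server asked for precisely so that a deployment can log or alarm on the mismatch; on the AP itself the fallback leaves no trace beyond the client showing up on the wrong subnet.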


    External WebAuth with Local Switching

    Provides L3 web redirect from a locally switched VLAN

    Reduces WAN traffic by locally switching guest traffic

    Flexible and centralized web portal creation for multiple sites

    Provides flexible use of Conditional and Splash Page Web Redirect

    The FlexConnect AP must be in Connected state with the centralized controller for this to work

    (figure: FlexConnect Group 1 at the Remote Site on VLAN 503, WAN, Central Site; the external Web Server is reached over the Internet)


    FlexConnect ACL Split Tunneling

    Split tunneling allows some traffic to be locally switched although the WLAN is defined as centrally switched

    Split tunneling uses a NAT/PAT feature with an ACL to perform the switching

    Split tunneling uses the AP's IP address for the NAT/PAT

    (figure: WLC, CAPWAP over the WAN, FlexConnect AP; Central Traffic to the Central Server, Local Traffic to the Local Printer through the NAT/PAT ACL)
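    The Local Switching Access Lists slide and the split-tunneling slide above describe the same mechanism from two sides: an ACL evaluated on the AP decides what stays at the branch. The following is an added example (not Cisco code) that implements the ACL evaluation with the stated limits (64 rules per ACL, 16 ingress and 16 egress ACLs per AP, IPv4 only) and the split-tunnel decision: a permitted flow is switched locally with its source translated to the AP's own address, everything else goes to the WLC over CAPWAP. The addresses, rule set and flows are constructed samples.

```python
"""FlexConnect local-switching ACL evaluation and split-tunnel decision.

Added example, not Cisco code.  It models the slides' limits (64 rules per
ACL, 16 ingress and 16 egress ACLs per AP, IPv4 only) and the split-tunnel
behaviour: on a centrally switched WLAN, a flow permitted by the split-tunnel
ACL is switched locally with its source PAT-translated to the AP's own IP
address, and every other flow is sent to the WLC over CAPWAP.
Addresses, rule set and flows are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_RULES_PER_ACL = 64
MAX_ACLS_PER_DIRECTION_PER_AP = 16


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"           # "any", "tcp", "udp", "icmp"
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


class FlexAcl:
    def __init__(self, name: str, rules: List[Rule]):
        if len(rules) > MAX_RULES_PER_ACL:
            raise ValueError(f"{name}: more than {MAX_RULES_PER_ACL} rules")
        self.name = name
        self.rules = []
        for r in rules:
            if r.action not in ("permit", "deny"):
                raise ValueError(f"{name}: bad action {r.action!r}")
            src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
            if src.version != 4 or dst.version != 4:
                raise ValueError(f"{name}: IPv6 ACLs are not supported on FlexConnect")
            self.rules.append((r, src, dst))

    def permits(self, flow: Flow) -> bool:
        """First matching rule wins; no match means the implicit deny."""
        s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        for r, src, dst in self.rules:
            if (s in src and d in dst and r.proto in ("any", flow.proto)
                    and r.dport in (None, flow.dport)):
                return r.action == "permit"
        return False


class FlexAp:
    """Per-AP ACL bindings (VLAN -> ACL) with the slide's per-direction cap."""
    def __init__(self, ip: str):
        self.ip = ip
        self.ingress: Dict[str, FlexAcl] = {}
        self.egress: Dict[str, FlexAcl] = {}

    def bind(self, vlan: str, acl: FlexAcl, direction: str) -> None:
        table = self.ingress if direction == "ingress" else self.egress
        if vlan not in table and len(table) >= MAX_ACLS_PER_DIRECTION_PER_AP:
            raise ValueError(f"more than {MAX_ACLS_PER_DIRECTION_PER_AP} {direction} ACLs on AP")
        table[vlan] = acl


def split_tunnel(flow: Flow, split_acl: FlexAcl, ap: FlexAp) -> Tuple[str, str]:
    """Return ("local", translated_src) or ("central", original_src)."""
    if split_acl.permits(flow):
        return "local", ap.ip          # locally switched, source PAT to the AP address
    return "central", flow.src         # CAPWAP to the WLC


def sample_split_acl() -> FlexAcl:
    """Constructed split-tunnel ACL: only raw printing to the branch LAN stays local."""
    return FlexAcl("branch-split", [
        Rule("permit", dst="10.20.30.0/24", proto="tcp", dport=9100),
        Rule("deny"),
    ])


if __name__ == "__main__":
    ap = FlexAp("10.20.30.5")
    acl = sample_split_acl()
    print(split_tunnel(Flow("10.20.31.50", "10.20.30.200", "tcp", 9100), acl, ap))
    print(split_tunnel(Flow("10.20.31.50", "172.16.10.10", "tcp", 443), acl, ap))
```

    Keep the split-tunnel ACL narrow: every destination it permits bypasses whatever inspection sits behind the WLC, and the branch sees those flows with the AP's address as the source, so per-client attribution on the LAN side is lost for them.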


    FlexConnect and AP1500 (Outdoor)

    Indoor AP parity with outdoor RAP (1520 & 1550) only: Local Mode and FlexConnect Mode

    No MAP functionality in this release

    Flex Mode will have support for Central and Local Switching

    (figure: Controller, L3/L2 switch, RAP (Root AP) in Local or FlexConnect mode, MAPs (Mesh APs) over the 5 GHz backhaul)


    Branch Office WLAN Controller Options

    Appliance controllers: Cisco 2504-12; Cisco 5508-12, 5508-25

    Integrated controller: WLAN controller module (WLCM-2) for ISR G2

    Virtual WLC (vWLC)

    (figure: Headquarters with WCS and E-Mail; branch offices (BO) reached over Internet VPN, MPLS, ATM or Frame Relay; each branch sized by number of users and number of APs)


    Branch Office WLAN Controller Options

    Cisco Unified Wireless Network with controller-based branch offices

    Multiple integrated WAN options on ISR

    Consistent branch-HQ services, features, and performance

    Standardised branch configuration extends the unified wired and wireless network

    Branch configuration management from central WCS

    **AP count varies depending on channel utilisation and data rates

    (figure: Headquarters with WCS and E-Mail; small and branch offices with Cisco WLCs over Internet VPN, MPLS, ATM or Frame Relay)


    Guest Access Deployment: WLAN Controller Deployments with EoIP Tunnel

    Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers

    Other traffic (employee for example) is still locally bridged at the remote controller on the corresponding VLAN

    No need to define the guest VLANs on the switches connected to the remote controllers

    The original guest Ethernet frame is maintained across the CAPWAP and EoIP tunnels

    Redundant EoIP tunnels to the Anchor WLC

    With the 7.4 release the 2504 series can terminate 10 EoIP tunnels

    (figure: Guest client, CAPWAP to the remote WLC, EoIP Guest Tunnel to the anchor WLC behind a Cisco ASA Firewall, out to the Internet)


    Home Office Design: OEAP

    Cisco controller installed in the corporate network

    OfficeExtend AP (OEAP) at the teleworker's home

    Corporate access for employees on the centrally configured SSID

    Family Internet access on a locally configured SSID

    Controllers: WLC 5508 / WiSM-2 / WLC 7500, managed from WCS

    (figure: Headquarters with E-Mail, reached from the home office over Internet VPN)


    Summary: Key Takeaways

    RF plan and design based on business requirements

    Take advantage of the standards (CAPWAP, DTLS, 802.11i, ...)

    Wide range of architecture / design choices

    Brand new controller portfolio (WiSM-2, WLC 7500, WLC 8500, ...) with investment protection

    Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc)

    Cisco's investment into technology: Cisco Prime, ISE, new Cloud controller


    Thank you.

