Design and Deployment of Enterprise WLANs

Date post: 26-Dec-2014
Page 1: Design and Deployment of Enterprise WLANs

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2010 1

Design and Deployment of Enterprise WLANs BRKEWN-2010

Sujit Ghosh, CCIE #7204, Manager, Technical Marketing, Wireless Networking Business Unit

Page 2: Design and Deployment of Enterprise WLANs

Agenda

• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture

Page 4: Design and Deployment of Enterprise WLANs

Understanding WLAN Controllers: 1st/2nd Generation vs. 3rd Generation Approach

• 1st/2nd generation: APs act as an 802.1Q translational bridge, putting client traffic on local VLANs
• 3rd generation: the controller bridges client traffic centrally

[Figure: 1st/2nd generation, with the Data, Voice and Management VLANs terminated at the AP; 3rd generation, with the same VLANs terminated at the controller and client traffic carried from the AP over an LWAPP/CAPWAP tunnel]

Page 5: Design and Deployment of Enterprise WLANs

Centralized Wireless LAN Architecture: What Is CAPWAP?

• CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller and is based on LWAPP
• CAPWAP carries control and data traffic between the two:
  Control plane is DTLS encrypted
  Data plane is DTLS encrypted (optional)
• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
• CAPWAP is not supported in a Layer 2 mode deployment

[Figure: Wi-Fi client, access point, CAPWAP controller and business application, with the CAPWAP control plane and data plane running between the access point and the controller]

Page 6: Design and Deployment of Enterprise WLANs

CAPWAP Modes: Split MAC

• The CAPWAP protocol supports two modes of operation:
  Split MAC (centralized mode)
  Local MAC (H-REAP)
• Split MAC

[Figure: STA, WTP and AC; the wireless PHY and MAC sublayer sit at the WTP, the wireless frame is carried over the CAPWAP data plane to the AC, and an 802.3 frame leaves the AC]

Page 7: Design and Deployment of Enterprise WLANs

CAPWAP Modes: Local MAC

• Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
• Locally bridged

[Figure: STA, WTP and AC; the wireless PHY and MAC sublayer sit at the WTP, and the wireless frame is converted to an 802.3 frame at the WTP without passing through the AC]

Page 8: Design and Deployment of Enterprise WLANs

CAPWAP Modes: Local MAC

• Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
• Tunneled as 802.3 frames
• Tunneled local MAC is not supported by Cisco
• H-REAP supports locally bridged MAC and split MAC per SSID

[Figure: STA, WTP and AC; the wireless frame is converted to an 802.3 frame at the WTP and carried over the CAPWAP data plane to the AC]

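As an added example (not code from the deck or from Cisco), the following Python parser reads the CAPWAP transport header defined in RFC 5415 and flags, from the preamble type, whether a control or data packet on the CAPWAP ports is DTLS-wrapped; the port numbers 5246/5247 and the header layout come from the RFC, not from the slides, and the two packets are hand-constructed rather than captured.

```python
"""Classify CAPWAP packets by plane and by whether they are DTLS-wrapped.

Added example (not from the Cisco deck): a minimal parser for the CAPWAP
transport header of RFC 5415, used to audit whether an AP-to-controller
flow carries its data plane in the clear (the deck notes data-plane DTLS
is optional). Sample packets below are constructed by hand, not captures.
"""
import struct

CAPWAP_CONTROL_PORT = 5246   # control plane (UDP), DTLS-protected
CAPWAP_DATA_PORT = 5247      # data plane (UDP), DTLS optional
PREAMBLE_TYPE_CAPWAP = 0     # plaintext CAPWAP header follows
PREAMBLE_TYPE_DTLS = 1       # DTLS record follows 3 reserved octets


def parse_capwap(payload: bytes) -> dict:
    """Parse the preamble and, for plaintext packets, the transport header."""
    if len(payload) < 4:
        raise ValueError("too short for a CAPWAP preamble")
    version = payload[0] >> 4
    ptype = payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unknown CAPWAP version {version}")
    if ptype == PREAMBLE_TYPE_DTLS:
        # RFC 5415 4.2: preamble, 3 reserved octets, then the DTLS record.
        return {"dtls": True, "dtls_record": payload[4:]}
    if ptype != PREAMBLE_TYPE_CAPWAP:
        raise ValueError(f"unknown preamble type {ptype}")
    if len(payload) < 8:
        raise ValueError("too short for a CAPWAP transport header")
    word0, word1 = struct.unpack(">II", payload[:8])
    hlen_words = (word0 >> 19) & 0x1F              # header length in 4-octet words
    header = {
        "dtls": False,
        "hlen": hlen_words * 4,
        "rid": (word0 >> 14) & 0x1F,               # radio ID
        "wbid": (word0 >> 9) & 0x1F,               # wireless binding ID, 1 = IEEE 802.11
        "native_80211": bool((word0 >> 8) & 1),    # T: payload is a native 802.11 frame
        "fragment": bool((word0 >> 7) & 1),        # F
        "last_fragment": bool((word0 >> 6) & 1),   # L
        "wsi_present": bool((word0 >> 5) & 1),     # W: wireless-specific info present
        "radio_mac_present": bool((word0 >> 4) & 1),  # M
        "keepalive": bool((word0 >> 3) & 1),       # K
        "fragment_id": word1 >> 16,
        "fragment_offset": (word1 >> 3) & 0x1FFF,
    }
    if header["hlen"] < 8 or header["hlen"] > len(payload):
        raise ValueError("HLEN inconsistent with packet length")
    header["payload"] = payload[header["hlen"]:]
    return header


def audit_packet(dst_port: int, payload: bytes) -> dict:
    """Label a UDP packet sent to a controller port and flag a cleartext plane."""
    plane = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}.get(dst_port)
    if plane is None:
        raise ValueError(f"port {dst_port} is not a CAPWAP port")
    info = parse_capwap(payload)
    finding = None
    if not info["dtls"] and plane == "control":
        finding = "control plane without DTLS"
    elif not info["dtls"] and plane == "data" and not info["keepalive"]:
        finding = "data plane in the clear (DTLS data encryption not enabled)"
    return {"plane": plane, "dtls": info["dtls"], "finding": finding, "header": info}


# Constructed samples (not captures):
# a control packet wrapped in DTLS: preamble type 1, 3 reserved octets, then a
# DTLS application-data record header (type 23, version fe ff) and a dummy body.
DTLS_CONTROL = bytes([0x01, 0, 0, 0]) + bytes.fromhex("17feff") + b"\x00" * 13
# a plaintext data packet: HLEN=2 words, RID=1, WBID=1 (802.11), T=1, no fragments,
# followed by the first bytes of an 802.11 data frame header (frame control 08 02).
PLAIN_DATA = bytes([0x00, 0x10, 0x43, 0x00, 0, 0, 0, 0]) + b"\x08\x02" + b"\x00" * 22


if __name__ == "__main__":
    for port, pkt in ((CAPWAP_CONTROL_PORT, DTLS_CONTROL), (CAPWAP_DATA_PORT, PLAIN_DATA)):
        r = audit_packet(port, pkt)
        print(r["plane"], "dtls" if r["dtls"] else "plain", r["finding"] or "ok")
```
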
Page 9: Design and Deployment of Enterprise WLANs

CAPWAP State Machine

[Figure: state machine with the states AP Boots Up, Discovery, DTLS Setup, Join, Image Data, Config, Run and Reset]

Page 10: Design and Deployment of Enterprise WLANs

AP Controller Discovery

• Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs): a broadcast message is sent to discover a controller on the local subnet
• Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails

Controller Discovery Order:
  1. Previously learned or primed controllers
  2. Subnet broadcast
  3. DHCP option 43
  4. DNS lookup

Page 11: Design and Deployment of Enterprise WLANs

AP Controller Discovery: DHCP Option

[Figure: AP, DHCP server and controller. 1: DHCP Request; 2: DHCP Offer, which contains option 43 for the controller; 3: Layer 3 CAPWAP Discovery Request broadcast, answered by Layer 3 CAPWAP Discovery Responses]

Page 12: Design and Deployment of Enterprise WLANs

AP Controller Discovery: DNS Option

[Figure: AP, DHCP server and DNS server. 1: DHCP Request; 2: DHCP Offer, which contains the DNS server or servers; 3: DNS query for CISCO-CAPWAP-CONTROLLER.localdomain; 4: DNS answer 192.168.1.2, the controller address the AP then uses]

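The discovery sources on the three slides above, as an added example (not Cisco code): a Python parser for the Cisco vendor-specific DHCP option 43 sub-option (type 0xF1 carrying a list of WLC IPv4 addresses, the format Cisco documents for lightweight APs), plus a merge of primed controllers, option 43 and the DNS answer in the order the deck lists. The primed address 10.0.0.5 and the option bytes are constructed for the demonstration.

```python
"""Build the AP's controller candidate list from its discovery sources.

Added example, not from the deck: parses the Cisco vendor-specific DHCP
option 43 sub-option (type 0xF1, a list of WLC IPv4 addresses) and merges it
with primed controllers and the DNS answer in the deck's discovery order.
Sample option bytes and addresses are constructed for the demonstration.
"""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1   # Cisco TLV type carrying controller management IPs
DNS_NAME = "CISCO-CAPWAP-CONTROLLER"  # the AP resolves this in its local domain


def parse_option43(raw: bytes):
    """Return WLC IPv4 addresses found in the vendor-specific TLVs of option 43."""
    controllers = []
    i = 0
    while i < len(raw):
        tag = raw[i]
        if tag == 0xFF:            # end-of-options marker
            break
        if tag == 0x00:            # pad octet
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated sub-option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if tag == CISCO_WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("WLC sub-option length must be a multiple of 4")
            for off in range(0, length, 4):
                controllers.append(str(ipaddress.IPv4Address(value[off:off + 4])))
        i += 2 + length            # other vendor sub-options are skipped
    return controllers


def build_option43(addresses) -> bytes:
    """Encode WLC addresses as the single 0xF1 sub-option (inverse of the parser)."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if len(packed) > 255:
        raise ValueError("too many controllers for one sub-option")
    return bytes([CISCO_WLC_SUBOPTION, len(packed)]) + packed


def discovery_candidates(primed, option43: bytes, dns_answers):
    """Order candidates: primed/learned, then option 43, then DNS. Subnet
    broadcast sits between the first two but yields no addresses to list.
    A controller seen from several sources keeps its first slot."""
    ordered = []
    for source, addrs in (("primed", primed),
                          ("option43", parse_option43(option43)),
                          ("dns", dns_answers)):
        for addr in addrs:
            if addr not in (c for c, _ in ordered):
                ordered.append((addr, source))
    return ordered


# Constructed sample in the documented shape f1 <length> <ip>...: two controllers
SAMPLE_OPTION43 = bytes.fromhex("f108c0a80102c0a80103")   # 192.168.1.2, 192.168.1.3

if __name__ == "__main__":
    for addr, src in discovery_candidates(["10.0.0.5"], SAMPLE_OPTION43, ["192.168.1.2"]):
        print(f"{addr:15} via {src}")
```
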
Page 13: Design and Deployment of Enterprise WLANs

WLAN Controller Selection Algorithm

• The CAPWAP Discovery Response carries important information from the WLAN controller:
  controller name, controller type, controller AP capacity, current AP load, "Master Controller" status, and AP Manager IP address or addresses
• The AP selects a controller to join using the following decision criteria:
  1. Attempt to join a WLAN controller configured as a "Master" controller
  2. Attempt to join a WLAN controller whose name matches the previously configured primary, secondary, or tertiary controller name
  3. Attempt to join the WLAN controller with the greatest excess AP capacity (dynamic load balancing)
• Options #2 and #3 give two approaches to controller redundancy and AP load balancing: deterministic and dynamic

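The three-step decision order above, as an added example (not Cisco's implementation): a Python selector over constructed Discovery Responses that shows the deterministic path (a configured primary/secondary/tertiary name) and the dynamic path (greatest excess capacity). It assumes, beyond what the slide says, that a rule "fails" and the next one is tried when the chosen controller has no spare AP capacity.

```python
"""Pick the controller an AP joins from a set of Discovery Responses.

Added example (not Cisco code): applies the three-step decision order from
the deck. A rule counts as "attempted and failed" when its controller has no
spare AP capacity (an assumption made here; the deck only says "attempt").
All controllers below are constructed values.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class DiscoveryResponse:
    name: str
    controller_type: str
    ap_capacity: int                      # licensed AP count
    ap_load: int                          # APs currently joined
    master: bool = False                  # "Master Controller" status
    ap_manager_ips: Tuple[str, ...] = ()  # where the Join Request would be sent

    @property
    def excess_capacity(self) -> int:
        return self.ap_capacity - self.ap_load

    def accepts_join(self) -> bool:
        return self.excess_capacity > 0


def select_controller(responses: Iterable[DiscoveryResponse],
                      primary: Optional[str] = None,
                      secondary: Optional[str] = None,
                      tertiary: Optional[str] = None):
    """Return (controller, rule) or (None, None) if nobody can take the AP."""
    responses = list(responses)

    # 1. A controller configured as Master wins outright.
    for r in responses:
        if r.master and r.accepts_join():
            return r, "master"

    # 2. Deterministic: configured primary, secondary, tertiary, in that order.
    for name in (primary, secondary, tertiary):
        if not name:
            continue
        for r in responses:
            if r.name == name and r.accepts_join():
                return r, "configured-name"

    # 3. Dynamic load balancing: greatest excess capacity among those with room.
    candidates = [r for r in responses if r.accepts_join()]
    if not candidates:
        return None, None
    return max(candidates, key=lambda r: r.excess_capacity), "excess-capacity"


# Constructed discovery responses (not from any real deployment).
RESPONSES = (
    DiscoveryResponse("WLC-A", "5508", 500, 480, ap_manager_ips=("10.1.1.1",)),
    DiscoveryResponse("WLC-B", "5508", 500, 120, ap_manager_ips=("10.1.2.1",)),
    DiscoveryResponse("WLC-C", "WiSM-2", 500, 500, ap_manager_ips=("10.1.3.1",)),  # full
)

if __name__ == "__main__":
    for cfg in ({}, {"primary": "WLC-A"}, {"primary": "WLC-C", "secondary": "WLC-A"}):
        wlc, rule = select_controller(RESPONSES, **cfg)
        print(cfg, "->", wlc.name if wlc else None, rule)
```
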
Page 14: Design and Deployment of Enterprise WLANs

CAPWAP Control Messages for Join Process

• CAPWAP Join Request: the AP sends this message to the selected controller (sent to the AP Manager interface IP address)
• CAPWAP Join Response: if the controller validates the AP's request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller

[Figure: CAPWAP Join Request from the AP to the controller, CAPWAP Join Response from the controller to the AP]

Page 15: Design and Deployment of Enterprise WLANs

Configuration Phase: Firmware and Configuration Download

• Firmware is downloaded by the AP from the WLC
  Firmware is downloaded only if needed; the AP reboots after the download
  Firmware is digitally signed by Cisco
• Network configuration is downloaded by the AP from the WLC
  Configuration is encrypted in the CAPWAP tunnel
  Configuration is applied

[Figure: Cisco WLAN controller and access points, with the LWAPP-L3 firmware download and the configuration download from the controller to the APs]

Page 16: Design and Deployment of Enterprise WLANs

4.2, 6.0, 7.0? Which Version Should I Use?

• WLC 5508 supports 6.0, 7.0.98 and 7.0.116
• WLC7500, WiSM-2 and WLC2504 are only supported in 7.0.116
• 6.0.202 is the latest MD
• 7.0.116 will be tested for AssureWave (Blue Ribbon)
• Please note the current revision of 7.0, 7.0.116.0, which is the recommended one for you today

Page 17: Design and Deployment of Enterprise WLANs

Agenda

• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture

Page 18: Design and Deployment of Enterprise WLANs

Mobility Defined

• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving location in the networked environment
• Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it's mobile!
• Mobility presents new challenges:
  Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
  Need to support client roaming that is seamless (fast) and preserves security

Page 19: Design and Deployment of Enterprise WLANs

Scaling the Architecture with Mobility Groups

• A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the LWAPP Join process
• Support for up to 24 controllers, 3600 APs per mobility group
• Mobility messages are exchanged between controllers
• Data is tunneled between controllers in EtherIP (RFC 3378)

[Figure: three controllers joined by an Ethernet-in-IP tunnel and exchanging mobility messages]
  Controller-A: MAC AA:AA:AA:AA:AA:01, Mobility Group Name MyMobilityGroup, Mobility Group Neighbors Controller-B (AA:AA:AA:AA:AA:02) and Controller-C (AA:AA:AA:AA:AA:03)
  Controller-B: MAC AA:AA:AA:AA:AA:02, Mobility Group Name MyMobilityGroup, Mobility Group Neighbors Controller-A (AA:AA:AA:AA:AA:01) and Controller-C (AA:AA:AA:AA:AA:03)
  Controller-C: MAC AA:AA:AA:AA:AA:03, Mobility Group Name MyMobilityGroup, Mobility Group Neighbors Controller-A (AA:AA:AA:AA:AA:01) and Controller-B (AA:AA:AA:AA:AA:02)

Page 20: Design and Deployment of Enterprise WLANs

Increased Mobility Scalability

• Roaming is supported across three mobility groups (3 * 24 = 72 controllers)
• With Inter Release Controller Mobility (IRCM), roaming is supported between 4.2.207, 6.0.188 and 7.0

[Figure: Mobility Sub-Domain 1, Mobility Sub-Domain 2 and Mobility Sub-Domain 3, each with its own Ethernet-in-IP tunnel, exchanging mobility messages]

Page 21: Design and Deployment of Enterprise WLANs

How Long Does an STA Roam Take?

• Time it takes for: client to disassociate + probe for and select a new AP + 802.11 association + 802.1X/EAP authentication + rekeying + IP address (re)acquisition
• All this can be on the order of seconds... Can we make this faster?

Page 22: Design and Deployment of Enterprise WLANs

Roaming Requirements

• Roaming must be fast. Latency can be introduced by:
  Client channel scanning and AP selection algorithms
  Re-authentication of the client device and re-keying
  Refreshing of the IP address
• Roaming must maintain security:
  Open auth, static WEP: session continues on the new AP
  WPA/WPAv2 Personal: new session key for encryption derived via standard handshakes
  802.1X, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and a new session key derived for encryption

Page 23: Design and Deployment of Enterprise WLANs

How Are We Going to Make Roaming Faster?

• Eliminating the (re)IP address acquisition challenge
• Eliminating full 802.1X/EAP reauthentication

Focus on Where We Can Have the Biggest Impact

Page 24: Design and Deployment of Enterprise WLANs

Intra-Controller Roaming: Layer 2

[Figure: WLC-1 and WLC-2, each with its own client database, exchanging mobility messages; pre-roaming data path through WLC-1 on VLAN X, with the client data (MAC, IP, QoS, Security) held in the WLC-1 client database]

• An intra-controller roam happens when a client moves its association between APs joined to the same controller
• The client must be re-authenticated and a new security session established

Page 25: Design and Deployment of Enterprise WLANs

Intra-Controller Roaming: Layer 2 (Cont.)

[Figure: the client roams to a different AP on the same controller; the roaming data path still runs through WLC-1 on VLAN X, and the client data (MAC, IP, QoS, Security) stays in the WLC-1 client database]

• Client database entry with the new AP and appropriate security context
• No IP address refresh needed

Page 26: Design and Deployment of Enterprise WLANs

Intra-Controller Roaming: Layer 3

[Figure: WLC-1 on VLAN X and WLC-2 on VLAN Z, each with its own client database, exchanging mobility messages; pre-roaming data path through WLC-1, with the client data (MAC, IP, QoS, Security) held in the WLC-1 client database]

Page 27: Design and Deployment of Enterprise WLANs

Client Roaming Between Subnets: Layer 3 (Cont.)

[Figure: the client roams to a different AP on WLC-2; after the mobility message exchange the client data (MAC, IP, QoS, Security) exists in both client databases; the anchor controller and the foreign controller are joined by a data tunnel, while the pre-roaming data path entered on VLAN X and WLC-2 serves VLAN Z]

Page 28: Design and Deployment of Enterprise WLANs

Static IP Mobility with 7.0.116

[Figure: Mobility Group-1 and Mobility Group-2; WLC-1 on VLAN X and WLC-2 on VLAN Z, each with its own client database, exchanging mobility messages; a client with a static IP on VLAN X disassociates from an AP on one controller and associates on an AP on the other; the anchor controller and the foreign controller are joined by an encrypted data tunnel, the client data (MAC, IP, QoS, Security) appears in both client databases, and the pre-roaming data path ran through WLC-1]

Page 29: Design and Deployment of Enterprise WLANs

Static IP Mobility with 7.0.116

[Figure: GUI configuration screenshot]

Page 30: Design and Deployment of Enterprise WLANs

Roaming: Inter-Controller (Layer 3)

• L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and client traffic is bridged onto different subnets
• The client must be re-authenticated and a new security session established
• The client database entry is copied to the new controller; the entry exists in both WLC client DBs
• The original controller is tagged as the "anchor", the new controller as the "foreign"
• WLCs must be in the same mobility group or domain
• No IP address refresh needed
• A symmetric traffic path is established; the asymmetric option has been eliminated as of the 6.0 release
• Account for the mobility message exchange in the network design

Page 31: Design and Deployment of Enterprise WLANs

How Are We Going to Make Roaming Faster?

✓ Eliminating the (re)IP address acquisition challenge
• Eliminating full 802.1X/EAP reauthentication

Focus on Where We Can Have the Biggest Impact

Page 32: Design and Deployment of Enterprise WLANs

Fast Secure Roaming: Standard Wi-Fi Secure Roaming

• 802.1X authentication in wireless today requires three "end-to-end" transactions with an overall transaction time of > 500 ms
• 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam

Note: a mechanism is needed to centralize key distribution

[Figure: client, AP1 and AP2, a WAN, and a Cisco AAA server (ACS or ISE). 1: 802.1X initial authentication transaction; 2: 802.1X reauthentication after roaming]

Page 33: Design and Deployment of Enterprise WLANs

Cisco Centralized Key Management (CCKM)

• Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
• CCKM was originally a core feature of the "Structured Wireless Aware Network" (SWAN) architecture
• CCKM was ported to the CUWN architecture in the 3.2 release
• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
• CCKM is most widely implemented in ASDs, especially VoWLAN devices
• To work across WLCs, the WLCs must be in the same mobility group
• CCX-based laptops may not fully support CCKM; this depends on supplicant capabilities
• CCKM is standardized in 802.11r, but no clients are available yet

Page 34: Design and Deployment of Enterprise WLANs

Fast Secure Roaming: WPA2/802.11i Pairwise Master Key (PMK) Caching

• WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients
• From the 802.11i specification:
  Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later
  When a STA (re-)associates to an AP, it may attach a list of PMKIDs (which were derived via the dot1x process with this AP before) in the (re)association request frame
  When PMKIDs are present, the AP can use them to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake with the STA
  PMK cache records will be kept for one hour for non-associated STAs

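The cache logic described above, as an added example (not Cisco's implementation): a controller-side PMK cache in Python that derives PMKIDs the way 802.11i does (HMAC-SHA1-128 over "PMK Name" || AP MAC || STA MAC, keyed with the PMK), enforces the one-hour lifetime and the STA MAC check from the slide, and returns whether a (re)association may go straight to the four-way handshake. The MAC addresses, the PMK value and the injectable clock are constructed for the demonstration.

```python
"""Controller-side PMK cache lookup for a (re)association request.

Added example, not Cisco's implementation: derives the PMKID per
IEEE 802.11i, keeps records for the deck's one-hour window, binds each
record to the STA MAC that earned it, and decides whether the AP may skip
802.1X and go straight to the four-way handshake.
Keys, MACs and the clock below are constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

PMK_CACHE_TTL_SECONDS = 3600   # "kept for one hour for non-associated STAs"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def derive_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), per IEEE 802.11i."""
    msg = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


class PMKCache:
    """PMK records indexed by PMKID, each bound to the STA MAC that earned it."""

    def __init__(self, now):
        self._now = now                      # injectable clock returning seconds
        self._records: Dict[bytes, dict] = {}

    def store(self, pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
        pmkid = derive_pmkid(pmk, ap_mac, sta_mac)
        self._records[pmkid] = {"pmk": pmk, "sta": sta_mac.lower(),
                                "ap": ap_mac.lower(), "created": self._now()}
        return pmkid

    def lookup(self, pmkids: Iterable[bytes], sta_mac: str) -> Optional[bytes]:
        """Return the cached PMK for the first PMKID that is live and bound to sta_mac."""
        for pmkid in pmkids:
            rec = self._records.get(pmkid)
            if rec is None:
                continue
            if self._now() - rec["created"] > PMK_CACHE_TTL_SECONDS:
                del self._records[pmkid]     # expired: force a full 802.1X exchange
                continue
            if rec["sta"] != sta_mac.lower():
                continue                     # PMKID known, but not for this station
            return rec["pmk"]
        return None


def handle_reassociation(cache: PMKCache, pmkids, sta_mac: str) -> str:
    """What the AP does next with this (re)association request."""
    if cache.lookup(pmkids, sta_mac) is not None:
        return "four-way-handshake"          # skip 802.1X, rekey from the cached PMK
    return "full-802.1x"


# Constructed values for the demonstration (not real devices or keys).
AP_MAC = "00:1a:2b:3c:4d:5e"
STA_MAC = "00:11:22:33:44:55"
OTHER_STA = "00:11:22:33:44:66"
PMK = bytes(range(32))                       # stand-in 256-bit PMK


class FakeClock:
    """Manual clock so cache expiry can be exercised without waiting an hour."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    cache = PMKCache(clock)
    pmkid = cache.store(PMK, AP_MAC, STA_MAC)
    print(handle_reassociation(cache, [pmkid], STA_MAC))     # four-way-handshake
    clock.t += PMK_CACHE_TTL_SECONDS + 1
    print(handle_reassociation(cache, [pmkid], STA_MAC))     # full-802.1x
```
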
Page 35: Design and Deployment of Enterprise WLANs

OKC/PKC: Key Data Points

• Requires client/supplicant support
• Supported in Windows since XP SP2
• Many ASDs support OKC and/or PKC
• Check on client support for TKIP vs. CCMP; mostly CCMP only
• Enabled by default on WLCs with WPAv2
• Requires WLCs to be in the same mobility group
• Important design note: pre-positioning of roaming clients consumes spots in the client DB
• In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!

Page 36: Design and Deployment of Enterprise WLANs

How Long Does a Client Really Take to Roam?

• Time to roam = client to disassociate + probe for and select a new AP + 802.11 association + mobility message exchange between WLCs + reauthentication + rekeying + IP address (re)acquisition
• Network latency will have an impact on these times; a consideration for controller placement
• With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary

Page 37: Design and Deployment of Enterprise WLANs

How Often Do Clients Roam?

• It depends... on the types of clients and applications
• Most client devices are designed to be "nomadic" rather than "mobile", though the proliferation of small form factor "smart" devices will probably change this...
• Nomadic clients are usually programmed to try to avoid roaming... so set your expectations accordingly
• Design rule of thumb: 10-20 roams per second for every 5000 clients

Page 38: Design and Deployment of Enterprise WLANs

Designing a Mobility Group/Domain: Design Considerations

• Less roaming is better; clients and apps are happier
• While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
• L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider "worst case" scenarios in designing the roaming domain size
• Leverage natural roaming domain boundaries
• Mobility message transport selection: multicast vs. unicast
• Make sure the right ports and protocols are allowed

Page 39: Design and Deployment of Enterprise WLANs

Agenda

• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture

Page 40: Design and Deployment of Enterprise WLANs

CUWN 7.0.116 Release: Key Controller Features

Device Support: WLC-WiSM2, WLC-7500, WLC-2500, WLCM-2, AP600 / AP1550

Flexconnect Features: Scale and Groups, Local Auth, Fault Tolerance, Opportunistic Key Caching

Local-Mode Features: wIPS ELM, 11n Indoor Mesh 2.4 GHz Backhaul, VLAN Select, FIPS

Others: Client Limit on WLAN, Encrypting Neighbor Packets, Increased RF Group Scalability, Rogue Containment Enhancement, RF Group Leader Flexibility, PSB Password Enhancements, Webauth on Mac Filter Failure, Static IP Mobility, Web Authentication Proxy, CCX S60 Location Improvements, DHCP Option 60, Voice Diagnostics

Page 42: Design and Deployment of Enterprise WLANs

WiSM2 for Cisco Catalyst 6500 Series

• Enhanced operational savings: higher scale, reduced downtime during upgrades, single controller
• Higher performance: throughput, concurrent rich-media application flows
• Maximize Cisco Catalyst 6000 Series investment: supervisor and service module refresh

Specifications At-a-Glance
  Access Points: 100–500
  Clients: 10,000
  I/O: 10G
  Chassis-Level Scale: 3500 APs and 70,000 clients
  Concurrent AP Joins: 500
  Number of Phy Controllers: 1
  Power: 225W

Page 43: Design and Deployment of Enterprise WLANs

Enterprise-Grade WLC5508 for the Campus: Cisco 5500 Series Wireless Controller

Key Attributes
• Best in class performance: industry-leading encrypted throughput
• Enhanced operational savings: upgrades 500 APs within minutes, fails over 500 APs within seconds
• Enhanced rich media performance: multiple concurrent low-latency media flows

  Access Points: 12-500
  Clients: 7,000
  Form Factor: 1 RU
  IO Interface: 8x 1GE ports, LAG
  Upgrade Licenses: 25, 50, 100, 250

Page 44: Design and Deployment of Enterprise WLANs

Controller Comparison

                                                5500                         WiSM-2
Number of Access Points                         12, 25, 50, 100, 250, 500    500
Throughput                                      Up to 8 Gbps                 Up to 10 Gbps
Clients                                         Up to 7000                   Up to 10,000
Concurrent AP Upgrades/Joins                    Up to 500                    Up to 500
Network I/O                                     Up to 8x 1 Gbps SFPs         Cisco Catalyst 6000 Series backplane
Mobility Domain Size                            Up to 36,000 APs             Up to 36,000 APs
Number of Controllers per Physical Device       1                            1
Power Consumption                               125W                         225W
AP Count Upgrade via Licensing                  Yes                          Yes
Encrypted Data Link Between AP and Controller   Yes                          Yes
OfficeExtend Solution                           Yes                          Yes

Page 45: Design and Deployment of Enterprise WLANs

Cost Effective Entry Level Controllers: 2500 Wireless Controller (New)

Key Attributes
• Ability to 'scale the network as you grow' with licensing
• Part of a PCI certified architecture
• Ability to support various deployment modes

  Access Points: 5-50
  Clients: 500
  Throughput: 500 Mbps
  Deployment Model: Local and FlexConnect
  Form Factor: Desktop
  IO Interface: 4x 1GE
  Upgrade Licenses: 5, 25

Page 46: Design and Deployment of Enterprise WLANs

Wireless Controller on ISR G2/SRE (New)

Key Attributes
• Single box for branch services
• Consistency of functionality and management with controllers

  Access Points: ISM: 5-10, SM: 5-50
  Clients: 500
  Throughput: 500 Mbps
  Deployment Model: Local and FlexConnect
  Form Factor: SRE (ISM/SM)
  Upgrade Licenses: 5, 25
  Device Supported On: 1941, 2900 and 3900 Series ISR G2

Page 47: Design and Deployment of Enterprise WLANs

Cisco CleanAir: CleanAir Access Point

Detect and Classify, Mitigate, Locate

A system-wide feature that uses silicon-level intelligence to automatically mitigate the impact of wireless interference, optimize network performance, and reduce troubleshooting costs

Page 48: Design and Deployment of Enterprise WLANs

What Is CleanAir?

Cisco CleanAir: high-resolution interference detection and classification logic built in to Cisco's 802.11n Wi-Fi chip design; inline operation with no CPU or performance impact

Detect and Classify
• Uniquely identify and track multiple interferers
• Assess the unique impact on Wi-Fi performance
• Monitor air quality

[Figure: Detect and Classify chart]

Page 49: Design and Deployment of Enterprise WLANs

What Is CleanAir?

• Classification is processed on the access point
• Interference impact and data are sent to the WLC for real-time action
• WCS and MSE store data for location, history, and troubleshooting

Cisco CleanAir technology integrates interference information from the AP into the entire system

[Figure: Mitigate at the Wireless LAN Controller (Maintain Air Quality, GOOD to POOR scale across CH 1 to CH 11); Locate with WCS and MSE (Visualize and Troubleshoot)]

Page 50: Design and Deployment of Enterprise WLANs

Access Points Portfolio

[Figure: portfolio grid by environment and radio. Carpeted: 3500i (11n + CleanAir), 1140 and 1040 (11n); Ruggedized: 3500e (11n + CleanAir), 1260 (11n); Teleworker: 600 (New); Limited Lifetime Hardware Warranty]

Page 51: Design and Deployment of Enterprise WLANs

New

• 2x3 MIMO 11n speed: provides higher coverage and throughput
• CleanAir and ClientLink technology: avoids interference, delivers stronger signals to clients
• Flexible deployment: access or mesh network; fiber, UTP or wireless backhaul

Page 52: Design and Deployment of Enterprise WLANs

Cisco Aironet 1550 Series Outdoor AP

Model     2.4 GHz        5 GHz        Type             Antenna
1552E     802.11b/g/n    802.11a/n    Standard         External
1552H     802.11b/g/n    802.11a/n    Hazardous Loc.   External
1552C     802.11b/g/n    802.11a/n    Cable Modem      Integrated
1552I     802.11b/g/n    802.11a/n    Standard         Integrated

• 2 radios, 2.4/5 GHz
• 2 Tx, 3 Rx
• MIMO, 2 SS
• 3x dual-band antennas

MIMO: Multiple-In, Multiple-Out; SS: Spatial Streams

Page 54: Design and Deployment of Enterprise WLANs

Adaptive wIPS Components and Functions

[Figure: wIPS AP: Over-the-Air Detection (AP Attack Detection, 24x7 Scanning); WLC: wIPS AP Management (Configuration); MSE: Complex Attack Analysis, Forensics, Events (Alarm Archival, Capture Storage); WCS: Monitoring, Reporting (Centralized Monitoring, Historic Reporting)]

Page 55: Design and Deployment of Enterprise WLANs

Cisco Adaptive Wireless IPS with "Enhanced Local Mode (ELM)"

• Adaptive wIPS scanning in data-serving access points
• Provides protection without needing a separate overlay network
• Available as a free SW download for existing wIPS Monitor Mode customers
• ELM supported APs: 1040, 1140, 1250, 1260 and 3500

[Figure: without ELM, separate data-serving and monitor-mode APs; with ELM, a single data and wIPS AP]

Page 56: Design and Deployment of Enterprise WLANs

Deployment Recommendation

Option A: wIPS Monitor Mode, or CleanAir MMAP + wIPS MM on a CleanAir AP, alongside Local Mode APs. Recommendation: a ratio of 1:5 MMAP to Local Mode APs
Option B: Enhanced Local Mode. Turn on ELM on all APs (including CleanAir)

Page 57: Design and Deployment of Enterprise WLANs

TrustSec 2.0 and Identity Services Engine

• Centralized Policy
• Distributed Enforcement
• AAA Services
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

[Figure: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server consolidated into the Identity Services Engine]

*Current NAC and ACS hardware platform is software upgradable to ISE

Page 58: Design and Deployment of Enterprise WLANs

ISE Integrated Device Profiling

• "iPad Template" and custom templates
• Visibility for wired and wireless devices
• Simplified "device category" policy
• New device templates via subscription feeds

Page 59: Design and Deployment of Enterprise WLANs

ISE Integrated Device Profiling

• Users on the same SSID can be associated to different wired VLAN interfaces after EAP authentication
• An employee using a corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network
• An employee using a personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only

[Figure: two employees on the same SSID; CAPWAP from the APs to the controller; an 802.1Q trunk carrying VLAN 30 (Corporate Resources) and VLAN 40 (Internet); ISE as the AAA server. 1: EAP Authentication; 2: Accept with VLAN 30; 3: EAP Authentication; 4: Accept with VLAN 40]

Page 60: Design and Deployment of Enterprise WLANs

ISE Integrated Device Profiling

• Example: VLAN 30 (corporate access), VLAN 40 (internet access)

[Figure: Corporate and Internet interfaces]

Page 61: Design and Deployment of Enterprise WLANs

Laptop: assign VLAN 30

iPad: assign VLAN 40

•  ISE Setup – Authorization Profiles redirect VLAN, Override ACL, CoA…

ISE Integrated Device Profiling

Page 62: Design and Deployment of Enterprise WLANs


§ WLC CoA Setup – Pre-Auth ACL, allows ALL client traffic to ISE

§ WLAN – Dot1X, AAA Override and Radius NAC enabled.

Permit ANY to ISE (IP Addr)

ISE Integrated Device Profiling

Page 63: Design and Deployment of Enterprise WLANs


§  RADIUS probe (information about authentication, authorization and accounting requests from Network Access

§  DHCP probe (helper or SPAN)

§  HTTP user agent probe (SPAN)

Customizable Profiles

ISE Integrated Device Profiling
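As an added example (not from the deck, and not Cisco code), the following Python models the decision the preceding slides describe: ISE profiles the endpoint from its DHCP and HTTP probes, maps it to an authorization profile, and returns the VLAN to the WLC as RFC 2868 tunnel attributes, which the WLC honours only when AAA Override is enabled on the WLAN. The device templates, hostnames and user agents are constructed, and the check that the returned VLAN exists as a dynamic interface is an assumption.

```python
"""Added example (not from the Cisco deck): the ISE authorization decision
described on the slides, and the RADIUS attributes the WLC acts on.
Device templates, hostnames and user agents below are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 2868 tunnel attributes: this is how a RADIUS server (ISE) hands a VLAN
# to the WLC. The WLC applies it only when AAA Override is enabled on the WLAN.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")
TUNNEL_MEDIUM_IEEE802 = (6).to_bytes(3, "big")


@dataclass
class Endpoint:
    username: str
    ad_authenticated: bool   # EAP authentication against AD succeeded
    http_user_agent: str     # seen by the ISE HTTP probe (SPAN)
    dhcp_hostname: str       # seen by the ISE DHCP probe (helper/SPAN)


def profile_device(ep: Endpoint) -> str:
    """Constructed stand-ins for ISE profiling templates: an "iPad Template"
    keyed on the HTTP user agent, a corporate laptop keyed on its DHCP hostname."""
    ua = ep.http_user_agent.lower()
    if "ipad" in ua or "iphone" in ua:
        return "Apple-iDevice"
    if ep.dhcp_hostname.upper().startswith("CORP-"):
        return "Corporate-Laptop"
    return "Unknown"


# Authorization profiles from the slides: corporate laptop -> VLAN 30
# (full access), personal iPad/iPhone -> VLAN 40 (Internet only).
AUTHZ_PROFILES = {"Corporate-Laptop": 30, "Apple-iDevice": 40}


def authorize(ep: Endpoint) -> Optional[int]:
    """Return the VLAN to hand back, or None for an Access-Reject (failed EAP
    or an unknown device category: the device-category policy fails closed)."""
    if not ep.ad_authenticated:
        return None
    return AUTHZ_PROFILES.get(profile_device(ep))


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type (1 byte), length incl. header (1 byte), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan: int, tag: int = 0) -> bytes:
    """Access-Accept payload carrying a VLAN. Tunnel attributes start with a
    one-byte tag (0 = unused); integer values occupy the following 3 bytes."""
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN)
            + avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan).encode()))


def parse_avps(blob: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs; reject truncated or zero-length ones."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out[attr_type] = blob[i + 2:i + length]
        i += length
    return out


def strip_tag(value: bytes) -> bytes:
    # RFC 2868: a leading byte <= 0x1F is a tag, otherwise it is data.
    return value[1:] if value and value[0] <= 0x1F else value


def wlc_client_vlan(accept: bytes, aaa_override: bool,
                    dynamic_interfaces: Dict[int, str], wlan_vlan: int) -> int:
    """WLC side. Honour the RADIUS VLAN only when AAA Override is enabled and
    the VLAN exists as a dynamic interface (assumed check); otherwise the
    client stays on the WLAN's own interface."""
    if not aaa_override:
        return wlan_vlan
    attrs = parse_avps(accept)
    if strip_tag(attrs.get(TUNNEL_TYPE, b"")) != TUNNEL_TYPE_VLAN:
        return wlan_vlan
    if strip_tag(attrs.get(TUNNEL_MEDIUM_TYPE, b"")) != TUNNEL_MEDIUM_IEEE802:
        return wlan_vlan
    group_id = strip_tag(attrs.get(TUNNEL_PRIVATE_GROUP_ID, b""))
    if not group_id.isdigit():
        return wlan_vlan
    vlan = int(group_id)
    return vlan if vlan in dynamic_interfaces else wlan_vlan
```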

Page 64: Design and Deployment of Enterprise WLANs


Agenda

§ Controller-Based Architecture Overview

§ Mobility in the Cisco Unified WLAN Architecture

§ Architecture Building Blocks

§ Deploying the Cisco Unified Wireless Architecture

Page 65: Design and Deployment of Enterprise WLANs


Deploying the Cisco Unified Wireless Architecture

§ Controller Redundancy and AP Load Balancing

§ Understanding AP Groups

§  IPv6 Deployment with Controllers

§ Branch Office Designs

§ Guest Access Deployment

§ Home Office Design


Page 67: Design and Deployment of Enterprise WLANs

Controller Redundancy: Dynamic

§  Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers

§  Results in dynamic “salt-and-pepper” design

§  Design works better when controllers are “clustered” in a centralized design

§  Pros
   Easy to deploy and configure—less upfront work
   APs dynamically load-balance (though never perfectly)

§  Cons
   More intercontroller roaming
   Bigger operational challenges due to unpredictability
   Longer failover times
   No “fallback” option in the event of controller failure

§  Cisco’s general recommendation is: Only for Layer 2 roaming

§  Use deterministic redundancy instead of dynamic redundancy

Page 68: Design and Deployment of Enterprise WLANs

Controller Redundancy: Deterministic

§  Administrator statically assigns APs a primary, secondary, and/or tertiary controller

Assigned from controller interface (per AP) or WCS (template-based)

§  Pros
   Predictability—easier operational management
   More network stability
   More flexible and powerful redundancy design options
   Faster failover times
   “Fallback” option in the case of failover

§  Con
   More upfront planning and configuration

§  This is Cisco’s recommended best practice

Figure: three controllers (WLAN-Controller-A, WLAN-Controller-B, WLAN-Controller-C); APs are configured with one of:
  Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C
  Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A
  Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B

Page 69: Design and Deployment of Enterprise WLANs

Controller Redundancy: Architecture Resiliency

Figure: deterministic redundancy designs.

Three controllers (WLAN-Controller-A, -B, -C); APs are configured with one of:
  Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C
  Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A
  Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B

N:1 redundancy (WLAN-Controller-1 … WLAN-Controller-n, plus WLAN-Controller-BKP in the NOC or data center):
  APs configured with: Primary: WLAN-Controller-1, Secondary: WLAN-Controller-BKP
  APs configured with: Primary: WLAN-Controller-2, Secondary: WLAN-Controller-BKP
  APs configured with: Primary: WLAN-Controller-n, Secondary: WLAN-Controller-BKP

N:N:1 redundancy (WLAN-Controller-A and -B, plus WLAN-Controller-BKP in the NOC or data center):
  APs configured with: Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-BKP
  APs configured with: Primary: WLAN-Controller-B, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-BKP

N:N redundancy (WLAN-Controller-A and -B):
  APs configured with: Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B
  APs configured with: Primary: WLAN-Controller-B, Secondary: WLAN-Controller-A

Page 70: Design and Deployment of Enterprise WLANs

High Availability Using Cisco 5508

Primary WLC5508

Secondary WLC5508

§ APs are connected to primary WLC 5508

§  In case of hardware failure of WLC 5508

§ APs fall back to the secondary WLC 5508

§ Traffic flows through the secondary WLC 5508 and primary core switch

Page 71: Design and Deployment of Enterprise WLANs

High Availability Using WiSM: Uplink Failure on Primary Switch

Primary WiSM

Active HSRP Switch

Standby HSRP Switch

New Active HSRP Switch

§  In case of uplink failure of the primary switch

§ Standby switch becomes the active HSRP switch

§ APs are still connected to primary WiSM

§ Traffic flows through the new HSRP active switch

Page 72: Design and Deployment of Enterprise WLANs

High Availability Using WiSM-2

Primary WiSM

Secondary WiSM

§ APs are connected to primary WiSM

§  In case of hardware failure of primary WiSM

§ APs fall back to the secondary WiSM

§ Traffic flows through the secondary WiSM and the primary core switch

Page 73: Design and Deployment of Enterprise WLANs


VSS and Cisco 5508

§  Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch

§  4 ports of Cisco 5508 are connected to active VSS switch

§  2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch

§  In case of failure of the primary switch, traffic continues to flow through the secondary switch in the VSS pair

Catalyst VSS Pair

Cisco 5508

Page 74: Design and Deployment of Enterprise WLANs

VSS and WiSM-2

Figure: Virtual Switch System (VSS) pair linked by the VSL, with a Failover/State Sync VLAN between the modules.
  Switch-1 (VSS Active): data plane active, control plane active, FWSM active, WiSM-2 active
  Switch-2 (VSS Standby): data plane active, control plane standby, FWSM standby, WiSM-2 standby

Page 75: Design and Deployment of Enterprise WLANs

Controller Redundancy: High Availability

§  An AP is registered with a WLC and maintains a backup list of WLCs

§  The AP uses heartbeats to validate WLC connectivity

§  The AP uses Primary Discovery messages to validate the backup WLC list

§  When the AP loses three heartbeats, it starts the join process with the first backup WLC candidate

§  The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary

§  The AP does not re-initiate the discovery process

High Availability Principles (figure: Primary WLC, Secondary WLC)
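As an added example (not Cisco code), the following Python puts the failover rules from this slide and the deterministic designs from the earlier redundancy slides into one model: heartbeat loss, the backup-candidate order, and the primary/secondary/tertiary assignments of the N:N, N:N:1 and N:1 designs. Controller names are constructed.

```python
"""Added example (not Cisco code): the AP-side controller failover rules
from the slide, plus generators for the deterministic primary/secondary/
tertiary assignments shown in the redundancy diagrams. Controller names
are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ApHaConfig:
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


@dataclass
class GlobalHaConfig:
    """Controller-wide backup primary/secondary, consulted after the per-AP list."""
    primary: Optional[str] = None
    secondary: Optional[str] = None


def candidate_backup(ap: ApHaConfig, glob: GlobalHaConfig,
                     alive: Set[str]) -> Optional[str]:
    """First alive WLC in the order primary, secondary, tertiary, global
    primary, global secondary. 'alive' is what the AP's Primary Discovery
    messages last confirmed."""
    for name in (ap.primary, ap.secondary, ap.tertiary,
                 glob.primary, glob.secondary):
        if name and name in alive:
            return name
    return None


def deterministic_design(controllers: List[str],
                         backup: Optional[str] = None) -> Dict[str, ApHaConfig]:
    """N:N assignments as on the slides (A->B->C->A ring), extended to N:N:1
    when a shared backup controller in the NOC/data center is given: APs
    homed on controller i get primary i, secondary i+1, tertiary backup."""
    out: Dict[str, ApHaConfig] = {}
    n = len(controllers)
    for i, name in enumerate(controllers):
        nxt = controllers[(i + 1) % n]
        if backup:
            out[name] = ApHaConfig(name, nxt, backup)
        elif n > 2:
            out[name] = ApHaConfig(name, nxt, controllers[(i + 2) % n])
        else:
            out[name] = ApHaConfig(name, nxt)
    return out


def n_to_1_design(controllers: List[str], backup: str) -> Dict[str, ApHaConfig]:
    """N:1: every site keeps its own primary, with the shared backup as secondary."""
    return {name: ApHaConfig(name, backup) for name in controllers}


class ApSession:
    """One AP's view of its controller: heartbeats, and failover after three
    consecutive lost heartbeats, with no new discovery round."""
    LOST_HEARTBEATS_BEFORE_FAILOVER = 3

    def __init__(self, wlc: str, ap: ApHaConfig, glob: GlobalHaConfig):
        self.wlc, self.ap, self.glob, self.missed = wlc, ap, glob, 0
        self.joins = [wlc]   # audit trail of every controller joined

    def heartbeat(self, acknowledged: bool, alive: Set[str]) -> Optional[str]:
        """Feed one heartbeat result; return the controller the AP is now on
        (None if no backup candidate is alive)."""
        if acknowledged:
            self.missed = 0
            return self.wlc
        self.missed += 1
        if self.missed < self.LOST_HEARTBEATS_BEFORE_FAILOVER:
            return self.wlc
        # Three lost heartbeats: start the join process with the first backup
        # candidate from the list, skipping the controller that went silent.
        target = candidate_backup(self.ap, self.glob, alive - {self.wlc})
        if target is not None:
            self.wlc, self.missed = target, 0
            self.joins.append(target)
        return target
```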

Page 76: Design and Deployment of Enterprise WLANs

Controller Redundancy: High Availability with 7.0.116

To accommodate both local and remote settings, configurable options are provided so that the administrator can fine-tune the settings based on the requirements.

Timer                          New Timers      Old Timers (5508)   Old Timers (Non-5508)
Heartbeat                      1-30 seconds    10-30 seconds       1-30 seconds
Fast Heartbeat Timeout         1-10 seconds    3-10 seconds        1-10 seconds
AP Retransmit Interval         2-5 seconds     3 seconds           3 seconds
AP Retrans with FH Enabled     3-8 times       3 times             3 times
AP Retrans with FH Disabled    3-8 times       5 times             5 times
AP Fallback to next WLC        12 seconds      35 seconds          35 seconds

Page 77: Design and Deployment of Enterprise WLANs


AP Pre-Image Download in 7.0

§  Since most CAPWAP APs can download and keep more than one image of 4–5 MB each

§  AP pre-image download allows AP to download code while it is operational

§  Pre-image download operation:
   1.  Upgrade the image on the controller
   2.  Don’t reboot the controller
   3.  Issue the AP pre-image download command
   4.  Once all AP images are downloaded
   5.  Reboot the controller
   6.  AP now rejoins the controller without reboot

Figure: How much time do you save? Access Points connected over CAPWAP-L3 to the Cisco WLAN Controller; AP pre-image download, then AP joins without download.

Page 78: Design and Deployment of Enterprise WLANs


§ Upgrade the image on the controller and don’t reboot

§ Currently we have two images on the controller:

(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0

Configure AP Pre-Image Download

Page 79: Design and Deployment of Enterprise WLANs

Configure AP Pre-Image Download (Wireless > AP > Global Configuration)

Perform primary image predownload on the AP

AP Now Starts Predownloading

AP Now Swaps Image After Reboot of the Controller

Page 80: Design and Deployment of Enterprise WLANs


Deploying the Cisco Unified Wireless Architecture

§ Controller Redundancy and AP Load Balancing

§ Understanding AP Groups

§  IPv6 Deployment with Controllers

§ Branch Office Designs

§ Guest Access Deployment

§ Home Office Design

Page 81: Design and Deployment of Enterprise WLANs

AP-Groups: Default AP-Group

§  The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group

§  The default AP-Group cannot be modified

§  APs with no assignment to a specific AP-Group will use the default AP-Group

§  The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group

§  Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups

§  Maximum AP groups per platform: WLC 2106: 50, WLC 2504: 50, WLC 4400 and WiSM: 300, WLC 5508 and WiSM-2: 500, WLC 7500: 500

Page 82: Design and Deployment of Enterprise WLANs

AP-Grouping in Campus

Figure: campus network with Data Center, WAN and Internet Access blocks over Core, Distribution and Access layers; WLC-1 and WLC-2 on VLAN 100/21; CAPWAP to the APs; a single SSID (Employee) maps to VLAN 100 at every AP.

Page 83: Design and Deployment of Enterprise WLANs

AP-Grouping in Campus

Figure: the same campus with the APs split into AP-Group-1, AP-Group-2 and AP-Group-3; WLC-1 and WLC-2 on VLAN 100/21; CAPWAP to the APs; the single SSID (Employee) maps to VLAN 60/23, VLAN 70/23 or VLAN 80/23 depending on the AP group.

Page 84: Design and Deployment of Enterprise WLANs


Network Name

Default AP Group

Only WLANs 1–16 Will Be Added in Default AP Group

Default AP-Group

Page 85: Design and Deployment of Enterprise WLANs


AP Group 1

AP Group 2

AP Group 3

Multiple AP-Groups

Page 86: Design and Deployment of Enterprise WLANs

Interface-Groups 7.0.116

§  Interface-groups allow a WLAN to be mapped to a single interface or to multiple interfaces

§  Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round-robin fashion

§  Extends the current AP group and AAA override features with multiple interfaces using interface groups

§  Controllers: Interface-Groups/Interfaces
   WiSM-2, 5508, 7500, 2500: 64/64
   WiSM, 4400: 32/32
   2100 and 2504: 4/4
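As an added example (not Cisco code), the following Python models the AP-group and interface-group rules from these slides and resolves the dynamic interface a client receives; the platform limits are the ones listed above, while AP names, interface names and the campus layout are constructed.

```python
"""Added example (not Cisco code): a small model of the AP-group and
interface-group rules the slides state, used to resolve which dynamic
interface a client lands on. AP names, interface names and the campus
layout are constructed."""
from itertools import cycle
from typing import Dict, Iterator, List

# From the slides: (max AP groups, max interface groups) per platform.
PLATFORM_LIMITS = {"2106": (50, 4), "2504": (50, 4), "4400": (300, 32),
                   "WiSM": (300, 32), "5508": (500, 64), "WiSM-2": (500, 64),
                   "7500": (500, 64)}
DEFAULT_GROUP = "default-group"
MAX_WLANS = 512


class ConfigError(Exception):
    pass


class Controller:
    def __init__(self, platform: str):
        self.max_ap_groups, self.max_if_groups = PLATFORM_LIMITS[platform]
        self.interfaces: Dict[str, int] = {}            # name -> VLAN
        self.interface_groups: Dict[str, List[str]] = {}
        self._round_robin: Dict[str, Iterator[str]] = {}
        self.wlans: Dict[int, str] = {}                  # WLAN id -> interface
        # AP group -> {WLAN id -> interface or interface group}
        self.ap_groups: Dict[str, Dict[int, str]] = {DEFAULT_GROUP: {}}
        self.ap_membership: Dict[str, str] = {}          # AP name -> AP group

    def add_interface(self, name: str, vlan: int) -> None:
        self.interfaces[name] = vlan

    def add_interface_group(self, name: str, members: List[str]) -> None:
        if len(self.interface_groups) >= self.max_if_groups:
            raise ConfigError("interface-group limit reached for this platform")
        if set(members) - set(self.interfaces):
            raise ConfigError("interface group references unknown interfaces")
        self.interface_groups[name] = list(members)
        self._round_robin[name] = cycle(members)

    def create_wlan(self, wlan_id: int, interface: str) -> None:
        if not 1 <= wlan_id <= MAX_WLANS or interface not in self.interfaces:
            raise ConfigError("bad WLAN id or interface")
        self.wlans[wlan_id] = interface
        if wlan_id <= 16:   # WLAN IDs 1-16 are always in the default AP group
            self.ap_groups[DEFAULT_GROUP][wlan_id] = interface

    def add_ap_group(self, name: str) -> None:
        if name in self.ap_groups:
            raise ConfigError("AP group exists")
        if len(self.ap_groups) - 1 >= self.max_ap_groups:
            raise ConfigError("AP-group limit reached for this platform")
        self.ap_groups[name] = {}

    def map_wlan(self, group: str, wlan_id: int, target: str) -> None:
        """Map a WLAN to an interface or interface group inside an AP group."""
        if group == DEFAULT_GROUP:
            raise ConfigError("the default AP group cannot be modified")
        if wlan_id not in self.wlans:
            raise ConfigError("unknown WLAN")
        if target not in self.interfaces and target not in self.interface_groups:
            raise ConfigError("unknown interface or interface group")
        self.ap_groups[group][wlan_id] = target

    def assign_ap(self, ap: str, group: str) -> None:
        if group not in self.ap_groups:
            raise ConfigError("unknown AP group")
        self.ap_membership[ap] = group

    def resolve_interface(self, ap: str, wlan_id: int) -> str:
        """Dynamic interface for a client on this AP/WLAN. APs with no group
        use the default group; an interface group hands out its members in
        round-robin order, so consecutive clients land on different subnets."""
        group = self.ap_membership.get(ap, DEFAULT_GROUP)
        mapping = self.ap_groups[group]
        if wlan_id not in mapping:
            raise ConfigError(f"WLAN {wlan_id} is not advertised in {group}")
        target = mapping[wlan_id]
        if target in self.interface_groups:
            return next(self._round_robin[target])
        return target
```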

Page 87: Design and Deployment of Enterprise WLANs

Interface-Grouping in Campus 7.0.116

Figure: the same campus with the APs in Int-Group-1, Int-Group-2 and Int-Group-3; WLC-1 and WLC-2 on VLAN 100/21; LWAPP/CAPWAP to the APs; the single SSID (Employee) maps to an interface group of two VLANs per site: VLAN 60/23 and VLAN 61/23, VLAN 70/23 and VLAN 71/23, or VLAN 80/23 and VLAN 81/23.

Page 88: Design and Deployment of Enterprise WLANs


Multiple Interface-Groups 7.0.116

Interface Group 1

Interface Group 2

Interface Group 3

Page 89: Design and Deployment of Enterprise WLANs


Deploying the Cisco Unified Wireless Architecture

§ Controller Redundancy and AP Load Balancing

§ Understanding AP Groups

§  IPv6 Deployment with Controllers

§ Branch Office Designs

§ Guest Access Deployment

§ Home Office Design

Page 90: Design and Deployment of Enterprise WLANs

IPv6 over IPv4 Tunneling

§  Prior to the WLC 6.0 release, only IPv6 pass-through is supported, and no L2 security can be enabled on an IPv6 WLAN

§  With WLC 6.0 release, IPv6 pass-thru with Layer 2 security supported

§  To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller

§  IPv6 packets are tunneled over CAPWAP IPv4 tunnel

§  Same WLAN can support both IPv4 and IPv6 clients

§  IPv6 pass-thru and IPv4 Webauth are also supported on the same WLAN

§  IPv6 is not supported with guest mobility anchor tunneling

Figure: client IPv6 traffic tunneled over IPv4 and bridged to Ethernet
  Over the air (client to AP):      802.11 | IPv6
  CAPWAP tunnel (AP to WLC):        Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
  Wired network (WLC to Ethernet):  Ethernet II | IPv6

Page 91: Design and Deployment of Enterprise WLANs


IPv6 Configuration on WLC 6.X

§ Enable IPv6 on the WLAN and multicast on the WLC

Page 92: Design and Deployment of Enterprise WLANs


IPv6 Client Details

§  IPv6 client details on the WLC

§  IPv6 client details from dual-stack (Vista) client

Page 93: Design and Deployment of Enterprise WLANs


Deploying the Cisco Unified Wireless Architecture

§ Controller Redundancy and AP Load Balancing

§ Understanding AP Groups

§  IPv6 Deployment with Controllers

§ Branch Office Designs
   Understanding H-REAP (Hybrid REAP) AP Deployment
   Understanding Branch Controller Deployment

§ Guest Access Deployment

§ Home Office Design

Page 94: Design and Deployment of Enterprise WLANs

Branch Office Deployment: H-REAP

§ Hybrid architecture

§ Single management and control point

Centralized traffic (split MAC) Or Local traffic (local MAC)

§ HA will preserve local traffic only

WAN

Central Site

Remote Office

Centralized Traffic

Centralized Traffic

Local Traffic

Page 95: Design and Deployment of Enterprise WLANs


H-REAP Design Considerations

§ Some WAN limitations apply
   RTT must be below 300 ms for data (100 ms for voice)
   Minimum 500-byte WAN MTU (with a maximum of four fragmented packets)

§ Some features are not available in standalone mode or in local switching mode
   ACLs in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC)
   See the full list in the “H-REAP Feature Matrix”: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml

Page 96: Design and Deployment of Enterprise WLANs

Configure H-REAP Mode – Step 1: Configure Access Point Mode

§ Enable H-REAP mode per AP

§ Supported AP: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500

Page 97: Design and Deployment of Enterprise WLANs

Configure H-REAP Local Switching – Step 2: Enable Local Switching per WLAN

§ Only WLAN with “Local Switching” enabled will allow local switching at the H-REAP AP

Page 98: Design and Deployment of Enterprise WLANs

Configure H-REAP VLAN Mapping – Step 3: H-REAP Specific Configuration

§ An H-REAP AP can be connected on an access port (using the native VLAN) or connected to an 802.1Q trunk port

§ VLAN mapping is a per AP configuration on WLC and by AP group using templates on a WCS

Page 99: Design and Deployment of Enterprise WLANs

Configure H-REAP VLAN Mapping – Step 4: Per AP SSID to VLAN Mapping

§ Mapping of SSID to 802.1Q VLAN is done per H-REAP AP

§ Use WCS for configuration with templates

Page 100: Design and Deployment of Enterprise WLANs

Economies of Scale for Lean Branches: Flex 7500 Wireless Controller (New)

Key Differentiation
Ø  WAN Tolerance
   •  High-latency networks
   •  WAN survivability
Ø  Security
   •  802.1X-based port authentication
Ø  Voice support
   •  Voice CAC
   •  OKC/CCKM

Access Points: 300-2,000
Clients: 20,000
Branches: 500
Access Points / Branch: 50
Deployment Model: FlexConnect
Form Factor: 1 RU
IO Interface: 2x 10GE
Upgrade Licenses: 100, 200, 500, 1K

Page 101: Design and Deployment of Enterprise WLANs


Understanding H-REAP Groups

§  WLC supports up to 20 H-REAP groups

§  Each H-REAP group supports up to 25 H-REAP APs

§  H-REAP groups allow sharing of:
   CCKM fast roaming keys
   Local user authentication
   Local EAP authentication

WAN

Central Site

Remote Site

H-REAP Group 1

H-REAP Group 2

Remote Site

Page 102: Design and Deployment of Enterprise WLANs


H-REAP Groups and CCKM Keys

§  CCKM keys are stored on HREAP APs for Layer 2 fast roaming

§  The HREAP APs will receive the CCKM keys from the WLC

§  If a HREAP AP boots up in the standalone mode, it will not get the CCKM keys from the WLC and fast roaming is not supported

WAN

Central Site

Remote Site: H-REAP Group 1

H-REAP Group 2

Remote Site

RADIUS Server

CCKM Keys

Page 103: Design and Deployment of Enterprise WLANs


Add a New H-REAP Group

Add APs to the H-REAP Group

H-REAP Groups and CCKM Keys

Page 104: Design and Deployment of Enterprise WLANs


H-REAP Groups and Local EAP

§  In case of WAN failure (standalone mode), H-REAP APs can act as a local EAP server

§  An H-REAP group can store 100 usernames and act as a local EAP server

§  LEAP and EAP-FAST are the only supported EAP types in standalone mode

WAN

Central Site

Remote Site: H-REAP Group 1

H-REAP Group 2

Remote Site

RADIUS Server

Local EAP Server

Page 105: Design and Deployment of Enterprise WLANs


Add the H-REAP AP to the Group and Enable AP Local Authentication

Add the Username and Password to Be Stored on the HREAP AP

H-REAP Groups and Local EAP

Page 106: Design and Deployment of Enterprise WLANs


H-REAP Groups and Local RADIUS Server

§  In case of WAN failure (standalone mode), H-REAP APs can authenticate against a local RADIUS server

§  Only session-timeout RADIUS attribute (attribute 27) is supported in the standalone mode

§  RADIUS accounting is not supported in standalone mode

WAN

Central Site

Remote Site

H-REAP Group 2

RADIUS Server

RADIUS Server

H-REAP Group 1

Remote Site

Page 107: Design and Deployment of Enterprise WLANs


Add IP Address of the Remote RADIUS Server in the WLC (10.20.20.12)

Select the Remote RADIUS Server Details in HREAP Group of the Remote

H-REAP Groups and Local RADIUS Server

Page 108: Design and Deployment of Enterprise WLANs

FlexConnect Improvements in New 7.0.116

§ WAN Survivability: FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails

§ Local Authentication: allows the authentication capability to exist directly at the AP in FlexConnect instead of the WLC

§ Improved Scale
   Group scale: max H-REAP groups increased to 500 (7500s) and 100 (5500s)
   APs per group: 50 (7500s) and 25 (5500s)

§ Fast Roaming in Remote Branches: Opportunistic Key Caching (OKC) between APs in a branch

Page 109: Design and Deployment of Enterprise WLANs

Flex 7500 vs. 5500/WiSM2

FlexConnect (H-REAP)        Flex 7500   5500/WiSM2
APs Managed                 2,000       500/500
Clients Supported           20,000      7,000/10,000
Number of H-REAP Groups     500         100
APs per H-REAP Group        50          25
Number of AP Groups         500         500
APs per RRM Group           4,000       1,000
WLANs                       512         512
WLANs per H-REAP Group      16          16

Page 110: Design and Deployment of Enterprise WLANs

Controller Portfolio: Comprehensive Solution for All Segments

Figure: controllers plotted by scale (horizontal axis) and features/performance (vertical axis); Lean Branch: 2500, WLCM2; Campus and Full Service Branch: 5500, WiSM2; four entries are marked NEW.

Page 111: Design and Deployment of Enterprise WLANs


Management

Controllers

Access Points

Mobility Services

WCS

WLC

Cisco WLAN Solution Components

Page 112: Design and Deployment of Enterprise WLANs


Deploying the Cisco Unified Wireless Architecture

§ Controller Redundancy and AP Load Balancing

§ Understanding AP Groups

§  IPv6 Deployment with Controllers

§ Branch Office Designs
   Understanding H-REAP (Hybrid REAP) AP Deployment
   Understanding Branch Controller Deployment

§ Guest Access Deployment

§ Home Office Design

Page 113: Design and Deployment of Enterprise WLANs

Branch Office WLAN Controller Options

§  Appliance controllers: Cisco 2504-12, Cisco 5508-12, 5508-25

§  Integrated controller: WLAN controller module (WLCM-2) for ISR G2

Figure: Headquarters (E-Mail, WCS) connected over Internet VPN, MPLS, ATM or Frame Relay to a Branch Office (100–500 users, 5–25 APs) and a Small Office (20–100 users, 1–5 APs).

Page 114: Design and Deployment of Enterprise WLANs

Branch Office WLAN Controller Options

§  Cisco Unified Wireless Network with controller-based

§  Multiple integrated WAN options on ISR

§  Consistent branch-HQ services, features, and performance

§  Standardized branch configuration extends the unified wired and wireless network

§  Branch configuration management from central WCS

Figure: Headquarters (E-Mail, WCS) connected over Internet VPN, MPLS, ATM or Frame Relay to a Branch Office and a Small Office, each served by a Cisco 2504 ** or a WLCM-2 **.
** AP count varies depending on channel utilization and data rates

Page 115: Design and Deployment of Enterprise WLANs

When to Choose WLC 2504?

§  WLC 2504 should be used in the branch for the following reasons compared to the H-REAP solution:
   •  If you need cookie-cutter configuration for every branch site
   •  If you need Layer-3 roaming in the branch site
   •  If you need VideoStream technology in the branch site
   •  If you need to implement VLAN Select in the branch site
   •  If you need to implement static IP mobility in the branch site
   •  If you need to implement ACLs in the branch site
   •  If you need to implement peer-to-peer blocking in the branch site
   •  If you want WGB support in the branch site
   •  If you want MESH AP support in the branch site

Page 116: Design and Deployment of Enterprise WLANs


Deploying the Cisco Unified Wireless Architecture

§ Controller Redundancy and AP Load Balancing

§ Understanding AP Groups

§  IPv6 Deployment with Controllers

§ Branch Office Designs

§ Guest Access Deployment

§ Home Office Design

Page 117: Design and Deployment of Enterprise WLANs


Guest Access Deployment

§  Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers

§  Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN

§  No need to define the guest VLANs on the switches connected to the remote controllers

§  Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels

§  Redundant EoIP tunnels to the Anchor WLC

§  2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)

Wireless LAN Controller

Cisco ASA Firewall

Guest

CAPWAP

EoIP “Guest Tunnel”

Internet

Guest

DMZ or Anchor Wireless Controller

WLAN Controller Deployments with EoIP Tunnel

Page 118: Design and Deployment of Enterprise WLANs

Guest Access Deployment with 7.0.116

Figure: foreign WLCs in the campus core serve Secure and Guest SSIDs; the Secure wireless VLANs / interface groups stay in the core, with DHCP servers in the core holding per-VLAN DHCP scopes; Guest traffic is carried over EtherIP “Guest Tunnels” to Anchor1 and Anchor2, which terminate Wireless VLAN-1/WLANA, Wireless VLAN2/WLANA, Wireless VLAN3/WLANA, Wireless VLAN-4/WLANA and Wireless VLAN-B in front of the Internet, with DHCP servers in the DMZ holding per-VLAN DHCP scopes; ACS/ISE provides AAA.

Page 119: Design and Deployment of Enterprise WLANs


Interface Group and Auto Anchor Mobility Using 7.0.116

§  Clients joining a foreign WLC which is exported to an anchor WLC and mapped to an interface group will get an IP address, in round-robin fashion, from inside the interface group

§  Clients joining a foreign WLC which is exported to an anchor WLC and mapped to a single interface will get an IP address from that interface only

§  Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain their IP address

Page 120: Design and Deployment of Enterprise WLANs

Interface Group and Auto Anchor Mobility Using 7.0.116

To configure subnet/address assignment based on the foreign site/location in a guest anchor setup, the command is:

§  CLI: config wlan mobility foreign-map add <wlan-id> <mac address> <interface/interface group>

§  GUI: a new option is created under WLAN – “Foreign Maps”

Page 121: Design and Deployment of Enterprise WLANs


Deploying the Cisco Unified Wireless Architecture

§ Controller Redundancy and AP Load Balancing

§ Understanding AP Groups

§  IPv6 Deployment with Controllers

§ Branch Office Designs

§ Guest Access Deployment

§ Home Office Designs

Page 122: Design and Deployment of Enterprise WLANs

Home Office Design: OEAP AP

Figure: Headquarters (E-Mail) reached over Internet VPN, MPLS, ATM or Frame Relay.

§  Cisco controller installed in the DMZ of the corporate network

§  OfficeExtend AP (OEAP) installed at teleworker’s home

§  Corporate access to employee over centrally configured SSID

§  Family Internet access over a locally configured SSID

WLC 5508/WiSM-2

WCS

Page 123: Design and Deployment of Enterprise WLANs


OEAP 600

§  802.11n AP with dual concurrent 2.4GHz and 5GHz radios for teleworker home

§  4 local Ethernet ports

§  1 Corporate-bound port, 3 for local Ethernet devices

§  Up to 4 clients behind the corporate port

§  Corporate SSID and user-configurable Personal SSID

§  Traffic segmenting supported (corporate vs. personal traffic)

§  Local DHCP and NAT support

§  Control and data plane encryption

Page 124: Design and Deployment of Enterprise WLANs


OEAP 600

§  802.1X and MAC filtering support

§  Can be pre-provisioned by IT (batch setup, zero touch for end user) or locally provisioned by end user

§  Easy GUI setup with Corporate SSID ready in minutes

§  Desktop (horizontal) or cradle (vertical) orientation

§  Supported by all WLC 5508, 2500 and WiSM2 platforms and WCS

§  Hardware Limited Lifetime Warranty

Page 125: Design and Deployment of Enterprise WLANs


User Configuration – Easy Setup

Internet Routable IP Address

Two Setup Options Available: 1) Zero Touch (IT staged) or … 2) User Configured (Controller IP Address Entry)

Page 126: Design and Deployment of Enterprise WLANs


Sample Screen Shots Login

§ The default DHCP scope of the OEAP is 10.0.0.X, so browse to https://10.0.0.1 to get the admin page of the OEAP on ports 1, 2 and 3

Page 127: Design and Deployment of Enterprise WLANs

Home Office Design: Cisco Virtual Office Express Architecture

§  Simplified head-end VPN design

§  Cisco Enhanced Easy VPN with advanced QoS integration provides secure transport, facilitating voice and video applications (with the option of per-SA QoS)

§  Multiple head-end options to allow for a large concentration of sites with high throughput

§  Remote site presence: Cisco 870, 880, 890, or 1800 series ISR and Cisco Unified IP phones 7900 series

§  Head-end presence: 2800, 3800, 7200, or ASR series

§  Head-end (optional): wireless LAN controller, WCS, configuration engine

Simplified Head-End VPN (diagram): SOHO Cisco 800 or 1800 spoke routers – Head-end Cisco ISR (2800/3800) or Cisco 7206 VXR with VSA, or WLC – Corporate Network

Page 128: Design and Deployment of Enterprise WLANs


Cisco Unified Wireless Network – Flexible, Resilient, Scalable Architecture

Architecture diagram (labels only):

§  Access Network / Distribution Network / Data Center / Internet

§  Teleworker/SOHO: OfficeExtend AP

§  Branch Office: Unified WLC options (5508, 440x, 210x), 3750G Unified WLC, WLCM Module, Hybrid REAP, Standalone AP

§  DMZ Guest Controller: 440x, 5508 WLC

§  Network Core or Data Center – Centralized WLC Design: 440x, 5508 WLC, WiSM Unified WLC

§  Distributed WLC Design: 440x, 5508 WLC, WiSM Unified WLC

§  Highly Distributed Design: 3750G Unified WLC, Enterprise Hybrid REAP

§  Unified Outdoor/Indoor Access

§  Unified Management: Wireless Control System; Services Platform: Mobility Services Engine

Page 129: Design and Deployment of Enterprise WLANs


Summary – Key Takeaways

§  Take advantage of the standards (CAPWAP, DTLS, 802.11i, 802.11e, 802.11k, 802.11r, ...)

§  Wide range of architecture / design choices

§  Brand new controller portfolio (WiSM-2, WLC 7500, WLC 2504) with investment protection

§  Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)

§  Cisco's investment in technology – NCS, ISE, new hardware, cloud controller, Cius

Page 130: Design and Deployment of Enterprise WLANs


Documentation

§  Aironet 600 Series OEAP Access Point Configuration Guide http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml

§  Wireless Services Module 2 (WiSM2) Deployment Guide http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml

§  Flex7500 Deployment Guide http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

§  Wireless LAN (WLAN) Configuration Examples and TechNotes http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

§  H-REAP Deployment Guide http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml

§  VLAN Select Deployment Guide http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml

Page 131: Design and Deployment of Enterprise WLANs


Complete Your Online Session Evaluation

§  Receive 25 Cisco Preferred Access points for each session evaluation you complete.

§  Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.

§  Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

§  Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Page 132: Design and Deployment of Enterprise WLANs


Visit the Cisco Store for Related Titles

http://theciscostores.com


Page 134: Design and Deployment of Enterprise WLANs


Thank you.
