Posted 26-Dec-2014 by cisco-wireless (Documents)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2010 1
Design and Deployment of Enterprise WLANs BRKEWN-2010
Sujit Ghosh, CCIE #7204, Manager, Technical Marketing, Wireless Networking Business Unit
Agenda
§ Controller-Based Architecture Overview
§ Mobility in the Cisco Unified WLAN Architecture
§ Architecture Building Blocks
§ Deploying the Cisco Unified Wireless Architecture
Understanding WLAN Controllers 1st/2nd Generation vs. 3rd Generation Approach
§ 1st/2nd generation: APs act as 802.1Q translational bridge, putting client traffic on local VLANs
§ 3rd generation: Controller bridges client traffic centrally
[Figure: in the 1st/2nd generation design the AP itself sits on the Data, Voice and Management VLANs; in the 3rd generation design those VLANs terminate on the controller and the AP reaches it through an LWAPP/CAPWAP tunnel]
Centralized Wireless LAN Architecture What Is CAPWAP?
§ CAPWAP (Control and Provisioning of Wireless Access Points) runs between the APs and the WLAN controller; it is based on LWAPP
§ CAPWAP carries both control and data traffic between the two
  Control plane is DTLS encrypted
  Data plane DTLS encryption is optional; with it off, client frames travel between AP and controller in the clear on the wired network
§ LWAPP-enabled access points can discover and join a CAPWAP controller, and converting a controller to CAPWAP is seamless
§ CAPWAP is not supported in Layer 2 mode deployments
[Figure: Wi-Fi client, access point and CAPWAP controller, with the control plane and data plane running between AP and controller and the business application beyond the controller]
CAPWAP Modes: Split MAC
§ The CAPWAP protocol supports two modes of operation: Split MAC (centralized mode) and Local MAC (H-REAP)
§ Split MAC
[Figure: the STA's wireless frame is received by the WTP (AP) wireless PHY and MAC sublayer, carried as a wireless frame over the CAPWAP data plane to the AC (controller), and leaves the AC as an 802.3 frame]
CAPWAP Modes: Local MAC
§ Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
§ Locally bridged
[Figure: the WTP's wireless PHY and MAC sublayer terminate the STA's wireless frame and bridge it locally as an 802.3 frame; the AC is not in the data path]
CAPWAP Modes: Local MAC (Cont.)
§ Tunneled as 802.3 frames
[Figure: the WTP converts the STA's wireless frame to an 802.3 frame and sends it to the AC over the CAPWAP data plane]
§ Tunneled Local MAC is not supported by Cisco
§ H-REAP supports locally bridged Local MAC and Split MAC per SSID
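The difference between the always-encrypted control channel and the optionally encrypted data channel is visible in the first bytes of every CAPWAP packet. The following is an added example, not Cisco code and not from this deck: it parses the CAPWAP preamble and transport header as defined in RFC 5415 (section 4.3) and flags cleartext client data crossing the wire. The T bit it decodes is the same thing that separates Split MAC (native 802.11 frames tunneled) from the tunneled Local MAC variant (802.3 frames). The packet bytes are constructed by hand; UDP 5246 (control) and 5247 (data) are the standard CAPWAP ports.

```python
# Added example (not from the Cisco deck): parse the CAPWAP preamble and
# transport header (RFC 5415, section 4.3) to tell DTLS-protected from
# cleartext CAPWAP, and to see which frame format a cleartext data packet
# carries. Sample packets below are constructed by hand, not captured.
import struct

CAPWAP_CONTROL_PORT = 5246   # AP-to-controller control channel (RFC 5415)
CAPWAP_DATA_PORT = 5247      # AP-to-controller data channel


def parse_capwap(udp_payload: bytes, dst_port: int) -> dict:
    """Summarise one CAPWAP UDP payload.

    Preamble byte: high nibble = version (must be 0), low nibble = type
    (0 = cleartext CAPWAP header, 1 = CAPWAP DTLS header).
    """
    if len(udp_payload) < 4:
        raise ValueError("too short for a CAPWAP preamble")
    version = udp_payload[0] >> 4
    ptype = udp_payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    channel = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}.get(dst_port, "unknown")
    info = {"channel": channel, "dtls": ptype == 1}

    if ptype == 1:
        # DTLS header: preamble + 3 reserved bytes, then DTLS records.
        # Byte 4 is the DTLS record content type (22 = handshake, 23 = application data).
        if len(udp_payload) >= 5:
            info["dtls_content_type"] = udp_payload[4]
        return info
    if ptype != 0:
        raise ValueError(f"unknown CAPWAP preamble type {ptype}")

    # Cleartext header: the 24 bits after the preamble hold
    # HLEN(5) RID(5) WBID(5) T F L W M K flags(3).
    if len(udp_payload) < 8:
        raise ValueError("truncated CAPWAP header")
    w = int.from_bytes(udp_payload[1:4], "big")
    hlen_words = w >> 19
    info.update({
        "header_len": hlen_words * 4,
        "radio_id": (w >> 14) & 0x1F,
        "wbid": (w >> 9) & 0x1F,             # 1 = IEEE 802.11
        "native_80211": bool((w >> 8) & 1),  # T bit: payload is a native 802.11 frame, else 802.3
        "fragment": bool((w >> 7) & 1),
        "last_fragment": bool((w >> 6) & 1),
        "keepalive": bool((w >> 3) & 1),     # K bit: data-channel keep-alive, no client data
    })
    frag_id, frag_off_rsvd = struct.unpack("!HH", udp_payload[4:8])
    info["fragment_id"] = frag_id
    info["fragment_offset"] = frag_off_rsvd >> 3
    info["payload"] = udp_payload[hlen_words * 4:]
    return info


def cleartext_client_data(udp_payload: bytes, dst_port: int) -> bool:
    """True when client traffic crosses the wire without DTLS: a cleartext
    CAPWAP packet on the data channel that is not a keep-alive."""
    p = parse_capwap(udp_payload, dst_port)
    return p["channel"] == "data" and not p["dtls"] and not p.get("keepalive", False)


# Constructed samples (not captures).
# Cleartext data packet: HLEN=2 (8-byte header), RID=1, WBID=1 (802.11), T=1,
# followed by the start of an 802.11 data frame (frame control 0x0802).
CLEAR_DATA = bytes([0x00, 0x10, 0x43, 0x00, 0x00, 0x00, 0x00, 0x00]) + bytes.fromhex("08020000")
# DTLS-protected packet: preamble type 1, 3 reserved bytes, then a DTLS
# application-data record (content type 23, DTLS 1.0 version 0xFEFF).
DTLS_DATA = bytes([0x01, 0x00, 0x00, 0x00, 0x17, 0xFE, 0xFF]) + b"\x00" * 11

if __name__ == "__main__":
    print(parse_capwap(CLEAR_DATA, CAPWAP_DATA_PORT))
    print("cleartext client data:", cleartext_client_data(CLEAR_DATA, CAPWAP_DATA_PORT))
    print("cleartext client data:", cleartext_client_data(DTLS_DATA, CAPWAP_DATA_PORT))
```

Run against a capture of UDP 5247 between an AP and its controller, `cleartext_client_data` returning True means the optional data-plane DTLS is off and anyone on the wired path can read client frames; the control channel on 5246 should never show type-0 preambles after the initial discovery exchange.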
CAPWAP State Machine
AP boots up → Discovery → DTLS Setup → Join → Image Data → Config → Run; a Reset takes the AP back to Discovery
AP Controller Discovery
§ Layer 2 join procedure is attempted first on LWAPP APs (CAPWAP does not support Layer 2 APs): a broadcast message is sent to discover a controller on the local subnet
§ Layer 3 join process runs on CAPWAP APs, and on LWAPP APs after Layer 2 fails
Controller discovery order:
  1. Previously learned or primed controllers
  2. Subnet broadcast
  3. DHCP option 43
  4. DNS lookup
AP Controller Discovery: DHCP Option 43
[Figure: (1) the AP sends a DHCP Request; (2) the DHCP server's Offer contains option 43 with the controller address; (3) the AP sends a Layer 3 CAPWAP Discovery Request (shown as broadcast) and receives Layer 3 CAPWAP Discovery Responses]
AP Controller Discovery: DNS Option
[Figure: (1) the AP sends a DHCP Request; (2) the DHCP server's Offer contains the DNS server or servers; (3) the AP queries the DNS server for CISCO-CAPWAP-CONTROLLER.localdomain; (4) DNS answers 192.168.1.2 and the AP sends its Discovery Request there]
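The option 43 value in the DHCP Offer has a fixed Cisco encoding: one TLV whose type is 0xF1 (241), whose length is 4 times the number of controllers, and whose value is the controller management IPv4 addresses back to back. The following is an added example, not Cisco's code and not from this deck: it builds that payload for an IOS DHCP pool and validates one received from a server, rejecting the malformed encodings (wrong sub-option type, length not a multiple of 4, trailing bytes) that make an AP silently fall through to the next discovery method. `option 43 hex` is real IOS pool syntax; the addresses are constructed.

```python
# Added example, not part of the Cisco deck: build and check the DHCP option 43
# payload that Cisco lightweight APs read for controller discovery.
# Format: type 0xF1, length = 4 x number of controllers, value = IPv4 addresses.
import ipaddress

CISCO_CAPWAP_SUBOPTION = 0xF1


def encode_option43(controllers: list) -> str:
    """Hex string for `option 43 hex ...` in an IOS DHCP pool."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(body) > 255:  # a DHCP option length is a single byte
        raise ValueError("too many controllers for one option 43")
    return bytes([CISCO_CAPWAP_SUBOPTION, len(body)]).hex() + body.hex()


def decode_option43(hexstr: str) -> list:
    """Parse an option 43 payload (plain or IOS dotted hex) back into controller
    addresses; raises ValueError on anything an AP would not accept."""
    raw = bytes.fromhex(hexstr.replace(".", "").replace(":", ""))
    if len(raw) < 2 or raw[0] != CISCO_CAPWAP_SUBOPTION:
        raise ValueError("not a Cisco CAPWAP (0xF1) sub-option")
    length = raw[1]
    if length == 0 or length % 4 != 0:
        raise ValueError("length must be a non-zero multiple of 4")
    if len(raw) != 2 + length:
        raise ValueError("declared length does not match payload")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, 2 + length, 4)]


def is_valid_option43(hexstr: str) -> bool:
    """Check helper for a value copied out of a DHCP server configuration."""
    try:
        decode_option43(hexstr)
        return True
    except ValueError:
        return False


def ios_option43_line(controllers: list) -> str:
    """The pool line to paste under `ip dhcp pool <name>` on an IOS DHCP server."""
    return f" option 43 hex {encode_option43(controllers)}"


if __name__ == "__main__":
    # Constructed controller addresses, matching the DNS slide's 192.168.1.2.
    print(ios_option43_line(["192.168.1.2", "192.168.1.3"]))
    print(decode_option43("f108.c0a8.0102.c0a8.0103"))
```

Because the AP trusts whatever address option 43 hands it, the DHCP scopes that serve AP subnets deserve the same change control as the controllers themselves; a rogue or misconfigured DHCP server can steer APs to a controller of its choosing before DTLS ever starts.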
WLAN Controller Selection Algorithm
§ CAPWAP Discovery Response contains important information from the WLAN Controller:
  Controller name, controller type, controller AP capacity, current AP load, "Master Controller" status, and AP Manager IP address or addresses
§ AP selects a controller to join using the following decision criteria
  1. Attempt to join a WLAN Controller configured as a "Master" controller
  2. Attempt to join a WLAN Controller whose name matches the previously configured primary, secondary, or tertiary controller name
  3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)
§ Options #2 and #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic
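The selection rules above are easy to get wrong in a design review, so here is an added example, not Cisco code and not from this deck, that runs the decision in exactly the order the slide lists it over constructed Discovery Response summaries. The field names (`name`, `ap_capacity`, `ap_load`, `is_master`, `ap_manager_ips`) are this example's own, not Cisco's; a controller with no free AP slots is never chosen, which is why a full primary falls through to the secondary.

```python
# Added example, not from the Cisco deck: the AP-side controller selection the
# slide describes, applied to constructed CAPWAP Discovery Response summaries.
from dataclasses import dataclass, field


@dataclass
class DiscoveryResponse:
    """Fields of interest from one Discovery Response (names are this example's own)."""
    name: str
    ap_capacity: int
    ap_load: int
    is_master: bool = False
    ap_manager_ips: list = field(default_factory=list)

    @property
    def excess_capacity(self) -> int:
        return self.ap_capacity - self.ap_load


def select_controller(responses, primary=None, secondary=None, tertiary=None):
    """Return the DiscoveryResponse the AP will send its Join Request to, or None.

    Order, as on the slide: (1) a controller flagged Master, (2) the configured
    primary, then secondary, then tertiary name, (3) greatest excess AP capacity.
    """
    candidates = [r for r in responses if r.excess_capacity > 0]
    if not candidates:
        return None
    masters = [r for r in candidates if r.is_master]
    if masters:
        return max(masters, key=lambda r: r.excess_capacity)
    by_name = {r.name: r for r in candidates}
    for configured in (primary, secondary, tertiary):
        if configured and configured in by_name:
            return by_name[configured]
    return max(candidates, key=lambda r: r.excess_capacity)


def join_target(resp: DiscoveryResponse) -> str:
    """The Join Request goes to the chosen controller's AP Manager address."""
    if not resp.ap_manager_ips:
        raise ValueError(f"{resp.name} advertised no AP Manager address")
    return resp.ap_manager_ips[0]


def sample_responses():
    """Constructed responses: A nearly full, B lightly loaded, C completely full."""
    return [
        DiscoveryResponse("WLC-A", 500, 480, ap_manager_ips=["10.0.0.11"]),
        DiscoveryResponse("WLC-B", 500, 100, ap_manager_ips=["10.0.0.12"]),
        DiscoveryResponse("WLC-C", 250, 250, ap_manager_ips=["10.0.0.13"]),
    ]


if __name__ == "__main__":
    rs = sample_responses()
    print("dynamic:", select_controller(rs).name)
    print("deterministic:", select_controller(rs, primary="WLC-A").name)
    print("join target:", join_target(select_controller(rs, primary="WLC-A")))
```

With no primary/secondary/tertiary configured the AP lands on the least loaded controller (the "salt-and-pepper" dynamic design); with names configured it goes where the administrator said, unless that controller is full, which is the case to plan for when sizing deterministic redundancy.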
CAPWAP Control Messages for Join Process
§ CAPWAP Join Request: AP sends this message to the selected controller (sent to the AP Manager interface IP address)
§ CAPWAP Join Response: if the controller validates the AP's request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller
[Figure: CAPWAP Join Request from the AP to the controller, CAPWAP Join Response back]
Configuration Phase Firmware and Configuration Download
§ Firmware is downloaded by the AP from the WLC
  Firmware is downloaded only if needed; the AP reboots after the download
  Firmware is digitally signed by Cisco
§ Network configuration is downloaded by the AP from the WLC
  Configuration is encrypted in the CAPWAP tunnel
  Configuration is applied
[Figure: Cisco WLAN Controller pushing an LWAPP-L3 firmware download and a configuration download to the access points]
4.2, 6.0, 7.0? Which Version Should I Use?
§ WLC 5508 supports 6.0, 7.0.98 and 7.0.116
§ WLC7500, WiSM-2 and WLC2504 are only supported in 7.0.116
§ 6.0.202 is the latest MD (maintenance deployment) release
§ 7.0.116 will be tested for AssureWave (Blue Ribbon)
§ Please note: the current revision of 7.0 is 7.0.116.0, which is the recommended one for you today
Mobility in the Cisco Unified WLAN Architecture
Mobility Defined
§ Mobility is a key reason for wireless networks
§ Mobility means the end-user device is capable of moving location in the networked environment
§ Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!
§ Mobility presents new challenges:
  Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
  Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
§ Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
§ APs learn the IPs of the other members of the mobility group after the LWAPP Join process
§ Support for up to 24 controllers, 3600 APs per mobility group
§ Mobility messages exchanged between controllers
§ Data tunneled between controllers in EtherIP (RFC 3378); EtherIP adds no encryption of its own, so the inter-controller path must be trusted or protected separately
[Figure: Controller-A (MAC AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02) and Controller-C (AA:AA:AA:AA:AA:03), all in mobility group MyMobilityGroup, each listing the other two as mobility group neighbors; mobility messages and Ethernet-in-IP tunnels run between them]
Increased Mobility Scalability
§ Roaming is supported across three mobility groups (3 * 24 = 72 controllers)
§ With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 and 6.0.188 and 7.0
[Figure: Mobility Sub-Domain 1, 2 and 3 joined by Ethernet-in-IP tunnels and mobility messages]
How Long Does an STA Roam Take?
§ Time it takes for:
  Client to disassociate
  + Probe for and select a new AP
  + 802.11 Association
  + 802.1X/EAP Authentication
  + Rekeying
  + IP address (re)acquisition
§ All this can be on the order of seconds… Can we make this faster?
Roaming Requirements
§ Roaming must be fast … Latency can be introduced by:
  Client channel scanning and AP selection algorithms
  Re-authentication of client device and re-keying
  Refreshing of IP address
§ Roaming must maintain security
  Open auth, static WEP: session continues on the new AP
  WPA/WPAv2 Personal: new session key for encryption derived via standard handshakes
  802.1X, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and a new session key derived for encryption
How Are We Going to Make Roaming Faster?
§ Eliminating the (re)IP address acquisition challenge
§ Eliminating full 802.1X/EAP reauthentication
Focus on Where We Can Have the Biggest Impact
Intra-Controller Roaming: Layer 2
[Figure: WLC-1 and WLC-2, each with its own client database; the client data (MAC, IP, QoS, security) is held in the WLC-1 client database; pre-roaming data path on VLAN X; mobility message exchange between the WLCs]
§ An intra-controller roam happens when a client moves its association between APs joined to the same controller
§ Client must be re-authenticated and a new security session established
Intra-Controller Roaming: Layer 2 (Cont.)
[Figure: the client roams to a different AP on the same controller; its data (MAC, IP, QoS, security) stays in the WLC-1 client database and the roaming data path remains on VLAN X]
§ Client database entry is updated with the new AP and the appropriate security context
§ No IP address refresh needed
Intra-Controller Roaming: Layer 3
[Figure: pre-roaming state: the client entry (MAC, IP, QoS, security) is in the WLC-1 client database with its data path on VLAN X; WLC-2 serves VLAN Z; mobility messages are exchanged between the WLCs]
Client Roaming Between Subnets: Layer 3 (Cont.)
[Figure: the client roams to an AP joined to WLC-2; its entry (MAC, IP, QoS, security) is copied to the WLC-2 client database; WLC-1 becomes the anchor controller and WLC-2 the foreign controller, and a data tunnel between them carries the client's traffic back to VLAN X]
Static IP Mobility with 7.0.116
[Figure: WLC-1 in Mobility Group-1 and WLC-2 in Mobility Group-2; a client with a static IP on VLAN X disassociates from an AP on WLC-1 and associates on an AP on WLC-2 (VLAN Z); WLC-1 becomes the anchor controller and WLC-2 the foreign controller, with the client's data carried over an encrypted data tunnel between them]
Static IP Mobility with 7.0.116: GUI Configuration
[Screenshot of the controller GUI configuration, not reproduced]
Roaming: Inter-Controller (Layer 3)
§ L3 inter-controller roam: STA moves association between APs joined to different controllers, and client traffic is bridged onto different subnets
§ Client must be re-authenticated and a new security session established
§ Client database entry is copied to the new controller; the entry exists in both WLC client DBs
§ Original controller is tagged as the "anchor", the new controller as the "foreign"
§ WLCs must be in the same mobility group or domain
§ No IP address refresh needed
§ Symmetric traffic path established; the asymmetric option has been eliminated as of the 6.0 release
§ Account for mobility message exchange in network design
How Are We Going to Make Roaming Faster?
✓ Eliminating the (re)IP address acquisition challenge
§ Eliminating full 802.1X/EAP reauthentication
Focus on Where We Can Have the Biggest Impact
Fast Secure Roaming Standard Wi-Fi Secure Roaming
§ 802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms
§ 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam
Note: a mechanism is needed to centralize key distribution
[Figure: AP1 and AP2 reach the Cisco AAA server (ACS or ISE) across a WAN; (1) 802.1X initial authentication transaction, (2) 802.1X re-authentication after roaming]
Cisco Centralized Key Management (CCKM)
§ Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
§ CCKM was originally a core feature of the "Structured Wireless Aware Network" (SWAN) architecture
§ CCKM was ported to the CUWN architecture in the 3.2 release
§ In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
§ CCKM is most widely implemented in ASDs, especially VoWLAN devices
§ To work across WLCs, the WLCs must be in the same mobility group
§ CCX-based laptops may not fully support CCKM; it depends on supplicant capabilities
§ The same fast-roaming function is standardized as 802.11r (Fast BSS Transition), which addresses the problem CCKM solves, but no 802.11r clients are available yet
Fast Secure Roaming WPA2/802.11i Pairwise Master Key (PMK) Caching
§ WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients
§ From the 802.11i specification:
  Whenever an AP and a STA have successfully completed dot1x-based authentication, both of them may cache the PMK record to be used later
  When a STA (re)associates to an AP, it may attach a list of PMKIDs (derived via the dot1x process with this AP before) in the (re)association request frame
  When a PMKID is present, the AP uses it to retrieve the PMK record from its own PMK cache; if a PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake with the STA
§ PMK cache records are kept for one hour for non-associated STAs
OKC/PKC (Opportunistic Key Caching / Proactive Key Caching): Key Data Points
§ Requires client/supplicant support
§ Supported in Windows since XP SP2
§ Many ASDs support OKC and/or PKC
§ Check on client support for TKIP vs. CCMP; mostly CCMP only
§ Enabled by default on WLCs with WPAv2
§ Requires WLCs to be in the same mobility group
§ Important design note: pre-positioning of roaming clients consumes slots in the client DB
§ In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!
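Both the 802.11i PMK caching described two slides back and OKC rest on one computation: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), where AA is the AP's BSSID and SPA the client MAC. With plain caching the client only has a PMKID for APs it already authenticated through; with OKC the client computes a PMKID for the new AP's BSSID from the same PMK, and the controller, which holds the PMK for all its APs, can verify it. The following is an added example, not Cisco code and not from this deck: the PMKID derivation plus a controller-side cache that serves both cases and expires non-associated entries after the one hour the slide gives. The PMK is derived from a constructed passphrase for the sake of a runnable test (WPA2-PSK style); with 802.1X the PMK comes from the EAP MSK instead, but the PMKID math and the cache are the same.

```python
# Added example, not from the Cisco deck: PMKID computation from IEEE 802.11i
# and a controller-side PMK cache that serves plain PMK caching (client returns
# to an AP it authenticated with) and OKC (client moves to another AP of the
# same controller). PMK, MACs and timestamps are constructed test values.
import hashlib
import hmac
import time
from typing import Optional

PMK_CACHE_LIFETIME_S = 3600  # one hour for non-associated STAs, per the slide


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, aa: str, spa: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    AA = authenticator (BSSID), SPA = supplicant (client) MAC; 128 bits are kept."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    data = b"PMK Name" + mac_bytes(aa) + mac_bytes(spa)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PmkCache:
    """PMK cache keyed by client MAC, as a controller keeps it for all its APs."""

    def __init__(self, lifetime_s: int = PMK_CACHE_LIFETIME_S):
        self._entries = {}  # spa -> (pmk, expiry)
        self.lifetime_s = lifetime_s

    def store(self, spa: str, pmk: bytes, now: Optional[float] = None) -> None:
        """Called after a successful 802.1X/EAP authentication."""
        now = time.time() if now is None else now
        self._entries[spa.lower()] = (pmk, now + self.lifetime_s)

    def lookup(self, spa: str, aa: str, offered_pmkids, now: Optional[float] = None):
        """Return the cached PMK if one of the PMKIDs in the (re)association request
        matches this AP's BSSID and the client MAC; None means full 802.1X again."""
        now = time.time() if now is None else now
        entry = self._entries.get(spa.lower())
        if entry is None:
            return None
        pmk, expiry = entry
        if now > expiry:
            del self._entries[spa.lower()]
            return None
        expected = pmkid(pmk, aa, spa)  # OKC: derived for whichever AP the client is at now
        for offered in offered_pmkids:
            if hmac.compare_digest(offered, expected):
                return pmk
        return None


# Constructed values (not from any real network).
PMK = hashlib.pbkdf2_hmac("sha1", b"example-passphrase", b"ExampleSSID", 4096, 32)
STA = "00:11:22:33:44:55"
AP1 = "aa:aa:aa:aa:aa:01"
AP2 = "aa:aa:aa:aa:aa:02"

if __name__ == "__main__":
    cache = PmkCache()
    cache.store(STA, PMK)
    # Client roams to AP2 for the first time and offers the OKC-derived PMKID.
    print("OKC hit:", cache.lookup(STA, AP2, [pmkid(PMK, AP2, STA)]) is not None)
```

The comparison uses a constant-time check and the cache is keyed by client MAC, so a forged PMKID from a different station cannot retrieve someone else's PMK; it only ever results in a fall back to full 802.1X. The one-hour expiry is also why, as the OKC slide notes, pre-positioned roaming clients occupy client DB slots on every controller in the mobility group.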
How Long Does a Client Really Take to Roam?
§ Time to roam = client disassociation + probe for and select a new AP + 802.11 association + mobility message exchange between WLCs + reauthentication + rekeying + IP address (re)acquisition
§ Network latency will have an impact on these times; a consideration for controller placement
§ With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary
How Often Do Clients Roam?
§ It depends… types of clients and applications
§ Most client devices are designed to be “nomadic” rather than “mobile”, though proliferation of small form factor, “smart” devices will probably change this…
§ Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly
§ Design rule of thumb: 10-20 roams per second for every 5000 clients
Designing a Mobility Group/Domain
Design Considerations
§ Less roaming is better; clients and apps are happier
§ While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
§ L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider "worst case" scenarios in designing roaming domain size
§ Leverage natural roaming domain boundaries
§ Mobility message transport selection: multicast vs. unicast
§ Make sure the right ports and protocols are allowed between controllers (mobility messages use UDP 16666, the EtherIP data tunnel is IP protocol 97, and CAPWAP uses UDP 5246 for control and 5247 for data)
Architecture Building Blocks
CUWN 7.0.116 Release: Key Controller Features
Device support: WLC-WiSM2, WLC-7500, WLC-2500, WLCM-2, AP600 / AP1550
FlexConnect features: Scale and Groups; Local Auth; Fault Tolerance; Opportunistic Key Caching
Local-mode features: wIPS ELM; 11n Indoor Mesh; 2.4 GHz Backhaul; VLAN Select; FIPS
Others: Client Limit on WLAN; Encrypting Neighbor Packets; Increased RF Group Scalability; Rogue Containment Enhancement; RF Group Leader Flexibility; PSB Password Enhancements; Webauth on MAC Filter Failure; Static IP Mobility; Web Authentication Proxy; CCX S60 Location Improvements; DHCP Option 60; Voice Diagnostics
WiSM2 for Cisco Catalyst 6500 Series
§ Enhanced operational savings: higher scale; reduced downtime during upgrades; single controller
§ Higher performance: throughput; concurrent rich-media application flows
§ Maximize Cisco Catalyst 6000 Series investment: supervisor and service module refresh
Specifications at a glance:
  Access Points: 100-500
  Clients: 10,000
  I/O: 10G
  Chassis-level scale: 3500 APs and 70,000 clients
  Concurrent AP joins: 500
  Number of physical controllers: 1
  Power: 225W
Enterprise-Grade WLC5508 for the Campus: Cisco 5500 Series Wireless Controller
Key attributes:
  Ø Best in class performance: industry-leading encrypted throughput
  Ø Enhanced operational savings: upgrades 500 APs within minutes; fails over 500 APs within seconds
  Ø Enhanced rich media performance: multiple concurrent low-latency media flows
Specifications:
  Access Points: 12-500
  Clients: 7,000
  Form factor: 1 RU
  I/O interface: 8x 1GE ports, LAG
  Upgrade licenses: 25, 50, 100, 250
Controller Comparison

                                      5500                           WiSM-2
Number of Access Points               12, 25, 50, 100, 250, 500      500
Throughput                            Up to 8 Gbps                   Up to 10 Gbps
Clients                               Up to 7,000                    Up to 10,000
Concurrent AP Upgrades/Joins          Up to 500                      Up to 500
Network I/O                           Up to 8 x 1 Gbps SFPs          Cisco Catalyst 6000 Series backplane
Mobility Domain Size                  Up to 36,000 APs               Up to 36,000 APs
Controllers per Physical Device       1                              1
Power Consumption                     125W                           225W
AP Count Upgrade via Licensing        Yes                            Yes
Encrypted Data Link AP to Controller  Yes                            Yes
OfficeExtend Solution                 Yes                            Yes
Cost Effective Entry Level Controllers: 2500 Wireless Controller (New)
Key attributes:
  Ø Ability to "scale the network as you grow" with licensing
  Ø Part of a PCI certified architecture
  Ø Ability to support various deployment modes
Specifications:
  Access Points: 5-50
  Clients: 500
  Throughput: 500 Mbps
  Deployment model: Local and FlexConnect
  Form factor: Desktop
  I/O interface: 4x 1GE
  Upgrade licenses: 5, 25
Wireless Controller on ISR G2/SRE (New)
Key attributes:
  • Single box for branch services
  • Consistency of functionality and management with controllers
Specifications:
  Access Points: ISM: 5-10; SM: 5-50
  Clients: 500
  Throughput: 500 Mbps
  Deployment model: Local and FlexConnect
  Form factor: SRE (ISM/SM)
  Upgrade licenses: 5, 25
  Supported on: 1941, 2900 and 3900 Series ISR G2
Cisco CleanAir
[Figure: CleanAir access point; Detect and Classify, Mitigate, Locate]
A system-wide feature that uses silicon-level intelligence to automatically mitigate the impact of wireless interference, optimize network performance, and reduce troubleshooting costs
What Is CleanAir?
Cisco CleanAir: high-resolution interference detection and classification logic built in to Cisco's 802.11n Wi-Fi chip design; inline operation with no CPU or performance impact
Detect and Classify
[Figure: per-AP air quality and interferer scores, not reproduced]
§ Uniquely identify and track multiple interferers
§ Assess unique impact to Wi-Fi performance
§ Monitor air quality
What Is CleanAir? (Cont.)
§ Classification processed on the access point
§ Interference impact and data sent to the WLC for real-time action
§ WCS and MSE store data for location, history, and troubleshooting
Cisco CleanAir technology integrates interference information from the AP into the entire system:
  Mitigate: Wireless LAN Controller (maintain air quality)
  Locate: WCS, MSE (visualize and troubleshoot)
[Figure: air quality from GOOD to POOR across channels CH 1 to CH 11]
Access Points Portfolio
[Figure: Carpeted: 1040 (11n), 1140 (11n), 3500i (11n + CleanAir); Ruggedized: 1260 (11n), 3500e (11n + CleanAir); Teleworker: 600 (new); limited lifetime hardware warranty]
New
§ 2x3 MIMO 11n speed: provides higher coverage and throughput
§ CleanAir and ClientLink technology: avoids interference, delivers stronger signals to clients
§ Flexible deployment: access or mesh network; fiber, UTP or wireless backhaul
Cisco Aironet 1550 Series Outdoor AP

Model   2.4 GHz        5 GHz       Type             Antenna
1552E   802.11b/g/n    802.11a/n   Standard         External
1552H   802.11b/g/n    802.11a/n   Hazardous Loc.   External
1552C   802.11b/g/n    802.11a/n   Cable Modem      Integrated
1552I   802.11b/g/n    802.11a/n   Standard         Integrated

§ 2 radios, 2.4/5 GHz
§ 2 Tx, 3 Rx
§ MIMO, 2 SS
§ 3x dual-band antennas
MIMO: Multiple-In, Multiple-Out; SS: Spatial Streams
Adaptive wIPS Components and Functions
  Access point: over-the-air detection; AP attack detection; 24x7 scanning
  WLC: wIPS AP management; WLC configuration
  MSE: complex attack analysis, forensics, events; alarm archival; capture storage
  WCS: centralized monitoring; historic reporting; monitoring and reporting
Cisco Adaptive Wireless IPS with "Enhanced Local Mode (ELM)"
• Adaptive wIPS scanning in data serving access points
• Provides protection without needing a separate overlay network
• Available as a free SW download for existing wIPS Monitor Mode customers
• ELM supported APs: 1040, 1140, 1250, 1260 & 3500
[Figure: without ELM, separate data serving and monitor mode APs; with ELM, a single AP serves data and wIPS]
Deployment Recommendation
Option A: wIPS Monitor Mode, or CleanAir MMAP + wIPS MM on a CleanAir AP, alongside Local Mode APs; recommended ratio 1:5 MMAP to Local Mode APs
Option B: Enhanced Local Mode; turn on ELM on all APs (including CleanAir)
TrustSec 2.0 and Identity Services Engine
[Figure: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server converge into the Identity Services Engine]
• Centralized Policy
• Distributed Enforcement
• AAA Services
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting
*Current NAC and ACS hardware platforms are software upgradable to ISE
ISE Integrated Device Profiling
§ Visibility for wired and wireless devices
§ Simplified "device category" policy, e.g. an "iPad Template" or a custom template
§ New device templates via subscription feeds
ISE Integrated Device Profiling: Same SSID, Different VLANs
§ Users on the same SSID can be associated to different wired VLAN interfaces after EAP authentication
§ Employee using a corporate laptop with their AD user ID can be assigned to VLAN 30 to have full access to the network
§ Employee using a personal iPad/iPhone with the same AD user ID can be assigned to VLAN 40 to have internet access only
[Figure: two employees on the same SSID; APs connected over CAPWAP to the controller; controller trunked (802.1Q) to VLAN 30 (corporate resources) and VLAN 40 (internet); (1) EAP authentication, (2) ISE Accept with VLAN 30 for the laptop; (3) EAP authentication, (4) ISE Accept with VLAN 40 for the iPad]
ISE Integrated Device Profiling: Configuration
§ Example: VLAN 30 (corporate access), VLAN 40 (internet access)
§ ISE setup: authorization profiles "Laptop: assign VLAN 30" and "iPad: assign VLAN 40" (authorization profiles can redirect VLAN, override ACL, send CoA, …)
§ WLC CoA setup: a pre-auth ACL that allows ALL client traffic to ISE (permit any to the ISE IP address)
§ WLAN: Dot1X, AAA Override and RADIUS NAC enabled
§ Profiling probes (customizable profiles):
  RADIUS probe (information about authentication, authorization and accounting requests from Network Access
  DHCP (helper or SPAN)
  HTTP user agent (SPAN)
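The "Accept with VLAN 30" and "Accept with VLAN 40" steps in the same-SSID design above are carried by three RADIUS tunnel attributes from RFC 2868 in the Access-Accept: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6), and Tunnel-Private-Group-ID (81) = the VLAN number as a string, all sharing one tag octet. The following is an added example, not Cisco or ISE code and not from this deck: it builds those attributes the way an ISE authorization profile would and validates them the way the controller must before moving a session, refusing incomplete or mismatched-tag sets. The attribute bytes are constructed, not captured. The controller only honours these when AAA Override is enabled on the WLAN, as the configuration slide notes.

```python
# Added example, not from the Cisco deck: RFC 2868 tunnel attributes for
# dynamic VLAN assignment, built on the AAA (ISE) side and checked on the WLC
# side. Values are constructed; nothing here is captured from ISE.
import struct

TUNNEL_TYPE = 64               # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged 32-bit attribute: Type, Length=6, Tag (1 octet), Value (3 octets)."""
    if not 0 <= tag <= 0x1F:
        raise Value_error_for_tag(tag)
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def Value_error_for_tag(tag):
    return ValueError(f"tag {tag:#x} outside 0x00..0x1F")


def vlan_accept_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Wire-format AVPs an authorization profile emits for 'assign VLAN vlan_id'."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    group = str(vlan_id).encode("ascii")
    tpgid = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tpgid)


def parse_attributes(raw: bytes):
    """Yield (type, value) pairs from a run of RADIUS AVPs, rejecting bad lengths."""
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        t, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad attribute length")
        yield t, raw[i + 2:i + length]
        i += length


def vlan_from_accept(raw: bytes):
    """Controller-side check: return the VLAN ID only when Tunnel-Type=VLAN,
    Tunnel-Medium-Type=802 and a numeric Tunnel-Private-Group-ID all appear
    under the same tag; anything else returns None and the WLAN's static
    interface stays in effect."""
    per_tag = {}
    for t, v in parse_attributes(raw):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                return None
            per_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a first octet of 0x00..0x1F is a tag, otherwise it is data.
            tag, group = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            per_tag.setdefault(tag, {})[t] = group
    for attrs in per_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


if __name__ == "__main__":
    laptop = vlan_accept_attributes(30)   # corporate laptop -> VLAN 30
    ipad = vlan_accept_attributes(40)     # personal iPad -> VLAN 40
    print(laptop.hex(), "->", vlan_from_accept(laptop))
    print(ipad.hex(), "->", vlan_from_accept(ipad))
```

Refusing a partial attribute set matters because a profile that sends only Tunnel-Private-Group-ID, or mixes tags, is a common misconfiguration; silently accepting it would put the session on a VLAN the policy never intended.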
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
Controller Redundancy: Dynamic
§ Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
§ Results in a dynamic "salt-and-pepper" design
§ Design works better when controllers are "clustered" in a centralized design
§ Pros
  Easy to deploy and configure; less upfront work
  APs dynamically load-balance (though never perfectly)
§ Cons
  More inter-controller roaming
  Bigger operational challenges due to unpredictability
  Longer failover times
  No "fallback" option in the event of controller failure
§ Cisco's general recommendation: only for Layer 2 roaming
§ Use deterministic redundancy instead of dynamic redundancy
Controller Redundancy: Deterministic
§ Administrator statically assigns APs a primary, secondary, and/or tertiary controller
  Assigned from the controller interface (per AP) or WCS (template-based)
§ Pros
  Predictability; easier operational management
  More network stability
  More flexible and powerful redundancy design options
  Faster failover times
  "Fallback" option in the case of failover
§ Con
  More upfront planning and configuration
§ This is Cisco's recommended best practice
[Figure: WLAN-Controller-A, -B and -C; each AP group is configured with a rotated list: primary A / secondary B / tertiary C; primary B / secondary C / tertiary A; primary C / secondary A / tertiary B]
Controller Redundancy: Architecture Resiliency
Three resiliency designs are shown: N:1 Redundancy, N:N Redundancy and N:N:1 Redundancy.

N:1 Redundancy (WLAN-Controller-1 through WLAN-Controller-n at the sites, WLAN-Controller-BKP in the NOC or Data Center):
  APs configured with Primary: WLAN-Controller-1, Secondary: WLAN-Controller-BKP
  APs configured with Primary: WLAN-Controller-2, Secondary: WLAN-Controller-BKP
  APs configured with Primary: WLAN-Controller-n, Secondary: WLAN-Controller-BKP

N:N Redundancy (WLAN-Controller-A and WLAN-Controller-B):
  APs configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B
  APs configured with Primary: WLAN-Controller-B, Secondary: WLAN-Controller-A

N:N:1 Redundancy (WLAN-Controller-A and WLAN-Controller-B at the site, WLAN-Controller-BKP in the NOC or Data Center):
  APs configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-BKP
  APs configured with Primary: WLAN-Controller-B, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-BKP
High Availability Using Cisco 5508
Diagram: Primary WLC5508 and Secondary WLC5508 attached to the core switches
§ APs are connected to the primary WLC 5508
§ In case of hardware failure of the primary WLC 5508
§ APs fall back to the secondary WLC 5508
§ Traffic flows through the secondary WLC 5508 and the primary core switch
High Availability Using WiSM: Uplink Failure on Primary Switch
Diagram: Primary WiSM in the Active HSRP Switch, with a Standby HSRP Switch that becomes the New Active HSRP Switch
§ In case of uplink failure of the primary switch
§ The standby switch becomes the active HSRP switch
§ APs are still connected to the primary WiSM
§ Traffic flows through the new HSRP active switch
High Availability Using WiSM-2
Diagram: Primary WiSM and Secondary WiSM in the core switches
§ APs are connected to the primary WiSM
§ In case of hardware failure of the primary WiSM
§ APs fall back to the secondary WiSM
§ Traffic flows through the secondary WiSM and the primary core switch
VSS and Cisco 5508
§ A Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch
§ 4 ports of the Cisco 5508 are connected to the active VSS switch
§ The 2nd set of 4 ports of the Cisco 5508 is connected to the standby VSS switch
§ In case of failure of the primary switch, traffic continues to flow through the secondary switch in the VSS pair
Diagram: Cisco 5508 dual-attached to a Catalyst VSS Pair
VSS and WiSM-2
Diagram: Virtual Switch System (VSS) of Switch-1 (VSS Active) and Switch-2 (VSS Standby), joined by the VSL and a Failover/State Sync VLAN
  Switch-1 (VSS Active): Data Plane Active, Control Plane Active, FWSM Active, WiSM-2 Active
  Switch-2 (VSS Standby): Data Plane Active, Control Plane Standby, FWSM Standby, WiSM-2 Standby
Controller Redundancy: High Availability Principles
§ An AP is registered with a WLC and maintains a backup list of WLCs
§ The AP uses heartbeats to validate WLC connectivity
§ The AP uses Primary Discovery messages to validate the backup WLC list
§ When the AP loses three heartbeats it starts the join process to the first backup WLC candidate
§ The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
§ The AP does not re-initiate the discovery process
Diagram: AP with a Primary WLC and a Secondary WLC
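The heartbeat rule and candidate order above, worked through as an added example (not code from the deck or from Cisco): an AP that holds its deterministic backup list, counts lost heartbeats and, on the third loss, joins the first alive candidate in the slide's order without rediscovery. The N:N:1 assignment helper and the controller names are assumptions built from the redundancy diagrams.

```python
"""AP failover model for the CAPWAP HA principles on the slides (added
example, not Cisco code): the AP keeps a backup list, counts lost
heartbeats, and after three lost heartbeats joins the first *alive* WLC in
the order primary, secondary, tertiary, global primary, global secondary,
without re-running discovery.  Controller names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HEARTBEATS_BEFORE_FAILOVER = 3  # "When AP loses three heartbeats ..."


@dataclass(frozen=True)
class ApConfig:
    """Per-AP deterministic assignment (set per AP on the WLC or by WCS template)."""
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def backup_candidates(cfg: ApConfig, global_primary: Optional[str] = None,
                      global_secondary: Optional[str] = None) -> List[str]:
    """Ordered candidate list from the slide; empty slots and repeats are skipped."""
    ordered = [cfg.primary, cfg.secondary, cfg.tertiary, global_primary, global_secondary]
    seen: Set[str] = set()
    result: List[str] = []
    for wlc in ordered:
        if wlc and wlc not in seen:
            seen.add(wlc)
            result.append(wlc)
    return result


def select_backup(candidates: List[str], alive: Set[str], current: Optional[str]) -> Optional[str]:
    """First alive WLC in the list; 'alive' is what Primary Discovery last confirmed."""
    for wlc in candidates:
        if wlc != current and wlc in alive:
            return wlc
    return None  # nothing reachable: the AP keeps retrying, it does not rediscover


@dataclass
class AccessPoint:
    name: str
    cfg: ApConfig
    joined: Optional[str] = None
    missed: int = 0
    discovery_runs: int = 0  # stays 0: failover never re-initiates discovery

    def heartbeat(self, acknowledged: bool, alive: Set[str],
                  global_primary: Optional[str] = None,
                  global_secondary: Optional[str] = None) -> Optional[str]:
        """Process one heartbeat interval; returns the WLC the AP is joined to afterwards."""
        if acknowledged:
            self.missed = 0
            return self.joined
        self.missed += 1
        if self.missed < HEARTBEATS_BEFORE_FAILOVER:
            return self.joined  # still within tolerance, stay put
        target = select_backup(backup_candidates(self.cfg, global_primary, global_secondary),
                               alive, self.joined)
        if target is not None:
            self.joined = target
            self.missed = 0
        return self.joined


def nn1_assignments(site_wlcs: List[str], backup_wlc: str) -> Dict[str, ApConfig]:
    """N:N:1 design from the slides: each AP group uses its own site WLC as primary,
    the next site WLC as secondary, and the NOC/data-center WLC as tertiary.
    With two site WLCs this is exactly the A/B/BKP pattern drawn on the slide."""
    n = len(site_wlcs)
    return {wlc: ApConfig(primary=wlc, secondary=site_wlcs[(i + 1) % n], tertiary=backup_wlc)
            for i, wlc in enumerate(site_wlcs)}


def simulate_site_failure() -> List[Optional[str]]:
    """Walk one AP through the loss of WLAN-Controller-A, then of WLAN-Controller-B."""
    cfg = nn1_assignments(["WLAN-Controller-A", "WLAN-Controller-B"], "WLAN-Controller-BKP")
    ap = AccessPoint("ap-floor1", cfg["WLAN-Controller-A"], joined="WLAN-Controller-A")
    trace: List[Optional[str]] = []
    alive = {"WLAN-Controller-B", "WLAN-Controller-BKP"}  # A has failed
    for _ in range(3):
        trace.append(ap.heartbeat(False, alive))  # A, A, then B on the third miss
    alive = {"WLAN-Controller-BKP"}  # B fails as well
    for _ in range(3):
        trace.append(ap.heartbeat(False, alive))  # B, B, then BKP
    return trace
```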
Controller Redundancy: High Availability with 7.0.116
To accommodate both local and remote settings, configurable options are provided so that the administrator can fine-tune the settings based on the requirements.

Timer                             New Timers     Old Timers (5508)   Old Timers (non-5508)
Heartbeat                         1-30 seconds   10-30 seconds       1-30 seconds
Fast Heartbeat Timeout            1-10 seconds   3-10 seconds        1-10 seconds
AP Retransmit Interval            2-5 seconds    3 seconds           3 seconds
AP Retransmits with FH Enabled    3-8 times      3 times             3 times
AP Retransmits with FH Disabled   3-8 times      5 times             5 times
AP Fallback to next WLC           12 seconds     35 seconds          35 seconds
AP Pre-Image Download in 7.0
§ Most CAPWAP APs can download and keep more than one image of 4–5 MB each
§ AP pre-image download allows the AP to download code while it is operational
§ Pre-image download operation
  1. Upgrade the image on the controller
  2. Don't reboot the controller
  3. Issue the AP pre-image download command
  4. Once all AP images are downloaded,
  5. Reboot the controller
  6. The APs now rejoin the controller without reboot
How much time do you save?
Diagram: Access Points joined to the Cisco WLAN Controller over CAPWAP (Layer 3); AP pre-image download, then the APs join without download
Configure AP Pre-Image Download
§ Upgrade the image on the controller and don't reboot
§ Currently we have two images on the controller:
  (Cisco Controller) >show boot
  Primary Boot Image............................... 7.0.116.0 (default) (active)
  Backup Boot Image................................ 7.0.98.0
Configure AP Pre-Image Download: Wireless > AP > Global Configuration
Screenshots: perform the primary image predownload on the AP; the AP now starts predownloading; the AP swaps the image after the reboot of the controller
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
AP-Groups: Default AP-Group
§ The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
§ The default AP-Group cannot be modified
§ APs with no assignment to a specific AP-Group will use the default AP-Group
§ The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
§ Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
§ Maximum AP groups per platform: WLC 2106 (50), WLC 2504 (50), WLC 4400 and WiSM (300), WLC 5508 and WiSM-2 (500), WLC 7500 (500)
AP-Grouping in Campus
Diagram: campus with Data Center, WAN and Internet Access; Core, Distribution and Access layers; WLC-1 and WLC-2 on VLAN 100 /21; APs join over CAPWAP. Without AP groups, the single SSID (Employee) places every client on VLAN 100 in all access blocks.
AP-Grouping in Campus
Diagram: the same campus; WLC-1 and WLC-2 on VLAN 100 /21, APs join over CAPWAP. With AP groups, the single SSID (Employee) maps each access block's AP-Group (AP-Group-1, AP-Group-2, AP-Group-3) to its own VLAN (VLAN 60 /23, VLAN 70 /23, VLAN 80 /23).
Default AP-Group (screenshot): Network Name / Default AP Group; only WLANs 1–16 will be added in the Default AP Group
Multiple AP-Groups (screenshot): AP Group 1, AP Group 2, AP Group 3
Interface-Groups (7.0.116)
§ Interface-groups allow a WLAN to be mapped to a single interface or to multiple interfaces
§ Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round-robin fashion
§ Extends the current AP group and AAA override with multiple interfaces using interface groups
§ Interface-Groups/Interfaces per controller:
  WiSM-2, 5508, 7500, 2500: 64/64
  WiSM, 4400: 32/32
  2100 and 2504: 4/4
Interface-Grouping in Campus (7.0.116)
Diagram: the same campus; WLC-1 and WLC-2 on VLAN 100 /21, APs join over LWAPP/CAPWAP. The single SSID (Employee) maps each access block to an interface group spanning two VLANs: Int-Group-1, Int-Group-2 and Int-Group-3 over VLAN 60 /23 + VLAN 61 /23, VLAN 70 /23 + VLAN 71 /23 and VLAN 80 /23 + VLAN 81 /23.
Multiple Interface-Groups (7.0.116, screenshot): Interface Group 1, Interface Group 2, Interface Group 3
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
IPv6 over IPv4 Tunneling
§ Prior to the WLC 6.0 release, only IPv6 pass-through is supported, and no L2 security can be enabled on an IPv6 WLAN
§ With the WLC 6.0 release, IPv6 pass-through with Layer 2 security is supported
§ To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller
§ IPv6 packets are tunneled over the CAPWAP IPv4 tunnel
§ The same WLAN can support both IPv4 and IPv6 clients
§ IPv6 pass-through and IPv4 Webauth are also supported on the same WLAN
§ IPv6 is not supported with guest mobility anchor tunneling
Diagram: client IPv6 traffic tunneled over IPv4 and bridged to Ethernet
  Over the air:             802.11 | IPv6
  Inside the CAPWAP tunnel: Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
  On the wired side:        Ethernet II | IPv6
IPv6 Configuration on WLC 6.X
§ Enable IPv6 on the WLAN and multicast on the WLC
IPv6 Client Details
§ IPv6 client details on the WLC
§ IPv6 client details from dual-stack (Vista) client
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
  Understanding Hybrid REAP (HREAP) AP Deployment
  Understanding Branch Controller Deployment
§ Guest Access Deployment
§ Home Office Design
Branch Office Deployment: HREAP
§ Hybrid architecture
§ Single management and control point
  Centralized traffic (split MAC) or local traffic (local MAC)
§ HA will preserve local traffic only
Diagram: Central Site and Remote Office connected over the WAN; centralized traffic crosses the WAN to the central site, local traffic stays at the remote office
H-REAP Design Considerations
§ Some WAN limitations apply
  RTT must be below 300 ms for data (100 ms for voice)
  Minimum 500 bytes WAN MTU (with a maximum of four fragmented packets)
§ Some features are not available in standalone mode or in local switching mode
  ACLs in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC)
  See the full list in the "H-REAP Feature Matrix": http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Configure H-REAP Mode, Step 1: Configure Access Point Mode
§ Enable H-REAP mode per AP
§ Supported APs: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500
Configure H-REAP Local Switching, Step 2: Enable Local Switching per WLAN
§ Only WLANs with "Local Switching" enabled will allow local switching at the H-REAP AP
Configure H-REAP VLAN Mapping, Step 3: H-REAP-Specific Configuration
§ An H-REAP AP can be connected to an access port (using the native VLAN) or to an 802.1Q trunk port
§ VLAN mapping is a per-AP configuration on the WLC, or by AP group using templates on WCS
Configure H-REAP VLAN Mapping, Step 4: Per-AP SSID to VLAN Mapping
§ Mapping of SSID to 802.1Q VLAN is done per H-REAP AP
§ Use WCS for configuration with templates
Flex 7500 Wireless Controller (New): Economies of Scale for Lean Branches
Key Differentiation
Ø WAN Tolerance
  • High Latency Networks
  • WAN Survivability
Ø Security
  • 802.1X based port authentication
Ø Voice support
  • Voice CAC
  • OKC/CCKM
Specifications
  Access Points: 300–2,000
  Clients: 20,000
  Branches: 500
  Access Points / Branch: 50
  Deployment Model: FlexConnect
  Form Factor: 1 RU
  IO Interface: 2x 10GE
  Upgrade Licenses: 100, 200, 500, 1K
Understanding H-REAP Groups
§ The WLC supports up to 20 H-REAP groups
§ Each H-REAP group supports up to 25 H-REAP APs
§ H-REAP groups allow sharing of:
  CCKM fast roaming keys
  Local user authentication
  Local EAP authentication
Diagram: Central Site connected over the WAN to two Remote Sites, H-REAP Group 1 and H-REAP Group 2
H-REAP Groups and CCKM Keys
§ CCKM keys are stored on HREAP APs for Layer 2 fast roaming
§ The HREAP APs receive the CCKM keys from the WLC
§ If an HREAP AP boots up in standalone mode, it will not get the CCKM keys from the WLC and fast roaming is not supported
Diagram: Central Site (WLC and RADIUS Server) distributing CCKM Keys over the WAN to the Remote Sites, H-REAP Group 1 and H-REAP Group 2
H-REAP Groups and CCKM Keys (screenshots): add a new H-REAP Group; add APs to the H-REAP Group
H-REAP Groups and Local EAP
§ In case of WAN failure (standalone mode), HREAP APs can act as a local EAP server
§ In an HREAP group we can store 100 usernames and act as a local EAP server
§ LEAP and EAP-FAST are the only supported EAP types in standalone mode
Diagram: Central Site (WLC and RADIUS Server) connected over the WAN to the Remote Sites, H-REAP Group 1 and H-REAP Group 2, with a Local EAP Server at the remote site
H-REAP Groups and Local EAP (screenshots): add the H-REAP AP to the group and enable AP Local Authentication; add the username and password to be stored on the HREAP AP
H-REAP Groups and Local RADIUS Server
§ In case of WAN failure (standalone mode), HREAP APs can authenticate against a local RADIUS server
§ Only the session-timeout RADIUS attribute (attribute 27) is supported in standalone mode
§ RADIUS accounting is not supported in standalone mode
Diagram: Central Site (WLC and RADIUS Server) connected over the WAN to the Remote Sites, H-REAP Group 1 and H-REAP Group 2, with a local RADIUS Server at the remote site
H-REAP Groups and Local RADIUS Server (screenshots): add the IP address of the remote RADIUS server in the WLC (10.20.20.12); select the remote RADIUS server details in the HREAP group of the remote
FlexConnect Improvements in New 7.0.116
§ WAN Survivability
  The FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails
§ Local Authentication
  Allows the authentication capability to exist directly at the AP in FlexConnect instead of at the WLC
§ Improved Scale
  Group scale: max HREAP groups increased to 500 (7500s) and 100 (5500s)
  APs per group: 50 (7500s) and 25 (5500s)
§ Fast Roaming in Remote Branches
  Opportunistic Key Caching (OKC) between APs in a branch
Flex 7500 vs. 5500/WiSM2: FlexConnect (H-REAP)
                            Flex 7500    5500/WiSM2
APs Managed                 2,000        500/500
Clients Supported           20,000       7,000/10,000
Number of H-REAP Groups     500          100
APs per H-REAP Group        50           25
Number of AP Groups         500          500
APs per RRM Group           4,000        1,000
WLANs                       512          512
WLANs per H-REAP Group      16           16
Controller Portfolio: Comprehensive Solution for All Segments
Diagram: the 2500, WLCM2, 5500 and WiSM2 controllers positioned from Lean Branch to Campus and Full Service Branch, plotted by Scale against Features/Performance; new platforms are marked NEW
Cisco WLAN Solution Components
Diagram: Management (WCS), Controllers (WLC), Access Points, Mobility Services
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
  Understanding Hybrid REAP (HREAP) AP Deployment
  Understanding Branch Controller Deployment
§ Guest Access Deployment
§ Home Office Design
Branch Office WLAN Controller Options
§ Appliance controllers
  Cisco 2504-12
  Cisco 5508-12, 5508-25
§ Integrated controller
  WLAN controller module (WLCM-2) for ISR G2
Diagram: Headquarters (WCS) connected over Internet VPN, MPLS, ATM or Frame Relay to a Branch Office and a Small Office
  Branch Office: Number of Users: 100–500, Number of APs: 5–25
  Small Office: Number of Users: 20–100, Number of APs: 1–5
Branch Office WLAN Controller Options
§ Cisco Unified Wireless Network with controller-based
§ Multiple integrated WAN options on ISR
§ Consistent branch-HQ services, features, and performance
§ Standardized branch configuration extends the unified wired and wireless network
§ Branch configuration management from central WCS
Diagram: Headquarters (WCS) connected over Internet VPN, MPLS, ATM or Frame Relay to a Branch Office and a Small Office, served by Cisco 2504 *** and WLCM-2 **
** AP count varies depending on channel utilization and data rates
When to Choose WLC 2504?
§ WLC 2504 should be used in the branch, compared to the HREAP solution, for the following reasons:
  • If you need cookie-cutter configuration for every branch site
  • If you need Layer-3 roaming in the branch site
  • If you need VideoStream technology in the branch site
  • If you need to implement VLAN Select in the branch site
  • If you need to implement static IP mobility in the branch site
  • If you need to implement ACLs in the branch site
  • If you need to implement peer-to-peer blocking in the branch site
  • If you want WGB support in the branch site
  • If you want MESH AP support in the branch site
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
Guest Access Deployment
§ Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
§ Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
§ No need to define the guest VLANs on the switches connected to the remote controllers
§ The original guest's Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels
§ Redundant EoIP tunnels to the Anchor WLC
§ 2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)
Diagram: WLAN Controller Deployments with EoIP Tunnel; guest clients reach the Wireless LAN Controller over CAPWAP, the EoIP "Guest Tunnel" carries the guest traffic to the DMZ or Anchor Wireless Controller behind a Cisco ASA Firewall, and from there to the Internet
Guest Access Deployment with 7.0.116
Diagram: Foreign WLCs in the Campus Core serving Guest and Secure SSIDs, with wireless VLANs/interface groups (Wireless VLAN-1/WLAN A, VLAN2/WLAN A, VLAN3/WLAN A, VLAN-4/WLAN A and Wireless VLAN-B); EtherIP "Guest Tunnels" to Anchor1 and Anchor2 in the DMZ toward the Internet; ACS/ISE; DHCP servers in the DMZ and in the Core with per-VLAN DHCP scopes
Interface Group and Auto Anchor Mobility Using 7.0.116
§ Clients joining a foreign WLC that is exported to an anchor WLC and mapped to an interface group get an IP address, in round-robin fashion, from the subnets inside the interface group
§ Clients joining a foreign WLC that is exported to an anchor WLC and mapped to a single interface get an IP address from that interface only
§ Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured are able to keep their IP address
Interface Group and Auto Anchor Mobility Using 7.0.116
To configure subnet/address assignment based on foreign site/location in a guest anchor setup, the command is:
§ CLI: config wlan mobility foreign-map add <wlan-id> <mac address> <interface/interface group>
§ GUI: a new option is created under WLAN: "Foreign Maps"
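The foreign-map command and the address-assignment rules of the preceding slide, modelled as an added example (not Cisco code): an anchor WLAN that maps a foreign WLC's MAC to an interface or interface group, leases round-robin across a group's subnets, draws from a single interface when mapped to one, and keeps a roaming client's address. The lease logic, MAC addresses and subnets are constructed stand-ins for the controller's DHCP handling.

```python
"""Guest-anchor address assignment with interface groups and foreign maps,
following the 7.0.116 behaviour described on the slides.  Added example, not
Cisco code: the lease logic is a stand-in for the anchor's DHCP handling, and
the MAC addresses and subnets are constructed."""
import ipaddress
from typing import Dict, List, Union


class Interface:
    """A dynamic interface on the anchor WLC with one IPv4 subnet behind it."""

    def __init__(self, name: str, subnet: str, first_host: int = 10) -> None:
        self.name = name
        self.subnet = ipaddress.IPv4Network(subnet)
        self._next = first_host  # constructed stand-in for a DHCP scope

    def lease(self) -> ipaddress.IPv4Address:
        addr = self.subnet.network_address + self._next
        if addr >= self.subnet.broadcast_address:
            raise RuntimeError(f"{self.name}: scope exhausted")
        self._next += 1
        return addr


class InterfaceGroup:
    """Several interfaces; the WLC hands out addresses round-robin across them."""

    def __init__(self, name: str, members: List[Interface]) -> None:
        self.name = name
        self.members = members
        self._rr = 0

    def lease(self) -> ipaddress.IPv4Address:
        iface = self.members[self._rr % len(self.members)]
        self._rr += 1
        return iface.lease()


Target = Union[Interface, InterfaceGroup]


class AnchorWlan:
    """One exported (auto-anchored) WLAN on the anchor controller."""

    def __init__(self, wlan_id: int, default_target: Target) -> None:
        self.wlan_id = wlan_id
        self.default_target = default_target  # used when no foreign map matches
        self.foreign_map: Dict[str, Target] = {}
        self.clients: Dict[str, ipaddress.IPv4Address] = {}

    def foreign_map_add(self, foreign_wlc_mac: str, target: Target) -> None:
        """Same effect as the slide's CLI:
        config wlan mobility foreign-map add <wlan-id> <mac address> <interface/interface group>"""
        self.foreign_map[foreign_wlc_mac.lower()] = target

    def client_joins(self, client_mac: str, foreign_wlc_mac: str) -> ipaddress.IPv4Address:
        """Client anchored from the given foreign WLC; returns its address."""
        client_mac = client_mac.lower()
        if client_mac in self.clients:  # roam between foreign WLCs: keep the address
            return self.clients[client_mac]
        target = self.foreign_map.get(foreign_wlc_mac.lower(), self.default_target)
        addr = target.lease()
        self.clients[client_mac] = addr
        return addr


def demo() -> Dict[str, str]:
    """Two foreign WLCs on one anchor: east is mapped to an interface group,
    west to a single interface (all MACs and subnets constructed)."""
    east_group = InterfaceGroup("guest-east", [Interface("vlan60", "10.60.0.0/23"),
                                               Interface("vlan61", "10.61.0.0/23")])
    west_if = Interface("vlan70", "10.70.0.0/23")
    wlan = AnchorWlan(wlan_id=17, default_target=west_if)
    east_mac, west_mac = "00:11:22:33:44:01", "00:11:22:33:44:02"
    wlan.foreign_map_add(east_mac, east_group)
    wlan.foreign_map_add(west_mac, west_if)
    out = {
        "c1@east": str(wlan.client_joins("aa:bb:cc:00:00:01", east_mac)),
        "c2@east": str(wlan.client_joins("aa:bb:cc:00:00:02", east_mac)),
        "c3@east": str(wlan.client_joins("aa:bb:cc:00:00:03", east_mac)),
        "c4@west": str(wlan.client_joins("aa:bb:cc:00:00:04", west_mac)),
        "c5@west": str(wlan.client_joins("aa:bb:cc:00:00:05", west_mac)),
    }
    # c1 roams from the east foreign WLC to the west one: same anchor, same address
    out["c1@west(roam)"] = str(wlan.client_joins("AA:BB:CC:00:00:01", west_mac))
    return out
```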
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Designs
Home Office Design: OEAP AP
§ Cisco controller installed in the DMZ of the corporate network
§ OfficeExtend AP (OEAP) installed at the teleworker's home
§ Corporate access for the employee over a centrally configured SSID
§ Family Internet access over a locally configured SSID
Diagram: Headquarters (WLC 5508/WiSM-2 and WCS) reached over Internet VPN, MPLS, ATM or Frame Relay
OEAP 600
§ 802.11n AP with dual concurrent 2.4 GHz and 5 GHz radios for the teleworker home
§ 4 local Ethernet ports
§ 1 Corporate-bound port, 3 for local Ethernet devices
§ Up to 4 clients behind the corporate port
§ Corporate SSID and user-configurable Personal SSID
§ Traffic segmenting supported (corporate vs. personal traffic)
§ Local DHCP and NAT support
§ Control and data plane encryption
OEAP 600
§ 802.1X and MAC filtering support
§ Can be pre-provisioned by IT (batch setup, zero touch for end user) or locally provisioned by end user
§ Easy GUI setup with Corporate SSID ready in minutes
§ Desktop (horizontal) or cradle (vertical) orientation
§ Supported by all WLC 5508, 2500 and WiSM2 platforms and WCS
§ Hardware Limited Lifetime Warranty
User Configuration – Easy Setup
Two setup options available: 1) Zero Touch (IT staged), or 2) User Configured (the user enters the controller's Internet-routable IP address)
Sample Screen Shots: Login
§ The default DHCP scope of the OEAP is 10.0.0.X, so from a device on local port 1, 2 or 3 browse to https://10.0.0.1 to get the admin page of the OEAP
Home Office Design: Cisco Virtual Office Express Architecture
§ Simplified head-end VPN design
§ Cisco Enhanced Easy VPN with advanced QoS integration provides secure transport, facilitating voice and video applications (with the option of per-SA QoS)
§ Multiple options for the head-end to allow for a large concentration of sites and high throughput
§ Remote site presence: Cisco 870, 880, 890, or 1800 series ISR and Cisco Unified IP Phones 7900 series
§ Head-end presence: 2800, 3800, 7200, or ASR series
§ Head-end (optional): wireless LAN controller, WCS, configuration engine
Diagram: Simplified Head-End VPN; SOHO Cisco 800 or 1800 spoke routers connect to the Corporate Network through a head-end Cisco ISR (2800/3800) or Cisco 7206 VXR with VSA or WLC
Cisco Unified Wireless Network: Flexible, Resilient, Scalable Architecture
Diagram of the deployment options across the Access Network, Distribution Network, Data Center and Internet:
  Teleworker/SOHO: OfficeExtend AP
  Branch Office: Unified WLC options 5508, 440x, 210x; 3750G Unified WLC; WLCM Module; Hybrid REAP; Standalone AP
  DMZ Guest Controller: 440x, 5508 WLC
  Network Core or Data Center, Centralized WLC Design: 440x, 5508 WLC, WiSM Unified WLC
  Distributed WLC Design: 440x, 5508 WLC, WiSM Unified WLC
  Highly Distributed Design: 3750G Unified WLC, Enterprise Hybrid REAP
  Unified Outdoor/Indoor Access
  Unified Management: Wireless Control System; Services Platform: Mobility Services Engine
Summary – Key Takeaways
§ Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, ...)
§ Wide range of architecture / design choices
§ Brand new controller portfolio (WiSM-2, WLC 7500, WLC 2504) with investment protection
§ Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
§ Cisco's investment into technology – NCS, ISE, new hardware, cloud controller, Cius
Documentation
§ Aironet 600 Series OEAP Access Point Configuration Guide: http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml
§ Wireless Services Module 2 (WiSM2) Deployment Guide: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
§ Flex 7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
§ Wireless LAN (WLAN) Configuration Examples and TechNotes: http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
§ H-REAP Deployment Guide: http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
§ VLAN Select Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml
Complete Your Online Session Evaluation
§ Receive 25 Cisco Preferred Access points for each session evaluation you complete.
§ Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.
§ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
§ Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Visit the Cisco Store for Related Titles
http://theciscostores.com
Thank you.