Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide
Cisco SWAN Framework Overview
Table 1 Acronyms, Terms, and Definitions

Access Point-Based WDS Architecture: The Access Point-Based WDS architecture is an architecture with Layer 2 WLAN control domains, where WDS is hosted on Cisco Aironet access points.
Switch-Based WDS Architecture: The Switch-Based WDS architecture is an architecture with Layer 3 WLAN control domains, where the WDS is hosted on the WLSM.
mGRE: Multipoint Generic Route Encapsulation — A tunneling encapsulation type defined by IETF RFC that is leveraged by the Cisco SWAN framework switch-based WDS solution.
CCKM: Cisco Centralized Key Management — A Cisco-defined encryption key management scheme that enables fast secure roaming within a WLAN control domain.
802.1X/EAP: 802.1X is an IEEE-defined mechanism for port access control, and Extensible Authentication Protocol (EAP) is an authentication protocol defined by IETF RFC. EAP is generic enough to be implemented in a number of ways, including Cisco LEAP, EAP-FAST, PEAP, EAP-TLS, and EAP-TTLS. The combination of 802.1X port access control and an EAP authentication type is used to secure access to the WLAN.
Cisco LEAP: A Cisco-defined EAP type for secure access to the WLAN.
EAP-FAST: A Cisco-defined EAP type for secure access to the WLAN.
ACU: Cisco Aironet Client Utility.
ADU: Cisco Aironet Desktop Utility.
Cisco SWAN Framework Overview
Cisco SWAN provides the framework to integrate and extend wired and wireless networks to deliver the lowest possible total cost of ownership for companies deploying WLANs. Cisco SWAN extends "wireless awareness" into important elements of the network infrastructure, providing the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations have come to expect from their wired LANs.
The Cisco SWAN framework addresses two key issues with managing and operating WLANs: fast secure WLAN client roaming and radio management. Fast secure roaming allows WLAN clients to move association from one access point to another with little or no service disruption. Cisco SWAN radio management characterizes the radio transmission environment and responds to the conditions of the environment.
The Cisco SWAN framework can be visualized as a layered model. The Cisco SWAN framework layers are:
• Management Layer
• Wireless Domain Services Layer
• Infrastructure Access Point Layer
• Wireless Client Layer
The Cisco SWAN framework introduces WLCCP to facilitate control messaging between the framework components. Figure 1 illustrates the conceptual model of the Cisco SWAN framework, including the WLCCP messaging protocol. As shown in Figure 1, each layer is implemented in specific Cisco products.
Figure 1 Cisco SWAN Layers
The management layer supplies the processing of RM data from the lower layers, controlling and managing the radio coverage environment. This data is also used for securing the radio coverage environment by detecting rogue access points and wireless clients. Authentication, Authorization, and Accounting (AAA) services are also placed in the management layer.
The required management layer component is the CiscoWorks WLSE. An optional component is the CiscoSecure ACS. Other products with functionality equivalent to ACS may be used in Cisco SWAN.
The WDS layer provides critical services: WLAN client context awareness, fast secure roaming, and aggregation of radio management data from the infrastructure access point and client layer. WDS is implemented in supporting versions of Cisco IOS for the Cisco Aironet 1100 and 1200 series access points and on the special Cisco IOS running on the wireless LAN service module for the Catalyst 6500 switch platform. The solution architecture dictates whether to use the WDS access point or the WLSM implementation.
The infrastructure access point layer facilitates WLAN client access to the wired network, radio downlink encryption, and radio management data collection, including ongoing radio monitoring.
The client layer includes all wireless clients. Advanced SWAN framework features take advantage of client-side capabilities to allow for radio measurement collection from the WLAN clients and fast secure roaming.
Figure 2 represents a logical, hierarchical view of the SWAN framework that clearly illustrates the importance of the WDS layer.
Figure 2 Cisco SWAN Logical View
[Figure 2 labels: WLSE, ACS, WDS, WLAN control domain, RADIUS control domain, 802.1x authenticator, WLCCP messages, data packets, IP]
WDS is configured to run on a supporting device: either a Cisco Aironet 1100 or 1200 access point for the Layer 2 architectural solution or the WLSM for the switch-based, Layer 3 solution. In both cases, infrastructure access points register with the WDS using special WLCCP messages.
Once registered, the infrastructure access points forward client association, authentication, and roaming information through the WDS via WLCCP MN registration messages, allowing the WDS to control and track wireless clients. If client authentication is implemented using 802.1x with any EAP type (such as Cisco LEAP, EAP-FAST, PEAP, EAP-TLS, or EAP-TTLS), the WDS performs an additional important role by acting as the 802.1x authenticator for all wireless clients. In 802.1x authentication transactions, the WDS communicates directly with the RADIUS server. Any valid wireless client is associated with an infrastructure access point and registered with the WDS.
A WDS, its registered infrastructure access points, and registered clients make up a WLAN control domain. Wireless clients can seamlessly roam between access points within a WLAN control domain. A WDS also collects radio management data from the infrastructure access points and, potentially, the MNs within the WLAN control domain via special WLCCP radio management (WLCCP-RM) messages. This data is aggregated by the WDS and passed on to the WLSE in WLCCP-RM messages.
The WLSE uses this RM data to control and manage the radio coverage environment and to detect rogue access points and clients.
Cisco SWAN offers two basic WLAN architectures: an architecture supporting a Layer 2 WLAN control domain and an architecture supporting a Layer 3 WLAN control domain. The Layer 2 architecture leverages access point-based WDS. This architecture is called the access point-based WDS solution. The Layer 3 architecture leverages WLSM-based WDS and is called the switch-based WDS solution.
Figure 3 shows the access point-based WDS solution.
Figure 3 Access Point-Based WDS Solution
In the access point-based WDS solution, infrastructure access points discover the WDS via special WLCCP multicast messages. You must have an access point running WDS on each Layer 2 subnet. The solution supports up to 30 infrastructure access points when the WDS-host access point is also serving wireless clients and up to 60 infrastructure access points when the WDS-host access point is not serving wireless clients. The access point-based WDS solution facilitates seamless MN roaming across a Layer 2 WLAN control context.
Figure 4 shows the switch-based WDS solution.
Figure 4 Switch-Based WDS Solution
In the switch-based WDS solution, mGRE tunnels are built from the Catalyst 6500 switch hosting the WLSM where the WDS is running. Wireless client data is tunneled to the Catalyst 6500 switch where it is forwarded appropriately. The mGRE tunnel legs are built when the infrastructure access points register with the WDS on the WLSM. Wireless client authentication and MN registration WLCCP messages are forwarded to the WLSM for centralized processing. Unlike wireless client data traffic, WLCCP messages are not forwarded on the mGRE tunnel legs. Rather, these messages traverse the network like standard IP packets. The switch-based WDS architecture offers complete control and data plane separation, which are essential elements to true network scalability. The switch-based WDS solution facilitates seamless roaming across a Layer 3 WLAN control context and supports up to 300 registered infrastructure access points and 6000 MNs per WLSM.
CISCO SWAN Framework Components
The Cisco SWAN framework has software and hardware components.
The software components are:
• WDS
• WLCCP
The hardware components are:
• WDS-host devices
• Infrastructure access points
• WLSE
• Cisco and Cisco compatible clients
Software Components
There are two software components essential to the operation of the Cisco SWAN framework: WDS and WLCCP.
WLCCP
WLCCP is a Cisco-defined control protocol that allows control communication between the Cisco SWAN components. WLCCP messages are used to authenticate and register Cisco SWAN components, constructing the Cisco SWAN control topology. The WLCCP messages are used in WLAN client association and authentication, and re-association and re-authentication during client roaming. WLCCP-RM is used to transfer radio measurement data between the Cisco SWAN components. A technical discussion of WLCCP is beyond the scope of this document.
WDS
WDS is a set of IOS services that define a WLAN control domain. Within a WLAN control domain, all infrastructure access points register with the WDS. After registration, 802.1x WLAN client authentications are forwarded through the WDS. Infrastructure access points register their associated WLAN clients with the WDS, so the WDS tracks all WLAN clients within the WLAN control domain. WDS also collects radio management data from infrastructure access points (and optionally mobile nodes), aggregates the data, and forwards it to the CiscoWorks WLSE for intelligent processing. WDS can be implemented on an access point or on the WLSM.
Hardware Components
The hardware required to implement the Cisco SWAN framework includes WDS hosting devices, infrastructure access points, and the CiscoWorks WLSE. Optional hardware components include WLAN client devices: Cisco Aironet client adapters and devices certified as part of the Cisco Compatible Extensions program.
WDS-Host Devices
WDS can be hosted on an access point or on the WLSM. WDS is supported on the Cisco Aironet 1100 and 1200 series IOS-based access points for the access point-based WDS solution. WDS is supported on the WLSM for the switch-based WDS solution.
Infrastructure Access Points
Infrastructure access points register with the WDS within the WLAN control domain. The Cisco Aironet 350, 1100, and 1200 series IOS-based access points are supported as infrastructure access points in the access point-based WDS solution. Cisco Aironet 1100 and 1200 series IOS-based access points are supported as infrastructure access points in the switch-based WDS solution.
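The sizing limits given in the framework overview (one WDS access point per Layer 2 subnet with 30 or 60 infrastructure access points, 300 access points and 6000 MNs per WLSM) and the supported infrastructure access point series listed above can be checked against a planned deployment before any device is configured. The following is an added example, not Cisco code or anything from this guide; it assumes the WDS-host access point is not counted among its own infrastructure access points, and the sample deployment is constructed.

```python
from dataclasses import dataclass
from math import ceil

# Limits stated in this guide.
AP_WDS_LIMIT = {True: 30, False: 60}        # key: WDS-host AP also serves clients?
WLSM_AP_LIMIT, WLSM_MN_LIMIT = 300, 6000    # infrastructure APs / MNs per WLSM
AP_BASED_SERIES = {"350", "1100", "1200"}   # infrastructure APs, AP-based WDS
SWITCH_BASED_SERIES = {"1100", "1200"}      # infrastructure APs, switch-based WDS

@dataclass
class Subnet:
    """One Layer 2 subnet; ap_series counts infrastructure APs by series (WDS host excluded, an assumption)."""
    name: str
    ap_series: dict      # e.g. {"1100": 20, "350": 4}
    mobile_nodes: int
    wds_ap_serves_clients: bool = True

    def ap_count(self) -> int:
        return sum(self.ap_series.values())

def unsupported(subnet, allowed):
    """Access point series present in the subnet that the solution does not support."""
    return sorted(set(subnet.ap_series) - allowed)

def check_ap_based(subnets):
    """AP-based WDS: one WDS AP per Layer 2 subnet, 30 or 60 infrastructure APs each.
    Returns (WDS-host APs needed, constraint violations)."""
    problems = []
    for s in subnets:
        if unsupported(s, AP_BASED_SERIES):
            problems.append(f"{s.name}: series {unsupported(s, AP_BASED_SERIES)} not supported")
        limit = AP_WDS_LIMIT[s.wds_ap_serves_clients]
        if s.ap_count() > limit:
            problems.append(f"{s.name}: {s.ap_count()} APs exceed the WDS limit of {limit}")
    return len(subnets), problems

def check_switch_based(subnets):
    """Switch-based WDS: WLSMs needed is bounded by both 300 APs and 6000 MNs.
    Returns (WLSMs needed, constraint violations)."""
    problems = [f"{s.name}: series {unsupported(s, SWITCH_BASED_SERIES)} not supported"
                for s in subnets if unsupported(s, SWITCH_BASED_SERIES)]
    aps = sum(s.ap_count() for s in subnets)
    mns = sum(s.mobile_nodes for s in subnets)
    return max(1, ceil(aps / WLSM_AP_LIMIT), ceil(mns / WLSM_MN_LIMIT)), problems

SAMPLE = [  # constructed sample deployment, not from the guide
    Subnet("floor1", {"1100": 25, "350": 4}, 500),
    Subnet("floor2", {"1200": 45}, 900, wds_ap_serves_clients=False),
    Subnet("floor3", {"1200": 35}, 7000),
]
```

Running both checks over SAMPLE shows floor3 exceeding the 30-AP limit of a client-serving WDS access point, and the Aironet 350 units on floor1 ruling that subnet out of the switch-based solution, which would otherwise need two WLSMs because of the MN count.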
Table of contents
- 5 Audience
- 6 Acronyms and Terms
- 7 Cisco SWAN Framework Overview
- 11 CISCO SWAN Framework Components
- 12 Software Components
- 12 WLCCP
- 12 WDS
- 12 Hardware Components
- 12 WDS-Host Devices
- 12 Infrastructure Access Points
- 13 Cisco Wireless LAN Solution Engine (CiscoWorks WLSE)
- 13 WLAN Client Devices
- 13 Implementing the Cisco SWAN Framework
- 14 Common Tasks
- 14 Configuring the CiscoSecure ACS Server for Infrastructure Authentication
- 16 Adding Username and Password Credentials
- 17 Configuring the Local RADIUS Server on the Access Point for Infrastructure Authentication
- 18 Configuring the AAA Server to Support WLAN Client Authentication
- 18 Preparing the CiscoWorks WLSE for Managing WLAN Devices
- 21 Configuring Advanced Discovery Options
- 21 Using Automatic Configuration
- 21 Access Point-Based WDS Solution Configuration
- 21 Configuring the WDS Access Point
- 23 Configuring the Infrastructure Access Point
- 24 Managing the Access Points with the CiscoWorks WLSE
- 25 Validating the Configuration
- 25 Switch-Based WDS Solution Configuration
- 25 Configuring the Catalyst 6500 Supervisor 720
- 26 Configuring the WDS on the WLSM
- 28 Configuring the Infrastructure Access Points
- 29 Managing the WLSM and Access Points with the CiscoWorks WLSE
- 29 Validating the Setup
- 31 Fast Secure Roaming with CCKM
- 32 When Not Using Multiple Authentication Types, Encryption Types, or VLANs
- 32 When Using Multiple Encryption Types or VLANs
- 33 Configuring ACU to use CCKM
- 34 Cisco SWAN Radio Management Features
- 35 Preparing to Use Cisco SWAN Radio Management
- 36 Cisco SWAN Radio Management Features