Design and Deployment of Enterprise WLANs
BRKEWN-2010
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
Centralised Wireless LAN Architecture
What Is CAPWAP?
• CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between APs and the WLAN controller; it is based on LWAPP
• CAPWAP carries both control and data traffic between the two
‒ Control plane is DTLS encrypted
‒ Data plane is DTLS encrypted (optional)
• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion of a controller to CAPWAP is seamless
• CAPWAP is not supported in Layer 2 mode deployments
[Diagram: Wi-Fi client, access point, CAPWAP data plane and control plane, controller, business application]
CAPWAP Modes
Split MAC
• The CAPWAP protocol supports two modes of operation
‒ Split MAC (centralised mode)
‒ Local MAC (H-REAP or FlexConnect)
• Split MAC
[Diagram: the STA's wireless frame reaches the WTP (wireless PHY and MAC sublayer) and is carried over the CAPWAP data plane to the AC, which forwards it as an 802.3 frame]
CAPWAP Modes
Local MAC
• Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
• Tunneled as 802.3 frames
[Diagram: the STA's wireless frame is converted to an 802.3 frame at the WTP (wireless PHY and MAC sublayer) and carried over the CAPWAP data plane to the AC as an 802.3 frame]
• Tunnelled local MAC is not supported by Cisco
• H-REAP/FlexConnect support locally bridged MAC and split MAC per SSID
CAPWAP State Machine
[Diagram: AP boots up, then Discovery, DTLS Setup, Join, Image Data, Config and Run; a Reset returns the AP to Discovery]
AP Controller Discovery
Controller Discovery Order
• Layer 2 join procedure attempted on LWAPP APs
‒ (CAPWAP does not support Layer 2 APs)
‒ Broadcast message sent to discover a controller on the local subnet
• Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails
‒ Previously learned or primed controllers
‒ Subnet broadcast
‒ DHCP option 43
‒ DNS lookup
Efficient CAPWAP Operation
Best Practices
• Define the wireless access point DHCP scopes
• Default router IP address for the access point scope
• Helper address (forwarding UDP 5246 to the WLC's management interface)
• Domain name
• Appropriate DHCP lease timer for APs
• Pool sizes for WLAN devices sized according to the different types of sites
• If NAT is used, static 1-to-1 NAT to an outside address is recommended
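The DHCP option 43 discovery path listed above, as an added Python example that is not from the deck: it builds and parses the Cisco controller-list sub-option (type 241, 0xF1) in the dotted-hex form IOS takes after `option 43 hex`, and rejects malformed lengths instead of trusting them. The WLC addresses are constructed samples.

```python
"""
Encode and decode the DHCP option 43 value that Cisco lightweight APs use to
learn WLC management addresses during CAPWAP Layer 3 discovery. The vendor
sub-option for the controller list is type 241 (0xF1); its length is 4 times
the number of controllers and its value is the management IPv4 addresses.
IOS accepts it as dotted hex, e.g. 'option 43 hex f108.0a7e.7e02.0a7f.7f02'.
The controller addresses used below are constructed samples.
"""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1   # vendor sub-option 241: controller management IPs
MAX_SUBOPTION_LEN = 255      # one-byte length field


def encode_option43(controllers):
    """Return the raw option 43 value for a list of WLC management IPv4s."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    length = 4 * len(addrs)
    if length > MAX_SUBOPTION_LEN:
        raise ValueError("too many controllers for one sub-option")
    return bytes([CISCO_WLC_SUBOPTION, length]) + b"".join(a.packed for a in addrs)


def to_ios_hex(payload):
    """Render raw bytes in the dotted-hex form IOS takes after 'option 43 hex'."""
    digits = payload.hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def from_ios_hex(text):
    """Inverse of to_ios_hex."""
    return bytes.fromhex(text.replace(".", ""))


def decode_option43(payload):
    """Walk every TLV sub-option and return the controller addresses carried in
    sub-option 0xF1. Malformed data raises ValueError rather than being used."""
    controllers = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        sub_type, sub_len = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("sub-option length runs past the end of the payload")
        if sub_type == CISCO_WLC_SUBOPTION:
            if sub_len == 0 or sub_len % 4:
                raise ValueError("controller list length must be a non-zero multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[i:i + 4]))
                            for i in range(0, sub_len, 4)]
        pos += 2 + sub_len
    return controllers
```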
Sample Port Configuration
Controller Port:
interface GigabitEthernet<port>
 description <WLC name>
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan <vlan-list>
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast trunk

AP Port Configuration:
ip forward-protocol udp 5246
interface vlan <SVC>
 ip helper-address <WLC1managementInterface>
 ip helper-address <WLC2managementInterface>
6.0, 7.0, 7.2, 7.3? Which Version Should I Use?
• WLC 5508 supports 6.0, 7.0, 7.2 and 7.3
• WLC 7500, WiSM-2 and WLC 2504 are only supported in 7.0 onwards
• 7.0.220 is the latest MD AssureWave (Blue Ribbon) release
• Please note the current revision of 7.0, 7.0.235.3, which is the recommended one for you today
Mobility Defined
• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving location in the networked environment
• Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it's mobile!
• Mobility presents new challenges:
‒ Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
‒ Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
• Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
• Support for up to 24 controllers, 24000 APs per mobility group
• Mobility messages exchanged between controllers
• Data tunneled between controllers in EtherIP (RFC 3378)
[Diagram: three controllers in Mobility Group Name MyMobilityGroup, each listing the other two as Mobility Group Neighbors, connected by mobility messages and Ethernet-in-IP tunnels:
Controller-A, MAC AA:AA:AA:AA:AA:01 (neighbors Controller-B, Controller-C)
Controller-B, MAC AA:AA:AA:AA:AA:02 (neighbors Controller-A, Controller-C)
Controller-C, MAC AA:AA:AA:AA:AA:03 (neighbors Controller-A, Controller-B)]
Scaling the Architecture with Mobility Groups
Mobility Domain
[Diagram: one WLC network made up of three mobility groups running 7.0, 7.2 and 7.3; 24 WLCs in a mobility group, 72 WLCs in a mobility domain]
With Inter Release Controller Mobility (IRCM), roaming is supported between 7.0, 7.2 and 7.3
How Long Does an STA Roam Take?
• Time it takes for:
‒ Client to disassociate +
‒ Probe for and select a new AP +
‒ 802.11 Association +
‒ 802.1X/EAP Authentication +
‒ Rekeying +
‒ IP address (re)acquisition
• All this can be on the order of seconds… Can we make this faster?
Roaming Requirements
• Roaming must be fast … Latency can be introduced by:
‒ Client channel scanning and AP selection algorithms
‒ Re-authentication of client device and re-keying
‒ Refreshing of IP address
• Roaming must maintain security
‒ Open auth, static WEP: session continues on new AP
‒ WPA/WPAv2 Personal: new session key for encryption derived via standard handshakes
‒ 802.1x, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and new session key derived for encryption
How Are We Going to Make Roaming Faster?
Focus on Where We Can Have the Biggest Impact
• Eliminating the (re)IP address acquisition challenge
• Eliminating full 802.1X/EAP reauthentication
Intra-Controller Roaming: Layer 2
• An intra-controller roam happens when a client moves its association between APs joined to the same controller
• Client must be reauthenticated and a new security session established
[Diagram: pre-roaming data path on VLAN X; the WLC-1 client database holds the client data (MAC, IP, QoS, Security); WLC-2 client database; mobility message exchange between WLC-1 and WLC-2]
Intra-Controller Roaming: Layer 2 (Cont.)
• Client database entry updated with the new AP and appropriate security context
• No IP address refresh needed
[Diagram: client roams to a different AP on VLAN X; roaming data path via WLC-1, whose client database holds the client data (MAC, IP, QoS, Security); mobility message exchange with the WLC-2 client database]
Intra-Controller Roaming: Layer 3
[Diagram: pre-roaming data path; WLC-1 on VLAN X and WLC-2 on VLAN Z, each with a client database holding client data (MAC, IP, QoS, Security); mobility message exchange between the controllers]
Client Roaming Between Subnets: Layer 3 (Cont.)
[Diagram: client roams to a different AP; WLC-1 (anchor controller, VLAN X) keeps the client data (MAC, IP, QoS, Security) in its client database along with the pre-roaming data path; WLC-2 (foreign controller, VLAN Z) holds a copy of the client data in its client database; mobility message exchange and a data tunnel run between anchor and foreign]
Roaming: Inter-Controller Layer 3
• L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and client traffic is bridged onto different subnets
• Client must be re-authenticated and a new security session established
• Client database entry copied to the new controller; the entry exists in both WLC client DBs
• Original controller tagged as the "anchor", new controller tagged as the "foreign"
• WLCs must be in the same mobility group or domain
• No IP address refresh needed
• Symmetric traffic path established; the asymmetric option has been eliminated as of the 6.0 release
• Account for mobility message exchange in network design
Fast Secure Roaming
Standard Wi-Fi Secure Roaming
• 802.1X authentication in wireless today requires three "end-to-end" transactions with an overall transaction time of > 500 ms
• 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam
[Diagram: 1. 802.1X initial authentication transaction from AP1 across the WAN to the Cisco AAA server (ACS or ISE); 2. 802.1X reauthentication after roaming to AP2]
Note: a mechanism is needed to centralise key distribution
Cisco Centralised Key Management (CCKM)
• Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application-specific devices (ASDs)
• CCKM ported to the CUWN architecture in the 3.2 release
• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
• CCKM is most widely implemented in ASDs, especially VoWLAN devices
• To work across WLCs, the WLCs must be in the same mobility group
• CCX-based laptops may not fully support CCKM; this depends on supplicant capabilities
• CCKM is standardised in 802.11r, Apple iOS 6.0
802.11r Introduction
• IEEE Standard for Fast Roaming – CCKM / OKC.
• Introduces a new concept of roaming where the handshake with the new AP is done even before the client roams to the target AP.
• The initial handshake allows the client and APs to do the PTK calculation in advance, thus reducing roaming time.
• The pre-created PTK keys are applied to the client and AP once the client does the reassociation request / response exchange with the new target AP.
• 802.11r provides 2 ways of roaming:
1. Over-the-Air
2. Over-the-DS (Distribution System)
• The FT (Fast Transition) key hierarchy is designed to allow the client to make fast BSS transitions between APs without the need to re-authenticate at every AP.
• WLAN configuration will have a new AKM type called FT (Fast Transition)
802.11r – Fast Transition (FT)
WLAN Authentication Configuration
Legacy clients may not associate with a WLAN that has 802.11r enabled along with 802.11i. If the driver or the supplicant that is responsible for parsing the Robust Security Network Information Element (RSN IE) is old and confused by the additional AKM (Authentication Key Management) suites advertised in the IE (IE 48), the driver will not attempt to start the association process.
Due to this limitation, legacy clients cannot send association requests to WLANs with an FT PSK or FT 802.1x configuration. These legacy clients, however, can still associate with non-802.11r WLANs.
Therefore the recommendation is to have a new unique WLAN, with unique SSIDs, for the additional 802.11r FT WPA clients, and an additional WLAN for the 802.11r FT 802.1x clients.
[Screenshot callouts: an iPhone with iOS 6.0 could authenticate to a WLAN with both of these AKMs, but because of legacy clients this is NOT recommended; a non-6.0 iOS client can't associate.]
PSK & FT PSK Authentication Types
• RSN (Robust Security Network Information Exchange)
• AKMP (Authentication Key Management Protocol)
• PSK (Pre Shared Key)
• AKMP 02 is PSK
• AKMP 04 is Fast Transition PSK
802.1x & FT 802.1x Authentication Types
• AKMP 01 is 802.1x
• AKMP 03 is Fast Transition 802.1x
• The Mobility Domain ID is different for each Mobility Domain
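The AKM suite numbers on the two slides above, and the legacy-client RSN IE parsing problem described on the FT configuration slide, as an added Python example that is not from the deck: it builds and decodes an RSN IE (element ID 48) with the 00-0F-AC suite selectors 1 (802.1X), 2 (PSK), 3 (FT-802.1X) and 4 (FT-PSK), then models a strict pre-802.11r supplicant that refuses any WLAN advertising an AKM it does not know. The IE bytes are constructed here, not captured.

```python
"""
Decode the RSN information element (element ID 48) an AP advertises in probe
and association responses and list its AKM suites, then model a pre-802.11r
supplicant that refuses any WLAN advertising an AKM it does not know. The IE
bytes are constructed here, not captured from a network.
"""
import struct

RSN_ELEMENT_ID = 48
IEEE_OUI = b"\x00\x0f\xac"
CIPHER_NAMES = {2: "TKIP", 4: "CCMP"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
LEGACY_KNOWN_AKMS = {1, 2}          # all a pre-802.11r supplicant understands


def _suite(selector):
    return IEEE_OUI + bytes([selector])


def build_rsn_ie(pairwise, akms, group=4, caps=0):
    """Build a complete RSN IE (ID, length, body) from suite selector lists."""
    body = struct.pack("<H", 1) + _suite(group)                        # version 1
    body += struct.pack("<H", len(pairwise)) + b"".join(map(_suite, pairwise))
    body += struct.pack("<H", len(akms)) + b"".join(map(_suite, akms))
    body += struct.pack("<H", caps)                                    # RSN capabilities
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def parse_rsn_ie(ie):
    """Decode an RSN IE; raises ValueError on anything malformed or truncated.
    Optional trailing fields (PMKID list, group management cipher) are ignored."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN IE")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN IE body too short")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suite_list():
        count = struct.unpack("<H", take(2))[0]
        selectors = []
        for _ in range(count):
            suite = take(4)
            if suite[:3] != IEEE_OUI:
                raise ValueError("vendor-specific suite OUI " + suite[:3].hex())
            selectors.append(suite[3])
        return selectors

    version = struct.unpack("<H", take(2))[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = take(4)[3]
    pairwise = suite_list()
    akm_ids = suite_list()
    caps = struct.unpack("<H", take(2))[0]
    return {"group": CIPHER_NAMES.get(group, group),
            "pairwise": [CIPHER_NAMES.get(p, p) for p in pairwise],
            "akms": [AKM_NAMES.get(a, a) for a in akm_ids],
            "akm_ids": akm_ids,
            "capabilities": caps}


def advertises_ft(ie):
    """True when the WLAN advertises an 802.11r AKM (FT-802.1X or FT-PSK)."""
    return any(a in (3, 4) for a in parse_rsn_ie(ie)["akm_ids"])


def legacy_client_accepts(ie):
    """Model of a strict legacy supplicant: it will not start association
    if any advertised AKM suite is unknown to it."""
    return all(a in LEGACY_KNOWN_AKMS for a in parse_rsn_ie(ie)["akm_ids"])


# Constructed WLAN advertisements (CCMP pairwise and group cipher):
PSK_ONLY_IE = build_rsn_ie(pairwise=[4], akms=[2])         # WPA2-PSK
MIXED_PSK_FT_IE = build_rsn_ie(pairwise=[4], akms=[2, 4])  # WPA2-PSK + FT-PSK on one SSID
FT_DOT1X_IE = build_rsn_ie(pairwise=[4], akms=[3])         # FT 802.1X on its own SSID

if __name__ == "__main__":
    for label, ie in (("PSK only", PSK_ONLY_IE), ("PSK + FT-PSK", MIXED_PSK_FT_IE),
                      ("FT 802.1X", FT_DOT1X_IE)):
        print(label, parse_rsn_ie(ie)["akms"], "legacy client associates:",
              legacy_client_accepts(ie))
```

The mixed PSK + FT-PSK advertisement is exactly the single-SSID setup the slides advise against: the modern parser lists both suites, while the legacy model refuses it and accepts only the PSK-only SSID.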
Example of the Recommended WLAN Configurations if Using 802.11r Fast Transition
• The next page shows our configuration recommendation for adding 802.11r Fast Transition support to your Wi-Fi network.
• These examples show a unique SSID for the two authentication types that cross over with the two new authentication types added by 802.11r.
• Our recommendation is to have unique SSIDs for each of the types. Legacy clients that cannot do 802.11r can become confused by the additional information of 802.11r.
• This type of thing has happened before in 802.11. When 802.11g was approved, there were some 802.11b clients that were not 802.11g aware, and 802.11g had to be disabled to allow those clients to join the Wi-Fi network.
Multiple WLANs for Multiple Auth Types, Each with a Unique SSID
[Screenshots: 802.1x and 802.1x FT WLANs with unique SSIDs; PSK and PSK FT WLANs with unique SSIDs]
Limitations with 802.11r BSS Fast Transition
• This feature is supported only on open and WPA2 configured WLANs.
• Legacy clients don't know the 802.11r elements in Probe and Association Responses.
[Screenshot: packet decode]
‒ The above packet decode shows "Element ID: 48" used by 802.11r
‒ And therefore they will not associate to 802.11r enabled WLANs.
• The workaround is to enable or upgrade the driver of the legacy client to work with the new 802.11r AKMs. After which the legacy clients can successfully associate with 802.11r enabled WLANs.
• Another workaround is to add a unique SSID with the security settings for FT. (Shown in the WLAN Security Configuration Screens.)
• To avoid any Denial of Service (DoS) attack, each controller allows a maximum of three Fast Transition handshakes with different APs.
Designing a Mobility Group/Domain
Design Considerations
• Less roaming is better; clients and apps are happier
• While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
• L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider "worst case" scenarios in designing roaming domain size
• Leverage natural roaming domain boundaries
• Mobility message transport selection: multicast vs. unicast
• Make sure the right ports and protocols are allowed
CUWN Release - Key Controller Features
[Roadmap table; columns: S/W release 7.2MR1 (May 2012), 7.3 (September 2012), 7.4 (Q1 CY13); rows: WLAN Infrastructure, Unified Access. Features listed: Outdoor AP internal antenna; Outdoor AP Honeywell integration; 802.11r L2 fast roaming; AP 2600 802.11n G2; AP 1600 802.11n G2; Outdoor AP uni band antenna; AP 3600 security module; WLC 8500 (target customer: SP); Application Visibility and Control (AVC); Virtual Controller; Bonjour Gateway; Flex7500 scale to 6K APs; Voice Enterprise certification**; HA - AP SSO; HA licensing; WLC 2500 scale; ISE - Flex integration; Flex / local mode parity with ISE; FlexConnect split tunneling; HA licensing, N:1; 802.11r for Flex modes; LAG on Flex7500, WLC 8500, WLC 2500; bi-directional rate limiting; local and FlexConnect support on RAP; voice/video: 11n CAC; guest anchor on WLC 2500; PMIPv6 on WLC]
Controller Product Portfolio
[Diagram: controllers positioned by scale (number of clients and APs) against features/performance. Multi-architecture capable (support Flex and local mode): 2500 (50 APs, 500 clients), SRE - WLCM2 (50 APs, 500 clients), 5500 (500 APs, 7000 clients), WiSM2 (1000 APs, 15000 clients), 8500 (6000 APs, 64000 clients; new in 7.3). FlexConnect: Virtual Controller (200 APs, 3000 clients; new in 7.3), Flex7500 (3000 to 6000 APs, 30000 to 64000 clients; new scale in 7.3)]
Roadmap is highly confidential and reflects current plan. Subject to change without notice
Virtual Controller
Midmarket-Focused Solution
Product Scope
• 5 to 200 AP support, 3,000 clients
• One AP adder license
• FlexConnect mode only
• NOT for large campus
Target Market
• Mid-market with spare compute platform
• Alternative to Flex 7500 for customers with fewer branches
• Partner/MSP-hosted Wi-Fi service
Cisco Mobility in a BOX
• Support on VMware ESX/ESXi at FCS (similar to NCS and MSE)
• Support on Cisco UCS C-Series and B-Series and equivalent servers
Pricing
• Base SKU (with five AP licenses) = $750
• One AP Adder license = $150
[Diagram: vWLC, vNCS and vMSE on an ESX/ESXi hypervisor on UCS/x86 servers]
Cisco 8510 Series Controller
Optimised for High-Scale Deployments
New in 7.3
• High scale for SP and large campus deployments
‒ 6,000 local mode APs and 64,000 clients in 1RU*
‒ 4K VLANs
• Rich features with deployment flexibility (7.3 release)
‒ High availability with subsecond stateful switchover
‒ Outdoor AP support
‒ FlexConnect, local mode, and mesh support*
‒ 3G packet core integration: PMIPv6 MAG solution with ASR5K (LMA)
‒ FlexConnect with HS2.0 for 3G offload
Access Points: 3000–6,000
Clients: 64,000
Branches/Locations: 6,000 (2,000 Groups)
Access Points per FlexConnect Group: 100
Deployment Model: Local, FlexConnect, and Mesh
Form Factor: 1 RU
IO Interface and Redundancy: Dual Redundant 10GE Ports*
Power Options: AC and DC*
Power Redundancy: Dual Redundant Power Supplies Installed*
*Unique 8500 features
Cisco Aironet Access Points
[Diagram: AP portfolio by tier, new in Q2 FY13. Entry Level: basic connectivity, deployment flexibility. Enterprise Class (Sm/Med and Sm/Med/Large): performance, video/voice/multi-media, any device/BYOD, optimised client scalability, RF interference mitigation. Med/Large Enterprise: high client density, investment protection, 802.11ac support, HD video/VDI, best in class security]
Cisco Aironet 802.11n Indoor Access Point
* Basic SI only, ** Future Support

AP Model (availability)              | 3600 Series               | 2600 Series    | 1600 Series (Q4) | 600 Series
Max Data Rate                        | 1.3 Gbps                  | 450 Mbps       | 300 Mbps         | 300 Mbps
Radio Design (MIMO: Spatial Streams) | .11n: 4X4:3, .11ac: 3x3:3 | 3X4:3          | 3X3:2            | 2X2:2
CleanAir                             | ✔                         | ✔              | *                |
ClientLink                           | ClientLink 2.0            | ClientLink 2.0 | ClientLink 2.0   |
BandSelect                           | ✔                         | ✔              | ✔                |
VideoStream                          | ✔                         | ✔              | ✔                |
Rogue AP Detection                   | ✔                         | ✔              | ✔                |
Adaptive wIPS                        | ✔                         | ✔              | ✔                | ✔
OfficeExtend                         | ✔                         | ✔              | ✔                | ✔
FlexConnect                          | ✔                         | ✔              | ✔                | ✔
Wireless Mesh                        | ✔                         | ✔              | ✔                |
Autonomous                           | ✔                         | ✔              | ✔                |
Power                                | 802.3af                   | 802.3af        | 802.3af          | 100 to 240 VAC, 50-60 Hz
Wi-Fi Standards                      | 802.11 a/b/g/n/ac         | 802.11 a/b/g/n | 802.11 a/b/g/n   | 802.11 a/b/g/n
Deploying the Cisco Unified Wireless Architecture
• High Availability
• Understanding AP Groups / RF Groups
• Application Visibility
• Bonjour Gateway
• IPv6 Deployment with Controllers
• Branch Office Designs
• Guest Access Deployment
• Home Office Design
Controller Redundancy
Most Common (N+1)
• Redundant WLC in a geographically separate location
• Layer-3 connectivity between the AP connected to the primary WLC and the redundant WLC
• Redundant WLC need not be part of the same mobility group
• Configure high availability (HA) to detect failure and faster failover
• Use AP priority in case of oversubscription of the redundant WLC
[Diagram: WLAN-Controller-1, WLAN-Controller-2 … WLAN-Controller-n, each with its APs configured with Primary: that controller and Secondary: WLAN-Controller-BKP; WLAN-Controller-BKP sits in the NOC or data centre]
Controller Redundancy – High Availability
• High Availability Principles:
• AP is registered with a WLC and maintains a backup list of WLCs.
• AP uses heartbeats to validate WLC connectivity
• AP uses Primary Discovery messages to validate the backup WLC list
• When the AP loses 3 heartbeats it starts the join process to the first backup WLC candidate
• Candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
• AP does not re-initiate the discovery process.
[Diagram: AP with a Primary WLC and a Secondary WLC]
New Timers (7.2):
Heartbeat Timeout: 1-30 secs
Fast Heartbeat Timer: 1-10 secs
AP Retransmit Interval: 2-5 secs
AP Retransmit with FH Enabled: 3-8 times
AP Fallback to next WLC: 12 secs
True High Availability in 7.3 Release
• Box to Box High Availability, i.e. 1:1
• One WLC in Active state; the second WLC, in Hot Standby state, monitors the health of the Active WLC via the Redundant Port
• Configuration on the Active is synched to the Standby WLC via the Redundant Port
• Both WLCs share the same set of configuration, including the IP address of the management interface.
• APs' CAPWAP state (only APs which are in RUN state) is also synched. APs do not go into Discovery state when the Active WLC fails
• Downtime between failover reduced to 5 - 1000 msec in case of box failover and up to 3 seconds in case of network issues
• Supported on 5500 / 7500 / 8500 and WiSM-2
HA Connectivity on 5500 / 7500 / 8500 WLC
• 5500/7500/8500 WLCs have a dedicated Redundancy Port which is used to synch configuration from the Active to the Standby WLC
• Keepalives are sent on the RP port from Standby to Active WLC every 100 msec (default timer) to check the health of the Active WLC.
• ICMP packets are also sent every one second from each WLC to check reachability to the gateway using the Redundant Management interface.
[Diagram: Active Controller and Hot Stand-by Controller pairs (WLC 5500 and Flex 7500) connected through Redundancy Port RP 1 / RP 2]
High Availability Connectivity on WiSM-2 WLC
• WiSM-2 WLCs have a dedicated Redundancy VLAN which is used to synch configuration from the Active to the Standby WLC
• Keepalives are sent on the Redundancy VLAN from Standby to Active WLC every 100 msec (default timer) to check the health of the Active WLC.
• To achieve HA between WiSM-2 WLCs, they can be deployed in a single chassis or between multiple chassis using VSS, as well as by extending the Redundancy VLAN between two chassis.
[Diagram: Slot 8: Active WiSM-2; Slot 9: Hot Stand-By WiSM-2]
High Availability Configuration
• By default HA is disabled.
• Configure Redundant Management and Peer Redundant Management IP first before enabling AP SSO
High Availability Configuration
• Configure AP SSO by selecting "Enable" from the drop down
• All other optional configuration like Service Port Peer IP, Mobility MAC Address, Keep Alive and Peer Search Timer can be configured on the same page
• To reset the peer WLC click on Commands -> Redundancy -> Reset Peer
AP SSO with Legacy High Availability
• AP SSO can be deployed with Secondary and Tertiary Controllers
• Both Active and Standby combined in the AP SSO setup should be configured as primary.
• On failure of both Active and Standby WLCs in the AP SSO setup, APs will fall back to the secondary and further to the configured tertiary controller.
HA-SKU as Secondary WLC (with AP-SSO disabled)
• This feature enables an HA-SKU controller as a secondary controller
• HA-SKU controller allowed for use as secondary controller for 90 days without nagging
• If the HA feature is disabled, the controller can be used as a secondary controller for the maximum capacity of supported APs.
Note: HA-SKU: 5508 50 AP, WiSM2 100 AP, 7500/8500 300 AP will work as Standby
[Diagram: Backup Controller 5508 (WLC max AP support: 500) backing Primary Controller 5508 #1 (License Count: 100, APs connected: 90), Primary Controller WiSM-2 #2 (License Count: 500, APs connected: 500) and Primary Controller 2500 #3 (License Count: 75, APs connected: 25)]
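The N+1 backup behaviour described on the HA slides above (three lost heartbeats, the candidate order primary, secondary, tertiary, global primary, global secondary, and AP priority when the backup is oversubscribed as in the HA-SKU diagram), as an added Python model that is not from the deck. The controller and AP names, the license limits and the eviction rule (a full backup drops its lowest-priority AP only for a strictly higher-priority one) are assumptions of this example.

```python
"""
Simplified model of N+1 controller redundancy and AP failover selection. An AP
that misses three heartbeats joins the first alive controller in the order
primary, secondary, tertiary, global primary, global secondary. A backup licensed
for fewer APs than the primaries it covers is oversubscribed, so AP failover
priority (low < medium < high < critical) decides who keeps a slot. Assumed rule:
a full backup drops its lowest-priority AP only to admit a strictly higher one.
All controller names, AP names and counts below are constructed.
"""
from dataclasses import dataclass, field

HEARTBEATS_BEFORE_FAILOVER = 3
PRIORITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Controller:
    name: str
    max_aps: int                         # AP license / platform limit
    alive: bool = True
    joined: dict = field(default_factory=dict)   # AP name -> priority value

    def admit(self, ap_name, priority):
        """Try to admit an AP. Returns (admitted, name_of_evicted_ap_or_None)."""
        if len(self.joined) < self.max_aps:
            self.joined[ap_name] = priority
            return True, None
        victim = min(self.joined, key=self.joined.get)   # lowest priority, oldest first
        if self.joined[victim] < priority:
            del self.joined[victim]
            self.joined[ap_name] = priority
            return True, victim
        return False, None


@dataclass
class AccessPoint:
    name: str
    primary: str
    secondary: str = None
    tertiary: str = None
    priority: str = "low"
    current: str = None
    missed_heartbeats: int = 0


def candidate_order(ap, global_primary=None, global_secondary=None):
    """Backup search order from the HA principles slide, duplicates removed."""
    order = []
    for c in (ap.primary, ap.secondary, ap.tertiary, global_primary, global_secondary):
        if c and c not in order:
            order.append(c)
    return order


def heartbeat(ap, controllers):
    """One heartbeat interval; True once three consecutive heartbeats are lost."""
    wlc = controllers.get(ap.current)
    if wlc is not None and wlc.alive:
        ap.missed_heartbeats = 0
        return False
    ap.missed_heartbeats += 1
    return ap.missed_heartbeats >= HEARTBEATS_BEFORE_FAILOVER


def run_failover(aps, controllers, failed, **globals_):
    """Fail the named controllers and re-home their APs. Returns the resulting
    AP -> controller map and the list of APs evicted from a full backup."""
    for name in failed:
        controllers[name].alive = False
        controllers[name].joined.clear()
    by_name = {ap.name: ap for ap in aps}
    evicted = []
    affected = [ap for ap in aps if ap.current in failed]
    # Higher-priority APs are re-homed first so the outcome is deterministic.
    for ap in sorted(affected, key=lambda a: (-PRIORITY[a.priority], a.name)):
        while not heartbeat(ap, controllers):
            pass                         # primary is silent: count to 3 misses
        ap.current = None
        for name in candidate_order(ap, **globals_):
            wlc = controllers.get(name)
            if wlc is None or not wlc.alive:
                continue                 # no rediscovery: walk the configured list
            admitted, victim = wlc.admit(ap.name, PRIORITY[ap.priority])
            if victim:
                by_name[victim].current = None
                evicted.append(victim)
            if admitted:
                ap.current, ap.missed_heartbeats = wlc.name, 0
                break
    return {ap.name: ap.current for ap in aps}, evicted


def example_scenario():
    """Two primaries with three APs each behind one backup licensed for 4 APs."""
    controllers = {"WLC-1": Controller("WLC-1", 50), "WLC-2": Controller("WLC-2", 50),
                   "WLC-BKP": Controller("WLC-BKP", 4)}
    aps = [AccessPoint("ap-1a", "WLC-1", "WLC-BKP", priority="critical"),
           AccessPoint("ap-1b", "WLC-1", "WLC-BKP", priority="high"),
           AccessPoint("ap-1c", "WLC-1", "WLC-BKP"),
           AccessPoint("ap-2a", "WLC-2", "WLC-BKP"),
           AccessPoint("ap-2b", "WLC-2", "WLC-BKP"),
           AccessPoint("ap-2c", "WLC-2", "WLC-BKP")]
    for ap in aps:                       # steady state: every AP joined to its primary
        controllers[ap.primary].admit(ap.name, PRIORITY[ap.priority])
        ap.current = ap.primary
    return aps, controllers
```

Failing WLC-2 first fills three of the backup's four slots; failing WLC-1 afterwards shows the oversubscription case, where the critical and high APs get slots (one by displacing a low AP) and the remaining low AP is left without a controller.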
HA-SKU as Secondary WLC - Configuration
• CLI Secondary: config redundancy unit secondary
• CLI Primary: config ap primary-base <Switch Name> <Cisco AP> <Switch IP Addr>
GUI configuration: [screenshot]
AP-Groups - Default AP-Group
• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
• Default AP-Group cannot be modified
• APs with no assignment to a specific AP-Group will use the Default AP-Group
• The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Groups
• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
• AP group limits: WLC 2106 (50), WLC 2504 (50), WLC 4400 and WiSM (300), WLC 5508 & WiSM-2 (500), WLC 7500 (500)
AP-Grouping in Campus
[Diagram: campus with access, distribution and core layers; every AP cluster is on VLAN 100 /21 under a single SSID (Employee); CAPWAP to WLC-1 and WLC-2 in the data centre, which also connects to the Internet and WAN]
AP-Grouping in Campus
[Diagram: same campus, with the APs split into AP-Group-1 (VLAN 60 /23), AP-Group-2 (VLAN 70 /23) and AP-Group-3 (VLAN 80 /23) under the single Employee SSID; the AP management VLAN 100 /21 remains; VLANs 60, 70 and 80 terminate on WLC-1 and WLC-2 in the data centre]
Default AP-Group
[Screenshot: Default AP Group by network name; only WLANs 1–16 will be added in the Default AP Group]
Multiple AP-Groups
[Screenshot: AP Group 1, AP Group 2, AP Group 3]
RF-Profiles
7.2 and 7.3
• RF Profiles allow the administrator to tune groups of APs sharing a common coverage zone together, selectively changing how RRM will operate the APs within that coverage zone
• RF Profiles are created for either the 2.4 GHz radio or the 5 GHz radio
• Profiles are applied to groups of APs belonging to an AP Group, in which all APs in the group will have the same profile settings
• There are two components to this feature:
‒ RF Profile – new in 7.2, providing administrative control over:
o Min/Max TPC values
o TPCv1 Threshold
o TPCv2 Threshold
o Data Rates
o High Density
o Client Load Balancing
RF Profiles
• Create an RF profile for the a or b/g radio
• Select, if required, the minimum and/or maximum TPC settings
• Select a custom TPC power threshold for either Version 1 or Version 2 of TPC
• Select the data rates to be applied to the APs
RF-Profile in Campus
[Diagram: campus with RF-Profile-1 (VLAN 60 /23, VLAN 61 /23), RF-Profile-2 (VLAN 70 /23, VLAN 71 /23) and RF-Profile-3 (VLAN 80 /23, VLAN 81 /23) under a single Employee SSID; LWAPP/CAPWAP runs through access, distribution and core to WLC-1 and WLC-2 in the data centre, where VLANs 60, 61, 70, 71, 80 and 81 terminate]
Multiple RF-Profiles
[Screenshot: RF Profile -1, RF Profile -2, RF Profile -3]
Application Visibility & Control
[Diagram: the WLC to WAN link is congested by Real Time, Interactive, Non-Real Time and Non-Business traffic]
What applications are in the air?
Why is my key application running slow?
How do I support a new application for a set of users?
NBAR Supported Features
• Classification: identification of application/protocol; supports stateful L4 - L7 classification. WLC can classify 1039 applications.
• AVC (Application Visibility Control): provides visibility of classified traffic and also gives an option to control the same, using a Drop or Mark (DSCP) action.
‒ Action DROP (traffic for that application will be dropped)
‒ Action MARK (particular applications can be marked with the different QoS profiles available on the WLC, or the administrator can custom define a DSCP value for that application)
‒ AVC marking overrides all other QoS markings
• NetFlow: updating NBAR stats to a NetFlow collector like Cisco Prime Assurance Manager (PAM)
• NBAR is supported on 2500, 5500, 7500, 8500 and WiSM2 controllers on Local and Flex Mode APs
• WLC can support 16 AVC profiles
• A WLAN can support only 1 AVC profile and each profile can contain 32 rules, thus each WLAN can support 32 application actions of mark or drop.
Enabling AVC
• AVC is enabled on a per WLAN basis
• A global summary of the top applications is shown on the Controller Monitor screen
AVC Application
• 1000+ applications can be detected by default
AVC Profile
• Custom AVC profiles are created to do traffic shaping
• Apply the custom profile per WLAN
Netflow Monitor
• Configure the NetFlow Exporter on the controller and apply it to the WLAN
AVC Summary
• Application statistics per WLAN, with more details on up/down streams
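The following is an added example, not Cisco WLC code, that models how the AVC procedure above fits together: a profile of up to 32 mark/drop rules, at most 16 profiles per WLC, one profile bound per WLAN, AVC marking taking precedence over the WLAN QoS marking, and per-WLAN up/down byte counters of the kind the AVC summary reports. The NBAR classification step is replaced by a small constructed port table, and the application names, DSCP values and flow records are sample values.

```python
"""Added example (not Cisco WLC code): model of AVC profile enforcement on classified flows.
The NBAR_TABLE below is a constructed stand-in for NBAR's stateful L4-L7 classification."""
from collections import defaultdict

MAX_AVC_PROFILES_PER_WLC = 16       # limits stated on the slides
MAX_RULES_PER_AVC_PROFILE = 32

# Constructed placeholder for NBAR: (protocol, destination port) -> application name.
NBAR_TABLE = {("tcp", 443): "ssl", ("udp", 5060): "sip",
              ("tcp", 6881): "bittorrent", ("tcp", 80): "http"}


def classify(flow):
    """Return the application name the classifier assigns to a flow, or 'unknown'."""
    return NBAR_TABLE.get((flow["proto"], flow["dport"]), "unknown")


class AvcProfile:
    def __init__(self, name):
        self.name = name
        self.rules = {}                 # app -> ("drop", None) or ("mark", dscp)

    def add_rule(self, app, action, dscp=None):
        if action not in ("mark", "drop"):
            raise ValueError("action must be 'mark' or 'drop'")
        if action == "mark" and not (dscp is not None and 0 <= dscp <= 63):
            raise ValueError("MARK needs a DSCP value in 0-63")
        if app not in self.rules and len(self.rules) >= MAX_RULES_PER_AVC_PROFILE:
            raise ValueError(f"AVC profile {self.name}: 32 rules maximum")
        self.rules[app] = (action, dscp if action == "mark" else None)


class Wlc:
    def __init__(self):
        self.profiles = {}              # profile name -> AvcProfile
        self.wlan_profile = {}          # WLAN -> AvcProfile (AVC is enabled per WLAN)
        self.wlan_qos_dscp = {}         # WLAN -> DSCP from the WLAN's QoS profile
        # (WLAN, app) -> {"up": bytes, "down": bytes}, like the per-WLAN AVC summary
        self.stats = defaultdict(lambda: {"up": 0, "down": 0})

    def add_profile(self, profile):
        if profile.name not in self.profiles and len(self.profiles) >= MAX_AVC_PROFILES_PER_WLC:
            raise ValueError("16 AVC profiles maximum per WLC")
        self.profiles[profile.name] = profile

    def bind(self, wlan, profile_name, wlan_qos_dscp):
        """Apply one AVC profile to a WLAN; a WLAN can carry only one profile."""
        self.wlan_profile[wlan] = self.profiles[profile_name]
        self.wlan_qos_dscp[wlan] = wlan_qos_dscp

    def forward(self, wlan, flow):
        """Apply AVC to one flow record. Returns ('drop', None) or ('forward', dscp)."""
        app = classify(flow)
        profile = self.wlan_profile.get(wlan)
        action, dscp = profile.rules.get(app, (None, None)) if profile else (None, None)
        if action == "drop":
            return "drop", None
        self.stats[(wlan, app)][flow["direction"]] += flow["bytes"]
        # AVC marking overrides every other QoS marking; otherwise the WLAN QoS DSCP applies.
        return "forward", dscp if action == "mark" else self.wlan_qos_dscp.get(wlan, 0)


def demo():
    """Build one profile, bind it to a WLAN and push three constructed flows through it."""
    wlc = Wlc()
    branch = AvcProfile("branch")
    branch.add_rule("sip", "mark", dscp=46)      # voice signalling gets EF
    branch.add_rule("bittorrent", "drop")        # non-business traffic is dropped
    wlc.add_profile(branch)
    wlc.bind("Employee", "branch", wlan_qos_dscp=18)
    flows = [{"proto": "udp", "dport": 5060, "direction": "up", "bytes": 400},
             {"proto": "tcp", "dport": 6881, "direction": "down", "bytes": 1500},
             {"proto": "tcp", "dport": 443, "direction": "down", "bytes": 900}]
    return [wlc.forward("Employee", f) for f in flows], dict(wlc.stats)


if __name__ == "__main__":
    print(demo())
```

Note that the dropped bittorrent flow never reaches the statistics, while the unmatched SSL flow is forwarded with the WLAN's own QoS marking rather than an AVC one.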
Deploying the Cisco Unified Wireless Architecture: Bonjour Gateway
The Protocol Problem
• Why do Bonjour services need modifications?
Bonjour
• Apple service discovery protocol
• mDNS packets are used by clients to advertise and discover services
• Does not cross subnets or VLANs
Result: clients can't see services on other subnets
Deployment Challenges
Bonjour is Link-Local Multicast and can't be Routed
[Figure: an Apple TV on VLAN X advertises to 224.0.0.251; a client on VLAN Y behind the CAPWAP tunnel never sees the advertisement because it stays on VLAN X.]
• Bonjour is link-local multicast and is therefore forwarded only within the local L2 domain
• AirPlay (Apple TV) and AirPrint are supported only on a single VLAN
• mDNS operates on UDP port 5353 and is sent to the reserved group addresses:
IPv4 Group Address – 224.0.0.251
IPv6 Group Address – FF02::FB
Bonjour mDNS GW on WLC
 Step 1 – Listen for Bonjour Services
[Figure: an Apple TV on VLAN 20 and an AirPrint printer on VLAN 23 send Bonjour advertisements; the controller on VLAN 99 hears them, while the iPad sits behind a CAPWAP tunnel.]
• In 7.4, Bonjour services with the mDNS gateway on the controller don't require multicast services to be enabled.
Bonjour mDNS GW on WLC
 Step 2 – Bonjour Services cached on Controller
[Figure: the controller builds a Bonjour cache from the advertisements it heard: AirPlay – VLAN 20, AirPrint – VLAN 23.]
With the mDNS gateway deployed, Bonjour services don't flood the subnet with mDNS advertisements.
Bonjour GW on WLC
 Step 3 – Listen for Client Service Queries for Services
[Figure: the iPad sends a Bonjour query for AirPrint over the CAPWAP tunnel; the controller checks its Bonjour cache (AirPlay – VLAN 20, AirPrint – VLAN 23).]
The WLC snoops all Bonjour discovery packets and does not forward them over the air or onto the infrastructure network.
Bonjour GW on WLC
 Step 4 – Respond to Client Queries for Bonjour Services
[Figure: the controller answers the iPad's AirPrint query from its Bonjour cache (AirPlay – VLAN 20, AirPrint – VLAN 23) with a Bonjour response sent from the controller itself.]
Only clients that require Bonjour services will receive those services.
Bonjour Services Directory Policy
Capabilities: the Bonjour Policy Profile is a list of allowed network applications (i.e. AirPlay or Printing).
Service Policy: the Bonjour service profile provides filtering to allow only certain WLANs, Interfaces or Interface Groups to access specific service types (for example AirPrint, AirPlay or File Share).
Enforced via multiple methods:
‒ Per WLAN
‒ Per VLAN (AP Group)
‒ Per Interface Group
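The four gateway steps and the service policy above, as an added example that is not Cisco code: a small mDNS gateway model that snoops PTR advertisements heard on a VLAN into a cache (steps 1 and 2), never re-floods them, and answers a client's query from the cache only when the client's WLAN is permitted to see that service type (steps 3 and 4, plus the per-WLAN policy). The packets are encoded and decoded in real DNS wire format, so the parser can also be pointed at captured UDP/5353 payloads; the VLAN numbers, WLAN names and service instance names are constructed sample values.

```python
"""Added example (not Cisco code): constructed model of the WLC mDNS gateway and its service policy."""
import struct

MDNS_PORT = 5353                 # mDNS always uses UDP/5353
MDNS_GROUP_V4 = "224.0.0.251"    # link-local groups: never routed, hence the gateway
MDNS_GROUP_V6 = "ff02::fb"
TYPE_PTR, CLASS_IN = 12, 1
FLAG_QR = 0x8000                 # set on responses, clear on queries


def encode_name(name):
    """Dotted name -> length-prefixed labels (no compression on output)."""
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def decode_name(buf, off):
    """Decode the name at buf[off], following compression pointers; return (name, next_off)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(service):
    """Client query: one PTR question for a service type such as _ipp._tcp.local."""
    return (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service)
            + struct.pack("!HH", TYPE_PTR, CLASS_IN))


def build_response(service, instances, ttl=4500):
    """Advertisement or gateway response: one PTR answer per service instance (TTL 0 = goodbye)."""
    pkt = struct.pack("!HHHHHH", 0, 0x8400, 0, len(instances), 0, 0)   # QR=1, AA=1
    for inst in instances:
        rdata = encode_name(inst)
        pkt += encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata
    return pkt


def parse(pkt):
    """Return (flags, [(qname, qtype)], [(name, rtype, ttl, ptr_target_or_raw_rdata)])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4                                       # qtype + qclass
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        target = decode_name(pkt, off)[0] if rtype == TYPE_PTR else pkt[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, target))
    return flags, questions, answers


class MdnsGateway:
    """Steps 1-4 from the slides plus the service policy (WLAN -> allowed service types)."""

    def __init__(self, policy):
        self.policy = policy         # e.g. {"Employee": {"_airplay._tcp.local", "_ipp._tcp.local"}}
        self.cache = {}              # service type -> {instance name: VLAN it was heard on}

    def snoop_advertisement(self, pkt, vlan):
        """Steps 1-2: cache PTR answers heard on a VLAN. Nothing is forwarded on air or infra."""
        flags, _, answers = parse(pkt)
        learned = []
        if not flags & FLAG_QR:
            return learned                             # queries are never cached
        for name, rtype, ttl, target in answers:
            if rtype != TYPE_PTR:
                continue
            if ttl == 0:                               # goodbye packet: drop the instance
                self.cache.get(name, {}).pop(target, None)
            else:
                self.cache.setdefault(name, {})[target] = vlan
                learned.append((name, target, vlan))
        return learned

    def answer_query(self, pkt, wlan):
        """Steps 3-4: answer from the cache, only for service types the client's WLAN may see."""
        flags, questions, _ = parse(pkt)
        if flags & FLAG_QR:
            return None
        for qname, qtype in questions:
            allowed = qname in self.policy.get(wlan, set())
            instances = self.cache.get(qname, {})
            if qtype == TYPE_PTR and allowed and instances:
                return build_response(qname, sorted(instances))
        return None                                    # policy denies or nothing cached: silence
```

Because the gateway answers from its own cache, a guest WLAN whose policy lists only AirPlay gets no answer at all for an AirPrint query, even though the printer is cached; the printer's existence is not disclosed to that WLAN.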
Bonjour and Guest Anchoring
[Figure: a Guest WLAN on the Foreign Controller is anchored over a CAPWAP tunnel to the Anchor Controller in the DMZ; a wired Apple TV on the Apple TV VLAN advertises AirPlay, which reaches the Guest VLAN through the anchor.]
 The guest WLAN will be able to see Bonjour services advertised to the anchor controller.
 The Bonjour queries and advertisements will be sent inside the CAPWAP tunnel.
Bonjour L3 Roaming
[Figure: a roaming client moves from an AP on the Anchor Controller to an AP on the Foreign Controller; AirPlay traffic follows it over the Mobility EoIP tunnel between the controllers and the CAPWAP tunnels to the APs.]
 Layer 3 roaming works across the EoIP tunnel to ensure users moving amongst APs on different controllers continue to see the devices they saw on the original controller.
 The Bonjour services on the anchor controller will be displayed to the client, including both wired and wireless devices.
Configuring mDNS Snooping
 Enable mDNS snooping globally and add services
A maximum of 100 services can be configured *
* Subject to change by FCS
Configure mDNS profile per WLAN
 Create a custom profile per WLAN
 Enable the mDNS snooping profile on the desired VLAN or WLAN
Summary of Bonjour enabled devices
 A Bonjour enabled device advertising a service is shown by its Domain Name
Deploying the Cisco Unified Wireless Architecture: IPv6 Deployment with Controllers
Wireless IPv6 Support - Pre-v7.2
[Figure: across the CAPWAP tunnel, IPv6 ICMPv6 multicast messages are sent to all clients (including L3 roamed clients) at low data rates; all IPv6 packets are bridged on the VLAN, transmitting unnecessary ICMPv6 messages in both directions.]
 In releases prior to 7.2, enabling IPv6 bridging provided a limited solution with no Layer 3 mobility and non-optimised delivery of essential ICMPv6 messages to clients.
Wireless IPv6 Support - Post-v7.2
[Figure: across the CAPWAP tunnel, IPv6 ICMPv6 multicast messages are unicast to each client at high data rates; ICMPv6 messages are interpreted by the controller and forwarded only as needed.]
 From release 7.2, the controller processes ICMPv6 messages, allowing for optimised delivery, Layer 3 mobility and first hop security.
Wireless IPv6 Client Support
[Figure: protocol stacks. Client side: IPv4 or IPv6 over 802.11. AP to controller: the client's IPv4 or IPv6 over 802.11 frame carried in CAPWAP over IPv4 over Ethernet. Wired side: IPv6 or IPv4 over VLAN over Ethernet.]
 Supports IPv4, Dual Stack and Native IPv6 clients on a single WLAN simultaneously
 Supports the following IPv6 address assignment for wireless clients:
‒ IPv6 Stateless Autoconfiguration [SLAAC]
‒ Stateless, Stateful DHCPv6
‒ Static IPv6 configuration
 Supports up to 8 IPv6 addresses per client
 Clients will be able to pass traffic once IPv4 or IPv6 address assignment is completed after successful authentication
IPv6 Client Connectivity on Multiple WLANs
[Figure: Router 1 sends RAs on VLAN 100 and Router 2 on VLAN 200 from the VLAN pool; the controller carries them over the CAPWAP tunnel and the AP delivers each RA only to the clients whose WLAN maps to that VLAN (VLAN = 100 or VLAN = 200).]
 Access Points keep track of individual clients and unicast the Router Advertisement to the clients depending on the WLAN they belong to.
 Access Points support up to 16 WLANs/SSIDs for dual stack clients.
 To maintain proper routing capability, mobile clients need to have the proper globally unique unicast prefix from the router within their own network.
Cisco Supports Many IPv6 Addresses Per Client
Up to 8 IPv6 addresses are tracked per client.
 Support for many IPv6 addresses per client is necessary because:
‒ Clients can have multiple address types per interface
‒ Clients can be assigned addresses via multiple methods such as SLAAC and DHCPv6
‒ Most clients automatically generate a temporary address in addition to assigned addresses.
Deploying the Cisco Unified Wireless Architecture: Branch Office Designs
‒ Understanding FlexConnect AP Deployment
‒ Understanding Branch Controller Deployment
Branch Office Deployment
FlexConnect
[Figure: the controller at the Central Site; a Remote Office across the WAN where FlexConnect APs send centralised traffic back to the central site and keep local traffic within the remote office.]
 Hybrid architecture
 Single management and control point
‒ Centralised traffic (split MAC), or
‒ Local traffic (local MAC)
 HA will preserve local traffic only
FlexConnect Design Considerations
For Your Reference
WAN limitations apply
Economies of Scale for Lean Branches
Flex 7500 Wireless Controller
Access Points           300 - 6,000
Clients                 64,000
Branches                2000
Access Points / Branch  100
Deployment Model        FlexConnect
Form Factor             1 RU
IO Interface            2x 10GE
Upgrade Licenses        100, 200, 500, 1K
Key Differentiation
 WAN Tolerance
• High Latency Networks
• WAN Survivability
 Security
• 802.1x based port authentication
 Voice support
• Voice CAC
• OKC/CCKM
Flex 7500 Scale Update (7.2 vs. 7.3)
Scalability                        7.2      7.3
Total APs                          3000     6000
Total Clients                      30,000   64,000
Total FlexConnect Groups           1000     2000
Maximum APs per FlexConnect Group  50       100
Total Rogue APs                    12000    24000
Total Rogue Clients                15000    32000
Number of VLANs supported          512      4095
Number of RFID                     20000    50000
Maximum APs per RRM Group          6000     12000
Understanding FlexConnect Groups
[Figure: the controller at the Central Site; across the WAN, two Remote Sites each form a FlexConnect Group (FlexConnect Group 1 and FlexConnect Group 2).]
 FlexConnect groups allow sharing of:
‒ CCKM fast roaming keys
‒ Local user authentication
‒ Local EAP authentication
‒ Efficient Image Download
 Scaling information
Scaling             Flex 7500   CT-5508   WiSM2   CT-2504
FlexConnect Groups  1000        100       100     20
AP per Flex Group   50          25        25      25
FlexConnect Improvements in 7.2
 Smart AP Image Upgrade
 ACLs on FlexConnect AP
 AAA Over-ride of VLAN - dynamic VLAN assignment for locally switched clients
 FlexConnect Re-branding
 Fast Roaming for Voice Clients
 Peer to Peer Blocking
FlexConnect Smart AP Image Upgrade
Description
[Figure: the Wireless Control System and Wireless LAN Controller at the Central Site hold the New (Primary) and Old (Secondary) firmware images; across the WAN, a Master AP in each remote site (Remote Site-1 to Remote Site-N) downloads the new image and the other FlexConnect APs fetch it from the master locally.]
Smart AP Image Upgrade uses a "master" AP in each FlexConnect Group to download the code. The other FlexConnect APs download the code from the master locally.
1. Download the upgraded firmware to the WLC (it will become the primary image).
2. Force the "boot image" to be the secondary (and not the newly upgraded one) to avoid a parallel download by all APs in case of an unexpected WLC reboot.
3. The WLC elects a master AP in each FlexConnect Group (it can also be set manually).
New in 7.2
FlexConnect Smart AP Image Upgrade
Configuration
[Figure: configuration screen with "Enable Efficient AP Image Upgrade"; a field with a valid range of 1-63; a random backoff interval (100-300 sec) between each retry; Master AP selection is optional.]
The "FlexConnect AP Upgrade" checkbox has to be enabled for each FlexConnect Group.
By default, the Master AP for each FlexConnect Group is selected using the Lower-MAC algorithm.
One Master is selected per AP type.
New in 7.2
Local Switching Access Lists
Description
[Figure: the controller at the Central Site; across the WAN, a Remote Site whose locally switched clients reach a local Application Server through the FlexConnect ACL.]
 Support for ACL in FlexConnect local switching mode
 ACL mapped to local VLAN per AP or FlexConnect Group
 512 FlexConnect ACL per WLC
 16 ingress ACL & 16 egress ACL per AP
 64 ACL rules per ACL
 No IPv6 ACL
New in 7.2
Local Switching Access Lists
Configuration
 ACL rule creation and application for FlexConnect is identical to WLC rule creation for Local Mode
[Figure: configuration screens. Step 1; Step 2: click to add ACL rules; Step 3: provision to assign separate Inbound & Outbound ACLs.]
New in 7.2
Local Switching Peer-to-Peer Blocking
Description
[Figure: the controller at the Central Site; across the WAN, a Remote Site with an Application Server, where clients on the same FlexConnect AP are prevented from reaching each other.]
 Support for Peer-to-Peer blocking in FlexConnect AP
 Applies to clients on the same FlexConnect AP
 P2P blocking modes: disable or drop
 For P2P blocking between APs, use the ACL or Private VLAN function
New in 7.2
FlexConnect AAA VLAN Override
Description
[Figure: Central RADIUS at the Central Site; across the WAN, FlexConnect Group 1 at the Remote Site places clients into VLAN 3 or VLAN 7, both reaching a local Application Server.]
 AAA VLAN Override with local or central authentication
 Up to 16 VLANs per FlexConnect AP
 VLAN ID must be enabled per AP or FlexConnect Group
 If VLAN ID does not exist, default VLAN is used
 QoS and ACL Override is not supported.
New in 7.2
FlexConnect AAA VLAN Override
Configuration
[Figure: ISE returns the RADIUS attributes IETF 64, IETF 65 and IETF 81 across the WAN; create the sub-interface on the FlexConnect AP for the VLAN.]
New in 7.2
Flex: External Web Auth with Local Switching
 What: starting with 7.2 MR1 it is possible for the WLC to perform Web authentication with an external server on a locally switched WLAN
 Why: this addresses the Retail and Hot Spot requirement where the portal is centralised but the traffic needs to exit locally to save WAN bandwidth
 How: a pre-auth Flex ACL at the AP is used to match the traffic that is allowed to be locally switched before authentication is completed.
[Figure: the Central site hosting the centralised portal and the Remote site where the locally switched traffic exits.]
Flex: Local Split Tunnelling
 What: on a centrally switched WLAN, this feature gives the flexibility to decide what traffic gets tunnelled to the WLC and what traffic is bridged locally at the AP
 Why: Local Split Tunnelling improves WAN bandwidth utilisation and may simplify subnet/routing design for remote sites.
 How: a Flex ACL is used to match traffic for local switching. Port Address Translation (PAT) is used to switch packets to the local LAN using the BVI's IP address.
[Figure: on a centrally switched SSID at the Flex AP, traffic with no ACL match goes through the Data CAPWAP Tunnel over the Corporate WAN to the centralised WLC and the central network (central servers: Apps, DHCP, DNS, etc.); traffic with an ACL match is bridged to the local network and local servers.]
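The three Flex ACL uses described above (local switching ACLs with their limits, the pre-auth ACL for external web auth, and the split-tunnelling ACL with PAT to the BVI address) share one matcher, so they are shown in a single added example that is not Cisco code. The ACL model enforces the stated limits (IPv4 only, 64 rules per ACL, 16 ingress and 16 egress ACLs per AP) and uses first-match semantics with an implicit deny; the addresses, ports and BVI IP are constructed sample values.

```python
"""Added example (not Cisco code): constructed model of FlexConnect ACLs on a Flex AP."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_RULES_PER_ACL = 64          # limits stated on the slides
MAX_ACLS_PER_DIRECTION = 16


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "any", "tcp", "udp" or "icmp"
    src: str                         # IPv4 network in CIDR form, e.g. "0.0.0.0/0"
    dst: str
    dst_port: Optional[int] = None   # None = any destination port


class FlexAcl:
    def __init__(self, name):
        self.name, self.rules = name, []

    def add_rule(self, rule):
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError(f"{self.name}: 64 rules per FlexConnect ACL")
        if rule.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        for net in (rule.src, rule.dst):
            if ipaddress.ip_network(net, strict=False).version != 4:
                raise ValueError("FlexConnect ACLs are IPv4 only in this release")
        self.rules.append(rule)

    def permits(self, pkt):
        """First matching rule wins; implicit deny when nothing matches."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        for r in self.rules:
            if r.proto not in ("any", pkt["proto"]):
                continue
            if (src not in ipaddress.ip_network(r.src, strict=False)
                    or dst not in ipaddress.ip_network(r.dst, strict=False)):
                continue
            if r.dst_port is not None and r.dst_port != pkt.get("dport"):
                continue
            return r.action == "permit"
        return False


class FlexAp:
    def __init__(self, bvi_ip):
        self.bvi_ip = bvi_ip                               # AP's BVI address, used for PAT
        self.acls = {"ingress": {}, "egress": {}}          # direction -> {local VLAN: FlexAcl}

    def bind(self, direction, vlan, acl):
        """Map a local-switching ACL to a local VLAN, within the 16-per-direction limit."""
        if vlan not in self.acls[direction] and len(self.acls[direction]) >= MAX_ACLS_PER_DIRECTION:
            raise ValueError(f"16 {direction} ACLs per AP")
        self.acls[direction][vlan] = acl

    def local_switch(self, direction, vlan, pkt):
        """Locally switched traffic on a VLAN with no ACL is allowed; otherwise the ACL decides."""
        acl = self.acls[direction].get(vlan)
        return acl is None or acl.permits(pkt)

    @staticmethod
    def preauth_allowed(preauth_acl, pkt):
        """External web auth: before authentication only what the pre-auth ACL permits is switched."""
        return preauth_acl.permits(pkt)

    def split_tunnel(self, split_acl, pkt):
        """Centrally switched WLAN: ACL match -> bridged locally with PAT; no match -> CAPWAP."""
        if split_acl.permits(pkt):
            return "local", {**pkt, "src": self.bvi_ip}
        return "capwap", dict(pkt)
```

The split-tunnel ACL is deliberately the same object as any other Flex ACL: an overly broad permit there does not only save WAN bandwidth, it also moves traffic out of the controller's view, so the rule set deserves the same review as a firewall policy.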
Flex: WGB/uWGB support for Local switching
 What: this feature extends CUWN support to a WGB/uWGB associated to a locally switched WLAN on Flex mode APs
 Why: simplifies deployment of wired-only devices in remote locations when traffic is designed to stay local. Manufacturing is the main vertical
 How: this capability has been extended to Flex APs for locally switched WLANs; no configuration is required. WGB is supported on an IOS AP: 1240, 1130, 1140, 1260, 1250.
[Figure: a WGB with its wired WGB client associates to a locally switched SSID on the Flex AP, with VLAN trunking to the local network (DHCP/local servers); the Flex AP reaches the centralised WLC over the Corporate WAN.]
FlexConnect and AP1500 (Outdoor)
[Figure: the controller connects via an L3/L2 switch to a RAP (Root AP) in Local or FlexConnect mode, which reaches a MAP (Mesh AP) over a 5GHz backhaul.]
 Indoor AP Parity with Outdoor RAP (1520 & 1550) only
• Local Mode
• FlexConnect Mode
• No MAP functionality in this release
 Flex Mode will have support for Central and Local Switching
Deploying the Cisco Unified Wireless Architecture: Understanding Branch Controller Deployment
Branch Office WLAN Controller Options
[Figure: Headquarters (WCS, E-Mail) connected over MPLS, ATM, Frame Relay or Internet VPN to a Branch Office (number of users: 100–500, number of APs: 5–25) and a Small Office (number of users: 20–100, number of APs: 1–5).]
 Appliance controllers
‒ Cisco 2504-12
‒ Cisco 5508-12, 5508-25
 Integrated controller
‒ WLAN controller module (WLCM-2) for ISR G2
 Virtual WLC (vWLC)
Branch Office WLAN Controller Options
[Figure: Headquarters (WCS, E-Mail) connected over MPLS, ATM, Frame Relay or Internet VPN to a Branch Office running a Cisco 2504 or vWLC** and a Small Office running a WLCM-2 or vWLC**.]
 Cisco Unified Wireless Network with controller-based
 Multiple Integrated WAN options on ISR
 Consistent branch-HQ services, features, and performance
 Standardised branch configuration extends the unified wired and wireless network
 Branch configuration management from central WCS
** AP count varies depending on channel utilisation and data rates
Deploying the Cisco Unified Wireless Architecture: Guest Access Deployment
Guest Access Deployment
WLAN Controller Deployments with EoIP Tunnel
[Figure: guest clients reach the remote Wireless LAN Controller over CAPWAP; the controller carries the guest traffic over an EoIP "Guest Tunnel" to the DMZ or Anchor Wireless Controller behind a Cisco ASA Firewall, which connects to the Internet.]
 Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
 Other traffic (employee for example) is still locally bridged at the remote controller on the corresponding VLAN
 No need to define the guest VLANs on the switches connected to the remote controllers
 Original guest's Ethernet frame maintained across CAPWAP and EoIP tunnels
 Redundant EoIP tunnels to the Anchor WLC
 2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)
Deploying the Cisco Unified Wireless Architecture: Home Office Designs
Home Office Design
OEAP AP
[Figure: Headquarters with a WLC 5508/WiSM-2 / WLC7500 in the DMZ, WCS and E-Mail; an OfficeExtend AP at the teleworker's home connects over an Internet VPN.]
 Cisco controller installed in the DMZ of the corporate network
 OfficeExtend AP (OEAP) installed at the teleworker's home
 Corporate access for the employee over a centrally configured SSID
 Family Internet access over a locally configured SSID
OEAP 600
 802.11n AP with dual concurrent 2.4GHz and 5GHz radios for the teleworker home
 4 local Ethernet ports
 1 Corporate-bound port, 3 for local Ethernet devices
 Up to 4 clients behind the corporate port
 Corporate SSID and user-configurable Personal SSID
 Traffic segmenting supported (corporate vs. personal traffic)
 Local DHCP and NAT support
 Control and data plane encryption
Summary – Key Takeaways
 Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, ...)
 Wide range of architecture / design choices
 Brand new controller portfolio (WiSM-2, WLC 7500, WLC 8500, WLC 2504, Virtual WLC) with investment protection
 Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc)
 Cisco's investment into technology – Cisco Prime, ISE, New hardware, Cloud controller
Documentation
Virtual WLC Deployment Guide: http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml
HA Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml
Flex 7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
AP2600 Deployment Guide: http://www.cisco.com/en/US/products/ps11983/products_tech_note09186a0080bd3d10.shtml
Wireless Bi-Directional Rate Limiting Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3900.shtml
WLC8500 Deployment Guide: http://www.cisco.com/en/US/products/ps12722/products_tech_note09186a0080bd6504.shtml
WiSM-2: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bb2500.shtml
Bonjour Deployment Guide: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
MSE HA Deployment Guide: http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb490d.shtml
MSE Virtual Appliance Deployment Guide: http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml
IPv6 Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml
VLAN Select Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2013 Polo Shirt!
Complete your Overall Event Survey and 5 Session Evaluations.
 Directly from your mobile device on the Cisco Live Mobile App
 By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile
 Visit any Cisco Live Internet Station located throughout the venue
Polo Shirts can be collected in the World of Solutions on Friday 8 March 12:00pm-2:00pm
Don't forget to activate your Cisco Live 365 account for access to all session material, communities, and on-demand and live activities throughout the year. Log into your Cisco Live portal and click the "Enter Cisco Live 365" button.
www.ciscoliveaustralia.com/portal/login.ww