Cisco Unified Wireless Network Overview
Cisco Unified Wireless Network Overview Steve Acker Wireless Advanced Services Network Consulting Engineer CCIE#14097 CISSP#86844 CWSP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Agenda Controller-Based Architecture Overview Mobility in the Cisco Unified WLAN Architecture Architecture Building Blocks Deploying the Cisco Unified Wireless Architecture BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Agenda Controller-Based Architecture Overview Mobility in the Cisco Unified WLAN Architecture Architecture Building Blocks Deploying the Cisco Unified Wireless Architecture BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Cisco Unified Wireless Network Architecture Overview 802.11n and 802.11a/g Highly scalable Mobility Services Engine (MSE) Wireless Control System (WCS) CAPWAP Standalone Access Points Wireless LAN Controller Monitor and migrate standalone access points Easily configure – WLAN controllers using SNMP – Access points using CAPWAP 802.11n Lightweight Access Points Client Devices and Wi-Fi Tags BRKEWN-2010 Real-time RF visibility and control © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public Built-in support for Mobility Services – Context–Aware Services (Location) – Adaptive Wireless Intrusion Prevention System (wIPS) Wired and wireless guest access 4 Understanding WLAN Controllers 1st/2nd Generation vs. 3rd Generation Approach 1st/2nd Generation 1st/2nd generation: APs act as 802.1Q translational bridge, putting client traffic on local VLANs Data VLAN Management VLAN 3rd generation: Controller bridges client traffic centrally Voice VLAN 3rd Generation Data VLAN Management VLAN LWAPP/CAPWAP Tunnel BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Voice VLAN Cisco Public 5 Centralized Wireless LAN Architecture What Is CAPWAP? CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller and based on LWAPP CAPWAP carries control and data traffic between the two Control plane is DTLS encrypted (Datagram Transport Layer Security) Data plane is DTLS encrypted (optional) LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless Business Application Access Point Data Plane CAPWAP Controller Wi-Fi Client Control Plane BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 CAPWAP Modes Split MAC The CAPWAP protocol supports two modes of operation Split MAC (centralized mode) Local MAC (H-REAP) Split MAC Wireless Frame Wireless Phy MAC Sublayer STA BRKEWN-2010 CAPWAP Data Plane AP © 2011 Cisco and/or its affiliates. All rights reserved. 802.3 Frame WLC Cisco Public 7 CAPWAP Modes – Split MAC One of the key concepts of the LWAPP is concept of split MAC The Real Time RF part of the 802.11 protocol operation is managed by the LWAPP AP Non Real Time parts of the 802.11 protocol are managed by the WLC. BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 CAPWAP Modes - Local MAC Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames Locally bridged Wireless Frame Wireless Phy MAC Sublayer STA BRKEWN-2010 802.3 Frame AP © 2011 Cisco and/or its affiliates. All rights reserved. WLC Cisco Public 9 CAPWAP Modes – Local MAC Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames Tunneled as 802.3 frames STA Wireless Frame 802.3 Frame Wireless Phy MAC Sublayer CAPWAP Data Plane AP 802.3 Frame WLC H-REAP support locally bridged MAC and split MAC per SSID BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 CAPWAP State Machine AP Boots UP Reset Discovery Image Data DTLS Setup Run Join BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Config Cisco Public 11 AP Controller Discovery Controller Discovery Order Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs) Broadcast message sent to discover controller on a local subnet Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails Previously learned or primed controllers Subnet broadcast DHCP option 43 DNS lookup BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 AP Controller Discovery: DHCP Option DHCP Server DHCP Offer 1 DHCP Request 2 Layer 3 CAPWAP Discovery Request Broadcast 3 BRKEWN-2010 DHCP Offer Contains Option 43 for Controller Layer 3 CAPWAP Discovery Responses © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 AP Controller Discovery: DNS Option DNS Server DHCP Server DHCP Request CISCO-CAPWAP-CONTROLLER.localdomain 192.168.1.2 2 1 DHCP Offer with Option 15 to give APs the Local Domain name 192.168.1.2 3 DHCP Offer Contains DNS Server or Servers 4 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 WLAN Controller Selection Algorithm CAPWAP Discovery Response contains important information from the WLAN Controller Controller name, controller type, controller AP capacity, current AP load, “Master Controller” status, and AP Manager IP address or addresses AP selects a controller to join using the following decision criteria 1. Attempt to join a WLAN Controller configured as a “Master” controller 2. Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name 3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing) Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 15 CAPWAP Control Messages for Join Process CAPWAP Join Request: AP sends this messages to selected controller (sent to AP Manager Interface IP address) CAPWAP Join Request CAPWAP Join Response: If controller validates AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller CAPWAP Join Response BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 Configuration Phase Firmware and Configuration Download Firmware is downloaded by the AP from the WLC LWAPP-L3 Network configuration is downloaded by the AP from the WLC Firmware Download Firmware digitally signed by Cisco Configuration Download Firmware downloaded only if needed, AP reboots after the download Cisco WLAN Controller Configuration is encrypted in the CAPWAP tunnel Configuration is applied BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Access Points Cisco Public 17 Which Software Version Should I Use? WLC 5508 supports 6.0 and 7.0 WLC7500, WiSM-2 and WLC2504 only supported in 7.0.116 and up BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 Agenda Controller-Based Architecture Overview Mobility in the Cisco Unified WLAN Architecture Architecture Building Blocks Deploying the Cisco Unified Wireless Architecture BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 Mobility Defined Mobility is a key reason for wireless networks Mobility means the end-user device is capable of moving its location in the networked environment Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile! Mobility presents new challenges: Need to scale the architecture to support client roaming— roaming can occur intra-controller and inter-controller Need to support client roaming that is seamless (fast) and preserves security BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 Scaling the Architecture with Mobility Groups Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries APs learn the IPs of the other members of the mobility group after the LWAPP Join process Controller-B MAC: AA:AA:AA:AA:AA:02 Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01 Controller-C, AA:AA:AA:AA:AA:03 Controller-A MAC: AA:AA:AA:AA:AA:01 Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-B, AA:AA:AA:AA:AA:02 Controller-C, AA:AA:AA:AA:AA:03 Mobility messages exchanged between controllers Ethernet in IP Tunnel Support for up to 24 controllers, 3600 APs per mobility group Controller-C MAC: AA:AA:AA:AA:AA:03 Mobility Group Name: MyMobilityGroup Data tunneled between controllers in EtherIP (RFC 3378) Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01 Controller-B, AA:AA:AA:AA:AA:02 Mobility Messages BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 21 Increased Mobility Scalability Roaming is supported across three mobility groups (3 * 24 = 72 controllers) With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 and 6.0.188 and 7.0 Ethernet in IP Tunnel Mobility Sub-Domain 1 Ethernet in IP Tunnel Mobility Sub-Domain 3 Ethernet in IP Tunnel Mobility Sub-Domain 2 Mobility Messages BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 How Long Does an STA Roam Take? Time it takes for: Client to disassociate + Probe for and select a new AP + 802.11 Association + 802.1X/EAP Authentication + Rekeying + IP address (re) acquisition All this can be on the order of seconds… Can we make this faster? BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 23 Roaming Requirements Roaming must be fast … Latency can be introduced by: Client channel scanning and AP selection algorithms Re-authentication of client device and re-keying Refreshing of IP address Roaming must maintain security Open auth, static WEP—session continues on new AP WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes 802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be reauthenticated and new session key derived for encryption BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact Eliminating the (re)IP address acquisition challenge Eliminating full 802.1X/EAP reauthentication BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 Intra-Controller Roaming: Layer 3 VLAN X VLAN Z WLC-1 Client Client Data Database (MAC, IP, QoS, Security) WLC-1 Client Data WLC-2 Client Database (MAC, IP, QoS, Security) Mobility Message Exchange WLC-2 Preroaming Data Path BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 26 Client Roaming Between Subnets: Layer 3 (Cont.) VLAN X VLAN Z WLC-1 Client Client Data Database (MAC, IP, QoS, Security) Client Data WLC-2 Client Database (MAC, IP, QoS, Security) Mobility Message Exchange WLC-1 WLC-2 Anchor Controller Data Tunnel Foreign Controller Preroaming Data Path Client Roams to a Different AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 27 Roaming: Inter-Controller Layer 3 L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets Client must be re-authenticated and new security session established Client database entry copied to new controller – entry exists in both WLC client DBs Original controller tagged as the “anchor”, new controller tagged as the “foreign” WLCs must be in same mobility group or domain No IP address refresh needed Account for mobility message exchange in network design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 28 How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact Eliminating the (re)IP address acquisition challenge Eliminating full 802.1X/EAP reauthentication BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 29 Fast Secure Roaming Standard Wi-Fi Secure Roaming 802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms WAN Cisco AAA Server (ACS or ISE) 2. 802.1X Reauthentication After Roaming AP2 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam 1. 802.1X Initial Authentication Transaction AP1 Note: Mechanism Is Needed to Centralize Key Distribution BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 30 Cisco Centralized Key Management (CCKM) Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially with application specific devices (ASDs) CCKM ported to CUWN architecture in 3.2 release In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range! To work across WLCs, WLCs must be in the same mobility group When a client device roams, he WLC forwards the client's security credentials to the new AP. BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 31 Fast Secure Roaming WPA2/802.11i Pairwise Master Key (PMK) Caching WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients From the 802.11i specification: Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later. However, if a client has not roamed to a particular access point during its current working session, it must then authenticate to that specific access point using 802.1x. When a STA is (re-)associates to an AP, it may attach a list of PMK IDs (which were derived via dot1x process with this AP before) in the (re)association request frame When PMK ID exists, AP can use them to retrieve PMK record from its own PMK cache, if PMK is found, and matches the STA MAC address; AP can bypass dot1x authentication process, and directly starts WPA2 four-way key handshake session with the STA BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 32 OKC/PKC Key Data Points A client device can skip the 802.1x authentication with an access point and only needs to perform the 4 way handshake when roaming to access points that are centrally managed by the same WLC. Supported in Windows since XP SP2 Enabled by default on WLCs with WPAv2 Requires WLCs to be in the same mobility group In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range! BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 33 How Long Does a Client Really Take to Roam? Time to roam = Client to disassociate + Probe for and select a new AP + 802.11 Association + Mobility message exchange between WLCs + Reauthentication + Rekeying + IP address (re) acquisition Network latency will have an impact on these times – consideration for controller placement With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 34 How Often Do Clients Roam? It depends… types of clients and applications Most client devices are designed to be “nomadic” rather than “mobile”, though proliferation of small form factor, “smart” devices will probably change this… Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly Design rule of thumb: 10-20 roams per second for every 5000 clients BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 35 Designing a Mobility Group/Domain Design Considerations Less roaming is better – clients and apps are happier While clients are authenticating/roaming, WLC CPU is doing the processing – not as much of a big deal for 5508 which has dedicated management/control processor L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size Leverage natural roaming domain boundaries Make sure the right ports and protocols are allowed BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 36 Agenda Controller-Based Architecture Overview Mobility in the Cisco Unified WLAN Architecture Architecture Building Blocks Deploying the Cisco Unified Wireless Architecture BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 37 TrustSec 2.0 and Identity Services Engine • Centralized Policy • Distributed Enforcement ACS • AAA Services NAC Profiler • Posture Assessment • Guest Access Services NAC Guest NAC Manager • Device Profiling Identity Services Engine • Monitoring • Troubleshooting NAC Server • Reporting *Current NAC and ACS Hardware Platform Is Software Upgradable to ISE BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 38 ISE Integrated Device Profiling “iPad Template” Custom Template Visibility for Wired and Wireless Devices BRKEWN-2010 Simplified “Device Category” Policy © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public New Device Templates via Subscription Feeds 39 ISE Integrated Device Profiling Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication Employee using corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network Employee using personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only ISE ISE 1 EAP Authentication 2 Accept with VLAN 30 4 Accept with VLAN 40 Employee Corporate Resources VLAN 30 CAPWAP Same-SSID 802.1Q TrunkVLAN 40 Employee BRKEWN-2010 3 EAP Authentication © 2011 Cisco and/or its affiliates. All rights reserved. Internet Cisco Public 40 ISE Integrated Device Profiling Example: VLAN 30 (Corporate access ) VLAN 40 (Internet access) Corporate Internet BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 41 ISE Integrated Device Profiling • ISE Setup – Authorization Profiles redirect VLAN, Override ACL, CoA… Laptop Assign VLAN 30 iPad Assign VLAN 40 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 42 ISE Integrated Device Profiling WLC CoA Setup – Pre-Auth ACL, allows ALL client traffic to ISE WLAN – Dot1X, AAA Override and Radius NAC enabled. Permit ANY to ISE (IP ( Addr)) BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 43 ISE Integrated Device Profiling RADIUS probe (information about authentication, authorization and accounting requests from Network Access DHCP (helper or span) HTTP user agent (span) Customizable Profiles BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 44 Agenda Controller-Based Architecture Overview Mobility in the Cisco Unified WLAN Architecture Architecture Building Blocks Deploying the Cisco Unified Wireless Architecture BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 45 Deploying the Cisco Unified Wireless Architecture Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs Guest Access Deployment Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 46 Deploying the Cisco Unified Wireless Architecture Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs Guest Access Deployment Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 47 Controller Redundancy Dynamic Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers Results in dynamic “salt-and-pepper” design Design works better when controllers are “clustered” in a centralized design Pros Easy to deploy and configure—less upfront work APs dynamically load-balance (though never perfectly) Cons More intercontroller roaming Bigger operational challenges due to unpredictability Longer failover times No “fallback” option in the event of controller failure Cisco’s general recommendation is: Only for Layer 2 roaming Use deterministic redundancy instead of dynamic redundancy BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 48 Controller Redundancy Deterministic WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C Administrator statically assigns APs a primary, secondary, and/or tertiary controller Assigned from controller interface (per AP) or WCS (template-based) Pros Predictability—easier operational management More network stability Primary: WLAN-Controller-A Secondary: WLAN-Controller-B Tertiary: WLAN-Controller-C Primary: WLAN-Controller-B Secondary: WLAN-Controller-C Tertiary: WLAN-Controller-A More flexible and powerful redundancy design options Primary: WLAN-Controller-C Secondary: WLAN-Controller-A Tertiary: WLAN-Controller-B Faster failover times “Fallback” option in the case of failover Con More upfront planning and configuration This is Cisco’s recommended best practice BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 49 High Availability Using Cisco 5508 Si Si Si Si Primary WLC5508 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. APs are connected to primary WLC 5508 In case of hardware failure of WLC 5508 AP’s fall back to secondary WLC Secondary 5508 WLC5508 Traffic flows through the secondary WLC 5508 and primary core switch Cisco Public 50 High Availability Using WiSM: Uplink Failure on Primary Switch S N Si Si Active HSRP Switch Primary WiSM BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. In case of uplink failure of the primary switch Standby switch Standby becomes the HSRP Switch active HSRP New Active switch HSRP Switch APs are still connected to primary WiSM Traffic flows thru the new HSRP active switch Cisco Public 51 High Availability Using WiSM-2 Si Primary WiSM BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Si Secondary WiSM Cisco Public APs are connected to primary WiSM In case of hardware failure of primary WiSM AP’s fall back to secondary WiSM Traffic flows thru the secondary WiSM and primary core switch 52 VSS and Cisco 5508 Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch 4 ports of Cisco 5508 are connected to active VSS switch 2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch In case of failure of primary switch traffic continues to flow through secondary switch in the VSS pair BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Catalyst VSS Pair Cisco 5508 Cisco Public 53 VSS and WiSM-2 Virtual Switch System (VSS) Switch-1 (VSS Active) Switch-2 (VSS Standby) Control Plane Active Data Plane Active BRKEWN-2010 Control Plane Standby VSL Failover/State Sync VLAN Data Plane Active FWSM Active FWSM Standby WiSM-2 Active WiSM-2 Standby © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 54 Controller Redundancy High Availability High Availability Principles Primary WLC AP is registered with a WLC and maintain a backup list of WLC AP use heartbeats to validate WLC connectivity AP use Primary Discovery message to validate backup WLC list When AP lose three heartbeats it start join process to first backup WLC candidate Secondary WLC Candidate Backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary AP do not re-initiate discovery process BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 55 Controller Redundancy High Availability with 7.0 To Accommodate Both Local and Remote Settings, There Are Configurable Options Provided, so that Administrator Can Fine Tune the Settings Based on the Requirements New Timers Heartbeat: Fast Heartbeat Timeout: AP Retransmit Interval: AP Retrans with FH Enabled: AP Retrans with FH Disabled: AP Fallback to next WLC BRKEWN-2010 1-30 Seconds 1-10 Seconds 2-5 Seconds 3-8 Times 3-8 Times 12 Seconds © 2011 Cisco and/or its affiliates. All rights reserved. Old Timers-5508 10-30 Seconds 3-10 Seconds 3 Seconds 3 Times 5 Times 35 Seconds Cisco Public Old Timers-Non-5508 1-30 Seconds 1-10 Seconds 3 Seconds 3 Times 5 Times 35 Seconds 56 AP Pre-Image Download in 7.0 1. Upgrade the image on the controller 2. Don’t reboot the controller CAPWAP-L3 Pre-Image download operation AP Pre-image Download AP pre-image download allows AP to download code while it is operational Cisco WLAN Controller AP Joins Without Download Since most CAPWAP APs can download and keep more than one image of 4–5 MB each 3. Issue AP pre-image download command 4. Once all AP images are downloaded 5. Reboot the controller Access Points 6. AP now rejoins the controller without reboot BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. How Much Time You Save? Cisco Public 57 Configure AP Pre-Image Download Upgrade the image on the controller and don’t reboot Currently we have two images on the controller (Cisco Controller) >show boot Primary Boot Image............................... 7.0.116.0 (default) (active) Backup Boot Image................................ 7.0.98.0 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 58 Configure AP Pre-Image Download Wireless > AP > Global Configuration Perform Primary Image Predownloaded on the AP AP Now Starts Predownloading AP Now Swaps Image After Reboot of the Controller BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 59 Deploying the Cisco Unified Wireless Architecture Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs Guest Access Deployment Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 60 AP-Groups Default AP-Group The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group Default AP-Group cannot be modified APs with no assignment to an specific AP-Group will use the Default AP-Group The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50) WLC 4400 and WiSM (AP groups: 300), WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 (AP Groups : 500) BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 61 Default AP-Group Network Name Default AP Group Only WLANs 1–16 Will Be Added in Default AP Group BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 62 Multiple AP-Groups AP Group 1 AP Group 2 AP Group 3 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 63 Interface-Groups 7.0 Interface-groups allows for a WLAN to be mapped to a single interface or multiple interfaces Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion Extends current AP group and AAA override, with multiple interfaces using interface groups Controllers Interface-Groups/Interfaces WiSM-2, 5508, 7500, 2500 64/64 WiSM, 4400 32/32 2100 and 2504 4/4 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 64 Deploying the Cisco Unified Wireless Architecture Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs Guest Access Deployment Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 65 IPv6 over IPv4 Tunneling Prior to WLC 6.0 release, IPv6 pass-thru is only supported but no L2 security can be enabled on IPv6 WLAN With WLC 6.0 release, IPv6 pass-thru with Layer 2 security supported To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller IPv6 packets are tunneled over CAPWAP IPv4 tunnel Same WLAN can support both IPv4 and IPv6 clients IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN IPv6 is not supported with guest mobility anchor tunneling Client IPv6 Traffic Tunneled over IPv4 and Bridged to Ethernet Ethernet II | IPv6 CAPWAP Tunnel 802.11| IPv6 BRKEWN-2010 Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 66 IPv6 Configuration on WLC 6.X Enable IPv6 on the WLAN and multicast on the WLC BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 67 Deploying the Cisco Unified Wireless Architecture Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs (HREAP/FlexConnect) Understanding HREAP (Hybrid) REAP AP Deployment Understanding Branch Controller Deployment Guest Access Deployment Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 68 Branch Office Deployment HREAP/FlexConnect Hybrid architecture Central Site Centralized Traffic Centralized Traffic Single management and control point Centralized traffic (split MAC) Or WAN Local traffic (local MAC) HA will preserve local traffic only Local Traffic Remote Office BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 69 H-REAP Design Considerations Some WAN limitations apply RTT must be below 300 ms data (100 ms voice) Minimum 500 bytes WAN MTU (with maximum four fragmented packets) Some features are not available in standalone mode or in local switching mode ACL in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC) See full list in « H-REAP Feature Matrix » http://www.cisco.com/en/US/products/ps6366/products_tech _note09186a0080b3690b.shtml BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 70 Understanding H-REAP Groups WLC supports up to 20 H-REAP groups Central Site Each H-REAP group supports up to 25 H-REAP APs H-REAP groups allow sharing of: CCKM fast roaming keys Local user authentication WAN Remote Site Local EAP authentication Remote Site H-REAP Group 2 H-REAP Group 1 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 71 FlexConnect Improvements in New 7.0.116 WAN Survivability FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails Local Authentication Allows for the authentication capability to exist directly at the AP in FlexConnect instead of the WLC Improved Scale Group Scale: Max HREAP groups increased to 500 (7500s) and 100 (5500s) APs per Group: 50 (7500s) and 25 (5500s) Fast Roaming in Remote Branches Opportunistic Key Caching (OKC) between APs in a branch BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 72 Deploying the Cisco Unified Wireless Architecture Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs Understanding HREAP/FlexConnect Deployment Understanding Branch Controller Deployment Guest Access Deployment Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 73 Branch Office WLAN Controller Options Number of Users: 100–500 Number of APs: 5–25 WCS E-Mail Headquarters Appliance controllers MPLS ATM Frame Relay Branch Office Internet VPN Small Office Cisco 2504-12 Cisco 5508-12, 5508-25 Integrated controller Number of Users: 20–100 Number of APs: 1–5 WLAN controller module (WLCM-2) for ISR G2 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 74 Branch Office WLAN Controller Options Cisco 2504 *** WCS E-Mail Branch Office MPLS ATM Frame Relay Headquarters Small Office Cisco Unified Wireless Network with controller-based Multiple Integrated WAN options on ISR Consistent branch-HQ services, features, and performance Standardized branch configuration extends the unified wired and wireless network Branch configuration management from central WCS BRKEWN-2010 Internet VPN WLCM-2 ** **AP Count Vary Depending on Channel Utilization and Data Rates © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 75 Deploying the Cisco Unified Wireless Architecture Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs Guest Access Deployment Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 76 Guest Access Deployment WLAN Controller Deployments with EoIP Tunnel Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN No need to define the guest VLANs on the switches connected to the remote controllers Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels Redundant EoIP tunnels to the Anchor WLC Internet DMZ or Anchor Wireless Controller Cisco ASA Firewall EoIP “Guest Tunnel” Wireless LAN Controller CAPWAP 2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role Guest BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public Guest 77 Summary – Key Takeways Take advantage of the standards (CAPWAP, DTLS,802.11 i, e, k, r…..) Wide range of architecture / design choices Brand new controller (WiSM-2, WLC 7500, WLC 2504) portfolio with investment protection Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc) Cisco’s investment into technology – NCS, ISE, New hardware, cloud controller, CiUS BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 78 Documentation Wireless Services Module 2 (WiSM2) Deployment Guide http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml • Flex7500 Deployment guide http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml Wireless, LAN (WLAN) Configuration Examples and TechNotes http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html H-REAP Deployment Guide http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml VLAN Select Deployment Guide http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 79 Thank you. BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project
Related manuals
Download PDF
advertisement