Cisco Unified Wireless Network Overview
Steve Acker
Wireless Advanced Services
Network Consulting Engineer
CCIE#14097
CISSP#86844
CWSP
BRKEWN-2010
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
1
Agenda
 Controller-Based Architecture Overview
 Mobility in the Cisco Unified WLAN Architecture
 Architecture Building Blocks
 Deploying the Cisco Unified Wireless Architecture
Cisco Unified Wireless Network
Architecture Overview
 802.11n and 802.11a/g
 Highly scalable
 Monitor and migrate standalone access points
 Easily configure
– WLAN controllers using SNMP
– Access points using CAPWAP
 Real-time RF visibility and control
 Built-in support for Mobility Services
– Context-Aware Services (Location)
– Adaptive Wireless Intrusion Prevention System (wIPS)
 Wired and wireless guest access
[Diagram: Wireless Control System (WCS) and Mobility Services Engine (MSE) manage the Wireless LAN Controller; standalone access points, 802.11n lightweight access points (CAPWAP), client devices and Wi-Fi tags]
Understanding WLAN Controllers
1st/2nd Generation vs. 3rd Generation Approach
 1st/2nd generation: APs act as 802.1Q translational bridge, putting client traffic on local VLANs
 3rd generation: Controller bridges client traffic centrally
[Diagram: 1st/2nd generation: the Data, Management and Voice VLANs extend out to each AP; 3rd generation: the Data, Management and Voice VLANs terminate on the controller, which the AP reaches over an LWAPP/CAPWAP tunnel]
Centralized Wireless LAN Architecture
What Is CAPWAP?
 CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller and is based on LWAPP
 CAPWAP carries control and data traffic between the two
Control plane is DTLS (Datagram Transport Layer Security) encrypted
Data plane is DTLS encrypted (optional)
 LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
[Diagram: Wi-Fi client, access point, CAPWAP controller and business application; the CAPWAP control plane and data plane both run between the access point and the controller]
CAPWAP Modes
Split MAC
 The CAPWAP protocol supports two modes of operation
Split MAC (centralized mode)
Local MAC (H-REAP)
 Split MAC
[Diagram: the STA sends a wireless frame to the AP, which handles the wireless PHY and part of the MAC sublayer; the AP forwards the frame over the CAPWAP data plane to the WLC, which emits it as an 802.3 frame]
CAPWAP Modes – Split MAC
 One of the key concepts of LWAPP is the split MAC
 The real-time RF part of the 802.11 protocol operation is managed by the LWAPP AP
 Non-real-time parts of the 802.11 protocol are managed by the WLC
CAPWAP Modes – Local MAC
 Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames
 Locally bridged
[Diagram: the STA sends a wireless frame to the AP (wireless PHY and MAC sublayer); the AP bridges it locally as an 802.3 frame without involving the WLC]
 Tunneled as 802.3 frames
[Diagram: the STA sends a wireless frame to the AP; the AP converts it to an 802.3 frame and tunnels it over the CAPWAP data plane to the WLC, which forwards it as an 802.3 frame]
 H-REAP supports locally bridged MAC and split MAC per SSID
CAPWAP State Machine
[Diagram: AP boots up → Reset → Discovery → DTLS Setup → Join → Image Data → Config → Run]
AP Controller Discovery
Controller Discovery Order
 Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs)
Broadcast message sent to discover controller on a local subnet
 Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails
Previously learned or primed controllers
Subnet broadcast
DHCP option 43
DNS lookup
AP Controller Discovery: DHCP Option
[Diagram: 1. the AP sends a DHCP Request; 2. the DHCP server returns a DHCP Offer containing Option 43 with the controller address; 3. the AP sends a Layer 3 CAPWAP Discovery Request broadcast and receives Layer 3 CAPWAP Discovery Responses]
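As an added example (not from the deck), the following Python encodes and decodes the Cisco-specific Option 43 payload a lightweight AP expects: sub-option type 0xf1, a length byte, then the WLC management IPv4 addresses. The controller addresses used are constructed sample values.

```python
import ipaddress
import struct

# Cisco lightweight APs read vendor-specific DHCP option 43 looking for
# sub-option type 0xf1 (241): one byte type, one byte length, then the
# IPv4 addresses of the WLC management interfaces, 4 bytes each.
CAPWAP_SUBOPTION = 0xF1


def build_option43(controllers):
    """Encode WLC management IPs as the option 43 value a Cisco AP parses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return struct.pack("BB", CAPWAP_SUBOPTION, len(payload)) + payload


def parse_option43(raw):
    """Decode option 43 bytes; return the controller IPs an AP would learn.

    Sub-options of other types are skipped. A CAPWAP sub-option whose length
    is not a multiple of 4 is rejected, since it cannot hold whole addresses.
    """
    controllers = []
    i = 0
    while i + 2 <= len(raw):
        subtype, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option 43 sub-option")
        if subtype == CAPWAP_SUBOPTION:
            if length % 4 != 0:
                raise ValueError("CAPWAP sub-option length must be a multiple of 4")
            for off in range(0, length, 4):
                controllers.append(str(ipaddress.IPv4Address(value[off:off + 4])))
        i += 2 + length
    return controllers


def option43_hex(controllers):
    """Hex string form, as typed into a DHCP server's option 43 field."""
    return build_option43(controllers).hex()
```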
AP Controller Discovery: DNS Option
[Diagram: 1. the AP sends a DHCP Request; 2. the DHCP Offer contains Option 15 to give the AP the local domain name, and the DNS server or servers; 3. the AP queries the DNS server for CISCO-CAPWAP-CONTROLLER.localdomain; 4. the DNS server answers with the controller address 192.168.1.2]
WLAN Controller Selection Algorithm
 CAPWAP Discovery Response contains important information from the WLAN Controller
Controller name, controller type, controller AP capacity, current AP load, “Master Controller” status, and AP Manager IP address or addresses
 AP selects a controller to join using the following decision criteria
1. Attempt to join a WLAN Controller configured as a “Master” controller
2. Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name
3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)
 Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic
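Added example, not Cisco code: a Python model of the three-step decision above, applied to constructed Discovery Responses. Treating a controller with no excess AP capacity (or no AP Manager address) as not joinable, and breaking ties between several Masters by arrival order, are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DiscoveryResponse:
    """The fields of a CAPWAP Discovery Response the deck lists as relevant."""
    name: str
    controller_type: str
    ap_capacity: int                 # licensed AP capacity
    ap_load: int                     # APs currently joined
    master: bool                     # "Master Controller" flag
    ap_manager_ips: List[str] = field(default_factory=list)

    @property
    def excess_capacity(self) -> int:
        return self.ap_capacity - self.ap_load


def select_controller(responses: List[DiscoveryResponse],
                      primary: Optional[str] = None,
                      secondary: Optional[str] = None,
                      tertiary: Optional[str] = None
                      ) -> Tuple[Optional[DiscoveryResponse], str]:
    """Apply the decision order: Master, then configured name match
    (primary, secondary, tertiary), then greatest excess AP capacity.
    Returns the chosen response and the rule that picked it."""
    # Assumption: a controller that is full, or gives no AP Manager address
    # to send the Join Request to, is not a candidate.
    usable = [r for r in responses if r.excess_capacity > 0 and r.ap_manager_ips]
    if not usable:
        return None, "no joinable controller heard"

    masters = [r for r in usable if r.master]
    if masters:
        return masters[0], "master"          # assumption: first heard wins

    by_name = {r.name: r for r in usable}
    for label, wanted in (("primary", primary), ("secondary", secondary),
                          ("tertiary", tertiary)):
        if wanted in by_name:
            return by_name[wanted], label

    # Dynamic load balancing: the most free AP slots wins.
    return max(usable, key=lambda r: r.excess_capacity), "excess-capacity"
```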
CAPWAP Control Messages for Join Process
 CAPWAP Join Request: AP sends this message to the selected controller (sent to the AP Manager interface IP address)
 CAPWAP Join Response: If the controller validates the AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller
Configuration Phase
Firmware and Configuration Download
 Firmware is downloaded by the AP from the WLC
Firmware digitally signed by Cisco
Firmware downloaded only if needed, AP reboots after the download
 Network configuration is downloaded by the AP from the WLC
Configuration is encrypted in the CAPWAP tunnel
Configuration is applied
[Diagram: Cisco WLAN Controller to access points over LWAPP-L3: firmware download, then configuration download]
Which Software Version Should I Use?
 WLC 5508 supports 6.0 and 7.0
 WLC7500, WiSM-2 and WLC2504
only supported in 7.0.116 and up
Mobility Defined
 Mobility is a key reason for wireless networks
 Mobility means the end-user device is capable of moving its location in the networked environment
 Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!
 Mobility presents new challenges:
Need to scale the architecture to support client roaming—roaming can occur intra-controller and inter-controller
Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
 Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
 APs learn the IPs of the other members of the mobility group after the LWAPP Join process
 Mobility messages exchanged between controllers
 Data tunneled between controllers in EtherIP (RFC 3378)
 Support for up to 24 controllers, 3600 APs per mobility group
[Diagram: three controllers in Mobility Group Name MyMobilityGroup, linked by Mobility Messages and an Ethernet in IP Tunnel]
Controller-A, MAC AA:AA:AA:AA:AA:01; Mobility Group Neighbors: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)
Controller-B, MAC AA:AA:AA:AA:AA:02; Mobility Group Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)
Controller-C, MAC AA:AA:AA:AA:AA:03; Mobility Group Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)
Increased Mobility Scalability
 Roaming is supported across three mobility groups (3 * 24 = 72 controllers)
 With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 and 6.0.188 and 7.0
[Diagram: Mobility Sub-Domain 1, 2 and 3 connected to one another by Ethernet in IP Tunnels and Mobility Messages]
How Long Does an STA Roam Take?
 Time it takes for:
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
802.1X/EAP Authentication +
Rekeying +
IP address (re) acquisition
 All this can be on the order of seconds… Can we make this faster?
Roaming Requirements
 Roaming must be fast … Latency can be introduced by:
Client channel scanning and AP selection algorithms
Re-authentication of client device and re-keying
Refreshing of IP address
 Roaming must maintain security
Open auth, static WEP—session continues on new AP
WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes
802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be reauthenticated and new session key derived for encryption
How Are We Going to Make Roaming Faster?
Focus on Where We Can Have the Biggest Impact
 Eliminating the (re)IP address acquisition challenge
 Eliminating full 802.1X/EAP reauthentication
Intra-Controller Roaming: Layer 3
[Diagram: WLC-1 (VLAN X) and WLC-2 (VLAN Z) each hold a client database entry (MAC, IP, QoS, Security) and exchange mobility messages; the client’s pre-roaming data path runs through WLC-1]
Client Roaming Between Subnets: Layer 3 (Cont.)
[Diagram: the client roams to a different AP joined to WLC-2; WLC-1 (VLAN X) becomes the Anchor Controller and WLC-2 (VLAN Z) the Foreign Controller; the client database entry (MAC, IP, QoS, Security) is copied over the mobility message exchange, and client data is carried between the controllers in a data tunnel so the pre-roaming data path is preserved]
Roaming: Inter-Controller Layer 3
 L3 inter-controller roam: STA moves association between APs joined to different controllers, and client traffic is bridged onto different subnets
 Client must be re-authenticated and new security session established
 Client database entry copied to new controller – entry exists in both WLC client DBs
 Original controller tagged as the “anchor”, new controller tagged as the “foreign”
 WLCs must be in same mobility group or domain
 No IP address refresh needed
 Account for mobility message exchange in network design
Fast Secure Roaming
Standard Wi-Fi Secure Roaming
 802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms
 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam
[Diagram: 1. 802.1X initial authentication transaction through AP1 to the Cisco AAA server (ACS or ISE) across the WAN; 2. 802.1X reauthentication after roaming to AP2]
Note: Mechanism Is Needed to Centralize Key Distribution
Cisco Centralized Key Management (CCKM)
 Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
 CCKM ported to CUWN architecture in 3.2 release
 In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
 To work across WLCs, WLCs must be in the same mobility group
 When a client device roams, the WLC forwards the client's security credentials to the new AP.
Fast Secure Roaming
WPA2/802.11i Pairwise Master Key (PMK) Caching
 WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients
 From the 802.11i specification:
Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later.
However, if a client has not roamed to a particular access point during its current working session, it must then authenticate to that specific access point using 802.1x.
When a STA (re-)associates to an AP, it may attach a list of PMK IDs (which were derived via the dot1x process with this AP before) in the (re)association request frame.
When a PMK ID exists, the AP can use it to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake session with the STA.
OKC/PKC
Key Data Points
 A client device can skip the 802.1x authentication with an access point and only needs to perform the 4-way handshake when roaming to access points that are centrally managed by the same WLC.
 Supported in Windows since XP SP2
 Enabled by default on WLCs with WPAv2
 Requires WLCs to be in the same mobility group
 In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!
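Added example, not from the deck or from Cisco: the PMKID computation 802.11i defines for WPA2, HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), with a constructed controller-side cache showing why plain PMK caching misses on an AP the client never authenticated through while OKC, re-deriving the PMKID for the new AP's BSSID from the same PMK, hits and only the 4-way handshake remains. The PMK and MAC addresses are constructed test values.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID per 802.11i for WPA2 (SHA-1 based AKMs):
    HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), i.e. the first 128 bits.
    AA is the AP's BSSID, SPA the station's MAC address."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class ControllerPmkCache:
    """Constructed model of a controller-side PMK cache.

    opportunistic=False models plain 802.11i PMK caching: only PMKIDs that
    were established with a given AP are valid, so a roam to an AP the STA
    never authenticated through falls back to full 802.1X.
    opportunistic=True models OKC/PKC: the same PMK is reused for every AP
    on the controller, so the PMKID is re-derived for the new BSSID and the
    4-way handshake can start at once.
    """

    def __init__(self, opportunistic: bool) -> None:
        self.opportunistic = opportunistic
        self._pmk_by_sta: Dict[bytes, bytes] = {}
        self._established: Set[bytes] = set()   # PMKIDs from full 802.1X

    def record_dot1x_success(self, spa: bytes, aa: bytes, pmk: bytes) -> bytes:
        """Store the PMK after a completed 802.1X/EAP exchange via AP `aa`."""
        self._pmk_by_sta[spa] = pmk
        pid = pmkid(pmk, aa, spa)
        self._established.add(pid)
        return pid

    def on_reassociation(self, spa: bytes, aa: bytes,
                         offered: Set[bytes]) -> Optional[bytes]:
        """Return the PMK to start the 4-way handshake with, or None when the
        STA must re-run 802.1X. The offered PMKID has to match both the STA
        MAC and the BSSID it is now associating to (the deck's 'matches the
        STA MAC address' check)."""
        pmk = self._pmk_by_sta.get(spa)
        if pmk is None:
            return None
        expected = pmkid(pmk, aa, spa)
        if expected not in offered:
            return None
        if not self.opportunistic and expected not in self._established:
            return None
        return pmk
```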
How Long Does a Client Really Take to Roam?
 Time to roam =
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
Mobility message exchange between WLCs +
Reauthentication +
Rekeying +
IP address (re) acquisition
 Network latency will have an impact on these times – consideration for controller placement
 With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary
How Often Do Clients Roam?
 It depends… types of clients and applications
 Most client devices are designed to be “nomadic” rather than “mobile”, though proliferation of small form factor, “smart” devices will probably change this…
 Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly
 Design rule of thumb: 10-20 roams per second for every 5000 clients
Designing a Mobility Group/Domain
Design Considerations
 Less roaming is better – clients and apps are happier
 While clients are authenticating/roaming, WLC CPU is doing the processing – not as much of a big deal for 5508 which has dedicated management/control processor
 L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size
 Leverage natural roaming domain boundaries
 Make sure the right ports and protocols are allowed
TrustSec 2.0 and Identity Services Engine
[Diagram: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server consolidated into the Identity Services Engine]
• Centralized Policy
• Distributed Enforcement
• AAA Services
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting
*Current NAC and ACS Hardware Platform Is Software Upgradable to ISE
ISE Integrated Device Profiling
[Screenshot: profiler policy showing an “iPad Template” and a custom template]
Visibility for Wired and Wireless Devices
Simplified “Device Category” Policy
New Device Templates via Subscription Feeds
ISE Integrated Device Profiling
 Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication
 Employee using corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network
 Employee using personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only
[Diagram: two employees on the same SSID; 1. EAP authentication from the corporate laptop, 2. ISE Accept with VLAN 30 (corporate resources); 3. EAP authentication from the personal device, 4. ISE Accept with VLAN 40 (Internet); both VLANs ride the CAPWAP tunnel to the WLC and an 802.1Q trunk]
ISE Integrated Device Profiling
 Example:
VLAN 30 (Corporate access)
VLAN 40 (Internet access)
[Screenshot: Corporate and Internet VLANs on the WLC]
ISE Integrated Device Profiling
• ISE Setup – Authorization Profiles redirect VLAN, Override ACL, CoA…
[Screenshot: authorization profiles; Laptop: Assign VLAN 30; iPad: Assign VLAN 40]
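Added illustration, not ISE or WLC code: a Python model of the authorization decision above that returns the RFC 3580 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) a RADIUS Access-Accept carries for the WLC to apply with AAA Override, plus the Airespace-ACL-Name VSA for the override ACL. The profile names, the AD group name and the ACL name are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 2868 tunnel attributes, used per RFC 3580 to assign a VLAN; the WLC
# honours them when AAA Override is enabled on the WLAN.
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN id carried as a string
# Cisco Airespace VSA (vendor 14179, attribute 6) naming an ACL on the WLC.
AIRESPACE_ACL_NAME = (14179, 6)

VLAN_CORPORATE = 30            # full access, per the deck
VLAN_INTERNET_ONLY = 40        # internet only, per the deck
INTERNET_ONLY_ACL = "INTERNET-ONLY"   # assumption: ACL defined on the WLC

# Constructed: profiler results treated as personal Apple devices, and the
# AD group that identifies employees.
PERSONAL_DEVICE_PROFILES = {"Apple-iPad", "Apple-iPhone"}
EMPLOYEE_GROUP = "Employees"


@dataclass(frozen=True)
class Session:
    username: str
    ad_group: str          # group returned by the AD lookup
    device_profile: str    # profile assigned by the ISE profiler probes


def accept_attributes(vlan: int, acl: Optional[str]) -> Dict:
    """Attributes the WLC reads from the Access-Accept to override the WLAN's
    default interface and, optionally, apply a named ACL."""
    attrs = {
        TUNNEL_TYPE: 13,
        TUNNEL_MEDIUM_TYPE: 6,
        TUNNEL_PRIVATE_GROUP_ID: str(vlan),
    }
    if acl:
        attrs[AIRESPACE_ACL_NAME] = acl
    return attrs


def authorize(session: Session) -> Optional[Tuple[int, Dict]]:
    """Return (vlan, Access-Accept attributes) or None for an Access-Reject."""
    if session.ad_group != EMPLOYEE_GROUP:
        return None                      # same SSID, but not an employee
    if session.device_profile == "Workstation":
        vlan, acl = VLAN_CORPORATE, None
    elif session.device_profile in PERSONAL_DEVICE_PROFILES:
        vlan, acl = VLAN_INTERNET_ONLY, INTERNET_ONLY_ACL
    else:
        # Unprofiled or unexpected device: least privilege, internet only.
        vlan, acl = VLAN_INTERNET_ONLY, INTERNET_ONLY_ACL
    return vlan, accept_attributes(vlan, acl)
```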
ISE Integrated Device Profiling
 WLC CoA Setup – Pre-Auth ACL allows ALL client traffic to ISE
 WLAN – Dot1X, AAA Override and Radius NAC enabled
[Screenshot: pre-authentication ACL entry “Permit ANY to ISE (IP Addr)”]
ISE Integrated Device Profiling
 RADIUS probe (information about authentication, authorization and accounting requests from Network Access
 DHCP (helper or span)
 HTTP user agent (span)
Customizable Profiles
Deploying the Cisco Unified
Wireless Architecture
 Controller Redundancy and AP Load Balancing
 Understanding AP Groups
 IPv6 Deployment with Controllers
 Branch Office Designs
 Guest Access Deployment
 Home Office Design
Controller Redundancy
Dynamic
 Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
 Results in dynamic “salt-and-pepper” design
 Design works better when controllers are “clustered” in a centralized design
 Pros
Easy to deploy and configure—less upfront work
APs dynamically load-balance (though never perfectly)
 Cons
More intercontroller roaming
Bigger operational challenges due to unpredictability
Longer failover times
No “fallback” option in the event of controller failure
 Cisco’s general recommendation is:
Only for Layer 2 roaming
 Use deterministic redundancy instead of dynamic redundancy
Controller Redundancy
Deterministic
 Administrator statically assigns APs a primary, secondary, and/or tertiary controller
Assigned from controller interface (per AP) or WCS (template-based)
 Pros
Predictability—easier operational management
More network stability
More flexible and powerful redundancy design options
Faster failover times
“Fallback” option in the case of failover
 Con
More upfront planning and configuration
 This is Cisco’s recommended best practice
[Diagram: WLAN-Controller-A, WLAN-Controller-B and WLAN-Controller-C serving three sets of APs configured as Primary A / Secondary B / Tertiary C, Primary B / Secondary C / Tertiary A, and Primary C / Secondary A / Tertiary B]
High Availability Using Cisco 5508
 APs are connected to primary WLC 5508
 In case of hardware failure of WLC 5508
 APs fall back to secondary WLC 5508
 Traffic flows through the secondary WLC 5508 and primary core switch
[Diagram: primary and secondary WLC 5508 attached to a pair of core switches]
High Availability Using WiSM: Uplink Failure on Primary Switch
 In case of uplink failure of the primary switch
 Standby switch becomes the active HSRP switch
 APs are still connected to primary WiSM
 Traffic flows thru the new HSRP active switch
[Diagram: the active HSRP switch hosts the primary WiSM; after the uplink failure the standby HSRP switch becomes the new active HSRP switch]
High Availability Using WiSM-2
 APs are connected to primary WiSM
 In case of hardware failure of primary WiSM
 APs fall back to secondary WiSM
 Traffic flows thru the secondary WiSM and primary core switch
[Diagram: primary WiSM and secondary WiSM housed in separate core switches]
VSS and Cisco 5508
 Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch
 4 ports of Cisco 5508 are connected to active VSS switch
 2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch
 In case of failure of primary switch traffic continues to flow through secondary switch in the VSS pair
[Diagram: Cisco 5508 dual-homed to a Catalyst VSS pair]
VSS and WiSM-2
Virtual Switch System (VSS)
[Diagram: Switch-1 (VSS Active: control plane active, data plane active, FWSM active, WiSM-2 active) and Switch-2 (VSS Standby: control plane standby, data plane active, FWSM standby, WiSM-2 standby), joined by the VSL and a failover/state sync VLAN]
Controller Redundancy
High Availability
High Availability Principles
 AP is registered with a WLC and maintains a backup list of WLCs
 AP uses heartbeats to validate WLC connectivity
 AP uses Primary Discovery messages to validate the backup WLC list
 When the AP loses three heartbeats it starts the join process to the first backup WLC candidate
 Candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
 AP does not re-initiate the discovery process
[Diagram: AP registered to the Primary WLC, with the Secondary WLC as backup]
Controller Redundancy
High Availability with 7.0
To accommodate both local and remote settings, there are configurable options provided, so that the administrator can fine tune the settings based on the requirements.

Timer                         New Timers     Old Timers-5508   Old Timers-Non-5508
Heartbeat:                    1-30 Seconds   10-30 Seconds     1-30 Seconds
Fast Heartbeat Timeout:       1-10 Seconds   3-10 Seconds      1-10 Seconds
AP Retransmit Interval:       2-5 Seconds    3 Seconds         3 Seconds
AP Retrans with FH Enabled:   3-8 Times      3 Times           3 Times
AP Retrans with FH Disabled:  3-8 Times      5 Times           5 Times
AP Fallback to next WLC:      12 Seconds     35 Seconds        35 Seconds
AP Pre-Image Download in 7.0
 AP pre-image download allows AP to download code while it is operational
 Since most CAPWAP APs can download and keep more than one image of 4–5 MB each
 Pre-Image download operation
1. Upgrade the image on the controller
2. Don’t reboot the controller
3. Issue AP pre-image download command
4. Once all AP images are downloaded
5. Reboot the controller
6. AP now rejoins the controller without reboot
[Diagram: Cisco WLAN Controller pushes the image to the access points over CAPWAP-L3 (AP pre-image download); the APs then join without a download. How much time do you save?]
Configure AP Pre-Image Download
 Upgrade the image on the controller and don’t reboot
 Currently we have two images on the controller
(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0
Configure AP Pre-Image Download
Wireless > AP > Global Configuration
[Screenshots: “Perform Primary Image Predownload on the AP” is issued; the AP starts predownloading; the AP swaps image after reboot of the controller]
AP-Groups
Default AP-Group
 The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
 Default AP-Group cannot be modified
 APs with no assignment to a specific AP-Group will use the Default AP-Group
 The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
 Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
 WLC 2106 (AP groups: 50), WLC 2504 (AP groups: 50), WLC 4400 and WiSM (AP groups: 300), WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 (AP groups: 500)
Default AP-Group
[Screenshot: Default AP Group with its Network Name list; only WLANs 1–16 will be added in the Default AP Group]
Multiple AP-Groups
[Diagram: AP Group 1, AP Group 2, AP Group 3]
Interface-Groups
7.0
 Interface-groups allow a WLAN to be mapped to a single interface or multiple interfaces
 Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion
 Extends current AP group and AAA override, with multiple interfaces using interface groups
 Controllers (Interface-Groups/Interfaces):
WiSM-2, 5508, 7500, 2500: 64/64
WiSM, 4400: 32/32
2100 and 2504: 4/4
IPv6 over IPv4 Tunneling
 Prior to the WLC 6.0 release, only IPv6 pass-thru is supported, and no L2 security can be enabled on an IPv6 WLAN
 With the WLC 6.0 release, IPv6 pass-thru with Layer 2 security is supported
 To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller
 IPv6 packets are tunneled over the CAPWAP IPv4 tunnel
 Same WLAN can support both IPv4 and IPv6 clients
 IPv6 pass-thru and IPv4 Webauth are also supported on the same WLAN
 IPv6 is not supported with guest mobility anchor tunneling
[Diagram: client IPv6 traffic tunneled over IPv4 and bridged to Ethernet. Over the air: 802.11 | IPv6. Inside the CAPWAP tunnel: Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6. On the wire behind the controller: Ethernet II | IPv6]
IPv6 Configuration on WLC 6.X
 Enable IPv6 on the WLAN and multicast on the WLC
Deploying the Cisco Unified
Wireless Architecture
 Controller Redundancy and AP Load Balancing
 Understanding AP Groups
 IPv6 Deployment with Controllers
 Branch Office Designs (HREAP/FlexConnect)
Understanding HREAP (Hybrid) REAP AP Deployment
Understanding Branch Controller Deployment
 Guest Access Deployment
 Home Office Design
Branch Office Deployment
HREAP/FlexConnect
 Hybrid architecture
 Single management and control point
Centralized traffic (split MAC)
Or
Local traffic (local MAC)
 HA will preserve local traffic only
[Diagram: central site with the controller; remote office across the WAN, with centralized traffic tunneled to the central site and local traffic switched at the remote office]
H-REAP Design Considerations
 Some WAN limitations apply
RTT must be below 300 ms data (100 ms voice)
Minimum 500 bytes WAN MTU (with maximum four fragmented packets)
 Some features are not available in standalone mode or in local switching mode
ACL in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC)
See full list in « H-REAP Feature Matrix »
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Understanding H-REAP Groups
 WLC supports up to 20 H-REAP groups
 Each H-REAP group supports up to 25 H-REAP APs
 H-REAP groups allow sharing of:
CCKM fast roaming keys
Local user authentication
Local EAP authentication
[Diagram: central site connected over the WAN to two remote sites, H-REAP Group 1 and H-REAP Group 2]
FlexConnect Improvements in New 7.0.116
 WAN Survivability
FlexConnect AP provides wireless access and services to clients
when the connection to the primary WLC fails
 Local Authentication
Allows for the authentication capability to exist directly at the AP in
FlexConnect instead of the WLC
 Improved Scale
Group Scale: Max HREAP groups increased to 500 (7500s) and 100
(5500s)
APs per Group: 50 (7500s) and 25 (5500s)
 Fast Roaming in Remote Branches
Opportunistic Key Caching (OKC) between APs in a branch
Branch Office WLAN Controller Options
 Appliance controllers
Number of Users: 100–500
Number of APs: 5–25
Cisco 2504-12
Cisco 5508-12, 5508-25
 Integrated controller
Number of Users: 20–100
Number of APs: 1–5
WLAN controller module (WLCM-2) for ISR G2
[Diagram: headquarters (WCS, e-mail) connected over MPLS, ATM, Frame Relay or Internet VPN to a branch office and a small office]
Branch Office WLAN Controller Options
 Cisco Unified Wireless Network with controller-based
 Multiple Integrated WAN options on ISR
 Consistent branch-HQ services, features, and performance
 Standardized branch configuration extends the unified wired and wireless network
 Branch configuration management from central WCS
[Diagram: headquarters (WCS, e-mail) connected over MPLS, ATM, Frame Relay or Internet VPN to a branch office with a Cisco 2504 *** and a small office with a WLCM-2 **]
**AP count varies depending on channel utilization and data rates
Guest Access Deployment
WLAN Controller Deployments with EoIP Tunnel
 Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
 Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN
 No need to define the guest VLANs on the switches connected to the remote controllers
 Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels
 Redundant EoIP tunnels to the Anchor WLC
 2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)
[Diagram: guest clients join the Wireless LAN Controller over CAPWAP; an EoIP “Guest Tunnel” carries their traffic to the DMZ or anchor Wireless Controller behind a Cisco ASA firewall, which connects to the Internet]
Summary – Key Takeaways
 Take advantage of the standards (CAPWAP, DTLS, 802.11 i, e, k, r…)
 Wide range of architecture / design choices
 Brand new controller (WiSM-2, WLC 7500, WLC 2504) portfolio with investment protection
 Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
 Cisco’s investment into technology – NCS, ISE, new hardware, cloud controller, CiUS
Documentation
 Wireless Services Module 2 (WiSM2) Deployment Guide
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
 Flex7500 Deployment Guide
http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
 Wireless LAN (WLAN) Configuration Examples and TechNotes
http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
 H-REAP Deployment Guide
http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
 VLAN Select Deployment Guide
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml
Thank you.