Cisco Unified Wireless Network Overview - DFW Cisco Users
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKEWN-2010
Cisco Unified Wireless Network Overview
Steve Acker, Wireless Advanced Services, Network Consulting Engineer (CCIE #14097, CISSP #86844, CWSP)
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Cisco Unified Wireless Network Architecture Overview
Components: Lightweight Access Points, Wireless LAN Controller, Wireless Control System (WCS), Mobility Services Engine (MSE), CAPWAP, Client Devices and Wi-Fi Tags, 802.11n Standalone Access Points
802.11n and 802.11a/g
Highly scalable
Real-time RF visibility and control
Monitor and migrate standalone access points
Easily configure WLAN controllers (using SNMP) and access points (using CAPWAP)
Built-in support for Mobility Services: Context-Aware Services (Location) and Adaptive Wireless Intrusion Prevention System (wIPS)
Wired and wireless guest access
Understanding WLAN Controllers: 1st/2nd Generation vs. 3rd Generation Approach
1st/2nd generation: APs act as 802.1Q translational bridges, putting client traffic on local VLANs (the data, voice and management VLANs extend to every AP)
3rd generation: the controller bridges client traffic centrally; the AP reaches the controller through an LWAPP/CAPWAP tunnel, and the data, voice and management VLANs terminate at the controller
Centralized Wireless LAN Architecture: What Is CAPWAP?
CAPWAP (Control and Provisioning of Wireless Access Points, RFC 5415) is the protocol used between APs and the WLAN controller; it is derived from LWAPP.
CAPWAP carries both control and data traffic between the two. The control plane is DTLS encrypted (Datagram Transport Layer Security); DTLS encryption of the data plane is optional and disabled by default. In this architecture the AP terminates the 802.11 encryption, so without data-plane DTLS the client frames cross the wired path between AP and controller in the clear; enable it wherever that path is not trusted.
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless.
[Figure: Wi-Fi client to access point; control plane and data plane from the access point to the CAPWAP controller; business application behind the controller.]
CAPWAP Modes: Split MAC
The CAPWAP protocol supports two modes of operation: Split MAC (centralized mode) and Local MAC (H-REAP).
[Figure, split MAC: STA to AP over the wireless PHY; the AP handles the MAC sublayer in real time and forwards the wireless frame to the WLC over the CAPWAP data plane, where it exits as an 802.3 frame.]
CAPWAP Modes: Split MAC
One of the key concepts of LWAPP (and CAPWAP) is split MAC.
The real-time RF part of the 802.11 protocol operation (beacons, probe responses, acknowledgements, encryption of frames on the air) is managed by the LWAPP/CAPWAP AP.
The non-real-time parts of the 802.11 protocol (association, authentication, key management, bridging to the wired network) are managed by the WLC.
CAPWAP Modes: Local MAC
Local MAC mode of operation allows data frames to be either locally bridged or tunneled as 802.3 frames.
[Figure, locally bridged: STA to AP over the wireless PHY; the AP handles the MAC sublayer and bridges the wireless frame onto the local wire as an 802.3 frame; only control traffic goes to the WLC.]
[Figure, tunneled: the AP converts the wireless frame to an 802.3 frame and sends it to the WLC over the CAPWAP data plane.]
H-REAP supports locally bridged (local MAC) and split MAC per SSID.
CAPWAP State Machine
AP boots up, then: Discovery, DTLS Setup, Join, Image Data, Config, Run. A Reset returns the AP to Discovery.
AP Controller Discovery
Layer 2 join procedure: attempted only on LWAPP APs (CAPWAP does not support Layer 2 mode); a broadcast message is sent to discover a controller on the local subnet.
Layer 3 join process: used by CAPWAP APs, and by LWAPP APs after Layer 2 fails.
Controller discovery order: previously learned or primed controllers, subnet broadcast, DHCP option 43, DNS lookup.
AP Controller Discovery: DHCP Option
1. DHCP Request from the AP.
2. DHCP Offer from the DHCP server; the offer contains option 43 with the controller address(es).
3. The AP sends a Layer 3 CAPWAP Discovery Request (broadcast on the local subnet, and unicast to the controllers learned from option 43) and receives Layer 3 CAPWAP Discovery Responses.
AP Controller Discovery: DNS Option
1. DHCP Request from the AP.
2. DHCP Offer contains the DNS server or servers, and option 15 to give the AP the local domain name.
3. The AP resolves CISCO-CAPWAP-CONTROLLER.localdomain and receives the controller address (192.168.1.2 in the example).
4. The AP sends its CAPWAP Discovery Request to 192.168.1.2.
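The two steering mechanisms above (DHCP option 43 and the DNS name) are what an AP acts on before it has any controller. Added example, not from the deck and not Cisco code: a Python encoder and decoder for the option 43 value (Cisco vendor sub-option 0xf1, a one-byte length, then the controller IPv4 addresses; the resulting hex string is what goes into an IOS DHCP pool as `option 43 hex ...`) and the DNS name built from the option 15 domain. The controller addresses are constructed. Neither mechanism is authenticated: whoever controls DHCP or DNS on the AP subnet can point APs at any address, and it is the DTLS handshake with Cisco-signed certificates in the join phase that keeps the AP from joining a rogue controller.

```python
import ipaddress
import struct

# Cisco lightweight APs look for vendor sub-option 0xf1 inside DHCP option 43:
# one byte sub-option type (0xf1), one byte length (4 * number of controllers),
# then the controller management IPv4 addresses back to back.
CISCO_WLC_SUBOPTION = 0xF1
MAX_OPTION_VALUE = 255  # a DHCP option value is at most 255 bytes


def encode_option43(controllers):
    """Raw option 43 value steering an AP to the given controller addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if 2 + len(payload) > MAX_OPTION_VALUE:
        raise ValueError("too many controllers for one option 43 value")
    return struct.pack("BB", CISCO_WLC_SUBOPTION, len(payload)) + payload


def option43_hex(controllers):
    """Hex string as typed into an IOS DHCP pool: 'option 43 hex <value>'."""
    return encode_option43(controllers).hex()


def decode_option43(raw):
    """Walk the sub-option TLVs and return the controller addresses in 0xf1.

    Other vendors' sub-options are skipped; truncated or malformed input is
    rejected rather than partially trusted.
    """
    controllers = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        sub_type, length = raw[i], raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if sub_type == CISCO_WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("sub-option 0xf1 length must be a multiple of 4")
            controllers.extend(
                str(ipaddress.IPv4Address(value[j : j + 4])) for j in range(0, length, 4)
            )
        i += 2 + length
    return controllers


def discovery_dns_name(local_domain):
    """Name the AP resolves when DHCP option 15 hands it local_domain."""
    return f"CISCO-CAPWAP-CONTROLLER.{local_domain}"


if __name__ == "__main__":
    # Constructed example: two controllers, as they would appear in the DHCP pool
    print("option 43 hex", option43_hex(["192.168.1.2", "192.168.1.3"]))
    print(decode_option43(bytes.fromhex("f108c0a80102c0a80103")))
    print(discovery_dns_name("localdomain"))
```

The decoder rejects a truncated 0xf1 sub-option instead of returning the addresses it could parse, which is the behaviour you want in any tool that audits DHCP pools: a half-right controller list is worse than an error.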
WLAN Controller Selection Algorithm
The CAPWAP Discovery Response contains important information from the WLAN Controller: controller name, controller type, controller AP capacity, current AP load, "Master Controller" status, and AP Manager IP address or addresses.
The AP selects a controller to join using the following decision criteria:
1. Attempt to join a WLAN Controller whose name matches the previously configured primary, secondary, or tertiary controller name
2. Attempt to join a WLAN Controller configured as a "Master" controller
3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)
A configured primary, secondary or tertiary name takes precedence over a Master controller, so the administrator's static assignments hold even while a controller is left in Master mode to onboard new APs. Options #1 and #3 are the two approaches to controller redundancy and AP load balancing: deterministic and dynamic.
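Added example, not AP or controller code: the selection order above as a Python function over constructed Discovery Responses, using the response fields the slide lists. Treating a controller with no AP-manager address or no spare capacity as unusable is an assumption made here, as is the data layout.

```python
from dataclasses import dataclass, field


@dataclass
class DiscoveryResponse:
    """Fields the slide lists as carried in a CAPWAP Discovery Response."""
    name: str
    ap_capacity: int            # licensed AP capacity
    ap_load: int                # APs currently joined
    is_master: bool = False
    ap_manager_ips: list = field(default_factory=list)

    @property
    def excess_capacity(self) -> int:
        return self.ap_capacity - self.ap_load


def select_controller(responses, primary=None, secondary=None, tertiary=None):
    """Return the DiscoveryResponse the AP will send its Join Request to, or None.

    A controller that advertised no AP-manager address or no spare capacity is
    treated as unusable (assumption: a full controller would refuse the join).
    """
    usable = [r for r in responses if r.ap_manager_ips and r.excess_capacity > 0]
    if not usable:
        return None
    by_name = {r.name: r for r in usable}
    # 1. statically configured primary / secondary / tertiary, matched by name
    for wanted in (primary, secondary, tertiary):
        if wanted and wanted in by_name:
            return by_name[wanted]
    # 2. a controller running in Master mode (meant for onboarding new APs)
    masters = [r for r in usable if r.is_master]
    if masters:
        return masters[0]
    # 3. dynamic load balancing: the most spare AP capacity
    return max(usable, key=lambda r: r.excess_capacity)


def join_target(responses, **configured):
    """(controller name, AP-manager IP) the Join Request is addressed to."""
    chosen = select_controller(responses, **configured)
    if chosen is None:
        return None
    return chosen.name, chosen.ap_manager_ips[0]


if __name__ == "__main__":
    # Constructed responses from three controllers
    replies = [
        DiscoveryResponse("WLC-A", 500, 450, False, ["10.0.0.11"]),
        DiscoveryResponse("WLC-B", 500, 100, True, ["10.0.0.12"]),
        DiscoveryResponse("WLC-C", 100, 10, False, ["10.0.0.13"]),
    ]
    print(join_target(replies, primary="WLC-A"))   # configured name wins
    print(join_target(replies))                    # falls through to the Master
```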
CAPWAP Control Messages for Join Process
CAPWAP Join Request: the AP sends this message to the selected controller (to the AP Manager interface IP address learned from the Discovery Response).
CAPWAP Join Response: if the controller validates the AP's request, it sends the CAPWAP Join Response, indicating that the AP is now registered with that controller. The Join exchange runs inside the DTLS session set up in the previous state, so both sides have already authenticated each other's certificate before the AP is accepted.
Configuration Phase: Firmware and Configuration Download
Firmware is downloaded by the AP from the WLC, only if needed; the AP reboots after the download. The firmware is digitally signed by Cisco.
Network configuration is downloaded by the AP from the WLC. The configuration is encrypted in the CAPWAP (DTLS) tunnel and then applied.
[Figure: access points joined to the Cisco WLAN Controller over LWAPP/CAPWAP Layer 3 perform the firmware download followed by the configuration download.]
Which Software Version Should I Use?
WLC 5508 supports 6.0 and 7.0. WLC 7500, WiSM-2 and WLC 2504 are only supported in 7.0.116 and up.
Mobility Defined
Mobility is a key reason for wireless networks.
Mobility means the end-user device is capable of moving its location in the networked environment.
Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it is mobile. Mobility presents new challenges:
Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries.
APs learn the IPs of the other members of the mobility group after the LWAPP/CAPWAP Join process.
Support for up to 24 controllers, 3600 APs per mobility group.
Mobility messages are exchanged between controllers; data is tunneled between controllers in EtherIP (Ethernet in IP, RFC 3378).
[Figure: three controllers in mobility group "MyMobilityGroup", each listing the other two as neighbors by name and MAC: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03). Mobility messages and Ethernet-in-IP tunnels run between every pair.]
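Added example, not Cisco code: the EtherIP (RFC 3378) data tunnel that carries a roamed client's Ethernet frame between two controllers, built and parsed in Python with an outer IPv4 header (IP protocol 97) and the two-byte EtherIP header (version 3, reserved bits zero). It is the packet shape to look for when writing firewall rules or a detection for mobility tunnels on the wire. The controller addresses and the client frame are constructed; the parser rejects a bad header checksum, a wrong protocol number and a malformed EtherIP header rather than handing the inner frame on.

```python
import ipaddress
import struct

ETHERIP_PROTO = 97                              # IP protocol number for EtherIP
ETHERIP_HEADER = struct.pack(">H", 3 << 12)     # version 3, 12 reserved bits zero
ETH_HEADER_LEN = 14


def _ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (checksum field included)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def eoip_encapsulate(src_wlc: str, dst_wlc: str, eth_frame: bytes) -> bytes:
    """Wrap a client's Ethernet frame the way the foreign WLC sends it to the anchor."""
    if len(eth_frame) < ETH_HEADER_LEN:
        raise ValueError("not an Ethernet frame")
    payload = ETHERIP_HEADER + eth_frame
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ETHERIP_PROTO, 0,
                      ipaddress.IPv4Address(src_wlc).packed,
                      ipaddress.IPv4Address(dst_wlc).packed)
    hdr = hdr[:10] + struct.pack(">H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def eoip_decapsulate(packet: bytes):
    """Validate the outer IPv4 and EtherIP headers; return (src, dst, eth_frame)."""
    if len(packet) < 20 + 2 + ETH_HEADER_LEN:
        raise ValueError("packet too short for IPv4 + EtherIP + Ethernet headers")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if _ipv4_checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack(">H", packet[2:4])[0]
    proto = packet[9]
    if proto != ETHERIP_PROTO:
        raise ValueError("IP protocol %d is not EtherIP" % proto)
    if total_len > len(packet):
        raise ValueError("truncated packet")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    etherip, = struct.unpack(">H", packet[ihl:ihl + 2])
    if etherip >> 12 != 3 or etherip & 0x0FFF:
        raise ValueError("unexpected EtherIP version or reserved bits")
    return src, dst, packet[ihl + 2:total_len]


if __name__ == "__main__":
    # Constructed client frame: dst MAC, src MAC, IPv4 ethertype, dummy payload
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + b"client payload"
    tunnelled = eoip_encapsulate("10.1.1.1", "10.2.2.2", frame)
    print(tunnelled.hex())
    print(eoip_decapsulate(tunnelled))
```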
Increased Mobility Scalability
Roaming is supported across three mobility groups (3 * 24 = 72 controllers).
With Inter Release Controller Mobility (IRCM), roaming is supported between 4.2.207, 6.0.188 and 7.0.
[Figure: three mobility sub-domains, each an Ethernet-in-IP tunnel mesh, exchanging mobility messages with each other.]
How Long Does an STA Roam Take?
Time it takes for:
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
802.1X/EAP Authentication +
Rekeying +
IP address (re)acquisition
All this can be on the order of seconds... Can we make this faster?
Roaming Requirements
Roaming must be fast. Latency can be introduced by:
Client channel scanning and AP selection algorithms
Re-authentication of the client device and re-keying
Refreshing of the IP address
Roaming must maintain security:
Open auth, static WEP: session continues on the new AP
WPA/WPAv2 Personal: new session key for encryption derived via the standard handshakes
802.1X, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and a new session key derived for encryption
How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact
Eliminating the (re)IP address acquisition challenge
Eliminating full 802.1X/EAP reauthentication
Client Roaming Between Subnets: Layer 3
[Figure, pre-roaming data path: the client is on an AP joined to WLC-1 and is bridged onto VLAN X; the WLC-1 client database holds the client data (MAC, IP, QoS, Security). WLC-2 serves VLAN Z and has no entry for the client yet.]
[Figure, after the client roams to an AP on WLC-2: WLC-1 and WLC-2 exchange mobility messages, the client entry (MAC, IP, QoS, Security) is copied into the WLC-2 client database, WLC-1 becomes the anchor controller and WLC-2 the foreign controller, and the client's traffic is carried from WLC-2 back to WLC-1 over the anchor controller data tunnel so the client keeps its VLAN X address.]
Roaming: Inter-Controller, Layer 3
L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and the client's traffic would otherwise be bridged onto different subnets
Client must be re-authenticated and a new security session established (unless a fast secure roaming method, covered next, lets it skip the full 802.1X exchange)
Client database entry copied to the new controller; the entry exists in both WLC client DBs
Original controller tagged as the "anchor", new controller tagged as the "foreign"
WLCs must be in the same mobility group or domain
No IP address refresh needed; the anchor tunnels the client's traffic back to its original subnet
Account for the mobility message exchange in network design
Fast Secure Roaming: Standard Wi-Fi Secure Roaming
802.1X authentication in wireless today requires three "end-to-end" transactions (client, AP/controller and the AAA server across the WAN) with an overall transaction time of > 500 ms.
802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms on the roam.
Note: a mechanism is needed to centralize key distribution.
[Figure: Cisco AAA server (ACS or ISE) reached across the WAN; 1. 802.1X initial authentication transaction through AP1; 2. 802.1X reauthentication after roaming to AP2.]
Cisco Centralized Key Management (CCKM)
Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially in application-specific devices (ASDs).
CCKM was ported to the CUWN architecture in the 3.2 release.
In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range.
To work across WLCs, the WLCs must be in the same mobility group.
When a client device roams, the WLC forwards the client's security credentials to the new AP.
Fast Secure Roaming: WPA2/802.11i Pairwise Master Key (PMK) Caching
WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients.
From the 802.11i specification:
Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later. However, if a client has not roamed to a particular access point during its current working session, it must then authenticate to that specific access point using 802.1X.
When a STA (re)associates to an AP, it may attach a list of PMKIDs (derived via the dot1x process with this AP before) in the (re)association request frame.
When a PMKID is present, the AP can use it to retrieve the PMK record from its own PMK cache. If the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake with the STA.
OKC/PKC: Key Data Points
A client device can skip the 802.1X authentication with an access point and only needs to perform the 4-way handshake when roaming to access points that are centrally managed by the same WLC.
Supported in Windows since XP SP2
Enabled by default on WLCs with WPAv2
Requires WLCs to be in the same mobility group
In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range.
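Added example, not the controller's code: the PMKID computation from 802.11i in Python (PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)) and a controller-side cache lookup that shows the difference between the two slides above. With plain PMK caching the supplicant only holds PMKIDs for APs it has authenticated to, so a never-visited AP forces a full 802.1X; with OKC the supplicant derives the PMKID for the new AP's BSSID from the same PMK, and the WLC, which holds that PMK for all of its APs, computes the same value. The MAC addresses and the PMK are constructed. The lookup also binds the PMKID to the STA MAC, so a PMKID captured from another station does not unlock its PMK.

```python
import hashlib
import hmac


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).

    aa is the authenticator (AP BSSID) MAC, spa the supplicant (STA) MAC.
    """
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("AA and SPA are 6-byte MAC addresses")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class ControllerPmkCache:
    """PMK cache held centrally on the WLC: one PMK per STA, usable by every AP
    the controller manages. That central placement is what makes OKC work."""

    def __init__(self):
        self._pmk_by_sta = {}

    def store(self, spa: bytes, pmk: bytes) -> None:
        """Called when the STA completes 802.1X/EAP on any of this WLC's APs."""
        self._pmk_by_sta[spa] = pmk

    def lookup(self, bssid: bytes, spa: bytes, offered_pmkids):
        """Return the PMK if an offered PMKID matches the one this AP expects
        for this STA; the STA MAC is part of the derivation, so the match is
        bound to the station that presents it."""
        pmk = self._pmk_by_sta.get(spa)
        if pmk is None:
            return None
        expected = pmkid(pmk, bssid, spa)
        for candidate in offered_pmkids:
            if hmac.compare_digest(candidate, expected):
                return pmk
        return None


def roam_decision(cache: ControllerPmkCache, bssid: bytes, spa: bytes, offered_pmkids) -> str:
    """What the controller does when a STA (re)associates with a PMKID list."""
    if cache.lookup(bssid, spa, offered_pmkids) is not None:
        return "4-way handshake"      # PMK reused, full 802.1X skipped
    return "full 802.1X"


if __name__ == "__main__":
    # Constructed PMK and MACs: one STA, two APs under the same controller
    pmk = bytes(range(32))
    sta = bytes.fromhex("001122334455")
    ap1 = bytes.fromhex("aabbccddee01")
    ap2 = bytes.fromhex("aabbccddee02")
    cache = ControllerPmkCache()
    cache.store(sta, pmk)                         # after 802.1X on ap1
    # plain PMK caching: the STA only knows the PMKID it learned at ap1
    print("roam to ap2, cached PMKID:", roam_decision(cache, ap2, sta, [pmkid(pmk, ap1, sta)]))
    # OKC: the STA derives ap2's PMKID itself from the same PMK
    print("roam to ap2, OKC PMKID:   ", roam_decision(cache, ap2, sta, [pmkid(pmk, ap2, sta)]))
```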
How Long Does a Client Really Take to Roam?
Time to roam =
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
Mobility message exchange between WLCs +
Reauthentication +
Rekeying +
IP address (re)acquisition
Network latency will have an impact on these times, which is a consideration for controller placement. With a fast secure roaming technology, roam times under 150 msec are consistently achievable, though mileage may vary.
How Often Do Clients Roam?
It depends on the types of clients and applications.
Most client devices are designed to be "nomadic" rather than "mobile", though the proliferation of small form factor "smart" devices will probably change this.
Nomadic clients usually are programmed to try to avoid roaming, so set your expectations accordingly.
Design rule of thumb: 10-20 roams per second for every 5000 clients.
Designing a Mobility Group/Domain: Design Considerations
Less roaming is better; clients and apps are happier.
While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor.
L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider "worst case" scenarios in designing roaming domain size.
Leverage natural roaming domain boundaries.
Make sure the right ports and protocols are allowed between controllers: mobility control messages use UDP 16666 and the data tunnel is EtherIP, IP protocol 97; CAPWAP from the APs uses UDP 5246 (control) and 5247 (data).
TrustSec 2.0 and Identity Services Engine
The Identity Services Engine brings together the functions of ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server:
Centralized Policy
Distributed Enforcement
AAA Services
Posture Assessment
Guest Access Services
Device Profiling
Monitoring
Troubleshooting
Reporting
*Current NAC and ACS hardware platform is software upgradable to ISE
ISE Integrated Device Profiling
"iPad Template" and custom templates
Visibility for wired and wireless devices
Simplified "device category" policy
New device templates via subscription feeds
ISE Integrated Device Profiling: Same SSID, Different VLANs
Users on the same SSID can be associated to different wired VLAN interfaces after EAP authentication.
An employee using a corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network.
An employee using a personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only.
[Figure: both devices reach the WLC over CAPWAP on the same SSID; the WLC's 802.1Q trunk carries VLAN 30 (corporate resources) and VLAN 40 (Internet). 1. EAP authentication of the laptop; 2. ISE accepts with VLAN 30; 3. EAP authentication of the iPad; 4. ISE accepts with VLAN 40.]
Example: VLAN 30 (corporate access), VLAN 40 (Internet access)
ISE Setup: Authorization Profiles
Laptop: assign VLAN 30. iPad: assign VLAN 40.
Authorization Profiles can return a VLAN, an override ACL, a redirect and a CoA (Change of Authorization)...
WLC CoA Setup
Pre-Auth ACL: permit any client traffic to the ISE IP address, and nothing broader, since this ACL applies before the client is authorized.
WLAN: Dot1X, AAA Override and RADIUS NAC enabled.
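Added example, not ISE or WLC code: the three RFC 2868/RFC 3580 attributes ISE returns in the Access-Accept for the design above (Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID = "30" or "40"), built and decoded in Python, together with the controller-side decision that only honours them when AAA Override is enabled and the VLAN is actually mapped on the controller. The tag handling follows RFC 2868; the fallback to the WLAN's own interface for an unknown or inconsistent VLAN is an assumption made for the example.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                        # RFC 3580


def build_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: type, length (including these two bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def tagged_int(tag: int, n: int) -> bytes:
    """Tunnel integer attributes carry a one-byte tag followed by 3 value bytes."""
    return struct.pack("B", tag) + n.to_bytes(3, "big")


def vlan_accept_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes ISE returns in an Access-Accept to assign a VLAN."""
    return (build_attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + build_attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + build_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_attrs(blob: bytes):
    """Split an attribute blob into (type, value) pairs, refusing malformed lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value: bytes):
    """RFC 2868: the first octet is a tag when it is in 0x00..0x1f."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(blob: bytes, aaa_override: bool, configured_vlans, wlan_default_vlan: int) -> int:
    """VLAN the controller puts the client on after an Access-Accept.

    Without AAA Override the returned attributes are ignored. With it, the first
    complete, consistent tunnel triple naming a VLAN that is mapped on the
    controller wins; anything else leaves the client on the WLAN's own
    interface (assumption about the fallback, made for this example).
    """
    if not aaa_override:
        return wlan_default_vlan
    groups = {}
    for attr_type, value in parse_attrs(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    for tag in sorted(groups):
        fields = groups[tag]
        if len(fields) != 3:
            continue
        if int.from_bytes(fields[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(fields[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            vlan = int(fields[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue
        if vlan in configured_vlans:
            return vlan
    return wlan_default_vlan


if __name__ == "__main__":
    # Constructed: VLANs 30 and 40 exist on the controller, the WLAN's own interface is VLAN 10
    laptop_accept = vlan_accept_attrs(30)
    ipad_accept = vlan_accept_attrs(40)
    print("laptop ->", vlan_from_accept(laptop_accept, True, {30, 40}, 10))
    print("iPad   ->", vlan_from_accept(ipad_accept, True, {30, 40}, 10))
    print("override off ->", vlan_from_accept(ipad_accept, False, {30, 40}, 10))
```

Because the controller only acts on attributes from its configured RADIUS servers (authenticated by the shared secret), the VLAN decision is only as trustworthy as that server list; the check that the VLAN is mapped on the controller is what keeps a typo in an ISE profile from silently dropping a client onto the WLAN's default network.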
ISE Profiling Probes
RADIUS probe (information about authentication, authorization and accounting requests from Network Access
DHCP (helper or SPAN)
HTTP user agent (SPAN)
Customizable profiles
Deploying the Cisco Unified Wireless Architecture
Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design
Controller Redundancy: Dynamic
Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
Results in a dynamic "salt-and-pepper" design
Design works better when controllers are "clustered" in a centralized design
Pros: easy to deploy and configure (less upfront work); APs dynamically load-balance (though never perfectly)
Cons: more inter-controller roaming; bigger operational challenges due to unpredictability; longer failover times; no "fallback" option in the event of controller failure
Cisco's general recommendation: use dynamic redundancy only for Layer 2 roaming, and prefer deterministic redundancy over dynamic redundancy
Controller Redundancy: Deterministic
Administrator statically assigns APs a primary, secondary, and/or tertiary controller
Assigned from the controller interface (per AP) or WCS (template-based)
Pros: predictability (easier operational management); more network stability; more flexible and powerful redundancy design options; faster failover times; "fallback" option in the case of failover
Con: more upfront planning and configuration
This is Cisco's recommended best practice
Example with three controllers, each set of APs rotating through them:
AP set 1: Primary WLAN-Controller-A, Secondary WLAN-Controller-B, Tertiary WLAN-Controller-C
AP set 2: Primary WLAN-Controller-B, Secondary WLAN-Controller-C, Tertiary WLAN-Controller-A
AP set 3: Primary WLAN-Controller-C, Secondary WLAN-Controller-A, Tertiary WLAN-Controller-B
High Availability Using Cisco 5508
[Figure: primary and secondary WLC 5508, each attached to a core switch pair.]
APs are connected to the primary WLC 5508. In case of hardware failure of the primary WLC 5508, the APs fall back to the secondary WLC 5508. Traffic then flows through the secondary WLC 5508 and the primary core switch.
High Availability Using WiSM: Uplink Failure on Primary Switch
[Figure: primary WiSM in the active HSRP switch, with a standby HSRP switch alongside.]
In case of uplink failure of the primary switch, the standby switch becomes the active HSRP switch. The APs are still connected to the primary WiSM, and traffic flows through the new HSRP active switch.
High Availability Using WiSM-2
[Figure: primary and secondary WiSM in two core switches.]
APs are connected to the primary WiSM. In case of hardware failure of the primary WiSM, the APs fall back to the secondary WiSM. Traffic flows through the secondary WiSM and the primary core switch.
VSS and Cisco 5508
A Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch pair.
4 ports of the Cisco 5508 are connected to the active VSS switch; the second set of 4 ports is connected to the standby VSS switch.
In case of failure of the primary switch, traffic continues to flow through the secondary switch in the VSS pair.
VSS and WiSM-2
[Figure: Virtual Switch System (VSS) of Switch-1 (VSS active: data plane active, control plane active, FWSM active, WiSM-2 active) and Switch-2 (VSS standby: data plane active, control plane standby, FWSM standby, WiSM-2 standby), joined by the VSL, with a failover/state sync VLAN between the module pairs.]
Controller Redundancy: High Availability Principles
The AP is registered with a WLC and maintains a backup list of WLCs.
The AP uses heartbeats to validate WLC connectivity.
The AP uses Primary Discovery messages to validate the backup WLC list.
When the AP loses three heartbeats, it starts the join process to the first backup WLC candidate.
The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
The AP does not re-initiate the discovery process.
[Figure: AP with a primary WLC and a secondary WLC.]
Controller Redundancy: High Availability with 7.0
To accommodate both local and remote settings, configurable options are provided so that the administrator can fine-tune the settings based on requirements.

Timer                               New timers (7.0)   Old timers, 5508   Old timers, non-5508
Heartbeat                           1-30 seconds       10-30 seconds      1-30 seconds
Fast heartbeat timeout              1-10 seconds       3-10 seconds       1-10 seconds
AP retransmit interval              2-5 seconds        3 seconds          3 seconds
AP retransmit count, FH enabled     3-8 times          3 times            3 times
AP retransmit count, FH disabled    3-8 times          5 times            5 times
AP fallback to next WLC             12 seconds         35 seconds         35 seconds
AP Pre-Image Download in 7.0
Most CAPWAP APs can download and keep more than one image of 4-5 MB each.
AP pre-image download allows the AP to download code while it is operational.
Pre-image download operation:
1. Upgrade the image on the controller
2. Don't reboot the controller
3. Issue the AP pre-image download command
4. Wait until all AP images are downloaded
5. Reboot the controller
6. The AP rejoins the controller without a download, swapping to the predownloaded image. How much time do you save?
[Figure: access points joined to the Cisco WLAN Controller over CAPWAP Layer 3 perform the AP pre-image download, then join without a download.]
Configure AP Pre-Image Download
Upgrade the image on the controller and don't reboot. There are now two images on the controller:
(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0
Wireless > AP > Global Configuration: perform "Primary Image Predownload" on the APs. The APs start predownloading, and swap to the new image after the reboot of the controller.
AP-Groups: Default AP-Group
The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the default AP-Group.
The default AP-Group cannot be modified.
APs with no assignment to a specific AP-Group will use the default AP-Group.
The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group.
Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups.
Maximum AP groups: WLC 2106, 50; WLC 2504, 50; WLC 4400 and WiSM, 300; WLC 5508 and WiSM-2, 500; WLC 7500, 500.
[Figure, default AP-Group: under Network Name, only WLANs 1-16 are added to the default AP group.]
[Figure, multiple AP-Groups: AP Group 1, AP Group 2 and AP Group 3, each with its own WLAN-to-interface mapping.]
Interface-Groups (7.0)
Interface-groups allow a WLAN to be mapped to a single interface or multiple interfaces.
Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round-robin fashion.
Extends the current AP group and AAA override, with multiple interfaces using interface groups.

Controllers                     Interface-Groups/Interfaces
WiSM-2, 5508, 7500, 2500        64/64
WiSM, 4400                      32/32
2100 and 2504                   4/4
IPv6 over IPv4 Tunneling
Prior to the WLC 6.0 release, only IPv6 pass-through was supported, and no L2 security could be enabled on an IPv6 WLAN.
With the WLC 6.0 release, IPv6 pass-through with Layer 2 security is supported.
To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller.
IPv6 packets are tunneled over the CAPWAP IPv4 tunnel.
The same WLAN can support both IPv4 and IPv6 clients.
IPv6 pass-through and IPv4 web auth are also supported on the same WLAN.
IPv6 is not supported with guest mobility anchor tunneling.
Client IPv6 traffic tunneled over IPv4 and bridged to Ethernet:
Client to AP:               802.11 | IPv6
AP to WLC (CAPWAP tunnel):  Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
WLC to wired network:       Ethernet II | IPv6
IPv6 Configuration on WLC 6.X
Enable IPv6 on the WLAN and multicast on the WLC
Branch Office Deployment: HREAP/FlexConnect
Hybrid architecture
Single management and control point
Centralized traffic (split MAC) or local traffic (local MAC)
HA will preserve local traffic only
[Figure: central site with the controller, WAN, remote office APs; centralized traffic crosses the WAN to the central site while local traffic stays in the remote office.]
H-REAP Design Considerations
Some WAN limitations apply: RTT must be below 300 ms for data (100 ms for voice); minimum 500-byte WAN MTU (with a maximum of four fragmented packets)
Some features are not available in standalone mode or in local switching mode: ACLs in local switching; MAC/Web Auth in standalone mode; PMK caching (OKC)
See the full list in the "H-REAP Feature Matrix": http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Understanding H-REAP Groups
WLC supports up to 20 H-REAP groups
Each H-REAP group supports up to 25 H-REAP APs
H-REAP groups allow sharing of: CCKM fast roaming keys, local user authentication, local EAP authentication
[Figure: central site with the controller, WAN, two remote sites, each its own H-REAP group (H-REAP Group 1, H-REAP Group 2).]
FlexConnect Improvements in New 7.0.116
WAN Survivability: the FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails
Local Authentication: allows the authentication capability to exist directly at the AP in FlexConnect instead of the WLC
Improved Scale: max HREAP groups increased to 500 (7500s) and 100 (5500s); APs per group: 50 (7500s) and 25 (5500s)
Fast Roaming in Remote Branches: Opportunistic Key Caching (OKC) between APs in a branch
Branch Office WLAN Controller Options
Appliance controllers: Cisco 2504-12; Cisco 5508-12, 5508-25
Integrated controller: WLAN controller module (WLCM-2) for ISR G2
[Figure: headquarters with WCS, connected to a branch office and a small office over Internet VPN, MPLS, ATM or Frame Relay.]
Branch office: 100-500 users, 5-25 APs
Small office: 20-100 users, 1-5 APs
Branch Office WLAN Controller Options
Cisco Unified Wireless Network with controller-based branches
Multiple integrated WAN options on ISR
Consistent branch-HQ services, features, and performance
Standardized branch configuration extends the unified wired and wireless network
Branch configuration management from central WCS
[Figure: headquarters with WCS; branch office with Cisco 2504*; small office with WLCM-2*; WAN options Internet VPN, MPLS, ATM, Frame Relay.]
*AP count varies depending on channel utilization and data rates
Guest Access Deployment: WLAN Controller Deployments with EoIP Tunnel
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
The original guest's Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the anchor WLC
2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)
[Figure: guest client to AP, CAPWAP to the internal Wireless LAN Controller, EoIP "guest tunnel" to the DMZ or anchor wireless controller, then through the Cisco ASA firewall to the Internet.]
Summary: Key Takeaways
Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, ...)
Wide range of architecture/design choices
Brand new controller portfolio (WiSM-2, WLC 7500, WLC 2504) with investment protection
Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
Cisco's investment into technology: NCS, ISE, new hardware, cloud controller, Cius
Documentation
Wireless Services Module 2 (WiSM2) Deployment Guide: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
Flex7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
Wireless LAN (WLAN) Configuration Examples and TechNotes: http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
H-REAP Deployment Guide: http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
VLAN Select Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml
Thank you.