Deploying Enterprise WLANs with Cisco Controllers

Design and Deployment of
Enterprise WLANs
BRKEWN-2010
Sujit Ghosh, CCIE #7204
Manager, Technical Marketing
Wireless Networking Business Unit

BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Agenda

§  Controller-Based Architecture Overview
§  Mobility in the Cisco Unified WLAN Architecture
§  Architecture Building Blocks
§  Deploying the Cisco Unified Wireless Architecture


Agenda



Understanding WLAN Controllers
1st/2nd Generation vs. 3rd Generation Approach
1st/2nd Generation
§  1st/2nd generation: APs act
as 802.1Q translational Data VLAN

bridge, putting client traffic
on local VLANs Management VLAN

§  3rd generation: Controller
bridges client traffic centrally Voice VLAN

3rd Generation
Data VLAN

Management VLAN

LWAPP/CAPWAP
Tunnel Voice VLAN


Centralized Wireless LAN Architecture
What Is CAPWAP?

§  CAPWAP: Control and Provisioning of Wireless Access Points is
used between APs and WLAN controller and based on LWAPP
§  CAPWAP carries control and data traffic between the two
Control plane is DTLS encrypted
Data plane is DTLS encrypted (optional)

§  LWAPP-enabled access points can discover and join a
CAPWAP controller, and conversion to a CAPWAP controller is
seamless
Business
§  CAPWAP is not supported on Layer 2 mode deployment Application

Data Plane
Access
Point CAPWAP Controller

Wi-Fi Client

Control Plane


CAPWAP Modes
Split MAC

§  The CAPWAP protocol supports two modes of
operation
Split MAC (centralized mode)
Local MAC (H-REAP)

§  Split MAC
Wireless Frame

Wireless Phy CAPWAP
MAC Sublayer Data Plane 802.3 Frame

STA WTP AC


CAPWAP Modes
Local MAC

§  Local MAC mode of operation allows for the data
frames to be either locally bridged or tunneled as
802.3 frames
§  Locally bridged
Wireless Frame

Wireless Phy
MAC Sublayer 802.3 Frame

STA WTP AC


CAPWAP Modes
Local MAC

§  Local MAC mode of operation allows for the data
frames to be either locally bridged or tunneled as
802.3 frames
§  Tunneled as 802.3 frames
Wireless Frame 802.3 Frame

Wireless Phy CAPWAP
MAC Sublayer Data Plane 802.3 Frame

STA WTP AC

§  Tunneled local MAC is not supported by Cisco
§  H-REAP support locally bridged MAC and split
MAC per SSID

CAPWAP State Machine

AP Boots UP

Reset
Discovery

Image Data
DTLS
Setup
Run

Join Config


AP Controller Discovery
Controller Discovery Order
§  Layer 2 join procedure attempted on LWAPP APs
(CAPWAP does not support Layer 2 APs)
Broadcast message sent to discover controller on a
local subnet

§  Layer 3 join process on CAPWAP APs and on
LWAPP APs after Layer 2 fails
Previously learned or primed controllers
Subnet broadcast
DHCP option 43
DNS lookup


AP Controller Discovery: DHCP Option
DHCP Server

DHCP Offer

1

DHCP Request

2

DHCP Offer Contains
Layer 3 CAPWAP
Option 43 for Controller
Discovery Request Broadcast

3 Layer 3 CAPWAP
Discovery Responses


AP Controller Discovery: DNS Option
DNS Server DHCP Server

CISCO-CAPWAP-CONTROLLER.localdomain DHCP Request
192.168.1.2 2
1 DHCP Offer

192.168.1.2

3
DHCP Offer
Contains
DNS Server or Servers
4


WLAN Controller Selection Algorithm

§  CAPWAP Discovery Response contains important information
from the WLAN Controller
Controller name, controller type, controller AP capacity, current AP load,
“Master Controller” status, and AP Manager IP address or addresses

§  AP selects a controller to join using the following decision
criteria
1.  Attempt to join a WLAN Controller configured as a “Master” controller

2.  Attempt to join a WLAN Controller with matching name of previously
configured primary, secondary, or tertiary controller name

3.  Attempt to join the WLAN Controller with the greatest excess AP
capacity (dynamic load balancing)

§  Option #2 and option #3 allow for two approaches to controller
redundancy and AP load balancing: deterministic and dynamic


CAPWAP Control Messages
for Join Process

§  CAPWAP Join Request: AP sends this messages to selected
controller (sent to AP Manager Interface IP address)

CAPWAP Join Request

§  CAPWAP Join Response: If controller validates AP request, it
sends the CAPWAP Join Response indicating that the AP is
now registered with that controller

CAPWAP Join Response


Configuration Phase
Firmware and Configuration Download

§  Firmware is downloaded by the Cisco WLAN Controller
AP from the WLC
Firmware downloaded only if needed,

Configuration Download
AP reboots after the download

Firmware Download
Firmware digitally signed by Cisco

LWAPP-L3
§  Network configuration is
downloaded by the AP from
the WLC
Configuration is encrypted in the
CAPWAP tunnel
Configuration is applied
Access Points


4.2, 6.0, 7.0? Which Version Should I Use?

§  WLC 5508 supports 6.0, 7.0.98
and 7.0.116
§  WLC7500, WiSM-2 and WLC2504
only supported in 7.0.116
§  6.0.202 is the latest MD
§  7.0.116 will be tested for
AssureWave (Blue Ribbon)
§  Please note the current revision
of 7.0- 7.0.116.0 which is the
recommended one for you today


Agenda



Mobility Defined

§  Mobility is a key reason for wireless networks
§  Mobility means the end-user device is capable of
moving location in the networked environment
§  Roaming occurs when a wireless client moves
association from one AP and re-associates to
another, typically because it’s mobile!
§  Mobility presents new challenges:
Need to scale the architecture to support client roaming—
roaming can occur intra-controller and inter-controller
Need to support client roaming that is seamless (fast) and
preserves security


Scaling the Architecture
with Mobility Groups

§  Mobility Group allows controllers to peer with each other to
support seamless roaming across controller boundaries
§  APs learn the IPs of the other members of the mobility group
after the LWAPP Join process Controller-B
MAC: AA:AA:AA:AA:AA:02

Mobility Group Name: MyMobilityGroup

§  Support for up to Mobility Group Neighbors:
Controller-A, AA:AA:AA:AA:AA:01

24 controllers,
Controller-C, AA:AA:AA:AA:AA:03
Controller-A

3600 APs per Mobility Group Name: MyMobilityGroup

Mobility Group Neighbors:

mobility group

Ethernet in IP Tunnel
Controller-B, AA:AA:AA:AA:AA:02
Controller-C, AA:AA:AA:AA:AA:03

§  Mobility messages
exchanged
between Controller-C

controllers Mobility Group Name: MyMobilityGroup

Mobility Group Neighbors:
Controller-A, AA:AA:AA:AA:AA:01
Controller-B, AA:AA:AA:AA:AA:02

§  Data tunneled between
controllers in EtherIP (RFC 3378)
Mobility Messages


Increased Mobility Scalability

§  Roaming is supported across three mobility groups
(3 * 24 = 72 controllers)
§  With Inter Release Controller Mobility (IRCM) roaming is
supported between 4.2.207 and 6.0.188 and 7.0

Mobility Sub-Domain 1

Ethernet in IP Tunnel Mobility Sub-Domain 3

Mobility Sub-Domain 2

Mobility Messages


How Long Does an STA Roam Take?

§  Time it takes for:
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
802.1X/EAP Authentication +
Rekeying +
IP address (re) acquisition

§  All this can be on the order of seconds… Can we
make this faster?


Roaming Requirements

§  Roaming must be fast … Latency can be introduced
by:
Client channel scanning and AP selection algorithms
Re-authentication of client device and re-keying
Refreshing of IP address

§  Roaming must maintain security
Open auth, static WEP—session continues on new AP
WPA/WPAv2 Personal—New session key for encryption
derived via standard handshakes
802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re-
authenticated and new session key derived for encryption


How Are We Going to Make Roaming
Faster?
Focus on Where We Can Have the Biggest Impact

§  Eliminating the (re)IP address acquisition challenge
§  Eliminating full 802.1X/EAP reauthentication


Intra-Controller Roaming:
Layer 2
VLAN X
WLC-1 Client Client Data WLC-2 Client
Database (MAC, IP, Database
QoS,
§  Intra-Controller roam
Security) happens when an AP
WLC-1
Mobility Message
WLC- moves association
2 between APs joined to
Exchange
the same controller

Preroaming §  Client must be re-
Data Path authenticated and new
security session
established


Layer 2 (Cont.)
VLAN X
WLC-1 Client Client Data WLC-2 Client
Database (MAC, IP, Database
QoS, Security)

WLC-1 WLC-2
Mobility Message Exchange

Roaming
Data Path
§  Client database entry
with new AP and
appropriate security
context
§  No IP address refresh
Client Roams to
needed
a Different AP


Layer 3

VLAN X VLAN Z
WLC-1 Client Client Data Client Data WLC-2 Client
Database (MAC, IP, QoS, (MAC, IP, Database
Security) QoS, Security)

WLC-1 WLC-2

Preroaming
Data Path


Client Roaming Between Subnets:
Layer 3 (Cont.)

VLAN X VLAN Z
WLC-1 Client Client Data Client Data WLC-2 Client
Database (MAC, IP, QoS, (MAC, IP, Database
Security) QoS, Security)
WLC-1 WLC-2

Anchor Foreign
Controller Data Tunnel
Controller

Preroaming
Data Path

Client Roams to
a Different AP


Static IP Mobility with 7.0.116
VLAN X VLAN Z
WLC-1 Client WLC-2 Client
Mobility Database Database Mobility
Client Data Client Data
Group-1 (MAC, IP, QoS, (MAC, IP, QoS, Group-2
Security) Security)
WLC-1 Mobility Message Exchange WLC-2

Anchor Encrypted Data Tunnel Foreign
Controller Controller

Pre Roaming
Data Path

Client with Static IP
Client with Static IP on on VLAN X
VLAN X Dis-Associates Associates on
from This AP This AP


Static IP Mobility with 7.0.116
GUI Configuration


Roaming: Inter-Controller
Layer 3
§  L3 inter-controller roam: STA moves association between APs joined
to the different controllers but client traffic bridged onto different
subnets
§  Client must be re-authenticated and new security session established
§  Client database entry copied to new controller – entry exists in both
WLC client DBs
§  Original controller tagged as the “anchor”, new controller tagged as
the “foreign”
§  WLCs must be in same mobility group or domain
§  No IP address refresh needed
§  Symmetric traffic path established -- asymmetric option has been
eliminated as of 6.0 release
§  Account for mobility message exchange in network design


How Are We Going to Make Roaming
Faster?
Focus on Where We Can Have the Biggest Impact

ü Eliminating the (re)IP address acquisition challenge
§  Eliminating full 802.1X/EAP reauthentication


Fast Secure Roaming
Standard Wi-Fi Secure Roaming
§  802.1X authentication in wireless today
requires three “end-to-end” transactions
with an overall transaction time of > 500 ms

§  802.1X authentication in wireless today
WAN requires a roaming client to reauthenticate,
incurring an additional 500+ ms to the roam
Cisco AAA
Server
(ACS or
ISE)

1. 802.1X Initial
Authentication
AP2 Transaction AP1
2. 802.1X
Reauthenti-
cation After
Roaming

Note: Mechanism Is Needed to Centralize Key Distribution

Cisco Centralized Key Management
(CCKM)
§  Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available,
especially with application specific devices (ASDs)
§  CCKM originally a core feature of the “Structured Wireless Aware
Network” (SWAN) architecture
§  CCKM ported to CUWN architecture in 3.2 release
§  In highly controlled test environments, CCKM roam times
consistently measure in the 5-8 msec range!
§  CCKM is most widely implemented in ASDs, especially VoWLAN
devices
§  To work across WLCs, WLCs must be in the same mobility group
§  CCX-based laptops may not fully support CCKM – depends on
supplicant capabilities
§  CCKM is standardized in 802.11R, but no clients available yet


Fast Secure Roaming
WPA2/802.11i Pairwise Master Key (PMK) Caching

§  WPA2 and 802.11i specify a mechanism to prevent excessive key
management and 802.1X requests from roaming clients
§  From the 802.11i specification:
Whenever an AP and a STA have successfully passed dot1x-based
authentication, both of them may cache the PMK record to be used
later
When a STA is (re-)associates to an AP, it may attach a list of
PMK IDs (which were derived via dot1x process with this AP before)
in the (re)association request frame
When PMK ID exists, AP can use them to retrieve PMK record from its
own PMK cache, if PMK is found, and matches the STA MAC address;
AP can bypass dot1x authentication process, and directly starts WPA2
four-way key handshake session with the STA
PMK cache records will be kept for one hour for non-associated STAs


OKC/PKC
Key Data Points
§  Requires client/supplicant support
§  Supported in Windows since XP SP2
§  Many ASDs support OKC and/or PKC
§  Check on client support for TKIP vs. CCMP – mostly
CCMP only
§  Enabled by default on WLCs with WPAv2
§  Requires WLCs to be in the same mobility group
§  Important design note: pre-positioning of roaming clients
consumes spots in client DB
§  In highly controlled test environments, OKC/PKC roam
times consistently measure in the 10-20 msec range!


How Long Does a Client Really
Take to Roam?
§  Time to roam =
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
Mobility message exchange between WLCs +
Reauthentication +
Rekeying +
IP address (re) acquisition
§  Network latency will have an impact on these times –
consideration for controller placement
§  With a fast secure roaming technology, roam times
under 150 msecs are consistently achievable, though
mileage may vary


How Often Do Clients Roam?

§  It depends… types of clients and applications
§  Most client devices are designed to be “nomadic”
rather than “mobile”, though proliferation of small
form factor, “smart” devices will probably change
this…
§  Nomadic clients usually are programmed to try to
avoid roaming… so set your expectations
accordingly
§  Design rule of thumb: 10-20 roams per second for
every 5000 clients


Designing a Mobility Group/Domain
Design Considerations
§  Less roaming is better – clients and apps are happier
§  While clients are authenticating/roaming, WLC CPU is
doing the processing – not as much of a big deal for
5508 which has dedicated management/control
processor
§  L3 roaming & fast roaming clients consume client DB
slots on multiple controllers – consider “worst case”
scenarios in designing roaming domain size
§  Leverage natural roaming domain boundaries
§  Mobility Message transport selection: multicast vs.
unicast
§  Make sure the right ports and protocols are allowed


Agenda



CUWN 7.0.116 Release
Key Controller Features
Device Support Local-Mode Features Flexconnect Features
WLC-WiSM2 wIPS ELM Scale and Groups
WLC-7500 11n Indoor Mesh Local Auth
WLC-2500 2.4 GHz Backhaul Fault Tolerance
WLCM-2 VLAN Select Opportunistic Key Caching
AP600 / AP1550 FIPS

Others
Client Limit on WLAN Encrypting Neighbor Packets
Increased RF Group Scalability Rogue Containment Enhancement
RF Group Leader Flexibility PSB Password Enhancements
Webauth on Mac Filter Failure Static IP Mobility
Web Authentication Proxy CCX S60 Location Improvements
DHCP Option 60 Voice Diagnostics


AP600 / AP1550 FIPS

Others


WiSM2
For Cisco Catalyst 6500 Series

§  Enhanced operational savings
Higher scale
Reduced downtime during upgrades
Single controller
Specifications At-a-Glance
§  Higher performance
Access Points 100–500
Throughput
Clients 10,000
Concurrent rich-media
application flows I/O 10G

§  Maximize Cisco Catalyst 6000 Chassis-Level Scale
3500 APs and
70,000 Clients
Series investment
Supervisor and service Concurrent AP Joins 500
module refresh Number of Phy
1
Controllers

Power 225W


Enterprise-Grade WLC5508 for the Campus

Cisco 5500 Series Wireless Controller
Key Attributes
Ø Best in class performance
Industry-leading encrypted
throughput
Ø Enhanced Operational Savings
Upgrades 500 AP within mins
Access Points 12-500 Fails over 500 APs within seconds
Clients 7,000 Ø Enhanced rich media
Form-Factor 1 RU performance
IO Interface 8x 1GE Ports, LAG Multiple concurrent low-latency
media flows
Upgrade Licenses 25, 50,100, 250


Controller Comparison

5500 WiSM-2
Number of Access Points 12, 25, 50, 100, 250, 500 500

Throughput Up to 8 Gbps Up to 10 Gbps

Clients Up to 7000 Up to 10,000

Concurrent AP Upgrades/Joins Up to 500 Up to 500
Up to 8 Cisco Catalyst 6000 Series
Network I/O
1 Gbps SFPs Backplane
Mobility Domain Size Up to 36,000 APs Up to 36,000 APs
Number of Controllers per
1 1
Physical Device
Power Consumption 125W 225W

AP Count Upgrade via Licensing Yes Yes
Encrypted Data Link
Yes Yes
Between AP and Controller
OfficeExtend Solution Yes Yes


Cost Effective Entry Level Controllers

2500 Wireless Controller
New

Key Attributes
Ø  Ability to scale the network as
you grow with licensing
Access Points 5-50
Ø  Part of a PCI certified
Clients 500
architecture
Throughput 500 Mbps
Ø Ability to support various
Deployment Model Local and deployment modes
FlexConnect
Form Factor Desktop
IO Interface 4x 1GE
Upgrade Licenses 5, 25


Wireless Controller on ISR G2/SRE

New

Access Points ISM: 5-10
SM: 5-50 Key Attributes
Clients 500 • Single Box for branch services
Throughput 500 Mbps • Consistency of functionality and
Deployment Model Local and FlexConnect management with controllers
Form Factor SRE (ISM/SM)
Upgrade Licenses 5, 25
Device Supported 1941, 2900 and 3900
On Series ISR G2


CleanAir Access Point

Detect and Classify

Locate

Mitigate

A System-Wide Feature that Uses Silicon-Level Intelligence to
Cisco
Automatically Mitigate the Impact of Wireless Interference, Optimize
CleanAir Network Performance, and Reduce Troubleshooting Costs

What Is CleanAir?

Detect and Classify
97

100 §  Uniquely identify and
63 track multiple
90 interferers
20
§  Assess unique impact
35
to Wi-Fi performance
§  Monitor air quality

High-Resolution Interference Detection and Classification Logic
Cisco
Built in to Cisco’s 802.11n Wi-Fi Chip Design; Inline Operation
CleanAir with no CPU or Performance Impact

What Is CleanAir?

Locate Mitigate
WCS, MSE Wireless LAN Controller

POOR GOOD
§  Classification processed
on access point
§  Interference impact and Maintain Air Quality
data sent to WLC for
real-time action
§  WCS and MSE store Visualize and Troubleshoot CH 1 CH 11
data for location, history,
and troubleshooting

Cisco Cisco CleanAir Technology Integrates Interference Information
CleanAir from the AP into the Entire System

Access Points Portfolio

Teleworker 11n 11n + CleanAir
Limited Lifetime Hardware Warranty
1260 3500e
Ruggedized

New 1040 1140 3500i
600
Carpeted


New

2x3 MIMO 11n Speed
Provide Higher Coverage and Throughput

CleanAir and ClientLink Technology
Avoids Interference, Delivers Stronger Signals to Clients

Flexible Deployment
Access or Mesh Network, Fiber, UTP or Wireless Backhaul


Cisco Aironet 1550 Series Outdoor AP

§  2 Radios 2.4/5 GHz
§  2 Tx, 3 Rx
§  MIMO, 2 SS
§  3x Dual-Band Ant.

1552E 1552H 1552C 1552I
2.4 GHz 802.11 b/g/n 802.11b/g/n 802.11b/g/n 802.11b/g/n

5 GHz 802.11 a/n 802.11a/n 802. 11a/n 802.11a/n

Type Standard Hazardous Loc. Cable Modem Standard

Antenna External External Integrated Integrated

MIMO Multiple-In, Multiple-Out
SS BRKEWN-2010
Spatial Streams © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

AP600/AP1550 FIPS

Others


Adaptive wIPS
Components and Functions

AP Attack
Detection
24x7
Scanning
Over-the-Air Detection

WLC Configuration
wIPS AP Management

MSE Alarm
Archival
Capture
Storage
Complex Attack Analysis,
Forensics, Events

WCS Centralized
Monitoring
Historic
Reporting
Monitoring,
Reporting


Cisco Adaptive Wireless IPS with “Enhanced Local Mode
(ELM)”
•  Adaptive wIPS scanning in data serving access points

•  Provides protection without needing a separate overlay network.

•  Available as a free SW download for existing wIPS Monitor Mode customers.

•  ELM supported APs: 1040, 1140, 1250, 1260 & 3500

Without ELM With ELM
Data Serving Monitor Mode Single Data and WIPS AP


Deployment Recommendation
Option A Option B

Enhanced
Local Mode Local Mode

WIPS Monitor
Mode/
CleanAir
MMAP +
WIPS MM

WIPS Monitor Mode or CleanAir MM Turn on ELM on All APs
+ WIPS MM on CleanAir AP: (Including CleanAir)
Recommendation – Ratio of
1:5 MMAP to Local Mode APs


TrustSec 2.0 and Identity Services Engine
•  Centralized Policy
ACS •  Distributed Enforcement
•  AAA Services
NAC
Profiler •  Posture Assessment

NAC
•  Guest Access Services
Guest
•  Device Profiling
Identity
NAC Services •  Monitoring
Manager Engine
•  Troubleshooting
NAC
Server •  Reporting

*Current NAC and ACS Hardware
Platform Is Software Upgradable to ISE

ISE Integrated Device Profiling

“iPad Template”

Custom Template

Visibility for Wired and Simplified “Device New Device
Wireless Devices Category” Policy Templates via
Subscription Feeds


§  Users, using the same SSID, can be associated to different
wired VLAN interfaces after EAP authentication
§  Employee using corporate laptop with their AD user id can be
assigned to VLAN 30 to have full access to the network
§  Employee using personal iPad/iPhone with their AD user id can
be assigned to VLAN 40 to have internet access only

ISE
ISE
1 EAP Authentication

4 Accept with VLAN 40
2 Accept with VLAN 30 Corporate
Employee Resources

VLAN 30
CAPWAP
Same-SSID

802.1Q TrunkVLAN 40
3 EAP Authentication Internet
Employee



§  Example:
VLAN 30 (Corporate access )
VLAN 40 (Internet access)

Corporate

Internet


•  ISE Setup – Authorization Profiles redirect VLAN, Override ACL,
CoA…

Laptop Assign VLAN 30

iPad Assign VLAN 40


§ WLC CoA Setup – Pre-Auth ACL, allows ALL client traffic
to ISE
§ WLAN – Dot1X, AAA Override and Radius NAC enabled.
Permit ANY to ISE
(IP Addr)


§  RADIUS probe (information
about authentication,
authorization and
accounting requests from
Network Access
§  DHCP (helper or span)
§  HTTP user agent (span)

Customizable Profiles


Agenda



Deploying the Cisco Unified
Wireless Architecture

§  Controller Redundancy and AP Load Balancing
§  Understanding AP Groups
§  IPv6 Deployment with Controllers
§  Branch Office Designs
§  Guest Access Deployment
§  Home Office Design


Controller Redundancy
Dynamic

§  Rely on CAPWAP to load-balance APs
across controllers and populate APs with
backup controllers
§  Results in dynamic “salt-and-pepper”
design
§  Design works better when controllers are
“clustered” in a centralized design
§  Pros
Easy to deploy and configure—less upfront work
APs dynamically load-balance (though never
perfectly)
§  Cons
More intercontroller roaming
Bigger operational challenges due to unpredictability
Longer failover times
No “fallback” option in the event of controller failure
§  Cisco’s general recommendation is:
Only for Layer 2 roaming
§  Use deterministic redundancy instead of
dynamic redundancy

Deterministic

WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C §  Administrator statically assigns
APs a primary, secondary, and/
or tertiary controller
Assigned from controller interface
(per AP) or WCS (template-based)
§  Pros
Predictability—easier operational
management
More network stability
Primary: WLAN-Controller-A Primary: WLAN-Controller-B Primary: WLAN-Controller-C More flexible and powerful
Secondary: WLAN-Controller-B Secondary: WLAN-Controller-C Secondary: WLAN-Controller-A
Tertiary: WLAN-Controller-C Tertiary: WLAN-Controller-A Tertiary: WLAN-Controller-B redundancy design options
Faster failover times
“Fallback” option in the case of
failover
§  Con
More upfront planning and
configuration
§  This is Cisco’s recommended
best practice

Architecture Resiliency
Resiliency N:1 Redundancy
WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C

WLAN-Controller-1 APs Configured With:
Primary: WLAN-Controller-1
Secondary: WLAN-Controller-BKP
NOC or Data Center
WLAN-Controller-BKP

WLAN-Controller-2 APs Configured With:
Primary: WLAN-Controller-2

WLAN-Controller-n APs Configured With:
Primary: WLAN-Controller-n

Primary: WLAN-Controller-A Primary: WLAN-Controller-B Primary: WLAN-Controller-C
Secondary: WLAN-Controller-B Secondary: WLAN-Controller-C Secondary: WLAN-Controller-A
Tertiary: WLAN-Controller-C Tertiary: WLAN-Controller-A Tertiary: WLAN-Controller-B

N:N Redundancy N:N:1 Redundancy
APs Configured With:
WLAN-Controller-A APs Configured With: WLAN-Controller-A Primary: WLAN-Controller-A
Primary: WLAN-Controller-A
Secondary: WLAN-Controller-B
Secondary: WLAN-Controller-B
NOC or Data Center Tertiary: WLAN-Controller-BKP
WLAN-Controller-BKP

WLAN-Controller-B WLAN-Controller-B APs Configured With:
APs Configured With: Primary: WLAN-Controller-B
Primary: WLAN-Controller-B
Secondary: WLAN-Controller-A
Secondary: WLAN-Controller-A
Tertiary: WLAN-Controller-BKP


High Availability Using Cisco 5508
§  APs are connected
to primary WLC
5508
Si Si §  In case of
hardware failure of
WLC 5508
§  AP’s fall back to
Si Si secondary WLC
Primary Secondary 5508
WLC5508
WLC5508
§  Traffic flows
through the
secondary WLC
5508 and primary
core switch


High Availability Using WiSM:
Uplink Failure on Primary Switch
§  In case of uplink
S N
failure of the
primary switch
Si Si
§  Standby switch
Active Standby becomes the
HSRP Switch HSRP Switch active HSRP

New Active switch
Primary
WiSM
HSRP Switch
§  APs are still
connected to
primary WiSM
§  Traffic flows thru
the new HSRP
active switch


High Availability Using WiSM-2
§  APs are
connected to
primary WiSM
Si Si
§  In case of
hardware failure
of primary WiSM
Primary Secondary
WiSM WiSM §  AP’s fall back to
secondary WiSM
§  Traffic flows thru
the secondary
WiSM and
primary core
switch


VSS and Cisco 5508

§  Cisco 5508 WLC can be attached
to a Cisco Catalyst VSS switch
§  4 ports of Cisco 5508 are
connected to active VSS switch
§  2nd set of 4 ports of Cisco 5508 is
connected to standby VSS switch Catalyst
VSS Pair
§  In case of failure of primary switch
traffic continues to flow through
secondary switch in the VSS pair
Cisco 5508


VSS and WiSM-2

Virtual Switch System (VSS)

Switch-1 Switch-2
(VSS Active) (VSS Standby)

Control Plane Active VSL Control Plane Standby

Data Plane Active Data Plane Active
Failover/State Sync VLAN

FWSM Active FWSM Standby

WiSM-2 Active WiSM-2 Standby


High Availability
High Availability Principles Primary WLC
§  AP is registered with a WLC and
maintain a backup list of WLC
§  AP use heartbeats to validate
WLC connectivity
§  AP use Primary Discovery
message to validate backup
WLC list
§  When AP lose three heartbeats it Secondary WLC
start join process to first backup
WLC candidate
§  Candidate Backup WLC is the
first alive WLC in this order:
primary, secondary, tertiary,
global primary, global secondary
§  AP do not re-initiate discovery
process

High Availability with 7.0.116

To Accommodate Both Local and Remote Settings, There Are Configurable Options
Provided, so that Administrator Can Fine Tune the Settings Based on the Requirements
New Timers Old Timers-5508 Old Timers-Non-5508
Heartbeat: 1-30 Seconds 10-30 Seconds 1-30 Seconds
Fast Heartbeat Timeout: 1-10 Seconds 3-10 Seconds 1-10 Seconds
AP Retransmit Interval: 2-5 Seconds 3 Seconds 3 Seconds
AP Retrans with FH Enabled: 3-8 Times 3 Times 3 Times
AP Retrans with FH Disabled: 3-8 Times 5 Times 5 Times
AP Fallback to next WLC 12 Seconds 35 Seconds 35 Seconds

AP Pre-Image Download in 7.0

§  Since most CAPWAP APs can Cisco WLAN Controller
download and keep more than one
image of 4–5 MB each

AP Joins Without Download

AP Pre-image Download
§  AP pre-image download allows
AP to download code while it is

CAPWAP-L3
operational
§  Pre-Image download operation
1.  Upgrade the image on the controller
2.  Don’t reboot the controller
3.  Issue AP pre-image download command
4.  Once all AP images are downloaded
5.  Reboot the controller
Access Points
6.  AP now rejoins the controller
without reboot How Much Time You Save?


Configure AP Pre-Image Download

§  Upgrade the image on the controller and don’t reboot

§  Currently we have two images on the controller
(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0


Configure AP Pre-Image Download
Wireless > AP > Global Configuration

Perform Primary Image
Predownloaded on the AP

AP Now Starts
Predownloading

AP Now Swaps Image
After Reboot of the
Controller


AP-Groups
Default AP-Group

§  The first 16 WLANs created (WLAN IDs 1–16) on the WLC
are included in the default AP-Group
§  Default AP-Group cannot be modified
§  APs with no assignment to an specific AP-Group will use the
Default AP-Group
§  The 17th and higher WLAN (WLAN IDs 17 and up) can be
assigned to any AP-Groups
§  Any given WLAN can be mapped to different dynamic
interfaces in different AP-Groups
§  WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50)
WLC 4400 and WiSM (AP groups: 300),
WLC 5508 & WiSM-2 (AP groups: 500),
WLC 7500 (AP Groups : 500)


AP-Grouping in Campus
VLAN 100 VLAN 100 VLAN 100

Access

Si Si Si Si Si Si

Distribution

CAPWAP

Core
Si Si

Si Si
VLAN 100 / 21
Si Si Distribution
Si Si

Access
Single WAN Data Center Internet
SSID = WLC-1 WLC-2
Employee

AP-Grouping in Campus
AP-Group-1 AP-Group-2 AP-Group-3
VLAN 60 /23 VLAN 70 /23 VLAN 80 /23

Access

Si Si Si Si Si Si

Distribution

CAPWAP

Core
Si Si

Si Si
VLAN 100 VLAN 60 Si Si Distribution
Si Si
/21 VLAN 70
VLAN 80

Access
SSID = WLC-1 WLC-2
Employee

Default AP-Group

Network Name

Default AP Group

Only WLANs 1–16
Will Be Added in
Default AP Group


Multiple AP-Groups

AP Group 1

AP Group 2

AP Group 3


Interface-Groups
7.0.116

§  Interface-groups allows for a WLAN to be mapped to a single interface or
multiple interfaces
§  Clients associating to this WLAN get an IP address from a pool of subnets
identified by the interfaces in round
robin fashion
§  Extends current AP group and AAA override, with multiple interfaces using
interface groups
§  Controllers Interface-Groups/Interfaces
WiSM-2, 5508, 7500, 2500 64/64
WiSM, 4400 32/32
2100 and 2504 4/4


Interface-Grouping in Campus 7.0.116
Int-Group-1 Int-Group-2 Int-Group-3

VLAN 60 /23 VLAN 70 /23 VLAN 80 /23
VLAN 61 / 23 VLAN 71 /23 VLAN 81 /23
Access

Si Si Si Si Si Si

Distribution

LWAPP/CAPWAP

Core
Si Si

Si Si
VLAN 100 VLAN 60 Si Si Distribution
Si Si
/21 VLAN 61
VLAN 70
VLAN 71
VLAN 80
VLAN 81
Access
SSID = WLC-1 WLC-2
Employee

Multiple Interface-Groups 7.0.116

Interface
Group 1

Interface
Group 2

Interface
Group 3

IPv6 over IPv4 Tunneling

§  Prior to WLC 6.0 release, IPv6 pass-thru is only supported but no L2 security
can be enabled on IPv6 WLAN

§  With WLC 6.0 release, IPv6 pass-thru with Layer 2 security supported

§  To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the
controller

§  IPv6 packets are tunneled over CAPWAP IPv4 tunnel

§  Same WLAN can support both IPv4 and IPv6 clients

§  IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN

§  IPv6 is not supported with guest mobility anchor tunneling
Client IPv6 Traffic Ethernet II | IPv6
Tunneled over IPv4 and
Bridged to Ethernet

CAPWAP Tunnel

802.11| IPv6 Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6


IPv6 Configuration on WLC 6.X

§  Enable IPv6 on the WLAN and multicast on the WLC


IPv6 Client Details

§  IPv6 client details on the WLC

§  IPv6 client details from dual-stack (Vista) client



Understanding HREAP (Hybrid) REAP AP Deployment
Understanding Branch Controller Deployment



Branch Office Deployment
HREAP
Central Site
Centralized
§  Hybrid architecture Traffic
Centralized
Traffic
§  Single management
and control point
Centralized traffic
(split MAC)
Or
WAN
Local traffic (local MAC)

§  HA will preserve local Local
traffic only Traffic

Remote
Office


H-REAP Design Considerations

§  Some WAN limitations apply
RTT must be below 300 ms data (100 ms voice)
Minimum 500 bytes WAN MTU (with maximum four
fragmented packets)

§  Some features are not available in standalone
mode or in local switching mode
ACL in local switching, MAC/Web Auth in standalone mode,
PMK caching (OKC)
See full list in « H-REAP Feature Matrix »
http://www.cisco.com/en/US/products/ps6366/
products_tech_note09186a0080b3690b.shtml


Configure H-REAP Mode
Step 1: Configure Access Point Mode

§  Enable H-REAP mode per AP
§  Supported AP: AP-1130, AP-1240, AP-1040,
AP-1140, AP-1260, AP-1250, AP-3500


Configure H-REAP Local Switching
Step 2: Enable Local Switching per WLAN

§  Only WLAN with “Local Switching” enabled will
allow local switching at the H-REAP AP


Configure H-REAP VLAN Mapping
Step 3: H-REAP Specific Configuration

§  H-REAP AP can be connected on an access port
(using native VLAN) or connected to a 802.1Q
trunk port
§  VLAN mapping is a per AP configuration on WLC
and by AP group using templates on a WCS


Configure H-REAP VLAN Mapping
Step 4: Per AP SSID to VLAN Mapping

§  Mapping of SSID to 802.1Q VLAN is done per
H-REAP AP

§  Use WCS for configuration with templates


Economies of Scale for Lean Branches
Flex 7500 Wireless Controller
New

Key Differentiation
Ø  WAN Tolerance
•  High Latency Networks
Access Points 300-2,000 •  WAN Survivability
Clients 20,000 Ø  Security
Branches 500 802.1x based port authentication
Access Points / Branch 50 Ø  Voice support
Deployment Model FlexConnect •  Voice CAC
Form Factor 1 RU •  OKC/CCKM
IO Interface 2x 10GE
Upgrade Licenses 100, 200, 500, 1K


Understanding H-REAP Groups

§  WLC supports up to 20 H-REAP groups
Central Site

§  Each H-REAP group supports
up to 25 H-REAP APs
§  H-REAP groups allow sharing of:
CCKM fast roaming keys
Local user authentication Remote Site WAN Remote Site
Local EAP authentication H-REAP
Group 2

H-REAP
Group 1


Deploying Enterprise WLANs with Cisco Controllers

Deploying Enterprise WLANs with Cisco Controllers

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Deploying Enterprise WLANs with Cisco Controllers

Semelhante a Deploying Enterprise WLANs with Cisco Controllers (20)

Mais de Cisco Mobility

Mais de Cisco Mobility (20)

Último

Último (20)

Deploying Enterprise WLANs with Cisco Controllers