Design and Deployment of Enterprise WLANs

August 30, 2017 | Author: Cisco Wireless | Category: Wireless Lan, I Pv6, Radius, Wireless Access Point, Ieee 802.11
Share Embed Donate


Short Description

Learn everything you need to know about designing and deploying Cisco wireless networks for enterprise in this in-depth ...

Description

Design and Deployment of Enterprise WLANs BRKEWN-2010 Sujit Ghosh, CCIE #7204 Manager, Technical Marketing Wireless Networking Business Unit

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

1

Agenda §  Controller-Based Architecture Overview §  Mobility in the Cisco Unified WLAN Architecture §  Architecture Building Blocks §  Deploying the Cisco Unified Wireless Architecture

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

2

Agenda §  Controller-Based Architecture Overview §  Mobility in the Cisco Unified WLAN Architecture §  Architecture Building Blocks §  Deploying the Cisco Unified Wireless Architecture

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

3

Understanding WLAN Controllers

1st/2nd Generation vs. 3rd Generation Approach 1st/2nd Generation

§  1st/2nd generation: APs act as 802.1Q translational bridge, putting client traffic on local VLANs

Data VLAN

Management VLAN

§  3rd generation: Controller bridges client traffic centrally

Voice VLAN

3rd Generation

Data VLAN

Management VLAN

LWAPP/CAPWAP Tunnel

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Voice VLAN

Cisco Public

4

Centralized Wireless LAN Architecture What Is CAPWAP?

§  CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller and based on LWAPP §  CAPWAP carries control and data traffic between the two Control plane is DTLS encrypted Data plane is DTLS encrypted (optional)

§  LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless §  CAPWAP is not supported on Layer 2 mode deployment Access Point

Business Application

Data Plane

CAPWAP

Controller

Wi-Fi Client

Control Plane BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

5

CAPWAP Modes Split MAC

§  The CAPWAP protocol supports two modes of operation Split MAC (centralized mode) Local MAC (H-REAP)

§  Split MAC Wireless Frame Wireless Phy MAC Sublayer

STA

BRKEWN-2010

CAPWAP Data Plane

WTP

© 2011 Cisco and/or its affiliates. All rights reserved.

802.3 Frame

AC

Cisco Public

6

CAPWAP Modes Local MAC

§  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames §  Locally bridged Wireless Frame Wireless Phy MAC Sublayer

STA

BRKEWN-2010

802.3 Frame

WTP

© 2011 Cisco and/or its affiliates. All rights reserved.

AC

Cisco Public

7

CAPWAP Modes Local MAC

§  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames §  Tunneled as 802.3 frames

STA

Wireless Frame

802.3 Frame

Wireless Phy MAC Sublayer

CAPWAP Data Plane

WTP

802.3 Frame

AC

§  Tunneled local MAC is not supported by Cisco §  H-REAP support locally bridged MAC and split MAC per SSID BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

8

CAPWAP State Machine AP Boots UP Reset

Discovery Image Data

DTLS Setup

Join

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Run

Config

Cisco Public

9

AP Controller Discovery Controller Discovery Order §  Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs) Broadcast message sent to discover controller on a local subnet

§  Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails Previously learned or primed controllers Subnet broadcast DHCP option 43 DNS lookup

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

10

AP Controller Discovery: DHCP Option DHCP Server

DHCP Offer 1 DHCP Request

2 Layer 3 CAPWAP Discovery Request Broadcast 3

BRKEWN-2010

DHCP Offer Contains Option 43 for Controller

Layer 3 CAPWAP Discovery Responses © 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

11

AP Controller Discovery: DNS Option DNS Server

DHCP Server

DHCP Request

CISCO-CAPWAP-CONTROLLER.localdomain 192.168.1.2

2

1

DHCP Offer

192.168.1.2

3 DHCP Offer Contains DNS Server or Servers 4

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

12

WLAN Controller Selection Algorithm §  CAPWAP Discovery Response contains important information from the WLAN Controller Controller name, controller type, controller AP capacity, current AP load, “Master Controller” status, and AP Manager IP address or addresses

§  AP selects a controller to join using the following decision criteria 1.  Attempt to join a WLAN Controller configured as a “Master” controller 2.  Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name 3.  Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)

§  Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

13

CAPWAP Control Messages for Join Process §  CAPWAP Join Request: AP sends this messages to selected controller (sent to AP Manager Interface IP address) CAPWAP Join Request

§  CAPWAP Join Response: If controller validates AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller CAPWAP Join Response

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

14

Configuration Phase

Firmware and Configuration Download §  Firmware is downloaded by the AP from the WLC

LWAPP-L3

§  Network configuration is downloaded by the AP from the WLC

Firmware Download

Firmware digitally signed by Cisco

Configuration Download

Firmware downloaded only if needed, AP reboots after the download

Cisco WLAN Controller

Configuration is encrypted in the CAPWAP tunnel Configuration is applied

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Access Points

Cisco Public

15

4.2, 6.0, 7.0? Which Version Should I Use?

§  WLC 5508 supports 6.0, 7.0.98 and 7.0.116 §  WLC7500, WiSM-2 and WLC2504 only supported in 7.0.116 §  6.0.202 is the latest MD §  7.0.116 will be tested for AssureWave (Blue Ribbon) §  Please note the current revision of 7.0- 7.0.116.0 which is the recommended one for you today BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

16

Agenda §  Controller-Based Architecture Overview §  Mobility in the Cisco Unified WLAN Architecture §  Architecture Building Blocks §  Deploying the Cisco Unified Wireless Architecture

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

17

Mobility Defined §  Mobility is a key reason for wireless networks §  Mobility means the end-user device is capable of moving location in the networked environment §  Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile! §  Mobility presents new challenges: Need to scale the architecture to support client roaming— roaming can occur intra-controller and inter-controller Need to support client roaming that is seamless (fast) and preserves security

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

18

Scaling the Architecture with Mobility Groups §  Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries §  APs learn the IPs of the other members of the mobility group after the LWAPP Join process Controller-B MAC: AA:AA:AA:AA:AA:02

Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01 Controller-C, AA:AA:AA:AA:AA:03 Controller-A MAC: AA:AA:AA:AA:AA:01 Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-B, AA:AA:AA:AA:AA:02 Controller-C, AA:AA:AA:AA:AA:03

§  Mobility messages exchanged between controllers

Ethernet in IP Tunnel

§  Support for up to 24 controllers, 3600 APs per mobility group

Controller-C MAC: AA:AA:AA:AA:AA:03 Mobility Group Name: MyMobilityGroup

§  Data tunneled between controllers in EtherIP (RFC 3378)

Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01 Controller-B, AA:AA:AA:AA:AA:02

Mobility Messages BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

19

Increased Mobility Scalability §  Roaming is supported across three mobility groups (3 * 24 = 72 controllers) §  With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 and 6.0.188 and 7.0

Ethernet in IP Tunnel

Mobility Sub-Domain 1

Ethernet in IP Tunnel

Mobility Sub-Domain 3

Ethernet in IP Tunnel

Mobility Sub-Domain 2

Mobility Messages BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

20

How Long Does an STA Roam Take? §  Time it takes for: Client to disassociate + Probe for and select a new AP + 802.11 Association + 802.1X/EAP Authentication + Rekeying + IP address (re) acquisition

§  All this can be on the order of seconds… Can we make this faster?

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

21

Roaming Requirements §  Roaming must be fast … Latency can be introduced by: Client channel scanning and AP selection algorithms Re-authentication of client device and re-keying Refreshing of IP address

§  Roaming must maintain security Open auth, static WEP—session continues on new AP WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes 802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be reauthenticated and new session key derived for encryption

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

22

How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact

§  Eliminating the (re)IP address acquisition challenge §  Eliminating full 802.1X/EAP reauthentication

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

23

Intra-Controller Roaming: Layer 2 VLAN X WLC-1 Client Client Data Database (MAC, IP,

WLC-2 Client Database

QoS, Security) WLC-1

WLC2

Mobility Message Exchange

§  Client must be reauthenticated and new security session established

Preroaming Data Path

BRKEWN-2010

§  Intra-Controller roam happens when an AP moves association between APs joined to the same controller

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

24

Intra-Controller Roaming: Layer 2 (Cont.) VLAN X Client Data WLC-2 Client Database (MAC, IP, QoS, Security)

WLC-1 Client Database

WLC-1

WLC-2

Mobility Message Exchange

Roaming Data Path

§  No IP address refresh needed

Client Roams to a Different AP

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

§  Client database entry with new AP and appropriate security context

Cisco Public

25

Intra-Controller Roaming: Layer 3 VLAN X

VLAN Z

WLC-1 Client Client Data Database (MAC, IP, QoS, Security) WLC-1

Client Data WLC-2 Client Database (MAC, IP, QoS, Security)

Mobility Message Exchange

WLC-2

Preroaming Data Path

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

26

Client Roaming Between Subnets: Layer 3 (Cont.) VLAN X

VLAN Z

WLC-1 Client Client Data Database (MAC, IP, QoS, Security) WLC-1

Client Data WLC-2 Client Database (MAC, IP, QoS, Security)

Mobility Message Exchange

Anchor Controller

Data Tunnel

WLC-2 Foreign Controller

Preroaming Data Path

Client Roams to a Different AP

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

27

Static IP Mobility with 7.0.116 VLAN X

Mobility Group-1

VLAN Z

WLC-1 Client Database

WLC-2 Client Database

Client Data (MAC, IP, QoS, Security)

Client Data (MAC, IP, QoS, Security)

Mobility Message Exchange

WLC-1

Encrypted Data Tunnel

Anchor Controller

Mobility Group-2 WLC-2 Foreign Controller

Pre Roaming Data Path

Client with Static IP on VLAN X Associates on This AP

Client with Static IP on VLAN X Dis-Associates from This AP BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

28

Static IP Mobility with 7.0.116 GUI Configuration

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

29

Roaming: Inter-Controller Layer 3 §  L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets §  Client must be re-authenticated and new security session established §  Client database entry copied to new controller – entry exists in both WLC client DBs §  Original controller tagged as the “anchor”, new controller tagged as the “foreign” §  WLCs must be in same mobility group or domain §  No IP address refresh needed §  Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0 release §  Account for mobility message exchange in network design BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

30

How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact

ü Eliminating the (re)IP address acquisition challenge §  Eliminating full 802.1X/EAP reauthentication

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

31

Fast Secure Roaming

Standard Wi-Fi Secure Roaming §  802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms WAN Cisco AAA Server (ACS or ISE)

2. 802.1X Reauthentication After Roaming

AP2

§  802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam

1. 802.1X Initial Authentication Transaction

AP1

Note: Mechanism Is Needed to Centralize Key Distribution BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

32

Cisco Centralized Key Management (CCKM) §  Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially with application specific devices (ASDs) §  CCKM originally a core feature of the “Structured Wireless Aware Network” (SWAN) architecture §  CCKM ported to CUWN architecture in 3.2 release §  In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range! §  CCKM is most widely implemented in ASDs, especially VoWLAN devices §  To work across WLCs, WLCs must be in the same mobility group §  CCX-based laptops may not fully support CCKM – depends on supplicant capabilities §  CCKM is standardized in 802.11R, but no clients available yet

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

33

Fast Secure Roaming

WPA2/802.11i Pairwise Master Key (PMK) Caching §  WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients §  From the 802.11i specification: Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later When a STA is (re-)associates to an AP, it may attach a list of PMK IDs (which were derived via dot1x process with this AP before) in the (re)association request frame When PMK ID exists, AP can use them to retrieve PMK record from its own PMK cache, if PMK is found, and matches the STA MAC address; AP can bypass dot1x authentication process, and directly starts WPA2 four-way key handshake session with the STA PMK cache records will be kept for one hour for non-associated STAs

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

34

OKC/PKC Key Data Points §  Requires client/supplicant support §  Supported in Windows since XP SP2 §  Many ASDs support OKC and/or PKC §  Check on client support for TKIP vs. CCMP – mostly CCMP only §  Enabled by default on WLCs with WPAv2 §  Requires WLCs to be in the same mobility group §  Important design note: pre-positioning of roaming clients consumes spots in client DB §  In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range! BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

35

How Long Does a Client Really Take to Roam? §  Time to roam = Client to disassociate + Probe for and select a new AP + 802.11 Association + Mobility message exchange between WLCs + Reauthentication + Rekeying + IP address (re) acquisition

§  Network latency will have an impact on these times – consideration for controller placement §  With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

36

How Often Do Clients Roam? §  It depends… types of clients and applications §  Most client devices are designed to be “nomadic” rather than “mobile”, though proliferation of small form factor, “smart” devices will probably change this… §  Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly §  Design rule of thumb: 10-20 roams per second for every 5000 clients

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

37

Designing a Mobility Group/Domain Design Considerations §  Less roaming is better – clients and apps are happier §  While clients are authenticating/roaming, WLC CPU is doing the processing – not as much of a big deal for 5508 which has dedicated management/control processor §  L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size §  Leverage natural roaming domain boundaries §  Mobility Message transport selection: multicast vs. unicast §  Make sure the right ports and protocols are allowed BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

38

Agenda §  Controller-Based Architecture Overview §  Mobility in the Cisco Unified WLAN Architecture §  Architecture Building Blocks §  Deploying the Cisco Unified Wireless Architecture

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

39

CUWN 7.0.116 Release Key Controller Features Device Support

Local-Mode Features

Flexconnect Features

WLC-WiSM2

wIPS ELM

Scale and Groups

WLC-7500

11n Indoor Mesh

Local Auth

WLC-2500

2.4 GHz Backhaul

Fault Tolerance

WLCM-2

VLAN Select

Opportunistic Key Caching

AP600 / AP1550

FIPS

Others Client Limit on WLAN

Encrypting Neighbor Packets

Increased RF Group Scalability

Rogue Containment Enhancement

RF Group Leader Flexibility

PSB Password Enhancements

Webauth on Mac Filter Failure

Static IP Mobility

Web Authentication Proxy

CCX S60 Location Improvements

DHCP Option 60

Voice Diagnostics

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

40

CUWN 7.0.116 Release Key Controller Features Device Support

Local-Mode Features

Flexconnect Features

WLC-WiSM2

wIPS ELM

Scale and Groups

WLC-7500

11n Indoor Mesh

Local Auth

WLC-2500

2.4 GHz Backhaul

Fault Tolerance

WLCM-2

VLAN Select

Opportunistic Key Caching

AP600 / AP1550

FIPS

Others Client Limit on WLAN

Encrypting Neighbor Packets

Increased RF Group Scalability

Rogue Containment Enhancement

RF Group Leader Flexibility

PSB Password Enhancements

Webauth on Mac Filter Failure

Static IP Mobility

Web Authentication Proxy

CCX S60 Location Improvements

DHCP Option 60

Voice Diagnostics

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

41

WiSM2

For Cisco Catalyst 6500 Series §  Enhanced operational savings Higher scale Reduced downtime during upgrades Single controller

Specifications At-a-Glance

§  Higher performance

Access Points

100–500

Clients

10,000

I/O

10G

Chassis-Level Scale

3500 APs and 70,000 Clients

Concurrent AP Joins

500

Number of Phy Controllers

1

Power

225W

Throughput Concurrent rich-media application flows

§  Maximize Cisco Catalyst 6000 Series investment Supervisor and service module refresh

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

42

Enterprise-Grade WLC5508 for the Campus

Cisco 5500 Series Wireless Controller

Key Attributes Ø Best in class performance Industry-leading encrypted throughput

Ø Enhanced Operational Savings Upgrades 500 AP within mins Access Points

12-500

Clients

7,000

Form-Factor

1 RU

IO Interface

8x 1GE Ports, LAG

Upgrade Licenses

25, 50,100, 250

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Fails over 500 APs within seconds

Ø Enhanced rich media performance Multiple concurrent low-latency media flows

Cisco Public

43

Controller Comparison 5500

WiSM-2

Number of Access Points

12, 25, 50, 100, 250, 500

500

Throughput

Up to 8 Gbps

Up to 10 Gbps

Clients

Up to 7000

Up to 10,000

Concurrent AP Upgrades/Joins

Up to 500

Up to 500

Network I/O

Up to 8 1 Gbps SFPs

Cisco Catalyst 6000 Series Backplane

Mobility Domain Size

Up to 36,000 APs

Up to 36,000 APs

Number of Controllers per Physical Device

1

1

Power Consumption

125W

225W

AP Count Upgrade via Licensing

Yes

Yes

Encrypted Data Link Between AP and Controller

Yes

Yes

OfficeExtend Solution

Yes

Yes

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

44

Cost Effective Entry Level Controllers 2500 Wireless Controller New

Key Attributes Access Points

5-50

Clients

500

Throughput

500 Mbps

Deployment Model

Local and FlexConnect

Form Factor

Desktop

IO Interface

4x 1GE

Upgrade Licenses

5, 25

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Ø  Ability to scale the network as you grow with licensing Ø  Part of a PCI certified architecture Ø Ability to support various deployment modes

Cisco Public

45

Wireless Controller on ISR G2/SRE New

Access Points

ISM: SM:

Clients

500

Throughput

500 Mbps

Deployment Model

Local and FlexConnect

Form Factor

SRE (ISM/SM)

Upgrade Licenses

5, 25

Device Supported On

1941, 2900 and 3900 Series ISR G2

BRKEWN-2010

5-10 5-50

© 2011 Cisco and/or its affiliates. All rights reserved.

Key Attributes • Single Box for branch services • Consistency of functionality and management with controllers

Cisco Public

46

CleanAir Access Point Detect and Classify Locate Mitigate

Cisco CleanAir BRKEWN-2010

A System-Wide Feature that Uses Silicon-Level Intelligence to Automatically Mitigate the Impact of Wireless Interference, Optimize Network Performance, and Reduce Troubleshooting Costs © 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

47

What Is CleanAir? Detect and Classify 97

§  Uniquely identify and track multiple interferers

100 63 90 20 35

§  Assess unique impact to Wi-Fi performance §  Monitor air quality

Cisco CleanAir BRKEWN-2010

High-Resolution Interference Detection and Classification Logic Built in to Cisco’s 802.11n Wi-Fi Chip Design; Inline Operation with no CPU or Performance Impact © 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

48

What Is CleanAir? Locate

Mitigate

WCS, MSE

Wireless LAN Controller

§  Classification processed on access point

Maintain Air Quality

§  Interference impact and data sent to WLC for real-time action §  WCS and MSE store data for location, history, and troubleshooting

Cisco CleanAir BRKEWN-2010

GOOD

POOR

Visualize and Troubleshoot

CH 1

CH 11

Cisco CleanAir Technology Integrates Interference Information from the AP into the Entire System © 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

49

Access Points Portfolio 11n

Teleworker

11n + CleanAir

Limited Lifetime Hardware Warranty

Ruggedized

1260

Carpeted

New

BRKEWN-2010

1140

1040 600

© 2011 Cisco and/or its affiliates. All rights reserved.

3500e

Cisco Public

3500i

50

New 2x3 MIMO 11n Speed Provide Higher Coverage and Throughput

CleanAir and ClientLink Technology Avoids Interference, Delivers Stronger Signals to Clients

Flexible Deployment Access or Mesh Network, Fiber, UTP or Wireless Backhaul

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

51

Cisco Aironet 1550 Series Outdoor AP

§  2 Radios 2.4/5 GHz §  2 Tx, 3 Rx §  MIMO, 2 SS §  3x Dual-Band Ant.

1552E

1552H

1552C

1552I

802.11 b/g/n

802.11b/g/n

802.11b/g/n

802.11b/g/n

5 GHz

802.11 a/n

802.11a/n

802. 11a/n

802.11a/n

Type

Standard

Hazardous Loc.

Cable Modem

Standard

External

External

Integrated

Integrated

2.4 GHz

Antenna

MIMO Multiple-In, Multiple-Out BRKEWN-2010 SS Spatial Streams

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

52

CUWN 7.0.116 Release Key Controller Features Device Support

Local-Mode Features

Flexconnect Features

WLC-WiSM2

wIPS ELM

Scale and Groups

WLC-7500

11n Indoor Mesh

Local Auth

WLC-2500

2.4 GHz Backhaul

Fault Tolerance

WLCM-2

VLAN Select

Opportunistic Key Caching

AP600/AP1550

FIPS

Others Client Limit on WLAN

Encrypting Neighbor Packets

Increased RF Group Scalability

Rogue Containment Enhancement

RF Group Leader Flexibility

PSB Password Enhancements

Webauth on Mac Filter Failure

Static IP Mobility

Web Authentication Proxy

CCX S60 Location Improvements

DHCP Option 60

Voice Diagnostics

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

53

Adaptive wIPS

Components and Functions

AP

Attack Detection

24x7 Scanning Over-the-Air Detection

WLC

Configuration wIPS AP Management

MSE

Alarm Archival

WCS

Centralized Monitoring

Capture Storage Complex Attack Analysis, Forensics, Events

Historic Reporting Monitoring, Reporting

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

54

Cisco Adaptive Wireless IPS with “Enhanced Local Mode (ELM)” •  Adaptive wIPS scanning in data serving access points •  Provides protection without needing a separate overlay network. •  Available as a free SW download for existing wIPS Monitor Mode customers. •  ELM supported APs: 1040, 1140, 1250, 1260 & 3500

Without ELM Data Serving

BRKEWN-2010

With ELM

Monitor Mode

© 2011 Cisco and/or its affiliates. All rights reserved.

Single Data and WIPS AP

Cisco Public

55

Deployment Recommendation Option B

Option A

Enhanced Local Mode

Local Mode

WIPS Monitor Mode/ CleanAir MMAP + WIPS MM

WIPS Monitor Mode or CleanAir MM + WIPS MM on CleanAir AP: Recommendation – Ratio of 1:5 MMAP to Local Mode APs

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Turn on ELM on All APs (Including CleanAir)

Cisco Public

56

TrustSec 2.0 and Identity Services Engine •  Centralized Policy •  Distributed Enforcement

ACS

•  AAA Services NAC Profiler

•  Posture Assessment •  Guest Access Services

NAC Guest NAC Manager

•  Device Profiling Identity Services Engine

NAC Server

•  Monitoring •  Troubleshooting •  Reporting

*Current NAC and ACS Hardware Platform Is Software Upgradable to ISE BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

57

ISE Integrated Device Profiling

“iPad Template”

Custom Template

Visibility for Wired and Wireless Devices BRKEWN-2010

Simplified “Device Category” Policy

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

New Device Templates via Subscription Feeds 58

ISE Integrated Device Profiling § 

Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication

§ 

Employee using corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network

§ 

Employee using personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only ISE

ISE

1 EAP Authentication

Employee

2 Accept with VLAN 30

4 Accept with VLAN 40

Corporate Resources

VLAN 30 Same-SSID

CAPWAP

802.1Q TrunkVLAN 40 Employee

BRKEWN-2010

3 EAP Authentication

© 2011 Cisco and/or its affiliates. All rights reserved.

Internet

Cisco Public

59

ISE Integrated Device Profiling §  Example: VLAN 30 (Corporate access ) VLAN 40 (Internet access)

Corporate Internet

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

60

ISE Integrated Device Profiling •  ISE Setup – Authorization Profiles redirect VLAN, Override ACL,

CoA…

Laptop Assign VLAN 30

iPad Assign VLAN 40

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

61

ISE Integrated Device Profiling § WLC CoA Setup – Pre-Auth ACL, allows ALL client traffic to ISE

§ WLAN – Dot1X, AAA Override and Radius NAC enabled. Permit ANY to ISE (IP Addr)

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

62

ISE Integrated Device Profiling §  RADIUS probe (information about authentication, authorization and accounting requests from Network Access §  DHCP (helper or span) §  HTTP user agent (span)

Customizable Profiles

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

63

Agenda §  Controller-Based Architecture Overview §  Mobility in the Cisco Unified WLAN Architecture §  Architecture Building Blocks §  Deploying the Cisco Unified Wireless Architecture

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

64

Deploying the Cisco Unified Wireless Architecture §  Controller Redundancy and AP Load Balancing §  Understanding AP Groups §  IPv6 Deployment with Controllers §  Branch Office Designs §  Guest Access Deployment §  Home Office Design

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

65

Deploying the Cisco Unified Wireless Architecture §  Controller Redundancy and AP Load Balancing §  Understanding AP Groups §  IPv6 Deployment with Controllers §  Branch Office Designs §  Guest Access Deployment §  Home Office Design

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

66

Controller Redundancy Dynamic

§  Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers §  Results in dynamic “salt-and-pepper” design §  Design works better when controllers are “clustered” in a centralized design §  Pros Easy to deploy and configure—less upfront work APs dynamically load-balance (though never perfectly)

§  Cons More intercontroller roaming Bigger operational challenges due to unpredictability Longer failover times No “fallback” option in the event of controller failure

§  Cisco’s general recommendation is: Only for Layer 2 roaming §  Use deterministic redundancy instead of dynamic redundancy BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

67

Controller Redundancy Deterministic WLAN-Controller-A

WLAN-Controller-B

WLAN-Controller-C

§  Administrator statically assigns APs a primary, secondary, and/ or tertiary controller Assigned from controller interface (per AP) or WCS (template-based)

§  Pros Predictability—easier operational management More network stability Primary: WLAN-Controller-A Secondary: WLAN-Controller-B Tertiary: WLAN-Controller-C

Primary: WLAN-Controller-B Secondary: WLAN-Controller-C Tertiary: WLAN-Controller-A

More flexible and powerful redundancy design options

Primary: WLAN-Controller-C Secondary: WLAN-Controller-A Tertiary: WLAN-Controller-B

Faster failover times “Fallback” option in the case of failover

§  Con More upfront planning and configuration

§  This is Cisco’s recommended best practice BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

68

Controller Redundancy Architecture Resiliency Resiliency WLAN-Controller-A

WLAN-Controller-B

N:1 Redundancy WLAN-Controller-C

WLAN-Controller-1

APs Configured With: Primary: WLAN-Controller-1 Secondary: WLAN-Controller-BKP

WLAN-Controller-2

APs Configured With: Primary: WLAN-Controller-2 Secondary: WLAN-Controller-BKP

WLAN-Controller-n

APs Configured With: Primary: WLAN-Controller-n Secondary: WLAN-Controller-BKP

NOC or Data Center WLAN-Controller-BKP

Primary: WLAN-Controller-A Secondary: WLAN-Controller-B Tertiary: WLAN-Controller-C

Primary: WLAN-Controller-B Secondary: WLAN-Controller-C Tertiary: WLAN-Controller-A

Primary: WLAN-Controller-C Secondary: WLAN-Controller-A Tertiary: WLAN-Controller-B

N:N Redundancy WLAN-Controller-A

APs Configured With: Primary: WLAN-Controller-A Secondary: WLAN-Controller-B

N:N:1 Redundancy WLAN-Controller-A

NOC or Data Center

APs Configured With: Primary: WLAN-Controller-A Secondary: WLAN-Controller-B Tertiary: WLAN-Controller-BKP

WLAN-Controller-BKP

WLAN-Controller-B

BRKEWN-2010

WLAN-Controller-B

APs Configured With: Primary: WLAN-Controller-B Secondary: WLAN-Controller-A

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

APs Configured With: Primary: WLAN-Controller-B Secondary: WLAN-Controller-A Tertiary: WLAN-Controller-BKP

69

High Availability Using Cisco 5508

Si

Si

Si

Si

Primary WLC5508

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

§  APs are connected to primary WLC 5508 §  In case of hardware failure of WLC 5508 §  AP’s fall back to secondary WLC Secondary 5508 WLC5508 §  Traffic flows through the secondary WLC 5508 and primary core switch Cisco Public

70

High Availability Using WiSM: Uplink Failure on Primary Switch S

N

Si

Si

Active HSRP Switch Primary WiSM

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

§  In case of uplink failure of the primary switch §  Standby switch Standby becomes the HSRP Switch active HSRP New Active switch HSRP Switch §  APs are still connected to primary WiSM §  Traffic flows thru the new HSRP active switch Cisco Public

71

High Availability Using WiSM-2

Si

Primary WiSM

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Si

Secondary WiSM

Cisco Public

§  APs are connected to primary WiSM §  In case of hardware failure of primary WiSM §  AP’s fall back to secondary WiSM §  Traffic flows thru the secondary WiSM and primary core switch 72

VSS and Cisco 5508 §  Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch §  4 ports of Cisco 5508 are connected to active VSS switch §  2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch §  In case of failure of primary switch traffic continues to flow through secondary switch in the VSS pair

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Catalyst VSS Pair

Cisco 5508

Cisco Public

73

VSS and WiSM-2

Virtual Switch System (VSS)

Switch-1 (VSS Active)

Switch-2 (VSS Standby)

Control Plane Active

Data Plane Active

BRKEWN-2010

Control Plane Standby

VSL

Failover/State Sync VLAN

Data Plane Active

FWSM Active

FWSM Standby

WiSM-2 Active

WiSM-2 Standby

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

74

Controller Redundancy High Availability

High Availability Principles

Primary WLC

§  AP is registered with a WLC and maintain a backup list of WLC §  AP use heartbeats to validate WLC connectivity §  AP use Primary Discovery message to validate backup WLC list §  When AP lose three heartbeats it start join process to first backup WLC candidate

Secondary WLC

§  Candidate Backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary §  AP do not re-initiate discovery process BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

75

Controller Redundancy High Availability with 7.0.116

To Accommodate Both Local and Remote Settings, There Are Configurable Options Provided, so that Administrator Can Fine Tune the Settings Based on the Requirements New Timers Heartbeat: Fast Heartbeat Timeout: AP Retransmit Interval: AP Retrans with FH Enabled: AP Retrans with FH Disabled:

AP Fallback to next WLC BRKEWN-2010

1-30 Seconds 1-10 Seconds 2-5 Seconds 3-8 Times 3-8 Times 12 Seconds

© 2011 Cisco and/or its affiliates. All rights reserved.

Old Timers-5508

10-30 Seconds 3-10 Seconds 3 Seconds 3 Times 5 Times 35 Seconds Cisco Public

Old Timers-Non-5508

1-30 Seconds 1-10 Seconds 3 Seconds 3 Times 5 Times 35 Seconds 76

AP Pre-Image Download in 7.0

1.  Upgrade the image on the controller 2.  Don’t reboot the controller

CAPWAP-L3

§  Pre-Image download operation

AP Pre-image Download

§  AP pre-image download allows AP to download code while it is operational

Cisco WLAN Controller

AP Joins Without Download

§  Since most CAPWAP APs can download and keep more than one image of 4–5 MB each

3.  Issue AP pre-image download command 4.  Once all AP images are downloaded 5.  Reboot the controller

Access Points

6.  AP now rejoins the controller without reboot BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

How Much Time You Save? Cisco Public

77

Configure AP Pre-Image Download §  Upgrade the image on the controller and don’t reboot

§  Currently we have two images on the controller (Cisco Controller) >show boot Primary Boot Image............................... 7.0.116.0 (default) (active) Backup Boot Image................................ 7.0.98.0 BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

78

Configure AP Pre-Image Download Wireless > AP > Global Configuration

Perform Primary Image Predownloaded on the AP

AP Now Starts Predownloading

AP Now Swaps Image After Reboot of the Controller

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

79

Deploying the Cisco Unified Wireless Architecture §  Controller Redundancy and AP Load Balancing §  Understanding AP Groups §  IPv6 Deployment with Controllers §  Branch Office Designs §  Guest Access Deployment §  Home Office Design

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

80

AP-Groups

Default AP-Group §  The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group §  Default AP-Group cannot be modified §  APs with no assignment to an specific AP-Group will use the Default AP-Group §  The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups §  Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups §  WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50) WLC 4400 and WiSM (AP groups: 300), WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 (AP Groups : 500)

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

81

AP-Grouping in Campus VLAN 100

VLAN 100

VLAN 100

Access

Si

Si

Si

Si

Si

Si

Distribution

CAPWAP

Core Si

Si

Si

VLAN 100 / 21

Si

Si Si

Si

Distribution

Si

Access Single SSID = Employee

BRKEWN-2010

Internet

Data Center

WAN WLC-1

© 2011 Cisco and/or its affiliates. All rights reserved.

WLC-2 Cisco Public

82

AP-Grouping in Campus AP-Group-1

AP-Group-2

AP-Group-3

VLAN 60 /23

VLAN 70 /23

VLAN 80 /23

Access

Si

Si

Si

Si

Si

Si

Distribution

CAPWAP

Core Si

Si

Si

VLAN 100 /21

Si

Si

Si

Si

VLAN 60 VLAN 70 VLAN 80

Si

Distribution

Access Single SSID = Employee

BRKEWN-2010

Internet

Data Center

WAN WLC-1

© 2011 Cisco and/or its affiliates. All rights reserved.

WLC-2 Cisco Public

83

Default AP-Group Network Name

Default AP Group

Only WLANs 1–16 Will Be Added in Default AP Group

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

84

Multiple AP-Groups

AP Group 1

AP Group 2

AP Group 3

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

85

Interface-Groups 7.0.116

§  Interface-groups allows for a WLAN to be mapped to a single interface or multiple interfaces §  Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion §  Extends current AP group and AAA override, with multiple interfaces using interface groups §  Controllers

Interface-Groups/Interfaces

WiSM-2, 5508, 7500, 2500

64/64

WiSM, 4400

32/32

2100 and 2504

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

4/4

Cisco Public

86

Interface-Grouping in Campus 7.0.116 Int-Group-1

VLAN 60 /23 VLAN 61 / 23

Si

Si

Int-Group-2

Int-Group-3

VLAN 70 /23 VLAN 71 /23

VLAN 80 /23 VLAN 81 /23

Si

Si

Si

Access

Si

Distribution

LWAPP/CAPWAP

Core Si

Si

Single SSID = Employee

Si

VLAN 100 /21

Si

Si

Si

VLAN 60 VLAN 61 VLAN 70 VLAN 71 VLAN 80 VLAN 81

WLC-1 © 2011 Cisco and/or its affiliates. All rights reserved.

Si

Distribution

Access Internet

Data Center

WAN

BRKEWN-2010

Si

WLC-2 Cisco Public

87

Multiple Interface-Groups 7.0.116 Interface Group 1

Interface Group 2

Interface Group 3 BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

88

Deploying the Cisco Unified Wireless Architecture §  Controller Redundancy and AP Load Balancing §  Understanding AP Groups §  IPv6 Deployment with Controllers §  Branch Office Designs §  Guest Access Deployment §  Home Office Design

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

89

IPv6 over IPv4 Tunneling §  Prior to WLC 6.0 release, IPv6 pass-thru is only supported but no L2 security can be enabled on IPv6 WLAN §  With WLC 6.0 release, IPv6 pass-thru with Layer 2 security supported §  To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller §  IPv6 packets are tunneled over CAPWAP IPv4 tunnel §  Same WLAN can support both IPv4 and IPv6 clients §  IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN §  IPv6 is not supported with guest mobility anchor tunneling Client IPv6 Traffic Tunneled over IPv4 and Bridged to Ethernet

Ethernet II | IPv6

CAPWAP Tunnel

802.11| IPv6 BRKEWN-2010

Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

90

IPv6 Configuration on WLC 6.X §  Enable IPv6 on the WLAN and multicast on the WLC

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

91

IPv6 Client Details §  IPv6 client details on the WLC

§  IPv6 client details from dual-stack (Vista) client

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

92

Deploying the Cisco Unified Wireless Architecture §  Controller Redundancy and AP Load Balancing §  Understanding AP Groups §  IPv6 Deployment with Controllers §  Branch Office Designs Understanding HREAP (Hybrid) REAP AP Deployment Understanding Branch Controller Deployment

§  Guest Access Deployment §  Home Office Design

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

93

Branch Office Deployment HREAP

§  Hybrid architecture

Central Site

Centralized Traffic

Centralized Traffic

§  Single management and control point Centralized traffic (split MAC) Or

WAN

Local traffic (local MAC)

§  HA will preserve local traffic only

Local Traffic

Remote Office

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

94

H-REAP Design Considerations §  Some WAN limitations apply RTT must be below 300 ms data (100 ms voice) Minimum 500 bytes WAN MTU (with maximum four fragmented packets)

§  Some features are not available in standalone mode or in local switching mode ACL in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC) See full list in « H-REAP Feature Matrix » http://www.cisco.com/en/US/products/ps6366/ products_tech_note09186a0080b3690b.shtml

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

95

Configure H-REAP Mode

Step 1: Configure Access Point Mode §  Enable H-REAP mode per AP §  Supported AP: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

96

Configure H-REAP Local Switching Step 2: Enable Local Switching per WLAN

§  Only WLAN with “Local Switching” enabled will allow local switching at the H-REAP AP

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

97

Configure H-REAP VLAN Mapping Step 3: H-REAP Specific Configuration

§  H-REAP AP can be connected on an access port (using native VLAN) or connected to a 802.1Q trunk port §  VLAN mapping is a per AP configuration on WLC and by AP group using templates on a WCS

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

98

Configure H-REAP VLAN Mapping Step 4: Per AP SSID to VLAN Mapping

§  Mapping of SSID to 802.1Q VLAN is done per H-REAP AP

§  Use WCS for configuration with templates BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

99

Economies of Scale for Lean Branches Flex 7500 Wireless Controller New

Key Differentiation Ø  WAN Tolerance •  High Latency Networks Access Points

300-2,000

Clients

20,000

Branches

500

Access Points / Branch

50

Deployment Model

FlexConnect

•  Voice CAC

Form Factor

1 RU

•  OKC/CCKM

IO Interface

2x 10GE

Upgrade Licenses

100, 200, 500, 1K

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

•  WAN Survivability

Ø  Security 802.1x based port authentication

Ø  Voice support

Cisco Public

100

Understanding H-REAP Groups §  WLC supports up to 20 H-REAP groups

Central Site

§  Each H-REAP group supports up to 25 H-REAP APs §  H-REAP groups allow sharing of: CCKM fast roaming keys Local user authentication

WAN

Remote Site

Local EAP authentication

Remote Site H-REAP Group 2

H-REAP Group 1

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

101

H-REAP Groups and CCKM Keys CCKM Keys

§  CCKM keys are stored on HREAP APs for Layer 2 fast roaming

Central Site

RADIUS Server

§  The HREAP APs will receive the CCKM keys from the WLC §  If a HREAP AP boots up in the standalone mode, it will not get the CCKM keys from the WLC and fast roaming is not supported

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Remote Site H-REAP Group 1

Cisco Public

WAN

Remote Site H-REAP Group 2

102

H-REAP Groups and CCKM Keys Add a New H-REAP Group

Add APs to the H-REAP Group

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

103

H-REAP Groups and Local EAP §  In case of WAN of failure (standalone mode) HREAP APs can act like a local EAP server

Central Site

RADIUS Server

§  In a HREAP-Group we can store 100 usernames and act like a local EAP server §  LEAP and EAP-FAST is the only supported EAP type in standalone mode

Remote Site H-REAP Group 1

WAN

Remote Site H-REAP Group 2

Local EAP Server

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

104

H-REAP Groups and Local EAP

Add the H-REAP AP to the Group and Enable AP Local Authentication

Add the Username and Password to Be Stored on the HREAP AP

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

105

H-REAP Groups and Local RADIUS Server §  In case of WAN of failure (standalone mode) HREAP APs can authenticate from a local RADIUS server §  Only session-timeout RADIUS attribute (attribute 27) is supported in the standalone mode

Central Site

WAN

RADIUS Server

RADIUS Server

Remote Site H-REAP Group 2

§  RADIUS accounting is not supported in standalone mode H-REAP Group 1 Remote Site BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

106

H-REAP Groups and Local RADIUS Server Add IP Address of the Remote RADIUS Server in the WLC (10.20.20.12)

Select the Remote RADIUS Server Details in HREAP Group of the Remote

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

107

FlexConnect Improvements in New 7.0.116 §  WAN Survivability FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails

§  Local Authentication Allows for the authentication capability to exist directly at the AP in FlexConnect instead of the WLC

§  Improved Scale Group Scale: Max HREAP groups increased to 500 (7500s) and 100 (5500s) APs per Group: 50 (7500s) and 25 (5500s)

§  Fast Roaming in Remote Branches Opportunistic Key Caching (OKC) between APs in a branch BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

108

Flex 7500 vs. 5500/WiSM2  

FlexConnect (H-REAP)   Flex 7500  

5500/WiSM2  

APs Managed  

2,000  

500/500  

Clients Supported  

20,000  

7,000/10,000  

Number of H-REAP Groups  

500  

100  

APs per H-REAP Group  

50  

25  

Number of AP Groups  

500  

500  

APs per RRM Group  

4,000  

1,000  

WLAN’s  

512  

512  

WLAN per H-REAP Group  

16  

16  

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

109

Controller Portfolio

Comprehensive Solution for All Segments NEW

Features/Performance

Campus and Full Service Branch WiSM2

NEW

5500 2500

NEW

NEW Lean Branch

WLCM2

Scale BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

110

Cisco WLAN Solution Components Management WCS

Mobility Services

Controllers WLC

Access Points

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

111

Deploying the Cisco Unified Wireless Architecture §  Controller Redundancy and AP Load Balancing §  Understanding AP Groups §  IPv6 Deployment with Controllers §  Branch Office Designs Understanding HREAP (Hybrid) REAP AP Deployment) Understanding Branch Controller Deployment

§  Guest Access Deployment §  Home Office Design

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

112

Branch Office WLAN Controller Options Number of Users: 100–500 Number of APs: 5–25

WCS E-Mail

Headquarters

§  Appliance controllers

MPLS ATM Frame Relay

Internet VPN

Cisco 2504-12

Branch Office

Small Office

Cisco 5508-12, 5508-25

§  Integrated controller

Number of Users: 20–100 Number of APs: 1–5

WLAN controller module (WLCM-2) for ISR G2 BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

113

Branch Office WLAN Controller Options Cisco 2504 ***

WCS E-Mail

Branch Office MPLS ATM Frame Relay

Headquarters

Small Office

§  Cisco Unified Wireless Network with controller-based §  Multiple Integrated WAN options on ISR §  Consistent branch-HQ services, features, and performance §  Standardized branch configuration extends the unified wired and wireless network §  Branch configuration management from central WCS BRKEWN-2010

Internet VPN

WLCM-2 ** **AP Count Vary Depending on Channel Utilization and Data Rates

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

114

When to Choose WLC 2504? §  WLC2504 should be used in the branch for the following reasons compared to HREAP solution: •  •  •  •  •  •  •  •  • 

If you need cookie cutter configuration for every branch site If you need Layer-3 roaming in the branch site If you need VideoStream technology in the branch site If you need to implement VLAN Select in the branch site If you need to implement Static IP mobility in the branch site If you need to implement ACL in the branch site If you need to implement peer to peer blocking in the branch site If you want WGB support in the branch site If you want MESH AP support in the branch site

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

115

Deploying the Cisco Unified Wireless Architecture §  Controller Redundancy and AP Load Balancing §  Understanding AP Groups §  IPv6 Deployment with Controllers §  Branch Office Designs §  Guest Access Deployment §  Home Office Design

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

116

Guest Access Deployment WLAN Controller Deployments with EoIP Tunnel §  Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers §  Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN §  No need to define the guest VLANs on the switches connected to the remote controllers §  Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels

Internet DMZ or Anchor Wireless Controller Cisco ASA Firewall EoIP “Guest Tunnel” Wireless LAN Controller CAPWAP

§  Redundant EoIP tunnels to the Anchor WLC §  2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role Guest BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Guest 117

Guest Access Deployment with 7.0.0116 DHCP servers in DMZ w/VLAN-DHCP scopes

DHCP servers in DMZ w/VLAN-DHCP scopes

Internet

Anchor2

Campus Core

Wireless VLAN-1/WLANA

Anchor1 EtherIP “Guest Tunnel”

EtherIP ACS/ISE

Si

“Guest Tunnel”

Wireless VLAN2/WLANA

DHCP servers in Core w/VLAN DHCP scopes

Si Secure

Wireless VLAN3/WLANA

Si Secure

Wireless VLAN-4/WLANA

Foreign WLCs

Wireless VLANs/Interface Gr

Guest

BRKEWN-2010

Secure

© 2011 Cisco and/or its affiliates. All rights reserved.

Guest

Cisco Public

Secure

118

Interface Group and Auto Anchor Mobility Using 7.0.116 §  Clients joining a foreign WLC which is exported to an anchor WLC and mapped to an interface group will get an IP address in round robin method inside the interface group §  Clients joining a foreign WLC which is exported to an anchor WLC and mapped to an interface will get an IP address from that interface only §  Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

119

Interface Group and Auto Anchor Mobility Using 7.0.116 Configure Subnet/Address Assignment Based on Foreign Site/Location in Guest Anchor Setup, Command Will Be: §  CLI: config wlan mobility foreign-map add < mac address > §  GUI: A New option is created under WLAN- “Foreign Maps”

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

120

Deploying the Cisco Unified Wireless Architecture §  Controller Redundancy and AP Load Balancing §  Understanding AP Groups §  IPv6 Deployment with Controllers §  Branch Office Designs §  Guest Access Deployment §  Home Office Designs

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

121

Home Office Design OEAP AP

§  Cisco controller installed in the DMZ of the corporate network

WLC 5508/WiSM-2 WCS

E-Mail

Headquarters

§  OfficeExtend AP (OEAP) installed at teleworker’s home MPLS §  Corporate access to employee over ATM centrally configured SSID

§ 

Frame Relay Family

Internet access over a locally configured SSID

Internet VPN

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

122

OEAP 600 §  802.11n AP with dual concurrent 2.4GHz and 5GHz radios for teleworker home §  4 local Ethernet ports §  1 Corporate-bound port, 3 for local Ethernet devices §  Up to 4 clients behind the corporate port §  Corporate SSID and user-configurable Personal SSID §  Traffic segmenting supported (corporate vs. personal traffic) §  Local DHCP and NAT support §  Control and data plane encryption

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

123

OEAP 600 §  802.1X and MAC filtering support §  Can be pre-provisioned by IT (batch setup, zero touch for end user) or locally provisioned by end user §  Easy GUI setup with Corporate SSID ready in minutes §  Desktop (horizontal) or cradle (vertical) orientation §  Supported by all WLC 5508, 2500 and WiSM2 platforms and WCS §  Hardware Limited Lifetime Warranty

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

124

User Configuration – Easy Setup Two Setup Options Available: 1) Zero Touch (IT staged) or … 2) User Configured (Controller IP Address Entry)

Internet Routable IP Address

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

125

Sample Screen Shots Login

§  Default DHCP scope of the OEAP is 10.0.0.X, so browse to https://10.0.0.1 to get the admin page of OEAP on port 1,2,3

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

126

Home Office Design

Cisco Virtual Office Express Architecture Simplified Head-End VPN

SOHO Cisco 800 or 1800 Spoke Routers

Head-End Cisco ISR (2800/3800) or Cisco 7206 VXR with VSA or WLC

Corporate Network

§  Simplified head-end VPN design §  Cisco enhanced easy VPN with advanced QoS integration provides secure transport, facilitating voice and video applications (with option of per SA QoS) §  Multiple options for head-end to allow for large concentration of site and with high throughput §  Remote site presence: Cisco 870, 880, 890, or 1800 series ISR and Cisco Unified IP phones 7900 series §  Head-end presence: 2800, 3800, 7200, or ASR series §  Headend (optional): wireless LAN controller, WCS, configuration engine

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

127

Cisco Unified Wireless Network

Flexible, Resilient, Scalable Architecture Unified Outdoor/ Indoor Access Highly Distributed Design

Access Network

3750G Unified WLC Enterprise Hybrid REAP Distributed WLC Design

Distribution Network

440x, 5508 WLC, WiSM Unified WLC Network Core or Data Center Centralized WLC Design

Teleworker/ SOHO

440x, 5508 WLC, WiSM Unified WLC

OfficeExtend AP

Internet

DMZ Guest Controller 440x, 5508 WLC

Branch Office Unified WLC Options: 5508, 440x, 210x 3750G Unified WLC WLCM Module

Data Center Internet

Hybrid REAP Standalone AP

BRKEWN-2010

Unified Management: Wireless Control System Services Platform: Mobility Services Engine © 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

128

Summary – Key Takeways §  Take advantage of the standards (CAPWAP, DTLS, 802.11 i, e, k, r…..) §  Wide range of architecture / design choices §  Brand new controller (WiSM-2, WLC 7500, WLC 2504) portfolio with investment protection §  Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc) §  Cisco’s investment into technology – NCS, ISE, New hardware, cloud controller, CiUS

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

129

Documentation §  Aironet 600 Series OEAP Access Point Configuration Guide http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml

§  Wireless Services Module 2 (WiSM2) Deployment Guide http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml

• Flex7500 Deployment guide http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

§  Wireless, LAN (WLAN) Configuration Examples and TechNotes http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

§  H-REAP Deployment Guide http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml

§  VLAN Select Deployment Guide http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

130

Complete Your Online Session Evaluation §  Receive 25 Cisco Preferred Access points for each session evaluation you complete. §  Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd. §  Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. §  Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

131

Visit the Cisco Store for Related Titles http://theciscostores.com

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

132

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

133

Thank you.

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

134

View more...

Comments

Copyright ©2017 KUPDF Inc.