Design and Deployment of Enterprise WLANs
Sujit Ghosh, CCIE #7204
Manager, Technical Marketing, Wireless Networking Business Unit
BRKEWN-2010
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
1
Agenda
§ Controller-Based Architecture Overview
§ Mobility in the Cisco Unified WLAN Architecture
§ Architecture Building Blocks
§ Deploying the Cisco Unified Wireless Architecture
Understanding WLAN Controllers: 1st/2nd Generation vs. 3rd Generation Approach
§ 1st/2nd generation: APs act as an 802.1Q translational bridge, putting client traffic on local VLANs
§ 3rd generation: the controller bridges client traffic centrally
[Diagram: a 1st/2nd generation AP trunking the Data, Voice and Management VLANs locally, versus a 3rd generation AP reaching the controller over an LWAPP/CAPWAP tunnel, with the Data, Voice and Management VLANs terminated at the controller]
Centralized Wireless LAN Architecture: What Is CAPWAP?
§ CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller and is based on LWAPP
§ CAPWAP carries control and data traffic between the two
  - Control plane is DTLS encrypted
  - Data plane is DTLS encrypted (optional)
§ LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
§ CAPWAP is not supported in a Layer 2 mode deployment
[Diagram: Wi-Fi client, access point, CAPWAP control plane and data plane to the controller, business application behind the controller]
CAPWAP Modes: Split MAC
§ The CAPWAP protocol supports two modes of operation
  - Split MAC (centralized mode)
  - Local MAC (H-REAP)
§ Split MAC
[Diagram: the STA sends a wireless frame to the WTP (wireless PHY / MAC sublayer); the frame is carried over the CAPWAP data plane to the AC, which forwards it as an 802.3 frame]
CAPWAP Modes: Local MAC
§ Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
§ Locally bridged
[Diagram: the STA sends a wireless frame to the WTP (wireless PHY / MAC sublayer); the WTP itself forwards it as an 802.3 frame, with no data path through the AC]
§ Tunneled as 802.3 frames
[Diagram: the STA sends a wireless frame to the WTP, which converts it to an 802.3 frame and carries it over the CAPWAP data plane to the AC, which forwards the 802.3 frame]
§ Tunneled local MAC is not supported by Cisco
§ H-REAP supports locally bridged MAC and split MAC per SSID
CAPWAP State Machine
AP boots up -> Discovery -> DTLS Setup -> Join -> Image Data -> Config -> Run; a Reset returns the AP to the start of the sequence
AP Controller Discovery: Controller Discovery Order
§ Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs)
  - Broadcast message sent to discover a controller on the local subnet
§ Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails
  - Previously learned or primed controllers
  - Subnet broadcast
  - DHCP option 43
  - DNS lookup
AP Controller Discovery: DHCP Option
1. The AP sends a DHCP Request
2. The DHCP Offer from the DHCP server contains Option 43 for the controller
3. The AP sends a Layer 3 CAPWAP Discovery Request (broadcast) and receives Layer 3 CAPWAP Discovery Responses
AP Controller Discovery: DNS Option
1. The AP sends a DHCP Request
2. The DHCP Offer contains the DNS server or servers
3. The AP queries DNS for CISCO-CAPWAP-CONTROLLER.localdomain
4. The DNS server answers with the controller address (192.168.1.2 in the diagram)
WLAN Controller Selection Algorithm
§ The CAPWAP Discovery Response contains important information from the WLAN Controller: controller name, controller type, controller AP capacity, current AP load, "Master Controller" status, and AP Manager IP address or addresses
§ The AP selects a controller to join using the following decision criteria:
  1. Attempt to join a WLAN Controller configured as a "Master" controller
  2. Attempt to join a WLAN Controller whose name matches the previously configured primary, secondary, or tertiary controller name
  3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)
§ Options #2 and #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic
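The three selection criteria above, modelled as an added Python example that is not from the deck. The DiscoveryResponse fields and the sample responses are constructed for illustration, and skipping a controller with no spare AP capacity is an assumption of the example, not a rule the slide states.

```python
"""
Added example: model of the AP's controller selection from a set of CAPWAP
Discovery Responses. Order: Master controller, then configured
primary/secondary/tertiary name, then greatest excess AP capacity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveryResponse:
    """The fields of a Discovery Response that matter for selection (constructed model)."""
    name: str
    ap_capacity: int
    ap_load: int
    is_master: bool = False

    @property
    def excess_capacity(self):
        return self.ap_capacity - self.ap_load


def select_controller(responses, primary=None, secondary=None, tertiary=None):
    """Return the name of the controller the AP should join, or None if none qualify."""
    # Assumption of this example: a controller with no spare AP capacity is not a candidate.
    candidates = [r for r in responses if r.excess_capacity > 0]
    if not candidates:
        return None
    # 1. A controller configured as Master wins outright.
    masters = [r for r in candidates if r.is_master]
    if masters:
        return masters[0].name
    # 2. Deterministic redundancy: configured primary, then secondary, then tertiary name.
    by_name = {r.name: r for r in candidates}
    for configured in (primary, secondary, tertiary):
        if configured and configured in by_name:
            return configured
    # 3. Dynamic load balancing: greatest excess AP capacity (first one on a tie).
    return max(candidates, key=lambda r: r.excess_capacity).name


if __name__ == "__main__":
    # Constructed sample responses from three controllers.
    responses = [
        DiscoveryResponse("WLC-A", ap_capacity=500, ap_load=480),
        DiscoveryResponse("WLC-B", ap_capacity=100, ap_load=10),
        DiscoveryResponse("WLC-C", ap_capacity=250, ap_load=200, is_master=True),
    ]
    print("with master present:", select_controller(responses, primary="WLC-A"))
    print("deterministic:      ", select_controller(responses[:2], primary="WLC-A"))
    print("dynamic:            ", select_controller(responses[:2]))
```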
CAPWAP Control Messages for Join Process
§ CAPWAP Join Request: the AP sends this message to the selected controller (sent to the AP Manager interface IP address)
§ CAPWAP Join Response: if the controller validates the AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller
Configuration Phase: Firmware and Configuration Download
§ Firmware is downloaded by the AP from the WLC
  - Firmware is digitally signed by Cisco
  - Firmware is downloaded only if needed; the AP reboots after the download
§ Network configuration is downloaded by the AP from the WLC
  - Configuration is encrypted in the CAPWAP tunnel
  - Configuration is applied
[Diagram: Cisco WLAN Controller sending the firmware download and the configuration download to the access points over LWAPP-L3]
4.2, 6.0, 7.0? Which Version Should I Use?
§ WLC 5508 supports 6.0, 7.0.98 and 7.0.116
§ WLC 7500, WiSM-2 and WLC 2504 are only supported in 7.0.116
§ 6.0.202 is the latest MD
§ 7.0.116 will be tested for AssureWave (Blue Ribbon)
§ Please note the current revision of 7.0 is 7.0.116.0, which is the recommended one for you today
Agenda: Mobility in the Cisco Unified WLAN Architecture
Mobility Defined
§ Mobility is a key reason for wireless networks
§ Mobility means the end-user device is capable of moving location in the networked environment
§ Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it's mobile!
§ Mobility presents new challenges:
  - Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
  - Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
§ A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
§ APs learn the IPs of the other members of the mobility group after the LWAPP Join process
§ Mobility messages are exchanged between controllers
§ Data is tunneled between controllers in EtherIP (RFC 3378)
§ Support for up to 24 controllers, 3600 APs per mobility group
[Diagram: Controller-A (MAC AA:AA:AA:AA:AA:01), Controller-B (MAC AA:AA:AA:AA:AA:02) and Controller-C (MAC AA:AA:AA:AA:AA:03) in mobility group MyMobilityGroup, each listing the other two as mobility group neighbors; mobility messages and an Ethernet-in-IP tunnel run between them]
Increased Mobility Scalability
§ Roaming is supported across three mobility groups (3 * 24 = 72 controllers)
§ With Inter Release Controller Mobility (IRCM), roaming is supported between 4.2.207, 6.0.188 and 7.0
[Diagram: Mobility Sub-Domain 1, 2 and 3 connected by Ethernet-in-IP tunnels and mobility messages]
How Long Does an STA Roam Take?
§ Time it takes for: client to disassociate + probe for and select a new AP + 802.11 association + 802.1X/EAP authentication + rekeying + IP address (re)acquisition
§ All this can be on the order of seconds... Can we make this faster?
Roaming Requirements
§ Roaming must be fast ... latency can be introduced by:
  - Client channel scanning and AP selection algorithms
  - Re-authentication of the client device and re-keying
  - Refreshing of the IP address
§ Roaming must maintain security
  - Open auth, static WEP: session continues on the new AP
  - WPA/WPAv2 Personal: a new session key for encryption is derived via standard handshakes
  - 802.1x, 802.11i, WPA/WPAv2 Enterprise: the client must be reauthenticated and a new session key derived for encryption
How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact
§ Eliminating the (re)IP address acquisition challenge
§ Eliminating full 802.1X/EAP reauthentication
Intra-Controller Roaming: Layer 2
§ An intra-controller roam happens when a client moves association between APs joined to the same controller
§ Client must be reauthenticated and a new security session established
[Diagram: pre-roaming data path on VLAN X; WLC-1 and WLC-2 each hold a client database (MAC, IP, QoS, security) and exchange mobility messages]
Intra-Controller Roaming: Layer 2 (Cont.)
§ Client roams to a different AP
§ Client database entry is updated with the new AP and the appropriate security context
§ No IP address refresh needed
[Diagram: roaming data path on VLAN X through the new AP on the same controller (WLC-1); WLC-1 and WLC-2 client databases (MAC, IP, QoS, security); mobility message exchange]
Intra-Controller Roaming: Layer 3
[Diagram: pre-roaming data path; the client is on VLAN X behind WLC-1, while WLC-2 serves VLAN Z; each WLC holds a client database (MAC, IP, QoS, security); mobility message exchange between WLC-1 and WLC-2]
Client Roaming Between Subnets: Layer 3 (Cont.)
[Diagram: the client roams to a different AP on WLC-2, the foreign controller on VLAN Z; WLC-1 on VLAN X remains the anchor controller; client data is carried over a data tunnel between foreign and anchor; the client database entry (MAC, IP, QoS, security) is present on both WLCs; mobility message exchange between the two; pre-roaming data path shown for comparison]
Static IP Mobility with 7.0.116
[Diagram: a client with a static IP on VLAN X associates to an AP on WLC-1 (Mobility Group-1, anchor controller), dis-associates from that AP, and associates to an AP on WLC-2 (Mobility Group-2, foreign controller, local VLAN Z); client data (MAC, IP, QoS, security) is held in both the WLC-1 and WLC-2 client databases; mobility messages are exchanged and client data is carried over an encrypted data tunnel between foreign and anchor; pre-roaming data path shown for comparison]
Static IP Mobility with 7.0.116: GUI Configuration
[Screenshot of the controller GUI configuration]
Roaming: Inter-Controller Layer 3
§ L3 inter-controller roam: the STA moves association between APs joined to different controllers, and the client traffic is bridged onto different subnets
§ Client must be re-authenticated and a new security session established
§ Client database entry is copied to the new controller; the entry exists in both WLC client DBs
§ Original controller is tagged as the "anchor", the new controller as the "foreign"
§ WLCs must be in the same mobility group or domain
§ No IP address refresh needed
§ Symmetric traffic path established; the asymmetric option has been eliminated as of the 6.0 release
§ Account for the mobility message exchange in the network design
How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact
✓ Eliminating the (re)IP address acquisition challenge
§ Eliminating full 802.1X/EAP reauthentication
Fast Secure Roaming: Standard Wi-Fi Secure Roaming
§ 802.1X authentication in wireless today requires three "end-to-end" transactions with an overall transaction time of > 500 ms
§ 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms on the roam
§ Note: a mechanism is needed to centralize key distribution
[Diagram: (1) 802.1X initial authentication transaction via AP1, (2) 802.1X reauthentication after roaming to AP2, both crossing the WAN to the Cisco AAA server (ACS or ISE)]
Cisco Centralized Key Management (CCKM)
§ Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
§ CCKM was originally a core feature of the "Structured Wireless Aware Network" (SWAN) architecture
§ CCKM was ported to the CUWN architecture in the 3.2 release
§ In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
§ CCKM is most widely implemented in ASDs, especially VoWLAN devices
§ To work across WLCs, the WLCs must be in the same mobility group
§ CCX-based laptops may not fully support CCKM; it depends on supplicant capabilities
§ CCKM is standardized in 802.11r, but no clients are available yet
Fast Secure Roaming: WPA2/802.11i Pairwise Master Key (PMK) Caching
§ WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients
§ From the 802.11i specification:
  - Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later
  - When a STA (re-)associates to an AP, it may attach a list of PMK IDs (which were derived via the dot1x process with this AP before) in the (re)association request frame
  - When a PMK ID exists, the AP can use it to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake session with the STA
  - PMK cache records will be kept for one hour for non-associated STAs
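The AP-side cache rules quoted above, as an added Python example that is not from the deck. It computes the PMKID the way 802.11i/WPA2 define it for the SHA-1 based AKMs, HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) with AA the AP BSSID and SPA the station MAC, and honours a PMKID from a (re)association request only if the entry is cached, belongs to the requesting station and has not aged out one hour after the station became non-associated. The PMK, BSSID and station MACs in the demo are constructed test values.

```python
"""
Added example: an AP's PMK cache following the 802.11i behaviour on the slide.
A cache hit skips 802.1X and goes straight to the four-way handshake; anything
else means full 802.1X/EAP authentication.
"""
import hashlib
import hmac

PMK_CACHE_LIFETIME = 3600  # seconds; the one-hour retention for non-associated STAs


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk, bssid, sta_mac):
    """802.11i PMKID: first 128 bits of HMAC-SHA1 over "PMK Name" || AA || SPA."""
    data = b"PMK Name" + mac_bytes(bssid) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PmkCache:
    """PMK cache held by one AP, keyed by PMKID."""

    def __init__(self, bssid):
        self.bssid = bssid
        # pmkid -> {"pmk", "sta", "idle_since"}; idle_since is None while the STA is associated
        self._entries = {}

    def store_after_dot1x(self, pmk, sta_mac):
        """Cache the PMK produced by a completed 802.1X/EAP exchange with an associated STA."""
        key = pmkid(pmk, self.bssid, sta_mac)
        self._entries[key] = {"pmk": pmk, "sta": sta_mac, "idle_since": None}

    def mark_disassociated(self, sta_mac, now):
        """Start the one-hour retention clock on every entry belonging to the STA."""
        for entry in self._entries.values():
            if entry["sta"] == sta_mac and entry["idle_since"] is None:
                entry["idle_since"] = now

    def _expired(self, entry, now):
        return entry["idle_since"] is not None and now - entry["idle_since"] > PMK_CACHE_LIFETIME

    def lookup(self, sta_mac, offered_pmkids, now):
        """
        Return the cached PMK usable for this (re)association request, or None if the
        AP must run full 802.1X. Expired entries are purged; an entry whose station
        MAC differs from the requester is ignored even though the PMKID matched.
        """
        for pid in offered_pmkids:
            entry = self._entries.get(pid)
            if entry is None:
                continue
            if self._expired(entry, now):
                del self._entries[pid]
                continue
            if entry["sta"] != sta_mac:
                continue
            entry["idle_since"] = None  # STA is associated again; stop the clock
            return entry["pmk"]
        return None


def next_step(cache, sta_mac, offered_pmkids, now):
    """What the AP does next: '4-way-handshake' on a cache hit, else 'full-802.1X'."""
    hit = cache.lookup(sta_mac, offered_pmkids, now)
    return "4-way-handshake" if hit is not None else "full-802.1X"


if __name__ == "__main__":
    ap = PmkCache("00:11:22:33:44:55")  # constructed BSSID
    pmk = bytes(range(32))               # constructed 256-bit PMK
    sta = "aa:bb:cc:dd:ee:01"            # constructed station MAC
    ap.store_after_dot1x(pmk, sta)
    pid = pmkid(pmk, ap.bssid, sta)
    print(next_step(ap, sta, [pid], now=100))           # cache hit
    ap.mark_disassociated(sta, now=200)
    print(next_step(ap, sta, [pid], now=200 + 3601))    # aged out, full 802.1X
```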
OKC/PKC Key Data Points
§ Requires client/supplicant support
§ Supported in Windows since XP SP2
§ Many ASDs support OKC and/or PKC
§ Check on client support for TKIP vs. CCMP; mostly CCMP only
§ Enabled by default on WLCs with WPAv2
§ Requires WLCs to be in the same mobility group
§ Important design note: pre-positioning of roaming clients consumes spots in the client DB
§ In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!
How Long Does a Client Really Take to Roam?
§ Time to roam = client to disassociate + probe for and select a new AP + 802.11 association + mobility message exchange between WLCs + reauthentication + rekeying + IP address (re)acquisition
§ Network latency will have an impact on these times; a consideration for controller placement
§ With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary
How Often Do Clients Roam?
§ It depends... on the types of clients and applications
§ Most client devices are designed to be "nomadic" rather than "mobile", though the proliferation of small form factor, "smart" devices will probably change this...
§ Nomadic clients usually are programmed to try to avoid roaming... so set your expectations accordingly
§ Design rule of thumb: 10-20 roams per second for every 5000 clients
Designing a Mobility Group/Domain: Design Considerations
§ Less roaming is better; clients and apps are happier
§ While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
§ L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider "worst case" scenarios in designing the roaming domain size
§ Leverage natural roaming domain boundaries
§ Mobility message transport selection: multicast vs. unicast
§ Make sure the right ports and protocols are allowed
Agenda: Architecture Building Blocks
CUWN 7.0.116 Release: Key Controller Features
Device Support: WLC-WiSM2, WLC-7500, WLC-2500, WLCM-2, AP600 / AP1550
Local-Mode Features: wIPS ELM, 11n Indoor Mesh, 2.4 GHz Backhaul, VLAN Select
Flexconnect Features: Local Auth, Fault Tolerance, Opportunistic Key Caching, FIPS
Scale and Groups: Encrypting Neighbor Packets, Increased RF Group Scalability, RF Group Leader Flexibility
Others: Client Limit on WLAN, Rogue Containment Enhancement, PSB Password Enhancements, Webauth on MAC Filter Failure, Static IP Mobility, Web Authentication Proxy, CCX S60 Location Improvements, DHCP Option 60, Voice Diagnostics
WiSM2 for Cisco Catalyst 6500 Series
§ Enhanced operational savings: higher scale, reduced downtime during upgrades, single controller
§ Higher performance
§ Maximize the Cisco Catalyst 6000 Series investment: supervisor and service module refresh
Specifications at a glance:
  Access Points: 100–500
  Clients: 10,000
  I/O: 10G
  Chassis-level scale: 3500 APs and 70,000 clients
  Concurrent AP joins: 500
  Number of physical controllers: 1
  Power: 225 W
  Throughput: concurrent rich-media application flows
Enterprise-Grade WLC5508 for the Campus: Cisco 5500 Series Wireless Controller
Key attributes:
§ Best-in-class performance: industry-leading encrypted throughput
§ Enhanced operational savings: upgrades 500 APs within minutes; fails over 500 APs within seconds
§ Enhanced rich-media performance: multiple concurrent low-latency media flows
Specifications:
  Access Points: 12–500
  Clients: 7,000
  Form factor: 1 RU
  I/O interface: 8x 1GE ports, LAG
  Upgrade licenses: 25, 50, 100, 250
Controller Comparison
Feature                                       | 5500                          | WiSM-2
Number of Access Points                       | 12, 25, 50, 100, 250, 500     | 500
Throughput                                    | Up to 8 Gbps                  | Up to 10 Gbps
Clients                                       | Up to 7,000                   | Up to 10,000
Concurrent AP Upgrades/Joins                  | Up to 500                     | Up to 500
Network I/O                                   | Up to 8x 1 Gbps SFPs          | Cisco Catalyst 6000 Series backplane
Mobility Domain Size                          | Up to 36,000 APs              | Up to 36,000 APs
Number of Controllers per Physical Device     | 1                             | 1
Power Consumption                             | 125 W                         | 225 W
AP Count Upgrade via Licensing                | Yes                           | Yes
Encrypted Data Link Between AP and Controller | Yes                           | Yes
OfficeExtend Solution                         | Yes                           | Yes
Cost Effective Entry Level Controllers: 2500 Wireless Controller (New)
Key attributes:
§ Ability to scale the network as you grow with licensing
§ Part of a PCI certified architecture
§ Ability to support various deployment modes
Specifications:
  Access Points: 5–50
  Clients: 500
  Throughput: 500 Mbps
  Deployment model: Local and FlexConnect
  Form factor: Desktop
  I/O interface: 4x 1GE
  Upgrade licenses: 5, 25
Wireless Controller on ISR G2/SRE (New)
Key attributes:
• Single box for branch services
• Consistency of functionality and management with controllers
Specifications:
  Access Points: ISM: 5–10, SM: 5–50
  Clients: 500
  Throughput: 500 Mbps
  Deployment model: Local and FlexConnect
  Form factor: SRE (ISM/SM)
  Upgrade licenses: 5, 25
  Device supported on: 1941, 2900 and 3900 Series ISR G2
CleanAir Access Point: Detect and Classify, Locate, Mitigate
Cisco CleanAir: a system-wide feature that uses silicon-level intelligence to automatically mitigate the impact of wireless interference, optimize network performance, and reduce troubleshooting costs
What Is CleanAir? Detect and Classify
§ Uniquely identify and track multiple interferers
§ Assess the unique impact to Wi-Fi performance
§ Monitor air quality
High-resolution interference detection and classification logic built in to Cisco's 802.11n Wi-Fi chip design; inline operation with no CPU or performance impact
[Diagram: per-interferer air quality scores]
What Is CleanAir? Locate and Mitigate
§ Classification is processed on the access point
§ Interference impact and data are sent to the WLC for real-time action (maintain air quality)
§ WCS and MSE store data for location, history, and troubleshooting (visualize and troubleshoot)
Cisco CleanAir technology integrates interference information from the AP into the entire system
[Diagram: access point -> Wireless LAN Controller -> WCS, MSE; air quality per channel from CH 1 to CH 11, rated GOOD to POOR]
Access Points Portfolio
[Diagram: 11n APs (600 teleworker, 1040, 1140, 1260) and 11n + CleanAir APs (3500i, 3500e), arranged by teleworker, carpeted and ruggedized use, with limited lifetime hardware warranty; newer models marked New]
§ New 2x3 MIMO 11n speed provides higher coverage and throughput
§ CleanAir and ClientLink technology avoids interference and delivers stronger signals to clients
§ Flexible deployment: access or mesh network; fiber, UTP or wireless backhaul
Cisco Aironet 1550 Series Outdoor AP
§ 2 radios, 2.4/5 GHz
§ 2 Tx, 3 Rx
§ MIMO, 2 SS
§ 3x dual-band antennas
Model | 2.4 GHz     | 5 GHz     | Type           | Antenna
1552E | 802.11b/g/n | 802.11a/n | Standard       | External
1552H | 802.11b/g/n | 802.11a/n | Hazardous Loc. | External
1552C | 802.11b/g/n | 802.11a/n | Cable Modem    | Integrated
1552I | 802.11b/g/n | 802.11a/n | Standard       | Integrated
MIMO: Multiple-In, Multiple-Out; SS: Spatial Streams
Adaptive wIPS: Components and Functions
AP: attack detection; 24x7 scanning, over-the-air detection
WLC: configuration; wIPS AP management
MSE: alarm archival, capture storage; complex attack analysis, forensics, events
WCS: centralized monitoring, historic reporting; monitoring, reporting
Cisco Adaptive Wireless IPS with "Enhanced Local Mode (ELM)"
• Adaptive wIPS scanning in data serving access points
• Provides protection without needing a separate overlay network
• Available as a free SW download for existing wIPS Monitor Mode customers
• ELM supported APs: 1040, 1140, 1250, 1260 & 3500
[Diagram: without ELM, separate data serving and monitor mode APs; with ELM, a single data and wIPS AP]
Deployment Recommendation
Option A: Local Mode APs plus wIPS Monitor Mode, or CleanAir MM + wIPS MM on a CleanAir AP; recommendation is a ratio of 1:5 MMAP to Local Mode APs
Option B: Enhanced Local Mode; turn on ELM on all APs (including CleanAir)
TrustSec 2.0 and Identity Services Engine
• Centralized policy
• Distributed enforcement
Identity Services Engine brings together the functions of ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server:
• AAA services
• Posture assessment
• Guest access services
• Device profiling
• Monitoring, troubleshooting, reporting
*Current NAC and ACS hardware platform is software upgradable to ISE
ISE Integrated Device Profiling
§ Visibility for wired and wireless devices
§ Simplified "device category" policy
§ New device templates via subscription feeds
[Diagram: "iPad Template" and a custom template]
ISE Integrated Device Profiling
§ Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication
§ An employee using a corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network
§ An employee using a personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only
[Diagram: (1) EAP authentication from the employee's laptop, (2) ISE Accept with VLAN 30 giving access to corporate resources; (3) EAP authentication from the employee's iPad, (4) ISE Accept with VLAN 40 giving Internet access only; both devices are on the same SSID, carried over CAPWAP to the WLC and out an 802.1Q trunk carrying VLAN 30 and VLAN 40]
ISE Integrated Device Profiling: example with VLAN 30 (corporate access) and VLAN 40 (Internet access)
[Screenshots: corporate access and Internet access]
ISE Integrated Device Profiling: ISE setup
• Authorization Profiles: redirect VLAN, override ACL, CoA...
• Laptop: assign VLAN 30
• iPad: assign VLAN 40
ISE Integrated Device Profiling: WLC CoA setup
§ Pre-Auth ACL allows ALL client traffic to ISE (permit ANY to the ISE IP address)
§ WLAN: Dot1X, AAA Override and RADIUS NAC enabled
ISE Integrated Device Profiling: profiling probes
§ RADIUS probe (information about authentication, authorization and accounting requests from Network Access)
§ DHCP (helper or SPAN)
§ HTTP user agent (SPAN)
§ Customizable profiles
Agenda: Deploying the Cisco Unified Wireless Architecture
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
Controller Redundancy: Dynamic
§ Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
§ Results in a dynamic "salt-and-pepper" design
§ Design works better when controllers are "clustered" in a centralized design
§ Pros
  - Easy to deploy and configure; less upfront work
  - APs dynamically load-balance (though never perfectly)
§ Cons
  - More intercontroller roaming
  - Bigger operational challenges due to unpredictability
  - Longer failover times
  - No "fallback" option in the event of controller failure
§ Cisco's general recommendation: only for Layer 2 roaming
§ Use deterministic redundancy instead of dynamic redundancy
Controller Redundancy: Deterministic
§ Administrator statically assigns APs a primary, secondary, and/or tertiary controller
  - Assigned from the controller interface (per AP) or WCS (template-based)
§ Pros
  - Predictability: easier operational management
  - More network stability
  - More flexible and powerful redundancy design options
  - Faster failover times
  - "Fallback" option in the case of failover
§ Con
  - More upfront planning and configuration
§ This is Cisco's recommended best practice
[Diagram: WLAN-Controller-A, WLAN-Controller-B and WLAN-Controller-C, with AP groups configured Primary/Secondary/Tertiary as A/B/C, B/C/A and C/A/B]
Controller Redundancy Architecture: Resiliency
Resiliency (WLAN-Controller-A, WLAN-Controller-B, WLAN-Controller-C), with AP groups configured:
  Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C
  Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A
  Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B
N:1 Redundancy (WLAN-Controller-1 ... WLAN-Controller-n, with a backup WLAN-Controller-BKP in the NOC or data center):
  APs configured with Primary: WLAN-Controller-1, Secondary: WLAN-Controller-BKP
  APs configured with Primary: WLAN-Controller-2, Secondary: WLAN-Controller-BKP
  APs configured with Primary: WLAN-Controller-n, Secondary: WLAN-Controller-BKP
N:N Redundancy (WLAN-Controller-A and WLAN-Controller-B):
  APs configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B
  APs configured with Primary: WLAN-Controller-B, Secondary: WLAN-Controller-A
N:N:1 Redundancy (WLAN-Controller-A and WLAN-Controller-B, with a backup WLAN-Controller-BKP in the NOC or data center):
  APs configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-BKP
  APs configured with Primary: WLAN-Controller-B, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-BKP
High Availability Using Cisco 5508
[Figure: primary WLC 5508 and secondary WLC 5508, each attached to a core switch of a redundant pair]
§ APs are connected to the primary WLC 5508
§ In case of hardware failure of the primary WLC 5508, the APs fall back to the secondary WLC 5508
§ Traffic flows through the secondary WLC 5508 and the primary core switch
High Availability Using WiSM: Uplink Failure on Primary Switch
[Figure: active HSRP switch hosting the primary WiSM and a standby HSRP switch, with redundant uplinks]
§ In case of uplink failure of the primary switch, the standby switch becomes the new active HSRP switch
§ APs are still connected to the primary WiSM
§ Traffic flows through the new HSRP active switch
High Availability Using WiSM-2
[Figure: primary WiSM and secondary WiSM in two core switches]
§ APs are connected to the primary WiSM
§ In case of hardware failure of the primary WiSM, the APs fall back to the secondary WiSM
§ Traffic flows through the secondary WiSM and the primary core switch
VSS and Cisco 5508
§ A Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch pair
§ 4 ports of the Cisco 5508 are connected to the active VSS switch
§ The 2nd set of 4 ports of the Cisco 5508 is connected to the standby VSS switch
§ In case of failure of the primary switch, traffic continues to flow through the secondary switch in the VSS pair
[Figure: Cisco 5508 dual-attached to a Catalyst VSS pair]
VSS and WiSM-2
[Figure: Virtual Switch System (VSS). Switch-1 (VSS Active: control plane active, data plane active) and Switch-2 (VSS Standby: control plane standby, data plane active) are joined by the VSL; a failover/state sync VLAN links FWSM Active with FWSM Standby and WiSM-2 Active with WiSM-2 Standby]
Controller Redundancy: High Availability
High Availability Principles
§ An AP is registered with a WLC and maintains a backup list of WLCs
§ The AP uses heartbeats to validate WLC connectivity
§ The AP uses Primary Discovery messages to validate the backup WLC list
§ When the AP loses three heartbeats, it starts the join process to the first backup WLC candidate
§ The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
§ The AP does not re-initiate the discovery process
[Figure: AP joined to the primary WLC, with the secondary WLC as its backup]
Controller Redundancy: High Availability with 7.0.116
To accommodate both local and remote settings, configurable options are provided so that the administrator can fine-tune the settings based on the requirements.

Timer                         New Timers       Old Timers (5508)   Old Timers (non-5508)
Heartbeat                     1–30 seconds     10–30 seconds       1–30 seconds
Fast Heartbeat Timeout        1–10 seconds     3–10 seconds        1–10 seconds
AP Retransmit Interval        2–5 seconds      3 seconds           3 seconds
AP Retrans with FH Enabled    3–8 times        3 times             3 times
AP Retrans with FH Disabled   3–8 times        5 times             5 times
AP Fallback to next WLC       12 seconds       35 seconds          35 seconds
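The failover rules on the two High Availability slides above, as an added example (not Cisco code and not part of the deck): the AP tries its backup list in the order primary, secondary, tertiary, global primary, global secondary; it gives up on its current controller after three consecutive lost heartbeats and joins the first alive candidate without a new discovery round; and the deterministic “fallback” option moves it back to the most preferred controller once that one is reachable again. Class and function names are this example's own, and the controller names and liveness table are constructed sample data; the timer values in the table are not modelled, only the three-heartbeat rule.

```python
"""AP failover candidate selection and heartbeat handling, as described on the
High Availability slides (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOST_HEARTBEATS_BEFORE_JOIN = 3   # "when AP loses three heartbeats it starts join process"


@dataclass
class ApConfig:
    """Per-AP assignment (controller GUI/CLI per AP, or a WCS template)."""
    name: str
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


@dataclass
class GlobalBackup:
    """Controller-wide fallbacks tried after the per-AP list is exhausted."""
    global_primary: Optional[str] = None
    global_secondary: Optional[str] = None


@dataclass
class ApState:
    joined_to: str
    lost_heartbeats: int = 0


def candidate_order(ap: ApConfig, g: GlobalBackup) -> List[str]:
    """Backup list in the order the AP tries it; empty slots and repeats are skipped."""
    ordered: List[str] = []
    for wlc in (ap.primary, ap.secondary, ap.tertiary, g.global_primary, g.global_secondary):
        if wlc and wlc not in ordered:
            ordered.append(wlc)
    return ordered


def first_alive(ap: ApConfig, g: GlobalBackup, alive: Dict[str, bool]) -> Optional[str]:
    """The candidate backup WLC: first controller in the list that answers Primary Discovery."""
    for wlc in candidate_order(ap, g):
        if alive.get(wlc, False):
            return wlc
    return None


def heartbeat_tick(state: ApState, ap: ApConfig, g: GlobalBackup,
                   alive: Dict[str, bool], acknowledged: bool) -> str:
    """Advance one heartbeat interval and return the controller the AP is joined to.

    An acknowledged heartbeat resets the counter. After three lost heartbeats the
    AP joins the first alive backup directly (no discovery round); the controller it
    just lost is treated as down regardless of what the liveness table says.
    """
    if acknowledged:
        state.lost_heartbeats = 0
        return state.joined_to
    state.lost_heartbeats += 1
    if state.lost_heartbeats < LOST_HEARTBEATS_BEFORE_JOIN:
        return state.joined_to
    view = dict(alive)
    view[state.joined_to] = False
    backup = first_alive(ap, g, view)
    if backup is not None:            # every candidate down: keep retrying the list
        state.joined_to = backup
    state.lost_heartbeats = 0
    return state.joined_to


def fall_back(state: ApState, ap: ApConfig, g: GlobalBackup, alive: Dict[str, bool]) -> str:
    """Deterministic 'fallback' option: move to the highest-priority alive controller."""
    preferred = first_alive(ap, g, alive)
    if preferred is not None and preferred != state.joined_to:
        state.joined_to = preferred
        state.lost_heartbeats = 0
    return state.joined_to


if __name__ == "__main__":
    ap = ApConfig("branch-ap-1", primary="WLC-A", secondary="WLC-B", tertiary="WLC-C")
    g = GlobalBackup(global_primary="WLC-BKP")
    alive = {"WLC-A": True, "WLC-B": True, "WLC-C": True, "WLC-BKP": True}  # constructed
    st = ApState(joined_to="WLC-A")
    for _ in range(3):                       # WLC-A stops answering heartbeats
        heartbeat_tick(st, ap, g, alive, acknowledged=False)
    print("after 3 lost heartbeats:", st.joined_to)       # WLC-B
    print("after fallback:", fall_back(st, ap, g, alive))  # WLC-A, once it answers again
```

The liveness table stands in for the Primary Discovery responses the slide mentions; in a real deployment the AP learns that state itself, which is why the deterministic design is only as good as the per-AP primary/secondary/tertiary assignment being correct and monitored.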
AP Pre-Image Download in 7.0
§ AP pre-image download allows an AP to download code while it is operational
§ Most CAPWAP APs can download and keep more than one image of 4–5 MB each
§ Pre-image download operation (CAPWAP Layer 3):
1. Upgrade the image on the controller
2. Don’t reboot the controller
3. Issue the AP pre-image download command
4. Wait until all AP images are downloaded
5. Reboot the controller
6. The AP now rejoins the controller without reboot (AP joins without download)
How much time do you save?
Configure AP Pre-Image Download
§ Upgrade the image on the controller and don’t reboot
§ Currently we have two images on the controller:
(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0
Configure AP Pre-Image Download
[Screenshots: Wireless > AP > Global Configuration; “Perform Primary Image Predownload” on the AP; the AP starts predownloading; the AP swaps the image after the reboot of the controller]
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
AP-Groups
Default AP-Group
§ The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
§ The default AP-Group cannot be modified
§ APs with no assignment to a specific AP-Group use the default AP-Group
§ The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
§ Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
§ Maximum AP groups per platform: WLC 2106: 50; WLC 2504: 50; WLC 4400 and WiSM: 300; WLC 5508 and WiSM-2: 500; WLC 7500: 500
AP-Grouping in Campus (default AP group)
[Figure: campus with access, distribution and core layers; CAPWAP from the APs to WLC-1 and WLC-2 in the data center; a single SSID “Employee” placed on VLAN 100 /21 at every AP; Internet and WAN edges]
AP-Grouping in Campus (multiple AP groups)
[Figure: the same campus; APs in AP-Group-1, AP-Group-2 and AP-Group-3 place the single SSID “Employee” on VLAN 60 /23, VLAN 70 /23 and VLAN 80 /23 respectively instead of one VLAN 100 /21; the VLANs terminate at WLC-1 and WLC-2 in the data center]
Default AP-Group
[Screenshot: network name of the default AP group; only WLANs 1–16 will be added in the default AP group]
Multiple AP-Groups
[Screenshot: AP Group 1, AP Group 2, AP Group 3]
Interface-Groups (7.0.116)
§ Interface groups allow a WLAN to be mapped to a single interface or to multiple interfaces
§ Clients associating to such a WLAN get an IP address from a pool of subnets identified by the interfaces, assigned in round-robin fashion
§ Extends the current AP group and AAA override features with multiple interfaces, using interface groups
§ Controller limits (interface groups / interfaces):
  WiSM-2, 5508, 7500, 2500: 64/64
  WiSM, 4400: 32/32
  2100 and 2504: 4/4
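How the AP-group and interface-group rules above combine when a client joins, as an added example (not WLC code, and not from the deck): WLAN IDs 1–16 form the unmodifiable default AP group used by APs with no assignment; WLAN IDs 17 and up only appear in the AP groups they are explicitly assigned to; the same WLAN can map to different dynamic interfaces in different AP groups; and an interface group hands out its member interfaces round-robin. Class names, the WLAN IDs and the interface names are constructed for the example.

```python
"""WLAN-to-interface resolution through AP groups and interface groups
(added example, not WLC code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_AP_GROUP = "default-group"
DEFAULT_GROUP_MAX_WLAN_ID = 16       # WLAN IDs 1-16 are the default AP group's members


@dataclass
class InterfaceGroup:
    name: str
    interfaces: List[str]
    _cursor: int = 0

    def next_interface(self) -> str:
        """Round-robin: each new client lands on the next member interface."""
        iface = self.interfaces[self._cursor % len(self.interfaces)]
        self._cursor += 1
        return iface


@dataclass
class ApGroup:
    name: str
    wlan_map: Dict[int, str] = field(default_factory=dict)  # WLAN ID -> interface or interface-group name


class Controller:
    def __init__(self, wlans: Dict[int, str], wlan_interface: Dict[int, str]):
        """wlans: WLAN ID -> SSID; wlan_interface: the interface configured on the WLAN itself."""
        self.wlans = wlans
        self.interface_groups: Dict[str, InterfaceGroup] = {}
        default_map = {wid: wlan_interface[wid] for wid in wlans if wid <= DEFAULT_GROUP_MAX_WLAN_ID}
        self.ap_groups: Dict[str, ApGroup] = {DEFAULT_AP_GROUP: ApGroup(DEFAULT_AP_GROUP, default_map)}

    def add_interface_group(self, name: str, interfaces: List[str]) -> None:
        if not interfaces:
            raise ValueError("an interface group needs at least one interface")
        self.interface_groups[name] = InterfaceGroup(name, list(interfaces))

    def add_ap_group(self, name: str, wlan_map: Dict[int, str]) -> None:
        """Custom AP group: any WLAN, including IDs 17+, mapped to an interface or interface group."""
        if name == DEFAULT_AP_GROUP:
            raise ValueError("the default AP group cannot be modified")
        unknown = [wid for wid in wlan_map if wid not in self.wlans]
        if unknown:
            raise ValueError(f"unknown WLAN IDs: {unknown}")
        self.ap_groups[name] = ApGroup(name, dict(wlan_map))

    def resolve(self, ap_group: Optional[str], wlan_id: int) -> Optional[str]:
        """Interface a new client on `wlan_id` lands on when it joins an AP of `ap_group`.

        None means APs in that group do not advertise the WLAN at all.
        """
        group = self.ap_groups[ap_group or DEFAULT_AP_GROUP]
        target = group.wlan_map.get(wlan_id)
        if target is None:
            return None
        ig = self.interface_groups.get(target)
        return ig.next_interface() if ig else target


if __name__ == "__main__":
    wlc = Controller(wlans={1: "Employee", 17: "Lab"}, wlan_interface={1: "vlan100", 17: "vlan200"})
    wlc.add_interface_group("Int-Group-1", ["vlan60", "vlan61"])
    wlc.add_ap_group("AP-Group-1", {1: "Int-Group-1", 17: "vlan200"})
    print("unassigned AP, Employee:", wlc.resolve(None, 1))      # vlan100
    print("unassigned AP, Lab:", wlc.resolve(None, 17))          # None: ID 17 is not in the default group
    print("AP-Group-1, Employee x3:", [wlc.resolve("AP-Group-1", 1) for _ in range(3)])  # vlan60, vlan61, vlan60
```

The `None` result is the case worth checking during a rollout: a WLAN created as ID 17 or higher is invisible on every AP that was left in the default group, which looks like a client-side problem until the AP-group membership is compared.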
Interface-Grouping in Campus (7.0.116)
[Figure: the same campus with a single SSID “Employee”; APs in Int-Group-1, Int-Group-2 and Int-Group-3 draw addresses from VLAN 60 /23 and VLAN 61 /23, VLAN 70 /23 and VLAN 71 /23, and VLAN 80 /23 and VLAN 81 /23 respectively; LWAPP/CAPWAP to WLC-1 and WLC-2 in the data center, which terminate VLANs 60, 61, 70, 71, 80 and 81]
Multiple Interface-Groups (7.0.116)
[Screenshot: Interface Group 1, Interface Group 2, Interface Group 3]
IPv6 over IPv4 Tunneling
§ Prior to the WLC 6.0 release, only IPv6 pass-thru is supported, and no L2 security can be enabled on an IPv6 WLAN
§ With the WLC 6.0 release, IPv6 pass-thru with Layer 2 security is supported
§ To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller
§ IPv6 packets are tunneled over the CAPWAP IPv4 tunnel
§ The same WLAN can support both IPv4 and IPv6 clients
§ IPv6 pass-thru and IPv4 Webauth are also supported on the same WLAN
§ IPv6 is not supported with guest mobility anchor tunneling
Client IPv6 traffic tunneled over IPv4 and bridged to Ethernet:
  Client to AP (802.11):      802.11 | IPv6
  AP to WLC (CAPWAP tunnel):  Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
  WLC to wired network:       Ethernet II | IPv6
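The AP-to-WLC encapsulation shown above, walked layer by layer in an added example (not Cisco code and not from the deck). It builds one constructed frame of the form Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6 and decodes it using the CAPWAP transport header layout from RFC 5415 (preamble, HLEN/RID/WBID/T flags, fragment fields) and an LLC/SNAP header inside the 802.11 data frame; the MACs, IPv4/IPv6 addresses and source port are sample values. The branch a defender cares about is the DTLS one: when the data plane is DTLS-encrypted (preamble type 1) the inner IPv6 headers are not visible to anything on the IPv4 path, so IPv6 policy has to be applied where the WLC bridges the traffic back onto Ethernet, and tooling that only understands IPv4 sees none of the client's IPv6 traffic either way.

```python
"""Decode a client IPv6 packet tunnelled over CAPWAP/IPv4 (added example, not Cisco code)."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
CAPWAP_DATA_PORT = 5247           # CAPWAP data channel; the control channel uses 5246
CAPWAP_HLEN_WORDS = 2             # 8-byte transport header, no optional fields
WBID_IEEE80211 = 1                # wireless binding id for 802.11
LLC_SNAP_IPV6 = bytes.fromhex("aaaa03000000" "86dd")


def build_sample_frame(dtls: bool = False) -> bytes:
    """Constructed sample: client IPv6 packet riding in CAPWAP from AP 10.10.10.20 to WLC 10.10.10.1.
    With dtls=True only the preamble changes; a real DTLS data plane would carry a DTLS record here."""
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,       # next header 59: no payload
                       ipaddress.IPv6Address("2001:db8:1::10").packed,
                       ipaddress.IPv6Address("2001:db8:2::53").packed)
    # 802.11 data frame, ToDS=1 (client to AP): addr1=BSSID, addr2=client, addr3=destination
    dot11 = struct.pack("!BBH6s6s6sH", 0x08, 0x01, 0,
                        bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        bytes.fromhex("ccddeeff0011"), 0)
    inner = dot11 + LLC_SNAP_IPV6 + ipv6
    preamble = 0x01 if dtls else 0x00                               # version 0; type 0 = clear, 1 = DTLS
    word = (CAPWAP_HLEN_WORDS << 19) | (WBID_IEEE80211 << 9) | (1 << 8)  # HLEN, WBID, T = native 802.11
    capwap = bytes([preamble]) + word.to_bytes(3, "big") + b"\x00\x00\x00\x00"  # frag id/offset = 0
    udp_len = 8 + len(capwap) + len(inner)
    udp = struct.pack("!HHHH", 5247, CAPWAP_DATA_PORT, udp_len, 0)   # checksums left 0 in the sample
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, IPPROTO_UDP, 0,
                       ipaddress.IPv4Address("10.10.10.20").packed,
                       ipaddress.IPv4Address("10.10.10.1").packed)
    eth = struct.pack("!6s6sH", bytes.fromhex("000c29aabbcc"), bytes.fromhex("001122334455"), ETHERTYPE_IPV4)
    return eth + ipv4 + udp + capwap + inner


def decode_capwap_ipv6(frame: bytes) -> dict:
    """Return outer and inner addressing; raise ValueError on truncation or an unexpected layer."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        raise ValueError("outer packet is not UDP")
    result = {"outer_src": str(ipaddress.IPv4Address(ip[12:16])),
              "outer_dst": str(ipaddress.IPv4Address(ip[16:20]))}
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport != CAPWAP_DATA_PORT:
        raise ValueError(f"UDP port {dport} is not the CAPWAP data channel")
    capwap = ip[ihl + 8:]
    if len(capwap) < 4:
        raise ValueError("truncated CAPWAP preamble")
    version, ptype = capwap[0] >> 4, capwap[0] & 0x0F
    if version != 0:
        raise ValueError(f"unknown CAPWAP version {version}")
    if ptype == 1:                      # DTLS-encrypted data plane: nothing below is inspectable here
        result.update(dtls=True, inner_src=None, inner_dst=None)
        return result
    word = int.from_bytes(capwap[1:4], "big")
    hlen = ((word >> 19) & 0x1F) * 4
    wbid = (word >> 9) & 0x1F
    native = (word >> 8) & 1
    if wbid != WBID_IEEE80211 or native != 1:
        raise ValueError("CAPWAP payload is not a native 802.11 frame")
    if len(capwap) < hlen:
        raise ValueError("truncated CAPWAP header")
    dot11 = capwap[hlen:]
    if len(dot11) < 2 or (dot11[0] >> 2) & 0x3 != 2:
        raise ValueError("inner frame is not an 802.11 data frame")
    hdr = 26 if dot11[0] & 0x80 else 24          # QoS data subtypes add a 2-byte QoS control field
    if len(dot11) < hdr + 8 + 40:
        raise ValueError("truncated 802.11/LLC/IPv6 payload")
    if dot11[hdr:hdr + 8] != LLC_SNAP_IPV6:
        raise ValueError("inner ethertype is not IPv6")
    vtcfl, _plen, next_hdr, _hlim, src, dst = struct.unpack("!IHBB16s16s", dot11[hdr + 8:hdr + 48])
    if vtcfl >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    result.update(dtls=False, inner_src=str(ipaddress.IPv6Address(src)),
                  inner_dst=str(ipaddress.IPv6Address(dst)), inner_next_header=next_hdr)
    return result


if __name__ == "__main__":
    print(decode_capwap_ipv6(build_sample_frame()))
    print(decode_capwap_ipv6(build_sample_frame(dtls=True)))
```

Fragmentation is deliberately not handled: the frag id/offset fields are zero in the sample and a fragmented CAPWAP packet would need reassembly before the 802.11 payload can be read, which is one more reason to inspect on the bridged Ethernet side rather than on the tunnel.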
IPv6 Configuration on WLC 6.X
§ Enable IPv6 on the WLAN and multicast on the WLC (screenshots)
IPv6 Client Details
§ IPv6 client details on the WLC (screenshot)
§ IPv6 client details from a dual-stack (Vista) client (screenshot)
Deploying the Cisco Unified Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs: Understanding HREAP (Hybrid REAP) AP Deployment; Understanding Branch Controller Deployment
§ Guest Access Deployment
§ Home Office Design
Branch Office Deployment: HREAP
§ Hybrid architecture
§ Single management and control point at the central site, with either centralized traffic (split MAC) or local traffic (local MAC) at the remote office across the WAN
§ HA will preserve local traffic only
[Figure: central site WLC; remote office APs across the WAN, showing the centralized traffic path and the local traffic path]
H-REAP Design Considerations
§ Some WAN limitations apply: RTT must be below 300 ms for data (100 ms for voice); minimum 500 bytes WAN MTU (with a maximum of four fragmented packets)
§ Some features are not available in standalone mode or in local switching mode: ACLs in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC). See the full list in the “H-REAP Feature Matrix”: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Configure H-REAP Mode
Step 1: Configure Access Point Mode
§ Enable H-REAP mode per AP
§ Supported APs: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500
Configure H-REAP Local Switching
Step 2: Enable Local Switching per WLAN
§ Only WLANs with “Local Switching” enabled allow local switching at the H-REAP AP
Configure H-REAP VLAN Mapping
Step 3: H-REAP Specific Configuration
§ An H-REAP AP can be connected to an access port (using the native VLAN) or to an 802.1Q trunk port
§ VLAN mapping is a per-AP configuration on the WLC, and by AP group using templates on WCS
Configure H-REAP VLAN Mapping
Step 4: Per-AP SSID to VLAN Mapping
§ Mapping of SSID to 802.1Q VLAN is done per H-REAP AP
§ Use WCS for configuration with templates
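What the four configuration steps and the design considerations above add up to for a client's traffic, as an added example (not Cisco code and not from the deck). It encodes the WAN limits (RTT below 300 ms for data and 100 ms for voice, WAN MTU of at least 500 bytes), local switching as a per-WLAN setting honoured only on an H-REAP AP, the per-AP SSID-to-VLAN mapping on a trunk port versus the native VLAN on an access port, and the standalone-mode gaps the slides list (no ACLs on locally switched traffic, no MAC/Web Auth, no PMK caching, centrally switched WLANs unavailable). The class names, auth labels, SSIDs and VLAN numbers are constructed for the example.

```python
"""Where an H-REAP AP sends a client's traffic, and what stops applying in standalone mode
(added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RTT_LIMIT_MS = {"data": 300, "voice": 100}
MIN_WAN_MTU_BYTES = 500
NEEDS_WLC_AUTH = {"webauth", "macfilter"}      # MAC/Web Auth are not available in standalone mode


@dataclass
class Wlan:
    ssid: str
    local_switching: bool
    auth: str = "psk"        # "psk", "dot1x", "webauth" or "macfilter" (labels are this example's own)
    acl: bool = False        # an ACL is applied to the WLAN on the controller


@dataclass
class HreapAp:
    name: str
    port: str                # "trunk" or "access" (native VLAN only)
    native_vlan: int
    vlan_map: Dict[str, int] = field(default_factory=dict)   # per-AP SSID -> 802.1Q VLAN
    wan_up: bool = True      # False = standalone mode (WLC unreachable)


@dataclass
class Verdict:
    served: bool
    path: str                # "central", "local" or "none"
    vlan: Optional[int]
    tagged: bool
    notes: List[str]


def wan_fit(rtt_ms: float, mtu_bytes: int, traffic: str = "data") -> List[str]:
    """Empty list when the WAN meets the H-REAP limits, otherwise the limits it violates."""
    problems = []
    if rtt_ms >= RTT_LIMIT_MS[traffic]:
        problems.append(f"RTT {rtt_ms} ms is not below {RTT_LIMIT_MS[traffic]} ms for {traffic}")
    if mtu_bytes < MIN_WAN_MTU_BYTES:
        problems.append(f"WAN MTU {mtu_bytes} is below the {MIN_WAN_MTU_BYTES}-byte minimum")
    return problems


def evaluate(ap: HreapAp, wlan: Wlan) -> Verdict:
    """Where a client's frames on `wlan` go when it associates to `ap`, and what no longer applies."""
    if not wlan.local_switching:
        if not ap.wan_up:
            return Verdict(False, "none", None, False,
                           ["centrally switched WLAN needs the WLC: down in standalone mode"])
        return Verdict(True, "central", None, False, ["client traffic is tunnelled to the WLC over CAPWAP"])
    notes: List[str] = []
    if ap.port == "trunk":
        if wlan.ssid not in ap.vlan_map:
            return Verdict(False, "none", None, False, [f"no SSID-to-VLAN mapping for {wlan.ssid} on {ap.name}"])
        vlan, tagged = ap.vlan_map[wlan.ssid], True
    else:
        vlan, tagged = ap.native_vlan, False       # access port: everything rides the native VLAN untagged
    if wlan.acl:
        notes.append("controller ACL is not enforced on locally switched traffic")
    if not ap.wan_up:
        if wlan.auth in NEEDS_WLC_AUTH:
            return Verdict(False, "none", vlan, tagged, [f"{wlan.auth} is not available in standalone mode"])
        notes.append("standalone mode: no PMK caching (OKC); new 802.1X clients need the "
                     "H-REAP group's local EAP or local RADIUS server")
    return Verdict(True, "local", vlan, tagged, notes)


if __name__ == "__main__":
    ap = HreapAp("branch-ap-1", "trunk", 1, {"Employee": 60, "Guest": 70})
    wlans = (Wlan("Employee", True, "dot1x", acl=True), Wlan("Guest", True, "webauth"), Wlan("Corp", False))
    for state in ("connected", "standalone"):
        ap.wan_up = state == "connected"
        for wlan in wlans:
            print(state, wlan.ssid, evaluate(ap, wlan))
    print("voice over a 120 ms WAN:", wan_fit(120, 1400, "voice"))
```

The two `served=False` standalone results are the ones to plan for: a branch that relies on Web Auth for guests or keeps its corporate WLAN centrally switched loses that service entirely during a WAN outage, which is the point of the “HA will preserve local traffic only” remark on the HREAP slide.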
Economies of Scale for Lean Branches: Flex 7500 Wireless Controller (new)
  Access Points: 300–2,000
  Clients: 20,000
  Branches: 500
  Access Points / Branch: 50
  Deployment Model: FlexConnect
  Form Factor: 1 RU
  IO Interface: 2x 10GE
  Upgrade Licenses: 100, 200, 500, 1K
Key differentiation:
Ø WAN tolerance: high-latency networks; WAN survivability
Ø Security: 802.1X-based port authentication
Ø Voice support: Voice CAC; OKC/CCKM
Understanding H-REAP Groups
§ The WLC supports up to 20 H-REAP groups
§ Each H-REAP group supports up to 25 H-REAP APs
§ H-REAP groups allow sharing of: CCKM fast roaming keys; local user authentication; local EAP authentication
[Figure: central site WLC; two remote sites across the WAN, H-REAP Group 1 and H-REAP Group 2]
H-REAP Groups and CCKM Keys
§ CCKM keys are stored on HREAP APs for Layer 2 fast roaming
§ The HREAP APs receive the CCKM keys from the WLC
§ If a HREAP AP boots up in standalone mode, it will not get the CCKM keys from the WLC, and fast roaming is not supported
[Figure: central site with the WLC and a RADIUS server; remote sites H-REAP Group 1 and H-REAP Group 2 across the WAN]
[Screenshots: add a new H-REAP group; add APs to the H-REAP group]
H-REAP Groups and Local EAP
§ In case of WAN failure (standalone mode), HREAP APs can act as a local EAP server
§ In a HREAP group we can store 100 usernames and act as a local EAP server
§ LEAP and EAP-FAST are the only supported EAP types in standalone mode
[Figure: central site with the WLC and a RADIUS server; remote sites H-REAP Group 1 and H-REAP Group 2 across the WAN, with the local EAP server at the remote site]
[Screenshots: add the H-REAP AP to the group and enable AP local authentication; add the username and password to be stored on the HREAP AP]
H-REAP Groups and Local RADIUS Server
§ In case of WAN failure (standalone mode), HREAP APs can authenticate against a local RADIUS server
§ Only the session-timeout RADIUS attribute (attribute 27) is supported in standalone mode
§ RADIUS accounting is not supported in standalone mode
[Figure: central site with the WLC and a RADIUS server; remote sites H-REAP Group 1 and H-REAP Group 2 across the WAN, each with a local RADIUS server]
[Screenshots: add the IP address of the remote RADIUS server in the WLC (10.20.20.12); select the remote RADIUS server details in the HREAP group of the remote site]
FlexConnect Improvements in 7.0.116
§ WAN survivability: a FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails
§ Local authentication: allows the authentication capability to exist directly at the FlexConnect AP instead of at the WLC
§ Improved scale: maximum HREAP groups increased to 500 (7500) and 100 (5500); APs per group: 50 (7500) and 25 (5500)
§ Fast roaming in remote branches: Opportunistic Key Caching (OKC) between APs in a branch
Flex 7500 vs. 5500/WiSM2 (FlexConnect / H-REAP)
                              Flex 7500     5500/WiSM2
APs managed                   2,000         500/500
Clients supported             20,000        7,000/10,000
Number of H-REAP groups       500           100
APs per H-REAP group          50            25
Number of AP groups           500           500
APs per RRM group             4,000         1,000
WLANs                         512           512
WLANs per H-REAP group        16            16
Controller Portfolio: Comprehensive Solution for All Segments
[Figure: features/performance versus scale; campus and full-service branch: WiSM2 (new), 5500, 2500 (new); lean branch: WLCM2 (new)]
Cisco WLAN Solution Components
[Figure: management (WCS), mobility services, controllers (WLC), access points]
Branch Office WLAN Controller Options
[Figure: headquarters (WCS, e-mail) connected over MPLS / ATM / Frame Relay or Internet VPN to a branch office and a small office]
§ Appliance controllers: Cisco 2504-12 (branch office: 100–500 users, 5–25 APs); Cisco 5508-12, 5508-25
§ Integrated controller: WLAN controller module (WLCM-2) for ISR G2 (small office: 20–100 users, 1–5 APs)
§ Cisco Unified Wireless Network with a controller-based branch (Cisco 2504 or WLCM-2)
§ Multiple integrated WAN options on the ISR
§ Consistent branch-HQ services, features, and performance
§ Standardized branch configuration extends the unified wired and wireless network
§ Branch configuration management from the central WCS
** AP count varies depending on channel utilization and data rates
When to Choose WLC 2504?
§ The WLC 2504 should be used in the branch, rather than the HREAP solution, for the following reasons:
• If you need a cookie-cutter configuration for every branch site
• If you need Layer-3 roaming in the branch site
• If you need VideoStream technology in the branch site
• If you need to implement VLAN Select in the branch site
• If you need to implement static IP mobility in the branch site
• If you need to implement ACLs in the branch site
• If you need to implement peer-to-peer blocking in the branch site
• If you want WGB support in the branch site
• If you want MESH AP support in the branch site
Guest Access Deployment: WLAN Controller Deployments with EoIP Tunnel
§ Up to 71 EoIP tunnels are used to logically segment and transport the guest traffic between remote and anchor controllers
§ Other traffic (employee traffic, for example) is still locally bridged at the remote controller on the corresponding VLAN
§ No need to define the guest VLANs on the switches connected to the remote controllers
§ The original guest Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels
§ Redundant EoIP tunnels to the anchor WLC
§ 2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)
[Figure: guest client and AP, CAPWAP to the wireless LAN controller, EoIP “guest tunnel” to the anchor wireless controller in the Internet DMZ behind a Cisco ASA firewall]
Guest Access Deployment with 7.0.116
[Figure: foreign WLCs in the campus core, each with wireless VLANs / interface groups (Wireless VLAN-1/WLAN A, VLAN2/WLAN A, VLAN3/WLAN A, VLAN-4/WLAN A) and DHCP servers in the core with VLAN DHCP scopes, carrying secure traffic locally; EtherIP “guest tunnels” from the foreign WLCs to Anchor1 and Anchor2 in the Internet DMZ, with DHCP servers in the DMZ with VLAN DHCP scopes and ACS/ISE]
Interface Group and Auto Anchor Mobility Using 7.0.116
§ Clients joining a foreign WLC that are exported to an anchor WLC and mapped to an interface group get an IP address in round-robin fashion from inside the interface group
§ Clients joining a foreign WLC that are exported to an anchor WLC and mapped to a single interface get an IP address from that interface only
§ Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured are able to maintain their IP address
Interface Group and Auto Anchor Mobility Using 7.0.116
Configure subnet/address assignment based on the foreign site/location in a guest anchor setup; the command is:
§ CLI: config wlan mobility foreign-map add < mac address >
§ GUI: a new option is created under WLAN: “Foreign Maps”
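The address-assignment behaviour of the two auto-anchor slides above, as an added example (not WLC code and not from the deck): a client exported from a foreign WLC to the anchor gets its interface round-robin from the interface group the guest WLAN maps to (or always the same interface when the WLAN maps to a single one); a foreign map can pick a different target per foreign controller; and a client that roams between foreign WLCs anchored on the same controller keeps its address. The full syntax of the foreign-map command is not modelled beyond what the slide shows; controller names, interface names and MAC addresses are constructed.

```python
"""Guest-anchor address assignment with interface groups and foreign maps
(added example, not WLC code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class InterfaceGroup:
    name: str
    interfaces: List[str]
    _cursor: int = 0

    def next_interface(self) -> str:
        """Round-robin over the member interfaces (one subnet each)."""
        iface = self.interfaces[self._cursor % len(self.interfaces)]
        self._cursor += 1
        return iface


Target = Union[str, InterfaceGroup]   # a single dynamic interface name, or an interface group


@dataclass
class AnchorWlc:
    name: str
    wlan_target: Target                                           # the guest WLAN's mapping on the anchor
    foreign_map: Dict[str, Target] = field(default_factory=dict)  # foreign WLC -> override target
    sessions: Dict[str, dict] = field(default_factory=dict)       # client MAC -> {"interface", "foreign"}

    def client_joins(self, client_mac: str, foreign_wlc: str) -> str:
        """Called when a foreign WLC exports the client over its EoIP tunnel; returns the interface."""
        session = self.sessions.get(client_mac)
        if session is not None:
            # roam between foreign controllers on this anchor: same session, same address
            session["foreign"] = foreign_wlc
            return session["interface"]
        target = self.foreign_map.get(foreign_wlc, self.wlan_target)
        iface = target.next_interface() if isinstance(target, InterfaceGroup) else target
        self.sessions[client_mac] = {"interface": iface, "foreign": foreign_wlc}
        return iface

    def client_leaves(self, client_mac: str) -> None:
        """Session torn down (deauthentication or idle timeout); a later join is allocated afresh."""
        self.sessions.pop(client_mac, None)


if __name__ == "__main__":
    anchor = AnchorWlc("Anchor1", InterfaceGroup("guest-ig", ["guest-vlan-1", "guest-vlan-2"]))
    print(anchor.client_joins("00:11:22:33:44:01", "Foreign-1"))   # guest-vlan-1
    print(anchor.client_joins("00:11:22:33:44:02", "Foreign-1"))   # guest-vlan-2
    print(anchor.client_joins("00:11:22:33:44:01", "Foreign-2"))   # guest-vlan-1, kept across the roam
```

The session table keyed on the client MAC is what makes the roam transparent; it is also why the anchor, not the foreign controller, is the place to look when a guest's address or VLAN needs to be traced back to a site.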
Home Office Design: OEAP AP
§ A Cisco controller (WLC 5508/WiSM-2) is installed in the DMZ of the corporate network
§ An OfficeExtend AP (OEAP) is installed at the teleworker’s home
§ Corporate access for the employee over a centrally configured SSID
§ Family Internet access over a locally configured SSID
[Figure: headquarters with WLC 5508/WiSM-2, WCS and e-mail; MPLS / ATM / Frame Relay WAN; Internet VPN to the OEAP at the teleworker’s home]
OEAP 600
§ 802.11n AP with dual concurrent 2.4 GHz and 5 GHz radios for the teleworker home
§ 4 local Ethernet ports: 1 corporate-bound port, 3 for local Ethernet devices
§ Up to 4 clients behind the corporate port
§ Corporate SSID and user-configurable personal SSID
§ Traffic segmenting supported (corporate vs. personal traffic)
§ Local DHCP and NAT support
§ Control and data plane encryption
§ 802.1X and MAC filtering support
§ Can be pre-provisioned by IT (batch setup, zero touch for the end user) or locally provisioned by the end user
§ Easy GUI setup with the corporate SSID ready in minutes
§ Desktop (horizontal) or cradle (vertical) orientation
§ Supported by all WLC 5508, 2500 and WiSM2 platforms and WCS
§ Hardware limited lifetime warranty
User Configuration: Easy Setup
Two setup options are available: 1) zero touch (IT staged), or 2) user configured (controller IP address entry; the controller needs an Internet-routable IP address)
Sample Screen Shots: Login
§ The default DHCP scope of the OEAP is 10.0.0.X, so browse to https://10.0.0.1 from a device on port 1, 2 or 3 to get the admin page of the OEAP
Home Office Design
Cisco Virtual Office Express Architecture: Simplified Head-End VPN
[Figure: SOHO Cisco 800 or 1800 spoke routers; head-end Cisco ISR (2800/3800) or Cisco 7206 VXR with VSA, or WLC; corporate network]
§ Simplified head-end VPN design
§ Cisco Enhanced Easy VPN with advanced QoS integration provides secure transport, facilitating voice and video applications (with the option of per-SA QoS)
§ Multiple options for the head-end to allow for a large concentration of sites with high throughput
§ Remote site presence: Cisco 870, 880, 890, or 1800 series ISR and Cisco Unified IP Phones 7900 series
§ Head-end presence: 2800, 3800, 7200, or ASR series
§ Head-end (optional): wireless LAN controller, WCS, configuration engine
Cisco Unified Wireless Network: Flexible, Resilient, Scalable Architecture
[Figure: unified outdoor/indoor access, highly distributed design. Access network: 3750G unified WLC (enterprise Hybrid REAP, distributed WLC design). Distribution network: 440x, 5508 WLC, WiSM unified WLC. Network core or data center: 440x, 5508 WLC, WiSM unified WLC (centralized WLC design). Teleworker/SOHO: OfficeExtend AP over the Internet. DMZ guest controller: 440x, 5508 WLC. Branch office: unified WLC options 5508, 440x, 210x, 3750G unified WLC, WLCM module; Hybrid REAP standalone AP. Unified management: Wireless Control System; services platform: Mobility Services Engine]
Summary – Key Takeaways
§ Take advantage of the standards (CAPWAP, DTLS, 802.11i, 802.11e, 802.11k, 802.11r, …)
§ Wide range of architecture / design choices
§ Brand new controller portfolio (WiSM-2, WLC 7500, WLC 2504) with investment protection
§ Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
§ Cisco’s investment into technology: NCS, ISE, new hardware, cloud controller, Cius
Documentation
§ Aironet 600 Series OEAP Access Point Configuration Guide: http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml
§ Wireless Services Module 2 (WiSM2) Deployment Guide: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
§ Flex 7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
§ Wireless LAN (WLAN) Configuration Examples and TechNotes: http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
§ H-REAP Deployment Guide: http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
§ VLAN Select Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml