Design and Deployment of Enterprise Wirlesss Networks

6,476 views
6,261 views

Published on

Learn everything you need to know about designing and deploying Cisco wireless networks for enterprise in this in-depth technical guide. Learn More: http://www.cisco.com/go/wireless

Published in: Technology, Education

Design and Deployment of Enterprise Wirlesss Networks

  1. 1. Design and Deployment ofEnterprise WLANsBRKEWN-2010Sujit Ghosh, CCIE #7204Manager, Technical MarketingWireless Networking Business Unit BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
  2. 2. Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
  3. 3. Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
  4. 4. Understanding WLAN Controllers1st/2nd Generation vs. 3rd Generation Approach 1st/2nd Generation§  1st/2nd generation: APs act as 802.1Q translational Data VLAN bridge, putting client traffic on local VLANs Management VLAN§  3rd generation: Controller bridges client traffic centrally Voice VLAN 3rd Generation Data VLAN Management VLAN LWAPP/CAPWAP Tunnel Voice VLANBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
  5. 5. Centralized Wireless LAN Architecture What Is CAPWAP? §  CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller and based on LWAPP §  CAPWAP carries control and data traffic between the two Control plane is DTLS encrypted Data plane is DTLS encrypted (optional) §  LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless Business §  CAPWAP is not supported on Layer 2 mode deployment Application Data Plane Access Point CAPWAP ControllerWi-Fi Client Control Plane BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
  6. 6. CAPWAP ModesSplit MAC§  The CAPWAP protocol supports two modes of operation Split MAC (centralized mode) Local MAC (H-REAP)§  Split MAC Wireless Frame Wireless Phy CAPWAP MAC Sublayer Data Plane 802.3 FrameSTA WTP ACBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
  7. 7. CAPWAP ModesLocal MAC§  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames§  Locally bridged Wireless Frame Wireless Phy MAC Sublayer 802.3 FrameSTA WTP ACBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
  8. 8. CAPWAP ModesLocal MAC§  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames§  Tunneled as 802.3 frames Wireless Frame 802.3 Frame Wireless Phy CAPWAP MAC Sublayer Data Plane 802.3 FrameSTA WTP AC§  Tunneled local MAC is not supported by Cisco§  H-REAP support locally bridged MAC and split MAC per SSIDBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
  9. 9. CAPWAP State Machine AP Boots UP Reset Discovery Image Data DTLS Setup Run Join ConfigBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
  10. 10. AP Controller DiscoveryController Discovery Order§  Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs) Broadcast message sent to discover controller on a local subnet§  Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails Previously learned or primed controllers Subnet broadcast DHCP option 43 DNS lookupBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
  11. 11. AP Controller Discovery: DHCP Option DHCP Server DHCP Offer 1 DHCP Request 2 DHCP Offer Contains Layer 3 CAPWAP Option 43 for Controller Discovery Request Broadcast 3 Layer 3 CAPWAP Discovery ResponsesBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
  12. 12. AP Controller Discovery: DNS Option DNS Server DHCP Server CISCO-CAPWAP-CONTROLLER.localdomain DHCP Request 192.168.1.2 2 1 DHCP Offer192.168.1.2 3 DHCP Offer Contains DNS Server or Servers 4BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
  13. 13. WLAN Controller Selection Algorithm§  CAPWAP Discovery Response contains important information from the WLAN Controller Controller name, controller type, controller AP capacity, current AP load, “Master Controller” status, and AP Manager IP address or addresses§  AP selects a controller to join using the following decision criteria 1.  Attempt to join a WLAN Controller configured as a “Master” controller 2.  Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name 3.  Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)§  Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamicBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
  14. 14. CAPWAP Control Messagesfor Join Process§  CAPWAP Join Request: AP sends this messages to selected controller (sent to AP Manager Interface IP address) CAPWAP Join Request§  CAPWAP Join Response: If controller validates AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller CAPWAP Join ResponseBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
  15. 15. Configuration PhaseFirmware and Configuration Download§  Firmware is downloaded by the Cisco WLAN Controller AP from the WLC Firmware downloaded only if needed, Configuration Download AP reboots after the download Firmware Download Firmware digitally signed by Cisco LWAPP-L3§  Network configuration is downloaded by the AP from the WLC Configuration is encrypted in the CAPWAP tunnel Configuration is applied Access PointsBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
  16. 16. 4.2, 6.0, 7.0? Which Version Should I Use? §  WLC 5508 supports 6.0, 7.0.98 and 7.0.116 §  WLC7500, WiSM-2 and WLC2504 only supported in 7.0.116 §  6.0.202 is the latest MD §  7.0.116 will be tested for AssureWave (Blue Ribbon) §  Please note the current revision of 7.0- 7.0.116.0 which is the recommended one for you today BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
  17. 17. Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
  18. 18. Mobility Defined§  Mobility is a key reason for wireless networks§  Mobility means the end-user device is capable of moving location in the networked environment§  Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!§  Mobility presents new challenges: Need to scale the architecture to support client roaming— roaming can occur intra-controller and inter-controller Need to support client roaming that is seamless (fast) and preserves securityBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
  19. 19. Scaling the Architecturewith Mobility Groups§  Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries§  APs learn the IPs of the other members of the mobility group after the LWAPP Join process Controller-B MAC: AA:AA:AA:AA:AA:02 Mobility Group Name: MyMobilityGroup§  Support for up to Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01 24 controllers, Controller-C, AA:AA:AA:AA:AA:03 Controller-A MAC: AA:AA:AA:AA:AA:01 3600 APs per Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: mobility group Ethernet in IP Tunnel Controller-B, AA:AA:AA:AA:AA:02 Controller-C, AA:AA:AA:AA:AA:03§  Mobility messages exchanged between Controller-C MAC: AA:AA:AA:AA:AA:03 controllers Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01 Controller-B, AA:AA:AA:AA:AA:02§  Data tunneled between controllers in EtherIP (RFC 3378) Mobility MessagesBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
  20. 20. Increased Mobility Scalability§  Roaming is supported across three mobility groups (3 * 24 = 72 controllers)§  With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 and 6.0.188 and 7.0 Mobility Sub-Domain 1 Ethernet in IP Tunnel Mobility Sub-Domain 3 Ethernet in IP Tunnel Mobility Sub-Domain 2 Ethernet in IP Tunnel Mobility MessagesBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
  21. 21. How Long Does an STA Roam Take?§  Time it takes for: Client to disassociate + Probe for and select a new AP + 802.11 Association + 802.1X/EAP Authentication + Rekeying + IP address (re) acquisition§  All this can be on the order of seconds… Can we make this faster?BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
  22. 22. Roaming Requirements§  Roaming must be fast … Latency can be introduced by: Client channel scanning and AP selection algorithms Re-authentication of client device and re-keying Refreshing of IP address§  Roaming must maintain security Open auth, static WEP—session continues on new AP WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes 802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re- authenticated and new session key derived for encryptionBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
  23. 23. How Are We Going to Make RoamingFaster?Focus on Where We Can Have the Biggest Impact§  Eliminating the (re)IP address acquisition challenge§  Eliminating full 802.1X/EAP reauthenticationBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
  24. 24. Intra-Controller Roaming: Layer 2 VLAN X WLC-1 Client Client Data WLC-2 Client Database (MAC, IP, Database QoS, §  Intra-Controller roam Security) happens when an APWLC-1 Mobility Message WLC- moves association 2 between APs joined to Exchange the same controller Preroaming §  Client must be re- Data Path authenticated and new security session established BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
  25. 25. Intra-Controller Roaming: Layer 2 (Cont.) VLAN X WLC-1 Client Client Data WLC-2 Client Database (MAC, IP, Database QoS, Security)WLC-1 WLC-2 Mobility Message Exchange Roaming Data Path §  Client database entry with new AP and appropriate security context §  No IP address refresh Client Roams to needed a Different AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
  26. 26. Intra-Controller Roaming: Layer 3 VLAN X VLAN Z WLC-1 Client Client Data Client Data WLC-2 Client Database (MAC, IP, QoS, (MAC, IP, Database Security) QoS, Security)WLC-1 WLC-2 Mobility Message Exchange Preroaming Data Path BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
  27. 27. Client Roaming Between Subnets: Layer 3 (Cont.) VLAN X VLAN Z WLC-1 Client Client Data Client Data WLC-2 Client Database (MAC, IP, QoS, (MAC, IP, Database Security) QoS, Security) Mobility Message ExchangeWLC-1 WLC-2 Anchor Foreign Controller Data Tunnel Controller Preroaming Data Path Client Roams to a Different AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
  28. 28. Static IP Mobility with 7.0.116 VLAN X VLAN Z WLC-1 Client WLC-2 Client Mobility Database Database Mobility Client Data Client Data Group-1 (MAC, IP, QoS, (MAC, IP, QoS, Group-2 Security) Security) WLC-1 Mobility Message Exchange WLC-2 Anchor Encrypted Data Tunnel Foreign Controller Controller Pre Roaming Data Path Client with Static IPClient with Static IP on on VLAN XVLAN X Dis-Associates Associates onfrom This AP This AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
  29. 29. Static IP Mobility with 7.0.116 GUI Configuration BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
  30. 30. Roaming: Inter-ControllerLayer 3§  L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets§  Client must be re-authenticated and new security session established§  Client database entry copied to new controller – entry exists in both WLC client DBs§  Original controller tagged as the “anchor”, new controller tagged as the “foreign”§  WLCs must be in same mobility group or domain§  No IP address refresh needed§  Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0 release§  Account for mobility message exchange in network designBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
  31. 31. How Are We Going to Make RoamingFaster?Focus on Where We Can Have the Biggest Impactü Eliminating the (re)IP address acquisition challenge§  Eliminating full 802.1X/EAP reauthenticationBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
  32. 32. Fast Secure Roaming Standard Wi-Fi Secure Roaming §  802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms §  802.1X authentication in wireless today WAN requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam Cisco AAA Server (ACS or ISE) 1. 802.1X Initial Authentication AP2 Transaction AP12. 802.1X Reauthenti- cation After Roaming Note: Mechanism Is Needed to Centralize Key Distribution BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
  33. 33. Cisco Centralized Key Management(CCKM)§  Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially with application specific devices (ASDs)§  CCKM originally a core feature of the “Structured Wireless Aware Network” (SWAN) architecture§  CCKM ported to CUWN architecture in 3.2 release§  In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!§  CCKM is most widely implemented in ASDs, especially VoWLAN devices§  To work across WLCs, WLCs must be in the same mobility group§  CCX-based laptops may not fully support CCKM – depends on supplicant capabilities§  CCKM is standardized in 802.11R, but no clients available yetBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
  34. 34. Fast Secure RoamingWPA2/802.11i Pairwise Master Key (PMK) Caching§  WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients§  From the 802.11i specification: Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later When a STA is (re-)associates to an AP, it may attach a list of PMK IDs (which were derived via dot1x process with this AP before) in the (re)association request frame When PMK ID exists, AP can use them to retrieve PMK record from its own PMK cache, if PMK is found, and matches the STA MAC address; AP can bypass dot1x authentication process, and directly starts WPA2 four-way key handshake session with the STA PMK cache records will be kept for one hour for non-associated STAsBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
  35. 35. OKC/PKCKey Data Points§  Requires client/supplicant support§  Supported in Windows since XP SP2§  Many ASDs support OKC and/or PKC§  Check on client support for TKIP vs. CCMP – mostly CCMP only§  Enabled by default on WLCs with WPAv2§  Requires WLCs to be in the same mobility group§  Important design note: pre-positioning of roaming clients consumes spots in client DB§  In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
  36. 36. How Long Does a Client ReallyTake to Roam?§  Time to roam = Client to disassociate + Probe for and select a new AP + 802.11 Association + Mobility message exchange between WLCs + Reauthentication + Rekeying + IP address (re) acquisition§  Network latency will have an impact on these times – consideration for controller placement§  With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may varyBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
  37. 37. How Often Do Clients Roam?§  It depends… types of clients and applications§  Most client devices are designed to be “nomadic” rather than “mobile”, though proliferation of small form factor, “smart” devices will probably change this…§  Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly§  Design rule of thumb: 10-20 roams per second for every 5000 clientsBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
  38. 38. Designing a Mobility Group/DomainDesign Considerations§  Less roaming is better – clients and apps are happier§  While clients are authenticating/roaming, WLC CPU is doing the processing – not as much of a big deal for 5508 which has dedicated management/control processor§  L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size§  Leverage natural roaming domain boundaries§  Mobility Message transport selection: multicast vs. unicast§  Make sure the right ports and protocols are allowedBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
  39. 39. Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
  40. 40. CUWN 7.0.116 ReleaseKey Controller FeaturesDevice Support Local-Mode Features Flexconnect FeaturesWLC-WiSM2 wIPS ELM Scale and GroupsWLC-7500 11n Indoor Mesh Local AuthWLC-2500 2.4 GHz Backhaul Fault ToleranceWLCM-2 VLAN Select Opportunistic Key CachingAP600 / AP1550 FIPSOthersClient Limit on WLAN Encrypting Neighbor PacketsIncreased RF Group Scalability Rogue Containment EnhancementRF Group Leader Flexibility PSB Password EnhancementsWebauth on Mac Filter Failure Static IP MobilityWeb Authentication Proxy CCX S60 Location ImprovementsDHCP Option 60 Voice Diagnostics BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
  41. 41. CUWN 7.0.116 ReleaseKey Controller FeaturesDevice Support Local-Mode Features Flexconnect FeaturesWLC-WiSM2 wIPS ELM Scale and GroupsWLC-7500 11n Indoor Mesh Local AuthWLC-2500 2.4 GHz Backhaul Fault ToleranceWLCM-2 VLAN Select Opportunistic Key CachingAP600 / AP1550 FIPSOthersClient Limit on WLAN Encrypting Neighbor PacketsIncreased RF Group Scalability Rogue Containment EnhancementRF Group Leader Flexibility PSB Password EnhancementsWebauth on Mac Filter Failure Static IP MobilityWeb Authentication Proxy CCX S60 Location ImprovementsDHCP Option 60 Voice Diagnostics BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
  42. 42. WiSM2For Cisco Catalyst 6500 Series§  Enhanced operational savings Higher scale Reduced downtime during upgrades Single controller Specifications At-a-Glance§  Higher performance Access Points 100–500 Throughput Clients 10,000 Concurrent rich-media application flows I/O 10G§  Maximize Cisco Catalyst 6000 Chassis-Level Scale 3500 APs and 70,000 Clients Series investment Supervisor and service Concurrent AP Joins 500 module refresh Number of Phy 1 Controllers Power 225WBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
  43. 43. Enterprise-Grade WLC5508 for the Campus Cisco 5500 Series Wireless Controller Key Attributes Ø Best in class performance Industry-leading encrypted throughput Ø Enhanced Operational Savings Upgrades 500 AP within minsAccess Points 12-500 Fails over 500 APs within secondsClients 7,000 Ø Enhanced rich mediaForm-Factor 1 RU performanceIO Interface 8x 1GE Ports, LAG Multiple concurrent low-latency media flowsUpgrade Licenses 25, 50,100, 250 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
  44. 44. Controller Comparison 5500 WiSM-2 Number of Access Points 12, 25, 50, 100, 250, 500 500 Throughput Up to 8 Gbps Up to 10 Gbps Clients Up to 7000 Up to 10,000 Concurrent AP Upgrades/Joins Up to 500 Up to 500 Up to 8 Cisco Catalyst 6000 Series Network I/O 1 Gbps SFPs Backplane Mobility Domain Size Up to 36,000 APs Up to 36,000 APs Number of Controllers per 1 1 Physical Device Power Consumption 125W 225WAP Count Upgrade via Licensing Yes Yes Encrypted Data Link Yes Yes Between AP and Controller OfficeExtend Solution Yes Yes BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
  45. 45. Cost Effective Entry Level Controllers2500 Wireless Controller New Key Attributes Ø  Ability to scale the network as you grow with licensingAccess Points 5-50 Ø  Part of a PCI certifiedClients 500 architectureThroughput 500 Mbps Ø Ability to support variousDeployment Model Local and deployment modes FlexConnectForm Factor DesktopIO Interface 4x 1GEUpgrade Licenses 5, 25 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
  46. 46. Wireless Controller on ISR G2/SRE NewAccess Points ISM: 5-10 SM: 5-50 Key AttributesClients 500 • Single Box for branch servicesThroughput 500 Mbps • Consistency of functionality andDeployment Model Local and FlexConnect management with controllersForm Factor SRE (ISM/SM)Upgrade Licenses 5, 25Device Supported 1941, 2900 and 3900On Series ISR G2 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
  47. 47. CleanAir Access Point Detect and Classify Locate Mitigate A System-Wide Feature that Uses Silicon-Level Intelligence to Cisco Automatically Mitigate the Impact of Wireless Interference, Optimize CleanAir Network Performance, and Reduce Troubleshooting Costs BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
  48. 48. What Is CleanAir? Detect and Classify 97 100 §  Uniquely identify and 63 track multiple 90 interferers 20 §  Assess unique impact 35 to Wi-Fi performance §  Monitor air quality High-Resolution Interference Detection and Classification Logic Cisco Built in to Cisco’s 802.11n Wi-Fi Chip Design; Inline OperationCleanAir with no CPU or Performance Impact BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
  49. 49. What Is CleanAir? Locate Mitigate WCS, MSE Wireless LAN Controller POOR GOOD§  Classification processed on access point§  Interference impact and Maintain Air Quality data sent to WLC for real-time action§  WCS and MSE store Visualize and Troubleshoot CH 1 CH 11 data for location, history, and troubleshooting Cisco Cisco CleanAir Technology Integrates Interference InformationCleanAir from the AP into the Entire System BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
  50. 50. Access Points Portfolio Teleworker 11n 11n + CleanAir Limited Lifetime Hardware Warranty 1260 3500eRuggedized New 1040 1140 3500i 600Carpeted BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
  51. 51. New 2x3 MIMO 11n Speed Provide Higher Coverage and Throughput CleanAir and ClientLink Technology Avoids Interference, Delivers Stronger Signals to Clients Flexible Deployment Access or Mesh Network, Fiber, UTP or Wireless BackhaulBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
  52. 52. Cisco Aironet 1550 Series Outdoor AP §  2 Radios 2.4/5 GHz §  2 Tx, 3 Rx §  MIMO, 2 SS §  3x Dual-Band Ant. 1552E 1552H 1552C 1552I2.4 GHz 802.11 b/g/n 802.11b/g/n 802.11b/g/n 802.11b/g/n 5 GHz 802.11 a/n 802.11a/n 802. 11a/n 802.11a/n Type Standard Hazardous Loc. Cable Modem StandardAntenna External External Integrated IntegratedMIMO Multiple-In, Multiple-OutSS BRKEWN-2010 Spatial Streams © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
  53. 53. CUWN 7.0.116 ReleaseKey Controller FeaturesDevice Support Local-Mode Features Flexconnect FeaturesWLC-WiSM2 wIPS ELM Scale and GroupsWLC-7500 11n Indoor Mesh Local AuthWLC-2500 2.4 GHz Backhaul Fault ToleranceWLCM-2 VLAN Select Opportunistic Key CachingAP600/AP1550 FIPSOthersClient Limit on WLAN Encrypting Neighbor PacketsIncreased RF Group Scalability Rogue Containment EnhancementRF Group Leader Flexibility PSB Password EnhancementsWebauth on Mac Filter Failure Static IP MobilityWeb Authentication Proxy CCX S60 Location ImprovementsDHCP Option 60 Voice Diagnostics BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
  54. 54. Adaptive wIPSComponents and Functions AP Attack Detection 24x7 Scanning Over-the-Air Detection WLC Configuration wIPS AP Management MSE Alarm Archival Capture Storage Complex Attack Analysis, Forensics, Events WCS Centralized Monitoring Historic Reporting Monitoring, ReportingBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
  55. 55. Cisco Adaptive Wireless IPS with “Enhanced Local Mode(ELM)” •  Adaptive wIPS scanning in data serving access points •  Provides protection without needing a separate overlay network. •  Available as a free SW download for existing wIPS Monitor Mode customers. •  ELM supported APs: 1040, 1140, 1250, 1260 & 3500 Without ELM With ELM Data Serving Monitor Mode Single Data and WIPS AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
  56. 56. Deployment Recommendation Option A Option B Enhanced Local Mode Local Mode WIPS Monitor Mode/ CleanAir MMAP + WIPS MM WIPS Monitor Mode or CleanAir MM Turn on ELM on All APs + WIPS MM on CleanAir AP: (Including CleanAir) Recommendation – Ratio of 1:5 MMAP to Local Mode APs BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
  57. 57. TrustSec 2.0 and Identity Services Engine •  Centralized Policy ACS •  Distributed Enforcement •  AAA Services NAC Profiler •  Posture Assessment NAC •  Guest Access Services Guest •  Device Profiling Identity NAC Services •  Monitoring Manager Engine •  Troubleshooting NAC Server •  Reporting *Current NAC and ACS HardwarePlatform Is Software Upgradable to ISE BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
  58. 58. ISE Integrated Device Profiling “iPad Template” Custom Template Visibility for Wired and Simplified “Device New Device Wireless Devices Category” Policy Templates via Subscription Feeds BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
  59. 59. ISE Integrated Device Profiling §  Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication §  Employee using corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network §  Employee using personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only ISE ISE 1 EAP Authentication 4 Accept with VLAN 40 2 Accept with VLAN 30 CorporateEmployee Resources VLAN 30 CAPWAP Same-SSID 802.1Q TrunkVLAN 40 3 EAP Authentication InternetEmployee BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
  60. 60. ISE Integrated Device Profiling §  Example: VLAN 30 (Corporate access ) VLAN 40 (Internet access) Corporate Internet BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
  61. 61. ISE Integrated Device Profiling •  ISE Setup – Authorization Profiles redirect VLAN, Override ACL, CoA… Laptop Assign VLAN 30 iPad Assign VLAN 40 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
  62. 62. ISE Integrated Device Profiling § WLC CoA Setup – Pre-Auth ACL, allows ALL client traffic to ISE § WLAN – Dot1X, AAA Override and Radius NAC enabled. Permit ANY to ISE (IP Addr) BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
  63. 63. ISE Integrated Device Profiling §  RADIUS probe (information about authentication, authorization and accounting requests from Network Access §  DHCP (helper or span) §  HTTP user agent (span) Customizable Profiles BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
  64. 64. Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
  65. 65. Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
  66. 66. Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
  67. 67. Controller RedundancyDynamic§  Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers§  Results in dynamic “salt-and-pepper” design§  Design works better when controllers are “clustered” in a centralized design§  Pros Easy to deploy and configure—less upfront work APs dynamically load-balance (though never perfectly)§  Cons More intercontroller roaming Bigger operational challenges due to unpredictability Longer failover times No “fallback” option in the event of controller failure§  Cisco’s general recommendation is: Only for Layer 2 roaming§  Use deterministic redundancy instead of dynamic redundancyBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
  68. 68. Controller Redundancy Deterministic WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C §  Administrator statically assigns APs a primary, secondary, and/ or tertiary controller Assigned from controller interface (per AP) or WCS (template-based) §  Pros Predictability—easier operational management More network stabilityPrimary: WLAN-Controller-A Primary: WLAN-Controller-B Primary: WLAN-Controller-C More flexible and powerfulSecondary: WLAN-Controller-B Secondary: WLAN-Controller-C Secondary: WLAN-Controller-ATertiary: WLAN-Controller-C Tertiary: WLAN-Controller-A Tertiary: WLAN-Controller-B redundancy design options Faster failover times “Fallback” option in the case of failover §  Con More upfront planning and configuration §  This is Cisco’s recommended best practice BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
  69. 69. Controller Redundancy Architecture Resiliency Resiliency N:1 Redundancy WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C WLAN-Controller-1 APs Configured With: Primary: WLAN-Controller-1 Secondary: WLAN-Controller-BKP NOC or Data Center WLAN-Controller-BKP WLAN-Controller-2 APs Configured With: Primary: WLAN-Controller-2 Secondary: WLAN-Controller-BKP WLAN-Controller-n APs Configured With: Primary: WLAN-Controller-n Secondary: WLAN-Controller-BKPPrimary: WLAN-Controller-A Primary: WLAN-Controller-B Primary: WLAN-Controller-CSecondary: WLAN-Controller-B Secondary: WLAN-Controller-C Secondary: WLAN-Controller-ATertiary: WLAN-Controller-C Tertiary: WLAN-Controller-A Tertiary: WLAN-Controller-B N:N Redundancy N:N:1 Redundancy APs Configured With: WLAN-Controller-A APs Configured With: WLAN-Controller-A Primary: WLAN-Controller-A Primary: WLAN-Controller-A Secondary: WLAN-Controller-B Secondary: WLAN-Controller-B NOC or Data Center Tertiary: WLAN-Controller-BKP WLAN-Controller-BKP WLAN-Controller-B WLAN-Controller-B APs Configured With: APs Configured With: Primary: WLAN-Controller-B Primary: WLAN-Controller-B Secondary: WLAN-Controller-A Secondary: WLAN-Controller-A Tertiary: WLAN-Controller-BKP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
  70. 70. High Availability Using Cisco 5508 §  APs are connected to primary WLC 5508 Si Si §  In case of hardware failure of WLC 5508 §  AP’s fall back to Si Si secondary WLC Primary Secondary 5508 WLC5508 WLC5508 §  Traffic flows through the secondary WLC 5508 and primary core switchBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
  71. 71. High Availability Using WiSM:Uplink Failure on Primary Switch §  In case of uplink S N failure of the primary switch Si Si §  Standby switch Active Standby becomes the HSRP Switch HSRP Switch active HSRP New Active switch Primary WiSM HSRP Switch §  APs are still connected to primary WiSM §  Traffic flows thru the new HSRP active switchBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
  72. 72. High Availability Using WiSM-2 §  APs are connected to primary WiSM Si Si §  In case of hardware failure of primary WiSM Primary Secondary WiSM WiSM §  AP’s fall back to secondary WiSM §  Traffic flows thru the secondary WiSM and primary core switchBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
  73. 73. VSS and Cisco 5508§  Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch§  4 ports of Cisco 5508 are connected to active VSS switch§  2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch Catalyst VSS Pair§  In case of failure of primary switch traffic continues to flow through secondary switch in the VSS pair Cisco 5508 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
  74. 74. VSS and WiSM-2 Virtual Switch System (VSS) Switch-1 Switch-2 (VSS Active) (VSS Standby) Control Plane Active VSL Control Plane Standby Data Plane Active Data Plane Active Failover/State Sync VLAN FWSM Active FWSM Standby WiSM-2 Active WiSM-2 StandbyBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
  75. 75. Controller RedundancyHigh AvailabilityHigh Availability Principles Primary WLC§  AP is registered with a WLC and maintain a backup list of WLC§  AP use heartbeats to validate WLC connectivity§  AP use Primary Discovery message to validate backup WLC list§  When AP lose three heartbeats it Secondary WLC start join process to first backup WLC candidate§  Candidate Backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary§  AP do not re-initiate discovery processBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
  76. 76. Controller RedundancyHigh Availability with 7.0.116 To Accommodate Both Local and Remote Settings, There Are Configurable Options Provided, so that Administrator Can Fine Tune the Settings Based on the Requirements New Timers Old Timers-5508 Old Timers-Non-5508 Heartbeat: 1-30 Seconds 10-30 Seconds 1-30 Seconds Fast Heartbeat Timeout: 1-10 Seconds 3-10 Seconds 1-10 Seconds AP Retransmit Interval: 2-5 Seconds 3 Seconds 3 Seconds AP Retrans with FH Enabled: 3-8 Times 3 Times 3 Times AP Retrans with FH Disabled: 3-8 Times 5 Times 5 Times AP Fallback to next WLC 12 Seconds 35 Seconds 35 Seconds BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
  77. 77. AP Pre-Image Download in 7.0§  Since most CAPWAP APs can Cisco WLAN Controller download and keep more than one image of 4–5 MB each AP Joins Without Download AP Pre-image Download§  AP pre-image download allows AP to download code while it is CAPWAP-L3 operational§  Pre-Image download operation 1.  Upgrade the image on the controller 2.  Don’t reboot the controller 3.  Issue AP pre-image download command 4.  Once all AP images are downloaded 5.  Reboot the controller Access Points 6.  AP now rejoins the controller without reboot How Much Time You Save?BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
  78. 78. Configure AP Pre-Image Download§  Upgrade the image on the controller and don’t reboot§  Currently we have two images on the controller (Cisco Controller) >show boot Primary Boot Image............................... 7.0.116.0 (default) (active) Backup Boot Image................................ 7.0.98.0BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
  79. 79. Configure AP Pre-Image Download Wireless > AP > Global ConfigurationPerform Primary ImagePredownloaded on the APAP Now StartsPredownloadingAP Now Swaps ImageAfter Reboot of theControllerBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
  80. 80. Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
  81. 81. AP-GroupsDefault AP-Group§  The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group§  Default AP-Group cannot be modified§  APs with no assignment to an specific AP-Group will use the Default AP-Group§  The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups§  Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups§  WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50) WLC 4400 and WiSM (AP groups: 300), WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 (AP Groups : 500)BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
  82. 82. AP-Grouping in Campus VLAN 100 VLAN 100 VLAN 100 Access Si Si Si Si Si Si DistributionCAPWAP Core Si Si Si Si VLAN 100 / 21 Si Si Distribution Si Si Access Single WAN Data Center Internet SSID = WLC-1 WLC-2 Employee BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
  83. 83. AP-Grouping in Campus AP-Group-1 AP-Group-2 AP-Group-3 VLAN 60 /23 VLAN 70 /23 VLAN 80 /23 Access Si Si Si Si Si Si DistributionCAPWAP Core Si Si Si Si VLAN 100 VLAN 60 Si Si Distribution Si Si /21 VLAN 70 VLAN 80 Access Single WAN Data Center Internet SSID = WLC-1 WLC-2 Employee BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
  84. 84. Default AP-GroupNetwork NameDefault AP GroupOnly WLANs 1–16Will Be Added inDefault AP GroupBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
  85. 85. Multiple AP-GroupsAP Group 1AP Group 2AP Group 3BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
  86. 86. Interface-Groups7.0.116§  Interface-groups allows for a WLAN to be mapped to a single interface or multiple interfaces§  Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion§  Extends current AP group and AAA override, with multiple interfaces using interface groups§  Controllers Interface-Groups/Interfaces WiSM-2, 5508, 7500, 2500 64/64 WiSM, 4400 32/32 2100 and 2504 4/4BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
  87. 87. Interface-Grouping in Campus 7.0.116 Int-Group-1 Int-Group-2 Int-Group-3 VLAN 60 /23 VLAN 70 /23 VLAN 80 /23 VLAN 61 / 23 VLAN 71 /23 VLAN 81 /23 Access Si Si Si Si Si Si DistributionLWAPP/CAPWAP Core Si Si Si Si VLAN 100 VLAN 60 Si Si Distribution Si Si /21 VLAN 61 VLAN 70 VLAN 71 VLAN 80 VLAN 81 Access Single WAN Data Center Internet SSID = WLC-1 WLC-2 Employee BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
  88. 88. Multiple Interface-Groups 7.0.116Interface Group 1Interface Group 2Interface Group 3 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
  89. 89. Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
  90. 90. IPv6 over IPv4 Tunneling§  Prior to WLC 6.0 release, IPv6 pass-thru is only supported but no L2 security can be enabled on IPv6 WLAN§  With WLC 6.0 release, IPv6 pass-thru with Layer 2 security supported§  To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller§  IPv6 packets are tunneled over CAPWAP IPv4 tunnel§  Same WLAN can support both IPv4 and IPv6 clients§  IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN§  IPv6 is not supported with guest mobility anchor tunneling Client IPv6 Traffic Ethernet II | IPv6 Tunneled over IPv4 and Bridged to Ethernet CAPWAP Tunnel 802.11| IPv6 Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
  91. 91. IPv6 Configuration on WLC 6.X§  Enable IPv6 on the WLAN and multicast on the WLCBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
  92. 92. IPv6 Client Details§  IPv6 client details on the WLC§  IPv6 client details from dual-stack (Vista) clientBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
  93. 93. Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs Understanding HREAP (Hybrid) REAP AP Deployment Understanding Branch Controller Deployment§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
  94. 94. Branch Office DeploymentHREAP Central Site Centralized§  Hybrid architecture Traffic Centralized Traffic§  Single management and control point Centralized traffic (split MAC) Or WAN Local traffic (local MAC)§  HA will preserve local Local traffic only Traffic Remote OfficeBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
  95. 95. H-REAP Design Considerations§  Some WAN limitations apply RTT must be below 300 ms data (100 ms voice) Minimum 500 bytes WAN MTU (with maximum four fragmented packets)§  Some features are not available in standalone mode or in local switching mode ACL in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC) See full list in « H-REAP Feature Matrix » http://www.cisco.com/en/US/products/ps6366/ products_tech_note09186a0080b3690b.shtmlBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
  96. 96. Configure H-REAP ModeStep 1: Configure Access Point Mode§  Enable H-REAP mode per AP§  Supported AP: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
  97. 97. Configure H-REAP Local SwitchingStep 2: Enable Local Switching per WLAN§  Only WLAN with “Local Switching” enabled will allow local switching at the H-REAP APBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
  98. 98. Configure H-REAP VLAN MappingStep 3: H-REAP Specific Configuration§  H-REAP AP can be connected on an access port (using native VLAN) or connected to a 802.1Q trunk port§  VLAN mapping is a per AP configuration on WLC and by AP group using templates on a WCSBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
  99. 99. Configure H-REAP VLAN MappingStep 4: Per AP SSID to VLAN Mapping§  Mapping of SSID to 802.1Q VLAN is done per H-REAP AP§  Use WCS for configuration with templatesBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 99

×