Design and Deployment of Enterprise Wirlesss Networks
Upcoming SlideShare
Loading in...5
×
 

Design and Deployment of Enterprise Wirlesss Networks

on

  • 2,620 views

Learn everything you need to know about designing and deploying Cisco wireless networks for enterprise in this in-depth technical guide. Learn More: http://www.cisco.com/go/wireless

Learn everything you need to know about designing and deploying Cisco wireless networks for enterprise in this in-depth technical guide. Learn More: http://www.cisco.com/go/wireless

Statistics

Views

Total Views
2,620
Views on SlideShare
2,619
Embed Views
1

Actions

Likes
5
Downloads
376
Comments
0

1 Embed 1

http://www.linkedin.com 1

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Design and Deployment of Enterprise Wirlesss Networks Design and Deployment of Enterprise Wirlesss Networks Presentation Transcript

  • Design and Deployment ofEnterprise WLANsBRKEWN-2010Sujit Ghosh, CCIE #7204Manager, Technical MarketingWireless Networking Business Unit BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
  • Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
  • Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
  • Understanding WLAN Controllers1st/2nd Generation vs. 3rd Generation Approach 1st/2nd Generation§  1st/2nd generation: APs act as 802.1Q translational Data VLAN bridge, putting client traffic on local VLANs Management VLAN§  3rd generation: Controller bridges client traffic centrally Voice VLAN 3rd Generation Data VLAN Management VLAN LWAPP/CAPWAP Tunnel Voice VLANBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
  • Centralized Wireless LAN Architecture What Is CAPWAP? §  CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller and based on LWAPP §  CAPWAP carries control and data traffic between the two Control plane is DTLS encrypted Data plane is DTLS encrypted (optional) §  LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless Business §  CAPWAP is not supported on Layer 2 mode deployment Application Data Plane Access Point CAPWAP ControllerWi-Fi Client Control Plane BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
  • CAPWAP ModesSplit MAC§  The CAPWAP protocol supports two modes of operation Split MAC (centralized mode) Local MAC (H-REAP)§  Split MAC Wireless Frame Wireless Phy CAPWAP MAC Sublayer Data Plane 802.3 FrameSTA WTP ACBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
  • CAPWAP ModesLocal MAC§  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames§  Locally bridged Wireless Frame Wireless Phy MAC Sublayer 802.3 FrameSTA WTP ACBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
  • CAPWAP ModesLocal MAC§  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames§  Tunneled as 802.3 frames Wireless Frame 802.3 Frame Wireless Phy CAPWAP MAC Sublayer Data Plane 802.3 FrameSTA WTP AC§  Tunneled local MAC is not supported by Cisco§  H-REAP support locally bridged MAC and split MAC per SSIDBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
  • CAPWAP State Machine AP Boots UP Reset Discovery Image Data DTLS Setup Run Join ConfigBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
  • AP Controller DiscoveryController Discovery Order§  Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs) Broadcast message sent to discover controller on a local subnet§  Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails Previously learned or primed controllers Subnet broadcast DHCP option 43 DNS lookupBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
  • AP Controller Discovery: DHCP Option DHCP Server DHCP Offer 1 DHCP Request 2 DHCP Offer Contains Layer 3 CAPWAP Option 43 for Controller Discovery Request Broadcast 3 Layer 3 CAPWAP Discovery ResponsesBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
  • AP Controller Discovery: DNS Option DNS Server DHCP Server CISCO-CAPWAP-CONTROLLER.localdomain DHCP Request 192.168.1.2 2 1 DHCP Offer192.168.1.2 3 DHCP Offer Contains DNS Server or Servers 4BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
  • WLAN Controller Selection Algorithm§  CAPWAP Discovery Response contains important information from the WLAN Controller Controller name, controller type, controller AP capacity, current AP load, “Master Controller” status, and AP Manager IP address or addresses§  AP selects a controller to join using the following decision criteria 1.  Attempt to join a WLAN Controller configured as a “Master” controller 2.  Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name 3.  Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)§  Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamicBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
  • CAPWAP Control Messagesfor Join Process§  CAPWAP Join Request: AP sends this messages to selected controller (sent to AP Manager Interface IP address) CAPWAP Join Request§  CAPWAP Join Response: If controller validates AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller CAPWAP Join ResponseBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
  • Configuration PhaseFirmware and Configuration Download§  Firmware is downloaded by the Cisco WLAN Controller AP from the WLC Firmware downloaded only if needed, Configuration Download AP reboots after the download Firmware Download Firmware digitally signed by Cisco LWAPP-L3§  Network configuration is downloaded by the AP from the WLC Configuration is encrypted in the CAPWAP tunnel Configuration is applied Access PointsBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
  • 4.2, 6.0, 7.0? Which Version Should I Use? §  WLC 5508 supports 6.0, 7.0.98 and 7.0.116 §  WLC7500, WiSM-2 and WLC2504 only supported in 7.0.116 §  6.0.202 is the latest MD §  7.0.116 will be tested for AssureWave (Blue Ribbon) §  Please note the current revision of 7.0- 7.0.116.0 which is the recommended one for you today BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
  • Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
  • Mobility Defined§  Mobility is a key reason for wireless networks§  Mobility means the end-user device is capable of moving location in the networked environment§  Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!§  Mobility presents new challenges: Need to scale the architecture to support client roaming— roaming can occur intra-controller and inter-controller Need to support client roaming that is seamless (fast) and preserves securityBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
  • Scaling the Architecturewith Mobility Groups§  Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries§  APs learn the IPs of the other members of the mobility group after the LWAPP Join process Controller-B MAC: AA:AA:AA:AA:AA:02 Mobility Group Name: MyMobilityGroup§  Support for up to Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01 24 controllers, Controller-C, AA:AA:AA:AA:AA:03 Controller-A MAC: AA:AA:AA:AA:AA:01 3600 APs per Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: mobility group Ethernet in IP Tunnel Controller-B, AA:AA:AA:AA:AA:02 Controller-C, AA:AA:AA:AA:AA:03§  Mobility messages exchanged between Controller-C MAC: AA:AA:AA:AA:AA:03 controllers Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01 Controller-B, AA:AA:AA:AA:AA:02§  Data tunneled between controllers in EtherIP (RFC 3378) Mobility MessagesBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
  • Increased Mobility Scalability§  Roaming is supported across three mobility groups (3 * 24 = 72 controllers)§  With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 and 6.0.188 and 7.0 Mobility Sub-Domain 1 Ethernet in IP Tunnel Mobility Sub-Domain 3 Ethernet in IP Tunnel Mobility Sub-Domain 2 Ethernet in IP Tunnel Mobility MessagesBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
  • How Long Does an STA Roam Take?§  Time it takes for: Client to disassociate + Probe for and select a new AP + 802.11 Association + 802.1X/EAP Authentication + Rekeying + IP address (re) acquisition§  All this can be on the order of seconds… Can we make this faster?BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
  • Roaming Requirements§  Roaming must be fast … Latency can be introduced by: Client channel scanning and AP selection algorithms Re-authentication of client device and re-keying Refreshing of IP address§  Roaming must maintain security Open auth, static WEP—session continues on new AP WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes 802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re- authenticated and new session key derived for encryptionBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
  • How Are We Going to Make RoamingFaster?Focus on Where We Can Have the Biggest Impact§  Eliminating the (re)IP address acquisition challenge§  Eliminating full 802.1X/EAP reauthenticationBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
  • Intra-Controller Roaming: Layer 2 VLAN X WLC-1 Client Client Data WLC-2 Client Database (MAC, IP, Database QoS, §  Intra-Controller roam Security) happens when an APWLC-1 Mobility Message WLC- moves association 2 between APs joined to Exchange the same controller Preroaming §  Client must be re- Data Path authenticated and new security session established BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
  • Intra-Controller Roaming: Layer 2 (Cont.) VLAN X WLC-1 Client Client Data WLC-2 Client Database (MAC, IP, Database QoS, Security)WLC-1 WLC-2 Mobility Message Exchange Roaming Data Path §  Client database entry with new AP and appropriate security context §  No IP address refresh Client Roams to needed a Different AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
  • Intra-Controller Roaming: Layer 3 VLAN X VLAN Z WLC-1 Client Client Data Client Data WLC-2 Client Database (MAC, IP, QoS, (MAC, IP, Database Security) QoS, Security)WLC-1 WLC-2 Mobility Message Exchange Preroaming Data Path BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
  • Client Roaming Between Subnets: Layer 3 (Cont.) VLAN X VLAN Z WLC-1 Client Client Data Client Data WLC-2 Client Database (MAC, IP, QoS, (MAC, IP, Database Security) QoS, Security) Mobility Message ExchangeWLC-1 WLC-2 Anchor Foreign Controller Data Tunnel Controller Preroaming Data Path Client Roams to a Different AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
  • Static IP Mobility with 7.0.116 VLAN X VLAN Z WLC-1 Client WLC-2 Client Mobility Database Database Mobility Client Data Client Data Group-1 (MAC, IP, QoS, (MAC, IP, QoS, Group-2 Security) Security) WLC-1 Mobility Message Exchange WLC-2 Anchor Encrypted Data Tunnel Foreign Controller Controller Pre Roaming Data Path Client with Static IPClient with Static IP on on VLAN XVLAN X Dis-Associates Associates onfrom This AP This AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
  • Static IP Mobility with 7.0.116 GUI Configuration BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
  • Roaming: Inter-ControllerLayer 3§  L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets§  Client must be re-authenticated and new security session established§  Client database entry copied to new controller – entry exists in both WLC client DBs§  Original controller tagged as the “anchor”, new controller tagged as the “foreign”§  WLCs must be in same mobility group or domain§  No IP address refresh needed§  Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0 release§  Account for mobility message exchange in network designBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
  • How Are We Going to Make RoamingFaster?Focus on Where We Can Have the Biggest Impactü Eliminating the (re)IP address acquisition challenge§  Eliminating full 802.1X/EAP reauthenticationBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
  • Fast Secure Roaming Standard Wi-Fi Secure Roaming §  802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms §  802.1X authentication in wireless today WAN requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam Cisco AAA Server (ACS or ISE) 1. 802.1X Initial Authentication AP2 Transaction AP12. 802.1X Reauthenti- cation After Roaming Note: Mechanism Is Needed to Centralize Key Distribution BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
  • Cisco Centralized Key Management(CCKM)§  Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially with application specific devices (ASDs)§  CCKM originally a core feature of the “Structured Wireless Aware Network” (SWAN) architecture§  CCKM ported to CUWN architecture in 3.2 release§  In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!§  CCKM is most widely implemented in ASDs, especially VoWLAN devices§  To work across WLCs, WLCs must be in the same mobility group§  CCX-based laptops may not fully support CCKM – depends on supplicant capabilities§  CCKM is standardized in 802.11R, but no clients available yetBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
  • Fast Secure RoamingWPA2/802.11i Pairwise Master Key (PMK) Caching§  WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients§  From the 802.11i specification: Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later When a STA is (re-)associates to an AP, it may attach a list of PMK IDs (which were derived via dot1x process with this AP before) in the (re)association request frame When PMK ID exists, AP can use them to retrieve PMK record from its own PMK cache, if PMK is found, and matches the STA MAC address; AP can bypass dot1x authentication process, and directly starts WPA2 four-way key handshake session with the STA PMK cache records will be kept for one hour for non-associated STAsBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
  • OKC/PKCKey Data Points§  Requires client/supplicant support§  Supported in Windows since XP SP2§  Many ASDs support OKC and/or PKC§  Check on client support for TKIP vs. CCMP – mostly CCMP only§  Enabled by default on WLCs with WPAv2§  Requires WLCs to be in the same mobility group§  Important design note: pre-positioning of roaming clients consumes spots in client DB§  In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
  • How Long Does a Client ReallyTake to Roam?§  Time to roam = Client to disassociate + Probe for and select a new AP + 802.11 Association + Mobility message exchange between WLCs + Reauthentication + Rekeying + IP address (re) acquisition§  Network latency will have an impact on these times – consideration for controller placement§  With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may varyBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
  • How Often Do Clients Roam?§  It depends… types of clients and applications§  Most client devices are designed to be “nomadic” rather than “mobile”, though proliferation of small form factor, “smart” devices will probably change this…§  Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly§  Design rule of thumb: 10-20 roams per second for every 5000 clientsBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
  • Designing a Mobility Group/DomainDesign Considerations§  Less roaming is better – clients and apps are happier§  While clients are authenticating/roaming, WLC CPU is doing the processing – not as much of a big deal for 5508 which has dedicated management/control processor§  L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size§  Leverage natural roaming domain boundaries§  Mobility Message transport selection: multicast vs. unicast§  Make sure the right ports and protocols are allowedBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
  • Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
  • CUWN 7.0.116 ReleaseKey Controller FeaturesDevice Support Local-Mode Features Flexconnect FeaturesWLC-WiSM2 wIPS ELM Scale and GroupsWLC-7500 11n Indoor Mesh Local AuthWLC-2500 2.4 GHz Backhaul Fault ToleranceWLCM-2 VLAN Select Opportunistic Key CachingAP600 / AP1550 FIPSOthersClient Limit on WLAN Encrypting Neighbor PacketsIncreased RF Group Scalability Rogue Containment EnhancementRF Group Leader Flexibility PSB Password EnhancementsWebauth on Mac Filter Failure Static IP MobilityWeb Authentication Proxy CCX S60 Location ImprovementsDHCP Option 60 Voice Diagnostics BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
  • CUWN 7.0.116 ReleaseKey Controller FeaturesDevice Support Local-Mode Features Flexconnect FeaturesWLC-WiSM2 wIPS ELM Scale and GroupsWLC-7500 11n Indoor Mesh Local AuthWLC-2500 2.4 GHz Backhaul Fault ToleranceWLCM-2 VLAN Select Opportunistic Key CachingAP600 / AP1550 FIPSOthersClient Limit on WLAN Encrypting Neighbor PacketsIncreased RF Group Scalability Rogue Containment EnhancementRF Group Leader Flexibility PSB Password EnhancementsWebauth on Mac Filter Failure Static IP MobilityWeb Authentication Proxy CCX S60 Location ImprovementsDHCP Option 60 Voice Diagnostics BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
  • WiSM2For Cisco Catalyst 6500 Series§  Enhanced operational savings Higher scale Reduced downtime during upgrades Single controller Specifications At-a-Glance§  Higher performance Access Points 100–500 Throughput Clients 10,000 Concurrent rich-media application flows I/O 10G§  Maximize Cisco Catalyst 6000 Chassis-Level Scale 3500 APs and 70,000 Clients Series investment Supervisor and service Concurrent AP Joins 500 module refresh Number of Phy 1 Controllers Power 225WBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
  • Enterprise-Grade WLC5508 for the Campus Cisco 5500 Series Wireless Controller Key Attributes Ø Best in class performance Industry-leading encrypted throughput Ø Enhanced Operational Savings Upgrades 500 AP within minsAccess Points 12-500 Fails over 500 APs within secondsClients 7,000 Ø Enhanced rich mediaForm-Factor 1 RU performanceIO Interface 8x 1GE Ports, LAG Multiple concurrent low-latency media flowsUpgrade Licenses 25, 50,100, 250 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
  • Controller Comparison 5500 WiSM-2 Number of Access Points 12, 25, 50, 100, 250, 500 500 Throughput Up to 8 Gbps Up to 10 Gbps Clients Up to 7000 Up to 10,000 Concurrent AP Upgrades/Joins Up to 500 Up to 500 Up to 8 Cisco Catalyst 6000 Series Network I/O 1 Gbps SFPs Backplane Mobility Domain Size Up to 36,000 APs Up to 36,000 APs Number of Controllers per 1 1 Physical Device Power Consumption 125W 225WAP Count Upgrade via Licensing Yes Yes Encrypted Data Link Yes Yes Between AP and Controller OfficeExtend Solution Yes Yes BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
  • Cost Effective Entry Level Controllers2500 Wireless Controller New Key Attributes Ø  Ability to scale the network as you grow with licensingAccess Points 5-50 Ø  Part of a PCI certifiedClients 500 architectureThroughput 500 Mbps Ø Ability to support variousDeployment Model Local and deployment modes FlexConnectForm Factor DesktopIO Interface 4x 1GEUpgrade Licenses 5, 25 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
  • Wireless Controller on ISR G2/SRE NewAccess Points ISM: 5-10 SM: 5-50 Key AttributesClients 500 • Single Box for branch servicesThroughput 500 Mbps • Consistency of functionality andDeployment Model Local and FlexConnect management with controllersForm Factor SRE (ISM/SM)Upgrade Licenses 5, 25Device Supported 1941, 2900 and 3900On Series ISR G2 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
  • CleanAir Access Point Detect and Classify Locate Mitigate A System-Wide Feature that Uses Silicon-Level Intelligence to Cisco Automatically Mitigate the Impact of Wireless Interference, Optimize CleanAir Network Performance, and Reduce Troubleshooting Costs BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
  • What Is CleanAir? Detect and Classify 97 100 §  Uniquely identify and 63 track multiple 90 interferers 20 §  Assess unique impact 35 to Wi-Fi performance §  Monitor air quality High-Resolution Interference Detection and Classification Logic Cisco Built in to Cisco’s 802.11n Wi-Fi Chip Design; Inline OperationCleanAir with no CPU or Performance Impact BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
  • What Is CleanAir? Locate Mitigate WCS, MSE Wireless LAN Controller POOR GOOD§  Classification processed on access point§  Interference impact and Maintain Air Quality data sent to WLC for real-time action§  WCS and MSE store Visualize and Troubleshoot CH 1 CH 11 data for location, history, and troubleshooting Cisco Cisco CleanAir Technology Integrates Interference InformationCleanAir from the AP into the Entire System BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
  • Access Points Portfolio Teleworker 11n 11n + CleanAir Limited Lifetime Hardware Warranty 1260 3500eRuggedized New 1040 1140 3500i 600Carpeted BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
  • New 2x3 MIMO 11n Speed Provide Higher Coverage and Throughput CleanAir and ClientLink Technology Avoids Interference, Delivers Stronger Signals to Clients Flexible Deployment Access or Mesh Network, Fiber, UTP or Wireless BackhaulBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
  • Cisco Aironet 1550 Series Outdoor AP §  2 Radios 2.4/5 GHz §  2 Tx, 3 Rx §  MIMO, 2 SS §  3x Dual-Band Ant. 1552E 1552H 1552C 1552I2.4 GHz 802.11 b/g/n 802.11b/g/n 802.11b/g/n 802.11b/g/n 5 GHz 802.11 a/n 802.11a/n 802. 11a/n 802.11a/n Type Standard Hazardous Loc. Cable Modem StandardAntenna External External Integrated IntegratedMIMO Multiple-In, Multiple-OutSS BRKEWN-2010 Spatial Streams © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
  • CUWN 7.0.116 ReleaseKey Controller FeaturesDevice Support Local-Mode Features Flexconnect FeaturesWLC-WiSM2 wIPS ELM Scale and GroupsWLC-7500 11n Indoor Mesh Local AuthWLC-2500 2.4 GHz Backhaul Fault ToleranceWLCM-2 VLAN Select Opportunistic Key CachingAP600/AP1550 FIPSOthersClient Limit on WLAN Encrypting Neighbor PacketsIncreased RF Group Scalability Rogue Containment EnhancementRF Group Leader Flexibility PSB Password EnhancementsWebauth on Mac Filter Failure Static IP MobilityWeb Authentication Proxy CCX S60 Location ImprovementsDHCP Option 60 Voice Diagnostics BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
  • Adaptive wIPSComponents and Functions AP Attack Detection 24x7 Scanning Over-the-Air Detection WLC Configuration wIPS AP Management MSE Alarm Archival Capture Storage Complex Attack Analysis, Forensics, Events WCS Centralized Monitoring Historic Reporting Monitoring, ReportingBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
  • Cisco Adaptive Wireless IPS with “Enhanced Local Mode(ELM)” •  Adaptive wIPS scanning in data serving access points •  Provides protection without needing a separate overlay network. •  Available as a free SW download for existing wIPS Monitor Mode customers. •  ELM supported APs: 1040, 1140, 1250, 1260 & 3500 Without ELM With ELM Data Serving Monitor Mode Single Data and WIPS AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
  • Deployment Recommendation Option A Option B Enhanced Local Mode Local Mode WIPS Monitor Mode/ CleanAir MMAP + WIPS MM WIPS Monitor Mode or CleanAir MM Turn on ELM on All APs + WIPS MM on CleanAir AP: (Including CleanAir) Recommendation – Ratio of 1:5 MMAP to Local Mode APs BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
  • TrustSec 2.0 and Identity Services Engine •  Centralized Policy ACS •  Distributed Enforcement •  AAA Services NAC Profiler •  Posture Assessment NAC •  Guest Access Services Guest •  Device Profiling Identity NAC Services •  Monitoring Manager Engine •  Troubleshooting NAC Server •  Reporting *Current NAC and ACS HardwarePlatform Is Software Upgradable to ISE BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
  • ISE Integrated Device Profiling “iPad Template” Custom Template Visibility for Wired and Simplified “Device New Device Wireless Devices Category” Policy Templates via Subscription Feeds BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
  • ISE Integrated Device Profiling §  Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication §  Employee using corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network §  Employee using personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only ISE ISE 1 EAP Authentication 4 Accept with VLAN 40 2 Accept with VLAN 30 CorporateEmployee Resources VLAN 30 CAPWAP Same-SSID 802.1Q TrunkVLAN 40 3 EAP Authentication InternetEmployee BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
  • ISE Integrated Device Profiling §  Example: VLAN 30 (Corporate access ) VLAN 40 (Internet access) Corporate Internet BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
  • ISE Integrated Device Profiling •  ISE Setup – Authorization Profiles redirect VLAN, Override ACL, CoA… Laptop Assign VLAN 30 iPad Assign VLAN 40 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
  • ISE Integrated Device Profiling § WLC CoA Setup – Pre-Auth ACL, allows ALL client traffic to ISE § WLAN – Dot1X, AAA Override and Radius NAC enabled. Permit ANY to ISE (IP Addr) BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
  • ISE Integrated Device Profiling §  RADIUS probe (information about authentication, authorization and accounting requests from Network Access §  DHCP (helper or span) §  HTTP user agent (span) Customizable Profiles BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
  • Agenda§  Controller-Based Architecture Overview§  Mobility in the Cisco Unified WLAN Architecture§  Architecture Building Blocks§  Deploying the Cisco Unified Wireless ArchitectureBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
  • Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
  • Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
  • Controller RedundancyDynamic§  Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers§  Results in dynamic “salt-and-pepper” design§  Design works better when controllers are “clustered” in a centralized design§  Pros Easy to deploy and configure—less upfront work APs dynamically load-balance (though never perfectly)§  Cons More intercontroller roaming Bigger operational challenges due to unpredictability Longer failover times No “fallback” option in the event of controller failure§  Cisco’s general recommendation is: Only for Layer 2 roaming§  Use deterministic redundancy instead of dynamic redundancyBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
  • Controller Redundancy Deterministic WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C §  Administrator statically assigns APs a primary, secondary, and/ or tertiary controller Assigned from controller interface (per AP) or WCS (template-based) §  Pros Predictability—easier operational management More network stabilityPrimary: WLAN-Controller-A Primary: WLAN-Controller-B Primary: WLAN-Controller-C More flexible and powerfulSecondary: WLAN-Controller-B Secondary: WLAN-Controller-C Secondary: WLAN-Controller-ATertiary: WLAN-Controller-C Tertiary: WLAN-Controller-A Tertiary: WLAN-Controller-B redundancy design options Faster failover times “Fallback” option in the case of failover §  Con More upfront planning and configuration §  This is Cisco’s recommended best practice BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
  • Controller Redundancy Architecture Resiliency Resiliency N:1 Redundancy WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C WLAN-Controller-1 APs Configured With: Primary: WLAN-Controller-1 Secondary: WLAN-Controller-BKP NOC or Data Center WLAN-Controller-BKP WLAN-Controller-2 APs Configured With: Primary: WLAN-Controller-2 Secondary: WLAN-Controller-BKP WLAN-Controller-n APs Configured With: Primary: WLAN-Controller-n Secondary: WLAN-Controller-BKPPrimary: WLAN-Controller-A Primary: WLAN-Controller-B Primary: WLAN-Controller-CSecondary: WLAN-Controller-B Secondary: WLAN-Controller-C Secondary: WLAN-Controller-ATertiary: WLAN-Controller-C Tertiary: WLAN-Controller-A Tertiary: WLAN-Controller-B N:N Redundancy N:N:1 Redundancy APs Configured With: WLAN-Controller-A APs Configured With: WLAN-Controller-A Primary: WLAN-Controller-A Primary: WLAN-Controller-A Secondary: WLAN-Controller-B Secondary: WLAN-Controller-B NOC or Data Center Tertiary: WLAN-Controller-BKP WLAN-Controller-BKP WLAN-Controller-B WLAN-Controller-B APs Configured With: APs Configured With: Primary: WLAN-Controller-B Primary: WLAN-Controller-B Secondary: WLAN-Controller-A Secondary: WLAN-Controller-A Tertiary: WLAN-Controller-BKP BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
  • High Availability Using Cisco 5508 §  APs are connected to primary WLC 5508 Si Si §  In case of hardware failure of WLC 5508 §  AP’s fall back to Si Si secondary WLC Primary Secondary 5508 WLC5508 WLC5508 §  Traffic flows through the secondary WLC 5508 and primary core switchBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
  • High Availability Using WiSM:Uplink Failure on Primary Switch §  In case of uplink S N failure of the primary switch Si Si §  Standby switch Active Standby becomes the HSRP Switch HSRP Switch active HSRP New Active switch Primary WiSM HSRP Switch §  APs are still connected to primary WiSM §  Traffic flows thru the new HSRP active switchBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
  • High Availability Using WiSM-2 §  APs are connected to primary WiSM Si Si §  In case of hardware failure of primary WiSM Primary Secondary WiSM WiSM §  AP’s fall back to secondary WiSM §  Traffic flows thru the secondary WiSM and primary core switchBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
  • VSS and Cisco 5508§  Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch§  4 ports of Cisco 5508 are connected to active VSS switch§  2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch Catalyst VSS Pair§  In case of failure of primary switch traffic continues to flow through secondary switch in the VSS pair Cisco 5508 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
  • VSS and WiSM-2 Virtual Switch System (VSS) Switch-1 Switch-2 (VSS Active) (VSS Standby) Control Plane Active VSL Control Plane Standby Data Plane Active Data Plane Active Failover/State Sync VLAN FWSM Active FWSM Standby WiSM-2 Active WiSM-2 StandbyBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
  • Controller RedundancyHigh AvailabilityHigh Availability Principles Primary WLC§  AP is registered with a WLC and maintain a backup list of WLC§  AP use heartbeats to validate WLC connectivity§  AP use Primary Discovery message to validate backup WLC list§  When AP lose three heartbeats it Secondary WLC start join process to first backup WLC candidate§  Candidate Backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary§  AP do not re-initiate discovery processBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
  • Controller RedundancyHigh Availability with 7.0.116 To Accommodate Both Local and Remote Settings, There Are Configurable Options Provided, so that Administrator Can Fine Tune the Settings Based on the Requirements New Timers Old Timers-5508 Old Timers-Non-5508 Heartbeat: 1-30 Seconds 10-30 Seconds 1-30 Seconds Fast Heartbeat Timeout: 1-10 Seconds 3-10 Seconds 1-10 Seconds AP Retransmit Interval: 2-5 Seconds 3 Seconds 3 Seconds AP Retrans with FH Enabled: 3-8 Times 3 Times 3 Times AP Retrans with FH Disabled: 3-8 Times 5 Times 5 Times AP Fallback to next WLC 12 Seconds 35 Seconds 35 Seconds BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
  • AP Pre-Image Download in 7.0§  Since most CAPWAP APs can Cisco WLAN Controller download and keep more than one image of 4–5 MB each AP Joins Without Download AP Pre-image Download§  AP pre-image download allows AP to download code while it is CAPWAP-L3 operational§  Pre-Image download operation 1.  Upgrade the image on the controller 2.  Don’t reboot the controller 3.  Issue AP pre-image download command 4.  Once all AP images are downloaded 5.  Reboot the controller Access Points 6.  AP now rejoins the controller without reboot How Much Time You Save?BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
  • Configure AP Pre-Image Download§  Upgrade the image on the controller and don’t reboot§  Currently we have two images on the controller (Cisco Controller) >show boot Primary Boot Image............................... 7.0.116.0 (default) (active) Backup Boot Image................................ 7.0.98.0BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
  • Configure AP Pre-Image Download Wireless > AP > Global ConfigurationPerform Primary ImagePredownloaded on the APAP Now StartsPredownloadingAP Now Swaps ImageAfter Reboot of theControllerBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
  • Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
  • AP-GroupsDefault AP-Group§  The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group§  Default AP-Group cannot be modified§  APs with no assignment to an specific AP-Group will use the Default AP-Group§  The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups§  Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups§  WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50) WLC 4400 and WiSM (AP groups: 300), WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 (AP Groups : 500)BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
  • AP-Grouping in Campus VLAN 100 VLAN 100 VLAN 100 Access Si Si Si Si Si Si DistributionCAPWAP Core Si Si Si Si VLAN 100 / 21 Si Si Distribution Si Si Access Single WAN Data Center Internet SSID = WLC-1 WLC-2 Employee BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
  • AP-Grouping in Campus AP-Group-1 AP-Group-2 AP-Group-3 VLAN 60 /23 VLAN 70 /23 VLAN 80 /23 Access Si Si Si Si Si Si DistributionCAPWAP Core Si Si Si Si VLAN 100 VLAN 60 Si Si Distribution Si Si /21 VLAN 70 VLAN 80 Access Single WAN Data Center Internet SSID = WLC-1 WLC-2 Employee BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
  • Default AP-GroupNetwork NameDefault AP GroupOnly WLANs 1–16Will Be Added inDefault AP GroupBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
  • Multiple AP-GroupsAP Group 1AP Group 2AP Group 3BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
  • Interface-Groups7.0.116§  Interface-groups allows for a WLAN to be mapped to a single interface or multiple interfaces§  Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion§  Extends current AP group and AAA override, with multiple interfaces using interface groups§  Controllers Interface-Groups/Interfaces WiSM-2, 5508, 7500, 2500 64/64 WiSM, 4400 32/32 2100 and 2504 4/4BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
  • Interface-Grouping in Campus 7.0.116 Int-Group-1 Int-Group-2 Int-Group-3 VLAN 60 /23 VLAN 70 /23 VLAN 80 /23 VLAN 61 / 23 VLAN 71 /23 VLAN 81 /23 Access Si Si Si Si Si Si DistributionLWAPP/CAPWAP Core Si Si Si Si VLAN 100 VLAN 60 Si Si Distribution Si Si /21 VLAN 61 VLAN 70 VLAN 71 VLAN 80 VLAN 81 Access Single WAN Data Center Internet SSID = WLC-1 WLC-2 Employee BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
  • Multiple Interface-Groups 7.0.116Interface Group 1Interface Group 2Interface Group 3 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
  • Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
  • IPv6 over IPv4 Tunneling§  Prior to WLC 6.0 release, IPv6 pass-thru is only supported but no L2 security can be enabled on IPv6 WLAN§  With WLC 6.0 release, IPv6 pass-thru with Layer 2 security supported§  To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller§  IPv6 packets are tunneled over CAPWAP IPv4 tunnel§  Same WLAN can support both IPv4 and IPv6 clients§  IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN§  IPv6 is not supported with guest mobility anchor tunneling Client IPv6 Traffic Ethernet II | IPv6 Tunneled over IPv4 and Bridged to Ethernet CAPWAP Tunnel 802.11| IPv6 Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
  • IPv6 Configuration on WLC 6.X§  Enable IPv6 on the WLAN and multicast on the WLCBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
  • IPv6 Client Details§  IPv6 client details on the WLC§  IPv6 client details from dual-stack (Vista) clientBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
  • Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs Understanding HREAP (Hybrid) REAP AP Deployment Understanding Branch Controller Deployment§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
  • Branch Office DeploymentHREAP Central Site Centralized§  Hybrid architecture Traffic Centralized Traffic§  Single management and control point Centralized traffic (split MAC) Or WAN Local traffic (local MAC)§  HA will preserve local Local traffic only Traffic Remote OfficeBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
  • H-REAP Design Considerations§  Some WAN limitations apply RTT must be below 300 ms data (100 ms voice) Minimum 500 bytes WAN MTU (with maximum four fragmented packets)§  Some features are not available in standalone mode or in local switching mode ACL in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC) See full list in « H-REAP Feature Matrix » http://www.cisco.com/en/US/products/ps6366/ products_tech_note09186a0080b3690b.shtmlBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
  • Configure H-REAP ModeStep 1: Configure Access Point Mode§  Enable H-REAP mode per AP§  Supported AP: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
  • Configure H-REAP Local SwitchingStep 2: Enable Local Switching per WLAN§  Only WLAN with “Local Switching” enabled will allow local switching at the H-REAP APBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
  • Configure H-REAP VLAN MappingStep 3: H-REAP Specific Configuration§  H-REAP AP can be connected on an access port (using native VLAN) or connected to a 802.1Q trunk port§  VLAN mapping is a per AP configuration on WLC and by AP group using templates on a WCSBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
  • Configure H-REAP VLAN MappingStep 4: Per AP SSID to VLAN Mapping§  Mapping of SSID to 802.1Q VLAN is done per H-REAP AP§  Use WCS for configuration with templatesBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
  • Economies of Scale for Lean BranchesFlex 7500 Wireless Controller New Key Differentiation Ø  WAN Tolerance •  High Latency NetworksAccess Points 300-2,000 •  WAN SurvivabilityClients 20,000 Ø  SecurityBranches 500 802.1x based port authenticationAccess Points / Branch 50 Ø  Voice supportDeployment Model FlexConnect •  Voice CACForm Factor 1 RU •  OKC/CCKMIO Interface 2x 10GEUpgrade Licenses 100, 200, 500, 1K BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
  • Understanding H-REAP Groups§  WLC supports up to 20 H-REAP groups Central Site§  Each H-REAP group supports up to 25 H-REAP APs§  H-REAP groups allow sharing of: CCKM fast roaming keys Local user authentication Remote Site WAN Remote Site Local EAP authentication H-REAP Group 2 H-REAP Group 1BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
  • H-REAP Groups and CCKM Keys CCKM Keys§  CCKM keys are stored on HREAP Central Site APs for Layer 2 fast roaming RADIUS Server§  The HREAP APs will receive the CCKM keys from the WLC§  If a HREAP AP boots up in the standalone Remote Site WAN mode, it will not get the H-REAP Remote Site CCKM keys from the Group 1 H-REAP Group 2 WLC and fast roaming is not supportedBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
  • H-REAP Groups and CCKM KeysAdd a NewH-REAP GroupAdd APs to theH-REAP GroupBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
  • H-REAP Groups and Local EAP§  In case of WAN of failure (standalone mode) HREAP APs Central Site RADIUS Server can act like a local EAP server§  In a HREAP-Group we can store 100 usernames and act like a local EAP server§  LEAP and EAP-FAST is Remote Site WAN Remote Site the only supported EAP H-REAP Group 1 H-REAP type in standalone mode Group 2 Local EAP ServerBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
  • H-REAP Groups and Local EAPAdd the H-REAP APto the Group andEnable AP LocalAuthenticationAdd the Usernameand Password toBe Stored on theHREAP APBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
  • H-REAP Groups andLocal RADIUS Server§  In case of WAN of failure (standalone mode) HREAP APs Central Site RADIUS Server can authenticate from a local RADIUS server§  Only session-timeout RADIUS attribute (attribute 27) is supported in the RADIUS Server WAN standalone mode Remote Site H-REAP§  RADIUS accounting Group 2 is not supported in standalone mode H-REAP Group 1 Remote SiteBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 106
  • H-REAP Groups andLocal RADIUS ServerAdd IP Address of theRemote RADIUSServer in the WLC(10.20.20.12)Select the RemoteRADIUS ServerDetails in HREAPGroup of the RemoteBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
  • FlexConnect Improvements in New 7.0.116§  WAN Survivability FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails§  Local Authentication Allows for the authentication capability to exist directly at the AP in FlexConnect instead of the WLC§  Improved Scale Group Scale: Max HREAP groups increased to 500 (7500s) and 100 (5500s) APs per Group: 50 (7500s) and 25 (5500s)§  Fast Roaming in Remote Branches Opportunistic Key Caching (OKC) between APs in a branch BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
  • Flex 7500 vs. 5500/WiSM2   FlexConnect (H-REAP)   Flex 7500   5500/WiSM2  APs Managed   2,000   500/500  Clients Supported   20,000   7,000/10,000  Number of H-REAP Groups   500   100  APs per H-REAP Group   50   25  Number of AP Groups   500   500  APs per RRM Group   4,000   1,000  WLAN’s   512   512  WLAN per H-REAP Group   16   16   BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
  • Controller Portfolio Comprehensive Solution for All Segments NEW Campus and Full Service BranchFeatures/Performance WiSM2 NEW 5500 2500 NEW NEW WLCM2 Lean Branch Scale BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
  • Cisco WLAN Solution Components Management WCS Mobility Services Controllers WLCAccessPoints BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
  • Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs Understanding HREAP (Hybrid) REAP AP Deployment) Understanding Branch Controller Deployment§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 112
  • Branch Office WLAN Controller Options Number of Users: 100–500 WCS Number of APs: 5–25 E-Mail Branch MPLS Office ATM Headquarters Frame Relay§  Appliance controllers Internet VPN Small Cisco 2504-12 Office Cisco 5508-12, 5508-25§  Integrated controller Number of Users: 20–100 WLAN controller module (WLCM-2) for Number of APs: 1–5 ISR G2 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
  • Branch Office WLAN Controller Options WCS Cisco 2504 *** E-Mail Branch Office MPLS ATM Headquarters Frame Relay Small§  Cisco Unified Wireless Network with Office controller-based Internet VPN§  Multiple Integrated WAN options on ISR§  Consistent branch-HQ services, features, and performance§  Standardized branch configuration extends the unified wired and wireless network§  Branch configuration management from WLCM-2 ** central WCS **AP Count Vary Depending on Channel Utilization and Data Rates BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
  • When to Choose WLC 2504?§  WLC2504 should be used in the branch for the following reasons compared to HREAP solution: •  If you need cookie cutter configuration for every branch site •  If you need Layer-3 roaming in the branch site •  If you need VideoStream technology in the branch site •  If you need to implement VLAN Select in the branch site •  If you need to implement Static IP mobility in the branch site •  If you need to implement ACL in the branch site •  If you need to implement peer to peer blocking in the branch site •  If you want WGB support in the branch site •  If you want MESH AP support in the branch site BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 115
  • Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 116
  • Guest Access Deployment WLAN Controller Deployments with EoIP Tunnel Internet§  Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic DMZ or Anchor between remote and anchor controllers Wireless Controller§  Other traffic (employee for example) still Cisco ASA locally bridged at the remote controller on the Firewall corresponding VLAN EoIP “Guest Tunnel”§  No need to define the guest VLANs on the switches connected to the Wireless LAN Controller remote controllers§  Original guest’s Ethernet frame maintained CAPWAP across LWAPP/CAPWAP and EoIP tunnels§  Redundant EoIP tunnels to the Anchor WLC§  2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role Guest Guest BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 117
  • Guest Access Deployment with 7.0.0116 DHCP servers in DMZ DHCP servers in DMZ w/VLAN-DHCP scopes w/VLAN-DHCP scopes Internet Anchor2 Anchor1 EtherIP “Guest Campus Tunnel” EtherIP Core ACS/ISE “Guest Si Tunnel” DHCP servers in Core w/VLAN DHCP scopes Wireless WirelessWireless VLAN3/WLANA VLAN-4/WLANA WirelessVLAN-1/WLANA VLAN2/WLANA Secure Si Secure Si Foreign WLCs Wireless VLANs/Interface Gr Guest Secure Guest Secure BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 118
  • Interface Group and Auto Anchor Mobility Using 7.0.116§  Clients joining a foreign WLC which is exported to an anchor WLC and mapped to an interface group will get an IP address in round robin method inside the interface group§  Clients joining a foreign WLC which is exported to an anchor WLC and mapped to an interface will get an IP address from that interface only§  Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 119
  • Interface Group and Auto Anchor MobilityUsing 7.0.116Configure Subnet/Address Assignment Based on ForeignSite/Location in Guest Anchor Setup, Command Will Be:§  CLI: config wlan mobility foreign-map add <wlan-id> < mac address > <interface/interface group>§  GUI: A New option is created under WLAN- “Foreign Maps” BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 120
  • Deploying the Cisco UnifiedWireless Architecture§  Controller Redundancy and AP Load Balancing§  Understanding AP Groups§  IPv6 Deployment with Controllers§  Branch Office Designs§  Guest Access Deployment§  Home Office DesignsBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 121
  • Home Office DesignOEAP AP §  Cisco controller installed in the DMZ of the corporate network WLC 5508/WiSM-2E-Mail WCS §  OfficeExtend AP (OEAP) installed at teleworker’s home §  Corporate access to employee over MPLS Headquarters centrally configured SSID ATM Frame §  Family Relay Internet access over a locally configured SSID Internet VPNBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 122
  • OEAP 600§  802.11n AP with dual concurrent 2.4GHz and 5GHz radios for teleworker home§  4 local Ethernet ports§  1 Corporate-bound port, 3 for local Ethernet devices§  Up to 4 clients behind the corporate port§  Corporate SSID and user-configurable Personal SSID§  Traffic segmenting supported (corporate vs. personal traffic)§  Local DHCP and NAT support§  Control and data plane encryption BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 123
  • OEAP 600§  802.1X and MAC filtering support§  Can be pre-provisioned by IT (batch setup, zero touch for end user) or locally provisioned by end user§  Easy GUI setup with Corporate SSID ready in minutes§  Desktop (horizontal) or cradle (vertical) orientation§  Supported by all WLC 5508, 2500 and WiSM2 platforms and WCS§  Hardware Limited Lifetime Warranty BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 124
  • User Configuration – Easy SetupTwo Setup Options Available:1) Zero Touch (IT staged) or …2) User Configured (Controller IP Address Entry) Internet Routable IP Address BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 125
  • Sample Screen ShotsLogin§  Default DHCP scope of the OEAP is 10.0.0.X, so browse to https://10.0.0.1 to get the admin page of OEAP on port 1,2,3BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
  • Home Office DesignCisco Virtual Office Express Architecture §  Simplified head-end VPN design Simplified Head-End VPN §  Cisco enhanced easy VPN with advanced QoS integration provides SOHO secure transport, facilitating voice Cisco 800 or 1800 and video applications (with option of Spoke Routers per SA QoS) §  Multiple options for head-end to allow for large concentration of site and Head-End with high throughput Cisco ISR (2800/3800) or Cisco 7206 VXR with VSA or WLC §  Remote site presence: Cisco 870, 880, 890, or 1800 series ISR and Cisco Unified IP phones 7900 series §  Head-end presence: 2800, 3800, Corporate 7200, or ASR series Network §  Headend (optional): wireless LAN controller, WCS, configuration engineBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 127
  • Cisco Unified Wireless Network Flexible, Resilient, Scalable ArchitectureUnified Outdoor/Indoor Access Highly Distributed Design Access Network 3750G Unified WLC Enterprise Hybrid REAP Distributed WLC Design Distribution Network 440x, 5508 WLC, WiSM Unified WLC Teleworker/ Network Core or Data Center SOHO Centralized WLC Design 440x, 5508 WLC, WiSM Unified WLC OfficeExtend AP Internet DMZ Guest Controller 440x, 5508 WLC Branch Office Data Center Unified WLC Options: 5508, 440x, 210x 3750G Unified WLC Internet WLCM Module Hybrid REAP Unified Management: Wireless Control System Standalone AP Services Platform: Mobility Services Engine BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
  • Summary – Key Takeways §  Take advantage of the standards (CAPWAP, DTLS, 802.11 i, e, k, r…..) §  Wide range of architecture / design choices §  Brand new controller (WiSM-2, WLC 7500, WLC 2504) portfolio with investment protection §  Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc) §  Cisco’s investment into technology – NCS, ISE, New hardware, cloud controller, CiUS BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 129
  • Documentation§  Aironet 600 Series OEAP Access Point Configuration Guide http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml§  Wireless Services Module 2 (WiSM2) Deployment Guide http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml • Flex7500 Deployment guide http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml§  Wireless, LAN (WLAN) Configuration Examples and TechNotes http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html§  H-REAP Deployment Guide http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml§  VLAN Select Deployment Guide http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtmlBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 130
  • Complete Your OnlineSession Evaluation§  Receive 25 Cisco Preferred Access points for each session evaluation you complete.§  Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.§  Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.§  Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 131
  • Visit the Cisco Store for Related Titles http://theciscostores.comBRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 132
  • BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 133
  • Thank you.BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 134