Design and Deployment of Enterprise WLANs (BRKAGG-2010)

Cisco Live 2008. Source: faculty.ccc.edu/mmoizuddin/CISCO LIVE 2008/AGG/BRKAGG-2010.pdf

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public


What You Will Learn

Theory of Operations of the Cisco Unified WLAN Architecture

Lightweight Access Point Protocol (LWAPP)

WLAN Controllers (WLC)

Mobility

QoS and Multicast

Design and Deployment Guidelines for the Cisco Unified WLAN Architecture

Campus

Branch Office


What You Should Already Know

Cisco networking basics (routing and switching)

Campus network design concepts

802.11 WLAN fundamentals

RF basics

WLAN security


What We Won’t Cover

Autonomous access points and WLSE

WLAN security in depth

RF security (rogue AP detection, W-IDS)

Wireless control system (WCS)

Location-based services

Outdoor (bridging and mesh)

Marketing pitch

Roadmap

LWAPP basics (touch)


Session Agenda

Understanding the Cisco Unified Wireless Architecture

Lightweight Access Point Protocol

Understanding Mobility

Understanding QoS and Multicast

Deploying the Cisco Unified Wireless Architecture

Connecting Controllers and APs to Networks

Campus WLAN Controller Designs

Branch Office WLAN Controller Designs

Migration from Autonomous APs to the Controller-Based Architecture


Cisco’s Evolving Wireless Technology

Wireless Connectivity (2000—Present): best-in-class range/throughput, enterprise-class security, capital efficiency

Centralized WLAN Systems (2003—Present): centralized management and control, Layer 2/3 mobility, wireless IDS/IPS, hierarchical approach for scalability, voice support

Unified Wired+Wireless (2005—Future): integrated and unified security (AAA, NAC, SDN, IDS/IPS, etc.), exploding number of Wi-Fi clients (laptops, dual-mode PCS phones, video PDAs), higher-capacity, higher-density WLANs (pico cells), unified wired+wireless support for applications (voice/video, location services, AAA), extending networking outdoors (mesh, outdoor AP, etc.), enterprise scale and reliability


Wireless LAN Mobility Services

Security: automatic, 24 x 7 security and compliance monitoring for breaches via the wireless medium

Guest: guest networks for customers, partners, and auditors; vendor replenishment networks; public access networks

Voice: real-time mobile voice communications; improved collaboration via mobile unified communications; faster customer service response

Location: network access control based on user location; asset management; location-based content distribution; streamlined workflow using historical location data

Foundation: Pervasive Wireless Network


LWAPP Overview


Section Agenda

Quick Facts

LWAPP Join

Wireless LAN Controller Basics

Centralized vs. Local Switching

Mobility

Location

WCS Fundamentals

Data Delivery: Unicast/Multicast, TCP/UDP

“However Beautiful the Strategy, You Should Occasionally Look at the Results.” — Winston Churchill


Quick Facts

WLC: IPv4/IPv6; multicast/QoS; more than 5000 clients; 512 VLAN support; beyond 150 access points; 24 WLCs per mobility group; 500 rogues; RRM/AutoRF; per-WLAN DTIM support

Location: RSSI and TDOA methods; 10,000 devices; open API; multivendor RFID support

WCS: Windows 2003/Linux; 3000 access points; 40,000 events

WCS Navigator: 20 WCS managers; 30,000 access points; network-wide search capability


Section Agenda

Controller-Based Architecture Overview

Lightweight Access Point Protocol (LWAPP): Protocol Overview

LWAPP AP Discovery and Join Process

LWAPP Operations

Mobility in the Cisco Unified WLAN Architecture

QoS Implementation in LWAPP

Multicast Behavior in LWAPP

Architecture Building Blocks


The LWAPP Join State Machine (Simplified)

LWAPP defines a state machine that governs the AP and controller behavior

Major states:

Discovery—AP looks for a controller

Join—AP attempts to establish a secured relationship with a controller

Image Data—AP downloads code from controller

Config—AP receives configuration from controller

Run—AP and controller operate normally and service data

Reset—AP clears state and starts over

Note: the LWAPP/CAPWAP RFC defines other states


Central Switching vs. Local Switching

Hybrid REAP: devices that require local connectivity are locally switched onto the local VLAN at the AP

Normal LWAPP/CAPWAP data flow: central switching of all other traffic through the LWAPP tunnel to the controller

Figure: Hybrid REAP AP with a Local VLAN (locally switched) and an LWAPP tunnel to the controller carrying the Data, Voice, and Management VLANs (centrally switched)


Mobility Defined

Mobility is the “killer app” for WLANs

Mobility—end-user device is portable but still capable of being connected to networked resources

Roaming occurs when a wireless client moves association from one AP and reassociates to another

Mobility/roaming presents new challenges:

Architecture must scale to support client roaming

Client roaming must be fast and preserve security, QoS, etc.


How Clients Connect

AP handles real-time 802.11 control and management

Non-real-time 802.11 handled at controller—including association/reassociation

Controller is the 802.1X authenticator

Controller centrally stores client QoS and security context

802.11 data frames are encrypted/decrypted at the RF interface

“Action frames” are management frames as defined by 802.11

Figure: lightweight access point connected over an LWAPP tunnel (control messages and data encapsulation) across the switched/routed wired network to the wireless LAN controller, which is the ingress/egress point from/to the upstream switched/routed wired network (802.1Q trunk)


Scaling the Architecture with Mobility Groups

Controllers “peer” to support seamless campus roaming

APs learn the IPs of the other members of the mobility group after the LWAPP join process

Support for up to 24 controllers, 3600 APs per mobility group

Mobility messages exchanged between controllers

Data tunneled between controllers in EtherIP (RFC 3378)


Scaling the Architecture with Mobility List Members

Mobility lists allow controllers to peer with controllers outside their mobility group to support seamless roaming across controller mobility boundaries

Support for up to 72 controllers, 10,800 APs across mobility lists

Multicast messages are exchanged between mobility groups


Intra-Controller Roaming

An intra-controller roam happens when a client moves association between APs joined to the same controller

Client must be reauthenticated and new security session established

Controller updates client database entry with new AP and appropriate security context

No IP address refresh needed


Layer-2 Roaming—Inter-Controller

An L2 inter-controller roam happens when a client moves association between APs joined to different controllers but the client traffic is bridged onto the same subnet

Client must be reauthenticated and new security session established

Client database entry moved to new controller

No IP address refresh needed


Layer-3 Roaming—Inter-Controller

An L3 inter-controller roam happens when a client moves association between APs joined to different controllers and the client traffic is bridged onto a different subnet

Client must be reauthenticated and new security session established

Client database entry copied to new controller

Original controller tagged as the “anchor”

New controller tagged as the “foreign”

No IP address refresh needed

Asymmetric traffic path established


Layer-3 Roaming—Symmetric Mobility (4.1)

Foreign controllers will send a layer 3 roaming client’s packets back to its anchor controller through EtherIP tunneling

Source IP address of the packet will be the foreign controller’s management IP address

Upstream routers that have Reverse Path Forwarding (RPF) will forward on packets

Configurable option in software release 4.1


Roaming Requirements

Roaming must be fast… latency can be introduced by:

Client channel scanning and AP selection algorithms

Reauthentication of client device and rekeying

Refreshing of IP address

Roaming must maintain security:

Open auth, static WEP—session continues on new AP

WPA/WPAv2 personal—new session key for encryption derived via standard handshakes

802.1X, 802.11i, WPA/WPAv2 enterprise—client must be reauthenticated and new session key derived for encryption


Fast Secure Roaming

Client channel scanning and AP selection algorithms—improved via CCX features

Refreshing of IP address—irrelevant in controller-based architecture!

Reauthentication of client device and rekeying—addressed by:

Cisco centralized key management (CCKM)

Proactive key caching (PKC)


Supporting Roaming—Design Best Practices and Caveats

Minimize intercontroller roaming in your designs

Design the network for 10 msec RTT latency between controllers

Intercontroller layer-2 roaming is more efficient than layer-3 roaming

Layer-3 roaming—consider the effects of things like RPF and stateful security features in your designs

Use PKC and/or CCKM to speed up and secure roaming

Client roaming behavior—mileage varies by vendor, driver, supplicant. Look for CCXv4 feature-set.
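The roam types on the slides above (intra-controller, layer-2 and layer-3 inter-controller, the anchor/foreign roles, the 4.1 symmetric mobility option and the rekey rules from the Roaming Requirements slide), plus a check of the mobility group and mobility list limits quoted above, as one small model. This is an added example, not Cisco code; the controller names, management IPs, subnets and the client record layout are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Limits quoted on the mobility group / mobility list slides.
MAX_CONTROLLERS_PER_GROUP, MAX_APS_PER_GROUP = 24, 3600
MAX_CONTROLLERS_PER_LIST, MAX_APS_PER_LIST = 72, 10800

@dataclass
class Controller:
    name: str
    mgmt_ip: str              # management IP, the EtherIP tunnel source
    mobility_group: str
    ap_count: int = 0

@dataclass
class AccessPoint:
    name: str
    controller: Controller
    client_subnet: str        # subnet the client's WLAN is bridged onto here

@dataclass
class ClientEntry:
    mac: str
    ap: AccessPoint
    security: str             # "open", "static-wep", "wpa-personal", "802.1x"
    fast_roaming: bool = False  # CCKM or PKC usable for this client
    anchor: Optional[Controller] = None
    foreign: Optional[Controller] = None

def rekey_requirement(security: str, fast_roaming: bool) -> str:
    """Security session outcome per the Roaming Requirements slide."""
    if security in ("open", "static-wep"):
        return "session continues on new AP"
    if security == "wpa-personal":
        return "new session key derived via standard handshake"
    if fast_roaming:
        return "key derived via CCKM/PKC, full reauthentication avoided"
    return "full reauthentication and new session key"

def roam(entry: ClientEntry, new_ap: AccessPoint, symmetric: bool = False) -> dict:
    """Classify the roam and update the client database entry in place.
    rpf_safe: will the client's upstream packets pass an RPF check beyond the WLC?"""
    old_ap, new_ctl = entry.ap, new_ap.controller
    result = {"rekey": rekey_requirement(entry.security, entry.fast_roaming),
              "ip_refresh": False, "rpf_safe": True}
    if old_ap.controller is new_ctl:
        result["type"] = "intra-controller"
        result["client_db"] = "entry updated with new AP and security context"
    elif old_ap.client_subnet == new_ap.client_subnet:
        result["type"] = "layer-2 inter-controller"
        result["client_db"] = f"entry moved to {new_ctl.name}"
    else:
        result["type"] = "layer-3 inter-controller"
        result["client_db"] = f"entry copied to {new_ctl.name}"
        # The controller the entry lived on is (or stays) the anchor; the
        # controller the client is now associated through is the foreign.
        entry.anchor = entry.anchor or old_ap.controller
        entry.foreign = new_ctl
        if symmetric:
            # Release 4.1 option: the foreign sends the client's packets back
            # to the anchor in EtherIP, sourced from its own management IP.
            result["path"] = (f"symmetric: EtherIP {new_ctl.mgmt_ip} -> "
                              f"{entry.anchor.mgmt_ip}, egress at anchor")
        else:
            # The client keeps an address from the anchor's subnet but egresses
            # at the foreign, so strict RPF or stateful devices may drop it.
            result["path"] = "asymmetric: egress at foreign, return via anchor"
            result["rpf_safe"] = False
    entry.ap = new_ap
    return result

def check_mobility_limits(controllers: list) -> list:
    """Report violations of the per-group and per-list limits above."""
    problems, groups = [], {}
    for c in controllers:
        g = groups.setdefault(c.mobility_group, [0, 0])
        g[0], g[1] = g[0] + 1, g[1] + c.ap_count
    for name, (n_ctl, n_ap) in groups.items():
        if n_ctl > MAX_CONTROLLERS_PER_GROUP:
            problems.append(f"group {name}: {n_ctl} controllers")
        if n_ap > MAX_APS_PER_GROUP:
            problems.append(f"group {name}: {n_ap} APs")
    if len(controllers) > MAX_CONTROLLERS_PER_LIST:
        problems.append(f"mobility list: {len(controllers)} controllers")
    total = sum(c.ap_count for c in controllers)
    if total > MAX_APS_PER_LIST:
        problems.append(f"mobility list: {total} APs")
    return problems

# Constructed topology: three controllers in one mobility group.
WLC1, WLC2, WLC3 = (Controller(f"wlc{i}", f"10.0.0.{i}", "campus", 100) for i in (1, 2, 3))
AP1, AP2 = AccessPoint("ap1", WLC1, "10.10.1.0/24"), AccessPoint("ap2", WLC1, "10.10.1.0/24")
AP3, AP4 = AccessPoint("ap3", WLC2, "10.10.1.0/24"), AccessPoint("ap4", WLC3, "10.10.2.0/24")

def demo() -> list:
    """One 802.1X client with PKC walks through all three roam types."""
    client = ClientEntry("00:11:22:33:44:55", AP1, "802.1x", fast_roaming=True)
    return [roam(client, AP2), roam(client, AP3), roam(client, AP4)]
```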


QoS Overview

Ensures packets receive the proper QoS handling end-to-end

Makes sure packet will maintain QoS information as it traverses network

Policing of 802.11e UP / 802.1p and IP DSCP values ensures end-points conform to network QoS policies

Uses Cisco’s AVVID packet marking mappings and IEEE mappings as appropriate

Supported on Cisco 2000, 4100, and 4400 series WLAN controllers; wireless services module (WiSM); wireless LAN controller module

Supported on Cisco Aironet 1000, 1130, 1200, 1230, 1240, and 1500 series lightweight access points

Support for Cisco 7920/7921 and SpectraLink phones


QoS Description

Support for layer 3 IP-differentiated services code point (DSCP) marking of packets

WLAN data is tunneled between AP and WLAN controller via LWAPP

To maintain the original QoS classification across this tunnel, the QoS settings of the encapsulated data packet must be appropriately mapped to the layer 2 (802.1p) and layer 3 (IP DSCP) fields of the outer tunnel packet

Figure: LWAPP-encapsulated packet; the incoming 802.1p UP and inner IP DSCP are mapped to the outer 802.1p UP and outer IP DSCP of the tunnel packet


LWAPP QoS

Ensures that packets receive the proper QoS handling from end to end

Policing of 802.11e UP / 802.1p and IP DSCP values ensures that wireless endpoints conform to network QoS policies

Figure: packet markings at four points along the path from the AP, through the LWAPP tunnels over the Ethernet switches, to the WLC: 802.11e UP and DSCP on the air, outer DSCP on the LWAPP-encapsulated packet in the tunnel, and 802.1p plus DSCP on the wired side


Quality of Service (QoS) Configurable Profiles

Per-user data bandwidth contract—configurable peak and average data rate enforced in the Network Processing Unit (NPU) for non-UDP traffic

Per-user real-time bandwidth contract—configurable peak and average data rate enforced in the NPU for UDP traffic

Each level has a configurable bandwidth contract rate


Quality of Service (QoS) Configurable Profiles (Cont.)

Maximum RF usage per AP (%)—defined maximum percentage of air bandwidth given to a user level

Queue depth—defined depth of queue for a particular user level that will cause packets in excess of the defined value to be dropped

Each level has configurable air QoS rates
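The marking path described on the QoS Description, LWAPP QoS and QoS Profiles slides above, as an added example (not Cisco code): the AP polices the client's 802.11e UP against the ceiling of the WLAN's QoS profile and maps it onto the outer DSCP and 802.1p of the LWAPP tunnel packet, the WLC then writes 802.1p and DSCP on the wired side, and the reverse happens downstream. The profile ceilings, the UP/DSCP table and the DSCP cap at the WLC are assumed for illustration; the slides name the profiles and fields but not the numeric mappings.

```python
from dataclasses import dataclass

# Assumed profile ceilings: the highest 802.11e user priority (UP) a WLAN on
# that QoS profile may carry. Platinum is the voice profile in the CLI output.
PROFILE_MAX_UP = {"platinum": 6, "gold": 5, "silver": 3, "bronze": 1}

# Assumed 802.11e UP -> IP DSCP mapping used when the outer header is written.
UP_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 46, 7: 56}


def dscp_to_up(dscp: int) -> int:
    """Assumed reverse mapping: highest UP whose DSCP does not exceed dscp."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return max(up for up, d in UP_TO_DSCP.items() if d <= dscp)


def police_up(requested_up: int, profile: str) -> int:
    """Clamp a UP / 802.1p value to the profile ceiling so that endpoints
    conform to the network QoS policy (the 'policing' on the slides)."""
    if not 0 <= requested_up <= 7:
        raise ValueError("802.11e UP must be 0..7")
    return min(requested_up, PROFILE_MAX_UP[profile])


@dataclass
class AirFrame:          # 802.11 frame between client and AP
    up: int              # 802.11e / WMM user priority
    dscp: int            # IP DSCP of the client packet inside
    payload: bytes


@dataclass
class LwappPacket:       # tunnel packet between AP and WLC
    outer_dscp: int      # DSCP of the outer IP header
    outer_dot1p: int     # 802.1p of the outer Ethernet frame
    inner_dscp: int      # client packet DSCP, carried unchanged in the tunnel
    payload: bytes


@dataclass
class WiredPacket:       # packet on the 802.1Q trunk beyond the WLC
    dot1p: int
    dscp: int
    payload: bytes


def ap_upstream(frame: AirFrame, profile: str) -> LwappPacket:
    """Client -> AP -> tunnel: police the UP and copy it to the outer headers."""
    up = police_up(frame.up, profile)
    return LwappPacket(UP_TO_DSCP[up], up, frame.dscp, frame.payload)


def wlc_upstream(pkt: LwappPacket, profile: str) -> WiredPacket:
    """Tunnel -> WLC -> wired: decapsulate and tag 802.1p; the inner DSCP is
    capped at the profile's DSCP so a client cannot mark above its ceiling
    (the cap is this example's assumption about how the policy is applied)."""
    up = police_up(pkt.outer_dot1p, profile)
    return WiredPacket(up, min(pkt.inner_dscp, UP_TO_DSCP[up]), pkt.payload)


def wlc_downstream(pkt: WiredPacket, profile: str) -> LwappPacket:
    """Wired -> WLC -> tunnel: derive the tunnel marking from the wired DSCP."""
    up = police_up(dscp_to_up(pkt.dscp), profile)
    return LwappPacket(UP_TO_DSCP[up], up, pkt.dscp, pkt.payload)


def ap_downstream(pkt: LwappPacket) -> AirFrame:
    """Tunnel -> AP -> air: the outer DSCP selects the WMM queue (UP)."""
    return AirFrame(dscp_to_up(pkt.outer_dscp), pkt.inner_dscp, pkt.payload)


def upstream_markings(up: int, dscp: int, profile: str) -> tuple:
    """(outer DSCP in the tunnel, 802.1p on the wire, DSCP on the wire)
    for one client packet sent with the given UP and DSCP."""
    tunnel = ap_upstream(AirFrame(up, dscp, b"constructed payload"), profile)
    wired = wlc_upstream(tunnel, profile)
    return tunnel.outer_dscp, wired.dot1p, wired.dscp


def downstream_markings(dscp: int, profile: str) -> tuple:
    """(outer DSCP in the tunnel, UP on the air) for one wired packet."""
    tunnel = wlc_downstream(WiredPacket(0, dscp, b"constructed payload"), profile)
    return tunnel.outer_dscp, ap_downstream(tunnel).up
```

A voice client (UP 6, DSCP 46) on a Platinum WLAN keeps its markings end to end, while the same client on a Silver WLAN is held to UP 3 in both directions.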


Controller > QoS Profiles > Edit

802.1p tag is applied on the wired side to allow proper precedence to be applied to traffic across the entire network infrastructure


WLANs > Edit: WMM Options and QoS Options


Configuring Controller Web

For 7921 phone support, both AP-CAC-Limit and client CAC-Limit available as options

WMM and client CAC limit cannot be configured in the same WLAN


VoIP Phone Support

Configuration commands available from the command line. To view the Dot11-Phone Mode configuration:

(Cisco Controller) >show wlan 2

WLAN Identifier.................................. 2
Network Name (SSID).............................. WLAN2
Status........................................... Enabled
.
.
.
Quality of Service............................... Platinum (voice)
WMM.............................................. Required
802.11e.......................................... Disabled
Dot11-Phone Mode (7920).......................... ap-cac-limit
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Radio Policy..................................... 802.11B and 802.1G only
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... enabled
      Key Index:...................................... 1
      Encryption:..................................... 104-bit WEP


Multicast Delivery Method

Improved multicast performance over wireless networks

Multicast packet replication occurs only at points in the network where it is required, saving wired network bandwidth

Figure: unicast mechanism, one multicast packet in and three LWAPP unicast packets out (one per AP); multicast mechanism, one multicast packet in and one LWAPP multicast packet out to the multicast group, with the network replicating the packet as needed


Multicast Mode Selection

Multicast mode and multicast group are configured on the WLC general interface


LWAPP Stationary Client

IGMP join: the client sends an IGMP join, which travels through the access point to the wireless LAN controller (WLC). The WLC then forwards the IGMP join through the upstream switch to the PIM-enabled router.

IGMP leave: when a client gracefully leaves the multicast group, the client sends an IGMP leave through the access point to the WLC. The WLC forwards this IGMP leave through the upstream switch to the PIM-enabled router. The PIM-enabled router then sends a group-specific query for other interested clients before pruning the group from the subnet.

Figure: stationary client, or a client that never roams from the same wireless LAN controller; IGMP messages travel up from the client to the router and multicast traffic flows back down


LWAPP Stationary Client

Multicast source: if the client is the source of a multicast group, the traffic will flood across all access points on the same controller. The multicast traffic will also be forwarded upstream through the connected switch to the PIM-enabled router. The PIM-enabled router will do an RPF check before processing the packet further.

Figure: stationary client, or a client that never roams from the same wireless LAN controller, acting as the multicast source


LWAPP Roaming Client Layer 2

IGMP join: the client sends an IGMP join, which travels through the access point to the wireless LAN controller (WLC). The WLC then forwards the IGMP join through the upstream switch to the PIM-enabled router.

IGMP snooping: a switch CAM entry is created for the specific multicast group toward controller 1

Figure: the snooping switch blocks multicast traffic toward all other ports; after the layer 2 roam, a general IGMP query sent from the WLC to the client allows traffic to flow


LWAPP Layer 3 Roaming Client: Client Roaming at Layer 3 with 4.0.217

IGMP join/leave: both the initial join and the leave (if a graceful leave happens) are processed the same as any other join or leave. Once a client has roamed, neither the infrastructure nor the client is required to send a “new” join to verify that traffic follows

Multicast source: if the client is the source of the multicast group, the upstream router will drop the packet because the source address was received on the wrong interface (the RPF check fails)

Figure: after the layer 3 roam, multicast traffic toward the client is annotated “?? No audio”, and client-sourced multicast is marked dropped (X) at the upstream router


Components of Centralized Architecture

WLC: Cisco unified wireless LAN controllers aggregate WLAN client traffic and control the wireless network

APs: lightweight access points are used in all unified wireless architectures and provide client wireless access and tunneling to the WLC

WCS: Cisco wireless control system provides centralized management, RF planning and visualization tools, and location services


Cisco Compatible Extensions: The Standard for Client Advancement

http://www.cisco.com/go/ciscocompatible/wireless

Over 90% of client devices are Cisco Compatible

Features:

Assured compatibility with 400+ devices

Standards-based

Enhanced security, mobility, and performance

Supports mobility services, e.g., location and voice

Benefits:

Accelerates innovation

Supports diverse enterprise applications

Ensures multivendor interoperability

Enables simplified deployment of mobile WLAN clients


Cisco Secure Services Client

Single Client for Uniform Security and Services

Key features:

802.1X authentication for wired and wireless devices

Windows XP/2000 support

EAP: EAP-FAST, EAP-MD5, PEAP-MSCHAP, PEAP-GTC, EAP-TLS, EAP-TTLS, Cisco LEAP

Encryption: WEP, dynamic WEP, TKIP, AES

Standards: WPA and WPA2

Features:

Unified wired and wireless client

Support for industry standards

Endpoint integrity

Single sign-on capable

Enabling of group policies

Administrative control

Benefits:

Reduces client software

Simple, secure device connectivity

Minimizes chances of network compromise from infected devices

Reduces complexity

Restricts unauthorized network access

Centralized provisioning


Proven Platform for Mobile Access

Figure: access point models 1130AG, 1000, 1121BG, 1240AG, 1230AG, 1500, 1400 and 1300, grouped as indoor access points, indoor rugged access points, and outdoor access points/bridges

Access point features:

Industry’s best range and throughput

Enterprise class security

Many configuration options

Simultaneous air monitoring and traffic delivery

Wide-area networking for outdoor areas

Benefits:

Zero touch management

No dedicated air monitors

Supports all deployment scenarios (indoor and outdoor)

From secure coverage to advanced services


Cisco Unified Wireless Network: Delivering Network Unification

Figure: controller platforms by placement in the network; Wireless Integrated Services Module (WiSM) in the network core; 4400 Wireless LAN Controller at the distribution layer; Catalyst 3750G Integrated WLAN Controller at intelligent access; Wireless LAN Controller for ISR Series Routers and 2106 Wireless LAN Controller in the branch office; Hybrid Remote Edge Access Points (H-REAP) in the remote office

Lower TCO

Scalability

High Availability

Ease of Deployment

Investment Protection

Flexibility


Cisco Wireless Controller Family

Platforms and AP capacity by deployment size (figure):

Cisco 2106: 6 APs

ISR WLC Module: 6 APs, 8 - 12 APs

Cisco 4402-12: 12 APs

Cisco 4402-25: 25 APs

Cisco 3750: 25 APs

Cisco 4402-50: 50 APs

Cisco 3750: 50 APs

Cisco 4404: 100 APs

Cisco WiSM: 300 APs

Deployment size bands: >=2-6 APs, >=12 APs, >=25 APs, >=50 APs, >=100 APs, <300 APs; H-REAP for remote sites


Cisco Wireless Control System (WCS): World-Class Network Management

Features:

Client troubleshooting (via CCX)

Planning, configuration, monitoring, location, IDS/IPS, and troubleshooting

Hierarchical maps

Intuitive GUI and templates

Policy-based networking (QoS, security, RRM, etc.)

Benefits:

Lower OPEX and CAPEX

Better visibility and control of the air space

Consolidate functionality into a single management system

Determines location and voice readiness


802.11n—Yet Again Higher Rates

Extends both 802.11a and 802.11g

Both 2.4 GHz and 5 GHz

64 new bit rates up to 600 Mbps

Entirely new radio using MIMO technology

Current radios use a single Tx and Rx, implement Rx diversity

11n uses multiple Tx and Rx simultaneously, combining multiple received signals to improve quality

In working group balloting; sponsor ballot mid 2008, approval mid 2009*

Draft-11n certification launched by the WiFi Alliance (WFA) in June this year

Cisco is in the WFA Draft-11n testbed

*Always subject to change


Network Design Overview

Section Agenda

Connecting Controllers and APs to Networks

Controller Redundancy and AP Load Balancing

Campus WLAN Controller Designs

Branch Office WLAN Controller Designs

Migrating from Autonomous APs to the Controller-Based Architecture


Understanding WLAN Controllers—The WLAN Controller as a Network Device

WLAN controller:

For wireless end-user devices, the controller is an 802.1Q bridge that takes traffic off the air and puts it on a VLAN

From the perspective of the AP, the controller is an LWAPP tunnel end-point with an IP address

From the perspective of the network, it's a layer-2 device connected via one or more 802.1Q trunk interfaces

The AP connects to an access port—no concept of VLANs at the AP is necessary

(Figure: AP reaches the controller through an LWAPP tunnel; the controller trunks the Data VLAN, Voice VLAN and Management VLAN to the network)

Understanding WLAN Controllers—The WLAN Controller as a Network Device

Three Important Concepts to Understand:

Port—physical connection to a neighbor switch/router

Interface—logical connection mapping to a VLAN on the neighbor switch/router: management interface, AP manager interface(s), dynamic interface(s), virtual interface, service interface

WLAN—entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters


Initial Controller Configuration

Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
System Name [Cisco_44:36:c3]:
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (24 characters max): admin

Service Interface IP Address Configuration [none][DHCP]: <ENTER>
Enable Link Aggregation (LAG) [yes][NO]: no
Enter Port number : 1
Management Interface IP Address: 10.10.80.3
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.10.80.1
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 2]: 1
Management Interface DHCP Server IP Address: 10.10.80.1
AP Transport Mode [layer2][LAYER3]: layer3
AP Manager Interface IP Address: 10.10.80.4
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (10.10.80.1): <ENTER>
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: mobile-1
Enable Symmetric Mobility Tunneling: No
Network Name (SSID): secure-1
Allow Static IP Addresses [YES][no]: <ENTER>
Configure a RADIUS Server now? [YES][no]: <ENTER>
Enter the RADIUS Server's Address: 10.10.10.12
Enter the RADIUS Server's Port [1812]: <ENTER>
Enter the RADIUS Server's Secret: cisco
Enter Country Code (enter 'help' for a list of countries) [US]: <ENTER>
Enable 802.11b Network [YES][no]: <ENTER>
Enable 802.11a Network [YES][no]: <ENTER>
Enable 802.11g Network [YES][no]: <ENTER>
Enable Auto-RF [YES][no]: <ENTER>

(Figure callouts on the transcript: Service Port, Management Port, AP Manager Port, Virtual Gateway)
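The wizard transcript above is the kind of artifact that ends up in a build document, and its answers (a default administrator name and password, a short RADIUS shared secret) are what a reviewer should catch before the controller goes into service. The following script is an added example, not Cisco's code: it parses prompt/answer lines in the shape of the wizard session, expands <ENTER> to the default the prompt printed (the upper-case option, or the single bracketed value), and flags weak administrator credentials and RADIUS shared secrets. The transcript excerpt, the list of well-known weak values and the length thresholds (8 characters for the admin password, 16 for the RADIUS secret) are constructed for the example and are not Cisco policy.

```python
"""Audit a WLC startup-wizard transcript for weak initial settings (added example)."""
import re

# Constructed excerpt in the same shape as the wizard session on the slide.
SAMPLE_TRANSCRIPT = """\
System Name [Cisco_44:36:c3]:
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (24 characters max): admin
Enable Link Aggregation (LAG) [yes][NO]: <ENTER>
AP Transport Mode [layer2][LAYER3]: <ENTER>
Enter the RADIUS Server's Address: 10.10.10.12
Enter the RADIUS Server's Port [1812]: <ENTER>
Enter the RADIUS Server's Secret: cisco
"""

# Values that should never survive initial setup (constructed list for the example).
WEAK_SECRETS = {"admin", "cisco", "password", "secret", "default", ""}

# prompt text, optional [choice] groups, a colon, then the operator's answer
PROMPT_RE = re.compile(
    r"^(?P<prompt>[^:\[]+?)\s*(?P<choices>(?:\[[^\]]*\])*)\s*:\s*(?P<answer>.*)$")


def resolve_default(choices: str) -> str:
    """Default for a '[yes][NO]' prompt (the upper-case option) or a single
    '[value]' prompt; '' when the prompt printed no default."""
    options = re.findall(r"\[([^\]]*)\]", choices)
    if len(options) == 1:
        return options[0]
    for opt in options:
        if opt.isupper():
            return opt.lower()
    return options[0] if options else ""


def parse_transcript(text: str) -> dict:
    """Map each prompt to its effective answer, expanding <ENTER> to the default."""
    settings = {}
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m:  # informational lines such as "AP-Manager is on Management subnet"
            continue
        answer = m.group("answer").strip()
        if answer == "<ENTER>":
            answer = resolve_default(m.group("choices"))
        settings[m.group("prompt")] = answer
    return settings


def audit(settings: dict) -> list:
    """Return (severity, message) findings for the parsed settings."""
    findings = []
    user = settings.get("Enter Administrative User Name (24 characters max)", "")
    password = settings.get("Enter Administrative Password (24 characters max)", "")
    if password.lower() in WEAK_SECRETS or password == user:
        findings.append(("high", "administrator password is a default value or equals the user name"))
    elif len(password) < 8:
        findings.append(("medium", "administrator password is shorter than 8 characters"))
    if "Enter the RADIUS Server's Address" in settings:
        secret = settings.get("Enter the RADIUS Server's Secret", "")
        if secret.lower() in WEAK_SECRETS:
            findings.append(("high", "RADIUS shared secret is a well-known default"))
        elif len(secret) < 16:
            findings.append(("medium", "RADIUS shared secret is shorter than 16 characters"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(f"{severity}: {message}")
```

Run against the constructed excerpt it reports two high findings (the admin/admin credentials and the RADIUS secret). The same parser works on a full saved session, since every wizard prompt ends in a colon and informational lines without one are skipped.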

Initial Configuration Screen of WLC


Connecting the WLAN Controller to the Network

Options—link aggregation (LAG) or no LAG

LAG supported on 440x, WiSM, Cisco 3750G integrated WLAN controller switch

LAG is the only option for the WiSM and the Cisco 3750G integrated WLAN controller switch

440x-based controllers allow 48 APs per port in the absence of LAG

Use multiple "AP manager" interfaces to support more than 48 APs on the WLC without LAG—the LWAPP algorithm will load-balance APs across the AP managers

LAG allows use of a single "AP manager" interface by load-balancing traffic across an EtherChannel interface

Multiple AP Manager Interfaces


Link Aggregation—Single AP Manager Interface

No EtherChannel mode negotiation (LACP, PAgP): set "etherchannel mode on" for the neighboring switchports

Requires ip-src-dst load balancing for the switch EtherChannel (default on 6K; default on 3750 is src-mac)

Packets are forwarded out the same port they arrived on

One LAG group per WLC is supported

Putting It All Together


Cisco WiSM Configuration

IOS version 12.2(18)SXF8 or above, which requires 512-MB memory and 128-MB flash

The data ports (1 Gbps * 8 = 8 Gbps) and service ports (1 Gbps * 2 = 2 Gbps) are connected at the backplane; there are no physical connections at the front

The service port needs to be configured with an IP address in the case of the Cisco WiSM and should be part of a different VLAN

LAG is a must for the Cisco WiSM, so make sure you create two separate port-channels

Section Agenda

Connecting Controllers and APs to Networks

Controller Redundancy and AP Load Balancing

Design Considerations

Migration from Autonomous APs to the Controller-Based Architecture


Controller Redundancy and AP Load Balancing

The LWAPP discovery response includes the controller's sysName, controller type, controller AP capacity, current AP load, "master controller" status, AP manager IP address(es) and the number of APs joined to each AP manager

Recall: the AP makes its join decision based on this information in the LWAPP discovery response:

1. If the AP has been previously configured with a primary, secondary, and/or tertiary controller, it will attempt to join these first (specified by controller sysName)

2. Attempt to join a WLAN controller configured as a "master" controller

3. Attempt to join the WLAN controller with the greatest excess AP capacity, using its least-loaded AP manager

#1 and #3 allow for two approaches to controller redundancy and AP load balancing—dynamic and deterministic
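The three-step selection order above is easy to state and easy to misjudge when planning failover, because step 3 changes as loads change. The following simulation is an added example, not Cisco's code: each discovery response is a small record carrying the fields the slide names (sysName, AP capacity, current load, master flag, AP managers with their joined-AP counts), and choose_controller applies the three steps in order, always landing on the chosen controller's least-loaded AP manager. The controller data and AP preferences are constructed; that a controller with no spare capacity is skipped at every step is an assumption of this example.

```python
"""Simulate the controller-selection order an AP applies to LWAPP discovery
responses (added example, not Cisco's code)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class ApManager:
    ip: str
    joined: int                 # APs currently joined through this AP manager


@dataclass
class DiscoveryResponse:
    sys_name: str
    capacity: int               # licensed AP capacity
    load: int                   # APs currently joined
    master: bool                # configured as "master controller"
    managers: List[ApManager]

    def excess(self) -> int:
        return self.capacity - self.load

    def least_loaded_manager(self) -> ApManager:
        return min(self.managers, key=lambda m: m.joined)


Choice = Optional[Tuple[str, str]]  # (sysName, AP-manager IP) or None


def choose_controller(responses: Sequence[DiscoveryResponse],
                      preferred: Sequence[Optional[str]] = ()) -> Choice:
    """Step 1: configured primary/secondary/tertiary by sysName, in order.
    Step 2: a controller flagged master.  Step 3: greatest excess capacity.
    Controllers with no spare capacity are skipped (example assumption)."""
    usable = [r for r in responses if r.excess() > 0]
    by_name = {r.sys_name: r for r in usable}
    for name in preferred:                          # step 1
        if name in by_name:
            r = by_name[name]
            return r.sys_name, r.least_loaded_manager().ip
    for r in usable:                                # step 2
        if r.master:
            return r.sys_name, r.least_loaded_manager().ip
    if not usable:
        return None
    best = max(usable, key=lambda r: r.excess())    # step 3
    return best.sys_name, best.least_loaded_manager().ip


def simulate_joins(responses: List[DiscoveryResponse],
                   ap_preferences: Sequence[Sequence[Optional[str]]]) -> List[Choice]:
    """Join APs one after another, updating the loads the next discovery
    response would carry; returns where each AP landed."""
    placements = []
    for prefs in ap_preferences:
        choice = choose_controller(responses, prefs)
        placements.append(choice)
        if choice is None:
            continue
        name, manager_ip = choice
        r = next(r for r in responses if r.sys_name == name)
        r.load += 1
        next(m for m in r.managers if m.ip == manager_ip).joined += 1
    return placements


def sample_responses() -> List[DiscoveryResponse]:
    """Constructed discovery responses from three controllers: one nearly
    full with two AP managers, one lightly loaded, one master that is full."""
    return [
        DiscoveryResponse("wlc-a", 100, 90, False,
                          [ApManager("10.10.80.4", 48), ApManager("10.10.80.5", 42)]),
        DiscoveryResponse("wlc-b", 100, 30, False, [ApManager("10.10.81.4", 30)]),
        DiscoveryResponse("wlc-c", 50, 50, True, [ApManager("10.10.82.4", 50)]),
    ]


if __name__ == "__main__":
    print("dynamic:", simulate_joins(sample_responses(), [(), (), ()]))
    print("pinned :", simulate_joins(sample_responses(), [("wlc-a",), ("wlc-a",)]))
```

With no configured preference (the dynamic approach) every new AP lands on wlc-b, the controller with the most excess capacity, and the full master wlc-c never wins; with a configured primary (the deterministic approach) the AP goes to wlc-a as long as it has room, spread across its AP managers by joined count. That difference is the predictability argument the next two slides make.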

Dynamic Redundancy

Rely on LWAPP to load-balance APs across controllers and populate APs with backup controllers

Results in a dynamic "salt-and-pepper" design

Design works better when controllers are "clustered" in a centralized design

Pros:

Easy to deploy and configure—less upfront work

APs dynamically load-balance (though never perfectly)

Cons:

More inter-controller roaming

Bigger operational challenges due to unpredictability

Longer failover times

No "fallback" option in the event of controller failure

Cisco's general recommendation is: don't do this! Use deterministic redundancy instead of dynamic redundancy


Deterministic Redundancy

Administrator statically assigns APs a primary, secondary, and/or tertiary controller

Assigned from controller interface (per AP) or WCS (template-based)

Pros:

Predictability—easier operational management

More network stability

More flexible and powerful redundancy design options

Faster failover times

"Fallback" option in the case of failover

Cons:

More upfront planning and configuration

This is Cisco’s recommended best practice!

Controller Redundancy Designs—N:1


Section Agenda

Connecting Controllers and APs to Networks

Controller Redundancy and AP Load Balancing

Design Considerations

Migration from Autonomous APs to the Controller-Based Architecture

First Question! What Is the Network for?

Applications: design for the needs of the applications

Look at the protocols used

Look at the minimum requirements of each

Read the application notes!


Design Verticals

Each site is unique

Healthcare requirements: highest use of multicast; critical data over voice

Retail: mixture of carpet and warehouse plus PCI requirements

Enterprise: voice is the critical application

Manufacturing: worst radio environment

Many others plus hybrids of each

Campus WLAN Controller Options

Standalone appliance controller (440x):

Routed network exists on another platform

Dot1Q trunk to switched/routed network

Integrated controller (Cisco 3750G Integrated WLAN Controller, WiSM):

Routed network can exist on the same platform

Layer 2 connection is internal

Layer 2 or 3 connection to the routed network


Where to Place a WLAN Controller? Distributed Designs

WiSM(s) or 440x WLAN controller(s) connected at the distribution layer

Key design considerations:

Controller redundancy

Spanning tree

HSRP/GLBP

Traffic flow

Load balancing

Resiliency

Access layer "collapsed" into distribution layer

Access layer IP addressing

Access layer features need to be implemented in the distribution layer

Mobility!

(Figure: layer 2 access subnets (Voice, Data) carrying the APs and separate WLAN client subnets (Voice, Data) terminating on the distribution-layer controllers)

Healthcare

Multicast is the number one protocol

Always under construction

Numerous non-802.11 radio devices

Need for an RF policy over an 802.11 policy

(Figure: intranet, core and building DF/distribution layer with IDFs on the first and third floors; a clinic or remote office uses an H-REAP or controller deployment depending upon size)


Retail

PCI compliance!!

Carpeted and warehouse environment

Use of small handheld equipment

(Figure: headquarters, a large store and a small store connected over the Internet; H-REAP for less than 3 access points, a small controller with more access points)

Enterprise Requirements

Voice is the essential application

Data for e-mail and other non-latency-sensitive applications

Video is on the rise

(Figure: intranet/Internet, core and building DF/distribution layer with IDFs on the first, third and fifth floors)


Manufacturing

Multipath-intensive environment

Can benefit from both indoor mesh and the standard central solution

H-REAP could be used for small solutions

(Figure: headquarters, a large manufacturing site and a small manufacturing site connected over the Internet; a small controller with more access points)

Distributed vs. Centralized Design

General recommendation is a centralized design

Use integrated platform(s)—WiSM for small/medium/large, Cisco 3750G Integrated WLAN Controller for small/medium

Choose the design that makes the most sense for you: current network and policies; future growth plans

Distributed designs may work well with existing networks


Branch Office Deployment—Hybrid REAP

Supported on 1130 and 1240 AP platforms

Allows bridging/tagging of traffic locally (local switching) per WLAN

Allows simultaneous tunneling of traffic to the WLC (central switching) per WLAN

"Connected mode"—LWAPP control centralized

"Standalone mode" (WAN outage)—locally switched WLANs stay up; some lost functionality

Design Considerations:

100 ms latency between APs and WLC

H-REAP APs should be connected to trunk ports—allow only the relevant, locally switched VLANs

No optimization for:

Fast, secure roaming (CCKM, PKC)

Voice (no CAC or TSPEC support in standalone mode)

Sample HREAP Network


H-REAP WLAN Configuration

Configure the WLAN for H-REAP operation

H-REAP AP Configuration

Select a desired AP...


H-REAP AP Configuration (Cont.)

... and set it to H-REAP mode and enter VLAN info

Enable VLAN Support and Enter the Native VLAN Information

H-REAP AP Configuration (Cont.)

... and configure local VLAN tagging

Set the VLAN ID per Locally Switched WLAN

WLANs with LOCAL SWITCHING Are Not Configurable


Branch Office WLAN Controller Options

Appliance controllers: Cisco 2106 (supports 6 APs); Cisco 4402-12, 4402-24

Integrated controllers: WLAN controller module (WLCM) for ISR; Cisco 3750 integrated WLAN controller (support for 25, 50 APs)

(Figure: appliance 2106 and 440x; integrated Cisco 3750 Integrated WLAN Controller and WLCM in ISR)

Section Agenda

Connecting Controllers and APs to Networks

Controller Redundancy and AP Load Balancing

Design Considerations

Migration from Autonomous APs to the Controller-Based Architecture


Upgrading Autonomous Access Points to LWAPP Mode

Basic AP upgrade process:

Use the Cisco-provided upgrade tool to load the "LWAPP recovery IOS image" onto the AP(s)

AP joins a controller and downloads the full LWAPP IOS image

LWAPP IOS upgrade is supported on the following platforms:

1120G series (802.11b/g)

1200 series, including 1210, 1230 (802.11b/g and/or 2nd generation 802.11a radios—RM21A, RM22A)

1130AG

1240AG

BR1310 (only AP mode is supported in LWAPP)

Only layer-3 LWAPP mode is supported

Roll-back to autonomous mode is supported

LWAPP Upgrade Requirements

Ensure the AP's hardware is supported

The AP is running IOS release 12.3(7)JA or later

The controller is running 3.1 or later and telnet is enabled: in the WLC GUI, go to Management | Telnet-SSH and enable Telnet, or from the CLI:

(WLC_CLI) >config network telnet enable

Each AP's information is input into a text file, one AP per line, in the following format:

ap-ip-address,telnet-username,telnet-user-password,enable-password
ap-ip-address,telnet-username,telnet-user-password,enable-password


Using the LWAPP Upgrade Tool

AP upgrade tool

Point the Upgrade Tool to the AP csv text file

Make sure the time is correctly set

1–5 APs may be upgraded simultaneously; their completion status bars are shown here

AP upgrade process status

Telnet must be enabled on a WLC

APs with static IP addresses will rely on DNS to find WLCs across router hops

Ensure the latest IOS LWAPP (JX) image is available via TFTP

Click for AP MAC and SSC output

Upgrading Autonomous Access Points to LWAPP Mode—Self-Signed Certificates

LWAPP join process assumes X.509 certificates and factory installed public/private keys

All Cisco APs manufactured after July 18, 2005 have “Manufacturing Installed Certificates” (MIC)

Cisco Aironet APs manufactured prior to July 18, 2005 do not have factory installed public/private keys and certificates

The upgrade tool issues commands to the AP to have it generate an RSA key pair and a self-signed certificate (SSC), and installs the root CAs so that the AP can authenticate controllers

SSCs must be individually authorized on each controller

The upgrade tool extracts the public key and can install it on one controller; it also stores an (AP MAC, public key) tuple in a CSV file that can be imported into WCS and other controllers

http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html


Upgrading Autonomous Access Points to LWAPP Mode—Best Practices

Basic upgrade strategy:

Deploy and validate controllers and WCS

Plan an LWAPP discovery strategy so APs can discover controllers

Test the process in a lab or on low-traffic, easy-to-troubleshoot APs to validate the procedure

Do the migration during a change window and allow time for troubleshooting

Save the CSV file(s) with the MAC/public key mappings even if you import them to WCS

Migrate APs in logical blocks rather than en masse

Take caveats to coexistence into consideration

Evaluate tolerance for downtime

Upgrading Autonomous Access Points to LWAPP Mode—Planning the LWAPP Discovery Strategy

Options for discovery when upgrading autonomous access points to LWAPP:

Local subnet broadcast of LWAPP discovery request

Vendor-specific DHCP option 43

DNS resolution of “CISCO-LWAPP-CONTROLLER.localdomain”

Console port priming commands (valid only with LWAPP recovery IOS image)

OTAP is not supported in the LWAPP recovery IOS image

Most autonomous Cisco Aironet APs are deployed with static IP addresses

AP preserves static IP address, default gateway, sysName, DNS server, domain name during the upgrade process

Many Cisco customers have chosen to erase the AP configurations before upgrading and migrate to DHCP addresses instead of static IP addresses
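Of the discovery options listed above, DHCP option 43 is the one that is easiest to get subtly wrong, because the controller addresses have to be hand-encoded as a hex TLV in the DHCP pool. The following helper is an added example, not Cisco's code: it builds and decodes the vendor-specific option 43 value in the TLV layout Cisco documents for lightweight APs (sub-option type 0xf1, a length of 4 bytes per controller, then each controller management IP as four raw bytes) and formats it the way the IOS `option 43 hex` pool command expects. The controller addresses are constructed for the example.

```python
"""Encode and decode the DHCP option 43 TLV that points LWAPP APs at their
controllers (added example, not Cisco's code)."""
import ipaddress
from typing import List, Sequence

LWAPP_SUBOPTION = 0xF1   # sub-option type Cisco documents for lightweight APs


def encode_option43(controllers: Sequence[str]) -> bytes:
    """Return the option 43 value: type 0xf1, length 4*N, then N IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([LWAPP_SUBOPTION, len(payload)]) + payload


def to_ios_hex(value: bytes) -> str:
    """Format for the IOS DHCP pool command 'option 43 hex', dotted per 16 bits."""
    h = value.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def decode_option43(value: bytes) -> List[str]:
    """Walk the sub-options and return the controller IPs from the 0xf1 entry.
    Length fields are checked against the buffer rather than trusted."""
    controllers: List[str] = []
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        t, n = value[i], value[i + 1]
        data = value[i + 2:i + 2 + n]
        if len(data) != n:
            raise ValueError("sub-option length exceeds buffer")
        if t == LWAPP_SUBOPTION:
            if n % 4:
                raise ValueError("LWAPP sub-option length is not a multiple of 4")
            controllers.extend(str(ipaddress.IPv4Address(data[j:j + 4]))
                               for j in range(0, n, 4))
        i += 2 + n
    return controllers


def is_valid_option43(value: bytes) -> bool:
    """True when the value parses and names at least one controller."""
    try:
        return bool(decode_option43(value))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed controller addresses matching the management subnets used earlier.
    value = encode_option43(["10.10.80.3", "10.10.81.3"])
    print("option 43 hex", to_ios_hex(value))
    print("decodes to", decode_option43(value))
```

For the two constructed controllers the pool line is `option 43 hex f108.0a0a.5003.0a0a.5103`; decoding the value back before committing it to the DHCP server catches the usual mistakes (a length byte that does not match the number of addresses, a truncated address) that otherwise only show up as APs that never join.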


Upgrading Autonomous Access Points to LWAPP Mode—WLSM and WiSM Coexistence

WLSM and WiSM can coexist in the same 650x chassis

Minimum software requirements (not recommended):

Supervisor 720: 12.2(18)SXF2

WLSM: version 1.4.1

WiSM: 3.2.116.x

http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a008073614c.shtml

Coexistence Between Autonomous Access Point and Controller-Based Architecture

No seamless roaming between architectures

No coordination between WLSE radio management (RM) and Cisco Unified Architecture RRM

RM and RRM algorithms should account for contention

Each architecture may report the other's APs as rogue

Consider network architectural impact and any necessary changes very carefully

Upgraded APs should be connected to access ports instead of trunk ports

May need to clean-up and harvest old, unnecessary VLANs and IP subnets

Plan out new IP addressing schemes for wireless clients and APs


AssureWave

Full vertical application testing with partner equipment

Define pass/fail with details beyond standard software testing

Testing done in-house and at partner facilities

HealthCare, Retail, and Manufacturing


Example Vertical Test Bed

Q and A


Documentation

Deploying Cisco 440X Series Wireless LAN Controllers
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a00806cfa96.html

Configuring a Cisco Wireless Services Module (WiSM) and Wireless Control System (WCS)
http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_technical_reference09186a0080702fe2.html

H-REAP Deployment Guide
http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml

Wireless LAN (WLAN) Configuration Examples and TechNotes
http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html

Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
