
Cisco Unified Wireless Network Overview

Steve Acker, Wireless Advanced Services Network Consulting Engineer, CCIE #14097, CISSP #86844, CWSP

BRKEWN-2010

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Agenda
- Controller-Based Architecture Overview
- Mobility in the Cisco Unified WLAN Architecture
- Architecture Building Blocks
- Deploying the Cisco Unified Wireless Architecture



Cisco Unified Wireless Network: Architecture Overview

- 802.11n and 802.11a/g; highly scalable
- Mobility Services Engine (MSE), Wireless Control System (WCS), Wireless LAN Controller
- Real-time RF visibility and control
- Monitor and migrate standalone access points
- Easily configure WLAN controllers using SNMP and access points using CAPWAP
- Built-in support for Mobility Services: Context-Aware Services (Location) and Adaptive Wireless Intrusion Prevention System (wIPS)
- Wired and wireless guest access

(Diagram: standalone access points, 802.11n lightweight access points joined to the controller over CAPWAP, client devices and Wi-Fi tags.)

Understanding WLAN Controllers: 1st/2nd Generation vs. 3rd Generation Approach

- 1st/2nd generation: APs act as an 802.1Q translational bridge, putting client traffic on local VLANs (data, management and voice VLANs extend to the AP)
- 3rd generation: the controller bridges client traffic centrally; client traffic rides the LWAPP/CAPWAP tunnel from the AP to the controller, which places it on the data and voice VLANs


Centralized Wireless LAN Architecture: What Is CAPWAP?

- CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller and is based on LWAPP
- CAPWAP carries control and data traffic between the two
  - The control plane is DTLS (Datagram Transport Layer Security) encrypted
  - Data plane DTLS encryption is optional
- LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless

(Diagram: Wi-Fi client -> access point -> CAPWAP data plane and control plane -> controller -> business application.)

CAPWAP Modes: Split MAC

- The CAPWAP protocol supports two modes of operation: Split MAC (centralized mode) and Local MAC (H-REAP)
- Split MAC: the wireless frame (wireless PHY and MAC sublayer) is handled by the AP, carried over the CAPWAP data plane to the WLC, and leaves the WLC as an 802.3 frame (STA -> AP -> WLC)


CAPWAP Modes: Split MAC

- One of the key concepts of LWAPP is the concept of split MAC
- The real-time RF part of the 802.11 protocol operation is managed by the LWAPP AP
- The non-real-time parts of the 802.11 protocol are managed by the WLC


CAPWAP Modes: Local MAC

- Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
- Locally bridged: the wireless frame (wireless PHY and MAC sublayer) is terminated at the AP and bridged onto the local 802.3 network without passing through the WLC (STA -> AP)


CAPWAP Modes: Local MAC

- Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
- Tunneled as 802.3 frames: the AP terminates the wireless frame (wireless PHY and MAC sublayer), converts it to an 802.3 frame and carries it over the CAPWAP data plane to the WLC (STA -> AP -> WLC)
- H-REAP supports locally bridged MAC and split MAC per SSID

CAPWAP State Machine

AP boots up -> Discovery -> DTLS Setup -> Join -> Image Data -> Config -> Run; a Reset returns the AP to the start of the cycle.


AP Controller Discovery

Controller discovery order:
- Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs): a broadcast message is sent to discover a controller on the local subnet
- Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails:
  - Previously learned or primed controllers
  - Subnet broadcast
  - DHCP option 43
  - DNS lookup


AP Controller Discovery: DHCP Option

1. The AP sends a DHCP Request; the DHCP server's DHCP Offer contains option 43 with the controller address(es)
2. The AP sends a Layer 3 CAPWAP Discovery Request (broadcast)
3. Controllers return Layer 3 CAPWAP Discovery Responses
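As an added example (not from the deck), here is an encoder and parser for the option 43 value the slide refers to, in the layout Cisco documents for lightweight APs: one sub-option of type 0xf1 whose length is 4 times the controller count, followed by the controller management IPv4 addresses. That layout, the dotted IOS hex rendering and the sample addresses are assumptions of this example, not statements from the slide.

```python
"""DHCP option 43 for CAPWAP controller discovery: build the value a DHCP
server hands out and parse what an AP receives. Layout per Cisco's lightweight
AP documentation (an assumption of this example, not stated on the slide):
sub-option type 0xf1, length = 4 * number of controllers, then the controller
management IPv4 addresses back to back."""
import ipaddress

CAPWAP_SUBOPTION = 0xF1  # Cisco sub-option carrying controller addresses


def encode_option43(controllers):
    """Raw option 43 bytes for a list of controller IPv4 addresses."""
    packed = [ipaddress.IPv4Address(c).packed for c in controllers]
    if not 1 <= len(packed) <= 63:  # sub-option length is a single byte
        raise ValueError("need between 1 and 63 controller addresses")
    payload = b"".join(packed)
    return bytes([CAPWAP_SUBOPTION, len(payload)]) + payload


def decode_option43(raw):
    """Controller addresses found in the 0xf1 sub-option of a raw option 43
    value. Other sub-options are skipped; a malformed TLV raises ValueError,
    which is the case an AP has to treat as 'no usable controller list'."""
    found = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        sub_type, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past the end of option 43")
        if sub_type == CAPWAP_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("controller list must be a non-zero multiple of 4 bytes")
            found += [str(ipaddress.IPv4Address(value[k:k + 4]))
                      for k in range(0, length, 4)]
        i += 2 + length
    return found


def ios_hex_string(raw):
    """Render the value as the dotted hex string used in an IOS DHCP pool,
    e.g. 'option 43 hex f108.c0a8.0102.c0a8.0103'."""
    h = raw.hex()
    return ".".join(h[k:k + 4] for k in range(0, len(h), 4))


if __name__ == "__main__":
    # Constructed sample: two controllers in the 192.168.1.x range that the
    # DNS-option slide also uses.
    value = encode_option43(["192.168.1.2", "192.168.1.3"])
    print("option 43 hex", ios_hex_string(value))
    print("AP would learn", decode_option43(value))
```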

AP Controller Discovery: DNS Option

1. The AP sends a DHCP Request
2. The DHCP Offer contains option 15 to give the AP the local domain name
3. The DHCP Offer also contains the DNS server or servers
4. The AP resolves CISCO-CAPWAP-CONTROLLER.localdomain against the DNS server, which returns the controller address (192.168.1.2 in the diagram)


WLAN Controller Selection Algorithm

- The CAPWAP Discovery Response contains important information from the WLAN controller: controller name, controller type, controller AP capacity, current AP load, Master Controller status, and AP Manager IP address or addresses
- The AP selects a controller to join using the following decision criteria:
  1. Attempt to join a WLAN controller configured as a Master controller
  2. Attempt to join a WLAN controller whose name matches the previously configured primary, secondary, or tertiary controller name
  3. Attempt to join the WLAN controller with the greatest excess AP capacity (dynamic load balancing)
- Options 2 and 3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic
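An added example, not from the deck, that applies the three criteria above in the order the slide lists them to a set of Discovery Responses and returns the controller and the reason it won. The field names, the rule that a controller with no free AP slots is skipped, and the sample controllers are assumptions of this example, not the CAPWAP wire format.

```python
"""Which controller does a CAPWAP AP join? Apply the slide's three criteria in
order: Master controller, then a name matching the AP's configured
primary/secondary/tertiary, then greatest excess AP capacity. Added example;
field names and the 'skip full controllers' rule are assumptions."""
from dataclasses import dataclass, field


@dataclass
class DiscoveryResponse:
    """The fields the slide says a Discovery Response carries."""
    name: str
    ctype: str
    ap_capacity: int
    ap_load: int
    master: bool
    ap_manager_ips: list = field(default_factory=list)

    @property
    def excess_capacity(self):
        return self.ap_capacity - self.ap_load


def select_controller(responses, configured=()):
    """Return (DiscoveryResponse, reason), or (None, reason) if nothing is
    joinable. `configured` is the AP's (primary, secondary, tertiary) names."""
    # A controller with no free AP slots cannot accept the join (assumption).
    joinable = [r for r in responses if r.excess_capacity > 0]
    if not joinable:
        return None, "no controller with free AP capacity"
    # 1. Master controller: in the slide's ordering it wins over everything,
    #    so a controller left in master mode pulls every newly discovering AP.
    masters = [r for r in joinable if r.master]
    if masters:
        return masters[0], "master controller"
    # 2. Deterministic redundancy: first configured name that answered.
    by_name = {r.name: r for r in joinable}
    for rank, name in zip(("primary", "secondary", "tertiary"), configured):
        if name in by_name:
            return by_name[name], f"configured {rank} controller"
    # 3. Dynamic load balancing: most excess capacity (name breaks ties).
    best = max(joinable, key=lambda r: (r.excess_capacity, r.name))
    return best, "greatest excess AP capacity"


def join_target(responses, configured=()):
    """Address the Join Request goes to: the winner's AP Manager IP."""
    chosen, _ = select_controller(responses, configured)
    if chosen is None or not chosen.ap_manager_ips:
        return None
    return chosen.ap_manager_ips[0]


# Constructed sample: three controllers answering one AP's discovery.
SAMPLE = [
    DiscoveryResponse("WLC-A", "5508", 500, 480, False, ["10.0.0.11"]),
    DiscoveryResponse("WLC-B", "5508", 500, 120, False, ["10.0.0.12"]),
    DiscoveryResponse("WLC-C", "2504", 50, 50, False, ["10.0.0.13"]),
]

if __name__ == "__main__":
    # Unprimed AP: dynamic balancing picks WLC-B (380 free slots).
    print(select_controller(SAMPLE))
    # Primed AP: its primary WLC-A wins even though it is nearly full.
    print(select_controller(SAMPLE, ("WLC-A", "WLC-B", "WLC-C")))
```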

CAPWAP Control Messages for the Join Process

- CAPWAP Join Request: the AP sends this message to the selected controller (sent to the AP Manager interface IP address)
- CAPWAP Join Response: if the controller validates the AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller


Configuration Phase: Firmware and Configuration Download

- Firmware download: firmware is downloaded by the AP from the WLC, only if needed; the firmware is digitally signed by Cisco, and the AP reboots after the download
- Configuration download: the network configuration is downloaded by the AP from the WLC; the configuration is encrypted in the CAPWAP tunnel and then applied

(Diagram: Cisco WLAN controller and access points joined over an LWAPP Layer 3 tunnel.)

Which Software Version Should I Use?

- WLC 5508 supports 6.0 and 7.0
- WLC 7500, WiSM-2 and WLC 2504 are only supported in 7.0.116 and up



Mobility Defined

- Mobility is a key reason for wireless networks
- Mobility means the end-user device is capable of moving its location in the networked environment
- Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it's mobile!
- Mobility presents new challenges:
  - Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
  - Need to support client roaming that is seamless (fast) and preserves security


Scaling the Architecture with Mobility Groups

- A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
- APs learn the IPs of the other members of the mobility group after the LWAPP Join process
- Mobility messages are exchanged between controllers
- Data is tunneled between controllers in EtherIP (RFC 3378)
- Support for up to 24 controllers, 3600 APs per mobility group

(Diagram: three controllers in Mobility Group "MyMobilityGroup", linked by mobility messages and Ethernet-in-IP tunnels; each lists the other two as Mobility Group Neighbors:
  Controller-A, MAC AA:AA:AA:AA:AA:01, neighbors Controller-B (AA:AA:AA:AA:AA:02) and Controller-C (AA:AA:AA:AA:AA:03)
  Controller-B, MAC AA:AA:AA:AA:AA:02, neighbors Controller-A (AA:AA:AA:AA:AA:01) and Controller-C (AA:AA:AA:AA:AA:03)
  Controller-C, MAC AA:AA:AA:AA:AA:03, neighbors Controller-A (AA:AA:AA:AA:AA:01) and Controller-B (AA:AA:AA:AA:AA:02))

Increased Mobility Scalability

- Roaming is supported across three mobility groups (3 * 24 = 72 controllers)
- With Inter Release Controller Mobility (IRCM), roaming is supported between 4.2.207, 6.0.188 and 7.0

(Diagram: Mobility Sub-Domains 1, 2 and 3 connected by mobility messages and Ethernet-in-IP tunnels.)

How Long Does an STA Roam Take?

Time it takes for:
  Client to disassociate
  + Probe for and select a new AP
  + 802.11 Association
  + 802.1X/EAP Authentication
  + Rekeying
  + IP address (re)acquisition

All this can be on the order of seconds. Can we make this faster?


Roaming Requirements

Roaming must be fast. Latency can be introduced by:
- Client channel scanning and AP selection algorithms
- Re-authentication of the client device and re-keying
- Refreshing of the IP address

Roaming must maintain security:
- Open auth, static WEP: the session continues on the new AP
- WPA/WPAv2 Personal: a new session key for encryption is derived via the standard handshakes
- 802.1X, 802.11i, WPA/WPAv2 Enterprise: the client must be reauthenticated and a new session key derived for encryption


How Are We Going to Make Roaming Faster?

Focus on where we can have the biggest impact:
- Eliminating the (re)IP address acquisition challenge
- Eliminating full 802.1X/EAP reauthentication


Intra-Controller Roaming: Layer 3

(Diagram, pre-roaming data path: the client is associated through WLC-1 on VLAN X, and WLC-1 holds the client database entry (MAC, IP, QoS, Security). WLC-2 serves VLAN Z and exchanges mobility messages with WLC-1.)


Client Roaming Between Subnets: Layer 3 (Cont.)

(Diagram: the client roams to a different AP, joined to WLC-2 on VLAN Z. After the mobility message exchange both WLC-1 and WLC-2 hold the client database entry (MAC, IP, QoS, Security); WLC-1 is the anchor controller, WLC-2 the foreign controller, and a data tunnel from WLC-2 to WLC-1 carries the client's traffic back onto VLAN X along the pre-roaming data path.)


Roaming: Inter-Controller, Layer 3

- L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and client traffic is bridged onto different subnets
- The client must be re-authenticated and a new security session established
- The client database entry is copied to the new controller, so an entry exists in both WLC client DBs
- The original controller is tagged as the anchor, the new controller as the foreign
- WLCs must be in the same mobility group or domain
- No IP address refresh is needed
- Account for the mobility message exchange in the network design



Fast Secure Roaming: Standard Wi-Fi Secure Roaming

- 802.1X authentication in wireless today requires three end-to-end transactions with an overall transaction time of > 500 ms
- 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam

(Diagram: the client authenticates through AP1 to a Cisco AAA server (ACS or ISE) across the WAN (1. 802.1X initial authentication transaction), then roams to AP2 and repeats the exchange (2. 802.1X reauthentication after roaming).)

Note: a mechanism is needed to centralize key distribution.

Cisco Centralized Key Management (CCKM)

- Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application-specific devices (ASDs)
- CCKM was ported to the CUWN architecture in the 3.2 release
- In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
- To work across WLCs, the WLCs must be in the same mobility group
- When a client device roams, the WLC forwards the client's security credentials to the new AP


Fast Secure Roaming: WPA2/802.11i Pairwise Master Key (PMK) Caching

- WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients
- From the 802.11i specification: whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later. However, if a client has not roamed to a particular access point during its current working session, it must then authenticate to that specific access point using 802.1x.
- When a STA (re)associates to an AP, it may attach a list of PMK IDs (which were derived via the dot1x process with this AP before) in the (re)association request frame
- When a PMK ID exists, the AP can use it to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake with the STA


OKC/PKC: Key Data Points

- A client device can skip the 802.1x authentication with an access point and only needs to perform the 4-way handshake when roaming to access points that are centrally managed by the same WLC
- Supported in Windows since XP SP2
- Enabled by default on WLCs with WPAv2
- Requires WLCs to be in the same mobility group
- In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!
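As an added example, not from the deck, the PMK cache lookup that the PMK caching slide and this OKC/PKC slide describe: the PMKID is derived per IEEE 802.11i as HMAC-SHA1-128 over "PMK Name" || AP MAC || STA MAC, the AP only honours a cached entry that belongs to the offering STA's MAC, and with OKC the controller derives the PMKID for the new AP from the one PMK it already holds for that STA. The MAC addresses and the PMK are constructed test values.

```python
"""PMK caching (802.11i) and Opportunistic Key Caching on a WLC, as a model of
the (re)association decision: skip 802.1X and go straight to the 4-way
handshake on a cache hit, otherwise run full 802.1X. Added example; the
PMK and MAC addresses are constructed test values."""
import hashlib
import hmac


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def pmkid(pmk, aa, spa):
    """128-bit PMK identifier per IEEE 802.11i: HMAC-SHA1 over
    "PMK Name" || AA (AP BSSID) || SPA (station MAC), truncated to 16 bytes."""
    data = b"PMK Name" + mac_bytes(aa) + mac_bytes(spa)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PmkCache:
    """PMK cache keyed by PMKID. Plain 802.11i keeps one entry per AP the STA
    actually authenticated through; with OKC the WLC also keeps the PMK per
    STA and derives the entry for any AP it manages on demand."""

    def __init__(self, okc=False):
        self.okc = okc
        self.entries = {}     # pmkid -> (pmk, spa)
        self.pmk_by_sta = {}  # spa -> pmk (only used when okc is True)

    def on_dot1x_success(self, pmk, aa, spa):
        self.entries[pmkid(pmk, aa, spa)] = (pmk, spa)
        if self.okc:
            self.pmk_by_sta[spa] = pmk

    def reassociate(self, aa, spa, offered_pmkids):
        """Decision for a (re)association request that lists PMKIDs.
        Returns ("4way", pmk) on a usable cache hit, else ("dot1x", None)."""
        for pid in offered_pmkids:
            hit = self.entries.get(pid)
            # The entry must belong to this STA MAC, as the slide requires.
            if hit is not None and hit[1] == spa:
                return "4way", hit[0]
            if self.okc and spa in self.pmk_by_sta:
                # OKC: recompute the PMKID for *this* AP from the STA's PMK.
                pmk = self.pmk_by_sta[spa]
                if pid == pmkid(pmk, aa, spa):
                    self.entries[pid] = (pmk, spa)
                    return "4way", pmk
        return "dot1x", None


def roam_scenario(okc, return_to_ap1=False):
    """STA does 802.1X through AP1, then (re)associates to AP2 (or back to
    AP1) offering the PMKID it computes for the target AP."""
    pmk = bytes(range(32))  # constructed test PMK
    sta = "00:11:22:33:44:55"
    ap1, ap2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    cache = PmkCache(okc=okc)
    cache.on_dot1x_success(pmk, ap1, sta)
    target = ap1 if return_to_ap1 else ap2
    return cache.reassociate(target, sta, [pmkid(pmk, target, sta)])[0]


if __name__ == "__main__":
    print("802.11i cache, roam to new AP :", roam_scenario(okc=False))
    print("802.11i cache, back to first AP:", roam_scenario(okc=False, return_to_ap1=True))
    print("OKC, roam to new AP            :", roam_scenario(okc=True))
```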


How Long Does a Client Really Take to Roam?

Time to roam =
  Client to disassociate
  + Probe for and select a new AP
  + 802.11 Association
  + Mobility message exchange between WLCs
  + Reauthentication
  + Rekeying
  + IP address (re)acquisition

- Network latency will have an impact on these times: a consideration for controller placement
- With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary


How Often Do Clients Roam?

- It depends on the types of clients and applications
- Most client devices are designed to be nomadic rather than mobile, though the proliferation of small form factor smart devices will probably change this
- Nomadic clients usually are programmed to try to avoid roaming, so set your expectations accordingly
- Design rule of thumb: 10-20 roams per second for every 5000 clients


Designing a Mobility Group/Domain: Design Considerations

- Less roaming is better: clients and apps are happier
- While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
- L3 roaming and fast roaming clients consume client DB slots on multiple controllers: consider worst-case scenarios in designing the roaming domain size
- Leverage natural roaming domain boundaries
- Make sure the right ports and protocols are allowed



TrustSec 2.0 and Identity Services Engine

Identity Services Engine: centralized policy, distributed enforcement
- AAA services, posture assessment, guest access services, device profiling
- Monitoring, troubleshooting, reporting
- Consolidates the functions of ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server

* The current NAC and ACS hardware platforms are software upgradable to ISE

ISE Integrated Device Profiling

- Visibility for wired and wireless devices
- Simplified device category policy
- New device templates via subscription feeds

(Screenshot: profiling policy list showing an iPad template and a custom template.)

ISE Integrated Device Profiling

- Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication
- An employee using a corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network
- An employee using a personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have Internet access only

(Diagram: same SSID over CAPWAP to the WLC, 802.1Q trunk to the wired network. 1. Laptop EAP authentication; 2. ISE Accept with VLAN 30 (Employee VLAN 30, corporate resources); 3. iPad EAP authentication; 4. ISE Accept with VLAN 40 (Employee VLAN 40, Internet).)


ISE Integrated Device Profiling

Example: VLAN 30 (corporate access), VLAN 40 (Internet access)


ISE Integrated Device Profiling: ISE Setup

- Authorization profiles: redirect, VLAN, override ACL, CoA
- Laptop: assign VLAN 30
- iPad: assign VLAN 40


ISE Integrated Device Profiling: WLC CoA Setup

- Pre-Auth ACL allows ALL client traffic to ISE: permit ANY to ISE (IP address)
- WLAN: Dot1X, AAA Override and RADIUS NAC enabled


ISE Integrated Device Profiling: Probes

- RADIUS probe (information about authentication, authorization and accounting requests from network access devices)
- DHCP (helper or SPAN)
- HTTP user agent (SPAN)
- Customizable profiles



Deploying the Cisco Unified Wireless Architecture

- Controller Redundancy and AP Load Balancing
- Understanding AP Groups
- IPv6 Deployment with Controllers
- Branch Office Designs
- Guest Access Deployment
- Home Office Design



Controller Redundancy: Dynamic

- Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
- Results in a dynamic salt-and-pepper design
- The design works better when controllers are clustered in a centralized design

Pros:
- Easy to deploy and configure: less upfront work
- APs dynamically load-balance (though never perfectly)

Cons:
- More intercontroller roaming
- Bigger operational challenges due to unpredictability
- Longer failover times
- No fallback option in the event of controller failure

Cisco's general recommendation is: only for Layer 2 roaming; use deterministic redundancy instead of dynamic redundancy

Controller Redundancy: Deterministic

- The administrator statically assigns APs a primary, secondary, and/or tertiary controller
- Assigned from the controller interface (per AP) or WCS (template-based)

Pros:
- Predictability: easier operational management
- More network stability
- More flexible and powerful redundancy design options
- Faster failover times
- Fallback option in the case of failover

Con:
- More upfront planning and configuration

This is Cisco's recommended best practice.

(Diagram: WLAN-Controller-A, WLAN-Controller-B and WLAN-Controller-C, with AP assignments rotated so that each set of APs has a different primary, secondary and tertiary:
  Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C
  Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A
  Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B)

High Availability Using Cisco 5508

- APs are connected to the primary WLC 5508
- In case of hardware failure of the WLC 5508, APs fall back to the secondary WLC 5508
- Traffic flows through the secondary WLC 5508 and the primary core switch

(Diagram: primary and secondary WLC 5508 attached to a pair of core switches.)

High Availability Using WiSM: Uplink Failure on Primary Switch

- In case of uplink failure of the primary switch, the standby switch becomes the new active HSRP switch
- APs are still connected to the primary WiSM
- Traffic flows through the new HSRP active switch

(Diagram: primary WiSM in the previously active HSRP switch; the standby switch is now the active HSRP switch.)

High Availability Using WiSM-2

- APs are connected to the primary WiSM
- In case of hardware failure of the primary WiSM, APs fall back to the secondary WiSM
- Traffic flows through the secondary WiSM and the primary core switch

(Diagram: primary and secondary WiSM in a pair of core switches.)

VSS and Cisco 5508

- The Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch
- 4 ports of the Cisco 5508 are connected to the active VSS switch
- The 2nd set of 4 ports of the Cisco 5508 is connected to the standby VSS switch
- In case of failure of the primary switch, traffic continues to flow through the secondary switch in the VSS pair

(Diagram: Cisco 5508 dual-homed to a Catalyst VSS pair.)


VSS and WiSM-2

Virtual Switch System (VSS):
- Switch-1 (VSS Active): control plane active, data plane active; hosts FWSM Active and WiSM-2 Active
- Switch-2 (VSS Standby): control plane standby, data plane active; hosts FWSM Standby and WiSM-2 Standby
- The two switches are joined by the VSL; a failover/state sync VLAN runs between the active and standby modules


Controller Redundancy: High Availability Principles

- The AP is registered with a WLC and maintains a backup list of WLCs
- The AP uses heartbeats to validate WLC connectivity
- The AP uses Primary Discovery messages to validate the backup WLC list
- When the AP loses three heartbeats, it starts the join process to the first backup WLC candidate
- The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
- The AP does not re-initiate the discovery process

(Diagram: AP with a primary WLC and a secondary WLC.)

Controller Redundancy: High Availability with 7.0

To accommodate both local and remote settings, configurable options are provided so that the administrator can fine-tune the settings based on the requirements.

Timer                          New Timers      Old Timers (5508)   Old Timers (non-5508)
Heartbeat                      1-30 seconds    10-30 seconds       1-30 seconds
Fast Heartbeat Timeout         1-10 seconds    3-10 seconds        1-10 seconds
AP Retransmit Interval         2-5 seconds     3 seconds           3 seconds
AP Retrans with FH Enabled     3-8 times       3 times             3 times
AP Retrans with FH Disabled    3-8 times       5 times             5 times
AP Fallback to next WLC        12 seconds      35 seconds          35 seconds

AP Pre-Image Download in 7.0

- Since most CAPWAP APs can download and keep more than one image of 45 MB each, AP pre-image download allows the AP to download code while it is operational
- Pre-image download operation:
  1. Upgrade the image on the controller
  2. Don't reboot the controller
  3. Issue the AP pre-image download command
  4. Once all AP images are downloaded,
  5. Reboot the controller
  6. The AP now rejoins the controller without a reboot

(Diagram: Cisco WLAN controller and access points over the CAPWAP Layer 3 tunnel; AP pre-image download, then the AP joins without a download. How much time do you save?)

Configure AP Pre-Image Download

- Upgrade the image on the controller and don't reboot
- Currently we have two images on the controller:

(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0

Configure AP Pre-Image Download

- Wireless > AP > Global Configuration
- Perform Primary Image Predownload on the AP
- The AP now starts predownloading
- The AP swaps images after the reboot of the controller



AP-Groups: Default AP-Group

- The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the default AP-Group
- The default AP-Group cannot be modified
- APs with no assignment to a specific AP-Group will use the default AP-Group
- The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
- Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
- Maximum AP-Groups per controller: WLC 2106: 50; WLC 2504: 50; WLC 4400 and WiSM: 300; WLC 5508 and WiSM-2: 500; WLC 7500: 500


Default AP-Group

(Screenshot: WLAN list by network name; only WLANs 1-16 will be added in the default AP group.)


Multiple AP-Groups

(Diagram: AP Group 1, AP Group 2 and AP Group 3, each with its own set of APs.)


Interface-Groups (7.0)

- Interface-groups allow a WLAN to be mapped to a single interface or multiple interfaces
- Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round-robin fashion
- Extends the current AP group and AAA override, with multiple interfaces using interface groups

Controllers                   Interface-Groups / Interfaces
WiSM-2, 5508, 7500, 2500      64 / 64
WiSM, 4400                    32 / 32
2100 and 2504                 4 / 4



IPv6 over IPv4 Tunneling

- Prior to the WLC 6.0 release, only IPv6 pass-thru was supported, and no L2 security could be enabled on an IPv6 WLAN
- With the WLC 6.0 release, IPv6 pass-thru with Layer 2 security is supported
- To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller
- IPv6 packets are tunneled over the CAPWAP IPv4 tunnel
- The same WLAN can support both IPv4 and IPv6 clients
- IPv6 pass-thru and IPv4 Webauth are also supported on the same WLAN
- IPv6 is not supported with guest mobility anchor tunneling

Client IPv6 traffic tunneled over IPv4 and bridged to Ethernet:
  Client to AP:          802.11 | IPv6
  AP to WLC (CAPWAP):    Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
  WLC to wired network:  Ethernet II | IPv6

IPv6 Configuration on WLC 6.X

- Enable IPv6 on the WLAN and multicast on the WLC


Deploying the Cisco Unified Wireless Architecture

- Controller Redundancy and AP Load Balancing
- Understanding AP Groups
- IPv6 Deployment with Controllers
- Branch Office Designs (HREAP/FlexConnect)
  - Understanding HREAP (Hybrid REAP) AP Deployment
  - Understanding Branch Controller Deployment
- Guest Access Deployment
- Home Office Design


Branch Office Deployment

- HREAP/FlexConnect hybrid architecture
- Single management and control point
- Centralized traffic (split MAC) or local traffic (local MAC)
- HA will preserve local traffic only

(Diagram: central site across the WAN from the remote office; centralized traffic crosses the WAN to the central site, local traffic stays at the remote office.)


H-REAP Design Considerations

Some WAN limitations apply:
- RTT must be below 300 ms for data (100 ms for voice)
- Minimum 500 bytes WAN MTU (with a maximum of four fragmented packets)

Some features are not available in standalone mode or in local switching mode:
- ACL in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC)
- See the full list in the H-REAP Feature Matrix: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml


Understanding H-REAP Groups

- The WLC supports up to 20 H-REAP groups
- Each H-REAP group supports up to 25 H-REAP APs
- H-REAP groups allow sharing of:
  - CCKM fast roaming keys
  - Local user authentication
  - Local EAP authentication

(Diagram: central site connected over the WAN to two remote sites, H-REAP Group 1 and H-REAP Group 2.)


FlexConnect Improvements in New 7.0.116

- WAN survivability: the FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails
- Local authentication: allows the authentication capability to exist directly at the AP in FlexConnect instead of the WLC
- Improved scale:
  - Group scale: max HREAP groups increased to 500 (7500s) and 100 (5500s)
  - APs per group: 50 (7500s) and 25 (5500s)
- Fast roaming in remote branches: Opportunistic Key Caching (OKC) between APs in a branch


Branch Office WLAN Controller Options

- Branch Office (100-500 users, 5-25 APs), connected to Headquarters over MPLS / ATM / Frame Relay: appliance controllers, Cisco 2504-12, Cisco 5508-12, 5508-25
- Small Office (20-100 users, 1-5 APs), connected over Internet VPN: integrated controller, WLAN controller module (WLCM-2) for ISR G2
- Headquarters hosts WCS and e-mail

Branch Office WLAN Controller Options

- Cisco Unified Wireless Network with controller-based
- Multiple integrated WAN options on ISR
- Consistent branch-HQ services, features, and performance
- Standardized branch configuration extends the unified wired and wireless network
- Branch configuration management from central WCS

(Diagram: Headquarters with WCS and e-mail; Branch Office with Cisco 2504 over MPLS / ATM / Frame Relay; Small Office with WLCM-2 over Internet VPN.)

** AP count varies depending on channel utilization and data rates


Guest Access Deployment: WLAN Controller Deployments with EoIP Tunnel

- Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
- Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
- No need to define the guest VLANs on the switches connected to the remote controllers
- The original guest's Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels
- Redundant EoIP tunnels to the Anchor WLC
- 2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)

(Diagram: guest client -> CAPWAP -> wireless LAN controller -> EoIP guest tunnel -> DMZ or anchor wireless controller -> Cisco ASA firewall -> Internet.)

Summary: Key Takeaways

- Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, ...)
- Wide range of architecture / design choices
- Brand new controller portfolio (WiSM-2, WLC 7500, WLC 2504) with investment protection
- Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
- Cisco's investment into technology: NCS, ISE, new hardware, cloud controller, Cius


Documentation

- Wireless Services Module 2 (WiSM2) Deployment Guide: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
- Flex 7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
- Wireless LAN (WLAN) Configuration Examples and TechNotes: http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
- H-REAP Deployment Guide: http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
- VLAN Select Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml


Thank you.

