Steve Acker, Wireless Advanced Services Network Consulting Engineer, CCIE #14097, CISSP #86844, CWSP
BRKEWN-2010
Cisco Public
Agenda
- Controller-Based Architecture Overview
- Mobility in the Cisco Unified WLAN Architecture
- Architecture Building Blocks
- Deploying the Cisco Unified Wireless Architecture
Controller-Based Architecture Overview
- Real-time RF visibility and control
- Monitor and migrate standalone access points
- Easily configure WLAN controllers using SNMP and access points using CAPWAP
[Figure: controller-based architecture; 3rd-generation 802.11n access points reach the controller through an LWAPP/CAPWAP tunnel that carries the Management, Voice and Data VLANs]
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
[Figure: the controller terminates the CAPWAP control plane, while the data plane runs between the Wi-Fi client, the access point and the business application]
BRKEWN-2010 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
CAPWAP Modes
The CAPWAP protocol supports two modes of operation:
- Split MAC (centralized mode)
- Local MAC (H-REAP)
[Figure: Split MAC: the wireless PHY and part of the MAC sublayer stay on the AP, the rest of the MAC terminates on the WLC over the CAPWAP data plane; the STA's wireless frame leaves the WLC as an 802.3 frame]
[Figure: Local MAC: the STA's frame is bridged at the AP as an 802.3 frame]
H-REAP supports locally bridged (local MAC) and split MAC per SSID.
[Figure: CAPWAP AP state machine: Discovery, DTLS Setup, Join, Image Data, Config, Run]
AP Controller Discovery
Controller discovery order:
- Layer 2 join procedure, attempted on LWAPP APs (CAPWAP does not support Layer 2 APs): a broadcast message is sent to discover a controller on the local subnet
- Layer 3 join process, used by CAPWAP APs and by LWAPP APs after Layer 2 fails:
  - previously learned or primed controllers
  - subnet broadcast
  - DHCP option 43
  - DNS lookup
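The DHCP option 43 method above hands the AP a list of controller addresses. The following is an added example, not from the deck, that builds and checks the option 43 payload Cisco documents for its APs: a single vendor-specific TLV of type 241 (0xF1), a length of 4 bytes per controller, then the controller management IPv4 addresses; the controller addresses are constructed sample values.

```python
# Added example (not from the BRKEWN-2010 deck): encode and parse the DHCP
# option 43 payload Cisco APs use for Layer 3 controller discovery.
# Format documented by Cisco: type 0xF1 (241), length = 4 * number of
# controllers, then each controller IPv4 address as 4 raw bytes.
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # sub-option 241: CAPWAP/LWAPP controller list


def encode_option43(controllers):
    """Return the raw option 43 bytes listing the given controller IPv4s."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs or len(addrs) > 63:      # single length byte: 63 * 4 = 252 max
        raise ValueError("1..63 controller addresses required")
    body = b"".join(a.packed for a in addrs)
    return bytes([CISCO_WLC_SUBOPTION, len(body)]) + body


def ios_option43_hex(controllers):
    """Hex string for an IOS DHCP pool 'option 43 hex <string>' line."""
    return encode_option43(controllers).hex()


def decode_option43(raw):
    """Parse an option 43 payload, rejecting anything that is not a
    well-formed type-241 TLV holding a whole number of IPv4 addresses."""
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco controller sub-option (type 0xF1)")
    length, body = raw[1], raw[2:]
    if length == 0 or length != len(body) or length % 4 != 0:
        raise ValueError("bad length byte: expected 4 bytes per controller")
    return [str(ipaddress.IPv4Address(body[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    # constructed sample: the deck's 192.168.1.2 plus a second controller
    sample = ["192.168.1.2", "192.168.1.3"]
    print("option 43 hex", ios_option43_hex(sample))
    print("decoded     ", decode_option43(encode_option43(sample)))
```

A truncated or padded payload (length byte not a multiple of 4, or not matching the bytes present) is rejected rather than silently yielding a partial controller list.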
[Figure: DNS-based discovery: the AP's DHCP Request is answered with a DHCP Offer carrying Option 15, which gives the AP the local domain name; the AP then resolves CISCO-CAPWAP-CONTROLLER.localdomain to the controller at 192.168.1.2]
Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic
CAPWAP Join Response: if the controller validates the AP's request, it sends the CAPWAP Join Response, indicating that the AP is now registered with that controller.
Configuration Phase
Firmware and configuration download: the firmware is downloaded by the AP from the WLC, followed by the configuration.
[Figure: access points downloading firmware and configuration from the WLC over LWAPP-L3]
WLC 5508 supports 6.0 and 7.0. WLC 7500, WiSM-2 and WLC 2504 are only supported in 7.0.116 and up.
Mobility in the Cisco Unified WLAN Architecture
Mobility Defined
- Mobility is a key reason for wireless networks
- Mobility means the end-user device is capable of moving its location in the networked environment
- Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it is mobile
- Mobility presents new challenges:
  - Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
  - Need to support client roaming that is seamless (fast) and preserves security
- Mobility messages are exchanged between controllers
- Data is tunneled between controllers in EtherIP (RFC 3378)
[Figure: mobility group MyMobilityGroup with three controllers connected by Ethernet in IP tunnels and mobility messages]
- Controller-A, MAC AA:AA:AA:AA:AA:01, mobility group neighbors Controller-B and Controller-C
- Controller-B, MAC AA:AA:AA:AA:AA:02, mobility group neighbors Controller-A and Controller-C
- Controller-C, MAC AA:AA:AA:AA:AA:03, mobility group neighbors Controller-A and Controller-B
[Figure: mobility domain: Mobility Sub-Domain 2 and Mobility Sub-Domain 3 connected by Ethernet in IP tunnels and mobility messages]
All this can be on the order of seconds. Can we make this faster?
Roaming Requirements
Roaming must be fast. Latency can be introduced by:
- Client channel scanning and AP selection algorithms
- Re-authentication of the client device and re-keying
- Refreshing of the IP address
- Eliminating the (re)IP address acquisition challenge
- Eliminating full 802.1X/EAP reauthentication
[Figure: inter-controller roam: the client database entry (MAC, IP, QoS, Security) is held by WLC-2; in the Layer 3 case a data tunnel to the foreign controller carries the client's data back to VLAN Z]
Roaming: Inter-Controller, Layer 3
- L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and client traffic is bridged onto different subnets
- The client must be re-authenticated and a new security session established
- The client database entry is copied to the new controller; the entry exists in both WLC client DBs
- The original controller is tagged as the anchor, the new controller as the foreign
- WLCs must be in the same mobility group or domain
- No IP address refresh is needed
- Account for the mobility message exchange in the network design
Eliminating full 802.1X/EAP reauthentication
802.1X authentication in wireless today requires a roaming client to reauthenticate, adding 500+ ms to the roam.
[Figure: client roaming from AP1 to AP2]
OKC/PKC
Key data points:
- A client device can skip the 802.1X authentication with an access point and only needs to perform the 4-way handshake when roaming to access points that are centrally managed by the same WLC
- Supported in Windows since XP SP2
- Enabled by default on WLCs with WPAv2
- Requires WLCs to be in the same mobility group
- In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 ms range
Network latency will have an impact on these times, which is a consideration for controller placement. With a fast secure roaming technology, roam times under 150 ms are consistently achievable, though mileage may vary.
Architecture Building Blocks
Identity Services Engine
- Distributed enforcement
- AAA services
- Posture assessment
- Guest access services
- Device profiling
[Figure: ISE device profiling with an iPad template and a custom template gating access to corporate resources]
[Figure: ISE Change of Authorization (CoA) steering a client to Corporate or Internet access]
[Figure: customizable profiles]
Deploying the Cisco Unified Wireless Architecture
Controller Redundancy: Dynamic
- Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
- Results in a dynamic salt-and-pepper design
- The design works better when controllers are clustered in a centralized design
Pros
- Easy to deploy and configure, less upfront work
- APs dynamically load-balance (though never perfectly)
Cons
- More inter-controller roaming
- Bigger operational challenges due to unpredictability
- Longer failover times
- No fallback option in the event of controller failure
Cisco's general recommendation:
- Only for Layer 2 roaming
- Use deterministic redundancy instead of dynamic redundancy
Controller Redundancy: Deterministic
Controller priority lists configured on the APs (WLAN-Controller-A, WLAN-Controller-B, WLAN-Controller-C):
- Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C
- Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A
- Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B
Pros
- Predictability, easier operational management
- More network stability
- More flexible and powerful redundancy design options
- Faster failover times
- Fallback option in the case of failover
Con
- More upfront planning and configuration
[Figure: redundant switch pair running HSRP, with a Primary WiSM and a Secondary WiSM, a WLC 5508 appliance, and FWSM and WiSM-2 modules in active/standby]
In case of an uplink failure of the primary switch, the standby switch becomes the HSRP active switch; APs are still connected to the primary WiSM and traffic flows through the new HSRP active switch.
Controller Redundancy: High Availability
High availability principles:
- The AP is registered with a WLC and maintains a backup list of WLCs
- The AP uses heartbeats to validate WLC connectivity
- The AP uses the Primary Discovery message to validate the backup WLC list
- When the AP loses three heartbeats, it starts the join process to the first backup WLC candidate
- The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
- The AP does not re-initiate the discovery process
[Figure: AP with a Primary WLC and a Secondary WLC]
Controller Redundancy: High Availability with 7.0
To accommodate both local and remote settings, configurable options are provided so that the administrator can fine-tune the settings based on requirements.
New timers (configurable ranges):
- Heartbeat: 1-30 seconds
- Fast Heartbeat Timeout: 1-10 seconds
- AP Retransmit Interval: 2-5 seconds
- AP Retransmit count with Fast Heartbeat enabled: 3-8 times
- AP Retransmit count with Fast Heartbeat disabled: 3-8 times
Old timers (5508 and non-5508): 12 seconds
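The high availability principles and the 7.0 timer ranges above describe the AP side of a controller failover. The following is an added example, not from the deck, that models that behaviour: the AP counts missed heartbeats, declares its controller lost after three, and joins the first alive controller in the documented order instead of re-running discovery; the controller names and liveness are constructed sample data, and the timer bounds are the ranges on the slide.

```python
# Added example (not from the BRKEWN-2010 deck): AP-side failover model.
# Backup order from the slides: primary, secondary, tertiary, global primary,
# global secondary. Controller names here are constructed sample values.
TIMER_RANGES = {  # (min, max) as listed on the "High Availability with 7.0" slide
    "heartbeat_s": (1, 30),
    "fast_heartbeat_timeout_s": (1, 10),
    "ap_retransmit_interval_s": (2, 5),
    "ap_retransmit_count": (3, 8),
}
MISSED_HEARTBEATS_TO_FAIL = 3  # "when the AP loses three heartbeats"


def validate_timers(timers):
    """Reject any HA timer outside the configurable range on the slide."""
    bad = {k: v for k, v in timers.items()
           if k not in TIMER_RANGES
           or not TIMER_RANGES[k][0] <= v <= TIMER_RANGES[k][1]}
    if bad:
        raise ValueError(f"timer(s) out of range: {bad}")
    return True


def pick_backup(candidates, alive):
    """First alive controller in configured order, or None if all are down."""
    return next((c for c in candidates if c and c in alive), None)


class ApFailover:
    def __init__(self, current, primary, secondary=None, tertiary=None,
                 global_primary=None, global_secondary=None):
        self.current = current
        self.candidates = [primary, secondary, tertiary,
                           global_primary, global_secondary]
        self.missed = 0

    def heartbeat(self, acked, alive):
        """Feed one heartbeat result. Returns the controller the AP joins on
        failover, or None while the current controller is still considered up."""
        if acked:
            self.missed = 0          # any answered heartbeat resets the count
            return None
        self.missed += 1
        if self.missed < MISSED_HEARTBEATS_TO_FAIL:
            return None
        self.missed = 0
        new = pick_backup(self.candidates, alive)  # no discovery re-run
        if new is not None:
            self.current = new
        return new
```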
AP Pre-image Download
[Figure: access points receiving the new image in advance from the WLC over CAPWAP-L3]
AP-Groups
Default AP-Group:
- The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the default AP-Group
- The default AP-Group cannot be modified
- APs with no assignment to a specific AP-Group use the default AP-Group
- The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
- Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
Maximum AP groups per controller: WLC 2106: 50; WLC 2504: 50; WLC 4400 and WiSM: 300; WLC 5508 and WiSM-2: 500; WLC 7500: 500
[Figure: Default AP-Group: a network name (SSID) mapped through the default AP group]
[Figure: Multiple AP-Groups: AP Group 1, AP Group 2 and AP Group 3]
Interface-Groups (7.0)
- Interface-groups allow a WLAN to be mapped to a single interface or to multiple interfaces
- Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round-robin fashion
- Extends the current AP group and AAA override features with multiple interfaces using interface groups
Interface-groups/interfaces per controller: WiSM-2, 5508, 7500, 2500: 64/64; WiSM, 4400: 32/32; 2100 and 2504: 4/4
[Figure: IPv6 client traffic: 802.11 | IPv6 on the air, Ethernet II | IPv6 on the wire]
[Figure: H-REAP: centralized traffic from the remote office to the central site, local traffic switched at the remote office]
Some features are not available in standalone mode or in local switching mode: ACLs in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC). See the full list in the H-REAP Feature Matrix: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Each H-REAP group supports up to 25 H-REAP APs. H-REAP groups allow sharing of:
- CCKM fast roaming keys
- Local user authentication
- Local EAP authentication
[Figure: remote site with H-REAP Group 1 connected to the controller across the WAN]
Local Authentication
- Allows the authentication capability to exist directly at the AP in FlexConnect instead of at the WLC
Improved Scale
- Group scale: maximum H-REAP groups increased to 500 (7500s) and 100 (5500s)
- APs per group: 50 (7500s) and 25 (5500s)
[Figure: headquarters and branch office with appliance controllers (Cisco 2504-12, Cisco 5508-12, 5508-25); small office over Internet VPN with an integrated controller, the WLAN controller module (WLCM-2) for ISR G2]
Headquarters
- Cisco Unified Wireless Network, controller-based
- Multiple integrated WAN options on ISR
- Consistent branch-HQ services, features, and performance
- Standardized branch configuration extends the unified wired and wireless network
- Branch configuration management from central WCS
Small Office over Internet VPN: WLCM-2 ** (**AP count varies depending on channel utilization and data rates)
[Figure: guest access: an EoIP guest tunnel from the internal Wireless LAN Controller to a DMZ (anchor) wireless controller behind a Cisco ASA firewall, with guest traffic exiting to the Internet; APs reach the internal controller over CAPWAP]
Documentation
Wireless Services Module 2 (WiSM2) Deployment Guide: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
Thank you.