You are on page 1of 80

Cisco Unified Wireless Network Overview

Steve Acker Wireless Advanced Services Network Consulting Engineer CCIE#14097 CISSP#86844 CWSP

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

1

Agenda
 Controller-Based Architecture Overview  Mobility in the Cisco Unified WLAN Architecture  Architecture Building Blocks  Deploying the Cisco Unified Wireless Architecture

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

2

Agenda
 Controller-Based Architecture Overview  Mobility in the Cisco Unified WLAN Architecture  Architecture Building Blocks  Deploying the Cisco Unified Wireless Architecture

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

3

Cisco Unified Wireless Network
Architecture Overview
 802.11n and 802.11a/g  Highly scalable
Mobility Services Engine (MSE) Wireless Control System (WCS) Wireless LAN Controller

 Real-time RF visibility and control  Monitor and migrate standalone access points  Easily configure
– WLAN controllers using SNMP – Access points using CAPWAP

CAPWAP

Standalone Access Points

802.11n

 Built-in support for Mobility Services
– Context–Aware Services (Location) – Adaptive Wireless Intrusion Prevention System (wIPS)

Lightweight Access Points

Client Devices and Wi-Fi Tags
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

 Wired and wireless guest access
4

putting client traffic on local VLANs  3rd generation: Controller bridges client traffic centrally 1st/2nd Generation Data VLAN Management VLAN Voice VLAN 3rd Generation Data VLAN Management VLAN LWAPP/CAPWAP Tunnel Voice VLAN BRKEWN-2010 © 2011 Cisco and/or its affiliates.1Q translational bridge. Cisco Public 5 .Understanding WLAN Controllers 1st/2nd Generation vs. 3rd Generation Approach  1st/2nd generation: APs act as 802. All rights reserved.

and conversion to a CAPWAP controller is seamless Business Application Access Point Wi-Fi Client Data Plane CAPWAP Controller Control Plane BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 6 . All rights reserved.Centralized Wireless LAN Architecture What Is CAPWAP?  CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller and based on LWAPP  CAPWAP carries control and data traffic between the two Control plane is DTLS encrypted (Datagram Transport Layer Security) Data plane is DTLS encrypted (optional)  LWAPP-enabled access points can discover and join a CAPWAP controller.

3 Frame STA AP WLC BRKEWN-2010 © 2011 Cisco and/or its affiliates.CAPWAP Modes Split MAC  The CAPWAP protocol supports two modes of operation Split MAC (centralized mode) Local MAC (H-REAP)  Split MAC Wireless Frame Wireless Phy MAC Sublayer CAPWAP Data Plane 802. All rights reserved. Cisco Public 7 .

Cisco Public 8 .11 protocol are managed by the WLC. All rights reserved.CAPWAP Modes – Split MAC  One of the key concepts of the LWAPP is concept of split MAC  The Real Time RF part of the 802.11 protocol operation is managed by the LWAPP AP  Non Real Time parts of the 802. BRKEWN-2010 © 2011 Cisco and/or its affiliates.

CAPWAP Modes . Cisco Public 9 .Local MAC  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802. All rights reserved.3 frames  Locally bridged Wireless Frame Wireless Phy MAC Sublayer 802.3 Frame STA AP WLC BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Cisco Public 10 . All rights reserved.3 frames Wireless Frame Wireless Phy MAC Sublayer 802.CAPWAP Modes – Local MAC  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames  Tunneled as 802.3 Frame STA AP WLC  H-REAP support locally bridged MAC and split MAC per SSID BRKEWN-2010 © 2011 Cisco and/or its affiliates.3 Frame CAPWAP Data Plane 802.

All rights reserved. Cisco Public 11 .CAPWAP State Machine AP Boots UP Reset Discovery Image Data DTLS Setup Run Join Config BRKEWN-2010 © 2011 Cisco and/or its affiliates.

AP Controller Discovery Controller Discovery Order  Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs) Broadcast message sent to discover controller on a local subnet  Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails Previously learned or primed controllers Subnet broadcast DHCP option 43 DNS lookup BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 .

All rights reserved.AP Controller Discovery: DHCP Option DHCP Server DHCP Offer 1 DHCP Request 2 Layer 3 CAPWAP Discovery Request Broadcast 3 Layer 3 CAPWAP Discovery Responses © 2011 Cisco and/or its affiliates. Cisco Public DHCP Offer Contains Option 43 for Controller BRKEWN-2010 13 .

1.1.AP Controller Discovery: DNS Option DNS Server DHCP Server CISCO-CAPWAP-CONTROLLER. Cisco Public 14 .2 DHCP Request 2 1 DHCP Offer with Option 15 to give APs the Local Domain name 192.168.168. All rights reserved.localdomain 192.2 3 DHCP Offer Contains DNS Server or Servers 4 BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)  Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic BRKEWN-2010 © 2011 Cisco and/or its affiliates. and AP Manager IP address or addresses  AP selects a controller to join using the following decision criteria 1. controller type. or tertiary controller name 3. All rights reserved. current AP load. controller AP capacity. Attempt to join a WLAN Controller configured as a “Master” controller 2. secondary. “Master Controller” status. Attempt to join a WLAN Controller with matching name of previously configured primary.WLAN Controller Selection Algorithm  CAPWAP Discovery Response contains important information from the WLAN Controller Controller name. Cisco Public 15 .

CAPWAP Control Messages for Join Process  CAPWAP Join Request: AP sends this messages to selected controller (sent to AP Manager Interface IP address) CAPWAP Join Request  CAPWAP Join Response: If controller validates AP request. All rights reserved. Cisco Public 16 . it sends the CAPWAP Join Response indicating that the AP is now registered with that controller CAPWAP Join Response BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Cisco Public LWAPP-L3 Firmware digitally signed by Cisco Firmware Download Firmware downloaded only if needed.Configuration Phase Firmware and Configuration Download  Firmware is downloaded by the AP from the WLC Configuration Download Cisco WLAN Controller  Network configuration is downloaded by the AP from the WLC Configuration is encrypted in the CAPWAP tunnel Configuration is applied Access Points BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. AP reboots after the download 17 .

Which Software Version Should I Use?  WLC 5508 supports 6.116 and up BRKEWN-2010 © 2011 Cisco and/or its affiliates.0  WLC7500.0. All rights reserved. WiSM-2 and WLC2504 only supported in 7. Cisco Public 18 .0 and 7.

Cisco Public 19 . All rights reserved.Agenda  Controller-Based Architecture Overview  Mobility in the Cisco Unified WLAN Architecture  Architecture Building Blocks  Deploying the Cisco Unified Wireless Architecture BRKEWN-2010 © 2011 Cisco and/or its affiliates.

All rights reserved. Cisco Public 20 .Mobility Defined  Mobility is a key reason for wireless networks  Mobility means the end-user device is capable of moving its location in the networked environment  Roaming occurs when a wireless client moves association from one AP and re-associates to another. typically because it’s mobile!  Mobility presents new challenges: Need to scale the architecture to support client roaming— roaming can occur intra-controller and inter-controller Need to support client roaming that is seamless (fast) and preserves security BRKEWN-2010 © 2011 Cisco and/or its affiliates.

All rights reserved. AA:AA:AA:AA:AA:03 Mobility Messages 21 . AA:AA:AA:AA:AA:01 Controller-C. Cisco Public Controller-C MAC: AA:AA:AA:AA:AA:03 Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-A. AA:AA:AA:AA:AA:02 Ethernet in IP Tunnel  Support for up to 24 controllers.Scaling the Architecture with Mobility Groups  Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries  APs learn the IPs of the other members of the mobility group after the LWAPP Join process Controller-B MAC: AA:AA:AA:AA:AA:02  Mobility messages exchanged between controllers  Data tunneled between controllers in EtherIP (RFC 3378) BRKEWN-2010 © 2011 Cisco and/or its affiliates. AA:AA:AA:AA:AA:02 Controller-C. 3600 APs per mobility group Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-A. AA:AA:AA:AA:AA:01 Controller-B. AA:AA:AA:AA:AA:03 Controller-A MAC: AA:AA:AA:AA:AA:01 Mobility Group Name: MyMobilityGroup Mobility Group Neighbors: Controller-B.

Cisco Public 22 .Increased Mobility Scalability  Roaming is supported across three mobility groups (3 * 24 = 72 controllers)  With Inter Release Controller Mobility (IRCM) roaming is supported between 4.0.0 Mobility Sub-Domain 1 Ethernet in IP Tunnel Mobility Sub-Domain 3 Ethernet in IP Tunnel Ethernet in IP Tunnel Mobility Sub-Domain 2 Mobility Messages BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved.2.188 and 7.207 and 6.

11 Association + 802.1X/EAP Authentication + Rekeying + IP address (re) acquisition  All this can be on the order of seconds… Can we make this faster? BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 23 . All rights reserved.How Long Does an STA Roam Take?  Time it takes for: Client to disassociate + Probe for and select a new AP + 802.

1x. 802. WPA/WPAv2 Enterprise—Client must be reauthenticated and new session key derived for encryption BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 24 .11i. static WEP—session continues on new AP WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes 802.Roaming Requirements  Roaming must be fast … Latency can be introduced by: Client channel scanning and AP selection algorithms Re-authentication of client device and re-keying Refreshing of IP address  Roaming must maintain security Open auth. All rights reserved.

Cisco Public 25 . All rights reserved.How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact  Eliminating the (re)IP address acquisition challenge  Eliminating full 802.1X/EAP reauthentication BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Security) WLC-2 Mobility Message Exchange Preroaming Data Path BRKEWN-2010 © 2011 Cisco and/or its affiliates. QoS. QoS.Intra-Controller Roaming: Layer 3 VLAN X WLC-1 Client Client Data Database (MAC. All rights reserved. Cisco Public 26 . IP. IP. Security) WLC-1 VLAN Z Client Data WLC-2 Client Database (MAC.

Security) Mobility Message Exchange VLAN Z Client Data WLC-2 Client Database (MAC. QoS. All rights reserved.Client Roaming Between Subnets: Layer 3 (Cont. Cisco Public 27 . IP. IP. Security) WLC-2 Data Tunnel Foreign Controller WLC-1 Anchor Controller Preroaming Data Path Client Roams to a Different AP BRKEWN-2010 © 2011 Cisco and/or its affiliates. QoS.) VLAN X WLC-1 Client Client Data Database (MAC.

Cisco Public 28 . new controller tagged as the “foreign”  WLCs must be in same mobility group or domain  No IP address refresh needed  Account for mobility message exchange in network design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved.Roaming: Inter-Controller Layer 3  L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets  Client must be re-authenticated and new security session established  Client database entry copied to new controller – entry exists in both WLC client DBs  Original controller tagged as the “anchor”.

All rights reserved. Cisco Public 29 .1X/EAP reauthentication BRKEWN-2010 © 2011 Cisco and/or its affiliates.How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact Eliminating the (re)IP address acquisition challenge  Eliminating full 802.

incurring an additional 500+ ms to the roam 2.1X Initial Authentication Transaction AP1 Note: Mechanism Is Needed to Centralize Key Distribution BRKEWN-2010 © 2011 Cisco and/or its affiliates. 802. All rights reserved.1X authentication in wireless today requires a roaming client to reauthenticate. Cisco Public 30 .Fast Secure Roaming Standard Wi-Fi Secure Roaming  802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms WAN Cisco AAA Server (ACS or ISE)  802. 802.1X Reauthentication After Roaming AP2 1.

CCKM roam times consistently measure in the 5-8 msec range!  To work across WLCs.2 release  In highly controlled test environments.11i). Cisco Public 31 . WLCs must be in the same mobility group  When a client device roams. BRKEWN-2010 © 2011 Cisco and/or its affiliates.Cisco Centralized Key Management (CCKM)  Cisco introduced CCKM in CCXv2 (pre-802. especially with application specific devices (ASDs)  CCKM ported to CUWN architecture in 3. All rights reserved. so widely available. he WLC forwards the client's security credentials to the new AP.

if PMK is found.1X requests from roaming clients  From the 802. both of them may cache the PMK record to be used later. it must then authenticate to that specific access point using 802. AP can use them to retrieve PMK record from its own PMK cache.11i specification: Whenever an AP and a STA have successfully passed dot1x-based authentication.11i Pairwise Master Key (PMK) Caching  WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802. All rights reserved. When a STA is (re-)associates to an AP.Fast Secure Roaming WPA2/802. Cisco Public 32 .1x. However. and matches the STA MAC address. and directly starts WPA2 four-way key handshake session with the STA BRKEWN-2010 © 2011 Cisco and/or its affiliates. if a client has not roamed to a particular access point during its current working session. AP can bypass dot1x authentication process. it may attach a list of PMK IDs (which were derived via dot1x process with this AP before) in the (re)association request frame When PMK ID exists.

All rights reserved. OKC/PKC roam times consistently measure in the 10-20 msec range! BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 33 .  Supported in Windows since XP SP2  Enabled by default on WLCs with WPAv2  Requires WLCs to be in the same mobility group  In highly controlled test environments.1x authentication with an access point and only needs to perform the 4 way handshake when roaming to access points that are centrally managed by the same WLC.OKC/PKC Key Data Points  A client device can skip the 802.

11 Association + Mobility message exchange between WLCs + Reauthentication + Rekeying + IP address (re) acquisition  Network latency will have an impact on these times – consideration for controller placement  With a fast secure roaming technology.How Long Does a Client Really Take to Roam?  Time to roam = Client to disassociate + Probe for and select a new AP + 802. Cisco Public 34 . All rights reserved. though mileage may vary BRKEWN-2010 © 2011 Cisco and/or its affiliates. roam times under 150 msecs are consistently achievable.

though proliferation of small form factor. Cisco Public 35 . All rights reserved.How Often Do Clients Roam?  It depends… types of clients and applications  Most client devices are designed to be “nomadic” rather than “mobile”. “smart” devices will probably change this…  Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly  Design rule of thumb: 10-20 roams per second for every 5000 clients BRKEWN-2010 © 2011 Cisco and/or its affiliates.

WLC CPU is doing the processing – not as much of a big deal for 5508 which has dedicated management/control processor  L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size  Leverage natural roaming domain boundaries  Make sure the right ports and protocols are allowed BRKEWN-2010 © 2011 Cisco and/or its affiliates.Designing a Mobility Group/Domain Design Considerations  Less roaming is better – clients and apps are happier  While clients are authenticating/roaming. Cisco Public 36 . All rights reserved.

Agenda  Controller-Based Architecture Overview  Mobility in the Cisco Unified WLAN Architecture  Architecture Building Blocks  Deploying the Cisco Unified Wireless Architecture BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 37 . All rights reserved.

0 and Identity Services Engine • Centralized Policy ACS • Distributed Enforcement • AAA Services • Posture Assessment • Guest Access Services • Device Profiling Identity Services Engine NAC Profiler NAC Guest NAC Manager NAC Server • Monitoring • Troubleshooting • Reporting *Current NAC and ACS Hardware Platform Is Software Upgradable to ISE BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved.TrustSec 2. Cisco Public 38 .

All rights reserved. .ISE Integrated Device Profiling “iPad Template” Custom Template Visibility for Wired and Wireless Devices BRKEWN-2010 Simplified “Device Category” Policy Cisco Public New Device Templates via Subscription Feeds 39 © 2011 Cisco and/or its affiliates.

ISE Integrated Device Profiling    Users. All rights reserved. can be associated to different wired VLAN interfaces after EAP authentication Employee using corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network Employee using personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only ISE ISE 1 EAP Authentication 2 Accept with VLAN 30 Employee VLAN 30 CAPWAP 4 Accept with VLAN 40 Corporate Resources Same-SSID 802.1Q TrunkVLAN 40 Employee 3 EAP Authentication Internet BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 40 . using the same SSID.

Cisco Public 41 . All rights reserved.ISE Integrated Device Profiling  Example: VLAN 30 (Corporate access ) VLAN 40 (Internet access) Corporate Internet BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Cisco Public 42 .ISE Integrated Device Profiling • ISE Setup – Authorization Profiles redirect VLAN. All rights reserved. CoA… Laptop Assign VLAN 30 iPad Assign VLAN 40 BRKEWN-2010 © 2011 Cisco and/or its affiliates. Override ACL.

Cisco Public 43 . All rights reserved.ISE Integrated Device Profiling  WLC CoA Setup – Pre-Auth ACL. allows ALL client traffic to ISE  WLAN – Dot1X. AAA Override and Radius NAC enabled. Permit ANY to ISE (IP ( Addr) ) BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Cisco Public 44 . All rights reserved. authorization and accounting requests from Network Access  DHCP (helper or span)  HTTP user agent (span) Customizable Profiles BRKEWN-2010 © 2011 Cisco and/or its affiliates.ISE Integrated Device Profiling  RADIUS probe (information about authentication.

Agenda  Controller-Based Architecture Overview  Mobility in the Cisco Unified WLAN Architecture  Architecture Building Blocks  Deploying the Cisco Unified Wireless Architecture BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 45 . All rights reserved.

Deploying the Cisco Unified Wireless Architecture  Controller Redundancy and AP Load Balancing  Understanding AP Groups  IPv6 Deployment with Controllers  Branch Office Designs  Guest Access Deployment  Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 46 .

Cisco Public 47 .Deploying the Cisco Unified Wireless Architecture  Controller Redundancy and AP Load Balancing  Understanding AP Groups  IPv6 Deployment with Controllers  Branch Office Designs  Guest Access Deployment  Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved.

All rights reserved. Cisco Public 48 .Controller Redundancy Dynamic  Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers  Results in dynamic “salt-and-pepper” design  Design works better when controllers are “clustered” in a centralized design  Pros Easy to deploy and configure—less upfront work APs dynamically load-balance (though never perfectly)  Cons More intercontroller roaming Bigger operational challenges due to unpredictability Longer failover times No “fallback” option in the event of controller failure  Cisco’s general recommendation is: Only for Layer 2 roaming  Use deterministic redundancy instead of dynamic redundancy BRKEWN-2010 © 2011 Cisco and/or its affiliates.

and/or tertiary controller Assigned from controller interface (per AP) or WCS (template-based)  Pros Predictability—easier operational management More network stability Primary: WLAN-Controller-A Secondary: WLAN-Controller-B Tertiary: WLAN-Controller-C Primary: WLAN-Controller-B Secondary: WLAN-Controller-C Tertiary: WLAN-Controller-A Primary: WLAN-Controller-C Secondary: WLAN-Controller-A Tertiary: WLAN-Controller-B More flexible and powerful redundancy design options Faster failover times “Fallback” option in the case of failover  Con More upfront planning and configuration  This is Cisco’s recommended best practice BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved.Controller Redundancy Deterministic WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C  Administrator statically assigns APs a primary. Cisco Public 49 . secondary.

50 .High Availability Using Cisco 5508  APs are connected to primary WLC 5508  In case of hardware failure of WLC 5508  AP’s fall back to secondary WLC Secondary 5508 WLC5508  Traffic flows through the secondary WLC 5508 and primary core switch Cisco Public Si Si Si Si Primary WLC5508 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved.

51 . All rights reserved.High Availability Using WiSM: Uplink Failure on Primary Switch S N Si Si Active HSRP Switch Primary WiSM  In case of uplink failure of the primary switch  Standby switch Standby becomes the HSRP Switch active HSRP New Active switch HSRP Switch  APs are still connected to primary WiSM  Traffic flows thru the new HSRP active switch Cisco Public BRKEWN-2010 © 2011 Cisco and/or its affiliates.

High Availability Using WiSM-2
 APs are connected to primary WiSM  In case of hardware failure of primary WiSM  AP’s fall back to secondary WiSM  Traffic flows thru the secondary WiSM and primary core switch
52

Si

Si

Primary WiSM

Secondary WiSM

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

VSS and Cisco 5508
 Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch  4 ports of Cisco 5508 are connected to active VSS switch  2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch  In case of failure of primary switch traffic continues to flow through secondary switch in the VSS pair

Catalyst VSS Pair

Cisco 5508

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

53

VSS and WiSM-2

Virtual Switch System (VSS)

Switch-1 (VSS Active) Control Plane Active VSL

Switch-2 (VSS Standby) Control Plane Standby

Data Plane Active

Failover/State Sync VLAN

Data Plane Active

FWSM Active

FWSM Standby

WiSM-2 Active

WiSM-2 Standby

BRKEWN-2010

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

54

Controller Redundancy
High Availability High Availability Principles
 AP is registered with a WLC and maintain a backup list of WLC  AP use heartbeats to validate WLC connectivity  AP use Primary Discovery message to validate backup WLC list  When AP lose three heartbeats it start join process to first backup WLC candidate  Candidate Backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary  AP do not re-initiate discovery process
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Primary WLC

Secondary WLC

55

All rights reserved.Controller Redundancy High Availability with 7. There Are Configurable Options Provided.0 To Accommodate Both Local and Remote Settings. . so that Administrator Can Fine Tune the Settings Based on the Requirements New Timers Heartbeat: Fast Heartbeat Timeout: AP Retransmit Interval: AP Retrans with FH Enabled: AP Retrans with FH Disabled: Old Timers-5508 Old Timers-Non-5508 AP Fallback to next WLC BRKEWN-2010 1-30 Seconds 1-10 Seconds 2-5 Seconds 3-8 Times 3-8 Times 12 Seconds 10-30 Seconds 3-10 Seconds 3 Seconds 3 Times 5 Times 35 Seconds Cisco Public 1-30 Seconds 1-10 Seconds 3 Seconds 3 Times 5 Times 35 Seconds 56 © 2011 Cisco and/or its affiliates.

Upgrade the image on the controller 2. Cisco Public Cisco WLAN Controller AP Joins Without Download AP Pre-image Download Access Points How Much Time You Save? 57 CAPWAP-L3 . Issue AP pre-image download command 4.0  Since most CAPWAP APs can download and keep more than one image of 4–5 MB each  AP pre-image download allows AP to download code while it is operational  Pre-Image download operation 1. Reboot the controller 6. All rights reserved. Don’t reboot the controller 3.AP Pre-Image Download in 7. AP now rejoins the controller without reboot BRKEWN-2010 © 2011 Cisco and/or its affiliates. Once all AP images are downloaded 5.

..98......... 7.......0..... 7.0..0 BRKEWN-2010 © 2011 Cisco and/or its affiliates.................Configure AP Pre-Image Download  Upgrade the image on the controller and don’t reboot  Currently we have two images on the controller (Cisco Controller) >show boot Primary Boot Image...0 (default) (active) Backup Boot Image........... All rights reserved..... Cisco Public 58 .....116.....

All rights reserved. Cisco Public 59 .Configure AP Pre-Image Download Wireless > AP > Global Configuration Perform Primary Image Predownloaded on the AP AP Now Starts Predownloading AP Now Swaps Image After Reboot of the Controller BRKEWN-2010 © 2011 Cisco and/or its affiliates.

All rights reserved. Cisco Public 60 .Deploying the Cisco Unified Wireless Architecture  Controller Redundancy and AP Load Balancing  Understanding AP Groups  IPv6 Deployment with Controllers  Branch Office Designs  Guest Access Deployment  Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates.

AP-Groups Default AP-Group  The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group  Default AP-Group cannot be modified  APs with no assignment to an specific AP-Group will use the Default AP-Group  The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups  Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups  WLC 2106 (AP groups: 50). Cisco Public 61 . WLC 5508 & WiSM-2 (AP groups: 500). All rights reserved. WLC 7500 (AP Groups : 500) BRKEWN-2010 © 2011 Cisco and/or its affiliates. WLC 2504 (AP groups:50) WLC 4400 and WiSM (AP groups: 300).

Default AP-Group Network Name Default AP Group Only WLANs 1–16 Will Be Added in Default AP Group BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 62 . All rights reserved.

Multiple AP-Groups AP Group 1 AP Group 2 AP Group 3 BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 63 . All rights reserved.

All rights reserved. 7500. 2500 WiSM. Cisco Public 64 . with multiple interfaces using interface groups  Controllers WiSM-2.Interface-Groups 7. 4400 2100 and 2504 Interface-Groups/Interfaces 64/64 32/32 4/4 BRKEWN-2010 © 2011 Cisco and/or its affiliates. 5508.0  Interface-groups allows for a WLAN to be mapped to a single interface or multiple interfaces  Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion  Extends current AP group and AAA override.

All rights reserved. Cisco Public 65 .Deploying the Cisco Unified Wireless Architecture  Controller Redundancy and AP Load Balancing  Understanding AP Groups  IPv6 Deployment with Controllers  Branch Office Designs  Guest Access Deployment  Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates.

IPv6 over IPv4 Tunneling  Prior to WLC 6.11| IPv6 BRKEWN-2010 Ethernet II | IPv4 | CAPWAP | 802. IPv6 pass-thru is only supported but no L2 security can be enabled on IPv6 WLAN  With WLC 6. IPv6 pass-thru with Layer 2 security supported  To use IPv6 bridging.0 release.0 release.11 | IPv6 Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. Ethernet Multicast Mode (EMM) must be enabled on the controller  IPv6 packets are tunneled over CAPWAP IPv4 tunnel  Same WLAN can support both IPv4 and IPv6 clients  IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN  IPv6 is not supported with guest mobility anchor tunneling Client IPv6 Traffic Tunneled over IPv4 and Bridged to Ethernet CAPWAP Tunnel Ethernet II | IPv6 802. 66 .

IPv6 Configuration on WLC 6. All rights reserved. Cisco Public 67 .X  Enable IPv6 on the WLAN and multicast on the WLC BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Cisco Public 68 . All rights reserved.Deploying the Cisco Unified Wireless Architecture  Controller Redundancy and AP Load Balancing  Understanding AP Groups  IPv6 Deployment with Controllers  Branch Office Designs (HREAP/FlexConnect) Understanding HREAP (Hybrid) REAP AP Deployment Understanding Branch Controller Deployment  Guest Access Deployment  Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Branch Office Deployment HREAP/FlexConnect  Hybrid architecture  Single management and control point Centralized traffic (split MAC) Or Local traffic (local MAC) WAN Centralized Traffic Central Site Centralized Traffic  HA will preserve local traffic only Local Traffic Remote Office BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 69 . All rights reserved.

shtml BRKEWN-2010 © 2011 Cisco and/or its affiliates.cisco. Cisco Public 70 . MAC/Web Auth in standalone mode.H-REAP Design Considerations  Some WAN limitations apply RTT must be below 300 ms data (100 ms voice) Minimum 500 bytes WAN MTU (with maximum four fragmented packets)  Some features are not available in standalone mode or in local switching mode ACL in local switching.com/en/US/products/ps6366/products_tech _note09186a0080b3690b. PMK caching (OKC) See full list in « H-REAP Feature Matrix » http://www. All rights reserved.

All rights reserved.Understanding H-REAP Groups  WLC supports up to 20 H-REAP groups Central Site  Each H-REAP group supports up to 25 H-REAP APs  H-REAP groups allow sharing of: CCKM fast roaming keys Local user authentication Local EAP authentication Remote Site WAN Remote Site H-REAP Group 2 H-REAP Group 1 BRKEWN-2010 © 2011 Cisco and/or its affiliates. Cisco Public 71 .

Cisco Public 72 .116  WAN Survivability FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails  Local Authentication Allows for the authentication capability to exist directly at the AP in FlexConnect instead of the WLC  Improved Scale Group Scale: Max HREAP groups increased to 500 (7500s) and 100 (5500s) APs per Group: 50 (7500s) and 25 (5500s)  Fast Roaming in Remote Branches Opportunistic Key Caching (OKC) between APs in a branch BRKEWN-2010 © 2011 Cisco and/or its affiliates.0. All rights reserved.FlexConnect Improvements in New 7.

Cisco Public 73 . All rights reserved.Deploying the Cisco Unified Wireless Architecture  Controller Redundancy and AP Load Balancing  Understanding AP Groups  IPv6 Deployment with Controllers  Branch Office Designs Understanding HREAP/FlexConnect Deployment Understanding Branch Controller Deployment  Guest Access Deployment  Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Cisco Public Number of Users: 20–100 Number of APs: 1–5 74 . 5508-25 Internet VPN Small Office  Integrated controller WLAN controller module (WLCM-2) for ISR G2 BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved.Branch Office WLAN Controller Options WCS E-Mail Number of Users: 100–500 Number of APs: 5–25 Headquarters MPLS ATM Frame Relay Branch Office  Appliance controllers Cisco 2504-12 Cisco 5508-12.

Branch Office WLAN Controller Options WCS E-Mail Cisco 2504 *** Branch Office MPLS ATM Frame Relay Headquarters  Cisco Unified Wireless Network with controller-based  Multiple Integrated WAN options on ISR  Consistent branch-HQ services. All rights reserved. and performance  Standardized branch configuration extends the unified wired and wireless network  Branch configuration management from central WCS BRKEWN-2010 Small Office Internet VPN WLCM-2 ** **AP Count Vary Depending on Channel Utilization and Data Rates Cisco Public © 2011 Cisco and/or its affiliates. features. 75 .

Cisco Public 76 . All rights reserved.Deploying the Cisco Unified Wireless Architecture  Controller Redundancy and AP Load Balancing  Understanding AP Groups  IPv6 Deployment with Controllers  Branch Office Designs  Guest Access Deployment  Home Office Design BRKEWN-2010 © 2011 Cisco and/or its affiliates.

Guest Access Deployment WLAN Controller Deployments with EoIP Tunnel  Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers  Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN  No need to define the guest VLANs on the switches connected to the remote controllers  Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels  Redundant EoIP tunnels to the Anchor WLC  2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role Guest BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public Internet DMZ or Anchor Wireless Controller Cisco ASA Firewall EoIP “Guest Tunnel” Wireless LAN Controller CAPWAP Guest 77 .

CiUS BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. ISE.)  Wide range of architecture / design choices  Brand new controller (WiSM-2. e. k. FlexConnect. Security. BandSelect.802. etc)  Cisco’s investment into technology – NCS. CCX. Cisco Public 78 .Summary – Key Takeways  Take advantage of the standards (CAPWAP. WLC 2504) portfolio with investment protection  Take advantage of innovations from Cisco (CleanAir. cloud controller. WLC 7500. r…. New hardware. DTLS. ClientLink..11 i.

Documentation  Wireless Services Module 2 (WiSM2) Deployment Guide http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved.shtml  VLAN Select Deployment Guide http://www.html  H-REAP Deployment Guide http://www.shtml • Flex7500 Deployment guide http://www.cisco.shtml  Wireless.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900. LAN (WLAN) Configuration Examples and TechNotes http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123. Cisco Public 79 .

Cisco Public 80 . All rights reserved. BRKEWN-2010 © 2011 Cisco and/or its affiliates.Thank you.