
5 Detailed Description of Technology Used

Understanding WLAN Controllers


 1st/2nd generation (autonomous) architecture: APs act as an 802.1Q translational bridge,
putting client traffic directly onto local VLANs.

Centralized Wireless LAN Architecture

 CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between
APs and the WLAN controller; it is based on LWAPP.
 CAPWAP carries both control and data traffic between AP and controller. The control plane
is always DTLS encrypted; DTLS encryption of the data plane is optional.
 LWAPP-enabled access points can discover and join a CAPWAP controller, so conversion from
LWAPP to CAPWAP is seamless.
 CAPWAP is not supported in a Layer 2 mode deployment; the AP and controller must reach
each other over IP.

CAPWAP State Machine


AP Controller Discovery: DHCP Option
 A Layer 2 join procedure is attempted only by LWAPP APs (CAPWAP does not support Layer 2
APs): a broadcast message is sent to discover a controller on the local subnet.
 The Layer 3 join process runs on CAPWAP APs, and on LWAPP APs after the Layer 2 attempt
fails. Controller addresses are learned from any of:
 previously learned or primed controllers
 subnet broadcast
 DHCP option 43
 DNS lookup
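The DHCP option 43 method above relies on the AP subnet's DHCP scope handing out the controller management addresses in Cisco's vendor-specific TLV (sub-option type 241, followed by a length byte and 4-byte IPv4 addresses). The following is an added example, not code from the original page or from Cisco: it encodes the hex string an IOS `option 43 hex` statement takes and decodes one back, rejecting malformed lengths instead of truncating them. The two controller addresses are constructed.

```python
"""Encode/decode the Cisco vendor-specific DHCP option 43 TLV that primes
CAPWAP APs with WLC management addresses (sub-option 241, RFC 2132 TLV
layout).  Added example; the controller addresses below are constructed."""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1   # type 241: list of controller IPv4 addresses


def encode_option43(controllers):
    """Return the hex string an IOS DHCP pool takes in `option 43 hex ...`.

    Layout: 1 byte type (0xF1), 1 byte length (4 * number of addresses),
    then each controller IPv4 address as 4 bytes.  The length field is a
    single byte, so at most 63 addresses fit (63 * 4 = 252 <= 255).
    """
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    if len(addrs) > 63:
        raise ValueError("option 43 length byte cannot describe more than 63 addresses")
    payload = b"".join(a.packed for a in addrs)
    tlv = bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload
    return tlv.hex()


def decode_option43(hex_string):
    """Walk the TLVs in an option 43 value and return the WLC addresses.

    Any sub-option other than 241 is skipped; a length that does not fit the
    remaining bytes or is not a multiple of 4 is rejected rather than
    silently truncated, since a malformed value would leave the AP unable to
    discover a controller.  IOS-style dotted hex (f108.c0a8...) is accepted.
    """
    data = bytes.fromhex(hex_string.replace(".", "").replace(" ", ""))
    controllers = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        sub_type, length = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length exceeds option payload")
        if sub_type == CISCO_WLC_SUBOPTION:
            if length % 4:
                raise ValueError("sub-option 241 length must be a multiple of 4")
            for off in range(0, length, 4):
                controllers.append(str(ipaddress.IPv4Address(value[off : off + 4])))
        i += 2 + length
    return controllers


if __name__ == "__main__":
    # Constructed example: two WLC management interfaces for the AP subnet's DHCP scope.
    hex_value = encode_option43(["192.168.10.5", "192.168.10.20"])
    print(f"option 43 hex {hex_value}")     # f108c0a80a05c0a80a14
    print(decode_option43(hex_value))
```

The decoder is the check worth keeping at hand: when APs fail to join, paste the scope's option 43 value through it before suspecting the controller, because a wrong length byte or an odd trailing octet is a common cause.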

AP Controller Discovery: DNS Option


 The CAPWAP Discovery Response carries important information from the WLAN controller:
controller name, controller type, controller AP capacity, current AP load, "Master
Controller" status, and the AP Manager IP address or addresses.
 The AP selects a controller to join using the following decision criteria:
 attempt to join a WLAN controller configured as a "Master" controller;
 attempt to join a WLAN controller whose name matches the previously configured
primary, secondary, or tertiary controller name;
 attempt to join the WLAN controller with the greatest excess AP capacity (dynamic
load balancing).
 CAPWAP Join Request: the AP sends this message to the selected controller (addressed to
the AP Manager interface IP address).
 CAPWAP Join Response: if the controller validates the AP's request (the DTLS handshake
authenticates the AP's certificate), it sends a CAPWAP Join Response indicating that the
AP is now registered with that controller.

 Configuration Phase: Firmware and Configuration Download

 Firmware is downloaded by the AP from the WLC only if the AP's image does not match
the controller's; the AP reboots after the download. The firmware image is digitally
signed by Cisco.
 The network configuration is downloaded by the AP from the WLC. The configuration is
carried inside the encrypted CAPWAP control tunnel and then applied.

Mobility Defined
 Mobility is a key reason for deploying wireless networks: the end-user device is able to
move location within the networked environment.
 Roaming occurs when a wireless client moves its association from one AP and re-associates
to another, typically because it is mobile.
 Mobility presents new challenges: the architecture must scale to support client roaming,
which can occur intra-controller and inter-controller, and roaming must be seamless (fast)
while preserving security.

Scaling the Architecture with Mobility Groups
 A Mobility Group allows controllers to peer with each other to support seamless roaming
across controller boundaries.
 APs learn the IP addresses of the other members of the mobility group after the CAPWAP
(LWAPP) join process.
 Up to 24 controllers and 3600 APs are supported per mobility group.
 Mobility messages are exchanged between controllers.
 Client data is tunneled between controllers in EtherIP (RFC 3378).
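The EtherIP tunnel named above is a very thin encapsulation: a 16-bit header (4-bit version, always 3, and 12 reserved bits that must be zero) in front of the complete Ethernet frame, carried as IP protocol 97 between the two controllers. As an added example, not code from the original page or from Cisco, the following builds and parses that header and applies the RFC 3378 receive checks (wrong version or non-zero reserved bits means drop) before the inner frame would be bridged. The client frame is constructed.

```python
"""Build and parse EtherIP (RFC 3378) encapsulation, the format in which an
anchor and foreign WLC tunnel a roamed client's Ethernet frames.  Added
example; the frame contents are constructed."""
import struct

ETHERIP_VERSION = 3          # RFC 3378: 4-bit version field is always 3
ETHERIP_IP_PROTOCOL = 97     # IP protocol number carrying EtherIP
ETHERIP_HEADER_LEN = 2       # version (4 bits) + reserved (12 bits, zero)
MIN_ETHERNET_HEADER = 14     # dst MAC, src MAC, EtherType


def etherip_encapsulate(ethernet_frame):
    """Prefix an Ethernet frame with the 16-bit EtherIP header."""
    if len(ethernet_frame) < MIN_ETHERNET_HEADER:
        raise ValueError("payload shorter than an Ethernet header")
    header = struct.pack("!H", ETHERIP_VERSION << 12)   # reserved bits zero
    return header + ethernet_frame


def etherip_decapsulate(packet):
    """Return the inner Ethernet frame, or raise if the header is not RFC 3378.

    RFC 3378 requires the receiver to drop packets whose version is not 3 or
    whose reserved bits are non-zero; the controller must also sanity-check
    the inner frame before bridging it onto the anchor VLAN.
    """
    if len(packet) < ETHERIP_HEADER_LEN + MIN_ETHERNET_HEADER:
        raise ValueError("packet too short for EtherIP header plus Ethernet frame")
    (hdr,) = struct.unpack("!H", packet[:ETHERIP_HEADER_LEN])
    version, reserved = hdr >> 12, hdr & 0x0FFF
    if version != ETHERIP_VERSION:
        raise ValueError(f"unexpected EtherIP version {version}")
    if reserved != 0:
        raise ValueError("EtherIP reserved bits must be zero")
    return packet[ETHERIP_HEADER_LEN:]


def inner_frame_summary(frame):
    """Parse dst/src MAC and EtherType from the decapsulated frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    fmt = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"dst": fmt(dst), "src": fmt(src), "ethertype": ethertype}


if __name__ == "__main__":
    # Constructed roamed-client frame: client MAC -> gateway MAC, IPv4 payload.
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + b"\x00" * 19
    pkt = etherip_encapsulate(frame)
    print(pkt[:2].hex())                       # 3000
    print(inner_frame_summary(etherip_decapsulate(pkt)))
```

Note that EtherIP itself provides no authentication or confidentiality; the inter-controller data path is only as protected as the network between the WLCs, which is one reason the mobility peers belong on a trusted, firewalled segment.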

Roaming Requirements
 Roaming must be fast. Latency can be introduced by: client channel scanning and AP
selection algorithms; re-authentication of the client device and re-keying; refreshing of
the client's IP address.
 Roaming must maintain security:
 Open authentication and static WEP: the session simply continues on the new AP.
 WPA/WPA2 Personal: a new session key for encryption is derived via the standard
4-way handshake.
 802.1X, 802.11i, WPA/WPA2 Enterprise: the client must be re-authenticated and a new
session key derived for encryption (fast secure roaming methods such as PMK caching
avoid repeating the full EAP exchange).
 The design goals are therefore eliminating IP address re-acquisition on roam and
eliminating full 802.1X/EAP re-authentication.

Intra-Controller Roaming: Layer 2


 An intra-controller roam happens when a client moves its association between APs joined
to the same controller.
 The client must be re-authenticated and a new security session established; the client
database entry is updated with the new AP and the appropriate security context. No IP
address refresh is needed.

Inter-Controller Roaming: Layer 3


 An L3 inter-controller roam occurs when a STA moves its association between APs joined to
different controllers, where client traffic is bridged onto different subnets.
 The client must be re-authenticated and a new security session established. The client
database entry is copied to the new controller, so the entry exists in both WLC client
databases.
 The original controller is tagged as the "anchor" and the new controller as the "foreign";
both WLCs must be in the same mobility group or domain.
 No IP address refresh is needed: the client keeps its address on the anchor's subnet and
its traffic is tunneled between foreign and anchor controller. A symmetric traffic path is
established; the asymmetric option has been eliminated as of the 6.0 release. Account for
the mobility message exchange between controllers in the network design.
 802.1X authentication in wireless today requires three "end-to-end" transactions with an
overall transaction time of more than 500 ms, so a roaming client that has to
re-authenticate adds 500+ ms to the roam.
ISE Architecture

Appliance Design
 The client will be using Virtual Machines (VMs) for their ISE deployment. Three different
build specs will be used: one each for Admin nodes, Monitoring nodes and PSN nodes. The
three build specs are listed below.

Admin Node Specs (Build 1):

 2 processors, quad-core 2.0 GHz
 300 GB HDD
 32 GB of memory
 1 Gigabit NIC

Monitoring (Mnt) Node Specs (Build 2):

 2 processors, quad-core 2.0 GHz
 600 GB HDD
 32 GB of memory
 1 Gigabit NIC

Policy (PSN) Specs (Build 3):

 2 processors, quad-core 2.0 GHz
 300 GB HDD
 4 GB of memory
 2 Gigabit NICs

ISE Appliance Breakdown


The Cisco ISE deployment for the client will consist of the following:
ISE Admin Nodes
 (1) Primary Admin Node (Pri PAN) in Client’s datacenter
 (1) Secondary Admin Node (Sec PAN) in Client’s datacenter
ISE Monitoring Nodes
 (1) Primary Monitoring Node (Pri Mnt) in Client’s datacenter
 (1) Secondary Monitoring Node (Sec Mnt) in Client’s datacenter
ISE Policy Services Node
 (1) Policy Services Node (PSN) in DMZ at Client’s datacenter

ISE Objectives

 Users on the same SSID can be placed on different wired VLAN interfaces after EAP
authentication.
 An employee using a corporate laptop with their AD user ID can be assigned full access to
the network.
 An employee using a personal iPad/iPhone with their AD user ID can be assigned to Guest and
given Internet access only.

The figure above shows how guest users and employees can be assigned different VLANs to provide network connectivity.

 The objective of the ISE deployment is to integrate Identity-Based Networking Services
(IBNS) into the wireless guest network architecture.
 The ISE deployment will integrate with the following services:
 Microsoft Active Directory
 Client Certificate Authority (GeoTrust certificate)

Wireless Channels

Channels in 2.4 GHz

 There are only 3 non-overlapping channels in the 2.4 GHz band, which is why this band is
congested and is currently seen as over-populated.

Channel   North America   Europe   Japan
number    (FCC)           (ETSI)
1         ✔               ✔        ✔
2         ✔               ✔        ✔
3         ✔               ✔        ✔
4         ✔               ✔        ✔
5         ✔               ✔        ✔
6         ✔               ✔        ✔
7         ✔               ✔        ✔
8         ✔               ✔        ✔
9         ✔               ✔        ✔
10        ✔               ✔        ✔
11        ✔               ✔        ✔
12        No              ✔        ✔
13        No              ✔        ✔
14        No              No       802.11b only

Channels in 5 GHz

 There are around 19 to 21 non-overlapping channels in the 5 GHz band (the exact count
depends on the regulatory domain), whereas the 2.4 GHz band is now regarded as the legacy
wireless band because of its over-population and channel limitations.
 Wireless networks have evolved and the 5 GHz band is widely used: 802.11ac operates only
in 5 GHz (802.11n operates in both bands), and 5 GHz offers many more non-overlapping
channels than 2.4 GHz.

Channel   Frequency   North America   Europe (ETSI)          Japan
number    (MHz)       (FCC)
36        5180        ✔               Indoors                ✔
40        5200        ✔               Indoors                ✔
44        5220        ✔               Indoors                ✔
48        5240        ✔               Indoors                ✔
52        5260        DFS             Indoors / DFS / TPC    DFS / TPC
56        5280        DFS             Indoors / DFS / TPC    DFS / TPC
60        5300        DFS             Indoors / DFS / TPC    DFS / TPC
64        5320        DFS             Indoors / DFS / TPC    DFS / TPC
100       5500        DFS             DFS / TPC              DFS / TPC
104       5520        DFS             DFS / TPC              DFS / TPC
108       5540        DFS             DFS / TPC              DFS / TPC
112       5560        DFS             DFS / TPC              DFS / TPC
116       5580        DFS             DFS / TPC              DFS / TPC
120       5600        No access       DFS / TPC              DFS / TPC
124       5620        No access       DFS / TPC              DFS / TPC
128       5640        No access       DFS / TPC              DFS / TPC
132       5660        DFS             DFS / TPC              DFS / TPC
136       5680        DFS             DFS / TPC              DFS / TPC
140       5700        DFS             DFS / TPC              DFS / TPC
149       5745        ✔               SRD                    No access
153       5765        ✔               SRD                    No access
157       5785        ✔               SRD                    No access
161       5805        ✔               SRD                    No access
165       5825        ✔               SRD                    No access

DFS = Dynamic Frequency Selection (radar detection) required; TPC = Transmit Power Control
required; SRD = short-range device power limits apply.

Cell Overlap

 During the site survey, vendors have to ensure there is proper cell overlap of
approximately 15 to 20%; this enables seamless client roaming from one AP to another
without interruption of the connection.

Co-Channel Interference

 When there are many APs on the same floor they need to be installed with proper cell
overlap and configured to use different non-overlapping channels.
 In the 2.4 GHz band there are 3 non-overlapping channels: 1, 6 and 11.
 In the 5 GHz band there are around 19 to 21 non-overlapping channels.
Channel Planning

 Note that in the diagram above no two cells on the same channel overlap. In some
high-density wireless environments we may end up reusing the same channel; when cells on
the same channel overlap, that is co-channel interference, and the wireless network will
not perform well.
 Channel planning is usually handled automatically by RRM on the WLC, but the problems
caused by co-channel interference are explained here so that everyone understands why
the plan matters.
 As already mentioned, in high-density wireless environments it is sometimes impossible to
avoid reusing channels, and the result is co-channel interference.

5.5.4 Antenna Recommendations

 In normal office environments we can deploy APs with dipole antennas; if the office
environment is high density, an AP with internal antennas is recommended. For warehouses
with high ceilings, plants and cold storage, antenna recommendations should be sought from
the site survey vendor, because many different antenna types can be used with Cisco APs and
the vendor can recommend the best one by emulating the environment in an active survey.
