Design and Deployment of Enterprise WLANs

BRKEWN-2010
Sujit Ghosh, CCIE #7204
Manager, Technical Marketing, Wireless Networking Business Unit

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Agenda
§  Controller-Based Architecture Overview
§  Mobility in the Cisco Unified WLAN Architecture
§  Architecture Building Blocks
§  Deploying the Cisco Unified Wireless Architecture



Understanding WLAN Controllers
§  1st/2nd generation: APs act as 802.1Q translational bridge, putting client traffic on local VLANs
§  3rd generation: Controller bridges client traffic centrally

[Figure: 1st/2nd Generation vs. 3rd Generation Approach. 1st/2nd generation: Data, Management and Voice VLANs bridged locally at the AP. 3rd generation: Data, Management and Voice VLANs carried over the LWAPP/CAPWAP tunnel to the controller.]


Centralized Wireless LAN Architecture
What Is CAPWAP?
§  CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller and is based on LWAPP
§  CAPWAP carries control and data traffic between the two
    Control plane is DTLS encrypted
    Data plane is DTLS encrypted (optional)
§  LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
§  CAPWAP is not supported on Layer 2 mode deployment

[Figure: Access Point and Wi-Fi client connected to the Controller over CAPWAP; data plane carries client traffic towards the business application, control plane runs between AP and controller.]

CAPWAP Modes
Split MAC
§  The CAPWAP protocol supports two modes of operation
    Split MAC (centralized mode)
    Local MAC (H-REAP)
§  Split MAC

[Figure: Split MAC. STA to WTP: wireless frame (wireless PHY, MAC sublayer); WTP to AC: CAPWAP data plane; AC emits the 802.3 frame.]


CAPWAP Modes
Local MAC
§  Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames
§  Locally bridged

[Figure: Local MAC, locally bridged. STA to WTP: wireless frame (wireless PHY, MAC sublayer); WTP bridges the 802.3 frame locally, the AC is not in the data path.]


CAPWAP Modes
Local MAC
§  Tunneled as 802.3 frames

[Figure: Local MAC, tunneled. STA to WTP: wireless frame (wireless PHY, MAC sublayer); WTP converts to an 802.3 frame and sends it over the CAPWAP data plane; AC emits the 802.3 frame.]

§  Tunneled local MAC is not supported by Cisco
§  H-REAP supports locally bridged MAC and split MAC per SSID

CAPWAP State Machine
[Figure: CAPWAP state machine. AP boots up, then moves through Discovery, DTLS Setup, Join, Image Data, Config and Run; Reset returns the AP to the start.]

AP Controller Discovery
Controller Discovery Order
§  Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs)
    Broadcast message sent to discover controller on a local subnet
§  Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails
    Previously learned or primed controllers
    Subnet broadcast
    DHCP option 43
    DNS lookup


AP Controller Discovery: DHCP Option
[Figure: AP Controller Discovery via DHCP. 1. AP sends DHCP Request; DHCP Server's DHCP Offer contains Option 43 for the controller. 2. AP sends Layer 3 CAPWAP Discovery Request (broadcast). 3. Controllers return Layer 3 CAPWAP Discovery Responses.]
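As an added illustration (not from the session deck), the encoder/decoder below builds and audits the vendor-specific DHCP Option 43 value a Cisco lightweight AP reads to find its controllers. The TLV layout it uses (type 0xF1, a one-byte length of 4 × N, then N IPv4 addresses) is Cisco's documented encoding for lightweight APs, stated here as an assumption; 192.168.1.2 is the deck's example address and the other values are constructed.

```python
"""Build and check the Cisco-style DHCP Option 43 value used for CAPWAP
controller discovery (slide "AP Controller Discovery: DHCP Option").

Assumed layout (Cisco's documented encoding for lightweight APs):
  type 0xF1, length = 4 * N, then N IPv4 controller addresses.
Added example, not part of the session deck.
"""
import ipaddress
from typing import List

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type carrying the controller list


def encode_option43(controllers: List[str]) -> bytes:
    """Return the raw Option 43 value for the given controller management IPs."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(body) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([CISCO_WLC_SUBOPTION, len(body)]) + body


def option43_hex(controllers: List[str]) -> str:
    """Hex form most DHCP servers accept when defining a vendor-specific option."""
    return encode_option43(controllers).hex()


def decode_option43(raw: bytes) -> List[str]:
    """Parse an Option 43 value back into controller addresses.

    Rejects anything that is not a well-formed controller list, which is what
    you want when auditing what a DHCP server actually hands to the APs.
    """
    if len(raw) < 2:
        raise ValueError("option 43 value too short")
    if raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{raw[0]:02x}")
    length, body = raw[1], raw[2:]
    if length == 0 or length % 4 != 0 or length != len(body):
        raise ValueError("length does not cover a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def controllers_match(raw: bytes, expected: List[str]) -> bool:
    """True when the served option lists exactly the controllers we expect."""
    try:
        return sorted(decode_option43(raw)) == sorted(expected)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the deck's example controller plus a second one.
    served = encode_option43(["192.168.1.2", "192.168.1.3"])
    print(served.hex())                                      # f108c0a80102c0a80103
    print(decode_option43(served))
    print(controllers_match(served, ["192.168.1.3", "192.168.1.2"]))
```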

AP Controller Discovery: DNS Option
[Figure: AP Controller Discovery via DNS. 1. AP sends DHCP Request; 2. DHCP Offer from the DHCP Server; 3. the DHCP Offer contains the DNS server or servers; 4. AP resolves CISCO-CAPWAP-CONTROLLER.localdomain at the DNS Server and receives the controller address 192.168.1.2.]

WLAN Controller Selection Algorithm
§  CAPWAP Discovery Response contains important information from the WLAN Controller
    Controller name, controller type, controller AP capacity, current AP load, “Master Controller” status, and AP Manager IP address or addresses
§  AP selects a controller to join using the following decision criteria
    1. Attempt to join a WLAN Controller configured as a “Master” controller
    2. Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name
    3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)
§  Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic
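The three-step selection above, modelled in Python as an added example (not code from the deck or from Cisco): the `DiscoveryResponse` fields mirror the information the slide lists but are illustrative names, not the CAPWAP wire format, and treating a controller with no spare AP capacity as ineligible is an assumption of this model.

```python
"""Model the controller choice an AP makes from CAPWAP Discovery Responses
(slide "WLAN Controller Selection Algorithm").  Added example, not from the
session deck: field names are illustrative, not the CAPWAP wire format, and
treating a controller with no spare AP capacity as ineligible is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DiscoveryResponse:
    name: str
    controller_type: str
    ap_capacity: int                 # maximum AP count the controller supports
    ap_load: int                     # APs currently joined
    is_master: bool = False          # "Master Controller" flag
    ap_manager_ips: Tuple[str, ...] = field(default_factory=tuple)

    @property
    def excess_capacity(self) -> int:
        return self.ap_capacity - self.ap_load


def select_controller(responses: List[DiscoveryResponse],
                      primary: Optional[str] = None,
                      secondary: Optional[str] = None,
                      tertiary: Optional[str] = None) -> Optional[DiscoveryResponse]:
    """Apply the deck's three criteria in order and return the chosen controller."""
    candidates = [r for r in responses if r.excess_capacity > 0]
    if not candidates:
        return None                  # every responder is full; the AP keeps discovering

    # 1. A controller advertising itself as "Master" wins outright.
    for r in candidates:
        if r.is_master:
            return r

    # 2. Deterministic: configured primary, then secondary, then tertiary name.
    for wanted in (primary, secondary, tertiary):
        if wanted is None:
            continue
        for r in candidates:
            if r.name == wanted:
                return r

    # 3. Dynamic: greatest excess AP capacity (load balancing).
    return max(candidates, key=lambda r: r.excess_capacity)


def join_target(choice: DiscoveryResponse) -> str:
    """The Join Request goes to an AP Manager interface address (next slide)."""
    if not choice.ap_manager_ips:
        raise ValueError(f"{choice.name} advertised no AP Manager address")
    return choice.ap_manager_ips[0]


# Constructed sample responses (names, types and addresses are made up).
SAMPLE = [
    DiscoveryResponse("WLC-A", "5508", 500, 480, ap_manager_ips=("10.0.0.11",)),
    DiscoveryResponse("WLC-B", "5508", 250, 100, ap_manager_ips=("10.0.0.12",)),
    DiscoveryResponse("WLC-C", "2504", 50, 10, ap_manager_ips=("10.0.0.13",)),
]

if __name__ == "__main__":
    dyn = select_controller(SAMPLE)                                   # no names primed
    det = select_controller(SAMPLE, primary="WLC-C", secondary="WLC-A")
    print("dynamic       ->", dyn.name, "via", join_target(dyn))     # WLC-B via 10.0.0.12
    print("deterministic ->", det.name, "via", join_target(det))     # WLC-C via 10.0.0.13
```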

CAPWAP Control Messages for Join Process
§  CAPWAP Join Request: the AP sends this message to the selected controller (sent to the AP Manager Interface IP address)
§  CAPWAP Join Response: if the controller validates the AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller


Configuration Phase

Firmware and Configuration Download
§  Firmware is downloaded by the AP from the WLC
    Firmware digitally signed by Cisco
    Firmware downloaded only if needed; AP reboots after the download
§  Network configuration is downloaded by the AP from the WLC
    Configuration is encrypted in the CAPWAP tunnel
    Configuration is applied

[Figure: Cisco WLAN Controller to Access Points (LWAPP-L3): Firmware Download, then Configuration Download.]


4.2, 6.0, 7.0? Which Version Should I Use?

§  WLC 5508 supports 6.0, 7.0.98 and 7.0.116
§  WLC7500, WiSM-2 and WLC2504 only supported in 7.0.116
§  6.0.202 is the latest MD
§  7.0.116 will be tested for AssureWave (Blue Ribbon)
§  Please note the current revision of 7.0, 7.0.116.0, which is the recommended one for you today


Mobility Defined
§  Mobility is a key reason for wireless networks
§  Mobility means the end-user device is capable of moving location in the networked environment
§  Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!
§  Mobility presents new challenges:
    Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
    Need to support client roaming that is seamless (fast) and preserves security


Scaling the Architecture with Mobility Groups
§  Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
§  APs learn the IPs of the other members of the mobility group after the LWAPP Join process
§  Mobility messages exchanged between controllers
§  Data tunneled between controllers in EtherIP (RFC 3378)
§  Support for up to 24 controllers, 3600 APs per mobility group

[Figure: Three controllers in Mobility Group "MyMobilityGroup" exchanging Mobility Messages and linked by Ethernet in IP tunnels. Controller-A (MAC AA:AA:AA:AA:AA:01) lists neighbors Controller-B, AA:AA:AA:AA:AA:02 and Controller-C, AA:AA:AA:AA:AA:03; Controller-B (MAC AA:AA:AA:AA:AA:02) lists neighbors Controller-A, AA:AA:AA:AA:AA:01 and Controller-C, AA:AA:AA:AA:AA:03; Controller-C (MAC AA:AA:AA:AA:AA:03) lists neighbors Controller-A, AA:AA:AA:AA:AA:01 and Controller-B, AA:AA:AA:AA:AA:02.]

Increased Mobility Scalability
§  Roaming is supported across three mobility groups (3 * 24 = 72 controllers)
§  With Inter Release Controller Mobility (IRCM) roaming is supported between 4.2.207 and 6.0.188 and 7.0

[Figure: Mobility Sub-Domains 1, 2 and 3 linked by Ethernet in IP tunnels and exchanging Mobility Messages.]

How Long Does an STA Roam Take?
§  Time it takes for:
    Client to disassociate
    + Probe for and select a new AP
    + 802.11 Association
    + 802.1X/EAP Authentication
    + Rekeying
    + IP address (re)acquisition
§  All this can be on the order of seconds… Can we make this faster?


Roaming Requirements
§  Roaming must be fast … Latency can be introduced by:
    Client channel scanning and AP selection algorithms
    Re-authentication of client device and re-keying
    Refreshing of IP address
§  Roaming must maintain security
    Open auth, static WEP: session continues on new AP
    WPA/WPAv2 Personal: new session key for encryption derived via standard handshakes
    802.1X, 802.11i, WPA/WPAv2 Enterprise: client must be reauthenticated and new session key derived for encryption


How Are We Going to Make Roaming Faster?
Focus on Where We Can Have the Biggest Impact

§  Eliminating the (re)IP address acquisition challenge
§  Eliminating full 802.1X/EAP reauthentication


Intra-Controller Roaming: Layer 2
§  Intra-Controller roam happens when a client moves association between APs joined to the same controller
§  Client must be reauthenticated and new security session established

[Figure: Preroaming data path on VLAN X. WLC-1 Client Database holds the client data (MAC, IP, QoS, Security); WLC-1 and WLC-2 linked by Mobility Message Exchange.]


Intra-Controller Roaming: Layer 2 (Cont.)
§  Client database entry with new AP and appropriate security context
§  No IP address refresh needed

[Figure: Client roams to a different AP on VLAN X; roaming data path still through WLC-1, whose Client Database entry (MAC, IP, QoS, Security) is updated; WLC-2 Client Database unchanged; Mobility Message Exchange between WLC-1 and WLC-2.]


Intra-Controller Roaming: Layer 3
[Figure: Preroaming data path. WLC-1 on VLAN X and WLC-2 on VLAN Z, each with its own Client Database (MAC, IP, QoS, Security); the client's data resides on WLC-1; Mobility Message Exchange between the controllers.]


Client Roaming Between Subnets: Layer 3 (Cont.)
[Figure: Client roams to a different AP. WLC-1 (VLAN X) becomes the Anchor Controller and WLC-2 (VLAN Z) the Foreign Controller; the client database entry (MAC, IP, QoS, Security) exists on both; a Data Tunnel carries the client's traffic back to the anchor's preroaming data path; Mobility Message Exchange between the controllers.]


Static IP Mobility with 7.0.116
[Figure: Static IP mobility. A client with a static IP on VLAN X dis-associates from an AP on WLC-1 (Anchor Controller, Mobility Group-1, pre-roaming data path) and associates on an AP on WLC-2 (Foreign Controller, Mobility Group-2, VLAN Z); both WLC Client Databases hold the client data (MAC, IP, QoS, Security); Mobility Message Exchange and an Encrypted Data Tunnel run between the controllers.]

Static IP Mobility with 7.0.116
GUI Configuration


Roaming: Inter-Controller
Layer 3
§  L3 inter-controller roam: STA moves association between APs joined to different controllers, with client traffic bridged onto different subnets
§  Client must be re-authenticated and new security session established
§  Client database entry copied to new controller; entry exists in both WLC client DBs
§  Original controller tagged as the “anchor”, new controller tagged as the “foreign”
§  WLCs must be in same mobility group or domain
§  No IP address refresh needed
§  Symmetric traffic path established; asymmetric option has been eliminated as of 6.0 release
§  Account for mobility message exchange in network design

How Are We Going to Make Roaming Faster?
Focus on Where We Can Have the Biggest Impact

ü Eliminating the (re)IP address acquisition challenge §  Eliminating full 802.1X/EAP reauthentication


Fast Secure Roaming

Standard Wi-Fi Secure Roaming
§  802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms
§  802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam

[Figure: AP1 and AP2 reaching the Cisco AAA Server (ACS or ISE) across the WAN. 1. 802.1X initial authentication transaction via AP1; 2. 802.1X reauthentication after roaming to AP2.]

Note: Mechanism Is Needed to Centralize Key Distribution

Cisco Centralized Key Management (CCKM)
§  Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially with application specific devices (ASDs)
§  CCKM originally a core feature of the “Structured Wireless Aware Network” (SWAN) architecture
§  CCKM ported to CUWN architecture in 3.2 release
§  In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
§  CCKM is most widely implemented in ASDs, especially VoWLAN devices
§  To work across WLCs, WLCs must be in the same mobility group
§  CCX-based laptops may not fully support CCKM; depends on supplicant capabilities
§  CCKM is standardized in 802.11r, but no clients available yet


Fast Secure Roaming

WPA2/802.11i Pairwise Master Key (PMK) Caching
§  WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients
§  From the 802.11i specification:
    Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later
    When a STA (re-)associates to an AP, it may attach a list of PMK IDs (which were derived via the dot1x process with this AP before) in the (re)association request frame
    When a PMK ID exists, the AP can use it to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake session with the STA
    PMK cache records will be kept for one hour for non-associated STAs


OKC/PKC
Key Data Points
§  Requires client/supplicant support
§  Supported in Windows since XP SP2
§  Many ASDs support OKC and/or PKC
§  Check on client support for TKIP vs. CCMP; mostly CCMP only
§  Enabled by default on WLCs with WPAv2
§  Requires WLCs to be in the same mobility group
§  Important design note: pre-positioning of roaming clients consumes spots in client DB
§  In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!
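The PMK-cache behaviour described on the two preceding slides (PMKID in the (re)association request, lookup bound to the STA MAC, one-hour lifetime, and the client-DB slots that pre-positioned entries consume), as an added Python model that is not code from the deck or from Cisco. The PMKID formula is the IEEE 802.11i one, HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the cache class, its slot accounting and the constructed MAC addresses and PMK are illustrative assumptions.

```python
"""PMKID derivation and the PMK-cache lookup behind WPA2/802.11i PMK caching
and OKC (slides "WPA2/802.11i Pairwise Master Key (PMK) Caching" and
"OKC/PKC Key Data Points").  Added example, not from the session deck.

PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)   (IEEE 802.11i)
The cache class, its 'slot' accounting and the constructed MACs/PMK are
illustrative assumptions, not a controller implementation.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple

PMK_CACHE_LIFETIME_S = 3600.0   # deck: records kept one hour for non-associated STAs


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, aa: str, spa: str) -> bytes:
    """AA = authenticator (AP/BSSID) MAC, SPA = supplicant (STA) MAC."""
    msg = b"PMK Name" + mac_bytes(aa) + mac_bytes(spa)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


class PmkCache:
    """Per-controller PMK cache keyed by STA, so a hit is always bound to the STA MAC."""

    def __init__(self, capacity: int):
        self.capacity = capacity                    # each cached STA occupies a client-DB slot
        self._by_sta: Dict[str, Tuple[bytes, float]] = {}   # spa -> (pmk, expiry)

    def expire(self, now: float) -> None:
        self._by_sta = {s: e for s, e in self._by_sta.items() if e[1] > now}

    def slots_in_use(self) -> int:
        return len(self._by_sta)

    def store(self, spa: str, pmk: bytes, now: float) -> bool:
        """Cache the PMK after a successful 802.1X/EAP run; False when no slot is free."""
        self.expire(now)
        if spa not in self._by_sta and len(self._by_sta) >= self.capacity:
            return False
        self._by_sta[spa] = (pmk, now + PMK_CACHE_LIFETIME_S)
        return True

    def lookup(self, aa: str, spa: str, advertised: Iterable[bytes], now: float) -> Optional[bytes]:
        """Return the PMK if an advertised PMKID validates for (this AP, this STA).

        With OKC the STA derives the PMKID with the *new* AP's BSSID, so the
        expected value is recomputed here with the local AA; a PMK learned via
        another AP behind the same controller or mobility group therefore hits.
        None means fall back to a full 802.1X authentication.
        """
        self.expire(now)
        entry = self._by_sta.get(spa)
        if entry is None:
            return None
        pmk, _ = entry
        expected = pmkid(pmk, aa, spa)
        for candidate in advertised:
            if hmac.compare_digest(expected, candidate):
                return pmk
        return None


if __name__ == "__main__":
    pmk = bytes(range(32))                        # constructed 256-bit PMK
    cache = PmkCache(capacity=2)
    cache.store("aa:bb:cc:dd:ee:01", pmk, now=0.0)
    # Roam from AP1 to AP2: the STA sends the PMKID it computed for AP2's BSSID.
    ap2 = "00:11:22:33:44:66"
    hit = cache.lookup(ap2, "aa:bb:cc:dd:ee:01", [pmkid(pmk, ap2, "aa:bb:cc:dd:ee:01")], now=5.0)
    print("fast roam (4-way handshake only):", hit is not None)
```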

How Long Does a Client Really Take to Roam?
§  Time to roam =
    Client to disassociate
    + Probe for and select a new AP
    + 802.11 Association
    + Mobility message exchange between WLCs
    + Reauthentication
    + Rekeying
    + IP address (re)acquisition
§  Network latency will have an impact on these times: a consideration for controller placement
§  With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary


How Often Do Clients Roam?
§  It depends… types of clients and applications
§  Most client devices are designed to be “nomadic” rather than “mobile”, though proliferation of small form factor, “smart” devices will probably change this…
§  Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly
§  Design rule of thumb: 10-20 roams per second for every 5000 clients


Designing a Mobility Group/Domain
Design Considerations
§  Less roaming is better; clients and apps are happier
§  While clients are authenticating/roaming, WLC CPU is doing the processing; not as much of a big deal for 5508, which has a dedicated management/control processor
§  L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider “worst case” scenarios in designing roaming domain size
§  Leverage natural roaming domain boundaries
§  Mobility Message transport selection: multicast vs. unicast
§  Make sure the right ports and protocols are allowed


CUWN 7.0.116 Release
Key Controller Features
Device Support: WLC-WiSM2, WLC-7500, WLC-2500, WLCM-2, AP600 / AP1550, Others
Local-Mode Features: Client Limit on WLAN, Increased RF Group Scalability, RF Group Leader Flexibility, Webauth on Mac Filter Failure, Web Authentication Proxy, DHCP Option 60, Encrypting Neighbor Packets, Rogue Containment Enhancement, PSB Password Enhancements, Static IP Mobility, CCX S60 Location Improvements, Voice Diagnostics, wIPS ELM, 11n Indoor Mesh 2.4 GHz Backhaul, VLAN Select, FIPS
FlexConnect Features: Scale and Groups, Local Auth Fault Tolerance, Opportunistic Key Caching



WiSM2

For Cisco Catalyst 6500 Series
§  Enhanced operational savings
    Higher scale
    Reduced downtime during upgrades
    Single controller
§  Higher performance
    Throughput
    Concurrent rich-media application flows
§  Maximize Cisco Catalyst 6000 Series investment
    Supervisor and service module refresh

Specifications At-a-Glance
    Access Points: 100–500
    Clients: 10,000
    I/O: 10G
    Chassis-Level Scale: 3500 APs and 70,000 Clients
    Concurrent AP Joins: 500
    Number of Phy Controllers: 1
    Power: 225W

Enterprise-Grade WLC5508 for the Campus

Cisco 5500 Series Wireless Controller

Key Attributes
Ø  Best in class performance
    Industry-leading encrypted throughput
Ø  Enhanced Operational Savings
    Upgrades 500 APs within minutes
    Fails over 500 APs within seconds
Ø  Enhanced rich media performance
    Multiple concurrent low-latency media flows

Specifications At-a-Glance
    Access Points: 12-500
    Clients: 7,000
    Form-Factor: 1 RU
    IO Interface: 8x 1GE Ports, LAG
    Upgrade Licenses: 25, 50, 100, 250


Controller Comparison

                                                  5500                          WiSM-2
Number of Access Points                           12, 25, 50, 100, 250, 500     500
Throughput                                        Up to 8 Gbps                  Up to 10 Gbps
Clients                                           Up to 7000                    Up to 10,000
Concurrent AP Upgrades/Joins                      Up to 500                     Up to 500
Network I/O                                       Up to 8 1 Gbps SFPs           Cisco Catalyst 6000 Series Backplane
Mobility Domain Size                              Up to 36,000 APs              Up to 36,000 APs
Number of Controllers per Physical Device         1                             1
Power Consumption                                 125W                          225W
AP Count Upgrade via Licensing                    Yes                           Yes
Encrypted Data Link Between AP and Controller     Yes                           Yes
OfficeExtend Solution                             Yes                           Yes

Cost Effective Entry Level Controllers
2500 Wireless Controller (New)

Key Attributes
Ø  Ability to scale the network as you grow with licensing
Ø  Part of a PCI certified architecture
Ø  Ability to support various deployment modes

Specifications At-a-Glance
    Access Points: 5-50
    Clients: 500
    Throughput: 500 Mbps
    Deployment Model: Local and FlexConnect
    Form Factor: Desktop
    IO Interface: 4x 1GE
    Upgrade Licenses: 5, 25


Wireless Controller on ISR G2/SRE
New

Key Attributes
•  Single box for branch services
•  Consistency of functionality and management with controllers

Specifications At-a-Glance
    Access Points: ISM: 5-10; SM: 5-50
    Clients: 500
    Throughput: 500 Mbps
    Deployment Model: Local and FlexConnect
    Form Factor: SRE (ISM/SM)
    Upgrade Licenses: 5, 25
    Device Supported On: 1941, 2900 and 3900 Series ISR G2


CleanAir Access Point
Cisco CleanAir: Detect and Classify, Locate, Mitigate

A System-Wide Feature that Uses Silicon-Level Intelligence to Automatically Mitigate the Impact of Wireless Interference, Optimize Network Performance, and Reduce Troubleshooting Costs

What Is CleanAir?
Detect and Classify
§  Uniquely identify and track multiple interferers
§  Assess unique impact to Wi-Fi performance
§  Monitor air quality

High-Resolution Interference Detection and Classification Logic Built in to Cisco’s 802.11n Wi-Fi Chip Design; Inline Operation with no CPU or Performance Impact

What Is CleanAir?
Locate (WCS, MSE) and Mitigate (Wireless LAN Controller)
§  Classification processed on access point
§  Interference impact and data sent to WLC for real-time action
§  WCS and MSE store data for location, history, and troubleshooting

[Figure: Visualize and Troubleshoot (air quality map from POOR to GOOD); Maintain Air Quality (channel plan, CH 1 to CH 11).]

Cisco CleanAir Technology Integrates Interference Information from the AP into the Entire System

Access Points Portfolio
[Figure: Access Points Portfolio. Teleworker: 600 (New). Carpeted: 1040, 1140. Ruggedized 11n: 1260. 11n + CleanAir: 3500i, 3500e. Limited Lifetime Hardware Warranty.]

New 2x3 MIMO 11n Speed: Provide Higher Coverage and Throughput
CleanAir and ClientLink Technology: Avoids Interference, Delivers Stronger Signals to Clients
Flexible Deployment: Access or Mesh Network, Fiber, UTP or Wireless Backhaul


Cisco Aironet 1550 Series Outdoor AP

§  2 Radios 2.4/5 GHz
§  2 Tx, 3 Rx
§  MIMO, 2 SS
§  3x Dual-Band Ant.

Model    2.4 GHz        5 GHz        Type             Antenna
1552E    802.11b/g/n    802.11a/n    Standard         External
1552H    802.11b/g/n    802.11a/n    Hazardous Loc.   External
1552C    802.11b/g/n    802.11a/n    Cable Modem      Integrated
1552I    802.11b/g/n    802.11a/n    Standard         Integrated

MIMO: Multiple-In, Multiple-Out; SS: Spatial Streams


Adaptive wIPS

Components and Functions
    AP: Attack Detection; 24x7 Scanning; Over-the-Air Detection
    WLC: Configuration; wIPS AP Management
    MSE: Alarm Archival; Capture Storage; Complex Attack Analysis, Forensics, Events
    WCS: Centralized Monitoring; Historic Reporting; Monitoring, Reporting

Cisco Adaptive Wireless IPS with “Enhanced Local Mode (ELM)”
•  Adaptive wIPS scanning in data serving access points
•  Provides protection without needing a separate overlay network
•  Available as a free SW download for existing wIPS Monitor Mode customers
•  ELM supported APs: 1040, 1140, 1250, 1260 & 3500

[Figure: Without ELM: separate Data Serving and Monitor Mode APs. With ELM: single Data and wIPS AP.]


Deployment Recommendation
Option A: Local Mode + wIPS Monitor Mode / CleanAir MMAP + wIPS MM
    wIPS Monitor Mode, or CleanAir MM + wIPS MM on CleanAir AP; recommendation: ratio of 1:5 MMAP to Local Mode APs
Option B: Enhanced Local Mode
    Turn on ELM on all APs (including CleanAir)

TrustSec 2.0 and Identity Services Engine
•  Centralized Policy
•  Distributed Enforcement
•  AAA Services
•  Posture Assessment
•  Guest Access Services
•  Device Profiling
•  Monitoring
•  Troubleshooting
•  Reporting

[Figure: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server consolidated into the Identity Services Engine.]

*Current NAC and ACS Hardware Platform Is Software Upgradable to ISE

ISE Integrated Device Profiling

“iPad Template” / Custom Template
Visibility for Wired and Wireless Devices
Simplified “Device Category” Policy
New Device Templates via Subscription Feeds

ISE Integrated Device Profiling
§  Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication
§  Employee using corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network
§  Employee using personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only

[Figure: Same SSID, CAPWAP from the APs to the WLC, 802.1Q trunk to the wired network. 1. Employee laptop: EAP Authentication; 2. ISE: Accept with VLAN 30 (Corporate Resources); 3. Employee iPad: EAP Authentication; 4. ISE: Accept with VLAN 40 (Internet).]


ISE Integrated Device Profiling
§  Example:
    VLAN 30 (Corporate access)
    VLAN 40 (Internet access)


ISE Integrated Device Profiling
•  ISE Setup: Authorization Profiles (redirect VLAN, Override ACL, CoA…)
    Laptop: Assign VLAN 30
    iPad: Assign VLAN 40


ISE Integrated Device Profiling
§  WLC CoA Setup: Pre-Auth ACL allows ALL client traffic to ISE (Permit ANY to ISE IP address)
§  WLAN: Dot1X, AAA Override and RADIUS NAC enabled


ISE Integrated Device Profiling
§  RADIUS probe (information about authentication, authorization and accounting requests from Network Access)
§  DHCP (helper or span)
§  HTTP user agent (span)

Customizable Profiles



Deploying the Cisco Unified Wireless Architecture
§  Controller Redundancy and AP Load Balancing
§  Understanding AP Groups
§  IPv6 Deployment with Controllers
§  Branch Office Designs
§  Guest Access Deployment
§  Home Office Design



Controller Redundancy
Dynamic
§  Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
§  Results in dynamic “salt-and-pepper” design
§  Design works better when controllers are “clustered” in a centralized design
§  Pros
    Easy to deploy and configure; less upfront work
    APs dynamically load-balance (though never perfectly)
§  Cons
    More intercontroller roaming
    Bigger operational challenges due to unpredictability
    Longer failover times
    No “fallback” option in the event of controller failure
§  Cisco’s general recommendation is: only for Layer 2 roaming
§  Use deterministic redundancy instead of dynamic redundancy

Controller Redundancy
Deterministic
§  Administrator statically assigns APs a primary, secondary, and/or tertiary controller
    Assigned from controller interface (per AP) or WCS (template-based)
§  Pros
    Predictability; easier operational management
    More network stability
    More flexible and powerful redundancy design options
    Faster failover times
    “Fallback” option in the case of failover
§  Con
    More upfront planning and configuration
§  This is Cisco’s recommended best practice

[Figure: WLAN-Controller-A, WLAN-Controller-B and WLAN-Controller-C, with each AP group configured in rotation: Primary A / Secondary B / Tertiary C; Primary B / Secondary C / Tertiary A; Primary C / Secondary A / Tertiary B.]

Controller Redundancy
Architecture Resiliency
Figure: four redundancy designs (diagram labels condensed)

Resiliency (three controllers WLAN-Controller-A, -B, -C)
  Primary: WLAN-Controller-A   Secondary: WLAN-Controller-B   Tertiary: WLAN-Controller-C
  Primary: WLAN-Controller-B   Secondary: WLAN-Controller-C   Tertiary: WLAN-Controller-A
  Primary: WLAN-Controller-C   Secondary: WLAN-Controller-A   Tertiary: WLAN-Controller-B

N:1 Redundancy (WLAN-Controller-BKP in the NOC or data center)
  APs on WLAN-Controller-1 configured with: Primary: WLAN-Controller-1   Secondary: WLAN-Controller-BKP
  APs on WLAN-Controller-2 configured with: Primary: WLAN-Controller-2   Secondary: WLAN-Controller-BKP
  APs on WLAN-Controller-n configured with: Primary: WLAN-Controller-n   Secondary: WLAN-Controller-BKP

N:N Redundancy
  APs on WLAN-Controller-A configured with: Primary: WLAN-Controller-A   Secondary: WLAN-Controller-B
  APs on WLAN-Controller-B configured with: Primary: WLAN-Controller-B   Secondary: WLAN-Controller-A

N:N:1 Redundancy (WLAN-Controller-BKP in the NOC or data center as tertiary)
  APs on WLAN-Controller-A configured with: Primary: WLAN-Controller-A   Secondary: WLAN-Controller-B   Tertiary: WLAN-Controller-BKP
  APs on WLAN-Controller-B configured with: Primary: WLAN-Controller-B   Secondary: WLAN-Controller-A   Tertiary: WLAN-Controller-BKP
High Availability Using Cisco 5508
§  APs are connected to primary WLC 5508
§  In case of hardware failure of WLC 5508
§  APs fall back to secondary WLC 5508
§  Traffic flows through the secondary WLC 5508 and primary core switch
Figure: Primary WLC5508 and Secondary WLC5508 attached to redundant core switches

High Availability Using WiSM: Uplink Failure on Primary Switch
§  In case of uplink failure of the primary switch
§  Standby switch becomes the active HSRP switch
§  APs are still connected to primary WiSM
§  Traffic flows through the new HSRP active switch
Figure: active HSRP switch holding the primary WiSM; the standby HSRP switch becomes the new active HSRP switch

High Availability Using WiSM-2
§  APs are connected to primary WiSM
§  In case of hardware failure of primary WiSM
§  APs fall back to secondary WiSM
§  Traffic flows through the secondary WiSM and primary core switch
Figure: Primary WiSM and Secondary WiSM on redundant core switches


VSS and Cisco 5508
§  Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch
§  4 ports of Cisco 5508 are connected to active VSS switch
§  2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch
§  In case of failure of primary switch, traffic continues to flow through secondary switch in the VSS pair
Figure: Cisco 5508 dual-attached to a Catalyst VSS pair


VSS and WiSM-2
Figure: Virtual Switch System (VSS). Switch-1 (VSS Active: control plane active, data plane active) and Switch-2 (VSS Standby: control plane standby, data plane active) joined by the VSL, with a failover/state sync VLAN between them; service modules FWSM Active / FWSM Standby and WiSM-2 Active / WiSM-2 Standby


Controller Redundancy
High Availability Principles
§  AP is registered with a WLC and maintains a backup list of WLCs
§  AP uses heartbeats to validate WLC connectivity
§  AP uses Primary Discovery messages to validate the backup WLC list
§  When the AP loses three heartbeats it starts the join process to the first backup WLC candidate
§  Candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
§  AP does not re-initiate the discovery process
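The selection rule above, together with the N:1, N:N and N:N:1 assignments from the Architecture Resiliency slide, can be checked before a design goes live. The following is an added example, not Cisco code: it models the stated behaviour (three missed heartbeats, then a join to the first alive candidate in the order primary, secondary, tertiary, global primary, global secondary) and reports where every AP lands for a given set of failed controllers, flagging APs that would be left with no alive candidate. Controller and AP names are constructed, and the time-to-failover it reports is the simplification "missed heartbeats times heartbeat interval", not the full timer set on the next slide.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HEARTBEATS_BEFORE_FAILOVER = 3  # slide: AP starts the join process after losing three heartbeats


@dataclass
class ApConfig:
    name: str
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


@dataclass
class Ap:
    cfg: ApConfig
    joined: Optional[str] = None   # WLC the AP is currently registered with
    missed: int = 0                # consecutive missed heartbeats


def candidate_order(cfg, global_primary=None, global_secondary=None) -> List[str]:
    """Backup list in the slide's priority order, skipping unset and duplicate entries."""
    result: List[str] = []
    for wlc in (cfg.primary, cfg.secondary, cfg.tertiary, global_primary, global_secondary):
        if wlc and wlc not in result:
            result.append(wlc)
    return result


def select_backup(cfg, alive, global_primary=None, global_secondary=None) -> Optional[str]:
    """First alive WLC in candidate order; None means the AP has nowhere to join."""
    for wlc in candidate_order(cfg, global_primary, global_secondary):
        if wlc in alive:
            return wlc
    return None


def heartbeat_cycle(ap, alive, global_primary=None, global_secondary=None) -> Optional[str]:
    """One heartbeat interval; returns the WLC the AP is joined to afterwards."""
    if ap.joined in alive:
        ap.missed = 0
        return ap.joined
    ap.missed += 1
    if ap.missed >= HEARTBEATS_BEFORE_FAILOVER:
        ap.joined = select_backup(ap.cfg, alive, global_primary, global_secondary)
        ap.missed = 0
    return ap.joined


def simulate_failure(cfg, failed, controllers, heartbeat_s=1.0,
                     global_primary=None, global_secondary=None):
    """Start the AP on its primary, fail `failed`, return (new WLC, seconds until it moved)."""
    ap = Ap(cfg, joined=cfg.primary)
    alive = set(controllers) - set(failed)
    if ap.joined in alive:
        return ap.joined, 0.0
    elapsed = 0.0
    for _ in range(HEARTBEATS_BEFORE_FAILOVER):
        elapsed += heartbeat_s
        heartbeat_cycle(ap, alive, global_primary, global_secondary)
    return ap.joined, elapsed


def fallback_report(ap_configs, failed, controllers,
                    global_primary=None, global_secondary=None) -> Dict[str, Optional[str]]:
    """Where each AP ends up; a None value marks an AP stranded without an alive candidate."""
    return {cfg.name: simulate_failure(cfg, failed, controllers, 1.0,
                                       global_primary, global_secondary)[0]
            for cfg in ap_configs}


if __name__ == "__main__":
    # Constructed N:N:1 design from the Architecture Resiliency slide
    ctrls = {"WLAN-Controller-A", "WLAN-Controller-B", "WLAN-Controller-BKP"}
    aps = [ApConfig("ap-bldgA-1", "WLAN-Controller-A", "WLAN-Controller-B", "WLAN-Controller-BKP"),
           ApConfig("ap-bldgB-1", "WLAN-Controller-B", "WLAN-Controller-A", "WLAN-Controller-BKP")]
    print(fallback_report(aps, failed={"WLAN-Controller-A", "WLAN-Controller-B"}, controllers=ctrls))
```

Running the report with both campus controllers failed shows the value of the tertiary entry: in the N:N:1 design every AP lands on WLAN-Controller-BKP, while the same APs configured N:N (no tertiary) come back as stranded unless a global primary is set.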
Figure: AP registered with its Primary WLC and holding a Secondary WLC in its backup list

Controller Redundancy
High Availability with 7.0.116

To accommodate both local and remote settings, configurable options are provided so that the administrator can fine-tune the settings based on the requirements.

Timer                         New Timers      Old Timers-5508    Old Timers-Non-5508
Heartbeat                     1-30 seconds    10-30 seconds      1-30 seconds
Fast Heartbeat Timeout        1-10 seconds    3-10 seconds       1-10 seconds
AP Retransmit Interval        2-5 seconds     3 seconds          3 seconds
AP Retrans with FH Enabled    3-8 times       3 times            3 times
AP Retrans with FH Disabled   3-8 times       5 times            5 times
AP Fallback to next WLC       12 seconds      35 seconds         35 seconds

AP Pre-Image Download in 7.0
§  Since most CAPWAP APs can download and keep more than one image of 4–5 MB each
§  AP pre-image download allows AP to download code while it is operational
§  Pre-Image download operation
  1.  Upgrade the image on the controller
  2.  Don’t reboot the controller
  3.  Issue AP pre-image download command
  4.  Once all AP images are downloaded
  5.  Reboot the controller
  6.  AP now rejoins the controller without reboot
Figure: Cisco WLAN Controller pushing the AP pre-image download over CAPWAP-L3 to the access points; the AP then joins without a download. How much time do you save?

Configure AP Pre-Image Download
§  Upgrade the image on the controller and don’t reboot
§  Currently we have two images on the controller

(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0
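Step 4 of the procedure ("once all AP images are downloaded") is the gate that decides whether the controller reboot is disruptive. The following is an added example, not Cisco code: it models the two image slots on the controller and on each AP through the six steps, and answers the step-4 question by listing the APs whose backup slot does not yet hold the controller's new primary image, so an operator can see which APs would have to download on rejoin. The version strings are the ones in the `show boot` output above; AP names and the set of APs whose download fails are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class ImageSlots:
    primary: str
    backup: str = ""


@dataclass
class Ap:
    name: str
    images: ImageSlots


class Controller:
    """Controller boot images plus the APs joined to it (model only, not the WLC code)."""

    def __init__(self, primary: str, backup: str = ""):
        self.boot = ImageSlots(primary, backup)
        self.running = primary      # image actually running; only changes at reboot
        self.aps: Dict[str, Ap] = {}

    def upgrade(self, new_version: str) -> None:
        """Steps 1-2: new image becomes primary, old primary moves to backup, no reboot."""
        self.boot = ImageSlots(primary=new_version, backup=self.boot.primary)

    def predownload(self, fail: Iterable[str] = ()) -> None:
        """Step 3: copy the controller's primary image into each AP's backup slot.
        `fail` is a constructed set of APs whose transfer never completes."""
        for name, ap in self.aps.items():
            if name not in set(fail):
                ap.images.backup = self.boot.primary

    def aps_not_ready(self) -> List[str]:
        """Step 4 check: APs that would still need a download after the reboot."""
        return sorted(n for n, ap in self.aps.items() if ap.images.backup != self.boot.primary)

    def reboot(self) -> Dict[str, str]:
        """Steps 5-6: controller boots its primary image; APs holding it in their backup
        slot swap images and rejoin, the rest must download the image on join."""
        self.running = self.boot.primary
        outcome = {}
        for name, ap in self.aps.items():
            if ap.images.backup == self.running:
                ap.images = ImageSlots(primary=ap.images.backup, backup=ap.images.primary)
                outcome[name] = "swap-and-rejoin"
            else:
                ap.images = ImageSlots(primary=self.running, backup=ap.images.primary)
                outcome[name] = "download-on-join"
        return outcome


def run_upgrade(ap_names: Iterable[str], old: str = "7.0.98.0", new: str = "7.0.116.0",
                fail: Iterable[str] = ()) -> Tuple[List[str], Dict[str, str]]:
    """Walk the whole procedure; returns (APs not ready at step 4, per-AP rejoin outcome)."""
    wlc = Controller(primary=old)
    for name in ap_names:
        wlc.aps[name] = Ap(name, ImageSlots(primary=old))
    wlc.upgrade(new)
    wlc.predownload(fail=fail)
    pending = wlc.aps_not_ready()   # an operator would wait, or retry, while this is non-empty
    outcome = wlc.reboot()
    return pending, outcome


if __name__ == "__main__":
    print(run_upgrade(["ap-1", "ap-2", "ap-3"], fail={"ap-3"}))
```

On a real AireOS controller the predownload is started with `config ap image predownload primary all` and the per-AP image state is read with `show ap image all`; the check modelled by `aps_not_ready` is the operator comparing that output against the controller's primary image before rebooting.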

Configure AP Pre-Image Download
Wireless > AP > Global Configuration
Figure: screenshots: perform primary image predownload on the AP; AP now starts predownloading; AP now swaps image after reboot of the controller


Deploying the Cisco Unified Wireless Architecture
§  Controller Redundancy and AP Load Balancing
§  Understanding AP Groups
§  IPv6 Deployment with Controllers
§  Branch Office Designs
§  Guest Access Deployment
§  Home Office Design


AP-Groups

Default AP-Group
§  The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
§  Default AP-Group cannot be modified
§  APs with no assignment to a specific AP-Group will use the Default AP-Group
§  The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups
§  Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
§  Maximum AP groups per platform: WLC 2106: 50; WLC 2504: 50; WLC 4400 and WiSM: 300; WLC 5508 and WiSM-2: 500; WLC 7500: 500
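The rules on this slide are easy to get wrong in a large design, in particular the one that matters for exposure: an AP with no AP-group assignment advertises every WLAN with ID 1–16, whatever that WLAN is. The following is an added example, not Cisco code: a validator that encodes the slide's rules (WLAN IDs 1–16 form the unmodifiable default group, IDs 17 and up may be placed in any group, a WLAN may use a different dynamic interface per group, AP-group count capped per platform) and a resolver that shows which WLAN-to-interface map a given AP will actually advertise. Group names, WLAN IDs and interface names are constructed.

```python
from typing import Dict, List, Optional

# Maximum AP groups per platform, as listed on the slide
MAX_AP_GROUPS = {
    "WLC 2106": 50, "WLC 2504": 50,
    "WLC 4400": 300, "WiSM": 300,
    "WLC 5508": 500, "WiSM-2": 500, "WLC 7500": 500,
}
DEFAULT_GROUP = "default-group"
DEFAULT_WLAN_IDS = range(1, 17)        # WLAN IDs 1-16 always sit in the default AP group

# Type aliases: a WLAN table maps WLAN ID -> the WLAN's own interface;
# an AP group maps WLAN ID -> the dynamic interface used inside that group.
WlanTable = Dict[int, str]
ApGroups = Dict[str, Dict[int, str]]


def default_group(wlans: WlanTable) -> Dict[int, str]:
    """The default AP group as the WLC builds it: every existing WLAN with ID 1-16."""
    return {wid: iface for wid, iface in wlans.items() if wid in DEFAULT_WLAN_IDS}


def validate_ap_groups(platform: str, wlans: WlanTable, groups: ApGroups) -> List[str]:
    """Return a list of rule violations (empty list means the design is consistent)."""
    problems: List[str] = []
    limit = MAX_AP_GROUPS.get(platform)
    if limit is None:
        problems.append(f"unknown platform {platform!r}")
    custom = [g for g in groups if g != DEFAULT_GROUP]
    if limit is not None and len(custom) > limit:
        problems.append(f"{len(custom)} AP groups exceeds the {platform} limit of {limit}")
    expected = set(default_group(wlans))
    actual = set(groups.get(DEFAULT_GROUP, {}))
    if actual != expected:
        problems.append("default AP group cannot be modified: expected WLAN IDs "
                        f"{sorted(expected)}, got {sorted(actual)}")
    for g in custom:
        for wid in groups[g]:
            if wid not in wlans:
                problems.append(f"AP group {g!r} references undefined WLAN {wid}")
    return problems


def resolve_ap(ap_group: Optional[str], groups: ApGroups) -> Dict[int, str]:
    """WLAN -> interface map an AP advertises; an unassigned AP uses the default group."""
    name = ap_group or DEFAULT_GROUP
    if name not in groups:
        raise KeyError(f"AP group {name!r} is not defined on the controller")
    return dict(groups[name])


if __name__ == "__main__":
    # Constructed sample: two WLANs in the 1-16 range and two above it
    wlans = {1: "employee", 2: "guest", 17: "employee", 18: "iot"}
    groups = {
        DEFAULT_GROUP: default_group(wlans),
        "bldg-A": {1: "vlan60", 17: "vlan60"},
        "bldg-B": {17: "vlan70", 18: "vlan80"},
    }
    print(validate_ap_groups("WLC 5508", wlans, groups))
    print("unassigned AP advertises:", resolve_ap(None, groups))
```

The `resolve_ap(None, ...)` call is the check worth running on any new site: it is the set of SSIDs a freshly joined, not-yet-assigned AP will broadcast, so WLANs that should be limited to one building or to the data centre are better created with IDs of 17 and up.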


AP-Grouping in Campus
Figure: campus with Access, Distribution and Core layers; all APs broadcast a single SSID (Employee) mapped to one VLAN 100 /21, carried over CAPWAP to WLC-1 (WAN side) and WLC-2 (Data Center), with the Internet edge alongside

AP-Grouping in Campus
Figure: the same campus with three AP groups, each mapping the single Employee SSID to its own subnet: AP-Group-1 → VLAN 60 /23, AP-Group-2 → VLAN 70 /23, AP-Group-3 → VLAN 80 /23; WLC-1 (WAN side) and WLC-2 (Data Center) carry VLAN 60, VLAN 70 and VLAN 80 in addition to VLAN 100 /21, reached over CAPWAP

Default AP-Group
Figure: WLC screenshot of the Default AP Group (network name list); only WLANs 1–16 will be added in the default AP group

Multiple AP-Groups
Figure: WLC screenshot listing AP Group 1, AP Group 2 and AP Group 3

Interface-Groups
7.0.116
§  Interface-groups allow a WLAN to be mapped to a single interface or to multiple interfaces
§  Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round robin fashion
§  Extends current AP group and AAA override, with multiple interfaces using interface groups
§  Interface-Groups/Interfaces per controller:
  WiSM-2, 5508, 7500, 2500: 64/64
  WiSM, 4400: 32/32
  2100 and 2504: 4/4


Interface-Grouping in Campus 7.0.116
Figure: the same campus with three interface groups, each giving the single Employee SSID two subnets: Int-Group-1 → VLAN 60 /23 and VLAN 61 /23, Int-Group-2 → VLAN 70 /23 and VLAN 71 /23, Int-Group-3 → VLAN 80 /23 and VLAN 81 /23; WLC-1 (WAN side) and WLC-2 (Data Center) carry VLAN 60, 61, 70, 71, 80 and 81 in addition to VLAN 100 /21, reached over LWAPP/CAPWAP

Multiple Interface-Groups 7.0.116
Figure: WLC screenshot listing Interface Group 1, Interface Group 2 and Interface Group 3

Deploying the Cisco Unified Wireless Architecture
§  Controller Redundancy and AP Load Balancing
§  Understanding AP Groups
§  IPv6 Deployment with Controllers
§  Branch Office Designs
§  Guest Access Deployment
§  Home Office Design


IPv6 over IPv4 Tunneling
§  Prior to the WLC 6.0 release, only IPv6 pass-through is supported, and no L2 security can be enabled on the IPv6 WLAN
§  With the WLC 6.0 release, IPv6 pass-through with Layer 2 security is supported
§  To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller
§  IPv6 packets are tunneled over the CAPWAP IPv4 tunnel
§  Same WLAN can support both IPv4 and IPv6 clients
§  IPv6 pass-through and IPv4 Webauth are also supported on the same WLAN
§  IPv6 is not supported with guest mobility anchor tunneling
Figure: client IPv6 traffic tunneled over IPv4 and bridged to Ethernet
  Client to AP (802.11):             802.11 | IPv6
  AP to controller (CAPWAP tunnel):  Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
  Controller to wired network:       Ethernet II | IPv6
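The layering in the figure is what a capture on the AP-to-controller link looks like when the data plane is not DTLS-encrypted. The following is an added example, not Cisco code: it builds one constructed upstream packet using the RFC 5415 CAPWAP data-channel header (UDP port 5247; the controller may use its own variant of the header, the standard layout is assumed here) carrying a native 802.11 data frame whose LLC/SNAP payload is IPv6, walks the stack back down layer by layer, and produces the Ethernet II | IPv6 frame the controller bridges onto the wired VLAN. It also shows the failure mode a packet-level monitor hits when the data plane is DTLS-encrypted: the preamble byte changes and the payload cannot be inspected. MAC addresses, IPv4 and IPv6 addresses are documentation/constructed values and checksums are left at zero.

```python
import ipaddress
import struct

CAPWAP_DATA_PORT = 5247                    # CAPWAP data channel (control channel is 5246)
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
LLC_SNAP = bytes.fromhex("aaaa03000000")   # LLC/SNAP prefix in front of the ethertype
WBID_80211 = 1                             # CAPWAP wireless binding id for IEEE 802.11


def build_ipv6(src, dst, payload, next_header=58):
    # version 6, zero traffic class/flow label, hop limit 64; 58 = ICMPv6
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def build_dot11_data(bssid, sa, da, payload, qos=False):
    # Frame control: type=data (0x08); QoS-data subtype sets bit 7; flags ToDS=1 (client to AP),
    # so Addr1=BSSID, Addr2=SA, Addr3=DA. Duration and sequence control are zero.
    fc0 = 0x88 if qos else 0x08
    hdr = struct.pack("<BBH", fc0, 0x01, 0) + bssid + sa + da + struct.pack("<H", 0)
    if qos:
        hdr += struct.pack("<H", 0)        # 2-byte QoS control field
    return hdr + LLC_SNAP + struct.pack("!H", ETHERTYPE_IPV6) + payload


def build_capwap_data(inner, native=True):
    # Word 0: preamble 0x00 (plain CAPWAP, type 1 would mean DTLS) | HLEN=2 (8 bytes / 4)
    #         | RID=0 | WBID=1 | T=1 (payload is a native 802.11 frame); word 1: no fragmentation
    word0 = (2 << 19) | (0 << 14) | (WBID_80211 << 9) | (int(native) << 8)
    return struct.pack("!II", word0, 0) + inner


def build_packet(ap_mac, wlc_mac, ap_ip, wlc_ip, inner):
    capwap = build_capwap_data(inner)
    udp = struct.pack("!HHHH", CAPWAP_DATA_PORT, CAPWAP_DATA_PORT, 8 + len(capwap), 0) + capwap
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(ap_ip).packed, ipaddress.IPv4Address(wlc_ip).packed) + udp
    return wlc_mac + ap_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


def parse_capwap_ipv6(pkt):
    """Walk Ethernet II | IPv4 | UDP | CAPWAP | 802.11 | IPv6 and return the bridged frame."""
    layers = ["Ethernet II"]
    if struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("CAPWAP rides on UDP")
    layers.append("IPv4")
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != CAPWAP_DATA_PORT:
        raise ValueError("not the CAPWAP data port")
    layers.append("UDP")
    cap = udp[8:]
    word0 = struct.unpack("!I", cap[:4])[0]
    if word0 >> 24 != 0:
        raise ValueError("preamble says DTLS: data plane is encrypted, payload not inspectable")
    hlen = ((word0 >> 19) & 0x1F) * 4
    if (word0 >> 9) & 0x1F != WBID_80211 or not (word0 >> 8) & 1:
        raise ValueError("expected a native 802.11 payload (WBID=1, T=1)")
    layers.append("CAPWAP")
    d11 = cap[hlen:]
    fc0 = d11[0]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not an 802.11 data frame")
    hdr_len = 24 + (2 if fc0 & 0x80 else 0)          # QoS data adds the QoS control field
    sa, da = d11[10:16], d11[16:22]                  # ToDS=1 address layout
    layers.append("802.11")
    body = d11[hdr_len:]
    if body[:6] != LLC_SNAP or struct.unpack("!H", body[6:8])[0] != ETHERTYPE_IPV6:
        raise ValueError("inner payload is not IPv6")
    v6 = body[8:]
    if v6[0] >> 4 != 6:
        raise ValueError("bad IPv6 version")
    layers.append("IPv6")
    bridged = da + sa + struct.pack("!H", ETHERTYPE_IPV6) + v6   # what the WLC puts on the wire
    return {"layers": layers,
            "ipv6_src": str(ipaddress.IPv6Address(v6[8:24])),
            "ipv6_dst": str(ipaddress.IPv6Address(v6[24:40])),
            "bridged_frame": bridged}


def sample_packet():
    """Constructed upstream packet: client 2001:db8::10 pings 2001:db8::1 via AP 10.0.0.10 -> WLC 10.0.0.1."""
    client, gw, ap, wlc = (bytes.fromhex(h) for h in
                           ("02000000aa01", "02000000bb01", "02000000cc01", "02000000dd01"))
    v6 = build_ipv6("2001:db8::10", "2001:db8::1", b"\x80\x00\x00\x00")   # ICMPv6 echo stub
    d11 = build_dot11_data(bssid=ap, sa=client, da=gw, payload=v6, qos=True)
    return build_packet(ap_mac=ap, wlc_mac=wlc, ap_ip="10.0.0.10", wlc_ip="10.0.0.1", inner=d11)


if __name__ == "__main__":
    print(parse_capwap_ipv6(sample_packet())["layers"])
```

Two things the walk makes concrete: the controller, not the AP, is where the 802.11 frame turns into an Ethernet frame (split MAC), so any IPv6 first-hop controls such as RA filtering have to live on the controller side or on the wired VLAN it bridges into; and once the data plane is DTLS-encrypted (the preamble check above), a monitor between AP and controller sees only an encrypted UDP stream, which is the intended trade-off.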

IPv6 Configuration on WLC 6.X
§  Enable IPv6 on the WLAN and multicast on the WLC


IPv6 Client Details
§  IPv6 client details on the WLC

§  IPv6 client details from dual-stack (Vista) client


Deploying the Cisco Unified Wireless Architecture
§  Controller Redundancy and AP Load Balancing
§  Understanding AP Groups
§  IPv6 Deployment with Controllers
§  Branch Office Designs
  Understanding HREAP (Hybrid REAP) AP Deployment
  Understanding Branch Controller Deployment
§  Guest Access Deployment
§  Home Office Design


Branch Office Deployment
HREAP
§  Hybrid architecture
§  Single management and control point
  Centralized traffic (split MAC) or local traffic (local MAC)
§  HA will preserve local traffic only
Figure: central site and remote office joined by a WAN; centralized traffic crosses the WAN to the central site, local traffic stays in the remote office


H-REAP Design Considerations
§  Some WAN limitations apply
  RTT must be below 300 ms for data (100 ms for voice)
  Minimum 500 bytes WAN MTU (with maximum four fragmented packets)

§  Some features are not available in standalone mode or in local switching mode
  ACL in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC)
  See full list in “H-REAP Feature Matrix”: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml


Configure H-REAP Mode
Step 1: Configure Access Point Mode
§  Enable H-REAP mode per AP
§  Supported AP: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500


Configure H-REAP Local Switching
Step 2: Enable Local Switching per WLAN
§  Only WLAN with “Local Switching” enabled will allow local switching at the H-REAP AP


Configure H-REAP VLAN Mapping
Step 3: H-REAP Specific Configuration
§  H-REAP AP can be connected on an access port (using native VLAN) or connected to an 802.1Q trunk port
§  VLAN mapping is a per AP configuration on WLC and by AP group using templates on a WCS


Configure H-REAP VLAN Mapping
Step 4: Per AP SSID to VLAN Mapping
§  Mapping of SSID to 802.1Q VLAN is done per H-REAP AP
§  Use WCS for configuration with templates

Economies of Scale for Lean Branches
Flex 7500 Wireless Controller (New)

Access Points             300-2,000
Clients                   20,000
Branches                  500
Access Points / Branch    50
Deployment Model          FlexConnect
Form Factor               1 RU
IO Interface              2x 10GE
Upgrade Licenses          100, 200, 500, 1K

Key Differentiation
Ø  WAN Tolerance
  •  High Latency Networks
  •  WAN Survivability
Ø  Security
  802.1x based port authentication
Ø  Voice support
  •  Voice CAC
  •  OKC/CCKM


Understanding H-REAP Groups
§  WLC supports up to 20 H-REAP groups
§  Each H-REAP group supports up to 25 H-REAP APs
§  H-REAP groups allow sharing of:
  CCKM fast roaming keys
  Local user authentication
  Local EAP authentication
Figure: central site connected over a WAN to two remote sites, H-REAP Group 1 and H-REAP Group 2


H-REAP Groups and CCKM Keys
§  CCKM keys are stored on HREAP APs for Layer 2 fast roaming
§  The HREAP APs will receive the CCKM keys from the WLC
§  If a HREAP AP boots up in the standalone mode, it will not get the CCKM keys from the WLC and fast roaming is not supported
Figure: RADIUS server at the central site; WAN to remote sites H-REAP Group 1 and H-REAP Group 2


H-REAP Groups and CCKM Keys
Figure: WLC screenshots: add a new H-REAP group; add APs to the H-REAP group


H-REAP Groups and Local EAP
§  In case of WAN failure (standalone mode), HREAP APs can act like a local EAP server
§  In a HREAP group we can store 100 usernames and act like a local EAP server
§  LEAP and EAP-FAST are the only supported EAP types in standalone mode
Figure: central site with RADIUS server; WAN to remote sites H-REAP Group 1 and H-RE
AP Group 2, with a local EAP server at the remote site


H-REAP Groups and Local EAP
Figure: WLC screenshots: add the H-REAP AP to the group and enable AP local authentication; add the username and password to be stored on the HREAP AP


H-REAP Groups and Local RADIUS Server
§  In case of WAN failure (standalone mode), HREAP APs can authenticate from a local RADIUS server
§  Only the session-timeout RADIUS attribute (attribute 27) is supported in the standalone mode
§  RADIUS accounting is not supported in standalone mode
Figure: central site with RADIUS server; WAN to remote sites H-REAP Group 1 (with its own local RADIUS server) and H-REAP Group 2


H-REAP Groups and Local RADIUS Server
Figure: WLC screenshots: add the IP address of the remote RADIUS server in the WLC (10.20.20.12); select the remote RADIUS server details in the HREAP group of the remote site


FlexConnect Improvements in New 7.0.116
§  WAN Survivability
  FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails

§  Local Authentication
  Allows for the authentication capability to exist directly at the AP in FlexConnect instead of the WLC

§  Improved Scale
  Group scale: max HREAP groups increased to 500 (7500s) and 100 (5500s)
  APs per group: 50 (7500s) and 25 (5500s)

§  Fast Roaming in Remote Branches
  Opportunistic Key Caching (OKC) between APs in a branch
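The WAN limits from the H-REAP Design Considerations slide and the group limits from the Understanding H-REAP Groups slide and the scale figures above are the numbers a branch design is checked against. The following is an added example, not Cisco code: two checks that encode those figures (RTT below 300 ms for data and 100 ms for voice, at least a 500-byte WAN MTU with at most four fragments; 20 groups of 25 APs before 7.0.116, 500 × 50 on the 7500 and 100 × 25 on the 5500 with 7.0.116, 100 local EAP usernames per group) and report what a given set of branches violates. Branch names, RTT and MTU measurements and user counts are constructed, and the fragment estimate divides a packet size by the MTU without per-fragment header overhead.

```python
import math
from typing import Dict, List, Tuple

MAX_RTT_MS = {"data": 300, "voice": 100}   # H-REAP Design Considerations slide
MIN_WAN_MTU = 500
MAX_FRAGMENTS = 4
LOCAL_EAP_USERS_PER_GROUP = 100            # H-REAP Groups and Local EAP slide


def hreap_group_limit(platform: str, release: str) -> Tuple[int, int]:
    """(max H-REAP groups, APs per group). Pre-7.0.116 the slides give 20 groups of 25 APs."""
    if release == "7.0.116":
        limits = {"7500": (500, 50), "5500": (100, 25)}
        if platform not in limits:
            raise ValueError(f"no 7.0.116 H-REAP group figure on the slides for {platform!r}")
        return limits[platform]
    return (20, 25)


def check_wan(rtt_ms: float, mtu_bytes: int, capwap_pkt_bytes: int = 1500,
              voice: bool = False) -> List[str]:
    """Violations of the WAN limits for one branch path (empty list = within limits)."""
    problems = []
    kind = "voice" if voice else "data"
    limit = MAX_RTT_MS[kind]
    if rtt_ms >= limit:
        problems.append(f"RTT {rtt_ms} ms is not below the {limit} ms limit for {kind}")
    if mtu_bytes < MIN_WAN_MTU:
        problems.append(f"WAN MTU {mtu_bytes} is below the {MIN_WAN_MTU}-byte minimum")
    fragments = math.ceil(capwap_pkt_bytes / mtu_bytes)   # simplification: no header overhead
    if fragments > MAX_FRAGMENTS:
        problems.append(f"a {capwap_pkt_bytes}-byte packet needs {fragments} fragments "
                        f"(maximum {MAX_FRAGMENTS})")
    return problems


def plan_hreap_groups(branches: Dict[str, Dict[str, int]], platform: str,
                      release: str) -> Tuple[int, List[str]]:
    """branches: {name: {"aps": n, "users": m}}. Returns (groups needed, problems).
    Each branch gets its own group(s) because CCKM keys and local auth are shared per group."""
    max_groups, aps_per_group = hreap_group_limit(platform, release)
    problems, needed = [], 0
    for name, b in branches.items():
        groups = math.ceil(b["aps"] / aps_per_group)
        needed += groups
        if groups > 1:
            problems.append(f"{name}: {b['aps']} APs need {groups} groups of {aps_per_group}; "
                            "CCKM keys are shared only inside a group")
        if b.get("users", 0) > LOCAL_EAP_USERS_PER_GROUP:
            problems.append(f"{name}: {b['users']} local EAP users exceed the "
                            f"{LOCAL_EAP_USERS_PER_GROUP} a group can store")
    if needed > max_groups:
        problems.append(f"{needed} H-REAP groups needed but {platform} on {release} "
                        f"supports {max_groups}")
    return needed, problems


if __name__ == "__main__":
    # Constructed branches: measured RTT/MTU and the planned AP and local-user counts
    print(check_wan(rtt_ms=120, mtu_bytes=1400, voice=True))
    print(plan_hreap_groups({"br-1": {"aps": 30, "users": 40},
                             "br-2": {"aps": 10, "users": 120}}, "5500", "7.0.116"))
```

The two outputs are the ones to look at together: a branch that passes the data RTT limit can still fail it for voice, and a branch that fits the AP count can still exceed what one group can hold for local EAP users, which matters because that local list is all the AP can authenticate against while the WAN is down.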

Flex 7500 vs. 5500/WiSM2

FlexConnect (H-REAP)         Flex 7500    5500/WiSM2
APs Managed                  2,000        500/500
Clients Supported            20,000       7,000/10,000
Number of H-REAP Groups      500          100
APs per H-REAP Group         50           25
Number of AP Groups          500          500
APs per RRM Group            4,000        1,000
WLANs                        512          512
WLAN per H-REAP Group        16           16

Controller Portfolio
Comprehensive Solution for All Segments
Figure: portfolio positioned by scale and by features/performance: WLCM2 (NEW) and 2500 (NEW) at the low end, 5500 and WiSM2 (NEW) for campus and full service branch, and a NEW lean-branch controller at the scale end

Cisco WLAN Solution Components
Figure: Management (WCS), Mobility Services, Controllers (WLC), Access Points

Deploying the Cisco Unified Wireless Architecture
§  Controller Redundancy and AP Load Balancing
§  Understanding AP Groups
§  IPv6 Deployment with Controllers
§  Branch Office Designs
  Understanding HREAP (Hybrid REAP) AP Deployment
  Understanding Branch Controller Deployment
§  Guest Access Deployment
§  Home Office Design


Branch Office WLAN Controller Options
§  Appliance controllers
  Cisco 2504-12
  Cisco 5508-12, 5508-25
§  Integrated controller
  WLAN controller module (WLCM-2) for ISR G2
Figure: headquarters (WCS, e-mail) connected over MPLS / ATM / Frame Relay to a branch office (number of users: 100–500, number of APs: 5–25) and over Internet VPN to a small office (number of users: 20–100, number of APs: 1–5)

Branch Office WLAN Controller Options
§  Cisco Unified Wireless Network with controller-based
§  Multiple integrated WAN options on ISR
§  Consistent branch-HQ services, features, and performance
§  Standardized branch configuration extends the unified wired and wireless network
§  Branch configuration management from central WCS
Figure: headquarters (WCS, e-mail) over MPLS / ATM / Frame Relay to a branch office with Cisco 2504 and over Internet VPN to a small office with WLCM-2 (** AP count varies depending on channel utilization and data rates)

When to Choose WLC 2504?
§  WLC2504 should be used in the branch for the following reasons compared to HREAP solution:
  •  If you need cookie cutter configuration for every branch site
  •  If you need Layer-3 roaming in the branch site
  •  If you need VideoStream technology in the branch site
  •  If you need to implement VLAN Select in the branch site
  •  If you need to implement Static IP mobility in the branch site
  •  If you need to implement ACL in the branch site
  •  If you need to implement peer to peer blocking in the branch site
  •  If you want WGB support in the branch site
  •  If you want MESH AP support in the branch site


Deploying the Cisco Unified Wireless Architecture
§  Controller Redundancy and AP Load Balancing
§  Understanding AP Groups
§  IPv6 Deployment with Controllers
§  Branch Office Designs
§  Guest Access Deployment
§  Home Office Design


Guest Access Deployment
WLAN Controller Deployments with EoIP Tunnel
§  Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
§  Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN
§  No need to define the guest VLANs on the switches connected to the remote controllers
§  Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels
§  Redundant EoIP tunnels to the Anchor WLC
§  2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)
Figure: guest client → CAPWAP → Wireless LAN Controller → EoIP “Guest Tunnel” → DMZ or Anchor Wireless Controller → Cisco ASA Firewall → Internet

Guest Access Deployment with 7.0.116
Figure: foreign WLCs at the campus core serving wireless VLANs/interface groups (Wireless VLAN-1/WLANA, Wireless VLAN2/WLANA, Wireless VLAN3/WLANA, Wireless VLAN-4/WLANA) with DHCP servers in the core holding the VLAN DHCP scopes and ACS/ISE for authentication; secure traffic is bridged locally, guest traffic is carried over EtherIP “Guest Tunnels” to Anchor1 and Anchor2 in the DMZ, where DHCP servers in the DMZ hold the VLAN DHCP scopes, and on to the Internet

Interface Group and Auto Anchor Mobility Using 7.0.116
§  Clients joining a foreign WLC which is exported to an anchor WLC and mapped to an interface group will get an IP address in round robin method inside the interface group
§  Clients joining a foreign WLC which is exported to an anchor WLC and mapped to an interface will get an IP address from that interface only
§  Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain their IP address


Interface Group and Auto Anchor Mobility Using 7.0.116
Configure subnet/address assignment based on foreign site/location in the guest anchor setup; the command is:
§  CLI: config wlan mobility foreign-map add <wlan-id> <mac address> <interface/interface group>
§  GUI: a new option is created under WLAN: “Foreign Maps”
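The behaviour described on the Interface-Groups slide (round-robin choice of an interface, and so a subnet, for each client joining a WLAN) and on the two auto-anchor slides above (the anchor picks the interface or interface group by the foreign WLC's MAC address through a foreign-map entry, and a client roaming between foreign WLCs mapped to the same interface group keeps its address) can be exercised offline before the anchor is configured. The following is an added example, not Cisco code: a small model of the anchor's foreign-map table and of interface-group address selection, in which a single interface is represented as a group of one. Subnets (documentation ranges), WLC MAC addresses, client MAC addresses and the DHCP scope start are constructed.

```python
import ipaddress
from itertools import cycle
from typing import Dict, Optional, Tuple


class InterfaceGroup:
    """Interfaces of a group with a constructed DHCP scope per interface; a plain
    interface is modelled as a group holding one interface."""

    def __init__(self, name: str, interfaces: Dict[str, str]):
        self.name = name
        self.interfaces = dict(interfaces)          # interface name -> subnet
        self._rr = cycle(self.interfaces)           # round robin over the interfaces (slide)
        self._next_host = {n: 10 for n in self.interfaces}   # scope starts at .10 (constructed)

    def next_interface(self) -> str:
        return next(self._rr)

    def lease(self, iface: str) -> str:
        net = ipaddress.ip_network(self.interfaces[iface])
        addr = net.network_address + self._next_host[iface]
        self._next_host[iface] += 1
        return str(addr)


def single_interface(name: str, subnet: str) -> InterfaceGroup:
    return InterfaceGroup(name, {name: subnet})


class AnchorWlc:
    """Anchor controller: foreign-map table plus the clients it currently anchors."""

    def __init__(self):
        self.foreign_map: Dict[Tuple[int, str], InterfaceGroup] = {}
        self.wlan_default: Dict[int, InterfaceGroup] = {}    # WLAN's own interface(s), no map hit
        self.clients: Dict[str, Tuple[str, str, str]] = {}   # client MAC -> (target, iface, ip)

    def add_foreign_map(self, wlan_id: int, foreign_mac: str, target: InterfaceGroup) -> None:
        # Mirrors: config wlan mobility foreign-map add <wlan-id> <mac address> <interface/interface group>
        self.foreign_map[(wlan_id, foreign_mac.lower())] = target

    def set_wlan_default(self, wlan_id: int, target: InterfaceGroup) -> None:
        self.wlan_default[wlan_id] = target

    def client_joins(self, wlan_id: int, foreign_mac: str, client_mac: str) -> str:
        """Address the anchor gives a client arriving via the foreign WLC `foreign_mac`."""
        target = self.foreign_map.get((wlan_id, foreign_mac.lower()), self.wlan_default.get(wlan_id))
        if target is None:
            raise LookupError(f"WLAN {wlan_id}: no foreign-map entry for {foreign_mac} and no default")
        previous = self.clients.get(client_mac)
        if previous and previous[0] == target.name:
            return previous[2]       # roam between foreign WLCs mapped to the same target: IP kept
        iface = target.next_interface()
        ip = target.lease(iface)
        self.clients[client_mac] = (target.name, iface, ip)
        return ip


if __name__ == "__main__":
    east = InterfaceGroup("east-guest", {"guest-1": "192.0.2.0/26", "guest-2": "192.0.2.64/26"})
    west = single_interface("west-guest", "198.51.100.0/24")
    anchor = AnchorWlc()
    anchor.add_foreign_map(5, "00:11:22:33:44:01", east)   # two foreign WLCs of one campus
    anchor.add_foreign_map(5, "00:11:22:33:44:02", east)
    anchor.add_foreign_map(5, "00:11:22:33:44:03", west)   # a foreign WLC at another site
    print(anchor.client_joins(5, "00:11:22:33:44:01", "aa:bb:cc:00:00:01"))
    print(anchor.client_joins(5, "00:11:22:33:44:02", "aa:bb:cc:00:00:01"))   # same address
    print(anchor.client_joins(5, "00:11:22:33:44:03", "aa:bb:cc:00:00:01"))   # new address
```

The model makes the operational consequence visible: two foreign WLCs that should let a guest roam without an address change must map to the same interface group on the anchor, and the per-site subnet choice (which is what the foreign-map is for) is decided by the foreign WLC's MAC, so a firewall rule on the DMZ side keyed to the guest subnet is effectively keyed to the originating site.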


Deploying the Cisco Unified Wireless Architecture
§  Controller Redundancy and AP Load Balancing
§  Understanding AP Groups
§  IPv6 Deployment with Controllers
§  Branch Office Designs
§  Guest Access Deployment
§  Home Office Designs


Home Office Design
§  Cisco controller installed in the DMZ of the corporate network
§  OfficeExtend AP (OEAP) installed at teleworker’s home
§  Corporate access to employee over centrally configured SSID
§  Internet access over a locally configured SSID
Figure: OEAP AP at the teleworker’s home reaching WLC 5508/WiSM-2, e-mail and WCS at headquarters over Internet VPN (headquarters WAN shown as MPLS / ATM / Frame Relay); family devices use the local SSID


OEAP 600
§  802.11n AP with dual concurrent 2.4GHz and 5GHz radios for teleworker home
§  4 local Ethernet ports
§  1 corporate-bound port, 3 for local Ethernet devices
§  Up to 4 clients behind the corporate port
§  Corporate SSID and user-configurable Personal SSID
§  Traffic segmenting supported (corporate vs. personal traffic)
§  Local DHCP and NAT support
§  Control and data plane encryption


OEAP 600
§  802.1X and MAC filtering support
§  Can be pre-provisioned by IT (batch setup, zero touch for end user) or locally provisioned by end user
§  Easy GUI setup with Corporate SSID ready in minutes
§  Desktop (horizontal) or cradle (vertical) orientation
§  Supported by all WLC 5508, 2500 and WiSM2 platforms and WCS
§  Hardware Limited Lifetime Warranty


User Configuration – Easy Setup
Two setup options available: 1) Zero Touch (IT staged) or 2) User Configured (controller IP address entry)
Figure: OEAP setup screen where the controller’s Internet routable IP address is entered


Sample Screen Shots
Login
§  Default DHCP scope of the OEAP is 10.0.0.X, so browse to https://10.0.0.1 to get the admin page of the OEAP on port 1, 2 or 3


Home Office Design
Simplified Head-End VPN

Cisco Virtual Office Express Architecture
§  Simplified head-end VPN design
§  Cisco enhanced easy VPN with advanced QoS integration provides secure transport, facilitating voice and video applications (with option of per SA QoS)
§  Multiple options for head-end to allow for large concentration of sites and with high throughput
§  Remote site presence: Cisco 870, 880, 890, or 1800 series ISR and Cisco Unified IP phones 7900 series
§  Head-end presence: 2800, 3800, 7200, or ASR series
§  Headend (optional): wireless LAN controller, WCS, configuration engine
Figure: SOHO with Cisco 800 or 1800 spoke routers; head-end with Cisco ISR (2800/3800) or Cisco 7206 VXR with VSA or WLC; corporate network behind the head-end

Cisco Unified Wireless Network
Unified Outdoor/Indoor Access
Flexible, Resilient, Scalable Architecture
Figure: end-to-end architecture
  Access network: highly distributed design with 3750G Unified WLC; enterprise Hybrid REAP
  Distribution network: distributed WLC design with 440x, 5508 WLC, WiSM Unified WLC
  Network core or data center: centralized WLC design with 440x, 5508 WLC, WiSM Unified WLC
  Branch office: Unified WLC options 5508, 440x, 210x; 3750G Unified WLC; WLCM module; Hybrid REAP; standalone AP
  Teleworker/SOHO: OfficeExtend AP over the Internet
  DMZ: guest controller 440x, 5508 WLC
  Unified management: Wireless Control System; services platform: Mobility Services Engine

Summary – Key Takeaways
§  Take advantage of the standards (CAPWAP, DTLS, 802.11 i, e, k, r…)
§  Wide range of architecture / design choices
§  Brand new controller (WiSM-2, WLC 7500, WLC 2504) portfolio with investment protection
§  Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
§  Cisco’s investment into technology – NCS, ISE, new hardware, cloud controller, CiUS


Documentation
§  Aironet 600 Series OEAP Access Point Configuration Guide
  http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml

§  Wireless Services Module 2 (WiSM2) Deployment Guide
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml

§  Flex 7500 Deployment Guide
  http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

§  Wireless LAN (WLAN) Configuration Examples and TechNotes
  http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

§  H-REAP Deployment Guide
  http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml

§  VLAN Select Deployment Guide
  http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml


Complete Your Online Session Evaluation
§  Receive 25 Cisco Preferred Access points for each session evaluation you complete.
§  Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.
§  Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
§  Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.


Visit the Cisco Store for Related Titles http://theciscostores.com


Thank you.
