WIRELESS NETWORKING UPDATE

Joe Young, Systems Engineer

© 2005 Cisco Systems, Inc. All rights reserved.

Cisco Wireless LAN Product Portfolio
Two Solutions Today Merging into a Single System

Plane         | Today's Distributed Solution                                                        | Today's Lightweight Solution
Management    | CiscoWorks WLSE, CiscoWorks WLSE Express                                            | Cisco Wireless Control System (WCS)
Control       | Catalyst 6500 Series WLSM                                                          | Cisco 2000 WLAN Controller, Cisco 4400 WLAN Controller
Access        | Cisco 1100, 1130, 1200, 1230, 1300 Access Points (today autonomous, future hybrid) | Cisco 1000 Access Point (today and future lightweight, LWAPP)
Applications  | Cisco Compatible Client Devices (both solutions)

Cisco Airespace Centralized WLAN Solution

Basic Concept

(figure: the Cisco Wireless Control System (WCS) WLAN management system manages the WLAN controller; lightweight access points reach the controller through an L2/L3 Ethernet switch)

Cisco Delivers Dynamic, Resilient RF Management
Self Configuration, Self Optimization, Self Healing

Management Plane: Cisco Wireless Control System (WCS)

Radio Resource Management Control Plane (one RF domain):
- Mobility Management
- User Load Management
- Interference Detection / Avoidance
- Rogue Detection / Containment
- Automatic Channel Management
- Transmit Power / Coverage Hole Management

Data Plane: Airespace hardware layer (4400, 4100 and 2006 controllers; 1030 and 1010 access points)

Solving the Wireless, Security and Management Problem
- Easiest to deploy and operate: best WLAN management tools on the market (from planning to operations); real-time RF management
- Proven security for any enterprise environment: wireless intrusion prevention; real-time WLAN protection
- Best-in-class performance: designed for converged voice and data applications
- Integrated, accurate location tracking
- Designed for heterogeneous environments: lots of different clients

LWAPP - Splitting the Functions

Airespace switch/appliance (the controller): security policies, QoS policies, RF management, mobility management
Switched/routed network between the controller and the access points
Access points: the remote RF interface

IETF's LWAPP spec can be found at: http://www.airespace.com/html/lwapp.txt

LWAPP
- Discovery: prime the AP; subnet broadcast; over the air; DHCP (option 43)
- Join: jumbo frames supported? No. Large packets are fragmented into a big (1500-byte) fragment and a small fragment, both LWAPP encapsulated. This is why the AP-manager interface is a separate IP address from the management interface.
- Reliable link established: authenticated key exchange using X.509 certificates; control traffic is encrypted using AES-CCM; data traffic is LWAPP encapsulated but not encrypted by LWAPP, so the wired path between access point and controller has to be trusted like any other wired segment carrying user frames.
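The DHCP option 43 discovery step above is the one that is easiest to get wrong in a real deployment, so here is an added example (not code from the deck or from Cisco) that builds the option 43 value a DHCP server hands to a lightweight AP and parses it back the way an AP would. It assumes the sub-option layout Cisco documents for lightweight APs: sub-option type 0xF1, one length byte equal to 4 times the number of controllers, then each controller management IPv4 address as four bytes; the addresses are constructed.

```python
"""
DHCP option 43 for LWAPP controller discovery: build the value a DHCP
server hands to a lightweight AP, and parse it back the way an AP would.

Added example, not code from the slide deck or from Cisco. It assumes the
sub-option layout Cisco documents for lightweight APs: sub-option type 0xF1,
one length byte (4 * number of controllers), then each controller
management IPv4 address as four bytes. Addresses below are constructed.
"""
import ipaddress

LWAPP_CONTROLLER_SUBOPTION = 0xF1   # sub-option carrying the controller address list


def build_option43(controllers):
    """Return the raw option 43 value listing the given controller addresses."""
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not payload or len(payload) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([LWAPP_CONTROLLER_SUBOPTION, len(payload)]) + payload


def to_ios_hex(raw):
    """Render the raw value in the dotted-hex form IOS takes after 'option 43 hex'."""
    hx = raw.hex()
    return ".".join(hx[i:i + 4] for i in range(0, len(hx), 4))


def parse_option43(raw):
    """Parse a raw option 43 value into controller address strings.

    Every TLV in the value is walked, only sub-option 0xF1 is trusted, and a
    malformed value is rejected outright rather than partially accepted: an AP
    that joins the wrong controller tunnels all of its client traffic there.
    """
    controllers = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        sub_type, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past the end of the option")
        if sub_type == LWAPP_CONTROLLER_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("controller list must be a non-empty multiple of 4 bytes")
            controllers.extend(str(ipaddress.IPv4Address(value[j:j + 4]))
                               for j in range(0, length, 4))
        i += 2 + length
    return controllers


if __name__ == "__main__":
    raw = build_option43(["192.0.2.10", "192.0.2.20"])   # constructed controller addresses
    print("option 43 hex:", to_ios_hex(raw))
    print("controllers:  ", parse_option43(raw))
```

A single controller at 10.10.10.10 comes out as `f104.0a0a.0a0a`, which is the form that goes after `option 43 hex` in an IOS DHCP pool. Note that a DHCP offer is not authenticated: anything that can answer DHCP on the AP's subnet can hand out an option 43 pointing at a controller of its choosing. The certificate-authenticated key exchange at join time is what stops the AP from trusting such a controller, but DHCP snooping on the access switches is still worth having so the AP never talks to it in the first place.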

No Single Point of Failure

WLAN Controller Redundancy
(figure: Cisco access points with a primary and a backup Cisco WLAN controller)
- APs retain channel and power settings in memory as long as they stay powered
- Automatic self healing
- NOTE - no management system required

AP Redundancy
(figure: Cisco WLAN controller, Ethernet switch and Cisco access points)

Real-Time RF Management
Dynamic Channel Assignment, Dynamic Power Optimization
(figure: access points on RF channels "1", "2" and "3")

Neighbor messages carry the controller IP / mobility group and the operating channel; they are sent at full power and are authenticated.

This allows the system to:
- avoid interference / improve performance
- eliminate coverage holes
- optimize the coverage area

Real-time Configuration Management
Minimize the Impact of Noise and Interference
(figure: APs on channels 1, 6 and 11 with an interference source on channel 11)

Better Network Performance
Dynamic Load Sharing: solving performance and capacity problems in high density areas (e.g. conference rooms, cafeteria)

Mobility/RF Groups
(figure: controllers A and B, both in mobility group "Berkley"; each holds a mobility table listing ipaddrA / MAC A and ipaddrB / MAC B)
- APs on different controllers can't hear each other
- No RF grouping
- Building-to-building roaming supported if the client meets the session timeout value

Mobility/RF Groups (2)
(figure: the same two controllers; APs on controller A now hear neighbor messages from APs on controller B)
- APs on different controllers hear neighbor messages at -80 dBm or stronger
- Group the RF domains
- Channel and power will be computed as a group
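The channel-assignment and RF-group slides above describe the inputs (authenticated neighbor messages with controller, channel and received strength; a -80 dBm threshold for joining RF domains; measured interference) but not a procedure. The following is an added example written for this page, not Cisco's RRM algorithm and not code from the deck: a toy greedy channel plan that builds the RF domain from neighbor reports, ignores neighbors heard below the threshold, and keeps strong neighbors and measured interference off an AP's channel. The threshold, channel set and every measurement are constructed.

```python
"""
Toy dynamic channel assignment driven by neighbor messages, in the spirit
of the RRM and RF-group slides: each AP reports which neighbors it heard and
how strongly, neighbors heard at or above the RF-group threshold belong to
the same RF domain, and channels are chosen so that strong neighbors and
measured external interference are kept off an AP's channel.

Added example: it is not Cisco's RRM algorithm and not code from the deck.
The -80 dBm threshold, the channel set and every measurement are constructed.
"""

RF_GROUP_THRESHOLD_DBM = -80   # neighbor messages heard weaker than this are ignored
CHANNELS = (1, 6, 11)          # non-overlapping 2.4 GHz channels


def build_rf_domain(neighbor_reports, threshold=RF_GROUP_THRESHOLD_DBM):
    """Merge one-directional reports {ap: {neighbor: rssi_dbm}} into a symmetric
    neighbor graph, keeping the strongest reading per pair and dropping pairs
    heard below the threshold (they stay outside the RF group)."""
    graph = {ap: {} for ap in neighbor_reports}
    for ap, heard in neighbor_reports.items():
        for nbr, rssi in heard.items():
            if rssi < threshold:
                continue
            graph.setdefault(nbr, {})
            best = max(rssi, graph[ap].get(nbr, rssi))
            graph[ap][nbr] = best
            graph[nbr][ap] = best
    return graph


def assign_channels(graph, interference=None, channels=CHANNELS,
                    threshold=RF_GROUP_THRESHOLD_DBM):
    """Greedy plan: most-connected APs choose first; each AP takes the channel
    with the lowest cost, where cost counts how many dB above the threshold each
    already-placed same-channel neighbor, plus any external interferer measured
    on that channel at this AP, is heard. Ties go to the lowest channel number."""
    interference = interference or {}
    plan = {}
    for ap in sorted(graph, key=lambda a: (-len(graph[a]), a)):
        def cost(ch):
            total = sum(rssi - threshold
                        for nbr, rssi in graph[ap].items() if plan.get(nbr) == ch)
            noise = interference.get(ap, {}).get(ch)
            if noise is not None and noise >= threshold:
                total += noise - threshold
            return total
        plan[ap] = min(channels, key=lambda ch: (cost(ch), ch))
    return plan


def co_channel_neighbors(graph, plan):
    """Neighbor pairs still sharing a channel; non-empty when the deployment is
    denser than three non-overlapping channels can separate."""
    return sorted({tuple(sorted((a, b)))
                   for a in graph for b in graph[a] if plan[a] == plan[b]})


# Constructed sample: A, B and C hear each other strongly; D is only C's
# neighbor; E is heard by D below the threshold and stays out of the group.
SAMPLE_REPORTS = {
    "A": {"B": -60, "C": -62},
    "B": {"A": -61, "C": -58},
    "C": {"A": -63, "B": -59, "D": -65},
    "D": {"C": -66, "E": -85},
    "E": {"D": -86},
}
# Constructed: D measures a non-802.11 interferer on channel 6 at -70 dBm.
SAMPLE_INTERFERENCE = {"D": {6: -70}}


def plan_sample():
    """Channel plans for the sample, without and with the interferer."""
    graph = build_rf_domain(SAMPLE_REPORTS)
    return assign_channels(graph), assign_channels(graph, SAMPLE_INTERFERENCE)
```

Because the plan is computed purely from what APs report hearing, the "authenticated" property of the neighbor messages is not decoration: forged neighbor messages claiming strong co-channel neighbors would push every AP in the group onto the channels an attacker chooses.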

Inter-switch Mobility (L2)
(figure: client roams between APs on controllers A and B)
- Transparent to client
- Same DHCP address maintained

Inter-switch Mobility with Anchor and Foreign Controllers
(figure: controller A is the anchor, controller B the foreign controller, with an IP/IP tunnel between them)
- Mobility announce (groupcast)
- Anchor transfer with the client IP address staying the same
- Client traffic sent to the anchor and passed through the tunnel to the foreign controller
- Special handling for ARPs, etc.

AP Groups/Site Specific VLANs

LWAPP Access Points

Features
- Industry's best range and throughput
- Enterprise class security
- Many configuration options
- Simultaneous air monitoring and traffic delivery
- Wide area networking for outdoor areas

Indoor Access Points: 1130AG, 1000, 1121BG
Indoor Rugged Access Points: 1240AG, 1230AG
Outdoor Access Points/Bridges: 1500, 1400, 1300

Benefits
- Zero touch management
- No dedicated air monitors
- Supports all deployment scenarios (indoor and outdoor)
- From secure coverage to advanced services

Lightweight APs
Cisco Lightweight Access Points
- LWAPP enabled (zero touch configuration)
- No serial port on the 1000 series
- What is stored in NVRAM? Primary, secondary and tertiary controller addresses; antenna configuration
- Real-time RF monitoring: all channels scanned while offering service; can scan country channels only or all channels
- During a scan all 802.11 packets are collected, characterized as rogue beacons, rogue clients or 802.11 interference, and matched against IDS signatures

Wireless LAN Controllers

Network Unification Features
- Enterprise scalability and reliability
- Real-time RF management
- Multi-layered security
- Mobility management
- Standalone and integrated options

Standalone appliances: 4400, 2000
Catalyst 6500 Series Wireless Services Module (WiSM)
Switch and router platforms: Integrated Services Routers WLCM; Catalyst 3750G Integrated WLC Switch

Benefits
- Up to 1500 APs per Catalyst 6K chassis
- Cost effective solution for main, branch and remote campuses as well as SMB
- Ideal for data, voice and video
- Wired and wireless integration

Rogue Policies
- Determine whether the rogue is on the network: RLDP (Rogue Location Discovery Protocol)
- Rogue Collector
- Auto contain if the AP doesn't meet the AP policy
- Validate rogue clients against AAA

Rogue Location Discovery Protocol (RLDP)
(figure: a managed AP connects to the detected rogue AP, obtains an IP address from it via DHCP, and uses that connection to determine whether the rogue is on the network)

Rogue Collector
(figure: Airespace APs in service-and-monitoring mode detect the rogue AP and its rogue client; the rogue collector AP is trunked into the wired network and offers no RF service)
- The rogue detector compares rogue client MACs to the rogue table

A Complete Solution for Handling Rogues
1. Detect rogue AP (generate alarm)
2. Assess rogue AP (identity, location, ...)
3. Contain rogue AP
4. View historical report

- Can be automated
- Multiple rogues contained simultaneously
- ACS validates that no valid clients are associated to the rogue
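The rogue policy, rogue collector and detect/assess/contain slides above describe the decision inputs; this added example (not code from the deck or from Cisco) runs that decision over constructed data. Over-the-air detections are matched against the managed BSSID list, the rogue collector's view of the trunked wired segment decides "on network", and the AAA client list flags rogues that have captured our own authenticated clients. The action names, the "contain if it uses our SSID" rule and the -70 dBm assess threshold are constructed policy choices, not the controller's.

```python
"""
Rogue classification along the lines of the rogue slides: over-the-air
detections from monitoring APs are matched against the list of managed
BSSIDs, the rogue collector's view of the wired segment tells us whether a
rogue is on our network, and the AAA client list tells us whether any of
our own authenticated clients have attached to it.

Added example, not code from the slide deck or from Cisco; the inputs, the
policy thresholds and the action names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class RogueVerdict:
    bssid: str
    ssid: str
    best_rssi: int            # strongest detection, in dBm
    clients: list             # client MACs seen associated to the rogue
    on_network: bool          # rogue collector saw its clients on the wired side
    corporate_clients: list   # rogue clients that AAA knows as our own devices
    action: str               # "contain", "assess" or "alert"


def _mac(m):
    return m.strip().lower()


def classify_rogues(air_reports, managed_bssids, wired_macs, aaa_known_clients,
                    corporate_ssids, assess_rssi=-70):
    """Collapse per-AP air reports into one verdict per rogue BSSID."""
    managed = {_mac(b) for b in managed_bssids}
    wired = {_mac(m) for m in wired_macs}
    known = {_mac(m) for m in aaa_known_clients}

    rogues = {}
    for rep in air_reports:
        bssid = _mac(rep["bssid"])
        if bssid in managed:
            continue                      # one of our own APs, not a rogue
        entry = rogues.setdefault(
            bssid, {"ssid": rep["ssid"], "rssi": rep["rssi"], "clients": set()})
        entry["rssi"] = max(entry["rssi"], rep["rssi"])
        entry["clients"].update(_mac(c) for c in rep.get("clients", ()))

    verdicts = []
    for bssid, e in sorted(rogues.items()):
        # Rogue collector check: a rogue client MAC (or the BSSID itself)
        # showing up on the trunked wired port means the rogue is plugged in.
        on_network = bssid in wired or bool(e["clients"] & wired)
        corporate = sorted(e["clients"] & known)
        if on_network or e["ssid"] in corporate_ssids or corporate:
            action = "contain"   # on our wire, impersonating our SSID, or holding our clients
        elif e["rssi"] >= assess_rssi:
            action = "assess"    # strong but apparently off-network: locate and identify first
        else:
            action = "alert"     # weak neighbour, record it
        verdicts.append(RogueVerdict(bssid, e["ssid"], e["rssi"], sorted(e["clients"]),
                                     on_network, corporate, action))
    return verdicts


# Constructed sample inputs.
MANAGED_BSSIDS = {"00:0b:85:aa:aa:a0"}
AIR_REPORTS = [
    {"bssid": "00:0b:85:aa:aa:a0", "ssid": "corp", "rssi": -50, "clients": ["00:aa:bb:cc:dd:09"]},
    {"bssid": "00:11:22:33:44:55", "ssid": "linksys", "rssi": -62, "clients": ["00:aa:bb:cc:dd:01"]},
    {"bssid": "00:11:22:33:44:55", "ssid": "linksys", "rssi": -75, "clients": ["00:aa:bb:cc:dd:02"]},
    {"bssid": "00:1a:2b:3c:4d:5e", "ssid": "corp", "rssi": -85, "clients": []},
    {"bssid": "00:de:ad:be:ef:00", "ssid": "cafe-guest", "rssi": -88, "clients": []},
]
WIRED_MACS = {"00:aa:bb:cc:dd:02"}        # seen by the rogue collector's trunk port
AAA_KNOWN_CLIENTS = {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:09"}
CORPORATE_SSIDS = {"corp"}


def run_sample():
    return classify_rogues(AIR_REPORTS, MANAGED_BSSIDS, WIRED_MACS,
                           AAA_KNOWN_CLIENTS, CORPORATE_SSIDS)
```

The wired MAC match is the load-bearing check: a neighbouring business's AP heard at -62 dBm is only an alarm, but the same AP with one of its clients visible on our trunk is a hole in the wired perimeter and is contained, and a rogue that has one of our AAA-known devices attached is treated the same way even if nothing has been seen on the wire yet.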

Real-Time Intrusion Protection (IPS)
- Signature library: flat file, easy to update
- Airespace resources dedicated to maintaining library updates (future)
- No WLAN down-time
- No separate air monitors required

Peer to Peer Blocking Mode
(figure: wireless clients on an Airespace AP reach the servers behind the Airespace switch, but traffic between the wireless clients themselves is blocked)

Identity Networking
(figure: user maria, group Marketing, ACL Corp_1, QoS Gold)
- User traffic is carried to the WLC via LWAPP
- Single SSID
- The controller uses a RADIUS server to determine the user's identity; this information is used for QoS and security policies

Cisco Wireless Control System (WCS)
Best-in-Class WLAN Systems Management
- WLAN planning and design
- Easy to use configuration templates: point and click security and QoS assignments
- Graphical heat maps
- Device tracking and mapping
- Detailed alarms and reporting tools

Built-in WLAN Planning/Monitoring
- Accurate RF prediction: AP placement, performance analysis
- Detailed heat maps for easy analysis

Location Tracking Services
- 1st integrated location solution
- Real-time location services: asset tracking; rogue AP and device location; E911 services
- Advanced RF fingerprinting for greater accuracy
- Simultaneous real-time tracking of 10,000+ devices
- API for third party applications
- RF capacity management
- Intuitive management GUI

Cisco 2700 Series Wireless Location Appliance

Guest Access Control
Cisco WLAN Controller Deployments
- The LWAPP tunnel is a layer 2 tunnel (it encapsulates the original Ethernet frame)
- The same LWAPP tunnel is used for the data traffic of different SSIDs
- Control and data traffic are tunneled to the controller via LWAPP: data uses UDP 12222, control uses UDP 12223
- Data traffic is bridged on a unique VLAN corresponding to each SSID
- The traffic isolation provided by VLANs holds only up to the switch where the controller is connected

(figure: WiSM / WLAN controller at the campus core; LWAPP tunnels from the access points; wireless VLANs Guest and Emp extended from the controller into the switched network)

Path Isolation
WLAN Controller Deployments with EoIP Tunnel
- Use of EoIP tunnels to logically segment and transport the guest traffic between edge and anchor controllers
- Other traffic (employee, for example) is still locally bridged on the corresponding VLAN
- No need to define the guest VLANs on the switches connected to the edge controllers
- The guest's original Ethernet frame is maintained across the LWAPP and EoIP tunnels
- EoIP supported across all WLAN controllers
- The 2006 model can't terminate EoIP connections (no anchor role)

(figure: guest WLAN controller as anchor facing the Internet; an EtherIP "Guest Tunnel" from each edge controller across the campus core; employee VLANs bridged locally; wireless VLANs Guest and Emp)
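The path-isolation slides above say the guest's Ethernet frame travels unchanged inside the EoIP tunnel to the anchor. The following added example (not code from the deck or from Cisco) shows what that means on the wire and what the anchor must check before bridging. It follows the EtherIP encapsulation of RFC 3378 (IP protocol 97, a 16-bit header whose top four bits hold version 3 and whose remaining twelve bits are reserved zero, then the complete Ethernet frame). The foreign-peer address, the guest VLAN number and the sample frames are constructed.

```python
"""
Guest-path isolation over an EtherIP ("EoIP") tunnel between an edge
controller and the guest anchor controller.

Added example, not code from the slide deck or from Cisco. The framing is
the EtherIP encapsulation of RFC 3378: IP protocol 97 and a 16-bit header
whose top four bits hold version 3 and whose remaining twelve bits are
reserved zero, followed by the complete Ethernet frame. The foreign-peer
list, the guest VLAN number and the sample frames are constructed.
"""
import struct

ETHERIP_PROTO = 97
ETHERIP_VERSION = 3
ETHERTYPE_VLAN = 0x8100


def etherip_encap(eth_frame):
    """Edge side: wrap the guest's Ethernet frame, unchanged, in an EtherIP header."""
    return struct.pack("!H", ETHERIP_VERSION << 12) + eth_frame


def etherip_decap(payload):
    """Anchor side: validate and strip the EtherIP header, returning the inner frame."""
    if len(payload) < 2 + 14:                 # header plus a minimal Ethernet header
        raise ValueError("EtherIP payload too short")
    (hdr,) = struct.unpack("!H", payload[:2])
    if hdr >> 12 != ETHERIP_VERSION:
        raise ValueError("unsupported EtherIP version")
    if hdr & 0x0FFF:
        raise ValueError("reserved EtherIP bits set")
    return payload[2:]


def vlan_id(eth_frame):
    """802.1Q VLAN id of a tagged frame, or None if the frame is untagged."""
    (ethertype,) = struct.unpack("!H", eth_frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return None
    (tci,) = struct.unpack("!H", eth_frame[14:16])
    return tci & 0x0FFF


def anchor_accept(src_ip, ip_proto, payload, foreign_peers, guest_vlan):
    """Decide whether the anchor bridges one tunnelled packet onto the guest VLAN.

    EtherIP itself carries no authentication, so the anchor only accepts
    protocol 97 from configured foreign controllers, and it never lets a
    frame that arrives pre-tagged for some other VLAN escape the guest VLAN.
    Returns (accepted, reason).
    """
    if ip_proto != ETHERIP_PROTO:
        return False, "not EtherIP"
    if src_ip not in foreign_peers:
        return False, "tunnel source is not a configured foreign controller"
    try:
        frame = etherip_decap(payload)
    except ValueError as exc:
        return False, str(exc)
    vid = vlan_id(frame)
    if vid is not None and vid != guest_vlan:
        return False, f"frame tagged for VLAN {vid}, not guest VLAN {guest_vlan}"
    return True, f"bridged onto guest VLAN {guest_vlan}"


def build_frame(dst_hex, src_hex, ethertype, body, vid=None):
    """Constructed Ethernet frame (optionally 802.1Q tagged) for the sample."""
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid)
    return hdr + struct.pack("!H", ethertype) + body


FOREIGN_PEERS = {"10.1.1.2"}   # constructed edge-controller address allowed to tunnel to us
GUEST_VLAN = 900               # constructed guest VLAN on the anchor
```

The peer check is the part that matters for isolation: because EtherIP has no authentication of its own, anything that can send IP protocol 97 to the anchor's address could otherwise inject arbitrary Ethernet frames onto the guest VLAN. Restrict protocol 97 at the anchor (and on the path to it) to the configured foreign controllers, and keep the anchor in a DMZ so that even a frame that does get through lands only on the guest network.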

Controller Guest Access Components Overview
1. Back-end segmentation (mobility anchor): separate the guest traffic from the corporate internal traffic via EoIP tunnels
2. Lobby ambassador/host portal: guest user creation and token generation
3. Web portal, internal or external: customizable guest screen; fully customizable guest login screen
4. Back-end authentication: local user database; external AAA authentication capable

(figure: WCS; anchor controller at the Internet edge; EtherIP "Guest Tunnel" across the campus core; employee VLANs bridged locally; wireless VLANs Guest and Emp)

New Guest Features in WLAN Controller
- Lobby Ambassador account role in WCS for guest user credential creation, monitoring and deletion: guest user-ids and passwords auto-generated or manually defined; guest user accounts manageable via SNMP
- Fully customizable login screen downloadable to the controller: the image file replaces the original web authentication page on the controller; TFTP download of a 1 MB tar file for the web page

Lobby Ambassador Feature in WCS
- Lobby Ambassador (LA) role created which only allows access to the Lobby Administrator screen in WCS
- Runs on controller and WCS
- Traps sent to notify when a guest user account expires

(figure: WCS; guest and employee wireless VLANs across the campus core; LWAPP tunnels from the access points)

Add a "guest" user on the WLC
- Guest User List > New

Web Portal - Internal to WLC
- Internal web login page in WLC
(figure: guest client, WLC with the internal login page, campus core, Internet)

Web Portal - External Web Server
- Web portal in an external web server
(figure: guest client, WLC, external web server, campus core, Internet)

Web Login Page On the Client
- Wireless guest user associates to the guest SSID
- Initiates a browser connection to any website
- The web login page is displayed
(figure: guest wireless client, WLC, WCS, campus core, Internet)

Configuring Customized WebAuth in WCS
- Download the sample file and upload a customized web page in WCS
(figure: WCS, WLC, guest wireless client, campus core, Internet)

Thank You