
Design and Deployment of Enterprise WLANs

BRKEWN-2010
Sujit Ghosh, CCIE #7204
Manager, Technical Marketing, Wireless Networking Business Unit

2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

- Controller-Based Architecture Overview
- Mobility in the Cisco Unified WLAN Architecture
- Architecture Building Blocks
- Deploying the Cisco Unified Wireless Architecture


Centralized Wireless LAN Architecture


What Is CAPWAP?

- CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between APs and the WLAN controller; it is based on LWAPP
- CAPWAP carries both control and data traffic between the two
- The control plane is DTLS encrypted
- Data plane DTLS encryption is optional
- LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
- CAPWAP is not supported in Layer 2 mode deployments

[Figure: Wi-Fi client - Access Point - CAPWAP tunnel (control plane and data plane) - Controller - Business Application]

CAPWAP Modes: Split MAC

- The CAPWAP protocol supports two modes of operation:
  - Split MAC (centralized mode)
  - Local MAC (H-REAP or FlexConnect)

[Figure: Split MAC - the wireless frame (wireless PHY and MAC sublayer) travels from the STA to the WTP, is carried over the CAPWAP data plane to the AC, and leaves the AC as an 802.3 frame]

CAPWAP Modes: Local MAC

- Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames

[Figure: Local MAC, tunneled as 802.3 frames - the wireless frame is terminated at the WTP and forwarded as an 802.3 frame over the CAPWAP data plane to the AC]

- Tunneled local MAC is not supported by Cisco
- H-REAP/FlexConnect support locally bridged MAC and split MAC per SSID

CAPWAP State Machine

AP boots up -> Discovery -> DTLS Setup -> Join -> Image Data -> Config -> Run (a Reset returns the AP to Discovery)

AP Controller Discovery

Controller Discovery Order
1. Layer 2 join procedure, attempted on LWAPP APs only (CAPWAP does not support Layer 2 APs): a broadcast message is sent to discover a controller on the local subnet
2. Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails, using:
   - Previously learned or primed controllers
   - Subnet broadcast
   - DHCP option 43
   - DNS lookup

Efficient CAPWAP Operation: Best Practices

- Define the wireless access point device DHCP scopes:
  - Default router IP address for the access point scope
  - Helper address (forwarding UDP 5246 to the WLC's management interface)
  - Domain name
  - Appropriate DHCP lease timer for APs
- Pool sizes for WLAN devices in accordance with the different types of sites
- If NAT is used, static 1-to-1 NAT to an outside address is recommended
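The DHCP option 43 value named in the discovery order and implied by these scope best practices has a fixed Cisco layout, and a mistyped value is a common reason APs never find a controller. The following Python is added here as an example; it is not code from the deck or from Cisco. It builds the IOS `option 43 hex` string for a list of WLC management addresses (vendor sub-option 241 = 0xf1, one byte of length, then 4 bytes per controller) and parses one back, rejecting malformed values. The controller addresses used are constructed sample values.

```python
"""Build and parse the Cisco AP DHCP option 43 value for WLC discovery.

Added example (not from the BRKEWN-2010 deck): Cisco lightweight APs accept
a vendor-specific sub-option 241 (0xf1) whose payload is the concatenated
IPv4 management addresses of the controllers the AP should try. All
controller addresses used below are constructed sample values.
"""
import ipaddress

SUBOPTION_WLC = 0xF1  # Cisco sub-option type carrying WLC IPv4 addresses


def build_option43(controllers):
    """Return the option 43 value as IOS 'option 43 hex' dotted-hex text.

    Layout: type (0xf1), length (4 bytes per controller), then each
    controller's IPv4 address in network byte order.
    """
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:  # the DHCP option length field is one byte
        raise ValueError("too many controllers for a single sub-option")
    raw = bytes([SUBOPTION_WLC, len(payload)]) + payload
    hexstr = raw.hex()
    # IOS accepts the value as groups of four hex digits separated by dots
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def parse_option43(dotted_hex):
    """Decode a dotted-hex value back to the list of controller addresses.

    Rejects anything that is not a single well-formed sub-option 241, so a
    mis-typed scope entry is caught before APs fail to find a controller.
    """
    raw = bytes.fromhex(dotted_hex.replace(".", ""))
    if len(raw) < 2 or raw[0] != SUBOPTION_WLC:
        raise ValueError("not a Cisco WLC sub-option (type 0xf1)")
    length = raw[1]
    payload = raw[2:]
    if length == 0 or length != len(payload) or length % 4 != 0:
        raise ValueError("sub-option length does not match an IPv4 address list")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    # Constructed sample: two controllers, printed in the form IOS expects
    value = build_option43(["10.126.126.2", "10.127.127.2"])
    print("option 43 hex", value)
    print(parse_option43(value))
```

The parser is the useful half for a reviewer: run it over the scope definitions exported from a DHCP server and any entry that does not decode to the intended WLC list is a discovery failure waiting to happen.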


Sample Port Configuration

Controller Port
  interface GigabitEthernet<port>
   description <WLC name>
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan <vlan-list>
   switchport mode trunk
   switchport nonegotiate
   mls qos trust cos
   spanning-tree portfast trunk

AP Port Configuration
  ip forward-protocol udp 5246
  interface vlan <SVC>
   ip helper-address <WLC1managementInterface>
   ip helper-address <WLC2managementInterface>

6.0, 7.0, 7.1, 7.2? Which Version Should I Use?

- WLC 5508 supports 6.0, 7.0, 7.1 and 7.2
- WLC 7500, WiSM-2 and WLC 2504 are only supported from 7.0 onwards
- 6.0.202 is the latest MD (maintenance deployment) release
- 7.0.220 will be tested for AssureWave (Blue Ribbon)
- 7.1.91 or 7.2 (preferred) is needed for the AP3600


Mobility Defined

- Mobility is a key reason for wireless networks
- Mobility means the end-user device is capable of moving location in the networked environment
- Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it's mobile!
- Mobility presents new challenges:
  - Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
  - Need to support client roaming that is seamless (fast) and preserves security

Scaling the Architecture with Mobility Groups

- A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
- APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
- Mobility messages are exchanged between controllers
- Data is tunneled between controllers in EtherIP (RFC 3378)
- Support for up to 24 controllers, 3600 APs per mobility group

[Figure: three controllers in Mobility Group "MyMobilityGroup", exchanging mobility messages and connected by Ethernet-in-IP tunnels.
Controller-A, MAC AA:AA:AA:AA:AA:01, neighbors: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03).
Controller-B, MAC AA:AA:AA:AA:AA:02, neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03).
Controller-C, MAC AA:AA:AA:AA:AA:03, neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02).]
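The slide states that client data between mobility-group peers is tunneled in EtherIP (RFC 3378). As an added illustration, not code from the deck or from Cisco, the following Python encapsulates and decapsulates an Ethernet frame in the RFC 3378 header (a 16-bit header whose top 4 bits carry version 3 and whose remaining 12 bits are reserved and must be zero; the packet is carried as IP protocol 97) and applies the validation a tunnel endpoint, or a decoder watching inter-controller traffic, should apply. The sample Ethernet frame is constructed for the demonstration.

```python
"""EtherIP (RFC 3378) framing as used for inter-controller data tunnels.

Added example (not from the BRKEWN-2010 deck): RFC 3378 puts a 16-bit header
in front of the bridged Ethernet frame. The top 4 bits hold the version (3),
the remaining 12 bits are reserved and must be zero, and the whole thing is
carried inside IP with protocol number 97. The Ethernet frame below is
constructed for the demonstration.
"""
import struct

ETHERIP_VERSION = 3
IPPROTO_ETHERIP = 97
MIN_ETHERNET_FRAME = 14  # dst MAC + src MAC + EtherType, no payload


def encapsulate(ethernet_frame):
    """Prepend the EtherIP header to a complete Ethernet frame."""
    if len(ethernet_frame) < MIN_ETHERNET_FRAME:
        raise ValueError("payload is shorter than an Ethernet header")
    header = struct.pack("!H", ETHERIP_VERSION << 12)  # version in bits 15..12
    return header + ethernet_frame


def decapsulate(etherip_payload):
    """Validate the EtherIP header and return the inner Ethernet frame.

    RFC 3378 requires receivers to discard packets whose version is not 3 or
    whose reserved bits are non-zero; a tunnel endpoint (or an IDS decoding
    protocol 97 between controllers) should apply the same checks.
    """
    if len(etherip_payload) < 2 + MIN_ETHERNET_FRAME:
        raise ValueError("packet too short for EtherIP header plus Ethernet frame")
    (hdr,) = struct.unpack("!H", etherip_payload[:2])
    version = hdr >> 12
    reserved = hdr & 0x0FFF
    if version != ETHERIP_VERSION:
        raise ValueError("unsupported EtherIP version %d" % version)
    if reserved != 0:
        raise ValueError("reserved bits must be zero")
    return etherip_payload[2:]


def inner_frame_summary(ethernet_frame):
    """Return (dst MAC, src MAC, EtherType) of a bridged frame, e.g. for logging."""
    dst, src, ethertype = struct.unpack("!6s6sH", ethernet_frame[:14])

    def mac(raw):
        return ":".join("%02x" % b for b in raw)

    return mac(dst), mac(src), ethertype


# Constructed sample: a broadcast ARP frame (EtherType 0x0806) from a client
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")      # broadcast destination
    + bytes.fromhex("001122334455")    # constructed client MAC
    + bytes.fromhex("0806")            # EtherType: ARP
    + bytes(28)                        # ARP body, zeroed for the demo
)

if __name__ == "__main__":
    tunneled = encapsulate(SAMPLE_FRAME)
    print("EtherIP header:", tunneled[:2].hex())
    print("inner frame:", inner_frame_summary(decapsulate(tunneled)))
```

Because the header carries no authentication or integrity protection of its own, the deck's later advice to allow only the right ports and protocols between mobility peers is what keeps protocol 97 traffic confined to the controllers that should be exchanging it.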

Scaling the Architecture with Mobility Groups

- With Inter Release Controller Mobility (IRCM), roaming is supported between 6.0, 7.0 and 7.2

[Figure: a Mobility Domain containing a 6.0 Mobility Group, a 7.0 Mobility Group and a 7.2 Mobility Group: one WLC network, 24 WLCs in a Mobility Group, 72 WLCs in a Mobility Domain]

How Long Does an STA Roam Take?

Time it takes for:
- Client to disassociate
- + Probe for and select a new AP
- + 802.11 Association
- + 802.1X/EAP Authentication
- + Rekeying
- + IP address (re)acquisition

All this can be on the order of seconds. Can we make this faster?

Roaming Requirements

- Roaming must be fast. Latency can be introduced by:
  - Client channel scanning and AP selection algorithms
  - Re-authentication of the client device and re-keying
  - Refreshing of the IP address
- Roaming must maintain security:
  - Open auth, static WEP: session continues on the new AP
  - WPA/WPAv2 Personal: new session key for encryption derived via standard handshakes
  - 802.1X, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and a new session key derived for encryption

How Are We Going to Make Roaming Faster?

Focus on where we can have the biggest impact:
- Eliminating the (re)IP address acquisition challenge
- Eliminating full 802.1X/EAP reauthentication

Intra-Controller Roaming: Layer 2

[Figure: WLC-1 and WLC-2 on VLAN X, each with a client database (client data: MAC, IP, QoS, security); mobility message exchange between the controllers; pre-roaming data path through WLC-1]

- An intra-controller roam happens when a client moves its association between APs joined to the same controller
- Client must be reauthenticated and a new security session established

Intra-Controller Roaming: Layer 2 (Cont.)

[Figure: the client roams to a different AP on the same controller (VLAN X); the roaming data path still goes through WLC-1]

- Client database entry updated with the new AP and the appropriate security context
- No IP address refresh needed

Intra-Controller Roaming: Layer 3

[Figure: WLC-1 on VLAN X and WLC-2 on VLAN Z, each with a client database (client data: MAC, IP, QoS, security); mobility message exchange between the controllers; pre-roaming data path through WLC-1]

Client Roaming Between Subnets: Layer 3 (Cont.)

[Figure: the client roams to an AP on WLC-2 (VLAN Z). WLC-1 becomes the Anchor Controller and WLC-2 the Foreign Controller; the client entry exists in both client databases, mobility messages are exchanged, and client traffic is carried over a data tunnel from WLC-2 back to WLC-1 along the pre-roaming data path]

Roaming: Inter-Controller, Layer 3

- L3 inter-controller roam: the STA moves its association between APs joined to different controllers, with client traffic bridged onto different subnets
- Client must be re-authenticated and a new security session established
- Client database entry is copied to the new controller; the entry exists in both WLC client DBs
- The original controller is tagged as the anchor, the new controller as the foreign
- WLCs must be in the same mobility group or domain
- No IP address refresh needed
- Symmetric traffic path established; the asymmetric option has been eliminated as of the 6.0 release
- Account for mobility message exchange in the network design


Fast Secure Roaming

Standard Wi-Fi Secure Roaming
- 802.1X authentication in wireless today requires three end-to-end transactions with an overall transaction time of > 500 ms
- 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms on the roam

[Figure: client on AP1, then roaming to AP2; the Cisco AAA server (ACS or ISE) is reached across the WAN. 1. 802.1X initial authentication transaction; 2. 802.1X reauthentication after roaming]

Note: a mechanism is needed to centralize key distribution

Cisco Centralized Key Management (CCKM)

- Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
- CCKM was ported to the CUWN architecture in the 3.2 release
- In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
- CCKM is most widely implemented in ASDs, especially VoWLAN devices
- To work across WLCs, the WLCs must be in the same mobility group
- CCX-based laptops may not fully support CCKM; this depends on supplicant capabilities
- CCKM is standardized in 802.11r, but no clients are available yet

What is 802.11r?

- An IEEE standard which defines a new concept of roaming
- The handshake with the new AP is done even before the client roams
- More secure due to 3 levels of key hierarchy
- The standard defines 2 methods of roaming: Over-the-Air and Over-the-DS
- The Association-Response frame is expanded, therefore older client drivers may not understand the 11r response frame. In some customer sites, 11r roaming may therefore require an additional SSID.

New in 7.2MR1

Fast Transition 802.11r Roaming Comparison

- The Action Frames are new to 802.11r and the Association Frames are modified
- Pairwise Master Key ID (PMKID) roam: 10 packets long
- 802.11r roam: the Action packet exchange occurs before the roam, therefore the roam itself is 2 packets long

Pre-Authenticated Secure Roam by WLAN

Two modes of roaming in 11r:
- 802.11r Over the Air roaming
- 802.11r Over the DS roaming

[Figure: two roaming sequences, each with a Client, AP1 (the currently associated AP) and AP2, 3, 4 (candidate APs), roaming direction from AP1 towards AP2, 3, 4.
Over the Air: the client exchanges 802.11 FT Authentication request/response directly with the target AP, then Reassociation request/response.
Over the DS: the client exchanges an FT Action request/response frame with the old associated AP (AP1), which carries the pre-auth information to the target AP; the client then exchanges Reassociation request/response with the target AP.]

802.11r

- To enable 11r, check Fast Transition in Layer 2 security
- Add Over the DS if you choose to reduce the over-the-air transactions
- Adding WPA2 will provide the option of support for 11r
- Select the key management type: FT 802.1X or FT PSK

Designing a Mobility Group/Domain

Design Considerations
- Less roaming is better; clients and apps are happier
- While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
- L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider worst-case scenarios when designing the roaming domain size
- Leverage natural roaming domain boundaries
- Mobility message transport selection: multicast vs. unicast
- Make sure the right ports and protocols are allowed

3K AP Setup in WNBU

[Figure: 3K AP setup in WNBU]


CUWN 7.2 Release: Key Controller Features

Device Support
- WiSM2/7500
- WiSM2 scale: 1000 APs
- WiSM2: 20 Gbps
- 7500 scale: 3000 APs
- 7500 DTLS/OEAP support
- 7500 high throughput
- 7500 context-aware
- AP3600
- 800 Series ISR

Other Highlights
- IPv6 mobility
- 802.11u/MSAP
- 11n throughput enhancements
- Flex: ACL, AAA override, P2P
- CleanAir classifiers
- TrustSec SXP
- AP Groups and Profiles
- OEAP600 enhancements with WLC: manual power, channel, disable etherport
- Stadium Vision Mobile with larger DTIM queue and dynamic multicast data rates per AP
- Videostream QoS alloy
- CCX Lite

Others
- WiPS: rogue and Wi-Fi Direct
- CleanAir enhancements for serviceability, PDA enhancements, unclassified interferers in AQ
- Flex: fast roaming for voice clients
- FlexConnect: efficient AP upgrade
- NEC-CAC for KTS SIP clients
- TPCv2/RRM enhancements
- Support for ISE 1.1

CUWN 7.2 MR1 Release

- 802.11r support
- External WebAuth for FlexConnect mode APs
- Outdoor RAPs can operate in Local mode and FlexConnect mode

Cisco WiSM-2 and Sup 2T

6500 as Borderless Services Node (BSN)
- Service modules: WiSM2, NAM3, ASA-SM
- Provides service virtualization, wired/wireless integration and secure access
- BSN provides a single point of management
- Sup 720 and Sup 2T support: Sup 720 software version 12.2(33)SXJ2, Sup 2T software version 15.0(1)SY1

[Figure: Catalyst 6500 10GbE core; aggregation 6k (wireless, security); access 2k/3k/4k]

Specifications at a Glance
| Access Points | 100-1000 |
| Clients | 15,000 and 5000 tags |
| I/O | 20G |
| APs in Mobility Domain | 72,000 |
| APs in Mobility Group | 24,000 |
| Chassis Level Scale | 7,000 APs and 105,000 clients |
| Concurrent AP Joins | 1000 |
| Physical Controllers | 1 |
| Power | 225 W |

Controller Portfolio

| | 5500 | WiSM-2 |
| Number of Access Points | 12, 25, 50, 100, 250, 500 | 500, 1000 (7.2) |
| Throughput | Up to 8 Gbps | Up to 10 Gbps / 20 Gbps (7.2) |
| Clients | Up to 7000 | Up to 10,000 |
| Concurrent AP Upgrades/Joins | Up to 500 | Up to 500 |
| Network I/O | Up to 8 x 1 Gbps SFPs | Cisco Catalyst 6000 Series backplane |
| Mobility Domain Size | Up to 36,000 APs | Up to 36,000 APs, 72,000 APs (7.2) |
| Number of Controllers per Physical Device | 1 | 1 |
| Power Consumption | 125 W | 225 W |
| AP Count Upgrade via Licensing | Yes | Yes |
| Encrypted Data Link Between AP and Controller | Yes | Yes |
| OfficeExtend Solution | Yes | Yes |

Cost Effective Entry Level Controllers

2500 Wireless Controller and SRE modules in ISR G2

| | 2500 Wireless Controller | SRE modules in ISR G2 |
| Access Points | 5-50 | ISM: 5-10, SM: 5-50 |
| Clients | 500 | 500 |
| Throughput | 500 Mbps | 500 Mbps |
| Deployment Model | Local and FlexConnect | Local and FlexConnect |
| Form Factor | Desktop | SRE (ISM/SM) |
| IO Interface | 4x 1GE | - |
| Upgrade Licenses | 5, 25 | 5, 25 |
| Device Supported On | - | 1941, 2900 and 3900 Series ISR G2 |

Access Points Portfolio

- Teleworker: OfficeExtend AP 600
- Business-Ready: AP 1040
- Mission Critical: AP 1140, AP 1260, AP 3500 (with CleanAir technology)
- Best in Class Mission Critical: AP 3600 (with CleanAir technology)

All 802.11n Wi-Fi

AP 3600: 3 Spatial Stream 3x3 MIMO Access Points

Cisco Aironet 3600 Series Access Points
- 4x4 MIMO antenna design, 3 spatial streams: redundant antenna design for more speed and reliability
- ClientLink 2.0 for 802.11n: improves performance for all mobile devices, including 802.11a/g and 802.11n 1SS, 2SS and 3SS
- Enhanced CleanAir technology: new, more powerful full-spectrum analysis while serving data traffic

Cisco Aironet 802.11n Access Points

Indoor and Outdoor: Feature Comparison Matrix

| Series | Data Rate | Radio Design |
| 3600 | 450 Mbps | 4x4:3 |
| 3500 | 300 Mbps | 2x3:2 |
| 1260 | 300 Mbps | 2x3:2 |
| 1140 | 300 Mbps | 2x3:2 |
| 1040 | 300 Mbps | 2x2:2 |
| 600 | 300 Mbps | 2x2:2 |
| 1550 | 300 Mbps | 2x3:2 on 2.4 GHz |

Further rows of the matrix (the per-series checkmarks are not recoverable from the slide): CleanAir, ClientLink / ClientLink 2.0, BandSelect, VideoStream, Rogue AP Detection, Adaptive wIPS, OfficeExtend, FlexConnect, Wireless Mesh, Data Uplink (Mbps), Power, Temperature Range in Celsius.

Data uplink and power cells recovered from the slide (column alignment lost in extraction): 10/100/1000 with 802.3af (four series); 10/100/1000 with 802.3af, supports 802.3at; 10/100 with 100 to 240 VAC, 50-60 Hz; 10/100/1000 with power by model number (see the AP AAG).

Temperature cells recovered from the slide: (i) 0 to 40 C, (e) -20 to 55 C (two series); -20 to 55 C; 0 to 40 C (three series); -40 to 131 C.


Deploying the Cisco Unified Wireless Architecture

- Controller Redundancy and AP Load Balancing
- Understanding AP Groups
- IPv6 Deployment with Controllers
- Branch Office Designs
- Guest Access Deployment
- Home Office Design


Controller Redundancy: Dynamic

- Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
- Results in a dynamic salt-and-pepper design
- Design works better when controllers are clustered in a centralized design

[Figure: AP1 to AP9 spread across WLC1 and WLC2]

Pros
- Easy to deploy and configure; less upfront work
- APs dynamically load-balance (though never perfectly)

Cons
- More inter-controller roaming
- Bigger operational challenges due to unpredictability
- Longer failover times
- No fallback option in the event of controller failure

Cisco's general recommendation is: only for Layer 2 roaming; use deterministic redundancy instead of dynamic redundancy

Controller Redundancy: Deterministic

- The administrator statically assigns APs a primary, secondary, and/or tertiary controller
- Assigned from the controller interface (per AP) or WCS (template-based)

[Figure: WLAN-Controller-A, WLAN-Controller-B and WLAN-Controller-C, with three AP sets configured as
Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C;
Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A;
Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B]

Pros
- Predictability: easier operational management
- More network stability
- More flexible and powerful redundancy design options
- Faster failover times
- Fallback option in the case of failover

Con
- More upfront planning and configuration

This is Cisco's recommended best practice

Controller Redundancy: Most Common (N+1)

- Redundant WLC in a geographically separate location
- Layer 3 connectivity between the APs connected to the primary WLC and the redundant WLC
- The redundant WLC need not be part of the same mobility group
- Configure high availability (HA) to detect failure and speed up failover
- Use AP priority in case of oversubscription of the redundant WLC

[Figure: WLAN-Controller-BKP in the NOC or data center; WLAN-Controller-1, WLAN-Controller-2 ... WLAN-Controller-n at the sites. APs are configured with Primary: WLAN-Controller-1 (or -2, ... -n), Secondary: WLAN-Controller-BKP]

Controller Redundancy: Architecture Resiliency

[Figure: three redundancy designs.
N:1 Redundancy: WLAN-Controller-1, -2 ... -n at the sites and WLAN-Controller-BKP in the NOC or data center; APs configured with Primary: WLAN-Controller-1 (or -2, ... -n), Secondary: WLAN-Controller-BKP.
N:N Redundancy: WLAN-Controller-A and WLAN-Controller-B back each other up; APs configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, or Primary: WLAN-Controller-B, Secondary: WLAN-Controller-A. With three controllers: Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C; Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A; Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B.
N:N:1 Redundancy: WLAN-Controller-A and WLAN-Controller-B back each other up, and WLAN-Controller-BKP in the NOC or data center is the tertiary for both; APs configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-BKP, or Primary: WLAN-Controller-B, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-BKP.]

High Availability Using Cisco 5508: Hardware Failure of WLC 5508

- APs are connected to the primary WLC 5508
- In case of hardware failure of the WLC 5508, APs fall back to the secondary WLC 5508
- Traffic flows through the secondary WLC 5508 and the primary core switch

[Figure: primary and secondary WLC 5508 attached to a pair of core switches]

High Availability Using WiSM-2: Uplink Failure on Primary Switch

- In case of uplink failure of the primary switch, the standby switch becomes the active HSRP switch
- APs are still connected to the primary WiSM-2
- Traffic flows through the new HSRP active switch

[Figure: active HSRP switch hosting the primary WiSM-2, and the standby HSRP switch, which becomes the new active HSRP switch]

High Availability Using WiSM-2: Hardware Failure of WiSM-2

- APs are connected to the primary WiSM-2
- In case of hardware failure of the primary WiSM-2, APs fall back to the secondary WiSM-2
- Traffic flows through the secondary WiSM-2 and the primary core switch

[Figure: primary and secondary WiSM-2 in a pair of core switches]

Redundancy Using VSS and Cisco 5508

- A Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch pair
- 4 ports of the Cisco 5508 are connected to the active VSS switch
- The 2nd set of 4 ports of the Cisco 5508 is connected to the standby VSS switch
- In case of failure of the primary switch, traffic continues to flow through the secondary switch in the VSS pair

[Figure: Cisco 5508 dual-homed to a Catalyst VSS pair]

Core Options: 6500 VSS with L2 Access, Nexus with L3 Access

[Figure: two designs, each with Access, Core/Distribution and Data Center layers (authentication and wireless services) and dual ISP uplinks (ISP1, ISP2): a Catalyst 6500 VSS core and a Nexus 7000 core. Dual physical links appear logically as a single link.]

Catalyst 6500 VSS
- Layer 2 to the access layer
- Single configuration
- Multi-chassis EtherChannel load-balancing

Nexus 7000
- Layer 3 to the access layer
- Higher 10 Gigabit capacity
- More extensive virtualization capabilities
- Equal-cost multipath load-balancing

Controller Redundancy: High Availability

High Availability Principles:
- An AP is registered with a WLC and maintains a backup list of WLCs
- The AP uses heartbeats to validate WLC connectivity
- The AP uses Primary Discovery messages to validate the backup WLC list
- When the AP loses 3 heartbeats it starts the join process with the first backup WLC candidate
- The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
- The AP does not re-initiate the discovery process

[Figure: AP with a Primary WLC and a Secondary WLC]

New Timers in 7.2
| Heartbeat Timeout | 1-30 secs |
| Fast Heartbeat Timer | 1-10 secs |
| AP Retransmit Interval | 2-5 secs |
| AP Retransmit with FH Enabled | 3-8 times |
| AP Fallback to next WLC | 12 secs |

AP Failover Priority

- In case of WLC failure, the backup WLC suddenly receives multiple Discover and Join messages from APs
- Enable AP Failover Priority globally: Wireless > Access Points > Global Configuration > AP Failover Priority
- In a failover situation when the backup controller is saturated, the higher priority access points are allowed to join the backup controller by disjoining the lower priority access points
- Assign priority on a per-AP basis: WLC > All APs > Details for AP > High Availability
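The high availability principles (3 missed heartbeats, then the first alive controller in the order primary, secondary, tertiary, global primary, global secondary) and the AP failover priority behaviour on a saturated backup are easier to reason about, and to size a backup controller for, when modelled explicitly. The following Python is an added example, not code from the deck or from Cisco; controller and AP names, capacities and the numeric priority scale (higher value = more important) are constructed for the demonstration.

```python
"""Model of CAPWAP AP failover ordering and AP failover priority.

Added example, not code from the BRKEWN-2010 deck or from Cisco. It implements
the rules the deck states: an AP declares its controller gone after 3 missed
heartbeats and then joins the first alive controller in the order primary,
secondary, tertiary, global primary, global secondary; and when a saturated
backup controller has AP failover priority enabled, a higher-priority AP is
admitted by disjoining a lower-priority one. Controller and AP names, the
capacities and the numeric priority scale (higher value = more important)
are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

HEARTBEATS_BEFORE_FAILOVER = 3


@dataclass
class AccessPoint:
    name: str
    priority: int                      # constructed scale: 1 (low) .. 4 (critical)
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    missed_heartbeats: int = 0


@dataclass
class Controller:
    name: str
    capacity: int                      # AP capacity of the controller (constructed)
    alive: bool = True
    joined: Dict[str, AccessPoint] = field(default_factory=dict)

    def admit(self, ap, failover_priority=False):
        """Join the AP; return the AP that was disjoined to make room, if any."""
        if len(self.joined) < self.capacity:
            self.joined[ap.name] = ap
            return None
        if not failover_priority:
            raise RuntimeError("%s is saturated, %s rejected" % (self.name, ap.name))
        # Saturated with failover priority on: disjoin the lowest-priority AP,
        # but only if the newcomer outranks it.
        victim = min(self.joined.values(), key=lambda a: a.priority)
        if victim.priority >= ap.priority:
            raise RuntimeError("%s is saturated, no lower-priority AP to disjoin" % self.name)
        del self.joined[victim.name]
        self.joined[ap.name] = ap
        return victim


def heartbeat_lost(ap):
    """Record a missed heartbeat; True once the AP should start joining a backup."""
    ap.missed_heartbeats += 1
    return ap.missed_heartbeats >= HEARTBEATS_BEFORE_FAILOVER


def backup_candidates(ap, global_primary=None, global_secondary=None):
    """Candidate order from the deck, with unset entries skipped."""
    order = [ap.primary, ap.secondary, ap.tertiary, global_primary, global_secondary]
    return [name for name in order if name]


def first_alive(ap, controllers, global_primary=None, global_secondary=None):
    """The AP joins the first alive candidate; it does not rediscover."""
    for name in backup_candidates(ap, global_primary, global_secondary):
        wlc = controllers.get(name)
        if wlc is not None and wlc.alive:
            return wlc
    return None


def fail_over(aps, controllers, failover_priority=False,
              global_primary=None, global_secondary=None):
    """Re-home APs that timed out; return {ap name: controller name or None}.

    APs are processed in the order given, which models the order in which
    they arrive at the backup; an AP disjoined later shows up as None.
    """
    result = {}
    for ap in aps:
        target = first_alive(ap, controllers, global_primary, global_secondary)
        if target is None:
            result[ap.name] = None
            continue
        try:
            evicted = target.admit(ap, failover_priority)
        except RuntimeError:
            result[ap.name] = None
            continue
        if evicted is not None:
            result[evicted.name] = None
        result[ap.name] = target.name
    return result
```

Running `fail_over` over an inventory with the real AP counts and priorities, with the backup's licensed capacity, shows which APs would be left without a controller in an N+1 design; that is the oversubscription case the previous slides tell you to plan for with AP priority.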


AP Pre-Image Download

- Since most CAPWAP APs can download and keep more than one image of 45 MB each, AP pre-image download allows the AP to download code while it is operational
- Pre-image download operation:
  1. Upgrade the image on the controller
  2. Don't reboot the controller
  3. Issue the AP pre-image download command
  4. Once all AP images are downloaded
  5. Reboot the controller
  6. The AP now rejoins the controller without a reboot

[Figure: Cisco WLAN controller and access points; with AP pre-image download the AP joins without a download. How much time do you save?]

[Figure: campus design with CAPWAP-L3. Access points on access switches (VLAN 10,11,12 and VLAN 20,21,22), distribution switches (standalone using routing, HSRP, STP) and auxiliary switches, and a data centre hosting the wireless controllers, the Mobility Service Engine (NMSP to the controllers, SNMP) and the Network Control System (SOAP/XML/SNMP)]

- Extremely resilient
- Rapid reconvergence on link loss due to extensive use of EtherChannel
- Option in the auxiliary switch for use of dual supervisors for improved availability

[Figure: the same campus design with the distribution switches as a VSS pair, the controllers dual-homed to the pair, and the data centre hosting the wireless controllers, the Mobility Service Engine (NMSP, SNMP) and the Network Control System (SOAP/XML/SNMP)]

- Option for use of VSS for even greater resiliency, as well as a simplified design
- Rapid reconvergence on link loss due to extensive use of EtherChannel
- Option to eliminate the auxiliary switches in this design, as controllers are dual-homed to the VSS switch pair

[Figure: the campus design (standalone distribution switches using routing, HSRP, STP; auxiliary switches) with anchor wireless controllers at the Internet edge: the wireless controllers build EoIP tunnels to the anchor wireless controllers, which front a guest DHCP/DNS server and the Internet]

- Option showing use of anchor controllers for use with guest SSIDs
- Guest WLANs are configured with Auto Anchor


AP-Groups: Default AP-Group

- The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the default AP-Group
- The default AP-Group cannot be modified
- APs with no assignment to a specific AP-Group will use the default AP-Group
- The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
- Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
- AP-Group limits: WLC 2106 (50), WLC 2504 (50), WLC 4400 and WiSM (300), WLC 5508 and WiSM-2 (500), WLC 7500 (500)

AP-Grouping in Campus

[Figure: campus with access and distribution layers in each building, a core, and a data center with WLC-1 and WLC-2, WAN and Internet. A single SSID "Employee" maps to VLAN 100 (/21) on all access blocks (CAPWAP from the APs to the controllers)]

AP-Grouping in Campus

[Figure: the same campus with a single SSID "Employee", but APs in AP-Group-1 map to VLAN 60 (/23), AP-Group-2 to VLAN 70 (/23) and AP-Group-3 to VLAN 80 (/23) instead of the single VLAN 100 (/21); VLANs 60, 70 and 80 are carried to WLC-1 and WLC-2 in the data center]

Default AP-Group

[Screenshot: the default AP group's network name list; only WLANs 1-16 will be added to the default AP group]

Multiple AP-Groups

[Screenshot: AP Group 1, AP Group 2 and AP Group 3 defined on the controller]

Interface-Groups (aka VLAN Select)

- Interface groups allow a WLAN to be mapped to a single interface or to multiple interfaces
- Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round-robin fashion
- Extends the current AP group and AAA override to multiple interfaces using interface groups

| Controllers | Interface-Groups/Interfaces |
| WiSM-2, 5508, 7500, 2500 | 64/64 |
| WiSM, 4400 | 32/32 |
| 2100 and 2504 | 4/4 |

BRKEWN-2010

2012 Cisco and/or its affiliates. All rights reserved.

Cisco Public

68

Interface-Grouping in Campus

[Figure: campus with Access, Distribution and Core layers and LWAPP/CAPWAP from the APs to WLC-1 and WLC-2 in the Data Center. Three interface groups on the access layer: Int-Group-1 with VLAN 60 /23 and VLAN 61 /23, Int-Group-2 with VLAN 70 /23 and VLAN 71 /23, Int-Group-3 with VLAN 80 /23 and VLAN 81 /23; a single SSID = Employee. The controllers carry VLAN 100 /21 plus VLAN 60, 61, 70, 71, 80 and 81.]

Multiple Interface-Groups

[Screenshot: Interface Groups page listing Interface Group 1, Interface Group 2 and Interface Group 3.]

RF-Profiles (7.2)

RF Profiles allow the administrator to tune together a group of APs that share a common coverage zone, selectively changing how RRM operates the APs within that coverage zone.
RF Profiles are created for either the 2.4 GHz radio or the 5 GHz radio.
Profiles are applied to the APs belonging to an AP Group; all APs in the group get the same profile settings.

There are two components to this feature:

RF Profile (new in 7.2), providing administrative control over:
o Min/Max TPC values
o TPCv1 Threshold
o TPCv2 Threshold
o Data Rates

RF Profiles

Create an RF profile for the 802.11a or 802.11b/g radio.
Select, if required, the minimum and/or maximum TPC settings.
Select a custom TPC power threshold for either Version 1 or Version 2 of TPC.
Select the data rates to be applied to the APs.

RF-Profile in Campus (7.2)

[Figure: the same campus as the interface-grouping figure, with LWAPP/CAPWAP from the APs to WLC-1 and WLC-2 in the Data Center, but the access layer is now divided into RF-Profile-1 (VLAN 60 /23, VLAN 61 /23), RF-Profile-2 (VLAN 70 /23, VLAN 71 /23) and RF-Profile-3 (VLAN 80 /23, VLAN 81 /23); a single SSID = Employee. The controllers carry VLAN 60, 61, 70, 71, 80 and 81.]

Multiple RF-Profiles

[Screenshot: RF Profiles page listing RF Profile-1, RF Profile-2 and RF Profile-3.]

Design Recommendations

Use 5508 with N+1 redundancy (recommended) or WiSM-2 with N+N redundancy.
Use Link Aggregation across multiple chassis or line cards for N+1 redundancy when using 5508 WLAN controllers.
Use large subnets (e.g., /21) to minimize L3 roaming, or use VLAN Select (aka Interface Groups).
Group APs on controllers to minimize inter-controller roaming (i.e., create natural roaming boundaries).
Use separate controllers or AP groups for low-volume legacy devices (e.g., 802.11b ticket scanners).
Software version 7.2.103.0 or higher.
NCS 1.1 for Network Management.

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design

IPv6 - Phased Implementation

IPv4-only -> IPv4 and IPv6 co-existence (servers and clients will be dual-stack) -> IPv6-only

But dual-stack clients are here now.

Wireless IPv6 Support - Pre-v7.2

[Figure: clients behind an AP, a CAPWAP tunnel to the controller, and the wired VLAN beyond it.]

IPv6 ICMPv6 multicast messages are sent to all clients (including L3-roamed clients) at low data rates.
All IPv6 packets are bridged on the VLAN, transmitting unnecessary ICMPv6 messages in both directions.
In releases prior to 7.2, enabling IPv6 bridging provided a limited solution with no Layer 3 mobility and non-optimized delivery of essential ICMPv6 messages to clients.

Wireless IPv6 Support - Post-v7.2

[Figure: clients behind an AP, a CAPWAP tunnel to the controller, and the wired VLAN beyond it.]

IPv6 ICMPv6 multicast messages are unicast to each client at high data rates.
IPv6 ICMPv6 messages are interpreted by the controller and forwarded only as needed.
In release 7.2, the controller now processes ICMPv6 messages, allowing for optimized delivery, Layer 3 mobility and first hop security.

Wireless IPv6 Client Support

[Figure: protocol stacks along the path: IPv6 / IPv4 over 802.11 at the client; 802.11 inside CAPWAP over IPv4 Ethernet in the CAPWAP tunnel; IPv6 / IPv4 over VLAN Ethernet on the wired side.]

Supports IPv4, dual-stack and native IPv6 clients on a single WLAN simultaneously.
Supports the following IPv6 address assignment methods for wireless clients:
IPv6 Stateless Autoconfiguration [SLAAC]
Stateless and Stateful DHCPv6
Static IPv6 configuration
Supports up to 8 IPv6 addresses per client.
Clients are able to pass traffic once IPv4 or IPv6 address assignment is completed after successful authentication.

IPv6 Client Connectivity on Multiple WLANs

[Figure: Router 1 (VLAN 100) and Router 2 (VLAN 200) send RAs into a VLAN pool; through the CAPWAP tunnel the AP delivers the RA for VLAN = 100 to clients on the VLAN 100 WLAN and the RA for VLAN = 200 to clients on the VLAN 200 WLAN.]

Access Points keep track of individual clients and unicast the Router Advertisement to the clients depending on the WLAN they belong to.
Access Points support up to 16 WLANs/SSIDs for dual-stack clients.
To maintain proper routing capability, mobile clients need to have the proper global unique unicast prefix from the router within their own network.

Cisco Supports Many IPv6 Addresses Per Client

Up to 8 IPv6 addresses are tracked per client.

Support for many IPv6 addresses per client is necessary because:
Clients can have multiple address types per interface
Clients can be assigned addresses via multiple methods such as SLAAC and DHCPv6
Most clients automatically generate a temporary address in addition to assigned addresses

Use Case #1: Mobility (7.2)

Challenge: Dropped connections when roaming to a different network
Solution: Intelligent IPv6 packet processing; the RA follows roaming clients through the mobility tunnel
Benefits: Reliable connectivity while roaming
Differentiator: Seamless layer-3 mobility for IPv6 clients

How Does Cisco Solve IPv6 Mobility?

[Figure: Router 1 behind the Anchor WLC and Router 2 behind the Foreign WLC, a mobility tunnel between the two controllers, CAPWAP tunnels to the APs, and a roaming client; the Router Advertisement from Router 1 is carried across to the roamed client.]

To address this issue, the roaming client must be able to receive the original router advertisement. The anchor controller sends the RA to the foreign controller through the mobility tunnel. When the Access Point receives the RA, it converts the multicast RA to unicast (MC2UC) and sends the RA to each client individually.

New IPv6 Address Learning with Mobility

[Figure: Anchor WLC and Foreign WLC joined by a mobility tunnel, each with a CAPWAP tunnel to its AP and a roaming client; DHCPv6 / RS messages travel to Router 1 behind the anchor and the DHCPv6 / RA reply returns the same way; Router 2 sits behind the foreign controller.]

The IPv6 address is always learned at the anchor, either through DHCPv6 or NDP.
DHCPv6 packets from a roamed client at the foreign controller are tunneled to the anchor controller, which learns the IPv6 address from the DHCPv6 replies. Similarly, NDP messages for a roamed client are processed at the anchor controller.
Whenever a new IPv6 address is learned at the anchor, the new address is sent in a mobility message to the foreign controller.

Testing IPv6-Only Client Mobility with Cisco

[Screenshots: before roaming, during roaming (the IPv6 ping continues) and after roaming; the client keeps its IPv6 address and connectivity is seamless.]

Clients: Windows 7 (SP1) with only IPv6 enabled

Use Case #2: Security (7.2)

Challenge: Vulnerabilities originating from the client community: rogue Router Advertisement (RA), rogue DHCP server
Solution: First Hop Security blocks rogue announcements; IPv6 ACLs provide IPv6 traffic control
Benefits: Increased network availability and reliability; lower operational cost
Differentiator: Proactively block known threats from the wireless side

IPv6 ACL Support

[Figure: client, AP, CAPWAP tunnel, controller.]

Up to 128 ACLs (64 for IPv4 and 64 for IPv6) are supported.
Two ACL profiles (one for IPv4 and one for IPv6) are supported per dual-stack client.
ACL profiles for wireless clients can be configured on the Wireless Controller or provided by the AAA server.
The AAA server can send both IPv4 and IPv6 ACL attributes for dual-stack clients after successful user authentication.
Counters are maintained on ACL matches for operational/maintenance purposes.

IPv6 ACL Configuration

[Screenshot: per-WLAN ACL configuration.]

A separate IPv4 and IPv6 ACL can be applied on a per-WLAN basis.

Use Case #3: Efficiency (7.2)

Challenge: Chatty IPv6 packets, busy network, high CPU
Solution: Intelligent processing of IPv6 packets with proxy and rate limit
Benefits: Increased radio efficiency, decreased processing load on the router
Differentiator: 50% NDP reduction on the wireless side and 25% on the wired side

[Figure: high number of packets before, lower number of packets after.]

First Hop Optimization for Wireless IPv6 Clients

[Figure: wired side (IPv6 over VLAN Ethernet) -> controller -> CAPWAP tunnel (IPv6 / 802.11 inside CAPWAP over IPv4 Ethernet) -> AP -> clients (IPv6 over 802.11).]

Rate limiting / throttling of the periodic Router Advertisement
Neighbor Discovery caching
Neighbor Solicitation proxy / Neighbor Advertisement
Neighbor Solicitation (NS) suppression: respond to the NS with the cached binding table entry
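The following Python model is added here as an illustration and is not Cisco controller code. It ties together the behaviours on these IPv6 slides: a per-client binding table capped at 8 addresses, NS suppression answered from that table, RA multicast-to-unicast per VLAN, RA throttling, and first hop security dropping RAs or DHCPv6 server messages that originate from wireless clients. The message fields, MAC/IPv6 values and the throttle window are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

MAX_ADDRS_PER_CLIENT = 8   # slides: up to 8 IPv6 addresses tracked per client


@dataclass
class Msg:
    """One ICMPv6 or DHCPv6 message as seen by the controller (constructed model)."""
    kind: str                  # "NS", "NA", "RA", "DHCPV6_REPLY" or "DHCPV6_ADVERTISE"
    src_mac: str               # sender: a wireless client or the wired router/server
    vlan: int                  # VLAN the message arrived on
    t: float = 0.0             # logical arrival time in seconds (used for RA throttling)
    target: str = ""           # NS target, NA advertised address or DHCPv6-assigned address
    dst_mac: str = ""          # destination client of a DHCPv6 reply
    from_wireless: bool = False


class FirstHopProcessor:
    """Binding table, NS suppression, RA MC2UC, RA throttling and rogue blocking."""

    def __init__(self, ra_window_s: float = 30.0, ra_max_per_window: int = 1):
        # Throttle knobs are assumptions for this model, not Cisco defaults.
        self.ra_window_s = ra_window_s
        self.ra_max_per_window = ra_max_per_window
        self.bindings = defaultdict(list)        # client MAC -> [IPv6 addresses]
        self.clients_by_vlan = defaultdict(set)  # VLAN -> {client MAC}
        self.ra_times = defaultdict(deque)       # VLAN -> times of recently forwarded RAs
        self.stats = Counter()

    def register_client(self, mac: str, vlan: int) -> None:
        self.clients_by_vlan[vlan].add(mac)

    def learn(self, mac: str, addr: str) -> None:
        """Record an address for a client, keeping only the newest 8 (SLAAC,
        DHCPv6 and temporary addresses can all coexist on one interface)."""
        addrs = self.bindings[mac]
        if addr in addrs:
            return
        addrs.append(addr)
        if len(addrs) > MAX_ADDRS_PER_CLIENT:
            addrs.pop(0)

    def owner_of(self, addr: str):
        for mac, addrs in self.bindings.items():
            if addr in addrs:
                return mac
        return None

    def handle(self, m: Msg) -> list:
        """Return the (action, detail) pairs the controller takes for one message."""
        if m.from_wireless and m.kind in ("RA", "DHCPV6_ADVERTISE", "DHCPV6_REPLY"):
            # First hop security: a client may not act as a router or DHCPv6 server.
            self.stats["rogue_blocked"] += 1
            return [("drop_rogue", m.src_mac)]
        if m.kind == "NA":                       # client announces one of its addresses
            self.learn(m.src_mac, m.target)
            return [("learn", m.target)]
        if m.kind == "DHCPV6_REPLY":             # server assigns an address to dst_mac
            self.learn(m.dst_mac, m.target)
            return [("learn", m.target)]
        if m.kind == "NS":
            owner = self.owner_of(m.target)
            if owner is not None:
                # NS suppression: answered from the binding table, nothing goes over the air.
                self.stats["ns_suppressed"] += 1
                return [("proxy_na", f"{m.target} is-at {owner}")]
            self.stats["ns_forwarded"] += 1
            return [("forward_ns", m.target)]
        if m.kind == "RA":
            recent = self.ra_times[m.vlan]
            while recent and m.t - recent[0] >= self.ra_window_s:
                recent.popleft()
            if len(recent) >= self.ra_max_per_window:
                self.stats["ra_throttled"] += 1  # periodic RA rate limiting
                return [("drop_throttled", m.vlan)]
            recent.append(m.t)
            # Multicast-to-unicast: one copy per client on this VLAN only, at unicast rates.
            clients = sorted(self.clients_by_vlan[m.vlan])
            self.stats["ra_unicast_copies"] += len(clients)
            return [("unicast_ra", mac) for mac in clients]
        return [("bridge", m.kind)]
```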

First Hop Security / Efficiency Configuration

[Screenshot: controller IPv6 configuration page for the first hop security and efficiency settings.]

Use Case #4: Client Management (7.2)

Challenge: Client visibility is vital for troubleshooting, planning and security
Solution: NCS tracks IPv6 client addresses, client IP version distribution and trending; MSE tracks IPv6 client locations
Benefits: Prepares the admin for IPv6 troubleshooting and address planning; provides client traceability
Differentiator: Management system for wired + wireless, IPv4 + IPv6

Cisco NCS 1.1 Provides Comprehensive IPv6 Client Visibility and Monitoring

Visibility: recognition of IPv6 Global and Link-Local addresses
Insight: identification of IPv4, Dual-Stack or IPv6-Only client types
Security: identification of clients acting as IPv6 routers

Cisco NCS 1.1 Provides a Rich IPv6 Session History

NCS logs both current and past IPv6 addresses.

Since IPv6 clients can change addresses so often (sometimes once per day with temporary addresses), they need to be tracked over time. This is needed for tracking down attacks or copyright infringement violations that need to be audited all the way back to the user.

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
  Understanding FlexConnect AP Deployment
  Understanding Branch Controller Deployment
Guest Access Deployment
Home Office Design

Branch Office Deployment

FlexConnect
Hybrid architecture
Single management and control point
Centralized traffic (split MAC) or local traffic (local MAC)
HA will preserve local traffic only

[Figure: Central Site with the controller; centralized traffic crosses the WAN to the Remote Office, while local traffic stays within the Remote Office.]

FlexConnect Design Considerations (For Your Reference)

WAN limitations apply

FlexConnect Design Considerations

Feature limitations apply. Some features are not available in standalone mode or in local switching mode:
MAC/Web Auth in standalone mode
Central Web Authentication in local switching mode
Mesh AP
WGB & Universal WGB
VideoStream
IPv6
L3 Mobility
SXP TrustSec
AAA ACL & QoS override
See the full list in the H-REAP Feature Matrix:
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml

Economies of Scale for Lean Branches

Flex 7500 Wireless Controller (New)

Key Differentiation:
WAN Tolerance - High Latency Networks
WAN Survivability
Security - 802.1x based port authentication
Voice support - Voice CAC, OKC/CCKM

  Access Points             300 - 3,000
  Clients                   30,000
  Branches                  1000
  Access Points / Branch    50
  Deployment Model          FlexConnect
  Form Factor               1 RU
  IO Interface              2x 10GE
  Upgrade Licenses          100, 200, 500, 1K

Understanding FlexConnect Groups

FlexConnect groups allow sharing of:
CCKM fast roaming keys
Local user authentication
Local EAP authentication
Efficient Image Download

[Figure: Central Site connected over the WAN to two remote sites, FlexConnect Group 1 and FlexConnect Group 2.]

Scaling information:
                        Flex 7500   CT-5508   WiSM2   CT-2504
  FlexConnect Groups    1000        100       100     20
  AP per Flex Group     50          25        25      25

FlexConnect Improvements in 7.2

Smart AP Image Upgrade
ACLs on FlexConnect AP
AAA Over-ride of VLAN - dynamic VLAN assignment for locally switched clients
FlexConnect Re-branding
Fast Roaming for Voice Clients
Peer to Peer Blocking

FlexConnect Smart AP Image Upgrade (New in 7.2)

Description

Smart AP Image Upgrade uses a master AP in each FlexConnect Group to download the code. The other FlexConnect APs download the code from the master locally.

1. Download the upgraded firmware to the WLC (it will become the primary image).
2. Force the boot image to be the secondary (and not the newly upgraded one) to avoid a parallel download by all APs in case of an unexpected WLC reboot.
3. The WLC elects a master AP in each FlexConnect Group (it can also be set manually).

[Figure: the Wireless Control System pushes the new firmware image to the Wireless LAN Controller at the Central Site (primary image: new, secondary image: old); across the WAN, Remote Site-1 through Remote Site-N each have a Master AP.]

FlexConnect Smart AP Image Upgrade (New in 7.2)

Configuration

[Screenshot: FlexConnect Group page with the Efficient AP Image Upgrade checkbox, a field whose valid range is 1-63, and the Master AP selection.]

Enable Efficient AP Image Upgrade.
Random backoff interval (100-300 sec) between each retry.
Master AP selection is optional.

The FlexConnect AP Upgrade checkbox has to be enabled for each FlexConnect Group. By default, the Master AP for each FlexConnect Group is selected using the lower-MAC algorithm. One master is selected per AP type.
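Added illustration, not controller code: the lower-MAC master election per FlexConnect Group and AP type described above, with the optional manual override and the 100-300 s random backoff, plus a count of how many image downloads cross the WAN with and without a master. AP names, MACs and models are constructed.

```python
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlexAP:
    name: str
    mac: str      # Ethernet MAC as colon-separated hex
    model: str    # AP type; the slides say one master is selected per AP type
    group: str    # FlexConnect Group name


Key = Tuple[str, str]   # (FlexConnect Group, AP model)


def mac_value(mac: str) -> int:
    """Numeric value of a MAC so "lower MAC" compares correctly across formats."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_masters(aps: List[FlexAP],
                  manual: Optional[Dict[Key, str]] = None) -> Dict[Key, FlexAP]:
    """Return the master AP per (group, model). A manually selected AP name wins
    for its key; otherwise the AP with the lowest MAC in that key is elected."""
    manual = manual or {}
    members: Dict[Key, List[FlexAP]] = defaultdict(list)
    for ap in aps:
        members[(ap.group, ap.model)].append(ap)
    masters: Dict[Key, FlexAP] = {}
    for key, group in members.items():
        chosen = next((ap for ap in group if ap.name == manual.get(key)), None)
        masters[key] = chosen or min(group, key=lambda ap: mac_value(ap.mac))
    return masters


def wan_downloads(aps: List[FlexAP], manual=None) -> Tuple[int, int]:
    """(downloads over the WAN with Smart AP Image Upgrade, without it):
    only the masters fetch from the WLC; the rest copy locally from their master."""
    return len(elect_masters(aps, manual)), len(aps)


def retry_backoffs(retries: int, seed: Optional[int] = None,
                   low: int = 100, high: int = 300) -> List[int]:
    """Random backoff in seconds before each retry, within the 100-300 s the slides give."""
    rng = random.Random(seed)
    return [rng.randint(low, high) for _ in range(retries)]


# Constructed inventory: two branches, two AP models in branch-1.
SAMPLE_APS = [
    FlexAP("br1-ap1", "00:1a:2b:00:00:05", "AP3502", "branch-1"),
    FlexAP("br1-ap2", "00:1a:2b:00:00:03", "AP3502", "branch-1"),
    FlexAP("br1-ap3", "00:1a:2b:00:00:0a", "AP1142", "branch-1"),
    FlexAP("br2-ap1", "00:1a:2b:00:00:01", "AP3502", "branch-2"),
    FlexAP("br2-ap2", "00:1a:2b:00:00:02", "AP3502", "branch-2"),
]
```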

Local Switching Access Lists (New in 7.2)

Description

Support for ACLs in FlexConnect local switching mode
ACL mapped to local VLAN per AP or FlexConnect Group
512 FlexConnect ACLs per WLC
16 ingress ACLs and 16 egress ACLs per AP
64 ACL rules per ACL
No IPv6 ACL

[Figure: Central Site with Application Server, WAN, Remote Site.]

Local Switching Access Lists (New in 7.2)

Configuration

ACL rule creation and application for FlexConnect is identical to WLC rule creation for Local Mode.

[Screenshots: Step 1; Step 2 (click to add ACL rules); Step 3 (provision to assign separate Inbound and Outbound ACLs).]

Local Switching Peer-to-Peer Blocking (New in 7.2)

Description

Support for Peer-to-Peer blocking on FlexConnect APs
Applies to clients on the same FlexConnect AP
P2P blocking modes: disable or drop
For P2P blocking between APs, use an ACL or the Private VLAN function

[Figure: Central Site with Application Server, WAN, Remote Site.]

Local Switching Peer-to-Peer Blocking (New in 7.2)

Configuration

Both modes of operation will drop the packet.
Multiple policy touch points at the AP for a local-switching-enabled WLAN.
* A central switching WLAN will support Forward-UpStream and will send the packet to the next upstream node connected to the WLC.

FlexConnect AAA VLAN Override (New in 7.2)

Description

AAA VLAN Override with local or central authentication
Up to 16 VLANs per FlexConnect AP
VLAN ID must be enabled per AP or FlexConnect Group
If the VLAN ID does not exist, the default VLAN is used
QoS and ACL Override are not supported

[Figure: Central RADIUS and Application Server at the Central Site, WAN to a Remote Site where the APs of FlexConnect Group 1 place clients on VLAN 3 or VLAN 7.]

FlexConnect AAA VLAN Override (New in 7.2)

Configuration

[Screenshot: ISE, across the WAN, returning IETF RADIUS attributes 64, 65 and 81.]

Create a sub-interface on the FlexConnect AP.

FlexConnect External WebAuth

[Figure: branch with a Flex AP, a local DHCP/DNS server and the local network (orange VLAN), connected over the corporate WAN to the centralized WLC.]

1. The Flex pre-auth ACL is configured at the WLAN (for web auth only), Flex-Group or AP level.
2. The ACL is pushed to the AP automatically. Traffic that is allowed by the ACL is locally switched, other traffic is sent to the WLC (DNS and DHCP are allowed by default).
3. The client associates to the locally switched WLAN.
4. DHCP traffic is allowed and switched locally to the orange VLAN; the client gets an IP from the local network.
5. The client browses to www.cisco.com; the DNS request is allowed and switched locally.

FlexConnect External WebAuth (continued)

[Figure: the same branch; the CAPWAP data tunnel carries the client's HTTP request over the corporate WAN to the centralized WLC, which answers with an http://redirect to the external server.]

6. HTTP traffic to www.cisco.com is not allowed by the ACL, so it goes to the WLC in the CAPWAP tunnel.
7. The WLC redirects the traffic to the external web page.
8. The client opens an HTTP session to the external server; this traffic is allowed by the ACL and hence is locally switched.
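Added example, not Cisco's code, modelling the Flex AP decision in steps 2-8 above: a constructed pre-auth ACL evaluated per flow, with DNS and DHCP permitted by default, the external portal host opened, everything else sent to the WLC, plus an audit that flags a pre-auth ACL wide enough to give unauthenticated clients locally switched reachability. The portal, web server and DNS addresses are RFC 5737 documentation addresses chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dport: int


# Constructed addresses from the RFC 5737 documentation ranges, not from the deck.
PORTAL_IP = "203.0.113.10"      # external web-auth server reached before authentication
WEB_IP = "198.51.100.20"        # stands in for www.cisco.com in the walk-through
LOCAL_DNS = "192.0.2.1"         # local DNS server on the branch ("orange") VLAN

# The AP permits DNS and DHCP by default before authentication (slide step 2).
DEFAULT_PERMITS = [Rule("permit", "udp", "0.0.0.0/0", 53),
                   Rule("permit", "udp", "0.0.0.0/0", 67)]

# Constructed Flex pre-auth ACL: only the portal host is opened. Anything else
# hits the implicit deny and is sent to the WLC inside the CAPWAP tunnel.
PREAUTH_ACL = [Rule("permit", "tcp", f"{PORTAL_IP}/32", 443),
               Rule("permit", "tcp", f"{PORTAL_IP}/32", 80)]


def acl_permits(rules: List[Rule], flow: Flow) -> bool:
    """First matching rule wins; no match is an implicit deny."""
    dst = ip_address(flow.dst_ip)
    for r in rules:
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if dst not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action == "permit"
    return False


def flex_ap_decision(flow: Flow, authenticated: bool, rules=PREAUTH_ACL) -> str:
    """Where a locally switched Flex AP sends one client flow (model of steps 2-8)."""
    if authenticated:
        return "local_switch"                 # post-auth the pre-auth ACL no longer applies
    if acl_permits(DEFAULT_PERMITS + list(rules), flow):
        return "local_switch"                 # permitted pre-auth traffic stays in the branch
    if flow.proto == "tcp" and flow.dport == 80:
        return "capwap_to_wlc:http_redirect"  # WLC answers with a redirect to the portal
    return "capwap_to_wlc"                    # other pre-auth traffic is handled by the WLC


def audit_preauth_acl(rules: List[Rule]) -> List[Rule]:
    """Flag permit rules wider than one host: they give unauthenticated clients
    locally switched reachability that the portal never sees."""
    return [r for r in rules
            if r.action == "permit" and ip_network(r.dst).prefixlen < 32]


def walk_through():
    """Steps 4-8 of the slides, then the same HTTP flow after web-auth succeeds."""
    cases = [
        ("4-dhcp", Flow("udp", "255.255.255.255", 67), False),
        ("5-dns", Flow("udp", LOCAL_DNS, 53), False),
        ("6-http-to-website", Flow("tcp", WEB_IP, 80), False),
        ("8-portal", Flow("tcp", PORTAL_IP, 443), False),
        ("after-auth-http", Flow("tcp", WEB_IP, 80), True),
    ]
    return [(label, flex_ap_decision(f, auth)) for label, f, auth in cases]
```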

FlexConnect and ISE

[Figure: Branch Flex AP and ISE across the WAN: RADIUS auth, then URL/ACL, then web-auth, then CoA/VLAN assignment. Policy: laptop -> VLAN 109, iPad -> VLAN 110.]

During the initial 802.1X authentication with ISE, the client is provided with a URL/ACL for ISE.
The client does web-auth with ISE.
Once the device is profiled, ISE uses CoA to assign a device-specific VLAN.

FlexConnect and AP1500 (Outdoor)

[Figure: Controller behind an L3/L2 switch; RAP (Root AP) in Local or FlexConnect mode; 5 GHz backhaul to a MAP (Mesh AP).]

Indoor AP parity with outdoor RAP (1520 & 1550) only
Local Mode
FlexConnect Mode
No MAP functionality in this release
Flex Mode will have support for Central and Local Switching

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
  Understanding FlexConnect AP Deployment
  Understanding Branch Controller Deployment
Guest Access Deployment
Home Office Design

Branch Office WLAN Controller Options

[Figure: Headquarters (WCS, E-Mail) connected over MPLS / ATM / Frame Relay to a Branch Office and over an Internet VPN to a Small Office.]

Branch Office: Number of Users: 100-500; Number of APs: 5-25
Appliance controllers: Cisco 2504-12, Cisco 5508-12, Cisco 5508-25

Small Office: Number of Users: 20-100; Number of APs: 1-5
Integrated controller: WLAN controller module (WLCM-2) for ISR G2

Branch Office WLAN Controller Options

[Figure: Headquarters (WCS, E-Mail) connected over MPLS / ATM / Frame Relay to a Branch Office with a Cisco 2504 *** and over an Internet VPN to a Small Office with a WLCM-2 **.]

Cisco Unified Wireless Network with controller-based
Multiple integrated WAN options on ISR
Consistent branch-HQ services, features, and performance
Standardized branch configuration extends the unified wired and wireless network
Branch configuration management from central WCS

** AP count varies depending on channel utilization and data rates

When to Choose WLC 2504?

The WLC 2504 should be used in the branch, compared to the H-REAP solution, for the following reasons:
If you need a cookie-cutter configuration for every branch site
If you need Layer-3 roaming in the branch site
If you need VideoStream technology in the branch site
If you need to implement VLAN Select in the branch site
If you need to implement Static IP mobility in the branch site
If you want WGB support in the branch site
If you want Mesh AP support in the branch site

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design

Guest Access Deployment

WLAN Controller Deployments with EoIP Tunnel

[Figure: Guest client -> AP (CAPWAP) -> Wireless LAN Controller -> EoIP Guest Tunnel -> DMZ or Anchor Wireless Controller -> Cisco ASA Firewall -> Internet.]

Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee for example) is still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
Original guest's Ethernet frame maintained across CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the Anchor
WLC 2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)

Guest Access Deployment with 7.0.0116

[Figure: Foreign WLCs with Wireless VLANs / Interface Groups (Wireless VLAN-1, VLAN-2, VLAN-3 and VLAN-4, all carrying WLAN A), each split into Secure and Guest traffic. Secure traffic goes to the Campus Core (DHCP servers in the Core with per-VLAN DHCP scopes, ACS/ISE). Guest traffic rides EtherIP Guest Tunnels to Anchor1 and Anchor2 in the DMZ (DHCP servers in the DMZ with per-VLAN DHCP scopes) and out to the Internet.]

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing
Understanding AP Groups
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Designs

Home Office Design

[Figure: Headquarters (WLC 5508 / WiSM-2 / WLC 7500, WCS, E-Mail) with MPLS / ATM / Frame Relay WAN links and an Internet VPN to an OEAP AP at the teleworker's home.]

Cisco controller installed in the DMZ of the corporate network
OfficeExtend AP (OEAP) installed at the teleworker's home
Corporate access for the employee over a centrally configured SSID
Family Internet access over a locally configured SSID

OEAP 600

802.11n AP with dual concurrent 2.4 GHz and 5 GHz radios for the teleworker home
4 local Ethernet ports: 1 corporate-bound port, 3 for local Ethernet devices
Up to 4 clients behind the corporate port
Corporate SSID and user-configurable Personal SSID
Traffic segmenting supported (corporate vs. personal traffic)
Local DHCP and NAT support
Control and data plane encryption

Summary Key Takeaways

Take advantage of the standards (CAPWAP, DTLS, 802.11 i, e, k, r, ...)
Wide range of architecture / design choices
Brand new controller portfolio (WiSM-2, WLC 7500, WLC 2504) with investment protection
Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
Cisco's investment into technology: NCS, ISE, new hardware, cloud controller, Cius

Documentation

Aironet 600 Series OEAP Access Point Configuration Guide
http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml

Wireless Services Module 2 (WiSM2) Deployment Guide
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml

Flex7500 Deployment Guide
http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

Wireless LAN (WLAN) Configuration Examples and TechNotes
http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

H-REAP Deployment Guide
http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml

VLAN Select Deployment Guide
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042.
Come see demos of many key solutions and products in the main Cisco booth 2924.
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
Facebook: https://www.facebook.com/ciscoliveus
Twitter: https://twitter.com/#!/CiscoLive
LinkedIn Group: http://linkd.in/CiscoLI
