
Design and Deployment of Enterprise WLANs

BRKAGG-2010

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public


What You Will Learn

Theory of operations of the Cisco Unified WLAN Architecture
- Lightweight Access Point Protocol (LWAPP) and WLAN controllers (WLC)
- Mobility
- QoS and multicast

Design and deployment guidelines for the Cisco Unified WLAN Architecture
- Campus
- Branch office

What You Should Already Know

- Cisco networking basics (routing and switching)
- Campus network design concepts
- 802.11 WLAN fundamentals
- RF basics
- WLAN security

What We Won't Cover

- Autonomous access points and WLSE
- WLAN security in depth
- RF security (rogue AP detection, W-IDS)
- Wireless Control System (WCS)
- Location-based services
- Roadmap
- LWAPP basics (touched on only briefly)
- Outdoor (bridging and mesh)
- Marketing pitch

Session Agenda

Understanding the Cisco Unified Wireless Architecture
- Lightweight Access Point Protocol
- Understanding Mobility
- Understanding QoS and Multicast

Deploying the Cisco Unified Wireless Architecture
- Connecting Controllers and APs to Networks
- Campus WLAN Controller Designs
- Branch Office WLAN Controller Designs
- Migration from Autonomous APs to the Controller-based Architecture

Cisco's Evolving Wireless Technology

Wireless Connectivity (2000 - present):
- Voice support
- Best-in-class range/throughput
- Enterprise-class security
- Capital efficiency

Centralized WLAN Systems (2003 - present):
- Centralized management and control
- Layer 2/3 mobility
- Wireless IDS/IPS
- Hierarchical approach for scalability

Unified Wired+Wireless (2005 - future):
- Integrated and unified security (AAA, NAC, SDN, IDS/IPS, etc.)
- Exploding number of Wi-Fi clients (laptops, dual-mode PCS phones, video PDAs)
- Higher-capacity, higher-density WLANs (pico cells)
- Unified wired+wireless support for applications (voice/video, location services, AAA)
- Extending networking outdoors (mesh, outdoor AP, etc.)
- Enterprise scale and reliability

Wireless LAN Mobility Services

Security:
- Automatic, 24 x 7 network access control based on user location
- Security and compliance monitoring for breaches via the wireless medium

Guest:
- Guest networks for customers, partners and auditors
- Vendor replenishment
- Public access networks

Voice:
- Real-time mobile voice response via mobile unified communications
- Improved collaboration
- Faster customer service

Location:
- Asset management using historical location data
- Location-based content distribution
- Streamlined workflow

All of these ride on a pervasive wireless network.

LWAPP Overview


Section Agenda

"However beautiful the strategy, you should occasionally look at the results." Winston Churchill

- Quick Facts
- LWAPP Join
- Wireless LAN Controller Basics
- Centralized vs Local Switching
- Mobility
- Location
- WCS Fundamentals
- Data Delivery: Unicast/Multicast, TCP/UDP

Quick Facts

WLC:
- IPv4/IPv6
- Multicast/QoS
- More than 5000 clients
- 512 VLAN support
- Beyond 150 access points
- 24 WLCs per mobility group, 72 WLCs with mobility lists
- 500 rogues
- Radio Resource Management
- Per-WLAN DTIM support

WCS:
- Windows 2003/Linux
- 3000 access points
- 40,000 events
- Network-wide search capability

Location:
- RSSI and TDOA methods
- 10,000 devices
- Open API
- Multi-vendor RFID support

WCS Navigator:
- 20 WCS managers
- 30,000 access points

Section Agenda

- Controller-based Architecture Overview
- Lightweight Access Point Protocol (LWAPP): protocol overview, LWAPP AP discovery and join process, LWAPP operations
- Mobility in the Cisco Unified WLAN Architecture
- QoS implementation in LWAPP
- Multicast behavior in LWAPP
- Architecture Building Blocks

The LWAPP Join: State Machine (Simplified)

LWAPP defines a state machine that governs AP and controller behavior. Major states:
- Discovery: the AP looks for a controller
- Join: the AP attempts to establish a secured relationship with a controller
- Image Data: the AP downloads code from the controller
- Config: the AP receives its configuration from the controller
- Run: AP and controller operate normally and service data
- Reset: the AP clears its state and starts over

Note: the LWAPP/CAPWAP RFCs define other states.

Central Switching vs Local Switching

- Hybrid REAP: devices that require local connectivity are locally switched onto the local VLAN at the AP
- Normal LWAPP/CAPWAP data flow: all other traffic is centrally switched through the LWAPP tunnel to the controller

[Figure: an H-REAP access point with a locally switched local VLAN, and an LWAPP tunnel carrying the centrally switched traffic (data VLAN, management VLAN, voice VLAN) to the controller]


Mobility Defined

- Mobility is the killer app for WLANs
- Mobility: the end-user device is portable but still capable of being connected to networked resources
- Roaming occurs when a wireless client moves its association from one AP and re-associates to another
- Mobility/roaming presents new challenges: the architecture must scale to support client roaming, and client roaming must be fast and preserve security, QoS, etc.

How Clients Connect

[Figure: a lightweight access point connected over an LWAPP tunnel (control messages and data encapsulation) across the switched/routed wired network to the wireless LAN controller]

- The AP handles real-time 802.11 control and management
- Non-real-time 802.11 functions are handled at the controller, including association/re-association
- The controller is the 802.1X authenticator
- The controller centrally stores the client's QoS and security context
- The controller is the ingress/egress point from/to the upstream switched/routed wired network (802.1Q trunk)
- 802.11 data frames are encrypted/decrypted at the RF interface, i.e. at the AP
- Action frames are management frames as defined by 802.11

Scaling the Architecture with Mobility Groups

- Controllers peer to support seamless campus roaming
- APs learn the IPs of the other members of the mobility group after the LWAPP join process
- Support for up to 24 controllers and 3600 APs per mobility group
- Mobility messages are exchanged between controllers
- Data is tunneled between controllers in EtherIP (RFC 3378)

Scaling the Architecture with Mobility List Members

- Mobility lists allow controllers to peer with controllers outside their mobility group, to support seamless roaming across mobility group boundaries
- Support for up to 72 controllers and 10,800 APs across mobility lists
- Multicast messages are exchanged between mobility groups

Intra-Controller Roaming

- An intra-controller roam happens when a client moves its association between APs joined to the same controller
- The client must be re-authenticated and a new security session established (fast secure roaming methods such as CCKM and PKC avoid the full re-authentication)
- The controller updates the client database entry with the new AP and the appropriate security context
- No IP address refresh is needed

Layer-2 Roaming: Inter-Controller

- A Layer-2 inter-controller roam happens when a client moves its association between APs joined to different controllers, but the client's traffic is bridged onto the same subnet
- The client must be re-authenticated and a new security session established
- The client database entry is moved to the new controller
- No IP address refresh is needed

Layer-3 Roaming: Inter-Controller

- A Layer-3 inter-controller roam happens when a client moves its association between APs joined to different controllers, and the client's traffic would be bridged onto a different subnet
- The client must be re-authenticated and a new security session established
- The client database entry is copied to the new controller
- The original controller is tagged as the anchor; the new controller is tagged as the foreign
- No IP address refresh is needed: the client keeps its address from the anchor subnet
- An asymmetric traffic path is established: the client's upstream traffic leaves the network through the foreign controller, while downstream traffic arrives at the anchor and is tunneled to the foreign controller

Layer-3 Roaming: Symmetric Mobility (4.1)

- With symmetric mobility tunneling, the foreign controller sends a Layer-3-roamed client's packets back to its anchor controller through the EtherIP tunnel
- The source IP address of the tunnel packet is the foreign controller's management IP address
- Because the client's traffic re-enters the wired network on its home subnet at the anchor, upstream routers that perform Reverse Path Forwarding (RPF) checks forward the packets instead of dropping them (with asymmetric tunneling, the client's anchor-subnet source address appears on the foreign subnet and fails the RPF check)
- Configurable option in software release 4.1
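The RPF interaction described on the last two slides, as an added example that is not part of the original deck: a strict unicast RPF check modelled in Python, applied to the packet a Layer-3-roamed client emits under asymmetric versus symmetric mobility tunneling. The addressing (anchor management 10.10.80.3 with client subnet 10.10.80.0/24, foreign management 10.10.90.3 with subnet 10.10.90.0/24, router interface names) is constructed for the example; the router model is a simplified one with two directly connected subnets.

```python
"""Why asymmetric Layer 3 roaming collides with strict uRPF, and why
symmetric mobility tunneling (4.1) does not. Constructed topology, not
from the original presentation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example.
ANCHOR_MGMT = ip_address("10.10.80.3")     # anchor WLC management address
FOREIGN_MGMT = ip_address("10.10.90.3")    # foreign WLC management address
CLIENT_IP = ip_address("10.10.80.77")      # address the client keeps across the roam
EXAMPLE_DST = ip_address("192.0.2.10")     # a server the client is talking to

# The upstream router's view: which interface each subnet lives behind.
ROUTES = {
    ip_network("10.10.80.0/24"): "Gi1/1",  # anchor controller's client VLAN
    ip_network("10.10.90.0/24"): "Gi1/2",  # foreign controller's VLAN
}
ANCHOR_IF = ROUTES[ip_network("10.10.80.0/24")]
FOREIGN_IF = ROUTES[ip_network("10.10.90.0/24")]


@dataclass
class Packet:
    src: object          # ipaddress address objects
    dst: object
    ingress: str         # router interface the packet arrived on
    via_tunnel: bool = False


def strict_urpf(pkt):
    """Strict unicast RPF: accept only if the route back to the source points
    out the interface the packet came in on (the anti-spoofing check)."""
    for prefix, iface in ROUTES.items():
        if pkt.src in prefix:
            return iface == pkt.ingress
    return False


def forward_asymmetric(client_src, dst):
    """Asymmetric mobility: the foreign WLC bridges the client's upstream
    traffic straight onto its own VLAN, so the router sees an anchor-subnet
    source address arriving on the foreign interface."""
    return Packet(src=client_src, dst=dst, ingress=FOREIGN_IF)


def forward_symmetric(client_src, dst):
    """Symmetric mobility tunneling: the foreign WLC wraps the client's packet
    in EtherIP sourced from its own management IP and sends it to the anchor,
    which unwraps it onto the client's home VLAN."""
    outer = Packet(src=FOREIGN_MGMT, dst=ANCHOR_MGMT, ingress=FOREIGN_IF, via_tunnel=True)
    if not strict_urpf(outer):          # the tunnel packet itself is RPF-clean
        raise RuntimeError("tunnel packet failed uRPF; check controller addressing")
    # After decapsulation at the anchor the inner packet enters on the home VLAN.
    return Packet(src=client_src, dst=dst, ingress=ANCHOR_IF, via_tunnel=True)


def router_accepts(pkt):
    """What the uRPF-enabled upstream router does with the client's packet."""
    return strict_urpf(pkt)


if __name__ == "__main__":
    print("asymmetric:", router_accepts(forward_asymmetric(CLIENT_IP, EXAMPLE_DST)))  # False
    print("symmetric: ", router_accepts(forward_symmetric(CLIENT_IP, EXAMPLE_DST)))   # True
```

The same mismatch that trips uRPF also trips stateful firewalls sitting between the foreign subnet and the rest of the network: under asymmetric tunneling they see only one direction of each flow, which is the "stateful security features" caveat raised later under design best practices.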

Roaming Requirements

Roaming must be fast. Latency can be introduced by:
- Client channel scanning and AP selection algorithms
- Re-authentication of the client device and re-keying
- Refreshing of the IP address

Roaming must maintain security:
- Open authentication, static WEP: the session simply continues on the new AP
- WPA/WPA2 Personal: a new session key for encryption is derived via the standard 4-way handshake
- 802.1X, 802.11i, WPA/WPA2 Enterprise: the client must be re-authenticated and a new session key derived for encryption

Fast Secure Roaming

- Client channel scanning and AP selection algorithms: improved via CCX features
- Refreshing of the IP address: irrelevant in the controller-based architecture, since the client keeps its address across roams
- Re-authentication of the client device and re-keying: addressed by Cisco Centralized Key Management (CCKM) and Proactive Key Caching (PKC)

Supporting Roaming: Design Best Practices and Caveats

- Minimize inter-controller roaming in your designs
- Design the network for 10 msec RTT latency between controllers
- Inter-controller Layer-2 roaming is more efficient than Layer-3 roaming
- Layer-3 roaming: consider the effects of things like RPF checks and stateful security features (a firewall that must see both directions of a flow) on the asymmetric path in your designs
- Use PKC and/or CCKM to speed up and secure roaming
- Client roaming behavior: mileage varies by vendor, driver and supplicant; look for the CCXv4 feature set


QoS Overview

- Ensures packets receive the proper QoS handling end-to-end
- Makes sure a packet maintains its QoS information as it traverses the network
- Policing of 802.11e UP / 802.1p and IP DSCP values ensures endpoints conform to network QoS policies
- Uses Cisco's AVVID packet marking mappings and IEEE mappings as appropriate
- Supported on Cisco 2000, 4100 and 4400 series WLAN controllers, the Wireless Services Module (WiSM) and the wireless LAN controller module
- Supported on Cisco Aironet 1000, 1130, 1200, 1230, 1240 and 1500 series lightweight access points
- Support for Cisco 7920/7921 and SpectraLink phones

QoS Description

- Support for Layer 3 IP Differentiated Services Code Point (DSCP) marking of packets
- WLAN data is tunneled between the AP and the WLAN controller via LWAPP
- To maintain the original QoS classification across this tunnel, the QoS settings of the encapsulated data packet must be appropriately mapped to the Layer 2 (802.1p) and Layer 3 (IP DSCP) fields of the outer tunnel packet

[Figure: the incoming frame's 802.1p UP and inner IP DSCP are mapped onto the 802.1p UP and IP DSCP of the outer LWAPP-encapsulated packet]

LWAPP QoS

[Figure: LWAPP tunnels between the AP and the WLC across an Ethernet switch. Over the air the frame carries its 802.11e UP and the payload's DSCP; inside the LWAPP tunnel the outer header carries 802.1p and DSCP derived from it; on the wired side of the WLC the original 802.1p/DSCP and payload are restored]

- Ensures that packets receive the proper QoS handling from end to end
- Policing of 802.11e UP / 802.1p and IP DSCP values ensures that wireless endpoints conform to network QoS policies
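The policing and marking behaviour described on the preceding three slides, as an added example that is not from the original deck: a simplified model of how a per-WLAN QoS profile caps what a client may mark, and how the policed class is copied into the outer LWAPP header so the wired network honours it. The UP/802.1p/DSCP tables follow Cisco's AVVID mapping as published in the Unified Wireless design guides of that era, but their exact values are an assumption here and should be verified against your controller release; the profile ceilings (Platinum UP 6, Gold 5, Silver 3, Bronze 1) are likewise assumed. Frames and packets are constructed records, not controller data structures, and the real controller's per-release behaviour differs in detail.

```python
"""Simplified model of WLAN QoS-profile policing across the LWAPP tunnel.
Mapping values are assumed (AVVID-derived); verify against your release."""
from dataclasses import dataclass

# 802.11e user priority -> DSCP carried in the outer LWAPP IP header (assumed).
UP_TO_DSCP = {7: 56, 6: 46, 5: 34, 4: 26, 3: 18, 2: 10, 1: 8, 0: 0}
# DSCP -> 802.1p used on the controller's 802.1Q trunk (assumed).
DSCP_TO_8021P = {56: 7, 48: 6, 46: 5, 34: 4, 26: 3, 18: 2, 10: 1, 8: 1, 0: 0}
# WLAN QoS profile -> highest 802.11e UP a client on that WLAN may use (assumed).
PROFILE_CEILING_UP = {"platinum": 6, "gold": 5, "silver": 3, "bronze": 1}


def dscp_to_up(dscp):
    """Inverse of UP_TO_DSCP: round an arbitrary DSCP down to the nearest mapped class."""
    for up, mapped in sorted(UP_TO_DSCP.items(), key=lambda kv: -kv[1]):
        if dscp >= mapped:
            return up
    return 0


@dataclass
class ClientFrame:
    """Upstream 802.11 data frame as the AP sees it after decryption."""
    up: int          # 802.11e/WMM user priority the client chose
    inner_dscp: int  # DSCP inside the client's IP packet


@dataclass
class LwappPacket:
    """Tunnel packet between AP and WLC."""
    outer_dscp: int
    inner_dscp: int
    up: int


def police_up(client_up, profile):
    """Clamp the client's 802.11e UP to the WLAN's QoS profile ceiling."""
    return min(client_up, PROFILE_CEILING_UP[profile])


def ap_encapsulate_upstream(frame, profile):
    """AP: police the UP, then copy the policed class into the outer DSCP so the
    LWAPP tunnel packet gets the right treatment between AP and WLC."""
    up = police_up(frame.up, profile)
    return LwappPacket(outer_dscp=UP_TO_DSCP[up], inner_dscp=frame.inner_dscp, up=up)


def wlc_decapsulate_to_trunk(pkt, profile):
    """WLC: strip the tunnel header and mark the 802.1Q trunk frame. The inner
    DSCP is also policed against the profile, so a client that marks EF on a
    silver WLAN does not get EF treatment on the wire."""
    ceiling_dscp = UP_TO_DSCP[PROFILE_CEILING_UP[profile]]
    wired_dscp = min(pkt.inner_dscp, ceiling_dscp)
    canonical = UP_TO_DSCP[dscp_to_up(wired_dscp)]
    return {"dscp": wired_dscp, "dot1p": DSCP_TO_8021P[canonical]}


def wlc_encapsulate_downstream(wired_dscp, profile):
    """WLC: classify the wired packet by its DSCP, cap it at the WLAN profile,
    and put the result in the outer LWAPP DSCP so the AP can pick the WMM queue."""
    up = police_up(dscp_to_up(wired_dscp), profile)
    return LwappPacket(outer_dscp=UP_TO_DSCP[up], inner_dscp=wired_dscp, up=up)


def ap_transmit_downstream(pkt):
    """AP: the outer DSCP decides the 802.11e UP (and so the WMM access
    category) used to send the frame over the air."""
    return dscp_to_up(pkt.outer_dscp)


if __name__ == "__main__":
    voice = ClientFrame(up=6, inner_dscp=46)
    print(ap_encapsulate_upstream(voice, "platinum"))   # outer DSCP 46, UP 6
    print(ap_encapsulate_upstream(voice, "silver"))     # clamped: outer DSCP 18, UP 3
    print(wlc_decapsulate_to_trunk(ap_encapsulate_upstream(voice, "silver"), "silver"))
    print(ap_transmit_downstream(wlc_encapsulate_downstream(46, "platinum")))  # 6
    print(ap_transmit_downstream(wlc_encapsulate_downstream(46, "bronze")))    # 1
```

The security point is the clamp in police_up and wlc_decapsulate_to_trunk: the profile is a ceiling enforced by the infrastructure, not a preference honoured from the client, so a client on a guest WLAN cannot mark its traffic EF and starve voice on the same AP or on the wired uplink.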

Quality of Service (QoS) Configurable Profiles

Each level has a configurable per-user bandwidth contract rate:
- Per-user data bandwidth contract: configurable peak and average data rate, enforced in the Network Processing Unit (NPU) for non-UDP traffic
- Per-user real-time bandwidth contract: configurable peak and average data rate, enforced in the NPU for UDP traffic

Quality of Service (QoS) Configurable Profiles (Cont.)

Each level has configurable air QoS rates:
- Maximum RF usage per AP (%): the maximum percentage of air bandwidth given to a user level
- Queue depth: the depth of the queue for a particular user level; packets in excess of the defined value are dropped

Controller > QoS Profiles > Edit

[Screenshot of the QoS profile edit page]

The 802.1p tag is applied on the wired side to allow the proper precedence to be applied to the traffic across the entire network infrastructure.

WLANs > Edit

[Screenshot of the per-WLAN QoS options and WMM options]

Configuring the Controller via the Web Interface

- For 7921 phone support, both the AP CAC limit and the client CAC limit are available as options
- WMM and the client CAC limit cannot be configured on the same WLAN

VoIP Phone Support

Configuration commands available from the command line. To view the Dot11-Phone Mode configuration:

(Cisco Controller) >show wlan 2
WLAN Identifier.................................. 2
Network Name (SSID).............................. WLAN2
Status........................................... Enabled
. . .
Quality of Service............................... Platinum (voice)
WMM.............................................. Required
802.11e.......................................... Disabled
Dot11-Phone Mode (7920).......................... ap-cac-limit
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Radio Policy..................................... 802.11B and 802.11G only
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... enabled
      Key Index:................................. 1
      Encryption:................................ 104-bit WEP

Note that this example WLAN is secured with Open System authentication and a static 104-bit WEP key. WEP is cryptographically broken; a production voice WLAN should use WPA/WPA2 (with CCKM or PKC for fast roaming) instead.


Multicast Delivery Method

Unicast mechanism:
- One multicast packet in from the wired network
- The controller sends a separate LWAPP unicast copy down each AP's tunnel (three LWAPP unicast packets out for three APs)

Multicast mechanism:
- One multicast packet in
- One LWAPP multicast packet out to the LWAPP multicast group
- The network replicates the packet as needed

Result:
- Improved multicast performance over wireless networks
- Multicast packet replication occurs only at points in the network where it is required, saving wired network bandwidth

Multicast Mode Selection

The multicast mode and the LWAPP multicast group address are configured on the controller's General page (Controller > General).

LWAPP Stationary Client

A stationary client, or a client that never roams away from the same wireless LAN controller.

IGMP join: the client sends an IGMP join, which travels through the access point to the wireless LAN controller (WLC). The WLC then forwards the IGMP join through the upstream switch to the PIM-enabled router.

IGMP leave: with a client that gracefully leaves the multicast group, the client sends an IGMP leave through the access point to the WLC. The WLC forwards this IGMP leave through the upstream switch to the PIM-enabled router. The PIM-enabled router then sends a group-specific query for other interested clients before pruning the group from the subnet.

LWAPP Stationary Client (Cont.)

Multicast source: if the client is the source of a multicast group, the traffic is flooded across all access points on the same controller. The multicast traffic is also forwarded upstream through the connected switch to the PIM-enabled router, which performs an RPF check before processing the packet further.

LWAPP Roaming Client: Layer 2

- IGMP join: the client sends an IGMP join, which travels through the access point to the wireless LAN controller (WLC). The WLC then forwards the IGMP join through the upstream switch to the PIM-enabled router.
- IGMP snooping: the switch creates a CAM entry for the specific multicast group toward controller 1. The snooping switch blocks multicast traffic toward all other ports.
- After a Layer 2 roam to an AP on another controller, a general IGMP query is sent from the new WLC to the client; the client's report lets the snooping switch learn the new port, allowing traffic to flow.
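The snooping behaviour on this slide, as an added example that is not part of the original deck: a minimal IGMP-snooping switch in front of two controllers, showing why the new controller has to send a general IGMP query to a client that just roamed to it. Group address, port names, client MAC and controller names are constructed; the switch model ignores snooping timers and assumes one client per controller port when handling a leave.

```python
"""IGMP snooping and a Layer 2 inter-controller roam, simplified.
Constructed example, not the controller's or switch's real code."""
from collections import defaultdict

GROUP = "239.1.1.1"                   # constructed multicast group
CLIENT = "00:11:22:33:44:55"          # constructed client MAC


class SnoopingSwitch:
    """Forwards a group only out ports on which it has seen an IGMP report,
    plus the port toward the PIM-enabled multicast router."""
    def __init__(self, router_port):
        self.router_port = router_port
        self.members = defaultdict(set)   # group -> set(ports)

    def igmp_report(self, group, port):
        self.members[group].add(port)

    def igmp_leave(self, group, port):
        # Simplification: one client per port, so a leave removes the port outright.
        self.members[group].discard(port)

    def forward_ports(self, group, ingress_port):
        """Ports that receive a copy of a frame for `group` arriving on ingress_port."""
        out = set(self.members[group]) | {self.router_port}
        out.discard(ingress_port)
        return out


class Controller:
    """Minimal WLC: a client table plus the switch port it hangs off.
    It forwards client IGMP messages upstream rather than snooping them."""
    def __init__(self, name, port, switch):
        self.name, self.port, self.switch = name, port, switch
        self.clients = {}   # mac -> set(groups the client has joined)

    def client_joins(self, mac, group):
        self.clients.setdefault(mac, set()).add(group)
        self.switch.igmp_report(group, self.port)      # switch learns this port

    def client_leaves(self, mac, group):
        self.clients.get(mac, set()).discard(group)
        self.switch.igmp_leave(group, self.port)

    def accept_roamed_client(self, mac, groups, send_query):
        """Layer 2 inter-controller roam: the client database entry moves here.
        Without a general query the switch still forwards the group only toward
        the old controller's port; with the query the client re-reports and the
        new port is learned."""
        self.clients[mac] = set(groups)
        if send_query:
            for g in groups:              # client answers the query with a report
                self.switch.igmp_report(g, self.port)


def multicast_reaches(switch, ctrl, group):
    """Does a packet for `group` arriving from the router reach controller ctrl?"""
    return ctrl.port in switch.forward_ports(group, switch.router_port)


def roam_scenario(send_query):
    """Client joins on wlc1, then roams at Layer 2 to an AP on wlc2."""
    sw = SnoopingSwitch(router_port="Gi0/24")
    wlc1 = Controller("wlc1", "Gi0/1", sw)
    wlc2 = Controller("wlc2", "Gi0/2", sw)
    wlc1.client_joins(CLIENT, GROUP)
    groups = wlc1.clients.pop(CLIENT)     # entry moves to the new controller
    wlc2.accept_roamed_client(CLIENT, groups, send_query)
    return multicast_reaches(sw, wlc2, GROUP)


if __name__ == "__main__":
    print("without query:", roam_scenario(send_query=False))   # False
    print("with query:   ", roam_scenario(send_query=True))    # True
```

The stale entry toward wlc1's port remains until the snooping switch's own query timer ages it out; the model leaves it in place deliberately, since that is also what the real switch does.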

LWAPP Layer 3 Roaming Client

Client roaming at Layer 3 with release 4.0.217:

- IGMP join/leave: both the initial join and the leave (if a graceful leave happens) are processed the same as any other join or leave. Once a client has roamed, neither the infrastructure nor the client is required to send a new join for traffic to follow (the original slide marks this point as an open question).
- Multicast source: if the roamed client is the source of a multicast group, the upstream router drops the packets, because the source address is received on the wrong interface (the RPF check fails).


Components of the Centralized Architecture

WLC: Cisco Unified Wireless LAN controllers aggregate WLAN client traffic and control the wireless network.

APs: lightweight access points are used in all unified wireless architectures; they provide client wireless access and tunnel traffic to the WLC.

WCS: the Cisco Wireless Control System provides centralized management, RF planning and visualization tools, and location services.

Cisco Compatible Extensions: The Standard for Client Advancement

Over 90% of client devices are Cisco Compatible.

Features:
- Assured compatibility with 400+ devices
- Standards-based
- Enhanced security, mobility and performance
- Supports mobility services, i.e. location and voice

Benefits:
- Accelerates innovation
- Supports diverse enterprise applications
- Ensures multi-vendor interoperability
- Enables simplified deployment of mobile WLAN clients

http://www.cisco.com/go/ciscocompatible/wireless

Single Client for Uniform Security and Services: Cisco Secure Services Client (SSC)

Key features:
- 802.1X authentication for wired and wireless devices
- Windows XP/2000 support
- EAP: EAP-FAST, EAP-MD5, PEAP-MSCHAP, PEAP-GTC, EAP-TLS, EAP-TTLS, Cisco LEAP
- Encryption: WEP, dynamic WEP, TKIP, AES
- Standards: WPA and WPA2

Features:
- Unified wired and wireless client
- Support for industry standards
- Endpoint integrity
- Single sign-on capable
- Enabling of group policies
- Administrative control
- Centralized provisioning

Benefits:
- Reduces client software
- Simple, secure device connectivity
- Minimizes chances of network compromise from infected devices
- Reduces complexity
- Restricts unauthorized network access

Proven Platform for Mobile Access

Access points:
- Indoor: 1130AG, 1121BG
- Indoor rugged: 1240AG, 1250AGN, 1230AG
- Outdoor access points/bridges: 1500, 1400, 1300

Features:
- Industry's best range and throughput
- Enterprise-class security
- Many configuration options
- Simultaneous air monitoring and traffic delivery
- Wide-area networking for outdoor areas

Benefits:
- Zero-touch management
- No dedicated air monitors
- Supports all deployment scenarios (indoor and outdoor)
- From secure coverage to advanced services

Delivering Network Unification

Cisco Unified Wireless Network platforms by placement:
- Network core / distribution: Catalyst 3750G Integrated WLAN Controller, 4400 Wireless LAN Controller, Wireless Integrated Services Module (WiSM)
- Branch office / remote office: Wireless LAN Controller for ISR series routers, 2106 Wireless LAN Controller, Hybrid Remote Edge Access Points (H-REAP)

Attributes: intelligent access, ease of deployment, lower TCO, scalability, high availability, flexibility, investment protection.

Cisco Wireless Controller Family

Deployment size    Platform(s)
2 - 6 APs          Cisco 2106 (6 APs), ISR WLC module (6 APs), H-REAP
12 APs or more     Cisco 4402-12 (12 APs), ISR WLC module (8 - 12 APs)
25 APs or more     Cisco 4402-25 (25 APs), Cisco 3750G integrated controller (25 APs)
50 APs or more     Cisco 4402-50 (50 APs), Cisco 3750G integrated controller (50 APs)
100 APs or more    Cisco 4404 (100 APs)
Up to 300 APs      Cisco WiSM (300 APs)

Cisco Wireless Control System (WCS): World-Class Network Management

Features:
- Client troubleshooting (via CCX)
- Planning, configuration, monitoring, location, IDS/IPS and troubleshooting
- Hierarchical maps
- Intuitive GUI and templates
- Policy-based networking (QoS, security, RRM, etc.)

Benefits:
- Lower OPEX and CAPEX
- Better visibility and control of the air space
- Consolidates functionality into a single management system
- Determines location and voice readiness

802.11n: Yet Again Higher Rates

- Extends both 802.11a and 802.11g: both the 2.4 GHz and 5 GHz bands
- 64 new bit rates, up to 600 Mbps
- Entirely new radio using MIMO technology: current radios use a single Tx and Rx and implement Rx diversity; 11n uses multiple Tx and Rx simultaneously, combining multiple received signals to improve quality
- In working group balloting; sponsor ballot mid 2008, approval mid 2009*
- Draft-11n certification launched by the Wi-Fi Alliance (WFA) in June 2008; Cisco is in the WFA draft-11n test bed

*ALWAYS subject to change

Network Design Overview


Section Agenda

- Connecting Controllers and APs to Networks
- Controller Redundancy and AP Load Balancing
- Campus WLAN Controller Designs
- Branch Office WLAN Controller Designs
- Migrating from Autonomous APs to the Controller-based Architecture

Understanding WLAN Controllers: The WLAN Controller as a Network Device

[Figure: the WLAN controller terminating the LWAPP tunnel from the AP and bridging clients onto the data, management and voice VLANs]

- For wireless end-user devices, the controller is an 802.1Q bridge that takes traffic off the air and puts it on a VLAN
- From the perspective of the AP, the controller is an LWAPP tunnel endpoint with an IP address
- From the perspective of the network, it is a Layer-2 device connected via one or more 802.1Q trunk interfaces
- The AP connects to an access port; no concept of VLANs at the AP is necessary

Understanding WLAN Controllers: The WLAN Controller as a Network Device (Cont.)

Three important concepts to understand:
- Port: physical connection to a neighbor switch/router
- Interface: logical connection mapping to a VLAN on the neighbor switch/router. Interface types: management interface, AP-manager interface(s), dynamic interface(s), virtual interface, service interface
- WLAN: entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies and other wireless networking parameters

Initial Controller Configuration

Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
System Name [Cisco_44:36:c3]:
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (24 characters max): admin
Service Interface IP Address Configuration [none][DHCP]: <ENTER>
Enable Link Aggregation (LAG) [yes][NO]: no
Enter Port number : 1
Management Interface IP Address: 10.10.80.3
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.10.80.1
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 2]: 1
Management Interface DHCP Server IP Address: 10.10.80.1
AP Transport Mode [layer2][LAYER3]: layer3
AP Manager Interface IP Address: 10.10.80.4
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (10.10.80.1): <ENTER>
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: mobile-1
Enable Symmetric Mobility Tunneling: No
Network Name (SSID): secure-1
Allow Static IP Addresses [YES][no]: <ENTER>
Configure a RADIUS Server now? [YES][no]: <ENTER>
Enter the RADIUS Server's Address: 10.10.10.12
Enter the RADIUS Server's Port [1812]: <ENTER>
Enter the RADIUS Server's Secret: cisco
Enter Country Code (enter 'help' for a list of countries) [US]: <ENTER>
Enable 802.11b Network [YES][no]: <ENTER>
Enable 802.11a Network [YES][no]: <ENTER>
Enable 802.11g Network [YES][no]: <ENTER>
Enable Auto-RF [YES][no]: <ENTER>

The slide calls out four items in this transcript: the service port, the management port, the AP-manager port and the virtual gateway. The administrative password (admin) and RADIUS shared secret (cisco) are demonstration values; use strong, unique credentials for both in a real deployment, since the RADIUS secret protects the 802.1X authentication exchange between the controller and the AAA server. The virtual gateway address must be one that is not otherwise used or routed on your network; 1.1.1.1 was the customary choice at the time but is now a publicly routed address.

Initial Configuration Screen of WLC

[Screenshot of the controller's initial configuration screen]

Connecting the WLAN Controller to the Network

Options: link aggregation (LAG) or no LAG
- LAG is supported on the 440x, the WiSM and the Cisco 3750G integrated WLAN controller switch
- LAG is the only option for the WiSM and the Cisco 3750G integrated WLAN controller switch
- A 440x-based controller allows 48 APs per port in the absence of LAG; use multiple AP-manager interfaces to support more than 48 APs on the WLC without LAG. The LWAPP algorithm load-balances APs across the AP managers.
- LAG allows use of a single AP-manager interface by load-balancing traffic across an EtherChannel interface

Multiple AP Manager Interfaces


Link Aggregation: Single AP Manager Interface

- No EtherChannel mode negotiation (LACP, PAgP): set the EtherChannel mode to "on" on the neighboring switch ports
- Requires src-dst-ip load balancing for the switch EtherChannel; this is the default on the Catalyst 6500, but the default on the 3750 is src-mac
- Packets are forwarded out the same port they arrived on; the controller does not re-hash traffic across the bundle
- One LAG group per WLC is supported

Putting It All Together


Cisco WiSM Configuration

- Requires IOS 12.2(18)SXF8 or later, which in turn requires 512 MB memory and 128 MB flash
- The data ports (8 x 1 Gbps = 8 Gbps) and service ports (2 x 1 Gbps = 2 Gbps) are connected at the backplane; there are no physical connections at the front
- The service port is used for out-of-band (OOB) management and should be in a different VLAN
- LAG is mandatory for the Cisco WiSM, so make sure you create two separate port-channels, one per embedded controller

Section Agenda

- Connecting Controllers and APs to Networks
- Controller Redundancy and AP Load Balancing
- Design Considerations
- Migration from Autonomous APs to the Controller-based Architecture

Controller Redundancy and AP Load Balancing

The LWAPP discovery response includes the controller's sysName, controller type, controller AP capacity, current AP load, Master Controller status, AP-manager IP address(es) and the number of APs joined to each AP manager. Recall that the AP makes its join decision based on this information in the LWAPP discovery response:

1. If the AP has been previously configured with a primary, secondary and/or tertiary controller, the AP attempts to join these first (specified by controller sysName)
2. Attempt to join a WLAN controller configured as a Master controller
3. Attempt to join the WLAN controller with the greatest excess AP capacity, using its least-loaded AP manager

#1 and #3 allow for two approaches to controller redundancy and AP load balancing: deterministic (#1) and dynamic (#3).
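The join decision above, as an added example that is not from the original deck: a Python function that applies the three-step selection to a set of LWAPP discovery responses. The response records and their field names are constructed for the example (they are not LWAPP's on-the-wire element names), as are the controller names, capacities and AP-manager addresses.

```python
"""Controller selection from LWAPP discovery responses, as the slide
describes it. Constructed data; field names are this example's own."""
from dataclasses import dataclass, field


@dataclass
class ApManager:
    ip: str
    ap_count: int          # APs already joined through this AP-manager


@dataclass
class DiscoveryResponse:
    sys_name: str
    controller_type: str
    capacity: int          # licensed AP capacity
    load: int              # APs currently joined
    is_master: bool
    ap_managers: list = field(default_factory=list)

    @property
    def excess_capacity(self):
        return self.capacity - self.load


def least_loaded_manager(resp):
    """Step 3's tie-breaker inside a controller: the AP-manager with fewest APs."""
    return min(resp.ap_managers, key=lambda m: m.ap_count)


def choose_controller(responses, configured=()):
    """Return (controller, ap_manager) the AP will try to join, or None if no
    usable response was received. `configured` is the AP's primary, secondary,
    tertiary sysName list in priority order (deterministic redundancy)."""
    usable = [r for r in responses if r.excess_capacity > 0 and r.ap_managers]
    if not usable:
        return None
    by_name = {r.sys_name: r for r in usable}
    # 1. Statically configured controllers, in order. The match is on sysName,
    #    so a typo in the AP's primary setting silently falls through to step 2/3.
    for name in configured:
        if name in by_name:
            return by_name[name], least_loaded_manager(by_name[name])
    # 2. A controller flagged as Master (a full Master was already filtered out).
    masters = [r for r in usable if r.is_master]
    if masters:
        r = max(masters, key=lambda r: r.excess_capacity)
        return r, least_loaded_manager(r)
    # 3. Greatest excess capacity (dynamic load balancing).
    r = max(usable, key=lambda r: r.excess_capacity)
    return r, least_loaded_manager(r)


# Constructed discovery responses: two campus 4404s and a full 2106 marked Master.
RESPONSES = [
    DiscoveryResponse("wlc-campus-1", "4404", 100, 98, False,
                      [ApManager("10.10.80.4", 48), ApManager("10.10.80.5", 50)]),
    DiscoveryResponse("wlc-campus-2", "4404", 100, 60, False,
                      [ApManager("10.10.81.4", 30), ApManager("10.10.81.5", 30)]),
    DiscoveryResponse("wlc-lab", "2106", 6, 6, True, [ApManager("10.10.82.3", 6)]),
]


if __name__ == "__main__":
    print(choose_controller(RESPONSES))                                 # wlc-campus-2 via 10.10.81.4
    print(choose_controller(RESPONSES, configured=("wlc-campus-1",)))   # wlc-campus-1 via 10.10.80.4
```

Running it without a configured primary lands the AP on whichever controller happens to have the most spare capacity, which is the salt-and-pepper outcome the next slide warns about; naming the primary pins it, and that is the whole difference between dynamic and deterministic redundancy.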

Dynamic Redundancy
Rely on LWAPP to load-balance APs across controllers and populate APs with backup controllers Results in dynamic salt-andpepper design Design works better when controllers are clustered in a centralized design Pros:
Easy to deploy and configure less upfront work APs dynamically load-balance (though never perfectly)

Cons:
More inter-controller roaming Bigger operational challenges due to unpredictability Longer failover times No Fallback option in the event of controller failure

Ciscos general recommendation is:Only for Layer 2 Roaming Use deterministic redundancy instead of dynamic redundancy

Deterministic Redundancy
Administrator statically assigns APs a primary, secondary, and/or tertiary controller
  Assigned from the controller interface (per AP) or WCS (template-based)
Pros:
  Predictability: easier operational management
  More network stability
  More flexible and powerful redundancy design options
  Faster failover times
  Fallback option in the case of failover
Cons:
  More upfront planning and configuration
This is Cisco's recommended best practice!


Controller Redundancy Designs: N:1


Section Agenda
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Design Considerations
Migration from Autonomous APs to the Controller-based Architecture


First Question! Applications

What is the Network for?
Design for the needs of the applications
  Look at the protocols used
  Look at the minimum requirements of each
READ the Application Notes!


Design Verticals
Each site is unique
Healthcare Requirements
  Highest use of Multicast
  Critical Data over Voice
Retail
  Mixture of Carpet and Warehouse plus PCI Requirements
Enterprise
  Voice is the critical application
Manufacturing
  Worst Radio Environment
Many Others plus Hybrids of each



Campus WLAN Controller Options

Standalone appliance controller (440x appliance)
  Routed network exists on another platform
  Dot1Q trunk to switched/routed network
Integrated controller (Cisco 3750G Integrated WLAN Controller, WiSM)
  Routed network can exist on the same platform
  Layer 2 connection is internal
  Layer 2 or 3 connection to the routed network

Where to Place a WLAN Controller?

Distributed Designs
WiSM(s) or 440x WLAN controller(s) connected at the distribution layer
Controller redundancy
Key design considerations:
  Spanning tree
  HSRP/GLBP
  Traffic flow
  Load balancing
  Resiliency
  Access layer collapsed into distribution layer
  Access layer IP addressing
  Access layer features need to be implemented in the distribution layer
[Figure: distributed design topology showing WLAN client subnets (Layer 2), voice and data APs, access subnets, clients, and the mobility boundary]

Healthcare
Multicast is the number one protocol
Depending upon size: H-REAP or controller deployment
Clinic or remote office
Always under construction
Numerous non-802.11 radio devices: NEED for an RF policy over an 802.11 policy
[Figure: campus topology showing core, intranet, building DF / distribution layer, IDF first floor and IDF third floor]


Retail
PCI COMPLIANCE!!
Carpeted and warehouse environment
Use of small handheld equipment
H-REAP for less than 3 access points
Small controller with more access points
[Figure: headquarters connected over the Internet to a small store (H-REAP) and a large store (small controller)]

Enterprise Requirements
Voice is the essential application
Data for e-mail and other non-latency-sensitive applications
Video is on the rise.
[Figure: campus topology showing core, intranet/Internet, building DF / distribution layer, IDF first, third and fifth floors]


Manufacturing
Multipath-intensive environment
Can benefit from both indoor mesh and the standard central solution
H-REAP could be used for small solutions
Small controller with more access points
[Figure: headquarters connected over the Internet to a small manufacturing site and a large manufacturing site]


Distributed vs. Centralized Design

General recommendation is a Centralized Design
  Use integrated platform(s): WiSM for small/medium/large, Cisco 3750G Integrated WLAN Controller for small/medium
Choose the design that makes the most sense for you
  Current network and policies
  Future growth plans
Distributed designs may work well with existing networks


Branch Office Deployment: Hybrid REAP

Design Considerations:
  Supported on 1130 and 1240 AP platforms
  Allows bridging/tagging of traffic locally (local switching) by WLAN
  Allows simultaneous tunneling of traffic to the WLC (central switching) by WLAN
  Connected Mode: LWAPP control centralized
  Standalone Mode (WAN outage):
    Locally switched WLANs stay up
    Some lost functionality
  < 100 msecs latency between APs and WLC
  H-REAP APs should be connected to trunk ports; allow only the relevant, locally switched VLANs
  No optimization for:
    Fast, secure roaming (CCKM, PKC)
    Voice (no CAC or TSPEC support in standalone mode)

Sample HREAP Network


H-REAP WLAN Configuration
Configure the WLAN for H-REAP operation


H-REAP AP Configuration
Select a desired AP...


H-REAP AP Configuration (Cont.)
... and set it to H-REAP mode and enter VLAN info
Enable VLAN Support and enter the Native VLAN information


H-REAP AP Configuration (Cont.)
... and configure local VLAN tagging
Set the VLAN ID per locally switched WLAN
WLANs with LOCAL SWITCHING are not configurable


Branch Office WLAN Controller Options

Appliance controllers
  Cisco 2106: supports 6 APs
  Cisco 4402-12, 4402-24
Integrated controllers
  WLAN controller module (WLCM) for ISR
  Cisco 3750 Integrated WLAN Controller (support for 25, 50 APs)

Section Agenda
Connecting Controllers and APs to Networks
Controller Redundancy and AP Load Balancing
Design Considerations
Migration from Autonomous APs to the Controller-based Architecture


Upgrading Autonomous Access Points to LWAPP Mode

Basic AP upgrade process:
  Use the Cisco-provided upgrade tool to load the LWAPP Recovery IOS image onto the AP(s)
  AP joins a controller, downloads the full LWAPP IOS image
LWAPP IOS upgrade is supported on the following platforms:
  1120G series (802.11B/G)
  1200 series, including 1210, 1230 (802.11B/G and/or 2nd generation 802.11A radios: RM21A, RM22A)
  1130AG
  1240AG
  BR1310 (only AP mode is supported in LWAPP)
Only layer-3 LWAPP mode is supported
Roll-back to autonomous mode is supported



LWAPP Upgrade Requirements

Ensure the AP's hardware is supported
The AP is running IOS release 12.3(7)JA, or later
The controller is running 3.1, or later, and telnet is enabled:
  (WLC_CLI) >config network telnet enable
  or, in the WLC GUI, go to: Management | Telnet-SSH and enable Telnet
Each AP's information is input into a text file, one AP per line, in the following format:
  ap-ip-address,telnet-username,telnet-user-password,enable-password
  ap-ip-address,telnet-username,telnet-user-password,enable-password
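A validator for the AP list file in the format above, added here as an example (not part of the presentation or the Cisco upgrade tool). It checks each line before the tool is run and, because the file holds plaintext Telnet and enable passwords, checks that the file is not group- or world-readable; field names and sample values are assumptions.

```python
import csv
import io
import ipaddress
import os
import stat
from typing import Dict, List

# Field names follow the slide's format line; there is no header row in the file.
FIELDS = ("ap-ip-address", "telnet-username", "telnet-user-password", "enable-password")

def parse_ap_list(text: str) -> List[Dict[str, str]]:
    """Parse the upgrade tool's AP list: one AP per line, four comma-separated fields.
    Raises ValueError naming the offending line, so a bad entry is caught before the
    tool starts opening Telnet sessions to the APs."""
    entries: List[Dict[str, str]] = []
    seen = set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue                              # blank line
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        entry = dict(zip(FIELDS, (c.strip() for c in row)))
        try:
            ipaddress.IPv4Address(entry["ap-ip-address"])
        except ValueError:
            raise ValueError(f"line {lineno}: invalid AP IP address {entry['ap-ip-address']!r}") from None
        if entry["ap-ip-address"] in seen:
            raise ValueError(f"line {lineno}: duplicate AP {entry['ap-ip-address']}")
        if not all(entry.values()):
            raise ValueError(f"line {lineno}: empty username or password field")
        seen.add(entry["ap-ip-address"])
        entries.append(entry)
    return entries

def credentials_file_is_private(path: str) -> bool:
    """The list carries plaintext Telnet and enable passwords, so it should not be
    readable by group or others (POSIX mode bits; check this before running the tool)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

# Constructed sample list with two APs (addresses and credentials are made up).
SAMPLE_AP_LIST = """\
10.10.20.11,apadmin,ap-telnet-pw,ap-enable-pw
10.10.20.12,apadmin,other-telnet-pw,other-enable-pw
"""
```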


Using the LWAPP Upgrade Tool

AP upgrade tool:
  Point the Upgrade Tool to the AP csv text file
  Ensure the latest IOS LWAPP (JX) image is available via TFTP
  Telnet must be enabled on a WLC
  Make sure the time is correctly set
  APs with static IP addresses will rely on DNS to find WLCs across router hops
  1 to 5 APs may be upgraded simultaneously; their completion status bars are shown here
  AP upgrade process status
  Click for AP MAC and SSC output



Upgrading Autonomous Access Points to LWAPP Mode: Self-signed Certificates

LWAPP join process assumes X.509 certificates and factory-installed public/private keys
  All Cisco APs manufactured after July 18, 2005 have Manufacturing Installed Certificates (MIC)
  Cisco Aironet APs manufactured prior to July 18, 2005 do not have factory-installed public/private keys and certificates
Upgrade tool issues commands to the AP to have it generate an RSA key pair and a self-signed certificate (SSC), and installs the root CAs so that the AP can authenticate controllers
SSCs must be individually authorized on each controller
Upgrade tool extracts the public key and can install it on 1 controller. It also stores an AP MAC, public key tuple in a CSV file that can be imported into WCS and other controllers
http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html

Upgrading Autonomous Access Points to LWAPP Mode: Best Practices

Basic upgrade strategy:
  Deploy and validate controllers and WCS
  Plan an LWAPP discovery strategy so APs can discover controllers
  Test the process in a lab or on low-traffic, easy-to-troubleshoot APs to validate the procedure
  Do the migration during a change window and allow time for troubleshooting
  Save the CSV file(s) with the MAC/Public Key mappings even if you import them to WCS
  Migrate APs in logical blocks rather than en masse
Take caveats to co-existence into consideration
Evaluate tolerance for downtime

Upgrading Autonomous Access Points to LWAPP Mode: Planning the LWAPP Discovery Strategy
Options for discovery when upgrading autonomous access points to LWAPP:
  Local subnet broadcast of LWAPP discovery request
  Vendor-specific DHCP option 43
  DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain
  Console port priming commands (valid only with the LWAPP recovery IOS image)
  OTAP is not supported in the LWAPP recovery IOS image
Most autonomous Cisco Aironet APs are deployed with static IP addresses
  AP preserves static IP address, default gateway, sysName, DNS server and domain name during the upgrade process
Many Cisco customers have chosen to erase the AP configurations before upgrading and migrate to DHCP addresses instead of static IP addresses
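The DHCP option 43 discovery method above, worked through as an added example (not code from the presentation). It assumes the TLV layout Cisco documents for this option, which the slide does not spell out: sub-option type 0xF1, a one-byte length, then the controller management IPv4 addresses back to back; the controller addresses are constructed for the example.

```python
import ipaddress
from typing import List

# Cisco-documented vendor-specific sub-option for LWAPP controller discovery:
# type 0xF1, a one-byte length, then the WLC management IPv4 addresses back to back.
LWAPP_CONTROLLER_TLV = 0xF1

def encode_option43(controllers: List[str]) -> bytes:
    """Build the option 43 value that hands APs the list of controller addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:                  # one-byte length field: at most 63 addresses
        raise ValueError("too many controllers for a single TLV")
    return bytes([LWAPP_CONTROLLER_TLV, len(payload)]) + payload

def ios_option43_hex(opt: bytes) -> str:
    """Render the value as the dotted hex string used after 'option 43 hex' in an IOS
    DHCP pool (groups of four hex digits)."""
    h = opt.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))

def decode_option43(opt: bytes) -> List[str]:
    """Parse a received TLV back into controller addresses, rejecting malformed data
    instead of silently pointing APs at a truncated or garbage address."""
    if len(opt) < 2 or opt[0] != LWAPP_CONTROLLER_TLV:
        raise ValueError("not an LWAPP controller TLV")
    length = opt[1]
    payload = opt[2:2 + length]
    if len(payload) != length or length == 0 or length % 4:
        raise ValueError("TLV length is not a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]

# Constructed sample: two controller management addresses made up for this example.
SAMPLE_CONTROLLERS = ["10.126.126.2", "10.127.127.2"]

if __name__ == "__main__":
    print(ios_option43_hex(encode_option43(SAMPLE_CONTROLLERS)))
```

Decoding what the DHCP server actually hands out is a quick way to confirm the pool was typed correctly before APs are cut over.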

Upgrading Autonomous Access Points to LWAPP Mode: WLSM and WiSM Co-Existence

WLSM and WiSM can co-exist in the same 650x chassis (NOT RECOMMENDED)
Minimum software requirements:
  Supervisor 720: 12.2(18)SXF2
  WLSM: Version 1.4.1
  WiSM: 3.2.116.x
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a008073614c.shtml

Coexistence Between Autonomous Access Point and Controller-Based Architecture

No seamless roaming between architectures
No coordination between WLSE radio management (RM) and Cisco Unified Architecture RRM
  RM and RRM algorithms should account for contention
  Each architecture may report the other's APs as rogue
Consider network architectural impact and any necessary changes very carefully
  Upgraded APs should be connected to access ports instead of trunk ports
  May need to clean up and harvest old, unnecessary VLANs and IP subnets
  Plan out new IP addressing schemes for wireless clients and APs

AssureWave


AssureWave
HealthCare, Retail and Manufacturing
Full vertical application testing with partner equipment
Define pass/failure with details beyond standard software testing
Testing done in-house AND at partner facilities


EXAMPLE Vertical Test Bed
