Cisco Wireless LAN Controller

Agenda: WLC
• Introduction
• WLC Hardware appliance
• Cisco wireless controller features
• WLC & AP Selection Algorithm
• AP Deployment modes
• WLC & Lightweight AP initial config
• WLC GUI Overview
• Inter controller Roaming
• Anchor WLC
• Basic Troubleshooting of WLC
• Q&A

Introduction: Wireless LAN Controller

Sr No.  Wireless controller    2500 series       5500 series
1       Target deployments     Small or midsize  Midsize to large enterprise
2       Max Access Points      75                500
3       Max Client Support     1000              7000
4       Max Throughput         1 Gbps            8 Gbps
5       Max WLANs              16                512
6       Max VLANs              16                512
7       Max Power Consumption  80 W              125 W
8       QoS                    Yes               Yes

Introduction: Cisco 5500 Series Wireless LAN Controller
The Cisco® 5500 Series Wireless Controller is a highly scalable and flexible
platform that enables system-wide services for mission-critical wireless networking
in medium-sized to large enterprises and campus environments. Designed for
802.11ac and 802.11n performance and maximum scalability, the 5500 Series
offers enhanced uptime with:

● RF visibility and protection
● The ability to simultaneously manage up to 500 access points
● Superior performance for reliable streaming video and toll-quality voice
● Sub-second stateful failover of all access points and clients from the primary
to standby controller.

WLC Hardware appliance

Cisco Wireless controller features
• Scalability: Supports 12, 25, 50, 100, 250, or 500 access points for
business-critical wireless services at locations of all sizes
• High Performance: Wired speed, non-blocking performance for
802.11n and optimized for 802.11ac networks
• High Availability: An optional redundant power supply that helps to
ensure maximum availability.
• Mobility, Security and Management for IPv6 & Dual-Stack Clients:
  • Secure, reliable wireless connectivity and consistent end-user
  experience
  • Increased network availability through proactive blocking of known
  threats
  • Equips administrators for troubleshooting, planning, and client
  traceability from a common wired and wireless management system
• Comprehensive End-to-End Security: Offers Control and Provisioning
of Wireless Access Points (CAPWAP)-compliant DTLS encryption to
help ensure full-line-rate encryption between access points and
controllers across remote WAN/LAN links.

WLC & AP Selection Algorithm
Centralized Wireless LAN Architecture:
What Is CAPWAP?

• CAPWAP (Control and Provisioning of Wireless Access Points) is the
protocol used between APs and the WLAN controller.

• Wireless APs search for a controller by sending discovery request
messages. Upon receiving a discovery request, the controller replies
with a discovery response. At this point, the two devices establish a
secure connection using the Datagram Transport Layer Security (DTLS)
protocol to exchange CAPWAP control and data messages. Control
messages contain information and instructions related to WLAN
management, while data messages encapsulate forwarded
wireless frames.

WLC & AP Selection Algorithm
• CAPWAP Discovery Response contains important
information from the WLAN Controller:
  • Controller sysName, controller type, controller AP capacity,
  current AP load, “Master Controller” status, AP Manager IP
  address(es) and number of APs joined to the AP Manager

• AP selects a controller to join using the following
decision criteria to pick a controller from
candidate list:
1. Primary, secondary, and/or tertiary controller—configured on
AP, specified by the Controller sysName
2. Join “Master” controller
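
The two decision criteria above, applied to a candidate list of Discovery Responses and used to flag APs whose join is decided by "Master" status rather than a configured sysName. This is an added example, not Cisco code and not part of the original slides; it covers only the two criteria listed here, and the field names, AP names, controller names and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class DiscoveryResponse:
    # Fields taken from the Discovery Response items listed on the slide.
    sys_name: str
    ap_capacity: int
    ap_load: int
    is_master: bool
    ap_manager_ip: str

def select_controller(responses, primary=None, secondary=None, tertiary=None):
    """Return (response, reason) using the slide's two criteria, else (None, 'no-match')."""
    by_name = {}
    for r in responses:
        by_name.setdefault(r.sys_name, r)  # first response wins on a duplicate sysName
    # Criterion 1: controllers configured on the AP, matched by sysName, in order.
    for reason, name in (("primary", primary), ("secondary", secondary),
                         ("tertiary", tertiary)):
        if name and name in by_name:
            return by_name[name], reason
    # Criterion 2: a controller advertising "Master Controller" status.
    for r in responses:
        if r.is_master:
            return r, "master"
    return None, "no-match"

def aps_not_pinned(ap_configs, responses):
    """List (ap, joined sysName or None, reason) for APs not joined via a configured name."""
    flagged = []
    for ap_name, configured in ap_configs.items():
        chosen, reason = select_controller(responses, *configured)
        if reason in ("master", "no-match"):
            flagged.append((ap_name, chosen.sys_name if chosen else None, reason))
    return flagged

# Constructed sample data (documentation address range, hypothetical names).
SAMPLE_RESPONSES = [
    DiscoveryResponse("WLC-A", 500, 120, False, "192.0.2.10"),
    DiscoveryResponse("WLC-B", 75, 10, True, "192.0.2.20"),
]
SAMPLE_APS = {
    "ap-lobby": ("WLC-A", None, None),    # primary answers
    "ap-lab": ("WLC-X", "WLC-A", None),   # primary silent, secondary answers
    "ap-new": (None, None, None),         # nothing configured on the AP
}

if __name__ == "__main__":
    for row in aps_not_pinned(SAMPLE_APS, SAMPLE_RESPONSES):
        print(row)
```
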

AP Deployment Modes
• Unified Mode:
In local mode, an AP creates two CAPWAP tunnels to the WLC. One is for
management, the other is for data traffic. In local mode, all AP traffic goes
to the controller. APs are “lightweight,” which means that they cannot act
independently of a wireless LAN controller (WLC). The WLC manages the
AP configurations and firmware. The APs are “zero touch” deployed, and
individual configuration of APs is not necessary.

• Autonomous mode:
A Cisco autonomous access point runs on its own and is managed
individually.

• Monitor mode:
Monitor mode is a feature designed to allow specified LWAPP-enabled APs
to exclude themselves from handling data traffic between clients and the
infrastructure.

• Sniffer mode:
An LWAPP-enabled AP that operates in Sniffer mode functions as a sniffer and
captures and forwards all the packets on a particular channel to a remote
machine that runs AiroPeek. These packets contain information on timestamp,
signal strength, and packet size.

Flex Connect AP
• Flex Connect mode (previously known as Hybrid Remote Edge
Access Point or H-REAP) is a wireless solution for branch office and
remote office deployments. It enables customers to configure and
control access points in a branch or remote office from the corporate
office through a wide area network (WAN) link without deploying a
controller in each office. The Flex Connect access points can switch
client data traffic locally and perform client authentication locally when
their connection to the controller is lost. When they are connected to the
controller, they can also send traffic back to the controller.

AP Operation Mechanism
Central Authentication Central Switching:

With central authentication and central switching, the controller is
responsible for client authentications, associations, and bridging the client
traffic to the network. Central authentication with central switching is valid
only when the AP is in connected mode.
When the AP changes to standalone mode, all clients are disconnected
from the WLAN and no new clients are allowed on that WLAN until
LWAPP/CAPWAP communications with the controller are restored and the
AP returns to connected mode.

Central Authentication Local Switching:

With central authentication local switching, the controller is responsible for
the client authentication and associations, but the AP directly bridges client
traffic to the local network. Web authentication is a good example of this.
The guest users are redirected to the web auth page on the controller, pass
authentication, and then the AP bridges the traffic to the local VLAN.
Central authentication local switching is valid only when the AP is in
connected mode.

AP Operation Mechanism (cont’d)
Local Authentication Local Switching:

Local authentication local switching means that the AP can handle
authentication configured on the WLAN. An example would be open (no
authentication) or preshared key, such as WPA1-PSK and WPA2-PSK. The
AP directly bridges client traffic to the local network.
When the AP is in connected mode, the controller still handles the
authentications and associations. When the AP switches to standalone
mode, the responsibility of authentication and association is transferred to
the AP. Local authentication local switching is valid only when the AP is in
standalone mode.

WLC and Lightweight AP Configuration

These are the basic steps to getting the controller and APs online:

• Have a DHCP server present so that the APs can acquire a network
address.
• Configure the WLC for basic operation.
• Configure the switch for the WLC.
• Configure the switch for the APs.
• Register the lightweight APs to the WLCs.

Configuration Example
• We will use this sample topology to walk through the basic steps of
getting the controller and APs online.

WLAN Controller Web Login

https://<ip-addr>

Tabs:
• WLANs: Provides WLAN configurations such as SSIDs and security
policies for all user groups
• WIRELESS: Provides access point configurations, clients management,
and various RF settings
• MANAGEMENT: Provides integration into the network such as IP
addressing and SNMP
• MONITOR: Provides a view of this controller, its access points, and
wireless clients
• CONTROLLER: Provides controller-wide configurations such as DHCP
Configuration and mobility settings
• SECURITY: Provides integration into security structure such as RADIUS
connectivity
• COMMANDS: Provides administrative options such as upgrades and
backups

Monitor > Summary

WLC : Monitor > Statistics > Ports

WLC : Monitor > Ports > View Stats

WLANs

WLANs > Edit

Interfaces > Edit

Wireless > All APs > AP Detail (Cont.)

Management

Commands

Intra-Controller Roaming
An intra-controller roam happens when a client moves association
between APs joined to the same controller.

• Client must be re-authenticated and new security session
established.
• Controller updates client database entry with new AP and
appropriate security context.
• No IP address refresh needed.

Anchor WLC Overview
A WLC is located in the enterprise DMZ where it performs an "anchor" function. This
anchor controller is responsible for terminating EoIP tunnels that originate from
other campus WLCs throughout the network. These "foreign" controllers are
responsible for termination, management, and standard operation of the various
WLANs provisioned throughout the enterprise, including one or more guest WLANs.
Guest WLANs, instead of being switched locally to a corresponding VLAN, are
transported via an EoIP tunnel to the anchor controller. Specifically, guest
WLAN data frames are encapsulated using CAPWAP from the AP to the foreign
controller and then encapsulated in EoIP from the foreign WLC to a guest VLAN
defined on the anchor WLC. In this way, guest user traffic is forwarded to the
Internet transparently, with no visibility by, or interaction with, other traffic in the
enterprise.

Basic Troubleshooting of WLC
• show sysinfo
To display high-level Cisco wireless LAN controller information, use the show
sysinfo command.

• show ap join stats summary
To display the last join error detail for a specific access point, use the show ap join
stats summary command.

• show ap summary
To display a summary of all lightweight access points attached to the controller, use
the show ap summary command.

• show ap wlan
To display the Basic Service Set Identifier (BSSID) value for each WLAN defined on
an access point, use the show ap wlan command.

• show boot
To display the primary and backup software build numbers with an indication of
which is active, use the show boot command.

Basic Troubleshooting of WLC
• show client summary
To display a summary of clients associated with a Cisco lightweight access point,
use the show client summary command.

• show cpu
To display current WLAN controller CPU usage information, use the show
cpu command.
show cpu

• show license capacity
To display the maximum number of access points allowed for this license on the
Cisco 5500 Series Controller, the number of access points currently joined to the
controller, and the number of access points that can still join the controller, use
the show license capacity command.

Q&A

Thank You
