brkagg-2010


Post on 14-Apr-2018


  • 7/29/2019 brkagg-2010

    1/98

    2009 Cisco Systems, Inc. All rights reserved. Cisco Public

    Design and Deployment of Enterprise WLANs

    BRKAGG-2010


  • Slide 3/98

    What You Will Learn

    Theory of operations of the Cisco Unified WLAN Architecture
      Lightweight Access Point Protocol (LWAPP)
      WLAN controllers (WLC)
      Mobility
      QoS and Multicast

    Design and deployment guidelines for the Cisco Unified WLAN Architecture
      Campus
      Branch office

  • Slide 4/98

    What You Should Already Know

    Cisco networking basics (routing and switching)

    Campus network design concepts

    802.11 WLAN fundamentals

    RF basics

    WLAN security

  • Slide 5/98

    What We Won't Cover

    Autonomous access points and WLSE
    WLAN security in depth
    RF security (rogue AP detection, W-IDS)
    Wireless Control System (WCS)
    Location-based services
    Outdoor (bridging and mesh)
    Marketing pitch
    Roadmap
    LWAPP Basics (touch)

  • Slide 6/98

    Session Agenda

    Understanding the Cisco Unified Wireless Architecture
      Lightweight Access Point Protocol
      Understanding Mobility
      Understanding QoS and Multicast

    Deploying the Cisco Unified Wireless Architecture
      Connecting Controllers and APs to Networks
      Campus WLAN Controller Designs
      Branch Office WLAN Controller Designs
      Migration from Autonomous APs to the Controller-based Architecture

  • Slide 7/98

    Cisco's Evolving Wireless Technology

    [Figure: timeline of three generations; the grouping below is reconstructed from the slide labels]

    Wireless Connectivity (2000 - Present)
      Best in Class Range/Throughput
      Enterprise-Class Security
      Capital Efficiency

    Centralized WLAN Systems (2003 - Present)
      Enterprise Scale and Reliability
      Centralized Management and Control
      Layer 2/3 Mobility
      Wireless IDS/IPS
      Hierarchical Approach for Scalability
      Voice Support

    Unified Wired+Wireless (2005 - Future)
      Integrated and Unified Security (AAA, NAC, SDN, IDS/IPS, etc.)
      Exploding Number of Wi-Fi Clients (Laptops, Dual-Mode PCS Phones, Video PDAs)
      Higher-Capacity, Higher-Density WLANs (PicoCells)
      Unified Wired+Wireless Support for Applications (Voice/Video, Location Services, AAA)
      Extending Networking Outdoors (Mesh, Outdoor AP, etc.)

  • Slide 8/98

    Wireless LAN Mobility Services

    [Figure: four service pillars (Security, Guest, Voice, Location) standing on a Pervasive Wireless Network; the grouping below is reconstructed from the slide labels]

    Guest
      Guest networks for customers, partners and auditors
      Vendor replenishment networks
      Public access networks

    Security
      Automatic, 24 x 7 security and compliance monitoring for breaches via wireless medium
      Network access control based on user location

    Location
      Asset management
      Location-based content distribution
      Streamlined workflow using historical location data

    Voice
      Real-time mobile voice communications
      Improved collaboration via mobile unified communications
      Faster customer service response

    Pervasive Wireless Network

  • Slide 9/98

    LWAPP Overview

  • Slide 10/98

    Section Agenda

    Quick Facts
    LWAPP Join
    Wireless LAN Controller Basics
    Centralized vs Local Switching
    Mobility
    Location
    WCS Fundamentals
    Data Delivery
      Unicast/Multicast
      TCP/UDP

    "However beautiful the strategy, you should occasionally look at the results." (Winston Churchill)

  • Slide 11/98

    Quick Facts

    WCS
      Windows 2003/Linux
      3000 Access-Points
      40,000 Events

    WCS Navigator
      20 WCS Managers
      30,000 Access-Points
      Network Wide Search Capability

    WLC
      IPv4/IPv6
      Multicast/QoS
      More than 5000 Clients
      512 VLAN Support
      Beyond 150 Access-Points
      24 WLCs per Mobility Group
      72 WLCs with Mobility Lists
      500 Rogues
      Radio Resource Management
      Per-WLAN DTIM Support

    Location
      RSSI and TDOA Methods
      10,000 devices
      Open API
      Multi-Vendor RFID support

  • Slide 12/98

    Section Agenda

    Controller-based Architecture Overview
    Lightweight Access Point Protocol (LWAPP)
      Protocol Overview
      LWAPP AP Discovery and Join Process
      LWAPP Operations
    Mobility in the Cisco Unified WLAN Architecture
    QoS implementation in LWAPP
    Multicast behavior in LWAPP
    Architecture Building Blocks

  • Slide 13/98

    The LWAPP Join State Machine (Simplified)

    LWAPP defines a state machine that governs the AP and controller behavior

    Major states:
      Discovery: AP looks for a controller
      Join: AP attempts to establish a secured relationship with a controller
      Image Data: AP downloads code from controller
      Config: AP receives configuration from controller
      Run: AP and controller operate normally and service data
      Reset: AP clears state and starts over

    Note: the LWAPP/CAPWAP RFC defines other states
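    The simplified state machine above, modelled in Python as an added example (this is not code from the deck or from Cisco). The state names follow the slide; the event names, the rule that a freshly downloaded image sends the AP through Reset, and the keepalive-loss event are assumptions chosen for illustration. Transitions the slide does not define are rejected rather than silently accepted.

```python
# Added example, not Cisco code: a model of the simplified LWAPP join state
# machine from the slide. Event names are assumed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (current state, event) -> next state. "reset" is handled separately because
# the slide makes Reset reachable from every state.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("Discovery", "controller_found"): "Join",
    ("Join", "join_accepted"): "Image Data",      # secured relationship established
    ("Join", "join_rejected"): "Discovery",       # e.g. controller full or auth failed
    ("Image Data", "image_current"): "Config",    # AP already runs the controller's code
    ("Image Data", "image_downloaded"): "Reset",  # new code: AP clears state and restarts (assumed)
    ("Config", "config_applied"): "Run",
    ("Run", "keepalive_lost"): "Reset",           # controller unreachable (assumed event)
}


def valid_events(state: str) -> List[str]:
    """Events the model accepts in `state`, plus 'reset', which is legal everywhere."""
    return sorted(ev for (s, ev) in TRANSITIONS if s == state) + ["reset"]


@dataclass
class LwappAp:
    name: str
    state: str = "Discovery"
    history: List[str] = field(default_factory=list)

    def on_event(self, event: str) -> str:
        """Apply one event; raise ValueError on a transition the slide does not define."""
        if event == "reset":
            nxt = "Reset"
        elif (self.state, event) in TRANSITIONS:
            nxt = TRANSITIONS[(self.state, event)]
        else:
            raise ValueError(f"{self.name}: {event!r} not valid in state {self.state}")
        self.history.append(f"{self.state} --{event}--> {nxt}")
        self.state = nxt
        if nxt == "Reset":
            # Reset clears state and starts over, so the AP lands back in Discovery.
            self.history.append("Reset --cleared--> Discovery")
            self.state = "Discovery"
        return self.state


def run_join(events: List[str], name: str = "ap-1") -> LwappAp:
    """Drive a fresh AP through a list of events and return it."""
    ap = LwappAp(name)
    for ev in events:
        ap.on_event(ev)
    return ap


if __name__ == "__main__":
    ap = run_join(["controller_found", "join_accepted", "image_current", "config_applied"])
    print("\n".join(ap.history), "\nfinal state:", ap.state)
```

    The `history` list is the part worth keeping in a real tool: an AP that cycles Discovery, Join, Reset repeatedly is the symptom to look for when APs fail to join (certificate or time problems during Join, or a controller that is full), and the recorded transitions make that pattern visible.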

  • Slide 14/98

    Central Switching vs Local Switching

    [Figure: Hybrid REAP access point with an LWAPP tunnel to the controller; labels reconstructed from the slide]

    Hybrid REAP
      Devices that require local connectivity: locally switched (Local VLAN)
      Normal LWAPP/CAPWAP data flow: central switching of all other traffic through the LWAPP tunnel (Data VLAN, Voice VLAN, Management VLAN at the controller)

    Legend: Centrally Switched / Locally Switched

  • Slide 15/98

    Section Agenda

    Controller-based Architecture Overview
    Lightweight Access Point Protocol (LWAPP)
      Protocol Overview
      LWAPP AP Discovery and Join Process
      LWAPP Operations
    Mobility in the Cisco Unified WLAN Architecture
    QoS implementation in LWAPP
    Multicast behavior in LWAPP
    Architecture Building Blocks

  • Slide 16/98

    Mobility Defined

    Mobility is the killer app for WLANs
    Mobility: end-user device is portable but still capable of being connected to networked resources
    Roaming occurs when a wireless client moves association from one AP and re-associates to another
    Mobility/roaming presents new challenges:
      Architecture must scale to support client roaming
      Client roaming must be fast and preserve security, QoS, etc.

  • Slide 17/98

    How Clients Connect

    AP handles real-time 802.11 control and management
    Non-real-time 802.11 handled at controller, including association/re-association
    Controller is the 802.1X authenticator
    Controller centrally stores client QoS and security context
    802.11 data frames are encrypted/decrypted at the RF interface
    Action frames are management frames as defined by 802.11

    [Figure: Lightweight Access Point connected through the Switched/Routed Wired Network to the Wireless LAN Controller over an LWAPP Tunnel carrying Control Messages and Data Encapsulation; the controller is the ingress/egress point from/to the upstream switched/routed wired network (802.1Q trunk)]

  • Slide 18/98

    Scaling the Architecture with Mobility Groups

    Controllers peer to support seamless campus roaming
    APs learn the IPs of the other members of the mobility group after the LWAPP Join process
    Support for up to 24 controllers, 3600 APs per mobility group
    Mobility messages exchanged between controllers
    Data tunneled between controllers in EtherIP (RFC 3378)

  • Slide 19/98

    Scaling the Architecture with Mobility List Members

    Mobility Lists allow controllers to peer with controllers outside their mobility group, to support seamless roaming across mobility group boundaries
    Support for up to 72 controllers, 10,800 APs across mobility lists
    Multicast messages are exchanged between mobility groups

  • Slide 20/98

    Intra-Controller Roaming

    Intra-controller roam happens when a client moves association between APs joined to the same controller
    Client must be re-authenticated and new security session established
    Controller updates client database entry with new AP and appropriate security context
    No IP address refresh needed

  • Slide 21/98

    Layer-2 Roaming: Inter-Controller

    L2 inter-controller roam happens when a client moves association between APs joined to different controllers, but client traffic is bridged onto the same subnet
    Client must be re-authenticated and new security session established
    Client database entry moved to new controller
    No IP address refresh needed

  • Slide 22/98

    Layer-3 Roaming: Inter-Controller

    L3 inter-controller roam happens when a client moves association between APs joined to different controllers and client traffic is bridged onto a different subnet
    Client must be re-authenticated and new security session established
    Client database entry copied to new controller
    Original controller tagged as the anchor
    New controller tagged as the foreign
    No IP address refresh needed
    Asymmetric traffic path established

  • Slide 23/98

    Layer-3 Roaming: Symmetric Mobility (4.1)

    Foreign controllers will send Layer 3 roaming clients' packets back to their anchor controller through EtherIP tunneling
    Source IP address of the packet will be the foreign controller's management IP address
    Upstream routers that have Reverse Path Forwarding (RPF) will forward on packets
    Configurable option in software release 4.1

  • Slide 24/98

    Roaming Requirements

    Roaming must be fast. Latency can be introduced by:
      Client channel scanning and AP selection algorithms
      Re-authentication of client device and re-keying
      Refreshing of IP address

    Roaming must maintain security
      Open auth, static WEP: session continues on new AP
      WPA/WPAv2 personal: new session key for encryption derived via standard handshakes
      802.1X, 802.11i, WPA/WPAv2 enterprise: client must be re-authenticated and new session key derived for encryption

  • Slide 25/98

    Fast Secure Roaming

    Client channel scanning and AP selection algorithms: improved via CCX features
    Refreshing of IP address: irrelevant in controller-based architecture!
    Re-authentication of client device and re-keying:
      Cisco centralized key management (CCKM)
      Proactive key caching (PKC)
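    An added example (not code from the deck or from Cisco) that applies slides 20 to 25 to one concrete roam. Given the controller each AP has joined and the subnet the WLAN is bridged onto there, it classifies the roam as intra-controller, L2 inter-controller or L3 inter-controller, names the anchor and foreign controllers, records what the security session does for the WLAN's security type, and flags the RPF caveat of the asymmetric path that symmetric mobility tunneling (4.1) removes. The `Ap` and `Roam` types, the security labels and the `fast_roam` parameter are this example's own assumptions.

```python
# Added example, not Cisco code: classify a client roam the way slides 20-25
# describe it. Types, labels and the fast_roam parameter are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ap:
    name: str
    controller: str   # controller this AP has joined
    subnet: str       # subnet the WLAN's client traffic is bridged onto at that controller


@dataclass
class Roam:
    kind: str                     # intra-controller, L2 inter-controller, L3 inter-controller
    db_entry: str                 # what happens to the client database entry
    rekey: str                    # what the security session does
    anchor: Optional[str] = None  # original controller (L3 roam only)
    foreign: Optional[str] = None # new controller (L3 roam only)
    tunnel: Optional[str] = None
    path: Optional[str] = None
    caveat: Optional[str] = None
    ip_refresh: bool = False      # never needed in the controller-based architecture


# Slide 24: what the security session does on a roam, per WLAN security type.
REKEY = {
    "open": "session continues on the new AP",
    "static-wep": "session continues on the new AP",
    "wpa-personal": "new session key derived via the standard 4-way handshake",
    "wpa-enterprise": "client re-authenticated via 802.1X and a new session key derived",
}


def classify_roam(old: Ap, new: Ap, security: str,
                  fast_roam: Optional[str] = None,
                  symmetric_tunneling: bool = False) -> Roam:
    """Classify a roam from `old` AP to `new` AP for a WLAN of the given security type."""
    rekey = REKEY[security]
    if security == "wpa-enterprise" and fast_roam in ("PKC", "CCKM"):
        # Slide 25: cached key material avoids the full 802.1X exchange.
        rekey = f"{fast_roam}: cached key material reused, no full 802.1X exchange"

    if old.controller == new.controller:
        return Roam("intra-controller",
                    "updated in place with the new AP and security context", rekey)
    if old.subnet == new.subnet:
        return Roam("L2 inter-controller", "moved to the new controller", rekey)

    roam = Roam("L3 inter-controller", "copied to the new controller", rekey,
                anchor=old.controller, foreign=new.controller,
                tunnel=f"EtherIP (RFC 3378) between {new.controller} and {old.controller}")
    if symmetric_tunneling:
        roam.path = "symmetric: foreign tunnels client traffic back to the anchor"
    else:
        roam.path = "asymmetric: client traffic leaves the foreign controller directly"
        roam.caveat = ("client source address belongs to the anchor subnet, so upstream "
                       "routers doing RPF checks or stateful inspection may drop it")
    return roam


if __name__ == "__main__":
    # Constructed topology: two controllers on one subnet, a third on another.
    ap1 = Ap("ap1", "WLC-1", "10.10.80.0/24")
    ap4 = Ap("ap4", "WLC-3", "10.10.90.0/24")
    print(classify_roam(ap1, ap4, "wpa-enterprise", fast_roam="PKC"))
```

    The `caveat` field is the design check from slide 26: if a roam comes out as L3 inter-controller with an asymmetric path, either keep the controllers on the same subnet for that WLAN, enable symmetric mobility tunneling, or make sure no RPF-checking router or stateful firewall sits between the foreign controller and the rest of the network.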

  • Slide 26/98

    Supporting Roaming: Design Best Practices and Caveats

    Minimize inter-controller roaming in your designs
    Design the network for 10 msec RTT latency between controllers
    Inter-controller layer-2 roaming is more efficient than layer-3 roaming
    Layer-3 roaming: consider the effects of things like RPF and stateful security features in your designs
    Use PKC and/or CCKM to speed up and secure roaming
    Client roaming behavior: mileage varies by vendor, driver, supplicant. Look for the CCXv4 feature-set

  • Slide 27/98

    Section Agenda

    Controller-based Architecture Overview
    Lightweight Access Point Protocol (LWAPP)
      Protocol Overview
      LWAPP AP Discovery and Join Process
      LWAPP Operations
    Mobility in the Cisco Unified WLAN Architecture
    QoS implementation in LWAPP
    Multicast behavior in LWAPP
    Architecture Building Blocks

  • Slide 28/98

    QoS Overview

    Ensures packets receive the proper QoS handling end-to-end
    Makes sure packet will maintain QoS information as it traverses the network
    Policing of 802.11e UP / 802.1p and IP DSCP values ensures end-points conform to network QoS policies
    Uses Cisco's AVVID packet marking mappings and IEEE mappings as appropriate
    Supported on Cisco 2000, 4100, and 4400 series WLAN controllers; wireless services module (WiSM); wireless LAN controller module
    Supported on Cisco Aironet 1000, 1130, 1200, 1230, 1240, and 1500 series lightweight access points
    Support for Cisco 7920/7921, Spectralink phones

  • Slide 29/98

    QoS Description

    Support for layer 3 IP differentiated services code point (DSCP) marking of packets
    WLAN data is tunneled between AP and WLAN controller via LWAPP
    To maintain the original QoS classification across this tunnel, the QoS settings of the encapsulated data packet must be appropriately mapped to the Layer 2 (802.1p) and Layer 3 (IP DSCP) fields of the outer tunnel packet.

    [Figure: the incoming (inner, LWAPP-encapsulated) packet's 802.1p UP and IP DSCP are mapped to the outer tunnel packet's 802.1p UP and IP DSCP]

  • Slide 30/98

    LWAPP QoS

    Ensures that packets receive the proper QoS handling from end to end
    Policing of 802.11e UP / 802.1p and IP DSCP values ensures that wireless endpoints conform to network QoS policies

    [Figure: AP, Ethernet switch and WLC joined by LWAPP tunnels, with four marking points numbered 1 to 4 along the path. Frame labels at the points, for both directions: "802.11e DSCP Payload" on the air; "DSCP Payload" inside the LWAPP encapsulation; "DSCP 802.1p DSCP Payload" on the wired segment]
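    An added example (not code from the deck or from Cisco) of the marking step slides 28 to 30 describe: the inner DSCP set by the wireless endpoint is policed against the WLAN's QoS profile ceiling, copied into the outer LWAPP header so the tunnel packet keeps its classification across the wired network, and turned into an 802.1p tag when the controller puts the client packet on the 802.1Q trunk. The per-profile ceilings are assumed values (the deck names Platinum/Gold/Silver/Bronze but not the numbers) and the DSCP-to-802.1p rule is the default precedence-bits mapping; both should be checked against the controller's configured QoS profiles.

```python
# Added example, not Cisco code. Models how the QoS marking of an encapsulated
# client packet is carried on the outer LWAPP packet and the wired trunk.
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed ceilings per WLAN QoS profile (numeric DSCP). The deck names the
# profiles but not the values: take the real ones from the controller config.
PROFILE_MAX_DSCP = {"platinum": 46, "gold": 34, "silver": 0, "bronze": 10}


@dataclass(frozen=True)
class ClientPacket:
    dscp: int        # inner IP DSCP as set by the wireless endpoint (0-63)
    up: int          # 802.11e user priority the frame carried on the air (0-7)
    payload: bytes


@dataclass(frozen=True)
class LwappPacket:
    outer_dscp: int   # DSCP of the tunnel packet's own IP header
    outer_dot1p: int  # 802.1p CoS on the wired segment carrying the tunnel
    inner: ClientPacket


def police_dscp(dscp: int, profile: str) -> int:
    """Policing: a client may mark below the WLAN profile's ceiling, never above it."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return min(dscp, PROFILE_MAX_DSCP[profile.lower()])


def dot1p_from_dscp(dscp: int) -> int:
    """802.1p CoS = the three IP-precedence bits of the DSCP (default switch mapping)."""
    return (dscp >> 3) & 0x7


def encapsulate(pkt: ClientPacket, profile: str) -> LwappPacket:
    """AP to WLC: the outer header mirrors the policed inner DSCP so the tunnel
    packet keeps the client's (allowed) classification across the wired network."""
    dscp = police_dscp(pkt.dscp, profile)
    return LwappPacket(outer_dscp=dscp, outer_dot1p=dot1p_from_dscp(dscp), inner=pkt)


def to_wired(pkt: LwappPacket, profile: str) -> Tuple[int, int]:
    """WLC to 802.1Q trunk: strip the LWAPP header, police the inner DSCP again
    and tag the frame with the matching 802.1p value. Returns (dscp, dot1p)."""
    dscp = police_dscp(pkt.inner.dscp, profile)
    return dscp, dot1p_from_dscp(dscp)


def trace(pkt: ClientPacket, profile: str) -> Dict[str, Tuple[int, int]]:
    """The (priority, dscp) pair seen at each stage of the slide's figure."""
    tunnel = encapsulate(pkt, profile)
    dscp, cos = to_wired(tunnel, profile)
    return {
        "air": (pkt.up, pkt.dscp),                        # 802.11e UP, inner DSCP
        "tunnel": (tunnel.outer_dot1p, tunnel.outer_dscp),  # outer 802.1p, outer DSCP
        "trunk": (cos, dscp),                             # 802.1p tag, client DSCP
    }


if __name__ == "__main__":
    voice = ClientPacket(dscp=46, up=6, payload=b"rtp")  # constructed voice packet
    for profile in ("platinum", "silver"):
        print(profile, trace(voice, profile))
```

    The two `trace` calls in the usage block show the policing point: the same EF-marked voice packet keeps DSCP 46 and CoS 5 on a Platinum WLAN but is remarked to best effort on a Silver WLAN, which is exactly what prevents a guest or data SSID from injecting voice-priority traffic into the wired QoS domain.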

  • Slide 31/98

    Quality of Service (QoS): Configurable Profiles

    Per-user data bandwidth contract: configurable peak and average data rate enforced in the Network Processing Unit (NPU) for non-UDP traffic
    Per-user real-time bandwidth contract: configurable peak and average data rate enforced in the NPU for UDP traffic
    Each level has a configurable per-user bandwidth contract rate

  • Slide 32/98

    Quality of Service (QoS): Configurable Profiles (Cont.)

    Maximum RF usage per AP (%): defined maximum percentage of air bandwidth given to a user level
    Queue depth: defined depth of queue for a particular user level that will cause packets in excess of the defined value to be dropped
    Each level has configurable air QoS rates
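    An added example (not Cisco's NPU code) of the per-user bandwidth contracts from slides 31 and 32: each user gets two contracts, one for non-UDP (data) and one for UDP (real-time) traffic, and each contract is a dual-rate token-bucket policer with an average and a peak rate. The rates, the burst tolerance and the `silver_user` values are assumptions; the arithmetic is integer-only (bits and microseconds) so the counts it returns are exact.

```python
# Added example, not Cisco code: per-user bandwidth contracts enforced with
# dual-rate token buckets. Integer arithmetic throughout (bits, microseconds).
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_bps: int
    depth_bits: int
    tokens: int = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.depth_bits  # start full: an idle user may burst

    def refill(self, now_us: int) -> None:
        earned = (now_us - self.last_us) * self.rate_bps // 1_000_000
        self.tokens = min(self.depth_bits, self.tokens + earned)
        self.last_us = now_us


@dataclass
class Contract:
    """One bandwidth contract: a packet conforms only if it fits both the average
    and the peak bucket; non-conforming packets are dropped without taking tokens."""
    average_bps: int
    peak_bps: int
    burst_us: int = 100_000  # assumed burst tolerance (100 ms worth of tokens)

    def __post_init__(self) -> None:
        self.avg = TokenBucket(self.average_bps, self.average_bps * self.burst_us // 1_000_000)
        self.peak = TokenBucket(self.peak_bps, self.peak_bps * self.burst_us // 1_000_000)

    def admit(self, now_us: int, bits: int) -> bool:
        self.avg.refill(now_us)
        self.peak.refill(now_us)
        if bits <= self.avg.tokens and bits <= self.peak.tokens:
            self.avg.tokens -= bits
            self.peak.tokens -= bits
            return True
        return False


@dataclass
class UserPolicer:
    data: Contract      # non-UDP traffic: the "data bandwidth contract"
    realtime: Contract  # UDP traffic: the "real-time bandwidth contract"

    def admit(self, now_us: int, proto: str, bits: int) -> bool:
        contract = self.realtime if proto.lower() == "udp" else self.data
        return contract.admit(now_us, bits)


def offered_load(policer: UserPolicer, proto: str, pkt_bits: int,
                 interval_us: int, count: int) -> int:
    """Send `count` packets of `pkt_bits` every `interval_us`; return how many conform."""
    return sum(policer.admit(i * interval_us, proto, pkt_bits) for i in range(count))


def silver_user() -> UserPolicer:
    """Assumed contract values for one profile level (not the deck's numbers)."""
    return UserPolicer(data=Contract(1_000_000, 2_000_000),
                       realtime=Contract(500_000, 1_000_000))


if __name__ == "__main__":
    user = silver_user()
    # 10 kbit packets every 2.5 ms = 4 Mb/s of TCP offered against a 1 Mb/s average.
    passed = offered_load(user, "tcp", 10_000, 2_500, 400)
    print(f"{passed} of 400 packets conformed in the first second")
```

    With the assumed values the first second admits the 100 ms burst plus roughly one packet in four afterwards, so a single user cannot hold more than the contracted share of the controller's uplink; because the UDP contract is a separate pair of buckets, a bulk TCP transfer by the same user never starves that user's voice stream.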

  • Slide 33/98

    Controller > QoS Profiles > Edit

    [Screenshot: Controller > QoS Profiles > Edit page]

    802.1p tag is applied to the wired side to allow proper precedence to be applied to traffic across the entire network infrastructure

  • Slide 34/98

    WLANs > Edit

    [Screenshot: WLANs > Edit page showing the WMM Options and QoS Options]

  • Slide 35/98

    Configuring Controller Web

    For 7921 phone support, both AP-CAC-Limit and client CAC-Limit are available as options
    WMM and client CAC limit cannot be configured in the same WLAN

  • Slide 36/98

    VoIP Phone Support: Configuration Commands Available from the Command Line

    To view Dot11-Phone Mode configuration:

    (Cisco Controller) >show wlan 2

    WLAN Identifier.................................. 2
    Network Name (SSID).............................. WLAN2
    Status........................................... Enabled
    .
    .
    .
    Quality of Service............................... Platinum (voice)
    WMM.............................................. Required
    802.11e.......................................... Disabled
    Dot11-Phone Mode (7920).......................... ap-cac-limit
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Radio Policy..................................... 802.11B and 802.1G only
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... enabled
          Key Index:...................................... 1
          Encryption:..................................... 104-bit WEP

  • Slide 37/98

    Section Agenda

    Controller-based Architecture Overview
    Lightweight Access Point Protocol (LWAPP)
      Protocol Overview
      LWAPP AP Discovery and Join Process
      LWAPP Operations
    Mobility in the Cisco Unified WLAN Architecture
    QoS implementation in LWAPP
    Multicast behavior in LWAPP
    Architecture Building Blocks

  • Slide 38/98

    Multicast Delivery Method

    Improved multicast performance over wireless networks
    Multicast packet replication occurs only at points in the network where it is required, saving wired network bandwidth

    [Figure: Unicast Mechanism vs Multicast Mechanism. Unicast: one multicast packet in, three LWAPP unicast packets out over the LWAPP tunnels. Multicast: one multicast packet in, one LWAPP multicast packet out to the multicast group; the network replicates the packet as needed]

  • Slide 39/98

    Multicast Mode Selection

    Multicast mode and multicast group configured on WLC general interface

  • Slide 40/98

    LWAPP Stationary Client
    (or a client that never roams from the same Wireless LAN Controller)

    IGMP join
      Client sends an IGMP Join, which travels through the access point to the Wireless LAN Controller (WLC). The WLC then forwards the IGMP join through the upstream switch to the PIM-enabled router.

    IGMP leave
      With a client who gracefully leaves the multicast group, the client will send an IGMP leave through the access point to the WLC. The WLC will forward this IGMP leave through the upstream switch to the PIM-enabled router. The PIM-enabled router will then send a group-specific query for other interested clients before pruning the group from the subnet.

    [Figure: IGMP messages and multicast traffic between the stationary client, the AP, the WLC and the upstream router]

  • Slide 41/98

    LWAPP Stationary Client
    (or a client that never roams from the same Wireless LAN Controller)

    Multicast source
      If the client is the source of a multicast group, the traffic will flood across all access points on the same controller. The multicast traffic will also be forwarded upstream through the connected switch to the PIM-enabled router. The PIM-enabled router will do an RPF check before processing the packet further.

    [Figure: multicast traffic from the stationary client flooded to the APs on the controller and forwarded upstream]

  • Slide 42/98

    LWAPP Roaming Client: Layer 2

    IGMP join
      Client sends an IGMP Join, which travels through the access point to the wireless LAN controller (WLC). The WLC then forwards the IGMP join through the upstream switch to the PIM-enabled router.

    IGMP snooping
      Switch CAM entry is created for the specific multicast group toward controller 1

    [Figure: after the layer-2 roam to controller 2, the IGMP snooping switch is blocking multicast traffic toward all other ports (X); a general IGMP query sent from the WLC to the client allows traffic to flow]
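    An added example (not Cisco code) that replays slides 40 to 42 with a small model: an IGMP-snooping switch with one port per WLC and one toward the PIM router, a client that joins a group through WLC-1, roams at layer 2 to WLC-2, and then leaves gracefully. The switch class, the port numbers, the client MAC and the group address are constructed for the example; the behaviour it demonstrates is the one the slide describes, that the roamed client receives nothing until the new WLC's general IGMP query makes it re-report.

```python
# Added example, not Cisco code: an IGMP-snooping switch between two WLCs and
# the PIM router, used to replay the layer-2 roam from the slide.
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class SnoopingSwitch:
    mrouter_port: int  # port toward the PIM-enabled router
    members: Dict[str, Set[int]] = field(default_factory=dict)  # group -> ports with a listener

    def on_report(self, port: int, group: str) -> None:
        """IGMP membership report seen on `port`: create or refresh the CAM entry."""
        self.members.setdefault(group, set()).add(port)

    def on_leave(self, port: int, group: str, other_listeners_on_port: bool) -> None:
        """IGMP leave: the router's group-specific query decides whether the port stays."""
        if not other_listeners_on_port:
            self.members.get(group, set()).discard(port)

    def forward(self, in_port: int, group: str) -> Set[int]:
        """Ports a multicast packet for `group` goes to: listeners plus the router port."""
        out = set(self.members.get(group, ())) | {self.mrouter_port}
        out.discard(in_port)
        return out


@dataclass
class Wlc:
    name: str
    port: int  # switch port this WLC hangs off
    clients: Dict[str, Set[str]] = field(default_factory=dict)  # client MAC -> joined groups

    def general_query(self, switch: SnoopingSwitch) -> None:
        """A general IGMP query to this WLC's clients makes each one re-report its
        groups; the WLC forwards the reports upstream, so the switch snoops them
        on this WLC's port."""
        for groups in self.clients.values():
            for g in groups:
                switch.on_report(self.port, g)


def l2_roam_scenario(wlc_sends_general_query: bool) -> Dict[str, bool]:
    """Replay the slides: join via WLC-1, roam to WLC-2, optional query, then leave.
    Each value says whether multicast from the router reaches the client's WLC."""
    sw = SnoopingSwitch(mrouter_port=3)
    wlc1, wlc2 = Wlc("WLC-1", port=1), Wlc("WLC-2", port=2)
    client, group = "00:11:22:33:44:55", "239.1.1.1"  # constructed values

    # Stationary client joins through WLC-1; the switch snoops the forwarded report.
    wlc1.clients[client] = {group}
    sw.on_report(wlc1.port, group)
    before = wlc1.port in sw.forward(sw.mrouter_port, group)

    # Layer-2 roam: the client entry moves to WLC-2, but the switch CAM entry
    # still points only at port 1, so traffic from the router never reaches port 2.
    wlc2.clients[client] = wlc1.clients.pop(client)
    after_roam = wlc2.port in sw.forward(sw.mrouter_port, group)

    # The fix from the slide: WLC-2 queries the roamed client; its re-report is
    # snooped on port 2 and the switch starts forwarding there as well. The stale
    # port-1 entry stays until the router's periodic general query ages it out.
    if wlc_sends_general_query:
        wlc2.general_query(sw)
    after_query = wlc2.port in sw.forward(sw.mrouter_port, group)

    # Graceful leave via WLC-2: the router's group-specific query finds no other
    # listener on that port, so the entry is pruned.
    wlc2.clients[client].discard(group)
    sw.on_leave(wlc2.port, group, other_listeners_on_port=False)
    after_leave = wlc2.port in sw.forward(sw.mrouter_port, group)

    return {"before_roam": before, "after_roam": after_roam,
            "after_query": after_query, "after_leave": after_leave}


if __name__ == "__main__":
    print("without query:", l2_roam_scenario(False))
    print("with query:   ", l2_roam_scenario(True))
```

    When troubleshooting a multicast stream that dies after a roam, the model points at the two things to check on the real gear: whether the snooping switch has a CAM entry for the group on the new controller's port, and whether the controller is sending the general query that would create one.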

  • Slide 43/98

    LWAPP Layer 3 Roaming Client
    (client roaming at layer 3 with 4.0.217)

    IGMP join/leave
      Both the initial join and leave (if a graceful leave happens) will be processed the same as any other join or leave. Once a client has roamed, neither the infrastructure nor the client is required to send a new join to verify traffic follows.

    Multicast source
      Client that is the source of the multicast group: the upstream router will drop the packet, as the source address was received on the wrong interface.

    [Figure: multicast traffic after the layer-3 roam; the figure marks the uncertain delivery path with "??" and "No Audio", and the dropped source packet with an X]

  • Slide 44/98

    Section Agenda

    Controller-based Architecture Overview
    Lightweight Access Point Protocol (LWAPP)
      Protocol Overview
      LWAPP AP Discovery and Join Process
      LWAPP Operations
    Mobility in the Cisco Unified WLAN Architecture
    QoS implementation in LWAPP
    Multicast behavior in LWAPP
    Architecture Building Blocks

  • Slide 45/98

    Components of Centralized Architecture

    WLC
      Cisco Unified Wireless LAN controllers aggregate WLAN client traffic and control the wireless network
    APs
      Lightweight access points are used in all unified wireless architectures and provide client wireless access and tunneling to the WLC
    WCS
      Cisco Wireless Control System provides centralized management, RF planning and visualization tools, and location services

  • Slide 46/98

    Cisco Compatible Extensions: The Standard for Client Advancement

    http://www.cisco.com/go/ciscocompatible/wireless

    Over 90% of Client Devices Cisco Compatible

    Features
      Assured compatibility with 400+ devices
      Standards-based
      Enhanced security, mobility, and performance
      Supports Mobility Services, i.e. Location, voice

    Benefits
      Accelerates innovation
      Supports diverse enterprise applications
      Ensures multi-vendor interoperability
      Enables simplified deployment of mobile WLAN clients

    [Figure: client device images, linked to
    http://www.sony.com/VAIOBX and
    http://www1.us.dell.com/content/products/productdetails.aspx/inspn_8500?c=us&cs=555&l=en&s=biz]
  • Slide 47/98

    Cisco Secure Services Client (SSC)
    Single Client for Uniform Security and Services

    Features
      Unified wired and wireless client
      Support for industry standards
      Endpoint integrity
      Single sign-on capable
      Enabling of group policies
      Administrative control

    Benefits
      Reduces client software
      Simple, secure device connectivity
      Minimizes chances of network compromise from infected devices
      Reduces complexity
      Restricts unauthorized network access
      Centralized provisioning

    Key Features:
      802.1X authentication for wired and wireless devices
      Windows XP/2000 support
      EAP: EAP-FAST, EAP-MD5, PEAP-MSCHAP, PEAP-GTC, EAP-TLS, EAP-TTLS, Cisco LEAP
      Encryption: WEP, Dynamic WEP, TKIP, AES
      Standards: WPA and WPA2

  • Slide 48/98

    Proven Platform for Mobile Access

    [Figure: access point family in three categories, Indoor Access Points, Indoor Rugged Access Points and Outdoor Access Points/Bridges; models shown: 1130AG, 1121BG, 1250AGN, 1240AG, 1230AG, 1500, 1400, 1300]

    Access Points

    Features
      Industry's best range and throughput
      Enterprise-class security
      Many configuration options
      Simultaneous air monitoring and traffic delivery
      Wide area networking for outdoor areas

    Benefits
      Zero touch management
      No dedicated air monitors
      Supports all deployment scenarios (indoor and outdoor)
      From secure coverage to advanced services

  • Slide 49/98

    Delivering Network Unification

    [Figure: the Cisco Unified Wireless Network across the network tiers, with the controller platform at each tier]
      Network Core: Wireless Integrated Services Module (WiSM)
      Distribution: 4400 Wireless LAN Controller
      Intelligent Access: Catalyst 3750G Integrated WLAN Controller
      Branch Office: Wireless LAN Controller for ISR Series Routers; 2106 Wireless LAN Controller
      Remote Office: Hybrid Remote Edge Access Points (H-REAP)

    Lower TCO, Scalability, High Availability, Ease of Deployment, Investment Protection, Flexibility

  • Slide 50/98

    Cisco Wireless Controller Family

    [Figure: controller platforms placed by deployment size; labels reconstructed from the slide]
      Platforms (AP capacity): Cisco WiSM (300 APs); Cisco 3750 (50 APs); Cisco 3750 (25 APs); Cisco 2106 (6 APs); ISR WLC Module (6 APs); H-REAP
      Deployment size tiers shown: >=2-6 APs, >=12 APs, >=25 APs, >=50 APs, >=100 APs

  • Slide 51/98

    Cisco Wireless Control System (WCS): World-Class Network Management

    Features
      Client troubleshooting (via CCX)
      Planning, configuration, monitoring, location, IDS/IPS, and troubleshooting
      Hierarchical maps
      Intuitive GUI and templates
      Policy based networking (QoS, security, RRM, etc.)

    Benefits
      Lower OPEX and CAPEX
      Better visibility and control of the air space
      Consolidate functionality into a single management system
      Determines location and voice readiness

  • Slide 52/98

    802.11n: yet again higher rates

    Extends both 802.11a and 802.11g
      Both 2.4 GHz and 5.8 GHz
      64 new bit rates up to 600 Mbps
    Entirely new radio using MIMO technology
      Current radios use a single Tx and Rx, implement Rx diversity
      11n uses multiple Tx and Rx simultaneously, combining multiple received signals to improve quality
    In working group balloting, sponsor ballot mid 2008, approval mid 2009*
    Draft-11n certification launched by Wi-Fi Alliance (WFA) in June of 2008
    Cisco is in the WFA Draft-11n test bed

    *ALWAYS subject to change

  • Slide 53/98

    Network Design Overview

  • Slide 54/98

    Section Agenda

    Connecting Controllers and APs to Networks
    Controller Redundancy and AP Load Balancing
    Campus WLAN Controller Designs
    Branch Office WLAN Controller Designs
    Migrating from Autonomous APs to the Controller-based Architecture

  • Slide 55/98

    Understanding WLAN Controllers: The WLAN Controller as a Network Device

    WLAN controller
      For wireless end-user devices, the controller is an 802.1Q bridge that takes traffic off the air and puts it on a VLAN
      From the perspective of the AP, the controller is an LWAPP tunnel end-point with an IP address
      From the perspective of the network, it's a layer-2 device connected via one or more 802.1Q trunk interfaces
    The AP connects to an access port; no concept of VLANs at the AP is necessary.

    [Figure: AP connected to the controller through an LWAPP tunnel; the controller trunks the Data VLAN, Voice VLAN and Management VLAN]

  • Slide 56/98

    Understanding WLAN Controllers: The WLAN Controller as a Network Device

    Three Important Concepts to Understand:

    Port: physical connection to a neighbor switch/router
    Interface: logical connection mapping to a VLAN on the neighbor switch/router
      Management interface
      AP Manager interface(s)
      Dynamic interface(s)
      Virtual interface
      Service interface
    WLAN: entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters

  • Slide 57/98

    Welcome to the Cisco Wizard Configuration Tool
    Use the '-' character to backup

    System Name [Cisco_44:36:c3]:
    Enter Administrative User Name (24 characters max): admin
    Enter Administrative Password (24 characters max): admin
    Service Interface IP Address Configuration [none][DHCP]:
    Enable Link Aggregation (LAG) [yes][NO]:no
    Enter Port number : 1
    Management Interface IP Address: 10.10.80.3
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 10.10.80.1
    Management Interface VLAN Identifier (0 = untagged): 0
    Management Interface Port Num [1 to 2]: 1
    Management Interface DHCP Server IP Address: 10.10.80.1
    AP Transport Mode [layer2][LAYER3]: layer3
    AP Manager Interface IP Address: 10.10.80.4
    AP-Manager is on Management subnet, using same values
    AP Manager Interface DHCP Server (10.10.80.1):
    Virtual Gateway IP Address: 1.1.1.1
    Mobility/RF Group Name: mobile-1
    Enable Symmetric Mobility Tunneling: No
    Network Name (SSID): secure-1
    Allow Static IP Addresses [YES][no]:
    Configure a RADIUS Server now? [YES][no]:
    Enter the RADIUS Server's Address: 10.10.10.12
    Enter the RADIUS Server's Port [1812]:
    Enter the RADIUS Server's Secret: cisco
    Enter Country Code (enter 'help' for a list of countries) [US]:
    Enable 802.11b Network [YES][no]:
    Enable 802.11a Network [YES][no]:
    Enable 802.11g Network [YES][no]:
    Enable Auto-RF [YES][no]:

  • 7/29/2019 brkagg-2010

    58/98

    2008 Cisco Systems, Inc. All rights reserved. Cisco Publ ic 58BRKAGG-2010

    Presentation_ID

    Initial Configuration Screen of WLC

    Connecting the WLAN Controller


    Connecting the WLAN Controller to the Network

    Options: link aggregation (LAG) or no LAG

    LAG supported on 440x, WiSM, Cisco 3750G integrated WLAN controller switch

    LAG is the only option for the WiSM and the Cisco 3750G integrated WLAN controller switch

    A 440x-based controller allows 48 APs per port in the absence of LAG

    Use multiple AP Manager interfaces to support more than 48 APs on the WLC without LAG; the LWAPP algorithm will load balance APs across the AP managers

    LAG allows use of a single AP Manager interface by load-balancing traffic across an EtherChannel interface


    (Diagram: Multiple AP Manager Interfaces vs. Link Aggregation)


    Link Aggregation: Single AP Manager Interface

    No EtherChannel mode negotiation (LACP, PAgP): set the EtherChannel mode to "on" for the neighboring switchports

    Requires src-dst-ip load balancing for the switch EtherChannel
      Default on the Catalyst 6500
      Default on the Catalyst 3750 is src-mac, so it must be changed explicitly

    Packets are forwarded out the same port they arrived on

    1 LAG group per WLC is supported
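The switch-side requirements above (static "mode on" because the controller does not negotiate LACP/PAgP, src-dst-ip load balancing, one LAG per controller, trunk links) are easy to get wrong on a 3750 whose default is src-mac. The following checker, added here as an example and not Cisco code, parses a Catalyst running-config and reports every deviation. The configuration text and the interface names are constructed for illustration; the platform defaults are the ones stated on the slide.

```python
"""Lint the switch side of a WLC LAG bundle: static mode on, src-dst-ip load
balancing, a single channel-group, and 802.1Q trunks on the member ports.
Added example, not Cisco code; sample config below is constructed."""
import re

# Assumed defaults for "port-channel load-balance" when the command is
# absent from the running config (slide: src-dst-ip on the 6500, src-mac
# on the 3750).
LOAD_BALANCE_DEFAULT = {"cat6500": "src-dst-ip", "cat3750": "src-mac"}

# Constructed sample: two 3750 uplinks toward a WLC, one mistakenly set to LACP.
SAMPLE_3750_CONFIG = """\
hostname dist-3750
!
interface GigabitEthernet1/0/1
 description WLC port 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description WLC port 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
!
"""

WLC_PORTS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented lines]} for each 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def lag_findings(config: str, platform: str, wlc_ports: list) -> list:
    """Return human-readable problems with the switch side of a WLC LAG;
    an empty list means the bundle matches what the controller expects."""
    problems, groups = [], set()
    blocks = parse_interfaces(config)
    for port in wlc_ports:
        lines = blocks.get(port, [])
        cg = next((l for l in lines if l.startswith("channel-group ")), None)
        m = re.match(r"channel-group (\d+) mode (\S+)", cg) if cg else None
        if m is None:
            problems.append(f"{port}: not a member of any channel-group")
            continue
        groups.add(m.group(1))
        if m.group(2) != "on":
            # The controller speaks neither LACP nor PAgP, so a negotiated
            # mode never forms the bundle.
            problems.append(f"{port}: mode {m.group(2)} will not bundle with a WLC; use 'mode on'")
        if "switchport mode trunk" not in lines:
            problems.append(f"{port}: WLC links must be 802.1Q trunks")
    if len(groups) > 1:
        problems.append(f"WLC ports spread over channel-groups {sorted(groups)}; only one LAG per WLC")
    m = re.search(r"^port-channel load-balance (\S+)", config, re.M)
    if m:
        lb, origin = m.group(1), "configured"
    else:
        lb, origin = LOAD_BALANCE_DEFAULT[platform], f"{platform} default"
    if lb != "src-dst-ip":
        problems.append(f"port-channel load-balance is {lb} ({origin}); src-dst-ip is required")
    return problems


if __name__ == "__main__":
    for p in lag_findings(SAMPLE_3750_CONFIG, "cat3750", WLC_PORTS):
        print(p)
```

Running it against the sample reports the LACP member and the 3750's src-mac default; changing the second port to `mode on` and adding `port-channel load-balance src-dst-ip` makes the report empty.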


    Putting It All Together


    Cisco WiSM Configuration

    IOS version 12.2(18)SXF8 or above, which requires 512 MB memory and 128 MB flash

    The data ports (1 Gbps * 8 = 8 Gbps) and service ports (1 Gbps * 2 = 2 Gbps) are connected at the backplane; there are no physical connections at the front

    The service port is used for OOB management and should be part of a different VLAN

    LAG is a must for the Cisco WiSM, so make sure you create two separate port-channels (one per controller in the module)


    Section Agenda

    Connecting Controllers and APs to Networks

    Controller Redundancy and AP Load Balancing

    Design Considerations

    Migration from Autonomous APs to the Controller-based Architecture


    Controller Redundancy and AP Load Balancing

    The LWAPP discovery response includes the controller's sysName, controller type, controller AP capacity, current AP load, Master Controller status, AP manager IP address(es) and the number of APs joined to each AP manager

    Recall: the AP makes its join decision based on this information in the LWAPP discovery response:
      1. If the AP has been previously configured with a primary, secondary, and/or tertiary controller, the AP will attempt to join these first (specified by controller sysName)
      2. Attempt to join a WLAN controller configured as a Master controller
      3. Attempt to join the WLAN controller with the greatest excess AP capacity, using its least loaded AP manager

    #1 and #3 allow for two approaches to controller redundancy and AP load balancing: dynamic and deterministic
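The three-step join decision above determines which controller an AP ends up on, and therefore which controller's policies govern it. The model below, added here as an example and not Cisco code, applies that order to a set of discovery responses: configured primary/secondary/tertiary by sysName first, then a Master controller, then the controller with the greatest excess capacity and its least-loaded AP manager. The `DiscoveryResponse` class, the sample controllers and the choice to skip a controller with no spare capacity are assumptions made for the example.

```python
"""Model of the controller-selection order an LWAPP AP applies to the
discovery responses it receives. Added example, not Cisco code; the
response fields are the ones the slide lists, the samples are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DiscoveryResponse:
    sys_name: str
    ap_capacity: int          # maximum APs this controller supports
    ap_load: int              # APs currently joined
    is_master: bool           # Master Controller flag
    ap_managers: dict = field(default_factory=dict)   # manager IP -> joined APs

    @property
    def excess_capacity(self) -> int:
        return self.ap_capacity - self.ap_load

    def least_loaded_manager(self) -> str:
        # Ties broken on the IP string so the result is deterministic.
        return min(self.ap_managers, key=lambda ip: (self.ap_managers[ip], ip))


def choose_controller(responses: List[DiscoveryResponse],
                      preferred: List[str] = ()) -> Optional[Tuple[str, str]]:
    """Return (sysName, AP-manager IP) the AP will try to join, or None.

    `preferred` is the AP's configured primary, secondary, tertiary list.
    Assumption: a controller with no excess capacity is skipped at every step."""
    by_name = {r.sys_name: r for r in responses}
    has_room = lambda r: r.excess_capacity > 0
    # 1. Deterministic: configured primary/secondary/tertiary, in that order.
    for name in preferred:
        r = by_name.get(name)
        if r is not None and has_room(r):
            return (r.sys_name, r.least_loaded_manager())
    # 2. A controller flagged as Master Controller.
    for r in responses:
        if r.is_master and has_room(r):
            return (r.sys_name, r.least_loaded_manager())
    # 3. Dynamic: greatest excess AP capacity, then its least-loaded AP manager.
    candidates = [r for r in responses if has_room(r)]
    if not candidates:
        return None
    r = max(candidates, key=lambda c: c.excess_capacity)
    return (r.sys_name, r.least_loaded_manager())


# Constructed sample discovery responses from three controllers.
SAMPLE_RESPONSES = [
    DiscoveryResponse("wlc-a", 100, 90, False, {"10.10.80.4": 45, "10.10.80.5": 45}),
    DiscoveryResponse("wlc-b", 100, 20, False, {"10.10.81.4": 12, "10.10.81.5": 8}),
    DiscoveryResponse("wlc-c", 50, 50, True, {"10.10.82.4": 50}),
]

if __name__ == "__main__":
    print("no primary configured:", choose_controller(SAMPLE_RESPONSES))
    print("primary wlc-a:", choose_controller(SAMPLE_RESPONSES, ["wlc-a", "wlc-b"]))
```

With no configured primary the AP lands wherever capacity happens to be (the "salt-and-pepper" outcome of dynamic redundancy); with a primary configured it goes there as long as the controller has room, which is the predictability argument for deterministic redundancy. Discovery responses themselves carry no proof of origin; it is the subsequent join, authenticated with the controller's certificate, that protects the AP from a forged response.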


    Dynamic Redundancy

    Rely on LWAPP to load-balance APs across controllers and populate APs with backup controllers

    Results in a dynamic "salt-and-pepper" design

    Design works better when controllers are clustered in a centralized design

    Pros:
      Easy to deploy and configure; less upfront work
      APs dynamically load-balance (though never perfectly)

    Cons:
      More inter-controller roaming
      Bigger operational challenges due to unpredictability
      Longer failover times
      No fallback option in the event of controller failure

    Cisco's general recommendation: use deterministic redundancy instead of dynamic redundancy (dynamic redundancy is acceptable only for Layer 2 roaming)


    Deterministic Redundancy

    Administrator statically assigns APs a primary, secondary, and/or tertiary controller

    Assigned from the controller interface (per AP) or from WCS (template-based)

    Pros:
      Predictability
      Easier operational management
      More network stability
      More flexible and powerful redundancy design options
      Faster failover times
      Fallback option after a failover

    Con:
      More upfront planning and configuration

    This is Cisco's recommended best practice!


    Controller Redundancy Designs: N:1 (diagram)


    Section Agenda

    Connecting Controllers and APs to Networks

    Controller Redundancy and AP Load Balancing

    Design Considerations

    Migration from Autonomous APs to the Controller-based Architecture


    First Question! Q: Applications. What is the network for?

    Design for the needs of the applications

    Look at the protocols used

    Look at the minimum requirements of each

    READ the application notes!


    Campus WLAN Controller Options

    Standalone appliance controller (440x)
      Routed network exists on another platform
      Dot1Q trunk to the switched/routed network

    Integrated controller (Cisco 3750G Integrated WLAN Controller, WiSM)
      Routed network can exist on the same platform
      Layer 2 connection is internal
      Layer 2 or 3 connection to the routed network


    Where to Place a WLAN Controller? Distributed Designs

    WiSM(s) or 440x WLAN controller(s) connected at the distribution layer

    Key design considerations:
      Controller redundancy
      Spanning tree
      HSRP/GLBP
      Traffic flow
      Load balancing
      Resiliency
      Access layer collapsed into the distribution layer
      Access layer IP addressing
      Access layer features need to be implemented in the distribution layer
      Mobility!

    (Diagram: Layer 2 access subnets; voice and data WLAN client subnets; APs and clients)


    Healthcare

    Multicast is the number one protocol

    Always under construction

    Numerous non-802.11 radio devices

    NEED for an RF policy over an 802.11 policy

    (Diagram: intranet; first- and third-floor IDFs; building DF / distribution layer; core; clinic or remote office using H-REAP or a controller deployment depending upon size)


    Retail

    PCI COMPLIANCE!!

    Carpeted and warehouse environment

    Use of small handheld equipment

    (Diagram: headquarters, large store and small store connected over the Internet; H-REAP for fewer than 3 access points, small controller where there are more access points)


    Enterprise Requirements

    Voice is the essential application

    Data for e-mail and other non-latency-sensitive applications

    Video is on the rise

    (Diagram: intranet/Internet; first-, third- and fifth-floor IDFs; building DF; distribution layer; core)


    Manufacturing

    Multipath-intensive environment

    Can benefit from both indoor mesh and the standard central solution

    H-REAP could be used for small solutions

    (Diagram: headquarters, large and small manufacturing sites connected over the Internet; small controller where there are more access points)


    Distributed vs. Centralized Design

    General recommendation is a centralized design using integrated platform(s): WiSM for small/medium/large, Cisco 3750G Integrated WLAN Controller for small/medium

    Choose the design that makes the most sense for you
      Current network and policies
      Future growth plans

    Distributed designs may work well with existing networks

    Branch Office Deployment


    Hybrid REAP

    Supported on 1130 and 1240 AP platforms

    Allows bridging/tagging of traffic locally (local switching), selected per WLAN

    Allows simultaneous tunneling of traffic to the WLC (central switching), selected per WLAN

    Connected mode: LWAPP control is centralized

    Standalone mode (WAN outage): locally switched WLANs stay up, with some lost functionality

    Design considerations:
      No more than 100 ms of latency between the APs and the WLC
      H-REAP APs should be connected to trunk ports; allow only the relevant, locally switched VLANs on the trunk
      No optimization for fast, secure roaming (CCKM, PKC)
      No optimization for voice (no CAC or TSPEC support in standalone mode)


    Sample HREAP Network


    H-REAP WLAN Configuration

    Configure the WLAN for H-REAP operation


    H-REAP AP Configuration

    Select a desired AP...


    H-REAP AP Configuration (Cont.)

    ... and set it to H-REAP mode and enter the VLAN information

    Enable VLAN support and enter the native VLAN information


    Branch Office WLAN Controller Options

    Appliance controllers
      Cisco 2106 (supports 6 APs)
      Cisco 4402-12, 4402-24

    Integrated controllers
      WLAN controller module (WLCM) for the ISR
      Cisco 3750 integrated WLAN controller (support for 25 or 50 APs)


    Section Agenda

    Connecting Controllers and APs to Networks

    Controller Redundancy and AP Load Balancing

    Design Considerations

    Migration from Autonomous APs to the Controller-based Architecture


    Upgrading Autonomous Access Points to LWAPP Mode

    Basic AP upgrade process:
      Use the Cisco-provided upgrade tool to load the LWAPP recovery IOS image onto the AP(s)
      The AP joins a controller and downloads the full LWAPP IOS image

    LWAPP IOS upgrade is supported on the following platforms:
      1120G series (802.11b/g)
      1200 series, including 1210 and 1230 (802.11b/g and/or 2nd-generation 802.11a radios RM21A, RM22A)
      1130AG
      1240AG
      BR1310 (only AP mode is supported in LWAPP)

    Only layer-3 LWAPP mode is supported

    Roll-back to autonomous mode is supported


    LWAPP Upgrade Requirements

    Ensure the AP's hardware is supported

    The AP is running IOS release 12.3(7)JA or later

    The controller is running 3.1 or later and telnet is enabled:

      (WLC_CLI) >config network telnet enable

      or, in the WLC GUI, go to Management | Telnet-SSH and enable Telnet

    Each AP's information is input into a text file in the following format, one AP per line:

      ap-ip-address,telnet-username,telnet-user-password,enable-password
      ap-ip-address,telnet-username,telnet-user-password,enable-password

    Telnet carries these credentials in cleartext, and the file itself holds them in cleartext: run the upgrade from a trusted management network, protect the file, and disable telnet on the controller again once the migration is complete.
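Because the inventory file drives an unattended login to every AP, mistakes in it (a bad address, a duplicate AP, an empty password) only surface mid-change-window. The validator below, added here as an example and not part of the upgrade tool, checks the file format described above before the window and produces a credential-free copy for the change record. The sample file contents, the field names and the treatment of the factory default password (Cisco) are constructed for the example.

```python
"""Validate the AP inventory file consumed by the LWAPP upgrade tool
(ap-ip-address,telnet-username,telnet-user-password,enable-password, one
AP per line) and emit a redacted copy. Added example, not the upgrade
tool's own code; SAMPLE_INVENTORY is constructed."""
import csv
import io
import ipaddress

FIELDS = ("ap_ip", "telnet_user", "telnet_password", "enable_password")
FACTORY_DEFAULT = "Cisco"   # default username/password on autonomous Aironet APs

# Constructed sample: one default-password AP, one good AP, one duplicate,
# one invalid address, one missing password.
SAMPLE_INVENTORY = """\
10.10.90.11,Cisco,Cisco,Cisco
10.10.90.12,apadmin,s3cretpw,en4blepw
10.10.90.11,apadmin,s3cretpw,en4blepw
10.10.90.300,apadmin,s3cretpw,en4blepw
10.10.90.14,apadmin,,en4blepw
"""


def parse_inventory(text: str):
    """Return (rows, findings). Rows are dicts keyed by FIELDS.

    A row is kept only if the tool could act on it; every finding carries
    the 1-based line number so the file can be corrected in place."""
    rows, findings, seen = [], [], set()
    for lineno, rec in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not rec:
            continue                      # blank line
        if len(rec) != len(FIELDS):
            findings.append(f"line {lineno}: expected 4 fields, got {len(rec)}")
            continue
        row = dict(zip(FIELDS, (f.strip() for f in rec)))
        try:
            ipaddress.IPv4Address(row["ap_ip"])
        except ValueError:
            findings.append(f"line {lineno}: {row['ap_ip']!r} is not an IPv4 address")
            continue
        if row["ap_ip"] in seen:
            findings.append(f"line {lineno}: duplicate AP {row['ap_ip']}")
            continue
        if not all(row[f] for f in FIELDS[1:]):
            findings.append(f"line {lineno}: empty credential field; the tool cannot log in")
            continue
        if FACTORY_DEFAULT in (row["telnet_password"], row["enable_password"]):
            # Still upgradable, but worth fixing while the AP is being touched.
            findings.append(f"line {lineno}: AP {row['ap_ip']} still uses the factory default password")
        seen.add(row["ap_ip"])
        rows.append(row)
    return rows, findings


def redacted(rows) -> list:
    """Inventory lines with both passwords masked, safe to attach to a change ticket."""
    return [f"{r['ap_ip']},{r['telnet_user']},***,***" for r in rows]


if __name__ == "__main__":
    ok, problems = parse_inventory(SAMPLE_INVENTORY)
    print("\n".join(problems))
    print("\n".join(redacted(ok)))
```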


    Using the LWAPP Upgrade Tool

    (Screenshot of the AP upgrade tool)
      Point the upgrade tool to the AP CSV text file
      Make sure the time is correctly set
      1 to 5 APs may be upgraded simultaneously; their completion status bars are shown here
      AP upgrade process status
      Click for AP MAC and SSC output

    Telnet must be enabled on a WLC

    APs with static IP addresses will rely on DNS to find WLCs across router hops

    Ensure the latest IOS LWAPP (JX) image is available via TFTP


    Upgrading Autonomous Access Points to LWAPP Mode: Self-signed Certificates

    The LWAPP join process assumes X.509 certificates and factory-installed public/private keys

    All Cisco APs manufactured after July 18, 2005 have Manufacturing Installed Certificates (MIC)

    Cisco Aironet APs manufactured prior to July 18, 2005 do not have factory-installed public/private keys and certificates

    The upgrade tool issues commands to the AP to have it generate an RSA key pair and a self-signed certificate (SSC), and installs the root CAs so that the AP can authenticate controllers

    SSCs must be individually authorized on each controller

    The upgrade tool extracts the public key and can install it on one controller. It also stores an (AP MAC, public key) tuple in a CSV file that can be imported into WCS and other controllers

    http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html

    Upgrading Autonomous Access Points to LWAPP Mode: Best Practices

    Basic upgrade strategy:
      Deploy and validate controllers and WCS
      Plan an LWAPP discovery strategy so APs can discover controllers
      Test the process in a lab or on low-traffic, easy-to-troubleshoot APs to validate the procedure
      Do the migration during a change window and allow time for troubleshooting
      Save the CSV file(s) with the MAC/public key mappings even if you import them to WCS
      Migrate APs in logical blocks rather than en masse
      Take caveats to co-existence into consideration
      Evaluate tolerance for downtime


    Upgrading Autonomous Access Points to LWAPP Mode: Planning the LWAPP Discovery Strategy

    Options for discovery when upgrading autonomous access points to LWAPP:
      Local subnet broadcast of the LWAPP discovery request
      Vendor-specific DHCP option 43
      DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain
      Console port priming commands (valid only with the LWAPP recovery IOS image)
      OTAP is not supported in the LWAPP recovery IOS image

    Most autonomous Cisco Aironet APs are deployed with static IP addresses

    The AP preserves its static IP address, default gateway, sysName, DNS server and domain name during the upgrade process

    Many Cisco customers have chosen to erase the AP configurations before upgrading and migrate to DHCP addresses instead of static IP addresses
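Of the discovery options listed above, DHCP option 43 is the one most often mis-typed, because the controller addresses are entered as a hex string. The code below, added here as an example and not Cisco code, builds the option 43 payload for a list of controller management addresses (sub-option type 0xf1, a one-byte length of four bytes per address, then the IPv4 addresses), formats it in the dotted hex form an IOS DHCP pool takes, and parses a received payload back while rejecting malformed lengths. The controller addresses are constructed; the sub-option layout is the documented Cisco format.

```python
"""Encode and decode the Cisco LWAPP controller list carried in DHCP option 43.
Added example, not Cisco code; addresses below are constructed."""
import ipaddress
from typing import List

LWAPP_SUBOPTION = 0xF1   # Cisco sub-option type for controller addresses


def encode_option43(controllers: List[str]) -> bytes:
    """Return the raw option 43 bytes for the given controller IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte sub-option length")
    return bytes([LWAPP_SUBOPTION, len(payload)]) + payload


def to_ios_hex(raw: bytes) -> str:
    """Format raw bytes in the dotted hex form used by 'option 43 hex' in an IOS pool."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def decode_option43(raw: bytes) -> List[str]:
    """Walk the option 43 TLVs and return the LWAPP controller addresses.

    Truncated or mis-sized data raises instead of being guessed at: a
    parser that tolerates a bad length can be steered to an arbitrary host."""
    controllers, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        t, n = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + n]
        if len(value) != n:
            raise ValueError("TLV length exceeds option data")
        if t == LWAPP_SUBOPTION:
            if n == 0 or n % 4:
                raise ValueError("LWAPP sub-option length must be a non-zero multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, n, 4)]
        i += 2 + n
    return controllers


if __name__ == "__main__":
    raw = encode_option43(["10.126.126.2", "10.126.126.3"])
    print("option 43 hex", to_ios_hex(raw))
    print("decoded:", decode_option43(raw))
```

DHCP itself is unauthenticated, so a rogue DHCP server on the AP's subnet can hand out an option 43 pointing at a host of its choosing; DHCP snooping on the access ports limits that, and the certificate check during the LWAPP join (the root CAs the upgrade tool installs on the AP) is what keeps a steered AP from completing a join to a controller that is not yours.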


    Upgrading Autonomous Access Points to LWAPP Mode: WLSM and WiSM Co-Existence

    WLSM and WiSM can co-exist in the same 650x chassis (NOT RECOMMENDED)

    Minimum software requirements:
      Supervisor 720: 12.2(18)SXF2
      WLSM: Version 1.4.1
      WiSM: 3.2.116.x

    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a008073614c.shtml

    Coexistence Between Autonomous Access Point and Controller-Based Architecture

    No seamless roaming between architectures

    No coordination between WLSE radio management (RM) and Cisco Unified Architecture RRM; the RM and RRM algorithms should account for contention

    Each architecture may report the other's APs as rogue

    Consider network architectural impact and any necessary changes very carefully

    Upgraded APs should be connected to access ports instead of trunk ports

    May need to clean up and harvest old, unnecessary VLANs and IP subnets

    Plan out new IP addressing schemes for wireless clients and APs


    AssureWave


    AssureWave: Healthcare, Retail and Manufacturing

    Full vertical application testing with partner equipment

    Define pass/fail criteria with details beyond standard software testing

    Testing done in-house AND at partner facilities

    EXAMPLE Vertical Test Bed
