Contenu connexe Similaire à Design and Deployment of Enterprise Wirlesss Networks (20) Plus de Cisco Mobility (20) Design and Deployment of Enterprise Wirlesss Networks1. Design and Deployment of
Enterprise WLANs
BRKEWN-2010
Sujit Ghosh, CCIE #7204
Manager, Technical Marketing
Wireless Networking Business Unit
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
2. Agenda
§ Controller-Based Architecture Overview
§ Mobility in the Cisco Unified WLAN Architecture
§ Architecture Building Blocks
§ Deploying the Cisco Unified Wireless Architecture
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
3. Agenda
§ Controller-Based Architecture Overview
§ Mobility in the Cisco Unified WLAN Architecture
§ Architecture Building Blocks
§ Deploying the Cisco Unified Wireless Architecture
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
4. Understanding WLAN Controllers
1st/2nd Generation vs. 3rd Generation Approach
1st/2nd Generation
§ 1st/2nd generation: APs act
as 802.1Q translational Data VLAN
bridge, putting client traffic
on local VLANs Management VLAN
§ 3rd generation: Controller
bridges client traffic centrally Voice VLAN
3rd Generation
Data VLAN
Management VLAN
LWAPP/CAPWAP
Tunnel Voice VLAN
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
5. Centralized Wireless LAN Architecture
What Is CAPWAP?
§ CAPWAP: Control and Provisioning of Wireless Access Points is
used between APs and WLAN controller and based on LWAPP
§ CAPWAP carries control and data traffic between the two
Control plane is DTLS encrypted
Data plane is DTLS encrypted (optional)
§ LWAPP-enabled access points can discover and join a
CAPWAP controller, and conversion to a CAPWAP controller is
seamless
Business
§ CAPWAP is not supported on Layer 2 mode deployment Application
Data Plane
Access
Point CAPWAP Controller
Wi-Fi Client
Control Plane
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
6. CAPWAP Modes
Split MAC
§ The CAPWAP protocol supports two modes of
operation
Split MAC (centralized mode)
Local MAC (H-REAP)
§ Split MAC
Wireless Frame
Wireless Phy CAPWAP
MAC Sublayer Data Plane 802.3 Frame
STA WTP AC
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
7. CAPWAP Modes
Local MAC
§ Local MAC mode of operation allows for the data
frames to be either locally bridged or tunneled as
802.3 frames
§ Locally bridged
Wireless Frame
Wireless Phy
MAC Sublayer 802.3 Frame
STA WTP AC
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
8. CAPWAP Modes
Local MAC
§ Local MAC mode of operation allows for the data
frames to be either locally bridged or tunneled as
802.3 frames
§ Tunneled as 802.3 frames
Wireless Frame 802.3 Frame
Wireless Phy CAPWAP
MAC Sublayer Data Plane 802.3 Frame
STA WTP AC
§ Tunneled local MAC is not supported by Cisco
§ H-REAP support locally bridged MAC and split
MAC per SSID
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
9. CAPWAP State Machine
AP Boots UP
Reset
Discovery
Image Data
DTLS
Setup
Run
Join Config
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
10. AP Controller Discovery
Controller Discovery Order
§ Layer 2 join procedure attempted on LWAPP APs
(CAPWAP does not support Layer 2 APs)
Broadcast message sent to discover controller on a
local subnet
§ Layer 3 join process on CAPWAP APs and on
LWAPP APs after Layer 2 fails
Previously learned or primed controllers
Subnet broadcast
DHCP option 43
DNS lookup
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
11. AP Controller Discovery: DHCP Option
DHCP Server
DHCP Offer
1
DHCP Request
2
DHCP Offer Contains
Layer 3 CAPWAP
Option 43 for Controller
Discovery Request Broadcast
3 Layer 3 CAPWAP
Discovery Responses
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
12. AP Controller Discovery: DNS Option
DNS Server DHCP Server
CISCO-CAPWAP-CONTROLLER.localdomain DHCP Request
192.168.1.2 2
1 DHCP Offer
192.168.1.2
3
DHCP Offer
Contains
DNS Server or Servers
4
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
13. WLAN Controller Selection Algorithm
§ CAPWAP Discovery Response contains important information
from the WLAN Controller
Controller name, controller type, controller AP capacity, current AP load,
“Master Controller” status, and AP Manager IP address or addresses
§ AP selects a controller to join using the following decision
criteria
1. Attempt to join a WLAN Controller configured as a “Master” controller
2. Attempt to join a WLAN Controller with matching name of previously
configured primary, secondary, or tertiary controller name
3. Attempt to join the WLAN Controller with the greatest excess AP
capacity (dynamic load balancing)
§ Option #2 and option #3 allow for two approaches to controller
redundancy and AP load balancing: deterministic and dynamic
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
14. CAPWAP Control Messages
for Join Process
§ CAPWAP Join Request: AP sends this messages to selected
controller (sent to AP Manager Interface IP address)
CAPWAP Join Request
§ CAPWAP Join Response: If controller validates AP request, it
sends the CAPWAP Join Response indicating that the AP is
now registered with that controller
CAPWAP Join Response
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
15. Configuration Phase
Firmware and Configuration Download
§ Firmware is downloaded by the Cisco WLAN Controller
AP from the WLC
Firmware downloaded only if needed,
Configuration Download
AP reboots after the download
Firmware Download
Firmware digitally signed by Cisco
LWAPP-L3
§ Network configuration is
downloaded by the AP from
the WLC
Configuration is encrypted in the
CAPWAP tunnel
Configuration is applied
Access Points
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
16. 4.2, 6.0, 7.0? Which Version Should I Use?
§ WLC 5508 supports 6.0, 7.0.98
and 7.0.116
§ WLC7500, WiSM-2 and WLC2504
only supported in 7.0.116
§ 6.0.202 is the latest MD
§ 7.0.116 will be tested for
AssureWave (Blue Ribbon)
§ Please note the current revision
of 7.0- 7.0.116.0 which is the
recommended one for you today
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
17. Agenda
§ Controller-Based Architecture Overview
§ Mobility in the Cisco Unified WLAN Architecture
§ Architecture Building Blocks
§ Deploying the Cisco Unified Wireless Architecture
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
18. Mobility Defined
§ Mobility is a key reason for wireless networks
§ Mobility means the end-user device is capable of
moving location in the networked environment
§ Roaming occurs when a wireless client moves
association from one AP and re-associates to
another, typically because it’s mobile!
§ Mobility presents new challenges:
Need to scale the architecture to support client roaming—
roaming can occur intra-controller and inter-controller
Need to support client roaming that is seamless (fast) and
preserves security
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
19. Scaling the Architecture
with Mobility Groups
§ Mobility Group allows controllers to peer with each other to
support seamless roaming across controller boundaries
§ APs learn the IPs of the other members of the mobility group
after the LWAPP Join process Controller-B
MAC: AA:AA:AA:AA:AA:02
Mobility Group Name: MyMobilityGroup
§ Support for up to Mobility Group Neighbors:
Controller-A, AA:AA:AA:AA:AA:01
24 controllers,
Controller-C, AA:AA:AA:AA:AA:03
Controller-A
MAC: AA:AA:AA:AA:AA:01
3600 APs per Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:
mobility group
Ethernet in IP Tunnel
Controller-B, AA:AA:AA:AA:AA:02
Controller-C, AA:AA:AA:AA:AA:03
§ Mobility messages
exchanged
between Controller-C
MAC: AA:AA:AA:AA:AA:03
controllers Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:
Controller-A, AA:AA:AA:AA:AA:01
Controller-B, AA:AA:AA:AA:AA:02
§ Data tunneled between
controllers in EtherIP (RFC 3378)
Mobility Messages
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
20. Increased Mobility Scalability
§ Roaming is supported across three mobility groups
(3 * 24 = 72 controllers)
§ With Inter Release Controller Mobility (IRCM) roaming is
supported between 4.2.207 and 6.0.188 and 7.0
Mobility Sub-Domain 1
Ethernet in IP Tunnel Mobility Sub-Domain 3
Ethernet in IP Tunnel
Mobility Sub-Domain 2
Ethernet in IP Tunnel
Mobility Messages
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
21. How Long Does an STA Roam Take?
§ Time it takes for:
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
802.1X/EAP Authentication +
Rekeying +
IP address (re) acquisition
§ All this can be on the order of seconds… Can we
make this faster?
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
22. Roaming Requirements
§ Roaming must be fast … Latency can be introduced
by:
Client channel scanning and AP selection algorithms
Re-authentication of client device and re-keying
Refreshing of IP address
§ Roaming must maintain security
Open auth, static WEP—session continues on new AP
WPA/WPAv2 Personal—New session key for encryption
derived via standard handshakes
802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re-
authenticated and new session key derived for encryption
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
23. How Are We Going to Make Roaming
Faster?
Focus on Where We Can Have the Biggest Impact
§ Eliminating the (re)IP address acquisition challenge
§ Eliminating full 802.1X/EAP reauthentication
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
24. Intra-Controller Roaming:
Layer 2
VLAN X
WLC-1 Client Client Data WLC-2 Client
Database (MAC, IP, Database
QoS,
§ Intra-Controller roam
Security) happens when an AP
WLC-1
Mobility Message
WLC- moves association
2 between APs joined to
Exchange
the same controller
Preroaming § Client must be re-
Data Path authenticated and new
security session
established
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
25. Intra-Controller Roaming:
Layer 2 (Cont.)
VLAN X
WLC-1 Client Client Data WLC-2 Client
Database (MAC, IP, Database
QoS, Security)
WLC-1 WLC-2
Mobility Message Exchange
Roaming
Data Path
§ Client database entry
with new AP and
appropriate security
context
§ No IP address refresh
Client Roams to
needed
a Different AP
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
26. Intra-Controller Roaming:
Layer 3
VLAN X VLAN Z
WLC-1 Client Client Data Client Data WLC-2 Client
Database (MAC, IP, QoS, (MAC, IP, Database
Security) QoS, Security)
WLC-1 WLC-2
Mobility Message Exchange
Preroaming
Data Path
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
27. Client Roaming Between Subnets:
Layer 3 (Cont.)
VLAN X VLAN Z
WLC-1 Client Client Data Client Data WLC-2 Client
Database (MAC, IP, QoS, (MAC, IP, Database
Security) QoS, Security)
Mobility Message Exchange
WLC-1 WLC-2
Anchor Foreign
Controller Data Tunnel
Controller
Preroaming
Data Path
Client Roams to
a Different AP
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
28. Static IP Mobility with 7.0.116
VLAN X VLAN Z
WLC-1 Client WLC-2 Client
Mobility Database Database Mobility
Client Data Client Data
Group-1 (MAC, IP, QoS, (MAC, IP, QoS, Group-2
Security) Security)
WLC-1 Mobility Message Exchange WLC-2
Anchor Encrypted Data Tunnel Foreign
Controller Controller
Pre Roaming
Data Path
Client with Static IP
Client with Static IP on on VLAN X
VLAN X Dis-Associates Associates on
from This AP This AP
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
29. Static IP Mobility with 7.0.116
GUI Configuration
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
30. Roaming: Inter-Controller
Layer 3
§ L3 inter-controller roam: STA moves association between APs joined
to the different controllers but client traffic bridged onto different
subnets
§ Client must be re-authenticated and new security session established
§ Client database entry copied to new controller – entry exists in both
WLC client DBs
§ Original controller tagged as the “anchor”, new controller tagged as
the “foreign”
§ WLCs must be in same mobility group or domain
§ No IP address refresh needed
§ Symmetric traffic path established -- asymmetric option has been
eliminated as of 6.0 release
§ Account for mobility message exchange in network design
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
31. How Are We Going to Make Roaming
Faster?
Focus on Where We Can Have the Biggest Impact
ü Eliminating the (re)IP address acquisition challenge
§ Eliminating full 802.1X/EAP reauthentication
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
32. Fast Secure Roaming
Standard Wi-Fi Secure Roaming
§ 802.1X authentication in wireless today
requires three “end-to-end” transactions
with an overall transaction time of > 500 ms
§ 802.1X authentication in wireless today
WAN requires a roaming client to reauthenticate,
incurring an additional 500+ ms to the roam
Cisco AAA
Server
(ACS or
ISE)
1. 802.1X Initial
Authentication
AP2 Transaction AP1
2. 802.1X
Reauthenti-
cation After
Roaming
Note: Mechanism Is Needed to Centralize Key Distribution
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
33. Cisco Centralized Key Management
(CCKM)
§ Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available,
especially with application specific devices (ASDs)
§ CCKM originally a core feature of the “Structured Wireless Aware
Network” (SWAN) architecture
§ CCKM ported to CUWN architecture in 3.2 release
§ In highly controlled test environments, CCKM roam times
consistently measure in the 5-8 msec range!
§ CCKM is most widely implemented in ASDs, especially VoWLAN
devices
§ To work across WLCs, WLCs must be in the same mobility group
§ CCX-based laptops may not fully support CCKM – depends on
supplicant capabilities
§ CCKM is standardized in 802.11R, but no clients available yet
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
34. Fast Secure Roaming
WPA2/802.11i Pairwise Master Key (PMK) Caching
§ WPA2 and 802.11i specify a mechanism to prevent excessive key
management and 802.1X requests from roaming clients
§ From the 802.11i specification:
Whenever an AP and a STA have successfully passed dot1x-based
authentication, both of them may cache the PMK record to be used
later
When a STA is (re-)associates to an AP, it may attach a list of
PMK IDs (which were derived via dot1x process with this AP before)
in the (re)association request frame
When PMK ID exists, AP can use them to retrieve PMK record from its
own PMK cache, if PMK is found, and matches the STA MAC address;
AP can bypass dot1x authentication process, and directly starts WPA2
four-way key handshake session with the STA
PMK cache records will be kept for one hour for non-associated STAs
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
35. OKC/PKC
Key Data Points
§ Requires client/supplicant support
§ Supported in Windows since XP SP2
§ Many ASDs support OKC and/or PKC
§ Check on client support for TKIP vs. CCMP – mostly
CCMP only
§ Enabled by default on WLCs with WPAv2
§ Requires WLCs to be in the same mobility group
§ Important design note: pre-positioning of roaming clients
consumes spots in client DB
§ In highly controlled test environments, OKC/PKC roam
times consistently measure in the 10-20 msec range!
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
36. How Long Does a Client Really
Take to Roam?
§ Time to roam =
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
Mobility message exchange between WLCs +
Reauthentication +
Rekeying +
IP address (re) acquisition
§ Network latency will have an impact on these times –
consideration for controller placement
§ With a fast secure roaming technology, roam times
under 150 msecs are consistently achievable, though
mileage may vary
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
37. How Often Do Clients Roam?
§ It depends… types of clients and applications
§ Most client devices are designed to be “nomadic”
rather than “mobile”, though proliferation of small
form factor, “smart” devices will probably change
this…
§ Nomadic clients usually are programmed to try to
avoid roaming… so set your expectations
accordingly
§ Design rule of thumb: 10-20 roams per second for
every 5000 clients
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
38. Designing a Mobility Group/Domain
Design Considerations
§ Less roaming is better – clients and apps are happier
§ While clients are authenticating/roaming, WLC CPU is
doing the processing – not as much of a big deal for
5508 which has dedicated management/control
processor
§ L3 roaming & fast roaming clients consume client DB
slots on multiple controllers – consider “worst case”
scenarios in designing roaming domain size
§ Leverage natural roaming domain boundaries
§ Mobility Message transport selection: multicast vs.
unicast
§ Make sure the right ports and protocols are allowed
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
39. Agenda
§ Controller-Based Architecture Overview
§ Mobility in the Cisco Unified WLAN Architecture
§ Architecture Building Blocks
§ Deploying the Cisco Unified Wireless Architecture
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
40. CUWN 7.0.116 Release
Key Controller Features
Device Support Local-Mode Features Flexconnect Features
WLC-WiSM2 wIPS ELM Scale and Groups
WLC-7500 11n Indoor Mesh Local Auth
WLC-2500 2.4 GHz Backhaul Fault Tolerance
WLCM-2 VLAN Select Opportunistic Key Caching
AP600 / AP1550 FIPS
Others
Client Limit on WLAN Encrypting Neighbor Packets
Increased RF Group Scalability Rogue Containment Enhancement
RF Group Leader Flexibility PSB Password Enhancements
Webauth on Mac Filter Failure Static IP Mobility
Web Authentication Proxy CCX S60 Location Improvements
DHCP Option 60 Voice Diagnostics
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
41. CUWN 7.0.116 Release
Key Controller Features
Device Support Local-Mode Features Flexconnect Features
WLC-WiSM2 wIPS ELM Scale and Groups
WLC-7500 11n Indoor Mesh Local Auth
WLC-2500 2.4 GHz Backhaul Fault Tolerance
WLCM-2 VLAN Select Opportunistic Key Caching
AP600 / AP1550 FIPS
Others
Client Limit on WLAN Encrypting Neighbor Packets
Increased RF Group Scalability Rogue Containment Enhancement
RF Group Leader Flexibility PSB Password Enhancements
Webauth on Mac Filter Failure Static IP Mobility
Web Authentication Proxy CCX S60 Location Improvements
DHCP Option 60 Voice Diagnostics
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
42. WiSM2
For Cisco Catalyst 6500 Series
§ Enhanced operational savings
Higher scale
Reduced downtime during upgrades
Single controller
Specifications At-a-Glance
§ Higher performance
Access Points 100–500
Throughput
Clients 10,000
Concurrent rich-media
application flows I/O 10G
§ Maximize Cisco Catalyst 6000 Chassis-Level Scale
3500 APs and
70,000 Clients
Series investment
Supervisor and service Concurrent AP Joins 500
module refresh Number of Phy
1
Controllers
Power 225W
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
43. Enterprise-Grade WLC5508 for the Campus
Cisco 5500 Series Wireless Controller
Key Attributes
Ø Best in class performance
Industry-leading encrypted
throughput
Ø Enhanced Operational Savings
Upgrades 500 AP within mins
Access Points 12-500 Fails over 500 APs within seconds
Clients 7,000 Ø Enhanced rich media
Form-Factor 1 RU performance
IO Interface 8x 1GE Ports, LAG Multiple concurrent low-latency
media flows
Upgrade Licenses 25, 50,100, 250
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
44. Controller Comparison
5500 WiSM-2
Number of Access Points 12, 25, 50, 100, 250, 500 500
Throughput Up to 8 Gbps Up to 10 Gbps
Clients Up to 7000 Up to 10,000
Concurrent AP Upgrades/Joins Up to 500 Up to 500
Up to 8 Cisco Catalyst 6000 Series
Network I/O
1 Gbps SFPs Backplane
Mobility Domain Size Up to 36,000 APs Up to 36,000 APs
Number of Controllers per
1 1
Physical Device
Power Consumption 125W 225W
AP Count Upgrade via Licensing Yes Yes
Encrypted Data Link
Yes Yes
Between AP and Controller
OfficeExtend Solution Yes Yes
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
45. Cost Effective Entry Level Controllers
2500 Wireless Controller
New
Key Attributes
Ø Ability to scale the network as
you grow with licensing
Access Points 5-50
Ø Part of a PCI certified
Clients 500
architecture
Throughput 500 Mbps
Ø Ability to support various
Deployment Model Local and deployment modes
FlexConnect
Form Factor Desktop
IO Interface 4x 1GE
Upgrade Licenses 5, 25
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
46. Wireless Controller on ISR G2/SRE
New
Access Points ISM: 5-10
SM: 5-50 Key Attributes
Clients 500 • Single Box for branch services
Throughput 500 Mbps • Consistency of functionality and
Deployment Model Local and FlexConnect management with controllers
Form Factor SRE (ISM/SM)
Upgrade Licenses 5, 25
Device Supported 1941, 2900 and 3900
On Series ISR G2
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
47. CleanAir Access Point
Detect and Classify
Locate
Mitigate
A System-Wide Feature that Uses Silicon-Level Intelligence to
Cisco
Automatically Mitigate the Impact of Wireless Interference, Optimize
CleanAir Network Performance, and Reduce Troubleshooting Costs
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
48. What Is CleanAir?
Detect and Classify
97
100 § Uniquely identify and
63 track multiple
90 interferers
20
§ Assess unique impact
35
to Wi-Fi performance
§ Monitor air quality
High-Resolution Interference Detection and Classification Logic
Cisco
Built in to Cisco’s 802.11n Wi-Fi Chip Design; Inline Operation
CleanAir with no CPU or Performance Impact
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
49. What Is CleanAir?
Locate Mitigate
WCS, MSE Wireless LAN Controller
POOR GOOD
§ Classification processed
on access point
§ Interference impact and Maintain Air Quality
data sent to WLC for
real-time action
§ WCS and MSE store Visualize and Troubleshoot CH 1 CH 11
data for location, history,
and troubleshooting
Cisco Cisco CleanAir Technology Integrates Interference Information
CleanAir from the AP into the Entire System
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
50. Access Points Portfolio
Teleworker 11n 11n + CleanAir
Limited Lifetime Hardware Warranty
1260 3500e
Ruggedized
New 1040 1140 3500i
600
Carpeted
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
51. New
2x3 MIMO 11n Speed
Provide Higher Coverage and Throughput
CleanAir and ClientLink Technology
Avoids Interference, Delivers Stronger Signals to Clients
Flexible Deployment
Access or Mesh Network, Fiber, UTP or Wireless Backhaul
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
52. Cisco Aironet 1550 Series Outdoor AP
§ 2 Radios 2.4/5 GHz
§ 2 Tx, 3 Rx
§ MIMO, 2 SS
§ 3x Dual-Band Ant.
1552E 1552H 1552C 1552I
2.4 GHz 802.11 b/g/n 802.11b/g/n 802.11b/g/n 802.11b/g/n
5 GHz 802.11 a/n 802.11a/n 802. 11a/n 802.11a/n
Type Standard Hazardous Loc. Cable Modem Standard
Antenna External External Integrated Integrated
MIMO Multiple-In, Multiple-Out
SS BRKEWN-2010
Spatial Streams © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
53. CUWN 7.0.116 Release
Key Controller Features
Device Support Local-Mode Features Flexconnect Features
WLC-WiSM2 wIPS ELM Scale and Groups
WLC-7500 11n Indoor Mesh Local Auth
WLC-2500 2.4 GHz Backhaul Fault Tolerance
WLCM-2 VLAN Select Opportunistic Key Caching
AP600/AP1550 FIPS
Others
Client Limit on WLAN Encrypting Neighbor Packets
Increased RF Group Scalability Rogue Containment Enhancement
RF Group Leader Flexibility PSB Password Enhancements
Webauth on Mac Filter Failure Static IP Mobility
Web Authentication Proxy CCX S60 Location Improvements
DHCP Option 60 Voice Diagnostics
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
54. Adaptive wIPS
Components and Functions
AP Attack
Detection
24x7
Scanning
Over-the-Air Detection
WLC Configuration
wIPS AP Management
MSE Alarm
Archival
Capture
Storage
Complex Attack Analysis,
Forensics, Events
WCS Centralized
Monitoring
Historic
Reporting
Monitoring,
Reporting
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
55. Cisco Adaptive Wireless IPS with “Enhanced Local Mode
(ELM)”
• Adaptive wIPS scanning in data serving access points
• Provides protection without needing a separate overlay network.
• Available as a free SW download for existing wIPS Monitor Mode customers.
• ELM supported APs: 1040, 1140, 1250, 1260 & 3500
Without ELM With ELM
Data Serving Monitor Mode Single Data and WIPS AP
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
56. Deployment Recommendation
Option A Option B
Enhanced
Local Mode Local Mode
WIPS Monitor
Mode/
CleanAir
MMAP +
WIPS MM
WIPS Monitor Mode or CleanAir MM Turn on ELM on All APs
+ WIPS MM on CleanAir AP: (Including CleanAir)
Recommendation – Ratio of
1:5 MMAP to Local Mode APs
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
57. TrustSec 2.0 and Identity Services Engine
• Centralized Policy
ACS • Distributed Enforcement
• AAA Services
NAC
Profiler • Posture Assessment
NAC
• Guest Access Services
Guest
• Device Profiling
Identity
NAC Services • Monitoring
Manager Engine
• Troubleshooting
NAC
Server • Reporting
*Current NAC and ACS Hardware
Platform Is Software Upgradable to ISE
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
58. ISE Integrated Device Profiling
“iPad Template”
Custom Template
Visibility for Wired and Simplified “Device New Device
Wireless Devices Category” Policy Templates via
Subscription Feeds
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
59. ISE Integrated Device Profiling
§ Users, using the same SSID, can be associated to different
wired VLAN interfaces after EAP authentication
§ Employee using corporate laptop with their AD user id can be
assigned to VLAN 30 to have full access to the network
§ Employee using personal iPad/iPhone with their AD user id can
be assigned to VLAN 40 to have internet access only
ISE
ISE
1 EAP Authentication
4 Accept with VLAN 40
2 Accept with VLAN 30 Corporate
Employee Resources
VLAN 30
CAPWAP
Same-SSID
802.1Q TrunkVLAN 40
3 EAP Authentication Internet
Employee
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
60. ISE Integrated Device Profiling
§ Example:
VLAN 30 (Corporate access )
VLAN 40 (Internet access)
Corporate
Internet
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
61. ISE Integrated Device Profiling
• ISE Setup – Authorization Profiles redirect VLAN, Override ACL,
CoA…
Laptop Assign VLAN 30
iPad Assign VLAN 40
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
62. ISE Integrated Device Profiling
§ WLC CoA Setup – Pre-Auth ACL, allows ALL client traffic
to ISE
§ WLAN – Dot1X, AAA Override and Radius NAC enabled.
Permit ANY to ISE
(IP Addr)
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
63. ISE Integrated Device Profiling
§ RADIUS probe (information
about authentication,
authorization and
accounting requests from
Network Access
§ DHCP (helper or span)
§ HTTP user agent (span)
Customizable Profiles
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
64. Agenda
§ Controller-Based Architecture Overview
§ Mobility in the Cisco Unified WLAN Architecture
§ Architecture Building Blocks
§ Deploying the Cisco Unified Wireless Architecture
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
65. Deploying the Cisco Unified
Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
66. Deploying the Cisco Unified
Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
67. Controller Redundancy
Dynamic
§ Rely on CAPWAP to load-balance APs
across controllers and populate APs with
backup controllers
§ Results in dynamic “salt-and-pepper”
design
§ Design works better when controllers are
“clustered” in a centralized design
§ Pros
Easy to deploy and configure—less upfront work
APs dynamically load-balance (though never
perfectly)
§ Cons
More intercontroller roaming
Bigger operational challenges due to unpredictability
Longer failover times
No “fallback” option in the event of controller failure
§ Cisco’s general recommendation is:
Only for Layer 2 roaming
§ Use deterministic redundancy instead of
dynamic redundancy
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
68. Controller Redundancy
Deterministic
WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C § Administrator statically assigns
APs a primary, secondary, and/
or tertiary controller
Assigned from controller interface
(per AP) or WCS (template-based)
§ Pros
Predictability—easier operational
management
More network stability
Primary: WLAN-Controller-A Primary: WLAN-Controller-B Primary: WLAN-Controller-C More flexible and powerful
Secondary: WLAN-Controller-B Secondary: WLAN-Controller-C Secondary: WLAN-Controller-A
Tertiary: WLAN-Controller-C Tertiary: WLAN-Controller-A Tertiary: WLAN-Controller-B redundancy design options
Faster failover times
“Fallback” option in the case of
failover
§ Con
More upfront planning and
configuration
§ This is Cisco’s recommended
best practice
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
69. Controller Redundancy
Architecture Resiliency
Resiliency N:1 Redundancy
WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C
WLAN-Controller-1 APs Configured With:
Primary: WLAN-Controller-1
Secondary: WLAN-Controller-BKP
NOC or Data Center
WLAN-Controller-BKP
WLAN-Controller-2 APs Configured With:
Primary: WLAN-Controller-2
Secondary: WLAN-Controller-BKP
WLAN-Controller-n APs Configured With:
Primary: WLAN-Controller-n
Secondary: WLAN-Controller-BKP
Primary: WLAN-Controller-A Primary: WLAN-Controller-B Primary: WLAN-Controller-C
Secondary: WLAN-Controller-B Secondary: WLAN-Controller-C Secondary: WLAN-Controller-A
Tertiary: WLAN-Controller-C Tertiary: WLAN-Controller-A Tertiary: WLAN-Controller-B
N:N Redundancy N:N:1 Redundancy
APs Configured With:
WLAN-Controller-A APs Configured With: WLAN-Controller-A Primary: WLAN-Controller-A
Primary: WLAN-Controller-A
Secondary: WLAN-Controller-B
Secondary: WLAN-Controller-B
NOC or Data Center Tertiary: WLAN-Controller-BKP
WLAN-Controller-BKP
WLAN-Controller-B WLAN-Controller-B APs Configured With:
APs Configured With: Primary: WLAN-Controller-B
Primary: WLAN-Controller-B
Secondary: WLAN-Controller-A
Secondary: WLAN-Controller-A
Tertiary: WLAN-Controller-BKP
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
70. High Availability Using Cisco 5508
§ APs are connected
to primary WLC
5508
Si Si § In case of
hardware failure of
WLC 5508
§ AP’s fall back to
Si Si secondary WLC
Primary Secondary 5508
WLC5508
WLC5508
§ Traffic flows
through the
secondary WLC
5508 and primary
core switch
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
71. High Availability Using WiSM:
Uplink Failure on Primary Switch
§ In case of uplink
S N
failure of the
primary switch
Si Si
§ Standby switch
Active Standby becomes the
HSRP Switch HSRP Switch active HSRP
New Active switch
Primary
WiSM
HSRP Switch
§ APs are still
connected to
primary WiSM
§ Traffic flows thru
the new HSRP
active switch
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
72. High Availability Using WiSM-2
§ APs are
connected to
primary WiSM
Si Si
§ In case of
hardware failure
of primary WiSM
Primary Secondary
WiSM WiSM § AP’s fall back to
secondary WiSM
§ Traffic flows thru
the secondary
WiSM and
primary core
switch
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
73. VSS and Cisco 5508
§ Cisco 5508 WLC can be attached
to a Cisco Catalyst VSS switch
§ 4 ports of Cisco 5508 are
connected to active VSS switch
§ 2nd set of 4 ports of Cisco 5508 is
connected to standby VSS switch Catalyst
VSS Pair
§ In case of failure of primary switch
traffic continues to flow through
secondary switch in the VSS pair
Cisco 5508
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
74. VSS and WiSM-2
Virtual Switch System (VSS)
Switch-1 Switch-2
(VSS Active) (VSS Standby)
Control Plane Active VSL Control Plane Standby
Data Plane Active Data Plane Active
Failover/State Sync VLAN
FWSM Active FWSM Standby
WiSM-2 Active WiSM-2 Standby
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
75. Controller Redundancy
High Availability
High Availability Principles Primary WLC
§ AP is registered with a WLC and
maintain a backup list of WLC
§ AP use heartbeats to validate
WLC connectivity
§ AP use Primary Discovery
message to validate backup
WLC list
§ When AP lose three heartbeats it Secondary WLC
start join process to first backup
WLC candidate
§ Candidate Backup WLC is the
first alive WLC in this order:
primary, secondary, tertiary,
global primary, global secondary
§ AP do not re-initiate discovery
process
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
76. Controller Redundancy
High Availability with 7.0.116
To Accommodate Both Local and Remote Settings, There Are Configurable Options
Provided, so that Administrator Can Fine Tune the Settings Based on the Requirements
New Timers Old Timers-5508 Old Timers-Non-5508
Heartbeat: 1-30 Seconds 10-30 Seconds 1-30 Seconds
Fast Heartbeat Timeout: 1-10 Seconds 3-10 Seconds 1-10 Seconds
AP Retransmit Interval: 2-5 Seconds 3 Seconds 3 Seconds
AP Retrans with FH Enabled: 3-8 Times 3 Times 3 Times
AP Retrans with FH Disabled: 3-8 Times 5 Times 5 Times
AP Fallback to next WLC 12 Seconds 35 Seconds 35 Seconds
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
77. AP Pre-Image Download in 7.0
§ Since most CAPWAP APs can Cisco WLAN Controller
download and keep more than one
image of 4–5 MB each
AP Joins Without Download
AP Pre-image Download
§ AP pre-image download allows
AP to download code while it is
CAPWAP-L3
operational
§ Pre-Image download operation
1. Upgrade the image on the controller
2. Don’t reboot the controller
3. Issue AP pre-image download command
4. Once all AP images are downloaded
5. Reboot the controller
Access Points
6. AP now rejoins the controller
without reboot How Much Time You Save?
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
78. Configure AP Pre-Image Download
§ Upgrade the image on the controller and don’t reboot
§ Currently we have two images on the controller
(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
79. Configure AP Pre-Image Download
Wireless > AP > Global Configuration
Perform Primary Image
Predownloaded on the AP
AP Now Starts
Predownloading
AP Now Swaps Image
After Reboot of the
Controller
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
80. Deploying the Cisco Unified
Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
81. AP-Groups
Default AP-Group
§ The first 16 WLANs created (WLAN IDs 1–16) on the WLC
are included in the default AP-Group
§ Default AP-Group cannot be modified
§ APs with no assignment to an specific AP-Group will use the
Default AP-Group
§ The 17th and higher WLAN (WLAN IDs 17 and up) can be
assigned to any AP-Groups
§ Any given WLAN can be mapped to different dynamic
interfaces in different AP-Groups
§ WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50)
WLC 4400 and WiSM (AP groups: 300),
WLC 5508 & WiSM-2 (AP groups: 500),
WLC 7500 (AP Groups : 500)
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
82. AP-Grouping in Campus
VLAN 100 VLAN 100 VLAN 100
Access
Si Si Si Si Si Si
Distribution
CAPWAP
Core
Si Si
Si Si
VLAN 100 / 21
Si Si Distribution
Si Si
Access
Single WAN Data Center Internet
SSID = WLC-1 WLC-2
Employee
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
83. AP-Grouping in Campus
AP-Group-1 AP-Group-2 AP-Group-3
VLAN 60 /23 VLAN 70 /23 VLAN 80 /23
Access
Si Si Si Si Si Si
Distribution
CAPWAP
Core
Si Si
Si Si
VLAN 100 VLAN 60 Si Si Distribution
Si Si
/21 VLAN 70
VLAN 80
Access
Single WAN Data Center Internet
SSID = WLC-1 WLC-2
Employee
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
84. Default AP-Group
Network Name
Default AP Group
Only WLANs 1–16
Will Be Added in
Default AP Group
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
85. Multiple AP-Groups
AP Group 1
AP Group 2
AP Group 3
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
86. Interface-Groups
7.0.116
§ Interface-groups allows for a WLAN to be mapped to a single interface or
multiple interfaces
§ Clients associating to this WLAN get an IP address from a pool of subnets
identified by the interfaces in round
robin fashion
§ Extends current AP group and AAA override, with multiple interfaces using
interface groups
§ Controllers Interface-Groups/Interfaces
WiSM-2, 5508, 7500, 2500 64/64
WiSM, 4400 32/32
2100 and 2504 4/4
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
87. Interface-Grouping in Campus 7.0.116
Int-Group-1 Int-Group-2 Int-Group-3
VLAN 60 /23 VLAN 70 /23 VLAN 80 /23
VLAN 61 / 23 VLAN 71 /23 VLAN 81 /23
Access
Si Si Si Si Si Si
Distribution
LWAPP/CAPWAP
Core
Si Si
Si Si
VLAN 100 VLAN 60 Si Si Distribution
Si Si
/21 VLAN 61
VLAN 70
VLAN 71
VLAN 80
VLAN 81
Access
Single WAN Data Center Internet
SSID = WLC-1 WLC-2
Employee
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
89. Deploying the Cisco Unified
Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
§ Guest Access Deployment
§ Home Office Design
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
90. IPv6 over IPv4 Tunneling
§ Prior to WLC 6.0 release, IPv6 pass-thru is only supported but no L2 security
can be enabled on IPv6 WLAN
§ With WLC 6.0 release, IPv6 pass-thru with Layer 2 security supported
§ To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the
controller
§ IPv6 packets are tunneled over CAPWAP IPv4 tunnel
§ Same WLAN can support both IPv4 and IPv6 clients
§ IPv6 pass-thru and IPv4 Webauth is also supported on same WLAN
§ IPv6 is not supported with guest mobility anchor tunneling
Client IPv6 Traffic Ethernet II | IPv6
Tunneled over IPv4 and
Bridged to Ethernet
CAPWAP Tunnel
802.11| IPv6 Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
91. IPv6 Configuration on WLC 6.X
§ Enable IPv6 on the WLAN and multicast on the WLC
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
92. IPv6 Client Details
§ IPv6 client details on the WLC
§ IPv6 client details from dual-stack (Vista) client
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
93. Deploying the Cisco Unified
Wireless Architecture
§ Controller Redundancy and AP Load Balancing
§ Understanding AP Groups
§ IPv6 Deployment with Controllers
§ Branch Office Designs
Understanding HREAP (Hybrid) REAP AP Deployment
Understanding Branch Controller Deployment
§ Guest Access Deployment
§ Home Office Design
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
94. Branch Office Deployment
HREAP
Central Site
Centralized
§ Hybrid architecture Traffic
Centralized
Traffic
§ Single management
and control point
Centralized traffic
(split MAC)
Or
WAN
Local traffic (local MAC)
§ HA will preserve local Local
traffic only Traffic
Remote
Office
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
95. H-REAP Design Considerations
§ Some WAN limitations apply
RTT must be below 300 ms data (100 ms voice)
Minimum 500 bytes WAN MTU (with maximum four
fragmented packets)
§ Some features are not available in standalone
mode or in local switching mode
ACL in local switching, MAC/Web Auth in standalone mode,
PMK caching (OKC)
See full list in « H-REAP Feature Matrix »
http://www.cisco.com/en/US/products/ps6366/
products_tech_note09186a0080b3690b.shtml
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
96. Configure H-REAP Mode
Step 1: Configure Access Point Mode
§ Enable H-REAP mode per AP
§ Supported AP: AP-1130, AP-1240, AP-1040,
AP-1140, AP-1260, AP-1250, AP-3500
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
97. Configure H-REAP Local Switching
Step 2: Enable Local Switching per WLAN
§ Only WLAN with “Local Switching” enabled will
allow local switching at the H-REAP AP
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
98. Configure H-REAP VLAN Mapping
Step 3: H-REAP Specific Configuration
§ H-REAP AP can be connected on an access port
(using native VLAN) or connected to a 802.1Q
trunk port
§ VLAN mapping is a per AP configuration on WLC
and by AP group using templates on a WCS
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
99. Configure H-REAP VLAN Mapping
Step 4: Per AP SSID to VLAN Mapping
§ Mapping of SSID to 802.1Q VLAN is done per
H-REAP AP
§ Use WCS for configuration with templates
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
100. Economies of Scale for Lean Branches
Flex 7500 Wireless Controller
New
Key Differentiation
Ø WAN Tolerance
• High Latency Networks
Access Points 300-2,000 • WAN Survivability
Clients 20,000 Ø Security
Branches 500 802.1x based port authentication
Access Points / Branch 50 Ø Voice support
Deployment Model FlexConnect • Voice CAC
Form Factor 1 RU • OKC/CCKM
IO Interface 2x 10GE
Upgrade Licenses 100, 200, 500, 1K
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
101. Understanding H-REAP Groups
§ WLC supports up to 20 H-REAP groups
Central Site
§ Each H-REAP group supports
up to 25 H-REAP APs
§ H-REAP groups allow sharing of:
CCKM fast roaming keys
Local user authentication Remote Site WAN Remote Site
Local EAP authentication H-REAP
Group 2
H-REAP
Group 1
BRKEWN-2010 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 101