Wireless Branch Office Network Architecture

Architecturing Network
for Branch Offices with
Cisco Wireless
BRKEWN-2016

BRKEWN-2018 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Abstract

 This session focuses on the architecture concepts
of the branch office WLAN deployments,
emphasising the core technologies that drive and
enable mobility in retail, banking, education,
entreprise or managed wlan services. Topics
covered include in-depth protocol description of H-
Reap/FlexConnect, all deployment options in
practice, and are based on customer case studies
for their application into the branch environment.


Deploying Cisco’s FlexConnect
Wireless Branch Solution
Increases Business Resiliency


Agenda

 Cisco Unified Wireless Principles (Reminder)
 Branches Using Remote Controllers
 Understanding H-REAP Mode and Limitations
 Understanding AP Groups and H-REAP Groups
 Designing a Resilient Network
 Operating an H-REAP–Based Branch Network
 Retail Case Study


Agenda

 Cisco Unified Wireless Principles


Cisco Unified Wireless Principles
WCS
 Components
• Wireless LAN controllers
• Aironet access points Wireless LAN
Controllers
• Management System (WCS)
MSE
• Mobility Service Engine
(MSE)
Campus
 Principles Network

• AP must have CAPWAP
connectivity with WLC
• Configuration Aironet
downloaded to AP by WLC Access Point

• All Wi-Fi traffic is
forwarded to the WLC


Agenda



Branch Designs Using Remote Controllers
Overview
Central Site Backup Central
 Branches can also have Controller

local remote controllers
 Small form factors WLC
are available to have
« small campus » :
WLC-25xx or integrated WAN
controller modules in
ISR/ISR-G2 WLC-25xx WLCM for
ISR/ISR-G2

 High-availability design
with central backup
controller is supported;
WAN limitations may
apply

Remote Site A Remote Site B


Branch Designs Using Remote Controllers
Advantages

 Cookie cutter configuration for every branch site
 Layer-3 roaming within the branch
 ACL in the branch site
 Peer to peer blocking
 WGB support
 Reliable Multicast (filtering)
 Dynamic VLAN

Note: If you have ISR/ISR G2 at branch site then it is recommended to
use the IOS Firewall at edge for unified access policies.


Agenda



CAPWAP Overview
Control and Provisioning of Wireless Access Point

 CAPWAP is a standard, interoperable protocol that enables an
Access Controller (AC) to manage a collection of Wireless
Termination Points (WTPs)
 CAPWAP carries control and data traffic between the two
Control plane is DTLS encrypted
Data plane is DTLS encrypted (optional)

 CAPWAP supports only Layer 3 mode deployments

Business
Application

Data Plane
Access
Point CAPWAP Controller

Wi-Fi Client

Control Plane


CAPWAP Modes
Split MAC

 The CAPWAP protocol supports two modes of
operation
Split MAC (Centralized Mode)
Local MAC (H-REAP/FlexConnect)

 Split MAC
Wireless Frame

Wireless Phy CAPWAP
MAC Sublayer Data Plane 802.3 Frame

STA WTP AC


CAPWAP Modes
Local MAC

 Local MAC mode of operation allows for the data
frames to be either locally bridged or tunneled as
802.3 frames
 Locally bridged
Wireless Frame

Wireless Phy
MAC Sublayer 802.3 Frame

STA WTP AC

 H-REAP support locally bridged MAC and split
MAC per SSID

CAPWAP Modes
Local MAC

 Local MAC mode of operation allows for the data
frames to be either locally bridged or tunneled as
802.3 frames
 Tunneled as 802.3 frames
Wireless Frame 802.3 Frame

Wireless Phy CAPWAP
MAC Sublayer Data Plane 802.3 Frame

STA WTP AC

 Tunneled local MAC is not supported by Cisco


H-REAP Glossary

 Connected mode – When H-REAP can reach
Controller (connected state), it gets help from
controller to complete client authentication.
 Standalone mode – When controller is not
reachable by H-REAP, it goes into standalone state
and does client authentication by itself.

 Local Switching – Data traffic switched onto local
VLANs for an SSID
 Central Switching – Data traffic tunneled back to
WLC for an SSID


Branch Office Deployment
HREAP – Hybrid Remote Edge Access Point
Central Site
 Hybrid architecture Cluster of
Centralized WLC
 Single management Traffic
Centralized
and control point Traffic

 Data Traffic Switching
Centralized traffic
(split MAC)
Or
WAN
Local traffic (local MAC)

 HA will preserve local
Local
traffic only Traffic

 Traffic Switching is
Remote
configured per AP and Office
per WLAN (SSID)

Configure H-REAP Mode
Step 1: Configure Access Point Mode

 Enable H-REAP mode per AP
 Supported AP: AP-1130, AP-1240, AP-1040,
AP-1140, AP-1260, AP-1250, AP-3500


Configure H-REAP Local Switching
Step 2: Enable Local Switching per WLAN

 Only WLAN with “Local Switching” enabled will
allow local switching at the H-REAP AP


Configure H-REAP VLAN Mapping
Step 3: H-REAP Specific Configuration

 H-REAP AP can be connected on an access port
(using native VLAN) or connected to a 802.1Q
trunk port
 VLAN mapping is a per AP configuration on WLC
and by AP group using templates on a WCS


Step 4: Per AP SSID to VLAN Mapping

 Mapping of SSID to 802.1Q VLAN is done per
H-REAP AP

 Use WCS for configuration with templates


Step 4: Using WCS

 With WCS, Configuration can be applied to all H-REAP AP
with one template


H-REAP Design Considerations

 Some WAN limitations apply
RTT must be below 300 ms data (100 ms voice)
Minimum 500 bytes WAN MTU (with maximum four
fragmented packets)

 Some features are not available in standalone
mode or in local switching mode
ACL in local switching
MAC/Web Auth in standalone mode
See full list in « H-REAP Feature Matrix »
http://www.cisco.com/en/US/products/ps6366/products_tec
h_note09186a0080b3690b.shtml


Economies of Scale for Lean Branches
Flex 7500 Wireless Controller
New

Key Differentiation
 WAN Tolerance
• High Latency Networks
Access Points 300-2,000 • WAN Survivability
Clients 20,000  Security
Branches 500 802.1x based port authentication
Access Points / Branch 50  Voice support
Deployment Model FlexConnect • Voice CAC
Form Factor 1 RU • OKC/CCKM
IO Interface 2x 10GE
Upgrade Licenses 100, 200, 500, 1K


FlexConnect Improvements in New 7.0.116

 WAN Survivability
FlexConnect AP provides wireless access and services to clients
when the connection to the primary WLC fails

 Local Authentication
Allows for the authentication capability to exist directly at the AP in
FlexConnect instead of the WLC

 Improved Scale
Group Scale: Max HREAP groups increased to 500 (7500s) and 100
(5500s)
APs per Group: 50 (7500s) and 25 (5500s)

 Fast roaming in remote branches
Opportunistic Key Caching (OKC) between APs in a branch


Agenda



Understanding AP Groups
Overview AP Group 1
Central Site
Flex 7500
 AP groups is a logical
concept of grouping AP
which deliver similar
Wi-Fi services; these
services can be:
By physical location, WAN
and/or
By functional services Remote Site A Remote Site B
(data, voice, guest, …)

 Same AP groups need AP Group 2 AP Group 3

to be defined in all WLC
of a mobility group


Understanding AP Groups
Rules to Know

 Rules to know :
• One AP can be in only one AP Group
• One WLAN(SSID) can be in several AP Groups
• WLAN with ID 1-16 can not be removed from the ‘default-group’
• WLAN with ID greater than 16 will never be part of the ‘default-
group’
• All AP with no AP Group name or an unknown AP Group name will
be part of the ‘default-group’

 Well known mistakes :
• Create no AP group, but create a WLAN with ID 17+.
• Having AP groups defined, Create WLAN with ID 17+ but never
map the WLAN to any AP Group.


AP Groups
Configuration: Create a New Group


AP Groups
Configuration: Add AP to Group


AP Groups Usage
@ Internet

Per Location SSID Guest-Access
AP Group 1
Central Site
 AP groups give the
ability to enable Wi-Fi Corporate-Voice

Services (WLAN)
based on physical
location
 Example Corporate-Data

WAN/MAN
Central Site
Corporate-Voice,
Corporate-Data, Manufacturing Plan
Store
Guest-Access
Manufacturing Plan
AP Group 3
Corporate-Voice,
Corporate-Data,
Scanners
Scanners
Store
AP Group 2 Corporate-Data
Corporate-Data,
Guest-Access
Guest-Access


AP Groups Usage
Per AP Group SSID to VLAN Mapping

 AP groups give the VLAN-1

ability to statically map AP Group 1
Central Site
Wi-Fi service (WLAN) to
VLAN based on VLAN-2

physical location
 Users see the same VLAN-3

Wi-Fi service on all sites
but IP@ can be used for WAN/MAN
monitoring or filtering Corporate-Data

Manufacturing
 Can also be used to Plan Store

have smaller Wi-Fi AP Group 2 AP Group 3

subnets

Corporate-Data
Corporate-Data


AP Groups
Configuration/VLAN Mapping


AP Groups
Scaling

New
Scaling Flex 7500 WLC 5508 WLC 4400 WLC 2100

# AP Groups 500 500 300 50

# WLAN
512 512 512 512
(SSID)

# VLAN
512 512 512 512
(Interfaces)


Understanding H-REAP Groups
Overview
Central Site
Flex 7500
 H-REAP groups allow sharing of: Cluster

 CCKM/OKC fast roaming keys
 Local backup RADIUS servers
IP/keys
 Local user authentication
 Local EAP authentication WAN

 Scaling information Remote Site Remote Site

 500 H-REAP groups for Flex 7500
 50 AP per H-REAP group H-REAP Group 2

H-REAP Group 1


H-REAP Groups and CCKM/OKC Keys
CCKM Keys

 CCKM/OKC keys are stored on
Central Site
HREAP APs for Layer 2 fast roaming RADIUS Server

 The HREAP APs will receive the
CCKM/OKC keys from the WLC
 If a HREAP AP boots up
in the standalone Remote Site WAN
mode, it will not get the H-REAP
Remote Site

CCKM keys from the Group 1 H-REAP
Group 2
WLC and fast roaming
is not supported


H-REAP Groups and CCKM Keys

Add a New
H-REAP Group

Add APs to the
H-REAP Group


Agenda



H-REAP Backup Scenario
WAN Failure
Central Site

 H-REAP will backup on local
switched mode
No impact for locally switched SSIDs
Disconnection of centrally switched SSIDs clients

 Static authentication keys are locally
WAN
stored in H-REAP AP
 Lost features
Remote Site
RRM, WIDS, location, other AP modes
Web authentication, NAC
Application
Server


WLC Failure
 H-REAP will first backup on local Central Site

switched mode
No impact for locally switched SSIDs
Disconnection of centrally switched
SSIDs clients

 CCKM roaming allowed in
H-REAP group WAN

 H-REAP AP will then search
for backup WLC; when backup Remote Site

WLC is found, H-REAP AP will
resync with WLC and Application
Server
resume client session with central
traffic.
 Client session with Local Traffic
are not impacted during resync
with Backup WLC.

H-REAP Group: Local Backup RADIUS
Backup Scenario
Central Site

 Normal authentication is done
centrally Central RADIUS

 On WAN failure, AP
authenticate new client with
locally defined RADIUS server
WAN
 Existing connected clients
stay connected Local Backup
RADIUS Remote Site
 Clients can roam with
CCKM fast roaming, or
Reauthentication
H-REAP Group 1

CCKM Fast Roaming


H-REAP Group: Local Backup RADIUS
Configuration

 Define primary and secondary local backup
RADIUS server per H-REAP group


H-REAP Group: Local Backup Authentication
Backup Scenario
Central Site
 Normal authentication is
done centrally Central RADIUS

 On WAN failure, AP
authenticate new client with
its local database
 Each H-REAP AP has a WAN
copy of the local user DB
 Existing authenticated clients Remote Site

stay connected
 Clients can roam with:
CCKM fast roaming, or H-REAP Group 1

Local re-authentication

! Only LEAP and EAP-FAST Supported CCKM Fast Roaming


H-REAP Group: Local Backup Authentication
Configuration

 Define users (max 100) and passwords
 Define EAP parameters (LEAP or EAP-FAST)


WAN Down Behavior (Bootup Standalone Mode)

 Central Switched WLANs will shutdown
 Web-auth WLANs will shutdown
 Local Switched WLANs will be up :
Only Open, Shared and WPA-PSK are allowed.
Local 802.1x allowed with local authentication or local
RADIUS

 Unsupported features
RRM, CCKM, WIDS, Location, Other AP Mode, NAC.


Not Supported Backup Scenario
! AP Changing Mode on Failure
Central Site

 AP can not automatically
change from local mode to
H-REAP mode on local WLC
failure
Changing mode is a configuration
task of the AP
WAN
 Why it does not make sense
Need for dual configuration at the Remote Site

switch level (access port for central,
802.1Q for H-REAP) Application
Server
Lost controller features
when going to H-REAP
If you accept H-REAP locally,
then don’t but local WLC

! Not Supported Backup Scenario


Not Supported Backup Scenario
! Auto-Enabling Backup Local Switching
Central Site

 H-REAP AP can not be configured with Primary
Application
two SSID with same name; one in central Server

switching mode, one in local switching
mode; when central switching is down,
local switched SSID becomes active
Changing enable status of an SSID is a WAN
configuration task of the WLC level

 Cisco recommends using Local Remote Site

Switching. Why? H-REAP AP

SSID “Data”
(Central Switching)
Fault Tolerance will always keep client Backup
Application
connection UP. Server

SSID “Data”
! Not Supported Backup Scenario (Local Switching)
Disable Enable


Failover Matrix

WAN Up WAN Down
Feature
(Connected) (Standalone)
Static Security Keys
Yes Yes
(WEP, WPA2/PSK)

802.1x/EAP Yes Yes

Yes
RADIUS Yes
(local RADIUS Backup)

Local Authentication Yes New Yes

Yes
OKC Fast Roaming Yes New
(not new clients)

WebAuth & MAC Auth Yes No


Agenda

 Operating an H-REAP Based Branch Network


Monitor H-REAP Latency

 RTT for H-REAP AP must be 300ms maximum
 Latency tool will help monitor WAN latency


Upgrading an H-REAP Deployment
Concerns

 Sites using H-REAP AP are usually sites with low WAN
bandwidth
 Each site may have small number of AP, but an
enterprise may have a lot of branches
 Upgrading ~2000 AP through a low bandwidth WAN is a
challenge :
• Time needed to download all the AP firmware
• Exhaust of the WAN link
• Risk of failures during the download


Safe Process
Firmware Image

Use “Pre-Download” 7.0
6.0 7.0
6.0
Primary Secondary
Feature and Control the 7.0

Process Before Effectively Wireless Control Wireless LAN
Do the Upgrade System
Central Site Controller

1.Download WLC upgraded
firmware (will become primary)

2.Force the « boot image »
to be the secondary (and not the
newly upgraded one) to avoid WAN
parallel download of all AP in case
Remote Site-1 Remote Site-N
of unexpected
WLC reboot


Safe Process (Cont…)
Firmware Image

3. « Pre-download » the AP
firmware in the secondary 7.0
6.0 7.0
6.0
« boot image » (will not Primary Secondary

disrupt the actual service)—
Can be started AP per AP to Wireless Control
System
Wireless LAN
Central Site Controller
limit WAN exhaust
4. Check that all the H-REAP
AP are up-to-date (all
download succeed)
5. Swap the « boot image » WAN
of the AP to the new one, AP Firmware Image
Remote Site-1 Remote Site-N
change the « boot image »
of the WLC to the new one
7.0
6.0 7.0
6.0

6. Reboot the controller Primary Secondary


Agenda



Customer Requirements
 ~1000 Medium stores (“Supermarket”)
 Up to 5 AP per store.
 L2 connectivity between the AP. AP on access port (no 802.1Q
trunk today)
 Existing local resources (servers, …)
 WLAN Services :
SSID for Scanners :
• WPA-PSK will be used on scanners
• Same SSID name for all the stores, but different key per store
• Local Switching in the store
SSID for Laptops :
• WPA/TKIP or WPA2/AES for laptops
• Same SSID name and VLAN for all the stores
• Central RADIUS authentication
• Central Switching

RADIUS
CT-5508 Data Center
Cluster
WLAN 17 : Store 1 WLAN 200 : Store-Data
 SSID=Scanner  SSID=Laptop
 WPA-PSK=XYZ  WPA/RADIUS
 Local VLAN=native  Central VLAN=Tag-
…
WLAN 17+N : Store-N
 SSID=Scanner
 WPA-PSK=ZYX
 Local VLAN=native
WAN

Store-1 Store-N
Local Resource Local Resource

1000 Stores
H-REAP H-REAP

SSID-Scanner SSID-Scanner
(Key-Store-1) SSID-Laptop (Key-Store-N) SSID-Laptop
(WPA2) (WPA2)

Scanners Laptops Scanners Laptops
(WPA-PSK) (WPA2) (WPA-PSK) (WPA2)

RADIUS
CT-5508 Data Center
Cluster
AP Group 1 : Store 1
 WLANs : Store-1
Store-data
…
AP Group N : Store-N
 SSID=Scanner
 WLANs : Store-N
Store-data
WAN

Store-1 Store-N
Local Resource AP-Group-1 Local Resource AP-Group-N

1000 Stores
H-REAP H-REAP

SSID-Scanner SSID-Scanner
(Key-Store-1) SSID-Laptop (Key-Store-N) SSID-Laptop
(WPA2) (WPA2)

Scanners Laptops Scanners Laptops
(WPA-PSK) (WPA2) (WPA-PSK) (WPA2)

Project Scale
 1000 Stores with an average of 5 AP per store : 5000 AP
 10 x CT-5508-500 to support 5000 AP
 1000 Stores means :
• 1000 WLAN profiles with 1000 same SSID for Scanners each with a different
WPA2-PSK key per store (*)
• 1 WLAN profile with same SSID for Laptops with central switching and central
WPA/Radius authentication
• 1000 AP Groups to map the WLAN profiles on each store

 Capabilities to be supported by CT-5508-500 for this case study :
• 100 Stores managed by a CT-5508
• 100 different WLAN Profiles with same H-REAP SSID per CT
• 100 AP Groups per CT
• No H-REAP Groups for phase 1


Summary

 Cisco Unified Wireless Network based on
Controllers deliver Wireless Branch Solution
 H-REAP is the feature designed to solve remote
connectivity and WAN constraints
 Several Failover Scenario are targeted to offer
Survivability of Small Remote Sites

Deployment Guide URL- http://www.cisco.com/*****


Deploying Cisco’s FlexConnect
Wireless Branch Solution
Increases Business Resiliency


Wireless Branch Office Network Architecture

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Wireless Branch Office Network Architecture

Similar to Wireless Branch Office Network Architecture (20)

More from Cisco Mobility

More from Cisco Mobility (8)

Recently uploaded

Recently uploaded (20)

Wireless Branch Office Network Architecture