
Page 1: Cisco Unified Wireless Network Overview - DFW Cisco Users

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2010

Cisco Unified Wireless Network Overview

Steve Acker, Wireless Advanced Services, Network Consulting Engineer, CCIE#14097, CISSP#86844, CWSP

Page 2: Agenda

• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture

Page 3: Agenda (repeated)

Page 4: Cisco Unified Wireless Network Architecture Overview

• 802.11n and 802.11a/g
• Highly scalable
• Real-time RF visibility and control
• Monitor and migrate standalone access points
• Easily configure
  – WLAN controllers using SNMP
  – Access points using CAPWAP
• Built-in support for Mobility Services
  – Context-Aware Services (Location)
  – Adaptive Wireless Intrusion Prevention System (wIPS)
• Wired and wireless guest access

[Figure: Lightweight Access Points joined over CAPWAP to the Wireless LAN Controller, with the Wireless Control System (WCS) and Mobility Services Engine (MSE); Client Devices and Wi-Fi Tags; 802.11n Standalone Access Points]

Page 5: Understanding WLAN Controllers: 1st/2nd Generation vs. 3rd Generation Approach

• 1st/2nd generation: APs act as an 802.1Q translational bridge, putting client traffic on local VLANs
• 3rd generation: the controller bridges client traffic centrally

[Figure: in the 1st/2nd generation design the AP attaches directly to the Data, Voice and Management VLANs; in the 3rd generation design the AP reaches the Data, Voice and Management VLANs through an LWAPP/CAPWAP tunnel to the controller]

Page 6: Centralized Wireless LAN Architecture: What Is CAPWAP?

• CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller and is based on LWAPP
• CAPWAP carries control and data traffic between the two
  – Control plane is DTLS (Datagram Transport Layer Security) encrypted
  – Data plane DTLS encryption is optional
• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless

[Figure: Wi-Fi Client, Access Point, CAPWAP Controller and Business Application; the CAPWAP Control Plane and Data Plane run between the Access Point and the CAPWAP Controller]

Page 7: CAPWAP Modes: Split MAC

The CAPWAP protocol supports two modes of operation:
• Split MAC (centralized mode)
• Local MAC (H-REAP)

[Figure: Split MAC. The STA's Wireless Frame terminates at the AP (Wireless PHY and MAC Sublayer); the AP carries it over the CAPWAP Data Plane to the WLC, which emits an 802.3 Frame]

Page 8: CAPWAP Modes – Split MAC

• One of the key concepts of LWAPP is split MAC
• The real-time RF part of the 802.11 protocol operation is managed by the LWAPP AP
• The non-real-time parts of the 802.11 protocol are managed by the WLC

Page 9: CAPWAP Modes – Local MAC

Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames.

[Figure: Locally bridged. The STA's Wireless Frame terminates at the AP (Wireless PHY and MAC Sublayer) and leaves the AP as an 802.3 Frame without passing through the WLC]

Page 10: CAPWAP Modes – Local MAC

Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames.

H-REAP supports locally bridged MAC and split MAC per SSID.

[Figure: Tunneled as 802.3 frames. The STA's Wireless Frame terminates at the AP (Wireless PHY and MAC Sublayer), is converted to an 802.3 Frame and carried over the CAPWAP Data Plane to the WLC, which emits it as an 802.3 Frame]

Page 11: CAPWAP State Machine

[Figure: AP Boots Up → Discovery → DTLS Setup → Join → Image Data → Config → Run; Reset returns the AP to Discovery]

Page 12: AP Controller Discovery

• Layer 2 join procedure is attempted on LWAPP APs (CAPWAP does not support Layer 2 APs): a broadcast message is sent to discover a controller on the local subnet
• Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails

Controller Discovery Order:
1. Previously learned or primed controllers
2. Subnet broadcast
3. DHCP option 43
4. DNS lookup

Page 13: AP Controller Discovery: DHCP Option

[Figure: 1. DHCP Request from the AP; 2. DHCP Offer from the DHCP Server, containing Option 43 for the controller; 3. Layer 3 CAPWAP Discovery Request (broadcast) from the AP and Layer 3 CAPWAP Discovery Responses from the controllers]

Page 14: AP Controller Discovery: DNS Option

[Figure: 1. DHCP Request from the AP; 2. DHCP Offer from the DHCP Server contains the DNS server or servers, with Option 15 to give APs the local domain name; 3. the AP asks the DNS Server for CISCO-CAPWAP-CONTROLLER.localdomain, which resolves to 192.168.1.2; 4. the AP sends its discovery to 192.168.1.2]
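The two DHCP-assisted discovery paths above (option 43 and the option 15 domain feeding a DNS lookup) are easy to misconfigure on the server side, so the following added example, which is not part of the original deck or of any Cisco software, encodes and validates the option 43 payload and assembles the discovery candidate list in the order the slides give. It assumes the sub-option layout Cisco documents for lightweight APs (type 0xf1, length 4×N, N IPv4 addresses); the `resolve` callback and all addresses are constructed for the example.

```python
import ipaddress

# Sub-option type Cisco documents for a WLC address list inside DHCP option 43:
# type 0xf1, length 4*N, then N IPv4 addresses (assumption stated in the lead-in).
CISCO_WLC_SUBOPTION = 0xF1
CAPWAP_DNS_LABEL = "CISCO-CAPWAP-CONTROLLER"


def encode_option43(controllers):
    """Build the option 43 payload a DHCP server would hand to a CAPWAP AP."""
    ips = [ipaddress.IPv4Address(c) for c in controllers]
    # The TLV length is one byte, so at most 63 four-byte addresses fit.
    if not 1 <= len(ips) <= 63:
        raise ValueError("need between 1 and 63 controller addresses")
    payload = b"".join(ip.packed for ip in ips)
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def decode_option43(data):
    """Walk the vendor sub-option TLVs in an Offer and return the WLC addresses."""
    controllers = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        sub_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if sub_type == CISCO_WLC_SUBOPTION:
            # Anything that is not a whole number of IPv4 addresses is a misconfigured
            # scope; reject it rather than silently joining the wrong controller.
            if length == 0 or length % 4:
                raise ValueError("WLC sub-option length must be a non-zero multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[j:j + 4]))
                            for j in range(0, length, 4)]
        i += 2 + length
    return controllers


def capwap_dns_name(domain):
    """Name the AP resolves when it falls through to the DNS step (option 15 domain)."""
    return f"{CAPWAP_DNS_LABEL}.{domain.strip('.')}"


def discovery_candidates(primed, option43, domain, resolve):
    """Ordered (source, address) list following the slide's discovery order:
    primed controllers, subnet broadcast, DHCP option 43, DNS lookup.
    `resolve` is injected so the example runs offline."""
    ordered = [("primed", ip) for ip in primed]
    ordered.append(("broadcast", "255.255.255.255"))
    ordered += [("dhcp43", ip) for ip in decode_option43(option43)]
    ordered += [("dns", ip) for ip in resolve(capwap_dns_name(domain))]
    seen, unique = set(), []
    for source, ip in ordered:          # keep the first occurrence of each address
        if ip not in seen:
            seen.add(ip)
            unique.append((source, ip))
    return unique


if __name__ == "__main__":
    # Constructed sample: two controllers in option 43, one more learned via DNS.
    offer43 = encode_option43(["192.168.10.5", "192.168.10.6"])
    print(offer43.hex())                     # f108c0a80a05c0a80a06
    fake_dns = lambda name: ["192.168.1.2"] if name == "CISCO-CAPWAP-CONTROLLER.localdomain" else []
    for source, ip in discovery_candidates(["10.0.0.1"], offer43, "localdomain", fake_dns):
        print(f"{source:10s} {ip}")
```

The decoder deliberately raises on a sub-option whose length is not a multiple of four: a scope typed by hand (the usual source of a wrong hex string) should fail loudly at the server rather than leave APs discovering a controller that does not exist.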

Page 15: WLAN Controller Selection Algorithm

The CAPWAP Discovery Response contains important information from the WLAN controller: controller name, controller type, controller AP capacity, current AP load, “Master Controller” status, and AP Manager IP address or addresses.

The AP selects a controller to join using the following decision criteria:
1. Attempt to join a WLAN controller configured as a “Master” controller
2. Attempt to join a WLAN controller whose name matches the previously configured primary, secondary, or tertiary controller name
3. Attempt to join the WLAN controller with the greatest excess AP capacity (dynamic load balancing)

Options 2 and 3 allow for two approaches to controller redundancy and AP load balancing: deterministic and dynamic.
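The selection criteria above, written out as an added example (not the deck's or Cisco's code) in the exact order the slide lists them. The response fields are the ones the slide names; the sample controllers and the rule that a controller with no free AP slots is skipped in the dynamic step are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveryResponse:
    """Fields the slide lists in a CAPWAP Discovery Response."""
    name: str
    controller_type: str
    ap_capacity: int          # licensed AP capacity
    ap_load: int              # APs currently joined
    is_master: bool
    ap_manager_ips: tuple     # where the Join Request is sent

    @property
    def excess_capacity(self):
        return self.ap_capacity - self.ap_load


def select_controller(responses, primary=None, secondary=None, tertiary=None):
    """Return (chosen response, reason) in the order the slide gives: master first,
    then the configured primary/secondary/tertiary name, then the greatest excess
    AP capacity. Returns (None, reason) if nothing is joinable."""
    if not responses:
        return None, "no discovery responses"

    # 1. A controller flagged as "Master" wins outright.
    masters = [r for r in responses if r.is_master]
    if masters:
        return masters[0], "master controller"

    # 2. Deterministic: first configured name that answered, in priority order.
    for role, wanted in (("primary", primary), ("secondary", secondary), ("tertiary", tertiary)):
        if wanted is None:
            continue
        match = next((r for r in responses if r.name == wanted), None)
        if match is not None:
            return match, f"configured {role} controller"

    # 3. Dynamic load balancing: greatest excess capacity. A controller with no free
    #    AP slots is skipped here (assumption: a full controller would refuse the join).
    candidates = [r for r in responses if r.excess_capacity > 0]
    if not candidates:
        return None, "all responding controllers are full"
    best = max(candidates, key=lambda r: r.excess_capacity)
    return best, "dynamic load balancing"


# Constructed sample responses, not taken from any real controller.
SAMPLE = [
    DiscoveryResponse("WLC-A", "5508", 500, 480, False, ("10.1.1.10",)),
    DiscoveryResponse("WLC-B", "5508", 500, 120, False, ("10.1.1.20",)),
    DiscoveryResponse("WLC-C", "2504", 50, 50, False, ("10.1.1.30",)),
]

if __name__ == "__main__":
    chosen, why = select_controller(SAMPLE)
    print(chosen.name, why)              # WLC-B dynamic load balancing
    chosen, why = select_controller(SAMPLE, primary="WLC-C", secondary="WLC-A")
    print(chosen.name, why)              # WLC-C configured primary controller
```

Running the two calls shows the design point behind slides 48 and 49: with no names configured the AP lands wherever capacity happens to be, while a configured primary is honoured even when it is the fuller controller.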

Page 16: CAPWAP Control Messages for Join Process

• CAPWAP Join Request: the AP sends this message to the selected controller (sent to the AP Manager interface IP address)
• CAPWAP Join Response: if the controller validates the AP request, it sends the CAPWAP Join Response indicating that the AP is now registered with that controller

[Figure: CAPWAP Join Request from the AP to the controller, CAPWAP Join Response from the controller to the AP]

Page 17: Configuration Phase: Firmware and Configuration Download

• Firmware is downloaded by the AP from the WLC
  – Firmware is downloaded only if needed; the AP reboots after the download
  – Firmware is digitally signed by Cisco
• Network configuration is downloaded by the AP from the WLC
  – Configuration is encrypted in the CAPWAP tunnel
  – Configuration is applied

[Figure: Access Points joined to the Cisco WLAN Controller over LWAPP-L3, showing the Firmware Download and the Configuration Download]

Page 18: Which Software Version Should I Use?

• WLC 5508 supports 6.0 and 7.0
• WLC 7500, WiSM-2 and WLC 2504 are only supported in 7.0.116 and up

Page 19: Agenda (repeated)

Page 20: Mobility Defined

• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving its location in the networked environment
• Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it’s mobile!
• Mobility presents new challenges:
  – Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
  – Need to support client roaming that is seamless (fast) and preserves security

Page 21: Scaling the Architecture with Mobility Groups

• A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the LWAPP Join process
• Support for up to 24 controllers, 3600 APs per mobility group
• Mobility messages are exchanged between controllers
• Data is tunneled between controllers in EtherIP (RFC 3378)

[Figure: three controllers connected by Ethernet-in-IP tunnels and exchanging Mobility Messages]

Controller-A, MAC: AA:AA:AA:AA:AA:01, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)
Controller-B, MAC: AA:AA:AA:AA:AA:02, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)
Controller-C, MAC: AA:AA:AA:AA:AA:03, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)
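Every member of the mobility group has to carry the same group name and the correct MAC address for every peer, and a stale entry on one controller is enough to break roaming in one direction. The following added example (not from the deck or from Cisco) takes the three controllers exactly as the slide shows them and checks the configuration for mutual consistency and the 24-controller limit; the "rebuilt controller" fault is constructed for the example.

```python
MAX_CONTROLLERS_PER_GROUP = 24   # limit stated on the slide


def check_mobility_group(controllers):
    """controllers: {name: {"mac": str, "group": str, "neighbors": {peer_name: peer_mac}}}.
    Returns a list of findings; an empty list means every member agrees with every other."""
    findings = []
    if len(controllers) > MAX_CONTROLLERS_PER_GROUP:
        findings.append(f"{len(controllers)} controllers exceed the "
                        f"{MAX_CONTROLLERS_PER_GROUP} per-group limit")
    groups = {c["group"] for c in controllers.values()}
    if len(groups) > 1:
        findings.append(f"mobility group name mismatch: {sorted(groups)}")
    for name, cfg in controllers.items():
        expected = set(controllers) - {name}
        listed = set(cfg["neighbors"])
        for missing in sorted(expected - listed):
            findings.append(f"{name} does not list {missing} as a neighbor")
        for extra in sorted(listed - expected):
            findings.append(f"{name} lists {extra}, which is not a member")
        for peer, mac in cfg["neighbors"].items():
            # MAC addresses must match what the peer itself reports.
            if peer in controllers and mac.lower() != controllers[peer]["mac"].lower():
                findings.append(f"{name} has {mac} for {peer}, "
                                f"but {peer} reports {controllers[peer]['mac']}")
    return findings


# The three controllers as shown on the slide.
SLIDE_GROUP = {
    "Controller-A": {"mac": "AA:AA:AA:AA:AA:01", "group": "MyMobilityGroup",
                     "neighbors": {"Controller-B": "AA:AA:AA:AA:AA:02",
                                   "Controller-C": "AA:AA:AA:AA:AA:03"}},
    "Controller-B": {"mac": "AA:AA:AA:AA:AA:02", "group": "MyMobilityGroup",
                     "neighbors": {"Controller-A": "AA:AA:AA:AA:AA:01",
                                   "Controller-C": "AA:AA:AA:AA:AA:03"}},
    "Controller-C": {"mac": "AA:AA:AA:AA:AA:03", "group": "MyMobilityGroup",
                     "neighbors": {"Controller-A": "AA:AA:AA:AA:AA:01",
                                   "Controller-B": "AA:AA:AA:AA:AA:02"}},
}


def broken_copy():
    """Constructed fault: Controller-B was replaced and its MAC changed, but the
    other two members still carry the old address for it."""
    import copy
    bad = copy.deepcopy(SLIDE_GROUP)
    bad["Controller-B"]["mac"] = "AA:AA:AA:AA:AA:22"
    return bad


if __name__ == "__main__":
    print(check_mobility_group(SLIDE_GROUP))   # []
    for line in check_mobility_group(broken_copy()):
        print(line)
```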

Page 22: Increased Mobility Scalability

• Roaming is supported across three mobility groups (3 × 24 = 72 controllers)
• With Inter Release Controller Mobility (IRCM), roaming is supported between 4.2.207, 6.0.188 and 7.0

[Figure: Mobility Sub-Domain 1, Mobility Sub-Domain 2 and Mobility Sub-Domain 3 connected by Ethernet-in-IP tunnels and exchanging Mobility Messages]

Page 23: How Long Does an STA Roam Take?

Time it takes for:
  client to disassociate
  + probe for and select a new AP
  + 802.11 association
  + 802.1X/EAP authentication
  + rekeying
  + IP address (re)acquisition

All this can be on the order of seconds… Can we make this faster?

Page 24: Roaming Requirements

Roaming must be fast. Latency can be introduced by:
• Client channel scanning and AP selection algorithms
• Re-authentication of the client device and re-keying
• Refreshing of the IP address

Roaming must maintain security:
• Open auth, static WEP: session continues on the new AP
• WPA/WPAv2 Personal: new session key for encryption derived via standard handshakes
• 802.1X, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and a new session key derived for encryption

Page 25: How Are We Going to Make Roaming Faster?

Focus on where we can have the biggest impact:
• Eliminating the IP address (re)acquisition challenge
• Eliminating full 802.1X/EAP reauthentication

Page 26: Intra-Controller Roaming: Layer 3

[Figure: WLC-1 (VLAN X) and WLC-2 (VLAN Z), each with its own client database holding the client data (MAC, IP, QoS, Security); Mobility Message Exchange between the controllers; Preroaming Data Path through WLC-1]

Page 27: Client Roaming Between Subnets: Layer 3 (Cont.)

[Figure: the client roams to a different AP. WLC-1 (VLAN X) is the Anchor Controller and WLC-2 (VLAN Z) the Foreign Controller; after the Mobility Message Exchange the client data (MAC, IP, QoS, Security) is held in both client databases, and client traffic follows the Anchor Controller Data Tunnel back to the Preroaming Data Path]

Page 28: Roaming: Inter-Controller, Layer 3

• L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and client traffic is bridged onto different subnets
• Client must be re-authenticated and a new security session established
• Client database entry is copied to the new controller; the entry exists in both WLC client DBs
• Original controller is tagged as the “anchor”, new controller is tagged as the “foreign”
• WLCs must be in the same mobility group or domain
• No IP address refresh needed
• Account for the mobility message exchange in network design

Page 29: How Are We Going to Make Roaming Faster? (repeated)

Page 30: Fast Secure Roaming: Standard Wi-Fi Secure Roaming

• 802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms
• 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam

Note: a mechanism is needed to centralize key distribution.

[Figure: Cisco AAA Server (ACS or ISE) reached across the WAN from AP1 and AP2; 1. 802.1X Initial Authentication Transaction via AP1; 2. 802.1X Reauthentication After Roaming to AP2]

Page 31: Cisco Centralized Key Management (CCKM)

• Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application-specific devices (ASDs)
• CCKM was ported to the CUWN architecture in the 3.2 release
• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
• To work across WLCs, the WLCs must be in the same mobility group
• When a client device roams, the WLC forwards the client's security credentials to the new AP.

Page 32: Fast Secure Roaming: WPA2/802.11i Pairwise Master Key (PMK) Caching

WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients.

From the 802.11i specification:
• Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later. However, if a client has not roamed to a particular access point during its current working session, it must then authenticate to that specific access point using 802.1x.
• When a STA (re-)associates to an AP, it may attach a list of PMK IDs (which were derived via the dot1x process with this AP before) in the (re)association request frame.
• When a PMK ID exists, the AP can use it to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake session with the STA.

Page 33: OKC/PKC

Key data points:
• A client device can skip the 802.1x authentication with an access point and only needs to perform the 4-way handshake when roaming to access points that are centrally managed by the same WLC.
• Supported in Windows since XP SP2
• Enabled by default on WLCs with WPAv2
• Requires WLCs to be in the same mobility group
• In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!
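The PMK-cache lookup described on the previous slide and the OKC/PKC shortcut on this one differ only in who is allowed to derive the PMKID for a BSSID the client has never authenticated with. The added example below (not from the deck or from Cisco) models the controller-side cache and shows the same roam taken with and without OKC. The PMKID derivation is the one 802.11i defines; the PMK, MAC addresses and the `ControllerPmkCache` class are constructed for the example.

```python
import hashlib
import hmac


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk, ap_bssid, sta_mac):
    """PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA)) as defined by 802.11i."""
    msg = b"PMK Name" + mac_bytes(ap_bssid) + mac_bytes(sta_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


class ControllerPmkCache:
    """PMK store on the WLC. With plain PMK caching an AP only honours PMKIDs it derived
    itself, so a client roaming to an AP it has never authenticated with does full 802.1X.
    With OKC the controller derives the PMKID for the new AP's BSSID from the same PMK."""

    def __init__(self, okc_enabled):
        self.okc_enabled = okc_enabled
        self._pmk = {}          # sta_mac -> PMK from the last 802.1X/EAP exchange
        self._visited = set()   # (sta_mac, bssid) pairs that completed 802.1X

    def record_8021x(self, sta_mac, bssid, pmk):
        self._pmk[sta_mac.lower()] = pmk
        self._visited.add((sta_mac.lower(), bssid.lower()))

    def reassociate(self, sta_mac, bssid, offered_pmkids):
        """Return 'four_way_handshake' if the PMK can be reused, else 'full_8021x'."""
        sta, ap = sta_mac.lower(), bssid.lower()
        pmk = self._pmk.get(sta)
        if pmk is None:
            return "full_8021x"
        if not self.okc_enabled and (sta, ap) not in self._visited:
            return "full_8021x"            # no cached record for this STA at this AP
        expected = pmkid(pmk, ap, sta)     # bound to the STA MAC, as the slide requires
        for offered in offered_pmkids:
            if hmac.compare_digest(offered, expected):   # constant-time compare
                return "four_way_handshake"
        return "full_8021x"                # offered PMKIDs do not belong to this STA's PMK


# Constructed sample values; a real PMK comes out of the EAP exchange.
PMK = hashlib.sha256(b"constructed demo PMK, not a real key").digest()
STA, AP1, AP2 = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"


def roam_outcome(okc_enabled):
    cache = ControllerPmkCache(okc_enabled)
    cache.record_8021x(STA, AP1, PMK)              # initial association on AP1
    # The supplicant derives the PMKID for the target AP from its cached PMK.
    return cache.reassociate(STA, AP2, [pmkid(PMK, AP2, STA)])


if __name__ == "__main__":
    print("OKC on :", roam_outcome(True))    # four_way_handshake
    print("OKC off:", roam_outcome(False))   # full_8021x
```

The lookup keys the cache by STA MAC before comparing PMKIDs, which is what the "matches the STA MAC address" clause on the previous slide amounts to: a PMKID is only evidence of a prior authentication for the station it was derived for.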

Page 34: How Long Does a Client Really Take to Roam?

Time to roam =
  client to disassociate
  + probe for and select a new AP
  + 802.11 association
  + mobility message exchange between WLCs
  + reauthentication
  + rekeying
  + IP address (re)acquisition

• Network latency will have an impact on these times; a consideration for controller placement
• With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary

Page 35: How Often Do Clients Roam?

• It depends… on the types of clients and applications
• Most client devices are designed to be “nomadic” rather than “mobile”, though the proliferation of small form factor, “smart” devices will probably change this…
• Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly
• Design rule of thumb: 10-20 roams per second for every 5000 clients

Page 36: Designing a Mobility Group/Domain: Design Considerations

• Less roaming is better; clients and apps are happier
• While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
• L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider “worst case” scenarios in designing roaming domain size
• Leverage natural roaming domain boundaries
• Make sure the right ports and protocols are allowed

Page 37: Agenda (repeated)

Page 38: TrustSec 2.0 and Identity Services Engine

• Centralized Policy
• Distributed Enforcement
• AAA Services
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

[Figure: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server converging into the Identity Services Engine]

*Current NAC and ACS hardware platform is software upgradable to ISE

Page 39: ISE Integrated Device Profiling

• Visibility for wired and wireless devices
• Simplified “Device Category” policy
• New device templates via subscription feeds

[Figure: “iPad Template” and Custom Template]

Page 40: ISE Integrated Device Profiling

• Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication
• An employee using a corporate laptop with their AD user id can be assigned to VLAN 30 to have full access to the network
• An employee using a personal iPad/iPhone with their AD user id can be assigned to VLAN 40 to have internet access only

[Figure: two employees on the same SSID; CAPWAP to the controller and an 802.1Q trunk carrying VLAN 30 (Corporate Resources) and VLAN 40 (Internet); 1. EAP Authentication, 2. ISE accepts with VLAN 30; 3. EAP Authentication, 4. ISE accepts with VLAN 40]
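The per-device VLAN assignment on the slide is carried from ISE to the controller in the Access-Accept as the RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN), which the WLC honours only with AAA Override enabled on the WLAN. The added example below (not from the deck, Cisco or ISE) builds that attribute triple from a small profile-to-VLAN policy and parses it back the way a controller would. The profile names, the policy table and the rule that the VLAN must match an interface the controller actually has are assumptions for the example.

```python
# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Assumed authorization policy mirroring the slide: same SSID, same AD user, different
# VLAN by ISE device profile. Profile names are placeholders.
VLAN_BY_PROFILE = {"corporate-laptop": 30, "apple-ipad": 40, "apple-iphone": 40}


def _tagged_int(attr, tag, value):
    val = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(val)]) + val


def _tagged_string(attr, tag, text):
    val = bytes([tag]) + text.encode("ascii")
    return bytes([attr, 2 + len(val)]) + val


def vlan_override_attributes(vlan_id, tag=1):
    """The three attributes an Access-Accept carries to place the client on a VLAN."""
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def authorize(user_authenticated, device_profile):
    """Return the Access-Accept attribute bytes, or None when no override applies
    (the client then lands on the WLAN's default interface)."""
    if not user_authenticated:
        return None
    vlan = VLAN_BY_PROFILE.get(device_profile)
    return None if vlan is None else vlan_override_attributes(vlan)


def _untag(value):
    # RFC 2868: a first byte above 0x1F is data, not a tag.
    return value[1:] if value and value[0] <= 0x1F else value


def parse_vlan_override(attrs, known_vlans):
    """What the controller does with AAA Override enabled: require the full RFC 3580
    triple and a VLAN it actually has an interface for (assumption), else no override."""
    fields = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2:
            raise ValueError("malformed RADIUS attribute")
        a_type, a_len = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + a_len]
        if len(value) != a_len - 2:
            raise ValueError("truncated RADIUS attribute")
        fields[a_type] = _untag(value)
        i += a_len
    if (int.from_bytes(fields.get(TUNNEL_TYPE, b""), "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(fields.get(TUNNEL_MEDIUM_TYPE, b""), "big") != TUNNEL_MEDIUM_IEEE802):
        return None
    group = fields.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
    if not group.isdigit():
        return None
    vlan = int(group)
    return vlan if vlan in known_vlans else None


if __name__ == "__main__":
    wlc_interfaces = {30, 40}                         # dynamic interfaces on the controller
    for profile in ("corporate-laptop", "apple-ipad", "unknown-printer"):
        accept = authorize(True, profile)
        vlan = None if accept is None else parse_vlan_override(accept, wlc_interfaces)
        print(f"{profile:17s} -> VLAN {vlan}")
```

The parser returning `None` for an unknown VLAN is the case to watch operationally: a policy that names a VLAN with no dynamic interface on the controller silently leaves the client on the WLAN's default interface, which for the iPad case on the slide would mean corporate access rather than internet-only.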

Page 41: ISE Integrated Device Profiling

Example: VLAN 30 (corporate access), VLAN 40 (internet access)

Page 42: ISE Integrated Device Profiling

• Laptop: assign VLAN 30
• iPad: assign VLAN 40
• ISE Setup – Authorization Profiles: redirect, VLAN, Override ACL, CoA…

Page 43: ISE Integrated Device Profiling

• WLC CoA setup – Pre-Auth ACL allows ALL client traffic to ISE (permit ANY to the ISE IP address)
• WLAN – Dot1X, AAA Override and RADIUS NAC enabled

Page 44: ISE Integrated Device Profiling

• RADIUS probe (information about authentication, authorization and accounting requests from Network Access
• DHCP (helper or span)
• HTTP user agent (span)
• Customizable profiles

Page 45: Agenda (repeated)

Page 46: Deploying the Cisco Unified Wireless Architecture

• Controller Redundancy and AP Load Balancing
• Understanding AP Groups
• IPv6 Deployment with Controllers
• Branch Office Designs
• Guest Access Deployment
• Home Office Design

Page 47: Deploying the Cisco Unified Wireless Architecture (section agenda, repeated)

Page 48: Controller Redundancy: Dynamic

• Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
• Results in a dynamic “salt-and-pepper” design
• Design works better when controllers are “clustered” in a centralized design

Pros:
• Easy to deploy and configure; less upfront work
• APs dynamically load-balance (though never perfectly)

Cons:
• More intercontroller roaming
• Bigger operational challenges due to unpredictability
• Longer failover times
• No “fallback” option in the event of controller failure

Cisco’s general recommendation: only for Layer 2 roaming; use deterministic redundancy instead of dynamic redundancy.

Page 49: Controller Redundancy: Deterministic

• Administrator statically assigns APs a primary, secondary, and/or tertiary controller
• Assigned from the controller interface (per AP) or WCS (template-based)

Pros:
• Predictability; easier operational management
• More network stability
• More flexible and powerful redundancy design options
• Faster failover times
• “Fallback” option in the case of failover

Con:
• More upfront planning and configuration

This is Cisco’s recommended best practice.

[Figure: WLAN-Controller-A, WLAN-Controller-B and WLAN-Controller-C, with three sets of APs configured as Primary: WLAN-Controller-A / Secondary: WLAN-Controller-B / Tertiary: WLAN-Controller-C; Primary: WLAN-Controller-B / Secondary: WLAN-Controller-C / Tertiary: WLAN-Controller-A; Primary: WLAN-Controller-C / Secondary: WLAN-Controller-A / Tertiary: WLAN-Controller-B]

Page 50: High Availability Using Cisco 5508

• APs are connected to the primary WLC 5508
• In case of hardware failure of the WLC 5508, APs fall back to the secondary WLC 5508
• Traffic flows through the secondary WLC 5508 and the primary core switch

[Figure: Primary WLC 5508 and Secondary WLC 5508, each attached to a pair of core switches]

Page 51: High Availability Using WiSM: Uplink Failure on Primary Switch

• In case of uplink failure of the primary switch, the standby switch becomes the active HSRP switch
• APs are still connected to the primary WiSM
• Traffic flows through the new HSRP active switch

[Figure: Primary WiSM in the Active HSRP Switch; the Standby HSRP Switch becomes the New Active HSRP Switch]

Page 52: High Availability Using WiSM-2

• APs are connected to the primary WiSM
• In case of hardware failure of the primary WiSM, APs fall back to the secondary WiSM
• Traffic flows through the secondary WiSM and the primary core switch

[Figure: Primary WiSM and Secondary WiSM in a pair of core switches]

Page 53: VSS and Cisco 5508

• A Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch
• 4 ports of the Cisco 5508 are connected to the active VSS switch
• The 2nd set of 4 ports of the Cisco 5508 is connected to the standby VSS switch
• In case of failure of the primary switch, traffic continues to flow through the secondary switch in the VSS pair

[Figure: Cisco 5508 dual-attached to a Catalyst VSS Pair]

Page 54: VSS and WiSM-2

[Figure: Virtual Switch System (VSS). Switch-1 (VSS Active): Data Plane Active, Control Plane Active, FWSM Active, WiSM-2 Active. Switch-2 (VSS Standby): Data Plane Active, Control Plane Standby, FWSM Standby, WiSM-2 Standby. The two switches are joined by the VSL and a Failover/State Sync VLAN]

Page 55: Controller Redundancy: High Availability Principles

• The AP is registered with a WLC and maintains a backup list of WLCs
• The AP uses heartbeats to validate WLC connectivity
• The AP uses Primary Discovery messages to validate the backup WLC list
• When the AP loses three heartbeats it starts the join process to the first backup WLC candidate
• The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
• The AP does not re-initiate the discovery process

[Figure: AP with a Primary WLC and a Secondary WLC]

Page 56: Controller Redundancy: High Availability with 7.0

To accommodate both local and remote settings, configurable options are provided so that the administrator can fine-tune the settings based on the requirements.

Timer                        | New Timers   | Old Timers (5508) | Old Timers (Non-5508)
Heartbeat                    | 1-30 seconds | 10-30 seconds     | 1-30 seconds
Fast Heartbeat Timeout       | 1-10 seconds | 3-10 seconds      | 1-10 seconds
AP Retransmit Interval       | 2-5 seconds  | 3 seconds         | 3 seconds
AP Retrans with FH Enabled   | 3-8 times    | 3 times           | 3 times
AP Retrans with FH Disabled  | 3-8 times    | 5 times           | 5 times
AP Fallback to next WLC      | 12 seconds   | 35 seconds        | 35 seconds
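The failover rule on the previous slide (three lost heartbeats, then the first alive controller in primary/secondary/tertiary/global-primary/global-secondary order, with no rediscovery) and the 7.0 timer ranges above are modelled together in this added example, which is not from the deck or from Cisco. The `ApFailover` class, the liveness callback and the scenario are constructed for the example; the ranges in `TIMER_RANGES_70` are the "New Timers" column of the table.

```python
HEARTBEATS_BEFORE_FAILOVER = 3
FALLBACK_ORDER = ("primary", "secondary", "tertiary", "global_primary", "global_secondary")

# Ranges from the 7.0 "New Timers" column on the slide, in seconds / counts.
TIMER_RANGES_70 = {
    "heartbeat": (1, 30),
    "fast_heartbeat_timeout": (1, 10),
    "ap_retransmit_interval": (2, 5),
    "ap_retransmit_count": (3, 8),
}


def validate_timers_70(timers):
    """Return the settings that are missing or fall outside the 7.0 configurable ranges."""
    out_of_range = {}
    for name, (low, high) in TIMER_RANGES_70.items():
        value = timers.get(name)
        if value is None or not low <= value <= high:
            out_of_range[name] = value
    return out_of_range


class ApFailover:
    """Heartbeat bookkeeping an AP keeps against its current WLC, and the backup
    selection it performs after three consecutive lost heartbeats."""

    def __init__(self, current_wlc, backups, is_alive):
        self.current = current_wlc
        self.backups = backups          # role -> controller name (None if unset)
        self.is_alive = is_alive        # callable: what Primary Discovery learned
        self.missed = 0
        self.history = []               # (role, name) of every failover performed

    def heartbeat(self, acknowledged):
        """Feed one heartbeat result; returns the failover performed, if any."""
        if acknowledged:
            self.missed = 0             # only consecutive losses count
            return None
        self.missed += 1
        if self.missed < HEARTBEATS_BEFORE_FAILOVER:
            return None
        return self.fail_over()

    def fail_over(self):
        """First alive backup in the slide's order; no rediscovery is attempted."""
        for role in FALLBACK_ORDER:
            name = self.backups.get(role)
            if name and name != self.current and self.is_alive(name):
                self.current, self.missed = name, 0
                self.history.append((role, name))
                return role, name
        return None   # nothing alive on the list: the AP stays orphaned in this model


def scenario():
    """Constructed walk-through: primary dies, secondary is also down, tertiary takes over."""
    alive = {"WLC-C", "WLC-GLOBAL-1"}
    ap = ApFailover("WLC-A",
                    {"primary": "WLC-A", "secondary": "WLC-B", "tertiary": "WLC-C",
                     "global_primary": "WLC-GLOBAL-1", "global_secondary": None},
                    lambda name: name in alive)
    results = [ap.heartbeat(ok) for ok in (True, False, False, True, False, False, False)]
    return ap.current, results


if __name__ == "__main__":
    print(scenario())
    print(validate_timers_70({"heartbeat": 5, "fast_heartbeat_timeout": 1,
                              "ap_retransmit_interval": 9, "ap_retransmit_count": 3}))
```

The scenario's fourth heartbeat is acknowledged on purpose: two losses followed by a success resets the count, so the AP only fails over after the three consecutive misses at the end.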

Page 57: AP Pre-Image Download in 7.0

• Since most CAPWAP APs can download and keep more than one image of 4–5 MB each, AP pre-image download allows the AP to download code while it is operational

Pre-image download operation:
1. Upgrade the image on the controller
2. Don’t reboot the controller
3. Issue the AP pre-image download command
4. Once all AP images are downloaded,
5. Reboot the controller
6. The AP now rejoins the controller without reboot

How much time do you save?

[Figure: Access Points joined to the Cisco WLAN Controller over CAPWAP-L3, showing the AP Pre-image Download and the AP Joining Without Download]

Page 58: Configure AP Pre-Image Download

Upgrade the image on the controller and don’t reboot. Currently we have two images on the controller:

(Cisco Controller) >show boot
Primary Boot Image............................... 7.0.116.0 (default) (active)
Backup Boot Image................................ 7.0.98.0

Page 59: Configure AP Pre-Image Download

• Wireless > AP > Global Configuration
• Perform primary image pre-download on the AP
• The AP now starts pre-downloading
• The AP swaps the image after the reboot of the controller

Page 60: Deploying the Cisco Unified Wireless Architecture (section agenda, repeated)

Page 61: AP-Groups: Default AP-Group

• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
• The default AP-Group cannot be modified
• APs with no assignment to a specific AP-Group will use the default AP-Group
• The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
• AP-group limits: WLC 2106 (50), WLC 2504 (50), WLC 4400 and WiSM (300), WLC 5508 and WiSM-2 (500), WLC 7500 (500)

Page 62: Default AP-Group

[Figure: controller GUI showing the Default AP Group by network name; only WLANs 1–16 will be added to the Default AP Group]

Page 63: Multiple AP-Groups

[Figure: AP Group 1, AP Group 2 and AP Group 3]

Page 64

Interface-Groups (7.0)

Interface-groups allow a WLAN to be mapped to a single interface or to multiple interfaces

Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round-robin fashion

Extends the current AP group and AAA override with multiple interfaces, using interface groups

Controllers                    Interface-Groups/Interfaces
WiSM-2, 5508, 7500, 2500       64/64
WiSM, 4400                     32/32
2100 and 2504                  4/4
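An added example (not code from the deck) that applies the AP-group and interface-group rules of the two slides above to a planned configuration: WLAN IDs 1–16 sit in the unmodifiable default group, WLANs 17 and up must be placed in a named group, the same WLAN can map to different interfaces in different groups, an interface group hands out its interfaces round-robin, and the per-platform limits are the slide figures. Group, WLAN and interface names are constructed sample data.

```python
# Added example, not code from the Cisco deck: checks a WLAN/AP-group plan against
# the rules the slides state. Limits are the slide figures; the WLAN ids, group and
# interface names used in the tests are constructed sample data.
from itertools import cycle

AP_GROUP_LIMIT = {"2106": 50, "2504": 50, "4400": 300, "WiSM": 300,
                  "5508": 500, "WiSM-2": 500, "7500": 500}
# Interface-groups slide: the 2500 series is listed at 64 and "2100 and 2504" at 4;
# the explicit 2504 figure is kept here.
IFACE_GROUP_LIMIT = {"WiSM-2": 64, "5508": 64, "7500": 64, "WiSM": 32,
                     "4400": 32, "2100": 4, "2504": 4}

def validate_plan(model, wlans, ap_groups, iface_groups):
    """wlans: {wlan_id: ssid}; ap_groups: {group: {wlan_id: interface_or_group}};
    iface_groups: {name: [interface, ...]}. Returns a list of problems (empty = ok)."""
    problems = []
    if len(ap_groups) > AP_GROUP_LIMIT[model]:
        problems.append(f"{len(ap_groups)} AP groups > {model} limit {AP_GROUP_LIMIT[model]}")
    if len(iface_groups) > IFACE_GROUP_LIMIT[model]:
        problems.append(f"{len(iface_groups)} interface groups > {model} limit")
    for name, members in iface_groups.items():
        if len(members) > IFACE_GROUP_LIMIT[model]:
            problems.append(f"interface group {name} has too many interfaces")
    placed = set()
    for group, mapping in ap_groups.items():
        if group == "default-group":   # slide: the default AP-group cannot be modified
            problems.append("default-group is fixed to WLAN ids 1-16; do not edit it")
            continue
        placed.update(mapping)
    # WLAN ids 1-16 are broadcast by the default group; 17 and up only where mapped
    for wid, ssid in wlans.items():
        if wid >= 17 and wid not in placed:
            problems.append(f"WLAN {wid} ({ssid}) is in no AP group: no AP will serve it")
    return problems

def client_interfaces(mapping, wlan_id, iface_groups, n_clients):
    """Interfaces handed to n_clients joining wlan_id through an AP of one AP group:
    a single interface, or the interface group's members in round-robin order."""
    target = mapping[wlan_id]
    pool = iface_groups.get(target, [target])
    return [iface for iface, _ in zip(cycle(pool), range(n_clients))]
```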

Page 65

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing

Understanding AP Groups

IPv6 Deployment with Controllers

Branch Office Designs

Guest Access Deployment

Home Office Design

Page 66

IPv6 over IPv4 Tunneling

Prior to the WLC 6.0 release, only IPv6 pass-thru is supported, and no L2 security can be enabled on an IPv6 WLAN

With the WLC 6.0 release, IPv6 pass-thru with Layer 2 security is supported

To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller

IPv6 packets are tunneled over CAPWAP IPv4 tunnel

Same WLAN can support both IPv4 and IPv6 clients

IPv6 pass-thru and IPv4 Webauth are also supported on the same WLAN

IPv6 is not supported with guest mobility anchor tunneling

Client IPv6 Traffic Tunneled over IPv4 and Bridged to Ethernet (figure):

Client to AP: 802.11 | IPv6
AP to controller (CAPWAP tunnel): Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
Controller to wired network: Ethernet II | IPv6

Page 67

IPv6 Configuration on WLC 6.X

Enable IPv6 on the WLAN and multicast on the WLC

Page 68

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing

Understanding AP Groups

IPv6 Deployment with Controllers

Branch Office Designs (HREAP/FlexConnect)

Understanding HREAP (Hybrid) REAP AP Deployment

Understanding Branch Controller Deployment

Guest Access Deployment

Home Office Design

Page 69

Branch Office Deployment

HREAP/FlexConnect

Hybrid architecture

Single management and control point

Centralized traffic (split MAC) or local traffic (local MAC)

HA will preserve local traffic only

(Figure: Central Site and Remote Office connected across the WAN; centralized traffic crosses the WAN to the controller, local traffic stays at the remote office)

Page 70

H-REAP Design Considerations

Some WAN limitations apply

RTT must be below 300 ms for data (100 ms for voice)

Minimum 500 bytes WAN MTU (with a maximum of four fragmented packets)

Some features are not available in standalone mode or in local switching mode

ACL in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC)

See full list in « H-REAP Feature Matrix »
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
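An added example (not from the deck) that checks a branch WAN link against the H-REAP limits just listed: RTT below 300 ms for data and 100 ms for voice, a WAN MTU of at least 500 bytes, and at most four fragments per tunneled packet. The tunnel-overhead figure and the fragmentation arithmetic are this example's simplifying assumptions, not slide figures.

```python
# Added example, not code from the Cisco deck: checks a branch WAN link against the
# H-REAP limits on the slide. The per-fragment overhead constant and the fragment
# arithmetic are simplifying assumptions of this example.
import math

RTT_LIMIT_MS = {"data": 300, "voice": 100}   # slide: RTT must be below these
MIN_WAN_MTU = 500                             # slide: minimum WAN MTU in bytes
MAX_FRAGMENTS = 4                             # slide: at most four fragments
# Assumed IPv4 (20) + UDP (8) + CAPWAP (8) header bytes carried by every fragment.
TUNNEL_OVERHEAD = 20 + 8 + 8

def fragments_needed(frame_bytes, wan_mtu, overhead=TUNNEL_OVERHEAD):
    """Fragments a tunneled frame of frame_bytes needs when the WAN MTU is wan_mtu;
    each fragment re-carries the tunnel headers (assumption of this example)."""
    payload_per_fragment = wan_mtu - overhead
    if payload_per_fragment <= 0:
        raise ValueError("WAN MTU smaller than the tunnel overhead")
    return math.ceil(frame_bytes / payload_per_fragment)

def check_wan_link(rtt_ms, wan_mtu, voice=False, max_frame=1500):
    """Returns (ok, reasons); ok is False when the link violates a slide limit."""
    reasons = []
    kind = "voice" if voice else "data"
    limit = RTT_LIMIT_MS[kind]
    if rtt_ms >= limit:
        reasons.append(f"RTT {rtt_ms} ms is not below {limit} ms for {kind}")
    if wan_mtu < MIN_WAN_MTU:
        reasons.append(f"WAN MTU {wan_mtu} is below the minimum {MIN_WAN_MTU}")
    else:
        frags = fragments_needed(max_frame, wan_mtu)
        if frags > MAX_FRAGMENTS:
            reasons.append(f"{max_frame}-byte frames need {frags} fragments (max {MAX_FRAGMENTS})")
    return (not reasons, reasons)
```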

Page 71

Understanding H-REAP Groups

WLC supports up to 20 H-REAP groups

Each H-REAP group supports up to 25 H-REAP APs

H-REAP groups allow sharing of:

CCKM fast roaming keys

Local user authentication

Local EAP authentication

(Figure: Central Site connected over the WAN to two Remote Sites, each with its own H-REAP group: H-REAP Group 1 and H-REAP Group 2)

Page 72

FlexConnect Improvements in New 7.0.116

WAN Survivability: FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails

Local Authentication: allows the authentication capability to exist directly at the FlexConnect AP instead of at the WLC

Improved Scale: max H-REAP groups increased to 500 (7500s) and 100 (5500s); APs per group: 50 (7500s) and 25 (5500s)

Fast Roaming in Remote Branches: Opportunistic Key Caching (OKC) between APs in a branch

Page 73

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing

Understanding AP Groups

IPv6 Deployment with Controllers

Branch Office Designs

Understanding HREAP/FlexConnect Deployment

Understanding Branch Controller Deployment

Guest Access Deployment

Home Office Design

Page 74

Branch Office WLAN Controller Options

Appliance controllers: Cisco 2504-12; Cisco 5508-12, 5508-25

Integrated controller: WLAN controller module (WLCM-2) for ISR G2

(Figure: Headquarters with WCS connected over Internet VPN, MPLS/ATM or Frame Relay to a Branch Office and a Small Office; other figure labels: E-Mail; sizing labels on the figure: 100–500 users / 5–25 APs and 20–100 users / 1–5 APs)

Page 75

Branch Office WLAN Controller Options

Cisco Unified Wireless Network with controller-based

Multiple integrated WAN options on ISR

Consistent branch-HQ services, features, and performance

Standardized branch configuration extends the unified wired and wireless network

Branch configuration management from central WCS

(Figure labels: Headquarters (WCS), Branch Office, Small Office, E-Mail, Cisco 2504 ***, WLCM-2 ****, Internet VPN, MPLS/ATM, Frame Relay)

*** / **** AP count varies depending on channel utilization and data rates

Page 76

Deploying the Cisco Unified Wireless Architecture

Controller Redundancy and AP Load Balancing

Understanding AP Groups

IPv6 Deployment with Controllers

Branch Office Designs

Guest Access Deployment

Home Office Design

Page 77

Guest Access Deployment

Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers

Other traffic (employee for example) still locally bridged at the remote controller on the corresponding VLAN

No need to define the guest VLANs on the switches connected to the remote controllers

Original guest’s Ethernet frame maintained across LWAPP/CAPWAP and EoIP tunnels

Redundant EoIP tunnels to the Anchor WLC

2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)

(Figure: WLAN Controller Deployments with EoIP Tunnel: guest client, CAPWAP to the Wireless LAN Controller, EoIP "Guest Tunnel" to the DMZ or Anchor Wireless Controller, then through the Cisco ASA Firewall to the Internet)
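An added example (not from the deck) that checks a guest-anchor design against the constraints on this slide: the 71-tunnel EoIP limit per controller, the models that cannot take the anchor role, and the advice to have redundant tunnels to anchors. Controller names and models are constructed sample data.

```python
# Added example, not code from the Cisco deck: sanity-checks a guest-anchor design
# against the slide's figures (up to 71 EoIP tunnels per controller; 2504 and WLCM-2
# cannot terminate EoIP) and flags a single, non-redundant anchor.
EOIP_TUNNEL_LIMIT = 71
CANNOT_ANCHOR = {"2504", "WLCM-2"}

def eoip_tunnels(foreign, anchors):
    """Every foreign (remote) WLC builds one EoIP tunnel to every anchor, so each
    controller's tunnel count is the size of the other set. Returns {name: count}."""
    counts = {name: len(anchors) for name in foreign}
    counts.update({name: len(foreign) for name in anchors})
    return counts

def check_guest_anchoring(foreign, anchors):
    """foreign and anchors are {name: model}. Returns a list of problems; an empty
    list means the design is consistent with the slide's constraints."""
    problems = []
    for name, model in anchors.items():
        if model in CANNOT_ANCHOR:
            problems.append(f"{name} ({model}) cannot terminate EoIP: not usable as anchor")
    if len(anchors) < 2:
        problems.append("only one anchor: guest WLAN has no redundant EoIP tunnel")
    for name, count in eoip_tunnels(foreign, anchors).items():
        if count > EOIP_TUNNEL_LIMIT:
            problems.append(f"{name} would need {count} EoIP tunnels (limit {EOIP_TUNNEL_LIMIT})")
    return problems
```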

Page 78

Summary – Key Takeaways

Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, ...)

Wide range of architecture / design choices

Brand new controller portfolio (WiSM-2, WLC 7500, WLC 2504) with investment protection

Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)

Cisco's investment in technology – NCS, ISE, new hardware, cloud controller, Cius

Page 79

Documentation

Wireless Services Module 2 (WiSM2) Deployment Guide
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml

Flex7500 Deployment Guide
http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

Wireless LAN (WLAN) Configuration Examples and TechNotes
http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

H-REAP Deployment Guide
http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml

VLAN Select Deployment Guide
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml

Page 80

Thank you.