wireless branch office network architecture

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 BRKEWN-2016 Architecturing Network for Branch Offices with Cisco Wireless

Upload: cisco-mobility

Post on 22-Nov-2014


DESCRIPTION

Architectural concepts of branch office WLAN deployments, emphasizing the core technologies that drive and enable mobility in retail, banking, education, enterprise or managed WLAN services. Topics covered include an in-depth protocol description of H-REAP (FlexConnect) and all deployment options in practice, and are based on customer case studies for their application in the branch environment. Learn More: http://www.cisco.com/go/wireless

TRANSCRIPT

Page 1: Wireless Branch Office Network Architecture


BRKEWN-2016

Architecturing Network for Branch Offices with Cisco Wireless

Page 2: Wireless Branch Office Network Architecture


Abstract

This session focuses on the architecture concepts of branch office WLAN deployments, emphasizing the core technologies that drive and enable mobility in retail, banking, education, enterprise or managed WLAN services. Topics covered include an in-depth protocol description of H-REAP/FlexConnect and all deployment options in practice, and are based on customer case studies for their application in the branch environment.

Page 3: Wireless Branch Office Network Architecture


Deploying Cisco’s FlexConnect Wireless Branch Solution

Increases Business Resiliency

Page 4: Wireless Branch Office Network Architecture


Agenda

Cisco Unified Wireless Principles (Reminder)

Branches Using Remote Controllers

Understanding H-REAP Mode and Limitations

Understanding AP Groups and H-REAP Groups

Designing a Resilient Network

Operating an H-REAP–Based Branch Network

Retail Case Study

Page 5: Wireless Branch Office Network Architecture


Page 6: Wireless Branch Office Network Architecture


Cisco Unified Wireless Principles

Components

• Wireless LAN controllers

• Aironet access points

• Management System (WCS)

• Mobility Service Engine (MSE)

Principles

• AP must have CAPWAP connectivity with WLC

• Configuration downloaded to AP by WLC

• All Wi-Fi traffic is forwarded to the WLC

[Figure: Wireless LAN Controllers, Aironet Access Point, WCS and MSE attached to the Campus Network]

Page 7: Wireless Branch Office Network Architecture


Page 8: Wireless Branch Office Network Architecture


Branch Designs Using Remote Controllers: Overview

Branches can also have their own local controllers

Small form-factor WLCs are available to build a “small campus” at the branch: the WLC-25xx, or integrated controller modules (WLCM) in ISR/ISR-G2

High-availability design with a central backup controller is supported; WAN limitations may apply

[Figure: Remote Site A (WLC-25xx) and Remote Site B (WLCM for ISR/ISR-G2) connected over the WAN to the Central Site, which hosts a Backup Central Controller]

Page 9: Wireless Branch Office Network Architecture


Branch Designs Using Remote Controllers: Advantages

Cookie-cutter configuration for every branch site

Layer-3 roaming within the branch

ACLs in the branch site

Peer-to-peer blocking

WGB support

Reliable multicast (filtering)

Dynamic VLAN

Note: If you have an ISR/ISR-G2 at the branch site, it is recommended to use the IOS Firewall at the edge for unified access policies.

Page 10: Wireless Branch Office Network Architecture


Page 11: Wireless Branch Office Network Architecture


CAPWAP Overview: Control and Provisioning of Wireless Access Points

CAPWAP is a standard, interoperable protocol that enables an Access Controller (AC) to manage a collection of Wireless Termination Points (WTPs)

CAPWAP carries control and data traffic between the two

Control plane is DTLS encrypted

Data plane is DTLS encrypted (optional)

CAPWAP supports only Layer 3 mode deployments

[Figure: Access Point and Controller joined by the CAPWAP Control Plane and Data Plane; Wi-Fi Client traffic flows through them to the Business Application]

Page 12: Wireless Branch Office Network Architecture


CAPWAP Modes: Split MAC

The CAPWAP protocol supports two modes of operation

Split MAC (Centralized Mode)

Local MAC (H-REAP/FlexConnect)

[Figure: Split MAC: STA, WTP (Wireless Phy, MAC Sublayer), CAPWAP Data Plane, AC; the Wireless Frame is carried to the AC, which emits an 802.3 Frame]

Page 13: Wireless Branch Office Network Architecture


CAPWAP Modes: Local MAC

Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames

Locally bridged:

[Figure: Locally bridged: STA, WTP (Wireless Phy, MAC Sublayer), AC; the Wireless Frame is bridged at the WTP as an 802.3 Frame]

H-REAP supports locally bridged (local MAC) and split MAC per SSID

Page 14: Wireless Branch Office Network Architecture


CAPWAP Modes: Local MAC (Tunneled as 802.3 Frames)

Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames

Tunneled as 802.3 frames:

[Figure: Tunneled local MAC: STA, WTP (Wireless Phy, MAC Sublayer), AC; the Wireless Frame is converted to an 802.3 Frame at the WTP and carried over the CAPWAP Data Plane]

Tunneled local MAC is not supported by Cisco

Page 15: Wireless Branch Office Network Architecture


H-REAP Glossary

Connected mode – When the H-REAP AP can reach the controller (connected state), it gets help from the controller to complete client authentication.

Standalone mode – When the controller is not reachable by the H-REAP AP, it goes into the standalone state and does client authentication by itself.

Local switching – Data traffic of an SSID is switched onto local VLANs

Central switching – Data traffic of an SSID is tunneled back to the WLC

Page 16: Wireless Branch Office Network Architecture


Branch Office Deployment: H-REAP – Hybrid Remote Edge Access Point

Hybrid architecture

Single management and control point

Data traffic switching:

Centralized traffic (split MAC)

or

Local traffic (local MAC)

HA will preserve local traffic only

Traffic switching is configured per AP and per WLAN (SSID)

[Figure: Remote Office with Centralized Traffic and Local Traffic, WAN, Central Site with a Cluster of WLCs]

Page 17: Wireless Branch Office Network Architecture


Configure H-REAP Mode, Step 1: Configure Access Point Mode

Enable H-REAP mode per AP

Supported APs: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500

Page 18: Wireless Branch Office Network Architecture


Configure H-REAP Local Switching, Step 2: Enable Local Switching per WLAN

Only WLANs with “Local Switching” enabled will be switched locally at the H-REAP AP

Page 19: Wireless Branch Office Network Architecture


Configure H-REAP VLAN Mapping, Step 3: H-REAP Specific Configuration

An H-REAP AP can be connected to an access port (using the native VLAN) or to an 802.1Q trunk port

VLAN mapping is a per-AP configuration on the WLC; on WCS it can be applied per AP group using templates

Page 20: Wireless Branch Office Network Architecture


Configure H-REAP VLAN Mapping, Step 4: Per-AP SSID-to-VLAN Mapping

Mapping of an SSID to an 802.1Q VLAN is done per H-REAP AP

Use WCS with templates for the configuration

Page 21: Wireless Branch Office Network Architecture


Configure H-REAP VLAN Mapping, Step 4: Using WCS

With WCS, the configuration can be applied to all H-REAP APs with one template

Page 22: Wireless Branch Office Network Architecture


H-REAP Design Considerations

Some WAN limitations apply:

RTT must be below 300 ms for data (100 ms for voice)

Minimum WAN MTU of 500 bytes (with at most four fragments per packet)

Some features are not available in standalone mode or in local switching mode:

ACLs with local switching

MAC/Web Auth in standalone mode

See the full list in the “H-REAP Feature Matrix”: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml

Page 23: Wireless Branch Office Network Architecture


Key Differentiation

WAN Tolerance

• High latency networks

• WAN survivability

Security

• 802.1x based port authentication

Voice support

• Voice CAC

• OKC/CCKM

Economies of scale for lean branches

Flex 7500 Wireless Controller (New)

Access Points: 300–2,000

Clients: 20,000

Branches: 500

Access Points / Branch: 50

Deployment Model: FlexConnect

Form Factor: 1 RU

IO Interface: 2x 10GE

Upgrade Licenses: 100, 200, 500, 1K

Page 24: Wireless Branch Office Network Architecture


FlexConnect Improvements in New 7.0.116

WAN Survivability

FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails

Local Authentication

Allows for the authentication capability to exist directly at the AP in FlexConnect instead of the WLC

Improved Scale

Group Scale: Max HREAP groups increased to 500 (7500s) and 100 (5500s)

APs per Group: 50 (7500s) and 25 (5500s)

Fast roaming in remote branches

Opportunistic Key Caching (OKC) between APs in a branch

Page 25: Wireless Branch Office Network Architecture


Page 26: Wireless Branch Office Network Architecture


Understanding AP Groups: Overview

An AP group is a logical grouping of APs that deliver similar Wi-Fi services; the grouping can be:

By physical location, and/or

By functional services (data, voice, guest, …)

The same AP groups need to be defined in all WLCs of a mobility group

[Figure: AP Group 1 at the Central Site (Flex 7500), AP Group 2 at Remote Site A and AP Group 3 at Remote Site B, connected over the WAN]

Page 27: Wireless Branch Office Network Architecture


Understanding AP Groups: Rules to Know

Rules to know:

• One AP can be in only one AP group

• One WLAN (SSID) can be in several AP groups

• WLANs with ID 1–16 cannot be removed from the ‘default-group’

• WLANs with an ID greater than 16 will never be part of the ‘default-group’

• All APs with no AP group name, or an unknown AP group name, will be part of the ‘default-group’

Well-known mistakes:

• Creating no AP group, but creating a WLAN with ID 17+ (no AP will ever broadcast it).

• Having AP groups defined, creating a WLAN with ID 17+ but never mapping the WLAN to any AP group.
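The rules above are easy to break silently, so here is a checker for them, written for this page as an added example (not Cisco's code). The configuration model, group and AP names are constructed; it reports a WLAN that no group will broadcast and an AP whose group name does not exist.

```python
"""Added example (not Cisco's code): checks a WLC's WLAN / AP-group configuration
against the AP-group rules on this slide and reports the two well-known mistakes.
The configuration model and the names used are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_GROUP = "default-group"


@dataclass(frozen=True)
class Wlan:
    wlan_id: int
    ssid: str


@dataclass
class ApGroup:
    name: str
    wlan_ids: set = field(default_factory=set)   # WLAN IDs mapped to this group


@dataclass(frozen=True)
class AccessPoint:
    name: str
    group_name: Optional[str] = None             # None: no AP group set on the AP


def effective_group(ap, groups):
    """Rule: an AP with no group name, or an unknown one, lands in default-group."""
    if ap.group_name is None or ap.group_name not in groups:
        return DEFAULT_GROUP
    return ap.group_name


def groups_serving(wlan, groups):
    """Names of the AP groups whose APs will broadcast this WLAN.

    Rules: IDs 1-16 are always part of default-group and cannot be removed from
    it; IDs 17+ are never in default-group, so they are served only by the
    custom AP groups that explicitly map them."""
    served = {name for name, g in groups.items() if wlan.wlan_id in g.wlan_ids}
    if 1 <= wlan.wlan_id <= 16:
        served.add(DEFAULT_GROUP)
    else:
        served.discard(DEFAULT_GROUP)
    return served


def check_config(wlans, groups, aps):
    """Return a list of findings (empty when the configuration is consistent)."""
    groups = {g.name: g for g in groups}
    findings = []
    populated = set()                  # groups that actually contain an AP
    for ap in aps:
        populated.add(effective_group(ap, groups))
        if ap.group_name is not None and ap.group_name not in groups:
            findings.append(f"AP {ap.name}: unknown AP group '{ap.group_name}', "
                            f"it silently falls back to {DEFAULT_GROUP}")
    for wlan in wlans:
        served = groups_serving(wlan, groups)
        if not served:
            # both well-known mistakes end here: a WLAN 17+ that nobody maps
            findings.append(f"WLAN {wlan.wlan_id} ({wlan.ssid}): ID above 16 and not "
                            "mapped to any AP group, so no AP will broadcast it")
        elif not served & populated:
            findings.append(f"WLAN {wlan.wlan_id} ({wlan.ssid}): mapped only to AP "
                            "groups that contain no APs")
    return findings
```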

Page 28: Wireless Branch Office Network Architecture


AP Groups

Configuration: Create a New Group

Page 29: Wireless Branch Office Network Architecture


AP Groups

Configuration: Add AP to Group

Page 30: Wireless Branch Office Network Architecture


AP Groups Usage

AP groups give the ability to enable Wi-Fi services (WLANs) based on physical location

Example (per-location SSIDs):

Central Site: Corporate-Voice, Corporate-Data, Guest-Access

Manufacturing Plant: Corporate-Voice, Corporate-Data, Scanners

Store: Corporate-Data, Guest-Access

[Figure: AP Group 1, AP Group 2 and AP Group 3 at the Central Site, Manufacturing Plant and Store, connected over the WAN/MAN; Guest-Access reaches the Internet]

Page 31: Wireless Branch Office Network Architecture


AP Groups Usage: Per AP Group SSID-to-VLAN Mapping

AP groups give the ability to statically map a Wi-Fi service (WLAN) to a VLAN based on physical location

Users see the same Wi-Fi service on all sites, but the IP address can be used for monitoring or filtering

Can also be used to have smaller Wi-Fi subnets

[Figure: the Corporate-Data WLAN mapped to VLAN-1, VLAN-2 and VLAN-3 in AP Group 1, AP Group 2 and AP Group 3 at the Central Site, Manufacturing Plant and Store, over the WAN/MAN]

Page 32: Wireless Branch Office Network Architecture


AP Groups

Configuration/VLAN Mapping

Page 33: Wireless Branch Office Network Architecture


AP Groups: Scaling

Scaling             | Flex 7500 (New) | WLC 5508 | WLC 4400 | WLC 2100
# AP Groups         | 500             | 500      | 300      | 50
# WLAN (SSID)       | 512             | 512      | 512      | 512
# VLAN (Interfaces) | 512             | 512      | 512      | 512

Page 34: Wireless Branch Office Network Architecture


Understanding H-REAP Groups: Overview

H-REAP groups allow sharing of:

CCKM/OKC fast roaming keys

Local backup RADIUS servers (IP/keys)

Local user authentication

Local EAP authentication

Scaling information:

500 H-REAP groups for the Flex 7500

50 APs per H-REAP group

[Figure: H-REAP Group 1 and H-REAP Group 2, one per Remote Site, connected over the WAN to a Flex 7500 Cluster at the Central Site]

Page 35: Wireless Branch Office Network Architecture


H-REAP Groups and CCKM/OKC Keys

CCKM/OKC keys are stored on the H-REAP APs for Layer 2 fast roaming

The H-REAP APs receive the CCKM/OKC keys from the WLC

If an H-REAP AP boots up in standalone mode, it will not get the CCKM keys from the WLC and fast roaming is not supported

[Figure: H-REAP Group 1 and H-REAP Group 2 at the Remote Sites, WAN, Central Site with the RADIUS Server; CCKM Keys are distributed from the central site to the groups]

Page 36: Wireless Branch Office Network Architecture


H-REAP Groups and CCKM Keys

Configuration: add a new H-REAP group, then add APs to the H-REAP group

Page 37: Wireless Branch Office Network Architecture


Page 38: Wireless Branch Office Network Architecture


H-REAP Backup Scenario: WAN Failure

H-REAP falls back to locally switched (standalone) mode

No impact for locally switched SSIDs

Clients of centrally switched SSIDs are disconnected

Static authentication keys are stored locally in the H-REAP AP

Lost features:

RRM, WIDS, location, other AP modes

Web authentication, NAC

[Figure: Remote Site, WAN (failed), Central Site with Application Server]

Page 39: Wireless Branch Office Network Architecture


H-REAP Backup Scenario: WLC Failure

H-REAP first falls back to locally switched (standalone) mode

No impact for locally switched SSIDs

Clients of centrally switched SSIDs are disconnected

CCKM roaming is allowed within the H-REAP group

The H-REAP AP then searches for a backup WLC; when a backup WLC is found, the H-REAP AP resyncs with it and resumes client sessions with central traffic.

Client sessions with local traffic are not impacted during the resync with the backup WLC.

[Figure: Remote Site, WAN, Central Site with a failed WLC, a backup WLC and the Application Server]

Page 40: Wireless Branch Office Network Architecture


H-REAP Group: Local Backup RADIUS, Backup Scenario

Normal authentication is done centrally

On WAN failure, the AP authenticates new clients against the locally defined RADIUS server

Existing connected clients stay connected

Clients can roam with:

CCKM fast roaming, or

Reauthentication

[Figure: H-REAP Group 1 at the Remote Site with a Local Backup RADIUS and CCKM Fast Roaming, WAN, Central Site with the Central RADIUS]

Page 41: Wireless Branch Office Network Architecture


H-REAP Group: Local Backup RADIUS, Configuration

Define the primary and secondary local backup RADIUS servers per H-REAP group

Page 42: Wireless Branch Office Network Architecture


H-REAP Group: Local Backup Authentication, Backup Scenario

Normal authentication is done centrally

On WAN failure, the AP authenticates new clients against its local database

Each H-REAP AP has a copy of the local user DB

Existing authenticated clients stay connected

Clients can roam with:

CCKM fast roaming, or

Local re-authentication

Only LEAP and EAP-FAST are supported!

[Figure: H-REAP Group 1 at the Remote Site with CCKM Fast Roaming, WAN, Central Site with the Central RADIUS]

Page 43: Wireless Branch Office Network Architecture


H-REAP Group: Local Backup Authentication, Configuration

Define users (max 100) and passwords

Define EAP parameters (LEAP or EAP-FAST)

Page 44: Wireless Branch Office Network Architecture


H-REAP Backup Scenario: WAN Down Behavior (Boot-up in Standalone Mode)

Centrally switched WLANs will shut down

Web-auth WLANs will shut down

Locally switched WLANs will be up:

Only Open, Shared and WPA-PSK are allowed.

Local 802.1x is allowed with local authentication or a local RADIUS

Unsupported features:

RRM, CCKM, WIDS, Location, other AP modes, NAC.

Page 45: Wireless Branch Office Network Architecture


Not Supported Backup Scenario: AP Changing Mode on Failure

An AP cannot automatically change from local mode to H-REAP mode on local WLC failure

Changing mode is a configuration task of the AP

Why it does not make sense:

Need for a dual configuration at the switch level (access port for central, 802.1Q trunk for H-REAP)

Controller features are lost when going to H-REAP

If you accept H-REAP locally, then don’t buy a local WLC!

[Figure: Remote Site, WAN, Central Site with Application Server; marked “Not Supported Backup Scenario!”]

Page 46: Wireless Branch Office Network Architecture


Not Supported Backup Scenario: Auto-Enabling Backup Local Switching

An H-REAP AP cannot be configured with two SSIDs of the same name, one in central switching mode and one in local switching mode, so that the locally switched SSID becomes active when central switching is down

Changing the enable status of an SSID is a configuration task at the WLC level

Cisco recommends using local switching. Why?

Fault tolerance will always keep the client connection UP.

[Figure: H-REAP AP at the Remote Site with SSID “Data” (Central Switching, enabled) and SSID “Data” (Local Switching, disabled), WAN, Central Site with Primary and Backup Application Servers; marked “Not Supported Backup Scenario!”]

Page 47: Wireless Branch Office Network Architecture


Failover Matrix

Feature                              | WAN Up (Connected) | WAN Down (Standalone)
Static Security Keys (WEP, WPA2/PSK) | Yes                | Yes
802.1x/EAP                           | Yes                | Yes
RADIUS                               | Yes                | Yes (local RADIUS backup)
Local Authentication (New)           | Yes                | Yes
OKC Fast Roaming (New)               | Yes                | Yes (not new clients)
WebAuth & MAC Auth                   | Yes                | No
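The failover matrix and the “WAN Down Behavior” slide together define, per WLAN, what survives when the WAN fails. The model below, added here as an example (not Cisco's code), encodes those rules; the WLAN and H-REAP group settings are constructed and the security labels are this example's own names for the WLAN security types.

```python
"""Added example (not Cisco's code): models what the failover matrix and the
'WAN Down Behavior' slide say happens to each WLAN on an H-REAP AP when the
WAN fails. The WLAN and H-REAP group settings are constructed; the 'security'
labels are this example's own names for the WLAN security types."""
from dataclasses import dataclass

STATIC_KEYS = ("open", "shared", "wpa-psk")     # keys stored on the AP itself
WLC_ONLY = ("webauth", "macauth")               # need the controller to work
LOCAL_EAP = ("LEAP", "EAP-FAST")                # the only types local auth supports


@dataclass(frozen=True)
class Wlan:
    ssid: str
    local_switching: bool       # False: centrally switched (tunneled to the WLC)
    security: str               # one of STATIC_KEYS, "802.1x" or WLC_ONLY


@dataclass(frozen=True)
class HreapGroup:
    local_backup_radius: bool = False    # backup RADIUS defined in the group
    local_auth: bool = False             # local user DB with LEAP / EAP-FAST


@dataclass(frozen=True)
class Outcome:
    wlan_up: bool
    existing_clients_kept: bool
    new_clients_admitted: bool
    fast_roaming: bool          # for already-connected clients only, never new ones
    reason: str


def standalone_outcome(wlan, group, booted_standalone=False, eap_method=None):
    """WAN down: the AP is in standalone mode.

    booted_standalone: the AP came up without ever reaching the WLC, so it never
    received CCKM/OKC keys and fast roaming is unavailable.
    eap_method: the client's EAP type; it matters only for local authentication."""
    if not wlan.local_switching:
        return Outcome(False, False, False, False,
                       "centrally switched WLAN shuts down, its clients are disconnected")
    if wlan.security in WLC_ONLY:
        return Outcome(False, False, False, False,
                       "WebAuth / MAC Auth need the WLC, the WLAN shuts down")
    # OKC/CCKM cache 802.1X-derived keys; a PSK WLAN has nothing to cache
    roaming = wlan.security == "802.1x" and not booted_standalone
    if wlan.security in STATIC_KEYS:
        return Outcome(True, True, True, False,
                       "static keys are stored on the AP, the WLAN stays up")
    if wlan.security == "802.1x":
        if group.local_backup_radius:
            return Outcome(True, True, True, roaming,
                           "new clients authenticate against the local backup RADIUS")
        if group.local_auth and eap_method in LOCAL_EAP:
            return Outcome(True, True, True, roaming,
                           "new clients authenticate against the AP's local user DB")
        return Outcome(True, True, False, roaming,
                       "no local RADIUS or local auth: existing clients stay, "
                       "new 802.1x clients cannot authenticate")
    raise ValueError(f"unknown security type {wlan.security!r}")


def branch_report(wlans, group, booted_standalone=False):
    """Outcome for every WLAN of a branch, keyed by SSID."""
    return {w.ssid: standalone_outcome(w, group, booted_standalone) for w in wlans}
```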

Page 48: Wireless Branch Office Network Architecture


Page 49: Wireless Branch Office Network Architecture


Monitor H-REAP Latency

The RTT for an H-REAP AP must be 300 ms maximum

The latency tool helps monitor WAN latency
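To apply the design limits from the “H-REAP Design Considerations” slide (RTT below 300 ms for data, 100 ms for voice) to measured data, here is an added example (not Cisco's code or the WLC latency tool's output) that parses constructed per-AP RTT samples and classifies each branch; the log line format is an assumption.

```python
"""Added example (not Cisco's code): evaluates WAN round-trip-time samples per
branch against the H-REAP design limits on these slides (RTT below 300 ms for
data, 100 ms for voice). The log lines and their format are constructed for
the example, not the WLC latency tool's output."""
import math
import re

DATA_RTT_MS = 300
VOICE_RTT_MS = 100

# constructed line format: "<site> <ap-name> rtt=<ms>ms"
LINE_RE = re.compile(r"^(?P<site>\S+)\s+(?P<ap>\S+)\s+rtt=(?P<rtt>\d+)ms$")

SAMPLE_LOG = """\
store-1 ap-1 rtt=84ms
store-1 ap-2 rtt=91ms
store-1 ap-1 rtt=120ms
store-2 ap-1 rtt=210ms
store-2 ap-2 rtt=260ms
store-2 ap-1 rtt=340ms
store-3 ap-1 rtt=40ms
store-3 ap-1 rtt=45ms
this line is noise and is skipped
"""


def parse_log(text):
    """Return {site: [rtt_ms, ...]}, ignoring lines that do not match the format."""
    samples = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        samples.setdefault(m.group("site"), []).append(int(m.group("rtt")))
    return samples


def percentile(values, pct):
    """Nearest-rank percentile, so one stray spike does not fail a whole site."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def classify_site(rtts, pct=95):
    """Judge a site on its p95 RTT against the data and voice limits."""
    p = percentile(rtts, pct)
    if p < VOICE_RTT_MS:
        verdict = "ok for data and voice"
    elif p < DATA_RTT_MS:
        verdict = "ok for data only (voice limit of 100 ms exceeded)"
    else:
        verdict = "exceeds the 300 ms H-REAP limit: expect AP/WLC disconnects"
    return {"p95": p, "max": max(rtts), "samples": len(rtts), "verdict": verdict}


def evaluate(text):
    """Classification per site for a whole latency log."""
    return {site: classify_site(rtts) for site, rtts in parse_log(text).items()}
```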

Page 50: Wireless Branch Office Network Architecture


Upgrading an H-REAP Deployment: Concerns

Sites using H-REAP APs are usually sites with low WAN bandwidth

Each site may have a small number of APs, but an enterprise may have many branches

Upgrading ~2000 APs through a low-bandwidth WAN is a challenge:

• Time needed to download all the AP firmware

• Exhaustion of the WAN link

• Risk of failures during the download

Page 51: Wireless Branch Office Network Architecture


Upgrading an H-REAP Deployment: Safe Process

Use the “Pre-Download” feature and control the process before effectively doing the upgrade

1. Download the upgraded WLC firmware (it will become the primary image)

2. Force the “boot image” to be the secondary one (not the newly upgraded one) to avoid a parallel download by all APs in case of an unexpected WLC reboot

[Figure: Wireless Control System and Wireless LAN Controller at the Central Site with Primary (7.0) and Secondary (6.0) Firmware Images; WAN to Remote Site-1 … Remote Site-N]

Page 52: Wireless Branch Office Network Architecture


Upgrading an H-REAP Deployment: Safe Process (Cont.)

3. “Pre-download” the AP firmware into the secondary AP “boot image” (this does not disrupt the running service); it can be started AP by AP to limit WAN exhaustion

4. Check that all the H-REAP APs are up to date (all downloads succeeded)

5. Swap the AP “boot image” to the new one, and change the WLC “boot image” to the new one

6. Reboot the controller

[Figure: Central Site with the Wireless Control System and Wireless LAN Controller (Primary/Secondary Firmware Image), WAN, Remote Site-1 … Remote Site-N APs with Primary/Secondary AP Firmware Image (7.0 and 6.0)]
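The six steps above are a procedure with one precaution (step 2) and one gate (step 4). The driver below, added as an example for this page (not Cisco's code and not a WLC interface), paces the per-site pre-download and picks the next step from the controller and AP image state; sites, link speeds, AP records and their field names are constructed.

```python
"""Added example (not Cisco's code): a small driver for the six-step safe process
above. It paces the per-site AP pre-download (step 3) so a branch WAN link is not
saturated, and picks the next step from the controller and AP image state,
refusing the image swap (step 5) until every AP holds the new image (step 4).
Sites, link speeds, AP records and their field names are constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    wan_kbps: int        # branch WAN link speed (constructed)
    ap_names: tuple


def predownload_batches(site, link_share=0.5, kbps_per_ap=256):
    """Step 3 pacing: start only as many APs at once as the allowed share of the
    link can feed at kbps_per_ap each; a slow link still gets one AP at a time."""
    at_once = max(1, int(site.wan_kbps * link_share // kbps_per_ap))
    return [site.ap_names[i:i + at_once]
            for i in range(0, len(site.ap_names), at_once)]


def predownload_seconds(site, image_bytes, link_share=0.5):
    """Wall-clock estimate for the whole site at the allowed link share."""
    bytes_per_s = site.wan_kbps * 1000 / 8 * link_share
    return len(site.ap_names) * image_bytes / bytes_per_s


def next_step(wlc, aps, target):
    """Return (step, action) for the safe process.

    wlc: {"images": {"primary": ver, "backup": ver}, "boot": "primary"|"backup"}
    aps: {name: {"backup": ver, "boot": ver,
                 "predownload": "none"|"in-progress"|"complete"}}"""
    slots = [s for s, v in wlc["images"].items() if v == target]
    if not slots:
        return 1, f"download WLC firmware {target}; it becomes the primary image"
    target_slot = slots[0]
    aps_ready = all(a["backup"] == target and a["predownload"] == "complete"
                    for a in aps.values())
    if wlc["boot"] == target_slot and not aps_ready:
        # step 2: an unexpected WLC reboot would make every AP download at once
        return 2, f"set the WLC boot image to the slot that is not {target}"
    if not aps_ready:
        pending = sorted(n for n, a in aps.items()
                         if a["backup"] != target or a["predownload"] != "complete")
        if any(aps[n]["predownload"] == "none" for n in pending):
            return 3, f"pre-download {target} to the AP backup image, AP by AP: {pending}"
        return 4, f"re-check later, downloads still running on: {pending}"
    if any(a["boot"] != target for a in aps.values()) or wlc["boot"] != target_slot:
        return 5, f"swap the AP boot image to {target}, then set the WLC boot image to {target_slot}"
    return 6, "reboot the controller"
```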

Page 53: Wireless Branch Office Network Architecture


Page 54: Wireless Branch Office Network Architecture


Customer Requirements

~1000 medium stores (“Supermarket”)

Up to 5 APs per store.

L2 connectivity between the APs; APs on access ports (no 802.1Q trunk today)

Existing local resources (servers, …)

WLAN services:

SSID for scanners:

• WPA-PSK will be used on scanners

• Same SSID name for all the stores, but a different key per store

• Local switching in the store

SSID for laptops:

• WPA/TKIP or WPA2/AES for laptops

• Same SSID name and VLAN for all the stores

• Central RADIUS authentication

• Central switching

Page 55: Wireless Branch Office Network Architecture


[Figure: Data Center with a CT-5508 Cluster and RADIUS; WAN to Store-1 … Store-N (1000 stores), each with H-REAP APs, a Local Resource, Scanners (WPA-PSK) on SSID-Scanner (Key-Store-1 … Key-Store-N) and Laptops (WPA2) on SSID-Laptop]

WLAN 17: Store-1, SSID=Scanner, WPA-PSK=XYZ, Local VLAN=native

WLAN 17+N: Store-N, SSID=Scanner, WPA-PSK=ZYX, Local VLAN=native

WLAN 200: Store-Data, SSID=Laptop, WPA/RADIUS, Central VLAN=Tag-

Page 56: Wireless Branch Office Network Architecture


[Figure: Data Center with a CT-5508 Cluster and RADIUS; WAN to Store-1 … Store-N (1000 stores), each with its H-REAP APs in AP-Group-1 … AP-Group-N, a Local Resource, Scanners (WPA-PSK) on SSID-Scanner and Laptops (WPA2) on SSID-Laptop]

AP Group 1: Store-1, WLANs: Store-1, Store-data

AP Group N: Store-N (SSID=Scanner), WLANs: Store-N, Store-data

Page 57: Wireless Branch Office Network Architecture


Project Scale

1000 stores with an average of 5 APs per store: 5000 APs

10 x CT-5508-500 to support 5000 APs

1000 stores means:

• 1000 WLAN profiles with the same SSID for scanners, each with a different WPA2-PSK key per store (*)

• 1 WLAN profile with the same SSID for laptops, with central switching and central WPA/RADIUS authentication

• 1000 AP groups to map the WLAN profiles on each store

Capabilities to be supported by a CT-5508-500 for this case study:

• 100 stores managed by one CT-5508

• 100 different WLAN profiles with the same H-REAP SSID per CT

• 100 AP groups per CT

• No H-REAP groups for phase 1
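To show why the case study lands on 10 controllers with 100 stores each, here is an added example (not Cisco's code) that sizes the project against the CT-5508-500 limits quoted on these slides and generates one controller's WLAN profiles and AP groups; the PSK values are placeholders and the WLAN ID choices follow the topology slide (store WLANs from 17, the shared Laptop WLAN at 200).

```python
"""Added example (not Cisco's code): sizes the retail case study and generates
one controller's share of the WLAN profiles and AP groups it describes: a locally
switched "Scanner" WLAN per store (IDs from 17, a different PSK per store), one
shared centrally switched "Laptop" WLAN, and one AP group per store. Store counts
and WLC limits come from the slides; PSKs are placeholders."""
import math

SCANNER_SSID = "Scanner"
LAPTOP_SSID = "Laptop"
LAPTOP_WLAN_ID = 200        # shared WLAN ID shown on the topology slide
FIRST_STORE_WLAN_ID = 17    # IDs 1-16 would land in default-group on every AP

CT5508_500 = {"aps": 500, "ap_groups": 500, "wlans": 512}   # limits from the slides


def size_project(stores, aps_per_store, wlc=CT5508_500):
    """Controllers needed and the per-controller counts that must fit the limits."""
    total_aps = stores * aps_per_store
    controllers = math.ceil(total_aps / wlc["aps"])
    stores_per_wlc = math.ceil(stores / controllers)
    plan = {
        "total_aps": total_aps,
        "controllers": controllers,
        "stores_per_wlc": stores_per_wlc,
        "aps_per_wlc": stores_per_wlc * aps_per_store,
        "wlans_per_wlc": stores_per_wlc + 1,      # per-store Scanner + shared Laptop
        "ap_groups_per_wlc": stores_per_wlc,
    }
    plan["fits"] = (plan["aps_per_wlc"] <= wlc["aps"]
                    and plan["wlans_per_wlc"] <= wlc["wlans"]
                    and plan["ap_groups_per_wlc"] <= wlc["ap_groups"])
    return plan


def store_blocks(stores, controllers):
    """Contiguous store numbers per controller: 1-100 on WLC 1, 101-200 on WLC 2, ..."""
    per = math.ceil(stores / controllers)
    return [list(range(i + 1, min(i + per, stores) + 1)) for i in range(0, stores, per)]


def build_wlc_config(store_numbers, psk_for, wlc=CT5508_500):
    """WLAN profiles and AP groups for the stores hosted by one controller.

    psk_for(store) supplies the per-store key (placeholders in the example)."""
    if len(store_numbers) + 1 > wlc["wlans"]:
        raise ValueError("too many stores for one WLC: WLAN limit exceeded")
    wlans = {LAPTOP_WLAN_ID: {"profile": "Store-Data", "ssid": LAPTOP_SSID,
                              "switching": "central", "security": "WPA/RADIUS"}}
    groups = {}
    for i, store in enumerate(store_numbers):
        wlan_id = FIRST_STORE_WLAN_ID + i
        if wlan_id >= LAPTOP_WLAN_ID:
            raise ValueError("store WLAN IDs would collide with the shared Laptop WLAN")
        wlans[wlan_id] = {"profile": f"Store-{store}", "ssid": SCANNER_SSID,
                          "switching": "local", "security": "WPA-PSK",
                          "psk": psk_for(store), "vlan": "native"}
        # rule from the AP-group slides: a WLAN with ID 17+ must be mapped explicitly
        groups[f"AP-Group-{store}"] = [wlan_id, LAPTOP_WLAN_ID]
    return wlans, groups
```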

Page 58: Wireless Branch Office Network Architecture

Summary

Page 59: Wireless Branch Office Network Architecture


Summary

Cisco Unified Wireless Network, based on controllers, delivers the wireless branch solution

H-REAP is the feature designed to solve remote connectivity and WAN constraints

Several failover scenarios are targeted to offer survivability of small remote sites

Deployment Guide URL- http://www.cisco.com/*****

Page 60: Wireless Branch Office Network Architecture


Deploying Cisco’s FlexConnect Wireless Branch Solution

Increases Business Resiliency

Page 61: Wireless Branch Office Network Architecture


Recommended Reading

Page 62: Wireless Branch Office Network Architecture


Visit the Cisco Store for Related Titles

http://theciscostores.com

Page 63: Wireless Branch Office Network Architecture


Complete Your Online Session Evaluation

Receive 25 Cisco Preferred Access points for each session evaluation you complete.

Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Page 64: Wireless Branch Office Network Architecture


Page 65: Wireless Branch Office Network Architecture


Thank you.