The world is going to wireless …
Wireless Networking Part 2 CCNP Switch Hossein Shamloo
WLAN Architecture Traditional WLAN Architecture Traditional WLAN architecture centers around the wireless access point. Each AP serves as the central hub of its own BSS, where clients located with the AP cell gain an association. The traffic to and from each client has to pass through the AP to reach any other part of the network.
WLAN Architecture Traditional WLAN Architecture Notice that even though an AP is centrally positioned to support its clients, it is quite isolated and self-sufficient. Each AP must be configured individually, although many APs might be configured with identical network policies. Each AP also operates independently. the AP handles its own use of radio frequency (RF) channels, clients associate with the AP directly, the AP enforces any security policies unassisted, and so on
WLAN Architecture Traditional WLAN Architecture Cisco calls this an autonomous mode AP
WLAN Architecture Traditional WLAN Architecture Because each AP is autonomous, managing security over the wireless network can be difficult. Each autonomous AP handles its own security policies, with no central point of entry between the wireless and wired networks. That means no convenient place exists for monitoring traffic for things like intrusion detection and prevention, quality of service, bandwidth policing, and so on
WLAN Architecture Traditional WLAN Architecture
WLAN Architecture Traditional WLAN Architecture In the figure, SSID A and SSID B are offered on two APs. The two SSIDs correspond to VLAN A and VLAN B, respectively. The APs must be connected to a common switched network that extends VLANs A and B at Layer 2. This is done by carrying VLANs A and B over an 802.1Q trunk link to each AP. Because SSIDs and their VLANs must be extended at Layer 2, you should consider how they are extended throughout the switched network. In Figure 15-7, SSID A and VLAN A have been shaded everywhere they appear. Naturally, they form a contiguous path that appears on both APs so that wireless clients can use SSID A in either location or while roaming between the two
WLAN Architecture Traditional WLAN Architecture In the figure, SSID A and SSID B are offered on two APs. The two SSIDs correspond to VLAN A and VLAN B, respectively. The APs must be connected to a common switched network that extends VLANs A and B at Layer 2. This is done by carrying VLANs A and B over an 802.1Q trunk link to each AP. Because SSIDs and their VLANs must be extended at Layer 2, you should consider how they are extended throughout the switched network. In Figure 15-7, SSID A and VLAN A have been shaded everywhere they appear. Naturally, they form a contiguous path that appears on both APs so that wireless clients can use SSID A in either location or while roaming between the two
WLAN Architecture Traditional WLAN Architecture This concept becomes important when you think about extending SSIDs to many APs over a larger network
WLAN Architecture Cisco Unified Wireless Network Architecture Cisco has collected a complete set of functions that are integral to wireless LANs and called them the Cisco Unified Wireless Network This new architecture offers the following capabilities, which are centralized so that they affect wireless LAN devices located anywhere in the network: ■ WLAN security ■ WLAN deployment ■ WLAN management ■ WLAN control
WLAN Architecture Cisco Unified Wireless Network Architecture
WLAN Architecture Cisco Unified Wireless Network Architecture To centralize these aspects of a WLAN, many of the functions found within autonomous APs have to be shifted toward some central location.
WLAN Architecture Cisco UWNA Vs Legacy Model Notice that they have been grouped by real-time processes on the left and management processes on the right
WLAN Architecture Cisco Unified Wireless Network Architecture Real-Time operation and management function The real-time processes involve actually sending and receiving frames, AP beacons, and probe messages. Data encryption is also handled in a real-time, per- packet basis. The AP must interact with wireless clients at the MAC layer. These functions must stay with the AP hardware, closest to the clients. The management functions are not integral to handling frames over the RF channels but are things that should be centrally administered. Therefore, those functions are moved to a centrally located platform away from the AP
WLAN Architecture Cisco Unified Wireless Network Architecture In the Cisco unified wireless network, a lightweight access point (LAP) performs only the real-time operation.
WLAN Architecture Cisco Unified Wireless Network Architecture The management functions are all performed on a wireless LAN controller (WLC)
WLAN Architecture Cisco Unified Wireless Network Architecture How does an LAP bind with a WLC to form a complete working access point?
WLAN Architecture Cisco Unified Wireless Network Architecture The two devices must bring up a tunnel between them to carry related messages and also client data.
WLAN Architecture Cisco Unified Wireless Network Architecture Remember that the LAP and WLC can be located on the same VLAN or IP subnet, but they don’t have to be. Instead, they can be located on two entirely different IP subnets in two entirely different locations.
WLAN Architecture Cisco Unified Wireless Network Architecture The tunnel makes this all possible by encapsulating the data between the LAP and WLC within new IP packets. The tunneled data can then be switched or routed across the campus network.
WLAN Architecture Cisco Unified Wireless Network Architecture The LAP and WLC pair uses either the Lightweight Access Point Protocol (LWAPP, developed by Cisco) or the Control and Provisioning Wireless Access Points protocol as the tunneling mechanism (CAPWAP, defined in RFC 4118)
WLAN Architecture Cisco Unified Wireless Network Architecture these protocols consist of the two tunnels shown in Figure :
WLAN Architecture Cisco Unified Wireless Network Architecture these protocols consist of the two tunnels shown in Figure : ■ Control messages—Exchanges that are used to configure the LAP and manage its operation. The control messages are authenticated and encrypted so that the LAP is securely controlled by only the WLC ■ Data—Packets to and from wireless clients associated with the LAP. The data is encapsulated within the LWAPP or CAPWAP protocol but is not encrypted or otherwise secured between the LAP and WLC.
WLAN Architecture Cisco Unified Wireless Network Architecture Tip: Although Cisco developed LWAPP, it submitted the protocol as an IETF draft. The result is the CAPWAP standard in RFC LWAPP uses UDP destination ports and on the WLC end. Similarly, CAPWAP uses UDP ports 5246 and 5247.
WLC Functions ■ Dynamic channel assignment— The WLC chooses and configures the RF channel used by each LAP based on other active access points in the area. ■ Transmit power optimization— The WLC sets the transmit power of each LAP based on the coverage area needed. Transmit power is also automatically adjusted periodically. ■ Self-healing wireless coverage— If an LAP radio dies, the coverage hole is “healed” by turning up the transmit power of surrounding LAPs automatically. ■ Flexible client roaming— Clients can roam at either Layer 2 or Layer 3 with very fast roaming times. ■ Dynamic client load balancing— If two or more LAPs are positioned to cover the same geographic area, the WLC can associate clients with the least used LAP. This distributes the client load across the LAPs.
WLC Functions ■ RF monitoring— The WLC manages each LAP so that it scans channels to monitor the RF usage. By listening to a channel, the WLC can remotely gather information about RF interference, noise, signals from surrounding LAPs, and signals from rogue APs or ad-hoc clients. ■ Security management—The WLC can require wireless clients to obtain an IP address from a trusted DHCP server before allowing them to associate and access the WLAN.
Cisco WLC Platforms and Capabilities
Cisco Wireless Control System (WCS) You can also deploy several WLCs in a network to handle a large number of LAPs. In addition, Multiple WLCs offer some redundancy so that LAPs can recover from a WLC failure. Managing several WLCs can require a significant effort, due to the number of LAPs and clients to be managed and monitored The Cisco Wireless Control System (WCS) is an optional server platform that can be used as a single GUI front-end to all the WLCs in a network.
Cisco Wireless Control System (WCS)
The WCS can be teamed with the Cisco Wireless Location Appliance to track the location of thousands of wireless clients. You can even deploy active RFID tags to track objects as they move around in the wireless coverage area.
RFID revolution of scanning …
Screen clipping taken: 2010/06/02; 11:26 AM
RFID revolution of scanning … Screen clipping taken: 2010/06/02; 11:26 AM
Lightweight AP Operation The LAP is designed to be a “zero-touch” configuration. The LAP must find a WLC and obtain all of its configuration parameters, so you never have to actually configure it through its console port or over the network.
Lightweight AP Operation Step by Step Step 1. The LAP obtains an IP address from a DHCP server. Step 2. The LAP learns the IP addresses of any available WLCs. Step 3. The LAP sends a join request to the first WLC in its list of addresses. If that one fails to answer, the next WLC is tried. When a WLC accepts the LAP, it sends a join reply back to the LAP, effectively binding the two devices. Step 4. The WLC compares the LAP’s code image release to the code release stored locally. If they differ, the LAP downloads the code image stored on the WLC and reboots itself. Step 5. The WLC and LAP build a secure LWAPP or CAPWAP tunnel for management traffic and an LWAPP or CAPWAP tunnel (not secured) for wireless client data.
Lightweight AP Operation the LAP can maintain a list of up to three WLCs (primary, secondary, and tertiary) As the LAP boots, it tries to contact each WLC address in sequential order.
Lightweight AP Operation Tip: When an LAP is cut off from a WLC, client associations are normally dropped and no data can pass over the WLAN between clients. Cisco Hybrid Remote Edge Access Point (HREAP) is a special case for remote sites where the LAPs are separated from the WLC by a WAN link. With HREAP, the remote LAPs can keep operating even while the WAN link is down and their WLC is not available, much like an autonomous AP would do. This allows wireless users to keep communicating within the remote site until the link (and WLC) is restored.
Traffic Patterns in a Cisco Unified Wireless Network Because the LAPs connect to the wired network through logical LWAPP or CAPWAP tunnels, the traffic patterns into and out of the WLAN are different than traditional WLANs
Traffic Patterns in a Cisco Unified Wireless Network
That traffic must go from Client A through the LAP, through the LWAPP or CAPWAP tunnel, into the WLC, back through the tunnel, through the LAP and on to Client B. This further illustrates what a vital role the WLC plays in the unified infrastructure Traffic from Client A to a host somewhere on the network travels through the LAP, through the tunnel to the WLC, and then out onto the switched campus network
Roaming in a Cisco Unified Wireless Network Remember that the LAP handles mostly real-time wireless duties, so it will just pass the client’s association requests on up to the WLC. In effect, the wireless clients negotiate their associations with the WLC directly. This is important for two reasons: ■ All client associations can be managed in a central location. ■ Client roaming becomes faster and easier; associations can be maintained or handed off at the controller level.
Roaming in a Cisco Unified Wireless Network With autonomous APs, a client roams by moving its association from one AP to another. The client must negotiate the move with each AP independently, and the APs must also make sure any buffered data from the client is passed along to follow the association.
Roaming in a Cisco Unified Wireless Network With LAPs, a client still roams by moving its association. From the client’s point of view, the association moves from AP to AP; actually it moves from WLC to WLC, according to the AP-WLC bindings.
Roaming in a Cisco Unified Wireless Network Intracontroller Roaming
Roaming in a Cisco Unified Wireless Network Intracontroller Roaming
Roaming in a Cisco Unified Wireless Network Intracontroller Roaming In the figure, the client has moved its association to WLC1 through AP2. Although the AP has changed, the same controller is providing the association and the LWAPP or CAPWAP tunnel. This is known as an intracontroller roam, where the client’s association stays within the same controller
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming In some cases, a client might roam from one controller to another
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming When the client moves into AP2’s cell, the same SSID is found, and the client can move its association to WLC2. As long as the two controllers (WLC1 and WLC2) are located in the same IP subnet, they can easily hand off the client’s association. This is done through a mobility message exchange where information about the client is transferred from one WLC to the other, as shown in next Figure
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming When the mobility exchange occurs, the client begins using the LWAPP or CAPWAP tunnel between AP2 and WLC2. The client’s IP address has not changed; in fact, the roaming process was completely transparent to the client.
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming Now consider the scenario shown in next Figure. The two controllers WLC1 and WLC2 are located in different IP subnets, shown as VLAN A and VLAN B.
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming When the client travels into the cell provided by AP2, something interesting happens. In the Figure, the client moves its association over to WLC2, through AP2, which offers access to VLAN B. The client’s IP address has remained constant, but WLC1 and WLC2 are not located on the same subnet or VLAN. Therefore, the client’s IP address has moved into a foreign subnet.
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming The two controllers must begin working together to provide continuing service for the client, without requiring the client to obtain a new address. The two controllers bring up an Ether-IP tunnel between them for the specific purpose of carrying some of the client’s traffic. The Ether-IP tunnel is simply a way that the controllers can encapsulate MAC layer data inside an IP packet, using IP protocol 97. To move packets to and from the client, one controller encapsulates packets and sends them to the other controller. Packets received over the tunnel are unencapsulated by the other controller, where they reappear in their original form. (Ether-IP tunnels are defined in RFC 3378.)
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming All the client’s traffic will not be able to travel over the same path. Traffic leaving the client travels over the LWAPP or CAPWAP tunnel from AP2 to WLC2 and onto VLAN B, as you might expect. Even though the client has an IP address that is foreign to its new VLAN, it can still send packets onto the foreign VLAN. Traffic coming toward the client takes a different path. In Figure 19-13, traffic enters the switch on VLAN A and is forwarded to WLC1. Why does it enter VLAN A and not VLAN B, where the client is now located? Remember that the client is still using an IP address it obtained on VLAN A, so it will continue to appear in VLAN A—no matter where it roams within the wireless network. Traffic being sent to the client’s destination address on VLAN A must be forwarded onto VLAN A. Therefore, WLC1 must accept that traffic and forward it onto the appropriate controller that has a current association with the client. WLC1 sends the traffic through the Ether-IP tunnel to WLC2, which in turn sends the traffic through the tunnel to AP2 and to the client
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming Because the client originally joined the WLAN on WLC1, WLC1 will always refer to itself as the client’s anchor point. Any controller that is serving the client from a different subnet is known as a foreign agent.
Roaming in a Cisco Unified Wireless Network Intercontroller Roaming As the client continues to roam, the anchor WLC will follow its movement by shifting the Ether-IP tunnel to connect with the client’s foreign WLC