BRKEWN-2010
Cisco Public
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Controller-Based Architecture Overview
CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller and is based on LWAPP. CAPWAP carries control and data traffic between the two.
Control plane is DTLS encrypted
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
Figure: Wi-Fi client, access point, CAPWAP control plane and data path to the controller, business application
BRKEWN-2010 2012 Cisco and/or its affiliates. All rights reserved.
CAPWAP Modes: Split MAC
Figure: STA - WTP - AC; the wireless frame (wireless PHY, MAC sublayer) is carried from the WTP over the CAPWAP data plane and delivered by the AC as an 802.3 frame
CAPWAP Modes: Local MAC
Local MAC mode of operation allows the data frames to be either locally bridged or tunneled to the AC as 802.3 frames.
Figure: STA - WTP - AC; the WTP terminates the wireless PHY/MAC sublayer and either bridges the 802.3 frame locally or tunnels it over the CAPWAP data plane as an 802.3 frame
Figure: CAPWAP AP state machine - Discovery, Image Data, Config, Run
AP Controller Discovery
Controller Discovery Order
Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs): a broadcast message is sent to discover a controller on the local subnet
Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails:
Previously learned or primed controllers
Subnet broadcast
DHCP option 43
DNS lookup
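The DHCP option 43 step in the discovery order above is where a hand-typed hex string quietly sends APs to the wrong controller. The following Python is an added example, not code from the deck: it builds and validates the vendor-specific payload Cisco lightweight APs expect (sub-option type 0xf1, a length byte, then the controller management IPv4 addresses, the documented Cisco encoding) and renders it in the `option 43 hex` form used on IOS DHCP pools; the controller addresses are constructed sample values.

```python
import ipaddress

# Sub-option type Cisco lightweight APs look for inside DHCP option 43.
# Format: 0xf1, length = 4 * number of controllers, IPv4 addresses.
# This is the documented Cisco encoding, not something taken from the slides.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Build the option 43 value listing WLC management addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("option 43 value exceeds 255 bytes")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def decode_option43(data):
    """Walk the TLVs in an option 43 value and return the WLC addresses found.

    Raises ValueError on a truncated TLV or a Cisco sub-option whose length is
    not a multiple of 4, the usual symptom of a mistyped hex string.
    Sub-options other than 0xf1 are skipped.
    """
    controllers = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % pos)
        sub_type, length = data[pos], data[pos + 1]
        value = data[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV at offset %d runs past end of option" % pos)
        if sub_type == CISCO_WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("Cisco sub-option length %d is not a multiple of 4" % length)
            controllers.extend(
                str(ipaddress.IPv4Address(value[i : i + 4])) for i in range(0, length, 4)
            )
        pos += 2 + length
    return controllers


def ios_option43_hex(data):
    """Render the value as IOS DHCP pool syntax, e.g. option 43 hex f108.c0a8.0a05.c0a8.0a06"""
    hexstr = data.hex()
    groups = [hexstr[i : i + 4] for i in range(0, len(hexstr), 4)]
    return "option 43 hex " + ".".join(groups)


def check_option43(data, allowed_controllers):
    """Defensive check: every controller in the option must be a known WLC.

    Returns the list of unexpected addresses (empty when the option is clean).
    """
    allowed = set(allowed_controllers)
    return [c for c in decode_option43(data) if c not in allowed]


if __name__ == "__main__":
    # Constructed sample values standing in for the two WLC management interfaces.
    wlcs = ["192.168.10.5", "192.168.10.6"]
    opt = encode_option43(wlcs)
    print(ios_option43_hex(opt))        # option 43 hex f108.c0a8.0a05.c0a8.0a06
    print(decode_option43(opt))         # ['192.168.10.5', '192.168.10.6']
    # A value whose length byte says 8 but which carries only 5 bytes is rejected.
    try:
        decode_option43(bytes.fromhex("f108c0a80a05c0"))
    except ValueError as err:
        print("rejected:", err)
```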
AP Port Configuration
ip forward-protocol udp 5246
interface vlan <SVC>
 ip helper-address <WLC1managementInterface>
 ip helper-address <WLC2managementInterface>
Mobility in the Cisco Unified WLAN Architecture
Mobility Defined
Mobility is a key reason for wireless networks. Mobility means the end-user device is capable of moving location in the networked environment.
Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it is mobile. Mobility presents new challenges:
Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
Need to support client roaming that is seamless (fast) and preserves security
Mobility Group
Mobility messages are exchanged between controllers. Data is tunneled between controllers in EtherIP (RFC 3378).
Figure: mobility group "MyMobilityGroup" with Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02) and Controller-C (AA:AA:AA:AA:AA:03); each controller lists the others as its mobility group neighbors, and mobility messages and Ethernet-in-IP tunnels run between them
All this can take on the order of seconds. Can we make this faster?
Roaming Requirements
Roaming must be fast. Latency can be introduced by:
Client channel scanning and AP selection algorithms
Re-authentication of the client device and re-keying
Refreshing of the IP address
WPA/WPAv2 Personal: a new session key for encryption is derived via the standard handshakes
802.1X, 802.11i, WPA/WPAv2 Enterprise: the client must be re-authenticated and a new session key derived for encryption
Eliminating the (re)IP address acquisition challenge
Eliminating full 802.1X/EAP reauthentication
Intra-Controller Roaming: Layer 2
An intra-controller roam happens when a client moves association between APs joined to the same controller. The client must be reauthenticated and a new security session established.
Figure: WLC-1 client database holding the client data (MAC, IP, QoS, security) on VLAN X; WLC-2 client database
Intra-Controller Roaming: Layer 2 (Cont.)
Figure: client data (MAC, IP, QoS, security) in the WLC-2 client database on VLAN X; mobility message exchange
Intra-Controller Roaming: Layer 3
Figure: WLC-1 client database with the client data (MAC, IP, QoS, security) on VLAN X; the client data is also held for VLAN Z at WLC-2
Figure: client data (MAC, IP, QoS, security) in the WLC-1 client database; mobility message exchange and data tunnel to WLC-2, the foreign controller
Roaming: Inter-Controller Layer 3
L3 inter-controller roam: the STA moves association between APs joined to different controllers, and the client traffic is bridged onto different subnets
Client must be re-authenticated and a new security session established
Client database entry copied to the new controller; an entry exists in both WLC client DBs
Original controller tagged as the anchor, new controller tagged as the foreign
WLCs must be in the same mobility group or domain
No IP address refresh needed
Symmetric traffic path established; the asymmetric option has been eliminated as of the 6.0 release
Account for mobility message exchange in network design
Figure: client roaming from AP1 to AP2; Cisco AAA server (ACS or ISE) across the WAN performs (1) the 802.1X initial authentication transaction
802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms on the roam.
What is 802.11r?
An IEEE standard which defines a new concept of roaming
Handshake with the new AP is done even before the client roams
More secure due to 3 levels of key hierarchy
Standard defines 2 methods of roaming: Over-the-Air and Over-the-DS
The Association Response frame is expanded, therefore older client drivers may not understand the 11r response frame. Therefore, in some customer sites, 11r roaming may require an additional SSID.
New in 7.2MR1
Figure: 802.11r fast transition; the client, associated with the old AP (AP1), exchanges an authentication request/response and a reassociation request/response with the new AP (AP2, 3, 4) in the roaming direction
802.11r
To enable 11r, check Fast Transition in Layer 2 security. Add Over the DS if you choose to reduce the over-the-air transactions. Adding WPA2 provides the option of support for 11r.
L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider worst-case scenarios in designing the roaming domain size. Leverage natural roaming domain boundaries.
Mobility message transport selection: multicast vs. unicast. Make sure the right ports and protocols are allowed.
3K AP Setup in WNBU
Architecture Building Blocks
Other Highlights
IPv6 Mobility
802.11u/MSAP
11n throughput enhancements
Flex: ACL, AAA override, P2P
AP3600
800 Series ISR
CleanAir classifiers
TrustSec SXP
AP Groups and Profiles
OEAP600 enhancements with WLC: manual power, channel, disable Ethernet port
StadiumVision Mobile with larger DTIM queue and dynamic multicast data rates per AP
VideoStream QoS
CCX Lite
WiSM2 Specifications at a Glance
Access Points: 100-1000
Clients: 15,000 (and 5000 tags)
I/O: 20G
APs in Mobility Domain: 72,000
Concurrent AP Joins: 1000
Physical Controllers: 1
Power: 225 W
Other figures on the slide: 24,000; 7,000 APs and 105,000 clients
Figure: Catalyst 6500 aggregation chassis (Agg 6k) hosting WiSM2 (wireless), NAM3 and ASA-SM (security, wireless security); access layer 2k/3k/4k switches
Controller Portfolio
                                               WiSM-2                                 5500
Number of Access Points                        500, 1000 (7.2)                        12, 25, 50, 100, 250, 500
Throughput                                     Up to 10 Gbps / 20 Gbps (7.2)          Up to 8 Gbps
Clients                                        Up to 10,000                           Up to 7,000
Concurrent AP Upgrades/Joins                   Up to 500                              Up to 500
Network I/O                                    Cisco Catalyst 6000 Series backplane   Up to 8 x 1 Gbps SFPs
Mobility Domain Size                           Up to 36,000 APs, 72,000 APs (7.2)     Up to 36,000 APs
Number of Controllers per Physical Device      1                                      1
Power Consumption                              225 W                                  125 W
AP Count Upgrade via Licensing                 Yes                                    Yes
Encrypted Data Link Between AP and Controller  Yes                                    Yes
OfficeExtend Solution                          Yes                                    Yes
Smaller platforms (rows: Deployment Model, Form Factor, IO Interface, Upgrade Licenses, Device Supported On): Access Points 5-50 and 5-10, Clients 500, Throughput 500 Mbps
2012 Cisco and/or its affiliates. All rights reserved.
Mission Critical 802.11n WiFi
AP 3600
Series        Data rate / MIMO
3500 Series   300 Mbps, 2x3:2
1260 Series   300 Mbps, 2x3:2
1140 Series   300 Mbps, 2x3:2
1040 Series   300 Mbps, 2x2:2
600 Series    300 Mbps, 2x2:2
1550 Series   300 Mbps, 2x3:2 on 2.4 GHz
Feature rows per model: ClientLink 2.0, BandSelect, VideoStream, Rogue AP Detection, Adaptive wIPS, OfficeExtend, FlexConnect, Wireless Mesh, Data Uplink (Mbps), Power, Operating temperature
Data uplink / power values shown: 10/100/1000 with 802.3af; 10/100 with 100 to 240 VAC, 50-60 Hz; by model number (see the AP AAG)
Operating temperature values shown: 0 to 40C; -20 to 55C; -40 to 131C
Deploying the Cisco Unified Wireless Architecture
Controller Redundancy: Dynamic
Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers
Results in a dynamic salt-and-pepper design
Design works better when controllers are clustered in a centralized design
Pros
Easy to deploy and configure; less upfront work
APs dynamically load-balance (though never perfectly)
Cons
More inter-controller roaming
Bigger operational challenges due to unpredictability
Longer failover times
No fallback option in the event of controller failure
Figure: AP1-AP9 spread salt-and-pepper across WLC1 and WLC2
Cisco's general recommendation is: only for Layer 2 roaming; use deterministic redundancy instead of dynamic redundancy
Controller Redundancy: Deterministic
Figure: WLAN-Controller-A, WLAN-Controller-B and WLAN-Controller-C; AP groups configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C; Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A; Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B
Pros
Predictability; easier operational management
More network stability
More flexible and powerful redundancy design options
Faster failover times
Fallback option in the case of failover
Con
More upfront planning and configuration
Controller Redundancy: Most Common (N+1)
Redundant WLC in a geographically separate location
Layer 3 connectivity between the APs connected to the primary WLC and the redundant WLC
Redundant WLC need not be part of the same mobility group
Figure: WLAN-Controller-1 at the site, WLAN-Controller-BKP in the NOC or data center
Controller Redundancy: Architecture Resiliency
N:1 Redundancy: WLAN-Controller-1, WLAN-Controller-2, ... WLAN-Controller-n at the sites, WLAN-Controller-BKP in the NOC or data center
N:N Redundancy: WLAN-Controller-A, WLAN-Controller-B, WLAN-Controller-C; APs configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B, Tertiary: WLAN-Controller-C; Primary: WLAN-Controller-B, Secondary: WLAN-Controller-C, Tertiary: WLAN-Controller-A; Primary: WLAN-Controller-C, Secondary: WLAN-Controller-A, Tertiary: WLAN-Controller-B
N:N:1 Redundancy: WLAN-Controller-A and WLAN-Controller-B; APs configured with Primary: WLAN-Controller-A, Secondary: WLAN-Controller-B
Figure: primary and secondary WLC 5508 attached to the core switches; traffic flows through the secondary WLC 5508 and the primary core switch
In case of hardware failure of the primary WiSM-2, APs fall back to the secondary WiSM-2.
Figure: primary and secondary WiSM-2; traffic flows through the secondary WiSM-2 and the primary core switch
Figure: Cisco 5508 controllers, authentication and wireless services attached to a Nexus 7000 core with dual ISP1/ISP2 uplinks
Layer 3 to the access layer
Higher 10 Gigabit capacity
More extensive virtualization capabilities
Figure: primary WLC and secondary WLC
New Timers in 7.2
Heartbeat Timeout: 1-30 secs
Fast Heartbeat Timer: 1-10 secs
AP Retransmit Interval: 2-5 secs
AP Retransmit with FH Enabled: 3-8 times
AP Fallback to next WLC: 12 secs
AP Failover Priority
In case of WLC failure, the backup WLC suddenly receives multiple Discovery and Join requests from APs.
Enable AP Failover Priority globally: Wireless > Access Points > Global Configuration > AP Failover Priority
In a failover situation when the backup controller is saturated, the higher priority access points are allowed to join the backup controller by disjoining the lower priority access points.
Assign priority on a per-AP basis: WLC > All APs > Details for AP > High Availability
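The deterministic primary/secondary/tertiary scheme from the redundancy slides and the failover-priority rule above combine into a worst-case capacity question that is easy to get wrong by hand. The Python below is an added example, not anything from the deck: it simulates where each AP lands when one or more controllers fail, with a higher-priority AP displacing the lowest-priority AP on a saturated controller; the controller names, capacities and AP list are constructed, and the join order is a simplification of the real discovery process.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AP:
    name: str
    controllers: tuple   # (primary, secondary, tertiary) as set under High Availability
    priority: int        # failover priority; higher wins on a saturated controller


def place_aps(aps, capacity, failed):
    """Simulate AP joins after the controllers in `failed` are gone.

    Each AP tries primary, secondary, tertiary in turn. A saturated controller
    admits the AP only by disjoining a joined AP of strictly lower priority;
    the disjoined AP then goes through discovery again. Returns
    (placement, stranded, preempted): placement maps AP name -> controller
    (None when no controller could take it), stranded lists those APs, and
    preempted records (victim, controller, winner) events.
    """
    joined = {wlc: [] for wlc in capacity}
    placement = {}
    preempted = []
    queue = deque(aps)
    while queue:
        ap = queue.popleft()
        placement[ap.name] = None
        for wlc in ap.controllers:
            if wlc in failed or wlc not in capacity:
                continue
            if len(joined[wlc]) < capacity[wlc]:
                joined[wlc].append(ap)
                placement[ap.name] = wlc
                break
            if not joined[wlc]:
                continue   # zero-capacity controller, nothing to preempt
            victim = min(joined[wlc], key=lambda a: (a.priority, a.name))
            if victim.priority < ap.priority:
                joined[wlc].remove(victim)
                placement[victim.name] = None
                preempted.append((victim.name, wlc, ap.name))
                queue.append(victim)          # victim rediscovers from its primary
                joined[wlc].append(ap)
                placement[ap.name] = wlc
                break
    stranded = sorted(name for name, wlc in placement.items() if wlc is None)
    return placement, stranded, preempted


def worst_case_single_failure(aps, capacity):
    """Stranded APs for each possible single-controller failure."""
    return {wlc: place_aps(aps, capacity, {wlc})[1] for wlc in capacity}


# Constructed sample design: three controllers with N:N round-robin assignments.
CAPACITY = {"WLC-A": 3, "WLC-B": 3, "WLC-C": 3}
APS = [
    AP("AP1", ("WLC-A", "WLC-B", "WLC-C"), 1),
    AP("AP2", ("WLC-A", "WLC-B", "WLC-C"), 4),   # critical AP
    AP("AP3", ("WLC-B", "WLC-C", "WLC-A"), 1),
    AP("AP4", ("WLC-B", "WLC-C", "WLC-A"), 2),
    AP("AP5", ("WLC-C", "WLC-A", "WLC-B"), 1),
    AP("AP6", ("WLC-C", "WLC-A", "WLC-B"), 3),
]

if __name__ == "__main__":
    placement, stranded, preempted = place_aps(APS, CAPACITY, {"WLC-A"})
    print("WLC-A down:", placement, "preempted:", preempted)
    print("single-failure worst case:", worst_case_single_failure(APS, CAPACITY))
    _, stranded, _ = place_aps(APS, CAPACITY, {"WLC-A", "WLC-B"})
    print("WLC-A and WLC-B down, stranded:", stranded)   # ['AP1', 'AP3', 'AP5']
```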
AP Pre-Image Download
Since most CAPWAP APs can download and keep more than one image of 45 MB each, AP pre-image download allows the AP to download code while it is operational.
Pre-image download operation:
1. Upgrade the image on the controller
2. Don't reboot the controller
3. Issue the AP pre-image download command
4. Once all AP images are downloaded
5. Reboot the controller
6. AP now rejoins the controller without reboot
Figure: campus design with CAPWAP (Layer 3) from the access points through the access switches (VLAN 10,11,12 and VLAN 20,21,22) to the wireless controllers in the data centre; the controllers speak NMSP to the Mobility Services Engine and SNMP to the Network Control System, and the MSE speaks SOAP/XML/SNMP to the NCS
Extremely resilient: rapid reconvergence on link loss due to extensive use of EtherChannel
Option in the Aux switch for use of dual Supervisors for improved availability
Figure: the same campus design with the controllers dual-homed to a VSS switch pair; access switches with VLAN 10,11,12 and VLAN 20,21,22, auxiliary switches, and the controllers in the data centre with NMSP to the Mobility Services Engine and SNMP / SOAP/XML/SNMP to the Network Control System
Option for use of VSS for even greater resiliency, as well as a simplified design
Rapid reconvergence on link loss due to extensive use of EtherChannel
Option to eliminate Aux switches in this design, as controllers are dual-homed to the VSS switch pair
Figure: the same campus design with anchor controllers for guest SSIDs; EoIP tunnels from the wireless controllers to the anchor wireless controller at the Internet edge, with a guest DHCP/DNS server, out to the Internet
Option showing use of anchor controllers for use with guest SSIDs
2012 Cisco and/or its affiliates. All rights reserved.
Any given WLAN can be mapped to different dynamic interfaces in different AP groups.
AP groups supported per platform: WLC 2106: 50; WLC 2504: 50; WLC 4400 and WiSM: 300; WLC 5508 and WiSM-2: 500; WLC 7500: 500
AP-Grouping in Campus
Figure: without AP groups a single SSID (Employee) maps to one VLAN 100 (/21) across every access/distribution block; CAPWAP runs through the core to WLC-1, with the WAN and Internet at the core
AP-Grouping in Campus
Figure: AP-Group-1 on VLAN 60 /23, AP-Group-2 on VLAN 70 /23 and AP-Group-3 on VLAN 80 /23, each in its own access/distribution block; CAPWAP runs through the core to WLC-1 in the data center, with the WAN and Internet at the core
2012 Cisco and/or its affiliates. All rights reserved.
Figure: WLC screenshots - the Default AP Group (network name) and multiple AP groups (AP Group 1, AP Group 2, AP Group 3)
Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces, in round-robin fashion.
Extends the current AP group and AAA override with multiple interfaces, using interface groups.
Controllers: Interface-Groups/Interfaces 64/64, 32/32, 4/4
Interface-Grouping in Campus
Figure: Int-Group-1 with VLAN 60 /23 and VLAN 61 /23, Int-Group-2 with VLAN 70 /23 and VLAN 71 /23, and Int-Group-3, each on its own access/distribution block; LWAPP/CAPWAP runs through the core to WLC-1 and WLC-2 in the data center, with the WAN and Internet at the core
2012 Cisco and/or its affiliates. All rights reserved.
Figure: WLC screenshot - multiple interface groups (Interface Group 1, Interface Group 2, Interface Group 3)
RF-Profiles
7.2
RF Profiles allow the administrator to tune groups of APs sharing a common coverage zone together, selectively changing how RRM operates the APs within that coverage zone.
RF Profiles are created for either the 2.4 GHz radio or the 5 GHz radio.
Profiles are applied to groups of APs belonging to an AP Group; all APs in the group will have the same profile settings.
RF Profiles
Create an RF profile for the a or b/g radio
Select, if required, the minimum and/or maximum TPC settings
Select a custom TPC power threshold for either Version 1 or Version 2 of TPC
Select the data rates to be applied to the APs
Figure: RF-Profile-1, RF-Profile-2 (VLAN 70 /23, VLAN 71 /23) and RF-Profile-3 applied to separate access/distribution blocks; LWAPP/CAPWAP runs through the core to WLC-1 and WLC-2 in the data center, with the WAN and Internet at the core
Figure: WLC screenshot - multiple RF profiles (RF Profile 1, RF Profile 2, RF Profile 3)
2012 Cisco and/or its affiliates. All rights reserved.
Design Recommendations
Use the 5508 with N+1 redundancy (recommended) or WiSM2 with N+N redundancy
Use Link Aggregation across multiple chassis or line cards for N+1 redundancy when using 5508 WLAN controllers
Use large subnets (e.g., /21) to minimize L3 roaming, or VLAN Select (aka Interface Groups)
Group APs on controllers to minimize inter-controller roaming (i.e., create natural roaming boundaries)
Use separate controllers or AP groups for low-volume legacy devices (e.g., 802.11b ticket scanners)
Software version 7.2.103.0 or higher
NCS 1.1 for network management
Figure: IPv4-only and IPv6-only clients
Figure: CAPWAP tunnel
IPv6 ICMPv6 multicast messages are sent to all clients (including L3-roamed clients) at low data rates.
All IPv6 packets are bridged on the VLAN, transmitting unnecessary ICMPv6 messages in both directions.
In releases prior to 7.2, enabling IPv6 bridging provided a limited solution with no Layer 3 mobility and non-optimized delivery of essential ICMPv6 messages to clients.
Figure: CAPWAP tunnel
IPv6 ICMPv6 multicast messages are unicast to each client at high data rates.
IPv6 ICMPv6 messages are interpreted by the controller and forwarded only as needed.
In release 7.2, the controller now processes ICMPv6 messages, allowing for optimized delivery, Layer 3 mobility and first-hop security.
Figure: 802.11 client, CAPWAP tunnel, IPv6 network
Supports IPv4, dual-stack and native IPv6 clients on a single WLAN simultaneously
Supports the following IPv6 address assignment for wireless clients:
IPv6 Stateless Autoconfiguration [SLAAC]
Stateless and Stateful DHCPv6
Static IPv6 configuration
Supports up to 8 IPv6 addresses per client
Clients will be able to pass traffic once IPv4 or IPv6 address assignment is completed after successful authentication
Figure: router advertisements for VLAN 100 and VLAN 200 (Router 2) carried over the CAPWAP tunnel to the access point
Access points keep track of individual clients and unicast the Router Advertisement to the clients depending on the WLAN they belong to.
Access points support up to 16 WLANs/SSIDs for dual-stack clients. To maintain proper routing capability, mobile clients need to have the proper globally unique unicast prefix from the router within their own network.
Clients can be assigned addresses via multiple methods, such as SLAAC and DHCPv6.
Most clients automatically generate a temporary address in addition to their assigned addresses.
7.2
Intelligent IPv6 packet processing
RA follows roaming clients through the mobility tunnel
Reliable connectivity while roaming
Seamless Layer 3 mobility for IPv6 clients
Figure: roaming client; Router 1 and Router 2; the router advertisement travels from the anchor through the mobility tunnel to the foreign WLC and over the CAPWAP tunnel to the client
To address this issue, the roaming client must be able to receive the original router advertisement. The anchor controller sends the RA to the foreign controller in the mobility tunnel. When the access point receives the RA, it converts the multicast RA to unicast (MC2UC) and sends the RA to each client individually.
Figure: Router 1, Router 2, DHCPv6 / RA reply
Whenever a new IPv6 address is learned at the anchor, the new address is sent in a mobility message to the foreign controller.
7.2
Figure: CAPWAP tunnel
Two ACL profiles (one for IPv4 and one for IPv6) are supported per dual-stack client.
ACL profiles for wireless clients can be configured on the wireless controller or provided by the AAA server.
The AAA server can send both IPv4 and IPv6 ACL attributes for dual-stack clients after successful user authentication.
7.2
Chatty IPv6 packets, a busy network and high CPU; addressed by intelligent processing of IPv6 packets with proxy and rate limiting
7.2
NCS tracks IPv6 client addresses, client IP version distribution and trending; MSE tracks IPv6 client locations
Prepares the admin for IPv6 troubleshooting and address planning
Provides client traceability
Management system for wired + wireless, IPv4 + IPv6
Cisco NCS 1.1 Provides Comprehensive IPv6 Client Visibility and Monitoring
Visibility: recognition of IPv6 global and link-local addresses
Since IPv6 clients can change addresses so often (sometimes one per day with temporary addresses), they need to be tracked over time. This is needed for tracking down attacks or copyright infringement violations that need to be audited all the way back to the user.
Figure: central site and remote office across the WAN; centralized traffic is carried to the central site, local traffic is switched at the remote office
Mesh AP
WGB and Universal WGB
VideoStream
IPv6 L3 Mobility
SXP TrustSec
AAA ACL and QoS override
See the full list in the H-REAP Feature Matrix:
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Key Differentiation
WAN Tolerance: high latency networks
WAN Survivability
Security: 802.1X based port authentication
Voice support: Voice CAC, OKC/CCKM
Access Points: 300 - 3,000
Clients: 30,000
Branches: 1000
Access Points / Branch: 50
Deployment Model: FlexConnect
Form Factor: 1 RU
IO Interface: 2x 10GE
Upgrade Licenses: 100, 200, 500, 1K
Scaling information
Figure: central site, WAN, FlexConnect Group 1 at the remote site
Scaling               Flex 7500   CT-5508   WiSM2   CT-2504
FlexConnect Groups    1000        100       100     20
AP per Flex Group     50          25        25      25
Smart AP Image Upgrade uses a master AP in each FlexConnect Group to download the code. The other FlexConnect APs download the code from the master locally.
1. Download the upgraded WLC firmware (it will become primary)
2. Force the boot image to be the secondary (and not the newly upgraded one) to avoid a parallel download by all APs in case of an unexpected WLC reboot
3. The WLC elects a master AP in each FlexConnect Group (it can also be set manually)
New in 7.2
Figure: central site WLC, WAN, Remote Site-1 to Remote Site-N, each with a master AP
The FlexConnect AP Upgrade checkbox has to be enabled for each FlexConnect Group. By default, the master AP for each FlexConnect Group is selected using the lower-MAC algorithm. One master is selected per AP type.
2012 Cisco and/or its affiliates. All rights reserved.
Figure: central site, WAN, remote site with application server
Step 3: provision to assign separate inbound and outbound ACLs
New in 7.2
Figure: central site, WAN, application server
Both modes of operation will drop the packet; multiple policy touch points at the AP for a local-switching-enabled WLAN
* A central-switching WLAN will support Forward-Upstream and will send the packet to the next upstream node connected to the WLC
New in 7.2
Figure: FlexConnect Group 1 at the remote site with VLAN 3 and VLAN 7, application server across the WAN; ISE across the WAN
New in 7.2
Figure: Flex AP at the remote site with its local network, corporate WAN, centralized WLC
3. Client associates to the locally switched WLAN
4. DHCP traffic is allowed and switched locally to the orange VLAN; the client gets an IP address from the local network
5. Client browses to www.cisco.com; the DNS request is allowed and switched locally
6. HTTP traffic to www.cisco.com is not allowed by the ACL, so it goes to the WLC in the CAPWAP tunnel
7. The WLC redirects the traffic to the external web page
8. The client opens an HTTP session to the external server; the traffic is allowed by the ACL and hence is locally switched
2012 Cisco and/or its affiliates. All rights reserved.
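Steps 3 to 8 above describe how the FlexConnect AP decides, flow by flow, whether an unauthenticated client's traffic is switched locally or carried over CAPWAP to the WLC for the web-auth redirect. The Python below is an added illustration of that decision logic, not Cisco code: the pre-authentication ACL, the external web server and resolver addresses, and the "drop anything else" behaviour for non-HTTP traffic are constructed assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str          # "udp" or "tcp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "any"
    dst_ip: str = "any"             # exact host or "any" (no prefix matching in this model)
    dst_port: Optional[int] = None  # None matches every port


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.proto in ("any", flow.proto)
        and rule.dst_ip in ("any", flow.dst_ip)
        and (rule.dst_port is None or rule.dst_port == flow.dst_port)
    )


def acl_permits(acl, flow: Flow) -> bool:
    """First matching rule wins; no match means implicit deny."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action == "permit"
    return False


# Constructed pre-authentication ACL mirroring the walk-through: DHCP and DNS
# are permitted locally, as is traffic to the external web-auth server; the
# rest is not permitted and therefore goes to the WLC.
EXTERNAL_WEB_SERVER = "203.0.113.10"   # constructed placeholder address
PREAUTH_ACL = [
    Rule("permit", proto="udp", dst_port=67),                  # DHCP (step 4)
    Rule("permit", proto="udp", dst_port=53),                  # DNS (step 5)
    Rule("permit", proto="tcp", dst_ip=EXTERNAL_WEB_SERVER),   # redirect target (step 8)
    Rule("deny"),
]


def flex_ap_decision(flow: Flow, authenticated: bool, acl=PREAUTH_ACL) -> str:
    """Where the Flex AP sends a frame on a locally switched WLAN.

    'local'   : switched onto the local VLAN at the remote site
    'central' : not permitted by the ACL; tunnelled over CAPWAP to the WLC,
                which answers HTTP with the redirect (steps 6 and 7)
    'drop'    : model assumption: non-HTTP traffic the ACL does not permit
                is dropped rather than tunnelled
    """
    if authenticated:
        return "local"           # after web-auth, everything is switched locally
    if acl_permits(acl, flow):
        return "local"
    if flow.proto == "tcp" and flow.dst_port == 80:
        return "central"
    return "drop"


def walk_through(flows, acl=PREAUTH_ACL):
    """Replay a flow sequence; the client counts as authenticated once it has
    reached the external web server (this model's stand-in for a completed login)."""
    authenticated = False
    trace = []
    for flow in flows:
        decision = flex_ap_decision(flow, authenticated, acl)
        trace.append((flow.dst_ip, flow.dst_port, decision))
        if decision == "local" and flow.dst_ip == EXTERNAL_WEB_SERVER:
            authenticated = True
    return trace


if __name__ == "__main__":
    # Constructed flows following steps 4-8 of the slide, then post-login browsing.
    steps = [
        Flow("udp", "255.255.255.255", 67),    # 4: DHCP discover
        Flow("udp", "192.0.2.53", 53),         # 5: DNS lookup for www.cisco.com
        Flow("tcp", "198.51.100.20", 80),      # 6: HTTP to www.cisco.com -> WLC redirect
        Flow("tcp", EXTERNAL_WEB_SERVER, 80),  # 8: HTTP to the redirect target, local
        Flow("tcp", "198.51.100.20", 443),     # after login: switched locally
    ]
    for row in walk_through(steps):
        print(row)
```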
During the initial 802.1X exchange with ISE, the client is provided with a URL/ACL for ISE. The client does web auth with ISE. Once the device is profiled, ISE uses CoA to assign a device-specific VLAN.
Figure: CoA / VLAN 109
Figure: controller, L3/L2 switch, RAP (Root AP), 5 GHz backhaul, MAP (Mesh AP)
Indoor AP parity with outdoor: RAP (1520 & 1550) only
Local Mode
FlexConnect Mode
No MAP functionality in this release
Flex Mode will have support for central and local switching
Figure: headquarters and branch office connected over MPLS / ATM / Frame Relay, small office over Internet VPN; e-mail
Appliance controllers: Cisco 2504-12, Cisco 5508-12, 5508-25
Integrated controller: WLAN controller module (WLCM-2) for ISR G2
WLCM-2 **
** AP count varies depending on channel utilization and data rates
2012 Cisco and/or its affiliates. All rights reserved.
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers
Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
Original guest Ethernet frame maintained across the CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the anchor WLC
2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role)
Figure: guest traffic carried over CAPWAP to the remote controller, then through an EoIP guest tunnel to the DMZ or anchor wireless controller behind the Cisco ASA firewall and out to the Internet
2012 Cisco and/or its affiliates. All rights reserved.
Figure: Anchor2 in the DMZ; campus core with ACS/ISE; foreign WLCs with wireless VLANs/interface groups (Wireless VLAN-1/WLANA, VLAN2/WLANA, VLAN3/WLANA, VLAN-4/WLANA) carrying guest and secure SSIDs
Figure: headquarters connected over ATM / Frame Relay and Internet VPN; family Internet access over a locally configured SSID
OEAP 600
802.11n AP with dual concurrent 2.4 GHz and 5 GHz radios for the teleworker home
4 local Ethernet ports: 1 corporate-bound port, 3 for local Ethernet devices
Up to 4 clients behind the corporate port
Corporate SSID and user-configurable personal SSID
Traffic segmenting supported (corporate vs. personal traffic)
Local DHCP and NAT support
Control and data plane encryption
2012 Cisco and/or its affiliates. All rights reserved.
Documentation
Aironet 600 Series OEAP Access Point Configuration Guide
http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml
Wireless Services Module 2 (WiSM2) Deployment Guide
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in the World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
Facebook: https://www.facebook.com/ciscoliveus
Twitter: https://twitter.com/#!/CiscoLive
LinkedIn Group: http://linkd.in/CiscoLI