Cisco Unified Wireless Network Overview

DESCRIPTION

Cisco WLAN unified architecture: CAPWAP protocol, split MAC, architecture building blocks, mobility, deploying CUWN.

TRANSCRIPT

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 1

    Cisco Unified Wireless Network Overview

    Steve Acker, Wireless Advanced Services, Network Consulting Engineer, CCIE#14097, CISSP#86844, CWSP

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 2

    Agenda

    Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Architecture Building Blocks; Deploying the Cisco Unified Wireless Architecture


  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 4

    Cisco Unified Wireless Network Architecture Overview

    Components of the architecture (figure):

    Lightweight Access Points: 802.11n and 802.11a/g; managed by the controller using CAPWAP

    Wireless LAN Controller: highly scalable; real-time RF visibility and control

    Wireless Control System (WCS): easily configures WLAN controllers using SNMP; monitors and migrates standalone access points (802.11n standalone access points)

    Mobility Services Engine (MSE): built-in support for mobility services, Context-Aware Services (location) and the Adaptive Wireless Intrusion Prevention System (wIPS)

    Wired and wireless guest access

    Client devices and Wi-Fi tags

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 5

    Understanding WLAN Controllers: 1st/2nd Generation vs. 3rd Generation Approach

    1st/2nd generation: APs act as an 802.1Q translational bridge, putting client traffic on local VLANs (figure: the data, voice and management VLANs extend to the AP)

    3rd generation: the controller bridges client traffic centrally (figure: the AP carries client traffic to the controller in an LWAPP/CAPWAP tunnel, and the data, voice and management VLANs terminate at the controller)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 6

    Centralized Wireless LAN Architecture: What Is CAPWAP?

    CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between APs and the WLAN controller; it is based on LWAPP

    CAPWAP carries both control and data traffic between the two: the control plane is DTLS encrypted (Datagram Transport Layer Security); DTLS encryption of the data plane is optional

    LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless

    Figure: access point and CAPWAP controller joined by separate control plane and data plane paths, with the Wi-Fi client on one side and the business application on the other

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 7

    CAPWAP Modes: Split MAC

    The CAPWAP protocol supports two modes of operation: Split MAC (centralized mode) and Local MAC (H-REAP)

    Figure, Split MAC: the STA's wireless frame is received by the AP's wireless PHY and MAC sublayer, carried to the WLC inside the CAPWAP data plane, and leaves the WLC as an 802.3 frame

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 8

    CAPWAP Modes: Split MAC

    One of the key concepts of LWAPP is the concept of split MAC

    The real-time RF part of 802.11 protocol operation (beacons, probe responses, acknowledgements, retransmissions, over-the-air encryption) is managed by the LWAPP AP

    The non-real-time parts of the 802.11 protocol (association, authentication, key management, policy) are managed by the WLC

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 9

    CAPWAP Modes - Local MAC

    Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames

    Figure, locally bridged: the STA's wireless frame is terminated by the AP's wireless PHY and MAC sublayer and bridged onto the local wired network as an 802.3 frame; only control traffic reaches the WLC

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 10

    CAPWAP Modes: Local MAC

    Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames

    Figure, tunneled as 802.3 frames: the AP's wireless PHY and MAC sublayer terminate the STA's wireless frame, the AP converts it to an 802.3 frame and sends it to the WLC inside the CAPWAP data plane

    H-REAP supports locally bridged MAC and split MAC per SSID

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 11

    CAPWAP State Machine

    AP boots up -> Discovery -> DTLS Setup -> Join -> Image Data -> Config -> Run; a Reset returns the AP to Discovery

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 12

    AP Controller Discovery

    Layer 2 join procedure: attempted only on LWAPP APs (CAPWAP does not support Layer 2 APs); a broadcast message is sent to discover a controller on the local subnet

    Layer 3 join process: used by CAPWAP APs, and by LWAPP APs after the Layer 2 attempt fails

    Controller discovery order: previously learned or primed controllers, subnet broadcast, DHCP option 43, DNS lookup
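The Discovery Request that opens the state machine above, as an added example (this is not code from the deck or from Cisco): it builds the message an AP sends in the Discovery state and parses it back. Header layout and element type numbers follow RFC 5415; the sample values (sequence number, DHCP as the discovery type, Split MAC with native 802.11 frame tunnelling) are constructed. The WTP MAC Type and WTP Frame Tunnel Mode elements are the fields in which the AP advertises the split MAC versus local MAC modes of slides 7 to 10.

```python
"""CAPWAP control message build/parse: transport header + control header (RFC 5415).

Added example, not code from the Cisco deck. It builds the Discovery Request an AP
sends in the Discovery state and parses it back. Element type numbers and bit
layouts follow RFC 5415 sections 4.3, 4.5 and 4.6; all sample values are constructed.
"""
import struct

CAPWAP_CONTROL_PORT = 5246        # UDP control channel; the data channel is 5247

# Control message types (RFC 5415 4.5.1.1)
DISCOVERY_REQUEST, DISCOVERY_RESPONSE = 1, 2
JOIN_REQUEST, JOIN_RESPONSE = 3, 4
ECHO_REQUEST, ECHO_RESPONSE = 13, 14

# Message element types (RFC 5415 4.6) and the values used here
ELEM_DISCOVERY_TYPE = 20          # 0 unknown, 1 static, 2 DHCP, 3 DNS, 4 AC referral
ELEM_WTP_FRAME_TUNNEL_MODE = 41   # bit flags: 0x08 native 802.11, 0x04 802.3, 0x02 local bridging
ELEM_WTP_MAC_TYPE = 44            # 0 Local MAC, 1 Split MAC, 2 both

WBID_IEEE80211 = 1                # wireless binding ID for 802.11


def element(elem_type, value):
    """One message element: 16-bit type, 16-bit length, value."""
    return struct.pack("!HH", elem_type, len(value)) + value


def build_control(msg_type, seq, elements):
    """Transport header with no optional fields (HLEN = 2 four-byte words) + control header."""
    hlen, rid, bit_flags = 2, 0, 0   # T/F/L/W/M/K and the 3 reserved flag bits all clear
    # word 1: preamble (version 0, type 0 = plain CAPWAP) | HLEN | RID | WBID | flag bits
    word1 = (0 << 24) | (hlen << 19) | (rid << 14) | (WBID_IEEE80211 << 9) | bit_flags
    word2 = (0 << 16) | (0 << 3)     # fragment ID, fragment offset: unfragmented
    body = b"".join(elements)
    # Msg Element Length counts every byte after the Sequence Number field:
    # the length field itself (2), the flags octet (1) and all elements.
    control = struct.pack("!IBHB", msg_type, seq, 3 + len(body), 0) + body
    return struct.pack("!II", word1, word2) + control


def build_discovery_request(seq, discovery_type, mac_type, tunnel_mode):
    """What an AP sends (broadcast or to a learned controller) before any DTLS exists."""
    return build_control(DISCOVERY_REQUEST, seq, [
        element(ELEM_DISCOVERY_TYPE, bytes([discovery_type])),
        element(ELEM_WTP_FRAME_TUNNEL_MODE, bytes([tunnel_mode])),
        element(ELEM_WTP_MAC_TYPE, bytes([mac_type])),
    ])


def parse_control(data):
    """Return header/control fields and a {element type: value} map; rejects DTLS and truncation."""
    if len(data) < 16:
        raise ValueError("too short for a CAPWAP control message")
    word1, word2 = struct.unpack("!II", data[:8])
    preamble = word1 >> 24
    if preamble & 0x0F == 1:
        raise ValueError("DTLS-wrapped CAPWAP: decrypt before parsing")
    offset = ((word1 >> 19) & 0x1F) * 4           # HLEN is in 4-byte words
    if len(data) < offset + 8:
        raise ValueError("truncated CAPWAP header")
    msg_type, seq, elem_len, _flags = struct.unpack("!IBHB", data[offset:offset + 8])
    end = offset + 5 + elem_len                   # elem_len is measured from after the seq octet
    if end > len(data):
        raise ValueError("truncated CAPWAP control message")
    elements, pos = {}, offset + 8
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        elements[etype] = data[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return {"version": preamble >> 4, "hlen_bytes": offset, "wbid": (word1 >> 9) & 0x1F,
            "frag_id": word2 >> 16, "msg_type": msg_type, "seq": seq, "elements": elements}


if __name__ == "__main__":
    # Constructed sample: controller learned via DHCP option 43, AP asks for Split MAC
    # with native (802.11) frame tunnelling, i.e. the centralized mode of slides 7-8.
    pkt = build_discovery_request(seq=0, discovery_type=2, mac_type=1, tunnel_mode=0x08)
    print(pkt.hex())
    print(parse_control(pkt))
```

Only the Discovery exchange (and the DTLS handshake that follows it) is visible in cleartext on UDP 5246; once the AP enters the DTLS Setup state every later control message, Join included, carries preamble type 1 and has to be decrypted before a parser like this can read it.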

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 13

    AP Controller Discovery: DHCP Option

    Figure, three steps between the AP, the DHCP server and the controller:

    1. The AP sends a DHCP Request

    2. The DHCP Offer contains Option 43 with the controller address(es)

    3. The AP sends the Layer 3 CAPWAP Discovery Request (the figure shows it broadcast) and receives Layer 3 CAPWAP Discovery Responses
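Encoding the Option 43 value from step 2 above, as an added example that is not part of the deck: Cisco lightweight APs look inside Option 43 for vendor sub-option 241 (0xf1), whose value is the list of controller management IPv4 addresses. The addresses and the pool name are constructed, and the `ios_dhcp_pool_lines` helper only renders the IOS `option 43 hex` stanza as text.

```python
"""DHCP Option 43 (vendor-specific) encoding for CAPWAP controller discovery.

Added example, not from the deck. Cisco lightweight APs read sub-option 241 (0xf1)
from Option 43: one octet type, one octet length (4 * number of controllers), then
the controller management IPv4 addresses. All addresses below are constructed.
"""
import ipaddress

CISCO_AP_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Raw Option 43 value: 0xf1, length, then each controller IPv4 packed big-endian."""
    addrs = [ipaddress.IPv4Address(c).packed for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    return bytes([CISCO_AP_SUBOPTION, 4 * len(addrs)]) + b"".join(addrs)


def decode_option43(raw):
    """Walk every sub-option in an Option 43 value and return the controllers from 0xf1."""
    controllers, pos = [], 0
    while pos + 2 <= len(raw):
        sub_type, sub_len = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("truncated Option 43 sub-option")
        if sub_type == CISCO_AP_SUBOPTION:
            if sub_len % 4 != 0:
                raise ValueError("sub-option 241 length must be a multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[i:i + 4]))
                            for i in range(0, sub_len, 4)]
        pos += 2 + sub_len          # other vendors' sub-options are skipped, not rejected
    return controllers


def ios_dhcp_pool_lines(pool, network, mask, controllers):
    """Render the IOS DHCP pool stanza; IOS takes the value as dotted groups of 4 hex digits."""
    hex_value = encode_option43(controllers).hex()
    dotted = ".".join(hex_value[i:i + 4] for i in range(0, len(hex_value), 4))
    return [f"ip dhcp pool {pool}", f" network {network} {mask}", f" option 43 hex {dotted}"]


if __name__ == "__main__":
    # Constructed: two controllers handed to APs on the 10.10.10.0/24 AP VLAN
    for line in ios_dhcp_pool_lines("AP-POOL", "10.10.10.0", "255.255.255.0",
                                    ["192.168.1.2", "192.168.1.3"]):
        print(line)
    print(decode_option43(encode_option43(["192.168.1.2", "192.168.1.3"])))
```

Option 43 and the DNS answer on the next slide are unauthenticated hints: a rogue DHCP server on the AP VLAN can steer APs toward a controller of its choosing. What keeps that from becoming a silent takeover is the DTLS Setup state that follows discovery, where the AP checks the controller's certificate before it will join; DHCP snooping on AP-facing ports limits even the availability impact.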

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 14

    AP Controller Discovery: DNS Option

    Figure, four steps between the AP, the DHCP server and the DNS server:

    1. The AP sends a DHCP Request

    2. The DHCP Offer contains the DNS server or servers, and Option 15, which gives the AP its local domain name

    3. The AP queries the DNS server for CISCO-CAPWAP-CONTROLLER.localdomain

    4. The DNS server returns the controller address (192.168.1.2 in the figure), and the AP sends its CAPWAP Discovery Request to that address

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 15

    WLAN Controller Selection Algorithm

    The CAPWAP Discovery Response contains important information from the WLAN Controller: controller name, controller type, controller AP capacity, current AP load, Master Controller status, and AP Manager IP address or addresses

    The AP selects a controller to join using the following decision criteria:

    1. Attempt to join a WLAN Controller configured as a Master controller

    2. Attempt to join a WLAN Controller whose name matches the previously configured primary, secondary, or tertiary controller name

    3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing)

    Options 2 and 3 are the two approaches to controller redundancy and AP load balancing: deterministic and dynamic
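The selection rules above as runnable code, an added example rather than the deck's own logic: `DiscoveryResponse` carries the fields the slide lists and `select_controller` applies the three criteria in order. Controller names, capacities and AP Manager addresses are constructed, and treating a controller with no free AP slots as ineligible is an assumption of the example.

```python
"""Controller selection from CAPWAP Discovery Responses (added example, not from the deck).

Criteria, in order: a Master Controller, then the configured primary / secondary /
tertiary name, then the controller with the most free AP slots. Sample data constructed.
"""
from dataclasses import dataclass


@dataclass
class DiscoveryResponse:
    """The fields the slide says a Discovery Response carries."""
    name: str
    controller_type: str
    ap_capacity: int
    ap_load: int
    is_master: bool
    ap_manager_ips: tuple

    @property
    def excess_capacity(self):
        return self.ap_capacity - self.ap_load


def select_controller(responses, primary=None, secondary=None, tertiary=None):
    """Return the response whose controller the AP will send its Join Request to, or None."""
    # Assumption of this example: a controller with no free AP slots is not a candidate.
    candidates = [r for r in responses if r.excess_capacity > 0]
    if not candidates:
        return None
    # 1. A controller flagged as Master wins outright.
    masters = [r for r in candidates if r.is_master]
    if masters:
        return masters[0]
    # 2. Deterministic redundancy: configured names, in priority order.
    by_name = {r.name: r for r in candidates}
    for wanted in (primary, secondary, tertiary):
        if wanted and wanted in by_name:
            return by_name[wanted]
    # 3. Dynamic load balancing: most free AP slots.
    return max(candidates, key=lambda r: r.excess_capacity)


def join_target(responses, **configured):
    """Address the Join Request goes to: the chosen controller's first AP Manager IP."""
    chosen = select_controller(responses, **configured)
    return None if chosen is None else (chosen.name, chosen.ap_manager_ips[0])


if __name__ == "__main__":
    # Constructed: two 5508s and a 2504 answered the AP's Discovery Request
    responses = [
        DiscoveryResponse("wlc-a", "5508", 500, 480, False, ("10.1.1.10",)),
        DiscoveryResponse("wlc-b", "5508", 500, 100, False, ("10.1.1.11",)),
        DiscoveryResponse("wlc-c", "2504", 50, 10, False, ("10.1.1.12",)),
    ]
    print("dynamic      :", join_target(responses))
    print("deterministic:", join_target(responses, primary="wlc-a", secondary="wlc-b"))
```

The two branches are the dynamic and deterministic designs discussed under Controller Redundancy later in the deck: with no primary/secondary/tertiary configured the AP lands wherever there is most room, which is what makes the dynamic design unpredictable.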

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 16

    CAPWAP Control Messages for Join Process

    CAPWAP Join Request: the AP sends this message to the selected controller (to the AP Manager interface IP address)

    CAPWAP Join Response: if the controller validates the AP's request, it sends the CAPWAP Join Response, indicating that the AP is now registered with that controller

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 17

    Configuration Phase: Firmware and Configuration Download

    Firmware is downloaded by the AP from the WLC; it is downloaded only if needed, and the AP reboots after the download

    Firmware is digitally signed by Cisco

    Network configuration is downloaded by the AP from the WLC; the configuration is encrypted inside the CAPWAP tunnel, then applied

    Figure: LWAPP-L3 firmware download and configuration download between the Cisco WLAN Controller and the access points

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 18

    Which Software Version Should I Use?

    WLC 5508 supports 6.0 and 7.0; WLC 7500, WiSM-2 and WLC 2504 are only supported in 7.0.116 and up

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 19

    Agenda

    Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Architecture Building Blocks; Deploying the Cisco Unified Wireless Architecture

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 20

    Mobility Defined

    Mobility is a key reason for wireless networks; mobility means the end-user device is capable of moving its location in the networked environment

    Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it is mobile

    Mobility presents new challenges: the architecture must scale to support client roaming (roaming can occur intra-controller and inter-controller), and client roaming must be seamless (fast) and preserve security

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 21

    Scaling the Architecture with Mobility Groups

    A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries

    APs learn the IPs of the other members of the mobility group after the LWAPP Join process

    Support for up to 24 controllers, 3600 APs per mobility group

    Mobility messages are exchanged between controllers

    Data is tunneled between controllers in EtherIP (RFC 3378), an Ethernet-in-IP tunnel; EtherIP itself provides no encryption, so the inter-controller path must be a trusted network

    Figure: three controllers exchanging mobility messages over Ethernet-in-IP tunnels

    Controller-A, MAC AA:AA:AA:AA:AA:01, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)

    Controller-B, MAC AA:AA:AA:AA:AA:02, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)

    Controller-C, MAC AA:AA:AA:AA:AA:03, Mobility Group Name: MyMobilityGroup, Mobility Group Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 22

    Increased Mobility Scalability

    Roaming is supported across three mobility groups (3 * 24 = 72 controllers)

    With Inter Release Controller Mobility (IRCM), roaming is supported between 4.2.207, 6.0.188 and 7.0

    Figure: Mobility Sub-Domain 1, Mobility Sub-Domain 2 and Mobility Sub-Domain 3, each internally connected by Ethernet-in-IP tunnels, with mobility messages exchanged between the sub-domains

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 23

    How Long Does an STA Roam Take?

    Time it takes for: client to disassociate + probe for and select a new AP + 802.11 association + 802.1X/EAP authentication + rekeying + IP address (re)acquisition

    All this can be on the order of seconds. Can we make this faster?

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 24

    Roaming Requirements

    Roaming must be fast. Latency can be introduced by: client channel scanning and AP selection algorithms; re-authentication of the client device and re-keying; refreshing of the IP address

    Roaming must maintain security:

    Open auth, static WEP: the session continues on the new AP

    WPA/WPAv2 Personal: a new session key for encryption is derived via the standard handshakes

    802.1X, 802.11i, WPA/WPAv2 Enterprise: the client must be re-authenticated and a new session key derived for encryption

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 25

    How Are We Going to Make Roaming Faster?

    Eliminating the (re)IP address acquisition challenge

    Eliminating full 802.1X/EAP reauthentication

    Focus on where we can have the biggest impact

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 26

    Inter-Controller Roaming: Layer 3

    Figure, before the roam: WLC-1 (VLAN X) and WLC-2 (VLAN Z) each keep a client database holding client data (MAC, IP, QoS, security); the pre-roaming data path goes through WLC-1; mobility messages are exchanged between the two controllers

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 27

    Client Roaming Between Subnets: Layer 3 (Cont.)

    Figure, after the client roams to a different AP: the client data (MAC, IP, QoS, security) is copied from the WLC-1 client database to the WLC-2 client database by the mobility message exchange; WLC-1 (VLAN X) becomes the anchor controller and WLC-2 (VLAN Z) the foreign controller, and client traffic is carried between them in the anchor-foreign data tunnel so that the pre-roaming data path on VLAN X is preserved

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 28

    Roaming: Inter-Controller, Layer 3

    L3 inter-controller roam: the STA moves its association between APs joined to different controllers, where the client traffic would be bridged onto different subnets

    The client must be re-authenticated and a new security session established

    The client database entry is copied to the new controller, so an entry exists in both WLC client DBs

    The original controller is tagged as the anchor, the new controller as the foreign

    WLCs must be in the same mobility group or domain; no IP address refresh is needed; account for the mobility message exchange in the network design

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 29

    How Are We Going to Make Roaming Faster?

    Eliminating the (re)IP address acquisition challenge

    Eliminating full 802.1X/EAP reauthentication

    Focus on where we can have the biggest impact

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 30

    Fast Secure Roaming: Standard Wi-Fi Secure Roaming

    802.1X authentication in wireless today requires three end-to-end transactions with an overall transaction time of > 500 ms

    802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms on the roam

    Note: a mechanism is needed to centralize key distribution

    Figure: Cisco AAA server (ACS or ISE) across the WAN from AP1 and AP2; 1. 802.1X initial authentication transaction through AP1; 2. 802.1X reauthentication after roaming to AP2

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 31

    Cisco Centralized Key Management (CCKM)

    Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially in application-specific devices (ASDs)

    CCKM was ported to the CUWN architecture in the 3.2 release

    In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range

    To work across WLCs, the WLCs must be in the same mobility group; when a client device roams, the WLC forwards the client's security credentials to the new AP

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 32

    Fast Secure Roaming: WPA2/802.11i Pairwise Master Key (PMK) Caching

    WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients

    From the 802.11i specification: whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later. However, if a client has not roamed to a particular access point during its current working session, it must then authenticate to that specific access point using 802.1X.

    When a STA (re-)associates to an AP, it may attach a list of PMKIDs (derived via the dot1x process with this AP before) in the (re)association request frame

    When a PMKID is present, the AP can use it to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake with the STA

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 33

    OKC/PKC

    A client device can skip the 802.1X authentication with an access point and only needs to perform the 4-way handshake when roaming to access points that are centrally managed by the same WLC

    Key data points: supported in Windows since XP SP2; enabled by default on WLCs with WPAv2; requires WLCs to be in the same mobility group; in highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range
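The PMK cache lookup from the 802.11i text on the previous slide, and the OKC/PKC case on this one, as an added example (not from the deck): `pmkid` derives the PMKID the standard defines, HMAC-SHA1-128 over the label "PMK Name", the AP BSSID and the station MAC, keyed with the PMK; `PMKCache` keeps one PMK per station for every AP the controller manages, which is exactly why a station can present a PMKID for an AP it has never authenticated to and still skip 802.1X when the WLC holds its PMK. MAC addresses and the PMK are constructed values.

```python
"""PMK caching and PMKID lookup on the AP/WLC side of a WPA2 (re)association.

Added example, not from the deck. PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
as IEEE 802.11i defines it, with AA the AP BSSID and SPA the station MAC. The cache
is controller-wide, which is the OKC/PKC behaviour. All keys and MACs are constructed.
"""
import hashlib
import hmac
import os


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def pmkid(pmk, ap_mac, sta_mac):
    """First 128 bits of HMAC-SHA1 over the fixed label, AP MAC and STA MAC, keyed by the PMK."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PMKCache:
    """PMKs indexed by station MAC, shared by every BSSID this controller manages."""

    def __init__(self, ap_macs):
        self.ap_macs = set(ap_macs)
        self.by_sta = {}

    def store_after_dot1x(self, sta_mac, pmk):
        """Called once the full 802.1X/EAP exchange has produced a PMK for this station."""
        self.by_sta[sta_mac] = pmk

    def lookup(self, ap_mac, sta_mac, offered_pmkids):
        """Return the PMK when an offered PMKID matches this STA on this AP, else None.

        A hit means the AP skips 802.1X and goes straight to the 4-way handshake;
        a miss means the STA must authenticate to this AP with 802.1X/EAP.
        """
        if ap_mac not in self.ap_macs:
            return None                         # not one of our APs: no OKC across controllers
        pmk = self.by_sta.get(sta_mac)
        if pmk is None:
            return None                         # station never authenticated to this WLC
        expected = pmkid(pmk, ap_mac, sta_mac)  # OKC: derive the PMKID for the new BSSID
        for offered in offered_pmkids:
            # constant-time compare, since the PMKID is derived from the secret PMK
            if hmac.compare_digest(offered, expected):
                return pmk
        return None


if __name__ == "__main__":
    wlc = PMKCache(["00:1a:2b:00:00:01", "00:1a:2b:00:00:02"])
    sta = "f0:de:f1:aa:bb:cc"
    pmk = os.urandom(32)            # in practice the first 32 bytes of the EAP MSK
    wlc.store_after_dot1x(sta, pmk)  # after full 802.1X through AP 1
    # The station roams to AP 2 and offers the PMKID it computed for that BSSID
    offered = [pmkid(pmk, "00:1a:2b:00:00:02", sta)]
    print("fast roam" if wlc.lookup("00:1a:2b:00:00:02", sta, offered) else "full 802.1X")
```

The H-REAP feature matrix later in the deck lists PMK caching (OKC) as unavailable in standalone mode, which this model makes obvious: the cache lives on the controller, so an AP that has lost its controller has nothing to look the PMKID up in.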

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 34

    How Long Does a Client Really Take to Roam?

    Time to roam = client to disassociate + probe for and select a new AP + 802.11 association + mobility message exchange between WLCs + reauthentication + rekeying + IP address (re)acquisition

    Network latency will have an impact on these times, which is a consideration for controller placement

    With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 35

    How Often Do Clients Roam?

    It depends on the types of clients and applications. Most client devices are designed to be nomadic rather than mobile, though the proliferation of small form factor smart devices will probably change this

    Nomadic clients usually are programmed to try to avoid roaming, so set your expectations accordingly

    Design rule of thumb: 10-20 roams per second for every 5000 clients

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 36

    Designing a Mobility Group/Domain: Design Considerations

    Less roaming is better; clients and apps are happier

    While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor

    L3 roaming and fast roaming clients consume client DB slots on multiple controllers, so consider worst-case scenarios when sizing the roaming domain

    Leverage natural roaming domain boundaries

    Make sure the right ports and protocols are allowed between controllers (the mobility messages and the EtherIP data tunnel)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 37

    Agenda

    Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Architecture Building Blocks; Deploying the Cisco Unified Wireless Architecture

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 38

    TrustSec 2.0 and Identity Services Engine

    Figure: centralized policy with distributed enforcement. The functions AAA services, posture assessment, guest access services, device profiling, monitoring, troubleshooting and reporting, previously spread across ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server, are consolidated in the Identity Services Engine

    *Current NAC and ACS hardware platform is software upgradable to ISE

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 39

    ISE Integrated Device Profiling

    Visibility for wired and wireless devices; simplified device category policy (figure: iPad template, custom template); new device templates via subscription feeds

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 40

    ISE Integrated Device Profiling

    Users using the same SSID can be associated to different wired VLAN interfaces after EAP authentication

    An employee using a corporate laptop with their AD user ID can be assigned to VLAN 30 to have full access to the network (corporate resources)

    An employee using a personal iPad/iPhone with the same AD user ID can be assigned to VLAN 40 to have Internet access only

    Figure: both employees associate to the same SSID; the APs reach the WLC over CAPWAP, and the WLC connects to the wired network over an 802.1Q trunk carrying VLAN 30 and VLAN 40. 1. EAP authentication (laptop); 2. ISE answers Accept with VLAN 30; 3. EAP authentication (iPad); 4. ISE answers Accept with VLAN 40

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 41

    ISE Integrated Device Profiling

    Example: VLAN 30 (corporate access), VLAN 40 (Internet access)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 42

    ISE Integrated Device Profiling

    ISE setup: authorization profiles for the laptop (assign VLAN 30) and the iPad (assign VLAN 40); an authorization profile can redirect, assign a VLAN, override the ACL and issue a CoA

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 43

    ISE Integrated Device Profiling

    WLC CoA setup: a pre-auth ACL allows ALL client traffic to ISE (permit any to the ISE IP address); the WLAN has Dot1X, AAA Override and RADIUS NAC enabled
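What AAA Override actually consumes in the Accept messages of steps 2 and 4 above, as an added example (not from the deck): ISE returns the VLAN in the RFC 2868 tunnel attributes, Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) carrying "30" or "40", each optionally prefixed with a tag octet that groups the three. The attribute bytes are constructed; the RADIUS header, authenticator and shared-secret check are not modelled, and the parser accepts only numeric VLAN IDs (ISE can also return an interface name, which the WLC maps itself).

```python
"""AAA override: extracting the VLAN from a RADIUS Access-Accept's tunnel attributes.

Added example, not from the deck. Models only the attribute TLVs (constructed here),
not the RADIUS header or authenticator. Tagged tunnel attributes follow RFC 2868.
"""
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
TUNNEL_ATTRS = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)


def parse_attributes(raw):
    """RADIUS attributes are TLVs: 1-octet type, 1-octet total length (>= 2), value."""
    attrs, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs


def split_tag(value):
    """Tunnel attributes: a leading octet <= 0x1F is a tag, anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(raw):
    """VLAN ID the WLC should place the client in, or None if no complete, sane triple."""
    per_tag = {}
    for atype, value in parse_attributes(raw):
        if atype not in TUNNEL_ATTRS:
            continue                                  # User-Name, Class, Filter-Id, ...
        tag, body = split_tag(value)
        entry = per_tag.setdefault(tag, {})
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            entry["group"] = body.decode("ascii", errors="replace")
        else:
            entry[atype] = int.from_bytes(body[-3:], "big")   # tagged integer keeps 3 value octets
    for entry in per_tag.values():
        group = entry.get("group", "")
        if (entry.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and group.isdigit() and 1 <= int(group) <= 4094):
            return int(group)
    return None                                       # WLC falls back to the WLAN's interface


def tagged_int(atype, tag, value):
    return bytes([atype, 6, tag]) + value.to_bytes(3, "big")


def build_vlan_attributes(vlan, tag=1):
    """Encode the triple the way an Access-Accept carries it (same tag on all three)."""
    group = bytes([tag]) + str(vlan).encode("ascii")
    return (tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + bytes([ATTR_TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


if __name__ == "__main__":
    # Constructed: the two Accepts from the slide, laptop -> VLAN 30, iPad -> VLAN 40,
    # each preceded by a User-Name attribute (type 1) as a real Accept would carry.
    for who, vlan in (("laptop", 30), ("ipad", 40)):
        accept = bytes([1, 2 + len(who)]) + who.encode() + build_vlan_attributes(vlan)
        print(who, "->", vlan_from_accept(accept))
```

The WLC only honours these attributes when AAA Override is enabled on the WLAN, which is the setting on this slide; the security dependency is that the VLAN now comes from whatever RADIUS server the controller trusts with its shared secret, so a compromised or spoofable AAA server decides which VLAN a client lands in.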

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 44

    ISE Integrated Device Profiling

    Profiling probes: RADIUS probe (information about authentication, authorization and accounting requests from the network access device); DHCP (helper or SPAN); HTTP user agent (SPAN)

    Customizable profiles

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 45

    Agenda

    Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Architecture Building Blocks; Deploying the Cisco Unified Wireless Architecture

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 46

    Deploying the Cisco Unified Wireless Architecture

    Controller Redundancy and AP Load Balancing; Understanding AP Groups; IPv6 Deployment with Controllers; Branch Office Designs; Guest Access Deployment; Home Office Design


  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 48

    Controller Redundancy: Dynamic

    Rely on CAPWAP to load-balance APs across controllers and populate APs with backup controllers

    Results in a dynamic salt-and-pepper design; the design works better when controllers are clustered in a centralized design

    Pros: easy to deploy and configure, less upfront work; APs dynamically load-balance (though never perfectly)

    Cons: more inter-controller roaming; bigger operational challenges due to unpredictability; longer failover times; no fallback option in the event of controller failure

    Cisco's general recommendation: use dynamic redundancy only for Layer 2 roaming, and use deterministic redundancy instead of dynamic redundancy

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 49

    Controller RedundancyDeterministic

    Administrator statically assigns APs a primary, secondary, and/or tertiary controller

    Assigned from controller interface (per AP) or WCS (template-based)

    ProsPredictabilityeasier operational managementMore network stabilityMore flexible and powerful redundancy design optionsFaster failover timesFallback option in the case of failover

    ConMore upfront planning and configuration

    This is Ciscos recommended best practice

    WLAN-Controller-A WLAN-Controller-B WLAN-Controller-C

    Primary: WLAN-Controller-ASecondary: WLAN-Controller-BTertiary: WLAN-Controller-C

    Primary: WLAN-Controller-BSecondary: WLAN-Controller-CTertiary: WLAN-Controller-A

    Primary: WLAN-Controller-CSecondary: WLAN-Controller-ATertiary: WLAN-Controller-B

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 50

    SiSi SiSi

    High Availability Using Cisco 5508

    SiSi SiSi

    PrimaryWLC5508

    SecondaryWLC5508

    APs are connected to primary WLC 5508

    In case of hardware failure of WLC 5508

    APs fall back to secondary WLC 5508

    Traffic flows through the secondary WLC 5508 and primary core switch

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 51

    High Availability Using WiSM:Uplink Failure on Primary Switch

    SiSi SiSi

    S N

    PrimaryWiSM

    ActiveHSRP Switch

    StandbyHSRP Switch

    New ActiveHSRP Switch

    In case of uplink failure of the primary switch

    Standby switch becomes the active HSRP switch

    APs are still connected to primary WiSM

    Traffic flows thru the new HSRP active switch

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 52

    High Availability Using WiSM-2

    SiSi SiSi

    PrimaryWiSM

    SecondaryWiSM

    APs are connected to primary WiSM

    In case of hardware failure of primary WiSM

    APs fall back to secondary WiSM

    Traffic flows thru the secondary WiSM and primary core switch

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 53

    VSS and Cisco 5508

    Cisco 5508 WLC can be attached to a Cisco Catalyst VSS switch

    4 ports of Cisco 5508 are connected to active VSS switch

    2nd set of 4 ports of Cisco 5508 is connected to standby VSS switch

    In case of failure of primary switch traffic continues to flow through secondary switch in the VSS pair

    Catalyst VSS Pair

    Cisco 5508

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 54

    Switch-1(VSS Active)

    Switch-2(VSS Standby)

    Data Plane Active

    Control Plane Active

    FWSM Active

    WiSM-2 Active

    Data Plane Active

    Control Plane Standby

    WiSM-2 Standby

    VSL

    Failover/State Sync VLAN

    Virtual Switch System (VSS)

    VSS and WiSM-2

    FWSM Standby

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 55

    Controller RedundancyHigh Availability

    AP is registered with a WLC and maintain a backup list of WLC

    AP use heartbeats to validate WLC connectivity

    AP use Primary Discovery message to validate backup WLC list

    When AP lose three heartbeats it start join process to first backup WLC candidate

    Candidate Backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary

    AP do not re-initiate discovery process

    High Availability Principles Primary WLC

    Secondary WLC

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 56

    Controller RedundancyHigh Availability with 7.0

    To Accommodate Both Local and Remote Settings, There Are Configurable Options Provided, so that Administrator Can Fine Tune the Settings Based on the Requirements

    New Timers Old Timers-5508 Old Timers-Non-5508Heartbeat: 1-30 Seconds 10-30 Seconds 1-30 SecondsFast Heartbeat Timeout: 1-10 Seconds 3-10 Seconds 1-10 SecondsAP Retransmit Interval: 2-5 Seconds 3 Seconds 3 SecondsAP Retrans with FH Enabled: 3-8 Times 3 Times 3 TimesAP Retrans with FH Disabled: 3-8 Times 5 Times 5 TimesAP Fallback to next WLC 12 Seconds 35 Seconds 35 Seconds

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 57

    AP Pre-Image Download in 7.0

    Since most CAPWAP APs can download and keep more than one image of 45 MB each

    AP pre-image download allows AP to download code while it is operational

    Pre-Image download operation1. Upgrade the image on the controller

    2. Dont reboot the controller

    3. Issue AP pre-image download command

    4. Once all AP images are downloaded

    5. Reboot the controller

    6. AP now rejoins the controller without reboot How Much Time You Save?

    Access Points

    Cisco WLAN Controller

    C

    A

    P

    W

    A

    P

    -

    L

    3

    A

    P

    P

    r

    e

    -

    i

    m

    a

    g

    e

    D

    o

    w

    n

    l

    o

    a

    d

    A

    P

    J

    o

    i

    n

    s

    W

    i

    t

    h

    o

    u

    t

    D

    o

    w

    n

    l

    o

    a

    d

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 58

    Upgrade the image on the controller and dont reboot

    Currently we have two images on the controller(Cisco Controller) >show bootPrimary Boot Image............................... 7.0.116.0 (default) (active)Backup Boot Image................................ 7.0.98.0

    Configure AP Pre-Image Download

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 59

    Configure AP Pre-Image DownloadWireless > AP > Global Configuration

    Perform Primary Image Predownloaded on the AP

    AP Now Starts Predownloading

    AP Now Swaps Image After Reboot of the Controller

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 60

    Deploying the Cisco Unified Wireless Architecture

    Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs Guest Access Deployment Home Office Design

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 61

    AP-GroupsDefault AP-Group

    The first 16 WLANs created (WLAN IDs 116) on the WLC are included in the default AP-Group

    Default AP-Group cannot be modified APs with no assignment to an specific AP-Group will use the

    Default AP-Group The 17th and higher WLAN (WLAN IDs 17 and up) can be

    assigned to any AP-Groups Any given WLAN can be mapped to different dynamic

    interfaces in different AP-Groups WLC 2106 (AP groups: 50), WLC 2504 (AP groups:50)

    WLC 4400 and WiSM (AP groups: 300),WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 (AP Groups : 500)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 62

    Network Name

    Default AP Group

    Only WLANs 116 Will Be Added in Default AP Group

    Default AP-Group

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 63

    AP Group 1

    AP Group 2

    AP Group 3

    Multiple AP-Groups

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 64

    Interface-Groups7.0

    Interface-groups allows for a WLAN to be mapped to a single interface ormultiple interfaces

    Clients associating to this WLAN get an IP address from a pool of subnets identified by the interfaces in round robin fashion

    Extends current AP group and AAA override, with multiple interfaces using interface groups

    Controllers Interface-Groups/InterfacesWiSM-2, 5508, 7500, 2500 64/64

    WiSM, 4400 32/32

    2100 and 2504 4/4

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKEWN-2010 65

    Deploying the Cisco Unified Wireless Architecture

    Controller Redundancy and AP Load Balancing Understanding AP Groups IPv6 Deployment with Controllers Branch Office Designs Guest Access Deployment Home Office Design

  • Slide 66

    IPv6 over IPv4 Tunneling

    Prior to the WLC 6.0 release, only IPv6 pass-thru is supported, and no L2 security can be enabled on an IPv6 WLAN.

    With the WLC 6.0 release, IPv6 pass-thru with Layer 2 security is supported. To use IPv6 bridging, Ethernet Multicast Mode (EMM) must be enabled on the controller.

    IPv6 packets are tunneled over the CAPWAP IPv4 tunnel. The same WLAN can support both IPv4 and IPv6 clients. IPv6 pass-thru and IPv4 Webauth are also supported on the same WLAN. IPv6 is not supported with guest mobility anchor tunneling.

    Client IPv6 Traffic Tunneled over IPv4 and Bridged to Ethernet:

    Over the air (client to AP):        802.11 | IPv6
    CAPWAP tunnel (AP to WLC):          Ethernet II | IPv4 | CAPWAP | 802.11 | IPv6
    Bridged by the WLC onto the wire:   Ethernet II | IPv6
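    The encapsulation stack on this slide, modelled as an added example that is not part of the deck or of Cisco's code. It builds a constructed AP-to-WLC packet (Ethernet II | IPv4 | UDP/5247 | CAPWAP | 802.11 | LLC/SNAP | IPv6), shows what an IPv4-only ACL on the wired AP-to-WLC path can see (outer headers only), and then performs the decapsulation and 802.11-to-Ethernet II translation the controller does before bridging the client's IPv6 frame. The CAPWAP header layout follows RFC 5415; all MAC and IP addresses are made-up sample values, and the data channel is assumed to be unencrypted (no DTLS), which is the common default.

```python
import struct
import ipaddress

# Protocol constants (RFC 5415 CAPWAP, IEEE 802.11, IEEE 802.2 LLC/SNAP).
CAPWAP_DATA_PORT = 5247                     # CAPWAP data channel, AP -> WLC
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
IPPROTO_UDP = 17
LLC_SNAP = bytes.fromhex("aaaa03000000")    # DSAP/SSAP/CTL + OUI 00-00-00, EtherType follows

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def capwap_header(native_80211: bool = True, wbid: int = 1) -> bytes:
    """8-byte CAPWAP header: preamble version 0/type 0 (no DTLS), HLEN=2 words, RID=0,
    WBID=1 (IEEE 802.11), T bit set for a native 802.11 payload, no fragmentation."""
    word = (2 << 19) | (0 << 14) | (wbid << 9) | (int(native_80211) << 8)
    return b"\x00" + word.to_bytes(3, "big") + struct.pack("!HH", 0, 0)

def build_sample_packet() -> bytes:
    """Constructed AP->WLC packet carrying a client's IPv6 datagram (all addresses made up)."""
    client_mac, bssid = bytes.fromhex("02005e000010"), bytes.fromhex("020000aabb01")
    gateway_mac = bytes.fromhex("020000000001")          # wired gateway the client talks to
    ap_mac, wlc_mac = bytes.fromhex("02000000aa10"), bytes.fromhex("02000000aa01")
    ap_ip, wlc_ip = ipaddress.IPv4Address("10.0.0.10"), ipaddress.IPv4Address("10.0.0.1")
    v6_src, v6_dst = ipaddress.IPv6Address("2001:db8:1::10"), ipaddress.IPv6Address("2001:db8:1::1")
    payload = b"sample-udp-payload"
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), IPPROTO_UDP, 64,
                       v6_src.packed, v6_dst.packed) + payload
    # 802.11 data frame, To-DS=1 / From-DS=0: Addr1=BSSID, Addr2=SA (client), Addr3=DA (gateway).
    dot11 = (bytes([0x08, 0x01]) + b"\x00\x00" + bssid + client_mac + gateway_mac + b"\x00\x00"
             + LLC_SNAP + struct.pack("!H", ETHERTYPE_IPV6) + ipv6)
    capwap = capwap_header() + dot11
    udp = struct.pack("!HHHH", 5247, CAPWAP_DATA_PORT, 8 + len(capwap), 0) + capwap
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                      IPPROTO_UDP, 0, ap_ip.packed, wlc_ip.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return wlc_mac + ap_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + udp

def outer_view(pkt: bytes) -> dict:
    """What an IPv4-only ACL on the AP-to-WLC path sees: the outer headers, never the client IPv6."""
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    ihl, proto = (pkt[14] & 0x0F) * 4, pkt[14 + 9]
    src, dst = str(ipaddress.IPv4Address(pkt[26:30])), str(ipaddress.IPv4Address(pkt[30:34]))
    dport = struct.unpack("!H", pkt[14 + ihl + 2:14 + ihl + 4])[0] if proto == IPPROTO_UDP else None
    return {"ethertype": ethertype, "src": src, "dst": dst, "proto": proto, "dport": dport,
            "checksum_ok": ipv4_checksum(pkt[14:14 + ihl]) == 0}

def bridge_to_ethernet(pkt: bytes) -> bytes:
    """Model of the WLC: strip IPv4/UDP/CAPWAP, translate 802.11 to Ethernet II, return the frame it bridges."""
    view = outer_view(pkt)
    if (view["ethertype"], view["proto"], view["dport"]) != (ETHERTYPE_IPV4, IPPROTO_UDP, CAPWAP_DATA_PORT):
        raise ValueError("not a CAPWAP data packet")
    cw = pkt[14 + (pkt[14] & 0x0F) * 4 + 8:]
    if (cw[0] >> 4) != 0 or (cw[0] & 0x0F) == 1:
        raise ValueError("unsupported CAPWAP version, or DTLS-protected data channel (needs session keys)")
    word = int.from_bytes(cw[1:4], "big")
    hlen, t_bit, f_bit = (word >> 19) & 0x1F, (word >> 8) & 1, (word >> 7) & 1
    if f_bit:
        raise ValueError("fragmented CAPWAP payload; reassemble first")
    body = cw[hlen * 4:]
    if not t_bit:
        return body                                     # payload is already an 802.3 frame
    fc1 = body[1]
    if ((body[0] >> 2) & 0x3) != 2:
        raise ValueError("not an 802.11 data frame")
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    a1, a2, a3 = body[4:10], body[10:16], body[16:22]
    if to_ds and not from_ds:
        sa, da = a2, a3                                 # client -> DS
    elif from_ds and not to_ds:
        sa, da = a3, a1                                 # DS -> client
    else:
        raise ValueError("unexpected DS bits")
    llc = body[24:]
    if llc[:6] != LLC_SNAP:
        raise ValueError("non-SNAP payload")
    return da + sa + llc[6:8] + llc[8:]                 # Ethernet II: DA | SA | EtherType | IPv6

def inner_ipv6(frame: bytes):
    """(src, dst) of the IPv6 header in a bridged Ethernet II frame, or None if it is not IPv6."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:]
    return (str(ipaddress.IPv6Address(ip6[8:24])), str(ipaddress.IPv6Address(ip6[24:40])))
```

    The practical point for a defender is in the two views: on the wired segment between AP and WLC the packet is just IPv4/UDP between two controller-side addresses, so IPv6 policy (RA guard, DHCPv6 filtering, ACLs) has to be enforced where the controller bridges the frame onto the VLAN, not on the AP uplink.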

  • Slide 67

    IPv6 Configuration on WLC 6.X

    Enable IPv6 on the WLAN and multicast on the WLC.

  • Slide 68

    Deploying the Cisco Unified Wireless Architecture

    Controller Redundancy and AP Load Balancing; Understanding AP Groups; IPv6 Deployment with Controllers; Branch Office Designs (HREAP/FlexConnect):
      Understanding HREAP (Hybrid REAP) AP Deployment
      Understanding Branch Controller Deployment
    Guest Access Deployment; Home Office Design

  • Slide 69

    Branch Office Deployment: HREAP/FlexConnect

    Hybrid architecture: a single management and control point, with centralized traffic (split MAC) or local traffic (local MAC). HA will preserve local traffic only.

    (Figure: central site and remote office connected across the WAN; centralized traffic crosses the WAN to the controller, local traffic stays within the remote office.)

  • Slide 70

    H-REAP Design Considerations

    Some WAN limitations apply: RTT must be below 300 ms for data (100 ms for voice); minimum 500-byte WAN MTU (with a maximum of four fragmented packets).

    Some features are not available in standalone mode or in local switching mode: ACLs in local switching, MAC/Web Auth in standalone mode, PMK caching (OKC). See the full list in the H-REAP Feature Matrix: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml

  • Slide 71

    Understanding H-REAP Groups

    WLC supports up to 20 H-REAP groups. Each H-REAP group supports up to 25 H-REAP APs.

    H-REAP groups allow sharing of: CCKM fast roaming keys; local user authentication; local EAP authentication.

    (Figure: central site connected across the WAN to two remote sites, H-REAP Group 1 and H-REAP Group 2.)

  • Slide 72

    FlexConnect Improvements in New 7.0.116

    WAN Survivability: the FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails.

    Local Authentication: allows the authentication capability to exist directly at the FlexConnect AP instead of on the WLC.

    Improved Scale: group scale, max HREAP groups increased to 500 (7500s) and 100 (5500s); APs per group, 50 (7500s) and 25 (5500s).

    Fast Roaming in Remote Branches: Opportunistic Key Caching (OKC) between APs in a branch.
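    The key sharing described on slides 71 and 72 (fast-roaming keys shared within a group, OKC between the APs of a branch), as an added model that is not from the deck or from Cisco's implementation. It uses the IEEE 802.11 PMKID derivation (first 128 bits of HMAC-SHA1 over "PMK Name" || AP address || client address) and assumes one PMK cache scoped to the APs of a single H-REAP/FlexConnect group; an AP outside that group cannot validate the client's PMKID and must fall back to a full 802.1X/EAP exchange. The MAC addresses and the PMK are constructed sample values.

```python
import hmac
import hashlib
import os

def pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """IEEE 802.11 PMKID: Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA))."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1).digest()[:16]

class BranchKeyCache:
    """Model of the PMK cache shared by the APs of one H-REAP/FlexConnect group (assumption:
    the cache is visible only to the group's APs; other groups never see these keys)."""
    def __init__(self, group_aps):
        self.group_aps = set(group_aps)
        self._pmks = {}            # client_mac -> PMK learned from the initial EAP exchange

    def store(self, client_mac: bytes, pmk: bytes) -> None:
        self._pmks[client_mac] = pmk

    def lookup(self, ap_mac: bytes, client_mac: bytes):
        if ap_mac not in self.group_aps:
            return None            # AP is outside the group: no shared key material
        return self._pmks.get(client_mac)

def client_reassoc_pmkid(client_pmk: bytes, target_ap: bytes, client_mac: bytes) -> bytes:
    """The roaming client derives the PMKID for the target BSSID and carries it in its
    (Re)Association Request RSN IE."""
    return pmkid(client_pmk, target_ap, client_mac)

def ap_accepts_okc(cache: BranchKeyCache, ap_mac: bytes, client_mac: bytes, offered: bytes) -> str:
    """'fast-roam' if the AP finds a cached PMK whose PMKID matches the client's offer
    (4-way handshake only), otherwise 'full-eap' (client must authenticate again)."""
    pmk = cache.lookup(ap_mac, client_mac)
    if pmk is None:
        return "full-eap"
    expected = pmkid(pmk, ap_mac, client_mac)
    return "fast-roam" if hmac.compare_digest(expected, offered) else "full-eap"

def simulate_branch_roam() -> dict:
    """Constructed walk-through: client authenticates via AP1, then roams to AP2 (same group),
    to AP9 (another group), and finally presents a PMKID from a stale PMK."""
    ap1, ap2, ap9 = (bytes.fromhex("020000aabb01"), bytes.fromhex("020000aabb02"),
                     bytes.fromhex("020000aabb09"))
    client = bytes.fromhex("02005e000010")
    pmk = os.urandom(32)           # in reality delivered by the EAP method via RADIUS
    branch = BranchKeyCache([ap1, ap2])
    branch.store(client, pmk)      # learned on the first association through AP1
    return {
        "same_group": ap_accepts_okc(branch, ap2, client, client_reassoc_pmkid(pmk, ap2, client)),
        "other_group": ap_accepts_okc(branch, ap9, client, client_reassoc_pmkid(pmk, ap9, client)),
        "stale_pmk": ap_accepts_okc(branch, ap2, client,
                                    client_reassoc_pmkid(os.urandom(32), ap2, client)),
    }
```

    The group boundary is the security boundary for this key material: a roam only skips EAP where the cached PMK is actually present, which is also why the slide's group-size limits bound how far a single authentication can be reused inside a branch.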

  • Slide 73

    Deploying the Cisco Unified Wireless Architecture

    Controller Redundancy and AP Load Balancing; Understanding AP Groups; IPv6 Deployment with Controllers; Branch Office Designs:
      Understanding HREAP/FlexConnect Deployment
      Understanding Branch Controller Deployment
    Guest Access Deployment; Home Office Design

  • Slide 74

    Branch Office WLAN Controller Options

    Appliance controllers: Cisco 2504-12; Cisco 5508-12, 5508-25
    Integrated controller: WLAN controller module (WLCM-2) for ISR G2

    (Figure: headquarters with WCS and E-Mail servers connected to a branch office and a small office over Internet VPN, MPLS/ATM or Frame Relay. Sizing ranges shown: 100–500 users with 5–25 APs, and 20–100 users with 1–5 APs.)

  • Slide 75

    Branch Office WLAN Controller Options

    Cisco Unified Wireless Network with controller-based:
    Multiple integrated WAN options on ISR
    Consistent branch-HQ services, features, and performance
    Standardized branch configuration extends the unified wired and wireless network
    Branch configuration management from central WCS

    (Figure: headquarters with WCS and E-Mail servers connected to a branch office and a small office over Internet VPN, MPLS/ATM or Frame Relay, with a Cisco 2504 *** and a WLCM-2 *** at the remote sites.)

    *** AP count varies depending on channel utilization and data rates.

  • Slide 76

    Deploying the Cisco Unified Wireless Architecture

    Controller Redundancy and AP Load Balancing; Understanding AP Groups; IPv6 Deployment with Controllers; Branch Office Designs; Guest Access Deployment; Home Office Design

  • Slide 77

    Guest Access Deployment

    Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between remote and anchor controllers.
    Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN.
    No need to define the guest VLANs on the switches connected to the remote controllers.
    The original guest's Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels.
    Redundant EoIP tunnels to the Anchor WLC.
    2504 series and WLCM-2 models cannot terminate EoIP connections (no anchor role).

    (Figure: WLAN Controller Deployments with EoIP Tunnel. A guest client connects over CAPWAP to the remote Wireless LAN Controller; the EoIP Guest Tunnel carries the guest traffic through the Cisco ASA Firewall to the DMZ or Anchor Wireless Controller, which connects to the Internet.)
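    The guest tunnel path on this slide, as an added example that is not part of the deck or of Cisco's code. The foreign (remote) controller wraps the guest's original, untagged Ethernet frame in an EoIP packet (IP protocol 97; the framing is assumed to follow the EtherIP format of RFC 3378, a 2-byte version header in front of the frame), the anchor controller in the DMZ unwraps it, and a small predicate models the policy the ASA between them needs: only the EoIP data tunnel and the UDP/16666 mobility control channel between the two controller addresses, which are the flows Cisco's guest-anchor guidance lists. All addresses, MACs and the guest payload are constructed sample values, and the IPv4 header checksum is left zero for brevity.

```python
import struct
import ipaddress

ETHERIP_PROTO = 97                  # IP protocol number of the EoIP (EtherIP) data tunnel
MOBILITY_CONTROL_PORT = 16666       # UDP port of the controller-to-controller mobility messages
ETHERIP_HEADER = bytes([0x30, 0x00])  # RFC 3378: version 3 in the top nibble, 12 reserved bits zero
ETHERTYPE_8021Q, ETHERTYPE_IPV4, IPPROTO_UDP = 0x8100, 0x0800, 17

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero (constructed sample only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def eoip_encapsulate(foreign_ip: str, anchor_ip: str, guest_frame: bytes) -> bytes:
    """Foreign WLC side: carry the guest's Ethernet frame unchanged inside IP protocol 97."""
    return ipv4_packet(foreign_ip, anchor_ip, ETHERIP_PROTO, ETHERIP_HEADER + guest_frame)

def eoip_decapsulate(pkt: bytes) -> bytes:
    """Anchor WLC side: validate the outer header and hand back the original Ethernet frame."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ETHERIP_PROTO:
        raise ValueError("not an EoIP packet")
    body = pkt[ihl:]
    if (body[0] >> 4) != 3 or (body[0] & 0x0F) or body[1]:
        raise ValueError("bad EtherIP version or reserved bits")
    return body[2:]

def vlan_tag(frame: bytes):
    """802.1Q VLAN ID carried in the frame, or None when untagged: the guest VLAN is applied on
    the anchor side, so switches at the remote site never need to carry it."""
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def mobility_control_packet(src: str, dst: str) -> bytes:
    """Constructed mobility control message (UDP/16666) between two controllers."""
    return ipv4_packet(src, dst, IPPROTO_UDP,
                       struct.pack("!HHHH", MOBILITY_CONTROL_PORT, MOBILITY_CONTROL_PORT, 12, 0) + b"ctrl")

def dmz_firewall_permits(pkt: bytes, foreign_ip: str, anchor_ip: str) -> bool:
    """Policy model for the ASA between the remote WLC and the DMZ anchor: permit only the
    EoIP tunnel and the mobility control channel, and only between the two controllers."""
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if {src, dst} != {foreign_ip, anchor_ip}:
        return False
    proto = pkt[9]
    if proto == ETHERIP_PROTO:
        return True
    if proto == IPPROTO_UDP:
        ihl = (pkt[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return MOBILITY_CONTROL_PORT in (sport, dport)
    return False

def build_guest_frame() -> bytes:
    """Constructed guest frame: untagged Ethernet II with an IPv4/UDP datagram from a guest
    address (documentation prefix 192.0.2.0/24) towards an Internet host."""
    guest_mac, gw_mac = bytes.fromhex("02005e000020"), bytes.fromhex("020000000002")
    inner = ipv4_packet("192.0.2.50", "198.51.100.10", IPPROTO_UDP,
                        struct.pack("!HHHH", 40000, 53, 17, 0) + b"dns-query")
    return gw_mac + guest_mac + struct.pack("!H", ETHERTYPE_IPV4) + inner
```

    Because the anchor re-emits the very frame the client sent, the guest's own addressing and VLAN membership are decided entirely in the DMZ; the remote site's firewall only ever needs to know the two controller addresses and the two tunnel protocols.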

  • Slide 78

    Summary: Key Takeaways

    Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, ...)
    Wide range of architecture / design choices
    Brand new controller (WiSM-2, WLC 7500, WLC 2504) portfolio with investment protection
    Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
    Cisco's investment into technology: NCS, ISE, new hardware, cloud controller, Cius

  • Slide 79

    Documentation

    Wireless Services Module 2 (WiSM2) Deployment Guide: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080b7c904.shtml
    Flex7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
    Wireless LAN (WLAN) Configuration Examples and TechNotes: http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
    H-REAP Deployment Guide: http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
    VLAN Select Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml

  • Slide 80

    Thank you.