Wireless Update Partner SE VT - Talk 2 Cisco
© 2010 Cisco Systems, Inc. All rights reserved. 1
Wireless Update
Partner SE VT
Wireless LAN Design
- H-REAP, OEAP
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Partners in Confidence 2
Agenda
Centralized WLAN Design
H-REAP
OEAP
SBA Design Guides
Q&A
Understanding WLAN Controllers—1st/2nd Generation vs. 3rd Generation Approach
1st/2nd generation—APs act as 802.1Q translational bridge, putting client traffic on local VLANs
3rd generation—Controller bridges client traffic centrally
[Diagram: 1st/2nd generation vs. 3rd generation; Data, Voice and Management VLANs on each side, with an LWAPP/CAPWAP tunnel in the 3rd-generation design]
CAPWAP Modes: Split MAC
The CAPWAP protocol supports two modes of operation:
Split MAC (Centralized mode) and
Local MAC (H-REAP)
Split MAC:
[Diagram: STA, WTP and AC; wireless PHY, MAC sublayer, CAPWAP data plane; wireless frame and 802.3 frame]
CAPWAP Modes: Local MAC
Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames
Locally bridged:
[Diagram: STA, WTP and AC; wireless PHY, MAC sublayer; wireless frame and 802.3 frame]
Single Building – Distribution/Core
WLC in distribution/core
Most of the time : L2 Roaming
[Diagram: WLCs attached to the distribution/core switches; L2; CAPWAP]
Campus – Centralized WLC Overview
Centralized WLC
Concept of Wireless Building Block
No Wireless VLANs everywhere
Better performance with L2 Mobility
Recommended design L3
[Diagram: wireless building block with WLCs (L2); Building 1 and Building 2 (L3), Core and Data Center; CAPWAP]
Campus – Distributed WLC Overview
Distributed WLC or WiSM
Each building has its own WLC
Each building can have its own Mobility group
Wireless insertion at distribution layer
Several distributed Wireless VLANs across the Campus
[Diagram: WLCs in each building's distribution layer; L3 links to Core and Data Center]
Understanding H-REAP
Hybrid Architecture
Single Management & Control point
Centralized Traffic (Split MAC)
Or
Local Traffic (Local MAC)
HA will preserve local traffic only
[Diagram: Central Site and Remote Office across the WAN; centralized traffic and local traffic]
Branch Office Deployment—Hybrid REAP
Design Considerations:
Supported on 1130, 1140, 1240, 1250, 1260, 3500i/e AP platforms
Allows bridging/tagging of traffic locally (local switching) by WLAN
Allows simultaneous tunneling of traffic to WLC (central switching) by WLAN
“Connected Mode”—LWAPP control centralized
“Standalone Mode” (WAN outage)
Locally switched WLANs stay up
Some lost functionality
Supported maximum latency: up to 300 msec between APs and WLC / up to 100 msec for data+voice / up to 2 sec for local switching (with limitations)
H-REAP APs should be connected to trunk ports—allow only the relevant, locally switched VLANs
No optimization for:
Fast, secure roaming (CCKM, PKC)
Voice (no CAC or TSPEC support in standalone mode)
H-REAP Local MAC: Per SSID Local MAC
Enabling “Local Switching” mode per SSID:
H-REAP Local MAC: Per AP SSID to VLAN Mapping
Mapping of SSID to 802.1Q VLAN is done per H-REAP AP
Understanding H-REAP Groups
WLC supports up to 20 H-REAP Groups
Each H-REAP Group supports up to 25 H-REAP APs
H-REAP Groups allow sharing of:
CCKM Fast Roaming keys
Local User authentication
Local EAP authentication
[Diagram: Central Site connected over the WAN to two Remote Sites, H-REAP Group 1 and H-REAP Group 2]
H-REAP Groups and CCKM Keys
CCKM keys are stored on HREAP APs for layer-2 fast roaming
The HREAP APs will receive the CCKM keys from the WLC
If an HREAP AP boots up in STANDALONE mode, it will not get the CCKM keys from the WLC and fast roaming is not supported
[Diagram: Central Site with Radius Server, WAN, Remote Sites in H-REAP Group 1 and H-REAP Group 2, CCKM Keys]
H-REAP Groups and Local EAP
In case of WAN failure (Standalone mode), HREAP APs can act as a Local EAP server
An HREAP Group can store 100 usernames and act as a local EAP server
LEAP and EAP-FAST are the only supported EAP types in standalone mode
[Diagram: Central Site with Radius Server, WAN, Remote Sites in H-REAP Group 1 and H-REAP Group 2, Local EAP Server]
H-REAP Groups and Local Radius Server
In case of WAN failure (Standalone mode), HREAP APs can authenticate against a Local Radius Server
Only session-timeout radius attribute (attribute 27) is supported in the standalone mode
Radius accounting is not supported in standalone mode
[Diagram: Central Site with Radius Server, WAN, Remote Sites in H-REAP Group 1 and H-REAP Group 2, Radius Server at the remote site]
Case Study – HREAP Retail Design
Requirements for the Store Design
Up to 5 APs per site
L2 connectivity between the APs
Access local services in the store (servers, printers, etc)
WLAN Services :
SSID for Stores :
• Security type = WPA-PSK
• Will be the same SSID for all the stores, but different keys per store
• Local Switching
SSID for Employees :
• Security type = WPA/TKIP or WPA/AES
• Central RADIUS authentication
• Central Switching
WAN link :
– Bandwidth : 512 kbps
– RTT : 100 msec
– MTU : 1400 bytes
[Diagram: Datacenter (CT-5508 cluster, RADIUS) connected over the WAN to Store-1 … Store-N; each store has an H-REAP AP, a Local Resource, Scanners on SSID-Store-x (WPA-PSK) and LapTops on SSID-Employee (WPA2)]
WLAN 17 : Store-1
•SSID=Store-1
•WPA-PSK=123
…
WLAN 17+N : Store-N
•SSID=Store-N
•WPA-PSK=321
WLAN 1 : Data
•SSID=Employee
•WPA/Radius
[Diagram: same topology, with the APs of Store-1 … Store-N placed in AP-Group-1 … AP-Group-N]
AP Group 1 : Store-1
•WLANs : Store-1
…
AP Group N : Store-N
•WLANs : Store-N
Case Study – HREAP Retail Design
Create WLAN for Employee and for each store (local switching)
Create AP Group for each store and add AP-1 / WLAN-17 for Store-1, etc
Map locally switched WLAN to a VLAN per store
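The three steps above, sketched as an added example (not from the original slides or from Cisco): a planner that gives each store a WLAN ID starting at 17, an AP group, and a randomly generated per-store PSK instead of the short placeholder keys in the diagram, and flags stores outside the stated limits. The input fields, the `local_vlan` values and the 32-character key length are assumptions.

```python
import secrets
import string

FIRST_STORE_WLAN_ID = 17   # slide: "WLAN 17 : Store-1"
EMPLOYEE_WLAN_ID = 1       # slide: "WLAN 1 : Data", SSID=Employee
MAX_APS_PER_STORE = 5      # slide: up to 5 APs per site
MAX_RTT_MS = 300           # slide: max latency between APs and WLC
PSK_ALPHABET = string.ascii_letters + string.digits


def new_psk(length=32):
    """Random per-store passphrase; WPA-PSK passphrases are 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be 8..63")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def build_store_plan(stores):
    """stores: list of {"name", "aps", "local_vlan", "rtt_ms"} (hypothetical input).

    Returns (plan, problems): one plan entry per store, plus design violations.
    """
    plan, problems, used_psks = [], [], set()
    for offset, store in enumerate(stores):
        name = store["name"]
        if not 1 <= len(store["aps"]) <= MAX_APS_PER_STORE:
            problems.append(f"{name}: needs 1..{MAX_APS_PER_STORE} APs")
        if store["rtt_ms"] > MAX_RTT_MS:
            problems.append(f"{name}: RTT {store['rtt_ms']} ms > {MAX_RTT_MS} ms")
        psk = new_psk()
        while psk in used_psks:          # the design calls for a different key per store
            psk = new_psk()
        used_psks.add(psk)
        plan.append({
            "ap_group": f"AP-Group-{offset + 1}",
            "aps": list(store["aps"]),
            "store_wlan": {"id": FIRST_STORE_WLAN_ID + offset, "ssid": name,
                           "security": "WPA-PSK", "psk": psk,
                           "switching": "local", "vlan": store["local_vlan"]},
            "employee_wlan": {"id": EMPLOYEE_WLAN_ID, "ssid": "Employee",
                              "security": "WPA/RADIUS", "switching": "central"},
        })
    return plan, problems


# Constructed sample input, not taken from the slides.
SAMPLE_STORES = [
    {"name": "Store-1", "aps": ["AP-1"], "local_vlan": 10, "rtt_ms": 100},
    {"name": "Store-2", "aps": [f"AP-{i}" for i in range(2, 8)], "local_vlan": 10, "rtt_ms": 350},
]
```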
OfficeExtend Solution Highlights
Features
Scalable up to 500 APs per Wireless Controller
WCS provisioning for mass deployment
Personal SSID for non-corporate use
Ease of deployment with no special configuration needed on the Wireless Controller
Encryption of data at line rate, no encryption module needed
Supports UC wireless phones
OfficeExtend Solution
Key Benefits
Secure, convenient, cost-effective mobile teleworker solution enabling a consistent mobility experience
Ease of deployment for IT; plug and play for end user
802.11n 1140 AP and 1130 AP supported
Solution Elements
5508 Wireless Controller
1130 AP; 1140 AP
Management through WCS
OfficeExtend Solution
Take the Corporate Network With You Seamlessly and Securely
Secure: Secure DTLS Encryption Between AP and Corporate Network Over the WAN
Simple: AP Can Call Home to Automatically Set Up Secure Tunnel
Cost Effective: Reduce Costs Through Telecommuting, Reduced Cell Phone Charges, and Lower OpEx
[Diagram: AP1130, AP1140 at Home, Hotel, Anywhere; Secure Encryption over the Internet to the 5508 at the Corporate Office]
What Is the OEAP Solution?
Controller (Cisco Wireless 5508 Controller)
Support for 500 Office Extend AP per controller
AP (AP 1131 & AP 1140)
Data encryption in software (AP1130) and in hardware (AP1140)
LED changes to display the AP status
Latency based Join
Link latency detection
Disable Telnet and SSH Access to AP
Disable Rogue Detection
Local SSID
WLC GUI and WCS.
Configuration, reporting, troubleshoot and diagnostic enhancements
Aironet 600 Series OfficeExtend AP
Dual band 802.11n AP for the homes
Proven hardware design
Validated OEAP Features / Function
Supported by 5508, WiSM2, 2500
7.67" x 6.92" x 1.45"
Available worldwide (all reg domains)
Target FCS: Q1CY11
Target 100 – 1000 Users (5-15 Servers)
CCNA Target Technical Level
Baseline Configuration Ready for Policy Development
Ready for Advanced Technologies and Services
Smart Business Architecture - Foundation
Published Design Guides: www.cisco.com/go/sba