Cisco Connect 2012
2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
Wireless RF Design Overview
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Wireless RF Design
An RF site survey is the first step in the deployment of a wireless network, and it is the most important step to ensure the desired operation.
WLAN Requirements
Business requirements
WLAN Applications:
Protocol Requirements
WLAN Requirements
Coverage and Capacity Requirements
RF Coverage Information:
RF coverage inside and outside
Identify and select RF coverage areas
User Density
Current and Future Wireless users and devices
Correctly identify and classify high-density areas (cubicles, auditoriums, conference rooms, etc.)
Mobile vs. Mobility
Expected Throughput
Analysis
AIR-CAP3502E-x-K9: Cisco Aironet 3500 Series Access Point (external antennas)
AIR-CAP3502I-x-K9: Cisco Aironet 3500 Series Access Point (internal antennas)
AIR-CAP3602E-x-K9: Cisco Aironet 3600 Series Access Point (external antennas)
Controller-Based Architecture Overview
Agenda
Cisco Unified Wireless Principles
(Figure: components of the Cisco Unified WLAN: Cisco Prime Infrastructure (PI), Mobility Services Engine (MSE), the campus network and Cisco APs.)
(Figure: controller-based architecture. The Wi-Fi client associates to an access point; the access point tunnels to the controller over CAPWAP, which carries both the control plane and the data plane; business applications sit behind the controller.)
CAPWAP AP state machine (figure): Discovery -> DTLS Setup -> Join -> Image Data -> Config -> Run. The DTLS session, with mutual certificate authentication between AP and controller, is established before Join, so the AP has authenticated the controller before it accepts an image or configuration from it.
AP Controller Discovery
Controller discovery order:
Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs)
Broadcast message sent to discover a controller on the local subnet
Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails
interface)
Domain name
Appropriate DHCP lease timer for APs
Pool sizes for WLAN devices according to the different types of sites
If NAT is used, static 1-to-1 NAT to an outside address is recommended
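The DHCP side of Layer 3 discovery, as an added example that is not part of the original deck: Cisco lightweight APs learn controller addresses from DHCP option 43, sub-option type 241 (0xf1), whose value is the list of controller management IPv4 addresses. The Python below builds that payload in the form IOS takes on an `option 43 hex` line and parses it back. The function names are mine and the controller addresses are constructed sample values.

```python
"""
Added example (not from the original deck): build and parse the vendor-specific
DHCP option 43 payload that Cisco lightweight APs use to learn controller
addresses. Cisco documents the format as sub-option type 0xf1 (241), a length
byte equal to 4 x the number of controllers, then each controller management
IPv4 address as 4 raw bytes. The controller IPs used below are constructed.
"""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # Cisco "AP controller" sub-option, type 241


def encode_option43(controllers):
    """Return the option 43 payload (bytes) for a list of controller IPv4s.

    The payload must fit in one DHCP option (255 bytes), which caps the list
    at 63 controllers; a real site lists two or three.
    """
    ips = [ipaddress.IPv4Address(c) for c in controllers]
    if not ips:
        raise ValueError("at least one controller address is required")
    if len(ips) * 4 > 255:
        raise ValueError("too many controllers for a single DHCP option")
    body = b"".join(ip.packed for ip in ips)
    return bytes([CISCO_WLC_SUBOPTION, len(body)]) + body


def option43_hex(controllers):
    """Plain hex string of the payload."""
    return encode_option43(controllers).hex()


def option43_ios(controllers):
    """Same value in the dotted groups-of-four form IOS accepts on
    'option 43 hex ...' inside an 'ip dhcp pool'."""
    h = option43_hex(controllers)
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def decode_option43(payload):
    """Parse an option 43 payload back into controller IP strings.

    Only sub-option 241 is extracted; other vendor sub-options in the same
    payload are skipped using their own length bytes.
    """
    controllers = []
    i = 0
    while i + 2 <= len(payload):
        sub_type, sub_len = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + sub_len]
        if len(data) != sub_len:
            raise ValueError("truncated option 43 payload")
        if sub_type == CISCO_WLC_SUBOPTION:
            if sub_len % 4:
                raise ValueError("controller list length is not a multiple of 4")
            for j in range(0, sub_len, 4):
                controllers.append(str(ipaddress.IPv4Address(data[j:j + 4])))
        i += 2 + sub_len
    return controllers


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.20"]   # constructed sample controllers
    print("ip dhcp pool APS")
    print(" option 43 hex", option43_ios(wlcs))
    assert decode_option43(bytes.fromhex(option43_hex(wlcs))) == wlcs
```

The AP trusts whatever the DHCP server hands it, so a rogue DHCP server on the AP VLAN can steer APs toward an attacker's controller; what stops the AP from actually joining one is the mutual certificate authentication in the DTLS setup that precedes Join. DHCP snooping with trusted ports on the AP VLAN belongs inside the WLAN's security boundary for that reason.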
Mobility Defined
Mobility is a key reason for wireless networks
Mobility means the end-user device is capable of moving location in
Mobility group (figure): Controller-A (MAC AA:AA:AA:AA:AA:01), Controller-B (MAC AA:AA:AA:AA:AA:02) and Controller-C (MAC AA:AA:AA:AA:AA:03), all configured with Mobility Group Name MyMobilityGroup. Mobility messages are exchanged between the controllers, and client traffic between controllers is carried in an Ethernet-in-IP tunnel. A mobility group supports up to 24 controllers and 24000 APs.
Mobility scaling (figure): one WLC network; up to 24 WLCs in a mobility group; up to 72 WLCs in a mobility domain.
Roaming Requirements
Roaming must be fast. Latency can be introduced by:
Client channel scanning and AP selection algorithms
Re-authentication of the client device and re-keying
Refreshing of the IP address
Roam within a mobility group (figure): WLC-1 and WLC-2, with the WLC-1 client database and the roaming data path. After the roam the client database entry is updated with the new AP and the appropriate security context; no IP address refresh is needed.
Layer 3 inter-controller roam (figure): the client's data (MAC, IP, QoS, security context) stays on WLC-1, the anchor controller, on VLAN Z. When the client roams to an AP on WLC-2, the foreign controller, its traffic is carried between foreign and anchor over a data tunnel that replaces the pre-roaming data path, so the client keeps its IP address.
Roaming: Inter-Controller Layer 3
L3 inter-controller roam: STA moves association between APs joined to the different
release
Account for mobility message exchange in network design
Fast secure roaming: eliminating full 802.1X/EAP reauthentication on every roam
Challenge (figure): 1. 802.1X initial authentication transaction through AP1 to the Cisco AAA server (ACS or ISE) across the WAN; 2. 802.1X reauthentication after roaming to AP2, which crosses the WAN to the AAA server again.
CCKM: application-specific devices (ASDs)
CCKM ported to the CUWN architecture in the 3.2 release
In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range
CCKM is most widely implemented in ASDs, especially VoWLAN devices
To work across WLCs, the WLCs must be in the same mobility group
CCX-based laptops may not fully support CCKM; it depends on supplicant capabilities
CCKM itself is Cisco-proprietary; its standards-based equivalent is 802.11r (Fast BSS Transition), which Apple supports from iOS 6.0
The FT (Fast Transition) key hierarchy is designed to allow the client to make fast BSS
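The FT key hierarchy the sentence above refers to, as an added example that is not part of the original deck: the IEEE 802.11r derivation of PMK-R0, PMK-R1 and the PTK using the 802.11 KDF over HMAC-SHA-256 with the labels FT-R0, FT-R1 and FT-PTK. It shows why a client holding PMK-R0 can roam to another AP in the same mobility domain without a new EAP exchange: client and target AP independently derive the same PMK-R1 and then the PTK from fresh nonces. The function names are mine, and the SSID, MDID, key-holder identities, MAC addresses and XXKey are constructed sample values.

```python
"""
Added example (not from the original deck): the IEEE 802.11r Fast BSS
Transition key hierarchy. PMK-R0 lives on the R0 key holder (the controller),
one PMK-R1 per AP is derived from it for the R1 key holders, and the PTK is
derived from PMK-R1 plus the nonces exchanged in the FT authentication frames.
All identifiers and key material below are constructed sample values.
"""
import hashlib
import hmac
import struct


def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """KDF-Hash-Length as defined in IEEE 802.11: concatenated HMAC-SHA-256 of
    counter || label || context || length, counter and length as 16-bit
    little-endian, starting at counter 1 and truncated to length_bits."""
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    """PMK-R0 and PMKR0Name. XXKey is the PSK (FT-PSK) or the second 256 bits
    of the EAP MSK (FT-802.1X); R0KH-ID names the controller-side key holder,
    S0KH-ID is the client MAC."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", ctx, 384)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmk_r0_name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]
    return pmk_r0, pmk_r0_name


def derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh_id, s1kh_id):
    """PMK-R1 for one AP (R1KH-ID = that AP's key holder identity, S1KH-ID = client MAC)."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    pmk_r1_name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, pmk_r1_name


def derive_ptk(pmk_r1, pmk_r1_name, snonce, anonce, bssid, sta_addr, ptk_bits=384):
    """PTK (KCK || KEK || TK, 384 bits for CCMP) and PTKName."""
    ctx = snonce + anonce + bssid + sta_addr
    ptk = kdf_sha256(pmk_r1, b"FT-PTK", ctx, ptk_bits)
    ptk_name = hashlib.sha256(pmk_r1_name + b"FT-PTKN" + ctx).digest()[:16]
    return ptk, ptk_name


# Constructed sample values (not real credentials).
SSID = b"corp-ft"
MDID = b"\xa1\xb2"                              # Mobility Domain ID, 2 octets
R0KH_ID = b"wlc-1.example"                       # R0 key holder: the controller
STA = bytes.fromhex("001122334455")              # client MAC = S0KH-ID = S1KH-ID
AP1 = bytes.fromhex("00aabbcc0001")              # R1KH-ID of the first AP
AP2 = bytes.fromhex("00aabbcc0002")              # R1KH-ID of the roam target
XXKEY = hashlib.sha256(b"constructed-msk-second-half").digest()


def roam_keys(xxkey=XXKEY):
    """Keys for an initial association to AP1 and a roam to AP2.
    Returns (PMK-R1 for AP1, PMK-R1 for AP2, PTK for AP2)."""
    pmk_r0, r0name = derive_pmk_r0(xxkey, SSID, MDID, R0KH_ID, STA)
    pmk_r1_ap1, _ = derive_pmk_r1(pmk_r0, r0name, AP1, STA)
    pmk_r1_ap2, r1name_ap2 = derive_pmk_r1(pmk_r0, r0name, AP2, STA)
    snonce, anonce = b"\x11" * 32, b"\x22" * 32   # nonces from the FT auth frames
    ptk_ap2, _ = derive_ptk(pmk_r1_ap2, r1name_ap2, snonce, anonce, AP2, STA)
    return pmk_r1_ap1, pmk_r1_ap2, ptk_ap2


if __name__ == "__main__":
    r1_ap1, r1_ap2, ptk = roam_keys()
    print("PMK-R1 (AP1):", r1_ap1.hex())
    print("PMK-R1 (AP2):", r1_ap2.hex())
    print("PTK (AP2):   ", ptk.hex())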
Multiple WLANs for multiple auth types, each with a unique SSID (e.g. PSK and PSK-FT WLANs with unique SSIDs)
Roaming design considerations
not as much of a big deal for the 5508, which has a dedicated management/control processor
L3 roaming and fast roaming clients consume client DB slots on multiple controllers: consider worst-case scenarios when sizing the roaming domain
Leverage natural roaming domain boundaries
Mobility message transport selection: multicast vs. unicast
Make sure the right ports and protocols are allowed between controllers (mobility control messages use UDP 16666; the inter-controller EoIP data tunnel is IP protocol 97)
Architecture Building Blocks
Software release roadmap (figure)
7.2MR1 (May 2012), 7.3 (Sep 2012), 7.4 (Dec 2012), 7.5 (May 2013)
Access points: AP 2600 (802.11n G2); AP1600 (802.11n G2); AP3600 11ac module; AP3600 Security Module; AP 700; Outdoor AP; Outdoor AP Honeywell integration
Controllers: WLC 8500 (target customer: SP); Virtual Controller; Scale Flex7500 to 6K APs; HA Licensing, N:1; Controller Resiliency: Client SSO over any L2; LAG on Flex7500, WLC 8500, WLC 2500
Features: 802.11r L2 Fast Roaming; Local and FlexConnect support on RAP; Bi-directional rate-limiting; Voice/Video: 11n CAC; PMIPv6 on WLC; Bonjour Services Directory Phase 2; FlexConnect Additions
Controller scale: features / performance
Platform                          APs               Clients
2500                              50                500
SRE WLCM2                         50                500
5500                              500               7000
WiSM2                             1000              15000
Flex7500                          6000 (was 3000)   64000 (was 30000)
8500 (new in 7.3)                 6000              64000
Virtual Controller (new in 7.3)   200               3000
AP portfolio positioning (figure): tiers from Entry Level through Sm/Med, Sm/Med/Large and Med/Large Enterprise, labelled Basic Connectivity, Deployment Flexibility, RF Interference Mitigation, Client Scalability and Any Device/BYOD Optimised (best in class; new Q2FY13).
Access point comparison
Series            Max rate    Radio          Wi-Fi standards     Power
3600 Series       1.3 Gbps    .11n 4x4:3     802.11 a/b/g/n/ac   802.3af
                              .11ac 3x3:3
2600 Series       450 Mbps    3x4:3          802.11 a/b/g/n      802.3af
1600 Series (Q4)  300 Mbps    3x3:2          802.11 a/b/g/n      802.3af
600 Series        300 Mbps    2x2:2          802.11 a/b/g/n
Feature rows (support varies by series): CleanAir, ClientLink / ClientLink 2.0, BandSelect, VideoStream, Rogue AP Detection, Adaptive wIPS, OfficeExtend, FlexConnect, Wireless Mesh, Autonomous
Please note the current revision of 7.0-
AP 3600 (7.2)
Deploying the Cisco Unified Wireless Architecture
Client Profiling
ISE offers a rich set of BYOD features: e.g. device identification,
Built-in profiling policies (excerpt of the controller's profiling policy table)
ID  Name           Parent  Min CF  Valid
0   Android        None    30      Yes
1   Apple-Device   None    10      Yes
2   Apple-MacBook  1       20      Yes
3   Apple-iPad     1       20      Yes
4   Apple-iPhone   1       20      Yes
config wlan profiling {local | radius} {dhcp | http | all} {enable | disable} <wlan ID>
(Cisco Controller) >config wlan profiling local all enable 1
(WLAN ID 1 is shown as an example; the command requires the WLAN ID.)
Client Profiles
When profiling is enabled, a Device Type is shown for each client on the WLAN (client summary excerpt):
Number of Clients................................ 3
MAC Address        AP Name          Status        Device Type
-----------------  ---------------  ------------  --------------------
14:10:9f:ea:b8:c2  AP3600MM         Associated    OS_X-Workstation
c8:d7:19:34:7e:dd  AP3600MM         Associated    Windows7-Workstation
d8:d1:cb:9a:28:f8  AP3600MM         Associated    Apple-iPhone
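A model of the certainty-factor profiling behind the profile table and the client summary above, as an added example that is not the controller's code. The profile names, parents and Min CF values are taken from the excerpt; the Windows7-Workstation profile, the OUI / DHCP option 55 / HTTP User-Agent evidence rules, the scoring model (child evidence also counts toward the parent; the deepest profile whose whole chain meets its Min CF wins) and the sample clients are constructed, and the scoring is my assumption about how such a system behaves, not the WLC's documented algorithm.

```python
"""
Added example (not the controller's code): certainty-factor device profiling
over the three signals a controller sees, the MAC OUI, the DHCP parameter
request list (option 55) and the HTTP User-Agent. The profile table (names,
parents, Min CF) mirrors the excerpt above; the Windows7-Workstation profile,
the evidence rules, the scoring model and the sample clients are constructed
for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    name: str
    parent: Optional[str]   # parent profile name, None for a root
    min_cf: int             # minimum certainty factor before this profile may match


PROFILES = {p.name: p for p in [
    Profile("Android", None, 30),
    Profile("Apple-Device", None, 10),
    Profile("Apple-MacBook", "Apple-Device", 20),
    Profile("Apple-iPad", "Apple-Device", 20),
    Profile("Apple-iPhone", "Apple-Device", 20),
    Profile("Windows7-Workstation", None, 20),   # constructed, not in the excerpt
]}

# Evidence rules (constructed): each hit adds a certainty factor to one profile.
OUI_RULES = {"14:10:9f": ("Apple-Device", 10), "d8:d1:cb": ("Apple-Device", 10)}
DHCP55_RULES = {
    "1,3,6,15,119,252": ("Apple-Device", 20),           # iPhone and iPad send the same list
    "1,3,6,15,119,95,252,44,46": ("Apple-MacBook", 20),
    "1,15,3,6,44,46,47,31,33,121,249,43,252": ("Windows7-Workstation", 20),
    "1,3,6,15,26,28,51,58,59,43": ("Android", 30),
}
UA_RULES = [   # ordered: iOS User-Agents also contain "Mac OS X", so iOS first
    (re.compile(r"\biPhone\b"), ("Apple-iPhone", 20)),
    (re.compile(r"\biPad\b"), ("Apple-iPad", 20)),
    (re.compile(r"Mac OS X"), ("Apple-MacBook", 20)),
]


def _depth(name: str) -> int:
    depth = 0
    while PROFILES[name].parent:
        name = PROFILES[name].parent
        depth += 1
    return depth


def classify(mac: str, dhcp55: Optional[str] = None, user_agent: Optional[str] = None):
    """Return (profile name, certainty factor) for one client.

    Evidence for a child profile also counts toward its parents, and a profile
    matches only when it and every ancestor reach their Min CF; the deepest
    matching profile wins. With DHCP alone an iOS device stays at Apple-Device;
    the User-Agent is what separates iPhone from iPad. All three signals are
    chosen by the client, so the result is visibility, not authentication.
    """
    cf = defaultdict(int)
    oui = mac.lower()[:8]
    if oui in OUI_RULES:
        profile, points = OUI_RULES[oui]
        cf[profile] += points
    if dhcp55:
        key = ",".join(p.strip() for p in dhcp55.split(","))
        if key in DHCP55_RULES:
            profile, points = DHCP55_RULES[key]
            cf[profile] += points
    if user_agent:
        for pattern, (profile, points) in UA_RULES:
            if pattern.search(user_agent):
                cf[profile] += points
                break
    for name, points in list(cf.items()):          # propagate to ancestors
        parent = PROFILES[name].parent
        while parent:
            cf[parent] += points
            parent = PROFILES[parent].parent

    def chain_ok(name: Optional[str]) -> bool:
        while name:
            if cf[name] < PROFILES[name].min_cf:
                return False
            name = PROFILES[name].parent
        return True

    candidates = [n for n in PROFILES if chain_ok(n)]
    if not candidates:
        return "Unknown", 0
    best = max(candidates, key=lambda n: (_depth(n), cf[n]))
    return best, cf[best]


# Constructed sample clients (Apple OUIs with made-up host parts).
SAMPLE_CLIENTS = [
    ("14:10:9f:00:00:01", "1,3,6,15,119,95,252,44,46", None),
    ("c8:d7:19:00:00:02", "1,15,3,6,44,46,47,31,33,121,249,43,252", None),
    ("d8:d1:cb:00:00:03", "1,3,6,15,119,252",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)"),
    ("d8:d1:cb:00:00:04", "1,3,6,15,119,252", None),   # iOS, but no HTTP seen yet
]

if __name__ == "__main__":
    for mac, dhcp55, ua in SAMPLE_CLIENTS:
        print(mac, *classify(mac, dhcp55, ua))
```

The fourth sample client shows the practical limit: until the controller sees an HTTP User-Agent it can say only Apple-Device for an iOS client, and a client that chooses its DHCP options and User-Agent to imitate another device type will be profiled as that type, so device type is suitable for policy that tolerates misclassification, not for access control on its own.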
Controller Redundancy
Most common (N+1): a redundant WLC (WLAN-Controller-BKP) in a geographically separate location backs up WLAN-Controller-1 through WLAN-Controller-n
Layer-3 connectivity between the AP
AP failure detection (figure): primary WLC and secondary WLC; AP heartbeat timer 1-30 secs, fast heartbeat 1-10 secs; AP retransmit interval 2-5 secs, retransmit count 3-8 times; 12 secs.
supported APs.
Note: HA-SKU; 5508 50AP, WiSM2 100AP, 7500/8500 300AP will work as Standby
(Figure: Primary Controller 5508 #1, license count 100, APs connected 90; Primary Controller WiSM-2 #2, license count 500, APs connected 500.)
synced to standby.
to re-associate
Effective service downtime = Detection time + Switch Over Time (+ Network recovery/convergence)
Controller HA with redundancy port (figure): active controller WLC 5500 on R P 1 and the standby unit on RP 2 joined by redundancy-port connectivity; Web-GUI configuration.
Supported topologies:
Two 5508, 7500 or 8500 connected via back-to-back RP port in the same data center
Two 5508, 7500 or 8500 connected via RP port over L2 VLAN/fiber in the same or a different data center
Two WiSM-2 on different chassis with the redundancy VLAN extended over the L2 network
(Figure: Catalyst VSS pair. Switch-1 is VSS Active with the control plane active; Switch-2 is VSS Standby; the two are joined by the VSL. FWSM Active / FWSM Standby and WiSM-2 Active / WiSM-2 Backup are hosted across the pair.)
(Figure: Catalyst VSS pair at the L2/L3 distribution layer with Cisco 5508 controllers in active/standby pairs; access layer below.)
Default AP-Group
The default AP-Group cannot be modified
APs with no assignment to a specific AP-Group use the default AP-Group
WLANs with IDs 17 and up are not part of the default AP-Group, so they are only advertised where they are explicitly assigned to an AP-Group
Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups, so one SSID can place clients in different VLANs depending on where they connect
WLC 2106 (AP groups: 50), WLC 2504 (AP groups: 50)
AP-Grouping in Campus (figure): WLC-1 and WLC-2 in the data centre behind the core, with Internet and WAN off the core; CAPWAP from the access-layer APs across distribution and core. With the default AP-Group, the single SSID (Employee) maps every client to VLAN 100 (/21) regardless of which AP it joins.
AP-Grouping in Campus (figure): the same single SSID (Employee) with three AP-Groups: AP-Group-1 maps it to VLAN 60 (/23), AP-Group-2 to VLAN 70 (/23) and AP-Group-3 to VLAN 80 (/23), so clients get a subnet local to the area they join instead of the one large VLAN 100 (/21).
Default AP-Group: one Network Name (SSID) in the Default AP Group
Multiple AP-Groups: AP Group 1, AP Group 2, AP Group 3
RF-Profiles (7.2 and 7.3 release)
RF Profiles allow the administrator to tune groups of APs sharing a common
RF Profiles are created for either the 2.4 GHz radio or the 5 GHz radio
Profiles are applied to groups of APs belonging to an AP Group, in which all APs in the group will have the same profile settings:
TPCv1 threshold
TPCv2 threshold
Data rates
High density
High-density parameters:
Higher load-balancing window
Higher BandSelect thresholds (prevents a lot of unnecessary work)
RF-Profile in Campus (figure): the single SSID (Employee) served by WLC-1 and WLC-2 with three RF-Profiles: RF-Profile-1 over VLANs 60 and 61 (/23), RF-Profile-2 over VLANs 70 and 71 (/23), RF-Profile-3 over VLANs 80 and 81 (/23); LWAPP/CAPWAP from the access layer across distribution and core to the data centre, with Internet and WAN off the core.
Multiple RF-Profiles: RF Profile -1, RF Profile -2, RF Profile -3
AVC traffic classes (figure): WLC and WAN; Real Time, Interactive, Non-Real Time, Non-Business.
AVC (Application Visibility and Control): provides visibility of classified traffic and also gives an option to control it, using a Drop or Mark (DSCP) action.
Action DROP: traffic for that application will be dropped
Action MARK: particular applications can be marked with the different QoS profiles available on the WLC, or the administrator can define a custom DSCP value for that application
AVC marking overrides all other QoS markings
NetFlow: NBAR statistics are exported to a NetFlow collector such as Cisco Prime Assurance Manager (PAM)
NBAR is supported on 2500, 5500, 7500, 8500 and WiSM2 controllers for local-mode and FlexConnect-mode APs
A WLC can support 16 AVC profiles
A WLAN can support only 1 AVC profile, and each profile can contain 32 rules, so each WLAN can support 32 application actions of mark or drop
Enabling AVC: AVC is enabled on a per-WLAN basis
AVC Profile: custom AVC profiles are created to mark or drop application traffic
NetFlow Monitor: configure a NetFlow exporter on the controller and apply it to the WLAN
AVC Summary: application statistics per WLAN, with details for upstream and downstream
FlexConnect hybrid architecture (figure): a single management and control point at the WLC; centralized traffic crosses the WAN to the controller while local traffic is switched at the remote office.
FlexConnect WAN requirements
Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   APs / Clients per branch
Data              128 kbps              300 ms                  25
Data+Voice        128 kbps              100 ms                  25
Data              128 kbps              1 sec
Monitor           128 kbps              2 sec                   N/A
Data              1.44 Mbps             1 sec                   50 / 1000
Data+Voice        1.44 Mbps             100 ms                  50 / 1000
Monitor           1.44 Mbps             2 sec                   50 / 1000
Flex 7500 at a glance (figure): 300 - 6,000 APs with upgrade licenses; 64,000 clients; 2000 branches; deployment model FlexConnect; WAN survivability; security; Voice CAC; OKC/CCKM; form factor 1 RU; I/O interface 2x 10GE.
FlexConnect scaling (figure: Flex 7500 cluster with remote sites in FlexConnect Group 1 and FlexConnect Group 2 across the WAN)
Platform     FlexConnect Groups   APs per Group
Flex 7500    2000                 100
CT-5508      100                  25
WiSM2        100                  25
CT-2504      30                   25
EAP-TLS/PEAP Overview: Local Authentication on FlexConnect AP (new in 7.5)
Server.
Access points 1040, 1140, 1520, 1550, 1600, 3500, 3600, 2600, 1250 and 1260 are supported
PEAP/EAP-TLS Local Authentication Web-GUI (new in 7.5)
FlexConnect ACLs (new in 7.2): applied to locally switched traffic in local switching mode; the ACL is mapped to the local VLAN per AP or per FlexConnect Group; no IPv6 ACL. Because locally switched traffic never reaches the controller, these AP-side ACLs are the only place policy is enforced for it. (Figure: remote-site AP reaching an application server across the WAN.)
FlexConnect ACL configuration (new in 7.2): click to add ACL rules; Step 3: provision to assign separate inbound and outbound ACLs.
FlexConnect VLAN support with central authentication (new in 7.2): up to 16 VLANs per FlexConnect AP; central RADIUS. (Figure: VLAN 3 and VLAN 7 at the remote site in FlexConnect Group 1, application server across the WAN.)
VLAN is used
not supported.
Create sub-interface on FlexConnect AP (new in 7.2). (Figure: VLAN 10, WAN, ISE.)
FlexConnect guest access on a locally switched VLAN (new in 7.2.110)
Reduces WAN traffic by locally switching guest traffic
Flexible and centralized web portal creation for multiple sites
(Figure: web server and Internet across the WAN; remote site with VLAN 503 and VLAN 7 in FlexConnect Group 1.)
(Figure: FlexConnect AP with NAT/PAT and ACL; CAPWAP to the WLC; central traffic across the WAN to the central server, local traffic to the local printer.)
Mesh (figure): RAP (Root AP) in local or FlexConnect mode connected to the controller; 5 GHz backhaul to the MAP (Mesh AP).
Flex mode will have support for central and local switching
Branch deployment with appliance controllers (figure): headquarters with WCS and e-mail; branch office connected over MPLS, ATM or Frame Relay; small office over Internet VPN.
Appliance controllers: Cisco 2504-12; Cisco 5508-12, 5508-25
Integrated controller: WLAN controller module (WLCM-2) for ISR G2
Branch deployment with integrated controllers (figure): headquarters with WCS and e-mail; branch office over MPLS, ATM or Frame Relay; small office over Internet VPN.
based
Multiple integrated WAN options on ISR
performance
Standardised branch configuration extends the
WLCM-2 or vWLC**
Guest anchor (figure): DMZ or anchor wireless controller behind a Cisco ASA firewall; EoIP guest tunnel from the internal wireless LAN controller to the anchor WLC; CAPWAP from the APs carrying the guest clients.
With 7.4 release 2504 series EoIP connections can
Teleworker (figure): corporate access for the employee over the configured SSID at the teleworker's home, connected to headquarters over an Internet VPN.
Cloud controller
Thank you.