
WIRELESS NETWORKING UPDATE

Joe Young
Systems Engineer

© 2005 Cisco Systems, Inc. All rights reserved.


Cisco Wireless LAN Product Portfolio
Two Solutions Today Merging into a Single System

Today's Distributed Solution
• Management: CiscoWorks WLSE, CiscoWorks WLSE Express
• Control: Catalyst 6500 Series WLSM
• Access: Cisco 1100, 1130, 1200, 1230, 1300 Access Points (Today - Autonomous; Future - Hybrid)

Today's Lightweight Solution
• Management: Cisco Wireless Control System (WCS)
• Control: Cisco 2000 WLAN Controller, Cisco 4400 WLAN Controller
• Access: Cisco 1000 Access Point (Today/Future - Lightweight (LWAPP))

Applications

Cisco Compatible Client Devices


Cisco Airespace
Centralized WLAN Solution



Basic Concept

Diagram: the WLAN Controller and WCS (the WLAN management system) attach to an L2/L3 Ethernet switch; lightweight access points reach the controller through that switch.



Cisco Delivers Dynamic, Resilient RF Management

Self Configuration, Self Optimization, Self Healing

Management Plane: Cisco Wireless Control System (WCS)

Control Plane: Radio Resource Management (per RF Domain)
• Interference Detection / Avoidance
• Mobility Management
• Rogue Detection / Containment
• Transmit Power
• User Load Management
• Automatic Channel Management
• Coverage Hole Management

Data Plane: Airespace Hardware Layer
• Controllers: 4400, 4100, 2006
• Access Points: 1030, 1010



Solving the Wireless, Security and Management Problem

• Easiest to Deploy and Operate
  – Best WLAN management tools on the market (from planning to operations)
  – Real-time RF Management
• Proven security for any enterprise environment
  – Wireless intrusion prevention
  – Real-time WLAN protection
• Best-in-class Performance
  – Designed for converged voice and data applications
• Integrated, accurate location tracking
• Designed for heterogeneous environments
  – Lots of different clients



LWAPP - Splitting the functions

The Airespace Switch/Appliance (the controller) owns:
• Security Policies
• QoS Policies
• RF Management
• Mobility Management

The Access Points are a remote RF interface, reached from the controller across the switched/routed network over LWAPP.

IETF's LWAPP spec can be found at: http://www.airespace.com/html/lwapp.txt
(LWAPP was an IETF draft at the time; it was later published as RFC 5412 and superseded by CAPWAP, RFC 5415.)



LWAPP
• Discovery
  – Prime the AP
  – Subnet broadcast
  – Over the air
  – DHCP (option 43)
• Join
  – Jumbo frames supported? No. Every large packet is fragmented into a big (1500 byte) and a small fragment, both LWAPP encapsulated.
  – This is why the AP manager interface is a separate IP address from the management interface.
• Reliable Link Established
  – Authenticated key exchange using X.509 certificates
  – Control traffic is encrypted using AES-CCM
  – Data traffic is LWAPP encapsulated, not encrypted: LWAPP itself does not protect the encapsulated user frames, so the wired path between AP and controller needs the same trust as any access-layer link that carries user data.
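The DHCP option 43 discovery step, worked through as an added example (not code from the Cisco deck): Cisco lightweight APs read sub-option type 0xf1 from option 43, whose value is a list of controller IPv4 addresses, and the hex string most DHCP servers accept in their option-43 field is exactly that TLV. The controller addresses are constructed. A real server also matches the AP's vendor class identifier (option 60) before handing the option out; that part is not modelled here.

```python
"""DHCP option 43 as used for LWAPP controller discovery.

Cisco lightweight APs read sub-option type 0xf1 (241) from option 43; its
value is a concatenation of controller management IPv4 addresses. This is
an added example; the controller addresses below are constructed.
"""
import ipaddress
import struct

WLC_SUBOPTION = 0xF1  # Cisco sub-option: list of WLAN controller IPv4 addresses


def encode_option43(controllers):
    """Build the raw option-43 value for one or more controller addresses."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("too many controllers for a single sub-option")
    return struct.pack("!BB", WLC_SUBOPTION, len(packed)) + packed


def option43_hex(controllers):
    """Hex form of the value, as typed into a DHCP server's option-43 field."""
    return encode_option43(controllers).hex()


def decode_option43(data):
    """Walk the option-43 TLV list and return the controller IPs in sub-option 0xf1.

    Unknown sub-options are skipped. A sub-option whose declared length runs
    past the end of the data is rejected rather than silently truncated, so a
    malformed or hostile DHCP offer cannot yield a half-parsed address.
    """
    controllers = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-option header at offset %d" % pos)
        sub_type, sub_len = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("sub-option %d length %d exceeds data" % (sub_type, sub_len))
        if sub_type == WLC_SUBOPTION:
            if sub_len % 4:
                raise ValueError("controller list is not a whole number of IPv4 addresses")
            for off in range(0, sub_len, 4):
                controllers.append(str(ipaddress.IPv4Address(value[off:off + 4])))
        pos += 2 + sub_len
    return controllers


if __name__ == "__main__":
    # Constructed controller addresses: a primary and a backup WLC
    wlcs = ["192.168.10.5", "192.168.10.20"]
    print(option43_hex(wlcs))                      # f108c0a80a05c0a80a14
    print(decode_option43(encode_option43(wlcs)))  # ['192.168.10.5', '192.168.10.20']
```

Two controllers give the string `f108c0a80a05c0a80a14`: type f1, length 08, then the two packed addresses. The decoder walks the whole TLV list rather than assuming 0xf1 comes first, because other vendors' sub-options can share the same option 43 on a mixed scope.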



No Single Point of Failure
WLAN Controller Redundancy

Diagram: each Cisco Access Point is configured with more than one Cisco WLAN Controller; if the controller it is joined to fails, the AP joins the next one.

• APs retain channel & power settings in memory as long as they stay powered
• Automatic self healing
• NOTE - No management system required



No Single Point of Failure
AP Redundancy

Diagram: several Cisco Access Points attached to an Ethernet switch and the Cisco WLAN Controller; if one AP fails, the neighbouring APs raise power to cover its area.



Real-Time RF Management

Dynamic Channel Assignment (RF channels "1", "2", "3") and Dynamic Power Optimization

• NEIGHBOR MESSAGES
  – Controller IP / mobility group
  – Operating channel
  – Sent at full power
  – Authenticated
• Allows the system to
  – Avoid interference / improve performance
  – Eliminate coverage holes
  – Optimize coverage area
Real-time Configuration Management
Minimize the Impact of Noise and Interference

Diagram: an interference source appears on channel 11; the APs that were on channels 1 and 11 are re-assigned to channels 1 and 6.
Better Network Performance
Dynamic Load Sharing

Solving Performance & Capacity problems in high density areas (e.g. conference rooms, cafeteria)…

Mobility/RF Groups

Diagram: controllers A and B are both in mobility group "Berkley"; each holds the same mobility table B (ipaddrA / MAC A, ipaddrB / MAC B).

• APs on different controllers can't hear each other
• No RF grouping
• Building-to-building roaming is supported as long as the client stays within the session timeout value


Mobility/RF Groups (2)

Diagram: the same two controllers, A and B, in mobility group "Berkley" with the shared mobility table B; their APs can now hear each other's neighbor messages.

• APs on different controllers hear neighbor messages at < -80 dBm
• Group the RF domains
• Channel and power will be computed as a group


Inter-switch Mobility (L2)

• Transparent to the client
• Same DHCP address maintained


Inter-switch Mobility

Diagram: controller A (Anchor) and controller B (Foreign) joined by an IP/IP tunnel.

• Mobility Announce (groupcast)
• Anchor transfer with the client IP address staying the same
• Client traffic is sent to the Anchor and passed through the tunnel to the Foreign controller
  – Special handling for ARPs, etc.


AP Groups/Site Specific VLANs

Diagram: a single SSID "secure" spans the campus; APs are placed in AP groups that map that SSID to VLAN 61, VLAN 62 or VLAN 63 depending on the site.


LWAPP Access Points

Indoor Access Points: 1130AG, 1000, 1121BG
Indoor Rugged Access Points: 1240AG, 1230AG
Outdoor Access Points/Bridges: 1500, 1400, 1300

Features
• Industry's best range and throughput
• Enterprise class security
• Many configuration options
• Simultaneous air monitoring and traffic delivery
• Wide area networking for outdoor areas

Benefits
• Zero touch management
• No dedicated air monitors
• Supports all deployment scenarios (indoor and outdoor)
• From secure coverage to advanced services


Lightweight APs
Cisco Lightweight Access Points
• LWAPP enabled (zero touch config.)
• No serial port on the 1000 series
• What is stored in NVRAM?
  – Primary, secondary & tertiary controller addresses
  – Antenna configuration
• Real-time RF monitoring - ALL channels scanned while offering service
  – Can scan country channels only or all channels
  – During a scan all 802.11 packets are collected, characterized as rogue beacons, rogue clients or 802.11 interference, and matched against IDS signatures.


Wireless LAN Controllers
Network Unification

Wireless LAN Controllers: 4400, 2000
Catalyst 6500 Series Wireless Services Module (WiSM)
Switch and Router Platforms: Catalyst 3750G Integrated WLC Switch, Integrated Services Routers WLCM

Features
• Enterprise scalability and reliability
• Real-time RF Management
• Multi-layered security
• Mobility management
• Standalone and integrated options

Benefits
• Up to 1500 APs per Cat 6K chassis (WiSM)
• Cost effective solution for main, branch, and remote campuses as well as SMB
• Ideal for data, voice, and video
• Wired and wireless integration
Rogue Policies

• Rogue Policies
  – Determine whether the rogue is on-network
  – RLDP (Rogue Location Discovery Protocol)
  – Rogue Collector
  – Auto contain if the AP doesn't meet AP policy
  – Validate rogue clients against AAA


Rogue Location Discovery Protocol (RLDP)

Diagram: a lightweight AP associates to the Rogue AP as a client, obtains an IP address through the rogue via DHCP, and attempts to connect back to the controller. If that packet reaches the controller, the rogue is attached to the wired network. (RLDP can only do this against rogues that accept an open association.)


Rogue Collector

Diagram: an Airespace AP providing service and monitoring detects a rogue AP and a rogue client over the air; a second AP, trunked into the wired network and providing no RF service, acts as the rogue collector (rogue detector).

• The rogue detector compares client MACs seen in wired traffic to the rogue table; a match means the rogue AP is bridged into the corporate network.
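The two correlation checks the rogue slides describe (wired-side MAC matching by the rogue detector, and AAA validation of the clients associated to a rogue), as an added example that is not Cisco code. The rogue table, the wired ARP sightings and the AAA session list are constructed; on a real deployment they would come from the controllers' scan data, the trunked detector AP and ACS respectively.

```python
"""Rogue correlation logic: decide which detected rogue APs are on the wired
network and whether any AAA-authenticated client has attached to one.

Added example, not Cisco code. The rogue detector (a trunked AP with no RF
service) matches MACs seen in wired ARP traffic against the rogue table, and
AAA is asked whether any client associated to a rogue is a valid corporate
client. All MACs and sightings below are constructed.
"""
import re

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def norm_mac(mac):
    """Canonical lower-case colon form; accepts aa:bb.., aa-bb.. and aabb.ccdd.eeff."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(raw):
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def classify_rogues(rogue_table, wired_macs, aaa_macs):
    """rogue_table: {rogue BSSID: set of client MACs seen associated to it}.
    wired_macs: MACs the rogue detector saw as sources in wired ARP traffic.
    aaa_macs: MACs AAA reports as currently authenticated corporate clients.

    Returns {bssid: {"on_network", "valid_clients", "contain"}}. A rogue is
    on-network when the rogue AP itself or one of its clients shows up on the
    wire; it is flagged for containment when it is on-network or a valid
    corporate client has attached to it.
    """
    wired = {norm_mac(m) for m in wired_macs}
    valid = {norm_mac(m) for m in aaa_macs}
    result = {}
    for bssid, clients in rogue_table.items():
        b = norm_mac(bssid)
        cl = {norm_mac(c) for c in clients}
        on_network = b in wired or bool(cl & wired)
        valid_clients = sorted(cl & valid)
        result[b] = {
            "on_network": on_network,
            "valid_clients": valid_clients,
            "contain": on_network or bool(valid_clients),
        }
    return result


# Constructed sample data -----------------------------------------------------
ROGUE_TABLE = {
    "00:0B:86:AA:BB:01": {"00:11:22:33:44:55", "00:11:22:33:44:66"},  # bridged into the LAN
    "00-0b-86-aa-bb-02": {"00aa.bbcc.ddee"},                          # off-net, but a valid user is on it
    "00:0b:86:aa:bb:03": {"00:99:88:77:66:55"},                       # neighbour's AP, harmless
}
WIRED_ARP_SIGHTINGS = {"00:11:22:33:44:55", "00:de:ad:be:ef:00"}
AAA_AUTHENTICATED = {"00:AA:BB:CC:DD:EE", "00:de:ad:be:ef:00"}


def sample_report():
    return classify_rogues(ROGUE_TABLE, WIRED_ARP_SIGHTINGS, AAA_AUTHENTICATED)


if __name__ == "__main__":
    for bssid, verdict in sample_report().items():
        print(bssid, verdict)
```

The first rogue is on-network because one of its clients also appears in wired ARP traffic; the second is not bridged in, but a corporate client authenticated through AAA is associated to it, which is the case the "ACS validates that no valid clients are associated to the rogue" step is meant to catch; the third is a neighbour's AP and gets no containment. MAC normalisation matters here because the three sources (scan data, ARP capture, AAA) rarely agree on a format.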



A Complete Solution for Handling Rogues

1. Detect Rogue AP (generate alarm)
2. Assess Rogue AP (identity, location, ..)
3. Contain Rogue AP
4. View Historical Report

• Can be automated
• Multiple rogues contained simultaneously
• ACS validates that no valid clients are associated to the rogue


Real-Time Intrusion Protection (IPS)

• Signature library - flat file - easy to update
• Airespace resources dedicated to maintaining library updates (future)
• No WLAN down-time
• No separate air monitors required


Peer to Peer Blocking Mode

Diagram: two wireless clients on an Airespace AP; traffic from either client to the servers behind the Airespace switch is forwarded, while traffic between the two clients is blocked (X).


Identity Networking …

Diagram: user traffic is carried to the WLC via LWAPP; a single SSID serves all users.

Identity returned for one user:
  User: maria
  Group: Marketing
  ACL: Corp_1
  QoS: Gold

The controller uses the RADIUS server to determine the user's identity. This information is used for QoS and security policies.
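How the per-user policy on this slide actually travels from the RADIUS server to the controller, as an added example that is not Cisco code: the ACL name, QoS level and interface come back in Access-Accept as RFC 2865 Vendor-Specific attributes (type 26), and the controller must verify the Response Authenticator against the shared secret before applying any of them. Vendor ID 14179 is the Airespace enterprise number; the sub-attribute numbers and QoS level values are taken from the FreeRADIUS dictionary.airespace and are assumptions to check against your own dictionary. The shared secret, request authenticator and user data are constructed.

```python
"""Per-user policy from RADIUS Access-Accept, as on the Identity Networking slide.

Added example, not Cisco code. Vendor ID 14179 is Airespace's enterprise
number; sub-attribute numbers and QoS level values are assumed from the
FreeRADIUS dictionary.airespace. Secret and authenticator bytes are constructed.
"""
import hashlib
import hmac
import struct

VSA = 26                       # RFC 2865 Vendor-Specific attribute
ACCESS_ACCEPT = 2
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_QOS_LEVEL = 2        # assumed numbering (FreeRADIUS dictionary.airespace)
AIRESPACE_INTERFACE_NAME = 5
AIRESPACE_ACL_NAME = 6
QOS_LEVEL_NAMES = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}  # assumed values
QOS_LEVEL_VALUES = {v: k for k, v in QOS_LEVEL_NAMES.items()}


def encode_vsa(vendor_type, value):
    """Type 26 | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | value."""
    if len(value) > 247:
        raise ValueError("VSA value too long for one attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VSA, 6 + len(inner), AIRESPACE_VENDOR_ID) + inner


def build_access_accept(identifier, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """True only if the reply was produced by a server holding the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if len(packet) < 20 or struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def airespace_attrs(attrs):
    """Walk the attribute list; return {vendor_type: value} for Airespace VSAs."""
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = attrs[pos + 2:pos + a_len]
        if a_type == VSA and len(body) >= 6 and struct.unpack("!I", body[:4])[0] == AIRESPACE_VENDOR_ID:
            v_type, v_len = body[4], body[5]
            if v_len != len(body) - 4:
                raise ValueError("bad vendor length in VSA")
            found[v_type] = body[6:4 + v_len]
        pos += a_len
    return found


def user_policy(packet, request_auth, secret):
    """Policy the controller may apply, or None if the reply is not authentic."""
    if not verify_response_authenticator(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT:
        return None
    vsas = airespace_attrs(packet[20:])
    policy = {}
    if AIRESPACE_ACL_NAME in vsas:
        policy["acl"] = vsas[AIRESPACE_ACL_NAME].decode("ascii")
    if AIRESPACE_QOS_LEVEL in vsas:
        level = struct.unpack("!I", vsas[AIRESPACE_QOS_LEVEL])[0]
        policy["qos"] = QOS_LEVEL_NAMES.get(level, "unknown(%d)" % level)
    if AIRESPACE_INTERFACE_NAME in vsas:
        policy["interface"] = vsas[AIRESPACE_INTERFACE_NAME].decode("ascii")
    return policy


# Constructed values for the worked case ---------------------------------------
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # stands in for the Access-Request's random authenticator
MARIA_ATTRS = (encode_vsa(AIRESPACE_ACL_NAME, b"Corp_1")
               + encode_vsa(AIRESPACE_QOS_LEVEL, struct.pack("!I", QOS_LEVEL_VALUES["Gold"]))
               + encode_vsa(AIRESPACE_INTERFACE_NAME, b"marketing"))


def sample_accept():
    return build_access_accept(7, REQUEST_AUTH, SECRET, MARIA_ATTRS)


if __name__ == "__main__":
    pkt = sample_accept()
    print(user_policy(pkt, REQUEST_AUTH, SECRET))    # {'acl': 'Corp_1', 'qos': 'Gold', 'interface': 'marketing'}
    print(user_policy(pkt, REQUEST_AUTH, b"wrong"))  # None
```

The MD5 construction is what RFC 2865 mandates, so the example keeps it; the security property that matters is that the Response Authenticator binds the attributes to the shared secret and to the specific request, so a spoofed or modified reply yields no policy at all rather than a partially applied one.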



Cisco Wireless Control System (WCS)
Best-in-Class WLAN Systems Management

• WLAN planning and design
• Easy to use configuration templates
  – Point and click security and QoS assignments
• Graphical heat maps
• Device tracking and mapping
• Detailed alarms and reporting tools


Built-in WLAN Planning/Monitoring

• Accurate RF prediction
  – AP placement
  – Performance analysis
• Detailed heat maps for easy analysis


Location Tracking Services
• 1st integrated location solution
• Real-time location services
  – Asset tracking
  – Rogue AP and device location
  – E911 services
• Advanced RF fingerprinting for greater accuracy
• Simultaneous real-time tracking of 10,000+ devices
• API for third party applications
• RF capacity management
• Intuitive management GUI

Cisco 2700 Series Wireless Location Appliance


Guest Access Control
Cisco WLAN Controller Deployments

Diagram: APs in two buildings tunnel over LWAPP across the campus core to a WiSM WLAN Controller, which bridges each SSID onto its own wireless VLAN (Guest, Emp).

• The LWAPP tunnel is a layer 2 tunnel (it carries the client's original frame intact)
• The same LWAPP tunnel is used for the data traffic of different SSIDs
• Control and data traffic are tunneled to the controller via LWAPP: data uses UDP 12222, control uses UDP 12223
• Data traffic is bridged on a unique VLAN corresponding to each SSID
• The traffic isolation provided by VLANs is only valid up to the switch where the controller is connected; beyond that point guest traffic shares the campus network unless it is segmented further
Path Isolation
WLAN Controller Deployments with EoIP Tunnel

Diagram: edge controllers in each building carry guest traffic over EtherIP "Guest Tunnels" across the campus core to an Internet Guest WLAN Controller (Anchor); employee traffic stays on the local Emp VLANs.

• EoIP tunnels logically segment and transport the guest traffic between edge and anchor controllers
• Other traffic (Employee, for example) is still locally bridged on the corresponding VLAN
• No need to define the Guest VLANs on the switches connected to the edge controllers
• The original guest's Ethernet frame is maintained across the LWAPP and EoIP tunnels
• EoIP supported across all WLAN Controllers
• The 2006 model can't terminate EoIP connections (no anchor role)
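The EoIP guest tunnel worked through at the packet level, as an added example that is not Cisco code: EtherIP (RFC 3378) is IP protocol 97 with a two-byte header (4-bit version 3, 12 reserved zero bits) followed by the unmodified Ethernet frame, which is why the guest's frame survives the trip to the anchor and the guest VLAN never needs to exist on the edge switches. The block also shows the check an anchor should make before decapsulating anything: accept EtherIP only from the edge controllers it expects, since whatever is inside the tunnel lands directly on the guest segment. The guest frame and all addresses are constructed.

```python
"""EtherIP (RFC 3378, IP protocol 97) encapsulation as used by the EoIP guest
tunnel between edge and anchor controllers.

Added example, not Cisco code. Wraps a guest's Ethernet frame in an EtherIP
header and an IPv4 header, then unwraps it anchor-side, checking the IPv4
checksum, protocol number and EtherIP version and accepting only packets
from a configured set of edge addresses. Frame and addresses are constructed.
"""
import ipaddress
import struct

ETHERIP_PROTO = 97
ETHERIP_VERSION = 3          # RFC 3378: 4-bit version 3, 12 reserved bits zero
ETHERTYPE_VLAN = 0x8100


def _ip_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def etherip_encap(frame):
    if len(frame) < 14:
        raise ValueError("not an Ethernet frame")
    return struct.pack("!H", ETHERIP_VERSION << 12) + frame


def etherip_decap(payload):
    if len(payload) < 2 + 14:
        raise ValueError("EtherIP payload too short")
    hdr = struct.unpack("!H", payload[:2])[0]
    if hdr >> 12 != ETHERIP_VERSION or hdr & 0x0FFF:
        raise ValueError("bad EtherIP header 0x%04x" % hdr)
    return payload[2:]


def build_tunnel_packet(src, dst, frame):
    """IPv4 packet from the edge controller (src) to the anchor (dst) carrying the frame."""
    payload = etherip_encap(frame)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      ETHERIP_PROTO, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_tunnel_packet(pkt, allowed_edges):
    """Anchor-side decapsulation. Returns (src, dst, frame) or raises."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if ihl < 20 or total_len != len(pkt) or _ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    if proto != ETHERIP_PROTO:
        raise ValueError("not EtherIP (protocol %d)" % proto)
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if src not in allowed_edges:
        raise PermissionError("EtherIP from unexpected peer %s" % src)
    return src, dst, etherip_decap(pkt[ihl:])


def eth_fields(frame):
    """dst, src, VLAN id (if tagged) and EtherType of a frame."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    etype, vlan = struct.unpack("!H", frame[12:14])[0], None
    if etype == ETHERTYPE_VLAN:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        etype = struct.unpack("!H", frame[16:18])[0]
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": etype}


# Constructed: untagged IPv4 frame from a guest client to the anchor's gateway MAC
GUEST_FRAME = (bytes.fromhex("000b86c0ffee") + bytes.fromhex("001122334455")
               + struct.pack("!H", 0x0800) + b"\x45" + bytes(39))
EDGE, ANCHOR = "10.10.1.5", "172.16.254.10"   # constructed controller addresses


def round_trip(frame=GUEST_FRAME):
    pkt = build_tunnel_packet(EDGE, ANCHOR, frame)
    return parse_tunnel_packet(pkt, {EDGE})


if __name__ == "__main__":
    src, dst, frame = round_trip()
    print(src, "->", dst, eth_fields(frame), frame == GUEST_FRAME)
```

The peer check is the part worth copying: without it, any host that can route IP protocol 97 to the anchor's address can inject arbitrary layer 2 frames onto the guest segment. Filtering protocol 97 to the known edge-controller addresses at the campus core or on the anchor is the usual control.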

Controller Guest Access Components
Overview

Diagram: the same anchor design, with WCS managing the controllers and the EtherIP "Guest Tunnels" terminating on the anchor controller at the Internet edge.

1. Back-End Segmentation (Mobility Anchor)
   • Separate the guest traffic from the corporate internal traffic via EoIP tunnels
2. Lobby ambassador/host portal
   • Guest user creation and token generation
   • Web portal - internal or external
3. Customizable Guest Screen
   • Fully customizable guest login screen
4. Back-End Authentication
   • Local user database
   • External AAA authentication capable


New Guest Features in WLAN Controller

• Lobby Ambassador account role in WCS for guest user credential creation, monitoring, and deletion
  – Guest user-ids and passwords auto-generated or manually defined
  – Guest user accounts manageable via SNMP
• Fully customizable login screen downloadable to the controller
  – The image file replaces the original Web Authentication page on the controller
  – TFTP download of a tar file of up to 1 MB for the web page


Lobby Ambassador Feature in WCS

Diagram: WCS sits at the Internet edge alongside the guest anchor controller; the rest of the topology is unchanged.

• Lobby Ambassador (LA) role created which only allows access to the Lobby Administrator screen in WCS
• Runs on the controller and WCS
• Traps are sent to notify when a guest user account expires


Add a "guest" user on the WLC
• Guest User List > New


Web Portal - Internal to WLC

• Internal web login page in the WLC

Diagram: the guest client's login page is served by the WLC itself; the topology is otherwise unchanged.


Web Portal - External Web Server

• Web portal on an external web server

Diagram: the WLC redirects guest logins to an external web server placed next to it at the Internet edge; the topology is otherwise unchanged.


Web Login Page On the Client
• The wireless guest user associates to the Guest SSID
• The guest initiates a browser connection to any website
• The controller intercepts the request and the Web Login page is displayed

Diagram: guest wireless client → LWAPP → WLC (managed by WCS) → campus core → Internet.
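The three steps above, modelled from the controller's side as an added example that is not Cisco code: before login a guest client may only do DHCP, DNS and reach the portal, an HTTP request to any site is answered with a redirect to the login page that preserves the original URL, and everything else is dropped; after a successful login against the local guest database the client is passed. The portal URL, the client MAC, the guest account and the packets are constructed; a real WLC serves the page from its virtual interface address, which this block does not model.

```python
"""Controller-side web authentication state for a guest client.

Added example, not Cisco code. Models the pre-login policy (DHCP/DNS and the
portal allowed, HTTP redirected, all else dropped) and the post-login pass.
The portal URL, accounts, client MAC and packets are constructed.
"""
import hmac
from urllib.parse import quote, urlsplit

PORTAL = "https://portal.guest.example/login.html"   # constructed portal URL
_PORTAL_HOST = urlsplit(PORTAL).hostname


def redirect_url(original_url):
    """Portal URL carrying the original request so it can be restored after login."""
    return "%s?redirect=%s" % (PORTAL, quote(original_url, safe=""))


class WebAuthState:
    def __init__(self):
        self.authenticated = set()   # client MACs that completed web login

    def login(self, mac, username, password, accounts):
        """Local guest database check; on success the client is passed."""
        expected = accounts.get(username, "")
        ok = hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            self.authenticated.add(mac)
        return ok

    def logout(self, mac):
        self.authenticated.discard(mac)

    def decide(self, mac, packet):
        """packet: dict with 'proto' ('udp'/'tcp'), 'dport', 'dst_host' and, for
        HTTP, 'method' and 'url'. Returns ('allow'|'drop'|'redirect', detail)."""
        if mac in self.authenticated:
            return "allow", None
        proto, dport = packet.get("proto"), packet.get("dport")
        if proto == "udp" and dport in (53, 67):        # DNS and DHCP are needed to reach the portal
            return "allow", "pre-auth"
        if proto == "tcp" and dport == 443 and packet.get("dst_host") == _PORTAL_HOST:
            return "allow", "portal"
        if proto == "tcp" and dport == 80 and packet.get("method") == "GET":
            return "redirect", redirect_url(packet.get("url", "/"))
        return "drop", "pre-auth"


# Constructed walk-through -----------------------------------------------------
GUEST_ACCOUNTS = {"guest123": "constructed-password"}
CLIENT = "00:11:22:33:44:55"


def walkthrough():
    """Returns the decisions for an HTTP GET before login, SSH before login, SSH after login."""
    wa = WebAuthState()
    before = wa.decide(CLIENT, {"proto": "tcp", "dport": 80, "method": "GET",
                                "dst_host": "www.example.com",
                                "url": "http://www.example.com/news"})
    blocked = wa.decide(CLIENT, {"proto": "tcp", "dport": 22, "dst_host": "10.1.1.1"})
    wa.login(CLIENT, "guest123", "constructed-password", GUEST_ACCOUNTS)
    after = wa.decide(CLIENT, {"proto": "tcp", "dport": 22, "dst_host": "10.1.1.1"})
    return before, blocked, after


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Note that only plain HTTP can be redirected; an HTTPS request to an arbitrary site is simply dropped pre-login because the controller cannot answer on someone else's certificate, which is why the guest instructions on these slides tell the user to open "any website" and why DNS has to be allowed before authentication.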



Configuring Customized WebAuth in WCS

• Download the sample file and upload a customized web page in WCS

Diagram: WCS pushes the customized page to the WLC; the topology is otherwise unchanged.


Thank You

