Wednesday, December 15, 2010

Cisco Unified Wireless Network Best CCNP Training Institute in Delhi

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192


This section covers the Cisco UWN architecture, LWAPP, WLAN controller components, roaming, and mobility groups. Cisco UWN components provide scalable wireless LAN solutions using WLAN controllers to manage lightweight access points. The CCDA must understand how these components work with each other, how they scale, and how roaming and mobility groups work.

Cisco UWN Architecture

With the explosion of wireless solutions in and out of the enterprise, designers must create solutions that provide mobility and business services while maintaining network security. The Cisco Unified Wireless Network (UWN) architecture combines elements of wireless and wired networks to deliver scalable, manageable, and secure WLANs. As shown in Figure 4-2, the Cisco UWN architecture is composed of five network elements:

Figure 4-2. Cisco UWN Architecture

  • Client devices— These include laptops, workstations, IP phones, PDAs, and manufacturing devices that access the WLAN.
  • Access points— These devices provide access to the wireless network. APs are placed in strategic locations to minimize interference.
  • Network unification— The WLAN system should be able to support wireless applications by providing security policies, QoS, intrusion prevention, and radio frequency (RF) management. Cisco WLAN controllers provide this functionality and integration into all major switching and routing platforms.
  • Network management— The Cisco Wireless Control System (WCS) provides a central management tool that lets you design, control, and monitor wireless networks.
  • Mobility services— These include guest access, location services, voice services, and threat detection and mitigation.
Cisco UWN provides the following benefits:
  • Reduced Total Cost of Ownership (TCO)
  • Enhanced visibility control
  • Dynamic RF management
  • WLAN security
  • Unified wired and wireless network
  • Enterprise mobility
  • Enhanced productivity and collaboration

LWAPP

Lightweight Access Point Protocol (LWAPP) is a draft Internet Engineering Task Force (IETF) standard for control messaging for setup, authentication, and operations between access points (AP) and wireless LAN controllers (WLC).
With Cisco's UWN Split-MAC operation, the control and data messages are split. Lightweight Access Points (LWAP) communicate with the WLCs using control messages over the wired network. LWAPP data messages are encapsulated and forwarded to and from wireless clients. The WLC manages multiple APs, providing configuration information and firmware updates as needed.
LWAP MAC functions are
  • 802.11— Beacons, probe response
  • 802.11 Control— Packet acknowledgment and transmission
  • 802.11e— Frame queuing and packet prioritization
  • 802.11i— MAC layer data encryption/decryption
Controller MAC functions are
  • 802.11 MAC Management— Association requests and actions
  • 802.11e Resource Reservation— To reserve resources for specific applications
  • 802.11i— Authentication and key management
In the LWAPP RFC draft, LWAPP control messages can be transported in Layer 2 tunnels or Layer 3 tunnels. Layer 2 LWAPP tunnels were the first method developed, and in that method the APs did not require an IP address. The disadvantage of Layer 2 LWAPP was that the WLC needed to be on every subnet on which an AP resides. Layer 2 LWAPP is a deprecated solution for Cisco. Layer 3 LWAPP is the preferred solution.
Note
Layer 2 LWAPP tunnels use Ethertype code 0xBBBB.

As shown in Figure 4-3, Layer 3 LWAPP tunnels are used between the LWAP and the WLC. Messages from the WLC use UDP port 12223 for control and UDP port 12222 for data messages. In this solution, access points require an IP address, but the WLC does not need to reside on the same segment.

Figure 4-3. Layer 3 LWAPP

LWAPP Access Point Modes
LWAPP access points operate in one of six different modes:
  • Local mode— This is the default mode of operation. In this mode, every 180 seconds the AP spends 60 milliseconds on channels it does not operate on. During this 60 ms, the AP performs noise floor measurements, measures interference, and scans for IDS events.
  • Remote Edge AP (REAP) mode— This mode enables an LWAP to reside across a WAN link and still be able to communicate with the WLC and provide the functionality of a regular LWAP. Currently, REAP mode is supported only on the 1030 LWAPs.
  • Monitor mode— Monitor mode is a feature designed to allow specified LWAPP-enabled APs to exclude themselves from handling data traffic between clients and the infrastructure. They instead act as dedicated sensors for location-based services (LBS), rogue access point detection, and intrusion detection (IDS). When APs are in Monitor mode, they cannot serve clients and continuously cycle through all configured channels, listening to each channel for approximately 60 ms.
  • Rogue detector mode— LWAPs that operate in Rogue Detector mode monitor the rogue APs. They do not transmit or contain rogue APs. The idea is that the rogue detector (RD) should be able to see all the VLANs in the network, because rogue APs can be connected to any of the VLANs in the network (thus, we connect it to a trunk port). The switch sends all the rogue AP/client MAC address lists to the RD. The RD then forwards those to the WLC to compare with the MAC addresses of clients that the WLC APs have heard over the air. If the MAC addresses match, the WLC knows that the rogue AP to which those clients are connected is on the wired network.
  • Sniffer mode— An LWAP that operates in Sniffer mode functions as a sniffer and captures and forwards all the packets on a particular channel to a remote machine that runs AiroPeek. These packets contain information on the time stamp, signal strength, packet size, and so on. The Sniffer feature can be enabled only if you run AiroPeek, a third-party network analyzer software that supports decoding of data packets.
  • Bridge mode— The Bridge mode feature on the Cisco 1030 (typically indoor usage) and 1500 access points (typically outdoor mesh usage) provides cost-effective, high-bandwidth wireless bridging connectivity. Applications supported are point-to-point bridging, point-to-multipoint bridging, point-to-point wireless access with integrated wireless backhaul, and point-to-multipoint wireless access with integrated wireless backhaul.
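The Rogue Detector mode described above is a correlation job: the switch hands the RD the MAC addresses seen on the wired VLANs, and the WLC compares them with the client MACs its APs heard over the air and the rogue AP each of those clients was associated to. A match means the rogue AP is bridged onto the wired network. The following is an added example of that correlation, not Cisco code; the switch table lines and the over-the-air client map are constructed sample data, and the function names are my own.

```python
"""Rogue Detector correlation (added example; not Cisco's implementation)."""
from typing import Dict, Iterable, List, Set


def normalize_mac(mac: str) -> str:
    """Canonicalise the three common notations (aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff) to lowercase colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_wired_macs(switch_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Parse 'show mac address-table'-style lines: '<vlan> <mac> <type> <port>'.
    The RD sits on a trunk port, so it sees every VLAN. Returns {mac: {vlan, ...}}."""
    seen: Dict[str, Set[str]] = {}
    for line in switch_lines:
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header, separator or blank line
        vlan, mac = parts[0], normalize_mac(parts[1])
        seen.setdefault(mac, set()).add(vlan)
    return seen


def rogues_on_wire(wired: Dict[str, Set[str]],
                   air_clients: Dict[str, str]) -> Dict[str, List[str]]:
    """air_clients maps a client MAC heard over the air to the BSSID of the
    rogue AP it was associated to. A client MAC that also appears in the
    wired table confirms that its rogue AP is connected to the wired network.
    Returns {rogue_bssid: [matching client MACs]}."""
    confirmed: Dict[str, List[str]] = {}
    for client, bssid in air_clients.items():
        client_mac = normalize_mac(client)
        if client_mac in wired:
            confirmed.setdefault(normalize_mac(bssid), []).append(client_mac)
    return confirmed


# Constructed sample data (not a real capture).
SWITCH_MAC_TABLE = [
    "Vlan    Mac Address       Type        Ports",
    "----    -----------       --------    -----",
    "10      0011.2233.4455    DYNAMIC     Gi1/0/5",
    "20      0011.2233.6677    DYNAMIC     Gi1/0/7",
    "30      00aa.bbcc.dd01    DYNAMIC     Gi1/0/9",
]

AIR_CLIENTS = {
    "00:11:22:33:44:55": "00:de:ad:be:ef:01",  # associated to rogue AP 1
    "00:11:22:33:66:77": "00:de:ad:be:ef:01",  # associated to rogue AP 1
    "00:11:22:33:88:99": "00:de:ad:be:ef:02",  # heard over the air only
}


if __name__ == "__main__":
    for bssid, clients in rogues_on_wire(parse_wired_macs(SWITCH_MAC_TABLE), AIR_CLIENTS).items():
        print(f"rogue AP {bssid} is on the wired network; wired clients: {clients}")
```

With the constructed data, rogue AP `00:de:ad:be:ef:01` is reported as on the wire because two of its clients appear in the switch table, while `00:de:ad:be:ef:02` is not, since its only client was seen over the air alone.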
LWAPP Discovery
When LWAPs are placed on the network, they first perform DHCP discovery to obtain an IP address. Then Layer 3 LWAPP discovery is attempted. If there is no WLC response, the access point reboots and repeats this process. The Layer 3 LWAPP discovery algorithm is as follows:
  1. The AP sends a Layer 3 LWAPP Discovery Request.
  2. All WLCs that receive the Discovery Request reply with a unicast LWAPP Discovery Response Message.
  3. The AP compiles a list of WLCs.
  4. The AP selects a WLC based on certain criteria.
  5. The AP validates the selected WLC and sends an LWAPP Join Response. An encryption key is selected, and future messages are encrypted.
Layer 3 Discovery Requests are sent as listed:
  • Local subnet broadcast
  • Unicast LWAPP Discovery Requests to WLC IP addresses advertised by other APs
  • To previously stored WLC IP addresses
  • To IP addresses learned by DHCP option 43
  • To IP addresses learned by DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain
The selected WLC is based on the following:
  • Previously configured primary, secondary, and/or tertiary WLCs
  • The WLC configured as the Master controller
  • The WLC with the most capacity for AP associations
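The discovery sources and the selection order above can be written out as a small model. The following is an added example, not Cisco's implementation: it builds the ordered list of Layer 3 Discovery Request destinations from the five sources the text lists, parses the controller addresses out of a DHCP option 43 value (the sub-option 0xF1 layout Cisco documents for lightweight APs, carrying 4-byte IPv4 addresses, is an assumption of this model rather than something stated on this page), and then applies the three selection criteria to the Discovery Responses the AP collected. The `DiscoveryResponse` fields and all sample addresses are constructed.

```python
"""LWAPP discovery targets and WLC selection (added example; not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional


def parse_option43(hex_value: str) -> List[str]:
    """Extract WLC IPv4 addresses from a DHCP option 43 value given as hex.
    Assumed layout: TLV sub-options, with sub-option 0xF1 holding
    4 * n bytes of controller addresses."""
    data = bytes.fromhex(hex_value)
    wlcs: List[str] = []
    i = 0
    while i + 2 <= len(data):
        sub_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        i += 2 + length
        if sub_type == 0xF1 and length % 4 == 0 and len(value) == length:
            for j in range(0, length, 4):
                wlcs.append(".".join(str(b) for b in value[j:j + 4]))
    return wlcs


def discovery_targets(stored: List[str], advertised: List[str],
                      option43_hex: str, dns_answers: List[str]) -> List[str]:
    """Ordered, de-duplicated destinations for Layer 3 Discovery Requests:
    local broadcast, then WLCs advertised by other APs, previously stored
    WLCs, DHCP option 43 addresses, and DNS answers."""
    ordered = (["255.255.255.255"] + advertised + stored
               + parse_option43(option43_hex) + dns_answers)
    targets: List[str] = []
    for t in ordered:
        if t not in targets:
            targets.append(t)
    return targets


@dataclass(frozen=True)
class DiscoveryResponse:
    """What the AP learns from one WLC's unicast Discovery Response (modelled)."""
    name: str
    ip: str
    is_master: bool
    max_aps: int
    joined_aps: int

    @property
    def free_capacity(self) -> int:
        return self.max_aps - self.joined_aps


def select_wlc(responses: List[DiscoveryResponse],
               configured: List[str]) -> Optional[DiscoveryResponse]:
    """configured = [primary, secondary, tertiary] controller names; empty
    strings mean 'not configured'. Returns None when no WLC answered, which
    is the case where the AP reboots and repeats discovery."""
    if not responses:
        return None
    by_name = {r.name: r for r in responses}
    # 1. Previously configured primary, secondary, tertiary, in that order.
    for name in configured:
        if name and name in by_name:
            return by_name[name]
    # 2. The WLC configured as the Master controller.
    masters = [r for r in responses if r.is_master]
    if masters:
        return masters[0]
    # 3. The WLC with the most remaining capacity for AP associations.
    return max(responses, key=lambda r: r.free_capacity)


# Constructed sample responses.
RESPONSES = [
    DiscoveryResponse("WLC-A", "10.0.0.11", is_master=False, max_aps=100, joined_aps=97),
    DiscoveryResponse("WLC-B", "10.0.0.12", is_master=True, max_aps=50, joined_aps=40),
    DiscoveryResponse("WLC-C", "10.0.0.13", is_master=False, max_aps=300, joined_aps=120),
]

if __name__ == "__main__":
    print(discovery_targets(["192.168.10.5"], ["10.0.0.12"], "f108c0a80a05c0a80a06", ["10.0.0.13"]))
    print(select_wlc(RESPONSES, ["WLC-Z", "", ""]).name)  # primary absent, so the Master wins
```

Running the selection with a configured primary that did not answer falls through to the Master, and with no Master present the controller with the largest free capacity (WLC-C, 180 free slots) is chosen.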

WLAN Authentication

Wireless clients first associate to an access point. Then wireless clients need to authenticate with an authentication server before the access point allows access to services. As shown in Figure 4-4, the authentication server resides in the wired infrastructure. An EAP/RADIUS tunnel occurs between the WLC and the authentication server. Cisco's Secure Access Control Server (ACS) using EAP is an example of an authentication server.

Figure 4-4. WLAN Authentication

Authentication Options
Wireless clients communicate with the authentication server using EAP. Each EAP type has advantages and disadvantages. Trade-offs exist between the security provided, EAP type manageability, the operating systems supported, the client devices supported, the client software and authentication messaging overhead, certificate requirements, user ease of use, and WLAN infrastructure device support. The following summarizes the authentication options:
  • EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that is well-supported among wireless vendors but rarely deployed. It uses PKI to secure communications to the RADIUS authentication server using TLS and digital certificates.
  • Protected Extensible Authentication Protocol (PEAP) is a joint proposal by Cisco Systems, Microsoft, and RSA Security as an open standard. PEAP/MSCHAPv2 is the most common version, and it is widely available in products and widely deployed. It is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication. PEAP-GTC allows more generic authentication to a number of databases such as Novell Directory Services (NDS).
  • EAP-Tunneled TLS (EAP-TTLS) was codeveloped by Funk Software and Certicom. It is widely supported across platforms and offers very good security, using PKI certificates only on the authentication server.
  • Cisco Lightweight Extensible Authentication Protocol (LEAP) is an early proprietary EAP method supported in the Cisco Certified Extensions (CCX) program. It is vulnerable to dictionary attacks.
  • EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) is a proposal by Cisco Systems to fix the weaknesses of LEAP. EAP-FAST uses a Protected Access Credential (PAC), and use of server certificates is optional. EAP-FAST has three phases. Phase 0 is an optional phase in which the PAC can be provisioned manually or dynamically. In Phase 1, the client and the AAA server use the PAC to establish the TLS tunnel. In Phase 2, the client sends user information across the tunnel.

WLAN Controller Components

The CCDA candidate must understand the three major components of WLCs:
  • Wireless LANs
  • Interfaces
  • Ports
Wireless LANs are identified by unique SSID network names. The LAN is a logical entity. Each WLAN is assigned to an interface in the WLC. Each WLAN is configured with radio policies, QoS, and other WLAN parameters.
A WLC interface is a logical connection that maps to a VLAN on the wired network. Each interface is configured with a unique IP address, default gateways, physical ports, VLAN tag, and DHCP server.
The port is a physical connection to the neighboring switch or router. By default, each port is an IEEE 802.1Q trunk port. Multiple ports on a WLC can be aggregated into a single port-channel interface using Link Aggregation (LAG). Some WLCs have a service port that is used for out-of-band management. Figure 4-5 shows the WLC components.

Figure 4-5. WLAN Controller Components

WLC Interface Types
A WLC has five interface types:
  • Management interface is used for in-band management, connectivity to AAA, and Layer 2 discovery and association.
  • Service-port interface is used for out-of-band management. It is an optional interface that is statically configured.
  • AP manager interface is used for Layer 3 discovery and association. It is statically configured, and its IP address is the source address the WLC uses toward the APs.
  • Dynamic interface is analogous to VLANs and is designated for WLAN client data.
  • Virtual interface is used for Layer 3 security authentication, DHCP relay support, and mobility management.
AP Controller Equipment Scaling
Cisco provides different solutions to support the differing numbers of access points present in enterprise customers. Standalone devices, modules for integrated services routers (ISR), and modules for 6500 switches support numerous APs. Table 4-3 lists the platforms and the number of APs supported.

Table 4-3. WLAN Controller Platforms

Platform                        Number of Supported Access Points
Cisco 2000 series WLC           6
Cisco WLC for ISRs              6
Catalyst 3750 Integrated WLC    50
Cisco 4400 series WLC           100
Cisco 6500 series WLC Module    300

Roaming and Mobility Groups

The primary reason to have wireless networks is the ability to access network resources from common areas and in areas where running cables is difficult. End clients might want to move from one location to another. Mobility allows users to access the network from several locations. Roaming occurs when the wireless client changes association from one access point to another. The challenge is to scale the wireless network to allow client roaming. Roaming can be intracontroller or intercontroller.
Intracontroller Roaming
Intracontroller roaming, shown in Figure 4-6, occurs when a client moves association from one AP to another AP that is joined to the same WLC. The WLC updates the client database with the new associated AP and does not change the client's IP address. If required, clients are reauthenticated, and a new security association is established. The client database remains on the same WLC.

Figure 4-6. Intracontroller Roaming

Layer 2 Intercontroller Roaming
Intercontroller roaming occurs when a client moves association from one AP to another AP that is joined to a different WLC. A Layer 2 roam occurs when the client traffic is bridged onto the same IP subnet. Figure 4-7 shows Layer 2 intercontroller roaming. Traffic remains on the same IP subnet, and no IP address change occurs for the client. The client database entry is moved from WLC1 to WLC2. The client is reauthenticated, and a new security session is established.

Figure 4-7. Layer 2 Intercontroller Roaming

Layer 3 Intercontroller Roaming
With Layer 3 intercontroller roaming, shown in Figure 4-8, a client moves association from one AP to another AP that is joined to a different WLC, and the traffic is bridged onto a different IP subnet. When the client associates to AP2, WLC2 exchanges mobility messages with WLC1. The original client database entry is not moved to WLC2. Instead, WLC1 marks the client with an "Anchor" entry in its database. The database entry is copied to WLC2's database and is marked as a "Foreign" entry. The wireless client maintains its original IP address and is reauthenticated. A new security session is then established.

Figure 4-8. Layer 3 Intercontroller Roaming

Client traffic then routes in an asymmetric manner. Traffic from the client is forwarded by the Foreign WLC, but traffic to the client arrives at the Anchor WLC, which forwards it through an Ethernet-in-IP (EtherIP) tunnel to the Foreign WLC. The Foreign WLC forwards the data traffic to the client.
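The three roam types described in this section differ in what happens to the client database entry, the client's IP address, and the forwarding path. The following added example (my own model, not Cisco code) tracks exactly those three things: an intracontroller roam keeps the entry on the same WLC, a Layer 2 intercontroller roam moves the entry to the new WLC, and a Layer 3 intercontroller roam leaves an Anchor entry behind and creates a Foreign copy, after which traffic from the client leaves via the Foreign WLC while traffic to the client arrives at the Anchor and is tunnelled over EtherIP. The controller names, AP-to-subnet mapping and client address in `scenario()` are constructed.

```python
"""Roaming state model (added example; not Cisco's implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class ClientEntry:
    mac: str
    ip: str
    ap: str
    role: str = "Local"   # Local | Anchor | Foreign
    session: int = 1      # incremented whenever a new security session is established


@dataclass
class WLC:
    name: str
    ap_subnets: Dict[str, str]                      # AP name -> subnet that AP bridges clients into
    clients: Dict[str, ClientEntry] = field(default_factory=dict)


def roam(mac: str, src: WLC, dst: WLC, new_ap: str) -> str:
    """Re-associate the client to new_ap on dst and return the roam type."""
    entry = src.clients[mac]
    if src is dst:
        # Intracontroller: same database, new AP, IP unchanged, reauthenticated if required.
        entry.ap = new_ap
        entry.session += 1
        return "intracontroller"
    if ip_address(entry.ip) in ip_network(dst.ap_subnets[new_ap]):
        # Layer 2 intercontroller: same subnet, entry moves from src to dst, IP unchanged.
        del src.clients[mac]
        dst.clients[mac] = ClientEntry(mac, entry.ip, new_ap, "Local", entry.session + 1)
        return "layer2-intercontroller"
    # Layer 3 intercontroller: original entry stays on src as Anchor; Foreign copy on dst.
    entry.role = "Anchor"
    dst.clients[mac] = ClientEntry(mac, entry.ip, new_ap, "Foreign", entry.session + 1)
    return "layer3-intercontroller"


def forwarding_path(mac: str, wlcs: List[WLC]) -> Dict[str, str]:
    """Which WLC forwards traffic from the client and which receives traffic to it."""
    holders = [(w, w.clients[mac]) for w in wlcs if mac in w.clients]
    anchor = [w for w, e in holders if e.role == "Anchor"]
    foreign = [w for w, e in holders if e.role == "Foreign"]
    if anchor and foreign:
        # Asymmetric: upstream from Foreign, downstream via Anchor -> EtherIP -> Foreign.
        return {"from_client": foreign[0].name, "to_client": anchor[0].name,
                "tunnel": f"EtherIP {anchor[0].name}->{foreign[0].name}"}
    only = holders[0][0].name
    return {"from_client": only, "to_client": only, "tunnel": "none"}


def scenario() -> dict:
    """Constructed walk-through: one client roams AP1 -> AP2 (same WLC),
    -> AP3 (other WLC, same subnet), -> AP5 (third WLC, different subnet)."""
    wlc1 = WLC("WLC1", {"AP1": "10.1.1.0/24", "AP2": "10.1.1.0/24"})
    wlc2 = WLC("WLC2", {"AP3": "10.1.1.0/24", "AP4": "10.2.2.0/24"})
    wlc3 = WLC("WLC3", {"AP5": "10.3.3.0/24"})
    mac = "00:11:22:33:44:55"
    wlc1.clients[mac] = ClientEntry(mac, "10.1.1.50", "AP1")
    roams = [roam(mac, wlc1, wlc1, "AP2"),
             roam(mac, wlc1, wlc2, "AP3"),
             roam(mac, wlc2, wlc3, "AP5")]
    wlcs = [wlc1, wlc2, wlc3]
    return {
        "roams": roams,
        "roles": {w.name: w.clients[mac].role for w in wlcs if mac in w.clients},
        "client_ip": next(w.clients[mac].ip for w in wlcs if mac in w.clients),
        "path": forwarding_path(mac, wlcs),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The walk-through ends with the client still holding 10.1.1.50, WLC2 holding the Anchor entry, WLC3 holding the Foreign entry, and the return path running WLC2 to WLC3 over EtherIP, which is the asymmetry the text describes.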
Mobility Groups
When you assign WLCs to mobility groups, the WLCs dynamically exchange mobility messages and tunnel data via EtherIP. Mobility groups support up to 24 controllers. The upper limit of APs is bounded by the controller types and the number of APs supported by each controller. Each WLC is configured with a list of the members in the mobility group. The WLCs exchange messages using UDP port 16666 for unencrypted messages or UDP port 16667 for encrypted messages. As an example of the scalability, if 24 Cisco 2000 WLCs are used, 24 * 6 = 144 APs are supported.
Cisco recommends minimizing intercontroller roaming in the network. It is also recommended that there be less than 10 ms of round-trip time latency between controllers. Cisco also states that Layer 2 roaming is more efficient than Layer 3 roaming because of the asymmetric communication of Layer 3 roaming.
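The protocol constants given in this post (Layer 2 LWAPP on Ethertype 0xBBBB, Layer 3 LWAPP control and data on UDP 12223 and 12222, and mobility-group messages on UDP 16666 unencrypted or 16667 encrypted) are enough to classify controller-plane traffic in flow logs and to flag what a defender would want to review: deprecated Layer 2 LWAPP, unencrypted mobility messaging, and LWAPP or mobility traffic involving hosts that are not in the known WLC/AP inventory. The following is an added example, not Cisco code; the log line format, the inventory sets and every address in `FLOW_LOG` are constructed.

```python
"""Flow-log classifier for LWAPP and mobility-group traffic (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Values from the text above.
LWAPP_ETHERTYPE = 0xBBBB          # Layer 2 LWAPP tunnels
LWAPP_CONTROL_PORT = 12223        # Layer 3 LWAPP control
LWAPP_DATA_PORT = 12222           # Layer 3 LWAPP data
MOBILITY_PLAIN_PORT = 16666       # mobility messages, unencrypted
MOBILITY_ENCRYPTED_PORT = 16667   # mobility messages, encrypted


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "udp" or "eth"
    dport: int = 0        # UDP destination port
    ethertype: int = 0    # Ethertype for Layer 2 frames


@dataclass(frozen=True)
class Verdict:
    kind: str
    finding: Optional[str]   # None when nothing needs attention


def parse_flow(line: str) -> Flow:
    """Constructed format: '<ts> udp <srcip>:<sport> -> <dstip>:<dport>' or
    '<ts> eth <srcmac> -> <dstmac> ethertype=0x....'."""
    parts = line.split()
    proto = parts[1]
    if proto == "udp":
        src_ip = parts[2].rsplit(":", 1)[0]
        dst_ip, dport = parts[4].rsplit(":", 1)
        return Flow(src_ip, dst_ip, "udp", dport=int(dport))
    if proto == "eth":
        ethertype = int(parts[5].split("=", 1)[1], 16)
        return Flow(parts[2], parts[4], "eth", ethertype=ethertype)
    raise ValueError(f"unrecognised flow line: {line!r}")


def classify(flow: Flow, wlcs: Set[str], aps: Set[str]) -> Verdict:
    if flow.proto == "eth":
        if flow.ethertype == LWAPP_ETHERTYPE:
            return Verdict("lwapp-l2", "deprecated Layer 2 LWAPP (Ethertype 0xBBBB) seen on the wire")
        return Verdict("other", None)
    unknown = sorted({flow.src, flow.dst} - (wlcs | aps))
    if flow.dport in (LWAPP_CONTROL_PORT, LWAPP_DATA_PORT):
        kind = "lwapp-control" if flow.dport == LWAPP_CONTROL_PORT else "lwapp-data"
        finding = f"LWAPP traffic involving unknown endpoint(s): {', '.join(unknown)}" if unknown else None
        return Verdict(kind, finding)
    if flow.dport == MOBILITY_PLAIN_PORT:
        return Verdict("mobility-unencrypted",
                       f"mobility messages between {flow.src} and {flow.dst} sent unencrypted (UDP 16666)")
    if flow.dport == MOBILITY_ENCRYPTED_PORT:
        unknown_wlc = sorted({flow.src, flow.dst} - wlcs)
        finding = f"mobility messages involving non-WLC host(s): {', '.join(unknown_wlc)}" if unknown_wlc else None
        return Verdict("mobility-encrypted", finding)
    return Verdict("other", None)


def audit(lines: List[str], wlcs: Set[str], aps: Set[str]) -> List[Verdict]:
    return [classify(parse_flow(line), wlcs, aps) for line in lines]


# Constructed inventory and flow records (not a real capture).
KNOWN_WLCS = {"10.0.0.11", "10.0.0.12"}
KNOWN_APS = {"10.0.20.5", "10.0.20.6"}
FLOW_LOG = [
    "2010-12-15T10:00:01 udp 10.0.20.5:49152 -> 10.0.0.11:12223",
    "2010-12-15T10:00:02 udp 10.0.20.5:49153 -> 10.0.0.11:12222",
    "2010-12-15T10:00:03 udp 10.0.0.11:16666 -> 10.0.0.12:16666",
    "2010-12-15T10:00:04 udp 10.0.0.11:16667 -> 10.0.0.12:16667",
    "2010-12-15T10:00:05 udp 192.0.2.77:40000 -> 10.0.0.11:12223",
    "2010-12-15T10:00:06 eth 00:11:22:33:44:55 -> 00:aa:bb:cc:dd:ee ethertype=0xbbbb",
    "2010-12-15T10:00:07 udp 10.0.30.9:5353 -> 224.0.0.251:5353",
]

if __name__ == "__main__":
    for line, verdict in zip(FLOW_LOG, audit(FLOW_LOG, KNOWN_WLCS, KNOWN_APS)):
        print(f"{verdict.kind:22} {verdict.finding or 'ok':60} {line}")
```

On the constructed log the classifier yields three findings: the unencrypted mobility exchange on UDP 16666, the LWAPP control flow from 192.0.2.77 (not in the inventory), and the Layer 2 LWAPP frame. The inventory check is the part worth keeping in a real deployment, since the well-known ports alone say nothing about whether the endpoints are legitimate controllers and APs.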
