The world is going to wireless …. Wireless Networking Part 2 CCNP Switch Hossein Shamloo.

Dec 18, 2015


WLAN Architecture: Traditional WLAN Architecture

Traditional WLAN architecture centers around the wireless access point. Each AP serves as the central hub of its own BSS, where clients located within the AP's cell gain an association. The traffic to and from each client has to pass through the AP to reach any other part of the network.


Notice that even though an AP is centrally positioned to support its clients, it is quite isolated and self-sufficient. Each AP must be configured individually, although many APs might be configured with identical network policies. Each AP also operates independently: the AP handles its own use of radio frequency (RF) channels, clients associate with the AP directly, the AP enforces any security policies unassisted, and so on.


Cisco calls this an autonomous mode AP.


Because each AP is autonomous, managing security over the wireless network can be difficult. Each autonomous AP handles its own security policies, with no central point of entry between the wireless and wired networks. That means no convenient place exists for monitoring traffic for things like intrusion detection and prevention, quality of service, bandwidth policing, and so on.


In the figure, SSID A and SSID B are offered on two APs. The two SSIDs correspond to VLAN A and VLAN B, respectively. The APs must be connected to a common switched network that extends VLANs A and B at Layer 2. This is done by carrying VLANs A and B over an 802.1Q trunk link to each AP. Because SSIDs and their VLANs must be extended at Layer 2, you should consider how they are extended throughout the switched network. In Figure 15-7, SSID A and VLAN A have been shaded everywhere they appear. Naturally, they form a contiguous path that appears on both APs so that wireless clients can use SSID A in either location or while roaming between the two.


This concept becomes important when you think about extending SSIDs to many APs over a larger network.

WLAN Architecture: Cisco Unified Wireless Network Architecture

Cisco has collected a complete set of functions that are integral to wireless LANs and called them the Cisco Unified Wireless Network.

This new architecture offers the following capabilities, which are centralized so that they affect wireless LAN devices located anywhere in the network:

■ WLAN security

■ WLAN deployment

■ WLAN management

■ WLAN control


To centralize these aspects of a WLAN, many of the functions found within autonomous APs have to be shifted toward some central location.

WLAN Architecture: Cisco UWNA vs. Legacy Model

Notice that the functions in the figure have been grouped by real-time processes on the left and management processes on the right.

WLAN Architecture: Cisco Unified Wireless Network Architecture

Real-time operation and management functions

The real-time processes involve actually sending and receiving 802.11 frames, AP beacons, and probe messages. Data encryption is also handled in real time, on a per-packet basis. The AP must interact with wireless clients at the MAC layer. These functions must stay with the AP hardware, closest to the clients.

The management functions are not integral to handling frames over the RF channels but are things that should be centrally administered. Therefore, those functions are moved to a centrally located platform away from the AP.


In the Cisco unified wireless network, a lightweight access point (LAP) performs only the real-time 802.11 operation.


The management functions are all performed on a wireless LAN controller (WLC).


How does an LAP bind with a WLC to form a complete working access point?


The two devices must bring up a tunnel between them to carry 802.11-related messages and also client data.


Remember that the LAP and WLC can be located on the same VLAN or IP subnet, but they don't have to be. Instead, they can be located on two entirely different IP subnets in two entirely different locations.


The tunnel makes this all possible by encapsulating the data between the LAP and WLC within new IP packets. The tunneled data can then be switched or routed across the campus network.


The LAP and WLC pair uses either the Lightweight Access Point Protocol (LWAPP, developed by Cisco) or the Control and Provisioning of Wireless Access Points protocol (CAPWAP, defined in RFC 4118) as the tunneling mechanism.


These protocols consist of the two tunnels shown in the figure:

■ Control messages—Exchanges that are used to configure the LAP and manage its operation. The control messages are authenticated and encrypted so that the LAP is securely controlled by only the WLC.

■ Data—Packets to and from wireless clients associated with the LAP. The data is encapsulated within the LWAPP or CAPWAP protocol but is not encrypted or otherwise secured between the LAP and WLC.


Tip: Although Cisco developed LWAPP, it submitted the protocol as an IETF draft. The result is the CAPWAP standard in RFC 4118. LWAPP uses UDP destination ports 12222 and 12223 on the WLC end. Similarly, CAPWAP uses UDP ports 5246 and 5247.
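The port numbers above give a monitoring point on the wired side of the WLC: the control tunnel is authenticated and encrypted, but the data tunnel carries client traffic in the clear between LAP and WLC. The following added example (not from the slides or from Cisco) classifies constructed flow records by WLC-side UDP port and reports which APs carry unsecured data; the split of the two LWAPP ports into control (12223) and data (12222) is taken from the protocol, the slide only lists both numbers.

```python
"""Classify LWAPP/CAPWAP tunnel flows seen at a WLC by UDP destination port."""
import re

# WLC-side UDP destination ports from the slide; control/data split for
# LWAPP is from the protocol definition (assumption noted in the lead-in).
TUNNEL_PORTS = {
    12222: ("LWAPP", "data"),
    12223: ("LWAPP", "control"),
    5246: ("CAPWAP", "control"),
    5247: ("CAPWAP", "data"),
}

# Constructed flow records: "src:sport -> dst:dport proto bytes"
SAMPLE_FLOWS = """\
10.10.5.21:60001 -> 10.10.1.5:5246 udp 482
10.10.5.21:60002 -> 10.10.1.5:5247 udp 1483000
10.10.5.22:40000 -> 10.10.1.5:12223 udp 311
10.10.5.22:40001 -> 10.10.1.5:12222 udp 920000
10.10.5.23:44444 -> 10.10.1.5:5247 udp 3300
10.10.5.99:1234 -> 10.10.1.5:22 tcp 80
"""

FLOW_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)\s+(\w+)\s+(\d+)$")


def classify(flow_text):
    """Return one record per flow that targets an LWAPP/CAPWAP port."""
    results = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that are not flow records
        src, _sport, dst, dport, proto, nbytes = m.groups()
        kind = TUNNEL_PORTS.get(int(dport)) if proto == "udp" else None
        if kind is None:
            continue                      # not a tunnel flow (e.g. SSH to the WLC)
        results.append({"ap": src, "wlc": dst, "protocol": kind[0],
                        "tunnel": kind[1], "bytes": int(nbytes)})
    return results


def ap_inventory(flows):
    """Map each AP address to the set of tunnel types seen from it."""
    inv = {}
    for f in flows:
        inv.setdefault(f["ap"], set()).add(f["tunnel"])
    return inv


def data_without_control(flows):
    """APs sending data-tunnel traffic with no control tunnel seen.

    Heuristic added here: a joined LAP brings up the secured control tunnel
    as part of Step 5, so data-only sources deserve a look.
    """
    return sorted(ap for ap, kinds in ap_inventory(flows).items()
                  if "control" not in kinds)


def unsecured_bytes(flows):
    """Bytes carried on data tunnels, which are not encrypted LAP-to-WLC."""
    return sum(f["bytes"] for f in flows if f["tunnel"] == "data")
```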

WLC Functions

■ Dynamic channel assignment— The WLC chooses and configures the RF channel used by each LAP based on other active access points in the area.

■ Transmit power optimization— The WLC sets the transmit power of each LAP based on the coverage area needed. Transmit power is also automatically adjusted periodically.

■ Self-healing wireless coverage— If an LAP radio dies, the coverage hole is “healed” by turning up the transmit power of surrounding LAPs automatically.

■ Flexible client roaming— Clients can roam at either Layer 2 or Layer 3 with very fast roaming times.

■ Dynamic client load balancing— If two or more LAPs are positioned to cover the same geographic area, the WLC can associate clients with the least used LAP. This distributes the client load across the LAPs.


■ RF monitoring— The WLC manages each LAP so that it scans channels to monitor the RF usage. By listening to a channel, the WLC can remotely gather information about RF interference, noise, signals from surrounding LAPs, and signals from rogue APs or ad-hoc clients.

■ Security management—The WLC can require wireless clients to obtain an IP address from a trusted DHCP server before allowing them to associate and access the WLAN.

Cisco WLC Platforms and Capabilities

Cisco Wireless Control System (WCS)

You can also deploy several WLCs in a network to handle a large number of LAPs. In addition, multiple WLCs offer some redundancy so that LAPs can recover from a WLC failure.

Managing several WLCs can require a significant effort, due to the number of LAPs and clients to be managed and monitored.

The Cisco Wireless Control System (WCS) is an optional server platform that can be used as a single GUI front-end to all the WLCs in a network.


The WCS can be teamed with the Cisco Wireless Location Appliance to track the location of thousands of wireless clients. You can even deploy active 802.11 RFID tags to track objects as they move around in the wireless coverage area.

RFID revolution of scanning …


Lightweight AP Operation

The LAP is designed to be a “zero-touch” configuration. The LAP must find a WLC and obtain all of its configuration parameters, so you never have to actually configure it through its console port or over the network.

Lightweight AP Operation: Step by Step

Step 1. The LAP obtains an IP address from a DHCP server.

Step 2. The LAP learns the IP addresses of any available WLCs.

Step 3. The LAP sends a join request to the first WLC in its list of addresses. If that one fails to answer, the next WLC is tried. When a WLC accepts the LAP, it sends a join reply back to the LAP, effectively binding the two devices.

Step 4. The WLC compares the LAP’s code image release to the code release stored locally. If they differ, the LAP downloads the code image stored on the WLC and reboots itself.

Step 5. The WLC and LAP build a secure LWAPP or CAPWAP tunnel for management traffic and an LWAPP or CAPWAP tunnel (not secured) for wireless client data.


The LAP can maintain a list of up to three WLCs (primary, secondary, and tertiary).

As the LAP boots, it tries to contact each WLC address in sequential order.
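The join sequence above, modelled as an added example (not Cisco code): the LAP walks its primary/secondary/tertiary list in order, skips controllers that do not answer, and reboots through the same discovery when the controller's code image differs. Controller names, image strings and the `reachable` flags are constructed inputs; DHCP in Step 1 is only logged, not performed.

```python
"""Simulation of the lightweight AP join sequence (Steps 1 to 5)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class WLC:
    name: str
    image: str        # code release the controller hands out (constructed)
    reachable: bool   # whether a join request gets a join reply


@dataclass
class LAP:
    image: str                 # code release currently on the AP
    wlc_list: List[WLC]        # primary, secondary, tertiary
    log: List[str] = field(default_factory=list)
    joined: Optional[WLC] = None


def lap_boot(lap: LAP) -> List[str]:
    """Run the boot/join sequence and return the event log."""
    if len(lap.wlc_list) > 3:
        raise ValueError("an LAP keeps at most primary, secondary and tertiary WLCs")
    lap.log.append("Step 1: obtained IP address from DHCP (modelled only)")
    lap.log.append("Step 2: WLC list = " + ", ".join(w.name for w in lap.wlc_list))
    for wlc in lap.wlc_list:                       # Step 3: try each in order
        lap.log.append(f"Step 3: join request -> {wlc.name}")
        if wlc.reachable:
            lap.joined = wlc
            lap.log.append(f"Step 3: join reply <- {wlc.name}")
            break
        lap.log.append(f"Step 3: no reply from {wlc.name}, trying next")
    if lap.joined is None:
        lap.log.append("no WLC answered; LAP cannot serve clients")
        return lap.log
    if lap.joined.image != lap.image:              # Step 4: image check
        lap.log.append(f"Step 4: image {lap.image} != {lap.joined.image}; "
                       "downloading image and rebooting")
        lap.image = lap.joined.image
        lap.joined = None
        return lap_boot(lap)                       # reboot repeats discovery
    lap.log.append("Step 4: image matches")
    lap.log.append("Step 5: secured control tunnel and unsecured data tunnel up")
    return lap.log
```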


Tip: When an LAP is cut off from a WLC, client associations are normally dropped and no data can pass over the WLAN between clients. Cisco Hybrid Remote Edge Access Point (HREAP) is a special case for remote sites where the LAPs are separated from the WLC by a WAN link. With HREAP, the remote LAPs can keep operating even while the WAN link is down and their WLC is not available, much like an autonomous AP would do. This allows wireless users to keep communicating within the remote site until the link (and WLC) is restored.

Traffic Patterns in a Cisco Unified Wireless Network

Because the LAPs connect to the wired network through logical LWAPP or CAPWAP tunnels, the traffic patterns into and out of the WLAN are different from those of traditional WLANs.


In the figure, traffic from Client A to Client B must go from Client A through the LAP, through the LWAPP or CAPWAP tunnel, into the WLC, back through the tunnel, through the LAP, and on to Client B. This further illustrates what a vital role the WLC plays in the unified infrastructure.

Traffic from Client A to a host somewhere on the network travels through the LAP, through the tunnel to the WLC, and then out onto the switched campus network.

Roaming in a Cisco Unified Wireless Network

Remember that the LAP handles mostly real-time wireless duties, so it will just pass the client’s association requests on up to the WLC. In effect, the wireless clients negotiate their associations with the WLC directly.

This is important for two reasons:

■ All client associations can be managed in a central location.

■ Client roaming becomes faster and easier; associations can be maintained or handed off at the controller level.


With autonomous APs, a client roams by moving its association from one AP to another.

The client must negotiate the move with each AP independently, and the APs must also make sure any buffered data from the client is passed along to follow the association.


With LAPs, a client still roams by moving its association. From the client's point of view, the association moves from AP to AP; actually it moves from WLC to WLC, according to the AP-WLC bindings.

Roaming in a Cisco Unified Wireless Network: Intracontroller Roaming


In the figure, the client has moved its association to WLC1 through AP2. Although the AP has changed, the same controller is providing the association and the LWAPP or CAPWAP tunnel. This is known as an intracontroller roam, where the client's association stays within the same controller.

Roaming in a Cisco Unified Wireless Network: Intercontroller Roaming

In some cases, a client might roam from one controller to another.


When the client moves into AP2's cell, the same SSID is found, and the client can move its association to WLC2. As long as the two controllers (WLC1 and WLC2) are located in the same IP subnet, they can easily hand off the client's association. This is done through a mobility message exchange where information about the client is transferred from one WLC to the other, as shown in the next figure.


When the mobility exchange occurs, the client begins using the LWAPP or CAPWAP tunnel between AP2 and WLC2. The client’s IP address has not changed; in fact, the roaming process was completely transparent to the client.


Now consider the scenario shown in the next figure. The two controllers WLC1 and WLC2 are located in different IP subnets, shown as VLAN A and VLAN B.


When the client travels into the cell provided by AP2, something interesting happens. In the figure, the client moves its association over to WLC2, through AP2, which offers access to VLAN B. The client's IP address has remained constant, but WLC1 and WLC2 are not located on the same subnet or VLAN. Therefore, the client's IP address has moved into a foreign subnet.


The two controllers must begin working together to provide continuing service for the client, without requiring the client to obtain a new address. The two controllers bring up an Ether-IP tunnel between them for the specific purpose of carrying some of the client's traffic. The Ether-IP tunnel is simply a way that the controllers can encapsulate MAC layer data inside an IP packet, using IP protocol 97. To move packets to and from the client, one controller encapsulates packets and sends them to the other controller. Packets received over the tunnel are decapsulated by the other controller, where they reappear in their original form. (Ether-IP tunnels are defined in RFC 3378.)


Not all of the client's traffic can travel over the same path. Traffic leaving the client travels over the LWAPP or CAPWAP tunnel from AP2 to WLC2 and onto VLAN B, as you might expect. Even though the client has an IP address that is foreign to its new VLAN, it can still send packets onto the foreign VLAN.

Traffic coming toward the client takes a different path. In Figure 19-13, traffic enters the switch on VLAN A and is forwarded to WLC1. Why does it enter VLAN A and not VLAN B, where the client is now located? Remember that the client is still using an IP address it obtained on VLAN A, so it will continue to appear in VLAN A, no matter where it roams within the wireless network.

Traffic being sent to the client's destination address on VLAN A must be forwarded onto VLAN A. Therefore, WLC1 must accept that traffic and forward it onto the appropriate controller that has a current association with the client. WLC1 sends the traffic through the Ether-IP tunnel to WLC2, which in turn sends the traffic through the tunnel to AP2 and to the client.


Because the client originally joined the WLAN on WLC1, WLC1 will always refer to itself as the client’s anchor point.

Any controller that is serving the client from a different subnet is known as a foreign agent.


As the client continues to roam, the anchor WLC will follow its movement by shifting the Ether-IP tunnel to connect with the client's foreign WLC.
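The anchor-to-foreign tunnel described above is plain Ether-IP: an IPv4 packet with protocol 97 whose payload is the two-byte RFC 3378 header (4-bit version 3, 12 reserved bits of zero) followed by the client's Ethernet frame. The following added example (not from the slides or from any WLC implementation) builds such a packet the way the anchor WLC would and decapsulates it with the checks the foreign WLC should make; MAC addresses, IP addresses and the frame payload are constructed.

```python
"""Ether-IP (RFC 3378) encapsulation between an anchor WLC and a foreign WLC."""
import ipaddress
import struct

ETHERIP_PROTO = 97       # IP protocol number for Ether-IP
ETHERIP_VERSION = 3      # value of the 4-bit version field in RFC 3378
IPV4_HDR_LEN = 20


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum; 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def etherip_encap(frame: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Anchor WLC side: wrap a MAC-layer frame for delivery to the foreign WLC."""
    etherip_hdr = struct.pack("!H", ETHERIP_VERSION << 12)   # version 3, reserved 0
    payload = etherip_hdr + frame
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IPV4_HDR_LEN + len(payload),   # ver/IHL, TOS, total length
                      0, 0x4000, 64,                          # id, DF flag, TTL
                      ETHERIP_PROTO, 0,                       # protocol 97, checksum placeholder
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def etherip_decap(packet: bytes) -> bytes:
    """Foreign WLC side: validate the outer packet and return the inner frame."""
    if len(packet) < IPV4_HDR_LEN + 2:
        raise ValueError("packet too short for IPv4 + Ether-IP header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < IPV4_HDR_LEN or len(packet) < ihl + 2:
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != ETHERIP_PROTO:
        raise ValueError("IP protocol is not 97 (Ether-IP)")
    total_len = struct.unpack("!H", packet[2:4])[0]
    body = packet[ihl:total_len]
    if len(body) < 2:
        raise ValueError("missing Ether-IP header")
    (eh,) = struct.unpack("!H", body[:2])
    if eh >> 12 != ETHERIP_VERSION or (eh & 0x0FFF) != 0:
        raise ValueError("bad Ether-IP version or non-zero reserved bits")
    frame = body[2:]
    if len(frame) < 14:                      # dst MAC + src MAC + EtherType
        raise ValueError("truncated Ethernet frame")
    return frame
```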