ENCOR_Chapter_18 - Wireless Infrastructure.pdf

Full Transcript


Chapter 18: Wireless Infrastructure
CCNP Enterprise: Core Networking

Content
This chapter covers the following content:
- Management, Control and Data Planes - This section discusses the three logical planes of operation in a wireless network.
- Wireless LAN Topologies - This section describes autonomous, cloud-based, centralized, embedded, and Mobility Express wireless architectures.
- Pairing Lightweight APs and WLCs - This section explains the process that lightweight APs must go through to discover and bind to a wireless LAN controller.
- Leveraging Antennas for Wireless Coverage - This section provides an overview of various antenna types and explains how each one alters the RF coverage over an area.
Reading assignment: CCNP & CCIE Enterprise Core (Chapter 18)

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Management, Control and Data Planes: Management Plane
- Defined by administrative network management, administration, and monitoring.
- Example: a network management solution that can be used to monitor routers, switches and other wired network infrastructure. A centralized network management server can be used to push both configuration settings and firmware upgrades to network devices.
- The functions of the management plane within an 802.11 WLAN are as follows:
  - WLAN configuration
  - WLAN monitoring and reporting
  - WLAN firmware management

Management, Control and Data Planes: Control Plane
- Consists of control or signaling information and is often defined as network intelligence or protocols.
- Examples:
  - Dynamic layer 3 routing protocols, such as OSPF or BGP, used to forward data
  - Content addressable memory (CAM) tables and Spanning Tree Protocol (STP) are control plane mechanisms used by layer 2 switches for data forwarding
- Some functions of the control plane within an 802.11 WLAN are as follows:
  - Dynamic RF
  - Roaming mechanisms
  - QoS
  - Load balancing
  - Band steering
  - Mesh protocols
  - Application visibility and control

Management, Control and Data Planes: Data Plane
- The data plane, also known as the user plane, is the location in a network where user traffic is actually forwarded.
- Examples:
  - An individual router where packets are forwarded
  - An individual switch forwarding an 802.3 Ethernet frame
- The data plane is where the user data is forwarded:
  - Standalone APs handle all data forwarding operations locally.
  - In a WLAN controller solution (LWAPs), data is normally forwarded from the centralized controller, but data can also be forwarded at the edge of the network by an AP.
  - Each vendor has a unique method and recommendations for handling data forwarding.

Wireless LAN Topologies: AP Modes
Cisco APs can operate in one of two modes:
- Autonomous - self-sufficient and standalone
- Lightweight - can support several different network topologies, depending on where the companion wireless LAN controllers (WLCs) are located

Autonomous APs
Management, control and data planes are all at the edge of the network.
- Management plane: All devices had to be managed/monitored individually unless a network management server (NMS) is used to centrally manage network devices.
- Control plane: Intelligence is isolated in each individual AP. No shared intelligence. Control plane mechanisms such as dynamic RF, roaming, mesh, etc. were very limited.
- Data plane: Data is forwarded at the edge of the network despite the lack of widespread support for multiple VLANs at the edge.

Autonomous APs: Network Management Systems (NMS) solutions
- Most use the Simple Network Management Protocol (SNMP) to manage and monitor the WLAN.
- Others use the Control And Provisioning of Wireless Access Points (CAPWAP) strictly as a monitoring and management protocol.
- NMSs are often cloud-based solutions or can exist as an on-premises server.
- Data plane and control plane do not exist in an NMS. 802.11 user traffic is never forwarded by an access point to an NMS; however, the 802.11 client associations and traffic can still be monitored.

Wireless LAN Topologies: Autonomous Topology
Autonomous APs:
- are self-contained, offering one or more standalone basic service sets (BSSs).
- are an extension of a switched network, connecting wireless SSIDs to wired VLANs at the access layer.
- must also be configured with a management IP address and management VLAN to enable remote management of the AP.
- must be configured and maintained individually unless you leverage a wireless management platform such as Cisco Prime Infrastructure.
- require support for 802.1Q tagging at the edge of the network.
In Fig. 18-1, autonomous APs present two wireless LANs with SSIDs wlan100 and wlan200 to the wireless users. The APs also forward traffic between the wireless LANs and two wired VLANs, 100 and 200.

Wireless LAN Topologies: Autonomous Topology (Cont.)
Drawbacks of the autonomous topology: the network configuration and efficiency can become cumbersome as the network scales. For example:
- You will likely want to offer the same SSID on many APs so that wireless clients can associate with that SSID in most any location or while roaming between any two APs.
- You may want to extend the VLAN and IP subnet to each and every AP so that clients do not have to request a new IP address for each new association.
Benefit of the autonomous topology: a short and simple path for data to travel between the wireless and wired networks. In Figure 18-2, two wireless users are associated to the same autonomous AP. One can reach the other through the AP, without having to pass up into the wired network. This is not always the case with lightweight AP topologies.
General rule of thumb: for more than 4 APs in your network, use a WLC.

Lightweight APs
Lightweight APs (LAPs), also known as controller-based APs: management, control and data planes are all centralized on the controller.
- Management plane: All devices are managed and monitored from a central WLAN controller.
- Control plane: Intelligence is centralized within the WLAN controller. Dynamic RF, load balancing, roaming handoffs, and other control plane mechanisms exist in the WLAN controller.
- Data plane: The WLAN controller exists as a data distribution point for user traffic. Access points tunnel all user traffic to a central controller. Common tunneling protocols: GRE, CAPWAP and IPSec can also be used.

Wireless LAN Topologies: Lightweight AP Topologies
- Each LAP is automatically configured and managed by the WLC and therefore needs to join a WLC to become fully functional.
- Split MAC architecture - a WLAN architecture where the AP handles most of the real-time 802.11 processes and the WLC performs the management functions. Examples: the integration service and distribution system service, as well as QoS methods, are usually handled by the controller.
- Depending on the vendor, encryption and decryption of 802.11 data frames might be handled by the controller or by the AP.
- An AP and a WLC are joined by a logical pair of CAPWAP tunnels that extend through the wired network infrastructure. Control and data traffic are transported across the tunnels.
- Several topologies can be built from a WLC and a collection of APs depending on where the WLC is located within the network.
In Fig. 18-3, a WLC is placed in a central location, so it can maximize the number of APs joined to it. This is known as a centralized or unified wireless LAN topology. Each AP has its own CAPWAP tunnel to the WLC.

Wireless LAN Topologies: Lightweight AP Topologies - Centralized
Cisco Centralized/Unified WLC:
- For a large enterprise - can support up to 6000 APs.
- The Layer 3 boundary for each data VLAN is handled at or near the WLC, so the VLANs need only exist at that location, indicated by the shaded link.
- Each AP still has its own unique management IP address, but it connects to an access layer switch via an access link rather than a trunk link.
- Even if multiple VLANs and WLANs are involved, they are carried over the same CAPWAP tunnel to and from the AP. Therefore, the AP needs only a single IP address to terminate the tunnel.
- As a wireless user moves through the coverage areas of the four APs, he might associate with many different APs in the access layer. Because all of the APs are joined to a single WLC, that WLC can easily maintain the user's connectivity to all other areas of the network as he moves around.
- By default, an AP will send a keepalive message every 30 seconds over the wired network to the WLC that it joined.

Wireless LAN Topologies: Lightweight AP Topologies - Centralized (Cont.)
Cisco Centralized/Unified WLC:
- The traffic from one client must pass through the AP, where it is encapsulated in the CAPWAP tunnel, and then travel high up into the network to reach the WLC, where it is unencapsulated and examined. The process then reverses.
- The length of the tunnel path can be a great concern for lightweight APs. The round-trip time (RTT) between an AP and a controller should be less than 100 ms so that wireless communication can be maintained in near real time. If the path has more latency than that, the APs may decide that the controller is not responding fast enough, so they may disconnect and find another, more responsive controller.

Wireless LAN Topologies: Lightweight AP Topologies - Centralized (Cont.)
Cisco Centralized/Unified WLC:
- A Cisco router separates broadcast domains and will prevent broadcast CAPWAP Discovery Requests from being forwarded between a WLC and an access point. The ip forward-protocol and ip helper-address commands must be entered on the Cisco router to enable the forwarding of broadcast traffic to the specified WLC.

Wireless LAN Topologies: Lightweight AP Topologies - Embedded Wireless Topology
Embedded wireless topology:
- A WLC can be co-located with an access layer switch. This is known as an embedded wireless network topology because the WLC is embedded in the switch hardware.
- Notice that each AP connects to an access switch for network connectivity as well as split MAC functionality, so the CAPWAP tunnel becomes really short.
- With user access merged into one layer, it becomes easier to apply common access and security policies.
- The embedded topology can be cost-effective because the same switching platform is used for both wired and wireless purposes.
- Ideally, each access layer switch would have its own embedded WLC.
- A Cisco embedded WLC typically supports up to 200 APs.

Wireless LAN Topologies: Lightweight AP Topologies - Embedded Wireless Topology (Cont.)
Embedded wireless topology:
- Wireless devices can reach each other more efficiently because of the shorter CAPWAP tunnel. As Fig. 18-6 shows, the traffic path from one user to another must pass through an AP, the access switch (and WLC), and back down through the AP.
- In contrast, traffic from a wireless user to a central resource such as a data center or the internet travels through the CAPWAP tunnel, is unencapsulated at the access layer switch (and WLC), and travels normally up through the rest of the network layers.

Wireless LAN Topologies: Lightweight AP Topologies - Mobility Express Network Topology
Mobility Express network topology:
- It is also possible to move the WLC even below the access layer and into an AP. This is the Mobility Express topology, where a fully functional Cisco AP also runs software that acts as a WLC.
- The Mobility Express topology can be useful in small-scale environments, such as small, midsize, or multi-site branch locations, where you might not want to invest in dedicated WLCs at all.
- The AP that hosts the WLC forms a CAPWAP tunnel with the WLC, as do any other APs at the same location.
- A Mobility Express WLC can support up to 100 APs.

Distributed WLAN Architecture
- APs provide independent distributed intelligence but work together as a system to cooperatively provide control mechanisms.
- No centralized WLAN controller.
- Control and data planes have moved back to the APs.
- Management plane remains centralized - on-premises or cloud-based. Configuration and monitoring of all access points in the distributed model is still handled by an NMS server.
- Requires support for 802.1Q tagging at the edge of the network.
Advantages:
- Avoids centrally forwarding user traffic to the core
- APs don't require IP-tunneling capabilities
- Scalability - as the network grows, there is no need to buy additional WLCs

Wireless Controller Logical & Physical Interfaces
Reading assignment: VLANs on Wireless LAN Controllers Configuration Example; Cisco WLC interfaces, ports & their functionality

CAPWAP Operation: Introduction to CAPWAP
Control and Provisioning of Wireless Access Points (CAPWAP)
- CAPWAP is an IEEE standard protocol that enables a WLC to manage multiple APs and WLANs.
- Based on LWAPP but adds additional security with Datagram Transport Layer Security (DTLS).
- Encapsulates and forwards WLAN client traffic between an AP and a WLC over tunnels using UDP ports 5246 and 5247.
  - Port 5246 is for CAPWAP control messages used by the WLC to manage the AP.
  - Port 5247 is used by CAPWAP to encapsulate data packets traveling to and from wireless clients.
- Operates over both IPv4 and IPv6. IPv4 uses IP protocol 17 and IPv6 uses IP protocol 136.

CAPWAP Operation: Split MAC Architecture
The CAPWAP split MAC concept takes all the functions normally performed by individual APs and distributes them between two functional components:
AP MAC functions:
- Beacons and probe responses
- Packet acknowledgements and retransmissions
- Frame queueing and packet prioritization
- MAC layer data encryption and decryption
WLC MAC functions:
- Authentication
- Association and re-association of roaming clients
- Frame translation to other protocols
- Termination of 802.11 traffic on a wired interface

CAPWAP Operation: DTLS Encryption
Datagram Transport Layer Security (DTLS)
- DTLS provides security between the AP and the WLC.
- It is enabled by default to secure the CAPWAP control channel and encrypt all management and control traffic between AP and WLC.
- Data encryption is disabled by default. It requires a DTLS license to be installed on the WLC before it can be enabled on the AP.

CAPWAP Operation: FlexConnect APs
FlexConnect enables the configuration and control of APs over a WAN link. There are two modes of operation for the FlexConnect AP:
- Connected mode - The WLC is reachable. The FlexConnect AP has CAPWAP connectivity with the WLC through the CAPWAP tunnel. The WLC performs all CAPWAP functions.
- Standalone mode - The WLC is unreachable. The FlexConnect AP has lost CAPWAP connectivity with the WLC. The FlexConnect AP can assume some of the WLC functions, such as switching client data traffic locally and performing client authentication locally.

Pairing Lightweight APs and WLCs
- A Cisco lightweight wireless AP needs to be paired with a WLC to function. Each AP must discover and bind itself with a controller before wireless clients can be supported.
- Cisco lightweight APs are designed to be "touch free", but you have to configure the switch port where the AP connects with the correct access VLAN, access mode, and inline power settings; then the AP can power up and use a variety of methods to find a viable WLC to join.

In-class activity: watch the following video about pairing LAPs and WLCs (~9 min).

Pairing Lightweight APs and WLCs: AP States
A lightweight AP goes through a variety of states defined as part of the Control and Provisioning of Wireless Access Points (CAPWAP) specification. Cisco AP state machine (sequence of states):
1. AP boots - Once an AP receives power, it boots on a small IOS image so that it can work through the remaining states and communicate over its network connection. The AP must also receive an IP address from either a DHCP server or a static configuration so that it can communicate over the network.
2. WLC discovery - The AP goes through a series of steps to find one or more controllers that it might join.
3. CAPWAP tunnel - The AP attempts to build a CAPWAP tunnel with one or more controllers. The tunnel will provide a secure Datagram Transport Layer Security (DTLS) channel for subsequent AP-WLC control messages. The AP and WLC authenticate each other through an exchange of digital certificates.
4. WLC join - The AP selects a WLC from a list of candidates and then sends a CAPWAP Join Request message to it. The WLC replies with a CAPWAP Join Response message.
5. Download image - The WLC informs the AP of its software release. If the AP's own software is a different release, the AP downloads a matching image from the controller, reboots to apply the new image, and then returns to step 1.

Pairing Lightweight APs and WLCs: AP States (Cont.)
6. Download config - The AP pulls configuration parameters down from the WLC and can update existing values with those sent from the controller. Settings include RF, service set identifier (SSID), security, and quality of service (QoS) parameters.
7. Run state - Once the AP is fully initialized, the WLC places it in the "run" state. The AP and WLC then begin providing a BSS and begin accepting wireless clients.
8. Reset - If an AP is reset by the WLC, it tears down existing client associations and any CAPWAP tunnels to WLCs. The AP then reboots and starts through the entire state machine again.
If there is a chance an AP could rehome with another WLC, you should make sure that both WLCs are running the same code release. Otherwise, the AP move should happen at a planned time, like during a maintenance window. You can predownload a new release to the controller's APs prior to rebooting the WLC.

Pairing Lightweight APs and WLCs: Discovering a WLC
To discover a WLC, the AP sends a CAPWAP Discovery Request, either as a unicast to a controller's IP over UDP port 5246 or as a broadcast to the local subnet. If the controller exists, it returns a CAPWAP Discovery Response to the AP. An AP must discover any WLCs that it can join without any preconfiguration.

Pairing Lightweight APs and WLCs: Discovering a WLC (Cont.)
Several methods of discovery are used, and the sequence of discovery is as follows:
1. The AP broadcasts a CAPWAP Discovery Request on its local wired subnet. Any WLCs on the subnet answer with a CAPWAP Discovery Response. If the AP and controllers lie on different subnets, you can configure the local router to relay any broadcast requests on UDP port 5246 to specific controller addresses. Use the following configuration commands:
   router(config)# ip forward-protocol udp 5246
   router(config)# interface vlan
   router(config-int)# ip helper-address
   router(config-int)# ip helper-address
2. An AP can be "primed"* with up to 3 controllers: a primary, a secondary, and a tertiary.
   These are stored in NVRAM so that the AP can remember them after a reboot. Otherwise, if an AP has previously joined a WLC, it may have stored up to 8 out of a list of 32 WLC addresses that it received from the last controller it joined.
3. The DHCP server that supplies an IP can also send DHCP option 43 to suggest WLC addresses. DHCP configuration example where 192.168.200.100 is a WLC address:
* Priming - the process of storing controller IPv4 or IPv6 addresses on an AP for later deployment.

Pairing Lightweight APs and WLCs: Discovering a WLC (Cont.)
4. The AP attempts to resolve the name CISCO-CAPWAP-CONTROLLER.localdomain with a DNS request (where localdomain is the domain name learned from DHCP). If the name resolves to an IP address, the AP attempts to contact a WLC at that address.
5. If none of the steps has been successful, the AP resets itself and restarts the discovery process again.

Pairing Lightweight APs and WLCs: Selecting a WLC
Joining a WLC involves sending it a CAPWAP Join Request and waiting for it to return a CAPWAP Join Response. From that point on, the AP and WLC build a DTLS tunnel to secure their CAPWAP control messages. The WLC selection process consists of the following three steps:
1. If the AP has previously joined a controller and has been configured or "primed" with a primary, secondary, and tertiary controller, it tries to join those controllers in succession.
2. If the AP does not know of any candidate controller, it tries to discover one. If a controller has been configured as a master controller, it responds to the AP's request.
3. The AP attempts to join the least-loaded WLC, to load balance APs across a set of controllers. During the discovery phase, each controller reports its load - the ratio of the number of currently joined APs to the total AP capacity.
   The least-loaded WLC is the one with the lowest ratio = number of APs joined / maximum number of APs supported. If the controller already has the maximum number of APs joined to it, it rejects any additional APs. To provide flexibility in supporting APs on an oversubscribed controller, you can configure the APs with a priority value. Once a controller is full of APs, it rejects an AP with the lowest priority to make room for a new one that has a higher priority.

Pairing Lightweight APs and WLCs: Maintaining WLC Availability
Cisco APs can discover multiple controllers, not just the one that it chooses to join. If the joined controller becomes unavailable, the AP can simply select the next least-loaded controller and request to join it. If a controller full of 1000 APs fails, all 1000 APs must go through the pairing process again: detect the failure, discover other controllers, and then select the least-loaded one to join. During that time, wireless clients can be left stranded with no connectivity.
1. The most deterministic approach is to use the primary, secondary, and tertiary controller fields in every AP. Once an AP joins a controller, it sends keepalive messages to the controller over the wired network. By default, keepalives are sent every 30 seconds. If a keepalive is not answered, an AP escalates by sending four more keepalives at 3-second intervals. If the controller does not answer, the AP presumes that it has failed. The AP then moves quickly to find a successor to join. Using default values, an AP can detect controller failure in 35 seconds. The regular keepalive timer can be adjusted between 1 and 30 seconds and the escalated (fast heartbeat) timer between 1 and 10 seconds. Using minimum values, failure can be detected in only 6 seconds.

Pairing Lightweight APs and WLCs: Maintaining WLC Availability (Cont.)
2. WLCs also support high availability (HA) with stateful switchover (SSO) redundancy. SSO groups controllers into high availability pairs, where one controller takes on the active role and the other a hot standby mode. The APs only need to know the active primary controller. The active unit keeps CAPWAP tunnels, AP states, client states, configurations, and image files all in sync with the hot standby unit. The active controller also synchronizes the state of each associated client that is in the RUN state with the hot standby controller. If the active controller fails, the standby will already have the current state information for each AP and client, making the failover process transparent to the end users. This approach is a much more efficient process than the most deterministic approach.

Pairing Lightweight APs and WLCs: Cisco AP Modes
From the WLC, you can configure a lightweight AP to operate in one of the following modes:
- Local - The default lightweight mode that offers one or more functioning BSSs on a specific channel. During times when it is not transmitting, the AP scans the other channels to measure the level of noise, measure interference, discover rogue devices, and match against intrusion detection system (IDS) events.
- Monitor (Sensor) - The AP does not transmit at all, but its receiver is enabled to act as a dedicated sensor. The AP checks for IDS events, detects rogue access points, and determines the position of stations through location-based services.
- FlexConnect - An AP at a remote site can locally switch traffic between an SSID and a VLAN if its CAPWAP tunnel to the WLC is down and if it is configured to do so.

Pairing Lightweight APs and WLCs: Cisco AP Modes (Cont.)
- Sniffer - An AP dedicates its radios to receiving 802.11 traffic from other sources, much like a sniffer or packet capture device.
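The discovery and selection rules above (WLC addresses learned from DHCP option 43, primed controllers tried first, the least-loaded ratio, priority on a full controller, and the failover to the next least-loaded controller when the joined one fails) modelled in one added Python example. This is not Cisco code or anything from the slides: the Controller model, the function names, the loads and the addresses other than 192.168.200.100 are constructed assumptions; the option 43 layout used (sub-option type 0xF1, a length byte, then packed IPv4 addresses) is Cisco's documented format for lightweight APs.

```python
"""Added example (not Cisco code): CAPWAP discovery inputs and WLC selection as
described on the slides. Sample data is constructed, except 192.168.200.100."""
import ipaddress
from dataclasses import dataclass, field

# Cisco's DHCP option 43 format for lightweight APs: a TLV whose sub-option type
# is 0xF1 (241), then a length byte, then 4 bytes per WLC IPv4 address.
WLC_SUBOPTION = 0xF1

def encode_option43(wlc_ips):
    """Build the option 43 payload a DHCP server would hand to an AP."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if not packed or len(packed) > 252:
        raise ValueError("need 1..63 WLC IPv4 addresses")
    return bytes([WLC_SUBOPTION, len(packed)]) + packed

def decode_option43(payload):
    """Return the WLC addresses an AP would learn from an option 43 payload.
    Walks every TLV, keeps only the 0xF1 sub-option and rejects malformed
    lengths, so a garbled option cannot silently yield a wrong controller."""
    ips, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        typ, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV value shorter than its length byte")
        if typ == WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("WLC sub-option length must be a multiple of 4")
            ips += [str(ipaddress.IPv4Address(value[j:j + 4]))
                    for j in range(0, length, 4)]
        i += 2 + length
    return ips

@dataclass
class Controller:
    """One WLC candidate as learned from its CAPWAP Discovery Response."""
    ip: str
    joined: int        # APs currently joined
    capacity: int      # maximum APs supported
    ap_priorities: list = field(default_factory=list)  # priorities of joined APs (assumed model)

    @property
    def load(self):
        # the slide's ratio: number of APs joined / maximum number of APs supported
        return self.joined / self.capacity

def select_wlc(candidates, primed=(), ap_priority=1, exclude=()):
    """Return the IP of the WLC the AP joins, in the slide's order: primed
    primary/secondary/tertiary in succession, otherwise the least-loaded
    candidate. A full controller rejects the AP unless the AP's priority beats
    the lowest-priority AP already joined. `exclude` lists controllers the AP
    has found unreachable (the failover case)."""
    alive = [c for c in candidates if c.ip not in exclude]
    ordered = [c for ip in primed for c in alive if c.ip == ip]
    ordered += sorted((c for c in alive if c not in ordered), key=lambda c: c.load)
    for c in ordered:
        if c.joined < c.capacity:
            return c.ip
        if c.ap_priorities and min(c.ap_priorities) < ap_priority:
            return c.ip  # controller evicts its lowest-priority AP for this one
    return None

# Constructed sample data (not from the slides, apart from 192.168.200.100).
SAMPLE_OPTION43 = encode_option43(["192.168.200.100", "192.168.200.101"])
SAMPLE_WLCS = [
    Controller("192.168.200.100", joined=5000, capacity=6000),
    Controller("192.168.200.101", joined=150, capacity=200),
    Controller("192.168.200.102", joined=100, capacity=100, ap_priorities=[1, 2, 3]),
]

def demo():
    """Primed list beats load; without priming the least-loaded wins; if the
    joined controller fails the next least-loaded is chosen; a full controller
    only admits an AP whose priority outranks one it already holds."""
    return {
        "learned": decode_option43(SAMPLE_OPTION43),
        "primed": select_wlc(SAMPLE_WLCS, primed=["192.168.200.101"]),
        "least_loaded": select_wlc(SAMPLE_WLCS),
        "after_failure": select_wlc(SAMPLE_WLCS, exclude={"192.168.200.101"}),
        "full_low_priority": select_wlc([SAMPLE_WLCS[2]], ap_priority=1),
        "full_high_priority": select_wlc([SAMPLE_WLCS[2]], ap_priority=4),
    }
```

Feeding `decode_option43` the option 43 bytes served on an AP VLAN is a quick way to confirm that a DHCP scope only hands out the controller addresses you intended.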
  The captured traffic is then forwarded to a PC running network analyzer software such as LiveAction Omnipeek or Wireshark, where it can be analyzed further.
- Rogue detector - An AP dedicates itself to detecting rogue devices by correlating MAC addresses heard on the wired network with those heard over the air. Rogue devices are those that appear on both networks.
- Bridge - An AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks. Two APs in bridge mode can be used to link two locations separated by a distance. Multiple APs in bridge mode can form an indoor or outdoor mesh network.

Pairing Lightweight APs and WLCs: Cisco AP Modes (Cont.)
- Flex+Bridge - FlexConnect operation is enabled on a mesh AP.
- SE-Connect - The AP dedicates its radios to spectrum analysis on all wireless channels. You can remotely connect a PC running software such as MetaGeek Chanalyzer or Cisco Spectrum Expert to the AP to collect and analyze the spectrum analysis data to discover sources of interference.
A lightweight AP is normally in local mode when it is providing BSSs and allowing client devices to associate to wireless LANs. When an AP is configured to operate in one of the other modes, local mode (and the BSSs) is disabled.

Cloud Networking
- Several WLAN vendors offer a cloud service for management and monitoring.
- Cloud computing and cloud networking are catchphrases used to describe the advantages of computer networking functionality when provided under a Software as a Service (SaaS) model.
- The term cloud essentially means a scalable private enterprise network that resides on the Internet.
- The idea behind cloud networking is that applications and network management, monitoring, functionality, and control services are provided as a software service.
