
© 2010 Cisco Systems, Inc. All rights reserved.

Wireless Update: Partner SE VT

Wireless LAN Design: H-REAP, OEAP

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Partners in Confidence 2

Agenda

Centralized WLAN Design

H-REAP

OEAP

SBA Design Guides

Q&A


Understanding WLAN Controllers: 1st/2nd Generation vs. 3rd Generation Approach

1st/2nd generation: APs act as an 802.1Q translational bridge, putting client traffic on local VLANs

3rd generation: the controller bridges client traffic centrally

[Diagram: 1st/2nd generation APs place client traffic directly on the local data, voice and management VLANs; 3rd generation APs carry it to the controller over an LWAPP/CAPWAP tunnel, and the controller places it on the data, voice and management VLANs]


CAPWAP Modes: Split MAC

The CAPWAP protocol supports two modes of operation:

Split MAC (Centralized mode) and

Local MAC (H-REAP)

Split MAC:

[Diagram: STA, WTP and AC. The WTP handles the wireless PHY and MAC sublayer; the wireless frame is carried across the CAPWAP data plane to the AC, which forwards it as an 802.3 frame]


CAPWAP Modes: Local MAC

Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames

Locally bridged:

[Diagram: STA, WTP and AC. The WTP handles the wireless PHY and MAC sublayer and bridges the wireless frame locally as an 802.3 frame; client data does not pass through the AC]


Single Building – Distribution/Core

WLC in distribution/core

Most of the time: L2 roaming

[Diagram: a WLC pair attached to the distribution/core switches of a single building; APs reach the WLCs over CAPWAP and clients roam at L2]


Campus – Centralized WLC: Overview

Centralized WLC

Concept of Wireless Building Block

No Wireless VLANs everywhere

Better performance with L2 Mobility

Recommended design: L3

[Diagram: WLCs in a wireless building block attached to the data center; Building 1 and Building 2 connect to the core over L3, and APs reach the WLCs over CAPWAP]


Campus – Distributed WLC: Overview

Distributed WLC or WiSM

Each building has its own WLC

Each building can have its own Mobility group

Wireless insertion at distribution layer

Several distributed Wireless VLANs across the Campus

[Diagram: each building has its own WLC pair at the distribution layer, with L3 links to the core and to the data center]


Understanding H-REAP

Hybrid Architecture

Single Management & Control point

Centralized Traffic (Split MAC)

Or

Local Traffic (Local MAC)

HA will preserve local traffic only

[Diagram: central site connected over the WAN to a remote office; centralized traffic crosses the WAN to the controller, while local traffic stays within the remote office]


Branch Office Deployment: Hybrid REAP

Design Considerations:

Supported on 1130, 1140, 1240, 1250, 1260, 3500i/e AP platforms

Allows bridging/tagging of traffic locally (local switching) by WLAN

Allows simultaneous tunneling of traffic to the WLC (central switching) by WLAN

"Connected Mode": LWAPP control centralized

"Standalone Mode" (WAN outage):

Locally switched WLANs stay up

Some lost functionality

Supported maximum latency between APs and WLC: up to 300 msec for data / up to 100 msec for data+voice / up to 2 sec for local switching (with limitations)

H-REAP APs should be connected to trunk ports; allow only the relevant, locally switched VLANs

No optimization for:

Fast, secure roaming (CCKM, PKC)

Voice (no CAC or TSPEC support in standalone mode)


H-REAP Local MAC: Per-SSID Local MAC

Enabling "Local Switching" mode per SSID:

[Screenshot: WLAN settings with Local Switching enabled]


H-REAP Local MAC: Per-AP SSID to VLAN Mapping

Mapping of SSID to 802.1Q VLAN is done per H-REAP AP

[Screenshot: per-AP WLAN to VLAN mapping]


Understanding H-REAP Groups

A WLC supports up to 20 H-REAP Groups

Each H-REAP Group supports up to 25 H-REAP APs

H-REAP Groups allow sharing of:

CCKM Fast Roaming keys

Local User authentication

Local EAP authentication

[Diagram: central site connected over the WAN to two remote sites, H-REAP Group 1 and H-REAP Group 2]


H-REAP Groups and CCKM Keys

CCKM keys are stored on the H-REAP APs for layer-2 fast roaming

The H-REAP APs receive the CCKM keys from the WLC

If an H-REAP AP boots up in standalone mode, it will not get the CCKM keys from the WLC and fast roaming is not supported

[Diagram: central site with the WLC and RADIUS server, connected over the WAN to two remote sites, H-REAP Group 1 and H-REAP Group 2; the WLC distributes the CCKM keys to the APs in each group]


H-REAP Groups and Local EAP

In case of WAN failure (Standalone mode), H-REAP APs can act as a Local EAP server

An H-REAP Group can store 100 usernames and act as a local EAP server

LEAP and EAP-FAST are the only supported EAP types in standalone mode

[Diagram: central site with the WLC and RADIUS server, connected over the WAN to two remote sites, H-REAP Group 1 and H-REAP Group 2, each acting as a Local EAP server]


H-REAP Groups and Local Radius Server

In case of WAN failure (Standalone mode), H-REAP APs can authenticate against a Local Radius Server

Only the session-timeout RADIUS attribute (attribute 27) is supported in standalone mode

RADIUS accounting is not supported in standalone mode

[Diagram: central site with the WLC and RADIUS server, connected over the WAN to two remote sites, H-REAP Group 1 and H-REAP Group 2, each with its own local RADIUS server]


Case Study – HREAP Retail Design

Requirements for the Store Design

Up to 5 APs per site

L2 connectivity between the APs

Access to local services in the store (servers, printers, etc.)

WLAN Services:

SSID for Stores:

• Security type = WPA-PSK

• Will be the same SSID for all the stores, but different keys per store

• Local Switching

SSID for Employees:

• Security type = WPA/TKIP or WPA/AES

• Central RADIUS authentication

• Central Switching

WAN link:

– Bandwidth: 512 kbps

– RTT: 100 msec

– MTU: 1400 bytes


[Diagram: Datacenter with a CT-5508 cluster and RADIUS, connected over the WAN to Store-1 and Store-N; each store has an H-REAP AP, local resources, scanners on SSID-Store-1 / SSID-Store-N (WPA-PSK) and laptops on SSID-Employee (WPA2)]

WLAN 17 : Store-1

• SSID = Store-1

• WPA-PSK = 123

WLAN 17+N : Store-N

• SSID = Store-N

• WPA-PSK = 321

WLAN 1 : Data

• SSID = Employee

• WPA/Radius


[Diagram: Datacenter with a CT-5508 cluster and RADIUS, connected over the WAN to Store-1 and Store-N; each store has an H-REAP AP in its own AP group (AP-Group-1, AP-Group-N), local resources, scanners on SSID-Store-1 / SSID-Store-N (WPA-PSK) and laptops on SSID-Employee (WPA2)]

AP Group 1 : Store-1

• WLANs : Store-1

AP Group N : Store-N

• WLANs : Store-N


Case Study – HREAP Retail Design

Create a WLAN for Employees and one for each store (local switching)

Create an AP Group for each store and add AP-1 / WLAN-17 for Store-1, etc.

Map each locally switched WLAN to a VLAN per store
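The branch-office design considerations and the retail case study above can be turned into a design-rule check before the WLANs and AP groups are built. The following Python is an added example, not Cisco code: it encodes the limits the slides state (20 H-REAP groups per WLC, 25 APs per group, 300 msec AP-to-WLC latency for data and 100 msec with voice, trunk ports carrying only the locally switched VLANs, a different PSK per store) and runs them over a constructed two-store design; it assumes one H-REAP group per store, and the store names, VLANs and keys are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set
MAX_GROUPS_PER_WLC, MAX_APS_PER_GROUP = 20, 25  # limits from the slides (constructed checker, not Cisco code)
MAX_LATENCY_MS = {"data": 300, "voice": 100}   # max AP-to-WLC latency by traffic type
@dataclass
class Wlan:
    ssid: str
    local_switching: bool
    vlan: Optional[int] = None   # 802.1Q VLAN the AP bridges into when locally switched
    psk: Optional[str] = None    # WPA-PSK key; None for 802.1X/RADIUS WLANs
@dataclass
class Store:
    name: str
    ap_count: int
    rtt_ms: int
    voice: bool                    # True if the site carries voice over the WLAN
    wlans: List[Wlan]
    trunk_allowed_vlans: Set[int]  # VLANs allowed on the H-REAP AP's switch trunk port

def check_store(store: Store) -> List[str]:
    # Returns design-rule violations for one store; an empty list means it passes
    problems = []
    if store.ap_count > MAX_APS_PER_GROUP:
        problems.append(f"{store.name}: {store.ap_count} APs exceed {MAX_APS_PER_GROUP} per H-REAP group")
    limit = MAX_LATENCY_MS["voice" if store.voice else "data"]
    if store.rtt_ms > limit:
        problems.append(f"{store.name}: WAN RTT {store.rtt_ms} ms exceeds {limit} ms")
    # The trunk should carry only the locally switched VLANs; anything else is needless exposure
    local_vlans = {w.vlan for w in store.wlans if w.local_switching and w.vlan is not None}
    for vlan in sorted(store.trunk_allowed_vlans - local_vlans):
        problems.append(f"{store.name}: trunk allows VLAN {vlan} that carries no locally switched WLAN")
    return problems

def check_design(stores: List[Store]) -> List[str]:
    # Whole design: group count per WLC, per-store rules, and a different PSK per store
    problems = []
    if len(stores) > MAX_GROUPS_PER_WLC:
        problems.append(f"{len(stores)} stores exceed {MAX_GROUPS_PER_WLC} H-REAP groups per WLC")
    seen_psk = {}  # psk -> first store using it
    for store in stores:
        for w in store.wlans:
            if w.psk is not None and seen_psk.setdefault(w.psk, store.name) != store.name:
                problems.append(f"{store.name}: WPA-PSK reused from {seen_psk[w.psk]}")
        problems.extend(check_store(store))
    return problems
# Constructed sample: Store-2 reuses Store-1's key and its trunk also allows VLAN 1
STORES = [
    Store("Store-1", 5, 100, False, [Wlan("Store", True, 101, "store1-key"), Wlan("Employee", False)], {101}),
    Store("Store-2", 5, 100, False, [Wlan("Store", True, 102, "store1-key"), Wlan("Employee", False)], {102, 1}),
]
```

Running check_design(STORES) reports the reused key and the extra VLAN on Store-2's trunk, while Store-1 passes cleanly.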


OfficeExtend Solution Highlights

Features

Scalable up to 500 APs per Wireless Controller

WCS provisioning for mass deployment

Personal SSID for non-corporate use

Ease of deployment with no special configuration needed on the Wireless Controller

Encryption of data at line rate, no encryption module needed

Supports UC wireless phones

Key Benefits

Secure, convenient, cost-effective mobile teleworker solution enabling a consistent mobility experience

Ease of deployment for IT; plug and play for end user

802.11n 1140 AP and 1130 AP supported

Solution Elements

5508 Wireless Controller

1130 AP; 1140 AP

Management through WCS

[Diagram: 5508 Wireless Controller, 1140 AP and 1130 AP]


OfficeExtend Solution: Take the Corporate Network With You Seamlessly and Securely

Secure: DTLS encryption between the AP and the corporate network over the WAN

Simple: the AP can call home to automatically set up the secure tunnel

Cost effective: reduce costs through telecommuting, reduced cell phone charges and lower OpEx

[Diagram: AP1130 / AP1140 at home, hotel or anywhere, connected over the Internet with secure encryption to a 5508 controller at the corporate office]


What Is the OEAP Solution?

Controller (Cisco Wireless 5508 Controller)

Support for 500 OfficeExtend APs per controller

AP (AP 1131 & AP 1140)

Data encryption in software (AP1130) and in hardware (AP1140)

LED changes to display the AP status

Latency-based join

Link latency detection

Disable Telnet and SSH access to the AP

Disable rogue detection

Local SSID

WLC GUI and WCS

Configuration, reporting, troubleshooting and diagnostic enhancements


Aironet 600 Series OfficeExtend AP

Dual band 802.11n AP for the home

Proven hardware design

Validated OEAP Features / Function

Supported by 5508, WiSM2, 2500

7.67" x 6.92" x 1.45"

Available worldwide (all reg domains)

Target FCS: Q1CY11


Smart Business Architecture - Foundation

Target 100 – 1000 Users (5-15 Servers)

CCNA Target Technical Level

Baseline Configuration Ready for Policy Development

Ready for Advanced Technologies and Services


Published Design Guides: www.cisco.com/go/sba