BRKEWN-2016
BRKEWN-2018
Cisco Public
Abstract
This session focuses on the architecture concepts of branch office WLAN deployments, emphasising the core technologies that drive and enable mobility in retail, banking, education, enterprise or managed WLAN services. Topics covered include an in-depth protocol description of H-REAP/FlexConnect and all deployment options in practice, based on customer case studies of their application in the branch environment.
Agenda
Cisco Unified Wireless Principles (Reminder)
Branches Using Remote Controllers
Understanding H-REAP Mode and Limitations
Principles
AP must have CAPWAP connectivity with the WLC
Configuration is downloaded to the AP by the WLC
All Wi-Fi traffic is forwarded to the WLC
(Diagram: Aironet Access Point connected to the WLC across the Campus Network)
(Diagram: Remote Site A and Remote Site B, each with a local controller, WLC-25xx or WLCM for ISR/ISR-G2, connected over the WAN)
BRKEWN-2018 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Note: If you have an ISR/ISR G2 at the branch site, it is recommended to use the IOS Firewall at the edge for unified access policies.
CAPWAP Overview
Control and Provisioning of Wireless Access Points
CAPWAP is a standard, interoperable protocol that enables an Access Controller (AC) to manage a collection of Wireless Termination Points (WTPs)
CAPWAP carries control and data traffic between the two
Control plane is DTLS encrypted
Data plane is DTLS encrypted (optional)
(Diagram: CAPWAP control plane between the access point and the controller)
CAPWAP Modes
Split MAC
(Diagram, STA to WTP to AC: Wireless Frame; Wireless PHY and MAC sublayer at the WTP; CAPWAP data plane from the WTP to the AC; 802.3 frame at the AC)
CAPWAP Modes
Local MAC
Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
Locally bridged
(Diagram, STA to WTP to AC: Wireless Frame; Wireless PHY and MAC sublayer at the WTP; the 802.3 frame is bridged locally at the WTP)
H-REAP supports locally bridged (local MAC) and split MAC per SSID
CAPWAP Modes
Local MAC
Tunneled as 802.3 frames
(Diagram, STA to WTP to AC: Wireless Frame; Wireless PHY and MAC sublayer at the WTP; the 802.3 frame is carried over the CAPWAP data plane to the AC)
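The CAPWAP overview and the Split MAC / Local MAC slides above describe what a CAPWAP packet carries. The decoder below is an added example for this page, not code from the deck or from Cisco: it reads the RFC 5415 transport header of a captured packet to tell a DTLS-protected packet from plaintext control and data traffic, and uses the header's T flag to distinguish a native 802.11 frame (split MAC) from a tunneled 802.3 frame (local MAC). The UDP ports, field layout and message type numbers are those of RFC 5415; the sample packets and the functions `build_capwap_header`, `parse_capwap` and `classify` are this example's own.

```python
"""CAPWAP (RFC 5415) transport-header decoder.

Added example for this deck, not Cisco code: it classifies captured CAPWAP
packets as DTLS-protected, plaintext control or plaintext data, and reads the
'T' flag that tells a native 802.11 frame (split MAC) from an 802.3 frame
(local MAC, tunneled). Sample packets below are constructed."""
import struct

CAPWAP_CONTROL_PORT = 5246   # UDP port of the CAPWAP control channel (RFC 5415)
CAPWAP_DATA_PORT = 5247      # UDP port of the CAPWAP data channel

# Bits 0-8 of the first header word: T F L W M K + 3 reserved flag bits
FLAG_T = 1 << 8   # payload is in native wireless format (802.11), else 802.3
FLAG_F = 1 << 7   # packet is a fragment
FLAG_L = 1 << 6   # last fragment
FLAG_W = 1 << 5   # wireless-specific information present
FLAG_M = 1 << 4   # radio MAC address present
FLAG_K = 1 << 3   # data-channel keep-alive

# IETF control message types (RFC 5415 section 4.5.1.1); only a few listed
CONTROL_MSG_TYPES = {1: "Discovery Request", 2: "Discovery Response",
                     3: "Join Request", 4: "Join Response",
                     13: "Echo Request", 14: "Echo Response"}
WBID_IEEE_80211 = 1


def build_capwap_header(hlen_words=2, rid=0, wbid=WBID_IEEE_80211, flags=0,
                        frag_id=0, frag_offset=0, payload=b""):
    """Pack a plaintext (preamble type 0) CAPWAP header in front of payload.
    Used here only to construct sample packets."""
    word0 = (hlen_words << 19) | (rid << 14) | (wbid << 9) | (flags & 0x1FF)
    word1 = (frag_id << 16) | (frag_offset << 3)
    return struct.pack("!II", word0, word1) + payload


def parse_capwap(data):
    """Decode the fixed 8-byte CAPWAP header. For preamble type 1 (DTLS) only
    {'dtls': True} is returned: the rest of the packet is ciphertext."""
    if len(data) < 4:
        raise ValueError("short packet")
    version, ptype = data[0] >> 4, data[0] & 0x0F
    if version != 0:
        raise ValueError("unknown CAPWAP version %d" % version)
    if ptype == 1:
        return {"dtls": True}
    if ptype != 0 or len(data) < 8:
        raise ValueError("unknown preamble type or short header")
    word0, word1 = struct.unpack("!II", data[:8])
    hlen = ((word0 >> 19) & 0x1F) * 4          # HLEN is counted in 4-byte words
    if hlen < 8 or len(data) < hlen:
        raise ValueError("bad HLEN %d" % hlen)
    return {
        "dtls": False,
        "hlen": hlen,
        "rid": (word0 >> 14) & 0x1F,
        "wbid": (word0 >> 9) & 0x1F,
        "native_frame": bool(word0 & FLAG_T),
        "fragment": bool(word0 & FLAG_F),
        "last_fragment": bool(word0 & FLAG_L),
        "keep_alive": bool(word0 & FLAG_K),
        "frag_id": word1 >> 16,
        "frag_offset": (word1 >> 3) & 0x1FFF,
        "payload": data[hlen:],
    }


def classify(udp_dst_port, data):
    """Label one packet the way an audit of a CAPWAP capture would: RFC 5415
    allows only Discovery messages in the clear on the control channel, and
    the data channel is plaintext unless DTLS was enabled for it."""
    hdr = parse_capwap(data)
    if hdr["dtls"]:
        return "dtls-protected"
    if udp_dst_port == CAPWAP_CONTROL_PORT:
        if len(hdr["payload"]) < 4:
            raise ValueError("truncated control header")
        msg_type = struct.unpack("!I", hdr["payload"][:4])[0]
        name = CONTROL_MSG_TYPES.get(msg_type, "type %d" % msg_type)
        verdict = "permitted" if msg_type in (1, 2) else "NOT permitted"
        return "plaintext control (%s, %s)" % (name, verdict)
    if udp_dst_port == CAPWAP_DATA_PORT:
        if hdr["keep_alive"]:
            return "plaintext data keep-alive"
        frame = "native 802.11 frame" if hdr["native_frame"] else "802.3 frame"
        return "plaintext data (%s)" % frame
    return "not a CAPWAP port"


# Constructed sample packets; control header = msg type(4) seq(1) len(2) flags(1)
SAMPLES = [
    (CAPWAP_CONTROL_PORT, build_capwap_header(payload=struct.pack("!IBHB", 1, 0, 0, 0))),
    (CAPWAP_CONTROL_PORT, build_capwap_header(payload=struct.pack("!IBHB", 3, 1, 0, 0))),
    (CAPWAP_CONTROL_PORT, bytes([0x01, 0, 0, 0]) + b"\x16\xfe\xfd" + b"\x00" * 10),
    (CAPWAP_DATA_PORT, build_capwap_header(flags=FLAG_T, payload=b"\x08\x02" + b"\x00" * 22)),
    (CAPWAP_DATA_PORT, build_capwap_header(payload=b"\xff" * 14)),
]

if __name__ == "__main__":
    for port, pkt in SAMPLES:
        print(port, classify(port, pkt))
```

Run over a capture from the WAN side of a branch, two outcomes matter for a defender: plaintext packets on UDP 5247 mean the optional data-plane DTLS is off, so locally switched client traffic that is tunneled back to the WLC crosses the WAN in the clear; and any non-Discovery plaintext message on UDP 5246 is outside what the protocol allows and is worth an alert.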
H-REAP Glossary
Connected mode: when the H-REAP AP can reach the controller (connected state), it gets help from the controller to complete client authentication.
Standalone mode: when the controller is not reachable by the H-REAP AP, it goes into standalone state and does client authentication by itself.
Local Switching: data traffic for an SSID is switched onto local VLANs.
Central Switching: data traffic for an SSID is tunneled back to the WLC.
(Diagram: a cluster of WLCs at the central site; traffic from the Remote Office either crosses the WAN as centralized traffic or stays at the site as local traffic (local MAC))
Only WLANs with Local Switching enabled will be switched locally at the H-REAP AP
An H-REAP AP can be connected to an access port (using the native VLAN) or to an 802.1Q trunk port
VLAN mapping is a per-AP configuration on the WLC, and is done per AP group using templates on WCS
Some features are not available in standalone mode or in local switching mode
ACLs in local switching
Key Differentiation
WAN Tolerance: high latency networks
WAN Survivability
Security: 802.1x based port authentication
Voice support: Voice CAC, OKC/CCKM

Controller specifications (table on the slide):
Access Points: 300-2,000
Clients: 20,000
Branches: 500
Access Points / Branch: 50
Deployment Model: FlexConnect
Form Factor: 1 RU
IO Interface: 2x 10GE
Upgrade Licenses: 100, 200, 500, 1K
Local Authentication
Allows the authentication capability to exist directly at the AP in FlexConnect instead of on the WLC
Improved Scale
Group scale: maximum number of H-REAP groups increased to 500 (7500) and 100 (5500); APs per group: 50 (7500) and 25 (5500)
Understanding AP Groups
Overview
AP groups are a logical concept for grouping APs which deliver similar Wi-Fi services; these services can be grouped:
By physical location, and/or
By functional services (data, voice, guest, ...)
(Diagram: AP Group 1, AP Group 2 and AP Group 3 spread across Remote Site A and Remote Site B, connected over the WAN)
Understanding AP Groups
Rules to Know
One AP can be in only one AP group
One WLAN (SSID) can be in several AP groups
WLANs with ID 1-16 cannot be removed from the default-group
WLANs with ID greater than 16 will never be part of the default-group
All APs with no AP group name or an unknown AP group name will be part of the default-group
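The rules above decide which SSIDs an AP ends up broadcasting, and the last one (unknown group name means default-group) is the one that bites in practice: a mistyped group name silently drops every per-site WLAN above ID 16. The script below is an added example, not Cisco code and not a WLC API; it models the rules as a configuration audit over a constructed WLAN table and group table, loosely following the retail case later in the deck (a per-store scanner WLAN above ID 16 plus a shared data WLAN). The function names and the sample data are this example's own.

```python
"""Audit helper for the AP-group rules on this slide.

Added example, not Cisco code. The rules (one group per AP, WLAN IDs 1-16
pinned to the default-group, IDs above 16 never in it, unknown group names
falling back to the default-group) are from the slide; the WLAN table and
group table below are constructed."""

DEFAULT_GROUP = "default-group"
DEFAULT_GROUP_MAX_WLAN_ID = 16


class ApGroupConfigError(ValueError):
    """Raised for a group table the WLC would not accept."""


def normalise_groups(wlans, groups):
    """Apply the default-group rules to {group: set(wlan_ids)} and return a
    new table. WLANs 1-16 are put (back) into the default-group because the
    WLC never lets them be removed; a WLAN above 16 listed there is an error."""
    norm = {name: set(ids) for name, ids in groups.items()}
    default = norm.setdefault(DEFAULT_GROUP, set())
    default |= {wid for wid in wlans if wid <= DEFAULT_GROUP_MAX_WLAN_ID}
    too_high = sorted(wid for wid in default if wid > DEFAULT_GROUP_MAX_WLAN_ID)
    if too_high:
        raise ApGroupConfigError("WLAN IDs %s can never be in %s" % (too_high, DEFAULT_GROUP))
    for name, ids in norm.items():
        unknown = sorted(ids - set(wlans))
        if unknown:
            raise ApGroupConfigError("group %s references undefined WLAN IDs %s" % (name, unknown))
    return norm


def resolve_group(ap_group_name, groups):
    """An AP with no group name, or a name the WLC does not know, lands in
    the default-group (a typo in the group name is a silent fallback)."""
    return ap_group_name if ap_group_name in groups else DEFAULT_GROUP


def wlans_seen_by_ap(ap_group_name, wlans, groups):
    """{wlan_id: ssid} an AP actually advertises after the rules apply."""
    norm = normalise_groups(wlans, groups)
    group = resolve_group(ap_group_name, norm)
    return {wid: wlans[wid] for wid in sorted(norm[group])}


def group_membership_conflicts(ap_assignments):
    """One AP can be in only one group: given (ap_name, group_name) rows as
    exported from several templates, report APs claimed by more than one."""
    seen = {}
    for ap, group in ap_assignments:
        seen.setdefault(ap, set()).add(group)
    return {ap: sorted(g) for ap, g in seen.items() if len(g) > 1}


# Constructed configuration: two store groups, default-group left implicit
WLANS = {1: "Corporate-Data", 2: "Guest-Access",
         17: "Scanner-Store-1", 18: "Scanner-Store-2", 200: "Store-Data"}
GROUPS = {"Store-1": {17, 200}, "Store-2": {18, 200}}

if __name__ == "__main__":
    print(wlans_seen_by_ap("Store-1", WLANS, GROUPS))
    print(wlans_seen_by_ap("Store-99", WLANS, GROUPS))   # typo: falls back
    print(group_membership_conflicts([("AP-S1-1", "Store-1"), ("AP-S1-1", "Store-2")]))
```

The second call is the interesting one: an AP assigned to the non-existent group "Store-99" advertises only WLANs 1 and 2, never the Store-Data WLAN 200, so a silent fallback to the default-group shows up as a store with no working scanner or data SSID rather than as a configuration error.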
AP Groups
Configuration: Create a New Group
AP Groups
Configuration: Add AP to Group
AP Groups Usage
(Diagram: Central Site, AP Group 1: Guest-Access (to the Internet), Corporate-Voice, Corporate-Data; Manufacturing Plant, AP Group 2: Corporate-Voice, Corporate-Data, Scanners; Store, AP Group 3: Corporate-Data, Guest-Access; sites connected over the WAN/MAN)
AP Groups Usage
Per AP Group SSID to VLAN Mapping
AP groups give the ability to statically map a Wi-Fi service (WLAN) to a VLAN based on physical location
Users see the same Wi-Fi service on all sites, but the IP address can be used for monitoring or filtering
Can also be used to have smaller Wi-Fi subnets
(Diagram: the Corporate-Data WLAN is mapped to VLAN-1 in AP Group 1 (Central Site), VLAN-2 in AP Group 2 (Manufacturing Plant) and VLAN-3 in AP Group 3 (Store); sites connected over the WAN/MAN)
AP Groups
Configuration/VLAN Mapping
AP Groups
Scaling
New Scaling:
Platform     # AP Groups   # WLAN (SSID)   # VLAN (Interfaces)
Flex 7500    500           512             512
WLC 5508     500           512             512
WLC 4400     300           512             512
WLC 2100     50            512             512
(Diagram: Remote Sites connected over the WAN, each with its own H-REAP group: H-REAP Group 1, H-REAP Group 2)
Scaling information: 500 H-REAP groups for Flex 7500
CCKM/OKC keys are stored on the H-REAP APs for Layer 2 fast roaming
The H-REAP APs receive the CCKM/OKC keys from the WLC
If an H-REAP AP boots up in standalone mode, it will not get the CCKM keys from the WLC and fast roaming is not supported
(Diagram: RADIUS Server at the Central Site, H-REAP APs reached across the WAN)
CCKM roaming is allowed within the H-REAP group. The H-REAP AP will then search for a backup WLC; when the backup WLC is found, the H-REAP AP resyncs with the WLC and resumes client sessions with central traffic.
Client sessions with local traffic are not impacted during the resync with the backup WLC.
(Diagram: Remote Site connected over the WAN to the Application Server)
(Diagram: Central RADIUS reached across the WAN; Local Backup RADIUS at the Remote Site serving H-REAP Group 1)
Define primary and secondary local backup RADIUS servers per H-REAP group
Unsupported features
RRM, CCKM, WIDS, Location, other AP modes, NAC.
An AP cannot automatically change from local mode to H-REAP mode on local WLC failure
Changing the mode is a configuration task on the AP
(Diagram: Remote Site connected over the WAN to the Application Server)
An H-REAP AP cannot be configured with two SSIDs of the same name, one in central switching mode and one in local switching mode, so that the locally switched SSID becomes active when central switching is down
Changing the enable status of an SSID is a configuration task at the WLC level
(Diagram: H-REAP AP at the Remote Site connected over the WAN)
Failover Matrix
Features (rows): Static Security Keys (WEP, WPA2/PSK); 802.1x/EAP RADIUS; Local Authentication; OKC Fast Roaming; WebAuth & MAC Auth
WAN Up (Connected) column: Yes Yes Yes Yes Yes Yes New New
WAN Down (Standalone) column: Yes Yes Yes (local RADIUS Backup) Yes Yes (not new clients) No
Sites using H-REAP APs are usually sites with low WAN bandwidth
Each site may have a small number of APs, but an enterprise may have a lot of branches; upgrading ~2000 APs through a low-bandwidth WAN is a challenge:
Use the Pre-Download Feature and Control the Process Before Effectively Doing the Upgrade
1. Download the upgraded firmware to the WLC (it will become the primary image)
2. Force the boot image to be the secondary one (not the newly upgraded one), to avoid a parallel download by all APs in case of an unexpected WLC reboot
3. Pre-download the AP firmware into the secondary boot image of the APs (this does not disrupt the actual service); it can be started AP per AP to limit WAN exhaustion
4. Check that all the H-REAP APs are up to date (all downloads succeeded)
5. Swap the boot image of the APs to the new one, and change the boot image of the WLC to the new one
6. Reboot the controller
(Diagram: Central Site WLC and Remote Site-1 to Remote Site-N over the WAN; AP firmware image 7.0 pre-downloaded beside the 6.0 primary image)
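The six steps above form one gated procedure, and the gate that matters is the check before the swap. The script below is an added example, not Cisco code and not a controller API: it models the procedure over a constructed AP inventory and a constructed WLC record, schedules the pre-download one AP per site at a time, refuses the swap while any H-REAP AP is missing the image, and reports which step is due. The 6.0 and 7.0 version numbers are those shown on the slide; the inventory rows, the field names (`backup_image`, `predownload`, `boot_image`) and the functions are this example's own, to be fed from whatever export of AP image state your own tooling produces.

```python
"""Gate for the staged H-REAP/FlexConnect upgrade procedure on this slide.

Added example, not Cisco code: it models steps 1-6 over a constructed AP
inventory (fields: name, site, backup_image, predownload) and a constructed
WLC record (primary_image, boot_image). The 6.0/7.0 version numbers are the
ones shown on the slide; the data rows are made up."""

TARGET_IMAGE = "7.0"


def predownload_batches(inventory, target):
    """Step 3: schedule pre-downloads one AP per site per batch, so that a
    branch's low-bandwidth WAN link carries a single image transfer at a time.
    APs already holding the target in their backup slot with a completed
    download are skipped; failed ones are queued again."""
    pending = {}
    for ap in inventory:
        if ap["backup_image"] != target or ap["predownload"] != "complete":
            pending.setdefault(ap["site"], []).append(ap["name"])
    batches = []
    while any(pending.values()):
        batches.append([queue.pop(0) for queue in pending.values() if queue])
    return batches


def swap_readiness(inventory, target):
    """Step 4: every H-REAP AP must hold the target image in its backup slot
    with a completed pre-download before anyone swaps boot images.
    Returns (ready, [(ap_name, reason), ...])."""
    stragglers = []
    for ap in inventory:
        if ap["backup_image"] != target:
            stragglers.append((ap["name"], "backup image is %s" % ap["backup_image"]))
        elif ap["predownload"] != "complete":
            stragglers.append((ap["name"], "pre-download %s" % ap["predownload"]))
    return (not stragglers, stragglers)


def next_step(wlc, inventory, target):
    """Which step of the slide's procedure is due, as (step_number, reason).
    The ordering enforces the point of step 2: the WLC must not boot the new
    image until all APs have it, or an unexpected reboot makes every AP
    download over the WAN at once."""
    ready, stragglers = swap_readiness(inventory, target)
    if wlc["primary_image"] != target:
        return (1, "download %s to the WLC" % target)
    if not ready and wlc["boot_image"] == target:
        return (2, "WLC boot image must stay on the old version while APs are pending")
    if not ready:
        names = [name for name, _ in stragglers]
        return (3, "pre-download pending on %d AP(s): %s" % (len(names), names))
    if wlc["boot_image"] != target:
        return (5, "swap AP boot images and set WLC boot image to %s" % target)
    return (6, "reboot the controller")


# Constructed inventory: two stores, two APs each, mid-way through step 3
INVENTORY = [
    {"name": "AP-S1-1", "site": "Store-1", "backup_image": "7.0", "predownload": "complete"},
    {"name": "AP-S1-2", "site": "Store-1", "backup_image": "6.0", "predownload": "none"},
    {"name": "AP-S2-1", "site": "Store-2", "backup_image": "7.0", "predownload": "failed"},
    {"name": "AP-S2-2", "site": "Store-2", "backup_image": "6.0", "predownload": "none"},
]
WLC = {"primary_image": "7.0", "boot_image": "6.0"}

if __name__ == "__main__":
    print(predownload_batches(INVENTORY, TARGET_IMAGE))
    print(swap_readiness(INVENTORY, TARGET_IMAGE))
    print(next_step(WLC, INVENTORY, TARGET_IMAGE))
```

With the sample data the scheduler produces two batches (one AP from each store, then the remaining AP of Store-2), the readiness check lists three stragglers including the AP whose download failed, and `next_step` keeps answering step 3 until all of them report a completed download, so the WLC boot image is never pointed at 7.0 early.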
Customer Requirements
~1000 medium stores (supermarkets), up to 5 APs per store
L2 connectivity between the APs; APs on access ports (no 802.1Q trunk today)
Existing local resources (servers, ...)
WLAN Services:
SSID for Scanners: WPA-PSK will be used on the scanners; same SSID name for all the stores, but a different key per store
(Design diagram: CT-5508 Cluster and RADIUS in the Data Center; Store-1 to Store-N across the WAN, each with Local Resources, Scanners (WPA-PSK) and Laptops (WPA2))
WLAN 17: Store 1: SSID=Scanner, WPA-PSK=XYZ, Local VLAN=native
WLAN 200: Store-Data: SSID=Laptop, WPA/RADIUS, Central VLAN=Tag-
(Design diagram with AP groups: CT-5508 Cluster and RADIUS in the Data Center; Store-1 with AP-Group-1 and Store-N with AP-Group-N across the WAN, each with Local Resources, Scanners (WPA-PSK) and Laptops (WPA2))
AP Group 1: Store 1, WLANs: Store-1, Store-data
AP Group N: Store-N, WLANs: Store-N (SSID=Scanner), Store-data
Project Scale
1000 stores with an average of 5 APs per store: 5000 APs
10 x CT-5508-500 to support 5000 APs
Summary
Cisco Unified Wireless Network based on controllers delivers a Wireless Branch Solution
H-REAP is the feature designed to solve remote connectivity and WAN constraints
Several failover scenarios are targeted to offer survivability of small remote sites
Recommended Reading
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Thank you.