Aadil Hassim Systems Engineer - Mobility

DESIGN AND DEPLOYMENT OF ENTERPRISE WLANS

Agenda: Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Deploying the Cisco Unified Wireless Architecture; Best Practices.

Cisco Unified Wireless Principles. Components: wireless LAN controllers (WLCs), Aironet access points, management (Cisco Prime Infrastructure) and the Mobility Services Engine (MSE). Principles: an AP must have CAPWAP connectivity to a WLC; the AP's configuration is downloaded to it by the WLC; all Wi-Fi client traffic is forwarded to the WLC. Diagram: Wi-Fi client, Aironet access point, campus network, wireless LAN controllers, Cisco Prime Infrastructure, MSE.

Centralized Wireless LAN Architecture: What Is CAPWAP? CAPWAP (Control and Provisioning of Wireless Access Points, RFC 5415) is the protocol used between APs and the WLAN controller; Cisco's implementation evolved from LWAPP. CAPWAP carries both control and data traffic between the two. The control plane is DTLS-encrypted; DTLS encryption of the data plane is optional (it is off by default, so client traffic between AP and WLC is cleartext on the wire unless you enable it). LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion from LWAPP to CAPWAP is seamless. CAPWAP is not supported in Layer 2 mode deployments: AP and controller must be IP-reachable. Diagram: access point and controller joined by the CAPWAP control plane and data plane, controller forwarding to the business application.

Agenda (section divider): Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Deploying the Cisco Unified Wireless Architecture; Best Practices.

Mobility Defined. Mobility is a key reason for deploying wireless networks. Mobility means the end-user device can change location within the networked environment. Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it is mobile. Mobility presents new challenges: the architecture must scale to support client roaming, which can occur intra-controller and inter-controller; and client roaming must be seamless (fast) while preserving security, i.e. the authenticated, encrypted session must not be weakened across the roam.

Scaling the Architecture with Mobility Groups. A mobility group allows controllers to peer with each other to support seamless roaming across controller boundaries. APs learn the IP addresses of the other members of the mobility group after the CAPWAP join process. Support for up to 24 controllers and 24000 APs per mobility group. Mobility messages are exchanged between controllers, and roamed client data is tunneled between controllers in EtherIP (RFC 3378). Release 7.6 adds the option of using either EoIP or CAPWAP tunnels between controllers. Diagram: Controller-A (MAC AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02) and Controller-C (AA:AA:AA:AA:AA:03), all with mobility group name MyMobilityGroup, each listing the other two as mobility group neighbors; mobility messages and Ethernet-in-IP tunnels run between them.

Scaling the Architecture with Mobility Groups (cont.). With Inter-Release Controller Mobility (IRCM), roaming is supported between controllers running 7.4, 7.6 and 8.0. Diagram: a mobility domain of up to 72 WLCs containing several mobility groups (one on 7.4 shown as a single-WLC network, one on 7.6, one on 8.0), each mobility group holding up to 24 WLCs.

How Long Does an STA Roam Take? It is the time for the client to disassociate, plus probing for and selecting a new AP, plus 802.11 association, plus 802.1X/EAP authentication, plus rekeying, plus IP address (re)acquisition. All of this can be on the order of seconds. Can we make this faster?

Roaming Requirements. Roaming must be fast; latency can be introduced by the client's channel-scanning and AP-selection algorithms, by re-authentication of the client device and re-keying, and by refreshing the IP address. Roaming must maintain security. Open authentication and static WEP: the session simply continues on the new AP (there is no per-session key to renegotiate, and nothing protecting the session either; static WEP should not be deployed). WPA/WPA2 Personal: a new session key for encryption is derived via the standard handshakes. 802.1X, 802.11i, WPA/WPA2 Enterprise: the client must be re-authenticated and a new session key derived for encryption.

How Are We Going to Make Roaming Faster? Focus on where we can have the biggest impact: eliminating the IP address (re)acquisition challenge, and eliminating full 802.1X/EAP re-authentication.

Intra-Controller Roaming. The client roams to a different AP joined to the same controller. Diagram: WLC-1's client database on VLAN X holds the client data (MAC, IP, QoS, security); WLC-2's client database and the mobility message exchange between the controllers are shown but are not needed for this roam. The client database entry is updated with the new AP and the appropriate security context; no IP address refresh is needed.

Client Roaming Between Subnets. Diagram: the client starts on VLAN X behind WLC-1, which becomes the anchor controller and keeps the client data (MAC, IP, QoS, security); it roams to an AP on WLC-2, the foreign controller, whose wired side is VLAN Z. The controllers exchange mobility messages and the client's traffic is carried over a data tunnel between foreign and anchor; the pre-roaming data path went straight through WLC-1.

Roaming: Inter-Controller. In an L3 inter-controller roam the STA moves its association between APs joined to different controllers whose client traffic is bridged onto different subnets. The client must be re-authenticated and a new security session established (unless a fast secure roaming method, covered next, avoids the full exchange). The client database entry is copied to the new controller, so an entry exists in both WLC client databases; the original controller is tagged as the anchor and the new controller as the foreign. The WLCs must be in the same mobility group or domain. No IP address refresh is needed. A symmetric traffic path is established; the asymmetric option was removed in the 6.0 release. Account for the mobility message exchange in the network design.
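The mobility-group slide says roamed client data is carried between the foreign and anchor controllers in EtherIP (RFC 3378). The following is an added example, not code from the original deck, showing what that tunnel looks like on the wire: a 2-byte EtherIP header (version 3, reserved bits zero) in front of the client's Ethernet frame, inside an IPv4 datagram with protocol number 97. Controller addresses, MAC addresses and the inner payload are constructed sample values.

```python
"""EtherIP (RFC 3378) framing of the inter-controller mobility data tunnel.
Added example with constructed addresses; not part of the original deck."""
import socket
import struct

ETHERIP_VERSION = 3      # RFC 3378 section 2: the 4-bit version field is 3
IP_PROTO_ETHERIP = 97    # IANA protocol number for EtherIP
ETH_HDR_LEN = 14


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_client_frame(dst_mac, src_mac, ethertype, payload):
    """The roamed client's Ethernet frame as the foreign controller receives it from the AP."""
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def etherip_encap(frame):
    """Prepend the EtherIP header: version 3 in the high nibble, 12 reserved bits zero."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("not an Ethernet frame")
    return struct.pack("!H", ETHERIP_VERSION << 12) + frame


def etherip_decap(datagram):
    """Strip the EtherIP header; RFC 3378 requires dropping bad version or reserved bits."""
    if len(datagram) < 2 + ETH_HDR_LEN:
        raise ValueError("EtherIP datagram too short")
    (hdr,) = struct.unpack("!H", datagram[:2])
    if hdr >> 12 != ETHERIP_VERSION:
        raise ValueError("EtherIP version %d is not 3" % (hdr >> 12))
    if hdr & 0x0FFF:
        raise ValueError("EtherIP reserved bits must be zero")
    return datagram[2:]


def ipv4_checksum(header):
    """Standard one's-complement header checksum; returns 0 when verifying a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tunnel_packet(src_ip, dst_ip, frame):
    """IPv4 header (protocol 97, DF set) + EtherIP header + client frame."""
    payload = etherip_encap(frame)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      IP_PROTO_ETHERIP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def dissect_tunnel_packet(packet):
    """What a capture between the controllers shows: the inner frame is fully visible."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IP_PROTO_ETHERIP:
        raise ValueError("IP protocol %d is not EtherIP" % packet[9])
    total_len = struct.unpack("!H", packet[2:4])[0]
    frame = etherip_decap(packet[ihl:total_len])
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "client_dst_mac": frame[:6].hex(":"),
        "client_src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "client_payload": frame[14:],
    }


if __name__ == "__main__":
    # Constructed sample: foreign controller 10.0.2.10 tunnels a client frame to anchor 10.0.1.10.
    frame = build_client_frame("00:1a:2b:3c:4d:5e", "aa:bb:cc:dd:ee:ff", 0x0800, b"\x45" + b"\x00" * 19)
    print(dissect_tunnel_packet(build_tunnel_packet("10.0.2.10", "10.0.1.10", frame)))
```

The design point for a security review: EtherIP carries the client's frame unchanged and unencrypted, so a roamed user's traffic between a foreign and an anchor controller across a WAN is as exposed as the path itself. Whichever tunnel type a release offers, confirm whether the data plane is encrypted before carrying roamed traffic over untrusted links, and make sure only IP protocol 97 and the mobility control port are permitted between controller management addresses.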

How Are We Going to Make Roaming Faster? Focus on where we can have the biggest impact: ✓ eliminating the IP address (re)acquisition challenge; next, eliminating full 802.1X/EAP re-authentication.

Fast Secure Roaming: Standard Wi-Fi Secure Roaming. With the Cisco AAA server (ACS or ISE) across the WAN, 802.1X authentication in wireless today requires three end-to-end transactions, with an overall transaction time of more than 500 ms. It also requires a roaming client to re-authenticate, adding a further 500+ ms to the roam. Diagram: 1. initial 802.1X authentication transaction at AP1; 2. 802.1X re-authentication after roaming to AP2.

Cisco Centralized Key Management (CCKM). Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially on application-specific devices (ASDs). CCKM was ported to the CUWN architecture in the 3.2 release. In highly controlled test environments, CCKM roam times consistently measure in the 5-8 ms range. CCKM is most widely implemented in ASDs, especially VoWLAN devices. To work across WLCs, the WLCs must be in the same mobility group. CCX-based laptops may not fully support CCKM; it depends on supplicant capabilities. The standards-based counterpart of CCKM is 802.11r, supported by Apple iOS 6.0 and 7.0.

802.11r Introduction. The IEEE standard for fast roaming, the standards-based alternative to CCKM / OKC. It introduces a new concept of roaming in which the handshake with the new AP is done even before the client roams to the target AP. This initial handshake lets the client and the APs compute the PTK in advance, reducing roaming time; the pre-computed PTK is applied on the client and the AP once the client completes the reassociation request/response exchange with the new target AP. 802.11r provides two ways of roaming: over-the-air and over-the-DS (distribution system). The FT (Fast Transition) key hierarchy is designed to let the client make fast BSS transitions between APs without re-authenticating at every AP. The WLAN configuration gains a new AKM type called FT (Fast Transition).

802.11r Fast Transition (FT) WLAN Authentication Configuration. Legacy clients may not associate with a WLAN that has 802.11r enabled alongside 802.11i. If the driver or supplicant responsible for parsing the Robust Security Network Information Element (RSN IE, element ID 48) is old and is confused by the additional AKM (Authentication and Key Management) suites advertised in the IE, the driver will not even attempt to start the association process. Because of this limitation, such legacy clients cannot send association requests to WLANs with an FT-PSK or FT-802.1X configuration; they can still associate with non-802.11r WLANs. The recommendation is therefore a new WLAN with a unique SSID for the 802.11r FT-PSK clients, and another WLAN for the 802.11r FT-802.1X clients. An iPhone running iOS 6.0 or 7.0 could authenticate to a WLAN advertising both AKMs, but because of legacy clients this is NOT recommended: a client without that level of 802.11r support cannot associate.

Multiple WLANs for Multiple Auth Types, Each with a Unique SSID: 802.1X and 802.1X-FT WLANs with unique SSIDs; PSK and PSK-FT WLANs with unique SSIDs.
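The two slides above turn on what a client's driver makes of the RSN IE. As an added example (not code from the original deck), here is a decoder for the RSN IE (element ID 48) that builds the IE an AP advertises for a plain WPA2-Enterprise WLAN, for a mixed 802.1X + FT-802.1X WLAN and for a CCKM WLAN, then models the two client behaviours the deck describes: an old driver that refuses any IE containing an AKM it does not know, and a modern supplicant that picks the FT AKM when it can. It also reads the MFPC/MFPR capability bits, which is the same place you check whether 802.11w is required (see the security best practices later in the deck). Suite names follow the IEEE 802.11 AKM and cipher tables; the CCKM selector (Cisco OUI 00:40:96, type 0) is included; the `legacy_strict_accepts` and `choose_akm` models are simplifications for illustration.

```python
"""Decode an RSN information element and predict what a client sees when a
WLAN advertises FT AKMs. Added example; RSN IE layout per IEEE 802.11."""
import struct

RSN_ELEMENT_ID = 48
OUI_IEEE = bytes.fromhex("000fac")
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
             6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
VENDOR_AKM_NAMES = {(bytes.fromhex("004096"), 0): "CCKM"}   # Cisco OUI 00:40:96, type 0
FT_AKM_NAMES = {"FT-802.1X", "FT-PSK", "FT-SAE"}
MFPR_BIT, MFPC_BIT = 1 << 6, 1 << 7   # RSN Capabilities: bit 6 MFP required, bit 7 MFP capable


def _selector(x):
    """Accept an IEEE suite type (int) or a raw 4-byte OUI+type selector."""
    return x if isinstance(x, bytes) else OUI_IEEE + bytes([x])


def _name(selector, table, vendor_table=None):
    oui, stype = selector[:3], selector[3]
    if oui == OUI_IEEE:
        return table.get(stype, "ieee-%d" % stype)
    return (vendor_table or {}).get((oui, stype), "vendor-%s-%d" % (oui.hex(), stype))


def build_rsn_ie(pairwise, akms, group=4, mfpc=False, mfpr=False):
    """Build the RSN IE an AP puts in beacons/probe responses (counts are little-endian)."""
    body = struct.pack("<H", 1) + _selector(group)
    body += struct.pack("<H", len(pairwise)) + b"".join(_selector(c) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(_selector(a) for a in akms)
    body += struct.pack("<H", (MFPR_BIT if mfpr else 0) | (MFPC_BIT if mfpc else 0))
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def parse_rsn_ie(ie):
    """Parse version, group cipher, pairwise list, AKM list and capabilities; reject truncation."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body, off = ie[2:], 0

    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated RSN IE")
        chunk = body[off:off + n]
        off += n
        return chunk

    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    group = take(4)
    pairwise = [take(4) for _ in range(struct.unpack("<H", take(2))[0])]
    akms = [take(4) for _ in range(struct.unpack("<H", take(2))[0])]
    caps = struct.unpack("<H", take(2))[0] if off + 2 <= len(body) else 0  # optional field
    akm_names = [_name(a, AKM_NAMES, VENDOR_AKM_NAMES) for a in akms]
    return {
        "group": _name(group, CIPHER_NAMES),
        "pairwise": [_name(p, CIPHER_NAMES) for p in pairwise],
        "akms": akm_names,
        "fast_transition": any(a in FT_AKM_NAMES for a in akm_names),
        "mfp": "required" if caps & MFPR_BIT else ("capable" if caps & MFPC_BIT else "disabled"),
    }


def legacy_strict_accepts(parsed, known=("802.1X", "PSK")):
    """Model of an old driver that will not associate if any advertised AKM is unknown to it."""
    return all(a in known for a in parsed["akms"])


def choose_akm(parsed, supported):
    """Model of a modern supplicant: prefer an FT AKM both sides support, else any common AKM."""
    common = [a for a in parsed["akms"] if a in supported]
    ft = [a for a in common if a in FT_AKM_NAMES]
    return (ft or common or [None])[0]


if __name__ == "__main__":
    mixed = build_rsn_ie([4], [1, 3], mfpc=True)     # 802.1X + FT-802.1X on one SSID
    info = parse_rsn_ie(mixed)
    print(info, "legacy driver associates:", legacy_strict_accepts(info))
```

Usage note: capture one beacon per SSID and run the decoder over its RSN IE before and after enabling FT; an SSID whose `akms` list is no longer entirely within the legacy driver's known set is exactly the case the deck says to move onto its own SSID.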

Designing a Mobility Group/Domain. Less roaming is better; clients and apps are happier. While clients are authenticating or roaming, the WLC CPU does the processing; this is less of an issue on the latest controllers, which have a dedicated management/control processor. L3-roaming and fast-roaming clients consume client-database slots on multiple controllers, so consider worst-case scenarios when sizing the roaming domain. Leverage natural roaming-domain boundaries. Choose the mobility message transport: multicast vs. unicast. Make sure the right ports and protocols are allowed between controllers (UDP 16666 for mobility control and IP protocol 97 for the EoIP data tunnel).

How Are We Going to Make Roaming Faster? Focus on where we can have the biggest impact: ✓ eliminating the IP address (re)acquisition challenge; ✓ eliminating full 802.1X/EAP re-authentication.

Agenda (section divider): Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Deploying the Cisco Unified Wireless Architecture; Best Practices.

Deploying the Cisco Unified Wireless Architecture: Client Profiling; High Availability; Understanding AP Groups / RF Groups; Application Visibility.

Client Profiling. ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy. For customers who do not deploy ISE but still need some of those features directly on the WLC: native profiling that identifies network end devices from protocols such as HTTP and DHCP; device-based policy enforcement, per user or per device, on the network; and statistics based on per-user or per-device endpoints and the policies applied per device.

Client Profiling (cont.). WLC-based local policy consists of two separate elements. Match: profiling can be based on Role (the user type or user group the user belongs to), Device Type (e.g. Windows, OS_X, iPad, iPhone, Android) and EAP Type (the EAP method the client is connecting with). Action: the policy enforced after profiling: VLAN (override the WLAN interface with a VLAN ID on the WLC), QoS level (override the WLAN QoS), ACL (override with a named ACL), Session timeout (override the WLAN session timeout value), Time of day (apply the override only during the configured hours, otherwise default to the WLAN settings). The 7.5/7.6 releases contain 88 pre-existing profiles.

Configuring Client Profiles. Client profiling uses the pre-existing profiles on the controller; custom profiles are not supported in this release. Wireless clients are profiled based on the MAC OUI, DHCP and the HTTP user agent. DHCP profiling requires the client's DHCP exchange to pass through the WLC (DHCP Required on the WLAN); HTTP user-agent profiling requires web authentication, since that is when the WLC sees the client's HTTP request. The 8.0 release contains 156 pre-existing profiles (Min CM is the minimum certainty metric a device must reach before the profile is assigned; Parent is the more generic profile a device must already match):
    (Cisco Controller) >show profiling policy summary
    Number of Builtin Classification Profiles: 156
    ID   Name           Parent  Min CM  Valid
    ==== ============== ======  ======  =====
    0    Android        None    30      Yes
    1    Apple-Device   None    10      Yes
    2    Apple-MacBook  1       20      Yes
    3    Apple-iPad     1       20      Yes
    4    Apple-iPhone   1       20      Yes
    (output truncated)

Local Client Profiling Configuration. At the WLAN level, enable Local Client Profiling (DHCP and HTTP). DHCP Required is checked automatically when DHCP profiling is selected. CLI syntax: config wlan profiling {local | radius} {dhcp | http | all} <wlan ID>. Example: (Cisco Controller) >config wlan profiling local all enable 1

Client Profiles in 7.6. When profiling is enabled, the client's Device Type is shown in the WLAN client list.

Security > Local Policies. Match (how to identify a device): Role, EAP Type, Device Type. Action (policy to enforce): VLAN, QoS, Session Timeout, Sleeping Client Timeout, Time of Day.
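The profiling slides describe a table of built-in profiles with a Parent and a Min CM column, fed by three kinds of evidence (MAC OUI, DHCP, HTTP user agent). As an added example (not the WLC's code, and not its real scoring), here is a small profiling engine in that style: each piece of evidence adds certainty to one or more profiles, a child profile is only assigned if its whole parent chain also meets its Min CM, and the most specific qualifying profile wins. The profile rows are the five shown in the deck's `show profiling policy summary` output; the evidence weights, the OUI entries and the sample clients are constructed for illustration.

```python
"""Toy device-profiling engine in the style of the WLC built-in profile table.
Added example; weights, OUI rules and sample clients are illustrative."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    pid: int
    name: str
    parent: Optional[int]   # 'Parent' column: profile that must also match
    min_cm: int             # 'Min CM' column: minimum certainty to assign


# The five rows visible in the deck's show output (IDs, parents, Min CM as shown there).
PROFILES: Dict[int, Profile] = {p.pid: p for p in [
    Profile(0, "Android", None, 30),
    Profile(1, "Apple-Device", None, 10),
    Profile(2, "Apple-MacBook", 1, 20),
    Profile(3, "Apple-iPad", 1, 20),
    Profile(4, "Apple-iPhone", 1, 20),
]}

# Evidence weights (assumption: illustrative, not the WLC's internal values).
WEIGHTS = {"oui": 10, "dhcp_vendor_class": 30, "user_agent": 40}

# (profile id, evidence kind, case-insensitive substring). OUI rows are illustrative.
RULES = [
    (1, "oui", "3c:07:54"),
    (1, "user_agent", "Mac OS X"),
    (2, "user_agent", "Macintosh"),
    (3, "user_agent", "iPad"),
    (4, "user_agent", "iPhone"),
    (0, "dhcp_vendor_class", "android-dhcp"),
    (0, "user_agent", "Android"),
]


def score(evidence: dict) -> Dict[int, int]:
    """Accumulate certainty per profile from the evidence the WLC actually saw.
    A key is absent when the WLC could not observe it (no DHCP through the WLC,
    no web-auth redirect), which is why such clients stay generic or Unknown."""
    oui = evidence.get("mac", "").lower()[:8]
    totals = {pid: 0 for pid in PROFILES}
    for pid, kind, needle in RULES:
        haystack = oui if kind == "oui" else (evidence.get(kind) or "")
        if needle.lower() in haystack.lower():
            totals[pid] += WEIGHTS[kind]
    return totals


def depth(pid: int) -> int:
    d = 0
    while PROFILES[pid].parent is not None:
        pid = PROFILES[pid].parent
        d += 1
    return d


def chain_qualifies(pid: int, totals: Dict[int, int]) -> bool:
    """A profile is usable only if it and every ancestor reach their Min CM."""
    while pid is not None:
        if totals[pid] < PROFILES[pid].min_cm:
            return False
        pid = PROFILES[pid].parent
    return True


def classify(evidence: dict) -> Tuple[str, int]:
    """Return (profile name, certainty): deepest qualifying profile, highest score on ties."""
    totals = score(evidence)
    best = None
    for pid, prof in PROFILES.items():
        if not chain_qualifies(pid, totals):
            continue
        key = (depth(pid), totals[pid])
        if best is None or key > best[0]:
            best = (key, prof)
    if best is None:
        return ("Unknown", 0)
    return (best[1].name, totals[best[1].pid])


if __name__ == "__main__":
    # Constructed sample clients (the user agent is only visible after web authentication).
    iphone = {"mac": "3c:07:54:11:22:33",
              "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X)"}
    print(classify(iphone))
```

Two things the model makes visible that the slides only imply. First, a device the WLC never sees DHCP or HTTP from can only ever match an OUI-based generic profile, so a "Device Type" policy silently falls back to the WLAN defaults for it. Second, every input is client-supplied: a spoofed user agent outscores the OUI in this model, and the same is true in principle of any profiler, so treat profile-based VLAN or ACL overrides as convenience for managed fleets, not as an access-control boundary.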

Deploying the Cisco Unified Wireless Architecture: Client Profiling; High Availability; Understanding AP Groups / RF Groups; Application Visibility.

Controller Redundancy. Place a redundant WLC in a geographically separate location. Layer-3 connectivity is required between the APs connected to the primary WLC and the redundant WLC. The redundant WLC need not be part of the same mobility group. Configure high availability (HA) to detect failure and fail over faster, and use AP failover priority in case the redundant WLC is oversubscribed. Diagram: a NOC or data centre hosting WLAN-Controller-1, WLAN-Controller-2 through WLAN-Controller-n and WLAN-Controller-BKP; each group of APs is configured with its own controller (1, 2 or n) as primary and WLAN-Controller-BKP as secondary.

Controller Redundancy: High Availability. Principles: the AP registers with a WLC and maintains a backup list of WLCs. The AP uses heartbeats to validate WLC connectivity and Primary Discovery messages to validate the backup WLC list. When the AP loses 3 heartbeats it starts the join process with the first backup WLC candidate. The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary. The AP does not re-initiate the discovery process. Timers (new in 7.2):
    Heartbeat Timeout: 1-30 secs
    Fast Heartbeat Timer: 1-10 secs
    AP Retransmit Interval: 2-5 secs
    AP Retransmit count with Fast Heartbeat enabled: 3-8 times
    AP Fallback to next WLC: 12 secs

HA-SKU as secondary WLC: configuration (screenshot).

High Availability (AP and Client SSO). The 5500/7500/8500 WLCs have a dedicated Redundancy Port (RP) used to sync configuration from the Active to the Standby WLC. Keepalives are sent on the RP from Standby to Active every 100 ms (default timer) to check the health of the Active WLC. ICMP packets are also sent every second from each WLC to check reachability to the gateway via the Redundant Management Interface (RMI). Diagram: RP1 and RP2 linking an Active 5508 to a hot-standby 5500; the redundancy port linking an Active 7510/8510 to a hot-standby 7510/8510.

High Availability: AP SSO (7.3/7.4). The model is 1:1 (Active : Hot-Standby). Supported on 5500 / 7500 / 8500 and WiSM-2, with the same hardware and software version on both units. Two new interfaces: the Redundancy Port and the Redundancy Management Interface. The management IP is the same on Active and Standby. Static and dynamic system configuration is synced to the standby. AP information is synced to the standby when an AP joins or its configuration changes, so an AP CAPWAP re-join is avoided on switchover. Detection time: 5-996 ms for box failover, 3-4 seconds for management-gateway failover. Back-to-back connectivity on the Redundancy Port between the two WLCs. Clients are de-authenticated on failover and forced to re-associate. Effective service downtime = detection time + switchover time (network recovery/convergence) + client re-association time.

Stateful HA with Client SSO (7.5 and above). Client information is synced to the Standby: ✓ it is synced when the client moves to the RUN state, so ✓ client re-association is avoided on switchover. Only fully authenticated clients (RUN state) are synced to the peer; intermediate client state events are not synced, so transient clients are disassociated after switchover. Effective service downtime = detection time + switchover time (network recovery/convergence).

Supported HA Topologies (7.5 and above):
1. Two 5508, 7500 or 8500 connected via back-to-back RP port in the same data center.
2. Two 5508, 7500 or 8500 connected via RP port over an L2 VLAN/fiber in the same or a different data center.
3. Two 5508, 7500 or 8500 connected to a VSS pair.
4. Two WiSM-2 in the same chassis.
5. Two WiSM-2 in different chassis with the redundancy VLAN extended over the L2 network.
6. Two WiSM-2 in different chassis in VSS mode.

SSO Behavior and Recommendations. RTT latency on the redundancy link: 80 ms or less (80% of the keepalive timer). Preferred MTU on the redundancy link: 1500 or above. Bandwidth on the redundancy link: 60 Mbps or more. 5500 / 7500 / 8500 RP connectivity between Active and Standby: ✓ via switches (7.5); ✓ back-to-back (7.3, 7.4, 7.5). WiSM-2: a single 6500 chassis, or different chassis using a VSS setup or by extending the redundancy VLAN. It is recommended to carry the redundancy link and the RMI connectivity between the WLCs over different switches or different L2 networks. Leave the keepalive and peer-discovery timers at their default values for best performance. Default box-failover detection time: 3 × 100 ms = 300 ms, + 60 ms = 360 ms, + jitter (12 ms) ≈ 400 ms.

Deploying the Cisco Unified Wireless Architecture: Client Profiling; High Availability; Understanding AP Groups / RF Groups; Application Visibility.

AP Grouping in Campus (before AP groups). Diagram: a single SSID (Employee) across the access layer, every AP mapping to VLAN 100 /21; distribution and core with CAPWAP to WLC-1 and WLC-2 in the data centre; WAN and Internet access.

AP Grouping in Campus (with AP groups). Diagram: the same single SSID (Employee), but AP-Group-1 maps to VLAN 60 /23, AP-Group-2 to VLAN 70 /23 and AP-Group-3 to VLAN 80 /23, while VLAN 100 /21 remains for the rest; WLC-1 and WLC-2 in the data centre carry VLANs 60, 70 and 80.

Default AP Group. Network name: default AP group. Only WLANs 1-16 are added to the default AP group.

Multiple AP Groups: AP Group 1, AP Group 2, AP Group 3 (diagram).

RF Profiles. RF profiles allow the administrator to tune, as a unit, a group of APs sharing a common coverage zone, selectively changing how RRM operates the APs within that zone. RF profiles are created for either the 2.4 GHz or the 5 GHz radio. Profiles are applied to the APs belonging to an AP group, so all APs in the group get the same profile settings. There are two components to this feature: the RF profile (new in 7.2), which provides administrative control over min/max TPC values, the TPCv1 threshold, the TPCv2 threshold, data rates, high density and client load balancing; and the AP group it is applied through.

RF Profiles: RRM. RF tuning parameters can be applied through profiles assigned to AP groups: 2 profiles per AP group, one each for 2.4 and 5 GHz. Profiles must be applied on ALL WLCs that the APs in the group may join (same rule as for AP groups). This permits control of granular groups of APs. We love it. GUI path: Wireless => RF Profiles.

Profiles: Granular Control over data rates; TPC, DCA and coverage hole detection; load balancing; high density.

Why DCA in RF Profiles. Multi-country support: one AP group per country, each with a defined channel list in its RF profile. Managing a mixed-channel (802.11n/ac 40/80 MHz) environment. Channel assignment by physical area: engineering on the 2nd floor, accounting on the 1st, and you want to limit engineering's impact. Conference centres: assign channel ranges to individual vendors and create buffer zones on the main network to isolate them.

RRM DCA in RF Profiles: the rules. The country code must be set on the controller to allow channels from other regulatory domains. Channels must be selected under Global DCA on the controller to be available in profiles. You must disable the 802.11a/b networks to change DCA channels or channel bandwidth (20/40/80). You can have a different bandwidth assignment in an RF profile than in the global configuration. RF profiles and AP groups must be present on every controller that has an AP you want to include in the AP group.

Profiles Applied Through AP Groups: create the profiles; create or edit the AP groups; apply the profiles (2.4/5 GHz) to the AP groups; assign the APs.

RF Profiles in Campus. Diagram: RF-Profile-1, RF-Profile-2 and RF-Profile-3 applied to the AP groups that map to VLANs 60/61 /23, 70/71 /23 and 80/81 /23 respectively, all under the single SSID (Employee); WLC-1 and WLC-2 in the data centre carry VLANs 60, 61, 70, 71, 80 and 81; distribution, core, WAN and Internet as before.

Deploying the Cisco Unified Wireless Architecture: Client Profiling; High Availability; Understanding AP Groups / RF Groups; Application Visibility.

Application Visibility & Control. Congestion: on the WAN behind the WLC, real-time, interactive, non-real-time and non-business traffic all compete. What applications are in the air? Why is my key application running slow? How do I support a new application for a set of users?

AVC Supported Features. Classification: identification of application/protocol with stateful L4-L7 classification (NBAR); the WLC can classify 1088 applications. AVC (Application Visibility and Control): provides visibility of the classified traffic and the option to control it using a Drop or Mark (DSCP) action. Action DROP: traffic for that application is dropped. Action MARK: a particular application can be marked with one of the QoS profiles available on the WLC, or the administrator can define a custom DSCP value for that application. AVC marking overrides all other QoS markings. NetFlow: exports NBAR statistics to a NetFlow collector such as Cisco Prime Assurance Manager (PAM). AVC is supported on 2500, 5500, 7500, 8500 and WiSM2 controllers with APs in Local and FlexConnect mode. A WLC supports 16 AVC profiles; a WLAN can have only 1 AVC profile, and each profile can contain 32 rules, so each WLAN supports up to 32 mark-or-drop application actions.

Enabling AVC. AVC is enabled on a per-WLAN basis; a global summary of the top applications appears on the controller's Monitor screen.

AVC Profile. Custom AVC profiles are created to shape traffic (mark or drop per application); apply the custom profile per WLAN.

NetFlow Monitor. Configure a NetFlow exporter on the controller and apply it to the WLAN.

AVC Summary. Application statistics per WLAN with more detail, split into upstream and downstream.

AVC on 8.0. The WLC works with Prime Infrastructure and the AAA server: the AAA server returns Cisco-av-pair=avc-profile-name=<avc profile on wlc> and Cisco-av-pair=role=<role name> for the user. Diagram: a Teacher and a Student connected to the same SSID (Classroom, security WPA2/802.1X) through the same AP and switch, each with their own per-role application treatment (YouTube, Facebook, Skype, bittorrent). The AAA profile lets different users/clients obtain different mDNS/AVC profiles even though they are connected to the same SSID, tied to the same VLAN.

AVC configuration for AAA override: example with Teacher and Student profiles (screenshot).

Directional DSCP configuration (screenshot).

Agenda (section divider): Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Deploying the Cisco Unified Wireless Architecture; Best Practices.

Bringing It All Together: Best Practices
NETWORK DESIGN
- Enable High Availability (AP and Client SSO)
- Enable pre-image download
- Enable AP failover priority
- Enable AVC (application visibility and control)
- Enable NetFlow export on your WLC
- Enable local profiling (DHCP and HTTP)
- Enable VLAN pooling
- Enable NTP
- Enable FlexConnect groups
- Enable FlexConnect AP upgrade
WIRELESS / RF
- Disable 802.11b data rates
- Restrict the number of WLANs/SSIDs to 3 or fewer
- Enable channel bonding (40 or 80 MHz)
- Enable BandSelect
- Use AP groups and RF groups
- Use RF profiles to meet network needs
- Set the RSSI low checks
- Enable RRM (DCA and TPC) in auto mode
- Enable automatic RF group leader selection
- Enable Cisco CleanAir and EDRRM
- Enable noise and rogue monitoring on all channels
- Enable client load balancing

Bringing It All Together: Best Practices (cont.)
SECURITY
- Enable 802.1X with WPA/WPA2 on the WLAN/SSID
- Tune the advanced EAP timers
- Enable SSH and SNMPv3 (and disable Telnet and SNMPv1/v2c)
- Enable DHCP proxy
- Enable 802.11w (PMF), 802.11k and 802.11v (verify your legacy clients against 802.11w before making it required)
- Enable client exclusion
- Enable rogue classification
- Enable Locally Significant Certificates (LSC)
- Enable IDS / wIPS
- Install the WSSI / security module to monitor all channels
- Enable a maximum number of concurrent logins per user name
- Enable strong password policies
- Enable an ACL on your WLAN
INFRASTRUCTURE
- Enable EoIP for the guest anchor WLC
- Enable external or internal web authentication for guests
- Enable split tunneling for OEAP
- Enable fast SSID change
- Enable per-user bandwidth contracts
- Enable WMM
- Enable QoS on your WLAN
- Enable multicast mobility for large mobility domains
- Enable 802.1X authentication for APs

THANK YOU