Design and Deployment of Enterprise WLANs
Steve Acker, Wireless Network Consulting Engineer, CCIE #14097, CISSP #86844
BRKAGG-2010
Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Network Design Overview

Section Agenda
- Connecting Controllers and APs to Networks
- Controller Redundancy and AP Load Balancing
- Campus WLAN Controller Designs
- Branch Office WLAN Controller Designs
- Migrating from Autonomous APs to the Controller-based Architecture

Understanding WLAN Controllers—The WLAN Controller as a Network Device
(Diagram labels: LWAPP tunnel, WLAN controller, Data VLAN, Voice VLAN, Management VLAN)
- For wireless end-user devices, the controller is an 802.1Q bridge that takes traffic off the air and puts it on a VLAN
- From the perspective of the AP, the controller is an LWAPP tunnel endpoint with an IP address
- From the perspective of the network, it is a layer-2 device connected via one or more 802.1Q trunk interfaces
- The AP connects to an access port; no concept of VLANs at the AP is necessary

Understanding WLAN Controllers—The WLAN Controller as a Network Device
Three important concepts to understand:
- Port: physical connection to a neighbor switch/router
- Interface: logical connection mapping to a VLAN on the neighbor switch/router
    Management interface
    AP Manager interface(s)
    Dynamic interface(s)
    Virtual interface
    Service interface
- WLAN: entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters

Initial Controller Configuration

    Welcome to the Cisco Wizard Configuration Tool
    Use the '-' character to backup
    System Name [Cisco_44:36:c3]:
    Enter Administrative User Name (24 characters max): admin
    Enter Administrative Password (24 characters max): admin
    Service Interface IP Address Configuration [none][DHCP]:
    Enable Link Aggregation (LAG) [yes][NO]: no
    Enter Port number :
    Management Interface IP Address: 10.10.80.3
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 10.10.80.1
    Management Interface VLAN Identifier (0 = untagged):
    Management Interface Port Num [1 to 2]:
    Management Interface DHCP Server IP Address: 10.10.80.1
    AP Transport Mode [layer2][LAYER3]: layer3
    AP Manager Interface IP Address: 10.10.80.4
    AP-Manager is on Management subnet, using same values
    AP Manager Interface DHCP Server (10.10.80.1):
    Virtual Gateway IP Address: 1.1.1.1
    Mobility/RF Group Name: mobile-1
    Enable Symmetric Mobility Tunneling: No
    Network Name (SSID): secure-1
    Allow Static IP Addresses [YES][no]:
    Configure a RADIUS Server now? [YES][no]:
    Enter the RADIUS Server's Address: 10.10.10.12
    Enter the RADIUS Server's Port [1812]:
    Enter the RADIUS Server's Secret: cisco
    Enter Country Code (enter 'help' for a list of countries) [US]:
    Enable 802.11b Network [YES][no]:
    Enable 802.11a Network [YES][no]:
    Enable 802.11g Network [YES][no]:

Initial Configuration Screen of WLC
(Screenshot callouts: Service Port, Management Port, AP Manager Port, Virtual Gateway)

Connecting the WLAN Controller to the Network
Options: link aggregation (LAG) or no LAG
- LAG is supported on the 440x, WiSM, and Cisco 3750G integrated WLAN controller switch
- LAG is the only option for the WiSM and the Cisco 3750G integrated WLAN controller switch
- A 440x-based controller allows 48 APs per port in the absence of LAG
- Use multiple "AP Manager" interfaces to support more than 48 APs on the WLC without LAG; the LWAPP algorithm will load-balance APs across the AP managers
- LAG allows use of a single "AP Manager" interface by load-balancing traffic across an EtherChannel interface
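The wizard transcript above is worth reviewing before the controller goes live: its answers include the well-known admin/admin login and the RADIUS shared secret cisco. As an added example (not Cisco's code and not part of the original deck), this Python script parses a wizard transcript and flags default secrets together with the addressing mistakes the interface concepts above imply: the AP-manager and the default router should lie in the management subnet, the virtual gateway must be a fictitious address that is not in use on the network, and only the layer-3 transport mode is supported for upgraded APs. The transcript embedded in it is constructed from the slide's answers; the finding codes and the WEAK_SECRETS list are this example's own.

```python
import ipaddress
import re

# Constructed sample: the answers shown on the slide's wizard transcript.
WIZARD_TRANSCRIPT = """\
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (24 characters max): admin
Enable Link Aggregation (LAG) [yes][NO]: no
Management Interface IP Address: 10.10.80.3
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.10.80.1
AP Transport Mode [layer2][LAYER3]: layer3
AP Manager Interface IP Address: 10.10.80.4
Virtual Gateway IP Address: 1.1.1.1
Enter the RADIUS Server's Address: 10.10.10.12
Enter the RADIUS Server's Secret: cisco
"""

# Well-known default secrets; a constructed list, extend it from your own password policy.
WEAK_SECRETS = {"", "admin", "cisco", "password", "secret"}


def parse_wizard(transcript):
    """Map each wizard prompt (minus its [default] / (hint) decorations) to the typed answer."""
    answers = {}
    for line in transcript.splitlines():
        if ":" not in line:
            continue
        prompt, answer = line.rsplit(":", 1)
        prompt = re.sub(r"\s*(\[[^\]]*\]|\([^)]*\))", "", prompt).strip()
        answers[prompt] = answer.strip()
    return answers


def review_wizard(answers):
    """Return a sorted list of finding codes; an empty list means nothing to fix."""
    findings = set()
    user = answers.get("Enter Administrative User Name", "")
    password = answers.get("Enter Administrative Password", "")
    if password.lower() in WEAK_SECRETS or password == user:
        findings.add("weak-admin-password")
    if answers.get("Enter the RADIUS Server's Secret", "").lower() in WEAK_SECRETS:
        findings.add("weak-radius-secret")
    if answers.get("AP Transport Mode", "").lower() != "layer3":
        findings.add("transport-not-layer3")  # only layer-3 LWAPP is supported for upgraded APs

    mgmt = ipaddress.ip_interface(
        f"{answers['Management Interface IP Address']}/{answers['Management Interface Netmask']}"
    )
    subnet = mgmt.network
    router = ipaddress.ip_address(answers["Management Interface Default Router"])
    ap_mgr = ipaddress.ip_address(answers["AP Manager Interface IP Address"])
    virtual = ipaddress.ip_address(answers["Virtual Gateway IP Address"])
    if router not in subnet:
        findings.add("default-router-off-mgmt-subnet")
    if ap_mgr not in subnet:
        findings.add("ap-manager-off-mgmt-subnet")  # then it needs its own gateway/DHCP values
    if ap_mgr == mgmt.ip:
        findings.add("ap-manager-equals-management")
    if virtual in subnet or virtual == router:
        findings.add("virtual-gateway-is-a-real-address")  # must be a fictitious, unused address
    return sorted(findings)


if __name__ == "__main__":
    for code in review_wizard(parse_wizard(WIZARD_TRANSCRIPT)):
        print("finding:", code)
```

Run against the slide's answers it reports weak-admin-password and weak-radius-secret and nothing else; feeding it a saved console capture of your own wizard run works the same way, since the prompt text is the key.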

Multiple AP Manager Interfaces
(diagram only)

Link Aggregation—Single AP Manager Interface
- No EtherChannel mode negotiation (LACP, PAgP): set "etherchannel mode on" for the neighboring switchports
- Requires ip-src-dst load balancing for the switch EtherChannel
    Default on the 6K
    Default on the 3750 is src-mac
- Packets are forwarded out the same port they arrived on
- A single LAG group per WLC is supported

H-REAP WLAN Configuration
- Configure the WLAN for H-REAP operation

H-REAP AP Configuration
- Select a desired AP...

H-REAP AP Configuration (Cont.)
- ...and set it to H-REAP mode and enter VLAN info
- Enable VLAN support and enter the native VLAN information

H-REAP AP Configuration (Cont.)
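The Link Aggregation slide's requirement for ip-src-dst load balancing (and the 3750's src-mac default) is easier to see with a small model. This added Python example (not Cisco's code, and not the Catalyst hashing algorithm, which it replaces with a byte-XOR stand-in) counts how the frames the neighbor switch forwards to the controller fall on the two member links of a LAG. With layer-3 LWAPP every frame the switch sends toward the controller arrives via the router, so it carries the router's source MAC; src-mac hashing therefore lands all of them on one link, while src-dst-ip spreads them across the AP addresses. The MAC addresses, the AP subnet and the 2-port LAG are constructed; the AP-manager address is the slide's.

```python
import ipaddress
from collections import Counter

# Constructed topology: a WLC behind a 2-port LAG, one AP-manager interface,
# 48 APs on a routed subnet reached through one next-hop router.
WLC_MAC = "00:0b:85:44:36:c3"      # constructed
ROUTER_MAC = "00:1e:f7:aa:bb:cc"   # constructed: the next hop's MAC on the WLC's VLAN
AP_MANAGER_IP = "10.10.80.4"       # the slide's AP-manager address
AP_IPS = [str(h) for h in ipaddress.ip_network("10.20.1.0/24").hosts()][:48]  # constructed
PORTS = 2


def fold(value, nbytes):
    """XOR all bytes of an integer field down to a single byte."""
    h = 0
    for _ in range(nbytes):
        h ^= value & 0xFF
        value >>= 8
    return h


def member_port(frame, policy, ports=PORTS):
    """Toy stand-in for the switch's EtherChannel hash (not the real Catalyst algorithm):
    the chosen member link depends only on the fields the load-balance policy selects."""
    if policy == "src-mac":
        h = fold(int(frame["src_mac"].replace(":", ""), 16), 6)
    elif policy == "src-dst-ip":
        h = fold(int(ipaddress.ip_address(frame["src_ip"])), 4) ^ \
            fold(int(ipaddress.ip_address(frame["dst_ip"])), 4)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return h % ports


def frames_to_wlc():
    """LWAPP frames from the APs as the neighbor switch sees them after routing:
    every one has the router's MAC as source, only the IP addresses differ."""
    for ap in AP_IPS:
        yield {"src_mac": ROUTER_MAC, "dst_mac": WLC_MAC, "src_ip": ap, "dst_ip": AP_MANAGER_IP}


def link_usage(policy, frames=None):
    """Count how many switch-to-WLC frames each member link carries under a policy.
    (The WLC's own replies are not hashed by the switch; per the slide the WLC sends
    them out the port they arrived on.)"""
    return Counter(member_port(f, policy) for f in (frames or frames_to_wlc()))


if __name__ == "__main__":
    for policy in ("src-mac", "src-dst-ip"):
        print(f"{policy:11s} -> frames per member link: {dict(link_usage(policy))}")
```

With src-mac all 48 frames share one link; with src-dst-ip the 48 AP addresses split 24/24, which is the behaviour the slide asks you to configure on the switch side of the LAG.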
- ...and configure local VLAN tagging
- Set the VLAN ID per locally switched WLAN
- WLANs with LOCAL SWITCHING are not configurable

Branch Office WLAN Controller Options
- Appliance controllers
    Cisco 2106 (support for APs)
    Cisco 4402-12, 4402-24
- Integrated controllers
    WLAN controller module (WLCM) for ISR
    Cisco 3750 integrated WLAN controller (support for 25, 50 APs)
(Figure: 2106 and 440x appliances; WLCM in ISR and Cisco 3750 integrated WLAN controller)

Section Agenda
- Connecting Controllers and APs to Networks
- Controller Redundancy and AP Load Balancing
- Design Considerations
- Migration from Autonomous APs to the Controller-based Architecture

Upgrading Autonomous Access Points to LWAPP Mode
Basic AP upgrade process:
- Use the Cisco-provided upgrade tool to load the "LWAPP Recovery IOS Image" onto the AP(s)
- The AP joins a controller and downloads the full LWAPP IOS image
LWAPP IOS upgrade is supported on the following platforms:
- 1120G series (802.11b/g)
- 1200 series, including 1210, 1230 (802.11b/g and/or 2nd generation 802.11a radios: RM21A, RM22A)
- 1130AG
- 1240AG
- BR1310 (only AP mode is supported in LWAPP)
- Only layer-3 LWAPP mode is supported
- Roll-back to autonomous mode is supported

LWAPP Upgrade Requirements
- Ensure the AP's hardware is supported
- The AP is running IOS release 12.3(7)JA or later
- The controller is running 3.1 or later and telnet is enabled, either from the CLI:
    (WLC_CLI) >config network telnet enable
  or in the WLC GUI: go to Management | Telnet-SSH and enable Telnet
- Each AP's information is input into a text file in the following format:
    ap-ip-address,telnet-username,telnet-user-password,enable-password
    ap-ip-address,telnet-username,telnet-user-password,enable-password
    …

Using the LWAPP Upgrade Tool
(Screenshot callouts: AP upgrade tool; AP upgrade process status; click for AP MAC and SSC output)
- Point the Upgrade Tool to the AP CSV text file
- Ensure the latest IOS LWAPP (JX) image is available via TFTP
- Telnet must be enabled on a WLC
- Make sure the time is correctly set
- APs with static IP addresses will rely on DNS to find WLCs across router hops
- APs may be upgraded simultaneously; their completion status bars are shown in the tool

Upgrading Autonomous Access Points to LWAPP Mode—Self-signed Certificates
- The LWAPP join process assumes X.509 certificates and factory-installed public/private keys
- All Cisco APs manufactured after July 18, 2005 have "Manufacturing Installed Certificates" (MIC)
- Cisco Aironet APs manufactured prior to July 18, 2005 do not have factory-installed public/private keys and certificates
- The upgrade tool issues commands to the AP to have it generate an RSA key pair and a self-signed certificate (SSC), and installs the root CAs so that the AP can authenticate controllers
- SSCs must be individually authorized on each controller
- The upgrade tool extracts the public key and can install it on a controller
- It also stores an AP MAC, public key tuple in a CSV file that can be imported into WCS and other controllers
- http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html

Upgrading Autonomous Access Points to LWAPP Mode—Best Practices
Basic upgrade strategy:
- Deploy and validate controllers and WCS
- Plan an LWAPP discovery strategy so APs can discover controllers
- Test the process in a lab or on low-traffic, easy-to-troubleshoot APs to validate the procedure
- Do the migration during a change window and allow time for troubleshooting
- Save the CSV file(s) with
  the MAC/Public Key mappings even if you import them to WCS
- Migrate APs in logical blocks rather than en masse
- Take caveats to co-existence into consideration
- Evaluate tolerance for downtime

Upgrading Autonomous Access Points to LWAPP Mode—Planning the LWAPP Discovery Strategy
Options for discovery when upgrading autonomous access points to LWAPP:
- Local subnet broadcast of LWAPP discovery request
- Vendor-specific DHCP option 43
- DNS resolution of "CISCO-LWAPP-CONTROLLER.localdomain"
- Console port priming commands (valid only with the LWAPP recovery IOS image)
- OTAP is not supported in the LWAPP recovery IOS image
- Most autonomous Cisco Aironet APs are deployed with static IP addresses
- The AP preserves its static IP address, default gateway, sysName, DNS server and domain name during the upgrade process
- Many Cisco customers have chosen to erase the AP configurations before upgrading and migrate to DHCP addresses instead of static IP addresses

Upgrading Autonomous Access Points to LWAPP Mode—WLSM and WiSM Co-Existence
- WLSM and WiSM can co-exist in the same 650x chassis (NOT RECOMMENDED)
- Minimum software requirements:
    Supervisor 720: 12.2(18)SXF2
    WLSM: Version 1.4.1
    WiSM: 3.2.116.x
- http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a008073614c.shtml

Coexistence Between Autonomous Access Point and Controller-Based Architecture
- No seamless roaming between architectures
- No coordination between WLSE radio management (RM) and Cisco Unified Architecture RRM; the RM and RRM algorithms should account for contention
- Each architecture may report the other's APs as rogue
- Consider the network architectural impact and any necessary changes very carefully
- Upgraded APs should be connected to access ports instead of trunk ports
- May need to clean up and harvest old, unnecessary VLANs and IP subnets
- Plan out new IP addressing schemes for wireless clients and APs
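The upgrade tool's AP list (slide "LWAPP Upgrade Requirements" above) is a plain-text file of ap-ip-address,telnet-username,telnet-user-password,enable-password rows, so it holds cleartext Telnet and enable credentials for every AP being migrated. As an added example, not part of the upgrade tool or of the deck, this Python loader validates such a file before it is fed to the tool (field count, IPv4 syntax, duplicate APs, factory-default passwords) and checks that the file is readable only by its owner. The sample rows, the DEFAULT_CREDENTIALS list and the helper names are constructed.

```python
import csv
import io
import ipaddress
import os
import stat

# Constructed sample in the slide's format; it deliberately contains a factory
# credential, a malformed address, a duplicate AP and a short row.
SAMPLE_AP_LIST = """\
10.20.1.11,Cisco,Cisco,Cisco
10.20.1.12,apadmin,s3cr3t-tel,s3cr3t-en
10.20.1.999,apadmin,s3cr3t-tel,s3cr3t-en
10.20.1.12,apadmin,s3cr3t-tel,s3cr3t-en
10.20.1.13,apadmin,s3cr3t-tel
"""

FIELDS = ("ap_ip", "telnet_user", "telnet_password", "enable_password")
DEFAULT_CREDENTIALS = {"cisco"}  # constructed: well-known factory value worth flagging


def load_ap_list(text):
    """Parse ap-ip,telnet-user,telnet-password,enable-password rows.
    Returns (entries, problems): the rows the tool should get, plus one message per
    rejected or suspicious row (rows with default passwords are kept but reported)."""
    entries, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # blank line
        if len(row) != len(FIELDS):
            problems.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
            continue
        entry = dict(zip(FIELDS, (c.strip() for c in row)))
        try:
            ipaddress.IPv4Address(entry["ap_ip"])
        except ValueError:
            problems.append(f"line {lineno}: invalid AP address {entry['ap_ip']!r}")
            continue
        if entry["ap_ip"] in seen:
            problems.append(f"line {lineno}: duplicate AP {entry['ap_ip']}")
            continue
        seen.add(entry["ap_ip"])
        if (entry["telnet_password"].lower() in DEFAULT_CREDENTIALS
                or entry["enable_password"].lower() in DEFAULT_CREDENTIALS):
            problems.append(f"line {lineno}: AP {entry['ap_ip']} still uses a factory-default password")
        entries.append(entry)
    return entries, problems


def file_is_private(path):
    """True when the credential file is readable/writable by its owner only (0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="ascii").read() if path else SAMPLE_AP_LIST
    entries, problems = load_ap_list(text)
    if path and not file_is_private(path):
        problems.append(f"{path}: readable by group/others; holds cleartext credentials")
    print(f"{len(entries)} AP(s) ready for the upgrade tool")
    for p in problems:
        print("problem:", p)
```

Because the file is consumed by Telnet logins, anything in it is recoverable by whoever can read the file or sniff the segment; keep it at mode 0600 during the change window and delete it (and the Telnet enablement on the WLC) when the migration is done.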
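Of the discovery options listed on the "Planning the LWAPP Discovery Strategy" slide, DHCP option 43 is the one that needs a correctly encoded value. This added Python example (not Cisco's code) encodes a list of controller management addresses into the vendor-specific layout Cisco documents for LWAPP/CAPWAP discovery (a single TLV: type 0xF1, a length of 4 times the number of controllers, then each IPv4 address as four raw bytes) and decodes it back, rejecting a truncated or misaligned list; the type value comes from Cisco's documentation rather than from this page. It also builds the CISCO-LWAPP-CONTROLLER name from the domain name an AP keeps through the upgrade, which is this example's reading of the slide's DNS option. The first controller address is the slide's management address; the second is constructed.

```python
import ipaddress

# Cisco's option 43 layout for LWAPP/CAPWAP controller discovery (from Cisco documentation,
# not stated on the slide): type 0xF1, length = 4 * controllers, then raw IPv4 addresses.
LWAPP_CONTROLLER_TYPE = 0xF1


def encode_option43(controller_ips):
    """Return the option 43 payload as a hex string for a DHCP server's raw-hex option form."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(body) > 255:
        raise ValueError("too many controllers for a single TLV")
    return (bytes([LWAPP_CONTROLLER_TYPE, len(body)]) + body).hex()


def decode_option43(hex_payload):
    """Parse a payload back into controller addresses. Tolerates other TLVs in the same
    option, ignores dotted/spaced hex grouping, and rejects truncated or misaligned data."""
    data = bytes.fromhex(hex_payload.replace(".", "").replace(" ", ""))
    controllers, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        if tlv_type == LWAPP_CONTROLLER_TYPE:
            if length % 4:
                raise ValueError("controller list length is not a multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, length, 4)]
        i += 2 + length
    return controllers


def discovery_fqdn(ap_domain_name):
    """Name an upgraded AP resolves for DNS discovery, using the domain it kept from
    its autonomous configuration (assumed mapping of the slide's 'localdomain')."""
    return "CISCO-LWAPP-CONTROLLER." + ap_domain_name.strip(".")


if __name__ == "__main__":
    # The slide's management address plus a constructed second controller.
    payload = encode_option43(["10.10.80.3", "10.10.81.3"])
    print("option 43 hex:", payload)
    print("decoded:", decode_option43(payload))
    print("DNS name:", discovery_fqdn("corp.example.com"))
```

Servers differ in how they want the bytes written (Cisco IOS pools take them after `option 43 hex`, other servers want dotted or spaced groups), so run the value you configured through decode_option43 to confirm it still lists the controllers you intended.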