PDI - Cisco Centralized Wireless Architecture Fundamentals 1 - Text Courseware.ppt

Uploaded by (seller): 三亚风情 Document ID: 3573216 Upload date: 2022-09-19 Format: PPT Pages: 72 Size: 2.31MB

2005 Cisco Systems, Inc. All rights reserved. AGG-2010 Design and Deployment of 802.11 Wireless LANs with Centralized Controllers

Slide 1: Design and Deployment of 802.11 Wireless LANs with Centralized Controllers

Slide 2: Understanding the Cisco Unified Wireless Architecture

Slide 3: Section Agenda
- Controller-based Architecture Overview
- Lightweight Access Point Protocol (LWAPP)
  - Protocol Overview
  - LWAPP AP Discovery and Join Process
  - LWAPP Operations
- Mobility in the Cisco Unified WLAN Architecture
- Architecture Building Blocks

Slide 4: Cisco Unified Wireless Network
End-to-End, Unified. Only Cisco.
- Unified Advanced Services: Unified cellular and Wi-Fi VoIP. Advanced threat detection, identity networking, location-based security, asset tracking and guest access.
- World-Class Network Management: Same level of security, scalability, reliability, ease of deployment, and management for wireless LANs as wired LANs.
- Network Unification: Integration into all major switching and routing platforms. Secure innovative WLAN controllers.
- Mobility Platform: Ubiquitous network access in all environments. Enhanced productivity. Proven platform with large install base and 63% market share. Plug and Play.
- Client Devices: 90% of Wi-Fi silicon is Cisco Compatible Certified. "Out-of-the-Box" wireless security.

Slide 5: Cisco Centralized WLAN Model
[Diagram labels: LWAPP Tunnel; Ingress/Egress point from/to upstream switched/routed wired network (802.1Q trunk); Switched/Routed Wired Network; Lightweight Access Point; Wireless LAN Controller; Control Messages; Data Encapsulation]
- Access Points are "lightweight", controlled by a centralized WLAN controller
- Much of the traditional WLAN functionality moved from access points to centralized WLAN controller
- LWAPP defines control messaging and data encapsulation between access points and centralized WLAN controller

Slide 6: Section Agenda
- Controller-based Architecture Overview
- Lightweight Access Point Protocol (LWAPP)
  - Protocol Overview
  - LWAPP AP Discovery and Join Process
  - LWAPP Operations
- Mobility in the Cisco Unified WLAN Architecture
- Architecture Building Blocks

Slide 7: Cisco Centralized WLAN Model
[Diagram labels: LWAPP Tunnel; Ingress/Egress point from/to upstream switched/routed wired network (802.1Q trunk); Switched/Routed Wired Network; Lightweight Access Point; Wireless LAN Controller; Control Messages; Data Encapsulation]
- Remote RF interface
- Real-time 802.11 MAC
- RF spectral analysis
- WLAN IDS Signature analysis
- Security management
- QoS policies enforcement
- Centralized configuration, firmware management
- Northbound management interfaces
- LWAPP carries all communication between access point and controller
  - L2 or L3 transport
  - Mutual authentication, X.509 certificate based
  - LWAPP control AES-CCM encrypted
  - Data encapsulation
- Radio resource management
- Mobility management

Slide 8: Division of Labor: Split MAC
[Diagram labels: LWAPP Tunnel; Ingress/Egress point from/to upstream switched/routed wired network (802.1Q trunk); Switched/Routed Wired Network; Lightweight Access Point; Wireless LAN Controller; Control Messages; Data Encapsulation]
Real-time 802.11/MAC functionality:
- Beacon Generation
- Probe Response
- Power management/Packet buffering
- 802.11e/WMM scheduling, queueing
- MAC layer data encryption/decryption
- 802.11 control messages
Data encapsulation/de-encapsulation
Fragmentation/De-fragmentation
Non real-time 802.11/MAC functionality:
- Assoc/Disassoc/Reassoc
- 802.11e/WMM resource reservation
- 802.1X/EAP Key management
802.11 Distribution services
Wired/Wireless Integration services

Slide 9: Division of Labor: Local MAC
[Diagram labels: LWAPP Tunnel; Switched/Routed Wired Network; Lightweight Access Point; Wireless LAN Controller; Control Messages Only]
Real-time 802.11/MAC functionality:
- Beacon Generation
- Probe Response
- Assoc/Disassoc/Reassoc
- Power management/Packet buffering
- 802.11e/WMM scheduling, queueing
- MAC layer data encryption/decryption
- 802.11 control messages
Data encapsulation/de-encapsulation
Fragmentation/De-fragmentation
802.11 Distribution services
Wired/Wireless Integration services
Non real-time 802.11/MAC functionality:
- Proxy Assoc/Disassoc/Reassoc
- 802.11e/WMM resource reservation
- 802.1X/EAP/WPA Key management
User traffic bridged locally at the Ethernet port of the AP. With REAP, this connection is an access link, but with H-REAP, this can either be access or 802.1Q trunk.

Slide 10: Layer-2 LWAPP Architecture
[Diagram labels: LWAPP Tunnel, Layer 2 only, Ethertype 0xBBBB; Ingress/Egress point from/to upstream switched/routed wired network (802.1Q trunk); Layer 2 Subnet, Single Broadcast Domain; Lightweight Access Point; Wireless LAN Controller]
- Access Points don't require IP addressing
- Controllers need to be on EVERY subnet on which APs reside
- L2 LWAPP was the first step in the evolution of the architecture; many current products do not support this functionality

Slide 11: Layer-3 LWAPP Architecture
[Diagram labels: Ingress/Egress point from/to upstream switched/routed wired network (802.1Q trunk); Layer 2/3 Wired Network, Single or Multiple Broadcast Domains; Lightweight Access Point; Wireless LAN Controller; L3 LWAPP Tunnel; Control Messages UDP 12223; Data Encapsulation UDP 12222]
- Access Points require IP addressing
- APs can communicate w/ WLC across routed boundaries
- L3 LWAPP is more flexible than L2 LWAPP and all products support this LWAPP operational flavor

Slide 12: LWAPP State Machine (Simplified)
- LWAPP defines a state machine that governs the AP and controller behavior
- Major states:
  - Discovery: AP looks for a controller
  - Join: AP attempts to establish a secured relationship with a controller
  - Image Data: AP downloads code from controller
  - Config: AP receives configuration from controller
  - Run: AP and controller operate normally and service data
  - Reset: AP clears state and starts over
- Note: LWAPP/CAPWAP RFC defines other states

Slide 13: Section Agenda
- Controller-based Architecture Overview
- Lightweight Access Point Protocol (LWAPP)
  - Protocol Overview
  - LWAPP AP Discovery and Join Process
  - LWAPP Operations
- Mobility in the Cisco Unified WLAN Architecture
- Architecture Building Blocks

Slide 14: LWAPP Discovery State
AP runs HUNTING algorithm to find candidate controllers to join

Slide 15: LWAPP Control Messages for Controller Hunting/Discovery
- LWAPP Discovery Request: AP issues 1 or more of these messages to find controllers (sent to Management Interface IP Address)
- LWAPP Discovery Response: Any controller receiving an LWAPP Discovery Request responds with this message to the requesting AP
[Diagram labels: LWAPP Discovery Request; LWAPP Discovery Response]

Slide 16: WLAN Controller Hunting Algorithm
1. AP issues a DHCP DISCOVER to get an IP address (unless it has a previously configured static IP address)
2. If L2-LWAPP Mode is supported, send an LWAPP Discovery Request in an Ethernet broadcast
   - If a WLAN Controller in L2 LWAPP Mode responds with an LWAPP Discovery Response, the AP moves to the LWAPP Join phase
3. If L2-LWAPP Mode is not supported or step 2 fails to find a WLAN controller, attempt an L3-LWAPP WLAN Controller Discovery*
4. If step 3 fails to find a valid candidate controller, reboot and return to step 1

Slide 17: Layer-3 LWAPP WLAN Controller Discovery
The AP goes through the following discovery steps:
1. LWAPP Discovery Request broadcast on local subnet (IP broadcast)
   - WLAN Controller on same subnet as AP will respond with LWAPP Discovery Response
2. LWAPP Discovery Request sent to controller IP addresses learned via Over-the-Air Provisioning (OTAP)
   - OTAP: Already joined APs advertise WLAN Controller in Over-the-Air neighbor messages
3. LWAPP Discovery Request sent to ALL locally stored controller IP address(es)
   - AP stores controller IP address of previously joined controller plus the controller's "Mobility Group" members in NVRAM
4. LWAPP Discovery Request sent to IP Address(es) learned in vendor specific DHCP Option 43
5. LWAPP Discovery Request sent to IP Address(es) learned through DNS resolution of "CISCO-LWAPP-CONTROLLER.localdomain"
6. If no controller found, start hunting algorithm over
AP compiles a LIST of candidate controllers from the received LWAPP Discovery Responses

Slide 18: LWAPP Join State
AP selects controller(s) from the candidate controller list to JOIN
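An added example (not part of the Cisco deck): discovery step 4 on slide 17 uses whatever controller addresses DHCP Option 43 supplies, so a captured Option 43 payload can be checked against the list of approved controllers. The 0xF1 type-length-value layout is an assumption taken from Cisco's Option 43 documentation for lightweight APs, not from these slides, and all addresses and payloads are constructed.

```python
import ipaddress

# Assumption (Cisco documentation, not this deck): lightweight APs read
# Option 43 as a TLV: type 0xF1, length = 4 * N, then N IPv4 addresses.
LWAPP_SUBOPTION = 0xF1

def parse_option43(raw: bytes) -> list:
    """Return the controller IPv4 addresses carried in an Option 43 payload."""
    controllers, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        sub_type, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past end of option")
        if sub_type == LWAPP_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("controller list is not a multiple of 4 bytes")
            controllers += [ipaddress.IPv4Address(value[j:j + 4])
                            for j in range(0, length, 4)]
        i += 2 + length
    return controllers

def audit_option43(raw: bytes, approved: set) -> dict:
    """Split advertised controllers into approved and unexpected addresses."""
    try:
        advertised = parse_option43(raw)
    except ValueError as exc:
        return {"status": "malformed", "detail": str(exc)}
    unexpected = [str(ip) for ip in advertised if ip not in approved]
    return {"status": "unexpected" if unexpected else "ok",
            "advertised": [str(ip) for ip in advertised],
            "unexpected": unexpected}

# Constructed sample data (documentation address ranges, not from the deck).
APPROVED = {ipaddress.IPv4Address("192.0.2.10"),
            ipaddress.IPv4Address("192.0.2.11")}
GOOD = bytes.fromhex("f108c000020ac000020b")
UNLISTED = bytes.fromhex("f108c000020ac6336463")  # second entry 198.51.100.99
TRUNCATED = bytes.fromhex("f108c000020a")         # claims 8 bytes, carries 4

if __name__ == "__main__":
    for name, payload in (("good", GOOD), ("unlisted", UNLISTED),
                          ("truncated", TRUNCATED)):
        print(name, audit_option43(payload, APPROVED))
```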

Slide 19: WLAN Controller Selection Algorithm
- LWAPP Discovery Response contains important information from the WLAN Controller: Controller sysName, controller type, controller AP capacity, current AP load, "Master Controller" status, AP Manager IP address(es) and number of APs joined to the AP Manager
- After an "LWAPP Discovery Interval" timer expires, the AP selects a controller to join using the following decision criteria:
  1. If AP has been previously configured with a primary, secondary, and/or tertiary controller, the AP will attempt to join these first (specified in the Controller sysName)
  2. Attempt to join a WLAN Controller configured as a "Master" controller
  3. Attempt to join the WLAN Controller with the greatest excess AP capacity
- This last step provides the whole system with dynamic AP load-balancing

Slide 20: LWAPP Control Messages for Join Process
- LWAPP Join Request: AP sends this message to selected controller (sent to AP Manager Interface IP Address)
- LWAPP Join Response: If controller validates AP request, it sends the LWAPP Join Response indicating that the AP is now registered with that controller
[Diagram labels: LWAPP Join Request; LWAPP Join Response]

Slide 21: Section Agenda
- Controller-based Architecture Overview
- Lightweight Access Point Protocol (LWAPP)
  - Protocol Overview
  - LWAPP AP Discovery and Join Process
  - LWAPP Operations
- Mobility in the Cisco Unified WLAN Architecture
- Architecture Building Blocks

Slide 22: LWAPP Image Data State
After AP Joins a controller, the controller notifies the AP of the IP Addresses of the other members of its "Mobility Group". It then transitions to the Image Data state or the Config state.

Slide 23: LWAPP Image Data State
After AP Joins a controller, it will download a run-time image if it is running a different version than the controller. After downloading code, the AP resets and runs through the discovery/join process.

Slide 24: LWAPP Config State
After AP Joins a controller and after it downloads a run-time image (if necessary), it will download its run-time configuration from the controller. AP specific configuration parameters are stored in NVRAM.

Slide 25: LWAPP Run State
After AP Joins a controller and after it downloads a run-time image (if necessary) and configuration, AP enters run state. In this state, it will service clients and periodically exchange control messages, send stats to the controller, receive commands.

Slide 26: LWAPP Operations: Client Connections
- AP handles real-time 802.11 control and management
- Non-real time 802.11 handled at controller
- Controller is the 802.1x authenticator and centrally stores client QoS, security context
- 802.11 data frames are encrypted/decrypted at the RF interface
- "Action frames" are management frames as defined by 802.11

Slide 27: Understanding Packet Flow in the Centralized Architecture

Slide 28: Section Agenda
- Controller-based Architecture Overview
- Lightweight Access Point Protocol (LWAPP)
  - Protocol Overview
  - LWAPP AP Discovery and Join Process
  - LWAPP Operations
- Mobility in the Cisco Unified WLAN Architecture
- Architecture Building Blocks

Slide 29: Scaling the Architecture with Mobility Groups
- Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
- APs learn the IPs of the other members of the mobility group after the LWAPP Join process
- Support for up to 24 controllers, 3600 APs per mobility group
- Mobility messages exchanged between controllers
- Data tunneled between controllers in EtherIP (RFC 3378)

Slide 30: Intra-Controller Roaming
- Intra-Controller roam happens when an AP moves association between APs joined to the same controller
- Client must be re-authenticated and new security session established
- Controller updates client database entry with new AP
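The decision criteria on the WLAN Controller Selection Algorithm slide (slide 19), as an added example that is not part of the Cisco deck: it orders the controllers that answered discovery into the sequence of join attempts. Field names, controller names and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class DiscoveryResponse:
    """Subset of the fields slide 19 lists (field names are illustrative)."""
    sys_name: str
    ap_capacity: int      # controller AP capacity
    ap_load: int          # current AP load
    is_master: bool       # "Master Controller" status
    ap_manager_ip: str

    @property
    def excess_capacity(self) -> int:
        return self.ap_capacity - self.ap_load

def join_order(candidates, preferred=()):
    """Order candidates by the slide's three criteria: [(sys_name, reason)]."""
    by_name = {c.sys_name: c for c in candidates}
    order, seen = [], set()

    def add(c, reason):
        if c.sys_name not in seen:          # each controller is tried once
            seen.add(c.sys_name)
            order.append((c.sys_name, reason))

    # 1. Primary, secondary, tertiary, matched on the controller sysName.
    for rank, name in zip(("primary", "secondary", "tertiary"), preferred):
        if name in by_name:                 # only controllers that responded
            add(by_name[name], rank)
    # 2. Any controller configured as "Master".
    for c in candidates:
        if c.is_master:
            add(c, "master")
    # 3. Everything else, greatest excess AP capacity first.
    for c in sorted(candidates, key=lambda c: c.excess_capacity, reverse=True):
        add(c, "excess capacity %d" % c.excess_capacity)
    return order

# Constructed Discovery Responses (not from the deck).
RESPONSES = [
    DiscoveryResponse("wlc-a", 100, 90, False, "192.0.2.21"),
    DiscoveryResponse("wlc-b", 50, 5, False, "192.0.2.22"),
    DiscoveryResponse("wlc-m", 25, 20, True, "192.0.2.23"),
    DiscoveryResponse("wlc-x", 100, 0, False, "198.51.100.7"),
]

if __name__ == "__main__":
    print("pinned:  ", join_order(RESPONSES, ("wlc-a", "wlc-b")))
    print("unpinned:", join_order(RESPONSES))
```

With no primary, secondary or tertiary controller configured, placement is decided entirely by what the Discovery Responses advertise, which is why pinning APs by sysName makes their placement predictable.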
