principes et valeurs de l’architecture wireless...

Copyright © 2001, Cisco Systems, Inc. All rights reserved.

© 2007 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialJMB 1

Principes et valeurs de l’Architecture Wireless Centralisée Cisco

Vincent Blavet([email protected])


Agenda

La Vision Mobilité d’Entreprise de Cisco

Pourquoi une Architecture Centralisée ?

Principe de l’Architecture LWAPP

Groupes de Mobilité

Produits Wireless LAN Cisco



La VisionMobilitéd’EntreprisedeCisco


La Mobilité …

Cisco Confidential 4



La Mobilité …La Mobilité … c’est rester connecté avec des Personnes, des Applications et des Ressources

Lieux

Personnes

Ressources

Cisco Confidential 5


Apporter uneRichesse aux

AffairesN’importe quand,

N’importe oùpar de multiples

réseaux

La Vision Mobilité d’Entreprise de CiscoSécurisée, Administrable, Extensible



Evolution de la Technologie Wireless LAN

Unified Wired+Wireless

Unified Wired+Wireless

Integrated and Unified Security (AAA, NAC, SDN, IDS/IPS, etc)

Exploding number of Wi-Fi Clients (laptops, dual-mode PCS Phones, Video PDAs)

Higher-capacity, higher-density WLANs (Pico Cells)

Unified wired+wireless support for applications (Voice/Video, Location Services, AAA)

Extending networking outdoors (mesh, outdoor AP, etc.)

Enterprise scale and reliability

Integrated and Unified Security (AAA, NAC, SDN, IDS/IPS, etc)

Exploding number of Wi-Fi Clients (laptops, dual-mode PCS Phones, Video PDAs)

Higher-capacity, higher-density WLANs (Pico Cells)

Unified wired+wireless support for applications (Voice/Video, Location Services, AAA)

Extending networking outdoors (mesh, outdoor AP, etc.)

Enterprise scale and reliability

Centralized Management and Control

Layer 2/3 Mobility

Wireless IDS/IPS

Hierarchical approach for scalability

Voice support

Centralized Management and Control

Layer 2/3 Mobility

Wireless IDS/IPS

Hierarchical approach for scalability

Voice support

CentralizedWLAN Systems

CentralizedWLAN Systems

Best in class range/ throughput

Enterprise-class Security

Capital Efficiency

Best in class range/ throughput

Enterprise-class Security

Capital Efficiency

Wireless Connectivity

Wireless Connectivity

2000 - Present 2003 - Present 2005 - Future


Enterprise Communications InfrastructureEnterprise Communications Infrastructure


Video

La Vision Mobilité d’Entreprise de Cisco Unification : Une histoire qui se répète …

Data VoiceData Services Voice Services Video Services

Converged NetworkConverged Network Services

Wireless

Wireless Services


Unified Wired & Wireless NetworkUnified Network Services

• Common platform for intelligent services

• Greatest efficiencies and lowest TCO

• Extensive application support common across entire network

2005+2005+Guest & Identity

Voice & UC

Mobile E-Mail

RFID & LocationVideo

Surveillance Outdoor

• Converged IP network lowers TCO

• Some application efficiencies, not optimized

• Overlay wireless remains a support and management burden

2000s – 2005

• Separate communications networks

• No common services• High support costs and limited

efficiency• Siloed applications

1980s – 2000s



La Vision Mobilité d’Entreprise de Cisco Services de Mobilité Wireless LAN

SecuritySecurity GuestGuest VoiceVoice LocationLocation

• Guest networks for customers, partners and auditors

• Vendor replenishment networks

• Public access networks

• Automatic, 24 x 7 security and compliance monitoring for breaches via wireless medium

• Network access control based on user location

• Asset management

• Location-based content distribution

• Streamlined workflow using historical location data

• Real-time mobile voice communications

• Improved collaboration via mobile unified communications

• Faster customer service response

Pervasive Wireless NetworkPervasive Wireless Network


Pourquoi uneArchitectureCentralisée ?



Wireless LAN EvolutionWhy Go Centralized ? : Easy Deployment

WAN

Central Site

Remote Offices

Centralised Controllers

No need to create new access VLANs

No need for initial AP configuration

Auto discoveryAuto updateAuto configuration

Path isolation of WLAN flow over wired network


internet

Wireless LAN EvolutionAdvanced WLAN Architecture (1)

Several Radio Network :

Corporate Network– Strong Security– Access to corporate LAN

Voice / IP Communication– Strong Security– Access to Voice VLAN– QoS

Guest Network– No encryption– Path isolation with Corp. Net.– Internet Access

Central Site

VLAN DataVLAN Voice



Wireless LAN EvolutionAdvanced WLAN Architecture (2)

WAN

Central Site

Remote Office

Hybrid Architecture

Single Management & Control point

–Centralized TrafficOr–Local Traffic

CentralizedTraffic

CentralizedTraffic

LocalTraffic


Wireless LAN EvolutionWhy Go Centralized ? : Easy Management

WAN

Central Site

Remote Office

No direct AP management

Single Management point From a controllerFrom WCS

Same action for each AP atthe same time



Wireless LAN EvolutionWhy Go Centralized ? : Radio Ressource Mgt

Radio Ressource Management

Radio auto-configuration

Security Scanning

Location tracking


Wireless LAN EvolutionUnified Wireless & Wired Network

Wired Access or Wireless Access : Same Needs !Architecture

– Support for multiple wired VLANs / wireless SSIDs– Dynamic VLAN association– Wired & Wireless Guest Access

Security– Authenticated access : Wired 802.1x / Wireless 802.11i– Client device posture : Wired NAC / Wireless NAC– IDS/IPS Security : Wired IDS/IPS / Radio IDS– L2 Security : IP Snooping, MAC Snooping, …

Voice Support & QoS– Voice VLANs : Separate voice traffic from data traffic– QoS : Wired 802.1q QoS / Wireless 802.11e QoS



Cisco WLAN SolutionsMigrating to Centralized Solution

APAP

Radius

Clients

WLSE

AP

Distributed SolutionAutonomous Access Points

WLSE Network Management

Centralized SolutionPossibility to migrate to centralized model

Same AP*, New Controller

WCS Network Management

Advanced FeaturesWLAN VoiceOver IP

WiFi Location Based Services

Wireless LAN Controller

WCS

Location Server


Principes de l’ArchitectureLWAPP



Centralized Wireless LAN ArchitectureOverview

Processing split between APs and Controllers

802.11 functionality shared

Central Management – AP is essentially a remote RF interface

Based on LWAPP Protocol

APs hold no security credentials

APs unusable without a controller -Just expensive paperweights!

Data traffic can be bridged locally or at controller

Lightweight Access Points

LWAPPSwitch/Routed

Network

Cisco WLAN Controller


LWAPP

Centralized Wireless LAN ArchitectureWhat is LWAPP ?

LWAPP - Light Weight Access Point Protocol is used between APsand WLAN Controller

LWAPP carries control and data traffic between the two– Control plane is AES-CCM encrypted– Data plane is not encrypted

It facilitates centralized management and automated configuration

Open, standards-based protocol (Submitted to IETF CAPWAP WG)

Access Point ControllerWiFi Client

Business Application

Control Plane

Data Plane



Architecture Deployment

Access Points need to be associated withWLAN Controller

Hunting phase : AP needs to find WLCJoin phase : AP associates securely with WLCAuthorization phase : WLC accept or not APConfiguration phase : WLC upload firmware (if

needed), WLC upload AP configuration

Where ismy WLC ?

Lightweight Access Points Cisco WLAN Controller


WLAN Controller Hunting Algorithm LWAPP Discovery with DHCP Option 43

LWAPP Controller Discover Request

LWAPP Controller Discover Response

WLC-110.150.50.15

WLC-210.150.60.15

Ip helper-addressinterface Vlan51ip address 10.150.51.1 255.255.255.0ip helper-address 10.150.100.1 (DHCP Server)

DHCP10.150.100.1

DHCP Request (Option 60 = “Aironet”)

DHCP Offer (Option 43 = “10.150.50.15,10.150.60.15”)

DHCP Request / Offer



WLAN Controller Hunting Algorithm LWAPP Discovery Broadcast

LWAPP L3 Discovery Broadcast for LWAPP-L3 Only Controller

IP Broadcast



DHCP10.150.100.1

DHCP Request


WLAN Controller Hunting Algorithm LWAPP Discovery with DNS Request



WLC-110.150.50.15

WLC-210.150.60.15

DNS ServerCISCO-LWAPP-CONTROLLER : 10.150.50.15

DNS Request (“CISCO-LWAPP-CONTROLLER.localdomain”)

DNS Response (“10.150.50.15,10.150.60.15”)

DNS Request / Response



WLAN Controller Hunting Algorithm LWAPP Discovery OTAP “Over the Air Protocol”



WLC-110.150.50.15

WLC-210.150.60.15

Registered Access Point

Established LWAPP Tunnel


WLAN Controller Join ProcessMutual Authentication

AP’s LWAPP Join Request the AP’s signed X.509 certificateWLAN Controller validates the certificate before sending an LWAPP Join Response

Manufacture Installed Certificate (MIC)—Cisco 1000 Series, all Cisco Aironet APs manufactured after July 18, 2005Self-Signed Certificate (SSC)—LWAPP Upgraded Cisco Aironet APs manufactured prior to July 18, 2005SSC APs must be “authorized” on the WLAN Controller

If AP is validated, the WLAN Controller sends the LWAPP Join Response which contains the controller’s signed X.509 certificate

ClientX.509

Certificate

ServerX.509

Certificate



Configuration PhaseFirmware and Configuration download

Firmware is downloaded by the AP from the WLC

Firmware downloaded only if needed, AP reboots after the download

Firmware digitally signed by Cisco

Network configuration isdownloaded by the AP from the WLC

Configuration is encrypted in the LWAPP Tunnel (control plane)

Configuration is appliedLightweight

Access Points

Cisco WLAN Controller

LWA

PP-L

3

Firm

war

eD

ownl

oad

Con

figur

atio

n D

ownl

oad


Wireless VLAN



Wireless VLANOverview

Support for up-to 8 or 16 SSIDs (Wireless VLAN)

Insertion point between Wireless world and Wired world is the Controller Trunk ports

Guest

CorporateUser

EntrepriseIntranet

Partner Net.

Internet

RADIUS

802.1QTrunk

Controller withGuest Portal

WLAN Controller

Partners

GuestTunneling


Wireless VLANStatic & Dynamic Wireless VLAN

Each Wireless VLAN (identified by an SSID) is associated with a VLAN interface inside the controller, identified by its VLAN id (802.1Q tag).Each Wireless VLAN has its own security policy (Authentication & Encryption)Each Wireless VLAN has its own MAC@ per AP and can broadcast or not its SSID

802.1Q Trunk

VLAN 1

VLAN 2

SSID 1

SSID 2




Multiple Wireless VLAN can be associated with a single wired VLAN interface.

802.1Q Trunk

VLAN 10

SSID A / WPA

SSID B / WPA-2



Users, using the same SSID, can be associated to different wired VLAN interfaces (Dynamic VLAN association)

Association will depend of the RADIUS configuration for the user or user group.

Single-SSIDUser-1

User-2802.1Q Trunk

VLAN 1

VLAN 2

RADIUS




Multiple Wireless VLAN, with different authentication / encryption configurations, can use the same SSID and be associated with different wired VLAN interface.

Same-SSIDWith WPA

Same-SSIDWith Open

802.1Q Trunk

VLAN 1

VLAN 2

CorporateUser

GuestUser


Groupes de Mobilité& Mobilité L2/L3



Scaling the Architecture with Mobility Groups

Controllers “peer” to support seamless campus roaming APs learn the IPs of the other members of the mobility group after the LWAPP Join processSupport for up to 24 controllers, 3600 APs per mobility groupMobility messages exchanged between controllersData tunneled between controllers in EtherIP(RFC 3378)


Intra-Controller Roaming

Intra-Controller roam happens when an AP moves association between APsjoined to the same controller

Client must be re-authenticated and new security session established

Controller updates client database entry with new AP and appropriate security context

No IP address refresh needed



Layer-2 Roaming—Inter-Controller


Client database entry moved to new controller


L2 Inter-Controller roam happens when an AP moves association between APs joined to the different controllers but client traffic bridged onto the same subnet


Layer-3 Roaming—Inter-controller

L3 Inter-Controller roam happens when an AP moves association between APs joined to the different controllers but client traffic bridged onto different subnet


Client database entry copiedto new controller

Original controller tagged as the “Anchor”

New controller tagged as the “Foreign”


Asymmetric traffic path established



Cisco WLAN Products


FeaturesIndustry’s best AP range & throughput

Enterprise class security

Many configuration options

Simultaneous air monitoring and traffic delivery

BenefitsZero touch management

No dedicated air monitors

Supports all deployment scenarios (indoor and outdoor)

From secure coverage to advanced services

Mobility Platform

Proven Platform for Mobile Access

Indoor Access Points

1130AG 1000

Indoor Rugged Access Points

1500

1240AG 1230AG

Outdoor Access Points/Bridges

1300



Making Wired and Wireless Integration A Reality…

FeaturesEnterprise scalability and reliability

Real-time RF Management

Multi-layered security

Mobility management

Standalone and integrated options

BenefitsCost effective solution for all office deployments

Ideal for data, voice, and video

Wired and wireless integration

Network Unification Wireless LAN Controllers

4400

Catalyst Series Wireless

2106

WiSM

WLAN Controller Module (WLCM)

ISR

3750G Integrated WLAN Controller

Unified W

ired & W

ireless Products !


Cisco Wireless Controller Family

Cisco WiSM 300 APs

Cisco 4404 100 APs

Deployment Size>=100 APs>=25 APs>=2-6 APs

Cisco 4402-5050 APs

ISR WLC Module6 AP Cisco 4402-12

12 APs

Cisco 4402-2525 APs

1-2 APs >=12 APs

H-REAP

>=50 APs

Cisco 375025 APs

Cisco 375050 APs

<300 APs

Cisco 21066 APs



Q & A


Retrouvez chaque mois l’actualitéCisco sur CiscoMag, la newsletter de Cisco FranceAbonnement : www.cisco.fr/go/ciscomag

Séminaire solutions :Le réseau de CampusJeudi 24 mai 2007 en matinée àl’Institut Océanographique - Paris

principes et valeurs de l’architecture wireless...

Documents