Principles and values of the wireless architecture...
TRANSCRIPT
Copyright © 2001, Cisco Systems, Inc. All rights reserved.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Principles and Values of the Cisco Centralized Wireless Architecture
Vincent Blavet ([email protected])
Agenda
• Cisco's Enterprise Mobility Vision
• Why a Centralized Architecture?
• Principles of the LWAPP Architecture
• Mobility Groups
• Cisco Wireless LAN Products
Cisco's Enterprise Mobility Vision
Mobility …
Mobility … is staying connected with People, Applications and Resources
Places
People
Resources
Cisco's Enterprise Mobility Vision: Secure, Manageable, Extensible
Bringing value to the business, anytime, anywhere, over multiple networks
Evolution of Wireless LAN Technology
2000 - Present: Wireless Connectivity
• Best in class range / throughput
• Enterprise-class Security
• Capital Efficiency
2003 - Present: Centralized WLAN Systems
• Centralized Management and Control
• Layer 2/3 Mobility
• Wireless IDS/IPS
• Hierarchical approach for scalability
• Voice support
2005 - Future: Unified Wired+Wireless
• Integrated and Unified Security (AAA, NAC, SDN, IDS/IPS, etc.)
• Exploding number of Wi-Fi Clients (laptops, dual-mode PCS Phones, Video PDAs)
• Higher-capacity, higher-density WLANs (Pico Cells)
• Unified wired+wireless support for applications (Voice/Video, Location Services, AAA)
• Extending networking outdoors (mesh, outdoor AP, etc.)
• Enterprise scale and reliability
Cisco's Enterprise Mobility Vision. Unification: a story that repeats itself …
1980s – 2000s: separate Data, Voice and Video networks, each with its own Enterprise Communications Infrastructure (Data Services, Voice Services, Video Services)
• Separate communications networks
• No common services
• High support costs and limited efficiency
• Siloed applications
2000s – 2005: Converged Network (Converged Network Services) with Wireless as an overlay (Wireless Services)
• Converged IP network lowers TCO
• Some application efficiencies, not optimized
• Overlay wireless remains a support and management burden
2005+: Unified Wired & Wireless Network (Unified Network Services): Guest & Identity, Voice & UC, Mobile E-Mail, RFID & Location, Video Surveillance, Outdoor
• Common platform for intelligent services
• Greatest efficiencies and lowest TCO
• Extensive application support common across entire network
Cisco's Enterprise Mobility Vision: Wireless LAN Mobility Services
Pervasive Wireless Network
Security
• Automatic, 24 x 7 security and compliance monitoring for breaches via wireless medium
• Network access control based on user location
Guest
• Guest networks for customers, partners and auditors
• Vendor replenishment networks
• Public access networks
Voice
• Real-time mobile voice communications
• Improved collaboration via mobile unified communications
• Faster customer service response
Location
• Asset management
• Location-based content distribution
• Streamlined workflow using historical location data
Why a Centralized Architecture?
Wireless LAN Evolution. Why Go Centralized? Easy Deployment
Central Site with Centralised Controllers; Remote Offices reached over the WAN
• No need to create new access VLANs
• No need for initial AP configuration
• Auto discovery, auto update, auto configuration
• Path isolation of WLAN flow over wired network
Wireless LAN Evolution. Advanced WLAN Architecture (1)
Several radio networks at the Central Site (VLAN Data, VLAN Voice, internet):
• Corporate Network: strong security, access to corporate LAN
• Voice / IP Communication: strong security, access to Voice VLAN, QoS
• Guest Network: no encryption, path isolation from the Corp. Net., Internet access
Wireless LAN Evolution. Advanced WLAN Architecture (2)
Hybrid Architecture: Central Site and Remote Office over the WAN
• Single Management & Control point
• Centralized Traffic or Local Traffic
Wireless LAN Evolution. Why Go Centralized? Easy Management
Central Site and Remote Office over the WAN
• No direct AP management
• Single Management point, from a controller or from WCS
• Same action for each AP at the same time
Wireless LAN Evolution. Why Go Centralized? Radio Resource Management
Radio Resource Management
• Radio auto-configuration
• Security Scanning
• Location tracking
Wireless LAN Evolution. Unified Wireless & Wired Network
Wired Access or Wireless Access: Same Needs!
Architecture
• Support for multiple wired VLANs / wireless SSIDs
• Dynamic VLAN association
• Wired & Wireless Guest Access
Security
• Authenticated access: Wired 802.1x / Wireless 802.11i
• Client device posture: Wired NAC / Wireless NAC
• IDS/IPS Security: Wired IDS/IPS / Radio IDS
• L2 Security: IP Snooping, MAC Snooping, …
Voice Support & QoS
• Voice VLANs: separate voice traffic from data traffic
• QoS: Wired 802.1q QoS / Wireless 802.11e QoS
Cisco WLAN Solutions. Migrating to a Centralized Solution
Distributed Solution: Autonomous Access Points (APs, Radius, Clients) with WLSE Network Management
Centralized Solution: possibility to migrate to the centralized model with the same AP* and a new controller (Wireless LAN Controller), with WCS Network Management
Advanced Features: WLAN Voice over IP, WiFi Location Based Services (Wireless LAN Controller, WCS, Location Server)
Principles of the LWAPP Architecture
Centralized Wireless LAN Architecture. Overview
• Processing split between APs and Controllers: 802.11 functionality shared
• Central Management: the AP is essentially a remote RF interface
• Based on the LWAPP Protocol
• APs hold no security credentials
• APs unusable without a controller: just expensive paperweights!
• Data traffic can be bridged locally or at the controller
Diagram: Lightweight Access Points, LWAPP over the switched/routed network, Cisco WLAN Controller
Centralized Wireless LAN Architecture. What is LWAPP?
• LWAPP (Light Weight Access Point Protocol) is used between APs and the WLAN Controller
• LWAPP carries control and data traffic between the two: the control plane is AES-CCM encrypted, the data plane is not encrypted
• It facilitates centralized management and automated configuration
• Open, standards-based protocol (submitted to the IETF CAPWAP WG)
Diagram: WiFi Client, Access Point, Controller, Business Application; Control Plane and Data Plane
Architecture Deployment
Access Points need to be associated with a WLAN Controller:
• Hunting phase: the AP needs to find a WLC
• Join phase: the AP associates securely with the WLC
• Authorization phase: the WLC accepts or rejects the AP
• Configuration phase: the WLC uploads firmware (if needed), then uploads the AP configuration
Diagram: Lightweight Access Points asking “Where is my WLC?”, Cisco WLAN Controller
WLAN Controller Hunting Algorithm. LWAPP Discovery with DHCP Option 43
Controllers: WLC-1 10.150.50.15, WLC-2 10.150.60.15; DHCP server 10.150.100.1
The AP's access VLAN relays DHCP to the server with an ip helper-address:
    interface Vlan51
     ip address 10.150.51.1 255.255.255.0
     ip helper-address 10.150.100.1   ! DHCP Server
DHCP Request / Offer:
• DHCP Request (Option 60 = “Aironet”)
• DHCP Offer (Option 43 = “10.150.50.15,10.150.60.15”)
LWAPP Controller Discover Request (to the controllers learned from Option 43)
LWAPP Controller Discover Response
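An added example (not Cisco code) of building and checking the Option 43 value behind this slide. It uses Cisco's documented layout for lightweight APs: a vendor-specific TLV with type 0xf1, length 4 times the number of controllers, then each controller management IP as four raw bytes; the two slide addresses are the sample input.

```python
"""Encode/decode the DHCP option 43 value a Cisco lightweight AP expects.
Layout (Cisco documentation): sub-option type 0xf1, length = 4 * number of
controllers, then each controller IPv4 address as 4 raw bytes. Sample input
is the slide's controller list (10.150.50.15, 10.150.60.15)."""
import ipaddress

LWAPP_SUBOPTION = 0xF1   # sub-option type the AP searches for inside option 43


def encode_option43(controllers):
    """Build the option 43 payload for a list of controller IPv4 addresses."""
    packed = [ipaddress.IPv4Address(c).packed for c in controllers]
    if not 1 <= len(packed) <= 63:        # length is a single byte: 4*63 = 252
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([LWAPP_SUBOPTION, 4 * len(packed)]) + b"".join(packed)


def decode_option43(blob):
    """Return the controller IPs found in an option 43 payload.
    Sub-options of other types are skipped; a truncated or misaligned LWAPP
    TLV is rejected outright rather than partially trusted."""
    controllers, pos = [], 0
    while pos + 2 <= len(blob):
        typ, length = blob[pos], blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV in option 43")
        if typ == LWAPP_SUBOPTION:
            if length % 4:
                raise ValueError("LWAPP sub-option length must be a multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[i:i + 4]))
                            for i in range(0, length, 4)]
        pos += 2 + length
    return controllers


def ios_option43_line(controllers):
    """Render the DHCP pool line in the dotted-hex form IOS accepts."""
    hexstr = encode_option43(controllers).hex()
    return "option 43 hex " + ".".join(hexstr[i:i + 4]
                                       for i in range(0, len(hexstr), 4))


if __name__ == "__main__":
    slide = ["10.150.50.15", "10.150.60.15"]
    print(ios_option43_line(slide))   # option 43 hex f108.0a96.320f.0a96.3c0f
    print(decode_option43(encode_option43(slide)))
```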
WLAN Controller Hunting Algorithm. LWAPP Discovery Broadcast
LWAPP L3 Discovery Broadcast, for LWAPP-L3-only controllers
DHCP Request to the DHCP server 10.150.100.1
LWAPP Controller Discover Request sent as an IP Broadcast
LWAPP Controller Discover Response
WLAN Controller Hunting Algorithm. LWAPP Discovery with DNS Request
Controllers: WLC-1 10.150.50.15, WLC-2 10.150.60.15
DNS Server: CISCO-LWAPP-CONTROLLER : 10.150.50.15
DNS Request / Response:
• DNS Request (“CISCO-LWAPP-CONTROLLER.localdomain”)
• DNS Response (“10.150.50.15,10.150.60.15”)
LWAPP Controller Discover Request
LWAPP Controller Discover Response
WLAN Controller Hunting Algorithm. LWAPP Discovery OTAP (“Over the Air Protocol”)
Controllers: WLC-1 10.150.50.15, WLC-2 10.150.60.15
Diagram: a Registered Access Point with an Established LWAPP Tunnel next to the AP that is hunting
LWAPP Controller Discover Request
LWAPP Controller Discover Response
WLAN Controller Join Process. Mutual Authentication
• The AP's LWAPP Join Request carries the AP's signed X.509 certificate (Client X.509 Certificate); the WLAN Controller validates the certificate before sending an LWAPP Join Response
• Manufacture Installed Certificate (MIC): Cisco 1000 Series, all Cisco Aironet APs manufactured after July 18, 2005
• Self-Signed Certificate (SSC): LWAPP-upgraded Cisco Aironet APs manufactured prior to July 18, 2005; SSC APs must be “authorized” on the WLAN Controller
• If the AP is validated, the WLAN Controller sends the LWAPP Join Response, which contains the controller's signed X.509 certificate (Server X.509 Certificate)
Configuration Phase. Firmware and Configuration Download
• Firmware is downloaded by the AP from the WLC
• Firmware is downloaded only if needed; the AP reboots after the download
• Firmware is digitally signed by Cisco
• Network configuration is downloaded by the AP from the WLC
• Configuration is encrypted in the LWAPP tunnel (control plane)
• Configuration is applied
Diagram: Lightweight Access Points, Cisco WLAN Controller; LWAPP-L3 Firmware Download, Configuration Download
Wireless VLAN
Wireless VLAN. Overview
• Support for up to 8 or 16 SSIDs (Wireless VLANs)
• Insertion point between the wireless world and the wired world is the Controller trunk ports
Diagram: Guest, Corporate User and Partners on the WLAN Controller; 802.1Q Trunk to the Enterprise Intranet, Partner Net. and RADIUS; Guest Tunneling to a Controller with Guest Portal and the Internet
Wireless VLAN. Static & Dynamic Wireless VLAN (1)
• Each Wireless VLAN (identified by an SSID) is associated with a VLAN interface inside the controller, identified by its VLAN id (802.1Q tag).
• Each Wireless VLAN has its own security policy (Authentication & Encryption).
• Each Wireless VLAN has its own MAC address per AP and may or may not broadcast its SSID.
Diagram: SSID 1 to VLAN 1 and SSID 2 to VLAN 2 over the 802.1Q Trunk
Wireless VLAN. Static & Dynamic Wireless VLAN (2)
• Multiple Wireless VLANs can be associated with a single wired VLAN interface.
Diagram: SSID A / WPA and SSID B / WPA-2 both to VLAN 10 over the 802.1Q Trunk
Wireless VLAN. Static & Dynamic Wireless VLAN (3)
• Users using the same SSID can be associated to different wired VLAN interfaces (Dynamic VLAN association).
• The association depends on the RADIUS configuration for the user or user group.
Diagram: Single SSID, User-1 to VLAN 1 and User-2 to VLAN 2 over the 802.1Q Trunk, decided by RADIUS
Wireless VLAN. Static & Dynamic Wireless VLAN (4)
• Multiple Wireless VLANs, with different authentication / encryption configurations, can use the same SSID and be associated with different wired VLAN interfaces.
Diagram: Same SSID with WPA (Corporate User) to VLAN 1, same SSID with Open (Guest User) to VLAN 2, over the 802.1Q Trunk
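An added example (not controller code) modelling the four Wireless VLAN cases above: static SSID-to-VLAN mapping, several SSIDs on one wired VLAN, RADIUS-driven dynamic VLAN assignment, and the same SSID with different security policies. The RADIUS attributes are the standard RFC 2868 tunnel attributes; the WLAN names, trunk VLANs and the fallback to the WLAN's static interface are constructed assumptions.

```python
"""Map a wireless client to a wired VLAN interface the way the slides describe.
RADIUS values: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802,
Tunnel-Private-Group-ID = VLAN id (RFC 2868). Names and the fallback rule
(keep the WLAN's static interface when RADIUS asks for a VLAN the controller
does not carry) are constructed for this example."""
from dataclasses import dataclass

TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass(frozen=True)
class Wlan:
    ssid: str
    security: str        # the Wireless VLAN's own policy: "open", "wpa", "wpa2"
    interface_vlan: int  # static mapping to a controller interface (802.1Q tag)
    aaa_override: bool = False   # let RADIUS pick a different interface


class Controller:
    def __init__(self, trunk_vlans, wlans):
        self.trunk_vlans = set(trunk_vlans)   # VLAN interfaces on the 802.1Q trunk
        # same SSID with a different security policy is a different Wireless VLAN
        self.wlans = {(w.ssid, w.security): w for w in wlans}

    def client_vlan(self, ssid, security, radius_accept=None):
        """Return (vlan, how) for a client on ssid/security; radius_accept holds
        the attributes of its RADIUS Access-Accept, if it was authenticated."""
        wlan = self.wlans[(ssid, security)]
        static = wlan.interface_vlan
        if not (wlan.aaa_override and radius_accept):
            return static, "static"
        if (radius_accept.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
                or radius_accept.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802):
            return static, "static"           # reply carries no VLAN assignment
        try:
            wanted = int(radius_accept["Tunnel-Private-Group-ID"])
        except (KeyError, ValueError):
            return static, "static (malformed VLAN attribute)"
        if wanted not in self.trunk_vlans:    # never place a client on an interface
            return static, f"static (VLAN {wanted} not on trunk)"  # the controller lacks
        return wanted, "dynamic (RADIUS)"


def demo_controller():
    """One controller carrying the four slide cases (constructed sample)."""
    return Controller(trunk_vlans=[1, 2, 10], wlans=[
        Wlan("corp", "wpa", 1),                       # SSID 1 -> VLAN 1
        Wlan("ssid-a", "wpa", 10),                    # two SSIDs, one wired VLAN 10
        Wlan("ssid-b", "wpa2", 10),
        Wlan("staff", "wpa2", 1, aaa_override=True),  # single SSID, RADIUS decides
        Wlan("campus", "wpa", 1),                     # same SSID: WPA -> corporate VLAN
        Wlan("campus", "open", 2),                    # same SSID: open -> guest VLAN
    ])
```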
Mobility Groups & L2/L3 Mobility
Scaling the Architecture with Mobility Groups
• Controllers “peer” to support seamless campus roaming
• APs learn the IPs of the other members of the mobility group after the LWAPP Join process
• Support for up to 24 controllers, 3600 APs per mobility group
• Mobility messages exchanged between controllers
• Data tunneled between controllers in EtherIP (RFC 3378)
Intra-Controller Roaming
• An intra-controller roam happens when a client moves its association between APs joined to the same controller
• Client must be re-authenticated and a new security session established
• Controller updates the client database entry with the new AP and the appropriate security context
• No IP address refresh needed
Layer-2 Roaming: Inter-Controller
• An L2 inter-controller roam happens when a client moves its association between APs joined to different controllers, with client traffic bridged onto the same subnet
• Client must be re-authenticated and a new security session established
• Client database entry moved to the new controller
• No IP address refresh needed
Layer-3 Roaming: Inter-Controller
• An L3 inter-controller roam happens when a client moves its association between APs joined to different controllers, with client traffic bridged onto a different subnet
• Client must be re-authenticated and a new security session established
• Client database entry copied to the new controller
• Original controller tagged as the “Anchor”
• New controller tagged as the “Foreign”
• No IP address refresh needed
• Asymmetric traffic path established
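An added example (not controller code) of the client-database handling behind the three roam types above: update in place, move, or copy with Anchor/Foreign tagging. Controller, AP and subnet names and the client record layout are constructed assumptions.

```python
"""Client-database operations for intra-controller, Layer-2 and Layer-3
inter-controller roams. Names and the record layout are constructed."""
from dataclasses import dataclass
from typing import Optional

REAUTH = "re-authenticate client, new security session"  # true for all three cases


@dataclass
class Ap:
    name: str
    controller: str
    subnet: str        # subnet the client's traffic is bridged onto via this AP


@dataclass
class ClientEntry:
    ap: str
    ip: str                        # never refreshed on a roam
    anchor: Optional[str] = None   # controller owning the IP after an L3 roam
    foreign: Optional[str] = None  # controller the client is physically on


class MobilityGroup:
    def __init__(self, aps):
        self.aps = {a.name: a for a in aps}
        self.db = {a.controller: {} for a in aps}  # one client database per controller
        self.serving = {}                          # mac -> controller serving it now

    def associate(self, mac, ap_name, ip):
        ctl = self.aps[ap_name].controller
        self.db[ctl][mac] = ClientEntry(ap_name, ip)
        self.serving[mac] = ctl

    def roam(self, mac, new_ap_name):
        """Apply the roam; return (roam_type, required_action, client_ip)."""
        old_ctl = self.serving[mac]
        entry = self.db[old_ctl][mac]
        old_ap, new_ap = self.aps[entry.ap], self.aps[new_ap_name]
        new_ctl = new_ap.controller
        if new_ctl == old_ctl:
            entry.ap = new_ap_name                 # update the entry in place
            return "intra-controller", REAUTH, entry.ip
        self.serving[mac] = new_ctl
        if new_ap.subnet == old_ap.subnet:
            del self.db[old_ctl][mac]              # move the entry to the new controller
            self.db[new_ctl][mac] = ClientEntry(new_ap_name, entry.ip)
            return "L2 inter-controller", REAUTH, entry.ip
        # Different subnet: copy the entry. The original controller stays Anchor
        # for the client's IP, the new one is Foreign; traffic is tunneled
        # between them (asymmetric path) so the client keeps its address.
        entry.anchor, entry.foreign = old_ctl, new_ctl
        self.db[new_ctl][mac] = ClientEntry(new_ap_name, entry.ip,
                                            anchor=old_ctl, foreign=new_ctl)
        return "L3 inter-controller", REAUTH, entry.ip
```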
Cisco WLAN Products
Mobility Platform: Proven Platform for Mobile Access
Features
• Industry's best AP range & throughput
• Enterprise class security
• Many configuration options
• Simultaneous air monitoring and traffic delivery
Benefits
• Zero touch management
• No dedicated air monitors
• Supports all deployment scenarios (indoor and outdoor)
• From secure coverage to advanced services
Indoor Access Points: 1130AG, 1000
Indoor Rugged Access Points: 1240AG, 1230AG
Outdoor Access Points/Bridges: 1500, 1300
Network Unification: Wireless LAN Controllers. Making Wired and Wireless Integration a Reality…
Features
• Enterprise scalability and reliability
• Real-time RF Management
• Multi-layered security
• Mobility management
• Standalone and integrated options
Benefits
• Cost effective solution for all office deployments
• Ideal for data, voice, and video
• Wired and wireless integration
Standalone controllers: 4400, 2106
Catalyst Series Wireless: WiSM, 3750G Integrated WLAN Controller
ISR: WLAN Controller Module (WLCM)
Unified Wired & Wireless Products!
Cisco Wireless Controller Family, by deployment size
Deployment Size: Controller (APs supported)
1-2 APs: H-REAP
>=2-6 APs: Cisco 2106 (6 APs), ISR WLC Module (6 APs)
>=12 APs: Cisco 4402-12 (12 APs)
>=25 APs: Cisco 4402-25 (25 APs), Cisco 3750 (25 APs)
>=50 APs: Cisco 4402-50 (50 APs), Cisco 3750 (50 APs)
>=100 APs: Cisco 4404 (100 APs)
<300 APs: Cisco WiSM (300 APs)
Q & A
Find Cisco news every month in CiscoMag, the Cisco France newsletter. Subscription: www.cisco.fr/go/ciscomag
Solutions seminar: The Campus Network, Thursday 24 May 2007, in the morning, at the Institut Océanographique - Paris