tunneling configuration guide for enterprise · enabling soft gre tunnel a soft gre tunnel can be...

Tunneling Configuration Guide for Enterprise Tech Note Version 1.0

©Ruckus Wireless 2

Tech Note Tunneling Configuration Guide for Enterprise v1.0

July 2016

Table of Contents Introduction ................................................................................................................................. 3 Tunneling Options ..................................................................................................................... 4

Why use tunneling ................................................................................................. 4 Tunnel types .......................................................................................................... 4

Ruckus GRE .................................................................................................... 4 Soft-GRE ......................................................................................................... 5

Tunneling support by Ruckus controllers ............................................................... 5 Tunneling Configuration ......................................................................................................... 6

WLAN Data Tunneling with vSZ-H ......................................................................... 6 vSZ-H with vSZ-D data plane ........................................................................... 6 Ruckus GRE configuration ............................................................................... 7 Soft-GRE configuration .................................................................................... 9

Tunneling with SZ 100 ......................................................................................... 10 Enabling Ruckus GRE tunnel .......................................................................... 10 Enabling Soft GRE tunnel ............................................................................... 11

Tunneling with vSZ-E ........................................................................................... 13 vSZ-E and vSZ-D data plane .......................................................................... 13 Ruckus GRE configuration ............................................................................. 13 Soft-GRE configuration .................................................................................. 14

Enabling Soft-GRE + IPsec Tunnel ...................................................................... 16 Troubleshooting ...................................................................................................................... 17

Validate supported configuration ......................................................................... 17 vSZ-D configuration and licensing ....................................................................... 17 Impact from applying incorrect configuration ....................................................... 17 Firewalls and network connectivity ....................................................................... 17

Summary .................................................................................................................................... 18 Appendix A: Examples of traffic captures ....................................................................... 19

Ruckus GRE with UDP ........................................................................................ 19 Ruckus GRE ........................................................................................................ 20

About Ruckus ........................................................................................................................... 21

©Ruckus Wireless 3


July 2016

Introduction

The Ruckus SZ 100, vSZ and SCG 200 wireless controllers provide a number of options for tunneling data traffic. This document will focus on several design scenarios that may apply to enterprise WLAN deployments. It will go through the types of tunnels, which are supported and can be implemented. It will also discuss some design goals i.e. what can be achieved with a tunneled. Step-by-step configuration guidance will be provided.

©Ruckus Wireless 4


July 2016

Tunneling Options

There are two distinct options for tunneling data in the Ruckus solution.

The first option addresses data tunneling from Access Points to the data plane on a wireless controller or to a 3rd-party network device, which can perform tunnel aggregation. Such a network design would apply to cases where data from user devices has to be centralized or distributed between multiple data aggregation points.

The second option addresses an architecture where all clients’ data has to be tunneled northbound from a wireless controller to a 3rd-party aggregation point. This scenario would mostly apply to solutions used by service providers and is out of the scope of this document. For more information see the Ruckus documentation for Ruckus Wireless SmartCell Gateway 200, “Tunneling Interface Reference Guide for SmartZone 3.2.1”

A local breakout mode is used in all other cases where data traffic does not need to be centralized and can be switched and routed locally.

Why use tunneling Using tunneling for data traffic can provide several advantages over a network design that is implemented with a local breakout mode. There are pros and cons for each but the following are the main design scenarios, which may benefit from tunneling:

• Guest traffic aggregation for network security and compliance • Voice traffic tunneling • Roaming and mobility across different subnets • Flat network design topology without multiple VLAN’s at the edge

Tunnel types Ruckus GRE GRE is a well-known tunneling protocol, described in the RFC 2784. An originating packet, which is called a payload packet, is encapsulated in GRE with an additional header added for delivery over a network. It is a delivery protocol and in many cases it can be IPv4. Packets are de-capsulated on the other end of the tunnel and the payload packet is forwarded to the destination.

Ruckus supports a proprietary GRE version called Ruckus GRE, which is used for tunneling the user data from Ruckus Access Points to vSZ, SCG-200 or Zone Director controllers, see Figure 1.

Common configuration options are:

• Ruckus GRE with UDP - commonly used on networks that require NAT traversal • Ruckus GRE - supports optional payload encryption

FIGURE 1 RUCKUS GRE DATA FLOW

©Ruckus Wireless 5


July 2016

Soft-GRE Soft-GRE tunnels are similar to GRE tunnels but only one end of tunnel network connection has to be defined. The Access Point will send an encapsulated packet to a dedicated gateway. When there are packets of data destined for the stations connected to that AP, the gateway will encapsulate these packets to send back to the AP.

This option requires a 3rd-party gateway that supports GRE termination. Soft-GRE tunnels can be used in the following cases:

• From Ruckus APs to 3rd-party gateway i.e. ALU 7750, see Figure 2 • Northbound from SCG to a 3rd-party gateway

FIGURE 2 SOFTGRE DATA FLOW

Tunneling support by Ruckus controllers TABLE 1 TUNNELING SUPPORT

SZ-100 vSZ-E vSZ-H SCG-200

Ruckus GRE Yes Yes* with vSZ-D

Yes* with vSZ-D

Yes

Soft-GRE Yes** Yes** Yes** Yes**

*vSZ-D is required by the vSZ-E and vSZ-H to terminate a data plane tunnel. Tunneling is not supported if a vSZ-D is not present.

vSZ-D capability

• Up 10K AP’s and 100K clients per instance • Throughput 1 or 10 or higher Gbps

** Configuration only i.e. Soft-GRE tunnels should be terminated on a 3rd-party gateway which supports Soft-GRE protocol e.g. ALU 7750

©Ruckus Wireless 6


July 2016

Tunneling Configuration WLAN Data Tunneling with vSZ-H vSZ-H with vSZ-D data plane A vSZ-D data plane VM is required for a vSZ-H to allow termination of Ruckus GRE tunnels from Access Points i.e. tunnels can’t be terminated on a vSZ-H directly.

A vSZ-D is not required to be physically co-located with vSZ-H. This provides a high level of flexibility in creating network architecture(s) with data tunneling. There are two possible scenarios for WLAN data aggregation, which can be implemented with vSZ-D data plane and virtual SmartZone:

1. Centralized tunneled WLANs 2. Distributed tunneled WLANs (future)

Tunneling can be configured on a per-WLAN basis, which means the following scenarios for user data traffic can be implemented for different WLANs on the same AP:

• Local breakout • Data tunneling to vSZ-D over Ruckus GRE • Data tunneling to a 3rd-party gateway over Soft-GRE

For more detailed information on the vSZ-D and how to install and configure it please refer to the “Virtual SmartZone Data Plane (vSZ-D) Configuration Guide”.

FIGURE 3 RUCKUS GRE TUNNEL TERMINATION ON VSZ-D WITH VSZ-H

vDZ-D Note

Every vSZ-D requires a license on the vSZ-H to operate. Make sure the license is available before proceeding.

When a vSZ-D is installed on the network and it is connected to vSZ-H please check the Data Plane status by going to Configuration>>System>>Cluster Planes

The configured vSZ-D(s) instance or instances should be listed under Data Planes showing Managed and Approved status in vSZ-H, see Figure 4

©Ruckus Wireless 7


July 2016

FIGURE 4 EXAMPLE OF VSZ-H DATA PLANE CONFIGURATION

Ruckus GRE configuration To configure a Ruckus GRE tunnel in vSZ-H, an AP Tunneled Profile has to be created. This can be done with the following steps:

1. Log into the Web UI and go to Configuration>>AP zones>> AP tunnel profile>>Ruckus GRE 2. Create new. See Figure 5 Creating Ruckus GRE profilebelow.

FIGURE 5 CREATING RUCKUS GRE PROFILE

Access Point(s) shall be put to an AP Zone.

3. To allocate AP to an AP zone, go to Configuration>>Access Points

Actions >> Move AP to a different zone i.e. icon in the right column of the table, see Figure 6

©Ruckus Wireless 8


July 2016

FIGURE 6 MOVING AP TO AN AP ZONE

To configure a WLAN for an AP zone, use the following steps:

4. Go to Configuration>>AP zones 5. Select correct zone, Zone configuration>>WLAN 6. Create new or select an existing WLAN 7. Select WLAN usage drop down menu and follow to Access Network, Tunnel traffic through Ruckus GRE option, see

Figure 7

FIGURE 7 ENABLE RUCKUS GRE FOR A WLAN

8. Next, allocate the Tunnel Profile created earlier to the AP zone

If an AP Zone does not exist create new AP zone or select Edit to modify the configuration of an existing AP zone.

9. Under AP Tunnel Options select Ruckus GRE tunnel type. 10. From a drop down list for “GRE Tunnel Profile” select the correct profile name, see Figure 8 below.

©Ruckus Wireless 9


July 2016

FIGURE 8 ALLOCATING RUCKUS GRE TUNNEL PROFILE

Soft-GRE configuration Soft-GRE tunnel configuration in a vSZ-H is very similar to Ruckus GRE configuration, but there are some differences.

1. First, create Soft-GRE AP Tunnel profile, 2. Configuration>>AP zones>> AP tunnel profiles>>SoftGRE, see Figure 9 below 3. Configure primary and secondary Gateway addresses or FQDN

Note: Soft-GRE tunnels have to be terminated on 3rd-party gateway with Soft-GRE termination support e.g. ALU 7750

4. MTU size can set as Auto or adjusted within the range 850-1500 bytes to prevent packet fragmentation.

FIGURE 9 SOFTGRE PROFILE

Define a SoftGRE profile for an AP zone:

5. Create a new AP zone or select Edit to modify the configuration of an existing AP zone. 6. Under “AP Tunnel Options” select Soft-GRE tunnel type. 7. Apply the profile created earlier, see an example on Figure 10 below.

FIGURE 10 APPLYING SOFTGRE PROFILE

Next, enable Soft-GRE tunneling for a WLAN.

8. Create a new or select an existing WLAN for an AP zone 9. Select WLAN usage drop down menu and mark a tick box for “Access Network >> Tunnel traffic through SoftGRE”, see

Figure 11.

©Ruckus Wireless 10


July 2016

FIGURE 11 SOFT-GRE TUNNELING FOR WLAN

An AP must be assigned to the correct AP zone. If it has not, please refer to Figure 6 earlier in this document and follow the steps above it.

Tunneling with SZ 100 Enabling Ruckus GRE tunnel Ruckus GRE tunnels from Ruckus APs can be directly terminated on a SZ-100 data plane. Tunneling can be configured using SZ 100 GUI. To configure a Ruckus GRE tunnel, use the following steps:

1. Go to Configuration>>AP Tunnel Settings and select Ruckus GRE tunnel type, see Figure 12. 2. Select GRE + UDP options if NAT traversal is required 3. Tunnel encryption can be optionally enabled.

FIGURE 12 ENABLING RUCKUS GRE SETTING



July 2016

Next, enable tunneling for the WLAN, this will tunnel all of the clients’ data to the SZ 100. To configure this, use the following steps:

4. Go to Configure>>WLANs and select the WLAN for tunneling. 5. Under WLAN Usage >> Access Network, mark the tick box “Tunnel WLAN traffic through Ruckus GRE”, see Figure 13

below.

FIGURE 13 ENABLING PER WLAN TRAFFIC TUNNELING

Enabling Soft GRE tunnel A Soft GRE tunnel can be enabled if the AP has to terminate traffic on a 3rd-party gateway with Soft GRE support. To enable the tunnel, use the following steps:

1. Go to Configuration>> AP Tunnel Settings 2. From the dropdown select “SoftGRE” option 3. Configure primary and secondary Gateway address or FQDN

MTU size can left as Auto or adjusted within the range 850-1500 bytes to prevent packet fragmentation, see Figure 14.

FIGURE 14 ENABLING SOFTGRE IN A SZ-100



July 2016

Tunneling of data traffic is enabled on a per-WLAN basis. To configure this, use the following steps:

4. Go to Configure>>WLANs and select the WLAN you want to tunnel traffic for. 5. Under WLAN Usage enable tick box Tunnel WLAN traffic through Soft GRE.

FIGURE 15 ENABLING WLAN TUNNELING WITH SOFT-GRE



July 2016

Tunneling with vSZ-E vSZ-E and vSZ-D data plane Similar to a vSZ-H, a vSZ-E also requires a separate data plane based on the vSZ-D platform to terminate Ruckus GRE tunnels. The data flow of traffic is the same as shown on Figure 3 earlier in this document.

Every vSZ-D requires a license on the vSZ-E to operate. Validate that this license is available by going to Administration>>License, see Figure 16 below.

FIGURE 16 VSZ-E LICENSING TABLE

A vSZ-D is installed as a separate VM that is controlled by the vSZ-E. Validate the vSZ-D is managed by the vSZ-E. To do this, log into the vSZ-E GUI and check under System>>Cluster Planes for Managed and Approved status in the list of Data Planes. To do that, go to Configuration>>System>>Cluster Planes. If it is not showing as approved and managed, the vSZ-D may still require an approval or it may not be communicating with the vSZ-E. Check the vSZ-D configuration and network settings to confirm operations.

FIGURE 17 EXAMPLE. VSZ-D DATA PLANE WITH MANAGED AND APPROVED STATUS

Ruckus GRE configuration When a vSZ-D data plane is shown with a Managed and Approved status in the vSZ-E, it may serve as a data plane for termination of Ruckus GRE tunnels from Ruckus APs. Configuration steps for tunneling are very similar to those for SZ-100 platform. Tunneling can be configured using vSZ-E GUI using the following steps:

6. On the vSZ-E go to Configuration>>AP Tunnel Settings and select the Ruckus GRE tunnel type. See Figure 18 below

FIGURE 18 ENABLING RUCKUS GRE IN VSZ-E

7. Select GRE + UDP options if NAT traversal is required 8. Tunnel encryption can be optionally enabled, by marking the check box.



July 2016

Tunneling is enabled on per-WLAN basis. To configure it for a specific WLAN, use the following steps:

9. Go to Configuration>>WLANs 10. Select a WLAN from the list or create a new WLAN if it does not exist 11. Under WLAN Usage mark the check box “Tunnel WLAN traffic through Ruckus GRE” as shown on Figure 19 below

FIGURE 19 ENABLING RUCKUS GRE TUNNEL FOR A WLAN ON THE VSZ-E

Soft-GRE configuration Soft-GRE tunnels should be enabled on the vSZ-E when an AP has to terminate its tunnel on a 3rd-party gateway with Soft-GRE tunnel support.

To enable Soft-GRE on the vSZ-E, use the following steps:

1. Go to Configuration>> AP Tunnel Settings 2. From the dropdown select SoftGRE option as a Tunnel Type. 3. Next, configure the primary and secondary Gateway address or FQDN. See Figure 20. Note that the Gateway IP address

is shown as an example only. 4. MTU size can set as Auto or adjusted within the range 850-1500 bytes to prevent packet fragmentation from an increased

overhead in the packets.

FIGURE 20 SOFT-GRE CONFIGURATION EXAMPLE ON THE VSZ-E



July 2016

5. Next, enable tunneling for specific WLAN, to configure it go to 6. Configure>>WLANs and select the WLAN you want to tunnel traffic for 7. Under WLAN Usage, mark the tick box “Tunnel WLAN traffic through Soft GRE”, see Figure 21

FIGURE 21 SOFT-GRE WLAN CONFIGURATION IN VSZ-E



July 2016

Enabling Soft-GRE + IPsec Tunnel

The use of Soft-GRE tunnels with IPsec is most applicable to mobile service providers where tunnels from APs must be terminated on a Wireless Access Gateway (WAG) in the Evolving Packet Core (EPC). The use of IPSec ensures these tunnels are encrypted. Please note that not all Access Points support IPsec tunnels. Verify your AP model supports this feature before deploying.

When enabling multiple tunneling protocols please consider the amount of packet overhead and adjust the MTU size if necessary. The IPsec protocol is CPU intensive and may impact performance of the tunnel endpoints i.e. in our case these are the Access Points with IPsec support and the aggregation gateway. The gateway where IPsec tunnels get terminated should have enough processing power to handle traffic from all endpoints, to validate the capability please check in documentation for specific platform.

Let’s consider a configuration example on SZ 100 platform. To start with, create a profile for IPsec in SZ-100 configuration by following these steps:

1. Go to Configuration>>Access Points>>IPsec > Create New 2. Configure a profile name and security gateway where this tunnel will be terminated

Authentication can be either set as a shared key or as a certificate based, see an example on Figure 22 for a shared key authentication. Configure the security gateway accordingly to match these authentication settings so these tunnel endpoints can be authenticated and an IPsec tunnel established. This may also require configuring additional features for IKE and ESP as well as for the Certification Management protocol.

FIGURE 22 CREATING IPSEC PROFILE



July 2016

Troubleshooting Validate supported configuration

When implementing WLAN designs with Ruckus GRE tunnels and SmartZone controllers please validate that the controller(s) has a data plane to terminate these tunnels. Table 1 provides the information for supported combinations. Note that SZ-100 platform has a data plane built-in, where vSZ-E and vSZ-H will require an external data plane.

vSZ-D configuration and licensing

When vSZ-D is installed as a VM and configured to operate with vSZ-E or vSZ-H, make sure they have an available license assigned to it. Additionally, vSZ-D has to be Managed and Approved as shown on Figure 4 and Figure 17.

Impact from applying incorrect configuration

If Ruckus GRE tunnel is enabled for a specific WLAN in the controller and this controller has no data plane present, the access points will not be able to terminate this tunnel and the SSID allocated to this WLAN will not be operational in these APs.

Firewalls and network connectivity

In some cases wireless APs and the wireless controller data plane can be deployed within same L2 domain (VLAN) but it is very likely that many deployments will be done over a L3 network where IP packets from one tunnel endpoint (AP) will have to cross multiple routers to reach other end of the tunnel (Data Plane).

In more complex L3 configurations, traffic may have to traverse a NAT router or a firewall. Tunneling protocol option shall be set to Ruckus GRE + UDP and these UDP ports shall be permitted through the firewall.

To help with troubleshooting, some examples of Ruckus GRE data captures are included in Appendix A: Examples of traffic captures of this document.



July 2016

Summary

This document discussed tunneling configuration for Ruckus GRE and Soft-GRE tunnel types on Ruckus Wi-Fi controllers and APs. Although most configuration steps look very similar across the SZ-100 and vSZ-E / vSZ-H platforms there are some differences between them. The most important feature is that the virtual platforms require a vSZ-D to assist with tunneling. Please note a WLAN configured to tunnel traffic will not function if the data plane is not present. This includes the advertising of a tunneled WLAN SSID.

Additional consideration should be given to the increased overhead, both in the packet size due to additional layer of encapsulation and in the processing requirements on both tunneling endpoints, especially, in cases where encrypted tunnels are configured.

To demonstrate different encapsulations, some examples of packet captures have been provided in Appendix A: Examples of traffic captures.



July 2016

Appendix A: Examples of traffic captures Ruckus GRE with UDP Below is an example of a Wireshark traffic capture performed on the Ethernet port connected to a Ruckus AP. In this example, data is encapsulated using Ruckus GRE + UDP protocol option.

• Access Point IP: 10.3.6.21 • vSZ-D IP: 192.168.110.24

The Figure 23 shows UDP packets with tunneled data passed between an AP and vSZ-D in both directions.

FIGURE 23 RUCKUS GRE PLUS UDP TRAFFIC CAPTURE



July 2016

Ruckus GRE

Below is an example of a Wireshark traffic capture performed on the Ethernet port connected to a Ruckus AP. In this example data is encapsulated using Ruckus GRE protocol option.

• Access Point IP: 10.3.6.64 • SZ-100 IP: 10.3.7.167

The Figure 24 shows GRE (Protocol 47) packets with tunneled data passed between the AP and SZ 100 in both directions.

FIGURE 24 GRE TUNNEL



July 2016

About Ruckus Headquartered in Sunnyvale, CA, Ruckus Wireless, Inc. is a global supplier of advanced wireless systems for the rapidly expanding mobile Internet infrastructure market. The company offers a wide range of indoor and outdoor “Smart Wi-Fi” products to mobile carriers, broadband service providers, and corporate enterprises, and has over 36,000 end-customers worldwide. Ruckus technology addresses Wi-Fi capacity and coverage challenges caused by the ever-increasing amount of traffic on wireless networks due to accelerated adoption of mobile devices such as smartphones and tablets. Ruckus invented and has patented state-of-the-art wireless voice, video, and data technology innovations, such as adaptive antenna arrays that extend signal range, increase client data rates, and avoid interference, providing consistent and reliable distribution of delay-sensitive multimedia content and services over standard 802.11 Wi-Fi. For more information, visit http://www.ruckuswireless.com.

Ruckus and Ruckus Wireless are trademarks of Ruckus Wireless, Inc. in the United States and other countries.

Copyright 2013 Ruckus Wireless, Inc. All Rights Reserved. Copyright Notice and Proprietary Information No part of this documentation may be reproduced, transmitted, or translated, in any form or by any means without prior written permission of Ruckus Wireless, Inc. (“Ruckus”), or as expressly provided by under license from Ruckus

Destination Control Statement Technical data contained in this publication may be subject to the export control laws of States law is prohibited. It is the reader’s responsibility to determine the applicable regulations and to comply with them.

Disclaimer THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. RUCKUS AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. RUCKUS RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME.

Limitation of Liability IN NO EVENT SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL

tunneling configuration guide for enterprise · enabling soft gre tunnel a soft gre tunnel can be...

Documents