WiNG 5.3

Upload: darcy-wilkerson

Post on 22-Dec-2015


Page 1

WiNG 5.3

Page 2

WiNG 5.3 Training Agenda

• Layer 2 Enhancements:
  – Tunnel-Controller Load Balancing
  – L2TPv3
  – Layer 2 NAT
  – IGMP Snooping
• Layer 3 Enhancements:
  – Policy Based Routing
  – NAT Load Balancing / Failover
  – OSPF
  – VRRP
  – Critical Resource Monitoring
  – Default Gateway Prioritization
  – PPPoE Client
• Security Enhancements:
  – IPsec VPN
  – Auto IPsec Secure

© 2012 Motorola Solutions Proprietary & Confidential 2

Page 3

Layer 2 Enhancements

Page 4

Tunnel-Controller Load Balancing – Overview

• Introduces support for load-balancing Extended VLANs between a cluster of Controllers
  – Must be enabled on both the Controllers and Access Points (Profile or Override)
  – Intended for Layer 2 or Layer 3 Adopted 802.11n Access Points
  – Disabled by default
• Allows 802.11n Access Points to operate in a similar manner to AP300 / AP650 Access Points in WiNG 4.x

[Diagram: two topologies, "No Tunnel Load Balancing" and "With Tunnel Load Balancing", each showing a Switch, two Controllers and several APs; without load balancing all AP tunnels terminate on one Controller, with it they are spread across both]

Page 5

Layer 2 Tunneling Protocol v3 – Overview

• L2TPv3 is an IETF standard used for transporting different types of layer 2 frames over an IPv4 network
• Supports two peers per tunnel
  – Primary peer preferred over secondary peer
• L2TPv3 can be deployed to transport Ethernet frames between supported Access Point devices and a third-party Router or Concentrator
  – Tunnel wireless user traffic to a third-party Router in the DMZ
  – Tunnel wireless user traffic from Access Points to different service provider Routers
• In WiNG 5.3 L2TPv3 support is only provided for certain Access Points
• L2TPv3 Tunnel Termination on Integrated Services Controllers will be introduced in WiNG 5.4.

Page 6

Layer 2 Tunneling Protocol v3 – Configuration Example – Topology

[Diagram: L2TPv3 Tunnels from AP7131N Access Points to a Third-Party Router]

Page 7

Layer 2 NAT – Overview

• In branch Extended VLAN environments, if an MU wants to browse the Internet or communicate with a local service at the branch site (i.e. Printer, File Server etc.), the MU's packets travel all the way to the Data Center where the Wireless Controllers and default router reside:
  – All traffic traverses the WAN or VPN connection
• A workaround is for the MU to connect to a separate VLAN with Local Bridging, but this requires the user to switch Wireless LANs
• The Layer 2 NAT and Policy Based Routing features in WiNG 5.3 address this limitation:
  – Allows Internet traffic to be forwarded locally at the Branch while corporate traffic is forwarded to the Data Center over the Extended VLAN
  – Allows users to access Printers and Servers deployed at the Branch without traversing the WAN
• Similar concept to Split Tunneling with IPsec VPN

Page 8

Layer 2 NAT – Configuration Example – Topology

[Diagram: topology for the Layer 2 NAT configuration example]

Page 9

IGMP Snooping – Overview

• IGMP snooping provides an efficient multicast delivery and bandwidth conservation mechanism for layer 2 devices
  – The layer 2 device only forwards Multicast groups out of ports / radios where group members are present and not to non-member ports / radios
  – The Layer 2 device monitors IGMP membership reports (joins / leaves) and builds an IGMP table mapping groups to host ports / radios
• When disabled, multicast forwarding behavior varies by vendor
  – Layer 2 devices may flood known and unknown IP Multicast groups to all ports in the broadcast domain
  – Layer 2 devices may suppress known Multicast groups until a single receiver joins a specific Multicast group
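The forwarding logic the slide describes, as an added Python model (not WiNG code, and not from the original deck): the device records IGMP joins and leaves in a group-to-port table and, with snooping on, forwards a group only to the ports / radios that reported membership. With snooping off it applies one of the two vendor behaviours listed above, selected by the assumed `unknown_policy` parameter ("flood" or "suppress"). Port names and group addresses are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class L2Device:
    """Layer 2 device (switch or AP) that snoops IGMP membership reports.

    ports: every port / radio in the broadcast domain.
    unknown_policy: vendor behaviour used when snooping is disabled,
                    "flood" or "suppress" (the two cases on the slide).
    table: group -> set of ports / radios where a member is present.
    """
    ports: set
    snooping: bool = True
    unknown_policy: str = "flood"
    table: dict = field(default_factory=dict)

    def membership_report(self, group, port):
        """IGMP join seen on `port`: record it as a receiver for `group`."""
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        self.table.setdefault(group, set()).add(port)

    def leave(self, group, port):
        """IGMP leave seen on `port`: drop it; drop the group once it has no members."""
        members = self.table.get(group)
        if members is None:
            return
        members.discard(port)
        if not members:
            del self.table[group]

    def egress_ports(self, group, ingress):
        """Ports a multicast frame for `group` arriving on `ingress` is sent to."""
        others = self.ports - {ingress}
        if self.snooping:
            # Only ports that reported membership; non-member ports never see it.
            return self.table.get(group, set()) - {ingress}
        if self.unknown_policy == "flood":
            # Vendor behaviour 1: known and unknown groups flood the domain.
            return others
        # Vendor behaviour 2: a group is suppressed until one receiver has joined.
        return others if group in self.table else set()


def demo():
    """Constructed walk-through: two receivers join, then one leaves."""
    dev = L2Device(ports={"ge1", "ge2", "radio1", "radio2"})
    dev.membership_report("239.1.1.1", "radio1")
    dev.membership_report("239.1.1.1", "ge2")
    before = dev.egress_ports("239.1.1.1", "ge1")   # {"radio1", "ge2"}
    dev.leave("239.1.1.1", "radio1")
    after = dev.egress_ports("239.1.1.1", "ge1")    # {"ge2"}
    return before, after


if __name__ == "__main__":
    print(demo())
```

The snooping branch returns an empty set for a group nobody has joined, which is exactly the bandwidth-conservation property the slide claims; compare it with the `flood` policy, where the same frame reaches every port in the domain.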

Page 10

IGMP Snooping – Configuration Example – Topology

[Diagram: topology for the IGMP Snooping configuration example]


Page 12

Layer 3 Enhancements

Page 13

Policy Based Routing – Overview

• The current routing infrastructure in WiNG utilizes destination based routing
  – Traffic is forwarded to the next hop based on the best match in the routing table
• Policy Based Routing allows administrators to route traffic in ways that go beyond traditional destination based routing:
  – Allows select traffic to be routed using criteria such as source / destination address, protocol, application and traffic class (DSCP)
  – Allows traffic to be load-balanced across multiple WAN links
  – Allows traffic to be selectively marked for QoS purposes

Page 14

Policy Based Routing – Route-Map Match Clauses

• Match clauses are used to select traffic:
  – IP Access List – Traffic matching permit rules will be subjected to PBR; traffic matching deny rules will be subjected to destination based routing
  – IP DSCP – DSCP value in the IP header of packets
  – Incoming WLAN – Applicable only on platforms with an on-board radio (RFS4000 and AP71xx)
  – Wireless Client ROLE – Applicable only on platforms with an on-board radio (RFS4000, AP71xx)
  – Incoming Interface – Ingress layer 3 interface (VLAN, PPPoE, WWAN)
• If a route-map has no match clauses, then it shall match all traffic
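How the match clauses above combine, as an added Python model written for this page (it is not WiNG code and does not reproduce the WiNG CLI): each route-map entry may carry an ACL, DSCP, incoming WLAN, client role and incoming interface clause; ACL-permitted traffic is eligible for PBR while ACL-denied traffic falls through to destination based (longest prefix match) routing, every other configured clause must also match, and an entry with no clauses matches everything. The ACL, route-map entries, routing table and packets are constructed sample data using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dscp: int = 0
    wlan: Optional[str] = None        # incoming WLAN (on-board radio platforms)
    role: Optional[str] = None        # wireless client role
    in_iface: Optional[str] = None    # ingress layer 3 interface (VLAN, PPPoE, WWAN)


@dataclass
class AclRule:
    action: str            # "permit" or "deny"
    src: str               # source prefix in CIDR notation
    dst: str               # destination prefix in CIDR notation
    protocol: str = "any"

    def matches(self, pkt):
        return (self.protocol in ("any", pkt.protocol)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


def acl_action(rules, pkt):
    """First matching rule wins; the list ends with an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


@dataclass
class RouteMapEntry:
    next_hop: str
    acl: Optional[list] = None
    dscp: Optional[int] = None
    wlan: Optional[str] = None
    role: Optional[str] = None
    in_iface: Optional[str] = None

    def matches(self, pkt):
        # Only ACL-permitted traffic is subject to PBR; denied traffic falls through.
        if self.acl is not None and acl_action(self.acl, pkt) != "permit":
            return False
        # Every other configured clause must match; no clauses at all matches everything.
        for want, have in ((self.dscp, pkt.dscp), (self.wlan, pkt.wlan),
                           (self.role, pkt.role), (self.in_iface, pkt.in_iface)):
            if want is not None and want != have:
                return False
        return True


def destination_route(routing_table, pkt):
    """Traditional destination based routing: longest prefix match."""
    dst = ipaddress.ip_address(pkt.dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def forward(route_map, routing_table, pkt):
    """("pbr", next_hop) for the first matching entry, else ("destination", next_hop)."""
    for entry in route_map:
        if entry.matches(pkt):
            return ("pbr", entry.next_hop)
    return ("destination", destination_route(routing_table, pkt))


# Constructed sample configuration for a branch with a local Internet link.
GUEST_ACL = [
    AclRule("permit", "10.10.0.0/16", "0.0.0.0/0"),   # guest WLAN subnet -> PBR
    AclRule("deny", "10.0.0.0/8", "0.0.0.0/0"),        # corporate subnets -> routing table
]
ROUTE_MAP = [
    RouteMapEntry(next_hop="203.0.113.1", acl=GUEST_ACL),                 # local ISP
    RouteMapEntry(next_hop="198.51.100.1", dscp=46, in_iface="vlan20"),   # voice link
]
ROUTING_TABLE = [("0.0.0.0/0", "192.0.2.1"), ("10.0.0.0/8", "10.255.0.1")]


def classify(pkt):
    return forward(ROUTE_MAP, ROUTING_TABLE, pkt)


if __name__ == "__main__":
    print(classify(Packet("10.10.5.5", "198.51.100.200")))
```

Note the order of evaluation: the ACL deny on the corporate prefix does not drop the packet, it only excludes it from that route-map entry, so the voice packet from 10.20.0.5 still reaches the DSCP entry and everything else is routed by the routing table.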

Page 15

Policy Based Routing – Configuration Example – Topology

[Diagram: topology for the Policy Based Routing configuration example]

Page 16

NAT Load-Balancing / Failover – Overview

• NAT has been enhanced to support multiple overloaded interfaces which can be used for Load-Balancing and Failover
  – Failover – High-availability based on Default Gateway Prioritization & Critical Resource Monitoring
  – Load-Balancing – Leverages Policy Based Routing to forward traffic across multiple Internet connections
• Each NAT rule can contain multiple interfaces (in any order):
  – Virtual IP Interfaces
  – PPPoE Interface
  – WWAN Interface
• Enables highly available remote branch deployments as well as flexible traffic forwarding

Page 17

Open Shortest Path First (OSPFv2) – Overview

• The dynamic routing protocol OSPFv2 is supported in the WiNG 5.3 release
  – OSPF implementation compliant with RFC 2328
  – OSPF supported on broadcast (VLAN) interfaces
• The maximum number of dynamic routes supported is limited by the routing table size supported on the individual platform
• Supports ABR, ASBR, Stub, Totally Stub, NSSA, Totally NSSA
• Supports route redistribution and route summarization
  – Only static and connected routes can be redistributed into OSPF
• Interacts with VRRP by only advertising via the VRRP master
• Interacts with Policy Based Routing

Page 18

Open Shortest Path First (OSPFv2) – Standard Area Types

[Diagram: OSPF standard area types]

Page 19

Open Shortest Path First (OSPFv2) – Configuration Example – Topology

[Diagram: topology for the OSPFv2 configuration example]

Page 20

Virtual Router Redundancy Protocol (VRRP) – Overview

• Provides default gateway redundancy for branch office deployments
  – Allows our Wireless Controllers / Access Points to provide default gateway services to users in the event of a primary Router failure (i.e. failover to 3G)
• VRRP version 2.0 (RFC 3768) and version 3.0 (RFC 5798) are supported
  – Default is version 2.0
  – Version 3.0 supports sub-second failover but very few vendors support it for IPv4 (i.e. it is primarily implemented for IPv6)
• Proprietary implementation in Version 2.0 to support sub-second failover (i.e. the advertisement interval can be specified in msec)
  – This feature was added since most vendors support this for providing sub-second failover
  – By default the advertisement interval is set to 1 second

Page 21

Virtual Router Redundancy Protocol (VRRP) – Overview Cont.

• Supports failover in case of a WAN link failure on a WiNG or third-party Router
  – If the backup router detects that the WAN link on the master is down, then it will become the new VRRP master
  – When the link gets restored, the VRRP master will transition back to a backup state
• All services (DHCP, RADIUS, NAT, and VPN) running over the virtual IP are supported
  – For DHCP relay, one can point to the DHCP server as the virtual IP
  – For VPN, on the initiator side, the remote peer can be configured as the virtual IP
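Two points from the previous two slides are worth seeing in numbers: why a millisecond advertisement interval alone does not give sub-second failover under the version 2 timer rules, and how WAN-link tracking moves the master role and hands it back. The Python below is an added example for this page, not WiNG code; the timer arithmetic follows RFC 3768 (v2: Skew_Time = (256 - Priority) / 256 s) and RFC 5798 (v3: Skew_Time = (256 - Priority) * Master_Adver_Interval / 256), and applying the v2 formula unchanged to WiNG's proprietary msec interval is an assumption, since the deck does not state how that extension computes the timer. Router names, addresses and priorities are constructed.

```python
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    ip: str
    priority: int          # 1-254, higher value wins the election
    wan_up: bool = True    # state of the tracked WAN link


def skew_time_ms(priority, adv_interval_ms, version=2):
    """Extra wait a backup adds before declaring the master down.

    v2 (RFC 3768): (256 - Priority) / 256 seconds, regardless of interval.
    v3 (RFC 5798): (256 - Priority) * Master_Adver_Interval / 256.
    Integer milliseconds are returned (truncated).
    """
    if version == 2:
        return (256 - priority) * 1000 // 256
    return (256 - priority) * adv_interval_ms // 256


def master_down_interval_ms(priority, adv_interval_ms, version=2):
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time (both RFCs)."""
    return 3 * adv_interval_ms + skew_time_ms(priority, adv_interval_ms, version)


def elect_master(routers):
    """Highest-priority router whose WAN link is up becomes master.

    A master whose WAN fails stops contending, so the backup takes over;
    when the link is restored the higher-priority router preempts again,
    which is the behaviour the slide describes. Ties break on the higher
    IP address, as in the RFC election rule.
    """
    eligible = [r for r in routers if r.wan_up]
    if not eligible:
        return None
    return max(eligible,
               key=lambda r: (r.priority, tuple(int(o) for o in r.ip.split(".")))).name


def run_events(routers, events):
    """Apply (router_name, wan_up) events in order; return the master after each."""
    by_name = {r.name: r for r in routers}
    history = [elect_master(routers)]
    for name, wan_up in events:
        by_name[name].wan_up = wan_up
        history.append(elect_master(routers))
    return history


def sample_routers():
    """Constructed pair: R1 is the preferred gateway, R2 the 3G-backed backup."""
    return [VrrpRouter("R1", "192.0.2.2", 110), VrrpRouter("R2", "192.0.2.3", 100)]


if __name__ == "__main__":
    for ver in (2, 3):
        print(f"v{ver}: adv 1000 ms -> master down after "
              f"{master_down_interval_ms(100, 1000, ver)} ms; "
              f"adv 100 ms -> {master_down_interval_ms(100, 100, ver)} ms")
    print(run_events(sample_routers(), [("R1", False), ("R1", True)]))
```

With priority 100 and a 100 ms interval, v2 arithmetic still waits 909 ms (300 ms of missed advertisements plus a 609 ms skew that does not shrink with the interval), whereas the v3 formula scales the skew down and detects the failure after 360 ms. That is the gap the slide's "proprietary implementation" has to close in one way or another, and a value worth checking on the wire when you validate a sub-second design.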

Page 22

Virtual Router Redundancy Protocol (VRRP) – Configuration Example – Topology

[Diagram: topology for the VRRP configuration example]

Page 23

Critical Resource Monitoring – Overview

• Used to monitor user defined IP addresses / links for liveliness
  – Monitoring is done by ARP and ICMP ping requests
• Resources can be monitored via:
  – IP Address – If the gateway address is statically configured
  – Interface – If the gateway address is dynamically learned from DHCP or PPPoE
• Up to four sets of critical resources can be defined:
  – Under each set, up to four IP addresses can be configured for monitoring
  – The user can choose to take action when all resources in a set are down or when any of the resources is down
• VRRP, Policy Based Routing and Default Route Prioritization can all leverage the results of CRM
• The user can configure critical resources to be:
  – Monitored via an IP address (if the gateway address is statically configured)
  – Monitored via an interface (if the gateway address is dynamically learnt via DHCP or PPP)

Page 24

Default Gateway Prioritization – Overview

• WiNG 5.3 devices can learn a default gateway via:
  – Static Route
  – DHCP Client (Virtual IP Interface)
  – PPPoE / WWAN
  – OSPF
• The feature allows administrators to prioritize the Default Gateways learnt via the above means
  – The default gateway with the lowest priority value shall be installed on the system
• All learned default gateways are monitored for liveliness
  – In case a default gateway becomes unreachable, the next preferred gateway is installed on the system. Whenever the old gateway comes back online, it is restored
• The default order of preferred gateways is Static Route, DHCP Client, PPPoE, WWAN and OSPF
• This feature is available on all WiNG 5.X platforms

Page 25

Default Gateway Prioritization – Default Priorities

Each Interface can be assigned a priority from 1 – 8,000. The default gateway with the lowest priority value is installed!

Default Gateway Learned By    Default Priority
Static Route                  100
DHCP Client                   1,000
PPPoE                         2,000
3G WAN                        3,000
OSPF                          7,000
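The selection rule from the last two slides, together with the Critical Resource Monitoring sets from Page 23 that feed it, as one added Python model (written for this page; not WiNG code and not its configuration syntax): each learned gateway carries the default priority from the table above unless overridden within 1 – 8,000, a CRM set of up to four probed resources can be attached to it with an "all down" or "any down" trigger, and after every round of ARP / ICMP probe results the usable gateway with the lowest priority value is installed, so the sequence shows both failover to the next preferred gateway and restoration of the old one. The gateways, CRM set and probe results are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Default priorities from the slide table; the lowest value is installed.
DEFAULT_PRIORITY = {"static": 100, "dhcp": 1000, "pppoe": 2000, "wwan": 3000, "ospf": 7000}


@dataclass
class CriticalResourceSet:
    """One of up to four CRM sets, each probing up to four resources.

    trigger="all": the set is down only when every resource is unreachable.
    trigger="any": the set is down as soon as one resource is unreachable.
    Resources are IP addresses, or interface names for DHCP / PPPoE gateways.
    """
    name: str
    resources: list
    trigger: str = "all"

    def __post_init__(self):
        if not 1 <= len(self.resources) <= 4:
            raise ValueError("a critical resource set monitors one to four resources")
        if self.trigger not in ("all", "any"):
            raise ValueError("trigger must be 'all' or 'any'")

    def is_down(self, reachable):
        up = [r in reachable for r in self.resources]
        return not any(up) if self.trigger == "all" else not all(up)


@dataclass
class DefaultGateway:
    address: str
    learned_by: str                          # static, dhcp, pppoe, wwan or ospf
    priority: Optional[int] = None           # 1-8000; None -> default for learned_by
    crm: Optional[CriticalResourceSet] = None

    def __post_init__(self):
        if self.priority is None:
            self.priority = DEFAULT_PRIORITY[self.learned_by]
        if not 1 <= self.priority <= 8000:
            raise ValueError("priority must be between 1 and 8,000")

    def usable(self, reachable):
        """Usable when its own liveliness probe answers and its CRM set, if any, is up."""
        if self.address not in reachable:
            return False
        return not (self.crm and self.crm.is_down(reachable))


def select_default_gateway(gateways, reachable):
    """Install the usable gateway with the lowest priority value (None if none)."""
    usable = [g for g in gateways if g.usable(reachable)]
    return min(usable, key=lambda g: g.priority).address if usable else None


def simulate(gateways, probe_rounds):
    """Re-select after each round of probe results; returns the installed gateway per round."""
    return [select_default_gateway(gateways, set(r)) for r in probe_rounds]


# Constructed branch: static gateway on the primary WAN validated by a CRM set of two
# upstream hosts, a PPPoE DSL backup, and a 3G WWAN link as the last resort.
UPSTREAM = CriticalResourceSet("wan-upstream", ["198.51.100.10", "198.51.100.11"], "all")
GATEWAYS = [
    DefaultGateway("192.0.2.1", "static", crm=UPSTREAM),
    DefaultGateway("203.0.113.1", "pppoe"),
    DefaultGateway("100.64.0.1", "wwan"),
]
ALL_UP = ["192.0.2.1", "198.51.100.10", "198.51.100.11", "203.0.113.1", "100.64.0.1"]
ROUNDS = [
    ALL_UP,
    ["192.0.2.1", "198.51.100.11", "203.0.113.1", "100.64.0.1"],  # one upstream host down
    ["192.0.2.1", "203.0.113.1", "100.64.0.1"],                   # both upstream hosts down
    ["192.0.2.1", "100.64.0.1"],                                  # DSL gateway down as well
    ALL_UP,                                                       # everything restored
]

if __name__ == "__main__":
    for rnd, installed in zip(ROUNDS, simulate(GATEWAYS, ROUNDS)):
        print(f"reachable={sorted(rnd)} -> installed {installed}")
```

Round 3 is the case the CRM attachment exists for: the static gateway still answers ARP, but both upstream hosts behind it are gone, so the "all" trigger marks the set down and the PPPoE gateway is installed; when the probes recover in round 5 the static gateway is restored because it again has the lowest priority value.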

Page 26

PPPoE Client – Overview

• Many Internet service providers (ISPs) use the Point-to-Point Protocol over Ethernet (PPPoE) to provide Digital Subscriber Line (DSL) broadband Internet access
• PPPoE uses the standard methods of encryption, authentication, and compression specified by the Point-to-Point Protocol (PPP)
• Implementing a PPPoE client allows a WiNG 5.X device to connect to the ISP over an Ethernet interface
  – Uses the interface name pppoe1
  – Interface supports Firewall and Crypto policies as well as NAT
• A PPPoE client interface can be defined within a Device Profile or directly on a device as a Device Override
• Interface configuration MUST include the VLAN ID the DSL modem is connected to!


Page 28

Security Enhancements

Page 29

IPsec VPN – Overview

• WiNG 5.3 re-introduces support for standards-based IPsec VPN on select WiNG 5.X Access Points
  – Site-to-Site VPN
  – Remote VPN
  – Host to Host
• Remote VPN support added to Controllers!
• Can be used when MINT and/or user traffic needs to be secured over an IPv4 network
  – Access Point to Controller within a site or over a Public network
  – Branch Offices
  – Remote Teleworkers
  – Secure communications to specific hosts (i.e. Controller to RADIUS or LDAP)
• Completely new IPsec implementation which integrates tightly with NAT and VRRP in addition to providing support for redundant peers

Page 30

IPsec VPN – VPN Configuration Example 1 – Topology

[Diagram: topology for IPsec VPN configuration example 1]

Page 31

IPsec VPN – VPN Configuration Example 2 – Topology

[Diagram: topology for IPsec VPN configuration example 2]

Page 32

Auto IPsec Secure – Overview

• IPsec security for AP to Controller and Controller to Controller traffic, with minimal configuration:
  – Set up IPsec tunnel based on the configured list of controller hosts
  – Set up IPsec tunnel based on statically configured link configuration
• No explicit traffic selector configured by the user. The traffic selector is internally derived!
• No explicit transform set configured by the user! The only credentials configured are the identity and authentication credentials!

Page 33

Auto IPsec Secure – Configuration Example – Topology

[Diagram: topology for the Auto IPsec Secure configuration example]

Page 34

Q&A