CCDA Notes Identifying Wireless Networking Considerations
Wireless networks are experiencing widespread growth because of their availability, flexibility, and service offerings. This section introduces the Cisco unified wireless network architecture. Specifically, after an introduction of the Cisco unified wireless network, this section examines network controller technologies and presents guidelines for wireless network design in enterprise networks.
Introducing the Cisco Unified Wireless Network
Wireless local-area networks (WLAN) offer network access via radio waves. Wireless clients (such as a PC or PDA) access a wireless access point, using half-duplex communication. The wireless access point allows a wireless client to reach the rest of the network.
Traditional WLANs use an access point in autonomous mode, where the access point is configured with a service set identifier (SSID), radio frequency (RF) channel, and RF power settings. However, having an autonomous access point tasked with all these responsibilities can limit scalability and can hinder the addition of advanced wireless services.
Five primary components comprise the Cisco unified wireless network architecture:
- Clients—A wireless client device is typically an end-user device (such as a PC) that accesses a wireless network.
- Access point—Wireless access points offer network access for wireless clients.
- Network unification—To offer wireless clients access to an organization’s resources, the wireless network must be integrated (that is, unified) with the wired LAN.
- Network management—Just as enterprise LANs benefit from network management solutions, a wireless LAN can also use network management solutions to enhance security, reliability, and to offer assistance in WLAN deployments. An example of a wireless network management solution is the Cisco Wireless Control System (WCS).
- Mobility—Wireless mobility services include security threat detection, voice services, location services, and guest access.
Aside from autonomous mode, Cisco unified wireless networks can alternatively operate in split-MAC mode. With split-MAC operation, an access point is considered to be a “lightweight” access point, which cannot function without a wireless LAN controller (WLC).
Specifically, a wireless LAN client sending traffic to the wired LAN sends a packet to a lightweight access point, which encapsulates the packet using the Lightweight Access Point Protocol (LWAPP). The encapsulated traffic is sent over an LWAPP tunnel to a WLC. LWAPP sends packets in a Layer 2 frame with an Ethertype of 0xBBBB. LWAPP data traffic uses a destination port of 12222; LWAPP control traffic uses a destination port of 12223.
The lightweight access point, as shown, performs functions such as beaconing, packet transmission, and frame queuing; the WLC assumes roles such as authentication, key management, and resource reservation
The operation of the wireless access point discussed thus far is referred to as local mode. However, several other access point modes exist:
- Remote edge access point (REAP) mode—REAP allows an access point and a WLC to be separated by a WAN, as opposed to being connected on the same LAN.
- Rogue detector mode—Route access points can be monitored by a wireless access point operating in rogue detector mode.
- Monitor mode—Wireless access points can be set to a receiveonly mode, called monitor mode, and act as sensors for locationbased services (LBS).
- Sniffer mode—Wireless access points operating in sniffer mode can act as a protocol sniffer and capture packets, which are forwarded to a PC running the AiroPeek software.
- Bridge mode—Geographically separated wireless access points can be connected using a high-bandwidth, cost-effective wireless link, by running in bridge mode.
After a wireless client, such as a PC, associates with its access point, the access point only allows the client to communicate with the authentication server until the client successfully logs in and is authenticated, as illustrated. The WLC uses the Extensible Authentication Protocol (EAP) to communicate with the authentication server. Cisco Secure Access Control Server (ACS) could, for example, act as the authentication server.
Supported EAP types include the following:
- EAP-Transport Layer Security (EAP-TLS)—Wireless clients and authentication servers mutually authenticate using digital certificates.
- EAP-Protected EAP (EAP-PEAP)—The authentication server (that is, a RADIUS server) is authenticated over a Transport Layer Security (TLS) tunnel using a digital certificate; wireless clients are authenticated via EAP-GTC or EAP-MSCHAPv2.
- EAP Tunneled Transport Layer Security (EAP-TTLS)—The RADIUS server is authenticated over a TLS tunnel using the server’s certificate, and wireless clients authenticate using username and password credentials.
- Cisco Lightweight Extensible Authentication Protocol (LEAP)—Cisco developed LEAP as an early and proprietary EAP method. However, LEAP’s vulnerability to a dictionary attack represents a major LEAP weakness.
- Cisco EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)—Cisco proposed EAP-FAST to address LEAP’s weaknesses.
Designers should understand the following three WLAN controller components:
- Ports—A port on a WLAN controller physically connects the WLAN controller to the wired network (for example, to a Cisco Catalyst switch port).
- Interfaces—An interface of a WLAN controller logically maps to a VLAN on the wired network.
- WLANs—A wireless LAN can be configured with security features, quality of service (QoS) mechanisms, and other wireless network parameters. Also, a WLAN associates an SSID to a WLC’s interface.
Cisco offers an array of WLCs. Different controllers support a different number of access points.
|WLC Model||Number of Supported Wireless Access Points|
|Cisco 2000 series WLC||6|
|Cisco WLC module for ISRs||6|
|Cisco Catalyst 3750G integrated WLC||Up to 50|
|Cisco 4400 series WLC||Up to 100|
|Cisco Catalyst 6500 series wireless services modules||Up to 300|
Understanding Wireless Network Controller Technologies
Lightweight access points do not require direct configuration and are therefore considered to be zero touch devices. After installing a lightweight access point, the access point goes through the following discovery process to discover a WLC:
- The lightweight access point sends a DHCPDISCOVER request to dynamically obtain an IP address, unless it already had a statically configured IP address.
- The lightweight access point broadcasts an LWAPP discovery message in a Layer 2 LWAPP frame, if the access point supports Layer 2 LWAPP transport mode.
- If step 1 was unsuccessful or if the access point lacks Layer 2 LWAPP transport mode support, the access point attempts Layer 3 LWAPP WLC discovery.
- If all steps were unsuccessful, the process begins again.
Based on the results of the discovery process, the lightweight access point selects which WLC to join. During the join process, the WLC validates the access point, and an encryption key is derived. This key is then used to encrypt and decrypt messages exchanged between the access point and the WLC.
Next, the lightweight access point and WLC perform the following steps:
- The WLC configures the lightweight access point with an SSID, security parameters, QoS settings, and other such parameters.
- Periodically, the WLC checks the status of the access point via query messages.
- Every 30 seconds the access point transmits an LWAPP heartbeat, and if no acknowledgment is received after five attempts, the access point seeks a new WLC to join.
Wireless networks offer users mobility, where the users can physically move throughout a campus. As the users move, their wireless clients update their access point association to the most appropriate access point, based on location.
Low-quality roaming requires that wireless clients obtain a new IP address (via DHCP), and potentially receive new security settings, as the clients move through the WLAN. This type of wireless environment can suffer from noticeable delays during the reassociation period, which makes such a solution inappropriate for voice calls.
High-quality roaming (that is, the mobility feature) does not require wireless clients to obtain a new IP address or update their security settings, thus providing seamless roaming. Mobility requires the seamless roaming experience to be maintained even if the access points, between which a client roams, are associated with different WLCs. The mobility feature also needs to support Layer 2 or Layer 3 roaming.
With Layer 2 roaming, the WLCs with which the access points associate are in the same subnet. However, with Layer 3 roaming, the access points associate with WLCs on different subnets.
When a wireless client associates with a new access point, the new access point’s WLC exchanges mobility messages with the old access point’s WLC. The client entry is not moved from the client database of
the old WLC to the new WLC. Instead, the old WLC marks the client with an anchor entry, and the database entry is copied to the new WLC client database where it is marked as a foreign entry.
Wireless mobility groups allow WLCs in a network to form peering relationships. These peering relationships allow a mobility group to support seamless roaming between WLCs, wireless access point load balancing, and WLC redundancy. Keep the following requirements in mind when designing a mobility group:
- The management interfaces of all WLCs must be able to reach each other via IP.
- All WLCs in a mobility group must be configured with the same mobility group name, which is case sensitive.
- The same virtual IP address must be configured on all WLCs.
- The MAC addresses and IP addresses of all mobility group members must be configured on all WLCs.
- WLCs must be able to communicate with one another using UDP port 16666 for unencrypted messages or using UDP port 16667 for encrypted messages.
When designing a wireless network to support roaming, consider the following recommendations from Cisco:
- Use roaming only when necessary.
- Ensure the route-trip time between WLCs is less than or equal to 10 ms.
- When possible, use Layer 2 roaming rather than Layer 3 roaming.
- Implement Proactive Key Caching (PKC) or Cisco Centralized Key Management (CCKM) to help speed up and secure the roaming process.
Because a WLC could become a single point of failure, when designing WLANs, consider adding WLC redundancy. WLCs support either dynamic or deterministic redundancy. Specifically, an access point selects a WLC using the following sequence:
- Deterministic—An access point can be preconfigured with a primary, secondary, or tertiary WLC. The access point can then attempt to join those controllers in the specified order. Consider the following deterministic redundancy designs:
N + 1—One controller backs up N controllers.
N N—N controllers back up N controllers.
N N + 1—N controllers back up N controllers as secondary, and one controller backs up all N controllers as tertiary.
- Initializing—Typically used only for the initial access point deployment, the WLC can attempt to join the WLC configured as a master controller.
- Dynamic—The access point uses a decision making algorithm to select a WLC based on the greatest availability for access point associations. Dynamic WLC redundancy uses LWAPP to perform load balancing across WLCs and to provide backup WLC information to the access points. This approach is often appropriate for a design where WLCs are clustered together at a central location.
The number of devices supported by an access point varies depending on the application being used. For example, Cisco recommends no more than seven or eight voice over WLAN (VoWLAN) devices be associated with the same access point, because of the likelihood of collisions and the issue of dropped voice packets not being retransmitted. However, as many as 20 data devices (for example, PCs) could be associated with the same access point, because most data applications can retransmit dropped packets and are more tolerant of latency, as
compared to voice.
Be aware that WLAN performance depends on the structure and materials used in a building’s construction, which impacts how radio waves are propagated throughout the building. These building characteristics can impact connection speeds and error rates. Fortunately, Cisco’s Radio Resource Management (RRM) allows Cisco wireless devices to monitor RF conditions and dynamically make adjustments to access point power and channel configurations to help accommodate for issues such as channel interference and signal coverage.
Specifically, a designer can specify an RF group, which defines a cluster of WLCs that coordinate their RRM calculations. RF groups are created via the following process:
- Access points transmit neighbor messages, which include the access points’ WLC IP addresses and hashed message integrity checks (MIC).
- Access points validate each other using the MIC, and an RF group is formed when access points on different WLCs hear validated neighbor messages at a signal strength of –80 dBm or stronger.
- The RF group members or controllers then elect an RF group leader, which is responsible for maintaining a master power and channel scheme for the group.
Cisco access points also support self-healing. With self-healing, a WLC uses RRM to adjust access point power levels, to accommodate for the failure of a neighboring access point.
Designing Wireless Networks with Controllers
When designing a wireless network, one of the first steps in the design process is to conduct an RF site survey. A site survey provides the designer with a better understanding of an environment’s RF characteristics (for example, coverage areas and RF interference). Based on the results of the RF site survey, the designer can strategically position the wireless infrastructure devices.
Conducting an RF site survey involves these procedures:
- Determine the number of customer devices to be supported, the required service level, and peak traffic-level requirements.
- Acquire a structural building diagram, which can be used to identify potential RF obstacles.
- Perform an on-site inspection, looking for structural components (for example, metal racks or elevator shafts) that might impair the wireless signal.
- Specify preliminary locations for access points, keeping in mind that the access points need power and access to the wired network.
- Conduct the actual RF site survey, which maps out RF coverage areas. A tool such as the Cisco WCS can import a floor plan and graphically display RF coverage areas and signal strengths. This type of composite graphic is often referred to as a heat map
- Document the results of the RF site survey. The documentation should include information such as the access point models used, locations of access points, signal strength levels, and bandwidth available at the outer boundaries of the coverage areas.
Many wireless networks also need to support connectivity for guests, without permitting guests full access to network resources. One approach to guest access is to isolate guest traffic on a separate VLAN. However, in large enterprise environments, this approach might not be deemed adequately secure.
Therefore, another option is to use a Layer 2 tunnel to send all guest traffic to a controller dedicated for guest use. This controller is located in a demilitarized zone (DMZ), which uses a firewall to separate the guest network from the organization’s internal network.
Wireless network design might also need to address outdoor wireless connectivity (for example, wirelessly interconnecting buildings).Traditionally, buildings were wirelessly interconnected using point-topoint bridging or point-to-multipoint bridging.
A newer approach is wireless mesh networking, as illustrated. An outdoor mesh uses multiple access points which interconnect, thus providing numerous redundant connections between nodes. These access points can dynamically discover one another and select an optimal path through the mesh
The Cisco unified wireless network, which is the basis of the wireless mesh network, is composed of the following elements:
- Cisco Wireless Control System (WCS)—WCS provides a graphical user interface (GUI) for networkwide policy configuration.
- Cisco Wireless LAN Controller (WLC)—WLCs manage multiple access points, manage wireless network security, and offer Layer 3 mobility features.
- Rooftop access point (RAP)—Typically located on a rooftop, the RAP provides wireless connectivity into a wired network.
- Pole-top mesh access point (MAP)—A MAP is typically located on a pole, such as a lamp post, and serves as an access point for wireless clients.
Although the connection from a MAP a RAP can support eight hops, Cisco recommends four or fewer hops. Also, be aware that a RAP can connect up to 32 MAPs, but Cisco recommends that a RAP connect no more than 20 to 25 MAPs.
When designing a wireless network for an enterprise campus, a designer should determine the following:
- The number of required access points
- The location of the access points
- The power source for the access points
- The number of required WLCs
- The location of the WLCs
Some of these same design considerations (for example, the number of access points needed) are also relevant for branch office wireless networks. However, branch offices might not be able to justify the expense of separate lightweight access point and WLC devices. One approach for branch offices is to use local MAC, which supports full 802.11 functionality in the access point.
Another option is to point the branch access points back to a centralized controller. If a centralized controller is used, the round-trip time (RTT) between an access point and its controller should not be greater than 200 ms. Also, designs using centralized controllers should implement one of the following technologies:
Remote Edge Access Point (REAP)—REAP extends LWAPP control timers, thus offering more compatibility for branch offices.Although control traffic is still encapsulated using LWAPP and sent to the centralized WLC, data is locally bridged. However, IEEE 802.1Q trunking is not supported by REAP, and REAP requires that all WLANs terminate on a single local VLAN or subnet.
Hybrid REAP (H-REAP)—Unlike REAP, H-REAP allows wireless network administrators to configure and control two or three access points, located in a branch office, over the IP WAN.Also, H-REAP access points have the ability to locally switch data traffic and locally authenticate clients if connectivity to the WLC is lost.