CCNP Switch Notes Wireless LANs in a Campus Network
Wireless LANs (WLANs) transmit and receive data as radio (or, rarely, infrared) signals relayed through an access point (AP), and normally operate in unlicensed radio frequency (RF) bands. WLANs are local to a building or a campus and are an extension of the wired network.
Cisco Unified Wireless Network
The Cisco Unified Wireless Network concept has five components that work together to create a complete network, from client devices to network infrastructure, to network applications. Cisco has equipment appropriate to each component. Table 9-1 lists components and equipment.
Table 9-1 Cisco Unified Wireless Network Components
Component | Description and Device |
Client devices | Cisco client and Cisco compatible third-party vendor clients |
Mobility platform | APs and bridges using LWAPP |
Network unification | Leverages existing wired network. Includes WLAN controllers and switch and router modules |
Network management | Visualize and secure the WLAN. WCS for location tracking, RF management, wireless IPS, and WLC management |
Mobility services | Applications such as wireless IP phones, location appliances, and RF firewalls |
Cisco wireless IP phones have the same features as Cisco wired IP phones and can use LEAP for authentication. Note that LEAP's MS-CHAPv2 challenge/response can be captured from the air and subjected to an offline dictionary attack, so LEAP is only as strong as the weakest user password; EAP-FAST or PEAP is the safer choice where the phones support it.
The Cisco Compatible Extensions Program tests other vendors' devices for compatibility with Cisco wireless products. Using products certified by this program ensures full functionality of Cisco enhancements and proprietary extensions.
Characteristics of Wireless LANs
WLANs function similarly to Ethernet LANs, with the access point providing connectivity to the rest of the network much as a switch does. The physical layer is radio waves rather than wires. The IEEE 802.11 standard defines the physical and data link specifications, including the use of MAC addresses. The same upper-layer protocols (such as IP and IPsec) and applications can run over both wired and wireless LANs.
The following lists some characteristics of wireless LANs and the data transmitted over wireless networks.
- WLANs use Carrier Sense Multi-Access/Collision Avoidance (CSMA/CA).
- Wireless data is half-duplex. CSMA/CA uses Request to Send (RTS) and Clear to Send (CTS) messages to avoid collisions.
- Radio waves have unique potential issues. They are susceptible to interference, multipath distortion, and noise. Their coverage area can be blocked by building features, such as elevators. The signal often reaches outside the building, so anyone in range can receive it; the privacy of wireless traffic therefore depends on encryption and authentication, not on physical boundaries.
- WLAN hosts have no physical network connection. They are often mobile and often battery-powered. The wireless network design must accommodate this.
- WLANs must adhere to each country's RF standards.
Service Set Identifiers (SSID)
An SSID maps to a VLAN and can be used to segment users into groups requiring different security or QoS treatment. SSIDs can be broadcast by the access point or statically configured on the client, but the client must use the same SSID as the AP to associate with it. SSID names are case sensitive. Suppressing the SSID from beacons is not a security control: the SSID still travels in cleartext in probe requests, probe responses, and association requests, so anyone sniffing the channel learns it. When multiple SSIDs/VLANs are used on an AP, the wired connection back to the network must be a trunk to carry all the VLANs.
WLAN Topologies
The use of wireless products falls into three categories:
- Client access, which allows mobile users to access the wired LAN resources
- Wireless connections between buildings
- Wireless mesh
Wireless connections can be made in ad-hoc mode or infrastructure mode. Ad-hoc mode (or Independent Basic Service Set [IBSS]) is simply a group of computers talking wirelessly to each other with no access point (AP). It is limited in range and functionality. Infrastructure mode's Basic Service Set (BSS) uses one AP to connect clients. The range of the AP's signal, called its microcell, must encompass all clients. The Extended Service Set (ESS) uses multiple APs with overlapping microcells to cover all clients. Microcells should overlap by 10–15 percent for data and 15–20 percent for voice traffic. Adjacent APs should use different, non-overlapping channels. "Pico" cells, with even smaller coverage areas, can also be used.
Workgroup bridges connect to devices without a wireless network interface card (NIC) to allow their access to the wireless network.
Wireless mesh networks can span large distances because only the edge APs connect to the wired network. The intermediate APs connect wirelessly to multiple other APs and act as repeaters for them. Each AP has multiple paths through the wireless network. The Adaptive Wireless Path (AWP) protocol runs between APs to determine the best path to the wired network. APs choose backup paths if the best path fails.
Client Connectivity
Clients associate with an access point as follows. Access points send out beacons at regular intervals announcing information such as the SSID and supported rates; the SSID can be omitted from the beacon if the AP is configured not to advertise it, but the beacon itself is still sent.
Step 1. The client sends a probe request (active scan) and listens for beacons and probe responses.
Step 2. The AP sends a probe response.
Step 3. The client performs 802.11 authentication with the AP (open-system authentication in most deployments) and then sends an association request carrying the SSID, its MAC address, and its supported security parameters.
Step 4. The AP accepts the association with an association response. If the WLAN uses 802.1X/EAP, that exchange happens now, after association; until it completes, the AP forwards only EAPOL frames for that client.
Step 5. The AP adds the client's MAC address to its association table.
Clients can roam between APs, but the APs must be configured with the same SSIDs/VLANs and security settings. Layer 2 roaming is done between APs on the same subnet; the APs coordinate the move using the Inter-Access Point Protocol (IAPP), a multicast-based protocol, and the switch connected to the new AP simply learns the client's MAC address on the new port. Layer 3 roaming is done between APs on different subnets and is managed by the wireless LAN controllers.
Short roaming times are needed for VoIP to reduce delay. A client will attempt to roam (or associate with another AP) when
- It misses too many beacons from the AP.
- The data rate is reduced.
- The maximum data retry count is exceeded.
- It is configured to search for another AP at regular intervals.
Cisco Wireless Network Components
Cisco supports two types of wireless solutions: one using autonomous access points, and one using lightweight (or “dumb”) access points in combination with WLAN controllers. The wired network infrastructure is the same for both types: switches and routers.
Access points can receive their power from Power over Ethernet (PoE) switches, routers with PoE switch modules, or midspan power injectors, thus alleviating the need for electrical outlets near them. APs require up to 15 W of power, so plan your power budget accordingly.
Autonomous (Stand-alone) APs
Autonomous APs run Cisco IOS, are programmed individually, and act independently. They can be centrally managed with the CiscoWorks Wireless LAN Solution Engine (WLSE), can use Cisco Secure Access Control Server (ACS) for RADIUS and TACACS+ authentication, and can use Wireless Domain Services (WDS) for RF management. Redundancy consists of multiple APs.
Network Design for Autonomous APs
When using stand-alone APs, the traffic flow is from client to AP to connected switch, and from there into the rest of the network. Plan the SSIDs and VLANs that will be on each AP, keeping in mind any roaming that users might do. Autonomous APs support Layer 2 roaming only, so the SSIDs and VLANs must be statically configured on every AP to which a user might roam. Make sure to include a management VLAN on the AP.
Ensure that the AP has a power source, either a PoE switch or a power injector. Configure the switch interface connected to the AP as a trunk if the AP has multiple VLANs.
Lightweight Access Points
Lightweight APs divide the 802.11 processing between the AP and a Cisco Wireless LAN Controller (WLC). This is sometimes called “split MAC,” because they split the functions of the MAC layer, Layer 2. Their management components also include the Wireless Control System (WCS) and a location-tracking appliance. Redundancy consists of multiple WLCs. The AP handles real-time processes, and the WLC handles processes such as:
- Authentication
- Client association/mobility management
- Security management
- QoS policies
- VLAN tagging
- Forwarding of user traffic
The Lightweight Access Point Protocol (LWAPP) supports the split-MAC function in traffic between a lightweight AP and its controller. LWAPP uses AES-encrypted control messages (UDP port 12223) and encapsulates, but does not encrypt, data traffic (UDP port 12222); the tunnel itself adds no confidentiality for client data on the wired path between AP and controller.
Controllers and APs can also use the IETF-standard Control and Provisioning of Wireless Access Points (CAPWAP) protocol (RFC 5415), which operates very much like LWAPP. CAPWAP protects its control channel with DTLS (UDP port 5246) and can optionally apply DTLS to its data channel as well (UDP port 5247). Any firewall between APs and controllers must permit the relevant ports.
Both LWAPP and CAPWAP operate over UDP. The controller does not have to be in the same broadcast domain and IP subnet, just IP reachable. A lightweight AP follows this process to discover and join its controller:
Step 1. The AP requests a DHCP address. The DHCP response can carry the management IP addresses of one or more WLCs in vendor-specific option 43. The AP can also learn controllers by resolving CISCO-LWAPP-CONTROLLER or CISCO-CAPWAP-CONTROLLER in its local DNS domain, from a local subnet broadcast, or from controllers it joined previously.
Step 2. The AP sends an LWAPP or CAPWAP Discovery Request message to each WLC it has learned of.
Step 3. Each WLC responds with an LWAPP or CAPWAP Discovery Response that includes the number of APs currently associated to it.
Step 4. The AP sends a Join Request to the WLC with the fewest APs associated to it, unless a primary, secondary, or tertiary controller has been configured on the AP, in which case that preference takes precedence.
Step 5. The WLC responds with a Join Response message; the AP and the controller mutually authenticate each other using their X.509 certificates and derive the encryption keys used for later control messages. The WLC then configures the AP with settings such as SSIDs, channels, security settings, and 802.11 parameters.
Because discovery trusts whatever DHCP and DNS answer, protect those services on the AP VLAN (for example with DHCP snooping on the access switch); the certificate exchange at join is what stops an AP from being captured by a controller it cannot authenticate.
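The following IOS DHCP pool is an added example, not part of the original notes, showing how Step 1 is provisioned on a Catalyst switch (or router) acting as the DHCP server for the AP VLAN. The subnet, gateway, DNS server, and the two controller management addresses (10.10.20.5 and 10.10.20.6) are assumptions chosen for illustration.

```cisco
! Added example: DHCP pool for the AP VLAN that hands lightweight APs the
! WLC management addresses in option 43. All addresses are assumptions.
!
! Keep the gateway and any statically addressed hosts out of the pool.
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool AP-VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.1.53
 ! Option 43 in the Cisco AP format: sub-option type 0xf1, length = 4 bytes
 ! per controller, then each controller management IPv4 address as 4 bytes.
 ! Two controllers (10.10.20.5 = 0a0a1405, 10.10.20.6 = 0a0a1406) -> length 0x08.
 option 43 hex f108.0a0a.1405.0a0a.1406
```

For a single controller the length byte becomes 0x04 (for example `f104.0a0a.1405`). If the hex string is malformed the AP silently ignores the option and falls back to the other discovery methods, so verify with `show ip dhcp pool` and, on the AP, the debug output of its discovery phase.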
Network Design for Lightweight APs
When using lightweight APs the traffic flow is from the AP, through the network, to the controller, and from there out to the rest of the network. User traffic is tunneled between the AP and the controller. Make sure that the AP and controller have Layer 3 connectivity.
The controller placement can be distributed, with a controller in each building or at each site, if no roaming between buildings is needed. A centralized design, with redundant controllers placed together, such as in a data center, simplifies management and increases user mobility.
SSIDs and VLANs must be planned, just as with an autonomous AP, but the configuration is done on the controller. Each WLAN (SSID) is mapped to a controller interface and thus to a VLAN; a client is placed into that VLAN, or into a VLAN returned by the authentication server if the controller is configured to honor it. The management VLAN is mapped to the controller. Controllers support both Layer 2 and Layer 3 roaming.
The link between a lightweight AP and the switch is an access port, assigned to a VLAN. The link between the controller and its connected switch is a trunk link. Controllers with several switch links can create an Etherchannel to the switch to increase bandwidth. Link aggregation is recommended for the 4400 series and is required on the WiSM and the 3750G integrated controllers.
Ensure that the AP has a power source, either a PoE switch or a power injector.
Wireless LAN Controllers
Cisco WLAN controllers can be either an appliance, a module, or integrated into a 3750G switch. In the appliance line, the 5500 series is meant for large deployments and, as of this writing, supports up to 250 APs. The 4400 series is for medium-sized deployments and supports from 12 APs to 100 APs. The 2100 series is for small deployments and supports from 6 APs to 25 APs.
The WLAN controller integrated into a Cisco 3750G switch can support up to 25 APs per switch, or 100 per switch stack. The Wireless Services Module (WiSM) can be installed into Cisco 6500 and 7600 series switches for large deployments that need support for up to 300 APs. Cisco ISR routers have a WLAN controller module that can support up to 25 APs for small deployments.
Hybrid Remote Edge Access Point (H-REAP)
Wireless controllers need not be in the same physical location as their associated APs. However, having an AP and its controller separated by a WAN link can lead to some inefficiencies and problems. Two clients in the remote location that need to connect would have their traffic tunneled over the WAN to the controller and back again. Additionally, the AP would lose functionality if the WAN were down.
H-REAP addresses these problems:
- Connected mode: When the controller is reachable, the AP forwards client authentication to the controller. For WLANs marked for local switching (usually local traffic), however, it bridges client traffic to its local switch rather than tunneling it back to the controller; the AP-to-switch link must be a trunk if the AP handles multiple VLANs. Traffic in centrally switched WLANs is still tunneled over the WAN to the controller.
- Disconnected (standalone) mode: When the controller is not reachable, the AP keeps bridging locally switched WLANs to its connected switch and can authenticate clients itself, but only for WLANs whose authentication does not depend on the controller (for example a pre-shared key, or 802.1X against a RADIUS server that is reachable locally and configured for the H-REAP). Remote locations will of course not be reachable while the WAN is down.
H-REAP is configured at the controller for each AP that is to operate in this mode.
Integrating Wireless into the LAN
This section covers configuring your switches for wireless APs and controllers, and planning your installation.
Switch Configuration
When the switch port connects to a stand-alone AP, configure it as an access port if the AP has only one VLAN and as a trunk port if it has multiple VLANs. If the link is a trunk, trust CoS, set the trunk native VLAN to the AP's management VLAN, and allow only the VLANs the AP actually uses. Prioritize voice if you use wireless phones.
When the switch port connects to a controller-based AP, the port should be an access port. The port should be placed into the management VLAN because it is used for traffic between the AP and the controller. Trust DSCP on the port. If using wireless IPT, also set up QoS to prioritize voice.
The switch port connecting to a WLAN controller should be configured as a trunk link. Limit the trunk to wireless and management VLANs. Trust CoS and prioritize voice if you use wireless IP phones.
Links to a 4400 series controller might be aggregated into a Layer 2 Etherchannel. The 4400 cannot negotiate aggregation, so it is important to set the channel-group mode to “On”. Otherwise, the configuration is the same as with any other Etherchannel. Configure the channel as a trunk, allow only the management and wireless VLANs, and trust CoS.
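The following Catalyst 3750 configuration is an added example, not from the original notes, that puts the switch-side rules above (and the trunk-to-multi-SSID-AP requirement from the SSID and autonomous-AP sections) into working CLI: a trunk to an autonomous AP carrying several SSIDs/VLANs, an access port to a lightweight AP, and a mode-on Layer 2 EtherChannel to a 4400-series controller. Interface numbers, VLAN 10 as the management VLAN, and VLANs 20 and 30 as the wireless user VLANs are assumptions chosen for illustration.

```cisco
! Added example: Catalyst 3750 switch-side configuration for the three kinds
! of wireless attachment. Interface and VLAN numbers are assumptions.
!
! CoS/DSCP trust on 3750 only takes effect once QoS is enabled globally.
mls qos
!
! 1) Autonomous AP carrying several SSIDs/VLANs: 802.1Q trunk, native VLAN =
!    the AP's management VLAN, trunk limited to the VLANs the AP actually uses.
!    nonegotiate disables DTP so the AP port cannot be talked into a different
!    trunking state by a device plugged in where the AP used to be.
interface GigabitEthernet1/0/1
 description Autonomous AP (multi-SSID)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 priority-queue out
 spanning-tree portfast trunk
!
! 2) Lightweight AP: plain access port in the AP/management VLAN. The AP
!    tunnels all client traffic to the controller, so no trunk is needed.
!    Trust DSCP, because the tunneled packets carry the controller's markings.
interface GigabitEthernet1/0/2
 description Lightweight AP (LWAPP/CAPWAP to WLC)
 switchport mode access
 switchport access vlan 10
 mls qos trust dscp
 priority-queue out
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3) 4400-series WLC: two links bundled as a Layer 2 EtherChannel. The WLC
!    speaks neither PAgP nor LACP, so channel-group mode must be "on".
!    On the 3750, trunk and QoS trust settings live on the member ports;
!    they must be identical on every member or the port is suspended.
interface range GigabitEthernet1/0/23 - 24
 description WLC-4402 distribution system ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 channel-group 1 mode on
!
interface Port-channel1
 description WLC-4402 LAG
```

The controller side has to match: LAG must be enabled on the 4400 (`config lag enable` on the WLC CLI, followed by a reboot) or the second link will be blocked by spanning tree rather than bundled. Check the result with `show etherchannel summary` (flags `SU` on Po1) and `show interfaces trunk`, and confirm that only VLANs 10, 20 and 30 appear as allowed and active on the AP and WLC trunks.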
The WiSM requires a separate VLAN for its management. This VLAN should be assigned only to the module’s service port and should not be used outside of the switch. Assign the VLAN to the service port with the global command wism service-vlan vlan. Assign an IP address to the VLAN interface; this IP address is used to communicate with the WiSM. The WiSM contains eight logical ports that connect to the switch fabric in two Etherchannel bundles. It also contains two separate controllers. Bundle configuration is done at each controller, using the wism module slot# controller controller# set of global commands.
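The following Catalyst 6500 configuration is an added example, not from the original notes, of the WiSM setup described above for a module in slot 3. The service VLAN number (900), its subnet, and the VLANs carried to the two controllers are assumptions chosen for illustration.

```cisco
! Added example: Catalyst 6500 configuration for a WiSM in slot 3.
! VLAN numbers, addresses, and the slot number are assumptions.
!
! Dedicated service VLAN for WiSM management. It stays inside the chassis:
! never add it to any trunk's allowed list, and do not reuse the number elsewhere.
vlan 900
 name WiSM-service
!
! The SVI address is what the switch uses to talk to the module.
interface Vlan900
 description WiSM service-port gateway (chassis-internal only)
 ip address 192.168.200.1 255.255.255.0
!
! The WiSM service ports request their addresses by DHCP, so serve them here.
ip dhcp pool wism-service-port
 network 192.168.200.0 255.255.255.0
 default-router 192.168.200.1
!
wism service-vlan 900
!
! The module's eight logical ports form two EtherChannel bundles, four per
! controller. Bundle settings are configured per controller, not per port:
! allowed VLANs (management + wireless only), native VLAN, and CoS trust.
wism module 3 controller 1 allowed-vlan 10,20,30
wism module 3 controller 1 native-vlan 10
wism module 3 controller 1 qos trust cos
!
wism module 3 controller 2 allowed-vlan 10,20,30
wism module 3 controller 2 native-vlan 10
wism module 3 controller 2 qos trust cos
```

Verify with `show wism status` that both controllers report Oper-Up and have obtained service-port addresses from the pool, and with `show interfaces trunk` that VLAN 900 is absent from every external trunk.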
Planning for a Wireless Implementation
In planning a wireless implementation, first gather requirements. Some questions to ask include the following:
- How many APs and where will they be installed?
- Stand-alone or controller-based?
- If controller-based, where will the controllers be located?
- Is PoE available?
- What VLANs and SSIDs will be used?
- What are the bandwidth requirements?
- What are the QoS requirements?
- Do you need security such as ACLs or a RADIUS server?
- Do you need UPS for controllers?
When the requirements are gathered, create an implementation plan with details such as:
- Total needs, from the requirements that were previously gathered
- Any changes needed to the network design
- Any additional equipment needed
- Implementation steps
- Testing plan
The test plan might include checking that the AP and its clients get a DHCP address, that the AP is reachable from a management station, that clients can reach the network and Internet, and that the controller can reach the RADIUS server if one is used. To troubleshoot problems with wireless connectivity, review the steps for an AP to register with a WLC and for a client to associate with an AP.