CCNP Switch - Wireless LANs

Links:
 - Lightweight Access Point Protocol (LWAPP) http://www.rhyshaden.com/lwapp.htm

Wireless LAN Basics
 - Wireless networks allow the access layer to be extended to end users without wires.
 - There are some major differences at the physical layer.
 - Traditional wired Ethernet networks are defined by the IEEE 802.3 standards (link status, link speed, and duplex mode must all operate as the standards describe).
 - Wireless LANs are defined by the IEEE 802.11 standards.
 - IEEE 802.11 WLANs are always half duplex because transmitting and receiving stations use the same frequency.
 - 802.11 standards do not permit full-duplex operation.

Avoiding Collisions in a WLAN
When two or more wireless stations transmit at the same time, their signals become mixed. Receiving stations can see the result only as garbled data, noise, or errors.
 - No clear-cut way exists to determine whether a collision has occurred.
 - As a basic feedback mechanism, whenever a wireless station transmits a frame, the receiving wireless station must send an ACK back to confirm that the frame was received error-free.
 - Acknowledgment frames serve as a rudimentary collision detection tool; however, they do nothing to prevent collisions from occurring in the first place.
 - The IEEE 802.11 standards use the CSMA/CA method. Notice that wired 802.3 networks detect collisions, whereas 802.11 networks try to avoid collisions.
 - Collision avoidance works by requiring all stations to listen before they transmit a frame.
When a station has a frame that needs to be sent, one of the two following conditions occurs:
■ No other device is transmitting—The station can transmit its frame immediately. The intended receiving station must send an ACK to confirm that the original frame arrived intact and collision-free.
■ Another device is already transmitting a frame—The station must wait until the frame in progress has completed; then it must wait a random amount of time before transmitting its own frame.

This process of frame transmission is called the distributed coordination function (DCF).
 - The 802.11 standards require all stations to wait a short amount of time, called the DCF interframe space (DIFS), before transmitting anything at all.
 - The frame's duration value contains the number of time slots (typically expressed in microseconds) needed to send a frame of that size.
 - In addition to the duration timer, every wireless station must also implement a random backoff timer.
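As an added illustration (not part of the original notes), the following Python model walks through the DCF rules just described: every station waits DIFS, counts down a random backoff, the first to reach zero transmits, and a missing ACK is the only sign that two stations collided. The slot, SIFS and contention-window values are 802.11a/g numbers assumed for the example.

```python
import random

# 802.11a/g timing values in microseconds (assumed for this example, not on the page)
SLOT_US = 9
SIFS_US = 16
DIFS_US = SIFS_US + 2 * SLOT_US   # 34 us: the DCF interframe space every station waits
CW_MIN, CW_MAX = 15, 1023         # contention-window bounds for the random backoff


def contend(backoffs):
    """One DCF contention round.

    backoffs maps station name -> random backoff in slots. Each station has
    already listened, found the medium idle for DIFS, and now counts its backoff
    down one slot at a time. Whoever reaches zero first transmits; if two or
    more reach zero in the same slot their frames overlap, the receiver sees
    garbage, and no ACK comes back (the only way a sender learns of a collision).
    Returns (stations that transmitted, microseconds after the medium went idle
    at which they started).
    """
    first = min(backoffs.values())
    senders = sorted(s for s, b in backoffs.items() if b == first)
    return senders, DIFS_US + first * SLOT_US


def deliver_one_frame(stations, seed=0, cw=CW_MIN):
    """Repeat contention rounds until exactly one station transmits and is ACKed.

    After a collision the contention window doubles (binary exponential backoff,
    capped at CW_MAX), so repeated collisions become increasingly unlikely.
    Simplification: every station redraws its backoff each round, whereas real
    DCF lets non-colliding stations resume a frozen countdown.
    Returns (winning station, number of collisions seen, final contention window).
    """
    rng = random.Random(seed)   # seeded so a run is reproducible
    collisions = 0
    while True:
        backoffs = {s: rng.randint(0, cw) for s in stations}
        senders, _ = contend(backoffs)
        if len(senders) == 1:
            return senders[0], collisions, cw
        collisions += 1
        cw = min(2 * cw + 1, CW_MAX)


if __name__ == "__main__":
    print(contend({"A": 3, "B": 7}))   # A transmits 34 + 3*9 = 61 us after the medium goes idle
    print(contend({"A": 3, "B": 3}))   # same slot: both transmit, collision, no ACK
    print(deliver_one_frame(["A", "B", "C"], seed=7))
```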

WLAN Building Blocks
 - Regardless of the association status, any PC is capable of listening to or receiving the frames that are sent over a wireless medium.
 - In IEEE 802.11 terminology, any group of wireless devices is known as a service set.
 - The devices must share a common service set identifier (SSID), which is a text string included in every frame sent.
 - If the SSIDs match across the sender and receiver, the two devices can communicate.

 - Ad hoc wireless network or independent basic service set (IBSS) - allows two or more wireless clients to communicate directly with each other, with no other means of network connectivity.
 - A basic service set (BSS) centralizes access and control over a group of wireless devices by placing an access point (AP) as the hub of the service set.
 - The AP can require any of the following before allowing a client to join: matching SSID / A compatible wireless data rate / Authentication credentials.
 - Membership with the AP is called an association.
 - Extended Service Set (ESS) - if APs are placed at different geographic locations, they can all be interconnected by a switched infrastructure.
 - The 802.11 standards also define a method to allow the client to roam or to be passed from one AP to another as its location changes.

Access Point Operation
 - An AP’s primary function is to bridge wireless data from the air to a normal wired network.
 - An AP can also act as a bridge to form a single wireless link from one LAN to another over a long distance.
 - The AP is in charge of mapping each SSID to a VLAN (the AP must be connected to the switch by a trunk link that carries those VLANs).

Wireless LAN Cells
 - An AP’s coverage area is called a cell.
 - Moving from one AP to another is called roaming.
 - The signal range is roughly defined by the AP’s antenna pattern.
 - Roaming can make the AP’s coverage turn out to be much different from what you expect.
 - The best approach to designing an AP’s location and range or coverage area is to perform a site survey.
 - When AP cells overlap, adjacent APs cannot use identical frequencies. If two neighboring APs did use the same frequency, they would only interfere with each other. Instead, AP frequencies must be alternated or staggered across the whole coverage area.
 - If the client maintains its same IP address as it roams between APs, it undergoes Layer 2 roaming.
 - If the client roams between APs located in different IP subnets, it undergoes Layer 3 roaming.
 - When cell sizes are reduced, they are often called microcells.
 - This concept can be further extended for extremely controlled environments like stock exchanges. In those cases, the AP power and cell size are minimized, and the cells are called picocells.

WLAN Architecture
 - In a traditional WLAN, each AP is standalone or autonomous within the larger network. Cisco calls this an autonomous mode AP to distinguish it from other architectures.
 - Because each AP is autonomous, managing security over the wireless network can be difficult.
 - Cisco has collected a complete set of functions that are integral to wireless LANs and called them the Cisco Unified Wireless Network.
 - This architecture offers: WLAN security / WLAN deployment / WLAN management / WLAN control.
 - In the Cisco Unified Wireless Network, a lightweight access point (LAP) performs only the real-time 802.11 operations.
 - The management functions are all performed on a wireless LAN controller (WLC).
 - LAP and WLC can be located on the same VLAN or IP subnet, but they don’t have to be.

LAP and WLC with LWAPP or CAPWAP
The LAP and WLC pair uses either the Lightweight Access Point Protocol (LWAPP, developed by Cisco) or the Control and Provisioning of Wireless Access Points protocol (CAPWAP, defined in RFC 4118) as the tunneling mechanism.
These protocols consist of two tunnels:
 - Control messages—Exchanges that are used to configure the LAP and manage its operation. The control messages are authenticated and encrypted so that the LAP is securely controlled by only the WLC.
 - Data—Packets to and from wireless clients associated with the LAP. The data is encapsulated within the LWAPP or CAPWAP protocol but is not encrypted or otherwise secured between the LAP and WLC.
 - LWAPP uses UDP destination ports 12222 and 12223 on the WLC end.
 - CAPWAP uses UDP ports 5246 and 5247.
 - Every LAP and WLC must also authenticate each other with digital certificates. An X.509 certificate is preinstalled in each device when it is purchased.

WLC Functions
■ Dynamic channel assignment—The WLC chooses and configures the RF channel used by each LAP based on other active access points in the area.
■ Transmit power optimization—The WLC sets the transmit power of each LAP based on the coverage area needed. Transmit power is also automatically adjusted periodically.
■ Self-healing wireless coverage—If an LAP radio dies, the coverage hole is “healed” by turning up the transmit power of surrounding LAPs automatically.
■ Flexible client roaming—Clients can roam at either Layer 2 or Layer 3 with very fast roaming times.
■ Dynamic client load balancing—If two or more LAPs are positioned to cover the same geographic area, the WLC can associate clients with the least used LAP. This distributes the client load across the LAPs.
■ RF monitoring—The WLC manages each LAP so that it scans channels to monitor the RF usage. By listening to a channel, the WLC can remotely gather information about RF interference, noise, signals from surrounding LAPs, and signals from rogue APs or ad-hoc clients.
■ Security management—The WLC can require wireless clients to obtain an IP address from a trusted DHCP server before allowing them to associate and access the WLAN.

Model                          Attribute
2100                           Handles up to 6, 12, or 25 LAPs
4402                           Handles up to 12, 25, or 50 LAPs
4404                           Handles up to 100 LAPs
5500                           Handles up to 12, 25, 50, 100, or 250 LAPs
WiSM                           Catalyst 6500 module with two WLCs; handles up to 300 LAPs (150 per controller); up to 5 WiSMs in a single chassis
WLC module for ISR routers     Handles up to 6, 8, 12, or 25 LAPs
Catalyst 3750G integrated WLC  Handles up to 50 LAPs per switch, up to 200 LAPs per switch stack

 - Managing several WLCs can require a significant effort, due to the number of LAPs and clients to be managed and monitored.
 - The Cisco Wireless Control System (WCS) is an optional server platform that can be used as a single GUI front-end to all the WLCs in a network.
 - The WCS uses building floor plans to display dynamic representations of wireless coverage.
 - The WCS can be teamed with the Cisco Wireless Location Appliance to track the location of thousands of wireless clients.

Lightweight AP Operation
 - The LAP is designed for “zero-touch” configuration.
 - The LAP must find a WLC and obtain all of its configuration parameters, so you never have to actually configure it through its console port or over the network.
 - An LAP is always joined or bound to exactly one WLC at any time.
 - When an LAP is cut off from its WLC, client associations are normally dropped and no data can pass over the WLAN between clients.
 - The LAP is said to use a split-MAC architecture (the AP and the wireless controller split the 802.11 MAC responsibilities between them).

LAP Operations:
 - The LAP obtains an IP address from a DHCP server. The DHCP server can add option 43 to its reply, containing a list of WLC addresses.
 - The LAP learns the IP addresses of any available WLCs.
 - The LAP sends a join request to the first WLC in its list of addresses. When a WLC accepts the LAP, it sends a join reply back to the LAP.
 - The WLC compares the LAP’s code image release to the code release stored locally. If they differ, the LAP downloads the code image stored on the WLC and reboots itself.
 - The WLC and LAP build a secure LWAPP or CAPWAP tunnel for management traffic and an LWAPP or CAPWAP tunnel (not secured) for wireless client data.
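The option 43 step above is worth seeing in bytes. The Python below is an added example, not from the original notes or from Cisco: it builds and parses the Cisco layout of DHCP option 43 (a single TLV with sub-option 0xf1 and a packed list of IPv4 controller addresses), keeps the list order because the LAP joins the first address, and refuses truncated or misaligned TLVs instead of handing back a partial controller list. The controller addresses are constructed sample values.

```python
import ipaddress
import struct

WLC_SUBOPTION = 241   # 0xf1: Cisco's vendor-specific sub-option carrying WLC addresses


def encode_wlc_option43(controllers):
    """Build the raw DHCP option 43 value that hands a LAP its list of WLC addresses.

    Cisco's layout is one TLV: type 0xf1, length = 4 * number of controllers,
    value = the controllers' IPv4 management addresses packed back to back.
    """
    addrs = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not addrs or len(addrs) > 255:
        raise ValueError("need 1..63 controller addresses")
    return struct.pack("!BB", WLC_SUBOPTION, len(addrs)) + addrs


def decode_wlc_option43(raw):
    """Walk the TLVs inside option 43 and return the WLC addresses in list order.

    Other sub-options are skipped; a truncated TLV or a length that is not a
    multiple of 4 is rejected rather than silently yielding a partial list.
    """
    controllers = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header at offset %d" % i)
        t, n = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + n]
        if len(value) != n:
            raise ValueError("sub-option %d claims %d bytes, only %d present" % (t, n, len(value)))
        if t == WLC_SUBOPTION:
            if n % 4:
                raise ValueError("WLC sub-option length %d is not a multiple of 4" % n)
            controllers += [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, n, 4)]
        i += 2 + n
    return controllers


def ios_option43_hex(controllers):
    """Render the value as the hex string an IOS DHCP pool takes after `option 43 hex`."""
    return encode_wlc_option43(controllers).hex()


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.20"]   # constructed sample controller addresses
    print(ios_option43_hex(wlcs))                # f108c0a80a05c0a80a14
    print(decode_wlc_option43(bytes.fromhex("f108c0a80a05c0a80a14")))
```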

Traffic Patterns in a Cisco Unified Wireless Network
Because the LAPs connect to the wired network through logical LWAPP or CAPWAP tunnels, the traffic patterns into and out of the WLAN are different from those of traditional WLANs.
 - Even though all traffic into and out of the WLAN must pass through the LWAPP or CAPWAP tunnel and the WLC, not all traffic operations are applied end-to-end across the tunnel.
Traffic Patterns Through an LAP
 - Traffic passing from one wireless client to another must take the path through the LAP and its WLC.

Roaming in a Cisco Unified Wireless Network
 - With autonomous APs, a client roams by moving its association from one AP to another.
 - The client must negotiate the move with each AP independently, and the APs must also make sure any buffered data from the client is passed along to follow the association.
 - Autonomous roaming occurs only at Layer 2; some other means must be added to support Layer 3 roaming.
 - With LAPs, a client still roams by moving its association.
 - Through the WLCs, LAPs can support both Layer 2 and Layer 3 roaming.

Intracontroller Roaming
 - Two cells provided by AP1 and AP2 both use the same SSID, which enables the client to roam between them.
 - Both AP1 and AP2 are joined to a single controller.
 - An intracontroller roam is one where the client’s association stays within the same controller.

Intercontroller Roaming
 - In some cases, a client might roam from one controller to another.
 - A large wireless network might consist of too many LAPs to be supported by a single WLC.
 - LAPs could also be distributed over several controllers for load balancing or redundancy purposes.
 - As long as the two controllers (WLC1 and WLC2) are located in the same IP subnet, they can easily hand off the client’s association.
 - This is done through a mobility message exchange where information about the client is transferred from one WLC to the other.
 - When the two WLCs are in different IP subnets, they bring up an Ether-IP tunnel between them for the specific purpose of carrying some of the client’s traffic. The Ether-IP tunnel is simply a way for the controllers to encapsulate MAC-layer data inside an IP packet, using IP protocol 97.
 - Ether-IP tunnels are defined in RFC 3378.
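To make the Ether-IP encapsulation concrete, here is an added Python example (not from the original notes and not controller code): it wraps an Ethernet frame in the 2-byte RFC 3378 header (version 3 in the top nibble, 12 reserved zero bits) as one WLC would before sending it as IP protocol 97, and on the receiving side validates the protocol number, version and reserved bits before exposing the inner frame's MAC addresses and EtherType. The client and gateway MAC addresses are constructed sample values.

```python
import struct

ETHERIP_PROTO = 97        # IP protocol number assigned to Ether-IP
ETHERIP_VERSION = 3       # RFC 3378 header: 4-bit version, then 12 reserved bits (zero)


def etherip_encap(eth_frame):
    """Wrap a complete Ethernet frame in the 2-byte Ether-IP header.

    The result is the payload of an IP packet with protocol 97 sent from one
    WLC to the other; the outer IP header is added by the controller's stack.
    """
    if len(eth_frame) < 14:
        raise ValueError("Ethernet frame needs at least a 14-byte header")
    return struct.pack("!H", ETHERIP_VERSION << 12) + eth_frame


def etherip_decap(ip_protocol, payload):
    """Validate an IP payload as Ether-IP and return the inner frame's fields.

    Rejects anything not carried as protocol 97, a wrong version nibble, or
    non-zero reserved bits, so a malformed tunnel packet is never forwarded
    onto the client's VLAN. Returns (dst_mac, src_mac, ethertype, inner payload).
    """
    if ip_protocol != ETHERIP_PROTO:
        raise ValueError("not Ether-IP: IP protocol %d" % ip_protocol)
    if len(payload) < 2 + 14:
        raise ValueError("too short for Ether-IP header plus Ethernet header")
    (hdr,) = struct.unpack("!H", payload[:2])
    if hdr >> 12 != ETHERIP_VERSION:
        raise ValueError("Ether-IP version %d, expected 3" % (hdr >> 12))
    if hdr & 0x0FFF:
        raise ValueError("reserved bits set: 0x%03x" % (hdr & 0x0FFF))
    frame = payload[2:]
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    mac = lambda b: ":".join("%02x" % x for x in b)
    return mac(dst), mac(src), ethertype, frame[14:]


if __name__ == "__main__":
    # constructed sample: client 00:11:22:33:44:55 sending an IPv4 packet to its gateway
    frame = bytes.fromhex("aabbccddeeff" "001122334455" "0800") + b"\x45\x00payload"
    tunnelled = etherip_encap(frame)
    print(tunnelled[:2].hex())                     # 3000
    print(etherip_decap(ETHERIP_PROTO, tunnelled)[:3])
```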

Mobility Groups
 - For intercontroller roaming, a client must be able to roam from one LAP to another, where the LAPs are managed by different controllers.
 - The controllers must be able to hand off a client’s association information to each other during a roam.
 - To do this, the WLCs are configured into logical mobility groups.
 - A client can roam to any LAP (and its associated WLC) as long as it stays within a mobility group.
 - A mobility group can have up to 24 WLCs of any type or platform.
 - Sometimes a wireless client might move across a mobility group boundary, where two adjacent LAPs are in two different mobility groups. In this case, the client can transfer its association into the new mobility group, but its IP address and all of its session information maintained in the WLCs will be dropped.

Configuring Switch Ports for WLAN Use
Configuring Support for Autonomous APs
 - Each SSID that is supported by the AP is mapped to a VLAN; when multiple SSIDs are offered, multiple VLANs must reach the AP.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport mode trunk
Switch(config-if)# spanning-tree portfast trunk   <--shorten the time required for STP to bring the trunk link up into the forwarding state
The link between the switch and the access point should be configured as a trunk link, with the encapsulation on the switch port set to dot1q (on platforms that also support ISL, the encapsulation must be set before the port can be forced into trunk mode):
Switch(config)#interface ethernet 0/1
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)# mls qos trust dscp    <- optional
You can read more about how to configure the switch connected with an AP here:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.

Configuring Support for LAPs
 - The appropriate location for a LAP is an access-layer switch port.
 - The LAP requires an access mode port—not a trunking port.
 - The only VLAN needed at the LAP is one where the LAP can get an IP address and reach the WLC.
Switch(config)# vlan 100
Switch(config-vlan)# name ap-management
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet1/0/10
Switch(config-if)# switchport
Switch(config-if)# switchport access vlan 100
Switch(config-if)# switchport mode access
Switch(config-if)# spanning-tree portfast
Switch(config-if)# power inline auto
Switch(config-if)# exit

Configuring Support for WLCs
 - The appropriate location for a WLC is a distribution-layer switch port.
 - The switch interfaces feeding a WLC should be configured as trunk links.
 - Some WLCs need a single interface, others have several interfaces that should be bundled into a single EtherChannel.
 - Wireless specialist will set the requirements for WLC interfaces/configuration.
Switch(config)# interface range gigabitethernet1/0/41 - 44
Switch(config-if-range)# switchport
Switch(config-if-range)# channel-group 1 mode on
Switch(config-if-range)# exit
Switch(config)# interface port-channel 1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport mode trunk
Switch(config-if)# spanning-tree portfast trunk
Switch(config-if)# no shutdown
Switch(config-if)# exit