Cisco Wireless Architectures.
Autonomous AP Architecture:
An autonomous AP has both wireless and wired hardware, so wireless connections can be terminated onto a wired connection at the AP itself. Autonomous APs offer one or more fully functional, standalone basic service sets (BSSs). They are also a natural extension of a switched network, connecting wireless service set identifiers (SSIDs) to wired virtual LANs (VLANs) at the access layer.
The above image is an example of the autonomous AP architecture. From the figure you can see that the AP has two SSIDs, wlan100 and wlan200, and that VLAN trunking takes place on the links from the distribution layer switches to the access layer switches; if a user wants to access the network at the access layer or the distribution layer, he has to connect to the AP.
From the figure you can also see that the AP is configured with a management IP address, which is used to configure the AP's features, such as RF parameters (channels and range), SSIDs, VLANs and so on. Since the VLANs and SSIDs must be extended throughout the network, we should look at how they are extended, as shown below.
The shaded links in the figure above show an example of a single VLAN's extent in the data plane. Working top to bottom, follow VLAN 100 as it reaches through the network. VLAN 100 is routed within the distribution layer and must be carried over trunk links to the access layer switches and then to each autonomous AP. In effect, VLAN 100 must extend end to end across the whole infrastructure — something that is usually considered to be a bad practice.
The Spanning Tree Protocol (STP) running on each switch becomes a vital ingredient to prevent bridging loops from forming and corrupting the network. For these reasons, client roaming across autonomous APs is typically limited to the Layer 2 domain, or the extent of a single VLAN. As the wireless network expands, the infrastructure becomes more difficult to configure correctly and becomes less efficient.
Cloud-Based AP Architecture:
Recall that an autonomous AP needs quite a bit of configuration and management. To help manage more and more autonomous APs as the wireless network grows, you could place an AP management platform such as Cisco Prime Infrastructure in a central location within the enterprise.
A simpler approach is a cloud-based AP architecture, where the AP management function is pushed out of the enterprise and into the Internet cloud. Cisco Meraki is cloud-based and offers centralized management of wireless, switched, and security networks built from Meraki products.
As you can see from the above figure, the configuration of all the switches at the access and distribution layers, as well as of the APs, is stored in the cloud. They are also configured and updated via the cloud. The Cisco Meraki cloud also adds the intelligence needed to automatically instruct each AP on which channel and transmit power level to use. It can also collect information from all of the APs about things such as RF interference, rogue or unexpected wireless devices that were overheard, and wireless usage statistics.
The network in the above figure has two distinct planes: the control (management) plane and the data plane. Their functions can be described as follows.
■ A control plane: Traffic used to control, configure, manage, and monitor the AP itself
■ A data plane: End-user traffic passing through the AP
Split-MAC Architectures:
Because autonomous APs are…well, autonomous, managing their RF operation can be quite difficult. As a network administrator, you are in charge of selecting and configuring the channel used by each AP and detecting and dealing with any rogue APs that might be interfering. You must also manage things such as the transmit power level to make sure that the wireless coverage is sufficient, it does not overlap too much, and there aren’t any coverage holes — even when an AP’s radio fails.
Managing wireless network security can also be difficult. Each autonomous AP handles its own security policies, with no central point of entry between the wireless and wired networks. That means there is no convenient place to monitor traffic for things such as intrusion detection and prevention, quality of service, bandwidth policing, and so on.
As a result, some of the AP's functions have been shifted to a centralized location. In the figure below you can see that the management functions of the AP are moved to the WLC, while the real-time functions are carried out at the AP itself.
The real-time processes involve sending and receiving 802.11 frames, beacons, and probe messages. 802.11 data encryption is also handled in real time, on a per-packet basis. The AP must interact with wireless clients on some low level, known as the Media Access Control (MAC) layer. These functions must stay with the AP hardware, closest to the clients.
When the functions of an autonomous AP are divided in this way, the AP hardware is known as a lightweight access point and performs only the real-time 802.11 operation.
The management functions are usually performed on a wireless LAN controller (WLC), which controls many lightweight APs. This is shown in the bottom right portion of Figure above. Notice that the AP is left with duties in Layers 1 and 2, where frames are moved into and out of the RF domain. The AP becomes totally dependent on the WLC for every other WLAN function, such as authenticating users, managing security policies, and even selecting RF channels and output power.
The lightweight AP-WLC division of labor is known as a split-MAC architecture, where the normal MAC operations are pulled apart into two distinct locations.
The two devices must use a tunneling protocol between them to carry 802.11-related messages and also client data. Remember that the AP and WLC can be located on the same VLAN or IP subnet, but they do not have to be. Instead, they can be located on two entirely different IP subnets in two entirely different locations.
The Control and Provisioning of Wireless Access Points (CAPWAP) tunneling protocol makes this all possible by encapsulating the data exchanged between the lightweight AP (LAP) and the WLC within new IP packets.
As Figure 27–5 shows, the CAPWAP relationship actually consists of two separate tunnels, as follows:
■ CAPWAP control messages:
Carries the exchanges that are used to configure the AP and manage its operation. The control messages are authenticated and encrypted, so the AP is securely controlled only by the appropriate WLC; they are transported over the control tunnel.
■ CAPWAP data:
Used for packets traveling to and from wireless clients that are associated with the AP. Data packets are transported over the data tunnel but are not encrypted by default. When data encryption is enabled for an AP, packets are protected with Datagram Transport Layer Security (DTLS).
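The two tunnels just described, as an added audit example (not code from the original notes or from Cisco): given UDP datagrams, it uses the RFC 5415 port numbers (5246 control, 5247 data) and the CAPWAP preamble byte to tell which tunnel a packet belongs to and whether DTLS protects it, flagging a cleartext data tunnel and any cleartext control message other than the Discovery exchange, which RFC 5415 sends before DTLS is established. All sample datagrams are constructed by hand.

```python
# Added example (not from the original notes): audit CAPWAP datagrams to see which tunnel
# they use and whether DTLS protects them. Ports, preamble and header layout follow RFC 5415.
CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT = 5246, 5247     # RFC 5415 UDP ports
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
DISCOVERY_TYPES = {1: "Discovery Request", 2: "Discovery Response"}

def classify(dport, payload):
    """Audit label for one UDP datagram (payload = CAPWAP preamble onward); None if not CAPWAP."""
    if dport == CAPWAP_CONTROL_PORT:
        tunnel = "control"
    elif dport == CAPWAP_DATA_PORT:
        tunnel = "data"
    else:
        return None
    if len(payload) < 8:
        return f"{tunnel}: truncated header"
    preamble_type = payload[0] & 0x0F     # low nibble: 0 = CAPWAP header, 1 = CAPWAP DTLS header
    if preamble_type == 1:
        # 4-byte CAPWAP DTLS header, then the DTLS record: content type (1), version (2), ...
        version = int.from_bytes(payload[5:7], "big")
        return f"{tunnel}: protected by {DTLS_VERSIONS.get(version, f'unknown DTLS 0x{version:04x}')}"
    if preamble_type != 0:
        return f"{tunnel}: unknown preamble type {preamble_type}"
    if tunnel == "data":
        frame = "802.11" if payload[2] & 0x01 else "802.3"   # T flag selects the frame format
        return f"data: CLEARTEXT {frame} frames (DTLS not enabled)"
    hlen = (payload[1] >> 3) * 4          # HLEN counts 4-byte words; the control header follows it
    if len(payload) < hlen + 4:
        return "control: truncated control header"
    msg_type = int.from_bytes(payload[hlen:hlen + 4], "big")   # enterprise number << 8 | type
    if msg_type in DISCOVERY_TYPES:
        return f"control: cleartext {DISCOVERY_TYPES[msg_type]} (normal before DTLS is set up)"
    return f"control: FINDING cleartext control message type {msg_type}"

def audit(datagrams):
    """Map (src, dport, payload) tuples to (src, label), dropping non-CAPWAP traffic."""
    labelled = ((src, classify(dport, payload)) for src, dport, payload in datagrams)
    return [(src, label) for src, label in labelled if label is not None]

# Constructed samples. A plain CAPWAP header is 8 bytes here: HLEN=2 words, RID=0, WBID=1 (802.11).
CAPWAP_HDR_8023 = bytes([0x00, 0x10, 0x02, 0x00, 0, 0, 0, 0])    # T=0: 802.3 frame follows
CAPWAP_HDR_80211 = bytes([0x00, 0x10, 0x03, 0x00, 0, 0, 0, 0])   # T=1: native 802.11 frame
DTLS12_RECORD = bytes([0x01, 0, 0, 0, 0x17, 0xFE, 0xFD]) + bytes(9)   # CAPWAP DTLS hdr + record
SAMPLE = [
    ("10.1.1.10", 5246, CAPWAP_HDR_8023 + bytes([0, 0, 0, 1, 0, 0, 0, 0])),  # Discovery Request
    ("10.1.1.10", 5246, DTLS12_RECORD),                                      # protected control
    ("10.1.1.10", 5247, CAPWAP_HDR_80211 + b"\x08\x02" + bytes(22)),         # cleartext client data
    ("10.1.1.11", 5247, DTLS12_RECORD),                                      # DTLS-protected data
]
```

Running `audit(SAMPLE)` on a real capture export would show at a glance which APs still carry client traffic in the clear between AP and WLC.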
Every AP and WLC must also authenticate each other with digital certificates. An X.509 certificate is preinstalled in each device when it is purchased. By using certificates behind the scenes, every device is properly authenticated before becoming part of the wireless network. This process helps assure that no one can add an unauthorized AP to your network.
The CAPWAP tunneling allows the AP and WLC to be separated geographically and logically. It also breaks the dependence on Layer 2 connectivity between them. For example, the figure above uses shaded areas to show the extent of VLAN 100. Notice how VLAN 100 exists at the WLC and in the air as SSID 100, near the wireless clients — but not in between the AP and the WLC. Instead, traffic to and from clients associated with SSID 100 is transported across the network infrastructure encapsulated inside the CAPWAP data tunnel. The tunnel exists between the IP address of the WLC and the IP address of the AP, which allows all of the tunneled packets to be routed at Layer 3.
As the wireless network grows, the WLC simply builds more CAPWAP tunnels to reach more APs. Figure below depicts a network with four APs. Each AP has a control and a data tunnel back to the centralized WLC. SSID 100 can exist on every AP, and VLAN 100 can reach every AP through the network of tunnels.
Once CAPWAP tunnels are built from a WLC to one or more lightweight APs, the WLC can begin offering a variety of additional functions. Think of all the puzzles and shortcomings that were discussed for the traditional autonomous WLAN architecture as you read over the following list of WLC activities:
■ Dynamic channel assignment:
The WLC can automatically choose and configure the RF channel used by each AP, based on other active access points in the area.
■ Transmit power optimization:
The WLC can automatically set the transmit power of each AP based on the coverage area needed.
■ Self-healing wireless coverage:
If an AP radio dies, the coverage hole can be “healed” by turning up the transmit power of surrounding APs automatically.
■ Flexible client roaming:
Clients can roam between APs with very fast roaming times.
■ Dynamic client load balancing:
If two or more APs are positioned to cover the same geographic area, the WLC can associate clients with the least used AP. This distributes the client load across the APs.
■ RF monitoring:
The WLC manages each AP so that it scans channels to monitor the RF usage. By listening to a channel, the WLC can remotely gather information about RF interference, noise, signals from neighboring APs, and signals from rogue APs or ad hoc clients.
■ Security management:
The WLC can authenticate clients from a central service and can require wireless clients to obtain an IP address from a trusted DHCP server before allowing them to associate and access the WLAN.
■ Wireless intrusion protection system:
Leveraging its central location, the WLC can monitor client data to detect and prevent malicious activity.
Comparing Wireless LAN Controller Deployments:
One approach is to locate the WLC in a central location so that you can maximize the number of APs joined to it. This is usually called a unified or centralized WLC deployment, which tends to follow the concept that most of the resources users need to reach are located in a central location such as a data center or the Internet. Traffic to and from wireless users would travel over CAPWAP tunnels that reach into the center of the network, near the core, as shown in Figure below. A centralized WLC also provides a convenient place to enforce security policies that affect all wireless users.
Your network might have more APs — many, many more. A large enterprise network might have thousands of APs connected to its access layer. Scalability then becomes an important factor in the centralized design. Typical unified WLCs can support a maximum of 6000 APs. If you have more APs than the maximum, you will need to add more WLCs to the design, each located centrally.
A WLC can also be located in a central position in the network, inside a data center in a private cloud, as shown in Figure below. This is known as a cloud-based WLC deployment, where the WLC exists as a virtual machine rather than a physical device. If the cloud computing platform already exists, then deploying a cloud-based WLC becomes straightforward. Such a controller can typically support up to 3000 APs. If your wireless network scales beyond that, then additional WLCs can be added as more virtual machines.
For small campuses or distributed branch locations, where the number of APs is relatively small in each, the WLC can be co-located with a stack of switches, as shown in Figure below. This is known as an embedded WLC deployment because the controller is embedded within the switching hardware. Typical Cisco embedded WLCs can support up to 200 APs. The APs do not necessarily have to be connected to the switches that host the WLC; APs connected to other switches in other locations can join the embedded WLC too. As the number of APs grows, additional WLCs can be added by embedding them in other switch stacks at the site.
Finally, in small-scale environments, such as small, midsize, or multisite branch locations, you might not want to invest in dedicated WLCs at all. In this case, the WLC function can be co-located with an AP that is installed at the branch site. This is known as a Cisco Mobility Express WLC deployment, as shown in Figure below. The AP that hosts the WLC forms a CAPWAP tunnel with the WLC, along with any other APs at the same location. A Mobility Express WLC can support up to 100 APs.
Cisco AP Modes:
■ Local:
The default lightweight mode that offers one or more functioning BSSs on a specific channel. During times that it is not transmitting, the AP will scan the other channels to measure the level of noise, measure interference, discover rogue devices, and match against intrusion detection system (IDS) events.
■ Monitor:
The AP does not transmit at all, but its receiver is enabled to act as a dedicated sensor. The AP checks for IDS events, detects rogue access points, and determines the position of stations through location-based services.
■ FlexConnect:
An AP at a remote site can locally switch traffic between an SSID and a VLAN if its CAPWAP tunnel to the WLC is down and if it is configured to do so.
■ Sniffer:
An AP dedicates its radios to receiving 802.11 traffic from other sources, much like a sniffer or packet capture device. The captured traffic is then forwarded to a PC running network analyzer software such as Wildpackets OmniPeek or Wireshark, where it can be analyzed further.
■ Rogue detector:
An AP dedicates itself to detecting rogue devices by correlating MAC addresses heard on the wired network with those heard over the air. Rogue devices are those that appear on both networks.
■ Bridge:
An AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks. Two APs in bridge mode can be used to link two locations separated by a distance. Multiple APs in bridge mode can form an indoor or outdoor mesh network.
■ Flex+Bridge:
FlexConnect operation is enabled on a mesh AP.
■ SE-Connect:
The AP dedicates its radios to spectrum analysis on all wireless channels. You can remotely connect a PC running software such as MetaGeek Chanalyzer or Cisco Spectrum Expert to the AP to collect and analyze the spectrum analysis data to discover sources of interference.
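The rogue detector correlation described in the list above, as an added example that is not part of the original notes or of Cisco's implementation: it normalizes MAC addresses across the Cisco dotted notation used on the wire and the colon notation used for BSSIDs heard over the air, then reports any address present on both sides together with the VLAN and switch port it was learned on. The switch listing and the over-the-air observations are constructed samples.

```python
# Added example (not from the original notes): the rogue-detector correlation described above,
# run offline over constructed listings. Both inputs below are constructed samples.
import re

# Constructed excerpt in the style of a Cisco `show mac address-table` listing (dotted MAC format).
WIRED_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0018.7301.5a10    DYNAMIC     Gi1/0/7
 100    a4b2.3900.7fe1    DYNAMIC     Gi1/0/12
 200    3c5a.b4d2.0c41    DYNAMIC     Gi1/0/3
"""
# Constructed over-the-air observations by a detector AP: (BSSID, SSID) pairs.
HEARD_IN_AIR = [
    ("A4:B2:39:00:7F:E1", "FreeWifi"),
    ("00:1C:F9:12:34:56", "wlan100"),
    ("3C:5A:B4:D2:0C:41", "Printer-Setup"),
]
DOTTED_MAC = re.compile(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}")

def normalize_mac(mac):
    """Canonical 12-digit lower-case hex, accepting colon, dash or Cisco dotted notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def parse_wired_table(text):
    """Map normalized MAC -> (vlan, port); header and separator lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and DOTTED_MAC.fullmatch(fields[1]):
            table[normalize_mac(fields[1])] = (int(fields[0]), fields[3])
    return table

def find_rogues(wired_text, heard):
    """A BSSID heard over the air that also appears on the wire is a rogue on the network."""
    wired = parse_wired_table(wired_text)
    rogues = []
    for bssid, ssid in heard:
        key = normalize_mac(bssid)
        if key in wired:
            vlan, port = wired[key]
            rogues.append((bssid, ssid, vlan, port))
    return rogues
```

A BSSID heard only in the air (here "wlan100") is a neighbor, not necessarily a threat; the ones that also show up on a switch port are the ones worth tracing to the port and disabling.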