Monday, June 20, 2011

WLAN Components

Cisco supports two different types of wireless access points: autonomous and lightweight.  Autonomous systems provide wireless services independently, while lightweight models work in combination with a wireless controller.  Both variations can receive their power from Power over Ethernet (PoE) switches or from midspan power injectors, which inject power into a cable run.  Both options matter because they remove the need for electrical outlets near an AP, giving more flexible placement options.  Note that access points can require up to 15 Watts of power, so if you are running PoE, make sure the switch can power the number of APs connected.

Autonomous APs

Autonomous APs run Cisco IOS and are configured directly.  Traffic flows from the client, to the autonomous AP, to the connected switch, and on to the rest of the network.  If roaming is a requirement, make sure the proper VLANs and SSIDs are configured (and that a management VLAN is included).  Also, only layer 2 roaming is possible on autonomous APs.  Make sure the switch has power, and remember to configure the connected switch interface as a trunk if you are using multiple VLANs.
Redundancy is provided by multiple APs.


Repeaters are access points configured to extend the radio range of an existing wireless network.  The repeater AP is not connected to the wired LAN; instead, it sits within the signal range of an AP that is connected to the wired LAN.  Autonomous access points are required if you need to configure repeaters.  The SSID must match on both the root access point and the repeater AP, and the recommended coverage overlap between the AP connected to the wired LAN and the repeater AP is 50%.
Because repeaters are also configured on the same channel as the LAN-connected AP, every additional repeater that is added to the chain on the same channel effectively cuts the throughput of that network in half because wireless works in half-duplex mode.  If any AP is transmitting, everyone else must wait their turn to relay the message.

Lightweight APs

When using lightweight access points, the AP and the wireless LAN controller (WLC) split the functions of layer 2, the MAC layer (sometimes referred to as “split” MAC).  The management controller includes a Wireless Control System (WCS) and a location-tracking appliance.  Redundancy consists of multiple WLCs.

The AP handles real-time processes and the WLC handles processes like:

  • Security
  • VLAN tagging
  • QoS
  • Forwarding traffic
  • Authentication
  • Client association
Controllers provide a single point of management, which can be a big advantage in large-scale deployments.
This is where it starts getting heady, especially if you're a route/switch guy… but hang with me.


LWAPP provides access point discovery, information exchange, and configuration.  LWAPP encapsulates control traffic using UDP port 1024 as the source and UDP port 12223 as the destination.  Layer 3 LWAPP uses a UDP/IP frame, which requires the Cisco AP to get its IP address from a DHCP server.
The split MAC function is performed by LWAPP, the Lightweight Access Point Protocol, which uses AES-encrypted control messages but does not encrypt data traffic (control traffic is LWAPP-encapsulated and encrypted; data traffic is LWAPP-encapsulated but not encrypted).  A newer IETF standard that can perform the same function is CAPWAP (Control And Provisioning of Wireless Access Points protocol).  Both CAPWAP and LWAPP use UDP, and the controller does not have to be in the same subnet as the APs, just reachable through IP.
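Because LWAPP data traffic is not encrypted and an AP trusts whichever controller it joins, it is worth checking that every AP-to-controller control session terminates on a controller you actually manage.  The following is an added example (not code from the original post) that audits constructed flow records for LWAPP control sessions, using the UDP control port 12223 stated above; the controller inventory and the flow lines are constructed for illustration.

```python
"""Added example: flag LWAPP control sessions to controllers outside the
known WLC inventory. Port numbers follow the post (AP source UDP 1024,
controller destination UDP 12223). Inventory and flows are constructed."""

# Destination port the post gives for LWAPP control traffic.
LWAPP_CTRL_PORT = 12223

# Assumed inventory of legitimate controller management IPs (constructed).
KNOWN_WLCS = {"10.10.0.5", "10.10.0.6"}

# Constructed flow records, one per line: "src dst proto sport dport".
SAMPLE_FLOWS = """\
10.20.1.11 10.10.0.5 udp 1024 12223
10.20.1.12 10.10.0.6 udp 1024 12223
10.20.1.13 192.0.2.99 udp 1024 12223
10.20.1.11 10.10.0.5 udp 1024 12222
10.20.1.14 10.10.0.5 tcp 51022 443
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    src, dst, proto, sport, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport)}


def lwapp_control_sessions(text):
    """Return (ap_ip, wlc_ip) pairs for flows that look like LWAPP control traffic."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] == "udp" and f["dport"] == LWAPP_CTRL_PORT:
            pairs.append((f["src"], f["dst"]))
    return pairs


def unknown_controllers(text, known=KNOWN_WLCS):
    """APs holding a control session with a controller that is not in the inventory."""
    return sorted({(ap, wlc) for ap, wlc in lwapp_control_sessions(text)
                   if wlc not in known})


if __name__ == "__main__":
    for ap, wlc in unknown_controllers(SAMPLE_FLOWS):
        print(f"AP {ap} has an LWAPP control session with unknown controller {wlc}")
```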

Lightweight APs use this process to discover their controller:

  1. The AP requests a DHCP address – the response includes the management IP of one or more WLCs.
  2. The AP sends a Discovery Request message (using LWAPP or CAPWAP) to each WLC.
  3. The WLC responds (using LWAPP or CAPWAP) with a Discovery Response that includes the number of APs associated with it.
  4. The AP sends a Join Request to the WLC with the fewest APs associated to it.
  5. The WLC responds with a Join Response message.  Once that is complete, the AP and controller exchange authentication information and produce encryption keys for future control messages.  The WLC then configures the AP (SSID, channels, security settings, etc.).
Step 2 (discovery request) explained:
If Layer 2 LWAPP mode is supported on the LAP, the LAP broadcasts an LWAPP discovery message in a Layer 2 LWAPP frame.   If the LAP does not support Layer 2 mode, or if the WLC or the LAP fails to receive an LWAPP discovery response to the Layer 2 LWAPP discovery message broadcast, the LAP attempts a Layer 3 LWAPP WLC discovery.
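The discovery and join sequence above, modelled as an added example (not code from the original post or from Cisco): the AP tries a Layer 2 broadcast discovery first, falls back to Layer 3 unicast discovery to the controllers learned from DHCP, and joins the responder that reports the fewest APs.  Controller names, management IPs, AP counts and the Layer 2 adjacency flags are constructed.

```python
"""Added example: simplified model of lightweight AP controller discovery
and join. Controller data below is constructed, not a real deployment."""

from dataclasses import dataclass


@dataclass
class WLC:
    name: str
    mgmt_ip: str
    ap_count: int          # reported back in the Discovery Response
    l2_adjacent: bool      # can hear the AP's Layer 2 broadcast discovery


def discover(wlcs, dhcp_wlc_ips, ap_supports_l2):
    """Steps 2-3: Layer 2 broadcast first; if nothing answers, Layer 3
    unicast Discovery Requests to the WLC IPs learned from DHCP.
    Returns the controllers that sent a Discovery Response."""
    if ap_supports_l2:
        l2_responders = [w for w in wlcs if w.l2_adjacent]
        if l2_responders:
            return l2_responders
    # Layer 3 discovery: one unicast request per DHCP-learned controller.
    return [w for w in wlcs if w.mgmt_ip in dhcp_wlc_ips]


def join(responders):
    """Steps 4-5: send the Join Request to the responder with the fewest APs.
    Returns the chosen controller's name, or None if nothing answered."""
    if not responders:
        return None
    target = min(responders, key=lambda w: w.ap_count)
    target.ap_count += 1   # after the Join Response this AP counts against it
    return target.name


def run_ap(wlcs, dhcp_wlc_ips, ap_supports_l2=True):
    """Full sequence for one AP booting up."""
    return join(discover(wlcs, dhcp_wlc_ips, ap_supports_l2))


def constructed_controllers():
    """Constructed inventory: only WLC-C is on the AP's Layer 2 segment."""
    return [WLC("WLC-A", "10.10.0.5", 40, False),
            WLC("WLC-B", "10.10.0.6", 12, False),
            WLC("WLC-C", "10.10.0.7", 25, True)]


if __name__ == "__main__":
    print(run_ap(constructed_controllers(), {"10.10.0.5", "10.10.0.6"}))
```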

Lightweight AP Planning

When using lightweight access points, the traffic flows from the client to the AP, through the switched network, to the WLC, and finally from there to its destination.  Because the traffic always goes from the AP to the controller, it is important that the AP has layer 3 connectivity to the WLC.
While the controllers can be distributed across the network (e.g. a single controller in each building), Cisco recommends a centralized approach, co-locating them (for example, in your data center).  Simplified management and user mobility are the reasons.
VLAN and SSID assignments must be configured on the controller in a lightweight AP environment, as opposed to the autonomous model.  A management VLAN is used to communicate between the AP and the controller.  The interface on the switch connected to the AP should be an access port using the management VLAN ID.  The interface on the switch connected to the controller should be a trunk to forward traffic for multiple subnets.  Etherchannels (portchannels) are often used to connect WLCs to the switch for redundancy and bandwidth.
When using LWAPP on a lightweight AP, the console port provides read-only access to the device.  As with the autonomous model, you should make sure the AP has power from either PoE or a power injector.

WLC Configuration
WLCs can be configured by command line or through a web-browser GUI.  There are two commands that enable the web interface modes on the controller:
To enable HTTP access: config network webmode {enable | disable}
To enable HTTPS access: config network secureweb {enable | disable}
Note:  Cisco WLAN controllers can be either an appliance, a module for 6500 and 7600 series switches, or integrated into 3750G switches.  Also, while we aren’t going to get into configuring an AP, you should be aware that the virtual interface on a WLC is often used for DHCP relay.

Hybrid Remote Edge Access Point (H-REAP)

If the wireless controllers are located across the WAN, some significant problems can result.  The traffic would have to travel over the WAN to the controller and back again.  Also, if the WAN link goes down or flaps, the APs quickly lose functionality.

H-REAP is designed to address these problems.

  • Connected mode – When the controller is reachable, APs only send non-local traffic to the controller; the rest is sent directly to the locally attached switch for forwarding.  That prevents local traffic from having to cross the WAN.  It doesn’t have to be only local traffic, either – you can configure any VLANs you want to stay off the controller, but local VLANs make the most sense.  The AP sends only remote and authentication traffic to the controller.
Note:  In this mode, the connection between the AP and the switch should be a trunk to carry all the VLANs.
  • Disconnected mode – If the controller becomes unreachable, the AP authenticates clients itself.  Local traffic is still sent to the local switch, but remote destinations will not be reachable, as the WAN would be down.
Note:  H-REAP is configured on the controllers, not the APs.
