Welcome to Wireless Design!
Wireless network connectivity may be one of the most influential and widespread technologies in modern networks, even though I feel it is one of the least understood technology areas among network engineers today. Most of us are familiar with the practical aspects of setting up an SSID and setting a password, but nearly all network engineers I meet have only a vague familiarity with enterprise wireless design.
Before we get into the Cisco wireless design practices, let’s do a brief overview of wireless technologies.
In the last 20 years wireless standards have come quite a long way. Back in 1999 the IEEE released the 802.11a wireless standard. It had a maximum theoretical throughput of 54 Mbps and operated in the 5 GHz spectrum; that is to say, it used the UNII bands here in the United States, the Unlicensed National Information Infrastructure. At 40 MHz wide channels this allows for 12 non-overlapping frequencies.
In the same year, the IEEE also published the 802.11b standard, which offered lower throughput, at 11 Mbps, but operated in the 2.4 GHz spectrum. That's the ISM band, or the Industrial, Scientific and Medical radio band. It may have offered lower throughput, but it had the advantage of reaching farther and penetrating walls and other obstructions to line of sight better. So it was a bit of a tradeoff, right? You get lower speeds, but you can be further away from the access point.
The ISM band, at 22 MHz wide channels, offers 3 non-overlapping frequencies. These are often referred to as channels. In the graph at the bottom here we see where each channel resides in the ISM band. The 3 channels at the top, 1, 6 and 11, are the primary channels that do not overlap. Of course you can use 2, 7 and 12, or 3, 8 and 13, but the usage of the top 3 is so ubiquitous that it's recommended to use them so you're not overlapping with everyone around you who may be broadcasting as well.
You can see that the IEEE has steadily improved wireless communication, with 802.11ac giving throughput of 2.3 Gbps and operating in the 5 GHz band. The most recent standard released, and I'm talking here in the middle of 2019, is 802.11ax, which is set to replace 802.11n and 802.11ac. This new standard changes the game a bit and boasts theoretical speeds of up to 11 Gbps.
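As an added example that is not part of the original lecture, the script below works out the channel overlap the graph shows from the channel centre frequencies (2407 MHz plus 5 MHz per channel number for channels 1 to 13) and the 22 MHz channel width given above. It generalizes the 1/6/11 rule: given any starting channel and width it returns the non-overlapping set, and it lists the interfering pairs in a channel plan you feed it. The channel plan passed at the bottom is constructed for the example.

```python
# Added example (not from the original lecture): compute which 2.4 GHz ISM
# channels overlap for a given channel width, using the standard channel
# centre frequencies (2407 MHz + 5 MHz * channel for channels 1-13).

CHANNEL_SPACING_MHZ = 5
BASE_MHZ = 2407  # channel n is centred at 2407 + 5n MHz for n = 1..13


def center_frequency(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz channel (1-13)."""
    if not 1 <= channel <= 13:
        raise ValueError("only channels 1-13 follow the 5 MHz spacing rule")
    return BASE_MHZ + CHANNEL_SPACING_MHZ * channel


def channels_overlap(a: int, b: int, width_mhz: int = 22) -> bool:
    """Two channels overlap when their centres sit closer than one channel width."""
    return abs(center_frequency(a) - center_frequency(b)) < width_mhz


def non_overlapping_set(start: int, width_mhz: int = 22, last: int = 13) -> list[int]:
    """Greedy walk upward from `start`, keeping each channel that does not
    overlap the previously kept one. Starting at 1 with 22 MHz yields 1, 6, 11."""
    chosen = [start]
    for ch in range(start + 1, last + 1):
        if not channels_overlap(chosen[-1], ch, width_mhz):
            chosen.append(ch)
    return chosen


def overlap_pairs(plan: list[int], width_mhz: int = 22) -> list[tuple[int, int]]:
    """Return the channel pairs in a deployment plan that interfere with each other."""
    pairs = []
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if channels_overlap(a, b, width_mhz):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    print(non_overlapping_set(1))        # the familiar 1, 6, 11
    print(non_overlapping_set(2))        # 2, 7, 12
    print(overlap_pairs([1, 4, 8, 11]))  # constructed plan with overlapping channels
```

Running the same function with a 20 MHz width shows why some vendors advertise a four-channel plan (1, 5, 9, 13) in regions where channel 13 is allowed; with the 22 MHz width used in the lecture only three channels fit.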
For the exam, certainly know the standards in this table, what band they operate on, and the non-overlapping channels.
Moving on through our wireless overview, let's talk briefly about what an SSID, or service set identifier, is. Almost everyone knows this as the name of the wireless network that's broadcast. It is the wireless equivalent of a VLAN on a wired network: all devices communicating on a wireless network must have the same SSID configured. Cisco recommends mapping each SSID to a separate VLAN. Typically your different SSIDs will have different security requirements, and it makes little sense to have the same VLAN accessible from both a higher-security and a lower-security wireless network.
The SSID can be 2 to 32 characters long. At layer 2, you may not realize that wireless works with carrier sense multiple access with collision avoidance (CSMA/CA). What's this? Half duplex. When using the air as the transmission medium, there's no way to detect a collision or operate at full duplex. A client or access point listens first before transmitting to see if anyone else is transmitting. If someone is, it waits for a random backoff timer and then tries again, continuing until it sees an opening to transmit in. This is why, when someone says they are having trouble because the wireless in the area is crowded, it's actually because one side or the other is having to wait a long time to find an opening in which it is able to transmit.
So now that we've had a brief overview of wireless, let's go into Cisco's wireless design recommendations and framework. Cisco created the framework of the Unified Wireless Network. The Unified Wireless Network contains wireless clients, the access points they connect to, unification of the wired and wireless networks, management of the wireless networks, and mobility services to allow users to roam while wireless. The bottom 3 elements here are provided by the Cisco Wireless LAN Controller, whose operation we'll go into in some detail shortly.
Cisco is clear about the benefits that using the Unified Wireless Network framework provides: reduced total cost of ownership, enhanced visibility and control of the wireless networks, dynamic radio frequency management, wireless LAN security, unified wired and wireless networks, and enterprise mobility, which enhances productivity and collaboration because staff are able to work wirelessly within the corporate campus.
The Unified Wireless Network requires a centralized design. Most people are used to wireless routers or a wireless access point you purchase and configure individually, but this simply does not scale, and a fair number of features are lost when the access points do not operate as a single wireless network. In the centralized design we use Lightweight Access Points, or LAPs. These LAPs are controlled by the Wireless LAN Controller, or WLC. The LAPs are generally not operational independently. They have enough brainpower to boot up and look for a WLC, and that's about it; they need to be told how to do anything and everything else.
The diagram here illustrates a CAPWAP tunnel. In most deployments, the end-user traffic does not actually enter the network at the access point; rather, the traffic is tunneled through the network to the WLC and then enters the network at the physical port where the WLC connects to the network. This is beneficial for a number of reasons, among them that we do not require end-to-end VLANs. The VLAN to which your SSID is mapped only needs to exist up to where the WLC is located, and does not and should not exist where your access points connect to the network. This provides improved security and really facilitates a better design overall.
At first, Cisco access points in a centralized design used the Lightweight Access Point Protocol, or LWAPP, to communicate and transport user data. This was a Cisco proprietary protocol and used AES for data encryption. It uses UDP 12222 and 12223 for control messages and data transport respectively. The industry standard response to this is CAPWAP, or Control and Provisioning of Wireless Access Points. CAPWAP is now the preferred protocol for both Cisco and non-Cisco lightweight access point communications. It uses DTLS for encryption and UDP 5246 and 5247 for control and data respectively. When I mentioned that user data is tunneled back to the WLC for entry to the network, it's an LWAPP or CAPWAP tunnel that is transporting that data. These protocols are also responsible for the discovery process and for the provisioning control messages that are sent between the WLC and the access points. Overall you don't need to be concerned about the details of how the protocols work; however, I would commit the information on this slide to memory.
Now your design may be configured in such a way that you don't want the user data transported back to the WLC for entry to the network. Perhaps bandwidth over a WAN link to one of your branch offices is rather limited, and you want the users' internet-bound traffic to use the ISP connection at the local branch office rather than crossing the WAN link and going out to the internet from the HQ. This is where the concept of split-MAC vs. local-MAC operation comes in. In split-MAC operation the WLC is the termination point where client data enters and exits the wired network. In local-MAC operation, however, the client data terminates at the access point. The WLC in this circumstance still handles a significant portion of the operations, such as association and disassociation requests and authentication.
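The port numbers on this slide are exactly what you need to recognize controller tunnels in flow data. As an added example that is not part of the original lecture, the script below classifies UDP flow records by the CAPWAP ports (5246 control, 5247 data) and the LWAPP port pair (12222/12223), then raises two defender-side findings: a CAPWAP tunnel terminating on an address that is not one of the controllers you deployed, and any LWAPP still in use, since the lecture names CAPWAP as the preferred protocol. The flow records, the controller addresses and the flow-line format are all constructed for the example.

```python
# Added example (not from the original lecture): classify UDP flow records by
# the CAPWAP and LWAPP port numbers given in the text and flag tunnels that do
# not terminate on a controller we deployed. Flow lines, the flow-record
# format and the controller addresses are constructed for this example.

CAPWAP_PORTS = {5246: "capwap-control", 5247: "capwap-data"}
LWAPP_PORTS = {12222, 12223}  # legacy Cisco proprietary protocol, control and data

# Constructed: the controllers this hypothetical campus actually deployed.
KNOWN_WLCS = {"10.10.0.5", "10.10.0.6"}

# Constructed flow records: "src_ip src_port dst_ip dst_port proto bytes"
SAMPLE_FLOWS = """\
10.20.1.11 49152 10.10.0.5 5246 udp 1820
10.20.1.11 49153 10.10.0.5 5247 udp 904311
10.10.0.6 5246 10.20.1.12 49152 udp 1790
10.20.2.40 49160 192.0.2.77 5247 udp 55120
10.20.3.9 50001 10.10.0.5 12223 udp 1200
10.20.1.11 49200 10.10.0.9 53 udp 180
10.20.1.11 40000 10.10.0.5 5246 tcp 300
"""


def classify_flow(line: str) -> dict:
    """Label one flow record and attach any findings worth a look."""
    src, sport, dst, dport, proto, nbytes = line.split()
    record = {"src": src, "dst": dst, "bytes": int(nbytes), "kind": "other", "alerts": []}
    if proto != "udp":          # both tunnel protocols run over UDP only
        return record
    # The controller side of a tunnel carries the well-known port; the AP side
    # uses an ephemeral port. Check both directions so reply flows classify too.
    for controller, port in ((dst, int(dport)), (src, int(sport))):
        if port in CAPWAP_PORTS:
            record["kind"] = CAPWAP_PORTS[port]
            if controller not in KNOWN_WLCS:
                record["alerts"].append(f"CAPWAP tunnel to unknown controller {controller}")
            break
        if port in LWAPP_PORTS:
            record["kind"] = "lwapp"
            record["alerts"].append("legacy LWAPP still in use")
            break
    return record


def audit_flows(text: str) -> list[dict]:
    """Classify every non-empty flow line."""
    return [classify_flow(line) for line in text.splitlines() if line.strip()]


def alerts(text: str) -> list[tuple[str, str, str]]:
    """(src, dst, finding) for every flagged flow, in input order."""
    found = []
    for rec in audit_flows(text):
        for finding in rec["alerts"]:
            found.append((rec["src"], rec["dst"], finding))
    return found


if __name__ == "__main__":
    for src, dst, finding in alerts(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {finding}")
```

Because the user VLAN is only supposed to exist where the WLC connects, a CAPWAP data flow toward an address outside your controller list is worth investigating either way: it is a misconfigured AP at best.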
- Local mode – default operating mode
- H-REAP – For managing LAPs over a WAN. Allows split-MAC
- Monitor – AP doesn't handle client data, only provides location-based services
- Rogue detector – AP only listens for access points
- Sniffer – Only supported with AiroPeek; captures all traffic on a channel
- Bridge – AP acts as a point-to-point or point-to-multipoint wireless bridge
This list shows the modes that an access point can be operated in. Local mode is the default and normal operating mode you'd expect. H-REAP, or Hybrid Remote Edge Access Point, is a mode used for managing LAPs over a WAN. This allows for local-MAC or split-MAC operation. This mode can allow the wireless at a branch office to remain functional in the event that the WAN link is lost, so the LAP has some autonomous capability while it has lost connectivity to the WLC. With monitor mode the LAP is just listening to provide location-based services. In rogue detector mode the AP is also not participating in handling user traffic and instead is only listening for surrounding access points. The AP collects the broadcast MACs of each of the access points it can hear and sends them to the WLC so it can determine if any of them are seen on the wired network. If they are, we know that there is an unauthorized wireless access into the wired network somewhere. In sniffer mode the access point captures all traffic on a channel. This is only supported when using the application called AiroPeek. Finally the LAP can be operated in bridge mode, which provides a point-to-point or point-to-multipoint wireless bridge, to perhaps connect 2 buildings, or connect a remote location where running a wired connection was not feasible or practical.
For the exam, certainly be familiar with what modes exist and what they're used for, although you shouldn't need to be familiar with any details of their operation.
When a LAP first boots up it'll go through the process outlined here. First it'll try to discover the WLC using CAPWAP; if that doesn't succeed after 60 seconds, it'll try LWAPP. After another 60 seconds, if it still can't find a WLC, it'll go back to CAPWAP and try again, repeating this until it locates a WLC. Once WLCs are located, if it has multiple to choose from, it'll select which to associate with in the order that follows. You can manually configure a primary, secondary and tertiary WLC for the LAP to associate with. If you have not manually configured any WLCs, the LAP will associate with the WLC configured as the master. In the event the master is not available, it'll associate with the WLC with the greatest available capacity, which may not be the one with the fewest APs, depending on the models of WLCs in your network.
The WLCs themselves have 3 main components: WLANs, interfaces and ports. The WLANs are identified by an SSID and are assigned to use an interface. The interfaces are logical connections which map to a VLAN on the wired network, and there are 5 different types of interface, 3 of which are mandatory. The management interface is for in-band management and must be configured; the service port is for out-of-band management and is optional. The AP-manager interface is used for AP communications, provisioning and association, and is mandatory. Dynamic interfaces are created dynamically and are the interfaces associated with SSIDs for user data traffic. The virtual interface is used for DHCP relay and authentication traffic. Finally, the ports of a WLC are the physical ports which connect to the wired network and which the logical interfaces use for communication.
Now, Cisco has many different models of WLC out there for a variety of use cases. They each generally support a different number of access point associations per physical port. This table gives a brief overview of some of the WLC models available. You can see here that we can even have a WLC module for our ISR or in our chassis-based switch.
For the exam, certainly ensure you're familiar with the models here and the number of APs supported.
One of the major benefits of having a centralized wireless design, and the Unified Wireless Network, is automatic radio resource management. Now, what do I mean here? I mean that when you have wireless access points everywhere to ensure you have coverage in the places you need most, you also end up with a lot of overlap. This can cause access points to interfere with one another and cause more problems than you solved by placing more access points. An individual WLC will automatically manage the transmission power and channel selection of the LAPs to ensure you get as little interference as possible. However, you can imagine this could cause some problems if you have a design that ends up requiring more than one WLC. This is where RF Groups come in. APs send neighbor messages all the time; when an AP hears one at -80 dBm or stronger, and dBm is just the unit of measure for wireless signal strength, a neighbor relationship is formed, as long as the WLCs have the same group password configured. When WLCs form an RF group they elect a master, and that master is responsible for doing the radio resource management calculations to coordinate all of the access points in the group so they don't interfere with each other, or at least have as little interference as possible.
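The rogue detector description above is a correlation problem: BSSIDs heard over the air against MAC addresses learned on your switch ports. As an added example that is not part of the original lecture, the script below performs that correlation offline over constructed data. Its `tolerance` parameter is an assumption of mine, not something the lecture describes: many access points derive their radio MACs from their Ethernet MAC by a small offset, so an exact-match check alone can miss a rogue, and the optional near-match widens the net at the cost of a few more hits to triage.

```python
# Added example (not from the original lecture): the correlation a rogue
# detector AP enables, run offline. BSSIDs heard over the air are compared with
# the MAC addresses learned on wired switch ports; a match means a radio we do
# not manage is plugged into our wired network. All addresses are constructed.

from dataclasses import dataclass

# Constructed: BSSIDs reported by rogue-detector APs, with the strongest RSSI seen.
HEARD_BSSIDS = {
    "00:1a:2b:3c:4d:50": -48,   # one of our own APs (listed in MANAGED_BSSIDS)
    "3c:5a:b4:10:20:30": -61,   # a neighbor's network, never seen on our wire
    "f0:9f:c2:aa:bb:01": -55,   # consumer AP plugged into a desk port
    "f0:9f:c2:cc:dd:10": -70,   # radio MAC one higher than its wired MAC
}

MANAGED_BSSIDS = {"00:1a:2b:3c:4d:50"}

# Constructed: (mac, switch, port) rows from the wired MAC address tables.
WIRED_MAC_TABLE = [
    ("00:1a:2b:3c:4d:50", "sw-floor1", "Gi1/0/1"),
    ("f0:9f:c2:aa:bb:01", "sw-floor2", "Gi1/0/17"),
    ("f0:9f:c2:cc:dd:0f", "sw-floor3", "Gi1/0/4"),
    ("d4:be:d9:12:34:56", "sw-floor1", "Gi1/0/9"),
]


def mac_to_int(mac: str) -> int:
    """Treat a colon-separated MAC as a 48-bit integer so offsets can be compared."""
    return int(mac.replace(":", ""), 16)


@dataclass
class RogueOnWire:
    bssid: str
    rssi_dbm: int
    wired_mac: str
    switch: str
    port: str
    exact: bool   # False when matched only through the offset tolerance


def find_rogues_on_wire(heard, managed, wired, tolerance=0):
    """Return heard BSSIDs that are not ours and appear on the wire.

    `tolerance` (an assumption, not from the lecture) also matches a wired MAC
    whose value is within N of the BSSID, because many APs number their radio
    MACs a small offset away from the Ethernet MAC. Leave it 0 for exact matching.
    Strongest signal first, since that rogue is closest to our detectors.
    """
    findings = []
    for bssid, rssi in heard.items():
        if bssid in managed:
            continue
        heard_value = mac_to_int(bssid)
        for mac, switch, port in wired:
            if abs(mac_to_int(mac) - heard_value) <= tolerance:
                findings.append(RogueOnWire(bssid, rssi, mac, switch, port, mac == bssid))
    return sorted(findings, key=lambda f: f.rssi_dbm, reverse=True)


if __name__ == "__main__":
    for f in find_rogues_on_wire(HEARD_BSSIDS, MANAGED_BSSIDS, WIRED_MAC_TABLE, tolerance=16):
        kind = "exact" if f.exact else "near"
        print(f"{f.bssid} ({f.rssi_dbm} dBm) on {f.switch} {f.port} [{kind} match]")
```

The switch and port in each finding are what make the result actionable: the WLC only knows the rogue is on the wire somewhere, while the wired MAC table tells you which port to shut.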
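As an added example that is not part of the original lecture, the code below encodes the discovery and selection behaviour just described: the 60-second alternation between CAPWAP and LWAPP, then the join order of configured primary/secondary/tertiary, master, and finally greatest available capacity. The controller names, licensed capacities and join counts are constructed; the example deliberately includes a small controller with few APs joined and a large one with many, to show that "greatest available capacity" is not the same as "fewest APs".

```python
# Added example (not from the original lecture): the controller selection order
# described in the text, as a function over the controllers a LAP discovered.
# Controller names, capacities and join counts are constructed.

from dataclasses import dataclass
from typing import Optional


@dataclass
class Wlc:
    name: str
    max_aps: int          # AP capacity of this controller model
    joined_aps: int       # APs currently associated
    is_master: bool = False

    @property
    def free_capacity(self) -> int:
        return self.max_aps - self.joined_aps


def select_wlc(discovered: list[Wlc], configured: list[str] = ()) -> Optional[Wlc]:
    """Pick the WLC a LAP joins from those that answered discovery.

    1. The first configured name (primary, secondary, tertiary) that answered.
    2. Otherwise the controller configured as master.
    3. Otherwise the controller with the greatest free capacity, which is not
       necessarily the one with the fewest joined APs, since models differ in size.
    """
    by_name = {w.name: w for w in discovered}
    for name in configured:
        if name in by_name:
            return by_name[name]
    for w in discovered:
        if w.is_master:
            return w
    if not discovered:
        return None
    return max(discovered, key=lambda w: w.free_capacity)


def discovery_schedule(seconds: int, interval: int = 60) -> list[str]:
    """Protocol the LAP is trying in each interval while nothing answers:
    CAPWAP first, LWAPP after 60 s, then alternating until a WLC responds."""
    return ["CAPWAP" if (t // interval) % 2 == 0 else "LWAPP"
            for t in range(0, seconds, interval)]


# Constructed controllers for the demonstration.
SAMPLE_WLCS = [
    Wlc("wlc-a", max_aps=50, joined_aps=20),             # 30 free, many joined
    Wlc("wlc-b", max_aps=500, joined_aps=300, is_master=True),
    Wlc("wlc-c", max_aps=6, joined_aps=1),               # 5 free, fewest joined
]

if __name__ == "__main__":
    print(discovery_schedule(240))
    print(select_wlc(SAMPLE_WLCS, ["wlc-x", "wlc-c"]).name)   # secondary answers
    print(select_wlc(SAMPLE_WLCS).name)                       # master
    without_master = [w for w in SAMPLE_WLCS if not w.is_master]
    print(select_wlc(without_master).name)                    # most free capacity
```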
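As an added example that is not part of the original lecture, the script below applies the two conditions just given for a cross-controller neighbor relationship (a neighbor message heard at -80 dBm or stronger, and matching RF group passwords on both controllers) to a set of constructed neighbor reports, and then merges controllers into RF groups with a union-find pass. The APs, controllers, passwords and RSSI values are all constructed; the lecture does not say how the group master is elected, so that step is not modelled.

```python
# Added example (not from the original lecture): derive RF groups from the two
# conditions in the text: an AP hears a neighbor message at -80 dBm or stronger,
# and the two controllers share the same RF group password. All APs,
# controllers, passwords and RSSI values are constructed.

NEIGHBOR_THRESHOLD_DBM = -80

# Constructed: which WLC each AP joined, and each WLC's RF group password.
AP_TO_WLC = {"ap1": "wlc-a", "ap2": "wlc-a", "ap3": "wlc-b", "ap4": "wlc-c", "ap5": "wlc-d"}
WLC_GROUP_PASSWORD = {"wlc-a": "campus", "wlc-b": "campus", "wlc-c": "campus", "wlc-d": "labs"}

# Constructed neighbor reports: (hearing AP, heard AP, RSSI in dBm).
NEIGHBOR_REPORTS = [
    ("ap1", "ap2", -55),   # same controller, nothing new to merge
    ("ap2", "ap3", -72),   # wlc-a hears wlc-b strongly enough: one group
    ("ap3", "ap4", -85),   # below -80 dBm, no relationship
    ("ap4", "ap5", -60),   # strong, but the group passwords differ
]


def neighbor_relationship(hearing_ap, heard_ap, rssi_dbm,
                          ap_to_wlc=AP_TO_WLC, passwords=WLC_GROUP_PASSWORD):
    """Both conditions from the text must hold for the controllers to coordinate."""
    wlc_a, wlc_b = ap_to_wlc[hearing_ap], ap_to_wlc[heard_ap]
    strong_enough = rssi_dbm >= NEIGHBOR_THRESHOLD_DBM
    same_password = passwords[wlc_a] == passwords[wlc_b]
    return strong_enough and same_password


def rf_groups(reports, ap_to_wlc=AP_TO_WLC, passwords=WLC_GROUP_PASSWORD):
    """Union-find over controllers: every qualifying neighbor relationship
    merges the two controllers' groups. Returns sorted lists of WLC names."""
    parent = {w: w for w in passwords}

    def find(w):
        while parent[w] != w:
            parent[w] = parent[parent[w]]   # path halving keeps lookups short
            w = parent[w]
        return w

    for hearing, heard, rssi in reports:
        if neighbor_relationship(hearing, heard, rssi, ap_to_wlc, passwords):
            parent[find(ap_to_wlc[hearing])] = find(ap_to_wlc[heard])

    groups = {}
    for w in parent:
        groups.setdefault(find(w), []).append(w)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in rf_groups(NEIGHBOR_REPORTS):
        print("RF group:", ", ".join(group))
```

Two controllers that should share one RF group but show up in separate groups here point at either a password mismatch or APs that simply cannot hear each other above -80 dBm; the report that fails tells you which.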