Autonomous WLAN Architecture
Components: Autonomous AP
Features
Uses WDS
Supports User Authentication Cache
Cisco's network management software is WLSE
ACS supports RADIUS/TACACS+ server
Supports PoE
WDS (WLAN Domain Service)
AP-Based WDS
L2 Fast Secure Roaming (IAPP); only L2 roaming is possible.
Scalable WLAN Management
Advanced Radio Frequency Management Control
Enhanced WLAN Security
Cannot provide a complete QoS solution
WDS can push configuration to the APs
RF management can be controlled by the WDS.
Switch-Based WDS (extends the functions of AP-Based WDS)
Supports L2 / L3 roaming (IAPP / Mobile IP)
Can provide end-to-end QoS
Can provide end-to-end security
WLSE (Cisco Wireless LAN Solution Engine)
Software used to manage Cisco Aironet Wi-Fi devices such as wireless APs. Its role is to simplify the configuration and monitoring of Aironet devices, and it includes a security function that detects unauthorized access points. If an attacker takes control of this management tool, they could hide unauthorized access points or change the radio frequency plan, which could bring down the entire system.
Note:
The WLSE is not used to control LAPs.
………………………………………….
Cisco Unified Wireless Network Architecture
The components are as follows:
1. LAP (lightweight access point)
A LAP performs only the real-time 802.11 operations.
The LAP gets its name because the code image and the local intelligence are stripped down, or lightweight, compared to the traditional autonomous AP.
e.g. Aironet 1200 series AP
2. WLC (wireless LAN controller)
The management functions are all performed on a WLC, which is common to many LAPs.
Main functions: authentication, mobility, security management
Features
Cisco's network management software is WCS
Supports a Location Server for tracking LWAPs
ACS supports RADIUS/TACACS+ server
Supports PoE
WCS (Cisco Wireless Control System)
An optional server platform that can be used as a single GUI front-end to all the WLCs in a network.
From the WCS, you can perform any WLAN management or configuration task, as well as RF planning and wireless user tracking.
…
Lightweight AP Operation
1. The LAP obtains an IP address from DHCP.
Note: If the AP does not receive an address, it continues to send requests indefinitely.
2. The LAP looks for all WLCs on its network segment.
Note: LAPs are generally connected at the access layer; WLCs are generally connected at the distribution layer.
3. The LAP sends a join request to the first WLC; if there is no response, it sends the request to the next WLC, and so on until the join succeeds.
Note: A LAP can record 3 WLCs: primary, secondary and tertiary.
4. The LAP compares its code image with the WLC's; if they differ, it downloads the code image from the WLC and reboots.
5. The LAP and WLC establish two encapsulated tunnels:
an encrypted LWAPP or CAPWAP tunnel, used for management;
an unencrypted LWAPP or CAPWAP tunnel, used for client data.
Note:
LAPs do not support connecting to the network via a trunk port.
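The join sequence above, simulated in Python as an added example (not code from the notes or from Cisco): DHCP, discovery, ordered join attempts across the three remembered controllers, the image check, and the tunnel set-up, plus a defender-side check that fires when a LAP ends up on a controller outside its configured list. Controller names, image versions and reachability flags are constructed; the fallback to any other discovered controller after the configured three are exhausted is an assumption of the simulation, not something the notes state.

```python
"""Simulation of the lightweight AP join sequence (DHCP -> discovery ->
ordered join attempts -> image check -> tunnels). Added example; the
controller names, images and reachability flags below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Wlc:
    name: str
    image: str                  # code image the controller hands out (step 4)
    reachable: bool = True      # answers discovery on the segment (step 2)
    accepts_joins: bool = True  # answers join requests (step 3)


@dataclass
class Lap:
    name: str
    image: str
    configured: List[str]       # primary, secondary, tertiary (step 3 note)
    has_address: bool = False
    joined: Optional[str] = None
    events: List[str] = field(default_factory=list)


def step1_dhcp(lap: Lap, dhcp_offers_address: bool) -> bool:
    """Step 1: without an address the LAP keeps requesting and goes no further."""
    lap.has_address = dhcp_offers_address
    lap.events.append("dhcp ok" if dhcp_offers_address else "dhcp: no address, retrying")
    return dhcp_offers_address


def step2_discover(segment: List[Wlc]) -> List[Wlc]:
    """Step 2: every WLC that answers discovery on the segment."""
    return [w for w in segment if w.reachable]


def join_sequence(lap: Lap, segment: List[Wlc], dhcp_offers_address: bool = True) -> Optional[str]:
    """Steps 1-5. Returns the name of the WLC joined, or None.
    Assumption (not in the notes): once the three remembered controllers are
    exhausted the LAP tries any other controller that answered discovery."""
    if not step1_dhcp(lap, dhcp_offers_address):
        return None
    discovered = {w.name: w for w in step2_discover(segment)}
    order = [n for n in lap.configured if n in discovered]
    order += [n for n in discovered if n not in lap.configured]
    for name in order:
        wlc = discovered[name]
        if not wlc.accepts_joins:
            lap.events.append(f"join request to {name}: no response")
            continue
        if wlc.image != lap.image:  # step 4: pull the controller's image and reboot
            lap.events.append(f"image {lap.image} != {wlc.image}: downloading from {name} and rebooting")
            lap.image = wlc.image
        lap.joined = name           # step 5: control (encrypted) + data (clear) tunnels
        lap.events.append(f"joined {name}: encrypted control tunnel + clear data tunnel up")
        return name
    lap.events.append("no WLC accepted the join; back to discovery")
    return None


def audit_join(lap: Lap) -> List[str]:
    """Defender check: discovery accepts any controller that answers on the
    segment, so a LAP on a controller outside its configured list is worth an alert."""
    if lap.joined and lap.joined not in lap.configured:
        return [f"{lap.name} joined unconfigured controller {lap.joined}"]
    return []


def demo():
    # Constructed scenario: primary is up but not answering joins, secondary is
    # down, and a controller the LAP was never told about answers discovery.
    segment = [
        Wlc("wlc-primary", image="7.0.98", accepts_joins=False),
        Wlc("wlc-secondary", image="7.0.98", reachable=False),
        Wlc("wlc-unknown", image="7.0.116"),
    ]
    lap = Lap("ap-lobby", image="7.0.98",
              configured=["wlc-primary", "wlc-secondary", "wlc-tertiary"])
    joined = join_sequence(lap, segment)
    return joined, lap.image, audit_join(lap), lap.events


if __name__ == "__main__":
    joined, image, findings, events = demo()
    print("\n".join(events))
    print("findings:", findings)
```

In the constructed scenario the LAP walks past the unresponsive primary and the unreachable secondary, upgrades its image from the unknown controller and joins it; `audit_join` is the part a monitoring job would keep, since the notes make clear that discovery will take whatever controller answers on the segment.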
LWAPP (Lightweight Access Point Protocol)
The tunneling protocol developed by Cisco
There are two kinds of LWAPP tunnel:
L2 Mode Tunnel:
All traffic is encapsulated in Ethernet frames
No IP packets are used.
EtherType: 0xBBBB
The LWAP and WLC must be on the same LAN (broadcast domain)
Less flexible: planning the wireless environment is constrained whenever it must span different network segments.
L3 Mode Tunnel:
uses UDP source port 1024 and destination port 12222 (for data) on the WLC end
uses UDP source port 1024 and destination port 12223 (for management) on the WLC end
Mobile IP is encapsulated on UDP 16666 and 16667
More flexible; does not need to be in the same VLAN
Requires an IP address
LWAPP traffic types:
LWAPP controller messages: control signalling for management
Encrypted with AES, exchanged between the WLC and LWAP
Wireless client data frames: client data
Not encrypted; only IP-EtherType frames are carried
By default multicast / broadcast traffic is not forwarded
WLC Discovery Process:
The LAP will send Layer 2 LWAPP mode discovery request messages. If the attempt fails, the LAP will try Layer 3 LWAPP WLC discovery.
CAPWAP (Control and Provisioning of Wireless Access Points)
A standards-based tunneling protocol; CAPWAP is defined in RFC 4118.
uses UDP destination ports 5246 and 5247 on the WLC end
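An added example (not code from the notes or from Cisco) that ties the L3 tunnel ports listed above for LWAPP, Mobile IP and CAPWAP to a small parser for the CAPWAP transport header, so the encrypted-control/cleartext-data split the notes describe can be checked on the wire. Assumptions: the header byte layout follows RFC 5415 (the notes cite RFC 4118); port 5246 is treated as control and 5247 as data; the sample datagrams are constructed by hand, not captured from equipment.

```python
"""Classify datagrams sent to a WLC by UDP port (LWAPP 12222/12223, CAPWAP
5246/5247, Mobile IP 16666/16667, as listed in the notes) and decode the
CAPWAP transport header. Added example; layout per RFC 5415 (assumption),
sample datagrams constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

WLC_PORTS: Dict[int, Tuple[str, str]] = {
    12222: ("lwapp", "data"),
    12223: ("lwapp", "control"),
    5246: ("capwap", "control"),   # assumption: 5246 control, 5247 data
    5247: ("capwap", "data"),
    16666: ("mobile-ip", "tunnel"),
    16667: ("mobile-ip", "tunnel"),
}


@dataclass
class CapwapHeader:
    version: int
    dtls: bool                       # preamble type 1: a DTLS record follows, header not readable
    hlen_bytes: int = 0
    rid: int = 0                     # radio ID
    wbid: int = 0                    # wireless binding ID (1 = IEEE 802.11)
    native_frame: bool = False       # T bit: payload in the WBID's native format, else 802.3
    radio_mac_present: bool = False  # M bit
    frag_id: int = 0
    frag_offset: int = 0


def parse_capwap_header(datagram: bytes) -> CapwapHeader:
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the CAPWAP preamble")
    version, ptype = datagram[0] >> 4, datagram[0] & 0x0F
    if ptype == 1:
        return CapwapHeader(version=version, dtls=True)
    if ptype != 0:
        raise ValueError(f"unknown CAPWAP preamble type {ptype}")
    if len(datagram) < 8:
        raise ValueError("truncated CAPWAP transport header")
    # bits 8..31 of the first word: HLEN(5) RID(5) WBID(5) T F L W M K flags(3)
    bits = (datagram[1] << 16) | (datagram[2] << 8) | datagram[3]
    hlen_words = (bits >> 19) & 0x1F          # header length in 4-byte words
    frag_id, off_word = struct.unpack("!HH", datagram[4:8])
    hdr = CapwapHeader(
        version=version, dtls=False, hlen_bytes=hlen_words * 4,
        rid=(bits >> 14) & 0x1F, wbid=(bits >> 9) & 0x1F,
        native_frame=bool((bits >> 8) & 1), radio_mac_present=bool((bits >> 4) & 1),
        frag_id=frag_id, frag_offset=off_word >> 3,   # 13-bit offset, 3 reserved bits
    )
    if hdr.hlen_bytes < 8 or hdr.hlen_bytes > len(datagram):
        raise ValueError(f"HLEN {hdr.hlen_bytes} inconsistent with datagram length")
    return hdr


def audit_datagram(dst_port: int, datagram: bytes) -> str:
    """Label one datagram. The notes say the management tunnel is the encrypted
    one, so a CAPWAP control datagram that is not DTLS-protected is flagged."""
    if dst_port not in WLC_PORTS:
        return "other"
    proto, plane = WLC_PORTS[dst_port]
    if proto != "capwap":
        return f"{proto}/{plane}"
    try:
        hdr = parse_capwap_header(datagram)
    except ValueError as exc:
        return f"capwap/{plane}/malformed: {exc}"
    if plane == "control":
        return "capwap/control/dtls" if hdr.dtls else "capwap/control/CLEARTEXT-ALERT"
    return f"capwap/data/{'native' if hdr.native_frame else '802.3'}"


# Constructed datagrams: preamble 0x01 = DTLS follows; 0x00 = plaintext header, HLEN = 2 words.
SAMPLES: List[Tuple[int, bytes]] = [
    (5246, b"\x01\x00\x00\x00" + b"\x16\xfe\xfd" + b"\x00" * 10),       # DTLS-protected control
    (5247, b"\x00\x10\x43\x00\x00\x00\x00\x00" + b"\x08\x02\x00\x00"),  # data, WBID=1, T=1
    (5246, b"\x00\x10\x42\x00\x00\x00\x00\x00" + b"\x00\x00\x00\x01"),  # control sent in the clear
    (12223, b"\x00" * 12),                                              # LWAPP control
    (5247, b"\x00\x10"),                                                # truncated
    (53, b"\x00" * 12),                                                 # not a WLC tunnel port
]


def run_audit(samples=SAMPLES) -> List[str]:
    return [audit_datagram(port, data) for port, data in samples]


if __name__ == "__main__":
    for (port, _), label in zip(SAMPLES, run_audit()):
        print(port, label)
```

Only the preamble byte is needed to tell a DTLS-protected control datagram from one sent in the clear, which is why the check is cheap enough to run on every datagram at a capture point between the access and distribution layers.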
If a Cisco LAP loses contact with its WLC:
1. The LAP searches for another WLC.
2. All clients are disconnected until the LAP connects to another WLC.
Note:
With a Cisco Hybrid Remote Edge Access Point (HREAP), clients can keep operating when contact with the WLC is lost.
Note:
Aironet Desktop Utility (ADU)
1. Can support only one wireless client adapter installed and used at a time.
2. Can be used to establish the association between the client adapter and the access point, manage authentication to the wireless network, and enable encryption.
3. Can be used to enable or disable the adapter radio and to configure LEAP authentication with dynamic WEP.
4. The Microsoft Wireless Configuration Manager can be configured to display the Aironet System Tray Utility (ASTU) icon in the Windows system tray.
Intercontroller roaming
The WLCs are configured into logical mobility groups.
A client can roam to any LAP (and its associated WLC) as long as it stays within a mobility group.
A mobility group can have up to 24 WLCs of any type or platform.
Note:
For same-controller roaming, the SSID must be the same.
The switch connected to the LAP needs no special commands; it only needs to be given the correct VLAN.
Example:
Sample configuration for a LAP connected to switch port Gi1/0/10
Switch(config)# vlan 100
Switch(config-vlan)# name ap-management
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet1/0/10
Switch(config-if)# switchport
Switch(config-if)# switchport access vlan 100
Switch(config-if)# switchport mode access
Switch(config-if)# spanning-tree portfast
Switch(config-if)# power inline auto
Switch(config-if)# exit
The switch connected to the WLC must be able to reach every LAP, so trunk mode can be used.
Example:
Sample configuration for a WLC connected to switch port Gi1/0/20
Switch(config)# interface gigabitethernet1/0/20
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport mode trunk
Switch(config-if)# spanning-tree portfast trunk
Switch(config-if)# no shutdown
Switch(config-if)# exit
Note:
Cisco Compatible Extensions program
Objective
To provide customers with a broad range of WLAN client devices that have been tested for interoperability with Cisco Aironet innovations
Features
1. Mobility
2. Security
3. VLAN and QoS
Reference
http://smalleaf.blogspot.com/2010/07/ccna-wireless-iuwne640-721.html
http://nkongkimo.wordpress.com/category/ccnp-bcmsn-module-06/