
Controller & LWAPP Architecture Overview






Presentation Transcript


  1. Controller & LWAPP Architecture Overview

  2. Centralized Wireless LAN Architecture: Overview
  • Processing is split between APs and controllers
  • 802.11 functionality is shared between the two
  • Central management: the AP is essentially a remote RF interface
  • Based on the LWAPP protocol
  • APs hold no WLAN security credentials (PSKs, RADIUS secrets and client keys live on the controller); the AP still needs an identity of its own to complete the mutual authentication of the LWAPP join (slide 10)
  • APs are unusable without a controller: just expensive paperweights!
  • Data traffic can be bridged locally at the AP or centrally at the controller

  3. Centralized Wireless LAN Architecture: AP/Controller Division of Labor
  Controller
  • 802.11 MAC management: (re)association requests and action frames
  • 802.11 data: encapsulated and sent to the AP
  • 802.11e resource reservation: the control protocol is carried to the AP in 802.11 management frames; the signaling is done in the controller
  • 802.11i authentication and key exchange
  AP
  • 802.11: beacons, probe responses, authentication (if open)
  • 802.11 control: packet ACK and retransmission (latency-sensitive)
  • 802.11e: frame queuing and packet prioritization (real-time access)
  • 802.11i: Layer 2 encryption

  4. Centralized Wireless LAN Architecture: What Is LWAPP?
  • LWAPP (Lightweight Access Point Protocol) is used between the APs and the WLAN controller
  • LWAPP carries both control and data traffic between the two
  • The control plane is AES-CCM encrypted
  • The data plane is not encrypted: the client's 802.11 frames, already decrypted by the AP, cross the wired network to the controller in the clear unless they are protected at a higher layer
  • It facilitates centralized management and automated configuration
  • Open, standards-based protocol (submitted to the IETF CAPWAP working group)

  5. LWAPP Modes: Layer 2 and Layer 3 LWAPP
  • Layer 2 LWAPP is carried in an Ethernet frame
  • AP and WLC must be in the same Layer 2 domain
  • Layer 3 LWAPP is carried in a UDP/IP packet
  • The AP needs an IP address
  • Supports routing between the AP and the WLC
  • LWAPP-L3 is the preferred solution

  6. Layer-3 LWAPP Architecture
  • The wired network between APs and the WLC can be a single broadcast domain or multiple routed ones
  • The WLC is the ingress/egress point to the upstream switched/routed wired network (802.1Q trunk)
  • Access Points require IP addressing
  • APs can communicate with the WLC across routed boundaries
  • L3 LWAPP is more flexible than L2 LWAPP, and all products support this LWAPP operational "flavor"
  • L3 LWAPP tunnel: data encapsulation on UDP 12222, control messages on UDP 12223
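The two UDP ports and the cleartext data plane are what an analyst on the wired segment between an AP and its controller would start from. The following decoder is an added example for this page, not Cisco code: it classifies a Layer-3 LWAPP datagram by port and by the C bit of the transport header, whose layout (flags, Frag ID, Length, Status/WLANs) follows the expired IETF draft draft-ohara-capwap-lwapp, and then reads the 802.11 frame a data-plane datagram carries. The datagrams, MAC addresses and inner packet are constructed test data, not captures.

```python
"""Decode LWAPP Layer-3 datagrams by UDP port and transport header.

Added example for this page; it is not Cisco code. The transport header layout
(flags, Frag ID, Length, Status/WLANs) follows the expired IETF draft
draft-ohara-capwap-lwapp; the datagrams below are constructed, not captured.
"""
import struct

LWAPP_DATA_PORT = 12222     # data-plane tunnel (slide 6)
LWAPP_CONTROL_PORT = 12223  # control-plane messages (slide 6)
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"


def parse_lwapp(udp_dst_port, datagram):
    """Return the LWAPP transport-header fields of one UDP datagram.

    Flags byte: VER(2) RID(3) C(1) F(1) L(1); then Frag ID (1), Length (2),
    Status/WLANs (2). Raises ValueError if the port and the C bit disagree.
    """
    if udp_dst_port not in (LWAPP_DATA_PORT, LWAPP_CONTROL_PORT):
        raise ValueError("not an LWAPP port: %d" % udp_dst_port)
    if len(datagram) < 6:
        raise ValueError("truncated LWAPP header")
    flags, frag_id, length, status = struct.unpack("!BBHH", datagram[:6])
    is_control = bool(flags & 0x04)
    if is_control != (udp_dst_port == LWAPP_CONTROL_PORT):
        raise ValueError("C bit does not match UDP port %d" % udp_dst_port)
    return {
        "plane": "control" if is_control else "data",
        "version": flags >> 6,
        "rid": (flags >> 3) & 0x07,       # radio ID on the AP
        "fragment": bool(flags & 0x02),   # F bit
        "l_flag": bool(flags & 0x01),     # L bit (fragment ordering)
        "frag_id": frag_id,
        "length": length,
        "status": status,
        "payload": datagram[6:6 + length],
    }


def decode_inner_80211(payload):
    """Decode the 802.11 frame carried in a data-plane payload.

    The AP strips 802.11i encryption before tunnelling (slide 12), so the
    frame arrives in the clear: the Protected bit should be 0 and the LLC/SNAP
    EtherType and the client's packet are readable by anyone on the wired path.
    Only the 24-byte header without QoS/Addr4 fields is handled here.
    """
    fc, _duration = struct.unpack("<HH", payload[:4])  # Frame Control is little-endian
    info = {
        "type": (fc >> 2) & 0x3,          # 0 mgmt, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),
        "addr1": payload[4:10].hex(":"),
        "addr2": payload[10:16].hex(":"),
        "addr3": payload[16:22].hex(":"),
        "ethertype": None,
        "body": payload[24:],
    }
    if info["type"] == 2 and info["body"][:6] == LLC_SNAP:
        info["ethertype"] = struct.unpack("!H", info["body"][6:8])[0]
        info["body"] = info["body"][8:]
    return info


def build_datagram(control, payload, rid=0):
    """Wrap a payload in an LWAPP transport header (constructed test input)."""
    flags = (rid << 3) | (0x04 if control else 0)
    return struct.pack("!BBHH", flags, 0, len(payload), 0) + payload


def sample_data_datagram():
    """Constructed data-plane datagram: a client-to-AP (ToDS) 802.11 data frame
    with an LLC/SNAP IPv4 header and a stand-in for the IP packet."""
    client = bytes.fromhex("001122334455")
    bssid = bytes.fromhex("00aabbccddee")
    gateway = bytes.fromhex("0011aa22bb33")
    frame = (b"\x08\x01"                 # Frame Control: data, ToDS=1, Protected=0
             + b"\x00\x00"               # Duration
             + bssid + client + gateway  # Addr1=BSSID, Addr2=SA, Addr3=DA (ToDS)
             + b"\x10\x00"               # Sequence Control
             + LLC_SNAP + b"\x08\x00"    # SNAP header, EtherType IPv4
             + b"<constructed IPv4 packet: GET /login?user=alice>")
    return build_datagram(control=False, payload=frame, rid=1)


if __name__ == "__main__":
    hdr = parse_lwapp(LWAPP_DATA_PORT, sample_data_datagram())
    inner = decode_inner_80211(hdr["payload"])
    print(hdr["plane"], hex(inner["ethertype"]), inner["protected"], inner["body"])
```

Run stand-alone it prints `data 0x800 False` followed by the inner packet: the whole client payload is recoverable from the wire between AP and WLC without any key. A port/C-bit mismatch raises, which is the cheapest sanity check before trusting a datagram on these ports.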

  7. LWAPP State Machine (Simplified)
  • LWAPP defines a state machine that governs AP and controller behavior
  • Major states:
  • Discovery: the AP looks for a controller
  • Join: the AP attempts to establish a secured relationship with a controller
  • Image Data: the AP downloads code from the controller
  • Config: the AP receives its configuration from the controller
  • Run: AP and controller operate normally and service data
  • Reset: the AP clears its state and starts over
  • Note: the LWAPP draft and the CAPWAP RFC (RFC 5415) define additional states

  8. Layer-3 LWAPP WLAN Controller Discovery
  • The AP goes through the following discovery steps:
  • LWAPP Discovery Request broadcast on the local subnet (IP broadcast); a WLAN controller on the same subnet as the AP responds to it
  • LWAPP Discovery Request sent to controller IP addresses learned via Over-the-Air Provisioning (OTAP): already-joined APs advertise their WLAN controller in over-the-air neighbor messages
  • LWAPP Discovery Request sent to ALL locally stored controller IP addresses: the AP stores in NVRAM the IP address of the controller it previously joined plus that controller's "Mobility Group" members
  • LWAPP Discovery Request sent to the IP address(es) learned from vendor-specific DHCP Option 43
  • LWAPP Discovery Request sent to the IP address(es) learned through DNS resolution of "CISCO-LWAPP-CONTROLLER.localdomain"
  • If no controller is found, the hunting algorithm starts over
  • The AP compiles a LIST of candidate controllers from the LWAPP Discovery Responses it receives

  9. WLAN Controller Join Process
  • The LWAPP Discovery Response carries important information from the WLAN controller:
  • Controller sysName, controller type, controller AP capacity, current AP load, "Master Controller" status, AP Manager IP address(es) and the number of APs joined to each AP Manager
  • After the "LWAPP Discovery Interval" timer expires, the AP selects a controller to join using the following decision criteria, in order:
  • If the AP has been configured with a primary, secondary and/or tertiary controller (identified by controller sysName), it attempts to join these first
  • Otherwise, attempt to join a WLAN controller configured as a "Master" controller
  • Otherwise, attempt to join the WLAN controller with the greatest excess AP capacity
  • This last step gives the whole system dynamic AP load balancing
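Slides 8 and 9 together describe one procedure: gather controller candidates from several sources, then pick one by a fixed precedence. The simulation below is an added example for this page, not Cisco's AP firmware logic. It encodes the discovery order of slide 8 (subnet broadcast, OTAP, NVRAM list, DHCP Option 43, DNS), parses Option 43 as the Cisco sub-option 241 (0xf1) TLV of IPv4 addresses, and applies the join precedence of slide 9. All controller names, addresses and the DNS answer are constructed test data; the real AP also waits for the discovery interval timer, which is not modelled.

```python
"""Simulate a lightweight AP's controller discovery and join selection.

Added example for this page, not Cisco code. Discovery sources and selection
order follow slides 8 and 9; DHCP option 43 is decoded as Cisco sub-option
241 (0xf1) carrying packed IPv4 addresses. All data here is constructed.
"""
import ipaddress

DHCP43_LWAPP_SUBOPTION = 0xF1   # Cisco sub-option type for LWAPP controller addresses
CONTROLLER_DNS_NAME = "CISCO-LWAPP-CONTROLLER.localdomain"


def parse_dhcp_option43(raw):
    """Return the controller IPv4 addresses carried in an option 43 TLV list."""
    addrs, i = [], 0
    while i + 2 <= len(raw):
        sub_type, sub_len = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + sub_len]
        if sub_type == DHCP43_LWAPP_SUBOPTION and sub_len % 4 == 0:
            addrs += [str(ipaddress.IPv4Address(value[j:j + 4]))
                      for j in range(0, sub_len, 4)]
        i += 2 + sub_len
    return addrs


def discovery_targets(local_subnet, otap, nvram, dhcp43, dns_answers):
    """Ordered, de-duplicated list of destinations for LWAPP Discovery Requests.

    Order follows slide 8: subnet broadcast, OTAP neighbours, NVRAM list
    (previous controller plus its mobility group), DHCP option 43, DNS.
    """
    ordered = [str(ipaddress.IPv4Network(local_subnet).broadcast_address)]
    for source in (otap, nvram, parse_dhcp_option43(dhcp43), dns_answers):
        for ip in source:
            if ip not in ordered:
                ordered.append(ip)
    return ordered


def select_controller(responses, primary=None, secondary=None, tertiary=None):
    """Pick the controller to join from the collected Discovery Responses.

    Each response is a dict with sysName, capacity, load and master (bool).
    Precedence per slide 9: configured primary/secondary/tertiary by sysName,
    then any Master controller, then greatest excess capacity (capacity - load).
    Returns None when no controller answered (the AP would restart discovery).
    """
    by_name = {r["sysName"]: r for r in responses}
    for name in (primary, secondary, tertiary):
        if name and name in by_name:
            return by_name[name]
    masters = [r for r in responses if r.get("master")]
    if masters:
        return masters[0]
    if not responses:
        return None
    return max(responses, key=lambda r: r["capacity"] - r["load"])


# Constructed sample data: option 43 = f1 08 <10.0.1.5> <10.0.2.5>
DHCP43_SAMPLE = bytes.fromhex("f108" "0a000105" "0a000205")
RESPONSES_SAMPLE = [
    {"sysName": "WLC-A", "capacity": 100, "load": 95, "master": False},
    {"sysName": "WLC-B", "capacity": 50, "load": 10, "master": False},
    {"sysName": "WLC-C", "capacity": 25, "load": 24, "master": True},
]


if __name__ == "__main__":
    targets = discovery_targets("192.168.1.0/24", otap=["10.0.3.5"],
                                nvram=["10.0.1.5"], dhcp43=DHCP43_SAMPLE,
                                dns_answers=["10.0.9.9"])
    print("discovery targets:", targets)
    print("configured primary:", select_controller(RESPONSES_SAMPLE, primary="WLC-A")["sysName"])
    print("no config, master present:", select_controller(RESPONSES_SAMPLE)["sysName"])
    no_master = [r for r in RESPONSES_SAMPLE if not r["master"]]
    print("load-balanced choice:", select_controller(no_master)["sysName"])
```

The point to take from the simulation is that every discovery source except the NVRAM list is learned from the network (broadcast replies, neighbour advertisements, DHCP, DNS), so a host on the wired side can steer an AP toward an address of its choosing; what stops the AP from actually joining a rogue controller is the mutual authentication of the join in slide 10, not the discovery step.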

  10. Securing the LWAPP Join Process
  • LWAPP Join implements strong, certificate-based (X.509) mutual authentication between the AP and the WLC
  • The AES key established during the join is used to encrypt the payloads of subsequent LWAPP control messages; the data plane stays unencrypted (slide 4)

  11. LWAPP State Machine Review

  12. LWAPP Operations: Client Connections
  • The AP handles real-time 802.11 control and management
  • Non-real-time 802.11 functions are handled at the controller
  • The controller is the 802.1X authenticator and centrally stores each client's QoS and security context
  • 802.11 data frames are encrypted/decrypted at the RF interface (the AP)
  • "Action frames" are management frames as defined by 802.11

  13. Understanding Packet Flow in the Centralized Architecture

  14. Broadcast and Multicast on the WLC
  • By default, the WLC does not forward broadcast/multicast traffic to the WLAN
  • This has no impact on typical client DHCP and ARP behavior, because:
  • The WLC acts as an ARP proxy for the WLAN
  • The WLC acts as a DHCP relay agent for WLAN clients
