
Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide
January 2005
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
Text Part Number: OL-6217-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0406 R)
Cisco Aironet 1400 Series Wireless Bridge Deployment Guide
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
Contents

Audience 5
Acronyms and Terms 6
Cisco SWAN Framework Overview 7
Cisco SWAN Framework Components 11
    Software Components 12
    Hardware Components 12
Implementing the Cisco SWAN Framework 13
    Common Tasks 14
        Configuring the CiscoSecure ACS Server for Infrastructure Authentication 14
        Configuring the Local RADIUS Server on the Access Point for Infrastructure Authentication 18
        Configuring the AAA Server to Support WLAN Client Authentication 18
        Preparing the CiscoWorks WLSE for Managing WLAN Devices 18
    Distributed WDS Solution Configuration 21
        Configuring the WDS Access Point 21
        Configuring the Infrastructure Access Point 23
        Managing the Access Points with the CiscoWorks WLSE 24
        Validating the Configuration 24
    Infrastructure Integrated WDS Solution Configuration 25
        Configuring the Catalyst 6500 Supervisor 720 25
        Configuring the WDS on the WLSM 26
        Configuring the Infrastructure Access Points 27
        Managing the WLSM and Access Points with the CiscoWorks WLSE 28
        Validating the Setup 29
    Fast Secure Roaming with Cisco Centralized Key Management (CCKM) 30
        When Not Using Multiple Encryption Types 31
        When Using Multiple Encryption Types 31
        Configuring ACU to use CCKM 32
    Cisco SWAN Radio Management Features 33
        Preparing to Use Cisco SWAN Radio Management 34
        Cisco SWAN Radio Management Features 35
Conclusion 37

Audience

The Cisco Structured Wireless-Aware Network (SWAN) provides the framework to integrate and extend wired and wireless networks to deliver the lowest possible total cost of ownership for companies deploying wireless LANs (WLANs). Cisco SWAN extends “wireless awareness” into important elements of the network infrastructure, providing the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations have come to expect from their wired LANs.
This document provides a brief technical synopsis of the Cisco SWAN framework and functionality and provides details on implementing the solution.
The audience for this document is Cisco Systems Engineers, Consulting Systems Engineers, Product Sales Specialists, and Cisco customers implementing and evaluating the Cisco SWAN framework.
This document is not an extensive theoretical discussion on the Cisco SWAN framework; it is intended as a reference to outline the implementation procedures for selected Cisco SWAN components, features, and capabilities.
For a detailed review of Cisco SWAN features and benefits, read the Cisco SWAN brochure at:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a0080184925.html
Or visit the Cisco SWAN website:
http://www.cisco.com/go/swan

Acronyms and Terms

Table 1 Acronyms, Terms, and Definitions

Cisco SWAN: Cisco Structured Wireless Aware Network — Cisco’s framework for delivering integrated wired and wireless LAN networks.
WDS: Wireless Domain Service — Cisco IOS software functionality enabling advanced Cisco SWAN functionality.
WLCCP: Wireless LAN Context Control Protocol — A Cisco-defined control protocol for Cisco SWAN.
RM: Radio Management — Access points participating in radio management scan the radio environment and send reports to the WDS device on such radio information as potential rogue access points, associated clients, client signal strengths, and the radio signals from other access points.
AAA: Authentication, Authorization, and Accounting — A common acronym used to describe secure network access services.
CiscoWorks WLSE: CiscoWorks Wireless LAN Solution Engine — A component of the Cisco SWAN framework that provides many features for managing the wireless LAN, including making configuration changes, providing reports, collecting radio monitoring and management information, and performing device discovery.
ACS: CiscoSecure Access Control Server — An optional AAA product from Cisco that is often used with the Cisco SWAN framework.
WLSM: Wireless LAN Service Module — A service module component of the Cisco SWAN framework. The WLSM is a member of the Catalyst 6500 service module family that enables the Cisco SWAN switch-based WDS architecture.
Client: A wireless end-user device such as a laptop computer, PDA, or wireless IP phone.
MN: Mobile Node — In Cisco SWAN framework terminology, a mobile node is a valid, authenticated wireless client device.
Infrastructure Access Point: In the Cisco SWAN framework, an infrastructure access point is an access point that is registered with a WDS-host device and can deliver Cisco SWAN functionality.
WLAN Control Domain: A WLAN control domain consists of a WDS-host device, its registered infrastructure access points, and all of its mobile nodes.
WDS Host: An IOS-based Cisco device hosting WDS that is either a Cisco Aironet Access Point or the WLSM.
Access Point-Based WDS Architecture: The Access Point-Based WDS architecture is an architecture with Layer 2 WLAN control domains, where WDS is hosted on Cisco Aironet access points.
Switch-Based WDS Architecture: The Switch-Based WDS architecture is an architecture with Layer 3 WLAN control domains, where the WDS is hosted on the WLSM.
mGRE: Multipoint Generic Route Encapsulation — A tunneling encapsulation type defined by IETF RFC that is leveraged by the Cisco SWAN framework switch-based WDS solution.
CCKM: Cisco Centralized Key Management — A Cisco-defined encryption key management scheme that enables fast secure roaming within a WLAN control domain.
802.1X/EAP: 802.1X is an IEEE-defined mechanism for port access control, and Extensible Authentication Protocol (EAP) is an authentication protocol defined by IETF RFC. EAP is generic enough to be implemented in a number of ways, including Cisco LEAP, EAP-FAST, PEAP, EAP-TLS, and EAP-TTLS. The combination of 802.1X port access control and EAP authentication type is used to secure access to the WLAN.
Cisco LEAP: A Cisco-defined EAP type for secure access to the WLAN.
EAP-FAST: A Cisco-defined EAP type for secure access to the WLAN.
ACU: Cisco Aironet Client Utility.
ADU: Cisco Aironet Desktop Utility.

Cisco SWAN Framework Overview

Cisco SWAN provides the framework to integrate and extend wired and wireless networks to deliver the lowest possible total cost of ownership for companies deploying WLANs. Cisco SWAN extends "wireless awareness" into important elements of the network infrastructure, providing the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations have come to expect from their wired LANs.
The Cisco SWAN framework addresses two key issues with managing and operating WLANs: fast secure WLAN client roaming and radio management. Fast secure roaming allows WLAN clients to move association from one access point to another with little or no service disruption. Cisco SWAN radio management characterizes the radio transmission environment and responds to the conditions of the environment.
The Cisco SWAN framework can be visualized as a layered model. The Cisco SWAN framework layers are:
• Management Layer
• Wireless Domain Services Layer
• Infrastructure Access Point Layer
• Wireless Client Layer
The Cisco SWAN framework introduces WLCCP to facilitate control messaging between the framework components. Figure 1 illustrates the conceptual model of the Cisco SWAN framework, including the WLCCP messaging protocol. As shown in Figure 1, each layer is implemented in specific Cisco products.
Figure 1 Cisco SWAN Layers
The management layer supplies the processing of RM data from the lower layers, controlling and managing the radio coverage environment. This data is also used for securing the radio coverage environment by detecting rogue access points and wireless clients. Authentication, Authorization, and Accounting (AAA) services are also placed in the management layer.
The required management layer component is the CiscoWorks WLSE. An optional component is the CiscoSecure ACS. Other products with functionality equivalent to ACS may be used in Cisco SWAN.
The WDS layer provides critical services: WLAN client context awareness, fast secure roaming, and aggregation of radio management data from the infrastructure access point and client layer. WDS is implemented in supporting versions of Cisco IOS for the Cisco Aironet 1100 and 1200 series access points and on the special Cisco IOS running on the wireless LAN service module for the Catalyst 6500 switch platform. The solution architecture dictates whether to use the WDS access point or the WLSM implementation.
The infrastructure access point layer facilitates WLAN client access to the wired network, radio downlink encryption, and radio management data collection, including on-going radio monitoring.
The client layer includes all wireless clients. Advanced SWAN framework features take advantage of client-side capabilities to allow for radio measurement collection from the WLAN clients and fast secure roaming.
Figure 2 represents a logical, hierarchical view of the SWAN framework that clearly illustrates the importance of the WDS layer.
Figure 2 Cisco SWAN Logical View
[Figure 2 labels: WLAN control domain; WLSE; WDS; WLCCP messages; IP; 802.1x authenticator; data packets; ACS; RADIUS control domain]
WDS is configured to run on a supporting device—either a Cisco Aironet 1100 or 1200 for a Layer 2 architectural solution or the WLSM for a switch-based, Layer 3 solution. In both cases, infrastructure access points register with the WDS using special WLCCP messages.
Once registered, the infrastructure access points forward client association, authentication, and roaming information through the WDS via WLCCP MN registration messages, allowing the WDS to control and track wireless clients. If client authentication is implemented via any 802.1x with EAP (such as Cisco LEAP, EAP-FAST, PEAP, EAP-TLS, or EAP-TTLS), the WDS performs an additional important role by acting as the 802.1x authenticator for all wireless clients. In 802.1x authentication transactions, the WDS communicates directly with the RADIUS server. Any valid wireless client associated with an infrastructure access point and registered with the WDS.
A WDS, its registered infrastructure access points, and registered clients make up a WLAN control domain. Wireless clients can seamlessly roam between access points within a WLAN control domain. A WDS also collects radio management data from the infrastructure access points and, potentially, the MNs within the WLAN control domain via special WLCCP radio management (WLCCP-RM) messages. This data is aggregated by the WDS and passed on to the WLSE in WLCCP-RM messages. The WLSE uses this RM data to control and manage the radio coverage environment and to detect rogue access points and clients.
Cisco SWAN offers two basic WLAN architectures: an architecture supporting a Layer 2 WLAN control domain and an architecture supporting a Layer 3 WLAN control domain. The Layer 2 architecture leverages access point-based WDS. This architecture is called the access point-based WDS solution. The Layer 3 architecture leverages WLSM-based WDS and is called the switch-based WDS solution.
Figure 3 shows the access point-based WDS solution.
Figure 3 Access Point-Based WDS Solution
In the access point-based WDS solution, infrastructure access points discover the WDS via special WLCCP multicast messages. You must have an access point running WDS on each Layer 2 subnet. The solution supports up to 30 infrastructure access points when the WDS-host access point is also serving wireless clients and up to 60 infrastructure access points when the WDS-host access point is not serving wireless clients. The access point-based WDS solution facilitates seamless MN roaming across a Layer 2 WLAN control context.
Figure 4 shows the switch-based WDS solution.
Figure 4 Switch-Based WDS Solution
In the switch-based WDS solution, mGRE tunnels are built from the Catalyst 6500 switch hosting the WLSM where the WDS is running. Wireless client data is tunneled to the Catalyst 6500 switch where it is forwarded appropriately. The mGRE tunnel legs are built when the infrastructure access points register with the WDS on the WLSM. Wireless client authentication and MN registration WLCCP messages are forwarded to the WLSM for centralized processing. Unlike wireless client data traffic, WLCCP messages are not forwarded on the mGRE tunnel legs. Rather, these messages traverse the network like standard IP packets. The switch-based WDS architecture offers complete control and data plane separation, which are essential elements to true network scalability. The switch-based WDS solution facilitates seamless roaming across a Layer 3 WLAN control context and supports up to 300 registered infrastructure access points and 6000 MNs per WLSM.

Cisco SWAN Framework Components

The Cisco SWAN framework has software and hardware components. The software components are:
• WDS
• WLCCP
The hardware components are:
• WDS-host devices
• Infrastructure access points
• WLSE
• Cisco and Cisco compatible clients

Software Components

There are two software components essential to the operation of the Cisco SWAN framework: WDS and WLCCP.
WLCCP
WLCCP is a Cisco-defined control protocol that allows control communication between the Cisco SWAN components. WLCCP messages are used to authenticate and register Cisco SWAN components, constructing the Cisco SWAN control topology. The WLCCP messages are used in WLAN client association and authentication, and re-association and re-authentication during client roaming. WLCCP-RM is used to transfer radio measurement data between the Cisco SWAN components. A technical discussion of WLCCP is beyond the scope of this document.
WDS
WDS is a set of IOS services that define a WLAN control domain. Within a WLAN control domain, all infrastructure access points register with the WDS. After registration, 802.1x WLAN client authentications are forwarded through the WDS. Infrastructure access points register their associated WLAN clients with the WDS, so the WDS tracks all WLAN clients within the WLAN control domain. WDS also collects radio management data from infrastructure access points (and optionally mobile nodes), aggregates the data, and forwards it to the CiscoWorks WLSE for intelligent processing. WDS can be implemented on an access point or on the WLSM.
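The registration and authentication relationships described above (infrastructure access points authenticating to and registering with the WDS, the WDS acting as the 802.1x authenticator toward RADIUS, and CCKM re-keying for roaming inside the WLAN control domain), shown as an added Cisco IOS configuration example for the access point-based WDS solution. This configuration is not taken from this guide: the RADIUS server address 10.1.1.5, the WDS address 10.1.1.10, the shared secret, the method-list names, the SSID and the infrastructure account are assumed placeholders; the commands are the Cisco IOS access point wlccp, aaa and dot11 ssid commands.

```cisco
! ===== WDS-host access point (Cisco Aironet 1100/1200, IOS) =====
! Assumed placeholders: RADIUS server 10.1.1.5, shared secret, list names.
aaa new-model
aaa group server radius wds_radius
 server 10.1.1.5 auth-port 1812 acct-port 1813
! Method list used to authenticate infrastructure APs joining this WDS
aaa authentication login method_wds group wds_radius
! Method list used for the 802.1x/EAP client authentications the WDS
! performs as authenticator on behalf of the infrastructure APs
aaa authentication login method_client group wds_radius
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key ExampleSharedSecret
!
! Infrastructure APs must authenticate against method_wds before they are
! registered; the WDS then acts as the 802.1x authenticator for any EAP type
wlccp authentication-server infrastructure method_wds
wlccp authentication-server client any method_client
! Start WDS on this AP. Priority is 1-255; the highest priority on the
! subnet wins the WDS election, so give a dedicated WDS AP the highest value.
wlccp wds priority 254 interface BVI1
! If this WDS AP also serves wireless clients, it registers with itself and
! needs the same wlccp ap username line as the infrastructure APs below.

! ===== Infrastructure access point (Cisco Aironet 350/1100/1200, IOS) =====
aaa new-model
aaa group server radius rad_eap
 server 10.1.1.5 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key ExampleSharedSecret
! Credentials this AP presents to the WDS (an account that must exist on the
! RADIUS server behind method_wds). Use one account per AP so that a single
! compromised AP credential can be revoked without touching the others.
wlccp ap username ap-infra-01 password ExampleApPassword
! Optional: point at the WDS explicitly. Without it the AP discovers the WDS
! through WLCCP multicast on the local Layer 2 subnet.
wlccp ap wds ip address 10.1.1.10
!
! SSID with 802.1x/EAP and WPA+CCKM: the initial authentication goes through
! the WDS to RADIUS; later roams inside the WLAN control domain re-key through
! the WDS (CCKM) instead of repeating the full EAP/RADIUS exchange.
dot11 ssid corp-wlan
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa cckm
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid corp-wlan
```

Once both devices are configured, show wlccp wds ap on the WDS host lists the registered infrastructure access points and show wlccp ap on an infrastructure access point shows the WDS it registered with and its registration state. The infrastructure credential is what admits an access point to the WLAN control domain, so treat it like any other infrastructure secret: a strong, per-device password on the RADIUS server rather than one shared account for every access point.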

Hardware Components

The hardware required to implement the Cisco SWAN framework includes WDS hosting devices, infrastructure access points, and the CiscoWorks WLSE. Optional hardware components include WLAN client devices: Cisco Aironet client adapters and devices certified as part of the Cisco Compatible Extensions program.
WDS-Host Devices
WDS can be hosted on an access point or on the WLSM. WDS is supported on the Cisco Aironet 1100 and 1200 series IOS-based access points for the access point-based WDS solution. WDS is supported on the WLSM for the switch-based WDS solution.
Infrastructure Access Points
Infrastructure access points register with the WDS within the WLAN control domain. The Cisco Aironet 350, 1100, and 1200 series IOS-based access points are supported as infrastructure access points in the access point-based WDS solution. Cisco Aironet 1100 and 1200 series IOS-based access points are supported as infrastructure access points in the switch-based WDS solution.