Objectives
Upon completing this lesson, you will be able to <please complete here>. This ability includes
being able to meet these objectives:
SWITCH v1.08-4
8-4
[Figure: standalone WLAN architecture; labelled components: WLSE, WDS]
Network infrastructure with routers and switches. Switches can be used to supply power to the access points (PoE).
Wireless Domain Services (WDS) for radio frequency (RF) management and fast, secure roaming.
Cisco Secure Access Control Server (ACS) for security using the RADIUS and TACACS+ protocols.
[Figure: standalone WLAN architecture with ACS and WDS; data traffic between wireless clients flows via the switch]
The data traffic between two clients on the same subnet on different access points flows via the
Layer 2 switch infrastructure.
[Figure: controller-based WLAN architecture; labelled components: WCS, ACS, WLC]
Network infrastructure with routers and switches. Switches can be used to supply power to the access points (PoE).
Cisco Wireless LAN Controller (WLC) for the configuration of the access points.
Cisco Secure ACS for security using the RADIUS and TACACS+ protocols.
The controller-based architecture splits the processing of the 802.11 protocol between two
devices, the access point and a centralized Cisco WLC. The processing of the 802.11 data and
management protocols and the access point functionality is also divided between the two
devices. This approach is called split MAC.
The access point handles the portions of the protocol that have real-time requirements:
The frame exchange handshake between a client and access point when transferring a
frame over the air
The buffering and transmission of frames for clients in power save operation
Providing real-time signal quality information to the controller with every received frame
Monitoring each radio channel for noise, interference, and presence of other WLANs
All remaining functionality is handled in the Cisco Aironet WLC, where time-sensitivity is not
a concern and controller-wide visibility is required.
[Figure: LWAPP control and data traffic between access point and controller; label: 802.11 authentication]
The control traffic between the access point and the controller is encapsulated with LWAPP.
The control traffic is encrypted with the Advanced Encryption Standard (AES).
The data traffic between the access point and controller is also encapsulated with LWAPP. The
data traffic is not encrypted. It is switched at the WLAN controller, where VLAN tagging and
quality of service (QoS) are also applied.
[Figure: controller-based WLAN architecture with WCS, ACS and WLC; data traffic between wireless clients flows via the controller]
The data traffic between two clients flows via the wireless LAN controller.
Standalone versus controller-based solutions:

                            Standalone            Controller-based
Access points               Standalone IOS        Controller-based IOS
Configuration               Access point          WLAN controller
Operation                   Independent           Dependent on WLC
Management and monitoring   WLSE                  WCS
Redundancy                  Access point          Access point, WLAN controller
[Figure: Cisco Aironet access point models: 1130AG, 1140AGN, 1240AG, 1250AGN, 1400A, 1520AG]
Cisco Aironet 1130AG Series Access Point is for the carpeted enterprise that has little
environmental variability and operates within a controlled environment.
Cisco Aironet 1140AGN is the 802.11n draft 2.0 access point for the office environment.
Cisco Aironet 1240AG Series Access Point is for challenging environments that need a
ruggedized enclosure such as manufacturing, loading docks, and warehouses.
Cisco Aironet 1250AGN is the 802.11n draft 2.0 access point with external antennas, intended
for challenging environments.
Cisco Aironet 1300 Series Outdoor Access Point/Bridge or Cisco Aironet 1400 Series
Wireless Bridges offer high-speed, high-performance outdoor bridging for line-of-sight
applications. They both have a ruggedized enclosure for harsh outdoor environments with an
extended operating temperature range. Both are available in a standalone version only.
Cisco Aironet 1300 Series Outdoor Access Point/Bridge can be deployed as a standalone
access point, bridge, or workgroup bridge. It has a ruggedized enclosure and provides
high-speed and cost-effective wireless connectivity between multiple fixed or mobile networks
and clients.
Cisco Aironet 1520 Controller-based Outdoor Mesh Access Point is for cost-effective,
scalable deployment of secure outdoor WLANs for network connections within a campus
area, outdoor infrastructure for mobile users, or public access for outdoor areas.
WLAN Controllers
This subtopic describes the WLAN controller types:
Integrated controllers
WLAN controller module for ISR
3750G switch with integrated WLAN controller
WiSM module for 6500 switch
Depending on the size of the campus and whether integration with Layer 3 infrastructure
devices is desired, one of two categories of WLCs is typically deployed.
Appliance controllers from the Cisco 4400 Series can be used to support from six to 100 access
points. These controllers can support from 40 to 2000 wireless devices, depending on the mix
of data and voice clients. Layer 3 routing is supported on another platform. The Cisco 4400
Series connects to the enterprise network using an 802.1Q trunk.
Controllers integrated in Layer 3 devices such as the Cisco Catalyst 3750G Integrated Wireless
LAN Controller or the Cisco Catalyst 6500 Series WiSM support from 25 to 300 access points.
In this case, Layer 3 routing can be supported on the same platform. The integrated controllers
support Layer 2 connections internally and can use Layer 2 or Layer 3 connections to the wired
enterprise network.
The Cisco 2100 Series delivers WLAN services to small and medium-sized enterprise
environments. It supports up to six controller-based access points, making it a cost-effective
solution for smaller buildings and branch offices within a distributed enterprise.
The Cisco 4400 Series Wireless LAN Controller is designed for medium to large facilities. It is
available in two models:
WLAN controllers are also available for the Cisco Catalyst 6500 and Cisco Integrated Services
Routers (ISRs).
[Table: supported access-point counts per WLAN controller model (model names lost in extraction): 6 / 12 / 25; 8 / 12; 25 / 50; 12 / 25 / 50 / 100; 300]
These counts may change as products are updated. Please check http://www.cisco.com
for the latest information.
[Figure: standalone access point deployment; labelled component: DHCP server]
The standalone access points are connected to trunk ports on switches with Power over
Ethernet. Management and data VLANs are connected to the standalone access points.
The wireless LAN controller is connected to trunk ports on switches. Management and data VLANs are
connected to the wireless LAN controller.
The controller-based access points are connected to access ports on switches with Power over
Ethernet. Only the access point VLAN is connected to the controller-based access points.
[Figure: controller-based access point protocol; CAPWAP / LWAPP carries data between the access point and the WLC]

Split-MAC architecture:

Access point                WLAN controller
RF interface (radio)        Security policies
                            QoS policies
                            RF management
                            Mobility management
Hybrid REAP
H-REAP is an enhancement to REAP that also enables customers to configure and control two
or three access points in a branch or remote office from the corporate office through a WAN
link without deploying a controller in each office. The H-REAP access points can switch client
data traffic locally and perform client authentication locally when their connection to the
controller is lost. When they are connected to the controller, they can also send traffic back to
the controller.
H-REAP provides more security options for the remote site:
Disconnected mode: When the controller is not reachable by H-REAP, the device goes
into the stand-alone state and does client authentication by itself. In stand-alone mode,
H-REAP supports WPA-PSK and WPA2-PSK for client authentication.
Connected mode: When H-REAP can reach the controller, so that it is in a connected
state, H-REAP gets help from the controller to complete client authentication. In connected
mode, H-REAP supports WPA-PSK, WPA2-PSK, virtual private networks (VPNs), Layer
2 Tunneling Protocol (L2TP), Extensible Authentication Protocol (EAP), and web
authentication for client authentication.
H-REAP is more delay-sensitive than REAP; round-trip latency must not exceed 200 ms
between the access point and the controller, and LWAPP control packets must be prioritized
over all other traffic.
H-REAP supports a one-to-one NAT configuration. It also supports Port Address Translation
(PAT) for all features except true multicast. Multicast is supported across NAT boundaries
when configured using the Unicast option.
To decrease the cost and complexity of the installation, the access points can be powered over
an Ethernet cable, eliminating the need to run expensive AC power to remote access point
installation locations.
No electrician is required. Anyone qualified to run Category 5 cable can install the cabling that
is required to power Cisco Aironet access points. The standard Category 5 cable requirements
still apply (maximum 328 feet or 100 meters).
Power-sourcing equipment (PSE) can be switches, routers with switch modules, and power
injectors.
Powered devices are access points and other devices.
New PoE switches, such as the Catalyst 3560-24PS switch, can supply power of up to 15W per
port.
Up to 15W of power is required for dual-mode access points.
[Figure: access point power options (power adapter, power injector) compared by benefits and disadvantages; labels: Remote management]

Disadvantages of the power adapter and power injector:
Cannot be remotely managed
May require additional configuration on access points
Additional power cabling
The IEEE 802.3af standard will be enhanced with a new standard, 802.3at, which will provide
more power.
As an interim solution, Cisco's enhanced PoE provides up to 20W of power on the E-series
switches.
With IOS 12.2(46) and later, the 3560 and 3750 switches can power the 1250AG access point,
which requires 18W for full operation. With this IOS, the access point and the switch
communicate power capabilities via CDP. This allows the 1250AG access point to operate with a
reduced power of 15W.
IEEE 802.3af power classes:

Class   Usage                     Minimum power output at the PSE   Power range used by the powered device
0       Default                   15.4W                             0.44 to 12.95W
1       Optional                  4.0W                              0.44 to 3.84W
2       Optional                  7.0W                              3.84 to 6.49W
3       Optional                  15.4W                             6.49 to 12.95W
4       Reserved for future use   Treat as Class 0
PoE Configuration
This subtopic describes PoE Configuration
PoE switch port configuration:
switch(config-if)# power inline {auto | never}
PoE verification:
switch# show power inline [interface]
auto (default): the port detects a connected powered device and supplies power automatically
never: power disabled on the port
The command show power inline displays the PoE configuration, the power drawn by connected
powered devices, and the capacity of the power supply.
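As an added example (not from the course slides), the switch-side configuration that the previous subtopics describe: a standalone access point on a trunk port carrying the management and data VLANs, a controller-based access point on an access port carrying only the access point VLAN, and the WLAN controller on a trunk, with power inline set per port and verified with show power inline. The interface names and VLAN numbers (10 management, 20 data, 30 access point) are assumed values chosen for the example.

```cisco
! Standalone access point: trunk port with management (10) and data (20) VLANs, PoE enabled.
! The native VLAN is set to the management VLAN so the AP's untagged management traffic lands there.
interface GigabitEthernet1/0/1
 description Standalone AP (assumed VLANs: 10 management, 20 data)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 power inline auto
!
! Controller-based (LWAPP/CAPWAP) access point: access port, only the AP VLAN (30).
! Client VLANs are not needed here because client data is switched at the controller.
interface GigabitEthernet1/0/2
 description Controller-based AP (assumed VLAN 30 = access point VLAN)
 switchport mode access
 switchport access vlan 30
 power inline auto
!
! WLAN controller: trunk port with management and data VLANs; the controller is not a
! powered device, so PoE is disabled on this port.
interface GigabitEthernet1/0/24
 description WLC (assumed VLANs: 10 management, 20 data)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 power inline never
!
! Verification from privileged EXEC mode:
! show power inline gigabitethernet 1/0/1
! show power inline
```

The first show command reports the PoE state and the power drawn on the standalone AP port only; the second lists every port together with the remaining capacity of the power supply.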
PoE Verification
This subtopic describes PoE Switch Port Status
The Catalyst switch device manager displays the port status and the PoE statistics.
Summary
This topic summarizes the key points that were discussed in this lesson.
Standalone and controller-based WLAN solutions are the Cisco implementations of WLAN.
CAPWAP / LWAPP is the protocol used between controller-based access points and WLAN controllers.
WLAN components include clients, access points, controllers, management systems, infrastructure devices, and security servers.
The Cisco Unified Wireless Network provides a unified enterprise-class wireless solution.
Cisco Aironet access points are available for indoor or outdoor use.
Access points and IP phones can be powered over Ethernet cable.