AP Controller Equipment Scaling
Cisco provides different solutions for supporting differing numbers of APs within an enterprise: standalone WLCs, modules for Integrated Services Routers (ISR), and modules for 6500 switches. The WLC types are listed below, each followed by the number of APs it supports:
- 2100 series WLC: 25
- WLC for ISR: 25
- Catalyst 3750 Integrated WLC: 50
- 4400 series WLC: 100
- 6500/6700 series WLC module: 300
- 5500 series WLC: 500
To scale beyond the default 48 supported APs on a Cisco WLC:
- Use multiple AP interfaces: This option only works on 4400 series WLCs
- Use link aggregation (LAG): This option works on 5500 and 4400 series WLCs, and is the default operation on Catalyst 3750 Integrated WLCs and the Catalyst 6500 WiSM
The largest limitation of LAG is that only one may exist per WLC, so if a LAG exists, all physical ports are members of it. This means the WLC can only be connected to one neighboring device.
Roaming and Mobility Groups
Roaming occurs when a user moves from one AP association to another, as happens when a user moves around. Roaming must be seamless to the end user, and it can be intercontroller or intracontroller.
Intracontroller Roaming
This occurs when a user moves between APs that are both associated with the same WLC. The WLC updates its client database with the new AP association and does not change the client's IP address. If required, the client is reauthenticated when changing AP associations and a new security association is created.
Layer 2 Intercontroller Roaming
This occurs when a user moves between two APs that are associated to different WLCs, but both WLCs are on the same subnet. When this sort of roaming occurs, the WLC passes the client's database entry to the other WLC, and no IP address change happens for the client. If required, the client is reauthenticated and a new security association is created.
Layer 3 Intercontroller Roaming
This occurs when a client moves between APs associated to WLCs that are on different subnets. When the client moves its association, the new WLC and the previous WLC exchange mobility messages. The client database entry is not moved to the new WLC; instead, the original WLC marks the client as an 'anchor' entry and the new WLC marks the client as a 'foreign' entry. The wireless client's IP address is preserved and, if required, the client reauthenticates and gets a new security association. From then on, traffic is routed asymmetrically: traffic from the client is forwarded to the wired network by the new WLC, but traffic destined for the client is forwarded from the wired network to the original WLC. The original WLC then forwards that traffic to the new WLC via Ethernet-over-IP (EoIP) tunneling, and the new WLC sends it on to the client.
Mobility Groups
Mobility groups allow WLCs to peer with each other to allow roaming across controller boundaries, AP load balancing and redundancy. When WLCs are placed into the same mobility group, they exchange mobility messages and EoIP tunneling is possible when roaming occurs. For this reason, WLCs that are meant to be redundant and allow roaming should be placed into the same mobility group.
Up to 24 WLCs can be placed into a mobility group, and which devices are in the group determines how many APs can be supported. WLCs can also be configured with mobility lists, which record which WLCs belong to which mobility groups. If a WLC has such a list, clients can roam between mobility groups, so long as mobility lists are configured on the WLCs. Mobility lists can support 48 mobility groups with Release 5.0, or 72 with Release 5.1 or later.
WLCs use UDP port 16666 for unencrypted mobility messages and UDP port 16667 for encrypted messages. APs learn the IP addresses of the other members of the mobility group when joining via CAPWAP.
Cisco best practice is to minimize intercontroller roaming; if it is needed, Layer 2 intercontroller roaming is preferred as it is far more efficient. Total round-trip time between controllers should be under 10 ms. Proactive key caching (PKC) or Cisco Compatible Extensions (CCKM) Version 4 is recommended to speed up and secure roaming.
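The three roam types above, modelled as changes to a WLC client database. This is an added example, not from the original notes; controller names, subnets, the mobility group name and the client MAC are constructed values.

```python
# Added example (not from the original notes): how a WLC client database changes
# on intracontroller, Layer 2 and Layer 3 intercontroller roams.
from dataclasses import dataclass, field

@dataclass
class WLC:
    name: str
    subnet: str
    mobility_group: str
    # client MAC -> {"ap", "ip", "role" ("local"|"anchor"|"foreign"), "sa", "anchor"}
    clients: dict = field(default_factory=dict)

def roam(mac: str, old: WLC, new: WLC, ap: str, reauth: bool = False):
    """Move client `mac` from `old` to AP `ap` on `new`.
    Returns (roam_type, downstream_path): the WLCs that traffic destined
    for the client passes through after the roam."""
    entry = old.clients[mac]
    if reauth:
        entry["sa"] += 1                     # a new security association is created
    if old is new:
        entry["ap"] = ap                     # intracontroller: only the AP changes
        return "intracontroller", [new.name]
    if old.mobility_group != new.mobility_group:
        raise ValueError("WLCs are not mobility peers; roam is not seamless")
    if old.subnet == new.subnet:
        # Layer 2: the client entry is handed to the new WLC, IP unchanged
        new.clients[mac] = {**entry, "ap": ap, "role": "local"}
        del old.clients[mac]
        return "L2-intercontroller", [new.name]
    # Layer 3: the original WLC keeps an anchor entry, the new WLC holds a
    # foreign entry, the IP is preserved, and downstream traffic enters at the
    # anchor, which tunnels it (EoIP) to the foreign WLC: the asymmetric path.
    anchor = entry.get("anchor", old.name)
    if entry["role"] == "foreign":
        del old.clients[mac]                 # foreign entry follows the client
    else:
        entry["role"] = "anchor"
    new.clients[mac] = {**entry, "ap": ap, "role": "foreign", "anchor": anchor}
    return "L3-intercontroller", [anchor, new.name]

def demo():
    """Walk one constructed client through all three roam types."""
    a = WLC("WLC-A", "10.1.1.0/24", "MG1")
    b = WLC("WLC-B", "10.1.1.0/24", "MG1")   # same subnet as WLC-A
    c = WLC("WLC-C", "10.2.2.0/24", "MG1")   # different subnet
    mac = "00:11:22:33:44:55"
    a.clients[mac] = {"ap": "AP1", "ip": "10.1.1.50", "role": "local", "sa": 1}
    log = [roam(mac, a, a, "AP2"), roam(mac, a, b, "AP3"), roam(mac, b, c, "AP4", reauth=True)]
    return log, c.clients[mac]["ip"], b.clients[mac]["role"], c.clients[mac]["role"]
```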
WLAN Design Best Practice
Controller Redundancy: Dynamic or Deterministic
Deterministic redundancy is best practice and requires APs to be configured with a primary/secondary/tertiary controller preference. This requires more front-end work, but allows for deterministic failover and predictability. Deterministic advantages include:
- Network scalability
- Flexible/powerful redundancy options
- Faster failover
- Deterministic fallback
Dynamic redundancy uses CAPWAP to load balance APs across WLCs, by populating each AP with a backup WLC. This solution works best when all WLCs are located centrally since it is dynamic. Dynamic advantages include:
- Easier configuration
- Dynamic AP load balancing
Dynamic redundancy brings unpredictable operation and longer failover, and offers no other failover options.
N+1 WLC Redundancy
With this redundancy option, a single WLC is configured as a backup for multiple WLCs. This could cause the backup to become oversubscribed.
N+N WLC Redundancy
With this redundancy option, an equal number of backup WLCs are configured. A pair of WLCs on one floor may be configured as backup WLCs for another floor, and vice versa. There needs to be enough capacity to allow for failover if needed (no more than 50% of capacity used).
N+N+1 WLC Redundancy
With this redundancy option, an equal number of controllers are configured as backups for each other (as above), and a tertiary backup WLC is configured as well. This tertiary controller backs up the secondary controllers and is usually placed in the data center or NOC.
Radio Management/Radio Groups
Because of the limited ISM spectrum available to 802.11b/g/n, only three non-overlapping channels can be used (1, 6 and 11). Best practice is to limit the number of data devices attached to a single AP to 20, or 7 concurrent Voice over WLAN (VoWLAN) calls using the G.711 codec, or 8 concurrent VoWLAN calls using G.729.
As the user population on the WLAN grows, additional APs should be added to maintain this ratio. Cisco Radio Resource Management (RRM) manages AP RF channel and power configuration to minimize interference. WLCs use the RRM algorithm to automatically optimize and self-heal the radio frequencies using these functions:
- Radio Resource Monitor: LWAPs monitor all radio channels for rogue APs and clients, and for interfering APs
- Dynamic Channel Assignment: WLCs automatically manage channels for APs to avoid interference
- Interference Detection/Avoidance: Interference is detected by a predefined threshold (10% default)
- Dynamic Transmit Power Control: WLCs automatically adjust broadcast power of APs
- Coverage Hole Detection/Correction: WLCs can adjust AP power output if clients report low signals
- Client/Network Load Balancing: Clients can be influenced to connect to certain APs to load balance
WLCs can use RRM to raise power levels and channels of APs to compensate for lost/downed APs.
RF Groups
RF groups are clusters of WLCs that coordinate their RRM calculations. When WLCs join the group, the RRM calculation expands to include them. APs send neighbor messages to each other, and if a message is received above -80 dBm the controllers form an RF group. WLCs elect a leader to analyze the RF data and make RRM decisions. The leader exchanges messages among RF group members on UDP port 12114 for 802.11b/g/n and UDP port 12115 for 802.11a.
How RF groups form:
- APs send out neighbor messages looking for other APs, which includes an encrypted shared secret key that is preconfigured on trusted WLCs
- Messages with the same secret key are validated and trusted. These messages must be received above -80 dBm to form the group.
- Members of the formed RF group elect a leader to analyze and push a master power/channel scheme for the group. The leader receives realtime data about the WLAN to make this calculation
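RF group formation as described in the steps above, as an added example that is not from the original notes: a keyed MAC stands in for the encrypted shared secret (a simplification, not Cisco's message format), the -80 dBm threshold is applied, and the leader-election rule (lowest controller name) is an assumption; all names and RSSI values are constructed.

```python
# Added example (not from the original notes): validating AP neighbor messages
# by shared secret and RSSI, then clustering WLCs into RF groups with a leader.
# The keyed MAC is a stand-in for the real encrypted secret; election rule assumed.
import hashlib
import hmac
from collections import defaultdict

RSSI_THRESHOLD_DBM = -80  # neighbor messages must be heard above this level

def tag(secret: bytes, sender_wlc: str, sender_ap: str) -> str:
    """Keyed MAC binding the message to the shared secret of trusted WLCs."""
    return hmac.new(secret, f"{sender_wlc}|{sender_ap}".encode(), hashlib.sha256).hexdigest()

def form_rf_groups(messages, secret: bytes):
    """messages: dicts with sender_wlc, sender_ap, heard_by_wlc, rssi, tag.
    Returns ({leader: [members]}, [(message, reject_reason)])."""
    parent = {}                              # union-find over WLC names
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    rejected = []
    for m in messages:
        expected = tag(secret, m["sender_wlc"], m["sender_ap"])
        if not hmac.compare_digest(expected, m["tag"]):
            rejected.append((m, "secret mismatch"))   # untrusted or rogue WLC
            continue
        if m["rssi"] <= RSSI_THRESHOLD_DBM:
            rejected.append((m, "below -80 dBm"))     # too weak to form a group
            continue
        parent[find(m["sender_wlc"])] = find(m["heard_by_wlc"])
    groups = defaultdict(set)
    for wlc in parent:
        groups[find(wlc)].add(wlc)
    # Assumed election rule: lowest controller name becomes the RF group leader
    return {min(g): sorted(g) for g in groups.values()}, rejected

SECRET = b"constructed-demo-secret"

def demo_messages():
    """Constructed neighbor messages: one valid, one too weak, one with a bad secret."""
    return [
        {"sender_wlc": "WLC-A", "sender_ap": "AP1", "heard_by_wlc": "WLC-B", "rssi": -65,
         "tag": tag(SECRET, "WLC-A", "AP1")},
        {"sender_wlc": "WLC-B", "sender_ap": "AP7", "heard_by_wlc": "WLC-C", "rssi": -85,
         "tag": tag(SECRET, "WLC-B", "AP7")},
        {"sender_wlc": "WLC-X", "sender_ap": "AP9", "heard_by_wlc": "WLC-A", "rssi": -50,
         "tag": tag(b"wrong-secret", "WLC-X", "AP9")},
    ]
```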
RF Site Survey
Site surveys are done similarly to surveys for wired network design. The RF site survey identifies customer requirements and the coverage needed, and checks for interference. The site survey should consist of the following steps:
- Define customer requirements, what applications are needed (such as VOIP) and what types of devices need to be supported as well as where these wireless devices will be located
- Obtain a facility diagram to identify RF interference/dead zones
- Visually inspect the facility to identify barriers to wireless signal like elevator shafts and stairwells
- Identify areas intensively used as well as areas that are not used often
- Determine preliminary AP locations, power placement, wired network access, channel selection, mounting locations, antennas
- Use an AP to survey locations and the received RF strength based on targeted AP placement
- Document findings by recording locations, signal readings and data rates at the outer areas of coverage. The report includes:
  - Detailed customer requirements and a diagram of AP coverage
  - Parts list including antennas, accessories and network components
  - Tools/methods used for the site survey
Ethernet over IP Tunnels for Guest Services
Basic guest access entails separating the guest SSID/VLAN from the corporate network, broadcasting the guest SSID but not the corporate one. Another solution uses EoIP to tunnel the guest traffic from the AP to an anchor WLC. When guests access the guest APs, their connections are automatically tunneled to the specified anchor WLC for guest access. This keeps guest traffic logically separated from the corporate network without the need to run extra VLANs.
Wireless Mesh in Outdoor Wireless
Wireless mesh components:
- Wireless Control System (WCS): Wireless mesh SNMP management system allows network-wide configuration/management
- WLAN Controller (WLC): Links the meshed APs to the wired network, manages security, mitigates radio interference, etc
- Rooftop AP (RAP): Connects the mesh to the wired network and serves as the root. Communicates with MAPs; typically located on rooftops/towers
- Mesh Access Point (MAP): AP that provides access to wireless clients, communicating with RAPs for wired network connection. Usually located on a lamppost or other pole.
Mesh Design Recommendations
- Less than 10ms latency per hop, 2-3ms preferred
- Four or fewer hops are recommended for outdoor deployment though eight are supported
- For indoor deployment one hop is supported
- Best performance occurs when no more than 20 MAPs are used per RAP, though 32 are supported
- Throughput: One hop = 14Mbps, two hops = 7 Mbps, three hops = 3 Mbps, four hops = 1 Mbps
Campus Design Considerations
- Number of APs: There should be enough APs to provide full coverage for wireless clients at the expected access locations: 20 data devices per AP, and 7 concurrent G.711 or 8 concurrent G.729 VoWLAN calls
- AP Placement: APs should be placed in a centralized location of the expected access area, and placed in conference rooms to accommodate peak requirements
- AP Power: Traditional wall power can be used, or Power over Ethernet (PoE)
- Number of WLCs: The number of WLCs depends on the redundancy strategy and number of required APs
- WLC Placement: WLCs are placed in secured wiring closets or the data center. Intercontroller roaming should be minimized, and deterministic redundancy is recommended
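Putting the per-AP limits and the N+1 / N+N / N+N+1 redundancy schemes above together as a sizing calculation. This is an added example, not from the original notes; the WLC capacities are the per-controller AP counts listed at the top of these notes, and the assumption that clients and calls spread evenly over the APs is mine.

```python
# Added example (not from the original notes): from client requirements to an
# AP count, then to a WLC count for a chosen controller model and redundancy
# scheme, flagging the N+1 oversubscription risk the notes warn about.
import math

AP_LIMITS = {"data_devices": 20, "g711_calls": 7, "g729_calls": 8}  # per AP
WLC_CAPACITY = {"2100": 25, "ISR-module": 25, "3750-integrated": 50,
                "4400": 100, "6500-WiSM": 300, "5500": 500}           # APs per WLC

def aps_needed(data_devices: int, g711_calls: int = 0, g729_calls: int = 0) -> int:
    """Smallest AP count meeting every per-AP limit; assumes clients and calls
    spread evenly over the APs (voice on its own SSID, data on another)."""
    return max(1, math.ceil(data_devices / AP_LIMITS["data_devices"]),
               math.ceil(g711_calls / AP_LIMITS["g711_calls"]),
               math.ceil(g729_calls / AP_LIMITS["g729_calls"]))

def plan_wlcs(ap_count: int, model: str, scheme: str) -> dict:
    """WLC count for 'N+1', 'N+N' or 'N+N+1' redundancy with the given model."""
    cap = WLC_CAPACITY[model]
    if scheme == "N+1":
        primaries = math.ceil(ap_count / cap)
        per_wlc = math.ceil(ap_count / primaries)
        # One shared backup absorbs one failed WLC; if two primaries fail at
        # once the backup is oversubscribed.
        return {"primary": primaries, "backup": 1, "aps_per_wlc": per_wlc,
                "oversubscribed_on_double_failure": 2 * per_wlc > cap}
    if scheme in ("N+N", "N+N+1"):
        # Pairs back each other up, so each WLC must stay at <= 50% capacity
        n = math.ceil(ap_count / (cap / 2))
        n += n % 2                              # round up to whole pairs
        per_wlc = math.ceil(ap_count / n)
        return {"paired_wlcs": n, "tertiary": int(scheme == "N+N+1"),
                "aps_per_wlc": per_wlc, "load_pct": round(100 * per_wlc / cap, 1)}
    raise ValueError(f"unknown scheme {scheme!r}")

def campus_plan(data_devices, g711_calls, g729_calls, model, scheme) -> dict:
    """End-to-end: client requirements -> APs -> WLCs for one redundancy scheme."""
    aps = aps_needed(data_devices, g711_calls, g729_calls)
    return {"aps": aps, **plan_wlcs(aps, model, scheme)}
```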
Branch Design Considerations
Branch offices may not need a WLC installed, depending on how many APs are needed. If a WLC is not installed at the branch office, the round-trip time between the APs and the WLC should not exceed 300 ms, and REAP or Hybrid REAP (H-REAP) should be used.
Local MAC: CAPWAP supports local media access control for branch deployments. In this deployment, the AP provides MAC management support for associations, terminating traffic at the AP instead of a WLC. This allows local access without requiring traffic to travel all the way to a central office WLC, and to continue functioning if the connection to the central office is lost.
REAP: REAP supports branch offices by extending LWAPP control timers. Control traffic is still encapsulated over an LWAPP tunnel over the WAN to a WLC, but local traffic is bridged. In this way the clients still have access to local resources if the WAN fails. REAP devices only support Layer 2 security policy, do not support NAT and need a routable IP address.
Hybrid REAP: H-REAP enhances REAP by providing additional capabilities like NAT and the ability to control three APs remotely. APs connect to the WLC over the WAN and use two security modes:
- Standalone: H-REAP authenticates clients when the WLC can't be reached. WPA-PSK and WPA2-PSK are supported.
- Connected: The AP uses the WLC for client authentication. H-REAP supports WPA-PSK, WPA2-PSK, VPN, L2TP, EAP and web authentication
H-REAP round-trip time must not exceed 300 ms, and CAPWAP must be prioritized traffic.
Branch Office Controllers
- Cisco 2100 series
- Cisco 4402-12/4402-24
- WLC Module in Integrated Services Router
- 3750 with WLAN controller
WLAN Design Summary
- RF site survey will determine RF characteristics and AP placement
- Guest services are supported using EoIP in the Cisco Unified Wireless Network
- Outdoor wireless is supported using outdoor APs and mesh networking APs
- Campus WLAN design provides wireless coverage using LWAPs managed by WLCs
- Branch WLAN design deals with wireless access management at remote sites using REAP or H-REAP
- Each AP should be limited to 20 data devices
- Separate SSIDs should be used for voice, and APs should not have more than 7 concurrent calls using G.711 codec, or 8 using G.729 codec
UDP Ports Used by Wireless
- LWAPP Control: 12223
- LWAPP Data: 12222
- WLC Exchange Messages (unencrypted): 16666
- WLC Exchange Messages (encrypted): 16667
- RF 802.11b/g/n: 12114
- RF 802.11a: 12115
- CAPWAP Control: 5246
- CAPWAP Data: 5247