Design Guide
Table of Contents

Enterprise Mobility 4.1 Design Guide ... 1
Cisco Validated Design ... 2
Contents ... 3
Preface ... 15
    Document Purpose ... 15
    Intended Audience ... 15
    Document Organization ... 15

Cisco Unified Wireless Network Solution Overview ... 17
    WLAN Introduction ... 17
    WLAN Solution Benefits ... 17
    Requirements of WLAN Systems ... 18
    Cisco Unified Wireless Network ... 21

Cisco Unified Wireless Technology and Architecture ... 23
    LWAPP Overview ... 23
    Split MAC ... 24
    Layer 2 and Layer 3 Tunnels ... 26
    Layer 2 Tunnel ... 26
    Layer 3 Tunnel ... 27
    WLC Discovery and Selection ... 30
    Components ... 31
    WLCs ... 31
    APs ... 32
    Cisco Standalone APs ... 32
    Cisco LWAPP APs ... 33
    Mobility Groups, AP Groups, and RF Groups ... 35
    Mobility Groups ... 35
    Mobility Group Definition ... 36
    Mobility Group Application ... 37
    Mobility Group-Exceptions ... 37
    AP Groups ... 37
    RF Groups ... 38
    Roaming ... 39
    WLC to WLC Roaming Across Client Subnets ... 40
    Layer 3 Roam-Asymmetrical Mobility Tunnel ... 41
    Layer 3 Roam-Symmetrical Mobility Tunnel ... 42
    Important Notes About Layer 3 Roaming ... 44
    Broadcast and Multicast on the WLC ... 44
    WLC Broadcast and Multicast Details ... 46
    DHCP ... 46
    ARP ... 46
    Other Broadcast and Multicast Traffic ... 47
    Design Considerations ... 47
    WLC Location ... 48
    Centralizing WLCs ... 49
    Distributed WLC Network Connectivity ... 50
    Traffic Load and Wired Network Performance ... 52
    AP Connectivity ... 53
    Operation and Maintenance ... 53
    WLC Discovery ... 53
    AP Distribution ... 54
    Firmware Changes ... 54

WLAN Radio Frequency Design Considerations ... 57
    RF Basics ... 57
    Regulatory Domains ... 57
    Operating Frequencies ... 58
    802.11b/g Operating Frequencies and Data Rates ... 59
    802.11a Operating Frequencies and Data Rates ... 59
    Understanding the IEEE 802.11 Standards ... 62
    Direct Sequence Spread Spectrum ... 63
    IEEE 802.11b Direct Sequence Channels ... 63
    IEEE 802.11g ... 64
    IEEE 802.11a OFDM Physical Layer ... 65
    IEEE 802.11a Channels ... 65
    RF Power Terminology ... 66
    dB ... 66
    dBi ... 66
    dBm ... 66
    Effective Isotropic Radiated Power ... 67
    Planning for RF Deployment ... 67
    Different Deployment Types of Overlapping WLAN Coverage ... 68
    Data-Only Deployment ... 68
    Voice/Deployment ... 69
    Location-Based Services Deployments ... 70
    WLAN Data Rate Requirements ... 72
    Data Rate Compared to Coverage Area ... 72
    AP Density for Different Data Rates ... 73
    Client Density and Throughput Requirements ... 75
    WLAN Coverage Requirements ... 76
    Power Level and Antenna Choice ... 77
    Omni-Directional Antennas ... 77
    Patch Antennas ... 78
    Security Policy Requirements ... 79
    RF Environment ... 79
    RF Deployment Best Practices ... 80
    Manually Fine-Tuning WLAN Coverage ... 81
    Channel and Data Rate Selection ... 81
    Recommendations for Channel Selection ... 81
    Manual Channel Selection ... 82
    Data Rate Selection ... 84
    Mandatory, Supported, and Disabled Rate Modes ... 85
    Lowest and Highest Mandatory Rate Settings ... 85
    Radio Resource Management (Auto-RF) ... 86
    Overview of Auto-RF Operation ... 86
    Auto-RF Variables and Settings ... 87
    Sample show ap auto-rf Command Output ... 90
    Dynamic Channel Assignment ... 91
    Interference Detection and Avoidance ... 91
    Dynamic Transmit Power Control ... 92
    Coverage Hole Detection and Correction ... 92
    Client and Network Load Balancing ... 92

Cisco Unified Wireless Network Architecture-Base Security Features ... 93
    Base 802.11 Security Features ... 93
    WLAN Security Implementation Criteria ... 93
    Terminology ... 95
    802.1X ... 96
    Extensible Authentication Protocol ... 97
    Authentication ... 98
    Supplicants ... 98
    Authenticator ... 99
    Authentication Server ... 101
    Encryption ... 102
    WEP ... 103
    TKIP Encryption ... 103
    AES Encryption ... 104
    Four-Way Handshake ... 105
    Cisco Compatible Extensions ... 106
    Proactive Key Caching and CCKM ... 108
    Cisco Unified Wireless Network Architecture ... 110
    LWAPP Features ... 111
    Cisco Unified Wireless Security Features ... 112
    Enhanced WLAN Security Options ... 112
    Local EAP Authentication ... 114
    ACL and Firewall Features ... 116
    DHCP and ARP Protection ... 116
    Peer-to-Peer Blocking ... 117
    Wireless IDS ... 117
    Client Exclusion ... 118
    Rogue AP ... 119
    Air/RF Detection ... 120
    Location ... 121
    Wire Detection ... 121
    Rogue AP Containment ... 122
    Management Frame Protection ... 122
    Client Management Frame Protection ... 125
    WCS Security Features ... 125
    Configuration Verification ... 125
    Alarms and Reports ... 126
    Architecture Integration ... 127
    Cisco Integrated Security Features ... 128
    Types of Attacks ... 128
    MAC Flooding Attack ... 128
    DHCP Rogue Server Attack ... 129
    DHCP Starvation Attack ... 129
    ARP Spoofing-based Man-In-the-Middle Attack ... 129
    IP Spoofing Attack ... 129
    CISF for Wireless Deployment Scenarios ... 129
    Using CISF for Wireless Features ... 131
    Using Port Security to Mitigate a MAC Flooding Attack ... 131
    Port Security in a Wireless Network ... 131
    Effectiveness of Port Security ... 132
    Using Port Security to Mitigate a DHCP Starvation Attack ... 132
    Wireless DHCP Starvation Attack ... 132
    Using DHCP Snooping to Mitigate a Rogue DHCP Server Attack ... 133
    DHCP Snooping for Wireless Access ... 133
    Effectiveness of DHCP Snooping ... 134
    Using Dynamic ARP Inspection to Mitigate a Man-in-the-Middle Attack ... 134
    DAI for Wireless Access ... 134
    Effectiveness of DAI ... 135
    Using IP Source Guard to Mitigate IP and MAC Spoofing ... 136
    IP Source Guard for Wireless Access ... 136
    Effectiveness of IP Source Guard ... 137
    Summary of Findings ... 138
    References ... 139

Cisco Unified Wireless QoS ... 141
    QoS Overview ... 141
    Wireless QoS Deployment Schemes ... 142
    QoS Parameters ... 142
    Upstream and Downstream QoS ... 143
    QoS and Network Performance ... 144
    802.11 DCF ... 144
    Interframe Spaces ... 145
    Random Backoff ... 145
    CWmin, CWmax, and Retries ... 146
    Wi-Fi Multimedia ... 147
    WMM Access ... 147
    WMM Classification ... 147
    WMM Queues ... 149
    EDCA ... 150
    U-APSD ... 152
    TSpec Admission Control ... 154
    Add Traffic Stream ... 154
    QoS Advanced Features for WLAN Infrastructure ... 156
    IP Phones ... 159
    Setting the Admission Control Parameters ... 159
    Impact of TSpec Admission Control ... 161
    802.11e, 802.1P, and DSCP Mapping ... 162
    QoS Baseline Priority Mapping ... 163
    Deploying QoS Features on LWAPP-based APs ... 163
    WAN QoS and the H-REAP ... 164
    Guidelines for Deploying Wireless QoS ... 164
    Throughput ... 164
    QoS Example LAN Switch Configuration ... 165
    AP Switch Configuration ... 165
    WLC Switch Configuration ... 165
    Traffic Shaping, Over the Air QoS, and WMM Clients ... 166
    WLAN Voice and the Cisco 7921G and 7920 ... 166
    LWAPP over WAN Connections ... 166
    LWAPP Traffic Classification ... 167
    LWAPP Control Traffic ... 167
    LWAPP 802.11 Traffic ... 170
    Classification Considerations ... 170
    LWAPP Traffic Volumes ... 170
    Example Router Configurations ... 170
    Remarking Client Generated CS6 Packets ... 170
    Changing the DSCP of LWAPP Control Traffic above a predefined rate ... 171

Cisco Unified Wireless Multicast Design ... 173
    Introduction ... 173
    Overview of Multicast Forwarding in Cisco Unified Wireless Networks ... 173
    Wireless Multicast Roaming ... 175
    Asymmetric Multicast Tunneling ... 175
    Multicast Enabled Networks ... 176
    LWAPP Multicast Reserved Ports and Addresses ... 176
    Enabling Multicast Forwarding on the Controller ... 177
    CLI Commands to Enable Ethernet Multicast Mode ... 177
    Multicast Deployment Considerations ... 178
    Recommendations for Choosing an LWAPP Multicast Address ... 178
    Fragmentation and LWAPP Multicast Packets ... 178
    All Controllers have the Same LWAPP Multicast Group ... 179
    Controlling Multicast on the WLAN Using Standard Multicast Techniques ... 179
    How Controller Placement Impacts Multicast Traffic and Roaming ... 181
    Additional Considerations ... 182

Cisco Unified Wireless Hybrid REAP ... 183
    Remote Edge AP ... 183
    Hybrid REAP ... 184
    Supported Platforms ... 184
    WLAN WLCs ... 184
    Access Points ... 185
    H-REAP Terminology ... 185
    Switching Modes ... 185
    Operation Modes ... 185
    H-REAP States ... 186
    Applications ... 188
    Branch Wireless Connectivity ... 188
    Branch Guest Access ... 189
    Public WLAN Hotspot ... 190
    Unified Wireless Feature Support ... 191
    Deployment Considerations ... 192
    WAN Link ... 192
    Roaming ... 193
    Radio Resource Management ... 193
    Location Services ... 194
    QoS Considerations ... 194
    General WLC Deployment Considerations with H-REAP ... 194
    WAN Link Disruptions ... 195
    EAP 802.1x and Web Auth WLANs ... 195
    Other Features ... 195
    Radio Configuration ... 195
    H-REAP Limitations and Caveats ... 196
    Local Switching Restrictions ... 196
    Max Supported WLANs ... 196
    Network Address Translation (NAT/PAT) ... 196
    Restricting Inter-Client Communication ... 198
    H-REAP Scaling ... 198
    Inline Power ... 199
    Management ... 199
    H-REAP Configuration ... 199
    Initial Configuration ... 199
    Serial Console Port ... 199
    DHCP with Statically Configured WLC IPs ... 201
    Configuring LAP for H-REAP Operation ... 201
    Enabling VLAN Support ... 203
    Advanced Configuration ... 203
    Choosing WLANs for Local Switching ... 204
    Configuring H-REAP Support on a WLAN ... 204
    H-REAP Local Switching (VLAN) Configuration ... 205
    Establishing a WLAN to Local VLAN Mapping ... 206
    WLC Dynamic Interface Configuration for Remote Only WLANs ... 207
    H-REAP Verification ... 207
    Verifying the H-REAP AP Addressing ... 207
    Verifying the WLC Resolution Configuration ... 207
    Troubleshooting ... 208
    H-REAP Does Not Join the WLC ... 208
    Client Associated to Local Switched WLAN Cannot Obtain an IP Address ... 208
    Client Cannot Authenticate or Associate to Locally Switched WLAN ... 208
    Client Cannot Authenticate or Associate to the Central Switched WLAN ... 209
    H-REAP Debug Commands ... 209
    WLC Debug Commands ... 209
    H-REAP AP Debug Commands ... 209

Cisco Wireless Mesh Networking ... 211
    Introduction ... 211
    Cisco 1500 Series Mesh AP ... 212
    Cisco Wireless LAN Controllers ... 214
    Wireless Control System (WCS) ... 215
    Wireless Mesh Operation ... 215
    Bridge Authentication ... 216
    Wireless Mesh Encryption ... 216
    AWPP Wireless Mesh Routing ... 217
    Example Simple Mesh Deployment ... 217
    Mesh Neighbors, Parents, and Children ... 220
    Background Scanning in Mesh Networks ... 222
    Ease Calculation ... 224
    SNR Smoothing ... 224
    Loop Prevention ... 224
    Choosing the Best Mesh Parent ... 225
    Routing Around an Interface ... 225
    Design Details ... 225
    Wireless Mesh Design Constraints ... 226
    Client WLAN ... 226
    Bridging Backhaul Packets ... 226
    Client Access on Backhaul Connections ... 227
    Increasing Mesh Availability ... 227
    Multiple RAPs ... 229
    Multiple Controllers ... 230
    Multiple Wireless Mesh Mobility Groups ... 231
    Design Example ... 231
    MAP Density and Distance ... 231
    Connecting the Cisco 1500 Mesh AP to your Network ... 234
    Physical Placement of Mesh APs ... 235
    AP 1500 Alternate Deployment Options ... 236
    Wireless Backhaul ... 236
    Point-to-Multipoint Wireless Bridging ... 236
    10.6.3 Point-to-Point Wireless Bridging ... 237

VoWLAN Design Recommendations ... 239
    Antenna Considerations ... 239
    AP Antenna Selection ... 239
    Antenna Positioning ... 241
    Handset Antennas ... 241
    Channel Utilization ... 241
    Dynamic Frequency Selection (DFS) and 802.11h Requirements of the APs ... 242
    Channels in the 5 GHz Band ... 243
    Call Capacity ... 245
    AP Call Capacity ... 248
    Cell Edge Design ... 250
    Dual Band Coverage Cells ... 252
    Dynamic Transmit Power Control ... 252
    Interference Sources Local to the User ... 253

Cisco Unified Wireless Guest Access Services ... 255
    Introduction ... 255
    Scope ... 256
    Wireless Guest Access Overview ... 256
    Guest Access using the Cisco Unified Wireless Solution ... 256
    WLAN Controller Guest Access ... 257
    Supported Platforms ... 258
    Auto Anchor Mobility to Support Wireless Guest Access ... 258
    Anchor Controller Deployment Guidelines ... 260
    Anchor Controller Positioning ... 260
    DHCP Services ... 261
    Routing ... 261
    Anchor Controller Sizing and Scaling ... 261
    Anchor Controller Redundancy ... 261
    Web Portal Authentication ... 262
    User Redirection ... 263
    Guest Credentials Management ... 264
    Local Controller Lobby Admin Access ... 265
    Guest User Authentication ... 265
    External Authentication ... 266
    External Authentication using Cisco Secure ACS and Microsoft User Databases ... 266
    Guest Pass-through ... 266
    Guest Access Configuration ... 268
    Anchor WLC Installation and Interface Configuration ... 269
    Guest VLAN Interface Configuration ... 270
    Defining a New Interface ... 270
    Defining an Interface Name and VLAN ID ... 270
    Defining Interface Properties ... 271
    Mobility Group Configuration ... 272
    Defining the Default Mobility Domain Name for the Anchor WLC ... 272
    Defining Mobility Group Members of the Anchor WLC ... 273
    Adding Foreign Controllers as Mobility Group Members ... 273
    Adding the Anchor WLC as a Mobility Group Member of a Foreign WLC ... 274
    Guest WLAN Configuration ... 274
    Foreign WLC-Guest WLAN Configuration ... 275
    Defining a Guest WLAN SSID ... 276
    Defining Guest WLAN Parameters and Policies ... 277
    Establishing the Guest WLAN Mobility Anchor(s) ... 280
    Verifying the Guest WLAN Mobility Anchor ... 281
    Guest WLAN Configuration on the Anchor WLC ... 281
    Anchor WLC-Guest WLAN Interface ... 282
    Anchor WLC-Defining the Guest WLAN Mobility Anchor ... 282
    Guest Account Management ... 283
    Guest Management Using WCS ... 284
    Using the Add Guest User Template ... 285
    Using the Schedule Guest User Template ... 288
    Managing Guest Credentials Directly on the Anchor Controller ... 293
    Configuring the Maximum Number of User Accounts ... 294
    Maximum Concurrent User Logins ... 294
    Guest User Management Caveats ... 295
    Other Features and Solution Options ... 295
    Web Portal Page Configuration and Management ... 295
    Internal Web Page Management ... 296
    Importing A Web Page ... 296
    Selecting an Imported Web Auth Page ... 297
    Internal Web Certificate Management ... 298
    Importing an External Web Certificate ... 299
    Support for External Web Redirection ... 299
    Anchor WLC-Pre-Authentication ACL ... 300
    Anchor Controller DHCP Configuration ... 302
    Adding a New DHCP Scope to the Anchor Controller ... 302
    Defining a Scope Name ... 302
    Defining Scope Properties ... 303
    External Radius Authentication ... 303
    Adding a RADIUS Server ... 304
    External Access Control ... 306
    Verifying Guest Access Functionality ... 308
    Troubleshooting Guest Access ... 308
    User Cannot Associate to the Guest WLAN ... 309
    User Does Not Obtain an IP Address via DHCP ... 309
    User is Not Redirected to Web Auth Page ... 309
    User Cannot Authenticate ... 309
    User Cannot Connect to Internet or Upstream Service ... 310
    System Monitoring ... 310
    Anchor Controller ... 310
    Campus (Foreign) Controller ... 312
    Debug Commands ... 313

Mobile Access Router, Universal Bridge Client, and Cisco Unified Wireless ... 315
    3200 Series Mobile Access Router Overview ... 315
    Cisco 3200 Series and Wireless Network Access ... 316
    Vehicle Network Example ... 316
    Simple Bridge Client Data Path Example ... 317
    Cisco 3200 Series in Mobile IP Environments ... 318
    WMIC Roaming Algorithm ... 319
    Basic Configuration Examples ... 320
    Connecting to the Cisco 32XX ... 320
    Configure IP Address, DHCP, VLAN on 3200 Series ... 320
    WMIC Configurations ... 321
    WMIC Work Group Bridge Configuration ... 321
    WMIC Universal Bridge Client Configuration ... 322
    WMIC as an Access Point Configuration ... 322
    Security ... 322
    Authentication Types ... 322
    Encryption and Key Management ... 323
    Security Configuration ... 323
    Assigning Authentication Types to an SSID ... 323
    Configuring dot1x Credentials ... 325
    EAP-TLS Authentication with AES Encryption Example ... 326
    Configuring the Root Device Interaction with WDS ... 327
    Configuring Additional WPA Settings ... 328
    Setting a Pre-Shared Key ... 328
    Configuring Group Key Updates ... 328
    WPA and Pre-shared Key Configuration Example ... 328
    Cisco 3200 Series Product Details ... 329
    Cisco 3200 Series Interfaces ... 329
    Cisco 3230 Enclosure Connections ... 330
    Cisco 3270 Rugged Enclosure Configuration ... 330
    Cisco 3200 Series WMIC Features ... 332
    Cisco 3200 Series Bridge Considerations ... 333
    Cisco 3200 Series Management Options ... 335

Cisco Unified Wireless and Mobile IP ... 337
    Introduction ... 337
    Different Levels of Network Mobility ... 337
    Requirements for a Mobility Solution ... 339
    Location Database ... 340
    Move Discovery, Location Discovery, and Update Signaling ... 340
    Path Re-establishment ... 341
    Roaming on a Cisco Unified Wireless Network ... 341
    Roaming on a Mobile IP-enabled Network ... 342
    Configuration 1: Sample Mobile IP Client Interface and Host Table Manipulation ... 345
    Mobile IP Client Characteristics When Roaming on a Cisco Unified Wireless Network ... 346

Cisco Unified Wireless Location-Based Services ... 349
    Introduction ... 349
    Reference Publications ... 350
    Cisco Location-Based Services Architecture ... 350
    Positioning Technologies ... 350
    What is RF Fingerprinting? ... 351
    Overall Architecture ... 352
    Role of the Cisco Wireless Location Appliance ... 354
    Accuracy and Precision ... 356
    Tracking Assets and Rogue Devices ... 357
    Cisco Location Control Protocol ... 358
    Installation and Configuration ... 359
    Installing and Configuring the Location Appliance and WCS ... 359
    Deployment Best Practices ... 361
    Location-Aware WLAN Design Considerations ... 361
    RFID Tag Considerations ... 362
    SOAP/XML Application Programming Interface ... 363

Glossary ... 365

Size: 15.7 MB
Pages: 368
Language: English