Real-time Traffic Applications and Services over WLAN

BRKCOL-2275

Matt Jordy, Technical Marketing Engineer ([email protected])

Session Overview

• This session discusses design considerations for real-time traffic over 802.11 WLAN (RToWLAN) deployments. RToWLAN deployments provide access to voice, video, and other real-time traffic applications and services for mobile devices.
• The session begins with a brief overview of the architecture and components as well as drivers and benefits for implementing RToWLAN.
• The session covers design and deployment considerations, including best practices for real-time traffic deployments: 802.11 WLAN radio frequency design, quality of service, security, roaming, high availability and capacity.
• The session covers a range of RToWLAN wireless devices including software-based clients (e.g. Cisco Jabber) running on corporate or even personal mobile devices (BYOD) as well as hardware devices (e.g. Cisco Unified Wireless IP Phones).
• At the end of the session it is expected that attendees will have a good understanding of the various RToWLAN considerations for enabling mobile collaboration.

Please consult the latest applicable product documentation for specific feature, software version, and hardware version support requirements.

Session Logistics

• Attendees should have some familiarity with Cisco wireless and collaboration solutions.
• Appendix slides (additional information).
• Session time: 90 minutes
• Please ask questions as we go. 3 types of questions:
  » Questions I'll answer
  » Questions I'll defer to later in the session
  » Questions I don't know the answer to, that are outside the scope of our session, or that consume too much time

Come see me after the session to chat or send me an email ([email protected]) with your question(s) so I can get back to you.

Session Scope and Assumptions

• 802.11 Enterprise Wireless LAN
  » Non-licensed spectrum. Wireless types not covered include satellite, /4G, LTE, WiMAX, and DECT.
  » No coverage for managed service, service provider, or outdoor/rugged/specialized environment deployments.
• Deployments of unified wireless network or controller-based deployments
  » Wireless controllers for centralized management of access points and wireless traffic. No "autonomous" access points.
  » Focused on Cisco Unified Wireless (Aironet) products. No coverage for Meraki.
• Technology and design considerations
  » Not product-specific features and configuration.

Agenda

• Real-time Traffic over Wireless LAN (RToWLAN) Overview
• RToWLAN Radio Frequency Design
• RToWLAN Quality of Service
• RToWLAN Security
• RToWLAN Roaming
• RToWLAN Summary

Real-time Traffic over Wireless LAN (RToWLAN) Overview

Definitions

• RToWLAN

» 802.11 wireless network deployments that support real-time traffic capable endpoints and enable real-time traffic applications and services are referred to as Real-time Traffic over WLAN (RToWLAN) deployments.

• Real-time traffic

» Network traffic including packetized voice and video and other network traffic consumed as near to the moment it is generated as possible. Because the value of real-time network traffic drops to zero almost instantly, there is no retransmission, and limited tolerance for delay, jitter, and packet loss.

• Real-time traffic applications and services

» High-quality point-to-point and multi-point voice and video communications, desktop virtualization, and presence are examples of applications and services that generate significant amounts of network traffic and rely on near instant network traversal in order to reliably deliver these capabilities.

Architectural Overview

The RToWLAN solution architecture includes three key elements:

• Collaboration applications and services (voice, mobile applications, media resources, PSTN access)
• Enterprise 802.11 wireless LAN infrastructure (enterprise wired LAN and enterprise WLAN)
• Real-time traffic 802.11 wireless endpoints

Cisco 802.11 Wireless LAN Infrastructure

• Wireless LAN
  » Cisco Wireless LAN Controller (WLC) (e.g. Cisco WLC 5500, 5700, 8500, and Flex 7500 series)
  » Cisco Wireless Access Point (AP) (e.g. Cisco Aironet 3700/2700 and 3600/2600 series)
  » Converged Access Wireless (Catalyst 3650, 3850, 4500 Sup 8-E)
• Wireless management and security
  » Cisco Secure Access Control System (ACS) (RADIUS / AAA)
  » Cisco Identity Services Engine (ISE)
  » Cisco Prime Infrastructure

Cisco Collaboration Applications and Services

• Call control: Cisco Unified CM
• Applications: Cisco Unity Connection, Cisco IM & Presence
• Edge: Cisco Expressway (Internet), PSTN
• Management: Cisco Prime Collaboration
• Media resources/services: Media Resources (IOS), Conferencing/Recording, MCU, PSTN

Real-time Traffic 802.11 Wireless Endpoints

• Jabber client devices: Jabber on Mobile, Jabber on Desktop
• Wireless IP phone: Cisco Unified Wireless IP Phone (e.g. Cisco 7925G, 7925G-EX, and 7926G)
• Desk phone: Cisco Unified IP Phone (e.g. Cisco 9971, 8861, 8865, and DX Series)
• Spark client devices

Endpoint Selection

Wireless capabilities vary across endpoints; however, purpose-built single-function devices optimized for enterprise wireless communications tend to provide the best performance and end-user experience.

» Jabber desktop: software-based endpoint, not typically in motion
» Jabber mobile, Spark: software-based endpoint, highly mobile
» 9971, 886x, DX650/70/80: hardware-based, not typically in motion
» 7925G/G-EX, 7926G: hardware-based voice-only device, highly mobile

Software-based endpoints (Jabber, Spark):
• QoS marking dependent on OS
• No control over 3rd-party hardware / OS = Untrusted
• Limited control from non-native applications
• Multi-purpose device, generates many traffic types

Hardware-based endpoints (Cisco IP phones):
• Enterprise QoS marking at Layer 2 & 3
• Cisco-controlled hardware and OS = Trusted
• Purpose-built, single-function / phone-centric device

Network and Endpoint Control

Network and endpoint control are important considerations for RToWLAN deployments.

• Wireless is a shared channel: non-deterministic media access, no priority servicing, no bandwidth guarantees. Wired ≠ Wireless.
• Network: more enterprise control = higher-quality collaboration experience.
  » Increasing control, from the Internet, public/private WiFi hotspots (802.11) and mobile provider networks (4G/LTE/UMTS) ("reality") to the enterprise WLAN (802.11) ("as good as it gets").
  » Control over RF design, QoS, etc.
  » Ultimately the Internet is beyond our control.
• Endpoint: more hardware and OS control = higher-quality collaboration experience.
  » Control over applications/services, QoS marking, standards/pre-standards support, etc.
  » Purpose-built hardware v. software and multi-purpose hardware.

Solution Benefits

RToWLAN deployments provide the following benefits:

• Improved productivity and maximum availability and reachability for mobile users.

• High-quality voice and video calls and seamless roaming experience for users in motion.

• Reduced expenditure on mobile provider network access and reduced dependency on mobile provider network coverage within the enterprise

• Capitalizes on the increased presence of personal mobile devices within the enterprise (BYOD) for collaboration and communication at little or no cost

802.11 Wireless Overview: Key RToWLAN Wireless Standards

Important RToWLAN wireless standards:

» 802.11e: Standard providing quality of service enhancements enabling more frequent access / higher priority for certain types of traffic on the wireless network. Critical for delay-sensitive applications like real-time traffic over WLAN applications and services. WiFi Multimedia (WMM), focusing on QoS, is a subset of this standard.

» 802.11k: Wireless radio management enhancements enabling distribution of network load to under-utilized APs rather than having all devices connect to the strongest signal AP.

» 802.11r: This standard optimizes and speeds up secure roaming for wireless devices by reducing number of packets exchanged between the client and APs during the roam and preauthenticating the client prior to the roam. Cisco Centralized Key Management (CCKM) fast roaming is standardized in 802.11r.

Cisco 802.11 WLAN Infrastructure Deployment Architecture Summary

• Autonomous
  » No WLAN Controller (WLC): APs managed separately, no centralized configuration
  » Limited centralized radio resource management (RRM), no rogue AP detection
• Centralized
  » Centralized AP management & configuration
  » Centralized RRM, CleanAir, ClientLink, rogue AP detection
  » Traffic visibility at WLC
  » Hairpinning of local site branch traffic at central site, increasing IP WAN traffic
  » WLC throughput concerns
• FlexConnect (branch)
  » Centralized AP management / configuration along with centralized RRM, CleanAir, etc.
  » Reduces unnecessary hairpinning of traffic accessing local site resources
  » Reduces RTT delay, increasing local site application performance
  » Reduced traffic visibility at WLC
• Converged Access (Catalyst 3850 / 3650 / 4500 Sup 8-E)
  » Branch-terminated CAPWAP and traffic visibility at local WLC
  » Wired/wireless in a single box / single OS
  » Hardware cost: switch upgrade

RToWLAN Radio Frequency Design

802.11 Wireless Overview: Wireless Bands and Standards

Band / standard: available channels (1) / non-overlapping channels (2) / maximum bandwidth (3)

• 2.4 GHz
  » 802.11b: 11 (max. 14) / 3 / 11 Mbps
  » 802.11g: 11 (max. 14) / 3 / 54 Mbps
  » 802.11n: 11 (max. 14) / 3 / 54 Mbps
• 5 GHz
  » 802.11n: 20 (max. 24+) / 18 / up to 600 Mbps
  » 802.11a: 20 (max. 24+) / 18 / 54 Mbps
  » 802.11ac: 20 (max. 24+) / 18 / up to 1.3 Gbps [Wave 1], 2.3 (or higher) Gbps [Wave 2]

(1) Check local regulatory domains for supported channels in a location.
(2) Supported non-overlapping channels in the US. Varies by regulatory domain.
(3) Theoretical maximum. Actual throughput will be lower.

The 802.11n and 802.11ac standards support advanced antenna / beamforming technology enabling multiple spatial stream and multi-user MIMO.

• They provide support for wider channel cells (channel bonding); normal channel cells are 20 MHz wide.
  » Channel cell widths of 40 MHz, 80 MHz, and 160 MHz (802.11ac Wave 2) provide increased throughput.
  » Balance increased bandwidth v. reduced density: fewer non-overlapping channels.
  » Requires support on both wireless infrastructure and endpoints.

RECOMMENDATION: Avoid channel bonding (channels greater than 20 MHz) for deployments with large numbers of RToWLAN clients (or non-802.11n / 802.11ac clients).

802.11 Wireless Overview: It Is All About the Channel Cells! (1 of 2)

802.11 WLANs are built on the basis of cells or channel cells.

• Each WLAN infrastructure AP enables an active channel cell for network transport

• Channel cell considerations include:

» Identification and selection of the channel (automatic v. manual)

» Quantity of available channels (determined in part on density of APs and endpoints)

» Proximity of channels and interference (adjacency, overlapping v. non-overlapping)

» Channel size (20 MHz, 40 MHz, 80 MHz…)

802.11 Wireless Overview: It Is All About the Channel Cells! (2 of 2)

802.11 WLANs are built on the basis of cells or channel cells. Typically represented as circles overlaid on a map of the physical environment…

…but in reality they are not perfect circles…

…and they have 3 dimensions.

Site Survey: Verify RF Design and Identify Problems

A site survey is required to ensure the enterprise wireless network maintains acceptable performance while accommodating real-time traffic endpoints, applications, and services.

• The site survey accomplishes the following:
  » Ensures appropriate RF design and AP coverage, including channel design, cell coverage patterns, antenna direction & attenuation, and accommodation of wall densities, structural elements, and "problematic" locations (machinery, elevators, stairwells, areas between buildings)
  » Ensures required bands and traffic rates are enabled and available.
  » Confirms and verifies security mechanism(s) including encryption and authentication.
  » Identifies and eliminates unauthorized wireless sources including rogue APs.
  » Identifies potential interference sources (microwaves, Bluetooth devices, etc.)

Site Survey: When? Where? How?

The site survey should be conducted during expected service times in all service areas of occupied buildings and work spaces, and verified with the planned/expected RToWLAN endpoints.

» RF characteristics of an empty building are quite different from those of an occupied building. Bodies, furniture, and other equipment impact channel cell coverage.

» All devices are not created equal - endpoint/client wireless radios are different, therefore wireless performance can be variable. Survey with and verify the operation and performance of the endpoints/clients that will actually be deployed at the site.

Site Survey: Periodic Repetition

• Site survey is not a one-time activity: regular site surveys should be conducted, particularly when new hardware (devices, APs) or software (firmware, applications) is introduced, and whenever the physical environment changes.

  What about mobile devices (corporate or BYOD)?
  » Use a Mobile Device Management application to restrict mobile devices based on type, firmware version, and applications.
  » Quarantine devices until they come into compliance.

• Use the same site survey tool: in order to have comparable survey results you should use the same survey tool each time.

• Example site survey tools: AirMagnet Survey, Ekahau Site Survey, VisiWave Site Survey

Radio Frequency Design

Proper radio frequency (RF) design is crucial for a successful RToWLAN deployment.

• There are three main RF design recommendations for real-time traffic over WLAN:

1. Channel cell radius or power-level boundary of approximately -67 dBm (or less) – minimizes packet loss.

2. Same-channel cell separation of 19 dBm – minimizes co-channel interference.

3. Minimum of 20% channel cell overlap on non-adjacent channels – ensures seamless roaming between APs.

» RF design must consider 3 dimensions in order to appropriately overlap on non-adjacent channels and avoid co-channel interference.

[Figure: two rows of overlapping cells on channels 11 / 1 / 6 / 11 and 1 / 6 / 11 / 1, with a minimum of 20% overlap between neighbouring cells.]

» These RF design recommendations (channel cell power-level boundary, same-channel cell separation, and non-adjacent channel overlap) generally apply to RToWLAN deployments with wide channel cells enabled (802.11n or 802.11ac).

» 5 GHz improves density and reduces co-channel interference.

General WLAN Design

• Deploy RToWLAN endpoints on the 5 GHz band (802.11 a/n/ac) rather than 2.4 GHz:
  » More bandwidth
  » Higher density
  » Less interference
  » Higher call capacity
• If you must deploy endpoints on the 2.4 GHz band (802.11 b/g/n):
  » No Bluetooth
  » Disable unused lower data rates (1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps)
• Always verify WLAN operation with new devices, firmware, and clients.
• Consider wireless endpoints and infrastructure which support the latest 802.11 standards (e.g. 802.11e, 802.11k, 802.11r). These standards provide improved real-time traffic performance and functionality. Check the specs.

Enterprise-Class WLAN: Measure of Success

Enterprise-class WLAN networks ensure that collaboration and other real-time traffic applications and services deliver a high-quality end-user experience.

• A properly designed enterprise-class WLAN should meet the following minimum requirements:

» ≤ 1% average IP packet loss for collaboration and other RToWLAN application traffic

» ≤ 30 ms average end-to-end delay variation or jitter for collaboration and other RToWLAN application traffic

» ≤ 150 ms average one-way packet delay for collaboration and other RToWLAN application traffic
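Added example, not from the slides: measuring a received real-time stream against the three thresholds above, with loss read from sequence-number gaps and jitter computed with the RFC 3550 interarrival estimator. The packet records are constructed, not captured.

```python
from statistics import mean

# Enterprise-class WLAN minimum requirements from the slide (page values)
MAX_LOSS = 0.01        # <= 1% average IP packet loss
MAX_JITTER_MS = 30.0   # <= 30 ms average delay variation (jitter)
MAX_DELAY_MS = 150.0   # <= 150 ms average one-way delay

def rfc3550_jitter(packets):
    """Interarrival jitter estimator from RFC 3550 section 6.4.1, run over the packets
    in arrival order; packets are (seq, send_ms, recv_ms) tuples."""
    jitter, prev_transit = 0.0, None
    for _, send, recv in packets:
        transit = recv - send
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16
        prev_transit = transit
    return jitter

def assess_stream(packets):
    """Measure a received real-time stream against the three thresholds. Loss is taken
    from gaps in the sequence numbers: real-time traffic is never retransmitted, so a
    missing sequence number is a lost packet, not a late one."""
    seqs = {p[0] for p in packets}
    expected = max(seqs) - min(seqs) + 1
    loss = (expected - len(seqs)) / expected
    delay = mean(recv - send for _, send, recv in packets)
    jitter = rfc3550_jitter(sorted(packets, key=lambda p: p[2]))
    return {"packet_loss": loss, "avg_delay_ms": delay, "jitter_ms": jitter,
            "meets_target": loss <= MAX_LOSS and delay <= MAX_DELAY_MS and jitter <= MAX_JITTER_MS}

def constructed_stream(n=100, ptime_ms=20, base_delay_ms=40, wobble=(0, 2, -1, 3, 0), lost=()):
    """CONSTRUCTED sample, not captured data: an n-packet voice stream with 20 ms
    packetization, a fixed per-packet delay wobble and optional dropped sequence numbers."""
    stream = []
    for seq in range(n):
        if seq in lost:
            continue
        send = seq * ptime_ms
        stream.append((seq, send, send + base_delay_ms + wobble[seq % len(wobble)]))
    return stream

if __name__ == "__main__":
    print(assess_stream(constructed_stream(lost={50})))                 # 1% loss: passes
    print(assess_stream(constructed_stream(lost=set(range(0, 100, 20)))))  # ~4% loss: fails
    print(assess_stream(constructed_stream(base_delay_ms=160)))         # 160 ms delay: fails
```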

Wireless Network Segmentation with Service Set Identifiers (SSIDs)

802.11 service set identifiers (SSIDs) enable wireless network segmentation similar to VLANs on the wired network.

• Administrators use SSIDs to apply separate traffic / feature profiles for different types of wireless devices, providing segmentation based on security, QoS, and roaming requirements.
• Balance segmentation requirements against advertised SSID beacon overhead. Avoid one SSID per device type.

» Voice/Video SSID for wireless hardware voice / video endpoints, e.g. 792x, 886X
» Voice/Video + Data SSID for multifunction hardware endpoints and software clients, e.g. DX series (enhanced mode), Jabber on a corporate desktop/mobile
» Data-Only SSID for non-collaboration wireless devices that only generate data traffic, e.g. guest/BYOD mobile or PC

RToWLAN Quality of Service

Importance of Quality of Service (QoS)

Without quality of service (QoS), the end-user experience with collaboration and other real-time applications and services is compromised:

• Poor voice/video quality – voice clipping and drop-outs, pixelated video, out-of-sync audio/video, etc.

• Slow application response times – delayed dial tone/call setup, delayed IM delivery and presence status updates, slow screen refreshes, etc.

• Feature or function failures – dropped calls, unreliable connections, etc.

QoS Mechanisms

Enterprise QoS is essential for providing a good user experience for users of real-time traffic applications and services. Wireless QoS ensures acceptable application response time and high-quality voice & video.

• Endpoint trust
  » Enterprise QoS depends on the application/endpoint trust model. Can this endpoint be trusted? If not, then remark.
  » Trust depends on the ability to control the endpoint/application and its traffic profile.
  » Restricted or unreliable marking (capability/granularity) or complex traffic profiles = Untrusted.
• Traffic marking/re-marking
  » Enterprise QoS depends on appropriate marking of endpoint traffic (DSCP / PHB and UP).
  » Marking or remarking can be done at the application, endpoint, or network.
• Queuing
  » Enterprise QoS requires end-to-end priority queuing and dedicated bandwidth for real-time traffic flows.
  » QoS marking determines queue assignment.

QoS Overview

• Layer 2: 802.1p CoS field in the Ethernet header (wired) and 802.11e User Priority (UP) field (wireless).
• Layer 3: DSCP (Differentiated Services Code Point) in the IP header ToS field, which selects the PHB (Per-Hop Behavior).

Traffic type*: 802.1p / 802.11e UP / DSCP (PHB)
» Network Traffic (CAPWAP, etc.): 6 / 7 / 48 (CS6)
» Voice: 5 / 6 / 46 (EF)
» Video: 4 / 5 / 34 (AF41)
» Mission Critical: 3 / 4 / 26 (AF31)
» Call Signaling: 3 / 4 / 24 (CS3)
» Transactional: 2 / 3 / 18 (AF21)
» Bulk Data: 1 / 2 / 10 (AF11)
» Best Effort: 0 / 0 / 0 (DF)
» Scavenger: 0 / 1 / 2

Interface network queues: EF priority queue (RToWLAN network traffic and voice), AF41 (video and mission critical), CS3 (call signaling and transactional), and a default queue for all other traffic (bulk data, best effort, scavenger).

* Traffic marking / categories based on RFC 4594.

QoS: Wi-Fi Multimedia (WMM) and Network Access and Queuing

Wi-Fi Alliance interoperability certification based on the 802.11e standard.

• Provides wireless QoS by enabling layer 2 802.11e UP marking of wireless traffic.
• Separates wireless traffic into 4 differentiated service QoS access categories corresponding to 4 traffic queues:
  » 802.11e UP 7, 6: Voice (AC_VO)
  » 802.11e UP 5, 4: Video (AC_VI)
  » 802.11e UP 3, 0: Best Effort (AC_BE)
  » 802.11e UP 2, 1: Background (AC_BK)
  » The 4 traffic queues contend for access to the wireless channel.
  » Each access category of traffic defines specific delay and random back-off characteristics for contention management.
• Ensures high-priority traffic flows get more frequent access to the channel.

RToWLAN benefit: WMM-capable endpoints receive higher-priority throughput on the wireless channel for real-time traffic (WMM AC_VO and AC_VI access categories), ensuring high-quality voice and video.

QoS: Wireless LAN QoS Profile (AireOS)

A platinum QoS profile should be configured on the WLC and applied to all WLANs that will carry real-time traffic.

» Maximum Priority should be set to "voice": this determines the highest allowed DSCP value for traffic on the WLAN (DSCP 46).
» Unicast and Multicast Default Priority should be set to "best effort": this is the default marking applied to all unmarked traffic on the WLAN (DSCP 0).

QoS: Application Visibility and Control (AVC) and QoS Marking

Application Visibility and Control (AVC) is a built-in network-based application recognition (NBAR) feature available on Cisco APs and WLAN controllers.

• For each identified application flow, the network can drop, mark/remark, or permit packets of specific traffic types.

[Figure: AVC on the WLC between the WLAN (802.11) and the wired LAN; voice permitted (EF), video marked, bulk data dropped, best effort; applies upstream and downstream.]

• WLC treatment (drop/mark/permit) occurs on egress in both the upstream and downstream directions.
• The network identifies the traffic type of each flow based on deep packet inspection.
• WLC firmware contains over 1,000 application signatures for identification of application traffic types, including cisco-phone and cisco-jabber-audio/video.

1. Create an AVC profile (AireOS): voice applications marked EF (46), video applications marked AF41 (34), signaling marked CS3 (24).
2. Enable AVC and apply the profile to the WLAN.

Wired and Wireless QoS Mapping

Upstream (wireless client → AP → CAPWAP → WLC → enterprise wired LAN):
1. Layer 2 802.11e wireless UP marking maps to the CAPWAP DSCP layer 3 marking.
2. Layer 3 inner CAPWAP DSCP marking maps to the layer 3 DSCP wired marking.

Downstream (enterprise wired LAN → WLC → CAPWAP → AP → wireless client):
3. Layer 3 DSCP wired marking maps to the CAPWAP DSCP layer 3 marking.
4. Layer 3 DSCP CAPWAP marking maps to the layer 2 802.11e UP wireless marking.

The DSCP of the packet leaving the WLC will be equal to the DSCP of the packet leaving the wireless client.

Wireless QoS and Cisco Wireless Endpoints

Cisco wireless endpoints (Cisco Unified Wireless IP Phones 7925G/G-EX and 7926G; Cisco desk phones 9971, DX, 886x) mark packets with appropriate 802.11e UP values, ensuring more frequent access to the wireless network for real-time traffic.

• Downstream: real-time applications and services traffic gets improved access across the wireless network to the endpoint.
• Upstream: real-time applications and services traffic gets priority queuing / dedicated bandwidth as appropriate when traversing the wired network.

Wireless and Jabber QoS

Cisco Jabber clients (Jabber for Windows and Mac on desktops; Jabber for Android and iOS on mobile devices) map enterprise-QoS-aligned layer 3 packet marking to layer 2 802.11e UP marking, however:

• Mapping may not be performed by the third-party device OS.
• If mapping is done, it may not align with enterprise QoS policy.
• Mapping often cannot be controlled.

Mitigation: Group policy objects (Windows client only) or AVC.

Problematic 1st hop: if there is incorrect / no layer 2 wireless marking at the endpoint, nothing can be done until the traffic reaches the WLC (or AP).

What about trust? Jabber clients run on mobile devices where other applications may generate traffic markings outside of enterprise QoS policy.

Policy Enforcement Point (PEP) for Wireless QoS: AireOS v. IOS XE

If wireless traffic is not marked at layer 2 (UP) by the endpoint, what can be done about it?

• Remarking of traffic streams by AVC in the wireless network occurs at the policy enforcement point (PEP), the QoS remarking boundary.
  » With AireOS, the PEP is at the WLC. Traffic cannot be remarked until packets reach the WLC (client → AP → CAPWAP → WLC → enterprise wired LAN).
  » With IOS XE*, the PEP is at the AP. Traffic can be remarked at the AP (client → AP → CAPWAP → Catalyst / WLC → enterprise wired LAN).
  » With AireOS 8.1 and later, the PEP moves to the AP for FlexConnect deployments.

* IOS XE: Catalyst 3850 / 3650 / 4500 Sup 8-E and 5760 WLC

For Your Reference: Cisco Endpoint and Client QoS Traffic Marking

Endpoint/client: Control (WMM AC_VI) / Voice (WMM AC_VO) / Video (WMM AC_VI)

» Jabber for iOS (iPad, iPhone): Layer 2 UP (802.11e) 0 / 5 / 5; Layer 3 PHB/DSCP CS3 / 24, EF / 46, AF41 / 34
» Jabber for Android: Layer 2 UP (802.11e) 0 / 5 / 5; Layer 3 PHB/DSCP CS3 / 24, EF / 46, AF41 / 34
» Jabber for Windows (desktop): Layer 2 UP (802.11e) 3 / 5 / 4; Layer 3 PHB/DSCP CS3 / 24, EF / 46, AF41 / 34
» Jabber for Mac (desktop): Layer 2 UP (802.11e) 0 / 5 / 5; Layer 3 PHB/DSCP CS3 / 24, EF / 46, AF41 / 34
» Unified IP Phones (DX650/70/80, 886x, 9971): Layer 2 UP (802.11e) 4 / 6 / 5; Layer 3 PHB/DSCP CS3 / 24, EF / 46, AF41 / 34
» Unified Wireless IP Phones (7925G/G-EX, 7926G): Layer 2 UP (802.11e) 4 / 6 / –; Layer 3 PHB/DSCP CS3 / 24, EF / 46, –

Please consult applicable product documentation or verify QoS marking with the latest available endpoint firmware or client software.
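Added example (not Cisco's code): the marking table, the WMM access categories, the platinum profile bounds and the CAPWAP mapping steps from the QoS slides as one model, applied to the endpoint markings listed above to show which rows land in the wrong WMM queue until the PEP remarks them. The UP 4 reverse mapping and the fallback for DSCP values not in the table are assumptions.

```python
# Slide 36 marking table (RFC 4594 based, page values): class -> (802.1p CoS, 802.11e UP, DSCP)
MARKING = {
    "network control":  (6, 7, 48),   # CS6 (CAPWAP control traffic etc.)
    "voice":            (5, 6, 46),   # EF
    "video":            (4, 5, 34),   # AF41
    "mission critical": (3, 4, 26),   # AF31
    "call signaling":   (3, 4, 24),   # CS3
    "transactional":    (2, 3, 18),   # AF21
    "bulk data":        (1, 2, 10),   # AF11
    "best effort":      (0, 0, 0),    # DF
}
DSCP_TO_UP = {dscp: up for _, up, dscp in MARKING.values()}
# UP 4 is listed twice on the slide (AF31 and CS3); CS3 is used for the reverse map (ASSUMPTION).
UP_TO_DSCP = {7: 48, 6: 46, 5: 34, 4: 24, 3: 18, 2: 10, 0: 0}

def wmm_access_category(up):
    """Slide 37: the four WMM access categories by 802.11e UP."""
    return {7: "AC_VO", 6: "AC_VO", 5: "AC_VI", 4: "AC_VI",
            3: "AC_BE", 0: "AC_BE", 2: "AC_BK", 1: "AC_BK"}[up]

def up_for_dscp(dscp):
    """Layer 3 DSCP -> layer 2 UP. Values not in the table fall back to their top three
    bits (ASSUMPTION: the precedence-style default; check the WLC's actual map)."""
    return DSCP_TO_UP.get(dscp, dscp >> 3)

PLATINUM = {"max_dscp": 46, "default_dscp": 0}   # slide 38: max priority voice, default best effort

def apply_wlan_profile(dscp, profile=PLATINUM):
    """Unmarked traffic takes the default priority; no marking may exceed the maximum."""
    return profile["default_dscp"] if dscp is None else min(dscp, profile["max_dscp"])

def upstream(client_up, inner_dscp):
    """Slide 42, client -> wired: the frame's UP sets the CAPWAP outer DSCP (step 1); the
    inner DSCP, bounded by the WLAN profile, is what leaves the WLC on the wire (step 2)."""
    return UP_TO_DSCP.get(client_up, 0), apply_wlan_profile(inner_dscp)

def downstream(wired_dscp):
    """Slide 42, wired -> client: the wired DSCP becomes the CAPWAP DSCP (step 3) and the
    AP turns it into the 802.11e UP the frame is queued with (step 4)."""
    capwap_dscp = apply_wlan_profile(wired_dscp)
    return capwap_dscp, up_for_dscp(capwap_dscp)

# Slide 47 endpoint markings: endpoint -> traffic -> (layer 2 UP, layer 3 DSCP)
ENDPOINT_MARKING = {
    "Jabber for iOS":             {"control": (0, 24), "voice": (5, 46), "video": (5, 34)},
    "Jabber for Android":         {"control": (0, 24), "voice": (5, 46), "video": (5, 34)},
    "Jabber for Windows":         {"control": (3, 24), "voice": (5, 46), "video": (4, 34)},
    "Jabber for Mac":             {"control": (0, 24), "voice": (5, 46), "video": (5, 34)},
    "Unified IP Phones":          {"control": (4, 24), "voice": (6, 46), "video": (5, 34)},
    "Unified Wireless IP Phones": {"control": (4, 24), "voice": (6, 46)},
}

def endpoint_marking_mismatches():
    """Rows where the endpoint's layer 2 UP lands in a different WMM access category than
    its layer 3 DSCP implies. Until the PEP (WLC, or AP on IOS XE / AireOS 8.1 FlexConnect)
    remarks them, these frames contend for the channel in the wrong queue."""
    mismatches = []
    for endpoint, rows in ENDPOINT_MARKING.items():
        for traffic, (up, dscp) in rows.items():
            marked, wanted = wmm_access_category(up), wmm_access_category(up_for_dscp(dscp))
            if marked != wanted:
                mismatches.append((endpoint, traffic, marked, wanted))
    return mismatches

if __name__ == "__main__":
    for row in endpoint_marking_mismatches():
        print(row)
```

Every Jabber row for control and voice comes out mismatched (AC_BE instead of AC_VI, AC_VI instead of AC_VO) while the Cisco phones match, which is the trusted-versus-untrusted split the endpoint-selection slide draws.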

RToWLAN Security

Wireless Security Overview

Given the shared network access medium of 802.11 wireless, WLAN traffic is visible to any WLAN device within the radio frequency (RF) range of the infrastructure. This presents the following challenges:

• Providing privacy for users and devices of the WLAN from unauthorized users or devices.
• Providing privacy for authorized users and devices of the WLAN from each other.
• Providing privacy for multicast and broadcast WLAN traffic.
• Differentiating between users and devices on the WLAN.

RToWLAN applications and services should be deployed securely with user and device authentication and traffic encryption to ensure:

» Only authorized users and their devices are given access to the network.
» Real-time traffic flows are protected from interception and eavesdropping.

WLAN Security

• Open: the security scheme provides no encryption or authentication.
  » No protection from unauthorized access, traffic interception, and eavesdropping. Generally considered undesirable when deploying an enterprise WLAN.
  » Open WLAN SSIDs provide limited network access for basic guest access (Internet) or to onboard personal or non-corporate devices in bring-your-own-device (BYOD) scenarios.
• WPA / WPA2 Personal (Shared Key): security schemes provide encryption and authentication.
  » No per-user/per-device authentication: WPA/WPA2 Personal relies on a pre-shared key for client authentication used by all users/clients.
  » The session encryption key is derived during the initial cryptographic handshake and provides unique per-user / per-session encryption.
  » No requirement for an AAA server. Ideal for small or multi-site deployments.
• WPA / WPA2 Enterprise (Server Based) – RECOMMENDED: the security scheme relies on 802.1X with EAP for authentication and encryption.
  » Requires an Authentication, Authorization, and Accounting (AAA) server for Extensible Authentication Protocol (EAP) authentication.
  » Provides highly secure WLAN authentication and communications encryption without the vulnerabilities of shared key schemes.
  » EAP methods include: EAP-FAST, EAP-TLS, and PEAP.

Extensible Authentication Protocol (EAP): Authentication Flow

The wireless EAP authentication process relies on:
» 802.1X frames between the wireless client and the WLAN controller (WLC) for network access
» RADIUS between the WLC and ISE (AAA server) for authentication

Message flow (wireless client ↔ wireless AP ↔ WLAN controller ↔ Identity Services Engine (ISE) on the enterprise network):
1. WLC → client: EAP Identity Request
2. Client → WLC: EAP Identity Response; WLC → ISE: RADIUS Access Request [EAP Identity]
3. ISE → WLC: RADIUS Access Challenge [EAP Request – EAP Type]; WLC → client: EAP Request – EAP Type
4. Client → WLC: EAP Response – EAP Type [Credentials]; WLC → ISE: RADIUS Access Request [EAP Response – EAP Type] (the authentication conversation between client and ISE/AAA; steps 3 and 4 repeat as the EAP method requires)
5. ISE → WLC: RADIUS Access Accept [EAP Success]; WLC → client: EAP Success

EAP: Encryption and the 4-Way Handshake

After successful client 802.1X authentication (RADIUS Access Accept / EAP Success):
» The pairwise master key (PMK) resulting from EAP authentication, now held by both the client and the WLC, is used to derive the pairwise transient key (PTK) in the 4-way cryptographic handshake:
  1. WLC → client: EAPOL-Key (ANonce)
  2. Client → WLC: EAPOL-Key (SNonce, MIC)
  3. WLC → client: EAPOL-Key (encrypted GTK, MIC)
  4. Client → WLC: EAPOL-Key (acknowledge, MIC)
» The PTK is used to encrypt traffic on the connection. Secure connection established; traffic encrypted.

EAP: Wireless 802.1X

Port-based 802.1X network access, as part of the EAP mechanism, restricts client access on the network to 802.1X frames until the client is successfully authenticated and an encrypted session has been established.

1. A virtual port is created on the AP for the wireless client.
2. Port blocked: only 802.1X traffic is allowed (STOP), until
   » successful EAP authentication
   » an encrypted session is established
3. Once the client is authenticated, all traffic is permitted to flow through the virtual port (port unblocked, GO).

Wireless Security Goal

Balance end-user experience against enterprise security policies when selecting WLAN security method(s).

WPA / WPA2 Enterprise • Implement the strongest security mechanism(s) possible. (802.1X with EAP)

• Secure access without user intervention* increases WLAN EAP-TLS** with PKI attachment rate and speeds up authentication & roaming. client / server certificates

802.1X / EAP with • Enable fastest, most secure roaming 802.11r FT or CCKM

• Corporate policy, wireless infrastructure and endpoint type will ultimately dictate the mechanism(s) deployed. Wireless LAN

* After initial enrollment (802.11) ** Consider EAP-FAST or PEAP for 56 endpoints without EAP-TLS support RToWLAN Roaming

Seamless Roaming

Seamless roaming between APs enables mobile wireless endpoints to maintain uninterrupted network connectivity as they move within the enterprise location/site.
• To facilitate seamless roaming:
» Avoid roaming across subnet boundaries. An endpoint IP address change will result in dropped calls and connections. Controller-based deployments enable roaming within a mobility group (a set of APs controlled by one or more WLCs) without requiring client IP address changes.
» Avoid inter-band roaming. Moving between bands causes association delays and slower roaming.
» Enable the same SSID (i.e. network name) across the wireless infrastructure. Moving between SSIDs causes association delays and slower roaming.

Fast Secure Roaming

Fast secure roaming enables wireless endpoints in motion to maintain secure network connectivity when transitioning between APs. To facilitate fast secure roaming:
» Roaming endpoints must have a clear picture of the currently available neighboring APs in order to identify a viable target “roam-to” AP (802.11k).
» The endpoint must authenticate or re-authenticate to the “roam-to” AP using a fast keying/authentication method (802.11r, CCKM).
» The network transition to the “roam-to” AP must occur prior to loss of signal or communication with the “roam-from” AP.

Client Roaming: Authentication/Re-authentication Impact on Roam Time

• Authentication or re-authentication of a wireless client during roaming adds delay to the overall roam process.
• How much delay? It depends on the authentication method used on the WLAN.
» Open or shared key (WEP, WPA/WPA2-Personal) authentication: minimal impact on overall roam time. Requires no communication between the client and an authentication server.
» 802.1X/EAP (WPA/WPA2-Enterprise) authentication: delayed roaming, latency may exceed 1 second. The requirement for communication between the client and the authentication server (ISE/AAA on the wired LAN, reached through the WLAN controller), as well as cryptographic overhead at client and server, results in perceptible gaps in voice and video calls.

Fast Secure Roaming Algorithms

• 802.11 fast secure roaming reduces gaps in traffic during roaming while maintaining secure connectivity.
• The focus of these algorithms is to minimize the delay (> 1 second with plain 802.1X/EAP) introduced by the authentication conversation between the client and ISE/AAA (the EAP Request/Response – EAP Type exchange carried in RADIUS Access Challenge / Access Request messages).
• Fast roaming algorithms and the endpoints that support them:
» Cisco Centralized Key Management (CCKM): 792x, 9971, DX
» Proactive Key Cache (PKC)
» 802.11r Fast Transition (FT): 886x, mobile devices (latest Android / Apple models)
• Even with fast roaming, very slight gaps in the real-time traffic stream may still occur during the roaming event.
• With proper WLAN design and optimization of roam operations within the network, voice, video, and other real-time traffic connections and quality are maintained.

Note: 802.11r mixed mode (supported with AireOS 8.0 and later) enables non-802.11r wireless clients with updated drivers to associate to 802.11r enabled SSIDs. This prevents the need for a separate WLAN/SSID for 802.11r clients. Check the specs of your clients.

Client Roaming: Fast Roaming Algorithms (For Your Reference)

Fast roaming algorithms accelerate the 802.1X/EAP authentication/re-authentication process, reducing latency and reducing gaps in real-time wireless traffic.

• Cisco Centralized Key Management (CCKM) – Cisco specification supported with CCX*
» The roaming client and WLC leverage pre-established keying material to quickly derive a new key for re-establishing connectivity with the new AP (standardized in 802.11r).

• Proactive Key Cache (PKC) – Extension to the 802.11i standard specification supported with WPA2
» Caches the WPA pairwise master key (PMK) previously derived during an earlier 802.1X/EAP authentication. Caching occurs prior to the client roaming so that on roam, the client can authenticate quickly.

• Fast Transition (FT) Roaming – 802.11r standard specification supported with WPA/WPA2
» Wireless clients pre-authenticate to the new AP prior to roaming. Roams occur more quickly because authentication has already occurred, requiring fewer packets to be exchanged between AP and client.

* Cisco Compatible Extensions (CCX)

RToWLAN Summary

RToWLAN – Key Takeaways

• Wireless LAN is shared (think hub) – Shared medium, never as good as wired, but an enterprise class WLAN with the right endpoints will get you close.
• 5 GHz – Provides denser deployments with less interference. And you can keep your Bluetooth headset!
• Site Survey (regularly) – Verify the wireless radio frequency design, identify (and then mitigate) sources of interference, confirm client network authentication and roaming.
• Quality of service – Enabling and configuring QoS on the wireless network ensures priority treatment for real-time traffic across both the wireless and wired LANs.
• Security – When selecting WLAN security mechanism(s) consider both strength of security and speed of authentication. Security policy and devices will dictate the security mechanism.
• Fast roaming and authentication – Enabling fast roaming and authentication keying (802.11r FT, CCKM) ensures that active calls are maintained for users on the move.

BOTTOM LINE: Successful real-time traffic applications and services deployments require a well designed enterprise class wireless network.

RToWLAN SRND (For Your Reference)

For more information on voice, video and other collaboration applications and services over WLANs see the Real-time Traffic over WLAN SRND available at: http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/RToWLAN/CCVP_BK_R7805F20_00_rtowlan-srnd.html

Related SRNDs/design guides:

• Collaboration Design: Refer to the latest Collaboration SRND at http://www.cisco.com/go/ucsrnd

• General Wireless Network Design: See the Enterprise Mobility SRND available at http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73.html

Additional Resources (For Your Reference)

For additional information on RToWLAN related Cisco solutions refer to product documentation and design/deployment guides:
• Cisco Unified Wireless: Refer to wireless product information at http://www.cisco.com/go/wireless
• Cisco Wireless IP Phones: Refer to deployment guides at
» 792x Series: http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phone-7900-series/products-implementation-design-guides-list.html
» DX series: http://www.cisco.com/c/en/us/support/collaboration-endpoints/desktop-collaboration-experience-dx600-series/products-implementation-design-guides-list.html
» 9971: http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phones-9900-series/products-implementation-design-guides-list.html
» 886x: http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phone-8800-series/products-implementation-design-guides-list.html
• Cisco Jabber: Refer to Jabber product information at http://www.cisco.com/go/jabber
• Cisco Collaboration: Refer to collaboration & UC product information at http://www.cisco.com/go/collaboration
• Cisco Prime Infrastructure: Refer to Cisco Prime product information at http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html
• QoS Design: Refer to QoS design guides at http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-application-performance/landing_voice_video.html

Want More Wireless?

• BRKEWN-2022 Converged Access Mobility Design & Feature Update » Wednesday, February 17th / 2:30 PM
• BRKEWN-2670 Best Practices for Configuring Cisco Wireless LAN Controllers » Wednesday, February 17th / 2:30 PM
• BRKEWN-2017 Understanding RF Fundamentals and Radio Design for 11ac Wireless Networks » Wednesday, February 17th / 4:30 PM
• BRKEWN-2011 Managing an Enterprise WLAN with Cisco Prime Infrastructure » Thursday, February 18th / 9 AM
• Sessions earlier this week:
» BRKEWN-2000 Design and Deployment of Wireless LANs for Mobile Applications
» BRKEWN-2010 Design and Deployment of Enterprise WLANs
» BRKCRS-2501 Campus QoS Design-Simplified

Call to Action

• Visit the World of Solutions for
» Cisco Campus
» Walk in Labs
» Technical Solution Clinics
• Meet the Engineer: Matt Jordy – walk-in meeting hours:
» Wednesday, Feb. 17: 2 – 5 PM
» Thursday, Feb. 18: 3 – 5 PM
• Lunch and Learn Topics
• DevNet zone related sessions

Complete Your Online Session Evaluation (BRKCOL-2275)

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.

Thank you


Appendix

Cisco 802.11 WLAN Infrastructure Deployment Architecture

Controller-based wireless LAN (with “lightweight” APs): wireless LAN controller (WLC) and wireless access points (APs).
» The WLC controls and manages the APs.
» Enables dynamic RF management and automatic AP provisioning, configuration, and software management.
» APs rely on CAPWAP* tunneling of all traffic to the WLAN controller.

Local Mode: WLC and APs co-located in the same (central) site. Wireless endpoints attach to the enterprise WLAN (802.11) through the APs; the WLC connects to the enterprise wired LAN.
Out of scope: distributed “autonomous” / “standalone” APs.

74

* Control and Provisioning of Wireless Access Points (CAPWAP)

Cisco 802.11 WLAN Infrastructure Deployment Architecture: Multi-site

Controller-based WLAN and multi-site deployments:
» Local Mode: WLC and APs co-located in the same site (central site).
» Option 1: Distributed WLC (Local Mode)
• A WLC at each site manages the local site APs.
• Mobility Groups for integrating WLCs across sites.
» Option 2: FlexConnect with local switching
• Branch site APs are managed by a centralized WLC across the enterprise WAN (FlexConnect: WLC and APs separated by the WAN).
• Local traffic is switched at the AP without need for WAN / CAPWAP tunnel traversal.

Cisco 802.11 WLAN Infrastructure Deployment Architecture: Converged Access

Converged access for branch sites: Catalyst 3850, 3650, and 4000 series access layer switches.
• Integrated wired and wireless capabilities on the same IOS box (IOS XE 3.2 and later).
» Built-in WLC with support for local AP attachment and CAPWAP tunnel termination.
• No CAPWAP tunneling over the WAN.
• Improved QoS
» QoS mapping/marking is handled at the local site rather than at the head-end WLC.
» Granular IOS-based QoS v. AireOS precious metals QoS WLAN profiles.

Call Admission Control

Wireless call admission control (CAC) is a critical aspect for voice and video over WLAN calling as it ensures that calls are not set up if the wireless AP is congested/busy.

Two types of wireless CAC and endpoint support:
» 802.11e CAC using TSPEC/ADDTS
• Cisco IP Phones 7925G/G-EX, 7926G: Yes
• Cisco IP Phones 9971, 886x, DX650/70/80: Yes (9971, 886x), No (DX650/70/80)
• Cisco Jabber Desktop: Not supported
• Cisco Jabber Mobile: Not supported
» Cisco Unified Wireless SIP CAC (media session snooping)
• Not recommended with TCP-based SIP*

* With TCP-based SIP, if the WLAN is busy, it will stop forwarding all upstream/downstream SIP packets, resulting in potential loss of device registration.

Cisco WLAN RF Capabilities for Improved RToWLAN Performance: CleanAir

Cisco CleanAir technology
• System-wide Cisco Unified Wireless Network capability that enables self-healing and self-optimizing wireless networks
• Built-in chipset-level spectrum intelligence and management
• Detects and identifies sources of wireless and non-wireless interference and then makes dynamic adjustments to optimize wireless coverage
• Integrated with Cisco Aironet APs including the 3700, 3600, 2700, and 2600 series
» RToWLAN benefit: Improved WLAN performance and reliability ensures real-time traffic applications and services are able to deliver a high quality end-user experience

Cisco WLAN RF Capabilities for Improved RToWLAN Performance: ClientLink

Cisco ClientLink technology
• Cisco Unified Wireless Network AP intelligent wireless signal beamforming technology specifically for use on mixed-client networks.
• Optimizes overall network capacity by helping to ensure that 802.11a/g, 802.11n and 802.11ac clients all operate at the highest possible rates.
• Requires no feedback or capabilities at the wireless endpoint.
• Feature is on by default with 7.2 and later versions of Cisco Unified Wireless firmware and available with Aironet APs including the 3700, 3600, 2700, and 2600 series.
» RToWLAN benefit: Ensures optimized throughput and performance for ALL RToWLAN endpoints including personal or guest mobile devices (BYOD)

Hotspots & Internet

• Public/private Wi-Fi hotspots (home, hotel, airport, coffee shop…)
» Everywhere, convenient, but NOT usually enterprise class
x Usually unmanaged, often unreliable
x Not optimized for real-time traffic: No end-to-end QoS, best-effort bandwidth based on network utilization and capacity
x Poor throughput, jitter, delay, and packet-loss can occur before traffic even leaves the wireless network
• Even if the hotspot is enterprise caliber and managed/optimized for real-time traffic… there is always the Internet:
» Always unmanaged
» More best-effort bandwidth, more potential for poor throughput, jitter, delay, & packet loss.

Channel Cell Call Capacity

WLAN channel cell call capacity is an important design consideration when deploying RToWLAN networks.
• Per 802.11 a/n (5 GHz) and 802.11 g/n (2.4 GHz) channel cell (with Bluetooth disabled) capacities:
» Maximum of 27 simultaneous voice over WLAN (VoWLAN) bidirectional streams with 24 Mbps or higher data rates enabled
» Maximum of 8 simultaneous voice and video over WLAN (VVoWLAN) bidirectional streams assuming a video resolution of 720p (high-definition) and a video bit rate of up to 1 Mbps
• Call capacity oversubscription of the RToWLAN infrastructure results in dropped wireless connections, poor voice and video quality, and delayed or even failed call setups.
• Reduce the chances of oversubscribing an RToWLAN by deploying sufficient numbers of APs to handle the required call capacities.

Open Security (WLAN Security Meter: Unsecure)

• This security scheme provides no encryption or authentication: no protection from unauthorized access, traffic interception, and eavesdropping.
• Generally considered undesirable when deploying an enterprise WLAN but… open WLAN SSIDs provide limited network access for basic guest internet access or to onboard personal or non-corporate devices in bring-your-own-device (BYOD) scenarios.

Design Tip: When implementing an open security scheme, remember to segment the open (guest access / BYOD) WLAN SSIDs/networks from the rest of the enterprise network to prevent unauthorized access.

Shared Key Security: WPA/WPA2 Personal

• The Wi-Fi Protected Access (WPA) and WPA2 security schemes provide both encryption and authentication* (WLAN Security Meter: Secure).
• WPA/WPA2 Personal relies on a pre-shared key for client authentication. This key is used by all users/clients: no per-user/per-device authentication.
• The WPA/WPA2 encryption key derived during the initial cryptographic handshake provides unique per-user and per-session encryption.
• Advantage: No requirement for an AAA server. Ideal for small or multi-site deployments.

Design Tip: Use strong keys to prevent successful dictionary attacks when leveraging pre-shared key security mechanisms.

* Improvements over WEP: TKIP (WPA) / AES (WPA2) encryption using a unique per-user/per-session key.

Server-based Security: WPA/WPA2 Enterprise (WLAN Security Meter: Most Secure)

• The WPA/WPA2 Enterprise security scheme relies on 802.1X with Extensible Authentication Protocol (EAP) for authentication and encryption, enabling per user/device authentication and encryption.
» EAP methods include: EAP-FAST, EAP-TLS, and PEAP

• Authentication: Requires an Authentication, Authorization, and Accounting (AAA) server.

• Advantage: Provides highly secure EAP wireless network authentication and communications encryption without the vulnerabilities of shared key schemes (EAP over 802.1X between the client and the WLAN controller, RADIUS between the WLAN controller and the AAA server).

Design Tip: Enable the fastest, most secure WLAN roaming and automatic wireless attachment without user intervention by relying on PKI certificate-based server and client authentication (e.g. EAP-TLS).

Additional Security Considerations: Threat Detection and Mitigation

Cisco Unified Wireless infrastructure supports a number of features and functions to detect and mitigate RF and security issues on the WLAN including:
• Rogue AP detection and mitigation
» Cisco Unified Wireless Infrastructure is capable of rogue AP detection based on beacon and probe sniffing.
» The system determines the location of the rogue AP based on changing RF characteristics as compared to the known state of the managed network.
» Once located and identified, the system isolates the AP by adjusting RF parameters and disallowing client connections to the AP.
• Intrusion Detection System (IDS)
» The Cisco WLC contains built-in IDS capabilities and standard IDS attack signatures enabling the system to detect, analyze, and report attacks to the wireless and network management systems.
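To make the rogue AP detection bullets concrete, the following is an added example (not Cisco's code and not how the WLC implements the feature) of the classification step: beacons and probe responses heard by managed AP radios are compared against the managed-AP inventory, and anything unknown is graded by whether it advertises a corporate SSID and by how loudly the nearest managed radio hears it. The inventory, the observations, the class names and the RSSI threshold are constructed for the example; the "strongest sighting" heuristic is a stand-in for the RF-based location the slide mentions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str       # AP radio MAC as seen over the air
    ssid: str
    channel: int
    rssi_dbm: int    # signal strength at the detecting (managed) AP
    heard_by: str    # name of the managed AP whose radio heard it


# Constructed inventory: BSSID -> (AP name, SSIDs it should advertise, expected channel).
MANAGED_APS = {
    "00:aa:bb:cc:dd:01": ("AP-Floor1-A", {"Corp-Voice", "Corp-Guest"}, 36),
    "00:aa:bb:cc:dd:02": ("AP-Floor1-B", {"Corp-Voice", "Corp-Guest"}, 40),
}
CORP_SSIDS = {"Corp-Voice"}   # SSIDs that only managed APs may advertise
ALERT_RSSI_DBM = -70          # louder than this at a managed radio: likely on premises (assumed)


def classify(b: Beacon) -> str:
    """managed | misconfigured | honeypot | rogue | neighbor."""
    known = MANAGED_APS.get(b.bssid.lower())
    if known:
        _, ssids, chan = known
        if b.ssid in ssids and b.channel == chan:
            return "managed"
        return "misconfigured"   # our own radio on an unexpected SSID or channel: check WLC config
    if b.ssid in CORP_SSIDS:
        return "honeypot"        # unknown BSSID advertising a corporate SSID
    if b.rssi_dbm >= ALERT_RSSI_DBM:
        return "rogue"           # unknown AP heard loudly enough to be inside the site
    return "neighbor"            # weak unknown AP, most likely a neighbouring business


def triage(beacons):
    """Collapse repeated observations per BSSID into the strongest sighting and classify it.
    Returns {bssid: (class, managed AP that heard it best, RSSI at that AP)}."""
    best = {}
    for b in beacons:
        key = b.bssid.lower()
        if key not in best or b.rssi_dbm > best[key].rssi_dbm:
            best[key] = b
    return {key: (classify(b), b.heard_by, b.rssi_dbm) for key, b in best.items()}


# Constructed observations, as a WLC might collect them from its AP radios.
SAMPLE = [
    Beacon("00:aa:bb:cc:dd:01", "Corp-Voice", 36, -40, "AP-Floor1-A"),
    Beacon("00:aa:bb:cc:dd:02", "Corp-Voice", 44, -55, "AP-Floor1-A"),   # managed radio, wrong channel
    Beacon("de:ad:be:ef:00:01", "Corp-Voice", 6, -62, "AP-Floor1-B"),    # unknown BSSID, corporate SSID
    Beacon("de:ad:be:ef:00:02", "Setup-Router", 1, -58, "AP-Floor1-A"),  # loud unknown AP
    Beacon("de:ad:be:ef:00:02", "Setup-Router", 1, -85, "AP-Floor1-B"),  # same AP, heard weakly elsewhere
    Beacon("de:ad:be:ef:00:03", "CoffeeShop", 11, -88, "AP-Floor1-B"),   # weak unknown AP
]

if __name__ == "__main__":
    for bssid, verdict in triage(SAMPLE).items():
        print(bssid, verdict)
```

The "misconfigured" class is worth keeping separate from "rogue": a managed radio that shows up on the wrong channel or SSID is a configuration or RRM problem to fix on the WLC, not an AP to contain, and lumping the two together hides the difference in the management system's reports.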

NOTE: Wired network threat detection and mitigation features (e.g. port security, DHCP snooping, dynamic ARP inspection, etc.) should be configured as these are the first line of defense against wired-side attacks.

Client Roaming Decision: Roam Triggers

The following common situations generally cause a wireless LAN endpoint to initiate a roam from one AP to another:
» Maximum data retry threshold exceeded: Excessive data retries will trigger a roam.
» Low signal-to-noise ratio (SNR): When the difference between receive signal strength and the noise floor drops below a threshold, a roam is triggered.
» Low received signal strength indicator (RSSI): A roam is triggered when the receive signal strength at the wireless client drops below a threshold.
» Vendor-specific and/or standards-based triggers may also cause a roam based on certain network conditions. For example, a call admission control denial in the network might trigger a roam.
(Figure: RSSI decreases from the “roam-from” AP and increases toward the “roam-to” AP as the client moves.)

Next step: Once the client determines a roam is required, it must evaluate and select a neighboring AP to roam to.

Client Roaming Decisions: Channel Scanning

Channel scanning enables wireless clients to learn about currently available neighboring APs and determine viable targets for roaming.
• Active v. Passive scanning
» Active scanning: The wireless client sends a probe request on each channel it scans and waits for probe responses from the AP(s).
» Passive scanning: The wireless client waits for the periodic beacon from the AP(s) on each channel it scans.
• Active scanning is preferred because it lowers the latency of each scan. The client does not have to wait for the beacon interval to receive neighboring AP information, which speeds up per-channel scan time.
• Vendor-specific attributes enable alterations of client scan algorithms to minimize the impact of scanning on client performance.

NOTE: The wireless device is unable to transmit client traffic during channel scans.

Client Roaming Decisions: Selection of Target AP

Information from channel scanning is used by the wireless client to select the best target AP for continued wireless connectivity. Wireless client: “I need to roam… what is the best AP to roam to?”
• Wireless clients build and maintain a list of candidate “roam-to” APs based on variables including RSSI, SNR, number of clients per AP, and channel load.
• The list of candidate APs is derived from scan information and neighbor lists:
» Background scans (active or passive channel scanning prior to the roam trigger)
» On-roam scans (active or passive channel scanning after the roam is triggered)
» Wireless APs provide lists of current neighboring APs (e.g. 802.11k neighbor lists)
• Based on a client-specific algorithm, the wireless client uses the list of candidate APs and information about each AP to determine the best “roam-to” target AP.
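The three slides above (roam triggers, scanning, target selection) describe one decision loop that client drivers implement in their own proprietary ways. As an added example, not from the session and not any vendor's algorithm, the code below evaluates the four listed triggers on a link sample, scores the candidate list by SNR, client count and channel load, rejects off-band and off-SSID candidates (the seamless roaming guidance), and applies a hysteresis margin so a marginal candidate does not cause ping-pong roams. All thresholds, weights and the sample scan results are constructed.

```python
from dataclasses import dataclass


@dataclass
class LinkSample:
    """What the client measures on its current AP (constructed units: dBm, retry count)."""
    rssi_dbm: int
    noise_dbm: int
    retries: int            # data retries since the last sample
    cac_denied: bool = False  # network-side trigger, e.g. a CAC denial


@dataclass
class Candidate:
    """One entry of the candidate roam-to list built from scans / 802.11k neighbor lists."""
    bssid: str
    rssi_dbm: int
    noise_dbm: int
    clients: int
    channel_load_pct: int
    same_band: bool
    same_ssid: bool = True


# Constructed thresholds; real clients use vendor-specific values.
RSSI_MIN_DBM = -70
SNR_MIN_DB = 20
RETRY_MAX = 8


def roam_reasons(s: LinkSample) -> list:
    """Return the triggers that fire on this sample (empty list: stay put)."""
    reasons = []
    if s.retries > RETRY_MAX:
        reasons.append("retry-threshold")
    if s.rssi_dbm - s.noise_dbm < SNR_MIN_DB:
        reasons.append("low-snr")
    if s.rssi_dbm < RSSI_MIN_DBM:
        reasons.append("low-rssi")
    if s.cac_denied:
        reasons.append("cac-denial")
    return reasons


def score(c: Candidate) -> float:
    """Higher is better: reward SNR, penalise loaded APs; never pick another band or SSID."""
    if not (c.same_band and c.same_ssid):
        return float("-inf")
    snr = c.rssi_dbm - c.noise_dbm
    return snr - 0.5 * c.clients - 0.2 * c.channel_load_pct


def choose_target(current: LinkSample, candidates, hysteresis_db: int = 6):
    """Return (bssid to roam to or None, list of triggers that fired)."""
    reasons = roam_reasons(current)
    if not reasons:
        return None, reasons
    viable = [c for c in candidates if score(c) != float("-inf")]
    if not viable:
        return None, reasons
    best = max(viable, key=score)
    # Hysteresis: only move if the target is clearly stronger than where we are.
    if best.rssi_dbm < current.rssi_dbm + hysteresis_db:
        return None, reasons
    return best.bssid, reasons


if __name__ == "__main__":
    scan = [  # constructed scan results
        Candidate("ap-a", -60, -95, 12, 30, True),
        Candidate("ap-b", -55, -95, 40, 80, True),   # strong but heavily loaded
        Candidate("ap-c", -50, -95, 2, 5, False),    # strongest, but on the other band
        Candidate("ap-d", -72, -95, 1, 10, True),    # barely better than the current AP
    ]
    print(choose_target(LinkSample(-74, -95, 3), scan))
```

Note how the load terms change the outcome: ap-b has the best SNR among same-band candidates but its 40 clients and 80% channel load push it below ap-a, which is the behaviour you want for a voice client heading into a cell that is already near its call capacity.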

High Availability

Highly available RToWLAN deployments require WLAN network attachment services (association, authentication, encryption) and real-time traffic applications and services (voice/video call control, etc.) to be fault tolerant and highly resilient.
• Replicate key security authentication services (AAA, Certificate Authority, LDAP directory, etc.) to accommodate failure scenarios including loss of communication between a remote site and a centralized authentication server. [FlexConnect local authentication]
• Replicate key WLAN infrastructure components (APs, WLCs) to maintain network service in the event of hardware or firmware failure.
• Use node clustering for collaboration application servers/VMs (Unified CM, IM & Presence, etc.) in order to prevent service outages during instances of node failure.
• Actively monitor and maintain the WLAN and collaboration infrastructure using management applications like Cisco Prime Infrastructure and Cisco Prime Collaboration.