Cisco Catalyst 6500 Series Wireless LAN Services Module: White Paper
The Cisco Structured Wireless-Aware Network (Cisco SWAN) framework now includes the Cisco Catalyst 6500 Series Wireless LAN Services Module (WLSM). This document focuses on the WLSM and its integration into the Cisco SWAN framework. The WLSM offers these important benefits to the Catalyst 6500 series switches:
•Very fast Layer 2 and Layer 3 roaming (less than 50 ms) for mobile users registered with the WLSM. This is especially important for Voice over IP (VoIP) support.
•Increased scalability supporting up to 300 access points and up to 6000 mobile users.
•Simplified wired and wireless network management provided by a single entry point into the wired network for both wireless LAN control and user data.
•A single quality of service (QoS) and security policy for all wireless users in a subnet. This is provided by a centralized entry point to the network using fast secure roaming tunnels (FSRTs) via a multipoint generic routing encapsulation (mGRE) tunnel on the Cisco Catalyst 6500 Series Supervisor Engine.
•Support for multiple service set identifiers (SSIDs) and VLANs on the access point, enabling wireless data traffic to be segregated into different roaming subnets or mobility groups.
•Failover to a secondary WLSM using the Hot Standby Router Protocol (HSRP).
•A centralized point for troubleshooting and debugging.
•Support for advanced Catalyst 6500 switch features, including the Catalyst 6500 series service modules.
Layer 3 Mobility
Layer 3 roaming eliminates the need to restrict mobile users to access points within the same IP subnetwork. Mobile IP telephony and video distribution to portable media devices (like laptops and PDAs) across the wireless campus are now viable deployment options.
The centralized nature of the WLSM enables customers to apply centralized security and QoS policies. The same security mechanisms found in Cisco Catalyst 6500 switches can now be extended to wireless users, further reinforcing data protection for mobile users and reducing the chance of the network being compromised.
The WLSM enables you to manage up to 6000 mobile nodes and up to 300 Cisco Aironet 1200 or 1100 series access points.
There are four components to the Cisco SWAN framework—access points; management and security servers; WLAN client devices; and infrastructure devices.
•Access points—Cisco Aironet access points running Cisco IOS software are required. These access points offer secure, manageable, and reliable wireless connectivity with exceptional range and performance, as well as integrated radio frequency (RF) management.
•Management and security servers—The WLSE and an IEEE 802.1X authentication server, such as Cisco Secure Access Control Server (ACS), are required to manage and secure the wireless network. These products simplify the deployment and management of the WLAN infrastructure and help you implement an enterprise-class security solution.
•WLAN client devices—Wi-Fi certified or IEEE 802.11 clients are required. Using Cisco Aironet or Cisco Compatible client devices provides additional benefits, including advanced enterprise-class security, extended RF radio management, and enhanced interoperability.
•Infrastructure devices—As Cisco incorporates wireless capabilities into its switches and routers, customers receive a unified network system that extends to wireless traffic all of the enterprise-class scalability, security, reliability, and simplified manageability of the wired infrastructure. The WLSM is a Cisco SWAN infrastructure device.
WLSM Operational Overview
The WLSM works with the Supervisor Engine 720 and with Cisco Aironet 1100 and 1200 series access points to provide a logical network over an existing network infrastructure. Within this network, a mobile user can roam and remain within the same Layer 3 broadcast domain. Layer 3 roaming is accomplished using an FSRT for each active roaming subnet (mobility group), terminated at one end on the Supervisor Engine 720 and at the other end on the Cisco Aironet access point (see Figure 1).
Figure 1 Logical Layer 3 Mobility Network Provided by the FSRT Tunnel
After a mobile user registers with the network, an FSRT endpoint is created on the access point, enabling the user to send and receive data from within the mobility group. The mobile user traffic traverses the FSRT that has been set up by the local access point and is forwarded to the central Cisco Catalyst 6500 switch. The FSRT always terminates on the Supervisor Engine 720; as long as the user is associated with any access point under WLSM control, its traffic is always part of the same logical Layer 3 network (subnet).
When a mobile user associates with an access point that WLSM controls, the user registers with the network and is assigned to a particular mobility group. At the system level, a mobile network ID internally defines this mobility group. The mobile network ID is the mechanism the system uses to associate the user with a particular FSRT. As the user roams, the system tracks user movement, making sure that the user maintains association with the same mobility group. When using Cisco Centralized Key Management (CCKM)-enabled clients, the user can roam without having to reauthenticate with the authentication, authorization, and accounting (AAA) server. The CCKM-enabled clients also provide very fast roaming (approximately 50 ms) between the access points.
Another important aspect of the system is the separation of control plane and data plane traffic (see Figure 2). The WLSM does not process network traffic originating from the mobile user. Traffic to and from the user is forwarded over the FSRT to the Supervisor Engine 720 on the Cisco Catalyst 6500 switch. The Supervisor Engine 720 takes control of forwarding the traffic to its ultimate destination, which enables the system to support mobile node traffic forwarding up to 10 million packets per second (Mpps) per forwarding engine. Control plane traffic, such as roaming events or WLSM notification of mobile user and access point registrations, does not traverse the FSRT; it is passed over the native infrastructure and is processed by the WLSM. This traffic separation maximizes performance for each type of traffic.
Figure 2 Control Plane and Data Plane Traffic
Cisco Layer 3 mobility is a main focus of the WLSM. The WLSM is a single-slot module for Cisco Catalyst 6500 series switches (Figure 3), and uses a technology base found in other Cisco Catalyst 6500 series service modules. This technology uses hardware that enables the module to connect into the Cisco Catalyst 6500 backplane and to communicate with other modules in the chassis.
Figure 3 WLSM
The WLSM is a Cisco Express Forwarding line-card module that supports a connection into the 32-gigabits per second (Gbps) bus and provides a single 8-Gbps fabric channel into the 256-Gbps fabric. The 8-Gbps fabric channel is reserved for management and control plane traffic such as AAA authentication, roam events, and radio management data. In addition, the 8-Gbps fabric channel enables the switch to operate in compact mode; the switch can still operate and support centralized switching speeds up to 30 Mpps when the WLSM is present in the chassis with only fabric-enabled line cards.
The WLSM has its own Cisco IOS software, which supports Wireless Domain Services (WDS). This Cisco IOS software runs independently of the Cisco IOS software on the Supervisor Engine 720. The WLSM also uses its own command-line interface (CLI) to enable an administrator to configure the module; a front console port provides initial configuration access. The WLSM CLI can be accessed from the switch CLI after an initial set of parameters is installed on the WLSM. A separate configuration file is maintained in the WLSM, which can be modified from the WLSM CLI. Alternatively, the module has its own IP address so that it can be accessed using Telnet, if required.
Using the WLSM in a Cisco Catalyst 6500 series chassis requires specific hardware and software, including a Policy Feature Card 3 (PFC3)-equipped supervisor engine such as the Supervisor Engine 720 or the more recently introduced Supervisor Engine 720-3BXL (see Figure 4). The Supervisor Engine 720 is required to support Multipoint Generic Routing Encapsulation (mGRE) in hardware, enabling up to 10 Mpps of wireless traffic. The WLSM does not work with Supervisor Engine 1, 1A, 2, or 2U.
Figure 4 Supervisor Engine 720
In addition to hardware support of FSRTs via GRE, a new subsystem has been added to run on the Supervisor Engine 720, the Layer 3 Mobility Manager (L3MM). The L3MM runs on the Supervisor Engine 720 route processor. One of its primary purposes is to administer a local mobility database, which keeps track of each mobile node's IP and MAC addresses, and the access points they are associated with.
The L3MM introduces a new control protocol, Layer 3 Mobility Control Protocol (LCP), to communicate with WDS running on the WLSM (this is different from the protocol used by the WDS to communicate with access points). The WDS interacts with the access points using Wireless LAN Context Control Protocol (WLCCP) when various events occur; then, the WDS informs the L3MM of these events using LCP so that the mobility database can be updated.
Cisco IOS software release 12.2(18)SXD provides recognition of the WLSM, its support for WDS, and its support for the new L3MM. Currently, there is no support for the WLSM in the hybrid mode of operation (running Cisco Catalyst Operating System software).
This Layer 3 mobility solution supports Cisco Aironet 1200 and 1100 series access points (see Figure 5); however, it does not support Cisco Aironet 340 and 350 series access points. The supported Cisco Aironet access points use new extensions within their Cisco IOS software to interact with the WLSM. FSRT support is one new aspect of the software extensions; this enables the access point to set up, maintain, and tear down FSRTs that connect back to the Supervisor Engine 720.
Figure 5 Cisco Aironet 1200 and 1100 Series Access Points
The new access point software also supports extensions to the WLCCP, enabling the access point to communicate with the WDS on the WLSM. Other extensions to WLCCP include enabling proxy Address Resolution Protocol (ARP) to be supported on the access point, tunnel management support, and a wireless network ID that is used to map traffic from a client to a specific FSRT.
Like the access points, the WLSE supports new software to enable it to communicate with the WDS running on the WLSM, including software extensions that enable the WLSE to perform radio management and other network management functions (see Figure 6).
Figure 6 CiscoWorks WLSE
Layer 3 Mobility Architecture
Each Cisco SWAN component incorporates features to support Layer 3 mobility. These components and the services, subsystems, and protocols used by these components are described in more detail in this section.
WDS on the WLSM
The WDS that runs on the WLSM differs from the WDS running on the access point in that it contains five (instead of four) subsystems (see Figure 7). One new subsystem has been designed to support Layer 3 mobility roaming. This new subsystem is the WDS LCP subsystem; it supports communication with the new L3MM. It forwards registration and mobility events, and propagates tunnel endpoint and other configuration information to the L3MM and communicates this information via LCP.
Figure 7 WDS Subsystems
Layer 3 Mobility Manager (L3MM)
One of the more significant subsystems introduced in the WLSM solution is the L3MM, a new software subsystem that has been incorporated into the instance of Cisco IOS software running on the Supervisor Engine 720. It runs on the route processor, which sits on the Multilayer Switch Feature Card (MSFC) and performs three main functions critical to Layer 3 roaming. The first and most important function is the management of the mobility database. The other two functions are interacting with the WDS to receive notification of access point and mobile node registrations and roaming events, and interfacing with the Cisco Express Forwarding and mGRE subsystem on the Supervisor Engine 720 forwarding engine to instruct them to program mGRE endpoints into the hardware forwarding tables.
The mobility database enables the L3MM to track mobile nodes and the access points that they are associated with. The mobility database contains an entry for each access point and mobile node that is registered with the system. The access point entry contains information about the access point's IP and MAC address, along with the wireless network ID (defined on that access point) for the mobile node. The mobility database mobile node entry contains the mobile node's IP and MAC address and the IP address of the access point where the mobile node is associated, along with the wireless network ID for the mobile node.
The L3MM also has an interface to the WDS that runs on the WLSM. When an access point or a mobile node registers, it does this by alerting the WDS of that event. Roaming events are also forwarded to the WDS, and it is the responsibility of the WDS to inform the L3MM when these events occur. The L3MM communicates with the WDS using LCP. This protocol runs on top of the User Datagram Protocol (UDP) and incorporates a heartbeat (keep alive) indicating the online status of the other party.
Layer 3 Control Protocol
LCP is a simple communications protocol (see Figure 8) that is used to exchange control messages between the L3MM and the WDS. LCP is forwarded over UDP and uses port 2887. Using UDP means it relies on IP, and as such, uses a loopback address (127.x.x.x) for IP communications. An internal Ethernet out-of-band channel (EOBC) provides a communications path for the LCP packets to traverse. The EOBC is also used for other module-to-module communications.
Figure 8 Layer 3 Mobility Control Protocol
LCP communications are usually requests for, or replies with, information. The LCP header is fixed and contains numerous fields, including a session ID that it uses to keep track of current communications. LCP supports these major sessions:
•Update an access point entry from the mobility database—This entry contains information like the IP address of the newly registered access point, the number of VLANs to tunnel endpoints, and wireless network ID/IP address pairs
•Remove an access point entry from the mobility database—This entry contains the IP address of the previously registered access point
•Update a mobile node entry in the mobility database—This entry contains the mobile node's IP and MAC addresses, the IP address of the currently associated access point, and the wireless network ID
•Remove a mobile node entry in the mobility database—This entry contains the mobile node's MAC address
•Change a mobile node's IP address—This record contains the mobile node's IP and MAC addresses
mGRE is a variant of GRE that enables a single tunnel on the supervisor engine to communicate with multiple endpoints. All access points at the other end of the FSRT connect back to the central switch. The FSRT between these endpoints forms the logical Layer 3 network operating on the existing network infrastructure. This logical network enables all mobile nodes that associate with any of the access points to remain in the same IP subnet. Within the context of this logical network, mobile users can roam and maintain IP connectivity to the network.
The Supervisor Engine 720 introduced support for mGRE encapsulation in hardware at speeds of up to 10 Mpps, making it a suitable candidate to handle mGRE processing for this Layer 3 mobility solution. It is important to reiterate that the mGRE tunnel is used for the data path traffic and not the control path traffic between the access point and central switch. This operation helps the system support up to 300 access points and up to 6000 mobile clients.
Wireless LAN Context Control Protocol
WLCCP is used to pass control messages between the access points and the WDS running on the WLSM. Prior to WDS being available on the WLSM, the WDS ran on access points. To facilitate running the WDS on the WLSM, WLCCP was enhanced with these new capabilities:
•The access point can now request, from the WDS, the wireless network ID to tunnel endpoint binding. The configuration of the tunnel interface on the supervisor engine contains the wireless network ID, but this is not defined in the access point's configuration. When the access point sets up the FSRT, it needs to know which SSID to associate with the tunnel in order to forward the mobile user's traffic to the correct tunnel endpoint on the supervisor engine.
•The access point can now forward to the WDS the wireless network ID associated with a particular mobile node.
•The protocol now supports a request message for the wireless network ID to tunnel IP address binding for a mobile node.
•The protocol now supports a request message for the switch MAC address used to reply to the mobile node's ARP request.
•The protocol now supports an update message from the WDS to the access point notifying it of the IP address assigned to a Dynamic Host Configuration Protocol (DHCP) client. The access point uses this information to create a forwarding table entry.
•The protocol now supports a process for exchanging the maximum transmission unit (MTU) information between the access point and the WDS.
Cisco Aironet series WLAN access points are a key component of the Cisco SWAN framework. Cisco Aironet 1100 and 1200 series access points running Cisco IOS Release 12.2(15)XR or later can operate with the WLSM. Cisco SWAN enhancements available to access points using this Cisco IOS software release and the WLSM include:
•When the WLSM WDS is used, a fixed address is used to identify the WDS to the access point.
Note: With previous software versions, WDS access points use a discovery process to find the device supporting WDS.
•The access point software supports FSRTs, which are used as data paths for mobile nodes into the network. When the first mobile node registers for a particular SSID (mobility group), WDS instructs the access point to change the FSRT interface status to UP. Likewise, when the last mobile node for an SSID drops out, the FSRT is changed to a state of DOWN and removed from the interface list. Up to 16 FSRTs can be supported on a single access point. Unlike a normal GRE tunnel, no tunnel keepalives are exchanged between the supervisor engine and the access point.
•The access point software supports the WLCCP extensions.
•The access point sends the mobile node's IP and MAC address binding information to the WDS as part of the mobile node's registration process.
•To ensure that data from the mobile node is forwarded over the correct tunnel, the access point software has been extended to enable the SSID to be associated with a wireless network ID.
When the first mobile user associates with an access point, an FSRT (identified by the user registration SSID) is created, enabling the mobile user to access the network. The data path from the mobile user to the destination varies based on whether the data is a unicast, multicast, or broadcast packet.
IP Unicast Traffic
The WLSM supports bidirectional flow of a mobile node's unicast traffic from the access point to the supervisor engine over the FSRT. Upon receiving a mobile node unicast packet, the access point encapsulates the packet and forwards it over the FSRT to the supervisor engine. In transit, the packet's FSRT header includes the source address of the access point's tunnel interface and the destination address of the supervisor engine's corresponding tunnel interface. While in transit, any interface forwarding the packets can use a QoS policy to determine the level of service that should be applied to that particular tunneled traffic. At the destination tunnel interface, additional security and QoS policies can be applied based on local rules.
Figure 9 illustrates the IP unicast packet format from the mobile node to the target host.
Figure 9 IP Unicast Packet Format (from Mobile Node to Target via Access Point and Switch)
For return traffic, the central switch inspects the corresponding wireless network ID for the target host (mobile node) to determine which tunnel to forward the data over. The switch then encapsulates the packet with a new header using the access point's IP address and forwards the packet to the access point. The access point strips off the external header and inspects the original payload destination IP address to determine which mobile node to forward the data to, and then attaches an 802.11 header for forwarding to the mobile node. Figure 10 illustrates the IP unicast packet format from the switch to the access point.
Figure 10 IP Unicast Packet Format (from Switch to Access Point)
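The two packet formats of Figures 9 and 10 can be reproduced with a plain GRE encapsulation around an IPv4 packet. The following is an added example, not Cisco code or the WLSM's own implementation: the endpoint and host addresses are made up, the inner packets are constructed UDP datagrams, and the receiver rejects GRE optional fields (checksum, key, sequence) because the page describes the FSRT as a keepalive-free tunnel.

```python
# Constructed illustration of the FSRT data-path packet formats of Figures 9
# and 10: plain GRE (RFC 2784 header, no key or sequence) around IPv4.
# Added example, not Cisco code; all addresses are made up.
import struct
from socket import inet_aton, inet_ntoa

GRE_PROTOCOL = 47          # IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type value for an IPv4 payload


def ipv4_checksum(header):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, protocol, payload_len, ttl=64):
    """Build a 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, protocol, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ip_addresses(packet):
    """(source, destination) of an IPv4 packet; the AP reads the destination to pick the mobile node."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return inet_ntoa(src), inet_ntoa(dst)


def gre_encapsulate(tunnel_src, tunnel_dst, inner):
    """Wrap an IPv4 packet in GRE between two tunnel endpoints (outer IP + 4-byte GRE header)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)      # flags/version 0, payload IPv4
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet):
    """Strip outer IPv4 and GRE headers; return (tunnel_src, tunnel_dst, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB007:      # C, K or S flag set, or a non-zero GRE version
        raise ValueError("unexpected GRE flags/version 0x%04x" % flags)
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload type 0x%04x is not IPv4" % ptype)
    total_len = struct.unpack("!H", packet[2:4])[0]
    return inet_ntoa(packet[12:16]), inet_ntoa(packet[16:20]), packet[ihl + 4:total_len]


def unicast_round_trip():
    """Constructed walk: mobile node -> AP -> supervisor (Figure 9), then the reply back (Figure 10)."""
    ap_tunnel, sup_tunnel = "10.1.1.10", "10.0.0.1"          # made-up tunnel endpoints
    mobile_node, target = "172.16.0.5", "192.168.50.20"      # made-up hosts
    request = ipv4_header(mobile_node, target, 17, 8) + b"\x04\xd2\x00\x35\x00\x08\x00\x00"
    upstream = gre_encapsulate(ap_tunnel, sup_tunnel, request)
    _, _, delivered = gre_decapsulate(upstream)              # supervisor strips the FSRT header
    reply = ipv4_header(target, mobile_node, 17, 8) + b"\x00\x35\x04\xd2\x00\x08\x00\x00"
    downstream = gre_encapsulate(sup_tunnel, ap_tunnel, reply)
    outer_src, outer_dst, inner = gre_decapsulate(downstream)  # AP strips it on the way back
    return delivered == request, (outer_src, outer_dst), ip_addresses(inner)
```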
IP Multicast Traffic
The WLSM handles multicast traffic slightly differently than unicast IP traffic. When a mobile user sends IP multicast traffic, the access point encapsulates the packet with a GRE header and forwards the packet over the tunnel. The only exception in this scenario (upstream IP multicast traffic flow) is Internet Group Management Protocol (IGMP) Join messages, which are locally bridged by the access point to the local infrastructure. For the first phase of the WLSM release, downstream IP multicast traffic from the supervisor engine back to the access point is not sent via the FSRT. Instead, IP multicast traffic sent to the access point is forwarded using the underlying network infrastructure. For this reason, all network nodes between the supervisor engine and the access point must be accordingly configured to enable multicast traffic to reach its destination.
There are several forms of broadcast traffic, each being handled slightly differently by the WLSM:
•Upstream MAC broadcast, non-IP, and non-ARP Layer 3 protocol traffic—This traffic is bridged into the local network as nontunneled traffic.
•MAC broadcast ARP packet
–If the queried address is not the access point IP address, then the access point responds to the ARP.
–If the queried address is the access point IP address, then the access point forwards the packet over the FSRT to the supervisor engine. The supervisor engine does not forward this packet beyond the tunnel interface, and it may or may not choose to respond back to the ARP query.
•MAC broadcast IP packet—The access point forwards the packet to the supervisor engine. The route processor on the supervisor can react in two ways. It can consume the packet without forwarding, or it can forward the packet if explicitly configured to do so. If explicitly configured to forward the packet, it is forwarded over the other point-to-point links that make up the FSRT. (DHCP broadcasts might not be subject to broadcast replication; this depends on whether the tunnel interface is configured to forward DHCP packets via a command like IP HELPER.)
Non-IP traffic is not supported on the FSRT; rather, non-IP traffic is bridged on the underlying network infrastructure in both directions (from access point to supervisor engine and from supervisor engine to access point). For this reason, non-IP traffic cannot take advantage of the roaming capabilities provided by the WLSM.
Layer 3 Roaming Events
WLSM enables a mobile client to roam across registered access points while maintaining Layer 3 connectivity to the network. The roaming sequence is slightly different for non-CCKM clients. When roaming, a non-CCKM client must reauthenticate with the Cisco Secure ACS. Because of the needed reauthentication, non-CCKM clients require more than 50 ms to roam from one access point to another.
Figure 11 displays the mobile node authentication events.
Figure 11 Mobile Node Authentication
After the non-CCKM user has authenticated, the sequence follows the same steps as a CCKM client (Figure 12).
Figure 12 Packet Walk for a Mobile Node Roam
When a mobile user roams out of range of its associated access point and into the range of another access point, the mobile node attempts to reassociate with the new access point. On receiving the association request, the access point forwards a WLCCP control message to the WDS, informing it that a mobile node is about to register on a different access point. The access point forwards a WLCCP control packet to the WDS requesting that the mobile node be registered against the newly associated access point. The WDS packages an LCP control message with the mobile node's IP and MAC addresses and the wireless network ID to update the mobile node's entry in the mobility database.
The L3MM then programs a new FSRT endpoint if one does not already exist for that mobile node. The L3MM forwards a message back to the WDS informing it of the successful update of the mobile node's mobility record. The WDS then relays this message to the newly associated access point, requesting that the access point update its forwarding table entry for that mobile user. The mobile node has successfully roamed and can start sending and receiving data.
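The mobility database described under the L3MM, the five LCP sessions listed in the Layer 3 Control Protocol section, and the roam sequence above can be modelled together. The following is an added example and not Cisco code: the message field names, the reply shapes, the validation rules, and the choice to program one endpoint per (wireless network ID, access point) pair are assumptions of the model, and the real LCP header and UDP transport are not reproduced.

```python
# Model of the L3MM mobility database driven by the five LCP message types.
# Added illustration, not Cisco code: field names, reply shapes and validation
# rules are assumptions; LCP's fixed header over UDP port 2887 is not modelled.
from dataclasses import dataclass


@dataclass
class AccessPointEntry:
    ip: str
    mac: str
    tunnels: dict          # wireless network ID -> AP-side tunnel endpoint IP


@dataclass
class MobileNodeEntry:
    ip: str
    mac: str
    ap_ip: str             # access point the node is currently associated with
    network_id: int        # wireless network ID that selects the FSRT


class MobilityDatabase:
    """Access points, mobile nodes, and the mGRE endpoints programmed for them."""

    def __init__(self):
        self.access_points = {}   # AP IP -> AccessPointEntry
        self.mobile_nodes = {}    # MN MAC -> MobileNodeEntry
        self.endpoints = set()    # (network_id, ap_ip) pairs pushed to hardware

    def handle_lcp(self, msg):
        """Apply one LCP request from the WDS; return the reply the L3MM would send."""
        kind = msg["type"]
        if kind == "ap_update":
            self.access_points[msg["ap_ip"]] = AccessPointEntry(
                msg["ap_ip"], msg["ap_mac"], dict(msg["tunnels"]))
            return {"ok": True}
        if kind == "ap_remove":
            self.access_points.pop(msg["ap_ip"], None)
            self.endpoints = {e for e in self.endpoints if e[1] != msg["ap_ip"]}
            # Assumption: nodes still recorded on a removed AP are dropped with it.
            self.mobile_nodes = {m: n for m, n in self.mobile_nodes.items()
                                 if n.ap_ip != msg["ap_ip"]}
            return {"ok": True}
        if kind == "mn_update":
            ap = self.access_points.get(msg["ap_ip"])
            if ap is None or msg["network_id"] not in ap.tunnels:
                return {"ok": False, "reason": "unknown access point or network ID"}
            self.mobile_nodes[msg["mn_mac"]] = MobileNodeEntry(
                msg["mn_ip"], msg["mn_mac"], msg["ap_ip"], msg["network_id"])
            endpoint = (msg["network_id"], msg["ap_ip"])
            programmed = endpoint not in self.endpoints   # new endpoint only if absent
            self.endpoints.add(endpoint)
            return {"ok": True, "endpoint_programmed": programmed}
        if kind == "mn_remove":
            self.mobile_nodes.pop(msg["mn_mac"], None)
            return {"ok": True}
        if kind == "mn_change_ip":
            node = self.mobile_nodes.get(msg["mn_mac"])
            if node is None:
                return {"ok": False, "reason": "unknown mobile node"}
            node.ip = msg["mn_ip"]
            return {"ok": True}
        return {"ok": False, "reason": "unknown message type"}

    def tunnel_for(self, mn_ip):
        """Return path: which (network ID, AP endpoint) carries traffic to mn_ip."""
        for node in self.mobile_nodes.values():
            if node.ip == mn_ip:
                return node.network_id, self.access_points[node.ap_ip].tunnels[node.network_id]
        return None


def roam_walkthrough():
    """Constructed sequence: two APs register, a node registers on AP1, then roams to AP2."""
    db = MobilityDatabase()
    mn = {"mn_mac": "00:40:96:00:00:01", "mn_ip": "172.16.0.5", "network_id": 172}
    for ap_ip, ap_mac in (("10.1.1.10", "00:11:22:aa:bb:01"), ("10.1.2.10", "00:11:22:aa:bb:02")):
        db.handle_lcp({"type": "ap_update", "ap_ip": ap_ip, "ap_mac": ap_mac,
                       "tunnels": {172: ap_ip}})
    first = db.handle_lcp({"type": "mn_update", "ap_ip": "10.1.1.10", **mn})
    roam = db.handle_lcp({"type": "mn_update", "ap_ip": "10.1.2.10", **mn})
    return db, first, roam
```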
Layer 3 mobility in the Cisco SWAN framework is enabled by the WLSM and by other extensions to existing Cisco SWAN components. The Cisco Catalyst 6500 WLSM provides less than 50-ms Layer 3 roaming times.
The creation of a logical wireless network for mobile users within their existing campus LANs also introduces other benefits to customers wishing to deploy wireless by simplifying deployment and management of the WLAN. The WLSM eliminates the need to deploy campus-wide VLANs and greatly simplifies the approach to wireless implementation and administration. It also supports up to 6000 mobile nodes and up to 300 Cisco Aironet 1200 or 1100 series access points.
Copyright © 2004 Cisco Systems, Inc. All rights reserved.