Seade_8_2

Sideseadmed (IRT0040)
2.5 AP
Avo
LECTURE 2
Radio resource allocation
[Figure: Operator A, Operator B, … Operator N sharing a joint radio access system and a joint frequency range]
Infrastructure based networks
• Uses fixed base stations (infrastructure) which are responsible for coordinating communication between the mobile hosts (nodes)
Hidden Nodes - a QoS Issue
• If you can’t see a frame you can’t avoid colliding
• RF characteristics make it hard to see all frames
• Hidden nodes usurp priority and break service commitments
• Only the AP can see and be seen by all nodes
Lightweight AP WLAN Concept
• The Light Weight Access Point Protocol is used between APs and a WLAN Controller
• LWAPP carries control and data traffic between the two
• It facilitates centralized management and automated configuration
• Open, standards-based protocol
– Submitted to IETF CAPWAP WG
Autonomous Deployments
• Each AP had its own view of the network – like standalone cell towers
• No hierarchical view of the RF – or the network
Centralization – not a new idea
• Original cellular networks were nodal.
• Lots of call drops
• Lots of administration
• Roaming wasn’t very good
• Not capable of providing advanced services
Enter the Base Station Controller
Management/Control
• Complete view of the network
• Improved roaming
• One point of administration
• Enabled provisioning of advanced call services
Base stations are used to handle setup, handovers, and other functions across an entire cellular network.
Enter The Wireless Controller
[Figure: control and management system layers around the wireless controller – DHCP, DNS, RADIUS, ACS and HPOV on the management side, LWAPP towards the access points]
Basic LWAPP Architecture
[Figure: message flow between STA, WTP and AC]
STA → WTP: 802.11 AssocReq; WTP → AC: LWAPP (C=0) carrying the 802.11 AssocReq
AC → WTP: LWAPP (C=0) carrying the 802.11 AssocResp; WTP → STA: 802.11 AssocResp
STA ↔ WTP: 802.11 Data Frame; WTP ↔ AC: LWAPP (C=0) carrying the 802.11 Data Frame
Unified Wireless Network
Unified Advanced Services
– Unified cellular and Wi-Fi VoIP. Advanced threat detection, identity networking, location-based security, asset tracking and guest access.
World-Class Network Management
– Same level of security, scalability, reliability, ease of deployment, and management for wireless LANs as wired LANs.
Network Unification
• Integration into all major switching and routing platforms. Secure innovative WLAN controllers.
Mobility Platform
• Ubiquitous network access in all environments. Enhanced productivity. Proven platform with large install base and 61% market share. Plug and play.
Client Devices
• 90% of Wi-Fi silicon is Certified. “Out-of-the-Box” wireless security.
Centralized Wireless LAN Architecture
• Controller
– 802.11 MAC Mgmt – (re)association requests & action frames
– 802.11 data – encapsulated and sent to AP
– 802.11e Resource Reservation – control protocol carried to AP in 802.11 mgmt frames – signaling done in the controller.
– 802.11i Authentication & Key exchange
• AP
– 802.11 – beacons, probe response, auth (if open)
– 802.11 control – packet ack & retransmission (latency)
– 802.11e – frame queuing & packet prioritization (real-time access)
– 802.11i – Layer 2 encryption
[Figure: WLAN Controller connected over LWAPP to Lightweight Access Points]
LWAPP
• LWAPP - Light Weight Access Point Protocol is used between APs and WLAN Controller
• LWAPP carries control and data traffic between the two
– Control plane is AES-CCM encrypted
– Data plane is not encrypted
• It facilitates centralized management and automated configuration
• Open, standards-based protocol (Submitted to IETF CAPWAP WG)
[Figure: WiFi Client – Access Point – LWAPP – Controller – Business Application, with the Control Plane and the Data Plane drawn between Access Point and Controller]
Protocol for Centralization
• LWAPP = LightWeight Access Point Protocol
• Standardized Interface between an access point and a centralized controller
• Defines:
– Association of APs
– Authentication of APs
– Control of APs
• Works across L2 / L3 boundaries
• Design goals:
– Zero-config deployment
– Secure deployment
– Centralization
Controllers
• Security Policies
• Wireless IDS
• QoS Policies
• RF Management
• Mobility Management
• IPSec Encryption
Access Points
• Remote RF interface
• Timing critical functions
• L2 Encryption
LWAPP Modes Layer 2
• Layer 2 LWAPP is in an Ethernet frame (Ethertype 0xBBBB)
• Cisco WLAN Controller and AP must be connected to the same VLAN/subnet
[Figure: Lightweight Access Points – LWAPP-L2 – Cisco WLAN Controller]
LWAPP-L2 : Data Message
MAC Header | LWAPP Header (C=0) | Data …
LWAPP-L2 : Control Message
MAC Header | LWAPP Header (C=1) | Control Msg | Control Elts …
LWAPP Modes Layer 3
• Layer 3 LWAPP is in a UDP / IP frame
– Data traffic uses source port 1024 and destination port 12222
– Control traffic uses source port 1024 and destination port 12223
• Cisco Controller and AP can be connected to the same VLAN/subnet or connected to a different VLAN/subnet
• Requires IP addressing of Cisco Lightweight AP
[Figure: Lightweight Access Points – LWAPP-L3 – Cisco WLAN Controller]
LWAPP-L3 : Data Message
MAC Header | IP | UDP=12222 | LWAPP Header (C=0) | Data …
LWAPP-L3 : Control Message
MAC Header | IP | UDP=12223 | LWAPP Header (C=1) | Control Msg | Control Elts …
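As an added example (not part of the lecture material), the following Python parser classifies AP-to-controller UDP datagrams by the destination ports given above and checks that the C bit in the LWAPP header agrees with the port, the kind of consistency check a passive sensor on the AP-controller link would apply. The LWAPP header bit layout is an assumption taken from the LWAPP Internet-Draft, and the sample packets are constructed.

```python
import struct

# Port roles from the slides; the header bit layout below is assumed from the LWAPP
# Internet-Draft: VER(2) RID(3) C(1) F(1) L(1) | Frag ID(8) | Length(16) | Status/WLANs(16).
LWAPP_SRC_PORT = 1024
LWAPP_DATA_PORT = 12222      # destination port of LWAPP-L3 data messages (C=0)
LWAPP_CONTROL_PORT = 12223   # destination port of LWAPP-L3 control messages (C=1)
EXPECTED_C = {LWAPP_DATA_PORT: 0, LWAPP_CONTROL_PORT: 1}


def parse_lwapp_header(payload):
    """Split a UDP payload into the 6-byte LWAPP transport header and its body."""
    if len(payload) < 6:
        raise ValueError("truncated LWAPP header")
    flags, frag_id, length, status = struct.unpack("!BBHH", payload[:6])
    return {
        "ver": flags >> 6,
        "rid": (flags >> 3) & 0x07,
        "c": (flags >> 2) & 0x01,      # 1 = control message, 0 = data message
        "f": (flags >> 1) & 0x01,      # fragment flag
        "l": flags & 0x01,             # last-fragment flag
        "frag_id": frag_id,
        "length": length,              # assumed to count the bytes after the header
        "status": status,
        "body": payload[6:],           # data plane: the raw 802.11 frame, not encrypted by LWAPP
    }


def classify_lwapp_l3(src_port, dst_port, payload):
    """Return (verdict, header). Verdicts: data, control, mismatch, bad-length, not-lwapp."""
    if dst_port not in EXPECTED_C:
        return "not-lwapp", None
    hdr = parse_lwapp_header(payload)
    if hdr["c"] != EXPECTED_C[dst_port]:
        return "mismatch", hdr         # port says one plane, the C bit says the other
    if hdr["length"] != len(hdr["body"]):
        return "bad-length", hdr
    return ("control" if hdr["c"] else "data"), hdr


def build_lwapp(c_bit, body, frag_id=0):
    """Constructed sample builder (VER=0, RID=0, F=L=0) for offline testing."""
    return struct.pack("!BBHH", c_bit << 2, frag_id, len(body), 0) + body


# Constructed samples: an 802.11 data frame (Frame Control bytes 0x08 0x02) on the data
# plane and a short control message; neither is captured traffic.
SAMPLE_DATA = build_lwapp(0, b"\x08\x02" + b"\x00" * 22 + b"payload")
SAMPLE_CONTROL = build_lwapp(1, b"\x01\x00\x00\x00\x00\x00")
```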
The need for Client Mobility
• Wireless LAN is not only about wire-less
• Need for mobility, and not only “hotspot” connectivity
• Mobility is when a client moves from one Access Point to another
• Access points can be on a single Controller or on different Controllers
• Clients need to keep IP connectivity (same IP address)
• Client Mobility is mandatory for some applications (Voice, Video, Business Applications, …)
[Figure: Controller 1 with AP A and AP B on Subnet A; Controller 2 with AP C and AP D on Subnet B]
Client Mobility
• Different Client Mobility levels
– L2 Mobility
– L3 Mobility : Conceptually similar to Proxy Mobile IP
  – Foreign and Anchor Controllers
  – Asymmetric traffic flow
• What about Security ?
– PKC – Proactive Key Caching
– WPA2 / 802.11i Fast Roaming
Mobility Groups
• Mobility Group is a “Cluster of Controllers” that share information between them (e.g. client context and state, controller “load”, etc.)
• Up to 24 Controllers per Mobility Group
• Mobility Group facilitates seamless roaming at both L2 & L3
• Configuring a Mobility Group:
– IP connectivity between all devices
– Same Mobility Group Name (IS case sensitive)
– Same Virtual Interface IP address
– Each device is configured with the MAC and IP of every other device in the group
[Figure: three controllers joined by Ethernet Over IP Tunnels]
Controller-A, MAC: AA:AA:AA:AA:AA:01
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:
Controller-B, AA:AA:AA:AA:AA:02
Controller-C, AA:AA:AA:AA:AA:03
Controller-B, MAC: AA:AA:AA:AA:AA:02
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:
Controller-A, AA:AA:AA:AA:AA:01
Controller-C, AA:AA:AA:AA:AA:03
Controller-C, MAC: AA:AA:AA:AA:AA:03
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:
Controller-A, AA:AA:AA:AA:AA:01
Controller-B, AA:AA:AA:AA:AA:02
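An added example (not from the slides) that checks the configuration conditions above for the three controllers in the figure: a Python validator that flags a group name that differs (including only in case), a differing virtual interface IP, and any controller that does not list every peer's current MAC and IP. The MAC addresses are the slide's; the IP addresses, the virtual interface address and the helper names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Controller:
    """One member of a mobility group as the slides configure it (constructed model)."""
    name: str
    mac: str
    ip: str
    group_name: str
    virtual_ip: str
    neighbors: dict = field(default_factory=dict)   # peer name -> (mac, ip)


def make_group(specs, group_name="MyMobilityGroup", virtual_ip="192.0.2.254"):
    """Build a fully meshed group: every controller lists the MAC and IP of every other."""
    ctrls = [Controller(n, m, ip, group_name, virtual_ip) for n, m, ip in specs]
    for c in ctrls:
        c.neighbors = {o.name: (o.mac, o.ip) for o in ctrls if o is not c}
    return ctrls


def validate_mobility_group(controllers):
    """Return the list of configuration problems; an empty list means the group is consistent."""
    problems = []
    if len(controllers) > 24:
        problems.append("more than 24 controllers in the group")
    names = {c.group_name for c in controllers}     # compared exactly: the name is case sensitive
    if len(names) > 1:
        problems.append("group names differ: " + ", ".join(sorted(names)))
    vips = {c.virtual_ip for c in controllers}
    if len(vips) > 1:
        problems.append("virtual interface IPs differ: " + ", ".join(sorted(vips)))
    for c in controllers:
        for other in controllers:
            if other is c:
                continue
            entry = c.neighbors.get(other.name)
            if entry is None:
                problems.append(f"{c.name} does not list {other.name}")
            elif entry != (other.mac, other.ip):
                problems.append(f"{c.name} has a stale MAC/IP for {other.name}")
    return problems


# MACs from the slide; the IPs are constructed documentation addresses.
SPECS = [("Controller-A", "AA:AA:AA:AA:AA:01", "192.0.2.1"),
         ("Controller-B", "AA:AA:AA:AA:AA:02", "192.0.2.2"),
         ("Controller-C", "AA:AA:AA:AA:AA:03", "192.0.2.3")]
GOOD_GROUP = make_group(SPECS)

# Two typical mistakes: a lowercase group name on B and a missing neighbor entry on C.
BAD_GROUP = make_group(SPECS)
BAD_GROUP[1].group_name = "mymobilitygroup"
del BAD_GROUP[2].neighbors["Controller-A"]
```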
Layer 2 Mobility
• All controllers in same Mobility Group
• Client connects to AP A on Controller 1
– Client database entry created (MAC, WLAN, AP, QoS, IP, Sec, …)
• Client roams to AP B on Controller 1
– Proactive Key Caching (PKC) provides fast roam times for WPA2/802.11i clients. No need to re-authenticate to Radius server.
• Client roams from AP B (Controller 1) to AP C (Controller 2)
– Controller 2 makes a Mobility Announcement to peers in Mobility Group looking for Controller with client MAC
– Controller 1 responds, handshakes, ACKs
– Client database entry moved to Controller 2
• PMK data included (master key data from Radius server)
– Proactive Key Caching provides fast roam times for WPA2/802.11i clients. No need to re-authenticate to Radius server.
• Roam is transparent to client
• Same DHCP address maintained
• Proactive Key Caching with WPA2/802.11i (Funk or MS client)
[Figure: Controller 1 (AP A, AP B) and Controller 2 (AP C, AP D); the Client Database entry moves with the client after the Mobility Announcement between the controllers]
Layer 3 Mobility
• All controllers in same Mobility Group
• Ethernet in IP Tunnels automatically created between controllers
• Client connects to AP B on Controller 1
– Client database entry created as ANCHOR (MAC, WLAN, IP, Sec, ANCHOR …)
• Client roams to AP C on Controller 2
– Controller 2 makes a Mobility Announcement to peers in Mobility Group looking for Controller with client MAC
– Controller 1 responds, handshakes, ACKs
– Client database entry copied to Controller 2
– Marked as FOREIGN (MAC, WLAN, IP, Sec, FOREIGN …)
• PMK data included (master key data from Radius server)
• Proactive Key Caching provides fast roam times for WPA2/802.11i clients. No need to re-authenticate to Radius server.
• Client roams to AP on 3rd Controller
– Same as above except FOREIGN client DB entry moved from previous Foreign Controller
• Roam is transparent to client
• Traffic from client to network exits at Foreign Controller
• Traffic to client tunneled from Anchor to Foreign Controller
• Same DHCP address maintained
• Proactive Key Caching with WPA/802.11i (Funk or MS client)
[Figure: Controller 1 (Subnet A, AP A, AP B) and Controller 2 (Subnet B, AP C, AP D) joined by an Ethernet in IP Tunnel; the ANCHOR entry stays in Controller 1's Client Database and a FOREIGN copy is created on Controller 2 after the Mobility Announcement]
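The L2 and L3 roaming rules on these two slides, as an added example (not from the lecture): a Python model of the per-controller client database that applies the intra-controller, L2 and L3 cases, including the roam to a third controller, and reports the anchor, the foreign controller and the path downstream traffic takes. The topology is the slides' Controller 1 on Subnet A and Controller 2 on Subnet B plus a constructed Controller 3 on Subnet B; treating a roam back to the anchor as dropping the foreign copy is an assumption.

```python
class MobilityGroupDB:
    """Client database entries on each controller of one mobility group.

    Constructed model of the L2/L3 mobility slides: an intra-controller roam
    updates the entry, a roam between controllers on the same subnet (L2) moves
    it, a roam to another subnet (L3) keeps the ANCHOR entry and copies a FOREIGN
    entry, and a further L3 roam moves the FOREIGN entry. The PMK travels with
    the entry (no RADIUS re-authentication) and the client IP never changes.
    """

    def __init__(self, controller_subnets, ap_controller):
        self.subnet = controller_subnets                    # controller -> subnet
        self.ap_ctrl = ap_controller                        # AP -> controller
        self.db = {c: {} for c in controller_subnets}       # controller -> {MAC -> entry}

    def connect(self, mac, ap, ip, pmk):
        ctrl = self.ap_ctrl[ap]
        self.db[ctrl][mac] = {"ap": ap, "ip": ip, "pmk": pmk, "role": "ANCHOR"}
        return ctrl

    def roam(self, mac, new_ap):
        new_ctrl = self.ap_ctrl[new_ap]
        # Mobility Announcement: every peer holding the client MAC answers
        holders = [c for c in self.db if mac in self.db[c]]
        anchor = next(c for c in holders if self.db[c][mac]["role"] == "ANCHOR")
        entry = self.db[anchor][mac]
        for c in holders:                       # a previous FOREIGN copy is dropped
            if c != anchor and c != new_ctrl:
                del self.db[c][mac]
        if new_ctrl == anchor:                  # same controller, or back to the anchor (assumed)
            entry["ap"] = new_ap
            return {"type": "intra", "anchor": anchor, "foreign": None, "downstream": [anchor]}
        if self.subnet[new_ctrl] == self.subnet[anchor]:   # L2 roam: entry moved, PMK with it
            del self.db[anchor][mac]
            self.db[new_ctrl][mac] = dict(entry, ap=new_ap)
            return {"type": "L2", "anchor": new_ctrl, "foreign": None, "downstream": [new_ctrl]}
        # L3 roam: ANCHOR stays; downstream traffic is tunneled Anchor -> Foreign,
        # upstream traffic exits at the Foreign controller
        self.db[new_ctrl][mac] = dict(entry, ap=new_ap, role="FOREIGN")
        return {"type": "L3", "anchor": anchor, "foreign": new_ctrl, "downstream": [anchor, new_ctrl]}


# Topology from the slides plus a constructed third controller on Subnet B.
SUBNETS = {"Controller 1": "Subnet A", "Controller 2": "Subnet B", "Controller 3": "Subnet B"}
AP_CTRL = {"AP A": "Controller 1", "AP B": "Controller 1",
           "AP C": "Controller 2", "AP D": "Controller 2", "AP E": "Controller 3"}
```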
Specific Mobility : Guest Access
• The traditional approach to segmenting guest traffic requires ‘pulling’ the guest VLAN through the corporate network
– Many companies can’t or won’t do this
[Figure: LWAPP APs with Corp SSID and Guest SSID; WLAN Controller (Policy) with an 802.1Q trunk into the Corp Intranet; Corp User traffic stays on the intranet, Isolated Guest traffic goes to the Internet]
Tunnel Guest Traffic
• By tunneling all guest traffic to a DMZ controller, traffic originates and terminates in the DMZ
• Guest clients logically reside in the DMZ network
• No changes required to existing infrastructure except adding FW rules
• Add additional DMZ controllers for scalability
• Each DMZ controller can handle up to 40 tunnels
[Figure: LWAPP APs (Corp SSID, Guest SSID) – WLAN Controllers in the Corp Intranet – EoIP IP Proto 97 “Guest Tunnel” – Guest WLAN Controller – Internet]
Ad-hoc networks
• Consists of mobile nodes which communicate with each other through wireless medium without any fixed infrastructure
Ad-hoc
A self-configuring network in which the devices act as routers and may change their position in space.
MANET
Difficulties for routing
• Limited connectivity due to transmission range of signal
• Low bandwidth
• Higher error rates
• Vulnerable to interference
• Power consumption
• No specific devices to do routing
• Dynamic nature - high mobility and frequent topological changes
Mobile Ad Hoc Networks
• Meaning of the word “Ad hoc” is “for this”, means “for this purpose only”, implies it is a special network for a particular application.
• A mobile ad-hoc network (MANET) is a self configuring network of mobile routers (and associated hosts) connected by wireless links—the union of which form an arbitrary topology.
• The routers are free to move randomly and organize themselves arbitrarily; thus, the network's wireless topology may change rapidly and unpredictably.
Characteristics and tradeoffs
• Characteristics
– Decentralized
– Self-organized
– Self-deployed
– Dynamic network topology
• Tradeoffs
– Bandwidth limited
– Multi-hop router needed
– Energy consumption problem
– Security problem
Adhoc Routing Protocols
Uniform routing
• Proactive routing
– Wireless Routing Protocol (WRP)
– Destination Sequence Distance Vector (DSDV) routing protocol
– Fisheye State Routing (FSR)
– Distance Routing Effect Algo. for Mobility (DREAM) – Location-based routing
• Reactive routing
– Dynamic Source Routing (DSR) protocol
– Temporally-Ordered Routing Algorithm (TORA)
– Adhoc On-demand Distance Vector Routing (AODV)
– Location Aided Routing (LAR) – Location-based routing
– Associativity Based Routing (ABR) protocol – Link-stability based routing protocol
– Signal Stability-based adaptive Routing (SSR) – Link-stability based routing protocol
Zone-based routing
• Hybrid routing protocols
– Zone Routing Protocol (ZRP)
– Hybrid Adhoc Routing Protocol (HARP)
– Zone-based Hierarchical Link State routing (ZHLS)
Ad Hoc Routing Protocols
• Proactive (table-driven): DSDV, WARP, DREAM
• Reactive (on-demand): DSR, AODV, TORA
• Hybrid: ZRP, HARP
[Figure: a Base Station serving a Residential Modem, a Business Modem and a Portable Modem, with a Management System]
Network Planning
Cost and coverage area
Links
http://www.cs.umd.edu/~clancy/docs/lwappreview.pdf
http://www.ieee802.org/21/
http://www.ieee802.org/11/
http://www.ietf.org/rfc/rfc3990.txt
http://en.wikipedia.org/wiki/AODV
http://en.wikipedia.org/wiki/Mobile_adhoc_network
http://moment.cs.ucsb.edu/AODV
http://core.it.uu.se/core/index.php/Main_Page