Software-Defined Access Wireless

Introduction to Software-Defined Access Wireless

The Enterprise Fabric provides end-to-end enterprise-wide segmentation, flexible subnet addressing, and controller-based networking with uniform enterprise-wide policy and mobility. It moves the enterprise network from current VLAN-centric architecture to a user group-based enterprise architecture, with flexible Layer 2 extensions within and across sites.

Enterprise fabric is a network topology where traffic is passed through inter-connected switches, while providing the abstraction of a single Layer 2 or Layer 3 device. This provides seamless connectivity, with policy application and enforcement at the edge of the fabric. Fabric uses IP overlay, which makes the network appear as a single virtual entity without using clustering technologies.

The following definitions are used for fabric nodes:

  • Enterprise Fabric: A network topology where traffic is passed through inter-connected switches, while providing the abstraction of a single Layer 2 or Layer 3 device.

  • Fabric Domain: An independent operation part of the network. It is administered independent of other fabric domains.

  • End Points: Hosts or devices that connect to the fabric edge node are known as end points (EPs). They directly connect to the fabric edge node or through a Layer 2 network.

The following figure shows the components of a typical SD-Access Wireless. It consists of Fabric Border Nodes (BN), Fabric Edge Nodes (EN), Wireless Controller (WLC), Cisco DNA Center, and Host Tracking Database (HDB).

Figure 1. Software-Defined Access Wireless

The figure covers the following deployment topologies:

  • All-in-one Fabric—When we have all Fabric Edge, Fabric Border, Control-Plane and controller functionality enabled on a Catalyst 4500E switch. This toplogy is depicted in the mid part of the figure.

  • Split topology—When we have Fabric Border, or Control Plane, or controller on a Catalyst 4500E switch with separate Fabric Edge. This toplogy is depicted in the left-most part of the figure.

  • Co-located Fabric Edge and Controller—When we have Fabric Edge and controller on a Catalyst 4500E switch. This toplogy is depicted in the right-most part of the figure.

Cisco DNA Center: Is an open, software-driven architecture built on a set of design principles with the objective of configuring and managing Catalyst 4500E Series switches.

Host ID Tracking Database(map-server and map-resolver in LISP): This database allows the network to determine the location of a device or user. When the EP ID of a host is learnt, other end points can query the database about the location of the host. The flexibility of tracking subnets helps in summarization across domains and improves the scalability of the database.

Fabric Border Node(Proxy Egress Tunnel Router [PxTR or PITR/PETR] in LISP): These nodes connect traditional Layer 3 networks or different fabric domains to the enterprise fabric domain. If there are multiple fabric domains, these nodes connect a fabric domain to one or more fabric domains, which could be of the same or different type. These nodes are responsible for translation of context from one fabric domain to another. When the encapsulation is the same across different fabric domains, the translation of fabric context is generally 1:1. The fabric control planes of two domains exchange reachability and policy information through this device.

Fabric Edge Nodes(Egress Tunnel Router [ETR] or Ingress Tunnel Router [ITR] in LISP): These nodes are responsible for admitting, encapsulating or decapsulating, and forwarding of traffic from the EPs. They lie at the perimeter of the fabric and are the first points of attachment of the policy. EPs could be directly or indirectly attached to a fabric edge node using an intermediate Layer 2 network that lies outside the fabric domain. Traditional Layer 2 networks, wireless access points, or end hosts are connected to fabric edge nodes.

Wireless Controller: The WLC provides AP image and configuration management, client session management and mobility. Additionally, it registers the mac address of wireless clients in the host tracking database at the time of client join, as well as updates the location at the time of client roam.

Access Points: AP applies all the wireless media specific features. For example, radio and SSID policies, webauth punt, peer-to-peer blocking, and so on. It establishes CAPWAP control and data tunnel to WLC. It converts 802.11 data traffic from wireless clients to 802.3 and sends it to the access switch with VXLAN encapsulation.

The SDA allows to simplify:

  • Addressing in wireless networks

  • Mobility in wireless networks

  • Guest access and move towards multi-tenancy

  • Leverage Sub-net extension (stretched subnet) in wireless network

  • Provide consistent wireless policies

AP Bring-up Process

The sequence of bringing up an AP is given below:

  • Switch powers up the AP (POE or UPOE)

  • AP gets an IP address from the DHCP server.

  • Switch registers the IP address of the AP with the map server.

  • AP discovers Cisco WLC through CAPWAP discovery.

  • After Datagram Transport Layer Security (DTLS) handshake, CAPWAP control tunnel is created between AP and Cisco WLC for control packets. CAPWAP data tunnel is created for IEEE 802.11 management frames. The AP image is downloaded and the configuration is pushed on AP from controller.

  • Cisco WLC queries the map server for the switch (RLOC IP) behind which the AP has been registered.

  • Cisco WLC registers a dummy MAC address with the map server.

  • Map server sends a dummy MAC address notification to the switch to create a VXLAN tunnel to AP.

  • AP is ready to accept clients.

Onboarding the Wireless Clients

The sequence of on boarding the clients are given below:

  • The wireless client associates itself to the AP.

  • Client starts IEEE 802.1x authentication on Cisco WLC (if configured) using CAPWAP data tunnel.

  • After Layer 2 authentication is complete, Cisco WLC registers MAC address of the client with map server.

  • Map server sends a notify message to switch with the client details.

  • Switch adds the client MAC to the Layer 2 forwarding table.

  • Cisco WLC moves the client to RUN state and the client can start sending traffic.

  • Switch registers the IP address of the client to the MAP server.

  • The switch decapsulates the VXLAN packet.

  • The switch forwards the DHCP packet to the DHCP server or relay.

  • The switch receives the DHCP ack for the wireless client. Switch learns the IP address of the client and sends an update to the map server.

  • Switch broadcasts the DHCP ack to all ports in the VLAN, including the AP facing VXLAN tunnels.

  • DHCP acknowledgement reaches AP, which forwards it to client.

  • AP sends IP address of the client to Cisco WLC.

  • Cisco WLC moves the client to RUN state.

Platform Support

Table 1. Supported AireOS Controllers

Controller

Support

3504

Yes

5520

Supported only on the local mode AP

8540

Supported only on the local mode AP

vWLC

No
Table 2. AP Support

AP

Support

802.11n

No

802.11ac Wave 1

Yes

802.11ac Wave 2

Yes

Mesh

No
Table 3. Client Security

Security

Support

Open and Static WEP

No

WPA-PSK

Yes

802.1x (WPA/WPA2)

Yes

MAC Filtering

Yes

CCKM Fast Roaming

Yes

Local EAP

Yes. However, it is not recommended.

AAA Override

Supported for SGT, L2 VNID, ACL policy, and QoS policy.

Internal WebAuth

IPv4 clients

External Webauth

IPv4 clients

Pre Auth ACL

IPv4 clients

FQDN ACL

No
Table 4. IPv6 Support

IPv6

Support

IPv6 Infra Support

No

IPv6 Client Support

Yes (From Release 8.8 onwards)
Table 5. Polciy, QoS, and Feature Support

Features

Support

IPv4 ACL for Clients

Yes. Flex ACL for ACL at AP.

IPv6 ACL for Clients

Yes (From Release 8.8 onwards)

P2P Blocking

Supported through security group tag (SGT) and security group ACL (SGACL) on the switch for clients on the same AP.

IP Source Guard

Switches

AVC Visibility

AP

AVC QOS

AP

Downloadable Protocol Pack updates

No

Device profiling

No

mDNS Proxy

No

MS Lync Server QOS Integration

No

Netflow Exporter

No

QoS

Yes (Metal profiles and rate limiting)

Passive Client/Silent Host

No

Location tracking / Hyperlocation

Yes

Wireless Multicast

Yes

Note 

Video streaming is supported from Release 8.8 onwards.

URL Filtering

No

HA

Controller to controller

Migration From Converged Access

The following list shows the migration process from converged access to fabric wireless:

  1. Bring up the WLC with image supporting fabric mode.

  2. Configure the network with the fabric mode for the appropriate subnets, using an APIC-EM or CLIs. We recommed that you use APIC-EM for this purpose.

  3. Configure the discovery mechanism such that the DHCP discovery on the new AP subnet should lead to the controller supporting fabric mode.

  4. When the AP comes up, do a DHCP request and get the IP address in the AP VLAN.

  5. The AP creates a control plane CAPWAP tunnel with the WLC.

  6. Based on the configuration, the WLC programs the AP for the fabric mode.

  7. AP follows the SDA for wireless flow.


Note

  • Mobility between fabric and non-fabric SSIDs are not supported

  • AP images and licenses are hosted on the Cisco WLC and the AP fetches the images and licenses directly from it. APIC-EM is responsible for managing the AP licenses on the Cisco WLC.

  • After a TCP connection flap in the WLC, it takes about five to six minutes to reestablish the connection. During this time, the access tunnels gets reset during client join.

Restrictions

  • In a preauthentication scenario, IP addresses (either IPv4 or IPv6) learned via DNS resolution are lost after Cisco WLC switchover.

  • HA sync for Fabric related statistics is not supported.

Configuring SD-Access Wireless (CLI)

Perform the following steps to configure fabric on a WLAN.

Before you begin

  • Configure the AP in local mode to enable fabric on it.

Procedure

Step 1

config wlan fabric enable wlanid

Example:

config wlan fabric enable wlan1

Enables Fabric on the WLAN.
Step 2

config wlan fabric vnid vnid wlanid

Example:

config wlan fabric vnid 10 wlan1

Configures a Virtual Extensible LAN (VXLAN) network identifier (VNID) on fabric WLAN.
Step 3

config wlan fabric encap vxlan wlanid

Example:

config wlan fabric encap vxlan wlan1

Maps a VNID to the fabric WLAN.
Step 4

config wlan fabric switch-ip ip-address wlanid

Example:

config wlan fabric switch-ip 209.165.200.10 wlan1

Sets a VLAN peer ip to WLAN.
Step 5

config wlan fabric [ipv6] acl {fabric-acl-name | none} wlan-id

Example:

config wlan fabric acl fabric-acl wlan1

Configures a FlexConnect ACL on the controller and associates it with the Fabric WLAN. To dissociate a FlexConnect ACL from the Fabric WLAN, use the none option.

Step 6

config fabric flex-acl-template template-entry template-name {add | delete} acl-name

Example:

config fabric flex-acl-template template-entry myflextemplate add myflexacl

Pushes the ACL to AP and applies it to client via AAA.
Step 7

config wlan fabric avc-policy fabric-avc-policy wlanid

Example:

config wlan fabric fabric-avc-policy wlan1

Configures an AVC profile name associates it with the fabric WLAN.
Step 8

config wlan fabric controlplane guest-fabric enable wlanid

Example:

config wlan fabric controlplane guest-fabric enable wlan1

(Optional) Enables guest fabric for this WLAN .
Step 9

show fabric summary

Example:

show fabric summary

(Optional) Displays the fabric configuration summary.

Enabling SD-Access Wireless (GUI)

Use the following procedure to enable fabric and configure parameters on the enterprise and guest controllers.

Procedure

Step 1

Choose Controller > Fabric Configuration > Control Plane.

The Fabric Control Configuration page is displayed.
Step 2

Move the Fabric slider to enable or disable Fabric.

You can enable fabric and configure parameters on the enterprise and guest controllers, using the Fabric Enable/Disable option at the top of the screen.

Step 3

Select the check box in the Primary IP Address field to enable the fields.
Step 4

Enter an IP address in the Primary IP Address field.

Step 5

Enter a shared key in the Pre Shared Key field.

Step 6

The Connection Status field shows the connection status of the Fabric.

Step 7

Repeat the procedure described in steps 3 to 6 for Secondary IP Address and in the Guest Controllers section.

Step 8

Click Apply.

Configuring SD-Access Wireless VNID (GUI)

Use the following procedure to enable fabric and configure parameters on the enterprise and guest controllers.

Procedure

Step 1

Choose Controller > Fabric Configuration > Interface.

The Fabric Interface > Edit page is displayed.

Step 2

Enter an interface name in the Fabric Interface Name field.

Step 3

Enter an instance ID in the L2 Instance ID field.

Step 4

Enter the network IP adddress in the Network IP field.

Step 5

Enter the subnet mask at the Subnet Massk field.

Step 6

Enter an instance ID in the L3 Instance ID field.

Step 7

Click Apply.

Configuring SD-Access Wireless WLAN (GUI)

Use the following procedure to configure Fabric WLAN parameters.

Procedure

Step 1

Choose WLANs to open the WLANs page.

Step 2

Click the ID number of the desired WLAN to open the WLANs > Edit page.

Step 3

Choose the Advanced tab to open the WLANs > Edit (Advanced) page.

Step 4

Select the Enabled check box under the Fabric Configuration section.
Step 5

Use the drop down to select the Fabric Interface Name.

Step 6

Enter an instance ID in the L2 Instance ID field.

Step 7

Enter the IP adddress in the Peer IP field.

Step 8

Use the drop down to select the Fabric ACL name.

Step 9

Use the drop down to select the Fabric AVC name.

Step 10

Click Apply.

Configuring DNS Access Control List on SD-Access (GUI)

Use the following procedure to configure Fabric DNS ACL parameters.

Procedure

Step 1

Configure the Control Place parameters.

See the Enabling SD-Access Wireless procedure.
Step 2

Configure the Fabric Interface parameters.

See the Configuring Fabric Interface procedure.
Step 3

Choose WLANs > WLAN ID > Security to open the WLANs Edit page.

Step 4

In the Security tab, set the Layer 3 Security to Web Policy from the drop-down list on the Layer 3 tab.

Step 5

From the Preauthentication ACL > WebAuth FlexAcl drop-down list choose the ACL option that you want to apply to the WLAN.

Step 6

Click Apply.

Configuring Access Control List Templates (GUI)

Procedure

Step 1

Choose Controller > Fabric Configuration > Templates.

The page displays the list of Fabric ACLs.
Step 2

To create a template:

You can create a new template (a) or copy an existing template (b) to create a new template.

  • To create a new template—Choose Fabric ACL Template > New and enter the name of the template. Click Apply.

  • To create a new template based on an existing template—Click Copy, enter the name of the template, and choose a template from the Existing Fabric Templates drop-down list. Click Copy.

Step 3

Click Apply.

Step 4

To link a FlexConnect ACL to this template, click the template name on the Fabric ACL Template List page.

The Fabric ACL Template > Edit page is displayed.

Step 5

From the IPv4 ACL / IPv6 ACL drop-down list, choose the post authentication ACL that you want to add to the Fabric ACL template.

Step 6

Click Add.

Step 7

Save the configuration.