
Cisco Catalyst 6500 Series Wireless LAN
Services Module: White Paper
Overview
The Cisco Structured Wireless-Aware Network (Cisco SWAN) framework now includes the Cisco
Catalyst 6500 Series Wireless LAN Services Module (WLSM). This document focuses on the WLSM
and its integration into the Cisco SWAN framework. The WLSM offers these important benefits to the
Catalyst 6500 series switches:
• Very fast Layer 2 and Layer 3 roaming (less than 50 ms) for mobile users registered with the WLSM.
  This is especially important for Voice over IP (VoIP) support.
• Increased scalability supporting up to 300 access points and up to 6000 mobile users.
• Simplified wired and wireless network management provided by a single entry point into the wired
  network for both wireless LAN control and user data.
• A single quality of service (QoS) and security policy for all wireless users in a subnet. This is
  provided by a centralized entry point to the network using fast secure roaming tunnels (FSRTs) via
  a multipoint generic routing encapsulation (mGRE) tunnel on the Cisco Catalyst 6500 Series
  Supervisor Engine.
• Support for multiple service set identifiers (SSIDs) and VLANs on the access point, enabling
  wireless data traffic to be segregated into different roaming subnets or mobility groups.
• Failover to a secondary WLSM using the Hot Standby Router Protocol (HSRP).
• A centralized point for troubleshooting and debugging.
• Support for advanced Catalyst 6500 switch features, including the Catalyst 6500 series service
  modules.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
Layer 3 Mobility
Layer 3 roaming eliminates the need to restrict mobile users to access points within the same IP
subnetwork. Mobile IP telephony and video distribution to portable media devices (like laptops and
PDAs) across the wireless campus are now viable deployment options.
The centralized nature of the WLSM enables customers to apply centralized security and QoS policies.
The same security mechanisms found in Cisco Catalyst 6500 switches can now be extended to wireless
users, further reinforcing data protection for mobile users and reducing the chance of the network being
compromised.
The WLSM enables you to manage up to 6000 mobile nodes and up to 300 Cisco Aironet 1200 or 1100
series access points.
Cisco SWAN
There are four components to the Cisco SWAN framework—access points; management and security
servers; WLAN client devices; and infrastructure devices.
• Access points—Cisco Aironet access points running Cisco IOS software are required. These access
  points offer secure, manageable, and reliable wireless connectivity with exceptional range and
  performance, as well as integrated radio frequency (RF) management.
• Management and security servers—The WLSE and an IEEE 802.1X authentication server, such as
  Cisco Secure Access Control Server (ACS), are required to manage and secure the wireless network.
  These products simplify the deployment and management of the WLAN infrastructure and help you
  implement an enterprise-class security solution.
• WLAN client devices—Wi-Fi certified or IEEE 802.11 clients are required. Using Cisco Aironet or
  Cisco Compatible client devices provides additional benefits, including advanced enterprise-class
  security, extended RF radio management, and enhanced interoperability.
• Infrastructure devices—As Cisco incorporates wireless capabilities into its switches and routers,
  customers receive a unified network system that extends to wireless traffic all of the enterprise-class
  scalability, security, reliability, and simplified manageability of the wired infrastructure. The
  WLSM is a Cisco SWAN infrastructure device.
OL-6450-01
WLSM Operational Overview
The WLSM works with the Supervisor Engine 720 and with Cisco Aironet 1100 and 1200 series access
points to provide a logical network over an existing network infrastructure. Within this network, a mobile
user can roam and remain within the same Layer 3 broadcast domain. Layer 3 roaming is accomplished
using an FSRT for each active roaming subnet (mobility group), terminated at one end on the Supervisor
Engine 720 and at the other end on the Cisco Aironet access point (see Figure 1).
Figure 1: Logical Layer 3 Mobility Network Provided by the FSRT Tunnel
After a mobile user registers with the network, an FSRT endpoint is created on the access point, enabling
the user to send and receive data from within the mobility group. The mobile user traffic traverses the
FSRT that has been set up by the local access point and is forwarded to the central Cisco Catalyst 6500
switch. The FSRT always terminates on the Supervisor Engine 720; as long as the user is associated with
any access point under WLSM control, its traffic is always part of the same logical Layer 3 network
(subnet).
When a mobile user associates with an access point that WLSM controls, the user registers with the
network and is assigned to a particular mobility group. At the system level, a mobile network ID
internally defines this mobility group. The mobile network ID is the mechanism the system uses to
associate the user with a particular FSRT. As the user roams, the system tracks user movement, making
sure that the user maintains association with the same mobility group. When using Cisco Centralized
Key Management (CCKM)-enabled clients, the user can roam without having to reauthenticate with the
authentication, authorization, and accounting (AAA) server. The CCKM-enabled clients also provide
very fast roaming (approximately 50 ms) between the access points.
Another important aspect of the system is the separation of control plane and data plane traffic (see
Figure 2). The WLSM does not process network traffic originating from the mobile user. Traffic to and
from the user is forwarded over the FSRT to the Supervisor Engine 720 on the Cisco Catalyst 6500
switch. The Supervisor Engine 720 takes control of forwarding the traffic to its ultimate destination,
which enables the system to support mobile node traffic forwarding up to 10 million packets per second
(Mpps) per forwarding engine. Control plane traffic, such as roaming events or WLSM notification of
mobile user and access point registrations, does not traverse the FSRT; it is passed over the native
infrastructure and is processed by the WLSM. This traffic separation maximizes performance for each
type of traffic.
Figure 2: Control Plane and Data Plane Traffic
Mobility Components
Cisco Layer 3 mobility is a main focus of the WLSM. The WLSM is a single-slot module for Cisco
Catalyst 6500 series switches (Figure 3), and uses a technology base found in other Cisco Catalyst 6500
series service modules. This technology uses hardware that enables the module to connect into the Cisco
Catalyst 6500 backplane and to communicate with other modules in the chassis.
Figure 3: WLSM
The WLSM is a Cisco Express Forwarding line-card module that supports a connection into the
32-gigabits per second (Gbps) bus and provides a single 8-Gbps fabric channel into the 256-Gbps fabric.
The 8-Gbps fabric channel is reserved for management and control plane traffic such as AAA
authentication, roam events, and radio management data. In addition, the 8-Gbps fabric channel enables
the switch to operate in compact mode; the switch can still operate and support centralized switching
speeds up to 30 Mpps when the WLSM is present in the chassis with only fabric-enabled line cards.
The WLSM has its own Cisco IOS software, which supports Wireless Domain Services (WDS). This
Cisco IOS software runs independently of the Cisco IOS software on the Supervisor Engine 720. The
WLSM also uses its own command-line interface (CLI) to enable an administrator to configure the
module; a front console port provides initial configuration access. The WLSM CLI can be accessed from
the switch CLI after an initial set of parameters is installed on the WLSM. A separate configuration file
is maintained in the WLSM, which can be modified from the WLSM CLI. Alternatively, the module has
its own IP address so that it can be accessed using Telnet, if required.
Using the WLSM in a Cisco Catalyst 6500 series chassis requires specific hardware and software,
including a Policy Feature Card 3 (PFC3)-equipped supervisor engine such as the Supervisor Engine 720
or the more recently introduced Supervisor Engine 720-3BXL (see Figure 4). The Supervisor Engine
720 is required to support Multipoint Generic Routing Encapsulation (mGRE) in hardware, enabling up
to 10 Mpps of wireless traffic. The WLSM does not work with Supervisor Engine 1, 1A, 2, or 2U.
Figure 4: Supervisor Engine 720
In addition to hardware support of FSRTs via GRE, a new subsystem has been added to run on the
Supervisor Engine 720, the Layer 3 Mobility Manager (L3MM). The L3MM runs on the Supervisor
Engine 720 route processor. One of its primary purposes is to administer a local mobility database, which
keeps track of each mobile node’s IP and MAC addresses, and the access points they are associated with.
The L3MM introduces a new control protocol, Layer 3 Mobility Control Protocol (LCP), to
communicate with WDS running on the WLSM (this is different from the protocol used by the WDS to
communicate with access points). The WDS interacts with the access points using Wireless LAN
Context Control Protocol (WLCCP) when various events occur; then, the WDS informs the L3MM of
these events using LCP so that the mobility database can be updated.
Cisco IOS software release 12.2(18)SXD provides recognition of the WLSM, its support for WDS, and
its support for the new L3MM. Currently, there is no support for the WLSM in the hybrid mode of
operation (running Cisco Catalyst Operating System software).
This Layer 3 mobility solution supports Cisco Aironet 1200 and 1100 series access points
(see Figure 5); however, it does not support Cisco Aironet 340 and 350 series access points. The
supported Cisco Aironet access points use new extensions within their Cisco IOS software to interact
with the WLSM. FSRT support is one new aspect of the software extensions; this enables the access
point to set up, maintain, and tear down FSRTs that connect back to the Supervisor Engine 720.
Figure 5: Cisco Aironet 1200 and 1100 Series Access Points
The new access point software also supports extensions to the WLCCP, enabling the access point to
communicate with the WDS on the WLSM. Other extensions to WLCCP include enabling proxy Address
Resolution Protocol (ARP) to be supported on the access point, tunnel management support, and a
wireless network ID that is used to map traffic from a client to a specific FSRT.
Like the access points, the WLSE supports new software to enable it to communicate with the WDS
running on the WLSM, including software extensions that allow the WLSE to enable radio management
and other network management functions (see Figure 6).
Figure 6: CiscoWorks WLSE
Layer 3 Mobility Architecture
Each Cisco SWAN component incorporates features to support Layer 3 mobility. These components and
the services, subsystems, and protocols used by these components are described in more detail in this
section.
WDS on the WLSM
The WDS that runs on the WLSM differs from the WDS running on the access point in that it contains
five (instead of four) subsystems (see Figure 7). One new subsystem has been designed to support Layer
3 mobility roaming. This new subsystem is the WDS LCP subsystem; it supports communication with
the new L3MM. It forwards registration and mobility events and propagates tunnel endpoint and other
configuration information to the L3MM, communicating this information via LCP.
Figure 7: WDS Subsystems
Layer 3 Mobility Manager (L3MM)
One of the more significant subsystems introduced in the WLSM solution is the L3MM, a new software
subsystem that has been incorporated into the instance of Cisco IOS software running on the Supervisor
Engine 720. It runs on the route processor, which sits on the Multilayer Switch Feature Card (MSFC)
and performs three main functions critical to Layer 3 roaming. The first and most important function is
the management of the mobility database. The other two functions are interacting with the WDS to
receive notification of access point and mobile node registrations and roaming events, and interfacing
with the Cisco Express Forwarding and mGRE subsystem on the Supervisor Engine 720 forwarding
engine to instruct them to program mGRE endpoints into the hardware forwarding tables.
The mobility database enables the L3MM to track mobile nodes and the access points that they are
associated with. The mobility database contains an entry for each access point and mobile node that is
registered with the system. The access point entry contains information about the access point’s IP and
MAC address, along with the wireless network ID (defined on that access point) for the mobile node.
The mobility database mobile node entry contains the mobile node’s IP and MAC address and the IP
address of the access point where the mobile node is associated, along with the wireless network ID for
the mobile node.
The L3MM also has an interface to the WDS that runs on the WLSM. When an access point or a mobile
node registers, it does this by alerting the WDS of that event. Roaming events are also forwarded to the
WDS, and it is the responsibility of the WDS to inform the L3MM when these events occur. The L3MM
communicates with the WDS using LCP. This protocol runs on top of the User Datagram Protocol (UDP)
and incorporates a heartbeat (keep alive) indicating the online status of the other party.
Layer 3 Control Protocol
LCP is a simple communications protocol (see Figure 8) that is used to exchange control messages
between the L3MM and the WDS. LCP is forwarded over UDP and uses port 2887. Using UDP means
it relies on IP, and as such, uses a loopback address (127.x.x.x) for IP communications. An internal
Ethernet out-of-band channel (EOBC) provides a communications path for the LCP packets to traverse.
The EOBC is also used for other module-to-module communications.
Figure 8: Layer 3 Mobility Control Protocol
LCP communications are usually requests for information or replies to them. The LCP header is fixed and contains
numerous fields, including a session ID that it uses to keep track of current communications. LCP
supports these major sessions:
• Update an access point entry in the mobility database—This entry contains information like the
  IP address of the newly registered access point, the number of VLANs to tunnel endpoints, and
  wireless network ID/IP address pairs
• Remove an access point entry from the mobility database—This entry contains the IP address of the
  previously registered access point
• Update a mobile node entry in the mobility database—This entry contains the mobile node’s IP and
  MAC addresses, the IP address of the currently associated access point, and the wireless network ID
• Remove a mobile node entry in the mobility database—This entry contains the mobile node’s MAC
  address
• Change a mobile node’s IP address—This record contains the mobile node’s IP and MAC addresses
Multipoint GRE
mGRE is a variant of GRE that enables a single tunnel on the supervisor engine to communicate with
multiple endpoints. All access points at the other end of the FSRT connect back to the central switch.
The FSRT between these endpoints forms the logical Layer 3 network operating on the existing network
infrastructure. This logical network enables all mobile nodes that associate with any of the access points
to remain in the same IP subnet. Within the context of this logical network, mobile users can roam and
maintain IP connectivity to the network.
The Supervisor Engine 720 introduced support for mGRE encapsulation in hardware at speeds of up to
10 Mpps, making it a suitable candidate to handle mGRE processing for this Layer 3 mobility solution.
It is important to reiterate that the mGRE tunnel is used for the data path traffic and not the control path
traffic between the access point and central switch. This operation helps the system support up to 300
access points and up to 6000 mobile clients.
Wireless LAN Context Control Protocol
WLCCP is used to pass control messages between the access points and the WDS running on the WLSM.
Prior to WDS being available on the WLSM, the WDS ran on access points. To facilitate running the
WDS on the WLSM, WLCCP was enhanced with these new capabilities:
• The access point can now request, from the WDS, the wireless network ID to tunnel endpoint
  binding. The configuration of the tunnel interface on the supervisor engine contains the wireless
  network ID, but this is not defined in the access point’s configuration. When the access point sets
  up the FSRT, it needs to know which SSID to associate with the tunnel in order to forward the mobile
  user’s traffic to the correct tunnel endpoint on the supervisor engine.
• The access point can now forward to the WDS the wireless network ID associated with a particular
  mobile node.
• The protocol now supports a request message for the wireless network ID to tunnel IP address
  binding for a mobile node.
• The protocol now supports a request message for the switch MAC address used to reply to the
  mobile node’s ARP request.
• The protocol now supports an update message from the WDS to the access point notifying it of the
  IP address assigned to a Dynamic Host Configuration Protocol (DHCP) client. The access point uses this
  information to create a forwarding table entry.
• The protocol now supports a process for exchanging the maximum transmission unit (MTU)
  information between the access point and the WDS.
Access Points
Cisco Aironet series WLAN access points are a key component of the Cisco SWAN framework. Cisco
Aironet 1100 and 1200 series access points running Cisco IOS Release 12.2(15)XR or later can operate
with the WLSM. Cisco SWAN enhancements available to access points using this Cisco IOS software
release and the WLSM include:
• When the WLSM WDS is used, a fixed address is used to identify the WDS to the access point.
  Note: With previous software versions, WDS access points use a discovery process to find the
  device supporting WDS.
• The access point software supports FSRTs, which are used as data paths for mobile nodes into the
  network. When the first mobile node registers for a particular SSID (mobility group), WDS instructs
  the access point to change the FSRT interface status to UP. Likewise, when the last mobile node for
  an SSID drops out, the FSRT is changed to a state of DOWN and removed from the interface list.
  Up to 16 FSRTs can be supported on a single access point. Unlike a normal GRE tunnel, no tunnel
  keepalives are exchanged between the supervisor engine and the access point.
• The access point software supports the WLCCP extensions.
• The access point sends the mobile node’s IP and MAC address binding information to the WDS as
  part of the mobile node’s registration process.
• To ensure that data from the mobile node is forwarded over the correct tunnel, the access point
  software has been extended to enable the SSID to be associated with a wireless network ID.
Packet Flows
When the first mobile user associates with an access point, an FSRT (identified by the user registration
SSID) is created, enabling the mobile user to access the network. The data path from the mobile user to
the destination varies based on whether the data is a unicast, multicast, or broadcast packet.
IP Unicast Traffic
The WLSM supports bidirectional flow of a mobile node’s unicast traffic from the access point to the
supervisor engine over the FSRT. Upon receiving a mobile node unicast packet, the access point
encapsulates the packet and forwards it over the FSRT to the supervisor engine. In transit, the packet’s
FSRT header includes the source address of the access point’s tunnel interface and the destination
address of the supervisor engine’s corresponding tunnel interface. While in transit, any interface
forwarding the packets can use a QoS policy to determine the level of service that should be applied to
that particular tunneled traffic. At the destination tunnel interface, additional security and QoS policies
can be applied based on local rules.
Figure 9 illustrates the IP unicast packet format from the mobile node to the target host.
Figure 9: IP Unicast Packet Format (from Mobile Node to Target via Access Point and Switch)
For return traffic, the central switch inspects the corresponding wireless network ID for the target host
(mobile node) to determine which tunnel to forward the data over. The switch then encapsulates the
packet with a new header using the access point’s IP address and forwards the packet to the access point.
The access point strips off the external header and inspects the original payload destination IP address
to determine which mobile node to forward the data to, and then attaches an 802.11 header for
forwarding to the mobile node. Figure 10 illustrates the IP unicast packet format from the switch to the
access point.
Figure 10: IP Unicast Packet Format (from Switch to Access Point)
IP Multicast Traffic
The WLSM handles multicast traffic slightly differently than unicast IP traffic. When a mobile user
sends IP multicast traffic, the access point encapsulates the packet with a GRE header and forwards the
packet over the tunnel. The only exception in this scenario (upstream IP multicast traffic flow) is Internet
Group Management Protocol (IGMP) Join messages, which are locally bridged by the access point to
the local infrastructure. For the first phase of the WLSM release, downstream IP multicast traffic from
the supervisor engine back to the access point is not sent via the FSRT. Instead, IP multicast traffic sent
to the access point is forwarded using the underlying network infrastructure. For this reason, all network
nodes between the supervisor engine and the access point must be accordingly configured to enable
multicast traffic to reach its destination.
Broadcast Traffic
There are several forms of broadcast traffic, each being handled slightly differently by the WLSM:
• Upstream MAC broadcast, non-IP, and non-ARP Layer 3 protocol traffic—This traffic is bridged
  into the local network as nontunneled traffic.
• MAC broadcast ARP packet
  – If the queried address is not the access point IP address, then the access point responds to the
    ARP.
  – If the queried address is the access point IP address, then the access point forwards the packet
    over the FSRT to the supervisor engine. The supervisor engine does not forward this packet
    beyond the tunnel interface, and it may or may not choose to respond back to the ARP query.
• MAC broadcast IP packet—The access point forwards the packet to the supervisor engine. The route
  processor on the supervisor can react in two ways. It can consume the packet without forwarding,
  or it can forward the packet if explicitly configured to do so. If explicitly configured to forward the
  packet, it is forwarded over the other point-to-point links that make up the FSRT. (DHCP broadcasts
  might not be subject to broadcast replication; this depends on whether the tunnel interface is
  configured to forward DHCP packets via a command like IP HELPER.)
Non-IP Traffic
Non-IP traffic is not supported on the FSRT; rather, non-IP traffic is bridged on the underlying network
infrastructure in both directions (from access point to supervisor engine and from supervisor engine to
access point). For this reason, non-IP traffic cannot take advantage of the roaming capabilities provided
by the WLSM.
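The per-frame handling rules from the Packet Flows section, written as a classifier (an added example, not Cisco code). It assumes Ethernet II framing of the mobile node's frame and uses constructed sample frames with documentation addresses; the `off_tunnel` helper lists the frames handled outside the FSRT, which therefore never reach policy applied at the supervisor engine's tunnel interface.

```python
import struct

FSRT = "tunnel over FSRT"
BRIDGE = "bridge onto local network"
AP_REPLY = "access point answers ARP"
BROADCAST = b"\xff" * 6
ETH_IP, ETH_ARP = 0x0800, 0x0806
IGMP_JOINS = {0x12, 0x16, 0x22}  # IGMPv1/v2/v3 membership reports


def classify(frame, ap_ip):
    """Handling of one upstream frame at the access point, per the paper."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, payload = frame[:6], frame[14:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_ARP and dst_mac == BROADCAST:
        if len(payload) < 28:
            raise ValueError("truncated ARP packet")
        # Rule as the paper words it: a query for the access point's own
        # address is tunneled; any other query is answered by the AP.
        return FSRT if payload[24:28] == ap_ip else AP_REPLY
    if ethertype != ETH_IP:
        # Non-IP traffic is never tunneled. Treating unicast ARP this way
        # is an assumption; the paper only covers broadcast ARP.
        return BRIDGE
    header_len = (payload[0] & 0x0F) * 4 if payload else 0
    if header_len < 20 or len(payload) < header_len:
        raise ValueError("truncated or malformed IPv4 header")
    protocol, dst_ip = payload[9], payload[16:20]
    if protocol == 2 and 224 <= dst_ip[0] <= 239:
        if len(payload) == header_len:
            raise ValueError("truncated IGMP message")
        if payload[header_len] in IGMP_JOINS:
            return BRIDGE  # IGMP Join: the one upstream multicast exception
    return FSRT  # unicast, multicast and MAC-broadcast IP go to the switch


def off_tunnel(frames, ap_ip):
    """Names of frames handled outside the FSRT."""
    return [name for name, frame in frames if classify(frame, ap_ip) != FSRT]


# Constructed sample frames with documentation addresses, not captured traffic.
AP_IP, MN_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 50])
MN_MAC, GW_MAC = bytes.fromhex("00005e005301"), bytes.fromhex("00005e005310")
GROUP, GROUP_MAC = bytes([239, 1, 1, 1]), bytes.fromhex("01005e010101")


def eth(dst_mac, ethertype, payload):
    return dst_mac + MN_MAC + struct.pack("!H", ethertype) + payload


def ipv4(protocol, dst_ip, body=b""):
    # Minimal 20-byte header; the checksum is left at zero in these samples.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0,
                       64, protocol, 0, MN_IP, dst_ip) + body


def arp_request(target_ip):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1,
                       MN_MAC, MN_IP, bytes(6), target_ip)


SAMPLES = [
    ("unicast TCP", eth(GW_MAC, ETH_IP, ipv4(6, bytes([203, 0, 113, 5])))),
    ("multicast UDP", eth(GROUP_MAC, ETH_IP, ipv4(17, GROUP))),
    ("IGMPv2 join", eth(GROUP_MAC, ETH_IP,
                        ipv4(2, GROUP, b"\x16\x00\x00\x00" + GROUP))),
    ("ARP for a host", eth(BROADCAST, ETH_ARP,
                           arp_request(bytes([198, 51, 100, 1])))),
    ("ARP for the AP", eth(BROADCAST, ETH_ARP, arp_request(AP_IP))),
    ("broadcast IP", eth(BROADCAST, ETH_IP, ipv4(17, b"\xff" * 4))),
    ("non-IP broadcast", eth(BROADCAST, 0x8137, bytes(30))),
]

if __name__ == "__main__":
    for name, frame in SAMPLES:
        print(f"{name:17} {classify(frame, AP_IP)}")
    print("handled outside the FSRT:", off_tunnel(SAMPLES, AP_IP))
```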
Layer 3 Roaming Events
WLSM enables a mobile client to roam across registered access points while maintaining Layer 3
connectivity to the network. The roaming sequence is slightly different for non-CCKM clients. When
roaming, a non-CCKM client must reauthenticate with the Cisco Secure ACS. Because of the needed
reauthentication, non-CCKM clients require more than 50 ms to roam from one access point to another.
Figure 11 displays the mobile node authentication events.
Figure 11: Mobile Node Authentication
After the non-CCKM user has authenticated, the sequence follows the same steps as a CCKM client
(Figure 12).
Figure 12: Packet Walk for a Mobile Node Roam
When a mobile user roams out of range of the associated access point and into the range of another
access point, the mobile node attempts to reassociate with the new access point. On receiving the
association request, the access point forwards a WLCCP control message to the WDS, informing it that
a mobile node is about to register on a different access point. The access point forwards a WLCCP
control packet to the WDS requesting that the mobile node be registered against the newly associated
access point. The WDS packages an LCP control message with the mobile node’s IP and MAC addresses
and the wireless network ID to update the mobile node’s entry in the mobility database.
The L3MM then programs a new FSRT endpoint if one does not already exist for that mobile node. The
L3MM forwards a message back to the WDS informing it of the successful update of the mobile node’s
mobility record. The WDS then relays this message to the newly associated access point, requesting that
the access point update its forwarding table entry for that mobile user. The mobile node has successfully
roamed and can start sending and receiving data.
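The mobility database updates driven by the five LCP sessions listed in the Layer 3 Control Protocol section, together with the roam sequence above, modelled as an added example (not Cisco code, and not the LCP wire format). Method names, the validation rules (unknown access point or wireless network ID, an IP already bound to another MAC, a roam that would change mobility group) and all addresses are assumptions.

```python
from collections import namedtuple

MAX_APS, MAX_NODES = 300, 6000  # scale limits stated in the paper
SESSIONS = {"ap_update", "ap_remove", "node_update", "node_remove", "node_change_ip"}
# wnid = wireless network ID, which identifies the mobility group
Node = namedtuple("Node", "mac ip ap_ip wnid")


class MobilityDB:
    """Toy mobility database; every validation rule here is an assumption."""

    def __init__(self):
        self.aps = {}    # AP IP -> {wireless network ID: tunnel endpoint IP}
        self.nodes = {}  # mobile node MAC -> Node

    def _ip_taken(self, mac, ip, wnid):
        return any(n.ip == ip and n.wnid == wnid and n.mac != mac
                   for n in self.nodes.values())

    def ap_update(self, ap_ip, wnids):
        if ap_ip not in self.aps and len(self.aps) >= MAX_APS:
            return "rejected: access point limit"
        self.aps[ap_ip] = dict(wnids)
        return "ok"

    def ap_remove(self, ap_ip):
        """Drop the entry; return MACs of nodes still bound to that AP."""
        self.aps.pop(ap_ip, None)
        return sorted(n.mac for n in self.nodes.values() if n.ap_ip == ap_ip)

    def node_update(self, mac, ip, ap_ip, wnid):
        if wnid not in self.aps.get(ap_ip, {}):
            return "rejected: unknown AP or wireless network ID"
        if self._ip_taken(mac, ip, wnid):
            return "rejected: IP bound to another MAC"
        old = self.nodes.get(mac)
        if old is None and len(self.nodes) >= MAX_NODES:
            return "rejected: mobile node limit"
        if old is not None and old.wnid != wnid:
            return "rejected: roam would change mobility group"
        self.nodes[mac] = Node(mac, ip, ap_ip, wnid)
        if old is None:
            return "registered"
        return "roamed" if old.ap_ip != ap_ip else "refreshed"

    def node_remove(self, mac):
        return "ok" if self.nodes.pop(mac, None) else "rejected: unknown node"

    def node_change_ip(self, mac, ip):
        node = self.nodes.get(mac)
        if node is None:
            return "rejected: unknown node"
        if self._ip_taken(mac, ip, node.wnid):
            return "rejected: IP bound to another MAC"
        self.nodes[mac] = node._replace(ip=ip)
        return "ok"

    def return_path(self, dst_ip):
        """(wireless network ID, AP IP) for traffic to a mobile node, or None."""
        return next(((n.wnid, n.ap_ip) for n in self.nodes.values()
                     if n.ip == dst_ip), None)


def replay(db, messages):
    """Apply (session, fields) pairs in order and collect each outcome."""
    return [getattr(db, s)(**f) if s in SESSIONS else "rejected: unknown session"
            for s, f in messages]


# Constructed messages with documentation addresses, not captured LCP traffic.
AP1, AP2, MN = "192.0.2.10", "192.0.2.20", "00:00:5e:00:53:01"
MN_AT = {"mac": MN, "ip": "198.51.100.50", "wnid": 100}
SAMPLE = [
    ("ap_update", {"ap_ip": AP1,
                   "wnids": {100: "198.51.100.1", 200: "203.0.113.1"}}),
    ("ap_update", {"ap_ip": AP2, "wnids": {100: "198.51.100.1"}}),
    ("node_update", {**MN_AT, "ap_ip": AP1}),                 # register
    ("node_update", {**MN_AT, "ap_ip": AP2}),                 # roam
    ("node_update", {**MN_AT, "mac": "00:00:5e:00:53:02", "ap_ip": AP1}),
    ("node_update", {**MN_AT, "wnid": 200, "ap_ip": AP1}),    # other group
]

if __name__ == "__main__":
    db = MobilityDB()
    for (session, _), outcome in zip(SAMPLE, replay(db, SAMPLE)):
        print(f"{session:12} {outcome}")
    print("return path:", db.return_path("198.51.100.50"))
```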
Summary
Layer 3 mobility in the Cisco SWAN framework is enabled by the WLSM and by other extensions to
existing Cisco SWAN components. The Cisco Catalyst 6500 WLSM provides less than 50-ms Layer 3
roaming times.
The creation of a logical wireless network for mobile users within their existing campus LANs also
introduces other benefits to customers wishing to deploy wireless by simplifying deployment and
management of the WLAN. The WLSM eliminates the need to deploy campus-wide VLANs and greatly
simplifies the approach to wireless implementation and administration. It also supports up to 6000
mobile nodes and up to 300 Cisco Aironet 1200 or 1100 series access points.