Thursday 5 July 2012

Lightweight AP Architecture Part 2 - Roaming

AP Modes of Operation:
Local Mode - This is the standard AP mode; it handles client data traffic and also monitors all channels. In the 2.4GHz band it uses a 180 sec cycle in which it spends 13 seconds on its assigned channel, then 60 msec scanning another channel, after which it returns to its assigned channel for 13 sec and the cycle continues. In the 5GHz band the AP spends 10 sec on the assigned channel because of the larger number of channels.
Monitor Mode - Only allows monitoring; no client data traffic is carried. The AP can be used as a sensor for wireless IDS (scanning for rogue APs and clients), for data gathering when troubleshooting performance related issues, as a site survey tool, or as a triangulation point when using the Wireless Location Appliance. Each channel is scanned for 1.1ms and the channels to be scanned are configured on the AP.
Sniffer Mode - The AP captures frames on a specific channel and sends them to a device running an analyser, e.g. Wireshark. Switching to sniffer mode causes the AP to reboot.
Rogue Detector Mode - The AP is connected to a trunk link and operates without using its radios. The controller updates the AP with the MAC addresses of known rogue APs and clients. The AP listens on the wired network for ARP packets and, if it sees a rogue's MAC, sends an alarm to the WLC. Stations cannot associate to an AP in rogue detector mode.
H-REAP Mode - H-REAP APs are deployed at remote sites that do not warrant a WLC. If the connection to the WLC is lost the AP continues to function. There are a number of requirements on the WAN link for H-REAP: bandwidth cannot be less than 128kbps, round trip latency cannot exceed 100ms, the MTU must be at least 500 bytes, and code updates over 4MB cannot be received. The AP also needs at least 32MB of memory because it has to store additional information such as the DTIM period, beacon period, time between beacon frames, preambles, power level, country code, and the black list of forbidden MACs. Also, an AP in H-REAP mode cannot use L2 or L3 broadcasts to find its WLC; it needs to use DHCP option 43, DNS, or OTAP via another AP.
Bridging Mode - The AP is used as a point-to-point or point-to-multipoint bridge. Only some models can do this: the 1130AG, 1240 and 1500 series.

Roaming:
A mobility domain is a group of controllers. Clients roam between APs attached to WLCs in a mobility group. Clients can only roam between mobility groups if those groups are part of the same mobility domain; if they are not, a complete re-authentication has to take place. In order for a controller to be part of a mobility domain it must be configured with the MAC and IP addresses of the existing WLCs in the group. The controllers also need the same domain name and the same virtual gateway address. Up to 24 controllers can be part of a group.
There are a few more prerequisites for roaming to occur: the controllers must have the same code version, the same LWAPP mode, the same ACLs and the same SSIDs. When roaming occurs either the new WLC handles all of the client's connections (asymmetric tunnelling) or traffic is sent back to the old controller (symmetric tunnelling).

Layer 2 roaming:
When a client roams to a new AP within the same subnet the client authenticates with the new AP and traffic is tunnelled back to the original controller. Intra-controller roaming is when the client roams between APs on the same controller and typically takes about 10 msec. Inter-controller roaming is when a client roams between APs on two different controllers and typically takes about 20 msec.

Layer 3 roaming:
In L3 roaming the client either changes subnets but retains its old IP address, or it re-authenticates. The controller creates a tunnel which makes the client and the network think the subnet hasn't changed. If both the to and from traffic is tunnelled between the new and old controller this is known as symmetric tunnelling. If the traffic from the client uses normal IP routing and only the return traffic is tunnelled between the controllers this is known as asymmetric tunnelling. L3 roaming is a quick process because, unlike L2 roaming, not all the client information is handed over. Instead the old controller marks the client data as an anchor entry and the new controller marks it as a foreign entry.
Asymmetric routing path is:
client -> foreign controller -> destination
destination -> anchor controller -> client
Symmetric routing path is:
client -> foreign controller -> anchor controller -> destination
destination -> anchor controller -> foreign controller -> client
The option on the controller which determines whether symmetric or asymmetric tunnelling is used is called Symmetric Mobility Tunnelling.
You may want one controller to use symmetric tunnelling while the rest are asymmetric, for example for a guest WLAN which is only allowed internet access. To do this a special anchor must be defined, a mobility anchor. When a mobility anchor is used all traffic to and from the client must go through this anchor, regardless of where the client is located. The client gets its IP address and security configuration from the mobility anchor. It is possible to have redundant mobility anchor controllers. Anchors must be connected to a VLAN trunk port in order for all stations to keep their IP addresses when roaming.
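The roaming rules above (mobility domain check, matching controller config, L2 versus L3, and the symmetric/asymmetric paths with an optional mobility anchor) as a small Python model. This is an added example written for this post, not Cisco code; the controller and AP names, subnets and SSIDs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Controller:
    name: str
    mobility_group: str
    mobility_domain: str
    code_version: str
    lwapp_mode: str
    ssids: frozenset
    symmetric_tunnelling: bool = False  # the "Symmetric Mobility Tunnelling" option

@dataclass(frozen=True)
class AccessPoint:
    name: str
    controller: Controller
    subnet: str  # client subnet served by this AP

def classify_roam(old_ap, new_ap, ssid):
    """Classify a client move from old_ap to new_ap using the prerequisites in the text."""
    old, new = old_ap.controller, new_ap.controller
    if old is new:
        return "intra-controller L2"        # same WLC, about 10 msec
    if old.mobility_domain != new.mobility_domain:
        return "re-authentication"          # outside the mobility domain: full re-auth
    same_config = (old.code_version == new.code_version
                   and old.lwapp_mode == new.lwapp_mode
                   and ssid in old.ssids and ssid in new.ssids)
    if not same_config:
        return "re-authentication"
    if old_ap.subnet == new_ap.subnet:
        return "inter-controller L2"        # tunnelled back to the original WLC
    return "inter-controller L3"            # anchor/foreign entries, client keeps its IP

def l3_data_path(anchor, foreign, mobility_anchor=None):
    """Return (client->destination, destination->client) hop lists for an L3 roam.
    A configured mobility anchor forces every packet through it (symmetric)."""
    symmetric = anchor.symmetric_tunnelling
    if mobility_anchor is not None:
        anchor, symmetric = mobility_anchor, True
    if symmetric:
        return (["client", foreign.name, anchor.name, "destination"],
                ["destination", anchor.name, foreign.name, "client"])
    return (["client", foreign.name, "destination"],        # normal IP routing out
            ["destination", anchor.name, "client"])         # only return traffic tunnelled

# Constructed sample topology: two campus WLCs in one mobility domain, one branch WLC outside it
WLC_A = Controller("WLC-A", "campus-1", "campus", "7.0", "L3", frozenset({"corp", "guest"}))
WLC_B = Controller("WLC-B", "campus-2", "campus", "7.0", "L3", frozenset({"corp", "guest"}))
WLC_C = Controller("WLC-C", "branch", "branch", "7.0", "L3", frozenset({"corp"}))
WLC_GUEST = Controller("WLC-GUEST", "dmz", "campus", "7.0", "L3", frozenset({"guest"}), True)
AP1 = AccessPoint("AP1", WLC_A, "10.1.0.0/24")
AP2 = AccessPoint("AP2", WLC_A, "10.1.0.0/24")
AP3 = AccessPoint("AP3", WLC_B, "10.2.0.0/24")
AP4 = AccessPoint("AP4", WLC_C, "10.3.0.0/24")
```

Calling classify_roam(AP1, AP3, "corp") gives an L3 roam, and l3_data_path(WLC_A, WLC_B) shows the asymmetric path, while passing WLC_GUEST as mobility_anchor pins both directions through the anchor.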
