Introducing Wi-NG: Symbol's Wireless Next-Generation Architecture

Transcript:

Slide 1: Introducing Wi-NG: Symbol's Wireless Next-Generation Architecture

SYMBOL WIRELESS INFRASTRUCTURE DIVISION PRESENTATION

Slide 2: Symbol Wireless Switching Solutions for 2006 and Beyond
– Wi-NG: Next Gen Wireless OS
– Next Gen Hardware

Slide 3: Key Goals
– Meet the challenges of integrating emerging RF technologies such as RFID
– Ability to adapt to any network deployment scenario: L2, L3, Wireless
– Focus on enhancing Security, Mobility, Quality of Service for Multimedia Apps, Ease of Deployment and Management
– Support the integration of best-of-breed wireless applications and services including Mesh, Asset Tracking, Fixed Mobile Convergence (Cellular/Wi-Fi handoffs), etc.
– Hardware independence: support for multiple H/W platforms (including OEM); highly scalable
– Create consistency across the Symbol Wireless Switch portfolio: common command line, GUI, SNMP
Diagram: Wi-NG = RF Abstraction + Scalability + Portfolio Consistency + Modularity

Slide 4: Wi-NG: Key Drivers
– Requirement to integrate with more complex network designs in the larger enterprise
– Growth in VoWLAN adoption
– 802.11n: drive higher bandwidth applications over wireless
– Requirement to create consistency across the product portfolio and have a platform that allows faster market response
– Differentiation: opportunity to integrate emerging RF technologies (including RFID and Wi-MAX) on a common platform

Slide 5: Why Wi-NG?
Aligns Symbol to address the networking requirements of the broader enterprise and vertical markets while providing the foundation for enabling next generation technologies such as RFID, Wi-Max, Fixed-Mobile Convergence (FMC), etc.

Slide 6: Wi-NG Architecture (Architecture / Features / Benefits)
Management
– Features: IDS/WIPS; RF Planning/Mgmt.; Firmware/Config. Mgmt.; Clustering/Self Healing
– Benefits: Enhanced Security; Significantly Lower TCO; Regulatory Compliance; High Uptime
Infrastructure
– Features: Linux based software; RF & H/W abstraction; Services/Diagnostics
– Benefits: Driving Business Efficiencies; Enabling OEM Deals; High Performance
Services
– Features: Symbol Client Extensions; L2/L3 Mobility; Mesh; Locationing; Security
– Benefits: Enhanced Battery Life; Seamless Voice/Video Roaming; Extend Wireless Outside 4-walls; Asset Tracking, Physical Security; Simplified wireless security
Applications
– Features: Enterprise Connectivity; Asset Tracking; VoWLAN
– Benefits: Employee Productivity; Reduce Costs, Enforce Compliance; Voice Cost Savings

Slide 7: Wi-NG Functional Blocks: Infrastructure
Wi-NG Infrastructure defines a uniform, cross-product, hardware-agnostic, modular architecture that can be used for developing switching, wireless, security and network management applications.
– It hides hardware-specific dependencies by providing hardware abstraction layers (and drivers) for key CPU architectures (XScale/ARM, x86, MIPS, PowerPC, etc.) and hardware
– Makes OEM opportunities possible
– It enables: better diagnostics and remote serviceability; clustering (of multiple switches) and load balancing of APs across the switches participating in a cluster

Slide 8: Wi-NG Functional Blocks: Wireless
Wi-NG Wireless is a modular and portable subsystem that provides:
– Full IEEE 802.11 and Wi-Fi Alliance standards support
– AP configuration and management
– Security and QoS
– Wireless mobility features such as self-healing, Hotspot, MU load balancing
– Intrusion detection features such as rogue AP detection, detection of excessive operations, etc.
– Identity driven management of mobile clients
– APIs for wireless ecosystem partners, etc.

Slide 9: Wi-NG Functional Blocks: Management
Wi-NG Management provides CLI, MIB and Java Applet GUI interfaces designed to let users manage the wireless network efficiently and proactively with little or no learning curve.
– The CLI is Cisco-like, so a Cisco user needs almost no training to use and operate a Wi-NG based product.
– Every feature is configurable via SNMP, and the richest monitoring is also delivered via SNMP.
– The GUI (Java Applet) architecture enables a common look and feel across all portfolio products, each with a different set of Wi-NG features.

Slide 10: Wi-NG Functional Blocks: L2/L3 and Security
The Wi-NG L2/L3 subsystem includes protocol stacks for L2 and L3 management. This subsystem is portable, modular and hardware independent, allowing the flexibility to include only selected parts/stacks in a product.
The Wi-NG Security subsystem includes modules for VPN support, Firewall, IDS, on-board RADIUS Server, etc.

Slide 11: Wi-NG: Business Benefits
Wi-NG will allow us to compete more effectively in the enterprise wireless market segment. The significant supporting functionality is the ability to deploy our wireless switching solution not just in Layer 2 networks (as is mostly the case today) but also in Layer 3 networks, while supporting roaming with the best Quality of Service. This functionality will simplify the deployment and management of Wi-Fi networks in large enterprises, hospital complexes, large manufacturing plants, educational institutions, etc., where Layer 3 network designs are the norm (or are becoming the norm) and where there is also a need for enhanced security, voice support, and overall mobility management. We can now put more focus on these verticals in addition to the horizontal enterprise, increasing our market penetration by working with these accounts directly as well as through partners focused on these markets.

Slide 12: Wi-NG Business Benefits (2)
The next generation very high performance hardware platform (available in the January 2007 time frame) that supports the core Wi-NG based software will open up new opportunities in the horizontal enterprise as well as in the broader market, including:
– Educational institutions
– Healthcare, and
– Manufacturing
This hardware will have sufficient horsepower to support up to 256 Access Ports and will also support the upcoming high bandwidth 802.11n standard.

Slide 13: Wi-NG: Business Benefits (3)
The RFID integration capability should open up opportunities in accounts where both technologies are being considered, and drive new opportunities as well. RFID integration means not just being able to support the existing RFID reader and manage it through the same platform that supports Wi-Fi, but also being able to add some amount of business intelligence and data correlation capability to further streamline tag data flows to back-end business systems. We will be prototyping this technology this year (2006) and launching a few pilots. We will integrate best practices from those pilots and plan to release this software in mid-year 2007.

Slide 14: Wi-NG: Business Benefits (4)
– Being Linux based, modular and with support for multiple hardware platforms, Wi-NG opens up many OEM opportunities (such as the IBM Blade Server), thus enabling additional market coverage.
– The Wi-NG software allows external services/applications to easily plug into the infrastructure. This includes, for example, Fixed Mobile Convergence (Wi-Fi / Cellular handoffs), locationing / asset management and more. This will allow us to work with partners and solution providers and further expand selling opportunities.

Slide 15: WS5100 v3.0: Summary
– Security: IPSec VPN Gateway; Stateful Packet Inspection Firewall; L2/L3 Filtering; Enhanced IDS; Secure Guest Access (with Provisioning)
– QoS: WMM-UPSD (Power Save); Admission Control
– Network Integration: L3 Deployment of APs
– Mobility: L3 Roaming; 802.11r Based Fast Roaming; SmartScan
– Management: Clustering (Active:Active and 1:Many Failover); MSP Support

Slide 16: New WS5100 v3.0 Features
– Supports a completely redesigned interface: no more policy driven model; more akin to WS2000; Cisco-like CLI; text based configuration; support for multiple FW and config files
– Expanded serviceability features: process monitors; integrated packet capture tool; copy tech-support command

Slide 17: What Will Not be in v3.0
– Wireless Bridging: planned for the next major release
– More DoS attack prevention (with the Stateful Packet Inspection Firewall)
– SIP Call Admission Control (similar to what is implemented in WS2000 v2.2)
However, WMM itself supports some level of Admission Control that will be implemented in v3.0:
– MUs are not allowed to send traffic on certain access categories (voice/video) unless they have first requested permission from the AP. MUs request permission using a TSPEC, a special frame directed to the AP that specifies which access category the MU wants to send/receive traffic in.
– The switch has the choice of accepting or rejecting the TSPEC. The switch can be configured to allow a certain number of MUs access to each access category (say 10 on voice, 5 on video).
– Any additional MUs that associate with that AP will not be allowed to send traffic in the video or voice AC.
– They can still use best-effort, so they don't lose service, but being a lower priority than the voice ones, they don't impact the performance of the voice MUs.
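The TSPEC admission check described above, as an added example that models the per-AP, per-access-category counters the switch keeps (illustrative code, not Symbol's; the 10-voice / 5-video limits come from the slide, the MU addresses are constructed):

```python
from dataclasses import dataclass, field

# WMM access categories; the slide puts voice and video under admission control.
AC_VOICE, AC_VIDEO, AC_BEST_EFFORT, AC_BACKGROUND = "voice", "video", "best_effort", "background"
ADMISSION_CONTROLLED = (AC_VOICE, AC_VIDEO)   # an MU must send a TSPEC before using these


@dataclass
class AccessPortAdmission:
    """Admission state the switch keeps for one AP (the switch, not the AP, decides)."""
    limits: dict                                   # e.g. {"voice": 10, "video": 5}
    admitted: dict = field(default_factory=dict)   # access category -> set of MU MACs

    def handle_tspec(self, mu_mac: str, ac: str) -> bool:
        """Accept (True) or reject (False) a TSPEC asking to use access category ac."""
        if ac not in ADMISSION_CONTROLLED:
            return True                        # best effort / background need no TSPEC
        members = self.admitted.setdefault(ac, set())
        if mu_mac in members:
            return True                        # repeated request from an admitted MU
        if len(members) >= self.limits.get(ac, 0):
            return False                       # this AP's quota for the AC is full
        members.add(mu_mac)
        return True

    def release(self, mu_mac: str) -> None:
        """MU disassociated or roamed away: free whatever slots it held."""
        for members in self.admitted.values():
            members.discard(mu_mac)

    def effective_ac(self, mu_mac: str, requested_ac: str) -> str:
        """Category a frame is actually queued in. An MU that was not admitted to
        voice/video is demoted to best effort, so it keeps service at lower priority."""
        if requested_ac in ADMISSION_CONTROLLED and mu_mac not in self.admitted.get(requested_ac, set()):
            return AC_BEST_EFFORT
        return requested_ac


def simulate_voice_admission(num_mus: int = 12) -> dict:
    """Constructed scenario: num_mus phones request the voice AC on one AP limited
    to 10 voice / 5 video admissions, then one admitted MU leaves."""
    ap = AccessPortAdmission(limits={AC_VOICE: 10, AC_VIDEO: 5})
    macs = [f"02:00:00:00:00:{i:02x}" for i in range(num_mus)]   # constructed, locally administered
    accepted = sum(ap.handle_tspec(mac, AC_VOICE) for mac in macs)
    result = {
        "accepted": accepted,
        "rejected": num_mus - accepted,
        # a rejected MU still gets service, but only at best effort
        "rejected_mu_ac": ap.effective_ac(macs[-1], AC_VOICE) if accepted < num_mus else None,
    }
    ap.release(macs[0])                        # one admitted phone disassociates
    result["readmitted_after_release"] = ap.handle_tspec(macs[-1], AC_VOICE)
    return result
```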

Slide 18: WS5100: Transitions
– v3.0 (Next Gen Software) will be supported only on the WS5100 (and next generation switches)
– v3.0 will not be supported on WS5000 wireless switches with 128 MB DOMs
– v3.0 will not support the AP200, AP-3021 (FH) and AP-4121 Access Points
– AP-4131 Port Conversion will still be supported
– v3.0 will support the AP100 Access Port, but only with the old Switch-AP Protocol (WiSP)
– L3 will not be supported on the AP100 and AP4131
– WS5100 v1.4.x and v2.x will be upgradeable to v3.0

Slide 19: Symbol Solution Elements
– Wireless Switch + Wi-NG Software
– Wireless Intrusion Protection System (WIPS)
– Mobility Services Platform (MSP)
– Symbol RF Manager

Slide 20: WS5100 v3.0: Upgrade Process

Slide 21: Firmware Upgrade
WS5100 switches with the following officially released FW versions can be upgraded to v3.0: v1.4.1, v1.4.2, v1.4.3, v2.0, v2.1
– Licenses and certificates are preserved during (upward) migration
– Offline configuration migration tool available
– Migration downward to v1.4.x and v2.x will be supported
– Configurations will not be preserved on downgrade

Slide 22: Upgrade Process
Step 1: The user ensures that there is enough space left on the flash. If the required amount of space is not available on the flash, the user will have to clean up the flash. This is done via a downloaded script called preupgrade.

Slide 23: Running PreUpgrade (Similar to Current Process)
Copy the PreUpgradeScript script using tftp/ftp to the system to be upgraded, using the following command under the cfg mode of the CLI (this example uses ftp):
    WS5000> cfg
    WS5000.(Cfg)> copy ftp system -u User
    Enter the file name to be copied from FTP server : PreUpgradeScript
    IP address of the FTP server :
    Enter the user password : *******
    Copying 'PreUpgradeScript' from ftp:// to Switch...
    Data connection mode : BINARY
    Status : Transfer completed successfully
    3117 bytes received in seconds (3.3e+02 Kbytes/s)
Once the PreUpgradeScript is transferred, go into service mode by typing service from the CLI, as shown below:
    WS5000.(Cfg)>..
    WS5000> service
    Enter CLI Service Mode password: ********
    Enabling CLI Service Mode commands done.
    SM-WS5000>
Once in the service mode CLI, make the script executable with the following command:
    SM-WS5000> launch -c chmod +x /image/PreUpgradeScript
Now run the script with the following command:
    SM-WS5000> launch -c /image/PreUpgradeScript freemem
The script checks the free space on the disk and, if enough is available, displays the following message:
    SM-WS5000> launch -c /image/PreUpgradeScript freemem
    Welcome to 2.0 Upgrade Procedure... !!
    Finding out the Free Space Needed... !!
    Total Free Space on the System: 187
    OK. You have the required space to do the upgrade.. !!

Slide 24: Upgrade contd.
Step 2: Copy the appropriate upgrade image to the switch.
– For upgrading from a previous v3.0 development or beta build (v xxxD or v xxxB), copy WS5100_v B.img to the switch.
– For upgrading from v2.x, copy WS B.v2 to the switch.
– For upgrading from v1.4.x, copy WS B.v2 to the switch.
Enter Service mode on the switch and execute the file copied to the switch in the step above. Three resets later the system boots up with v3. A normal upgrade takes 1 reset, but migration from v1.4.x or v2.x requires 3 resets.

Slide 25: WS5100 v3.0: Review of CLI and GUI (Applet)

Slide 26: CLI Configuration Overview
– The CLI is Cisco-like
– Context-sensitive help: finishing a command with ? will display the completions for that particular command
– Command completion: pressing the spacebar on a partially written command will complete it
– The CLI is accessible via: local serial interface; remote Telnet or SSH session

Slide 27: CLI Configuration Mode
– Configuration Mode is indicated by the (config)# prompt
– Allows the user to configure the switch
– Must first enter Enable mode to access Configuration mode
– Enter ^Z or type exit or end at the command prompt to return to Enable mode
– Commands become part of the running config immediately
– Must issue a command to save the config to Startup (NVRAM): # write mem

Slide 28: CLI Feature Overview (cont.)
The following commands can be used to view the configuration:
    #show running-config
    #show startup-config
    #show running-config include-factory     (displays factory defaults as well)
Output modifiers may be added to limit the output:
    #show running-config | ?
      append     Append Output
      begin      Begin with the line that matches
      exclude    Exclude lines that match
      include    Include lines that match
      redirect   Redirect Output
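The begin, include and exclude modifiers listed above, as an added example of how such stages filter show output and can be chained to pull the security-relevant lines out of a long running-config (illustrative code, not the switch's implementation; the sample configuration is constructed and regular-expression matching is an assumption):

```python
import re

# Constructed sample of what "show running-config" prints on a WS5100 v3.0
# (Cisco-style text configuration); not captured from a real switch.
SAMPLE_RUNNING_CONFIG = """\
version 3.0
hostname ws5100-lab
username admin privilege superuser
wlan 1 ssid corp-voice
wlan 1 encryption-type ccmp
wlan 2 ssid guest
wlan 2 hotspot enable
interface vlan1
 ip address 10.0.0.5/24
radius-server local
ntp server 10.0.0.1
"""


def output_modifier(lines: list, modifier: str, pattern: str) -> list:
    """Apply one '| <modifier> <pattern>' stage the way the CLI's include, exclude
    and begin modifiers filter show output. The pattern is treated as a regular
    expression (an assumption; the slide does not say which syntax is used)."""
    rx = re.compile(pattern)
    if modifier == "include":
        return [line for line in lines if rx.search(line)]
    if modifier == "exclude":
        return [line for line in lines if not rx.search(line)]
    if modifier == "begin":
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]             # everything from the first match onward
        return []
    raise ValueError(f"unsupported output modifier: {modifier!r}")


def run_show_command(command: str, output: str = SAMPLE_RUNNING_CONFIG) -> list:
    """Parse a command line such as
        show running-config | begin wlan | exclude hotspot
    and run the modifier stages left to right over the (constructed) output."""
    stages = [stage.strip() for stage in command.split("|")]
    if stages[0] != "show running-config":
        raise ValueError(f"only 'show running-config' is modelled here, got {stages[0]!r}")
    lines = output.splitlines()
    for stage in stages[1:]:
        parts = stage.split(None, 1)           # "<modifier> <pattern>"
        if len(parts) != 2:
            raise ValueError(f"modifier needs a pattern: {stage!r}")
        lines = output_modifier(lines, parts[0], parts[1])
    return lines
```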

Slide 29: CLI File System Commands
Access to the file system can be made through the following commands:
– dir: lists the contents of the flash file system
– delete: deletes files from the flash file system
– copy: access copy commands from Enable or Config Mode: #copy [source] [destination]. Source and destination can be: flash:, ftp:, Log, running-config, startup-config, system:, tftp:

Slide 30: User Interface: Java Based Applet

Slide 31: Infrastructure - Manageability
– UI: browser based
– Extremely feature-rich MIB with full SNMP v3 access
– The UI uses SNMP for all operations with the switch: each configuration command or status request is converted by the Java application into an SNMP request
– Multiple threads keep the system responsive to the user: puller and pusher threads update screens as a background task
– Pre-defined look and feel: dashboard view for system status; minimal clicks needed to drill into settings; intelligent screens gray out configuration options based on the user

Slide 32: UI Design

Slide 33: Dashboard View

Slide 34: New Way of Configuring Wireless Networks

Slide 35: Primary/Secondary Boot Images
– Support for two (2) boot images: Primary and Secondary
– The Wireless Switch normally boots with the Primary image. If the Primary image doesn't fully initialize 2 times in a row, the Wireless Switch falls back to the Secondary image.
– Allows the user to upgrade the Secondary image while running Primary, and vice versa.
– Upgrade is a two step process: copy the new image from an FTP or TFTP server or, for systems with Compact Flash (CF) or USB drives, directly from the flash drive. During the next reboot the new image will be selected for use; the user may override this and continue to use the current image if desired.
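The two-slot boot policy above, as an added example that models it as a small state machine (illustrative code, not the switch's firmware): fallback to Secondary after 2 consecutive failed Primary initializations, upgrading only the idle slot, and the user's choice at the next reboot. The image versions and the "initializes" flag are constructed, and treating the override as clearing the pending selection is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BootImage:
    version: str
    initializes: bool          # constructed flag: does this image fully come up?


class DualImageBootloader:
    """Primary/Secondary boot selection as described on the slide."""
    FALLBACK_AFTER = 2         # consecutive failed Primary inits before falling back

    def __init__(self, primary: BootImage, secondary: BootImage):
        self.slots = {"primary": primary, "secondary": secondary}
        self.selected = "primary"            # slot the next boot will try
        self.running: Optional[str] = None   # slot currently up, None after a failed init
        self.failed_primary_inits = 0
        self.pending: Optional[str] = None   # slot holding a freshly copied image

    def upgrade(self, slot: str, image: BootImage) -> None:
        """Step 1 of the upgrade: copy the new image into the slot that is not running."""
        if slot == self.running:
            raise RuntimeError(f"cannot overwrite the running {slot} image")
        self.slots[slot] = image
        self.pending = slot                  # by default the next reboot selects it

    def reboot(self, keep_current: bool = False) -> Optional[str]:
        """Step 2: reboot. Returns the slot that came up, or None if init failed.
        keep_current=True is the user's override to stay on the current image."""
        if self.pending is not None:
            if not keep_current:
                self.selected = self.pending
            self.pending = None              # assumption: the override clears the pending choice
        slot = self.selected
        if slot == "primary" and self.failed_primary_inits >= self.FALLBACK_AFTER:
            slot = "secondary"               # Primary failed twice in a row: fall back
        if self.slots[slot].initializes:
            self.running = slot
            if slot == "primary":
                self.failed_primary_inits = 0
            return slot
        if slot == "primary":
            self.failed_primary_inits += 1
        self.running = None
        return None


def scenario_fallback() -> list:
    """Constructed: the Primary image is broken; record what three boot attempts yield."""
    bl = DualImageBootloader(BootImage("3.0-bad", initializes=False),
                             BootImage("2.1", initializes=True))
    return [bl.reboot() for _ in range(3)]


def scenario_upgrade() -> dict:
    """Constructed: running Primary 2.1, copy 3.0 into Secondary, override once, then take it."""
    bl = DualImageBootloader(BootImage("2.1", True), BootImage("2.0", True))
    bl.reboot()
    bl.upgrade("secondary", BootImage("3.0", True))
    stayed = bl.reboot(keep_current=True)    # user keeps the current image this time
    bl.upgrade("secondary", BootImage("3.0", True))
    took = bl.reboot()                       # next reboot selects the new image
    try:
        bl.upgrade("secondary", BootImage("3.1", True))   # now the running slot: refused
        overwrote_running = True
    except RuntimeError:
        overwrote_running = False
    return {"stayed": stayed, "took": took,
            "version": bl.slots[bl.running].version,
            "overwrote_running": overwrote_running}
```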

Slide 36: Primary and Secondary Images

Slide 37: FW Failover / Updating FW

Slide 38: Text Based Configuration File
– Configuration for the switch is stored in text format as a series of CLI commands. Commands are parsed (translated and executed) by the software when the system is booted (from the configuration file that is marked as startup-config) or when you enter commands at the CLI in a configuration mode.
– The first time, there is no startup-config file and the Wireless Switch comes up with the default (factory) configuration. To reset to factory defaults use the command erase startup-config.
– Concept of running config and persistent config: multiple configuration files can be present on the switch at any time, of which only one can be marked as use-on-boot.
– At runtime the Wireless Switch's configuration is called the running-configuration. The running-configuration is maintained in volatile memory and can differ from the startup configuration.

Slide 39: NEW!! User Roles and Privileges
In WS5100 v3.0, the user roles / privileges are configurable (under Management Access). Roles:
– Monitor: provides read-only access to the switch.
– Helpdesk: typically used by support staff to troubleshoot and debug problems reported by the customer. It can typically run troubleshooting utilities like Sniffer, execute service commands, view/retrieve logs, and reboot the switch.
– Network Admin: provides the ability to configure all wired and wireless parameters like IP config, VLANs, L2/L3 security, WLANs, radios, IDS, Hotspot, etc.
– System Admin: allows configuring general settings like NTP, boot parameters and licenses; performing image upgrade and auto install; managing redundancy/clustering; controlling access to the switch.
– Web Admin: provides the ability to add users for web authentication (hotspot).
– Root: provides super user access to the switch, like the root user on UNIX systems.

Slide 40: Wi-NG: Key Features: L3 Adoption, L3 Mobility

Slide 41: Agenda
– Wi-AP & WISPE: Deployment of Access Ports over L2 and L3 Networks
– L3 Mobility Implementation

Slide 42: WiAP: Overview

Slide 43: WiAP and WISPE: Overview
– WiAP is a multiplatform common code base for Symbol's Access Port products
– AP300 is the first WiAP hardware platform
– The 802.11n Access Port will be a WiAP platform
– WiAP can be ported to non-Symbol APs
– WiAP is the Access Port counterpart to WiOS (the common code base on the switch)
– WiAP v1.0 for the AP300 will ship with WS5100 v3.0
– WISPE (Wireless Switching Protocol Extensions) is a successor to the Wireless Switching Protocol (WISP), the existing protocol that defines a tunnel for packets between Access Ports (APs) and Wireless Switches (WS)
– WISPE extends WISP by allowing the tunnel to run over Layer 3 and, later, over wireless hops

Slide 44: WiAP: Architecture (diagram)
Key: Wireless Tunnel; L2 Tunnel; L3 Tunnel
Diagram elements: low latency, high bandwidth L3 network; L2 switch w/ PoE; L2 tunneled WiAPs; wireless tunnel WiAP; L3 tunneled WiAPs; parking lot lamps

Slide 45: Layer 2 Access Port - Switch Connectivity
– Standard current WISP functionality is maintained: simple deployment; low latency port/switch traffic
Diagram: L2 Switch, Wireless Switch, Access Ports

Slide 46: Layer 3 Access Port - Switch Connectivity
– WiAP will support IP encapsulation of Access Port - Wireless Switch traffic; this makes it easy to overlay wireless over existing L3 network designs
– Access Ports and switches can be deployed without dragging VLANs across the network
– DHCP servers provide IP address configuration to Access Ports

Slide 47: Wireless Access Port - Switch Connectivity
– WiAP (in later releases) will support wireless encapsulation of port/switch traffic: Access Ports gain the flexibility of wireless bridging
– Access Ports will form a switch-controlled wireless mesh to bridge traffic from wireless to wired Access Ports: parking lot and outdoor-hop deployments become simple

Slide 48: WISPE
WISPE is the protocol used by Symbol for all communications between the switch and the WiAP. WISPE looks like CAPWAP, but CAPWAP compliance is not one of the goals of WS5100 v3.0. The CAPWAP specification is an evolving document and is not as rich as the WISP specification, so the plan is to implement all WISP features as vendor specific extensions to a yet-to-be-defined draft version of CAPWAP, and call the whole thing WISPE.
Some of the interesting differences between WISPE and WISP are:
– There is no flow control in WISPE; it is assumed that the AP has sufficient buffers to render this unnecessary. This means that the AP100 cannot be supported under WISPE; only the AP300 and AP5131 will be supported.
– WISPE works over Layer 2 and Layer 3 networks, unlike WISP, which is a pure Layer 2 protocol.
– WISPE implements all the Symbol proprietary features, and undocumented CAPWAP features, as vendor specific extensions to CAPWAP.
– CAPWAP itself has no provisions for working over an L2 or wireless link; this is yet another Symbol proprietary extension that will be provided under WISPE.

Slide 49: CAPWAP
CAPWAP: Control and Provisioning of Wireless Access Points, an IETF Working Group.
CAPWAP WG Charter: develop the CAPWAP protocol to provide interoperability among different WLAN backend architectures. The intent of the CAPWAP protocol is to facilitate control, management and provisioning of WLAN Termination Points (WTPs), specifying the services, functions and resources relating to WLAN Termination Points in order to allow for interoperable implementations of WTPs and Access Controllers.
Reference: RFC 4118

Slide 50: CAPWAP Functions
A set of WLAN control functions that are not directly defined by IEEE standards, but deemed essential for effective control, configuration, and management of WLAN access networks. These include:
– RF monitoring, such as noise and interference detection and measurement
– RF configuration, e.g., for retransmission, channel selection, transmission power adjustment
– WTP configuration, e.g., for SSID
– WTP firmware loading, e.g., automatic loading and upgrading of WTP firmware for network-wide consistency
– Network-wide STA state information database, including the information needed to support value-added services such as mobility and load balancing
– Mutual authentication between network entities, e.g., for AC and WTP authentication in a Centralized WLAN Architecture

Slide 51: CAPWAP: Split MAC Architecture
– A subgroup of the Centralized WLAN Architecture whereby WTPs in such WLAN access networks only implement the delay-sensitive MAC services (including all control frames and some management frames) for IEEE 802.11, while all the remaining management and data frames are tunneled to the Access Controller for centralized processing.
– The IEEE 802.11 MAC, as defined by the IEEE standards, is effectively split between the WTP and AC. Usually, the decision of which functions of the MAC need to be provided by the AC is based on the time-criticality of the services considered.
– In the Split MAC architecture, the WTP terminates the infrastructure side of the wireless physical link, provides radio-related management, and also implements time-critical functionality of the MAC. In addition, the non-real-time management functions are handled by a centralized AC, along with higher level services such as configuration, QoS, policies for load balancing, and access control lists.
– The key distinction between Local MAC and Split MAC relates to non-real-time functions: in the Split MAC architecture the AC terminates non-real-time functions; in the Local MAC architecture the WTP terminates the non-real-time functions and consequently sends appropriate messages to the AC.

Slide 52: Motivations for Split MAC Approach
There are several motivations for taking the Split MAC approach:
– The first is to offload functionality that is specific and relevant only to the locality of each BSS to the WTP, in order to allow the AC to scale to a large number of 'light weight' WTP devices. The real time functionality is subject to latency constraints and cannot tolerate delays due to transmission of control frames (or other real time information) over multiple hops.
– Another consideration is cost reduction of the WTP, to make it as cheap and simple as possible.
– Moving functions like encryption and decryption to the AC reduces the vulnerabilities from a compromised WTP, since user encryption keys no longer reside on the WTP. As a result, advancements in security protocol and algorithm designs do not necessarily obsolete the WTPs; the ACs implement the new security schemes instead, which simplifies the management and update task. Additionally, the network is protected against LAN-side eavesdropping.

Slide 53: Real Time vs. Non-Real Time
There is no clear definition in the specification as to which MAC functions are considered "real time"; each vendor interprets this in their own way. Most vendors agree that the following MAC services are examples of real time services, and choose to implement them on the WTPs:
– Beacon generation
– Probe response/transmission
– Processing of control frames: RTS/CTS/ACK/PS-Poll/CF-End/CF-ACK
– Synchronization
– Retransmissions
– Transmission rate adaptation
The following list includes examples of non-real time MAC functions as interpreted by most vendors:
– Authentication/De-authentication
– Association/Disassociation/Re-association/Distribution
– Integration services: bridging between 802.11 and 802.3
– Privacy: Encryption/Decryption
– Fragmentation/Defragmentation
However, some vendors may choose to classify some of the above "non-real time" functions as real time functions in order to support specific applications with strict QoS requirements. For example, re-association is sometimes implemented as a "real time" function to support VoIP applications.

Slide 54: CAPWAP and WISPE
WISPE implements the Split-MAC architecture defined in the CAPWAP drafts. The Split-MAC architecture splits the functions between the Wireless Switch and the AP differently from the current Symbol WISP-based architecture.

Slide 55: Symbol's Implementation (1)
– Antenna Diversity: The switch enables/disables this feature and specifies the gain of the antenna(s). WISPE will provide the ability to configure primary, secondary, and receive and transmit diversity just as WISP does today.
– 802.1X Authentication: 802.1x will be performed just as in WISP, if necessary. WISPE 1.0 will not implement the DTLS defined in CAPWAP.
– Jumbo Frames Support; Fragmentation and Reassembly: For the L2 case, MTU discovery will be performed from both ends and jumbo frames will be supported if possible. For the L3 case, there is no MTU discovery in WISPE 1.0. Fragmentation and reassembly will be performed according to CAPWAP.
– 802.11a: DFS, TPC, Radar Avoidance: Same as WISP.
– 802.11b+g: Dual Mode Protection; Short Slot Timer: Implemented on the AP.
– Encryption: The switch performs encryption; WiAP is a pass-through. CAPWAP control frames should be encrypted according to the draft, but this is not being implemented in this release. Also, AP-Switch authentication is not done in this release.
– Rate Scaling: The AP performs all rate scaling. The switch no longer performs this function.
– L3 Tunneling: The switch is discovered using DHCP options or through DNS. All packets are thereafter encapsulated in UDP frames.
– PSP: Because of the latency in the L3 and wireless hop links, the AP performs all the buffering for PSP frames. Broadcast frames are buffered and discarded at the port.

Slide 56: Symbol's Implementation (2)
– QoS: WLAN Based Prioritization; MU Based Prioritization: This is performed entirely on the switch. The switch classifies packets from different WLANs into WMM categories. The AP simply implements WMM based on the passed category.
– QoS: WMM: The switch configures the parameters on the AP and performs packet classification. The AP performs WMM scheduling. The AP manages its own WMM buffers (this was done by the switch using flow control before).
– QoS: WMM-Power Save (Unscheduled APSD): The AP performs this as a part of its PSP implementation.
– QoS: Voice (strict priority, seamless roaming, SpectraLink voice prioritization, multicast prioritization): The classification is done on the switch; the AP performs the scheduling.
– QoS: Bandwidth constrained L3 tunnel: Both the switch and the AP fill in the TOS bits in the packets bound to each other. It is hoped that the intermediate infrastructure will act upon this and deliver packets according to their individual packet classes. WiAP will extract the WMM class and fill the corresponding TOS fields accordingly. All CAPWAP management frames and 802.11 management frames have the highest priority. In the absence of an 802.11e field, packets go out with normal priority. SpectraLink phones and voice MUs are specifically identified as such to the AP by the switch; these MUs' packets will be forwarded to the switch with voice priority in the TOS fields.
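The TOS marking for the bandwidth-constrained L3 tunnel, as an added example (not Symbol's code): it classifies a frame in the precedence the last row describes and writes the resulting DSCP into a constructed IPv4/UDP encapsulation so that the marking can be read back as a router would see it. The TID-to-access-category table is the standard WMM one; the concrete DSCP code points, the MU addresses, the IP addresses and the use of the switch control port 0x6000 as the sample destination are assumptions or constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IEEE 802.11e / WMM: user priority (TID) -> access category (standard mapping).
TID_TO_AC = {1: "background", 2: "background", 0: "best_effort", 3: "best_effort",
             4: "video", 5: "video", 6: "voice", 7: "voice"}

# DSCP written into the tunnel packet's TOS byte per class. The slide only says
# "corresponding TOS fields"; these code points are an assumption (conventional
# choices: EF for voice, AF41 for video, CS1 for background, CS6 for control and
# management, 0 for normal priority).
AC_TO_DSCP = {"voice": 46, "video": 34, "best_effort": 0, "background": 8}
DSCP_CONTROL_MGMT = 48
DSCP_NORMAL = 0


@dataclass
class TunnelFrame:
    kind: str                    # "capwap_control", "mgmt" (802.11 management) or "data"
    src_mac: str                 # MU the frame came from
    tid: Optional[int] = None    # 802.11e QoS TID; None when the frame has no QoS field
    payload: bytes = b""         # opaque to this example


def classify_dscp(frame: TunnelFrame, voice_mus: set) -> int:
    """DSCP the WiAP stamps on the tunnel packet for this frame: control and
    management highest; MUs the switch flagged as voice (SpectraLink etc.) get
    voice priority even without a QoS field; otherwise the WMM class of the
    802.11e TID; and normal priority when there is no TID at all."""
    if frame.kind in ("capwap_control", "mgmt"):
        return DSCP_CONTROL_MGMT
    if frame.src_mac in voice_mus:
        return AC_TO_DSCP["voice"]
    if frame.tid is not None and frame.tid in TID_TO_AC:
        return AC_TO_DSCP[TID_TO_AC[frame.tid]]
    return DSCP_NORMAL


def _checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(frame: TunnelFrame, voice_mus: set, src_ip: str, dst_ip: str,
                sport: int, dport: int) -> bytes:
    """Build the IPv4 + UDP encapsulation around the frame payload, with the DSCP
    in the upper six bits of the TOS byte and the ECN bits zero. The UDP checksum
    is left at 0 (none); the WISPE payload format itself is not modelled."""
    tos = classify_dscp(frame, voice_mus) << 2
    udp_len = 8 + len(frame.payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + frame.payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]   # fill header checksum
    return ip + udp


def dscp_of(packet: bytes) -> int:
    """Read the DSCP back out of an IPv4 header (what a router or a capture sees)."""
    return packet[1] >> 2
```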

Slide 57: Symbol's Implementation (3)
Function / Notes
Channel Selection (802.11a DFS, auto channel, clear channel detection): No change in implementation.
Load balancing element: No change in implementation.
Intrusion detection (Wireless IPS, rogue AP detection, MU-based rogue AP detection, countermeasures): Probe requests, probe responses and beacons are forwarded in a special mode. A dedicated mode forwards authentication requests/responses and association requests/responses from any MU/AP while performing a full scan. MU-based rogue AP detection and countermeasures are implemented by the switch.
RTLS: Performed as before by the switch; probe requests and beacons are forwarded to the switch.
Self healing; power scaling: Performed as before on the switch. The power configuration is identical to the one in WISP.
Switch Discovery and Adoption: L2 WISPE switch discovery is performed first. If it fails, L3 WISPE discovery is performed. If both fail, the legacy WISP discovery is performed. L3 switch discovery and adoption requires DHCP options to be provided by the DHCP server or a DNS server to be configured. Switch load balancing is performed just as in WISP.

Slide 58: Functional Partitioning
Function / Switch responsibility / WiAP responsibility
Association and authentication. Switch: completely here. WiAP: pass-through.
AP buffer management. Switch: none. WiAP: manages its own buffers; no more flow control.
PSP. Switch: performs lagged PSP. WiAP: holds some MU buffers for PSP.
QoS: WMM classification. Switch: performs all packet classification. WiAP: performs all scheduling between WMM categories.
QoS: WLAN prioritization. Switch: classifies packets based on WLANs. WiAP: performs all scheduling based on WMM categories.
QoS: SpectraLink and legacy voice prioritization. Switch: classifies packets as SpectraLink voice. WiAP: performs SpectraLink round-robin prioritization and legacy voice prioritization.
Encryption and authentication. Switch: in the switch. WiAP: none.
Rate scaling. Switch: in the switch. WiAP: performs retry-rate scaling.
RF Monitoring. Switch: filters packets and configures the port to monitor on a channel. WiAP: the radio simply responds to the switch configuration and acts as a pass-through for the packets.
Wireless Tunnel. Switch: configures the forwarding tables in the APs for each destination. WiAP: forwards incoming wireless hop packets according to these forwarding tables.
L3 Tunnel. Switch: simply listens on port 0x6000 for control frames and on a configurable port for data frames. WiAP: discovers the switch using the IP addresses it receives from the DHCP server in vendor-specific extensions (configured by the admin) or from a DNS server; thereafter it simply encapsulates all its data frames in UDP packets.

Slide 59: AP Startup and Discovery (1)
Switch discovery is attempted in 3 ways: on the local VLAN, through the DHCP server, and (in later versions) through a neighboring AP.
Initially, the AP attempts to find its Wireless Switch by broadcasting a Hello packet on its local VLAN. All Wireless Switches on the VLAN that receive this Hello packet respond with a Parent packet.
If no response is received, the AP attempts to discover its Wireless Switch by first obtaining an IP address from a DHCP (or DNS) server and checking the options field in the DHCP response. The options field (Option 43) contains a list of Wireless Switch IP addresses for the AP.
– The system administrator programs these options into the DHCP server.
If the AP finds such a list, it sends a unidirectional Hello packet encapsulated in a UDP/IP frame to each WS on the list. Each Wireless Switch that receives such a packet responds with a Parent response.

Slide 60: AP Startup and Discovery (2)
In later versions (wireless discovery): If no link is detected on the Ethernet port, the AP (let's call it AP1) attempts to discover switches through APs already adopted by a switch. AP1 does this by scanning for beacons from nearby APs.
– Having discovered one or more neighboring APs, AP1 transmits a broadcast Hello packet to each neighbor, encapsulated in an 802.11 data frame.
– If one of the neighboring APs (let's call it AP2) happens to be connected to a WS, it forwards the packet to the WS and proxies for AP1.
– The WS generates a Parent packet in response to the Hello packet and sends the response in a layer-2 WISPE packet.
– Since AP2 proxies for AP1, it picks up the Parent message and forwards it over the air to AP1.
More details about wireless hop procedures are outlined in the Appendix.
The AP retries these 3 methods of discovering the switch until one of them is successful. In parallel, the AP also attempts 802.1x authentication in case it is needed.

Slide 61: WISPe Message Encapsulation: Layer 2
If the Access Port is directly connected to the Wireless Switch, the WISPe message is encapsulated as shown below. This is the standard WISPe Layer 2 format.

Slide 62: WISPe Message Encapsulation: Layer 3
If the link between the Access Port and the Wireless Switch is a Layer 3 link, the WISPe message is encapsulated in a UDP/IP frame and transmitted to the nearest router.
A different UDP port number is used by each portal (radio) in an Access Port. The UDP port numbers used are mutually agreed upon, pre-defined numbers (e.g. port 5100 for portal 1, 5101 for portal 2, etc.).
– The destination port number (in WS5100 v3.0) is 6000.
The packet is shown below:

Slide 63: WISPe Message Encapsulation: Wireless Hop (Later Versions)
When the link between the Access Port and the Wireless Switch involves a wireless hop through a wired Access Port, the message takes the format shown below. A Layer 2 WISPE message is encapsulated in an 802.11 header and transmitted over the wireless hop between the wireless Access Port and the Access Port connected to the Wireless Switch (or potentially to another wireless Access Port). The receiving Access Port strips off the 802.11 header, then forwards this message to the Wireless Switch, encapsulated as required based on its link type (Layer 2, Layer 3, or wireless hop).

Slide 64: Impact of Layer 3 Tunneling
Feature / Effects of L3 latency and slow L3 paths
Roaming quality: If the L3 link bandwidth is too meager, there is no way for the switch or the AP to detect it until it begins to impact latency. One might find that the number of simultaneous roams becomes limited and the quality of the roams is poor (lossy). In such a situation, an infrastructure that implements DiffServ could be helpful. WISPE requires a minimum bandwidth of 10 Mbps between the WS and the WiAP to operate without substantial degradation in roaming quality.
WMM: Since the AP performs WMM scheduling all by itself (in contrast to WISP, where queue management was partially performed by the switch), WMM priorities are preserved across the L3 link regardless of the latency.
APSD, PSP: Regardless of the type of tunnel, APSD and PSP are performed partially in the switch and partially in the AP. This split model attempts to mask the effect of tunnel latencies.
Throughput: Having a 10 Mbps full-duplex link is a necessary condition for good roaming quality, but throughput will still be limited by the throughput of the link.
QoS - Voice: After an AP is adopted over an L3 tunnel, if the latency suddenly spikes, there is no way to protect against voice jitter buffer overflows. While this may not affect SpectraLink round-robin prioritization for a given latency, it will cause considerable lag in the conversation, depending on the latency. Hence, guaranteeing a latency of < 30 ms in the L3 path will go a long way towards improving voice performance. Sudden changes in the bandwidth of the L3 tunnel have a similarly deleterious effect on voice. It is hoped that the infrastructure pays attention to the TOS field and the 802.1p field and implements differentiated services.

Slide 65: L3 Deployment Scenario

Slide 66: WISP-WiAP: Upgrade/Downgrade
AP300 WISP to WiAP Upgrade: An AP300 running WISP boot firmware shall be adopted by any Wireless Switch running WiOS2 firmware (WS5100 v3.0, RF7000 v1.0). At the end of the adoption process, the WISP firmware on the AP300 is replaced by an image capable of WiAP features. This adoption can only take place on an L2 broadcast domain.
– Since a WISP AP300 has no L3 capability, it must be adopted on L2 to be updated to WiAP.
AP300 WiAP to WISP Downgrade: An AP300 running WiAP firmware SHALL be adopted by a Wireless Switch running non-WiOS software.
– This is for backwards compatibility. An AP300 with WiAP firmware will still discover and adopt to a Wireless Switch using the older WISP protocol messages.
– At the end of this adoption process, the WiAP firmware on the AP300 is replaced by the older WISP firmware image.

Slide 67: L3 Adoption: Test Topology
(Topology figure: AP1 on VLAN 100 is adopted over L2, AP2 on VLAN 101 is adopted over L3, with VLAN 10 on the switch side; the DHCP server uses Option 189 to specify the switch IP address.)

L3 Mobility

Slide 69: L3 Mobility
Driving requirement: In large campuses/enterprises with a highly segmented network, provide the ability for mobile units (MUs) to roam across subnets (L3 boundaries) when associated with Symbol Wireless Switches and retain their IP address. Deliver QoS and security as the devices move across subnets.
Layer 3 mobility is a mechanism which enables a Mobile Unit (MU) to maintain the same Layer 3 address while roaming throughout a multi-VLAN network. This enables transparent routing of IP datagrams to MUs during their movement, so that data sessions can be initiated to them while they roam (in particular for voice applications). Layer 3 mobility also enables TCP/UDP sessions to be maintained in spite of roaming among different IP subnets.

Slide 70: L3 Mobility: Implementation Overview (1)
Seamless roaming of MUs between wireless switches on different Layer 3 subnets, while retaining the same IP address.
Static configuration of mobility peer switches; there are plans to automate the peer discovery process in a future release.
This solution does not require any changes to the MU. In comparison, other solutions to this problem such as Mobile IP [RFC 3344] require special functionality and software on the mobile unit. This creates numerous inter-working problems with MUs from different vendors and with legacy devices which do not support this.
Support for a maximum of 15 mobility peers, with each switch handling up to a maximum of 500 MUs.
A full mesh of GRE tunnels is established between the mobility peers. Each tunnel is between a pair of switches and is capable of handling data traffic for all MUs (for all VLANs) associated directly or indirectly (if the switch is the HS and not the CS) with the switch.

Slide 71: L3 Mobility: Implementation Overview (2)
Data traffic for roamed MUs is tunneled between the home and current switches by encapsulating the entire L2 packet inside GRE with a proprietary code-point. L2oGRE was chosen instead of IPoGRE so that VLAN headers can be carried across the tunnels to identify the VLAN of broadcast/multicast packets.
When MUs roam within the same VLAN, the current behavior is retained by re-homing the MU to the new switch, so that extra hops are avoided while forwarding data traffic.
Mobile units can be assigned IP addresses statically or dynamically.
The forward and reverse data paths for traffic originating from and destined to MUs that have roamed from one L3 subnet to another are symmetric.

Slide 72: L3 Mobility Implementation: Key Concepts (Terminology)
Mobility Domain: A Mobility Domain comprises a network of Wireless Switches to which an MU can roam seamlessly without changing its IP address. The initial implementation supports only a single mobility domain.
Home Switch (HS): As soon as an MU enters a mobility domain by associating with a switch, it is first assigned a Home Switch. The HS for an MU does not change for the remainder of the MU's stay in the mobility domain. All data packets transmitted/received by the MU, including DHCP and ARP, are tunneled through the HS. The IP address for the MU is assigned from the RON subnet of the HS.
Current Switch (CS): The CS for the MU is the switch in the mobility domain to which it is currently associated; it keeps changing as the MU continues to roam between the different switches. The CS is also responsible for delivering data packets from the MU to its HS and vice versa.

Slide 73: Mobility Exchange Protocol: Peer Configuration
Peer configuration and establishment: All Wireless Switches that support the L3 mobility functionality peer with every other switch in the mobility domain to exchange mobility-related control plane information.
– This includes the IP address, MAC address, HS IP address, CS IP address and HS-VLAN-id of all the MUs in the mobility domain.
– A consistent peer configuration resulting in a full mesh of peering sessions is required for L3 mobility to work correctly.
Peering sessions use TCP as the transport layer protocol to carry mobility update messages. Using TCP provides the following advantages:
– TCP retransmits lost messages, thereby providing reliable connectivity.
– TCP ensures in-order delivery of messages using sequence numbers.
– TCP has a built-in keep-alive mechanism which helps detect loss of connectivity to the peer or peer failure.
In WS5100 v3.0, this feature supports only static configuration of mobility peers, with plans to automate the peer-discovery and establishment process in a future release.

Slide 74: Mobility Exchange Protocol: MU Database
MU Database: The MU database is a complete set of all MUs currently associated with switches in the mobility domain. Every switch needs to be aware of all the MUs and their mobility-related parameters to distinguish between new MUs entering the network and existing MUs roaming within the mobility domain. The mobility-related parameters include:
– MU MAC address
– MU IP address
– Home Switch IP address
– Current Switch IP address
– Home Switch VLAN identifier
As soon as a peering session is established between two switches, the initial data flow involves the exchange of the full MU database.
– The protocol does not require a periodic refresh of the entire MU database; only incremental updates are sent as the database changes.
The MU database within a switch consists of two distinct parts:
– Home MU Database (HMDB): The set of MUs for which this switch is the HS.
– Foreign MU Database (FMDB): The set of MUs for which this switch is not the HS. These MUs are learnt from other peers in the mobility domain via Mobility Exchange messages.

Slide 75: L3 Mobility Exchange Messages
JOIN messages are used to advertise the presence of one or more MUs in the MU database to a peer. When an MU that is currently not present in the MU database associates with a switch, the switch immediately sends a JOIN message to the HS with the MU's MAC, HS-VLAN, CS-IP and HS-IP information. The HS then forwards the JOIN to all its peers, except the one from which it received the original message. JOIN messages are always originated by the CS. JOIN messages are also used during the HS-Selection phase to inform a candidate HS about an MU; this is initiated by the CS as soon as an MU enters the mobility domain by associating with it.
LEAVE messages are sent when the switch decides that an MU that was originally present in the MU database is no longer present in the mobility domain. The CS sends a LEAVE to the HS for an MU as soon as the ROAM-timer expires for that MU. The ROAM-timer gives the MU a configurable time interval within which it could roam to another switch after dissociating from its CS explicitly, or after the CS determines that the MU has left based on its data inactivity timer. The HS forwards the LEAVE to all other peers in the mobility domain.
L3-ROAM: When an MU roams to a new CS that is on a different L3 network (the MU is mapped to a different VLAN ID), the new CS sends an L3-ROAM message to the HS with the new CS-IP information. This L3-ROAM message is then forwarded by the HS to all other peers.
L2-ROAM: When an MU roams to a new CS that is on the same L3 subnet as the old CS (the MU is mapped to the same VLAN ID), the new CS sends an L2-ROAM message to the old HS with the new HS-IP and CS-IP information. This L2-ROAM message is then forwarded by the old HS to all other peers.

Slide 76: L3 Roam Operation and Data Forwarding
The MU first associates with a wireless switch in the mobility domain. This switch becomes the home switch (HS) for the MU. The HS sends a JOIN message with the MU's MAC address, IP address and HS-VLAN information to all its peers.
When the MU roams to a WS on a different L3 subnet, this switch becomes the CS for the MU and sends out an L3-ROAM message to the HS, which is then relayed out to all the peers.
The CS tunnels all data packets (including DHCP and ARP) transmitted by the MU out to the HS, which then decapsulates and forwards the packet as if the MU were local to the HS. The MU thus continues to retain its IP address in the HS-VLAN. All packets destined to the MU are tunneled back by the HS to the CS.

Slide 77: L2 Roaming
When an MU roams to a CS that is on the same L3 network (the MU is mapped to the same VLAN ID), the CS sends an L2-ROAM message to the HS to indicate that the MU has roamed within the same VLAN. The old HS forwards this to all its peers, with the new HS and CS information.
The MU is basically re-homed to the new CS, but gets to keep its old IP address. This is similar to the current behavior and avoids the overhead of an extra hop across the GRE tunnel to the HS for data traffic.
The same procedure is followed even if the new CS is on a different L3 subnet but uses the same VLAN ID (overlapping VLAN scenario). However, the MU must then send a DHCP request again and obtain a new IP address.

Slide 78: L3 Mobility: Data Forwarding
(MU-1 and MU-2 are initially homed with WS1. Both MU-1 and MU-2 roam to WS-2, the new CS. Figure: host H behind an L2/L3 switch, WS1 on a /24 in VLAN 10, WS2 on a /24 in VLAN 11.)
MU-2 to Host (H):
– MU-2 sends the packet first to its CS (WS-2).
– The CS encapsulates the L2 packet in GRE and tunnels it to the MU's HS (WS-1).
– The HS decapsulates the GRE packet and forwards the inner L2 packet on its RON interface to the L2/L3 switch, which ultimately sends it to the host H.
Host to MU-2:
– H forwards the packet to the L2/L3 switch, which sends it to MU-2's HS (WS-1, which proxy-ARPs for the MU).
– WS-1 encapsulates the L2 packet and tunnels it to the CS (WS-2).
– WS-2 decapsulates and sends the original packet to MU-2.
MU-1 to MU-2:
– MU-1 sends the data packet first to its CS (WS-2).
– WS-2 tunnels the L2 packet to MU-1's HS (WS-1).
– WS-1 decapsulates and tunnels the packet back to WS-2 (MU-2's CS).
– WS-2 decapsulates and forwards the packet to MU-2.
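The MU database, the JOIN/LEAVE/L3-ROAM/L2-ROAM exchange and the tunneled data path of slides 74 to 78, modelled as an added example that is not part of the original presentation and not Symbol's code. Switch names, VLAN ids, subnets and the "RON"/"HOST" hop labels are constructed; the relay rule (the HS forwards a CS-originated message to every peer except the sender) follows slide 75.

```python
"""Toy model of the Wi-NG L3 mobility exchange (JOIN, LEAVE, L3-ROAM, L2-ROAM)
and of the GRE data path between home and current switches.  Added example,
not Symbol's code; switch names, VLAN ids and subnets are constructed."""
from dataclasses import dataclass, replace


@dataclass
class MuEntry:               # one record of the MU database (slide 74)
    mac: str
    ip: str
    hs: str                  # Home Switch
    cs: str                  # Current Switch
    hs_vlan: int             # Home Switch VLAN identifier


class Switch:
    def __init__(self, name, vlan, subnet):
        self.name, self.vlan, self.subnet = name, vlan, subnet
        self.hmdb = {}       # Home MU Database: MUs for which we are the HS
        self.fmdb = {}       # Foreign MU Database: MUs learnt from peers
        self.peers = []      # full mesh of peers, set by full_mesh()
        self.domain = {}     # name -> Switch, set by full_mesh()
        self.sent = []       # (message, MU MAC, destination switch) log
        self._next_host = 10

    def lookup(self, mac):
        return self.hmdb.get(mac) or self.fmdb.get(mac)

    def _assign_ip(self):    # an MU's IP comes from the RON subnet of its HS
        self._next_host += 1
        return f"{self.subnet}.{self._next_host}"

    def _drop(self, mac):
        for db in (self.hmdb, self.fmdb):
            db.pop(mac, None)

    def _store(self, e):
        self._drop(e.mac)
        (self.hmdb if e.hs == self.name else self.fmdb)[e.mac] = e

    def _send(self, msg, e, to, relay):
        if to is not self:
            self.sent.append((msg, e.mac, to.name))
        to.receive(msg, e, sender=self, relay=relay)

    def receive(self, msg, e, sender, relay):
        if msg == "LEAVE":
            self._drop(e.mac)
        else:
            self._store(replace(e))
        if relay:            # the (old) HS relays to every peer but the sender
            for p in self.peers:
                if p is not sender:
                    self._send(msg, e, p, relay=False)

    def associate(self, mac):
        """An MU associates with this switch; returns the resulting MU entry."""
        e = self.lookup(mac)
        if e is None:                      # new MU: this switch is HS and CS
            e = MuEntry(mac, self._assign_ip(), self.name, self.name, self.vlan)
            msg, to = "JOIN", self
        elif e.hs_vlan == self.vlan:       # L2 roam: re-home; the IP is kept
            old_hs = self.domain[e.hs]     # unless the VLAN id spans subnets
            ip = e.ip if old_hs.subnet == self.subnet else self._assign_ip()
            e = MuEntry(mac, ip, self.name, self.name, self.vlan)
            msg, to = "L2-ROAM", old_hs
        else:                              # L3 roam: keep HS and IP, new CS
            e = replace(e, cs=self.name)
            msg, to = "L3-ROAM", self.domain[e.hs]
        self._store(e)
        self._send(msg, e, to, relay=True)
        return e

    def roam_timer_expired(self, mac):
        """The CS gives up on an MU after the ROAM-timer: LEAVE goes to the HS."""
        e = self.lookup(mac)
        self._drop(mac)
        self._send("LEAVE", e, self.domain[e.hs], relay=True)

    def data_path(self, src, dst):
        """Hops of a frame between MUs and/or the wired 'HOST' (slide 78)."""
        s, d = self.lookup(src), self.lookup(dst)     # None for HOST
        hops = ["RON"] if s is None else [s.cs]       # an MU sends to its CS
        if s and s.cs != s.hs:                        # roamed: CS tunnels to HS
            hops += [f"GRE {s.cs}->{s.hs}", s.hs]
        if d is None or hops[-1] != d.hs:             # cross the wired network
            if hops[-1] != "RON":
                hops.append("RON")
            if d:                                     # dst's HS proxy-ARPs for it
                hops.append(d.hs)
        if d and d.cs != d.hs:                        # tunnel to the current switch
            hops += [f"GRE {d.hs}->{d.cs}", d.cs]
        return hops


def full_mesh(switches):
    """Static full-mesh peering, the only mode WS5100 v3.0 supports."""
    by_name = {s.name: s for s in switches}
    for s in switches:
        s.domain, s.peers = by_name, [p for p in switches if p is not s]
```

Calling `associate` on the switches in the order the MUs roam reproduces the three paths of slide 78, and an L2 roam to a switch on the home VLAN shows the re-homing that removes the extra GRE hop.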

Slide 79: L3 Mobility: Test Topology
(Topology figure: switches WS1 and WS2 carrying VLANs 1 and 10 and VLANs 1 and 20 respectively; AP1 on VLAN 100 is adopted over L2, AP2 on VLAN 101 is adopted over L3; a further VLAN 200; the DHCP server uses Option 189 to specify the switch IP address.)

Slide 80: L3 Mobility Configuration

Slide 81: L3 Mobility Implementation: Key Highlights
Distributed architecture: switch failures affect only a small subset of the MUs in the network (those for which the failed switch is HS or CS).
Secure tunneling between mobility peers using GREoIPSEC (GRE over IPsec).
Home Switch load balancing (next release).
Capable of carrying non-IP traffic.
QoS parameters including 802.1p and DSCP are preserved and mapped over to the encapsulated packet, ensuring that the tunneled packet gets appropriate QoS treatment on the wired network.
Support for roam-capable WLANs (enable/disable mobility on a per-WLAN basis).
Ease of mobility peer configuration using Cluster CLI: the same set of mobility peers on all Wireless Switches can be configured from a single device.

Slide 82: L3 Mobility: Potential Implementation Limitations
There could be deployment scenarios where a disproportionately large number of MUs get homed to a small subset of switches in the network, causing larger loads on those switches due to the tunneling of data traffic to them. Example: switches located at the entrance to a campus.
One way to resolve this is to introduce an HS-Selection mechanism, where the MU's Home Switch is load-balanced between a set of candidate switches based on pre-configured algorithms (RR, WRR, static, etc.). This will be implemented in a future release.

Slide 83: Clustering Versus Mobility
(Figure: Core 1, Core 2, Access 1 and Access 2 switches forming a Cluster.)
If the CS fails, the MU associates with the backup switch and gets an IP address on the backup switch's IP subnet.
If the HS fails, the MU is forced to re-associate to the CS and therefore gets a new IP address on the CS's IP subnet.

Wi-NG: Key Features Redundancy Enhancements

WCCP: Overview

Slide 86: Redundancy Overview
Currently the Wireless Switch supports Active:Standby failover.
The Standby switch listens to heartbeats from the Primary.
– The Standby switch adopts the Access Ports if the Primary is down.
In this scenario, the Standby is essentially inactive (in terms of servicing wireless network traffic) until it becomes Primary.
WS5100 v3.0 enhances the redundancy feature through:
– Support for Active:Active failover and 1:Many failover
– Support for load balancing Access Ports in a cluster of switches

Slide 87: Clustering Concept
In WS5100 v3.0, a group of switches can be made part of a Redundancy Group or Cluster. The objective is to minimize wireless network traffic disruption in the event of failure of any switch within that cluster.
Enabling the clustering mechanism allows the switches in that cluster to:
– Exchange licensing information
– Load balance the Access Ports between them
– Redistribute the load in the event of switch/network failure
– Manage (configure and monitor) all switches in the cluster from any single switch using the cluster-cli feature
– Exchange the most important runtime information, such as rogue detection, APs in self-healing mode, the number of APs and radios adopted, and switch AP adoption capacity

Slide 88: WCCP Framework
The enhanced redundancy/failover is achieved through the new Wireless Cluster Control Protocol (WCCP). WCCP is used for:
– Managing the automatic port adoption by switches within a cluster
– Sharing licenses within the cluster
– Actively monitoring other switches in the same cluster
– Exchanging runtime information such as AP adoption, detected rogue APs, APs operating in self-healing mode, the number of APs and radios adopted, and switch AP adoption capacity
– Providing license and state information to the Adoption module on whether to adopt Access Ports (or not)
– Allowing all switches in the cluster to be configured and managed from any switch that is part of that cluster using the cluster-cli feature (available only through the CLI, not in the Applet or SNMP)
– Supporting the configuration of cluster-specific commands, which are unique to individual switches, using a common config file from DHCP
– Acting as a tunnel between the application modules of the core cell controller across switches (to be used in future software releases)
WCCP is established when a group of switches is assigned a unique ClusterID. The cluster can have a mix of Primary and Standby switches, or all of them can be Primary. All Primary switches are in Active state and will adopt the Access Ports. The Standby switch will adopt the Access Ports when the Primary fails or if there is an unadopted Access Port in the network.

Slide 89: Definitions
Acronym / Definition
Cluster / Group ID: WCCP Group Identifier. A group of 2 or more switches in which each switch monitors the other members within the group and provides a failover mechanism. There can be many Cluster/Redundancy Group IDs in a network.
Primary Switch: A switch that is currently forwarding data packets and adopting the Access Ports. All switches with licenses are Primary by default.
Standby Switch: Valid only if WCCP is enabled. In Standby mode a switch adopts Access Ports only in the event of failure of the Primary.
Discovery Time: The time duration in which a switch determines the existence of other switches in the Cluster.
Heartbeat Interval: The frequency with which heartbeat messages are sent between switches in a Cluster.
Hold Timer: If there is no heartbeat from the neighbor or active switch for this time, then it is declared dead.
RON: Rest of Network.
Redundancy Group: A Cluster is also referred to as a Redundancy Group.

Slide 90: WCCP Implementation Overview (1)
All members of a Cluster will be able to make use of the same configuration file located on an external DHCP server. The clustering-related parameters can be configured manually or fetched using DHCP options.
Clustering requires certain unique values to be assigned to each switch in the cluster:
– Interface IP address (the interface used to exchange heartbeats)
– Member IP addresses (IP addresses of peers in the cluster)
– Redundancy mode
– Cluster ID / Redundancy Group ID
There will be NO runtime configuration syncing between members of a Cluster.
A maximum of 12 switches can be part of a Cluster in the case of the WS5100.

Slide 91: WCCP Implementation Overview (2)
Every switch in a Cluster has a Load Indicator (default is 0). This is adjusted at runtime based on the load on the switch, which is determined by the number of APs adopted by the switch and the switch's AP adoption capacity.
When Access Ports send the WISP Hello message, they receive a Parent message (Hello response) carrying this Load Indicator.
– The Access Port selects the switch that has the smallest Load Indicator value (least load).
Switches exchange their licensing information, compute the number of APs they can adopt, and try to load balance at startup, when APs/switches are added/removed, or in the event of network failure.
A Preferred List can be used to distribute the Access Port adoption across the switches in the cluster. This is a global list: all switches in the cluster should have the same configured preferred list (of AP MAC addresses).
Each switch establishes a TCP/IP connection with the other switches in the Cluster. All switches periodically exchange heartbeats with each other over UDP. Each switch maintains a neighbor switch status as to whether it is alive or not.

Slide 92: WCCP Operation: Discovery Phase
In this phase (the interval is based on the configured Discovery Time), the switches try to discover other switches in that Cluster by exchanging heartbeats via UDP.
Cluster-specific configuration parameters have to be the same between the switches in order for the connection to be established between them. These parameters are:
– Cluster ID
– Heartbeat Interval
– Hold Interval
– Discovery Time
– Version (higher cluster version switches will support the lower version switches)
During the Discovery Phase, no Access Ports are adopted. Once all the peers are in the established state, the Discovery phase is exited.

Slide 93: WCCP State Machine
Unlike the current design, the WiOS 3.0 version of the redundancy protocol (WCCP) uses a symmetric state machine for both primary and standby switches.
(State diagram: states Disabled, Startup, Discovery and Online/Active; transitions "WCCP enabled" (Disabled to Startup), "Startup Done" (Startup to Discovery), "Discovery Done" (Discovery to Online/Active) and "WCCP disabled" (back to Disabled).)

Slide 94: State Machine (cont.)
When the cluster feature is disabled, the switch goes to the Disabled state from any state. On enabling the cluster, the switch changes to the Startup state.
The switch continues to be in the Startup state for another 50 seconds if STP convergence is enabled; otherwise it immediately transitions to the Discovery state.
In the Discovery state, the switch discovers other switches in the cluster by sending and receiving heartbeats. After discovering all configured members, establishing the (TCP) connection and determining the cluster license, the switch goes to the Active state. If all configured members are not discovered, the switch transitions to the Active state only after the discovery timer expires.
Both primary and standby switches execute the same set of four states. The mode of the switch, either Primary or Standby, determines who should adopt the ports in the Active state.

Slide 95: 1:Many Redundancy
In WS5100 v3.0, up to 12 switches can be part of a cluster. The cluster can have multiple primary and standby switches. The recommended design is to have multiple primary switches and one standby switch.
Each switch cannot support more than its maximum capacity in the event of failover; for example, in the case of the WS5100, the upper limit per switch is 48.
In a Cluster, the licenses are aggregated.

Slide 96: Use Case (1): Active/Standby
(Figure: Primary: Active (Port License = 6); Standby: Active (Port License = 0).)
In the above scenario, a cluster of Active/Standby switches continues to operate as before. If the Primary switch (which has adopted 6 Access Ports) goes down, the Standby switch adopts the 6 Access Ports.

Slide 97: Use Case (2): Active/Active
(Figure: Primary: Active (Port License = 12); Primary: Active (Port License = 0).)
In this scenario, once the cluster is established and there are 12 Access Ports to be adopted, the original Primary switch (which is licensed) and the other switch with zero license configured as primary load balance the Access Ports between them. The Primary will have 6 Access Ports and the original zero-port-license switch will also have 6 Access Ports.
If the original licensed switch goes offline, the second switch adopts the Access Ports attached to the Primary and ends up with 12 Access Ports.

Slide 98: Use Case (3): 1:Many
(Figure: Primary (Port License = 12); Primary (Port License = 12); Primary (Port License = 24); Redundancy Mode: Standby (Port License = 0).)
In this scenario, initial load balancing after cluster establishment leads to 16 ports adopted by each active switch. If any of the 3 primary switches in the Cluster fails, the Standby adopts 16 Access Ports.

Slide 99: Use Case (4): 1:Many
(Figure: Primary: Active (Port License = 48); three further Primary: Active switches with Port License = 0.)
In this scenario, after cluster establishment, the 48 APs are redistributed between the 4 switches: each switch adopts 12 Access Ports. If the 48-port-license switch goes down, the remaining 3 switches continue to support a total of 48 Access Ports.
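The load balancing and failover behaviour of slides 91 and 96 to 99, as an added example that is not Symbol's code. The Load Indicator formula (adopted ports divided by adoption capacity), tie-breaking by configuration order in place of the Preferred List, and pooling the port licenses once at cluster establishment are assumptions chosen to reproduce the numbers on the use-case slides; switch names and AP ids are constructed.

```python
"""Toy model of WCCP access-port adoption, load balancing and failover in a
WS5100 v3.0 cluster.  Added example, not Symbol's code: the adoption rule
(lowest Load Indicator wins, licenses pooled at establishment) is a reading
of the slides, and switch names and AP ids are constructed."""

WS5100_MAX_PORTS = 48          # per-switch upper limit from the 1:Many slide


class ClusterSwitch:
    def __init__(self, name, port_license, mode="primary"):
        self.name, self.port_license, self.mode = name, port_license, mode
        self.capacity = WS5100_MAX_PORTS   # AP adoption capacity
        self.adopted = []                  # access ports adopted by this switch
        self.alive = True
        self.active = mode == "primary"    # a standby stays idle until needed

    def load_indicator(self):
        """Value carried in the Parent (Hello response): 0 when idle, rising
        with adopted ports relative to the switch's adoption capacity."""
        return len(self.adopted) / self.capacity


class Cluster:
    def __init__(self, switches):
        self.switches = switches
        # Licenses are aggregated across the cluster when it is established.
        self.license_pool = sum(s.port_license for s in switches)

    def adopted_total(self):
        return sum(len(s.adopted) for s in self.switches if s.alive)

    def adopt(self, ap):
        """An AP sends Hello; every active switch answers with a Parent carrying
        its Load Indicator and the AP picks the smallest.  Returns the adopting
        switch, or None if no license or capacity is left."""
        if self.adopted_total() >= self.license_pool:
            return None
        candidates = [s for s in self.switches
                      if s.alive and s.active and len(s.adopted) < s.capacity]
        if not candidates:
            return None
        # Ties are broken by configuration order, standing in for the
        # Preferred List a real deployment would configure on every switch.
        best = min(candidates,
                   key=lambda s: (s.load_indicator(), self.switches.index(s)))
        best.adopted.append(ap)
        return best

    def adopt_all(self, aps):
        """Adopt a batch of APs; a standby steps in only for ports left unadopted."""
        left = [ap for ap in aps if self.adopt(ap) is None]
        idle = [s for s in self.switches if s.alive and not s.active]
        if left and idle:
            for s in idle:
                s.active = True
            left = [ap for ap in left if self.adopt(ap) is None]
        return left

    def fail(self, name):
        """Hold timer expired for `name`: declare it dead, activate standbys and
        re-adopt its orphaned ports.  Returns the ports that found no home."""
        dead = next(s for s in self.switches if s.name == name)
        dead.alive, dead.active = False, False
        orphans, dead.adopted = dead.adopted, []
        for s in self.switches:
            if s.alive and s.mode == "standby":
                s.active = True
        return self.adopt_all(orphans)

    def distribution(self):
        return {s.name: len(s.adopted) for s in self.switches}


def use_case_3():
    """Slide 98: three primaries (12, 12, 24 licenses) plus one standby."""
    cluster = Cluster([ClusterSwitch("P1", 12), ClusterSwitch("P2", 12),
                       ClusterSwitch("P3", 24), ClusterSwitch("S", 0, "standby")])
    cluster.adopt_all([f"AP{i:02d}" for i in range(48)])
    before = cluster.distribution()        # 16 ports on each primary, 0 on S
    cluster.fail("P1")
    return before, cluster.distribution()  # S now holds the 16 orphaned ports


if __name__ == "__main__":
    print(use_case_3())
```

The same model reproduces the other three use cases: 6/0 Active:Standby hands all 6 ports to the standby on failure, 12/0 Active:Active splits 6 and 6 and then 12, and 48/0/0/0 goes from 12 each to 16 each on the three survivors.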

Slide 100: Clustering Configuration Parameters

Slide 101: CLI Commands

Slide 102. Show Redundancy Members Output:

Slide 103. Cluster CLI
Cluster CLI feature: this feature lets the user/administrator manage (configure and monitor) all switches in a cluster from any switch that is part of that cluster. For this feature, a new context is provided in the CLI. One enters this context by typing cluster-cli enable from the EXEC mode. Once in the cluster-cli context, the user can execute all show commands and most of the configuration commands available under the regular CLI.
1) To get into the cluster-cli context:
WS5100# cluster-cli enable
2) Executing commands under the cluster context:
WS5100:cluster-cli# show version
The above command executes show version on all member switches of the cluster and displays the output of all switches on the single switch console where the command was initiated.
Note: the cluster-cli feature is operational only if the cluster/redundancy feature is enabled, since it uses the existing TCP connection to send and receive the command/response between member switches.
3) To come out of the cluster-cli context:
WS5100:cluster-cli# no cluster-cli enable

Wi-NG: Key Features Security Enhancements Manju Mahishi

Slide 105. Security Enhancements
Packet Filtering / ACLs
IPSec VPN Gateway
Secure Guest Access (Public Hotspots)
RADIUS Enhancements

Packet Filtering and Access Control Lists (ACLs)

Slide 107. Introduction
Packet filtering can help limit network traffic and restrict network use by certain users or devices. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical.
The switch supports two types of ACLs:
IP ACLs filter IP traffic, including TCP, UDP, and ICMP.
Ethernet or MAC ACLs filter non-IP traffic.

Slide 108. ACL Application
The switch supports the following applications of ACLs to filter traffic:
Router ACLs are applied to VLAN (Layer 3) interfaces.
– One Router ACL can be applied in each direction on an interface.
– These ACLs filter traffic based on Layer 3 parameters, namely: source IP, destination IP, protocol type and port numbers.
Port ACLs access-control traffic entering a Layer 2 interface.
– The switch does not support Port ACLs in the outbound direction.
– Only switched packets are subjected to this kind of ACL.
– Traffic filtering can be done based on Layer 2 parameters, namely: source MAC, destination MAC, Ethertype, VLAN-ID and 802.1p bits, OR Layer 3 parameters: source IP, destination IP, protocol, and port.
A maximum of 500 ACLs and 500 ACEs per ACL will be supported in this release.

Slide 109. Rule Application Order
The rules, or Access Control Entries (ACEs), within an ACL are applied to packets based on their precedence values. Rules with higher precedence are always applied first. The administrator can specify the precedence value while adding the rule to an ACL. However, this value is optional; if it is not specified, rules are applied in the order in which they were added to the system. The user is not allowed to add two rules with the same precedence value. When displaying the ACL, rules are shown in order of precedence.
Using rule precedence gives the administrator the flexibility to add rules in any order but still control the sequence in which they are applied to packets.

Slide 110. Router ACLs
Router ACLs are applied to Layer 3 or VLAN interfaces. Only one ACL can be applied per direction (inbound and outbound). If an ACL is already applied in a particular direction on an interface, applying a new one replaces the existing ACL. Router ACLs are applicable only if the switch acts as a gateway.
Two types of Router ACLs are supported:
Standard IP access lists use source IP addresses for matching operations.
Extended IP access lists use source and destination IP addresses and optional protocol type information for matching operations.
The switch examines the ACLs associated with features configured on a given interface and direction. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated with outbound features configured on the egress interface are examined.

Slide 111. Standard IP ACL Syntax
access-list access-list-number (deny | permit) (source/source-mask | host source | any) [rule-precedence access-list-entry-precedence]
Description:
access-list-number: decimal number from 1 to 99 or 1300 to 1999.
source/source-mask: source is the source address of the network or host in dotted decimal; source-mask is the network mask. For example, /24 indicates that the first 24 bits of the source IP are used for matching. The keyword any is an abbreviation for a source IP of and source-mask bits equal to 0. The keyword host is an abbreviation for an exact source (A.B.C.D) and source-mask bits equal to 32.
access-list-entry-precedence: integer value between
This value sets the rule precedence in the ACL.
Example:
Switch(config)# access-list 2 deny host rule-precedence 20
Switch(config)# access-list 2 permit any rule-precedence 10
Switch(config)# end
Switch# show access-list 2
Standard IP access list 2
deny rule-precedence 20
permit any rule-precedence 10

Slide 112. Extended IP ACL Syntax
access-list access-list-number (deny | permit) (ip) (source/source-mask | host source | any) (destination/destination-mask | host destination | any) [rule-precedence access-list-entry-precedence]
access-list access-list-number (deny | permit) (tcp | udp) (source/source-mask | host source | any) [operator source-port] (destination/destination-mask | host destination | any) [operator destination-port] [rule-precedence access-list-entry-precedence]
access-list access-list-number (deny | permit) (icmp) (source/source-mask | host source | any) (destination/destination-mask | host destination | any) [icmp-type | [icmp-type icmp-code]] [rule-precedence access-list-entry-precedence]
Description:
access-list-number: ACL number should be between or
protocol: any IP protocol value. Specify ip (to match any protocol), icmp, tcp or udp.
source/source-mask: same as standard IP ACL, e.g. /22.
operator: valid only for the tcp or udp protocols. Valid values are eq and range; for range, two port numbers need to be specified.
port: valid port number.
icmp-type: ICMP type value from 0 to 255. Valid only for protocol type icmp.
icmp-code: ICMP code value from 0 to 255. Valid only for protocol type icmp.
destination/destination-mask: same as standard IP ACL, e.g. /24.
access-list-entry-precedence: same as standard IP ACL.
Example:
Switch(config)# access-list 102 permit tcp any host eq 22
Switch(config)# access-list 102 deny tcp any /24 range
Switch# show access-list 102
Extended IP access list 102
permit tcp any host eq 22 rule-precedence 2
deny tcp any /24 range rule-precedence 1

Slide 113. Named IP ACLs
Named IP ACLs are similar to Numbered IP ACLs except that a user-defined keyword is used to identify the ACL instead of a number:
ip access-list standard {acl-name}
or
ip access-list extended {acl-name}
(deny | permit) (source/source-mask | host source | any) [rule-precedence access-list-entry-precedence]

Slide 114. Port ACLs
Port ACLs are supported on physical interfaces only, and for inbound traffic only. The following types of Port ACLs are supported:
Standard IP access lists using source IP addresses.
Extended IP access lists using source and destination IP addresses and optional protocol type information.
MAC extended access lists using source and destination MAC addresses, VLAN ID and optional protocol type information.
When a Port ACL is applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. With Port ACLs, one can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP access list and a MAC access list to the interface.
Note: not more than one IP access list and one MAC access list can be applied to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and a new IP access list or MAC access list is applied to the interface, the new ACL replaces the previously configured one.

Slide 115. MAC ACL Syntax
Step 1. mac access-list extended (acl-name)
Step 2. (deny | permit) (any | host source-MAC-address | source-MAC source-MAC-address-mask) (any | host destination-MAC-address | destination-MAC destination-MAC-address-mask) [vlan vlan-id] [dot1p dot1p-value] [type value | ip | ipv6 | arp | vlan | wisp | ] [rule-precedence access-list-entry-precedence]

Slide 116. ACLs on Wired and Wireless Traffic
Wired packets that are switched are subjected to:
– Only Port ACLs on the incoming path.
Wired packets that are routed are subjected to:
– Router ACLs on the incoming path.
– Only Router ACLs on the outgoing path.
Wireless packets are subjected to:
– Router or Port ACLs on the incoming path.
– Router ACLs on the outgoing path.

Slide 117. Handling of Fragmented and Unfragmented Packets
ACL rules are applied to all fragments of a packet. The current implementation does not provide the flexibility of applying rules selectively to initial and non-initial fragments.
If an ACL rule checks for Layer 3 and Layer 4 information, e.g. TCP port 23, then only the first fragment of the packet will match it; the remaining fragments of the same packet will not match this rule. The administrator should configure the PERMIT rules in such a way that if the first fragment is allowed based on Layer 3 and Layer 4 information, the other fragments are also allowed based on just the Layer 3 information.
For DENY rules, it does not matter whether matching rules are configured for the other fragments, as the first fragment will always match and be dropped. The receiving host will then be unable to reassemble the whole packet, which effectively means the whole packet is dropped.
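The ACL behaviour spread over slides 109, 111, 112 and 117 (precedence ordering, first match wins, implicit deny at the end, and non-initial fragments never matching Layer 4 criteria) is easiest to see in one small evaluator. The code below is an added example and is not Symbol's code or the switch's implementation; the addresses, ports and rule set are constructed to mirror the shape of the slide 112 example, whose real addresses did not survive in the slide text, and ICMP type/code matching is left out.

```python
"""Added example (not Symbol's code): a model of how the IP ACL rules on the
preceding slides are evaluated: higher precedence first, first match wins,
implicit deny, and non-initial IP fragments only ever matching Layer 3
criteria. Addresses and rules are constructed for illustration."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Ace:
    action: str                                 # "permit" or "deny"
    proto: str = "ip"                           # ip | tcp | udp | icmp
    src: str = "any"                            # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str = "any"
    dport: Optional[Tuple[int, int]] = None     # (lo, hi): eq is (p, p), range is (lo, hi)
    precedence: int = 0                         # must be unique within the ACL (slide 109)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None                 # None when no L4 header is present
    frag_offset: int = 0                        # 0 = first (or only) fragment


def _net(spec):
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    return ipaddress.ip_network(spec, strict=False)


def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in _net(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _net(ace.dst):
        return False
    if ace.dport is not None:
        # The L4 header travels only in the first fragment; a later fragment
        # carries no port and therefore can never match a port criterion.
        if pkt.frag_offset != 0 or pkt.dport is None:
            return False
        lo, hi = ace.dport
        if not lo <= pkt.dport <= hi:
            return False
    return True


class Acl:
    def __init__(self, name):
        self.name = name
        self.aces = []

    def add(self, ace):
        if any(a.precedence == ace.precedence for a in self.aces):
            raise ValueError(f"precedence {ace.precedence} already used in ACL {self.name}")
        self.aces.append(ace)
        # Higher precedence is applied first; show output uses the same order.
        self.aces.sort(key=lambda a: a.precedence, reverse=True)

    def evaluate(self, pkt):
        """Return (action, matching ACE); no match falls to the implicit deny."""
        for ace in self.aces:
            if _matches(ace, pkt):
                return ace.action, ace
        return "deny", None


def build_example_acl():
    """Extended ACL shaped like slide 112, with constructed addresses."""
    acl = Acl("102")
    acl.add(Ace("permit", "tcp", "any", "host 10.0.0.10", (22, 22), precedence=2))
    acl.add(Ace("deny", "tcp", "any", "10.0.1.0/24", (1, 1023), precedence=1))
    return acl


def fragment_walkthrough():
    """Slide 117's point: a permit that needs L4 information passes only the
    first fragment until an L3-only permit for the same flow is added."""
    acl = build_example_acl()
    first = Packet("192.0.2.5", "10.0.0.10", "tcp", dport=22)
    later = Packet("192.0.2.5", "10.0.0.10", "tcp", dport=None, frag_offset=185)
    before = (acl.evaluate(first)[0], acl.evaluate(later)[0])
    acl.add(Ace("permit", "ip", "any", "host 10.0.0.10", precedence=0))
    after = (acl.evaluate(first)[0], acl.evaluate(later)[0])
    return before, after
```

`fragment_walkthrough()` returns `(("permit", "deny"), ("permit", "permit"))`: without the Layer 3 permit, every non-initial fragment of an otherwise permitted SSH session falls through to the implicit deny, which is the misconfiguration the slide warns about. The lower precedence of the added L3 rule matters: placed above the port-specific deny it would also let the first fragments of denied flows through.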

Slide 118. NAT Support
NAT will be supported for non-IPSec packets which are routed by the switch. The following types of NAT will be supported:
Static NAT:
– Static NAT is similar to Port NAT, with the only difference that it allows the user to configure a source NAT IP address and/or destination NAT IP address to which all packets will be NATted.
– The source NAT IP address is used when hosts on a private network are trying to access a host on a public network.
– The destination NAT IP address can be used for public hosts to talk to a host on the private network.
– Static NAT based on IP address pools will not be supported.
Port NAT:
– Port NAT is also known as NAPT, or PAT in Cisco terminology, where multiple local addresses are mapped to a single global address and a dynamic port number.
– The user is not required to configure any NAT IP address. Instead, the IP address of the public interface of the switch is used to NAT packets going out from the private network, and vice versa for packets entering the private network.

Slide 119. Prevention Against DoS Attacks
WS5100 v3.0 will support protection against some DoS attacks for packets that get routed. Packets that get switched will not be checked for these attacks. The list of DoS attack prevention supported is as follows:
SYN Flood
LAND Attack
SMURF Attack
Christmas Tree Attack
Fragment Overflow
Traceroute
Null Scan
FIN Scan
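The slide lists the signatures but not what the switch tests for. As an added example (not Symbol's code, and not a description of the WS5100's checks), the function below implements the textbook header conditions behind the stateless entries on that list, so a reader can see which fields a routed-packet check has to inspect. SYN flood needs rate state and is deliberately not modelled; the traceroute port range and the frame-size limit are assumptions, and the packets are constructed dicts.

```python
"""Added example (not Symbol's code): stateless header checks for the
signatures on the preceding slide that a router can recognise from a single
packet (LAND, Smurf, Christmas Tree, Null scan, FIN scan, fragment overflow,
classic UDP traceroute). The conditions are the usual textbook definitions,
stated as assumptions; the switch's own thresholds and SYN-flood rate logic
are not on the slide and are not modelled."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MAX_IP_LEN = 65535                    # largest reassembled IPv4 datagram
TRACEROUTE_PORTS = range(33434, 33535)  # assumption: classic UNIX traceroute range


def dos_signatures(pkt, local_broadcasts=()):
    """Return the signature names a routed packet trips (empty list = clean).

    pkt keys: src, dst (dotted IPv4), proto ('tcp'|'udp'|'icmp'); optional
    sport, dport, flags (TCP flag bits), icmp_type, ttl, frag_offset (in
    8-byte units) and payload_len. local_broadcasts: this router's directed
    broadcast addresses, used for the Smurf check.
    """
    hits = []
    flags = pkt.get("flags", 0)
    if pkt["src"] == pkt["dst"]:
        hits.append("LAND")                       # spoofed source equals destination
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8 \
            and pkt["dst"] in local_broadcasts:
        hits.append("SMURF")                      # echo request aimed at a broadcast
    if pkt["proto"] == "tcp":
        if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
            hits.append("CHRISTMAS_TREE")         # FIN+PSH+URG lit together
        elif flags == 0:
            hits.append("NULL_SCAN")              # no flags at all
        elif flags == FIN:
            hits.append("FIN_SCAN")               # lone FIN outside a connection
    if pkt.get("frag_offset", 0) * 8 + pkt.get("payload_len", 0) > MAX_IP_LEN:
        hits.append("FRAGMENT_OVERFLOW")          # reassembly would exceed 64 KiB
    if pkt["proto"] == "udp" and pkt.get("ttl", 64) <= 1 \
            and pkt.get("dport", 0) in TRACEROUTE_PORTS:
        hits.append("TRACEROUTE")                 # low-TTL probe to traceroute ports
    return hits


# Constructed sample of routed packets, as a packet log might present them.
SAMPLE_PACKETS = [
    {"src": "10.0.0.1", "dst": "10.0.0.1", "proto": "tcp", "sport": 80, "dport": 80, "flags": SYN},
    {"src": "198.51.100.9", "dst": "10.0.0.255", "proto": "icmp", "icmp_type": 8},
    {"src": "198.51.100.9", "dst": "10.0.0.5", "proto": "tcp", "dport": 443, "flags": SYN},
    {"src": "198.51.100.9", "dst": "10.0.0.5", "proto": "tcp", "dport": 22, "flags": 0},
]


def summarize(packets, local_broadcasts=()):
    """Count signature hits over a packet list (a report a switch could log or trap)."""
    counts = {}
    for pkt in packets:
        for sig in dos_signatures(pkt, local_broadcasts):
            counts[sig] = counts.get(sig, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS, local_broadcasts={"10.0.0.255"}))
```

Over the constructed sample, `summarize` reports one LAND, one SMURF and one NULL_SCAN hit and leaves the ordinary SYN alone. The checks are per packet, which is exactly why the slide's caveat matters: they only run on the routed path, so switched traffic between two ports in the same VLAN never reaches them.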

Slide 120. What Will Not Be Supported
ACLs based on header fields will not be supported in this release.
QoS and time-based ACLs will not be supported in this release.
Packet filtering based on IP ToS values, and marking of DSCP/ToS bits and VLAN user priority, will not be supported in this release.

Slide 121. Overview: HotSpot / Secure Public Access
This feature allows the Wireless Switch to be used as a single onsite box for providing wireless LAN hotspots.
All HTTP traffic from an MU that is not RADIUS authenticated is filtered based on the Redirect traffic filter port and redirected to the Logon Web Page Address. The administrator can configure the Redirect traffic filter port and the Logon Web Page Address (secure HTTPS).
On the Logon Web Page, the user is asked for a username/password; when the user submits them, they are RADIUS authenticated.
– If the client authenticates properly, then a timeout for the session (as configured in the RADIUS server) is established.
The Logon Web Page may be hosted internally (i.e. locally on the Wireless Switch) or externally (i.e. on an external web server).
White list support: a list of IP addresses that users can access without requiring authentication.

Secure Guest Access

Slide 123. Standalone Applet for Hotspot Provisioning
Standalone Java applet for the front desk person to provision guest users:
Enters user name
Enters (or generates) password
Selects time of access

Intrusion Detection Enhancements

Slide 125. Enhanced Intrusion Detection
Basic Analysis:
– Excessive Authentication/Association
– Excessive Probes
– Excessive Disassoc/Deauth
– Excessive decryption errors
– Excessive Authentication failures
– Excessive replay
– Excessive crypto IV failures (TKIP/CCMP replay)
Anomaly Analysis:
– Source MAC = Dest MAC
– Illegal frame sizes
– Source MAC is multicast
– TKIP countermeasures
– All-zero addresses
All thresholds can be set on either a per-MU or a per-radio basis. Bad MAC addresses are automatically added to a black-list and all frames from those MAC addresses are then ignored; the timeout is configurable. Bad packets can be saved on the switch for later forensic analysis.
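The anomaly checks and the timed black-list on this slide are simple enough to model end to end. The code below is an added example, not Symbol's code: it runs the four address/size anomalies over constructed 802.11 frame headers and keeps a black-list whose entries expire after a configurable timeout, as the slide describes. The frame-size bounds and the one-strike `max_violations` default are assumptions; the switch's real thresholds are per-MU or per-radio settings that the slide does not give. TKIP countermeasures need the MIC failure state of a session and are not modelled.

```python
"""Added example (not Symbol's code): the anomaly checks and the timed MAC
black-list from the preceding slide, modelled over constructed 802.11 frame
headers. Size limits and the violation threshold are assumptions."""

MIN_FRAME = 10        # assumption: shorter than any valid header
MAX_FRAME = 2346      # 802.11 MPDU maximum
ZERO_MAC = "00:00:00:00:00:00"


def is_multicast(mac):
    """I/G bit: least-significant bit of the first octet set = group address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def anomalies(frame):
    """frame: dict with src, dst (MAC strings) and size (bytes)."""
    found = []
    if frame["src"] == frame["dst"]:
        found.append("src_equals_dst")
    if not MIN_FRAME <= frame["size"] <= MAX_FRAME:
        found.append("illegal_frame_size")
    if is_multicast(frame["src"]):
        found.append("multicast_source")     # a station never transmits from a group address
    if frame["src"] == ZERO_MAC or frame["dst"] == ZERO_MAC:
        found.append("all_zero_address")
    return found


class Blacklist:
    """MACs that sent bad frames are ignored until their entry times out."""

    def __init__(self, timeout_s, max_violations=1):
        self.timeout_s = timeout_s
        self.max_violations = max_violations
        self.expiry = {}      # mac -> time at which the entry lapses
        self.counts = {}      # mac -> violations seen so far

    def is_blocked(self, mac, now):
        until = self.expiry.get(mac)
        if until is None:
            return False
        if now >= until:
            # Entry timed out: the station may talk again and starts clean.
            del self.expiry[mac]
            self.counts.pop(mac, None)
            return False
        return True

    def record(self, mac, now):
        self.counts[mac] = self.counts.get(mac, 0) + 1
        if self.counts[mac] >= self.max_violations:
            self.expiry[mac] = now + self.timeout_s


def process(frames, blacklist, now):
    """Return [(src, action, anomalies)] with action forwarded/dropped/ignored."""
    out = []
    for f in frames:
        if blacklist.is_blocked(f["src"], now):
            out.append((f["src"], "ignored", []))      # black-listed: not even inspected
            continue
        bad = anomalies(f)
        if bad:
            blacklist.record(f["src"], now)
            out.append((f["src"], "dropped", bad))     # a real switch could also save it
        else:
            out.append((f["src"], "forwarded", []))
    return out
```

A useful property to check when tuning such a list is the third branch: once a station is black-listed, its frames are not inspected at all until the timeout lapses, so the timeout bounds how long a spoofed source address can keep a legitimate station silenced.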

Slide 126. Rogue AP Detection Changes
A dedicated AP will always remain dedicated and will not forward data frames or allow MUs to associate.
On-channel forwarding is always on by default.

RADIUS Enhancements

Slide 128. MAC Authentication
The MAC address of the MU is stored on the RADIUS server as both Username and Password (colon separated). As soon as an MU associates, the Switch sends a RADIUS request to the server with the Username and Password set to the MAC address. All traffic from the MU is dropped until the server sends an Access-Accept.

Slide 129. NEW!! RADIUS Vendor Specific Attributes (1)
SYM_WLAN_CURRENT_SSID (2): we send the SSID as a string using this attribute. The external RADIUS server can choose to deny association if the SSID does not match the user's configuration.
SYM_WLAN_ALLOWED_SSID (3): the external RADIUS server can send back a list of allowed SSIDs using this attribute. Multiple attributes can be present in the RADIUS packet (max size: 4096 bytes); as long as even one matches we allow the user, otherwise access is denied.
SYM_WLAN_CURRENT_WLAN_IDX (4): the current WLAN index is sent as a number. RADIUS servers can choose to allow/deny access based on this (the onboard RADIUS server also uses this).

Slide 130. NEW!! RADIUS Vendor Specific Attributes (2)
SYM_WLAN_QOS_PROFILE (5): an integer between 1 and 4 to override the QoS profile of the WLAN for one specific user. 4 corresponds to voice (best throughput/latency) and 1 to best-effort.
SYM_WLAN_ALLOWED_RADIO (6): a string which, if present, must be a part of the description of the radio where the user is currently associated. If not, the user is denied access. For example, if three APs on the network have the descriptions "Conference room 1", "lab 1" and "lab 2", and this attribute contains "Conference" for a user, that user will be denied association if he/she tries to connect through the APs in "lab 1" or "lab 2".
SYM_SESSION_EXPIRY_TIME (7): specifies a time at which the user's session is to be terminated. This attribute is an absolute date/time "DD:MM:YYYY-HH:mm". We also support the standard Session-Timeout attribute, which specifies the number of seconds for which the session is to be valid.
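Slides 129 and 130 describe each attribute separately; the added example below (not Symbol's code, and not the switch's RADIUS client) puts them together as the decision a switch has to make when an Access-Accept arrives: SSID list match, radio-description substring match, QoS override range check, and the session end derived from the absolute `SYM_SESSION_EXPIRY_TIME` and the relative standard `Session-Timeout`. The attribute values are modelled as already-decoded Python values in a dict keyed by attribute name; the vendor ID, the on-wire encoding and the switch's real evaluation order are not on the slides and are assumptions.

```python
"""Added example (not Symbol's code): applying the Symbol vendor-specific
RADIUS attributes listed on slides 129 and 130 to an Access-Accept. Values
are already-decoded Python objects keyed by attribute name; vendor ID,
encoding and the real evaluation order are assumptions."""

from datetime import datetime, timedelta

# Vendor-specific attribute numbers as given on the slides.
VSA = {
    "SYM_WLAN_CURRENT_SSID": 2,
    "SYM_WLAN_ALLOWED_SSID": 3,
    "SYM_WLAN_CURRENT_WLAN_IDX": 4,
    "SYM_WLAN_QOS_PROFILE": 5,
    "SYM_WLAN_ALLOWED_RADIO": 6,
    "SYM_SESSION_EXPIRY_TIME": 7,
}
EXPIRY_FMT = "%d:%m:%Y-%H:%M"       # SYM_SESSION_EXPIRY_TIME is "DD:MM:YYYY-HH:mm"


def build_request_vsas(ssid, wlan_idx):
    """VSAs the switch puts in the Access-Request: current SSID and WLAN index."""
    return {VSA["SYM_WLAN_CURRENT_SSID"]: ssid,
            VSA["SYM_WLAN_CURRENT_WLAN_IDX"]: wlan_idx}


def parse_expiry(value):
    return datetime.strptime(value, EXPIRY_FMT)


def apply_vsas(accept, current_ssid, radio_description, now):
    """Decide whether an Access-Accept admits this MU, and with what limits.

    accept: attribute name -> value, or a list of values where the attribute
            appeared several times (SYM_WLAN_ALLOWED_SSID may repeat).
    Returns (allowed, reason, session); session carries the derived QoS
    profile and expiry time.
    """
    allowed = accept.get("SYM_WLAN_ALLOWED_SSID")
    if allowed is not None:
        if isinstance(allowed, str):
            allowed = [allowed]
        # "as long as even one matches we allow the user"
        if current_ssid not in allowed:
            return False, "SSID not in SYM_WLAN_ALLOWED_SSID", {}

    radio_filter = accept.get("SYM_WLAN_ALLOWED_RADIO")
    # The string must be part of the description of the radio in use.
    if radio_filter is not None and radio_filter not in radio_description:
        return False, "radio description does not contain SYM_WLAN_ALLOWED_RADIO", {}

    session = {}
    qos = accept.get("SYM_WLAN_QOS_PROFILE")
    if qos is not None:
        if not 1 <= int(qos) <= 4:
            return False, "SYM_WLAN_QOS_PROFILE outside 1..4", {}
        session["qos_profile"] = int(qos)          # 4 = voice, 1 = best-effort

    # Session end: the earlier of the absolute expiry and now + Session-Timeout,
    # whichever of the two the server supplied (assumed combination rule).
    ends = []
    if "SYM_SESSION_EXPIRY_TIME" in accept:
        ends.append(parse_expiry(accept["SYM_SESSION_EXPIRY_TIME"]))
    if "Session-Timeout" in accept:
        ends.append(now + timedelta(seconds=int(accept["Session-Timeout"])))
    if ends:
        session["expires_at"] = min(ends)
        if session["expires_at"] <= now:
            return False, "session already expired", {}
    return True, "ok", session
```

With the slide's own example, a user whose `SYM_WLAN_ALLOWED_RADIO` is "Conference" is admitted through a radio described "Conference room 1" and refused through "lab 1"; note that the substring test also admits a radio described "Conference room 2", so descriptions need to be chosen with that in mind.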

QoS Enhancements Self Healing New Symbol Extensions

Slide 132. WS5100 v3.0: Wireless QoS
RADIUS packets have configurable DSCP/ToS.
Traffic between AP and Switch is prioritized.
WMM AC to DSCP/802.1p mappings are configurable.
WLAN QoS prioritization is simpler: Voice/Video/Best-effort/Background/WMM.
User-based QoS settings (update of the QoS priority level of a user from the RADIUS server).
Support for WMM-UPSD: helps improve battery life of phones.
Support for per-BSS DTIM configuration.

Wi-Fi Multimedia Extensions (WMM) Manju Mahishi

Slide 134. Wi-Fi Multimedia Extensions
Quality of Service (QoS) is required to support multimedia applications and advanced traffic management. WMM adds prioritized QoS capabilities to Wi-Fi networks and optimizes their performance when multiple concurrent applications, each with different latency and throughput requirements, compete for network resources. By using WMM, end-user satisfaction is maintained in a wider variety of environments and traffic conditions. WMM makes it possible for home network owners and enterprise network managers to decide which data streams are most important and assign them a higher traffic priority.
The Wi-Fi Alliance defined WMM as a profile of the upcoming IEEE 802.11e standard and started a Wi-Fi CERTIFIED for WMM program to satisfy the industry's most urgent need for a QoS solution for Wi-Fi networks.
WMM provides prioritized media access and is based on the Enhanced Distributed Channel Access (EDCA) method. It defines four priority classes to manage traffic from different applications: Voice, Video, Best effort, and Background.

Slide 135. Why QoS?
Typically, networks operate on a best-effort delivery basis: all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Applications such as voice, video and music streaming, and interactive gaming generate data streams that have strict latency and throughput requirements. To ensure a good user experience, traffic from different applications has to be managed and prioritized using QoS.
When QoS is configured on the switch, users can select specific network traffic, prioritize it, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS on wireless LANs makes network performance more predictable and bandwidth utilization more effective. The benefits of QoS become more obvious as the load on the wireless LAN increases, keeping the latency, jitter, and loss for selected traffic types within an acceptable range.

Slide 136. End-to-End QoS: 802.1p, Packet Prioritization (Layer 2)
3 bits long (0-7).
Relative priority applied per application.
Recognized by most Layer 2 switches that implement VLANs.
Priority / Application table (only the first rows were captured):
7: Network Control: Management Traffic
6: Voice:

Slide 137. End-to-End QoS (L3): DiffServ, DSCP
DiffServ is a Class of Service (CoS) model that enhances best-effort Internet services by differentiating traffic by users, service requirements and other criteria. Packets are specifically marked, allowing network nodes to provide different levels of service, as appropriate for voice calls, video playback or other delay-sensitive applications, via priority queuing or bandwidth allocation, or by choosing dedicated routes for specific traffic flows.
DiffServ defines a field in Layer 3 IP packet headers referred to as the DiffServ Codepoint (DSCP). Hosts or routers passing traffic to a DiffServ-enabled network will typically mark each transmitted packet with an appropriate DSCP. The DSCP markings are used by DiffServ network routers to classify packets appropriately and to apply particular queue handling or scheduling behavior (Per-Hop Behavior, or PHB).
PHBs are different types of behavior applied to individual routers.
– While they cannot guarantee end-to-end QoS, numerous routers assigned the same PHBs can be linked (while limiting the rate at which packets are submitted) to enable end-to-end QoS and achieve near-leased-line service performance.

Slide 138. Overview of WMM Operation (1)
WMM introduces traffic prioritization capabilities based on the four Access Categories (ACs). The higher the AC, the higher the probability to transmit. The ACs were designed to correspond to 802.1d priorities to facilitate interoperability with QoS policy management mechanisms, such as UPnP. WMM-enabled switches/APs coexist with legacy devices (devices that are not WMM-enabled); packets not assigned to a specific AC are categorized by default as having best-effort priority.
Applications assign each data packet to a given AC. Packets are then added to one of four independent transmit queues (one per AC, i.e. voice, video, best effort, or background) in the client. The client has an internal collision resolution mechanism to address collisions among the different queues, which selects the frames with the highest priority to transmit. The same mechanism deals with external collisions, to determine which client should be granted the Opportunity to Transmit (TXOP).
Access Category | Description | 802.1d Tags
WMM Voice (AC3) | Highest priority. Allows multiple concurrent VoIP calls, with low latency and toll voice quality | 7, 6
WMM Video (AC2) | Prioritizes video traffic above other data traffic. One 802.11g or 802.11a channel supports 3-4 SDTV streams or 1 HDTV stream | 5, 4
WMM Best Effort (AC1) | Traffic from legacy devices, or from applications or devices that lack QoS capabilities. Traffic less sensitive to latency, but affected by long delays, such as Internet browsing | 0, 3
WMM Background (AC0) | Low-priority traffic (file downloads, print jobs) that does not have strict latency and throughput requirements | 2, 1
Source: Wi-Fi CERTIFIED for WMM - Support for Multimedia Applications with Quality of Service in Wi-Fi® Networks (Sept 2004)

Slide 139. Overview of WMM Operation (2)
The collision resolution algorithm that is responsible for traffic prioritization is probabilistic and depends on two timing parameters that vary for each AC:
The minimum interframe space, or Arbitrary Inter-Frame Space Number (AIFSN).
The Contention Window (CW), sometimes referred to as the Random Backoff Wait.
– Both values are smaller for high-priority traffic.
For each AC, a backoff value is calculated as the sum of the AIFSN and a random value from zero to the CW. The value of the CW varies through time: initially the CW is set to a value that depends on the AC; after each collision the CW is doubled until a maximum value (also dependent on the AC) is reached; after a successful transmission, the CW is reset to its initial, AC-dependent value. The AC with the lowest backoff value gets the TXOP. As frames with the highest AC tend to have the lowest backoff values, they are more likely to get a TXOP.
Once a client gains a TXOP, it is allowed to transmit for a given time that depends on the AC and the PHY rate. The TXOP limit ranges from 0.2 ms (background priority) to 3 ms (video priority) in an 802.11a/g network, and from 1.2 ms to 6 ms in an 802.11b network. This bursting capability greatly enhances the efficiency for high-data-rate traffic, such as AV streaming. Also, devices operating at higher PHY rates are not penalized when devices that support only lower PHY rates (e.g. because of distance) contend for medium access.
Source: Wi-Fi CERTIFIED for WMM - Support for Multimedia Applications with Quality of Service in Wi-Fi® Networks (Sept 2004)
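The contention rule above is probabilistic, so the effect of the AIFSN and CW parameters is clearest in a short simulation. The code below is an added example and is not Symbol's code or the Wi-Fi Alliance's reference: it implements exactly the rule on the slide (backoff = AIFSN + random value in [0, CW], CW doubled per collision up to a maximum, reset after success, lowest backoff wins the TXOP) for one station with all four queues loaded. The per-AC AIFSN/CWmin/CWmax numbers are illustrative assumptions shaped like WMM defaults, not values from the slide, and the CWmax for the two lower categories is kept small so the simulation converges quickly.

```python
"""Added example (not Symbol's code): a small simulation of the WMM/EDCA
contention rule on the preceding slide. The per-AC parameters are
illustrative assumptions, not values from the slide."""

import random
from dataclasses import dataclass

# Assumed per-AC parameters: (AIFSN, CWmin, CWmax); smaller means higher priority.
AC_PARAMS = {
    "voice":       (2, 3, 7),
    "video":       (2, 7, 15),
    "best_effort": (3, 15, 63),
    "background":  (7, 15, 63),
}


@dataclass
class AcState:
    ac: str
    cw: int

    @property
    def aifsn(self):
        return AC_PARAMS[self.ac][0]

    def backoff(self, rng):
        """AIFSN plus a uniformly random slot count from 0 to the current CW."""
        return self.aifsn + rng.randint(0, self.cw)

    def on_collision(self):
        """Double the CW (2^n - 1 form) until the AC's maximum is reached."""
        self.cw = min(2 * self.cw + 1, AC_PARAMS[self.ac][2])

    def on_success(self):
        """A successful transmission resets the CW to the AC's initial value."""
        self.cw = AC_PARAMS[self.ac][1]


def new_state(ac):
    return AcState(ac, AC_PARAMS[ac][1])


def contend(states, rng):
    """One contention round among loaded queues: the lowest backoff wins the
    TXOP. A tie at the lowest value is a collision: each tied queue doubles
    its CW and nobody transmits (returns None)."""
    backoffs = {s.ac: s.backoff(rng) for s in states}
    lowest = min(backoffs.values())
    tied = [s for s in states if backoffs[s.ac] == lowest]
    if len(tied) > 1:
        for s in tied:
            s.on_collision()
        return None
    tied[0].on_success()
    return tied[0].ac


def simulate(rounds=20000, seed=1):
    """Count TXOP wins per AC when every AC always has a frame queued."""
    rng = random.Random(seed)
    states = [new_state(ac) for ac in AC_PARAMS]
    wins = {ac: 0 for ac in AC_PARAMS}
    for _ in range(rounds):
        winner = contend(states, rng)
        if winner is not None:
            wins[winner] += 1
    return wins


if __name__ == "__main__":
    print(simulate())
```

The win counts come out strictly ordered voice > video > best effort > background, which is the slide's claim that higher ACs "tend to have the lowest backoff values". The simulation also shows the starvation side of the rule: with the two high categories always loaded, background wins only a handful of rounds, which is what the admission-control limits on slide 142 exist to keep in check.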

Slide 140. Transmission Efficiency with EDCA

Slide 141. WMM in v3.0
WMM-UPSD (Power Save): the Wireless Switch is WMM-UPSD capable.
– Unscheduled Power Save and Delivery: improves voice capacity and battery life of voice devices.
– No Symbol MUs support this yet (planned for H1 2007).
– SpectraLink phones will support WMM-UPSD in Q
MU-based load balancing: the Wireless Switch will ensure that load indicators (Symbol proprietary as well as 802.11e standard specific) are sent to MUs. Symbol MUs or 802.11e MUs may make use of this information for load balancing.

Slide 142. WMM Admission Control
Admission Control that will be implemented in v3.0:
MUs are not allowed to send traffic on certain access categories (voice/video) unless they have first requested permission from the AP.
MUs request permission using a TSPEC, which is a special frame directed to the AP specifying which access category the MU wants to send/receive traffic in.
– The switch has the choice of accepting or rejecting the TSPEC.
The switch can be configured to allow a certain number of MUs access to each access category (say 10 on voice, 5 on video).
– Any additional MUs that associate with that AP will not be allowed to send traffic in the video or voice AC.
– They can still use best-effort, so they don't lose service, but being a lower priority than the voice MUs, they don't impact the performance of the voice MUs.

Slide 143. Wi-NG Features Contd.: Self Healing
Self Healing is the ability to dynamically adjust the RF network (transmit power, channels and/or supported rates) based on AP failure or interference in the RF network. Two types of self-healing are supported:
– Neighbor Recovery: when an AP fails (detected either by loss of WISP heartbeats or by loss of its beacons as seen by detector APs), the neighbor APs assist in self healing.
– Interference Avoidance: this is also known as dynamic channel selection based on interference detection. The administrator shall be able to configure an RF retry threshold setting, and in the event that the RF retry rate exceeds that threshold, the AP shall perform ACS again.

Slide 144. Location Awareness
MU association ACLs are based not only on WLANs, but also on the RADIO description.

Slide 145. Symbol Extensions (1)
Fast Roaming: moves the association from one AP to another as the MU roams. The old key is re-used, so there is no need to do the 4-way handshake again.
Diagram (Mobile Unit, AP + Switch, RADIUS server):
Authentication and Association.
EAP/802.1x Authentication: EAPoL from the MU to the Switch, and RADIUS from the Switch to the RADIUS server. Now both the mobile unit and the AP/Switch have a Pairwise Master Key (PMK).
WPA2/802.11i handshake: the following handshake uses the PMK to derive a session key. Now both the mobile unit and the AP/Switch have a session key, and all data frames over the air will now be encrypted using this key.

Slide 146. Symbol Extensions (2)
SmartScan of channels: the list of channels currently in use is provided to the MU, and the MU will only scan those channels:
– Avoids interference
– Increases battery life
– Reduces scan times
Location-aware message from AP to MU: radios can be configured with a custom message, and any MU that associates with that radio will be provided with that message.

Slide 147. WS5100 v3.0: Other Notes
Support for packet marking will continue.
GRE tunneling will also be supported (similar to what is implemented in v2.1).

Process Monitoring & Diagnostics

Slide 149. Wi-NG Features Contd.: Process Monitoring and Diagnostics
Process Monitoring: the Process Monitor is responsible for the startup (and shutdown) of all processes in the system and for monitoring their health. Using periodic heartbeat messages from all processes, the Process Monitor verifies that all processes are up and running at all times. In the event that a process dies or hangs, the Process Monitor kills this process and restarts it.
Diagnostics: the diagnostics subsystem provides a range of automatic health monitoring features which ensure that the system is in working order. It monitors (and generates logs/traps) for:
– CPU load
– Kernel resource (RAM, file descriptors etc.) usage
– File system (non-volatile memory) statistics

Slide 150. Troubleshooting Enhancements
Remote Serviceability Features:
copy tech-support command
Ethereal packet capture
Startup log
CLI command history
Upgrade history
Reboot history
Cluster history
AP adoption history
MU roam history
Crash/core dump/AP crash management

How We Stack Up with v3.0

Slide 152. Symbol Solution Elements
Wireless Switch + Wi-NG Software
Wireless Intrusion Protection System (WIPS)
Mobility Services Platform (MSP)
Symbol RF Manager

Slide 153. How Symbol's WLAN Offering Currently Stacks Up (Pre-Wi-NG; Compared to Cisco/Aruba)
Functionality | How Symbol Stacks Up (rating icons not captured)
Security (WPA2, IDS/IPS, Firewalls, VPN, NAC) |
Infrastructure Management | SEMM/MSP
RF Planning, Visual RF Monitoring Tools, Locationing |
L3 Capability |
Wireless Bridging / Mesh |
High Performance Systems |
Ease of Configuration |
Enterprise Mobility Features (Roaming, Power Save, QoS, MU Management) |
Overall Cost of Ownership |

Slide 154. How Wireless Switch Infrastructure Stacks Up with Wi-NG and RF7000
Functionality | How Symbol Stacks Up
Security (WPA2, IDS/IPS, Firewalls, VPN, NAC) | NAC: will test with MS and a couple of other solutions by end of Q1 2007
Infrastructure Management | MSP v2.8.1
RF Planning, Visual RF Monitoring Tools, Locationing | RF Manager 1.0; integrated Locationing in WIPS 2.0; support for Ekahau (and AeroScout in Q1 2007)
L3 Mobility Capability | Better solution than Aruba
Remote AP Solutions | To be developed soon
Wireless Bridging / Mesh | Supported in AP-5131; coming Q in Switches
High Performance Systems | RF7000. Very cost competitive compared to Aruba's and Cisco's solutions; more feature-rich and delivers more benefits to customers
Ease of Configuration |
Enterprise Mobility Features (Roaming, Power Save, QoS, MU Management) |
Overall Cost of Ownership / End User Benefits |

THANK YOU!!