WiNG 5.3
WiNG 5.3 Training
Agenda
Layer 2 Enhancements:
Tunnel-Controller Load Balancing
L2TPv3
Layer 2 NAT
IGMP Snooping
Security Enhancements:
IPsec VPN
Auto IPsec Secure
Layer 3 Enhancements:
Policy Based Routing
NAT Load Balancing / Failover
OSPF
VRRP
Critical Resource Monitoring
Default Gateway Prioritization
PPPoE Client
Security Enhancements
© 2012 Motorola Solutions Proprietary & Confidential
Layer 2 Enhancements
Tunnel-Controller Load Balancing
Overview
Introduces support for load-balancing Extended VLANs between a cluster of
Controllers
– Must be enabled on both the Controllers and Access Points (Profile or Override)
– Intended for Layer 2 or Layer 3 Adopted 802.11n Access Points
– Disabled by default
Allows 802.11n Access Points to operate in a similar manner to AP300 / AP650
Access Points in WiNG 4.x
[Diagram: two topologies of Controllers, Switches and APs – "No Tunnel Load Balancing" (all Extended VLAN tunnels terminate on one Controller) versus "With Tunnel Load Balancing" (tunnels spread across the Controller cluster)]
Layer 2 Tunneling Protocol v3
Overview
L2TPv3 is an IETF standard used for transporting different types of layer 2
frames over an IPv4 network
Supports two peers per tunnel
– Primary peer preferred over secondary peer
L2TPv3 can be deployed to transport Ethernet frames from supported
Access Points to a third-party Router or Concentrator
– Tunnel wireless user traffic to a third-party Router in the DMZ
– Tunnel wireless user traffic from Access Points to different service provider
Routers
In WiNG 5.3 L2TPv3 support is only provided for certain Access Points
L2TPv3 Tunnel Termination on Integrated Services Controllers will be
introduced in WiNG 5.4.
Layer 2 Tunneling Protocol v3
Configuration Example – Topology
L2TPv3 Tunnels from AP7131N Access Points to a Third-Party Router
Layer 2 NAT
Overview
In branch Extended VLAN environments, if an MU wants to browse the
Internet or communicate with a local service at the branch site (e.g. a
printer or file server), the MU's packets travel all the way to the Data Center
where the Wireless Controllers and default router reside:
– All traffic traverses the WAN or VPN connection
A workaround is for the MU to connect to a separate VLAN with Local
Bridging, but this requires the user to switch Wireless LANs
Layer 2 NAT and Policy Based Routing features in WiNG 5.3 address this
limitation:
– Allows Internet traffic to be forwarded locally at the Branch while corporate traffic
is forwarded to the Data Center over the Extended VLAN
– Allows users to access Printers and Servers deployed at the Branch without
traversing the WAN
Similar concept to Split Tunneling with IPsec VPN
Layer 2 NAT
Configuration Example – Topology
IGMP Snooping
Overview
IGMP snooping provides an efficient multicast delivery and bandwidth
conservation mechanism for layer 2 devices
– The layer 2 device only forwards Multicast groups out of ports / radios where
group members are present, and not to non-member ports / radios
– The layer 2 device monitors IGMP membership reports (joins / leaves) and builds
an IGMP table mapping groups to host ports / radios
When disabled, multicast forwarding behavior varies by vendor
– Layer 2 devices may flood known and unknown IP Multicast groups to all ports in
the broadcast domain
– Layer 2 devices may suppress known Multicast groups until a single receiver
joins a specific Multicast group
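The forwarding logic described on this slide, as an added example that is not part of the training deck or of WiNG's own code: a toy layer 2 device that builds a group-to-port table from membership reports and leaves, forwards a group only to member ports / radios while snooping is on, and models the two vendor behaviours mentioned above (flood everything, or suppress a group until a receiver joins) when snooping is off. Port names, group addresses and host identifiers are constructed for the example; the real protocol details (querier election, router ports, timers) are deliberately left out.

```python
"""Toy model of an IGMP-snooping layer 2 device (added example, not WiNG code)."""
from collections import defaultdict


class IgmpSnoopingDevice:
    def __init__(self, ports, snooping=True, disabled_policy="flood"):
        self.ports = set(ports)                 # constructed port / radio names
        self.snooping = snooping
        self.disabled_policy = disabled_policy  # "flood" or "suppress" when snooping is off
        # group -> port -> set of hosts that reported membership on that port
        self.table = defaultdict(lambda: defaultdict(set))

    def membership_report(self, group, port, host):
        """IGMP join seen on `port` from `host`: add the port to the group's member list."""
        if port not in self.ports:
            raise ValueError("unknown port %s" % port)
        self.table[group][port].add(host)

    def leave(self, group, port, host):
        """IGMP leave seen on `port` from `host`: prune the port once no member remains."""
        members = self.table.get(group)
        if not members or host not in members.get(port, ()):
            return
        members[port].discard(host)
        if not members[port]:
            del members[port]
        if not members:
            del self.table[group]

    def member_ports(self, group):
        """Ports / radios with at least one host that joined `group`."""
        return set(self.table.get(group, {}))

    def forward_ports(self, group, ingress):
        """Ports / radios that receive a frame for `group` arriving on `ingress`."""
        others = self.ports - {ingress}
        if self.snooping:
            # Snooping on: only member ports, never non-member ports.
            return self.member_ports(group) & others
        if self.disabled_policy == "flood":
            # Snooping off, flooding vendor: every port in the broadcast domain.
            return others
        # Snooping off, suppressing vendor: nothing until a single receiver joins.
        return others if self.member_ports(group) else set()


if __name__ == "__main__":
    dev = IgmpSnoopingDevice(["ge1", "ge2", "radio1", "radio2"])
    dev.membership_report("239.1.1.1", "radio1", "host-a")
    print(sorted(dev.forward_ports("239.1.1.1", "ge1")))   # ['radio1']
```

With snooping on, a frame for a group nobody joined is dropped instead of being sprayed over every radio, which is both the bandwidth saving the slide describes and the reason snooping limits how far stray multicast traffic travels on the wireless side.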
IGMP Snooping
Configuration Example – Topology
Layer 3 Enhancements
Policy Based Routing
Overview
The current routing infrastructure in WiNG utilizes destination based
routing
– Traffic is forwarded to the next hop based on best match in the routing table
Policy Based Routing allows administrators to route traffic in ways that go
beyond the traditional destination based routing:
– Allows select traffic to be routed using criteria such as source / destination
address, protocol, application and traffic class (DSCP)
– Allows traffic to be load-balanced across multiple WAN links
– Allows traffic to be selectively marked for QoS purposes
Policy Based Routing
Route-Maps Match Clauses
Match clauses are used to select traffic:
– IP Access List – Traffic matching permit rules will be subjected to PBR; those
matching deny rules will be subjected to destination based routing
– IP DSCP – DSCP value in the IP header of packets
– Incoming WLAN – Applicable only on platforms with on-board radio (RFS4000
and AP71xx)
– Wireless Client ROLE – Applicable only on platforms with on-board radio
(RFS4000, AP71xx)
– Incoming Interface – Ingress layer 3 interface (VLAN, PPPoE, WWAN)
If a route-map has no match clauses, then it shall match all traffic
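How the match clauses on this slide select traffic, as an added example that is not part of the training deck or of WiNG's own code: a toy route-map evaluator with the IP access list, DSCP and incoming interface clauses. Traffic permitted by the ACL (and matching the other clauses) takes the route-map's next hop; an ACL deny, a non-matching clause or no matching route-map entry sends the packet back to longest-prefix destination-based routing; an entry with no match clauses matches all traffic. The single-next-hop set action, first-match ordering of route-map entries, the "implicit deny" at the end of the ACL and every address are assumptions made for the example.

```python
"""Toy evaluation of a policy-based-routing route-map (added example, not WiNG code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str            # "tcp", "udp", "icmp", ...
    dscp: int = 0
    in_interface: str = "vlan1"


@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: str = "ip"     # "ip" matches every protocol


def acl_lookup(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry decides; no matching entry is treated as an implicit deny (assumption)."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(e.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(e.dst):
            continue
        return e.action
    return "deny"


@dataclass
class RouteMapEntry:
    next_hop: str
    acl: Optional[List[AclEntry]] = None
    dscp: Optional[int] = None
    in_interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # No match clauses at all: the entry matches every packet.
        if self.acl is None and self.dscp is None and self.in_interface is None:
            return True
        # ACL permit selects traffic for PBR; deny falls back to destination routing.
        if self.acl is not None and acl_lookup(self.acl, pkt) != "permit":
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        return True


def destination_route(routing_table, dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, next_hop) pairs: the traditional lookup."""
    best_len, best_hop = -1, None
    addr = ipaddress.ip_address(dst)
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, next_hop
    return best_hop


def select_next_hop(route_map, routing_table, pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (next_hop, 'pbr' | 'destination') for a packet."""
    for entry in route_map:
        if entry.matches(pkt):
            return entry.next_hop, "pbr"
    return destination_route(routing_table, pkt.dst), "destination"


# Constructed branch scenario (assumed addresses): Internet-bound traffic arriving on
# vlan20 leaves via the local ISP, corporate 10.0.0.0/8 traffic keeps using the routing table.
BRANCH_ACL = [AclEntry("deny", dst="10.0.0.0/8"), AclEntry("permit")]
BRANCH_ROUTE_MAP = [RouteMapEntry(next_hop="192.0.2.1", acl=BRANCH_ACL, in_interface="vlan20")]
BRANCH_ROUTING_TABLE = [("0.0.0.0/0", "172.16.0.1"), ("10.10.0.0/16", "172.16.0.2")]

if __name__ == "__main__":
    guest = Packet("10.20.1.5", "198.51.100.7", "tcp", in_interface="vlan20")
    print(select_next_hop(BRANCH_ROUTE_MAP, BRANCH_ROUTING_TABLE, guest))  # ('192.0.2.1', 'pbr')
```

The deny-first ACL is the part worth checking in a real deployment: if the corporate prefix is missing from the deny entries, internal traffic is silently steered out of the local Internet link instead of over the Extended VLAN, so a policy review should trace both an Internet-bound and a corporate-bound packet through the route-map exactly as the two calls in the test do.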
Policy Based Routing
Configuration Example – Topology
NAT Load-Balancing / Failover
Overview
NAT has been enhanced to support multiple overloaded interfaces which
can be used for Load-Balancing and Failover
– Failover – High-availability based on Default Gateway Prioritization & Critical
Resource Monitoring
– Load-Balancing – Leverages Policy Based Routing to forward traffic across
multiple Internet connections
Each NAT rule can contain multiple interfaces (in any order):
– Virtual IP Interfaces
– PPPoE Interface
– WWAN Interface
Enables highly available remote branch deployments as well as flexible
traffic forwarding
Open Shortest Path First (OSPFv2)
Overview
The OSPFv2 dynamic routing protocol is supported in the WiNG 5.3 release
– OSPF implementation compliant with RFC 2328
– OSPF supported on broadcast (VLAN) interfaces
The maximum number of dynamic routes supported is limited by the routing
table size supported on each platform
Supports ABR, ASBR, Stub, Totally Stub, NSSA, Totally NSSA
Supports route redistribution and route summarization
– Only static and connected routes can be redistributed into OSPF
Interacts with VRRP by only advertising via VRRP master
Interacts with Policy Based Routing
Open Shortest Path First (OSPFv2)
Standard Area Types
Open Shortest Path First (OSPFv2)
Configuration Example – Topology
Virtual Router Redundancy Protocol (VRRP)
Overview
Provides default gateway redundancy for branch office deployments
– Allows our Wireless Controllers / Access Points to provide default gateway
services to users in the event of a primary Router failure (i.e. failover to 3G)
VRRP version 2.0 (RFC 3768) and version 3.0 (RFC 5798) are supported
– Default is version 2.0
– Version 3.0 supports sub-second failover but very few vendors support it for
IPv4 (i.e. primarily implemented for IPv6)
Proprietary implementation in Version 2.0 to support sub-second failover
(i.e. the advertisement interval can be specified in msec)
– This feature was added since most vendors support this approach to providing
sub-second failover
– By default the advertisement interval is set to 1 second
Virtual Router Redundancy Protocol (VRRP)
Overview Cont.
Supports failover when the WAN link fails on a WiNG or third-party
Router
– If the backup router detects that the WAN link on the master is down, it will
become the new VRRP master
– When the link is restored, the VRRP master will transition back to the
backup state
All services (DHCP, RADIUS, NAT, and VPN) running over the virtual IP are
supported
– For DHCP relay, the DHCP server address can be set to the virtual IP
– For VPN, on the initiator side, the remote peer can be configured as the virtual IP
Virtual Router Redundancy Protocol (VRRP)
Configuration Example – Topology
Critical Resource Monitoring
Overview
Used to monitor user-defined IP addresses / links for liveness
– Monitoring is done by ARP and ICMP ping requests
Resources can be monitored via:
– IP Address – If the gateway address is statically configured
– Interface – If the gateway address is dynamically learned from DHCP or PPPoE
Up to four sets of critical resources can be defined:
– Under each set, up to four IP addresses can be configured for monitoring
– The user can choose to take action when all resources in a set are down or when
any of the resources is down
VRRP, Policy Based Routing and Default Route Prioritization can all
leverage the results of CRM
Default Gateway Prioritization
Overview
WiNG 5.3 devices can learn a default gateway via:
– Static Route
– DHCP Client (Virtual IP Interface)
– PPPoE / WWAN
– OSPF
The feature allows administrators to prioritize the Default Gateways learned via
the above means
– The default gateway with the lowest priority value is installed on the system
All learned default gateways are monitored for liveness
– If a default gateway becomes unreachable, the next preferred gateway is
installed on the system. Whenever the old gateway comes back online, it is restored
The default order of preferred gateways is Static Route, DHCP Client,
PPPoE, WWAN and OSPF
This feature is available on all WiNG 5.X platforms
Default Gateway Prioritization
Default Priorities
Each Interface can be assigned a priority from 1 – 8,000:

Default Gateway Learned By    Default Priority
Static Route                  100
DHCP Client                   1,000
PPPoE                         2,000
3G WAN                        3,000
OSPF                          7,000

The default gateway with the lowest priority is installed!
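The selection rule from the two Default Gateway Prioritization slides and the Critical Resource Monitoring slide before them, as an added example that is not part of the training deck or of WiNG's own code: learned gateways carry a priority (the defaults from the table, or a hand-assigned value between 1 and 8,000) and a critical-resource set of up to four addresses that is judged down either when all of them fail or when any one fails; the lowest-priority gateway whose set is alive is installed, the next preferred one takes over on failure, and the old one is restored when it returns. The gateway names, addresses and probe results are constructed, and the ARP / ICMP probing of real CRM is replaced by a reachability map passed in per round.

```python
"""Toy Default Gateway Prioritization driven by Critical Resource Monitoring
(added example, not WiNG code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default priorities from the table: the lowest value is preferred.
DEFAULT_PRIORITY = {"static": 100, "dhcp": 1000, "pppoe": 2000, "wwan": 3000, "ospf": 7000}


@dataclass
class CriticalResourceSet:
    name: str
    addresses: List[str]     # up to four monitored addresses
    mode: str = "all"        # "all": down only when every address fails; "any": down when one fails

    def __post_init__(self):
        if not 1 <= len(self.addresses) <= 4:
            raise ValueError("a critical resource set monitors 1 to 4 addresses")
        if self.mode not in ("all", "any"):
            raise ValueError("mode must be 'all' or 'any'")

    def is_up(self, reachable: Dict[str, bool]) -> bool:
        """Set state from the latest probe results (unknown addresses count as down)."""
        states = [reachable.get(a, False) for a in self.addresses]
        return any(states) if self.mode == "all" else all(states)


@dataclass
class DefaultGateway:
    name: str
    learned_by: str          # "static", "dhcp", "pppoe", "wwan" or "ospf"
    next_hop: str
    crm_set: CriticalResourceSet
    priority: Optional[int] = None

    def __post_init__(self):
        if self.priority is None:
            self.priority = DEFAULT_PRIORITY[self.learned_by]
        if not 1 <= self.priority <= 8000:
            raise ValueError("priority must be between 1 and 8,000")


def installed_gateway(gateways, reachable) -> Optional[DefaultGateway]:
    """The usable gateway with the lowest priority value, or None when all are down."""
    usable = [g for g in gateways if g.crm_set.is_up(reachable)]
    return min(usable, key=lambda g: g.priority) if usable else None


def simulate(gateways, probe_rounds) -> List[Optional[str]]:
    """Name of the installed gateway after each probe round; None when nothing is usable."""
    result = []
    for reachable in probe_rounds:
        gw = installed_gateway(gateways, reachable)
        result.append(gw.name if gw else None)
    return result


def sample_branch():
    """Constructed branch: static gateway on the wired WAN, 3G WWAN as the backup."""
    wan = CriticalResourceSet("wan-isp", ["192.0.2.1", "198.51.100.53"], mode="all")
    wwan = CriticalResourceSet("wwan-3g", ["203.0.113.1"], mode="any")
    return [
        DefaultGateway("wan-static", "static", "192.0.2.1", wan),
        DefaultGateway("wwan-3g", "wwan", "203.0.113.1", wwan),
    ]


# Constructed probe results, one dict per monitoring round.
SAMPLE_ROUNDS = [
    {"192.0.2.1": True, "198.51.100.53": True, "203.0.113.1": True},     # all healthy
    {"192.0.2.1": False, "198.51.100.53": True, "203.0.113.1": True},    # one WAN target down: set still up
    {"192.0.2.1": False, "198.51.100.53": False, "203.0.113.1": True},   # whole WAN set down: fail over
    {"192.0.2.1": True, "198.51.100.53": False, "203.0.113.1": True},    # WAN back: preferred gateway restored
    {"192.0.2.1": False, "198.51.100.53": False, "203.0.113.1": False},  # nothing usable
]

if __name__ == "__main__":
    print(simulate(sample_branch(), SAMPLE_ROUNDS))
    # ['wan-static', 'wan-static', 'wwan-3g', 'wan-static', None]
```

Monitoring two addresses in "all" mode is what keeps a single unreachable probe target from flipping the branch onto the 3G link; monitoring only the next hop in "any" mode fails over as soon as that one address stops answering, which is usually what is wanted for a backup link.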
PPPoE Client
Overview
Many Internet service providers (ISPs) are using the Point-to-Point
Protocol over Ethernet (PPPoE) to provide Digital Subscriber Line (DSL)
broadband Internet access
PPPoE uses the standard methods of encryption, authentication, and
compression specified by the Point-to-Point Protocol (PPP)
Implementing a PPPoE client allows a WiNG 5.X device to connect to the
ISP over an Ethernet interface
– Uses the interface name pppoe1
– Interface supports Firewall and Crypto policies as well as NAT
A PPPoE client interface can be defined within a Device Profile or directly
to a device as a Device Override
Interface configuration MUST include the VLAN ID the DSL modem is
connected to!
Security Enhancements
IPsec VPN
Overview
WiNG 5.3 re-introduces support for standards based IPsec VPN on select
WiNG 5.X Access Points
– Site-to-Site VPN
– Remote VPN
– Host to Host
Remote VPN support added to Controllers!
Can be used when MINT and/or user traffic needs to be secured over an
IPv4 network:
– Access Point to Controller within a site or over a Public network
– Branch Offices
– Remote Teleworkers
– Secure communications to specific hosts (i.e. Controller RADIUS or LDAP)
Completely new IPsec implementation which integrates tightly with NAT
and VRRP in addition to providing support for redundant peers
IPsec VPN
VPN Configuration Example 1 – Topology
IPsec VPN
VPN Configuration Example 2 – Topology
Auto IPsec Secure
Overview
IPsec security for AP to Controller and Controller to Controller traffic, with
minimal configuration:
– Set up IPsec tunnel based on the configured list of controller hosts
– Set up IPsec tunnel based on statically configured link configuration
No explicit traffic selector is configured by the user. The traffic selector is
internally derived!
No explicit transform set is configured by the user!
The only credentials configured are the identity and authentication credentials!
Auto IPsec Secure
Configuration Example – Topology
Q&A