Subnet Roaming with the RoamAbout Wireless Switch System
Page 1 of 8 • Whitepaper
Mobility is the driving force behind the deployment of wireless LANs. Enterprises benefit from increased productivity when users can run applications anywhere and have the flexibility to work while they roam wherever their job takes them. Enterprise IT managers deploying wireless LANs like the flexibility that Secure Networks gives them in terms of wired networks and the ability to have complete user mobility. For example, using Secure Networks Acceptable Use Policy on the wired network allows managers to define business policies and have them implemented seamlessly across the wired infrastructure. Enterprises are looking for the same capability on wireless networks, where the requirements are the same. When users roam, they will associate with an access point that is attached to a different port on a different switch and router subnet. On a wireless LAN, network permissions now need to follow users as they roam.

Leveraging and integrating authentication, authorization, and accounting (AAA), the RoamAbout Wireless Switch implements the IEEE 802.1X protocol to authenticate users and control access to the network. Typically, the same username and password the user enters to log into the network (e.g., NT Domain, Active Directory) is used by the wireless switch to authenticate the user against an AAA back-end. Remote Authentication Dial-In User Service (RADIUS) is a very common type of AAA server. During the authentication process, the system learns each user’s network authorization attributes. These attributes may include VLAN/subnet membership, ACLs, and mobile profiles, which may limit where the user is allowed to roam.

Note: The terms subnet and VLAN are used interchangeably in this paper and refer only to an identified broadcast domain that is associated with a user. Broadcast domains are identified system-wide using a name string or number. These VLAN names are independent of 802.1Q tag values, where tags are used.
The Mobile Domain

Enterprise networks that deploy a RoamAbout Wireless Switch System might use several wireless switches to deliver wireless LAN service in all areas where mobility is required. These wireless switches communicate with each other and with the access points to create a mobile domain and deliver identity-based networking. Identity-based networking provides user-specific services based on a user’s identity. The wireless switches that form the mobile domain authenticate each user and enforce their network authorizations wherever they roam. These network authorizations include the user’s VLAN/subnet membership, ACLs, and mobile profiles that were learned from AAA during the authentication process. In addition, the mobile domain moves statistics, session history, and security-related information to hosting wireless switches as the user moves through the mobile domain.
Wireless Switch Ports

The wireless switch comes in two configurations and will usually be installed in the data center. The RoamAbout RBT-8100 has one Gigabit Ethernet port and the RoamAbout RBT-8200 has two Gigabit Ethernet ports. The RoamAbout Wireless Switches support indirect connections to the access points via Layer 2 or Layer 3 connections through the wired infrastructure. On the RoamAbout RBT-8200, the RoamAbout Mobility System Software allows the IT manager to configure any port on the wireless switch as either a “network” or “user” port or both. On the RoamAbout RBT-8100, the single Gigabit Ethernet port is configured as both network and user port. Network ports connect to the network backbone. User ports permit authenticated network access on a per-user basis. Network ports are roughly analogous to the “trusted” ports of a firewall or access server, while the user ports are roughly analogous to a firewall’s “untrusted” ports. Network ports determine the subnets or VLANs that are locally available to users connected to a particular wireless switch. User ports are the wired connection for users who connect through an access point attached to a port.
[Figure 1 diagram: RoamAbout Switch Manager (RASM) and AAA servers, two RoamAbout RBT-8x00 Wireless Switches, each with RoamAbout Thin Access Points attached]
Figure 1. Connecting to the network via the RoamAbout Wireless Switch.

When the user authenticates to, or roams to, an access point, the hosting wireless switch learns which VLAN or subnet to put the user on based on their identity and authorizations in the AAA server. (See Figure 1.) If the network port of the wireless switch is directly connected to the user’s subnet, for example through its gigabit port(s), the user is joined to it automatically. If the network ports of the wireless switch are not directly connected to that VLAN, then the user has just roamed across a subnet boundary.
Subnet Roaming

Subnet roaming occurs when the user roams to an access point hosted by a wireless switch whose network port is not directly connected to the user’s VLAN/subnet. The RoamAbout Wireless Switch System supports subnet roaming with identity-based networking. Identity-based networking allows the RoamAbout Wireless Switch System to enforce network authorizations based on the user’s identity even when they roam across subnets. The example below illustrates how identity-based networking leverages Layer 2 VLAN technology to support subnet roaming. In Figure 2 below, Amy is a member of the “red” VLAN/subnet and roams to an access point hosted by a wireless switch whose network port is directly connected to the “blue” VLAN/subnet and not the “red” VLAN/subnet. The hosting wireless switch attached to the “blue” VLAN/subnet will automatically search its local mobile domain database of wireless switches to find a wireless switch whose network port is directly attached to the “red” VLAN/subnet. Once it is found, the wireless switch hosting the roaming client forms an IP tunnel to the wireless switch hosting “red.” If multiple wireless switches are hosting “red,” a “tunnel affinity” parameter can be used to influence the choice.
[Figure 2 diagram: Router, Firewall, Internet; Blue VLAN/subnet 10.1.1.0 and Red VLAN/subnet 10.1.2.0, each with a server; a Layer 2 tunnel between the wireless switches; users Bob and Amy]
Figure 2. The hosting wireless switch automatically connects the user to the appropriate VLAN/subnet.
What Does the Wireless User See? (Using a Single “SSID”)

In Figure 2, how did Bob’s and Amy’s client configuration differ? The answer is: They can be identical. A critical aspect for deploying large wireless LAN systems is to minimize or eliminate configuration elements and differences on the client’s device. The RoamAbout Wireless Switch System allows the implementation of a single 802.11 service set identifier (SSID) for all wireless users, regardless of their 802.1X/EAP type, their subnet or VLAN membership, or other authorization credentials. The client machine sees only one SSID throughout the enterprise. Users are authenticated, and then authorized and connected to various VLANs or subnets, all using the same SSID. By using a single SSID, the client is configured only once and all clients are configured the same way. SSIDs are not a determinant of security credentials or network capabilities; only the AAA process is. It is still possible to join the subnet or VLAN of interest and to restrict roaming capabilities based on physical location. The task of managing an array of SSIDs on the clients and in the network is removed.

What Does the Network See?

To the rest of the network, including intervening switches and routers, the tunnel looks like simple IP unicast traffic between two wireless switches. The user’s traffic that is carried in the tunnel between the wireless switches is not required to be IP traffic. It is a Layer 2 tunnel from the wireless switch on the “blue” VLAN/subnet to the wireless switch on the “red” VLAN/subnet. The tunnel is identical to putting an additional user on an unused port of a switch that is part of the red VLAN/subnet. From a network backbone and routing perspective, nothing changes. No new subnets need to be added to the network. If you are currently a user of the red subnet, you can remain a user of the red subnet. Any ACLs that you have currently implemented remain effective.
If there are firewalls or highly restrictive ACLs between subnets, the only impact to network configuration is to allow the wireless switches (not clients) to exchange data. The firewalls still remain effective for user data.
Identity-Based Networking Scales to Support Hundreds of Roams

The Layer 2 approach combined with tunneling scales extensively. (See Figure 3.) For example:
— If additional users of the “red” VLAN/subnet roam to the wireless switch that is attached to the “blue” VLAN/subnet, their traffic also traverses the existing tunnel that was initially set up for Amy rather than creating a new tunnel for each roaming user.
— If Amy and those same additional users send traffic to each other, that traffic is switched locally on the wireless switch attached to the “blue” VLAN/subnet rather than being transmitted across the tunnel.
Logically, the “red” VLAN/subnet is instantiated on the wireless switch that is connected to the “blue” VLAN/subnet.
[Figure 3 diagram: Router, Firewall, Internet; Blue VLAN/subnet 10.1.1.0 and Red VLAN/subnet 10.1.2.0; a Layer 2 tunnel between the wireless switches; users Bob and Amy]
Figure 3. When users on the same VLAN/subnet send traffic to each other, the traffic is switched locally.

An existing tunnel can be used for any number of users or subnets in any direction. For example:
— If users of the “blue” VLAN/subnet roam to the wireless switch that is attached to the “red” VLAN/subnet, their traffic is tunneled back to the RoamAbout wireless switch on the “blue” VLAN/subnet through the existing tunnel that was set up for Amy.
— If the wireless switch that attaches to the “red” VLAN/subnet is also attached to the “green” VLAN/subnet, then the one tunnel will carry traffic from users of both VLAN/subnets who roam to the wireless switch attached to the “blue” VLAN/subnet. (See Figure 4.)
[Figure 4 diagram: Router, Firewall, Internet; Blue VLAN/subnet 10.1.1.0, Red VLAN/subnet 10.1.2.0 and Green VLAN/subnet 10.1.3.0; a single Layer 2 tunnel between the wireless switches]
Figure 4. A single tunnel carries traffic from multiple VLAN/subnets.

What are the “Impacts” of Subnet Roaming and Tunneling?

Wireless Switches

Tunnels are quite “lightweight,” and there aren’t many of them in a mobile domain. When needed, they provide a path over which the wireless switch can dynamically instantiate “virtual ports” for the VLANs of interest. Each wireless switch would never have more than (N minus 1) tunnels, where N is the total number of wireless switches in the mobile domain.

Existing Routers

For existing routers in the enterprise, a wireless switch-to-wireless switch connection means additional IP unicast traffic is being routed between wireless switches when users roam away from their native subnet. The existing routers do not participate in any tunneling overhead, and they do not need to run any additional protocols such as Mobile IP. In fact, no additional router configuration is necessary. The additional routed traffic can be weighed against the cost and difficulty of extending subnets to new areas; the difficulty depends entirely on the enterprise backbone architecture. To assist in this analysis, the RoamAbout System Software provides extensive information on tunnel usage including traffic statistics, what VLANs are being used and what users are utilizing them. For more information, see the technical section of the FAQ document for the RoamAbout Wireless Switch System.
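The placement rules described in the Subnet Roaming section and the tunnel-reuse and N-1 behaviour described above, modelled as an added Python illustration (this is not Enterasys code or the Mobility System Software's logic). The switch names, the users other than Amy and Bob, and the rule that the highest tunnel-affinity value wins are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class WirelessSwitch:
    name: str
    local_vlans: set              # VLANs reachable directly on its network port(s)
    tunnel_affinity: int = 1      # assumed: higher value wins when several switches host a VLAN
    tunnels: dict = field(default_factory=dict)   # peer switch name -> set of VLANs carried

class MobileDomain:
    """Hypothetical model of the mobile domain's placement logic (not vendor code)."""
    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}
        self.users = {}           # user -> (hosting switch, VLAN learned from AAA)

    def attach_user(self, user, vlan, hosting):
        """Join a user to the VLAN authorized by AAA at the switch whose AP they are on."""
        host = self.switches[hosting]
        self.users[user] = (hosting, vlan)
        if vlan in host.local_vlans:          # network port already on that VLAN
            return ("local", hosting)
        # Subnet roam: search the mobile domain database for a switch hosting the VLAN.
        hosts = [s for s in self.switches.values() if vlan in s.local_vlans and s.name != hosting]
        if not hosts:
            raise LookupError(f"no wireless switch hosts VLAN {vlan!r}")
        # Reuse a tunnel to a peer that hosts the VLAN (one tunnel carries any number of
        # users and VLANs, in both directions); else the tunnel affinity parameter decides.
        peer = (next((s for s in hosts if s.name in host.tunnels), None)
                or max(hosts, key=lambda s: s.tunnel_affinity))
        host.tunnels.setdefault(peer.name, set()).add(vlan)
        peer.tunnels.setdefault(host.name, set()).add(vlan)
        return ("tunnel", peer.name)

    def path(self, a, b):
        """Same-VLAN users: 'local' when they share a switch, 'tunnel' otherwise."""
        (host_a, vlan_a), (host_b, vlan_b) = self.users[a], self.users[b]
        if vlan_a != vlan_b:
            raise ValueError("inter-VLAN traffic goes via the router; not modelled")
        return "local" if host_a == host_b else "tunnel"

def demo():
    """Constructed topology mirroring Figures 2-4: blue, red and green VLAN/subnets."""
    dom = MobileDomain([WirelessSwitch("ws-blue", {"blue"}),
                        WirelessSwitch("ws-red", {"red", "green"}, tunnel_affinity=5),
                        WirelessSwitch("ws-red2", {"red"}, tunnel_affinity=1)])
    placements = [dom.attach_user("amy", "red", "ws-blue"),    # roam: tunnel to ws-red
                  dom.attach_user("carol", "red", "ws-blue"),  # rides the existing tunnel
                  dom.attach_user("bob", "blue", "ws-red"),    # same tunnel, other direction
                  dom.attach_user("dave", "green", "ws-blue")] # same tunnel, another VLAN
    return dom, placements
```

After `demo()` runs, ws-blue holds exactly one tunnel, to ws-red, carrying red, blue and green, and ws-red2 (the lower-affinity red host) has none.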
All contents are copyright © 2005 Enterasys Networks, Inc. All rights reserved. Lit. #9013965 5/05