The Light Weight Access Point Protocol
Monmouth College Computer Science Department
COMP450 – Independent Study
By: Daniel Krueger
December 2008

Purpose

Laptops, IP phones, and other mobile computing devices are becoming staples in the corporate workplace, consequently increasing the demand for larger, more intricate wireless network solutions. However, expanding a wireless local area network (WLAN) infrastructure brings several challenges and concerns to attention.

Administration

Inherently, staffing and administration costs will increase, as a larger deployment will have a greater number of problems. Isolating and diagnosing WLAN issues becomes a more involved and time-consuming task, due to the sheer size of the infrastructure. Thus, administration costs can be expected to increase at a greater than linear rate.

Security

A major concern is network security. WLAN environments of every size have more security vulnerabilities than their wired local area network (LAN) predecessors, as the network transmission medium is air, a physically open medium. Visibility of threats is limited, and they may not be detected unless a user reports a problem. The probability of being victimized in a WLAN attack increases as the infrastructure grows.

Scalability

A function of the WLAN is the ability to roam throughout the domain while always maintaining network connectivity. Therefore, unlike on a wired LAN, a single user may connect through various points of the infrastructure. However, as the WLAN grows and more access points are added, controls are needed for “load balancing”, or managing the aggregate number of users throughout the domain. Efficient load balancing maintains scalability by maximizing user throughput and signal strength. Failure to implement these controls may have brutal consequences for scalability.

Cisco Systems Inc.’s proprietary Light Weight Access Point Protocol (LWAPP) was developed to address these emerging issues in wireless networks.
The purpose of this report is to explore the LWAPP technology and determine under what conditions it would be beneficial for an institution to integrate LWAPP into its WLAN architecture.

Background

Traditional WLAN Architecture

Traditional WLAN solutions, prior to LWAPP, use “fat” wireless access points to provide network connectivity. A “fat” wireless access point operates on a stand-alone basis, as it contains all necessary information to handle wireless clients (Meyer). Thus, the traditional architecture pushed all traffic handling, authentication/security, RF management, and mobility functions out to the individual “fat” access point (Calhoun and Aaron). Because these access points operate in isolation, and visibility of 802.11 traffic is limited to individual access points only, this architecture is inherently flawed. Therefore, several downsides are present:

• Operations and staffing costs increase greatly, as it is more difficult for network administrators to diagnose and address WLAN problems.
• Network-wide attacks and interference are not visible across the system. This has implications for security policy enforcement, as well as for the ability to detect and mitigate rogue devices, denial of service (DoS) attacks, and other malicious network activities.
• A system cannot correlate activity across the wireless network. Enabling optimized, real-time load balancing between access points is limited to manual configurations.
• An enterprise’s security is challenged should an access point be stolen or compromised (Understanding the Lightweight Access Point Protocol (LWAPP)).

An Industry Response

As a response to these issues with traditional wireless networks, many equipment vendors announced new architectures to centralize WLAN intelligence for better performance.
The arrival of WLAN switch start-ups in the early 2000s encouraged the trend toward centralized management, based on “thin” access points connected to the wired network via a WLAN switch (Calhoun and Aaron). A “thin” access point is essentially a radio antenna connected to and controlled by the WLAN switch. By centralizing key intelligence functions within the switch, these functions could be managed across the entire wireless enterprise, reducing the amount of time spent configuring, monitoring, or troubleshooting a large network. The system would also allow network administrators to closely analyze the network (Meyer).

Airespace, a Wi-Fi infrastructure management company that owned LWAPP-related patents, focused on controlling multiple access points simultaneously. It sought to create interoperability between thin access points and WLAN switches from different vendors. In June 2003, Cisco Systems Inc. introduced its own approach to WLAN management, the Structured Wireless-Aware Network solution. Shortly thereafter, Cisco acquired Airespace and reversed its prior negative position on LWAPP, endorsing Airespace’s LWAPP technology (Griffith).

Argument for a Standard

For several years the Internet Engineering Task Force (IETF) had been working on a protocol for the control and provisioning of wireless access points, driven largely by the proliferation of products that used “thin” access points with centralized WLAN intelligence (Vance). The need for a standard to govern how these devices communicate with one another was best described by Alan Cohen, then vice-president at Airespace:

Standardization drives adoption. LWAPP is essentially USB for WAN [access points] and network devices. USB allows you to plug a printer or a CD burner into a PC, and it connects at a very high speed. With USB in place, the issue of how to connect any new device is taken off the table. This encourages people to create. So when HP comes out with a new photo printer or Apple comes out with the iPod, they just work. The same is true with LWAPP. When you deploy a wireless switch, along with any type of LWAPP-enabled [access point], they will work (Qtd. in Vance).

The LWAPP protocol proposal pushed by Cisco would standardize the communications protocol between access points and WLAN systems (controllers, switches, routers, etc.). It defines the control messaging for setup and path authentication and run-time operations. LWAPP also defines the tunneling mechanism for data traffic. Specifically, it would:

• Provide consistent behavior across WLAN devices via a generic encapsulation and transport mechanism, thereby ensuring multi-vendor WLAN interoperability and protection of WLAN hardware investments.
• Reduce processing within an access point, freeing the limited resources to focus on wireless access (not filtering and policy enforcement). Access points are essentially remote radio frequency interfaces that no longer house all the mandatory wireless processing capabilities.
• Permit traffic handling, authentication, encryption, and policy enforcement to be centralized for an entire WLAN system, thereby simplifying WLAN deployment and management (Understanding the Lightweight Access Point Protocol (LWAPP)).

Although this specific protocol has so far not been popular beyond the Airespace/Cisco product lines, the CAPWAP (Control and Provisioning of Wireless Access Points) standard is based on LWAPP. Still considered proprietary, LWAPP systems compete with other non-standard lightweight wireless mechanisms from companies like Aruba and Trapeze Networks (IETF selects Cisco's LWAPP).

The LWAPP Technology

Cisco’s specific Centralized Wireless LAN Architecture uses access points operating in lightweight (thin) mode. The access points associate to the WLAN switch, a Cisco wireless LAN controller.
The controller manages initial configuration, firmware upgrades, and control transactions, such as 802.1x authentications. Additionally, all wireless data traffic is tunneled through the controllers (Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode).

An access point discovers a controller using LWAPP discovery mechanisms and then sends it an LWAPP join request. Replying with an LWAPP join response, the controller adds the access point to the RF domain. After joining the domain, the access point will download any necessary software revisions to match that of the controller. The transactions between controller and access point are secured with key certificates, requiring already provisioned X.509 certificates on both the access points and the controller (Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode).

A more in-depth look at a single Cisco AP option, the Cisco Aironet 1000 Series, indicates the access point provides dual band support for 802.11a and 802.11b/g channels, and load-balances between bands for real-time RF management (Lightweight Access Point FAQ). The plethora of channels allows clients an uninterrupted, reliable connection, despite any RF or electromagnetic interference. The access point is “zero touch” deployed, as no individual configuration is necessary (Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode).

Case Studies

LWAPP Deployed at Cisco Systems Inc.

In a move to upgrade its wireless infrastructure and serve as a real-world model for customers, Cisco significantly improved its WLAN architecture in 2006 by adopting its own LWAPP technology. By 2005, it had become apparent that a major renovation of the WLAN was required. User saturation of the existing infrastructure was near, and the company required a WLAN with better security and reduced support costs. Specifically, these objectives included:

• Accessibility—Increased WLAN coverage, accessibility and performance for 60,000 users.
• Availability—Use a tool suite that provides visibility into service-impacting incidents; support new features like Layer 2 roaming, Call Admission Control, and QoS.
• Security—Limit vulnerability to attack and loss of intellectual property by detecting rogue APs through radio-based scanning; support 802.11i security standards (Wireless Case Study: How Cisco Upgraded Its Wireless Infrastructure).

The solution, based on the Cisco Unified Wireless Network, extended from the company headquarters campus to both large/mid-size field offices and small remote office locations. Predicated on three main designs, the architecture plan used both autonomous (fat) and LWAPP (thin) access points. At the main headquarters campus, the WLAN design used Aironet 1130AG Series access points, as they offer features such as dual band and 802.11i security compliance. Authorized user traffic would be carried over LWAPP tunnels, while guest traffic would be carried in a generic routing encapsulation (GRE) tunnel (Wireless Case Study: How Cisco Upgraded Its Wireless Infrastructure). At the midsized and larger field offices, a centralized WLAN solution was also employed, using Aironet 1130AG Series APs controlled by two 4400 Series WLAN controllers. The controllers manage office-wide WLAN functions like security policies, intrusion prevention, Auto RF, QoS, and mobility (Wireless Case Study: How Cisco Upgraded Its Wireless Infrastructure).

After the implementation of LWAPP into the WLAN infrastructure, notable benefits were immediately evident:

• A 600% increase in aggregate wireless bandwidth, achieved by nearly doubling APs and using higher bandwidth protocols. The user-to-AP ratio approached 15:1 (versus the previous 25:1), yielding approximately 2.3 Mbps bandwidth per user on a single radio interface.
• Greater reliability, as measured by a 95% reduction in incidents affecting service to users, which delivers an estimated cost avoidance of US$1.4 million/year.
• Reduced operational costs, estimated at 30% savings.
• New security capabilities, although this was flagged as an enhancement opportunity for continued pursuit.
• Employee productivity gains of almost 1 to 1.5 hours of productive time every day by using wireless access. This equates to more than US$24,000/user annually (Wireless Case Study: How Cisco Upgraded Its Wireless Infrastructure).

LWAPP: Syracuse University Test

Using the Real World Lab at Syracuse University, a small-scale Aironet 1500 mesh network was set up for evaluation (Badman). Wireless mesh networks are designed for broad coverage encompassing outdoor settings: typically urban areas, corporate campuses, or other campus environments like hospitals and educational institutions. Variables beyond providers’ control that will unpredictably affect performance include outdoor physical obstacles like signs, awnings, trees, competing networks, etc. Mesh networks differ from traditional WLAN systems in that many access points are used; however, only a portion of them connect to the wired Ethernet network. The additional access points serve as repeaters to amplify the pre-existing wireless signal. In Cisco’s 1500 series access points, traffic routing is executed using Cisco’s AWPP (Adaptive Wireless Path Protocol). The 1500 series is designed specifically for use with LWAPP, which implies the access points are essentially useless until connected to a controller for intelligence (Badman).

To create the mesh, Syracuse University deployed several 1500 series access points connected to the typical Ethernet network via the controller. Significantly more “stand alone” repeater access points were positioned on streetlight poles and other tall structures (Badman). Findings from the test include:

• LWAPP architecture does not integrate with legacy Cisco WLANs. Cisco’s legacy access points, prior to the Aironet 1000 Series, cannot be used as thin access points in an LWAPP environment. Thus, a renovation of network infrastructure and replacement of existing access points may be required for certain companies adopting the technology.
• No radio power or activity indicator is present on Cisco’s 1500 series access points. Thus, the entire system must be fully implemented and then verified through the management console. Cisco agrees this issue must be addressed (Badman).

Analysis

Benefits

By centralizing WLAN intelligence, LWAPP efficiently addresses many of the deficiencies and challenges emerging from growing WLAN infrastructures.

• Ease of administration is achieved, drastically reducing operating costs. Specifically, in Cisco’s deployment there was a 95% decrease in network connectivity incidents and an overall 30% decrease in administration and staffing costs.
• Security is enhanced, as security policies, encryption keys, and other sensitive information are stored centrally on a WLAN controller, removing all privileged information from the individual access points. Additionally, rogue devices are easily detected and visible to administrators in the management console.
• Greater scalability is achieved with Layer 2 roaming and QoS algorithms on the WLAN controller, as load balancing of users can be done more efficiently. Cisco received an average 2.3 Mbps bandwidth increase per user, with a 600% overall bandwidth increase. Furthermore, the user-to-AP ratio decreased on average by 10 users.

Deficits

Although Cisco Systems’ LWAPP technology mitigates many of the potential WLAN issues, the technology has several drawbacks and insufficiencies.

• LWAPP is potentially an expensive venture; as Syracuse University discovered, legacy Cisco access points are not compatible with the WLAN controllers. Thus, any institution wishing to adopt LWAPP must have the compatible access points, or replace every existing, non-compatible unit.
• Being a proprietary protocol, there is no guarantee of future vendor support. Although LWAPP is currently the industry leader for WLAN management, other companies such as Meru, Aruba, and Trapeze Networks are competing for market share. Therefore, if the IETF adopts a different vendor’s protocol as the CAPWAP standard, support for LWAPP may be abolished, making the technology obsolete.

Integration of LWAPP

An institution best suited to adopt Cisco Systems’ LWAPP technology has the financial resources for the initial investment. The WLAN should minimally be an enterprise-level network, as the return on investment (ROI) is directly related to the size of the infrastructure. Thus, the larger and more widely dispersed the network, the greater the ROI one can expect. Furthermore, there should be a demand for reduced administration and/or increased security, as these are the areas in which LWAPP offers the greatest ROI.

Obviously, centralized WLAN management, and more specifically LWAPP, is not a technology for every institution’s wireless architecture. Smaller WLAN infrastructures that are administered by a single individual, or wireless environments contained in one geographical location, are best served with the traditional, autonomous access point configuration. The ROI will be less or non-existent in a small to medium size environment, as the benefits will be less prominent. Even in information-sensitive environments where security is a staple, the autonomous configuration will suffice, because the smaller WLAN size greatly mitigates the possibility of security oversights. However, such an institution considering building an entirely new WLAN should use Cisco access points with LWAPP compatibility. Thus, when the cost of LWAPP licenses decreases, the institution will have a fully compatible infrastructure for adopting LWAPP, should it so choose.
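As an added illustration (not code from this report, from Cisco, or from the LWAPP specification), the join sequence described under The LWAPP Technology and the centralized-trust benefit noted under Analysis, modelled in Python: a controller admits an access point to the RF domain only if its provisioned certificate is trusted, logs an untrusted one as a rogue, and has a freshly joined AP sync its software revision. The message names follow the text; the dictionary fields, the controller name, and the SHA-256 fingerprint store standing in for real X.509 validation are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    # Constructed stand-in for X.509 validation: the controller trusts an AP only
    # if the SHA-256 of its (here, fake) certificate bytes was provisioned in advance.
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Controller:
    firmware: str                  # revision every joined AP must match
    trusted: set                   # fingerprints of provisioned AP certificates
    rf_domain: dict = field(default_factory=dict)  # ap_id -> firmware of joined APs
    rogue_log: list = field(default_factory=list)  # (ap_id, fingerprint) of rejects

    def discovery_response(self) -> dict:
        return {"type": "discovery_response", "controller": "wlc-1"}  # assumed name

    def handle_join(self, req: dict) -> dict:
        fp = fingerprint(req["cert"])
        if fp not in self.trusted:
            # Unprovisioned or revoked certificate: refuse the join and surface the
            # device to the management console as a rogue rather than admit it.
            self.rogue_log.append((req["ap_id"], fp))
            return {"type": "join_response", "status": "rejected"}
        self.rf_domain[req["ap_id"]] = req["firmware"]
        return {"type": "join_response", "status": "joined",
                "controller_firmware": self.firmware}

    def revoke(self, cert_der: bytes) -> None:
        # Central trust store: e.g. after an AP is reported stolen, one change on the
        # controller stops that AP from joining any RF domain it controls.
        self.trusted.discard(fingerprint(cert_der))


@dataclass
class AccessPoint:
    ap_id: str
    cert: bytes
    firmware: str
    joined: bool = False

    def bring_up(self, wlc: Controller) -> str:
        """Discovery -> join request -> join response -> software sync."""
        if wlc.discovery_response()["type"] != "discovery_response":
            return "no_controller"
        resp = wlc.handle_join({"type": "join_request", "ap_id": self.ap_id,
                                "cert": self.cert, "firmware": self.firmware})
        if resp["status"] != "joined":
            return "rejected"
        self.joined = True
        if self.firmware != resp["controller_firmware"]:
            # "download any necessary software revisions to match the controller"
            self.firmware = resp["controller_firmware"]
            wlc.rf_domain[self.ap_id] = self.firmware
            return "joined_upgraded"
        return "joined"
```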
These recommendations are based on the assumption that Cisco Systems’ LWAPP technology will be the dominant protocol for the control and provisioning of access points, and possibly the standard as named by the IETF in the following years.

Works Cited

Badman, Lee. "Cisco Aironet 1500." Network Computing. 17 Jan. 2006. United Business Media LLC. 11 Nov. 2008 <http://www.networkcomputing.com/showarticle.jhtml?articleid=175803961>.

Calhoun, Pat, and Jeff Aaron. "LWAPP brings harmony to WLANs." Network World. 1 Dec. 2003. Microsoft. 20 Nov. 2008 <http://www.networkworld.com/news/tech/2003/1201techupdate.html>.

Griffith, Eric. "Unpatched Cisco/Airespace WLANs at Risk." Wi-Fi Planet. 3 Nov. 2005. Jupitermedia Corporation. 20 Nov. 2008 <http://www.wi-fiplanet.com/news/article.php/3561421>.

"IETF selects Cisco's LWAPP." Fierce Broadband Wireless. 10 Jan. 2006. FierceMarkets Inc. 20 Nov. 2008 <http://www.fiercebroadbandwireless.com/story/ietf-selects-cisco-s-lwapp/2006-01-11>.

"Lightweight Access Point FAQ." Cisco. Cisco Systems Inc. 11 Nov. 2008 <http://www.cisco.com/en/us/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml>.

Meyer, Eric. "Wireless Access Points: Thin vs Fat." Ezine Articles. 2008. 20 Nov. 2008 <http://ezinearticles.com/?wireless-access-points:-thin-vs-fat&id=260040>.

"Understanding the Lightweight Access Point Protocol (LWAPP)." Cisco. 2005. Cisco Systems Inc. 11 Nov. 2008 <http://www.cisco.com/en/us/prod/collateral/wireless/ps5678/ps6306/prod_white_paper0900aecd802c18ee.html>.

"Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode." Cisco. 24 Apr. 2008. Cisco Systems Inc. 20 Nov. 2008 <http://www.cisco.com/en/us/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html>.

Vance, Jeff. "The LWAPP flap." Network World. 1 May 2004. Microsoft. 20 Nov. 2008 <http://www.networkworld.com/research/2004/0105lwapp.html>.

"Wireless Case Study: How Cisco Upgraded Its Wireless Infrastructure." Cisco. Cisco Systems Inc. 11 Nov. 2008 <http://www.cisco.com/web/about/ciscoitatwork/mobility/ngwlan_web.html>.