Technology White Paper
In an AC+fit AP network, the AC processes most wireless-related services, which requires the AC-AP tunnels to provide high bandwidth and transmission speed. If fit APs connect to the AC through the Internet, issues such as slow authentication and poor mobility will occur in the single-layer AC network.
To solve these issues, the AC hierarchy architecture is introduced. An AC hierarchy network contains a central AC, local ACs, and fit APs. The central AC manages the entire network, and local ACs provide network access to APs and process data traffic.
AC hierarchy integrates centralized management and distributed control, providing guaranteed performance with enhanced maintainability and expandability.
AC hierarchy provides the following benefits:
· Fast network deployment and centralized management—All management and configuration operations are performed on the central AC. Local ACs automatically synchronize configuration from the central AC through management tunnels.
· License sharing—The central AC manages and allocates licenses in a unified manner, reducing license waste and saving cost.
· High availability—The architecture provides AC backup and central AC fail-permit to prevent single points of failure from affecting service continuity.
  ○ AC backup—Includes horizontal AC backup for two central ACs to back up each other and vertical AC backup for APs to directly associate with the central AC when a local AC fails.
  ○ Central AC fail-permit—Enables local ACs to bypass the central AC to transmit and receive data when the central AC fails. When the central AC recovers, local ACs synchronize AP running data to the central AC and the central AC continues to transmit traffic.
· Flexible network expansion—Enables you to add local ACs or APs through a simplified configuration process and allows flexible switching of AC roles between central AC and local AC.
· Local AC load balancing—Enables the central AC to always assign the local AC with the lowest workload to an AP attempting to come online, improving network performance.
· Access right management—Allows you to assign different rights to administrators of the central AC and local ACs by configuring location identifiers for service templates, AP groups, and RRM holddown groups.
· NAT traversal—Allows the central AC and local ACs to communicate through NAT.
· Central AC—Manages all local ACs, performs centralized authentication, and processes other services that do not require high real-time performance. The central AC can also provide AP access and data forwarding services.
· Local AC—Provides network access to APs, manages APs, and processes data traffic.
AC hierarchy uses the following tunnels for local AC and AP management:
· Tunnels between the central AC and local ACs—The central AC sends AP configuration over this tunnel to the local ACs, and the local ACs report AP and client information to the central AC.
· CAPWAP tunnels between local ACs and APs—Local ACs send AP configuration to the APs over this tunnel.
· Centralized configuration deployment—In an AC hierarchy network, the central AC issues AP, radio, and service configurations to the corresponding local AC, and the local AC sends the configurations to the AP when the AP comes online.
· Centralized license management—The central AC manages and allocates licenses in a unified way. Users do not need to install licenses on local ACs. This reduces license waste and saves cost.
As shown in Figure 1, two central ACs back up each other. For local AC 1, central AC 1 and central AC 2 are the master and backup central ACs, respectively. When central AC 1 fails, local AC 1 associates with central AC 2. After central AC 1 recovers, local AC 1 switches back to central AC 1.
As shown in Figure 2, when the only available local AC fails, its associated APs connect to the central AC to provide wireless services. After the local AC recovers, the APs switch back to the local AC if they are configured to do so.
The fail-permit feature enables the AP-local AC tunnels to operate correctly even if the central AC fails. In this case, online clients will not be logged off and can still visit resources in the network. Whether a new client can come online depends on the authentication and forwarding modes.
· If local AC authentication and local AC forwarding are configured, new clients can come online.
· If central AC authentication and AP local forwarding are configured, new clients cannot come online because the central AC cannot be reached.
Data synchronization ensures AP data consistency between the central AC and local ACs. When the tunnels between the central AC and local ACs fail, the settings on the central AC cannot be deployed to the local ACs and APs in real time. Data synchronization enables local ACs to synchronize AP running information to the central AC after the central AC recovers. Upon receiving the information, the central AC compares the information with its local information. If any difference exists for an AP, the central AC resends AP configurations to the AP through the local AC. If basic AP information, such as AP name and serial ID, is inconsistent, the central AC logs off the AP.
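The comparison the central AC performs after it recovers can be modeled as follows. This is an added example, not H3C code: the record fields, the AP keys, and the function names are assumptions, and the handling of an AP the central AC has no record of is also an assumption, because the white paper does not describe that case.

```python
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    IN_SYNC = "no action"
    RESEND_CONFIG = "resend AP configuration through the local AC"
    LOG_OFF = "log off the AP"
    UNKNOWN_AP = "flag for operator review"  # case not covered by the white paper

@dataclass
class ApRecord:
    # Hypothetical record layout: basic AP information plus running settings.
    name: str
    serial_id: str
    config: dict = field(default_factory=dict)

def reconcile(central, reported):
    """Return {ap_key: Action} for the AP records a local AC reports after recovery."""
    actions = {}
    for key, seen in reported.items():
        known = central.get(key)
        if known is None:
            actions[key] = Action.UNKNOWN_AP  # assumption, see lead-in
        elif (known.name, known.serial_id) != (seen.name, seen.serial_id):
            # Basic AP information differs: the central AC logs off the AP.
            actions[key] = Action.LOG_OFF
        elif known.config != seen.config:
            # Same AP, stale settings: the central AC resends its configuration.
            actions[key] = Action.RESEND_CONFIG
        else:
            actions[key] = Action.IN_SYNC
    return actions

def demo():
    # Constructed sample data; names, serial IDs and settings are made up.
    central = {
        "ap1": ApRecord("lobby", "SN-0001", {"ssid": "corp", "channel": 36}),
        "ap2": ApRecord("lab", "SN-0002", {"ssid": "corp", "channel": 44}),
        "ap3": ApRecord("dock", "SN-0003", {"ssid": "corp", "channel": 149}),
    }
    reported = {
        "ap1": ApRecord("lobby", "SN-0001", {"ssid": "corp", "channel": 36}),
        "ap2": ApRecord("lab", "SN-0002", {"ssid": "guest", "channel": 44}),
        "ap3": ApRecord("dock", "SN-9999", {"ssid": "corp", "channel": 149}),
        "ap4": ApRecord("roof", "SN-0004", {"ssid": "corp", "channel": 1}),
    }
    return reconcile(central, reported)
```

The identity check runs before the configuration check, so an AP whose serial ID changed while the tunnel was down is logged off rather than silently re-provisioned.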
AC hierarchy supports two authentication methods: 802.1X authentication and portal authentication. Both the central AC and local ACs can act as the authenticator.
In 802.1X authentication, the authenticator works together with the RADIUS server to perform client authentication. In portal authentication, you can configure portal filtering rules on the central AC. The central AC will issue the rules to the data forwarder (local AC or AP) to control user traffic forwarding.
Authentication and data forwarding by local AC
As shown in Figure 3, the central AC is deployed at the headquarters and local ACs are deployed at the branches. Local ACs authenticate clients and forward data traffic.
Authentication by central AC and data forwarding by APs
As shown in Figure 4, the central AC is deployed at the headquarters and local ACs are deployed at the branches. The central AC authenticates clients and APs forward data traffic.
Access right management allows you to assign different rights to administrators for the central AC and local ACs by configuring location identifiers for service templates, AP groups, and RRM holddown groups.
Figure 5 Access right management
AP firmware upgrade
At AP association, the local AC examines the AP software version. If no match is found, the local AC notifies the AP of the AP software version inconsistency. Then, the AP requests a software version from the local AC for upgrade. If the local AC does not have the version, it requests the version from the central AC, sends the version to the AP, and saves the version for future use.
Local AC firmware upgrade
At local AC association, the central AC examines the software version of the local AC. If no match is found, the central AC notifies the local AC of the software version inconsistency. Then, the local AC requests a version from the central AC for upgrade.
Headquarters and branch deployment is suitable for the education industry, large malls, and plants. The central AC deployed at the headquarters manages all devices, and local ACs or APs deployed at branches forward traffic. This not only improves network performance, but also simplifies network setup and reduces maintenance workload and cost.
Figure 6 Headquarters and branch deployment