Once a user successfully associates and authenticates with a wireless network, the next layer up in the protocol stack requires assignment to a virtual LAN (VLAN) based on role or some other factor, and then dynamic acquisition of an IP address on the assigned VLAN via DHCP. The VLAN serves as the interconnect/interworking mechanism between mobile and fixed networks. As illustrated below, traditional fixed models of VLAN network design don’t work for mobile networks; they are still important, but need to be altered to accommodate mobility.
Traditionally, VLANs have been used as a fundamental building block for all network designs. Their primary use today is to scale enterprise IP networks by mapping each VLAN to an IP subnet, thus limiting broadcast domains. Traditional fixed network design principles are port-based, where each port is implicitly assumed to serve a single device, such as a desktop computer or a VoIP desk set. Based on this assumption, as a rule of thumb, most fixed network designs placed no more than 200 ports, mapped to an equivalent number of IP-addressed devices, into a given broadcast domain and/or single VLAN. It is quite typical to map every port on the floor of a building to a single VLAN, and then map multiple floors to their own VLANs and IP subnets, thus creating a deterministic design that scales even to very large networks.
With the emergence of VoIP, VLANs are being used as a QoS mechanism as well. All VoIP traffic on a floor is separated onto its own VLAN, and the entire VLAN is tagged as high priority. More recently, VLANs are being used as a security mechanism, where, for example, guest users are placed on a dedicated guest VLAN or machines infected with viruses and worms are placed on a quarantined VLAN. These VLANs are secured from the rest of the network with VLAN access control lists (VACLs) that determine their network access levels.
Given the above model of fixed network usage of VLANs, how do mobile networks map into this framework? The default method of mapping wireless users to VLANs is to associate an SSID with a VLAN. However, as mentioned above, the scalability of this model is very limited since a VLAN typically cannot handle more than 200 users very effectively. Increased broadcast traffic on large VLANs not only causes performance problems and consumes precious over-the-air bandwidth, but also drains battery life on mobile devices. Therefore, the next step enterprises often take is to segment wireless traffic into multiple VLANs using floor-based VLAN assignments similar to the fixed network model. This approach results in the creation of a new set of mobile VLANs that parallels the fixed network data, voice, guest and quarantine VLANs. The addition of so many VLANs creates a VLAN explosion and excessive network complexity. Further, this approach fails at a fundamental level because it does not take mobile network usage patterns into account.
As campus user density increases and mobile network usage becomes prevalent, it becomes very difficult to predict the number of users that might be associated on any given floor at any given point in time. Under these circumstances, users may get associated and authenticated to the wireless LAN, but be unable to receive an IP address because the VLAN IP address space has been completely exhausted at the DHCP server. At this point, enterprises resort to flattening the IP subnets serving mobile users by increasing the VLAN size to accommodate the transient loads. Again, this results in the undesired effects of large broadcast domains.
Another approach is to over-provision the number of VLANs for each floor in anticipation of transient peak loads, but this leads to an even greater explosion in the number of VLANs required. Over-provisioning of VLANs not only wastes resources, but also raises operational costs and vastly increases complexity when troubleshooting the network.
A new model is required to simplify and scale the VLAN architecture for mobile networks.
Figure 4. VLAN Pooling Simplifies Dense, Mobile Campus WLAN Deployments
A new mechanism, called VLAN Pooling, delivers the flexibility of VLAN-based network planning without any of the negative side effects discussed above. In VLAN Pooling, multiple VLANs form a VLAN pool, and all VLANs belonging to the VLAN pool are available at any location on the campus. VLAN assignment is performed dynamically at the time a user logs into the network and is based on current user loads on the different VLANs that form the VLAN pool. As an example, if a campus network has 1,000 users that can connect anywhere on the campus at any point in time, a total of 5 VLANs are required, based on the 200 users to a VLAN rule-of-thumb. These 5 VLANs are placed in a VLAN pool and made available at all points in the campus network. When a user logs in, they are assigned to one of the VLANs, typically the least used VLAN, based on current user counts of each VLAN in the VLAN pool. This results in even loading of all VLANs and ensures that every user gets an IP address and successfully connects to the network every time.
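The following is an added worked example (not code from the Aruba paper or any Aruba product) that models the two allocation strategies described above: the traditional floor-to-VLAN mapping, which fails with DHCP exhaustion when a crowd gathers on one floor, and a VLAN pool that assigns each new client to the least-loaded VLAN campus-wide. The 200-users-per-VLAN rule of thumb and the 1,000-user campus come from the text; the VLAN IDs, the MAC-style client identifiers and the tie-break on VLAN ID are constructed assumptions for the illustration.

```python
import math
from dataclasses import dataclass, field

# Rule of thumb stated in the text: about 200 clients per VLAN / IP subnet.
USERS_PER_VLAN = 200


def pool_size_for(total_users: int, per_vlan: int = USERS_PER_VLAN) -> int:
    """Number of VLANs a pool needs so the whole campus population fits."""
    if total_users <= 0:
        raise ValueError("total_users must be positive")
    return math.ceil(total_users / per_vlan)


class VlanExhausted(Exception):
    """No VLAN in scope can take another client: the DHCP scope is full."""


@dataclass
class Vlan:
    vlan_id: int
    capacity: int = USERS_PER_VLAN
    clients: set = field(default_factory=set)

    @property
    def load(self) -> int:
        return len(self.clients)

    @property
    def has_room(self) -> bool:
        return self.load < self.capacity


class VlanPool:
    """VLAN pooling: every VLAN is available everywhere; pick the least loaded."""

    def __init__(self, vlan_ids, capacity: int = USERS_PER_VLAN):
        self.vlans = {vid: Vlan(vid, capacity) for vid in vlan_ids}
        self.assignment = {}  # client id -> vlan_id

    def assign(self, client: str) -> int:
        if client in self.assignment:  # a re-associating client keeps its VLAN (and IP)
            return self.assignment[client]
        candidates = [v for v in self.vlans.values() if v.has_room]
        if not candidates:
            raise VlanExhausted(f"no VLAN in the pool has room for {client}")
        # Least-used VLAN first; tie-break on VLAN id so the choice is deterministic (assumption).
        target = min(candidates, key=lambda v: (v.load, v.vlan_id))
        target.clients.add(client)
        self.assignment[client] = target.vlan_id
        return target.vlan_id

    def release(self, client: str) -> None:
        """Client left the network: free its slot so the VLAN can be reused."""
        vid = self.assignment.pop(client, None)
        if vid is not None:
            self.vlans[vid].clients.discard(client)

    def loads(self) -> dict:
        return {vid: v.load for vid, v in sorted(self.vlans.items())}


class FloorVlans:
    """Traditional model: one VLAN per floor; a client on a full floor has no alternative."""

    def __init__(self, floor_to_vlan: dict, capacity: int = USERS_PER_VLAN):
        self.floor_to_vlan = floor_to_vlan
        self.vlans = {vid: Vlan(vid, capacity) for vid in floor_to_vlan.values()}

    def assign(self, client: str, floor: str) -> int:
        vlan = self.vlans[self.floor_to_vlan[floor]]
        if not vlan.has_room:
            raise VlanExhausted(f"VLAN {vlan.vlan_id} on {floor} is full")
        vlan.clients.add(client)
        return vlan.vlan_id


def simulate_crowded_floor(n_clients: int,
                           floors=("F1", "F2", "F3", "F4", "F5"),
                           capacity: int = USERS_PER_VLAN):
    """All n_clients associate on the first floor (e.g. an all-hands meeting).

    Returns (floor_model_failures, pool_failures, pool_loads_per_vlan).
    """
    floor_to_vlan = {f: 100 + i for i, f in enumerate(floors)}  # constructed VLAN ids
    floor_model = FloorVlans(floor_to_vlan, capacity)
    pool = VlanPool(floor_to_vlan.values(), capacity)
    floor_failures = pool_failures = 0
    for i in range(n_clients):
        client = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"  # constructed client MAC
        try:
            floor_model.assign(client, floors[0])
        except VlanExhausted:
            floor_failures += 1
        try:
            pool.assign(client)
        except VlanExhausted:
            pool_failures += 1
    return floor_failures, pool_failures, pool.loads()


if __name__ == "__main__":
    print("VLANs needed for 1,000 users:", pool_size_for(1000))
    print("floor failures, pool failures, pool loads:", simulate_crowded_floor(1000))
```

With 1,000 clients crowding onto one floor, the floor-based model admits 200 and turns away 800 at DHCP, while the five-VLAN pool admits all 1,000 at exactly 200 per VLAN. The `release` path matters in practice: without freeing slots when clients disassociate, the pool's load counters drift upward and the allocator eventually refuses clients the DHCP scopes could still serve.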
In the mobile network, VLANs are used only to limit the broadcast domains and map to IP subnets. Security and QoS assignments are done on a per-user basis and determined by the role of a user, not by their association with a particular VLAN. Security policy enforcement in a VLAN pool is performed using a built-in identity-based stateful firewall integrated in the mobility controller. There is no need to use VLANs for security purposes since the stateful firewall enforces policies on a per-user basis. QoS policy enforcement is also performed by the mobility controller using built-in VoIP application layer gateways (ALGs) that recognize VoIP call flows and run call admission control (CAC) algorithms based on the number of active calls in the air. QoS information is signaled to the fixed network via DSCP and 802.1p tags.
The VLAN pooling model greatly simplifies mobile network design. It retains the familiar VLAN construct, but uses it in an innovative way to minimize disruption and meet all the mobility, security and QoS needs of mobile users and devices.
Hernández Caballero Indiana
Subject: CRF
Source: http://www.wit.co.th/pdf/Aruba/Scaling-Enterprise-Wireless_LAN.pdf