Cisco's Catalyst 6500 Series Wireless LAN Services Module

Cisco has revealed the premier element of its SWAN strategy. But will implementation issues ruffle some feathers?

August 13, 2004


Beefy Boxes

Cisco shipped a preproduction version of the WLSM, a Catalyst 6500 and the line cards needed to support the new environment to our Syracuse University Real-World Labs®. The pallet was hefty, as is the price: You can easily spend $100,000 for a high-availability system, and that's before you buy a single AP.

To keep costs down, Cisco is banking on organizations sliding the WLSM into an existing Catalyst 6500. We don't see that happening, at least in the short term. This theory presupposes that many Cisco customers have implemented the Supervisor 720 module, which the WLSM's multipoint tunneling requires. Cisco wouldn't tell us how many Catalyst 6500 users are running the Sup 720.

Even if you have the Sup 720, adding the new module and the latest wireless-enabled IOS revision to a production 6500 carries the 1.0 rev risk. And an offering as ambitious as the WLSM is bound to have bugs.

Cisco's WLSM


Setup Setbacks

Cisco sent two engineers to help us on initial setup. But even they struggled with some problems that delayed testing by a few hours. After they left, we integrated the WLSM with a WLSE management appliance and connected a few APs. It was hardly plug and play, but it worked.

The WLSM is hot-swappable, so physical installation is easy. However, the system is configured over the IOS command line, and there are about 20 new IOS commands to learn. IOS is efficient and may be preferred by Cisco gurus, but competitors offer easier-to-use management interfaces.

We had to upgrade the firmware on our 1100 and 1200 Series APs (older 340s and 350s aren't supported) to new prerelease code. Most organizations deploying the WLSM will probably have in place the WLSE management system, which is capable of automating this and most other configuration tasks.

Defining Degrees

The WLSM works in close cooperation with the Catalyst 6500 Supervisor module, which facilitates fast-roaming services. The architecture uses multipoint GRE (generic routing encapsulation) tunneling to interconnect APs on multiple subnets. We configured the VRFs (virtual routing and forwarding tables) on the Sup 720 module. Then we associated the VRFs--VLANs whose GRE tunnels are terminated at the Sup 720--with "mobility groups" defined in the WLSM. Mobility groups are associated with 802.11 SSIDs, so the choice of SSID to which a wireless client associates determines the subnet to which the client is connected.

Policies are enforced at the group level. This level of access granularity worked as advertised and probably is adequate. However, many of Cisco's competitors offer policy control down to the individual level.

The WLSM takes over the WDS (Wireless Domain Services) controller function previously handled by designated APs. WDS is a critical component of SWAN's secure roaming, configuration and radio-management services. WLSM acts as a central authentication engine working with Cisco's RADIUS-based ACS (Access Control Server). To configure WDS, we had our APs look to WLSM as the WDS controller, then pointed the WLSM to the RADIUS server for authentication. We also configured WLSE to work with WLSM.

Perhaps the greatest promise for WLSM is that it can work with other Cisco Internetwork services. For example, we integrated the wireless services offered through the WLSM with other Catalyst security services, including intrusion detection, DoS protection and virtual firewall services.

While a bit complex, the WLSM worked well, though it's limited to Cisco LEAP and EAP-FAST authentication types. TLS and PEAP, which are preinstalled on Windows clients, aren't supported. We forced a roam between APs on different subnets by manipulating the RF levels. When we measured the latency, the handoff occurred in about 50 ms. That's well under the 200-ms threshold often associated with VoIP.



Cisco Catalyst 6500 Series Wireless LAN Services Module, starts at $18,000. Cisco Systems, (800) 553-6387, (408) 526-4000.

Implementation Issues

This product is designed to be integrated within a Catalyst environment, and network engineers experienced in managing Catalyst 6500s should find the WLSM easier to install and configure than we did. Still, admins must work not only with the Catalyst interface, but also with the WLSE GUI and possibly with the Aironet 1100 and 1200 management interfaces.

Implementing this system will require coordination between the Ethernet LAN engineers and the wireless gurus, just as the design and development of Cisco's platform required cooperation between management, switching and wireless units.

Some organizations will be leery of getting locked into an all-Cisco solution. Not only are Cisco's APs substantially more expensive than competitors'; to take advantage of fast roaming, you'll need clients that support Cisco's CCX 2.0 extensions. Although these extensions are supported by the major WLAN chip makers, they may not be supported on legacy systems or specialized mobile devices. We hope the IEEE 802.11r task group will move quickly in developing fast-roaming standards, and that Cisco will support those standards.

To be sure, Cisco's offering is late to the table and lacks the maturity of competing products, both on paper and in our lab tests. Nevertheless, the WLSM looks like a viable 1.0 release, offering the promise of high performance and integration with existing Cisco network services.

Dave Molta is a Network Computing senior technology editor. Write to him at [email protected].

In most enterprises, the WLSM will be deployed in conjunction with the WLSE management appliance. Together, they offer the following core wireless-network capabilities:

  • Fast secure subnet roaming. Mobile devices, including VoIP handsets, can roam across conventional subnet boundaries with low latency while maintaining secure wireless connectivity.

  • Group-level access control and related policies. These are centrally administered through "mobility groups" associated with distinct 802.11 SSIDs.

  • A single point of management on the wireless network. From here, administrators can perform configuration and RF management.

  • Integration between the wireless network and other Catalyst modules. Such modules include firewalls and intrusion-detection systems.
