Although most WiFi hot-spot deployments are small enough to be deployed as a single subnet, medium- to large-enterprise WLANs usually require access points to be spread across several subnets. This requirement introduces the following challenges when users move between APs in different subnets:
How fast is "fast"? Most agree that time-sensitive applications such as VoIP are a good benchmark; VoIP retains good quality when latency is less than 150 milliseconds. When a client associates with an AP, the authentication process involves the AAA server and the client. A few message exchanges are required for the AAA server to authenticate the client (and sometimes vice versa) before the AP obtains a shared key that the client uses to pass traffic between them.
There is no value to fast reauthentication if the client has to obtain a new IP address on the new AP. Session continuity would not be possible if this happens. Therefore, the client must retain its IP address when moving to an AP that is located in a different subnet than the previous AP.
Policy, such as an access control list (ACL), QoS, and so on, should remain the same for the client that is moving about in the WLAN network. One way to imagine this is to consider that the client is always on a virtual subnet that has certain policies applied, much like a physical subnet. Regardless of which AP the client is associated with, policy is enforced consistently on the client's traffic based on the "home subnet" policy. Of course, an independent location-based policy can also be applied. For example, an engineer who has roamed into the Finance department's network can have certain access privileges curtailed.
The Cisco SWAN provides a framework to integrate and extend wired and wireless networks for wireless LAN deployments. The Cisco SWAN extends "wireless awareness" into important elements of the network infrastructure, providing the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations have come to expect from their wired LANs. Okay, the marketing pitch is over. One aspect of SWAN is a feature that is reminiscent of Mobile IP; this is aptly named Fast Secure Roaming.
Fast Secure Roaming is a mechanism that enables a client to roam between WLAN access points in the same subnet or between subnets to support time-sensitive applications. This is achieved by taking advantage of AP-assisted channel (frequency range) scanning, expedited IEEE 802.1x rekeying, and tunneling support for Layer 3 roaming. Channel surfing to find APs can be time consuming. The 802.11 client, which is ignorant of the channel layout (set up to avoid interference among APs covering an area), must scan through each channel to detect the presence of an AP. Finding neighboring APs is significantly easier if the associated AP informs the client which channels should be checked first. After the client associates with the new AP, it needs to authenticate with the network to be authorized for network access. Typically IEEE 802.1x is used for authentication for WiFi. Simply put, IEEE 802.1x is a standard for passing authentication messages between a client and an AAA server over a wired or wireless LAN. After successful authentication, the AAA server sends an access key to the AP for encrypting/decrypting traffic that is sent/received over the WLAN. Fast Secure Roaming caches the authentication key for local reauthentication and transfers the access key to the new AP.
Now that the client is allowed network access, its IP address would not be reachable in a new subnet. That is the point where mobility signaling and tunneling get involved. The new AP notifies the SWAN-aware switch that the client has arrived. As previously mentioned, the client has an IP address on a virtual subnet to which routing directs its traffic. This subnet belongs to the switch, which has the responsibility to tunnel traffic to and from the AP where the client is currently associated. Because the client's packets are anchored there, policy can be enforced at a centralized location.
Reconsider the challenges that are imposed by Layer 3 roaming. AP-assisted channel scanning and key caching and transfer provide fast 802.11 reauthentication. Tunneling allows the client to keep the same IP address. An anchor point solves the problem of consistent policy enforcement.
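The following toy model, added here and not Cisco's or SWAN's own code, walks a client through the three pieces just described: the cached-key reauthentication on the second AP, the tunnel at the anchor switch being re-pointed while the client IP stays fixed, and the home-subnet policy being curtailed by a location policy when the client lands in the Finance subnet. Where the key cache lives, the MAC/IP/subnet values, and the service names are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AP:
    name: str
    subnet: str            # the subnet the AP itself sits on

class AAAServer:
    """Stand-in for the AAA server; each call models one full 802.1x exchange."""
    def __init__(self):
        self.full_auths = 0
    def authenticate(self, mac):
        self.full_auths += 1
        return f"key-{mac}"  # constructed stand-in for the derived access key

@dataclass
class AnchorSwitch:
    """SWAN-aware switch owning the client's virtual home subnet (assumed to hold the key cache)."""
    home_policy: set                       # services allowed on the home subnet
    location_policy: dict                  # AP subnet -> services denied there
    tunnels: dict = field(default_factory=dict)    # client IP -> serving AP
    key_cache: dict = field(default_factory=dict)  # client MAC -> cached key

    def client_arrived(self, mac, ip, ap, aaa):
        """Called by the new AP: rekey from cache if possible, then re-anchor the tunnel."""
        if mac in self.key_cache:
            key, method = self.key_cache[mac], "cached-rekey"
        else:
            key, method = aaa.authenticate(mac), "full-802.1x"
            self.key_cache[mac] = key
        self.tunnels[ip] = ap           # tunnel endpoint moves; the client IP does not
        return key, method

    def effective_policy(self, ip):
        """Home-subnet policy is enforced at the anchor; location policy may curtail it."""
        serving = self.tunnels[ip]
        return self.home_policy - self.location_policy.get(serving.subnet, set())

def roam_demo():
    """Walk one client from its home-subnet AP to an AP on the Finance subnet."""
    aaa = AAAServer()
    anchor = AnchorSwitch(home_policy={"voip", "vod", "eng-svn"},
                          location_policy={"10.2.0.0/24": {"eng-svn"}})
    client_mac, client_ip = "00:11:22:33:44:55", "10.1.0.42"   # constructed values
    ap1 = AP("ap-eng-1", "10.1.0.0/24")
    ap2 = AP("ap-fin-1", "10.2.0.0/24")
    k1, m1 = anchor.client_arrived(client_mac, client_ip, ap1, aaa)
    k2, m2 = anchor.client_arrived(client_mac, client_ip, ap2, aaa)
    return {"methods": (m1, m2), "same_key": k1 == k2,
            "aaa_round_trips": aaa.full_auths,
            "serving_ap": anchor.tunnels[client_ip].name,
            "policy_at_finance": anchor.effective_policy(client_ip)}
```

The second arrival costs no AAA round trip, the tunnel now points at the Finance AP while the client keeps 10.1.0.42, and the engineering-only service is stripped from the policy applied at the anchor.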
The Cisco SWAN Fast Secure Roaming, illustrated in Figure 9-6, currently delivers the top performance with access-point handover times of less than 50 milliseconds; these results have been independently measured. (Source: http://www.nwc.com/shared/article/printFullArticle.jhtml?articleID=59301907.) The following URLs provide more information on the solution:
Figure 9-6. Fast Secure Roaming in the Cisco SWAN
What's the difference between Fast Secure Roaming and Mobile IP? The comparison can only be based on today's solutions because both technologies continue to evolve. Each provides Layer 3 roaming capability that allows a client to roam across subnet boundaries while maintaining its communication sessions. But the fundamental difference is where in the protocol stack the support is implemented. Fast Secure Roaming is integrated with WiFi operations. It helps channel scanning, facilitates 802.1x authentication, and sets up forwarding using tunnels based on Layer 2 events. Most of the operations happen without awareness of the client's IP address. And more importantly, no new software is required on the client because the mobility signaling is provided by the network nodes. Mobile IP, however, functions at Layer 3 only. Client software is needed to detect movement from IP messages (agent advertisements) and to register its location (CoA) with the Home Agent. The benefit of having the Mobile Node function is that the client can select the best access link to use for connectivity.
Are Fast Secure Roaming and Mobile IP competitive or complementary? The Cisco SWAN is the right mobility solution in a WLAN deployment that has clients on which Mobile IP software cannot be installed and has roaming confined to only a WLAN requiring fast Layer 2 authentication. Mobile IP, on the other hand, fits roaming among WLAN, wired Ethernet, cellular, and other access networks. Fast Secure Roaming and Mobile IP are compatible partners when used together. An example is an employee who works in an office and attends meetings elsewhere. The user is sitting in the office watching a company broadcast on video on demand (VoD) on his docked notebook. The WLAN access card is typically already authenticated with the network and is associated with an access point. The Mobile IP client on the notebook selects the higher-speed Ethernet interface for communications, which frees the airwaves for others to consume. The user realizes that he is late to a meeting and hurries over to the conference room with his notebook. The Mobile IP client detects that the Ethernet link is down and immediately selects the WLAN interface for use. As the user heads toward the conference room, Fast Secure Roaming provides seamless handovers. The VoD session never drops and is not noticeably affected during this period. Mobile IP is also unaware of any intersubnet mobility. Later, when the user returns to his office and docks his notebook, the Mobile IP client chooses the wired Ethernet again.