SD-Access Onboarding with Wireless

Hi, everyone.

I have some shorter questions today regarding how APs are deployed in an SD-Access fabric. My book says:

A fabric-enabled WLC connects APs and wireless endpoints to the SD-Access fabric. The WLC is external to the fabric and connects to the SD-Access fabric through an internal border node.

While my CBT Nuggets resource says that the WLC is located within the fabric… so which one is correct?

The control plane node maps the host EID to the current fabric access point and fabric edge node location the access point is attached to.

In the case of a fabric WLC, does it register the EIDs with the control node instead of the switch (fabric edge node)? If so, what information does it provide? The EID, the AP, and the fabric edge node location, all three together?

Fabric APs establish a VXLAN tunnel to the fabric edge to transport wireless client data traffic through the VXLAN tunnel instead of the CAPWAP tunnel. For this to work, the AP must be directly connected to the fabric edge or a fabric extended node.

So does the AP establish a VXLAN tunnel starting from itself all the way to the destination edge node? So the control plane remains centralized while the data plane isn’t?

If possible, could someone tell me how exactly an AP and a wireless client are onboarded? I don’t think I quite understand the full process. The AP comes online, builds a CAPWAP tunnel to the WLC, the WLC then registers this AP and any further clients… or? When exactly does the AP build the VXLAN tunnel?

Thank you.
David

Hello David

Going over some additional Cisco documentation, my understanding is that the WLC always remains outside of the fabric (i.e., it doesn’t directly participate in the VXLAN and LISP operations). The term “fabric-enabled” is also confusing when used for the WLC because it gives the wrong impression. It should probably say something like “The WLC that supports fabric-mode APs…” In any case, even though CBT Nuggets is trustworthy, I would still take the Cisco documentation over that. This document does shed some more light on the conversation, especially if you search for the term “fabric mode”.

In a wired fabric deployment, the fabric edge node (usually a switch) registers connected clients (EIDs) with the control plane node. In a wireless fabric deployment, where fabric-mode APs are used, the WLC (not the fabric edge node) is responsible for registering wireless client EIDs with the LISP control plane node. Even though the wireless client’s traffic enters the fabric through the edge switch, the WLC knows which AP and which edge switch the client is connected to. So the WLC registers with the control plane, providing the EID, RLOC, and the AP info.

Well, not quite. The wording is indeed misleading. Even in fabric mode, the AP does not establish VXLAN tunnels itself. The fabric edge node (the switch it’s connected to) still handles all VXLAN encapsulation and decapsulation.

What changes when an AP is in fabric mode? “Fabric mode” simply means that the AP is joined to a fabric edge node. The AP uses a CAPWAP tunnel to the WLC only for control plane traffic. Wireless client data traffic is bridged into the fabric, where the fabric edge node encapsulates it into VXLAN and sends it through the fabric. In essence, the AP in fabric mode acts like a port extender, passing Ethernet frames from wireless clients to the fabric edge switch.

Here’s a quick high level step by step list that may help you out:

  1. AP joins the network. The AP connects physically to a fabric edge node, boots up, requests DHCP and gets an IP address and Option 43 (if used) or DNS to locate the WLC. The AP builds a CAPWAP tunnel to the WLC for control plane only.
  2. The WLC pushes the config to the AP including SSID and info about the fabric mode. The AP is now a fabric mode AP.
  3. A wireless client associates to the SSID, and the AP sends client control traffic to the WLC over the CAPWAP tunnel for authentication and policies. Once authenticated, the WLC registers the client’s IP with the LISP control plane node using the RLOC of the fabric edge node the AP is connected to, so now LISP knows where the wireless client is located.
  4. Once the client is authenticated, the AP bridges the client’s data frames to the fabric edge node directly, not over the CAPWAP. The edge node encapsulates the client traffic in VXLAN and sends it across the SD-Access fabric. At this point the VXLAN tunnel starts at the fabric edge node, not the AP.

I hope this has been helpful!

Laz
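The registration and onboarding flow Laz describes (wired EIDs registered by the edge node, wireless EIDs registered by the external WLC using the RLOC of the AP's edge, and the VXLAN tunnel starting at the edge rather than the AP) as an added toy model in Python. This is not code from the thread or from Cisco; the MapServer, FabricEdge, FabricAP and WLC classes, and every RLOC, EID and device name, are constructed for illustration.

```python
"""Toy model of the SD-Access wireless onboarding flow described above.
Constructed example: the class names, RLOCs, EIDs and device names are made
up for illustration and are not Cisco APIs or real addresses."""
from dataclasses import dataclass, field


@dataclass
class MapServer:
    """LISP control plane node: maps each host EID to the RLOC that owns it,
    plus who registered it and (for wireless) which AP/edge it sits behind."""
    db: dict = field(default_factory=dict)

    def register(self, eid, rloc, registered_by, **detail):
        self.db[eid] = {"rloc": rloc, "by": registered_by, **detail}

    def resolve(self, eid):
        entry = self.db.get(eid)
        return entry["rloc"] if entry else None


@dataclass
class FabricEdge:
    """Fabric edge switch: a VXLAN tunnel endpoint identified by its RLOC."""
    name: str
    rloc: str
    map_server: MapServer

    def register_wired_host(self, eid):
        # Wired case: the edge node itself registers the attached client.
        self.map_server.register(eid, self.rloc, registered_by=self.name, kind="wired")

    def encapsulate(self, src_eid, dst_eid):
        """Data plane: resolve the destination RLOC and build the VXLAN outer
        header. The tunnel starts here, at the edge, never at the AP."""
        dst_rloc = self.map_server.resolve(dst_eid)
        if dst_rloc is None:
            raise LookupError(f"no EID-to-RLOC mapping for {dst_eid}")
        return {"outer_src": self.rloc, "outer_dst": dst_rloc, "inner": (src_eid, dst_eid)}


@dataclass
class FabricAP:
    """AP attached to a fabric edge port; fabric mode is pushed by the WLC."""
    name: str
    edge: FabricEdge
    fabric_mode: bool = False
    clients: set = field(default_factory=set)

    def bridge(self, client_eid, dst_eid):
        """Fabric-mode AP hands the client's frame to its edge as plain
        Ethernet; only authenticated clients are bridged."""
        if not self.fabric_mode:
            raise RuntimeError(f"{self.name} is not in fabric mode")
        if client_eid not in self.clients:
            raise PermissionError(f"{client_eid} not authenticated on {self.name}")
        return self.edge.encapsulate(client_eid, dst_eid)


@dataclass
class WLC:
    """Sits outside the fabric; talks to APs over CAPWAP for control only and
    registers wireless EIDs with the map server on the APs' behalf."""
    map_server: MapServer
    aps: dict = field(default_factory=dict)

    def join_ap(self, ap):
        # Steps 1-2: CAPWAP join, then the config push that makes it fabric-mode.
        self.aps[ap.name] = ap
        ap.fabric_mode = True

    def onboard_client(self, ap_name, client_eid, authenticated):
        # Step 3: only after authentication does the WLC register the EID,
        # using the RLOC of the edge node the AP hangs off.
        ap = self.aps[ap_name]
        if not authenticated:
            return False
        ap.clients.add(client_eid)
        self.map_server.register(client_eid, ap.edge.rloc, registered_by="WLC",
                                 kind="wireless", ap=ap.name, edge=ap.edge.name)
        return True


def build_demo():
    """Two edges, one wired host on edge2, one fabric AP on edge1 (constructed)."""
    ms = MapServer()
    edge1 = FabricEdge("edge1", "10.0.0.1", ms)
    edge2 = FabricEdge("edge2", "10.0.0.2", ms)
    edge2.register_wired_host("192.168.2.50")
    wlc = WLC(ms)
    ap = FabricAP("ap1", edge1)
    wlc.join_ap(ap)
    return ms, wlc, ap


if __name__ == "__main__":
    ms, wlc, ap = build_demo()
    wlc.onboard_client("ap1", "192.168.1.10", authenticated=True)
    print(ms.db["192.168.1.10"])                        # registered by the WLC with edge1's RLOC
    print(ap.bridge("192.168.1.10", "192.168.2.50"))   # VXLAN outer header edge1 -> edge2
```

Running it shows the two things the thread turns on: the wireless client's map-server entry carries `by: WLC` and the RLOC of edge1, while the wired host's entry was registered by edge2 itself; and the frame bridged by the AP leaves with outer addresses edge1 to edge2, so the AP never appears as a tunnel endpoint. An unauthenticated client is neither registered nor bridged.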