Cisco WDS Overview

In this post, I will explain the purpose of Cisco Wireless Domain Services (WDS) and how wireless deployments can benefit from use of this feature. In a future post, I will detail how to configure WDS services on autonomous access points.

WDS is a service that runs on Cisco autonomous access points to provide coordinated management and control of wireless services across multiple standalone devices (APs). By participating in WDS, the access points have broader knowledge of their environment and can provide better service to clients than would otherwise be possible. Think of WDS as creating a common collective (... akin to The Borg for you Star Trek TNG fans!) amongst access points. This protocol builds upon the defunct Inter-Access Point Protocol (IAPP), which never took hold. The final evolution of this type of service can be seen in today's wireless controller-based architectures.

WDS enables features to improve client performance and security of wireless LAN networks. The main features include:
  • Cisco Centralized Key Management (CCKM)
    CCKM is a Cisco proprietary protocol that enables clients and access points to cache and re-use keying material derived from a full 802.1x/EAP authentication. This enables clients to roam between access points faster without the need to perform a full re-authentication. This feature became especially useful as wireless LANs evolved from static WEP encryption to the much more robust WPA and eventually WPA2. CCKM requires CCXv2 (or newer) compatible clients, depending on the authentication type used.

  • Radio Management
    Access points forward radio management information such as rogue APs and client associations to the WDS master device. The WDS master device aggregates this information and forwards it to the Wireless LAN Solution Engine (WLSE) network management device for centralized logging and alerting. WDS also enables 802.11w management frame protection capability by providing a central point for key distribution and management across autonomous access points.

There are three components in the WDS architecture:
  1. WDS Master
    The WDS master is the central control point for authenticating wireless clients, caching client key material, distributing MFP key material, reporting radio management information to an upstream network management station, and updating other APs participating in WDS. This service may be performed by an autonomous access point, by a Wireless LAN Services Module (WLSM), which is end-of-life, or by an ISR router. Only one device may be the active WDS master, but backup masters may exist.

  2. WDS Client
    Participates in WDS services and receives required information from the WDS master. Performed by autonomous access points.

  3. Wireless Network Manager (WNM)
    Performs centralized reporting and management. Usually performed by a Wireless LAN Solution Engine (WLSE).

Typically, autonomous access points are used as WDS masters due to the lack of available options with the WLSM and ISR router modules. When an AP is used as the WDS master, it supports up to 30 WDS clients if it is also serving wireless clients. If it is not serving wireless clients, up to 60 WDS clients are allowed.

WDS communicates over the network using the Wireless LAN Context Control Protocol (WLCCP). This protocol uses the multicast destination address 01:40:96:ff:ff:c0 for advertisement and discovery of the WDS master. Once the master is discovered by WDS clients, then unicast UDP sessions are created over port 2887 to authenticate the WDS client and exchange information. Alternatively, the WDS master IP address may be configured statically in the WDS client if the master is not on the same subnet or if multicast routing is not enabled.
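
The two traffic patterns described above can be checked in captured frames. The following is an added example, not code from the original post or from Cisco: it labels untagged Ethernet frames as WLCCP advertisements or UDP 2887 sessions and flags sessions that involve no known WDS master. The master address 192.0.2.10, the sample frames and all function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

WLCCP_MCAST = bytes.fromhex("014096ffffc0")  # multicast MAC given in the article
WLCCP_PORT = 2887                            # UDP port given in the article

def classify(frame, masters):
    """Label one untagged Ethernet frame: advert, session, unexpected-peer, other."""
    if len(frame) < 14:
        return "other"
    if frame[:6] == WLCCP_MCAST:
        return "advert"
    if frame[12:14] != b"\x08\x00" or len(frame) < 34 or frame[14] >> 4 != 4:
        return "other"  # not IPv4, or too short to hold an IPv4 header
    ihl = (frame[14] & 0x0F) * 4
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if ihl < 20 or frame[23] != 17 or frag_offset or len(frame) < 14 + ihl + 4:
        return "other"  # not UDP, a later fragment, or truncated
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    if WLCCP_PORT not in (sport, dport):
        return "other"
    peers = {str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))}
    # A WLCCP session is expected only when one endpoint is a known master.
    return "session" if peers & masters else "unexpected-peer"

def udp_frame(src_ip, dst_ip, sport, dport):
    """Build a minimal constructed Ethernet/IPv4/UDP frame (checksums left zero)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed sample data: documentation addresses, hypothetical master 192.0.2.10.
MASTERS = {"192.0.2.10"}
SAMPLES = [
    # Frame to the WLCCP multicast MAC; EtherType bytes are a placeholder.
    WLCCP_MCAST + bytes.fromhex("020000000001") + b"\x00\x00" + bytes(46),
    udp_frame("192.0.2.21", "192.0.2.10", 2887, 2887),    # AP to known master
    udp_frame("192.0.2.21", "198.51.100.7", 2887, 2887),  # AP to unknown peer
    udp_frame("192.0.2.21", "192.0.2.10", 40000, 53),     # unrelated UDP
]

def run():
    return [classify(f, MASTERS) for f in SAMPLES]

if __name__ == "__main__":
    print(run())
```

An "unexpected-peer" result is worth investigating because all wireless client authentications pass through whichever device the APs accept as WDS master.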

A few important features should be understood by network administrators prior to implementing WDS:
  • WDS master election is performed by comparing priority values. The device with the highest priority is elected master.
  • One or more backup WDS candidate devices may exist should the master fail.
  • WDS clients authenticate to the WDS master using LEAP. Therefore, LEAP must be enabled in the AAA server performing authentication for WDS devices.
  • All wireless client authentications are performed by the WDS master when active.
  • WDS clients will revert to standalone mode if the WDS master fails, and CCKM fast roaming will not be available.
  • If a backup master exists, the WDS clients will re-join the new master and begin forwarding wireless client authentications again.
  • Network-EAP (LEAP) must be enabled on SSIDs performing CCKM fast roaming, even if wireless clients are authenticated using another EAP type.

In the next post, I will cover configuration of WDS on access points and verification of proper operation.