© 2014 Cisco and/or its affiliates. All rights reserved.

Flavien RICHARD, Technology Solutions Architect

November 2014

Cisco Unified Wireless Network and Converged access – Design session



Page 2: Cisco Unified Wireless Network and Converged access – Design session

Wireless Standards: Past, Present, and Future

[Figure: timeline from early 2000 to 2016 (2002, 2004, 2006, 2008, 2010, 2012, 2014, 2016) against Clients / Bandwidth, from 11 Mbps to 10 Gbps. Plotted standards: 802.11a, 802.11b (11 Mbps); 802.11g (54 Mbps); 802.11n (450 Mbps); 802.11ac-1 (~1 Gbps); 802.11ac-2 (3.5 Gbps); Future? New Frequencies?]

Page 3: Cisco Unified Wireless Network and Converged access – Design session

[Figure labels: Hotspot; Casual; Pervasive indoors; Media Rich Applications; Business Critical; Mission Critical; High Performance; High Density; System Management; Capacity; Self Healing and Optimizing; CleanAir]

Page 4: Cisco Unified Wireless Network and Converged access – Design session

4

Page 5: Cisco Unified Wireless Network and Converged access – Design session

How Many Mobile Data Devices Do You Think You will Carry Everywhere in 2016?

Think about it, and choose the best answer: 1, 3, 5, 7

Page 6: Cisco Unified Wireless Network and Converged access – Design session

Unified Access: Uncompromised User Experience in Any Workspace

Unified Access

One Policy

One Management

One Network

Page 7: Cisco Unified Wireless Network and Converged access – Design session

7

• The Industry is now talking about Unified Access

Gartner Magic Quadrant: wireless and wired together

Wired, Wireless: who cares what the access technology is? What customers care about is the overall Network experience

• The industry recognizes Cisco’s Leadership

Leader since 2012 (since WiFi and LAN are reported together)

Executing Better than any competitor

We have the largest Development Team in the industry

We have the largest Patent Portfolio in the industry

We are taking Market Share from competitors

We are innovating faster than the competition

Page 8: Cisco Unified Wireless Network and Converged access – Design session

2500, Virtual WLC (e.g. UCS-E on ISR G2)

Flex 7500

8500, 5760, 5508, WISM2

Catalyst 3850, Virtual Controller

• 12 to 500 APs
• 7000 clients
• 8 Gbps

• 100 to 1000 APs
• 15,000 clients
• 20 Gbps
• Catalyst 6500E/6807

• 25 to 1000 APs
• 12,000 clients
• 60 Gbps

• 100 to 6000 APs
• 64,000 clients
• 10 Gbps

Large Campus, Service Provider

Small Campus / Branch (Controller On-Premise), Branch (Controller in DC)

• 5 to 75 APs
• 1000 clients
• 1 Gbps

• 5 to 200 APs
• 3000 clients
• 500 Mbps

• 1-50 APs per switch/stack (Directly connected APs)
• 2000 clients per stack
• 40 Gbps per switch

• 5 to 200 APs
• 6000 clients
• 500 Mbps

• 300 to 6000 APs
• 64,000 clients
• 1 Gbps central

• 1-25 APs per switch/stack (Directly connected APs)
• 1000 clients per stack
• 40 Gbps per switch

Catalyst 3650

AireOS Controllers have a rich roadmap and are the lead WLC platforms for 2015

Page 9: Cisco Unified Wireless Network and Converged access – Design session

9

• 50% of enterprise traffic will originate on WiFi by 2017

• Half (50%) of all new Wi-Fi devices at the end of 2014 are 802.11ac capable (ABI Research)

• Investment protection: 802.11ac Wave 1 can fulfill smartphone and tablet bandwidth requirements for 5+ years

• 802.11ac improves speed by 3X and battery efficiency by 2X for smartphones, tablets, and laptops

• Why Cisco for 802.11ac:

• Backward compatible at the same price of 802.11n

• Locally manufactured APs 2700 and 3700 !

• Only vendor already committed to Wave 2 on existing APs

• HDX technology: Turbo scheduler, CL3.0, Optimized roaming

• More info: http://cisco.com/c/en/us/products/collateral/wireless/aironet-3700-series/white-paper-c11-731923.html

Page 10: Cisco Unified Wireless Network and Converged access – Design session

10

At 11 Mbps (802.11b)?

At 54 Mbps (802.11a or g)?

At 300 Mbps (802.11n5:2SS)?

At 866 Mbps (802.11ac:2SS)?

How many packets can I transmit at that speed compared to the other speeds above?

Samsung Galaxy S5 supports MIMO 2x2:2SS 802.11ac for the first time on a smartphone (866 Mbps)!

Page 11: Cisco Unified Wireless Network and Converged access – Design session

11

Enterprise Class

1K Family

Mission Critical

2K Family

Best in Class

3K Family

OEAP-600

AP-702 & 702W

Sub 1K Family

AP-3600

AP-3700

AP-1600

AP-1700

AP-2600

AP-2700

AP-3500

Page 12: Cisco Unified Wireless Network and Converged access – Design session

12

with Integrated 802.11ac (4x4:3)

• Industry’s first 4x4 MIMO : 3 SS 802.11ac AP

• 2-3X performance of 802.11n 5 GHz Wi-Fi

• Higher performance at a greater distance

• RF Excellence enabled in hardware

• High Density Experience Technology

• Higher Client density, scale and performance

• Future proofed design

• Modular Architecture = investment protection

• Security, 3G Small Cell or Wave 2 802.11ac module options

Page 13: Cisco Unified Wireless Network and Converged access – Design session

with Integrated 802.11ac (3x4:3SS)

• 3x4 MIMO:3 SS 802.11ac AP

• High Density Experience Technology

• Client density scale and performance

• Implicit Beam Forming – aka ClientLink 3.0, as well as Explicit BeamForming

• 2 GigE Ports

• 2nd Port provides downward device connectivity only (no other AP or PoE out)

• Antenna Support

• Supports all the antennas available for the 3700; 3600, 2600 and 1600

• Available since 7.6.120 and 3.6 IOS-XE

Page 14: Cisco Unified Wireless Network and Converged access – Design session

14

Page 15: Cisco Unified Wireless Network and Converged access – Design session

Merchant Silicon ASIC-driven RF Architecture

Merchant silicon architecture is heavily dependent on the single CPU for all functions.

ASIC design allows on-radio CPU and memory for distributed packet processing and throughput maximizing. Architecture also allows unique 4x4 MIMO antenna design.

Processors: Merchant Silicon (Competition): 1x Dual Core. Cisco AP3700 and AP2700: 6x Total (1x Dual Core, 2x Radio, 2x DSP).

Memory: Merchant Silicon (Competition): 512 MB. Cisco AP3700 and AP2700: 768 MB.

*1 Core Enabled Today, 1 Reserved for Future Use

[Figure: two block diagrams. Traditional AP Design: Dual-Core CPU 800MHz, DRAM (512MB), Radio – 2.4GHz, Radio – 5GHz. Customized AP Design: Dual-Core* CPU 800 MHz, DRAM (512MB), Radio – 5GHz and Radio – 2.4GHz blocks with DSP, CPU (512 MHz, 384 MHz) and DRAM (128MB).]

Page 16: Cisco Unified Wireless Network and Converged access – Design session

Cisco Aironet 702W Series

AP is supported using 7.6.120 code onwards

Max Data Rate: 300 Mbps per radio
Radio Design MIMO: Spatial Streams: Dual-Radio, 2x2:2
Local Ethernet Ports: 4 x GE
Powering Capability: 1 x GE port PoE out
Max No. Clients: 200
BandSelect: ✔
VideoStream: ✔
Rogue AP Detection: ✔
Adaptive wIPS: ✔
Monitor Mode: ✔
FlexConnect: ✔
Converged Access: (Future)
Autonomous: (Future)
Data Uplink (Mbps): 10/100/1000
Power: 802.3af/at, AC Adapter
Security lock: Torx screw, Kensington lock
Temperature Range: 0 – 40° C

• Cisco Aironet Wall Mount AP is targeted for Multi Dwelling Unit (MDU), Hospitality, and Schools Deployments seeking a high-performance in-room Wireless + Wired Access Device

• Designed for ease of mounting to numerous global wall-box standards

• Robust enterprise-class design and RF performance

• Simultaneous, Dual Radio & Dual Band with Integrated Antennas

• 4x GE Ethernet Ports, 1x WAN GE port

• Dimensions: 15x10x3 cm

Page 17: Cisco Unified Wireless Network and Converged access – Design session

Base: 1530

• Low Profile, Low Price
• 11n, 2G: 3x3:3; 5G: 2x3:2
• Internal or External Antennas
• -30°C to +65°C

Highly Versatile: 1550

• Multiple models & features
• Enterprise, MSO
• DOCSIS3.0 8x4
• 11n, 2x3:2
• Int/External Antennas
• -40°C to +65°C

Best in Class: 1570

• High-end Enterprise, MSO
• 802.11ac, 4x4:3
• NG-Cable: 24x8
• Int/External Antennas
• Modular: Future Proof
• -40°C to +65°C

Page 18: Cisco Unified Wireless Network and Converged access – Design session

19

NEW Access Points

• Indoor: AP700w—Wall Plate, AP1700—fixed lower end, AP2700 –fixed 802.11ac, 3G Small Cell Module for AP3600 and AP3700

• Outdoor: AP1570, 1550WU—Emerson Sensor Gateway

NEW Capabilities and Functionality

• Connected Mobile Experiences (Phase 2)

• High Density Experiences (Phase 1) – CleanAir 80 MHz, ClientLink 3.0

• Microsoft Lync 2013 Certification

• Application Visibility and Control (Phase 2 and 3)

• Bonjour Services Directory (Phase 2 and 3)

• IOS: Stateful Switchover, AVC, Bonjour

• IOS: Integrated policy and device profiling

• IOS: 802.11u, 802.11k, 802.11r, 802.11w

NEW WLAN Controllers

• Converged Access (SDN-Ready): Catalyst 3650, Catalyst 4500 ♯

♯ Sup 8E hardware supervisor with UADP Converged Access exists, software due end of 2014

[Figure: product images labelled 3G Small Cell Module; 802.11ac Wave 1 Module; 1530; AP700 Wall Plate; 1570; AP3700 802.11ac; AP2700 802.11ac; Catalyst 3650; Catalyst 4500]

Page 19: Cisco Unified Wireless Network and Converged access – Design session


Unified Access Wireless Deployment modes

Page 20: Cisco Unified Wireless Network and Converged access – Design session

Autonomous | FlexConnect | Centralized | Converged Access

Standalone APs | Traffic Distributed at AP | Traffic Centralized at Controller | Traffic Distributed at Switch

Target Positioning: Small Wireless Network | Branch | Campus | Branch and small Campus

Purchase Decision: Wireless only | Wireless only | Wireless only | Wired and Wireless

Benefit

• Simple and cost-effective
• Enterprise Class AP quality
• Provides Bridge functionality
• Highly scalable for large number of branches
• No controller at branch
• Most feature rich solution
• Wireless Traffic visibility at the controller
• Wired & Wireless common operations
• One Enforcement Point
• One OS (IOS)
• Traffic visibility at every network layer
• Performance optimized for 11ac

Key considerations

• Limited features
• First step to Controller based
• Very limited automation
• L2 roaming only
• Branch with WAN bw and latency requirements
• Top Performance and Scalability
• Full Access layer evolution (3650/3850)

[Figure label: WAN]

Page 21: Cisco Unified Wireless Network and Converged access – Design session

22

• Scalability

Zero-touch configuration

Centralized configuration management, image management and troubleshooting

• Radio Frequency (RF) Management

System wide view of RF – Cisco Leader

Dynamic Channel Selection, Dynamic Power Settings, Coverage Hole Detection/Mitigation (RRM)

Advanced Interference Handling (CleanAir) – Cisco Only

• Advanced Mobility Services – Investment protection

Advanced Location based Services (CMX) – Cisco Only

Optimized end-end multicast delivery (VideoStream) – Cisco Only

Advanced Wireless IPS (aWIPS)

Advanced Roaming (802.11r)

Page 22: Cisco Unified Wireless Network and Converged access – Design session

23

• What are Radio Resource Manager’s objectives?

Provide a system wide RF view of the network at the Controller (only Cisco!!)

Dynamically balance the network and mitigate changes

Manage Spectrum Efficiency so as to provide the optimal throughput under changing conditions

• What’s RRM?

DCA—Dynamic Channel Assignment

TPC—Transmit Power Control

CHDM—Coverage Hole Detection and Mitigation

• RRM best practices

RRM settings to auto for most deployments (High Density is a special case)

Design for most radios set at mid power level (level 3 for example)

Survey for lowest common client type and technology supported

RRM doesn’t replace the site survey and doesn’t create spectrum

Radio Frequency High Availability

For more info: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072c759.shtml

Page 23: Cisco Unified Wireless Network and Converged access – Design session

24

• CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller.

CAPWAP is an open protocol (IETF RFC)

Control Plane UDP 5246 (DTLS encrypted), Data plane UDP 5247 (optionally encrypted)

• Access points discover and join a CAPWAP controller

• Configuration and firmware can be pushed from the controller

• Statistics gathering and wireless security
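The port split on this slide can be checked against captured traffic. The following added example (not from the original deck or from Cisco) classifies AP/controller and inter-controller packets by the ports and protocol numbers given in the slides and flags CAPWAP packets that travel outside DTLS; the preamble and header parsing follows RFC 5415 and is an assumption beyond the slides, and the `Packet` records and sample payloads are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values stated on the slides.
CAPWAP_CONTROL = 5246     # UDP, control plane, DTLS encrypted
CAPWAP_DATA = 5247        # UDP, data plane, DTLS optional (configurable)
MOBILITY_CONTROL = 16666  # UDP, inter-WLC mobility control messages
PROTO_UDP, PROTO_EOIP = 17, 97  # EoIP mobility tunnel is IP protocol 97

# Assumption (RFC 5415 framing, not shown on the slides): the first payload
# byte is the CAPWAP preamble, version in the high nibble, type in the low.
TYPE_PLAIN, TYPE_DTLS = 0, 1
DISCOVERY_TYPES = {1, 2}  # Discovery Request/Response are sent before DTLS


@dataclass
class Packet:
    ip_proto: int
    src_port: int
    dst_port: int
    payload: bytes


def preamble_type(payload: bytes) -> int:
    """Return 0 (cleartext CAPWAP header) or 1 (CAPWAP DTLS header)."""
    if not payload:
        raise ValueError("empty payload")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0 or ptype not in (TYPE_PLAIN, TYPE_DTLS):
        raise ValueError(f"bad CAPWAP preamble 0x{payload[0]:02x}")
    return ptype


def control_message_type(payload: bytes) -> int:
    """Message type of a cleartext CAPWAP control packet."""
    if len(payload) < 8:
        raise ValueError("truncated CAPWAP header")
    hlen = (payload[1] >> 3) * 4  # HLEN: top 5 bits of byte 1, in 4-byte words
    if hlen < 8 or len(payload) < hlen + 4:
        raise ValueError("truncated CAPWAP header")
    return struct.unpack_from("!I", payload, hlen)[0]


def classify(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (label, finding); finding is None when nothing needs review."""
    if pkt.ip_proto == PROTO_EOIP:
        return "eoip-mobility-tunnel", None
    if pkt.ip_proto != PROTO_UDP:
        return "other", None
    ports = {pkt.src_port, pkt.dst_port}
    if MOBILITY_CONTROL in ports:
        return "mobility-control", None
    if not ports & {CAPWAP_CONTROL, CAPWAP_DATA}:
        return "other", None
    plane = "control" if CAPWAP_CONTROL in ports else "data"
    try:
        if preamble_type(pkt.payload) == TYPE_DTLS:
            return f"capwap-{plane}-dtls", None
        if plane == "data":
            return "capwap-data-clear", "client traffic tunnelled without DTLS"
        if control_message_type(pkt.payload) in DISCOVERY_TYPES:
            return "capwap-discovery", None
        return "capwap-control-clear", "control message outside DTLS"
    except ValueError as exc:
        return f"capwap-{plane}-malformed", str(exc)


def audit(packets: List[Packet]) -> List[Tuple[int, str, str]]:
    """Indexes, labels and findings for every packet that needs review."""
    results = []
    for index, pkt in enumerate(packets):
        label, finding = classify(pkt)
        if finding:
            results.append((index, label, finding))
    return results


def _plain_header() -> bytes:
    # Constructed 8-byte cleartext CAPWAP header: preamble 0x00, HLEN = 2 words.
    return bytes([0x00, 0x10, 0, 0, 0, 0, 0, 0])


_DTLS = b"\x01\x00\x00\x00" + b"\x17\xfe\xfd" + bytes(10)  # constructed record

# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet(17, 40001, 5246, _plain_header() + struct.pack("!IBHB", 1, 0, 0, 0)),
    Packet(17, 40001, 5246, _DTLS),
    Packet(17, 40001, 5247, _plain_header() + b"\x08\x01" + bytes(22)),
    Packet(17, 5247, 40002, _DTLS),
    Packet(17, 40001, 5246, _plain_header() + struct.pack("!IBHB", 3, 1, 0, 0)),
    Packet(17, 16666, 16666, b"constructed"),
    Packet(97, 0, 0, b"constructed"),
]

if __name__ == "__main__":
    for index, label, finding in audit(SAMPLE):
        print(index, label, finding)
```

Cleartext packets on UDP 5247 are reported for review rather than as a fault, since the slide describes data-plane encryption as optional.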

[Figure: labels: Wi-Fi Client; Access Point; CAPWAP Controller; Business Application; Control Plane; Data Plane]

Page 24: Cisco Unified Wireless Network and Converged access – Design session

25

• The CAPWAP protocol supports two modes of operation

Split MAC (centralized mode). AP is in Local Mode (default)

Local MAC (FlexConnect)

• Split MAC

[Figure: Split MAC. Labels: Wi-Fi Client; Access Point; Controller; Wireless Phy; MAC Sublayer; Wireless Frame; CAPWAP Data Plane; 802.3 Frame]

Page 25: Cisco Unified Wireless Network and Converged access – Design session

• Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames

• FlexConnect supports locally bridged MAC and split MAC per SSID

• Tunnel mode is not implemented by Cisco

[Figure: Local MAC. Labels: Wi-Fi Client; Access Point; Controller; Wireless Phy; MAC Sublayer; Wireless Frame; 802.3 Frame]

Page 26: Cisco Unified Wireless Network and Converged access – Design session

27

• Centralized configuration and policy enforcement of the Wireless LAN

• All access to network resources goes through the controller

RADIUS, DHCP, DNS, VLANs etc (assuming AP in Local Mode)

• Controller acts as security gateway for clients

Authentication profiles, ACL enforcement, Bandwidth controls

• Manages all access points on the network

Auto Channel and power assignments, coverage hole detection, firmware upgrade, statistics gathering, IDS & rogue AP Detection, RF analysis

• No need to re-subnet the network for deployment (L2/L3 Roaming)

Simple plug and play deployment model, APs can be dropped into any local or remote network segment.

Page 27: Cisco Unified Wireless Network and Converged access – Design session


Campus Design and Deployment options

Page 28: Cisco Unified Wireless Network and Converged access – Design session

30

• Components

• Wireless LAN controllers

• Aironet Access Points

• Management (Prime Infrastructure)

• Mobility Service Engine (MSE)

• Principles

• Overlay Architecture

• Based on AireOS software

• AP must have CAPWAP connectivity with WLC

• Configuration downloaded to AP by WLC

• All Wi-Fi traffic is forwarded to the WLC

[Figure: labels: Wireless LAN Controller; Aironet Access Point; Cisco Prime Infrastructure; MSE; Campus Network]

Page 29: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

Well-known, proven architecture

[Figure: labels: Mobility Group; Data Center / Service block; WLC #1; WLC #2; “Guest” Anchor WLC; PI; ISE; AP (x4); SSID1; SSID2; SSID3; Intranet; Internet. Callouts: SSID – VLAN Mapping (at controller); CAPWAP Tunnels, Encrypted (see Notes); EoIP Mobility Tunnel ( ≤ 7.2 or 7.4), CAPWAP Option in 7.3, ≥ 7.6]

Legend

• AP-Controller CAPWAP Tunnel: 802.11 Control Session + Data Plane
• Inter-Controller EoIP / CAPWAP Tunnel
• Inter-Controller (Guest Anchor) EoIP / CAPWAP Tunnel

Notes –

• AP / WLC CAPWAP Tunnels are an IETF Standard
• UDP ports used –
  • 5246: Encrypted Control Traffic
  • 5247: Data Traffic (non-Encrypted or DTLS Encrypted (configurable))
• Inter-WLC Mobility Tunnels
  • EoIP – IP Protocol 97 … AireOS 7.3 introduced CAPWAP option
  • Used for inter-WLC L3 Roaming and Guest Anchor

Page 30: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

Additional details on controller functionality

These will become important later as we delve into the Converged Access deployment …

Mobility Controller (MC): Handles Roaming, RRM, AP licenses, WIPS, etc.

Mobility Agent (MA): Terminates CAPWAP Tunnels, Maintains Client Database

[Figure: labels: Mobility Group; Data Center / Service block; WLC #1; WLC #2; “Guest” Anchor WLC; MC (x4); MA (x4); PI; ISE; AP (x4); SSID1; SSID2; SSID3; Intranet; Internet; CAPWAP Tunnels; EoIP Mobility Tunnel ( ≤ 7.2 or 7.4), CAPWAP Option in 7.3, ≥ 7.6; Legend]

Page 31: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

Point of Presence (PoP) vs. Point of Attachment (PoA) –

• PoP is where the wireless user is seen to be within the wired portion of the network
  • Anchors client IP address
  • Used for security policy application
• PoA is where the wireless user has roamed to while mobile
  • Moves with user AP connectivity
  • Used for user mobility and QoS policy application
• Now, let’s see how mobility works when a user roams in this deployment model …

[Figure: labels: Layer 2 Mobility Group; WiSM2s / 5508s; Data Center-DMZ; Data Center; Campus Services; Guest Anchors; Internet; Campus Access; MC; MA; PI; ISE; PoP; PoA]

Page 32: Cisco Unified Wireless Network and Converged access – Design session

34

Mobility Group defined:

• Group of Wireless LAN Controllers (WLCs) in a network with the same Mobility Group name

• Provides Seamless Mobility and Fast roaming for clients

• Up to 24 WLC members in one Mobility Group, statically configured

• Full mesh of tunnels between members

Messages can be sent using Multicast

• Mobility Control Messages

UDP port 16666 for un-encrypted traffic

• User Data traffic

EoIP (IP protocol 97) or CAPWAP (UDP 5246)

• NAT between members is supported

[Figure: Mobility Group with WLC 1, WLC 2, WLC 3 and WLC 4]

Page 33: Cisco Unified Wireless Network and Converged access – Design session

• Layer 2: same VLAN present on both controllers

• Client database context is moved from WLC1 to WLC2

• Client database is updated with new AP and security info

• Client becomes LOCAL to WLC-2. WLC-2 advertises reachability to the client

• No IP address refresh needed. Data flows as shown

[Figure: labels: WLC 1; WLC 2; Client Database (x2); client context; VLAN X; Mobility Message Exchange; Roaming Data Path]

Page 34: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

• Initially, the user’s PoP and PoA are co-located on the same controller

• The controllers within the DC share a common set of user VLANs at Layer 2

• Initially, the user’s traffic flow is as shown …

[Figure: labels: Layer 2 Mobility Group; WiSM2s / 5508s; Data Center-DMZ; Data Center; Campus Services; Guest Anchors; Internet; Campus Access; MC; MA; PI; ISE; PoA; PoP]

Page 35: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

• Now, the user roams to an AP handled by a different controller, within the same Mobility Group …

• The user’s PoP and PoA both move to the new controller handling that user after the roam (possible since the controllers in this deployment model are all L2-adjacent within the VLANs) …

• After the roam, the user’s traffic flow is as shown …

[Figure: labels: Layer 2 Mobility Group; WiSM2s / 5508s; Data Center-DMZ; Data Center; Campus Services; Guest Anchors; Internet; Campus Access; MC; MA; PI; ISE; PoA; PoP]

Page 36: Cisco Unified Wireless Network and Converged access – Design session

• Layer 3: different client VLAN on controllers

• WLC-2 knows it doesn’t have VLAN X

• Client database entry is copied from WLC1 to WLC2

• Client database is updated with new AP and security info

[Figure: labels: WLC 1; WLC 2; Client Database (x2); client context (x2); VLAN X; VLAN Z; Mobility Message Exchange]

Page 37: Cisco Unified Wireless Network and Converged access – Design session

• WLC-1 is still the “anchor” for the client session

• Traffic goes through the EoIP tunnel and exits again in VLAN X

• No IP address change needed

[Figure: labels: WLC 1; WLC 2; Client Database (x2); client context (x2); VLAN X; VLAN Z; EoIP tunnel; Roaming Data Path; Mobility Message Exchange]

Page 38: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

• Initially, the user’s PoP and PoA are co-located on the same controller

• Note – in this deployment model, it is assumed that all of the controllers across the Campus do not share a common set of user VLANs at Layer 2 … (i.e. the controllers are all L3-separated)

• Initially, the user’s traffic flow is as shown …

[Figure: labels: Layer 3 Mobility Group; 5508 / WiSM-2 (x2); Data Center-DMZ; Data Center; Campus Services; Guest Anchors; Internet; Campus Access; MC; MA; PI; ISE; PoP; PoA]

Page 39: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

• Now, the user roams to an AP handled by a different controller, within the same Mobility Group …

• The user’s PoA moves to the new controller handling that user after the roam – but the user’s PoP stays fixed on the original controller that the user associated to

• This is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming

• After the roam, the user’s traffic flow is as shown …

Symmetric Mobility Tunneling

[Figure: labels: Layer 3 Mobility Group; 5508 / WiSM-2 (x2); Data Center-DMZ; Data Center; Campus Services; Guest Anchors; Internet; Campus Access; MC; MA; PI; ISE; PoP; PoA]

Page 40: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

• Now, let’s examine roaming with Mobility Anchor use …

• When using Mobility Anchors, the user’s PoP is always located at the Mobility Anchor controller ... while the user’s PoA moves as the user roams …

• Again, this is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming

• Before the roam, the user’s traffic flow is as shown … (tunneling of user traffic back to the Mobility Anchor – guest traffic assumed)

[Figure: labels: Layer 3 Mobility Group; 5508 / WiSM-2 (x2); Data Center-DMZ; Data Center; Campus Services; Guest Anchors; Internet; Campus Access; MC; MA; PI; ISE; PoP; PoA]

Page 41: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

• Now, let’s examine roaming with Mobility Anchor use …

• After the roam, the user’s PoA moves to the new controller that handles the AP the user has roamed onto … however, the user’s PoP remains fixed at the Mobility Anchor controller …

• After the roam, the user’s traffic flow is as shown … (tunneling of user traffic back to the Mobility Anchor – guest traffic assumed)

[Figure: labels: Layer 3 Mobility Group; 5508 / WiSM-2 (x2); Data Center-DMZ; Data Center; Campus Services; Guest Anchors; Internet; Campus Access; MC; MA; PI; ISE; PoP; PoA]

Page 42: Cisco Unified Wireless Network and Converged access – Design session

45

• Controller acts as an L2 device, bridges wireless traffic on to a VLAN

• All traffic is centralized and goes through the WLC

• Even for two clients connected to the same AP

• Full features support since WLC sees all the traffic

• Controller is the insertion point for wireless traffic to the wired network

• QoS or Security Policies for wireless traffic can be easily centralized

• Can easily scale by adding other controllers in the centralized location (Data Center)

• No configuration needed on the switch access port connected to the Access Point

• Inter-Controller L2 roaming is recommended

• Less exchange of traffic among the controllers

Page 43: Cisco Unified Wireless Network and Converged access – Design session

Existing Unified Wireless Deployment today

Traffic Flows, Unified Wireless –

• In this example, a VoIP user is on today’s CUWN network, and is making a call from a wireless handset to a wired handset …

• We can see that all of the user’s traffic needs to be hairpinned back through the centralized controller, in both directions …

In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers – Layer 3 roaming might add more hops) …

The same traffic paths are incurred for voice, video, data, etc. – all centralized

Separate policies and services for wired and wireless users

Wired policies implemented on switch

Wireless policies implemented on controller

[Figure: labels: PSTN; CUCM; WiSM2s / 5508s; MC; MA; PoP; PoA]

Page 44: Cisco Unified Wireless Network and Converged access – Design session


Campus Design and Deployment options: Converged Access

Page 45: Cisco Unified Wireless Network and Converged access – Design session

Common Cisco IOS for LAN and WLAN

Programmable SDN-Ready

Operational Consistency (Same Well-known Commands)

[Figure: command keywords: Show; Run; Config; Debug; Clear; Ping; Save; AP; Set; Copy; Rename; Antenna; dot11; ?; Wireless Management Interface; Wireless Mobility Controller]

Unified Access Data Plane ASIC (UADP)

Common Fabric for LAN and WLAN

Page 46: Cisco Unified Wireless Network and Converged access – Design session

One Network, with Converged Access: A New Deployment Mode Option for Wired / Wireless

One Management: Prime

One Policy: ISE

One Network

IOS Based WLAN Controller

• Consistent IOS and ASIC with Catalyst 3x50

• Recommended to scale Campuses beyond 100 APs on switches or 4 000 wireless devices

Converged Access Mode

• Integrated wireless controller

• Distributed wired/wireless data plane (CAPWAP termination on switch)

[Figure: labels: Wireless Control System; Access Control Server; LAN Mgmt Solution; Identity Mgmt; NAC Profiler; Guest Server; Cisco Wireless LAN Controller; Internal Resources; Cisco Firewall; Cisco Access Point; Catalyst Switch; Corporate Network; Internet; WLC 5760; Catalyst 3650; Catalyst 3850]

Page 47: Cisco Unified Wireless Network and Converged access – Design session

Cisco Converged Access Deployment

Converged Wired / Wireless Access Switches: Benefits – Overview

Unified Access - One Policy | One Management | One Network

• Scale with distributed wired and wireless data plane: Large stack bandwidth; 40G wireless / switch; efficient multicast; 802.11ac optimized

• Maximum resiliency with fast stateful recovery: Layered network high availability design with stateful switchover

• Single platform for wired and wireless: Common IOS, same administration point, one release

• Network wide visibility for faster troubleshooting: Wired and wireless traffic visible at every hop

• Consistent security and Quality of Service control: Hierarchical bandwidth management and distributed policy enforcement

Page 48: Cisco Unified Wireless Network and Converged access – Design session

Cisco Converged Access Deployment

Visibility for Wired and Wireless: Flexible NetFlow v9

Visibility into Wired and Wireless Traffic at the Access

• Can monitor East-West and North-South flows

• Natively available in the hardware

• Single flow monitor can be applied to wired ports and SSID

• Detect network anomalies with hop-by-hop metrics such as packet loss, RTT, jitter and delay

• Understand Application Traffic Patterns such as HTTP, SMTP, Voice, Video, etc.

• Analyze usage trends over time and location

• Enforce policies to limit usage - based on application, time, location or load

• Plan for access capacity expansion

Understand Bandwidth consumption by various devices and applications

Detect Anomaly in Traffic flows

Page 49: Cisco Unified Wireless Network and Converged access – Design session

Cisco Converged Access Deployment

[Figure: labels: Mobility Group; Sub-Domain #1; Sub-Domain #2; SPG (x2); MC (x2); MA (x6); PI; ISE]

Page 50: Cisco Unified Wireless Network and Converged access – Design session

Cisco Converged Access Deployment

[Figure: labels: Mobility Group; Mobility Subdomain A; Mobility Subdomain B; Mobility Controller (x2); Mobility Agent; Peer Group 1; Peer Group 2; Fast Roam; New Authentication; values 14ms, 50ms, 80ms, 120ms, > 250ms]

Page 51: Cisco Unified Wireless Network and Converged access – Design session

54

• Mobility Agent (MA) – Terminates CAPWAP tunnel from AP

• Mobility Controller (MC) – Manages mobility within and across Sub-Domains

• Mobility Groups – Grouping of Mobility Controllers (MCs) to enable Fast Roaming

• Switch Peer Group (SPG) – Localizes traffic for roams within Distribution Block

Physical Entities

Logical Entities

MA, MC, Mobility Group functionalities all exist in today’s controllers

Cisco Converged Access Deployment

Page 52: Cisco Unified Wireless Network and Converged access – Design session

Cisco Converged Access Deployment

Mobility Agent

• MA is the first level in the hierarchy of MA / MC / MO

• One MA per Catalyst 3850/3650 Stack

• Maintains Client DB of locally served clients

• Interfaces to the Mobility Controller (MC)

[Figure: labels: Mobility Group; PI; ISE; MA (x3)]

Page 53: Cisco Unified Wireless Network and Converged access – Design session

Cisco Converged Access Deployment

Mobility Controller

• Mandatory element in design. Handles AP licenses

• Can be hosted together with MA

• Manages mobility-related state of MAs

• Maintains Client DB within a Sub-Domain (1 x MC = One Sub-Domain)

• Handles RF functions (including RRM)

• Multiple MCs can be grouped together in a Mobility Group

[Figure: labels: Mobility Group; PI; ISE; MC; MA (x3)]

Page 54: Cisco Unified Wireless Network and Converged access – Design session

Cisco Converged Access Deployment

Best-in-Class Wired Switch – with Integrated Wireless Mobility functionality

• Can act as a Mobility Agent (MA) for terminating CAPWAP tunnels for locally connected APs …

• as well as a Mobility Controller (MC) for other Mobility Agent (MA) switches, in small deployments

- MA/MC functionality works on a Stack of Catalyst 3650/3850 Switches
- MA/MC functionality runs on Stack Master
- Stack Standby synchronizes some information (useful for intra-stack HA)

[Figure: labels: MC; MA]

Page 55: Cisco Unified Wireless Network and Converged access – Design session

Cisco Converged Access Deployment

Switch Peer Group

• Made up of multiple Catalyst 3x50 switches as Mobility Agents (MAs), plus an MC (on controller as shown)

• Handles roaming across SPG (L2 / L3)

• MAs within an SPG are fully-meshed (auto-created at SPG formation)

• Fast Roaming within an SPG

• Multiple SPGs under the control of a single MC form a Sub-Domain

SPGs are a logical construct, not a physical one

SPGs can be formed across Layer 2 or Layer 3 boundaries

SPGs are designed to constrain roaming traffic to a smaller area, and optimize roaming capabilities and performance

Current thinking on best practices dictates that SPGs will likely be built around buildings, around floors within a building, or other areas that users are likely to roam most within

Roamed traffic within an SPG moves directly between the MAs in that SPG (CAPWAP full mesh)

Roamed traffic between SPGs moves via the MC(s) servicing those SPGs

Hierarchical architecture is optimized for scalability and roaming

[Figure: labels: Sub-Domain 1; MC; SPG-A; SPG-B; MA (x4)]


Cisco Converged Access Deployment

[Diagram labels: Mobility Group, MC, MC, Sub-Domain 1 with SPG-A (MA, MA) and SPG-B (MA, MA), Sub-Domain 2 with SPG-E (MA, MA) and SPG-F (MA, MA)]

Switch Peer Group

• Made up of multiple Catalyst 3x50 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
• Handles roaming across SPG (L2 / L3)
• MAs within an SPG are fully-meshed (auto-created at SPG formation)
• Fast Roaming within an SPG
• Multiple SPGs under the control of a single MC form a Sub-Domain

Mobility Group

• Made up of Multiple Mobility Controllers (MCs)
• Handles roaming across MCs (L2 / L3)
• RF Management (RRM, handled by RF Group), Key Distribution for Fast Roaming
• One Mobility Controller (MC) manages RRM for the entire RF Group
• Fast Roams are limited to Mobility Group member MCs


Cisco Converged Access Deployment

Point of Presence (PoP) vs. Point of Attachment (PoA) –

• PoP is where the wireless user is seen to be within the wired portion of the network
• PoA is where the wireless user has roamed to while mobile
• Before a user roams, PoP and PoA are in the same place

If users associate and remain stationary, this is their traffic flow

Note – the traffic does NOT flow through the MC …

[Diagram labels: SPG, MC, MA, MA, MA, AP, AP, AP, PoA, PoP]


Roaming, Within a Switch Peer Group (Branch) –

• Now, let’s examine a roam at a larger branch, with multiple 3x50-based switch stacks joined together via a distribution layer
• In this example, the larger Branch site consists of a single Switch Peer Group – and the user roams within that SPG – again, at a larger Branch such as this, this may be the only type of roam

The user may or may not have roamed across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application

Again, notice how the 3x50 switch stack on the left is an MC (as well as an MA) in this picture – in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required …

* Adjustable via setting, may be useful for L2 roams

uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application …

Roaming across Stacks (same SPG)

Very common roaming case

[Diagram labels: SPG, MC, MA, MA, MA, PoA, PoP]


Cisco Converged Access Deployment

• When a wireless client roams to a switch where the client VLAN is present, it is considered as an L2 Roam –

In CUWN this would imply that the PoP moves to the new switch

• When a wireless client roams across L3 subnets (i.e. to switches where its own VLAN is not present), it is considered as an L3 Roam –

same as CUWN, tunneling is used to keep the client’s IP address

• In Converged Access by default all roams are L3

The data path is anchored at the home switch (feature called “Sticky / L2 anchoring”)

Sticky roaming is ON by default. It can be disabled on a per-WLAN basis

• In both cases, the client will continue to maintain its original IP address – this is called seamless mobility.


Cisco Converged Access Deployment

Roaming across SPGs

• In this example, the user roams across Switch Peer Groups – since SPGs are typically formed around floors or other geographically-close areas, this could represent a large building
• Typically, this type of roam will take place across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application
• Note how traffic goes through the MC in this case

Roaming across SPGs (L3 separation assumed at access layer)

Less common roaming case

[Diagram labels: SPG, SPG, MC, MC, MA x6, PoA, PoP]
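The roaming rules from the preceding slides (PoP vs. PoA, direct MA-to-MA traffic inside an SPG, traffic via the MC(s) across SPGs, sticky anchoring on by default) as an added Python model. It is not Cisco code; the topology, the names and the rule that the PoP follows the client on an L2 roam once sticky anchoring is off are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed topology (not from the slides): MA -> SPG -> MC -> Mobility Group.
MA_TO_SPG = {"MA1": "SPG-A", "MA2": "SPG-A", "MA3": "SPG-B", "MA4": "SPG-E", "MA9": "SPG-Z"}
SPG_TO_MC = {"SPG-A": "MC1", "SPG-B": "MC1", "SPG-E": "MC2", "SPG-Z": "MC9"}
MC_TO_GROUP = {"MC1": "campus", "MC2": "campus", "MC9": "other"}
# VLANs present on each MA (constructed); used to tell an L2 roam from an L3 roam.
MA_VLANS = {"MA1": {10}, "MA2": {10}, "MA3": {20}, "MA4": {30}, "MA9": {10}}


@dataclass
class Client:
    vlan: int
    pop: str  # Point of Presence: MA where the client is seen on the wired side
    poa: str  # Point of Attachment: MA the client is currently associated to


def mc_of(ma):
    """MC that owns the sub-domain this MA belongs to."""
    return SPG_TO_MC[MA_TO_SPG[ma]]


def fast_roam_possible(client, new_ma):
    """Fast roams are limited to MCs that are members of the same Mobility Group."""
    return MC_TO_GROUP[mc_of(client.pop)] == MC_TO_GROUP[mc_of(new_ma)]


def roam(client, new_ma, sticky=True):
    """Move the PoA. Assumption: the PoP follows only on an L2 roam with sticky off."""
    client.poa = new_ma
    if not sticky and client.vlan in MA_VLANS[new_ma]:
        client.pop = new_ma
        return "L2"
    return "L3"  # anchored: traffic is tunneled back to the PoP


def data_path(client):
    """Nodes crossed from PoA to PoP; the last node is where policy is applied."""
    pop, poa = client.pop, client.poa
    if pop == poa:
        return [poa]                      # stationary: the MC is not in the path
    if MA_TO_SPG[pop] == MA_TO_SPG[poa]:
        return [poa, pop]                 # same SPG: direct MA-to-MA tunnel
    if mc_of(pop) == mc_of(poa):
        return [poa, mc_of(poa), pop]     # different SPGs under one MC
    return [poa, mc_of(poa), mc_of(pop), pop]  # different sub-domains: via both MCs


if __name__ == "__main__":
    c = Client(vlan=10, pop="MA1", poa="MA1")
    for target in ("MA2", "MA3", "MA4"):
        kind = roam(c, target)
        print(target, kind, " -> ".join(data_path(c)))
```

The last element of each path is the switch where uRPF, NetFlow and stateful policy see the client, so that is the device whose records to pull when tracing a roamed user's traffic.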


Cisco Converged Access Deployment

Traffic Flows, Comparison (Converged Access) –

• Now, our VoIP user is on a Cisco Converged Access network, and is again making a call from a wireless handset to a wired handset …
• We can see that all of the user’s traffic is localized to their Peer Group, below the distribution layer, in both directions …

In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming) … two additional hops may be incurred for routing …

More efficient since traffic flows are localized to the 3x50 switch – Performance Increase

Traffic does not flow via MCs

Converged policies and services for wired and wireless users

Wired and wireless policies implemented on 3650/3850 switch

[Diagram labels: PSTN, CUCM, SPG, MC, MA x4, PoP, PoA]


• Wireless Data traffic is distributed at the Access switches

Traffic path is optimized for east west communication

• Same distributed Point of Ingress to the network for wired and wireless (access switch)

Same troubleshooting tools, same visibility for wireless traffic (not encapsulated anymore)

• Subnet design should be carefully considered

Possible DHCP address contention between wireless and wired

Difficult to size the wireless subnet

Same policies can be applied for wired and wireless if desired

• Size recommendation for Campus deployments

a) No more than 600 APs and 7000 clients for the 5760 as MC in CA deployments

b) No more than 2 x MCs in switch-only deployments (50 APs with 3650s and 100 APs with 3850s)


Branch Office Design and Deployment options


Cisco FlexConnect with different controller deployment options

Branch (Controller in DC)

Virtual Controller
• 5 to 200 APs
• 6000 clients
• 500 Mbps

Flex 7500
• 300 to 6000 APs
• 64,000 clients
• 1 Gbps central


FlexConnect (ex-HREAP)

[Diagram labels: ISE, MSE, Prime, Controller, WAN, Trunk links, Remote Location, SSID Data, SSID Guest, SSID Voice]

• Centralized control plane

• FlexConnect mode of operation:

Connected mode vs Standalone

• Data plane flexibility

Local vs Central switching

Configured per SSID

• FlexConnect Local switching

VLANs are added at access switch

Not all features are supported (L3 roaming, Mesh, WGB support, etc)

• HA will preserve locally switched traffic

• Mostly deployed over a WAN

RTT below 300 ms for data (100 ms for voice)

Minimum 500 bytes WAN MTU (with max four fragmented packets)


Local controller onsite

[Diagram labels: Central Site, Backup Central Controller, WAN, CAPWAP, Remote Site A, Remote Site B, Remote Site C, Cisco 2500 Series Controller (WLC-25xx), WLCM for ISR/ISR-G2, Catalyst 3650 (Cat-3650), Virtual Controllers (vWLC)]


Evolution of Medium/Large Branch Deployment: “Catalyst 3650 is the New Branch Controller”

[Diagram labels, Traditional Deployment: DMZ, Prime, ISE, Guest Anchor, WAN, ISR 2900/3900, WLC 2504, Catalyst 2960X, Employee, Guest]

[Diagram labels, Cat. 3650 as Branch Controller: DMZ, Prime, ISE, Guest Anchor, WAN, ISR AX, Catalyst 3650, Employee, Guest]

Traditional Deployment

• Dedicated WLC (2504 up to 75 APs)
• Multiple OS/devices to manage
• 1 Gbps of Wireless traffic
• Up to 1000 wireless clients

Cat. 3650 as Branch Controller

• Cat. 3650 terminates wired and wireless traffic – 40 Gbps Wireless
• Up to 1000 W&Wless clients, 25 APs
• Full IOS based branch, HA capable

Priced at par vs. traditional solutions

# of APs in Solution | 3650* vs. 2K-X** | 3650* vs. 2K-XR***
5 | 29% | -9%
10 | 24% | -8%
15 | 10% | -13%
20 | 9% | -12%
25 | 1% | -15%

* 24 Port PoE IP Base w/1G UpL

** LAN Base + 2504 WLC

*** IP Lite + 2504 WLC


Converged Access Branch Deployment Modes

Controller-less BRANCH

• Up to 25 Access Points with 3650
• Up to 1000 Clients per branch with 3650
• All WAN Services Available (local termination)

Controller-less larger BRANCH

• Up to 50 Access Points with only 3650s
• Up to 2000 Clients with only 3650s
• Visibility, Control and resiliency

[Diagram labels: DMZ, ISE, Prime, WAN, Access Points, UA 3K, 3650 (MC, MA), INTEGRATED CONTROLLER, AP CAPWAP Tunnels, Employee, Guest. Legend: Capwap Tunnel; Standard Ethernet, No Tunnels; Guest Tunnel from Switch to DMZ Controller]


• What do Flex and Converged Access really have in common, from an architecture point of view, that makes people compare the two?

Control Plane and Data Plane separation

Distributed Data Plane

Wireless and wired traffic are both local to the access switch, same or different VLANs are supported for wireless and wired

Visibility of wireless traffic available from the access switch

WAN optimization techniques (WAAS) applicable to wireless traffic

Security and QoS policies applicable at the edge (branch) of the network (not the same policies though, but at least the point of enforcement can be distributed)

Architecture comparison


• For this comparison, only FlexConnect Local switching is considered:

In terms of architecture and feature support, Flex Central switching is very similar to the Centralized deployment mode (AP in Local mode)

• For this comparison a 3650/3850-based Converged Access solution is considered:

One or more stacks but MC is embedded in the 3650/3850, not in a discrete controller

• For the comparison, the following Reference Design is considered:

Branch deployment with fewer than 25 APs

Voice and fast roaming is a requirement

High availability is required

• Today, CA only supports local mode APs and a few features are still different.

Preliminary considerations


Architecture comparison: the differences

Function | Converged Access (3x50) | FlexConnect (local switching)
Control and data plane separation | MC and MA functionalities are used | Controller handles the Control plane, AP the data plane
Control and data plane termination | Both terminated at the switch | Control Plane terminated at the WLC (300ms max RTT requirement), AP bridging for data traffic
Wired and Wireless traffic | True wireless and wired convergence | Local access switch sees wireless traffic as if it was wired traffic through a bridge
Dot1x Authentication | Switch acts as dot1x Authenticator for wireless and wired | WLC or AP is authenticator for wireless
L2/L3 Seamless Roaming | All supported | Only L2 roaming supported
Fast Roaming | Supported | Supported within the FlexConnect Group (different scalability for different controller platforms)
Subnetting definition | Flexibility of having wireless in same or different VLANs per wiring closet | Same VLAN is required for seamless roaming
QoS policies Enforcement point | Local switch and same for wired and for wireless | WLC, AP or access switch, and usually different for wireless and wired
Security Enforcement point | Local switch and same for wired and for wireless | WLC, AP or access switch, and usually different for wireless and wired
WAN dependencies | No WAN dependencies for Wireless service | Different requirements based on type of traffic (voice, data, monitor APs only)*


Feature comparison: the differences

Feature (*) | 3650 / 3850 in the Branch | Flex (**) Local Mode
All AP modes (Mesh, Flex, OEAP) | Not supported (roadmap), and only 11n+ APs | Supported (Mesh and Flex since 8.0)
802.11r Fast Secure Roaming | Supported | Supported
No service interruption upon controller failure (***) | AP SSO is supported within stack | Supported
Vlan Select (interface Group) | Supported | Not supported
Downloadable ACL | Supported | Not supported (Airespace ACL)
Security Group Tag (SGT) and Security Group ACLs (SGA) | Supported | Not supported
IPv6 client Mobility | Supported | Not supported
Advanced Modular QoS and QoS override | Supported | Not supported
Netflow | Supported | Not supported
VideoStream (multicast to unicast) | Supported | Supported
Application Visibility and Control | Supported | Not Supported (planned for 8.1)
Bonjour Services | Supported | Supported


Summary


Unified Access

One Policy

One Management

One Network


CONVERGED ACCESS

CENTRALIZED AireOS

• Switch refresh

• Future upgrade to converged access

• Perfect for scaling with 802.11ac

• Ready for SDN evolution

• Perfect for branch deployments

• Wireless-only overlay

• Most mature and feature rich offering

• Ready for 802.11ac

• Perfect for 802.11n

• Support for all AP modes

• Optimized for Campus

• Broadest Feature Set

• Centralized control plane

• Centralized data plane

• On-Premise controller

• Controller at every location

• Centralized control plane

• Distributed data plane

• Common LAN and WLAN OS

• LAN and WLAN feature consistency

• Optimized for high performance

• Optimized for branch deployments

Positioning

Characteristics


Multiple options exist, depending on the type and size of branch

• 1 AP: Autonomous IOS AP or CVO Router

• Up to 10 APs: FlexConnect with vWLC, 7500 or 5508/WiSM-2

• Up to 25 APs: Converged Access, FlexConnect, Local 2504 bundles

Branch Controller On-Premise

2500
• 5 to 75 APs
• 1000 clients
• 1 Gbps

Virtual WLC, e.g. UCS-E on ISR G2
• 5 to 200 APs
• 3000 clients
• 500 Mbps

Catalyst 3850
• 1-50 APs per switch/stack (Directly connected APs)
• 2000 clients per stack
• 40 Gbps per switch

Catalyst 3650
• 1-25 APs per switch/stack (Directly connected APs)
• 1000 clients per stack
• 40 Gbps per switch

Controller in DC

Virtual Controller
• 5 to 200 APs
• 6000 clients
• 500 Mbps

Flex 7500
• 300 to 6000 APs
• 64,000 clients
• 1 Gbps central


http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html

Cisco Wireless LAN Controller - Configuration Best Practices


BEST PRACTICES (AireOS)

INFRASTRUCTURE

Enable High Availability (AP and Client SSO)
Enable AP Failover Priority
Enable AP Multicast Mode
Enable Multicast VLAN
Enable Pre-image download
Enable AVC
Enable NetFlow
Enable Local Profiling (DHCP and HTTP)
Enable NTP
Modify the AP Re-transmit Parameters
Enable FastSSID change
Enable Per-user BW contracts
Enable Multicast Mobility
Enable Client Load balancing
Disable Aironet IE
FlexConnect Groups and Smart AP Upgrade

SECURITY

Enable 802.1x and WPA/WPA2 on WLAN
Enable 802.1x authentication for AP
Change advance EAP timers
Enable SSH and disable telnet
Disable Management Over Wireless
Disable WiFi Direct
Secure Web Access (HTTPS)
Enable User Policies
Enable Client exclusion policies
Enable rogue policies and Rogue Detection RSSI
Strong password Policies
Enable IDS
Extend BYOD Timers

MESH

Set a Bridge Group Name
Set a Preferred Parent
Deploy Multiple Root APs in each BGN
Set Backhaul rate to "Auto"
Set Backhaul Channel Width to 40/80 MHz
Backhaul Link SNR > 25 dBm
Avoid DFS channels for Backhaul if possible
External RADIUS server for Mesh MAC Authentication
Enable IDS
Enable EAP Mesh Security Mode

WIRELESS / RF

Disable 802.11b data rates
Restrict number of WLAN below 4
Enable channel bonding – 40 or 80 MHz
Enable BandSelect
Use RF Profiles and AP Groups
Enable RRM (DCA & TPC) to be auto
Enable Auto-RF group leader selection
Enable Cisco CleanAir and EDRRM
Enable Noise & Rogue Monitoring on all channels
Enable DFS channels
Avoid Cisco AP Load

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html


Key Takeaways


Industry Leadership

Market Leadership

• 20+ years of market share leadership

• 800,000+ WLAN customers

• 2,000,000+ LAN customers

• 18,000,000 ISE endpoint licenses sold

• 75,000,000 AnyConnect licenses sold

• Broadest LAN, WLAN, and Security portfolio

• 90% Fortune 1000 have selected Cisco

• 10+ years of Gartner MQ leadership

• Leader in Unified Access Gartner MQ

• Ongoing IEEE, IETF, Wi-Fi Alliance leadership

• Largest patent portfolio in the industry

• Largest development team in the industry

• EAL Common Criteria, PCI


Thank you.
