Post on 16-Jul-2015
© 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Unified Wireless Network and Converged access – Design session
Flavien RICHARD, Technology Solutions Architect
November 2014
Wireless Standards: Past, Present, and Future (timeline chart, client bandwidth from early 2000 to 2016): 802.11b at 11 Mbps (with 802.11a, which reaches 54 Mbps, in the same era); 802.11g at 54 Mbps; 802.11n at 450 Mbps; 802.11ac Wave 1 at ~1 Gbps; 802.11ac Wave 2 at 3.5 Gbps; future: new frequencies?
Wi-Fi deployment evolution (chart): from hotspot and casual use, to pervasive indoor coverage and media-rich applications, to mission-critical and business-critical networks with CleanAir, to high-performance, high-density deployments; system management evolves toward capacity planning and self-healing, self-optimizing operation.
Think about it, and choose the best answer (1, 3, 5 or 7): how many mobile data devices do you think you will carry everywhere in 2016?
Unified Access: One Policy, One Management, One Network. Uncompromised user experience in any workspace.
• The industry is now talking about Unified Access
Gartner Magic Quadrant: wireless and wired together
Wired or wireless: who cares what the access technology is? What customers care about is the overall network experience
• The industry recognizes Cisco's leadership
Leader since 2012 (since Wi-Fi and LAN have been reported together)
Executing better than any competitor
We have the largest development team in the industry
We have the largest patent portfolio in the industry
We are taking market share from competitors
We are innovating faster than the competition
Controller portfolio (chart):
Small campus / branch (controller on-premise):
• 2500: 5 to 75 APs, 1000 clients, 1 Gbps
• Virtual WLC (e.g. UCS-E on ISR G2): 5 to 200 APs, 3000 clients, 500 Mbps
• Catalyst 3650: 1-25 APs per switch/stack (directly connected APs), 1000 clients per stack, 40 Gbps per switch
• Catalyst 3850: 1-50 APs per switch/stack (directly connected APs), 2000 clients per stack, 40 Gbps per switch
Branch (controller in DC):
• Virtual Controller: 5 to 200 APs, 6000 clients, 500 Mbps
• Flex 7500: 300 to 6000 APs, 64,000 clients, 1 Gbps central
Large campus:
• 5508: 12 to 500 APs, 7000 clients, 8 Gbps
• WiSM2 (Catalyst 6500E/6807): 100 to 1000 APs, 15,000 clients, 20 Gbps
• 5760: 25 to 1000 APs, 12,000 clients, 60 Gbps
Large campus / service provider:
• 8500: 100 to 6000 APs, 64,000 clients, 10 Gbps
AireOS controllers have a rich roadmap and are the lead WLC platforms for 2015
• 50% of enterprise traffic will originate on Wi-Fi by 2017
• Half (50%) of all new Wi-Fi devices by the end of 2014 are 802.11ac capable (ABI Research)
• Investment protection: 802.11ac Wave 1 can fulfill smartphone and tablet bandwidth requirements for 5+ years
• 802.11ac improves speed by 3X and battery efficiency by 2X for smartphones, tablets, and laptops
• Why Cisco for 802.11ac:
• Backward compatible, at the same price as 802.11n
• Locally manufactured APs 2700 and 3700!
• Only vendor already committed to Wave 2 on existing APs
• HDX technology: Turbo scheduler, ClientLink 3.0, Optimized roaming
• More info: http://cisco.com/c/en/us/products/collateral/wireless/aironet-3700-series/white-paper-c11-731923.html
How many packets can I transmit at 11 Mbps (802.11b), at 54 Mbps (802.11a or g), at 300 Mbps (802.11n 5 GHz, 2SS) or at 866 Mbps (802.11ac, 2SS), compared to the other speeds above?
The Samsung Galaxy S5 supports 2x2:2SS MIMO 802.11ac (866 Mbps) for the first time on a smartphone!
Indoor access point portfolio (chart): sub-1K family: OEAP-600, AP-702 and 702W; enterprise class 1K family: AP-1600, AP-1700; mission critical 2K family: AP-2600, AP-2700; best in class 3K family: AP-3500, AP-3600, AP-3700.
AP3700 with integrated 802.11ac (4x4:3)
• Industry's first 4x4 MIMO, 3 SS 802.11ac AP
• 2-3X the performance of 802.11n 5 GHz Wi-Fi
• Higher performance at a greater distance
• RF excellence enabled in hardware
• High Density Experience technology
• Higher client density, scale and performance
• Future-proofed design
• Modular architecture = investment protection
• Security, 3G Small Cell or Wave 2 802.11ac module options
AP2700 with integrated 802.11ac (3x4:3SS)
• 3x4 MIMO, 3 SS 802.11ac AP
• High Density Experience technology
• Client density, scale and performance
• Implicit beamforming (aka ClientLink 3.0), as well as explicit beamforming
• 2 GigE ports
• The 2nd port provides downstream device connectivity only (no other AP or PoE out)
• Antenna support
• Supports all the antennas available for the 3700, 3600, 2600 and 1600
• Available since AireOS 7.6.120 and IOS-XE 3.6
AP architecture comparison (diagram): the Cisco AP3700 and AP2700 use a customized design with a dual-core 800 MHz CPU* and 512 MB DRAM, and each radio (2.4 GHz and 5 GHz) has its own CPU (512 MHz and 384 MHz), 128 MB DRAM and a DSP: six processors in total (1x dual core, 2x radio, 2x DSP) and 768 MB of memory. The ASIC design allows on-radio CPU and memory for distributed packet processing and throughput maximization; the architecture also allows the unique 4x4 MIMO antenna design. The competition's traditional, merchant-silicon design has a single dual-core 800 MHz CPU and 512 MB DRAM shared by both radios and is heavily dependent on that single CPU for all functions.
*1 core enabled today, 1 reserved for future use
Cisco Aironet 702W Series (supported from AireOS 7.6.120 onwards)
Max data rate: 300 Mbps per radio
Radio design (MIMO: spatial streams): dual-radio, 2x2:2
Local Ethernet ports: 4 x GE
Powering capability: 1 x GE port PoE out
Max no. of clients: 200
BandSelect: yes; VideoStream: yes; Rogue AP detection: yes; Adaptive wIPS: yes; Monitor mode: yes; FlexConnect: yes
Converged Access: future; Autonomous: future
Data uplink (Mbps): 10/100/1000
Power: 802.3af/at, AC adapter
Security lock: Torx screw, Kensington lock
Temperature range: 0 – 40° C
• The Cisco Aironet wall mount AP is targeted at Multi Dwelling Unit (MDU), hospitality and school deployments seeking a high-performance in-room wireless + wired access device
• Designed for ease of mounting to numerous global wall-box standards
• Robust enterprise-class design and RF performance
• Simultaneous dual radio and dual band with integrated antennas
• 4x GE Ethernet ports, 1x WAN GE port
• Dimensions: 15x10x3 cm
Outdoor access points:
1530 (base)
• Low profile, low price
• 11n, 2.4 GHz: 3x3:3; 5 GHz: 2x3:2
• Internal or external antennas
• -30°C to +65°C
• Multiple models and features
1550 (highly versatile)
• Enterprise, MSO
• DOCSIS 3.0 8x4
• 11n, 2x3:2
• Internal/external antennas
• -40°C to +65°C
1570 (best in class)
• High-end enterprise, MSO
• 802.11ac, 4x4:3
• NG-Cable: 24x8
• Internal/external antennas
• Modular: future proof
• -40°C to +65°C
NEW Access Points
• Indoor: AP700W wall plate, AP1700 fixed lower end, AP2700 fixed 802.11ac, 3G Small Cell module for AP3600 and AP3700
• Outdoor: AP1570, 1550WU (Emerson sensor gateway)
NEW Capabilities and Functionality
• Connected Mobile Experiences (Phase 2)
• High Density Experience (Phase 1): CleanAir 80 MHz, ClientLink 3.0
• Microsoft Lync 2013 certification
• Application Visibility and Control (Phase 2 and 3)
• Bonjour Services Directory (Phase 2 and 3)
• IOS: Stateful Switchover, AVC, Bonjour
• IOS: integrated policy and device profiling
• IOS: 802.11u, 802.11k, 802.11r, 802.11w
NEW WLAN Controllers
• Converged Access (SDN-ready): Catalyst 3650, Catalyst 4500 ♯
♯ Sup 8E hardware supervisor with UADP: Converged Access exists in hardware, software due end of 2014
(pictured: 3G Small Cell module, 802.11ac Wave 1 module, 1530, AP700 wall plate, 1570, AP3700 802.11ac, AP2700 802.11ac, Catalyst 3650, Catalyst 4500)
Unified Access Wireless Deployment modes
Deployment modes compared:
Autonomous (standalone APs, traffic distributed at the AP)
• Target positioning: small wireless network
• Purchase decision: wireless only
• Benefits: simple and cost-effective; enterprise-class AP quality; provides bridge functionality
• Key considerations: limited features; first step to controller-based; very limited automation; L2 roaming only
FlexConnect (traffic distributed at the AP, controller across the WAN)
• Target positioning: branch
• Purchase decision: wireless only
• Benefits: highly scalable for a large number of branches; no controller at the branch
• Key considerations: branch with WAN bandwidth and latency requirements
Centralized (traffic centralized at the controller)
• Target positioning: campus
• Purchase decision: wireless only
• Benefits: most feature-rich solution; wireless traffic visibility at the controller
• Key considerations: top performance and scalability
Converged Access (traffic distributed at the switch)
• Target positioning: branch and small campus
• Purchase decision: wired and wireless
• Benefits: wired and wireless common operations; one enforcement point; one OS (IOS); traffic visibility at every network layer; performance optimized for 11ac
• Key considerations: full access layer evolution (3650/3850)
• Scalability
Zero-touch configuration
Centralized configuration management, image management and troubleshooting
• Radio Frequency (RF) management
System-wide view of RF (Cisco leader)
Dynamic channel selection, dynamic power settings, coverage hole detection/mitigation (RRM)
Advanced interference handling (CleanAir), Cisco only
• Advanced mobility services, investment protection
Advanced location-based services (CMX), Cisco only
Optimized end-to-end multicast delivery (VideoStream), Cisco only
Advanced wireless IPS (aWIPS)
Advanced roaming (802.11r)
• What are Radio Resource Manager's objectives?
Provide a system-wide RF view of the network at the controller (Cisco only!)
Dynamically balance the network and mitigate changes
Manage spectrum efficiency so as to provide the optimal throughput under changing conditions
• What is RRM?
DCA: Dynamic Channel Assignment
TPC: Transmit Power Control
CHDM: Coverage Hole Detection and Mitigation
• RRM best practices
Leave RRM settings on auto for most deployments (high density is a special case)
Design for most radios at a mid power level (level 3, for example)
Survey for the lowest common client type and technology supported
RRM doesn't replace the site survey and doesn't create spectrum
Radio frequency high availability
For more info: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072c759.shtml
• CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller.
CAPWAP is an open protocol (IETF RFC 5415, with RFC 5416 for the 802.11 binding)
Control plane: UDP 5246 (DTLS encrypted). Data plane: UDP 5247 (optionally encrypted)
Note that only the control channel is protected by default: unless data-plane DTLS is enabled on the controller, client frames in the CAPWAP data tunnel are as readable on the AP-to-WLC path as on any wired segment, so the path between APs and controllers should be treated as part of the trusted infrastructure
• Access points discover and join a CAPWAP controller
• Configuration and firmware can be pushed from the controller
• Statistics gathering and wireless security
(diagram: Wi-Fi client, access point, CAPWAP controller and business application, with the control plane and data plane tunnels running between the access point and the controller)
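The port and encryption split above is what an operator should verify on the wire rather than assume. The classifier below is an added example, not Cisco code and not part of the deck: it parses the RFC 5415 transport header, treats a preamble type of 1 as "a DTLS record follows", flags data-plane datagrams that cross the AP-to-WLC link without DTLS (the Cisco default, where the data channel is only optionally encrypted), and flags any non-Discovery control message seen in the clear, which the protocol never allows (only Discovery Request/Response travel unprotected). The sample packets and the `summarize` monitor are constructed for the example; the port constants and message-type values come from the RFC.

```python
"""Classify datagrams on the CAPWAP ports by plane (control vs data) and by whether they
are DTLS-protected, and flag what should not be on the wire in the clear.
Added example, not Cisco code: it follows the RFC 5415 transport and control header
layout and the UDP ports named in the deck. All packets below are constructed by hand."""
import struct

CAPWAP_CONTROL_PORT = 5246      # control plane, DTLS-protected except Discovery
CAPWAP_DATA_PORT = 5247         # data plane, DTLS optional (off by default on Cisco WLCs)
PREAMBLE_PLAIN, PREAMBLE_DTLS = 0, 1    # preamble 'type' nibble (RFC 5415 section 4.2)
DISCOVERY_TYPES = {1: "Discovery Request", 2: "Discovery Response"}  # legitimately sent in the clear


def classify(dst_port, payload):
    """Return a dict describing one UDP payload addressed to a CAPWAP port."""
    if dst_port == CAPWAP_CONTROL_PORT:
        plane = "control"
    elif dst_port == CAPWAP_DATA_PORT:
        plane = "data"
    else:
        raise ValueError("not a CAPWAP port: %d" % dst_port)
    if not payload:
        raise ValueError("empty payload")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError("unsupported CAPWAP version %d" % version)
    info = {"plane": plane, "dtls": ptype == PREAMBLE_DTLS, "flag": None}
    if info["dtls"]:
        # A DTLS record follows the preamble; 22 = handshake, 23 = application data.
        info["dtls_content_type"] = payload[1] if len(payload) > 1 else None
        return info
    if ptype != PREAMBLE_PLAIN:
        raise ValueError("unknown preamble type %d" % ptype)
    if len(payload) < 8:
        raise ValueError("truncated CAPWAP header")
    # Bits 8-31 of the first header word: HLEN(5) RID(5) WBID(5) T F L W M K flags(3)
    word = int.from_bytes(payload[1:4], "big")
    hlen = (word >> 19) * 4                       # header length in bytes (HLEN is in 4-byte words)
    info.update(
        rid=(word >> 14) & 0x1F,
        wbid=(word >> 9) & 0x1F,                  # 1 = IEEE 802.11 binding
        native_80211=bool((word >> 8) & 1),       # T: payload is an 802.11 frame, not 802.3
        fragment=bool((word >> 7) & 1),           # F: this datagram is a fragment
        keepalive=bool((word >> 3) & 1),          # K: data-channel keep-alive
        fragment_id=int.from_bytes(payload[4:6], "big"),
    )
    if plane == "data":
        info["flag"] = "client traffic crossing the AP-WLC link without DTLS"
        return info
    if len(payload) < hlen + 8:
        raise ValueError("truncated CAPWAP control header")
    # Control header: message type (32 bits), sequence (8), message element length (16), flags (8)
    msg_type, seq, elem_len, _flags = struct.unpack_from("!IBHB", payload, hlen)
    info.update(message_type=msg_type, sequence=seq, element_length=elem_len)
    if msg_type in DISCOVERY_TYPES:
        info["message_name"] = DISCOVERY_TYPES[msg_type]
    else:
        info["flag"] = "non-discovery control message without DTLS"
    return info


def summarize(packets):
    """Counts for a list of (dst_port, payload) pairs, as a hypothetical monitor on the AP-to-WLC path would report."""
    counts = {"control_dtls": 0, "control_discovery": 0, "control_plaintext_other": 0,
              "data_dtls": 0, "data_plaintext": 0}
    for port, payload in packets:
        c = classify(port, payload)
        if c["plane"] == "control":
            if c["dtls"]:
                counts["control_dtls"] += 1
            elif c["message_type"] in DISCOVERY_TYPES:
                counts["control_discovery"] += 1
            else:
                counts["control_plaintext_other"] += 1
        else:
            counts["data_dtls" if c["dtls"] else "data_plaintext"] += 1
    return counts


# --- constructed sample traffic (not captured from a real network) ---------------
def capwap_header(wbid=1, t=0, k=0):
    """8-byte plaintext transport header: HLEN=2, RID=0, no fragmentation, no optional headers."""
    word = (2 << 19) | (wbid << 9) | (t << 8) | (k << 3)
    return bytes([PREAMBLE_PLAIN]) + word.to_bytes(3, "big") + b"\x00\x00\x00\x00"


def control_message(msg_type, elements=b""):
    """Transport header + control header (type, seq, element length, flags) + message elements."""
    return capwap_header() + struct.pack("!IBHB", msg_type, 0, len(elements), 0) + elements


def dtls_record(content_type, body):
    """DTLS preamble + DTLS 1.2 record header (type, version 0xFEFD, epoch, 48-bit seq, length) + body."""
    return (bytes([PREAMBLE_DTLS, content_type]) + b"\xfe\xfd" + b"\x00\x01" + b"\x00" * 6
            + len(body).to_bytes(2, "big") + body)


DISCOVERY_TYPE_ELEMENT = struct.pack("!HHB", 20, 1, 0)   # Discovery Type element, value 0 (Unknown)

SAMPLE_PACKETS = [
    (5246, control_message(1, DISCOVERY_TYPE_ELEMENT)),       # Discovery Request: cleartext is normal
    (5246, dtls_record(22, b"\x01" + b"\x00" * 20)),          # DTLS handshake toward the WLC
    (5246, control_message(3)),                               # Join Request in the clear: never legitimate
    (5247, capwap_header(t=1) + b"\x08\x02" + b"\x00" * 22),  # 802.11 data frame, no DTLS
    (5247, capwap_header(k=1)),                               # data-channel keep-alive, no DTLS
    (5247, dtls_record(23, b"\xaa" * 32)),                    # DTLS-protected data plane
]

if __name__ == "__main__":
    for port, pkt in SAMPLE_PACKETS:
        print(port, classify(port, pkt))
    print(summarize(SAMPLE_PACKETS))
```

Run against a capture filtered to UDP 5246/5247, the two flags that matter are a non-zero `control_plaintext_other` count (something other than discovery is negotiating with the controller without DTLS) and a non-zero `data_plaintext` count on links that were assumed to be protected; a DTLS record is opaque to this parser by design, so it reports only the record's content type.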
• The CAPWAP protocol supports two modes of operation
Split MAC (centralized mode): the AP is in Local Mode (default)
Local MAC (FlexConnect)
• Split MAC: the AP terminates the wireless PHY and MAC sublayer; the Wi-Fi client's 802.11 frame is carried over the CAPWAP data plane to the controller, which bridges it onto the wire as an 802.3 frame (diagram)
• The Local MAC mode of operation allows data frames to be either locally bridged or tunneled to the controller as 802.3 frames
• In Local MAC the AP terminates the wireless PHY and MAC sublayer and itself converts the wireless frame to an 802.3 frame (diagram)
• FlexConnect supports locally bridged (Local MAC) and split MAC operation per SSID
• The 802.3 tunnel mode is not implemented by Cisco
• Centralized configuration and policy enforcement of the wireless LAN
• All access to network resources goes through the controller
RADIUS, DHCP, DNS, VLANs etc. (assuming the AP is in Local Mode)
• The controller acts as a security gateway for clients
Authentication profiles, ACL enforcement, bandwidth controls
• Manages all access points on the network
Auto channel and power assignments, coverage hole detection, firmware upgrade, statistics gathering, IDS and rogue AP detection, RF analysis
• No need to re-subnet the network for deployment (L2/L3 roaming)
Simple plug-and-play deployment model: APs can be dropped into any local or remote network segment.
Campus Design and Deployment options
• Components
• Wireless LAN controllers
• Aironet access points
• Management (Prime Infrastructure)
• Mobility Services Engine (MSE)
• Principles
• Overlay architecture
• Based on AireOS software
• The AP must have CAPWAP connectivity with the WLC
• Configuration is downloaded to the AP by the WLC
• All Wi-Fi traffic is forwarded to the WLC
(diagram: wireless LAN controller, Aironet access point, Cisco Prime Infrastructure and MSE attached to the campus network)
Existing Unified Wireless Deployment today (diagram): APs build CAPWAP tunnels (802.11 control session plus data plane) to WLC #1 in the Data Center / Service block, where the SSID-to-VLAN mapping is done at the controller (SSID1, SSID2, SSID3 toward the intranet); WLC #2 in the same Mobility Group is the "Guest" anchor WLC toward the Internet; Prime Infrastructure (PI) and ISE sit in the service block. A well-known, proven architecture.
Legend: AP-controller CAPWAP tunnels (encrypted, see notes); inter-controller EoIP / CAPWAP mobility tunnel; inter-controller (guest anchor) EoIP / CAPWAP tunnel.
Notes:
• AP / WLC CAPWAP tunnels are an IETF standard. UDP ports used: 5246 for encrypted control traffic; 5247 for data traffic (non-encrypted, or DTLS encrypted, configurable)
• Inter-WLC mobility tunnels: EoIP (IP protocol 97) in AireOS ≤ 7.2 and 7.4; AireOS 7.3 introduced a CAPWAP option, also available in ≥ 7.6. Used for inter-WLC L3 roaming and the guest anchor
Existing Unified Wireless Deployment today, with additional details on controller functionality (same diagram). These will become important later as we delve into the Converged Access deployment:
• Mobility Controller (MC): handles roaming, RRM, AP licenses, wIPS, etc.
• Mobility Agent (MA): terminates CAPWAP tunnels, maintains the client database
Each AireOS WLC, including the "Guest" anchor, performs both roles (MC + MA).
Existing Unified Wireless Deployment today (diagram): a Layer 2 Mobility Group of WiSM2s / 5508s in the Data Center, with Campus Services, Guest Anchors in the Data Center DMZ toward the Internet, PI and ISE, and the Campus Access layer; each controller is marked MC + MA.
Point of Presence (PoP) vs. Point of Attachment (PoA):
• PoP is where the wireless user is seen to be within the wired portion of the network
• Anchors the client IP address; used for security policy application
• PoA is where the wireless user has roamed to while mobile
• Moves with the user's AP connectivity; used for user mobility and QoS policy application
• Now, let's see how mobility works when a user roams in this deployment model…
Mobility Group defined:
• Group of Wireless LAN Controllers (WLCs) in a network with the same Mobility Group name
• Provides seamless mobility and fast roaming for clients
• Up to 24 WLC members in one Mobility Group, statically configured
• Full mesh of tunnels between members
Messages can be sent using multicast
• Mobility control messages
UDP port 16666 for unencrypted traffic (client context, including security state, is carried in these messages, so the inter-controller path must be a trusted network or the AireOS secure mobility option must be used)
• User data traffic
EoIP (IP protocol 97) or CAPWAP (UDP 5246)
• NAT between members is supported
(diagram: WLC 1, WLC 2, WLC 3 and WLC 4 fully meshed in one Mobility Group)
Inter-controller Layer 2 roaming (diagram: WLC 1 and WLC 2, each with a client database, mobility message exchange between them, roaming data path):
• Layer 2: the same VLAN X is present on both controllers
• The client database context is moved from WLC1 to WLC2
• The client database is updated with the new AP and security info
• The client becomes LOCAL to WLC-2; WLC-2 advertises reachability to the client
• No IP address refresh needed; data flows as shown
Existing Unified Wireless Deployment today, Layer 2 Mobility Group of WiSM2s / 5508s (same diagram as above, with PoA and PoP marked):
• Initially, the user's PoP and PoA are co-located on the same controller
• The controllers within the DC share a common set of user VLANs at Layer 2
• Initially, the user's traffic flow is as shown…
(same Layer 2 Mobility Group diagram, after the roam)
• Now, the user roams to an AP handled by a different controller within the same Mobility Group…
• The user's PoP and PoA both move to the new controller handling that user after the roam (possible since the controllers in this deployment model are all L2-adjacent within the VLANs)…
• After the roam, the user's traffic flow is as shown…
Inter-controller Layer 3 roaming (diagram: WLC 1 with VLAN X and WLC 2 with VLAN Z, client databases and mobility message exchange):
• Layer 3: different client VLANs on the controllers
• WLC-2 knows it doesn't have VLAN X
• The client database entry is copied from WLC1 to WLC2
• The client database is updated with the new AP and security info
(diagram continued: roaming data path over the EoIP tunnel between WLC 1 and WLC 2)
• WLC-1 is still the "anchor" for the client session
• Traffic goes through the EoIP tunnel and exits again in VLAN X
• No IP address change needed
Existing Unified Wireless Deployment today, Layer 3 Mobility Group (diagram: 5508 / WiSM-2 controllers, each MC + MA, spread across the Campus; Data Center Campus Services with PI and ISE; Guest Anchors in the Data Center DMZ toward the Internet; Campus Access):
• Initially, the user's PoP and PoA are co-located on the same controller
• Note: in this deployment model, it is assumed that the controllers across the Campus do not share a common set of user VLANs at Layer 2 (i.e. the controllers are all L3-separated)
• Initially, the user's traffic flow is as shown…
(same Layer 3 Mobility Group diagram, after the roam; symmetric mobility tunneling between the PoP and PoA controllers)
• Now, the user roams to an AP handled by a different controller within the same Mobility Group…
• The user's PoA moves to the new controller handling that user after the roam, but the user's PoP stays fixed on the original controller that the user associated to
• This is done to ensure that the user retains the same IP address across an L3 boundary roam, and also to ensure continuity of policy application during roaming
• After the roam, the user's traffic flow is as shown…
(same Layer 3 Mobility Group diagram, with Guest Anchors, before the roam)
• Now, let's examine roaming with Mobility Anchor use…
• When using Mobility Anchors, the user's PoP is always located at the Mobility Anchor controller, while the user's PoA moves as the user roams…
• Again, this is done to ensure that the user retains the same IP address across an L3 boundary roam, and also to ensure continuity of policy application during roaming
• Before the roam, the user's traffic flow is as shown… (tunneling of user traffic back to the Mobility Anchor; guest traffic assumed)
(same diagram, after the roam)
• After the roam, the user's PoA moves to the new controller that handles the AP the user has roamed onto… however, the user's PoP remains fixed at the Mobility Anchor controller…
• After the roam, the user's traffic flow is as shown… (tunneling of user traffic back to the Mobility Anchor; guest traffic assumed)
• The controller acts as an L2 device and bridges wireless traffic onto a VLAN
• All traffic is centralized and goes through the WLC, even for two clients connected to the same AP
• Full feature support, since the WLC sees all the traffic
• The controller is the insertion point for wireless traffic into the wired network
• QoS or security policies for wireless traffic can easily be centralized
• Can easily scale by adding other controllers in the centralized location (Data Center)
• No configuration needed on the switch access port connected to the access point
• Inter-controller L2 roaming is recommended: less exchange of traffic among the controllers
Traffic Flows, Unified Wireless (diagram: wireless handset to wired handset via the WiSM2s / 5508s, CUCM and the PSTN; wired policies implemented on the switch, wireless policies implemented on the controller; PoP and PoA on the same MC + MA controller):
• In this example, a VoIP user is on today's CUWN network and is making a call from a wireless handset to a wired handset…
• We can see that all of the user's traffic needs to be hairpinned back through the centralized controller, in both directions…
In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers; Layer 3 roaming might add more hops)…
The same traffic paths are incurred for voice, video, data, etc.: all centralized. Separate policies and services for wired and wireless users.
Existing Unified Wireless Deployment today…
Campus Design and Deployment options: Converged Access
Converged Access: a common Cisco IOS for LAN and WLAN, programmable and SDN-ready. Operational consistency (the same well-known commands: show, run config, debug, clear, ping, save, copy, ?, plus ap, dot11, antenna, rename, set, wireless management interface, wireless mobility controller). Unified Access Data Plane ASIC (UADP): a common fabric for LAN and WLAN.
One Network, with Converged Access: a new deployment mode option for wired / wireless
(diagram of the legacy model: Wireless Control System, Access Control Server, LAN management solution, identity management, NAC profiler and guest server alongside the Cisco wireless LAN controller, Catalyst switch, Cisco access point and Cisco firewall between the corporate network, internal resources and the Internet; replaced by One Management (Prime), One Policy (ISE) and One Network)
IOS-based WLAN controller (WLC 5760)
• Consistent IOS and ASIC with the Catalyst 3x50
• Recommended to scale campuses beyond 100 APs on switches or 4 000 wireless devices
Converged Access mode (Catalyst 3650 / Catalyst 3850)
• Integrated wireless controller
• Distributed wired/wireless data plane (CAPWAP termination on the switch)
Cisco Converged Access Deployment: converged wired / wireless access switches, benefits overview (Unified Access: One Policy | One Management | One Network)
• Scale with a distributed wired and wireless data plane: large stack bandwidth, 40G wireless per switch, efficient multicast, 802.11ac optimized
• Maximum resiliency with fast stateful recovery: layered network high-availability design with stateful switchover
• Single platform for wired and wireless: common IOS, same administration point, one release
• Network-wide visibility for faster troubleshooting: wired and wireless traffic visible at every hop
• Consistent security and Quality of Service control: hierarchical bandwidth management and distributed policy enforcement
Cisco Converged Access Deployment: visibility for wired and wireless, Flexible NetFlow v9
Visibility into wired and wireless traffic at the access
• Can monitor East-West and North-South flows
• Natively available in the hardware
• A single flow monitor can be applied to wired ports and to an SSID
• Detect network anomalies with hop-by-hop metrics such as packet loss, RTT, jitter and delay
• Understand application traffic patterns such as HTTP, SMTP, voice, video, etc.
• Analyze usage trends over time and location
• Enforce policies to limit usage, based on application, time, location or load
• Plan for access capacity expansion
(Understand bandwidth consumption by various devices and applications; detect anomalies in traffic flows)
Cisco Converged Access Deployment (diagram): one Mobility Group with PI and ISE; inside it Sub-Domain #1 and Sub-Domain #2, each with its MC; under each MC, Switch Peer Groups (SPG) of Mobility Agents (MA).
Cisco Converged Access Deployment (diagram): roaming latency, fast roam versus new authentication, as the client crosses a Mobility Agent, a Switch Peer Group (Peer Group 1, Peer Group 2), a Mobility Sub-Domain (A, B) and finally the Mobility Group boundary; the chart marks 14 ms, 50 ms, 80 ms, 120 ms and > 250 ms.
• Mobility Agent (MA): terminates the CAPWAP tunnel from the AP (physical entity)
• Mobility Controller (MC): manages mobility within and across Sub-Domains (physical entity)
• Mobility Group: grouping of Mobility Controllers (MCs) to enable fast roaming (logical entity)
• Switch Peer Group (SPG): localizes traffic for roams within a distribution block (logical entity)
MA, MC and Mobility Group functionalities all exist in today's controllers
Mobility Agent
• The MA is the first level in the hierarchy of MA / MC / MO
• One MA per Catalyst 3850/3650 stack
• Maintains the client DB of locally served clients
• Interfaces to the Mobility Controller (MC)
Mobility Controller
• Mandatory element in the design; handles AP licenses
• Can be hosted together with an MA
• Manages the mobility-related state of MAs
• Maintains the client DB within a Sub-Domain (1 x MC = one Sub-Domain)
• Handles RF functions (including RRM)
• Multiple MCs can be grouped together in a Mobility Group
Catalyst 3650/3850: best-in-class wired switch with integrated wireless mobility functionality
• Can act as a Mobility Agent (MA) for terminating CAPWAP tunnels for locally connected APs…
• as well as a Mobility Controller (MC) for other Mobility Agent (MA) switches, in small deployments
- MA/MC functionality works on a stack of Catalyst 3650/3850 switches
- MA/MC functionality runs on the stack master
- The stack standby synchronizes some information (useful for intra-stack HA)
Switch Peer Group (diagram: Sub-Domain 1 with an MC and two SPGs, SPG-A and SPG-B, each of two MAs)
• Made up of multiple Catalyst 3x50 switches as Mobility Agents (MAs), plus an MC (on a controller, as shown)
• Handles roaming across SPGs (L2 / L3)
• MAs within an SPG are fully meshed (auto-created at SPG formation)
• Fast roaming within an SPG
• Multiple SPGs under the control of a single MC form a Sub-Domain
SPGs are a logical construct, not a physical one. SPGs can be formed across Layer 2 or Layer 3 boundaries. SPGs are designed to constrain roaming traffic to a smaller area, and to optimize roaming capabilities and performance. Current thinking on best practices dictates that SPGs will likely be built around buildings, around floors within a building, or other areas that users are likely to roam most within. Roamed traffic within an SPG moves directly between the MAs in that SPG (CAPWAP full mesh); roamed traffic between SPGs moves via the MC(s) servicing those SPGs. The hierarchical architecture is optimized for scalability and roaming.
Mobility Group (diagram: Sub-Domain 1 with SPG-A and SPG-B under one MC, Sub-Domain 2 with SPG-E and SPG-F under another MC; the two MCs form one Mobility Group; the Switch Peer Group definition is as on the previous slide)
• Made up of multiple Mobility Controllers (MCs)
• Handles roaming across MCs (L2 / L3)
• RF management (RRM, handled by the RF Group) and key distribution for fast roaming
• One Mobility Controller (MC) manages RRM for the entire RF Group
• Fast roams are limited to Mobility Group member MCs
Cisco Converged Access Deployment (diagram: three APs on one SPG of three MAs, under an MC)
Point of Presence (PoP) vs. Point of Attachment (PoA):
• PoP is where the wireless user is seen to be within the wired portion of the network
• PoA is where the wireless user has roamed to while mobile
• Before a user roams, PoP and PoA are in the same place
If users associate and remain stationary, this is their traffic flow: straight through the access switch stack they are attached to. Note that the traffic does NOT flow through the MC…
Roaming within a Switch Peer Group (Branch); diagram: a larger branch with one 3x50 stack acting as MC + MA and three further MA stacks in one SPG, joined by a distribution layer; the user roams across stacks within the same SPG (a very common roaming case); uRPF, symmetrical routing, NetFlow and stateful policy application stay at the PoP
• Now, let's examine a roam at a larger branch, with multiple 3x50-based switch stacks joined together via a distribution layer
• In this example, the larger branch site consists of a single Switch Peer Group, and the user roams within that SPG; again, at a larger branch such as this, this may be the only type of roam
The user may or may not have roamed across an L3 boundary (depends on the wired setup); however, users are always* taken back to their PoP for policy application
Again, notice how the 3x50 switch stack on the left is an MC (as well as an MA) in this picture; in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required…
* Adjustable via a setting; may be useful for L2 roams
• When a wireless client roams to a switch where the client VLAN is present, it is considered an L2 roam; in CUWN this would imply that the PoP moves to the new switch
• When a wireless client roams across L3 subnets (i.e. to switches where its own VLAN is not present), it is considered an L3 roam; as in CUWN, tunneling is used to keep the client's IP address
• In Converged Access, by default all roams are treated as L3 roams: the data path is anchored at the home switch (a feature called "Sticky / L2 anchoring")
Sticky roaming is ON by default; it can be disabled on a per-WLAN basis
• In both cases, the client continues to maintain its original IP address; this is called seamless mobility.
Roaming across SPGs (diagram: two SPGs of three MAs each, under two MCs; L3 separation assumed at the access layer; a less common roaming case)
• In this example, the user roams across Switch Peer Groups; since SPGs are typically formed around floors or other geographically close areas, this could represent a large building
• Typically, this type of roam will take place across an L3 boundary (depends on the wired setup); however, users are always* taken back to their PoP for policy application
• Note how traffic goes through the MC in this case
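The PoP/PoA rules spread over the CUWN roaming slides (L2 roam moves the PoP, L3 roam and guest anchor keep it) and the Converged Access slides (sticky anchoring by default, MA-to-MA path inside an SPG, via the MC across SPGs and across sub-domains) decide where a client's security policy is actually enforced after a roam. The model below is an added example, not Cisco code and not from the deck: it encodes those rules as a function over a constructed topology so the enforcement point and the tunnel path can be checked for any roam. Node names, VLAN names and the `mode`/`sticky` arguments are assumptions made for the example; they are not controller configuration syntax.

```python
"""Where a client's Point of Presence (PoP) and Point of Attachment (PoA) end up after a
roam, and which tunnel path its traffic takes, under the rules the deck describes.
Added example, not Cisco code. Node names, VLAN names and the mode/sticky knobs are
assumptions used to model the text; they are not controller configuration syntax."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    """A WLC (CUWN) or a Catalyst 3x50 stack acting as Mobility Agent (Converged Access)."""
    name: str
    vlans: frozenset                # client VLANs present on this node
    spg: Optional[str] = None       # Switch Peer Group (Converged Access only)
    mc: Optional[str] = None        # name of the Mobility Controller serving this node


@dataclass
class Session:
    client_vlan: str
    pop: str                        # anchors the client IP address; security policy is applied here
    poa: str                        # node the client is attached to now; mobility/QoS applied here
    guest_anchor: Optional[str] = None
    tunnel: List[str] = field(default_factory=list)   # nodes the roamed traffic passes through


def roam(session: Session, nodes: Dict[str, Node], new_poa: str,
         mode: str = "cuwn", sticky: bool = True) -> Session:
    """Apply one roam. mode is 'cuwn' (AireOS controllers) or 'ca' (Converged Access);
    sticky models the Converged Access 'Sticky / L2 anchoring' WLAN setting (on by default)."""
    if mode not in ("cuwn", "ca"):
        raise ValueError("mode must be 'cuwn' or 'ca'")
    home, new = nodes[session.pop], nodes[new_poa]
    session.poa = new_poa
    if session.guest_anchor is not None:
        # Mobility anchor: the PoP is pinned to the anchor controller; the PoA tunnels everything back.
        session.pop = session.guest_anchor
        session.tunnel = [new_poa, session.guest_anchor]
        return session
    vlan_present = session.client_vlan in new.vlans
    if mode == "cuwn":
        if vlan_present:            # L2 roam: client context moves, the PoP follows the client
            session.pop, session.tunnel = new_poa, []
        else:                       # L3 roam: the PoP stays on the original WLC, traffic tunnelled back
            session.tunnel = [new_poa, session.pop]
        return session
    # Converged Access: every roam is anchored at the home switch unless sticky is off and the VLAN is local.
    if vlan_present and not sticky:
        session.pop, session.tunnel = new_poa, []
    elif new.spg == home.spg:       # intra-SPG: MAs are fully meshed, traffic goes MA to MA
        session.tunnel = [new_poa, session.pop]
    elif new.mc == home.mc:         # across SPGs in one sub-domain: via the MC
        session.tunnel = [new_poa, new.mc, session.pop]
    else:                           # across sub-domains in the mobility group: via both MCs
        session.tunnel = [new_poa, new.mc, home.mc, session.pop]
    return session


def policy_point(session: Session) -> str:
    """Security policy (ACLs, bandwidth contracts) follows the PoP, not the AP the client is on."""
    return session.pop


# Constructed topologies for the example, not a real site.
CUWN = {"WLC1": Node("WLC1", frozenset({"X"})), "WLC2": Node("WLC2", frozenset({"X"})),
        "WLC3": Node("WLC3", frozenset({"Z"})), "ANCHOR": Node("ANCHOR", frozenset({"GUEST"}))}
CA = {"MA1": Node("MA1", frozenset({"X"}), spg="A", mc="MC1"),
      "MA2": Node("MA2", frozenset({"X"}), spg="A", mc="MC1"),
      "MA3": Node("MA3", frozenset({"Y"}), spg="B", mc="MC1"),
      "MA5": Node("MA5", frozenset({"Y"}), spg="E", mc="MC2")}

if __name__ == "__main__":
    s = roam(Session("X", "WLC1", "WLC1"), CUWN, "WLC3")
    print("CUWN L3 roam: policy at", policy_point(s), "via", s.tunnel)
    s = roam(Session("X", "MA1", "MA1"), CA, "MA5", mode="ca")
    print("Converged Access cross-sub-domain roam: policy at", policy_point(s), "via", s.tunnel)
```

The useful property to check is that `policy_point` only changes on a CUWN L2 roam or on a Converged Access roam with sticky anchoring disabled; everywhere else the client keeps its IP address and its enforcement point, at the cost of a tunnel whose length grows with the hierarchy crossed.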
Traffic Flows, Comparison (Converged Access); diagram: wireless handset to wired handset through the same 3x50 stack (MA, with PoP and PoA co-located) under one SPG and MC, with CUCM and the PSTN; wired and wireless policies implemented on the 3650/3850 switch; traffic does not flow via MCs
• Now, our VoIP user is on a Cisco Converged Access network, and is again making a call from a wireless handset to a wired handset…
• We can see that all of the user's traffic is localized to their Peer Group, below the distribution layer, in both directions…
In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming)… two additional hops may be incurred for routing…
More efficient, since traffic flows are localized to the 3x50 switch: performance increase. Converged policies and services for wired and wireless users.
• Wireless data traffic is distributed at the access switches
The traffic path is optimized for east-west communication
• Same distributed point of ingress to the network for wired and wireless (the access switch)
Same troubleshooting tools, same visibility for wireless traffic (not encapsulated anymore)
• Subnet design should be carefully considered
Possible DHCP address contention between wireless and wired clients
Difficult to size the wireless subnet
The same policies can be applied to wired and wireless if desired
• Size recommendation for campus deployments
a) No more than 600 APs and 7000 clients for the 5760 as MC in Converged Access deployments
b) No more than 2 x MCs in switch-only deployments (50 APs with 3650s and 100 APs with 3850s)
Branch Office Design and Deployment options
Cisco FlexConnect with different controller deployment options; Branch (controller in DC):
• Virtual Controller: 5 to 200 APs, 6000 clients, 500 Mbps
• Flex 7500: 300 to 6000 APs, 64,000 clients, 1 Gbps central
FlexConnect (ex-HREAP)
ISE
SSID
Data
SSID
Guest
Remote
Location
Controller
Trunk
Trunk
links
MSE
WAN
Prime
SSID
Voice
• Centralized control plane
• FlexConnect mode of operation:
Connected mode vs Standalone
• Data plane flexibility
Local vs Central switching
Configured per SSID
• FlexConnect Local switching
VLANs are added at access switch
Not all features are supported (L3 roaming, Mesh, WGB support, etc)
• HA will preserve locally switched traffic
• Mostly deployed over a WAN
RTT below 300 ms for data (100 ms for voice)
Minimum 500 bytes WAN MTU (with max four fragmented packets)
69
Local controller onsite
[Figure: central site with a backup central controller; Remote Site A with a WLC-25xx, Remote Site B with a WLCM for ISR/ISR-G2, Remote Site C with a Catalyst 3650; APs join their local controller over CAPWAP, with the central controller reachable across the WAN as backup]
Options: Cisco 2500 Series Controller, Catalyst 3650, Virtual Controllers (vWLC)
70
Evolution of Medium/Large Branch Deployment: "Catalyst 3650 is the New Branch Controller"
[Figure: traditional branch (Catalyst 2960-X access switch, WLC 2504, ISR 2900/3900 to the WAN) vs. Catalyst 3650 as branch controller (Catalyst 3650 with ISR AX); in both, Prime and ISE are central and a guest anchor controller sits in the DMZ for the Employee and Guest SSIDs]
Traditional Deployment:
• Dedicated WLC (2504, up to 75 APs)
• Multiple OS/devices to manage
• 1 Gbps of wireless traffic
• Up to 1000 wireless clients
Cat. 3650 as Branch Controller:
• Cat. 3650 terminates wired and wireless traffic – 40 Gbps wireless
• Up to 1000 wired and wireless clients, 25 APs
• Full IOS-based branch, HA capable
Priced at par vs. traditional solutions (3650* price difference vs. 2K-X** and 2K-XR***, by number of APs in the solution):
APs in solution    3650* vs. 2K-X**    3650* vs. 2K-XR***
5                  29%                 -9%
10                 24%                 -8%
15                 10%                 -13%
20                 9%                  -12%
25                 1%                  -15%
* 24-port PoE IP Base with 1G uplinks
** LAN Base + 2504 WLC
*** IP Lite + 2504 WLC
71
Converged Access Branch Deployment Modes
[Figure: two branch variants, both with Prime and ISE central and a DMZ controller for the Guest SSID; legend: CAPWAP tunnel from AP to the integrated controller, standard Ethernet with no tunnels, guest tunnel from switch to DMZ controller]
Controller-less branch (single 3650 with integrated controller, MC and MA roles on the switch):
• Up to 25 access points with a 3650
• Up to 1000 clients per branch with a 3650
• All WAN services available (local termination)
Controller-less larger branch (several 3650s, MC and MA roles spread across the switches):
• Up to 50 access points with only 3650s
• Up to 2000 clients with only 3650s
• Visibility, control and resiliency
72
Architecture comparison
• What do Flex and Converged Access really have in common from an architecture point of view, that makes people compare the two?
Control plane and data plane separation
Distributed data plane
Wireless and wired traffic are both local to the access switch; the same or different VLANs are supported for wireless and wired
Visibility of wireless traffic available from the access switch
WAN optimization techniques (WAAS) applicable to wireless traffic
Security and QoS policies applicable at the edge (branch) of the network (not the same policies, but at least the point of enforcement can be distributed)
73
Preliminary considerations
• For this comparison, only FlexConnect local switching is considered:
In terms of architecture and feature support, Flex central switching is very similar to the centralized deployment mode (AP in Local mode)
• For this comparison a 3650/3850-based Converged Access solution is considered:
One or more stacks, with the MC embedded in the 3650/3850, not in a discrete controller
• For the comparison, the following reference design is considered:
Branch deployment with fewer than 25 APs
Voice and fast roaming are requirements
High availability is required
• Today, CA only supports local mode APs and a few features are still different.
74
Architecture comparison: the differences

Function | Converged Access (3x50) | FlexConnect (local switching)
Control and data plane separation | MC and MA functionalities are used | Controller handles the control plane, AP the data plane
Control and data plane termination | Both terminated at the switch | Control plane terminated at the WLC (300 ms max RTT requirement), AP bridging for data traffic
Wired and wireless traffic | True wireless and wired convergence | Local access switch sees wireless traffic as if it were wired traffic through a bridge
Dot1x authentication | Switch acts as dot1x authenticator for wireless and wired | WLC or AP is the authenticator for wireless
L2/L3 seamless roaming | All supported | Only L2 roaming supported
Fast roaming | Supported | Supported within the FlexConnect Group (different scalability for different controller platforms)
Subnetting definition | Flexibility of having wireless in the same or different VLANs per wiring closet | Same VLAN is required for seamless roaming
QoS policies enforcement point | Local switch, and the same for wired and wireless | WLC, AP or access switch, and usually different for wireless and wired
Security enforcement point | Local switch, and the same for wired and wireless | WLC, AP or access switch, and usually different for wireless and wired
WAN dependencies | No WAN dependencies for wireless service | Different requirements based on type of traffic (voice, data, monitor APs only)*
75
Feature comparison: the differences

Feature (*) | 3650 / 3850 in the Branch | Flex (**) Local Mode
All AP modes (Mesh, Flex, OEAP) | Not supported (roadmap), and only 11n+ APs | Supported (Mesh and Flex since 8.0)
802.11r Fast Secure Roaming | Supported | Supported
No service interruption upon controller failure (***) | AP SSO is supported within the stack | Supported
VLAN Select (interface group) | Supported | Not supported
Downloadable ACL | Supported | Not supported (Airespace ACL)
Security Group Tag (SGT) and Security Group ACLs (SGA) | Supported | Not supported
IPv6 client mobility | Supported | Not supported
Advanced modular QoS and QoS override | Supported | Not supported
NetFlow | Supported | Not supported
VideoStream (multicast to unicast) | Supported | Supported
Application Visibility and Control | Supported | Not supported (planned for 8.1)
Bonjour Services | Supported | Supported
76
Summary
77
U n i f i e d A c c e s sOne Policy
One Management
One Network
78
Positioning and characteristics: Converged Access vs. Centralized (AireOS)

Converged Access, positioning:
• Switch refresh
• Future upgrade to converged access
• Perfect for scaling with 802.11ac
• Ready for SDN evolution
• Perfect for branch deployments
Centralized (AireOS), positioning:
• Wireless-only overlay
• Most mature and feature-rich offering
• Ready for 802.11ac
• Perfect for 802.11n
• Support for all AP modes
• Optimized for campus

Centralized (AireOS), characteristics:
• Broadest feature set
• Centralized control plane
• Centralized data plane
• On-premise controller
Converged Access, characteristics:
• Controller at every location
• Centralized control plane
• Distributed data plane
• Common LAN and WLAN OS
• LAN and WLAN feature consistency
• Optimized for high performance
• Optimized for branch deployments
79
Multiple options exist, depending on the type and size of the branch
• 1 AP: Autonomous IOS AP or CVO router
• Up to 10 APs: FlexConnect with vWLC, 7500 or 5508/WiSM-2
• Up to 25 APs: Converged Access, FlexConnect, local 2504 bundles

Branch, controller on-premise:
• Cisco 2500: 5 to 75 APs, 1000 clients, 1 Gbps
• Virtual WLC (e.g. UCS-E on ISR G2): 5 to 200 APs, 3000 clients, 500 Mbps
• Catalyst 3850: 1-50 APs per switch/stack (directly connected APs), 2000 clients per stack, 40 Gbps per switch
• Catalyst 3650: 1-25 APs per switch/stack (directly connected APs), 1000 clients per stack, 40 Gbps per switch
Branch, controller in DC:
• Virtual Controller: 5 to 200 APs, 6000 clients, 500 Mbps
• Flex 7500: 300 to 6000 APs, 64,000 clients, 1 Gbps central
83
Cisco Wireless LAN Controller - Configuration Best Practices
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
84
Best Practices (AireOS)

Infrastructure:
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP re-transmit parameters
• Enable FastSSID change
• Enable per-user BW contracts
• Enable Multicast Mobility
• Enable client load balancing
• Disable Aironet IE
• FlexConnect Groups and Smart AP Upgrade

Security:
• Enable 802.1X and WPA/WPA2 on WLANs
• Enable 802.1X authentication for APs
• Change advanced EAP timers
• Enable SSH and disable telnet
• Disable management over wireless
• Disable Wi-Fi Direct
• Secure web access (HTTPS)
• Enable user policies
• Enable client exclusion policies
• Enable rogue policies and rogue detection RSSI
• Strong password policies
• Enable IDS
• Extend BYOD timers

Mesh:
• Set a Bridge Group Name
• Set a preferred parent
• Deploy multiple root APs in each BGN
• Set backhaul rate to "Auto"
• Set backhaul channel width to 40/80 MHz
• Backhaul link SNR > 25 dB
• Avoid DFS channels for backhaul if possible
• External RADIUS server for mesh MAC authentication
• Enable IDS
• Enable EAP mesh security mode

Wireless / RF:
• Disable 802.11b data rates
• Restrict the number of WLANs to fewer than 4
• Enable channel bonding (40 or 80 MHz)
• Enable BandSelect
• Use RF profiles and AP groups
• Enable RRM (DCA and TPC) in auto mode
• Enable auto RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable noise and rogue monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
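The security items in this checklist (SSH instead of telnet, no management over wireless, HTTPS only, 802.1X with WPA/WPA2 on every WLAN, Aironet IE and Wi-Fi Direct off) are the ones most worth re-verifying mechanically after a controller is deployed or upgraded. The Python script below is an added example, not code from this deck or from Cisco: it parses controller output in the dotted-leader style AireOS uses for its show commands and reports deviations from the checklist. The sample output and the field names it keys on (Telnet, Secure Shell (ssh), Mgmt Via Wireless Interface, Static WEP Keys, AKM 802.1X, Wi-Fi Direct Policy and so on) are constructed and simplified for the example; map the check tables onto the exact strings your controller prints before relying on the result.

```python
import re
from dataclasses import dataclass

# Constructed sample in the dotted-leader style of 'show network summary'.
# Field names are simplified assumptions for this example, not verified output.
SAMPLE_NETWORK_SUMMARY = """\
Web Mode.......................................... Enable
Secure Web Mode................................... Enable
Secure Shell (ssh)................................ Enable
Telnet............................................ Enable
Mgmt Via Wireless Interface....................... Enable
Fast SSID Change.................................. Disable
"""

# Constructed sample of two WLAN blocks: a sound corporate SSID and a legacy WEP SSID.
SAMPLE_WLANS = """\
WLAN Identifier................................... 1
Network Name (SSID)............................... CorpData
Static WEP Keys................................... Disabled
Wi-Fi Protected Access (WPA/WPA2)................. Enabled
WPA2 (RSN IE)..................................... Enabled
AKM 802.1X........................................ Enabled
Aironet IE Support................................ Enabled
Wi-Fi Direct Policy............................... Allowed

WLAN Identifier................................... 2
Network Name (SSID)............................... Scanners
Static WEP Keys................................... Enabled
Wi-Fi Protected Access (WPA/WPA2)................. Disabled
WPA2 (RSN IE)..................................... Disabled
AKM 802.1X........................................ Disabled
Aironet IE Support................................ Disabled
Wi-Fi Direct Policy............................... Not-Allowed
"""

# 'Key.......... Value' with at least three leader dots; keys may contain dots (802.1X).
LEADER = re.compile(r"^\s*(.+?)\.{3,}\s*(.+?)\s*$")


@dataclass
class Finding:
    scope: str      # "controller" or the SSID the finding applies to
    severity: str   # CRITICAL / HIGH / MEDIUM / LOW / INFO
    message: str


def parse_dotted(text):
    """Return {key: value} for dotted-leader lines; all other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = LEADER.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def parse_wlans(text):
    """Split 'show wlan'-style output into one field dict per WLAN block."""
    blocks = re.split(r"\n(?=WLAN Identifier)", text.strip())
    return [parse_dotted(b) for b in blocks if b.strip()]


# (field, values that satisfy the checklist, severity and message when it does not)
CONTROLLER_CHECKS = [
    ("Telnet", {"Disable"}, "HIGH", "telnet enabled; disable it and use SSH"),
    ("Secure Shell (ssh)", {"Enable"}, "HIGH", "SSH disabled"),
    ("Web Mode", {"Disable"}, "MEDIUM", "plain HTTP management enabled; use HTTPS only"),
    ("Secure Web Mode", {"Enable"}, "HIGH", "HTTPS management disabled"),
    ("Mgmt Via Wireless Interface", {"Disable"}, "HIGH", "management reachable over wireless"),
    ("Fast SSID Change", {"Enable"}, "LOW", "Fast SSID change disabled"),
]
WLAN_CHECKS = [
    ("Static WEP Keys", {"Disabled"}, "CRITICAL", "static WEP in use"),
    ("Wi-Fi Protected Access (WPA/WPA2)", {"Enabled"}, "HIGH", "WPA/WPA2 disabled"),
    ("Aironet IE Support", {"Disabled"}, "LOW", "Aironet IE enabled"),
    ("Wi-Fi Direct Policy", {"Not-Allowed"}, "LOW", "Wi-Fi Direct clients allowed"),
]
# Only meaningful once WPA/WPA2 is on; a WLAN without WPA is already reported above.
WLAN_WPA_CHECKS = [
    ("WPA2 (RSN IE)", {"Enabled"}, "MEDIUM", "WPA2 (RSN) not enabled, WPA1/TKIP only"),
    ("AKM 802.1X", {"Enabled"}, "MEDIUM", "802.1X key management not enabled"),
]


def run_checks(fields, checks, scope):
    """Evaluate one check table against parsed fields; a missing field is reported as INFO."""
    findings = []
    for key, good, severity, msg in checks:
        value = fields.get(key)
        if value is None:
            findings.append(Finding(scope, "INFO", f"field '{key}' not found in output"))
        elif value not in good:
            findings.append(Finding(scope, severity, f"{msg} ({key} = {value})"))
    return findings


def audit(network_summary, wlan_output):
    """Return every finding for the controller dump plus its WLAN dumps."""
    findings = run_checks(parse_dotted(network_summary), CONTROLLER_CHECKS, "controller")
    for wlan in parse_wlans(wlan_output):
        ssid = wlan.get("Network Name (SSID)", wlan.get("WLAN Identifier", "?"))
        findings += run_checks(wlan, WLAN_CHECKS, ssid)
        if wlan.get("Wi-Fi Protected Access (WPA/WPA2)") == "Enabled":
            findings += run_checks(wlan, WLAN_WPA_CHECKS, ssid)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETWORK_SUMMARY, SAMPLE_WLANS):
        print(f"[{f.severity:8}] {f.scope}: {f.message}")
```

Run it against saved `show network summary` and `show wlan <id>` captures and review the INFO findings first: a field the parser did not find means the check table does not yet match that controller's output, not that the setting is safe. On the constructed sample the controller dump yields telnet, plain HTTP and management-over-wireless findings, CorpData only the two low-severity ones, and the legacy Scanners WLAN a critical WEP finding.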
100
Key Takeaways
101
Industry Leadership / Market Leadership
• 20+ years of market share leadership
• 800,000+ WLAN customers
• 2,000,000+ LAN customers
• 18,000,000 ISE endpoint licenses sold
• 75,000,000 AnyConnect licenses sold
• Broadest LAN, WLAN, and Security portfolio
• 90% Fortune 1000 have selected Cisco
• 10+ years of Gartner MQ leadership
• Leader in Unified Access Gartner MQ
• Ongoing IEEE, IETF, Wi-Fi Alliance leadership
• Largest patent portfolio in the industry
• Largest development team in the industry
• Common Criteria EAL and PCI certifications
102
Thank you.