Cisco Connect Clubftp.cisco.cz/Seminare/2013-ConnectClub/2014-06-05... · • WLAN design s...

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 1 © 2013 Cisco and/or its affiliates. All rights reserved.

Cisco Connect Club

Architektura WLAN sítí – řešení pro pobočky

Jaroslav Čížek – Cisco

Červen 2014

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2

Architektura WLAN sití – řešení pro pobočky

• Úvod

• Modely nasazení WLAN pro pobočky

• WLAN design s lokálními kontrolery na pobočkách

- klasické kontrolery - konvergovaný přístup

• WLAN design s kontrolery v centru a AP na pobočkách (FlexConnect)

• Cloudové řešení

• Vybrané vlastnosti Cisco FlexConnect řešení

• Obecné FlexConnect vlastnosti

• Novinky a zajímavosti

• Cisco WLAN portfolio pro pobočkové sítě

• Shrnutí


ORGANIZATION

TIME

Smartphone adoption is growing

at 50%+ annually

By 2015, tablets will

constitute 50% of

laptop sales

Market Landscape: Influx of Mobile Devices

© 2013 Cisco and/or its affiliates. All rights reserved. 4

Modely nasazení WLAN pro pobočky


Wireless Deployment Modes - Overview

One Policy, One Management, One Network

Unified Access Wireless

Unparalleled Deployment Flexibility

Autonomous FlexConnect

(Private

Cloud)

Centralized Converged

Access

Ease of Use

Unified

Network

Public

Cloud

N.A.A.S.


Unified Wireless Principles

6

• Components

• Wireless LAN Controllers

• Aironet Access Points

• Management

• Mobility Services Engine

• Principles

• AP must have CAPWAP connectivity with WLC

• Configuration downloaded to AP by WLC

• All Wi-Fi traffic is forwarded to the WLC

Wireless LAN

Controllers

Aironet Access

Point

Cisco Prime

Infrastructure

Campus

Network


Branch Office with Local WLAN Controller

7

• Branches can also have local remote controllers

• Small or Mid-size Branch WLCs

CT-2504,

Integrated controller modules in ISR/ISR-G2

Converged Access Cat-3850/3650

• High-availability design with central backup controller is supported; WAN limitations may apply

Overview

Remote Site B

Remote Site A

WLC-25xx WLCM for

ISR/ISR-G2

Backup Central

Controller

WAN

Central Site

Remote Site C

Cat-3850

CAPWAP


Branch Deployments with Converged Access

Single platform for wired and wireless

Wired and wireless traffic visibility at every hop

Consistent security and QoS control

Maximum resiliency with fast stateful recovery

Scale with distributed wired and wireless data

plane (480G Stack/40G wireless per switch)

• Allows for Advanced QoS, WAN optimization,

NetFlow, and other services for wireless and wired traffic

• Supports Layer 3 roaming

• Good availability due to MA/MC redundancy within the 3850

stack – provides wireless continuity with either WAN outage or

switch failure within the stack

25 (– 100)

AP’s

Multilayer or

Routed Access

DEPOYABLE

TODAY

DMZ

ISE Prime

3850/3650

8 Employee Guest

BRANCH

WAN

INTEGRATED

CONTROLLER

Converged Access With:

Cat-3650/3850 (NOW), Cat4500 (H2CY2014)


Branch Office with Local WLAN Controller

9

• Cookie cutter configuration for every branch site

• Layer-3 roaming within the branch

• Reliable Multicast (filtering)

• IPv6 L3 Mobility

• AVC (Application Visibility and Control)

Note: If you have ISR/ISR G2 at branch site then it is recommended to use the IOS Firewall at edge for unified access policies.

Advantages


Evolution of Medium/Large Branch Deployment

DMZ Prime

ISE

10 Employee Guest

Guest

Anchor

Catalyst

2960S

ISR

2900/3900

WAN

WLC

2504

DMZ Prime

ISE

WAN

10 Employee Guest

Guest

Anchor

Catalyst

3650

/3850

ISR AX

Traditional Deployment Cat. 3650/3850 as Branch Controller

• Dedicated WLC (2504 up to 75

APs)

• Multiple OS/devices to manage

• 1 Gbps of Wireless traffic

• Up to 1000 wireless clients

• Cat. 3650/3850 terminates wired

and wlan traffic – 40 Gbps Wireless

• Up to 1000 W&Wless clients, 25/50

APs

• Full IOS based branch, HA capable

Priced at par vs. traditional solutions

3650* vs.

2K-X** 2K-XR***

# o

f A

P’s

in

So

luti

on

5 29% -9%

10 24% -8%

15 10% -13%

20 9% -12%

25 1% -15%

* 24 Port PoE IP Base w/1G UpL

** LAN Base + 2504 WLC

*** IP Lite + 2504 WLC


• Management and data plane are split

• Data Plane can be:

Centralized (SSID traffic sent all to WLC)

Local (SSID traffic sent all to local VLAN)

• Two modes of operation:

Connected (when WLC is reachable)

Standalone (when WLC is not reachable)

• Traffic Switching mode is configured per AP and per WLAN (SSID)

From 7.3 split tunneling is supported on a per-WLAN basis: the AP can NAT unicast IPv4 to local hosts

• FlexConnect Group:

Defines the Key caching domain for Fast L2 Roaming, allows backup Radius scenarios and fast code upgrade

WAN

Central Site

Remote Office

with

FlexConnect

Centralized

Traffic

Centralized

Traffic

Local

Traffic

Cluster of

WLC Branch Office Deployment FlexConnect (HREAP)


FlexConnect Design Considerations

• Note: 12 kbps per AP is worse case scenarios, tested with aWIPS, CleanAir, Location services on. Best case scenario is around 1-2 kbps

WAN Limitations

Deployment Type WAN Bandwidth

(Min)

WAN RTT Latency

(Max)

Max APs per

Branch

Max Clients per

Branch

Data 64 kbps 300 ms 5 25

Data+Voice 128 kbps 100 ms 5 25

Monitor 64 kbps 2 sec 5 N/A

Data 640 kbps 300 ms 50 1000

Data+Voice 1.44 Mbps 100 ms 50 1000

Monitor 640 kbps 2 sec 50 N/A

12

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 13 13

FlexConnect Design Considerations

• Some features are not available in standalone mode or in local switching mode

MAC/Web Auth in Standalone Mode

VideoStream

IPv6 L3 Mobility

SXP TrustSec

See full list in « FlexConnect Feature Matrix »

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml

Feature Limitations Apply




Converged Access vs FlexConnect Architecture comparison:

the differences

Function Converged Access (3x50) FlexConnect (local switching)

Control and data plane separation MC and MA functionalities are used Controller handles the Control plane, AP the data plane

Control and data plane termination Both terminated at the switch Control Plane terminated at the WLC (300ms max RTT requirement), AP bridging for data traffic

Wired and Wireless traffic True wireless and wired convergence Local access switch sees wireless traffic as if it was wired

traffic through a bridge

Dot1x Authentication Switch acts as dot1x Authenticator for wireless and wired

WLC or AP is authenticator for wireless

L2/L3 Seamless Roaming Both supported Only L2 roaming supported

Fast Roaming Supported Supported within the FlexConnect Group (different scalability for different controller platforms)

Subnetting definition Flexibility of having wireless in same or different VLANs per wiring closet

Same VLAN is required for seamless roaming

QoS policies Enforcement point Local switch and same for wired and for wireless

WLC, AP or access switch, and usually different for wireless and wired

Security Enforcement point Local switch and same for wired and for wireless

WLC, AP or access switch, and usually different for wireless and wired

WAN dependencies No WAN dependencies for Wireless

service Different requirements based on type of traffic (voice, data,

monitor Aps only)*


E-Mail

Headquarters

Internet VPN

Home Office Design OEAP AP

• Cisco controller installed in the DMZ of the corporate network

• OfficeExtend AP (OEAP) installed at teleworker’s home

• Corporate access to employee over centrally configured SSID

• Family Internet access over a locally configured SSID

WLC 5508 / 2504 / WiSM-2

/ WLC7500 / vWLC

Prime

15


Cloud-managed networking architecture

Network endpoints securely

connected to the cloud

Cloud-hosted centralized

management platform

Intuitive browser-based

dashboard


Cisco Meraki - - Bringing the cloud to enterprise networks


Out of band cloud management in every product Scalable

- Unlimited throughput, no bottlenecks

- Add devices or sites in minutes

Reliable

- Highly available cloud with multiple datacenters

- Network functions even if connection to cloud is interrupted

- 99.99% uptime SLA

Secure

- No user traffic passes through cloud

- Fully HIPAA / PCI compliant (level 1 certified)

- 3rd party security audits, daily penetration testing

- Automatic firmware and security updates (user-scheduled)

Reliability and security information at meraki.cisco.com/trust

Management

data (1 kb/s)

WAN


Cisco ONE Architecture

Cisco Enterprise Cisco Cloud Managed

Deployment Flexibility

Catalyst 2K/3K/4K/6K

ISR-AX, ASA: Routing, Security, WAAS, UCS-E

Aironet Access Points

3rd Party MDM Integration

Catalyst with integrated

controller

WLAN Controllers

Ease of Use

MS Switches

MX Security

Appliances (UTM)

MR Access Points

Systems Manager

Prime ISE

The Cisco ONE Architecture

Cloud Management


Vybrané vlastnosti Cisco FlexConnect řešení


Understanding AP Groups

• AP Groups is a logical concept of grouping AP’s which deliver similar Wi-Fi services; these services can be:

By physical location, and/or

By functional services (data, voice, guest, …)

• Same AP groups need to be defined in all WLC’s of a mobility group

Overview

Remote Site A Remote Site B

Central Site

WAN

AP Group 1

AP Group 2 AP Group 3

Flex 7500

Scaling Flex

7500 vWLC 5508 WiSM-2 2504

# AP Groups 6000 200 500 1000 50

# WLAN

(SSID) 512 512 512 512 16

# VLAN

(Interfaces) 4095 512 512 512 16


22

Understanding FlexConnect Groups

• FlexConnect groups allow sharing of:

CCKM/OKC fast roaming keys

Local/backup RADIUS servers IP/keys

Local user authentication

Local EAP authentication

AAA-Override for Local Switching

Smart Image Upgrade

• Scaling information

Overview

FlexConnect Group 1

Remote Site Remote Site

WAN

Central Site

FlexConnect Group 2

Flex 7500

Cluster

Scaling Flex

7500 vWLC 5508 WiSM2 2504

FlexConnect

Groups 2000 100 100 100 30

AP per Group 100 100 25 25 25


FlexConnect Backup Scenario

• FlexConnect will backup on local switched mode

No impact for locally switched SSIDs

Disconnection of centrally switched SSIDs clients

• Static authentication keys are locally stored in FlexConnect AP

• Lost features

RRM, WIDS, location, other AP modes

Web authentication, NAC

WAN Failure

Remote Site

WAN

Central Site

Application

Server


• FlexConnect will first backup on local switched mode

No impact for locally switched SSIDs

Disconnection of centrally switched SSIDs clients

• CCKM roaming allowed in FlexConnect group

• FlexConnect AP will then search for backup WLC; when backup WLC is found, FlexConnect AP will resync with WLC and resume client sessions with central traffic.

• Client sessions with Local Traffic are not impacted during resync with Backup WLC.

Remote Site

WAN

Central Site

Application

Server

FlexConnect Backup Scenario WLC Failure


FlexConnect Group: Local Backup RADIUS

• Normal authentication is done centrally

• On WAN failure, AP authenticates new clients with locally defined RADIUS server

• Existing connected clients stay connected

• Clients can roam with

CCKM fast roaming, or

Reauthentication

Backup Scenario

Remote Site

WAN

Central Site

FlexConnect Group 1

Central RADIUS

Local Backup

RADIUS

CCKM Fast Roaming


FlexConnect Group: Local Backup Authentication

• Normal authentication is done centrally

• On WAN failure, AP authenticates new clients with its local database

• Each FlexConnect AP has a copy of the local user DB

• Existing authenticated clients stay connected

• Clients can roam with:

CCKM fast roaming, or

Local re-authentication

Backup Scenario

Remote Site

WAN

Central Site

Central RADIUS

CCKM Fast Roaming

FlexConnect Group 1

26

Supported Security Types Release Version

LEAP 6.0

EAP-FAST 6.0

PEAP 7.5

EAP-TLS 7.5


FlexConnect Improvements in 7.2 – 7.5

• Smart AP Image Upgrade

• ACL’s on FlexConnect AP

• AAA Over-ride of VLAN - dynamic VLAN assignment for locally switched clients

• H-REAP -> FlexConnect Re-branding

• Fast Roaming for Voice Clients

• Peer to Peer Blocking

• PEAP and EAP-TLS Support (7.5)

• FlexConnect Group specific WLAN-VLAN mapping (7.5)

• AAA Client ACL (7.5)

• Ethernet Fallback (7.6)

• Videostream for Local switching (8.0)

• Faster time to deploy (8.0)

• Flex with Mesh deployment support (8.0)

• Flex 7500 Scale Update

• VLAN Based Central Switching

• Split Tunneling

• Central DHCP Processing

• WGB/uWGB Support with local switching

• Bidirectional Rate Limiting

• Support for ISE BYOD Registration & Provisioning

27

7.2 7.3 & 7.4 7.5, 7.6 & 8.0


VLAN 7

QoS =

Platinum

VLAN 3

QoS = Silver

FlexConnect AAA VLAN Override

• AAA VLAN Override with local or central authentication

• Up to 16 VLANs per FlexConnect AP

• VLAN ID must be enabled per AP or FlexConnect Group

• If VLAN ID does not exist, default VLAN is used, unless « VLAN Based Central Switching » enabled

• Starting from 7.5 AAA override for QoS is also supported.

Remote Site

WAN

Central Site

FlexConnect Group 1

RADIUS

Application

Server

Starting

from 7.2

28


FlexConnect ACL – VLAN Mapping

Remote Site

WAN

Central Site

Application

Server

• FlexConnects ACL are applied per VLAN

• FlexConnect ACL are Ingress / Egress oriented

• Starting from 7.5 FlexConnect ACL support AAA-returned Client ACL

512 FlexConnect ACL per WLC

• 16 ingress ACL & 16 egress ACL per AP

• 64 ACL rules per ACL

• No IPv6 ACL

Scale

Starting

from 7.2

29


Local Switching Peer-to-peer Blocking

• Support for Peer-to-Peer blocking in FlexConnect AP

• Apply for clients on same FlexConnect AP

• P2P blocking modes : disable or drop

• For P2P blocking inter-AP use ACL or Private VLAN function

Remote Site

WAN

Central Site

Application

Server

Starting

from 7.2

30


FlexConnect ACL – Split Tunneling

• Split tunneling allow some traffic to be locally switched although the WLAN is defined as centrally switched

• Split tunneling is using a NAT/PAT feature with ACL to perform the local switching

• Split tunneling is using the AP IP@ for the NAT/PAT feature

WLC FlexConnect AP CAPWAP

WAN

Central Server

Central Traffic

Local Printer

NAT/PAT

ACL

Local Traffic

Starting

from 7.3

31


WAN

FlexConnect Smart AP Image Upgrade

Smart AP Image Upgrade use a « master » AP in each FlexConnect Group to download the code.

Other FlexConnect AP download the code from the master locally

1. Download WLC upgraded firmware (will become primary)

2. Force the « boot image » to be the secondary (and not the newly upgraded one) to avoid parallel download of all AP in case of unexpected WLC reboot

3. WLC elect a master AP in each FlexConnect Group (can be also set manually)

Remote Site-1 Remote Site-N

Wireless Control

System Wireless LAN

Controller

Primary Secondary

Firmware Image

New

Old New New Old

Central Site

Master AP

Starting

from 7.2

32


WAN

FlexConnect Smart AP Image Upgrade

4. Master AP « Pre-download » the AP firmware in the secondary « boot image » (will not disrupt the actual service)—Can be started group per group to limit WAN exhaust

5. Slave AP « Pre-download » the AP firmware from the Master AP

6. Change the « boot image » of the WLC to the new image

7. Reboot the controller

Old New New Old

New Old

Central Site

Remote Site-1 Remote Site-N

Wireless Control

System Wireless LAN

Controller

Primary Secondary

Firmware Image

Primary Secondary

AP Firmware Image

New Old

Primary Secondary

AP Firmware Image

Master AP

33


Flex + Bridge (Flex on Mesh) • New AP mode that allows Flexconnect

behavior across mesh-enabled AP

Control plane supports:

Connected (WLC is reachable)

Standalone (WLC not reachable)

Data Plane supports:

Centralized (split MAC)

Local (local MAC)

Flexconnect Groups

Max 8 Mesh hops, Max 32 MAPs per RAP

Local AAA support

• A WLC have a mix of Bridge and Flex + Bridge

• MAPs inherent VLANs from its connected RAP

3

4

WAN

Central Site

Remote

Office

Centralized

Traffic

Local

Traffic

WLCs

Local Data WLAN

Central Data WLAN

Starting

from 8.0


Cisco WLAN portfolio pro pobočkové sítě


Cisco Aironet Indoor Access Point Industry’s Best 802.11n and 802.11ac Series Access Points

Mission Specific

600 & 700

Enterprise Class

1600

Mission Critical

2700

Best in Class

3700

Enterprise Best In Class Value-Based Mission Critical

• Up to 600 Mbps

• 702w: Wall Plate AP

• Hospitality, Dorms, MDU

• 702i: Compact Mid-market AP

• 600: Teleworker

• Up to 600 Mbps

• 3x3 MIMO : 2 SS

• CleanAir Express*

• ClientLink 2.0

• Over 1 Gbps, 802.11ac

• 3x4 MIMO : 3 SS

• HDX Technology

• CleanAir 80 MHz, ClientLink 3.0, VideoStream

• Over 1 Gbps, 802.11ac

• 4x4 MIMO : 3SS

• HDX Technology

• CleanAir 80 MHz, ClientLink 3.0, VideoStream

• Future proof modularity: Security, 3G Small Cell, Location Accuracy or Wave 2 802.11ac

NEW

NEW

802.11n

802.11ac

802.11ac

802.11n

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37

2500 Virtual WLC e.g.

UCS-E on ISR G2

Flex 7500

8500 5760 5508 WISM2

Catalyst 3850

Catalyst 3850

Virtual Controller

• 1-50 AP/switch per stack (Directly connected APs) • 2000 clients/stack • 40 Gbps/switch

• 12 to 500 APs • 7000 clients • 8 Gbps

• 100 to 1000 APs • 15,000 clients • 20 Gbps



Large Campus Service Provider

Small Campus / Branch (Controller On-Premise) Branch (Controller in DC)


• 5 to 200 APs • 3000 clients • 500 Mbps

• 1-50 APs per switch/stack (Directly connected APs) • 2000 clients per stack • 40 Gbps per switch

• 5 to 200 APs • 3000 clients • 500 Mbps

• 300 to 6000 APs

• 64,000 clients • 1 Gbps central

WLAN Controller Portfolio Industry’s broadest portfolio from standalone appliance, virtual and infrastructure-based

Catalyst 4500-E Sup8E*


• 1-25 APs per switch/stack (Directly connected APs) • 1000 clients per stack • 40 Gbps per switch

Catalyst 3650

AireOS Controllers have a rich roadmap and will be the lead WLC platforms for FY14

*Q4 CY14


Cisco Prime Infrastructure Realizing the Vision of One Management

Lifecycle

Converged

Management with

Integrated Best

Practices

Convergence Consolidation Cisco Advantage

Data Center

Simplified

Operations

management

Assurance

End-to-End Application

Experience & Visibility


Network Visibility

• Single view showing clients, rogues, tags, interferer, etc.

• Enhanced with clear icon indicators.

• Location data can be tracked historically.

Rogue AP Guest Rogue Client Interferer WIPS Attacker Tags

PI


GUEST PRESENCE GUEST ACCESS GUEST EXPERIENCE

MSE / Connected Mobile Experience

ENGAGE DETECT CONNECT

The customer’s personal mobile device detected as they enter the venue

The customer is seamlessly and securely connected to the Wi-Fi network

The customer receives highly relevant content and services based on their preferences, profile and location

Customer: Presence in the venue. IT: understand network utilization, peak usage, number and types of devices on the network.

ANALYTICS

Business: insights into customer online and onsite behavior, most traffic paths, dwell times, location density etc.


Who? What? When? Where? How?

Cisco’s Unified Access Innovations Best in Class and Best of Breed

Unified Access Innovations (Predictability) Policy and Network Management

CleanAir Chip level proactive and automatic interference

mitigation

ISE (Control)

Prime (Visibility)

Chip level proactive and automatic electronic

beamforming ClientLink

TrustSec—Secure Group Access

Simplified user and resource based segmentation –

independent of topology

Always-On context-aware

VPN connectivity AnyConnect

Wired multicast efficiency over a Wireless network VideoStream

Sub second WLAN and

LAN convergence Stateful Switchover

Identify, analyze, and optimize application traffic Application Visibility and Control

Automatic advanced RF shaping

and management Radio Resource Management


Shrnutí


Unified Access: Wireless Deployment Options

AUTONOMOUS CLOUD MANAGED FLEX CONNECT CENTRALIZED CONVERGED

• Common OS • Lean IT

• Mid-Market / Distributed Enterprise

• Intended for static installations • SP Hotspots

• Data center hosted controller • Distributed enterprises

• Premise-based controller • Traditional Overlay Model

• Highly Scalable

• Common OS • Consistent Wired/Wireless

• Highest performance

• MR Access Points • MS switches

• MX security • Dashboard

• Aironet Access Points • 11ac: 3700 / 2700

• 11n: 1600 / 700 • Catalyst Switches

• 3850 / 3650 • 2960-X

• Controllers • N / A



• 6800/4500/3850/3650 • 4500-X / 2960-X

• Controllers • 8510 / 7510/vWLC



• 6800/4500/3850/3650 • 4500-X / 2960-X

• Controllers • 8510 / 5760 / 5508 /

WiSM2 / 2504



• 6800/4500*/3850/3650 • 4500-X

• Controllers • Integrated

• 5760 external MC

Dashboard

WAN Intranet

Cisco Unified Access: 1 Architecture, 4 Deployment Modes Cisco Cloud Networking

* Roadmap

Prime ISE


Best Practices – Branch Deployment

• Select correct architecture for branch office – local controller or FlexConnect

• Prioritize the right traffic over the WAN

• Have correct WAN survivability model

• Proper WAN bandwidth and Latency to support voice and multimedia applications

• Enable Enhanced Local Mode (ELM) or WiPS using WSSI module for security.

• Take advantage of latest BYOD enhancements with FlexConnect architecture


Děkujeme za pozornost.

Cisco Connect Clubftp.cisco.cz/Seminare/2013-ConnectClub/2014-06-05... · • WLAN design s...

Documents

Transcript of Cisco Connect Clubftp.cisco.cz/Seminare/2013-ConnectClub/2014-06-05... · • WLAN design s...