Converged Access - Branch Network Design
Uploaded by: cisco-public-sector
-
Cisco Confidential 1 2013-2014 Cisco and/or its affiliates. All rights reserved.
Single-Switch Branch Design
-
CA Branch Design: MA and MC Placement
Recommended: keep MA and MC within the administrative LAN boundary
Design 1 or Design 2 recommended depending on scale (Agent/AP/Client) and MC redundancy requirements
MC across WAN. Not Recommended. Not Supported.
MC Placement Alternatives:
  o Design 1 = In Branch Access-Layer
  o Design 2 = In Branch Dist-Layer
  o Design 3 = Across WAN-Layer
MA Placement Alternatives: None. Static in Access
[Diagram labels: Branch, Access, Distribution, WAN, MC, MA]
-
Converged Access Single Switch Branch Design
Small Inventory:
  o Single or Logical Stack switch configuration
  o Low AP and Client Counts
  o Any Catalyst platform meets scale requirements
Simple Mobility Network Design:
  o Single Switch = 1 MC/MA, No separate MA thus No SPG
  o Simplified configuration: Wireless, Mobility, VLAN, IP Subnet etc.
  o Built-in HA: StackWise, AP/Tunnel SSO, StackPower, Redundant Fan/PSU
Better Roaming:
  o Single floor L2 roaming boundary
  o Optimal backplane utilization when stacked
Flexible Guest Wireless solution:
  o Anchor-Based or Anchor-Less solution
  o Centralized Web Authentication
[Diagram labels: Branch, MC, MA, Roaming Boundary, WAN, DC, CPI, ISE, GA, Internet]
-
Converged Access Controller-Less Branch Design
Variable Size and Deployment Models
Follow the 5-step design to deploy successfully: Foundation, Inventory, Mobility, Roaming, Guest
[Diagram labels: Medium-size Branch, Large-size Branch, Floor-1 to Floor-4, WAN, DC, CPI, ISE, GA, Internet]
-
Converged Access Single Domain Design
Inventory: Sizing Network for Single Domain Design
Total Building/Site Count
  o Typically 1 Building/Site count
Floors Count Per Building
  o Ranging 1-3 count
  o Check on RF-coverage gap between elevators/stairs etc.
Switch Type and Count Per Building
  o Converged Access Platforms in Access & Distribution layer
  o Ranging 4 to 8. Stack if possible
  o Helps determine platform choice for MC role and its placement
AP Count Per Building
  o Ranging 5-30
  o Helps determine platform choice for MC role
Client Count Per Building
  o Ranging 200-300
  o Helps determine platform choice for MC role
[Diagram labels: Floor-1, Floor-2]
-
Converged Access Single Domain Design
Mobility: Deciding MC System for Single Domain Design
Catalyst switch selection for the MC role depends on the following three scale factors:
  o Total Switch Count at selected site
  o Total AP Count across all floors at selected site
  o Total Client (devices) Count across all floors at selected site
As an MC, the Catalyst 3850 has a recommended limit of 50 APs
3650 in MC role supports half capacity. But as an MA the scale would depend on MC
Build Converged Access network with any supported Catalyst switch permutation
Common Software Release means common feature set support across complete portfolio

Single-MC Max Scale
MC Switch        MA Switch   AP    Client
3850-Ethernet    8           50    1000
3850-Fiber       8           50    1000
3650-Ethernet    4           25    500

[Diagram labels: Floor-1, Floor-2]
-
Converged Access Single Domain Design
Mobility: Deciding MC System Count for Single Domain Design
1 MC = 1 Sub-Domain. Deploy another MC or Sub-Domain for additional scale in large network. Known as Multi-Domain Design
The total MC count per building depends on the following factors:
  o Scale = More AP/Client scale than one MC
  o HA = MC redundancy critical for Core Mobility services
Best Practices:
  o Keep it simple with a single MC if it meets the scale
  o Stack/add Sup on MC if redundancy is a concern
  o Mix Catalyst switches in a design that allows MC redundancy and still supports full architecture
[Diagram labels: Floor-1, Floor-2, MC, MA]
-
Converged Access Single Domain Design
Mobility: MC Redundancy for Single Domain Design
MC redundancy provides critical AP and Tunnel SSO
Wireless control-plane redundancy with proven switching HA function:
  o 4500-Sup8E as MC: Dual-Sup NSF/SSO
  o 3850-Eth/Fiber as MC: StackWise-480
  o 3650 as MC: StackWise-160
Client SSO not supported. User impact none to minor:
  o Local Domain Clients: None
  o Local Clients: Re-associate. Sub-Second recovery
  o Foreign Clients: Re-associate. Sub-Second recovery
[Diagram labels: Floor-1, Floor-2, MC, MA]
-
Converged Access Single Domain Design
Roaming: Designing SPG for Single Domain Network
Cell coverage determines roaming boundary limit. Reflects how to construct Mobility topologies
Understand Soft Roam versus Hard Roam:
  o Soft Roam = Seamless move without rebuilding connection state
  o Hard Roam = Pervasive move with rebuilding connection state
Switch-Peer-Group (SPG): a logical group of switches that automatically builds Mobility topologies for seamless roaming support across the network
1 Catalyst MC = 1 Single SPG for this deployment size. More are possible but bring no benefit and may complicate deployment.
Soft-Roam User. No Reauth, same VLAN, IP, Policies
Hard-Roam User. Full Reauth, new VLAN, IP, Policies
[Diagram labels: SPG-1, Floor-1, Floor-2, MC, MA]
-
Converged Access Single Domain Design
Roaming: VLAN And Roam Design in Single Domain Network
Converged Access supports Layer 3 (default) and Layer 2 roam
Recommended Layer 3 roam key benefits:
  o Maintains Spanning-Tree best practices
  o Small link-local broadcast/multicast flood and fault domain
  o Rapid roam between Access switches even with policies
  o Proven Converged Access Design
Layer 2 roam possible with explicit configuration:
  o Pros: Local egress forwarding path with full client handoff
  o Cons: Large flood and fault domain size, slow roam with downloaded policies from AAA server
Anchored SSIDs, i.e. Guest, don't need any VLANs. Keep configuration default
Keep Wireless Management VLAN separate from Client VLANs: smaller broadcast/multicast domain, prevents policy conflict

Wireless Client VLAN Design
  SSID-1 (Layer 3 Roam SSID): 101, 201, 301, 401
  SSID-2 (Layer 2 Roam SSID): 201
  SSID-3 (Anchored SSID, Guest): None
  WM (Wireless Management): 11, 21, 31, 41

[Diagram labels: SPG-1, MC, MA]
-
Converged Access Single Domain Design
Roaming: Mobility Roaming Benefits with StackWise in Single Domain Network
Most devices perform soft-roam on a single floor. Voice may go beyond
Stacking helps improve roaming performance. Rapid local switching roam instead of over the network
Stack switching helps maintain VLAN best practices and optimizes the converged distribution block
[Diagram labels: SPG-1, Floor-1, Floor-2, Distribution, Access, MC, MA]
-
Converged Access Single Domain Key Design Summary
Foundation:
  o Stack in Distribution
  o Stack in Access if possible
  o Multilayer Network Design
  o EtherChannel
  o Unique Wired and Wireless VLAN (Design-1)
  o Unique Wireless Mgmt VLAN Per Access
  o Cisco Borderless Campus CVD Best Practices
Inventory:
  o Collect Infrastructure Inventory
  o Analyze RF coverage
  o Up to date RF survey
  o Design conclusion based on Inventory
Mobility:
  o Keep MC design simple. 1 MC per Branch
  o Designate system for MC role to support scale
  o MC placement in Distribution if StackWise/VSS
  o Add more HA component to MC if desired
Roaming:
  o Identify cell coverage and required roaming boundary
  o Keep SPG design simple. 1 MC = 1 SPG
  o Recommended default Layer 3 roam
  o Unique SSID and Wireless Mgmt VLAN Per-Access
  o Optimize roaming delays with StackWise in Access
[Diagram labels: Floor-1, Floor-2, MC, MA]
-
Multi-Domain Branch Design
-
Converged Access Controller-Less Branch Design
Variable Size and Deployment Models
Follow the 5-step design to deploy successfully: Foundation, Inventory, Mobility, Roaming, Guest
Expanded Network Design
Multi Sub-Domain Design Principles:
  o Add More To Grow
  o Peer Only If Need
[Diagram labels: Branch 1, Branch 2, CA Single Sub-Domain Design, CA Multi Sub-Domain Design, Floor-1 to Floor-4, MC, MA]
-
Converged Access Multi Domain Design
Foundation: Build Solid Foundation To Scale Multi Sub-domain Design
Consistent network foundation design and principles as single sub-domain network
Modular-class platform for better density, scale, performance and resilient network
Integrated Wireless Controller functionality valuable but may not meet the required scale
Recommended network design:
  o VSS* / StackWise
  o STP Loop-free topology with Layer 2 EtherChannel
  o Unique VLAN Per Access switch design
[Diagram labels: Floor-1 to Floor-4]
-
Converged Access Multi Domain Design
Inventory: Sizing Network for Single Sub-domain Design
Total Building/Site Count
  o Typically 1 Building/Site count
Floors Count Per Building
  o Ranging 5-10 count
  o Check on RF-coverage gap between elevators/stairs etc.
Switch Type and Count Per Building
  o Converged Access Platforms in Access & Distribution layer
  o Ranging 10 to 20. Stack if possible
  o Helps determine platform choice for MC role and its placement
AP Count Per Building
  o Ranging 50-150
  o Helps determine platform choice for MC role
Client Count Per Building
  o Ranging 1000-2000
  o Helps determine platform choice for MC role
[Diagram labels: Floor-1 to Floor-4]
-
Converged Access Multi Domain Design
Mobility: Deciding MC System for Multi Sub-domain Design
Rule # 1: Add More To Grow.
Catalyst switch selection for the MC role depends on the following three scale factors:
  o Total Switch Count at selected site
  o Total AP Count across all floors at selected site
  o Total Client (devices) Count across all floors at selected site
Multiple MCs may be required to meet the scale limit. All MCs can be the same or a mix of Catalyst platforms
A consistent IOS Software version is recommended on each MC

Single-MC Max Scale
MC Switch        MA Switch   AP    Client
3850-Ethernet    8           50    1000
3850-Fiber       8           50    1000
3650-Ethernet    8           25    500

[Diagram labels: Floor-1 to Floor-4, MC, MA]
-
Converged Access Multi Domain Design
Mobility: MC Placement In Multi Sub-domain Network
MC placement depends on the following factors:
  o Distribution-Layer. Single-Domain design recommended if scale and HA fit the requirement
  o Access-Layer. Scales better MA/AP/Client
Simplify MC with StackWise or VSS* when deployed at Distribution-Layer
MC at Access-Layer follows certain design considerations:
  o 3850/3650 StackWise. Default Standalone design may not provide enough redundancy
Best Practices: Deploy MC either in Access or in Distribution. Do not deploy at both layers
[Diagram labels: Multi Sub-domain Network, Single Sub-domain Network, Floor-1 to Floor-4, MC, MA]
-
Converged Access Multi Domain Design
Roaming: Designing Mobility and SPG for Multi Sub-domain Network
Expanded cell coverage determines roaming boundary limit. Reflects how to construct Mobility topologies across multiple sub-domains
Contiguous Mobility RF domain covering entire building
Rule # 2: Peer Only If Need
Static peering between MCs to build seamless indoor device roaming boundary limit
1 Catalyst MC = 1 Single SPG for this deployment model.
[Diagram labels: MC-1-SPG-1, MC-2-SPG-1, Floor-1 to Floor-4, MC, MA]
-
Converged Access Multi Domain Design
Roaming: VLAN And Roam Design in Multi Sub-domain Network
More scale hence more processing in large size network
Large flood/fault domain with VLAN spanning across Access may impact performance and network reliability
Recommended unique VLAN design per Access:
  o Imperative for building a loop-free and small-size broadcast domain
  o Aligned with Wired best practice for large port count
Decouple user data-plane and wireless control-plane with unique VLAN per Access
Evaluate Distribution Layer switch specifications to support required scale and performance

Wireless Client VLAN Design
  SSID-1 (Layer 3 Roam SSID): 101, 201, 301, 401
  SSID-2 (Layer 2 Roam SSID): 201
  SSID-3 (Anchored SSID, Guest): None
  WM (Wireless Management): 11, 21, 31, 41

[Diagram labels: MC-1-SPG-1, MC-2-SPG-1, MC, MA]
-
Converged Access Multi Sub-domain Key Design Summary
Foundation:
  o Stack/VSS in Distribution
  o Stack in Access if possible
  o Multilayer Network Design
  o EtherChannel
  o Unique Wired and Wireless VLAN (Design-1)
  o Unique Wireless Mgmt VLAN Per Access
  o Cisco Borderless Campus CVD Best Practices
Inventory:
  o Collect Infrastructure Inventory
  o Analyze RF coverage
  o Up to date RF survey
  o Design conclusion based on Inventory
Mobility:
  o MC placement in Access for 2X scale
  o Keep MC design simple. 2 MCs per Branch
  o Designate system for MC role to support scale
  o Add more HA components to MC if desired
Roaming:
  o Identify cell coverage and required roaming boundary
  o Keep SPG design simple. 1 MC = 1 SPG
  o Recommended default Layer 3 roam
  o Unique SSID and Wireless Mgmt VLAN Per-Access
  o Optimize roaming delays with StackWise in Access
[Diagram labels: Floor-1 to Floor-4, MC, MA]
-
Guest Network Design
-
Converged Access Guest Network Design Alternatives
Anchor-Less Guest Solution:
  o Ideal for Small Branch to provide local Internet Access
  o Catalyst integrated L2/L3 security with central policy-engine, i.e. Cisco ISE
  o Local L2/L3 network termination with possible L3 segmentation to WAN edge
Anchor-Based Guest Solution:
  o Common solution for Guest termination close to Internet point
  o Controller-based integrated L2/L3 security with central policy-engine, i.e. Cisco ISE
  o Transparent Guest network termination to Anchor in DMZ for centralized policy enforcement
[Diagram labels: Controller-Less Single-Switch Branch, Controller-Less Single/Multi-Domain Branch, Controller-Less Multi-Domain Branch/Campus, Branch, MC/MA, MA, MC, Sub-Domain-1, Sub-Domain-2, SPG-1, SPG-2, Internet, GA, DC, CPI, ISE]
-
Converged Access Guest Anchor Platform Support

Guest Anchor WLC Product Support Matrix
Foreign Anchor:
  o Catalyst: Catalyst 3650/3850
  o AireOS WLC: 5508 and WiSM2
  o New AireOS WLC: 8510, 5520 and 8540

Guest Anchor WLC   Software Release    New Mobility
5508/WiSM2         7.3.112 and above   Required *
8510               8.1 and above       Required *
5520 / 8540        8.1 and above       Required *

* = Non-default. Requires a configuration change and WLC reboot

Key Points:
  o Current generation 5508 and WiSM2 with New Mobility: continue to support beyond 8.1 AireOS Software release. No change in strategy
  o New AireOS Platform Support: 8510 and 5520 / 8540
[Diagram labels: Controller-Less Multi-Domain Branch/Campus, Controller-Based Multi-Domain Campus, Centralized Multi-Domain Campus, Sub-Domain-1, Sub-Domain-2, SPG-1, SPG-2, MC, MA, WLC-1, WLC-2, AP, Internet, GA, DC, CPI, ISE]
-
Converged Access Guest Anchor Scale Consideration

Guest Anchor WLC Tunnel and Client Scale Matrix
Guest Anchor WLC   Max Mobility Tunnel   Max Client Count
5508               71                    7000
WiSM2              71                    15000
8510               71                    64000
5520               71                    20000
8540               71                    64000

Key Points:
  o Maximum 71 Mobility Tunnel support on AireOS platform
  o Consider GA WLC : MC tunnel ratio across Branch locations
[Diagram labels: Branch, MC/MA, MA, Sub-Domain-1, Sub-Domain-2, SPG-1, SPG-2, Internet, GA, DC, CPI, ISE]
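The MC sizing rule and the guest anchor tunnel limit above can be checked together. The following is an added example, not part of the original deck: it takes the per-MC limits from the single-domain "Single-MC Max Scale" table and the 71-tunnel limit from the guest anchor matrix. The site inventories are constructed, and one mobility tunnel per MC to the guest anchor is an assumption.

```python
import math

# Single-MC maximum scale from the single-domain "Single-MC Max Scale" table:
# platform -> (MA switches, APs, clients)
SINGLE_MC_MAX = {
    "3850-Ethernet": (8, 50, 1000),
    "3850-Fiber": (8, 50, 1000),
    "3650-Ethernet": (4, 25, 500),
}
GA_MAX_TUNNELS = 71  # max mobility tunnels on an AireOS guest anchor WLC

# Constructed sample inventories: site -> (MA switches, APs, clients)
SAMPLE_SITES = {
    "branch-a": (6, 30, 300),     # within the single-domain ranges
    "branch-b": (14, 90, 1500),   # within the multi sub-domain ranges
}


def mcs_required(platform, ma_switches, aps, clients):
    """MCs (sub-domains) a site needs; the tightest scale factor decides."""
    limits = SINGLE_MC_MAX[platform]
    demand = (ma_switches, aps, clients)
    return max(1, *(math.ceil(d / l) for d, l in zip(demand, limits)))


def plan(sites, platform="3850-Ethernet"):
    """Return per-site design, total guest anchor tunnels, and whether they fit.

    Assumption (not stated in the deck): each MC builds exactly one
    mobility tunnel to the guest anchor WLC.
    """
    per_site = {}
    for name, (ma, aps, clients) in sites.items():
        n = mcs_required(platform, ma, aps, clients)
        per_site[name] = (n, "single-domain" if n == 1 else "multi-domain")
    tunnels = sum(n for n, _ in per_site.values())
    return per_site, tunnels, tunnels <= GA_MAX_TUNNELS


if __name__ == "__main__":
    design, tunnels, fits = plan(SAMPLE_SITES)
    for site, (count, kind) in design.items():
        print(f"{site}: {count} MC(s), {kind}")
    print(f"guest anchor tunnels: {tunnels}/{GA_MAX_TUNNELS}, fits={fits}")
```
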
-
Thank you.