Converged Access - Branch Network Design

Cisco Confidential 1 2013-2014 Cisco and/or its affiliates. All rights reserved.

Single-Switch Branch Design


MA

CA Branch Design MA and MC Placement

WAN

MC

Branch

MAMA MA

Branch

Recommended to keep MA and MC to keep within administrative LAN boundary

Design 1 or Design 2 recommended depending on scale (Agent/AP/Client) and MC redundancy requirements

MC across WAN. Not Recommended. Not Supported.

MC Placement Alternatives :

Access

Distribution

Design 1 = In Branch Access-Layer

MC MAMA MA

Branch

MC

Design 2 = In Branch Dist-Layer

Design 3 = Across WAN-Layer

MA Placement Alternatives : None. Static in Access


Branch

Small Inventory Single or Logical Stack switch configuration Low AP and Client Counts Any Catalyst platform meets scale requirements

Simple Mobility Network Design Single Switch = 1 MC/MA, No separate MA thus No SPG Simplified configuration : Wireless, Mobility, VLAN, IP Subnet etc. Built-in HA StackWise, AP/Tunnel SSO, StackPower, Redundant Fan/PSU

Better Roaming : Single floor L2 roaming boundary Optimal backplane utilization when stacked

Flexible Guest Wireless solution : Anchor-Based or Anchor-Less solution Centralized Web Authentication

Converged Access Single Switch Branch Design

Internet

GA

DC

CPI ISE

MC MA

WAN

Roaming Boundary


Floor-1

Floor-2

Floor-1

Floor-2

Floor-3

Floor-4

Converged Access Controller-Less Branch Design

Medium-size Branch

Large-size Branch

Inventory Mobility Roaming Guest

Variable Size and Deployment Models

Follow 5 step design to deploy success :

Foundation

Internet

GA

DC

CPI ISE

WAN


Total Building/Site Counto Typically 1 Building/Site count

Floors Count Per Buildingo Ranging 1-3 count

o Check on RF-coverage gap between elevators/stairs etc.

Switch Type and Count Per Buildingo Converged Access Platforms in Access & Distribution layer o Ranging 4 to 8. Stack if possibleo Helps determine platform choice for MC role and its placement

AP Count Per Buildingo Ranging 5-30o Helps determine platform choice for MC role

Client Count Per Buildingo Ranging 200-300o Helps determine platform choice for MC role

Converged Access Single Domain Design

Floor-1

Floor-2

InventoryInventory Sizing Network for Single Domain Design


Catalyst switch selection for MC role depends on three following scale factors : Total Switch Count at selected site Total AP Count across all floors at selected site Total Client (devices) Count across all floors at selected site

As an MC the Catalyst 3850 has a recommended limit of 50 APs

3650 in MC role supports half capacity. But as an MA the scale would depend on MC

Build Converged Access network with any supported Catalyst switch permutation

Common Software Release means common feature set support across complete portfolio

Converged Access Single Domain DesignMobilityMobility Deciding MC System for Single Domain Design

MC Switch MA Switch AP Client

3850-Ethernet 8 50 1000

3850-Fiber 8 50 1000

3650-Ethernet 4 25 500

Single-MC Max Scale

Floor-1

Floor-2


Floor-1

Floor-2

1 MC = 1 Sub-Domain. Deploy another MC or Sub-Domain for additional scale in large network. Known as Multi-Domain Design

Total number of MC Count per building decision depends on following factor :o Scale = More AP/Client scale then one MCo HA = MC redundancy critical for Core Mobility

services

Best Practices :o Keep simple with single MC if meets the scaleo Stack/add Sup on MC if redundancy is concerno Mix Catalyst switch in design that allows MC

redundancy and still supports full architecture

Converged Access Single Domain DesignMobilityMobility Deciding MC System Count for Single Domain Design

MC

MA

MA

MA

MA

MCMC


MC redundancy provides critical AP and Tunnel SSO

Wireless control-plane redundancy with proven switching HA function :o 4500-Sup8E as MC Dual-Sup NSF/SSOo 3850-Eth/Fiber as MC StackWise-480o 3650 as MC StackWise-160

Client SSO not supported. User impact none to minor :o Local Domain Clients Noneo Local Clients Re-associate. Sub-Second recoveryo Foreign Clients Re-associate. Sub-Second recovery

Converged Access Single Domain DesignMobilityMobility MC Redundancy for Single Domain Design

Floor-1

Floor-2

MC

MA

MA

MA

MA


Cell coverage determines roaming boundary limit. Reflects how to construct Mobility topologies

Understand Soft Roam versus Hard Roam :o Soft Roam = Seamless move without

rebuilding connection stateo Hard Roam = Pervasive move with rebuilding

connection state

Switch-Peer-Group (SPG) an logical group of switches to automatically builds Mobility topologies for seamless roaming support across network

1 Catalyst MC = 1 Single SPG for these deployment size. More possible but no benefits and may complicate deployment.

Converged Access Single Domain DesignRoamingRoaming Designing SPG for Single Domain Network

SPG-1

Floor-1

Floor-2

MC

MA

MA

MA

MA

Soft-Roam User. No Reauth, same VLAN, IP, Policies

Hard-Roam User. Full Reauth, new VLAN, IP, Policies


Converged Access supports Layer 3 (default) and Layer 2 roam

Recommended Layer 3 roam key benefits : Maintains Spanning-Tree best practices Small link-local broadcast/multicast flood and fault domain Rapid roam between Access switches even with policies Proven Converged Access Design

Layer 2 roam possible with explicit configuration : Pros Local egress forwarding path with full client handoff Cons Large flood and fault domain size, slow roam with

downloaded policies from AAA server

Anchored SSIDs, i.e. Guest dont need any VLANs. Keep configuration default

Keep Wireless Management VLAN separate from Client VLANs smaller broadcast/multicast domain, prevents policy conflict

Converged Access Single Domain DesignRoamingRoaming VLAN And Roam Design in Single Domain Network

SSID-1 101 201 301 401

SSID-1 Layer 3 Roam SSID

SSID-2 201


SSID-3 None

SSID-3 Anchored SSID (Guest)

WM 11 21 31 41

WM Wireless Management

SPG-1

MC

MAMA MAMA

Wireless Client VLAN Design


Floor-1

SPG-1

Floor-2

MC

MA MA

Most of the devices perform soft-roam on single-floor. Voice may go beyond

Stack helps improves roaming performance. Rapid local switching roam instead over network

Stack switching helps maintaining VLAN best practices and optimizes converged distribution block

Converged Access Single Domain DesignRoamingMobility Roaming Benefits with StackWise in Single Domain Network

MA

Distribution

Access Access


Converged Access Single Domain Key Design Summary

Identify cell coverage and required roaming boundaryKeep SPG design simple. 1 MC = 1 SPGRecommended default Layer 3 roamUnique SSID and Wireless Mgmt VLAN Per-Access Optimize roaming delays with StackWise in Access

Roaming

Stack in DistributionStack in Access if possibleMultilayer Network DesignEtherChannelUnique Wired and Wireless VLAN (Design-1)Unique Wireless Mgmt VLAN Per AccessCisco Borderless Campus CVD Best Practices

Foundation

Collect Infrastructure InventoryAnalyze RF coverageUp to date RF surveyDesign conclusion based Inventory

Inventory

Keep MC design simple. 1 MC per BranchDesignate system for MC role to support scaleMC placement in Distribution if StackWise/VSSAdd more HA component to MC if desired

Mobility

Floor-1

Floor-2

MC

MA MA

MA MA


Multi-Domain Branch Design


Floor-1

Floor-2

Floor-1

Floor-2

Converged Access Controller-Less Branch Design

Inventory Mobility Roaming Guest

Variable Size and Deployment Models

Follow 5 step design to deploy success :

Foundation

MA MA

MA MA

MA MA

MA MA

MC

Floor-3

Floor-4

MA

MA MA

MC

MC

Expanded Network DesignCA Single Sub-Domain Design

CA Multi Sub-Domain Design

Multi Sub-Domain Design Principles :

Add More To Grow Peer Only If Need

Branch 1 Branch 2


Converged Access Multi Domain DesignFoundationFoundation Build Solid Foundation To Scale Multi Sub-domain Design

Floor-1

Floor-2

Floor-3

Floor-4

Consistent network foundation design and principles as single sub-domain network

Modular-class platform for better density, scale, performance and resilient network

Integrated Wireless Controller functionality valuable but may not meet the required scale

Recommended network designo VSS* / StackWiseo STP Loop-free topology with Layer 2 EtherChannelo Unique VLAN Per Access switch design


Total Building/Site Counto Typically 1 Building/Site count

Floors Count Per Buildingo Ranging 5-10 count

o Check on RF-coverage gap between elevators/stairs etc.

Switch Type and Count Per Buildingo Converged Access Platforms in Access & Distribution layer o Ranging 10 to 20. Stack if possibleo Helps determine platform choice for MC role and its placement

AP Count Per Buildingo Ranging 50-150o Helps determine platform choice for MC role

Client Count Per Buildingo Ranging 1000-2000o Helps determine platform choice for MC role

Converged Access Multi Domain DesignInventoryInventory Sizing Network for Single Sub-domain Design

Floor-1

Floor-2

Floor-3

Floor-4


Rule # 1 Add More To Grow.

Catalyst switch selection for MC role depends on three following scale factors : Total Switch Count at selected site Total AP Count across all floors at selected site Total Client (devices) Count across all floors at selected site

Multiple MCs may require to meet scale limit. All MCs can be same or mix Catalyst platforms

Recommended consistent IOS Software version is on each MCs

Converged Access Multi Domain DesignMobilityMobility Deciding MC System for Multi Sub-domain Design

MC Switch MA Switch AP Client

3850-Ethernet 8 50 1000

3850-Fiber 8 50 1000

3650-Ethernet 8 25 500

Single-MC Max Scale

Floor-1

Floor-2

MA

MA MA

Floor-3

Floor-4

MA

MA MA

MC

MC


Multi Sub-domain Network

Floor-1

Floor-2

Floor-3

Floor-4

MC placement depends on following factors :o Distribution-Layer. Single-Domain design

recommended if scale and HA fits the requiremento Access-Layer. Scales better MA/AP/Client

Simplify MC with StackWise or VSS* when deployed at Distribution-Layer

MC at Access-Layer follow certain design considerations :o 3850/3650 StackWise. Default Standalone design

may not provide enough redundancy

Best Practices : Deploy MC either in Access or in Distribution. Do not deploy at both layers

Converged Access Multi Domain DesignMobilityMobility MC Placement In Multi Sub-domain Network

MA

MA MA

MA

MA MA

MA

MA

MCMC

Single Sub-domain Network


MC-1-SPG-1

MC-2-SPG-1 Expanded cell coverage determines roaming boundary limit. Reflects how to construct Mobility topologies across multiple sub-domains

Contiguous Mobility RF domain covering entire building

Rule # 2 Peer Only If Need

Static peering between MCs to build seamless indoor device roaming boundary limit

1 Catalyst MC = 1 Single SPG for these deployment model.

Converged Access Multi Domain DesignRoamingRoaming Designing Mobility and SPG for Multi Sub-domain Network

Floor-1

Floor-2

MA

MA MA

Floor-3

Floor-4

MA

MA MA

MC

MC


More scale hence more processing in large size network

Large flood/fault domain with VLAN spanning across Access may impact performance and network reliability

Recommended unique VLAN design per Access :o Imperative building loop-free and small size broadcast domaino Aligned with Wired best practice for large port count

Decouple user data-plane and wireless control-plane with unique VLAN per Access

Evaluate Distribution Layer switch specifications to support required scale and performance

Converged Access Multi Domain DesignRoamingRoaming VLAN And Roam Design in Multi Sub-domain Network

SSID-1 101 201 301 401


SSID-2 201


SSID-3 None

SSID-3 Anchored SSID (Guest)

WM 11 21 31 41

WM Wireless Management

Wireless Client VLAN Design

MC-1-SPG-1

MC

MAMA

MC

MC-2-SPG-1


Floor-1

Floor-2

MA

MA MA

Floor-3

Floor-4

MA

MA MA

MC

MC

Converged Access Multi Sub-domain Key Design Summary

Identify cell coverage and required roaming boundaryKeep SPG design simple. 1 MC = 1 SPGRecommended default Layer 3 roamUnique SSID and Wireless Mgmt VLAN Per-Access Optimize roaming delays with StackWise in Access

Roaming

Stack/VSS in DistributionStack in Access if possibleMultilayer Network DesignEtherChannelUnique Wired and Wireless VLAN (Design-1)Unique Wireless Mgmt VLAN Per AccessCisco Borderless Campus CVD Best Practices

Foundation

Collect Infrastructure InventoryAnalyze RF coverageUp to date RF surveyDesign conclusion based Inventory

Inventory

MC placement in Access for 2X scaleKeep MC design simple. 2 MCs per BranchDesignate system for MC role to support scaleAdd more HA components to MC if desired

Mobility


Guest Network Design


Converged Access Guest Network Design Alternatives

Ideal for Small Branch to provide local Internet Access Catalyst integrated L2/L3 security with central policy-

engine, i.e. Cisco ISE Local L2/L3 network termination with possible L3

segmentation to WAN edge

MC/MA

Branch

MC/MA

Branch

MC/MA

Branch

SiSiSiSiSiSi

MA MC/MA

Sub-Domain-1

SPG-1

MA MC/MA

Sub-Domain-2SPG-2

Sub-Domain-1

SPG-1

MA MA

MC

Sub-Domain-2

MA MA

MC

SPG-2

SiSiSiSiSiSi SiSiSiSiSiSi

Internet

GA

DC

CPI ISE

Controller-Less Single-Switch Branch Controller-Less Multi-Domain Branch/CampusController-Less Single/Multi-Domain Branch

Anchor-Less Guest Solution :

Internet DC

CPI ISE

Anchor-Based Guest Solution : Common solution for Guest termination close to Internet point Controller-based integrated L2/L3 security with central policy-

engine, i.e. Cisco ISE Transparent Guest network termination to Anchor in DMZ for

centralized policy enforcement


Converged Access Guest Anchor Platform Support

Sub-Domain-1

SPG-1

MA MA

MC

Sub-Domain-2

MA MA

MC

SPG-2

SiSiSiSiSiSi SiSiSiSiSiSi

Internet

GA

DC

CPI ISE

Sub-Domain-1

SPG-1

MA MA

MC

Sub-Domain-2

MA MA

MC

SPG-2

Controller-Less Multi-Domain Branch/Campus Controller-Based Multi-Domain Campus

Foreign Anchor Guest Anchor WLC Software Release New Mobility

Catalyst : Catalyst 3650/3850AireOS WLC : 5508 and WiSM2 New AireOS WLC : 8510, 5520 and 8540

5508/WiSM2 7.3.112 and above Required *

8510 8.1 and above Required *

5520 / 8540 8.1 and above Required *

Current generation 5508 and WiSM2 with New Mobility Continue to support beyond 8.1 AireOS Software release.

No change in strategy New AireOS Platform Support 8510 and 5520 / 8540

* = Non-Default. Required configuration change and reboot WLC

WLC-1

AP AP AP AP AP AP

WLC-2

Centralized Multi-Domain Campus

Guest Anchor WLC Product Support Matrix Key Points


Converged Access Guest Anchor Scale ConsiderationInternet

GA

DC

CPI ISE

MC/MA

Branch

MC/MA

Branch

MC/MA

Branch

SiSiSiSiSiSi

MA MC/MA

Sub-Domain-1

SPG-1

MA MC/MA

Sub-Domain-2SPG-2

Maximum 71 Mobility Tunnel support on AireOS platform Consider GA WLC : MC tunnel ratio across Branch locations

Guest Anchor WLC Max Mobility Tunnel Max Client Count

5508 71 7000

WiSM2 71 15000

8510 71 64000

5520 71 20000

8540 71 64000

Guest Anchor WLC Tunnel and Client Scale Matrix

Key Points

Thank you.

Converged Access - Branch Network Design

Technology

Transcript of Converged Access - Branch Network Design