Converged Access - DoD Design Discussion

Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Jay Pitcher – Technical Solution Architect, [email protected]

Transcript of Converged Access - DoD Design Discussion

Page 1: Converged Access - DoD Design Discussion


Page 2: Converged Access - DoD Design Discussion

Agenda
§ WLAN Deployment options
§ Architecture Review
§ CA - Path to success
§ CA - Branch Design
§ CA - Campus Design
§ Role of Cisco Prime Infrastructure


Page 4: Converged Access - DoD Design Discussion

Wireless Controller: Deployment Modes

Autonomous
  Traffic: Standalone APs
  Target positioning: Small wireless network
  Scope: Wireless only
  Key use cases: • Small number of APs • WGB mode – bridge wired devices
  Key considerations: • Certification concerns • No L3 roaming

FlexConnect
  Traffic: Distributed at the AP
  Target positioning: Branch
  Scope: Wireless only
  Key use cases: • Centralized control with local data plane • Max of 100 APs at a location
  Key considerations: • Clients connect locally at the AP; the WAN sits between AP and controller

Centralized
  Traffic: Centralized at the controller
  Target positioning: Campus
  Scope: Wireless only
  Key use cases: • Most complete solution • All capabilities of Enterprise WLAN
  Key considerations: • Full features

Converged Access
  Traffic: Distributed at the switch
  Target positioning: Branch and Campus
  Scope: Wired and Wireless
  Key use cases: • CA switches available • Basic Enterprise WLAN • Fewer than 100 APs
  Key considerations: • Enterprise WLAN only: no Mesh, no modules

Page 5: Converged Access - DoD Design Discussion

Converged Access Scalability Guidelines (unchanged up to IOS XE 3.7.0)

                                          Catalyst 3650             Catalyst 3850
Certified release                         3.6 (recommended 3.6.4)   3.6 (recommended 3.6.4)
Mobility Controller (MC) mode             Yes                       Yes
APs supported (per MC)                    25                        50
Clients supported (per MC)                1000                      2000
Mobility Agent (MA) mode                  Yes                       Yes
Number of MCs in a Mobility Domain        8 / 2                     8 / 2
Number of MAs in a Sub-domain (per MC)    16 / 8                    16 / 8
AP scale (per domain)                     200 / 50                  250 / 100

Page 6: Converged Access - DoD Design Discussion

Converged Access Deployments Recommendation (unchanged up to IOS XE 3.7.0)

[Chart: number of devices against size of mobility domain]

1. Seamless Roaming use case – Mobility Domain up to 4000 devices / 100 APs; max 2 x 3850 MC
2. Nomadic Roaming use case – Mobility Domain up to 2000 devices / 50 APs; max 1 x 3850 MC
Centralized Overlay is the option plotted beyond these Converged Access limits.

[Diagram 1: Mobility Domain 1 spanning Site-1, Site-2, Site-3 ... Site-N; each site has an MC fronting MA1, MA2 ... MA8]
[Diagram 2: (N) x independent Mobility Domains, each with its own MC and MA1 ... MA8, up to 4000 devices / 100 APs per Mobility Domain]

Page 7: Converged Access - DoD Design Discussion

Cisco Digital Network Architecture

Principles: Open & Programmable | Standards-Based; Open APIs | Developer Environment; Cloud-enabled | Software-delivered

§ Automation – Abstraction & policy control from core to edge
§ Cloud Service Management – Policy | Orchestration
§ Virtualization – Physical & virtual infrastructure | App hosting
§ Analytics – Network data, contextual insights
§ Outcomes – Insights & Experiences; Automation & Assurance; Security & Compliance; Network-enabled Applications

Page 8: Converged Access - DoD Design Discussion

Network Requirements for the Digital Organization – Wireless as Part of Your End-to-End Strategy

§ Insights & Experiences – Drive business innovations
  o Personalized engagement on mobile devices
  o Expose wireless-acquired data to applications
  o Combine network and business insight
§ Automation & Assurance – Speed, simplicity & visibility
  o Physical or virtual wireless services
  o Application policy across wireless, wired and WAN
  o Day zero wireless deployment
§ Security & Compliance – Real-time and dynamic threat defense
  o Employee and guest access based on deep context
  o Validate activity across wireless, wired and WAN
  o Accelerate security issue detection and resolution

Page 9: Converged Access - DoD Design Discussion

Traditional Wireless over the Fabric

[Diagram: Fabric Access, Fabric Border, Wireless Border (external WLC), Host Database (HTDB); "Device is fabric enabled"; CAPWAP transport]

                      Small Deployments                   Large Deployments
Scale                 250 Access Points; 4000 clients     15K Access Points; 150,000 clients
Policy Enforcement    WLC                                 WLC
Control & Data        CAPWAP                              CAPWAP

Page 10: Converged Access - DoD Design Discussion

Integrated Wireless on the Fabric – IT service for endpoints regardless of media type (wired or wireless)

[Diagram: Fabric Access, Fabric Border, Host Database (HTDB); WLC as an external service; unified policies for wired & wireless]

                      Small Deployments                   Large Deployments
Scale                 250 Access Points; 4000 clients     15K Access Points; 150,000 clients
Policy Enforcement    Fabric Access switch (unified policy for wired & wireless across Flex, Local and Converged Access modes)
Control Path          CAPWAP


Page 12: Converged Access - DoD Design Discussion

Cisco Wireless Government Certifications – Today

What's certified:
• All Cisco 11ac and 11n Access Points
• All appliance and integrated controllers
• MSE 8.0 and PI 2.2
• APL listing for WLAS (Wireless LAN Access System), WAB (Wireless Access Bridge) and WIDS (Wireless Intrusion Detection System)

Certification matrix by release (7.0, 8.0, IOS 3.6): FIPS, CC (Common Criteria), UCAPL (Unified Capabilities Approved Products List), CSfC (Commercial Solutions for Classified), USGv6

• Predictable wireless certification – the MD (maintenance deployment) software release gets certified; a common release for both Enterprise and Government customers
• Feature consistency and deployment flexibility
• Comprehensive certified end-to-end solution

Page 13: Converged Access - DoD Design Discussion

Cisco Wireless Government Certifications – Tomorrow

What will be certified:
• All current controllers and .11n/.11ac APs
• New .11ac Wave 2 APs, 3802/2802
• 5520/8540 controllers
• New controller/mesh platforms

Certification matrix by release (8.3, 16.3): FIPS, CC, UCAPL, CSfC, USGv6

• Predictable wireless certification – the MD software release gets certified; a common release for both Enterprise and Government customers
• Feature consistency and deployment flexibility
• Comprehensive certified end-to-end solution

Page 14: Converged Access - DoD Design Discussion

Converged Access – Foundation: UADP ASIC Technology

Catalyst 3650 (IOS XE Software)
- Up to 50 APs per stack (IOS XE 3.7.1 or later); only 25 APs per stack prior to IOS XE 3.7.1
- Up to 1,000 wireless clients
- Up to 40 Gbps wireless throughput (48-port models)

Catalyst 3850 (IOS XE Software)
- Up to 100 APs per stack (IOS XE 3.7.1 or later); only 50 APs per stack prior to IOS XE 3.7.1
- Up to 2,000 wireless clients
- Up to 40 Gbps wireless throughput (48-port models)

Page 15: Converged Access - DoD Design Discussion

The Solution: Cisco Multigigabit Ethernet

Delivers up to 5X speeds in the enterprise without replacing cabling: 2.5-5G over Cat 5e cables, for Wi-Fi > 1G, between a Multigigabit switch and a Multigigabit-capable AP.

• A game-changing technology allowing enterprise networks to evolve beyond 1G
• Enables 2.5 and 5 Gbps up to 100 m on legacy cables
• Supports all PoE standards up to 60 W

Cisco Multigigabit with

Page 16: Converged Access - DoD Design Discussion

Catalyst 3850 – Multigigabit Versions

48-port version
  Downlinks: 36 x 1G line-rate 10/100/1000BASE-T, 12 x GE/mGig/10GT line rate; PoE/PoE+/UPoE, EEE, MACsec
  Uplinks: 4 x 10GE SFP+, 2 x 40G QSFP (new), 8 x 10G SFP+ (new)

24-port version
  Downlinks: 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
  Uplinks: 4 x 10GE SFP+, 2 x 40G QSFP (new), 8 x 10G SFP+ (new)

All 3850 versions can stack with each other.


Page 18: Converged Access - DoD Design Discussion

Unified Wireless – Centralized Wireless Architecture

[Diagram: Core with DC, Internet and Mobility; WLC attached at the core; Access layer below]

Edge functions (on the WLC)
§ Central Access Management
  o Access Points – configuration, software, radio etc.
  o WLAN – SSID, policy based etc.
  o Wireless Edge Management – authenticator, logging etc.
§ Central Forwarding Management
  o Topology – hub-and-spoke forwarding design
§ Central Client Management
  o Security – authentication, authorization
  o VLAN – access tier between wired and overlay
  o Policy enforcement – QoS, security

Core functions (on the WLC)
§ License Management
  o Access Point license management
§ Mobility Database and Management
  o Wireless client database (local domain)
  o Inter-WLC Mobility Domain network
§ Guest Access
  o Anchor-based guest solution with an additional WLC
§ Central Wireless Services
  o Advanced wireless – CleanAir and Radio Resource Management (RRM)
  o Security – wIPS

Page 19: Converged Access - DoD Design Discussion

Unified Wireless – Distributed Wireless Architecture

[Diagram: Core with DC, Internet and Mobility; MC at the core/distribution; MAs on the access switches]

The traditional WLC's Edge and Core functions are as on the previous page (Central Access, Forwarding and Client Management, with policy enforcement extended to hybrid QoS, security, AVC etc.; License Management, Mobility Database and Management, Guest Access, Central Wireless Services). With Converged Access the Edge functions move to the access switches:

Edge functions (distributed to the MA switches)
§ Distributed Access Management
  o Access Points – configuration, software, radio etc.
  o WLAN – SSID, policy based etc.
  o Wireless Edge Management – authenticator, logging etc.
§ Distributed Forwarding Management
  o Topology – distributed forwarding design
§ Distributed Client Management
  o Security – authentication, authorization
  o VLAN – common access tier for wired and wireless
  o Policy enforcement – common QoS, security, AVC etc.

§ Converged Access ≠ FlexConnect. Converged Access = WLC + Ethernet Switch
§ All Wireless Controller Edge functions are distributed to the individual Ethernet switches; this is the more significant part of the operation
§ The Wireless Controller Core function becomes limited; this is the less significant part of the operation


Page 21: Converged Access - DoD Design Discussion

Converged Access – Where Do We Start? It all depends.

Design questions:
• How many APs per MA? How many APs per MC? How many clients?
• Who can be the MC? How many MCs? Where should the MC be? How do I design the MC in the distribution layer?
• How about MC redundancy? What happens when the MC fails?
• How do I design the SPG? Why do I need an SPG?
• How do I define the roaming boundary? What is a soft vs. hard roam? What is nomadic roaming?
• How many floors per building? How many APs per building? How many buildings per domain?
• How do I design guest? Do I need a Mobility Oracle?
• How do I design CA with FHRP? How do I design the subnet plan?
• Can I use different Catalyst models to build CA?
• What is New Mobility? Can I build IOS-to-AireOS mobility? Can I have roaming between CA and Centralized?
• How do I make an unsupported AP work?

Page 22: Converged Access - DoD Design Discussion

Converged Access – Systematic Design-to-Deploy Approach: 5 Design Steps for Success

Inventory | Foundation | Mobility | Roaming | Guest

1. Check Inventory
   ✓ Total building/site count
   ✓ Floor count per building
   ✓ Switch count per building
   ✓ AP count per building
   ✓ Client count per building
2. Foundation Design
   ✓ L2 or L3 network design
   ✓ Loop-free STP topology
   ✓ VSS / StackWise
   ✓ EtherChannels
   ✓ Cisco best practices
3. CA Design
   ✓ MC platform decision
   ✓ MC count per building
   ✓ MC placement
   ✓ MC redundancy
   ✓ Cisco best practices
4. Roaming Design
   ✓ Boundary limit
   ✓ SPG design
   ✓ L3 vs L2 roam
   ✓ Stack benefits
   ✓ Cisco best practices
5. Guest Design
   ✓ Anchor-based vs anchor-less
   ✓ IOS and AireOS interoperability
   ✓ Foreign tunnel scalability
   ✓ Stack benefits
   ✓ Cisco best practices

§ A systematic step-by-step design-to-deploy phase; no different networking principles are needed
§ Converged Access = 50% wireless and 50% wired: a single IT team effort to enable the architectural transition
§ Integrating wired and wireless best practices sets the converged foundation to deliver the expected, and better, results
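As an added example, not taken from the slides, this is the capacity check a designer would run at the Inventory and CA Design steps above, using the per-MC, per-sub-domain and per-domain limits from the scalability and deployment-recommendation slides earlier in the deck (IOS XE up to 3.7.0) and the per-stack AP increase for IOS XE 3.7.1+ from the UADP foundation slide. The site inventory, the `Site` and `size_domain` names, and treating the recommendation slide's "devices" as the client count are assumptions.

```python
"""Capacity check for a Converged Access mobility domain.

Limits are taken from the deck's scalability table and deployment
recommendation (IOS XE up to 3.7.0); the doubled per-stack AP count for
IOS XE 3.7.1+ is from the UADP foundation slide. The site numbers at the
bottom are a constructed sample, not a real inventory.
"""
import math
from dataclasses import dataclass

# Per-MC limits (APs, clients) up to IOS XE 3.7.0, from the scalability table.
PLATFORM_LIMITS = {"3650": (25, 1000), "3850": (50, 2000)}
MAX_MC_PER_DOMAIN = 8        # "Number of MC in Mobility Domain"
MAX_MA_PER_SUBDOMAIN = 16    # "Number of MAs in Sub-domain (per MC)"
# Per-domain caps (devices, APs) by roaming use case, from the recommendation slide.
DOMAIN_CAPS = {"seamless": (4000, 100), "nomadic": (2000, 50)}


@dataclass(frozen=True)
class Site:
    name: str
    aps: int
    clients: int
    mas: int  # access switches/stacks acting as Mobility Agents


def size_domain(sites, platform="3850", roaming="seamless", ios_xe_371_plus=False):
    """Return the MC count and a fit/split verdict for one mobility domain."""
    aps_per_mc, clients_per_mc = PLATFORM_LIMITS[platform]
    if ios_xe_371_plus:
        aps_per_mc *= 2  # 3.7.1+ doubles APs per stack (3650: 50, 3850: 100)
    cap_devices, cap_aps = DOMAIN_CAPS[roaming]

    total_aps = sum(s.aps for s in sites)
    total_clients = sum(s.clients for s in sites)
    total_mas = sum(s.mas for s in sites)

    # One MC per unit of whichever limit binds first: APs, clients or MAs per sub-domain.
    mcs = max(
        math.ceil(total_aps / aps_per_mc),
        math.ceil(total_clients / clients_per_mc),
        math.ceil(total_mas / MAX_MA_PER_SUBDOMAIN),
    )
    reasons = []
    if total_aps > cap_aps:
        reasons.append(f"{total_aps} APs exceeds {cap_aps} per {roaming} domain")
    if total_clients > cap_devices:
        reasons.append(f"{total_clients} devices exceeds {cap_devices} per {roaming} domain")
    if mcs > MAX_MC_PER_DOMAIN:
        reasons.append(f"{mcs} MCs exceeds {MAX_MC_PER_DOMAIN} per domain")

    # If one domain cannot hold the site set, split into N independent domains
    # (the slide's "(N) x independent Mobility Domains" option).
    domains = max(
        1,
        math.ceil(total_aps / cap_aps),
        math.ceil(total_clients / cap_devices),
        math.ceil(mcs / MAX_MC_PER_DOMAIN),
    )
    return {
        "platform": platform,
        "roaming": roaming,
        "total_aps": total_aps,
        "total_clients": total_clients,
        "total_mas": total_mas,
        "mcs_required": mcs,
        "fits_single_domain": not reasons,
        "reasons": reasons,
        "independent_domains": domains,
    }


# Constructed sample inventory: two buildings of one campus.
SAMPLE_SITES = [
    Site("Site-1", aps=40, clients=1500, mas=6),
    Site("Site-2", aps=45, clients=1800, mas=8),
]

if __name__ == "__main__":
    for plat, roam in (("3850", "seamless"), ("3850", "nomadic"), ("3650", "seamless")):
        r = size_domain(SAMPLE_SITES, plat, roam)
        verdict = "fits one domain" if r["fits_single_domain"] else (
            f"split into {r['independent_domains']} domains: " + "; ".join(r["reasons"]))
        print(f"{plat}/{roam}: {r['mcs_required']} MC(s), {verdict}")
```

The same 85-AP, 3300-client inventory fits a single seamless-roaming domain on two 3850 MCs but not a nomadic-roaming domain, which has half the cap; on 3650 the AP and client limits both push the count to four MCs, still within the eight allowed per domain.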

Page 23: Converged Access - DoD Design Discussion

Converged Access – One Technology Fits Many Needs

§ Inventory – Different building/floor plans and sizes, reflected in AP, client and network device scale
§ Mobility – Variable scale limits at each site introduce variable Mobility designs, from the site down to the block level
§ Roaming – The Mobility design sets variable-size seamless roaming boundary limits for building a pervasive wireless infrastructure
§ Guest – The three-tier Mobility design also requires evaluating a Guest wireless solution that can scale

[Diagram: Controller-less single-switch branches (each switch is MC/MA); a controller-less single/multi-domain branch with Sub-Domain-1/SPG-1 and Sub-Domain-2/SPG-2, each an MC/MA plus MAs behind distribution switches; Internet with GA; DC with CPI and ISE]

Each network design has a consistent solution for variable deployments.

Page 24: Converged Access - DoD Design Discussion

Converged Access – ONE Network = ONE IT

[Diagram: four deployment shapes – Controller-less single-switch branch; Controller-less single/multi-domain branch; Controller-less multi-domain branch/campus; Controller-based multi-domain campus (Sub-Domain-1/SPG-1 and Sub-Domain-2/SPG-2, each with a dedicated MC and MAs behind distribution switches)]

Tight wired and wireless IT team collaboration: 50% wireless, 50% wired

Wireless IT Team – breadth of wireless knowledge:
§ Mobility and wireless architecture
§ Deep RF network understanding
§ Device and network operation
§ Wireless security and services
§ Wireless endpoint experience
§ Much more...

Wired IT Team – deep foundation knowledge:
§ End-to-end network architecture
§ Expert in route/switch designs
§ IOS device and network operation
§ Network security and services
§ Wireless endpoint experience
§ Much more...

Win together with Converged Access. Success!

Page 25: Converged Access - DoD Design Discussion

Converged Access – Set Foundation Right! Simplify to Scale

[Diagram: Distribution and Access layers in three shapes – Branch L2 network design, Campus L2 network design, Campus L3 network design]

Cisco Validated Design Guide: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.pdf

✓ Aggregation – A system that provides control/data-plane scale for the common wired/wireless network, i.e. MAC entries, MAC moves due to roaming, CPU scale to support link-local broadcast/multicast traffic etc.
✓ System Design – VSS or StackWise and EtherChannels. Build simple system and network topologies to scale
✓ Network Design – Multilayer or Routed Access. Consider VLAN span, L2 roam, subnets with Routed Access
✓ Best Practices – Follow Cisco recommended best practices to set the foundation right for Converged Access

Page 26: Converged Access - DoD Design Discussion

Converged Access – Set Foundation Right! Simplify to Scale

Cisco Validated Design Guide: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.pdf

[Diagram: Access and Distribution layers. Traditional wireless has a wired L2/L3 boundary at distribution and a separate wireless L2/L3 boundary at the WLC, each holding its own MAC addresses, IP addresses, IGMP state and broadcast/multicast traffic; Converged Access puts both at the distribution block]

§ Separate L2/L3 boundaries for wired and wireless users in traditional wireless deployments become a common boundary with the next-generation Converged Access wireless solution
§ A common block means more MAC addresses, more IP addresses and a larger flood domain
§ Catalyst platforms scale to support this, but a solid L2/L3 foundation design is required for optimal performance

Page 27: Converged Access - DoD Design Discussion

Converged Access – Set Foundation Right! Simplify to Scale

Three VLAN designs for the access/distribution block (VLAN numbers as on the slide; each triple is one VLAN per access switch):

Design 1 (Recommended): separate wired and wireless VLAN per access switch
  Wired VLAN 101 / 201 / 301; Wireless VLAN 102 / 202 / 302
  Pros:
  • Structured and intuitive addressing plan
  • Contained flood/fault domain
  • Unique policy for wired vs. wireless
  • Deterministic DHCP pool operation
  • Cisco recommended design
  Cons:
  • May require more subnets
  • Subnet sizing may require extra planning

Design 2: one shared wired + wireless VLAN per access switch
  Wired + Wireless VLAN 101 / 201 / 301
  Pros:
  • Fewer VLANs and subnets
  Cons:
  • A dual-homed device (wired and wireless on the same subnet) may impact applications
  • Cannot enforce unique access policies: wired and wireless endpoints share one VLAN and subnet
  • Challenging to plan subnets

Design 3: per-switch wired VLAN, one wireless VLAN spanning the distribution block
  Wired VLAN 101 / 201 / 301; Wireless VLAN 102 on every access switch
  Pros:
  • Partially structured addressing plan
  • Traditional CUWN VLAN design
  • Unique policy for wired vs. wireless
  Cons:
  • VSS/StackWise required in distribution
  • Large link-local broadcast/multicast flood domain
  • STP fault domain widens in a large network
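As an added example, not taken from the slide, the following planner builds the VLAN and subnet plan for each of the three designs above from a constructed access-block inventory and reports what the pros/cons lists describe in words: the size of the largest L2 flood domain and whether wired and wireless endpoints can carry distinct policy. The host counts, the 10.10.0.0/16 pool, the 1.5x growth factor and the `AccessBlock`, `SubnetPool` and `plan` names are assumptions.

```python
"""VLAN/subnet planner for the three Converged Access VLAN designs.

Design 1: wired + wireless VLAN per access switch (101/102, 201/202, ...).
Design 2: one shared VLAN per access switch (101, 201, ...).
Design 3: wired VLAN per switch plus one wireless VLAN 102 spanning the block.
The inventory and address pool at the bottom are constructed sample input.
"""
import ipaddress
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessBlock:
    """One access switch/stack and the endpoints behind it."""
    name: str
    wired_hosts: int
    wireless_hosts: int


def prefix_for(hosts: int, growth: float = 1.5) -> int:
    """Smallest prefix length holding `hosts` endpoints with growth headroom
    plus the network, broadcast and gateway addresses."""
    needed = math.ceil(hosts * growth) + 3
    return 32 - math.ceil(math.log2(needed))


class SubnetPool:
    """Carves correctly aligned subnets of varying size out of one supernet."""

    def __init__(self, supernet: str):
        self.net = ipaddress.ip_network(supernet)
        self.cursor = int(self.net.network_address)

    def take(self, plen: int) -> ipaddress.IPv4Network:
        size = 1 << (32 - plen)
        start = -(-self.cursor // size) * size  # round cursor up to a /plen boundary
        if start + size - 1 > int(self.net.broadcast_address):
            raise ValueError("address pool exhausted")
        self.cursor = start + size
        return ipaddress.ip_network((start, plen))


def plan(blocks, design: int, supernet: str = "10.10.0.0/16"):
    """Return the VLAN/subnet plan for design 1, 2 or 3 of the slide."""
    if design not in (1, 2, 3):
        raise ValueError("design must be 1, 2 or 3")
    pool = SubnetPool(supernet)
    vlans = []  # (vlan id, role, member blocks, hosts, subnet)
    for i, b in enumerate(blocks, start=1):
        if design == 1:
            vlans.append((100 * i + 1, "wired", [b.name], b.wired_hosts,
                          pool.take(prefix_for(b.wired_hosts))))
            vlans.append((100 * i + 2, "wireless", [b.name], b.wireless_hosts,
                          pool.take(prefix_for(b.wireless_hosts))))
        elif design == 2:
            hosts = b.wired_hosts + b.wireless_hosts
            vlans.append((100 * i + 1, "wired+wireless", [b.name], hosts,
                          pool.take(prefix_for(hosts))))
        else:
            vlans.append((100 * i + 1, "wired", [b.name], b.wired_hosts,
                          pool.take(prefix_for(b.wired_hosts))))
    if design == 3:
        # One wireless VLAN spans every access switch in the distribution block,
        # so its flood domain is the sum of all wireless hosts.
        hosts = sum(b.wireless_hosts for b in blocks)
        vlans.append((102, "wireless", [b.name for b in blocks], hosts,
                      pool.take(prefix_for(hosts))))
    return {
        "design": design,
        "vlans": [{"vlan": v, "role": role, "members": members, "hosts": hosts,
                   "subnet": str(net)} for v, role, members, hosts, net in vlans],
        # Largest single L2 flood/fault domain: hosts sharing one VLAN.
        "largest_flood_domain": max(h for _, _, _, h, _ in vlans),
        # VLAN/subnet-keyed policy can only tell wired from wireless if they never share a VLAN.
        "separate_wired_wireless_policy": all(
            role in ("wired", "wireless") for _, role, _, _, _ in vlans),
    }


SAMPLE_BLOCKS = [  # constructed inventory: three access stacks in one distribution block
    AccessBlock("Access-1", wired_hosts=120, wireless_hosts=300),
    AccessBlock("Access-2", wired_hosts=80, wireless_hosts=250),
    AccessBlock("Access-3", wired_hosts=150, wireless_hosts=400),
]

if __name__ == "__main__":
    for d in (1, 2, 3):
        p = plan(SAMPLE_BLOCKS, d)
        print(f"Design {d}: largest flood domain {p['largest_flood_domain']} hosts, "
              f"distinct wired/wireless policy: {p['separate_wired_wireless_policy']}")
        for v in p["vlans"]:
            print(f"  VLAN {v['vlan']:>3} {v['role']:<15} {v['subnet']:<16} {', '.join(v['members'])}")
```

On this inventory Design 1 needs six subnets but caps any one flood domain at 400 hosts, Design 2 halves the subnet count but merges wired and wireless into one VLAN per switch (so no per-media policy), and Design 3 keeps policy separation at the cost of a single 950-host wireless VLAN stretched across the whole block, which is the large flood domain and widened STP fault domain the slide warns about.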

Page 28: Converged Access - DoD Design Discussion

Converged Access – MC over WAN Summary: Not Recommended / Not Supported

§ Architecturally non-recommended deployment design
§ Converged Access MC ≠ Traditional WLC
§ No key operational benefit in pushing the Core function boundary across the WAN
§ All Edge configuration and function remains fully distributed to each access-layer MA switch
§ Solve operational simplicity with the new Cisco Prime Infrastructure workflows, or alternatively with the "MC managing MA" IOS feature if Cisco Prime is unavailable