Cisco Unified Wireless Network and Converged access – Design session
Flavien RICHARD 
Technology Solutions Architect 
November 2014 
© 2014 Cisco and/or its affiliates. All rights reserved. 1
2
Wireless Standards: Past, Present, and Future
[Figure: CLIENTS / BANDWIDTH against a timeline: Early 2000, 2002, 2004, 2006, 2008, 2010, 2012, 2014, 2016]
• 802.11a, 802.11b: 11 Mbps
• 802.11g: 54 Mbps
• 802.11n: 450 Mbps
• 802.11ac-1: ~1 Gbps
• 802.11ac-2: 3.5 Gbps
• Future? 10 Gbps, New Frequencies?
3 
Casual Pervasive 
System Management 
Capacity 
Self Healing 
and Optimizing 
Hotspot 
indoors 
Media Rich 
Applications 
Mission Critical 
CleanAir 
Business Critical 
High Performance 
High Density
4
5 
How Many Mobile Data Devices 
Do You Think You will Carry Everywhere in 2016? 
Think about it, and choose the best answer 
1 3 5 7
6 
Unified Access: One Policy, One Management, One Network
Uncompromised User Experience in Any Workspace
7 
• The Industry is now talking about Unified Access 
Gartner Magic Quadrant: wireless and wired together 
Wired, Wireless: who cares what is the access technology? 
What customers care about is the overall Network experience
• The industry recognizes Cisco’s Leadership 
Leader since 2012 (since WiFi and LAN are reported together) 
Executing Better than any competitor 
We have the largest Development Team in the industry 
We have the largest Patent Portfolio in the industry 
We are taking Market Share from competitors 
We are innovating faster than the competition
8 
2500 Virtual WLC e.g. 
UCS-E on ISR G2 
Large Campus Service Provider 
Flex 7500 
5508 WISM2 5760 8500 
Catalyst 3850 Virtual 
Controller 
• 12 to 500 APs 
• 7000 clients 
• 8 Gbps 
• 100 to 1000 APs 
• 15,000 clients 
• 20 Gbps 
• Catalyst 6500E/6807 
• 25 to 1000 APs 
• 12,000 clients 
• 60 Gbps 
• 100 to 6000 APs 
• 64,000 clients 
• 10 Gbps 
Small Campus / Branch (Controller On-Premise) Branch (Controller in DC) 
• 5 to 75 APs 
• 1000 clients 
• 1 Gbps 
• 5 to 200 APs 
• 3000 clients 
• 500 Mbps 
• 1-50 APs per switch/stack 
(Directly connected APs) 
• 2000 clients per stack 
• 40 Gbps per switch 
• 5 to 200 APs 
• 6000 clients 
• 500 Mbps 
• 300 to 6000 APs 
• 64,000 clients 
• 1 Gbps central 
Catalyst 3650 
• 1-25 APs per switch/stack 
(Directly connected APs) 
• 1000 clients per stack 
• 40 Gbps per switch 
AireOS Controllers have a rich roadmap and are the lead WLC platforms for 2015
9 
• 50% of enterprise traffic will originate on WiFi by 2017
• Half (50%) of all new Wi-Fi devices at the end of 2014 are 802.11ac capable (ABI Research)
• Investment protection: 802.11ac Wave 1 can fulfill smartphone and tablet bandwidth requirements for 5+ years
• 802.11ac improves speed by 3X and battery efficiency by 2X for smartphones, tablets, and laptops
• Why Cisco for 802.11ac:
• Backward compatible at the same price as 802.11n
• Locally manufactured APs 2700 and 3700 !
• Only vendor already committed to Wave 2 on existing APs
• HDX technology: Turbo scheduler, CL3.0, Optimized roaming
• More info: http://cisco.com/c/en/us/products/collateral/wireless/aironet-3700-series/white-paper-c11-731923.html
10 
At 11 Mbps (802.11b)?
At 54 Mbps (802.11a or g)?
At 300 Mbps (802.11n5:2SS)?
At 866 Mbps (802.11ac:2SS)?
Samsung Galaxy S5 supports MIMO 2x2:2SS 802.11ac for the first time on a smartphone (866 Mbps)!
How many packets can I transmit at that speed compared to the other speeds above?
11 
Enterprise Class 
1K Family 
Mission Critical 
2K Family 
Best in Class 
3K Family 
Sub 1K Family 
AP-702 & 702W 
OEAP-600 
AP-3600 
AP-3700 
AP-1600 
AP-1700 
AP-2600 
AP-2700 
AP-3500
12 
with Integrated 
802.11ac (4x4:3) 
• Industry’s first 4x4 MIMO : 3 SS 802.11ac AP 
• 2-3X performance of 802.11n 5 GHz Wi-Fi
• Higher performance at a greater distance 
• RF Excellence enabled in hardware 
• High Density Experience Technology 
• Higher Client density, scale and performance 
• Future proofed design 
• Modular Architecture = investment protection 
• Security, 3G Small Cell or Wave 2 802.11ac 
module options
13 
• 3x4 MIMO:3 SS 802.11ac AP 
• High Density Experience Technology 
• Client density scale and performance 
• Implicit Beam Forming – aka ClientLink 3.0, as 
well as Explicit BeamForming 
• 2 GigE Ports 
• 2nd Port provides downward device connectivity 
only (no other AP or PoE out) 
• Antenna Support 
• Supports all the antennas available for the 3700; 
3600, 2600 and 1600 
• Available since 7.6.120 and 3.6 IOS-XE 
with Integrated 802.11ac (3x4:3)
14
15 
Customized AP Design (Cisco AP3700 and AP2700): ASIC-driven RF Architecture
[Figure labels: Radio – 2.4GHz; Radio – 5GHz; DSP, DRAM (128MB), CPU 384 MHz; DSP, DRAM (128MB), CPU 512 MHz; DRAM (512MB), Dual-Core* CPU 800 MHz]
ASIC design allows on-radio CPU and memory for distributed packet processing and throughput maximizing. Architecture also allows unique 4x4 MIMO antenna design.
Traditional AP Design (Competition): Merchant Silicon
[Figure labels: Radio – 2.4GHz; Radio – 5GHz; DRAM (512MB), Dual-Core CPU 800MHz]
Merchant silicon architecture is heavily dependent on the single CPU for all functions.
Processors: Merchant Silicon 1x Dual Core | Cisco AP3700 and AP2700 6x Total (1x Dual Core, 2x Radio, 2x DSP)
Memory: Merchant Silicon 512 MB | Cisco AP3700 and AP2700 768 MB
*1 Core Enabled Today, 1 Reserved for Future Use
17 
Cisco Aironet 702W Series
AP is supported using 7.6.120 code onwards
Max Data Rate: 300 Mbps per radio
Radio Design, MIMO: Spatial Streams: Dual-Radio, 2x2:2
Local Ethernet Ports: 4 x GE
Powering Capability: 1 x GE port PoE out
Max No. Clients: 200
BandSelect: ✔
VideoStream: ✔
Rogue AP Detection: ✔
Adaptive wIPS: ✔
Monitor Mode: ✔
FlexConnect: ✔
Converged Access: (Future)
Autonomous: (Future)
Data Uplink (Mbps): 10/100/1000
Power: 802.3af/at, AC Adapter
Security lock: Torx screw, Kensington lock
Temperature Range: 0 – 40° C
• Cisco Aironet Wall Mount AP is targeted for Multi Dwelling Unit (MDU), Hospitality, and Schools Deployments seeking a high-performance in-room Wireless + Wired Access Device
• Designed for ease of mounting to numerous global wall-box standards
• Robust enterprise-class design and RF performance
• Simultaneous, Dual Radio & Dual Band with Integrated Antennas
• 4x GE Ethernet Ports, 1x WAN GE port
• Dimensions: 15x10x3 cm
18 
Base: 1530
• Low Profile, Low Price
• 11n, 2G: 3x3:3; 5G: 2x3:2
• Internal or External Antennas
• -30°C to +65°C
Highly Versatile: 1550
• Multiple models & features
• Enterprise, MSO
• DOCSIS3.0 8x4
• 11n, 2x3:2
• Int/External Antennas
• -40°C to +65°C
Best in Class: 1570
• High-end Enterprise, MSO
• 802.11ac, 4x4:3
• NG-Cable: 24x8
• Int/External Antennas
• Modular: Future Proof
• -40°C to +65°C
19 
NEW Access Points
• Indoor: AP700w—Wall Plate, AP1700—fixed lower end, AP2700 – fixed 802.11ac, 3G Small Cell Module for AP3600 and AP3700
• Outdoor: AP1570, 1550WU—Emerson Sensor Gateway
NEW Capabilities and Functionality
• Connected Mobile Experiences (Phase 2)
• High Density Experiences (Phase 1) – CleanAir 80 MHz, ClientLink 3.0
• Microsoft Lync 2013 Certification
• Application Visibility and Control (Phase 2 and 3)
• Bonjour Services Directory (Phase 2 and 3)
• IOS: Stateful Switchover, AVC, Bonjour
• IOS: Integrated policy and device profiling
• IOS: 802.11u, 802.11k, 802.11r, 802.11w
NEW WLAN Controllers
• Converged Access (SDN-Ready): Catalyst 3650, Catalyst 4500 ♯
♯ Sup 8E hardware supervisor with UADP Converged Access exists, software due end of 2014
[Figure labels: 3G Small Cell Module; 802.11ac Wave 1 Module; 1530; 1570; AP700 Wall Plate; AP3700 802.11ac; AP2700 802.11ac; Catalyst 3650; Catalyst 4500]
Unified Access Wireless 
Deployment modes 
21 
Autonomous | FlexConnect | Centralized | Converged Access
Standalone APs | Traffic Distributed at AP | Traffic Centralized at Controller | Traffic Distributed at Switch
Target Positioning: Small Wireless Network | Branch | Campus | Branch and small Campus
Purchase Decision: Wireless only | Wireless only | Wireless only | Wired and Wireless
Benefit
• Simple and cost-effective
• Enterprise Class AP quality
• Provides Bridge functionality
• Highly scalable for large number of branches
• No controller at branch
• Most feature rich solution
• Wireless Traffic visibility at the controller
• Wired & Wireless common operations
• One Enforcement Point
• One OS (IOS)
• Traffic visibility at every network layer
• Performance optimized for 11ac
Key considerations
• Limited features
• First step to Controller based
• Very limited automation
• L2 roaming only
• Branch with WAN bw and latency requirements
• Top Performance and Scalability
• Full Access layer evolution (3650/3850)
WAN
22 
• Scalability 
Zero-touch configuration 
Centralized configuration management, image management and troubleshooting 
• Radio Frequency (RF) Management 
System wide view of RF – Cisco Leader 
Dynamic Channel Selection, Dynamic Power Settings, Coverage Hole Detection/Mitigation (RRM) 
Advanced Interference Handling (CleanAir) – Cisco Only 
• Advanced Mobility Services – Investment protection 
Advanced Location based Services (CMX) – Cisco Only 
Optimized end-end multicast delivery (VideoStream) – Cisco Only 
Advanced Wireless IPS (aWIPS) 
Advanced Roaming (802.11r)
23 
Radio Frequency High Availability 
• What are Radio Resource Manager’s objectives? 
Provide a system wide RF view of the network at the Controller (only Cisco!!) 
Dynamically balance the network and mitigate changes 
Manage Spectrum Efficiency so as to provide the optimal throughput under changing conditions 
• What’s RRM?
DCA—Dynamic Channel Assignment
TPC—Transmit Power Control
CHDM—Coverage Hole Detection and Mitigation
• RRM best practices
RRM settings to auto for most deployments (High Density is a special case)
Design for most radios set at mid power level (level 3 for example)
Survey for lowest common client type and technology supported 
RRM doesn’t replace the site survey and doesn’t create spectrum 
For more info: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072c759.shtml
24 
• CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller.
CAPWAP is an open protocol (IETF RFC)
Control Plane UDP 5246 (DTLS encrypted), Data plane UDP 5247 (optionally encrypted)
• Access points discover and join a CAPWAP controller
• Configuration and firmware can be pushed from the controller
• Statistics gathering and wireless security
[Figure labels: Wi-Fi Client; Access Point; CAPWAP Controller; Business Application; Control Plane; Data Plane]
25 
• The CAPWAP protocol supports two modes of operation
Split MAC (centralized mode). AP is in Local Mode (default)
Local MAC (FlexConnect)
• Split MAC
[Figure labels: Wi-Fi Client; Access Point; Controller; Wireless Phy; MAC Sublayer; CAPWAP Data Plane; Wireless Frame; 802.3 Frame]
26 
• Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames
[Figure labels: Wi-Fi Client; Access Point; Controller; Wireless Phy; MAC Sublayer; Wireless Frame; 802.3 Frame]
• FlexConnect supports locally bridged MAC and split MAC per SSID
• Tunnel mode is not implemented by Cisco
27 
• Centralized configuration and policy enforcement of the Wireless LAN 
• All access to network resources goes through the controller 
RADIUS, DHCP, DNS, VLANs etc (assuming AP in Local Mode) 
• Controller acts as security gateway for clients 
Authentication profiles, ACL enforcement, Bandwidth controls 
• Manages all access points on the network 
Auto Channel and power assignments, coverage hole detection, firmware upgrade, statistics gathering, IDS & rogue AP Detection, RF analysis
• No need to re-subnet the network for deployment (L2/L3 Roaming)
Simple plug and play deployment model, APs can be dropped into any local or remote network segment.
Campus Design and 
Deployment options 
30 
• Components 
• Wireless LAN controllers 
• Aironet Access Points 
• Management (Prime Infrastructure) 
• Mobility Service Engine (MSE) 
• Principles 
• Overlay Architecture 
• Based on AireOS software 
• AP must have CAPWAP connectivity with WLC 
• Configuration downloaded to AP by WLC 
• All Wi-Fi traffic is forwarded to the WLC 
[Figure labels: Wireless LAN Controller; Aironet Access Point; Cisco Prime Infrastructure; MSE; Campus Network]
31 
Existing Unified Wireless Deployment today
Well-known, proven architecture
[Figure labels: Mobility Group; Data Center / Service block; WLC #1; WLC #2; “Guest” Anchor WLC; PI; ISE; AP (x4); SSID1, SSID2, SSID3; Intranet; Internet; CAPWAP Tunnels, Encrypted (see Notes); SSID – VLAN Mapping (at controller); EoIP Mobility Tunnel ( ≤ 7.2 or 7.4), CAPWAP Option in 7.3, ≥ 7.6]
Legend: AP-Controller CAPWAP Tunnel (802.11 Control Session + Data Plane); Inter-Controller EoIP / CAPWAP Tunnel; Inter-Controller (Guest Anchor) EoIP / CAPWAP Tunnel
Notes –
• AP / WLC CAPWAP Tunnels are an IETF Standard
• UDP ports used –
• 5246: Encrypted Control Traffic
• 5247: Data Traffic (non-Encrypted or DTLS Encrypted (configurable))
• Inter-WLC Mobility Tunnels
• EoIP – IP Protocol 97 … AireOS 7.3 introduced CAPWAP option
• Used for inter-WLC L3 Roaming and Guest Anchor
32
Existing Unified Wireless Deployment today
Additional details on controller functionality
Mobility Controller (MC): Handles Roaming, RRM, AP licenses, WIPS, etc.
Mobility Agent (MA): Terminates CAPWAP Tunnels, Maintains Client Database
These will become important later as we delve into the Converged Access deployment …
[Figure labels: Mobility Group; Data Center / Service block; WLC #1 (MC, MA); WLC #2 (MC, MA); “Guest” Anchor WLC (MC, MA); PI; ISE; AP (x4); SSID1, SSID2, SSID3; Intranet; Internet; CAPWAP Tunnels; EoIP Mobility Tunnel ( ≤ 7.2 or 7.4), CAPWAP Option in 7.3, ≥ 7.6]
33
Existing Unified Wireless Deployment today
[Figure labels: WiSM2s / 5508s (MC, MA); Layer 2 Mobility Group; Campus Access; Campus Services; Data Center; Data Center-DMZ; Guest Anchors; Internet; ISE; PI; PoP; PoA]
Point of Presence (PoP) vs. Point of Attachment (PoA) –
• PoP is where the wireless user is seen to be within the wired portion of the network
• Anchors client IP address
• Used for security policy application
• PoA is where the wireless user has roamed to while mobile
• Moves with user AP connectivity
• Used for user mobility and QoS policy application
• Now, let’s see how mobility works when a user roams in this deployment model …
34 
Mobility Group defined:
• Group of Wireless LAN Controllers (WLCs) in a network with the same Mobility Group name
• Provides Seamless Mobility and Fast roaming for clients
• Up to 24 WLC members in one Mobility Group, statically configured
• Full mesh of tunnels between members
Messages can be sent using Multicast
• Mobility Control Messages
UDP port 16666 for un-encrypted traffic
• User Data traffic
EoIP (IP protocol 97) or CAPWAP (UDP 5246)
• NAT between members is supported
[Figure labels: Mobility Group; WLC 1; WLC 2; WLC 3; WLC 4]
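The port and protocol numbers given in the slides above (CAPWAP UDP 5246/5247, mobility control UDP 16666, EoIP IP protocol 97) can be turned into a check on captured traffic that answers whether the optionally encrypted CAPWAP data plane is actually DTLS-protected. This is an added example, not part of the original slides and not Cisco code; the preamble and DTLS record parsing follows RFC 5415, and the addresses and packets are constructed samples.

```python
import struct
from typing import Iterable, List, NamedTuple, Tuple

UDP, EOIP = 17, 97                        # IP protocol numbers; 97 = EoIP per the slides
CAPWAP_CONTROL, CAPWAP_DATA = 5246, 5247  # UDP ports from the slides
MOBILITY_CONTROL = 16666                  # UDP port from the slides
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
DTLS_TYPES = {20: "change_cipher_spec", 21: "alert",
              22: "handshake", 23: "application_data"}

# (src_ip, dst_ip, ip_proto, src_port, dst_port, udp_payload)
Packet = Tuple[str, str, int, int, int, bytes]


class Verdict(NamedTuple):
    plane: str       # which tunnel or plane the packet belongs to
    protected: bool  # True only when DTLS framing was positively identified
    detail: str


def capwap_protection(payload: bytes) -> Tuple[bool, str]:
    """Read the RFC 5415 preamble: high nibble = version, low nibble = type
    (0 = plain CAPWAP header follows, 1 = CAPWAP DTLS header follows)."""
    if not payload:
        return False, "empty payload"
    version, kind = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        return False, f"unexpected CAPWAP version {version}"
    if kind == 0:
        # Discovery messages on the control port are plain by design.
        return False, "plain CAPWAP header"
    if kind != 1:
        return False, f"unknown preamble type {kind}"
    # 4-byte CAPWAP DTLS header, then a 13-byte DTLS record header.
    if len(payload) < 4 + 13:
        return False, "truncated DTLS record"
    ctype, dtls_ver, epoch = struct.unpack_from("!BHH", payload, 4)
    if ctype not in DTLS_TYPES or dtls_ver not in DTLS_VERSIONS:
        return False, "preamble claims DTLS but record header is malformed"
    # Epoch 0 records are handshake traffic sent before keys are established.
    return True, f"{DTLS_VERSIONS[dtls_ver]} {DTLS_TYPES[ctype]} epoch={epoch}"


def classify(ip_proto: int, sport: int, dport: int, payload: bytes) -> Verdict:
    """Map one packet onto the planes named in the slides."""
    if ip_proto == EOIP:
        return Verdict("mobility-data-eoip", False, "IP protocol 97 tunnel")
    if ip_proto != UDP:
        return Verdict("other", False, "not a wireless infrastructure tunnel")
    ports = {sport, dport}
    if MOBILITY_CONTROL in ports:
        return Verdict("mobility-control", False, "UDP 16666, un-encrypted per the slides")
    if CAPWAP_CONTROL in ports or CAPWAP_DATA in ports:
        plane = "capwap-control" if CAPWAP_CONTROL in ports else "capwap-data"
        protected, detail = capwap_protection(payload)
        return Verdict(plane, protected, detail)
    return Verdict("other", False, "not a wireless infrastructure tunnel")


def cleartext_data_flows(packets: Iterable[Packet]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs whose CAPWAP data plane carried plain headers."""
    flows = set()
    for src, dst, proto, sport, dport, payload in packets:
        verdict = classify(proto, sport, dport, payload)
        if verdict.plane == "capwap-data" and not verdict.protected:
            flows.add((src, dst))
    return sorted(flows)


def _dtls(ctype: int, epoch: int, version: int = 0xFEFD) -> bytes:
    """Build a constructed CAPWAP DTLS packet: header, record header, dummy body."""
    body = b"\x00" * 16
    record = struct.pack("!BHH", ctype, version, epoch) + b"\x00" * 6
    return b"\x01\x00\x00\x00" + record + struct.pack("!H", len(body)) + body


# Constructed sample capture (addresses and payloads are illustrative only).
SAMPLE: List[Packet] = [
    ("10.0.10.21", "10.0.0.5", UDP, 49152, 5246, _dtls(23, 1)),
    ("10.0.10.21", "10.0.0.5", UDP, 49152, 5247,
     b"\x00\x10\x03\x20\x00\x00\x00\x00" + b"\xaa" * 32),
    ("10.0.10.22", "10.0.0.5", UDP, 49153, 5247, _dtls(23, 1, 0xFEFF)),
    ("10.0.0.5", "10.0.0.6", UDP, 16666, 16666, b"\x00" * 24),
    ("10.0.0.5", "10.0.0.6", EOIP, 0, 0, b"\x00" * 40),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt[0], "->", pkt[1], classify(*pkt[2:]))
    print("APs with clear-text data plane:", cleartext_data_flows(SAMPLE))
```

Only the first AP in the sample is reported, because its UDP 5247 payload starts with a plain CAPWAP preamble rather than a CAPWAP DTLS header.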
36 
[Figure labels: WLC 1 and WLC 2, each with a Client Database; client context; VLAN X; Mobility Message Exchange; Roaming Data Path]
• Layer 2: same VLAN present on both controllers
• Client database context is moved from WLC1 to WLC2
• Client database is updated with new AP and security info
• Client becomes LOCAL to WLC-2. WLC-2 advertises reachability to the client
• No IP address refresh needed. Data flows as shown
37 
Existing Unified Wireless Deployment today
[Figure labels: WiSM2s / 5508s (MC, MA); Layer 2 Mobility Group; Campus Access; Campus Services; Data Center; Data Center-DMZ; Guest Anchors; Internet; ISE; PI; PoA; PoP]
• Initially, the user’s PoP and PoA are co-located on the same controller
• The controllers within the DC share a common set of user VLANs at Layer 2
• Initially, the user’s traffic flow is as shown …
38 
Existing Unified Wireless Deployment today
[Figure labels: WiSM2s / 5508s (MC, MA); Layer 2 Mobility Group; Campus Access; Campus Services; Data Center; Data Center-DMZ; Guest Anchors; Internet; ISE; PI; PoA; PoP]
• Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
• The user’s PoP and PoA both move to the new controller handling that user after the roam (possible since the controllers in this deployment model are all L2-adjacent within the VLANs) …
• After the roam, the user’s traffic flow is as shown …
39 
[Figure labels: WLC 1 (VLAN X) and WLC 2 (VLAN Z), each with a Client Database; client context; Mobility Message Exchange]
• Layer 3: different client VLAN on controllers
• WLC-2 knows it doesn’t have VLAN X
• Client database entry is copied from WLC1 to WLC2
• Client database is updated with new AP and security info
40 
[Figure labels: WLC 1 (VLAN X) and WLC 2 (VLAN Z), each with a Client Database and client context; Mobility Message Exchange; EoIP tunnel; Roaming Data Path]
• WLC-1 is still the “anchor” for the client session
• Traffic goes through the EoIP tunnel and exits again in VLAN X
• No IP address change needed
41 
Existing Unified Wireless Deployment today
[Figure labels: 5508 / WiSM-2 (MC, MA); Layer 3 Mobility Group; Campus Access; Campus Services; Data Center; Data Center-DMZ; Guest Anchors; Internet; ISE; PI; PoP; PoA]
• Initially, the user’s PoP and PoA are co-located on the same controller
• Note – in this deployment model, it is assumed that all of the controllers across the Campus do not share a common set of user VLANs at Layer 2 … (i.e. the controllers are all L3-separated)
• Initially, the user’s traffic flow is as shown …
42 
Existing Unified Wireless Deployment today
[Figure labels: 5508 / WiSM-2 (MC, MA); Layer 3 Mobility Group; Symmetric Mobility Tunneling; Campus Access; Campus Services; Data Center; Data Center-DMZ; Guest Anchors; Internet; ISE; PI; PoP; PoA]
• Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
• The user’s PoA moves to the new controller handling that user after the roam – but the user’s PoP stays fixed on the original controller that the user associated to
• This is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming
• After the roam, the user’s traffic flow is as shown …
43 
Existing Unified Wireless Deployment today
[Figure labels: 5508 / WiSM-2 (MC, MA); Layer 3 Mobility Group; Guest Anchors (MC, MA); Campus Access; Campus Services; Campus; Data Center; Data Center-DMZ; Internet; ISE; PI; PoP; PoA]
• Now, let’s examine roaming with Mobility Anchor use …
• When using Mobility Anchors, the user’s PoP is always located at the Mobility Anchor controller ... while the user’s PoA moves as the user roams …
• Again, this is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming
• Before the roam, the user’s traffic flow is as shown … (tunneling of user traffic back to the Mobility Anchor – guest traffic assumed)
44 
Existing Unified Wireless Deployment today
[Figure labels: 5508 / WiSM-2 (MC, MA); Layer 3 Mobility Group; Guest Anchors (MC, MA); Campus Access; Campus Services; Campus; Data Center; Data Center-DMZ; Internet; ISE; PI; PoP; PoA]
• Now, let’s examine roaming with Mobility Anchor use …
• After the roam, the user’s PoA moves to the new controller that handles the AP the user has roamed onto … however, the user’s PoP remains fixed at the Mobility Anchor controller …
• After the roam, the user’s traffic flow is as shown … (tunneling of user traffic back to the Mobility Anchor – guest traffic assumed)
45 
• Controller acts as an L2 device, bridges wireless traffic on to a VLAN
• All traffic is centralized and goes through the WLC 
• Even for two clients connected to the same AP 
• Full features support since WLC sees all the traffic 
• Controller is the insertion point for wireless traffic to the wired network 
• QoS or Security Policies for wireless traffic can be easily centralized 
• Can easily scale by adding other controllers in the centralized location (Data Center) 
• No configuration needed on the switch access port connected to the Access Point 
• Inter-Controller L2 roaming is recommended 
• Less exchange of traffic among the controllers
46 
Existing Unified Wireless Deployment today
Traffic Flows, Unified Wireless –
• In this example, a VoIP user is on today’s CUWN network, and is making a call from a wireless handset to a wired handset …
• We can see that all of the user’s traffic needs to be hairpinned back through the centralized controller, in both directions …
In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers – Layer 3 roaming might add more hops) …
Callouts:
• Wireless policies implemented on controller
• Wired policies implemented on switch
• Separate policies and services for wired and wireless users
• The same traffic paths are incurred for voice, video, data, etc. – all centralized
[Figure labels: PSTN; CUCM; WiSM2s / 5508s (MC, MA); PoP; PoA]
Campus Design and 
Deployment options 
Converged Access 
48 
Common Cisco IOS for LAN and WLAN
Common Fabric for LAN and WLAN
Programmable SDN-Ready
Operational Consistency (Same Well-known Commands)
Unified Access Data Plane ASIC (UADP)
[Figure: command words: Show, Clear, Run Config, Debug, Ping, Save, AP, Set, Copy, ?, Wireless Mobility Controller, dot11, Antenna, Rename, Wireless Management Interface]
49 
One Network, with Converged Access
A New Deployment Mode Option for Wired / Wireless
One Management: Prime
One Policy: ISE
One Network
IOS Based WLAN Controller
• Consistent IOS and ASIC with Catalyst 3x50
• Recommended to scale Campuses beyond 100 APs on switches or 4 000 wireless devices
Converged Access Mode
• Integrated wireless controller
• Distributed wired/wireless data plane (CAPWAP termination on switch)
[Figure labels: Wireless Control System; Access Control Server; LAN Mgmt Solution; Identity Mgmt; NAC Profiler; Guest Server; Cisco Wireless LAN Controller; Cisco Access Point; Cisco Catalyst Switch; Firewall; Internal Resources; Corporate Network; Internet; WLC 5760; Catalyst 3650; Catalyst 3850]
Cisco Converged Access Deployment 
50 
Converged Wired / Wireless Access Switches
Benefits – Overview
• Scale with distributed wired and wireless data plane: Large stack bandwidth; 40G wireless / switch; efficient multicast; 802.11ac optimized
• Maximum resiliency with fast stateful recovery: Layered network high availability design with stateful switchover
• Single platform for wired and wireless: Common IOS, same administration point, one release
• Network wide visibility for faster troubleshooting: Wired and wireless traffic visible at every hop
• Consistent security and Quality of Service control: Hierarchical bandwidth management and distributed policy enforcement
Unified Access - One Policy | One Management | One Network
51 
Visibility into Wired and Wireless Traffic at the Access
• Can monitor East-West and North-South flows
• Natively available in the hardware
• Single flow monitor can be applied to wired ports and SSID
• Detect network anomalies with hop-by-hop metrics such as packet loss, RTT, jitter and delay
• Understand Application Traffic Patterns such as HTTP, SMTP, Voice, Video, etc.
• Analyze usage trends over time and location
• Enforce policies to limit usage - based on application, time, location or load
• Plan for access capacity expansion
Understand Bandwidth consumption by various devices and applications
Detect Anomaly in Traffic flows
Cisco Converged Access Deployment
Visibility for Wired and Wireless
Flexible NetFlow v9
Cisco Converged Access Deployment 
52 
Sub-Domain 
#1 
Sub-Domain 
#2 
Mobility Group 
MC 
SPG SPG 
ISE PI 
MC 
MA MA MA MA MA MA
53 
Fast Roam 
New Authentication 
Mobility Group 
Mobility 
Controller 
Mobility Subdomain A 
Peer Group 2 
Mobility Subdomain B 
Peer Group 1 Mobility 
Agent 
14ms 50ms 80ms 120ms > 250ms 
Cisco Converged Access Deployment 
Mobility 
Controller
Cisco Converged Access Deployment 
54 
Physical Entities 
• Mobility Agent (MA) – Terminates CAPWAP tunnel from AP 
• Mobility Controller (MC) – Manages mobility within and across Sub-Domains 
Logical Entities 
• Mobility Groups – Grouping of Mobility Controllers (MCs) to enable Fast Roaming 
• Switch Peer Group (SPG) – Localizes traffic for roams within Distribution Block 
MA, MC, Mobility Group functionalities all exist in today’s controllers
55 
Mobility Group ISE PI 
MA MA MA 
Cisco Converged Access Deployment 
Mobility Agent 
• MA is the first level in the hierarchy of MA / MC / MO 
• One MA per Catalyst 3850/3650 Stack 
• Maintains Client DB of locally served clients 
• Interfaces to the Mobility Controller (MC)
56 
Mobility Group ISE PI 
MA MA MA 
Cisco Converged Access Deployment 
MC 
Mobility Controller 
• Mandatory element in design. Handles AP licenses 
• Can be hosted together with MA 
• Manages mobility-related state of MAs 
• Maintains Client DB within a Sub-Domain 
(1 x MC = One Sub-Domain) 
• Handles RF functions (including RRM) 
• Multiple MCs can be grouped together 
in a Mobility Group
57 
• Can act as a Mobility Agent (MA) 
for terminating CAPWAP tunnels for locally connected APs … 
• as well as a Mobility Controller (MC) 
for other Mobility Agent (MA) switches, in small deployments 
Best-in-Class 
Wired Switch – 
with Integrated 
Wireless Mobility 
functionality 
- MA/MC functionality works on a Stack of Catalyst 3650/3850 Switches 
- MA/MC functionality runs on Stack Master 
- Stack Standby synchronizes some information (useful for intra-stack HA) 
MA 
MC 
Cisco Converged Access Deployment
58 
Sub-Domain 1 
SPG-B 
MA MA 
MC 
SPG-A 
MA MA 
Cisco Converged Access Deployment 
Switch Peer Group 
• Made up of multiple Catalyst 3x50 switches as 
Mobility Agents (MAs), plus an MC (on controller as 
shown) 
• Handles roaming across SPG (L2 / L3) 
• MAs within an SPG are fully-meshed 
(auto-created at SPG formation) 
• Fast Roaming within an SPG 
• Multiple SPGs under the control 
of a single MC form a Sub-Domain 
SPGs are a logical construct, not a physical one 
SPGs can be formed across Layer 2 or Layer 3 boundaries 
SPGs are designed to constrain roaming traffic to a 
smaller area, and optimize roaming capabilities and 
performance 
Current thinking on best practices dictates that 
SPGs will likely be built around buildings, 
around floors within a building, or other 
areas that users are likely to roam most within 
Roamed traffic within an SPG moves directly 
between the MAs in that SPG (CAPWAP full mesh) 
Roamed traffic between SPGs moves 
via the MC(s) servicing those SPGs 
Hierarchical 
architecture 
is optimized for 
scalability and 
roaming
59 
Sub-Domain 1 
SPG-B 
MA MA 
SPG-A 
MA MA 
Sub-Domain 2 
SPG-E 
MA MA 
SPG-F 
MA MA 
Cisco Converged Access Deployment 
MC MC 
Mobility 
Group 
Switch Peer Group 
• Made up of multiple Catalyst 3x50 switches as 
Mobility Agents (MAs), plus an MC (on controller as 
shown) 
• Handles roaming across SPG (L2 / L3) 
• MAs within an SPG are fully-meshed 
(auto-created at SPG formation) 
• Fast Roaming within an SPG 
• Multiple SPGs under the control 
of a single MC form a Sub-Domain 
Mobility Group 
• Made up of Multiple 
Mobility Controllers (MCs) 
• Handles roaming across MCs (L2 / L3) 
• RF Management (RRM, handled by RF Group), Key 
Distribution for Fast Roaming 
• One Mobility Controller (MC) manages RRM for the 
entire RF Group 
• Fast Roams are limited to Mobility Group member 
MCs
60 
SPG 
AP AP AP 
Point of Presence (PoP) vs. 
Point of Attachment (PoA) – 
• PoP is where the wireless user 
is seen to be within the wired 
portion of the network 
• PoA is where the wireless user 
has roamed to while mobile 
• Before a user roams, PoP and 
PoA are in the same place 
If users 
associate and 
remain stationary, 
this is their 
traffic flow 
Note – the traffic does NOT flow through 
MA MA MA the MC … 
PoA 
PoP 
Cisco Converged Access Deployment 
MC
61 
SPG 
uRPF, Symmetrical 
Routing, NetFlow, 
Stateful Policy 
Application … 
Roaming, Within a Switch 
Peer Group (Branch) – 
• Now, let’s examine a roam at a larger branch, with multiple 
3x50-based switch stacks joined together via a distribution layer 
• In this example, the larger Branch site consists of a single 
Switch Peer Group – and the user roams within that SPG – 
again, at a larger Branch such as this, this may be 
the only type of roam 
The user may or may not have roamed across an L3 
boundary (depends on wired setup) – however, users are 
always* taken back to their PoP for policy application 
Again, notice how the 3x50 switch stack on the 
left is an MC (as well as an MA) in this picture – 
in a larger branch such as this with 50 APs 
or less, no discrete controller is necessarily required … 
* Adjustable via setting, 
may be useful for L2 
roams 
MC MA MA MA 
PoA 
PoP 
Roaming 
across Stacks 
(same SPG) 
Very 
common 
roaming 
case
Cisco Converged Access Deployment 
62 
• When a wireless client roams to a switch where the client VLAN is present, 
it is considered as an L2 Roam – 
In CUWN this would imply that the PoP moves to the new switch 
• When a wireless client roams across L3 subnets (i.e. to switches 
where its own VLAN is not present), it is considered as an L3 Roam – 
same as CUWN, tunneling is used to keep the client’s IP address 
• In Converged Access by default all roams are L3 
The data path is anchored at the home switch (feature called “Sticky / L2 anchoring”) 
Sticky roaming is ON by default. It can be disabled on a per-WLAN basis
• In both cases, client will continue to maintain its 
original IP address – this is called seamless mobility. 
Roam
63 
Roaming 
across SPGs 
(L3 separation 
assumed at 
access layer) 
SPG SPG 
Cisco Converged Access Deployment 
MA MA MA MA MA MA 
PoA 
PoP 
Roaming across SPGs 
• In this example, the user roams 
across Switch Peer Groups – 
since SPGs are typically formed 
around floors or other 
geographically-close areas, this 
could represent a large building 
• Typically, this type of roam will 
take place across an L3 boundary 
(depends on wired setup) – 
however, users are always* taken 
back to their PoP for policy 
application 
• Note how traffic goes through the MC in this case
Less 
common 
roaming 
case 
MC MC
Traffic Flows, Comparison (Converged Access)
• Now, our VoIP user is on a Cisco Converged Access network, and is again making a call from a wireless handset to a wired handset …
• We can see that all of the user’s traffic is localized to their Peer Group, below the distribution layer, in both directions …
  - In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming) … two additional hops may be incurred for routing …
Callouts:
• More efficient since traffic flows are localized to the 3x50 switch: performance increase
• Traffic does not flow via MCs
• Converged policies and services for wired and wireless users
• Wired and wireless policies implemented on 3650/3850 switch
[Diagram: Cisco Converged Access Deployment. Labels: PSTN, CUCM, SPG, MC, MA (x4), PoP, PoA]

• Wireless data traffic is distributed at the access switches
  - Traffic path is optimized for east-west communication
• Same distributed Point of Ingress to the network for wired and wireless (access switch)
  - Same troubleshooting tools, same visibility for wireless traffic (not encapsulated anymore)
• Subnet design should be carefully considered
  - Possible DHCP address contention between wireless and wired
  - Difficult to size the wireless subnet
  - Same policies can be applied for wired and wireless if desired
• Size recommendation for Campus deployments
  a) No more than 600 APs and 7000 clients for the 5760 as MC in CA deployments
  b) No more than 2 x MCs on switch-only deployments (50 APs with 3650s and 100 APs with 3850s)

Branch Office Design and Deployment Options

Cisco FlexConnect with different controller deployment options
Branch (Controller in DC)
• Virtual Controller: 5 to 200 APs, 6000 clients, 500 Mbps
• Flex 7500: 300 to 6000 APs, 64,000 clients, 1 Gbps central

FlexConnect (ex-HREAP)
• Centralized control plane
• FlexConnect mode of operation:
  - Connected mode vs Standalone
• Data plane flexibility
  - Local vs Central switching
  - Configured per SSID
• FlexConnect Local switching
  - VLANs are added at access switch
  - Not all features are supported (L3 roaming, Mesh, WGB support, etc)
• HA will preserve locally switched traffic
• Mostly deployed over a WAN
  - RTT below 300 ms for data (100 ms for voice)
  - Minimum 500 bytes WAN MTU (with max four fragmented packets)
[Diagram labels: Controller, ISE, MSE, Prime, WAN, Trunk, Trunk links, Remote Location, SSID Data, SSID Guest, SSID Voice]

Local controller onsite
[Diagram labels: Central Site, Backup Central Controller, WAN, CAPWAP, Remote Site A, Remote Site B, Remote Site C, Cisco 2500 Series Controller, WLC-25xx, WLCM for ISR/ISR-G2, Virtual Controllers (vWLC), Cat-3650, Catalyst 3650]

Evolution of Medium/Large Branch Deployment
“Catalyst 3650 is the New Branch Controller”
Traditional Deployment
• Dedicated WLC (2504 up to 75 APs)
• Multiple OS/devices to manage
• 1 Gbps of wireless traffic
• Up to 1000 wireless clients
[Diagram labels: DMZ, Guest Anchor, Prime, ISE, WLC 2504, Catalyst 2960X®, ISR 2900/3900, WAN, Employee, Guest]
Cat. 3650 as Branch Controller
• Cat. 3650 terminates wired and wireless traffic: 40 Gbps wireless
• Up to 1000 wired and wireless clients, 25 APs
• Full IOS based branch, HA capable
[Diagram labels: DMZ, Guest Anchor, Prime, ISE, Catalyst 3650, ISR AX, WAN, Employee, Guest]
Priced at par vs. traditional solutions
3650* vs.:
# of APs in Solution   2K-X**   2K-XR***
5                      29%      -9%
10                     24%      -8%
15                     10%      -13%
20                     9%       -12%
25                     1%       -15%
* 24 Port PoE IP Base w/1G UpL
** LAN Base + 2504 WLC
*** IP Lite + 2504 WLC

Converged Access Branch Deployment Modes
Controller-less BRANCH
• Up to 25 Access Points with 3650
• Up to 1000 Clients per branch with 3650
• All WAN Services Available (local termination)
Controller-less larger BRANCH
• Up to 50 Access Points with only 3650s
• Up to 2000 Clients with only 3650s
• Visibility, Control and resiliency
Legend: CAPWAP Tunnel; Standard Ethernet, No Tunnels; Guest Tunnel from Switch to DMZ Controller
[Diagram labels: ISE, Prime, DMZ, WAN, MC, MA, UA 3K, INTEGRATED CONTROLLER 3650, Access Points, AP CAPWAP Tunnels, Employee, Guest]

Architecture comparison
• What do Flex and Converged Access really have in common, from an architecture point of view, that makes people compare the two?
  - Control Plane and Data Plane separation
  - Distributed Data Plane
  - Wireless and wired traffic are both local to the access switch; same or different VLANs are supported for wireless and wired
  - Visibility of wireless traffic available from the access switch
  - WAN optimization techniques (WAAS) applicable to wireless traffic
  - Security and QoS policies applicable at the edge (branch) of the network (not the same policies, but at least the point of enforcement can be distributed)

Preliminary considerations
• For this comparison, only FlexConnect Local switching is considered:
  - In terms of architecture and feature support, Flex Central switching is very similar to the Centralized deployment mode (AP in Local mode)
• For this comparison, a 3650/3850-based Converged Access solution is considered:
  - One or more stacks, but the MC is embedded in the 3650/3850, not in a discrete controller
• For the comparison, the following Reference Design is considered:
  - Branch deployment with fewer than 25 APs
  - Voice and fast roaming are a requirement
  - High availability is required
• Today, CA only supports local mode APs and a few features are still different.

Architecture comparison: the differences
Function | Converged Access (3x50) | FlexConnect (local switching)
Control and data plane separation | MC and MA functionalities are used | Controller handles the control plane, AP the data plane
Control and data plane termination | Both terminated at the switch | Control plane terminated at the WLC (300 ms max RTT requirement), AP bridging for data traffic
Wired and wireless traffic | True wireless and wired convergence | Local access switch sees wireless traffic as if it was wired traffic through a bridge
Dot1x authentication | Switch acts as dot1x authenticator for wireless and wired | WLC or AP is authenticator for wireless
L2/L3 seamless roaming | All supported | Only L2 roaming supported
Fast roaming | Supported | Supported within the FlexConnect Group (different scalability for different controller platforms)
Subnetting definition | Flexibility of having wireless in same or different VLANs per wiring closet | Same VLAN is required for seamless roaming
QoS policies enforcement point | Local switch, and same for wired and for wireless | WLC, AP or access switch, and usually different for wireless and wired
Security enforcement point | Local switch, and same for wired and for wireless | WLC, AP or access switch, and usually different for wireless and wired
WAN dependencies | No WAN dependencies for wireless service | Different requirements based on type of traffic (voice, data, monitor APs only)*

Feature comparison: the differences
Feature (*) | 3650 / 3850 in the Branch | Flex (**) Local Mode
All AP modes (Mesh, Flex, OEAP) | Not supported (roadmap), and only 11n+ APs | Supported (Mesh and Flex since 8.0)
802.11r Fast Secure Roaming | Supported | Supported
No service interruption upon controller failure (***) | AP SSO is supported within stack | Supported
VLAN Select (interface Group) | Supported | Not supported
Downloadable ACL | Supported | Not supported (Airespace ACL)
Security Group Tag (SGT) and Security Group ACLs (SGA) | Supported | Not supported
IPv6 client Mobility | Supported | Not supported
Advanced Modular QoS and QoS override | Supported | Not supported
Netflow | Supported | Not supported
VideoStream (multicast to unicast) | Supported | Supported
Application Visibility and Control | Supported | Not supported (planned for 8.1)
Bonjour Services | Supported | Supported

Summary 
Unified Access
One Policy
One Management
One Network

CENTRALIZED AireOS
Positioning:
• Wireless-only overlay
• Most mature and feature rich offering
• Ready for 802.11ac
• Perfect for 802.11n
• Support for all AP modes
• Optimized for Campus
• Broadest Feature Set
Characteristics:
• Centralized control plane
• Centralized data plane
• On-Premise controller
• Controller at every location
CONVERGED ACCESS
Positioning:
• Switch refresh
• Future upgrade to converged access
• Perfect for scaling with 802.11ac
• Ready for SDN evolution
• Perfect for branch deployments
Characteristics:
• Centralized control plane
• Distributed data plane
• Common LAN and WLAN OS
• LAN and WLAN feature consistency
• Optimized for high performance
• Optimized for branch deployments
[Diagram label: Intranet]

Multiple options exist, depending on the type and size of branch
• 1 AP: Autonomous IOS AP or CVO Router
• Up to 10 APs: FlexConnect with vWLC, 7500 or 5508/WiSM-2
• Up to 25 APs: Converged Access, FlexConnect, Local 2504 bundles
Branch (Controller On-Premise)
• 2500: 5 to 75 APs, 1000 clients, 1 Gbps
• Virtual WLC (e.g. UCS-E on ISR G2): 5 to 200 APs, 3000 clients, 500 Mbps
• Catalyst 3850: 1-50 APs per switch/stack (directly connected APs), 2000 clients per stack, 40 Gbps per switch
• Catalyst 3650: 1-25 APs per switch/stack (directly connected APs), 1000 clients per stack, 40 Gbps per switch
Branch (Controller in DC)
• Virtual Controller: 5 to 200 APs, 6000 clients, 500 Mbps
• Flex 7500: 300 to 6000 APs, 64,000 clients, 1 Gbps central

Cisco Wireless LAN Controller - Configuration Best Practices
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Document View Count: 20099

BEST PRACTICES (AireOS)
INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• Disable Aironet IE
• FlexConnect Groups and Smart AP Upgrade
SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advanced EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password policies
• Enable IDS
• Extend BYOD Timers
MESH
• Set a Bridge Group Name
• Set a Preferred Parent
• Deploy Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul if possible
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode
WIRELESS / RF
• Disable 802.11b data rates
• Restrict number of WLAN below 4
• Enable channel bonding: 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load

Key Takeaways 
Market Leadership
• 20+ years of market share leadership
• 800,000+ WLAN customers
• 2,000,000+ LAN customers
• 18,000,000 ISE endpoint licenses sold
• 75,000,000 AnyConnect licenses sold
• Broadest LAN, WLAN, and Security portfolio
• 90% Fortune 1000 have selected Cisco
Industry Leadership
• 10+ years of Gartner MQ leadership
• Leader in Unified Access Gartner MQ
• Ongoing IEEE, IETF, Wi-Fi Alliance leadership
• Largest patent portfolio in the industry
• Largest development team in the industry
• EAL Common Criteria, PCI

Thank you. 

Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...Cisco Russia
 

More from Cisco Russia (20)

Service portfolio 18
Service portfolio 18Service portfolio 18
Service portfolio 18
 
История одного взлома. Как решения Cisco могли бы предотвратить его?
История одного взлома. Как решения Cisco могли бы предотвратить его?История одного взлома. Как решения Cisco могли бы предотвратить его?
История одного взлома. Как решения Cisco могли бы предотвратить его?
 
Об оценке соответствия средств защиты информации
Об оценке соответствия средств защиты информацииОб оценке соответствия средств защиты информации
Об оценке соответствия средств защиты информации
 
Обзор Сервисных Услуг Cisco в России и странах СНГ.
Обзор Сервисных Услуг Cisco в России и странах СНГ.Обзор Сервисных Услуг Cisco в России и странах СНГ.
Обзор Сервисных Услуг Cisco в России и странах СНГ.
 
Клиентские контракты на техническую поддержку Cisco Smart Net Total Care
Клиентские контракты на техническую поддержку Cisco Smart Net Total CareКлиентские контракты на техническую поддержку Cisco Smart Net Total Care
Клиентские контракты на техническую поддержку Cisco Smart Net Total Care
 
Cisco Catalyst 9000 series
Cisco Catalyst 9000 series Cisco Catalyst 9000 series
Cisco Catalyst 9000 series
 
Cisco Catalyst 9500
Cisco Catalyst 9500Cisco Catalyst 9500
Cisco Catalyst 9500
 
Cisco Catalyst 9400
Cisco Catalyst 9400Cisco Catalyst 9400
Cisco Catalyst 9400
 
Cisco Umbrella
Cisco UmbrellaCisco Umbrella
Cisco Umbrella
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPs
 
Cisco FirePower
Cisco FirePowerCisco FirePower
Cisco FirePower
 
Профессиональные услуги Cisco для Software-Defined Access
Профессиональные услуги Cisco для Software-Defined AccessПрофессиональные услуги Cisco для Software-Defined Access
Профессиональные услуги Cisco для Software-Defined Access
 
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
 
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отраслиПромышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
 
Полугодовой отчет Cisco по информационной безопасности за 2017 год
Полугодовой отчет Cisco по информационной безопасности за 2017 год Полугодовой отчет Cisco по информационной безопасности за 2017 год
Полугодовой отчет Cisco по информационной безопасности за 2017 год
 
Годовой отчет Cisco по кибербезопасности за 2017 год
Годовой отчет Cisco по кибербезопасности за 2017 годГодовой отчет Cisco по кибербезопасности за 2017 год
Годовой отчет Cisco по кибербезопасности за 2017 год
 
Безопасность для цифровой экономики. Развитие продуктов и решений Cisco
Безопасность для цифровой экономики. Развитие продуктов и решений CiscoБезопасность для цифровой экономики. Развитие продуктов и решений Cisco
Безопасность для цифровой экономики. Развитие продуктов и решений Cisco
 
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
 
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...
 
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...
 

Recently uploaded

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Cisco Unified Wireless Network and Converged access – Design session

  • 1. Cisco Unified Wireless Network and Converged access – Design session Flavien RICHARD Technology Solutions Architect November 2014 © 2014 Cisco and/or its affiliates. All rights reserved. 1
  • 2. Wireless Standards: Past, Present, and Future (chart of clients / bandwidth over time, early 2000 to 2016): 802.11a, 802.11b 11 Mbps; 802.11g 54 Mbps; 802.11n 450 Mbps; 802.11ac-1 ~1 Gbps; 802.11ac-2 3.5 Gbps; 10 Gbps future? New frequencies?
  • 3. 3 Casual Pervasive System Management Capacity Self Healing and Optimizing Hotspot indoors Media Rich Applications Mission Critical CleanAir Business Critical High Performance High Density
  • 4. 4
  • 5. 5 How Many Mobile Data Devices Do You Think You will Carry Everywhere in 2016? Think about it, and choose the best answer 1 3 5 7
  • 6. 6 Unified Access One Policy One Management One Network Unified Access Uncompromised User Experience in Any Workspace
  • 7. 7 • The Industry is now talking about Unified Access Gartner Magic Quadrant: wireless and wired together Wired, Wireless: who cares what the access technology is? What customers care about is the overall Network experience • The industry recognizes Cisco’s Leadership Leader since 2012 (since WiFi and LAN are reported together) Executing Better than any competitor We have the largest Development Team in the industry We have the largest Patent Portfolio in the industry We are taking Market Share from competitors We are innovating faster than the competition
  • 8. 8 2500 Virtual WLC e.g. UCS-E on ISR G2 Large Campus Service Provider Flex 7500 5508 WISM2 5760 8500 Catalyst 3850 Virtual Controller • 12 to 500 APs • 7000 clients • 8 Gbps • 100 to 1000 APs • 15,000 clients • 20 Gbps • Catalyst 6500E/6807 • 25 to 1000 APs • 12,000 clients • 60 Gbps • 100 to 6000 APs • 64,000 clients • 10 Gbps Small Campus / Branch (Controller On-Premise) Branch (Controller in DC) • 5 to 75 APs • 1000 clients • 1 Gbps • 5 to 200 APs • 3000 clients • 500 Mbps • 1-50 APs per switch/stack (Directly connected APs) • 2000 clients per stack • 40 Gbps per switch • 5 to 200 APs • 6000 clients • 500 Mbps • 300 to 6000 APs • 64,000 clients • 1 Gbps central Catalyst 3650 • 1-25 APs per switch/stack (Directly connected APs) • 1000 clients per stack • 40 Gbps per switch AireOS Controllers have a rich roadmap and are the lead WLC platforms for 2015
  • 9. 9 • 50% of enterprise traffic will originate on WiFi by 2017 • Half (50%) of all new Wi-Fi devices at the end of 2014 are 802.11ac capable (ABI Research) • Investment protection: 802.11ac Wave 1 can fulfill smartphone and tablet bandwidth requirements for 5+ years • 802.11ac improves speed by 3X and battery efficiency by 2X for smartphones, tablets, and laptops • Why Cisco for 802.11ac: • Backward compatible at the same price as 802.11n • Locally manufactured APs 2700 and 3700! • Only vendor already committed to Wave 2 on existing APs • HDX technology: Turbo scheduler, CL3.0, Optimized roaming • More info: http://cisco.com/c/en/us/products/collateral/wireless/aironet-3700-series/white-paper-c11-731923.html
  • 10. 10 At 11 mbps (802.11b)? At 54 mbps (802.11a or g)? At 300 mbps (802.11n5:2SS)? At 866 mbps (802.11ac:2SS)? Samsung Galaxy S5 supports MIMO 2x2:2SS 802.11ac for the first time on a smartphone (866 mbps)! How many packets can I transmit at that speed compared to the other speeds above?
  • 11. 11 Enterprise Class 1K Family Mission Critical 2K Family Best in Class 3K Family Sub 1K Family AP-702 & 702W OEAP-600 AP-3600 AP-3700 AP-1600 AP-1700 AP-2600 AP-2700 AP-3500
  • 12. 12 with Integrated 802.11ac (4x4:3) • Industry’s first 4x4 MIMO : 3 SS 802.11ac AP • 2-3X performance of 802.11n 5Ghz Wi-Fi • Higher performance at a greater distance • RF Excellence enabled in hardware • High Density Experience Technology • Higher Client density, scale and performance • Future proofed design • Modular Architecture = investment protection • Security, 3G Small Cell or Wave 2 802.11ac module options
  • 13. 13 with Integrated 802.11ac (3x4:3) • 3x4 MIMO:3 SS 802.11ac AP • High Density Experience Technology • Client density scale and performance • Implicit Beam Forming – aka ClientLink 3.0, as well as Explicit BeamForming • 2 GigE Ports • 2nd Port provides downward device connectivity only (no other AP or PoE out) • Antenna Support • Supports all the antennas available for the 3700; 3600, 2600 and 1600 • Available since 7.6.120 and 3.6 IOS-XE
  • 14. 14
  • 15. 15 Customized AP Design DSP Radio – 2.4GHz DRAM (128MB) CPU 384 MHz DRAM (128MB) CPU 512 MHz DSP DRAM (512MB) Dual-Core* CPU 800 MHz ASIC design allows on-radio CPU and memory for distributed packet processing and throughput maximizing. Architecture also allows unique 4x4 MIMO antenna design. Radio – 5GHz Traditional AP Design Radio – 2.4GHz DRAM (512MB) Dual-Core CPU 800MHz Radio – 5GHz Merchant silicon architecture is heavily dependent on the single CPU for all functions. 1x Dual Core Processors 6x Total (1x Dual Core, 2x Radio, 2x DSP) 512 MB Memory 768 MB *1 Core Enabled Today, 1 Reserved for Future Use Merchant Silicon Cisco AP3700 and AP2700 Competition Merchant Silicon ASIC-driven RF Architecture
  • 16. 17 AP is supported using 7.6.120 code onwards Cisco Aironet 702W Series Max Data Rate 300 Mbps per radio Radio Design MIMO: Spatial Streams Dual-Radio, 2x2:2 Local Ethernet Ports 4 x GE Powering Capability 1 x GE port PoE out Max No. Clients 200 BandSelect ✔ VideoStream ✔ Rogue AP Detection ✔ Adaptive wIPS ✔ Monitor Mode ✔ FlexConnect ✔ Converged Access (Future) Autonomous (Future) Data Uplink (Mbps) 10/100/1000 Power 802.3af/at, AC Adapter Security lock Torx screw, Kensington lock Temperature Range 0 – 40° C • Cisco Aironet Wall Mount AP is targeted for Multi Dwelling Unit (MDU), Hospitality, and Schools Deployments seeking a high-performance in-room Wireless + Wired Access Device • Designed for ease of mounting to numerous global wall-box standards • Robust enterprise-class design and RF performance • Simultaneous, Dual Radio & Dual Band with Integrated Antennas • 4x GE Ethernet Ports, 1x WAN GE port • Dimensions: 15x10x3 cm
  • 17. 18 Base 1530 Highly Versatile 1550 Best in Class 1570 • Low Profile, Low Price • 11n, 2G: 3x3:3; 5G: 2x3:2 • Internal or External Antennas • -30°C to +65°C • Multiple models & features • Enterprise, MSO • DOCSIS3.0 8x4 • 11n, 2x3:2 • Int/External Antennas • -40°C to +65°C • High-end Enterprise, MSO • 802.11ac, 4x4:3 • NG-Cable: 24x8 • Int/External Antennas •Modular: Future Proof • -40°C to +65°C
  • 18. 19 NEW Access Points • Indoor: AP700w—Wall Plate, AP1700—fixed lower end, AP2700 – fixed 802.11ac, 3G Small Cell Module for AP3600 and AP3700 • Outdoor: AP1570, 1550WU—Emerson Sensor Gateway 3G Small Cell Module 802.11ac Wave 1 Module 1530 AP700 Wall Plate NEW Capabilities and Functionality • Connected Mobile Experiences (Phase 2) • High Density Experiences (Phase 1) – CleanAir 80 MHz, ClientLink 3.0 • Microsoft Lync 2013 Certification • Application Visibility and Control (Phase 2 and 3) • Bonjour Services Directory (Phase 2 and 3) • IOS: Stateful Switchover, AVC, Bonjour • IOS: Integrated policy and device profiling • IOS: 802.11u, 802.11k, 802.11r, 802.11w NEW WLAN Controllers • Converged Access (SDN-Ready): Catalyst 3650, Catalyst 4500 ♯ Catalyst 3650 Catalyst 4500 1570 AP3700 802.11ac AP2700 802.11ac ♯ Sup 8E hardware supervisor with UADP Converged Access exists, software due end of 2014
  • 19. Unified Access Wireless Deployment modes © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
  • 20. 21 Autonomous FlexConnect Centralized Converged Access Standalone APs Traffic Distributed at AP Traffic Centralized Traffic Distributed at Switch at Controller Target Positioning Small Wireless Network Branch Campus Branch and small Campus Purchase Decision Wireless only Wireless only Wireless only Wired and Wireless Benefit • Simple and cost-effective • Enterprise Class AP quality • Provides Bridge functionality • Highly scalable for large number of branches • No controller at branch • Most feature rich solution • Wireless Traffic visibility at the controller • Wired & Wireless common operations • One Enforcement Point • One OS (IOS) • Traffic visibility at every network layer • Performance optimized for 11ac Key considerations • Limited features • First step to Controller based • Very limited automation • L2 roaming only • Branch with WAN bw and latency requirements • Top Performance and Scalability • Full Access layer evolution (3650/3850) WAN
  • 21. 22 • Scalability Zero-touch configuration Centralized configuration management, image management and troubleshooting • Radio Frequency (RF) Management System wide view of RF – Cisco Leader Dynamic Channel Selection, Dynamic Power Settings, Coverage Hole Detection/Mitigation (RRM) Advanced Interference Handling (CleanAir) – Cisco Only • Advanced Mobility Services – Investment protection Advanced Location based Services (CMX) – Cisco Only Optimized end-end multicast delivery (VideoStream) – Cisco Only Advanced Wireless IPS (aWIPS) Advanced Roaming (802.11r)
  • 22. 23 Radio Frequency High Availability • What are Radio Resource Manager’s objectives? Provide a system wide RF view of the network at the Controller (only Cisco!!) Dynamically balance the network and mitigate changes Manage Spectrum Efficiency so as to provide the optimal throughput under changing conditions • What’s RRM DCA—Dynamic Channel Assignment TPC—Transmit Power Control CHDM—Coverage Hole Detection and Mitigation • RRM best practices RRM settings to auto for most deployments (High Density is a special case) Design for most radios set at mid power level (level 3 for example) Survey for lowest common client type and technology supported RRM doesn’t replace the site survey and doesn’t create spectrum For more info: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072c759.shtml
  • 23. 24 • CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller. CAPWAP is an open protocol (IETF RFC) Control Plane UDP 5246 (DTLS encrypted), Data plane UDP 5247 (optionally encrypted) • Access points discover and join a CAPWAP controller • Configuration and firmware can be pushed from the controller • Statistics gathering and wireless security Data Plane CAPWAP Controller Wi-Fi Client Business Application Control Plane Access Point
  • 24. 25 • The CAPWAP protocol supports two modes of operation Split MAC (centralized mode). AP is in Local Mode (default) Local MAC (FlexConnect) • Split MAC Wireless Phy MAC Sublayer CAPWAP Data Plane Wireless Frame 802.3 Frame Wi-Fi Client Access Controller Point
  • 25. 26 • Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frame Wireless Frame Wireless Phy MAC Sublayer 802.3 Frame Wi-Fi Client Access Controller Point • FlexConnect supports locally bridged MAC and split MAC per SSID • Tunnel mode is not implemented by Cisco
  • 26. 27 • Centralized configuration and policy enforcement of the Wireless LAN • All access to network resources goes through the controller RADIUS, DHCP, DNS, VLANs etc (assuming AP in Local Mode) • Controller acts as security gateway for clients Authentication profiles, ACL enforcement, Bandwidth controls • Manages all access points on the network Auto Channel and power assignments, coverage hole detection, firmware upgrade, statistics gathering, IDS & rogue AP Detection, RF analysis • No need to re-subnet the network for deployment (L2/L3 Roaming) Simple plug and play deployment model, APs can be dropped into any local or remote network segment.
  • 27. Campus Design and Deployment options © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
  • 28. 30 • Components • Wireless LAN controllers • Aironet Access Points • Management (Prime Infrastructure) • Mobility Service Engine (MSE) • Principles • Overlay Architecture • Based on AireOS software • AP must have CAPWAP connectivity with WLC • Configuration downloaded to AP by WLC • All Wi-Fi traffic is forwarded to the WLC Wireless LAN Controller Aironet Access Point Cisco Prime Infrastructure MSE Campus Network
  • 29. 31 Mobility Group Data Center / Service block AP-Controller CAPWAP Tunnel 802.11 Control Session + Data Plane L E G E N D AP AP AP AP Inter-Controller EoIP / CAPWAP Tunnel SSID2 SSID3 Intranet EoIP Mobility Tunnel ( ≤ 7.2 or 7.4) CAPWAP Option in 7.3, ≥ 7.6 SSID1 Inter-Controller (Guest Anchor) EoIP / CAPWAP Tunnel Internet Well-known, proven architecture SSID – VLAN Mapping (at controller) CAPWAP Tunnels Notes – • AP / WLC CAPWAP Tunnels are an IETF Standard • UDP ports used – • 5246: Encrypted Control Traffic • 5247: Data Traffic (non-Encrypted or DTLS Encrypted (configurable)) • Inter-WLC Mobility Tunnels • EoIP – IP Protocol 97 … AireOS 7.3 introduced CAPWAP option • Used for inter-WLC L3 Roaming and Guest Anchor Encrypted (see Notes) WLC #2 “Guest” Anchor WLC WLC #1 Existing Unified Wireless Deployment today … PI ISE
  • 30. Existing Unified Wireless Deployment today 32 Mobility Group Intranet EoIP Mobility Tunnel ( ≤ 7.2 or 7.4) CAPWAP Option in 7.3, ≥ 7.6 Data Center / Service block PI ISE AP AP AP AP SSID2 SSID1 SSID3 Internet CAPWAP Tunnels Mobility Controller Handles Roaming, RRM, AP licenses, WIPS, etc. Additional details on controller functionality L E G E N D “Guest” Anchor WLC These will become important later as we delve into the Converged Access deployment … MC MC MC MC Mobility Agent Terminates CAPWAP Tunnels, Maintains Client Database MA MA MA MA … WLC #2 WLC #1
  • 31. Existing Unified Wireless Deployment today 33 WiSM2s / 5508s Layer 2 Mobility Group Data Center- DMZ Si Si Si Si Data Center Campus Services Si Si Campus Guest Anchors Internet Si Si Si Si Campus Access MC MC MC MA MA MA MC MA MC MA ISE PI PoP PoA Point of Presence (PoP) vs. Point of Attachment (PoA) – • PoP is where the wireless user … is seen to be within the wired portion of the network • Anchors client IP address • Used for security policy application • PoA is where the wireless user has roamed to while mobile • Moves with user AP connectivity • Used for user mobility and QoS policy application • Now, let’s see how mobility works when a user roams in this deployment model …
  • 32. 34 Mobility Group defined: • Group of Wireless LAN Controllers (WLCs) in a network with the same Mobility Group name • Provides Seamless Mobility and Fast roaming for clients • Up to 24 WLC members in one Mobility Group, statically configured • Full mesh of tunnels between members Messages can be sent using Multicast • Mobility Control Messages UDP port 16666 for un-encrypted traffic • User Data traffic EoIP (IP protocol 97) or CAPWAP (UDP 5246) • NAT between members is supported WLC 1 WLC 3 WLC 2 WLC 4 Mobility Group
  • 33. 36 Client Database Client Database Mobility Message Exchange Roaming Data Path client context VLAN X • Layer 2: same VLAN present on both controllers • Client database context is moved from WLC1 to WLC2 • Client database is updated with new AP and security info • Client becomes LOCAL to WLC-2. WLC-2 advertises reachability to the client • No IP address refresh needed. Data flows as shown WLC 1 WLC 2 Mobility Message Exchange
  • 34. Existing Unified Wireless Deployment today …
    [Diagram labels: WiSM2s / 5508s; Layer 2 Mobility Group; Data Center; Data Center-DMZ; Campus Services; Campus Access; Guest Anchors; Internet; ISE; PI; MC / MA controllers; PoP; PoA]
    • Initially, the user’s PoP and PoA are co-located on the same controller
    • The controllers within the DC share a common set of user VLANs at Layer 2
    • Initially, the user’s traffic flow is as shown …
  • 35. Existing Unified Wireless Deployment today …
    [Diagram labels: WiSM2s / 5508s; Layer 2 Mobility Group; Data Center; Data Center-DMZ; Campus Services; Campus Access; Guest Anchors; Internet; ISE; PI; MC / MA controllers; PoP; PoA]
    • Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
    • The user’s PoP and PoA both move to the new controller handling that user after the roam (possible since the controllers in this deployment model are all L2-adjacent within the VLANs) …
    • After the roam, the user’s traffic flow is as shown …
  • 36. [Diagram labels: WLC 1 on VLAN X; WLC 2 on VLAN Z; Client Database on each controller; client context; Mobility Message Exchange]
    • Layer 3: different client VLAN on controllers
    • WLC-2 knows it doesn’t have VLAN X
    • Client database entry is copied from WLC1 to WLC2
    • Client database is updated with new AP and security info
  • 37. [Diagram labels: WLC 1 on VLAN X; WLC 2 on VLAN Z; Client Database and client context on each controller; Mobility Message Exchange; EoIP tunnel; Roaming Data Path]
    • WLC-1 is still the “anchor” for the client session
    • Traffic goes through the EoIP tunnel and exits again in VLAN X
    • No IP address change needed
  • 38. Existing Unified Wireless Deployment today …
    [Diagram labels: Layer 3 Mobility Group; 5508 / WiSM-2 controllers; Data Center; Data Center-DMZ; Campus Services; Campus Access; Guest Anchors; Internet; ISE; PI; MC / MA controllers; PoP; PoA]
    • Initially, the user’s PoP and PoA are co-located on the same controller
    • Note – in this deployment model, it is assumed that all of the controllers across the Campus do not share a common set of user VLANs at Layer 2 … (i.e. the controllers are all L3-separated)
    • Initially, the user’s traffic flow is as shown …
  • 39. Existing Unified Wireless Deployment today …
    [Diagram labels: Layer 3 Mobility Group; 5508 / WiSM-2 controllers; Symmetric Mobility Tunneling; Data Center; Data Center-DMZ; Campus Services; Campus Access; Guest Anchors; Internet; ISE; PI; MC / MA controllers; PoP; PoA]
    • Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
    • The user’s PoA moves to the new controller handling that user after the roam – but the user’s PoP stays fixed on the original controller that the user associated to
    • This is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming
    • After the roam, the user’s traffic flow is as shown …
  • 40. Existing Unified Wireless Deployment today …
    [Diagram labels: Layer 3 Mobility Group; 5508 / WiSM-2 controllers; Data Center; Data Center-DMZ; Campus Services; Campus Access; Guest Anchors; Internet; ISE; PI; MC / MA controllers; PoP; PoA]
    • Now, let’s examine roaming with Mobility Anchor use …
    • When using Mobility Anchors, the user’s PoP is always located at the Mobility Anchor controller ... while the user’s PoA moves as the user roams …
    • Again, this is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming
    • Before the roam, the user’s traffic flow is as shown … (tunneling of user traffic back to the Mobility Anchor – guest traffic assumed)
  • 41. Existing Unified Wireless Deployment today …
    [Diagram labels: Layer 3 Mobility Group; 5508 / WiSM-2 controllers; Data Center; Data Center-DMZ; Campus Services; Campus Access; Guest Anchors; Internet; ISE; PI; MC / MA controllers; PoP; PoA]
    • Now, let’s examine roaming with Mobility Anchor use …
    • After the roam, the user’s PoA moves to the new controller that handles the AP the user has roamed onto … however, the user’s PoP remains fixed at the Mobility Anchor controller …
    • After the roam, the user’s traffic flow is as shown … (tunneling of user traffic back to the Mobility Anchor – guest traffic assumed)
  • 42.
    • Controller acts as an L2 device, bridges wireless traffic on to a VLAN
    • All traffic is centralized and goes through the WLC
    • Even for two clients connected to the same AP
    • Full features support since WLC sees all the traffic
    • Controller is the insertion point for wireless traffic to the wired network
    • QoS or Security Policies for wireless traffic can be easily centralized
    • Can easily scale by adding other controllers in the centralized location (Data Center)
    • No configuration needed on the switch access port connected to the Access Point
    • Inter-Controller L2 roaming is recommended
    • Less exchange of traffic among the controllers
  • 43. Existing Unified Wireless Deployment today …
    [Diagram labels: PSTN; CUCM; WiSM2s / 5508s; MC / MA controllers; PoP; PoA]
    Traffic Flows, Unified Wireless –
    • In this example, a VoIP user is on today’s CUWN network, and is making a call from a wireless handset to a wired handset …
    • We can see that all of the user’s traffic needs to be hairpinned back through the centralized controller, in both directions …
    In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers – Layer 3 roaming might add more hops) …
    Wireless policies implemented on controller; wired policies implemented on switch
    Separate policies and services for wired and wireless users
    The same traffic paths are incurred for voice, video, data, etc. – all centralized
  • 44. Campus Design and Deployment options
    Converged Access
  • 45.
    • Common Cisco IOS for LAN and WLAN
    • Common Fabric for LAN and WLAN
    • Programmable, SDN-Ready
    • Operational Consistency (Same Well-known Commands): Show, Clear, Run, Config, Debug, Ping, Save, AP, Set, Copy, ?, Wireless, Mobility Controller, dot11, Antenna, Rename, Wireless Management Interface
    • Unified Access Data Plane ASIC (UADP)
  • 46. One Network, with Converged Access
    A New Deployment Mode Option for Wired / Wireless
    [Diagram labels: Wireless Control System; Access Control Server; LAN Mgmt Solution; Identity Mgmt; NAC Profiler; Guest Server; Cisco Wireless LAN Controller; Internal Resources; Cisco Firewall; Cisco Access Point; Catalyst Switch; Corporate Network; Internet; One Management: Prime; One Policy: ISE; One Network: WLC 5760, Catalyst 3650, Catalyst 3850]
    IOS Based WLAN Controller
    • Consistent IOS and ASIC with Catalyst 3x50
    • Recommended to scale Campuses beyond 100 APs on switches or 4 000 wireless devices
    Converged Access Mode
    • Integrated wireless controller
    • Distributed wired/wireless data plane (CAPWAP termination on switch)
  • 47. Cisco Converged Access Deployment
    Converged Wired / Wireless Access Switches Benefits – Overview
    • Scale with distributed wired and wireless data plane: large stack bandwidth; 40G wireless / switch; efficient multicast; 802.11ac optimized
    • Maximum resiliency with fast stateful recovery: layered network high availability design with stateful switchover
    • Single platform for wired and wireless: common IOS, same administration point, one release
    • Network wide visibility for faster troubleshooting: wired and wireless traffic visible at every hop
    • Consistent security and Quality of Service control: hierarchical bandwidth management and distributed policy enforcement
    Unified Access - One Policy | One Management | One Network
  • 48. Cisco Converged Access Deployment
    Visibility into Wired and Wireless Traffic at the Access
    Visibility for Wired and Wireless: Flexible NetFlow v9
    • Can monitor East-West and North-South flows
    • Natively available in the hardware
    • Single flow monitor can be applied to wired ports and SSID
    • Detect network anomalies with hop-by-hop metrics such as packet loss, RTT, jitter and delay
    • Understand Application Traffic Patterns such as HTTP, SMTP, Voice, Video, etc.
    • Analyze usage trends over time and location
    • Enforce policies to limit usage - based on application, time, location or load
    • Plan for access capacity expansion
    Understand Bandwidth consumption by various devices and applications
    Detect Anomaly in Traffic flows
  • 49. Cisco Converged Access Deployment
    [Diagram labels: Mobility Group; Sub-Domain #1; Sub-Domain #2; MC per Sub-Domain; SPGs; MAs; ISE; PI]
  • 50. Cisco Converged Access Deployment
    [Diagram labels: Fast Roam; New Authentication; Mobility Group; Mobility Controller; Mobility Subdomain A; Mobility Subdomain B; Peer Group 1; Peer Group 2; Mobility Agent; roam times 14ms, 50ms, 80ms, 120ms, > 250ms]
  • 51. Cisco Converged Access Deployment
    Physical Entities
    • Mobility Agent (MA) – Terminates CAPWAP tunnel from AP
    • Mobility Controller (MC) – Manages mobility within and across Sub-Domains
    Logical Entities
    • Mobility Groups – Grouping of Mobility Controllers (MCs) to enable Fast Roaming
    • Switch Peer Group (SPG) – Localizes traffic for roams within Distribution Block
    MA, MC, Mobility Group functionalities all exist in today’s controllers
  • 52. Cisco Converged Access Deployment
    Mobility Agent
    [Diagram labels: Mobility Group; ISE; PI; MAs]
    • MA is the first level in the hierarchy of MA / MC / MO
    • One MA per Catalyst 3850/3650 Stack
    • Maintains Client DB of locally served clients
    • Interfaces to the Mobility Controller (MC)
  • 53. Cisco Converged Access Deployment
    Mobility Controller
    [Diagram labels: Mobility Group; ISE; PI; MC; MAs]
    • Mandatory element in design. Handles AP licenses
    • Can be hosted together with MA
    • Manages mobility-related state of MAs
    • Maintains Client DB within a Sub-Domain (1 x MC = One Sub-Domain)
    • Handles RF functions (including RRM)
    • Multiple MCs can be grouped together in a Mobility Group
  • 54. Cisco Converged Access Deployment
    Best-in-Class Wired Switch – with Integrated Wireless Mobility functionality
    • Can act as a Mobility Agent (MA) for terminating CAPWAP tunnels for locally connected APs …
    • as well as a Mobility Controller (MC) for other Mobility Agent (MA) switches, in small deployments
      - MA/MC functionality works on a Stack of Catalyst 3650/3850 Switches
      - MA/MC functionality runs on Stack Master
      - Stack Standby synchronizes some information (useful for intra-stack HA)
  • 55. Cisco Converged Access Deployment
    [Diagram labels: Sub-Domain 1; MC; SPG-A and SPG-B, each with MAs]
    Switch Peer Group
    • Made up of multiple Catalyst 3x50 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
    • Handles roaming across SPG (L2 / L3)
    • MAs within an SPG are fully-meshed (auto-created at SPG formation)
    • Fast Roaming within an SPG
    • Multiple SPGs under the control of a single MC form a Sub-Domain
    SPGs are a logical construct, not a physical one
    SPGs can be formed across Layer 2 or Layer 3 boundaries
    SPGs are designed to constrain roaming traffic to a smaller area, and optimize roaming capabilities and performance
    Current thinking on best practices dictates that SPGs will likely be built around buildings, around floors within a building, or other areas that users are likely to roam most within
    Roamed traffic within an SPG moves directly between the MAs in that SPG (CAPWAP full mesh)
    Roamed traffic between SPGs moves via the MC(s) servicing those SPGs
    Hierarchical architecture is optimized for scalability and roaming
  • 56. Cisco Converged Access Deployment
    [Diagram labels: Mobility Group; Sub-Domain 1 with MC, SPG-A and SPG-B; Sub-Domain 2 with MC, SPG-E and SPG-F; MAs in each SPG]
    Switch Peer Group
    • Made up of multiple Catalyst 3x50 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
    • Handles roaming across SPG (L2 / L3)
    • MAs within an SPG are fully-meshed (auto-created at SPG formation)
    • Fast Roaming within an SPG
    • Multiple SPGs under the control of a single MC form a Sub-Domain
    Mobility Group
    • Made up of Multiple Mobility Controllers (MCs)
    • Handles roaming across MCs (L2 / L3)
    • RF Management (RRM, handled by RF Group), Key Distribution for Fast Roaming
    • One Mobility Controller (MC) manages RRM for the entire RF Group
    • Fast Roams are limited to Mobility Group member MCs
  • 57. Cisco Converged Access Deployment
    [Diagram labels: SPG; APs; MAs; MC; PoP; PoA]
    Point of Presence (PoP) vs. Point of Attachment (PoA) –
    • PoP is where the wireless user is seen to be within the wired portion of the network
    • PoA is where the wireless user has roamed to while mobile
    • Before a user roams, PoP and PoA are in the same place
    If users associate and remain stationary, this is their traffic flow
    Note – the traffic does NOT flow through the MC …
  • 58. Roaming across Stacks (same SPG)
    Very common roaming case
    [Diagram labels: SPG; MC; MAs; PoP; PoA; uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application …]
    Roaming, Within a Switch Peer Group (Branch) –
    • Now, let’s examine a roam at a larger branch, with multiple 3x50-based switch stacks joined together via a distribution layer
    • In this example, the larger Branch site consists of a single Switch Peer Group – and the user roams within that SPG – again, at a larger Branch such as this, this may be the only type of roam
    The user may or may not have roamed across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application
    Again, notice how the 3x50 switch stack on the left is an MC (as well as an MA) in this picture – in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required …
    * Adjustable via setting, may be useful for L2 roams
  • 59. Cisco Converged Access Deployment
    Roam
    • When a wireless client roams to a switch where the client VLAN is present, it is considered as an L2 Roam – In CUWN this would imply that the PoP moves to the new switch
    • When a wireless client roams across L3 subnets (i.e. to switches where its own VLAN is not present), it is considered as an L3 Roam – same as CUWN, tunneling is used to keep the client’s IP address
    • In Converged Access by default all roams are L3
      - The data path is anchored at the home switch (feature called “Sticky / L2 anchoring”)
      - Sticky roaming is ON by default. It can be disabled on a per-WLAN basis
    • In both cases, the client will continue to maintain its original IP address – this is called seamless mobility.
  • 60. Cisco Converged Access Deployment
    Roaming across SPGs (L3 separation assumed at access layer)
    Less common roaming case
    [Diagram labels: two SPGs, each with MAs; MCs; PoP; PoA]
    Roaming across SPGs
    • In this example, the user roams across Switch Peer Groups – since SPGs are typically formed around floors or other geographically-close areas, this could represent a large building
    • Typically, this type of roam will take place across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application
    • Note how traffic goes through the MC in this case
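The PoP/PoA rules from the CUWN and Converged Access roaming slides above decide where security policy is applied after a roam and which devices the traffic crosses. The following Python model is an added example, not part of the original deck: node names, VLAN labels and function names are constructed, and the L2 case with sticky anchoring disabled is an assumption based on the slides' "adjustable via setting" note.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    """A WLC (CUWN) or a Mobility Agent switch stack (Converged Access)."""
    name: str
    vlans: frozenset
    spg: Optional[str] = None   # Switch Peer Group, Converged Access only
    mc: Optional[str] = None    # Mobility Controller of the node's sub-domain


@dataclass(frozen=True)
class Roam:
    kind: str     # "none", "L2", "L3" or "anchor"
    pop: str      # Point of Presence: IP anchor, security policy applied here
    poa: str      # Point of Attachment: mobility and QoS policy applied here
    path: tuple   # devices the client's traffic crosses, PoA first


def cuwn_roam(vlan, pop, new, anchor=None):
    """Centralized (CUWN) roam between controllers of one Mobility Group."""
    if anchor is not None:
        # Mobility Anchor in use: PoP is always the anchor, only PoA moves.
        return Roam("anchor", anchor.name, new.name, (new.name, anchor.name))
    if vlan in new.vlans:
        # L2 roam: client context moves, PoP and PoA both follow the client.
        return Roam("L2", new.name, new.name, (new.name,))
    # L3 roam: PoP stays on the original WLC, traffic is tunneled back to it.
    return Roam("L3", pop.name, new.name, (new.name, pop.name))


def ca_roam(vlan, pop, new, sticky=True):
    """Converged Access roam between Mobility Agents."""
    if new == pop:
        return Roam("none", pop.name, pop.name, (pop.name,))
    if not sticky and vlan in new.vlans:
        # Assumption: with sticky anchoring off, an L2 roam moves the PoP.
        return Roam("L2", new.name, new.name, (new.name,))
    if new.spg == pop.spg:
        # Same SPG: roamed traffic goes directly MA to MA (CAPWAP full mesh).
        path = (new.name, pop.name)
    else:
        # Different SPGs: traffic moves via the MC(s) servicing those SPGs.
        mcs = (new.mc,) if new.mc == pop.mc else (new.mc, pop.mc)
        path = (new.name,) + mcs + (pop.name,)
    return Roam("L3", pop.name, new.name, path)


# Constructed topology: three WLCs, and four MAs across two sub-domains.
WLC1 = Node("WLC-1", frozenset({"X"}))
WLC2 = Node("WLC-2", frozenset({"X"}))
WLC3 = Node("WLC-3", frozenset({"Z"}))
GUEST = Node("Guest-Anchor", frozenset({"G"}))
MA1 = Node("MA-1", frozenset({"X"}), spg="SPG-A", mc="MC-1")
MA2 = Node("MA-2", frozenset({"X"}), spg="SPG-A", mc="MC-1")
MA3 = Node("MA-3", frozenset({"Z"}), spg="SPG-B", mc="MC-1")
MA5 = Node("MA-5", frozenset({"Z"}), spg="SPG-E", mc="MC-2")

if __name__ == "__main__":
    for label, roam in [
        ("CUWN L2", cuwn_roam("X", WLC1, WLC2)),
        ("CUWN L3", cuwn_roam("X", WLC1, WLC3)),
        ("CUWN anchored", cuwn_roam("G", GUEST, WLC3, anchor=GUEST)),
        ("CA same SPG", ca_roam("X", MA1, MA2)),
        ("CA across SPGs", ca_roam("X", MA1, MA3)),
        ("CA across sub-domains", ca_roam("X", MA1, MA5)),
        ("CA sticky off", ca_roam("X", MA1, MA2, sticky=False)),
    ]:
        print(label, roam)
```

The `pop` field is the device whose ACLs and security policy keep applying to the client after the roam, which is the one to check when a roamed client's policy looks wrong.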
  • 61. Cisco Converged Access Deployment
    [Diagram labels: PSTN; CUCM; SPG; MAs; MC; PoP; PoA]
    Traffic Flows, Comparison (Converged Access) –
    • Now, our VoIP user is on a Cisco Converged Access network, and is again making a call from a wireless handset to a wired handset …
    • We can see that all of the user’s traffic is localized to their Peer Group, below the distribution layer, in both directions …
    In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming) … two additional hops may be incurred for routing …
    More efficient since traffic flows are localized to the 3x50 switch – Performance Increase
    Traffic does not flow via MCs
    Converged policies and services for wired and wireless users
    Wired and wireless policies implemented on 3650/3850 switch
  • 62.
    • Wireless Data traffic is distributed at the Access switches
      - Traffic path is optimized for east-west communication
    • Same distributed Point of Ingress to the network for wired and wireless (access switch)
      - Same troubleshooting tools, same visibility for wireless traffic (not encapsulated anymore)
    • Subnet design should be carefully considered
      - Possible DHCP address contention between wireless and wired
      - Difficult to size the wireless subnet
      - Same policies can be applied for wired and wireless if desired
    • Size recommendation for Campus deployments
      a) No more than 600 APs and 7000 clients for the 5760 as MC in CA deployments
      b) No more than 2 x MCs on Switches only deployments (50 APs with 3650s and 100 APs with 3850s)
  • 63. Branch Office Design and Deployment options
  • 64. Cisco FlexConnect with different controller deployment options
    Branch (Controller in DC)
    • Virtual Controller: 5 to 200 APs; 6000 clients; 500 Mbps
    • Flex 7500: 300 to 6000 APs; 64,000 clients; 1 Gbps central
  • 65. FlexConnect (ex-HREAP)
    [Diagram labels: ISE; MSE; Prime; Controller; WAN; Remote Location; Trunk links; SSID Data; SSID Guest; SSID Voice]
    • Centralized control plane
    • FlexConnect mode of operation: Connected mode vs Standalone
    • Data plane flexibility
      - Local vs Central switching
      - Configured per SSID
    • FlexConnect Local switching
      - VLANs are added at access switch
      - Not all features are supported (L3 roaming, Mesh, WGB support, etc)
    • HA will preserve locally switched traffic
    • Mostly deployed over a WAN
      - RTT below 300 ms for data (100 ms for voice)
      - Minimum 500 bytes WAN MTU (with max four fragmented packets)
  • 66. Local controller onsite
    [Diagram labels: Central Site with Backup Central Controller; WAN; Remote Site A; Remote Site B; Remote Site C; Cisco 2500 Series Controller (WLC-25xx); WLCM for ISR/ISR-G2; Virtual Controllers (vWLC); Catalyst 3650 (Cat-3650); CAPWAP]
  • 67. Evolution of Medium/Large Branch Deployment
    “Catalyst 3650 is the New Branch Controller”
    Traditional Deployment
    • Dedicated WLC (2504 up to 75 APs)
    • Multiple OS/devices to manage
    • 1 Gbps of Wireless traffic
    • Up to 1000 wireless clients
    [Diagram labels: DMZ; Prime; ISE; WLC 2504; Catalyst 2960X®; Guest Anchor; ISR 2900/3900; WAN; Employee; Guest]
    Cat. 3650 as Branch Controller
    • Cat. 3650 terminates wired and wireless traffic – 40 Gbps Wireless
    • Up to 1000 wired & wireless clients, 25 APs
    • Full IOS based branch, HA capable
    [Diagram labels: DMZ; Prime; ISE; WAN; Guest Anchor; Catalyst 3650; ISR AX; Employee; Guest]
    Priced at par vs. traditional solutions
      # of APs in Solution | 3650* vs. 2K-X** | 3650* vs. 2K-XR***
      5  | 29% | -9%
      10 | 24% | -8%
      15 | 10% | -13%
      20 | 9%  | -12%
      25 | 1%  | -15%
    * 24 Port PoE IP Base w/1G UpL
    ** LAN Base + 2504 WLC
    *** IP Lite + 2504 WLC
  • 68. Converged Access Branch Deployment Modes
    [Diagram labels: ISE; Prime; DMZ; WAN; MC / MA on UA 3K switches; 3650; Access Points; Employee; Guest]
    Legend: CAPWAP Tunnel; Standard Ethernet, No Tunnels; Guest Tunnel from Switch to DMZ Controller
    Controller-less BRANCH (integrated controller 3650)
    • Up to 25 Access Points with 3650
    • Up to 1000 Clients per branch with 3650
    • All WAN Services Available (local termination)
    Controller-less larger BRANCH
    • Up to 50 Access Points with only 3650s
    • Up to 2000 Clients with only 3650s
    • Visibility, Control and resiliency
  • 69. Architecture comparison
    • What do Flex and Converged Access really have in common, from an architecture point of view, that makes people compare the two?
      - Control Plane and Data Plane separation
      - Distributed Data Plane
      - Wireless and wired traffic are both local to the access switch; same or different VLANs are supported for wireless and wired
      - Visibility of wireless traffic available from the access switch
      - WAN optimization techniques (WAAS) applicable to wireless traffic
      - Security and QoS policies applicable at the edge (branch) of the network (not the same policies though, but at least the point of enforcement can be distributed)
  • 70. Preliminary considerations
    • For this comparison, only FlexConnect Local switching is considered:
      - In terms of architecture and feature support, Flex Central switching is very similar to the Centralized deployment mode (AP in Local mode)
    • For this comparison a 3650/3850-based Converged Access solution is considered:
      - One or more stacks, but the MC is embedded in the 3650/3850, not in a discrete controller
    • For the comparison, the following Reference Design is considered:
      - Branch deployment with less than 25 APs
      - Voice and fast roaming is a requirement
      - High availability is required
    • Today, CA only supports local mode APs and a few features are still different.
  • 71. Architecture comparison: the differences
      Function | Converged Access (3x50) | FlexConnect (local switching)
      Control and data plane separation | MC and MA functionalities are used | Controller handles the Control plane, AP the data plane
      Control and data plane termination | Both terminated at the switch | Control Plane terminated at the WLC (300ms max RTT requirement), AP bridging for data traffic
      Wired and Wireless traffic | True wireless and wired convergence | Local access switch sees wireless traffic as if it was wired traffic through a bridge
      Dot1x Authentication | Switch acts as dot1x Authenticator for wireless and wired | WLC or AP is authenticator for wireless
      L2/L3 Seamless Roaming | All supported | Only L2 roaming supported
      Fast Roaming | Supported | Supported within the FlexConnect Group (different scalability for different controller platforms)
      Subnetting definition | Flexibility of having wireless in same or different VLANs per wiring closet | Same VLAN is required for seamless roaming
      QoS policies Enforcement point | Local switch and same for wired and for wireless | WLC, AP or access switch, and usually different for wireless and wired
      Security Enforcement point | Local switch and same for wired and for wireless | WLC, AP or access switch, and usually different for wireless and wired
      WAN dependencies | No WAN dependencies for Wireless service | Different requirements based on type of traffic (voice, data, monitor APs only)*
  • 72. Feature comparison: the differences
      Feature (*) | 3650 / 3850 in the Branch | Flex (**) Local Mode
      All AP modes (Mesh, Flex, OEAP) | Not supported (roadmap), and only 11n+ APs | Supported (Mesh and Flex since 8.0)
      802.11r Fast Secure Roaming | Supported | Supported
      No service interruption upon controller failure (***) | AP SSO is supported within stack | Supported
      Vlan Select (interface Group) | Supported | Not supported
      Downloadable ACL | Supported | Not supported (Airespace ACL)
      Security Group Tag (SGT) and Security Group ACLs (SGA) | Supported | Not supported
      IPv6 client Mobility | Supported | Not supported
      Advanced Modular QoS and QoS override | Supported | Not supported
      Netflow | Supported | Not supported
      VideoStream (multicast to unicast) | Supported | Supported
      Application Visibility and Control | Supported | Not Supported (planned for 8.1)
      Bonjour Services | Supported | Supported
  • 73. Summary
  • 74. Unified Access
    One Policy | One Management | One Network
  • 75. [Slide labels: Intranet; CENTRALIZED AireOS; CONVERGED ACCESS; rows: Positioning, Characteristics]
    • Switch refresh
    • Future upgrade to converged access
    • Perfect for scaling with 802.11ac
    • Ready for SDN evolution
    • Perfect for branch deployments
    • Wireless-only overlay
    • Most mature and feature rich offering
    • Ready for 802.11ac
    • Perfect for 802.11n
    • Support for all AP modes
    • Optimized for Campus
    • Broadest Feature Set
    • Centralized control plane
    • Centralized data plane
    • On-Premise controller
    • Controller at every location
    • Centralized control plane
    • Distributed data plane
    • Common LAN and WLAN OS
    • LAN and WLAN feature consistency
    • Optimized for high performance
    • Optimized for branch deployments
  • 76. Multiple options exist, depending on the type and size of branch
    • 1 AP: Autonomous IOS AP or CVO Router
    • Up to 10 APs: FlexConnect with vWLC, 7500 or 5508/WiSM-2
    • Up to 25 APs: Converged Access, FlexConnect, Local 2504 bundles
    Branch, Controller On-Premise
    • 2500: 5 to 75 APs; 1000 clients; 1 Gbps
    • Virtual WLC (e.g. UCS-E on ISR G2): 5 to 200 APs; 3000 clients; 500 Mbps
    • Catalyst 3850: 1-50 APs per switch/stack (directly connected APs); 2000 clients per stack; 40 Gbps per switch
    • Catalyst 3650: 1-25 APs per switch/stack (directly connected APs); 1000 clients per stack; 40 Gbps per switch
    Branch, Controller in DC
    • Virtual Controller: 5 to 200 APs; 6000 clients; 500 Mbps
    • Flex 7500: 300 to 6000 APs; 64,000 clients; 1 Gbps central
  • 77. Cisco Wireless LAN Controller - Configuration Best Practices
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
    Document View Count 2 0 0 9 9
  • 78. BEST PRACTICES (AireOS)
    INFRASTRUCTURE
    • Enable High Availability (AP and Client SSO)
    • Enable AP Failover Priority
    • Enable AP Multicast Mode
    • Enable Multicast VLAN
    • Enable Pre-image download
    • Enable AVC
    • Enable NetFlow
    • Enable Local Profiling (DHCP and HTTP)
    • Enable NTP
    • Modify the AP Re-transmit Parameters
    • Enable FastSSID change
    • Enable Per-user BW contracts
    • Enable Multicast Mobility
    • Enable Client Load balancing
    • Disable Aironet IE
    • FlexConnect Groups and Smart AP Upgrade
    SECURITY
    • Enable 802.1x and WPA/WPA2 on WLAN
    • Enable 802.1x authentication for AP
    • Change advance EAP timers
    • Enable SSH and disable telnet
    • Disable Management Over Wireless
    • Disable WiFi Direct
    • Secure Web Access (HTTPS)
    • Enable User Policies
    • Enable Client exclusion policies
    • Enable rogue policies and Rogue Detection RSSI
    • Strong password Policies
    • Enable IDS
    • Extend BYOD Timers
    MESH
    • Set a Bridge Group Name
    • Set a Preferred Parent
    • Deploy Multiple Root APs in each BGN
    • Set Backhaul rate to "Auto"
    • Set Backhaul Channel Width to 40/80 MHz
    • Backhaul Link SNR > 25 dBm
    • Avoid DFS channels for Backhaul if possible
    • External RADIUS server for Mesh MAC Authentication
    • Enable IDS
    • Enable EAP Mesh Security Mode
    WIRELESS / RF
    • Disable 802.11b data rates
    • Restrict number of WLAN below 4
    • Enable channel bonding – 40 or 80 MHz
    • Enable BandSelect
    • Use RF Profiles and AP Groups
    • Enable RRM (DCA & TPC) to be auto
    • Enable Auto-RF group leader selection
    • Enable Cisco CleanAir and EDRRM
    • Enable Noise & Rogue Monitoring on all channels
    • Enable DFS channels
    • Avoid Cisco AP Load
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
  • 79. Key Takeaways
  • 80. Market Leadership / Industry Leadership
    • 20+ years of market share leadership
    • 800,000+ WLAN customers
    • 2,000,000+ LAN customers
    • 18,000,000 ISE endpoint licenses sold
    • 75,000,000 AnyConnect licenses sold
    • Broadest LAN, WLAN, and Security portfolio
    • 90% Fortune 1000 have selected Cisco
    • 10+ years of Gartner MQ leadership
    • Leader in Unified Access Gartner MQ
    • Ongoing IEEE, IETF, Wi-Fi Alliance leadership
    • Largest patent portfolio in the industry
    • Largest development team in the industry
    • EAL Common Criteria, PCI
  • 81. Thank you.