architecting network for branch offices with cisco unified wireless
TRANSCRIPT
Architecting Network for Branch Offices with Cisco
Unified Wireless Aparajita Sood
Technical Marketing Engineer
BRKEWN-2016
Objective
Best Practices for Designing Resilient, Secure
and Service-Ready Branch Networks
Agenda
• Understand Wireless Branch Deployment Options
• Evaluate FlexConnect Architectural Requirements
• Identify the need for FlexConnect & AP Groups
• Design a Resilient Branch Network
• Design Secure & BYOD enabled Branch Network
• Operate Wireless Branch efficiently over WAN
• Service-Ready Branch
• FlexConnect Best Practices
Wireless LAN Controller DeploymentDeployment Modes
Autonomous FlexConnect Centralised Converged Access
Traffic Distributed at AP Traffic Centralisedat Controller
Traffic Distributed at SwitchStandalone APs
Target
PositioningSmall Wireless Network Branch Campus Branch and Campus
Scope Wireless only Wireless only Wireless only Wired and Wireless
High
Availability
• Can only claim AP quality
• No RF HA
• No Network layer HA
• No services
• Full RF HA
• Client SSO when Local
Switching
• Most complete solution • Exploits HA in IOS switches
Key
Considerations
• Limited features. Upgradable
to controller based
• Branch with WAN BW and
latency requirements• Full features
• Catalyst 3650/3850 in the access
layer
WAN
Wireless Branch Deployment Options
Branch Office with Local WLAN ControllerOverview
• Branches can also have local controllers
• Small or Mid-size Branch WLCs
• CT-2504,
• Integrated controller modules in ISR/ISR-G2
• Converged Access Cat-3850
Remote Site B
Remote Site A
WLC-25xx
WLCM for
ISR/ISR-G2
Backup Central
Controller
WAN
Central Site
Remote Site C
Cat-3850
CAPWAP
• Cookie cutter configuration for every branch site
• Layer-3 roaming within the branch
• IPv6 L3 Mobility
Advantages
Branch Office DeploymentFlexConnect (HREAP)
• Hybrid Architecture
• Single management and control point
• Data Traffic Switching
• Centralized traffic(split MAC)
• or
• Local traffic (local MAC)
• HA will preserve local traffic only
• Traffic Switching is configured per AP and per WLAN (SSID)
WAN
Central Site
Remote Office
Centralized
Traffic
Centralized
Traffic
Local
Traffic
FlexConnect Glossary
Standalone Mode When FlexConnect AP cannot reach Controller, it goes into standalone state and does client authentication by itself.
Local Switching Data traffic switched onto local VLANs for an SSID
Central Switching Data traffic tunneled back to WLC for an SSID
Connected Mode When FlexConnect AP can reach Controller, it gets help from controller to complete client authentication.
Configure FlexConnect ModeStep 1: Configure Access Point Mode
• Enable FlexConnect mode per AP
• Supported APs:
AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600 , AP-2600 , AP-3600, AP-3700, AP-1700, AP-2700, AP 700, AP-1520, AP-1530, AP-1550, AP-1570
Configure FlexConnect Local SwitchingStep 2: Enable Local Switching per WLAN
Only WLAN with “FlexConnect Local Switching” enabled will allow local switching on the FlexConnect AP
Configure FlexConnect VLAN MappingStep 3: FlexConnect Specific Configuration – VLAN Support
• FlexConnect AP can be connected on an access port or connected to a 802.1Q trunk port (using the native VLAN)
• VLAN mapping can be performed per AP configuration on WLC and/or by AP groups using Cisco Prime Infrastructure templates
Configure FlexConnect VLAN MappingStep 4: FlexConnect Specific Configuration – Native Vlan
• When connecting with Native VLAN on AP, L2 switchport must also match with corresponding Native VLAN configuration
• Each corresponding SSID that is allowed to be locally switch should be allowedon the corresponding switchport.
Configure FlexConnect SSID-VLAN Mapping Step 5: Per AP SSID to VLAN Mapping
• Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP
• Or use Cisco Prime Infrastructure (NCS) via configuration templates
1 2
Configure FlexConnect VLAN MappingUsing Cisco Prime Infrastructure
• Prime Infrastructure provides simplified configuration to all FlexConnect APswith one Lightweight AP Template
Evaluate FlexConnect Architectural Requirements
FlexConnect Design Considerations
WAN Limitations Apply
Deployment
Type
WAN Bandwidth
(Min)
WAN RTT
Latency (Max)
Max APs per
Branch
Max Clients per
Branch
Data 64 kbps 300 ms 5 25
Data 640 kbps 300 ms 50 1000
Data 1.44 Mbps 1 sec 50 1000
Data+Voice 128 kbps 100 ms 5 25
Data+Voice 1.44 Mbps 100 ms 50 1000
Monitor 64 kbps 2 sec 5 N/A
Monitor 640 kbps 2 sec 50 N/A
For YourReference
It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip
latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.
• MAC/Web Auth in Standalone Mode
• IPv6 Mobility
• SXP TrustSec
• Application Visibility and Control 8.1 Feature
• Service Discovery Gateway
• Native Profiling and Policy Classification
• See full list in « FlexConnect Feature Matrix »
• http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Feature Limitations In Standalone mode and Local Switching
FlexConnect Design Considerations
IPv6 Support
Significant support for IPv6 with Central Switching
IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching
✔✔✔
✔✔✔✔
✔✔
Economies of Scale For Lean BranchesFlex 7500 Wireless Controller
WAN Tolerance
• High Latency Networks
• WAN Survivability
Security
802.1x based port authentication
Voice support
• Voice CAC
• OKC/CCKM
Key Differentiation
Access Points 300-6,000
Clients 64,000
Branches ( Flex Groups ) 2000
Access Points / Branch 100
Deployment Model FlexConnect
Form Factor 1 RU
IO Interface 2 x 10GE
Upgrade Licenses 100, 200, 500, 1K
RTU Licenses
Functionality
Access Points 6,000
Clients 64,000
Branches/locations 6,000 (2000 FlexGroups)
Access Points per
FlexConnect group
100
Deployment types Local (centralized),
FlexConnect and mesh
Form Factor 2 RU
IO Interface and
redundancy
Four x 10GE ports with LAG
Functionality
High scale
• 4K VLANs
Rich Features with deployment flexibility
Geo Separated AP/Client SSO
• FlexConnect, Local mode and mesh support Right to use (with EULA) for ease of license enablement
• 3G Packet core integration: PMIPv6 MAG solution with ASR5K (LMA)
• FlexConnect with HS2.0 for 3G offload
• Other key features:
802.11r fast roaming
Rate limit traffic flows
Video Stream for rich media flows
Key Differentiation
Optimized for High Scale DeploymentsCisco 8540 Series Controller
Flex 7500 Scale & Feature Update - 7.0.116.0 vs. 7.4
Scalability 7.0.116.0 7.4
Total APs 2000 6000
Total Clients 20,000 64,000
Total FlexConnect Group 500 2000
Support for OEAPs No Yes
Central Switching BW Limit ~250 Mb ~1 Gb
Data DTLS Support No Yes
Central Switching 802.1x No Yes
FlexConnect Feature IntroductionFor YourReference
FlexConnect Features Release Version
AAA-VLAN Override, ALCs & P2P Blocking 7.2
Smart AP Image Upgrade 7.2
External Web-Auth & Mobile Device On-boarding 7.2
Flex 7500 Scale Update 7.3
VLAN Based Central Switching 7.3
Split-tunneling 7.3
Work Group Bridge (WGB) Support 7.3
Bi-Directional Rate Limiting 7.4
ISE BYOD Registration & Provisioning 7.4
AAA-ACL & AAA-QoS Override 7.5
EAP-TLS & PEAP Support for Local Authentication 7.5
Ethernet Fallback 7.6
VideoStream for Local Switching 8.0
Faster time to deploy 8.0
FlexConnext on Mesh APs 8.0
AVC for FlexConnect 8.1
VLAN Name override for FlexConnect 8.1
VLAN Support/Native VLAN on Flex Group 8.1
Why do we need FlexConnect & AP Groups?
Understanding AP GroupsOverview
• AP Groups is a logical concept of grouping AP’s which deliver similar Wi-Fi services; these services can be:
• By physical location, and/or
• By functional services (data, voice, guest, …)
• Same AP groups need to be defined in all WLC’s of a mobility group
Remote Site A Remote Site B
Central Site
WAN
AP Group 1
AP Group 2
AP Group 3
Flex 7500
Scaling7510/8510
/8540CT-5508 WiSM-2 CT-2504
# AP Groups 6000 500 1000 50
# WLAN
(SSID)512 512 512 16
# VLAN
(Interfaces)4095 512 512 16
AP GroupsConfiguration: Create a New Group
AP Groups Usage
WAN
Central Site
StoreManufacturing Site
AP Group 2
AP Group 3
AP Group 1
Corporate-Voice
Guest-Access
Corporate-Data
Guest-Access
Corporate-Data
@ Internet
Scanners
AP groups give the ability to enable Wi-Fi
Services (WLAN) based on physical
location
Central SiteCorporate-Voice, Corporate-Data, Guest-
Access
Manufacturing SiteCorporate-Voice, Corporate-Data,
Scanners
StoreCorporate-Data, Guest-Access
Per Location SSID
AP Groups UsagePer AP Group SSID to VLAN Mapping
• AP groups give the ability to statically map Wi-Fi service (WLAN) to VLAN based on physical location
• Users see the sameWi-Fi service on all sites.
• Admin can monitor and filter basedon different IP@ each site
• Can also be used to have smallerWi-Fi subnets
• For example per floor subnets in a building.
Corporate-Data
Corporate-Data
Corporate-Data
VLAN-1
VLAN-2
VLAN-3
Manufacturing Site
Store
Central Site
WAN/MAN
AP Group 1Head Office
AP Group 2
AP Group 3
Understanding FlexConnect Groups
FlexConnect Group 1
Remote Site Remote Site
WAN
Central Site
FlexConnect Group 2
Flex 7500
Cluster
Scaling
7510/
8510/
8540
CT-5508 WiSM2 CT-2504
FlexConnect
Groups2000 100 100 30
AP per Group 100 25 25 25
Overview
FlexConnect groups allow sharing of:
• CCKM/OKC fast roaming keys
• Local/backup RADIUS servers IP/keys
• Local EAP authentication
• AAA-Override for Local Switching
• Smart Image Upgrade
• FlexConnect AVC (8.1)
FlexConnect Groups and CCKM/OKC Keys
WAN
Central Site
RADIUS Server
CCKM Keys
FlexConnect Group 1 FlexConnect Group 2
• CCKM/OKC keys stored on FlexConnect APs for
Layer 2 fast roaming
• The FlexConnect APs receives CCKM/OKC keys
from WLC
• If a FlexConnect AP boots up
in standalone mode, it will not get the OKC/CCKM
keys from the WLC
• FlexConnect supports 802.11r Fast Transition with
local key caching.
Overview
FlexConnect Groups Creation
Step 1: Add a New FlexConnect Group
Step 2: Add APs to the
FlexConnect Group
1
2
FlexConnect Groups Template on PI
For YourReference
FlexConnect Groups Template on PI
For YourReference
Designing a Resilient Wireless Branch Network
FlexConnect Backup ScenarioWAN Failure
• FlexConnect will backup on local switched mode
• No impact for locally switched SSIDs
• Disconnection of centrally switched SSIDs clients
• Static authentication keys are locallystored in FlexConnect AP
• Lost features
• RRM, WIDS, location, other AP modes
• Web authentication, NAC
Remote Site
WAN
Central Site
Application
Server
FlexConnect Backup ScenarioWLC Failure scenario with N+1 HA
• FlexConnect will first backup on local switched mode
• No impact for locally switched SSIDs
• Disconnection of centrally switched SSIDs clients
• CCKM roaming allowed in FlexConnect group
• FlexConnect AP will then searchfor backup WLC; when backup WLC isfound, FlexConnect AP will resync with WLC and resume client sessions with central traffic.
• Client sessions with Local Traffic are not impacted during resync with Backup WLC.
Remote Site
WAN
Central Site
Application
Server
FlexConnect Backup ScenarioWLC failure scenario with SSO
• HA considerations:
• No impact for locally switched SSIDs
• Disconnection of centrally switched SSIDs clients with AP SSO
• No/minimal impact for centrally switched client with Client SSO (7.5 and above)
• FlexConnect AP will NOT transition to Standalone because SSO kicks in
• AP will continue to be in Connected mode with the Standby (now Active) WLC
WAN
Application
Server
Remote Office
Central SiteActive
Standby
FlexConnect Group : Backup ScenarioLocal Backup RADIUS
• Normal authentication is done centrally
• On WAN failure, AP authenticates new clients with locally defined RADIUS server
• Existing connected clients stay connected
• Clients can roam with
• CCKM fast roaming, or
• Re-authentication
Remote Site
WAN
Central Site
Central
RADIUS
Local Backup
RADIUS
CCKM Fast Roaming
FlexConnect Group: Local Backup RADIUSConfiguration
• Define primary and secondary local backup RADIUS server per FlexConnectgroup
Local Authentication
Remote Site
WAN
Central Site
FlexConnect Group
Central
RADIUS
Local
RADIUS
• By default FlexConnect AP
authenticates clients through central
controller
• Local Authentication allow use of local
RADIUS server directly from the
FlexConnect AP
Local Authentication
Local AuthenticationConfiguration
FlexConnect Group: Backup ScenarioLocal Backup Authentication
• Normal authentication is done centrally
• On WAN failure, AP authenticates new clients with its local database
• Each FlexConnect AP has a copy of the local user DB
• Existing authenticated clients stay connected
• Clients can roam with:
• CCKM fast roaming, or
• Local re-authentication
Remote Site
WAN
Central Site
Central
RADIUS
CCKM Fast
Roaming
FlexConnect Group 1
Supported Security Types Release Version
LEAP 6.0
EAP-FAST 6.0
PEAP 7.5
EAP-TLS 7.5
FlexConnect Group: Local Backup AuthenticationConfiguration
• Define users (max 100) and passwords
• Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS
1 2
Designing Secure & BYOD Enabled Branch Network
FlexConnect Peer-to-peer Blocking
Local Switching Peer-to-peer Blocking
Remote Site
WAN
Central Site
Application
Server
Starting
from 7.2
Support for Peer-to-Peer blocking in
FlexConnect AP
Apply for clients on same FlexConnect AP
P2P blocking modes : disable or drop
For P2P blocking inter-AP use ACL or Private
VLAN function
Standalone mode support
Overview
Local Switching Peer-to-peer BlockingConfiguration
Multiple Policy Touch PointsBoth modes of operation will drop the packet @ AP
for Local Switching enabled WLAN
* Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream node connected to WLC
FlexConnect AAA VLAN & QoS Override
VLAN 7
QoS = Platinum
VLAN 3
QoS = Silver
FlexConnect AAA VLAN Override
• AAA VLAN Override with local or central authentication
• Up to 16 VLANs per FlexConnect AP
• VLAN ID must be enabled per AP or FlexConnect Group
• If VLAN ID does not exist, default VLAN isused, unless « VLAN Based Central Switching » enabled
Description
Remote Site
WAN
Central Site
FlexConnect Group
RADIUS
Application
Server
Starting
from 7.2
FlexConnect AAA VLAN OverrideConfiguration
WAN
ISE
Create Sub-Interface on FlexConnect
AP
IETF 81
IETF 64
IETF 65
For YourReference
VLAN Based Central Switching
• While doing AAA VLAN Override withlocal switching :
• If VLAN ID does not exist at the AP, the traffic is central switched to the central VLAN ID
• If the central VLAN ID does not exist, the traffic is centrally switched to the default VLAN ID of the WLAN
Overview
Remote Site
WAN
Central
RADIUS
VLAN 7
VLAN 3
VLAN 7
VLAN 3
does not
Exist on
this AP
VLAN 7
does not
Exist on
this AP
VLAN 7
does not
Exist on
this WLC
Go to Default
VLAN IDCentral
VLAN 3
FlexConnect AAA QoS Override
Description
Dynamically assign QoS levels and/or bandwidth contracts for local switching, centrally authenticated WLANs
Web-authenticated WLANs and 802.1X-authenticated WLANs supported
Order of precedence for Rate Limiting parameters AAA override
QoS Profile of AAA override
Local WLAN configuration
QoS Profile of local WLAN configuration
Starting
from 7.5
Vendor ID/Vendor Type Attribute
[14179\002] Aire-QoS-Level
[14179\004] Aire-802.1P-Tag
[14179\007] Aire-Data-Bandwidth-Average-
Contract
[14179\008] Aire-Real-Time-Bandwidth-
Average-Contract
[14179\009] Aire-Data-Bandwidth-Burst-
Contract
[14179\0010] Aire-Real-Time-Bandwidth-
Burst-Contract
AAA Override Deployment ScenarioProblem Statement
Remote Site BRemote Site A
Function VLAN ID
Engineering 10
Marketing 20
Sales 30
VLAN 20
WAN
Central Site
Application
Server
Function VLAN ID
Engineering 11
Marketing 21
Sales 31
VLAN 20
does not
exist
Application
Server
VLAN Name Mapping at FlexConnect Group
Remote Site B
Central Site
WAN
Remote Site A
Flex Group A
VLAN Name VLAN
ID
Engineering 10
Marketing 20
Sales 30
.
.
HR 160
VLAN ID
11
21
31
VLAN ID
10
20
30
VLAN Name VLAN
ID
Engineering 11
Marketing 21
Sales 31
Flex Group B
VLAN Name VLAN
ID
Engineering 11
Marketing 21
Sales 31
.
.
HR 161
VLAN Name VLAN
ID
Engineering 10
Marketing 20
Sales 30
Starting
from 8.1
VLAN Name AAA Override - Solution
Remote Site BRemote Site A
VLAN Name VLAN ID
Engineering 10
Marketing 20
Sales 30
VLAN NAME=
Marketing
Remote Site
WAN
Central Site
Application
Server
VLAN Name VLAN ID
Engineering 11
Marketing 21
Sales 31
Remote Site
VLAN 20
VLAN 21
Aire-Interface-Name or
IETF Tunnel-Private-Group-ID
Starting
from 8.1
FlexConnect ACL VLAN Mapping & Per-Client ACL
FlexConnect ACL – VLAN Mapping
• FlexConnects ACL are applied per VLAN
• FlexConnect ACL are Ingress / Egress oriented
• Starting from 7.5 FlexConnect ACL support AAA-
returned Client ACL
Overview
Remote Site
WAN
Central Site
Application
Server
Starting
from 7.2
512 FlexConnect ACL per WLC
• 16 ingress ACL per AP
• 16 egress ACL per AP
• 64 ACL rules per ACL
• No IPv6 ACL
ACL Scale
FlexConnect Access Lists
• FlexConnect ACL rule creation is similar to rule creation for Local Mode AP
Configuration – Create FlexConnect ACL
1
2
3
FlexConnect ACL – VLAN Mapping
• FlexConnect ACL can be applied per AP using VLAN Mappings configuration
Configuration – FlexConnect ACL per AP
1
2
FlexConnect ACL – VLAN Mapping
• FlexConnect ACL can be applied per FlexConnect Groups per VLAN in the ACL Mapping tab.
Configuration –FlexConnect ACL per FlexConnect Group
1 2
FlexConnect Split Tunneling(Using FlexConnect Split ACL)
FlexConnect ACL – Split Tunneling
• Split tunneling allow some traffic to be locally switched although the WLAN is defined as centrally switched
• Split tunneling is using a NAT/PAT feature with ACL to perform the local switching
• Split tunneling is using the AP IP@ for the NAT/PAT feature
Overview
WLCFlexConnect APCAPWAP
WAN
Central Server
Central Traffic
Local Printer
NAT/PAT
ACL
Local Traffic
Starting
from 7.3
FlexConnect ACL – Split Tunneling
• Create a centrally switched WLAN
• Define Flex ACL to match traffic to be locally switched
Configuration
Flex Local switching
should not be checked
Central subnet Local subnet
FlexConnect ACL – Split TunnelingConfiguration – Per Access Point
FlexConnect ACL – Split TunnelingConfiguration – Per FlexConnect Group
Deploying External WebAuth withFlexConnect Local Switching(Using FlexConnect WebAuth ACL)
External WebAuth with Local SwitchingDescription
• Provides L3 Web Redirect from locallyswitched vlan
• Reduces WAN traffic by locally switchingguest traffic
• Flexible and centralized web portal creationfor multiple sites
• FlexConnect AP must be in Connected state with Centralized Controller for this functionalityto work
Remote Site
WAN
Central Site
FlexConnect Group 1
VLAN
503
VLAN 7 - Employee
Internet
WebServer
Starting
from
7.2.110
Guest
External WebAuth with Local SwitchingConfigurationStep 1: Configure Pre-Auth ACL that will be applied to FlexConnect Group, AP or
WLAN
External Web-Server IP
External WebAuth with Local SwitchingConfiguration
Step 2: Apply Pre-Auth ACL to WLAN
Apply Pre-Auth ACL to
WLAN
External WebAuth with Local SwitchingConfiguration – Per AP
Step 3: Apply Pre-Auth ACL to
FlexConnect APMap WLAN-Id to
Pre-Auth ACL
External WebAuth with Local SwitchingConfiguration – Per FlexConnect Group
Or Step 3: Apply Pre-Auth ACL to FlexConnect Group
Map WLAN-Id to
Pre-Auth ACL
External WebAuth with Local SwitchingConfiguration
Step 4: Configure External Web Server
External Web-Server IP
Deploying BYOD with FlexConnect Local Switching(Using FlexConnect WebPolicies ACL)
Bring Your Own Device(s) : The New Normal
CA-Server
BYOD Device On-Boarding in FlexConnectExample: Apple iOS Device Provisioning
ISEWLC
ISEWLC
Client
Reconnects
CA-Server
Starting
from 7.4
Initial Connection Using
PEAP 1
Device Provisioning
Wizard2
Future Connections
using EAP-TLS3
FlexConnect Access Lists fo BYOD
• Create FlexConnect ACL to allow access to Cisco ISE
Create FlexConnect ACL
1
2
3
FlexConnect Web Policy ACL
• ACL Mapping can be configured per FlexConnect AP
Configure Web Policy ACL per FlexConnect AP
FlexConnect Web Policy ACL
• Use ACL Mapping tab in FlexConnect Group configuration
• WebPolicies ACL are not the same as VLAN ACL or WebAuthentication ACL.
Configure Web Policy ACL per FlexConnect Group
Cisco Wireless Central DHCP Processing
• To support DHCP Profiling Probe with FlexConnect, DHCP request must be sent to WLC. This is done by the « Central DHCP Processing » configuration.
Configuration
Deploying BYOD with FlexConnect WirelessSummary – 802.1x/EAP Authentication ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
802.1x/EAP Request Radius Access-Request
Radius Access-Response• Access-Type: Access-Accept
• URL-Redirect-ACL=FlexACLWebPolicy,
• URL-Redirect=http://……)
802.1x/EAP Response
Inside CAPWAP
Inside CAPWAP
URL + ACL Redirect
Inside CAPWAP
WiFi Association
Unknown Device,
Redirect to registration
Deploying BYOD with FlexConnect WirelessSummary – DHCP Request
DHCP Request
RADIUS-Accounting
• host-name=MyiPad
• dhcp-class-identifier=APPLEDHCP Lease
Inside CAPWAP
Inside CAPWAP
ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
Device is
an iPad
Deploying BYOD with FlexConnect WirelessSummary – URL-Redirect
HTTP
Request
ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
URL-Redirect
Inside CAPWAP
HTTP Request
Redirected to WLC by AP
Deploying BYOD with FlexConnect WirelessSummary – Registration & Provisioning
Device Registration & Provisioning
ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
RADIUS Change-of-AuthorizationEAP DeAuthentication
EAP Authentication
Device is Registrered
Trigger Change-of-Auth
Deploying BYOD with FlexConnect WirelessSummary – Device Access ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
802.1x/EAP Request/ResponseRadius Access-Request
Inside CAPWAP
DHCP Request/Response
Inside CAPWAP
Radius Access-Response
Web Traffic
Device is Registrered
And Provisioned
Allow Access
Summary of FlexConnect ACLs
84
Split Tunnel ACL Allow some traffic to be locally switched
Web Authentication ACL Provides L3 Web Redirect for local switching
Web Policies ACL BYOD with FlexConnect
VLAN-ACL Applied on the 802.3 interface of the FlexConnect AP
AAA returned Client ACL Applied on the 802.11 interface of the AP
Operating Wireless BranchSmart Upgrade over WAN
Upgrading a FlexConnect Deployment
• Sites using FlexConnect AP are usually sites with low WAN bandwidth
• Each site may have small number of AP, but an enterprise may have a lot of branches
• Upgrading ~6000 AP through a low bandwidth WAN is a challenge :
• Time needed to download all the AP firmware
• Exhaust of the WAN link
• Risk of failures during the download
Concerns
WAN
FlexConnect Smart AP Image Upgrade
• Smart AP Image Upgrade use a « master » AP in each FlexConnect Group to downloadthe code.
• Other FlexConnect AP download the code from the master locally
1. Download WLC upgraded firmware (willbecome primary)
2. Force the « boot image » to be the secondary (and not the newlyupgraded one) to avoid parallel download of all AP in case of unexpected WLC reboot
3. WLC elects a master AP in eachFlexConnect Group (can be also set manually)
Overview
Remote Site-1 Remote Site-N
Cisco Prime
Wireless LAN
Controller
Primary Secondary
Firmware Image
New
OldNew
NewOld
Central Site
Master AP
Starting
from 7.2
WAN
FlexConnect Smart AP Image Upgrade
4. Master AP « Pre-download » the AP firmware in the secondary « boot image » (will not disrupt the actual service)—Can be started group per group to limit WAN exhaust
5. Slave AP « Pre-download » the AP firmware from the Master AP
6. Change the « boot image » of the WLCto the new image
7. Reboot the controller
Description (Contd.)OldNewNewOld
NewOld
Central Site
Remote Site-1 Remote Site-N
Wireless LAN
Controller
Primary Secondary
Firmware Image
Primary Secondary
AP Firmware Image
NewOld
Primary Secondary
AP Firmware Image
Master AP
Cisco Prime
FlexConnect Smart AP Image Upgrade
• “FlexConnect AP Upgrade” checkbox has to be enabled for each FlexConnect Group.
• By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm.
• One Master select per AP type.
Configuration
Enable Efficient AP Image
Upgrade
Master AP Selection is
Optional
Random Backoff Interval
(100-300sec) between
each retry
Valid Range is 1-63
Per Branch or FlexConnect Group
Upgrade
Upgrade across all Branches or
FlexConnect Groups whose
“FlexConnect AP Upgrade” checkbox
is set
FlexConnect Smart AP Image Upgrade Configuration contd.
()
Service-Ready Branch
FlexConnect VideoStream
• Choppy, Unreliable Video
• Video Stream does not utilize 802.11n/ac High Throughput data rates
• Heavy utilization of channel due to high rate of very slow packets
• Video delivery is not reliable causing poor Quality of Experience
Video Impact
Video Multicast Delivery Challenges
802.11Data Rates
B/G
N
VideoServer
• Multicast packets (UDP) are sent as broadcast packets over the air per 802.11 standard
• Broadcast packets do not use error correction: “fire and forget”
• Broadcast packets are sent at data rate mandatory to all clients connected to the WLAN
1 Mb for B/G (400K actual)6 Mb for A (2.7 Mb actual)
Technical Challenges
Default 802.11B/Gmandatory data rates
1
2
5.5
6
9
11
12
18
24
36
48
54
M0
M1
...
M14
M15
Video Multicast Delivery Solution802.11
Data Rates
• IGMP state monitored for each client. Only send video to clients requesting
• Sent as unicast to individual clients at their data rate
• Multicast packets replicated at AP
Technical Solution
• Smooth, Reliable Video delivered to multiple clients
• Quality of Video protected in varying channel load conditions
• Prioritizes Business Video (QoSGold) over other video ( Best-effort )
Video Impact
Default 802.11B/Gmandatory data rates
N
VideoServer
B/G
1
2
5.5
6
9
11
12
18
24
36
48
54
M0
M1
...
M14
M15
Starting
from 8.0
FlexConnect VideoStream Configuration
(Cisco Controller) >config media-stream multicast-direct ?
enable Enable Global Multicast to Unicast Conversion
disable Disable Global Multicast to Unicast Conversion
Enable VideoStream - Global
FlexConnect VideoStream ConfigurationAdd Stream Configuration
(Cisco Controller) >configure media-stream add multicast-direct <media-stream-
name> <start-IP> <end-IP> [template | detail <bandwidth> <packet-size> <Re-
evaluation> video <priority> <drop|fallback>]’
FlexConnect VideoStream ConfigurationEnable VideoStream - WLAN
(Cisco Controller) >config wlan media-stream multicast-direct 1 ?
enable Enables Multicast-direct on the WLAN
disable Disables Multicast-direct on the WLAN.
(Cisco Controller) >show flexconnect media-stream client summary
Client Mac Stream Name Multicast IP AP-Name VLAN Type
----------------- -------------------- --------------- ------------------------- ----- ----------------
7c:d1:c3:86:7e:dc Media2 229.77.77.28 AP_1600 0 Multicast Direct
88:cb:87:bd:0c:ab Media2 229.77.77.28 AP_1600 0 Multicast Direct
d8:96:95:02:7e:b4 Media2 229.77.77.28 AP_1600 0 Multicast Direct
FlexConnect VideoStream MonitoringController
FlexConnect Bridge Mode Support
• New AP mode that allows
Flexconnect behavior across
mesh-enabled AP • Flexconnect Groups
• Max 8 Mesh hops, Max 32 MAPs
per RAP
• Local AAA support
• A WLC have a mix of Bridge and
Flex + Bridge
• MAPs inherent VLANs from its
connected RAP
FlexConnect on Mesh APs
WAN
Central Site
Remote
Office
Centralized
Traffic
Local
Traffic
Local Data WLAN
Central Data WLAN
Starting
from 8.0
FlexConnect on Mesh APs
FlexConnect-Bridge Failover Scenario
WAN
Application
Server
Primary
Remote
Office
Secondary
• AP SSO is supported for the RAP only. N+1
Recommended
• Multi-sector RAP deployments can be used for
redundancy
• RAP to standalone mode when WLC is not reachable
• MAPs to standalone mode when WLC
is not reachable but gateway is
• When in standalone mode no new
mesh AP can join the mesh tree
Failover Considerations
AP Modes Feature ComparisonFeature\AP Mode Local Mode Bridge Mode Flexconnect Mode
Central Switching Yes Yes Yes
Root Ethernet VLAN bridging
No Yes (secondary Ethernet hosts)
Yes
Secondary Ethernet Access Ports
No Yes No
Secondary Ethernet VLAN Trunk Ports
No Yes No
Local VLAN Inheritance by MAPs from RAPs
No Yes - Secondary Ethernet “access” ports only
No
Wireless Child Mesh APs No Yes No
Fault Tolerant Resilient Mode
No No Yes
Security ACLs per VLAN on Ethernet Root Ports
No No Yes
Integrated IP Routing (PPP/PPPoE/NAT)
No No Yes
VLAN Transparent Bridging
No No No
Path Control Protocol No Yes No
Flex+Bridge Mode
Yes
Yes
Yes
Yes
Yes – both bridged 802.11 WLANs and Ethernet “access” portsYes
Yes
Yes (on RAPs)
Yes (on RAPs)
No
Yes
For YourReference
Wireless Access Points AP_NAME General
Wireless Access Points AP_NAME FlexConnect
FlexConnect Bridge Mode Configuration
AP will reboot
upon change
Same options
as an AP in Flex
Mode
FlexConnect Application Visibility and Control
Use QoS to control
application bandwidth
usage to improve
application performance
Control
Advanced reporting tool
aggregates and reports
application performance
App Visibility &
User Experience Report
Visibility and User
Experience
Static
Netflow
Perf. Collection &
Exporting
How AVC solution works
App BW Transaction
Time
…
WebEx 3 Mb 150 ms …
Citrix 10 Mb 500 ms …
DPI engine (NBAR2)
identifies applications
using L7 signatures
Deep Packet
Inspection
AP
NBAR on AP
AP collects application info
and export it to
controller/switch every 90
seconds
AireOS 8.1AireOS 8.1
WAN
AVC on FlexConnect APs
Katana
Netflow Export from AP to WLC
Flow ID App Name Packets
1 WebEx 1000
2 Msft-Lync 2300
3 Skype 660
Real-time information for
last 90 seconds
Gen2 AP
Stateful context
transfer on roam
Gen2 AP
BRANCH
Deployment
Type
WAN
Bandwidth (
Min)
WAN RTT
Latency(Max)
Max Aps per
Branch
Max Clients per
Branch
Data + Flex AVC 75 Kbps 300 msec 5 25
AVC for FlexConnect APs
• Export to external Netflow supported
• Intra FlexConnect Group Roaming Support
• Supported on all controller models except 2504
• Supported on Gen 2 APs : 1600, 2600, 3600, 1700,
2700, 3700, 1532, 1570
• FlexConnect and Flex+bridge mode supported
WLC Functionality
• NBAR2 engine on FlexConnect AP
• Protocol Pack 8.0
• NBAR engine version 16
• Send flows to WLC every 90 sec using Netflow
• Classification and Control at AP
• Mark ( DSCP )
• Drop
• Rate-limit
• Supported on Gen 2 APs : 1600, 2600, 3600, 1700, 2700, 3700, 1532, 1570
AP Functionality
AVC Configuration on Local Switching WLAN
WLAN AVC
Configuration
Local Switching WLAN
AVC Configuration per FlexConnect Group• FlexConnect Group specific AVC configuration takes precedence over WLAN AVC config
• No AP Specific AVC configuration.
• WLAN AVC configuration will be pushed to Flex APs where WLAN is broadcast
FlexConnect Group AVC
configuration
Enable/disable, Profile,
Monitor per WLAN
Application Visibility
WLAN-Specific
Enable/Disable
FlexConnect AVC Profiles
Can be associated under WLAN and/or
FlexConnect Group
FlexConnect AVC
profiles
FlexConnect AVC Applications
Protocol Pack version 8.0
Engine version 16
Monitoring AVC Statistics per FlexConnect Group
Per Client AVC Statistics Per FlexConnect Group
AVC Statistics
VLAN Support/Native VLAN FlexConnect Group Support
• Prior to 8.1 : VLAN Support / Native VLAN ID configuration available per AP
• 8.1 : VLAN Support / Native VLAN ID configuration extended to FlexConnect Group
Benefits • Prevent configuration from being lost upon AP Flash Corruption
• Consolidate configurations for all APs at the Branch Level
• Consistency of Mapping
• Ease of Configuration
VLAN Support/Native VLAN at FlexConnect Group
FlexConnect Group Configuration
Push FCG config to All
APs
FlexConnect AP Configuration
Inheritance Level
AP Specific
OR
Group Specific
Group and AP Level Inheritance
FlexConnect Group 1FlexConnect Group 2
Inheritance AP Specific
Native VLAN ID = 20VLAN Support : OnAP WLAN-VLAN Mappings
Native VLAN ID = 10VLAN Support : OnFCG WLAN-VLAN Mappings
Override Flag : Off
Native VLAN ID = 10VLAN Support : OnFCG WLAN-VLAN Mappings
Override Flag : On
Inheritance Group Specific
Native VLAN ID = 10VLAN Support : OnFCG WLAN-VLAN Mappings
Bringing All Together –FlexConnect Best Practices
FlexConnect Best Practices
Enable FlexConnect Groups
CCKM/OKC Key sharing for Voice deployments
Enable Smart AP Image Upgrade
Design for Resiliency
VLAN-WLAN Mappings at Group Level
Consistent configuration across Primary and Backup WLCs
VLAN Name override
VLAN Support and Native VLAN at Group
FLE
X
CO
NN
EC
T
Summary
• Cisco Unified Wireless Network based on Controllers deliver Wireless Branch Solution
• FlexConnect is the feature designed to solve remote connectivity and WAN constraints
• Several Failover Scenario are targeted to offer Survivability of Small Remote Sites
References:
• Wireless LAN Controller Scale Comparison Guidehttp://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#controllers
• FlexConnect Branch Controller Deployment Guidehttp://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html
• FlexConnect feature matrixhttp://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html
• Wireless Best Practiceshttp://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-best-practice.html
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could Be a Winner
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
