7/23/2019 BRKEWN-2010 - Design and Deployment of Enterprise WLANs
1/107
2011 Cisco and/or its affiliates. All rights reserved. 2012 Cisco and/or its affiliates. All rights reserved.
Design and Deployment of Enterprise WLANs
Isaac Estrada, Network Consulting Engineer, WWWP Advanced Services
September 12, 2013
San José, Costa Rica
If you fail to Plan, you Plan t
Agenda
Wireless RF Design Overview
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Wireless RF Design
Is a Site Survey even Needed?
An RF site survey is the first step in the deployment of a wireless network, and it is the most important step to ensure desired operation.
WLAN Requirements
Business requirements
WLAN Applications:
Data (email, databases, web, etc.)
VoWLAN
Streaming video
Location Based Services
Security, QoS, WMM, etc.
WLAN Client Types:
Laptops
Smartphones
Tablets / Handhelds
Protocol Requirements:
802.11b/g (2.4 GHz)
802.11a (5 GHz)
802.11n (2.4/5 GHz)
Protocol pros and cons
WLAN Requirements
Coverage and Capacity Requirements
RF Coverage Information: RF coverage inside and outside
Identify and select RF coverage areas
User Density
Current and future wireless users and devices
Identify and classify density areas correctly (cubicles, auditoriums, conference rooms, etc.)
Mobile vs. Mobility
Expected Throughput:
802.11b is typically 5.5 Mb/s
802.11g is typically 20 Mb/s
802.11g is typically 6 Mb/s with 802.11b clients present
802.11a is typically 22 Mb/s
802.11n expected (>100 Mb/s)
Pre Site Survey Analysis (Active)
Conducting a Spectrum Analysis
Conducting an Active Site Survey
Using the right Access Points and Antennas
AIR-CAP3502E-x-K9: Cisco Aironet 3500 Series Access Point (external antennas)
AIR-CAP3502I-x-K9: Cisco Aironet 3500 Series Access Point (internal antennas)
AIR-CAP3602E-x-K9: Cisco Aironet 3600 Series Access Point (external antennas)
Post Site Survey Analysis (Passive)
WLAN Performance Analysis
Conducting a Passive Site Survey
Controller-Based Architecture Overview
Cisco Unified Wireless Principles
Components:
Wireless LAN Controller
Aironet Access Points
Management (Prime Infrastructure)
Mobility Services Engine (MSE)
Principles:
AP must have CAPWAP connectivity with the WLC
Configuration is downloaded to the AP by the WLC
All Wi-Fi traffic is forwarded to the WLC
(Figure: Cisco APs, Cisco PI and the MSE attached to the campus network around the WLC.)
Centralized Wireless LAN Architecture
What is CAPWAP?
CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between the access point and the WLAN controller; it is based on LWAPP
CAPWAP carries control and data traffic between the two
Control plane is DTLS encrypted
Data plane is DTLS encrypted (optional): unless data DTLS is enabled, client traffic between the AP and the WLC crosses the wired network in the clear inside the CAPWAP data tunnel
LWAPP-enabled access points can discover and join a CAPWAP controller; conversion to a CAPWAP controller is seamless
(Figure: Wi-Fi client, access point and CAPWAP controller, with the control plane and data plane tunnels between AP and controller.)
CAPWAP State Machine
AP Boots Up → Discovery → DTLS Setup → Join → Image Data → Config
Reset (returns the AP to Discovery)
AP Controller Discovery
Controller Discovery Order
Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs): a broadcast message is sent to discover a controller on the local subnet
Layer 3 join process on CAPWAP APs, and on LWAPP APs when Layer 2 fails:
Previously learned or primed controllers
Subnet broadcast
DHCP option 43
DNS lookup (CISCO-CAPWAP-CONTROLLER.<local domain>)
Efficient CAPWAP Operation
Best Practices
Define the wireless access point device DHCP scopes:
Default router IP address for the access point scope
Helper address (forwarding UDP 5246 to the WLC management interface)
Domain name
Appropriate DHCP lease timer for APs
Pool sizes for WLAN devices according to the different types of sites
If NAT is used, static 1-to-1 NAT to an outside address is recommended
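The DHCP option 43 step in the discovery order above is the one most often misconfigured, because the value has to be hand-encoded. The following is an added Python example, not code from the deck or from Cisco, that builds and validates the vendor-specific payload Cisco Aironet APs expect: sub-option type 241 (0xf1), a length that is a non-zero multiple of 4, then the controller management IPv4 addresses. The controller addresses used are assumptions for the example.

```python
import ipaddress
import struct

# Cisco Aironet APs look for vendor-specific sub-option 241 (0xf1) inside DHCP
# option 43; its value is a list of WLC management IPv4 addresses, 4 bytes each.
WLC_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Build the option 43 payload for one or more WLC management addresses."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("too many controllers for a single sub-option")
    return struct.pack("BB", WLC_SUBOPTION, len(packed)) + packed


def option43_hex(controllers):
    """The same payload as a hex string, the form most DHCP servers accept."""
    return encode_option43(controllers).hex()


def decode_option43(payload):
    """Walk every TLV in an option 43 payload and return the WLC addresses found.

    Rejects malformed input rather than guessing: an AP handed a truncated
    address list will simply fail to join, and that becomes a support call.
    """
    controllers = []
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        sub_type, length = payload[offset], payload[offset + 1]
        value = payload[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d runs past the end of the payload" % sub_type)
        if sub_type == WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("sub-option 241 length must be a non-zero multiple of 4")
            controllers.extend(str(ipaddress.IPv4Address(value[i:i + 4]))
                               for i in range(0, length, 4))
        offset += 2 + length
    return controllers


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.6"]      # assumed controller addresses
    value = option43_hex(wlcs)
    print("option 43 hex", value)               # paste into the DHCP server
    print("round trip   ", decode_option43(bytes.fromhex(value)))
```

The hex string is what goes into the DHCP server (on an IOS DHCP pool, `option 43 hex f104c0a80a05` for a single controller at 192.168.10.5). Two caveats for the design: option 43 is unauthenticated, so a rogue DHCP server on the AP VLAN can point APs at any address; what stops an AP from joining an impostor is the certificate-based mutual authentication of the CAPWAP DTLS control channel, so keep that intact and protect AP VLANs with DHCP snooping. The decoder above also flags the classic mistake of a length byte that does not match the number of addresses.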
Mobility in the Cisco Unified WLAN Architecture
Mobility Defined
Mobility is a key reason for wireless networks
Mobility means the end-user device is capable of moving location within the networked environment
Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because its mob…
Mobility presents new challenges:
Need to scale the architecture to support client roaming; roams occur intra-controller and inter-controller
Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
Support for up to 24 controllers, 24000 APs per mobility group
Mobility messages are exchanged between controllers
Data is tunneled between controllers in EtherIP (RFC 3378), an Ethernet-in-IP tunnel
(Figure: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02) and Controller-C (AA:AA:AA:AA:AA:03) are all configured with Mobility Group Name MyMobilityGroup; each lists the other two, by name and MAC address, as its Mobility Group Neighbors.)
Scaling the Architecture with Mobility Groups
(Figure: scaling from one WLC, to a Mobility Group of up to 24 WLCs, to a Mobility Domain made of several Mobility Groups totalling 72 WLCs.)
With Inter Release Controller Mobility (IRCM), roaming is supported between 7.3, 7.4 and 7.5
How Long Does a Client Roam Take?
Time it takes for:
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
802.1X/EAP Authentication +
Rekeying +
IP address (re)acquisition
All this can be on the order of seconds. Can we make this faster?
Roaming Requirements
Roaming must be fast. Latency can be introduced by:
Client channel scanning and AP selection algorithms
Re-authentication of the client device and re-keying
Refreshing of the IP address
Roaming must maintain security:
Open auth, static WEP: the session continues on the new AP
WPA/WPA2 Personal: a new session key for encryption is derived via the standard 4-way handshake
802.1X, 802.11i, WPA/WPA2 Enterprise: the client must be re-authenticated and a new session key derived for encryption
Layer 2 Roaming: Inter-Controller
(Figure: the client roams to an AP on WLC-2. WLC-1 and WLC-2 exchange mobility messages and the client entry (MAC, IP, QoS, security) moves from the WLC-1 client database to the WLC-2 client database. Both controllers bridge the client onto VLAN X, so the roaming data path is local to WLC-2, the client's entry and security context carry over, and no IP address refresh is needed.)
Layer 3 Roaming: Inter-Controller
(Figure: before the roam the client's data path is through WLC-1 onto VLAN X. The client roams to an AP on WLC-2, which bridges onto VLAN Z. WLC-1 and WLC-2 exchange mobility messages, the client entry (MAC, IP, QoS, security) is copied to WLC-2, and client traffic is carried over the Foreign-to-Anchor controller data tunnel back to WLC-1, so the client keeps its VLAN X address.)
Layer 3 Roaming: Inter-Controller
L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and the client traffic would be bridged onto different subnets
Client must be re-authenticated and a new security session established
Client database entry is copied to the new controller; the entry exists in both WLC client databases
Original controller is tagged as the anchor, the new controller is tagged as the foreign
WLCs must be in the same mobility group or domain
No IP address refresh needed
Symmetric traffic path established; the asymmetric tunneling option has been eliminated in later releases
Account for the mobility message exchange in the network design
How Are We Going to Make Roaming Faster?
Eliminating the IP address (re)acquisition challenge
Eliminating full 802.1X/EAP reauthentication
Fast Secure Roaming: Standard Wi-Fi Secure Roaming
Note: a mechanism is needed to centralize key distribution
802.1X authentication in wireless involves end-to-end transactions with a time of > 500 ms
802.1X authentication in wireless requires the roaming client to reauthenticate, adding 500+ ms to the roam
(Figure: AP1 and AP2 reach the Cisco AAA server (ACS or ISE) across the WAN. 1. 802.1X initial authentication transaction on AP1. 2. 802.1X reauthentication after roaming to AP2.)
Cisco Centralized Key Management (CCKM)
Cisco introduced CCKM in CCXv2, so it is widely available, especially with application-specific devices (ASDs)
CCKM was ported to the CUWN architecture in the 3.2 release
In highly controlled test environments, CCKM roam times are consistently measured in the msec range!
CCKM is most widely implemented in ASDs, especially VoWLAN devices
To work across WLCs, the WLCs must be in the same mobility group
CCX-based laptops may not fully support CCKM; it depends on supplicant capabilities
The standards-based equivalent of CCKM is IEEE 802.11r; Apple added 802.11r support in iOS 6.0
IEEE 802.11r Introduction
IEEE Standard for Fast Transition (FT)
Introduces a new concept of roaming where the handshake with the new AP is done before the client roams to the target AP.
The initial handshake allows the client and APs to do the PTK calculation in advance, reducing roaming time.
The pre-created PTK keys are applied to the client and AP once the client does the (re)association request / response exchange with the new target AP.
802.11r provides 2 ways of roaming: Over-the-Air and Over-the-DS (Distribution System)
The FT (Fast Transition) key hierarchy is designed to allow the client to make transitions between APs without the need to re-authenticate at every AP.
The WLAN configuration will have a new AKM type called FT (Fast Transition)
802.11r Fast Transition (FT) WLAN Authentication Configuration
Legacy clients may not associate with a WLAN that has 802.11r enabled along with 802.11i. If the driver or the supplicant that is responsible for parsing the Robust Security Network Information Element (RSN IE) is old and confused by the additional AKM (Authentication and Key Management) suites advertised in the IE (IE 48), the driver will not attempt to start the association process.
Due to this limitation, legacy clients cannot send association requests to WLANs with an FT PSK or FT 802.1X configuration. These legacy clients, however, can still associate with non-802.11r WLANs.
Therefore the recommendation is to have a new, unique WLAN with a unique SSID for the 802.11r FT PSK clients, and an additional WLAN for the 802.11r FT 802.1X clients.
(Sidebar truncated in extraction: a note on iPhone authentication behaviour, iOS 6.0 vs. non-6.0, against these WLANs.)
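The RSN IE parsing problem described above is easy to check from a beacon capture before deciding whether a separate FT SSID is needed. The following is an added Python example, not code from the deck or from Cisco, that decodes an RSN information element (element ID 48) as carried in a beacon or probe response, names the advertised cipher and AKM suites, and reports whether any FT AKM (FT-802.1X = 00-0F-AC:3, FT-PSK = 00-0F-AC:4) is present, which is exactly what trips the legacy drivers the slide warns about. It also decodes the 802.11w MFP bits from the RSN Capabilities field. The three sample elements are constructed for the example: a WPA2-PSK WLAN with FT enabled, a PSK-only WLAN, and an 802.1X WLAN with FT that is MFP-capable.

```python
import struct

RSN_ELEMENT_ID = 48          # IEEE 802.11 element ID for the RSN information element
IEEE_OUI = b"\x00\x0f\xac"   # OUI used by all standard suite selectors

# Standard suite selector types under OUI 00-0F-AC
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
FT_AKM_TYPES = {3, 4, 9}     # AKMs that belong to the 802.11r FT key hierarchy


def _suite_name(selector, table):
    """Map a 4-byte suite selector to a name; vendor OUIs are reported verbatim."""
    oui, suite_type = selector[:3], selector[3]
    if oui != IEEE_OUI:
        return "vendor-%s:%d" % (oui.hex(), suite_type)
    return table.get(suite_type, "unknown-%d" % suite_type)


def parse_rsn_ie(element):
    """Decode a complete RSN element (ID, length, body) into a dict.

    Raises ValueError on anything malformed; for a parser fed from the air a
    bad count must be rejected, never trusted.
    """
    if len(element) < 2 or element[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("RSN element shorter than its length field")
    offset = 0

    def take(n):
        nonlocal offset
        if offset + n > len(body):
            raise ValueError("RSN body truncated at offset %d" % offset)
        chunk = body[offset:offset + n]
        offset += n
        return chunk

    version = struct.unpack("<H", take(2))[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group_cipher = _suite_name(take(4), CIPHER_SUITES)
    pairwise = [_suite_name(take(4), CIPHER_SUITES)
                for _ in range(struct.unpack("<H", take(2))[0])]
    akm_selectors = [take(4) for _ in range(struct.unpack("<H", take(2))[0])]
    # RSN Capabilities is optional; bit 6 = MFPR (PMF required), bit 7 = MFPC (PMF capable)
    caps = struct.unpack("<H", take(2))[0] if offset + 2 <= len(body) else 0
    return {
        "version": version,
        "group_cipher": group_cipher,
        "pairwise_ciphers": pairwise,
        "akms": [_suite_name(s, AKM_SUITES) for s in akm_selectors],
        "advertises_ft": any(s[:3] == IEEE_OUI and s[3] in FT_AKM_TYPES
                             for s in akm_selectors),
        "mfp_capable": bool(caps & 0x0080),
        "mfp_required": bool(caps & 0x0040),
    }


def legacy_safe(element):
    """True when no FT AKM is advertised, i.e. an old RSN-IE parser has nothing new to choke on."""
    return not parse_rsn_ie(element)["advertises_ft"]


# Constructed sample elements, written as they would appear in a beacon capture
FT_PSK_IE = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04"
                          "0200" "000fac02" "000fac04" "0000")        # WPA2-PSK + FT-PSK
PSK_ONLY_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                            "0100" "000fac02" "0000")                 # WPA2-PSK only
FT_DOT1X_PMF_IE = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04"
                                "0200" "000fac01" "000fac03" "8000")  # 802.1X + FT, MFP capable

if __name__ == "__main__":
    for label, ie in (("FT-PSK", FT_PSK_IE), ("PSK", PSK_ONLY_IE), ("FT-802.1X", FT_DOT1X_PMF_IE)):
        info = parse_rsn_ie(ie)
        print(label, info["akms"], "legacy-safe" if legacy_safe(ie) else "FT advertised")
```

Run it against the RSN IE copied out of a capture of the SSID in question: if `advertises_ft` is true and the SSID also has to serve old supplicants, that is the case for the separate FT SSID the slide recommends. The same decoder shows whether a WLAN advertises PMF, which matters for the 802.11w feature listed later in the deck.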
Multiple WLANs for Multiple Auth Types, Each with a Unique SSID
802.1X and 802.1X-FT WLANs with unique SSIDs; PSK and PSK-FT WLANs with unique SSIDs
Designing a Mobility Group/Domain: Design Considerations
Less roaming is better; clients and apps are happier
While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management processor
L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider worst case scenarios when designing roaming
Leverage natural roaming domain boundaries
Mobility message transport selection: multicast vs. unicast
Make sure the right ports and protocols are allowed between controllers (mobility control messages on UDP 16666, EtherIP data tunnels as IP protocol 97, and CAPWAP on UDP 5246/5247 from the APs)
Architecture Building Blocks
CUWN Release - Key Controller Features
(Roadmap figure: software releases 7.2MR1, 7.3 and 7.4 of the Unified Access WLAN Infrastructure, dated May 2012, Sep 2012 and Dec 2012. The column each item sits in did not survive extraction. Features shown:)
WLC 8500 (target customer: SP)
802.11r L2 Fast Roaming
ISE - Flex integration; Flex / Local Mode parity with ISE
Outdoor AP internal antenna
AP 2600, 802.11n G2
AP 1600, 802.11n G2
Controller Resiliency: AP SSO, HA Licensing
Scale: Flex 7500 6K APs
Virtual Controller
AP3600 Security Module
FlexConnect Split Tunneling
802.11r Flex modes
Bi-directional rate-limiting
Voice/Video: 11n CAC
Local and FlexConnect support on RAP
Outdoor AP Honeywell integration
Outdoor AP uni-band antenna
Application Visibility and Control (AVC)
Bonjour Services Directory Phase 1
AP neighbor list (subset of 802.11k)
Scale WLC 2500
Guest Anchor on WLC 2500
LAG on Flex 7500, WLC 8500, WLC 2500
HA Licensing, N:1
PMIPv6 on WLC
802.11w (local mode) Protected Management Frames
Controller Product Portfolio
(Figure axes: scale (number of clients and APs) against features/performance; multi-architecture support, FlexConnect.)
Platform                        Max APs   Max clients
SRE WLCM                        250       500
WLC 2500                        50        500
WLC 5500                        500       7000
WiSM-2                          1000      15000
Flex 7500                       3000      30000
Flex 7500 (new, 7.3)            6000      64000
WLC 8500 (new, 7.3)             6000      64000
Virtual Controller (new, 7.3)   200       3000
Cisco Aironet Access Points
(Positioning figure, new in Q2FY13. Tiers: Teleworker (basic connectivity, deployment flexibility; entry level), Enterprise Class (enterprise-class performance; video/voice/multimedia; any device/BYOD optimised; client scalability; RF interference mitigation; Sm/Med and Sm/Med/Large deployments), Mission Critical (attributes truncated in extraction: Hig…, Inve…, 802…, HD…, Bes…).)
Cisco Aironet 802.11n Indoor Access Points
AP Model (availability)                3600 Series                  2600 Series      1600 Series (Q4)
Max Data Rate                          1.3 Gbps                     450 Mbps         300 Mbps
Radio Design (MIMO: Spatial Streams)   .11n: 4x4:3, .11ac: 3x3:3    3x4:3            3x3:2
ClientLink                             ClientLink 2.0               ClientLink 2.0   ClientLink 2.0
Power                                  802.3af                      802.3af          802.3af
Wi-Fi Standards                        802.11a/b/g/n/ac             802.11a/b/g/n    802.11a/b/g/n
Feature rows whose check marks did not survive extraction: CleanAir (*), BandSelect, VideoStream, Rogue AP Detection, Adaptive wIPS, OfficeExtend, FlexConnect, Wireless Mesh, Autonomous
Which Version Should I Use? 6.0, 7.0, 7.2, 7.3
WLC 5508 supports 6.0, 7.0 and 7.2 &…
WLC 7500, WiSM-2 and WLC 2504 are only supported in 7.0 onwards
7.0.220 is the latest MD (AssureWave Ribbon)
Please note the current revision of 7.0 is 7.0.235.3, which is the recommended release for you today
Minimum release per AP: AP3600 + 11ac module (7.5), AP1600 (7.4), AP2…, AP3600 (7.2)
Deploying the Cisco Unified Wireless Architecture
Deploying the Cisco Unified Wireless Architecture
Client Profiling
High Availability
Understanding AP Groups / RF Groups
Application Visibility
Branch Office Designs
Guest Access Deployment
Home Office Design
Client Profiling
ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
Customers who do not deploy ISE but still require some of these features get them directly in the WLC:
Native profiling of network end devices based on the protocols HTTP and DHCP
Device-based policy enforcement, per user or per device, on the network
Statistics based on per-user or per-device end points and the policies applicable per device
Client Profiling on WLC
WLC-based local policy consists of 2 separate elements.
Profiling can be based on:
Role - defining the user type or the user group the user belongs to
Device type - e.g. Windows, OS_X, iPad, iPhone, Android, etc.
EAP Type - check which EAP method the client is connecting with
Action is the policy that can be enforced after profiling:
VLAN - override the WLAN interface with a VLAN id on the WLC
QoS level - override the WLAN QoS
ACL - override with a named ACL
Session timeout - override the WLAN session timeout value
Time of day - policy override based on the time of day, else default
Configuring Client Profiles
Client profiling uses pre-existing profiles in the controller
Custom profiles are not supported in this release
Wireless clients are profiled based on the MAC OUI, DHCP and HTTP. DHCP Required is needed for DHCP profiling, Webauth for the HTTP user agent
7.5 release contains 88 pre-existing profiles:
(Cisco Controller) >show profiling policy summary
Number of Built-in Classification Profiles: 88
ID    Name                  Parent  Min CM  Valid
====  ====================  ======  ======  =====
0     Android               None
1     Apple-Device          None
2     Apple-MacBook         1
3     Apple-iPad            1
4     Apple-iPhone          1
...
Local Client Profiling Configuration
At the WLAN level, enable Local Client Profiling (DHCP and HTTP). DHCP Required is checked automatically when selecting DHCP profiling
config wlan profiling {local | radius} {dhcp | http | all} {enable | disable} <wlan-id>
(Cisco Controller) >config wlan profiling local all enable 1
Client Profiles
When profiling is enabled, a client's Device Type can be shown on the WLC:
(Cisco Controller) >show client summary devicetype
Number of Clients................................ 3
MAC Address        AP Name           Status        Device Type
-----------------  ----------------  ------------  --------------------
14:10:9f:ea:b8:c2  AP3600MM          Associated    OS_X-Workstation
c8:d7:19:34:7e:dd  AP3600MM          Associated    Windows7-Workstatio
d8:d1:cb:9a:28:f8  AP3600MM          Associated    Apple-iPhone
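The two slides above describe how the controller arrives at a Device Type from the MAC OUI, the DHCP exchange and the HTTP User-Agent, and then hangs a local policy (VLAN, ACL, QoS) off it. The following is an added Python example, not code from the deck and not the controller's own profiling engine, that reproduces that classification on constructed data: a small parent/child profile tree modelled loosely on the built-in list shown earlier, a constructed OUI table, DHCP option 60 rules and User-Agent rules, all assumptions for the example. Its one addition to the slide's logic is a consistency check, because every one of these signals is chosen by the client. The first three sample clients mirror the show client summary output above; the fourth is a deliberately contradictory one.

```python
import re

# Constructed profile tree (name -> parent). It loosely follows the parent/child
# layout of the WLC's built-in list (Apple-iPhone under Apple-Device, etc.) but is
# NOT the controller's database, which this example has no access to.
PROFILE_PARENT = {
    "Apple-Device": None,
    "Apple-iPhone": "Apple-Device",
    "Apple-iPad": "Apple-Device",
    "OS_X-Workstation": "Apple-Device",
    "Windows-Workstation": None,
    "Windows7-Workstation": "Windows-Workstation",
    "Android": None,
}

# Constructed rule tables for the three signals the slide names (all assumptions).
OUI_PROFILE = {"14:10:9f": "Apple-Device", "d8:d1:cb": "Apple-Device"}
DHCP_VCI_RULES = [                       # DHCP option 60 vendor class identifier
    (re.compile(r"^MSFT 5\.0"), "Windows-Workstation"),
    (re.compile(r"^android-dhcp"), "Android"),
]
HTTP_UA_RULES = [                        # HTTP User-Agent as seen through webauth
    (re.compile(r"\biPhone\b"), "Apple-iPhone"),
    (re.compile(r"\biPad\b"), "Apple-iPad"),
    (re.compile(r"Macintosh"), "OS_X-Workstation"),
    (re.compile(r"Windows NT 6\.1"), "Windows7-Workstation"),
    (re.compile(r"Android"), "Android"),
]


def lineage(profile):
    """The profile followed by its ancestors up to the root of the tree."""
    chain = []
    while profile is not None:
        chain.append(profile)
        profile = PROFILE_PARENT[profile]
    return chain


def _first_match(rules, text):
    for pattern, profile in rules:
        if pattern.search(text):
            return profile
    return None


def profile_client(mac, dhcp_vci=None, http_user_agent=None):
    """Classify one client from MAC OUI, DHCP option 60 and HTTP User-Agent.

    The most specific (deepest) matching profile wins. Every other matched
    profile must lie on that profile's lineage; if one does not, the signals
    disagree and the result is flagged, since all three are set by the client.
    """
    evidence = []
    vendor_profile = OUI_PROFILE.get(mac.lower()[:8])
    if vendor_profile:
        evidence.append(("oui", vendor_profile))
    for source, rules, text in (("dhcp", DHCP_VCI_RULES, dhcp_vci),
                                ("http", HTTP_UA_RULES, http_user_agent)):
        matched = _first_match(rules, text) if text else None
        if matched:
            evidence.append((source, matched))
    if not evidence:
        return {"device_type": "Unknown", "conflict": False, "evidence": []}
    best = max((p for _, p in evidence), key=lambda p: len(lineage(p)))
    consistent = all(p in lineage(best) for _, p in evidence)
    return {"device_type": best, "conflict": not consistent, "evidence": evidence}


# Constructed sample clients; the first three mirror the show client summary output.
SAMPLE_CLIENTS = [
    ("14:10:9f:ea:b8:c2", None, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26"),
    ("c8:d7:19:34:7e:dd", "MSFT 5.0", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101"),
    ("d8:d1:cb:9a:28:f8", None, "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)"),
    # Apple OUI but Windows DHCP and HTTP fingerprints: a spoofed or mis-set device
    ("d8:d1:cb:00:00:01", "MSFT 5.0", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"),
]

if __name__ == "__main__":
    for mac, vci, ua in SAMPLE_CLIENTS:
        result = profile_client(mac, vci, ua)
        print(mac, result["device_type"], "CONFLICT" if result["conflict"] else "")
```

The design point for the local policies that follow: a MAC address, a vendor class string and a User-Agent are all trivially set by whoever controls the client, so a device-type rule that moves "iPhone" into a more permissive VLAN or ACL is a convenience, not an access control. Base authorization on the authenticated identity (the role and EAP type the slide lists), keep device-type policy to QoS and similar, and treat the conflict flag above as something worth alerting on.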
Security Local Policies
Deploying the Cisco Unified Wireless Architecture
Client Profiling
High Availability
Understanding AP Groups / RF Groups
Application Visibility
Bonjour Gateway
IPv6 Deployment with Controllers
Branch Office Designs
Guest Access Deployment
Home Office Design
Controller Redundancy / High Availability
Controller Redundancy: Most Common (N+1)
Redundant WLC in a geographically separate location
Layer-3 connectivity between the APs connected to the primary WLC and the redundant WLC
Redundant WLC need not be part of the same mobility group
Configure high availability (HA) to detect failure and for faster failover
Use AP priority in case of oversubscription of the redundant WLC
(Figure: WLAN-Controller-1 through WLAN-Controller-n, each with its own APs, backed by a single WLAN-Controller-BKP in the NOC or Data Centre.)
Controller Redundancy / High Availability
High Availability Principles:
An AP is registered with a WLC and maintains a backup list of WLCs.
APs use heartbeats to validate WLC connectivity
APs use Primary Discovery messages to validate the backup WLC list
When an AP loses 3 heartbeats it starts the join process to the first backup WLC candidate
The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
The AP does not re-initiate the discovery process.
(Figure: an AP with a Primary WLC and a Secondary WLC.)
New timers:
Heartbeat Timeout: 1-30 sec
Fast Heartbeat Timer: 1-10 sec
AP Retransmit Interval: 2-5 sec
AP Retransmit Count with Fast Heartbeat enabled: 3-8 times
AP Fallback to next WLC: 12 sec
HA-SKU as secondary WLC (AP-SSO disabled)
This feature enables an HA-SKU controller as secondary controller
HA-SKU controller allowed for use as secondary controller for 90 days without…
If the HA feature is disabled, the controller can be used as secondary controller for the maximum supported APs.
Note: HA-SKU; 5508 50 AP, WiSM2 100 AP, 7500/8500 300 AP will work as Standby
(Figure: three primary controllers backed by one HA-SKU backup WLC at its maximum AP support: Primary Controller WiSM-2 #2 (license count 500, 500 APs connected), Primary Controller 5508 #1 (license count 100, 90 APs connected), Primary Controller 2500 #3 (license count 75, 25 APs connected).)
HA-SKU as secondary WLC - configuration
High Availability: AP SSO support (7.3/7.4)
Model is 1:1 (Active : Hot-Standby)
Supported on 5500 / 7500 / 8500 and WiSM-2
Same hardware and software version
Two new interfaces: Redundancy Port and Redundancy Management Interface
Same management IP on Active and Standby
Static and dynamic system configuration is synced to the standby.
AP information is synced to the standby when an AP joins or changes.
AP CAPWAP re-join is avoided
Detection time: 5-996 msec
3-4 seconds for management
Back-to-back connectivity on the Redundancy Port between the two WLCs
Clients are de-authenticated and have to re-associate
Effective service downtime = Detection time + Switch Over (network recovery/convergence) + Client re-association time
Stateful HA with Client SSO
Client information is synced to the Standby
Client information is synced when the client moves to RUN state.
Client re-association is avoided on switch over
Fully authenticated clients (RUN state) are synced to the peer.
The intermediate client state events are not synced
Transient clients are dis-associated after switch over.
Effective service downtime = Detection time + Switch Over Time (network recovery/convergence)
HA Connectivity on 5500 / 7500 / 8500 WLC
(Figure: Active and Hot Standby pairs of WLC 5500 and Flex 7500 connected through Redundancy Ports RP 1 and RP 2.)
5500/7500/8500 WLCs have a dedicated Redundancy Port which is used to sync configuration from the Active to the Standby WLC
Keepalives are sent on the RP port from the Standby to the Active WLC every 100 msec (default timer) to check the health of the Active WLC.
ICMP packets are also sent every one second from each WLC to check reachability to the gateway using the Redundant Management interface.
High Availability Connectivity on WiSM-2
WiSM-2 WLCs have a dedicated Redundancy VLAN which is used to sync configuration from the Active to the Standby WLC
Keepalives are sent on the Redundancy VLAN from the Standby to the Active WLC every 100 msec (default timer) to check the health of the Active WLC.
To achieve HA between WiSM-2 WLCs, they can be deployed in a single chassis, or between multiple chassis using VSS, as well as by extending the Redundancy VLAN between two chassis.
(Figure: Slot 8: Active, Slot 9: Hot Standby.)
Web-GUI Configuration
CLI Configuration Commands
configure interface address management
configure interface address redundancy-management <ip> peer-redundancy-management <peer-ip>
configure redundancy unit [primary | secondary]
configure redundancy mode [sso | disable]
configure redundancy timer keep-alive-timer (default 100 milli-sec)
configure redundancy timer peer-search-timer (default 120 sec)
Supported HA Topologies (7.5)
1. Two 5508, 7500 or 8500 connected via back-to-back RP port in the same data center
2. Two 5508, 7500 or 8500 connected via RP port over L2 VLAN/fiber in the same or a different data center
3. Two 5508, 7500 or 8500 connected to a VSS pair
4. Two WiSM-2 in the same chassis
5. Two WiSM-2 in different chassis with the redundancy VLAN extended over the L2 network
6. Two WiSM-2 in different chassis in VSS mode
WLC 5508/7500/8500 Back-to-back RP Connectivity
Configuration on Primary:
configure interface address management 9.5.56.2 255.255.255.0 …
configure interface address redundancy-management … peer-redundancy-management …
configure redundancy unit primary
configure redundancy mode sso
Configuration on Hot Standby:
configure interface address management 9.5.56.3 255.255.255.0 …
configure interface address redundancy-management … peer-redundancy-management …
configure redundancy unit secondary
configure redundancy mode sso
Management GW is monitored with 12 pings (~15 sec)
WLC 5508/7500/8500 RP Connectivity via Switches
Requirements on the RP link: RTT latency 80 ms or less (default); bandwidth 60 Mbps or more; MTU 1500
Configuration on Primary and Hot Standby is the same as for back-to-back RP connectivity (management 9.5.56.2 and 9.5.56.3 /24, redundancy-management and peer-redundancy-management addresses, redundancy unit primary/secondary, redundancy mode sso)
WiSM-2 Connectivity over L2 Redundancy VLAN
Configuration on Cat6k:
wism service-vlan 192 (service VLAN)
wism redundancy-vlan 169 (redundancy VLAN)
wism module 6 controller 1 all…
WiSM-2 in a VSS Pair
(Figure: Virtual Switch System (VSS). Switch-1 (VSS Active): data plane active, control plane active, FWSM active, WiSM-2 active. Switch-2 (VSS Standby): data plane active, control plane standby, FWSM standby, WiSM-2 backup. The two switches are joined by the VSL, and a Failover/State Sync VLAN carries the redundancy traffic.)
WLC 5508/7500/8500 Connected to VSS
(Figure: an Active and a Standby Cisco 5508 connected to a Cisco Catalyst VSS pair.)
SSO Behavior and Recommendations
5500 / 7500 / 8500: RP connectivity between Active and Standby via switches (7.5) or back-to-back (7.3, 7.4, 7.5)
WiSM-2: single 6500 chassis, or different chassis using a VSS setup or by extending the redundancy VLAN
RTT latency on the Redundancy Link: 80 milliseconds or less (80% of the keepalive timer)
Preferred MTU on the Redundancy Link: 1500 or above
Bandwidth on the Redundancy Link: 60 Mbps or more
Recommended to have the Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks
Keepalive/peer discovery timers should be left at their default values for better performance
Default box failover detection time is 3 * 100 = 300 + 60 = 360 + jitter (12 msec) = ~400 msec
AP-Grouping in Campus
AP-Groups - Default AP-Group
The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the Default AP-Group
The Default AP-Group cannot be modified
APs with no assignment to a specific AP-Group will use the Default AP-Group
The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to AP-Groups
Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
AP group limits: WLC 2106 (50), WLC 2504 (50), WLC 4400 and WiSM (300), WLC 5508 and WiSM-2 (500), WLC 7500 (500)
AP Grouping in Campus (diagram): Data Centre, WAN and Internet behind WLC-1 and WLC-2; all CAPWAP APs carry a single SSID = Employee, and every AP maps it to the same VLAN 100 /21.
AP-Grouping in Campus (diagram): the same single SSID = Employee, but the APs are split into AP-Group-1, AP-Group-2 and AP-Group-3, which map the WLAN to VLAN 60 /23, VLAN 70 /23 and VLAN 80 /23 respectively on WLC-1 / WLC-2 over CAPWAP; VLAN 100 /21 remains the WLAN's default interface.
Default AP-Group (WLC GUI screenshot): the Network Name column lists the WLANs; only WLANs 1-16 are added to the default AP group.
Multiple AP-Groups (WLC GUI screenshot): AP Group 1, AP Group 2, AP Group 3.
RF-Profiles (7.2 and 7.3 releases)
RF profiles let the administrator tune a group of APs that share a coverage zone together, selectively changing how RRM operates the APs within that coverage zone
RF profiles are created for either the 2.4 GHz radio or the 5 GHz radio
Profiles are applied to the APs belonging to an AP group; every AP in the group gets the same profile settings
There are two components to this feature. The RF profile, new in 7.2, provides administrative control over:
Min/Max TPC values
TPCv1 threshold
TPCv2 threshold
Data rates
High density
Client load balancing
Low Density Profile
A normal profile can be built to match your exact criteria
You may wish to adjust the mandatory data rate to match your coverage (higher if dense, lower if sparse)
Change the RRM coverage thresholds to match your exact architecture
Make a custom load-balancing plan that suits the environment
High Density Profile
For high density, the RF profile differs significantly
Enforce a minimum power; set the TPCv1/TPCv2 thresholds hotter
Higher mandatory data rates; more low rates disabled
High Density Profile (cont.)
Custom fixed multicast parameters
Higher load-balancing window
Higher BandSelect thresholds (prevents a lot of unnecessary work)
RF-Profile in Campus (diagram): the same campus as the AP-group example, with RF-Profile-1, RF-Profile-2 and RF-Profile-3 applied to the three AP groups; each group uses a VLAN pair (60/61, 70/71, 80/81, each /23) behind WLC-1 / WLC-2 over LWAPP/CAPWAP, still with the single SSID = Employee.
Multiple RF-Profiles (WLC GUI screenshot): RF Profile-1, RF Profile-2, RF Profile-3.
Deploying the Cisco Unified Wireless Architecture: Application Visibility
Application Visibility & Control
Questions the WLC has to answer:
What applications are in the air?
Why is my key application running slow?
How do I support a new application for a set of users?
Congestion! Traffic classes to tell apart: Real Time, Interactive, Non-Real Time, Non-Business
NBAR supported features
Classification: identification of the application/protocol; supports stateful L4-L7 classification and can classify 1039 applications.
AVC (Application Visibility and Control): provides visibility of the classified traffic and also controls it, using a DROP or MARK (DSCP) action. Action DROP: traffic for that application is dropped. Action MARK: particular applications can be marked with one of the available QoS profiles, or the administrator can define a custom DSCP value for that application.
AVC marking overrides all other QoS markings.
NetFlow: exports the NBAR statistics to a NetFlow collector such as Cisco Prime Assurance Manager.
NBAR is supported on 2500, 5500, 7500, 8500 and WiSM2 controllers for Local-mode APs and for centrally switched FlexConnect traffic.
A WLC can support 16 AVC profiles.
A WLAN can carry only one AVC profile, and each profile can contain 32 rules, so a WLAN supports 32 application actions of mark or drop.
Treat DROP as a QoS/policy control rather than a security boundary: NBAR classification is signature-based and can miss or misclassify traffic, so enforcement that must hold belongs in ACLs.
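Added example, not Cisco code and not part of the deck: a small Python model of the AVC profile limits and the mark/drop precedence described above, applied to constructed flows. The application names (bittorrent, webex-meeting) stand in for NBAR classification results, and the WLAN IDs and DSCP values are assumptions.

```python
"""AVC profile model (added example, not Cisco's code).

Encodes the limits on the slide (16 AVC profiles per WLC, one profile per
WLAN, 32 rules per profile, actions DROP or MARK with an admin-chosen DSCP)
and the precedence rule that an AVC MARK overrides any other QoS marking.
Application names are assumed to be the output of NBAR classification;
the flows and names used here are constructed.
"""

MAX_PROFILES_PER_WLC = 16
MAX_RULES_PER_PROFILE = 32


class AVCProfile:
    def __init__(self, name):
        self.name = name
        self.rules = {}          # application -> ("drop", None) | ("mark", dscp)

    def add_rule(self, application, action, dscp=None):
        if application in self.rules:
            raise ValueError("one rule per application: %s" % application)
        if len(self.rules) >= MAX_RULES_PER_PROFILE:
            raise ValueError("profile %s already has %d rules"
                             % (self.name, MAX_RULES_PER_PROFILE))
        if action == "drop":
            if dscp is not None:
                raise ValueError("DROP takes no DSCP")
        elif action == "mark":
            if dscp is None or not 0 <= dscp <= 63:
                raise ValueError("MARK needs a DSCP in 0..63")
        else:
            raise ValueError("action must be 'drop' or 'mark'")
        self.rules[application] = (action, dscp)


class AVCEngine:
    def __init__(self):
        self.profiles = {}       # name -> AVCProfile
        self.wlan_profile = {}   # wlan_id -> profile name

    def create_profile(self, name):
        if len(self.profiles) >= MAX_PROFILES_PER_WLC:
            raise ValueError("WLC supports %d AVC profiles" % MAX_PROFILES_PER_WLC)
        self.profiles[name] = AVCProfile(name)
        return self.profiles[name]

    def apply_to_wlan(self, wlan_id, name):
        # A WLAN carries at most one profile; applying a new one replaces it.
        if name not in self.profiles:
            raise KeyError(name)
        self.wlan_profile[wlan_id] = name

    def forward(self, wlan_id, flow):
        """Return ("drop", None) or ("forward", dscp) for a classified flow.
        flow = {"app": <NBAR name>, "dscp": <marking the packet arrived with>}.
        Unmatched traffic keeps its existing marking (a simplification: the
        WLAN QoS profile is not modelled here)."""
        name = self.wlan_profile.get(wlan_id)
        if name is None:
            return ("forward", flow["dscp"])
        action, dscp = self.profiles[name].rules.get(flow["app"], (None, None))
        if action == "drop":
            return ("drop", None)
        if action == "mark":
            return ("forward", dscp)        # AVC mark wins over the incoming DSCP
        return ("forward", flow["dscp"])


def demo_engine():
    """Constructed policy: WLAN 1 drops BitTorrent and marks WebEx as AF41
    (DSCP 34) even if the client sent it as EF (46); WLAN 2 has no profile."""
    eng = AVCEngine()
    p = eng.create_profile("corp-avc")
    p.add_rule("bittorrent", "drop")
    p.add_rule("webex-meeting", "mark", 34)
    eng.apply_to_wlan(1, "corp-avc")
    return eng
```

The re-marking path is the one to watch: a client that sets DSCP 46 on its own traffic gets whatever the AVC rule says once the application is recognised, but anything NBAR does not classify keeps the client-chosen value.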
Enabling AVC
AVC is enabled on a per-WLAN basis
A global summary of the top applications is shown on the controller Monitor screen
AVC Profile
Custom AVC profiles are created to do traffic shaping (mark or drop per application)
Apply the custom profile per WLAN
Netflow Monitor
Configure a NetFlow exporter on the controller and apply the NetFlow monitor to the WLAN
AVC Summary
Application statistics per WLAN, with upstream/downstream details
Deploying the Cisco Unified Wireless Architecture: Branch Office Designs
Branch Office Deployment: FlexConnect
Hybrid architecture: a single management and control point (the WLC across the WAN) with both centralized traffic and local traffic
Centralized traffic is tunnelled in CAPWAP to the WLC; local traffic is switched at the branch
HA preserves local traffic only: when the WAN (and with it the WLC) is unreachable, locally switched WLANs keep working while centrally switched WLANs do not
FlexConnect Design Considerations: WAN limitations apply

Deployment type   WAN bandwidth (min)   WAN RTT latency (max)   Max APs per branch
Data              128 kbps              300 ms                  5
Data + Voice      128 kbps              100 ms                  5
Data              128 kbps              1 sec                   1
Monitor           128 kbps              2 sec                   5
Data              1.44 Mbps             1 sec                   50
Data + Voice      1.44 Mbps             100 ms                  50
Monitor           1.44 Mbps             2 sec                   50
Economies of Scale for Lean Branches
Key differentiators of the Flex 7500 Wireless Controller:
WAN tolerance: high-latency networks, WAN survivability
Security: 802.1X-based port authentication
Voice support: Voice CAC, OKC/CCKM

Flex 7500 Wireless Controller
Access Points: 300 - 6,000
Clients: 64,000
Branches: 2000
Access Points / Branch: 100
Deployment Model: FlexConnect
Form Factor: 1 RU
IO Interface: 2x 10GE
Upgrade Licenses: 100, 200, 500, 1K
Understanding FlexConnect Groups
FlexConnect groups allow sharing of:
CCKM/OKC fast-roaming keys
Local/backup RADIUS servers (IP addresses and shared keys)
Local user authentication
Local EAP authentication
AAA override for local switching
Smart image upgrade
(diagram: FlexConnect Group 1 at the Remote Site, WAN, Central Site)
Because the group pushes the RADIUS shared keys and the fast-roaming keys to every AP in it, each FlexConnect AP holds those secrets; physical control of branch APs matters accordingly.

Scaling information
                    Flex 7500   CT-5508   WiSM2   CT-2504
FlexConnect groups  2000        100       100     30
APs per group       100         25        25      25
EAP-TLS/PEAP Overview
Local authentication on the FlexConnect AP: the FlexConnect AP either contacts a RADIUS server itself or acts as the RADIUS server
EAP methods when the AP acts as RADIUS server: LEAP, EAP-FAST, PEAP, EAP-TLS
PEAP and EAP-TLS support in standalone mode
Local authentication: continued support for RADIUS servers on the FlexConnect group. The RADIUS server configuration takes precedence over the FlexConnect AP acting as server.
Access points: 1040, 1140, 1520, 1550, 1600, 3500, 3600, 2600, 1250, 1260,
Of the listed methods, LEAP exposes a challenge/response that can be cracked offline by dictionary attack; prefer EAP-TLS, or PEAP/EAP-FAST with a validated server certificate.
PEAP/EAP-TLS Web GUI (screenshot)
Enable AP Local Authentication
A RADIUS server configured on the FlexConnect group takes precedence over AP local authentication
Local Switching Access Lists (new in 7.2)
Support for ACLs in FlexConnect local switching mode
ACL mapped to a local VLAN, per AP or per FlexConnect group
512 FlexConnect ACLs per WLC
16 ingress ACLs and 16 egress ACLs per AP; 64 ACL rules per ACL
No IPv6 ACL: IPv6 traffic on a locally switched VLAN is not filtered by these ACLs, so filter it on the branch switch or router if it matters
(diagram: Remote Site, WAN, Central site)
Local Switching Access Lists Configuration (new in 7.2)
ACL rule creation and application for FlexConnect is identical to WLC rule creation for Local mode
(WLC GUI screenshot) Step 1: create the FlexConnect ACL; Step 2: click to add ACL rules; Step 3: provision the ACL (Inbound / Outbound) on the VLAN mapping
Local Switching Peer-to-Peer Blocking (new in 7.2)
Support for peer-to-peer blocking on the FlexConnect AP
Applies to clients on the same FlexConnect AP
P2P blocking modes: disable or drop
For P2P blocking between clients on different APs, use an ACL or the Private VLAN function
(diagram: Remote Site, WAN, Central site)
FlexConnect AAA VLAN Override (new in 7.2)
AAA VLAN override with local or central authentication
Up to 16 VLANs per FlexConnect AP
The VLAN ID must be enabled per AP or per FlexConnect group
If the VLAN ID does not exist, the default VLAN is used
QoS and ACL override are not supported
(diagram: FlexConnect Group 1 at the Remote Site; Central RADIUS and Application Server across the WAN; the RADIUS reply moves the client from the WLAN's VLAN 3 to VLAN 7)
The fallback is silent from the client's point of view: a user the RADIUS server meant to isolate on VLAN 7 ends up on the default VLAN 3 if VLAN 7 was never enabled on the AP or group, so enable the VLAN before relying on the override.
FlexConnect AAA VLAN Override (WLC GUI screenshot, new in 7.2): create the VLAN (VLAN 109 in the screenshot) on the FlexConnect group; the RADIUS server returns the standard IETF attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID).
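Added example, not from the deck and not Cisco code: a Python resolver for the AAA VLAN override decision on a FlexConnect AP, driven by the IETF 64/65/81 attributes shown in the screenshot. The AP name, VLAN numbers and Access-Accept contents are constructed, and RADIUS attribute tag bytes are assumed to be already stripped. It exercises the failure modes from the two slides: a VLAN not enabled on the AP and a non-numeric Tunnel-Private-Group-ID both fall back to the default VLAN, and the function reports why so the fallback can be logged instead of silently accepted.

```python
"""FlexConnect AAA VLAN override resolution (added example, not Cisco's code).

Rules modelled from the slides: the Access-Accept must carry Tunnel-Type
(IETF 64) = VLAN (13), Tunnel-Medium-Type (IETF 65) = IEEE-802 (6) and
Tunnel-Private-Group-ID (IETF 81) = VLAN ID; the VLAN must be enabled on the
FlexConnect AP (or its group); an AP holds at most 16 such VLANs; a VLAN that
does not exist falls back to the WLAN's default VLAN.
"""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13            # RFC 2868 value for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 2868 value for "802"
MAX_VLANS_PER_FLEX_AP = 16


class FlexAP:
    def __init__(self, name, default_vlan):
        self.name = name
        self.default_vlan = default_vlan    # VLAN the WLAN is locally switched to
        self.enabled_vlans = {default_vlan}

    def enable_vlan(self, vlan_id):
        """Mirror of 'VLAN ID must be enabled per AP or FlexConnect group'."""
        if not 1 <= vlan_id <= 4094:
            raise ValueError("bad VLAN id %r" % vlan_id)
        if vlan_id not in self.enabled_vlans and \
           len(self.enabled_vlans) >= MAX_VLANS_PER_FLEX_AP:
            raise ValueError("%s already has %d VLANs"
                             % (self.name, MAX_VLANS_PER_FLEX_AP))
        self.enabled_vlans.add(vlan_id)


def resolve_vlan(ap, attrs):
    """Return (vlan_id, reason).  `attrs` maps IETF attribute number -> value
    as a RADIUS server would return them in an Access-Accept (tags stripped).
    Every fallback path returns a distinct reason: landing on the default
    VLAN when the server asked for another one is a segmentation failure
    worth logging, not a success."""
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return ap.default_vlan, "no-vlan-attributes"
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or \
       attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return ap.default_vlan, "tunnel-type-or-medium-not-vlan"
    try:
        vlan_id = int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    except (TypeError, ValueError):
        return ap.default_vlan, "vlan-id-not-numeric"
    if vlan_id not in ap.enabled_vlans:
        return ap.default_vlan, "vlan-not-enabled-on-ap"
    return vlan_id, "aaa-override"


def demo_ap():
    """Constructed branch AP: WLAN default VLAN 3, VLANs 7 and 109 also enabled."""
    ap = FlexAP("flex-ap-01", default_vlan=3)
    for v in (7, 109):
        ap.enable_vlan(v)
    return ap
```

The reason string is the part worth wiring into monitoring: a burst of vlan-not-enabled-on-ap for one branch usually means a new VLAN was added on the RADIUS side but never enabled on that FlexConnect group.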
External WebAuth with Local Switching
Provides L3 web redirect from a locally switched VLAN
Reduces WAN traffic by locally switching the guest traffic
Flexible and centralized web-portal creation for multiple sites
Provides flexible use of Conditional and Splash Page web redirect
The FlexConnect AP must be in Connected state with the centralized controller for this to work, so during a WAN outage new guests cannot complete web authentication
(diagram: FlexConnect Group 1 at the Remote Site on VLAN 503; WAN; central site; Internet; external Web Server)
FlexConnect ACL Split Tunneling
Split tunneling allows some traffic to be locally switched although the WLAN is defined as centrally switched
Split tunneling uses a NAT/PAT feature together with an ACL to make the switching decision
Split tunneling uses the AP's IP address for the NAT/PAT
(diagram: WLC across the WAN from the FlexConnect AP over CAPWAP; central traffic to a Central Server stays in the tunnel, local traffic to a Local Printer is NAT/PAT'd according to the ACL)
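Added example, not Cisco's implementation and not from the deck: a Python model of a FlexConnect local-switching ACL (first match wins, implicit deny, IPv4 only, 64 rules per ACL, 16 ACLs per direction per AP, as the ACL slides earlier in this section state) and the split-tunnel decision built on it, where ACL-permitted flows are switched locally and NAT/PAT'd to the AP's own address while everything else stays in the CAPWAP tunnel. The subnets, AP address and printer port are constructed. It serves both the Local Switching Access Lists slides and this one.

```python
"""FlexConnect local-switching ACL and split-tunnel decision
(added example, not Cisco's code).

Limits modelled from the slides: 64 rules per ACL, 16 ingress and 16 egress
ACLs per AP, no IPv6 rules.  With split tunnelling on a centrally switched
WLAN, flows the ACL permits leave the tunnel and are NAT/PAT'd to the AP's
IP address; everything else goes to the WLC over CAPWAP.  Addresses below
are constructed.
"""
import ipaddress

MAX_RULES_PER_ACL = 64
MAX_ACLS_PER_AP_DIRECTION = 16


class FlexACL:
    def __init__(self, name):
        self.name = name
        self.rules = []     # (action, proto, src_net, dst_net, dst_port)

    def add_rule(self, action, proto, src, dst, dst_port=None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError("ACL %s is full (%d rules)" % (self.name, MAX_RULES_PER_ACL))
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if src_net.version != 4 or dst_net.version != 4:
            raise ValueError("FlexConnect ACLs are IPv4 only")
        self.rules.append((action, proto, src_net, dst_net, dst_port))

    def evaluate(self, src, dst, proto, dst_port):
        """Action of the first matching rule; implicit deny otherwise.
        'ip' in a rule matches any protocol, a rule without a port matches any."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s.version != 4 or d.version != 4:
            return "deny"                   # nothing here can match IPv6
        for action, r_proto, src_net, dst_net, r_port in self.rules:
            if s in src_net and d in dst_net \
               and r_proto in ("ip", proto) \
               and r_port in (None, dst_port):
                return action
        return "deny"


class FlexAP:
    def __init__(self, name, ip):
        self.name = name
        self.ip = ip                    # address used for NAT/PAT on split-tunnelled flows
        self.ingress, self.egress = [], []
        self.split_tunnel_acl = None    # applied to a centrally switched WLAN

    def apply_acl(self, acl, direction):
        lst = self.ingress if direction == "ingress" else self.egress
        if len(lst) >= MAX_ACLS_PER_AP_DIRECTION:
            raise ValueError("%s: %d %s ACLs already applied"
                             % (self.name, MAX_ACLS_PER_AP_DIRECTION, direction))
        lst.append(acl)

    def switch_flow(self, src, dst, proto, dst_port):
        """Where a client flow on a centrally switched WLAN goes:
        ("local", nat_src) if the split-tunnel ACL permits it, otherwise
        ("central", src) through CAPWAP to the controller."""
        if self.split_tunnel_acl is not None and \
           self.split_tunnel_acl.evaluate(src, dst, proto, dst_port) == "permit":
            return "local", self.ip
        return "central", src


def demo_branch_ap():
    """Constructed branch: clients on 192.168.50.0/24 may reach the local
    printer subnet 10.20.0.0/24 directly for raw printing (TCP/9100) and
    ICMP; everything else, even other ports on the same subnet, is sent
    to the controller."""
    acl = FlexACL("split-local-print")
    acl.add_rule("permit", "tcp", "192.168.50.0/24", "10.20.0.0/24", 9100)
    acl.add_rule("permit", "icmp", "192.168.50.0/24", "10.20.0.0/24")
    acl.add_rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")
    ap = FlexAP("flex-ap-01", "10.20.0.5")
    ap.split_tunnel_acl = acl
    return ap
```

In this model permit means "leave the tunnel", so a broad permit such as ip any any turns a centrally switched WLAN into a locally switched one for everything the AP can reach; keep the permits as narrow as the printer rule above.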
FlexConnect and AP1500 (Outdoor)
Indoor AP parity with outdoor RAPs (1520 and 1550) only: Local mode and FlexConnect mode
No MAP functionality in this release
Flex mode has support for central and local switching
(diagram: Controller - L3/L2 switch - RAP (Root AP) in Local or FlexConnect mode - 5 GHz backhaul - MAP (Mesh AP))
Deploying the Cisco Unified Wireless Architecture: Branch Office Designs - Understanding Branch Controller Deployment
Branch Office WLAN Controller Options
Appliance controllers: Cisco 2504-12; Cisco 5508-12, 5508-25
Integrated controller: WLAN controller module (WLCM-2) for ISR G2
Virtual WLC (vWLC)
(diagram: Headquarters with E-Mail servers and WCS; branch offices (BO) connected over Internet VPN, MPLS, ATM or Frame Relay; the controller is sized by number of users and number of APs)
Branch Office WLAN Controller Options
Cisco Unified Wireless Network with controller-based branches
Multiple integrated WAN options on the ISR
Consistent branch-HQ services, features and performance
Standardised branch configuration extends the unified wired and wireless network
Branch configuration management from a central WCS
(diagram: Headquarters with E-Mail, WCS and the Cisco WLC; branch offices over Internet VPN, MPLS, ATM or Frame Relay)
**AP count varies depending on channel utilisation and data rates
Deploying the Cisco Unified Wireless Architecture: Guest Access Deployment
Guest Access Deployment: WLAN Controller Deployments with EoIP Tunnel
Use of up to 71 EoIP tunnels to logically segment and transport the guest traffic between the remote (foreign) controllers and the anchor controller
Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the remote controllers
The guest's original Ethernet frame is maintained across the CAPWAP and EoIP tunnels
Redundant EoIP tunnels to the anchor WLC
With the 7.4 release, a 2504-series controller can terminate 10 EoIP tunnels
(diagram: Guest client - CAPWAP - remote WLC - EoIP guest tunnel - anchor WLC behind a Cisco ASA firewall - Internet)
EoIP carries the guest frames unencrypted across the internal network between foreign and anchor; the isolation comes from the anchor terminating them behind the firewall, not from the tunnel itself.
Deploying the Cisco Unified Wireless Architecture: Home Office Design
Home Office Design: OEAP
A Cisco controller (WLC 5508 / WiSM-2 / WLC 7500) is installed on the corporate network and managed from WCS
An OfficeExtend AP (OEAP) sits in the teleworker's home and joins the controller across the Internet (diagram: Headquarters with E-Mail servers; Internet VPN to the home)
Corporate access for employees on a centrally configured SSID
Family Internet access on a locally configured SSID
Summary: Key Takeaways
RF plan and design based on the business requirements
Take advantage of the standards (CAPWAP, DTLS, 802.11i,
Wide range of architecture / design choices
Brand-new controller portfolio (WiSM-2, WLC 7500, WLC 8500, WLC ... WLC) with investment protection
Take advantage of innovations from Cisco (CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
Cisco's investment into technology: Cisco Prime, ISE, new cloud controller
Thank you.