Architecting Network for Branch Offices With Cisco Unified Wireless

7/21/2019 Architecting Network for Branch Offices With Cisco Unified Wireless

1/65


2/65

Architecting Network for Branch OfficesCisco Unified WirelessBRKEWN-2026

Aparajita SoodTechnical Marketing Engineer


3/65

2014 Cisco and/or its affiliates. All rights reserved.BRKEWN-2026 Cisco Public

Objective

Design & Deploy Bran

Network That Increas

Business Resiliency


4/65


Agenda

Learn Cisco Unified Wireless LAN Principles (Rem

Understand Wireless Branch Deployment OptionsEvaluate FlexConnect Architectural Requirements

Identify the need for FlexConnect & AP Groups

Design a Resilient Branch Network

Design Secure & BYOD enabled Branch NetworkHow to operate Wireless Branch efficiently over W

FlexConnect Resiliency DEMO


5/65

Cisco Unified Wireless LAN Principles


6/65 2014 Cisco and/or its affiliates. All rights reserved.BRKEWN-2026 Cisco Public

Cisco One Network : Wireless Deployment M

One Policy, One Management, One Network

Unified Access Wireless

Unparal leled Deployment Flexibi l i ty

Autonomous FlexConnect Centralized ConvergeAccess



Cisco Unified Wireless Principles

Components

Wireless LAN Controllers

Aironet Access Points

Management (PrimeInfrastructure)

Mobility Services Engine (MSE)

Principles

AP must have CAPWAPconnectivity with WLC

Configurationdownloaded to AP by WLC

All Wi-Fi traffic isforwarded to the WLC

Aironet Access

Point

Cisco Prime

Infrastructure

Campus

Network


8/65

Wireless Branch Deployment Options



Branch Office with Local WLAN Controller

Branches can also have localremote controllers

Small or Mid-size BranchWLCs

CT-2504,

Integrated controller modules inISR/ISR-G2

Converged Access Cat-3850

High-availability design withcentral backup controller issupported; WAN limitationsmay apply

Overview

Remote Site B

Remote Site A

WLC-25xx WLCM for

ISR/ISR-G2

Backup

Contr

WAN

Central Site



Branch Office with Local WLAN Controller

Cookie cutter configuration for every branch site Layer-3 roaming within the branch

Reliable Multicast (filtering)

IPv6 L3 Mobility

Note:If you have ISR/ISR G2 at branch site then it is recommended IOS Firewall at edge for unified access policies.

Advantages


11/65


Branch Office Deployment

Hybrid architecture Single management and control point

Data Traffic Switching

Centralized traffic(split MAC)

or

Local traffic (local MAC)

HA will preserve local traffic only

Traffic Switching is configured per APand per WLAN (SSID)

FlexConnect (HREAP)

WAN

Central Site

Centralized

Traffic

Local

Traffic


12/65


FlexConnect Glossary

Connected Mode When FlexConnect can reach Controll

state), it gets help from controller to complete client authenticatio Standalone modeWhen controller is not reachable by FlexCo

into standalone state and does client authentication by itself.

Local SwitchingData traffic switched onto local VLANs for an

Central SwitchingData traffic tunneled back to WLC for an SS


13/65


Configure FlexConnect Mode

Enable FlexConnect mode per AP

Supported AP: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, A3500, AP-1600 , AP-2600 , AP-3600, AP-3700, AP-1520, AP-1530

Step 1: Configure Access Point Mode


14/65


Configure FlexConnect Local Switching

Only WLAN with FlexConnect Local Switchingenabled will allo

switching on the FlexConnect AP

Step 2: Enable Local Switching per WLAN


15/65

Evaluate FlexConnect Architectural Requ


16/65


FlexConnect Design ConsiderationsWAN Limitations Apply

Deployment

Type

WAN

Bandwidth(Min)

WAN RTT

Latency (Max)

Max APs per

Branch

Data 64 kbps 300 ms 5

Data 640 kbps 300 ms 50

Data 1.44 Mbps 1 sec 50

Data+Voice

128 kbps

100 ms

5

Data+Voice 1.44 Mbps 100 ms 50

Monitor 64 kbps 2 sec 5

Monitor 640 kbps 2 sec 50


17/65


FlexConnect Design Considerations

Some features are not available in standalone mode or in local sw

MAC/Web Auth in Standalone Mode VideoStream

IPv6 L3 Mobility

SXP TrustSec

See full list in FlexConnect Feature Matrix

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a008

Feature Limitations Apply
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtmlhttp://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml


18/65


Economies of Scale For Lean Branches

Flex 7500 Wireless Controller

Access Points 300-6,000

Clients 64,000

Branches 2000

Access Points / Branch 100

Deployment Model FlexConnect

Form Factor 1 RU

IO Interface 2 x 10GE

Upgrade Licenses 100, 200, 500, 1K

RTU Licenses

Key Differentiation WAN Tolerance

High Latency Netwo

WAN Survivability

Security

802.1x based port auth

Voice support

Voice CAC

OKC/CCKM


19/65


Flex 7500 Scale & Feature Update - 7.0.116.

Scalability 7.0.116.0

Total APs

2000

Total Clients 20,000

Total FlexConnect Group 500

Support for OEAPs No

Central Switching BW Limit ~250 Mb

Data DTLS Support No

Central Switching 802.1x No


20/65


FlexConnect Feature Introduction

FlexConnect Features Release Ve

AAA-VLAN Override, ALCs & P2P Blocking 7.2

Smart AP Image Upgrade

7.2

External Web-Auth & Mobile Device On-boarding

7.2

Flex 7500 Scale Update 7.3

VLAN Based Central Switching 7.3

Split-tunneling 7.3

Work Group Bridge (WGB) Support 7.3

Bi-Directional Rate Limiting 7.4

ISE BYOD Registration & Provisioning 7.4

AAA-ACL & AAA-QoS Override 7.5

EAP-TLS & PEAP Support for Local Authentication 7.5


21/65

Why do we need FlexConnect & AP Gro


22/65


Understanding AP Groups

AP Groups is a logical concept ofgrouping APs which deliver

similar Wi-Fi services; theseservices can be:

By physical location, and/or

By functional services(data, voice, guest, )

Same AP groups need to bedefined in all WLCs of a mobilitygroup

Overview

Remote Site A

Central Sit

WAN

AP Group 1

AP Group 2

Scaling Flex 7500 CT-5508 WiSM-2 CT-2504

# AP Groups 6000 500 1000 50

# WLAN

(SSID)512 512 512 16

# VLAN

(Interfaces)4095 512 512 16


23/65


WAN/MAN

AP Groups Usage

AP groups give the ability to

enable Wi-Fi Services (WLAN)based on physical location

Example

Central Site

Corporate-Voice, Corporate-Data,Guest-Access

Manufacturing Site

Corporate-Voice,Corporate-Data, Scanners

Store

Corporate-Data,Guest-Access

Per Location SSID

Manufacturing Site

AP Group 2

AP Group 1

Corporate-Voice

Guest-Access

Corporate-Data

Guest-Access

Scanners

AP G U


24/65


AP Groups Usage

AP groups give the ability tostatically map Wi-Fi service(WLAN) to VLAN based onphysical location

Users see the sameWi-Fi service on all sites.

Admin can monitor and filter

based on different IP@ eachsite

Can also be used to havesmaller Wi-Fi subnets For example per floor subnets

in a building.

Per AP Group SSID to VLAN Mapping

Corporate-Data

Corporate-Data

Manufacturing Site

Central Site

WAN/MAN

AP Group 1

Head Office

AP Group 2

U d t di Fl C t G


25/65


Understanding FlexConnect Groups

FlexConnect groups allow sharing of:

CCKM/OKC fast roaming keys

Local/backup RADIUS servers IP/keys Local user authentication

Local EAP authentication

AAA-Override for Local Switching

Smart Image Upgrade

Scaling information

Overview

FlexConnect Group 1

Remote Site

WAN

Central Sit

Flex

ScalingFlex

7500CT-5508 WiSM2 CT-2504

FlexConnect

Groups2000 100 100 30

AP per Group 100 25 25 25

Fl C t G d CCKM/OKC K


26/65


FlexConnect Groups and CCKM/OKC Keys

CCKM/OKC keys are stored onFlexConnect APs for Layer 2 fast

roaming

The FlexConnect APs will receivethe CCKM/OKC keys from theWLC

If a FlexConnect AP boots upin standalone mode, it will not get

the OKC/CCKM keys fromthe WLC and fast roamingwill not be supported

FlexConnect supports 802.11r FastTransition with local key caching.

WAN

Central Site

FlexConnect

Group 1

FlexConnect Group 1 FlexConn


27/65

Designing a Resilient Wireless Branch N

Fl C t B k S i


28/65


FlexConnect Backup Scenario

FlexConnect will backup on localswitched mode

No impact for locally switched SSIDs Disconnection of centrally switched SSIDs clients

Static authentication keys are locally stored inFlexConnect AP

Lost features

RRM, WIDS, location, other AP modes

Web authentication, NAC

WAN Failure

Remote Site

WAN

Cent

FlexConnect Backup Scenario WLC F il


29/65


FlexConnect Backup Scenario - WLC Failur

FlexConnect will first backup on local switchedmode

No impact for locally switched SSIDs Disconnection of centrally switched SSIDs

clients

CCKM roaming allowed inFlexConnect group

FlexConnect AP will then search

for backup WLC; when backup WLC is found,FlexConnect AP will resync with WLC andresume client sessions with central traffic.

Client sessions with Local Traffic are notimpacted during resync with Backup WLC.

Remote Site

WAN

Cent

FlexConnect Group: Local Backup RADIUS


30/65


FlexConnect Group: Local Backup RADIUS

Normal authentication is done centrally

On WAN failure, AP authenticates newclients with locally defined RADIUS server

Existing connected clients stay connected

Clients can roam with

CCKM fast roaming, or

Reauthentication

Backup Scenario

Remote Site

WAN

Cent

Central RADIUS

Local Backup

RADIUS

CCKM Fast Roaming

Local Authentication


31/65


Local Authentication

By default FlexConnect APauthenticates clients through centralcontroller

Local Authentication allow use of localRADIUS server directly from theFlexConnect AP

Remote Site

WAN

Cent

Central RADIUS

Local

RADIUS

New in 7.0.116

FlexConnect Group: Local Backup Authent


32/65


FlexConnect Group: Local Backup Authent

Normal authentication is done centrally

On WAN failure, AP authenticates new

clients with its local database Each FlexConnect AP has a copy of the

local user DB

Existing authenticated clients stayconnected

Clients can roam with:

CCKM fast roaming, or

Local re-authentication

Backup Scenario

Remote Site

W

C

Central RADIUS

CCKM Fast Roaming

Supported Security Types Release Version

LEAP 6.0

EAP-FAST 6.0

PEAP 7.5

EAP-TLS 7.5


33/65

Designing Secure & BYOD Enabled BranNetwork


34/65

FlexConnect Peer-to-peer Blocking

Local Switching Peer-to-peer Blocking


35/65


Local Switching Peer-to-peer Blocking

Support for Peer-to-Peer blocking in

FlexConnect APApply for clients on same FlexConnect AP

P2P blocking modes : disable or drop

For P2P blocking inter-AP use ACL or PrivateVLAN function

Description

Remote Site

WAN

Cent


36/65

FlexConnect AAA VLAN & QoS Override

FlexConnect AAA VLAN Override


37/65


VLAN 7

QoS = Platinum

VLAN 3

QoS = Silver


AAA VLAN Override with local orcentral authentication

Up to 16 VLANs per FlexConnect AP

VLAN ID must be enabled per AP orFlexConnect Group

If VLAN ID does not exist, default VLANis used, unless VLAN Based Central

Switching enabled Starting from 7.5AAA override for

QoS is also supported.

Description

Remote Site

WA

Cent

FlexConnect Group 1

RADIUS

Application

Server



38/65


FlexConnect AAA VLAN OverrideConfiguration

WAN

Create Sub-Inte

IETF 81

IETF 64

IETF 65

VLAN Based Central Switching


39/65


VLAN Based Central Switching

While doing AAA VLAN Override with

local switching : If VLAN ID does not exist at the AP, the

traffic is central switched to the centralVLAN ID

If the central VLAN ID does not exist, thetraffic is centrally switched to the default

VLAN ID of the WLAN

Overview

Remote Site

WAN

Central RADIUS

VLAN 3

VLAN 7

VLAN 3

does not

Exist on

this AP

Centra

VLAN

Fl C t AAA Q S O id


40/65


FlexConnect AAA QoS OverrideDescription

Dynamically assign QoS levels and/or

bandwidth contracts for local switching,centrally authenticated WLANs

Web-authenticated WLANs and 802.1X-authenticated WLANs supported

Order of precedence for Rate Limiting

parameters AAA override QoS Profile of AAA override

Local WLAN configuration

QoS Profile of local WLAN configuration

Supported on 802.11n non-mesh access points 1040,1140,1250,1260,1600,2600,350

Vendor ID/Vendor Type Attribut

[14179\002] Aire-QoS

[14179\004] Aire-802

[14179\007] Aire-Dat

Contract

[14179\008] Aire-Rea

Average

[14179\009] Aire-DatContract

[14179\0010] Aire-Rea

Burst-Co


41/65

FlexConnect ACL VLAN Mapping & Per-Cl

FlexConnect ACL VLAN Mapping


42/65


FlexConnect ACL VLAN MappingOverview

Remote Site

FlexConnects ACL are applied per VLAN

FlexConnect ACL are Ingress / Egress

oriented Starting from 7.5 FlexConnect ACL support

AAA-returned Client ACL

512 FlexConnect ACL per WLC

16 ingress ACL & 16 egress ACL per AP

64 ACL rules per ACL

No IPv6 ACL

Scale


43/65

FlexConnect Split Tunneling(Using FlexConnect Split ACL)

FlexConnect ACLSplit Tunneling


44/65


p g

Split tunneling allow some traffic to be locally switched although tdefined as centrally switched

Split tunneling is using a NAT/PAT feature with ACL to perform thswitching

Split tunneling is using the AP IP@ for the NAT/PAT feature

Overview

WLCFlexConnect APCAPWAP

WAN

Central Server

Central Traffic

Local Printer

NAT/PAT

ACL

Local Traffic


45/65

Deploying External WebAuth with FlexConLocal Switching(Using FlexConnect WebAuth ACL)

External WebAuth with Local Switching


46/65


g

Provides L3 Web Redirect fromlocally switched vlan

Reduces WAN traffic by locallyswitching guest traffic

Flexible and centralized web portalcreation for multiple sites

Provides flexible use of Conditional

and Splash Page Web Redirect FlexConnect AP must be in

Connected state with CentralizedController for this functionality towork

Description

Remote Site

WAN

Cent

FlexConnect Group 1

VLAN

503

Internet

WebServer

Guest


47/65

Deploying BYOD with FlexConnect Local S(Using FlexConnect WebPolicies ACL)

BYOD Device On-Boarding in FlexConnectExample: Apple iOS Device Provisioning


48/65


Example: Apple iOS Device Provisioning

InitialConnection

Using PEAP

WLC

1

Device

Provisioning

Wizard2

Future

Connections

Using EAP-TLS3

WLC

Deploying BYOD with FlexConnect WirelesS 802 1 /EAP A th ti ti


49/65


Summary802.1x/EAP AuthenticationISE

WLCFlexConnect AP

CAPWAP

WAN

802.1x/EAP Request Radius Access-Request

Radius Access-Response Access-Type: Access-Accept URL-Redirect-ACL=FlexACLWebPolicy,

URL-Redirect=http://)

802.1x/EAP Response

Inside CAPWAP

Inside CAPWAP

URL + ACL Redirect

Inside CAPWAP

WiFi Association

Deploying BYOD with FlexConnect WirelesS DHCP R t


50/65


SummaryDHCP Request

DHCP Request

RADIUS-Accounting

host-name=MyiPad dhcp-class-identifier=APPLEDHCP Lease

Inside CAPWAP

Inside CAPWAP

ISE

WLCFlexConnect AP

CAPWAP

WAN

Deploying BYOD with FlexConnect WirelesS mmar URL Redirect


51/65


SummaryURL-Redirect

HTTP

Request

ISE

WLCFlexConnect AP

CAPWAP

WAN

URL-Redirect

Inside CAPWAP

HTTP Request

Redirected to WLC by AP

Deploying BYOD with FlexConnect WirelesSummary Registration & Provisioning


52/65


SummaryRegistration & Provisioning

Device Registration & Provisioning

ISE

WLCFlexConnect AP

CAPWAP

WAN

RADIUS Change-of-AuthorizationEAP DeAuthentication

EAP Authentication

Deploying BYOD with FlexConnect WirelesSummary Device Access


53/65


SummaryDevice AccessISE

WLCFlexConnect AP

CAPWAP

WAN

802.1x/EAP Request/ResponseRadius Access-Request

Inside CAPWAP

DHCP Request/Response

Inside CAPWAP

Radius Access-Response

Web Traffic


54/65

Operating Wireless BranchSmart Upgrade over WAN

Upgrading a FlexConnect DeploymentConcerns


55/65


Sites using FlexConnect AP are usually sites with low WAN

Each site may have small number of AP, but an enterprise lot of branches

Upgrading ~6000 AP through a low bandwidth WAN is a ch

Time needed to download all the AP firmware

Exhaust of the WAN link

Risk of failures during the download

Concerns

FlexConnect Smart AP Image UpgradeOverview


56/65


WAN

Smart AP Image Upgrade use a

master AP in each FlexConnectGroup to download the code.

Other FlexConnect AP download thecode from the master locally

1.Download WLC upgraded firmware (will becomeprimary)

2.Force the boot image to be the secondary (and not the newly upgradedone) to avoid parallel download of all AP in case ofunexpected WLC reboot

3.WLC elect a master AP in each FlexConnectGroup (can be also set manually)

Overview

Remote Site-1

Wireless Control

System

New

Central Sit

Master AP

FlexConnect Smart AP Image UpgradeDescription (Cont )


57/65


WAN

4. Master AP Pre-download the APfirmware in the secondary boot

image (will not disrupt the actualservice)Can be started group pergroup to limit WAN exhaust

5. Slave AP Pre-download the APfirmware from the Master AP

6. Change the bootimage of the WLC

to the new image7. Reboot the controller

Description (Cont)

NewOld

Central Sit

Remote Site-1

Wireless Control

System

Primary Secondary

AP Firmware Image

NewOld

Primary Secondary

AP Firmware Image

Master AP


58/65

FlexConnect Resiliency Demo

FlexConnect Fault-Tolerance Demo


59/65


C

A

PW

A

P

1.Associate Wireless Clients to SSID FlexDemo

2. Confirm AP is reachable from WLC or inFlexConnect Connected mode.

3. Start Ping from Laptop:10.10.10.20 to iPad:10.10.10.10

4. Kill the CAPWAP tunnel between AP & WLC i.e.unplug WLC from the Switch.

5. Check the AP switching from Connected to

Standalone due to loss of reachability with WLC.6. Notice the Ping packets are still running.

WLC

SSID: Fl

IP: 10.10.10.10

Fault-Tolerance is Integrated in FlexConnect

architecture & requires No Configuration


60/65

Summary

Summary


61/65


Cisco Unified Wireless Network based on Controllers deliver WireSolution

FlexConnect is the feature designed to solve remote connectivityconstraints

Several Failover Scenario are targeted to offer Survivability of SmSites

Wireless LAN Controller Scale Comparison Guide:http://www.cisco.com/en/US/products/hw/wireless/products_categuide.html#controllers

FlexConnect Branch Controller Deployment Guide:http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a00
http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.htmlhttp://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.htmlhttp://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtmlhttp://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtmlhttp://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.htmlhttp://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.htmlhttp://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html


62/65

Deploying CiscosFlexConnect in Branche

Increases Business Resili

Call to Action


63/65


Visit the World of Solutions:-

Cisco Campus

Walk-in Labs

Technical Solutions Clinics

Meet the Engineer

Lunch Time Table Topics, held in the main Catering Hall

Recommended Reading: For reading material and further resourcsession, please visit www.pearson-books.com/CLMilan2014
http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014


64/65


65/65

Documents

Architecting Network for Branch Offices With Cisco Unified Wireless