2015 Product Update and Converged Access

2015 Product Update&

Converged AccessRob RummelCCIE 9012Systems Engineer

Cisco 2© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Modular Access Switching Update

Fixed Access Switching Update

Campus Backbone

ISR 4400

Agenda

Converged Access

Cisco 4000 Series Integrated Services Routers


Cisco Branch Router Evolution

ISR 4431 & 4300 familyMaking for a complete ISR 4000 familyISR 4451-X

First ISR based on IOS XE

ISR G2 family800, 1900, 2900 & 3900Taking the ISR concept to the next level

ISR G1 family1800, 2800, 3800The first architecture custom designed for integrated services

Cisco 2500Cisco’s first family of branch routers for 23 different deployments

Cisco 2600Superseded 2500. Considered one of Cisco's premier products.

2014

2013

2009

2004

1998

1993

Not shown here: 700, 1600, 1700, 4000/4500, 3600 & 3700 series routers


Pay-As-You-Grow with Cisco ISR 4000 Series

ISR 432150-100 Mbps

ISR 4331100-300 Mbps

ISR 4351 200-400 Mbps

ISR 4431 500-1000 Mbps

ISR 4451 1-2Gbps

Investment Protection Without Oversubscription

4-10X FasterAdd performance and services anytime

Flexible consumption options


Cisco ISR 4451ISR4451-X/K9

Entity ISR 4451

CPU architecture 4 core control/services 10 core dataplane

Network Interface Modules 3

Enhanced Service Modules 2

Front-Panel Ethernet 4 GE (all dual-phy RJ45 or SFP)

ISC slot 1 for all ISC cards

USB type A ports 2

Power Dual internal AC or DC

Control/services memory

Base 4 GB; max 16 GB 1600 MHz DIMMs 2 DIMM slots

Mgmt Ethernet 1 Gbps

1 Gbps or 2 Gbps Performance1 Gbps or 2 Gbps Performance


Cisco ISR 4431ISR4431/K9

500 Mbps or 1 Gbps Performance500 Mbps or 1 Gbps Performance

Entity ISR 4431

CPU architecture 4 core control/services6 core data plane



Front-Panel Ethernet 4 GE (all dual-phy RJ45 or SFP)


USB type A ports 2

Power Dual internal AC or DC


Base 4 GB; max 16 GB1600 MHz DIMMs 2 DIMM slots




200 Mbps or 400 Mbps Performance200 Mbps or 400 Mbps Performance

Entity ISR 4351

CPU architecture 8-core CPU



Front-Panel Ethernet 3 GE (all dual phy RJ45 or SFP)


USB type A ports 2

Power Single internal AC or DC







Entity ISR 4331




Front-Panel Ethernet1 dual-phy (SFP or RJ45)1 RJ45 only1 SFP only (copper SFP supported)


USB type A ports 1

Power 1 internal AC







Entity ISR 4321




Front-Panel Ethernet 2 GE (1 dual-phy, 1 RJ45 only)


USB type A ports 1

Power 1 internal AC





Revolutionary Platform ArchitectureArchitected for the Optimal Application Experience

Converged Branch with UCS® E-Series

Integrated compute Up to 8 cores

4-10 Times Faster Than ISR G2 at similar price

Native L2-7 ServicesSecurity, optimization

Pay as You GrowPerformance and services

Virtualized Services FrameworkAppliance-level performance

Service-Aware Data Plane For efficient traffic handling Cisco ISR

4000

Powering the Intelligent WAN


Cisco ISR 4000 Family I/O Design

Management Interfaceout-of-band control plane connection directly to a management network

Front-Panel GE RJ45/SFP GE Interfaces

PoE+ available on some models

Network Interface Modules Larger and more powerful than EHWICs Up to 8 ports per module DSPs directly on modules

Optional Drive NIM for Service Containers RAID 1 for data protection Single HD (future) and

dual SSD options Embedded SSD option

USB Connections 2 type A for file storage USB type B console in addition

to RJ45 console and aux ports

Enhanced Service Modules Compatible with Cisco® ISR G2 Up to 10-Gbps connection to system Faster and more powerful than SMs

Internal Services CardInternal ExpansionCurrently for CUBE DSPs


Cisco 4300 Comparison to 4400: Differences

4400 Family Benefits

Redundant power

Ability to physically separate control, services, and data plane CPU sockets

Additional service container capacity through faster CPUs

Higher throughput for base and performance licenses


Cisco ISR 4400 Series Architecture

Control Plane (1 core) and Services Plane (3 cores)

Data Plane (6 or 10 cores)

Multigigabit Fabric

FPGE

ISC

SM-X

NIMService Plane

(control plane CPU)Service Plane

(control plane CPU)

KVM - HypervisorKVM - Hypervisor

ISR-WAAS

Service containers live here

IOS


Cisco ISR 4300 Series Architecture

Service Plane (control plane CPU)

Service Plane (control plane CPU)

KVM - HypervisorKVM - Hypervisor

ISR-WAAS

IOS

Service Container

Multigigabit Fabric

FPGE

ISC

SM-X

NIM

Data Plane Cores

Note:4321 uses 2DP, 1CP & 1SC cores


ISR 4400


Campus Backbone


Agenda

Converged Access


Catalyst Access PortfolioEssential connectivity to Unified Access for NG Workspace

• Secure, reliable access• Low TCO & energy‐efficient

Competitive Feature Set at Compelling Prices

UNIFIEDWORKSPACE BYOD Video Mobility

Converged Wired/Wireless Access

• Upto 480G Stacking• Upto 4x10G Uplinks• Stackpower with 3850• Supports up to 50AP’s

• Scale and Performance• 928G Backplane• 8 Modular 1/10G

Uplinks• Supports 50AP’s*

Lead Modular SwitchLead Stackable Switch

SCALE

FEAT

URE

S

NEW Jul 2013 NEW Jan 2013 gNEW Aug 2013


© 2013 Cisco and/or its affiliates. All rights reserved. Cisco 18

High Education

K-12Healthcare

• BYOD & rapid Client adoption Students bring in latest laptops, smartphone, tabletsHigh concentration of devices connecting to the networkBetter spectrum use when devices move to 5GHz rather than the crowded 2.4GHz band

• CT, MRI, Cardiac Imaging, and 4D modeling demands higher bandwidth

• Large file movement of images when not real‐time

• Efficient handling of legacy and new 11ac devices as wireless density increases

• Collaborative Classrooms with HD Video

• Multi‐screen HD video is streamed live to 802.11ac and 802.11n enabled devices in classrooms

Service Provider

Stadiums

• Enhanced service offerings with the latest wireless technology, providing competitive differentiation

• SP‐Wi‐Fi off‐load − balancing users between Wi‐Fi and 3G/4G/LTE

• Better Customer experience to high Bandwidth Apps such as Netflix or Hulu Plus

• Continued shift to 5 GHz to offload the crowded 2.4 GHz

• 802.11ac and CMX deliver next-gen fan experience

• Enhanced scaling forinherently High density environments

• New revenue opportunities (sponsorship, merchandising)

• CMX maps with featured attractions

• Differentiate core retail services

802.11ac Drivers


Cisco Multi-Gigabit Ethernet (mGig) SolutionKey Differentiators

POE/POE+/UPOE Cisco Innovation over 10GT Standard to support high end point power needs

Maintain Switch to AP Reach at Higher SpeedsAdaptive Rate Technology (FE, 1G, 2.5G, 5G, and 10G) Future proofed for higher speeds

Standards Compliant 1G and 10G BaseT IEEE standards, intermediate speeds WIP

Infrastructure Investment Protection Supports 100m distance with Cat5e cabling up to 5G speeds for BrownfieldSupports Cat6a cabling for Greenfield deployments for higher speeds

So we have a very unique innovation that we are offering, which is completely differentiating us from the rest of

the industry.

The first major one is as the .11ac is getting adopted, there's an increasing need for more and more speeds.

So today we can go up to one gig speeds for the .11ac.

With the .11ac, we have two.

There is need for going higher than one gig.

So we have the offering, the multi‐gigabit ethernet, which is a unique offering which is capable of supporting adaptive rate

speeds, all the way from 100 meg, all the way up to 10 gig, completely future‐proofing for higher speeds for

your deployments.

So the speeds that specifically are non‐standardized at this point are the 2.5 gig and 5 gig, squarely addressing the.11ac [INAUDIBLE]

standards for phase one and phase two.

So this will essentially allow our customers to come, connect their Next Generation APs onto the switching infrastructure and deliveringhigher bandwidth.

The second key aspect is basically there is a lot of cabling out there today in the campus.

Predominantly, a lot of this cabling is Cat5e cabling based.And there's a lot of investment out here to rip apart and change it.

So today there is a technology that we have.

The Cat5e cable can only deliver up to 1 gig of speed.

The multi‐gigabit ethernet solution that we have is a unique differentiator that will let you deliver speeds beyond 1 gig,

using the same Cat5e cabling infrastructure.

So this is, again, a unique differentiator from rest of the competition.

The third key aspect as why we're delivering this, there is a lot of devices that are getting on board.

We're just demanding a lot more power in terms of PoE and PoE Plus.

And universal PoE delivering beyond 30 watts for the future IOT onboarding.

So it is very important that this solution also helps in getting us that in terms of delivering voltage higher

than the 30 watts, bringing the universal PoE devices on board.

Last, but not the least, any of these have to be standards compliant.

The solution that we have is completely compliant with the 1 gig and the 10 gig, and we are closely

working with the standard bodies to take up the intermediate speeds between 1 gig and 10 gig.

So you can see all these differentiators will completely help us launch, and take advantage of the .11ac proliferation thatis happening in industry.


Catalyst Access Switching – Driving the UPOE EcoSystem

Lighting as a Service (Laas)

Lighting as a Service (Laas)

Internet of Everything (IOE)

Internet of Everything (IOE) Next Gen RetailNext Gen Retail Enterprises: VDIEnterprises: VDI

HealthCare: Nurse Call Systems

HealthCare: Nurse Call Systems

Financial Institutions: IP Turrets

Financial Institutions: IP Turrets

Bring HA Mission Critical Applications

Lower CapEx& OpEx

Integrate, Monitor, Analyze and

Control

Address BYOD, 802.11ac Wave2


Enterprise IOT – Connected Lighting

Indu

stry

Indu

stry

Cis

co

Visi

onC

isco

Vi

sion

Ben

efits

Ben

efits

• Superior experience and favorable economics

• Intelligent building automation with IP convergence and IoT

• Centralized management and monitoring

Lower TCO

$$$ High Voltage (110/277V) AC Wiring in the Ceiling $$$

Requires High Voltage Electrician & labor intensive

• Intelligent “digital ceiling” with PoE and energy management over IP• Software defined policy

• Partnering with IoT Ecosystem

Better LED Lighting Experience

• Lower TCO: reduced material & labor cost, energy savings• Intelligent IP platform, software analytics • Global standardized lighting solution


Address BYOD 3.0 Scalability

Hill‐RomHill‐Rom NurseCall system + Catalyst UPoEUL Certification in ProgressStanford Hospital – planning to use UPOE line card + 9000 W PS in their medical networkSolution will be available as a single bundle 1HCY2015More healthcare partners in the pipeline!

Visit https://www.youtube.com/watch?v=J2CNxSl0DCM for Launch video.

UPOE EcoSystem Partnership in Healthcare


The Catalyst Access portfolio was completely refreshed in 2013

• Secure, reliable access• Low TCO & energy‐efficient

Competitive Feature Set at Compelling Prices

UNIFIEDWORKSPACE BYOD Video Mobility

Converged Wired/Wireless Access

• Upto 480G Stacking• Upto 4x10G Uplinks• Stackpower with 3850• Supports up to 50AP’s

• Scale and Performance• 928G Backplane• 8 Modular 1/10G

Uplinks• Supports 50AP’s*

Lead Modular SwitchLead Stackable Switch

SCALE

FEAT

URE

S

NEW Jul 2013 NEW Jan 2013 gNEW Aug 2013


Catalyst 3850/3650 Leadership in Wired ServicesSCALABILITY/PERFORMANCE

Up to 480G Stacking Up to 50 Access Points / 2000 Clients 4x10GE Uplinks with Copper/Fiber Downlinks IPv4/IPv6/Multicast Scalability Leadership

AVAILABILITY / RESILENCY Stateful Switch Over (SSO) AP and Tunnel SSO Stackpower FRU Power Supplies / Fans

IINTERNET OF THINGS / SDN

Segmentation (TrustSec, VRF-lite) UPOE / Full POE / EnergyWise Bonjour / Services Discovery Gateway Flexible Parser

NETWORK AS A SENSOR Flexible Netflow WireShark MediaNet* Embedded Event Manager

Cisco 25© 2013 Cisco and/or its affiliates. All rights reserved.

Key Benefits Built on UADP ASIC

12 and 24 port 1G SFP

2x10G or 4x1G Modular Uplinks

Stackable with 3850 Access switches

StackPower

Integrated Mobility Controller

Wide range of Optical Interfaces

Converged Access Portfolio Strengthened With the New 3850 Fiber SwitchesConverged Access Portfolio Strengthened With the New 3850 Fiber Switches

Catalyst 3850 1G Fiber SwitchesInnovation with UADP continues…

DATADATA

PoE+PoE+

UPOEUPOE

FiberFiber

Flexible Stacking options with C3850


Release 3.6.0E!!!Enhanced Wired and Wireless Functionality

Infrastructure• Active and Passive CX1 SFP, Active CX1 SFP+, • TDR in Lan Base (4K,parity with 3K), WCCP in IP-base (3K)Layer 3• IPv6 VRF, uRPF, PBR• IPv4 & IPv6 SDM Templates • VRRPv3IT Simplicity• PnP Agent, PnP Smart Install Proxy• Auto Conf and Interface TemplatesServices• Device Sensor w/ISE• Service Discovery Gateway Ph II (Location, Static service,HA)• IP4 FQDN ACL, Secure CDP, IPv6 CTS, Bidir SXPApplication Experience• Perf Mon, Mediatrace

Infrastructure• New AP Support

• AP700I, • AP700W• AP2700• Outdoor AP1530 series (Centralized Mode Only)

Mobility Services• AVC-Wireless Ph II ( QoS tie-in with Policy)• Service Discovery Gateway Ph II (location static

service)• Device Sensor (Policy Classification Engine)• AP Pass Through

Interop• Prime 2.1, ISE 1.2/1.3, MSE 8.0

Compliance for Wired and Wireless (FIPS 140-2, CC, UCAPL, CSfc APL)

Wired FeaturesWired Features Wireless FeaturesWireless Features


Momentum towards completion of the CA solutionSignificant Feature Enhancements and Management Improvements

3.3 3.6 3.7

INFRA 9 member stacking, HSRP, Critical Voice VLAN, Sevices Discovery Gateway

VRRPv3, IPv6 Routing/PBR/VRF, QinQ, Energywise

PVLAN, XPS, AP1570, World Regulatory Domain

SECURITYSGT/SGACL on wired and wireless Device Sensor, Policy Classification Engine Macsec (wired) and IPv6 FHS

APPLICATIONEXPERIENCE Wireshark (wired and wireless), AVC

Wireless Ph IMSI/MSP, Perf. Mon, AVC Wireless Ph II AFD Visibility, Wireless Auto QoS

MANAGEABILITY & PROGRAMMABILITY 3650 management with PI 2.0.1 PI 2.1, PnP Agent/ Proxy, Interface

Templates, Auto Conf.PI 2.2, SDN* (OF1.3/OnePK), MCMA, Prime

CA Templates

CERTIFICATIONStart - FIPS, Common Criteria, UCAPL End - FIPS, Common Criteria, UCAPL WFA

*Beni MR


Catalyst 2960-X Series Access Switches is best in its class

2xDoubling Everything Stack units, bandwidth & more

Investment Protection Stack with Existing 2960‐S/SF

Application Visibility & Control

Layer 3Routing

GreenestSwitch Ever

Future-ProofScalable Smart

Intelligent & GreenSimple

Reduce TCOSecureOne Policy


The Quiet and Fanless Catalyst PortfolioOptimized for deployments outside the wiring closet

WS-C2960X-24PSQ-L• 8 Ports PoE+ (110W)• LAN Base Sofftware

Ideal for retail, conference rooms, classrooms, hotels and more

Ideal for retail, conference rooms, classrooms, hotels and more

24 Ports8 Ports 12 Ports

Port Density

Catalyst Compact• 8/12 Ports PoE+ (240W)• L2/L3 Software


Enhanced PoE capabilities on the compact switches enable Perpetual PoE and scale

• Increased PoE Budget: 240W of PoE+ (8 x 30W)• Fanless, silent reliable operation.

• Provides non‐stop PoE power. • Switch can continue to provide PoE+ during

config and reboot

Dense Sensor Network

(Light, Motion, CO2/CO, etc.)

WiFi Access Point

IP Video Surveillance Camera

Wall Switch

CommercialLED PoE Fixtures

Ethernet Cable

Building Mgmt(Connected HVAC)

Digital Ceiling Applications

…

Compact Switch in the

Ceiling

An expanding ecosystem of PoE devices

• Option to power over 18V‐60V external DC power supply, supports PoE+


The compact switches deliver advanced networking features for performance and scale.

IT SimplicityInstant Access with 10G – New Smart Operations , AutoconfNG Plug n Play – New

SMART SERVICESNetflow Lite – New Embedded Event ManagerEEE, Hibernate Mode – New 2 x UPOE Powering option – New

SECURITYSegmentation (TrustSec*, VRF‐lite) – New MACsec*

Secure Boot – New

PERFORMANCE10G Fiber uplinks– New mGig for 11ac wireless New PoE+ Scale (240W) – New Persistent PoE* – New

(*) On the roadmap


Spurring Innovation in Enterprise IoTDoublemint – An easy way to hook up USB sensors to Cisco hardware

EIoT DevKit – combination of HW, SW and documentation to enable the developer to accelerate endpoint devices onto the network

How this is achieved?

Why create it?

What is it? PoE to USB Adapter

Accelerate IoTAdoption

Extensive ecosystem of USB

sensors & actuators

Enables rapid prototyping

Increase # of ports for Cisco Products

Any IOS capable switch or router becomes an IoT

gateway

USB

Server or VM running python

TemperatureTemperature SoundSoundLightLight MotionMotion

BLE BeaconBLE Beacon ….….RFIDRFID Legacy Serial Device

Legacy Serial Device


ISR 4400


Campus Backbone


Agenda

Converged Access


4503‐E

4507R+E4510R+E

4506‐E

Four Chassis Options 7 and 10 Slot with Sup Redundancy

Catalyst 4500E Portfolio

Power SupplyMaximize UPOE/POE+/POE delivery

Fully Loaded 10‐Slot with POE PWR‐C45‐9000ACV PWR‐C45‐6000ACV PWR‐C45‐4200ACV

SupervisorsTraditional and Wireless Convergence

928G Wired, 20G Wireless WS‐X45‐SUP7L‐EWS‐X45‐SUP8‐E WS‐X45‐SUP7‐E

1GE: 12/24/48 portWS‐X47xx‐SFP‐E

POE: WS‐X4748‐UPOE+E

Data: WS‐X4748‐RJ45‐E

Port Scale:Access and Collapse Agg 384 10/100/1000 POE/PoE+/UPOE

96 SFP+ , 192 SFP

10GE: WS‐X4712‐SFP+E


Wireless on Catalyst 4500 Sup-8E

Works in all Shipping 4500-E chassis

Up to 50APs2000 Clients

8 SFP+ 10G/1G Uplinks

Campus LISP Ready928G total capacity

Wireless integration

Faster CPU

A p p V i s i b i l i t y

L o w e r T C O

S c a l e

• Investment Protection to UA Arch• In Service Software Upgrade• Life Cycle

• Flexible NetFlow Wireless •IOS XE Open Application Platform

• 20G Wireless Termination*• 100% more Uplink Bandwidth• Programmable Uplink FPGA (LISP)

* Wireless support in H2CY143.7


ISR 4400



Campus Backbone

Agenda

Converged Access

Campus Backbone Update


Future-proof backbone platform to scale your campus services with NO

compromise

Mini but mighty backbone platform

with high density 10G and rich services

With Catalyst Instant Access Technology

solution that dramatically simplifies

your campus operations


Taking Catalyst 6K Up to 880G/Slot7 Slots10 RU

Investment protection! Compatible with Sup2T, 6700, 6800, 6900 and latest service modules

Backwards compatible backplane connectors

Catalyst 6500 DNA

Low-power and noiseHigh-efficiency fans

Up to 4 (N+1) power supply redundancy

3000W AC

Up to 880G/Slot capable

Next-generation ready

Side-to-side air flow (redirectable via airflow baffles)


C6K-Based “Extensible” Fixed Platform

Up to eighty 1G/10G ports or twenty 40G ports*

Fixed module sixteen 10/100/1000/10G or up to four 40G X86 2 GHz CPU 4 GB DRAM

Sixteen 10/100M, 1/10G or up to four 40G ports

MACsec, VSS, instant access, MPLS, VPLS, LISP, SGT, 1588(*) capable on every port

Low powerLow noise fans

Platinum EFFRedundant AC and DC PS


48 x 1G RJ45 Ports

Catalyst 6500 features at access

2 x 10G SFP+ Uplink PortsData and

PoE/PoE+ Options

Stackable up to three members at FCS

System and Status LEDs


Catalyst New 10G Line Card: C6800-32P10GNew High Density Multi-Rate Line Cards

* with new CVR-4SFP-QSFP Adapter Cable

32 ports of SFP/SFP+, up to 8 ports of QSFP

10/100/1000M GLC-T

100M FX

250MB per Port; 500MB in Performance Mode

Instant Access, SGT, MACSec

160G Throughput,

Performance mode for line rate

1M IPV4 Route

1M Netflow

Not Every Port is Created Equal!Not Every Port is Created Equal!


Throughput in 6807 160G

Optics: SFP/SFP+

Egress Buffer/port: 250 MB

Features:

Full-feature L2/L3 module with MPLS, VPLS. IPv4/IPv6

capabilities, 1M IPv4 Routes,1M NetFlow

Additional Hardware Features:

Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access

Ideal for: Campus Aggregation and Core

80G

SFP/SFP+

250 MB


capabilities, 1M IPv4 Routes,1M NetFlow

Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access

Campus Aggregation and Core

80G

SFP/SFP+

500 MB


capabilities, 1M+ IPv4 Routes,1M NetFlow

Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant

Access

Campus Aggregation Core

Instant Access

Hierarchical QoS

SGT & MACSecLarge Buffers

Catalyst 6800 10G PortfolioProviding Deployment Options

32x10G SFP+ 16x10G SFP+ 8x10G SFP+


ISR 4400


Campus Backbone

Agenda


Converged Access




Extending Wired Benefits to the Wireless Network

Application Visibilitywith Wireshark and Flexible Netflow

Security across wired and wireless with Trustsec

Resiliency with StackPower and StatefulSwitchover

Simplicity with PnP, Auto Smart Ports and Interface Templates


Network As A SensorFlexible NetFlow – Defend Against Emerging Threats (Cyber Security)

Lancope StealthWatch

User connects laptop that is infected with a virus. Virus spreads to another user.Catalyst switch is running Flexible NetFlow. It sends user id, application id, traffic volume & more to Lancope.Lancope alerts IT about security breach. IT quarantines affected devices for remediation.IT prevents the virus from spreading to other devices.

Catalyst 3650, 3850, or 4500E


Network as a SensorWireshark – Troubleshoot Remotely

SalesForce.Com

Web Server

Loading….

Users complain that Salesforce is running slow.IT does not know where is the problem:Switches, WAN Bandwidth, or Cloud Servers?

IT runs Wireshark to capture and analyze packetsat switch uplinks. Wireshark is included in IOS.

Analysis shows no congestion or packet drops at switch.

IT pings web server over WAN links & gets fast response.

WAN links are not causing the problem.

IT isolates the issue to cloud servers.

IT contacts 3rd party cloud provider to resolve the issue.

Switch

WAN

CloudServers


SecurityTrustsec – Simplify Security Enforcement

Role Intranet Financial Servers Web

Guest No No Yes

Employees Yes Yes Yes

Remote VPN Yes No Yes

Employee

RemoteEmployee

Guest

EE RR GG

EE RR EE RREE

11 22 33

EERRGG


SimplicityPlug-N-Play– Simplified Day 0/ Day 1 Provisioning

Pre Provision Projects/Sites• Policies• Match Rules • Configs/Image• IP Addressing

Network Admin

1

Campus-Bldg-2

Smart InstallProxy

PnP Agent

Smart Install-Client

PnP Agent

PnP Agent

PnP Agent

PnP Server

Installer

Remote Installer• Mount and cable devices • Power-on

2APIC EM

3

• Network Admin remotely monitors status of install while in progress.

• Booting devices call out to PnP Server, requesting instructions



Traditional DeploymentsGuest SSID can hog the bandwidth

per SSID Bandwidth

Guest Enterprise

BW allocation

AP

GuestEnterprise

Single user can hog bandwidth

Enterprise

BW allocation

AP

Heavy Hitter

Fair Sharing

Heavy Hitter(BW hog)

Usage based fair bandwidth allocation

Enterprise

Fair BW allocation

Heavy Hitter

Heavy Hitter(BW hog)

Converged AccessDeterministic SSID bandwidth

Enterprise

BW allocationGuest

Enterprise

Guest10% min BW 90% min BW

Hierarchical Bandwidth Management & Fair Sharing


Application Visibility and Control

WirelessAPs

MCCisco Catalyst 3850/3650

Cisco Catalyst 6500/6800

MA MA MA

Web-UI on MA

Applications:Bittorent: 69%Skype: 2%…

NBAR2

Wirelessclients & Apps

Bittorent SkypeFacebook

Wireless only


Cisco Service Discovery Gateway

Customer Challenges:• Apple Bonjour® and Zeroconf compliant devices are

designed for a single LAN at home • Consumers expect the same service discovery in the

Enterprise/Campus – Across VLANs

Benefits:• ZeroConf service discovery across VLANs• Easy to manage• Designed to scale• Transparent to consumer devices• IPv4 and IPv6 • Wireless and wired access• Integrates role-based access control

CAP/WAP

VLAN100 VLAN200

mDNS based technology

The mDNS Policy Profile is a list of allowed

network applications. (i.e. AirPlay or Printing)

AirPrint AirPlay FileShare

Service Policy



Agenda

• What is Converged Access?

• Converged Access Platforms Overview

• Wireless Deployment Options

• The new Converged Access Mobility Architecture

• How to deploy a Converged Access network?

5

Cisco 58© 2013-2014 Cisco and/or its affiliates. All rights reserved.Wireless Control

System

Access ControlServer

LAN MgmtSolution

Identity Mgmt

NACProfiler

GuestServer

Cisco WirelessLAN Controller

InternalResources

Cisco FirewallCisco Access Point

Catalyst Switch

Corporate Network Internet

One ManagementPrime

One PolicyISE

IOS Based WLAN Control ler• Consistent IOS and ASIC as Catalyst 3x50

• Required to scale beyond 200/250 APor 8 000/16 000 client domains

Converged Access Mode• Integrated wireless controller

• Distributed wired/wireless data plane (CAPWAP termination on switch)

WLC 5760

One Network

Catalyst 3650Catalyst 3850

58

One Network with Converged Access


Scalewith distributed wired and wirelessdata plane

Large stack bandwidth;40G wireless / switch;

efficient multicast; 802.11ac optimized

Maximumresiliency with fast stateful recovery

Layered network high availability design with stateful switchover

Singleplatform for wired and wireless

Common IOS, same administration point,

one release

Uni f ied Access - One Po l icy | One Management | One Network

Network wide visibility for

fastertroubleshooting

Wired and wirelesstraffic visible at

every hop

Consistent security and

Quality of Service control

Hierarchical bandwidth management anddistributed policy enforcement

Converged Wired/Wireless Access – Benefits


Agenda






• Good Stuff to Know

6


Cisco Unified Access PortfolioRobust Converged Wired and Wireless Solution

Identity Services Engine (ISE)

Prime Infrastructure

One PolicyOne Policy

1600

Small‐Mid Enterprise

2600 and 2700

Feature‐OptimizedEnterprise

3600

Mid‐LargeEnterprise

3700 W/ HDX

High‐DensityEnterprise

1530

LowProfile

1550

Larger Deployments

8500, 5760, 5508

WirelessControllers

Backbone Switches

Catalyst 4500

Converged Access Switches

Catalyst3650

Catalyst3850

One Network One Network Controllers and Access Switches Controllers and Access Switches

MDM/MAM SIEM

Access Points Access Points


Catalyst 2960-X

AccessSwitch

One Management


6B e s t - i n - C l a s s P e r f o r m a n c e , S e c u r i t y, a n d R e s i l i e n c y

5760 Wireless Controller

Cisco Prime

Who?Who? What?What? When?When?Where?Where? How?How?Who? What? When?Where? How?

ISE

Catalyst 3850/3650• Industry’s first fully integrated wired and wireless switch• Wireless: 480G stack, 50 APs, 2K clients, 40G• Flexible NetFlow, Granular QoS

One Policy with Identity Services Engine (ISE)• BYOD policy management• Device profiling and posture• Guest access portal

• Full wired and wireless management• User/device centric view• Intuitive troubleshooting workflows

One Management with Cisco Prime 2.0

5760 Wireless Controller• Consistent IOS with Catalyst 3850

• 60G, 1K APs, 12K Clients, N+1 Redundancy

• Flexible Netflow, Granular QOS

Catalyst 3850

Unified Access Components – Complete Overview

Cisco 63© 2013-2014 Cisco and/or its affiliates. All rights reserved.Bu i l t on C i s co ’s I nnovat i ve “UADP ” AS IC

Wireless CAPWAP Termination in HW

Up to 50 APs /2000 clients per stack, and 40G per switch

Up to 2000 Clients per Stack

40 Gbps Uplink Bandwidth (Modular)

Stackpower

Line Rate on All Ports

Multi‐Core CPU

480 Gbps Stacking Bandwidth

Full POE+

FRU Fans, Power Supplies ‐ HA

Granular QoS / Flexible NetFlow / SGT‐SGACL

63

APs must be directly connected to Catalyst 3850

Catalyst 3850 Switch – Platform Overview


Wireless CAPWAP Termination in HWUp to 1000 Clients

per Stack

Up to 40 Gbps Uplink Bandwidth

Line Rateon All Ports

FRU Fans

Granular QoS / Flexible NetFlow

Modular 160 Gbps 9 members Stack

SGT/SGACL

Full POE+

Fixed 1G/10G Uplinks

Up to 25 APs / 1000 clients per stack, and 40G per switch

New Front‐End Power Supplies

New Catalyst 3650 Switch – Platform Overview

APs must be directly connected to Catalyst 3650

Bu i l t on C i s co ’s I nnovat i ve “UADP ” AS IC


Centralized, or Converged Access Deployment Modes

First IOS-BasedWireless LAN Controller

FRU Fans

6x 1/10G SFP+uplinks with LAG

FRU Power Supplies

60 Gbps Wireless BandwidthGranular QOS/Flexible NetFlow

Up to 12,000 Concurrent ClientsUp to 1000 Access Points

Bu i l t on C i s co ’s I nnovat i ve “UADP ” AS IC

Wireless LAN Controller (WLC) 5760 – Platform Overview

HA Port


Agenda

• What is Converged Access ?





• Good Stuff to Know


Cisco One Network: Wireless Deployment Modes

One Policy, One Management, One Network

Unified Access Wireless

Unparal leled Deployment Flexibi l i tyUnparal leled Deployment Flexibi l i ty

Autonomous FlexConnect Centralized Converged Access


Unified Access—Wireless Deployment Modes

AutonomousAutonomous FlexConnectFlexConnect CentralizedCentralized Converged AccessConverged Access

Traffic Distributed at AP Traffic Centralized at Controller

Traffic Distributed at SwitchStandalone APs

Target Positioning Small Wireless Network Branch Campus Branch and Campus

Purchase Decision

Wireless only Wireless only Wireless only Wired and Wireless

Benefits

• Simple and cost-effective for small networks

• Highly scalable for large number of remote branches

• Simple wireless operations with DC hosted controller

• Simplified operations with centralized control for Wireless

• Wireless Traffic visibility at the controller

• Wired and Wireless common operations

• One Enforcement Point• One OS (IOS)• Traffic visibility at every network layer• Performance optimized for 11ac

Key Considerations

• Limited RRM, no Rogue detection

• L2 roaming only• WAN BW and latency

requirements

• System throughput • Catalyst 3850/3650 in the access layer

WAN


Access Points

CA 3K

DMZISEPrime

CA 3K

69Employee Guest

INTEGRATED CONTROLLER OPTIONS

Controller-less BRANCH Controller-less SMALL/MEDIUM CAMPUS

PrimeISE

WAN

5508 or WISM2 with SW Upgrade or new 5760

Any CA 3K

LARGE CAMPUS with Controllers

EXTERNAL MOBILITY CONTROLLER NEEDED

ISE Prime

Traditional 3K/4K

Access Points

AP CAPWAP Tunnels

Mobility ControllerMobility

ControllerMobility

ControllerMobility

Controller

INTEGRATED CONTROLLERINTEGRATED CONTROLLER


Mobility AgentMobility Agent

Capwap Tunnel Standard Ethernet, No Tunnels Guest Tunnel from Switch to DMZ Controller

3x50

3x50

• Up to 25 Access Points with 3650 (50 w3850)• Up to 1000 Clients per branch with 3650• All WAN Services Available (local

termination)

• Up to 200 Access Points with only 3650s• Up to 250 Access Points with 3850s• Up to 8000 Clients with only 3650s (16k w/3850)• Visibility, Control and resiliency

• Up to 72 000 Access Points (5760 or WiSM-2)• Up to 1 080 000 clients (WiSM-2 as MCs)• Largest Layer 3 roaming domains

Optional Guest Anchor

Converged Access Deployment Modes


Agenda

• What is Converged Access ?






ISEISE PIPI

Data Centre /Service block

Mobility GroupMobility Group

AP AP AP AP

Inter‐ControllerEoIP / CAPWAP Tunnel

Inter‐ControllerEoIP / CAPWAP Tunnel

AP‐Controller CAPWAP Tunnel802.11 Control Session + Data

Plane

AP‐Controller CAPWAP Tunnel802.11 Control Session + Data

Plane

SSID2 SSID1 SSID3

IntranetEoIP Mobility Tunnel ( < 7.2)

CAPWAP Option in 7.3EoIP Mobility Tunnel ( < 7.2)

CAPWAP Option in 7.3

Notes –• AP / WLC CAPWAP Tunnels are an IETF Standard• UDP ports used –

• 5246: Encrypted Control Traffic • 5247: Data Traffic (non‐Encrypted or DTLS Encrypted (configurable))

• Inter‐WLC Mobility Tunnels• EoIP – IP Protocol 97 … AireOS 7.3 introduces CAPWAP option• Used for inter‐WLC L3 Roaming and Guest Anchor

Inter‐Controller (Guest Anchor)EoIP / CAPWAP Tunnel

Inter‐Controller (Guest Anchor)EoIP / CAPWAP Tunnel

WLC #1WLC #1

CAPWAPTunnelsCAPWAPTunnels LE

GEN

DLEGEN

D

Internet

Well‐known,proven

architecture

Encrypted(see Notes)Encrypted(see Notes)

SSID – VLAN Mapping

(at controller)

SSID – VLAN Mapping

(at controller)

Foreign WLC “Guest” AnchorForeign WLC

“Guest” Anchor

WLC #2WLC #2

Existing Wireless Deployment todayArchitecture Constructs –CUWN Tunnel Types


ISEISE PIPI

Data Centre /Service block

Mobility GroupMobility Group

AP AP AP AP

SSID2 SSID1 SSID3

IntranetEoIP Mobility Tunnel ( < 7.2)

CAPWAP Option in 7.3EoIP Mobility Tunnel ( < 7.2)

CAPWAP Option in 7.3

WLC #1WLC #1

CAPWAPTunnelsCAPWAPTunnels

Internet

Well‐known,proven

architectureForeign WLC “Guest” AnchorForeign WLC

“Guest” Anchor

WLC #2WLC #2

Access Points –AP3600, 2600, etc.Access Points –

AP3600, 2600, etc.

Access Switches –Catalyst

3750‐X, 4500‐E

Access Switches –Catalyst

3750‐X, 4500‐E

Distribution Switches –Catalyst 4500‐E, 6500‐EDistribution Switches –Catalyst 4500‐E, 6500‐E

Core Switches –Catalyst 6500‐ECore Switches –Catalyst 6500‐E

Controllers –WLC 5508,WiSM2

Controllers –WLC 5508,WiSM2

Controller –WLC 5508Controller –WLC 5508

Some typical examples –

of products we see used today at various points

in the CUWN solution set,for wireless as well aswired connectivity

Architecture Constructs –CUWN Product Examples

Existing Wireless Deployment today


Converged Access – Deployment Overview

Mobility DomainMobility Domain MO

Sub-Domain #1

Sub-Domain #1

Sub-Domain #2

Sub-Domain #2

Mobility Group

SPGSPG SPGSPG

PIISE

MAMAMA MAMAMA

MCMC


• Mobility Agent (MA) – Terminates CAPWAP tunnel from AP• Mobility Controller (MC) – Manages mobility within and across Sub‐Domains• Mobility Oracle (MO) – Superset of MC,

allows for Scalable Mobility Management within a Domain

• Mobility Groups – Grouping of Mobility Controllers (MCs)to enable Fast Roaming, Radio Frequency Management, etc.

• Switch Peer Group (SPG) – Localises traffic for roams within its Distribution Block

Physical Entities –

Logical Entities –

MA, MC, Mobility Group functionality all exist in today’s controllers (4400, 5500, WiSM2)

Cisco Converged Access Deployment

Converged Access –Components – Physical vs. Logical Entities


Service BlockService Block ISEISE

PIPI

AP AP AP

• MA is the first level in the hierarchy of MA / MC / MO

• MA is the first level in the hierarchy of MA / MC / MO

• One MA per Catalyst 3850/3650 Stack

• One MA per Catalyst 3850/3650 Stack

• Maintains Client DBof locally served clients

• Maintains Client DBof locally served clients

• Interfaces to the Mobility Controller (MC)

• Interfaces to the Mobility Controller (MC)

MA MA MA

Converged Access –Physical Entities – Mobility Agents (MA)


Service BlockService Block ISEISE

PIPI

AP AP AP

• Mandatory element in design• Mandatory element in design

• Maintains Client DB within a Sub‐Domain (1 x MC = One Sub‐Domain)

• Maintains Client DB within a Sub‐Domain (1 x MC = One Sub‐Domain)

• Handles RF functions (including RRM)• Handles RF functions (including RRM)

• Multiple MCs can be grouped togetherin a Mobility Group for scalability

• Multiple MCs can be grouped togetherin a Mobility Group for scalability

• Manages mobility‐related configuration of the downstream MAs

• Manages mobility‐related configuration of the downstream MAs

• Can be hosted on a MA (smaller deployments)• Can be hosted on a MA (smaller deployments)

• Supported platforms areCatalyst 3850/3650, WiSM2, 5508, and 5760

• Supported platforms areCatalyst 3850/3650, WiSM2, 5508, and 5760

MC

MA MA MA

MC

Cisco Converged Access Deployment

Converged Access –Physical Entities – Mobility Controllers (MC)


• Fast Roaming within an SPG• Fast Roaming within an SPG

• MAs within an SPG are fully-meshed (auto-created at SPG formation)

• MAs within an SPG are fully-meshed (auto-created at SPG formation)

• Made up of multiple Catalyst 3x50 switches as Mobility Agents (MAs),plus an MC (on controller as shown)

• Made up of multiple Catalyst 3x50 switches as Mobility Agents (MAs),plus an MC (on controller as shown)

• Handles roaming across SPG (L2 / L3)• Handles roaming across SPG (L2 / L3)

• Multiple SPGs under the controlof a single MC form a Sub-Domain

• Multiple SPGs under the controlof a single MC form a Sub-Domain

SPGs are a logical construct, not a physical one …SPGs can be formed across Layer 2 or Layer 3 boundaries

SPGs are designed to constrain roaming traffic to a smaller area, and optimize roaming capabilities and performance

Current thinking on best practices dictates thatSPGs will likely be built around buildings,around floors within a building, or otherareas that users are likely to roam most withinRoamed traffic within an SPG moves directlybetween the MAs in that SPG (CAPWAP full mesh)

Roamed traffic between SPGs movesvia the MC(s) servicing those SPGs

Sub-Domain 1

MAMA

SPG-B

MC

MAMA

SPG-A

Converged Access –Logical Entities – Switch Peer Groups (SPGs)


Mobility Domain

Mobility Group M

Converged Access: Mobility Architecture

Fast Roam

Full Authentication

Mobility Group N

Mobility Subdomain A

Mobility Oracle

Mobility Controller

Peer Group 2

50ms 80ms 120ms > 250ms14ms

Mobility Subdomain B

Peer Group 1Mobility Agent


7

Converged Access – Scalability ConsiderationsCheck for latest release notes

As with any solution – there are scalability constraints to be aware of …• These are summarized below, for quick reference

Scalability3650 as

MC(3.3.1SE)

3850 as MC(3.3.1SE)

WLC2504(7.6)

WLC5760(7.6)

WLC5508(7.6)

WiSM2(7.6)

Max APs Supported per MC 25 50 75 1000 500 1000

Max APs Supported in overall Mobility Domain 200 250 5400 72000 36000 72000

Max Clients Supported per MC 1000 2000 1000 12000 7000 15000

Max Clients Supported in overall Mobility Domain 8000 16000 72000 864000 504000 1.08M

Max number of MC in Mobility Domain 8 8 72 72 72 72

Max number of MC in Mobility Group 8 8 24 24 24 24

Max number of MAs in Sub-domain (per MC) 16 16 350 350 350 350Max number of SPGs in Mobility Sub-Domain (per

MC) 8 8 24 24 24 24

Max number of MAs in a SPG 16 16 64 64 64 64

Max number of WLANs 64 64 16 512 512 512

For YourReference


Agenda







• The Catalyst 3850 and 3650 support only directly attached APsAPs need to be in the same VLAN as the Wireless Management interface:

If you do not define a wireless management VLAN on the 3x50, the switch will then be transparent to AP attachment and everything will continue to operate as it does today on a 3750-X.

As soon as you define a «wireless management interface VLAN», the Catalyst 3x50 will interceptall incoming AP CAPWAP requests, and terminate / process them at the local ASIC.

• WLC 5760 supports only NON-directly attached APs

Same as it works today in CUWN: AP attached to a local switch (3750-X or alike) findsthe centralized controller through DHCP option 43 or other methods and registers

interface GigabitEthernet1/0/1description to_APswitchport access vlan 31switchport mode access

interface Vlan31ip address 192.168.31.42 255.255.255.0!wireless management interface Vlan31

81

Converged Access Deployment –Before You Begin – How to Connect APs


Access Points

NewCatalyst 3850

New Catalyst 3850

DMZISEPrime

3850/3650

Employee

Guest


BRANCH LARGER BRANCH/SMALL CAMPUS

UP TO 50 ACCESS POINTS MULTIPLE STACKS, UP TO 250 APs



PrimeISE

WAN

Catalyst 3750


New Catalyst 3850

LARGE CAMPUS

EXTERNAL MOBILITYCONTROLLER NEEDED

GREATER THAN 250 ACCESS POINTS

ISEPrime

Access Points

AP Capwap Tunnels

Mobility ControllerMobility Controller

Mobility AgentMobility AgentINTEGRATED CONTROLLERSINTEGRATED CONTROLLERS

82

Converged Access Deployment – Branch Use Case


Management VLAN Configurationinterface Vlan31description MANAGEMENT VLANip address 192.168.31.42 255.255.255.0

SVIs for client VLANs defined locally on the switch

interface Vlan32description Client VLAN32ip address 192.168.32.2 255.255.255.0

interface Vlan33description Client VLAN33ip address 192.168.33.2 255.255.255.0

Wireless Management Interface Configuration3850(config)# wireless management interface VLAN31

3850# show wireless Interface summary Wireless Interface SummaryAP Manager on management Interface: Enabled

Interface Name Interface Type VLAN ID IP Address IP Netmask MAC Address---------------------------------------------------------------------------------Vlan31 Management 31 192.168.31.42 255.255.255.0 2037.06ce.0a55

ISEPrime

3850

Guest

BRANCH


WAN

This activates the MA functionalityThis activates the MA functionality

83

Converged Access Deployment –Branch Use Case – Mobility Configuration


Configuring Mobility Controller

3850(config)# wireless mobility controller

Mobility role changed to Mobility Controller Please save config and reboot the whole stack

3850# sh wireless mobility summary Mobility Controller Summary:

Mobility Role : Mobility ControllerMobility Protocol Port : 16666Mobility Group Name : defaultMobility Oracle IP Address : 0.0.0.0DTLS Mode : EnabledMobility Domain ID for 802.11r : 0xac34Mobility Keepalive Interval : 10Mobility Keepalive Count : 3Mobility Control Message DSCP Value : 0Mobility Domain Member Count : 1Link Status is Control Path Status : Data Path Status

Controllers configured in the Mobility Domain:IP Public IP Group Name Multicast IP Link Status---------------------------------------------------------------------------------------------192.168.31.42 - default 0.0.0.0 UP : UP

After rebootAfter reboot

ISEPrime

3850

Guest

BRANCH


WAN

This activates the MC functionalityThis activates the MC functionality

84

Converged Access Deployment –Branch Use Case – Mobility Configuration, continued


GUI: Wireless Management Configuration

IOS GUIIOS GUI

85


GUI: VLAN Interface Configuration

IOS GUIIOS GUI

86


Access Point port configurationinterface GigabitEthernet1/0/15

description - Access port for Access pointsswitchport access vlan 31switchport mode access

3850# show ap summary Number of APs: 1

Global AP User Name: Not configuredGlobal AP Dot1x User Name: Not configured

AP Name AP Model Ethernet MAC Radio MAC State --------------------------------------------------------------------------------------AP3502I 3502I c47d.4f3a.ed80 04fe.7f49.58c0 Registered

WLAN Configuration

3850(config)# wlan WPA-PSK 4 wpa-psk 3850(config-wlan)# client vlan 323850(config-wlan)# no security wpa akm dot1x3850(config-wlan)# security wpa akm psk set-key ascii 0 Cisco12343850(config-wlan)# no shut

Access Points need to be configured on Wireless

Management VLAN

Access Points need to be configured on Wireless

Management VLAN

ISEPrime

3850

Guest

BRANCH


WAN

WLAN sample configurationWLAN sample configuration

87

Converged Access Deployment –Branch Use Case – AP Port and WLAN Configuration


Client Connectivity

3850# sh wireless client summary

Number of Local Clients : 1

MAC Address AP Name WLAN State Protocol--------------------------------------------------------------------------------f81e.dfe2.e80e AP3502I 4 UP 11n(5)

3850# sh wcdb database all

Total Number of Wireless Clients = 1Clients Waiting to Join = 0Local Clients = 1Anchor Clients = 0Foreign Clients = 0MTE Clients = 0

Mac Address VlanId IP Address Auth Mob -------------- ------ --------------- ------- -----f81e.dfe2.e80e 32 192.168.32.57 RUN LOCAL

ISEPrime

3850

Guest

BRANCH


WAN

88

Converged Access Deployment –Branch Use Case – Client Connectivity


GUI: WLAN Configuration

IOS GUIIOS GUI

89


Access Points

Catalyst 3850

Catalyst 3850

DMZISEPrime

3850s

Employee

Guest


BRANCH LARGER BRANCH / SMALL CAMPUS

UP TO 50 ACCESS POINTS MULTIPLE STACKS, UP TO 250 APs

INEGRATED CONTROLLERINEGRATED CONTROLLER


PrimeISE

WAN

Catalyst 3750


Catalyst3850

LARGE CAMPUS



ISEPrime

Access Points

AP Capwap Tunnels


Mobility AgentMobility AgentINTEGRATED CONTROLLERINTEGRATED CONTROLLER


90

Converged Access Deployment –Larger Branch / Small Campus Use Case


SPG configuration on 3850 acting as MC

3850-MC1(config)# wireless mobility controller peer-group GroupABC

3850-MC(config)# wireless mobility controller peer-group GroupABC member ip 192.168.41.44

3850 acting as MA

interface Vlan41description MANAGEMENT VLANip address 192.168.41.44 255.255.255.0

3850-MA(config)# wireless management interface VLAN 41

3850-MA(config)# wireless mobility controller ip 192.168.31.42

Access Points

Catalyst 3850

Catalyst3850

MEDIUM BRANCH up to 50 APs, multiple stacks

PrimeISE

AP Capwap Tunnels


3850-MC1# sh wireless mobility summary

Mobility Controller Summary:

Mobility Role : Mobility ControllerMobility Protocol Port : 16666Mobility Group Name : defaultMobility Oracle IP Address : 0.0.0.0DTLS Mode : EnabledMobility Domain ID for 802.11r : 0xac34Mobility Keepalive Interval : 10Mobility Keepalive Count : 3Mobility Control Message DSCP Value : 0Mobility Domain Member Count : 1

Link Status is Control Path Status : Data Path Status

Controllers configured in the Mobility Domain:

IP Public IP Group Name Multicast IP Link Status-------------------------------------------------------------------------------192.168.31.42 - default 0.0.0.0 UP : UP

Switch Peer Group Name : GroupABCSwitch Peer Group Member Count : 1Bridge Domain ID : 0Multicast IP Address : 0.0.0.0

IP Public IP Link Status-------------------------------------------------------192.168.41.44 192.168.41.44 UP: UP

Both control and data plane need to be UPBoth control and data plane need to be UP

91

Converged Access Deployment –Larger Branch / Small Campus Use Case – SPG Configuration


MC configuration on the 3850 to create a Mobility Group and add the other switch as a member

3850-MC1(config)# wireless mobility group name Mobility-GroupABC

3850-MC1(config)# wireless mobility group member ip 192.168.41.44 public-ip 192.168.41.44 Mobility-GroupABC

MC configuration on the other 3850

3850-MC2(config)# wireless mobility controller

Mobility role changed to Mobility Controller Please save config and reboot the whole stack

3850-MC2(config)# wireless mobility group name Mobility-GroupABC

3850-MC2(config)# wireless mobility group member ip 192.168.31.42 public-ip 192.168.31.42 Mobility-GroupABC

Access Points

Catalyst 3850

Catalyst3850

SMALL CAMPUS up to 250 APs, multiple stacks

PrimeISE

AP Capwap Tunnels


This switch is now also a Mobility Controller,

not onlya Mobility Agent

This switch is now also a Mobility Controller,

not onlya Mobility Agent


92

Converged Access Deployment –Larger Branch / Small Campus Use Case – Multiple MCs


Access Points

Catalyst 3850

New Catalyst 3850

DMZISEPrime

3850

Employee

Guest


BRANCH LARGER BRANCH/SMALL CAMPUS

UP TO 50 ACCESSS POINTS MULTIPLE STACKS, UP TO 250 APs



PrimeISE

WAN


AP Capwap Tunnels

INTEGRATED CONTROLLERSINTEGRATED CONTROLLERS

Catalyst 3750

5508 or WISM2 with SW upgrade or 5760

Catalyst3850

LARGE CAMPUS


ISEPrime

Access Points



93

Converged Access Deployment –Large Campus Use Case


• Configure 5760 as MC and member of SPG

interface Vlan100description WIRELESS MANAGEMENT VLANip address 192.168.100.42 255.255.255.0

5760(config)# wireless management interface VLAN100

5760(config)# wireless mobility controller peer-group WestBldg

5760(config)# wireless mobility controller peer-group WestBldg member ip 10.1.1.5

• Configure 3850 as MA

interface Vlan10description MANAGEMENT VLANip address 10.1.1.5 255.255.255.0

3850(config)# wireless management interface VLAN10

3850(config)# wireless mobility controller ip 192.168.100.42

Catalyst 3750

5508/WISM2 with swupgradeor 5760

Catalyst3850

LARGE CAMPUS

ISEPrime

Access Points


Controller


94

Converged Access Deployment –Large Campus Use Case – Mobility Configuration


• Mobility Group configuration

5760(config)# wireless mobility group name cisco-live

5760(config)# wireless mobility group member ip 10.1.1.5

• Verify the configuration

5760# sh wireless mobility summary

Mobility Controller Summary:Mobility Role : Mobility ControllerMobility Protocol Port : 16666Mobility Group Name : cisco-liveMobility Oracle : DisabledMobility Oracle Ip Address : 0.0.0.0DTLS Mode : EnabledMobility Domain ID for 802.11r : 0x2feeMobility Keepalive Interval : 10Mobility Keepalive Count : 3Mobility Control Message DSCP Value : 0Mobility Group Members Configured :

Catalyst 3750

5508 or WISM2 with swupgradeor 5760

Catalyst3850

LARGE CAMPUS

ISEPrime

Access Points


Controller

Mobility AgentMobility AgentControllers configured in the Mobility Domain:

IP Address Public IP Address Group Name Multicast IP Status------------------------------------------------------------------------------------192.168.100.42 - cisco-live 0.0.0.0 UP10.1.1.5 10.1.1.5 cisco-live 0.0.0.0 UP

Switches configured in WestBldg switch Peer Group: 1

IP Address Public IP Address Status------------------------------------------------------------------192.168.41.44 192.168.41.44 UP

95

Converged Access Deployment –Large Campus Use Case – Mobility Configuration, continued


GUI: Mobility Controller Configuration-5760

IOS GUIIOS GUI

96


GUI: Mobility Agent Configuration CAT3850

IOS GUIIOS GUI

97


GUI: Switch Peer Group Configuration

IOS GUIIOS GUI

98


• New Mobility is supported on 7.3.112, 7.5 and 7.6 with 5508 and WiSM2

• Only MC and MO functions are supportedon the upgraded controller

“MA only” functionality for converged access APs is only supported on 3850

• Seamless and Fast roaming is supportedbetween Converged Access and CUWN

Controllers need to be In the same Mobility Group

Roaming is always treated as a L3 roam

Traffic is anchored at the home switch/controller

• 5760 can terminate CAPWAP tunnel from APsconnected to non-MA switches

• 3850 (acting as MA) will only allow APs toterminate CAPWAP locally

Cannot connect an AP to 3850 and have it registered to a CUWN controller

Catalyst 3750


Catalyst 3850 / 3650

Hybrid CUWN and Converged Access Deployment

ISEPrime

Access Points



Converged Access Deployment –Hybrid Deployment – Key Considerations

99


Converged Access Deployment –IOS-XE-based Wireless Controllers – Highlights

1

• 60 Gbps wireless throughput

• Up to 1000 Aps

• Up to 12000 Clients

• Optimized for 802.11ac deploymentsDistributed data forwarding & services

Support for latest 3700 802.11ac AP!

• Common IOS and Feature Set for Wired and Wireless

Granular QoS

Downloadable ACLs

EEM / TCL Scripting, Secure Copy

Flexible Netflow v9

• Multiple LAGs (Aggregated uplinks)

• Secure Web-auth redirection using HTTPS

• Right-To-Use license model

Differentiating capabilitiesDifferentiating capabilitiesWLC 5760WLC 5760


• Up to 50 directly connected APs / Stack

• Up to 2000 Clients per Switch/Stack



• Up to 25 directly connected APs / Stack

• Up to 1000 Clients per Switch/Stack



Feature 5508 5760

Throughput 8 Gbps 60 Gbps Line‐rate

Scale 500 APs, 7000 Clients Up to 1000 APs, 12000 Clients

Data forwarding Modes Local, Flex, Mesh, Outdoor, OEAP Local Mode

Resiliency SSO, N+1, HA SKU AP SSO, N+1, Multiple LAG, HA SKU

QoS Alloy (precious metal) QoS Granular QoS (MQC), AFB

Security Dynamic ACLs (Airspace ACL) Downloadable and Dynamic ACLs

BYOD ISE 1.2, CWA, Device Sensor, Policy Classification Engine ISE 1.2, CWA, Policy Classification Engine

AVC AVC phase 3, Microsoft Lync and Jabber support AVC Phase 2, Lync and Jabber support

Bonjour Bonjour Phase 3 Bonjour Phase 2

IPv6 IPv6 Client Mobility, First Hop Security, Source Guard IPv6 Client Mobility, First Hop Security

Management GUI, AireOS CLI, Secure FTP IOS CLI, EEM/TCL, GUI

Licensing License PAK based on serial number Right to use101

Converged Access Deployment –WLC 5760 (IOS-XE 3.6) vs. WLC 5508 (AireOS 8.0)


102

• Software compatibility matrix for IOS based Controllers:

(*) IOS-XE 3.6 is not officially supported by PI 2.1 because it doesn’t supportthe new features and but supports the new hardware introduced in IOS-XE 3.6

5760 3850 3650 5508 MSE ISE ACS Prime

3.2.0SE 3.2.0SE - 7.3.112 - 1.1.1MR 5.2 -

3.2.1SE 3.2.1SE - 7.3.112 - 1.1.3,1.1.2 5.2, 5.3 -

3.2.2SE 3.2.2SE - 7.3.112/7.5+ - 1.1.3,1.1.2 5.2,5.3 -

3.2.3SE 3.2.3SE - 7.3.112/7.5+ 7.4 1.1.3,1.1.2 5.2, 5.3 2.0

3.3.0SE 3.3.0SE 3.3.0SE 7.3.112/7.5+ 7.5 1.2 2.1

3.3.xSE 3.3.xSE 3.3.xSE 7.3.112/7.5+ 7.5 1.2 2.1

3.6.0SE 3.6.0SE 3.6.0SE 7.6/8.0 8.0 1.2/1.3 2.1*

Converged Access Deployment – Software Matrix


Agenda






• Putting it all together

1


1

An Evolutionary Advance to Cisco’s Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands ….

Control plane functionalityon NG Controller

(also possible on upgraded 5508s, WiSM2s forbrownfield deployments, or NG Converged

Accessswitches for small, branch deployments) Next-Generation WLAN Controller (5760)

Data plane functionalityon NG Switches

(also possible on NG Controllers, for deploymentsin which a centralized approach is preferred)

Next-Generation Switches (Cat 3850/3650)

Enabled by Cisco’s strengthinSilicon and Systems …UADP ASIC

ControllerController

104

Bringing Together Wired and Wireless –How Are We Addressing This Shift?


1

Bringing Together Wired and Wireless –How Are We Addressing This Shift?

Mobility DomainMobility Domain MO

Sub-Domain #1

Sub-Domain #1

Sub-Domain #2

Sub-Domain #2

Mobility Group

SPGSPG SPGSPG

PIISE

MAMAMA MAMAMA

MCMC

An Evolutionary Advance to Cisco’s Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands ….

CiscoConverged

AccessDeployment


Converged Access – Deployment Guides

1

For additional deployment information, check the deployment guides…

WLC 5760 Deployment Guide: http://www.cisco.com/en/US/docs/wireless/technology/5760_deploy/CT5760_Controller_Deployment_Guide.html

Catalyst 3850 Deployment Guide: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/deployment_guide_c07-727067.html

IOS-XE HA Deployment Guide: http://www.cisco.com/en/US/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/5760_HA_DG_iosXE33.pdf

AVC Deployment Guide: http://www.cisco.com/en/US/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/iosXE_3point3_AVC_DG.html


Rob RummelCCIE 9012Systems Engineer

Mahalo!!!