Design and Deployment of Branch Office Wireless Networks Live 2015 Melbourne... · Design and Deployment of Branch Office Wireless Networks Sujit Ghosh Sr. Mgr. Technical Marketing

#clmel

Design and Deployment of Branch Office Wireless Networks

Sujit Ghosh

Sr. Mgr. Technical Marketing

BRKEWN-2016

© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public

Objective

3

Best Practices for Designing Resilient, Secure

and Service-Ready Branch Networks

BRKEWN-2016 Cisco Public© 2015 Cisco and/or its affi liates. All rights reserved.

Agenda

• Learn Cisco Unified Wireless LAN Principles

• Understand Wireless Branch Deployment Options

• Evaluate FlexConnect Architectural Requirements

• Identify the need for FlexConnect & AP Groups

• Design a Resilient Branch Network

• Design Secure & BYOD enabled Branch Network

• Operate Wireless Branch efficiently over WAN

• Service-Ready Branch

• FlexConnect Best Practices

4

Cisco Unified Wireless LAN Principles


Wireless Controller: Deployment Modes

Autonomous FlexConnect Centralised Converged Access

Traffic Distributed at AP Traffic Centralisedat Controller

Traffic Distributed at SwitchStandalone APs

Target

PositioningSmall Wireless Network Branch Campus Branch and Campus

Scope Wireless only Wireless only Wireless only Wired and Wireless

High

Availability

• Can only claim AP quality

• No RF HA• No Network layer HA

• No services

• Full RF HA

• Client SSO when Local Switching

• Most complete solution • Exploits HA in IOS switches

Key

Considerations

• Limited features. Upgradable

to controller based

• Branch with WAN BW and

latency requirements• Full features

• Catalyst 3650/3850 in the access

layer

WAN


Branch Office Deployment

• Hybrid architecture

• Single management and control point

• Data Traffic Switching

– Centralised traffic(split MAC)

– or

– Local traffic (local MAC)

• HA will preserve local traffic only

• Traffic Switching is configured per AP and per WLAN (SSID)

7

FlexConnect (HREAP)

WAN

Central Site

Remote Office

Centralised

Traffic

Centralised

Traffic

Local

Traffic

Wireless Branch Deployment Options


Branch Office with Local WLAN Controller

• Branches can also have local controllers

• Small or Mid-size Branch WLCs

– CT-2504,

– Integrated controller modules in ISR/ISR-G2

– Converged Access Cat-3850

9

Overview

Remote Site B

Remote Site A

WLC-25xx

WLCM for

ISR/ISR-G2

Backup Central

Controller

WAN

Central Site

Remote Site C

Cat-3850

CAPWAP

• Cookie cutter configuration for every branch site

• Layer-3 roaming within the branch

• IPv6 L3 Mobility

Advantages


Branch Office Deployment

• Hybrid architecture

• Single management and control point

• Data Traffic Switching

– Centralised traffic(split MAC)

– or

– Local traffic (local MAC)

• HA will preserve local traffic only

• Traffic Switching is configured per AP and per WLAN (SSID)

10

FlexConnect (HREAP)

WAN

Central Site

Remote Office

Centralised

Traffic

Centralised

Traffic

Local

Traffic


FlexConnect Glossary

11

Standalone Mode When FlexConnect AP cannot reach Controller, it goes into standalone state and does client authentication by itself.

Local Switching Data traffic switched onto local VLANs for an SSID

Central Switching Data traffic tunneled back to WLC for an SSID

Connected Mode When FlexConnect AP can reach Controller, it gets help from controller to complete client authentication.


Configure FlexConnect Mode

• Enable FlexConnect mode per AP

• Supported APs:

AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600 , AP-2600 , AP-3600, AP-1700, AP-3700, AP-2700, AP 700, AP-1520, AP-1530, AP-1550, AP-1570

12

Step 1: Configure Access Point Mode


Configure FlexConnect Local Switching

Only WLAN with “FlexConnect Local Switching” enabled will allow local switching on the FlexConnect AP

13

Step 2: Enable Local Switching per WLAN


Configure FlexConnect VLAN Mapping

• FlexConnect AP can be connected on an access port or connected to a 802.1Q trunk port (using the native VLAN)

• VLAN mapping can be performed per AP configuration on WLC and/or by AP groups using Cisco Prime Infrastructure templates

14

Step 3: FlexConnect Specific Configuration



• When connecting with Native VLAN on AP, L2 switchport must also match with corresponding Native VLAN configuration

• Each corresponding SSID that is allowed to be locally switch should be allowedon the corresponding switchport.

15

Step 4: FlexConnect Specific Configuration – Native Vlan


Configure FlexConnect SSID-VLAN Mapping

• Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP

• Or use Cisco Prime Infrastructure (NCS) via configuration templates

16

Step 5: Per AP SSID to VLAN Mapping

1 2



• Prime Infrastructure provides simplifiedconfiguration to all FlexConnect APswith one Lightweight AP Template

17

Using Cisco Prime Infrastructure

Evaluate FlexConnect Architectural Requirements


FlexConnect Design Considerations

19

WAN Limitations Apply

Deployment Type

WAN Bandwidth(Min)

WAN RTT Latency

(Max)

Max APs per

BranchMax Clients per

Branch

Data 64 kbps 300 ms 5 25

Data 640 kbps 300 ms 50 1000

Data 1.44 Mbps 1 sec 50 1000

Data+Voice 128 kbps 100 ms 5 25

Data+Voice 1.44 Mbps 100 ms 50 1000

Monitor 64 kbps 2 sec 5 N/A

Monitor 640 kbps 2 sec 50 N/A

For YourReference

It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip

latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.


FlexConnect Design Considerations

– MAC/Web Auth in Standalone Mode

– IPv6 L3 Mobility

– SXP TrustSec

– Application Visibility and Control Coming in 8.1

– Service Discovery Gateway

– Native Profiling and Policy Classification

– See full list in « FlexConnect Feature Matrix »

– http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml

Feature Limitations In Standalonemode and Local Switching

20

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml


IPv6 Support

21

Significant support for IPv6 with Central Switching

IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching

✔

✔

✔

✔

✔

✔

✔

✔

✔


Economies of Scale For Lean BranchesFlex 7500 Wireless Controller

22

WAN Tolerance

• High Latency Networks

• WAN Survivability

Security

802.1x based port authentication

Voice support

• Voice CAC

• OKC/CCKM

Key Differentiation

Access Points 300-6,000

Clients 64,000

Branches ( Flex Groups ) 2000

Access Points / Branch 100

Deployment Model FlexConnect

Form Factor 1 RU

IO Interface 2 x 10GE

Upgrade Licenses 100, 200, 500, 1K

RTU Licenses

Functionality


Optimised for High Scale DeploymentsCisco 8510 Series Controller

Access Points 300-6,000

Clients 64,000

Branches/locations 6,000 (2000 FlexGroups)

Access Points per

FlexConnect group

100

Deployment types Local (centralised),

FlexConnect and mesh

Form Factor 1 RU

IO Interface and

redundancy

Dual redundant 10GE ports

with LAG

* Indicates unique 8500 features

Functionality

High scale

• 4K VLANs

Rich Features with deployment flexibility

Geo Separated AP/Client SSO

• FlexConnect, Local mode and mesh support Right to use

(with EULA) for ease of license enablement

• 3G Packet core integration: PMIPv6 MAG solution with ASR5K (LMA)

• FlexConnect with HS2.0 for 3G offload

• Other key features:

802.11r fast roaming

Rate limit traffic flows

Video Stream for rich media flows

Key Differentiation


FlexConnect Feature Introduction

24

For YourReference

FlexConnect Features Release Version

AAA-VLAN Override, ALCs & P2P Blocking 7.2

Smart AP Image Upgrade 7.2

External Web-Auth & Mobile Device On-boarding 7.2

Flex 7500 Scale Update 7.3

VLAN Based Central Switching 7.3

Split-tunnelling 7.3

Work Group Bridge (WGB) Support 7.3

Bi-Directional Rate Limiting 7.4

ISE BYOD Registration & Provisioning 7.4

AAA-ACL & AAA-QoS Override 7.5

EAP-TLS & PEAP Support for Local Authentication 7.5

Ethernet Fallback 7.6

VideoStream for Local Switching 8.0

Faster time to deploy 8.0

FlexConnext on Mesh APs 8.0

AVC for FlexConnect 8.1

VLAN Name override for FlexConnect 8.1

Why Do We Need FlexConnect and AP Groups?


Understanding AP Groups

• AP Groups is a logical concept of grouping AP’s which deliver similar Wi-Fi services; these services can be:

– By physical location, and/or

– By functional services (data, voice, guest, …)

• Same AP groups need to be defined in all WLC’s of a mobility group

Overview

26

Remote Site A Remote Site B

Central Site

WAN

AP Group 1

AP Group 2

AP Group 3

Flex 7500

Scaling 7500/8500 CT-5508 WiSM-2 CT-2504

# AP Groups 6000 500 1000 50

# WLAN

(SSID)512 512 512 16

# VLAN

(Interfaces)4095 512 512 16


AP Groups

Configuration: Create a New Group

27


AP Groups Usage

28

WAN

Central Site

StoreManufacturing Site

AP Group 2

AP Group 3

AP Group 1

Corporate-Voice

Guest-Access

Corporate-Data

Guest-Access

Corporate-Data

@ Internet

Scanners

AP groups give the ability to enable

Wi-Fi Services (WLAN) based on

physical location

Central SiteCorporate-Voice, Corporate-Data,

Guest-Access

Manufacturing SiteCorporate-Voice, Corporate-Data,

Scanners

StoreCorporate-Data, Guest-Access

Per Location SSID


AP Groups Usage

• AP groups give the ability to statically map Wi-Fi service (WLAN) to VLAN based on physical location

• Users see the sameWi-Fi service on all sites.

• Admincan monitor and filter basedon different IP@ each site

• Can also be used to have smallerWi-Fi subnets

• For example per floor subnets in a building.

Per AP Group SSID to VLAN Mapping

29

Corporate-Data

Corporate-Data

Corporate-Data

VLAN-1

VLAN-2

VLAN-3

Manufacturing Site

Store

Central Site

WAN/MAN

AP Group 1Head Office

AP Group 2

AP Group 3


AP Groups

Configuration/VLAN Mapping

30


Understanding FlexConnect Groups

31

FlexConnect Group 1

Remote Site Remote Site

WAN

Central Site

FlexConnect Group 2

Flex 7500

Cluster

Scaling

Flex

7500/

8500

CT-5508 WiSM2 CT-2504

FlexConnect

Groups2000 100 100 30

AP per Group 100 25 25 25

Overview

FlexConnect groups allow sharing of:

• CCKM/OKC fast roaming keys

• Local/backup RADIUS servers IP/keys

• Local EAP authentication

• AAA-Override for Local Switching

• Smart Image Upgrade

• FlexConnect AVC (8.1)


FlexConnect Groups and CCKM/OKC Keys

32

WAN

Central Site

RADIUS Server

CCKM Keys

FlexConnect Group 1 FlexConnect Group 2

• CCKM/OKC keys stored on FlexConnect

APs for Layer 2 fast roaming

• The FlexConnect APs receives CCKM/OKC

keys from WLC

• If a FlexConnect AP boots up in standalone mode, it will not get the

OKC/CCKM keys from the WLC

• FlexConnect supports 802.11r Fast

Transition with local key caching.

Overview


FlexConnect Groups Creation

33

Step 1: Add a New FlexConnect Group

Step 2: Add APs to the FlexConnect Group

1

2


FlexConnect Groups Template on PI

34


FlexConnect Groups Template on PI

35

Designing a Resilient Wireless Branch Network


FlexConnect Backup Scenario

• FlexConnect will backup on local switched mode

– No impact for locally switched SSIDs

– Disconnection of centrally switched SSIDs clients

• Static authenticationkeys are locally stored in FlexConnect AP

• Lost features

– RRM, WIDS, location, other AP modes

– Web authentication, NAC

WAN Failure

37

Remote Site

WAN

Central Site

Application

Server



• FlexConnect will first backup on local switched mode


– Disconnection of centrally switched SSIDs clients

• CCKM roaming allowed in FlexConnect group

• FlexConnect AP will then searchfor backup WLC; when backup WLC is found, FlexConnect AP will resync with WLC and resume client sessions with central traffic.

• Client sessions with Local Traffic are not impacted during resync with Backup WLC.

WLC Failure scenario with N+1 HA

38

Remote Site

WAN

Central Site

Application

Server



• HA considerations:


– Disconnection of centrally switched SSIDs clients with AP SSO

– No/minimal impact for centrally switched client with Client SSO (7.5 and above)

• FlexConnect AP will NOT transition to Standalone because SSO kicks in

• AP will continue to be in Connected mode with the Standby (now Active) WLC

39

WAN

Application

Server

Remote Office

Central SiteActive

StandbyWLC failure scenario with SSO


FlexConnect Group : Backup Scenario

• Normal authentication is done centrally

• On WAN failure, AP authenticates new clients with locally defined RADIUS server

• Existing connected clients stay connected

• Clients can roam with – CCKM fast roaming, or

– Re-authentication

Local Backup RADIUS

40

Remote Site

WAN

Central Site

Central

RADIUS

Local Backup

RADIUS

CCKM Fast Roaming


FlexConnect Group: Local Backup RADIUS

• Define primary and secondary local backup RADIUS server per FlexConnectgroup

Configuration

41


Local Authentication

42

Remote Site

WAN

Central Site

FlexConnect Group

Central

RADIUS

Local

RADIUS

• By default FlexConnect AP authenticates clients through central

controller

• Local Authenticationallow use of local RADIUS server directly from the FlexConnect AP

Local Authentication


Local AuthenticationConfiguration

43


FlexConnect Group: Backup Scenario

• Normal authentication is done centrally

• On WAN failure, AP authenticates new clients with its local database

• Each FlexConnect AP has a copy of the local user DB

• Existing authenticated clients stay connected

• Clients can roam with:

– CCKM fast roaming, or

– Local re-authentication

Local Backup Authentication

44

Remote Site

WAN

Central Site

Central

RADIUS

CCKM Fast

Roaming

FlexConnect Group 1

Supported Security Types Release Version

LEAP 6.0

EAP-FAST 6.0

PEAP 7.5

EAP-TLS 7.5


FlexConnect Group: Local Backup Authentication

• Define users (max 100) and passwords

• Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS

Configuration

45

1 2

Designing Secure and BYOD Enabled Branch Network

FlexConnect Peer-to-peer Blocking


Local Switching Peer-to-peer Blocking

48

Remote Site

WAN

Central Site

Application

Server

Starting from 7.2

Support for Peer-to-Peer blocking in FlexConnect AP

Apply for clients on same FlexConnect AP

P2P blockingmodes : disable or drop

For P2P blocking inter-AP use ACL or

Private VLAN function

Overview


Local Switching Peer-to-peer BlockingConfiguration

49

Multiple Policy Touch Points

Both modes of operation will drop the packet @ AP for Local Switching

enabled WLAN

* Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream node connected to WLC

FlexConnect AAA VLAN and QoS Override


VLAN 7

QoS = Platinum

VLAN 3

QoS = Silver

FlexConnect AAA VLAN Override

• AAA VLAN Override with local or central authentication

• Up to 16 VLANs per FlexConnect AP

• VLAN ID must be enabled per AP or FlexConnect Group

• If VLAN ID does not exist, default VLAN isused, unless « VLAN Based Central Switching » enabled

• Starting from 7.5 AAA override for QoS isalso supported.

Description

51

Remote Site

WAN

Central Site

FlexConnect Group

RADIUS

Application

Server

Starting from 7.2


FlexConnect AAA VLAN OverrideConfiguration

52

WAN

ISE

Create Sub-Interface on FlexConnect

AP

IETF 81IETF 64IETF 65

For YourReference


VLAN Based Central Switching

• Whiledoing AAA VLAN Override withlocal switching :

• If VLAN ID does not exist at the AP, the traffic is central switched to the central VLAN ID

• If the central VLAN ID does not exist, the traffic is centrally switched to the default VLAN ID of the WLAN

Overview

53

Remote Site

WAN

Central

RADIUS

VLAN 7

VLAN 3

VLAN 7

VLAN 3

does notExist on

this AP

VLAN 7

does notExist on

this AP

VLAN 7

does not

Exist on

this WLC

Go to DefaultVLAN ID

Central VLAN 3


FlexConnect AAA QoS Override

Description

54

Dynamically assign QoS levels and/or bandwidth contracts for local switching, centrally authenticated WLANs

Web-authenticated WLANs and 802.1X-authenticated WLANs supported

Order of precedence for Rate Limiting parameters AAA override

QoS Profile of AAA override

Local WLAN configuration

QoS Profile of local WLAN configuration

Starting from 7.5

Vendor ID/Vendor Type Attribute

[14179\002] Aire-QoS-Level

[14179\004] Aire-802.1P-Tag

[14179\007] Aire-Data-Bandwidth-Average-

Contract

[14179\008] Aire-Real-Time-Bandwidth-

Average-Contract

[14179\009] Aire-Data-Bandwidth-Burst-

Contract

[14179\0010] Aire-Real-Time-Bandwidth-

Burst-Contract


AAA Override Deployment ScenarioProblem Statement

Remote Site BRemote Site A

Function VLAN ID

Engineering 10

Marketing 20

Sales 30

VLAN 20

WAN

Central Site

Application

Server

Function VLAN ID

Engineering 11

Marketing 21

Sales 31

VLAN 20

does not

exist

Application

Server


VLAN Name Mapping at FlexConnect Group

Remote Site B

Central Site

WAN

Remote Site A

Flex Group A

VLAN Name VLAN

ID

Engineering 10

Marketing 20

Sales 30

.

.

HR 160

VLAN ID

11

21

31

VLAN ID

10

20

30

VLAN Name VLAN

ID

Engineering 11

Marketing 21

Sales 31

Flex Group B

VLAN Name VLAN

ID

Engineering 11

Marketing 21

Sales 31

.

.

HR 161

VLAN Name VLAN

ID

Engineering 10

Marketing 20

Sales 30

Coming in 8.1

© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public 57

VLAN Name AAA Override - Solution

Remote Site BRemote Site A

VLAN Name VLAN ID

Engineering 10

Marketing 20

Sales 30

VLAN NAME=

Marketing

Remote Site

WAN

Central Site

Application

Server

VLAN Name VLAN ID

Engineering 11

Marketing 21

Sales 31

Remote Site

VLAN 20

VLAN 21

Aire-Interface-Name or

IETF Tunnel-Private-Group-ID

Coming in 8.1

FlexConnect ACL VLAN Mapping and Per-Client ACL


FlexConnect ACL – VLAN Mapping

• FlexConnects ACL are applied per VLAN

• FlexConnect ACL are Ingress / Egress oriented

• Starting from 7.5 FlexConnect ACL support AAA-

returned Client ACL

Overview

59

Remote Site

WAN

Central Site

Application

Server

Starting from 7.2

512 FlexConnect ACL per WLC

• 16 ingress ACL & 16

egress ACL per AP

• 64 ACL rules per ACL

• No IPv6 ACL

ACL Scale


FlexConnect Access Lists

• FlexConnect ACL rule creation is similar to rule creation for Local Mode AP

Configuration – Create FlexConnect ACL

60

1

2

3



• FlexConnect ACL can be applied per AP using VLAN Mappings configuration

Configuration – FlexConnect ACL per AP

61

1

2



• FlexConnect ACL can be applied per FlexConnect Groups per VLAN in the ACL Mapping tab.

Configuration –FlexConnect ACL per FlexConnect Group

62

1 2

FlexConnect Split Tunnelling(Using FlexConnect Split ACL)


FlexConnect ACL – Split Tunnelling

• Split tunnelling allow some traffic to be locally switched although the WLAN is defined as centrally switched

• Split tunnelling is using a NAT/PAT feature with ACL to perform the local switching

• Split tunnelling is using the AP IP@ for the NAT/PAT feature

Overview

64

WLCFlexConnect APCAPWAP

WAN

Central Server

Central Traffic

Local Printer

NAT/PAT

ACL

Local Traffic

Starting from 7.3


FlexConnect ACL – Split Tunnelling

• Create a centrally switched WLAN

• Define Flex ACL to match traffic to be locally switched

Configuration

65

Flex Local switching should not be checked

Central subnet Local subnet


FlexConnect ACL – Split TunnellingConfiguration – Per Access Point

66


FlexConnect ACL – Split TunnellingConfiguration – Per FlexConnect Group

67

Deploying External WebAuth with FlexConnect Local Switching (Using FlexConnect WebAuth ACL)


External WebAuth with Local Switching

• Provides L3 Web Redirect from locallyswitched vlan

• Reduces WAN traffic by locally switchingguest traffic

• Flexible and centralised web portal creationfor multiple sites

• Provides flexible use of Conditional and Splash Page Web Redirect

• FlexConnect AP must be in Connectedstate with Centralised Controller for thisfunctionality to work

Description

69

Remote Site

WAN

Central Site

FlexConnect Group 1

VLAN

503

VLAN 7 - Employee

Internet

WebServer

Starting from

7.2.110

Guest


External WebAuth with Local SwitchingConfiguration

70

Step 1: Configure Pre-Auth ACL that will be applied to FlexConnect Group, AP or WLAN

External Web-Server IP



71

Step 2: Apply Pre-Auth ACL to WLAN

Apply Pre-Auth ACL to WLAN


External WebAuth with Local SwitchingConfiguration – Per AP

72

Step 3: Apply Pre-Auth ACL to FlexConnect AP

Map WLAN-Id to Pre-Auth ACL


External WebAuth with Local SwitchingConfiguration – Per FlexConnect Group

73

Or Step 3: Apply Pre-Auth ACL to FlexConnect Group

Map WLAN-Id to Pre-Auth ACL



74

Step 4: Configure External Web Server

External Web-Server IP

Deploying BYOD with FlexConnect Local Switching(Using FlexConnect WebPolicies ACL)


Bring Your Own Device(s) : The New Normal


CA-Server

BYOD Device On-Boarding in FlexConnectExample: Apple iOS Device Provisioning

77

ISEWLC

ISEWLC

Client Reconnects

CA-Server

Starting from 7.4

Initial Connection Using

PEAP 1

Device Provisioning

Wizard2

Future Connections

using EAP-TLS3


FlexConnect Access Lists for BYOD

• Create FlexConnect ACL to allow access to Cisco ISE

Create FlexConnect ACL

78

1

2

3


FlexConnect Web Policy ACL

• ACL Mapping can be configured per FlexConnect AP

Configure Web Policy ACL per FlexConnect AP

79


FlexConnect Web Policy ACL

• Use ACL Mapping tab in FlexConnect Group configuration

• WebPolicies ACL are not the same as VLAN ACL or WebAuthentication ACL.

Configure Web Policy ACL per FlexConnect Group

80


Cisco Wireless Central DHCP Processing

• To support DHCP Profiling Probe with FlexConnect, DHCP request must be sent to WLC. This is done by the « Central DHCP Processing » configuration.

Configuration

81


Deploying BYOD with FlexConnect WirelessSummary – 802.1x/EAP Authentication

82

ISE

WLCFlexConnect AP

CAPWAP

WANWeb Server

DHCP Server

802.1x/EAP Request Radius Access-Request

Radius Access-Response• Access-Type: Access-Accept

• URL-Redirect-ACL=FlexACLWebPolicy,

• URL-Redirect=http://……)

802.1x/EAP Response

Inside CAPWAP

Inside CAPWAP

URL + ACL Redirect

Inside CAPWAP

WiFi Association

Unknown Device,

Redirect to registration


Deploying BYOD with FlexConnect WirelessSummary – DHCP Request

83

DHCP Request

RADIUS-Accounting• host-name=MyiPad

• dhcp-class-identifier=APPLEDHCP Lease

Inside CAPWAP

Inside CAPWAP

ISE

WLCFlexConnect AP

CAPWAP

WANWeb Server

DHCP Server

Device is

an iPad


Deploying BYOD with FlexConnect WirelessSummary – URL-Redirect

84

HTTPRequest

ISE

WLCFlexConnect AP

CAPWAP

WANWeb Server

DHCP Server

URL-Redirect

Inside CAPWAP

HTTP Request Redirected to WLC by AP


Deploying BYOD with FlexConnect WirelessSummary – Registration & Provisioning

85

Device Registration & Provisioning

ISE

WLCFlexConnect AP

CAPWAP

WANWeb Server

DHCP Server

RADIUS Change-of-AuthorisationEAP DeAuthentication

EAP Authentication

Device is Registrered

Trigger Change-of-Auth


Deploying BYOD with FlexConnect WirelessSummary – Device Access

86

ISE

WLCFlexConnect AP

CAPWAP

WANWeb Server

DHCP Server

802.1x/EAP Request/ResponseRadius Access-Request

Inside CAPWAP

DHCP Request/Response

Inside CAPWAP

Radius Access-Response

Web Traffic

Device is Registrered

And ProvisionedAllow Access


Summary of FlexConnect ACLs

87

87

Split Tunnel ACL Allow some traffic to be locally switched

Web Authentication ACL Provides L3 Web Redirect for local switching

Web Policies ACL BYOD with FlexConnect

VLAN-ACL Applied on the 802.3 interface of the FlexConnect AP

AAA returned Client ACL Applied on the 802.11 interface of the AP

Operating Wireless BranchSmart Upgrade over WAN


Upgrading a FlexConnect Deployment

• Sites using FlexConnect AP are usually sites with low WAN bandwidth

• Each site may have small number of AP, but an enterprise may have a lot of branches

• Upgrading ~6000 AP through a low bandwidth WAN is a challenge :

– Time needed to download all the AP firmware

– Exhaust of the WAN link

– Risk of failures during the download

Concerns

89


WAN

FlexConnect Smart AP Image Upgrade

• Smart AP Image Upgrade use a « master » AP in each FlexConnect Group to downloadthe code.

• Other FlexConnect AP download the code from the master locally

1. Download WLC upgraded firmware (willbecome primary)

2. Force the « boot image » to be the secondary (and not the newlyupgraded one) to avoid parallel download of all AP in case of unexpected WLC reboot

3. WLC elects a master AP in eachFlexConnect Group (can be also set manually)

Overview

90

Remote Site-1 Remote Site-N

Cisco Prime

Wireless LAN

Controller

Primary Secondary

Firmware Image

New

OldNew

NewOld

Central Site

Master AP

Starting from 7.2


WAN


4. Master AP « Pre-download » the AP firmware in the secondary « boot image » (will not disrupt the actual service)—Can be started group per group to limit WAN exhaust

5. Slave AP « Pre-download » the AP firmware from the Master AP

6. Change the « boot image » of the WLCto the new image

7. Reboot the controller

Description (Contd.)

91

OldNewNewOld

NewOld

Central Site

Remote Site-1 Remote Site-N

Wireless LAN

Controller

Primary Secondary

Firmware Image

Primary Secondary

AP Firmware Image

NewOld

Primary Secondary

AP Firmware Image

Master AP

Cisco Prime



• “FlexConnect AP Upgrade” checkbox has to be enabled for each FlexConnect Group.

• By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm.

• One Master select per AP type.

Configuration

92

Enable Efficient AP Image

Upgrade

Master AP Selection is

Optional

Random Backoff Interval

(100-300sec) between

each retry

Valid Range is 1-63


Per Branch or FlexConnect Group

Upgrade

Upgrade across all Branches or

FlexConnect Groups whose

“FlexConnect AP Upgrade” checkbox

is set

FlexConnect Smart AP Image Upgrade Configuration contd.

93

()

Service-Ready Branch

FlexConnect VideoStream


• Choppy, Unreliable Video

• Video Stream does not utilise 802.11n/ac High Throughput data rates

• Heavy utilisation of channel due to high rate of very slow packets

• Video delivery is not reliable causing poor Quality of Experience

Video Impact

Video Multicast Delivery Challenges

802.11Data Rates

B/G

N

VideoServer

• Multicast packets (UDP) are sent as broadcast packets over the air per 802.11 standard

• Broadcast packets do not use error correction: “fire and forget”

• Broadcast packets are sent at data rate mandatory to all clients connected to the WLAN

1 Mb for B/G (400K actual)6 Mb for A (2.7 Mb actual)

Technical Challenges

Default 802.11B/Gmandatory data rates

1

2

5.5

6

9

11

12

18

24

36

48

54

M0

M1

...

M14

M15


Video Multicast Delivery Solution802.11

Data Rates

• IGMP state monitored for each client. Only send video to clients requesting

• Sent as unicast to individual clients at their data rate

• Multicast packets replicated at AP

Technical Solution

• Smooth, Reliable Video delivered to multiple clients

• Quality of Video protected in varying channel load conditions

• Prioritises Business Video (QoSGold) over other video ( Best-effort )

Video Impact

Default 802.11B/Gmandatory data rates

N

VideoServer

B/G

1

2

5.5

6

9

11

12

18

24

36

48

54

M0

M1

...

M14

M15

Starting from 8.0


FlexConnect VideoStream Configuration

(Cisco Controller) >config media-stream multicast-direct ?

enable Enable Global Multicast to Unicast Conversion

disable Disable Global Multicast to Unicast Conversion

Enable VideoStream - Global


FlexConnect VideoStream ConfigurationAdd Stream Configuration

(Cisco Controller) >configure media-stream add multicast-direct <media-stream-

name> <start-IP> <end-IP> [template | detail <bandwidth> <packet-size> <Re-

evaluation> video <priority> <drop|fallback>]’


FlexConnect VideoStream ConfigurationEnable VideoStream - WLAN

(Cisco Controller) >config wlan media-stream multicast-direct 1 ?

enable Enables Multicast-direct on the WLAN

disable Disables Multicast-direct on the WLAN.


(Cisco Controller) >show flexconnect media-stream client summary

Client Mac Stream Name Multicast IP AP-Name VLAN Type

----------------- -------------------- --------------- ------------------------- ----- ----------------

7c:d1:c3:86:7e:dc Media2 229.77.77.28 AP_1600 0 Multicast Direct

88:cb:87:bd:0c:ab Media2 229.77.77.28 AP_1600 0 Multicast Direct

d8:96:95:02:7e:b4 Media2 229.77.77.28 AP_1600 0 Multicast Direct

FlexConnect VideoStream MonitoringController

FlexConnect Bridge Mode Support


• New AP mode that allows Flexconnect behaviour across

mesh-enabled AP • Flexconnect Groups

• Max 8 Mesh hops, Max 32 MAPs

per RAP

• Local AAA support

• A WLC have a mix of Bridge and Flex + Bridge

• MAPs inherent VLANs from its

connected RAP

FlexConnect on Mesh APs

103

WAN

Central Site

Remote

Office

Centralised

Traffic

Local

Traffic

Local Data WLAN

Central Data WLAN

Starting from 8.0

Per Location SSID


FlexConnect-Bridge Failover Scenario

WAN

Application

Server

Primary

Remote Office

Secondary

• AP SSO is supported for the RAP only. N+1

Recommended. SSO for MAPs coming in 8.1

• Multi-sector RAP deployments can be used for

redundancy

• RAP to standalone mode when WLC is not reachable

• MAPs to standalone mode when WLC is

not reachable but gateway is

• When in standalone mode no new

mesh AP can join the mesh tree

Failover Considerations


AP Modes Feature ComparisonFeature\AP Mode Local Mode Bridge Mode Flexconnect Mode

Central Switching Yes Yes Yes

Root Ethernet VLAN bridging

No Yes (secondary Ethernet hosts)

Yes

Secondary Ethernet Access Ports

No Yes No

Secondary Ethernet VLAN Trunk Ports

No Yes No

Local VLAN Inheritance by MAPs from RAPs

No Yes - Secondary Ethernet “access” ports only

No

Wireless Child Mesh APs No Yes No

Fault Tolerant Resilient Mode

No No Yes

Security ACLs per VLAN on Ethernet Root Ports

No No Yes

Integrated IP Routing (PPP/PPPoE/NAT)

No No Yes

VLAN Transparent Bridging

No No No

Path Control Protocol No Yes No

Flex+Bridge Mode

Yes

Yes

Yes

Yes

Yes – both bridged 802.11 WLANs and Ethernet “access” portsYes

Yes

Yes (on RAPs)

Yes (on RAPs)

No

Yes

For YourReference


Wireless Access Points AP_NAME General

Wireless Access Points AP_NAME FlexConnect

FlexConnect Bridge Mode Configuration

AP will reboot

upon change

Same options

as an AP in Flex

Mode

FlexConnect Application Visibility and Control Coming in 8.1


Use QoS to control

application bandwidth

usage to improve

application performance

Control

Advanced reporting tool

aggregates and reports

application performance

App Visibility &

User Experience Report

Reporting Tool

Static

Netflow

Perf. Collection & Exporting

How AVC Solution Works

App BW Transaction

Time

…

WebEx 3 Mb 150 ms …

Citrix 10 Mb 500 ms …

DPI engine (NBAR2)

identifies applications

using L7 signatures

Deep Packet Inspection

AP

NBAR on AP

AP collects application info

and export it to

controller/switch every 90

seconds

AireOS 8.1AireOS 8.1

Coming in 8.1

http://images.google.fr/imgres?imgurl=http://4.bp.blogspot.com/_UZImdYAiry8/Sb9qYmN0llI/AAAAAAAAPtc/a_qXEx69CB0/s400/oracle_logo.jpg&imgrefurl=http://vectorlogo.blogspot.com/2009/03/oracle-logo-eps.html&usg=__TTg6bQ4L8aDCa2kKWUD3Q4YWewM=&h=161&w=400&sz=7&hl=fr&start=3&sig2=xj4d94noyf1kS0Adw6tzJA&um=1&tbnid=LLEUA6II6jNxiM:&tbnh=50&tbnw=124&prev=/images?q=oracle+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=FeHBSvDVKsjKjAeGsfDoBQ





WAN

AVC on FlexConnect APs

Katana

Netflow Export from AP to WLC

NBAR2 (1000+ Applications) and Netflowwill be ported onto Access Points!

Stateful context transfer will be supported for intra FlexConnect Group roams

STATIC NETFLOW TO

CPI OR THIRD PARTY NETFLOW COLLECTOR

Flow ID App Name Packets

1 WebEx 1000

2 Msft-Lync 2300

3 Skype 660

Real-time information for

last 90 seconds

Gen2 AP

Stateful context

transfer on roam

Gen2 AP

BRANCH

Coming in 8.1

http://images.google.fr/imgres?imgurl=http://www.nowhereelse.fr/wp-content/docs/youtube-logo5.jpg&imgrefurl=http://www.nowhereelse.fr/youtube-live-video-streaming-12525/&usg=__MyBsEJIR3joE8gm-rBq5Wel1qGA=&h=428&w=570&sz=33&hl=fr&start=1&sig2=z2krQGjzyqJMHPDfVwLLvg&um=1&tbnid=RKDnixEb39ds5M:&tbnh=101&tbnw=134&prev=/images?q=video+streaming+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=0czJSp79EcSD4QaBkoTHAQ

http://images.google.fr/imgres?imgurl=http://www.nowhereelse.fr/wp-content/docs/youtube-logo5.jpg&imgrefurl=http://www.nowhereelse.fr/youtube-live-video-streaming-12525/&usg=__MyBsEJIR3joE8gm-rBq5Wel1qGA=&h=428&w=570&sz=33&hl=fr&start=1&sig2=z2krQGjzyqJMHPDfVwLLvg&um=1&tbnid=RKDnixEb39ds5M:&tbnh=101&tbnw=134&prev=/images?q=video+streaming+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=0czJSp79EcSD4QaBkoTHAQ

http://images.google.fr/imgres?imgurl=http://elbconsultingllc.com/images/SAP-Logo.jpg&imgrefurl=http://elbconsultingllc.com/index.html&usg=__ttrD8hVR0ZecJBAgUc1jjcxqsZQ=&h=551&w=945&sz=36&hl=fr&start=1&sig2=eDSzYadbfwaGzGedWvK1-g&um=1&tbnid=9f5hdQ6CnNYH3M:&tbnh=86&tbnw=148&prev=/images?q=sap+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=reDBSv2WCZa7jAfWrvXgBQ

http://images.google.fr/imgres?imgurl=http://elbconsultingllc.com/images/SAP-Logo.jpg&imgrefurl=http://elbconsultingllc.com/index.html&usg=__ttrD8hVR0ZecJBAgUc1jjcxqsZQ=&h=551&w=945&sz=36&hl=fr&start=1&sig2=eDSzYadbfwaGzGedWvK1-g&um=1&tbnid=9f5hdQ6CnNYH3M:&tbnh=86&tbnw=148&prev=/images?q=sap+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=reDBSv2WCZa7jAfWrvXgBQ


• Export to external Netflow supported• Intra FlexConnect Group Roaming Support

• Supported on all controller models except 2504

• Supported on Gen 2 APs : 1600, 2600, 3600,

1700, 2700, 3700, 1532, 1570

• FlexConnect and Flex+bridge mode supported

Support on WLC • NBAR2 engine on FlexConnect AP

• Protocol Pack 8.0

• NBAR engine version 16

• Send flows to WLC every 90 sec using Netflow

• Classification and Control at AP• Mark ( DSCP )

• Drop

• Rate-limit

Support on AP

AVC for FlexConnect APs Coming in 8.1


AVC Configuration on Local Switching WLAN

WLAN AVC

Configuration

Local Switching WLAN

Coming in 8.1


AVC Configuration per FlexConnect Group

• FlexConnect Group specific AVC configuration takes precedence over WLAN AVC config

• No AP Specific AVC configuration.

• WLAN AVC configuration will be pushed to Flex APs where WLAN is broadcast

FlexConnect Group AVC

configuration

Enable/disable, Profile,

Monitor per WLAN

Application Visibility

WLAN-Specific

Enable/Disable

Coming in 8.1


FlexConnect AVC Profiles

Can be associated under WLAN and/or FlexConnect Group

FlexConnect AVC

profiles

Coming in 8.1


FlexConnect AVC Applications

Protocol Pack version 8.0

Engine version 16

Coming in 8.1


Monitoring AVC Statistics per FlexConnect Group

Per Client AVC Statistics Per FlexConnect Group

AVC Statistics

FlexConnect Best Practices


BE

ST

P

RA

CT

ICE

S (A

irO

S)

Make it Easy Make it work Make it perform

INF

RA

ST

RU

CT

UR

EEnable High Availability (AP and Client SSO)

Enable AP Failover Priority

Enable AP Multicast Mode

Enable Multicast VLAN

Enable Pre-image download

Enable AVC

Enable NetFlow

Enable Local Profiling (DHCP and HTTP)

Enable NTP

Modify the AP Re-transmit Parameters

Enable FastSSID change

Enable Per-user BW contracts

Enable Multicast Mobility

Enable Client Load balancing

Disable Aironet IE

FlexConnect Groups and Smart AP Upgrade

Enable 802.1x and WPA/WPA2 on WLAN

Enable 802.1x authentication for APChange advance EAP timers Enable SSH and disable telnet

Disable Management Over WirelessDisable WiFi DirectPeer-to-peer blocking

Secure Web Access (HTTPS)Enable User PoliciesEnable Client exclusion policies

Enable rogue policies and Rogue Detection RSSIStrong password Policies Enable IDS

BYOD Timers

Set Bridge Group NameSet Preferred Parent

Multiple Root APs in each BGN

Set Backhaul rate to "Auto"Set Backhaul Channel Width to 40/80 MHz

Backhaul Link SNR > 25 dBm

Avoid DFS channels for Backhaul

External RADIUS server for Mesh MAC AuthenticationEnable IDS

Enable EAP Mesh Security Mode

ME

SH

WIR

EL

ES

S /

RF

SE

CU

RIT

Y

Disable 802.11b data rates

Restrict number of WLAN below 4Enable channel bonding – 40 or 80 MHz Enable BandSelect

Use RF Profiles and AP GroupsEnable RRM (DCA & TPC) to be autoEnable Auto-RF group leader selection

Enable Cisco CleanAir and EDRRMEnable Noise &Rogue Monitoring on all channels Enable DFS channels

Avoid Cisco AP Load

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html

Best Practices RecommendationsFor YourReference


FlexConnect Best Practices

Enable FlexConnect Groups

CCKM/OKC Key sharing for Voice deployments

Enable Smart AP Image Upgrade

Design for Resiliency

VLAN-WLAN Mappings at Group Level

Consistent configuration across Primary and Backup WLCs

FLE

X

CO

NN

EC

T


Summary• Cisco Unified Wireless Network based on Controllers deliver Wireless Branch Solution

• FlexConnect is the feature designed to solve remote connectivity and WAN constraints

• Several Failover Scenario are targeted to offer Survivability of Small Remote Sites

References:

• Wireless LAN Controller Scale Comparison Guidehttp://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#controllers

• FlexConnect Branch Controller Deployment Guidehttp://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html

• FlexConnect feature matrixhttp://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html

• Wireless Best Practiceshttp://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-best-practice.html

119

http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html

http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-best-practice.html

Q & A


Give us your feedback and receive a

Cisco Live 2015 T-Shirt!

Complete your Overall Event Survey and 5 Session

Evaluations.

• Directly from your mobile device on the Cisco Live

Mobile App

• By visiting the Cisco Live Mobile Site

http://showcase.genie-connect.com/clmelbourne2015

• Visit any Cisco Live Internet Station located

throughout the venue

T-Shirts can be collected in the World of Solutions

on Friday 20 March 12:00pm - 2:00pm

Complete Your Online Session Evaluation

Learn online with Cisco Live! Visit us online after the conference for full

access to session videos and

presentations. www.CiscoLiveAPAC.com

http://showcase.genie-connect.com/clmelbourne2015

http://www.ciscoliveapac.com/

Documents

Design and Deployment of Branch Office Wireless Networks Live 2015 Melbourne... · Design and Deployment of Branch Office Wireless Networks Sujit Ghosh Sr. Mgr. Technical Marketing