Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Jay Pitcher – Technical Solution [email protected]
• WLAN deployment options
• Architecture review
• CA – path to success
• CA – branch design
• CA – campus design
• Role of Cisco Prime Infrastructure
Wireless Controller: Deployment Modes

Autonomous (standalone APs)
• Target positioning: small wireless network
• Scope: wireless only
• Key use cases: small number of APs; WGB mode – bridge wired devices
• Key considerations: certification concerns

FlexConnect (traffic distributed at the AP)
• Target positioning: branch
• Scope: wireless only
• Key use cases: centralized control with local data plane; max of 100 APs at a location
• Key considerations: no L3 roaming; client connects at the AP (WAN)

Centralized (traffic centralized at the controller)
• Target positioning: campus
• Scope: wireless only
• Key use cases: most complete solution; all capabilities of Enterprise WLAN
• Key considerations: full features

Converged Access (traffic distributed at the switch)
• Target positioning: branch and campus
• Scope: wired and wireless
• Key use cases: CA switches available; basic Enterprise WLAN; fewer than 100 APs
• Key considerations: Enterprise WLAN only; no mesh, no modules
Converged Access Scalability Guidelines (unchanged up to 3.7.0)

                                         3650                      3850
Certified release                        3.6 (recommended 3.6.4)   3.6 (recommended 3.6.4)
Mobility Controller (MC) mode            Yes                       Yes
APs supported                            25                        50
Clients supported                        1000                      2000
Mobility Agent (MA) mode                 Yes                       Yes
Number of MCs in mobility domain         8 / 2                     8 / 2
Number of MAs in sub-domain (per MC)     16 / 8                    16 / 8
AP scale (per domain)                    200 / 50                  250 / 100
Converged Access Deployments Recommendation (unchanged up to 3.7.0)

[Figure: number of devices plotted against size of mobility domain, with two marked points and the seamless roaming and nomadic roaming use cases]
• Point 1: mobility domain up to 2000 devices / 50 APs, max 1 x 3850 MC
• Point 2: mobility domain up to 4000 devices / 100 APs, max 2 x 3850 MC
• Beyond that: centralized overlay
• Multi-site: (N) independent mobility domains, up to 4000 devices / 100 APs per mobility domain; each site (Site-1 … Site-N) has its own MC with MA1 … MA8
Cisco Digital Network Architecture

Principles: open & programmable, standards-based | open APIs, developers environment | cloud-enabled, software-delivered
• Automation – abstraction & policy control from core to edge
• Cloud service management – policy, orchestration
• Virtualization – physical & virtual infrastructure, app hosting
• Analytics – network data, contextual insights
Outcomes: insights & experiences | automation & assurance | security & compliance | network-enabled applications
Network Requirements for the Digital Organization – Wireless as Part of Your End-to-End Strategy

• Personalized engagement on mobile devices
• Physical or virtual wireless services
• Employee and guest access based on deep context
• Expose wireless-acquired data to applications
• Application policy across wireless, wired and WAN
• Validate activity across wireless, wired and WAN
• Combine network and business insight
• Day zero wireless deployment
• Accelerate security issue detection and resolution

Insights & experiences – drive business innovations
Automation & assurance – speed, simplicity & visibility
Security & compliance – real-time and dynamic threat defense
Traditional Wireless over the Fabric

[Figure: fabric access and fabric border nodes, a wireless border (external WLC) and the host database (HTDB); the fabric-enabled device carries the CAPWAP transport]

                      Small deployments                  Large deployments
Scale                 250 access points; 4000 clients    15K access points; 150,000 clients
Policy enforcement    WLC                                WLC
Control & data        CAPWAP                             CAPWAP
Integrated Wireless on the Fabric – IT Service for Endpoints Regardless of Media Type (Wired or Wireless)

[Figure: fabric access and fabric border nodes, the host database (HTDB) and the WLC as an external service; unified policies for wired & wireless]

                      Small deployments                  Large deployments
Scale                 250 access points; 4000 clients    15K access points; 150,000 clients
Policy enforcement    Fabric access switch (unified policy for wired & wireless for Flex, Local and Converged Access modes)
Control path          CAPWAP
Cisco Wireless Government Certifications – Today

What's certified:
• All Cisco 11ac and 11n access points
• All appliance and integrated controllers
• MSE 8.0 and PI 2.2
• APL listing for WLAS, WAB, WIDS

Certifications (FIPS, CC, UCAPL, CSfC, USGv6) across releases 7.0, 8.0 and IOS 3.6 [per-release table cells not recoverable]
• Predictable wireless certification – the MD SW release gets certified; common release for both Enterprise and Government customers
• Feature consistency and deployment flexibility
• Comprehensive certified end-to-end solution
Cisco Wireless Government Certifications – Tomorrow

What will be certified:
• All current controllers & .11n/.11ac APs
• New .11ac Wave 2 APs, 3802/2802
• 5520/8540 controllers
• New controller/mesh platforms

Certifications (FIPS, CC, UCAPL, CSfC, USGv6) across releases 8.3 and 16.3 [per-release table cells not recoverable]
• Predictable wireless certification – the MD SW release gets certified; common release for both Enterprise and Government customers
• Feature consistency and deployment flexibility
• Comprehensive certified end-to-end solution
Converged Access – Foundation: UADP ASIC Technology

Catalyst 3650 (IOS XE software)
- Up to 50 APs per stack [9] (IOS XE 3.7.1 or later); only 25 APs per stack [9] prior to IOS XE 3.7.1
- Up to 1,000 wireless clients
- Up to 40 Gbps wireless throughput (48-port models)

Catalyst 3850 (IOS XE software)
- Up to 100 APs per stack [9] (IOS XE 3.7.1 or later); only 50 APs per stack [9] prior to IOS XE 3.7.1
- Up to 2,000 wireless clients
- Up to 40 Gbps wireless throughput (48-port models)
The Solution: Cisco Multigigabit Ethernet

Delivers up to 5X speeds in the enterprise without replacing cabling.

[Figure: Multigigabit switch – Cat 5e cables at 2.5–5G – Multigigabit-capable AP with Wi-Fi > 1G]
• A game-changing technology allowing enterprise networks to evolve beyond 1G
• Enables 2.5 and 5 Gbps up to 100 m on legacy cables
• Supports all PoE standards up to 60 W
Catalyst 3850 – Multigigabit Versions

48-port version
• Downlinks: 36 x 1G line-rate 10/100/1000BASE-T, 12 x GE/mGig/10GT line rate; PoE/PoE+/UPoE, EEE, MACsec
• Uplinks: 4 x 10GE SFP+, 2 x 40G QSFP (new), 8 x 10G SFP+ (new)

24-port version
• Downlinks: 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
• Uplinks: 4 x 10GE SFP+, 2 x 40G QSFP (new), 8 x 10G SFP+ (new)

All 3850 versions can stack with each other.
Unified Wireless – Centralized Wireless Architecture

[Figure: core with DC, Internet and mobility; access layer served by a central WLC]

Edge function
• Central access management
  - Access points – configuration, software, radio etc.
  - WLAN – SSID, policy based etc.
  - Wireless edge management – authenticator, logging etc.
• Central forwarding management
  - Topology – hub-and-spoke forwarding design
• Central client management
  - Security – authentication, authorization
  - VLAN – access tier between wired and overlay
  - Policy enforcement – QoS, security

Core function
• License management
  - Access point license management
• Mobility database and management
  - Wireless client database (local domain)
  - Inter-WLC mobility domain network
• Guest access
  - Anchor-based guest solution with an additional WLC
• Central wireless services
  - Advanced wireless – CleanAir and Radio Resource Management (RRM)
  - Security – wIPS
Unified Wireless – Distributed Wireless Architecture

[Figure: core with DC, Internet and mobility; the WLC acts as MC, with MAs on the access switches]

Core function (stays on the WLC/MC, as in the centralized architecture above: access, forwarding and client management, license management, mobility database, guest access and central wireless services; policy enforcement is now hybrid QoS, security, AVC etc.)

Edge function (distributed to the access switches)
• Distributed access management
  - Access points – configuration, software, radio etc.
  - WLAN – SSID, policy based etc.
  - Wireless edge management – authenticator, logging etc.
• Distributed forwarding management
  - Topology – distributed forwarding design
• Distributed client management
  - Security – authentication, authorization
  - VLAN – common access tier for wired and wireless
  - Policy enforcement – common QoS, security, AVC etc.

• Converged Access ≠ FlexConnect. Converged Access = WLC + Ethernet switch
• All wireless controller edge function is distributed to the individual Ethernet switches: the more significant operation
• The wireless controller core function becomes limited: the less significant operation
Converged Access – Where Do We Start? (It all depends)

Design questions:
• How many APs per MA?
• How many clients?
• Who can be the MC?
• What about MC redundancy?
• How do I design the SPG? Why do I need an SPG?
• How many MCs?
• Where should the MC be?
• How do I define the roaming boundary?
• What is a soft vs hard roam?
• How do I design the MC in the distribution layer?
• How many floors per building?
• How many APs per MC?
• How many buildings per domain?
• How many APs per building?
• How do I design guest access?
• Do I need a Mobility Oracle?
• What is nomadic roaming?
• How do I design CA with FHRP?
• How do I design the subnet plan?
• Can I use different Catalyst platforms to build CA?
• What is New Mobility?
• Can I build IOS-to-AireOS mobility?
• Can I have roaming between CA and Centralized?
• What happens when the MC fails?
• How do I make an unsupported AP work?
Converged Access – Systematic Design to Deploy Approach

5 design steps for success: Foundation, Inventory, Mobility, Roaming, Guest

Check inventory –
✓ Total building/site count
✓ Floor count per building
✓ Switch count per building
✓ AP count per building
✓ Client count per building

Foundation design –
✓ L2 or L3 network design
✓ Loop-free STP topology
✓ VSS / StackWise
✓ EtherChannels
✓ Cisco best practices

CA design –
✓ MC platform decision
✓ MC count per building
✓ MC placement
✓ MC redundancy
✓ Cisco best practices

Roaming design –
✓ Boundary limit
✓ SPG design
✓ L3 vs L2 roam
✓ Stack benefits
✓ Cisco best practices

Guest design –
✓ Anchor-based vs anchor-less
✓ IOS and AireOS interoperability
✓ Foreign tunnel scalability
✓ Stack benefits
✓ Cisco best practices

• A systematic, step-by-step design-to-deploy phase; the networking principles are no different
• Converged Access = 50% wireless and 50% wired: a single IT team effort to enable the architectural transition
• Integrating wired and wireless best practices sets the converged foundation that delivers the expected, and better, results

• Inventory – different building/floor plans and sizes translate into AP, client and network-device scale
• Mobility – variable scale limits at each site introduce variable mobility designs from the site down to the block level
• Roaming – the mobility design sets a variable-size seamless roaming boundary for building a pervasive wireless infrastructure
• Guest – the three-tier mobility design also requires evaluating a guest wireless solution that can scale
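The inventory, mobility and roaming steps above reduce to arithmetic against the scalability table earlier in the deck. The following script is an added example, not Cisco's tool and not code from this presentation: it transcribes the 3650/3850 limits from that table and checks a constructed three-building inventory against them, reporting how many MCs and mobility domains the site needs and which recommended limits it misses. It assumes the "X / Y" cells of the table mean "supported / recommended", which the slide itself does not spell out.

```python
"""Mobility-domain sizing check for a Converged Access site.

Added example, not Cisco's tool or code from this deck. The limits are
transcribed from the "Converged Access Scalability Guidelines" table on this
page (Catalyst 3650 / 3850, release 3.6 guidelines). The "X / Y" cells of that
table are read here as "supported / recommended"; that reading is an assumption
about the slide's notation, not something the slide states.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PlatformLimits:
    aps_per_mc: int          # "APs Supported" when the switch is the MC
    clients_per_mc: int      # "Clients Supported" per MC
    mcs_per_domain: tuple    # (supported, recommended) MCs in a mobility domain
    mas_per_mc: tuple        # (supported, recommended) MAs in a sub-domain (per MC)
    aps_per_domain: tuple    # (supported, recommended) APs per mobility domain


LIMITS = {
    "3650": PlatformLimits(25, 1000, (8, 2), (16, 8), (200, 50)),
    "3850": PlatformLimits(50, 2000, (8, 2), (16, 8), (250, 100)),
}


@dataclass(frozen=True)
class Building:
    """One row of the 'Check inventory' step."""
    name: str
    floors: int
    switches: int   # access switches or stacks; each one runs as an MA
    aps: int
    clients: int


def size_site(platform, buildings):
    """Count the MCs and mobility domains a site needs and flag guideline misses.

    Returns a dict with the totals, the MC and domain counts, whether the
    result stays inside the recommended (not just supported) limits, and a
    list of findings for the Mobility/Roaming design steps.
    """
    lim = LIMITS[platform]
    aps = sum(b.aps for b in buildings)
    clients = sum(b.clients for b in buildings)
    mas = sum(b.switches for b in buildings)

    # Each MC has an AP budget, a client budget and an MA budget; whichever
    # runs out first decides how many MCs the site needs.
    mcs = max(
        math.ceil(aps / lim.aps_per_mc),
        math.ceil(clients / lim.clients_per_mc),
        math.ceil(mas / lim.mas_per_mc[0]),
        1,
    )
    # A mobility domain is capped by its supported MC count and AP count.
    domains = max(
        math.ceil(mcs / lim.mcs_per_domain[0]),
        math.ceil(aps / lim.aps_per_domain[0]),
    )
    mcs_per_domain = math.ceil(mcs / domains)
    aps_per_domain = math.ceil(aps / domains)

    findings = []
    for b in buildings:
        if b.aps > lim.aps_per_mc:
            findings.append(
                f"{b.name}: {b.aps} APs exceed the {lim.aps_per_mc} one {platform} "
                "MC supports; roaming inside the building will cross MCs, so set "
                "the SPG and roaming boundary with that in mind")
    if mcs_per_domain > lim.mcs_per_domain[1]:
        findings.append(
            f"{mcs_per_domain} MCs per domain exceeds the recommended "
            f"{lim.mcs_per_domain[1]}; consider more, smaller domains or a "
            "centralized overlay")
    if aps_per_domain > lim.aps_per_domain[1]:
        findings.append(
            f"{aps_per_domain} APs per domain exceeds the recommended "
            f"{lim.aps_per_domain[1]} (supported: {lim.aps_per_domain[0]})")

    return {
        "platform": platform,
        "aps": aps, "clients": clients, "mas": mas,
        "mcs": mcs, "domains": domains,
        "within_recommended": (mcs_per_domain <= lim.mcs_per_domain[1]
                               and aps_per_domain <= lim.aps_per_domain[1]),
        "findings": findings,
    }


# Constructed sample inventory for a three-building site (not real data).
SAMPLE_SITE = [
    Building("Building A", floors=3, switches=6, aps=40, clients=1500),
    Building("Building B", floors=2, switches=4, aps=30, clients=900),
    Building("Building C", floors=1, switches=2, aps=10, clients=300),
]

if __name__ == "__main__":
    for platform in LIMITS:
        result = size_site(platform, SAMPLE_SITE)
        print(f"{platform}: {result['mcs']} MC(s), {result['domains']} domain(s), "
              f"within recommended: {result['within_recommended']}")
        for finding in result["findings"]:
            print("  -", finding)
```

On the sample site the 3850 fits the recommended single-domain envelope with two MCs, while the 3650 needs four MCs for the same 80 APs and 2,700 clients and trips the recommended per-domain MC and AP limits, which is exactly the decision the "MC platform decision" and "MC count per building" items in the CA design step are meant to surface.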
Converged Access – One Technology Fits Many Needs

[Figure: controller-less single-switch branch (MC/MA on one switch) and controller-less single/multi-domain branch (Sub-Domain-1/SPG-1 and Sub-Domain-2/SPG-2, each with MAs and an MC/MA); shared services in the DC (CPI, ISE) and a guest anchor (GA) towards the Internet]

Each network design has a consistent solution for variable deployments.
Converged Access – ONE Network = ONE IT

[Figure: controller-less single-switch branch, controller-less single/multi-domain branch, controller-less multi-domain branch/campus and controller-based multi-domain campus, each built from sub-domains/SPGs with MAs and an MC]

Tight wired and wireless IT team collaboration (50% wireless, 50% wired)

Wireless IT team – breadth of wireless knowledge:
• Mobility and wireless architecture
• Deep RF network understanding
• Device and network operation
• Wireless security and services
• Wireless endpoint experience
• Much more…

Wired IT team – deep foundation knowledge:
• End-to-end network architecture
• Expertise in route/switch designs
• IOS device and network operation
• Network security and services
• Wireless endpoint experience
• Much more…

Win together: Converged Access success!
Converged Access – Set Foundation Right! (Foundation: simplify to scale)

Cisco Validated Design Guide: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.pdf

✓ Aggregation – a system that provides control/data-plane scale for the common wired/wireless network, i.e. MAC entries, MAC moves due to roaming, CPU scale to support link-local broadcast/multicast traffic, etc.
✓ System design – VSS or StackWise and EtherChannels; build simple system and network topologies to scale
✓ Network design – multilayer or routed access; consider VLAN span, L2 roam, subnets with routed access
✓ Best practices – follow Cisco recommended best practices to set the foundation right for Converged Access

[Figure: distribution/access topologies for Branch – L2 network design, Campus – L2 network design, Campus – L3 network design]
Converged Access – Set Foundation Right! (Foundation: simplify to scale, continued)

[Figure: access and distribution layers; with traditional wireless the wired L2/L3 boundary and the wireless L2/L3 boundary are separate, each side carrying its own MAC addresses, IP addresses, IGMP and broadcast/multicast]
• Separate L2/L3 boundaries for wired and wireless users with traditional wireless deployments; they become common with the next-generation Converged Access wireless solution
• A common block means more MAC addresses, more IP addresses and a larger flood domain
• Catalyst platforms scale to support this, but a solid L2/L3 foundation design is required for optimal performance
Converged Access – Set Foundation Right! (VLAN design options)

Design 1 (recommended): separate wired VLAN (101, 201, 301) and wireless VLAN (102, 202, 302) per access block
Pros: structured and intuitive addressing plan; contained flood/fault domain; unique policy for wired vs wireless; deterministic DHCP pool operation; Cisco recommended design
Cons: may require more subnets; subnet sizing may require extra planning

Design 2: one shared wired + wireless VLAN (101, 201, 301) per access block
Pros: fewer VLANs and subnets
Cons: dual-homed devices may impact applications; cannot enforce unique access policies; challenging to plan subnets

Design 3: wired VLAN per access block (101, 201, 301) and one wireless VLAN (102) spanning the distribution block
Pros: partially structured addressing plan; traditional CUWN VLAN design; unique policy for wired vs wireless
Cons: VSS/StackWise required in distribution; large link-local bcast/mcast flood domain; STP fault domain widens in a large network
Converged Access – MC over WAN Summary: Not Recommended / Not Supported
• Architecturally non-recommended deployment design
• Converged Access MC ≠ traditional WLC
• No key operational benefit in pushing the core-function boundary across the WAN
• All edge configuration and function remains fully distributed to each access-layer MA switch
• Solve operational simplicity with the new Cisco Prime Infrastructure workflows, or alternatively with the "MC managing MA" IOS feature if Cisco Prime is unavailable