Overview of how the newest generation of Cisco wireless products are driving a new paradigm in wireless LAN designs. Topics of interest will include BYOD, Guest WLAN, expanded WLAN client authentication, 3G support and distributed controller functionality within the Cisco WLAN architecture.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
“Diving into Converged Access” – Cisco Tech Day, January 17th, 2014
Steve Phillips, Wireless Consulting Systems Engineer
Agenda – Diving into Converged Access – Solution and Design Overview & Deep Dive
• Converged Access Solution and Platforms Overview
• Converged Access Architecture and Components Review
• Converged Access Roaming
• Converged Access Quality of Service
• Converged Access Security and Guest Access
• Converged Access Design Options
• Converged Access Migration
• Wrap-up and Final Thoughts
Enterprise Wireless Evolution – From Best-Effort to Mission-Critical and Very High Density
[Figure: evolution of enterprise wireless through the stages Hotspot; Casual; Pervasive indoors; Media Rich Applications; Mission Critical; Very High Density. Capabilities added along the way: System Management; Capacity; Self Healing and Optimizing; CleanAir; VXI Capable.]
Wireless Standards – Past, Present, and Future
[Figure: clients / bandwidth plotted against time, from early 2000 through 2002, 2004, 2006, 2008, 2010, 2012, 2014 and beyond; application phases labelled Nice to Have, Pervasive, Media Rich Applications, Mission Critical.]
• 802.11b – 11 Mbps
• 802.11g, 802.11a – 54 Mbps
• 802.11n – 450 Mbps
• 802.11ac-1 – 1 Gbps
• 802.11ac-2 – 3.5 Gbps
• Future – 10 Gbps
One Network, with Converged Access – A New Deployment Option for Wired / Wireless
[Figure: today’s network of separate elements (Wireless Control System, Access Control Server, LAN Mgmt Solution, Identity Mgmt, NAC Profiler, Guest Server, Cisco Wireless LAN Controller, Cisco Firewall, Cisco Access Point, Catalyst Switch) between Internal Resources, the Corporate Network and the Internet, consolidated into One Management (Prime), One Policy (ISE) and One Network.]
IOS Based WLAN Controller – New 5760
• Consistent IOS and ASIC w/ Catalyst 3850
• Required to scale beyond 250 AP or 16K client domains
Converged Access Mode – Catalyst 3850
• Integrated wireless controller
• Distributed wired/wireless data plane (CAPWAP termination on switch)
Converged Wired / Wireless Access – Benefits – Overview
Unified Access – One Policy | One Management | One Network
• Scale with distributed wired and wireless data plane – 480G stack bandwidth; 40G wireless / switch; efficient multicast; 802.11ac fully ready
• Maximum resiliency with fast stateful recovery – Layered network high availability design with stateful switchover
• Single platform for wired and wireless – Common IOS, same administration point, one release
• Network wide visibility for faster troubleshooting – Wired and wireless traffic visible at every hop
• Consistent security and Quality of Service control – Hierarchical bandwidth management and distributed policy enforcement
Cisco Converged Access Deployment
Catalyst 3850 – Single Platform for Wired and Wireless
20+ Years of IOS Richness – Now on Wireless
Wireless features:
• Centralized deployment
• L2/L3 Fast Roaming
• CleanAir
• VideoStream
• Radio Resource Management (RRM)
• Wireless Security
• Radio performance
• 802.11ac Ready
Wired features:
• Stacking, StackPower
• Advanced Identity
• Visibility and Control
• Flexible NetFlow
• Granular QoS
• High Availability
• EEM, scripting
• IOS-XE Modular OS
Benefits:
• Built on UADP – Cisco’s Innovative Flexparser ASIC technology
• Eliminates operational complexity
• Single Operating System for wired and wireless
Catalyst 3850 – Platform Overview
Built on Cisco’s Innovative “UADP” ASIC
• Wireless CAPWAP Termination
• Up to 50 APs / 2000 clients per stack, and 40G per switch
• 40 Gbps Uplink Bandwidth (Modular)
• StackPower
• Line Rate on All Ports
• Multi-Core CPU
• 480 Gbps Stacking Bandwidth
• Full PoE+
• FRU Fans, Power Supplies – HA
• Granular QoS / Flexible NetFlow
Catalyst 3850 – Wireless Capabilities
Best-in-Class Wired Switch – with Integrated Wireless Mobility functionality
• CAPWAP termination and DTLS in Hardware
• Up to 40G wireless capacity per switch
• Capacity increases with members
• 50 APs and 2000 clients per switch stack
• Wireless switch peer group support for faster roaming: latency sensitive applications
• Supports IPv4 and IPv6 client mobility
• APs must be directly connected to Catalyst 3850
WLC 5760 – Platform Overview
Built on Cisco’s Innovative “UADP” ASIC
• First IOS-Based Wireless LAN Controller
• Deployment Modes: Centralized, or Converged Access
• Up to 1000 Access Points
• Up to 12,000 Concurrent Clients
• 60 Gbps Wireless Bandwidth
• 6x 1/10G SFP+ uplinks with LAG
• 802.11ac Optimized
• Granular QoS
• Flexible NetFlow
• FRU Fans
• FRU Power Supplies
One Network – Wireless Deployment Mode Options, Overview
One Policy, One Management, One Network – Unified Access Wireless – Unparalleled Deployment Flexibility
[Figure: deployment modes arranged from Ease of Use toward Unified Network – Autonomous; FlexConnect (Private Cloud); Centralized; Converged Access (New); Public Cloud / N.A.A.S. (New).]
Cisco Converged Access – What I Am Going to Cover …
CornerStones – Foundational Elements for the Converged Access Solution:
• System Architecture
• Roaming, QoS
• Security, Design Options
Cisco Converged Access – Network Requirements Driving Wireless Evolution …
We’ve Been Here Before…
Autonomous Mode – Standalone Access Point
• Hotspot deployments with nomadic roaming
Cisco Unified Wireless – Access Point + Controller (Performance and Scale)
• Functionality split with CAPWAP
• Centralized tunneling of user traffic to controller (data plane and control plane)
• Frees up the AP to focus on real-time communication, policy application and optimized RF & MAC functionality such as CleanAir, ClientLink
• System-wide coordination for channel and power assignment, rogue detection, security attacks, interference, roaming
• Increased scalability, Centralized policy application
Cisco Converged Access (Unified Experience and Services)
• Control plane functionality on NG Controller (also possible on upgraded 5508s, WiSM2s for brownfield deployments, or NG Converged Access switches for small, branch deployments)
• Data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred)
• Unified wired-wireless experience (security, policy, services)
• Common policy enforcement, Common services for wired and wireless traffic (NetFlow, advanced QoS, and more …)
Architecture Constructs – CUWN Tunnel Types
Existing Unified Wireless Deployment today … a well-known, proven architecture
[Figure: Data Center / Service block with PI and ISE; a Mobility Group of WLC #1 (Foreign) and WLC #2 plus a “Guest” Anchor WLC; APs with CAPWAP tunnels to the controllers; SSID1 / SSID2 / SSID3 mapped to VLANs at the controller, toward the Intranet and the Internet.]
Legend –
• AP-Controller CAPWAP Tunnel – 802.11 Control Session + Data Plane (encrypted, see Notes)
• Inter-Controller EoIP / CAPWAP Tunnel – EoIP Mobility Tunnel (< 7.2), CAPWAP option in 7.3
• Inter-Controller (Guest Anchor) EoIP / CAPWAP Tunnel
Notes –
• AP / WLC CAPWAP Tunnels are an IETF Standard
• UDP ports used – 5246: Encrypted Control Traffic; 5247: Data Traffic (non-Encrypted, or DTLS Encrypted – configurable)
• Inter-WLC Mobility Tunnels – EoIP (IP Protocol 97) … AireOS 7.3 introduces CAPWAP option; used for inter-WLC L3 Roaming and Guest Anchor
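The port and protocol facts in the notes above (CAPWAP control on UDP 5246, CAPWAP data on UDP 5247, EoIP mobility as IP protocol 97) are enough to pick the tunnel traffic out of flow records and check that it only runs between the addresses where APs and controllers are supposed to be. The following Python is an added example written for this page, not Cisco code and not part of the deck; the AP subnet, the controller addresses and the flow records are all constructed sample data.

```python
"""Classify CUWN tunnel flows and flag tunnel traffic from unexpected endpoints.

Added example (not from the Cisco deck). It applies the slide's port/protocol
facts - CAPWAP control UDP/5246, CAPWAP data UDP/5247, EoIP mobility tunnels
as IP protocol 97 - to NetFlow-style records. The AP subnet, WLC addresses and
flow records below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

CAPWAP_CONTROL_PORT = 5246   # encrypted control traffic (DTLS)
CAPWAP_DATA_PORT = 5247      # data traffic, DTLS optional
EOIP_PROTOCOL = 97           # inter-WLC mobility / guest-anchor tunnels
UDP = 17


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


# Constructed inventory: where APs and WLCs are expected to live.
AP_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
WLC_ADDRESSES = {"10.101.1.1", "10.101.2.1"}


def classify(flow):
    """Return the tunnel type a flow belongs to, or None if it is not tunnel traffic."""
    if flow.proto == EOIP_PROTOCOL:
        return "eoip-mobility"
    if flow.proto == UDP and CAPWAP_CONTROL_PORT in (flow.sport, flow.dport):
        return "capwap-control"
    if flow.proto == UDP and CAPWAP_DATA_PORT in (flow.sport, flow.dport):
        return "capwap-data"
    return None


def _is_ap(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in AP_SUBNETS)


def audit(flows):
    """Classify each flow and explain why tunnel traffic is unexpected.

    Expected shapes: CAPWAP runs between an AP address and a WLC address;
    EoIP mobility runs only between WLC addresses. Returns a list of
    (flow, tunnel_type, finding); finding is None for expected traffic.
    """
    results = []
    for f in flows:
        kind = classify(f)
        finding = None
        endpoints = {f.src, f.dst}
        if kind in ("capwap-control", "capwap-data"):
            if not endpoints & WLC_ADDRESSES:
                finding = "CAPWAP to a host that is not a known WLC"
            elif not any(_is_ap(a) for a in endpoints):
                finding = "CAPWAP from a host outside the AP subnets"
        elif kind == "eoip-mobility":
            if not endpoints <= WLC_ADDRESSES:
                finding = "EoIP mobility tunnel with a non-WLC endpoint"
        results.append((f, kind, finding))
    return results


# Constructed sample records (src, dst, proto, sport, dport).
SAMPLE_FLOWS = [
    Flow("10.20.3.14", "10.101.1.1", UDP, 40001, 5246),    # AP control: expected
    Flow("10.20.3.14", "10.101.1.1", UDP, 40002, 5247),    # AP data: expected
    Flow("10.101.1.1", "10.101.2.1", EOIP_PROTOCOL, 0, 0), # inter-WLC mobility: expected
    Flow("10.50.9.9", "10.101.1.1", UDP, 5246, 5246),      # CAPWAP from a user VLAN
    Flow("10.101.1.1", "192.0.2.7", EOIP_PROTOCOL, 0, 0),  # EoIP to an unknown peer
    Flow("10.20.3.14", "10.20.3.15", UDP, 53, 53),         # not tunnel traffic
]


def findings(flows=SAMPLE_FLOWS):
    """Only the flows that need a look: (src, dst, tunnel type, finding)."""
    return [(f.src, f.dst, kind, msg) for f, kind, msg in audit(flows) if msg]


if __name__ == "__main__":
    for row in findings():
        print(row)
```

Run against the sample records, the two flagged flows are the CAPWAP session from a user VLAN and the EoIP tunnel to a peer outside the controller set; the same check works on exported NetFlow once the inventory dictionaries are filled from the real AP and WLC address plan.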
Architecture Constructs – CUWN Control Functions
Existing Unified Wireless Deployment today … additional details on controller functionality. These will become important later as we delve into the Converged Access deployment …
[Figure: the same topology as the previous slide (Data Center / Service block with PI and ISE, Mobility Group of Foreign WLC #1 and WLC #2, “Guest” Anchor, APs with CAPWAP tunnels, SSID1 / SSID2 / SSID3, EoIP Mobility Tunnel (< 7.2) / CAPWAP option in 7.3), with each WLC labelled as both MC and MA.]
• Mobility Controller (MC) – Handles Roaming, RRM, WIPS, etc.
• Mobility Agent (MA) – Terminates CAPWAP Tunnels, Maintains Client Database
Converged Access – Deployment Overview
[Figure: a Mobility Domain containing Sub-Domain #1 and Sub-Domain #2, each with an MC; the MCs form a Mobility Group; under each MC, Switch Peer Groups (SPGs) of MAs; PI and ISE as shared services.]
Converged Access – Components – Physical vs. Logical Entities
Physical Entities –
• Mobility Agent (MA) – Terminates CAPWAP from AP, Manages client database
• Mobility Controller (MC) – Manages mobility within and across Sub-Domains
• Mobility Oracle (MO) – Superset of MC, allows for Scalable Mobility Management within a Domain
Logical Entities –
• Mobility Groups – Grouping of Mobility Controllers (MCs) to enable Fast Roaming, Radio Frequency Management, etc.
• Mobility Domain – Grouping of MCs to support seamless roaming
• Switch Peer Group (SPG) – Localizes traffic for roams within Distribution Block
MA, MC, Mobility Group functionality all exist in today’s controllers (4400, 5500, WiSM2)
Converged Access – Physical Entities – Catalyst 3850 Switch Stack
Best-in-Class Wired Switch – with Integrated Wireless Mobility functionality
• Can act as a Mobility Agent (MA) for terminating CAPWAP tunnels for locally connected APs …
• … as well as a Mobility Controller (MC) for other Mobility Agent (MA) switches, in small deployments
- MA/MC functionality works on a Stack of Catalyst 3850 Switches
- MA/MC functionality runs on Stack Master
- Stack Standby synchronizes some information (useful for intra-stack HA)
Converged Access – Logical Entities – Switch Peer Groups
Hierarchical architecture is optimized for scalability and roaming
[Figure: Sub-Domain 1 with one MC and two Switch Peer Groups, SPG-A and SPG-B, each made up of two MAs.]
Switch Peer Group (SPG) –
• Fast Roaming within an SPG
• MAs within an SPG are fully-meshed (auto-created at SPG formation)
• Made up of multiple Catalyst 3850 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
• Handles roaming across SPG (L2 / L3)
• Multiple SPGs under the control of a single MC form a Sub-Domain
SPGs are a logical construct, not a physical one …
• SPGs can be formed across Layer 2 or Layer 3 boundaries
• SPGs are designed to constrain roaming traffic to a smaller area, and optimize roaming capabilities and performance
• Current thinking on best practices dictates that SPGs will likely be built around buildings, around floors within a building, or other areas that users are likely to roam most within
• Roamed traffic within an SPG moves directly between the MAs in that SPG (CAPWAP full mesh)
• Roamed traffic between SPGs moves via the MC(s) servicing those SPGs
Converged Access – Logical Entities – Switch Peer Groups and Mobility Group
[Figure: Sub-Domain 1 (SPG-A, SPG-B), Sub-Domain 2 (SPG-C, SPG-D) and Sub-Domain 3 (SPG-E, SPG-F), each Sub-Domain with its own MC and two MAs per SPG; the three MCs form a Mobility Group.]
Mobility Group –
• Made up of Multiple Mobility Controllers (MCs)
• One Mobility Controller (MC) manages the RRM for entire Group
• RF Management (RRM) and Key Distribution for Fast Roaming
• Fast Roams are limited to Mobility Group member MCs
• Handles roaming across MG (L2 / L3)
Switch Peer Group (SPG) – Fast Roaming within an SPG; MAs within an SPG are fully-meshed (auto-created at SPG formation); made up of multiple Catalyst 3850 switches as MAs, plus an MC; handles roaming across SPG (L2 / L3); multiple SPGs under the control of a single MC form a Sub-Domain
Converged Access – Scalability Considerations (For Your Reference)
As with any solution – there are scalability constraints to be aware of … these are summarized below, for quick reference.

Scalability                                            3850 as MC   5760   5508   WiSM2
Max number of MCs in a Mobility Domain                 8            72     72     72
Max number of MCs in a Mobility Group                  8            24     24     24
Max number of MAs in a Sub-domain (per MC)             16           350    350    350
Max number of SPGs in a Mobility Sub-Domain (per MC)   8            24     24     24
Max number of MAs in a SPG                             16           64     64     64
Max number of WLANs                                    64           512    512    512
Unified Wireless – Point of Presence (PoP), Point of Attachment (PoA)
Existing Unified Wireless Deployment today …
[Figure: a wireless handset on an AP, access and distribution switches, WiSM2s / 5508s (each MC + MA) holding the PoP and PoA, CUCM and the PSTN.]
Point of Presence (PoP) vs. Point of Attachment (PoA) –
• PoP is where the wireless user is seen to be within the wired portion of the network
  • Anchors client IP address
  • Used for security policy application
• PoA is where the wireless user has roamed to while mobile
  • Moves with user AP connectivity
  • Used for user mobility and QoS policy application
Unified Wireless – Traffic Flow
Existing Unified Wireless Deployment today …
[Figure: call path from a wireless handset to a wired handset, hairpinned through the WiSM2s / 5508s (MC + MA, PoP and PoA), with CUCM and the PSTN. Wired policies implemented on switch; wireless policies implemented on controller.]
Traffic Flows, Unified Wireless –
• In this example, a VoIP user is on today’s CUWN network, and is making a call from a wireless handset to a wired handset …
• We can see that all of the user’s traffic needs to be hairpinned back through the centralized controller, in both directions …
In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers – Layer 3 roaming might add more hops) …
The same traffic paths are incurred for voice, video, data, etc. – all centralized.
Separate policies and services for wired and wireless users.
Unified Wireless – Layer 3 Roaming (Campus Deployment)
Existing Unified Wireless Deployment today …
[Figure: Campus Access, Campus Services, Data Center and Data Center-DMZ (Guest Anchors, Internet), with PI and ISE; two 5508 / WiSM-2 controllers (each MC + MA) in a Layer 3 Mobility Group; the user’s PoP and PoA both on the first controller.]
• Initially, the user’s PoP and PoA are co-located on the same controller
• Note – in this deployment model, it is assumed that all of the controllers across the Campus do not share a common set of user VLANs at Layer 2 … (i.e. the controllers are all L3-separated)
• Initially, the user’s traffic flow is as shown …
Unified Wireless – Layer 3 Roaming (Campus Deployment)
Existing Unified Wireless Deployment today …
[Figure: the same Campus topology; the PoP remains on the first 5508 / WiSM-2 while the PoA has moved to the second, with Symmetric Mobility Tunneling between them.]
• Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
• The user’s PoA moves to the new controller handling that user after the roam – but the user’s PoP stays fixed on the original controller that the user associated to
• This is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming
• After the roam, the user’s traffic flow is as shown …
Converged Access – Traffic Flow
[Figure: call path from a wireless handset to a wired handset within a Switch Peer Group of Catalyst 3850 MAs, PoP and PoA on the 3850; WiSM2s / 5508s / 5760s acting as MCs above the distribution layer, CUCM and the PSTN. Traffic does not flow via MCs. Wired and wireless policies implemented on 3850 switch.]
Traffic Flows, Comparison (Converged Access) –
• Now, our VoIP user is on a Cisco Converged Access network, and is again making a call from a wireless handset to a wired handset …
• We can see that all of the user’s traffic is localized to their Peer Group, below the distribution layer, in both directions …
In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming) … two additional hops may be incurred for routing …
More efficient since traffic flows are localized to the 3850 switch – Performance Increase.
Converged policies and services for wired and wireless users.
Converged Access – Traffic Flow and Roaming – Branch, Single Catalyst 3850 Stack
Very common roaming case
[Figure: a branch 3850 switch stack (MC + MA, holding both PoP and PoA) with its APs; CAPWAP tunnels for control and data path terminate on the stack; a CAPWAP tunnel crosses the WAN to the Guest Anchor in the DMZ at the Central Location, where PI and ISE also reside.]
Roaming, Single Catalyst 3850 Switch Stack –
• In this example, the user roams within their 3850-based switch stack – for a small Branch site, this may be the only type of roam
Roaming within a stack does not change the user’s PoP or PoA – since the stack implements a single MA (redundant within the stack), and thus a user that roams to another AP serviced by the same stack does not cause a PoA move (PoA stays local to the stack)
Notice how the 3850 switch stack shown is an MC (as well as an MA) – in a branch such as this with 50 APs or less, no discrete controller is necessarily required …
Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (within SPG)
Very common roaming case
[Figure: a larger branch with one Switch Peer Group of four 3850 stacks (the left-hand stack MC + MA, the others MAs) joined via a distribution layer; the user’s PoP stays on the original stack while the PoA moves to the roamed-to stack. Traffic returns to the PoP for uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application …]
Roaming, Within a Switch Peer Group (Branch) –
• Now, let’s examine a roam at a larger branch, with multiple 3850-based switch stacks joined together via a distribution layer
• In this example, the larger Branch site consists of a single Switch Peer Group – and the user roams within that SPG – again, at a larger Branch such as this, this may be the only type of roam
The user may or may not have roamed across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application
* Adjustable via setting, may be useful for L2 roams
Again, notice how the 3850 switch stack on the left is an MC (as well as an MA) in this picture – in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required …
Overall observation – This looks exactly the same as a Layer 3 inter-controller roam in CUWN … because it is exactly the same process – Just distributed, rather than centralized …
Converged Access – Traffic Flow and Roaming – with Intra-SPG Roam
[Figure: the wireless handset has roamed to a second 3850 MA in the same Switch Peer Group (PoA) while the PoP stays on the first MA; WiSM2s / 5508s / 5760s as MCs above the distribution layer, CUCM and the PSTN. Traffic still does not flow via MCs. Wired and wireless policies implemented on 3850 switch.]
Traffic Flows, Comparison (Converged Access) –
• Now, our VoIP user on the Cisco Converged Access network roams, while a call is in progress between the wireless and wired handsets …
• We can see that all of the user’s traffic is still localized to their Switch Peer Group, below the distribution layer, in both directions …
In this example, a total of 3 hops is incurred for each direction of the traffic path (assuming intra-SPG roaming) … two additional hops may be incurred for routing …
More efficient since traffic flows are still localized to the SPG – Performance & Scalability.
Converged policies and services for wired and wireless users.
Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (across Switch Peer Groups)
Less common roaming case
[Figure: two Switch Peer Groups of 3850 MAs under one MC, with L3 separation assumed at the access layer; the user’s PoP stays in the first SPG while the PoA is now in the second, so the roamed traffic passes via the MC.]
Roaming, Across SPGs (Campus) –
• Now, let’s examine a few more types of user roams
• In this example, the user roams across Switch Peer Groups – since SPGs are typically formed around floors or other geographically-close areas, this type of roam is possible, but less likely than roaming within an SPG
Typically, this type of roam will take place across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application
Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (across Switch Peer Groups)
[Figure: the same two-SPG topology under one MC, with PoP and PoA on different MAs; the addresses 10.101.1.109, 10.101.6.109 and 10.125.11.14 are labelled in the figure.]
Overall view – across the entire Sub-Domain controlled by the MC:

L09-5760-1# show wireless mobility controller client summary
Number of Clients : 5
State is the Sub-Domain state of the client.
* indicates IP of the associated Sub-domain
Associated Time in hours:minutes:seconds

MAC Address     State  Anchor IP     Associated IP  Associated Time
--------------------------------------------------------------------------------
001e.65b7.7d1a  Local  10.101.1.109  10.101.6.109   00:04:36
b817.c2f0.61b2  Local  0.0.0.0       10.101.7.109   00:21:07
74e1.b65a.a8f3  Local  10.101.3.109  10.101.1.109   00:03:27
cc08.e028.6fdd  Local  0.0.0.0       10.101.1.109   00:04:57
a467.06e2.813d  Local  0.0.0.0       10.101.3.109   00:02:56

Annotations, row by row –
• 001e.65b7.7d1a – Roamed client, Switch 1 to Switch 6 (inter-SPG)
• b817.c2f0.61b2 – Stationary client, Switch 7
• 74e1.b65a.a8f3 – Roamed client, Switch 3 to Switch 1 (intra-SPG)
• cc08.e028.6fdd – Stationary client, Switch 1
• a467.06e2.813d – Stationary client, Switch 3
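The show output above is the view an operator has of where each client's PoP (Anchor IP) and PoA (Associated IP) sit after a roam, and an anchor of 0.0.0.0 marks a client that has not roamed off its original MA. The Python below is an added example for this page, not Cisco code and not from the deck: it parses that exact output and labels each client stationary, intra-SPG or inter-SPG. The mapping of MA addresses to Switch Peer Groups is a constructed assumption (the slide does not state which switches share an SPG beyond the two annotated roams), so the SPG-A / SPG-B names and the membership of 10.101.7.109 are placeholders.

```python
"""Parse 'show wireless mobility controller client summary' and classify roams.

Added example (not from the Cisco deck and not Cisco code). The sample output is
the one shown on the slide; SPG_OF_MA is a constructed assumption used only to
label a roam as intra- or inter-SPG. Per the slide annotations, Anchor IP
0.0.0.0 means the client has not roamed (PoP and PoA on the same MA); otherwise
the anchor holds the PoP and the associated IP holds the current PoA.
"""
import re
from dataclasses import dataclass

SHOW_OUTPUT = """\
L09-5760-1# show wireless mobility controller client summary
Number of Clients : 5
State is the Sub-Domain state of the client.
* indicates IP of the associated Sub-domain
Associated Time in hours:minutes:seconds

MAC Address     State  Anchor IP     Associated IP  Associated Time
--------------------------------------------------------------------------------
001e.65b7.7d1a  Local  10.101.1.109  10.101.6.109   00:04:36
b817.c2f0.61b2  Local  0.0.0.0       10.101.7.109   00:21:07
74e1.b65a.a8f3  Local  10.101.3.109  10.101.1.109   00:03:27
cc08.e028.6fdd  Local  0.0.0.0       10.101.1.109   00:04:57
a467.06e2.813d  Local  0.0.0.0       10.101.3.109   00:02:56
"""

# Constructed assumption: which Switch Peer Group each MA belongs to.
# Switches 1 and 3 share an SPG (the slide calls that roam intra-SPG) and
# switch 6 is in a different one (inter-SPG); switch 7's group is a guess.
SPG_OF_MA = {
    "10.101.1.109": "SPG-A", "10.101.3.109": "SPG-A",
    "10.101.6.109": "SPG-B", "10.101.7.109": "SPG-B",
}

# One client row: MAC, state, anchor IP, associated IP, hh:mm:ss.
# An optional '*' after an address marks the associated Sub-domain's IP.
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<state>\S+)\s+"
    r"(?P<anchor>\d+\.\d+\.\d+\.\d+)\*?\s+(?P<assoc>\d+\.\d+\.\d+\.\d+)\*?\s+"
    r"(?P<time>\d+:\d+:\d+)\s*$"
)


@dataclass(frozen=True)
class Client:
    mac: str
    state: str
    anchor_ip: str        # PoP (0.0.0.0 when the client never roamed)
    associated_ip: str    # PoA, the MA currently serving the client
    associated_time: str

    @property
    def roamed(self):
        return self.anchor_ip != "0.0.0.0" and self.anchor_ip != self.associated_ip

    def roam_type(self, spg_of_ma=SPG_OF_MA):
        if not self.roamed:
            return "stationary"
        pop_spg = spg_of_ma.get(self.anchor_ip)
        poa_spg = spg_of_ma.get(self.associated_ip)
        if pop_spg is None or poa_spg is None:
            return "roamed (SPG unknown)"
        return "intra-SPG roam" if pop_spg == poa_spg else "inter-SPG roam"


def parse_client_summary(text):
    """Return the client rows of the show output as Client objects."""
    clients = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            clients.append(Client(m["mac"], m["state"], m["anchor"],
                                  m["assoc"], m["time"]))
    return clients


def summarize(text=SHOW_OUTPUT):
    """Map each client MAC to its roam classification."""
    return {c.mac: c.roam_type() for c in parse_client_summary(text)}


if __name__ == "__main__":
    for mac, kind in summarize().items():
        print(mac, kind)
```

Fed the slide's output, the parser reproduces the slide's annotations: 001e.65b7.7d1a is an inter-SPG roam, 74e1.b65a.a8f3 an intra-SPG roam, and the three clients anchored at 0.0.0.0 are stationary. A sudden rise in the inter-SPG count is the signal that SPG boundaries do not match where users actually move, which is the design question the SPG slides raise.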
Converged Access – More Details – Roaming (For Your Reference)
There are multiple additional roaming scenarios –
• These replicate the traffic flow expectations seen elsewhere with Converged Access
• Traffic within an SPG flows directly between MAs – traffic between SPGs flows via MCs
• Catalyst 3850-based MC deployments are likely to be common in branches and even possibly smaller Campuses
• Larger deployments are likely to use discrete controllers (5760, 5508, WiSM2s) as MCs, for scalability and simplicity
• Rather than detail every roaming case here, some of these are summarized below – Full details are available in a deeper-dive session, upon request …
Converged Access – Catalyst 3850-based MCs – Functionality
[Figure: a Switch Peer Group of 3850 stacks, the first acting as MC + MA and the rest as MAs; a separate MC + MA with the Guest Anchor, PI and ISE at the central site.]
As we saw previously, we can also optionally use a Catalyst 3850 switch as an MC + co-located MA for a Switch Peer Group … let’s explore this in more detail –
• Single Catalyst 3850 MC supported per Switch Peer Group …
• … which can have up to 16 x MAs (stacks) per 3850-based MC
• Single Catalyst 3850 MC can handle up to 50 APs and 2,000 clients total … therefore, up to 50 APs and 2,000 clients in a Catalyst 3850-based Switch Peer Group
• MC handles inter-SPG roaming, RRM, Guest Access, etc.
• More scalable MC capability can be provided by 5760 / WiSM2
But what if we want to scale larger, without implementing 5760 / WiSM2? Is this possible?
Converged Access – Catalyst 3850-based MCs – Scaling
[Figure: two Switch Peer Groups, each with a 3850 MC + MA and three MAs, joined into a Mobility Group as a full mesh of MCs; Guest Anchor (MC + MA), PI and ISE at the central site.]
Switch Peer Group / Mobility Group Scaling with Catalyst 3850 –
• Up to 8 x Catalyst 3850 MCs can be formed into a Mobility Group
• Up to 250 APs total and 16,000 clients supported (maximum) across a Mobility Group made up solely of Catalyst 3850 switches
• Licensing is per MC – not pooled across MCs
• RRM, etc. is coordinated across the MCs in the same Mobility Group
• Guest tunneling is per MC – to Guest Anchor controller
Converged Access – Catalyst 3850-based MCs – When to Use
Considerations –
• Many larger designs (such as most Campuses) will likely utilize a discrete controller, or group of controllers, as MCs. Combined with Catalyst 3850 switches as MAs, this likely provides the most scalable design option for a larger network build.
• However, if using 3850 switches as MCs for smaller builds – and with the scaling limits detailed on the previous slide in mind – we need to determine where to best use this capability.
• Pros –
  • CapEx cost savings – via the elimination of a controller-as-MC in some designs (typically, smaller use cases and deployments) … costs also need to take into consideration licensing on the Catalyst 3850 switches.
• Cons –
  • OpEx complexity – due to some additional complexity that comes into roaming situations when using multiple 3850 switch-based MCs (as detailed in the preceding slide). While not insurmountable, this does need to be factored in as part of the decision process.
Conclusion – In smaller designs (such as branches), the use of Catalyst 3850 switches as MCs is likely workable. In mid-sized designs, this may also be workable, but does lead to some additional roaming considerations (as detailed on the following slides). In large campus deployments, the use of controllers as MCs is more likely, due to economies of scale.
Key Takeaways – Converged Access – Exciting Platforms, and an Evolutionary Addition
Converged Access is an evolutionary advance to our Wireless deployment options.
CA addresses inflection points around device and bandwidth scale, and allows an unprecedented level of traffic visibility and control for wired / wireless deployments.
The Catalyst 3850 switch offers the best stackable switch platform in the industry, incorporating many important advances to the state-of-the-art in stackable switching.
Many of the terms and components used to describe Converged Access also exist in today’s Unified Wireless deployments. New components added with Converged Access include –
• Switch Peer Group (SPG) – used to localize roaming
• Mobility Oracle – used to allow greater Mobility Domain scalability
With CA, the Catalyst 3850 switch is a full partner in the mobility roaming domain. Roaming in Converged Access (by default) behaves as a Layer 3 roam does in Unified Access, incorporating MAs and MCs for seamless roaming with full visibility and control over traffic flows.
In small to mid-sized deployments, the Catalyst 3850 can be used as both an MC as well as an MA.
CUWN Architecture – Overview – Challenges of QoS
Existing Unified Wireless Deployment today …
[Figure: Current Mobility Architecture – APs with CAPWAP Tunnels to a 5508/WiSM2; marking and policing applied at the controller.]
Challenges –
• Overlay model with multiple points of policy application*
• Limited visibility into applications
• Lack of granular classification
• Software based QoS
* Overlay model applies to CUWN local mode and FlexConnect centralized mode
Existing QoS Deployments – How We Overlay QoS Policies Today
Existing Unified Wireless Deployment today …
[Figure: Current QoS Architecture – WAN block and Campus block with a 5508/WiSM2; marking, policing and queuing applied at separate points along the path.]
• Distributed Management, Configuration and Deployment
• Separate policies and services for wired and wireless users
• Wired policies implemented on switch
• Wireless policies implemented on controller, pushed to AP
QoS – What’s New with Converged Access
Wired (Cat 3850) –
• Modular QoS based CLI (MQC)
  • Alignment with 4500E series (Sup6, Sup7)
  • Class-based Queueing, Policing, Shaping, Marking
• More Queues
  • Up to 2P6Q3T queuing capabilities
  • Standard 3750 provides 1P3Q3T
  • Not limited to 2 queue-sets
  • Flexible MQC Provisioning abstracts queuing hardware
Wireless (Cat 3850 & CT 5760) –
• Granular QoS control at the wireless edge – Tunnel termination allows customers to provide QoS treatment per SSID, per Client, and common treatment of wired and wireless traffic throughout the network
• Enhanced Bandwidth Management – Approximate Fair Drop (AFD) Bandwidth Management ensures fairness at Client, SSID and Radio levels for NRT traffic
• Wireless Specific Interface Control – Policing capabilities Per-SSID, Per-Client upstream*** and downstream
• AAA support for dynamic Client based QoS and Security policies
• Per SSID Bandwidth Management
*** NOT available on CT 5760 at FCS
QoS – What’s New with Converged Access
[Figure: a Branch with a UA 3850 as integrated controller serving Employee and Guest SSIDs, connected over the WAN to the DMZ, ISE and Prime; marking and policing applied on the 3850. The Wired (Cat 3850) and Wireless (Cat 3850 & CT 5760) bullet lists are the same as on the previous slide.]
47© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public47
QoS – What’s New with Converged Access: Enhanced Bandwidth Management (AFD)
Cisco Converged Access Deployment

Diagram: one 802.11n AP with four clients, each using 5 Mbps.
Max bandwidth allowed: 54 – (4 * 5) = 34 Mbps
With the CT 5760 or Cat 3850: usage-based fair allocation without configuration.
QoS – What’s New with Converged Access: Wireless Specific Interface Control
Cisco Converged Access Deployment

Diagram: SSID “BYOD” on a Cat 3850.
• QoS policy on the 3850 is used to police each client bidirectionally
• Policy can be sent via AAA to provide a specific per-client policy
• Allocate bandwidth, or police/shape the SSID as a whole
With the 3850: bidirectional policing at the edge, per user, per SSID, and in hardware.
QoS – What’s New with Converged Access: Per SSID Bandwidth Management
Cisco Converged Access Deployment

Diagram: two SSIDs, Enterprise and Guest, sharing one radio, with the bandwidth split between them (10% BW / 90% BW) as deterministic BW.
With the CT 5760 or Cat 3850: deterministic bandwidth is allocated per SSID.
QoS – What’s New with Converged Access: MQC Policy Example
Cisco Converged Access Deployment

Example MQC per-port policy that classifies, marks and polices traffic at the wired edge:

policy-map PER-PORT-POLICING
 class VOIP
  set dscp ef
  police 128000 conform-action transmit exceed-action drop
 class VIDEO
  set dscp cs4
  police 384000 conform-action transmit exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32000 conform-action transmit exceed-action drop
 class TRANSACTIONAL-DATA
  set dscp af21
 class class-default
  set dscp default
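To see what the policy-map above does to traffic, here is an added Python illustration (not Cisco code) that parses the policy-map text and runs a single-rate token-bucket policer per class over one constructed second of traffic. The 2000-byte burst, the packet timings and the fact that packets arrive already classified (the slide does not show the class-maps) are assumptions for the demo. The defender’s point it makes visible: traffic that matches no named class leaves re-marked to DSCP 0 and the matched classes are rate-limited, so a client’s own markings cannot buy it unbounded priority at the edge.

```python
"""Parse the slide's MQC policy-map and run its per-class policers over sample traffic.

Added illustration, not Cisco code. Assumptions: one single-rate token bucket
per class with a fixed 2000-byte burst (the real platform derives its own
burst), and packets that arrive already classified, because the slide does
not show the class-maps that would match them. The traffic below is constructed.
"""
import re

POLICY_MAP = """\
policy-map PER-PORT-POLICING
 class VOIP
  set dscp ef
  police 128000 conform-action transmit exceed-action drop
 class VIDEO
  set dscp cs4
  police 384000 conform-action transmit exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32000 conform-action transmit exceed-action drop
 class TRANSACTIONAL-DATA
  set dscp af21
 class class-default
  set dscp default
"""

DSCP = {"ef": 46, "cs4": 32, "cs3": 24, "af21": 18, "default": 0}


def parse_policy_map(text):
    """Return {class_name: {"dscp": int, "police_bps": int or None}}."""
    classes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"class\s+(\S+)", line, re.I)
        if m:
            current = m.group(1)
            classes[current] = {"dscp": None, "police_bps": None}
            continue
        m = re.match(r"set\s+dscp\s+(\S+)", line, re.I)
        if m:
            classes[current]["dscp"] = DSCP[m.group(1).lower()]
            continue
        m = re.match(r"police\s+(\d+)", line, re.I)
        if m:
            classes[current]["police_bps"] = int(m.group(1))
    return classes


class TokenBucket:
    """Single-rate policer: tokens (bytes) refill at the policed rate, capped at the burst."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_ms = rate_bps / 8 / 1000
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = 0

    def conforms(self, size_bytes, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate_bytes_per_ms)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True           # conform-action transmit
        return False              # exceed-action drop


def apply_policy(policy, packets, burst_bytes=2000):
    """packets: iterable of (time_ms, class_name, size_bytes) in time order.

    Every class is re-marked to the DSCP the policy sets (class-default -> 0)
    and the policed classes are held to their rate, so packets a client marked
    EF itself gain nothing unless they really matched the VOIP class.
    """
    buckets = {c: TokenBucket(p["police_bps"], burst_bytes)
               for c, p in policy.items() if p["police_bps"]}
    stats = {c: {"transmit": 0, "drop": 0, "dscp": p["dscp"]} for c, p in policy.items()}
    for t_ms, cls, size in packets:
        bucket = buckets.get(cls)
        ok = bucket.conforms(size, t_ms) if bucket else True   # unpoliced classes are only marked
        stats[cls]["transmit" if ok else "drop"] += 1
    return stats


def demo():
    """One constructed second of traffic: VoIP inside its profile, video well above it."""
    voip = [(t, "VOIP", 200) for t in range(0, 1000, 20)]      # 80 kb/s  < 128 kb/s policer
    video = [(t, "VIDEO", 1000) for t in range(0, 1000, 10)]   # 800 kb/s > 384 kb/s policer
    bulk = [(t, "TRANSACTIONAL-DATA", 1500) for t in range(0, 1000, 5)]  # marked af21, unpoliced
    packets = sorted(voip + video + bulk, key=lambda p: p[0])
    return apply_policy(parse_policy_map(POLICY_MAP), packets)


if __name__ == "__main__":
    for cls, s in demo().items():
        print(f"{cls:20} transmit={s['transmit']:4} drop={s['drop']:4} dscp={s['dscp']}")
```

With these inputs the VoIP stream passes untouched, the 800 kb/s video stream is cut to roughly half its packets (49 of 100 conform to the 384 kb/s policer plus the burst), and the transactional class is re-marked to AF21 without being policed, matching the conform/exceed actions in the policy-map.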
QoS Touch Points – Port, Radio, SSID, Client – What Features Apply at Each Level, Downstream
Cisco Converged Access Deployment

Into a wired port:
• Classification
• Policing
• Marking

Out of a wireless port (Port → Radio* → SSID → Client):
• Classification
• Mutation*
• Policing
• Shaping*
• Bandwidth
• Priority

Diagram callouts: Port – shaped by default to the sum of the radios; Radio* – shaped by default, 200 Mbps or 400 Mbps; per-level actions shown as Priority, Police, Bandwidth.

NOTES:
• SSID policies are actually per AP or BSSID.
• Marking is based on a table-map, not set.
• The entire SSID is rate limited; AFD manages NRT traffic.
• Radio shaping is not configurable; it is based on the max rate the radio can support.
• Priority queues must be configured; they are not on by default.
Agenda – Converged Access Security and Guest Access
Converged Access – Security is Paramount!
Cisco Converged Access Deployment

The Challenge: device proliferation will lead to billions of devices (Internet of Everything).

Top of mind security concerns:
• How can we enhance the level of security?
• How to deploy a consistent policy for all these devices?
• How to ensure end-to-end security in a scalable way?
Converged Access – Security Architecture Overview
Cisco Converged Access Deployment

Diagram: Contractor users, Guest users and Employees connect through APs to a Cat 3850; two SSIDs, BYOD Guest SSID (open) and BYOD Corporate SSID (dot1x); ISE backed by services (LDAP, CA); Core to Internet.
Converged Access – The Need for Integrated Policy

How to define and apply security policy consistently across every device on the network?

Diagram: a policy matrix of user type (Employee, Contractor, Guest) by access method (Wired, Wireless, VPN) by device ownership (Corporate Device, Personal Device), with each combination mapped to its own policy (Policy A through Policy G).
One Policy – Wired and Wireless
Cisco Converged Access Deployment

Diagram: ISE; corporate resources on VLAN 30, Internet on VLAN 40; AP connected over an 802.1q trunk; a corporate wired device, a corporate wireless device and an employee personal device, the two wireless devices on the same SSID.

1. Dot1X authentication (corporate device)
2. AuthZ with dVLAN 30; dACL permit ip any any
3. Dot1X authentication (employee personal device)
4. AuthZ with dVLAN 40; dACL restricted access
5. Dot1X authentication (corporate device)
6. AuthZ with dVLAN 30; dACL permit ip any any

• Employees using the same SSID can be associated to different VLAN interfaces and policies after EAP authentication
• An employee using a corporate wired or wireless device with their AD user id can be assigned to the same VLAN 30 to have full access to the network
• An employee using a personal iDevice with their AD user id can be assigned to VLAN 40 and a policy to access the Internet only
Converged Access – Policy Enforcement
Authorization – the Second “A” in AAA
Cisco Converged Access Deployment

• Policy management is done in IOS and policy enforcement is done in hardware for both wired and wireless devices
  – For wireless clients, WCM decides which policy is applied
• Client roaming
  – L3 roam: ACL policies are applied on the anchor switch (PoP)
  – L2 roam: ACL policies hand off to the new switch (PoA)
• ACLs – centralized and distributed policy, IPv4 and IPv6
• URL redirection / URL ACL
• VLANs
• Service templates (distributed / centralized)
Per-Session VLAN Assignment – MAC-based VLANs
Cisco Converged Access Deployment

• Before Cat3850: one port, one VLAN per access port (1:1)
  – Exception: voice (one data device untagged, one voice device tagged with the VVLAN)
• Later: VLAN assignment allowed on multi-authentication ports, but the first device ‘rules’ the port
• Now: each session can have an individual VLAN assigned

Diagram: a VM host behind a single access port, Gi1/0/13 (not a trunk!); the port appears in both VLANs:
160 WIRED-EMPLOYEE active Gi1/0/13
170 WIRED-GUEST active Gi1/0/13
Downloadable ACL – Similar
Cisco Converged Access Deployment

Diagram: Mobility Controller above a Peer Group of Mobility Agents, with ISE as the AAA server.

1. Wireless client requests association
2. MA responds back with association
3. WCM triggers the IOS module (Auth Manager) to do authentication
4. IOS (Auth Manager) starts the authentication process for the client with the AAA server
5. AAA server responds with ‘access accept’, including the dACL name and version number in the policy attributes
6. If the switch (MA) has downloaded this dACL previously and has the current version, it uses the cached version
7. If the switch does not have the current version, it queries the server again for the latest dACL version
ISE Policy Definition Example – Same Authorization Policy for Wired AND Wireless
Cisco Converged Access Deployment
Converged Access – MC Wireless Security Features Comparison
Cisco Converged Access Deployment

Feature                                    Cat 3850    CT5760      CT5508
BYOD Functionality                         YES         YES         YES
Rogue detect / classify / contain, RDLP    YES         YES         YES
Port Security                              YES         YES         NO
IP Source Guard                            YES         YES         NO
Dynamic ARP Inspection                     YES         YES         NO
LDAP, TACACS+, RADIUS                      YES         YES         YES
LSC and MIC                                YES         YES         YES
AP dot1x EAP-FAST                          YES         YES         YES
Secure Fast Roaming                        YES         YES         YES
802.1X-rev-2010 (MACsec / MKA)             H/W Ready   H/W Ready   NO
Converged Access – MC Security Features Comparison (continued)
Cisco Converged Access Deployment

Feature                                    Cat 3850    CT5760      CT5508
IP Theft, DHCP Snooping, Data Gleaning     YES         YES         YES
IOS ACL                                    YES         YES         YES
Adaptive wIPS, WPS                         YES         YES         YES
CIDS                                       YES         YES         YES
TrustSec SGT / SGACL                       H/W Ready   H/W Ready   SXP
Guest Access                               YES         YES         YES
IPv6 RA Guard                              YES         YES         NO
MFP                                        YES         YES         YES
IP Device Tracking                         YES         YES         NO
CoPP                                       Static      Static      NO
Key Takeaways – the Converged Access Security Architecture provides:
Cisco Converged Access Deployment

• Harmonized security features for wired and wireless
• Integrated policy for both wired and wireless
• Increased scalability through optimizing a balance of centralized & distributed architecture
Converged Access, Mid-Sized and Small Branch – Guest Access with Catalyst 3850 Only (< 250 APs, and no Guest Anchor)
Cisco Converged Access Deployment

WebAuth Portal Characteristics – Small to Mid-Size Independent or Remote Branch
• Distributed Guest WebAuth portal in each MA
• Wireless guest traffic gets its PoP at the MA
• WebAuth portal on-box: customizable login page or redirect, e-mail input, Click-2-Accept acceptable use page, passthru/consent, logout page
• HTTPS and HTTP redirect for wired and wireless
• Authenticating: local database / AAA / LDAP / Cisco Prime lobby ambassador
• Security: pre-auth ACL, AAA override for dACL, enhanced QoS (MQC) class assignment, session timeout, blacklisting
• Visibility: Flexible NetFlow
• Seamless mobility: L2/L3 roaming

Diagram: a Cat3850 stack (MC/MA plus MAs in an SPG), each running WebAuth, with CAPWAP tunnels to APs serving Guest and Employee clients; ISE and Cisco Prime Infrastructure (CPI) on the intranet; firewall to the Internet.
Converged Access, Mid-Sized and Small Branch – WebAuth & Guest Anchor with 5760 and 3850 (< 250 APs per Branch)
Cisco Converged Access Deployment

WebAuth Portal & GA Characteristics – Small to Mid-Size Independent Branch with Cat3850
• Central Guest WebAuth portal in the CT5760 GA*
  * Centralized wireless guest only at FCS; the Cat3850 only acts as Foreign
• Wireless guest traffic gets its PoP at the GA
• Provides granular centralized profiling of guest devices at the ISE Policy Decision Point (PDP)
• Provides simple aggregation to the DMZ for firewall and web filtering of all guests
• WebAuth portal on-box: customizable login page or redirect, e-mail input, Click-2-Accept acceptable use page, passthru/consent, logout page
• HTTPS and HTTP redirect for wired and wireless
• Authenticating: local database / AAA / LDAP / Cisco Prime lobby ambassador
• Security: pre-auth ACL, AAA override for dACL, enhanced QoS (MQC) class assignment, session timeout, blacklisting
• Visibility: Flexible NetFlow
• Seamless mobility: L2/L3 roaming

Diagram: a branch Cat3850 stack (MC/MA and MAs in an SPG, acting as Foreign) with CAPWAP tunnels to APs serving Guest and Employee clients; a CAPWAP mobility tunnel to the CT5760 Guest Anchor in the data center service block, where WebAuth runs; ISE and CPI; firewall to the intranet.
Converged Access, Large Campus – Campus WebAuth & Guest Anchor with Centralized 5760
Cisco Converged Access Deployment

WebAuth Portal & GA Characteristics – Large Independent Branch (No Cat3850) – “Classic Centralized CUWN”
• Central Guest WebAuth portal in the CT5760 GA
• Wireless guest traffic gets its PoP at the GA
• Provides granular centralized profiling (PDP) of guest devices
• Provides simple aggregation to the DMZ for firewall and web filtering of all guests
• WebAuth portal on-box: customizable login page or redirect, e-mail input, Click-2-Accept acceptable use page, passthru/consent, logout page
• HTTPS and HTTP redirect for wired and wireless
• Authenticating: local database / AAA / LDAP / Cisco Prime lobby ambassador
• Security: pre-auth ACL, AAA override for dACL, enhanced QoS (MQC) class assignment, session timeout, blacklisting
• Visibility: Flexible NetFlow
• Seamless mobility: L2/L3 roaming

Diagram: Cat3750 access switches with APs serving Guest and Employee clients, CAPWAP tunnels to a 5760 in a distributed service block; a CAPWAP mobility tunnel to a 5760 Guest Anchor in the data center service block running WebAuth; ISE and CPI; firewall to the intranet.
Guest Anchor (GA) – AireOS and IOS Deployment Highlights
Cisco Converged Access Deployment

• Converged Access Cat3850 and CT5760 both support consistent CUWN GA modes, as per the AireOS 7.0.220.0 release features
• Anchor roles are supported on the CT5760, and also on the CT5508 / WiSM-2 running the new hierarchical mobility mode only (7.3.112.0)
• The Foreign role is supported on Cat3850 / CT5760 / CT5508 / WiSM-2
• Authentication methods –
  ‒ L3 methods (WebAuth): L3 authentication happens at the Anchor (PoP)
  ‒ L2 methods (PSK, Dot1x): L2 authentication happens at the Foreign (PoA)

Diagram: a Cat3850 Foreign (MC/MA and MAs in an SPG) with CAPWAP tunnels to APs and a CAPWAP mobility tunnel to the CT5760 Guest Anchor in the data center service block (WebAuth); ISE and CPI; firewall to the intranet.
New Hierarchical Mobility Mode, with Guest Access – IRCM Compatibility Matrix
http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.htm
Cisco Converged Access Deployment

CUWN Service                              4.2.x.x  5.0.x.x  5.1.x.x  6.0.x.x  7.0.x.x  7.2.x.x  7.3.101.0  7.3.112.0 (1)  IOS WCM 3.2.0SE
Layer 2 and Layer 3 Roaming               Y        –        –        Y        Y        Y        Y          O              O
Wireless Guest Anchor/Termination         Y        Y        Y        Y        Y        Y        Y          O              O (2)
WiPS & AwISP Rogue Detection              Y        –        –        Y        Y        Y        Y          O              O (3)
Fast Roaming (CCKM) in a mobility group   Y        –        –        Y        Y        Y        Y          O              O
Location Services                         Y        –        –        Y        Y        Y        Y          O              O
Radio Resource Management (RRM)           Y        –        –        Y        Y        Y (4)    Y (4)      O (5)          O (5)
Management Frame Protection (MFP)         Y        –        –        Y        Y        Y        Y          O              O
AP Failover                               Y        –        –        Y        Y        Y        Y          O (6)          O (6)

Y = Compatibility in Classic Flat Mobility    O = Compatibility in New Hierarchical Mobility

NOTES:
1. New Mobility is only supported on the AireOS CT5508 & WiSM-2 platforms, but does not form any IRCM or GA with CT2500/CT7500/CT8500/v-WLC
2. Guest Anchor termination is only supported on CT5760/CT5508/WiSM-2. CT5760/CT5508/WiSM-2/Cat3850 are all supported as a Foreign
3. Rogue Detector mode not supported
4. In release 7.2, RF Profiles and groups were introduced. RRM for release 7.2 and later is not backwards compatible with previous releases.
5. RRM in Converged Access is compatible with CUWN release 7.3.112.0 but does not support the RF Profiles and Groups introduced in 7.2
6. No AP SSO in IOS for the CT5760. AP intra-OS platform fast failover is supported. AP inter-OS platform image download & reboot is performed.
Key Takeaways – the Converged Access Guest Access Architecture provides:
Cisco Converged Access Deployment

• Well proven & reliable GA architecture, as previously utilized across CUWN
• Robust GA feature set with new, expanded QoS and policy capabilities
• Simplified configuration with rich IOS troubleshooting tools
Agenda – Converged Access Design Options
Converged Access – Small Branch – No Discrete Controllers, Catalyst 3850s as MC / MAs

Characteristics –
• May be a lower-speed WAN link (bandwidth and latency a concern only for Guest traffic)
• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming
• Supports VideoStream and optimized multicast
• Good availability due to MA/MC redundancy within the 3850 stack – provides wireless continuity with either WAN outage or switch failure within the stack

Up to 50 APs. Applicable to a small branch deployment. The deployment could consist of multiple stacks – one stack as MC/MA, the rest of the stacks as MAs only.
Converged Access – Small / Medium Branch – No Discrete Controllers, Catalyst 3850s as MC / MAs, Single SPG

Characteristics –
• No discrete controllers deployed, even with multiple wiring closets
• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming
• Supports VideoStream and optimized multicast
• Good availability due to MA/MC redundancy within the 3850 stacks – provides wireless continuity with either WAN outage or switch failure within the stack

Up to 50 APs. Applicable to a small to medium branch deployment.
Converged Access – Large Branch – No Discrete Controllers, Catalyst 3850s as MCs / MAs, Multiple SPGs

Characteristics –
• No discrete controllers deployed, even at a larger branch
• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming
• Supports VideoStream and optimized multicast
• Good availability due to MA/MC redundancy within the 3850 stacks – provides wireless continuity with either WAN outage or switch failure within the stack

Up to 250 APs. Applicable to a larger branch deployment. Scalability … up to 8 x 3850-based MCs.
Note – MCs handle one or more SPGs each, with all MCs meshed into a single Mobility Group for the site. Guest tunnel per MC to the Anchor.
Converged Access – Large Branch – Controllers as MCs, Catalyst 3850s as MAs only, Multiple SPGs

Characteristics –
• Greater scalability via the use of discrete controllers as MCs, in conjunction with Catalyst 3850 switches as MAs
• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming, VideoStream, and optimized multicast
• Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers) – provides wireless continuity with either WAN outage or switch / controller failure
• Simplified Mobility deployment vs. the use of 3850 switches as MCs / MAs

> 250 APs. Applicable to a larger branch or small campus.
</gr_repl
ace>

<gr_replace lines="1207-1216" cat="reformat" orig="Applicableto">
Converged Access – Large Campus – Centralized MCs, 3850s as MAs only

Characteristics –
• Use of discrete controllers as MCs, combined with Catalyst 3850 switches as MAs, provides for a very scalable solution
• Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming – provides scalability by keeping many roams localized to SPGs (below distribution)
• Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers)
• Simplified Mobility deployment using 3850 switches as MAs only, vs. the use of 3850 switches as MCs / MAs

> 250 APs. Applicable to a larger campus.
Applicableto a Larger
Campus
Characteristics –
• Use of discrete controllers as MCs, combined with Catalyst 3850 switches as MAs, provides for a very scalable solution
• Allows for Advanced QoS, NetFlow,and other services for wireless and wired traffic
• Supports Layer 3 roaming – provides scalability bykeeping many roams localized to SPGs (below dist.)
• Good availability due to MAredundancy (3850 stacks) and MC redundancy (controllers)
• Simplified Mobility deployment using 3850 switches as MAs only, vs. the use of 3850 switches as MCs / MAs
>250 APsConverged Access –Large Campus – Centralized MCs, 3850s as MAs only
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public77
Converged Access – Large Campus – Distributed MCs, 3850s as MAs only

Characteristics –
• Use of discrete controllers as MCs, combined with 3850 switches as MAs, provides for a very scalable solution
• Use of distributed controllers (vs. centralized in the DC) may be more appropriate in some wireless deployments
• Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming – provides scalability by keeping many roams localized to SPGs (below distribution)
• Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers)
• Simplified Mobility deployment using 3850 switches as MAs only, vs. the use of 3850 switches as MCs / MAs

> 250 APs. Applicable to a larger campus.
Agenda – Converged Access Migration
Converged Wired / Wireless Access – Evolving from Overlay …
Existing Unified Wireless Deployment Today…

Diagram: data center / service block with 5508 / WiSM2 controllers in a Mobility Group (EtherIP mobility tunnel between them), ISE and PI; CAPWAP tunnels from the controllers across the intranet to the APs.

Prior to migration to Converged Access – well-known and well-proven …
• Separate policies and services for wired and wireless users
• Wired policies implemented on the switch
• Wireless policies implemented on the controller
• All wireless traffic centralized via the controllers, as shown
Converged Wired / Wireless Access – Evolving from Overlay …
Cisco Converged Access Deployment

Initial migration step – controller upgrades, implementation of the first CA switches (intermediate step)

Diagram: the 5508 / WiSM2 controllers in the data center / service block receive a software upgrade and now act as MC + MA, keeping the EtherIP mobility tunnel between them; the first Catalyst 3850 switches (MAs) form a Switch Peer Group with a CAPWAP mobility tunnel up to the controllers, while the remaining access switches still use CAPWAP tunnels to the controllers; ISE and PI in the service block.

Be aware that feature differences may exist, based on MA software versions.
Converged Wired / Wireless Access – Evolving from Overlay …
Cisco Converged Access Deployment

Further migration step – controller upgrades, implementation of additional CA switches (intermediate step)

Diagram: in the data center / service block the 5508 / WiSM2 controllers (controller upgrade) and 5760 controllers act as MC + MA in the Mobility Group, with ISE and PI; additional Catalyst 3850 switches form further Switch Peer Groups of MAs with CAPWAP mobility tunnels to the controllers; the remaining legacy access switches still use CAPWAP tunnels.
Converged Wired / Wireless Access – … to Integrated
Cisco Converged Access Deployment

Implementation of an end-to-end Converged Access deployment

Diagram: data center / service block with 5760 or upgraded WiSM2 / 5508 controllers as MC + MA, ISE and PI; Catalyst 3850 switches in Switch Peer Groups as MAs, CAPWAP tunnels from the APs terminating locally and CAPWAP mobility tunnels up to the MCs.

• Converged policies and services for wired and wireless users
• Wired and wireless policies implemented on the 3850 switch
• Increase in performance and scalability via local termination of both wired and wireless traffic
• Increase in visibility and control (NetFlow, Advanced QoS, etc.) via local termination of both wired and wireless traffic
Agenda – Wrap-up and Final Thoughts
Bringing Together Wired and Wireless – How Are We Addressing This Shift?
Cisco Converged Access Deployment

An evolutionary advance to Cisco’s wired + wireless portfolio, to address device and bandwidth scale, and services demands ….

• Control plane functionality on the next-generation WLAN controller (5760) – also possible on upgraded 5508s and WiSM2s for brownfield deployments, or on NG Converged Access switches for small branch deployments
• Data plane functionality on next-generation switches (Catalyst 3850s) – also possible on NG controllers, for deployments in which a centralized approach is preferred

Enabled by Cisco’s strength in silicon and systems … UADP ASIC
Bringing Together Wired and Wireless – With a Next-Generation Deployment and Solution
Cisco Converged Access Deployment

An evolutionary advance to Cisco’s wired + wireless portfolio, to address device and bandwidth scale, and services demands ….

Diagram: a Cisco Converged Access deployment as a Mobility Domain containing Sub-Domain #1 and Sub-Domain #2; within a Mobility Group, each MC serves Switch Peer Groups (SPGs) of MAs; ISE and PI are shared.
Converged Access – Tell Us How We Did!
Did We Achieve Our Objectives?
Cisco Converged Access Deployment

Do you have a better understanding …
• of what Converged Access is …
• of how Converged Access works …
• and how you would use it in your network designs?

Thank you.