Flavien RICHARD Mobility SoluAons Architect CONVERGED ACCESS MOBILITY DESIGN & ARCHITECTURE

Transcription

1

2 Flavien RICHARD Mobility SoluAons Architect CONVERGED ACCESS MOBILITY DESIGN & ARCHITECTURE

3 AGENDA What is Converged Access? Converged Access PlaLorms Overview Wireless Deployment OpAons Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS- XE 3.6 Release Update Bringing Together Wired and Wireless

4 One Network with Converged Access I O S B a s e d W L A N C o n t r o l l e r Cisco Wireless LAN 5 Controller WLC 760 Internal Resources Consistent IOS and ASIC as Catalyst 3x50 Required to scale to larger AP counts and client domains One Network C o n v e r g e d A c c e s s M o d e Corporate Network Integrated wireless controller Distributed wired/wireless data plane Cisco (CAPWAP terminaaon on switch) Access Point Catalyst 3650 Catalyst Switch Catalyst 3850 LAN Mgmt SoluAon Internet One Policy Wireless Control System ISE Cisco Firewall Access Control Server IdenAty Mgmt One Management Guest Server Prime NAC Profiler 4

5 Converged Wired/Wireless Access - Benefits Single plaform for wired and wireless Network wide visibility for faster troubleshooang Consistent security and Quality of Service control Maximum resiliency with fast stateful recovery Scale with distributed wired and wireless data plane Common IOS, same administraaon point, one release Wired and wireless traffic visible at every hop Hierarchical bandwidth management and distributed policy enforcement Layered network high availability design with stateful switchover Large stack bandwidth; 40G wireless / switch; efficient mulacast; ac opamized Unified Access - One Policy One Management One Network

6 AGENDA What is Converged Access? Converged Access PlaLorms Overview Wireless Deployment OpAons Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS- XE 3.6 Release Update Bringing Together Wired and Wireless

7 Unified Access Components Complete Overview One Policy with IdenAty Services Engine (ISE 1.3) BYOD policy management Device profiling and posture Guest access portal One Management with Cisco Prime 2.1 Full wired and wireless management User/device centric view IntuiAve troubleshooang workflows Who? What? When? Where? How? Catalyst 3850 ISE Cisco Prime 5760 Wireless Controller Catalyst 3850/3650 Industry s first fully integrated wired and wireless switch Wireless: 480G stack, up to 50 APs, up to 2K clients, 40G Flexible NetFlow, Granular QoS, AVC, NaAve Profiling 5760 Wireless Controller Consistent IOS with Catalyst G, 1K APs, 12K Clients, N+1 Redundancy Flexible NeLlow, Granular QOS, AVC, NaAve Profiling Best- in- Class Performance, Security and Resiliency

8 Catalyst 3850 Switch Platform Overview Wireless CAPWAP TerminaAon in HW Up to 50 APs / 2000 clients per stack, and 40G per switch 480 Gbps Stacking Bandwidth Up to 2000 Clients per Stack Full POE+ FRU Fans, Power Supplies - HA Stackpower Granular QoS / Flexible NetFlow / SGT- SGACL APs must be directly connected to Catalyst 3850 Line Rate on All Ports MulA- Core CPU 40 Gbps Uplink Bandwidth (Modular) Built on Cisco s InnovaRve UADP ASIC

9 Catalyst 3650 Switch Platform Overview New Front- End Power Supplies FRU Fans Modular 160 Gbps 9 members Stack Up to 25 APs / 1000 clients per stack, and 40G per switch Up to 1000 Clients per Stack SGT/SGACL Granular QoS / Flexible NetFlow APs must be directly connected to Catalyst 3650 Line Rate on All Ports Full POE+ Wireless CAPWAP TerminaAon in HW Fixed 1G/10G Uplinks Up to 40 Gbps Uplink Bandwidth Built on Cisco s InnovaRve UADP ASIC

10 Wireless LAN Controller (WLC) 5760 Platform Overview Centralized, or Converged Access Deployment Modes First IOS-Based Wireless LAN Controller Up to 1000 Access Points 6x 1/10G SFP+ uplinks with LAG FRU Fans Up to 12,000 Concurrent Clients 60 Gbps Wireless Bandwidth Granular QOS/Flexible NetFlow HA Port B u i l t o n C i s c o s I n n o v a R v e U A D P A S I C FRU Power Supplies

11 AGENDA What is Converged Access? Converged Access PlaLorms Overview Wireless Deployment OpAons Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS- XE 3.6 Release Update Bringing Together Wired and Wireless

12 Cisco One Network: Wireless Deployment Modes One Policy, One Management, One Network Unified Access Wireless Autonomous FlexConnect Centralized Converged Access Unparalleled Deployment Flexibility

13 Unified Access: Wireless Deployment Modes Autonomous FlexConnect Centralized Converged Access WAN Standalone APs Traffic Distributed at AP Traffic Centralized at Controller Traffic Distributed at Switch Target Positioning Purchase Decision Small Wireless Network Branch Campus Branch and Campus Wireless only Wireless only Wireless only Wired and Wireless Benefits Key Considerations Simple and cost-effective for small networks Highly scalable for large number of remote branches Simple wireless operations with DC hosted controller Limited RRM, L2 roaming only no Rogue detection WAN BW and latency requirements Simplified operations with centralized control for Wireless Wireless Traffic visibility at the controller Wired and Wireless common operations One Enforcement Point One OS (IOS) Traffic visibility at every network layer Performance optimized for 11ac System throughput Catalyst 3850/3650 in the access layer

14 Converged Access Deployment Modes INTEGRATED CONTROLLER OPTIONS EXTERNAL MOBILITY CONTROLLER NEEDED DMZ Prime ISE ISE Prime Mobility Controller ISE Prime Mobility Controller 5508 or WISM2 on 8.0 or new 5760 Optional Guest Anchor WAN CA 3K 3x50 INTEGRATED CONTROLLER 3x50 INTEGRATED CONTROLLER CA 3K Any CA 3K Mobility Agent Traditional 3K/4K Employee 14 Guest AP CAPWAP Tunnels Access Points Access Points Controller-less BRANCH Up to 25 Access Points with 3650 (50 w3850) Up to 1000 Clients per branch with 3650 All WAN Services Available (local termination) Controller-less SMALL/MEDIUM CAMPUS Up to 200 Access Points with only 3650s Up to 250 Access Points with 3850s Up to 8000 Clients with only 3650s (16k w/3850) Visibility, Control and resiliency LARGE CAMPUS with Controllers Up to Access Points (5760 or WiSM-2) Up to clients (WiSM-2 as MCs) Largest Layer 3 roaming domains Capwap Tunnel Standard Ethernet, No Tunnels Guest Tunnel from Switch to DMZ Controller

15 AGENDA What is Converged Access? Converged Access PlaLorms Overview Wireless Deployment OpAons Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS- XE 3.6 Release Update Bringing Together Wired and Wireless

16 Architecture Constructs CUWN Tunnel Types Mobility Group WLC #1 Intranet EoIP Mobility Tunnel ( < 7.2) CAPWAP OpRon in 7.3 Data Centre / Service block Internet ISE PI Foreign WLC Guest Anchor Well- known, proven architecture WLC #2 SSID VLAN Mapping (at controller) Encrypted (see Notes) CAPWAP Tunnels AP AP AP AP SSID2 SSID1 SSID3 Notes LEGEND Inter- Controller (Guest Anchor) EoIP / CAPWAP Tunnel Inter- Controller EoIP / CAPWAP Tunnel AP- Controller CAPWAP Tunnel Control Session + Data Plane AP / WLC CAPWAP Tunnels are an IETF Standard UDP ports used 5246: Encrypted Control Traffic 5247: Data Traffic (non- Encrypted or DTLS Encrypted (configurable)) Inter- WLC Mobility Tunnels EoIP IP Protocol 97 AireOS 7.3 introduces CAPWAP opaon Used for inter- WLC L3 Roaming and Guest Anchor

17 Architecture Constructs CUWN Product Examples Mobility Group Controllers WLC 5508, WiSM2 WLC #1 Core Switches Catalyst E Intranet EoIP Mobility Tunnel ( < 7.2) CAPWAP OpRon in 7.3 WLC #2 Data Centre / Service block Internet ISE PI Foreign WLC Guest Anchor Controller WLC 5508 Well- known, proven Architecture CAPWAP Tunnels AP AP AP AP DistribuRon Switches Catalyst E, E Access Switches Catalyst X, E Access Points AP3700, 2700, etc. Some typical examples of products we see used today (at various points in the CUWN soluaon set) - for wireless as well as wired connecavity SSID2 SSID1 SSID3

18 Converged Access Deployment Overview Mobility Domain ISE MO# PI Mobility Group MC MC Sub-Domain #1 SPG SPG MA Sub-Domain #2 MA MA MA MA MA

19 Converged Access Components Physical vs. Logical Entities Physical EnRRes Mobility Agent (MA) Terminates CAPWAP tunnel from AP Mobility Controller (MC) Manages mobility within and across Sub- Domains Mobility Oracle (MO) Superset of MC, allows for Scalable Mobility Management within a Domain Logical EnRRes Mobility Groups Grouping of Mobility Controllers (MCs) to enable Fast Roaming, Radio Frequency Management, etc. Switch Peer Group (SPG) Localises traffic for roams within its DistribuAon Block MA, MC, Mobility Group funcronality all exist in today s controllers (4400, 5500, WiSM2) Cisco Converged Access Deployment

20 Physical Entities Mobility Agents(MA) Service Block ISE PI MA# MA# MA# MA is the first level in the hierarchy of MA / MC One MA per Catalyst 3850/3650 Stack Maintains Client DB of locally served clients Interfaces to the Mobility Controller (MC) AP AP AP

21 Physical Entities Mobility Controllers (MC) Service Block ISE MC# MC# PI MA# MA# MA# AP AP AP Mandatory element in design Can be hosted on a MA (smaller deployments) Manages AP licenses for the downstream MAs Maintains Client DB within a Sub- Domain (1 x MC = One Sub- Domain) Handles RF funcrons (including RRM) MulRple MCs can be grouped together in a Mobility Group for scalability Supported plaforms are Catalyst 3850/3650, WiSM2, 5508, and 5760

22 Logical Entities Switch Peer Groups (SPGs) MA MA Made up of multiple Catalyst 3x50 switches as Mobility Agents (MAs), plus an MC (on controller as shown) Handles roaming across SPG (L2 / L3) MAs within an SPG are fully-meshed (auto-created at SPG formation) Fast Roaming within an SPG Sub-Domain 1 SPG-B MA SPG-A MA Multiple SPGs under the control of a single MC form a Sub-Domain MC SPGs are a logical construct, not a physical one SPGs can be formed across Layer 2 or Layer 3 boundaries SPGs are designed to constrain roaming traffic to a smaller area, and optimize roaming capabilities and performance SPGs will likely be built around buildings, around floors within a building, or other areas that users are likely to roam most within Roamed traffic within an SPG moves directly between the MAs in that SPG (CAPWAP full mesh) Roamed traffic between SPGs moves via the MC(s) servicing those SPGs

23 Converged Access: Mobility Architecture Mobility Oracle Mobility Controller Mobility Group N Mobility Subdomain A Mobility Subdomain B Mobility Group M Mobility Agent Peer Group 1 Peer Group 2 Mobility Domain 14ms 50ms 80ms 120ms > 250ms Fast Roam Full Authentication

24 Converged Access Scalability and Interoperability Centralized 3650 / 3850 CT5760 CT5508 WiSM2 3.3.x SE 3.3.x SE (Supported / Recommended *) AireOS 7.6.x & 8.0.x AireOS 7.6.x & 8.0.x Centralized Mode Support N/A Yes Yes Yes For Your Reference Centralized - APs N/A 1000 / Centralized - Clients Supported N/A / FlexConnect & Mesh Support No No Yes Yes Centralized - Number of MCs in Mobility Domain N/A 72 / Centralized Design recommendaron Summary * Current recommended deployment design guidelines. 24

25 Scalability and Interoperability Converged Access Mode For Your Reference CT5760 CT5508 WiSM2 3.3.x SE (Supported / Recommended *) 3.3.x SE (Supported / Recommended *) 3.3.x SE (Supported / Recommended *) AireOS 7.6.x & 8.0.x AireOS 7.6.x & 8.0.x Mobility Controller Mode Yes Yes Yes** Yes Yes APs Supported / Clients Supported / Mobility Agent Mode Yes Yes N/A N/A N/A Number of MC in Mobility Domain 8 / 2 8 / 2 72 / Number of MAs in Sub- domain (per MC) 16 / 8 16 / / AP Scale (Per- Domain) 200 / / / Converged Access Design RecommendaRon Summary * Current recommended deployment design guidelines ** CT5760 is the preferred external appliance to operate as MC 25

26 Converged Access Interoperability Hybrid Mode For Your Reference 3650 / 3850 CT5760 CT5508 WiSM2 3.3.x SE 3.3.x SE AireOS 7.6.x & 8.0.x AireOS 7.6.x & 8.0.x Mixed MC ( CA & Centralized) Mode No Yes** Yes Yes IRCM (Inter- Release Controller Mobility) Yes Yes Yes Yes Guest Anchor Interoperability Yes Yes Yes Yes - Guest Anchor Mode No Yes Yes Yes - Foreign Anchor Mode Yes Yes Yes Yes Hybrid Wireless Design RecommendaRon Summary ** CT5760 is the preferred external appliance to operate as MC 26

27 AGENDA What is Converged Access? Converged Access PlaLorms Overview Wireless Deployment OpAons Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS- XE 3.6 Release Update Bringing Together Wired and Wireless

28 Converged Access Deployment Before You Begin How to Connect APs The Catalyst 3850 and 3650 support only directly attached APs APs need to be in the same VLAN as the Wireless Management interface: interface GigabitEthernet1/0/1 description to_ap switchport access vlan 31 switchport mode access interface Vlan31 ip address ! wireless management interface Vlan31 If you do not define a wireless management VLAN on the 3x50, the switch will then be transparent to AP attachment and everything will continue to operate as it does today on a 3750-X. As soon as you define a «wireless management interface VLAN», the Catalyst 3x50 will intercept all incoming AP CAPWAP requests on that vlan, and terminate / process them at the local ASIC. WLC 5760 supports only NON-directly attached APs Same as it works today in CUWN: AP attached to a local switch (3750-X or alike) finds the centralized controller through DHCP option 43 or other methods and registers

29 Wireless Best Practices Summary SECURITY WIRELESS / RF Enable band select Enable fast ssid change Disable low data rate Enable Platinum QoS for Voice WLAN Enable RRM (DCA and TPC) to be auto Configure WebAuth best practices Enable CleanAir Limit the number of SSID to 3 Enable 802.1x and WPA/WPA2 on WLAN/SSID Change advanced EAP timers Enable client exclusion Enable rogue classification Enable Max Concurrent Logins for a user name Enable strong password policies Enable ACL on your WLAN INFRASTRUCTURE Upgrade to recommended software version (3.3.4 or 3.6) Configure GUI Settings Apply right-to-use licenses Configure default gateway Enable NTP/Time Enable ap capwap multicast Configure DHCP Snooping Configure LAG for port redundancy Enable High Availability AP SSO Enable AVC (Application Visibility and Control) For Your Reference

30 Converged Access Deployment Branch Use Case DMZ Prime ISE INTEGRATED CONTROLLER OPTIONS ISE Prime Mobility Controller ISE EXTERNAL MOBILITY CONTROLLER NEEDED Prime 5508 or WISM2 with SW Upgrade or new 5760 WAN 3850/ 3650 INTEGRATED CONTROLLER New Catalyst 3850 INTEGRATED CONTROLLERS New Catalyst 3850 New Catalyst 3850 Mobility Agent Catalyst 3750 Employee BRANCH UP TO 50 ACCESS POINTS Guest AP Capwap Tunnels LARGER BRANCH/SMALL CAMPUS MULTIPLE STACKS, UP TO 250 APs Capwap 2014 Cisco Tunnel and/or its affiliates. All rights reserved. Cisco Standard Public Ethernet, No Tunnels Guest Tunnel from Switch to DMZ Controller Access Points LARGE CAMPUS GREATER THAN 250 ACCESS POINTS Access Points

31 Converged Access Deployment Branch Use Case Mobility Configuration Management VLAN ConfiguraAon interface Vlan31 description MANAGEMENT VLAN ip address SVIs for client VLANs defined locally on the switch interface Vlan32 description Client VLAN32 ip address interface Vlan33 description Client VLAN33 ip address Wireless Management Interface ConfiguraAon 3850(config)# wireless management interface VLAN31 This acavates the MA funcaonality 3850 Prime ISE WAN INTEGRATED CONTROLLER 3850# show wireless Interface summary Wireless Interface Summary AP Manager on management Interface: Enabled Interface Name Interface Type VLAN ID IP Address IP Netmask MAC Address Vlan31 Management ce.0a55 BRANCH Guest

32 Converged Access Deployment Branch Use Case Mobility Configuration, continued Configuring Mobility Controller 3850(config)# wireless mobility controller This acavates the MC funcaonality Prime ISE Mobility role changed to Mobility Controller Please save config and reboot the whole stack 3850# sh wireless mobility summary Mobility Controller Summary: Arer reboot WAN Mobility Role : Mobility Controller Mobility Protocol Port : Mobility Group Name : default Mobility Oracle IP Address : DTLS Mode : Enabled Mobility Domain ID for r : 0xac34 Mobility Keepalive Interval : 10 Mobility Keepalive Count : 3 Mobility Control Message DSCP Value : 0 Mobility Domain Member Count : 1 Link Status is Control Path Status : Data Path Status 3850 INTEGRATED CONTROLLER Guest Controllers configured in the Mobility Domain: IP Public IP Group Name Multicast IP Link Status default UP : UP BRANCH

33 GUI: Wireless Management Configuration

34 GUI: VLAN Interface Configuration

35 Converged Access Deployment Branch Use Case AP Port and WLAN Configuration Access Point port configuraaon interface GigabitEthernet1/0/15 description - Access port for Access points switchport access vlan 31 switchport mode access Access Points need to be configured on Wireless Management VLAN Prime ISE 3850# show ap summary Number of APs: 1 WAN Global AP User Name: Not configured Global AP Dot1x User Name: Not configured AP Name AP Model Ethernet MAC Radio MAC State AP3502I 3502I c47d.4f3a.ed80 04fe.7f49.58c0 Registered 3850 INTEGRATED CONTROLLER WLAN ConfiguraAon WLAN sample 3850(config)# wlan WPA-PSK 4 wpa-psk configuraaon 3850(config-wlan)# client vlan (config-wlan)# no security wpa akm dot1x 3850(config-wlan)# security wpa akm psk set-key ascii 0 Cisco (config-wlan)# no shut BRANCH Guest

36 Converged Access Deployment Branch Use Case Client Connectivity Client ConnecAvity 3850# sh wireless client summary Prime ISE Number of Local Clients : 1 MAC Address AP Name WLAN State Protocol f81e.dfe2.e80e AP3502I 4 UP 11n(5) WAN 3850# sh wcdb database all Total Number of Wireless Clients = 1 Clients Waiting to Join = 0 Local Clients = 1 Anchor Clients = 0 Foreign Clients = 0 MTE Clients = 0 Mac Address VlanId IP Address Auth Mob f81e.dfe2.e80e RUN LOCAL 3850 INTEGRATED CONTROLLER BRANCH Guest

37 GUI: WLAN Configuration

38 Converged Access Deployment Larger Branch / Small Campus Use Case SPG Configuration 3850-MC1# sh wireless mobility summary SPG Mobility configuration Controller on Summary: 3850 acting as MC ISE Prime 3850-MC1(config)# Mobility Role wireless mobility controller : Mobility peer-group Controller GroupABC Mobility Protocol Port : MC(config)# Mobility Group wireless Name mobility controller : default peer-group GroupABC member ip Mobility Oracle IP Address : DTLS Mode : Enabled Mobility Domain ID for r : 0xac34 Mobility Keepalive Interval : 10 Mobility Keepalive Count : Mobility acting Control as MA Message DSCP Value : 0 Mobility Domain Member Count : 1 interface Vlan41 Link Status is Control Path Status : Data Path Status description MANAGEMENT VLAN ip address Controllers configured in the Mobility Domain: 3850-MA(config)# IP wireless Public management IP Group interface Name VLAN Multicast 41 IP Link Status MA(config)# wireless mobility default controller ip UP : UP Catalyst 3x50 AP Capwap Tunnels INTEGRATED CONTROLLER Catalyst 3850 Switch Peer Group Name : GroupABC Switch Peer Group Member Count : 1 Bridge Domain ID : 0 Multicast IP Address : IP Public IP Link Status UP: UP Both control and data plane need to be UP Access Points MEDIUM BRANCH up to 50 APs, multiple stacks

39 Converged Access Deployment Larger Branch / Small Campus Use Case DMZ Prime ISE INTEGRATED CONTROLLER OPTIONS ISE Prime Mobility Controller ISE EXTERNAL MOBILITY CONTROLLER NEEDED Prime 5508 or WISM2 with SW Upgrade or new 5760 WAN 3850s INEGRATED CONTROLLER Catalyst 3850 INTEGRATED CONTROLLER INTEGRATED CONTROLLER Catalyst 3850 Catalyst 3850 Mobility Agent Catalyst 3750 Employee BRANCH Guest AP Capwap Tunnels Access Points LARGER BRANCH / SMALL CAMPUS LARGE CAMPUS Access Points UP TO 50 ACCESS POINTS MULTIPLE STACKS, UP TO 250 APs GREATER THAN 250 ACCESS POINTS Capwap 2014 Cisco Tunnel and/or its affiliates. All rights reserved. Cisco Standard Public Ethernet, No Tunnels Guest Tunnel from Switch to DMZ Controller

40 Converged Access Deployment Larger Branch / Small Campus Use Case Multiple MCs MC configuration on the 3x50 to create a Mobility Group and add the other switch as a member ISE Prime 3850-MC1(config)# wireless mobility group name Mobility-GroupABC 3850-MC1(config)# wireless mobility group member ip public-ip Mobility-GroupABC MC configuration on the other 3x MC2(config)# wireless mobility controller Mobility role changed to Mobility Controller Please save config and reboot the whole stack This switch is now also a Mobility Controller, not only a Mobility Agent Catalyst 3850 INTEGRATED CONTROLLER INTEGRATED CONTROLLER Catalyst MC2(config)# wireless mobility group name Mobility-GroupABC AP Capwap Tunnels 3850-MC2(config)# wireless mobility group member ip public-ip Mobility-GroupABC Access Points SMALL CAMPUS up to 250 APs, multiple stacks

41 Converged Access Deployment Large Campus Use Case DMZ Prime ISE INTEGRATED CONTROLLER OPTIONS ISE Prime Mobility Controller ISE EXTERNAL MOBILITY CONTROLLER NEEDED Prime 5508 or WISM2 with SW upgrade or 5760 WAN 3850 INTEGRATED CONTROLLER New Catalyst 3850 INTEGRATED CONTROLLERS Catalyst 3850 Catalyst 3850 Mobility Agent Catalyst 3750 Employee BRANCH Guest AP Capwap Tunnels LARGER BRANCH/SMALL CAMPUS Access Points LARGE CAMPUS Access Points UP TO 50 ACCESSS POINTS MULTIPLE STACKS, UP TO 250 APs GREATER THAN 250 ACCESS POINTS Capwap 2014 Cisco Tunnel and/or its affiliates. All rights reserved. Cisco Standard Public Ethernet, No Tunnels Guest Tunnel from Switch to DMZ Controller

42 Converged Access Deployment Large Campus Use Case Mobility Configuration Configure 5760 as MC and member of SPG interface Vlan100 description WIRELESS MANAGEMENT VLAN ip address Mobility Controller ISE Prime 5508/WISM2 with sw upgrade or (config)# wireless management interface VLAN (config)# wireless mobility controller peer-group WestBldg 5760(config)# wireless mobility controller peer-group WestBldg member ip Configure 3850 as MA interface Vlan10 description MANAGEMENT VLAN ip address Catalyst 3850 Mobility Agent Catalyst (config)# wireless management interface VLAN10 Access Points 3850(config)# wireless mobility controller ip LARGE CAMPUS

43 Converged Access Deployment Large Campus Use Case Mobility Configuration, continued Mobility Group configuraaon 5760(config)# wireless mobility group name cisco-live 5760(config)# wireless mobility group member ip Mobility Controller ISE Prime 5508 or WISM2 with sw upgrade or 5760 Verify the configuraaon 5760# sh wireless mobility summary Mobility Controller Summary: Mobility Role : Mobility Controller Mobility Protocol Port : Mobility Controllers Group configured Name in the Mobility Domain: : cisco-live Mobility Oracle : Disabled IP Address Public IP Address Group Name Multicast IP Status Mobility Oracle Ip Address : DTLS Mode - cisco-live : Enabled UP Mobility Domain ID for r cisco-live : 0x2fee UP Mobility Keepalive Interval : 10 Switches configured in WestBldg switch Peer Group: 1 Mobility Keepalive Count : 3 Mobility IP Address Control Message Public DSCP IP Address Value Status : 0 Mobility Group Members Configured : UP Catalyst 3850 Mobility Agent LARGE CAMPUS Catalyst 3750 Access Points

44 GUI: Mobility Controller Configuration-5760

45 GUI: Mobility Agent Configuration CAT3850

46 GUI: Switch Peer Group Configuration

47 Converged Access Deployment Hybrid Deployment Key Considerations Mobility Controller ISE Prime 5508/WISM2 with 7.6/8.0 sorware or new 5760 New Mobility is supported on , 7.6 and 8.0 with 5508 and WiSM2 Only MC and MO functions are supported on the upgraded controller: MA only functionality for converged access APs is only supported on 3650/3850 Seamless and Fast roaming is supported between Converged Access and CUWN Controllers need to be in the same Mobility Group Roaming is always treated as a L3 roam Traffic is anchored at the home switch/controller Catalyst 3850 / 3650 Mobility Agent Catalyst can terminate CAPWAP tunnel from APs connected to non-ma switches 3650/3850 (acting as MA) will only allow APs to terminate CAPWAP locally Access Points Hybrid CUWN and Converged Access Deployment With / 3.6 release you can connect an AP to 3x50 and have it register to a CUWN controller if on a vlan that is not the wireless management interface

48 AGENDA What is Converged Access? Converged Access PlaLorms Overview Wireless Deployment OpAons Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS- XE 3.6 Release Update Bringing Together Wired and Wireless

49 IOS- XE 3.6.0SE SoluAon Interoperability WLC IOS-XE Based Solutions Product type Controller Version WLC (IOS-XE) WLC (AireOs) 3.6 for IRCM on Catalysts & WLC / 8.0 on 2504, 5508 and WiSM-2 CPI (Prime) 2.1* MSE (CMX, WIPS, CleanAir) 8.0 ISE 1.2 and 1.3

50 Converged Access Deployment IOS-XE-based Wireless Controllers Highlights Optimized for ac deployments Distributed data forwarding & services Support for latest ac AP! Common IOS and Feature Set for Wired and Wireless Granular QoS Differentiating capabilities Downloadable ACLs EEM / TCL Scripting, Secure Copy Flexible Netflow v9 Multiple LAGs (Aggregated uplinks) Secure Web-auth redirection using HTTPS Right-To-Use license model WLC Gbps wireless throughput Up to 1000 Aps Up to Clients Catalyst Gbps wireless throughput Up to 50 directly connected APs / Stack Up to 2000 Clients per Switch/Stack Catalyst Gbps wireless throughput Up to 25 directly connected APs / Stack Up to 1000 Clients per Switch/Stack

51 Converged Access Deployment WLC 5760 (IOS-XE 3.6) vs. WLC 5508 (AireOS 8.0) Feature Throughput 8 Gbps 60 Gbps Line- rate Scale 500 APs, 7000 Clients Up to 1000 APs, Clients Data forwarding Modes Local, Flex, Mesh, Outdoor, OEAP Local Mode Resiliency SSO, N+1, HA SKU AP SSO, N+1, MulAple LAG, HA SKU QoS Alloy (precious metal) QoS Granular QoS (MQC), AFB Security Dynamic ACLs (Airspace ACL) Downloadable and Dynamic ACLs BYOD ISE 1.3, CWA, Device Sensor, Policy ClassificaAon Engine ISE 1.3, CWA, Policy ClassificaAon Engine AVC AVC phase 3, Microsor Lync and Jabber support AVC Phase 2, Lync and Jabber support Bonjour Bonjour Phase 3 Bonjour Phase 2 IPv6 IPv6 Client Mobility, First Hop Security, Source Guard IPv6 Client Mobility, First Hop Security Management GUI, AireOS CLI, Secure FTP IOS CLI, EEM/TCL, GUI Licensing License PAK based on serial number Right to use

52 Converged Access Deployment Sorware Software Matrix Software compatibility matrix for IOS based Controllers: MSE ISE ACS Prime 3.2.0SE 3.2.0SE MR SE 3.2.1SE , , SE 3.2.2SE / , , SE 3.2.3SE / , , SE 3.3.0SE 3.3.0SE / xSE 3.3.xSE 3.3.xSE / SE 3.6.0SE 3.6.0SE 7.6/ / * (*) IOS-XE 3.6 is not officially supported by PI 2.1 because it doesn t support the new features and but supports the new hardware introduced in IOS-XE 3.6

53 IOS- XE 3.6.0SE addiaonal features - ApplicaAon Visibility and Control (AVC) - Service Discovery Gateway - Local Profiling and Policy ClassificaAon - TrustSec SGT ac AP Support n Outdoor AP support (no Bridge or Mesh) on High Availability - AP SSO on 5760 See appendix for feature details

54 AGENDA What is Converged Access? Converged Access PlaLorms Overview Wireless Deployment OpAons Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS- XE 3.6 Release Update Bringing Together Wired and Wireless

55 Bringing Together Wired and Wireless How Are We Addressing This Shift? Control plane functionality on NG Controller (also possible on upgraded 5508s, WiSM2s for brownfield deployments, or NG Converged Access switches for small, branch deployments) Next-Generation WLAN Controller (5760) Controller Data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred) New Generation Switches (Cat 3850/3650) Enabled by Cisco s strength in Silicon and Systems UADP ASIC An Evolutionary Advance to Cisco s Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands.

56 Bringing Together Wired and Wireless How Are We Addressing This Shift? Mobility Domain ISE MO# PI Mobility Group MC MC Sub-Domain #1 SPG Sub-Domain #2 SPG MA MA MA Cisco Converged Access Deployment MA MA MA An Evolutionary Advance to Cisco s Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands.

57 Converged Access Deployment Guides For additional deployment information, check the deployment guides WLC 5760 Deployment Guide: CT5760_Controller_Deployment_Guide.html Catalyst 3650/3850 Deployment Guide: deployment_guide_c html IOS-XE HA Deployment Guide: ios_xe_33/5760_ha_dg_iosxe33.pdf AVC Deployment Guide: iosxe_3point3_avc_dg.html

58 THANK YOU

59 Appendix IOS-XE 3.6 Release Update Application Visibility and Control (AVC) Service Discovery Gateway TrustSec ac Support High Availability- AP SSO Local Profiling and Policy Classification

60 How AVC solution works WLC/Switch App Visibility & User Experience Report WLC/Switch App BW Transaction Time NFv9 WebEx 3 Mb 150 ms Citrix 10 Mb 500 ms High Med Low AP NBAR on AP Deep Packet Inspection Reporting Perf. Tool Collection & Exporting Reporting Tool Control DPI engine (NBAR2) identifies applications using L7 signatures AP collects application info and export it to controller/ switch every 90 seconds Advanced reporting tool aggregates and reports application performance Use QoS to control application bandwidth usage to improve application performance

61 Overview: NBAR2 classification of Microsoft Lync Three classifications flows for Microsoft Lync MS-Lync Media (Audio and Video Flows) MS-Lync (Desktop Sharing, Chat) MS-Lync File Transfer Different Policies for different components of a Lync Session In addition to detecting Microsoft Lync, AVC is able to sub-classify and prioritize Audio/Video, Desktop Sharing and File Transfer differently

62 IOS-XE AVC Supported Features Supported on all IOS platforms: 5760/3850/3650 Use Protocol Pack v8.0 NBAR2 Engine v16 Seamless Roaming More than 1000 Applications Supported on APs(AP1600, 2600, 2700, 3600, 3700 and 1532) Centralized and Converged Access Flexible Netflow v9 Export to PI(PAM) and external collectors(plixir, ActionPacked, etc)

63 AVC QoS Policies QoS Policies can be applied for Upstream and Downstream traffic Application Control is done on the AP for Upstream QoS and on Switch/ WLC for Downstream QoS with NBAR classification done on the AP Upstream Direction*: Mark, Police and Drop Downstream Direction**: Mark and Police (No Drop) Action DROP (Traffic can be dropped for upstream traffic only) Action MARK (Applications can be marked with different DSCP or CoS values. Marking can be applied on both upstream and downstream traffic) Action POLICE (Applications can be Rate-Limited with the lowest rate of 8 Kbps. Policing can be applied on both upstream and downstream traffic) *Upstream Direction: Wireless Clientà APà Controller **Downstream Direction: Controllerà APà Wireless Client

64 AVC QoS Policies - Continued Application Recognition and Control is defined under Client QoS policy Role Based Application Policy Support- Example: Alice(Nurse) and Bob (IT Admin) are both employees in a hospital Both Alice and Bob are connected to the same SSID- Bob can access certain applications but Alice cannot Done by defining two QoS policies on the controller and using AAA override with ISE AVC can be configured with two main steps using the GUI: 1- Creating a QoS Policy 2- Applying QoS Policy to the WLAN AVC monitoring can be done from dashboard, per client and per SSID

65 AVC Configuration from GUI 1- Creating a QoS Policy

66 AVC Configuration from GUI 1- Creating a QoS Policy-Continued

67 AVC Configuration from GUI 2- Applying QoS Policy to a WLAN

68 AVC Monitoring and Statistics Per WLAN AVC Stats

69 AVC Monitoring and Statistics Per WLAN AVC Stats

70 AVC Monitoring and Statistics Per Client AVC Stats

71 Cisco PI2.0/2.1 Netflow Monitoring Note: PAM Assurance license is required on PI 2.0 for NetFlow Monitoring

72 NBAR/AVC Summary Same QoS Policy can be mapped to multiple WLANs. But one WLAN can have only one QoS Policy Three actions either DROP/MARK/POLICE are possible on classified application Only 1 NetFlow exporter and monitor can be configured per WLAN AVC stats are displayed for top 30 applications on both GUI and CLI Any application, which is not supported/recognized by NBAR engine on WLC, is captured under bucket of UNCLASSFIED/Unknown traffic Ø NBAR Feature Limitation o IPv6 traffic cannot be classified o Multicast traffic is not supported o Protocol Pack are not upgradable- will be upgraded as part of a regular release

73 Appendix IOS-XE 3.6 Release Update Application Visibility and Control (AVC) Service Discovery Gateway TrustSec ac Support High Availability- AP SSO Local Profiling and Policy Classification 73

74 Service Discovery Gateway for Cisco IOS Platforms Catalyst 3560, 3750, 4500 platforms XE3.5.0E/15.2(1)E release Available Catalyst 3650 and 3850 IOS XE 3.3.0SE release Available Catalyst 5760 Wireless LAN Controller IOS XE 3.3.0SE release Available Catalyst (2)SY release Available ASR1000 and ISR XE 3.11 release Available

75 Service Discovery Gateway On CT-5760(Centralized), the 3850 and 3650 series switches Both wired and wireless clients can benefit from switch or router based solution VLAN 20 mdns Cache: AirPlay VLAN 20 AirPrint VLAN 23 Apple TV CAPWAP Tunnel VLAN 23 VLAN 99 ipad AirPrint

76 Policy Capabilities Service Policy The mdns Policy Profile is a list of allowed network applications. (i.e. AirPlay or Printing) AirPrint AirPlay File Share The mdns policy profile provides filtering to allow only certain WLANs, interfaces or users to access specific service types. Enforced per Interface (which include WLAN and VLAN groups) mdns snooping needs to be enabled globally

77 Service Discovery Gateway Policy Example for Education Teacher Service Policy Services Discovery Student Service Policy AirPrint AirPlay File Share AirPrint AirPlay File Share itunes Sharing Teacher Network Student Network Teachers are allowed to print, access the Apple TV and file shares. Students are allowed to print and share itunes, but not access the Apple TV, or file shares.

78 SDG - Location Aware Wireless Bonjour Services Neighboring AP Apple TV2 (Wireless) AirPlay Services Apple TV1 CAPWAP Tunnel Neighboring AP VLAN 20 VLAN 21 VLAN 40 Apple TV3 (Wireless) Location(proximity) is defined based on AP neighbor list If proximity is enabled, mdns services will be filtered based on the AP neighbor list Supported for wireless mdns services only. Wired clients will not be filtered

79 SDG Location (Proximity) Configuration Proximity configuration can be done from CLI and GUI service-routing mdns-sd service-policy permit-all IN service-policy permit-all OUT service-policy-proximity query2 limit 10 service-list mdns-sd query2 query service-type _airplay._tcp.local service-type _raop._tcp.local service-type _apple-mobdev._tcp.local service-type _universal._sub._ipp._tcp.local service-type _sleep-proxy._udp.local

80 SDG - Static Service Static Service: User can configure static services which are always present in the cache. This is required for certain network elements which either are not capable of advertisements or have very few advertisements cycles

81 SDG - Designated Gateway When multiple mdns gateway are configured in the same domain, queries and announcements packets are received by all mdns gateways. Admin have the option of configuring a Designated Gateway in a given link local domain to address this issue service-routing mdns-sd service-policy permit-all IN service-policy permit-all OUT service-policy-query itunequery 60 designated-gateway enable ttl 6

82 mdns Configuration - GUI Global mdns Configuration

83 mdns Configuration - GUI Advanced Options

84 mdns Configuration - GUI Interface mdns Configuration

85 Monitoring of mdns Devices - GUI mdns enabled devices advertising service is shown as Domain Name

86 Service Discovery Gateway Summary Both wired and wireless clients are supported 14K services on 5760 and 2.5K on 3650/3850 Supported with Centralized and Converged Access mode Roaming and Guest Anchor supports Easy to configure and manage from both GUI and CLI Location based (AP neighbor list) Static Service Support Designated Gateway and Enumeration features (Optional Configuration)

87 Appendix IOS-XE 3.6 Release Update Application Visibility and Control (AVC) Service Discovery Gateway TrustSec ac Support High Availability- AP SSO Local Profiling and Policy Classification

88 TrustSec Security Group Access Overview Translating Business Policy to the Network TrustSec lets you define policy in meaningful business terms Context Classification Business Policy TAG Security Group Tag Destination Source Exec PC Prod HRMS HR Database HR Database Prod HRMS Storage Exec BYOD X X X X X X Distributed Enforcement throughout Network Switch Router DC FW DC Switch

89 Clear ROI in OPEX Simplified Security Group Filtering Traditional ACL / FW Filtering

90 SGA Policy Destination SGT Source SGT Public Portal (SGT 8) Internal Portal (SGT 9) IT Portal (SGT 4) Production Servers (SGT 10) BYOD(SGT 7) Web Web No Access Web File Share Corp Asset (SGT 5) Web SSH RDP File Share Web SSH RDP File Share Full Access SSH RDP File Share

91 SGT Assignment and Enforcement End user authenticated Classified as Employee (5) FIB Lookup Destination MAC/Port SGT 20 Destination Classification CRM: SGT 20 ESXi: SGT 30 ISE SRC: sw SRC: DST: SGT: 5 Cat6500 Cat6500 Nexus 7000 Nexus 5500 Enterprise Backbone Nexus 2248 Nexus 2248 CRM DST: SGT: 20 ESXi DST: SGT: 30 WLC5508 / 5760 ASA5585 SRC\DST CRM (20) ESXi (30) Employee (5) SGACL-A SGACL-B BYOD (7) Deny Deny

92 Wireless TrustSec Support for Converged Access Deployment Mode Unified AireOS 2504, 5508 WiSM2 Controller Platforms TrustSec Support Authentication Release SXP(speaker mode) 802.1X 7.2 and above Converged Access IOS 3850, SGT, SGACL SXP (speaker / listener) 802.1X MAB WebAuth IOS-XE 3.3 and above

93 Agenda What is Converged Access? Converged Access Platforms Overview Wireless Deployment Options Converged Access Mobility Architecture How to deploy a Converged Access network? IOS-XE 3.6 Release Update Application Visibility and Control (AVC) Service Discovery Gateway TrustSec ac Support High Availability- AP SSO Local Profiling and Policy Classification Bringing Together Wired and Wireless

94 802.11ac The Gigabit Wireless Standard What is ac? Next-generation Wi-Fi specification gigabit wireless Backwards compatible with n and a Most efficient Wi-Fi standard to date Optimized for high bandwidth applications WFA certification ready for Wave 1 What Are the Features? Specifies a data rate up to 6.9Gbps per 5 GHz radio Max Data rate of 1.3Gbps in Wave 1 (phase 1) Operates in 5 GHz band only Enhanced channel bonding, modulation (256 QAM) and more spatial streams than n What Are the Benefits? Faster Throughput 2-3x on average of n Greater Capacity More clients utilizing the resources of an AP Broader Coverage Robust connectivity & range. Fewer dead spots Longer Battery Life On and off the Wi-Fi network faster, translates to less power draw and longer battery life

95 AP3700 with Modularity & Integrated ac 4x4:3 SU-MIMO Dual-band 2.4 and 5 GHz integrated radios with Modularity ac Wave 1 on the integrated 5 GHz radio 1.3 Gbps PHY : 3 Spatial Streams, 20/40/80 MHz channels, 256 QAM Explicit Compressed Beam Forming (ECBF) support as per the ac specification a,.11n and.11ac clients supported on the integrated 5 GHz radio Modular Architecture carried forward from the AP3600 No Module is supported yet on CA Requires ~15w of power at the AP Enhanced PoE or PoE+ for full functionality Fits under 15.4w 802.3af by automatically down shifting RF arch to 3x3:3 on both 2.4 and 5 GHz Antenna support Support all the antennas available for the 3600, 2600 and 1600

96 Configuring 11ac : Channel Width

97 Agenda What is Converged Access? Converged Access Platforms Overview Wireless Deployment Options Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS-XE 3.6 Release Update Application Visibility and Control (AVC) Service Discovery Gateway TrustSec ac Support High Availability- AP SSO Local Profiling and Policy Classification Bringing Together Wired and Wireless

98 5760 High Availability Recap Primary/Secondary/Tertiary WLC defined on each AP Primary and Secondary Backup configuration with Fast Heart Beat Each WLC configured separately and has unique IP Address With Primary Failure, AP goes in Discovery State and CAPWAP State Machine is restarted

99 5760 High Availability with APSSO Two 5760 units can be stacked for 1:1 redundancy, using stack cables One 5760 elected as Active and the other becomes Hot- Standby Bulk and Incremental Configuration sync Redundancy supported both at Port level and System level AP CAPWAP information sync. APs will not disconnect and continue to be associated to the controller Significantly reduces network downtime

100 High Availability Connectivity on 5760 High availability is enabled using Cisco StackWise-480 technology in Full Ring Setup.

101 High Availability WLC 5760-based MCs How to Pair the Boxes Recommended: power up the second unit only after a first 5760 is deployed Power up first unit Boot up complete Configure mgmt interface, VLANs, WLANs and switch priority Connect a powered down 5760 unit as a stack Power up second unit Boot up complete Verify HA- Pair Active and Hot-Standby Verify config- sync from Active to Hot- Standby Adding powered-on 5760 Unit (merging) causes stack to reload and elect a new Active. Use Controller# switch 1 Priority 15 on the first unit to prevent having the second unit become active and wipe out your config

102 Active Controller Election Process 5760 that is the current Active controller 5760 with highest stack member Priority Value 5760 with shortest Startup Time 5760 with Lowest MAC Address

103 Verifying HA Pair Details By Default : The 5760 stack uses the MAC address of the active Persistent MAC address feature : time delay before the stack MAC address changes to new Active

104 Verifying Stack Port Details No No neighbor detected. Cannot send Absent No - no No stack cable cable detected. connected or stack cable not functional. traffic Down Yes over Cable stack this detected, cable link. connected either no connected neighbor is up, or the stack port is Disabled. OK Yes Cable Neighbor is detected, detected. connected Port neighbor can send is up. traffic over this link.

105 Verifying Redundancy States

106 APSSO Web UI

107 APSSO Failover System Redundancy Models: Manual Switchover Software Failure Switchover Power Failure Switchover Metrics Failure DetecRon ReconciliaRon Time ( Standby becoming AcRve) Time In the order of 50 ms In the order of 1020 millisec

108 5760 APSSO hybrid with N+1 High Availability Both Active and Standby combined in SSO setup are configured as primary. On failure of Active and Standby, APs will fall back to secondary and further to tertiary controller. N+1 HA can be deployed with hybrid of 5760 and CUWN controllers. But APs will reload when failing over

109 Licensing for APSSO with HA-SKU Total capacity of the SSO Stack is 1000 APs MC keeps track of the cumulative AP Count and in-use AP licenses Not allow more APs than cumulative AP count licenses available in the SSO stack WLC (500) Active HA-SKU WLC (0) Standby switchover WLC (500) Standby HA-SKU WLC (0) New Active Total AP Count = 500 Supported APs = 500 Total AP Count = 500 Supported APs = 500 AP failover

110 Agenda What is Converged Access? Converged Access Platforms Overview Wireless Deployment Options Converged Access Mobility Architecture How to Deploy a Converged Access Network? IOS-XE 3.6 Release Update Application Visibility and Control (AVC) Service Discovery Gateway TrustSec ac Support High Availability- AP SSO Local Profiling and Policy Classification Bringing Together Wired and Wireless

111 How Many Mobile Devices Do You Think You Will Carry Everywhere in 2016? Think about it, and choose the best answer

112 Local Profiling and Policy Classification ISE offers rich set of BYOD features: e.g. device identification, onboarding, posture and policy Customers not deploying ISE but requiring subset of ISE features Native profiling of end devices based on MAC OUI, HTTP, DHCP Device-based policies enforcement per user or per device policy

113 Client Profiles Client profiling uses pre-existing profiles in the controller Wireless clients are profiled based on the MAC OUI, DHCP, HTTP user agent IOS XE 3.6 release contains 287 pre-existing profiles

114 Local Client Profiling Configuration At the WLAN level, enable Local HTTP Profiling

115 Client Profiling When profiling is enabled, a client Device Type can be seen on the Monitor Page Local Profiling Pie Chart will be available by FCS

116 Policy Classification MAC Teacher Student OUI Device type Username User Role Admin Device Type User-Role John Identity VLAN Session timeout ACL Egress QoS Ingress QoS

117 Policy Enforcement Configuration 3-Step Process Creation of Servicetemplate Creation of Policy-Map Association of Service Policy to WLAN/VLAN VLAN ACL Session timeout Egress QoS Ingress QoS Service Template Policy Map Username User-Role MAC OUI Device Type VLAN ACL Session t/o Egress QoS Ingress QoS WLAN Service Policy Username User-Role MAC OUI Device Type VLAN ACL t/o Egress QoS Ingress QoS

118 Step 1 : Creating Service Templates

119 Step 2 : Creating Policy Maps

120 Step 3 : Configure Policies on WLAN

121 Verifying Local Profiling and Policy Enforcement VLAN Override Policy Policy action will be applied : - After L2 authentication - After L3 authentication - When device sends HTTP traffic and profiling occurs

122 Local Profiling and Policy Classification Facts If AAA override is enabled, AAA returned attributes take precedence Precedence follows AAA override > Local Policy > WLAN defaults No Support for Wired clients behind the WGB WLAN can only be associated with one Policy Map at any time