Architecting Network for Branch Offices with Cisco Unified Wireless

Transcription

1

2 Architecting Network for Branch Offices with Cisco Unified Wireless Aparajita Sood Technical Marketing Engineer

3 Objective Design & Deploy Branch Network That Increases Business Resiliency 3

4 Agenda Learn Cisco Unified Wireless LAN Principles Understand Wireless Branch Deployment Options Evaluate FlexConnect Architectural Requirements Identify the need for FlexConnect & AP Groups Design a Resilient Branch Network Design Secure & BYOD enabled Branch Network Operate Wireless Branch efficiently over WAN FlexConnect Best Practices FlexConnect Resiliency Demo 4

5 Cisco Unified Wireless LAN Principles

6 Cisco One Network : Wireless Deployment Modes One Policy, One Management, One Network Unified Access Wireless Autonomous FlexConnect Centralized Converged Access Unparalleled Deployment Flexibility 6

7 Cisco Unified Wireless Principles Components Wireless LAN Controllers Aironet Access Points Management (Prime Infrastructure) Mobility Services Engine (MSE) Principles AP must have CAPWAP connectivity with WLC Configuration downloaded to AP by WLC All Wi-Fi traffic is forwarded to the WLC Cisco Prime Infrastructure Aironet Access Point Campus Network Wireless LAN Controllers 7

8 Wireless Branch Deployment Options

9 Branch Office with Local WLAN Controller Overview Backup Central Controller Branches can also have local remote controllers Small or Mid-size Branch WLCs CT-2504, Integrated controller modules in ISR/ISR-G2 Converged Access Cat-3850 High-availability design with central backup controller is supported; WAN limitations may apply WLC-25xx Remote Site A 9 Central Site WAN Remote Site B WLCM for ISR/ISR-G2 CAPWAP Remote Site C Cat-3850

10 Branch Office with Local WLAN Controller Advantages Cookie cutter configuration for every branch site Layer-3 roaming within the branch IPv6 L3 Mobility Note: If you have ISR/ISR G2 at branch site then it is recommended to use the IOS Firewall at edge for unified access policies. 10

11 Branch Office Deployment FlexConnect (HREAP) Hybrid architecture Single management and control point Data Traffic Switching Centralized traffic (split MAC) or Local traffic (local MAC) Centralized Traffic Central Site WAN Cluster of WLC Centralized Traffic HA will preserve local traffic only Traffic Switching is configured per AP and per WLAN (SSID) Local Traffic Remote Office 11

12 FlexConnect Glossary Connected Mode When FlexConnect can reach Controller (connected state), it gets help from controller to complete client authentication. Standalone mode When controller is not reachable by FlexConnect, it goes into standalone state and does client authentication by itself. Local Switching Data traffic switched onto local VLANs for an SSID Central Switching Data traffic tunneled back to WLC for an SSID 12

13 Configure FlexConnect Mode Step 1: Configure Access Point Mode Enable FlexConnect mode per AP Supported APs: AP-1130, AP-1240, AP-1040, AP-1140, AP- 1260, AP-1250, AP-3500, AP-1600, AP- 2600, AP-3600, AP-3700, AP-2700, AP 700, AP-1520, AP-1530, AP

14 Configure FlexConnect Local Switching Step 2: Enable Local Switching per WLAN Only WLAN with FlexConnect Local Switching enabled will allow local switching on the FlexConnect AP 14

15 Configure FlexConnect VLAN Mapping Step 3: FlexConnect Specific Configuration FlexConnect AP can be connected on an access port or connected to a 802.1Q trunk port (using the native VLAN) VLAN mapping can be performed per AP configuration on WLC and/or by AP groups using Cisco Prime Infrastructure templates 15

16 Configure FlexConnect VLAN Mapping Step 4: FlexConnect Specific Configuration Native Vlan When connecting with Native VLAN on AP, L2 switchport must also match with corresponding Native VLAN configuration Each corresponding SSID that is allowed to be locally switch should be allowed on the corresponding switchport. 16

17 Configure FlexConnect SSID-VLAN Mapping Step 5: Per AP SSID to VLAN Mapping Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP Or use Cisco Prime Infrastructure (NCS) via configuration templates

18 Configure FlexConnect VLAN Mapping Using Cisco Prime Infrastructure Prime Infrastructure provides simplified configuration to all FlexConnect APs with one Lightweight AP Template 18

19 Evaluate FlexConnect Architectural Requirements

20 FlexConnect Design Considerations WAN Limitations Apply For Your Reference Deployment Type WAN Bandwidth (Min) WAN RTT Latency (Max) Max APs per Branch Max Clients per Branch Data 64 kbps 300 ms 5 25 Data 640 kbps 300 ms Data 1.44 Mbps 1 sec Data+Voice 128 kbps 100 ms 5 25 Data+Voice 1.44 Mbps 100 ms Monitor 64 kbps 2 sec 5 N/A Monitor 640 kbps 2 sec 50 N/A 20

21 FlexConnect Design Considerations Feature Limitations Apply Some features are not available in standalone mode or in local switching mode MAC/Web Auth in Standalone Mode IPv6 L3 Mobility SXP TrustSec Application Visibility and Control Service Discovery Gateway Native Profiling and Policy Classification See full list in «FlexConnect Feature Matrix» html 21

22 Economies of Scale For Lean Branches Flex 7500 Wireless Controller Access Points 300-6,000 Clients 64,000 Branches 2000 Access Points / Branch 100 Deployment Model Form Factor IO Interface Upgrade Licenses FlexConnect 1 RU 2 x 10GE 100, 200, 500, 1K RTU Licenses Key Differentiation WAN Tolerance High Latency Networks WAN Survivability Security 802.1x based port authentication Voice support Voice CAC OKC/CCKM 22

23 Cisco 8510 series Controller Optimized for High Scale Deployments * Indicates unique 8500 features Access Points 300-6,000 Clients 64,000 Branches/locations Access Points per FlexConnect group Deployment types Form Factor IO Interface and redundancy Power options Power redundancy 6,000 (2000 groups) 100 Local (centralized), FlexConnect and mesh 1 RU Dual redundant 10GE ports with LAG AC and DC Dual redundant power supplies installed High scale 4K VLANs 6000 local mode APs and 64,000 clients in 1RU Rich Features with deployment flexibility Geo Separated AP/Client SSO Outdoor AP support FlexConnect, Local mode and mesh support for 6000APs and 64,000 clients Right to use (with EULA) for ease of license enablement 3G Packet core integration: PMIPv6 MAG solution with ASR5K (LMA) FlexConnect with HS2.0 for 3G offload Other key features: r fast roaming Rate limit traffic flows Video Stream for rich media flows

24 Flex 7500 Scale & Feature Update vs. 7.4 Scalability Total APs Total Clients 20,000 64,000 Total FlexConnect Group Support for OEAPs No Yes Central Switching BW Limit ~250 Mb ~1 Gb Data DTLS Support No Yes Central Switching 802.1x No Yes 24

25 FlexConnect Feature Introduction For Your Reference FlexConnect Features Release Version AAA-VLAN Override, ALCs & P2P Blocking 7.2 Smart AP Image Upgrade 7.2 External Web-Auth & Mobile Device On-boarding 7.2 Flex 7500 Scale Update 7.3 VLAN Based Central Switching 7.3 Split-tunneling 7.3 Work Group Bridge (WGB) Support 7.3 Bi-Directional Rate Limiting 7.4 ISE BYOD Registration & Provisioning 7.4 AAA-ACL & AAA-QoS Override 7.5 EAP-TLS & PEAP Support for Local Authentication 7.5 Ethernet Fallback 7.6 VideoStream for Local Switching 8.0 Faster time to deploy 8.0 FlexConnect Mode on Mesh APs

26 Why do we need FlexConnect & AP Groups?

27 Understanding AP Groups Overview AP Groups is a logical concept of grouping AP s which deliver similar Wi- Fi services; these services can be: By physical location, and/or By functional services (data, voice, guest, ) AP Group 1 Central Site WAN Flex 7500 Same AP groups need to be defined in all WLC s of a mobility group Remote Site A Remote Site B Scaling Flex 7500 CT-5508 WiSM-2 CT-2504 AP Group 2 AP Group 3 # AP Groups # WLAN (SSID) # VLAN (Interfaces)

28 AP Groups Configuration: Create a New Group 28

29 AP Groups Internet Per Location SSID Guest-Access AP Group 1 Central Site AP groups give the ability to enable Wi-Fi Services (WLAN) based on physical location Corporate-Voice Example Central Site Corporate-Voice, Corporate-Data, Guest-Access Manufacturing Site Corporate-Voice, Corporate-Data, Scanners Store Corporate-Data, Guest-Access Corporate-Data Manufacturing Site Scanners AP Group 2 WAN/MAN Store AP Group 3 Corporate-Data Guest-Access 29

30 AP Groups Usage Per AP Group SSID to VLAN Mapping AP groups give the ability to statically map Wi-Fi service (WLAN) to VLAN based on physical location Users see the same Wi-Fi service on all sites. Admin can monitor and filter based on different each site Can also be used to have smaller Wi-Fi subnets For example per floor subnets in a building. Corporate-Data AP Group 2 Manufacturing Site AP Group 1 Head Office Corporate-Data Central Site WAN/MAN VLAN-1 VLAN-2 VLAN-3 AP Group 3 Store Corporate-Data 30

31 AP Groups Configuration/VLAN Mapping 31

32 Understanding FlexConnect Groups Overview FlexConnect groups allow sharing of: CCKM/OKC fast roaming keys Local/backup RADIUS servers IP/keys Local EAP authentication AAA-Override for Local Switching Smart Image Upgrade Scaling information Remote Site Central Site WAN Flex 7500 Cluster Remote Site Scaling Flex 7500 CT-5508 WiSM2 CT-2504 FlexConnect Groups FlexConnect Group 1 FlexConnect Group 2 AP per Group

33 FlexConnect Groups and CCKM/OKC Keys Overview CCKM/OKC keys are stored on FlexConnect APs for Layer 2 fast roaming Central Site CCKM Keys RADIUS Server The FlexConnect APs will receive the CCKM/OKC keys from the WLC If a FlexConnect AP boots up in standalone mode, it will not get the OKC/CCKM keys from the WLC and fast roaming will not be supported FlexConnect Group 1 WAN FlexConnect supports r Fast Transition with local key caching. FlexConnect Group 1 FlexConnect Group 2 33

34 FlexConnect Groups Creation Step 1: Add a New FlexConnect Group 1 2 Step 2: Add APs to the FlexConnect Group 34

35 Designing a Resilient Wireless Branch Network

36 FlexConnect Backup Scenario WAN Failure FlexConnect will backup on local switched mode No impact for locally switched SSIDs Disconnection of centrally switched SSIDs clients Static authentication keys are locally stored in FlexConnect AP Lost features RRM, WIDS, location, other AP modes Web authentication, NAC Remote Site Central Site WAN Application Server 36

37 FlexConnect Backup Scenario - WLC Failure FlexConnect will first backup on local switched mode No impact for locally switched SSIDs Disconnection of centrally switched SSIDs clients CCKM roaming allowed in FlexConnect group FlexConnect AP will then search for backup WLC; when backup WLC is found, FlexConnect AP will resync with WLC and resume client sessions with central traffic. Client sessions with Local Traffic are not impacted during resync with Backup WLC. Remote Site Central Site WAN Application Server 37

38 FlexConnect Group: Local Backup RADIUS Backup Scenario Normal authentication is done centrally On WAN failure, AP authenticates new clients with locally defined RADIUS server Central RADIUS Central Site Existing connected clients stay connected WAN Clients can roam with CCKM fast roaming, or Reauthentication Local Backup RADIUS Remote Site FlexConnect Group 1 CCKM Fast Roaming 38

39 FlexConnect Group: Local Backup RADIUS Configuration Define primary and secondary local backup RADIUS server per FlexConnect group 39

40 Local Authentication By default FlexConnect AP authenticates clients through central controller Local Authentication allow use of local RADIUS server directly from the FlexConnect AP Central RADIUS Central Site WAN Local RADIUS Remote Site FlexConnect Group 1 New in

41 Local Authentication Configuration 41

42 FlexConnect Group: Local Backup Authentication Backup Scenario Normal authentication is done centrally On WAN failure, AP authenticates new clients with its local database Each FlexConnect AP has a copy of the local user DB Existing authenticated clients stay connected Clients can roam with: CCKM fast roaming, or Local re-authentication Supported Security Types Release Version LEAP 6.0 EAP-FAST 6.0 PEAP 7.5 EAP-TLS Central RADIUS Remote Site CCKM Fast Roaming Central Site WAN FlexConnect Group 1

43 FlexConnect Group: Local Backup Authentication Configuration Define users (max 100) and passwords Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS

44 Designing Secure & BYOD Enabled Branch Network

45 FlexConnect Peer-to-peer Blocking

46 Local Switching Peer-to-peer Blocking Description Central Site Starting from 7.2 Support for Peer-to-Peer blocking in FlexConnect AP Apply for clients on same FlexConnect AP P2P blocking modes : disable or drop WAN For P2P blocking inter-ap use ACL or Private VLAN function Remote Site Application Server 46

47 Local Switching Peer-to-peer Blocking Configuration Both modes of operation will drop the packet Policy AP for Touch Local Points Switching enabled WLAN * Central Switching WLAN will support Forward - UpStream and will send the packet to the next upstream node connected to WLC 47

48 FlexConnect AAA VLAN & QoS Override

49 FlexConnect AAA VLAN Override Description AAA VLAN Override with local or central authentication Up to 16 VLANs per FlexConnect AP VLAN ID must be enabled per AP or FlexConnect Group If VLAN ID does not exist, default VLAN is used, unless «VLAN Based Central Switching» enabled Starting from 7.5 AAA override for QoS is also supported. VLAN 3 VLAN QoS = 7 Silver QoS = Platinum Application Server RADIUS Remote Site Central Site WAN Starting from 7.2 FlexConnect Group 1 49

50 FlexConnect AAA VLAN Override Configuration IETF 65 IETF 64 IETF 81 For Your Reference WAN ISE Create Sub-Interface on FlexConnect AP 50

51 VLAN Based Central Switching Overview While doing AAA VLAN Override with local switching : If VLAN ID does not exist at the AP, the traffic is central switched to the central VLAN ID Central RADIUS VLAN 3 VLAN 7 Central VLAN 3 WAN Go to Default VLAN ID VLAN 7 does not Exist on this WLC If the central VLAN ID does not exist, the traffic is centrally switched to the default VLAN ID of the WLAN Remote Site 51 VLAN 3 does not Exist on this AP VLAN 7 VLAN 7 does not Exist on this AP

52 FlexConnect AAA QoS Override Description Starting from 7.5 Dynamically assign QoS levels and/or bandwidth contracts for local switching, centrally authenticated WLANs Web-authenticated WLANs and 802.1Xauthenticated WLANs supported Order of precedence for Rate Limiting parameters AAA override QoS Profile of AAA override Local WLAN configuration QoS Profile of local WLAN configuration Vendor ID/Vendor Type Attribute [14179\002] Aire-QoS-Level [14179\004] Aire-802.1P-Tag [14179\007] Aire-Data-Bandwidth-Average- Contract [14179\008] Aire-Real-Time-Bandwidth- Average-Contract [14179\009] Aire-Data-Bandwidth-Burst- Contract [14179\0010] Aire-Real-Time-Bandwidth- Burst-Contract Supported on n non-mesh access points 1040,1140,1250,1260,1600,2600,3500,3600,3700,

53 FlexConnect ACL VLAN Mapping & Per- Client ACL

54 FlexConnect ACL VLAN Mapping Overview FlexConnects ACL are applied per VLAN FlexConnect ACL are Ingress / Egress oriented Starting from 7.5 FlexConnect ACL support AAAreturned Client ACL WAN Starting from 7.2 Central Site Scale 512 FlexConnect ACL per WLC 16 ingress ACL & 16 egress ACL per AP 64 ACL rules per ACL No IPv6 ACL Remote Site Application Server 54

55 FlexConnect Access Lists Configuration Create FlexConnect ACL FlexConnect ACL rule creation is similar to rule creation for Local Mode AP

56 FlexConnect ACL VLAN Mapping Configuration FlexConnect ACL per AP FlexConnect ACL can be applied per AP using VLAN Mappings configuration

57 FlexConnect ACL VLAN Mapping Configuration FlexConnect ACL per FlexConnect Group FlexConnect ACL can be applied per FlexConnect Groups per VLAN in the ACL Mapping tab

58 FlexConnect Split Tunneling (Using FlexConnect Split ACL)

59 FlexConnect ACL Split Tunneling Overview Starting from 7.3 Split tunneling allow some traffic to be locally switched although the WLAN is defined as centrally switched Split tunneling is using a NAT/PAT feature with ACL to perform the local switching Split tunneling is using the AP IP@ for the NAT/PAT feature FlexConnect AP CAPWAP WLC Central Traffic NAT/PAT ACL WAN Central Server Local Printer Local Traffic 59

60 FlexConnect ACL Split Tunneling Configuration Create a centrally switched WLAN Flex Local switching should not be checked Define Flex ACL to match traffic to be locally switched Central subnet Local subnet 60

61 FlexConnect ACL Split Tunneling Configuration Per Access Point 61

62 FlexConnect ACL Split Tunneling Configuration Per FlexConnect Group 62

63 Deploying External WebAuth with FlexConnect Local Switching (Using FlexConnect WebAuth ACL)

64 External WebAuth with Local Switching Description Provides L3 Web Redirect from locally switched VLAN Reduces WAN traffic by locally switching guest traffic Flexible and centralized web portal creation for multiple sites Provides flexible use of Conditional and Splash Page Web Redirect FlexConnect AP must be in Connected state with Centralized Controller for this functionality to work Guest Internet VLAN 503 WebServer Remote Site FlexConnect Group 1 Central Site WAN Starting from VLAN 7 - Employee 64

65 External WebAuth with Local Switching Configuration Step 1: Configure Pre-Auth ACL that will be applied to FlexConnect Group, AP or WLAN External Web-Server IP 65

66 External WebAuth with Local Switching Configuration Step 2: Apply Pre-Auth ACL to WLAN Apply Pre-Auth ACL to WLAN 66

67 External WebAuth with Local Switching Configuration Per AP Step 3: Apply Pre-Auth ACL to FlexConnect AP Map WLAN-Id to Pre-Auth ACL 67

68 External WebAuth with Local Switching Configuration Per FlexConnect Group Or Step 3: Apply Pre-Auth ACL to FlexConnect Group Map WLAN-Id to Pre-Auth ACL 68

69 External WebAuth with Local Switching Configuration Step 4: Configure External Web Server External Web-Server IP 69

70 Deploying BYOD with FlexConnect Local Switching (Using FlexConnect WebPolicies ACL)

71 BYOD : Bring Your Own Device(s)

72 BYOD Device On-Boarding in FlexConnect Example: Apple ios Device Provisioning Starting from Initial Connection Using PEAP WLC ISE CA-Server 3 2 Device Provisioning Wizard Future Connections Using EAP-TLS WLC Client Reconnects ISE CA-Server 72

73 FlexConnect Access Lists fo BYOD Create FlexConnect ACL Create FlexConnect ACL to allow access to Cisco ISE

74 FlexConnect Web Policy ACL Configure Web Policy ACL per FlexConnect AP ACL Mapping can be configured per FlexConnect AP 74

75 FlexConnect Web Policy ACL Configure Web Policy ACL per FlexConnect Group Use ACL Mapping tab in FlexConnect Group configuration WebPolicies ACL are not the same as VLAN ACL or WebAuthentication ACL. 75

76 Cisco Wireless Central DHCP Processing Configuration To support DHCP Profiling Probe with FlexConnect, DHCP request must be sent to WLC. This is done by the «Central DHCP Processing» configuration. 76

77 Deploying BYOD with FlexConnect Wireless Summary 802.1x/EAP Authentication ISE DHCP Server FlexConnect AP CAPWAP WLC WAN Web Server WiFi Association 802.1x/EAP Request Inside CAPWAP URL + ACL Redirect Inside CAPWAP 802.1x/EAP Response Inside CAPWAP Radius Access-Request Radius Access-Response Access-Type: Access-Accept URL-Redirect-ACL=FlexACLWebPolicy, URL-Redirect= ) Unknown Device, Redirect to registration 77

78 Deploying BYOD with FlexConnect Wireless Summary DHCP Request ISE DHCP Server FlexConnect AP CAPWAP WLC WAN Web Server DHCP Request Inside CAPWAP DHCP Lease RADIUS-Accounting host-name=myipad dhcp-class-identifier=apple Device is an Apple ipad Inside CAPWAP 78

79 Deploying BYOD with FlexConnect Wireless Summary URL-Redirect ISE DHCP Server FlexConnect AP CAPWAP WLC WAN Web Server HTTP Request HTTP Request Redirected to WLC by AP Inside CAPWAP URL-Redirect 79

80 Deploying BYOD with FlexConnect Wireless Summary Registration & Provisioning ISE DHCP Server FlexConnect AP CAPWAP WLC WAN Web Server Device Registration & Provisioning Device is Registrered Trigger Change-of-Auth EAP DeAuthentication RADIUS Change-of-Authorization EAP Authentication 80

81 Deploying BYOD with FlexConnect Wireless Summary Device Access ISE DHCP Server FlexConnect AP CAPWAP WLC WAN Web Server 802.1x/EAP Request/Response Inside CAPWAP Radius Access-Request Radius Access-Response Device is Registrered And Provisioned Allow Access DHCP Request/Response Inside CAPWAP Web Traffic 81

82 Operating Wireless Branch Smart Upgrade over WAN

83 Upgrading a FlexConnect Deployment Concerns Starting from 7.2 Sites using FlexConnect AP are usually sites with low WAN bandwidth Each site may have small number of AP, but an enterprise may have a lot of branches Upgrading ~6000 AP through a low bandwidth WAN is a challenge : Time needed to download all the AP firmware Exhaust of the WAN link Risk of failures during the download 83

84 FlexConnect Smart AP Image Upgrade Overview Firmware Image Starting from 7.2 Smart AP Image Upgrade use a «master» AP in each FlexConnect Group to download the code. New New Old Primary Old New Secondary Other FlexConnect AP download the code from the master locally Wireless Control System Central Site Wireless LAN Controller 1. Download WLC upgraded firmware (will become primary) 2. Force the «boot image» to be the secondary (and not the newly upgraded one) to avoid parallel download of all AP in case of unexpected WLC reboot 3. WLC elect a master AP in each FlexConnect Group (can be also set manually) Remote Site-1 WAN Remote Site-N 84 Master AP

85 FlexConnect Smart AP Image Upgrade Description (Cont ) Firmware Image 4. Master AP «Pre-download» the AP firmware in the secondary «boot image» (will not disrupt the actual service) Can be started group per group to limit WAN exhaust 5. Slave AP «Pre-download» the AP firmware from the Master AP Wireless Control System Central Site New Old Primary New Old Secondary Wireless LAN Controller 6. Change the «boot image» of the WLC to the new image 7. Reboot the controller AP Firmware Image Remote Site-1 WAN AP Firmware Image Remote Site-N Old Primary New Secondary Old Primary New Secondary 85 Master AP

86 FlexConnect Smart AP Image Upgrade Configuration Enable Efficient AP Image Upgrade Random Backoff Interval ( sec) between each retry Valid Range is 1-63 Master AP Selection is Optional FlexConnect AP Upgrade checkbox has to be enabled for each FlexConnect Group. By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm. One Master select per AP type. 86

87 FlexConnect Smart AP Image Upgrade () Configuration contd. Per Branch or FlexConnect Group Upgrade Upgrade across all Branches or FlexConnect Groups whose FlexConnect AP Upgrade checkbox is set 87

88 FlexConnect VideoStream

89 Video Multicast Delivery Challenges Technical Challenges Multicast packets (UDP) are sent as broadcast packets over the air per standard Broadcast packets do not use error correction: fire and forget Broadcast packets are sent at data rate mandatory to all clients connected to the WLAN 1 Mb for B/G (400K actual) 6 Mb for A (2.7 Mb actual) Video Server B/G N Default B/G mandatory data rates Data Rates M0 M1... M14 M15 Video Impact Choppy, Unreliable Video Video Stream does not utilize n/ac High Throughput data rates Heavy utilization of channel due to high rate of very slow packets Video delivery is not reliable causing poor Quality of Experience

90 Broadcasting Multicast Video Affect on AP Channel G/N AP Coverage Boundary Cell Edge 1 Mb Video Stream Channel utilization maxed out Hub environment affects ALL clients in cell Wireless becomes unusable 1 Mb Data Rate Packets 400 Kb Max Multicast video stream works fine on wired Video stream choppy on wireless Entire WiFi cell consumed with video

91 Video Multicast Delivery Solution Technical Solution IGMP state monitored for each client. Only send video to clients requesting Sent as unicast to individual clients at their data rate Multicast packets replicated at AP Video Server B/G N Data Rates M0 M1... M14 M15 Video Impact Smooth, Reliable Video delivered to multiple clients Quality of Video protected in varying channel load conditions Prioritizes Business Video (QoS Gold) over other video ( Best-effort ) Default B/G mandatory data rates Starting from 8.0

92 FlexConnect VideoStream Configuration Enable VideoStream - Global (Cisco Controller) >config media-stream multicast-direct? enable Enable Global Multicast to Unicast Conversion disable Disable Global Multicast to Unicast Conversion

93 FlexConnect VideoStream Configuration Add Stream Configuration (Cisco Controller) >configure media-stream add multicast-direct <media-streamname> <start-ip> <end-ip> [template detail <bandwidth> <packet-size> <Reevaluation> video <priority> <drop fallback>]

94 FlexConnect VideoStream Configuration Enable VideoStream - WLAN (Cisco Controller) >config wlan media-stream multicast-direct 1? enable Enables Multicast-direct on the WLAN disable Disables Multicast-direct on the WLAN.

95 FlexConnect VideoStream Monitoring Controller (Cisco Controller) >show flexconnect media-stream client summary Client Mac Stream Name Multicast IP AP-Name VLAN Type c:d1:c3:86:7e:dc Media AP_ Multicast Direct 88:cb:87:bd:0c:ab Media AP_ Multicast Direct d8:96:95:02:7e:b4 Media AP_ Multicast Direct

96 FlexConnect Bridge Mode Support

97 FlexConnect on Mesh APs New AP mode that allows Flexconnect behavior across mesh-enabled AP Control plane supports: Connected (WLC is reachable) Standalone (WLC not reachable) Data Plane supports: Centralized (split MAC) Local (local MAC) Flexconnect Groups Max 8 Mesh hops, Max 32 MAPs per RAP Local AAA support A WLC have a mix of Bridge and Flex + Bridge MAPs inherent VLANs from its connected RAP Central Site Local Traffic WAN Local Data WLAN Central Data WLAN WLCs Starting from 8.0 Centralized Traffic Remote Office 97

98 FlexConnect on Mesh AP Failover AP SSO is supported for the RAP only Flex+bridge deployments should be implement with N+1 redundancy Multi-sector RAP deployments can be used for redundancy RAP to standalone mode when WLC is not reachable MAPs to standalone mode when WLC is not reachable but gateway is When in standalone mode no new mesh AP can join the mesh tree Remote Office Secondary WAN Primary Application Server

99 AP Modes Feature Comparison Feature\AP Mode Local Mode Bridge Mode Flexconnect Mode Flex+Bridge Mode For Your Reference Central Switching Yes Yes Yes Root Ethernet VLAN bridging Secondary Ethernet Access Ports Secondary Ethernet VLAN Trunk Ports Local VLAN Inheritance by MAPs from RAPs No Yes (secondary Ethernet Yes hosts) No Yes No No Yes No No Yes - Secondary Ethernet access ports only Wireless Child Mesh APs No Yes No Fault Tolerant Resilient No No Yes Mode Security ACLs per VLAN No No Yes on Ethernet Root Ports Integrated IP Routing No No Yes (PPP/PPPoE/NAT) VLAN Transparent No No No Bridging Path Control Protocol No Yes No No Yes Yes Yes Yes Yes both bridged WLANs and Ethernet access ports Yes Yes Yes (on RAPs) Yes (on RAPs) No Yes

100 FlexConnect Bridge Mode Configuration Wireless Access Points AP_NAME General Wireless Access Points AP_NAME FlexConnect AP will reboot upon change Same options as an AP in Flex Mode

101 FlexConnect Best Practices

102 WIRELESS / RF INFRASTRUCTURE NETWORK DESIGN SECURITY Wireless Best Practices Enable High Availability (AP and Client SSO) Enable Pre-image download Enable AP Failover Priority Enable AVC (application visibility and control) Enable NetFlow in your WLC Enable local Profiling (DHCP and HTTP) Enable VLAN Pooling Enable NTP Enable FlexConnect Groups Enable FlexConnect AP Upgrade Disable 11b data rates Restrict number of WLAN/SSID below 3 Enable channel bonding 40 or 80 MHz Enable BandSelect Use AP Groups & RF Groups Use RF Profiles to meet network needs Set the RSSI Low Checks Enable RRM (DCA & TPC) to be auto Enable Auto-RF group leader selection Enable Cisco CleanAir and EDRRM Enable Noise &Rogue Monitoring on all channels Enable Client Load Balancing Enable 802.1x and WPA/WPA2 on WLAN/SSID Change advance EAP timers Enable SSH and SNMPv3 Enable DHCP proxy Enable 11w / 11k and 11v Enable client exclusion Enable rogue classification Enable LSC (Logically Significant Certificate) Enable IDS / WiPS Install WSSI / Security module to monitor all channels Enable Max Concurrent Logins for a user name Enable strong password policies Enable ACL on your WLAN Enable EoIP for guest anchor WLC Enable external or internal webauth for guest Enable Split Tunneling for OEAP Enable Fast SSID change Enable per-user band width contract Enable WMM Enable Qos on your WLAN Enable Multicast Mobility for large mobility domains Enable 802.1x authentications for AP

103 FlexConnect Best Practices Check AP model for FlexConnect Support AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600, AP-2600, AP- 3600, AP-3700, AP-2700, AP 700, AP-1520, AP-1530, AP-1550 Check Design Considerations Minimum WAN Bandwidth, Maximum RTT, Minimum MTU, fragmentation QoS to prioritize CAPWAP Control Channel - UDP 5246 Consider Feature Limitations in Standalone mode/local Switching Web-authentication, Layer 3 Roaming, TrustSec SXP Define FlexConnect Groups CCKM/OKC roaming for Voice, Local EAP, local Backup Radius, Smart AP Image Upgrade Enable Local Switching on SSID, VLAN Support, Native VLAN ID on WLC Reduced WAN Bandwidth Utilization Switch port Trunk for multiple VLAN local switching, match native VLAN ID 103

104 FlexConnect Best Practices contd. Design for Resiliency Enable local Primary, Secondary backup Radius Server Enable Local EAP EAP-FAST, PEAP(7.5), EAP-TLS (7.5) WLC Backup Management Interface Port ( in case of Port Failure) Smart AP Image Upgrade Conserves WAN bandwidth Reduces upgrade induced service downtime Reduces risk of download failure VLAN-ACL, WLAN-VLAN mapping precedence AP > FlexConnect Group > WLAN If VLAN is created at the AP using WLAN-VLAN mapping, the ACL should also be created on the AP (not at FlexConnect group) wips and wips Enhanced Local mode supported 104

105 FlexConnect Best Practices contd. AAA override of ACL/VLAN ACL/VLAN should be pre-created using AP/FlexConnect group level config VLAN Based Local Switching : Best Effort to put client on VLAN returned from AAA Server VLAN tagging feature No native VLAN config for AP, all AP generated packets tagged Connect AP to trunk port Central DHCP and Local split tunnel feature Static IP Clients not supported Uses routing functionality of AP NAT-PAT support is mandatory for PPPOE APs 105

106 Summary

107 Summary Cisco Unified Wireless Network based on Controllers deliver Wireless Branch Solution FlexConnect is the feature designed to solve remote connectivity and WAN constraints Several Failover Scenario are targeted to offer Survivability of Small Remote Sites References: Wireless LAN Controller Scale Comparison Guidehttp:// ers FlexConnect Branch Controller Deployment Guide FlexConnect Feature Matrixhttp:// Wireless Best Practiceshttp:// 107

108 Deploying Cisco s FlexConnect in Branches Increases Business Resiliency

109 FlexConnect Resiliency Demo

110 FlexConnect Fault-Tolerance Demo 1. Associate Wireless Clients to SSID FlexDemo WLC Confirm AP is reachable from WLC or in FlexConnect Connected mode. 3. Start Ping from Laptop: to ipad: Kill the CAPWAP tunnel between AP & WLC i.e. unplug WLC from the Switch. 5. Check the AP switching from Connected to Standalone due to loss of reachability with WLC. 6. Notice the Ping packets are still running. C A P W A P ISR AP Authenticate new clients 8. Plug back WLC into the setup and make sure there is no disruption Fault-Tolerance is Integrated in FlexConnect SSID: FlexDemo IP: IP:

111 1 Demo Setup Configuration Guidelines AP in FlexConnect Mode 2 WLAN configured for Local Switching and Local Authentication 3 4 Creation of FlexConnect Group Local EAP configured under FlexConnect group 111

112 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online 112

113 Continue Your Education Demos in the Cisco Campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings 113

114

115