Best Practices to Deploy High-Availability in Wireless LAN Architectures


Best Practices to Deploy High-Availability in Wireless LAN Architectures Kara Muessig Technical Solutions Architect CCIE (Wireless) #29572

Session Objectives
Learn the design recommendations, configuration best practices and deployment tips to keep your wireless network always on, always present, always available.
(Slide word cloud: planned downtime, failover, redundancy, survivability, clustering/pooling, performance, high availability, end-to-end access, cost, productivity.)

Special Thanks! This presentation is a culmination of best practices and tips from a wide range of Cisco technologists.

Agenda (For Your Reference)
- Radio Frequency (RF) High Availability (HA): site survey, RRM, CleanAir
- Deterministic (N+1) failover; AP pre-image download
- Centralized (N+N) HA architecture: AP SSO, Client SSO
- Distributed (Converged Access) HA architecture
- FlexConnect and WAN survivability
- Management and Mobility Services HA: Prime Infrastructure, Mobility Services Engine
(Slide graphic: One Policy, One Management, One Network; Unified Access Wireless deployment modes: Autonomous, FlexConnect, Centralized, Converged Access; "unparalleled deployment flexibility".)

Radio Frequency High Availability
RF HA is the ability to have redundancy in the physical layer:
- Creating a stable RF environment
- Dealing with coverage holes if an AP goes down
- Mitigating an interference source
- Creating a pervasive, predictable RF environment

Guidelines for surveying for RF HA
- Rule of thumb: you want most radios at power level 3, which leaves RRM headroom to raise power and fill the hole left by a failed AP.
- Site survey tools: use an active survey. Examples: AirMagnet, Ekahau, VeriWave WaveDeploy, real clients and the controller.
- Get to know the area: consider three-dimensional radio propagation in multi-story buildings, and be aware of perimeter and corner areas.
- Survey for the lowest common client type and technology supported (802.11b/g, 802.11a, 802.11n). Smartphones usually have lower-power radios.
(Slide table, only partly recoverable from the transcription: number of antennas, antenna gain in dBi and total Tx power in dBm at 2.4 GHz and 5 GHz for a MacBook Pro, iPad 3, iPhone 4S, iPhone 5 and Samsung S3. The laptop has two antennas per band and the highest Tx power; the phones have a single antenna with average-to-peak Tx power in roughly the 13-26 dBm range.)

Managing the spectrum: RRM, RF Profiles, CleanAir
RRM (Radio Resource Management)
- Manages spectrum efficiency to provide the optimal throughput under changing conditions
- Provides a system-wide RF view of the network to dynamically balance the infrastructure and mitigate changes
- Monitors and maintains coverage for all clients
RF Profiles
- Allow selective tuning of RRM functions within groups of APs sharing a common coverage zone
- Created for either the 2.4 GHz radio or the 5 GHz radio
- Give administrative control over min/max TPC values, TPCv1 threshold, TPCv2 threshold and data rates
CleanAir
- Spectrum intelligence solution designed to proactively manage the challenges of a shared wireless spectrum
- Answers who, what, when, where and how for interference, and enables the network to act on this information

ClientLink: Reduced Coverage Holes
(Slide figure: side-by-side survey maps with ClientLink disabled and enabled; with ClientLink enabled, areas that were served at lower data rates are served at higher data rates. Source: Miercom; AirMagnet/Fluke iperf survey.)

Deterministic / N+1 Failover

Controllers and physical connection
- All controllers, including the 5760, 5508, 2504, 8510, 7500, WiSM2 and older models, can participate in deterministic failover.
- Using VSS pairs allows 5508 controllers to have link redundancy.
- The WLC 5760 introduces multiple LAG groups that allow link redundancy if you don't have VSS pairs:
  - FlexLink (preferred method) with active/standby
  - Load balancing per VLAN between links
(Slide figure: a 5760 with a 1- or 2-port LAG to each of two Layer 2 adjacent switches; the switch communicates with the 5760 only over the primary link and the infrastructure sees the 5760 there, while the second LAG is on standby with no communication. A 5508 is shown dual-homed to a Catalyst VSS pair.)

Mobility Group (For Your Reference)
- A mobility group allows controllers to peer with each other to support seamless and fast roaming across controller boundaries (CCKM / 802.11r key domain).
- Support for up to 24 controllers and 24,000 APs per mobility group.
- Seamless (but not fast) roaming is supported across mobility groups within the mobility domain, up to 72 controllers.
- With Inter-Release Controller Mobility (IRCM), roaming is supported between the 4.2.207, 6.0.188, 7.0, 7.2, 7.3 and 7.4 codes.
- Mobility tunnels are Ethernet-in-IP (EoIP). With the 7.3.112.0 and 7.5 codes, "new mobility" changes the tunnel type within the controller to CAPWAP tunnels instead of EoIP tunnels.
Example three-controller mobility group from the slide:
  Controller-A  MAC AA:AA:AA:AA:AA:01  Mobility Group Name: MyMobilityGroup  Neighbors: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)
  Controller-B  MAC AA:AA:AA:AA:AA:02  Mobility Group Name: MyMobilityGroup  Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)
  Controller-C  MAC AA:AA:AA:AA:AA:03  Mobility Group Name: MyMobilityGroup  Neighbors: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)

Controller Redundancy: Deterministic mode
- The administrator statically assigns each AP a primary, secondary and/or tertiary controller.
- Assigned from the controller interface (per AP) or from Prime Infrastructure (template-based).
- You need to specify both the name and the IP address if the WLCs are not in the same mobility group.
- The AP uses heartbeats to validate connectivity to its current WLC; when the AP loses 5 heartbeats it starts the join process to the first backup WLC candidate.
- The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary backup, global secondary backup.
- Failover is faster than in dynamic mode because the AP goes back to the discovery state only to make sure the backup WLC is up, then immediately starts the join process.
Example from the slide, three controllers with APs assigned in rotation:
  AP group 1: Primary WLAN-Controller-A, Secondary WLAN-Controller-B, Tertiary WLAN-Controller-C
  AP group 2: Primary WLAN-Controller-B, Secondary WLAN-Controller-C, Tertiary WLAN-Controller-A
  AP group 3: Primary WLAN-Controller-C, Secondary WLAN-Controller-A, Tertiary WLAN-Controller-B

Deterministic: Backup Controllers
- Backup controllers are configured globally for all APs under Wireless > High Availability.
- Used if no primary/secondary/tertiary WLC is configured on the AP.
- The backup controllers are added to the AP's primary discovery request recipient list.

AP Failover Priority
- Assign priorities to APs: Critical, High, Medium, Low.
- Critical-priority APs get precedence over all other APs when joining a controller; in a failover situation, a higher-priority AP is allowed in ahead of all other APs.
- If the controller is full, existing lower-priority APs are dropped to accommodate higher-priority APs (slide figure: a Critical AP fails over to a full controller and a Medium-priority AP is dropped).

Reducing Failover Time: Fast Heartbeat, Primary Discovery Request
Fast Heartbeat
- When the fast heartbeat timer expires, the AP sends a fast echo request to the WLC and retries it up to 3 times, instead of waiting on the regular 30-second heartbeat.
- If there is no response, the primary is considered dead and the AP selects an available controller from its backup list in the order primary, secondary, tertiary, primary backup controller, secondary backup controller.
- Fast heartbeat is only supported for Local and FlexConnect mode APs.
Primary Discovery Request Timer
- The AP maintains a list of backup controllers and periodically sends primary discovery requests to each entry on the list.
- Configure a primary discovery request timer to specify how long a controller has to respond to the discovery request.
- If a controller does not respond within that time, the AP removes it from the list of available backup controllers.

Deterministic: N+1 Design
- The redundant WLC can be in a geographically separate location (NOC or data center).
- The redundant WLC need not be part of the same mobility group.
- Configure the high availability parameters to detect failure and fail over faster.
- Use AP priority in case of over-subscription of the redundant WLC.
- HA SKU available in 7.4: no need to purchase licenses on the backup WLC; when the backup takes over, a 90-day counter is started.
- The backup must be configured manually, as you would any secondary controller (no auto sync). This is NOT AP SSO; nothing differs from normal N+1 operations.
Example from the slide, one backup controller WLC-BKP in the NOC/data center:
  APs on WLAN-Controller-1: Primary WLAN-Controller-1, Secondary WLC-BKP
  APs on WLAN-Controller-2: Primary WLAN-Controller-2, Secondary WLC-BKP
  APs on WLAN-Controller-n: Primary WLAN-Controller-n, Secondary WLC-BKP
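The failover behaviour described on the deterministic, backup controller, AP priority, fast heartbeat and N+1 slides above can be checked as a small model. The following Python is an added example, not code from the presentation or from Cisco: it encodes the candidate order (primary, secondary, tertiary, global primary backup, global secondary backup), heartbeat-loss detection (5 regular heartbeats or 3 fast echo retries), skipping of a backup that does not answer discovery, and priority-based eviction on a full controller. Controller names, capacities and the alive flags are constructed test data.

```python
"""Deterministic (N+1) AP failover, modelled in Python.

Added example, not code from the presentation or from Cisco. It encodes the
behaviour the slides describe: an AP declares its WLC dead after a number of
missed heartbeats (5 regular ones, or 3 fast echo retries), then joins the
first alive controller in the order primary, secondary, tertiary, global
primary backup, global secondary backup; a backup that does not answer a
primary discovery request is skipped; a full WLC admits a higher-priority AP
by dropping its lowest-priority AP. Names, capacities and alive flags are
constructed test data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# AP failover priority levels from the slide, highest first.
PRIORITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Controller:
    name: str
    capacity: int                                   # AP-count licence / platform limit
    alive: bool = True                              # False = no discovery response
    joined: Dict[str, str] = field(default_factory=dict)   # AP name -> priority

    def admit(self, ap_name: str, priority: str) -> Tuple[bool, Optional[str]]:
        """Join request. Returns (accepted, evicted_ap_name)."""
        if len(self.joined) < self.capacity:
            self.joined[ap_name] = priority
            return True, None
        # WLC is full: a higher-priority AP displaces the lowest-priority AP present.
        victim = min(self.joined, key=lambda n: PRIORITY[self.joined[n]])
        if PRIORITY[priority] > PRIORITY[self.joined[victim]]:
            del self.joined[victim]
            self.joined[ap_name] = priority
            return True, victim
        return False, None


@dataclass
class AccessPoint:
    name: str
    priority: str = "medium"
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    current: Optional[str] = None
    missed: int = 0                                 # consecutive unanswered heartbeats

    def candidates(self, global_primary: Optional[str] = None,
                   global_secondary: Optional[str] = None) -> List[str]:
        """Backup WLC order from the slides; unset and duplicate entries dropped."""
        order: List[str] = []
        for wlc in (self.primary, self.secondary, self.tertiary,
                    global_primary, global_secondary):
            if wlc and wlc not in order:
                order.append(wlc)
        return order


def heartbeat(ap: AccessPoint, answered: bool, threshold: int = 5) -> bool:
    """One heartbeat interval. Returns True when the AP declares its WLC dead
    (threshold 5 for regular heartbeats, 3 for fast-heartbeat echo retries)."""
    if answered:
        ap.missed = 0
        return False
    ap.missed += 1
    return ap.missed >= threshold


def fail_over(ap: AccessPoint, wlcs: Dict[str, Controller],
              global_primary: Optional[str] = None,
              global_secondary: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Leave the current WLC and join the first alive candidate.
    Returns (joined_wlc, evicted_ap)."""
    if ap.current in wlcs:
        wlcs[ap.current].joined.pop(ap.name, None)
    for name in ap.candidates(global_primary, global_secondary):
        wlc = wlcs.get(name)
        if wlc is None or not wlc.alive:
            continue                                # no discovery response: skip it
        accepted, evicted = wlc.admit(ap.name, ap.priority)
        if accepted:
            ap.current, ap.missed = name, 0
            return name, evicted
    ap.current = None                               # nothing reachable: AP stays in discovery
    return None, None


def simulate() -> dict:
    """Constructed N+1 scenario: WLAN-Controller-1 dies and an undersized WLC-BKP
    (capacity 1) is over-subscribed, so AP priority decides who stays joined."""
    wlcs = {
        "WLAN-Controller-1": Controller("WLAN-Controller-1", capacity=3),
        "WLC-BKP": Controller("WLC-BKP", capacity=1),
    }
    lobby = AccessPoint("ap-lobby", "low", primary="WLAN-Controller-1", secondary="WLC-BKP")
    er = AccessPoint("ap-er", "critical", primary="WLAN-Controller-1", secondary="WLC-BKP")
    fail_over(lobby, wlcs)
    fail_over(er, wlcs)                             # both on the primary while it is alive
    before = list(wlcs["WLAN-Controller-1"].joined)

    wlcs["WLAN-Controller-1"].alive = False
    beats = 1
    while not heartbeat(lobby, answered=False):     # 5 lost heartbeats -> declared dead
        beats += 1

    lobby_target, _ = fail_over(lobby, wlcs)        # low-priority AP grabs the only slot
    er_target, evicted = fail_over(er, wlcs)        # critical AP takes it back
    if evicted:
        fail_over(lobby, wlcs)                      # evicted AP retries; nothing is left
    return {
        "before": before,
        "heartbeats_to_detect": beats,
        "lobby_first": lobby_target,
        "er": er_target,
        "evicted": evicted,
        "lobby_final": lobby.current,
        "bkp_now_hosts": list(wlcs["WLC-BKP"].joined),
    }


if __name__ == "__main__":
    print(simulate())
```

The scenario is the one the N+1 slide warns about: an over-subscribed backup. The low-priority AP fails over first and takes the only seat, the critical AP then evicts it, and the evicted AP ends up in discovery with no controller to join, which is exactly why the slides recommend setting AP priority when the redundant WLC is undersized.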

AP Pre-image Download

AP Pre-image Download
- AP pre-image download allows the AP to download code while it is operational.
- CAPWAP APs can download and keep more than one image of 4-5 MB each.
Pre-image download operation:
1. Upgrade the image on the controller.
2. Do not reboot the controller.
3. Issue the AP pre-image download command.
4. Wait until all AP images are downloaded.
5. Reboot the controller.
6. The APs reload and join the controller without the downtime of downloading the image.
(Slide figure: the WLAN controller pushes the pre-download image over CAPWAP to the access points, which then join without a download.)

Configure AP pre-download image (For Your Reference)
- Perform the primary image pre-download on the APs from Wireless > AP > Global Configuration.
- The APs start pre-downloading; they swap to the new image after the controller reboots.

Summary: HA before 7.3 (pre-SSO)
- Primary/secondary/tertiary WLCs need to be defined on each AP.
- Each WLC is configured separately and has its own unique IP address.
- Primary and secondary backup controllers are configured globally.
- Fast heartbeat can be used to speed up failover.
- On failover detection the AP goes into the discovery state and the CAPWAP state machine is restarted.
- Downtime during failover may go up to 1.5 minutes depending on the number of APs.
- Each WLC is managed and monitored separately by NCS/Prime Infrastructure.

Centralized (N+N) HA Architecture

Supported Code and Controllers
For every active primary controller there is a standby redundant controller.
- Supported controllers: 5508, WiSM2, Flex 7500, 8510
- AP Stateful Switch Over (SSO): 7.3
- WLC HA SKU: 7.4 (for N+1)
- Client Stateful Switch Over (SSO): 7.5

AP Stateful Switch Over (AP SSO)

High Availability AP SSO
- Model is 1:1 (Active : Hot-Standby).
- Supported on 5500 / 7500 / 8500 and WiSM-2; same hardware and software version required.
- Two new interfaces: Redundancy Port and Redundancy Management Interface.
- Same management IP on Active and Standby.
- Static and dynamic system configurations are synced to the standby.
- AP information is synced to the standby when the AP joins or its configuration changes, so the AP's CAPWAP re-join is avoided on switchover.
- Detection time: 5-996 msec for box failover, 3-4 seconds for management gateway failover.
- Back-to-back connectivity on the Redundancy Port between the two WLCs.
- Clients are de-authenticated on failover and forced to re-associate.
- Effective service downtime = detection time + switchover time (network recovery/convergence) + client re-association time.

AP SSO: States
(Slide figure.) The redundancy link is established over the dedicated Redundancy Port. Active and Standby exchange keep-alives, failure notifications, role negotiation and config/peer sync, and AP join information is synced. On switchover the AP session stays intact (it does not re-establish CAPWAP), but clients must re-associate. Effective downtime for the client is detection time + switchover time + client association time.

AP SSO Configuration (Only valid for 7.3 / 7.4)

AP SSO GUI Config (For Your Reference)
By default HA is disabled. Configure the Redundant Management and Peer Redundant Management IP addresses first, before enabling AP SSO.

AP SSO GUI Config, continued (For Your Reference)
Configure AP SSO by selecting Enable from the drop-down. Optional: to reset the peer WLC, click Commands > Redundancy > Reset Peer.

AP SSO show commands (For Your Reference)
To check the redundancy status and switchover history: show redundancy status. A total of 10 history entries are maintained for switchovers.

AP SSO: Important things to note
- Once SSO is enabled, the Standby WLC cannot be accessed via the GUI on the service port. It can be accessed via the console connection, SSH/Telnet on the service port, and SSH on the redundant management interface.
- The physical connection between the Redundancy Port and the infrastructure network should be made before the HA configuration.
- Web auth certificates have to be installed on BOTH controllers prior to setting up HA.
- OEAP600 is not supported.
- A clear configuration on the Active WLC also initiates a clear config on the Standby WLC.
- Internal DHCP is not supported when the HA configuration is enabled.
- The L2 MGID is synced, but the L3 MGID database is cleared with SSO.
- Location and rogue information is not synced.
- When HA is disabled on the Active, the change is pushed to the Standby; after reboot all ports come up on the Active and are disabled on the Standby.

AP SSO: Licensing (For Your Reference)
HA pair with an HA SKU:
- The HA SKU is a new SKU with a zero AP-count license.
- The device with the HA SKU becomes the standby the first time it pairs up.
- AP-count license info is pushed from Active to Standby.
- In the event of Active failure, the HA SKU lets APs join with the AP count obtained and starts a 90-day countdown. After 90 days it starts nagging messages but won't disconnect connected APs.
HA pair with both WLCs holding a valid AP-count license:
- Active/Standby WLC decided based on configuration.
- AP-count license info is pushed from Active to Standby.
- In the event of Active failure, the new Active operates with the license count of the previous Active and starts a 90-day countdown.
Available starting in AireOS 7.4; valid for all controller types.

Client Stateful Switch Over (Client SSO)

Client SSO: Overview
- Client information is synced to the Standby when the client moves to the RUN state.
- Fully authenticated clients (RUN state) are synced to the peer; intermediate client state events are not synced.
- Client re-association is avoided on switchover.
- Transient clients are dis-associated after switchover.
- Effective service downtime = detection time + switchover time (network recovery/convergence).

Client SSO: States
(Slide figure.) As with AP SSO, the redundancy link is established over the dedicated Redundancy Port and carries keep-alives, failure notifications and role negotiation, but now both AP and client information are synced to the Standby. On switchover the AP session stays intact (no CAPWAP re-establishment) and the client session stays intact (no re-association). Effective downtime for the client is detection time + switchover time.

Client SSO Configuration & Topology

Client SSO GUI config (For Your Reference; the slide shows the GUI screen only)

CLI Configuration Commands (For Your Reference)
configure interface address management <ip-address> <subnet-mask> <gateway>
configure interface address redundancy-management <ip-address> peer-redundancy-management <ip-address>
configure redundancy unit [primary | secondary]
configure redundancy mode [sso | disable]
configure redundancy timer keep-alive-timer <interval>    (default 100 milliseconds)
configure redundancy timer peer-search-timer <timeout>    (default 120 seconds)

Troubleshooting commands (For Your Reference)
show redundancy summary      shows the state and role of each controller
show ap uptime
show ap summary
show client summary
show client detail <mac>     shows the connected time of the client
show pmk-cache all           shows the fast secure roaming (FSR) PMK cache for each client present on the active/standby controllers

Supported (N+N) HA Topologies, AireOS 7.5
WLC 5508 / 7500* / 8500*:
1. Two controllers connected via the RP port back-to-back in the same data center
2. Two controllers connected via the RP port over an L2 VLAN/fiber in the same or a different data center**
3. Two controllers connected to a VSS pair
WiSM-2:
1. Two WiSM-2 in the same chassis
2. Two WiSM-2 in different chassis with the redundancy VLAN extended over the L2 network**
3. Two WiSM-2 in different chassis in VSS mode
* WLC types supported in 7.5 code
** Support for this topology started in 7.5

WLC 5508/7500/8500 Back-to-back RP Connectivity
Configuration on the primary WLC:
configure interface address management 9.5.56.2 255.255.255.0 9.5.56.1
configure interface address redundancy-management 9.5.56.10 peer-redundancy-management 9.5.56.11
configure redundancy unit primary
configure redundancy mode sso
Configuration on the hot-standby WLC:
configure interface address management 9.5.56.3 255.255.255.0 9.5.56.1
configure interface address redundancy-management 9.5.56.11 peer-redundancy-management 9.5.56.10
configure redundancy unit secondary
configure redundancy mode sso
Once the pair forms, the standby takes over the active's management IP (9.5.56.2); only the redundancy-management addresses stay distinct. The management gateway is monitored with 12 pings (about 15 seconds).

WLC 5508/7500/8500 RP Connectivity via Switches
Configuration on the primary WLC:
configure interface address management 9.5.56.2 255.255.255.0 9.5.56.1
configure interface address redundancy-management 9.5.56.10 peer-redundancy-management 9.5.56.11
configure redundancy unit primary
configure redundancy mode sso
Configuration on the hot-standby WLC:
configure interface address management 9.5.56.3 255.255.255.0 9.5.56.1
configure interface address redundancy-management 9.5.56.11 peer-redundancy-management 9.5.56.10
configure redundancy unit secondary
configure redundancy mode sso
Requirements for the redundancy path through the switches: RTT latency 80 ms or less (default); bandwidth 60 Mbps or more; MTU 1500.

WiSM-2 connectivity over L2 Redundancy VLAN
Configuration on the Catalyst 6500:
wism service-vlan 192                             (service port VLAN)
wism redundancy-vlan 169                          (redundancy port VLAN)
wism module 6 controller 1 allowed-vlan 24-38     (data VLANs)
Requirements for the redundancy VLAN: RTT latency 80 ms or less (default); bandwidth 60 Mbps or more; MTU 1500.

WLC Connected to VSS Pair
(Slide figures: three topologies, VSS with a 5508 and split LAG, VSS with a 5508 and non-split LAG, and WiSM2 with VSS. Each shows an active and a standby Cisco 5508 attached to a Catalyst VSS pair at the L2/L3 distribution layer, with the L3 core above and the access layer below.)

Hybrid: SSO with Deterministic HA
- SSO can be deployed together with secondary and tertiary controllers.
- The Active and Standby combined in the SSO setup are configured as the primary.
- On failure of both the Active and the Standby WLC in the SSO setup, APs fall back to the secondary and then to the configured tertiary controller.

Client SSO: Important points
- ONLY clients in the RUN state are maintained during failover; the transient list is deleted.
- Clients in transition (roaming, dot1x key regeneration, web auth logout, etc.) are disassociated.
- Posture and NAC OOB are not supported, since the client is not in the RUN state.
- Some clients, and some information about clients, are not synced between Active and Standby:
  - CCX-based apps need to be restarted post switchover.
  - Client statistics are not synced.
  - PMIPv6, NBAR and the SIP static CAC tree are not synced and need to be re-learned after SSO.
  - WGBs and the clients associated to them are not synced.
  - OEAP600 clients are not synced.
  - Passive clients are not synced.
- After failover the previous Active controller reboots (if it didn't crash) and tries to find its redundancy pair.
- ISSU is not supported.
- New mobility is NOT supported.

SSO Behavior and Recommendations
- RTT latency on the redundancy link: 80 milliseconds or less, i.e. 80% of the (default 100 ms) keepalive timer.
- Preferred MTU on the redundancy link: 1500 or above.
- Bandwidth on the redundancy link: 60 Mbps or more.
- 5500 / 7500 / 8500: RP connectivity between Active and Standby via switches (7.5) or back-to-back (7.3, 7.4, 7.5).
- WiSM-2: single 6500 chassis, or different chassis using a VSS setup or extending the redundancy VLAN.
- Recommended to have the redundancy link and RMI connectivity between the WLCs on different switches or on different L2 networks.
- Keepalive/peer discovery timers should be left at their default values for better performance.
- Default box failover detection time: 3 keepalives x 100 ms = 300 ms, plus 60 ms = 360 ms, plus jitter (12 ms) = roughly 400 ms.
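The Client SSO overview and important-points slides above say which clients survive a switchover, and this slide gives the detection-time arithmetic and the redundancy-link limits. The Python below is an added example, not code from the presentation or from Cisco, that models both: a hot-standby that only receives RUN-state clients (minus WGB, OEAP600 and passive clients), a switchover that keeps synced clients and drops transient ones, and the effective-downtime and link checks. The client state names, MAC addresses and the convergence/re-association timings are constructed; the one modelling choice not stated on the slides is that a client leaving RUN is withdrawn from the standby, which reproduces the slide's "clients in transition are disassociated".

```python
"""AireOS Client SSO switchover, modelled in Python.

Added example, not code from the presentation or from Cisco. Only clients
that reach the RUN state are synced to the standby; WGB, OEAP600 and passive
clients are never synced; a client that leaves RUN (roam, dot1x rekey,
web-auth logout) is transient again and is dropped on switchover. Effective
downtime is detection + switchover, plus re-association with AP SSO only.
Client states, MACs and timings are constructed; the detection formula is
the slide's 3 x keepalive + 60 ms + jitter.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

RUN = "RUN"


@dataclass
class Client:
    mac: str
    state: str = "START"      # constructed AireOS-like states: START, 8021X_REQD, DHCP_REQD, WEBAUTH_REQD, RUN
    wgb: bool = False         # workgroup bridge, or a wired client behind one
    oeap600: bool = False     # OfficeExtend 600 client
    passive: bool = False     # passive (no DHCP) client


def syncable(c: Client) -> bool:
    """Per the slides: fully authenticated (RUN) clients only, minus the kinds
    the controller never syncs."""
    return c.state == RUN and not (c.wgb or c.oeap600 or c.passive)


class SsoPair:
    """Active controller plus a hot-standby holding copies of synced clients."""

    def __init__(self) -> None:
        self.active: Dict[str, Client] = {}
        self.standby: Dict[str, Client] = {}

    def associate(self, c: Client) -> None:
        self.active[c.mac] = c                      # a new client starts transient

    def transition(self, mac: str, new_state: str) -> None:
        """Client state event on the active. Only the RUN-state record is pushed
        to the standby; leaving RUN withdraws it (modelling choice, see lead-in)."""
        c = self.active[mac]
        c.state = new_state
        if syncable(c):
            self.standby[mac] = replace(c)          # copy taken on entering RUN
        else:
            self.standby.pop(mac, None)             # intermediate states are not synced

    def switchover(self) -> Tuple[List[str], List[str]]:
        """Standby becomes active. Returns (kept_macs, dropped_macs)."""
        kept = sorted(self.standby)
        dropped = sorted(m for m in self.active if m not in self.standby)
        self.active = {m: replace(c) for m, c in self.standby.items()}
        self.standby = {}                           # old active reboots and re-pairs later
        return kept, dropped


def detection_time_ms(keepalive_ms: int = 100, retries: int = 3,
                      overhead_ms: int = 60, jitter_ms: int = 12) -> int:
    """Default box-failover detection from the slide: 3 x 100 + 60 + 12 = 372 ms."""
    return retries * keepalive_ms + overhead_ms + jitter_ms


def redundancy_link_ok(rtt_ms: float, keepalive_ms: int = 100,
                       mtu: int = 1500, bandwidth_mbps: float = 60) -> bool:
    """Slide limits: RTT at most 80% of the keepalive timer (80 ms at the
    default), MTU 1500 or more, 60 Mbps or more."""
    return rtt_ms <= 0.8 * keepalive_ms and mtu >= 1500 and bandwidth_mbps >= 60


def effective_downtime_ms(client_sso: bool, detection_ms: int,
                          convergence_ms: int, reassoc_ms: int) -> int:
    """AP SSO: detection + switchover/convergence + client re-association.
    Client SSO: the re-association term disappears for synced clients."""
    total = detection_ms + convergence_ms
    return total if client_sso else total + reassoc_ms


def demo() -> dict:
    """Constructed scenario: four clients in different states when the active fails."""
    pair = SsoPair()
    auth_ok = Client("00:11:22:33:44:01")
    still_dhcp = Client("00:11:22:33:44:02")
    bridge = Client("00:11:22:33:44:03", wgb=True)
    rekeying = Client("00:11:22:33:44:04")
    for c in (auth_ok, still_dhcp, bridge, rekeying):
        pair.associate(c)
    for mac in (auth_ok.mac, bridge.mac, rekeying.mac):
        pair.transition(mac, "8021X_REQD")
        pair.transition(mac, "DHCP_REQD")
        pair.transition(mac, RUN)
    pair.transition(still_dhcp.mac, "DHCP_REQD")    # never reached RUN
    pair.transition(rekeying.mac, "8021X_REQD")     # dot1x rekey in progress at failover
    kept, dropped = pair.switchover()
    det = detection_time_ms()
    return {
        "kept": kept,
        "dropped": dropped,
        "detection_ms": det,
        "downtime_ap_sso_ms": effective_downtime_ms(False, det, 1000, 2000),
        "downtime_client_sso_ms": effective_downtime_ms(True, det, 1000, 2000),
        "link_ok_default": redundancy_link_ok(rtt_ms=80),
        "link_ok_slow": redundancy_link_ok(rtt_ms=95),
    }


if __name__ == "__main__":
    print(demo())
```

Of the four constructed clients only the one sitting in RUN survives; the client still in DHCP, the WGB and the client mid-rekey are all disassociated, which is the impact a practitioner should plan for when scheduling a manual switchover.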

Distributed (Converged Access) HA Architecture

Distributed Architecture: Converged Access
- Today the wireless data plane is centralized; wireless traffic is overlaid on top of the wired network.
- A distributed wireless and wired data plane brings scalability, end-to-end traffic visibility, common policy and rich media optimization.
- High availability: all traditional wired HA mechanisms now become part of wireless HA: SSO, VSS, ISSU, first hop redundancy (HSRP, VRRP, GLBP), EtherChanneled uplinks, StackWise, redundant supervisors, StackPower, NSF.

Converged Access Deployment Overview
(Slide figure: a Mobility Domain containing a Mobility Group of Mobility Controllers (MC), each MC serving a Sub-Domain (#1, #2) made of Switch Peer Groups (SPG) of Mobility Agents (MA); a Mobility Oracle (MO), ISE and Prime Infrastructure (PI) sit above.)

High Availability on the 3850
- HA is available on a per-stack basis (up to 4 members at FCS), not between stacks.
- Stack the MC, or use AireOS MCs, to prevent a single point of failure.
- There is no HA setup for master-active and master-standby; they are elected automatically by the stack. However, the user can set a priority level on the members, which is used in the active/standby election. Currently this can be done from the CLI.
- SSO is not available on the 5760, but you can configure deterministic failover with the HA SKU.

Catalyst 3850 HA Shift from 3750-X
Catalyst 3750-X StackWise-Plus:
- Hybrid control-plane processing
- N:1 stateless control-plane redundancy
- Distributed L2/L3 forwarding redundancy
- Stateless L3 protocol redundancy
Catalyst 3850 StackWise-480:
- Centralized control-plane processing
- 1+1 stateful redundancy (SSO)
- Distributed L2/L3 forwarding redundancy
- IOS HA framework alignment for L3 protocols

Catalyst 3850 Fault Tolerance in Stack
The active MC goes down in the stack; the standby MC must now become Active.
- No impact to non-roamed clients on other MA switches.
- Local clients on the stack need to re-authenticate and re-DHCP.
- Roamed clients need to re-authenticate and re-DHCP, and become local.
(Slide figure: a mobility group with a guest anchor MC, ISE and PI, and two SPGs each with an MC and several MAs; annotations: local client re-auths and re-DHCPs; roamed client re-auths, re-DHCPs and becomes local; no impact to existing clients on other MAs.)

Catalyst 3850 Fault Tolerance across Stacks
If the whole Catalyst 3850 stack operating as the MC goes down completely:
- Roaming within a Switch Peer Group still works seamlessly.
- Roaming between Switch Peer Groups does not work (the client re-DHCPs).
- PMKs (via PKC) are not distributed while the MC is down, so no fast roaming for new clients until the MC is restored.
- While the MC is down, RRM, guest access (guest tunneling) and other MC-based functions do not operate within the affected Switch Peer Group; other Switch Peer Groups are unaffected.
(Slide figure: the MC stack is shown as completely down; within its SPG a client roams seamlessly between MAs but new clients get no PMK and no fast roam; a client roaming to the other SPG re-auths, re-DHCPs and becomes local; guest anchor MC, ISE and PI are shown.)

MC Failure: Sub-Domain and Anchor Connections
Roamed and local users, high availability considerations. Now the MC fails; let's examine the effects.
- When the MC for a given sub-domain goes down, all of the tunnels serviced by that MC go down. This includes all MA-MC tunnels (purple tunnels on the slide) as well as any MC-to-guest-anchor tunnel (grey tunnel on the slide, if present).
- Non-roamed users: no impact to existing clients on their MAs.
- Roamed users: the client re-auths, re-DHCPs and becomes local.
- Note that all of the tunnel connections between switches within the SPGs themselves stay up: these are pre-formed at SPG creation and, once up, do not depend on the MC to stay up.

Hybrid: MC Redundancy with AireOS SSO
The active MC goes down in a 1:1 HA pair; the standby HA MC (5508, WiSM-2 or 8510) becomes Active.
- Local users on their MAs have no impact following a HA MC failover event.
- Intra-SPG roamed users also have no impact following the MC HA failover.
- APs stay up and running.
- All previously roamed (inter-SPG) clients experience a hard roam after the MC failover (re-auth, re-DHCP, change of client IP address, known as "becoming local").
- Any new intra-SPG or inter-SPG roaming of local MA clients after the MC HA failover is handled normally.
(Slide figure: the former standby MC now active, with its tunnel to the guest anchor; annotations as above for non-roamed users, intra-SPG roamed clients and inter-SPG roamed users.)

FlexConnect and WAN Survivability

FlexConnect overview
- The management and data planes are split. The data plane can be centralized (split MAC architecture) or local (local MAC architecture).
- Two modes of operation: Connected (when the WLC is reachable) and Standalone (when the WLC is not reachable).
- Traffic switching is configured per AP and per WLAN (SSID); from 7.3, split tunneling is supported on a per-WLAN basis.
- FlexConnect Group: defines the key caching domain for fast roaming and allows backup RADIUS scenarios.
(Slide figure: a central site with a cluster of WLCs receiving centralized traffic over the WAN from a remote office, where local traffic is switched at the AP.)

FlexConnect Survivability: WAN Failure (or single central WLC failure)
HA considerations:
- No impact for connected clients on locally switched SSIDs.
- Clients on centrally switched SSIDs are disconnected.
- Static authentication keys are stored locally on the FlexConnect AP, so new clients can join if authentication is based on static keys.
- Fast roaming is allowed within the FlexConnect group for already connected clients.
Lost features: RRM, CleanAir, wIDS, location, other AP modes, web authentication, NAC.
(Slide figure: remote site cut off from the central site and its application server by a WAN failure.)

FlexConnect Group: Local Backup RADIUS
Backup scenario:
- Normal authentication is done centrally.
- On WAN failure, the AP authenticates new clients with a locally defined RADIUS server.
- Existing connected clients stay connected.
- Clients can roam with CCKM fast roaming or re-authentication.
(Slide figure: central RADIUS at the central site, local backup RADIUS at the remote site, FlexConnect Group 1 with CCKM fast roaming.)

Local Authentication
- By default a FlexConnect AP authenticates clients through the central controller.
- Local authentication allows use of a local RADIUS server directly from the FlexConnect AP (new in 7.0.116).

FlexConnect Group: Local Backup Authentication
Backup scenario:
- Normal authentication is done centrally
- On WAN failure, the AP authenticates new clients with its local database
- Each FlexConnect AP has a copy of the local user DB
- Existing authenticated clients stay connected
- Clients can roam with CCKM fast roaming, or local re-authentication
Supported security types:
  Security type   Release version
  LEAP            6.0
  EAP-FAST        6.0
  PEAP            7.5
  EAP-TLS         7.5
(Diagram: Central RADIUS at the Central Site, Remote Site with FlexConnect Group 1 and CCKM fast roaming.)

FlexConnect Survivability: WLC failure with Deterministic N+1
HA considerations:
- No impact for locally switched SSIDs
- Clients on centrally switched SSIDs are disconnected
- The FlexConnect AP transitions to Standalone and then back to Connected when it joins the Secondary
- When in Standalone mode, fast roaming is allowed within the FlexConnect Group
- Upon resync with the Secondary, client sessions for local traffic are not impacted (provided that the configuration on the WLCs is identical)
(Diagram: Central Site with Primary and Secondary WLC, WAN, Remote Office, Application Server.)

FlexConnect WLC failure scenario with SSO
HA considerations:
- No impact for locally switched SSIDs
- Clients on centrally switched SSIDs are disconnected
- The FlexConnect AP will NOT transition to Standalone because SSO kicks in
- The AP goes straight to Connected mode with the Standby WLC
- With client SSO, local and centralized traffic is not impacted
(Diagram: Central Site with Active and Standby WLC, WAN, Remote Office, Application Server.)
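The survivability rules on the preceding FlexConnect slides (WAN failure, deterministic N+1, SSO) combined into one decision model, as an added example in Python that is not part of this deck or Cisco's code; the class and function names are assumptions.

```python
# Added example: encodes the FlexConnect survivability rules from the slides
# as a small decision model. Not Cisco code; names are assumptions.
from dataclasses import dataclass
from enum import Enum


class Switching(Enum):
    CENTRAL = "central"  # split-MAC: client data tunnelled to the WLC
    LOCAL = "local"      # local-MAC: client data bridged at the AP


class Failure(Enum):
    WAN = "wan"          # WAN down (or single central WLC down, no backup)
    WLC_N1 = "wlc_n+1"   # deterministic N+1: AP re-joins the secondary WLC
    WLC_SSO = "wlc_sso"  # AP SSO: standby takes over, AP never goes standalone


@dataclass
class Wlan:
    ssid: str
    switching: Switching
    auth: str  # "static-key", "central-radius", "local-backup-radius" or "local-db"


# Per the slides, only credentials the AP holds locally can authenticate
# new clients while it is in Standalone mode.
LOCAL_AUTH = {"static-key", "local-backup-radius", "local-db"}


def ap_mode_path(failure):
    """Sequence of AP modes the slides describe for each failure type."""
    return {
        Failure.WAN: ["connected", "standalone"],
        Failure.WLC_N1: ["connected", "standalone", "connected"],
        Failure.WLC_SSO: ["connected", "connected"],
    }[failure]


def existing_client_survives(wlan, failure, client_sso=False, configs_identical=True):
    """Does an already-associated client keep its session through the failure?"""
    if wlan.switching is Switching.LOCAL:
        # Locally switched SSIDs: no impact, except that an N+1 resync only
        # preserves sessions when primary and secondary WLC configs match.
        return configs_identical or failure is not Failure.WLC_N1
    # Centrally switched SSIDs need the WLC; only client SSO keeps them up.
    return failure is Failure.WLC_SSO and client_sso


def new_client_can_join(wlan, failure):
    """Can a new client authenticate while the AP is in Standalone mode?
    Returns True when the AP never leaves Connected (a WLC stays reachable)."""
    if "standalone" not in ap_mode_path(failure):
        return True
    return wlan.auth in LOCAL_AUTH
```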

Management and Mobility Services HA

Prime Infrastructure (CPI) High Availability
- CPI runs in an active/standby (1:1) mode; the secondary PI is not accessible
- Requires the same HW and SW; physical-to-physical and virtual-to-virtual are supported
- Can be geographically separated, but needs a reliable, high-speed, unimpeded network in between
- No database loss when failover occurs
- Failover can be automatic or manual; failback is always manual
- If the standby PI doesn't receive 3 heartbeats (timeout 2 seconds), then either the standby PI becomes active or an email is sent to the network admin
(Diagram: Active and Standby PI.)

PI HA - Config (For Your Reference)
- The first step is to install and configure the Secondary PI. When configuring the Primary PI for HA, the Secondary PI needs to be installed and reachable by the Primary PI.
- The following parameters must be configured on the primary PI:
  - name/IP address of the secondary PI
  - email address of the network administrator for system notification
  - manual or automatic failover option
- The Secondary PI must always be a new installation and this option must be selected during the PI install process, i.e. a standalone or primary PI cannot be converted to a secondary PI. A standalone PI can be converted to an HA Primary.

PI HA Config Verification (For Your Reference)
- Verify that the configuration is complete on the HA Status tab.
- After initial deployment of PI, the entire configuration of the primary PI is replicated to the host of the secondary PI
- This process can be time consuming and take up to half an hour to run
- After the database is replicated, the delta of changes is pushed over to the secondary PI

Mobility Service Engine HA

Mobility Service Engine (MSE) - HA
- Every active primary MSE is backed up by another inactive instance. The secondary MSE becomes active only after the failover procedure is initiated. The failover procedure can be manual or automatic.
- A heartbeat is maintained between the primary and secondary MSE
- When the primary MSE fails and the secondary takes over, the virtual address of the primary MSE is switched transparently
- No HA license or second set of client/wIPS licenses required
- HA for all services supported; failover times < 1 min
- HA supports Network Connected and Direct Connected. Directly connecting with a cable can help reduce latencies in heartbeat response times, data replication and failure detection times.
- Supports automatic & manual failover/failback
- Physical-to-physical & virtual-to-virtual HA supported
(Diagram: WLC1, WLC2, PI and 3rd party systems reach the Primary MSE on Virtual IP 10.10.10.11 (Eth0: 10.10.10.12); the Secondary MSE (Eth0: 10.10.10.13) is directly or network connected to the primary.)
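The heartbeat-driven failover behaviour described on the PI and MSE HA slides (3 missed heartbeats at a 2 s timeout, automatic or manual failover, manual failback, the virtual IP following the active node), as an added example in Python that is not Cisco's implementation; the class, method and event names are assumptions.

```python
# Added example: a heartbeat-driven failover state machine following the
# rules on the PI and MSE HA slides. Not Cisco's code; names are assumptions.
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 2.0  # seconds between expected heartbeats (PI slide)
MISSED_LIMIT = 3         # consecutive misses before the standby acts


@dataclass
class HaPair:
    mode: str               # "automatic" or "manual" failover
    virtual_ip: str         # address WLCs/PI use; follows the active node
    active: str = "primary"
    missed: int = 0
    events: list = field(default_factory=list)  # stands in for admin e-mail

    def vip_owner(self):
        return self.active

    def poll(self, heartbeat_received):
        """Run by the standby once per HEARTBEAT_TIMEOUT interval."""
        if self.active != "primary":
            return self.active  # already failed over; nothing to detect
        self.missed = 0 if heartbeat_received else self.missed + 1
        if self.missed == MISSED_LIMIT:  # act once per outage, not every poll
            if self.mode == "automatic":
                self.failover()
            else:
                self.events.append("alert: primary unreachable, manual failover required")
        return self.active

    def failover(self):
        """Promote the standby; the virtual IP switches with it."""
        self.active = "secondary"
        self.events.append(f"failover: {self.virtual_ip} now served by secondary")

    def failback(self, operator_confirmed=False):
        """Failback is always a manual step; poll() never triggers it."""
        if not operator_confirmed:
            raise PermissionError("failback requires operator confirmation")
        self.active = "primary"
        self.missed = 0
        self.events.append(f"failback: {self.virtual_ip} back on primary")


def detection_time_seconds():
    """Worst-case time to declare the primary down under these parameters."""
    return MISSED_LIMIT * HEARTBEAT_TIMEOUT
```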

MSE HA - Config (For Your Reference)
Additional config required under HA:
- HA mode in the startup script
- Define the secondary name & IP address

MSE HA Verification (For Your Reference)
- Status shows active under the HA Configuration
- Sync is complete

High Availability - Summary
- Radio Frequency (RF) High Availability (HA): Site Survey, RRM, CleanAir
- Deterministic (N+1) Failover: AP Pre-image Download
- Centralized (N+N) HA Architecture: AP SSO, Client SSO
- Distributed (Converged Access) HA Architecture
- FlexConnect and WAN Survivability
- Management and Mobility Services HA: Prime Infrastructure, Mobility Services Engine
(Diagram: Cisco Prime Infrastructure, MSE, Aironet Access Point, Campus Network, Wireless LAN Controllers.)

Related Sessions and Links
- BRKEWN-2017 - Understanding RF Fundamentals and the Radio Design of Wireless Networks (Fred Niehaus)
- BRKEWN-2016 - Branch Office Wireless LAN Design (Karan Sheth)
- BRKEWN-2022 - Converged Access Mobility Design & Architecture (2013 Orlando) (Sujit Ghosh)
- HA Deployment guide: http://www.cisco.com/en/us/products/ps10315/products_tech_note09186a0080bd3504.shtml#upgrade
- WOS HA Demo (Aparajita Sood)

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Cisco Daily Challenge points for each session evaluation you complete. Complete your session evaluation online now through either the mobile app or internet kiosk stations.
Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.