Unified access - Is your network ready
Wed 20th Nov 11:00am - 11:40am

Speaker notes (extracted with the transcript):
  • For 8 SPGs with 2 MA each, an SPG is not to exceed 16 MA for a single-SPG sub-domain. For 64 SPGs with 6 MA each in an MC, not to exceed 350 MA per MC.

Presentation Transcript

  • Slide 1 – Cisco Unified Access: Scale and Services; Performance and Unified Experience
    (Cisco Confidential – For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further Distribution. © 2012 Cisco and/or its affiliates. All rights reserved.)
    - Autonomous Mode: standalone access points.
    - Functionality split with CAPWAP (Cisco Unified Wireless Access Point and Controller): increased scalability, centralized policy application, centralized tunneling of user traffic to the controller (data plane and control plane), system-wide coordination for channel and power assignment, rogue detection, security attacks, interference and roaming; hotspot deployments with nomadic roaming.
    - Cisco Unified Access:
      - Control plane functionality on the NG Controller (also possible on upgraded 5508s and WiSM2s for brownfield deployments, or on NG Unified Access switches for small branch deployments).
      - Access Point: frees up the AP to focus on real-time communication, policy application and optimized RF & MAC functionality such as CleanAir and ClientLink.
      - Data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred).
      - Unified wired-wireless experience (security, policy, services).
      - Common policy enforcement and common services for wired and wireless traffic (NetFlow, advanced QoS, and more …).
  • Slide 2 – Agenda
    - Unified Access Deployment – Solution Overview
    - Existing Wireless Deployment – Architecture Refresher
    - The Unified Access Deployment in Detail:
      - Components of the Deployment – Hardware and Software
      - Components of the Deployment – Terminology and Building Blocks
      - Unified Access Deployment – Traffic Flows and Roaming
      - Unified Access Deployment – High Availability
      - Unified Access Deployment – IP Addressing
    - Unified Access Design Options, Greenfield: Small Branch, Larger Branch, and Campus
    - Migration Options – Evolving to a Unified Access Solution
    - Summary
  • Slide 3 – Existing Unified Wireless Deployment today: a well-known, proven architecture
    Diagram: Data Center / Service block (ISE, NCS), Internet, Intranet, a Mobility Group with WLC #1 (Foreign WLC) and WLC #2, a "Guest" Anchor WLC, APs carrying SSID1 / SSID2 / SSID3, SSID–VLAN mapping at the controller. Legend: inter-controller (Guest Anchor) EoIP / CAPWAP tunnel; inter-controller EoIP / CAPWAP tunnel; AP–controller CAPWAP tunnel; 802.11 control session + data plane. CAPWAP tunnels are encrypted (see notes).
    - AP / WLC CAPWAP tunnels are an IETF standard. UDP ports used:
      - 5246: encrypted control traffic
      - 5247: data traffic (non-encrypted or DTLS-encrypted, configurable)
    - Inter-WLC mobility tunnels: EoIP, IP protocol 97 (diagram label: "EoIP Mobility Tunnel (< 7.2)"); AireOS 7.3 introduces a CAPWAP option. Used for inter-WLC L3 roaming and Guest Anchor.
  • Slide 4 – Existing Unified Wireless Deployment today: additional details on controller functionality
    Diagram: the same topology as slide 3, with each WLC labelled with its MA and MC roles.
    - MA, Mobility Agent: maintains the client database.
    - MC, Mobility Coordinator: handles roaming, RRM, WIPS, etc.
    - These will become important later as we delve into the Unified Access deployment …
  • Slides 5–6 – Max theoretical scalability numbers, release 7.2, without considering FlexConnect

    Scope                            CT5508                             WiSM-2
    One WLC                          up to 500 APs, 7K clients,         up to 1K APs, 15K clients,
                                     8 GB I/O for AP traffic            20 GB I/O for AP traffic
    Mobility Group (up to 24 WLCs)   up to 12K APs, 168K clients,       up to 24K APs, 360K clients,
                                     192 GB I/O for AP traffic          480 GB I/O for AP traffic
    Mobility Domain (up to 72 WLCs)  up to 36K APs, 504K clients,       up to 72K APs, 1.08M clients,
                                     576 GB I/O for AP traffic          1.44 TB I/O for AP traffic
  • Slide 7 – Existing Unified Wireless Deployment today: Point of Presence (PoP) vs. Point of Attachment (PoA)
    Diagram: Data Center-DMZ (Internet, Guest Anchors), Data Center (WiSM2s / 5508s as MC/MA, Campus Services with NCS and ISE), Campus and Campus Access switches; a Layer 2 Mobility Group.
    - PoP is where the wireless user is seen to be within the wired portion of the network: anchors the client IP address; used for security policy application.
    - PoA is where the wireless user has roamed to while mobile: moves with user AP connectivity; used for user mobility.
    - Now, let's see how mobility works when a user roams in this deployment model …
  • Slide 8 – Existing Unified Wireless Deployment today: Layer 2 Mobility Group, before the roam
    - Initially, the user's PoP and PoA are co-located on the same controller, and the user's traffic flow is as shown.
    - Note – in this deployment model, it is assumed that all of the controllers within the DC share a common set of user VLANs at Layer 2.
  • Slide 9 – Existing Unified Wireless Deployment today: Layer 2 Mobility Group, after the roam
    - Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
    - The user's PoP and PoA both move to the new controller handling that user after the roam (possible since the controllers in this deployment model are all L2-adjacent within the VLANs): a move of the user's entire Mobility Context.
    - After the roam, the user's traffic flow is as shown …
  • Slide 10 – Existing Unified Wireless Deployment today: Layer 3 Mobility Group, before the roam
    Diagram: 5508 / WiSM-2 controllers (MC/MA) distributed across the Campus, Guest Anchors in the DMZ, NCS and ISE in Campus Services.
    - Initially, the user's PoP and PoA are co-located on the same controller, and the user's traffic flow is as shown.
    - Note – in this deployment model, it is assumed that the controllers across the Campus do not share a common set of user VLANs at Layer 2 (i.e. the controllers are all L3-separated).
  • Slide 11 – Existing Unified Wireless Deployment today: Layer 3 Mobility Group, after the roam (Symmetric Mobility Tunneling)
    - Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
    - The user's PoA moves to the new controller handling that user after the roam, but the user's PoP stays fixed on the original controller that the user associated to.
    - This is done to ensure that the user retains the same IP address across an L3 boundary roam, and to ensure continuity of policy application during roaming.
    - After the roam, the user's traffic flow is as shown …
  • Slide 12 – Existing Unified Wireless Deployment today: roaming with a Mobility Anchor, before the roam
    - Now, let's examine roaming with Mobility Anchor use …
    - When using Mobility Anchors, the user's PoP is always located at the Mobility Anchor controller, while the user's PoA moves as the user roams.
    - Again, this is done to ensure that the user retains the same IP address across an L3 boundary roam, and to ensure continuity of policy application during roaming.
    - Before the roam, the user's traffic flow is as shown (tunneling of user traffic back to the Mobility Anchor; guest traffic assumed).
  • Slide 13 – Existing Unified Wireless Deployment today: roaming with a Mobility Anchor, after the roam
    - After the roam, the user's PoA moves to the new controller that handles the AP the user has roamed onto; however, the user's PoP remains fixed at the Mobility Anchor controller.
    - After the roam, the user's traffic flow is as shown (tunneling of user traffic back to the Mobility Anchor; guest traffic assumed).
  • Slide 14 – Existing Unified Wireless Deployment today: traffic flows, Unified Wireless
    Diagram: WiSM2s / 5508s (MC/MA) holding the user's PoP and PoA, PSTN, CUCM; separate policies and services for wired and wireless users.
    - In this example, a VoIP user is on today's CUWN network and is making a call from a wireless handset to a wired handset …
    - We can see that all of the user's traffic needs to be hairpinned back through the centralized controller, in both directions …
    - In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers; Layer 3 roaming might add more hops) …
    - The same traffic paths are incurred for voice, video, data, etc.: all centralized.
    - Wired policies are implemented on the switch; wireless policies are implemented on the controller.
  • Slide 15 – Agenda (repeat of slide 2)
  • Slide 16 – Components of the deployment: Best-in-Class Performance, Security and Resiliency
    - Cisco Prime Infrastructure (NCS 2.0): full UA management; consistent network services and multi-domain network management; troubleshoot end-user issues in real time.
    - Identity Services Engine (ISE): BYOD policy management; mobile device profiling and posture; guest access portal; scales up for large enterprise needs. (Who? What? When? Where? How?)
    - UA Catalyst 3850, 5760 Wireless Controller and NG Catalyst 4500 Sup (*): 480G stack, StackPower; advanced features: Flexible NetFlow, advanced QoS; 60G, 1k APs, N+1 redundancy; terminates wireless at the access switch; advanced features: QoS, NetFlow, downloadable ACLs; scalability for 11ac wireless traffic; wired multi-tier reliability for wireless; supports hybrid deployment models; embedded controller for up to 50 APs; IOS XE for wired and wireless features.
  • Slide 17 – UA Catalyst 3850: Best-in-Class Wired Switch with Integrated Wireless Mobility functionality
    - Hardware: 40 Gig of uplink bandwidth (4 x 10G ports) on the 48-port switch model (2 x 10G on the 24-port); line rate on all ports; PoE+ and MACsec support; HW-based wireless support (CAPWAP, DTLS and fragmentation); flexible ASIC with multiple-protocol support capability; StackPower; 480G stacking interface; HA support (.5 sec failover).
    - Features: Flexible NetFlow, 48k flows/stack; MQC support; 8 queues per port; 2k policers and microflow policers; SGT / SGACL & MACsec support *.
    - Wireless (unified wired & wireless): IOS for wireless; uniform wired & wireless policies; wireless switch group support for faster roaming of latency-sensitive applications; up to 50 APs per UA 3850 switch stack / SPG, up to 2,000 clients per stack / SPG.
    - IOS Evolution: enabling Open Service Platform; 4-core CPU to host services; modern OS to leverage next-gen switching hardware; 15.0 maintenance strategy; Wireshark *; NBAR *.
    - * Roadmap
  • Slide 18 – NG Catalyst 4500-E
    - Performance & Scale: 888 Gbps; TCAM scale Sup-7E equivalent.
    - Uplinks: 8 x 10G SFP+ (2 x QSFP+); TRILL / FabricPath / LISP.
    - High Availability: Virtual Switching System (VSS).
    - Wireless Controller: FRU wireless module, 10G bandwidth, 50 APs, 2000 users; scalable wireless; wired–wireless convergence.
    - Key Advantages: investment protection for the modular install base moving to a new Unified Access deployment; Flexible NetFlow with wireless attributes (radio, SSID, user); low optics cost solution; extended for other capabilities like NBAR2.
    - Up to 50 APs per NG 4500-E chassis, up to 2,000 clients per chassis.
  • Slide 19 – 5760 Wireless Controller
    - Industry-Leading Performance: 60G throughput (centralized deployments), 1000 APs; 6 x 10G uplinks; hardware ready for SGT / SGACL, advanced crypto, NBAR2 *.
    - Operational Simplicity: N+1 redundancy; stateful AP failover *; per-user, radio and SSID QoS policies; Flexible NetFlow; IPv6 client mobility; unified wired & wireless operations (IOS for wireless, uniform wired & wireless policies); NCS and ISE for scalable management and policies.
    - Flexible Deployments: Unified WLAN deployment (local mode); Unified Access deployment; hybrid deployments.
    - Up to 1,000 APs per 5760 controller, up to 12,000 clients per 5760.
    - * Roadmap (Advanced Features)
  • Slide 20 – Agenda (repeat of slide 2)
  • Slide 21 – Cisco Unified Access Deployment: hierarchy overview
    Diagram: a Mobility Domain containing NCS, ISE and an MO; within it a Mobility Group of MCs; each MC owns a Sub-Domain (#1, #2) made up of SPGs, each SPG made up of MAs.
  • Slide 22 – Cisco Unified Access Deployment: entities
    Physical entities:
    - Mobility Agent (MA): terminates the CAPWAP tunnel from the AP.
    - Mobility Coordinator (MC): manages mobility within and across Sub-Domains.
    - Mobility Oracle (MO): superset of the MC; allows for scalable mobility management within a Domain.
    Logical entities:
    - Mobility Group: grouping of Mobility Coordinators (MCs) to enable fast roaming, radio frequency management, etc.
    - Switch Peer Group (SPG): localizes traffic for roams within its distribution block.
    MA, MC and Mobility Group functionality all exist in today's controllers (4400, 5500, WiSM2).
  • Slide 23 – Cisco Unified Access Deployment: Mobility Agent (MA)
    Diagram: Service Block (ISE, NCS); MAs each terminating their local APs.
    - The MA is the first level in the MA / MC / MO hierarchy.
    - One MA per UA 3850 stack.
    - Maintains the client DB of locally served clients.
    - Interfaces to the Mobility Coordinator (MC).
  • Slide 24 – Cisco Unified Access Deployment: Mobility Coordinator (MC)
    Diagram: Service Block (ISE, NCS); MCs with downstream MAs and APs.
    - Maintains the client DB within a Sub-Domain (1 x MC = one Sub-Domain).
    - Handles RF functions (including RRM).
    - Manages mobility-related configuration of the downstream MAs.
    - Can be hosted on an MA (smaller deployments).
    - Mandatory element in the design.
    - Multiple MCs can be grouped together in a Mobility Group for scalability.
    - Supported platforms are UA 3850, WiSM2, 5508, and 5760.
  • Slide 25 – UA 3850: Best-in-Class Wired Switch with Integrated Wireless Mobility functionality
    - Can act as a Mobility Agent (MA) for terminating CAPWAP tunnels for locally connected APs …
    - … as well as a Mobility Coordinator (MC) for other Mobility Agent (MA) switches, in small deployments.
      - MA/MC functionality works on a stack of UA 3850 switches.
      - MA/MC functionality runs on the Stack Master.
      - The Stack Standby synchronizes some information (useful for intra-stack HA).
  • Slide 26 – Cisco Unified Access Deployment: Switch Peer Groups and Mobility Groups
    Diagram: SPGs A–F of MAs, grouped into Sub-Domains 1–3 under their MCs; the MCs form a Mobility Group.
    Switch Peer Group (SPG):
    - Made up of multiple UA 3850 switches as Mobility Agents (MAs), plus an MC (on a controller, as shown).
    - MAs within an SPG are fully meshed (auto-created at SPG formation).
    - Fast roaming within an SPG.
    - Multiple SPGs under the control of a single MC form a Sub-Domain; the MC handles roaming across SPGs (L2 / L3).
    Mobility Group:
    - Made up of multiple Mobility Coordinators (MCs).
    - Handles roaming across the MG (L2 / L3).
    - RF management (RRM) and key distribution for fast roaming; one Mobility Coordinator (MC) manages the RRM for the entire group.
    - Fast roams are limited to Mobility Group member MCs.
  • Slide 27 – Cisco Unified Access Deployment: Mobility Oracle (MO)
    Diagram: Service Block (ISE, NCS, MO); MCs with downstream MAs and APs.
    - Top level in the MA/MC/MO hierarchy; optional.
    - Maintains the client DB of clients across multiple Mobility Coordinators (MCs).
    - Further enhances scalability and performance by coordinating inter-MC roams (removes the need for N² communications between MCs, improves client join performance).
    - Can be a software-upgraded WiSM2, 5508 or 5760 controller.
  • Slide 28 – Agenda (repeat of slide 2)
  • Slide 29 – Cisco Unified Access Deployment: Point of Presence (PoP) vs. Point of Attachment (PoA)
    Diagram: an MC above an SPG of MAs with their APs; the user's PoP and PoA on the same MA.
    - PoP is where the wireless user is seen to be within the wired portion of the network.
    - PoA is where the wireless user has roamed to while mobile.
    - Before a user roams, PoP and PoA are in the same place. If users associate and remain stationary, this is their traffic flow.
    - Note – for the purposes of illustrating roaming, we are showing the purple connections herein that indicate the connections between the MAs and their corresponding MC for the Switch Peer Group (or Groups) involved on each slide … notice that, in this example, the traffic does NOT flow through the MC …
  • Slide 30 – Cisco Unified Access Deployment: Roaming, Single UA Switch Stack (roaming across a stack, small branch)
    Diagram: Central Location (ISE, NCS, MC) connected over the WAN to a branch UA switch stack (MC + MA) holding the user's PoP and PoA; a Guest Anchor in the DMZ reached via a CAPWAP tunnel; CAPWAP tunnels carry the control and data path.
    - In this example, the user roams within their UA-based switch stack; for a small branch site, this may be the only type of roam.
    - Roaming within a stack does not change the user's PoP or PoA, since the stack implements a single MA (redundant within the stack); thus a user that roams to another AP serviced by the same stack does not cause a PoA move (the PoA stays local to the stack).
    - Notice how the UA switch stack shown is an MC (as well as an MA): in a branch such as this with 50 APs or less, no discrete controller is necessarily required …
  • Slide 31 – Cisco Unified Access Deployment: overview of roaming with Guest / Mobility Anchors, in the context of PoP and PoA
    Diagram: Central Location (ISE, NCS, MC) over the WAN from the branch; the Guest Anchor in the DMZ holds the PoP, the branch MA holds the PoA; CAPWAP tunnels carry the control and data path, with a CAPWAP tunnel to the Guest Anchor.
    - When using Guest / Mobility Anchors, all guest traffic has its PoP set to the uplink of the Mobility Anchor controller, while the user's PoA moves within the network as they roam.
    - This is always the case for user traffic that is anchored to another controller within the network, and always has been: this is inherent to how Mobility Anchors work …
  • Slide 32 – Cisco Unified Access Deployment: Roaming, Within a Switch Peer Group (roaming across stacks, larger branch)
    Diagram: an SPG of UA switch stacks under a distribution layer, the left-hand stack acting as MC and MA; PoP on the original stack, PoA on the roamed-to stack. Caption: uRPF, symmetrical routing, NetFlow, stateful policy application … (Presenter note: CLI example, also Prime if possible.)
    - Now, let's examine a roam at a larger branch, with multiple UA-based switch stacks joined together via a distribution layer.
    - In this example, the larger branch site consists of a single Switch Peer Group, and the user roams within that SPG; again, at a larger branch such as this, this may be the only type of roam.
    - The user may or may not have roamed across an L3 boundary (depends on the wired setup); however, users are always* taken back to their PoP for policy application.
    - Again, notice how the UA switch stack on the left is an MC (as well as an MA) in this picture: in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required …
    - * Adjustable via setting, may be useful for L2 roams (detailed on a following slide)
  • Slide 33 – Cisco Unified Access Deployment: Roaming, Within an SPG (Campus; L3 behaviour and default L2 behaviour)
    Diagram: an MC above an SPG of MAs; PoP on the original MA, PoA on the roamed-to MA. Caption: uRPF, symmetrical routing, NetFlow, stateful policy application …
    - Now, let's examine a few different types of user roams.
    - In this example, the user roams within their Switch Peer Group; since SPGs are typically formed around floors or other geographically-close areas, this is the most likely and most common type of roam.
    - The user may or may not have roamed across an L3 boundary (depends on the wired setup); however, users are always* taken back to their PoP for policy application.
    - Note – the traffic in this most common type of roam did not have to be transported back to, or via, the MC (controller) servicing the Switch Peer Group; it stayed local to the SPG only (i.e. under the distribution layer in this example, not back through the core).
    - * Adjustable via setting, may be useful for L2 roams (detailed on a following slide)
  • Slide 34 – Cisco Unified Access Deployment: traffic flows, comparison (Unified Access)
    Diagram: WiSM2s / 5508s / 5760s as MCs above an SPG; the user's PoP and PoA on the UA switch; PSTN, CUCM; converged policies and services for wired and wireless users.
    - Now, our VoIP user is on a Cisco Unified Access network, and is again making a call from a wireless handset to a wired handset …
    - We can see that all of the user's traffic is localized to their Peer Group, below the distribution layer, in both directions …
    - In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming); two additional hops may be incurred for routing …
    - Traffic does not flow via MCs: more efficient, since traffic flows are localized to the UA switch (performance increase).
    - Wired and wireless policies are implemented on the UA switch.
  • Slide 35 – Cisco Unified Access Deployment: traffic flows, comparison (Unified Access, with a roam)
    Diagram: WiSM2s / 5508s / 5760s as MCs above an SPG of MAs; PoP on the original MA, PoA on the roamed-to MA; PSTN, CUCM; converged policies and services for wired and wireless users.
    - Now, our VoIP user on the Cisco Unified Access network roams while a call is in progress between the wireless and wired handsets …
    - We can see that all of the user's traffic is still localized to their Peer Group, below the distribution layer, in both directions …
    - In this example, a total of 3 hops is incurred for each direction of the traffic path (assuming intra-SPG roaming); two additional hops may be incurred for routing …
    - Traffic still does not flow via MCs: more efficient, since traffic flows are still localized to the SPG (performance & scalability).
    - Wired and wireless policies are implemented on the UA switch.
  • Slide 36 – Cisco Unified Access Architecture: Roaming, Across SPGs (Campus; L3 separation assumed at the access layer)
    Diagram: one MC above two SPGs of MAs; PoP on the original MA in the first SPG, PoA on the roamed-to MA in the second SPG. Caption: uRPF, symmetrical routing, NetFlow, stateful policy application …
    - Now, let's examine a few different types of user roams.
    - In this example, the user roams across Switch Peer Groups; since SPGs are typically formed around floors or other geographically-close areas, this type of roam is possible, but less likely than roaming within an SPG.
    - Typically, this type of roam will take place across an L3 boundary (depends on the wired setup); however, users are always* taken back to their PoP for policy application.
    - * Adjustable via setting, may be useful for L2 roams (detailed on a following slide)
  • Slide 37 – Cisco Unified Access Architecture: Roaming, Across SPGs and MCs (Campus; L3 separation assumed at the access layer)
    Diagram: two MCs, each above its own SPG of MAs; PoP on the original MA under the first MC, PoA on the roamed-to MA under the second MC. Caption: uRPF, symmetrical routing, NetFlow, stateful policy application …
    - Now, let's examine a few different types of user roams.
    - In this example, the user roams across Switch Peer Groups and controllers (within the same Mobility Group) … again, this type of roam is possible, but less likely than intra-SPG roaming.
    - Typically, this type of roam will take place across an L3 boundary (depends on the wired setup); however, users are always* taken back to their PoP for policy application.
    - * Adjustable via setting, may be useful for L2 roams (detailed on a following slide)
  • Slide 38 – Cisco Unified Access Deployment: Roaming, Across SPGs (Layer 2; roaming across the network with a Layer 2 extension)
    Diagram: two MCs, each above its own SPG of MAs, with Layer 2 extended across the network; both PoP and PoA on the roamed-to MA. Caption: policy moves with the user move, following the PoP.
    - Now, let's examine a few different types of user roams.
    - In this example, the user roams across Switch Peer Groups and controllers (within the same Mobility Group) … but in this case, we have Layer 2 extended across the network (L2 separation across the access layer in this example).
    - This would not be typical of most enterprise wired deployments; however, if this setup is present, an available setting allows for L2 roaming (a move of both PoP and PoA).
As Noted –
• When a user roams in an L2 environment, an optional setting allows for both the user’s PoA and PoP to move.
• The benefits that accrue to a PoP move for an L2 user roam are reduced end-to-end traffic latency for the user (fewer traffic hops), as well as a reduction of state held within the network (as the user needs to be kept track of only at the roamed-to switch).
• The drawbacks to a PoP move for an L2 user roam are likely increased roam times, as user policy may be retrieved from the AAA server, and applied at the roamed-to switch. The combination of these two elements may introduce a level of non-deterministic behaviour into the roam times if this option is used.
• Default Behaviour – L2 Roams Disabled – by default, all roams (whether across an L3 boundary or not) carry the user’s traffic from their roamed-to switch (where the user’s PoA has moved to), back to the original switch the user associated through (where the user’s PoP remains). In this case, the user’s policy application point remains fixed, and roam times are more deterministic.
• This may also reduce the load on the AAA server during user roams, as policy may not need to be retrieved, and PKC within the Switch Peer Group can take care of crypto key distribution.
• However, if desired, this behaviour can be modified via a setting to allow for an L2 roam – assuming the network topology involved allows for the appropriate Layer 2 extension across the network.
[Diagram: an SPG of switches with the PoP and PoA marked on the roamed-to switch; policy moves with the user move – follows PoP]
As we saw previously, we can also optionally use a UA 3850 switch as an MC + co-located MA for a Switch Peer Group … let’s explore this in more detail –
• Single UA 3850 MC supported per Switch Peer Group
• Single UA 3850 MC can handle up to 50 APs and 2,000 clients total … therefore, up to 50 APs and 2,000 clients per UA 3850-based Switch Peer Group
• More scalable MC capability can be provided by 5760 / WiSM2
• MC handles inter-SPG roaming, RRM, CleanAir, Rogue Detection, Guest, etc.
[Diagram: Guest Anchor, ISE and NCS above one SPG whose MC/MA stack is a UA 3850, with further UA 3850 MAs in the SPG]
But what if we want to scale larger, without implementing 5760 / WiSM2? Is this possible?
Switch Peer Group / Mobility Group Scaling with UA 3850 –
• Up to 8 x UA 3850 MCs can be formed into a Mobility Group
• Up to 250 APs total and 16,000 clients supported (maximum) across a Mobility Group made up solely of UA 3850 switches
• Guest tunneling is per MC – to Guest Anchor controller
• Licensing is per MC – not pooled across MCs
• RRM, CleanAir, Rogue Detection, etc. is coordinated across the MCs in the same Mobility Group
• Full mesh of MCs across Mobility Group
[Diagram: Guest Anchor, ISE and NCS above a Mobility Group of several Switch Peer Groups, each with a UA 3850 MC/MA stack and its MAs; the MCs are fully meshed]
Background –
• Many larger designs (such as most Campuses) will likely utilize a discrete controller, or group of controllers, as MCs. Combined with UA 3850 switches as MAs, this likely provides the most scalable design option for a larger network build.
• However, if using UA 3850 switches as MCs for smaller builds – and with the scaling limits detailed on the previous slide in mind – we need to determine where to best use this capability.
• Pros – CapEx cost savings – via the elimination of a controller-as-MC in some designs (typically, smaller use cases and deployments) … cost also needs to take into consideration licensing on UA 3850 switches (TBD).
• Cons – OpEx complexity – due to some additional complexity that comes into roaming situations when using multiple UA switch-based MCs (as detailed in the following slides). While not insurmountable, this does need to be factored in as part of the decision process. Roaming details provided on following slides.
• Conclusion – In smaller designs (such as branches), the use of UA 3850 switches as MCs is likely workable. In mid-sized designs, this may also be workable, but does lead to some additional roaming considerations (as detailed on the following slides). In large campus deployments, the use of controllers as MCs is more likely, due to economies of scale.
[Diagram: a Switch Peer Group of UA switches]
Roaming, within a Stack (UA Switches as MCs) –
• Initially, all clients in this example are on their initial, local UA switches
• Now, a client roams – and we see his resulting traffic topology
• Roaming within a stack does not change the user’s PoP or PoA – since the stack implements a single MA (redundant within the stack), and thus a user that roams to another AP serviced by the same stack does not cause a PoA move
• No change to user’s PoP or PoA – uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application …
• CLI example (also Prime if possible)
Scalability – Max of 8 x UA 3850 switches as MCs, grouped into a Mobility Group; 250 APs total across all UA 3850 MCs; Max. 50 APs per UA 3850 stack / SPG
[Diagram: Guest Anchor, ISE and NCS above a Mobility Group of two SPGs, each with a UA 3850 MC/MA stack and its MAs; the client’s PoP and PoA remain on the same stack]
Roaming, within a Switch Peer Group (UA Switches as MCs) –
• Now, the client roams to an AP serviced by another switch stack (within the same SPG)
• Let’s examine his resulting traffic topology
• The user has moved between MAs (switch stacks) – to maintain consistency of user connectivity (IP address) and policy application, the user’s traffic is transported to the MA that the user associated with initially (i.e. the user’s PoA moved, but their PoP stayed static)
• Most common roaming case
[Diagram: same Mobility Group of two SPGs; the PoA has moved to a neighbouring MA in the same SPG while the PoP stays on the original MA]
Roaming, across Switch Peer Groups (UA Switches as MCs) –
• Now, let’s examine a more complex roam where the user roams across SPGs
• In this example – the user roams to a separate SPG, onto the stack serving as MC for that SPG
• The user has moved between SPGs – so their traffic needs to be transported back to their PoP, which has remained static – and it does so by transiting between the two MCs servicing these two Switch Peer Groups (MCs are fully meshed within the MG)
• Roaming between SPGs (geographically separated)
[Diagram: same Mobility Group of two SPGs; the PoA is now on the MC stack of the other SPG, and traffic runs from there via the two MCs back to the PoP]
Roaming, across Switch Peer Groups and MCs (UA Switches as MCs) –
• Now, let’s examine the most complex type of roam – across SPGs and MCs / MAs
• Remember – these types of roams are likely to be a minority case in most deployments
• The user has moved between MAs, MCs, and SPGs – and their traffic takes the path shown since, again, their PoP has remained static, while the PoA moved as the user roamed (maintains user IP address, maintains consistency of policy application)
• Roaming between SPGs and MCs (geographically separated)
[Diagram: same Mobility Group of two SPGs; the PoA is now on an MA in the other SPG, and traffic runs from that MA via the two MCs back to the PoP]
What happens when –
• Everyone enters the building via a common lobby
• APs in that lobby are controlled by one UA switch stack
• All the users, and their traffic – get “pinned” to that switch ... causing issues for traffic load, switch load, DHCP pool exhaustion, etc. …
• Many users could end up “staying in the lobby” logically
[Diagram: same Mobility Group of two SPGs; the lobby area is served by one UA stack, and several users keep their PoP there (PoP and PoA marked on the lobby stack) after roaming elsewhere]
What can we do to address this issue?
• User client associations get distributed across UA switches in the Switch Peer Group
• User load info is constantly shared within the SPG – with heartbeat (10s default, adjustable 1s-30s)
• At 50% client load, the lobby UA switch distributes incoming client association requests to its Switch Peer Group members … the client is anchored based on reported client load
• Addresses traffic load, switch load, DHCP pool exhaustion, etc.
[Diagram: the lobby stack reports 50% load; the new client is anchored to the middle UA stack – as it reported that it had fewer clients associated – so its PoP sits there while its PoA is on the lobby stack]
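As an added illustration of the load-based anchoring the slide describes (example code, not Cisco software): peers share their client counts by heartbeat, and once the lobby stack reaches 50% of its client capacity a new association is anchored on the least-loaded peer. The 2,000-client capacity, the stack names and load figures, and the rule of ignoring a peer whose report is older than two heartbeats are this example's assumptions.

```python
"""Load-based client anchoring within a Switch Peer Group (SPG).

Added example, not Cisco code. Models the slide: load is shared by
heartbeat (10 s default, adjustable 1-30 s) and at 50% client load the
lobby stack hands new associations to the least-loaded SPG member.
"""
from dataclasses import dataclass

HEARTBEAT_DEFAULT_S = 10      # load-report interval stated on the slide
HEARTBEAT_MIN_S, HEARTBEAT_MAX_S = 1, 30
REDIRECT_THRESHOLD = 0.50     # lobby stack starts redirecting at 50% load
# Assumption: the 2,000-client figure quoted for a UA 3850 MC is used here
# as the per-stack capacity against which the 50% threshold is measured.
STACK_CLIENT_CAPACITY = 2000


@dataclass
class StackLoad:
    name: str
    clients: int           # client count carried in the last heartbeat
    last_report_s: float   # time that heartbeat arrived (constructed)


def validate_heartbeat(interval_s: int) -> int:
    """Reject heartbeat settings outside the adjustable 1s-30s range."""
    if not HEARTBEAT_MIN_S <= interval_s <= HEARTBEAT_MAX_S:
        raise ValueError(
            f"heartbeat must be {HEARTBEAT_MIN_S}-{HEARTBEAT_MAX_S}s, got {interval_s}")
    return interval_s


def choose_anchor(local: StackLoad, peers: list[StackLoad], now_s: float,
                  heartbeat_s: int = HEARTBEAT_DEFAULT_S,
                  capacity: int = STACK_CLIENT_CAPACITY) -> str:
    """Return the name of the stack that should anchor (be PoP for) a new client.

    Below the threshold the local (lobby) stack keeps the client. At or above
    it, the least-loaded peer is chosen among those whose report is fresh.
    Assumption: a report older than two heartbeat intervals is stale and that
    peer is skipped, so a stack that stopped reporting is never picked on old
    data; if no peer is fresh the local stack anchors the client itself.
    """
    validate_heartbeat(heartbeat_s)
    if local.clients < capacity * REDIRECT_THRESHOLD:
        return local.name
    fresh = [p for p in peers if now_s - p.last_report_s <= 2 * heartbeat_s]
    candidates = fresh + [local]
    best = min(candidates, key=lambda s: (s.clients, s.name))
    return best.name
```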
Mobility Domain scaling with 5760 MCs (MA = Mobility Agent, MC = Mobility Coordinator, SPG = Switch Peer Group, SD = Sub-Domain)
[Diagram: a Mobility Domain of Sub-Domains (Sub-Domain - 1 … Sub-Domain - 8 drawn), each with a 5760 MC (MC/MO); each Sub-Domain holds SPG - 1 … SPG - 64; each Switch Peer Group holds MA-1 … MA-16 (UA 3850 MAs, or MC/MA on one switch); MAs numbered 1~4, 6~8 … 346~350 across an MC’s SPGs]
• Single UA 3850 switch as MC/MA (1 MC = 1 SD): up to 50 APs, up to 2K clients, up to 50GB I/O for AP traffic
• Sub-Domain (5760 MC): up to 16 MAs in an SPG, up to 64 SPGs in an SD, up to 350 MAs per MC, up to 1K APs in an SD, up to 12K clients, up to 1TB I/O for AP traffic
• Mobility Domain: 72 Mobility SDs in a MD, up to 25,200 MAs per MD, up to 72K APs, up to 864K clients, up to 72TB I/O for AP traffic
Mobility Domain scaling with UA 3850 MCs (MA = Mobility Agent, MC = Mobility Coordinator, SPG = Switch Peer Group, SD = Sub-Domain)
[Diagram: a Mobility Domain of Sub-Domains (Sub-Domain - 1 … Sub-Domain - 8), each with a UA 3850 MC; each Sub-Domain holds SPG - 1 … SPG - 8; each Switch Peer Group holds MA-1 … MA-16 (UA 3850 MAs); MAs numbered 1~2, 3~4 … 15~16 across an MC’s SPGs]
• Single UA 3850 switch as MC/MA (1 MC = 1 SD): up to 50 APs, up to 2K clients, up to 50 GB I/O for AP traffic
• Sub-Domain (UA 3850 MC): up to 16 MAs in an SPG, up to 8 SPGs in an SD, up to 16 MAs per MC, up to 50 APs, up to 2K clients, up to 250 GB I/O for AP traffic
• Mobility Domain: up to 8 SDs in an MD, up to 128 MAs per MD, up to 250 APs, up to 16K clients, up to 250 GB I/O for AP traffic
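The per-SPG, per-Sub-Domain and per-Mobility-Domain figures on the UA 3850 and 5760 scaling slides above are easiest to apply as a design check. The following is an added example, not a Cisco tool: the limit table is transcribed from those slides, the sample designs in the test are constructed, and treating every Sub-Domain in a Mobility Domain as using one MC platform is this example's simplification.

```python
"""Check a proposed Converged Access design against the scaling limits
quoted on the UA 3850 and 5760 scaling slides. Added example, not Cisco
software; limits are transcribed from the slides as stated there."""
from dataclasses import dataclass

# Limits keyed by the platform acting as MC (one MC = one Sub-Domain).
LIMITS = {
    "5760": {"mas_per_spg": 16, "spgs_per_sd": 64, "mas_per_mc": 350,
             "aps_per_sd": 1000, "clients_per_sd": 12000,
             "sds_per_md": 72, "mas_per_md": 25200,
             "aps_per_md": 72000, "clients_per_md": 864000},
    "3850": {"mas_per_spg": 16, "spgs_per_sd": 8, "mas_per_mc": 16,
             "aps_per_sd": 50, "clients_per_sd": 2000,
             "sds_per_md": 8, "mas_per_md": 128,
             "aps_per_md": 250, "clients_per_md": 16000},
}


@dataclass
class SubDomain:
    mc_platform: str          # "5760" or "3850"
    spg_ma_counts: list[int]  # number of MAs in each SPG under this MC
    aps: int                  # APs served by this Sub-Domain
    clients: int              # clients served by this Sub-Domain


def check_sub_domain(sd: SubDomain) -> list[str]:
    """Return the limit violations for one Sub-Domain (empty when it fits)."""
    lim = LIMITS[sd.mc_platform]
    problems = []
    if len(sd.spg_ma_counts) > lim["spgs_per_sd"]:
        problems.append(f"{len(sd.spg_ma_counts)} SPGs > {lim['spgs_per_sd']} per SD")
    for i, n in enumerate(sd.spg_ma_counts, 1):
        if n > lim["mas_per_spg"]:
            problems.append(f"SPG {i}: {n} MAs > {lim['mas_per_spg']} per SPG")
    total_mas = sum(sd.spg_ma_counts)
    if total_mas > lim["mas_per_mc"]:
        problems.append(f"{total_mas} MAs > {lim['mas_per_mc']} per MC")
    if sd.aps > lim["aps_per_sd"]:
        problems.append(f"{sd.aps} APs > {lim['aps_per_sd']} per SD")
    if sd.clients > lim["clients_per_sd"]:
        problems.append(f"{sd.clients} clients > {lim['clients_per_sd']} per SD")
    return problems


def check_mobility_domain(sds: list[SubDomain]) -> list[str]:
    """Check each Sub-Domain, then the Mobility Domain aggregates.

    Note that for UA 3850 MCs the MD-wide AP and client ceilings (250 / 16K)
    bind before 8 fully loaded Sub-Domains would (8 x 50 APs = 400).
    """
    platforms = {sd.mc_platform for sd in sds}
    if len(platforms) != 1:
        raise ValueError("this example assumes one MC platform per Mobility Domain")
    lim = LIMITS[platforms.pop()]
    problems = []
    for i, sd in enumerate(sds, 1):
        problems += [f"SD {i}: {p}" for p in check_sub_domain(sd)]
    totals = {
        "sds_per_md": len(sds),
        "mas_per_md": sum(sum(sd.spg_ma_counts) for sd in sds),
        "aps_per_md": sum(sd.aps for sd in sds),
        "clients_per_md": sum(sd.clients for sd in sds),
    }
    for key, value in totals.items():
        if value > lim[key]:
            problems.append(f"MD: {value} {key.split('_')[0]} > {lim[key]}")
    return problems
```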
Agenda
• Unified Access Deployment – Solution Overview
• Existing Wireless Deployment – Architecture Refresher
• The Unified Access Deployment in Detail –
  - Components of the Deployment – Hardware and Software
  - Components of the Deployment – Terminology and Building Blocks
  - Unified Access Deployment – Traffic Flows and Roaming
  - Unified Access Deployment – High Availability
  - Unified Access Deployment – IP Addressing
  - Unified Access Design Options, Greenfield –
  - Small Branch, Larger Branch, and Campus
  - Migration Options – Evolving to a Unified Access Solution
• Summary
Revise HA section (addition of 4-5 slides) to show the following –
• Additional details on intra-stack UA 3850 HA and failover / recovery
• Additional details on AP SSO, Client SSO (FCS++)
• Impact of software upgrades, AP pre-image download
• Document results from HA testing in PoC Lab
Examining traffic topologies –
• Let’s now examine a second client roam, with a subsequent MC failover within a stack (failure of the MC switch in a UA stack, for a Switch Peer Group)
• First, the traffic topology after the roam – as we saw before …
• Again, this traffic pattern is normal – for all of the reasons stated previously (default behavior)
[Diagram: Guest Anchor, ISE and NCS above a Mobility Group of two SPGs, each with a UA 3850 MC/MA stack and its MAs; the client’s PoP is on one MA and its PoA on another]
Examining state within the stack (for MC) –
• Let’s now examine the state maintained by the MC within a stack, and see what redundancy we provide for this …
[Diagram: same Mobility Group; the MA/MC stack is shown with a Master (M) and a Standby (S) member]
MA/MC stack – Master (M) and Standby (S) members
• Tunnel state is synced between Master and Standby member in stack – AP, Guest, MC2MA, Inter-MC and SPG tunnels
• Tunnel states are inactive on Standby member
• CLI example
[Diagram: the Master holds active AP, Guest, MC2MA, Inter-MC and SPG tunnel state; the Standby holds the same synced state, inactive]
MC goes down in stack – Standby MC must now become Master
• So what are the impacts to local users, and to roamed users?
• ✗ Local client re-auths, re-DHCPs
• ✗ Roamed client re-auths, re-DHCPs, becomes local
• ✓ No impact to existing clients on MAs (shown for both Switch Peer Groups)
[Diagram: the MA/MC stack with the Master (M) failed and the Standby (S) promoted to Master; same Mobility Group of two SPGs with the PoP and PoA of the local and roamed clients marked]
Switch Peer Group Fault Tolerance with UA 3850 –
• If a UA 3850-based MC is down in a Switch Peer Group –
• Roaming within a Switch Peer Group still works
• Roaming between Switch Peer Groups does not work
• PMKs (via PKC) will not be distributed if the MC is down – so no Fast Roaming for new clients until the MC is restored
[Diagram: same Mobility Group; the MC stack of one SPG is totally down (“blowed up real good”). ✗ no PMK, no fast roam for a new client in that SPG; ✓ client roams seamlessly between the MAs of that SPG; ✗ client roaming into the other SPG re-auths, re-DHCPs, becomes local]
Switch Peer Group Fault Tolerance with UA 3850 –
• If a UA 3850-based MC is down in a Switch Peer Group –
• When MC is down, RRM, CleanAir, Rogue Detection, and Guest Access (guest tunneling) do not operate within the affected Switch Peer Group – other Switch Peer Groups are unaffected, however
[Diagram: same Mobility Group; the MC stack of one SPG is totally down. ✗ Guest access down in that SPG; ✓ Guest access up in the other SPG]
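The roam types on the preceding slides (within a stack, within an SPG, across SPGs and MCs, the optional L2 roam setting) and the MC-failure impacts on the HA slides all follow from one rule: the PoA moves, the PoP stays, and traffic is carried from PoA back to PoP. The model below is an added example, not Cisco software: the stack names, SPG membership and choice of MC stack are constructed, and the path hops are taken from the slides' descriptions.

```python
"""Model of PoP/PoA roaming and UA 3850 MC-failure impact as described on
the roaming and HA slides. Added example, not Cisco software: stacks,
SPG membership and MC assignment are constructed inputs."""
from dataclasses import dataclass


@dataclass
class Stack:
    name: str
    spg: str             # Switch Peer Group this stack (one MA) belongs to
    is_mc: bool = False  # True when this UA 3850 stack is also its SPG's MC
    up: bool = True


@dataclass
class Client:
    name: str
    pop: str  # Point of Presence: where policy is applied; fixed by default
    poa: str  # Point of Attachment: stack serving the client's current AP


class MobilityGroup:
    def __init__(self, stacks):
        self.stacks = {s.name: s for s in stacks}
        self.clients = {}

    def mc_of(self, spg):
        """The MC stack serving an SPG, or None while it is down."""
        for s in self.stacks.values():
            if s.spg == spg and s.is_mc and s.up:
                return s
        return None

    def associate(self, client, stack):
        # Initial association: PoP and PoA are the same stack.
        self.clients[client] = Client(client, pop=stack, poa=stack)

    def roam(self, client, to_stack, l2_roam=False):
        """Move the client's PoA to to_stack and return the roam type.

        Default: only the PoA moves, so IP address and policy point are kept.
        With the optional L2-roam setting the PoP follows the user. An
        inter-SPG roam needs both SPG MCs; if one is down the client
        re-authenticates and becomes local (PoP = PoA)."""
        c = self.clients[client]
        old, new = self.stacks[c.poa], self.stacks[to_stack]
        if old.name == new.name:
            return "intra-stack"  # one MA per stack: nothing changes
        if old.spg != new.spg and None in (self.mc_of(old.spg), self.mc_of(new.spg)):
            c.poa = c.pop = new.name
            return "inter-SPG, MC down: re-auth, re-DHCP, becomes local"
        c.poa = new.name
        if l2_roam:
            c.pop = new.name  # policy moves with the user
        return "intra-SPG" if old.spg == new.spg else "inter-SPG"

    def traffic_path(self, client):
        """Stacks crossed from PoA back to PoP: direct between MAs inside an
        SPG, via the two fully meshed SPG MCs across SPGs; [] if an MC the
        path needs is down."""
        c = self.clients[client]
        pop, poa = self.stacks[c.pop], self.stacks[c.poa]
        if pop.name == poa.name:
            hops = [poa.name]
        elif pop.spg == poa.spg:
            hops = [poa.name, pop.name]
        else:
            mcs = (self.mc_of(poa.spg), self.mc_of(pop.spg))
            if None in mcs:
                return []
            hops = [poa.name, mcs[0].name, mcs[1].name, pop.name]
        path = []  # collapse repeats, e.g. when the PoA stack is its SPG's MC
        for h in hops:
            if not path or path[-1] != h:
                path.append(h)
        return path

    def mc_switch_failover(self, spg):
        """Master MC switch fails in its stack; the standby takes over. Per the
        HA slide: clients attached to that stack, and clients whose PoP is on
        it, re-auth/re-DHCP and become local; clients on other MAs are unaffected."""
        mc = self.mc_of(spg)
        impact = {}
        for c in self.clients.values():
            if c.poa == mc.name:
                impact[c.name] = "local client re-auths, re-DHCPs"
            elif c.pop == mc.name:
                impact[c.name] = "roamed client re-auths, re-DHCPs, becomes local"
            else:
                impact[c.name] = "no impact"
            if mc.name in (c.pop, c.poa):
                c.pop = c.poa
        return impact

    def mc_stack_down(self, spg):
        """Whole MC stack down: intra-SPG roams still work, inter-SPG roams fall
        back to re-auth (see roam()); RRM, CleanAir, rogue detection and guest
        tunneling stop for this SPG only."""
        self.mc_of(spg).up = False
```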
Insert slides (6 – 8 total) to discuss the following topic areas, related to UA deployment IP addressing –
• Recommendations for wired and wireless management VLANs
• Recommendations for separate / mixed wired and wireless client VLANs
• Client or OS issues relating to mixed subnets?
• Recommendations on VLAN sizing for wireless
• Recommendations on VLAN spanning for L2 roams
• Document results from setups in PoC Lab
• Best practice recommendations, with reference to current SBA designs (if possible within the October timeframe)
Likely the most common deployment at FCS
[Diagram: Central Location with ISE, NCS and Guest Anchor(s) in a DMZ, reached over the WAN; a single UA Switch at the branch; CAPWAP tunnels – control and data path – between the APs and the UA switch]
Characteristics –
• May be a lower-speed WAN link (bandwidth and latency a concern only for Guest traffic)
• Deployment could consist of multiple stacks – one stack as MC/MA, rest of stacks as MAs only
• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming
• Supports VideoStream and optimized multicast
• Good availability due to MA/MC redundancy within the UA stack – provides wireless continuity with either WAN outage or switch failure within the UA stack
Applicable to a Smaller Branch with Several Wiring Closets – Likely the most common deployment at FCS
[Diagram: Central Location with ISE, NCS and Guest Anchor(s) in a DMZ, reached over the WAN; a branch distribution switch above one Switch Peer Group of a UA MC stack and several UA MA stacks]
Characteristics –
• No discrete controllers deployed, even with multiple wiring closets
• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming
• Supports VideoStream and optimized multicast
• Good availability due to MA/MC redundancy within the UA stacks – provides wireless continuity with either WAN outage or switch failure within the UA stack
Applicable to a Larger Branch with Multiple Wiring Closets
[Diagram: Central Location with ISE, NCS and Guest Anchor(s) in a DMZ, reached over the WAN; branch distribution switches above a Mobility Group of two Switch Peer Groups, each with a UA MC stack and its MA stacks]
Characteristics –
• No discrete controllers deployed, even at a larger branch
• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming
• Supports VideoStream and optimized multicast
• Good availability due to MA/MC redundancy within the UA stacks – provides wireless continuity with either WAN outage or switch failure within the UA stack
Applicable to a Larger Branch or Small Campus
[Diagram: Central Location with ISE, NCS and Guest Anchor(s) in a DMZ, reached over the WAN; a Mobility Group of two 5760 / WiSM2 / 5508 controllers as MCs above distribution switches and Switch Peer Groups of UA MA stacks]
Characteristics –
• Greater scalability via the use of discrete controllers as MCs, in conjunction with UA switches as MAs
• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming, VideoStream, and optimized multicast
• Simplified Mobility deployment vs. the use of UA switches as MCs / MAs
• Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers) – provides wireless continuity with either WAN outage or switch / controller failure
Applicable to a Small Campus (with inter-building wireless coverage) – Scalability … up to 8 UA 3850 MCs, up to 250 APs total (w/ inter-dist. roaming)
[Diagram: Data Center with ISE, NCS (optional), MO and Guest Anchors; Campus / Metro core and distribution switches; one Mobility Group spanning several Switch Peer Groups, each with a UA MC stack and its MA stacks]
Characteristics –
• No discrete controllers deployed, even at a small Campus
• Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
• Supports roaming between distribution layers, keeps many roams localized below dist. layer
• Supports Layer 3 roaming
• Good availability due to MC/MA redundancy within the UA stacks – moderately scalable using UA 3850s (up to 8 in total) as MCs, combined with a single Mobility Group in the deployment
Note – MC present per SPG, all SPG MCs meshed into single Mobility Group for the site. Guest tunnel per MC to Anchor.
May be Applicable to a Small Campus (without any inter-building wireless coverage) – Scalability …. > 8 UA 3850 MCs, > 250 APs total (w/o inter-dist. roaming)
[Diagram: Data Center with ISE, NCS (optional), MO and Guest Anchors; Campus / Metro core and distribution switches; Mobility Group 1 and Mobility Group 2, each of several Switch Peer Groups with a UA MC stack and its MA stacks; no inter-MG RF coverage. ✓ client roams seamlessly within a Mobility Group; ✗ client crossing Mobility Groups re-auths, re-DHCPs, becomes local]
Characteristics –
• No discrete controllers deployed, even at a larger Campus
• Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
• No support for roaming across distribution layers (no inter-dist. RF coverage)
• Supports Layer 3 roaming
• Good availability due to MC/MA redundancy within the UA stacks – more scalable using UA 3850s (up to 8 total per Mobility Group) as MCs, combined with multiple Mobility Groups in the deployment
Note – MC present per SPG, all SPG MCs meshed into multiple Mobility Groups for the site. Guest tunnel per MC to Anchor. No inter-dist. roaming – no RRM, no CleanAir, no Rogue Det. across separate Mob. Groups
Applicable to a Larger Campus
[Diagram: Data Center with ISE, NCS (optional), MO, Guest Anchors and Campus Services: 5760s / WiSM2s / 5508s as MCs in one Mobility Group; Campus / Metro core and distribution switches above Switch Peer Groups of UA MA stacks]
Characteristics –
• Use of discrete controllers as MCs, combined with UA switches as MAs, provides for a very scalable solution
• Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming – provides scalability by keeping many roams localized to SPGs (below dist.)
• Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers)
• Simplified Mobility deployment using UA switches as MAs only, vs. the use of UA switches as MCs / MAs
Applicable to a Larger Campus (distributed controllers)
[Diagram: Data Center with ISE, NCS (optional), MO and Guest Anchors; Campus / Metro core; 5760s / WiSM2s / 5508s as MCs distributed at the distribution layer, in one Mobility Group, above Switch Peer Groups of UA MA stacks]
Characteristics –
• Use of discrete controllers as MCs, combined with UA switches as MAs, provides for a very scalable solution
• Use of distributed controllers (vs. centralized in DC) may be more appropriate in some wireless deployments
• Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
• Supports Layer 3 roaming – provides scalability by keeping many roams localized to SPGs (below distribution)
• Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers)
• Simplified Mobility deployment using UA switches as MAs only, vs. the use of UA switches as MCs / MAs
Existing Unified Wireless Deployment today … Prior to Migration to Unified Access
[Diagram: Data Center / Service block with ISE and NCS; Intranet; a Mobility Group of two 5508 / WiSM2 controllers, each acting as MC and MA, joined by an EtherIP Mobility Tunnel; CAPWAP Tunnels from each controller to its APs]
Initial Migration Step – Controller Upgrades, Implementation of First UA Switches (Intermediate step)
[Diagram: Data Center / Service block with ISE, NCS and an optional MO (5760 / 5508 / WiSM2); Intranet; the Mobility Group of two 5508 / WiSM2 controllers (MC + MA), each after a software upgrade, now joined by a CAPWAP Mobility Tunnel; the first UA switches deployed as MAs in a Peer Group under one controller; CAPWAP Tunnels to the APs]
• Be aware that feature differences may exist, based on MA software versions
Further Migration Step – Controller Upgrades, Implementation of Additional UA Switches (Intermediate step)
[Diagram: Data Center / Service block with ISE, NCS and an optional MO (5760 / 5508 / WiSM2); Intranet; the Mobility Group after controller upgrades to two 5760 Controllers (MC + MA), joined by a CAPWAP Mobility Tunnel; a Peer Group of UA MA switches under each controller; CAPWAP Tunnels to the APs]
• Be aware that feature differences may exist, based on MC platforms and versions
Final Migration Step – Implementation of End-to-End Unified Access Deployment (Eventual state)
[Diagram: Data Center / Service block with ISE, NCS and an optional MO (5760 / 5508 / WiSM2); Intranet; the Mobility Group of two 5760 Controllers acting as MCs only, joined by a CAPWAP Mobility Tunnel; Peer Groups of UA MA switches under each controller; CAPWAP Tunnels from the APs to the MAs]
An Evolutionary Advance to Cisco’s Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands ….
• Control plane functionality on NG Controller (also possible on upgraded 5508s, WiSM2s for brownfield deployments, or NG Unified Access switches for small, branch deployments) – Next-Generation WLAN Controller (5760)
• Data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred) – Next-Generation Switches (UA 3850s)
• Enabled by Cisco’s strength in Silicon and Systems … Doppler ASIC
With a Next-Generation Deployment and Solution
[Diagram: Cisco Unified Access Deployment – a Mobility Domain containing a Mobility Group of Switch Peer Groups, with NCS and ISE]
An Evolutionary Advance to Cisco’s Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands ….