Diving into Converged Access

Overview of how the newest generation of Cisco wireless products are driving a new paradigm in wireless LAN designs. Topics of interest will include BYOD, Guest WLAN, expanded WLAN client authentication, 3G support and distributed controller functionality within the Cisco WLAN architecture.

Transcript

  • 1. "Diving into Converged Access" – Cisco Tech Day, January 17th, 2014. Steve Phillips, Wireless Consulting Systems Engineer, stevephi@cisco.com. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 2. Agenda – Diving into Converged Access: Solution and Design Overview & Deep Dive
    • Converged Access Solution and Platforms Overview
    • Converged Access Architecture and Components Review
    • Converged Access Roaming
    • Converged Access Quality of Service
    • Converged Access Security and Guest Access
    • Converged Access Design Options
    • Converged Access Migration
    • Wrap-up and Final Thoughts
  • 3. Enterprise Wireless Evolution – From Best-Effort to Mission-Critical and Very High Density
    [Diagram: stages Casual → Pervasive indoors → Media Rich Applications → Mission Critical → Very High Density, with the supporting capabilities Hotspot, System Management, Capacity, CleanAir, Self Healing and Optimizing, VXI Capable]
  • 4. Wireless Standards – Past, Present, and Future
    [Chart: bandwidth and clients versus year, early 2000 through 2014 and beyond; stages Nice to Have → Pervasive → Media Rich Applications → Mission Critical]
    • 802.11b: 11 Mbps
    • 802.11g, 802.11a: 54 Mbps
    • 802.11n: 450 Mbps
    • 802.11ac-1: 1 Gbps
    • 802.11ac-2: 3.5 Gbps
    • Future: 10 Gbps
  • 5. One Network, with Converged Access – A New Deployment Option for Wired / Wireless
    • Cisco Wireless LAN Controller 5760 – new IOS-based WLAN controller
      • Consistent IOS and ASIC with the Catalyst 3850
      • Required to scale beyond 250 AP or 16K client domains
    • Catalyst 3850 Switch – Converged Access Mode
      • Integrated wireless controller
      • Distributed wired/wireless data plane (CAPWAP termination on switch)
    [Diagram: Corporate Network with Cisco Access Points on Catalyst 3850 switches, a Cisco Firewall to the Internet, Internal Resources, LAN Mgmt Solution and Wireless Control System; One Policy = ISE (Access Control Server, Identity Mgmt, Guest Server, NAC Profiler); One Management = Prime; One Network]
  • 6. Converged Wired / Wireless Access – Cisco Converged Access Deployment Benefits – Overview
    • Single platform for wired and wireless – common IOS, same administration point, one release
    • Network-wide visibility and control – consistent visibility for security and faster troubleshooting; wired and wireless traffic visible at every hop
    • Quality of Service – hierarchical bandwidth management and distributed policy enforcement
    • Maximum resiliency with fast stateful recovery – layered network high availability design with stateful switchover
    • Scale with distributed wired and wireless data plane – 480G stack bandwidth; 40G wireless / switch; efficient multicast; 802.11ac fully ready
    Unified Access – One Policy | One Management | One Network
  • 7. Cisco Converged Access Deployment – Catalyst 3850 – Single Platform for Wired and Wireless (20+ Years of IOS Richness – Now on Wireless)
    • WIRED features: Stacking, StackPower; Advanced Identity; Visibility and Control; Flexible NetFlow; Granular QoS; High Availability; EEM, scripting; IOS-XE Modular OS
    • WIRELESS features: Centralized deployment; L2/L3 Fast Roaming; CleanAir; VideoStream; Radio Resource Management (RRM); Wireless Security; Radio performance; 802.11ac Ready
    • BENEFITS: Built on UADP – Cisco's innovative Flexparser ASIC technology; Eliminates operational complexity; Single Operating System for wired and wireless
  • 8. Cisco Converged Access Deployment – Catalyst 3850 – Platform Overview
    • Wireless CAPWAP termination: up to 50 APs / 2000 clients per stack
    • 480 Gbps stacking bandwidth and 40G per switch
    • FRU fans, power supplies – HA
    • StackPower; full PoE+
    • Granular QoS / Flexible NetFlow
    • Multi-core CPU; line rate on all ports
    • 40 Gbps uplink bandwidth (modular)
    • Built on Cisco's innovative "UADP" ASIC
  • 9. Cisco Converged Access Deployment – Catalyst 3850 – Wireless Capabilities (best-in-class wired switch, with integrated wireless mobility functionality)
    • CAPWAP termination and DTLS in hardware
    • Up to 40G wireless capacity per switch; capacity increases with stack members
    • 50 APs and 2000 clients per switch stack
    • Wireless switch peer group support for faster roaming: latency-sensitive applications
    • Supports IPv4 and IPv6 client mobility
    • APs must be directly connected to the Catalyst 3850
  • 10. Cisco Converged Access Deployment – WLC 5760 – Platform Overview
    • First IOS-based Wireless LAN Controller, built on Cisco's innovative "UADP" ASIC
    • Up to 1000 access points; up to 12,000 concurrent clients
    • 60 Gbps wireless bandwidth; 6x 1/10G SFP+ uplinks with LAG
    • Centralized or Converged Access deployment modes
    • Granular QoS; Flexible NetFlow; 802.11ac optimized
    • FRU power supplies; FRU fans
  • 11. One Network – Wireless Deployment Mode Options, Overview (One Policy, One Management, One Network)
    [Diagram: Unified Access options plotted against Unparalleled Deployment Flexibility and Ease of Use – Autonomous; Unified Network (FlexConnect, Centralized, Converged Access); N.A.A.S. (Private Cloud); Public Cloud]
  • 12. Agenda (repeated as a section divider; same items as slide 2)
  • 13. Cisco Converged Access – What I Am Going to Cover … foundational elements for the Converged Access solution: System Architecture (foundation); Roaming and QoS (corner stones); Security and Design Options
  • 14. Cisco Converged Access – Network Requirements Driving Wireless Evolution … (We've Been Here Before…)
    • Standalone Access Point / Autonomous Mode – hotspot deployments with nomadic roaming
    • Cisco Unified Wireless – scale and services:
      • Controller functionality split with CAPWAP; this frees up the AP to focus on real-time communication, policy application and optimized RF & MAC functionality such as CleanAir, ClientLink
      • Centralized tunneling of user traffic to the controller (data plane and control plane)
      • System-wide coordination for channel and power assignment, rogue detection, security attacks, interference, roaming
      • Increased scalability, centralized policy application
    • Cisco Converged Access – performance and unified experience:
      • Control plane functionality on NG Controller (also possible on upgraded 5508s, WiSM2s for brownfield deployments, or NG Converged Access switches for small, branch deployments)
      • Data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred)
      • Unified wired-wireless experience (security, policy, services)
      • Common policy enforcement, common services for wired and wireless traffic (NetFlow, advanced QoS, and more …)
  • 15. Existing Unified Wireless Deployment today … Architecture Constructs – CUWN Tunnel Types (well-known, proven architecture)
    [Diagram: Data Center / Service block (PI, ISE) with Internet and Intranet; a Mobility Group of WLC #1, WLC #2 and a Foreign WLC, plus a "Guest" Anchor WLC; APs below each WLC; SSID–VLAN mapping (SSID1, SSID2, SSID3) at the controller. Legend: Inter-Controller (Guest Anchor) EoIP / CAPWAP tunnel; Inter-Controller EoIP / CAPWAP tunnel (EoIP Mobility Tunnel < 7.2, CAPWAP option in 7.3); AP–Controller CAPWAP tunnel (802.11 control session + data plane); CAPWAP tunnels encrypted (see Notes)]
    Notes –
    • AP / WLC CAPWAP tunnels are an IETF standard. UDP ports used:
      • 5246: encrypted control traffic
      • 5247: data traffic (non-encrypted, or DTLS-encrypted – configurable)
    • Inter-WLC mobility tunnels:
      • EoIP – IP protocol 97 … AireOS 7.3 introduces a CAPWAP option
      • Used for inter-WLC L3 roaming and Guest Anchor
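The tunnel identifiers on this slide (CAPWAP UDP 5246/5247, EoIP IP protocol 97) are what a firewall or NetFlow reviewer keys on to confirm that only the expected AP-to-WLC and WLC-to-WLC tunnels exist. The following is an added example written for this page, not code from the deck or from Cisco: it classifies constructed flow records by tunnel type and checks their endpoints against a constructed inventory (the AP subnet, the controller addresses and the guest-anchor address are all assumptions).

```python
"""Classify flow records by the CUWN tunnel types on slide 15 and check their endpoints.

Added example, not part of the original deck. The flow records, the AP subnet and
the controller addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Tunnel identifiers from slide 15: IETF CAPWAP UDP ports, EoIP IP protocol number
CAPWAP_CONTROL_PORT = 5246   # encrypted (DTLS) control channel
CAPWAP_DATA_PORT = 5247      # data channel, DTLS optional (configurable on the WLC)
EOIP_PROTOCOL = 97           # Ethernet-over-IP, used for inter-WLC mobility tunnels
UDP = 17

# Constructed inventory: the subnet APs are addressed from, and the WLC addresses.
# 192.0.2.50 stands in for the guest anchor WLC in the DMZ.
AP_SUBNET = ipaddress.ip_network("10.20.0.0/16")
CONTROLLERS = {"10.1.1.10", "10.1.1.11", "192.0.2.50"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def classify(flow):
    """Name the tunnel type a flow belongs to, or 'unknown' if it matches none."""
    if flow.proto == UDP and CAPWAP_CONTROL_PORT in (flow.sport, flow.dport):
        return "capwap-control"
    if flow.proto == UDP and CAPWAP_DATA_PORT in (flow.sport, flow.dport):
        return "capwap-data"
    if flow.proto == EOIP_PROTOCOL:
        return "eoip-mobility"
    return "unknown"


def audit(flow):
    """Return (tunnel type, verdict) for a flow.

    Expected pairings per slide 15: AP-to-WLC for CAPWAP, and WLC-to-WLC for the
    mobility tunnels (EoIP, or CAPWAP from AireOS 7.3 on). Tunnel traffic that
    involves any other endpoint is worth a look, e.g. a CAPWAP exchange with a
    host that is not in the AP address space, or an AP talking to a WLC that is
    not in the inventory.
    """
    kind = classify(flow)
    if kind == "unknown":
        return kind, "not a tunnel flow"
    ends = {flow.src, flow.dst}
    ctrl_ends = ends & CONTROLLERS
    ap_ends = {e for e in ends if ipaddress.ip_address(e) in AP_SUBNET}
    if ctrl_ends == ends:
        return kind, "ok (inter-controller mobility tunnel)"
    if kind.startswith("capwap") and len(ctrl_ends) == 1 and len(ap_ends) == 1:
        return kind, "ok (AP-to-controller)"
    return kind, "unexpected endpoints"


# Constructed flow records (src, dst, IP protocol, sport, dport)
FLOWS = [
    Flow("10.20.5.7", "10.1.1.10", UDP, 41000, CAPWAP_CONTROL_PORT),          # AP joins its WLC
    Flow("10.1.1.10", "10.20.5.7", UDP, CAPWAP_DATA_PORT, 41001),             # WLC data channel back to the AP
    Flow("10.1.1.10", "192.0.2.50", EOIP_PROTOCOL, 0, 0),                     # EoIP tunnel to the guest anchor
    Flow("10.1.1.10", "10.1.1.11", UDP, CAPWAP_DATA_PORT, CAPWAP_DATA_PORT),  # 7.3-style CAPWAP mobility tunnel
    Flow("10.99.9.9", "10.1.1.10", UDP, 53000, CAPWAP_CONTROL_PORT),          # CAPWAP from outside the AP subnet
    Flow("10.20.5.8", "203.0.113.9", UDP, 42000, CAPWAP_CONTROL_PORT),        # AP talking to an unknown controller
    Flow("10.20.5.7", "10.1.1.10", 6, 44000, 443),                            # plain HTTPS, not a tunnel
]


def suspicious(flows=FLOWS):
    """Return the tunnel flows whose endpoints do not match the expected pairings."""
    return [f for f in flows if audit(f)[1] == "unexpected endpoints"]


if __name__ == "__main__":
    for f in FLOWS:
        print(f.src, "->", f.dst, *audit(f))
```

The port-based match is deliberately loose (either side on 5246/5247), because the AP side uses an ephemeral port; the endpoint check is what turns a classification into a finding. On a real network the inventory would come from the WLC's AP list and the mobility group configuration rather than from constants.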
  • 16. Existing Unified Wireless Deployment today … Architecture Constructs – CUWN Control Functions
    [Diagram: the same Mobility Group as slide 15, with each WLC (WLC #1, WLC #2, Foreign WLC, "Guest" Anchor) shown as an MA plus an MC; CAPWAP tunnels to APs; SSID1–SSID3]
    • MA – Mobility Agent: terminates CAPWAP tunnels, maintains the client database
    • MC – Mobility Controller: handles roaming, RRM, WIPS, etc.
    Additional details on controller functionality – these will become important later as we delve into the Converged Access deployment …
  • 17. Cisco Converged Access Deployment – Converged Access – Deployment Overview
    [Diagram: a Mobility Domain containing an MO (Mobility Oracle), ISE and PI; a Mobility Group of MCs; Sub-Domain #1 and Sub-Domain #2, each with SPGs made up of MAs]
  • 18. Cisco Converged Access Deployment – Converged Access – Components – Physical vs. Logical Entities
    Physical entities –
    • Mobility Agent (MA) – terminates CAPWAP from the AP, manages the client database
    • Mobility Controller (MC) – manages mobility within and across Sub-Domains
    • Mobility Oracle (MO) – superset of the MC, allows for scalable mobility management within a Domain
    Logical entities –
    • Mobility Group – grouping of Mobility Controllers (MCs) to enable Fast Roaming, Radio Frequency Management, etc.
    • Mobility Domain – grouping of MCs to support seamless roaming
    • Switch Peer Group (SPG) – localizes traffic for roams within a Distribution Block
    MA, MC and Mobility Group functionality all exist in today's controllers (4400, 5500, WiSM2)
  • 19. Cisco Converged Access Deployment – Converged Access – Physical Entities – Catalyst 3850 Switch Stack (best-in-class wired switch, with integrated wireless mobility functionality)
    • Can act as a Mobility Agent (MA), terminating CAPWAP tunnels for locally connected APs …
    • … as well as a Mobility Controller (MC) for other Mobility Agent (MA) switches, in small deployments
    • MA/MC functionality works on a stack of Catalyst 3850 switches
    • MA/MC functionality runs on the Stack Master
    • The Stack Standby synchronizes some information (useful for intra-stack HA)
  • 20. Cisco Converged Access Deployment – Converged Access – Logical Entities – Switch Peer Groups
    [Diagram: Sub-Domain 1 with SPG-A and SPG-B, each made up of several MAs, under one MC]
    • SPGs are a logical construct, not a physical one … SPGs can be formed across Layer 2 or Layer 3 boundaries
    • Made up of multiple Catalyst 3850 switches as Mobility Agents (MAs), plus an MC (on a controller, as shown)
    • MAs within an SPG are fully meshed (auto-created at SPG formation)
    • Fast Roaming within an SPG; roamed traffic within an SPG moves directly between the MAs in that SPG (CAPWAP full mesh)
    • Roamed traffic between SPGs moves via the MC(s) servicing those SPGs; the MC handles roaming across SPGs (L2 / L3)
    • Multiple SPGs under the control of a single MC form a Sub-Domain
    • Current thinking on best practices dictates that SPGs will likely be built around buildings, around floors within a building, or other areas that users are likely to roam most within
    SPGs are designed to constrain roaming traffic to a smaller area, and to optimize roaming capabilities and performance; the hierarchical architecture is optimized for scalability and roaming
  • 21. Cisco Converged Access Deployment – Converged Access – Logical Entities – Switch Peer Groups and Mobility Group
    [Diagram: a Mobility Group of three MCs; Sub-Domain 1 (SPG-A, SPG-B), Sub-Domain 2 (SPG-C, SPG-D) and Sub-Domain 3 (SPG-E, SPG-F), each SPG made up of MAs]
    • Switch Peer Group – made up of multiple Catalyst 3850 switches as Mobility Agents (MAs), plus an MC (on a controller, as shown); MAs within an SPG are fully meshed (auto-created at SPG formation); Fast Roaming within an SPG; multiple SPGs under the control of a single MC form a Sub-Domain; the MC handles roaming across SPGs (L2 / L3)
    • Mobility Group – made up of multiple Mobility Controllers (MCs); handles roaming across the MG (L2 / L3); RF Management (RRM) and key distribution for Fast Roaming; one Mobility Controller (MC) manages RRM for the entire Group; Fast Roams are limited to Mobility Group member MCs
  • 22. Cisco Converged Access Deployment – Converged Access – Scalability Considerations (for your reference)
    As with any solution – there are scalability constraints to be aware of … these are summarized below, for quick reference.

    Scalability                                           3850 as MC   5760   5508   WiSM2
    Max number of MCs in a Mobility Domain                         8     72     72      72
    Max number of MCs in a Mobility Group                          8     24     24      24
    Max number of MAs in a Sub-Domain (per MC)                    16    350    350     350
    Max number of SPGs in a Mobility Sub-Domain (per MC)           8     24     24      24
    Max number of MAs in an SPG                                   16     64     64      64
    Max number of WLANs                                           64    512    512     512
  • 23. Agenda (repeated as a section divider; same items as slide 2)
  • 24. Existing Unified Wireless Deployment today … Unified Wireless – Point of Presence (PoP), Point of Attachment (PoA)
    [Diagram: two WiSM2s / 5508s, each an MC + MA, one marked PoP and the other PoA; PSTN and CUCM in the core]
    Point of Presence (PoP) vs. Point of Attachment (PoA) –
    • PoP is where the wireless user is seen to be within the wired portion of the network – anchors the client IP address; used for security policy application
    • PoA is where the wireless user has roamed to while mobile – moves with the user's AP connectivity; used for user mobility and QoS policy application
  • 25. Existing Unified Wireless Deployment today … Unified Wireless – Traffic Flow
    [Diagram: WiSM2s / 5508s (MC + MA) marked PoP and PoA; PSTN, CUCM; separate policies and services for wired and wireless users – wired policies implemented on the switch, wireless policies implemented on the controller]
    Traffic flows, Unified Wireless –
    • In this example, a VoIP user is on today's CUWN network, and is making a call from a wireless handset to a wired handset …
    • We can see that all of the user's traffic needs to be hairpinned back through the centralized controller, in both directions …
    • In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers – Layer 3 roaming might add more hops) …
    • The same traffic paths are incurred for voice, video, data, etc. – all centralized
  • 26. Existing Unified Wireless Deployment today … Unified Wireless – Layer 3 Roaming (Campus Deployment)
    [Diagram: Data Center-DMZ (Guest Anchors, Internet), Data Center (ISE, PI), Campus Services and Campus Access; 5508 / WiSM-2 controllers (MC + MA) in a Layer 3 Mobility Group; the user's PoP and PoA on the same controller]
    • Initially, the user's PoP and PoA are co-located on the same controller
    • Initially, the user's traffic flow is as shown …
    • Note – in this deployment model, it is assumed that all of the controllers across the Campus do not share a common set of user VLANs at Layer 2 … (i.e. the controllers are all L3-separated)
  • 27. Existing Unified Wireless Deployment today … Unified Wireless – Layer 3 Roaming (Campus Deployment)
    [Diagram: the same Campus as slide 26; after the roam, the PoP stays on the original controller and the PoA is on the new controller, joined by Symmetric Mobility Tunneling]
    • Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
    • The user's PoA moves to the new controller handling that user after the roam – but the user's PoP stays fixed on the original controller that the user associated to
    • This is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming
    • After the roam, the user's traffic flow is as shown …
  • 28. Cisco Converged Access Deployment – Converged Access – Traffic Flow
    [Diagram: WiSM2s / 5508s / 5760s as MCs (+ MA); an SPG of 3850 switches, with the user's PoP and PoA on the same 3850 switch; PSTN, CUCM; converged policies and services for wired and wireless users – wired and wireless policies implemented on the 3850 switch]
    Traffic flows, comparison (Converged Access) –
    • Now, our VoIP user is on a Cisco Converged Access network, and is again making a call from a wireless handset to a wired handset …
    • We can see that all of the user's traffic is localized to their Peer Group, below the distribution layer, in both directions … traffic does not flow via MCs
    • In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming) … two additional hops may be incurred for routing …
    • More efficient, since traffic flows are localized to the 3850 switch – performance increase
  • 29. Cisco Converged Access Deployment – Converged Access – Traffic Flow and Roaming – Branch, Single Catalyst 3850 Stack (very common roaming case: roaming across a stack, small branch)
    [Diagram: a branch 3850 switch stack acting as MC + MA (PoP and PoA), with CAPWAP tunnels – control and data path – to its APs; across the WAN, a central location with ISE, PI and a Guest Anchor in the DMZ, reached by a CAPWAP tunnel to the Guest Anchor]
    Roaming, single Catalyst 3850 switch stack –
    • In this example, the user roams within their 3850-based switch stack – for a small Branch site, this may be the only type of roam
    • Roaming within a stack does not change the user's PoP or PoA – since the stack implements a single MA (redundant within the stack), a user that roams to another AP serviced by the same stack does not cause a PoA move (the PoA stays local to the stack)
    Notice how the 3850 switch stack shown is an MC (as well as an MA) – in a branch such as this with 50 APs or less, no discrete controller is necessarily required …
  • 30. Cisco Converged Access Deployment – Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (within SPG) (very common roaming case: roaming across stacks, larger branch)
    [Diagram: an SPG of several 3850 stacks (MAs) joined via a distribution layer; the left-hand stack is also the MC; the user's PoP on one stack and PoA on another; uRPF, symmetrical routing, NetFlow, stateful policy application]
    Roaming, within a Switch Peer Group (Branch) –
    • Now, let's examine a roam at a larger branch, with multiple 3850-based switch stacks joined together via a distribution layer
    • In this example, the larger Branch site consists of a single Switch Peer Group – and the user roams within that SPG – again, at a larger Branch such as this, this may be the only type of roam
    • The user may or may not have roamed across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application (* adjustable via a setting; may be useful for L2 roams)
    Again, notice how the 3850 switch stack on the left is an MC (as well as an MA) in this picture – in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required …
    Overall observation – this looks exactly the same as a Layer 3 inter-controller roam in CUWN … because it is exactly the same process – just distributed, rather than centralized …
  • 31. Cisco Converged Access Deployment – Converged Access – Traffic Flow and Roaming – with Intra-SPG Roam
    [Diagram: WiSM2s / 5508s / 5760s as MCs; an SPG of four 3850 MAs, with the user's PoP on one MA and PoA on another; PSTN, CUCM; converged policies and services for wired and wireless users – wired and wireless policies implemented on the 3850 switch]
    Traffic flows, comparison (Converged Access) –
    • Now, our VoIP user on the Cisco Converged Access network roams, while a call is in progress between the wireless and wired handsets …
    • We can see that all of the user's traffic is still localized to their Switch Peer Group, below the distribution layer, in both directions … traffic still does not flow via MCs
    • In this example, a total of 3 hops is incurred for each direction of the traffic path (assuming intra-SPG roaming) … two additional hops may be incurred for routing …
    • More efficient, since traffic flows are still localized to the SPG – performance & scalability
  • 32. Cisco Converged Access Deployment – Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (across Switch Peer Groups) (less common roaming case)
    [Diagram: two SPGs of 3850 MAs under one MC, L3 separation assumed at the access layer; the user's PoP in one SPG and PoA in the other]
    Roaming, across SPGs (Campus) –
    • Now, let's examine a few more types of user roams
    • In this example, the user roams across Switch Peer Groups – since SPGs are typically formed around floors or other geographically-close areas, this type of roam is possible, but less likely than roaming within an SPG
    • Typically, this type of roam will take place across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application
  • 33. Cisco Converged Access Deployment – Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (across Switch Peer Groups) – Overall view
    [Diagram: MC at 10.125.11.14 above two SPGs of 3850 MAs (10.101.1.109 … 10.101.7.109); the roamed user's PoP and PoA in different SPGs]
    Output on the MC (State is the Sub-Domain state of the client; * indicates the IP of the associated Sub-Domain; Associated Time is in hours:minutes:seconds):

        L09-5760-1# show wireless mobility controller client summary
        Number of Clients : 5                      <- across the entire Sub-Domain controlled by the MC

        MAC Address     State   Anchor IP     Associated IP   Associated Time
        -------------------------------------------------------------------------------
        001e.65b7.7d1a  Local   10.101.1.109  10.101.6.109    00:04:36   <- roamed client, Switch 1 to Switch 6 (inter-SPG)
        b817.c2f0.61b2  Local   0.0.0.0       10.101.7.109    00:21:07   <- stationary client, Switch 7
        74e1.b65a.a8f3  Local   10.101.3.109  10.101.1.109    00:03:27   <- roamed client, Switch 3 to Switch 1 (intra-SPG)
        cc08.e028.6fdd  Local   0.0.0.0       10.101.1.109    00:04:57   <- stationary client, Switch 1
        a467.06e2.813d  Local   0.0.0.0       10.101.3.109    00:02:56   <- stationary client, Switch 3
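The roaming rules of slides 20 and 29 through 33 (no tunnel for a stationary client, a direct MA-to-MA path inside an SPG, a path via the MC between SPGs) can be read straight off this command's Anchor IP and Associated IP columns once you know which MA sits in which SPG. The following is an added example written for this page, not code from the deck or from Cisco: it parses the slide's output and derives each client's roam type and traffic path. The switch-to-SPG mapping is an assumption constructed to match the slide's annotations (switches 1 and 3 in one SPG, switch 6 in another).

```python
"""Parse 'show wireless mobility controller client summary' (slide 33) and derive
each client's roam type and traffic path from the roaming rules on slides 20 and 29-33.

Added example, not from the deck. SAMPLE reproduces the slide's output; the
switch-to-SPG mapping is constructed so that it matches the slide's annotations
(switches 1 and 3 share an SPG, switch 6 is in a different one).
"""
import re
from dataclasses import dataclass

SAMPLE = """\
L09-5760-1# show wireless mobility controller client summary
Number of Clients : 5

MAC Address     State   Anchor IP     Associated IP   Associated Time
-------------------------------------------------------------------------------
001e.65b7.7d1a  Local   10.101.1.109  10.101.6.109    00:04:36
b817.c2f0.61b2  Local   0.0.0.0       10.101.7.109    00:21:07
74e1.b65a.a8f3  Local   10.101.3.109  10.101.1.109    00:03:27
cc08.e028.6fdd  Local   0.0.0.0       10.101.1.109    00:04:57
a467.06e2.813d  Local   0.0.0.0       10.101.3.109    00:02:56
"""

# Constructed: which Switch Peer Group each MA (keyed by its IP) belongs to
SPG_OF_MA = {
    "10.101.1.109": "SPG-A", "10.101.3.109": "SPG-A",
    "10.101.6.109": "SPG-B", "10.101.7.109": "SPG-B",
}

# One client row: MAC, state, anchor IP, associated IP, hh:mm:ss
ROW = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d\d:\d\d:\d\d)$"
)


@dataclass(frozen=True)
class Client:
    mac: str
    state: str
    anchor_ip: str       # Point of Presence (PoP); 0.0.0.0 means the client has not roamed
    associated_ip: str   # Point of Attachment (PoA), the MA the client is on now
    associated_time: str


def parse_summary(text):
    """Extract the client rows; the command line, headers and separator are skipped."""
    clients = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        mac, state, anchor, assoc, t = m.groups()
        # The slide's legend marks some addresses with a trailing '*'; strip it so lookups work
        clients.append(Client(mac, state, anchor.rstrip("*"), assoc.rstrip("*"), t))
    return clients


def roam_type(c, spg_of_ma=SPG_OF_MA):
    """'stationary', 'intra-SPG' or 'inter-SPG' (an MA missing from the map counts as inter-SPG)."""
    if c.anchor_ip == "0.0.0.0" or c.anchor_ip == c.associated_ip:
        return "stationary"           # PoP and PoA on the same MA (covers intra-stack roams too)
    pop_spg, poa_spg = spg_of_ma.get(c.anchor_ip), spg_of_ma.get(c.associated_ip)
    if pop_spg is not None and pop_spg == poa_spg:
        return "intra-SPG"
    return "inter-SPG"


def traffic_path(c, spg_of_ma=SPG_OF_MA):
    """The MAs (and MC) the client's traffic traverses, per the slides' roaming rules."""
    kind = roam_type(c, spg_of_ma)
    if kind == "stationary":
        return [c.associated_ip]                    # local to the MA, no mobility tunnel
    if kind == "intra-SPG":
        return [c.associated_ip, c.anchor_ip]       # PoA to PoP directly over the SPG's CAPWAP full mesh
    return [c.associated_ip, "MC", c.anchor_ip]     # PoA to PoP via the MC that serves both SPGs


def report(text=SAMPLE, spg_of_ma=SPG_OF_MA):
    """Map each client MAC to (roam type, traffic path)."""
    return {c.mac: (roam_type(c, spg_of_ma), traffic_path(c, spg_of_ma))
            for c in parse_summary(text)}


if __name__ == "__main__":
    for mac, (kind, path) in report().items():
        print(mac, kind, " -> ".join(path))
```

Because policy is applied at the PoP (slide 24), the derived path also tells you which switch's policies a roamed client is actually subject to; comparing the inter-SPG count against the intra-SPG count over time is a cheap way to check that SPG boundaries were drawn where users really roam.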
  • 34. Cisco Converged Access Deployment – Converged Access – More Details – Roaming (for your reference)
    There are multiple additional roaming scenarios –
    • These replicate the traffic flow expectations seen elsewhere with Converged Access
    • Traffic within an SPG flows directly between MAs – traffic between SPGs flows via MCs
    • Catalyst 3850-based MC deployments are likely to be common in branches and even possibly smaller Campuses
    • Larger deployments are likely to use discrete controllers (5760, 5508, WiSM2s) as MCs, for scalability and simplicity
    • Rather than detail every roaming case here, some of these are summarized below – full details are available in a deeper-dive session, upon request …
  • 35. Cisco Converged Access Deployment – Converged Access – Catalyst 3850-based MCs – Functionality
    [Diagram: an SPG of 3850 MAs with one 3850 acting as the MC; a Guest Anchor MC/MA, ISE and PI]
    As we saw previously, we can also optionally use a Catalyst 3850 switch as an MC + co-located MA for a Switch Peer Group … let's explore this in more detail –
    • Single Catalyst 3850 MC supported per Switch Peer Group … which can have up to 16 x MAs (stacks) per 3850-based MC
    • Single Catalyst 3850 MC can handle up to 50 APs and 2,000 clients total … therefore, up to 50 APs and 2,000 clients in a Catalyst 3850-based Switch Peer Group
    • MC handles inter-SPG roaming, RRM, Guest Access, etc.
    • More scalable MC capability can be provided by 5760 / WiSM2
    But what if we want to scale larger, without implementing 5760 / WiSM2? Is this possible?
  • 36. Cisco Converged Access Deployment – Converged Access – Catalyst 3850-based MCs – Scaling
    [Diagram: a Mobility Group of several SPGs, each with its own 3850 MC plus MAs and APs, with a full mesh of MCs across the Mobility Group; a Guest Anchor MC/MA, ISE and PI]
    Switch Peer Group / Mobility Group scaling with Catalyst 3850 –
    • Up to 8 x Catalyst 3850 MCs can be formed into a Mobility Group
    • Up to 250 APs total and 16,000 clients supported (maximum) across a Mobility Group made up solely of Catalyst 3850 switches
    • Licensing is per MC – not pooled across MCs
    • RRM, etc. is coordinated across the MCs in the same Mobility Group
    • Guest tunneling is per MC – to the Guest Anchor controller
  • 37. Cisco Converged Access Deployment – Converged Access – Catalyst 3850-based MCs – When to Use
    Considerations –
    • Many larger designs (such as most Campuses) will likely utilize a discrete controller, or group of controllers, as MCs. Combined with Catalyst 3850 switches as MAs, this likely provides the most scalable design option for a larger network build.
    • However, if using 3850 switches as MCs for smaller builds – and with the scaling limits detailed on the previous slide in mind – we need to determine where to best use this capability.
    • Pros – CapEx cost savings, via the elimination of a controller-as-MC in some designs (typically, smaller use cases and deployments) … costs also need to take into consideration licensing on the Catalyst 3850 switches.
    • Cons – OpEx complexity, due to some additional complexity that comes into roaming situations when using multiple 3850 switch-based MCs (as detailed in the preceding slide). While not insurmountable, this does need to be factored in as part of the decision process.
    Conclusion – In smaller designs (such as branches), the use of Catalyst 3850 switches as MCs is likely workable. In mid-sized designs, this may also be workable, but does lead to some additional roaming considerations (as detailed on the following slides). In large campus deployments, the use of controllers as MCs is more likely, due to economies of scale.
  • 38. Cisco Converged Access Deployment – Key Takeaways – Converged Access – Exciting Platforms, and an Evolutionary Addition
    • Converged Access is an evolutionary advance to our wireless deployment options. CA addresses inflection points around device and bandwidth scale, and allows an unprecedented level of traffic visibility and control for wired / wireless deployments.
    • The Catalyst 3850 switch offers the best stackable switch platform in the industry, incorporating many important advances to the state of the art in stackable switching.
    • Many of the terms and components used to describe Converged Access also exist in today's Unified Wireless deployments. New components added with Converged Access include – Switch Peer Group (SPG), used to localize roaming; Mobility Oracle, used to allow greater Mobility Domain scalability.
    • With CA, the Catalyst 3850 switch is a full partner in the mobility roaming domain. Roaming in Converged Access (by default) behaves as a Layer 3 roam does in Unified Access, incorporating MAs and MCs for seamless roaming with full visibility and control over traffic flows.
    • In small to mid-sized deployments, the Catalyst 3850 can be used as both an MC as well as an MA.
• 39. Agenda – Diving into Converged Access – Solution and Design Overview & Deep Dive: Converged Access Solution and Platforms Overview; Converged Access Architecture and Components Review; Converged Access Roaming; Converged Access Quality of Service (this section); Converged Access Security and Guest Access; Converged Access Design Options; Converged Access Migration; Wrap-up and Final Thoughts
• 40. Existing Unified Wireless Deployment today … CUWN Architecture – Overview – Challenges of QoS
  Current Mobility Architecture (diagram): 5508/WiSM2 controllers with CAPWAP tunnels to the APs; marking and policing applied at the controller.
  Challenges –
  • Overlay model with multiple points of policy application*
  • Limited visibility into applications
  • Lack of granular classification
  • Software based QoS
  * Overlay model applies to CUWN local mode and FlexConnect centralized mode
• 41. Existing Unified Wireless Deployment today … Existing QoS Deployments – How We Overlay QoS Policies Today
  Current QoS Architecture (diagram): WAN block and Campus block with 5508/WiSM2 controllers; marking, policing and queuing applied at separate points.
  • Distributed management, configuration and deployment
  • Separate policies and services for wired and wireless users
  • Wireless policies implemented on the controller and pushed to the AP
  • Wired policies implemented on the switch
• 42. Cisco Converged Access Deployment – QoS – What's New with Converged Access
  Wireless (Cat 3850 & CT 5760) –
  • Granular QoS control at the wireless edge – tunnel termination allows customers to provide QoS treatment per SSID and per client, and common treatment of wired and wireless traffic throughout the network
  • Enhanced Bandwidth Management – Approximate Fair Drop (AFD) bandwidth management ensures fairness at Client, SSID and Radio levels for NRT (non-real-time) traffic
  • Wireless Specific Interface Control – policing capabilities per SSID and per client, upstream*** and downstream; AAA support for dynamic client-based QoS and security policies
  • Per SSID Bandwidth Management
  Wired (Cat 3850) –
  • Modular QoS based CLI (MQC) – alignment with the 4500E series (Sup6, Sup7); class-based queueing, policing, shaping and marking
  • More Queues – up to 2P6Q3T queuing capabilities (the standard 3750 provides 1P3Q3T); not limited to 2 queue-sets; flexible MQC provisioning abstracts the queuing hardware
  *** NOT available on CT 5760 at FCS
• 43. Cisco Converged Access Deployment – QoS – What's New with Converged Access (build of slide 42)
  Topology callout: a branch with a Catalyst 3850 as integrated controller (UA 3850), a WAN to a DMZ hosting Prime Infrastructure and ISE; Guest and Employee clients share the same wireless edge. Feature text as on slide 42.
• 44. Cisco Converged Access Deployment – QoS – What's New with Converged Access (build of slide 42)
  With the CT 5760 or CAT 3850 – usage based fair allocation without configuration: an 802.11n AP with four clients, each shown at 5 Mbps; max bandwidth allowed: 54 – (4 * 5) = 34 Mbps. Feature text as on slide 42.
• 45. Cisco Converged Access Deployment – QoS – What's New with Converged Access (build of slide 42)
  With the 3850 – bidirectional policing at the edge, per user, per SSID and in hardware (example SSID: BYOD):
  • QoS policy on the 3850 is used to police each client bidirectionally
  • The policy can be sent via AAA to provide a specific per-client policy
  • Allocate bandwidth, or police/shape the SSID as a whole
  Feature text as on slide 42.
• 46. Cisco Converged Access Deployment – QoS – What's New with Converged Access (build of slide 42)
  With the CT 5760 or CAT 3850 – deterministic bandwidth is allocated per SSID: in the example, Enterprise 90% BW, Guest 10% BW. Feature text as on slide 42.
• 47. Cisco Converged Access Deployment – QoS – What's New with Converged Access (build of slide 42, with the policy example)
  Example per-port policing policy as shown on the slide, restored to IOS MQC form (the SIGNALING police line was interleaved with other slide text in the extraction):
    policy-map PER-PORT-POLICING
     class VOIP
      set dscp ef
      police 128000 conform-action transmit exceed-action drop
     class VIDEO
      set dscp cs4
      police 384000 conform-action transmit exceed-action drop
     class SIGNALING
      set dscp cs3
      police 32000 conform-action transmit exceed-action drop
     class TRANSACTIONAL-DATA
      set dscp af21
     class class-default
      set dscp default
  Wireless: the same granular control at the wireless edge, AFD bandwidth management, per-SSID / per-client policing (upstream*** and downstream), AAA-driven client QoS and security policies, and per SSID bandwidth allocation. Wired: MQC, class-based queueing / policing / shaping / marking, up to 2P6Q3T queuing.
  *** NOT available on CT 5760 at FCS
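Added example, not from the deck or from Cisco: the Python below makes the semantics of the `police <rate> conform-action transmit exceed-action drop` lines concrete. It implements a single-rate, two-colour token-bucket policer and, as slide 45 describes for the 3850, instantiates one bucket per wireless client and class. The rates and DSCP values are those of PER-PORT-POLICING; the 250 ms burst allowance and the two client traces are constructed assumptions, not platform defaults.

```python
"""Single-rate, two-colour token-bucket policer applied per wireless client.

Added example, not Cisco code. It models what the policy-map lines
    police <rate> conform-action transmit exceed-action drop
do when the Catalyst 3850 applies PER-PORT-POLICING to every client: each
(client, class) pair gets its own bucket. Rates and DSCP values are the
slide's; the 250 ms burst and the two client traces are constructed here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# class -> (DSCP marked on transmit, police rate in bit/s; None means mark only)
POLICY: Dict[str, Tuple[str, Optional[int]]] = {
    "VOIP": ("ef", 128_000),
    "VIDEO": ("cs4", 384_000),
    "SIGNALING": ("cs3", 32_000),
    "TRANSACTIONAL-DATA": ("af21", None),
    "class-default": ("default", None),
}


def default_burst(rate_bps: int) -> int:
    """Constructed burst allowance: 250 ms worth of bytes (not the platform default)."""
    return rate_bps // 32


@dataclass
class Policer:
    """Tokens are bytes, refilled at rate_bps / 8 per second, capped at burst_bytes."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def offer(self, ts_ms: int, size: int) -> str:
        """Offer one packet of `size` bytes at time `ts_ms`; return the MQC action."""
        elapsed_ms = max(0, ts_ms - self.last_ms)
        self.last_ms = ts_ms
        self.tokens = min(self.burst_bytes, self.tokens + elapsed_ms * self.rate_bps / 8000)
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"   # conform-action transmit
        return "drop"           # exceed-action drop


Trace = List[Tuple[int, str, str, int]]   # (timestamp_ms, client, class, size_bytes)


def apply_policy(trace: Trace) -> Dict[str, Dict[str, Counter]]:
    """Run the trace through one policer per (client, class); return action counts."""
    policers: Dict[Tuple[str, str], Policer] = {}
    results: Dict[str, Dict[str, Counter]] = defaultdict(lambda: defaultdict(Counter))
    for ts_ms, client, cls, size in sorted(trace):
        _dscp, rate = POLICY[cls]
        if rate is None:                      # mark-only classes are never dropped
            results[client][cls]["transmit"] += 1
            continue
        key = (client, cls)
        if key not in policers:               # per-client, per-class bucket
            policers[key] = Policer(rate, default_burst(rate))
        results[client][cls][policers[key].offer(ts_ms, size)] += 1
    return results


def build_trace() -> Trace:
    """Constructed 480 ms of downstream traffic at 20 ms intervals:
    client-A sends 200-byte VoIP frames (80 kbit/s, under the 128 kbit/s policer);
    client-B sends 1000-byte frames classed as VoIP (400 kbit/s, far over it)
    plus 1500-byte transactional data, which is only marked."""
    trace: Trace = []
    for i in range(25):
        trace.append((i * 20, "client-A", "VOIP", 200))
        trace.append((i * 20, "client-B", "VOIP", 1000))
        trace.append((i * 20, "client-B", "TRANSACTIONAL-DATA", 1500))
    return trace


if __name__ == "__main__":
    for client, per_class in apply_policy(build_trace()).items():
        for cls, counts in per_class.items():
            print(client, cls, dict(counts))
```

Because the bucket belongs to the client rather than to the port, client-B's oversubscription costs only client-B packets: it drains its 4000-byte burst in five frames and then gets roughly one frame in three, while client-A, under the same policy-map, is never dropped.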
• 48. Cisco Converged Access Deployment – QoS Touch Points – Port, Radio, SSID, Client – What Features Apply at Each Level, Downstream (into a wired port, out of a wireless port)
  Client –
  • Classification
  • Policing
  • Marking
  SSID (NOTE: SSID policies are actually per AP, i.e. per BSSID) –
  • Classification
  • Mutation*
  • Policing
  • Shaping*
  • Bandwidth
  • Priority
  • Marking is based on a table-map, not Set
  • The entire SSID is rate limited; AFD manages NRT traffic
  Radio* –
  • Shaped by default to 200 Mbps or 400 Mbps, based on the maximum rate the radio can support; not configurable
  Port –
  • Priority
  • Police
  • Bandwidth
  • Shaped by default to the sum of the radios
  • Priority queues must be configured; they are not on by default
• 49. Agenda (section divider) – next: Converged Access Security and Guest Access
• 50. Cisco Converged Access Deployment – Converged Access – Security is Paramount!
  The Challenge – device proliferation will lead to billions of devices (Internet of Everything)
  Top of Mind Security Concerns –
  • How can we enhance the level of security?
  • How to deploy a consistent policy for all these devices?
  • How to ensure end-to-end security in a scalable way?
• 51. Cisco Converged Access Deployment – Converged Access – Security Architecture Overview
  (Diagram) Contractor users, guest users and employees connect through APs to a Cat 3850 at the access layer, then through the Core to the Internet. Two SSIDs are shown: BYOD Guest SSID (open) and BYOD Corporate SSID (dot1x). ISE provides the policy services, backed by LDAP and a CA.
• 52. Converged Access – The Need for Integrated Policy
  (Policy matrix) Rows: Employee with a corporate device, Employee with a personal device, Contractor with a personal device, Guest with a personal device; columns: Wired, Wireless, VPN. Today almost every cell carries its own policy (Policies A through G), with wired and wireless policy for the same user and device frequently differing.
  How to define and apply security policy consistently across every device on the network?
• 53. Cisco Converged Access Deployment – One Policy – Wired and Wireless
  (Diagram) A corporate wired device, a corporate wireless device and an employee personal device on the same SSID; Cat 3850 with an 802.1Q trunk carrying VLAN 30 (Corporate Resources) and VLAN 40 (Internet); ISE as the policy server.
  1. Corporate wireless device – Dot1X authentication
  2. AuthZ with dVLAN 30; dACL "permit ip any any"
  3. Employee personal device (same SSID) – Dot1X authentication
  4. AuthZ with dVLAN 40; dACL Restricted Access
  5. Corporate wired device – Dot1X authentication
  6. AuthZ with dVLAN 30; dACL "permit ip any any"
  • Employees using the same SSID can be associated to different VLAN interfaces and policy after EAP authentication
  • An employee using a corporate wired or wireless device with their AD user id can be assigned to the same VLAN 30 and have full access to the network
  • An employee using a personal iDevice with their AD user id can be assigned to VLAN 40 and a policy to access the Internet only
• 54. Cisco Converged Access Deployment – Converged Access – Policy Enforcement – Authorization, the Second "A" in AAA
  • Policy management is done in IOS and policy enforcement is done in hardware, for both wired and wireless devices. For wireless clients, the WCM (Wireless Control Module) decides which policy is to be applied.
  • Client roaming – for an L3 roam, ACL policies are applied on the anchor switch (PoP); for an L2 roam, ACL policies are handed off to the new switch (PoA).
  • Policy constructs: ACLs (centralized and distributed policy, IPv4 and IPv6); URL Redirection / URL ACL; VLANs; Service Templates (distributed / centralized)
• 55. Cisco Converged Access Deployment – Per-Session VLAN Assignment – MAC-based VLANs
  • Before Cat3850: one port, one VLAN per access port (1:1)
  • Exception: Voice (one data device untagged, one voice device tagged with the VVLAN)
  • Later: VLAN assignment allowed on multi-authentication ports, but the first device 'rules' the port
  • Now: each session can have an individual VLAN assigned. The example shows a VM and its host behind one access port, Gi1/0/13, which is not a trunk yet appears in two VLANs:
    VLAN  Name            Status  Ports
    160   WIRED-GUEST     active  Gi1/0/13
    170   WIRED-EMPLOYEE  active  Gi1/0/13
• 56. Cisco Converged Access Deployment – Downloadable ACL
  (Diagram) ISE, a Mobility Controller and a Switch Peer Group of Mobility Agents. The flow is shown for a wireless client; the wired flow is similar from step 4 onward.
  1. Wireless client requests association
  2. MA responds with the association
  3. WCM triggers the IOS module to do authentication
  4. IOS starts the authentication process for the client with the AAA server
  5. AAA server responds with 'access accept', including the dACL name and version number in the policy attributes
  6. If the switch has downloaded this dACL previously and has the current version, it uses the cached version
  7. If the switch does not have the current version, it queries the server for the latest dACL version
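Added example, not from the deck or from Cisco or ISE: the Python below models the authorization exchange of slides 53 to 56 end to end. A stand-in policy server returns the RFC 3580 VLAN attributes (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID) plus a versioned dACL name; the switch assigns the VLAN to the session rather than the port, and downloads the dACL only when the versioned name is not already cached (steps 5 to 7). The Cisco AV-pair names `ACS:CiscoSecure-Defined-ACL` and `ip:inacl#N`, and the `#ACSACL#-IP-<name>-<version>` naming, follow ISE's convention as I know it and should be treated as illustrative; the user rules, VLAN numbers, version strings and ACEs are constructed.

```python
"""Per-session VLAN assignment and downloadable ACL (dACL) caching.

Added example, not Cisco or ISE code. RADIUS attribute values for VLAN
assignment are from RFC 3580. The Cisco AV-pair names and the
'#ACSACL#-IP-<name>-<version>' naming follow ISE's convention from memory;
the policy rules, VLANs, version strings and ACEs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TUNNEL_TYPE_VLAN = 13       # RFC 3580: Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 3580: Tunnel-Medium-Type (65) = IEEE-802
DACL_AVPAIR = "ACS:CiscoSecure-Defined-ACL="
DACL_PREFIX = "#ACSACL#-IP-"


@dataclass
class AccessAccept:
    """Subset of a RADIUS Access-Accept: standard attributes plus Cisco AV-pairs."""
    attrs: Dict[str, object]
    av_pairs: List[str]


class PolicyServer:
    """Stand-in for ISE: step 5 returns VLAN and the versioned dACL name;
    step 7 serves the ACE list when a switch asks for a dACL by name."""

    def __init__(self) -> None:
        # Constructed: same AD user, different device -> different VLAN and dACL (slide 53)
        self.rules = {"corporate": (30, "PERMIT_ALL_TRAFFIC"), "personal": (40, "INTERNET_ONLY")}
        self.dacl_versions = {"PERMIT_ALL_TRAFFIC": "5195d5ce", "INTERNET_ONLY": "5195d5d2"}
        self.dacl_aces = {
            "PERMIT_ALL_TRAFFIC": ["permit ip any any"],
            # Constructed: block the assumed corporate 10/8 range, allow everything else
            "INTERNET_ONLY": ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
        }
        self.downloads = 0

    def dacl_name(self, base: str) -> str:
        return f"{DACL_PREFIX}{base}-{self.dacl_versions[base]}"

    def authorize(self, device_type: str) -> AccessAccept:
        vlan, base = self.rules[device_type]
        return AccessAccept(
            attrs={"Tunnel-Type": TUNNEL_TYPE_VLAN, "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
                   "Tunnel-Private-Group-ID": str(vlan)},
            av_pairs=[DACL_AVPAIR + self.dacl_name(base)],
        )

    def fetch_dacl(self, name: str) -> List[str]:
        """Second Access-Request with User-Name = dACL name; answer is ip:inacl#N lines."""
        self.downloads += 1
        base = name[len(DACL_PREFIX):].rsplit("-", 1)[0]
        return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(self.dacl_aces[base], 1)]

    def edit_dacl(self, base: str, new_version: str) -> None:
        """Editing a dACL on the server changes its version suffix, hence its name."""
        self.dacl_versions[base] = new_version


class Switch:
    """MA / wired edge: applies VLAN and dACL per session, caching dACLs by versioned name."""

    def __init__(self, server: PolicyServer) -> None:
        self.server = server
        self.dacl_cache: Dict[str, List[str]] = {}
        self.sessions: Dict[str, dict] = {}

    def authorize_session(self, mac: str, device_type: str) -> dict:
        acc = self.server.authorize(device_type)
        vlan: Optional[int] = None
        if (acc.attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
                and acc.attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE802):
            vlan = int(str(acc.attrs["Tunnel-Private-Group-ID"]))
        dacl = next((p[len(DACL_AVPAIR):] for p in acc.av_pairs if p.startswith(DACL_AVPAIR)), None)
        aces: List[str] = []
        if dacl:
            if dacl not in self.dacl_cache:            # step 7: not current -> download
                self.dacl_cache[dacl] = self.server.fetch_dacl(dacl)
            aces = self.dacl_cache[dacl]                # step 6: current version cached
        self.sessions[mac] = {"vlan": vlan, "dacl": dacl, "aces": aces}
        return self.sessions[mac]


def demo():
    """Four sessions: two corporate (second is a cache hit), one personal,
    then the same personal policy after the server edited the dACL."""
    ise, sw = PolicyServer(), Switch(ise := PolicyServer()) if False else (PolicyServer(), None)
    ise = PolicyServer()
    sw = Switch(ise)
    s1 = sw.authorize_session("00:11:22:33:44:01", "corporate")
    s2 = sw.authorize_session("00:11:22:33:44:02", "corporate")
    s3 = sw.authorize_session("00:11:22:33:44:03", "personal")
    ise.edit_dacl("INTERNET_ONLY", "5195e001")
    s4 = sw.authorize_session("00:11:22:33:44:04", "personal")
    return ise, sw, (s1, s2, s3, s4)


if __name__ == "__main__":
    server, switch, sessions = demo()
    for s in sessions:
        print(s)
    print("downloads:", server.downloads, "cached:", sorted(switch.dacl_cache))
```

The version suffix is what makes the cache safe: a dACL edited on the server arrives under a new name, so a stale cached copy can never be applied to a new session, while unchanged dACLs are fetched once no matter how many clients authorize.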
• 57. Cisco Converged Access Deployment – ISE Policy Definition Example – Same Authorization Policy for Wired AND Wireless (screenshot of the ISE authorization policy; no further text on the slide)
• 58. Cisco Converged Access Deployment – Converged Access – MC Wireless Security Features Comparison
  Feature                                   Cat 3850    CT5760      CT5508
  BYOD Functionality                        YES         YES         YES
  Rogue detect / classify / contain, RDLP   YES         YES         YES
  Port Security                             YES         YES         NO
  IP Source Guard                           YES         YES         NO
  Dynamic ARP Inspection                    YES         YES         NO
  LDAP, TACACS+, RADIUS                     YES         YES         YES
  LSC and MIC                               YES         YES         YES
  AP dot1x EAP-FAST                         YES         YES         YES
  Secure Fast Roaming                       YES         YES         YES
  802.1X-rev-2010 (MACsec / MKA)            H/W Ready   H/W Ready   NO
• 59. Cisco Converged Access Deployment – Converged Access – MC Security Features Comparison (continued)
  Feature                                   Cat 3850    CT5760      CT5508
  IP Theft, DHCP Snooping, Data Gleaning    YES         YES         YES
  MFP                                       YES         YES         YES
  IP Device Tracking                        YES         YES         NO
  CoPP                                      Static      Static      NO
  Further rows on the slide: IOS ACL; Adaptive wIPS, WPS; CIDS; TrustSec SGT / SGACL; Guest Access; IPv6 RA Guard; SXP. Their cells are mostly YES, with two "H/W Ready" entries and one NO (SXP), but the column each value belongs to is not recoverable from the slide text.
• 60. Cisco Converged Access Deployment – Key Takeaways – the Converged Access Security Architecture provides:
  • Harmonized security features for wired and wireless
  • Integrated policy for both wired and wireless
  • Increased scalability through optimizing a balance of centralized and distributed architecture
• 61. Cisco Converged Access Deployment – Converged Access, Mid-Sized and Small Branch – Guest Access with Catalyst 3850 Only (< 250 APs, and no Guest Anchor)
  (Diagram) Small to mid-size independent or remote branch: a Cat3850 stack as MC/MA with further MAs in a Switch Peer Group, each MA running its own WebAuth portal and terminating CAPWAP tunnels from its APs; Guest and Employee clients on every AP; ISE, Cisco Prime Infrastructure (CPI) and the firewall sit between the Intranet and the Internet.
  WebAuth Portal Characteristics –
  • Distributed guest WebAuth portal in each MA; seamless mobility with L2/L3 roaming
  • Wireless guest traffic gets its PoP at the MA
  • WebAuth portal on-box: customizable login page or redirect, e-mail input, Click-2-Accept acceptable use page, passthru/consent, logout page
  • HTTPS and HTTP redirect for wired and wireless
  • Authenticating: local database / AAA / LDAP / Cisco Prime Lobby Ambassador
  • Security: pre-auth ACL, AAA override for dACL, enhanced QoS (MQC) class assignment, session-timeout, black listing
  • Visibility: Flexible NetFlow
• 62. Cisco Converged Access Deployment – Converged Access, Mid-Sized and Small Branch – WebAuth & Guest Anchor with 5760 and 3850 (< 250 APs per Branch)
  (Diagram) Data Center service block with a CT5760 Guest Anchor, ISE, CPI and firewall; a CAPWAP mobility tunnel from the branch, where a Cat3850 (MC/MA with MAs in an SPG) acts as Foreign and terminates the CAPWAP tunnels from the APs; Guest and Employee clients on every AP.
  WebAuth Portal & GA Characteristics – small to mid-size independent branch with Cat3850 –
  • Central guest WebAuth portal in the CT5760 GA; seamless mobility with L2/L3 roaming
  * Centralized wireless guest only at FCS; the Cat3850 only acts as Foreign
  • Wireless guest traffic gets its PoP at the GA
  • Provides simple aggregation to the DMZ for firewall and web filtering of all guest traffic
  • Provides granular centralized profiling of guest devices, with ISE as the Policy Decision Point (PDP)
  • WebAuth portal on-box: customizable login page or redirect, e-mail input, Click-2-Accept acceptable use page, passthru/consent, logout page
  • HTTPS and HTTP redirect for wired and wireless
  • Authenticating: local database / AAA / LDAP / Cisco Prime Lobby Ambassador
  • Security: pre-auth ACL, AAA override for dACL, enhanced QoS (MQC) class assignment, session-timeout, black listing
  • Visibility: Flexible NetFlow
• 63. Cisco Converged Access Deployment – Converged Access, Large Campus – Campus WebAuth & Guest Anchor with Centralized 5760
  (Diagram) Large independent branch with no Cat3850, "classic centralized CUWN": Cat3750 access switches, APs with CAPWAP tunnels to a 5760 in a distributed service block, and a CAPWAP mobility tunnel from there to the Data Center service block with the 5760 Guest Anchor, ISE, CPI and firewall.
  WebAuth Portal & GA Characteristics –
  • Central guest WebAuth portal in the CT5760 GA; seamless mobility with L2/L3 roaming
  • Wireless guest traffic gets its PoP at the GA
  • Provides simple aggregation to the DMZ for firewall and web filtering of all guest traffic
  • Provides granular centralized profiling (PDP) of guest devices
  • WebAuth portal on-box: customizable login page or redirect, e-mail input, Click-2-Accept acceptable use page, passthru/consent, logout page
  • HTTPS and HTTP redirect for wired and wireless
  • Authenticating: local database / AAA / LDAP / Cisco Prime Lobby Ambassador
  • Security: pre-auth ACL, AAA override for dACL, enhanced QoS (MQC) class assignment, session-timeout, black listing
  • Visibility: Flexible NetFlow
• 64. Cisco Converged Access Deployment – Guest Anchor (GA) – AireOS and IOS Deployment Highlights
  • Converged Access Cat3850 and CT5760 both support the same CUWN Guest Anchor modes as the AireOS 7.0.220.0 release features
  • Anchor roles are supported on the CT5760, and also on the CT5508 / WiSM-2 running the New Hierarchical Mobility mode only (release 7.3.112.0)
  • The Foreign role is supported on Cat3850 / CT5760 / CT5508 / WiSM-2
  • Authentication methods – L3 methods (WebAuth): L3 authentication happens at the Anchor (PoP); L2 methods (PSK, Dot1x): L2 authentication happens at the Foreign (PoA)
  (Diagram) Data Center service block with the CT5760 Guest Anchor, ISE, CPI and firewall; a CAPWAP mobility tunnel to a CT5760 MC and to a Cat3850 Foreign (MC/MA with MAs in an SPG) that terminates the CAPWAP tunnels from the APs.
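Added example, not from the deck or from Cisco: the Python below models the security-relevant part of the guest WebAuth design on slides 61 to 64, the states a guest session passes through and what its packets can reach in each. Before the portal login the session is held in a WEBAUTH_REQD state where only the pre-auth ACL applies and HTTP/HTTPS to anything but the portal is intercepted for redirect; after a successful L3 authentication it moves to RUN with the dACL that AAA overrides onto it, and it falls back to WEBAUTH_REQD when the session-timeout expires. Port numbers are the IANA ones; the portal address, both ACLs, the timeout and the packets are constructed.

```python
"""Guest WebAuth session states: pre-auth ACL, redirect, AAA-overridden dACL, timeout.

Added example, not Cisco code. It models the behaviour described for the
guest WebAuth portal (pre-auth ACL, HTTP/HTTPS redirect, AAA override for
dACL, session-timeout). The portal address, ACL contents, timeout and the
sample packets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DHCP_SERVER, DNS, HTTP, HTTPS = 67, 53, 80, 443
PORTAL_IP = "192.0.2.1"   # constructed: address of the on-box WebAuth portal (TEST-NET-1)


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str            # "udp", "tcp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "ip" (any protocol)
    dst: str              # destination prefix, e.g. "10.0.0.0/8"
    dport: Optional[int] = None


def apply_acl(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation with an implicit deny at the end, as IOS ACLs behave."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
            continue
        return ace.action
    return "deny"


# Constructed pre-auth ACL: the client may get an address, resolve names and reach
# the portal over HTTPS; everything else is denied until it authenticates.
PRE_AUTH_ACL = [
    Ace("permit", "udp", "0.0.0.0/0", DHCP_SERVER),
    Ace("permit", "udp", "0.0.0.0/0", DNS),
    Ace("permit", "tcp", PORTAL_IP + "/32", HTTPS),
]

# Constructed dACL that AAA overrides onto the session after login: Internet only,
# no access to the (assumed) 10/8 intranet.
GUEST_DACL = [
    Ace("deny", "ip", "10.0.0.0/8"),
    Ace("permit", "ip", "0.0.0.0/0"),
]


class GuestSession:
    """One guest client on the switch or anchor that owns its PoP."""

    def __init__(self, mac: str, session_timeout_s: int = 3600) -> None:
        self.mac = mac
        self.session_timeout_s = session_timeout_s
        self.state = "WEBAUTH_REQD"
        self.acl = PRE_AUTH_ACL
        self.expires_at: Optional[int] = None

    def portal_login(self, credentials_ok: bool, now: int) -> str:
        """L3 (WebAuth) authentication; on success the dACL replaces the pre-auth ACL."""
        if credentials_ok:
            self.state, self.acl = "RUN", GUEST_DACL
            self.expires_at = now + self.session_timeout_s
        return self.state

    def forward(self, pkt: Packet, now: int) -> str:
        """Return 'permit', 'deny' or 'redirect <url>' for one client packet."""
        if self.state == "RUN" and self.expires_at is not None and now >= self.expires_at:
            # session-timeout: back to the pre-auth state, the guest must log in again
            self.state, self.acl, self.expires_at = "WEBAUTH_REQD", PRE_AUTH_ACL, None
        if (self.state == "WEBAUTH_REQD" and pkt.proto == "tcp"
                and pkt.dport in (HTTP, HTTPS) and pkt.dst != PORTAL_IP):
            return f"redirect https://{PORTAL_IP}/login"
        return apply_acl(self.acl, pkt)


if __name__ == "__main__":
    s = GuestSession("00:11:22:33:44:55", session_timeout_s=600)
    print(s.forward(Packet("203.0.113.10", "tcp", HTTP), now=0))
    print(s.portal_login(True, now=10), s.forward(Packet("203.0.113.10", "tcp", HTTP), now=11))
```

The point a practitioner should check on a real deployment is the pre-auth window: whatever the pre-auth ACL permits is reachable by anyone who associates to the open guest SSID, so it should be limited to DHCP, DNS and the portal, and the post-login dACL (not the VLAN alone) is what keeps authenticated guests off the intranet.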
• 65. Cisco Converged Access Deployment – New Hierarchical Mobility Mode, with Guest Access – IRCM Compatibility Matrix: http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.htm
  CUWN Service                             4.2.x.x  5.0.x.x  5.1.x.x  6.0.x.x  7.0.x.x  7.2.x.x  7.3.101.0  7.3.112.0 (1)  IOS WCM 3.2.0SE
  Layer 2 and Layer 3 Roaming              Y        –        –        Y        Y        Y        Y          O              O
  Wireless Guest Anchor/Termination        Y        Y        Y        Y        Y        Y        Y          O              O (2)
  wIPS & aWIPS Rogue Detection             Y        –        –        Y        Y        Y        Y          O              O (3)
  Fast Roaming (CCKM) in a mobility group  Y        –        –        Y        Y        Y        Y          O              O
  Location Services                        Y        –        –        Y        Y        Y        Y          O              O
  Radio Resource Management (RRM)          Y        –        –        Y        Y        Y (4)    Y (4)      O (5)          O (5)
  Management Frame Protection (MFP)        Y        –        –        Y        Y        Y        Y          O              O
  AP Failover                              Y        –        –        Y        Y        Y        Y          O (6)          O (6)
  Y = compatibility in Classic Flat Mobility; O = compatibility in New Hierarchical Mobility
  NOTES:
  1. New Mobility is only supported on the AireOS CT5508 & WiSM-2 platforms, but does not form any IRCM or GA relationship with CT2500 / CT7500 / CT8500 / v-WLC
  2. Guest Anchor termination is only supported on CT5760 / CT5508 / WiSM-2. CT5760 / CT5508 / WiSM-2 / Cat3850 are all supported as a Foreign
  3. Rogue Detector mode not supported
  4. In release 7.2, RF Profiles and groups were introduced. RRM for release 7.2 and later is not backward compatible with previous releases
  5. RRM in Converged Access is compatible with CUWN release 7.3.112.0 but does not support the RF Profiles and Groups introduced in 7.2
  6. No AP SSO in IOS for the CT5760. AP intra-OS platform fast failover is supported; AP inter-OS platform failover performs an image download and reboot
• 66. Cisco Converged Access Deployment – Key Takeaways – the Converged Access Guest Access Architecture provides:
  • A well proven and reliable GA architecture, as previously utilized across CUWN
  • A robust GA feature set with new expanded QoS and policy capabilities
  • Simplified configuration with rich IOS troubleshooting tools
• 67. Agenda (section divider) – next: Converged Access Design Options
• 68. Converged Access – Small Branch – No Discrete Controllers, Catalyst 3850s as MC / MAs (up to 50 APs)
  Applicable to a small branch deployment. Characteristics –
  • Deployment could consist of multiple stacks: one stack as MC/MA, the rest of the stacks as MAs only
  • May be a lower-speed WAN link (bandwidth and latency a concern only for guest traffic)
  • Allows for advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
  • Supports Layer 3 roaming
  • Supports VideoStream and optimized multicast
  • Good availability due to MA/MC redundancy within the 3850 stack: provides wireless continuity with either a WAN outage or a switch failure within the stack
• 69. Converged Access – Small / Medium Branch – No Discrete Controllers, Catalyst 3850s as MC / MAs, Single SPG (up to 50 APs)
  Applicable to a small to medium branch deployment. Characteristics –
  • No discrete controllers deployed, even with multiple wiring closets
  • Allows for advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
  • Supports Layer 3 roaming
  • Supports VideoStream and optimized multicast
  • Good availability due to MA/MC redundancy within the 3850 stacks: provides wireless continuity with either a WAN outage or a switch failure within the stack
• 70. Converged Access – Large Branch – No Discrete Controllers, Catalyst 3850s as MCs / MAs, Multiple SPGs (up to 250 APs)
  Scalability … up to 8 x 3850-based MCs. Applicable to a larger branch deployment.
  Note – MCs handle one or more SPGs each, with all MCs meshed into a single Mobility Group for the site; one guest tunnel per MC to the Anchor.
  Characteristics –
  • No discrete controllers deployed, even at a larger branch
  • Allows for advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
  • Supports Layer 3 roaming
  • Supports VideoStream and optimized multicast
  • Good availability due to MA/MC redundancy within the 3850 stacks: provides wireless continuity with either a WAN outage or a switch failure within the stack
• 71. Converged Access – Large Branch – Controllers as MCs, Catalyst 3850s as MAs only, Multiple SPGs (> 250 APs)
  Applicable to a larger branch or small campus. Characteristics –
  • Greater scalability via the use of discrete controllers as MCs, in conjunction with Catalyst 3850 switches as MAs
  • Simplified mobility deployment vs. the use of 3850 switches as MCs / MAs
  • Allows for advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
  • Supports Layer 3 roaming, VideoStream, and optimized multicast
  • Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers): provides wireless continuity with either a WAN outage or a switch / controller failure
• 72. Converged Access – Large Campus – Centralized MCs, 3850s as MAs only (> 250 APs)
  Applicable to a larger campus. Characteristics –
  • Use of discrete controllers as MCs, combined with Catalyst 3850 switches as MAs, provides for a very scalable solution
  • Allows for advanced QoS, NetFlow, and other services for wireless and wired traffic
  • Supports Layer 3 roaming; provides scalability by keeping many roams localized to SPGs (below distribution)
  • Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers)
  • Simplified mobility deployment using 3850 switches as MAs only, vs. the use of 3850 switches as MCs / MAs
• 73. Converged Access – Large Campus – Distributed MCs, 3850s as MAs only (> 250 APs)
  Applicable to a larger campus. Characteristics –
  • Use of discrete controllers as MCs, combined with 3850 switches as MAs, provides for a very scalable solution
  • Use of distributed controllers (vs. centralized in the DC) may be more appropriate in some wireless deployments
  • Allows for advanced QoS, NetFlow, and other services for wireless and wired traffic
  • Supports Layer 3 roaming; provides scalability by keeping many roams localized to SPGs (below distribution)
  • Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers)
  • Simplified mobility deployment using 3850 switches as MAs only, vs. the use of 3850 switches as MCs / MAs
• 74. Agenda (section divider) – next: Converged Access Migration
• 75. Converged Wired / Wireless Access – Evolving from Overlay … Existing Unified Wireless Deployment Today … Well-known and well-proven … Prior to Migration to Converged Access
  (Diagram) Data Center / Service block with ISE and PI (Prime Infrastructure); 5508 / WiSM2 controllers in a Mobility Group joined by EtherIP mobility tunnels; CAPWAP tunnels from the controllers to the APs; all wireless traffic centralized via the controllers as shown.
  • Separate policies and services for wired and wireless users
  • Wireless policies implemented on the controller
  • Wired policies implemented on the switch
• 76. Cisco Converged Access Deployment – Converged Wired / Wireless Access – Evolving from Overlay … Intermediate step
  Initial Migration Step – controller upgrades, implementation of the first CA switches.
  (Diagram) The 5508 / WiSM2 controllers receive a software upgrade and take the MC role (remaining MA for their own APs), still joined by EtherIP mobility tunnels within the Mobility Group; the first Catalyst 3850 switches are deployed as MAs in a Switch Peer Group, reached over CAPWAP mobility tunnels; the existing APs keep their CAPWAP tunnels to the controllers.
  Be aware that feature differences may exist, based on MA software versions.
• 77. Cisco Converged Access Deployment – Converged Wired / Wireless Access – Evolving from Overlay … Intermediate step
  Further Migration Step – controller upgrades, implementation of additional CA switches.
  (Diagram) The 5508 / WiSM2 controllers are upgraded to, or replaced by, 5760 controllers acting as MC and MA, joined by a CAPWAP mobility tunnel within the Mobility Group; additional Catalyst 3850 switches are deployed as MAs in Switch Peer Groups; remaining APs keep their CAPWAP tunnels to the controllers.
• 78. Cisco Converged Access Deployment – Converged Wired / Wireless Access – … to Integrated
  Implementation of an end-to-end Converged Access deployment.
  (Diagram) Data Center / Service block with ISE and PI; 5760 controllers (or upgraded WiSM2 / 5508) as MCs in a Mobility Group joined by a CAPWAP mobility tunnel; Catalyst 3850 switches as MAs in Switch Peer Groups, with CAPWAP tunnels from the APs terminating on the 3850s.
  • Wired and wireless policies implemented on the 3850 switch
  • Converged policies and services for wired and wireless users
  • Increase in visibility and control (NetFlow, advanced QoS, etc.) via local termination of both wired and wireless traffic
  • Increase in performance and scalability via local termination of both wired and wireless traffic
• 79. Agenda (section divider) – next: Wrap-up and Final Thoughts
• 80. Bringing Together Wired and Wireless – Cisco Converged Access Deployment – How Are We Addressing This Shift?
  • Control plane functionality on the next-generation WLAN controller (5760); also possible on upgraded 5508s and WiSM2s for brownfield deployments, or on next-generation Converged Access switches for small branch deployments
  • Data plane functionality on next-generation switches (Catalyst 3850s); also possible on the next-generation controllers, for deployments in which a centralized approach is preferred
  • Enabled by Cisco's strength in silicon and systems … the UADP ASIC
  An evolutionary advance to Cisco's wired + wireless portfolio, to address device and bandwidth scale, and services demands.
• 81. Bringing Together Wired and Wireless – Cisco Converged Access Deployment – With a Next-Generation Deployment and Solution
  (Diagram) A Mobility Domain with ISE, PI and the Mobility Oracle (MO); within it a Mobility Group of MCs, split into Sub-Domain #1 and Sub-Domain #2, each with its SPGs of MAs.
  An evolutionary advance to Cisco's wired + wireless portfolio, to address device and bandwidth scale, and services demands.
• 82. Converged Access – Tell Us How We Did! Did we achieve our objectives? Do you have a better understanding of what Converged Access is, of how Converged Access works, and of how you would use it in your network designs?
• 83. Thank you.
