Converged Access - Campus Network Design

Part 3 of 3 of a discussion on converged access design.

Published in: Technology

  1. Cisco Confidential. © 2013-2014 Cisco and/or its affiliates. All rights reserved.
  2. Converged Access – Controller-Less Campus Design: Add More To Grow
     [Diagram: Bldg – 1 to Bldg – 5, each with Floor-1 to Floor-4, labelled MA or MC]
  3. Converged Access – Controller-Less Campus Design: Consistent Success
     Design Principles:
     • VSS in Distribution
     • Stack in Access if possible
     • Multilayer Network Design
     • EtherChannel
     • Unique Wired and Wireless VLAN (Design-1)
     • Unique Wireless Mgmt VLAN Per Access
     • Cisco Borderless Campus CVD Best Practices
     Inventory Foundation:
     • Collect Per-Building Infrastructure Inventory
     • Analyze Indoor RF coverage
     • Check if Outdoor RF coverage required today
     • Up to date RF survey
     • Design conclusion based on Inventory
     [Diagram: Bldg – 1, Floor-1 to Floor-4, labelled MA or MC]
     * = IOS-XE RF Profile Coming Soon
  4. Converged Access – Controller-Less Campus Mobility Design
     • Seamless Roam – Static inter-domain Mobility peering between MCs. Non-disruptive Wireless communication across the same building
     • Hard Roam – No outdoor RF coverage. Clients re-associate to the Wireless network between buildings
     Peer only if needed. Do not build Mobility tunnels beyond one building.
     [Diagram: Bldg – 1 and Bldg – 2, Floor-1 to Floor-4, labelled MA or MC; "No outdoor RF"; "Mobility Roaming"]
  6. Converged Access – Quality Fact Check
     [Chart: Unique TAC Case Count (0 to 160) by month, Apr'14 to Mar'15. Series: New IOS and New Bug; New IOS and Old Bug; Self-Resolved by Customer; Customer Education; Mis-configured System/Network]
     Solve Challenge with: Cisco Prime Infra. CA WorkFlows
  7. How Long Would it Take You To Deploy This Network?
     [Diagram: POD-1 to POD-8, each with 3K1 and 3K2; Branch-1 to Branch-16; Internet; 5760-GA-1 and 5760-GA-2]
     • Addressing & Mobility: MC to Guest Anchor Mobility
     • WLANs: POD-X-3K-8021X, POD-X-3K-PSK, POD-X-3K-OPEN, POD-X-3K-GUEST
     • AppVisibility: Bandwidth (%) 40, 30, 20, 10
     • Security and Wireless Services: ISE, Centralized WebAuth, Dynamic VLAN, Downloadable ACL, IEEE 802.11AC, Radio Resource Mgmt, ClientLink 3.0, CleanAir, Fast-SSID-Change, Captive Bypass-Portal
     Two Guest Anchor Controllers, 16 Converged Access Branches, WLANs and Security, IP Addressing, QoS and App Visibility, and a suite of Services. So How Long to Deploy All of This?
  8. How Long Would it Take You To Deploy This Network?
     [Diagram and feature labels repeated from slide 7]
     So How Long to Deploy All of This? How about 5 minutes? :)
  9. Converged Access WorkFlow Overview
     [Diagram: DC with CPI and ISE; Large Branch; Large Campus; MC/MA Branch sites]
     • WLAN: 4 SSID Support – WPA2-Ent/WPA2-Personal/Open/Guest-CWA, 802.11 AC, Captive Bypass-Portal, Fast SSID-Change etc.
     • Application Experience: Wireless Flexible Netflow, Application Visibility and Per-SSID BW allocation
     • Security: Radius, 802.1X, CWA, AAA-Override, Client Timeout, NAC, DHCP Snooping, ARP Inspection, Clear Password Encryption etc.
     • Wireless Best Practices: Band-Select, RRM, CleanAir, DCA Channel, Radius Timeout, WiFi Direct Policy etc.
     IOS-XE Wireless WorkFlows:
     • WorkFlow 1 – Small Network
     • WorkFlow 2 – Large Network
     Shipping: Mar '15. Cisco Prime Infra: 2.2.1 + Wireless Technology Package 1.0.0
     IOS-XE Supported Platforms (columns: Platform | System Mode | IOS-XE Software Version | Agent (MA) | Controller (MC)):
     • Catalyst 3650/3850 | Standalone and StackWise | 3.6.0 and above
     • Catalyst 3850 Fiber | Standalone and StackWise | 3.6.0 and above
  10. CA WorkFlows – Configuration Structure
     Network – Global Significant. Network-Wide Wireless Configuration: Enterprise and Guest SSID, Security Policy, Application Visibility, Wireless QoS.
     • Enterprise-SSID (SSID: SSID / VLAN Name):
        • WLAN 1 - 8021X: PI_8021X / PI_8021X_VLAN
        • WLAN 2 – PSK: PI_PSK / PI_PSK_VLAN
        • WLAN 3 – OPEN: PI_OPEN / PI_OPEN_VLAN
     • Guest-SSID (SSID / VLAN Name):
        • Guest: PI_GUEST_CWA / GUEST_VLAN
     • Security (AAA Server):
        • Protocol: Radius
        • IP: 10.100.1.51
        • Key: cisco
     • Application Experience:
        • IP : Port, Prime: 10.100.1.82
        • IP : Port, Lancope: 10.100.2.82
        • SSID BW %: WLAN 1 - 8021X 40; WLAN 2 – PSK 30; WLAN 3 – OPEN 20; GUEST 10
     Device – Local Significant. Per-Device Configuration: Wireless Mgmt VLAN ID, Wireless Mgmt IP / Mask.
     • WM Address, 3x50 / 4500E-Sup8E: WM VLAN ID 105; WM IP / Mask 10.102.1.77 / 255.255.255.240
     • WM Address, 5760-GA: WM VLAN ID 33; WM IP / Mask 10.99.2.243 / 255.255.255.240
     Device Group – Domain Significant. Per-Domain Configuration: Role (Agent (MA) or Controller (MC)), SPG Group, SPG Group to Agent Mapping, Mobility Peerings.
     • Role: Controller / Agent
     • Controller IP: 10.101.3.109
     • Switch Peer Group Name: SPG-1
     • Mobility Agent IP(s): 10.101.1.109 ; 10.101.2.109
     • Peer Controller IP(s): 10.101.13.109 ; 10.101.23.109
  11. CA WorkFlows Planning – End-to-End Network Design
     [Diagram: MC/MA Branch sites; Sub-Domain-1 (SPG-1) and Sub-Domain-2 (SPG-2), each with MA and MC/MA; WAN; Internet; GA; DC with CPI and ISE]
     Controller-Less Single-Switch Branch:
     • Per-Site single switch Branch/Retail
     • Integrated MA/MC Role
     • No SPG Required
     • Pre-Installed IPBase and AP License
     • Central Guest WiFi solution
     • Remote backend services
     Controller-Less Single/Multi-Domain Branch:
     • Multi-device Branch Network
     • Multiple MA and MC(s) in Access
     • SPG Required
     • Pre-Installed IPBase and AP License
     • Central Guest WiFi solution
     • Remote backend services
  12. CA WorkFlows Pre-Requisite – Layer 2 Configuration
     [Diagram: MC/MA and MA switches connected over L2 links; Internet; GA]
     Location | Device | WLAN * | VLAN Name ** | VLAN ID
     Branch-1 | 3850 | SSID-1 | SSID_1_VLAN | 101
     Branch-2 | 3650 | SSID-1 | SSID_1_VLAN | 201
     Campus-SW1 | 4500-Sup8E | SSID-1 | SSID_1_VLAN | 101
     Campus-SW2 | 3850 | SSID-1 | SSID_1_VLAN | 102
     DMZ Guest Anchor | 5760 | Guest | Guest_VLAN | 500
     • Layer 2 network in Branch, Campus and DMZ must be preset before using Converged Access WorkFlows:
        • Wireless Management VLAN: create VLAN ID in database; network-wide common or unique VLAN Name; associate VLAN to AP Ports
        • Wireless Client VLAN: create VLAN ID in database; network-wide common VLAN Name
        • Guest Client VLAN: create VLAN ID in database of Guest Anchor WLC; VLAN Name must be common on all Guest Anchor
     • Enable DHCP Snooping and Trust settings on Wireless Client VLANs
     • Allow Wireless Management and Wireless Client VLAN on L2 Trunk ports of switches and upstream L2/L3 devices (Router/Switch)
  13. CA WorkFlows Pre-Requisite – Wireless Configuration
     [Diagram: MA, MC/MA, MC and GA]
     • Certain Wireless configuration in Branch and Campus must be preset before using Converged Access WorkFlows
     • Mobility Device Role conversion beforehand:
        • Identify and convert the Catalyst switch to Mobility Controller (MC). Reboot required
        • No change on Catalyst switch in Mobility Agent (MA)
     • AP License provisioning:
        • Access Point licenses are required on the Mobility Controller
        • Install the appropriate number of AP licenses on each MC to support the maximum number it needs to support in its local Sub-Domain
     Device Type | Default Mobility Role | Desired Mobility Role | Conversion | AP License
     Catalyst 3650/3850 | MA | MA | Not Required | Not Required
     Catalyst 3650/3850 | MA | MC | Required | Required
     3650/3850 – MC Role Conversion:
         3850(config)#wireless mobility controller
         3850#copy run start
         3850#reload
     3650/3850 – AP License Provisioning:
         3850#license right-to-use activate apcount <count> slot <id> acceptEULA
  14. CA WorkFlows Pre-Requisite – Servers Configuration
     • Cisco Prime Infrastructure:
        • All network-wide Catalyst switches must be configured with SNMP
        • Programmed in Cisco Prime Infrastructure Device Management
        • Link Cisco Prime Infrastructure with Cisco ISE engine as external server to centrally monitor end-to-end Client connectivity and policy enforcement details
     • Cisco ISE/ACS:
        • All network devices including Catalyst switches and Guest Anchor WLC must be configured in Cisco ISE/ACS to enable centralized policy engine function
        • No AAA configuration required on network devices. Automated using Cisco Prime Infrastructure WorkFlows
     • DHCP Server:
        • Internal or external DHCP Server must be preconfigured with appropriate pool settings for Wireless Clients
     • DNS Server:
        • DNS Server must be preconfigured with appropriate name-lookup process to successfully connect the network
     [Diagram: DC with CPI and ISE; MA, MC/MA, MC and GA]
  15. CA WorkFlow Pre-Requisite – Sample Network Configurations
  16. Global Converged Access Configuration – Build and Export
     [Tables: the Network – Global Significant values from slide 10 (Enterprise-SSID, Guest-SSID, Security, Application Experience), with an Export action]
     • Supported in Template Based Deployment mode
     • Build Once. Use Many model
     • Generate global significant Converged Access configurations including:
        • SSID and VLAN Name
        • Guest SSID, Guest Anchor WLC and VLAN Name
        • Security Parameters
        • Application Experience: Flexible NetFlow Collector IP Address, Per-SSID QoS Policy
     • Export this one time required configuration as CSV on local desktop. Reuse by simply importing configuration
  17. Global Converged Access Configuration – Import Template
     [Tables: the Network – Global Significant, Device – Local Significant and Device Group – Domain Significant values from slide 10, with an Import action]
     • Supported in Template Based Deployment mode
     • Update CSV and import global Converged Access configuration
     • Program per-device configuration:
        • Wireless Management VLAN ID, IP Address and Mask
        • Guest SSID, Guest Anchor WLC and VLAN Name
        • Security Parameters
        • Application Experience: Flexible NetFlow Collector IP Address, Per-SSID QoS Policy
     • For Large Template configure per Mobility sub-domain parameters
     • Deploy the Workflow on selected device
     • Repeat above steps for another set of Converged Access devices
  18. CPI Template – Key Benefits
     • Complete automation of Converged Access architecture with simple data inputs
     • Simple to Use. Intelligence in Tool
     • Mask Complexity. Basic user knowledge to power up broad IOS innovations
     • Scalable design to accelerate deployments
     • Optimize Converged Access deployments with integrated recommended Best Practices
  19. Thank you.
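
The Layer 2 prerequisites from slide 12, written out as IOS configuration for the Branch-1 Catalyst 3850. This is an added example, not part of the original deck: VLAN 101 / SSID_1_VLAN and wireless management VLAN 105 come from the slides, while the VLAN name WM_VLAN and both interface numbers are assumptions.

```cisco
! Wireless management VLAN (ID from slide 10; the name is an assumption)
vlan 105
 name WM_VLAN
!
! Wireless client VLAN for SSID-1 at Branch-1 (slide 12 table)
vlan 101
 name SSID_1_VLAN
!
! DHCP snooping on the wireless client VLAN
ip dhcp snooping
ip dhcp snooping vlan 101
!
! AP-facing port: associate the wireless management VLAN (interface assumed)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 105
!
! Uplink trunk: allow both VLANs and trust DHCP replies arriving
! from the upstream L2/L3 device (interface assumed)
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 switchport trunk allowed vlan 101,105
 ip dhcp snooping trust
```

`show ip dhcp snooping` and `show interfaces trunk` confirm the snooping VLAN list, the trusted uplink and the allowed VLANs before the workflow is deployed.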