
Converged Access - DoD Design Discussion


Part 1 of 3 of a discussion on converged access design.

Published in: Technology

  1. 1. Cisco Confidential 1© 2013-2014 Cisco and/or its affiliates. All rights reserved. Jay Pitcher – Technical Solution Architect japitche@cico.com
  2. 2. • WLAN Deployment options • Architecture Review • CA - Path to success • CA - Branch Design • CA - Campus Design • Role of Cisco Prime Infrastructure
  4. 4. Wireless Controller: Deployment Modes. Modes: Autonomous | FlexConnect | Centralized | Converged Access. Traffic: Standalone APs | Traffic Distributed at AP | Traffic Centralized at Controller | Traffic Distributed at Switch. Target Positioning: Small Wireless Network | Branch | Campus | Branch and Campus. Scope: Wireless only | Wireless only | Wireless only | Wired and Wireless. Key Use cases • Small number of APs • WGB mode – Bridge wired devices • Centralized Control with local data plane • Max of 100 APs at location • Most complete solution • All Capabilities of Enterprise WLAN • CA Switches Available • Basic Enterprise WLAN • Fewer than 100 APs Key Considerations • Certification concerns • No L3 roaming • Client connect to AP at the AP • Full features • Enterprise WLAN only, no Mesh, no modules WAN
  5. 5. Converged Access Scalability Guidelines (Unchanged Up to 3.7.0). Columns: 3650 | 3850. Certified Release: 3.6 (recommended 3.6.4) | 3.6 (recommended 3.6.4). Mobility Controller Mode: Yes | Yes. APs Supported: 25 | 50. Clients Supported: 1000 | 2000. Mobility Agent Mode: Yes | Yes. Number of MC in Mobility Domain: 8 / 2 | 8 / 2. Number of MAs in Sub-domain (per MC): 16 / 8 | 16 / 8. AP Scale (Per-Domain): 200 / 50 | 250 / 100.
  6. 6. Converged Access Deployments Recommendation 2 1 Mobility Domain - Up to 4000 Devices / 100 AP’s Max 2 x 3850 MC Centralized Overlay Number of Devices Size of Mobility Domain Mobility Domain - Up to 2000 Devices / 50 AP’s Max 1 x 3850 MC Seamless Roaming Use Case Nomadic Roaming Use Case Size of Mobility Domain MC MA1 MA2 MA8 … 4 Site - N MC MA1 MA2 MA8 … MC MA1 MA2 MA8 … Site - 3 Site - 2 Mobility Domain 1 Site - 1 MC MA1 MA2 MA8 … MC MA1 MA2 MA8 … (N) x independent Mobility Domains Up to 4000 Devices / 100 AP’s per Mobility Domain Unchanged Up to 3.7.0
  7. 7. Cisco Digital Network Architecture Automation Abstraction & Policy Control from Core to Edge Open & Programmable | Standards-Based Open APIs | Developers Environment Cloud Service Management Policy | Orchestration Virtualization Physical & Virtual Infrastructure | App Hosting Analytics Network Data, Contextual Insights Insights & Experiences Automation & Assurance Security & Compliance Network-enabled Applications Cloud-enabled | Software-delivered Principles
  8. 8. Network Requirements for the Digital Organization Wireless as Part of Your End-to-End Strategy Personalized engagement on mobile devices Physical or virtual wireless services Employee and guest access Based on deep context Expose wireless acquired data to applications Application policy across wireless, wired and WAN Validate activity across wireless, wired and WAN Combine network and business insight Day zero wireless deployment Accelerate security issue detection and resolution Insights & Experiences Drive Business Innovations Automation & Assurance Speed, Simplicity & Visibility Security & Compliance Real-time and Dynamic Threat Defense
  9. 9. Fabric Access Fabric Border Wireless Border (external WLC) Wireless Small Deployments Large Deployments Scale 250 Access Points; 4000 clients 15K Access Points; 150,000 Clients Policy Enforcement WLC WLC Control & Data CAPWAP CAPWAP Device is fabric enabled CAPWAP Transport Host (HTDB) Database Traditional Wireless over the Fabric
  10. 10. Wireless Small Deployments Large Deployments Scale 250 Access Points; 4000 clients 15K Access Points; 150,000 Clients Policy Enforcement Fabric Access switch (Unified policy for Wired & Wireless for Flex, Local, Converged Access modes) Control Path CAPWAP WLC as external service Fabric Access Fabric Border (Unified policies for wired & wireless) Host (HTDB) Database Integrated Wireless on The Fabric – IT Service for Endpoints regardless of Media type (Wired or Wireless)
  12. 12. Cisco Wireless Government Certifications - Today What’s Certified: • All Cisco 11ac and 11n Access Points • All appliance and integrated controllers • MSE 8.0 and PI 2.2 • APL Listing for WLAS, WAB, WIDS Predictable wireless certification – MD SW release gets certified Common release both Enterprise and Government customers Feature consistency and deployment flexibility Certification 7.0 8.0 IOS 3.6 FIPS CC UCAPL CSfC USGv6 Comprehensive certified end-end solution
  13. 13. Cisco Wireless Government Certifications - Tomorrow What will be Certified • All current controllers & .11n/.11ac APs • New .11ac Wave 2 APs, 3802/2802 • 5520/8540 Controller • New controller/mesh platforms Predictable wireless certification – MD SW release gets certified Common release both Enterprise and Government customers Feature consistency and deployment flexibility Certification 8.3 16.3 FIPS CC UCAPL CSfC USGv6 Comprehensive certified end-end solution
  14. 14. Converged Access – Foundation UADP ASIC Technology. Catalyst 3650 (IOS XE Software): - Up to (50) AP’s per stack [9] (IOS XE 3.7.1 or >) - Only (25) AP’s per stack [9] prior to IOS XE 3.7.1 - Up to 1,000 wireless clients - Up to 40Gbps wireless throughput (48-port models). Catalyst 3850 (IOS XE Software): - Up to (100) AP’s per stack [9] (IOS XE 3.7.1 or >) - Only (50) AP’s per stack [9] prior to IOS XE 3.7.1 - Up to 2,000 wireless clients - Up to 40Gbps wireless throughput (48-port models)
  15. 15. The Solution: Cisco Multigigabit Ethernet Delivers up to 5X Speeds in Enterprise without replacing cabling. 2.5-5G Cat 5e Cables WiFi > 1G Multigigabit Switch Multigigabit Capable AP Is a game-changing technology allowing enterprise networks to evolve beyond 1G Enables 2.5 and 5 Gbps up to 100m on legacy cables Supports all PoE standards up to 60W Cisco Multigigabit with
  16. 16. Catalyst 3850 ─ Multigigabit Versions. 48 Port Version: Downlinks: 36 x 1G Line Rate 10/100/1000BASE-T, 12 x GE/mGig/10GT Line Rate PoE/PoE+/UPoE, EEE, MACSec Uplinks: 4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G SFP+ (NEW). 24 Port Version: Downlinks: 24 x GE/mGig/10GT PoE/PoE+/UPoE, EEE, MACSec Uplinks: 4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G SFP+ (NEW). All 3850 Versions Can Stack with Each Other
  18. 18. Unified Wireless – Centralized Wireless Architecture Core DC Internet Mobility • Central Access Management o Access Points – Configuration, Software, Radio etc. o WLAN – SSID, Policy based etc. o Wireless Edge Mgmt – Authenticator, Logging etc. • Central Forwarding Management o Topology – Hub-N-Spoke Forwarding Design • Central Client Management o Security – Authentication, Authorization o VLAN – Access Tier between Wired and Overlay o Policy Enforcement – QoS, Security, Edge Function • License Management o Access Point License Management • Mobility Database and Management o Wireless Client Database (Local Domain) o Inter-WLC Mobility Domain Network • Guest Access o Anchor-Based Guest Solution with additional WLC • Central Wireless Services o Adv. Wireless – CleanAir and Radio Resource Mgmt (RRM) o Security - wIPS Core Function Access WLC
  19. 19. Unified Wireless – Distributed Wireless Architecture Core DC Internet Mobility • Central Access Management o Access Points – Configuration, Software, Radio etc. o WLAN – SSID, Policy based etc. o Wireless Edge Mgmt – Authenticator, Logging etc. • Central Forwarding Management o Topology – Hub-N-Spoke Forwarding Design • Central Client Management o Security – Authentication, Authorization o VLAN – Access Tier between Wired and Overlay o Policy Enforcement – Hybrid QoS, Security, AVC etc. Edge Function • License Management o Access Point License Management • Mobility Database and Management o Wireless Client Database (Local Domain) o Inter-WLC Mobility Domain Network • Guest Access o Anchor-Based Guest Solution with additional WLC • Central Wireless Services o Adv. Wireless – CleanAir and Radio Resource Mgmt (RRM) o Security - wIPS Core Function Access • Distributed Access Management o Access Points – Configuration, Software, Radio etc. o WLAN – SSID, Policy based etc. o Wireless Edge Mgmt – Authenticator, Logging etc. • Distributed Forwarding Management o Topology – Distributed Forwarding Design • Distributed Client Management o Security – Authentication, Authorization o VLAN – Common Access Tier Wired and Wireless o Policy Enforcement – Common QoS, Security, AVC etc. Edge Function MC MA MA MA • Converged Access ≠ FlexConnect. Converged Access = WLC + Ethernet Switch • All Wireless Controller Edge function is distributed to individual Ethernet switches. More significant operation • Wireless Controller Core function becomes limited. Less significant operation
  21. 21. All Depends Converged Access – Where do we Start? How many AP per MA? How many Clients? Who can be MC? How about MC Redundancy? How do I design SPG? How many MC? Where should be the MC? How do I define Roaming Boundary? What is Soft vs Hard Roam? How do I design MC in Distribution? How many Floors per Building? How many AP per MC? How many Building per Domain? How many AP per Building? How do I design Guest? Do I need Mobility Oracle? What is Nomadic Roaming? How do I design CA with FHRP? How do I design Subnet Plan? Design Question? Can I use different Catalyst to build CA? What is New Mobility? Can I build IOS to AireOS Mobility? Can I have roaming between CA and Centralized? Why do I need SPG? What happens when MC Fails? How do I make unsupported AP work?
  22. 22. Check Inventory – ✓ Total Building/Site Count ✓ Floors Count Per Building ✓ Switch Count Per Building ✓ AP Count Per Building ✓ Client Count Per Building Foundation Design – ✓ L2 or L3 Network Design ✓ Loop-free STP Topology ✓ VSS / StackWise ✓ EtherChannels ✓ Cisco Best Practices CA Design – ✓ MC Platform Decision ✓ MC Count Per Building ✓ MC Placement ✓ MC Redundancy ✓ Cisco Best Practices Roaming Design – ✓ Boundary Limit ✓ SPG Design ✓ L3 vs L2 Roam ✓ Stack Benefits ✓ Cisco Best Practices Guest Design – ✓ Anchor-based vs Anchor-Less ✓ IOS and AireOS Interoperability ✓ Foreign Tunnel Scalability ✓ Stack Benefits ✓ Cisco Best Practices Foundation Inventory Mobility Roaming Guest Converged Access – Systematic Design to Deploy Approach • System Step-By-Step Design to Deploy Phase. No different need in networking principle • Converged Access = 50% Wireless and 50% Wired. Single IT team effort to enable architectural transition • Wired and Wireless Best Practices integration sets the converged foundation to deliver expected and better results 5 Design Steps For Success
  23. 23. • Inventory – Different building/floor plans and sizes that reflect AP, Client and network device scale • Mobility – Variable scale limit in each site introduces variable Mobility designs at site to the block level • Roaming – Mobility design builds variable size of seamless roaming boundary limit for building pervasive wireless infrastructure • Guest – The three-tier Mobility design also requires evaluating a Guest wireless solution that can scale Converged Access – One Technology Fits Many Needs MC/MA Branch MC/MA Branch MC/MA Branch MA MC/MA Sub-Domain-1 SPG-1 MA MC/MA Sub-Domain-2 SPG-2 Internet GA DC CPI ISE Controller-Less Single-Switch Branch Controller-Less Single/Multi-Domain Branch Each Network Design has: Consistent Solution for Variable Deployments
  24. 24. Converged Access – ONE Network = ONE IT MC/MA Branch MC/MA Branch MC/MA Branch MA MC/MA Sub-Domain-1 SPG-1 MA MC/MA Sub-Domain-2 SPG-2 Sub-Domain-1 SPG-1 MA MA MC Sub-Domain-2 MA MA MC SPG-2 Sub-Domain-1 SPG-1 MA MA MC Sub-Domain-2 MA MA MC SPG-2 Controller-Less Single-Switch Branch Controller-Less Multi-Domain Branch/Campus Controller-Less Single/Multi-Domain Branch Controller-Based Multi-Domain Campus Tight Wired and Wireless IT Team Collaboration 50% Wireless 50% Wired Wireless IT Team Breadth of Wireless Knowledge: • Mobility and Wireless Architecture • Deep RF network understanding • Device and Network Operation • Wireless Security and Services • Wireless Endpoint Experience • Much more… Wired IT Team Deep Foundation Knowledge: • End-to-End Network Architecture • Expert in Route/Switch designs • IOS Device and Network Operation • Network Security and Services • Wireless Endpoint Experience • Much more… Win Together Converged Access Success!
  25. 25. Converged Access – Set Foundation Right! Foundation Simplify To Scale Distribution Access http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.pdf Cisco Validated Design Guide ✓ Aggregation – A system that provides control/data plane scale for common Wired/Wireless network, i.e., MAC entries, MAC move due to roam, CPU scale to support link-local bcast/mcast traffic etc. ✓ System Design – VSS or StackWise and EtherChannels. Build simple system and network topologies to scale ✓ Network Design – Multilayer or Routed Access. Consider VLAN span, L2 Roam, Subnet with Routed Access ✓ Best Practices – Following Cisco recommended Best Practices to set the foundation right for Converged Access Branch – L2 Network Design Campus – L2 Network Design Campus – L3 Network Design
  26. 26. Converged Access – Set Foundation Right! Foundation Simplify To Scale Distribution Access http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.pdf Cisco Validated Design Guide Access Distribution Wired L2/L3 Boundary Wireless L2/L3 Boundary Wireless ✓ MAC Address ✓ IP Address ✓ IGMP ✓ Broadcast/Multicast Wired ✓ MAC Address ✓ IP Address ✓ IGMP ✓ Broadcast/Multicast • Separate L2/L3 boundary for Wired and Wireless users with traditional wireless deployments. Becomes common with next-generation Converged Access Wireless solution • Common block means more MAC address, IP address and large flood domain • Catalyst platforms scalable to support. But solid L2/L3 foundation design required for optimal performance
  27. 27. Converged Access – Set Foundation Right! Foundation Simplify To Scale Access Distribution 101 201 301 Wired VLAN Wireless VLAN 102 202 302 101 201 301 Wired + Wireless VLAN 101 201 301 Wired VLAN Wireless VLAN 102 Design – 1 Design – 2 Design – 3 Pros Cons ✓ Structured and Intuitive addressing plan ✓ Contained flood/fault domain ✓ Unique policy for Wired vs Wireless ✓ Deterministic DHCP pool operation ✓ Cisco recommended design ✓ May require more subnets ✓ Subnet sizing may require extra planning Pros Cons ✓ Less VLANs and Subnets ✓ Dual-home device may impact application ✓ Cannot enforce unique access policies ✓ Challenging to plan Subnet Pros Cons ✓ Partial structured addressing plan ✓ Traditional CUWN VLAN design ✓ Unique policy Wired vs Wireless ✓ VSS/StackWise required in Distribution ✓ Large link local bcast/mcast flood domain ✓ STP fault domain widens in large network Recommended
  28. 28. • Architecturally non-recommended deployment design • Converged Access MC ≠ Traditional WLC • No key operational benefit in pushing Core function boundary across WAN • All Edge configuration and function remains fully distributed to each Access Layer MA switches • Solve operational simplicity with new Cisco Prime Infra WorkFlows and alternatively MC Managing MA IOS feature if Cisco Prime unavailable Converged Access – MC over WAN Summary Not Recommended Not Supported
