Design and Deployment of Branch Office Wireless Networks BRKEWN-2016
Sujit Ghosh
Sr. Mgr. Technical Marketing #clmel
Objective
Best Practices for Designing Resilient, Secure and Service-Ready Branch Networks BRKEWN 2016
© 2015 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Agenda
• Learn Cisco Unified Wireless LAN Principles
• Understand Wireless Branch Deployment Options
• Evaluate FlexConnect Architectural Requirements
• Identify the need for FlexConnect & AP Groups
• Design a Resilient Branch Network
• Design Secure & BYOD enabled Branch Network
• Operate Wireless Branch efficiently over WAN
• Service-Ready Branch
• FlexConnect Best Practices
Cisco Unified Wireless LAN Principles

Wireless Controller: Deployment Modes

Autonomous
• Traffic: Standalone APs
• Target positioning: Small Wireless Network
• Scope: Wireless only
• High Availability: Can only claim AP quality; no RF HA; no network layer HA; no services
• Key considerations: Limited features; upgradable to controller based

FlexConnect
• Traffic: Distributed at AP (APs reached over the WAN)
• Target positioning: Branch
• Scope: Wireless only
• High Availability: Full RF HA; Client SSO when Local Switching
• Key considerations: Branch with WAN BW and latency requirements

Centralised
• Traffic: Centralised at Controller
• Target positioning: Campus
• Scope: Wireless only
• High Availability: Most complete solution
• Key considerations: Full features

Converged Access
• Traffic: Distributed at Switch
• Target positioning: Branch and Campus
• Scope: Wired and Wireless
• High Availability: Exploits HA in IOS switches
• Key considerations: Catalyst 3650/3850 in the access layer
Branch Office Deployment: FlexConnect (HREAP)
• Hybrid architecture
• Single management and control point
• Data Traffic Switching
  – Centralised traffic (split MAC), or
  – Local traffic (local MAC)
• HA will preserve local traffic only
• Traffic Switching is configured per AP and per WLAN (SSID)
Figure: the Central Site controller is reached from the Remote Office over the WAN; centralised traffic is tunnelled to the controller, local traffic stays at the branch.
Wireless Branch Deployment Options
Branch Office with Local WLAN Controller: Overview
• Branches can also have local controllers, with a Backup Central Controller reached over CAPWAP across the WAN
• Small or Mid-size Branch WLCs:
  – CT-2504 (WLC-25xx)
  – Integrated controller modules in ISR/ISR-G2 (WLCM)
  – Converged Access Cat-3850
Advantages
• Cookie cutter configuration for every branch site
• Layer-3 roaming within the branch
• IPv6 L3 Mobility
Figure: Remote Sites A, B and C, each with its own local controller, connected to the Central Site over the WAN.
FlexConnect Glossary
Connected Mode: When the FlexConnect AP can reach the Controller, it gets help from the controller to complete client authentication.
Standalone Mode: When the FlexConnect AP cannot reach the Controller, it goes into standalone state and does client authentication by itself.
Local Switching: Data traffic is switched onto local VLANs for an SSID.
Central Switching: Data traffic is tunneled back to the WLC for an SSID.
Configure FlexConnect Mode
Step 1: Configure Access Point Mode
• Enable FlexConnect mode per AP
• Supported APs: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600, AP-2600, AP-3600, AP-1700, AP-3700, AP-2700, AP-700, AP-1520, AP-1530, AP-1550, AP-1570
Configure FlexConnect Local Switching
Step 2: Enable Local Switching per WLAN
Only a WLAN with “FlexConnect Local Switching” enabled will allow local switching on the FlexConnect AP.
Configure FlexConnect VLAN Mapping
Step 3: FlexConnect Specific Configuration
• A FlexConnect AP can be connected on an access port or to an 802.1Q trunk port (using the native VLAN)
• VLAN mapping can be performed per AP configuration on the WLC and/or by AP groups using Cisco Prime Infrastructure templates
Configure FlexConnect VLAN Mapping
Step 4: FlexConnect Specific Configuration – Native VLAN
• When connecting with a Native VLAN on the AP, the L2 switchport must also match the corresponding Native VLAN configuration
• Each SSID that is allowed to be locally switched should be allowed on the corresponding switchport.
Configure FlexConnect SSID-VLAN Mapping
Step 5: Per AP SSID to VLAN Mapping
• Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP
• Or use Cisco Prime Infrastructure (NCS) via configuration templates

Configure FlexConnect VLAN Mapping Using Cisco Prime Infrastructure
• Prime Infrastructure provides simplified configuration to all FlexConnect APs with one Lightweight AP Template
Evaluate FlexConnect Architectural Requirements

For Your Reference
FlexConnect Design Considerations: WAN Limitations Apply

Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
Data              64 kbps               300 ms                  5                    25
Data              640 kbps              300 ms                  50                   1000
Data              1.44 Mbps             1 sec                   50                   1000
Data+Voice        128 kbps              100 ms                  5                    25
Data+Voice        1.44 Mbps             100 ms                  50                   1000
Monitor           64 kbps               2 sec                   5                    N/A
Monitor           640 kbps              2 sec                   50                   N/A

It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.
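The table and the per-AP recommendation above are easy to misread as independent limits; the following Python check, added here as an example and not taken from the deck, applies both at once to a proposed branch. The row values and the 24 kbps per AP figure are copied from the slide; the WanRow and Branch records, the fitting_rows and check_branch names and the sample branches are constructed for this example.

```python
"""Check a proposed FlexConnect branch against the WAN limitations table.

Added example, not part of the Cisco Live deck. The rows of WAN_LIMITS and the
24 kbps-per-AP recommendation are copied from the slide; the WanRow/Branch
records, the function names and the sample branches are constructed here.
"""
from typing import List, NamedTuple, Optional


class WanRow(NamedTuple):
    deployment: str
    min_kbps: int
    max_rtt_ms: int
    max_aps: int
    max_clients: Optional[int]   # None = N/A (monitor mode carries no clients)


# One entry per row of the "WAN Limitations Apply" table (1.44 Mbps = 1440 kbps).
WAN_LIMITS = [
    WanRow("Data",       64,   300,  5,  25),
    WanRow("Data",       640,  300,  50, 1000),
    WanRow("Data",       1440, 1000, 50, 1000),
    WanRow("Data+Voice", 128,  100,  5,  25),
    WanRow("Data+Voice", 1440, 100,  50, 1000),
    WanRow("Monitor",    64,   2000, 5,  None),
    WanRow("Monitor",    640,  2000, 50, None),
]

# The slide's standing recommendation: never less than 24 kbps per AP.
KBPS_PER_AP = 24


class Branch(NamedTuple):
    name: str
    deployment: str
    wan_kbps: int
    rtt_ms: int
    aps: int
    clients: int


def fitting_rows(b: Branch) -> List[WanRow]:
    """Rows of the table that accommodate this branch on every column."""
    return [
        r for r in WAN_LIMITS
        if r.deployment == b.deployment
        and b.aps <= r.max_aps
        and (r.max_clients is None or b.clients <= r.max_clients)
        and b.wan_kbps >= r.min_kbps
        and b.rtt_ms <= r.max_rtt_ms
    ]


def check_branch(b: Branch) -> List[str]:
    """Return design findings for the branch; an empty list means it fits."""
    findings = []
    per_ap_floor = KBPS_PER_AP * b.aps
    if b.wan_kbps < per_ap_floor:
        findings.append(
            f"{b.name}: {b.wan_kbps} kbps is below the {per_ap_floor} kbps "
            f"implied by {KBPS_PER_AP} kbps per AP for {b.aps} APs")
    if not fitting_rows(b):
        findings.append(
            f"{b.name}: no {b.deployment} row covers {b.aps} APs / "
            f"{b.clients} clients at {b.wan_kbps} kbps and {b.rtt_ms} ms RTT")
    return findings


# Constructed sample branches (not from the deck).
SAMPLE_BRANCHES = [
    Branch("store-12", "Data",       640, 250,  20, 300),  # fits the 640 kbps row
    Branch("clinic-3", "Data+Voice", 128, 150,  5,  20),   # RTT over the 100 ms ceiling
    Branch("kiosk-7",  "Data",       64,  200,  5,  25),   # table row fits, per-AP floor does not
    Branch("sensor-1", "Monitor",    640, 1500, 10, 0),    # monitor mode, clients N/A
]

if __name__ == "__main__":
    for branch in SAMPLE_BRANCHES:
        print(branch.name, check_branch(branch) or "OK")
```

The kiosk-7 case is the one worth noticing: the 64 kbps / 5 AP row of the table accepts it, but the 24 kbps per AP recommendation needs 120 kbps, so the stricter rule wins and the branch is flagged.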
FlexConnect Design Considerations: Feature Limitations
Not available in Standalone mode and Local Switching:
– MAC/Web Auth in Standalone Mode
– IPv6 L3 Mobility
– SXP TrustSec
– Application Visibility and Control (coming in 8.1)
– Service Discovery Gateway
– Native Profiling and Policy Classification
See the full list in the « FlexConnect Feature Matrix »: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
IPv6 Support
• Significant support for IPv6 with Central Switching
• IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching
Economies of Scale For Lean Branches: Flex 7500 Wireless Controller

Functionality
• Access Points: 300-6,000
• Clients: 64,000
• Branches (Flex Groups): 2000
• Access Points / Branch: 100
• Deployment Model: FlexConnect
• Form Factor: 1 RU
• IO Interface: 2 x 10GE
• Upgrade Licenses: 100, 200, 500, 1K RTU Licenses

Key Differentiation
• WAN Tolerance: High Latency Networks; WAN Survivability
• Security: 802.1x based port authentication
• Voice support: Voice CAC; OKC/CCKM
Optimised for High Scale Deployments: Cisco 8510 Series Controller

Functionality
• Access Points: 300-6,000
• Clients: 64,000
• Branches/locations: 6,000 (2000 FlexGroups)
• Access Points per FlexConnect group: 100
• Deployment types: Local (centralised), FlexConnect and mesh
• Form Factor: 1 RU
• IO Interface and redundancy: Dual redundant 10GE ports with LAG
• 4K VLANs

Key Differentiation
• High scale
• Geo Separated AP/Client SSO
• Rich Features with deployment flexibility:
  – FlexConnect, Local mode and mesh support
  – Right to use (with EULA) for ease of license enablement
  – 3G Packet core integration: PMIPv6 MAG solution with ASR5K (LMA)
  – FlexConnect with HS2.0 for 3G offload
  – Other key features: 802.11r fast roaming, rate limit traffic flows, Video Stream for rich media flows
* Indicates unique 8500 features
For Your Reference
FlexConnect Feature Introduction

FlexConnect Feature                                Release Version
AAA-VLAN Override, ACLs & P2P Blocking             7.2
Smart AP Image Upgrade                             7.2
External Web-Auth & Mobile Device On-boarding      7.2
Flex 7500 Scale Update                             7.3
VLAN Based Central Switching                       7.3
Split-tunnelling                                   7.3
Work Group Bridge (WGB) Support                    7.3
Bi-Directional Rate Limiting                       7.4
ISE BYOD Registration & Provisioning               7.4
AAA-ACL & AAA-QoS Override                         7.5
EAP-TLS & PEAP Support for Local Authentication    7.5
Ethernet Fallback                                  7.6
VideoStream for Local Switching                    8.0
Faster time to deploy                              8.0
FlexConnect on Mesh APs                            8.0
AVC for FlexConnect                                8.1
VLAN Name override for FlexConnect                 8.1
Why Do We Need FlexConnect and AP Groups?

Understanding AP Groups: Overview
• AP Groups is a logical concept of grouping APs which deliver similar Wi-Fi services; these services can be:
  – By physical location, and/or
  – By functional services (data, voice, guest, …)
• The same AP groups need to be defined in all WLCs of a mobility group
Figure: a Flex 7500 at the Central Site serving AP Group 1, with Remote Site A and Remote Site B (AP Groups 2 and 3) connected over the WAN.

Scaling
                      7500/8500   CT-5508   WiSM-2   CT-2504
# AP Groups           6000        500       1000     50
# WLAN (SSID)         512         512       512      16
# VLAN (Interfaces)   4095        512       512      16
AP Groups Configuration: Create a New Group
AP Groups Usage: Per Location SSID
• AP groups give the ability to enable Wi-Fi Services (WLAN) based on physical location
• Central Site (AP Group 1): Corporate-Voice, Corporate-Data, Guest-Access
• Manufacturing Site: Corporate-Voice, Corporate-Data, Scanners
• Store: Corporate-Data, Guest-Access
Figure: the three sites (AP Groups 1 to 3) connected over the WAN, Guest-Access breaking out to the Internet.
AP Groups Usage: Per AP Group SSID to VLAN Mapping
• AP groups give the ability to statically map a Wi-Fi service (WLAN) to a VLAN based on physical location
• Users see the same Wi-Fi service on all sites
• Admin can monitor and filter based on the different IP@ of each site
• Can also be used to have smaller Wi-Fi subnets, for example per floor subnets in a building
Figure: the Corporate-Data SSID mapped to VLAN-1 at the Head Office (AP Group 1), VLAN-2 at the Manufacturing Site (AP Group 2) and VLAN-3 at the Store (AP Group 3), all connected over the WAN/MAN.
AP Groups Configuration/VLAN Mapping
Understanding FlexConnect Groups: Overview
FlexConnect groups allow sharing of:
• CCKM/OKC fast roaming keys
• Local/backup RADIUS servers IP/keys
• Local EAP authentication
• AAA-Override for Local Switching
• Smart Image Upgrade
• FlexConnect AVC (8.1)
Figure: a Flex 7500 Cluster at the Central Site; each Remote Site across the WAN forms its own FlexConnect Group (1 and 2).

Scaling
                      Flex 7500/8500   CT-5508   WiSM2   CT-2504
FlexConnect Groups    2000             100       100     30
AP per Group          100              25        25      25
FlexConnect Groups and CCKM/OKC Keys: Overview
• CCKM/OKC keys are stored on FlexConnect APs for Layer 2 fast roaming
• The FlexConnect APs receive CCKM/OKC keys from the WLC
• If a FlexConnect AP boots up in standalone mode, it will not get the OKC/CCKM keys from the WLC
• FlexConnect supports 802.11r Fast Transition with local key caching.
Figure: the RADIUS Server and WLC at the Central Site distribute CCKM keys over the WAN to the APs in FlexConnect Group 1 and FlexConnect Group 2.
FlexConnect Groups Creation
Step 1: Add a New FlexConnect Group
Step 2: Add APs to the FlexConnect Group

FlexConnect Groups Template on PI
Designing a Resilient Wireless Branch Network

FlexConnect Backup Scenario: WAN Failure
• FlexConnect will backup on local switched mode
  – No impact for locally switched SSIDs
  – Disconnection of centrally switched SSIDs clients
• Static authentication keys are locally stored in the FlexConnect AP
• Lost features:
  – RRM, WIDS, location, other AP modes
  – Web authentication, NAC
Figure: the Central Site is unreachable over the failed WAN; the Remote Site keeps locally switched traffic to its local Application Server.
FlexConnect Backup Scenario: WLC Failure with N+1 HA
• FlexConnect will first backup on local switched mode
  – No impact for locally switched SSIDs
  – Disconnection of centrally switched SSIDs clients
• CCKM roaming allowed in the FlexConnect group
• The FlexConnect AP will then search for a backup WLC; when the backup WLC is found, the FlexConnect AP will resync with the WLC and resume client sessions with central traffic.
• Client sessions with Local Traffic are not impacted during resync with the Backup WLC.
Figure: Central Site WLCs in N+1; the Remote Site reaches its Application Server locally while the WAN session is rebuilt.
FlexConnect Backup Scenario: WLC Failure with SSO
• HA considerations:
  – No impact for locally switched SSIDs
  – Disconnection of centrally switched SSIDs clients with AP SSO
  – No/minimal impact for centrally switched clients with Client SSO (7.5 and above)
• The FlexConnect AP will NOT transition to Standalone because SSO kicks in
• The AP will continue to be in Connected mode with the Standby (now Active) WLC
Figure: Active and Standby WLC pair at the Central Site; the Remote Office reaches the Application Server over the WAN.
FlexConnect Group: Backup Scenario – Local Backup RADIUS
• Normal authentication is done centrally (Central RADIUS at the Central Site)
• On WAN failure, the AP authenticates new clients with the locally defined RADIUS server (Local Backup RADIUS at the Remote Site)
• Existing connected clients stay connected
• Clients can roam with:
  – CCKM fast roaming, or
  – Re-authentication
FlexConnect Group: Local Backup RADIUS Configuration
• Define primary and secondary local backup RADIUS server per FlexConnect group
Local Authentication
• By default the FlexConnect AP authenticates clients through the central controller (Central RADIUS at the Central Site)
• Local Authentication allows use of a local RADIUS server directly from the FlexConnect AP (Local RADIUS at the Remote Site, defined per FlexConnect Group)
Local Authentication Configuration
FlexConnect Group: Backup Scenario – Local Backup Authentication
• Normal authentication is done centrally (Central RADIUS)
• On WAN failure, the AP authenticates new clients with its local database
• Each FlexConnect AP has a copy of the local user DB
• Existing authenticated clients stay connected
• Clients can roam with:
  – CCKM fast roaming, or
  – Local re-authentication

Supported Security Types   Release Version
LEAP                       6.0
EAP-FAST                   6.0
PEAP                       7.5
EAP-TLS                    7.5
FlexConnect Group: Local Backup Authentication Configuration
• Define users (max 100) and passwords
• Select the supported Security protocols, i.e. LEAP, EAP-FAST, PEAP or EAP-TLS
Designing Secure and BYOD Enabled Branch Network

FlexConnect Peer-to-peer Blocking
Starting from 7.2

Local Switching Peer-to-peer Blocking: Overview
• Support for Peer-to-Peer blocking in the FlexConnect AP
• Applies to clients on the same FlexConnect AP
• P2P blocking modes: disable or drop
• For P2P blocking between APs use the ACL or Private VLAN function
Local Switching Peer-to-peer Blocking Configuration
• Both modes of operation will drop the packet at the AP for a Local Switching enabled WLAN
• * A Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream node connected to the WLC
FlexConnect AAA VLAN and QoS Override
Starting from 7.2

FlexConnect AAA VLAN Override: Description
• AAA VLAN Override with local or central authentication
• Up to 16 VLANs per FlexConnect AP
• The VLAN ID must be enabled per AP or FlexConnect Group
• If the VLAN ID does not exist, the default VLAN is used, unless « VLAN Based Central Switching » is enabled
• Starting from 7.5 AAA override for QoS is also supported.
Figure: RADIUS at the Central Site returns VLAN = 3 / QoS = Silver for one client and VLAN = 7 / QoS = Platinum for another in the same FlexConnect Group at the Remote Site.
FlexConnect AAA VLAN Override: Configuration (For Your Reference)
• ISE at the Central Site returns the IETF RADIUS attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID) across the WAN
• Create a Sub-Interface on the FlexConnect AP
VLAN Based Central Switching: Overview
• While doing AAA VLAN Override with local switching:
  – If the VLAN ID does not exist at the AP, the traffic is centrally switched to the central VLAN ID
  – If the central VLAN ID does not exist, the traffic is centrally switched to the default VLAN ID of the WLAN
Figure: Central RADIUS returns VLAN 3 for one client and VLAN 7 for another; neither VLAN exists on the Remote Site AP. VLAN 3 exists on the WLC, so that traffic is centrally switched to central VLAN 3; VLAN 7 does not exist on the WLC either, so that traffic goes to the default VLAN ID.
Starting from 7.5
FlexConnect AAA QoS Override: Description
• Dynamically assign QoS levels and/or bandwidth contracts for local switching, centrally authenticated WLANs
• Web-authenticated WLANs and 802.1X-authenticated WLANs supported
• Order of precedence for Rate Limiting parameters:
  1. AAA override
  2. QoS Profile of AAA override
  3. Local WLAN configuration
  4. QoS Profile of local WLAN configuration

Vendor ID/Vendor Type   Attribute
[14179\002]             Aire-QoS-Level
[14179\004]             Aire-802.1P-Tag
[14179\007]             Aire-Data-Bandwidth-Average-Contract
[14179\008]             Aire-Real-Time-Bandwidth-Average-Contract
[14179\009]             Aire-Data-Bandwidth-Burst-Contract
[14179\010]             Aire-Real-Time-Bandwidth-Burst-Contract
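The precedence list above is applied per rate-limiting parameter, not to the Access-Accept as a whole, which is the part that trips people up when a RADIUS policy sets only one contract. The Python below, added here as an example and not from the deck or any Cisco code, parses the Airespace VSAs listed in the table and resolves each of the four contracts through the four levels. The vendor ID, vendor types and attribute names come from the slide; the sample Access-Accept, QoS profiles, WLAN contracts and function names are constructed, and the Aire-QoS-Level value is assumed to arrive already decoded to a profile name.

```python
"""Resolve effective rate-limit parameters under FlexConnect AAA QoS Override.

Added example, not part of the Cisco Live deck. The Airespace vendor ID
(14179), the vendor types and attribute names, and the four-step order of
precedence come from the slides. The sample Access-Accept, the QoS profiles,
the WLAN contracts and the function names are constructed here, and the
Aire-QoS-Level value is assumed to arrive already decoded to a profile name.
"""
from typing import Dict, Iterable, Tuple

AIRESPACE_VENDOR_ID = 14179

# Vendor type -> attribute name, as listed on the slide.
AIRE_VSA_NAMES = {
    2: "Aire-QoS-Level",
    4: "Aire-802.1P-Tag",
    7: "Aire-Data-Bandwidth-Average-Contract",
    8: "Aire-Real-Time-Bandwidth-Average-Contract",
    9: "Aire-Data-Bandwidth-Burst-Contract",
    10: "Aire-Real-Time-Bandwidth-Burst-Contract",
}
# The four rate-limiting parameters the precedence rule applies to.
RATE_KEYS = tuple(AIRE_VSA_NAMES[t] for t in (7, 8, 9, 10))


def parse_vsas(vsas: Iterable[Tuple[int, int, object]]) -> Dict[str, object]:
    """Keep only the Airespace VSAs this resolver understands.

    Each input is (vendor_id, vendor_type, value); anything from another
    vendor or with an unknown type is ignored rather than trusted.
    """
    parsed: Dict[str, object] = {}
    for vendor_id, vendor_type, value in vsas:
        if vendor_id != AIRESPACE_VENDOR_ID:
            continue
        name = AIRE_VSA_NAMES.get(vendor_type)
        if name is not None:
            parsed[name] = value
    return parsed


def effective_rate_limits(aaa: Dict[str, object],
                          wlan_contracts: Dict[str, int],
                          wlan_profile: str,
                          profiles: Dict[str, Dict[str, int]]) -> Dict[str, Tuple[int, str]]:
    """Apply the slide's precedence to each rate parameter independently:
    1. AAA override attribute, 2. QoS profile named by the AAA override,
    3. local WLAN configuration, 4. QoS profile of the local WLAN.
    Returns parameter -> (value in kbps, source that supplied it)."""
    aaa_profile = profiles.get(str(aaa.get("Aire-QoS-Level")), {})
    local_profile = profiles.get(wlan_profile, {})
    resolved: Dict[str, Tuple[int, str]] = {}
    for key in RATE_KEYS:
        if key in aaa:
            resolved[key] = (int(aaa[key]), "AAA override")
        elif key in aaa_profile:
            resolved[key] = (aaa_profile[key], "QoS profile of AAA override")
        elif key in wlan_contracts:
            resolved[key] = (wlan_contracts[key], "local WLAN configuration")
        else:
            resolved[key] = (local_profile.get(key, 0),
                             "QoS profile of local WLAN configuration")
    return resolved


# Constructed sample data (not from the deck); contracts are in kbps, 0 = unlimited.
SAMPLE_ACCESS_ACCEPT = [
    (AIRESPACE_VENDOR_ID, 2, "Platinum"),  # Aire-QoS-Level, assumed pre-decoded
    (AIRESPACE_VENDOR_ID, 7, 2000),        # data average contract
    (AIRESPACE_VENDOR_ID, 4, 6),           # Aire-802.1P-Tag, not a rate parameter
    (9, 1, "cisco-avpair"),                # foreign vendor ID, dropped by parse_vsas
]
QOS_PROFILES = {
    "Platinum": {"Aire-Real-Time-Bandwidth-Average-Contract": 4000},
    "Silver": {"Aire-Real-Time-Bandwidth-Burst-Contract": 500},
}
WLAN_CONTRACTS = {"Aire-Data-Bandwidth-Burst-Contract": 3000}
WLAN_PROFILE = "Silver"


def demo() -> Dict[str, Tuple[int, str]]:
    """Resolve the constructed Access-Accept against the constructed WLAN."""
    return effective_rate_limits(parse_vsas(SAMPLE_ACCESS_ACCEPT),
                                 WLAN_CONTRACTS, WLAN_PROFILE, QOS_PROFILES)


if __name__ == "__main__":
    for param, (value, source) in demo().items():
        print(f"{param}: {value} kbps ({source})")
```

With the constructed input, each of the four contracts ends up coming from a different level of the precedence list, which is the behaviour to verify when a client's effective rate limit is not the one the RADIUS policy seems to set.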
AAA Override Deployment Scenario: Problem Statement
Figure: the Central Site RADIUS returns VLAN 20 for a user; Remote Site A has VLAN 20, but at Remote Site B VLAN 20 does not exist.

Remote Site A
Function      VLAN ID
Engineering   10
Marketing     20
Sales         30

Remote Site B
Function      VLAN ID
Engineering   11
Marketing     21
Sales         31
Coming in 8.1
VLAN Name Mapping at FlexConnect Group
Figure: each FlexConnect Group holds its own VLAN Name to VLAN ID table, so the same VLAN Name resolves to a site-specific VLAN ID at Remote Site A (Flex Group A) and Remote Site B (Flex Group B) across the WAN.

Flex Group A
VLAN Name     VLAN ID
Engineering   10
Marketing     20
Sales         30
. .
HR            160

Flex Group B
VLAN Name     VLAN ID
Engineering   11
Marketing     21
Sales         31
. .
HR            161
Coming in 8.1
VLAN Name AAA Override – Solution
• RADIUS at the Central Site returns VLAN NAME = Marketing in Aire-Interface-Name or IETF Tunnel-Private-Group-ID instead of a VLAN ID
• Remote Site A resolves the name to VLAN 20, Remote Site B to VLAN 21

Remote Site A
VLAN Name     VLAN ID
Engineering   10
Marketing     20
Sales         30

Remote Site B
VLAN Name     VLAN ID
Engineering   11
Marketing     21
Sales         31
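The three AAA VLAN override rules from the preceding slides (fallback to the WLAN's default VLAN, VLAN Based Central Switching, and 8.1 VLAN Name mapping per FlexConnect Group) combine into one decision per client. The Python below is an added example, not from the deck or any Cisco code, that walks that decision for a given AAA value; the dataclasses, the resolve_override name, the AP VLAN inventories and the WLC VLAN set are constructed, while the Flex Group A/B name tables are the ones on the slides.

```python
"""Resolve an AAA VLAN override on a FlexConnect AP.

Added example, not part of the Cisco Live deck. It combines three rules from
the slides: (1) a VLAN ID that does not exist at the AP falls back to the
WLAN's default VLAN unless VLAN Based Central Switching is enabled; (2) with
that feature enabled the traffic is centrally switched to the central VLAN,
or to the WLAN's default VLAN if the central VLAN does not exist either;
(3) from 8.1 the attribute may carry a VLAN Name, which the AP's FlexConnect
Group maps to a site-specific VLAN ID. The dataclasses, function names and
VLAN inventories are constructed here; the name/ID tables are the
Flex Group A/B values from the slides.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Union


@dataclass
class FlexGroup:
    name: str
    vlan_names: Dict[str, int]      # VLAN Name -> VLAN ID mapping held by the group


@dataclass
class FlexAP:
    name: str
    group: FlexGroup
    local_vlans: Set[int]           # VLAN IDs present in the AP's VLAN mapping


@dataclass
class Wlan:
    default_vlan: int               # VLAN the WLAN maps to when no override applies
    vlan_based_central_switching: bool


@dataclass
class Decision:
    vlan: int
    switching: str                  # "local" or "central"
    reason: str


def resolve_override(aaa_value: Union[int, str], ap: FlexAP, wlan: Wlan,
                     wlc_vlans: Set[int]) -> Decision:
    """Decide where a client's traffic goes for a given AAA VLAN attribute."""
    # Step 1: turn the attribute into a VLAN ID. A bare number is used as-is;
    # anything else is treated as a VLAN Name and resolved through the group.
    vlan_id: Optional[int]
    if isinstance(aaa_value, int) or str(aaa_value).isdigit():
        vlan_id = int(aaa_value)
        how = f"AAA VLAN ID {vlan_id}"
    else:
        vlan_id = ap.group.vlan_names.get(str(aaa_value))
        how = f"AAA VLAN Name {aaa_value!r} -> {vlan_id} via {ap.group.name}"

    # Step 2: the VLAN exists on the AP, so the client is locally switched there.
    if vlan_id is not None and vlan_id in ap.local_vlans:
        return Decision(vlan_id, "local", how)

    # Step 3: unknown at the AP. Without VLAN Based Central Switching the
    # WLAN's default VLAN is used locally.
    if not wlan.vlan_based_central_switching:
        return Decision(wlan.default_vlan, "local",
                        f"{how}; not on AP, WLAN default VLAN")

    # Step 4: with the feature on, central switch to the VLAN if the WLC has
    # it, otherwise central switch to the WLAN's default VLAN.
    if vlan_id is not None and vlan_id in wlc_vlans:
        return Decision(vlan_id, "central", f"{how}; not on AP, exists on WLC")
    return Decision(wlan.default_vlan, "central",
                    f"{how}; on neither AP nor WLC, WLAN default VLAN")


# Site tables from the slides; AP inventories and WLC VLANs are constructed.
GROUP_A = FlexGroup("Flex Group A", {"Engineering": 10, "Marketing": 20, "Sales": 30, "HR": 160})
GROUP_B = FlexGroup("Flex Group B", {"Engineering": 11, "Marketing": 21, "Sales": 31, "HR": 161})
AP_SITE_A = FlexAP("ap-site-a", GROUP_A, {10, 20, 30, 160})
AP_SITE_B = FlexAP("ap-site-b", GROUP_B, {11, 21, 31, 161})
WLC_VLANS = {3, 20}                 # constructed: VLAN 20 exists centrally, VLAN 7 does not
WLAN_PLAIN = Wlan(default_vlan=3, vlan_based_central_switching=False)
WLAN_VBCS = Wlan(default_vlan=3, vlan_based_central_switching=True)

if __name__ == "__main__":
    for value, ap, wlan in [("Marketing", AP_SITE_A, WLAN_PLAIN),
                            ("Marketing", AP_SITE_B, WLAN_PLAIN),
                            (20, AP_SITE_B, WLAN_PLAIN),
                            (20, AP_SITE_B, WLAN_VBCS),
                            (7, AP_SITE_B, WLAN_VBCS)]:
        print(ap.name, resolve_override(value, ap, wlan, WLC_VLANS))
```

The two Site B cases with a numeric VLAN 20 reproduce the problem statement slide: without VLAN Based Central Switching the user silently lands in the WLAN's default VLAN at the branch, with it enabled the traffic is tunnelled to VLAN 20 on the controller. A VLAN Name that the group cannot resolve is treated like a VLAN that does not exist, since the slides give no separate rule for it.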
FlexConnect ACL VLAN Mapping and Per-Client ACL
Starting from 7.2

FlexConnect ACL – VLAN Mapping: Overview
• FlexConnect ACLs are applied per VLAN
• FlexConnect ACLs are Ingress / Egress oriented
• Starting from 7.5 FlexConnect ACL supports AAA-returned Client ACL
ACL Scale
• 512 FlexConnect ACL per WLC
• 16 ingress ACL & 16 egress ACL per AP
• 64 ACL rules per ACL
• No IPv6 ACL
Figure: Central Site WLC; Remote Site FlexConnect AP applying ACLs to VLAN traffic towards the local Application Server.
FlexConnect Access Lists Configuration – Create FlexConnect ACL
• FlexConnect ACL rule creation is similar to rule creation for Local Mode AP
FlexConnect ACL – VLAN Mapping Configuration – FlexConnect ACL per AP
• A FlexConnect ACL can be applied per AP using the VLAN Mappings configuration
FlexConnect ACL – VLAN Mapping Configuration – FlexConnect ACL per FlexConnect Group
• A FlexConnect ACL can be applied per FlexConnect Group per VLAN in the ACL Mapping tab.
FlexConnect Split Tunnelling (Using FlexConnect Split ACL)
Starting from 7.3

FlexConnect ACL – Split Tunnelling: Overview
• Split tunnelling allows some traffic to be locally switched although the WLAN is defined as centrally switched
• Split tunnelling uses a NAT/PAT feature with an ACL to perform the local switching
• Split tunnelling uses the AP IP@ for the NAT/PAT feature
Figure: the FlexConnect AP sends Central Traffic to the Central Server through the CAPWAP tunnel to the WLC over the WAN, while traffic matched by the NAT/PAT ACL goes as Local Traffic to the Local Printer.
FlexConnect ACL – Split Tunnelling Configuration
• Create a centrally switched WLAN (Flex Local Switching should not be checked)
• Define a Flex ACL to match the traffic to be locally switched (Local subnet) as opposed to the Central subnet

FlexConnect ACL – Split Tunnelling Configuration – Per Access Point

FlexConnect ACL – Split Tunnelling Configuration – Per FlexConnect Group
Deploying External WebAuth with FlexConnect Local Switching (Using FlexConnect WebAuth ACL)
Starting from 7.2.110

External WebAuth with Local Switching: Description
• Provides L3 Web Redirect from a locally switched VLAN
• Reduces WAN traffic by locally switching guest traffic
• Flexible and centralised web portal creation for multiple sites
• Provides flexible use of Conditional and Splash Page Web Redirect
• The FlexConnect AP must be in Connected state with the Centralised Controller for this functionality to work
Figure: WebServer at the Central Site; Remote Site FlexConnect Group 1 with VLAN 7 (Employee) and VLAN 503 (Guest), guest traffic locally switched towards the Internet.
External WebAuth with Local Switching Configuration
Step 1: Configure the Pre-Auth ACL that will be applied to the FlexConnect Group, AP or WLAN (the ACL references the External Web-Server IP)
Step 2: Apply the Pre-Auth ACL to the WLAN
External WebAuth with Local Switching Configuration – Per AP
Step 3: Apply the Pre-Auth ACL to the FlexConnect AP (map WLAN-Id to Pre-Auth ACL)
External WebAuth with Local Switching Configuration – Per FlexConnect Group
Or Step 3: Apply the Pre-Auth ACL to the FlexConnect Group (map WLAN-Id to Pre-Auth ACL)
Step 4: Configure the External Web Server (External Web-Server IP)
Deploying BYOD with FlexConnect Local Switching (Using FlexConnect WebPolicies ACL)
Bring Your Own Device(s): The New Normal
BYOD Device On-Boarding in FlexConnect
Starting from 7.4
Example: Apple iOS Device Provisioning (WLC, ISE, CA-Server)
1. Initial Connection Using PEAP
2. Device Provisioning Wizard
3. Client Reconnects; Future Connections using EAP-TLS
FlexConnect Access Lists for BYOD: Create FlexConnect ACL
• Create a FlexConnect ACL to allow access to Cisco ISE
FlexConnect Web Policy ACL: Configure Web Policy ACL per FlexConnect AP
• ACL Mapping can be configured per FlexConnect AP
FlexConnect Web Policy ACL: Configure Web Policy ACL per FlexConnect Group
• Use the ACL Mapping tab in the FlexConnect Group configuration
• Web Policies ACLs are not the same as VLAN ACLs or Web Authentication ACLs.
Cisco Wireless Central DHCP Processing Configuration
• To support the DHCP Profiling Probe with FlexConnect, the DHCP request must be sent to the WLC. This is done by the « Central DHCP Processing » configuration.
Deploying BYOD with FlexConnect Wireless Summary – 802.1x/EAP Authentication
Participants: client, FlexConnect AP, WLC (CAPWAP across the WAN), ISE, DHCP Server, Web Server.
1. Client: WiFi Association
2. Client -> AP -> WLC: 802.1x/EAP Request (inside CAPWAP)
3. WLC -> ISE: Radius Access-Request
4. ISE -> WLC: Radius Access-Response
   Access-Type: Access-Accept, URL-Redirect-ACL=FlexACLWebPolicy, URL-Redirect=http://…… (unknown device, redirect to registration)
5. WLC -> AP: URL + ACL Redirect (inside CAPWAP)
6. WLC -> AP -> Client: 802.1x/EAP Response (inside CAPWAP)
Deploying BYOD with FlexConnect Wireless Summary – DHCP Request
1. Client -> AP -> WLC: DHCP Request (inside CAPWAP)
2. WLC -> ISE: RADIUS-Accounting with host-name=MyiPad and dhcp-class-identifier=APPLE (ISE concludes the device is an iPad)
3. WLC -> AP -> Client: DHCP Lease (inside CAPWAP)
Deploying BYOD with FlexConnect Wireless Summary – URL-Redirect
1. Client -> AP: HTTP Request
2. AP -> WLC: HTTP Request redirected to the WLC by the AP (inside CAPWAP)
3. WLC -> Client: URL-Redirect
Deploying BYOD with FlexConnect Wireless Summary – Registration & Provisioning
1. Client <-> ISE / Web Server: Device Registration & Provisioning
2. ISE -> WLC: RADIUS Change-of-Authorisation (device is registered; trigger Change-of-Auth)
3. WLC -> Client: EAP De-Authentication
4. Client -> WLC: EAP Authentication
Deploying BYOD with FlexConnect Wireless Summary – Device Access
1. Client <-> AP <-> WLC: 802.1x/EAP Request/Response (inside CAPWAP)
2. WLC -> ISE: Radius Access-Request
3. ISE -> WLC: Radius Access-Response (device is registered and provisioned; allow access)
4. Client <-> DHCP Server: DHCP Request/Response (inside CAPWAP)
5. Client -> Web Server: Web Traffic
Summary of FlexConnect ACLs
• VLAN-ACL: Applied on the 802.3 interface of the FlexConnect AP
• AAA returned Client ACL: Applied on the 802.11 interface of the AP
• Split Tunnel ACL: Allows some traffic to be locally switched
• Web Authentication ACL: Provides L3 Web Redirect for local switching
• Web Policies ACL: BYOD with FlexConnect
Operating Wireless Branch: Smart Upgrade over WAN

Upgrading a FlexConnect Deployment: Concerns
• Sites using FlexConnect APs are usually sites with low WAN bandwidth
• Each site may have a small number of APs, but an enterprise may have a lot of branches
• Upgrading ~6000 APs through a low bandwidth WAN is a challenge:
  – Time needed to download all the AP firmware
  – Exhaustion of the WAN link
  – Risk of failures during the download
Starting from 7.2
FlexConnect Smart AP Image Upgrade: Overview
• Smart AP Image Upgrade uses a « master » AP in each FlexConnect Group to download the code.
• Other FlexConnect APs download the code from the master locally
1. Download the WLC upgraded firmware (will become primary)
2. Force the « boot image » to be the secondary (and not the newly upgraded one) to avoid a parallel download by all APs in case of an unexpected WLC reboot
3. The WLC elects a master AP in each FlexConnect Group (can also be set manually)
Figure: Cisco Prime at the Central Site pushes the New firmware image to the Wireless LAN Controller (Primary: New, Secondary: Old); across the WAN, Remote Site-1 to Remote Site-N each hold a Master AP.
FlexConnect Smart AP Image Upgrade: Description (Contd.)
4. The Master AP « Pre-downloads » the AP firmware into the secondary « boot image » (will not disrupt the actual service). Can be started group per group to limit WAN exhaustion
5. Slave APs « Pre-download » the AP firmware from the Master AP
6. Change the « boot image » of the WLC to the new image
7. Reboot the controller
Figure: the Wireless LAN Controller at the Central Site holds Old Primary / New Secondary; across the WAN, the Master AP at Remote Site-1 to Remote Site-N holds the AP Firmware Image as Old Primary / New Secondary and serves the slave APs.
FlexConnect Smart AP Image Upgrade Configuration
• Enable Efficient AP Image Upgrade (valid range is 1-63)
• Random Backoff Interval (100-300 sec) between each retry
• Master AP Selection is optional
• The “FlexConnect AP Upgrade” checkbox has to be enabled for each FlexConnect Group.
• By default, the Master AP for each FlexConnect Group is selected using the Lower-MAC algorithm.
• One Master is selected per AP type.

FlexConnect Smart AP Image Upgrade Configuration (contd.)
• Per Branch or FlexConnect Group Upgrade
• Upgrade across all Branches or FlexConnect Groups whose “FlexConnect AP Upgrade” checkbox is set
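Knowing in advance which AP will become master, and therefore which AP's WAN download and local serving capacity the upgrade depends on, is useful before scheduling a branch. The Python below is an added example, not from the deck or any Cisco code, that reproduces the default rule stated on the slide (one master per AP type, lowest MAC wins) and honours a manual selection. The AccessPoint record, the elect_masters and download_plan names and the sample inventory (MACs from the 00:00:5e:00:53:xx documentation range) are constructed here.

```python
"""Master AP election for FlexConnect Smart AP Image Upgrade.

Added example, not part of the Cisco Live deck. It implements the default
selection rule stated on the slide: within a FlexConnect Group one master is
chosen per AP type using the lower-MAC algorithm, and a manually selected
master overrides the election for its type. The AccessPoint record, the
function names and the sample inventory (documentation-range MAC addresses)
are constructed here.
"""
import re
from typing import Dict, List, NamedTuple, Optional

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


class AccessPoint(NamedTuple):
    name: str
    model: str       # AP type; one master is elected per type
    mac: str         # colon-separated, case-insensitive


def mac_to_int(mac: str) -> int:
    """Normalise and validate a MAC so 'lower' means numerically lower,
    not lexically lower on mixed-case input."""
    m = mac.strip().lower()
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(m.replace(":", ""), 16)


def elect_masters(group: List[AccessPoint],
                  manual: Optional[Dict[str, str]] = None) -> Dict[str, AccessPoint]:
    """Return model -> master AP for one FlexConnect Group.

    manual maps model -> AP name for types where the administrator picked
    the master; every other type gets the AP with the lowest MAC.
    """
    manual = manual or {}
    by_model: Dict[str, List[AccessPoint]] = {}
    for ap in group:
        by_model.setdefault(ap.model, []).append(ap)
    masters: Dict[str, AccessPoint] = {}
    for model, aps in by_model.items():
        chosen = manual.get(model)
        if chosen is not None:
            candidates = [ap for ap in aps if ap.name == chosen]
            if not candidates:
                raise ValueError(f"manual master {chosen!r} is not a {model} in this group")
            masters[model] = candidates[0]
        else:
            masters[model] = min(aps, key=lambda ap: mac_to_int(ap.mac))
    return masters


def download_plan(group: List[AccessPoint],
                  manual: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Map every AP to where it fetches the image: the WLC for masters,
    the same-type master for every other AP in the group."""
    masters = elect_masters(group, manual)
    return {ap.name: ("WLC" if ap == masters[ap.model] else masters[ap.model].name)
            for ap in group}


# Constructed sample FlexConnect Group (MACs from the 00:00:5e:00:53:xx documentation range).
SAMPLE_GROUP = [
    AccessPoint("ap-3702-1", "AP-3700", "00:00:5E:00:53:1A"),
    AccessPoint("ap-3702-2", "AP-3700", "00:00:5e:00:53:0b"),
    AccessPoint("ap-2702-1", "AP-2700", "00:00:5e:00:53:20"),
    AccessPoint("ap-2702-2", "AP-2700", "00:00:5e:00:53:21"),
]

if __name__ == "__main__":
    for ap_name, source in download_plan(SAMPLE_GROUP).items():
        print(f"{ap_name} downloads from {source}")
```

Comparing MACs as integers rather than strings matters here: the sample mixes upper- and lower-case hex on purpose, and a plain string sort would rank "00:00:5E:00:53:1A" below "00:00:5e:00:53:0b".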
Service-Ready Branch

FlexConnect VideoStream

Video Multicast Delivery Challenges: Technical Challenges
• Multicast packets (UDP) are sent as broadcast packets over the air per the 802.11 standard
• Broadcast packets do not use error correction: “fire and forget”
• Broadcast packets are sent at the data rate mandatory to all clients connected to the WLAN: 1 Mb for B/G (400K actual), 6 Mb for A (2.7 Mb actual)
Figure: 802.11 data-rate ladder from the Video Server to the clients (1, 2, 5.5, 11 for B/G; 6, 9, 12, 18, 24, 36, 48, 54; M0 to M15 for N), with the default 802.11B/G mandatory data rates highlighted.

Video Impact
• Choppy, Unreliable Video
• Video Stream does not utilise 802.11n/ac High Throughput data rates
• Heavy utilisation of the channel due to a high rate of very slow packets
• Video delivery is not reliable, causing poor Quality of Experience
Video Multicast Delivery Solution 802.11 Data Rates
Technical Solution
1
• IGMP state monitored for each client. Only send video to clients requesting
2 5.5 6
• Sent as unicast to individual clients at their data rate
• Multicast packets replicated at AP
9
B/G
11 12
Video Impact • Smooth, Reliable Video delivered to multiple clients • Quality of Video protected in varying channel load conditions • Prioritises Business Video (QoS Gold) over other video ( Best-effort )
18 24 36
48 54 M0
N
M1 ...
Video Server BRKEWN 2016
© 2015 Cisco and/or its affiliates. All rights reserved.
M14 M15
Cisco Public
Starting from 8.0
Default 802.11B/G mandatory data rates
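The airtime trade-off behind the multicast-to-unicast conversion above, as an added Python example that is not from the deck: it uses the slide's "actual" mandatory-rate figures, assumes a simplified 0.4 efficiency factor for per-client unicast rates, and constructs the client, IGMP-join and stream values itself. It also shows the failure mode the slide does not spell out: once enough slow clients join, replication costs more airtime than a single broadcast.

```python
# Added example (not from the Cisco deck): compares channel airtime for one video
# stream sent once as a broadcast frame at the WLAN's mandatory rate versus
# VideoStream's multicast-to-unicast replication to each client at its own rate.
# Only clients whose IGMP state shows a join for the group get a unicast copy.
# Assumptions: the "actual" mandatory-rate figures are the slide's (1 Mb nominal /
# 400 Kb actual for B/G, 6 Mb / 2.7 Mb for A); per-client unicast throughput is
# simplified to nominal PHY rate times the same 0.4 efficiency factor.

MANDATORY_ACTUAL_BPS = {"bg": 400_000, "a": 2_700_000}  # from the slide
EFFICIENCY = 0.4  # assumed: 1 Mb nominal -> 400 Kb actual, applied to every rate

def broadcast_airtime(stream_bps, band):
    """Airtime seconds per second of video when sent once at the mandatory rate.
    A result above 1.0 means the channel cannot carry the stream at all."""
    return stream_bps / MANDATORY_ACTUAL_BPS[band]

def multicast_direct_airtime(stream_bps, clients, igmp_joins, group):
    """Airtime when the AP replicates the stream as unicast to every client that
    joined `group` (clients: {mac: phy_mbps}, igmp_joins: {mac: {group_ip, ...}})."""
    total = 0.0
    for mac, phy_mbps in clients.items():
        if group in igmp_joins.get(mac, set()):
            total += stream_bps / (phy_mbps * 1_000_000 * EFFICIENCY)
    return total

def choose_delivery(stream_bps, band, clients, igmp_joins, group):
    """Return (cheaper_method, broadcast_airtime, unicast_airtime). Replication
    loses once enough slow clients join, so the comparison stays explicit."""
    b = broadcast_airtime(stream_bps, band)
    u = multicast_direct_airtime(stream_bps, clients, igmp_joins, group)
    return ("multicast-direct" if u < b else "broadcast", b, u)

# Constructed sample: 2 Mb stream, three associated clients, two joined 229.77.77.28
CLIENTS = {"7c:d1:c3:86:7e:dc": 54, "88:cb:87:bd:0c:ab": 130, "d8:96:95:02:7e:b4": 11}
JOINS = {"7c:d1:c3:86:7e:dc": {"229.77.77.28"}, "88:cb:87:bd:0c:ab": {"229.77.77.28"}}

if __name__ == "__main__":
    print(choose_delivery(2_000_000, "a", CLIENTS, JOINS, "229.77.77.28"))
```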
FlexConnect VideoStream Configuration: Enable VideoStream - Global
(Cisco Controller) >config media-stream multicast-direct ?
enable     Enable Global Multicast to Unicast Conversion
disable    Disable Global Multicast to Unicast Conversion

FlexConnect VideoStream Configuration: Add Stream Configuration
(Cisco Controller) >configure media-stream add multicast-direct [template | detail video ]

FlexConnect VideoStream Configuration: Enable VideoStream - WLAN
(Cisco Controller) >config wlan media-stream multicast-direct 1 ?
enable     Enables Multicast-direct on the WLAN
disable    Disables Multicast-direct on the WLAN.

FlexConnect VideoStream Monitoring: Controller
(Cisco Controller) >show flexconnect media-stream client summary
Client Mac          Stream Name   Multicast IP    AP-Name   VLAN  Type
------------------  ------------  --------------  --------  ----  ----------------
7c:d1:c3:86:7e:dc   Media2        229.77.77.28    AP_1600   0     Multicast Direct
88:cb:87:bd:0c:ab   Media2        229.77.77.28    AP_1600   0     Multicast Direct
d8:96:95:02:7e:b4   Media2        229.77.77.28    AP_1600   0     Multicast Direct
FlexConnect Bridge Mode Support (starting from 8.0)
FlexConnect on Mesh APs
• New AP mode that allows FlexConnect behaviour across mesh-enabled APs
• Per-location SSID
• FlexConnect Groups
• Max 8 mesh hops, max 32 MAPs per RAP
• Local AAA support
• A WLC can have a mix of Bridge and Flex+Bridge APs
• MAPs inherit VLANs from their connected RAP
[Diagram: WLC at the Central Site across the WAN to the Remote Office; the Local Data WLAN is switched locally (local traffic) and the Central Data WLAN is switched centrally (centralised traffic)]

FlexConnect-Bridge Failover Scenario
Failover Considerations
• AP SSO is supported for the RAP only. N+1 recommended. SSO for MAPs coming in 8.1.
• Multi-sector RAP deployments can be used for redundancy
• The RAP goes to standalone mode when the WLC is not reachable
• MAPs go to standalone mode when the WLC is not reachable but the gateway is
• When in standalone mode no new mesh AP can join the mesh tree
[Diagram: Primary and Secondary WLCs across the WAN from the Remote Office and its Application Server]
AP Modes Feature Comparison (For Your Reference)
Columns: Local Mode | Bridge Mode | FlexConnect Mode | Flex+Bridge Mode
Central Switching: Yes | Yes | Yes | Yes
[Table: the remaining rows compare Root Ethernet VLAN bridging, Secondary Ethernet Access Ports, Secondary Ethernet VLAN Trunk Ports, Local VLAN Inheritance by MAPs from RAPs, Wireless Child Mesh APs, Fault Tolerant Resilient Mode, Security ACLs per VLAN on Ethernet Root Ports, Integrated IP Routing (PPP/PPPoE/NAT), VLAN Transparent Bridging and Path Control Protocol across the four modes. The Yes/No cells, including the qualified entries "Yes (secondary Ethernet hosts)", "Yes - Secondary Ethernet "access" ports only", "Yes - both bridged 802.11 WLANs and Ethernet "access" ports" and "Yes (on RAPs)", could not be recovered in column order from the extracted text.]
FlexConnect Bridge Mode Configuration
GUI path: Wireless > Access Points > AP_NAME > General, then Wireless > Access Points > AP_NAME > FlexConnect.
• The AP will reboot upon the mode change
• Same options as an AP in Flex mode
FlexConnect Application Visibility and Control (coming in 8.1)

How the AVC Solution Works (AireOS 8.1)
[Figure: App Visibility & User Experience Report with columns App / BW / Transaction Time, e.g. WebEx 3 Mb 150 ms; Citrix 10 Mb 500 ms; static NetFlow from the AP, NBAR on the AP]
• Deep Packet Inspection: the DPI engine (NBAR2) identifies applications using L7 signatures
• Performance Collection & Exporting: the AP collects application info and exports it to the controller/switch every 90 seconds
• Reporting Tool: an advanced reporting tool aggregates and reports application performance
• Control: use QoS to control application bandwidth usage to improve application performance
AVC on FlexConnect APs (coming in 8.1, Katana)
[Diagram: Gen2 APs in the BRANCH, NetFlow export from AP to WLC across the WAN, static NetFlow from the WLC to CPI or a third-party NetFlow collector]
• NetFlow export from AP to WLC: real-time information for the last 90 seconds
• Stateful context transfer on roam
Sample AP flow table:
Flow ID  App Name   Packets
1        WebEx      1000
2        Msft-Lync  2300
3        Skype      660
NBAR2 (1000+ applications) and NetFlow will be ported onto Access Points. Stateful context transfer will be supported for intra-FlexConnect-Group roams.

AVC for FlexConnect APs (coming in 8.1)
Support on AP
• NBAR2 engine on the FlexConnect AP
• Protocol Pack 8.0
• NBAR engine version 16
• Send flows to the WLC every 90 sec using NetFlow
• Classification and Control at the AP: Mark (DSCP), Drop, Rate-limit
Support on WLC
• Export to external NetFlow supported
• Intra FlexConnect Group roaming support
• Supported on all controller models except 2504
• Supported on Gen 2 APs: 1600, 2600, 3600, 1700, 2700, 3700, 1532, 1570
• FlexConnect and Flex+Bridge mode supported
AVC Configuration on Local Switching WLAN (coming in 8.1)
WLAN AVC configuration is applied on the Local Switching WLAN.

AVC Configuration per FlexConnect Group (coming in 8.1)
• FlexConnect Group specific AVC configuration takes precedence over the WLAN AVC config
• No AP specific AVC configuration
• WLAN AVC configuration will be pushed to Flex APs where the WLAN is broadcast
GUI callouts: FlexConnect Group AVC configuration; Application Visibility WLAN-specific Enable/Disable; Enable/disable, Profile, Monitor per WLAN

FlexConnect AVC Profiles (coming in 8.1)
FlexConnect AVC profiles can be associated under a WLAN and/or a FlexConnect Group.

FlexConnect AVC Applications (coming in 8.1)
Protocol Pack version 8.0, Engine version 16

Monitoring AVC Statistics (coming in 8.1)
Per FlexConnect Group AVC statistics and per client AVC statistics.
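The AVC precedence rules above (FlexConnect Group config over WLAN config, no per-AP config, WLAN config pushed only where the WLAN is broadcast) and the AP-side actions (mark DSCP, drop, rate-limit), as an added Python example that is not Cisco code; the profile names, WLAN names, AP-to-group mapping and flow records are constructed, with the flow table mirroring the one on the slide:

```python
# Added example (not Cisco code): resolves which AVC profile a FlexConnect AP applies
# to a WLAN, following the precedence the slides state (FlexConnect Group config wins
# over WLAN config; there is no per-AP config; WLAN config reaches only APs that
# broadcast that WLAN), then applies the profile's actions (mark DSCP, drop,
# rate-limit) to constructed NetFlow-style records like the ones the AP exports.
from dataclasses import dataclass

@dataclass
class Flow:
    flow_id: int
    app: str
    packets: int

def resolve_profile(wlan, ap, wlan_profiles, group_profiles, ap_groups, ap_wlans):
    """Return the AVC profile name for (wlan, ap), or None when nothing is pushed."""
    if wlan not in ap_wlans.get(ap, set()):
        return None  # WLAN not broadcast on this AP: no AVC config is pushed
    group = ap_groups.get(ap)
    if group and (group, wlan) in group_profiles:
        return group_profiles[(group, wlan)]  # FlexConnect Group config takes precedence
    return wlan_profiles.get(wlan)  # otherwise the WLAN-level config applies

def apply_profile(flows, rules):
    """rules: {app: ('mark', dscp) | ('drop',) | ('rate-limit', kbps)}.
    Returns {flow_id: action}; apps with no rule are permitted unchanged."""
    actions = {}
    for f in flows:
        rule = rules.get(f.app, ("permit",))
        if rule[0] == "mark":
            actions[f.flow_id] = f"mark dscp {rule[1]}"
        elif rule[0] == "rate-limit":
            actions[f.flow_id] = f"rate-limit {rule[1]} kbps"
        else:
            actions[f.flow_id] = rule[0]  # 'drop' or 'permit'
    return actions

# Constructed sample; the flow table mirrors the one on the slide.
FLOWS = [Flow(1, "WebEx", 1000), Flow(2, "Msft-Lync", 2300), Flow(3, "Skype", 660)]
PROFILES = {
    "wlan-default": {"WebEx": ("mark", 34)},
    "branch-strict": {"WebEx": ("mark", 34), "Msft-Lync": ("rate-limit", 2000),
                      "Skype": ("drop",)},
}
WLAN_PROFILES = {"Corp": "wlan-default"}                  # WLAN-level AVC profile
GROUP_PROFILES = {("Branch-A", "Corp"): "branch-strict"}  # per FlexConnect Group
AP_GROUPS = {"AP_1600": "Branch-A", "AP_3700": "Branch-B"}
AP_WLANS = {"AP_1600": {"Corp"}, "AP_3700": {"Guest"}}    # WLANs each AP broadcasts
```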
FlexConnect Best Practices

Best Practices Recommendations (AirOS) - For Your Reference
Make it work / Make it perform / Make it easy
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html

INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• Disable Aironet IE
• FlexConnect Groups and Smart AP Upgrade

SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advance EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Peer-to-peer blocking
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers

WIRELESS / RF
• Disable 802.11b data rates
• Restrict number of WLAN below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load

MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode

FLEX CONNECT
• Enable FlexConnect Groups
• CCKM/OKC Key sharing for Voice deployments
• Enable Smart AP Image Upgrade
• Design for Resiliency
• VLAN-WLAN Mappings at Group Level
• Consistent configuration across Primary and Backup WLCs
Summary
• The controller-based Cisco Unified Wireless Network delivers the wireless branch solution
• FlexConnect is the feature designed to solve remote connectivity and WAN constraints
• Several failover scenarios are targeted to offer survivability of small remote sites

References:
• Wireless LAN Controller Scale Comparison Guide: http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#controllers
• FlexConnect Branch Controller Deployment Guide: http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html
• FlexConnect feature matrix: http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html
• Wireless Best Practices: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-best-practice.html

Q&A

Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations.
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com