Converged Access - Campus Network Design

Date post: 16-Apr-2017
Upload: cisco-public-sector
Cisco Confidential 1 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Transcript
  • Converged Access Controller-Less Campus Design: Add More To Grow

    [Figure: campus of five buildings (Bldg 1 to Bldg 5), floors labelled Floor-1 to Floor-4, with MA and MC switches placed on the floors.]

  • Converged Access Controller-Less Campus Design: Consistent Success Design Principles

    Foundation
    o VSS in Distribution
    o Stack in Access if possible
    o Multilayer Network Design
    o EtherChannel
    o Unique Wired and Wireless VLAN (Design-1)
    o Unique Wireless Mgmt VLAN Per Access
    o Cisco Borderless Campus CVD Best Practices

    Inventory
    o Collect Per-Building Infrastructure Inventory
    o Analyze Indoor RF coverage
    o Check if Outdoor RF coverage required today
    o Up to date RF survey
    o Design conclusion based on Inventory

    [Figure: Bldg 1, Floor-1 to Floor-4, with MA and MC switches.]

    * = IOS-XE RF Profile Coming Soon

  • Converged Access Controller-Less Campus Mobility Design

    [Figure: Mobility and Roaming between Bldg 1 and Bldg 2, each with Floor-1 to Floor-4 and MA/MC switches; no outdoor RF between the buildings.]

    o Seamless Roam: Static inter-domain Mobility peering between MCs. Non-disruptive Wireless communication across the same building
    o Hard Roam: No outdoor RF coverage. Clients re-associate to the Wireless network between buildings
    o Peer Only If Needed: Do not build Mobility tunnels beyond one building

  • Converged Access Quality Fact Check

    [Chart: Unique TAC Case Count (y-axis, 0 to 160) per month from Apr'14 to Mar'15, broken down by: New IOS and New Bug; New IOS and Old Bug; Self-Resolved by Customer; Customer Education; Mis-configured System/Network.]

    Solve Challenge with: Cisco Prime Infra. CA WorkFlows

  • How Long Would it Take You To Deploy This Network?

    [Figure: Branch-1 to Branch-16 (switches POD-1-3K1, POD-1-3K2 through POD-8-3K1, POD-8-3K2) reaching two Internet-facing guest anchors, 5760-GA-1 and 5760-GA-2.]

    o Addressing & Mobility: MC to Guest Anchor Mobility
    o WLANs: POD-X-3K-8021X, POD-X-3K-PSK, POD-X-3K-OPEN, POD-X-3K-GUEST
    o App Visibility: Bandwidth (%) 40, 30, 20, 10
    o Security (ISE): Centralized WebAuth, Dynamic VLAN, Downloadable ACL
    o Wireless Services: IEEE 802.11AC, Radio Resource Mgmt, ClientLink 3.0, CleanAir, Fast-SSID-Change, Captive Bypass-Portal

    Two Guest Anchor Controllers, 16 Converged Access Branches, WLANs and Security, IP Addressing, QoS and App Visibility, and a suite of Services.

    So How Long to Deploy All of This?

  • How Long Would it Take You To Deploy This Network?

    [Figure: the same 16-branch network with two guest anchors, WLANs, App Visibility, Security and Wireless Services as on the previous slide.]

    So How Long to Deploy All of This? How about 5 minutes?

  • Converged Access WorkFlow Overview

    [Figure: DC (CPI, ISE) connected to Branch, Large Branch and Large Campus sites built from MC/MA, MC and MA switches.]

    IOS-XE Wireless WorkFlows
    o WorkFlow 1: Small Network
    o WorkFlow 2: Large Network

    o WLAN: 4 SSID Support WPA2-Ent/WPA2-Personal/Open/Guest-CWA, 802.11 AC, Captive Bypass-Portal, Fast SSID-Change etc.
    o Application Experience: Wireless Flexible Netflow, Application Visibility and Per-SSID BW allocation
    o Security: Radius, 802.1X, CWA, AAA-Override, Client Timeout, NAC, DHCP Snooping, ARP Inspection, Clear Password Encryption etc.
    o Wireless Best Practices: Band-Select, RRM, CleanAir, DCA Channel, Radius Timeout, WiFi Direct Policy etc.

    Shipping: Mar 15
    Cisco Prime Infra: 2.2.1 + Wireless Technology Package 1.0.0

    IOS-XE Supported Platforms

    Platform | System Mode | IOS-XE Software Version | Agent (MA) | Controller (MC)
    Catalyst 3650/3850 | Standalone and StackWise | 3.6.0 and above | |
    Catalyst 3850 Fiber | Standalone and StackWise | 3.6.0 and above | |

  • CA WorkFlows Configuration Structure

    Network (Global Significant): Network-Wide Wireless Configuration
    o Enterprise and Guest SSID
    o Security Policy
    o Application Visibility
    o Wireless QoS

    Enterprise-SSID

    SSID | SSID / VLAN Name
    WLAN 1 - 8021X | PI_8021X / PI_8021X_VLAN
    WLAN 2 PSK | PI_PSK / PI_PSK_VLAN
    WLAN 3 OPEN | PI_OPEN / PI_OPEN_VLAN

    Guest-SSID

    SSID | SSID / VLAN Name
    Guest | PI_GUEST_CWA / GUEST_VLAN

    Security: AAA Server

    Protocol | Radius
    IP | 10.100.1.51
    Key | cisco

    Application Experience

    | Prime | Lancope
    IP : Port | 10.100.1.82 | 10.100.2.82

    SSID | BW %
    WLAN 1 - 8021X | 40
    WLAN 2 PSK | 30
    WLAN 3 OPEN | 20
    GUEST | 10

    Device (Local Significant): Per-Device Configuration
    o Wireless Mgmt VLAN ID
    o Wireless Mgmt IP / Mask

    WM Address | 3x50 / 4500E-Sup8E | 5760-GA
    WM VLAN ID | 105 | 33
    WM IP / Mask | 10.102.1.77 / 255.255.255.240 | 10.99.2.243 / 255.255.255.240

    Device Group (Domain Significant): Per-Domain Configuration
    o Role: Agent (MA) or Controller (MC)
    o SPG Group
    o SPG Group to Agent Mapping
    o Mobility Peerings

    Role | Controller / Agent
    Controller IP | 10.101.3.109
    Switch Peer Group Name | SPG-1
    Mobility Agent IP(s) | 10.101.1.109 ; 10.101.2.109
    Peer Controller IP(s) | 10.101.13.109 ; 10.101.23.109

  • CA WorkFlows Planning End-to-End Network Design

    [Figure: DC (CPI, ISE), Internet with GA, and Branch sites (MC/MA) reached over the WAN; campus Sub-Domain-1 (SPG-1) and Sub-Domain-2 (SPG-2), each with MA and MC/MA switches.]

    Controller-Less Single-Switch Branch
    o Per-Site single switch Branch/Retail
    o Integrated MA/MC Role
    o No SPG Required
    o Pre-Installed IPBase and AP License
    o Central Guest WiFi solution
    o Remote backend services

    Controller-Less Single/Multi-Domain Branch
    o Multi-device Branch Network
    o Multiple MA and MC(s) in Access
    o SPG Required
    o Pre-Installed IPBase and AP License
    o Central Guest WiFi solution
    o Remote backend services

  • CA WorkFlows Pre-Requisite Layer 2 Configuration

    [Figure: branch and campus MC/MA and MA switches and the Internet-facing GA, interconnected over L2 links.]

    Location | Device | WLAN * | VLAN Name ** | VLAN ID
    Branch-1 | 3850 | SSID-1 | SSID_1_VLAN | 101
    Branch-2 | 3650 | SSID-1 | SSID_1_VLAN | 201
    Campus-SW1 | 4500-Sup8E | SSID-1 | SSID_1_VLAN | 101
    Campus-SW2 | 3850 | SSID-1 | SSID_1_VLAN | 102
    DMZ Guest Anchor | 5760 | Guest | Guest_VLAN | 500

    Layer 2 network in Branch, Campus and DMZ must be preset before using Converged Access WorkFlows:

    o Wireless Management VLAN: Create VLAN ID in database.
        - Network-wide common or unique VLAN Name
        - Associate VLAN to AP Ports

    o Wireless Client VLAN: Create VLAN ID in database
        - Network-wide common VLAN Name

    o Guest Client VLAN: Create VLAN ID in database of Guest Anchor WLC
        - VLAN Name must be common on all Guest Anchor

    o Enable DHCP Snooping and Trust settings on Wireless Client VLANs

    o Allow Wireless Management and Wireless Client VLAN on L2 Trunk ports of switches and upstream L2/L3 devices (Router/Switch)
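
    The Layer 2 prerequisites above, written out as switch configuration for the Branch-1 Catalyst 3850. This is an added example, not configuration from the original deck: VLAN 105, VLAN 101 and the name SSID_1_VLAN are the deck's sample values, while the name WIRELESS_MGMT and both interface names are assumptions.

    ```ios
    ! Added example (not from the original deck).
    ! Assumed: VLAN name WIRELESS_MGMT, interface numbering, port descriptions.
    !
    ! 1. Create the Wireless Management and Wireless Client VLANs in the database
    vlan 105
     name WIRELESS_MGMT
    vlan 101
     name SSID_1_VLAN
    !
    ! 2. Enable DHCP Snooping globally, then only on the Wireless Client VLAN
    ip dhcp snooping
    ip dhcp snooping vlan 101
    !
    ! 3. Associate the Wireless Management VLAN to an AP port.
    !    Access ports stay untrusted for DHCP snooping (the default).
    interface GigabitEthernet1/0/1
     description AP port (assumed)
     switchport mode access
     switchport access vlan 105
     spanning-tree portfast
    !
    ! 4. Uplink trunk: allow only the two wireless VLANs and trust DHCP
    !    server replies arriving from the upstream L2/L3 device.
    interface TenGigabitEthernet1/1/1
     description Uplink to distribution (assumed)
     switchport mode trunk
     switchport trunk allowed vlan 101,105
     ip dhcp snooping trust
    ```

    `show vlan brief`, `show interfaces trunk` and `show ip dhcp snooping` confirm the VLAN database, the allowed VLAN list and the trusted port before the WorkFlow is deployed.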

  • CA WorkFlows Pre-Requisite Wireless Configuration

    [Figure: MA, MC/MA, MC and GA devices.]

    Depending on the desired Mobility role, certain Wireless configuration in Branch and Campus must be preset before using Converged Access WorkFlows:

    o Mobility Device Role conversion:
        - Identify and convert Catalyst Switch to Mobility Controller (MC). Reboot required
        - No change on Catalyst switch in Mobility Agent (MA) role

    o AP License provisioning:
        - Access Point licenses are required on Mobility Controller
        - Install the appropriate number of AP licenses on each MC to cover the maximum number it needs to support at its local Sub-Domain level

    Device Type | Default Mobility Role | Desired Mobility Role | Conversion | AP License
    Catalyst 3650/3850 | MA | MA | Not Required | Not Required
    Catalyst 3650/3850 | MA | MC | Required | Required

    3650/3850 MC Role Conversion

        3850(config)#wireless mobility controller
        3850#copy run start
        3850#reload

    3650/3850 AP License Provisioning

        3850#license right-to-use activate apcount slot acceptEULA

  • CA WorkFlows Pre-Requisite Servers Configuration

    [Figure: DC (CPI, ISE) with MA, MC/MA, MC and GA devices.]

    Cisco Prime Infrastructure
    o All network-wide Catalyst switches must be configured with SNMP
    o Programmed in Cisco Prime Infrastructure Device Management
    o Link Cisco Prime Infrastructure with Cisco ISE engine as external server to centrally monitor end-to-end Client connectivity and policy enforcement details

    Cisco ISE/ACS
    o All network devices including Catalyst switches and Guest Anchor WLC must be configured in Cisco ISE/ACS to enable centralized policy engine function.
    o No AAA configuration required on network devices. Automated using Cisco Prime Infrastructure WorkFlows

    DHCP Server
    o Internal or external DHCP Server must be preconfigured with appropriate pool settings for Wireless Clients

    DNS Server
    o DNS Server must be preconfigured with appropriate name-lookup process to successfully connect the network

  • CA WorkFlow Pre-Requisite Sample Network Configurations

  • Global Converged Access Configuration: Build and Export

    [Figure: the Network (Global Significant) parameter tables (Enterprise-SSID, Guest-SSID, Security, Application Experience) with the same sample values as on the CA WorkFlows Configuration Structure slide, marked Export.]

    o Supported in Template Based Deployment mode

    o Build Once. Use Many model

    o Generate global significant Converged Access configurations including:
        - SSID and VLAN Name
        - Guest SSID, Guest Anchor WLC and VLAN Name
        - Security Parameters
        - Application Experience: Flexible NetFlow Collector IP Address, Per-SSID QoS Policy

    o Export this one time required configuration as CSV on local desktop. Reuse by simply importing configuration

  • Global Converged Access Configuration: Import Template

    [Figure: the Network (Global Significant), Device (Local Significant) and Device Group (Domain Significant) parameter tables with the same sample values as on the CA WorkFlows Configuration Structure slide, marked Import.]

    o Supported in Template Based Deployment mode

    o Update CSV and import global Converged Access configuration

    o Program per-device configuration:
        - Wireless Management VLAN ID, IP Address and Mask
        - Guest SSID, Guest Anchor WLC and VLAN Name
        - Security Parameters
        - Application Experience: Flexible NetFlow Collector IP Address, Per-SSID QoS Policy

    o For Large Template configure per Mobility sub-domain parameters

    o Deploy the Workflow on selected device.

    o Repeat above steps for another set of Converged Access devices

  • CPI Template Key Benefits

    o Complete automation of Converged Access architecture with simple data inputs

    o Simple to Use. Intelligence in Tool

    o Mask Complexity. Basic user knowledge to power up broad IOS innovations

    o Scalable design to accelerate deployments

    o Optimize Converged Access deployments with integrated recommended Best Practices

  • Thank you.

