Date post: 16-Apr-2017
Category: Technology
Upload: cisco-public-sector
Cisco Confidential 1 2013-2014 Cisco and/or its affiliates. All rights reserved.

Converged Access Controller-Less Campus Design: Add More To Grow
[Figure: Bldg 1 to Bldg 5, each with Floor-1 to Floor-4 and MA / MC switches]

Converged Access Controller-Less Campus Design: Consistent Success Design Principles
Foundation
o VSS in Distribution
o Stack in Access if possible
o Multilayer Network Design
o EtherChannel
o Unique Wired and Wireless VLAN (Design-1)
o Unique Wireless Mgmt VLAN Per Access
o Cisco Borderless Campus CVD Best Practices
Inventory
o Collect Per-Building Infrastructure Inventory
o Analyze Indoor RF coverage
o Check if Outdoor RF coverage required today
o Up to date RF survey
o Design conclusion based on Inventory
[Figure: Bldg 1 with Floor-1 to Floor-4 and MA / MC switches]
* = IOS-XE RF Profile Coming Soon

Converged Access Controller-Less Campus Mobility Design
o Seamless Roam : Static inter-domain Mobility peering between MCs. Non-disruptive Wireless communication across the same building
o Hard Roam : No outdoor RF coverage. Clients re-associate to the Wireless network between buildings
o Peer Only If Needed : Do not build Mobility tunnels beyond one building
[Figure: Mobility and Roaming; Bldg 1 and Bldg 2, each with Floor-1 to Floor-4 and MA / MC switches; no outdoor RF between the buildings]

Converged Access Quality Fact Check
[Chart: Unique TAC Case Count (0 to 160) per month, Apr'14 to Mar'15, by category: New IOS and New Bug; New IOS and Old Bug; Self-Resolved by Customer; Customer Education; Mis-configured System/Network]
Solve Challenge with : Cisco Prime Infra. CA WorkFlows

How Long Would it Take You To Deploy This Network?
o Two Guest Anchor Controllers : 5760-GA-1 and 5760-GA-2
o 16 Converged Access Branches : Branch-1 to Branch-16 (switches POD-1-3K1 / POD-1-3K2 to POD-8-3K1 / POD-8-3K2)
o IP Addressing & Mobility : MC to Guest Anchor Mobility
o WLANs and Security : POD-X-3K-8021X, POD-X-3K-PSK, POD-X-3K-OPEN, POD-X-3K-GUEST; ISE; Centralized WebAuth; Dynamic VLAN; Downloadable ACL
o QoS and App Visibility : Bandwidth (%) 40 / 30 / 20 / 10
o and a suite of Wireless Services : IEEE 802.11AC, Radio Resource Mgmt, ClientLink 3.0, CleanAir, Fast-SSID-Change, Captive Bypass-Portal
So How Long to Deploy All of This?
How about 5 minutes?

Converged Access WorkFlow Overview
o WLAN : 4 SSID Support WPA2-Ent/WPA2-Personal/Open/Guest-CWA, 802.11 AC, Captive Bypass-Portal, Fast SSID-Change etc.
o Application Experience : Wireless Flexible Netflow, Application Visibility and Per-SSID BW allocation
o Security : Radius, 802.1X, CWA, AAA-Override, Client Timeout, NAC, DHCP Snooping, ARP Inspection, Clear Password Encryption etc.
o Wireless Best Practices : Band-Select, RRM, CleanAir, DCA Channel, Radius Timeout, WiFi Direct Policy etc.
[Figure: IOS-XE Wireless WorkFlows. DC with CPI and ISE; WorkFlow 1 Small Network (Branches with MC/MA); WorkFlow 2 Large Network (Large Branch and Large Campus with MC/MA, MC and MA switches)]
Shipping : Mar 15
Cisco Prime Infra : 2.2.1 + Wireless Technology Package 1.0.0

IOS-XE Supported Platforms
Platform              System Mode                IOS-XE Software Version   Agent (MA)   Controller (MC)
Catalyst 3650/3850    Standalone and StackWise   3.6.0 and above
Catalyst 3850 Fiber   Standalone and StackWise   3.6.0 and above

CA WorkFlows Configuration Structure

Network (Global Significant)
Network-Wide Wireless Configuration : Enterprise and Guest SSID, Security Policy, Application Visibility, Wireless QoS

Enterprise-SSID
SSID             SSID / VLAN Name
WLAN 1 - 8021X   PI_8021X / PI_8021X_VLAN
WLAN 2 - PSK     PI_PSK / PI_PSK_VLAN
WLAN 3 - OPEN    PI_OPEN / PI_OPEN_VLAN

Guest-SSID
                 SSID / VLAN Name
Guest            PI_GUEST_CWA / GUEST_VLAN

Security
AAA Server
Protocol         Radius
IP               10.100.1.51
Key              cisco

Application Experience
                 Prime         Lancope
IP : Port        10.100.1.82   10.100.2.82

SSID             BW %
WLAN 1 - 8021X   40
WLAN 2 - PSK     30
WLAN 3 - OPEN    20
GUEST            10

Device (Local Significant)
Per-Device Configuration : Wireless Mgmt VLAN ID, Wireless Mgmt IP / Mask

WM Address       3x50 / 4500E-Sup8E              5760-GA
WM VLAN ID       105                             33
WM IP / Mask     10.102.1.77 / 255.255.255.240   10.99.2.243 / 255.255.255.240

Device Group (Domain Significant)
Per-Domain Configuration : Role : Agent (MA) or Controller (MC), SPG Group, SPG Group to Agent Mapping, Mobility Peerings

Role                     Controller / Agent
Controller IP            10.101.3.109
Switch Peer Group Name   SPG-1
Mobility Agent IP(s)     10.101.1.109 ; 10.101.2.109
Peer Controller IP(s)    10.101.13.109 ; 10.101.23.109

CA WorkFlows Planning End-to-End Network Design
[Figure: DC with CPI and ISE; Branches with MC/MA over the WAN; Sub-Domain-1 (SPG-1) and Sub-Domain-2 (SPG-2), each with MA and MC/MA; Guest Anchor (GA) toward the Internet]

Controller-Less Single-Switch Branch
o Per-Site single switch Branch/Retail
o Integrated MA/MC Role
o No SPG Required
o Pre-Installed IPBase and AP License
o Central Guest WiFi solution
o Remote backend services

Controller-Less Single/Multi-Domain Branch
o Multi-device Branch Network
o Multiple MA and MC(s) in Access
o SPG Required
o Pre-Installed IPBase and AP License
o Central Guest WiFi solution
o Remote backend services

CA WorkFlows Pre-Requisite Layer 2 Configuration
[Figure: MC/MA and MA access switches connected over L2 links to distribution switches; Guest Anchor (GA) toward the Internet]

Location     Device       WLAN *   VLAN Name **   VLAN ID
Branch-1     3850         SSID-1   SSID_1_VLAN    101
Branch-2     3650         SSID-1   SSID_1_VLAN    201
Campus-SW1   4500-Sup8E   SSID-1   SSID_1_VLAN    101
Campus-SW2   3850         SSID-1   SSID_1_VLAN    102
DMZ Guest Anchor   5760   Guest    Guest_VLAN     500
Layer 2 network in Branch, Campus and DMZ must be preset before using Converged Access WorkFlows :
o Wireless Management VLAN : Create VLAN ID in database.
    Network-wide common or unique VLAN Name
    Associate VLAN to AP Ports
o Wireless Client VLAN : Create VLAN ID in database
    Network-wide common VLAN Name
o Guest Client VLAN : Create VLAN ID in database of Guest Anchor WLC
    VLAN Name must be common on all Guest Anchor
o Enable DHCP Snooping and Trust settings on Wireless Client VLANs
o Allow Wireless Management and Wireless Client VLAN on L2 Trunk ports of switches and upstream L2/L3 devices (Router/Switch)
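
The Layer 2 prerequisites listed above, written out as IOS configuration for one access switch. This is an added example, not configuration from the original slides: VLAN 105, VLAN 101 and the name SSID_1_VLAN come from the tables on this page, while the name WM_MGMT_VLAN and the interface numbers are assumptions.

```cisco
! Added example, not from the original slides.
! VLAN 105 (wireless management) and VLAN 101 / SSID_1_VLAN (Branch-1 row)
! are taken from this page; WM_MGMT_VLAN and all interface numbers are assumed.
!
! 1. Create the VLANs in the VLAN database
vlan 105
 name WM_MGMT_VLAN
vlan 101
 name SSID_1_VLAN
!
! 2. Associate the wireless management VLAN to the AP ports
interface GigabitEthernet1/0/1
 description AP port (assumed interface)
 switchport mode access
 switchport access vlan 105
!
! 3. Enable DHCP snooping globally and on the wireless client VLAN
ip dhcp snooping
ip dhcp snooping vlan 101
!
! 4. Carry both VLANs on the L2 trunk and trust only the uplink that
!    leads to the DHCP server; every other port stays untrusted, so
!    DHCP server replies arriving on client-facing ports are dropped.
!    "add" keeps VLANs already allowed on an existing trunk.
interface TenGigabitEthernet1/1/1
 description Uplink trunk (assumed interface)
 switchport mode trunk
 switchport trunk allowed vlan add 101,105
 ip dhcp snooping trust
!
! Checks to run afterwards:
!   show vlan brief
!   show interfaces trunk
!   show ip dhcp snooping
```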

CA WorkFlows Pre-Requisite Wireless Configuration
[Figure: MA and MC/MA access switches, MC, and Guest Anchor (GA)]
Certain Wireless configuration in Branch and Campus must be preset before using Converged Access WorkFlows :
o Mobility Device Role conversion :
    Identify and convert the Catalyst switch into Mobility Controller (MC). Reboot required
    No change on Catalyst switch in Mobility Agent (MA) role
o AP License provisioning :
    Access Point licenses are required on the Mobility Controller
    Install the appropriate number of AP licenses on each MC to support the maximum number of APs it needs to support in its local Sub-Domain

Device Type          Default Mobility Role   Desired Mobility Role   Conversion     AP License
Catalyst 3650/3850   MA                      MA                      Not Required   Not Required
Catalyst 3650/3850   MA                      MC                      Required       Required

3650/3850 MC Role Conversion
    3850(config)#wireless mobility controller
    3850#copy run start
    3850#reload

3650/3850 AP License Provisioning
    3850#license right-to-use activate apcount <count> slot <slot> acceptEULA

CA WorkFlows Pre-Requisite Servers Configuration
Cisco Prime Infrastructure
o All network-wide Catalyst switches must be configured with SNMP
o Programmed in Cisco Prime Infrastructure Device Management
o Link Cisco Prime Infrastructure with Cisco ISE engine as external server to centrally monitor end-to-end Client connectivity and policy enforcement details
Cisco ISE/ACS
o All network devices including Catalyst switches and Guest Anchor WLC must be configured in Cisco ISE/ACS to enable centralized policy engine function.
o No AAA configuration required on network devices. Automated using Cisco Prime Infrastructure WorkFlows
DHCP Server
o Internal or external DHCP Server must be preconfigured with appropriate pool settings for Wireless Clients
DNS Server
o DNS Server must be preconfigured with appropriate name-lookup process to successfully connect the network
[Figure: DC with CPI and ISE; MA and MC/MA access switches, MC, and Guest Anchor (GA)]
CA WorkFlow Pre-Requisite Sample Network Configurations
Global Converged Access Configuration Build and Export
Export
o Supported in Template Based Deployment mode
o Build Once. Use Many model
o Generate global significant Converged Access configurations including :
    SSID and VLAN Name
    Guest SSID, Guest Anchor WLC and VLAN Name
    Security Parameters
    Application Experience : Flexible NetFlow Collector IP Address, Per-SSID QoS Policy
o Export this one time required configuration as CSV on local desktop. Reuse by simply importing configuration
Global Converged Access Configuration Import Template
Import
o Supported in Template Based Deployment mode
o Update CSV and import global Converged Access configuration
o Program per-device configuration :
    Wireless Management VLAN ID, IP Address and Mask
    Guest SSID, Guest Anchor WLC and VLAN Name
    Security Parameters
    Application Experience : Flexible NetFlow Collector IP Address, Per-SSID QoS Policy
o For Large Template configure per Mobility sub-domain parameters
o Deploy the Workflow on selected device.
o Repeat above steps for another set of Converged Access devices
CPI Template Key Benefits
Complete automation of Converged Access architecture with simple data inputs
Simple to Use. Intelligence in Tool
Mask Complexity. Basic user knowledge to power up broad IOS innovations
Scalable design to accelerate deployments
Optimize Converged Access deployments with integrated recommended Best Practices
Thank you.