Cisco-Wireless Branch Deployment

Branch Office Wireless LAN Design
Rajat Tayal - Technical Marketing Engineer (rtayal@cisco.com)

BRKEWN-2016
Agenda
• Understand Wireless Branch Deployment Options
• Evaluate FlexConnect Architectural Requirements
• Identify the need for FlexConnect & AP Groups
• Design a Resilient Branch Network
• Design Secure & BYOD enabled Branch Network
• Service-Ready Branch
• Provision and Operate Wireless Branch over WAN
• FlexConnect Best Practices
Unified Access: One Architecture, Multiple Deployment Options
WAN Intranet
MOBILITY EXPRESS FLEX CONNECT CONVERGED CENTRALIZED
Small Network Branch Small Campus / Branch Large Campus
• Single site network • Distributed network • Simplified Campus/Branch • Data center hosted
• Low IT footprints • Highly scalable • Consistent Wired/Wireless controller
• SP hotspots • Best in class for distributed • Common OS • Distributed enterprises
networks Aironet Access Points
• Virtual controller function 11ac Wave2 : 3800/2800/1800
• Controllers • Controllers
• Controllers
11ac: 3700/2700/1700
on AP • New 8540 Controller • Integrated • New 8540 Controller
11n: 3600/ 2600/ 1600/ 700i/700w
• 11ac: 1800/2800/3800 • New 5520 Controller 3650/3850/Sup 8E • New 5520 Controller
• or other Cisco Wireless • or other Cisco Wireless
Controllers Controllers
Prime Infrastructure, Identity Service Engine, Connected Mobile Experiences
BRKEWN-2016 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Wi-Fi Connectivity Speed Timeline
Gigabit Wi-Fi As Primary Access
4
Spatial 4SS Desktops
Stream
s
3SS Desktops / Laptops
5260** 3
Spatial
Streams 2SS Laptops / Tablets
3500** 3500** 2
Spatial 1SS Tablets / Smartphones
Stream
2340**
1730**
1300* = Connect Rates (Mbps)
1
Spatial
600* Stream
870* SS = Spatial Streams
450
300 290* 290*
Multi-Gigabit
Uplinks
*Assuming 80 MHz channel is available
2 Gigabit
Ethernet
Uplinks
54
Ethernet
65 and suitable
Gigabit
Uplink
24 **Assuming 160 MHz channel is
2 11
802.11ac 802.11ac Dual available and suitable
802.11 802.11b 802.11a/g 802.11n 5GHz
Wave 1 Wave 2
1997 1999 2003 2007 2013 2015 2016

Cisco Aironet Indoor Access Points Portfolio
Positioned to Capture the 802.11ac Wave 2 Transition New
New Best in Class
New
Enterprise Class Enterprise Class Enterprise Class
Mission Critical
3800
2800
1810 1830 1850
AP1810W & OEAP1810
• 4x4:3SS 160 MHz; 5 Gbps
• 2.4, 5GHz or Dual 5GHz
• 4x4:3SS 160 MHz; 5 Gbps
• 2x2:2SS 80 MHz; 867 • 2 GE or 1 GE + 1 mGig (5G)
Mbps • 2.4, 5GHz or Dual 5GHz
• Internal or External antenna
• Tx Beam Forming • 2 GE Ports
• 3x3:2SS 80MHz; 867Mbps • 4x4:3SS 80Mhz; 1.7 Gbps • Smart Antenna Connector
• 1 GE Port uplink • Internal or External antenna
• Spectrum Analysis* • Spectrum Analysis* • Enhanced Location* (External
• 3 GE Local Ports, • Smart Antenna Connector Antenna)
• Internal antenna • Internal or External antenna
including 1 PoE out • Enhanced Location* • CleanAir 160 MHz,
• Tx Beam Forming • Tx Beam Forming
• Local ports 802.1x ready • CleanAir 160MHz • ClientLink 4.0, StadiumVision
• 1 GE Port • 2 GE Ports
• Integrated BLE Gateway* • ClientLink 4.0 • USB 2.0
• USB 2.0 • USB 2.0
• One or Two Local Ports • USB 2.0 • Modularity
can be tunneled back to • Centralized, FlexConnect • Centralized, FlexConnect
and Mobility Express and Mobility Express • Centralized, FlexConnect • Centralized, FlexConnect and
corporate and Mobility Express* Mobility Express*
Enterprise Mission Critical Best In Class
New
Next-Generation Wave 2 802.11ac Access Points
• Industry leading 4x4 MIMO:3 spatial streams (SS)

Wave 2 802.11ac access points
• Dual radio, 802.11ac Wave 2, 160 MHz
• 2 x 5 GHz: 4x4: 3SS supporting
- SU-MIMO / MU-MIMO
- Flexible Radio Assignment: 2.4GHz, 5GHz, Wireless Security
Module, or Wireless Service Assurance
• 2 x Gigabit Ethernet
• HDX Technology
• USB 2.0
• Internal and external antenna models
Cisco Aironet® 2800 Series
Gigabit Wi-Fi has fully arrived.

* Planning
New
Next-Generation Wave 2 802.11ac Access Points
• Industry leading 4x4 MIMO:3 spatial streams (SS)

Wave 2 802.11ac access points
• Dual radio, 802.11ac Wave 2, 160 MHz
• 2 x 5 GHz: 4x4: 3SS supporting
- SU-MIMO / MU-MIMO
- Flexible Radio Assignment: 2.4GHz, Dual-5GHz, Wireless
Security Module, or Wireless Service Assurance
• Gigabit Ethernet and multi-Gigabit Ethernet (1G,
2.5G, 5G)
• HDX Technology
• USB 2.0
• Internal and external antenna models
Cisco Aironet® 3800 Series • Modularity: Side Mount Modular
Gigabit Wi-Fi has fully arrived.
* Planning
Wireless Branch Deployment
Options
Branch Office with Local WLAN Controller
Overview Backup Central
Controller
Central Site
• Branches can also have local
controllers CAPWAP
• Small or Mid-size Branch WLCs WAN

• CT-2504, Cat-3850
WLC-25xx
• Integrated controller modules in WLCM for
ISR/ISR-G2 ISR/ISR-G2
• Converged Access Cat-3850
Advantages
• Layer-3 roaming within the branch
• Cookie cutter configuration for every branch site
Remote Site C
Remote Site A
Remote Site B
Branch Office Deployment Central Site
FlexConnect (HREAP)
Centralized
• Hybrid architecture Traffic
Centralized
Traffic
• Single management and control point
• Data Traffic Switching
• Centralized traffic
(split MAC) or
• Local traffic (local MAC)
WAN
• Standalone Mode will preserve local traffic
only
• Traffic Switching is configured per AP
and per WLAN (SSID)
Remote Office
Local
Traffic
FlexConnect Glossary
Connected Mode When FlexConnect AP can reach Controller, it gets help from controller to complete client
authentication.
Standalone Mode When FlexConnect AP cannot reach Controller, it goes into standalone state and does client
authentication by itself.
Local Switching Data traffic switched onto local VLANs for an SSID
Central Switching Data traffic tunneled back to WLC for an SSID
Configure FlexConnect Mode
Step 1: Configure Access Point Mode
• Enable FlexConnect mode per AP
• Supported APs:
AP-1040, AP-1130, AP-1140, AP-1240, AP-
1250, AP-1260, AP-1520, AP-1530, AP-
1550, AP-1570, AP-1600, AP-1700, AP-
1800, AP-2600, AP-2700, AP-2800, AP-
3500, AP-3600, AP-3700, AP-3800
Configure FlexConnect Local Switching
Step 2: Enable Local Switching per WLAN
Only WLAN with “FlexConnect Local Switching” enabled will allow local
switching on the FlexConnect AP
Configure FlexConnect VLAN Mapping
Step 3: FlexConnect Specific Configuration – VLAN Support
• FlexConnect AP can be connected on an access port or connected to a 802.1Q
trunk port (using the native VLAN)
• VLAN mapping can be performed per AP configuration on WLC and/or by AP
groups using Cisco Prime Infrastructure templates
Step 4: FlexConnect Specific Configuration – Native Vlan
• When connecting with Native VLAN on AP, L2 switchport must also match with
corresponding Native VLAN configuration
• Each corresponding SSID that is allowed to be locally switch should be allowed
on the corresponding switchport.
Configure FlexConnect SSID-VLAN Mapping
Step 5: Per AP SSID to VLAN Mapping
• Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP
• Or use Cisco Prime Infrastructure (NCS) via configuration templates
1 2
Using Cisco Prime Infrastructure
• Prime Infrastructure provides simplified configuration to all FlexConnect APs
with one Lightweight AP Template
Evaluate FlexConnect Architectural
Requirements
FlexConnect Design Considerations For Your
Reference
WAN Limitations Apply
Deployment WAN Bandwidth WAN RTT Max APs per Max Clients per
Type (Min) Latency (Max) Branch Branch
Data 64 kbps 300 ms 5 25

Data 640 kbps 300 ms 50 1000
Data 1.44 Mbps 1 sec 50 1000
Data+Voice 128 kbps 100 ms 5 25
Data+Voice 1.44 Mbps 100 ms 50 1000
Monitor 64 kbps 2 sec 5 N/A
Monitor 640 kbps 2 sec 50 N/A
It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip
latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.
FlexConnect Design Considerations
Feature Limitations in Standalone mode and Local Switching
• MAC/Web Auth in Standalone Mode
• IPv6 Mobility
• SXP TrustSec
• Service Discovery Gateway
• Native Profiling and Policy Classification
• See full list in « FlexConnect Feature Matrix »
• http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.s
html
IPv6 Support
✔
✔
✔
✔
✔
✔
✔
✔
✔
Significant support for IPv6 with Central Switching

IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching
Economies of Scale For Lean Branches
Flex 7500 Wireless Controller
Key Differentiation Functionality
Access Points 300-6,000

 WAN Tolerance
Clients 64,000
• High Latency Networks
Branches ( Flex Groups ) 2000
• WAN Survivability
 Security Access Points / Branch 100
802.1x based port authentication Deployment Model FlexConnect
 Voice support Form Factor 1 RU

• Voice CAC IO Interface 2 x 10GE
• OKC/CCKM Upgrade Licenses 100, 200, 500, 1K
RTU Licenses
Optimized for High Scale Deployments
Cisco 8540 Series Controller Functionality
Access Points 6,000
Key Differentiation Clients 64,000
Branches/locations 6,000 (2000 FlexGroups)

 High scale
• 4K VLANs
Access Points per 100
 Rich Features with deployment flexibility FlexConnect group
 Geo Separated AP/Client SSO
Deployment types Local (centralized),
• FlexConnect, Local mode and mesh support Right to use
FlexConnect and mesh
(with EULA) for ease of license enablement
• 3G Packet core integration: PMIPv6 MAG solution with Form Factor 2 RU
ASR5K (LMA)
• FlexConnect with HS2.0 for 3G offload IO Interface and Four x 10GE ports with LAG
redundancy
• Other key features:
802.11r fast roaming
Rate limit traffic flows
Video Stream for rich media flows
For Your
FlexConnect Feature Introduction Reference
FlexConnect Features Release Version

AAA-VLAN Override, ALCs & P2P Blocking 7.2
Smart AP Image Upgrade 7.2
External Web-Auth & Mobile Device On-boarding 7.2
Flex 7500 Scale Update 7.3
VLAN Based Central Switching 7.3
Split-tunneling 7.3
Work Group Bridge (WGB) Support 7.3
Bi-Directional Rate Limiting 7.4
ISE BYOD Registration & Provisioning 7.4
AAA-ACL & AAA-QoS Override 7.5
EAP-TLS & PEAP Support for Local Authentication 7.5
Ethernet Fallback 7.6
VideoStream for Local Switching 8.0
Faster time to deploy 8.0
FlexConnext on Mesh APs 8.0
AVC for FlexConnect 8.1
VLAN Name override for FlexConnect 8.1
FlexConnect Mode for AP from PnP 8.2
FlexConnect Group for AP from PnP and Default FlexConnect Group 8.3
Why do we need FlexConnect & AP
Groups?
Understanding AP Groups
Overview AP Group 1 Central Site
Flex 7500
• AP Groups is a logical concept of
grouping AP’s which deliver similar Wi-Fi
services; these services can be:
• By physical location, and/or
• By functional services
(data, voice, guest, etc..)
• Same AP groups need to be defined in all Remote Site A WAN Remote Site B
WLC’s of a mobility group

AP Group 3
7510/8510
Scaling CT-5508 WiSM-2 CT-2504
/8540
# AP Groups 6000 500 1000 50
# WLAN
512 512 512 16
(SSID)
# VLAN AP Group 2
4095 512 512 16
(Interfaces)
AP Groups
Configuration: Create a New Group
AP Groups Usage @ Internet
Guest-Access AP Group 1 Central Site

Per Location SSID
Corporate-Voice
AP groups give the ability to enable Wi-Fi

Services (WLAN) based on physical
location Corporate-Data
Central Site WAN

Corporate-Voice, Corporate-Data, Guest- Manufacturing Site
Store
Access
Manufacturing Site
Corporate-Voice, Corporate-Data, AP Group 3
Scanners
Store
Corporate-Data, Guest-Access Scanners
AP Group 2 Corporate-Data
Guest-Access
Corporate-Data
Corporate-Voice
AP Groups Usage
AP Group 1
VLAN-1
Head Office
Per AP Group SSID to VLAN Mapping Central Site
VLAN-2
• AP groups give the ability to statically
map Wi-Fi service (WLAN) to VLAN
based on physical location VLAN-3
• Users see the same

Wi-Fi service on all sites. Corporate-Data
WAN/MAN
• Admin can monitor and filter based on
different IP@ each site
AP Group 3
• Can also be used to have smaller Wi-Fi Store
subnets
• For example per floor subnets in a building. AP Group 2
Manufacturing Site Corporate-Data
Corporate-Data
Understanding FlexConnect Groups
Central Site
Flex 7500
Overview Cluster
FlexConnect groups allow sharing of:

• CCKM/OKC fast roaming keys
• Local/backup RADIUS servers IP/keys
• Local EAP authentication WAN
• AAA-Override for Local Switching Remote Site Remote Site
• Smart Image Upgrade
• FlexConnect AVC
7510/
Scaling 8510/ CT-5508 WiSM2 CT-2504
8540
FlexConnect
2000 100 100 30
Groups
AP per Group 100 25 25 25 FlexConnect Group 1 FlexConnect Group 2
FlexConnect Groups and CCKM/OKC Keys
Overview Central Site CCKM Keys
RADIUS Server
• CCKM/OKC keys stored on FlexConnect APs for

Layer 2 fast roaming
• The FlexConnect APs receives CCKM/OKC keys WAN

from WLC
• If a FlexConnect AP boots up
in standalone mode, it will not get the OKC/CCKM
keys from the WLC
• FlexConnect supports 802.11r Fast Transition with

local key caching.
FlexConnect Group 1 FlexConnect Group 2
FlexConnect Groups Creation
Step 1: Add a New FlexConnect Group
1
Step 2: Add APs to the

FlexConnect Group
For Your
Reference
FlexConnect Groups Template on PI
For Your
Reference
FlexConnect Groups Template on PI
Designing a Resilient Wireless
Branch Network
FlexConnect Backup Scenario
Central Site
WAN Failure
• FlexConnect will backup on local

switched mode
• No impact for locally switched SSIDs
• Disconnection of centrally switched SSIDs clients WAN
• Static authentication keys are locally stored in
FlexConnect AP Remote Site
• Lost features Application

• RRM, WIDS, location, other AP modes Server
• Web authentication, NAC
Central Site
WLC Failure scenario with N+1 HA
• FlexConnect will first backup on local switched mode

• Disconnection of centrally switched SSIDs clients
• CCKM roaming allowed in WAN

FlexConnect group
• FlexConnect AP will then search Remote Site
for backup WLC; when backup WLC is found,
FlexConnect AP will resync with WLC and Application
Server
resume client sessions with central traffic.
• Client sessions with Local Traffic are not
impacted during resync with Backup WLC.
WLC failure scenario with SSO Central Site
Standby
Active
• HA considerations:
• Disconnection of centrally switched SSIDs WAN
clients with AP SSO
• No/minimal impact for centrally switched client
with Client SSO (7.5 and above)
• FlexConnect AP will NOT transition to Application
Standalone because SSO kicks in Server
• AP will continue to be in Connected mode

with the Standby (now Active) WLC
Remote Office
FlexConnect Group : Backup Scenario
Central Site
Local Backup RADIUS
Central
• Normal authentication is done centrally RADIUS
• On WAN failure, AP authenticates new

clients with locally defined RADIUS server
WAN
• Existing connected clients stay connected
Local Backup
• Clients can roam with RADIUS Remote Site
• CCKM fast roaming, or

• Re-authentication
CCKM Fast Roaming

FlexConnect Group: Local Backup RADIUS
Configuration
• Define primary and secondary local backup RADIUS server per FlexConnect
group
Local Authentication
Central Site
Local Authentication Central

RADIUS
• By default FlexConnect AP
authenticates clients through central WAN
controller Local
RADIUS
Remote Site
• Local Authentication allow use of

local RADIUS server directly from
the FlexConnect AP FlexConnect Group
Local Authentication
Configuration
FlexConnect Group: Backup Scenario
Central Site
Local Backup Authentication
Central
• Normal authentication is done centrally RADIUS
• On WAN failure, AP authenticates new clients with its

local database
• Each FlexConnect AP has a copy of the local user DB
WAN
• Existing authenticated clients stay connected
Remote Site
• Clients can roam with:
• CCKM fast roaming, or
• Local re-authentication
FlexConnect Group 1
Supported Security Types Release Version
LEAP 6.0
EAP-FAST 6.0 CCKM Fast
PEAP 7.5 Roaming
EAP-TLS 7.5 BRKEWN-2016 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
FlexConnect Group: Local Backup Authentication
Configuration
• Define users (max 100) and passwords
• Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS

2
1
Designing Secure & BYOD Enabled
Branch Network
FlexConnect Peer-to-peer Blocking
Starting
Local Switching Peer-to-peer Blocking from 7.2
Central Site
Overview
Support for Peer-to-Peer blocking in

FlexConnect AP
WAN
Apply for clients on same FlexConnect AP
Remote Site
P2P blocking modes : disable or drop
Application
Server
For P2P blocking inter-AP use ACL or Private
VLAN function
Standalone mode support
Local Switching Peer-to-peer Blocking
Configuration
Both modes of operation will drop the packet @ AP

Multiple Policy Touch Points
for Local Switching enabled WLAN
* Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream
node connected to WLC
FlexConnect AAA VLAN & QoS
Override
Starting
from 7.2
FlexConnect AAA VLAN Override
Description RADIUS Central Site
• AAA VLAN Override with local or central VLAN 3

authentication QoS = Silver
VLAN 7
• Up to 16 VLANs per FlexConnect AP QoS = Platinum
• VLAN ID must be enabled per AP or WAN

FlexConnect Group Application
Server
Remote Site
• If VLAN ID does not exist, default VLAN is
used, unless « VLAN Based Central
Switching » enabled
FlexConnect Group
For Your
FlexConnect AAA VLAN Override Reference
Configuration
IETF 65
IETF 64
IETF 81
WAN
ISE
Create Sub-Interface on FlexConnect

AP
VLAN Based Central Switching Central
VLAN 3
Go to Default
VLAN ID
Overview Central
RADIUS
VLAN 7
• While doing AAA VLAN Override with VLAN 3 does not
local switching : VLAN 7 Exist on this
WLC
• If VLAN ID does not exist at the AP,
the traffic is central switched to the WAN
central VLAN ID
Remote Site
• If the central VLAN ID does not exist,
the traffic is centrally switched to the
default VLAN ID of the WLAN
VLAN 7 VLAN 7
does not
VLAN 3 Exist on
does not this AP
Exist on
this AP
Starting
from 7.5
FlexConnect AAA QoS Override
Description
Vendor ID/Vendor Type Attribute
 Dynamically assign QoS levels and/or
bandwidth contracts for local switching, [14179\002] Aire-QoS-Level
centrally authenticated WLANs [14179\004] Aire-802.1P-Tag
 Web-authenticated WLANs and 802.1X- [14179\007] Aire-Data-Bandwidth-Average-

authenticated WLANs supported Contract
[14179\008] Aire-Real-Time-Bandwidth-
 Order of precedence for Rate Limiting Average-Contract
parameters [14179\009] Aire-Data-Bandwidth-Burst-

Contract
 AAA override
[14179\0010] Aire-Real-Time-Bandwidth-
 QoS Profile of AAA override Burst-Contract
 Local WLAN configuration
 QoS Profile of local WLAN configuration
AAA Override Deployment Scenario
Problem Statement
Central Site
VLAN 20
WAN
Application
Server
Function VLAN ID
Engineering 11
Marketing 21
Function VLAN ID Sales 31
Engineering 10 Application
Server
Marketing 20
Sales 30 VLAN 20
Remote Site A Remote Site B does not
exist
Starting
VLAN Name Mapping at FlexConnect Group from 8.1
Flex Group A Central Site Flex Group B

VLAN Name VLAN VLAN Name VLAN
VLAN Name VLAN
ID ID
ID
Engineering 10 Engineering 10
Engineering 11
VLAN Name
Marketing VLAN
20
Marketing 20 Marketing 21
ID
Sales 30 Sales 30
Sales 31
Engineering 11
. .
. Marketing 21
WAN .
HR 160 Sales 31 HR 161
Remote Site B
Remote Site A
VLAN ID
VLAN ID
11
10 21
20 31
30
Starting
from 8.1
VLAN Name AAA Override - Solution
Central Site
Aire-Interface-Name or
IETF Tunnel-Private-Group-ID
VLAN NAME=
Marketing
WAN
Application
Server
Remote Site Remote Site VLAN Name VLAN ID
VLAN 20 Engineering 11
Marketing 21
VLAN Name VLAN ID Sales 31
Engineering 10
Marketing 20
Sales 30
Remote Site A VLAN 21 Remote Site B
FlexConnect ACL VLAN Mapping &
Per-Client ACL
Starting
FlexConnect ACL – VLAN Mapping from 7.2
Overview Central Site
• FlexConnects ACL are applied per VLAN

• FlexConnect ACL are Ingress / Egress oriented
• Starting from 7.5 FlexConnect ACL support AAA-
returned Client ACL
WAN
ACL Scale
Remote Site
512 FlexConnect ACL per WLC Application

• 16 ingress ACL per AP Server
• 16 egress ACL per AP

• 64 ACL rules per ACL
• No IPv6 ACL
FlexConnect Access Lists
Configuration – Create FlexConnect ACL
• FlexConnect ACL rule creation is similar to rule creation for Local Mode AP
1
FlexConnect ACL – VLAN Mapping
Configuration – FlexConnect ACL per AP 2
• FlexConnect ACL can be applied per AP
using VLAN Mappings configuration
FlexConnect ACL – VLAN Mapping
Configuration –FlexConnect ACL per FlexConnect Group
• FlexConnect ACL can be applied per FlexConnect Groups per VLAN in the ACL
Mapping tab.
1 2
FlexConnect Split Tunneling
(Using FlexConnect Split ACL)
Starting
FlexConnect ACL – Split Tunneling from 7.3
Overview
• Split tunneling allow some traffic to be locally switched although the WLAN is defined as centrally
switched
• Split tunneling is using a NAT/PAT feature with ACL to perform the local switching
• Split tunneling is using the AP IP@ for the NAT/PAT feature
FlexConnect AP WLC Central Traffic

CAPWAP
NAT/PAT WAN
ACL
Central Server
Local Traffic
Local Printer
FlexConnect ACL – Split Tunneling
Configuration
• Create a centrally switched WLAN
Flex Local switching should

not be checked
• Define Flex ACL to match traffic to be locally switched
Central subnet Local subnet
Configuration – Per Access Point
Configuration – Per FlexConnect Group
Deploying BYOD with FlexConnect
Local Switching
(Using FlexConnect WebPolicies
ACL)
Bring Your Own Device(s) : The New Normal
BYOD Device On-Boarding in FlexConnect Starting
from 7.4
Example: Apple iOS Device Provisioning
WLC ISE CA-Server

Initial Connection Using
PEAP
1
Device Provisioning
Wizard
2
Client
Reconnects
Future Connections WLC ISE CA-Server

using EAP-TLS
3
FlexConnect Access Lists fo BYOD
Create FlexConnect ACL
• Create FlexConnect ACL to allow access to Cisco ISE
1
FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect AP
• ACL Mapping can be configured per FlexConnect AP
FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect Group
• Use ACL Mapping tab in FlexConnect Group configuration
• WebPolicies ACL are not the same as VLAN ACL or WebAuthentication ACL.
Cisco Wireless Central DHCP Processing
Configuration
• To support DHCP Profiling Probe with FlexConnect, DHCP request must be
sent to WLC. This is done by the « Central DHCP Processing » configuration.
Deploying BYOD with FlexConnect Wireless
Summary – 802.1x/EAP Authentication ISE
DHCP Server
FlexConnect AP
CAPWAP WLC
Web Server
WAN
WiFi Association
802.1x/EAP Request Radius Access-Request Unknown Device,

Inside CAPWAP Redirect to registration
Radius Access-Response
• Access-Type: Access-Accept
• URL-Redirect-ACL=FlexACLWebPolicy,
URL + ACL Redirect • URL-Redirect=http://……)
Inside CAPWAP
802.1x/EAP Response
Inside CAPWAP
Summary – DHCP Request ISE
DHCP Server
FlexConnect AP
CAPWAP WLC
Web Server
WAN
DHCP Request
Inside CAPWAP
Device is
RADIUS-Accounting an iPad
• host-name=MyiPad
• dhcp-class-identifier=APPLE
DHCP Lease
Inside CAPWAP
Summary – URL-Redirect ISE
DHCP Server
FlexConnect AP
CAPWAP WLC
Web Server
WAN
HTTP HTTP Request

Request Redirected to WLC by AP
Inside CAPWAP
URL-Redirect
Summary – Registration & Provisioning ISE
DHCP Server
FlexConnect AP
CAPWAP WLC
Web Server
WAN
Device Registration & Provisioning Device is Registrered

Trigger Change-of-Auth
EAP DeAuthentication RADIUS Change-of-Authorization

EAP Authentication
Summary – Device Access ISE
DHCP Server
FlexConnect AP
CAPWAP WLC
Web Server
WAN
Radius Access-Request Device is Registrered

802.1x/EAP Request/Response
Radius Access-Response And Provisioned
Inside CAPWAP
Allow Access
DHCP Request/Response
Inside CAPWAP
Web Traffic
Summary of FlexConnect ACLs
VLAN-ACL Applied on the 802.3 interface of the FlexConnect AP
AAA returned Client ACL Applied on the 802.11 interface of the AP
Split Tunnel ACL Allow some traffic to be locally switched
-
80
Web Policies ACL BYOD with FlexConnect
BRKEWN-2016 80
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Service-Ready Branch
FlexConnect VideoStream
Video Multicast Delivery Challenges
Technical Challenges 802.11
Data Rates
• Multicast packets (UDP) are sent as
1
broadcast packets over the air per 802.11
standard 2
5.5
• Broadcast packets do not use error
correction: “fire and forget” 6
9
• Broadcast packets are sent at data rate B/G 11
Video Impact
mandatory to all clients connected to the
WLAN 12
• Choppy, Unreliable Video
18
1 Mb for B/G (400K actual) • Video Stream does not utilize 802.11n/ac
24
6 Mb for A (2.7 Mb actual) High Throughput data rates
36
48
• Heavy utilization of channel due to high
rate of very slow packets
54
M0 • Video delivery is not reliable causing poor
Quality of Experience
N M1
...
Video M14
Server Default 802.11B/G M15
mandatory data rates
Starting
from 8.0
Video Multicast Delivery Solution
802.11
Technical Solution Data Rates Video Impact
1
• IGMP state monitored for each client. 2

• Smooth, Reliable Video delivered to
Only send video to clients requesting 5.5
multiple clients
• Sent as unicast to individual clients at
6 • Quality of Video protected in varying
their data rate 9 channel load conditions
11
• Multicast packets replicated at AP B/G • Prioritizes Business Video (QoS
12
Gold) over other video ( Best-effort )
18
24
36
48
54
M0
N M1
...
Video M14
Server M15
Default 802.11B/G
mandatory data rates
FlexConnect VideoStream Configuration
Enable VideoStream - Global
(Cisco Controller) >config media-stream multicast-direct ?

enable Enable Global Multicast to Unicast Conversion
disable Disable Global Multicast to Unicast Conversion
Add Stream Configuration
(Cisco Controller) >configure media-stream add multicast-direct <media-stream-

name> <start-IP> <end-IP> [template | detail <bandwidth> <packet-size> <Re-
evaluation> video <priority> <drop|fallback>]’
Enable VideoStream - WLAN
(Cisco Controller) >config wlan media-stream multicast-direct 1 ?

enable Enables Multicast-direct on the WLAN
disable Disables Multicast-direct on the WLAN.
FlexConnect VideoStream Monitoring
Controller
(Cisco Controller) >show flexconnect media-stream client summary

Client Mac Stream Name Multicast IP AP-Name VLAN Type
----------------- -------------------- --------------- ------------------------- ----- ----------------
7c:d1:c3:86:7e:dc Media2 229.77.77.28 AP_1600 0 Multicast Direct
88:cb:87:bd:0c:ab Media2 229.77.77.28 AP_1600 0 Multicast Direct
d8:96:95:02:7e:b4 Media2 229.77.77.28 AP_1600 0 Multicast Direct
FlexConnect Bridge Mode Support
Starting
FlexConnect on Mesh APs from 8.0
Centralized
Traffic
FlexConnect on Mesh APs
• New AP mode that allows Central Site

Flexconnect behavior across
mesh-enabled AP
• Flexconnect Groups WAN
• Max 8 Mesh hops, Max 32 MAPs
per RAP
• Local AAA support
• A WLC have a mix of Bridge and
Flex + Bridge
• MAPs inherent VLANs from its Local Remote
connected RAP Traffic Office
Local Data WLAN

BRKEWN-2016
Central Data WLAN
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
FlexConnect-Bridge Failover Scenario Secondary Primary
Failover Considerations
• AP SSO is supported for the RAP only. N+1

Recommended WAN
• Multi-sector RAP deployments can be used for
redundancy
Remote
Office
• RAP to standalone mode when WLC is not reachable Application
Server
• MAPs to standalone mode when WLC

is not reachable but gateway is
• When in standalone mode no new

mesh AP can join the mesh tree
For Your
AP Modes Feature Comparison Reference
Feature\AP Mode Local Mode Bridge Mode Flexconnect Mode Flex+Bridge Mode
Central Switching Yes Yes Yes Yes
Root Ethernet VLAN No Yes (secondary Ethernet Yes Yes

bridging hosts)
Secondary Ethernet No Yes No Yes
Access Ports
Secondary Ethernet No Yes No Yes
VLAN Trunk Ports
Local VLAN Inheritance No Yes - Secondary No Yes – both bridged
by MAPs from RAPs Ethernet “access” ports 802.11 WLANs and
only Ethernet “access”
Wireless Child Mesh APs No Yes No ports
Yes
Fault Tolerant Resilient No No Yes
Yes
Mode
Security ACLs per VLAN No No Yes
Yes (on RAPs)
on Ethernet Root Ports
Integrated IP Routing No No Yes Yes (on RAPs)
(PPP/PPPoE/NAT)
VLAN Transparent No No No No
Bridging
Path Control Protocol No Yes No Yes
FlexConnect Bridge Mode Configuration
Wireless  Access Points  AP_NAME  General
Wireless  Access Points  AP_NAME  FlexConnect
AP will reboot
upon change
Same options
as an AP in Flex
Mode
FlexConnect Application Visibility
and Control
How AVC solution works
AireOS 8.1 App Visibility & AireOS 8.1
User Experience Report
App BW Transaction …
Time
WebEx 3 Mb 150 ms …
Citrix 10 Mb 500 ms …
Static
Netflow
AP
NBAR on AP
Deep Packet Perf. Collection & Visibility and User

Control
Inspection Exporting Experience
AP collects application info Use QoS to control

DPI engine (NBAR2) and export it to Advanced reporting tool
application bandwidth
identifies applications controller/switch every 90 aggregates and reports
usage to improve
using L7 signatures seconds application performance
application performance
AVC on FlexConnect APs
Katana
Gen2 AP
BRANCH Netflow Export from AP to WLC

Real-time information for
Stateful context last 90 seconds
transfer on roam
WAN
Gen2 AP
Flow ID App Name Packets

1 WebEx 1000
Deployment WAN WAN RTT Max Aps per Max Clients per
2 Msft-Lync 2300 Type Bandwidth ( Latency(Max) Branch Branch
3 Skype 660 Min)
Data + Flex AVC 75 Kbps 300 msec 5 25
AVC for FlexConnect APs
AP Functionality
• NBAR2 engine on FlexConnect AP

• Protocol Pack 8.0
• NBAR engine version 16
WLC Functionality
• Send flows to WLC every 90 sec using Netflow
• Classification and Control at AP
• Mark ( DSCP ) • Export to external Netflow supported
• Drop • Intra FlexConnect Group Roaming Support
• Rate-limit • Supported on all controller models except 2504
• Supported on Gen 2 APs : 1600, 2600, 3600, 1700, 2700, • Supported on Gen 2 APs : 1600, 2600, 3600, 1700,
3700, 1532, 1570 2700, 3700, 1532, 1570
• FlexConnect and Flex+bridge mode supported
AVC Configuration on Local Switching WLAN
WLAN AVC
Configuration
Local Switching WLAN
AVC Configuration per FlexConnect Group
• FlexConnect Group specific AVC configuration takes precedence over WLAN AVC config
• No AP Specific AVC configuration.
• WLAN AVC configuration will be pushed to Flex APs where WLAN is broadcast
Application Visibility FlexConnect Group AVC

WLAN-Specific configuration
Enable/Disable
Enable/disable, Profile,
Monitor per WLAN
FlexConnect AVC Profiles
Can be associated under WLAN and/or FlexConnect Group
FlexConnect AVC
profiles
FlexConnect AVC Applications
Protocol Pack version 8.0

Engine version 16
Monitoring AVC Statistics per FlexConnect Group
Per Client AVC Statistics Per FlexConnect Group

AVC Statistics
Operating the Wireless Branch
Branch Office Provisioning
Network Plug-N-Play – Simple, Secure, Scalable
Today’s Process Business
Network Challenges
Direct Costs
Central Staging Facility
Ships • Shipping after Configuring device
Pre Provision
1• Travel
equipment costs for IT installer
Projects/Sites
• Install OS
• Install Config
• Prime device Network Admin
Network Complexity
Reseller/Partner Admin
• Config errors
• Different products / processes
2 Install & Power-on 3 Monitor device
devices installation
Security
• 3rd party not secure
Installer
Installer
Network Admin
Time/Productivity
Site-1 Site-2 Site-3
• Manual process
Site(s)
• Shipping , Storage, Travel
Network PnP Discovery Options
Switches (Catalyst) Routers (ISR/ASR) Wireless AP
DHCP with Options 60 & 43

1 DHCP
Server
PnP String: 5A1D;B2;K4;I172.19.45.222;J80
Brand new
device only
DNS Lookup
2 DNS
Server pnpserver.localdomain ---- e.g.172.19.45.222 (PnP Server)
3 CAPWAP CAPWAP based WLC discovery

(For AP only)
Use Case : Branch Deployment for On-Prem PnP Server
APIC-EM
/PnP PnP Server/Site Updates
Step 1 Server
New devices PID Serial # Hostname WLC IP address
contact PnP
Pre Provision Site in APIC EM Server to get
AIR-CAP3702I-A-K9 RFD0PP2T025 AP-Store1-1 192.168.15.1
• Serial Number based match rule provisioned ISR-2951 FOX23zxcb ISR-bakcup 192.168.15.2
• MAC Addressed based match C3850 FOC123dfg Dist1 192.168.16.3
• Config
C3560C FOC443asd ACC-sw1 192.168.16.4
• Installer User ID
C3560C FOC443asa ACC-sw2 192.168.16.5
C3560C FOC443asx AC-sw4 192.168.16.7

Network
Admin
Challenges:
• Provisioning of branch offices quickly and easily
Solution:
WLC IP (Prim/Sec/Ter)
• Pre-Provision the AP details from a central Service (PnP)
Installer AP Name
AP Mode (Flex/Local)
AP Group Name
Flex Group Name – Coming 8.3 BRKEWN-2016 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
Branch Office Upgrade over WAN
Upgrading a FlexConnect Deployment
Concerns
• Sites using FlexConnect AP are usually sites with low WAN bandwidth
• Each site may have small number of AP, but an enterprise may have a lot of
branches
• Upgrading ~6000 AP through a low bandwidth WAN is a challenge :
• Time needed to download all the AP firmware
• Exhaust of the WAN link
• Risk of failures during the download
Starting
from 7.2
FlexConnect Smart AP Image Upgrade
Firmware Image
Overview
Old
New
New
Cisco Prime Old
New Primary Secondary
• Smart AP Image Upgrade use a « master »
AP in each FlexConnect Group to download Wireless LAN
the code. Central Site Controller
• Other FlexConnect AP download the code

from the master locally
1. Download WLC upgraded firmware (will
become primary) WAN
2. Force the « boot image » Remote Site-1 Remote Site-N
to be the secondary (and not the newly

upgraded one) to avoid parallel download of
all AP in case of unexpected WLC reboot
3. WLC elects a master AP in each
FlexConnect Group (can be also set
manually) Master AP
Firmware Image
Description (Contd.)
Cisco Prime New
Old New
Old
Primary Secondary
4. Master AP « Pre-download » the AP

firmware in the secondary « boot image » Central Site
Wireless LAN
Controller
(will not disrupt the actual service)—Can
be started group per group to limit WAN
exhaust
5. Slave AP « Pre-download » the AP
firmware from the Master AP WAN
AP Firmware Image
Remote Site-1 AP Firmware Image Remote Site-N
6. Change the « boot
image » of the WLC Old New
Old New
to the new image Primary Secondary
Primary Secondary
7. Reboot the controller
Master AP
Configuration
Enable Efficient AP Image

Upgrade
Valid Range is 1-63
Random Backoff Interval
(100-300sec) between
each retry
Master AP Selection is
Optional
• “FlexConnect AP Upgrade” checkbox has to be enabled for each FlexConnect Group.
• By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm.
• One Master select per AP type.
FlexConnect
() Smart AP Image Upgrade
Configuration contd.
Per Branch or FlexConnect Group

Upgrade
Upgrade across all Branches or

FlexConnect Groups whose
“FlexConnect AP Upgrade” checkbox
is set
Bringing All Together – FlexConnect
Best Practices
FlexConnect Best Practices
 Enable FlexConnect Groups

 CCKM/OKC Key sharing for Voice deployments

CONNECT
Enable Smart AP Image Upgrade

FLEX
 Design for Resiliency

 VLAN-WLAN Mappings at Group Level
 Consistent configuration across Primary and Backup WLCs
 VLAN Name override
 VLAN Support and Native VLAN at Group
Summary
• Cisco Unified Wireless Network based on Controllers deliver Wireless Branch Solution
• FlexConnect is the feature designed to solve remote connectivity and WAN constraints
• Several Failover Scenario are targeted to offer Survivability of Small Remote Sites
References:
• Wireless LAN Controller Scale Comparison
Guidehttp://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#controllers
• FlexConnect Branch Controller Deployment Guidehttp://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-

wireless-controllers/112973-flex7500-wbc-guide-00.html
• FlexConnect feature matrixhttp://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-

technote-product-00.html
• Wireless Best Practiceshttp://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-

best-practice.html
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 Amazon gift card.
• Complete your session surveys
through the Cisco Live mobile
app or from the Session Catalog
on CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available

for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you

Cisco-Wireless Branch Deployment

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco-Wireless Branch Deployment

Uploaded by

Copyright:

Available Formats

Branch Office Wireless LAN Design

Rajat Tayal - Technical Marketing Engineer (rtayal@cisco.com)

MOBILITY EXPRESS FLEX CONNECT CONVERGED CENTRALIZED

Small Network Branch Small Campus / Branch Large Campus

Prime Infrastructure, Identity Service Engine, Connected Mobile Experiences

300 290* 290*

1997 1999 2003 2007 2013 2015 2016

• Industry leading 4x4 MIMO:3 spatial streams (SS)

Gigabit Wi-Fi has fully arrived.

• Industry leading 4x4 MIMO:3 spatial streams (SS)

• Small or Mid-size Branch WLCs WAN

• Converged Access Cat-3850

Central Switching Data traffic tunneled back to WLC for an SSID

WAN Limitations Apply

Data 64 kbps 300 ms 5 25

Significant support for IPv6 with Central Switching

Key Differentiation Functionality

Access Points 300-6,000

802.1x based port authentication Deployment Model FlexConnect

 Voice support Form Factor 1 RU

Branches/locations 6,000 (2000 FlexGroups)

FlexConnect Features Release Version

WLC’s of a mobility group

# AP Groups 6000 500 1000 50

Guest-Access AP Group 1 Central Site

AP groups give the ability to enable Wi-Fi

Central Site WAN

• Users see the same

FlexConnect groups allow sharing of:

• CCKM/OKC keys stored on FlexConnect APs for

• The FlexConnect APs receives CCKM/OKC keys WAN

• FlexConnect supports 802.11r Fast Transition with

FlexConnect Group 1 FlexConnect Group 2

Step 2: Add APs to the

• FlexConnect will backup on local

• Lost features Application

• Web authentication, NAC

• FlexConnect will first backup on local switched mode

• CCKM roaming allowed in WAN

• AP will continue to be in Connected mode

• On WAN failure, AP authenticates new

• CCKM fast roaming, or

CCKM Fast Roaming

Local Authentication Central

• Local Authentication allow use of

• On WAN failure, AP authenticates new clients with its

• Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS

Support for Peer-to-Peer blocking in

Standalone mode support

Both modes of operation will drop the packet @ AP

• AAA VLAN Override with local or central VLAN 3

• VLAN ID must be enabled per AP or WAN

Create Sub-Interface on FlexConnect

centrally authenticated WLANs [14179\004] Aire-802.1P-Tag

 Web-authenticated WLANs and 802.1X- [14179\007] Aire-Data-Bandwidth-Average-

parameters [14179\009] Aire-Data-Bandwidth-Burst-

Flex Group A Central Site Flex Group B

FlexConnect ACL – VLAN Mapping from 7.2

Overview Central Site

• FlexConnects ACL are applied per VLAN

512 FlexConnect ACL per WLC Application

• 16 egress ACL per AP

FlexConnect ACL – Split Tunneling from 7.3

FlexConnect AP WLC Central Traffic