
#CLUS

Branch Office Wireless LAN Design

Rajat Tayal (Technical Marketing Engineer)


BRKEWN-2016

Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKEWN-2016

#CLUS BRKEWN-2016 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Agenda
• Wireless LAN Controller and Access Point Portfolio
• Branch Deployment Options
• Evaluate FlexConnect Requirements and identify need for AP Groups & FlexConnect AP Groups
• Design a Resilient, Secure, and BYOD enabled Branch Network
• Design a Service-Ready Branch
• Provision and Operate Wireless Branch over WAN
• Deploying Branch Offices using Cisco Mobility Express

Intent Based Infrastructure - Wireless LAN Controller Portfolio
Multiple Deployment options & SD-Access Wireless Ready

Controller          APs        Clients    Throughput
Mobility Express    100        2000
Cisco 3504          150        3000       4 Gbps
Cisco 5520          1500       20,000     20 Gbps
Cisco 8540          6000       64,000     40 Gbps
Cisco vWLC**        3000       32000      (FlexConnect mode)

[Diagram: scale from Branch Deployment to Campus Deployment, marked Up to 100 APs, Up to 200 APs, Up to 3000 APs, Up to 6000 APs]

The industry’s most comprehensive and
innovative access point portfolio
The best infrastructure leads to the best outcomes
Good - Enterprise class Better Best in class
Ideal for small to medium-sized deployments Mission critical High density

NEW

1815 Series 1830/1850 Series 2800 Series 3800 Series 4800


1815 Series (Indoor/high-powered Indoor, Wall plate/teleworker)
• 2x2:2 SS 80 MHz
• 867 Mbps performance
• Tx beamforming
• Integrated BLE (1)
• Max transmit power (dBm) per local regulations (2)
• 3 GE local ports, including 1 PoE out (3)
• Local ports 802.1X ready (3)
• USB 2.0 (4)

1830/1850 Series
• 3x3:2 SS 80 MHz/4x4:3 SS 80 MHz
• 867 Mbps or 1.7 Gbps performance
• 1 or 2 GE ports uplink
• Internal or external antenna (1850)
• Tx beamforming
• USB 2.0

2800 Series
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink
• Cisco CleanAir® and ClientLink
• Internal or external antenna
• Smart antenna connector
• USB 2.0

3800 Series
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 Multigigabit (5G)
• Cisco CleanAir and ClientLink
• StadiumVision™
• Internal or external antenna
• Smart antenna connector
• USB 2.0
• Modularity for investment protection

4800
• 4 embedded radios (3 Wi-Fi and 1 BLE)
• Cisco Intelligent Capture for DNA Assurance
• Embedded Hyperlocation
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 Multigigabit (5G)
• Cisco CleanAir and ClientLink
• Internal antenna
• USB 2.0
• Integrated BLE

(1) Future availability
(2) Available for high-powered only
(3) Available for wall plate and teleworker only
(4) Available for teleworker only

Designed to be DNA Ready
Industry’s Most Comprehensive Outdoor AP Portfolio
New*

1540
• 802.11ac Wave 2, MU-MIMO
• 2x2:2, 80MHz, 867 Mbps
• Ultra low profile
• Internal antenna only
• PoE (802.3af) power
• Centralized, FlexConnect, Mesh and Mobility Express

1560
• 802.11ac Wave 2, MU-MIMO
• 3x3:3, 80MHz, 1.3Gbps (I)
• 2x2:2, 80MHz, 867Mbps (E/D)
• Internal or External antenna model (I/E)
• Internal directional antenna model (D)
• SFP
• Flexible Antenna Ports
• CleanAir and ClientLink
• Centralized, FlexConnect, Mesh and Mobility Express

1570
• 802.11ac Wave 1
• 4x4:3 80 MHz; 1.3 Gbps
• External antenna model (EAC)
• Cable Modem model (IC/EC)
• SFP/GPS
• PoE Out 802.3at (Ext Ant. only)
• Flexible Antenna Ports
• CleanAir and ClientLink
• Modularity (Ext Ant. only)
• Centralized, FlexConnect and Mesh
• Cable Modem Version Only (IC/EC)
  • DOCSIS 3.0, 24x8
  • Internal or External antenna

DNA Ready | RF Excellence | CMX

802.11ac Wave 2

Unified Wireless Deployment Options

Mobility Express (BRANCH)
• Single or Multi-Site
• Single/Multi-site networks
• Low IT footprints
• 11ac Wave 2 AP (1800, 2800, 3800, 4800)

Flex Connect (BRANCH, over WAN)
• FlexConnect
• Distributed Network
• Highly Scalable
• vWLC, 3504, 5520, 8540

Centralized (CAMPUS, over INTRANET)
• Controller based in campus
• Data Center hosted WLC
• Campus Deployment
• 3504, 5520, 8540

[Diagram labels: DNA Center (Policy, Automation, Assurance), Security, ISE, CMX]

Designing Branch offices using Local Wireless LAN Controller

Branch Office with Local WLAN Controller
• Branches can have Local Controllers
• Small or mid branch with WLC 2504, WLC 3504 etc.
• Cookie cutter configuration for every branch site
• Layer-3 roaming with controller in each branch
• Full local control, no dependency on WAN
• WLC at each site, higher Capital Costs
• Higher OpEX costs

[Diagram labels: Central Site, Backup WLC, CAPWAP, WAN, Remote Site A, Remote Site B, Remote Site C, WLC 3504, WLC 3504, WLC 2504]

Designing Branch offices using FlexConnect

Branch Office Deployment
FlexConnect
• Hybrid architecture
• Single Management and Control point
• Data Traffic Switching
  • Central Switching
  • Local Switching
• Traffic Switching is configured per AP and per WLAN (SSID)
• Standalone Mode will preserve local traffic

[Diagram labels: Central Site, Centralized Traffic, WAN, Remote Office, Local Traffic]

FlexConnect Glossary
01 Connected Mode: When FlexConnect AP can reach WLC, it gets help from controller to complete client authentication
02 Standalone Mode: When FlexConnect AP cannot reach WLC, it goes into standalone mode and does client authentication by itself
03 Central Switching: Data traffic is tunneled back to WLC for the WLAN
04 Local Switching: Data traffic is switched onto local VLANs for the WLAN

Configuring FlexConnect Local Switching

Steps to configure FlexConnect Local Switching
STEP 01 Access Point Mode
• Configure FlexConnect Mode on the Access Point
STEP 02 Enable WLAN for Local Switching
• Enable FlexConnect Local Switching on WLAN
STEP 03 Create WLAN to VLAN mapping
• Configure Native VLAN on FlexConnect AP
• Configure WLAN-VLAN Mapping

Configure FlexConnect mode on Access Point
STEP 01 Access Point Mode
• Configure FlexConnect mode on AP
• Supported Access Points:
  • AP-1540, AP-1560, AP-1570
  • AP-1700, AP-2700, AP-3700
  • AP-1800, AP-2800, AP-3800

NOTE: Older APs also supported

[Screenshot label: FlexConnect mode]

Configure FlexConnect Local Switching on WLAN
STEP 02 Enable WLAN for Local Switching
• WLAN with “FlexConnect Local Switching” enabled will allow local switching of Data Traffic on FlexConnect Access Point

Configure Native VLAN on FlexConnect AP
STEP 03a Configure Native VLAN on FlexConnect AP
• When connecting with a Native VLAN on the AP, the L2 switch port must also match the corresponding Native VLAN configuration on the AP

Configure WLAN to VLAN Mapping
STEP 03b Configure WLAN-VLAN mapping
• Mapping of WLAN to VLAN can be done per FlexConnect AP or FlexConnect Group. The VLAN must also be configured on the switch port

Configure FlexConnect VLAN Mapping
Using Cisco Prime Infrastructure
• Prime Infrastructure provides simplified configuration to all FlexConnect APs with one Lightweight AP Template

Evaluate FlexConnect Architectural Requirements

Flex Connect Design Considerations (For Your Reference)

WAN Limitation Apply

Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
Data              64 kbps               300 ms                  5                    25
Data              640 kbps              300 ms                  50                   1000
Data              1.44 Mbps             1 sec                   50                   1000
Data+Voice        128 kbps              100 ms                  5                    25
Data+Voice        1.44 Mbps             100 ms                  50                   1000
Monitor           64 kbps               2 sec                   5                    N/A
Monitor           640 kbps              2 sec                   50                   N/A

It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip latency no greater than 300 ms for data deployments and 100 ms for Data + Voice deployments.

Flex Connect Design Considerations (For Your Reference)

Feature Limitations in Standalone mode and Local Switching
• MAC/Web Authentication in Standalone Mode
• Service Discovery Gateway
• Native Profiling and Policy Classification
• IPv6 Mobility
• FlexConnect Feature Matrix
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html
• Feature Matrix for 802.11ac Wave 2 Access Points
  https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_feature_matrix_for_802_11ac_wave2_access_points.html

IPv6 Support
• Significant support for IPv6 with Central Switching
• IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching

Why do we need AP and FlexConnect Groups?

Understanding AP Groups
Overview
• AP Groups is a logical concept of grouping APs which deliver similar Wi-Fi services. These services can be:
  • By Physical location, and/or
  • By Functional services (data, voice, guest, etc.)

Scaling               WLC-8540   WLC-5520   WLC-3504
# AP Groups           6000       1500       150
# WLAN (SSID)         512        512        512
# VLAN (Interfaces)   4095       4095       4095

[Diagram labels: Central Site, WLC5520, WAN, Remote Site A, Remote Site B, AP Group 1, AP Group 2, AP Group 3]

AP Groups
Configuration: Create a New Group

AP Groups Use Case - SSID
Per Location SSID
AP groups give the ability to enable Wi-Fi Services (WLAN) based on physical location
• Central Site: Corporate-Data, Corporate-Voice, Guest-Access
• Manufacturing Site: Corporate-Data, Corporate-Voice, Scanners
• Store: Corporate-Data, Guest-Access

[Diagram labels: Internet, Central Site, WAN, Manufacturing Site, Store, AP Group 1, AP Group 2, AP Group 3, with the SSIDs broadcast at each site]

AP Groups Use Case – Access Control
Per AP Group WLAN to VLAN Mapping
• AP groups give the ability to statically map Wi-Fi service (WLAN) to VLAN based on physical location
• Users see the same Corporate-Data Wi-Fi service on all sites.
• Admin can monitor and filter based on the different IP addressing at each site
• Can also be used to have smaller Wi-Fi subnets
  • For example per floor subnets in a building.

[Diagram labels: Head Office / Central Site, WAN, Manufacturing Site, Store, AP Group 1, AP Group 2, AP Group 3, VLAN-1, VLAN-2, VLAN-3, Corporate-Data]

Understanding FlexConnect Groups
Overview
FlexConnect groups allow sharing of:
• CCKM/OKC fast roaming keys
• Local/backup RADIUS servers IP/keys
• Local EAP authentication
• AAA-Override for Local Switching
• FlexConnect AVC
• Smart Image Upgrade

Scaling              WLC-8540   WLC-5520   WLC-3504
FlexConnect Groups   2000       1500       100
AP per Group         100        100        100

[Diagram labels: Central Site, WLC5520, WAN, Remote Site, Remote Site, FlexConnect Group 1, FlexConnect Group 2]

FlexConnect Groups and CCKM/OKC Keys
Overview
• CCKM/OKC keys stored on FlexConnect APs for Layer 2 fast roaming
• The FlexConnect APs receive CCKM/OKC keys from WLC
• If a FlexConnect AP boots up in standalone mode, it will not get the OKC/CCKM keys from the WLC
• FlexConnect supports 802.11r Fast Transition with local key caching

[Diagram labels: Central Site, RADIUS Server, CCKM Keys, WAN, FlexConnect Group 1, FlexConnect Group 2]

FlexConnect Groups Creation
Step 1: Add a New FlexConnect Group
Step 2: Add APs to the FlexConnect Group

FlexConnect Groups Template on PI (For Your Reference)

Designing a Resilient Wireless Branch Network

FlexConnect Resiliency - WAN Failure
WAN Failure
• FlexConnect APs will go to Standalone mode
• No impact for locally switched SSIDs
• Disconnection of centrally switched SSIDs clients
• Static authentication keys are locally stored in FlexConnect AP
• Lost Features
  • RRM, WIDS, location, other AP modes
  • Web authentication, NAC

[Diagram labels: Central Site, WAN, Remote Site, Application Server]

FlexConnect Resiliency – N+1 HA Scenario
WLC Failure scenario with N+1 HA
• FlexConnect APs will go to Standalone mode
• No impact for locally switched SSIDs
• Disconnection of centrally switched SSIDs clients
• CCKM roaming allowed in FlexConnect group
• FlexConnect AP will then search for backup WLC; when backup WLC is found, FlexConnect AP will resync with WLC and resume client sessions with central traffic
• Client sessions with Local Traffic are not impacted during resync with Backup WLC

[Diagram labels: Central Site, Primary WLC, Secondary WLC, WAN, Remote Site, Application Server]

FlexConnect Resiliency – SSO HA Scenario
WLC failure scenario with SSO
• True Box to box High Availability i.e. 1:1. Sub-second failover to StandBy WLC
• Configuration (AP database, Client Run state etc.) information on Active is synched to Standby WLC
• FlexConnect AP will NOT transition to Standalone because SSO kicks in
• AP will continue to be in Connected mode with the Standby (now Active) WLC
• Centrally Switched SSID will never go down

[Diagram labels: Central Site, Active, Standby, WAN, Remote Office, Application Server]

FlexConnect – AAA Survivability
Local Backup RADIUS
• Normal authentication is done centrally
• On WAN failure, AP goes to Standalone mode and authenticates new clients with locally defined RADIUS server
• Existing connected clients stay connected
• Clients can roam with
  • CCKM fast roaming, or
  • Re-authentication

[Diagram labels: Central Site, Central RADIUS, WAN, Remote Site, Local Backup RADIUS, FlexConnect Group, CCKM Fast Roaming]

FlexConnect Group: Local Backup RADIUS
Configuration
Define primary and secondary local backup RADIUS server per FlexConnect group

FlexConnect - Local Authentication
Local Authentication
• By default FlexConnect AP authenticates clients through central controller
• Local Authentication allows use of a local RADIUS server directly from the FlexConnect AP even when WAN is UP

[Diagram labels: Central Site, Central RADIUS, WAN, Remote Site, Local RADIUS, FlexConnect Group]

FlexConnect - Local Authentication
Configuration

FlexConnect Group: Local EAP Authentication
Local Backup Authentication
• Normal authentication is done centrally
• On WAN failure, AP authenticates new clients with its local database
• Each FlexConnect AP has a copy of the local user DB
• Existing authenticated clients stay connected
• Clients can roam with:
  • CCKM fast roaming, or
  • Local re-authentication

Supported Security Types   Release Version
LEAP                       6.0
EAP-FAST                   6.0
PEAP                       7.5
EAP-TLS                    7.5

[Diagram labels: Central Site, Central RADIUS, WAN, Remote Site, FlexConnect Group 1, CCKM Fast Roaming]

FlexConnect Group: Local EAP Authentication
Configuration
• Define users (max 100) and passwords
• Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS

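The WAN-failure behaviour described in the resiliency, AAA survivability and Local EAP slides above can be turned into a pre-deployment check. This is an added example, not Cisco code or part of the original deck: the per-SSID authentication settings and the group settings are constructed, and treating an 802.1X WLAN with neither a local backup RADIUS nor a matching local EAP method as unable to admit new clients is this example's reading of the slides.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Values taken from the slides: local EAP methods and the local user limit.
LOCAL_EAP_METHODS = frozenset({"LEAP", "EAP-FAST", "PEAP", "EAP-TLS"})
MAX_LOCAL_EAP_USERS = 100


@dataclass
class FlexGroupAuth:
    """Authentication fallbacks shared by the APs of one FlexConnect group."""
    name: str
    backup_radius: bool = False                  # local backup RADIUS defined
    local_eap_methods: FrozenSet[str] = frozenset()
    local_users: int = 0                         # entries in the local user DB

    def __post_init__(self) -> None:
        unsupported = self.local_eap_methods - LOCAL_EAP_METHODS
        if unsupported:
            raise ValueError(f"{self.name}: unsupported local EAP {sorted(unsupported)}")
        if self.local_users > MAX_LOCAL_EAP_USERS:
            raise ValueError(f"{self.name}: more than {MAX_LOCAL_EAP_USERS} local users")


@dataclass
class Wlan:
    ssid: str
    local_switching: bool
    auth: str                        # "psk", "dot1x", "webauth" or "mac"
    eap_method: Optional[str] = None


@dataclass
class Outcome:
    existing_clients: str            # "stay connected" or "disconnected"
    new_clients: bool                # can a new client authenticate?
    reason: str


def standalone_outcome(wlan: Wlan, group: FlexGroupAuth) -> Outcome:
    """What happens to one WLAN when its APs drop to standalone mode."""
    if not wlan.local_switching:
        return Outcome("disconnected", False,
                       "centrally switched SSID: clients are disconnected")
    if wlan.auth == "psk":
        return Outcome("stay connected", True,
                       "static authentication keys are stored on the AP")
    if wlan.auth in ("webauth", "mac"):
        return Outcome("stay connected", False,
                       "MAC/web authentication is not available in standalone mode")
    if wlan.auth == "dot1x":
        if group.backup_radius:
            return Outcome("stay connected", True, "local backup RADIUS")
        if wlan.eap_method in group.local_eap_methods and group.local_users > 0:
            return Outcome("stay connected", True, "local EAP on the AP")
        # Reading of the slides (assumption): with no local fallback there is
        # nothing in the branch that can authenticate a new 802.1X client.
        return Outcome("stay connected", False,
                       "no local backup RADIUS or matching local EAP method")
    raise ValueError(f"unknown auth type {wlan.auth!r}")


def new_client_gaps(wlans: List[Wlan], group: FlexGroupAuth) -> List[str]:
    """SSIDs on which new clients cannot join during a WAN outage."""
    return [w.ssid for w in wlans if not standalone_outcome(w, group).new_clients]


# Constructed sample: SSID names come from the deck, their settings do not.
STORE_GROUP = FlexGroupAuth("store", local_eap_methods=frozenset({"PEAP"}),
                            local_users=40)
STORE_WLANS = [
    Wlan("Corporate-Data", True, "dot1x", "PEAP"),
    Wlan("Corporate-Voice", True, "dot1x", "EAP-TLS"),
    Wlan("Guest-Access", False, "webauth"),
    Wlan("Scanners", True, "psk"),
]

if __name__ == "__main__":
    for w in STORE_WLANS:
        o = standalone_outcome(w, STORE_GROUP)
        print(f"{w.ssid:16} existing={o.existing_clients:14} "
              f"new={o.new_clients!s:5} ({o.reason})")
```

The SSO scenario is not modelled because, per the slides, the AP stays in Connected mode there.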
Designing Secure & BYOD Enabled Branch Network

FlexConnect Peer-to-peer Blocking

Local Switching Peer-to-peer Blocking (Starting from 7.2)
Overview
• Support for Peer-to-Peer blocking in FlexConnect AP
• Applies to clients on the same FlexConnect AP
• For P2P blocking inter-AP use ACL
• Standalone mode support

[Diagram labels: Central Site, WAN, Remote Site, Application Server]

Local Switching Peer-to-peer Blocking
Configuration
• Both modes of operation will drop the packet @ AP for Local Switching enabled WLAN
• Multiple Policy Touch Points

* Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream node connected to WLC

FlexConnect AAA VLAN & QoS Override

FlexConnect AAA VLAN Override (Starting from 7.2)
Description
• AAA VLAN Override with local or central authentication
• Up to 16 VLANs per FlexConnect AP
• VLAN ID must be enabled per AP or FlexConnect Group

[Diagram labels: RADIUS, Central Site, WAN, Remote Site, Application Server, FlexConnect Group, VLAN 3, QoS = Silver, VLAN 7, QoS = Platinum]

FlexConnect AAA VLAN Override (For Your Reference)
Configuration
• ISE: IETF 65, IETF 64, IETF 81
• Create Sub-Interface on FlexConnect AP

VLAN Based Central Switching
Overview
• While doing AAA VLAN Override with local switching:
  • If VLAN ID does not exist at the AP, the traffic is central switched to the central VLAN ID
  • If the central VLAN ID does not exist, the traffic is centrally switched to the default VLAN ID of the WLAN

[Diagram labels: Central RADIUS, WAN, Remote Site, VLAN 3, VLAN 7, “VLAN 3 does not exist on this AP”, “VLAN 7 does not exist on this AP”, “VLAN 3 does not exist on this WLC”, “Go to Default VLAN ID”]

FlexConnect AAA QoS Override (Starting from 7.5)
Description
• Dynamically assign QoS levels and/or bandwidth contracts for local switching, centrally authenticated WLANs
• Web-authenticated WLANs and 802.1X-authenticated WLANs supported
• Order of precedence for Rate Limiting parameters
  • AAA override
  • QoS Profile of AAA override
  • Local WLAN configuration
  • QoS Profile of local WLAN configuration

Vendor ID/Vendor Attribute Type
[14179\002] Aire-QoS-Level
[14179\004] Aire-802.1P-Tag
[14179\007] Aire-Data-Bandwidth-Average-Contract
[14179\008] Aire-Real-Time-Bandwidth-Average-Contract
[14179\009] Aire-Data-Bandwidth-Burst-Contract
[14179\0010] Aire-Real-Time-Bandwidth-Burst-Contract

AAA Override Deployment Scenario - VLAN Name
Problem Statement – Map clients to specific VLANs based on their function

Function      Remote Site A VLAN ID   Remote Site B VLAN ID
Engineering   10                      11
Marketing     20                      21
Sales         30                      31

[Diagram labels: Central Site, WAN, Application Server, Remote Site A, Remote Site B, VLAN 20, “VLAN 20 does not exist” at Remote Site B]

VLAN Name Mapping at FlexConnect Group (Starting from 8.1)

VLAN Name     Flex Group A VLAN ID   Flex Group B VLAN ID
Engineering   10                     11
Marketing     20                     21
Sales         30                     31
...           ...                    ...
HR            160                    161

Remote Site A VLAN IDs: 10, 20, 30
Remote Site B VLAN IDs: 11, 21, 31

[Diagram labels: Central Site, WAN, Flex Group A, Flex Group B, Remote Site A, Remote Site B]

VLAN Name AAA Override - Solution (Starting from 8.1)

Attribute: Aire-Interface-Name or IETF Tunnel-Private-Group-ID, with VLAN NAME=Marketing

VLAN Name     Remote Site A VLAN ID   Remote Site B VLAN ID
Engineering   10                      11
Marketing     20                      21
Sales         30                      31

Result: VLAN 20 at Remote Site A, VLAN 21 at Remote Site B

[Diagram labels: Central Site, WAN, Application Server, Remote Site A, Remote Site B]

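The override behaviour from the AAA VLAN Override, VLAN Based Central Switching and VLAN Name mapping slides, as an added example (not Cisco code or part of the original deck). It uses the deck's VLAN tables for Flex Group A and B; the AP names, the WLAN default VLAN 100 and the `Finance` name are constructed, and a name with no group mapping is reported as unresolved because the slides do not cover that case.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

MAX_VLANS_PER_AP = 16  # slide: "Up to 16 VLANs per FlexConnect AP"


@dataclass
class FlexGroup:
    name: str
    vlan_names: Dict[str, int]   # VLAN name -> VLAN ID, held per FlexConnect group


@dataclass
class FlexAP:
    name: str
    group: FlexGroup
    vlans: FrozenSet[int]        # VLAN IDs enabled on this AP

    def __post_init__(self) -> None:
        if len(self.vlans) > MAX_VLANS_PER_AP:
            raise ValueError(f"{self.name}: more than {MAX_VLANS_PER_AP} VLANs")


@dataclass
class Decision:
    switching: str               # "local", "central", "central-default", "unresolved"
    vlan: Optional[int]
    reason: str


def resolve(ap: FlexAP, aaa_vlan: Union[str, int],
            wlc_vlans: FrozenSet[int], wlan_default_vlan: int) -> Decision:
    """Where does a client land after RADIUS returns a VLAN name or VLAN ID?"""
    if isinstance(aaa_vlan, str):
        # VLAN name (Aire-Interface-Name / Tunnel-Private-Group-ID) is
        # translated with the mapping of the AP's FlexConnect group.
        vlan_id = ap.group.vlan_names.get(aaa_vlan)
        if vlan_id is None:
            return Decision("unresolved", None,
                            f"{aaa_vlan!r} has no mapping in {ap.group.name}")
    else:
        vlan_id = aaa_vlan
    if vlan_id in ap.vlans:
        return Decision("local", vlan_id, "VLAN exists on the AP")
    if vlan_id in wlc_vlans:
        return Decision("central", vlan_id,
                        "VLAN missing on the AP, present on the WLC")
    return Decision("central-default", wlan_default_vlan,
                    "VLAN missing on the AP and the WLC")


def audit(aps: List[FlexAP], aaa_values: List[Union[str, int]],
          wlc_vlans: FrozenSet[int], wlan_default_vlan: int
          ) -> List[Tuple[str, Union[str, int], Decision]]:
    """Every (AP, returned value) pair that does NOT end up locally switched."""
    findings = []
    for ap in aps:
        for value in aaa_values:
            decision = resolve(ap, value, wlc_vlans, wlan_default_vlan)
            if decision.switching != "local":
                findings.append((ap.name, value, decision))
    return findings


# VLAN tables from the deck; AP names and the default VLAN are constructed.
GROUP_A = FlexGroup("Flex Group A", {"Engineering": 10, "Marketing": 20, "Sales": 30})
GROUP_B = FlexGroup("Flex Group B", {"Engineering": 11, "Marketing": 21, "Sales": 31})
AP_A = FlexAP("site-a-ap1", GROUP_A, frozenset({10, 20, 30}))
AP_B = FlexAP("site-b-ap1", GROUP_B, frozenset({11, 21, 31}))
WLC_VLANS = frozenset({20})      # central site carries VLAN 20 in the deck's diagram
WLAN_DEFAULT_VLAN = 100          # constructed

if __name__ == "__main__":
    for ap_name, value, d in audit([AP_A, AP_B], ["Marketing", 20, 99, "Finance"],
                                   WLC_VLANS, WLAN_DEFAULT_VLAN):
        print(f"{ap_name}: AAA value {value!r} -> {d.switching} "
              f"(VLAN {d.vlan}): {d.reason}")
```

Returning the numeric ID 20 to Remote Site B is the case the problem-statement slide illustrates: the client is not rejected, its traffic is carried over the WAN into the central VLAN 20, whereas the name `Marketing` keeps it local on VLAN 21.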
FlexConnect ACL VLAN Mapping

FlexConnect ACL – VLAN Mapping
Overview
• FlexConnect ACLs are applied per VLAN
• FlexConnect ACLs are Ingress / Egress oriented
• FlexConnect ACLs support AAA-returned Client ACL

ACL Scale
• 512 FlexConnect ACL per WLC
• 16 ingress ACL per AP
• 16 egress ACL per AP
• 64 ACL rules per ACL
• 20 DNS rules per Pre-Auth ACL
• No IPv6 ACL

[Diagram labels: Central Site, WAN, Remote Site, Application Server]

FlexConnect Access Lists
Configuration – Create FlexConnect ACL
• FlexConnect ACL rule creation is similar to rule creation for Local Mode AP

FlexConnect ACL – VLAN Mapping
Configuration – FlexConnect ACL per AP
• FlexConnect ACL can be applied per AP using VLAN Mappings configuration

FlexConnect ACL – VLAN Mapping
Configuration – FlexConnect ACL per FlexConnect Group
• FlexConnect ACL can be applied per FlexConnect Groups per VLAN in the ACL Mapping tab.

FlexConnect Split Tunneling (Using FlexConnect Split ACL)

FlexConnect ACL – Split Tunneling (Starting from 7.3)
Overview
• Split tunneling allows some traffic to be locally switched although the WLAN is defined as centrally switched
• Split tunneling uses a NAT/PAT feature with an ACL to perform the local switching
• Split tunneling uses the AP IP address for the NAT/PAT feature

[Diagram labels: FlexConnect AP (NAT/PAT, ACL), CAPWAP, WAN, WLC, Central Traffic, Central Server, Local Traffic, Local Printer]

FlexConnect ACL – Split Tunneling
Configuration
• Create a centrally switched WLAN (Flex Local switching should NOT be checked)
• Define Flex ACL to match traffic to be locally switched

[Screenshot labels: Central subnet, Local subnet]

FlexConnect ACL – Split Tunneling
Configuration – Per Access Point

FlexConnect ACL – Split Tunneling
Configuration – Per FlexConnect Group

Deploying BYOD with FlexConnect Local Switching (Using FlexConnect WebPolicies ACL)

Bring Your Own Device(s) : The New Normal

BYOD - Device On-boarding in FlexConnect
Example: Apple iOS Device Provisioning
1. Initial Connection Using PEAP
2. Device Provisioning Wizard
   Client Reconnects
3. Future Connections using EAP-TLS

[Diagram labels: WLC, ISE, CA-Server]

FlexConnect Access Lists for BYOD
Create FlexConnect ACL
• Create FlexConnect ACL to allow access to Cisco ISE

FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect AP
• ACL Mapping can be configured per FlexConnect AP

FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect Group
• Use ACL Mapping tab in FlexConnect Group configuration
• WebPolicies ACLs are not the same as VLAN ACL or WebAuthentication ACL.

Cisco Wireless Central DHCP Processing
Configuration
• To support DHCP Profiling Probe with FlexConnect, DHCP request must be sent to WLC. This is done by the “Central DHCP Processing” configuration.

Deploying BYOD with FlexConnect Wireless
802.1x/EAP Authentication

[Diagram labels: FlexConnect AP, CAPWAP, WAN, WLC, ISE, DHCP Server, Web Server]

• WiFi Association
• 802.1x/EAP Request (Inside CAPWAP)
• Radius Access-Request
• ISE: Unknown Device, Redirect to registration
• Radius Access-Response
  • Access-Type: Access-Accept
  • URL-Redirect-ACL=FlexACLWebPolicy
  • URL-Redirect=http://……
• URL + ACL Redirect (Inside CAPWAP)
• 802.1x/EAP Response (Inside CAPWAP)

Deploying BYOD with FlexConnect Wireless
DHCP Request

[Diagram labels: FlexConnect AP, CAPWAP, WAN, WLC, ISE, DHCP Server, Web Server]

• DHCP Request (Inside CAPWAP)
• RADIUS-Accounting
  • host-name=MyiPad
  • dhcp-class-identifier=APPLE
• ISE: Device is an iPad
• DHCP Lease (Inside CAPWAP)

Deploying BYOD with FlexConnect Wireless
URL-Redirect

[Diagram labels: FlexConnect AP, CAPWAP, WAN, WLC, ISE, DHCP Server, Web Server]

• HTTP Request
• HTTP Request Redirected to WLC by AP (Inside CAPWAP)
• URL-Redirect

Deploying BYOD with FlexConnect Wireless
Registration & Provisioning

[Diagram labels: FlexConnect AP, CAPWAP, WAN, WLC, ISE, DHCP Server, Web Server]

• Device Registration & Provisioning
• ISE: Device is Registered
• Trigger Change-of-Auth
• RADIUS Change-of-Authorization
• EAP DeAuthentication
• EAP Authentication

Deploying BYOD with FlexConnect Wireless
Summary – Device Access

[Diagram labels: FlexConnect AP, CAPWAP, WAN, WLC, ISE, DHCP Server, Web Server]

• 802.1x/EAP Request/Response (Inside CAPWAP)
• Radius Access-Request
• ISE: Device is Registered And Provisioned
• Radius Access-Response: Allow Access
• DHCP Request/Response (Inside CAPWAP)
• Web Traffic

Summary of FlexConnect ACLs
1. VLAN-ACL: Applied on the 802.3 interface of the FlexConnect AP
2. AAA returned Client ACL: Applied on the 802.11 interface of the AP
3. Split Tunnel ACL: Allow some traffic to be locally switched
4. Web Policies ACL: for BYOD with FlexConnect

Wireless TrustSec Support

Wireless TrustSec Support (Starting from 8.4)

• Classification: Static & Dynamic Assignments (Assigning SGTs)
• Propagation: Inline SGT & SXP
• Enforcement: Security Group ACL

[Diagram labels: 5 Employee, 6 Voice, 7 Partner, A, B]

Topology, location independent
Policy (SGT) stays with endpoint.
Simplifies ACL management traffic

AP mode   SXPv4 on AP   Inline Tagging on AP   SGACL Enforcement
Local     NO            NO                     YES
Flex      YES           YES                    YES
Mesh      NO            NO                     YES (Indoor only)

Service-Ready Branch
Application Visibility and Control
Video Stream

FlexConnect Application Visibility and Control

How AVC solution works on wireless? (AireOS 8.1)
• Deep Packet Inspection (NBAR on AP): DPI engine (NBAR2) identifies applications using L7 signatures
• Perf. Collection & Exporting (Static Netflow): AP collects application info and exports it to controller/switch every 90 seconds
• Visibility and User Experience (App Visibility & User Experience Report): Advanced reporting tool aggregates and reports application performance
• Control: Use QoS to control application bandwidth usage to improve application performance

App      BW      Transaction Time   …
WebEx    3 Mb    150 ms             …
Citrix   10 Mb   500 ms             …

AVC on FlexConnect APs
Katana
Gen2 AP, NBAR Engine 23, PP 14

• Netflow Export from AP to WLC
• Real-time information for last 90 seconds
• Stateful context transfer on roam

Flow ID   App Name    Packets
1         WebEx       1000
2         Msft-Lync   2300
3         Skype       660

Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
Data + Flex AVC   75 Kbps               300 msec                5                    25

[Diagram labels: BRANCH, WAN, Gen2 AP]

AVC for FlexConnect APs

AP Functionality
• NBAR2 engine on FlexConnect AP
• Protocol Pack 14.0
• NBAR engine version 16
• Send flows to WLC every 90 sec using Netflow
• Classification and Control at AP
  • Mark (DSCP)
  • Drop
  • Rate-limit
• Supported APs: 1600, 1800, 2600, 3600, 1700, 2700, 2800, 3700, 3800, 1532, 1570
• FlexConnect and Flex+bridge mode supported

WLC Functionality
• Export to external Netflow supported
• Intra FlexConnect Group Roaming Support
• Supported on all controller models except 2504
• Supported APs: 1600, 1800, 2600, 3600, 1700, 2700, 2800, 3700, 3800, 1532, 1570

AVC Configuration on Local Switching WLAN

WLAN AVC Configuration

Local Switching WLAN

AVC Configuration per FlexConnect Group
• FlexConnect Group specific AVC configuration takes precedence over WLAN AVC config
• No AP Specific AVC configuration.
• WLAN AVC configuration will be pushed to Flex APs where WLAN is broadcast

[Screenshot labels: Application Visibility WLAN-Specific Enable/Disable; FlexConnect Group AVC configuration: Enable/disable, Profile, Monitor per WLAN]

FlexConnect AVC Profiles
• FlexConnect AVC profiles can be associated under WLAN and/or FlexConnect Group

FlexConnect AVC Applications
• Protocol Pack version 8.0
• Engine version 16

Monitoring AVC Statistics per FlexConnect Group
• Per Client AVC Statistics
• Per FlexConnect Group AVC Statistics

FlexConnect VideoStream

Video Multicast Delivery Challenges
Technical Challenges
• Multicast packets (UDP) are sent as broadcast packets over the air per 802.11 standard
• Broadcast packets do not use error correction: “fire and forget”
• Broadcast packets are sent at data rate mandatory to all clients connected to the WLAN
  • 1 Mb for B/G (400K actual)
  • 6 Mb for A (2.7 Mb actual)

Video Impact
• Choppy, Unreliable Video
• Heavy utilization of channel due to high rate of very slow packets
• Video delivery is not reliable causing poor Quality of Experience

[Figure: Video Server sending at the default 802.11B/G mandatory data rates; 802.11 data rates shown are B/G 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 and N M0, M1, ..., M14, M15]

Video Multicast Delivery Solution (starting from 8.0)

Technical Solution
• IGMP state monitored for each client. Only send video to clients requesting
• Sent as unicast to individual clients at their data rate
• Multicast packets replicated at AP

Video Impact
• Smooth, Reliable Video delivered to multiple clients
• Quality of Video protected in varying channel load conditions
• Prioritizes Business Video (QoS Gold) over other video (Best-effort)

[Figure: Video Server and the 802.11 data rates (B/G: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54; N: M0 ... M15), with the default 802.11B/G mandatory data rates marked]

FlexConnect VideoStream Configuration
Enable VideoStream - Global

(Cisco Controller) >config media-stream multicast-direct ?


enable Enable Global Multicast to Unicast Conversion
disable Disable Global Multicast to Unicast Conversion

FlexConnect VideoStream Configuration
Add Stream Configuration

(Cisco Controller) >config media-stream add multicast-direct <media-stream-name> <start-IP> <end-IP> [template | detail <bandwidth> <packet-size> <Re-evaluation> video <priority> <drop|fallback>]

FlexConnect VideoStream Configuration
Enable VideoStream - WLAN

(Cisco Controller) >config wlan media-stream multicast-direct 1 ?


enable Enables Multicast-direct on the WLAN
disable Disables Multicast-direct on the WLAN.

FlexConnect VideoStream Monitoring
Controller

(Cisco Controller) >show flexconnect media-stream client summary


Client Mac Stream Name Multicast IP AP-Name VLAN Type
----------------- -------------------- --------------- ------------------------- ----- ----------------
7c:d1:c3:86:7e:dc Media2 229.77.77.28 AP_1600 0 Multicast Direct
88:cb:87:bd:0c:ab Media2 229.77.77.28 AP_1600 0 Multicast Direct
d8:96:95:02:7e:b4 Media2 229.77.77.28 AP_1600 0 Multicast Direct

FlexConnect Bridge Mode Support

FlexConnect on Mesh APs (starting from 8.0)
• New AP mode that allows FlexConnect behavior across mesh-enabled APs
• FlexConnect Groups
• Max 8 Mesh hops, Max 32 MAPs per RAP
• Local AAA support
• A WLC can have a mix of Bridge and Flex + Bridge
• MAPs inherit VLANs from their connected RAP

[Diagram: Central Site and Remote Office connected over the WAN, showing Centralized Traffic and Local Traffic for the Central Data WLAN and the Local Data WLAN]

FlexConnect-Bridge Failover Scenario

Failover Considerations
• AP SSO is supported for the RAP only. N+1 Recommended
• Multi-sector RAP deployments can be used for redundancy
• RAP to standalone mode when WLC is not reachable
• MAPs to standalone mode when WLC is not reachable but gateway is
• When in standalone mode no new mesh AP can join the mesh tree

[Diagram: Primary and Secondary WLC, WAN, Remote Office, Application Server]

AP Modes Feature Comparison (For Your Reference)

Feature \ AP Mode | Local Mode | Bridge Mode | Flexconnect Mode | Flex+Bridge Mode
------------------|------------|-------------|------------------|-----------------
Central Switching | Yes | Yes | Yes | Yes
Root Ethernet VLAN | No | Yes (secondary Ethernet bridging hosts) | Yes | Yes
Secondary Ethernet Access Ports | No | Yes | No | Yes
Secondary Ethernet VLAN Trunk Ports | No | Yes | No | Yes
Local VLAN Inheritance by MAPs from RAPs | No | Yes - Secondary Ethernet "access" ports only | No | Yes – both bridged 802.11 WLANs and Ethernet "access" ports
Wireless Child Mesh APs | No | Yes | No | Yes
Fault Tolerant Resilient Mode | No | No | Yes | Yes
Security ACLs per VLAN on Ethernet Root Ports | No | No | Yes | Yes (on RAPs)
Integrated IP Routing (PPP/PPPoE/NAT) | No | No | Yes | Yes (on RAPs)
VLAN Transparent Bridging | No | No | No | No
Path Control Protocol | No | Yes | No | Yes

FlexConnect Bridge Mode Configuration
Wireless > Access Points > AP_NAME > General
• AP will reboot upon change

Wireless > Access Points > AP_NAME > FlexConnect
• Same options as an AP in Flex Mode

Operating the Wireless Branch
• Branch Office Provisioning
• Branch Office Upgrade over WAN

Branch Office Provisioning

Network Plug-N-Play – Simple, Secure, Scalable

Today's Process
1. Pre Provision (Central Staging Facility; Network Admin or Reseller/Partner): Install OS, Install Config, Prime device, then ship the equipment to the projects/sites
2. Install & Power-on devices (Installer at Site-1, Site-2, Site-3)
3. Monitor device installation (Network Admin)

Network / Business Challenges
• Direct Costs
  • Shipping after Configuring device
  • Travel costs for IT installer
• Complexity
  • Config errors
  • Different products / processes
• Security
  • 3rd party not secure
• Time/Productivity
  • Manual process
  • Shipping, Storage, Travel

Network Plug & Play Discovery options

01 DHCP Option 43 (DHCP Server)
   PnP String: 5A1D;B2;K4;I172.19.45.222;J80

02 DNS Lookup (DNS Server)
   pnpserver.localdomain, e.g. 172.19.45.222 (PnP Server)

03 Cisco Cloud Redirection (Cloud)
   Cisco PnP Cloud Re-direct Service to On-Prem PnP

03 CAPWAP
   CAPWAP based WLC discovery for AP

Branch Provisioning with PnP Server

PID | Serial # | Hostname | WLC IP address | AP Mode | Flex Group name
----|----------|----------|----------------|---------|----------------
AIR-CAP3702I-A-K9 | RFD0PP2T025 | AP-Store1-1 | 192.168.15.1 | FlexConnect | FlexGrp1

PnP Server
• Places AP in appropriate flexgroup
• Apply relevant flex configs to AP

Day 0: Network Admin pre-provisions branch APs in PnP server
• WLC IP (Prim/Sec/Ter)
• AP Name
• AP Mode (Flex)
• AP Group Name
• Flex Group Name

Day 1: Remote Installer on branch
• Mount and cable devices
• Power-on

* Resources required for PnP: 64 Gb RAM, 500 Gb Storage. Scale: 10,000 devices

Branch Office Upgrade over WAN

Upgrading a FlexConnect Deployment

Concerns
• Sites using FlexConnect APs are usually sites with low WAN bandwidth
• Each site may have a small number of APs, but an enterprise may have a lot of branches
• Upgrading ~6000 APs through a low bandwidth WAN is a challenge:
  • Time needed to download all the AP firmware
  • Exhaustion of the WAN link
  • Risk of failures during the download

Goal is to minimize downloads over WAN

FlexConnect Smart AP Image Upgrade (starting from 7.2)

Overview
• Smart AP Image Upgrade uses a "master" AP in each FlexConnect Group to download the code.
• Other FlexConnect APs download the code from the master locally

Description
1. Download WLC upgrade firmware (will become primary)
2. Force the "boot image" to be the secondary (and not the newly downloaded one) to avoid parallel download of all AP in case of unexpected WLC reboot
3. WLC elects a master AP in each FlexConnect Group (can be also set manually)
4. Master AP "Pre-download" the AP firmware in the secondary "boot image" (will not disrupt the actual service). Can be started group per group to limit WAN exhaust
5. Slave AP "Pre-download" the AP firmware from the Master AP
6. Change the "boot image" of the WLC to the new image
7. Reboot the controller

[Diagram: Cisco Prime and the Wireless LAN Controller at the Central Site; Remote Site-1 to Remote Site-N across the WAN, each with a Master AP; WLC and AP firmware images shown as Old/New in the Primary/Secondary slots]

FlexConnect Smart AP Image Upgrade Configuration

Screenshot callouts:
• Enable Efficient AP Image Upgrade
• Valid Range is 1-63
• Random Backoff Interval (100-300sec) between each retry
• Master AP Selection is Optional

• "FlexConnect AP Upgrade" checkbox has to be enabled for each FlexConnect Group.
• By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm.
• One Master is selected per AP type.

FlexConnect Smart AP Image Upgrade Configuration contd.

• Per Branch or FlexConnect Group Upgrade
• Upgrade across all Branches or FlexConnect Groups whose "FlexConnect AP Upgrade" checkbox is set

Bringing All Together – FlexConnect Best Practices

FlexConnect Best Practices
Enable FlexConnect Groups
• Enable FlexConnect Groups
• CCKM/OKC Key sharing for Voice deployments
• VLAN Support and configure Native VLAN at Group
• VLAN-WLAN Mappings at FlexConnect Group Level
• VLAN Name override
• Consistent configuration across Primary and Backup WLCs
• Design for AAA Resiliency
• Enable Smart AP Image Upgrade

Summary
• Cisco Unified Wireless Network based on Controllers delivers the Wireless Branch Solution
• FlexConnect is the feature designed to solve remote connectivity and WAN constraints
• Several failover scenarios are targeted to offer survivability of small remote sites

References:
• Wireless LAN Controller Scale Comparison Guide - http://www.cisco.com/c/en/us/products/wireless/wireless-lan-controller/product-comparison.html
• FlexConnect Branch Controller Deployment Guide - http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html
• FlexConnect feature matrix - http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html
• Wireless Best Practices - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-best-practice.html

Wireless Branch Deployment
Cisco Mobility Express

Cisco Mobility Express: Simple by Design
Controller Function embedded into the access point
• Runs WLAN Controller on access point
• Investment Protection - Add controller without changing Access Point
• Mobile app/WebUI/PnP to configure up to 100 access points
• Best Practices activated by default
• Simple UI monitors, manages and troubleshoots your network

Simple, Fast / IT Flexible / Enterprise Class

Cisco Mobility Express: Access Point Support

Access Point | APs | Clients
-------------|-----|--------
AIR-AP1815I/M-x-K9C | 50 | 1000
AIR-AP1852-x-K9C | 50 | 1000
AIR-AP3800-x-K9C | 100 | 2000
AIR-AP1562-x-K9C | 100 | 2000
AIR-AP1815w-x-K9C | 50 | 1000
AIR-AP1832-x-K9C | 50 | 1000
AIR-AP2800-x-K9C | 100 | 2000
AIR-AP1542-x-K9C | 50 | 1000

Mobility Express WLAN Deployment
Branch solution for small, medium or distributed enterprise with multiple management options

Management options
• Mobile App or WebUI
• DNA Center: Policy, Automation, Assurance, Security
• ISE
• CMX

Deployment types
• Single Office: Mobility Express
• Distributed Office: Mobility Express
• Distributed Enterprise: Mobility Express in Branch, Controller Based in campus

Positioning Cisco Mobility Express
• K-12 Education: Use innovative learning tools and bring a large-school experience to smaller sites
• Hospitality: Connect to customers through loyalty applications and offer revenue-generating services
• Retail: Accept mobile payments and offer your services to customers everywhere
• Small/Midsize offices: Provide robust Wifi to employees along with guest access. Same experience as bigger office

DNA ready for Small to Medium size, Single or Multi site deployments

Mobility Express Interoperability
• AireOS 8.7
• ISE 2.2 or higher
• DNA Center 1.2 EFT, DNA Center 1.2.x GA
• CMX Presence & Analytics, CMX Location, CMX Engage

DNA Ready for Small to Medium Size, Single or Multi site Deployments

Branch Offices with Cisco Mobility Express

Overview
• Mobility Express is based on FlexConnect Architecture
• Supports Central Authentication, Local Switching
• DNAC and ISE at Central Site

Advantages
• Cookie cutter configuration for every site
• Independent or centralized manageability of each site

[Diagram: Central Site (Network Plug and Play, DNAC, ISE) connected over the WAN to Site A, Site B and Site C]

Deploying Cisco Mobility Express
Depending on the deployment, Mobility Express capable Access Points can be connected to an access port or a trunk port on the switch. Management traffic is always untagged.

• If Access Points and WLANs are all on the same network, Mobility Express capable Access Points can connect to an access port on the switch port.
• If Access Points and WLANs are all on different VLANs, Mobility Express capable Access Points will connect to a trunk port on the switch and traffic for individual WLANs will be switched locally on to local VLANs.

[Diagram: access-port case with APs and the Employee, Contractor and Guest WLANs all on VLAN 10; trunk-port case with VLAN 10, VLAN 20, VLAN 30 and VLAN 40 and the Employee, Contractor and Guest WLANs on separate VLANs]

Deployment methods for Cisco Mobility Express

01 OTAP: Over-the-Air-Provisioning
02 Command Line Interface: Setup Wizard using CLI
03 Network Plug and Play: Using Network Plug and Play and DNAC

Over-the-Air Provisioning Devices

Cisco Wireless App (Free Download!)


Laptop

Provision Monitor

Setup Wizard – Over the Air Provisioning
CREATE ADMIN ACCOUNT > SET UP YOUR CONTROLLER > CREATE WIRELESS NETWORK > CONFIRM SETTINGS

Deploying using APIC-EM/Network Plug and Play

01 Private Cloud
   APIC-EM controller can be reached by Mobility Express Access Point in customer premises. Access Point can then download the controller configuration file from Network Plug and Play service.

02 Cisco Cloud Redirect
   Cloud based redirecting service which redirects Mobility Express Access Point to an APIC-EM controller residing in customer premises. These APs can download the controller configuration file from Network Plug and Play app service.

Network Plug and Play – Private Cloud

ip dhcp pool pnp_device_pool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 option 43 ascii "5A1N;B2;K4;I192.168.1.123;J80"

Participants: Master AP running PnP Agent (LAN), LAN/WAN, PnP Server (uses self signed SSL certificate)

Flow
1. DHCP Request
2. DHCP response with APIC-EM IP address in DHCP option 43
3. PnP Agent initiates HTTP communication with the PnP Server and sends the device UDI (HTTP PnP work request with device serial number (UDI))
4. PnP Server receives UDI and sends server SSL certificate over HTTP
5. PnP Agent installs local trustpoint for the server SSL certificate
6. PnP Agent initiates HTTPS communication with the server and sends the device UDI (HTTPS PnP work request with device serial number (UDI))
7. PnP Server receives UDI and sends ME controller configuration over HTTPS
8. Master AP reboots and will run the controller configuration after it comes back up

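The two option 43 strings on these slides (5A1D;B2;K4;I172.19.45.222;J80 and 5A1N;B2;K4;I192.168.1.123;J80) can be decoded and reviewed before they are pushed to a branch DHCP scope. The following is an added example, not code from the presentation or from Cisco; the field meanings follow Cisco's published PnP option 43 layout, which the slides do not spell out, and the function names and finding codes are hypothetical.

```python
import ipaddress

# Field meanings per Cisco's published PnP option 43 layout (not explained on
# the slides): header "5A1N" = sub-option 5, active mode, version 1,
# N = debug off / D = debug on; B = address type; K = transport;
# I = server address; J = port.
TRANSPORTS = {"4": ("http", 80), "5": ("https", 443)}
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4", "3": "ipv6"}


def parse_pnp_option43(value):
    """Return the decoded fields of a PnP option 43 string, or raise ValueError."""
    parts = [p.strip() for p in value.strip().strip('"').split(";") if p.strip()]
    if not parts:
        raise ValueError("empty option 43 string")
    header, body = parts[0], parts[1:]
    if (len(header) != 4 or header[:2] != "5A"
            or not header[2].isdigit() or header[3] not in ("D", "N")):
        raise ValueError("bad PnP header: %r" % header)
    fields = {}
    for part in body:
        key, val = part[0], part[1:]
        if key in fields:
            raise ValueError("duplicate field %s" % key)
        if not val:
            raise ValueError("field %s has no value" % key)
        fields[key] = val
    for required in ("B", "K", "I"):
        if required not in fields:
            raise ValueError("missing field %s" % required)
    if fields["K"] not in TRANSPORTS:
        raise ValueError("unknown transport K%s" % fields["K"])
    if fields["B"] not in ADDRESS_TYPES:
        raise ValueError("unknown address type B%s" % fields["B"])
    transport, default_port = TRANSPORTS[fields["K"]]
    address_type = ADDRESS_TYPES[fields["B"]]
    server = fields["I"]
    # The declared address type must match the value; both raise ValueError.
    if address_type == "ipv4":
        ipaddress.IPv4Address(server)
    elif address_type == "ipv6":
        ipaddress.IPv6Address(server)
    port = int(fields.get("J", default_port))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return {
        "version": int(header[2]),
        "debug": header[3] == "D",
        "address_type": address_type,
        "transport": transport,
        "server": server,
        "port": port,
    }


def audit(parsed):
    """Return (code, message) findings a reviewer would raise for a parsed string."""
    findings = []
    if parsed["transport"] == "http":
        findings.append((
            "cleartext-transport",
            "K4 selects HTTP: the first work request (device UDI) and the server "
            "certificate the agent installs as its trustpoint are not authenticated; "
            "provision over a trusted segment or use K5 with a certificate the "
            "agent can validate",
        ))
    if parsed["debug"]:
        findings.append((
            "debug-enabled",
            "header ends in D: PnP agent debugging is on; use N outside the lab",
        ))
    mismatched = {("http", 443), ("https", 80)}
    if (parsed["transport"], parsed["port"]) in mismatched:
        findings.append((
            "port-transport-mismatch",
            "port %d does not match transport %s" % (parsed["port"], parsed["transport"]),
        ))
    return findings


if __name__ == "__main__":
    # The two strings shown on the slides.
    for raw in ("5A1D;B2;K4;I172.19.45.222;J80", '"5A1N;B2;K4;I192.168.1.123;J80"'):
        decoded = parse_pnp_option43(raw)
        print(raw, "->", decoded["transport"], decoded["server"], decoded["port"])
        for code, message in audit(decoded):
            print("  [%s] %s" % (code, message))
```

Both slide strings use K4, which matches the flow above where the server certificate is delivered over HTTP before the agent switches to HTTPS.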
Network Plug and Play – Public Cloud

ip dhcp pool pnp_device_pool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 171.70.168.183 8.8.8.8
 domain-name cisco.com

Participants: Master AP running PnP Agent, Internet, Cisco Cloud Redirect Server, DMZ, PnP Server (uses self signed SSL certificate)

Flow
1. DHCP Request
2. DHCP server responds with device IP, domain name and DNS server
3. Device creates pre-defined cloud redirect server name (devicehelper.cisco.com) and resolves for IP address
4. Device establishes communication with Cloud Redirect Server (HTTP request with device serial number (UDI))
5. Cloud redirect server receives UDI and sends APIC-EM IP address
6. PnP Agent initiates HTTP communication with the APIC-EM server and sends the device UDI (HTTP PnP work request with device serial number (UDI))
7. PnP Server receives UDI and sends server SSL certificate over HTTP
8. PnP Agent installs local trustpoint for the server SSL certificate
9. PnP Agent initiates HTTPS communication with the server and sends the device UDI (HTTPS PnP work request with device serial number (UDI))
10. PnP Server receives UDI and sends ME controller configuration over HTTPS
11. Master AP reboots and will run the controller configuration after it comes back up

Cisco Mobility Express Software Update

Software Update Transfer Modes

01 TFTP: Requires external TFTP server to be configured with AP images
02 HTTP: Local AP image file upload. Works if all Access Points are the same type
03 Cisco.com: Update directly from cisco.com. Requires SmartNet on APs and cisco.com account
04 SFTP (Release 8.7): Recommended option for s/w updates over WAN. Requires external SFTP with AP images

Available with 8.7

Day 0 + Software Update - Flow

Participants: Master AP running PnP Agent (LAN), WAN, PnP Server (uses self signed SSL certificate), SFTP server with AireOS 8.8 AP images

Flow
1. PnP Agent initiates HTTPS communication with the server and sends the device UDI (HTTPS PnP work request with device serial number (UDI))
2. PnP Server receives UDI and sends ME controller configuration over HTTPS
3. Configuration file has trigger for s/w update from SFTP server
4. AireOS 8.8 AP images sent to ME network

[Diagram: Master AP labelled 8.7 and 8.8]

Cisco Mobility Express Features

Evolution of Cisco Mobility Express

Releases on the timeline
• DEC, 2017: AireOS 8.6
• JUL, 2017: AireOS 8.5
• MAR, 2017: AireOS 8.4
• FEB, 2016: AireOS 8.3 MR1
• AUG, 2016: AireOS 8.3
• DEC, 2015: AireOS 8.2
• SEP, 2015: AireOS 8.1 MR2

Features on the timeline
• AP Groups
• RF Profiles
• 802.1x on Access Points
• AP Global Credentials
• Preferred Master
• Save Configuration Notification
• TLS Secure Tunnel
• CALEA
• Passpoint
• Centralized NAT
• Support for Fastlane in UI
• TACACS+ and RADIUS Support
• ACL Enhancements
• Configuring External Antennas
• Application Control
• Support for Apple Features
• Guest WLAN Enhancements
• MAC Filtering
• Lobby Ambassador
• Expert View
• Conversion Support in UI
• Scale - 100 APs/2000 clients
• Day 0 using PnP
• Site Survey
• Support on 1562 AP
• Support on 2800 & 3800
• Internal DHCP server support
• Software Update – cisco.com
• CMX Cloud Support
• SNMPv3 Support
• Serviceability improvements
• Setup Wizard via CLI
• Software Update – HTTP
• NTP Pool support

Evolution of Cisco Mobility Express

APR, 2018: AireOS 8.7
• DNA Centre support - WSA agent & enable DNA-C connectivity
• Ability to update s/w during Day 0 using Network PnP
• Support for SFTP software download transfer mode
• Support for Optimal AP Join
• Support for Bi-directional rate limit per client, BSSID and WLAN
• Ability to limit clients per WLAN, per radio
• Support for RLANs
• Support for Passive Clients
• 802.1x supplicant support on AP with EAP-TLS and EAP-PEAP
• Walled Garden, Radius NAC
  • DNS-based ACLs (Pre-auth ACL, IPv4 only)
  • Central Web Authentication
  • BYOD support
• Ability to import EAP DEV certificate and OID file

JUL, 2018: AireOS 8.8
• mDNS support
• Videostream support (MC2UC)
• Optimal AP Join for heterogeneous network
• FQDN support SFTP
• Schedule WLAN
• Cisco RFID Tag support
• DNS Based ACL Rules (post auth ACL)
• EoGRE support
• Option 43 support for ME

Site Survey
• Cisco Mobility Express supports internal DHCP server and operates without a pingable gateway. This enables Site Surveyor to take the Access Point powered by a Battery Pack and a client device to perform an active survey
• For Site Survey, one must configure the controller. This can be done via CLI or UI.
• NOTE: Recommendation is to use Release 8.5 or later on the Mobility Express AP for Site Survey

WLAN Support
• Supports maximum of 16 WLANs
• WLAN Options:
  • Open
  • WPA2 Personal
  • WPA2 Enterprise (External RADIUS, AP)
  • Central Web Authentication (Release 8.7)
• For Guest WLANs, a number of capabilities are supported:
  • CMX Engage
  • Internal Splash Page, External Splash Page. For Internal and External Splash Page, a number of Access Types are supported. They are as follows:
    • Local User Account, Web Consent, Email Address
    • RADIUS
    • WPA2 Personal

Available with 8.6

Support for AP Groups
• AP Group creation available in Expert View
• Maximum of 50 AP Groups are supported
• Maximum of 100 APs / per AP Group (2800/3800 can support 100 APs)
• 16 WLANs can be associated per AP Group
• RF Profiles can be associated for 2.4 and 5.0 GHz

Available with 8.7

Optimal AP Join

Use Cases
• Customer is adding an AP to the existing ME network but the AP being added has a different code version than ME-WLC. For the new AP to join ME-WLC, software has to be updated on the AP

Feature
• Enables a CAPWAP or Mobility Express AP to download the ME code from Master AP
• This feature eliminates the dependency on an external server (SFTP, TFTP or cisco.com) for providing the code at the time of AP Join for 3800, 2800 and 1560 Series APs

Supported AP Models
• Supported on 2800, 3800, and 1560 on 8.7
• All other Wave 2 APs in 8.8 via Efficient Join
• Not supported on 11ac Wave 1 APs

Available with 8.7

Which APs can run Mobility Express?

Optimal AP Join
• 3800, 2800 and 1560 share the same AP image
• If a 3800, 2800 or 1560 AP is being added and the ME-WLC AP model is one of these APs, an external server does not have to be configured to provide the code

[Diagram: AIR-AP3802I, AIR-AP1852I, AIR-AP1815I, AIR-AP2802I and AIR-AP1832I on 8.7, and an ME Capable AIR-AP2802I on 8.6]

Available with 8.7

Bi-directional Rate Limiting Support

Use Cases
• Use case for this is in hotspot situations (coffee shops, hospitality, airports, etc.) where a company can offer a free low-throughput service to everyone, and charge users for a high-throughput service

Feature
• This feature adds the ability to configure upstream and downstream throughput limits on the wireless network
• Bi-Directional Rate Limiting can be applied on the following:
  • Per WLAN
  • Per BSSID
  • Per Client

Implementation
• Upstream & downstream rate limits are enforced on the Access Point
• Upstream & downstream per-client rate limit is enforced first followed by BSSID and WLAN
• AAA returned Airespace QoS attributes take precedence over what is configured on the WLAN

Available with 8.7

Bidirectional Rate Limiting WebUI configuration
Bi-Directional Rate Limiting – Standard View
• Configuration available on the WLAN Traffic Shaping tab
• Standard view has a slider to configure BDRL and Expert view allows BDRL configuration for real-time (UDP) traffic

[Screenshots: Standard View, Expert View]

Available with 8.7

Client Limiting

Use Cases
• Client Limiting on WLAN is useful in cases where you want to restrict the number of clients on a WLAN. It also ensures that the WLAN bandwidth is used efficiently in the network
• Client Limiting on AP Radio is useful in cases where you want to uniformly distribute client load across the AP radios for optimal use of RF bandwidth

Feature
• Client Limiting enables ability to limit the number of clients on a wireless network.
• Client Limiting is supported on the following:
  • Per WLAN
  • Per Radio / AP
NOTE: By default, Mobility Express supports 2000 clients and 200 clients per AP Radio

Device Configuration
• Enter between 1 and 2000 or select pre-selected values
• To limit clients per Radio on an AP, enter 1 to 200

Available with 8.7

DNS Pre-Auth ACL Support

Use Cases
• Walled Garden: Hospitality Customers/Retailers can selectively allow URLs of their choice pre-authentication
• Enables Social Login integration on Guest Splash Pages

Feature
• Ability to support DNS Pre-Auth ACL in addition to IP based rules
• Permit/Deny Rules supported
• Wildcard Match helps with easy sub-domains match
• Intra AP roaming supported

Scale
• Total # of DNS rules/ACL – 20
• Max # of characters in DNS URL - 255
• 10 DNS wild card rules supported
• Total # of IPv4 ACLs – 32
• Total # of IPv4 rules/ACL – 64

Available with 8.7

AAA Override

Use Cases
• Clients connecting to a WLAN get their VLAN assignment from AAA. For example, at a school, both Students & Teachers connect to the School-WiFi but Teachers get assigned VLAN 10 and Students get assigned VLAN 20
• For single or multi-site deployment with different VLAN schemes, one can use AAA to return a VLAN NAME instead of VLAN ID to onboard clients on the desired VLAN specific to the site

Feature
• AAA Override feature on a WLAN enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server

Device Configuration
• AAA Override must be enabled on the WLAN
• For AAA Override of VLAN, the VLAN which gets returned from AAA must exist on the FlexConnect APs
• For AAA Override of VLAN Name, the VLAN Name to VLAN ID mapping must exist on the FlexConnect APs

Available with 8.7

AAA Override WebUI configuration
AAA returned VLAN Name Override
1. AAA Override must be enabled on the WLAN from the Advanced Tab as shown below
2. For AAA returned VLAN Name, VLAN Name to VLAN ID mapping must exist on WLAN

Application Visibility and Control
• Cisco Mobility Express can identify signatures of 1000+ applications. It runs NBAR Engine 2 and Protocol Pack 14
• As part of control action, applications can be:
  • Drop
  • Rate Limit
  • Mark
  For Mark, one can select DSCP as Platinum, Gold, Silver, Bronze or Custom. If Custom is selected, one has to specify the DSCP value. For Rate Limit, one can specify the Average Rate and Burst Rate for the application.
• Simplified workflow to create AVC profile and apply it to WLAN

Application Control
Action Drop – Shown from the Network Summary Page

Steps
1. On the Network Summary page, view the APPLICATIONS widget in a tabular format
2. Click on the desired application to add the rule. The Add AVC Rule window will pop up
3. Select Drop from the Action drop down list
4. Select the WLAN to apply this AVC Rule
5. Click on the Apply button

Configuring RF Parameters
• Navigate to Advanced > RF Optimization
• The following RF Parameters are available on UI
  • Client Density
  • Traffic Type
  • 2.4 / 5.0 GHz band
  • Flexible Radio Assignment
  • Event Driven RRM
  • CleanAir Detection
  • 5.0 GHz Channel Width
  • 2.4 and 5.0 GHz Data Rates
  • DCA Channels

Available with 8.6

Support for RF Profiles – Default Profiles
• Six pre-built RF Profiles for High, Low and Typical client density are available by default for both 2.4 GHz and 5 GHz.

Profiles are as follows:
• High-Client-Density-802.11a
• High-Client-Density-802.11bg
• Low-Client-Density-802.11a
• Low-Client-Density-802.11bg
• Typical-Client-Density-802.11
• Typical-Client-Density-802.11bg

Available with 8.6

Support for RF Profiles – Custom Profiles
• Custom RF profiles can be created for both 2.4 and 5 GHz
• To add new RF Profiles, click on the Add new RF Profile button

The following parameters are customizable:
• Max Clients per radio
• Rx SOP Threshold
• Data Rates
• MCS Settings
• Channel Width
• DCA Channel Selection
• Client Distribution Window
• Denial

Cisco Mobility Express HA - Master Election

Mobility Express – High Availability
Failure of Access Point running the controller function
• Upon controller failure, another Access Point will be elected to run the controller. Uses VRRP.
• HA considerations
  • No impact for connected clients on locally switched SSIDs
  • Roaming allowed within FlexConnect group for already connected clients
  • What about new clients? Static keys are locally stored in FlexConnect AP: new clients can join if authentication is PSK
• Lost features
  • RRM, CleanAir
  • Web authentication
• Total downtime will be 60-90s

Master Election Overview
 Master Election is a mechanism to elect a new Cisco Mobility Express CAPABLE
Access Point to run the controller function incase of a failure

 To have redundancy, you must have TWO or more Mobility Express Capable Access
Points in your network

 VRRP is used to detect the failure of Master AP which initiates the election of a new
Master. Failover typically takes 60-90s.

 Master Election is based on priorities
   User Defined –
     Next Preferred Master
   Automatic –
     Most Capable Access Point
     Least Client Load
     Lowest MAC Address

Available with 8.7

Ability to configure Next Preferred Master


 At any time, only one AP is the Active Master AP

 Upon failure of the Active Master, one of remaining
APs is elected as a Master
 In 8.6, one can configure the Next Preferred Master
from UI. This will allow admin to have control on
which AP should run the controller function upon
failure of the current active Master AP
 If the Preferred Master fails, a new Master is elected
per the Master Election process
 Only one Preferred Master can be configured

Electing a new Master Access Point
Master election process is based on a set of priorities. When an active Master Access Point fails, the
election process gets initiated and it elects a new AP to be master based on user defined priority or
automatic election

1. User Defined
a. User Defined Master - User can select an Access Point to be the Master Access Point. If such a selection is
made, no new Master will be elected in case of a failure of the active Master. After five minutes, if the current
Master is still not active, it will be assumed dead and Master Election will begin to elect a new Master.
b. User Defined Next Preferred Master – Admin can configure the Next Preferred Master from UI or CLI. When
this is configured and the active Master AP fails, the one configured as the Next Preferred Master will be
elected as a Master.
2. Automatic Election
a. Most Capable Access Point - If the first two priorities are not configured, Master AP election algorithm will
select the new Master based on the capability of the Access Point. For example, 3800 is the most capable
followed by 2800, 1850, 1830 and finally the 1815 Series. All 1815 Series Access Points have the same
capability.
b. Least Client Load – If there are multiple Access Points with the same capability, i.e. multiple 3800 Access
Points, the one with least client load is elected as the Master Access Point.
c. Lowest MAC Address – If all of the Access Points are the same and have the same client load, then Access
Point with the lowest MAC will be elected as a Master.
Mobility Express
Failure of Access Point running the controller function
• Election of a new controller using VRRP
• Heartbeat exchanged every 10s with Master AP
• After 3 missed heartbeats, master election is initiated and all Mobility Express
capable APs participate in Master Election
• APs fall into standalone mode while Master Election in-progress and within next
30s, a new Master is elected
• Standalone Access Points join the new elected master and go to connected mode
• Election Priorities
• Most capable Access Points. 3800 > 2800 > 1800.
• Access Point with least client load
• In case of tie, election based on lowest MAC Address
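The election order described on the two slides above, as an added Python example for predicting which AP takes over the controller function after a Master failure; it is not Cisco's implementation. The AP names, MAC addresses, client counts and the rule that a series outside the slide's capability list (here "3700") never participates are assumptions made for illustration.

```python
from dataclasses import dataclass

# Capability order stated on the slide: 3800 > 2800 > 1850 > 1830 > 1815.
CAPABILITY = {"3800": 5, "2800": 4, "1850": 3, "1830": 2, "1815": 1}
USER_MASTER_HOLD_S = 300  # a user-defined Master is assumed dead after five minutes

@dataclass(frozen=True)
class AP:
    name: str      # hypothetical AP name
    series: str    # assumption: a series outside CAPABILITY cannot run the controller
    mac: str
    clients: int
    alive: bool = True

def mac_value(mac):
    """Numeric value of a MAC so 'lowest MAC' compares correctly across notations."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)

def elect_master(aps, failed, next_preferred=None, user_defined=None, down_for_s=0):
    """Name of the AP expected to become Master, or None if no election runs yet."""
    # 1a. A user-defined Master blocks the election until it has been down five minutes.
    if user_defined == failed and down_for_s < USER_MASTER_HOLD_S:
        return None
    candidates = [ap for ap in aps
                  if ap.alive and ap.name != failed and ap.series in CAPABILITY]
    if not candidates:
        return None
    # 1b. The configured Next Preferred Master wins if it is still available.
    for ap in candidates:
        if ap.name == next_preferred:
            return ap.name
    # 2a-2c. Most capable, then least client load, then lowest MAC address.
    best = min(candidates,
               key=lambda ap: (-CAPABILITY[ap.series], ap.clients, mac_value(ap.mac)))
    return best.name

# Constructed sample inventory (names, MACs and client counts are made up).
SAMPLE_APS = [
    AP("ap-floor1", "3800", "00:11:22:33:44:30", 12),   # active Master that fails
    AP("ap-floor2", "2800", "00:11:22:33:44:20", 9),
    AP("ap-floor3", "2800", "00:11:22:33:44:05", 9),
    AP("ap-store",  "2800", "00:11:22:33:44:01", 15),
    AP("ap-lobby",  "1850", "00:11:22:33:44:10", 4),
    AP("ap-legacy", "3700", "00:11:22:33:44:00", 0),    # not capable, never elected
]

if __name__ == "__main__":
    print(elect_master(SAMPLE_APS, failed="ap-floor1"))
    print(elect_master(SAMPLE_APS, failed="ap-floor1", next_preferred="ap-lobby"))
```

With the sample inventory, the two 2800 APs with nine clients tie on capability and load, so the lower MAC decides; setting a Next Preferred Master overrides that outcome even though the preferred AP is a less capable 1850.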

Master Election Process
[Figure: diagram of access points (AIR-AP1852I-B-K9, AIR-AP2802I-B-K9, AIR-AP3802I-B-K9, AIR-AP3702I-B-K9, AIR-AP2702I-B-K9, AIR-AP1702E-B-K9) with one marked MASTER AP, illustrating the election criteria: Most capable Access Point (2800 vs. 1800), Least Client Load, Lowest MAC address]
Cisco Mobility Express - Summary
Branch Solution for Appliance-less WLC-Based Networks for up to 100 APs

Ease of Deployment with Resiliency & Scale
• Manage up to 100 APs, 2000 clients without additional licensing costs
• Best practices on by default & built-in redundancy for resilient operations
• Localized with Chinese, Japanese & Korean
• Management simplicity with mobile app & WebUI

AVC & CMX
• Understand what is running on your network
• Bidirectional rate limit per WLAN/SSID/Client
• CMX Location & Presence Analytics
• CMX Engage/Cloud integration for personalized and relevant guest experience

RF Excellence & Apple Innovations
• Flexible Radio Assignment & Dual 5GHz for best Wi-Fi experience
• Best in class RF with HDX – ClientLink, CleanAir & Spectrum Intelligence
• Apple Fast Lane with optimized Wi-Fi connectivity & prioritize business applications

Guest & Security
• Multiple guest onboarding options with built-in lobby ambassador
• Rogue detection & classification
• ISE/Radius, Walled Garden support and BYOD integration
• 802.1x support on AP with EAP-TLS and EAP-PEAP

DNA Center & Multi-site Deployment
• Day0 PnP with config & image download
• DNA Automation & Assurance EFT available with DNAC1.2
• DNA Automation & Assurance GA in DNAC 1.3
• Intelligent Capture EFT in DNAC 1.3 & AireOS 8.8

DNA Ready for Small to Medium Size, Single or Multi site Deployments

Cisco Enterprise Wireless Book

http://cs.co/wirelessbook

Cisco Wireless LAN Documentation

Click - https://www.youtube.com/user/CiscoWLAN/

Complete your online session evaluation

Give us your feedback to be entered into a Daily Survey Drawing.
Complete your session surveys through
the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.

Continue your education
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

Thank you
