Wireless Branch Office Network Architecture

Architecturing Network for Branch Offices with Cisco Wireless
BRKEWN-2016
BRKEWN-2018
2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Abstract
This session focuses on the architecture concepts of the branch office WLAN deployments, emphasising the core technologies that drive and enable mobility in retail, banking, education, entreprise or managed wlan services. Topics covered include in-depth protocol description of HReap/FlexConnect, all deployment options in practice, and are based on customer case studies for their application into the branch environment.
BRKEWN-2018
Cisco Public
Deploying Ciscos FlexConnect Wireless Branch Solution Increases Business Resiliency
BRKEWN-2018
Cisco Public
Agenda
Cisco Unified Wireless Principles (Reminder)
Branches Using Remote Controllers Understanding H-REAP Mode and Limitations
Understanding AP Groups and H-REAP Groups

Designing a Resilient Network Operating an H-REAPBased Branch Network Retail Case Study
BRKEWN-2018
Cisco Public
Agenda
Cisco Unified Wireless Principles

BRKEWN-2018
Cisco Public
Cisco Unified Wireless Principles

Components
Wireless LAN controllers Aironet access points Management System (WCS) Mobility Service Engine (MSE)
MSE Wireless LAN Controllers WCS
Principles
AP must have CAPWAP connectivity with WLC Configuration downloaded to AP by WLC All Wi-Fi traffic is forwarded to the WLC
Aironet Access Point
Campus Network
BRKEWN-2018
Cisco Public
Agenda
Branches Using Remote Controllers

Understanding H-REAP Mode and Limitations

BRKEWN-2018
Cisco Public
Branch Designs Using Remote Controllers

Overview
Branches can also have local remote controllers Small form factors WLC are available to have small campus : WLC-25xx or integrated controller modules in ISR/ISR-G2 High-availability design with central backup controller is supported; WAN limitations may apply
Central Site
Backup Central Controller
WAN
WLC-25xx WLCM for ISR/ISR-G2
Remote Site A
BRKEWN-2018 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Remote Site B
Branch Designs Using Remote Controllers

Advantages
Cookie cutter configuration for every branch site
Layer-3 roaming within the branch

ACL in the branch site Peer to peer blocking WGB support Reliable Multicast (filtering) Dynamic VLAN
Note: If you have ISR/ISR G2 at branch site then it is recommended to use the IOS Firewall at edge for unified access policies.
BRKEWN-2018
Cisco Public
Agenda
Branches Using Remote Controllers
Understanding H-REAP Mode and Limitations

BRKEWN-2018
Cisco Public
10
CAPWAP Overview
Control and Provisioning of Wireless Access Point
CAPWAP is a standard, interoperable protocol that enables an Access Controller (AC) to manage a collection of Wireless Termination Points (WTPs)
CAPWAP carries control and data traffic between the two
Control plane is DTLS encrypted Data plane is DTLS encrypted (optional)
CAPWAP supports only Layer 3 mode deployments

Business Application
Access Point Wi-Fi Client Data Plane
CAPWAP
Controller
Control Plane
11
CAPWAP Modes
Split MAC
The CAPWAP protocol supports two modes of operation

Split MAC (Centralized Mode) Local MAC (H-REAP/FlexConnect)
Split MAC
Wireless Frame Wireless Phy MAC Sublayer CAPWAP Data Plane
802.3 Frame
STA
WTP
AC
BRKEWN-2018
Cisco Public
12
CAPWAP Modes
Local MAC
Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames
Locally bridged
Wireless Frame Wireless Phy MAC Sublayer
802.3 Frame
STA
WTP
AC
H-REAP support locally bridged MAC and split MAC per SSID
13
CAPWAP Modes
Local MAC
Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames
Tunneled as 802.3 frames
Wireless Frame Wireless Phy MAC Sublayer 802.3 Frame CAPWAP Data Plane
802.3 Frame
STA
WTP
AC
Tunneled local MAC is not supported by Cisco

14
H-REAP Glossary
Connected mode When H-REAP can reach Controller (connected state), it gets help from controller to complete client authentication.
Standalone mode When controller is not reachable by H-REAP, it goes into standalone state and does client authentication by itself.
Local Switching Data traffic switched onto local VLANs for an SSID
Central Switching Data traffic tunneled back to WLC for an SSID
15
Branch Office Deployment

Hybrid architecture Single management and control point Data Traffic Switching
Centralized traffic (split MAC)
HREAP Hybrid Remote Edge Access Point

Central Site
Centralized Traffic
Cluster of WLC
Centralized Traffic
Or
Local traffic (local MAC)
WAN
HA will preserve local traffic only

Traffic Switching is configured per AP and per WLAN (SSID)
Local Traffic
Remote Office
16
Configure H-REAP Mode

Step 1: Configure Access Point Mode
Enable H-REAP mode per AP

Supported AP: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500
BRKEWN-2018
Cisco Public
17
Configure H-REAP Local Switching

Step 2: Enable Local Switching per WLAN
Only WLAN with Local Switching enabled will allow local switching at the H-REAP AP
BRKEWN-2018
Cisco Public
18
Configure H-REAP VLAN Mapping

Step 3: H-REAP Specific Configuration
H-REAP AP can be connected on an access port (using native VLAN) or connected to a 802.1Q trunk port
VLAN mapping is a per AP configuration on WLC and by AP group using templates on a WCS
BRKEWN-2018
Cisco Public
19

Step 4: Per AP SSID to VLAN Mapping
Mapping of SSID to 802.1Q VLAN is done per H-REAP AP
Use WCS for configuration with templates

20

Step 4: Using WCS
With WCS, Configuration can be applied to all H-REAP AP with one template
BRKEWN-2018
Cisco Public
21
H-REAP Design Considerations

Some WAN limitations apply
RTT must be below 300 ms data (100 ms voice) Minimum 500 bytes WAN MTU (with maximum four fragmented packets)
Some features are not available in standalone mode or in local switching mode
ACL in local switching
MAC/Web Auth in standalone mode

See full list in H-REAP Feature Matrix http://www.cisco.com/en/US/products/ps6366/products_tec h_note09186a0080b3690b.shtml
BRKEWN-2018
Cisco Public
22
Economies of Scale for Lean Branches

Flex 7500 Wireless Controller
New
Key Differentiation
WAN Tolerance
High Latency Networks Access Points Clients Branches Access Points / Branch Deployment Model Form Factor IO Interface Upgrade Licenses 300-2,000 20,000 500 50 FlexConnect 1 RU 2x 10GE 100, 200, 500, 1K
WAN Survivability
Security
802.1x based port authentication
Voice support
Voice CAC
OKC/CCKM
BRKEWN-2018
Cisco Public
23
FlexConnect Improvements in New 7.0.116

WAN Survivability
FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails
Local Authentication
Allows for the authentication capability to exist directly at the AP in FlexConnect instead of the WLC
Improved Scale
Group Scale: Max HREAP groups increased to 500 (7500s) and 100 (5500s) APs per Group: 50 (7500s) and 25 (5500s)
Fast roaming in remote branches

Opportunistic Key Caching (OKC) between APs in a branch
24
Agenda

BRKEWN-2018
Cisco Public
25
Understanding AP Groups
Overview
AP groups is a logical concept of grouping AP which deliver similar Wi-Fi services; these services can be:
By physical location, and/or
By functional services (data, voice, guest, )
Remote Site A AP Group 1
Central Site Flex 7500
WAN
Remote Site B
Same AP groups need to be defined in all WLC of a mobility group
AP Group 2
AP Group 3
BRKEWN-2018
Cisco Public
26
Understanding AP Groups
Rules to Know
Rules to know :
One AP can be in only one AP Group One WLAN(SSID) can be in several AP Groups WLAN with ID 1-16 can not be removed from the default-group WLAN with ID greater than 16 will never be part of the defaultgroup All AP with no AP Group name or an unknown AP Group name will be part of the default-group
Well known mistakes :

Create no AP group, but create a WLAN with ID 17+. Having AP groups defined, Create WLAN with ID 17+ but never map the WLAN to any AP Group.
27
AP Groups
Configuration: Create a New Group
BRKEWN-2018
Cisco Public
28
AP Groups
Configuration: Add AP to Group
BRKEWN-2018
Cisco Public
29
AP Groups Usage
@ Internet
Per Location SSID

AP groups give the ability to enable Wi-Fi Services (WLAN) based on physical location Example
Central Site
Corporate-Voice, Corporate-Data, Guest-Access
Guest-Access
AP Group 1
Central Site
Corporate-Voice
Corporate-Data
WAN/MAN
Manufacturing Plan
Store
Manufacturing Plan
Corporate-Voice, Corporate-Data, Scanners
AP Group 3
Store
Corporate-Data, Guest-Access
BRKEWN-2018
Scanners AP Group 2 Guest-Access
Corporate-Data
Cisco Public
30
AP Groups Usage
Per AP Group SSID to VLAN Mapping
AP groups give the ability to statically map Wi-Fi service (WLAN) to VLAN based on physical location
VLAN-1 AP Group 1
Central Site
VLAN-2
Users see the same Wi-Fi service on all sites but IP@ can be used for monitoring or filtering Can also be used to have smaller Wi-Fi subnets
VLAN-3
WAN/MAN
Corporate-Data Manufacturing Plan AP Group 2
Store AP Group 3
Corporate-Data Corporate-Data
BRKEWN-2018
Cisco Public
31
AP Groups
Configuration/VLAN Mapping
BRKEWN-2018
Cisco Public
32
AP Groups
Scaling
New Scaling # AP Groups # WLAN (SSID) # VLAN (Interfaces) Flex 7500 500 512 WLC 5508 500 512 WLC 4400 300 512 WLC 2100 50 512
512
512
512
512
BRKEWN-2018
Cisco Public
33
Understanding H-REAP Groups

Overview
Central Site Flex 7500 Cluster
H-REAP groups allow sharing of:

CCKM/OKC fast roaming keys Local backup RADIUS servers IP/keys Local user authentication Local EAP authentication
WAN
Remote Site Remote Site
Scaling information
500 H-REAP groups for Flex 7500
50 AP per H-REAP group
H-REAP Group 2
H-REAP Group 1
BRKEWN-2018
Cisco Public
34
H-REAP Groups and CCKM/OKC Keys

CCKM Keys
CCKM/OKC keys are stored on HREAP APs for Layer 2 fast roaming
The HREAP APs will receive the CCKM/OKC keys from the WLC
Central Site
RADIUS Server
If a HREAP AP boots up in the standalone mode, it will not get the CCKM keys from the WLC and fast roaming is not supported
Remote Site H-REAP Group 1
WAN
Remote Site H-REAP Group 2
BRKEWN-2018
Cisco Public
35
H-REAP Groups and CCKM Keys

Add a New H-REAP Group
Add APs to the H-REAP Group
BRKEWN-2018
Cisco Public
36
Agenda
Designing a Resilient Network

Operating an H-REAPBased Branch Network Retail Case Study
BRKEWN-2018
Cisco Public
37
H-REAP Backup Scenario

WAN Failure
Central Site
H-REAP will backup on local switched mode

No impact for locally switched SSIDs Disconnection of centrally switched SSIDs clients
Static authentication keys are locally stored in H-REAP AP Lost features

RRM, WIDS, location, other AP modes Web authentication, NAC
Remote Site
WAN
Application Server
BRKEWN-2018
Cisco Public
38

WLC Failure
H-REAP will first backup on local switched mode
No impact for locally switched SSIDs Disconnection of centrally switched SSIDs clients
Central Site
CCKM roaming allowed in H-REAP group H-REAP AP will then search for backup WLC; when backup WLC is found, H-REAP AP will resync with WLC and resume client session with central traffic.
WAN
Remote Site
Application Server
Client session with Local Traffic are not impacted during resync with Backup WLC.
39
H-REAP Group: Local Backup RADIUS

Backup Scenario
Central Site
Normal authentication is done centrally

On WAN failure, AP authenticate new client with locally defined RADIUS server Existing connected clients stay connected Clients can roam with
CCKM fast roaming, or Reauthentication
Central RADIUS
WAN
Local Backup RADIUS Remote Site
H-REAP Group 1
CCKM Fast Roaming

40
H-REAP Group: Local Backup RADIUS

Configuration
Define primary and secondary local backup RADIUS server per H-REAP group
BRKEWN-2018
Cisco Public
41
H-REAP Group: Local Backup Authentication

Backup Scenario
Normal authentication is done centrally On WAN failure, AP authenticate new client with its local database
Central Site
Central RADIUS
Each H-REAP AP has a copy of the local user DB

Existing authenticated clients stay connected Clients can roam with:
CCKM fast roaming, or Local re-authentication !
Remote Site
WAN
H-REAP Group 1
Only LEAP and EAP-FAST Supported

CCKM Fast Roaming
42
H-REAP Group: Local Backup Authentication

Configuration
Define users (max 100) and passwords

Define EAP parameters (LEAP or EAP-FAST)
BRKEWN-2018
Cisco Public
43

WAN Down Behavior (Bootup Standalone Mode)
Central Switched WLANs will shutdown

Web-auth WLANs will shutdown Local Switched WLANs will be up :
Only Open, Shared and WPA-PSK are allowed.
Local 802.1x allowed with local authentication or local RADIUS
Unsupported features
RRM, CCKM, WIDS, Location, Other AP Mode, NAC.
BRKEWN-2018
Cisco Public
44
Not Supported Backup Scenario

AP Changing Mode on Failure
Central Site
AP can not automatically change from local mode to H-REAP mode on local WLC failure
Changing mode is a configuration task of the AP WAN
Remote Site
Why it does not make sense

Need for dual configuration at the switch level (access port for central, 802.1Q for H-REAP) Lost controller features when going to H-REAP If you accept H-REAP locally, then dont but local WLC !
Application Server

45

Auto-Enabling Backup Local Switching
Central Site
Primary Application Server
H-REAP AP can not be configured with two SSID with same name; one in central switching mode, one in local switching mode; when central switching is down, local switched SSID becomes active
Changing enable status of an SSID is a configuration task of the WLC level
WAN
Remote Site H-REAP AP
Cisco recommends using Local Switching. Why?

Fault Tolerance will always keep client connection UP.
SSID Data (Central Switching)
Backup Application Server

SSID Data (Local Switching) Disable Enable
46
Failover Matrix
Feature Static Security Keys (WEP, WPA2/PSK) 802.1x/EAP RADIUS Local Authentication OKC Fast Roaming WebAuth & MAC Auth WAN Up (Connected) Yes Yes Yes Yes Yes Yes New New WAN Down (Standalone) Yes Yes Yes (local RADIUS Backup) Yes Yes (not new clients) No
BRKEWN-2018
Cisco Public
47
Agenda

Designing a Resilient Network
Operating an H-REAP Based Branch Network

Retail Case Study
BRKEWN-2018
Cisco Public
48
Monitor H-REAP Latency

RTT for H-REAP AP must be 300ms maximum
Latency tool will help monitor WAN latency
BRKEWN-2018
Cisco Public
49
Upgrading an H-REAP Deployment

Concerns
Sites using H-REAP AP are usually sites with low WAN bandwidth
Each site may have small number of AP, but an enterprise may have a lot of branches Upgrading ~2000 AP through a low bandwidth WAN is a challenge :
Time needed to download all the AP firmware

Exhaust of the WAN link Risk of failures during the download
BRKEWN-2018
Cisco Public
50

Safe Process
Firmware Image
Use Pre-Download Feature and Control the Process Before Effectively Do the Upgrade
1.Download WLC upgraded firmware (will become primary) 2.Force the boot image to be the secondary (and not the newly upgraded one) to avoid parallel download of all AP in case of unexpected WLC reboot
7.0 6.0 Primary 7.0
7.0 6.0 Secondary
Wireless Control System
Central Site
Wireless LAN Controller
WAN
Remote Site-1 Remote Site-N
BRKEWN-2018
Cisco Public
51

Safe Process (Cont)
3.
Firmware Image
Pre-download the AP firmware in the secondary boot image (will not disrupt the actual service) Can be started AP per AP to limit WAN exhaust Check that all the H-REAP AP are up-to-date (all download succeed) Swap the boot image of the AP to the new one, change the boot image of the WLC to the new one Reboot the controller
7.0 6.0 Primary
7.0 6.0 Secondary
Wireless Control System
Central Site
Wireless LAN Controller
4.
5.
WAN
Remote Site-1 AP Firmware Image Remote Site-N
7.0 6.0
7.0 6.0 Secondary
6.
Primary
BRKEWN-2018
Cisco Public
52
Agenda

Designing a Resilient Network Operating an H-REAPBased Branch Network
Retail Case Study
BRKEWN-2018
Cisco Public
53
Customer Requirements
~1000 Medium stores (Supermarket) Up to 5 AP per store.
L2 connectivity between the AP. AP on access port (no 802.1Q trunk today)
Existing local resources (servers, )
WLAN Services :
SSID for Scanners :
WPA-PSK will be used on scanners Same SSID name for all the stores, but different key per store

BRKEWN-2018
Local Switching in the store

WPA/TKIP or WPA2/AES for laptops Same SSID name and VLAN for all the stores Central RADIUS authentication Central Switching
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
SSID for Laptops :
54
RADIUS
WLAN 17 : Store 1
SSID=Scanner WPA-PSK=XYZ Local VLAN=native
CT-5508 Cluster
Data Center
WLAN 200 : Store-Data
SSID=Laptop WPA/RADIUS Central VLAN=Tag-
WLAN 17+N : Store-N

SSID=Scanner WPA-PSK=ZYX Local VLAN=native
WAN Store-1
Local Resource Local Resource
Store-N
1000 Stores H-REAP SSID-Scanner (Key-Store-1) SSID-Scanner (Key-Store-N) H-REAP
SSID-Laptop (WPA2)
SSID-Laptop (WPA2)
Scanners (WPA-PSK)
BRKEWN-2018
Laptops (WPA2)
Scanners (WPA-PSK)
Laptops (WPA2) 55
RADIUS
AP Group 1 : Store 1
WLANs : Store-1 Store-data
CT-5508 Cluster
Data Center
AP Group N : Store-N
SSID=Scanner WLANs : Store-N Store-data
WAN
Store-1
Local Resource
Store-N
AP-Group-1
Local Resource
AP-Group-N
1000 Stores H-REAP SSID-Scanner (Key-Store-1) SSID-Scanner (Key-Store-N) H-REAP
SSID-Laptop (WPA2)
SSID-Laptop (WPA2)
Scanners (WPA-PSK)
BRKEWN-2018
Laptops (WPA2)
Scanners (WPA-PSK)
Laptops (WPA2) 56
Project Scale
1000 Stores with an average of 5 AP per store : 5000 AP 10 x CT-5508-500 to support 5000 AP
1000 Stores means :

1000 WLAN profiles with 1000 same SSID for Scanners each with a different WPA2-PSK key per store (*) 1 WLAN profile with same SSID for Laptops with central switching and central WPA/Radius authentication 1000 AP Groups to map the WLAN profiles on each store
Capabilities to be supported by CT-5508-500 for this case study :

100 Stores managed by a CT-5508 100 different WLAN Profiles with same H-REAP SSID per CT 100 AP Groups per CT No H-REAP Groups for phase 1
BRKEWN-2018
Cisco Public
57
Summary
Summary
Cisco Unified Wireless Network based on Controllers deliver Wireless Branch Solution
H-REAP is the feature designed to solve remote connectivity and WAN constraints Several Failover Scenario are targeted to offer Survivability of Small Remote Sites
Deployment Guide URL- http://www.cisco.com/*****
BRKEWN-2018
Cisco Public
59
Deploying Ciscos FlexConnect Wireless Branch Solution Increases Business Resiliency
BRKEWN-2018
Cisco Public
60
Recommended Reading
BRKEWN-2018
Cisco Public
61
Visit the Cisco Store for Related Titles http://theciscostores.com
BRKEWN-2018
Cisco Public
62
Complete Your Online Session Evaluation

Receive 25 Cisco Preferred Access points for each session evaluation you complete.
Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Dont forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
BRKEWN-2018
Cisco Public
63
BRKEWN-2018
Cisco Public
64
Thank you.
BRKEWN-2018
Cisco Public
65

Wireless Branch Office Network Architecture

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Wireless Branch Office Network Architecture

Uploaded by

Copyright:

Available Formats

Architecturing Network for Branch Offices with Cisco Wireless

2011 Cisco and/or its affiliates. All rights reserved.

2011 Cisco and/or its affiliates. All rights reserved.

Deploying Ciscos FlexConnect Wireless Branch Solution Increases Business Resiliency

2011 Cisco and/or its affiliates. All rights reserved.

Understanding AP Groups and H-REAP Groups

2011 Cisco and/or its affiliates. All rights reserved.

Understanding AP Groups and H-REAP Groups

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Unified Wireless Principles

2011 Cisco and/or its affiliates. All rights reserved.

Branches Using Remote Controllers

Understanding AP Groups and H-REAP Groups

2011 Cisco and/or its affiliates. All rights reserved.

Branch Designs Using Remote Controllers

Branch Designs Using Remote Controllers

Layer-3 roaming within the branch

2011 Cisco and/or its affiliates. All rights reserved.

Understanding H-REAP Mode and Limitations

2011 Cisco and/or its affiliates. All rights reserved.

CAPWAP supports only Layer 3 mode deployments

The CAPWAP protocol supports two modes of operation

2011 Cisco and/or its affiliates. All rights reserved.

Tunneled local MAC is not supported by Cisco

Branch Office Deployment

HREAP Hybrid Remote Edge Access Point

HA will preserve local traffic only

Configure H-REAP Mode

Enable H-REAP mode per AP

2011 Cisco and/or its affiliates. All rights reserved.

Configure H-REAP Local Switching

2011 Cisco and/or its affiliates. All rights reserved.

Configure H-REAP VLAN Mapping

2011 Cisco and/or its affiliates. All rights reserved.

Configure H-REAP VLAN Mapping

Mapping of SSID to 802.1Q VLAN is done per H-REAP AP

Use WCS for configuration with templates

Configure H-REAP VLAN Mapping

2011 Cisco and/or its affiliates. All rights reserved.

H-REAP Design Considerations

MAC/Web Auth in standalone mode

2011 Cisco and/or its affiliates. All rights reserved.

Economies of Scale for Lean Branches

2011 Cisco and/or its affiliates. All rights reserved.

FlexConnect Improvements in New 7.0.116

Fast roaming in remote branches

Understanding AP Groups and H-REAP Groups

2011 Cisco and/or its affiliates. All rights reserved.

Central Site Flex 7500

Same AP groups need to be defined in all WLC of a mobility group

2011 Cisco and/or its affiliates. All rights reserved.

Well known mistakes :

2011 Cisco and/or its affiliates. All rights reserved.

2011 Cisco and/or its affiliates. All rights reserved.

Per Location SSID

Scanners AP Group 2 Guest-Access

2011 Cisco and/or its affiliates. All rights reserved.

2011 Cisco and/or its affiliates. All rights reserved.

2011 Cisco and/or its affiliates. All rights reserved.

2011 Cisco and/or its affiliates. All rights reserved.

Understanding H-REAP Groups

H-REAP groups allow sharing of:

50 AP per H-REAP group

2011 Cisco and/or its affiliates. All rights reserved.