Diving into Converged Access

“Diving into Converged Access” – Cisco Tech Day, January 17th, 2014
Steve Phillips, Wireless Consulting Systems Engineer, [email protected]
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

description

Overview of how the newest generation of Cisco wireless products is driving a new paradigm in wireless LAN design. Topics of interest will include BYOD, Guest WLAN, expanded WLAN client authentication, 3G support and distributed controller functionality within the Cisco WLAN architecture.

Transcript of Diving into Converged Access

Page 1: Diving into Converged Access


“Diving into Converged Access” – Cisco Tech Day, January 17th, 2014
Steve Phillips, Wireless Consulting Systems Engineer
[email protected]

Page 2: Diving into Converged Access


Agenda – Diving into Converged Access: Solution and Design Overview & Deep Dive

• Converged Access Solution and Platforms Overview
• Converged Access Architecture and Components Review
• Converged Access Roaming
• Converged Access Quality of Service
• Converged Access Security and Guest Access
• Converged Access Design Options
• Converged Access Migration
• Wrap-up and Final Thoughts

Page 3: Diving into Converged Access


Enterprise Wireless Evolution – From Best-Effort to Mission-Critical and Very High Density

[Diagram labels] Axes: System Management, Capacity, Self Healing and Optimizing. Stages: Hotspot, Casual, Pervasive indoors, Media Rich Applications, Mission Critical, CleanAir, Very High Density, VXI Capable

Page 4: Diving into Converged Access


Wireless Standards – Past, Present, and Future

[Figure: timeline from early 2000 to 2014 and beyond; vertical axis “Clients / Bandwidth” from 11 Mbps to 10 Gbps; stage labels Nice to Have, Pervasive, Media Rich Applications, Mission Critical]
• 802.11b – 11 Mbps
• 802.11g, 802.11a – 54 Mbps
• 802.11n – 450 Mbps
• 802.11ac-1 – 1 Gbps
• 802.11ac-2 – 3.5 Gbps
• Future

Page 5: Diving into Converged Access


One Network, with Converged Access – A New Deployment Option for Wired / Wireless

[Diagram components] Wireless Control System, Access Control Server, LAN Mgmt Solution, Identity Mgmt, NAC Profiler, Guest Server, Cisco Wireless LAN Controller, Cisco Firewall, Cisco Access Point, Catalyst Switch, Internal Resources, Corporate Network, Internet

One Management – Prime
One Policy – ISE
One Network – Catalyst 3850 and the new 5760

IOS Based WLAN Controller (new 5760)
• Consistent IOS and ASIC w/ Catalyst 3850
• Required to scale beyond 250 AP or 16K client domains

Converged Access Mode (Catalyst 3850)
• Integrated wireless controller
• Distributed wired/wireless data plane (CAPWAP termination on switch)

Page 6: Diving into Converged Access


Converged Wired / Wireless Access – Benefits – Overview
Cisco Converged Access Deployment

Unified Access – One Policy | One Management | One Network

• Scale with distributed wired and wireless data plane – 480G stack bandwidth; 40G wireless / switch; efficient multicast; 802.11ac fully ready
• Maximum resiliency with fast stateful recovery – layered network high availability design with stateful switchover
• Single platform for wired and wireless – common IOS, same administration point, one release
• Network wide visibility for faster troubleshooting – wired and wireless traffic visible at every hop
• Consistent security and Quality of Service control – hierarchical bandwidth management and distributed policy enforcement

Page 7: Diving into Converged Access


Catalyst 3850 – Single Platform for Wired and Wireless
Cisco Converged Access Deployment

20+ Years of IOS Richness – Now on Wireless

Wireless features:
• Centralized deployment
• L2/L3 Fast Roaming
• Clean Air
• Video Stream
• Radio Resource Management (RRM)
• Wireless Security
• Radio performance
• 802.11ac Ready

Wired features:
• Stacking, StackPower
• Advanced Identity
• Visibility and Control
• Flexible NetFlow
• Granular QoS
• High Availability
• EEM, scripting
• IOS-XE Modular OS

Benefits:
• Built on UADP – Cisco’s Innovative Flexparser ASIC technology
• Eliminates operational complexity
• Single Operating System for wired and wireless

Page 8: Diving into Converged Access


Catalyst 3850 – Platform Overview
Cisco Converged Access Deployment

Built on Cisco’s Innovative “UADP” ASIC
• Wireless CAPWAP Termination – up to 50 APs / 2000 clients per stack, and 40G per switch
• Up to 2000 Clients per Stack
• 40 Gbps Uplink Bandwidth (Modular)
• StackPower
• Line Rate on All Ports
• Multi-Core CPU
• 480 Gbps Stacking Bandwidth
• Full PoE+
• FRU Fans, Power Supplies – HA
• Granular QoS / Flexible NetFlow

Cisco Converged Access Deployment

Page 9: Diving into Converged Access


Catalyst 3850 – Wireless Capabilities
Cisco Converged Access Deployment

Best-in-Class Wired Switch – with Integrated Wireless Mobility functionality
• CAPWAP termination and DTLS in Hardware
• Up to 40G wireless capacity per switch
• Capacity increases with members
• 50 APs and 2000 clients per switch stack
• Wireless switch peer group support for faster roaming: latency sensitive applications
• Supports IPv4 and IPv6 client mobility
• APs must be directly connected to Catalyst 3850

Cisco Converged Access Deployment

Page 10: Diving into Converged Access


WLC 5760 – Platform Overview
Cisco Converged Access Deployment

Built on Cisco’s Innovative “UADP” ASIC – First IOS-Based Wireless LAN Controller
• Deployment Modes: Centralized, or Converged Access
• 802.11ac Optimized
• 60 Gbps Wireless Bandwidth
• 6x 1/10G SFP+ uplinks with LAG
• Up to 12,000 Concurrent Clients
• Up to 1000 Access Points
• Granular QoS
• Flexible NetFlow
• FRU Fans, FRU Power Supplies

Cisco Converged Access Deployment

Page 11: Diving into Converged Access


One Network – Wireless Deployment Mode Options, Overview

Unified Access Wireless – One Policy, One Management, One Network – Unparalleled Deployment Flexibility

Unified Network deployment modes: Autonomous, FlexConnect (Private Cloud), Centralized, Converged Access (new)
Ease of Use: Public Cloud – N.A.A.S. (new)


Page 13: Diving into Converged Access


Cisco Converged Access – What I Am Going to Cover …

Cornerstones – Foundational Elements for the Converged Access Solution:
• System Architecture
• Roaming, QoS
• Security, Design Options

Page 14: Diving into Converged Access


Cisco Converged Access – Network Requirements Driving Wireless Evolution …
We’ve Been Here Before…

Drivers: Performance and Unified Experience; Scale and Services

Autonomous Mode (Standalone Access Point)
• Hotspot deployments with nomadic roaming

Cisco Unified Wireless (Access Point + Controller)
• Functionality split with CAPWAP
• Centralized tunneling of user traffic to controller (data plane and control plane)
• Frees up the AP to focus on real-time communication, policy application and optimize RF & MAC functionality such as CleanAir, ClientLink
• System-wide coordination for channel and power assignment, rogue detection, security attacks, interference, roaming
• Increased scalability, Centralized policy application

Cisco Converged Access
• Control plane functionality on NG Controller (also possible on upgraded 5508s, WiSM2s for brownfield deployments, or NG Converged Access switches for small, branch deployments)
• Data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred)
• Unified wired-wireless experience (security, policy, services)
• Common policy enforcement, Common services for wired and wireless traffic (NetFlow, advanced QoS, and more …)

Page 15: Diving into Converged Access


Architecture Constructs – CUWN Tunnel Types
Existing Unified Wireless Deployment today …

[Diagram: Data Center / Service block with PI and ISE; Mobility Group of WLC #1 and WLC #2 with their APs; Foreign WLC and “Guest” Anchor; SSID1, SSID2, SSID3 mapped to VLANs at the controller; Intranet and Internet]

Legend:
• AP-Controller CAPWAP Tunnel – 802.11 Control Session + Data Plane (Encrypted, see Notes)
• Inter-Controller EoIP / CAPWAP Tunnel – EoIP Mobility Tunnel (< 7.2), CAPWAP Option in 7.3
• Inter-Controller (Guest Anchor) EoIP / CAPWAP Tunnel
• SSID – VLAN Mapping (at controller)

Well-known, proven architecture

Notes –
• AP / WLC CAPWAP Tunnels are an IETF Standard
• UDP ports used –
  • 5246: Encrypted Control Traffic
  • 5247: Data Traffic (non-Encrypted or DTLS Encrypted (configurable))
• Inter-WLC Mobility Tunnels
  • EoIP – IP Protocol 97 … AireOS 7.3 introduces CAPWAP option
  • Used for inter-WLC L3 Roaming and Guest Anchor

Page 16: Diving into Converged Access


Architecture Constructs – CUWN Control Functions
Existing Unified Wireless Deployment today …

[Diagram: same topology as the previous slide – Data Center / Service block (PI, ISE), Mobility Group with WLC #1 and WLC #2 and their APs, Foreign WLC and “Guest” Anchor, CAPWAP tunnels, EoIP Mobility Tunnel (< 7.2) / CAPWAP Option in 7.3, SSID1, SSID2, SSID3, Intranet, Internet; each WLC carries both an MC and an MA label]

Additional details on controller functionality – these will become important later as we delve into the Converged Access deployment …

Legend:
• Mobility Controller (MC) – Handles Roaming, RRM, WIPS, etc.
• Mobility Agent (MA) – Terminates CAPWAP Tunnels, Maintains Client Database

Page 17: Diving into Converged Access


Converged Access – Deployment Overview
Cisco Converged Access Deployment

[Diagram: a Mobility Domain containing a Mobility Group of MCs; Sub-Domain #1 and Sub-Domain #2, each with an MC and Switch Peer Groups (SPGs) of MAs; PI and ISE]

Page 18: Diving into Converged Access


Converged Access – Components – Physical vs. Logical Entities
Cisco Converged Access Deployment

Physical Entities –
• Mobility Agent (MA) – Terminates CAPWAP from AP, Manages client database
• Mobility Controller (MC) – Manages mobility within and across Sub-Domains
• Mobility Oracle (MO) – Superset of MC, allows for Scalable Mobility Management within a Domain

Logical Entities –
• Mobility Groups – Grouping of Mobility Controllers (MCs) to enable Fast Roaming, Radio Frequency Management, etc.
• Mobility Domain – Grouping of MCs to support seamless roaming
• Switch Peer Group (SPG) – Localizes traffic for roams within Distribution Block

MA, MC, Mobility Group functionality all exist in today’s controllers (4400, 5500, WiSM2)

Cisco Converged Access Deployment

Page 19: Diving into Converged Access


Converged Access – Physical Entities – Catalyst 3850 Switch Stack
Cisco Converged Access Deployment

Best-in-Class Wired Switch – with Integrated Wireless Mobility functionality (MC, MA)
• Can act as a Mobility Agent (MA) for terminating CAPWAP tunnels for locally connected APs …
• … as well as a Mobility Controller (MC) for other Mobility Agent (MA) switches, in small deployments
  - MA/MC functionality works on a Stack of Catalyst 3850 Switches
  - MA/MC functionality runs on Stack Master
  - Stack Standby synchronizes some information (useful for intra-stack HA)

Page 20: Diving into Converged Access


Converged Access – Logical Entities – Switch Peer Groups
Cisco Converged Access Deployment

[Diagram: Sub-Domain 1 with an MC and two Switch Peer Groups, SPG-A and SPG-B, each containing MAs]

Switch Peer Group (SPG):
• Fast Roaming within an SPG
• MAs within an SPG are fully-meshed (auto-created at SPG formation)
• Made up of multiple Catalyst 3850 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
• Handles roaming across SPG (L2 / L3)
• Multiple SPGs under the control of a single MC form a Sub-Domain

SPGs are a logical construct, not a physical one …
• SPGs can be formed across Layer 2 or Layer 3 boundaries
• SPGs are designed to constrain roaming traffic to a smaller area, and optimize roaming capabilities and performance
• Current thinking on best practices dictates that SPGs will likely be built around buildings, around floors within a building, or other areas that users are likely to roam most within
• Roamed traffic within an SPG moves directly between the MAs in that SPG (CAPWAP full mesh)
• Roamed traffic between SPGs moves via the MC(s) servicing those SPGs

Hierarchical architecture is optimized for scalability and roaming

Page 21: Diving into Converged Access


Converged Access – Logical Entities – Switch Peer Groups and Mobility Group
Cisco Converged Access Deployment

[Diagram: a Mobility Group of three MCs; Sub-Domain 1 (SPG-A, SPG-B), Sub-Domain 2 (SPG-C, SPG-D) and Sub-Domain 3 (SPG-E, SPG-F), each SPG containing MAs]

Mobility Group:
• Made up of Multiple Mobility Controllers (MCs)
• One Mobility Controller (MC) manages the RRM for entire Group
• RF Management (RRM) and Key Distribution for Fast Roaming
• Fast Roams are limited to Mobility Group member MCs
• Handles roaming across MG (L2 / L3)

Switch Peer Group (SPG):
• Fast Roaming within an SPG
• MAs within an SPG are fully-meshed (auto-created at SPG formation)
• Made up of multiple Catalyst 3850 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
• Handles roaming across SPG (L2 / L3)
• Multiple SPGs under the control of a single MC form a Sub-Domain

Page 22: Diving into Converged Access


Converged Access – Scalability Considerations
Cisco Converged Access Deployment (For Your Reference)

As with any solution – there are scalability constraints to be aware of …
• These are summarized below, for quick reference

Scalability                                            3850 as MC   5760   5508   WiSM2
Max number of MCs in a Mobility Domain                      8         72     72     72
Max number of MCs in a Mobility Group                       8         24     24     24
Max number of MAs in a Sub-domain (per MC)                 16        350    350    350
Max number of SPGs in a Mobility Sub-Domain (per MC)        8         24     24     24
Max number of MAs in a SPG                                 16         64     64     64
Max number of WLANs                                        64        512    512    512


Page 24: Diving into Converged Access


Unified Wireless – Point of Presence (PoP), Point of Attachment (PoA)
Existing Unified Wireless Deployment today …

[Diagram: PSTN, CUCM, WiSM2s / 5508s acting as MC + MA, with the client’s PoP and PoA marked]

Point of Presence (PoP) vs. Point of Attachment (PoA) –
• PoP is where the wireless user is seen to be within the wired portion of the network
  • Anchors client IP address
  • Used for security policy application
• PoA is where the wireless user has roamed to while mobile
  • Moves with user AP connectivity
  • Used for user mobility and QoS policy application

Page 25: Diving into Converged Access


Unified Wireless – Traffic Flow
Existing Unified Wireless Deployment today …

[Diagram: PSTN, CUCM, WiSM2s / 5508s (MC + MA) with PoP and PoA; wired policies implemented on switch, wireless policies implemented on controller]

Traffic Flows, Unified Wireless –
• In this example, a VoIP user is on today’s CUWN network, and is making a call from a wireless handset to a wired handset …
• We can see that all of the user’s traffic needs to be hairpinned back through the centralized controller, in both directions …

In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers – Layer 3 roaming might add more hops) …

The same traffic paths are incurred for voice, video, data, etc. – all centralized
Separate policies and services for wired and wireless users

Page 26: Diving into Converged Access


Unified Wireless – Layer 3 Roaming (Campus Deployment)
Existing Unified Wireless Deployment today …

[Diagram: Data Center (ISE, PI), Data Center-DMZ (Guest Anchors, Internet), Campus Services, Campus Access; Layer 3 Mobility Group of 5508 / WiSM-2 controllers, each MC + MA, with the client’s PoP and PoA]

• Initially, the user’s PoP and PoA are co-located on the same controller
• Note – in this deployment model, it is assumed that all of the controllers across the Campus do not share a common set of user VLANs at Layer 2 … (i.e. the controllers are all L3-separated)
• Initially, the user’s traffic flow is as shown …

Page 27: Diving into Converged Access


Unified Wireless – Layer 3 Roaming (Campus Deployment)
Existing Unified Wireless Deployment today …

[Diagram: same Campus topology as the previous slide – Layer 3 Mobility Group of 5508 / WiSM-2 controllers (MC + MA); after the roam the PoP stays on the original controller while the PoA is on the new one; Symmetric Mobility Tunneling]

• Now, the user roams to an AP handled by a different controller, within the same Mobility Group …
• The user’s PoA moves to the new controller handling that user after the roam – but the user’s PoP stays fixed on the original controller that the user associated to
• This is done to ensure that the user retains the same IP address across an L3 boundary roam – and also to ensure continuity of policy application during roaming
• After the roam, the user’s traffic flow is as shown …

Page 28: Diving into Converged Access


Converged Access – Traffic Flow
Cisco Converged Access Deployment

[Diagram: PSTN, CUCM, WiSM2s / 5508s / 5760s as MCs; a Switch Peer Group (SPG) of Catalyst 3850 MAs below the distribution layer, with PoP and PoA on the same 3850; wired and wireless policies implemented on 3850 switch; traffic does not flow via MCs]

Traffic Flows, Comparison (Converged Access) –
• Now, our VoIP user is on a Cisco Converged Access network, and is again making a call from a wireless handset to a wired handset …
• We can see that all of the user’s traffic is localized to their Peer Group, below the distribution layer, in both directions …

In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming) … two additional hops may be incurred for routing …

More efficient since traffic flows are localized to the 3850 switch – Performance Increase
Converged policies and services for wired and wireless users

Page 29: Diving into Converged Access


Converged Access – Traffic Flow and Roaming – Branch, Single Catalyst 3850 Stack
Cisco Converged Access Deployment

[Diagram: Central Location (PI, ISE) with Guest Anchor in the DMZ, reached across the WAN; branch 3850 switch stack acting as MC + MA, CAPWAP tunnels – control and data path – from the APs, and a CAPWAP tunnel to the Guest Anchor; PoP and PoA both on the stack]

Roaming, Single Catalyst 3850 Switch Stack – roaming across the stack (small branch)
• In this example, the user roams within their 3850-based switch stack – for a small Branch site, this may be the only type of roam

Roaming within a stack does not change the user’s PoP or PoA – since the stack implements a single MA (redundant within the stack), and thus a user that roams to another AP serviced by the same stack does not cause a PoA move (PoA stays local to the stack)

Notice how the 3850 switch stack shown is an MC (as well as an MA) – in a branch such as this with 50 APs or less, no discrete controller is necessarily required …

Very common roaming case

Page 30: Diving into Converged Access


Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (within SPG)
Cisco Converged Access Deployment

[Diagram: one Switch Peer Group (SPG) of 3850 stacks joined via a distribution layer; the left stack is MC + MA, the others MAs; PoP on the original stack, PoA on the stack the user roamed to; labels: uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application …]

Roaming, Within a Switch Peer Group (Branch) – roaming across stacks (larger branch)
• Now, let’s examine a roam at a larger branch, with multiple 3850-based switch stacks joined together via a distribution layer
• In this example, the larger Branch site consists of a single Switch Peer Group – and the user roams within that SPG – again, at a larger Branch such as this, this may be the only type of roam

The user may or may not have roamed across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application

* Adjustable via setting, may be useful for L2 roams

Again, notice how the 3850 switch stack on the left is an MC (as well as an MA) in this picture – in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required …

Overall observation –
This looks exactly the same as a Layer 3 inter-controller roam in CUWN … because it is exactly the same process – just distributed, rather than centralized …

Very common roaming case

Page 31: Diving into Converged Access


Converged Access – Traffic Flow and Roaming – with Intra-SPG Roam
Cisco Converged Access Deployment

[Diagram: PSTN, CUCM, WiSM2s / 5508s / 5760s as MCs; one SPG of 3850 MAs below the distribution layer, PoP on the original 3850 and PoA on the 3850 the user roamed to; wired and wireless policies implemented on 3850 switch; traffic still does not flow via MCs]

Traffic Flows, Comparison (Converged Access) –
• Now, our VoIP user on the Cisco Converged Access network roams, while a call is in progress between the wireless and wired handsets …
• We can see that all of the user’s traffic is still localized to their Switch Peer Group, below the distribution layer, in both directions …

In this example, a total of 3 hops is incurred for each direction of the traffic path (assuming intra-SPG roaming) … two additional hops may be incurred for routing …

More efficient since traffic flows are still localized to the SPG – Performance & Scalability
Converged policies and services for wired and wireless users

Page 32: Diving into Converged Access


Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (across Switch Peer Groups)
Cisco Converged Access Deployment

[Diagram: two SPGs of 3850 MAs under one MC; roaming across SPGs (L3 separation assumed at access layer); PoP in the first SPG, PoA in the second]

Roaming, Across SPGs (Campus) –
• Now, let’s examine a few more types of user roams
• In this example, the user roams across Switch Peer Groups – since SPGs are typically formed around floors or other geographically-close areas, this type of roam is possible, but less likely than roaming within an SPG

Typically, this type of roam will take place across an L3 boundary (depends on wired setup) – however, users are always* taken back to their PoP for policy application

Less common roaming case

Page 33: Diving into Converged Access


Converged Access – Traffic Flow and Roaming – L2 / L3 Roam (across Switch Peer Groups)
Cisco Converged Access Deployment

[Diagram: two SPGs of 3850 MAs under one MC, with the roamed client’s PoP and PoA marked; IP addresses shown: 10.101.1.109, 10.101.6.109, 10.125.11.14]

Overall view – across the entire Sub-Domain controlled by the MC:

L09-5760-1# show wireless mobility controller client summary
Number of Clients : 5

State is the Sub-Domain state of the client.
* indicates IP of the associated Sub-domain
Associated Time in hours:minutes:seconds

MAC Address     State   Anchor IP      Associated IP   Associated Time
--------------------------------------------------------------------------------
001e.65b7.7d1a  Local   10.101.1.109   10.101.6.109    00:04:36
b817.c2f0.61b2  Local   0.0.0.0        10.101.7.109    00:21:07
74e1.b65a.a8f3  Local   10.101.3.109   10.101.1.109    00:03:27
cc08.e028.6fdd  Local   0.0.0.0        10.101.1.109    00:04:57
a467.06e2.813d  Local   0.0.0.0        10.101.3.109    00:02:56

Annotations on the output (row by row):
• 001e.65b7.7d1a – Roamed client, Switch 1 to Switch 6 (inter-SPG)
• b817.c2f0.61b2 – Stationary client, Switch 7
• 74e1.b65a.a8f3 – Roamed client, Switch 3 to Switch 1 (intra-SPG)
• cc08.e028.6fdd – Stationary client, Switch 1
• a467.06e2.813d – Stationary client, Switch 3
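To make the PoP / PoA bookkeeping in that output concrete, here is an added Python example (not Cisco code and not part of the deck) that parses the `show wireless mobility controller client summary` text and classifies each client as stationary, intra-SPG roamed or inter-SPG roamed, so an operator can see which clients are being carried back to their PoP via the MC. The sample output is constructed from the slide, and the switch-to-SPG map is an assumption chosen to match the slide’s annotations (switches 1 and 3 in one SPG, switches 6 and 7 in another).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the MC output shown on the slide, re-typed line by line.
SAMPLE_OUTPUT = """\
L09-5760-1# show wireless mobility controller client summary
Number of Clients : 5

State is the Sub-Domain state of the client.
* indicates IP of the associated Sub-domain
Associated Time in hours:minutes:seconds

MAC Address     State   Anchor IP      Associated IP   Associated Time
--------------------------------------------------------------------------------
001e.65b7.7d1a  Local   10.101.1.109   10.101.6.109    00:04:36
b817.c2f0.61b2  Local   0.0.0.0        10.101.7.109    00:21:07
74e1.b65a.a8f3  Local   10.101.3.109   10.101.1.109    00:03:27
cc08.e028.6fdd  Local   0.0.0.0        10.101.1.109    00:04:57
a467.06e2.813d  Local   0.0.0.0        10.101.3.109    00:02:56
"""

# Assumed MA-to-SPG membership (hypothetical, chosen to match the slide's
# annotations: switches 1 and 3 share an SPG, switches 6 and 7 share another).
SPG_MEMBERSHIP: Dict[str, str] = {
    "10.101.1.109": "SPG-A",
    "10.101.3.109": "SPG-A",
    "10.101.6.109": "SPG-B",
    "10.101.7.109": "SPG-B",
}

COUNT_RE = re.compile(r"^Number of Clients\s*:\s*(\d+)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<state>\S+)\s+"
    rf"(?P<anchor>{IPV4})\s+"
    rf"(?P<assoc>{IPV4})\s+"
    r"(?P<time>\d+:\d{2}:\d{2})$"
)


@dataclass
class ClientEntry:
    mac: str
    state: str
    anchor_ip: str      # PoP: MA the client first associated to; 0.0.0.0 = never roamed
    associated_ip: str  # PoA: MA currently terminating the client's AP
    associated_secs: int


def parse_client_summary(text: str) -> List[ClientEntry]:
    """Parse the summary table; raise if the 'Number of Clients' header and
    the parsed rows disagree (truncated paste, pager, or changed column layout)."""
    declared = None
    entries: List[ClientEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        count = COUNT_RE.match(line)
        if count:
            declared = int(count.group(1))
            continue
        row = ROW_RE.match(line)
        if not row:
            continue  # prompt, legend, column header, ruler
        hrs, mins, secs = (int(x) for x in row["time"].split(":"))
        entries.append(ClientEntry(row["mac"], row["state"], row["anchor"],
                                   row["assoc"], hrs * 3600 + mins * 60 + secs))
    if declared is not None and declared != len(entries):
        raise ValueError(f"header declares {declared} clients, parsed {len(entries)}")
    return entries


def classify_roam(entry: ClientEntry, spg_of: Dict[str, str]) -> str:
    """'stationary' when PoP == PoA; otherwise intra-/inter-SPG by the SPG
    membership of the anchor (PoP) and associated (PoA) MAs."""
    if entry.anchor_ip == "0.0.0.0" or entry.anchor_ip == entry.associated_ip:
        return "stationary"
    pop_spg = spg_of.get(entry.anchor_ip)
    poa_spg = spg_of.get(entry.associated_ip)
    if pop_spg is None or poa_spg is None:
        return "unknown-spg"  # MA not in our map: cannot tell which path traffic takes
    # Intra-SPG: traffic goes MA-to-MA over the SPG full mesh.
    # Inter-SPG: traffic is carried back to the PoP via the MC.
    return "intra-spg" if pop_spg == poa_spg else "inter-spg"


def roam_report(text: str, spg_of: Dict[str, str]) -> Dict[str, str]:
    """Map each client MAC to its roam classification."""
    return {e.mac: classify_roam(e, spg_of) for e in parse_client_summary(text)}


if __name__ == "__main__":
    for mac, kind in roam_report(SAMPLE_OUTPUT, SPG_MEMBERSHIP).items():
        print(f"{mac}  {kind}")
```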

Page 34: Diving into Converged Access


Converged Access – More Details – Roaming
Cisco Converged Access Deployment (For Your Reference)

There are multiple additional roaming scenarios –
• These replicate the traffic flow expectations seen elsewhere with Converged Access
• Traffic within an SPG flows directly between MAs – traffic between SPGs flows via MCs
• Catalyst 3850-based MC deployments are likely to be common in branches and even possibly smaller Campuses
• Larger deployments are likely to use discrete controllers (5760, 5508, WiSM2s) as MCs, for scalability and simplicity
• Rather than detail every roaming case here, some of these are summarized below – full details are available in a deeper-dive session, upon request …

Page 35: Diving into Converged Access


Converged Access – Catalyst 3850-based MCs – Functionality
Cisco Converged Access Deployment

[Diagram: PI, ISE and Guest Anchor (MC + MA) at the central site; a Switch Peer Group (SPG) in which one Catalyst 3850 is MC + MA and the others are MAs]

As we saw previously, we can also optionally use a Catalyst 3850 switch as an MC + co-located MA for a Switch Peer Group … let’s explore this in more detail –
• Single Catalyst 3850 MC supported per Switch Peer Group …
• … which can have up to 16 x MAs (stacks) per 3850-based MC
• Single Catalyst 3850 MC can handle up to 50 APs and 2,000 clients total … therefore, up to 50 APs and 2,000 clients in a Catalyst 3850-based Switch Peer Group
• MC handles inter-SPG roaming, RRM, Guest Access, etc.
• More scalable MC capability can be provided by 5760 / WiSM2

But what if we want to scale larger, without implementing 5760 / WiSM2? Is this possible?

Page 36: Diving into Converged Access


Converged Access – Catalyst 3850-based MCs – Scaling
Cisco Converged Access Deployment

[Diagram: PI, ISE and Guest Anchor (MC + MA); a Mobility Group of two Switch Peer Groups, each with a Catalyst 3850 MC + MA and further 3850 MAs; full mesh of MCs across Mobility Group]

Switch Peer Group / Mobility Group Scaling with Catalyst 3850 –
• Up to 8 x Catalyst 3850 MCs can be formed into a Mobility Group
• Up to 250 APs total and 16,000 clients supported (maximum) across a Mobility Group made up solely of Catalyst 3850 switches
• Licensing is per MC – not pooled across MCs
• RRM, etc. is coordinated across the MCs in the same Mobility Group
• Guest tunneling is per MC – to Guest Anchor controller

Page 37: Diving into Converged Access


Converged Access – Catalyst 3850-based MCs – When to Use
Cisco Converged Access Deployment

Considerations –
• Many larger designs (such as most Campuses) will likely utilize a discrete controller, or group of controllers, as MCs. Combined with Catalyst 3850 switches as MAs, this likely provides the most scalable design option for a larger network build.
• However, if using 3850 switches as MCs for smaller builds – and with the scaling limits detailed on the previous slide in mind – we need to determine where to best use this capability.
• Pros –
  • CapEx cost savings – via the elimination of a controller-as-MC in some designs (typically, smaller use cases and deployments) … costs also need to take into consideration licensing on the Catalyst 3850 switches.
• Cons –
  • OpEx complexity – due to some additional complexity that comes into roaming situations when using multiple 3850 switch-based MCs (as detailed in the preceding slide). While not insurmountable, this does need to be factored in as part of the decision process.

Conclusion – In smaller designs (such as branches), the use of Catalyst 3850 switches as MCs is likely workable. In mid-sized designs, this may also be workable, but does lead to some additional roaming considerations (as detailed on the following slides). In large campus deployments, the use of controllers as MCs is more likely, due to economies of scale.

Page 38: Diving into Converged Access


Key Takeaways – Converged Access – Exciting Platforms, and an Evolutionary Addition
Cisco Converged Access Deployment

Converged Access is an evolutionary advance to our Wireless deployment options.

CA addresses inflection points around device and bandwidth scale, and allows an unprecedented level of traffic visibility and control for wired / wireless deployments.

The Catalyst 3850 switch offers the best stackable switch platform in the industry, incorporating many important advances to the state-of-the-art in stackable switching.

Many of the terms and components used to describe Converged Access also exist in today’s Unified Wireless deployments. New components added with Converged Access include –
• Switch Peer Group (SPG) – used to localize roaming
• Mobility Oracle – used to allow greater Mobility Domain scalability

With CA, the Catalyst 3850 switch is a full partner in the mobility roaming domain. Roaming in Converged Access (by default) behaves as a Layer 3 roam does in Unified Access, incorporating MAs and MCs for seamless roaming with full visibility and control over traffic flows.

In small to mid-sized deployments, the Catalyst 3850 can be used as both an MC as well as an MA.


Page 40: Diving into Converged Access


CUWN Architecture – Overview – Challenges of QoS
Existing Unified Wireless Deployment today …

Current Mobility Architecture – APs with CAPWAP Tunnels to a 5508/WiSM2 (labels: Marking, Policing)

Challenges –
• Overlay model with multiple points of policy application*
• Limited visibility into applications
• Lack of granular classification
• Software based QoS

* Overlay model applies to CUWN local mode and FlexConnect centralized mode

Page 41: Diving into Converged Access

Existing QoS Deployments – How We Overlay QoS Policies Today

Existing Unified Wireless Deployment today …

[Figure: Current QoS Architecture – WAN block, Campus block and 5508/WiSM2 controller, with Marking, Policing and Queuing applied at separate points]

• Distributed management, configuration and deployment

• Separate policies and services for wired and wireless users

• Wired policies implemented on switch

• Wireless policies implemented on controller, pushed to AP

Page 42: Diving into Converged Access

QoS – What’s New with Converged Access

Cisco Converged Access Deployment

Wired (Cat 3850) –

• Modular QoS based CLI (MQC)

‒ Alignment with 4500E series (Sup6, Sup7)

‒ Class-based Queueing, Policing, Shaping, Marking

• More Queues

‒ Up to 2P6Q3T queuing capabilities

‒ Standard 3750 provides 1P3Q3T

‒ Not limited to 2 queue-sets

‒ Flexible MQC provisioning abstracts queuing hardware

Wireless (Cat 3850 & CT 5760) –

• Granular QoS control at the wireless edge

‒ Tunnel termination allows customers to provide QoS treatment per SSID, per client, and common treatment of wired and wireless traffic throughout the network

• Enhanced Bandwidth Management

‒ Approximate Fair Drop (AFD) bandwidth management ensures fairness at Client, SSID and Radio levels for NRT traffic

• Wireless Specific Interface Control

‒ Policing capabilities per SSID, per client, upstream*** and downstream

‒ AAA support for dynamic client based QoS and security policies

• Per SSID Bandwidth Management

*** NOT available on CT 5760 at FCS

Page 43: Diving into Converged Access

QoS – What’s New with Converged Access

[Figure: Converged Access deployment with an integrated controller – Employee and Guest clients at a branch on a UA 3850, connected over the WAN to a DMZ with ISE and Prime; Marking and Policing applied at the 3850]

Page 44: Diving into Converged Access

QoS – What’s New with Converged Access

[Figure illustrating Enhanced Bandwidth Management (AFD): one .11n AP serving four clients at 5 Mbps each]

5 Mbps per client; max bandwidth allowed: 54 – (4 * 5) = 34 Mbps

With the CT 5760 or Cat 3850: usage based fair allocation without configuration

Page 45: Diving into Converged Access

QoS – What’s New with Converged Access

[Figure illustrating Wireless Specific Interface Control on the Cat 3850]

• SSID: BYOD

• QoS policy on 3850 used to police each client bidirectionally

• Policy can be sent via AAA to provide a specific per-client policy

• Allocate bandwidth, or police/shape the SSID as a whole

With the 3850: bidirectional policing at the edge, per user, per SSID, and in hardware

*** NOT available on CT 5760 at FCS

Page 46: Diving into Converged Access

QoS – What’s New with Converged Access

[Figure illustrating Per SSID Bandwidth Management: Enterprise and Guest SSIDs allocated 10% BW and 90% BW – Deterministic BW]

With the CT 5760 or Cat 3850: deterministic bandwidth is allocated per SSID

Page 47: Diving into Converged Access

QoS – What’s New with Converged Access

Example MQC policy from the slide (class-based marking and policing):

    policy-map PER-PORT-POLICING
     ! voice: mark EF, police to 128 kbps, drop excess
     class VOIP
      set dscp ef
      police 128000 conform-action transmit exceed-action drop
     ! video: mark CS4, police to 384 kbps, drop excess
     class VIDEO
      set dscp cs4
      police 384000 conform-action transmit exceed-action drop
     ! call signaling: mark CS3, police to 32 kbps, drop excess
     class SIGNALING
      set dscp cs3
      police 32000 conform-action transmit exceed-action drop
     ! transactional data: mark AF21, no policer
     class TRANSACTIONAL-DATA
      set dscp af21
     ! everything else: mark best effort
     class class-default
      set dscp default

*** NOT available on CT 5760 at FCS

Page 48: Diving into Converged Access

QoS Touch Points – Port, Radio, SSID, Client – What Features Apply at Each Level, Downstream

Into a wired port –

• Classification

• Policing

• Marking

Out of a wireless port –

• Classification

• Mutation*

• Policing

• Shaping*

• Bandwidth

• Priority

Levels (downstream): Client – SSID – Radio* – Port

• Shaped by default: 200 Mbps or 400 Mbps

• Shaped by default to sum of radios

Client / SSID –

• Priority

• Police

• Bandwidth

NOTES –

• SSID policies are actually per AP or BSSID.

• Marking is based on table-map, not set.

• Entire SSID is rate limited; AFD manages NRT traffic.

• Not configurable – based on the max rate the radio can support.

• Priority queues must be configured; they are not on by default.

Page 49: Diving into Converged Access


Page 50: Diving into Converged Access

Converged Access – Security is Paramount!

Top of Mind Security Concerns

The Challenge – device proliferation will lead to billions of devices (Internet of Everything)

• How can we enhance the level of security?

• How to deploy a consistent policy for all these devices?

• How to ensure end-to-end security in a scalable way?

Page 51: Diving into Converged Access

Converged Access – Security Architecture Overview

[Figure: Contractor users, Guest users and Employees on a BYOD Guest SSID (open) and a BYOD Corporate SSID (dot1x), through an AP and Cat 3850 to the Core, with ISE, services (LDAP, CA) and the Internet]

Page 52: Diving into Converged Access

Converged Access – The Need for Integrated Policy

How to define and apply security policy consistently across every device on the network?

[Figure: matrix of user (Employee, Contractor, Guest) by access method (Wired, Wireless, VPN) by device (Personal Device, Corporate Device), each combination carrying a different policy (Policy A through Policy G)]

Page 53: Diving into Converged Access

One Policy – Wired and Wireless

[Figure: ISE, an 802.1q trunk, Corporate Resources on VLAN 30 and Internet on VLAN 40; a corporate wired device, a corporate wireless device and an employee personal device (Same-SSID):

1. Dot1X Authentication

2. AuthZ with dVLAN 30; dACL Permit ip any any

3. Dot1X Authentication

4. AuthZ with dVLAN 40; dACL Restricted Access

5. Dot1X Authentication

6. AuthZ with dVLAN 30; dACL Permit ip any any]

• An employee using the same SSID can be associated to different VLAN interfaces and policy after EAP authentication

• An employee using a corporate wired or wireless device with their AD user id can be assigned to the same VLAN 30 to have full access to the network

• An employee using a personal iDevice with their AD user id can be assigned to VLAN 40 and a policy to access the internet only

Page 54: Diving into Converged Access

Converged Access – Policy Enforcement – Authorization – the Second “A” in AAA

• Policy management is done in IOS and policy enforcement is done in hardware for both wired & wireless devices; for wireless clients, WCM decides which policy is applied

• Client roaming –

‒ L3 roam: ACL policies are applied on the anchor switch (PoP)

‒ L2 roam: ACL policies hand off to the new switch (PoA)

• ACLs – centralized and distributed policy, IPv4 and IPv6

• URL Redirection / URL ACL

• VLANs

• Service Templates (distributed / centralized)

Page 55: Diving into Converged Access

Per-Session VLAN Assignment – MAC-based VLANs

• Before Cat3850: one port, one VLAN per access port (1:1)

• Exception: Voice (one data device untagged, one voice device tagged with the VVLAN)

• Later: VLAN assignment allowed on multi-authentication ports, but the first device ‘rules’ the port.

• Now: each session can have an individual VLAN assigned

[Figure: two sessions on access port Gi1/0/13 (“Not a trunk!”), one of them a VM, landing in different VLANs:]

160 WIRED-EMPLOYEE active Gi1/0/13

170 WIRED-GUEST active Gi1/0/13

Page 56: Diving into Converged Access

Downloadable ACL – Similar

[Figure: Mobility Controller, a Peer Group of Mobility Agents, and ISE]

1. Wireless client requests association

2. MA responds back with association

3. WCM triggers the IOS module (Auth Manager) to do authentication

4. IOS starts the authentication process for the client with the AAA server

5. AAA server responds with ‘access accept’, including the dACL name and version number in the policy attributes

6. If the switch has downloaded this dACL previously and has the current version, it uses the cached version

7. If the switch does not have the current version, it queries the server for the latest dACL version
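As an added example (not from the Cisco deck), the following models the two things these slides describe: the ISE authorization decision of the “One Policy – Wired and Wireless” slide, where the result depends on user and device but not on the access medium, and the Mobility Agent’s dACL name/version caching of steps 5-7 above. The identity groups, the dACL contents, the hash suffixes and the rejection of non-employees are constructed assumptions for illustration.

```python
"""Added example, not from the Cisco deck: a small model of the ISE authorization
decision (same policy for wired and wireless) and of the Mobility Agent's dACL
caching in steps 5-7 of the downloadable ACL flow. Identity groups, dACL bodies
and RADIUS attribute values are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# ISE references a downloadable ACL in Access-Accept through a Cisco AV-pair of
# the form ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<hash>; the hash
# suffix is the "version number" the slide refers to.
DACL_AVPAIR = re.compile(
    r"^ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-(?P<name>.+)-(?P<version>[0-9a-f]+)$"
)


@dataclass(frozen=True)
class Session:
    user_group: str   # AD group from the identity store: employee/contractor/guest
    device_type: str  # "corporate" or "personal", from profiling or certificate
    access: str       # "wired" or "wireless": must not change the decision


def authorize(s: Session) -> Optional[Dict[str, str]]:
    """RADIUS attributes ISE returns in Access-Accept (None = Access-Reject).

    Mirrors the slide: an employee on a corporate device lands in VLAN 30 with
    'permit ip any any'; the same employee on a personal device lands in
    VLAN 40 with a restricted, internet-only dACL. Everyone else is rejected
    here (a constructed simplification; the slide covers employees only).
    """
    if s.user_group != "employee":
        return None
    if s.device_type == "corporate":
        dacl, vlan = "#ACSACL#-IP-PERMIT_ALL-4f2a9c1e", "30"      # constructed
    else:
        dacl, vlan = "#ACSACL#-IP-INTERNET_ONLY-0b77d3a5", "40"  # constructed
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan,
        "Cisco-AVPair": "ACS:CiscoSecure-Defined-ACL=" + dacl,
    }


def dacl_reference(avpair: str) -> Tuple[str, str]:
    """Split the AV-pair into (name, version); a malformed value raises so the
    switch fails closed instead of silently applying no ACL."""
    m = DACL_AVPAIR.match(avpair)
    if m is None:
        raise ValueError(f"not a dACL reference: {avpair!r}")
    return m["name"], m["version"]


# Constructed dACL bodies as the AAA server hands them back on a query (step 7).
DACL_STORE: Dict[Tuple[str, str], List[str]] = {
    ("PERMIT_ALL", "4f2a9c1e"): ["permit ip any any"],
    ("INTERNET_ONLY", "0b77d3a5"): [
        "deny ip any 10.0.0.0 0.255.255.255",  # no corporate resources
        "permit ip any any",                   # everything else (internet)
    ],
}


def fetch_from_server(name: str, version: str) -> List[str]:
    try:
        return list(DACL_STORE[(name, version)])
    except KeyError:
        raise LookupError(f"AAA server has no dACL {name} version {version}")


class MobilityAgent:
    """MA side of steps 5-7: cache dACLs by (name, version) and only go back to
    the AAA server when the referenced version is not already held."""

    def __init__(self, fetch: Callable[[str, str], List[str]] = fetch_from_server):
        self._fetch = fetch
        self._cache: Dict[Tuple[str, str], List[str]] = {}
        self.server_queries = 0

    def apply(self, attrs: Optional[Dict[str, str]]) -> Dict[str, object]:
        if attrs is None:
            raise PermissionError("Access-Reject: no policy applied")
        key = dacl_reference(attrs["Cisco-AVPair"])
        if key not in self._cache:      # step 7: not current, query the server
            self._cache[key] = self._fetch(*key)
            self.server_queries += 1
        # step 6: current version already downloaded, use the cached copy
        return {"vlan": int(attrs["Tunnel-Private-Group-ID"]), "acl": self._cache[key]}


if __name__ == "__main__":
    ma = MobilityAgent()
    for access in ("wired", "wireless"):
        print(access, ma.apply(authorize(Session("employee", "corporate", access))))
    print("personal", ma.apply(authorize(Session("employee", "personal", "wireless"))))
    print("server queries:", ma.server_queries)  # 2: one per distinct dACL version
```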

Page 57: Diving into Converged Access

ISE Policy Definition Example – Same Authorization Policy for Wired AND Wireless

Page 58: Diving into Converged Access

Converged Access – MC Wireless Security Features Comparison

Feature                                   Cat 3850    CT5760      CT5508

BYOD Functionality                        YES         YES         YES

Rogue detect / classify / contain, RDLP   YES         YES         YES

Port Security                             YES         YES         NO

IP Source Guard                           YES         YES         NO

Dynamic ARP Inspection                    YES         YES         NO

LDAP, TACACS+, RADIUS                     YES         YES         YES

LSC and MIC                               YES         YES         YES

AP dot1x EAP-FAST                         YES         YES         YES

Secure Fast Roaming                       YES         YES         YES

802.1X-rev-2010 (MACsec / MKA)            H/W Ready   H/W Ready   NO

Page 59: Diving into Converged Access

Converged Access – MC Security Features Comparison continued

Feature                                   Cat 3850    CT5760      CT5508

IP Theft, DHCP Snooping, Data Gleaning    YES         YES         YES

IOS ACL                                   YES         YES         YES

Adaptive wIPS, WPS                        YES         YES         YES

CIDS                                      YES         YES         YES

TrustSec SGT / SGACL                      H/W Ready   H/W Ready   SXP

Guest Access                              YES         YES         YES

IPv6 RA Guard                             YES         YES         NO

MFP                                       YES         YES         YES

IP Device Tracking                        YES         YES         NO

CoPP                                      Static      Static      NO

Page 60: Diving into Converged Access

Key Takeaways – the Converged Access Security Architecture provides:

• Harmonized security features for wired and wireless

• Integrated policy for both wired and wireless

• Increased scalability through optimizing a balance of centralized & distributed architecture

Page 61: Diving into Converged Access

Converged Access, Mid-Sized and Small Branch – Guest Access with Catalyst 3850 Only (< 250 APs, and no Guest Anchor)

WebAuth Portal Characteristics – Small ~ Mid-Size Independent or Remote Branch

• Distributed Guest WebAuth Portal in each MA

• Wireless Guest Traffic gets its PoP at the MA

• WebAuth Portal on-box, Customizable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Passthru/Consent, Logout Page

• HTTPS and HTTP redirect for Wired and Wireless

• Authenticating: local database / AAA / LDAP / Cisco Prime Lobby Ambassador

• Security: Pre-Auth ACL, AAA override for dACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing

• Visibility: Flexible NetFlow

• Seamless Mobility – L2/L3 Roaming

[Figure: Guest and Employee clients on APs with CAPWAP tunnels to Cat3850 switches (one MC/MA and MAs in an SPG), each running its own WebAuth portal; ISE and CPI on the Intranet, firewall to the Internet]

Page 62: Diving into Converged Access

Converged Access, Mid-Sized and Small Branch – WebAuth & Guest Anchor with 5760 and 3850 (< 250 APs per Branch)

WebAuth Portal & GA Characteristics – Small ~ Mid-Size Independent Branch With Cat3850

• Central Guest WebAuth Portal in CT5760 GA* (Centralized Wireless Guest only at FCS)

* Cat3850 only acts as Foreign.

• Wireless Guest Traffic gets its PoP at the GA

• Provides granular centralized profiling (ISE Policy Decision Point, PDP) of Guest devices

• Provides simple aggregation to the DMZ for Firewall and Web Filtering of all Guests

• WebAuth Portal on-box, Customizable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Passthru/Consent, Logout Page

• HTTPS and HTTP redirect for Wired and Wireless

• Authenticating: local database / AAA / LDAP / Cisco Prime Lobby Ambassador

• Security: Pre-Auth ACL, AAA override for dACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing

• Visibility: Flexible NetFlow

• Seamless Mobility – L2/L3 Roaming

[Figure: Guest and Employee clients on APs with CAPWAP tunnels to Cat3850 Foreign switches (MC/MA and MAs in an SPG); a CAPWAP Mobility Tunnel carries guest traffic to the CT5760 Guest Anchor (WebAuth) in the Data Center service block, alongside ISE and CPI, with a firewall to the Intranet]

Page 63: Diving into Converged Access

Converged Access, Large Campus – Campus WebAuth & Guest Anchor with Centralized 5760

WebAuth Portal & GA Characteristics – Large Independent Branch (No Cat3850) – “Classic Centralized CUWN”

• Central Guest WebAuth Portal in CT5760 GA

• Wireless Guest Traffic gets its PoP at the GA

• Provides granular centralized profiling (PDP) of Guest devices

• Provides simple aggregation to the DMZ for Firewall and Web Filtering of all Guests

• WebAuth Portal on-box, Customizable Login Page, or re-direct, E-Mail input, Click-2-Accept Acceptable Use Page, Passthru/Consent, Logout Page

• HTTPS and HTTP redirect for Wired and Wireless

• Authenticating: local database / AAA / LDAP / Cisco Prime Lobby Ambassador

• Security: Pre-Auth ACL, AAA override for dACL, Enhanced QoS (MQC) Class assignment, Session-Timeout, Black Listing

• Visibility: Flexible NetFlow

• Seamless Mobility – L2/L3 Roaming

[Figure: Guest and Employee clients on APs with CAPWAP tunnels to a 5760 in a distributed service block (Cat3750 access switches); a CAPWAP Mobility Tunnel to the 5760 Guest Anchor (WebAuth) in the Data Center service block, alongside ISE and CPI, with a firewall to the Intranet]

Page 64: Diving into Converged Access

Guest Anchor (GA) – AireOS and IOS Deployment Highlights

• Converged Access Cat3850 and CT5760 both support consistent CUWN GA modes as AireOS 7.0.220.0 release features

• Anchor roles are supported on CT5760, and also on CT5508 / WiSM-2 running the New Hierarchical Mobility mode only (7.3.112.0)

• Foreign role is supported on Cat3850 / CT5760 / CT5508 / WiSM-2

• Authentication Methods –

‒ L3 methods (WebAuth): L3 authentication happens at the Anchor (PoP)

‒ L2 methods (PSK, Dot1x): L2 authentication happens at the Foreign (PoA)

[Figure: Cat3850 Foreign switches (MC/MA and MAs in an SPG) with CAPWAP tunnels from APs; a CAPWAP Mobility Tunnel to the CT5760 Guest Anchor (WebAuth) in the Data Center service block, alongside ISE and CPI, with a firewall to the Intranet]

Page 65: Diving into Converged Access

New Hierarchical Mobility Mode, with Guest Access – IRCM Compatibility Matrix: http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.htm

CUWN Service                         4.2.x.x  5.0.x.x  5.1.x.x  6.0.x.x  7.0.x.x  7.2.x.x  7.3.101.0  7.3.112.0 (Note 1)  IOS WCM 3.2.0SE

Layer 2 and Layer 3 Roaming          Y        –        –        Y        Y        Y        Y          O                   O

Wireless Guest Anchor/Termination    Y        Y        Y        Y        Y        Y        Y          O                   O (2)

WiPS & AwIPS Rogue Detection         Y        –        –        Y        Y        Y        Y          O                   O (3)

Fast Roaming (CCKM) in a mobility group  Y    –        –        Y        Y        Y        Y          O                   O

Location Services                    Y        –        –        Y        Y        Y        Y          O                   O

Radio Resource Management (RRM)      Y        –        –        Y        Y        Y (4)    Y (4)      O (5)               O (5)

Management Frame Protection (MFP)    Y        –        –        Y        Y        Y        Y          O                   O

AP Failover                          Y        –        –        Y        Y        Y        Y          O (6)               O (6)

Y = Compatibility in Classic Flat Mobility; O = Compatibility in New Hierarchical Mobility

NOTES:

1. New Mobility is only supported on AireOS CT5508 & WiSM-2 platforms, but does not form any IRCM or GA with CT2500/CT7500/CT8500/v-WLC

2. Guest Anchor termination is only supported on CT5760/CT5508/WiSM-2. CT5760/CT5508/WiSM-2/Cat3850 are all supported as a Foreign

3. Rogue Detector mode not supported

4. In Release 7.2, RF Profiles and groups were introduced. RRM for release 7.2 and later is not backward compatible with previous releases.

5. RRM in Converged Access is compatible with CUWN release 7.3.112.0 but does not support the RF Profiles and Groups introduced in 7.2

6. No AP SSO in IOS for CT5760. AP intra-OS platform fast failover supported. AP inter-OS platform image download & reboot performed.

Page 66: Diving into Converged Access

Key Takeaways – the Converged Access Guest Access Architecture provides:

• Well proven & reliable GA architecture, as previously utilized across CUWN

• Robust GA feature set with new expanded QoS and policy capabilities

• Simplified configuration with rich IOS troubleshooting tools

Page 67: Diving into Converged Access


Page 68: Diving into Converged Access

Converged Access – Small Branch – No Discrete Controllers, Catalyst 3850s as MC / MAs

Up to 50 APs – applicable to a small branch deployment. Deployment could consist of multiple stacks – one stack as MC/MA, rest of stacks as MAs only.

Characteristics –

• May be a lower-speed WAN link (bandwidth and latency a concern only for Guest traffic)

• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic

• Supports Layer 3 roaming

• Supports VideoStream and optimized multicast

• Good availability due to MA/MC redundancy within the 3850 stack – provides wireless continuity with either WAN outage or switch failure within the stack

Page 69: Diving into Converged Access

Converged Access – Small / Medium Branch – No Discrete Controllers, Catalyst 3850s as MC / MAs, Single SPG

Up to 50 APs – applicable to a small to medium branch deployment.

Characteristics –

• No discrete controllers deployed, even with multiple wiring closets

• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic

• Supports Layer 3 roaming

• Supports VideoStream and optimized multicast

• Good availability due to MA/MC redundancy within the 3850 stacks – provides wireless continuity with either WAN outage or switch failure within the stack

Page 70: Diving into Converged Access

Converged Access – Large Branch – No Discrete Controllers, Catalyst 3850s as MCs / MAs, Multiple SPGs

Up to 250 APs – applicable to a larger branch deployment. Scalability … up to 8 x 3850-based MCs.

Characteristics –

• No discrete controllers deployed, even at a larger branch

• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic

• Supports Layer 3 roaming

• Supports VideoStream and optimized multicast

• Good availability due to MA/MC redundancy within the 3850 stacks – provides wireless continuity with either WAN outage or switch failure within the stack

Note – MCs handle one or more SPGs each, with all MCs meshed into a single Mobility Group for the site. Guest tunnel per MC to Anchor.

Page 71: Diving into Converged Access

Converged Access – Large Branch – Controllers as MCs, Catalyst 3850s as MAs only, Multiple SPGs

> 250 APs – applicable to a larger branch or small campus.

Characteristics –

• Greater scalability via the use of discrete controllers as MCs, in conjunction with Catalyst 3850 switches as MAs

• Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic

• Supports Layer 3 roaming, VideoStream, and optimized multicast

• Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers) – provides wireless continuity with either WAN outage or switch / controller failure

• Simplified Mobility deployment vs. the use of 3850 switches as MCs / MAs

Page 72: Diving into Converged Access

Converged Access – Large Campus – Centralized MCs, 3850s as MAs only

> 250 APs – applicable to a larger campus.

Characteristics –

• Use of discrete controllers as MCs, combined with Catalyst 3850 switches as MAs, provides for a very scalable solution

• Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic

• Supports Layer 3 roaming – provides scalability by keeping many roams localized to SPGs (below distribution)

• Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers)

• Simplified Mobility deployment using 3850 switches as MAs only, vs. the use of 3850 switches as MCs / MAs

Page 73: Diving into Converged Access

Converged Access – Large Campus – Distributed MCs, 3850s as MAs only

> 250 APs – applicable to a larger campus.

Characteristics –

• Use of discrete controllers as MCs, combined with 3850 switches as MAs, provides for a very scalable solution

• Use of distributed controllers (vs. centralized in the DC) may be more appropriate in some wireless deployments

• Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic

• Supports Layer 3 roaming – provides scalability by keeping many roams localized to SPGs (below distribution)

• Good availability due to MA redundancy (3850 stacks) and MC redundancy (controllers)

• Simplified Mobility deployment using 3850 switches as MAs only, vs. the use of 3850 switches as MCs / MAs

Page 74: Diving into Converged Access


Page 75: Diving into Converged Access

Converged Wired / Wireless Access – Evolving from Overlay …

Existing Unified Wireless Deployment Today… – well-known and well-proven … prior to migration to Converged Access

[Figure: Data Center / Service block with PI and ISE; Intranet; a Mobility Group of two 5508 / WiSM2 controllers joined by an EtherIP Mobility Tunnel; CAPWAP tunnels from the APs to the controllers]

• Separate policies and services for wired and wireless users

• Wired policies implemented on switch

• Wireless policies implemented on controller

• All wireless traffic centralized via controllers, as shown

Page 76: Diving into Converged Access

Converged Wired / Wireless Access – Evolving from Overlay …

Initial Migration Step (intermediate step) – Controller Upgrades, Implementation of First CA Switches

[Figure: the two 5508 / WiSM2 controllers in the Mobility Group receive a software upgrade and become MC / MA, joined by a CAPWAP Mobility Tunnel (the EtherIP Mobility Tunnel remains shown); the first Catalyst 3850 switches are deployed as MAs in a Switch Peer Group; CAPWAP tunnels from the APs; Data Center / Service block with PI and ISE; Intranet]

Be aware that feature differences may exist, based on MA software versions.

Page 77: Diving into Converged Access

Converged Wired / Wireless Access – Evolving from Overlay …

Further Migration Step (intermediate step) – Controller Upgrades, Implementation of Additional CA Switches

[Figure: upgraded 5508 / WiSM2 controllers (MC / MA) and new 5760 controllers (MC / MA) in the Mobility Group, joined by a CAPWAP Mobility Tunnel; additional Catalyst 3850 switches deployed as MAs in multiple Switch Peer Groups; CAPWAP tunnels from the APs; Data Center / Service block with PI and ISE; Intranet]

Page 78: Diving into Converged Access

Converged Wired / Wireless Access – … to Integrated

Implementation of End-to-End Converged Access Deployment

[Figure: 5760 or upgraded WiSM2 / 5508 controllers as MC / MA in the Mobility Group, joined by a CAPWAP Mobility Tunnel, with PI and ISE in the Data Center / Service block; Catalyst 3850 switches as MAs in Switch Peer Groups, with CAPWAP tunnels from the APs terminating on the switches; Intranet]

• Converged policies and services for wired and wireless users

• Wired and wireless policies implemented on 3850 switch

• Increase in performance and scalability via local termination of both wired and wireless traffic

• Increase in visibility and control (NetFlow, Advanced QoS, etc.) via local termination of both wired and wireless traffic

Page 79: Diving into Converged Access


Page 80: Diving into Converged Access

Bringing Together Wired and Wireless – How Are We Addressing This Shift?

An Evolutionary Advance to Cisco’s Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands ….

• Control plane functionality on the NG Controller – Next-Generation WLAN Controller (5760) (also possible on upgraded 5508s and WiSM2s for brownfield deployments, or on NG Converged Access switches for small branch deployments)

• Data plane functionality on NG Switches – Next-Generation Switches (Catalyst 3850s) (also possible on NG Controllers, for deployments in which a centralized approach is preferred)

Enabled by Cisco’s strength in Silicon and Systems … UADP ASIC

Page 81: Diving into Converged Access

Bringing Together Wired and Wireless – With a Next-Generation Deployment and Solution

[Figure: Cisco Converged Access Deployment – a Mobility Domain containing Sub-Domain #1 and Sub-Domain #2, each a Mobility Group with an MC and SPGs of MAs; PI and ISE]

Page 82: Diving into Converged Access

Converged Access – Tell Us How We Did!

Did We Achieve Our Objectives? Do you have a better understanding …

of what Converged Access is …

of how Converged Access works …

and how you would use it in your network designs?

Page 83: Diving into Converged Access

Thank you.
