Branch Office Wireless

LAN Design
Rajat Tayal ([email protected])
Technical Marketing Engineer
BRKEWN-2016
THANK YOU!!
Cisco Spark
Questions?
Use Cisco Spark to chat with the
speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be cs.co/ciscolivebot#BRKEWN-2016

available until July 3, 2017.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Wireless Controller and Acess Point Portfolio
• Branch Deployment Options
• Evaluate FlexConnect Requirements and identify need for FlexConnect & AP Groups
• Design a Resilient, Secure, and BYOD enabled Branch Network
• Service-Ready Branch
• Provision and Operate Wireless Branch over WAN
• Deploying Small and medium sites using Cisco Mobility Express

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
 Platforms &
Wireless Controller Portfolio Large Enterprise, Branch
Virtualization

Control at Central Site

Mid-size Enterprise, Branch
Control at Central Site
Cisco 8540
Small Network Cisco vWLC 6000 APs
3000 APs 64,000 clients
32000 Clients 40 Gbps
Flexconnect mode

Mobility Express Cisco 3504 Cisco 5520

150 APs 1500 APs
50 APs/1000 Clients AP 18xx 3000 Clients
100 AP/2000 Clients: AP2/3K 20,000 Clients
4 Gbps 20 Gbps
Fleconnect mode

1-100 APs 150-1500 APs 1500-6000 APs

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
 Cisco Aironet 802.11ac Wave 2 Access Point Portfolio
Industry’s most comprehensive and innovative
Enterprise Class Mission Critical Best in Class
DNA Ready | RF Excellence | CMX | Centralized, FlexConnect or Mobility Express
Dual 5 GHz | Flexible Radio | HDX
Future Proof

3800
2800
1830 1850 • 4x4:3SS 160 MHz
1815 • 4x4:3SS 160 MHz • 5 Gbps Performance
Indoor / High-powered Indoor • 4x4:3SS 80 MHz • 5 Gbps Performance • 2.4 and 5GHz or
Wall Plate / Teleworker • 3x3:2SS 80 MHz Dual 5GHz
• 1.7 Gbps Performance • 2.4 and 5GHz or
• 2x2:2SS 80 MHz • 867 Mbps Performance Dual 5GHz • 2 GE Ports Uplink or
• Internal or External
• 867 Mbps Performance • Tx Beam Forming Antenna • 2 GE Ports Uplink 1 GE + 1 mGig (5G)
• Tx Beam Forming • 1 GE Port Uplink • Tx Beam Forming • CleanAir and ClientLink • CleanAir and ClientLink
• Integrated BLE Gateway1 • USB 2.0 • 2 GE Ports Uplink • Internal or External • StadiumVision
• Max Transmit Power (dBm) • USB 2.0 Antenna • Internal or External
per local regulations2 • Smart Antenna Antenna
• 3 GE Local Ports, including Connector • Smart Antenna Connector
1 PoE out3 • USB 2.0 • USB 2.0
• Local ports 802.1x ready3 • Investment Proof
• Centralized, FlexConnect and Mobility Express
• USB 2.04
1Future availability 2 Available for High-powered only 3 Available for wall-plate and teleworker only 4 Available for teleworker only
Modularity
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Aironet 802.11ac Outdoor Access Point Portfolio
Industry’s most comprehensive and innovative portfolio
DNA Ready | RF Excellence | CMX

New

New
1540
• 802.11ac Wave 2, MU-MIMO
• 2x2:2, 80MHz, 867 Mbps
• Ultra low profile
• Internal antenna model (I)
• Internal directional antenna model (D)
• PoE (802.3af) power
• Centralized, FlexConnect, Mesh* and
Mobility Express
802.11ac Wave 2
1560
• 802.11ac Wave 2, MU-MIMO
• 3x3:3, 80MHz, 1.3Gbps (I)
• 2x2:2, 80MHz, 867Mbps (E/D)
• Internal or External antenna model (I/E)
• Internal directional antenna model (D)
• SFP
• Flexible Antenna Ports
• CleanAir and ClientLink
• Centralized, FlexConnect, Mesh and
Mobility Express
1570
• 802.11ac Wave 1
• 4x4:3 80 MHz; 1.3 Gbps
• External antenna model (EAC)
• Cable Modem model (IC/EC)
• SFP
• GPS
• PoE Out 802.3at (Ext Ant. only)
• Flexible Antenna Ports
• CleanAir and ClientLink
• Modularity (Ext Ant. only)
• Centralized, FlexConnect and Mesh
Cable Modem Version Only (IC/EC)
• DOCSIS 3.0, 24x8
• Internal or External antenna

*Available mid CY17

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Unified Access: One Architecture, Multiple Deployment Options

WAN Intranet

MOBILITY EXPRESS FLEX CONNECT CENTRALIZED

Small Network Branch Large Campus

• Single site network • Distributed network • Data center hosted controller

• Low IT footprints • Highly scalable • Distributed enterprises
Aironet Access Points
• Controllers • Controllers
• Virtual controller function on AP
11ac Wave2 : 3800/2800/1800
• 11ac: 1800/2800/3800 • 350411ac: 3700/2700/1700 • 3504
• 5508 and 2600/
11n: 3600/ 55201600/ 700i/700w • 5508 and 5520
• 8510 and 8540 • 8510 and 8540

Prime Infrastructure, Identity Service Engine, Connected Mobile Experiences

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Wireless Branch Deployment
FlexConnect Deployment
Branch Office with Local WLAN Controller
Options Backup Central
Controller
Central Site
 Small or Mid-size Branch WLCs
 CT-3504, CAPWAP
 Integrated controller modules in
ISR/ISR-G2 WAN
 vWLC vWLC
WLC-35xx WLCM for
ISR/ISR-G2
Advantages
• Layer-3 roaming within the branch
• Cookie cutter configuration for
every branch site
Remote Site C
Remote Site A
Remote Site B
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Branch Office Deployment
Central Site
FlexConnect
Centralized
• Hybrid architecture Traffic Centralized
Traffic
• Single management and control point
• Data Traffic Switching
• Centralized traffic
(split MAC) or
• Local traffic (local MAC)
WAN
• Traffic Switching is configured per AP
and per WLAN (SSID)
• Standalone Mode will preserve local traffic

Remote Office
Local
Traffic
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexConnect Glossary

01 Connected Mode
When FlexConnect AP can reach Controller, it gets help
from controller to complete client authentication

When FlexConnect AP cannot reach Controller,

02 Standalone Mode it goes into standalone mode and does client
authentication by itself

Data traffic is tunneled back to WLC

03 Central Switching for an SSID

Data traffic is switched onto

04 Local Switching local VLANs for an SSID

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Configuring FlexConnect Local
Switching
Step 1: Configure FlexConnect Mode on AP

 Enable FlexConnect mode per AP

 Supported APs:
• AP-1040, AP-1130, AP-1140, AP-1240,
AP-1250, AP-1260, AP-1520, AP-1530,
AP-1550, AP-1560, AP-1570, AP-1600,
AP-1700, AP-1800, AP-2600, AP-2700,
AP-2800, AP-3500, AP-3600, AP-3700,
AP-3800

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Step 2: Configure FlexConnect Local Switching on
WLAN
Only WLAN with “FlexConnect Local Switching” enabled will allow local
switching on the FlexConnect AP

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Step 3: Configure Native VLAN on FlexConnect AP
 When connecting with Native VLAN on AP, L2 switchport must also match with corresponding Native
VLAN configuration
 VLAN mapping can be performed per AP, per FlexConnect Group on WLC or using Cisco Prime
Infrastructure templates

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Step 4: Configure FlexConnect WLAN-VLAN
Mapping
 Mapping of WLAN to VLAN can be done per FlexConnect AP or FlexConnect Group
 Or use Cisco Prime Infrastructure via configuration templates
 Each corresponding WLAN that is allowed to be locally switch should be allowed on the
corresponding switchport
1 2

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Configure FlexConnect VLAN Mapping
Using Cisco Prime Infrastructure
 Prime Infrastructure provides simplified configuration to all FlexConnect APs
with one Lightweight AP Template

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Evaluate FlexConnect Architectural
Requirements
 For Your
Reference
FlexConnect Design Considerations
WAN Limitations Apply

Deployment WAN Bandwidth WAN RTT Max APs per Max Clients per
Type (Min) Latency (Max) Branch Branch

Data 64 kbps 300 ms 5 25

Data 640 kbps 300 ms 50 1000
Data 1.44 Mbps 1 sec 50 1000
Data+Voice 128 kbps 100 ms 5 25
Data+Voice 1.44 Mbps 100 ms 50 1000
Monitor 64 kbps 2 sec 5 N/A
Monitor 640 kbps 2 sec 50 N/A

It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip
latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
FlexConnect Design Considerations
Feature Limitations in Standalone mode and Local Switching
• MAC/Web Auth in Standalone Mode
• IPv6 Mobility
• Service Discovery Gateway
• Native Profiling and Policy Classification
• FlexConnect Feature Matrix
• http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html

• Feature Matrix for 802.11ac Wave 2 Access Points

• http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_feature_matrix_for_802_11ac_wave2_access_points.html

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
IPv6 Support

✔
✔
✔
✔
✔
✔
✔
✔
✔

Significant support for IPv6 with Central Switching

IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
 For Your
FlexConnect Feature Introduction Reference
FlexConnect Features Release Version
AAA-VLAN Override, ALCs & P2P Blocking 7.2
Smart AP Image Upgrade 7.2
External Web-Auth & Mobile Device On-boarding 7.2
Flex 7500 Scale Update 7.3
VLAN Based Central Switching 7.3
Split-tunneling 7.3
Work Group Bridge (WGB) Support 7.3
Bi-Directional Rate Limiting 7.4
ISE BYOD Registration & Provisioning 7.4
AAA-ACL & AAA-QoS Override 7.5
EAP-TLS & PEAP Support for Local Authentication 7.5
Ethernet Fallback 7.6
VideoStream for Local Switching 8.0
Faster time to deploy 8.0
FlexConnext on Mesh APs 8.0
AVC for FlexConnect 8.1
VLAN Name override for FlexConnect 8.1
FlexConnect Mode for AP from PnP 8.2
FlexConnect Group for AP from PnP and Default FlexConnect Group 8.3
TrustSec SXP/SGT 8.4
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Optimized for High Scale Deployments
Functionality
Cisco 8540 Series Controller
Access Points 6,000
Key Differentiation Clients 64,000

Branches/locations 6,000 (2000 FlexGroups)

 High scale
• 4K VLANs
Access Points per 100
 Rich Features with deployment flexibility FlexConnect group
• Geo Separated AP/Client SSO
Deployment types Local (centralized),
• FlexConnect, Local mode and mesh support Right to use
FlexConnect and mesh
(with EULA) for ease of license enablement
• 3G Packet core integration: PMIPv6 MAG solution with Form Factor 2 RU
ASR5K (LMA)
• FlexConnect with HS2.0 for 3G offload IO Interface and Four x 10GE ports with LAG
redundancy
• Other key features:
802.11r fast roaming
Rate limit traffic flows
Video Stream for rich media flows

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Why do we need FlexConnect & AP
Groups?
 Understanding AP Groups
Overview AP Group 1 Central Site
WLC5520
• AP Groups is a logical concept of
grouping AP’s which deliver similar Wi-Fi
services; these services can be:
• By physical location, and/or
• By functional services
(data, voice, guest, etc..)

• Same AP groups need to be defined in all WAN

WLC’s of a mobility group Remote Site A Remote Site B

Scaling WLC-8540 WLC-5520 WLC-3504 AP Group 3

# AP Groups 6000 1500 150

# WLAN (SSID) 512 512 512

# VLAN (Interfaces) 4095 4095 4095

AP Group 2

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
AP Groups
Configuration: Create a New Group

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
 AP Groups Use Case @ Internet

Guest-Access AP Group 1 Central Site

Per Location SSID
Corporate-Voice

AP groups give the ability to enable Wi-Fi

Services (WLAN) based on physical
location Corporate-Data

Central Site WAN

Corporate-Data, Corporate-Voice, Guest-
Access Manufacturing Site
Store
Manufacturing Site
Corporate-Data, Corporate-Voice, AP Group 3
Scanners
Store
Corporate-Data, Guest-Access Scanners
AP Group 2 Corporate-Data
Guest-Access
Corporate-Data
Corporate-Voice
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
 AP Groups Use Case
AP Group 1 VLAN-1
Per AP Group WLAN to VLAN Mapping Head Office Central Site

VLAN-2
• AP groups give the ability to statically
map Wi-Fi service (WLAN) to VLAN
based on physical location VLAN-3

• Users see the same

Wi-Fi service on all sites. Corporate-Data
WAN/MAN
• Admin can monitor and filter based on
different IP@ each site
AP Group 3
• Can also be used to have smaller Wi-Fi Store
subnets
• For example per floor subnets in a building. AP Group 2
Manufacturing Site Corporate-Data
Corporate-Data

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Understanding FlexConnect Groups
Central Site
WLC5520
Overview

FlexConnect groups allow sharing of:

• CCKM/OKC fast roaming keys
• Local/backup RADIUS servers IP/keys
• Local EAP authentication WAN
• AAA-Override for Local Switching Remote Site Remote Site

• Smart Image Upgrade

• FlexConnect AVC

Scaling WLC-8540 WLC-5520 WLC-3504

FlexConnect
2000 1500 100
Groups
AP per Group 100 100 100 FlexConnect Group 1 FlexConnect Group 2

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
FlexConnect Groups and CCKM/OKC Keys
Overview Central Site CCKM Keys

RADIUS Server

• CCKM/OKC keys stored on FlexConnect

APs for Layer 2 fast roaming

• The FlexConnect APs receives CCKM/OKC WAN

keys from WLC

• If a FlexConnect AP boots up
in standalone mode, it will not get the
OKC/CCKM keys from the WLC

• FlexConnect supports 802.11r Fast

Transition with local key caching
FlexConnect Group 1 FlexConnect Group 2

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
 FlexConnect Groups Creation
Step 1: Add a New FlexConnect Group
1

Step 2: Add APs to the

FlexConnect Group

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
 For Your
Reference
FlexConnect Groups Template on PI

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
 For Your
Reference
FlexConnect Groups Template on PI

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Designing a Resilient Wireless
Branch Network
FlexConnect Backup Scenario
Central Site
WAN Failure
 FlexConnect APs will go to Standalone mode
 No impact for locally switched SSIDs
 Disconnection of centrally switched SSIDs
clients
WAN
 Static authentication keys are locally stored in
FlexConnect AP
Remote Site
 Lost Features
 RRM, WIDS, location, other AP modes Application
 Web authentication, NAC Server

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
FlexConnect Backup Scenario
Central Site
WLC Failure scenario with N+1 HA
Secondary Primary
WLC WLC
 FlexConnect APs will go to Standalone mode
 No impact for locally switched SSIDs
 Disconnection of centrally switched SSIDs
clients WAN
 CCKM roaming allowed in FlexConnect group
 FlexConnect AP will then search Remote Site
for backup WLC; when backup WLC is found,
FlexConnect AP will resync with WLC and Application
resume client sessions with central traffic Server

 Client sessions with Local Traffic are not

impacted during resync with Backup WLC

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
FlexConnect Backup Scenario

WLC failure scenario with SSO Central Site

Standby

Active

 True Box to box High Availability i.e. 1:1. Sub-

second failover to StandBy WLC
 Configuration(AP database, Client Run state etc.)
information on Active is synched to Standby WLC WAN
 FlexConnect AP will NOT transition to Standalone
because SSO kicks in
 AP will continue to be in Connected mode with the
Standby (now Active) WLC Application
Server
 Centrally Switched SSID will never go down

Remote Office
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
FlexConnect Group : Backup Scenario
Central Site
Local Backup RADIUS
Central
 Normal authentication is done centrally RADIUS

 On WAN failure, AP goes to Standalone

mode and authenticates new clients with
locally defined RADIUS server WAN
 Existing connected clients stay connected
Local Backup
 Clients can roam with RADIUS Remote Site

 CCKM fast roaming, or

 Re-authentication

CCKM Fast Roaming

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
FlexConnect Group: Local Backup RADIUS
Configuration
• Define primary and secondary local backup RADIUS server per FlexConnect
group

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Local Authentication
Central Site

Local Authentication Central

RADIUS

• By default FlexConnect AP authenticates

WAN
clients through central controller
Local
• Local Authentication allow use of local RADIUS
Remote Site
RADIUS server directly from the FlexConnect
AP even when WAN is UP

FlexConnect Group

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Local Authentication
Configuration

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
FlexConnect Group: Backup Scenario
Central Site
Local Backup Authentication
Central
 Normal authentication is done centrally RADIUS

 On WAN failure, AP authenticates new clients with its local

database
 Each FlexConnect AP has a copy of the local user DB
WAN
 Existing authenticated clients stay connected
Remote Site
 Clients can roam with:
 CCKM fast roaming, or
 Local re-authentication
FlexConnect Group 1
Supported Security Types Release Version
LEAP 6.0
EAP-FAST 6.0
PEAP 7.5 CCKM Fast
Roaming
EAP-TLS 7.5
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
FlexConnect Group: Local Backup Authentication
Configuration

 Define users (max 100) and passwords

 Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS
1 2

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Designing Secure & BYOD Enabled
Branch Network
FlexConnect Peer-to-peer
Blocking
 Starting
Local Switching Peer-to-peer Blocking from 7.2

Central Site

Overview

 Support for Peer-to-Peer blocking in

FlexConnect AP
WAN
 Apply for clients on same FlexConnect AP
Remote Site

 P2P blocking modes : disable or drop

Application
Server
 For P2P blocking inter-AP use ACL

 Standalone mode support

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
 Local Switching Peer-to-peer Blocking
Configuration

Both modes of operation will drop the packet @ AP

Multiple Policy Touch Points
for Local Switching enabled WLAN

* Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream
node connected to WLC

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
FlexConnect AAA VLAN & QoS
Override
 Starting
from 7.2
FlexConnect AAA VLAN Override
Description RADIUS Central Site

• AAA VLAN Override with local or central VLAN 3

authentication QoS = Silver
VLAN 7
• Up to 16 VLANs per FlexConnect AP QoS = Platinum

• VLAN ID must be enabled per AP or WAN

FlexConnect Group Application
Server
Remote Site

FlexConnect Group
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
 For Your
FlexConnect AAA VLAN Override Reference

Configuration IETF 65
IETF 64
IETF 81

WAN

ISE

Create Sub-Interface on
FlexConnect AP

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
VLAN Based Central Switching Central
VLAN 3
Go to Default
VLAN ID

Overview Central
RADIUS

VLAN 7
• While doing AAA VLAN Override with VLAN 3 does not
local switching: VLAN 7 Exist on this
WLC
• If VLAN ID does not exist at the AP,
the traffic is central switched to the WAN
central VLAN ID
Remote Site
• If the central VLAN ID does not exist,
the traffic is centrally switched to the
default VLAN ID of the WLAN
VLAN 7
does not
VLAN 3 Exist on
does not this AP
Exist on
this AP
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
 Starting
from 7.5
FlexConnect AAA QoS Override
Description

 Dynamically assign QoS levels and/or bandwidth Vendor ID/Vendor Type Attribute

contracts for local switching, centrally [14179\002] Aire-QoS-Level

authenticated WLANs
[14179\004] Aire-802.1P-Tag
 Web-authenticated WLANs and 802.1X-
authenticated WLANs supported [14179\007] Aire-Data-Bandwidth-Average-
Contract
 Order of precedence for Rate Limiting parameters [14179\008] Aire-Real-Time-Bandwidth-
 AAA override Average-Contract

 QoS Profile of AAA override [14179\009] Aire-Data-Bandwidth-Burst-

Contract
 Local WLAN configuration
[14179\0010] Aire-Real-Time-Bandwidth-
 QoS Profile of local WLAN configuration Burst-Contract

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
AAA Override Deployment Scenario
Problem Statement – Map clients to specific vlans based on their function

Central Site

VLAN 20

WAN

Application
Server
Function VLAN ID

Engineering 11
Marketing 21
Function VLAN ID Sales 31
Engineering 10 Application
Server
Marketing 20

Sales 30 VLAN 20
Remote Site A Remote Site B does not
exist
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
 Starting
VLAN Name Mapping at FlexConnect Group from 8.1

Flex Group A Central Site Flex Group B

VLAN Name VLAN VLAN Name VLAN
VLAN Name VLAN
ID ID
ID
Engineering 10 Engineering 10
Engineering 11
VLAN Name
Marketing VLAN
20
Marketing 20 Marketing 21
ID
Sales 30 Sales 30
Sales 31
Engineering 11
. .
. Marketing 21
WAN .
HR 160 Sales 31 HR 161

Remote Site B
Remote Site A
VLAN ID
VLAN ID
11
10 21
20 31
30

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
 Starting
from 8.1
VLAN Name AAA Override - Solution
Central Site
Aire-Interface-Name or
IETF Tunnel-Private-Group-ID

VLAN NAME=
Marketing

WAN

Application
Server
Remote Site Remote Site VLAN Name VLAN ID

VLAN 20 Engineering 11
Marketing 21
VLAN Name VLAN ID Sales 31
Engineering 10

Marketing 20

Sales 30
Remote Site A VLAN 21 Remote Site B

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
FlexConnect ACL VLAN Mapping
& Per-Client ACL
 Starting

FlexConnect ACL – VLAN Mapping from 7.2

Overview Central Site

 FlexConnects ACL are applied per VLAN

 FlexConnect ACL are Ingress / Egress oriented
 Starting from 7.5 FlexConnect ACL support AAA-
returned Client ACL
WAN
ACL Scale
Remote Site

512 FlexConnect ACL per WLC Application

 16 ingress ACL per AP Server

 16 egress ACL per AP

 64 ACL rules per ACL
 No IPv6 ACL

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
FlexConnect Access Lists
Configuration – Create FlexConnect ACL
• FlexConnect ACL rule creation is similar to rule creation for Local Mode AP
1

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
FlexConnect ACL – VLAN Mapping
Configuration – FlexConnect ACL per AP
2
• FlexConnect ACL can be applied per AP
using VLAN Mappings configuration

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
FlexConnect ACL – VLAN Mapping
Configuration –FlexConnect ACL per FlexConnect Group
• FlexConnect ACL can be applied per FlexConnect Groups per VLAN in the ACL
Mapping tab.
1 2

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
FlexConnect Split Tunneling
(Using FlexConnect Split ACL)
 Starting

FlexConnect ACL – Split Tunneling from 7.3

Overview
 Split tunneling allow some traffic to be locally switched although the WLAN is defined as
centrally switched
 Split tunneling is using a NAT/PAT feature with ACL to perform the local switching
 Split tunneling is using the AP IP @ for the NAT/PAT feature

FlexConnect AP WLC Central Traffic

CAPWAP

NAT/PAT WAN
ACL

Central Server

Local Traffic
Local Printer
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
FlexConnect ACL – Split Tunneling
Configuration
• Create a centrally switched WLAN

Flex Local switching should

not be checked

• Define Flex ACL to match traffic to be locally switched

Central subnet Local subnet

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
FlexConnect ACL – Split Tunneling
Configuration – Per Access Point

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
FlexConnect ACL – Split Tunneling
Configuration – Per FlexConnect Group

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Deploying BYOD with
FlexConnect Local Switching
(Using FlexConnect
WebPolicies ACL)
Bring Your Own Device(s) : The New Normal

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
BYOD - Device On-boarding in FlexConnect
Example: Apple iOS Device Provisioning

WLC ISE CA-Server

1
Initial Connection
Using PEAP

2
Device Provisioning
Wizard Client
Reconnects

3 WLC ISE CA-Server

Future Connections
using EAP-TLS
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
FlexConnect Access Lists fo BYOD
Create FlexConnect ACL
• Create FlexConnect ACL to allow access to Cisco ISE
1

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect AP
• ACL Mapping can be configured per FlexConnect AP

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect Group
• Use ACL Mapping tab in FlexConnect Group configuration
• WebPolicies ACL are not the same as VLAN ACL or WebAuthentication ACL.

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Cisco Wireless Central DHCP Processing
Configuration
• To support DHCP Profiling Probe with FlexConnect, DHCP request must be
sent to WLC. This is done by the « Central DHCP Processing » configuration.

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Deploying BYOD with FlexConnect Wireless
Summary – 802.1x/EAP Authentication ISE

DHCP Server
FlexConnect AP
CAPWAP WLC

Web Server
WAN

WiFi Association
Unknown Device,
Redirect to registration
802.1x/EAP Request Radius Access-Request
Inside CAPWAP
Radius Access-Response
• Access-Type: Access-Accept
• URL-Redirect-ACL=FlexACLWebPolicy,
URL + ACL Redirect • URL-Redirect=http://……)
Inside CAPWAP

802.1x/EAP Response
Inside CAPWAP

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Deploying BYOD with FlexConnect Wireless
Summary – DHCP Request ISE

DHCP Server
FlexConnect AP
CAPWAP WLC

Web Server
WAN

DHCP Request
Inside CAPWAP
Device is
RADIUS-Accounting
an iPad
• host-name=MyiPad
• dhcp-class-identifier=APPLE
DHCP Lease
Inside CAPWAP

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Deploying BYOD with FlexConnect Wireless
Summary – URL-Redirect ISE

DHCP Server
FlexConnect AP
CAPWAP WLC

Web Server
WAN

HTTP HTTP Request

Request Redirected to WLC by AP
Inside CAPWAP

URL-Redirect

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Deploying BYOD with FlexConnect Wireless
Summary – Registration & Provisioning ISE

DHCP Server
FlexConnect AP
CAPWAP WLC

Web Server
WAN

Device Registration & Provisioning Device is Registrered

Trigger Change-of-Auth

EAP DeAuthentication RADIUS Change-of-Authorization

EAP Authentication

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Deploying BYOD with FlexConnect Wireless
Summary – Device Access ISE

DHCP Server
FlexConnect AP
CAPWAP WLC

Web Server
WAN

Radius Access-Request Device is Registrered

802.1x/EAP Request/Response
Radius Access-Response And Provisioned
Inside CAPWAP
Allow Access

DHCP Request/Response
Inside CAPWAP

Web Traffic

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Summary of FlexConnect ACLs

VLAN-ACL Applied on the 802.3 interface of the FlexConnect AP

AAA returned Client ACL Applied on the 802.11 interface of the AP

Split Tunnel ACL Allow some traffic to be locally switched

-
80

Web Policies ACL BYOD with FlexConnect

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Wireless TrustSec Support
 Starting
Wireless TrustSec Support from 8.4

5 Employee
6 Voice A B
7 Partner

Classification Propagation Enforcement

(Assigning SGTs)
Inline SGT & SXP
Static & Dynamic Security Group ACL
Assignments

SXPv4 on AP Inline Tagging on AP SGACL Enforcement

Local NO NO YES
Topology, location independent
Flex YES YES YES
Policy (SGT) stays with endpoint.
Simplifies ACL management traffic Mesh NO NO YES (Indoor only)

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Service-Ready Branch
FlexConnect VideoStream
Video Multicast Delivery Challenges
Technical Challenges 802.11
• Multicast packets (UDP) are sent as
Data Rates
broadcast packets over the air per 802.11 1
standard 2

• Broadcast packets do not use error 5.5

correction: “fire and forget” 6

• Broadcast packets are sent at data rate B/G 9

Video Impact
mandatory to all clients connected to the 11
WLAN 12
• Choppy, Unreliable Video
1 Mb for B/G (400K actual) 18
• Video Stream does not utilize 802.11n/ac
6 Mb for A (2.7 Mb actual) 24
High Throughput data rates
36
48
• Heavy utilization of channel due to high
rate of very slow packets
54
M0 • Video delivery is not reliable causing poor
Quality of Experience
M1
Video N ...
Server M14

Default 802.11B/G M15

mandatory data rates
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
 Starting
from 8.0
Video Multicast Delivery Solution
802.11
Technical Solution Data Rates Video Impact
1

• IGMP state monitored for each client. 2

• Smooth, Reliable Video delivered to
Only send video to clients requesting 5.5
multiple clients
• Sent as unicast to individual clients at
6 • Quality of Video protected in varying
their data rate 9 channel load conditions
B/G 11
• Multicast packets replicated at AP • Prioritizes Business Video (QoS
12
Gold) over other video ( Best-effort )
18
24
36
48
54
M0
M1
Video N ...
Server M14
M15
Default 802.11B/G
mandatory data rates
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
FlexConnect VideoStream Configuration
Enable VideoStream - Global

(Cisco Controller) >config media-stream multicast-direct ?

enable Enable Global Multicast to Unicast Conversion
disable Disable Global Multicast to Unicast Conversion

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
FlexConnect VideoStream Configuration
Add Stream Configuration

(Cisco Controller) >configure media-stream add multicast-direct <media-stream-

name> <start-IP> <end-IP> [template | detail <bandwidth> <packet-size> <Re-
evaluation> video <priority> <drop|fallback>]’

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
FlexConnect VideoStream Configuration
Enable VideoStream - WLAN

(Cisco Controller) >config wlan media-stream multicast-direct 1 ?

enable Enables Multicast-direct on the WLAN
disable Disables Multicast-direct on the WLAN.

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
FlexConnect VideoStream Monitoring
Controller

(Cisco Controller) >show flexconnect media-stream client summary

Client Mac Stream Name Multicast IP AP-Name VLAN Type
----------------- -------------------- --------------- ------------------------- ----- ----------------
7c:d1:c3:86:7e:dc Media2 229.77.77.28 AP_1600 0 Multicast Direct
88:cb:87:bd:0c:ab Media2 229.77.77.28 AP_1600 0 Multicast Direct
d8:96:95:02:7e:b4 Media2 229.77.77.28 AP_1600 0 Multicast Direct

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
FlexConnect Bridge Mode
Support
 Starting
from 8.0
FlexConnect on Mesh APs
Centralized
Traffic

FlexConnect on Mesh APs

• New AP mode that allows Central Site

Flexconnect behavior across
mesh-enabled AP
• Flexconnect Groups WAN
• Max 8 Mesh hops, Max 32 MAPs
per RAP
• Local AAA support
• A WLC have a mix of Bridge and
Flex + Bridge
• MAPs inherent VLANs from its Local Remote
connected RAP Traffic Office

Local Data WLAN

Central Data WLAN
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexConnect-Bridge Failover Scenario Secondary Primary

Failover Considerations

• AP SSO is supported for the RAP only. N+1

Recommended WAN
• Multi-sector RAP deployments can be used for
redundancy
Remote
Office
• RAP to standalone mode when WLC is not reachable Application
Server

• MAPs to standalone mode when WLC

is not reachable but gateway is

• When in standalone mode no new

mesh AP can join the mesh tree

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
 For Your
AP Modes Feature Comparison Reference

Feature\AP Mode Local Mode Bridge Mode Flexconnect Mode Flex+Bridge Mode

Central Switching Yes Yes Yes Yes

Root Ethernet VLAN No Yes (secondary Ethernet Yes Yes

bridging hosts)
Secondary Ethernet No Yes No Yes
Access Ports
Secondary Ethernet No Yes No Yes
VLAN Trunk Ports
Local VLAN Inheritance No Yes - Secondary No Yes – both bridged
by MAPs from RAPs Ethernet “access” ports 802.11 WLANs and
only Ethernet “access”
Wireless Child Mesh APs No Yes No ports
Yes
Fault Tolerant Resilient No No Yes
Yes
Mode
Security ACLs per VLAN No No Yes
Yes (on RAPs)
on Ethernet Root Ports
Integrated IP Routing No No Yes Yes (on RAPs)
(PPP/PPPoE/NAT)
VLAN Transparent No No No No
Bridging
Path Control Protocol No Yes No Yes

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
FlexConnect Bridge Mode Configuration
Wireless  Access Points  AP_NAME  General

Wireless  Access Points  AP_NAME  FlexConnect

AP will reboot
upon change

Same options
as an AP in Flex
Mode

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
FlexConnect Application Visibility
and Control
How AVC solution works on wireless?
AireOS 8.1 App Visibility & AireOS 8.1
User Experience Report
App BW Transaction …
Time
WebEx 3 Mb 150 ms …
Citrix 10 Mb 500 ms …
Static
Netflow
AP

NBAR on AP

Deep Packet Perf. Collection & Visibility and User

Control
Inspection Exporting Experience

AP collects application info Use QoS to control

DPI engine (NBAR2) and export it to Advanced reporting tool
application bandwidth
identifies applications controller/switch every 90 aggregates and reports
usage to improve
using L7 signatures seconds application performance
application performance

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
 AVC on FlexConnect APs
Katana
Gen2 AP, NBAR Engine 23, PP 14

BRANCH Netflow Export from AP to WLC

Real-time information
Stateful context for last 90 seconds
transfer on roam

WAN

Gen2 AP

Flow ID App Name Packets Deployment Type WAN Bandwidth ( Min) WAN RTT Max Aps per Max Clients per
1 WebEx 1000 Latency(Max) Branch Branch
2 Msft-Lync 2300 Data + Flex AVC 75 Kbps 300 msec 5 25
3 Skype 660

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
 AVC for FlexConnect APs

AP Functionality

• NBAR2 engine on FlexConnect AP

• Protocol Pack 14.0 WLC Functionality
• NBAR engine version 16
• Send flows to WLC every 90 sec using Netflow
• Classification and Control at AP
• Mark ( DSCP ) • Export to external Netflow supported
• Drop • Intra FlexConnect Group Roaming Support
• Rate-limit • Supported on all controller models except 2504
• Supported APs : 1600, 1800, 2600, 3600, 1700, 2700, • Supported APs : 1600, 1800, 2600, 3600, 1700, 2700,
2800, 3700, 3800, 1532, 1570 2800, 3700, 3800, 1532, 1570
• FlexConnect and Flex+bridge mode supported

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
AVC Configuration on Local Switching WLAN

WLAN AVC
Configuration

Local Switching WLAN

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
 AVC Configuration per FlexConnect Group
• FlexConnect Group specific AVC configuration takes precedence over WLAN AVC config
• No AP Specific AVC configuration.
• WLAN AVC configuration will be pushed to Flex APs where WLAN is broadcast

Application Visibility FlexConnect Group AVC

WLAN-Specific configuration
Enable/Disable

Enable/disable, Profile,
Monitor per WLAN

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
 FlexConnect AVC Profiles
Can be associated under WLAN and/or FlexConnect Group

FlexConnect AVC
profiles

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
FlexConnect AVC Applications

Protocol Pack version 8.0

Engine version 16

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
Monitoring AVC Statistics per FlexConnect Group

Per Client AVC Statistics Per FlexConnect Group

AVC Statistics

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
Operating the Wireless Branch
Branch Office Provisioning
 Network Plug-N-Play – Simple, Secure, Scalable
Today’s Process Business
Network Challenges
Direct Costs
Central Staging Facility
Ships • Shipping after Configuring device
Pre Provision
1• Travel
equipment costs for IT installer
Projects/Sites
• Install OS
• Install Config
• Prime device Network Admin
Network Complexity
Reseller/Partner Admin
• Config errors
• Different products / processes
2 Install & Power-on 3 Monitor device
devices installation
Security
• 3rd party not secure
Installer
Installer
Network Admin
Time/Productivity
Site-1 Site-2 Site-3
• Manual process
Site(s)
• Shipping , Storage, Travel

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
Network Plug & Play Discovery options
DHCP Option 43
01
PnP String: 5A1D;B2;K4;I172.19.45.222;J80
DHCP
Server

DNS Lookup
02
pnpserver.localdomain ---- e.g.172.19.45.222 (PnP Server)
DNS
Server

CAPWAP
03
CAPWAP based WLC discovery for AP
CAPWAP

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
 Branch Provisioning with PnP Server
PID Serial # Hostname WLC IP address AP Mode Flex Group
name

AIR-CAP3702I- RFD0PP2 AP-Store1-1 192.168.15.1 FlexConnect FlexGrp1

A-K9 T025

PnP Server

Day 0
• Places AP in appropriate
flexgroup/default
• Apply relevant flex configs to
AP

Network Admin
Network Admin pre
Day 1
provisions branch APs in Remote Installer on branch
PnP server. • Mount and cable devices
WLC IP (Prim/Sec/Ter) • Power-on
AP Name
AP Mode (Flex) * Resources required for PnP:
AP Group Name Installer 64 Gb RAM, 500 Gb Storage
Flex Group Name Scale: 10,000 devices
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
Branch Office Upgrade over WAN
Upgrading a FlexConnect Deployment
Concerns
 Sites using FlexConnect AP are usually sites with low WAN bandwidth
 Each site may have small number of AP, but an enterprise may have a lot of
branches
 Upgrading ~6000 AP through a low bandwidth WAN is a challenge :
 Time needed to download all the AP firmware
 Exhaust of the WAN link
 Risk of failures during the download

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
 Starting
from 7.2
FlexConnect Smart AP Image Upgrade
Firmware Image

Overview Old New

Cisco Prime New Old
New Primary Secondary
 Smart AP Image Upgrade use a « master »
AP in each FlexConnect Group to download Wireless LAN
the code. Central Site Controller

 Other FlexConnect AP download the code

from the master locally
1. Download WLC upgraded firmware (will
become primary) WAN
2. Force the « boot image » Remote Site-1 Remote Site-N

to be the secondary (and not the newly

upgraded one) to avoid parallel download of
all AP in case of unexpected WLC reboot
3. WLC elects a master AP in each
FlexConnect Group (can be also set
manually) Master AP
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 112
FlexConnect Smart AP Image Upgrade
Firmware Image

Description (Contd.) New

Cisco Prime Old
New Old
Primary Secondary

4. Master AP « Pre-download » the AP

firmware in the secondary « boot image » Central Site
Wireless LAN
Controller
(will not disrupt the actual service)—Can
be started group per group to limit WAN
exhaust
5. Slave AP « Pre-download » the AP
firmware from the Master AP WAN
AP Firmware Image
Remote Site-1 AP Firmware Image Remote Site-N
6. Change the « boot
image » of the WLC Old New
Old New
to the new image Primary Secondary
Primary Secondary

7. Reboot the controller

Master AP
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
 FlexConnect Smart AP Image Upgrade
Configuration

Enable Efficient AP Image

Upgrade
Valid Range is 1-63
Random Backoff Interval
(100-300sec) between
each retry

Master AP Selection is
Optional
• “FlexConnect AP Upgrade” checkbox has to be enabled for each FlexConnect Group.
• By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm.
• One Master select per AP type.

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
FlexConnect
() Smart AP Image Upgrade
Configuration contd.

Per Branch or FlexConnect Group

Upgrade

Upgrade across all Branches or

FlexConnect Groups whose
“FlexConnect AP Upgrade” checkbox
is set

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 115
Bringing All Together – FlexConnect
Best Practices
FlexConnect Best Practices

 Enable FlexConnect Groups

 CCKM/OKC Key sharing for Voice deployments

CONNECT

Enable Smart AP Image Upgrade

FLEX

 Design for Resiliency

 VLAN Support and configure Native VLAN at Group
 VLAN-WLAN Mappings at FlexConnect Group Level
 VLAN Name override
 Consistent configuration across Primary and Backup WLCs

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 117
 Summary
• Cisco Unified Wireless Network based on Controllers deliver Wireless Branch Solution
• FlexConnect is the feature designed to solve remote connectivity and WAN constraints
• Several Failover Scenario are targeted to offer Survivability of Small Remote Sites

References:
• Wireless LAN Controller Scale Comparison Guide - http://www.cisco.com/c/en/us/products/wireless/wireless-lan-
controller/product-comparison.html

• FlexConnect Branch Controller Deployment Guide - http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-

series-wireless-controllers/112973-flex7500-wbc-guide-00.html

• FlexConnect feature matrix - http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-

controllers/112042-technote-wlc-00.html

• Wireless Best Practices - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-

config-best-practice.html

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 118
Wireless Branch Deployment
Cisco Mobility Express
What Cisco Mobility Express does?
Runs Wireless LAN Controller
01 function on an access point

Increases scalability without

replacing access points. You just
add a controller
05 Presents an over-the-air
wizard or Network Plug and
Cisco Mobility
Express
02 Play to configure up to 100
access points per controller

Activates best-practice
settings by default and
supports presence-based
analytics
04 Easily manages and
03 troubleshoots your network
using advanced software-
based functions

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 120
Where can you use it?

K-12 Education Hospitality Retail

Use innovative learning Connect to customers Accept mobile

tools and bring a large- through loyalty payments and offer your
school experience to applications and offer services to customers
smaller sites revenue-generating everywhere
services

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 121
Which APs can run Cisco Mobility Express?
50 1000 50 1000 100 2000
AIR-AP1815I-x-K9 AIR-AP1852-x-K9 AIR-AP3800-x-K9

AIR-AP1815w-x-K9 AIR-AP1832-x-K9 AIR-AP2800-x-K9 AIR-AP1562-x-K9

50 1000 50 1000 100 2000 50 1000

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 122
Small/Medium Site with Cisco Mobility Express
Overview Network Plug and Play Prime Infrastructure ISE
Central Site

 Mobility Express is based on

FlexConnect Architecture
 Supports Central Authentication,
Local Switching
 APIC-EM, ISE, and Cisco Prime at
Central Site

WAN
Advantages
 Cookie cutter configuration for Site A Site B Site C
every site
 Independent or centralized
manageability of each site

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Deploying Cisco Mobility Express
Depending on the deployment, Mobility Express capable Access Points can be connected to an access
port or a trunk port on the switch. Management traffic is always untagged.

VLAN 10
VLAN 20
v20 v30 v40 VLAN 30
VLAN 10 VLAN 40

If Access Points and If Access Points and

v10 v10 v10 v10
v10
WLANs are all on the WLANs are all on different
same network, VLANs, Mobility Express
Mobility Express capable Access Points will
capable Access connect to a trunk port on
Points can connect to the switch and traffic for
an access port on the individual WLANs will be
switch port. switched locally on to local
VLANs.
Contractor Guest
Contractor Guest
Employee
Employee
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 124
Deployment methods for Cisco Mobility Express

01 OTAP Over-the-Air-Provisioning

02 Command Line Interface Setup Wizard using CLI

03 Network Plug and Play Using APIC/Network

Plug and Play

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 125
Over the Air Provisioning
Cisco Wireless App

Provision Monitor
Laptop

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
 Setup Wizard
CREATE WIRELESS
CREATE ADMIN ACCOUNT SET UP YOUR CONTROLLER CONFIRM SETTINGS
NETWORK

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 127
Deploying using APIC-EM/Network Plug and Play

APIC-EM controller can be reached by Mobility Express

Private Access Point in customer premises. Access Point can then

01 Cloud download the controller configuration file from Network

Plug and Play service.

Cloud based redirecting service which redirects Mobility

Cisco Express Access Point to an APIC-EM controller residing in
Cloud customer premises. These APs can download the
02 Redirect
controller configuration file from Network Plug and Play
app service.

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
 Network Plug and Play – Private Cloud
ip dhcp pool pnp_device_pool
network 192.168.1.0 255.255.255.0 Master AP
default-router 192.168.1.1 running PnP
option 43 ascii Agent
"5A1N;B2;K4;I192.168.1.123;J80"

LAN/WAN
LAN
PnP Server uses
PnP Server
self signed SSL
certificate

DHCP Request

DHCP response with

APIC-EM IP address
in DHCP option 43
HTTP PnP work request with device serial number (UDI)
PnP Agent initiates HTTP communication
with the PnP and sends the device UDI

PnP Agent installs local trustpoint PnP Server receives UDI

for the server SSL certificate and sends server SSL
certificate over HTTP
HTTPS PnP work request with device serial number (UDI)
PnP Agent initiates HTTPS communication
with the server and sends the device UDI
Master AP reboots and will PnP Server receives UDI
run the controller and sends ME controller
configuration after it comes configuration over HTTPS
back up

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 129
 Network Plug and Play – Public Cloud
ip dhcp pool pnp_device_pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1 Master AP
dns-server 171.70.168.183 8.8.8.8 running PnP Cisco Cloud
domain-name cisco.com Agent Redirect Server

DMZ
Internet PnP Server uses
PnP Server self signed SSL
certificate

DHCP server
responds with device
IP, domain name and
DNS server Device establishes
communication with
Cloud Redirect Server
PnP Agent initiates HTTP communication with
the APIC-EM server and sends the device UDI
PnP Agent installs local trustpoint
for the server SSL certificate
PnP Agent initiates HTTPS communication
with the server and sends the device UDI
Master AP reboots and will
run the controller
configuration after it comes
back up
DHCP Request
Device creates pre-defined cloud redirect server
name (devicehelper.cisco.com) and resolves for IP
address
HTTP request with device serial number (UDI)
Cloud redirect server
receives UDI and sends
APIC-EM IP address
HTTP PnP work request with device serial number (UDI)
PnP Server receives UDI and
sends server SSL certificate over
HTTPS PnP work request with device serial number (UDI) HTTP
PnP Server receives UDI and
sends ME controller configuration
over HTTPS
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 130
Cisco Mobility Express
Features
 Evolution of Cisco Mobility Express JUL 2017
MAR 2017 8.5
8.4
FEB, 2016
8.3 MR1
AUG, 2016
8.3

DEC, 2015  Scale -100 APs/2000 clients

8.2  Day 0 using PnP
 Site Survey
 Application Control
 Support on 1562 AP
 Support for Apple Features  Conversion Support in UI
 Guest WLAN Enhancements  Support for Fastlane in UI
 MAC Filtering  TACACS+ and RADIUS Support
 Support on 2800 and 3800 APs  Lobby Ambassador  ACL Enhancements
SEP, 2015  Internal DHCP server support  Expert View providing more UI  Configuring External Antennas
 Software Update – cisco.com knobs  CALEA
8.1 MR2  Support for Standalone Mode  Passpoint
 Guest Access enhancements  Centralized NAT
 CMX Cloud Support
 SNMPv3 Support
 Setup Wizard via CLI  Serviceability improvements
 Software Update – HTTP
 NTP Pool support

Mobility
Express
Introduced

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 132
WLAN Support
 Supports maximum of 16 WLANs.

 WLAN Options:
• Open
• WPA2 Personal
• WPA2 Enterprise (External RADIUS, AP)
NOTE : AP indicates Master AP and the authentication is done by the Controller.

 For Guest WLANs, a number of capabilities are supported:

• CMX Guest Connect
• Internal Splash Page
• External Splash Page

 For Internal and External Splash Page, a number of Access Types are supported. They are as follows:
• Local User Account
• Web Consent
• Email Address
• RADIUS
• WPA2 Personal
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 133
Application Visibility and Control
 Cisco Mobility Express can identify signatures of 1000+ applications. It runs
NBAR Engine 2 and Protocol Pack 14
 As part of control action, applications can be:
• Drop
• Rate Limit
• Mark
For Mark, one can select DSCP as Platinum, Gold, Silver, Bronze or Custom. If custom
is selected, one has to specific he DSCP value. For Rate Limit, one can specify the
Average Rate and Burst Rate for the application.
 Simplified workflow to create AVC profile and apply it to WLAN

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 134
CMX with Cisco Mobility Express
 Cisco Mobility Express works
with both CMX On-Premise
deployment as well as CMX in
the Cloud
 For CMX Cloud, one can open
an account a 60 Day trial
account at
https://cmxcisco.com/.
 Use Presence for Analytics
and Connect for onboarding
Guests.

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 135
Site Survey
 Cisco Mobility Express supports internal
DHCP server and operates without a
pingable gateway. This enables Site
Surveyor to take the Access Point powered
by a Battery Pack and a client device to
perform an active survey.

 For Site Survey, one must configure the

controller. This can be done via CLI or UI.

 NOTE: Recommendation is to use Release

8.4 or later on the Mobility Express AP for
Site Survey.

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 136
Configuring CMX connector on Mobility Express
 Steps
1. Navigate to Advanced > CMX
2. Enable the CMX Status
3. Enter the CMX Server URL
4. Enter the CMX Server Token
5. Click on the Apply button

NOTE: Click the Test Link button to

ensure Mobility Express can reach
your CMX Cloud Account

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 137
Cisco Mobility Express
Software Update
Software Update Methods

Requires external TFTP server to

01 TFTP
be configured with AP images

Local AP image file upload.

02 HTTP Works if all Access Points are
the same type
Update directly from
03 Cisco.com cisco.com. Requires SmartNet
contract on Master AP and
valid cisco.com account

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 139
Cisco Mobility Express
Resiliency (Master Election)
Master Election Overview
 Master Election is a mechanism to elect a new Cisco Mobility Express CAPABLE
Access Point to run the controller function incase of a failure
 CAPABLE means AP Image type is MOBILITY EXPRESS IMAGE and AP
Configuration is MOBILITY EXPRESS CAPABLE
 To have redundancy, you must have two or more Mobility Express capable Access
Points in your network
 VRRP is used to detect the failure of Master AP which initiates the election of a new
Master. Failover typically takes 60-90s.
 Master Election is based on priorities
1. User Defined Master
2. Next Preferred Master
3. Most Capable Access Point
4. Least Client Load
5. Lowest MAC Address

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 141
Electing a new Master Access Point
Master election process is based on a set of priorities. When an active Master Access Point fails, the
election process gets initiated and it elects the Access Point with the highest priority as the Master AP.

1. User Defined Master - User can select an Access Point to be the Master Access Point. If such a
selection is made, no new Master will be elected in case of a failure of the active Master. After five
minutes, if the current Master is still not active, it will be assumed dead and Master Election will begin
to elect a new Master.
2. Next Preferred Master – Admin can configure the Next Preferred Master from CLI. When this is
configured and the active Master AP fails, the one configured as the Next Preferred Master will be
elected as a Master.
3. Most Capable Access Point - If the first two priorities are not configured, Master AP election algorithm
will select the new Master based on the capability of the Access Point. For example, 3800 is the most
capable followed by 2800, 1850, 1830 and finally the 1815 Series. All 1815 Series Access Points have
the same capability.
4. Least Client Load – If here are multiple Access Points with the same capability i.e. multiple 3800
Access points, the one with least client load is elected as the Master Access Point.
5. Lowest MAC Address – If all of the Access Points are the same and have the same client load, then
Access Point with the lowest MAC will be elected as a Master.
BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 142
 Summary
• Cisco Mobility Express is virtual Wireless LAN Controller embedded on 11ac Wave 2 Access Points. No
need for a separate controller h/w
• Ideal for small to medium sites – supports up to 100 Access Points, 2000 Clients
• Simplicity is the motto – Quick and Easy to setup, Simple Controller WebUI even for advanced features,
Best Practices are enabled out of the box, Redundancy with Master Election, Manageability via PI.
References:
• Cisco Mobility Express- http://www.cisco.com/c/en/us/solutions/enterprise-networks/mobility-express/index.html

• Cisco Mobility Express Deployment Guide - http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-

4/b_cisco_mobility_express_8_4.html

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 143
 Cisco Wireless LAN Documentation
INSTALLATION GUIDES RADIO CONFIGURATION CLIENT ADDRESSING POLICY ENGINE
• 5520 WLC • 802.11r BSS Fast Transition • Bi-Directional Rate Limiting • AVC
• 8540 WLC • Adaptive wIPS • Flex AP-EoGRE Tunnel Gtwy • Bonjour
• AP1570 • ATF Ph 1 & 2 • IPv6 • Chromecast
• AP1810 OE • CleanAir • Jabber • Device Classification
• AP1810W Wall Plate • CMX FastLocate • Jabber and UCM • Domain Filtering
• AP1850 • High Density • Microsoft Lync • mDNS Gateway w/Chromecast
• AP2700/3700 • Rogue Management • Passpoint Configuration • Wireless Device Profiling & Policy Classification
• AP2800/3800 • RRM RF Grouping Algorithm • Real-Time Traffic Over WLAN BEST PRACTICES
• AP702W • RRM White Paper • VideoStream • Apple Devices
• APIC-EM Wireless AP PnP • Vocera IP Phone in WLAN • Enterprise Mobility Design Guide
ENCRYPTION
• Flex7500 WLC • VoWLAN Troubleshooting • High Availability (SSO)
• BYOD for FlexConnect
• Mesh APs • HyperLocation
• BYOD with ISE
• Mobility Express • iPhone 6 Roaming
• Security Integration
• Smart Licensing • N+1 High Availability
• Univ. AP Regulatory Domain • WLAN Express
• Virtual WLC • WLC Configuration Best Practices

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 144
Click - https://www.youtube.com/user/CiscoWLAN/

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
 VoD Links
Faster Innovation
• Fastlane App Demo https://www.youtube.com/watch?v=N1QMUcv3aRQ
• Cisco CMX Solution https://www.youtube.com/watch?v=KQRb8vfU0qM

• Cisco APIC-EM Wireless PnP Demo https://www.youtube.com/watch?v=_9P2-

• CMX Hyperlocation vs RSSI Demo bU66PU
https://www.youtube.com/watch?v=6ls7EHbSK4A
• Cisco Aironet Plug and Play Cloud Redirection
Reduce • Cisco Dual 5GHz Wi-Fi https://www.youtube.com/watch?v=mbpjiETvDXc https://www.youtube.com/watch?v=W7fBZ6xfSxw

Cost & • Cisco Aironet AP-3800 RF Excellence • Wireless LAN Controller Dashboard Review
https://www.youtube.com/watch?v=dBpGsTKeyNM&t=64s https://www.youtube.com/watch?v=af09TBaafRI&feature=youtu.be
Complexity
• Digital Network Architecture with Wave2 with 802.11ac • Cisco Wireless Mobile App https://www.youtube.com/watch?v=HyvZ4mbVAWs
https://www.youtube.com/watch?v=ySjN13hPhXY&t=2s
• WLC Advanced UI Client Troubleshooting
• Cisco Aironet Series – Flexible Radio Assignment https://www.youtube.com/watch?v=dZVxI6jOx_Q
https://www.youtube.com/watch?v=K_-BykT_YIM
• ISE Simplified Wireless Setup
https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• TechWiseTV: Apple and Cisco: Fast-Tracking the Mobile Enterprise
https://www.youtube.com/watch?v=bh8rEvrzm7Y&feature=youtu.be
Lower • Cisco Wireless TrustSec Demo
https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Prioritised Business Apps
https://www.youtube.com/watch?v=z0EOKNxL964&feature=youtu.be
Risk
• Cisco Wireless Netflow Lancope Integration Demo
https://www.youtube.com/watch?v=TuWYkrt94CQ
• Apple and Cisco: Three Solutions Coming Together
https://www.youtube.com/watch?v=7MgsDkf55wQ&feature=youtu.be
• OpenDNS Integration with WLC
https://www.youtube.com/watch?v=cMdX8sBBYG4
• WiFi Optimised Feature
https://www.youtube.com/watch?v=xgPfxAolJoQ&feature=youtu.be

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 146
 Complete Your Online
Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 gift card.
• Complete your session surveys
through the Cisco Live mobile
app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be

available for viewing on demand after the
event at www.CiscoLive.com/Online.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

BRKEWN-2016 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 148
Thank you