1.
Cisco Confidential. For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further Distribution
[Slide compares three deployment models: Autonomous Mode, Cisco Unified Wireless, Cisco Unified Access. Diagram labels: Controller, Access Point]
- Standalone
- Hotspot deployments with nomadic roaming
- Functionality split with CAPWAP
- Increased scalability, Centralized policy application
- Centralized tunneling of user traffic to controller (data plane and control plane)
- System-wide coordination for channel and power assignment, rogue detection, security attacks, interference, roaming
- Scale and Services
- Control plane functionality on NG Controller (also possible on upgraded 5508s, WiSM2s for brownfield deployments, or NG Unified Access switches for small, branch deployments)
- Frees up the AP to focus on real-time communication, policy application and optimize RF & MAC functionality such as CleanAir, ClientLink
- Data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred)
- Unified wired-wireless experience (security, policy, services)
- Common policy enforcement, Common services for wired and wireless traffic (NetFlow, advanced QoS, and more)
- Performance and Unified Experience
2012 Cisco and/or its affiliates. All rights reserved.
2.
Agenda
- Unified Access Deployment Solution Overview
- Existing Wireless Deployment Architecture Refresher
- The Unified Access Deployment in Detail
  - Components of the Deployment Hardware and Software
  - Components of the Deployment Terminology and Building Blocks
  - Unified Access Deployment Traffic Flows and Roaming
  - Unified Access Deployment High Availability
  - Unified Access Deployment IP Addressing
  - Unified Access Design Options, Greenfield
  - Small Branch, Larger Branch, and Campus
  - Migration Options Evolving to a Unified Access Solution
- Summary
3.
Existing Unified Wireless Deployment today
- Well-known, proven architecture
- [Diagram: Internet, ISE, NCS, Intranet, Mobility Group, WLC #1, WLC #2, Foreign WLC, Guest Anchor, APs, SSID1, SSID2, SSID3; SSID VLAN Mapping (at controller); EoIP Mobility Tunnel (< 7.2), CAPWAP Option in 7.3]
- Legend:
  - Inter-Controller (Guest Anchor) EoIP / CAPWAP Tunnel
  - Inter-Controller EoIP / CAPWAP Tunnel
  - AP-Controller CAPWAP Tunnel
  - 802.11 Control Session + Data Plane
  - CAPWAP Tunnels: Encrypted (see Notes)
- Notes:
  - AP / WLC CAPWAP Tunnels are an IETF Standard
  - UDP ports used:
    - 5246: Encrypted Control Traffic
    - 5247: Data Traffic (non-Encrypted or DTLS Encrypted (configurable))
  - Inter-WLC Mobility Tunnels:
    - EoIP: IP Protocol 97
    - AireOS 7.3 introduces CAPWAP option
    - Used for inter-WLC L3 Roaming and Guest Anchor
4.
Existing Unified Wireless Deployment today
- Additional details on controller functionality
- MA: Mobility Agent. Maintains Client Database
- MC: Mobility Coordinator. Handles Roaming, RRM, WIPS, etc.
- These will become important later as we delve into the Unified Access deployment
- [Diagram: Data Center / Service block, Internet, ISE, NCS, Intranet, Mobility Group, WLC #1, WLC #2, Foreign WLC, Guest Anchor, APs, SSID1, SSID2, SSID3, with MA and MC labels; EoIP Mobility Tunnel (< 7.2), CAPWAP Option in 7.3]
- Legend:
  - Inter-Controller (Guest Anchor) EoIP / CAPWAP Tunnel
  - Inter-Controller EoIP / CAPWAP Tunnel
  - AP-Controller CAPWAP Tunnel
  - 802.11 Control Session + Data Plane
  - CAPWAP Tunnels
5.
CT5508 rel 7.2: Max theoretical scalability numbers, Without Considering FlexConnect
- One WLC: Up to 500 APs, Up to 7K Clients, Up to 8 GB I/O for AP Traffic
- Mobility Group: Up to 24 WLCs in a MG, Up to 12K APs, Up to 168K Clients, Up to 192 GB I/O for AP Traffic
- Mobility Domain: Up to 72 WLCs in a MD, Up to 36K APs, Up to 504K Clients, Up to 576 GB I/O for AP Traffic
6.
WiSM-2 rel 7.2: Max theoretical scalability numbers, Without Considering FlexConnect
- One WLC: Up to 1K APs, Up to 15K Clients, Up to 20 GB I/O for AP Traffic
- Mobility Group: Up to 24 WLCs in a MG, Up to 24K APs, Up to 360K Clients, Up to 480 GB I/O for AP Traffic
- Mobility Domain: Up to 72 WLCs in a MD, Up to 72K APs, Up to 1.08M Clients, Up to 1.44 TB I/O for AP Traffic
7.
Existing Unified Wireless Deployment today
- Point of Presence (PoP) vs. Point of Attachment (PoA)
- PoP is where the wireless user is seen to be within the wired portion of the network
  - Anchors client IP address
  - Used for security policy application
- PoA is where the wireless user has roamed to while mobile
  - Moves with user AP connectivity
  - Used for user mobility
- Now, let's see how mobility works when a user roams in this deployment model
- [Diagram: Data Center-DMZ, Data Center, Campus Services, Campus Access; Internet, ISE, NCS, Guest Anchors, Campus, WiSM2s / 5508s, MA, MC, PoP, PoA; Layer 2 Mobility Group]
8.
Existing Unified Wireless Deployment today
- Note: in this deployment model, it is assumed that all of the controllers within the DC share a common set of user VLANs at Layer 2
- Initially, the user's PoP and PoA are co-located on the same controller
- Initially, the user's traffic flow is as shown
- [Diagram: Data Center-DMZ, Data Center, Campus Services, Campus Access; Internet, ISE, NCS, Guest Anchors, Campus, WiSM2s / 5508s, MA, MC, PoP, PoA; Layer 2 Mobility Group]
9.
Existing Unified Wireless Deployment today
- Now, the user roams to an AP handled by a different controller, within the same Mobility Group
- The user's PoP and PoA both move to the new controller handling that user after the roam (possible since the controllers in this deployment model are all L2-adjacent within the VLANs)
- After the roam, the user's traffic flow is as shown
- Move of the user's entire Mobility Context
- [Diagram: Data Center-DMZ, Data Center, Campus Services, Campus Access; Internet, ISE, NCS, Guest Anchors, Campus, WiSM2s / 5508s, MA, MC, PoP, PoA; Layer 2 Mobility Group]
10.
Existing Unified Wireless Deployment today
- Note: in this deployment model, it is assumed that all of the controllers across the Campus do not share a common set of user VLANs at Layer 2 (i.e. the controllers are all L3-separated)
- Initially, the user's PoP and PoA are co-located on the same controller
- Initially, the user's traffic flow is as shown
- [Diagram: Data Center-DMZ, Data Center, Campus Services, Campus Access; Internet, ISE, NCS, Guest Anchors, Campus, 5508 / WiSM-2, MA, MC, PoP, PoA; Layer 3 Mobility Group]
11.
Existing Unified Wireless Deployment today
- Now, the user roams to an AP handled by a different controller, within the same Mobility Group
- The user's PoA moves to the new controller handling that user after the roam, but the user's PoP stays fixed on the original controller that the user associated to
- This is done to ensure that the user retains the same IP address across an L3 boundary roam, and also to ensure continuity of policy application during roaming
- After the roam, the user's traffic flow is as shown
- Symmetric Mobility Tunneling
- [Diagram: Data Center-DMZ, Data Center, Campus Services, Campus Access; Internet, ISE, NCS, Guest Anchors, Campus, 5508 / WiSM-2, MA, MC, PoP, PoA; Layer 3 Mobility Group]
12.
Existing Unified Wireless Deployment today
- Now, let's examine roaming with Mobility Anchor use
- When using Mobility Anchors, the user's PoP is always located at the Mobility Anchor controller ... while the user's PoA moves as the user roams
- Again, this is done to ensure that the user retains the same IP address across an L3 boundary roam, and also to ensure continuity of policy application during roaming
- Before the roam, the user's traffic flow is as shown (tunneling of user traffic back to the Mobility Anchor, guest traffic assumed)
- [Diagram: Data Center-DMZ, Data Center, Campus Services, Campus Access; Internet, ISE, NCS, Guest Anchors, Campus, 5508 / WiSM-2, MA, MC, PoP, PoA; Layer 3 Mobility Group]
13.
Existing Unified Wireless Deployment today
- Now, let's examine roaming with Mobility Anchor use
- After the roam, the user's PoA moves to the new controller that handles the AP the user has roamed onto; however, the user's PoP remains fixed at the Mobility Anchor controller
- After the roam, the user's traffic flow is as shown (tunneling of user traffic back to the Mobility Anchor, guest traffic assumed)
- [Diagram: Data Center-DMZ, Data Center, Campus Services, Campus Access; Internet, ISE, NCS, Guest Anchors, Campus, 5508 / WiSM-2, MA, MC, PoP, PoA; Layer 3 Mobility Group]
14.
Existing Unified Wireless Deployment today
- Traffic Flows, Unified Wireless
- Separate policies and services for wired and wireless users
- Wired policies implemented on switch
- Wireless policies implemented on controller
- The same traffic paths are incurred for voice, video, data, etc.: all centralized
- In this example, a VoIP user is on today's CUWN network, and is making a call from a wireless handset to a wired handset
- We can see that all of the user's traffic needs to be hairpinned back through the centralized controller, in both directions
- In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers; Layer 3 roaming might add more hops)
- [Diagram: WiSM2s / 5508s, MC, MA, PSTN, CUCM, PoP, PoA]
15.
Agenda
16.
Best-in-Class Performance, Security and Resiliency
- Cisco Prime Infrastructure (NCS 2.0)
  - Full UA Management
  - Consistent Network Services and Multi-Domain Network Mgmt
  - Troubleshoot End User Issues in Real-time
- Identity Services Engine (ISE)
  - BYOD Policy Mgmt
  - Mobile device profiling and posture
  - Guest Access Portal
  - Scales up for large Enterprise needs
  - Who? What? When? Where? How?
- [Platform labels: Cisco Prime, ISE, UA Catalyst 3850, 5760 Wireless Controller, NG Catalyst 4500 Sup *]
- 480G Stack, StackPower
- Advanced Features: Flex. Netflow, Adv. QoS
- 60G, 1k APs, N+1 Redundancy
- Terminates Wireless at Access Switch
- Advanced Features: QoS, Netflow, downloadable ACLs
- Scalability for 11ac wireless traffic
- Wired multi-tier reliability for wireless
- Supports hybrid deployment models
- Embedded controller for up to 50 APs
- IOS XE for wired and wireless features
17.
Best-in-Class Wired Switch with Integrated Wireless Mobility functionality
- [Slide section labels: Features, Hardware, Wireless, IOS Evolution]
- Hardware
  - 40 Gig of uplink bandwidth (4 x 10G ports) on 48-port switch model (2 x 10G on 24-port)
  - Line rate on all ports
  - PoE+ and MACsec support
  - HW based wireless support: CAPWAP, DTLS and Fragmentation support
  - Flexible ASIC: multiple protocol support capability
  - StackPower
- 480G stacking interface
- HA support (.5 sec failover)
- Flexible Netflow: 48k flows/stack
- MQC support: 8 queues per port
- 2k policers and Microflow policers
- SGT / SGACL & MACsec support *
- IOS Evolution
  - Unified wired & wireless
  - IOS for wireless
  - Uniform wired & wireless policies
  - Wireless switch group support for faster roaming: latency sensitive applications
- Enabling Open Service Platform
  - 4 core CPU to host services
  - Modern OS to leverage Next-Gen switching hardware
  - 15.0 Maintenance Strategy
  - Wireshark *
  - NBAR *
- Up to 50 APs per UA 3850 switch stack / SPG
- Up to 2,000 clients per stack / SPG
- * Roadmap
18.
- [Slide section labels: Performance & Scale, Scalability, Key Advantages, Uplinks, Wireless Controller, High Availability]
- Key Advantages
  - Investment protection for modular install base to new Unified Access deployment
  - Flexible NetFlow with wireless attributes (Radio, SSID, user)
  - Low optics cost solution
  - Extended for other capabilities like NBAR2
- FRU Wireless Module: 10G Bandwidth, 50 APs, 2000 Users
- Scalable wireless
- Wired - Wireless convergence
- 888 Gbps
- TCAM scale Sup-7E equivalent
- 8 x 10G SFP+ (2 x QSFP+)
- TRILL / FabricPath / LISP
- Virtual Switching System (VSS)
- Up to 50 APs per NG 4500-E chassis
- Up to 2,000 clients per chassis
19.
- [Slide section labels: Industry-Leading Performance, Operational Simplicity, Flexible Deployments, Advanced Features]
- Industry-Leading Performance
  - 60G throughput (centralized deployments), 1000 APs
  - 6 x 10G uplinks
  - Hardware ready for SGT / SGACL, Advanced Crypto, NBAR2 *
- N+1 Redundancy
- Stateful AP Failover *
- Per user, Radio, SSID QoS Policies
- Flexible Netflow
- IPv6 Client Mobility
- Unified wired & wireless operations: IOS for wireless
- Uniform wired & wireless policies
- NCS and ISE for scalable management and policies
- Unified WLAN deployment (local-mode)
- Unified Access deployment
- Hybrid Deployments
- Up to 1,000 APs per 5760 controller
- Up to 12,000 clients per 5760
- * Roadmap
20.
Agenda
21.
Cisco Unified Access Deployment
- [Diagram: Mobility Domain, NCS, ISE, MO, Mobility Group, MC, Sub-Domain #1, Sub-Domain #2, SPG, MA]
22.
Cisco Unified Access Deployment
- Physical Entities
  - Mobility Agent (MA): Terminates CAPWAP tunnel from AP
  - Mobility Coordinator (MC): Manages mobility within and across Sub-Domains
  - Mobility Oracle (MO): Superset of MC, allows for Scalable Mobility Management within a Domain
- Logical Entities
  - Mobility Groups: Grouping of Mobility Coordinators (MC) to enable Fast Roaming, Radio Frequency Management, etc.
  - Switch Peer Group (SPG): Localizes traffic for roams within its Distribution Block
- MA, MC, Mobility Group functionality all exist in today's controllers (4400, 5500, WiSM2)
23.
Cisco Unified Access Deployment
- MA is the first level in the hierarchy of MA / MC / MO
- One MA per UA 3850 Stack
- Maintains Client DB of locally served clients
- Interfaces to the Mobility Coordinator (MC)
- [Diagram: Service Block, ISE, NCS, MA, AP]
24.
Cisco Unified Access Deployment
- Maintains Client DB within a Sub-Domain (1 x MC = One Sub-Domain)
- Handles RF functions (including RRM)
- Manages mobility-related configuration of the downstream MAs
- Can be hosted on a MA (smaller deployments)
- Mandatory element in design
- Multiple MCs can be grouped together in a Mobility Group for scalability
- Supported platforms are UA 3850, WiSM2, 5508, and 5760
- [Diagram: Service Block, ISE, NCS, MC, MA, AP]
25.
Best-in-Class Wired Switch with Integrated Wireless Mobility functionality
- Can act as a Mobility Agent (MA) for terminating CAPWAP tunnels for locally connected APs
- as well as a Mobility Coordinator (MC) for other Mobility Agent (MA) switches, in small deployments
- MA/MC functionality works on a Stack of UA 3850 Switches
- MA/MC functionality runs on Stack Master
- Stack Standby synchronizes some information (useful for intra-stack HA)
26.
Cisco Unified Access Deployment
- [Diagram: Mobility Group, Sub-Domain 1, Sub-Domain 2, Sub-Domain 3, SPG A, SPG B, SPG C, SPG D, SPG E, SPG F, MA, MC]
- Made up of multiple UA 3850 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
- Handles roaming across SPG (L2 / L3)
- MAs within an SPG are fully-meshed (auto-created at SPG formation)
- Fast Roaming within an SPG
- Multiple SPGs under the control of a single MC form a Sub-Domain
- Handles roaming across MG (L2 / L3)
- RF Management (RRM) and Key Distribution for Fast Roaming
- One Mobility Coordinator (MC) manages the RRM for entire Group
- Fast Roams are limited to Mobility Group member MCs
- Made up of Multiple Mobility Coordinators (MC)
27.
Cisco Unified Access Deployment
- Maintains Client DB of clients across multiple Mobility Coordinators (MCs)
- Further enhances scalability and performance by coordinating Inter-MC roams (removes need for N² communications between MCs, improves client join performance)
- Top level in the MA/MC/MO Hierarchy - Optional
- Can be a Software-Upgraded WiSM2, 5508 or 5760 Controller
- [Diagram: Service Block, ISE, MO, NCS, MC, MA, AP]
28.
Agenda
29.
Cisco Unified Access Deployment
- Point of Presence (PoP) vs. Point of Attachment (PoA)
- PoP is where the wireless user is seen to be within the wired portion of the network
- PoA is where the wireless user has roamed to while mobile
- Before a user roams, PoP and PoA are in the same place
- If users associate and remain stationary, this is their traffic flow
- Note: for the purposes of illustrating roaming, we are showing the purple connections herein that indicate the connections between the MAs and their corresponding MC for the Switch Peer Group (or Groups) involved on each slide; notice that, in this example, the traffic does NOT flow through the MC
- [Diagram: MC, MA, SPG, AP, PoP, PoA]
30.
Cisco Unified Access Deployment
- Roaming, Single UA Switch Stack
- Roaming across Stack (small branch)
- In this example, the user roams within their UA-based switch stack; for a small Branch site, this may be the only type of roam
- Roaming within a stack does not change the user's PoP or PoA, since the stack implements a single MA (redundant within the stack), and thus a user that roams to another AP serviced by the same stack does not cause a PoA move (PoA stays local to the stack)
- Notice how the UA switch stack shown is an MC (as well as an MA); in a branch such as this with 50 APs or less, no discrete controller is necessarily required
- [Diagram: Central Location, ISE, NCS, MC, MA, WAN, Guest Anchor, DMZ, UA Switch, PoP, PoA; CAPWAP tunnel to Guest Anchor; CAPWAP tunnels, control and data path]
31.
Cisco Unified Access Deployment
- An Overview of Roaming with Guest / Mobility Anchors, in the Context of PoP and PoA
- When using Guest / Mobility Anchors, all Guest traffic has its PoP set to the uplink of the Mobility Anchor controller, while the user's PoA moves within the network as they roam
- This is always the case for user traffic that is anchored to another controller within the network, and always has been; this is inherent to how Mobility Anchors work
- [Diagram: Central Location, ISE, NCS, MC, MA, WAN, Guest Anchor, DMZ, PoP, PoA; CAPWAP tunnel to Guest Anchor; CAPWAP tunnels, control and data path]
32.
Cisco Unified Access Deployment
- Roaming, Within a Switch Peer Group (Branch)
- Roaming across Stacks (larger branch)
- uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application
- Now, let's examine a roam at a larger branch, with multiple UA-based switch stacks joined together via a distribution layer
- In this example, the larger Branch site consists of a single Switch Peer Group and the user roams within that SPG; again, at a larger Branch such as this, this may be the only type of roam
- The user may or may not have roamed across an L3 boundary (depends on wired setup); however, users are always* taken back to their PoP for policy application
- Again, notice how the UA switch stack on the left is an MC (as well as an MA) in this picture; in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required
- CLI example (also Prime if possible)
- * Adjustable via setting, may be useful for L2 roams (detailed on following slide)
- [Diagram: SPG, MC, MA, PoP, PoA]
33.
Cisco Unified Access Deployment
- Roaming, Within an SPG (Campus)
- Roaming within an SPG
- uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application (L3 behaviour and default L2 behaviour)
- Now, let's examine a few different types of user roams
- In this example, the user roams within their Switch Peer Group; since SPGs are typically formed around floors or other geographically-close areas, this is the most likely and most common type of roam
- The user may or may not have roamed across an L3 boundary (depends on wired setup); however, users are always* taken back to their PoP for policy application
- Note: the traffic in this most common type of roam did not have to be transported back to, or via, the MC (controller) servicing the Switch Peer Group; it stayed local to the SPG only (i.e. under the distribution layer in this example, not back through the core)
- * Adjustable via setting, may be useful for L2 roams (detailed on following slide)
- [Diagram: MC, MA, SPG, PoP, PoA]
34.
Cisco Unified Access Deployment
- Traffic Flows, Comparison (Unified Access)
- Converged policies and services for wired and wireless users
- Wired and wireless policies implemented on UA switch
- Traffic does not flow via MCs
- More efficient since traffic flows are localized to the UA switch
- Performance Increase
- Now, our VoIP user is on a Cisco Unified Access network, and is again making a call from a wireless handset to a wired handset
- We can see that all of the user's traffic is localized to their Peer Group, below the distribution layer, in both directions
- In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming); two additional hops may be incurred for routing
- [Diagram: WiSM2s / 5508s / 5760s, MC, MA, SPG, PSTN, CUCM, PoP, PoA]
35.
Cisco Unified Access Deployment
- Traffic Flows, Comparison (Unified Access)
- Converged policies and services for wired and wireless users
- Wired and wireless policies implemented on UA switch
- Traffic still does not flow via MCs
- More efficient since traffic flows are still localized to the SPG
- Performance & Scalability
- Now, our VoIP user on the Cisco Unified Access network roams, while a call is in progress between the wireless and wired handsets
- We can see that all of the user's traffic is still localized to their Peer Group, below the distribution layer, in both directions
- In this example, a total of 3 hops is incurred for each direction of the traffic path (assuming intra-SPG roaming); two additional hops may be incurred for routing
- [Diagram: WiSM2s / 5508s / 5760s, MC, MA, SPG, PSTN, CUCM, PoP, PoA]
36.
Cisco Unified Access Architecture
- Roaming, Across SPGs (Campus)
- Roaming across SPGs (L3 separation assumed at access layer)
- uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application
- Now, let's examine a few different types of user roams
- In this example, the user roams across Switch Peer Groups; since SPGs are typically formed around floors or other geographically-close areas, this type of roam is possible, but less likely than roaming within an SPG
- Typically, this type of roam will take place across an L3 boundary (depends on wired setup); however, users are always* taken back to their PoP for policy application
- * Adjustable via setting, may be useful for L2 roams (detailed on following slide)
- [Diagram: MC, SPG, MA, PoP, PoA]
37.
Cisco Unified Access Architecture
- Roaming, Across SPGs and MCs (Campus)
- Roaming across Controllers (L3 separation assumed at access layer)
- uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application
- Now, let's examine a few different types of user roams
- In this example, the user roams across Switch Peer Groups and Controllers (within the same Mobility Group); again, this type of roam is possible, but less likely than intra-SPG roaming
- Typically, this type of roam will take place across an L3 boundary (depends on wired setup); however, users are always* taken back to their PoP for policy application
- * Adjustable via setting, may be useful for L2 roams (detailed on following slide)
- [Diagram: MC, SPG, MA, PoP, PoA]
38.
Cisco Unified Access Deployment
- Roaming, Across SPGs (Layer 2)
- Roaming across network (L2 separation across access layer in this example)
- Layer 2 Extension
- Now, let's examine a few different types of user roams
- In this example, the user roams across Switch Peer Groups and Controllers (within the same Mobility Group), but in this case, we have Layer 2 extended across the network
- This would not be typical of most Enterprise wired deployments; however, if this setup is present, an available setting allows for L2 roaming (move of both PoP and PoA)
- [Diagram: MC, SPG, MA, PoP, PoA; label: Policy moves with user move follows PoP]
39.
Cisco Unified Access Deployment
- As Noted: When a user roams in a L2 environment, an optional setting allows for both the user's PoA and PoP to move.
- The benefits that accrue to a PoP move for an L2 user roam are reduced end-to-end traffic latency for the user (less traffic hops), as well as a reduction of state held within the network (as the user needs to be kept track of only at the roamed-to switch).
- The drawback to a PoP move for an L2 user roam is likely increased roam times, as user policy may be retrieved from the AAA server, and applied at the roamed-to switch. The combination of these two elements may introduce a level of non-deterministic behaviour into the roam times if this option is used.
- Default Behaviour, L2 Roams Disabled: by default, all roams (whether across an L3 boundary or not) carry the user's traffic from their roamed-to switch (where the user's PoA has moved to), back to the original switch the user associated through (where the user's PoP remains). In this case, the user's policy application point remains fixed, and roam times are more deterministic.
- This may also reduce the load on the AAA server during user roams, as policy may not need to be retrieved, and PKC within the Switch Peer Group can take care of crypto key distribution.
- However, if desired, this behaviour can be modified via a setting to allow for an L2 roam, assuming the network topology involved allows for the appropriate Layer 2 extension across the network.
- [Diagram: PoP, PoA; label: Policy moves with user move follows PoP]
40.
Cisco Unified Access Deployment
- As we saw previously, we can also optionally use a UA 3850 switch as an MC + co-located MA for a Switch Peer Group; let's explore this in more detail
- Single UA 3850 MC supported per Switch Peer Group
- Single UA 3850 MC can handle up to 50 APs and 2,000 clients total; therefore, up to 50 APs and 2,000 clients per UA 3850-based Switch Peer Group
- More scalable MC capability can be provided by 5760 / WiSM2
- MC handles inter-SPG roaming, RRM, CleanAir, Rogue Detection, Guest, etc.
- But what if we want to scale larger, without implementing 5760 / WiSM2? Is this possible?
- [Diagram: Guest Anchor, ISE, NCS, SPG, MC, MA]
41.
October 2012 BN SEVT, Not for Further DistributionSwitch Peer Group
/ Mobility Group Scaling with UA 3850 Up to 8 x UA 3850 MCs can be
formed into a Mobility GroupUp to 250 APs total and 16,000 clients
supported (maximum) across a Mobility Group made up solely of UA
3850 switches Guest tunneling is per MC to Guest Anchor controller
Guest AnchorLicensing is per MC not pooled across MCsRRM, CleanAir,
Rogue Detection, etc. is coordinated across the MCs in the same
Mobility GroupMCMAISEFull mesh of MCs across Mobility GroupNCS PG
PG "# ! PG "# !Mobility GroupPG "# ! PG "# ! PG "# ! ! "#SPG MC41
2012 Cisco and/or its affiliates. All rights reserved.MA! "#! "#!
"#! "#! "# ! "#! "# ! "#! "# ! "#! "#! "#! "# ! "#! "# ! "#! "# !
"#SPG MAMAMCMAMAMA41 Cisco Unified Access Deployment 42. Cisco
Confidential For Cisco-Internal use only, at October 2012 BN SEVT,
Not for Further DistributionBackground Many larger designs (such as
most Campuses) will likely utilize a discrete controller, or group
of controllers, as MCs. Combined with UA 3850 switches as MAs, this
likely provides the most scalable design option for a larger
network build.However, if using UA 3850 switches as MCs for smaller
builds and with the scaling limits detailed on the previous slide
in mind we need to determine where to best use this capability.Pros
PG ! "#! "#! "#CapEx cost savings via the elimination of a
controller-as-MC in some designs (typically, smaller use cases and
deployments) cost also need to take into consideration licensing on
UA 3850 switches (TBD).Cons ! "#OpEx complexity due to some
additional complexity that comes into roaming situations when using
multiple UA switch-based MCs (as detailed in the following slides).
While not insurmountable, this does need to be factored in as part
of the decision process.Roaming details provided on following
slidesConclusion In smaller designs (such as branches), the use of
UA 3850 switches as MCs is likely workable. In mid-sized designs,
this may also be workable, but does lead to some additional roaming
considerations (as detailed on the following slides). In large
campus deployments, the use of controllers as MCs 42 42 is rights
reserved. 2012 Cisco and/or its affiliates. All more likely, due to
economies of scale. Cisco Unified Access Deployment 43. Cisco
Confidential For Cisco-Internal use only, at October 2012 BN SEVT,
Not for Further DistributionRoaming, within a Stack (UA Switches as
MCs) Initially, all clients in this example are on their initial,
local UA switchesNow, a client roams and we see his resulting
traffic topologyRoaming within a stack does not change the users
PoP or PoA since the stack implements a single MA (redundant within
the stack), and thus a user that roams to another AP serviced by
the same stack does not cause a PoA moveGuest Anchor
MCPoAPoPMANCSCLI exampleSPG MCMAISEMobility GroupSPG MAMAMCNo
change to users PoP or PoA uRPF, Symmetrical Routing, NetFlow,
Stateful Policy Application (also Prime if
possible)MAMAPoPPoAMAScalability Max of 8 x UA 3850 switches as
MCs, grouped into a Mobility Group 250 APs total across all UA 3850
MCs Max. 50 APs per UA 3850 stack / SPG43 2012 Cisco and/or its
affiliates. All rights reserved.43 Cisco Unified Access Deployment
44. Roaming, within a Switch Peer Group (UA Switches as MCs)
Now, the client roams to an AP serviced by another switch stack (within the same SPG). Let's examine his resulting traffic topology.
The user has moved between MAs (switch stacks). To maintain consistency of user connectivity (IP address) and policy application, the user's traffic is transported to the MA that the user associated with initially (i.e. the user's PoA moved, but their PoP stayed static).
Most common roaming case.
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, PoP, PoA]

45. Roaming, across Switch Peer Groups (UA Switches as MCs)
Now, let's examine a more complex roam, where the user roams across SPGs. In this example the user roams to a separate SPG, onto the stack serving as MC for that SPG.
The user has moved between SPGs, so their traffic needs to be transported back to their PoP, which has remained static, and it does so by transiting between the two MCs servicing these two Switch Peer Groups (MCs are fully meshed within the MG).
Roaming between PGs (geographically separated).
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, PoP, PoA]

46. Roaming, across Switch Peer Groups and MCs (UA Switches as MCs)
Now, let's examine the most complex type of roam, across SPGs and MCs / MAs. Remember, these types of roams are likely to be a minority case in most deployments.
The user has moved between MAs, MCs, and SPGs, and their traffic takes the path shown since, again, their PoP has remained static, while the PoA moved as the user roamed (maintains user IP address, maintains consistency of policy application).
Roaming between SPGs and MCs (geographically separated).
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, PoP, PoA]

47. What happens when:
- Everyone enters the building via a common lobby
- APs in that lobby are controlled by one UA switch stack
- All the users, and their traffic, get pinned to that switch ... causing issues for traffic load, switch load, DHCP pool exhaustion, etc.
Many users could end up staying in the lobby logically.
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, PoP, PoA, Lobby area]

48. What can we do to address this issue?
- User client associations get distributed across UA switches in the Switch Peer Group
- User load info is constantly shared within the SPG with heartbeat (10s default, adjustable 1s-30s)
- At 50% client load, the lobby UA switch distributes incoming client association requests to its Switch Peer Group members; the client is anchored based on reported client load
- Addresses traffic load, switch load, DHCP pool exhaustion, etc.
Client will be anchored to the middle UA stack, as it reported that it had fewer clients associated.
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, PoP, PoA, "50% load!", Lobby area]
49. Mobility Domain
Legend: MA = Mobility Agent, MC = Mobility Coordinator, SPG = Switch Peer Group, SD = Sub-Domain
[Diagram labels: Sub-Domain - 1 through Sub-Domain - 8, 5760 MC/MO, 5760 MC, 3850 MA, MC/MA on one Switch, Switch Peer Group - 1, SPG - 1 through SPG - 64, SPG - N, MA-1 through MA-16, MA 346~350]
- 1 MC = 1 SD; up to 50 APs; up to 2K Clients; up to 50GB I/O for AP Traffic
- Up to 16 MAs in an SPG; up to 64 SPGs in an SD; up to 350 MAs per MC; up to 1K APs in an SD; up to 12K Clients; up to 1TB I/O for AP Traffic
- 72 Mobility SD in a MD; up to 25,200 MAs per MD; up to 72K APs; up to 864K Clients; up to 72TB I/O for AP Traffic

50. Mobility Domain
Legend: MA = Mobility Agent, MC = Mobility Coordinator, SPG = Switch Peer Group, SD = Sub-Domain
[Diagram labels: Sub-Domain - 1 through Sub-Domain - 8, UA3850 MC, UA3850 MA, 3850 MC, Switch Peer Group - 1, SPG - 1 through SPG - 8, SPG - N, MA-1 through MA-16]
- 1 MC = 1 SD; up to 50 APs; up to 2K Clients; up to 50 GB I/O for AP Traffic
- Up to 16 MAs in an SPG; up to 8 SPGs in an SD; up to 16 MAs per MC; up to 50 APs; up to 2K Clients; up to 250 GB I/O for AP Traffic
- Up to 8 SDs in an MD; up to 128 MAs per MD; up to 250 APs; up to 16K Clients; up to 250 GB I/O for AP Traffic

51. Agenda (as on slide 2)

52. Revise HA section (addition of 4-5 slides) to show the following:
- Additional details on intra-stack UA 3850 HA and failover / recovery
- Additional details on AP SSO, Client SSO (FCS++)
- Impact of software upgrades, AP pre-image download
- Document results from HA testing in PoC Lab
53. Examining traffic topologies
Let's now examine a second client roam, with a subsequent MC failover within a stack (failure of the MC switch in a UA stack, for a Switch Peer Group).
First, the traffic topology after the roam, as we saw before. Again, this traffic pattern is normal, for all of the reasons stated previously (default behavior).
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, PoP, PoA]

54. Examining state within the stack (for MC)
Let's now examine the state maintained by the MC within a stack, and see what redundancy we provide for this.
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, MA/MC, M, S]

55. Tunnel State is synced between Master and Standby Member in stack. Tunnel States are inactive on Standby Member.
[Diagram labels: MA/MC, M, S, AP, Guest, MC2MA, Inter-MC, SPG, MC, MA, CLI example]

56. MC goes down in stack
Standby MC must now become Master. So what are the impacts to local users, and to roamed users?
- Local Client re-auths, re-DHCPs
- Roamed Client re-auths, re-DHCPs, becomes local
- No impact to existing clients on MAs
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, MA/MC, M, S, PoP, PoA]

57. Switch Peer Group Fault Tolerance with UA 3850
If a UA 3850-based MC is down in a Switch Peer Group:
- Roaming within a Switch Peer Group still works
- Roaming between Switch Peer Groups does not work
- PMKs (via PKC) will not be distributed if the MC is down, so no Fast Roaming for new clients until the MC is restored
Diagram callouts: (no PMK, no fast roam); (Client roams Seamlessly); (Client re-auths, re-DHCPs, becomes local)
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, "Stack totally down", "Blowed up real good"]

58. Switch Peer Group Fault Tolerance with UA 3850
If a UA 3850-based MC is down in a Switch Peer Group:
- When MC is down, RRM, CleanAir, Rogue Detection, and Guest Access (guest tunneling) do not operate within the affected Switch Peer Group; other Switch Peer Groups are unaffected, however
Diagram callouts: (Guest access down); (Guest access up)
[Diagram labels: Guest Anchor, ISE, NCS, Mobility Group, SPG, MC, MA, "Stack totally down"]

59. Agenda (as on slide 2)

60. Insert slides (6-8 total) to discuss the following topic areas, related to UA deployment IP addressing:
- Recommendations for wired and wireless management VLANs
- Recommendations for separate / mixed wired and wireless client VLANs
- Client or OS issues relating to mixed subnets?
- Recommendations on VLAN sizing for wireless
- Recommendations on VLAN spanning for L2 roams
- Document results from setups in PoC Lab
- Best practice recommendations, with reference to current SBA designs (if possible within the October timeframe)

61. Agenda (as on slide 2)

62. Likely the most common deployment at FCS
Characteristics:
- May be a lower-speed WAN link (bandwidth and latency a concern only for Guest traffic)
- Deployment could consist of multiple stacks: one stack as MC/MA, rest of stacks as MAs only
- Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
- Supports Layer 3 roaming
- Supports VideoStream and optimized multicast
- Good availability due to MA/MC redundancy within the UA stack; provides wireless continuity with either WAN outage or switch failure within the UA stack
[Diagram labels: Central Location, ISE, NCS, WAN, Guest Anchor(s), DMZ, UA Switch, "CAPWAP tunnels control and data path"]

63.
Likely the most common deployment at FCS
Applicable to a Smaller Branch with Several Wiring Closets
Characteristics:
- Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
- No discrete controllers deployed, even with multiple wiring closets
- Supports Layer 3 roaming
- Supports VideoStream and optimized multicast
- Good availability due to MA/MC redundancy within the UA stacks; provides wireless continuity with either WAN outage or switch failure within the UA stack
[Diagram labels: Central Location, ISE, NCS, WAN, Guest Anchor(s), DMZ, Switch Peer Group, MC, MA]

64. Applicable to a Larger Branch with Multiple Wiring Closets
Characteristics:
- Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
- Supports Layer 3 roaming
- No discrete controllers deployed, even at a larger branch
- Supports VideoStream and optimized multicast
- Good availability due to MA/MC redundancy within the UA stacks; provides wireless continuity with either WAN outage or switch failure within the UA stack
[Diagram labels: Central Location, ISE, NCS, WAN, Guest Anchor(s), DMZ, Switch Peer Groups, Mobility Group, MC, MA]

65. Applicable to a Larger Branch or Small Campus
Characteristics:
- Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers); provides wireless continuity with either WAN outage or switch / controller failure
- Supports Layer 3 roaming, VideoStream, and optimized multicast
- Simplified Mobility deployment vs. the use of UA switches as MCs / MAs
- Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
- Greater scalability via the use of discrete controllers as MCs, in conjunction with UA switches as MAs
[Diagram labels: Central Location, ISE, NCS, WAN, Guest Anchor(s), DMZ, 5760 / WiSM2 / 5508, Mobility Group, Switch Peer Groups, MC, MA]

66. Scalability: up to 8 UA 3850 MCs, up to 250 APs total (w/ inter-dist. roaming)
Applicable to a Small Campus (with interbuilding wireless coverage)
Characteristics:
- Supports roaming between distribution layers, keeps many roams localized below dist. layer
- Supports Layer 3 roaming
- Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
- No discrete controllers deployed, even at a small Campus
- Good availability due to MC/MA redundancy within the UA stacks; moderately scalable using UA 3850s (up to 8 in total) as MCs, combined with a single Mobility Group in the deployment
Note: MC present per SPG, all SPG MCs meshed into single Mobility Group for the site. Guest tunnel per MC to Anchor.
[Diagram labels: Campus / Metro, ISE, Data Center, NCS (optional), Guest Anchors, Switch Peer Groups, Mobility Group, MC, MA, MO]

67. Scalability: > 8 UA 3850 MCs, > 250 APs total (w/o inter-dist. roaming)
May be applicable to a Small Campus (without any interbuilding wireless coverage)
Characteristics:
- No support for roaming across distribution layers (no inter-dist. RF coverage)
- Good availability due to MC/MA redundancy within the UA stacks; more scalable using UA 3850s (up to 8 total per Mobility Group) as MCs, combined with multiple Mobility Groups in the deployment
- Supports Layer 3 roaming
- Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
- No discrete controllers deployed, even at a larger Campus
- No inter-dist. roaming: no RRM, no CleanAir, no Rogue Det. across separate Mob. Groups
Note: MC present per SPG, all SPG MCs meshed into multiple Mobility Groups for the site. Guest tunnel per MC to Anchor.
Diagram callouts: (Client roams Seamlessly); (Client re-auths, re-DHCPs, becomes local); No inter-MG RF coverage
[Diagram labels: Campus / Metro, ISE, Data Center, NCS (optional), Guest Anchors, Switch Peer Groups, Mobility Group 1, Mobility Group 2, MC, MA, MO]

68. Applicable to a Larger Campus
Characteristics:
- Use of discrete controllers as MCs, combined with UA switches as MAs, provides for a very scalable solution
- Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
- Supports Layer 3 roaming; provides scalability by keeping many roams localized to SPGs (below dist.)
- Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers)
- Simplified Mobility deployment using UA switches as MAs only, vs. the use of UA switches as MCs / MAs
[Diagram labels: ISE, Data Center, Guest Anchors, Campus / Metro, MO, 5760s / WiSM2s / 5508s, Campus Services, Mobility Group, Switch Peer Groups, NCS (optional), MC, MA]

69. Applicable to a Larger Campus
Characteristics:
- Use of discrete controllers as MCs, combined with UA switches as MAs, provides for a very scalable solution
- Use of distributed controllers (vs. centralized in DC) may be more appropriate in some wireless deployments
- Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
- Supports Layer 3 roaming; provides scalability by keeping many roams localized to SPGs (below distribution)
- Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers)
- Simplified Mobility deployment using UA switches as MAs only, vs. the use of UA switches as MCs / MAs
[Diagram labels: ISE, Data Center, Campus / Metro, MO, Guest Anchors, NCS (optional), 5760s / WiSM2s / 5508s, Mobility Group, Switch Peer Groups, MC, MA]

70. Agenda (as on slide 2)

71.
Prior to Migration to Unified Access
Existing Unified Wireless Deployment today.
[Diagram labels: Data Center / Service block, ISE, NCS, Intranet, Mobility Group, EtherIP Mobility Tunnel, MC, MA, 5508 / WiSM2, CAPWAP Tunnels]

72. Initial Migration Step: Controller Upgrades, Implementation of First UA Switches
Intermediate step. Be aware that feature differences may exist, based on MA software versions.
[Diagram labels: Data Center / Service block, ISE, MO, NCS, 5760 / 5508 / WiSM2 (optional), Intranet, Mobility Group, Software upgrade, CAPWAP Mobility Tunnel, MC, MA, 5508 / WiSM2, Peer Group, CAPWAP Tunnels]

73. Further Migration Step: Controller Upgrades, Implementation of Additional UA Switches
Intermediate step. Be aware that feature differences may exist, based on MC platforms and versions.
[Diagram labels: Data Center / Service block, ISE, MO, NCS, 5760 / 5508 / WiSM2 (optional), Intranet, Mobility Group, Controller upgrade, CAPWAP Mobility Tunnel, MC, MA, 5760 Controller, Peer Group, CAPWAP Tunnels]

74. Final Migration Step: Implementation of End-to-End Unified Access Deployment
Eventual state.
[Diagram labels: Data Center / Service block, ISE, MO, NCS, 5760 / 5508 / WiSM2 (optional), Intranet, Mobility Group, CAPWAP Mobility Tunnel, MC, MA, 5760 Controller, Peer Groups, CAPWAP Tunnels]

75. Agenda (as on slide 2)

76. An Evolutionary Advance to Cisco's Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands.
- Next-Generation WLAN Controller (5760): control plane functionality on NG Controller (also possible on upgraded 5508s, WiSM2s for brownfield deployments, or NG Unified Access switches for small, branch deployments)
- Next-Generation Switches (UA 3850s): data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred)
- Enabled by Cisco's strength in Silicon and Systems: Doppler ASIC

77. With a Next-Generation Deployment and Solution
An Evolutionary Advance to Cisco's Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands.
[Diagram labels: Cisco Unified Access Deployment, Mobility Domain, Mobility Group, NCS, ISE, PG]