
Unified access - Is your network ready

Nov 13, 2014

Wed 20th Nov 11:00am - 11:40am
Transcript
  • 1. Cisco Unified Access – Network Requirements Driving Wireless Evolution
Cisco Confidential – For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further Distribution
© 2012 Cisco and/or its affiliates. All rights reserved.
We've Been Here Before …
Autonomous Mode: Standalone Access Point
- Hotspot deployments with nomadic roaming
Cisco Unified Wireless: Functionality split with CAPWAP (Controller + Access Point)
- Centralized tunneling of user traffic to the controller (data plane and control plane)
- System-wide coordination for channel and power assignment, rogue detection, security attacks, interference, roaming
- Increased scalability, centralized policy application
- Scale and Services: frees up the AP to focus on real-time communication, policy application and optimized RF & MAC functionality such as CleanAir, ClientLink
Cisco Unified Access: Performance and Unified Experience
- Control plane functionality on the NG Controller (also possible on upgraded 5508s, WiSM2s for brownfield deployments, or NG Unified Access switches for small, branch deployments)
- Data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred)
- Unified wired-wireless experience (security, policy, services)
- Common policy enforcement, common services for wired and wireless traffic (NetFlow, advanced QoS, and more …)

2. Agenda
- Unified Access Deployment Solution Overview
- Existing Wireless Deployment Architecture Refresher
- The Unified Access Deployment in Detail
  - Components of the Deployment: Hardware and Software
  - Components of the Deployment: Terminology and Building Blocks
  - Unified Access Deployment Traffic Flows and Roaming
  - Unified Access Deployment High Availability
  - Unified Access Deployment IP Addressing
  - Unified Access Design Options, Greenfield: Small Branch, Larger Branch, and Campus
  - Migration Options: Evolving to a Unified Access Solution
- Summary

3. Existing Unified Wireless Deployment today – well-known, proven architecture
Diagram: Data Center / Service block (ISE, NCS, WLC #1 and WLC #2 in a Mobility Group), Foreign WLC, Guest Anchor, Intranet, Internet, APs serving SSID1 / SSID2 / SSID3, with SSID-to-VLAN mapping at the controller.
Legend:
- AP-Controller CAPWAP Tunnel (encrypted, see notes)
- Inter-Controller EoIP / CAPWAP Tunnel
- Inter-Controller (Guest Anchor) EoIP / CAPWAP Tunnel: EoIP Mobility Tunnel (< 7.2), CAPWAP option in 7.3
- 802.11 Control Session + Data Plane
Notes:
- AP / WLC CAPWAP tunnels are an IETF standard. UDP ports used: 5246 for encrypted control traffic; 5247 for data traffic (non-encrypted or DTLS-encrypted, configurable).
- Inter-WLC Mobility Tunnels: EoIP (IP Protocol 97); AireOS 7.3 introduces a CAPWAP option. Used for inter-WLC L3 roaming and Guest Anchor.
4.
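Added example (not part of the deck): a small flow classifier that labels tunnel flows using the ports and protocol listed in the notes above, and reads the CAPWAP preamble byte on UDP 5247 to tell a DTLS-encrypted data channel from a clear one, which is the check an auditor wants when "DTLS data encryption" is configurable. The flow records are constructed, not captured.

```python
"""Classify CUWN tunnel flows and audit the CAPWAP data plane for DTLS.

Facts used (from the slide notes and RFC 5415, the CAPWAP standard):
  * UDP 5246 = CAPWAP control (always DTLS-encrypted)
  * UDP 5247 = CAPWAP data (clear or DTLS, configurable on the WLC)
  * IP protocol 97 = EoIP inter-WLC mobility / guest-anchor tunnel
  * CAPWAP preamble byte: high nibble = version (0), low nibble = type,
    0 = plain CAPWAP header, 1 = CAPWAP DTLS header
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247
EOIP_PROTOCOL = 97
UDP = 17


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first_payload_byte: Optional[int]  # first byte of UDP payload, if seen


def capwap_preamble(byte: int) -> Tuple[int, int]:
    """Split a CAPWAP preamble byte into (version, type)."""
    return (byte >> 4) & 0x0F, byte & 0x0F


def classify(flow: Flow) -> str:
    """Label the tunnel type a flow belongs to.

    Labels: capwap-control, capwap-data-dtls, capwap-data-clear,
    capwap-data-unknown (port matched, no payload seen), eoip-mobility, other.
    """
    if flow.proto == EOIP_PROTOCOL:
        return "eoip-mobility"
    if flow.proto != UDP:
        return "other"
    ports = {flow.sport, flow.dport}
    if CAPWAP_CONTROL_PORT in ports:
        return "capwap-control"
    if CAPWAP_DATA_PORT in ports:
        if flow.first_payload_byte is None:
            return "capwap-data-unknown"
        version, ptype = capwap_preamble(flow.first_payload_byte)
        if version != 0:
            return "other"  # not a CAPWAP preamble; port reuse
        return "capwap-data-dtls" if ptype == 1 else "capwap-data-clear"
    return "other"


def audit(flows: List[Flow]) -> Dict[str, object]:
    """Count tunnel flows by type and list AP/WLC pairs whose CAPWAP data
    channel is carried in the clear (the finding for a DTLS-data check)."""
    counts: Dict[str, int] = {}
    clear_pairs = []
    for f in flows:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
        if label == "capwap-data-clear":
            clear_pairs.append((f.src, f.dst))
    return {"counts": counts, "clear_data_pairs": sorted(clear_pairs)}


# Constructed sample: two APs, two WLCs, one EoIP mobility tunnel.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.0.0.5", UDP, 50001, 5246, 0x01),  # AP1 control, DTLS
    Flow("10.1.1.10", "10.0.0.5", UDP, 50002, 5247, 0x00),  # AP1 data, clear
    Flow("10.1.2.20", "10.0.0.6", UDP, 50003, 5246, 0x01),  # AP2 control, DTLS
    Flow("10.1.2.20", "10.0.0.6", UDP, 50004, 5247, 0x01),  # AP2 data, DTLS
    Flow("10.0.0.5", "10.0.0.6", EOIP_PROTOCOL, 0, 0, None),  # WLC1<->WLC2 EoIP
    Flow("10.1.1.10", "10.0.0.7", UDP, 50005, 443, 0x16),  # unrelated traffic
]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```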
Cisco Confidential Data Center / Service blockFor Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionInternet ISENCSIntranet Mobility GroupMAEoIP Mobility Tunnel ( < 7.2) CAPWAP Option in 7.3WLC #1Foreign WLC Guest AnchorMAMCWLC #2MCMCAPAPInter-Controller (Guest Anchor) EoIP / CAPWAP TunnelLEGENDCAPWAP TunnelsAPMAAPAdditional details on controller functionalityInter-Controller EoIP / CAPWAP Tunnel AP-Controller CAPWAP Tunnel 802.11 Control Session + Data PlaneMA MCMobility Agent Maintains Client Database Mobility Coordinator Handles Roaming, RRM, WIPS, etc.These will become important later as we delve into the Unified Access deployment SSID2 SSID1 20124 Cisco and/or its affiliates. All rights reserved.SSID3Existing Unified Wireless Deployment today4 5. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionMobility Domain Mobility GroupOne WLC Network Mobility Group Up to 500 APs Up 7K Clients Up to 8 GB I/O for AP Traffic CT5508 rel 7.2 Max theoretical scalability numbers Without Considering FlexConnect 20125 Cisco and/or its affiliates. All rights reserved. Up to 24 WLCs in a MG Up to 12K APs Up 168K Clients Up to 192 GB I/O for AP TrafficMobility GroupMobility Group Up to 72 WLCs in a MD Up to 36K APs Up to 504K Clients Up to 576GB I/O for AP Traffic 5 6. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionMobility Domain Mobility GroupOne WLC Network Mobility Group Up to 1K APs Up 15K Clients Up to 20 GB I/O for AP Traffic WiSM-2 rel 7.2 Max theoretical scalability numbers Without Considering FlexConnect 20126 Cisco and/or its affiliates. All rights reserved. Up to 24 WLCs in a MG Up to 24K APs Up 360K Clients Up to 480 GB I/O for AP TrafficMobility GroupMobility Group Up to 72 WLCs in a MD Up to 72K APs Up to 1.08M Clients Up to 1.44TB I/O for AP Traffic 6 7. 
Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionData Center-DMZ Data Center Campus ServicesMCMCMASiMAMCPoint of Presence (PoP) vs. Point of Attachment (PoA) SiNCSPoPMAMAMCInternetMA MCSiWiSM2s / 5508s ISEGuest AnchorsCampusSiPoASiSiSiSi SiSiPoP is where the wireless user is seen to be within the wired portion of the network Anchors client IP address Used for security policy applicationPoA is where the wireless user has roamed to while mobile Moves with user AP connectivity Used for user mobilityLayer 2 Mobility GroupNow, lets see how mobility works when a user roams in this deployment model Campus Access 20127 Cisco and/or its affiliates. All rights reserved.Existing Unified Wireless Deployment today7 8. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionData Center-DMZ Data Center Campus ServicesMCMCMASiMAMCInternetMA MCSiWiSM2s / 5508s ISEGuest AnchorsCampusMANCSPoPMASiInitially, the users traffic flow is as shown SiPoALayer 2 Mobility GroupNote in this deployment model, it is assumed that all of the controllers within the DC share a common set of user VLANs at Layer 2MCInitially, the users PoP and PoA are co-located on the same controllerSiSiSiSi SiSiCampus Access 20128 Cisco and/or its affiliates. All rights reserved.Existing Unified Wireless Deployment today8 9. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionData Center-DMZ Data Center Campus ServicesMCMCSiMAMCPoPMAThe users PoP and PoA both move to the new controller handling that user after the roam (possible since the controllers in this deployment model are all L2-adjacent within the VLANs) After the roam, the users traffic flow is as shown SiPoALayer 2 Mobility GroupSiSiSiSi SiCampus Access 20129 Cisco and/or its affiliates. 
All rights reserved.Now, the user roams to an AP handled by a different controller, within the same Mobility Group SiNCSMAMAMCInternetMA MCSiWiSM2s / 5508s ISEGuest AnchorsCampusSiMove of the users entire Mobility ContextExisting Unified Wireless Deployment today9 10. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionData Center-DMZ Data Center Campus ServicesGuest AnchorsCampusMC MCSiInternetMA MASiISEInitially, the users PoP and PoA are co-located on the same controllerSiNote in this deployment model, it is assumed that all of the controllers across the Campus do not share a common set of user VLANs at Layer 2 (i.e. the controllers are all L3-separated)Initially, the users traffic flow is as shown SiNCS SiSiPoP MCMAMCMAPoA 5508 / WiSM-2SiSi5508 / WiSM-2SiSiLayer 3 Mobility GroupCampus Access10 2012 Cisco and/or its affiliates. All rights reserved.10 Existing Unified Wireless Deployment today 11. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionData Center-DMZ Data Center Campus ServicesGuest AnchorsCampusMC MCSiInternetMA MASiISENow, the user roams to an AP handled by a different controller, within the same Mobility Group SiThe users PoA moves to the new controller handling that user after the roam but the users PoP stays fixed on the original controller that the user associated toThis is done to ensure that the user retains the same IP address across an L3 boundary roam and also to ensure continuity of policy application during roamingAfter the roam, the users traffic flow is as shown SiNCS SiSiPoP MCMAMCMAPoA 5508 / WiSM-2SiSi5508 / WiSM-2Campus Access11 2012 Cisco and/or its affiliates. All rights reserved.SiSiLayer 3 Mobility GroupSymmetric Mobility Tunneling11 Existing Unified Wireless Deployment today 12. 
Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionData Center-DMZ Data Center Campus ServicesGuest AnchorsCampusMC MCSiInternetMAPoPMASiISENow, lets examine roaming with Mobility Anchor use When using Mobility Anchors, the users PoP is always located at the Mobility Anchor controller ... while the users PoA moves as the user roams Again, this is done to ensure that the user retains the same IP address across an L3 boundary roam and also to ensure continuity of policy application during roamingSiBefore the roam, the users traffic flow is as shown (tunneling of user traffic back to the Mobility Anchor guest traffic assumed)SiNCS SiMCMAMCSiMAPoA 5508 / WiSM-2SiSi5508 / WiSM-2Campus Access12 2012 Cisco and/or its affiliates. All rights reserved.SiSiLayer 3 Mobility Group12 Existing Unified Wireless Deployment today 13. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionData Center-DMZ Data Center Campus ServicesGuest AnchorsCampusMC MCSiInternetMAPoPMASiISENow, lets examine roaming with Mobility Anchor use SiAfter the roam, the users PoA moves to the new controller that handles the AP the user has roamed onto however, the users PoP remains fixed at the Mobility Anchor controller After the roam, the users traffic flow is as shown (tunneling of user traffic back to the Mobility Anchor guest traffic assumed)SiNCS SiMCMAMCSiMAPoA 5508 / WiSM-2SiSi5508 / WiSM-2SiSiLayer 3 Mobility GroupCampus Access13 2012 Cisco and/or its affiliates. All rights reserved.13 Existing Unified Wireless Deployment today 14. Cisco Confidential WiSM2s / 5508sMCMAMCSeparate policies and services for wired and wireless usersMAFor Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionPSTNPoP PoACUCMTraffic Flows, Unified Wireless The same traffic paths are incurred for voice, video, data, etc. 
all centralized Wired policies implemented on switch14 2012 Cisco and/or its affiliates. All rights reserved.In this example, a VoIP user is on todays CUWN network, and is making a call from a wireless handset to a wired handset Wireless policies implemented on controllerWe can see that all of the users traffic needs to be hairpinned back through the centralized controller, in both directions In this example, a total of 9 hops are incurred for each direction of the traffic path (including the controllers Layer 3 roaming might add more hops) 14 Existing Unified Wireless Deployment today 15. AgendaCisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further Distribution Unified Access Deployment Solution Overview Existing Wireless Deployment Architecture Refresher The Unified Access Deployment in Detail - Components of the Deployment Hardware and Software - Components of the Deployment Terminology and Building Blocks - Unified Access Deployment Traffic Flows and Roaming - Unified Access Deployment High Availability- Unified Access Deployment IP Addressing - Unified Access Design Options, Greenfield - Small Branch, Larger Branch, and Campus - Migration Options Evolving to a Unified Access Solution Summary 15 2012 Cisco and/or its affiliates. All rights reserved.15 16. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionCisco Prime Infrastructure (NCS 2.0) Full UA Management Consistent Network Services and MultiDomain Network Mgmt Troubleshoot End User Issues in Real-timeIdentity Services Engine (ISE) BYOD Policy Mgmt Mobile device profiling and posture Guest Access Portal Scales up for large ISE Enterprise needs Who What Whe WhereHow ? ? n? ? ?Cisco PrimeUA Catalyst 3850 5760 Wireless UA Catalyst 3850 5760 Wireless Controller NG Catalyst 4500 Sup * Controller 480G Stack, StackPower Advanced Features: Flex. Netflow, Adv. 
QoS 60G, 1k APs, N+1 Redundancy Terminates Wireless at Access Switch Advanced Features: QoS, Netflow, Scalability for 11ac wireless traffic downloadable ACLs Wired multi-tier reliability for wireless Supports hybrid deployment models Embedded controller for up to 50 APs IOS XE for wired and wireless featuresBest-in-Class Performance, Security and Resiliency 16 2012 Cisco and/or its affiliates. All rights reserved.16 17. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionFeaturesHardware 40 Gig of uplink bandwidth (4 x 10G ports) on 48-port switch model (2 x 10G on 24-port) Line rate on all ports PoE+ and MAC Sec support HW based wireless support CAPWAP, DTLS and Fragmentation support Flexible ASIC: multiple protocol support capability StackPowerWireless 480G stacking interface HA support (.5 sec failover) Flexible Netflow 48k flows/stack MQC support 8 queues per port 2k policers and Microflow policers SGT / SGACL & MACsec support *Best-in-Class Wired Switch with Integrated Wireless Mobility functionalityIOS EvolutionUnified wired & wireless IOS for wireless Uniform wired & wireless policies Wireless switch group support for faster roaming: latency sensitive applications17 2012 Cisco and/or its affiliates. All rights reserved. * Roadmap Enabling Open Service Platform 4 core CPU to host services Modern OS to leverage Next-Gen switching hardware 15.0 Maintenance Strategy Wireshark * NBAR *Up to 50 APs per UA 3850 switch stack / SPG Up to 2,000 clients per stack / SPG 17 18. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionPerformance & Scale Scalability Key Advantages Investment protection for modular install base to new Unified Access deploymentFlexible NetFlow with wireless attributes (Radio, SSID, user)Low optics cost solutionExtended for other capabilities like NBAR218 2012 Cisco and/or its affiliates. 
All rights reserved.FRU Wireless Module 10G Bandwidth, 50 APs, 2000 UsersUplinks Scalable wirelessWireless Controller Wired - Wireless convergence888 Gbps TCAM scale Sup-7E equivalent8 x 10G SFP+ (2 x QSFP+) TRILL / FabricPath / LISPHigh Availability Virtual Switching System (VSS)Up to 50 APs per NG 4500-E chassis Up to 2,000 clients per chassis 18 19. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionIndustry-Leading Performance 60G throughput (centralized deployments), 1000 APs 6 x 10G uplinks Hardware ready for SGT / SGACL, Advanced Crypto, NBAR2 * Operational Simplicity N+1 Redundancy Stateful AP Failover * Per user, Radio, SSID QoS Policies Flexible Netflow IPv6 Client MobilityFlexible DeploymentsUnified wired & wireless operations: IOS for wireless Uniform wired & wireless policies NCS and ISE for scalable management and policies19 2012 Cisco and/or its affiliates. All rights reserved.Advanced Features* Roadmap Unified WLAN deployment (local-mode) Unified Access deployment Hybrid DeploymentsUp to 1,000 APs per 5760 controller Up to 12,000 clients per 5760 19 20. AgendaCisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further Distribution Unified Access Deployment Solution Overview Existing Wireless Deployment Architecture Refresher The Unified Access Deployment in Detail - Components of the Deployment Hardware and Software - Components of the Deployment Terminology and Building Blocks - Unified Access Deployment Traffic Flows and Roaming - Unified Access Deployment High Availability- Unified Access Deployment IP Addressing - Unified Access Design Options, Greenfield - Small Branch, Larger Branch, and Campus - Migration Options Evolving to a Unified Access Solution Summary 20 2012 Cisco and/or its affiliates. All rights reserved.20 21. 
Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further Distribution Mobility DomainNCSISEMOMobility Group MCMCSub-Domain #1SPGSPG MA21 2012 Cisco and/or its affiliates. All rights reserved.Sub-Domain #2MAMAMAMAMA21 Cisco Unified Access Deployment 22. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionPhysical Entities Mobility Agent (MA) Terminates CAPWAP tunnel from AP Mobility Coordinator (MC) Manages mobility within and across Sub-Domains Mobility Oracle (MO) Superset of MC, allows for Scalable Mobility Management within a Domain Logical Entities Mobility Groups Grouping of Mobility Coordinators (MC) to enable Fast Roaming, Radio Frequency Management, etc. Switch Peer Group (SPG) Localizes traffic for roams within its Distribution Block MA, MC, Mobility Group functionality all exist in todays controllers (4400, 5500, WiSM2) 22 2012 Cisco and/or its affiliates. All rights reserved.22 Cisco Unified Access Deployment 23. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionService BlockISE NCS MA is the first level in the hierarchy of MA / MC / MO One MA per UA 3850 StackMAMAMA Maintains Client DB of locally served clients Interfaces to the Mobility Coordinator (MC) AP23APAPCisco Unified Access Deployment 24. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionService BlockISE NCSMCMC AP24APAPMaintains Client DB within a SubDomain (1 x MC = One Sub-Domain)Handles RF functions (including RRM)MAManages mobility-related configuration of the downstream MAs MACan be hosted on a MA (smaller deployments)MAMandatory element in designMultiple MCs can be grouped together in a Mobility Group for scalabilitySupported platforms are UA 3850, WiSM2, 5508, and 5760 Cisco Unified Access Deployment 25. 
Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionBest-in-Class Wired Switch with Integrated Wireless Mobility functionalityMA Can act as a Mobility Agent (MA)for terminating CAPWAP tunnels for locally connected APs MC as well as a Mobility Coordinator (MC)for other Mobility Agent (MA) switches, in small deployments- MA/MC functionality works on a Stack of UA 3850 Switches - MA/MC functionality runs on Stack Master 25 2012 Cisco and/or its affiliates. All rights reserved.- Stack Standby synchronizes some information (useful for intra-stack HA)25 26. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionSPG E MASub-Domain 3MASub-Domain 1SPG FSPG B MAMASPG A MA MAMA MC MCMobility GroupMade up of multiple UA 3850 switches as Mobility Agents (MAs), plus an MC (on controller as shown) Handles roaming across SPG (L2 / L3)MA MCSPG C MAMAs within an SPG are fully-meshed (auto-created at SPG formation)MAFast Roaming within an SPGMAMultiple SPGs under the control of a single MC form a Sub-DomainHandles roaming across MG (L2 / L3)RF Management (RRM) and Key Distribution for Fast RoamingOne Mobility Coordinator (MC) manages the RRM for entire GroupFast Roams are limited to Mobility Group member MCsSPG DMade up of Multiple Mobility Coordinators (MC)Sub-Domain 226 2012 Cisco and/or its affiliates. All rights reserved.MA26 Cisco Unified Access Deployment 27. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionService BlockISEMONCS MCMC AP27APMaintains Client DB of clients across multiple Mobility Coordinators (MCs)MAFurther enhances scalability and performance by coordinating Inter-MC roams (removes need for N2 communications between MCs, improves client join performance) MATop level in the MA/MC/MO Hierarchy - OptionalCan be a Software-Upgraded WiSM2, 5508 or 5760 ControllerMAAPCisco Unified Access Deployment 28. 
AgendaCisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further Distribution Unified Access Deployment Solution Overview Existing Wireless Deployment Architecture Refresher The Unified Access Deployment in Detail - Components of the Deployment Hardware and Software - Components of the Deployment Terminology and Building Blocks - Unified Access Deployment Traffic Flows and Roaming - Unified Access Deployment High Availability- Unified Access Deployment IP Addressing - Unified Access Design Options, Greenfield - Small Branch, Larger Branch, and Campus - Migration Options Evolving to a Unified Access Solution Summary 28 2012 Cisco and/or its affiliates. All rights reserved.28 29. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionPoint of Presence (PoP) vs. Point of Attachment (PoA) MCMAMAPoA AP29 2012 Cisco and/or its affiliates. All rights reserved.APAPBefore a user roams, PoP and PoA are in the same placeNote for the purposes of illustratingMAPoPPoA is where the wireless user has roamed to while mobile SPGPoP is where the wireless user is seen to be within the wired portion of the networkIf users associate and remain stationary, this is their traffic flowroaming, we are showing the purple connections herein that indicate the connections between the MAs and their corresponding MC for the Switch Peer Group (or Groups) involved on each slide notice that, in this example, the traffic does NOT flow through the MC 29 Cisco Unified Access Deployment 30. 
Notice how the UA switch stack shown is an MC (as well as an MA) in a branch such as this with 50 APs or less, no discrete controller is necessarily required Central LocationMCISEMA NCS CAPWAP tunnel to Guest AnchorWANGuest Anchor DMZCAPWAP tunnels control and data pathMCUA Switch MA PoPPoARoaming across Stack (small branch)Roaming, Single UA Switch Stack In this example, the user roams within their UA-based switch stack for a small Branch site, this may be the only type of roam Roaming within a stack does not change the users PoP or PoA since the stack implements a single MA (redundant within the stack), and thus a user that roams to another AP serviced by the same stack does not cause a PoA move (PoA stays local to the stack)30 2012 Cisco and/or its affiliates. All rights reserved.30 Cisco Unified Access Deployment 31. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionCentral LocationISENCS CAPWAP tunnel to Guest Anchor MCWANPoPMAGuest AnchorDMZ CAPWAP tunnels control and data pathMCPoAMAA Overview of Roaming with Guest / Mobility Anchors, in the Context of PoP and PoA When using Guest / Mobility Anchors, all Guest traffic has its PoP set to the uplink of the Mobility Anchor controller while the users PoA moves within the network as they roam This is always the case for user traffic that is anchored to another controller within the network and always has been this is inherent to how Mobility Anchors work 31 2012 Cisco and/or its affiliates. All rights reserved.31 Cisco Unified Access Deployment 32. 
Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionRoaming across StacksRoaming, Within a Switch Peer Group (Branch) uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application (larger branch)Now, lets examine a roam at a larger branch, with multiple UA-based switch stacks joined together via a distribution layerIn this example, the larger Branch site consists of a single Switch Peer Group and the user roams within that SPG again, at a larger Branch such as this, this may be the only type of roamCLI exampleSPG MCMAPoPMAMAThe user may or may not have roamed across an L3 boundary (also Prime if possible) (depends on wired setup) however, users are always* taken back to their PoP for policy applicationPoAAgain, notice how the UA switch stack on the left is an MC (as well as an MA) in this picture in a larger branch such as this with 50 APs or less, no discrete controller is necessarily required 32 2012 Cisco and/or its affiliates. All rights reserved.* Adjustable via setting, may be useful for L2 roams (detailed on following slide)32 Cisco Unified Access Deployment 33. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionRoaming within an SPGMCuRPF, Symmetrical Routing, NetFlow, Stateful Policy Application (L3 behaviour and default L2 behaviour)MAPoP33 2012 Cisco and/or its affiliates. All rights reserved.MAMANote the traffic in this most common type of roam did not have to be transported back to, or via, the MC (controller) servicing the Switch Peer Group it stayed local to the SPG only (i.e. 
under the distribution layer in this example not back through the core)* Adjustable via setting, may be useful for L2 roams (detailed on following slide)Now, lets examine a few different types of user roamsSPGPoARoaming, Within an SPG (Campus) In this example, the user roams within their Switch Peer Group since SPGs are typically formed around floors or other geographicallyclose areas, this is the most likely and most common type of roam The user may or may not have roamed across an L3 boundary (depends on wired setup) however, users are always* taken back to their PoP for policy application 33 Cisco Unified Access Deployment 34. WiSM2s / 5508s / 5760sMCMAMCConverged policies and services for wired and wireless usersMAPSTNCUCMTraffic Flows, Comparison (Unified Access) Traffic does not flow via MCsMore efficient since traffic flows are localized to the UA switch Performance IncreaseSPG PoPWired and wireless policies implemented on UA switch 34 2012 Cisco and/or its affiliates. All rights reserved.PoANow, our VoIP user is on a Cisco Unified Access network, and is again making a call from a wireless handset to a wired handset We can see that all of the users traffic is localized to their Peer Group, below the distribution layer, in both directions In this example, a total of 1 hop is incurred for each direction of the traffic path (assuming no roaming) two additional hops may be incurred for routing 34 Cisco Unified Access Deployment 35. Cisco Confidential WiSM2s / 5508s / 5760sMCConverged policies and services for wired and wireless usersMCPSTNCUCMFor Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionTraffic Flows, Comparison (Unified Access) Traffic still does not flow via MCsMore efficient since traffic flows are still localized to the SPG Performance & ScalabilitySPG MA PoPWired and wireless policies implemented on UA switch 35 2012 Cisco and/or its affiliates. 
All rights reserved.PoAMAMAMANow, our VoIP user on the Cisco Unified Access network roams, while a call is in progress between the wireless and wired handsets We can see that all of the users traffic is still localized to their Peer Group, below the distribution layer, in both directions In this example, a total of 3 hops is incurred for each direction of the traffic path (assuming intra-SPG roaming) two additional hops may be incurred for routing 35 Cisco Unified Access Deployment 36. Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionRoaming, Across SPGs (Campus) MCuRPF, Symmetrical Routing, NetFlow, Stateful Policy Application Roaming across SPGs (L3 separation assumed at access layer)SPGSPG MAMAMAMAMAMANow, lets examine a few different types of user roams In this example, the user roams across Switch Peer Groups since SPGs are typically formed around floors or other geographically-close areas, this type of roam is possible, but less likely than roaming within an SPGPoP PoA36 2012 Cisco and/or its affiliates. All rights reserved.* Adjustable via setting, may be useful for L2 roams (detailed on following slide)Typically, this type of roam will take place across an L3 boundary (depends on wired setup) however, users are always* taken back to their PoP for policy application 36 Cisco Unified Access Architecture 37. 
Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionMCuRPF, Symmetrical Routing, NetFlow, Stateful Policy Application Roaming, Across SPGs and MCs (Campus) MC Roaming across Controllers (L3 separation assumed at access layer)SPGSPG MAMAMAMAMAIn this example, the user roams across Switch Peer Groups and Controllers (within the same Mobility Group) again, this type of roam is possible, but less likely than intra-SPG roamingMAPoPTypically, this type of roam will take place across an L3 boundary (depends on wired setup) however, users are always* taken back to their PoP for policy applicationPoA37 2012 Cisco and/or its affiliates. All rights reserved.Now, lets examine a few different types of user roams* Adjustable via setting, may be useful for L2 roams (detailed on following slide)37 Cisco Unified Access Architecture 38. MCRoaming, Across SPGs (Layer 2) MCLayer 2 ExtensionRoaming across networkNow, lets examine a few different types of user roamsIn this example, the user roams across Switch Peer Groups and Controllers (within the same Mobility Group) but in this case, we have Layer 2 extended across the network(L2 separation across access layer in this example) SPGSPG MAMAMAPoP PoA38 2012 Cisco and/or its affiliates. All rights reserved.Policy moves with user move follows PoPMAMAMAThis would not be typical of most Enterprise wired deployments however, if this setup is present, an available setting allows for L2 roaming (move of both PoP and PoA) 38 Cisco Unified Access Deployment 39. 
Cisco Confidential For Cisco-Internal use only, at October 2012 BN SEVT, Not for Further DistributionAs Noted When a user roams in a L2 environment, an optional setting allows for both the users PoA and PoP to move.The benefits that accrue to a PoP move for an L2 user roam are reduced end-to-end traffic latency for the user (less traffic hops), as well as a reduction of state held within the network (as the user needs to be kept track of only at the roamed-to switch). PGThe drawback to a PoP move for an L2 user roam are likely increased roam times, as user policy may be retrieved from the AAA server, and applied at the roamed-to switch. The combination of these two elements may introduce a level of non-deterministic behaviour into the roam times if this option is used.! "#! "#! "#PoP PoADefault Behaviour Policy movesL2 Roams Disabled by default, all roams (whether across an L3 boundary or not) with user move follows PoP carry the users traffic from their roamed-to switch (where the users PoA has moved to), back to the original switch the user associated through (where the users PoP remains). In this case, the users policy application point remains fixed, and roam times are more deterministic.This may also reduce the load on the AAA server during user roams, as policy may not need to be retrieved, and PKC within the Switch Peer Group can take care of crypto key distribution.However, if desired, this behaviour can be modified via a setting to allow for an L2 roam assuming the network topology involved allows for the 39 39 2012 Cisco and/or its affiliates. All rights reserved. Cisco Unified Access Deployment appropriate Layer 2 extension across the network. 40. 
40. UA 3850 as MC
- As we saw previously, we can also optionally use a UA 3850 switch as an MC plus co-located MA for a Switch Peer Group. Let's explore this in more detail.
- Single UA 3850 MC supported per Switch Peer Group
- A single UA 3850 MC can handle up to 50 APs and 2,000 clients total; therefore, up to 50 APs and 2,000 clients per UA 3850-based Switch Peer Group
- More scalable MC capability can be provided by 5760 / WiSM2
- MC handles inter-SPG roaming, RRM, CleanAir, Rogue Detection, Guest, etc.
- But what if we want to scale larger, without implementing 5760 / WiSM2? Is this possible?
[Diagram: Guest Anchor, ISE and NCS above an SPG in which one UA 3850 stack acts as MC/MA and the other stacks as MAs]

41. Switch Peer Group / Mobility Group Scaling with UA 3850
- Up to 8 x UA 3850 MCs can be formed into a Mobility Group
- Up to 250 APs total and 16,000 clients supported (maximum) across a Mobility Group made up solely of UA 3850 switches
- Guest tunneling is per MC to the Guest Anchor controller
- Licensing is per MC, not pooled across MCs
- RRM, CleanAir, Rogue Detection, etc. are coordinated across the MCs in the same Mobility Group
- Full mesh of MCs across the Mobility Group
[Diagram: Guest Anchor, ISE and NCS above a Mobility Group of several SPGs, each with one UA 3850 MC and its MAs; the MCs are fully meshed]

42. Background
- Many larger designs (such as most Campuses) will likely utilize a discrete controller, or group of controllers, as MCs. Combined with UA 3850 switches as MAs, this likely provides the most scalable design option for a larger network build.
- However, if using UA 3850 switches as MCs for smaller builds, and with the scaling limits detailed on the previous slide in mind, we need to determine where to best use this capability.
- Pros: CapEx cost savings via the elimination of a controller-as-MC in some designs (typically, smaller use cases and deployments). Cost also needs to take into consideration licensing on UA 3850 switches (TBD).
- Cons: OpEx complexity, due to some additional complexity that comes into roaming situations when using multiple UA switch-based MCs (as detailed in the following slides). While not insurmountable, this does need to be factored in as part of the decision process.
- Roaming details provided on the following slides
- Conclusion: In smaller designs (such as branches), the use of UA 3850 switches as MCs is likely workable. In mid-sized designs, this may also be workable, but does lead to some additional roaming considerations (as detailed on the following slides). In large campus deployments, the use of controllers as MCs is more likely, due to economies of scale.
43. Roaming, within a Stack (UA Switches as MCs)
- Initially, all clients in this example are on their initial, local UA switches
- Now, a client roams, and we see the resulting traffic topology
- Roaming within a stack does not change the user's PoP or PoA, since the stack implements a single MA (redundant within the stack); thus a user that roams to another AP serviced by the same stack does not cause a PoA move
- No change to the user's PoP or PoA: uRPF, Symmetrical Routing, NetFlow, Stateful Policy Application (also Prime if possible)
- CLI example (not reproduced)
- Scalability: max of 8 x UA 3850 switches as MCs, grouped into a Mobility Group; 250 APs total across all UA 3850 MCs; max. 50 APs per UA 3850 stack / SPG
[Diagram: Guest Anchor, ISE and NCS above a Mobility Group of two SPGs; PoP and PoA both on the same stack]

44. Roaming, within a Switch Peer Group (UA Switches as MCs)
- Now, the client roams to an AP serviced by another switch stack (within the same SPG)
- Let's examine the resulting traffic topology
- The user has moved between MAs (switch stacks). To maintain consistency of user connectivity (IP address) and policy application, the user's traffic is transported to the MA that the user associated with initially (i.e. the user's PoA moved, but their PoP stayed static)
- Most common roaming case
- Scalability: max of 8 x UA 3850 switches as MCs, grouped into a Mobility Group; 250 APs total across all UA 3850 MCs; max. 50 APs per UA 3850 stack / SPG
[Diagram: same Mobility Group; PoA on the roamed-to stack, PoP on the original stack within the same SPG]
45. Roaming, across Switch Peer Groups (UA Switches as MCs)
- Now, let's examine a more complex roam, where the user roams across SPGs
- In this example the user roams to a separate SPG, onto the stack serving as MC for that SPG
- The user has moved between SPGs, so their traffic needs to be transported back to their PoP, which has remained static. It does so by transiting between the two MCs servicing these two Switch Peer Groups (MCs are fully meshed within the MG)
- Roaming between PGs (geographically separated)
- Scalability: max of 8 x UA 3850 switches as MCs, grouped into a Mobility Group; 250 APs total across all UA 3850 MCs; max. 50 APs per UA 3850 stack / SPG
[Diagram: Guest Anchor, ISE and NCS above a Mobility Group of two SPGs; PoA on the MC stack of the second SPG, PoP on the original stack in the first SPG]

46. Roaming, across Switch Peer Groups and MCs (UA Switches as MCs)
- Now, let's examine the most complex type of roam: across SPGs and MCs / MAs
- Remember, these types of roams are likely to be a minority case in most deployments
- The user has moved between MAs, MCs, and SPGs, and their traffic takes the path shown since, again, their PoP has remained static while the PoA moved as the user roamed (maintains user IP address, maintains consistency of policy application)
- Roaming between SPGs and MCs (geographically separated)
- Scalability: max of 8 x UA 3850 switches as MCs, grouped into a Mobility Group; 250 APs total across all UA 3850 MCs; max. 50 APs per UA 3850 stack / SPG
[Diagram: same Mobility Group; PoA on an MA stack in the second SPG, PoP on the original stack in the first SPG, traffic transiting both MCs]
47. What happens when ...
- Everyone enters the building via a common lobby
- APs in that lobby are controlled by one UA switch stack
- All the users, and their traffic, get pinned to that switch, causing issues for traffic load, switch load, DHCP pool exhaustion, etc.
- Many users could end up staying in the lobby logically
- Scalability: max of 8 x UA 3850 switches as MCs, grouped into a Mobility Group; 250 APs total across all UA 3850 MCs; max. 50 APs per UA 3850 stack
[Diagram: Mobility Group of two SPGs; the lobby area stack holds the PoP for many users whose PoA has moved elsewhere]

48. What can we do to address this issue?
- User client associations get distributed across UA switches in the Switch Peer Group
- User load info is constantly shared within the SPG with a heartbeat (10s default, adjustable 1s-30s)
- At 50% client load, the lobby UA switch distributes incoming client association requests to its Switch Peer Group members; the client is anchored based on reported client load
- Addresses traffic load, switch load, DHCP pool exhaustion, etc.
- The client will be anchored to the middle UA stack, as it reported that it had fewer clients associated
[Diagram: lobby area stack at 50% load; the PoP for a new client is placed on the middle stack of the SPG while the PoA stays on the lobby stack]

49. Mobility Domain scaling with 5760 MCs
- Legend: MA = Mobility Agent, MC = Mobility Coordinator, SPG = Switch Peer Group, SD = Sub-Domain
- 1 MC = 1 SD; up to 50 APs, up to 2K clients, up to 50 GB I/O for AP traffic
- Up to 16 MAs in an SPG; up to 64 SPGs in an SD; up to 350 MAs per MC; up to 1K APs in an SD; up to 12K clients; up to 1 TB I/O for AP traffic
- 72 Mobility SDs in a MD; up to 25,200 MAs per MD; up to 72K APs; up to 864K clients; up to 72 TB I/O for AP traffic
[Diagram: Mobility Domain of Sub-Domains 1 to 8 (and beyond), each a 5760 MC/MO with SPGs 1 to N of 3850 MAs (MA-1 to MA-16 per SPG, MA 1~4, MA 6~8, MA 13~16, MA 346~350)]

50. Mobility Domain scaling with UA 3850 MCs
- Legend: MA = Mobility Agent, MC = Mobility Coordinator, SPG = Switch Peer Group, SD = Sub-Domain
- 1 MC = 1 SD; up to 50 APs, up to 2K clients, up to 50 GB I/O for AP traffic
- Up to 16 MAs in an SPG; up to 8 SPGs in an SD; up to 16 MAs per MC; up to 50 APs; up to 2K clients; up to 250 GB I/O for AP traffic
- Up to 8 SDs in an MD; up to 128 MAs per MD; up to 250 APs; up to 16K clients; up to 250 GB I/O for AP traffic
[Diagram: Mobility Domain of Sub-Domains 1 to 8, each a UA 3850 MC with SPGs 1 to 8 of UA 3850 MAs (MA-1 to MA-16 per SPG, MA 1~2, MA 3~4, MA 13~16, MA 15~16)]

51. Agenda
- Unified Access Deployment Solution Overview
- Existing Wireless Deployment Architecture Refresher
- The Unified Access Deployment in Detail
  - Components of the Deployment: Hardware and Software
  - Components of the Deployment: Terminology and Building Blocks
  - Unified Access Deployment Traffic Flows and Roaming
  - Unified Access Deployment High Availability
  - Unified Access Deployment IP Addressing
  - Unified Access Design Options, Greenfield: Small Branch, Larger Branch, and Campus
  - Migration Options: Evolving to a Unified Access Solution
- Summary
52. (Placeholder) Revise HA section (addition of 4-5 slides) to show the following
- Additional details on intra-stack UA 3850 HA and failover / recovery
- Additional details on AP SSO, Client SSO (FCS++)
- Impact of software upgrades, AP pre-image download
- Document results from HA testing in PoC Lab

53. Examining traffic topologies
- Let's now examine a second client roam, with a subsequent MC failover within a stack (failure of the MC switch in a UA stack, for a Switch Peer Group)
- First, the traffic topology after the roam, as we saw before
- Again, this traffic pattern is normal for all of the reasons stated previously (default behavior)
[Diagram: Guest Anchor, ISE and NCS above a Mobility Group of two SPGs; PoA on the roamed-to MA, PoP on the original stack]

54. Examining state within the stack (for MC)
- Let's now examine the state maintained by the MC within a stack, and see what redundancy we provide for this
[Diagram: the MC stack shown with a Master (M) and Standby (S) member, labelled MA/MC]

55. MC state within the stack
- Tunnel State is synced between the Master and Standby member in the stack
- Tunnel States are inactive on the Standby member
- CLI example (not reproduced)
[Diagram: Master and Standby members of the MA/MC stack, each holding AP, Guest, MC2MA, Inter-MC and SPG tunnel state]
56. MC goes down in stack
- Standby MC must now become Master
- So what are the impacts to local users, and to roamed users?
- Local client re-auths, re-DHCPs
- Roamed client re-auths, re-DHCPs, becomes local
- No impact to existing clients on MAs
[Diagram: the MC stack's Master member fails and the Standby member takes over; PoP and PoA markers for a local and a roamed client]

57. Switch Peer Group Fault Tolerance with UA 3850
- If a UA 3850-based MC is down in a Switch Peer Group:
- Roaming within a Switch Peer Group still works
- Roaming between Switch Peer Groups does not work
- PMKs (via PKC) will not be distributed if the MC is down, so no Fast Roaming for new clients until the MC is restored
[Diagram labels: Stack totally down ("Blowed up real good"); no PMK, no fast roam; Client roams seamlessly (within the SPG); Client re-auths, re-DHCPs, becomes local (between SPGs)]

58. Switch Peer Group Fault Tolerance with UA 3850
- If a UA 3850-based MC is down in a Switch Peer Group:
- When the MC is down, RRM, CleanAir, Rogue Detection, and Guest Access (guest tunneling) do not operate within the affected Switch Peer Group; other Switch Peer Groups are unaffected, however
[Diagram labels: Stack totally down; Guest access down (affected SPG); Guest access up (other SPG)]
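The roam cases on slides 43 to 48 and the MC-down behaviour on slides 56 to 58, as an added Python model that is not part of the Cisco deck: it classifies a roam, decides whether the PoP and PoA move, traces the path the user's traffic takes back to the PoP, and applies the 50% lobby load-distribution rule. Stack names, the SPG layout and the per-stack client capacity passed to `anchor_for_new_client` are constructed for illustration; the 8-MC limit and the 50% threshold are the deck's figures.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Stack:
    """One UA 3850 switch stack: a single, stack-redundant Mobility Agent (MA)."""
    name: str
    spg: str                 # Switch Peer Group this stack belongs to
    hosts_mc: bool = False   # the one stack per SPG that also runs the MC


@dataclass
class Client:
    mac: str
    pop: Stack           # Point of Presence: IP address and policy anchored here
    poa: Stack           # Point of Attachment: stack serving the current AP
    pmk_shared: bool     # PMK pushed via PKC; needs the SPG's MC up at join time


@dataclass
class RoamResult:
    roam_type: str           # "intra-stack", "intra-SPG" or "inter-SPG"
    pop_moved: bool
    poa_moved: bool
    traffic_path: List[str]  # stacks the client's traffic crosses, PoA first
    policy_from_aaa: bool    # policy re-fetched at the roamed-to switch (L2 roam)
    reassociate: bool        # client re-auths, re-DHCPs and becomes local
    fast_roam: bool          # PMK already present, so no full 802.1X exchange


class MobilityGroup:
    """Mobility Group built only from UA 3850 stacks: one MC per SPG, full mesh."""
    MAX_MCS = 8   # slide 41: up to 8 x UA 3850 MCs per Mobility Group

    def __init__(self, stacks: List[Stack]):
        self.mc_of: Dict[str, Stack] = {s.spg: s for s in stacks if s.hosts_mc}
        if len(self.mc_of) > self.MAX_MCS:
            raise ValueError("at most 8 UA 3850 MCs per Mobility Group")
        self.mc_up: Dict[str, bool] = {spg: True for spg in self.mc_of}

    def join(self, mac: str, stack: Stack) -> Client:
        """New association: PoP = PoA = serving stack; PKC only if the MC is up."""
        return Client(mac, stack, stack, pmk_shared=self.mc_up[stack.spg])

    @staticmethod
    def classify(src: Stack, dst: Stack) -> str:
        if src.name == dst.name:
            return "intra-stack"
        return "intra-SPG" if src.spg == dst.spg else "inter-SPG"

    def roam(self, c: Client, dst: Stack, l2_roam: bool = False) -> RoamResult:
        kind = self.classify(c.poa, dst)
        if kind == "intra-stack":
            # Same MA serves the new AP (slide 43): nothing moves.
            return RoamResult(kind, False, False, [c.pop.name], False, False, True)
        needs_mc_transit = dst.spg != c.pop.spg
        if needs_mc_transit and not (self.mc_up[c.pop.spg] and self.mc_up[dst.spg]):
            # Slide 57: inter-SPG roaming fails with an MC down; the client
            # re-auths, re-DHCPs and becomes local at the roamed-to stack.
            c.pop = c.poa = dst
            c.pmk_shared = self.mc_up[dst.spg]
            return RoamResult(kind, True, True, [dst.name], False, True, False)
        fast = c.pmk_shared
        c.poa = dst
        if l2_roam:
            # Slide 39 optional setting: PoP follows the client and policy is
            # re-fetched from AAA at the new switch, so roam time is less predictable.
            c.pop = dst
            return RoamResult(kind, True, True, [dst.name], True, False, fast)
        # Default: PoA moves, PoP stays, traffic is carried back to the PoP
        # (MA-to-MA inside an SPG, or via the two meshed MCs across SPGs).
        if needs_mc_transit:
            raw = [dst.name, self.mc_of[dst.spg].name,
                   self.mc_of[c.pop.spg].name, c.pop.name]
        else:
            raw = [dst.name, c.pop.name]
        path = [h for i, h in enumerate(raw) if i == 0 or h != raw[i - 1]]
        return RoamResult(kind, False, True, path, False, False, fast)


def anchor_for_new_client(lobby: Stack, spg_load: Dict[str, int],
                          capacity: int, threshold: float = 0.5) -> str:
    """Slide 48: once the lobby stack reaches 50% client load, new associations
    are anchored on the SPG member that reported the fewest clients.
    capacity is the per-stack client limit assumed for this example."""
    if spg_load[lobby.name] < threshold * capacity:
        return lobby.name
    return min(spg_load, key=spg_load.__getitem__)
```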
59. Agenda (repeated): Unified Access Deployment IP Addressing

60. (Placeholder) Insert slides (6-8 total) to discuss the following topic areas, related to UA deployment IP addressing
- Recommendations for wired and wireless management VLANs
- Recommendations for separate / mixed wired and wireless client VLANs
- Client or OS issues relating to mixed subnets?
- Recommendations on VLAN sizing for wireless
- Recommendations on VLAN spanning for L2 roams
- Document results from setups in PoC Lab
- Best practice recommendations, with reference to current SBA designs (if possible within the October timeframe)
61. Agenda (repeated): Unified Access Design Options, Greenfield

62. Likely the most common deployment at FCS
- Characteristics:
- May be a lower-speed WAN link (bandwidth and latency a concern only for Guest traffic)
- Deployment could consist of multiple stacks: one stack as MC/MA, rest of stacks as MAs only
- Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
- Supports Layer 3 roaming
- Supports VideoStream and optimized multicast
- Good availability due to MA/MC redundancy within the UA stack; provides wireless continuity with either WAN outage or switch failure within the UA stack
[Diagram: Central Location with ISE, NCS and Guest Anchor(s) in the DMZ, reached over the WAN; a single UA switch stack at the branch; CAPWAP tunnels carry control and data path]

63. Applicable to a Smaller Branch with Several Wiring Closets
- Likely the most common deployment at FCS
- Characteristics:
- Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
- No discrete controllers deployed, even with multiple wiring closets
- Supports Layer 3 roaming
- Supports VideoStream and optimized multicast
- Good availability due to MA/MC redundancy within the UA stacks; provides wireless continuity with either WAN outage or switch failure within the UA stack
[Diagram: Central Location with ISE, NCS and Guest Anchor(s) in the DMZ over the WAN; one Switch Peer Group at the branch with an MC stack and several MA stacks]

64. Applicable to a Larger Branch with Multiple Wiring Closets
- Characteristics:
- Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
- Supports Layer 3 roaming
- No discrete controllers deployed, even at a larger branch
- Supports VideoStream and optimized multicast
- Good availability due to MA/MC redundancy within the UA stacks; provides wireless continuity with either WAN outage or switch failure within the UA stack
[Diagram: Central Location with ISE, NCS and Guest Anchor(s) in the DMZ over the WAN; several Switch Peer Groups, each with an MC stack and MA stacks, forming one Mobility Group]

65. Applicable to a Larger Branch or Small Campus
- Characteristics:
- 5760 / WiSM2 / 5508 as MC
- Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers); provides wireless continuity with either WAN outage or switch / controller failure
- Supports Layer 3 roaming, VideoStream, and optimized multicast
- Simplified Mobility deployment vs. the use of UA switches as MCs / MAs
- Allows for Advanced QoS, WAN optimization, NetFlow, and other services for wireless and wired traffic
- Greater scalability via the use of discrete controllers as MCs, in conjunction with UA switches as MAs
[Diagram: Central Location with ISE, NCS and Guest Anchor(s) in the DMZ over the WAN; redundant controllers as MCs above Switch Peer Groups of UA MA stacks, forming one Mobility Group]

66. Applicable to a Small Campus (with interbuilding wireless coverage)
- Scalability: up to 8 UA 3850 MCs, up to 250 APs total (with inter-distribution roaming)
- Characteristics:
- Supports roaming between distribution layers; keeps many roams localized below the distribution layer
- Supports Layer 3 roaming
- Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
- No discrete controllers deployed, even at a small Campus
- Good availability due to MC/MA redundancy within the UA stacks; moderately scalable using UA 3850s (up to 8 in total) as MCs, combined with a single Mobility Group in the deployment
- Note: MC present per SPG; all SPG MCs meshed into a single Mobility Group for the site. Guest tunnel per MC to Anchor.
[Diagram: Campus / Metro with Data Center hosting ISE, NCS (optional) and Guest Anchors; several distribution layers, each with Switch Peer Groups of UA stacks (MC plus MAs), all in one Mobility Group]

67. May be Applicable to a Small Campus (without any interbuilding wireless coverage)
- Scalability: > 8 UA 3850 MCs, > 250 APs total (without inter-distribution roaming)
- Characteristics:
- No support for roaming across distribution layers (no inter-distribution RF coverage); no inter-MG RF coverage
- Good availability due to MC/MA redundancy within the UA stacks; more scalable using UA 3850s (up to 8 total per Mobility Group) as MCs, combined with multiple Mobility Groups in the deployment
- Supports Layer 3 roaming
- Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
- No discrete controllers deployed, even at a larger Campus
- Note: MC present per SPG; all SPG MCs meshed into multiple Mobility Groups for the site. Guest tunnel per MC to Anchor.
- No inter-distribution roaming: no RRM, no CleanAir, no Rogue Detection across separate Mobility Groups
[Diagram labels: Mobility Group 1 and Mobility Group 2, each with its own SPGs of UA stacks; Client roams seamlessly (within a Mobility Group); Client re-auths, re-DHCPs, becomes local (between Mobility Groups); Data Center with ISE, NCS (optional) and Guest Anchors]

68. Applicable to a Larger Campus
- Characteristics:
- 5760s / WiSM2s / 5508s as Campus Services
- Use of discrete controllers as MCs, combined with UA switches as MAs, provides for a very scalable solution
- Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
- Supports Layer 3 roaming; provides scalability by keeping many roams localized to SPGs (below distribution)
- Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers)
- Simplified Mobility deployment using UA switches as MAs only, vs. the use of UA switches as MCs / MAs
[Diagram: Campus / Metro with Data Center hosting ISE, NCS (optional), Guest Anchors and the controllers acting as MCs; one Mobility Group spanning Switch Peer Groups of UA MA stacks under each distribution layer]
69. Applicable to a Larger Campus (distributed controllers)
- Characteristics:
- Use of discrete controllers as MCs, combined with UA switches as MAs, provides for a very scalable solution
- Use of distributed controllers (vs. centralized in the DC) may be more appropriate in some wireless deployments
- Allows for Advanced QoS, NetFlow, and other services for wireless and wired traffic
- Supports Layer 3 roaming; provides scalability by keeping many roams localized to SPGs (below distribution)
- Good availability due to MA redundancy (UA stacks) and MC redundancy (controllers)
- 5760s / WiSM2s / 5508s as MCs
- Simplified Mobility deployment using UA switches as MAs only, vs. the use of UA switches as MCs / MAs
[Diagram: Campus / Metro with Data Center hosting ISE, NCS (optional) and Guest Anchors; controllers acting as MCs placed at each distribution layer above Switch Peer Groups of UA MA stacks, all in one Mobility Group]

70. Agenda (repeated): Migration Options, Evolving to a Unified Access Solution

71. Prior to Migration to Unified Access: Existing Unified Wireless Deployment today
[Diagram: Data Center / Service block with ISE and NCS; two 5508 / WiSM2 controllers (each MC/MA) in one Mobility Group joined by an EtherIP Mobility Tunnel; CAPWAP tunnels from the APs across the Intranet to the controllers]

72. Initial Migration Step: Controller Upgrades, Implementation of First UA Switches
- Intermediate step
- Software upgrade on the existing 5508 / WiSM2 controllers (MC/MA); 5760 / 5508 / WiSM2 as MO (optional)
- The Mobility Group now uses a CAPWAP Mobility Tunnel between the controllers
- First UA switches deployed as MAs in a Peer Group, with CAPWAP tunnels from their APs
- Be aware that feature differences may exist, based on MA software versions
[Diagram: Data Center / Service block with ISE, NCS and the MO; two upgraded 5508 / WiSM2 controllers; one Peer Group of UA switch MAs]

73. Further Migration Step: Controller Upgrades, Implementation of Additional UA Switches
- Intermediate step
- Controller upgrade: 5508 / WiSM2 replaced by 5760 Controllers as MCs; 5760 / 5508 / WiSM2 as MO (optional)
- Additional UA switches deployed as MAs in further Peer Groups, with CAPWAP tunnels from their APs
- Be aware that feature differences may exist, based on MC platforms and versions
[Diagram: Data Center / Service block with ISE, NCS and the MO; two 5760 Controllers joined by a CAPWAP Mobility Tunnel; two Peer Groups of UA switch MAs]

74. Final Migration Step: Implementation of End-to-End Unified Access Deployment
- Eventual state
- 5760 Controllers as MCs in one Mobility Group, joined by a CAPWAP Mobility Tunnel; 5760 / 5508 / WiSM2 as MO (optional)
- All access provided by UA switches as MAs, grouped into Peer Groups, with CAPWAP tunnels from their APs
[Diagram: Data Center / Service block with ISE, NCS and the MO; two 5760 Controllers; several Peer Groups of UA switch MAs across the Intranet]
75. Agenda (repeated): Summary

76. An Evolutionary Advance to Cisco's Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands
- Next-Generation WLAN Controller (5760): control plane functionality on the NG Controller (also possible on upgraded 5508s and WiSM2s for brownfield deployments, or on NG Unified Access switches for small branch deployments)
- Next-Generation Switches (UA 3850s): data plane functionality on NG Switches (also possible on NG Controllers, for deployments in which a centralized approach is preferred)
- Enabled by Cisco's strength in Silicon and Systems: Doppler ASIC

77. With a Next-Generation Deployment and Solution
- An Evolutionary Advance to Cisco's Wired + Wireless Portfolio, to address device and bandwidth scale, and services demands
[Diagram: Cisco Unified Access Deployment as a Mobility Domain with NCS and ISE, containing a Mobility Group of Peer Groups of UA switches]