Brkewn 2016 PDF

Design and Deployment of
Wireless for Branch and

Remote Offices
Wireless Branch Office Design
Sarath Gorthi
Technical Marketing Engineer, EN
BRKEWB-2016
Agenda
• Wireless Controller and Access Point Portfolio

• Branch Design Options
• Flex connect Architecture
• Resiliency, Segmentation & Security
• Provision and Operate Wireless Branch over WAN
• Deploying Branches Office using EWC
BRKEWN-2016 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Wireless Controller
and Access Point
Portfolio
Catalyst 9800 Wireless Controller
Deploy at any scale
Catalyst 9800-80
6000 APs, 64K clients
80 Gbps
Catalyst 9800-40
2000 Aps, 32K Clients,
40 Gbps
Catalyst 9800-CL
1000, 3000 or 6000 APs
10K, 32K or 64K Clients
Catalyst 9800-L
250 APs, 5K Clients,
5 Gbps
Catalyst 9800
Embedded Wireless**
200 APs, 4K Clients
Catalyst 9800
Embedded Wireless* Catalyst 9800-CL
100 APs, 2K Clients 1000 APs, 10K Clients *Supports Local Switching only
**SD-Access only
^Catalyst 9800 for Public cloud FlexConnect only
Up to 100 APs Up to 250 APs Up to 1000 APs Up to 3000 APs Up to 6000 APs
Distributed Branch & Small Campus Medium Campus Large Campus

New Cisco Catalyst 9100 Series access points
Ideal for small to medium-sized deployments Mission critical and scale deployment
Powered by Powered by
Cisco RF ASIC Cisco RF ASIC
9115AX 9117AX 9120AX 9130AX

• 4x4 + 4x4 • 8x8 + 4x4 • 4x4 + 4x4 • 8x8 + 4x4; 4x4 + 4x4 + 4x4
• MU-MIMO, OFDMA • MU-MIMO, OFDMA (only • Cisco RF ASIC for • Tri-radio: Dual 5GHz + 2.4GHz
DL) Next Gen CleanAir • Cisco RF ASIC for Next gen CleanAir
• Spectrum Intelligence
• Full iCap with data packets
• 1 x 2.5 mGig • Spectrum intelligence • Dual 5GHz, Next Gen HDX
• Dual 5GHz, Next Gen HDX
• TWT • 1 x 5 mGig • RF signature capture
• RF signature capture, TWT
• TWT • IoT ready (Zigbee) • Smart Antennas supporting up to 8x8
• Integrated Antenna only • Application Hosting • IoT ready (Zigbee)
• 1 x 2.5 mGig • Application Hosting
• TWT • 1 x 5 mGig
• First 8x8 AP with external antennas
Cisco DNA Assurance with iCAP Bluetooth 5 USB Integrated or external antenna SKUs
Branch Design Options
Branch Design Considerations
Central Traffic
WAN Bandwidth
Resiliency Security
Central IT
Lean IT
Cloud Policies Video Streaming
NAT Guest
Services Radius Branches Guest Portals
BYOD
SP Managed
Branch Wireless Design Options
Dedicated Local Embedded Local Remote
Controller Controller Controller
Local Controller Embedded Controller Options Flex Connect
BRANCH BRANCH
WLC
` WAN
• Single/Multi site networks
• Low IT footprints
` `
Single or Multi-Site FlexConnect

Local WLAN Controller Single/Multi-site networks Controller running in Data Center
Low IT footprints Distributed Network
Controller running on AP or Switch Highly Scalable
Cisco DNA
Center
Policy Automation Assurance Security ISE CMX
Branch Office with dedicated WLAN Controller
Central Site
Backup WLC
• Branches can have Local Controllers

• Small or mid branch WLC 9800-L , 9800-CL
(NFVIS or Virtual)
CAPWAP
WAN
• Layer-3 roaming with controller in each branch
• Full local control, no dependency on WAN
• WLC at each site, higher Capital Costs

WLC 9800-L WLC 9800-L WLC 9800-L
• Higher OpEX costs
` ` ` ` ` `
Remote Site A Remote Site B Remote Site C
Branch Office with Embedded WLAN Controller
Catalyst 9800 for Catalyst Switch Catalyst 9800 for Catalyst Access Point
• Branches can have Local embedded Controllers
Scale to 200 APs and 4,000 Clients Scale to 100 APs and 2000 Clients • No Separate Appliance
SDA Fabric FlexConnect Local Switching
Supported on Catalyst 9300, 9400 Support on Catalyst 9100 Series
and 9500 Series switches access points
• Full local control, no dependency on WAN

Branch Site Branch Site • Cookie Cutter configuration for each branch
B C
E
• Embedded controller on Cat9k switch is SDA
Fabric only
• Embedded controller on AP is local switching
only
Controller on C9k Switch Controller on AP
Branch Office with Flex Connect (Remote Controller)
Central Site
Data Center
WLC
• Wireless Controller is at a central site managing

AP’s across sites/branches
• Clients in branch roam independently
Capwap Control
Local Data
• Each site can have up to 100 AP’s in a Flex
WAN
connect group
• Client data is switched locally in the branch
• Supports standalone mode operations
• Highly Scalable
• Central management
• Supports optional central switching
` ` ` ` ` `
Remote Site A Remote Site B Remote Site C
Designing and Deployment
using FlexConnect
Introducing FlexConnect Central Site
Radius
Controller
Cluster
• Ease of Management via Controller
Central
• CAPWAP management and data plane are split: Switching
• Central Switching (SSID data traffic sent to WLC) WAN
• Local Switching (SSID data traffic sent to local VLAN)
• Two modes of operation from AP perspective:

• Connected (when WLC is reachable)
• Standalone (when WLC is not reachable)
Local
Switching
FlexConnect Glossary
When FlexConnect AP can reach Controller, it

01 Connected Mode gets help from controller to complete client
authentication
When FlexConnect AP cannot reach
02 Standalone Mode Controller, it goes into standalone mode

and does client authentication by itself
Data traffic is tunneled back to

03 Central Switching WLC for an SSID
Data traffic is switched

04 Local Switching onto local VLANs for an
SSID
Configuring
FlexConnect Local
Switching?
Cisco 9800 Catalyst 9800 Config Model
Access Points
Policy Tag RF
RF Tag
WLAN
Profile
Profile
2.4 GHz
RF
Policy
Profile
Profile
5 GHz
• Defines the Broadcast domain (list of • Defines the RF properties of

WLANs to be broadcasted) with the the group of APs
policies of the respective SSIDs
• “Equivalent” to AP Group in AireOS
SiteTag
AP • Defines the properties of the central/remote sites
Profile • Defines the roaming domain for Flex APs
• “Equivalent” to Flex Groups in AireOS but only for Flex APs
• Max Flex APs per site tag is 100 for seamless roaming
Flex
Profile • For local mode APs, there is no limit
Steps to configure FlexConnect Local Switching
STEP 01
Access Point Mode • Configure remote site on the Site Tag
STEP 02
Enable WLAN for Local
• Configure FlexConnect Local Switching on WLAN
Switching
by turning off central switching on policy profile
STEP 03
Create WLAN to • Configure Native VLAN on FlexConnect AP
VLAN mapping • Configure WLAN-VLAN Mapping
Configure FlexConnect mode on Access Point
STEP 01
Access Point Mode
 In Catalyst 9800 series , Access

point can be configured to Flex
Connect by enabling the Flex on
the site and associate AP’s to this
Site
Configure FlexConnect Local Switching on WLAN
STEP 02
Enable WLAN for Local Switching
 Configure the Policy Profile

with Central Switching off
and associate the WLAN
with this policy profile.
 This will allow local
switching of Data Traffic on
FlexConnect Access Point
Configure Native VLAN on AP
STEP 03a
Configure Native VLAN on FlexConnect AP Site and attach to the AP
 When connecting with Native VLAN on AP, L2 switch port must also
match with corresponding Native VLAN configuration on the AP
Configure WLAN to VLAN Mapping
STEP 03b
Configure WLAN-VLAN mapping
 Mapping of WLAN to VLAN can be done as part of the Policy profile .
The same need to be configured on switch port
Demo Time
Site Tag ( Flex Connect)
Understanding Site tag (Flex Connect)
Central Site
WLC
Overview
Each flexconnect site is a group and share the
following in this group
 CCKM/OKC fast roaming keys
 Local/backup RADIUS servers IP/keys WAN
 Local EAP authentication Remote Site Remote Site
 AAA-Override for Local Switching
 Smart Image Upgrade
 FlexConnect AVC
WLC WLC WLC
Scaling
9800-80 9800-40 9800-L
FlexConnect
6000 2000 250
Profiles
FlexConnect Site 1 FlexConnect Site 2
AP per Flex
100 100 100
Group
FlexConnect Groups and CCKM/OKC Keys
Overview Central Site CCKM Keys
RADIUS Server
 CCKM/OKC keys stored on FlexConnect

APs for Layer 2 fast roaming
 The FlexConnect APs receives WAN

CCKM/OKC keys from WLC
 If a FlexConnect AP boots up
in standalone mode, it will not get the
OKC/CCKM keys from the WLC
 FlexConnect supports 802.11r Fast

Transition with local key caching
FlexConnect Group 1 FlexConnect Group 2
Designing a
Resilient Wireless
Branch Network
F@#$?%! Router!!!
FlexConnect Resiliency - WAN Failure
Central Site
WAN Failure
 FlexConnect APs will go to Standalone

mode
 No impact for locally switched SSIDs
 Disconnection of centrally switched WAN
SSIDs clients
 Static authentication keys are locally
Remote Site
stored in FlexConnect AP
 Lost Features Application
Server
 RRM, WIDS, location, other AP modes
 Web authentication, NAC
FlexConnect Resiliency – N+1 HA Scenario
Central Site
WLC Failure scenario with N+1 HA
Secondary Primary
WLC WLC
 FlexConnect APs will go to Standalone mode
 No impact for locally switched SSIDs
 Disconnection of centrally switched SSIDs
clients
WAN
 CCKM roaming allowed in FlexConnect group
Remote Site
 FlexConnect AP will then search
for backup WLC; when backup WLC is found,
Application
FlexConnect AP will resync with WLC and Server
resume client sessions with central traffic
 Client sessions with Local Traffic are not
impacted during resync with Backup WLC
FlexConnect Resiliency – SSO HA Scenario
WLC failure scenario with SSO Central Site

Standby
Active
 True Box to box High Availability i.e. 1:1. Sub-
second failover to StandBy WLC
 Configuration(AP database, Client Run state etc.)
information on Active is synched to Standby WLC
 FlexConnect AP will NOT transition to Standalone WAN
because SSO kicks in
 AP will continue to be in Connected mode with the
Standby (now Active) WLC Application
Server
 Centrally Switched SSID will never go down
Remote Office
FlexConnect – AAA Survivability
Local Backup RADIUS
Central Site
Local Backup RADIUS
Central
 Normal authentication is done centrally RADIUS
 On WAN failure, AP goes to Standalone mode

and authenticates new clients with locally
defined RADIUS server WAN
 Existing connected clients stay connected
Local Backup
RADIUS Remote Site
 Clients can roam with
 CCKM fast roaming, or
 Re-authentication
CCKM Fast Roaming

FlexConnect Group: Local Backup RADIUS
Configuration
Define primary and secondary local backup RADIUS server per FlexConnect group
FlexConnect - Local Authentication
Central Site
Local Authentication Central

RADIUS
 By default FlexConnect AP authenticates

WAN
clients through central controller
Local
 Local Authentication allow use of local RADIUS
Remote Site
RADIUS server directly from the FlexConnect
AP even when WAN is UP
FlexConnect Group
FlexConnect - Local Authentication
Configuration
Segmentation & Security
in Branch Network
Segmentation
FlexConnect AAA VLAN
FlexConnect AAA VLAN Override
Description RADIUS Central Site
 AAA VLAN Override with local or central VLAN 3

authentication QoS = Silver
VLAN 7
 Up to 16 VLANs per FlexConnect AP QoS = Platinum
 VLAN ID must be enabled per AP or FlexConnect WAN

Group
Application
Server
Remote Site
FlexConnect Group
FlexConnect AAA VLAN Override
Configuration IETF 65
IETF 64
IETF 81
WAN
ISE
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
VLAN Based Central Switching Central
Go to Default
VLAN ID
VLAN 3
Overview Central
RADIUS
VLAN 7
• While doing AAA VLAN Override with VLAN 3 does not
local switching: VLAN 7 Exist on this
WLC
• If VLAN ID does not exist at the AP, the
traffic is central switched to the central WAN
VLAN ID
Remote Site
• If the central VLAN ID does not exist, the
traffic is centrally switched to the default
VLAN ID of the WLAN / Policy Profile
VLAN 7
does not
VLAN 3 Exist on
does not this AP
Exist on
this AP
VLAN Based Central Switching
• This can be enabled on the Policy

Profile
• Enable AAA Overide
• Enable VLAN Central switching
AAA Override Deployment Scenario
Problem Statement – Map clients to specific vlans based on their function
Central Site
VLAN 20
WAN
Application
Server
Function VLAN ID
Engineering 11
Marketing 21
Function VLAN ID Sales 31
Engineering 10 Application
Server
Marketing 20
Sales 30
VLAN 20 does
Remote Site A Remote Site B not exist
VLAN Name Mapping at FlexConnect Group /Profile
Flex Group A Central Site Flex Group B
VLAN Name VLAN
VLAN Name VLAN ID VLAN Name VLAN
ID ID
Engineering 10
Engineering 10 Engineering 11
Marketing 20
VLAN Name VLAN
Marketing 20 Marketing 21
Sales ID
30
Sales 30 Sales 31
Engineering 11
. .
. Marketing 21
WAN .
HR 160 Sales 31 HR 161
Remote Site B
Remote Site A
VLAN ID
VLAN ID
11
10 21
20 31
30
VLAN Name AAA Override - Solution
Central Site
Aire-Interface-Name or
IETF Tunnel-Private-Group-ID
VLAN NAME=
Marketing
WAN
Application
Server
Remote Site Remote Site VLAN Name VLAN ID
VLAN 20 Engineering 11
Marketing 21
VLAN Name VLAN ID Sales 31
Engineering 10
Marketing 20
Sales 30
Remote Site A VLAN 21 Remote Site B
Identity PSK
Challenges for Enterprises: Advanced security encryption across all
devices
Simple Operations
Increased demand for Identity security High Scale
IoT devices without 802.1x
Cost Effective
Keys Solution Asks:
Private PSK with RADIUS integration; Per client AAA override (VLAN / ACL, QoS etc)
Cisco Advantage:
Highly scalable identity PSK solution designed for a large multi controller network
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
Identity PSK
✓ PSK WLAN
aabbcc ✓ MAC Filtering
✓ AAA Override
IOT Devices
xxyyzz
Access Point Wireless LAN Controller ISE
Sensors
No+=PSK
Cisco-AVPair attributes
"psk-mode=ascii”
Cisco-AVPair += "psk=aabbcc"
"psk=xxyyzz"
Device MAC Group Private PSK

IOT Devices aabbcc
Sensors xxyyzz
Employees ---
WLAN PSK
Employees © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexConnect ACL
FlexConnect ACL
Overview Central Site
1. Download 2. Apply ACL

ACL on to AP on AP
WAN
 ACL can be applied on WLAN (configured on Policy
Remote Site
Profile)
 ACL can be applied on a VLAN (configured in flex Application
Server
connect profile)
 FlexConnect ACL support AAA-returned Client ACL
ACL – Policy Profile Mapping
• Configuration – Map it to the Policy Profile
• For the ACL to be applied the

ACL needs to be downloaded to
AP
• Any ACL mapped to Policy
Profile mapped to wlan in the
policy tag will be downloaded to
AP Automatically
ACL – VLAN Mapping
• Configuration – Map it to the Flex Connect Profile on
• For the ACL to be applied the

ACL needs to be downloaded to
AP
• Any ACL mapped to VLANs on
Flex connect profile will be
downloaded to AP’s in the flex
connect profile Automatically
Policy ACL
• For a AAA Overide ACL to work on an AP in Flex Connect , the ACL should present on AP
• The ACL is Provisioned on AP

using the Flex Connect Profile
• This is done as part of Policy
ACL configuration on Flex Profile
• MAP the ACL and optionally any
PreAuth FQDN Filters as well to
be downloaded to the AP
• If the ACL Used is a WebAuth
ACL that is returned by AAA
Check the “Central Web Auth”
• Central Web Auth indicates that
deny to be used for redirect and
Permit to Allow
FlexConnect Split
Tunneling
(Using FlexConnect
Split ACL)
FlexConnect ACL – Split Tunneling
Overview
 Split tunneling allow some traffic to be locally switched although the WLAN is defined
as centrally switched
 Split tunneling is using a NAT/PAT feature with ACL to perform the local switching
 Split tunneling is using the AP IP @ for the NAT/PAT feature
FlexConnect AP WLC Central Traffic

CAPWAP
NAT/PAT WAN
ACL
Central Server
Local Traffic
Local Printer
FlexConnect ACL – Split Tunneling
Configuration
• Create a centrally switched

WLAN in policy Profile along
with Central DHCP
• DHCP Required should be
enabled
• Attach ACL in Policy Profile to
match traffic to be locally
switched
• Traffic Permitted will be
switched locally
• Traffic Denied in ACL will be
Switched Centrally
Operating the Wireless Branch
over WAN
Flex Connect Design Considerations
WAN Limitation Apply +

WAN RTT Latency
Deployment Type WAN Bandwidth (Min) Max APs per Branch Max Clients per Branch
(Max)
Data 64 kbps 300 ms 5 25
Data 640 kbps 300 ms 50 1000
Data 1.44 Mbps 1 sec 50 1000
Data+Voice 128 kbps 100 ms 5 25
Data+Voice 1.44 Mbps 100 ms 50 1000
Monitor 64 kbps 2 sec 5 N/A
Monitor 640 kbps 2 sec 50 N/A
It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip
C and 100 ms for Data + Voice deployments.
latency no greater than 300 ms for data deployments
WLC behind NAT
WLC IP
NAT IP
• WLC only supports 1-1 NAT ISE/AAA
Data Center
• External NAP IP must be configured on Wireless Internet
management interface AD
Branch network
• WLC will send the External NAT IP for AP to join .

• CAPWAP data keep alive will be enabled to keep
the tunnel active
• Use this configuration to allows AP join via
• Public NAT IP only
• Private IP Only
• Both Public and Private IP
Branch Office Upgrade
over WAN
Upgrading a FlexConnect Deployment
Concerns
 Sites using FlexConnect AP are usually sites with low WAN bandwidth
 Each site may have small number of AP, but an enterprise may have a lot of branches
 Upgrading ~6000 AP through a low bandwidth WAN is a challenge :

 Time needed to download all the AP firmware
 Exhaust of the WAN link
 Risk of failures during the download
Goal is to minimize downloads over WAN
Efficient AP join (enabled by default) in flex
connect profile
Feature Supported AP models
• Enables an CAPWAP to download the code from another AP in the network as • Supported on all 802.11ax and
long as it is of the same AP family. 802.11ac Wave 2 APs (indoor
and outdoor)
• For example, If you add a 9120AX and a 9115AX is present, code will be
• AP families sharing the same image:
downloaded from the 9115AX
• ap3g3: Aironet® 4800, 3800, 2800,
• This feature minimizes the data sent on WAN at the time of AP join or AP Image 1560 Series
Pre-download • ap1g5: Aironet 1815i,
1815w,1815m,1540, 1840 Series
• WLC elects a master AP in each FlexConnect Group for each Model /Type
• ap1g4: Aironet 1852, 1832
• ap1g7: Catalyst 9115AX,
9120AX Series
• ap1g6: Catalyst 9117AX Series
• ap1g6a: Catalyst 9130AX Series
Not supported on Wave 1 APs
Efficient AP join 16.12
.1
16.12
.2
WAN
M M
16.12
.2 16.12
16.12
16.12 16.12 .2
16.12 .2
.1 .1
.1
Catalyst Aironet Aironet
9115AX 1852i 1815i
Aironet Aironet Catalyst

2802i 1832i 9120AX
M
16.12
16.12 .2 16.12 16.12
16.12 16.12 .2
.1 .2
.1 .1
Works for all 802.11ax and 802.11ac Wave 2 APs
FlexConnect Efficient AP Image Upgrade
FlexConnect Best
Practices
FlexConnect Best Practices
Enable FlexConnect Groups

 Enable FlexConnect Profile
 CCKM/OKC Key sharing for Voice deployments
 VLAN Support and configure Native VLAN at Group
 VLAN-WLAN Mappings at FlexConnect Profile
 VLAN Name override
 Consistent configuration across Primary and Backup WLCs
 Design for Resiliency
 Enable Efficient AP Image Upgrade
Wireless Branch
Deployment
Embedded
Wireless Controller
EWC on Cisco Catalyst access points
Ready for enterprise deployments
Runs 9800 Series Cisco

Modern OS, scalable, open
IOS® XE wireless
and programmable,
controller on Cisco
supports telemetry
Catalyst access points
HA, SMU, adaptive wireless

Supports advanced
IPS (aWIPS), Cisco
enterprise feature set
Umbrella™, NetFlow, ICAP
Use mobile app, WebUI, and

Flexible
Cisco DNA Center to deploy,
management options
manage, and monitor
Migrate access points to

Investment protection controller for more than 100
access points
EWC ready for enterprise branch deployments
Resilient
<10 seconds
Redundancy with active and standby Active to standby switchover SMU (patching) support
controllers running simultaneously in a few seconds for both controller and
on two access points access point
Secure aWIPS,* rogue detection, Walled garden and Cloud-delivered

identification, and mitigation DNS blocking enterprise security with
Cisco Umbrella*
Intelligent, with
IT simplicity Simplified WebUI for monitoring,
provisioning, and day-N operations
Cisco DNA Center
Plug and Play (PnP),
Open standards-based
programmability with
Automation, and Assurance NETCONF and YANG
* Cisco IOS XE 17.1.

EWC: Management options
Cisco DNA Center Standards-based

WebUI or mobile app
(on-premises) interoperability
CI/CD tools
Mobile app for Use app to
iOS and Android deploy, monitor,
devices and manage
Policy Automation Analytics

Feature rich, Wizard-driven SDN controllers Network
yet simple provisioning flows management
systems
Embedded wireless Intent-based

controller network infrastructure
EWC on Cisco Catalyst 9100 access points
Ideal for single or multisite small to medium- Mission critical Best in class
sized enterprise deployments Best suited for high-density enterprise branch deployments
Powered by Powered by
Cisco RF ASIC Cisco RF ASIC
C9115AX-EWC C9117AX-EWC C9120AX-EWC C9130AX-EWC

• 50 APs, 1000 clients • 50 APs, 1000 clients • 100 APs, 2000 clients • 100 APs, 2000 clients
• 4x4 + 4x4 • 8x8 + 4x4 • 4x4 + 4x4 • 8x8 + 4x4 or 4x4 + 4x4 + 4x4
• MU-MIMO, OFDMA • MU-MIMO, OFDMA (only • MU-MIMO, OFDMA • Tri-radio (dual 5 GHz + 2.4 GHz),
• Spectrum Intelligence DL) • Cisco RF ASIC HDX
• Bluetooth 5 • Spectrum Intelligence • Dual 5 GHz, HDX • Cisco RF ASIC
• 1x 2.5 Multigigabit • Bluetooth 5 • RF signature capture • RF signature capture
• USB • 1x 5 Multigigabit • 1x 2.5 Multigigabit • Decrypted data packet ICAP
• Integrated or • USB • Integrated or external antenna • 1x 5 Multigigabit
external antenna • Integrated antenna only • 8-port smart antennas
Software feature parity Supports up to 100 APs, Supports Wave 2 APs as Cisco DNA Assurance
across APs 2000 clients client serving with ICAP
What about 802.11ac Wave 2 access points?
Supports client serving mode
Ideal for small to medium-sized deployments Mission critical
Indoor
1815w 1815i, 1815m 1832 1842 1852 2802 3802 4800
Outdoor
1540 1560
All 802.11ac Wave 2 access points can connect to the embedded wireless controller
Embedded Wireless Controller on Catalyst AP
vs. Mobility Express
EWC on 9100 Series Mobility Express on W2 APs

“9800 Controller running on Catalyst Access Point” “AireOS Controller running on W2 Access Point”
 Full enterprise Feature set  Reduced feature set/new GUI

 Same deployment architecture as Mobility Express  ME only runs on Wave 2 APs (x800 Series), other
 Same IOS XE look and feel across all Catalyst 9800 APs including Catalyst 9100 can operate as
Series Controllers (GUI and CLI) subordinate
 Support Wave 2 APs (x800 Series) as subordinate  Scale: 50-100 Access Points
 Enhanced HA (SMU, AP Service Pack/Device Pack)

 Scale: 50-100 Access Points
EWC on Catalyst 9100 access points
Interoperability matrix
Cisco IOS XE ISE 2.3 Cisco DNA Center Cisco DNA Spaces
16.12.2 1.3.2
Cisco DNA ready for small to medium-sized, single or multisite deployments
Deploying the Cisco Embedded Wireless
Controller
Deploying the Cisco Embedded
Wireless Controller
• EWC-capable access points can be connected to an access port or a trunk port on the switch, depending on the
deployment method
• Management traffic is always untagged
Internet VLAN 10 Internet VLAN 10

VLAN 20
VLAN 30
v20 v30 v40
VLAN 40
If access points and If access points and

WLANs are all on the WLANs are all on
same network, EWC- different VLANs, EWC-
capable access points capable access points
v10 v10 v10 v10 v10
can connect to an will connect to a trunk
access port on the port on the switch, and
switch port traffic for individual
WLANs will be
switched locally
Pros: Simple Pros: Flexible, secure

Contractor Guest Cons: Less flexible Contractor Guest Cons: More configuration
Employee Employee
How to provision?
OTAP Plug and Play
Over-the-air provisioning Cisco DNA Center

Mobile app, WebUI Plug and Play
Day-0 provisioning – What’s new?
• All APs join to EWC-AP in day 0
• Single “CiscoAirprovision-<ABCD>”
PSK SSID
• mywifi.cisco.com URL for accessing
EWC-AP WebUI
• Mobile app provisioning
• No need for static management IP
• No reboot of EWC-AP after

day-0 configuration
Over-The-Air Provisioning (OTAP)
Get your wireless network up and running in less than 10 minutes
Set up Configure Operate
“Cisco Wireless” mobile app WebUI
Day-0 EWC-AP selection
• Only the EWC-AP decides the AP on which the

controller is started. It uses Virtual Router
Redundancy Protocol (VRRP) to select the
C9115AX C9120AX C9117AX
EWC-AP on day 0 MAC: 1111.2222.BBBB MAC: 1111.2222.AAAA MAC: 1111.2222.CCCC
• Once EWC-AP is elected, all APs join (same

software version) and broadcast the single
CiscoAirProvision-<mac> SSID
• In this illustration C9120AX is elected as the

active EWC-AP and is broadcasting
CiscoAirprovision-AAAA. The SSID AAAA is the CiscoAirProvision-AAAA CiscoAirProvision-AAAA CiscoAirProvision-AAAA
last 4 digits of the Ethernet MAC address of the
C9120AX AP
• Image download on AP join will not be supported on day 0

• There is no standby EWC-AP election on day 0
Deploy using OTAP
• Connect to CiscoAirProvision-<MAC> SSID on your mobile phone or tablet

• The default password is password
Using WebUI on your computer

• Open mywifi.cisco.com to launch the Cisco WLAN Express Setup Wizard
Using the “Cisco Catalyst Wireless” mobile app:

• Open the Cisco Catalyst Wireless app
• Click the Setup icon to launch the Cisco WLAN Express Setup Wizard
Redundancy and
high availability
EWC: Resiliency
Unplanned events Infrastructure updates

Device and network interruptions Software maintenance and AP updates
• Active and standby controllers running simultaneously • Controller SMU support for hot and cold patching
on two Cisco Catalyst 9100 EWC-capable
• AP service pack support for resolving issues on
access points
access points
• No new master election. Faster switchover (less than
10 seconds) with standby controller • AP device pack updates enable new AP models
to be backward compatible with customer-
• After failover, another access point in the network will installed code versions
be elected to become a standby, providing
redundancy until the last available EWC-AP in
the network
Contain impact within release Faster resolution of critical issues

Fixes for defects and security issues Provides fixes to critical issues found in
without need to requalify a new release network devices that are time-sensitive
EWC on Catalyst access points: Resiliency
• Failure of active
controller triggers a
Always-on network switchover to
• APs continue to switch standby
data traffic
• Standby controller is
Always-on clients active in less than 10
How it
• Users and endpoints seconds, and
continue to stay connected
works another EWC-AP is
elected as a standby,
Always-on services CAPWAP-AP Active Standby
Active providing
• Less than 10 seconds EWC-AP Standby
EWC-AP redundancy
downtime of services
• APs fail over to the
new controller
EWC: Active-standby redundancy
• When subordinated EWC-capable 9100 APs join, the active EWC-AP selects a standby AP based on an
algorithm, and active-standby redundancy is formed
• In the event of a failure of the active AP, the standby EWC-AP becomes active and is elected as a
controller automatically
EWC: Standby election
• The active EWC-AP will wait until external APs join to begin standby election
• The active EWC-AP will assign a priority to all joined APs. An AP with the highest priority will be selected as the
standby. Priority is calculated based on following parameters:
• Explicit user configuration; choose a particular EWC-AP as the preferred controller (highest priority)
• AP model (for example, give the 9130AX models the highest priority)
• AP join time
• When an active EWC-AP fails, the standby becomes active. The election process is then initiated to elect the
next standby. It elects the access point with the highest priority as the standby AP
EWC-AP Active EWC-AP

Standby
EWC: Preferred controller and make controller
• At any time, only one AP is the active EWC-AP

• Preferred Controller indicates the AP that becomes
standby and hence will take over as active if the
current active AP fails
• Only one preferred controller can be configured
• Make Controller enables you to select an access
point to be the active EWC-AP
EWC: Active-Standby on EWC-AP
EWC: Seamless software update infrastructure
Active
• Installs controller-
Seamless SW updates specific updates
• Update (patch) EWC without (patches) without
client downtime client downtime to
fix issues seamlessly
AP service pack • Enables service
• Update specific AP updates for specific
models with AP How it
access point models
service pack works without impacting
AP device pack other models
• Introduce new AP models in AP model • New APs can join
your network without any the controller with an
downtime and without AP device pack
impacting other APs Standby without impacting
other APs
Software updates
Software upgrade options
17.1
http:// SFTP
TFTP
Software upgrades from Cisco.com will be available in Release 17.1.

Not required to have Cisco Smart Net Total Care® Service on AP for
software download
Mapping of AP images to AP models
AP images and WLC image AP Model AP Image

after unzipping C9800-AP<version>.zip C9115AX ap1g7
C9117AX ap1g6
C9120AX ap1g7
C9130AX ap1g6a
AIR-AP1815 ap1g5
AIR-AP1832 ap1g4
AIR-AP1840 ap1g5
AIR-AP1852 ap1g4
AIR-AP2802 ap3g3
AIR-AP3802 ap3g3
AIR-AP4802 ap3g3
AIR-AP1542 ap1g5
AIR-AP1562 ap3g3
Site Survey mode
Site Survey
Cisco EWC on Catalyst APs is next-generation autonomous and supports Site Survey in Cisco IOS
XE Release 16.12.2. The following access points with the EWC image support the Site
Survey capability:
• Cisco Catalyst 9120AX Series (C9120AX-x)
• Cisco Catalyst 9117AX Series (C9117AX-x) 192.168.0.1/24
192.168.0.X/24 Surveyor
Cisco EWC supports an internal DHCP server and operates without a pingable gateway. This
enables the user to take the access point powered by a battery pack and a client device to
perform an active survey
Converting AP
from CAPWAP to
EWC-AP
and vice versa
Conversion: CAPWAP AP to EWC-AP
Download EWC-AP software

from Cisco.com Execute conversion CLI
• Download the EWC-AP software .zip • Execute the conversion command from
from Cisco.com. This zip file has the the access point’s CLI.
access point and WLC images. Unzip the
file and put it on the TFTP server.
Note: Conversion requires two files to be downloaded on the AP: an AP image and a WLC image from the unzipped folder.
The ap1g6 is for the 9117AX Series, ap1g6a is for the 9130AX Series, and ap1g7 is for the 9115AX and 9120AX Series. The WLC image
file (C9800-AP-iosxe.wlc.bin) is the same for all Cisco Catalyst 9100 APs.
Converting a CAPWAP AP to EWC
CAPWAP AP
8.10/16.11
TFTP
DHCP request
1
DHCP response with IP address

2
AP#ap-type EWC-AP tftp://<tftp-server-ip>/<ap1gx(AP image)> tftp://tftp-server-ip>/< C9800-AP-iosxe-wlc.bin>

3
AP and ME image is sent by the TFTP server to the access point

4
Master AP
16.12.2
Converting an EWC-AP to a CAPWAP AP
There are typically two reasons why one would want to convert an access point
running the EWC image to CAPWAP
• You want to keep the access point in an EWC deployment but do not want the access point to
participate in the master election process upon a failover of the master AP
• You want to migrate one or more access points with EWC to an appliance or
vWLC-based deployment
EWC-AP to CAPWAP AP using the CLI
You can convert an EWC-AP to function only as CAPWAP by

executing a single command in the access point CLI.
Note: The access point will reboot and the AP type will change to NOT EWC CAPABLE. Also,
after the AP is converted to CAPWAP, it will no longer participate in the master election process.
AP#ap-type capwap
1
CAPWAP AP
Master AP 16.12
16.12.2
EWC to CAPWAP AP using WebUI
• Navigate to Configuration > Wireless > Access Points.

• Fields called Image Type and EWC Capable have been added.
• Select the appropriate AP(s) and click Convert to EWC or Convert to CAPWAP.
Migrating AireOS Mobility Express to EWC on an
AP
Translate
Export Import
configuration
Export the Process the Import the

AireOS controller exported AireOS translated
configuration file. configuration file configuration to
via the EWC WebUI or the EWC.
WLC Config Converter
tool at
https://cway.cisco.com/to
ols/WirelessConfigConvert
er
Bringing it all together
Embedded Controller Flex Connect
Local Controller
Options
WLC
WA
` • Single/Multi site N
networks
• Low IT footprints
` `
FlexConnect
Single/Multi-site networks Controller running in Data Center
Local WLAN Controller Low IT footprints Distributed Network , Highly Scalable
Controller running on AP or Switch
Cisco Provides flexible branch deployment options with enterprise features
Cisco Enterprise Wireless Book
http://cs.co/wirelessbook
TUE WED THU FRI
Opening Keynote 09:00 BRKEWN-2003

Optimize your WLANs 08:30
LABEWN-1098 BRKEWN-2670 for Small and Mobile
Walk in Lab: IOS-XE Every day Introduction to Cisco 08:30 Devices (Phones,
Embedded WLC on Catalyst 9800 Tablets and alike)
AP 9100 series Wireless Controller
LABEWN-1038 BRKEWN-2020
Walk in Lab: Migrate Every day Cisco SD-Access 11:00 BRKEWN-2027
from AireOS to Wireless Integration Design and 09:00
Cat9800 (IOS-XE) Deployment of
Outdoor Wireless
BRKEWN-2016 Networks
BRKEWN-2010 Design and Deployment 14:45
Introduction to Next 11:00 of Wireless for Branch
Generation Wireless and Remote Offices
Stack
LTREWN-2030 Guest Keynote 17:00

Hands-on Solutions 14:30
Cisco Live
MOB
Lab on Catalyst
Wireless 9800 Celebration 18:30
Portfolio &
Controllers
Design Mobility Track

Complete your
online session
survey • Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events
Mobile App or by logging in to the Content
Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on

demand after the event at ciscolive.com.
Continue your education
Demos in the
Walk-In Labs
Cisco Showcase
Meet the Engineer

Related sessions
1:1 meetings
Thank you

Brkewn 2016 PDF

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Brkewn 2016 PDF

Загружено:

Авторское право:

Доступные форматы

Design and Deployment of

Wireless for Branch and

• Wireless Controller and Access Point Portfolio

• Deploying Branches Office using EWC

Distributed Branch & Small Campus Medium Campus Large Campus

9115AX 9117AX 9120AX 9130AX

Single or Multi-Site FlexConnect

• Branches can have Local Controllers

• WLC at each site, higher Capital Costs

Remote Site A Remote Site B Remote Site C

• Full local control, no dependency on WAN

Controller on C9k Switch Controller on AP

• Wireless Controller is at a central site managing

Remote Site A Remote Site B Remote Site C

• Two modes of operation from AP perspective:

When FlexConnect AP can reach Controller, it

When FlexConnect AP cannot reach

02 Standalone Mode Controller, it goes into standalone mode

Data traffic is tunneled back to

Data traffic is switched

• Defines the Broadcast domain (list of • Defines the RF properties of

Access Point Mode • Configure remote site on the Site Tag

Access Point Mode

 In Catalyst 9800 series , Access

Enable WLAN for Local Switching

 Configure the Policy Profile

Overview Central Site CCKM Keys

 CCKM/OKC keys stored on FlexConnect

 The FlexConnect APs receives WAN

 FlexConnect supports 802.11r Fast

 FlexConnect APs will go to Standalone

WLC failure scenario with SSO Central Site

 On WAN failure, AP goes to Standalone mode

CCKM Fast Roaming

Local Authentication Central

 By default FlexConnect AP authenticates

 AAA VLAN Override with local or central VLAN 3

 VLAN ID must be enabled per AP or FlexConnect WAN

• This can be enabled on the Policy

• Enable VLAN Central switching

aabbcc ✓ MAC Filtering

Device MAC Group Private PSK

1. Download 2. Apply ACL

• For the ACL to be applied the

• For the ACL to be applied the

• The ACL is Provisioned on AP

 Split tunneling is using the AP IP @ for the NAT/PAT feature

FlexConnect AP WLC Central Traffic

• Create a centrally switched

WAN Limitation Apply +

• External NAP IP must be configured on Wireless Internet

• WLC will send the External NAT IP for AP to join .

 Upgrading ~6000 AP through a low bandwidth WAN is a challenge :

Goal is to minimize downloads over WAN

Feature Supported AP models

Aironet Aironet Catalyst

Works for all 802.11ax and 802.11ac Wave 2 APs

Enable FlexConnect Groups

 CCKM/OKC Key sharing for Voice deployments

 VLAN Support and configure Native VLAN at Group

 VLAN-WLAN Mappings at FlexConnect Profile

 VLAN Name override

 Consistent configuration across Primary and Backup WLCs