This document discusses different wireless network architectures from Cisco, including autonomous access points, centralized architecture, and FlexConnect architecture. Autonomous access points are managed individually while centralized architecture uses wireless LAN controllers for centralized management. FlexConnect is an extension of centralized that allows some local switching and control at remote branch sites for better WAN efficiency and high availability when the connection to the main controller fails. The document provides details on how each architecture works, available access point and controller options, benefits and limitations of each.
5. How It Works
Autonomous Access Points
• Since the beginning of times (1997)
• Each AP is individually managed
  From AP CLI
  From AP GUI
  From Cisco Prime Infrastructure (WLSE)
• AP connected to 802.1q trunk switch port
• SSID = VLAN
• End-user is dropped in local VLAN
• End-user data traffic is locally switched
[Diagram: access points switch end-user data traffic locally into the campus network towards internal resources; ISE and Prime appear as management tools]
7. Outdoor Autonomous Access Point Portfolio
1552I
• Integrated Antennas
• Low Power Consumption
• CleanAir
• ClientLink
1552E / 1552EU
• External Antennas
• High Power Gain
• Fiber SFP Option
• PoE Out
• CleanAir
• ClientLink
1552C / 1552CU
• Integrated DOCSIS 3.0 Cable Modem
• Cable Plant Powered
• High Power Gain
• CleanAir
• ClientLink
1552H / 1552S
• ATEX Certified Class 1 / Div 2 / Zone 2
• Integrated Honeywell Sensor Gateway (S)
• Fiber SFP Option
• PoE Out
• CleanAir
• ClientLink
8. Benefits
Autonomous Access Points
• Affordable entry level solution
  No controllers and licensing
• Supports latest Wi-Fi standards:
  802.11 a/b/g/n for connectivity
  WPA2 for robust security
• Industry best range and throughput
  Best of breed RF
• Investment protection
  Can be upgraded to a controller-based architecture
9. Limitations
Autonomous Access Points
• Each AP is managed individually
  Prone to configuration inconsistencies
  Individual software upgrades
  Each AP must be configured in RADIUS server
• Base level Wi-Fi functionality
  No dynamic radio resource management
  No advanced security (rogue detection and mitigation, WIPS)
  No guest access
• Voice over WLAN (roaming)
  Requires campus wide VLANs
10. Where / When To Use
Autonomous Access Points
• Hotspot deployments with nomadic roaming
• Static environments
• Customers without requirement for advanced services
  Guest access, location, rogue detection, WIPS, etc.
• Small business or small distributed branch offices
• Small warehouses and plants
12. How It Works
Centralized Architecture
• Zero touch AP deployment
  Auto discovery
  AP joins WLC
  AP establishes CAPWAP tunnel with WLC
  Auto firmware update
  Auto configuration
• Single centralized management point
  From WLC GUI
  From Cisco Prime Infrastructure
• End-user is dropped in a VLAN behind WLC
  VLAN can be dynamically assigned
• End-user data traffic is centrally switched
[Diagram: AP-controller CAPWAP tunnel (control and data planes) from the access points to the Wireless LAN Controller; end-user data traffic leaves the WLC into the campus network towards internal resources; ISE and Prime as management tools]
16. Cisco Unified Access Pillars
Pillars: Identity Services Engine (ISE), Prime Management, Wired and Wireless Network
• Self-provisioning portal – My Devices
• Secure Group Access (SGA) - simplified role-based access control and enforcement based on context, avoids manual ACL/VLAN configs
• Comprehensive Guest Management
• Consistent functionality across wired and wireless
• Application Visibility and Control (AVC)
• Sub-second Stateful Switchover (SSO)
• Hierarchical QoS - Port, Access Point, Radio, SSID, User, & application
• Advanced Analytics and Business Intelligence
• One application wired and wireless - Cisco Prime Infrastructure 1.4
• Application visibility and assurance – deterministic end user application experience across wired and wireless
• Third Party device management
18. One Management
Cisco Prime Infrastructure 1.2
• Unified Visibility – Prime 360
• Integrated Workflows Aligned with Lifecycle Processes – support the way network operators do their job
• Prime Assurance Manager – Enhanced Application Visibility and Control (AVC), offering wired and wireless application insight and control
[Diagram: managed data sources – ISR G2 routers, NAM, ASR, WLAN Controller]
19. Benefits
Centralized Architecture
• Centralized management and troubleshooting for lowest TCO
• Easy to deploy and manage
• Consistent configuration across all APs
• Radio Resource Management (RRM)
• Advanced security
  Rogue detection and mitigation
  WIPS
  Identity Networking / RADIUS CoA / ISE
• Voice over WLAN (roaming)
• Guest access
20. Benefits
Centralized Architecture
• High availability (client SSO)
• AVC - Application Visibility and Control
• Location services
• CleanAir
• Videostream / multicast delivery optimisation
• CMX - Connected Mobile Experience / Analytics
• Apple Bonjour gateway
• Mesh (indoor and outdoor)
• Highly customizable and advanced feature set
21. Network Based Application Recognition - NBAR2
Deep Packet Inspection and App ID
[Diagram: traffic enters the Wireless LAN Controller, the NBAR2 library performs deep packet inspection, and a policy marks or drops packets; sample application mix shown as Netflix = 50%, YouTube = 15%, WebEx = 10%, Citrix = 9%, Exchange = 8%; NetFlow v9 export]
• Classify 1000+ applications with sub-classification within applications: e.g. Lync – desktop share, video/voice, file transfer
• Apply granular policies - per SSID, Device, Campus, Building, Floor
• Real-time troubleshooting on the Wireless LAN Controller
• Wired-wireless consistent export to standard NetFlow collectors
Application Visibility and Control (AVC)
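As an added illustration (not Cisco code and not part of the original deck), the following Python model shows what an AVC policy does with classification results: each flow carries the application and sub-application an NBAR2-style engine would have identified, a per-SSID policy table decides whether to mark or drop it, and the per-application byte share behind the chart above is computed from the same flows. The SSID names, DSCP values, application identifiers and byte counts are constructed sample data chosen so the shares reproduce the slide's numbers.

```python
"""Toy AVC policy engine over pre-classified flows (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One classified flow. `app`/`sub_app` stand in for the DPI result;
    octet counts are constructed sample data."""
    ssid: str
    app: str        # application id as a DPI engine would report it
    sub_app: str    # sub-classification, e.g. "lync-file-transfer"; "" if none
    octets: int


# Constructed per-SSID policy: application -> (action, dscp).
# DSCP 46 (EF) and 34 (AF41) are the usual voice/video classes, 8 is CS1.
POLICY = {
    "CORP": {
        "lync": ("mark", 46),
        "webex": ("mark", 34),
        "netflix": ("drop", None),
        "youtube": ("drop", None),
    },
    "GUEST": {
        "netflix": ("drop", None),
        "youtube": ("mark", 8),
    },
}


def apply_policy(flow):
    """Return ('permit'|'drop', dscp_or_None) for one flow.
    A sub-classification can override its parent application: Lync file
    transfer is deliberately left at best effort here."""
    if flow.sub_app == "lync-file-transfer":
        return ("permit", 0)
    action, dscp = POLICY.get(flow.ssid, {}).get(flow.app, ("permit", 0))
    if action == "drop":
        return ("drop", None)
    return ("permit", dscp)


def app_share(flows):
    """Percentage of octets per application, rounded to whole percent:
    the numbers behind a 'Netflix = 50%' style chart."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.app] += f.octets
    grand = sum(totals.values()) or 1
    return {app: round(100 * n / grand) for app, n in totals.items()}


def netflow_records(flows):
    """Aggregate policy decisions into export-style records (one per
    SSID/application/action), as a flow collector would receive them."""
    agg = defaultdict(int)
    for f in flows:
        action, dscp = apply_policy(f)
        agg[(f.ssid, f.app, action, dscp)] += f.octets
    return [
        {"ssid": s, "app": a, "action": act, "dscp": d, "octets": n}
        for (s, a, act, d), n in sorted(agg.items(), key=lambda kv: kv[0][:3])
    ]


# Constructed sample: octet counts chosen so the shares match the slide's chart.
SAMPLE_FLOWS = [
    Flow("GUEST", "netflix", "", 500),
    Flow("CORP", "youtube", "", 150),
    Flow("CORP", "webex", "", 100),
    Flow("CORP", "citrix", "", 90),
    Flow("CORP", "exchange", "", 80),
    Flow("CORP", "lync", "lync-file-transfer", 80),
]

if __name__ == "__main__":
    print(app_share(SAMPLE_FLOWS))
    for rec in netflow_records(SAMPLE_FLOWS):
        print(rec)
```

The point the split into `apply_policy` and `netflow_records` makes: the visibility data exported to the collector is the policy outcome, so a drop rule that never fires or a sub-classification that silently bypasses its parent rule shows up in the export rather than only in the controller's own counters.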
22. Limitations
Centralized Architecture
• All end-user traffic is forwarded to the WLC
• Poor use of LAN/WAN infrastructure when internal resources are distributed
• WLC may become a bottleneck
• WLC can be a single point of failure
23. Where / When To Use
Centralized Architecture
• Flexible architecture for campus, large branch, home, and outdoor
  Enterprise campus
  Large manufacturing plants
  Hospitals
  Education campus / universities
• Significant customization needs
• For VoWLAN deployments / real time applications with roaming
• Need / prefer on-premise management
25. How It Works
FlexConnect Architecture
• First available in 2005
• Originally named Hybrid Remote Edge Access Point (Hybrid-REAP / H-REAP)
• Extension to the Centralised architecture
• End-user can either be dropped in a VLAN behind WLC, or in a VLAN in the switch to which the AP is connected
  Per SSID, user/group and/or per location
• End-user data traffic can be locally switched
[Diagram: AP-controller CAPWAP tunnel (control plane only) from the access points to the Wireless LAN Controller; end-user data traffic switched locally into the campus network towards internal resources; ISE and Prime as management tools]
26. How It Works
FlexConnect Architecture (same bullets as slide 25)
[Diagram: branch variant – the access points in the branch reach the Wireless LAN Controller over the WAN through the CAPWAP control-plane tunnel; end-user data traffic is switched locally in the branch towards internal resources; ISE and Prime as management tools]
29. FlexConnect – Advanced Services
• High Availability – WAN Survivability
  FlexConnect AP provides wireless access and services to clients when the connection to the primary WLC fails
• Fast Secure Roaming in remote branches – for VoWLAN
• Dynamic VLAN and ACL assignment – per user
• Scalability
  Number of FlexConnect groups: 500 (7500s) and 100 (5500s)
  APs per Group: 50 (7500s) and 25 (5500s)
30. FlexConnect – WLC Authenticator
[Diagram: branch office AP, connected through ISR 3925 routers and a VPN to the data center WLC and AAA RADIUS server; (1) Dot1X Auth Req, (2) Dot1x Auth Success for a new client]
• All client authentication requests travel through the central controller
• If the controller is not reachable, no clients can authenticate
31. FlexConnect – AP Authenticator
[Diagram: same topology; the AP sends (1) Dot1X Auth Req directly to the AAA RADIUS server in the data center and receives (2) Dot1x Auth Success, bypassing the WLC]
• All client authentication requests travel straight from the AP to the RADIUS server.
• If the controller is not reachable, clients can still authenticate and access network services.
32. FlexConnect – AP Authenticator
[Diagram: same topology without the VPN; the AP exchanges (1) Dot1X Auth Req and (2) Dot1x Auth Success with an AAA RADIUS server located in the branch office]
• All client authentication requests travel straight from the AP to the local branch RADIUS server.
• If the WAN link is down, clients can still authenticate and access network services.
33. FlexConnect – Local Authentication
[Diagram: same topology; (1) Dot1X Auth Req and (2) Dot1x Auth Success are handled by the AP itself, with the data center WLC and the branch AAA RADIUS server both unreachable]
• All clients are authenticated directly by the AP.
• If the WAN link and the local backup RADIUS server are down, clients can still authenticate and access network services.
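The four authenticator designs on slides 30 to 33 differ only in which component must still be reachable for a new client to authenticate. The Python model below is an added example, not Cisco code: it encodes each design's dependency as stated on the slides, evaluates it against constructed outage scenarios, and returns which designs keep authenticating in each. The mode names, the `SiteState` fields and the scenario set are assumptions made here for the illustration.

```python
"""WAN survivability of FlexConnect 802.1X authentication paths (added example)."""
from dataclasses import dataclass
from enum import Enum


class AuthMode(Enum):
    # Ordered from most to least dependent on the data center.
    WLC_AUTHENTICATOR = "WLC authenticator (slide 30)"
    AP_TO_CENTRAL_RADIUS = "AP authenticator, central RADIUS (slide 31)"
    AP_TO_LOCAL_RADIUS = "AP authenticator, branch RADIUS (slide 32)"
    LOCAL_AUTHENTICATION = "local authentication on the AP (slide 33)"


@dataclass(frozen=True)
class SiteState:
    wan_up: bool            # branch WAN link to the data center
    wlc_reachable: bool     # CAPWAP control plane to the central WLC
    dc_radius_up: bool      # AAA RADIUS server in the data center
    local_radius_up: bool   # backup RADIUS server inside the branch

    def __post_init__(self):
        # The WLC and the DC RADIUS server are only reachable across the WAN.
        if not self.wan_up and (self.wlc_reachable or self.dc_radius_up):
            raise ValueError("WAN down implies data center services unreachable")


def auth_path(mode, site):
    """Hops an 802.1X request traverses in this mode, or None if the
    request cannot be completed under the given site state."""
    if mode is AuthMode.WLC_AUTHENTICATOR:
        # Slide 30: everything goes through the controller, which proxies to AAA.
        ok = site.wlc_reachable and site.dc_radius_up
        return ["AP", "WLC", "DC RADIUS"] if ok else None
    if mode is AuthMode.AP_TO_CENTRAL_RADIUS:
        # Slide 31: AP talks to the DC RADIUS directly; WLC state is irrelevant.
        return ["AP", "DC RADIUS"] if site.dc_radius_up else None
    if mode is AuthMode.AP_TO_LOCAL_RADIUS:
        # Slide 32: AP talks to a RADIUS server in the branch.
        return ["AP", "branch RADIUS"] if site.local_radius_up else None
    if mode is AuthMode.LOCAL_AUTHENTICATION:
        # Slide 33: the AP verifies credentials itself.
        return ["AP"]
    raise ValueError(mode)


def surviving_modes(site):
    """Modes under which a new client can still authenticate at this site."""
    return [m for m in AuthMode if auth_path(m, site) is not None]


# Constructed outage scenarios (field order: wan, wlc, dc_radius, local_radius).
SCENARIOS = {
    "all up": SiteState(True, True, True, True),
    "WLC down": SiteState(True, False, True, True),
    "WAN down": SiteState(False, False, False, True),
    "WAN and branch RADIUS down": SiteState(False, False, False, False),
}


def survivability_matrix(scenarios=SCENARIOS):
    """{scenario: {mode description: still authenticating?}}"""
    return {name: {m.value: auth_path(m, s) is not None for m in AuthMode}
            for name, s in scenarios.items()}


def minimal_mode_for(required, scenarios=SCENARIOS):
    """The least locally dependent mode that survives every named scenario,
    or None if no mode does."""
    for m in AuthMode:
        if all(auth_path(m, scenarios[n]) is not None for n in required):
            return m
    return None


if __name__ == "__main__":
    for name, row in survivability_matrix().items():
        print(f"{name:28s}", [v for v in row.values()])
```

`minimal_mode_for` is the design question the slides pose: list the outages the branch must ride through, and the answer is the first mode that survives all of them, which is also the mode that keeps the smallest credential footprint outside the data center.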
34. By The Way…
• SSIDs on “Local Mode” APs
• Centrally Switched SSIDs on FlexConnect APs
• End-user traffic is always switched at the controller
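Slides 25 and 34 together define where a client's traffic ends up: centrally switched SSIDs and local-mode APs always place the client in a VLAN behind the WLC, while a locally switched SSID on a FlexConnect AP places it in a VLAN on the branch switch, and slide 29 adds that the VLAN can be assigned per user by RADIUS. The following Python model is an added example, not Cisco code, that combines those rules and adds a pre-deployment audit for the case they leave open: a RADIUS-assigned VLAN that is not carried on the AP's trunk. The fallback to the WLAN's mapped VLAN in that case is an assumption of this model, as are all the names, VLAN numbers and group mappings.

```python
"""Client placement for local vs central switching with dynamic VLANs (added example)."""
from dataclasses import dataclass, field


@dataclass
class Wlan:
    ssid: str
    local_switching: bool     # FlexConnect local switching enabled on this WLAN
    default_vlan: int         # VLAN behind the WLC (central) or WLAN-to-VLAN default (local)
    aaa_override: bool = True # honour a RADIUS-supplied VLAN


@dataclass
class FlexAp:
    name: str
    mode: str                                   # "flexconnect" or "local"
    vlan_map: dict = field(default_factory=dict)  # ssid -> VLAN on the AP's trunk
    trunk_vlans: frozenset = frozenset()        # VLANs carried on the AP's switch port


@dataclass(frozen=True)
class Placement:
    switched_at: str   # "WLC" or "AP"
    vlan: int
    note: str = ""     # non-empty when the placement deviates from the request


def place_client(wlan, ap, radius_vlan=None):
    """Decide switching point and VLAN for a client that authenticated on
    `wlan` through `ap`; `radius_vlan` is the VLAN the AAA server returned."""
    if ap.mode == "local" or not wlan.local_switching:
        # Slide 34: local-mode APs and centrally switched SSIDs always switch
        # at the controller, in a VLAN behind the WLC.
        vlan = radius_vlan if (radius_vlan and wlan.aaa_override) else wlan.default_vlan
        return Placement("WLC", vlan)
    # Locally switched SSID: the client lands on the branch switch.
    if radius_vlan and wlan.aaa_override:
        if radius_vlan in ap.trunk_vlans:
            return Placement("AP", radius_vlan)
        # Assumption of this model: an unmapped dynamic VLAN falls back to the
        # WLAN's mapped VLAN and is flagged, because a user silently landing in
        # a different VLAN than policy intended is worth alerting on.
        return Placement("AP", ap.vlan_map.get(wlan.ssid, wlan.default_vlan),
                         note=f"RADIUS VLAN {radius_vlan} not on {ap.name} trunk")
    return Placement("AP", ap.vlan_map.get(wlan.ssid, wlan.default_vlan))


def audit_vlan_coverage(aps, wlans, group_vlans):
    """Pre-deployment check: every VLAN RADIUS may assign to a user group must
    exist on every FlexConnect AP's trunk for locally switched WLANs, or the
    fallback above will fire in production. Returns (ap, ssid, group, vlan)."""
    problems = []
    for ap in aps:
        if ap.mode != "flexconnect":
            continue
        for w in wlans:
            if not w.local_switching:
                continue
            for group, vlan in group_vlans.items():
                if vlan not in ap.trunk_vlans:
                    problems.append((ap.name, w.ssid, group, vlan))
    return problems


# Constructed sample topology.
CORP = Wlan("CORP", local_switching=True, default_vlan=10)
GUEST = Wlan("GUEST", local_switching=False, default_vlan=900)
BRANCH_AP = FlexAp("br1-ap1", "flexconnect", {"CORP": 10}, frozenset({10, 20}))
CAMPUS_AP = FlexAp("hq-ap7", "local")
GROUP_VLANS = {"staff": 10, "finance": 20, "contractors": 30}

if __name__ == "__main__":
    print(place_client(CORP, BRANCH_AP, radius_vlan=20))
    print(place_client(CORP, BRANCH_AP, radius_vlan=30))
    print(audit_vlan_coverage([BRANCH_AP, CAMPUS_AP], [CORP, GUEST], GROUP_VLANS))
```

The audit runs over the same policy data the controller and the RADIUS server hold, so it can be repeated whenever a FlexConnect group, a trunk or a user-group mapping changes rather than waiting for the `note` field to appear in logs.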
35. Benefits
FlexConnect Architecture
• Same benefits as for the Centralised Architecture (most of them) + …
• Flexible deployment and configuration options
• Simple wireless operations with DC hosted controller (no need to distribute controllers)
• Efficient use of WAN resources for branches
  Only desired traffic is tunneled to the controller
• Highly available and scalable for large number of remote branches
36. Limitations
FlexConnect Architecture
• Some WAN limitations may apply
  RTT must be below 300 ms for data (100 ms for voice)
  Minimum 500 bytes WAN MTU (with maximum four fragmented packets)
• Requires site wide VLAN for roaming (VoWLAN)
• Some features are not available in standalone mode or in local switching mode
  AVC and VideoStream
  See full list in “H-REAP Feature Matrix” at www.cisco.com
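The WAN limits above are easy to check before a branch is cut over. The Python below is an added example (not Cisco code): it reads constructed per-site measurements, applies the three limits from the slide (RTT below 300 ms for data and 100 ms for voice, at least 500 bytes of WAN MTU, at most four fragments per packet) and reports each site's violations. The input format, the site names and the 1500-byte worst-case packet are assumptions; the fragment count is the simple payload/MTU ratio and ignores tunnel header overhead.

```python
"""FlexConnect WAN readiness check against the slide's limits (added example)."""
import math
from dataclasses import dataclass

MAX_RTT_DATA_MS = 300
MAX_RTT_VOICE_MS = 100
MIN_WAN_MTU = 500
MAX_FRAGMENTS = 4


@dataclass(frozen=True)
class SiteMeasurement:
    site: str
    rtt_ms: float           # measured round trip from the branch to the WLC
    wan_mtu: int            # path MTU discovered on the WAN link
    voice: bool             # VoWLAN required at this branch
    max_packet: int = 1500  # largest CAPWAP payload expected (assumption)


def fragments_needed(packet_bytes, mtu):
    """WAN fragments for one packet; simplified to ceil(payload / MTU)."""
    if mtu <= 0:
        raise ValueError("MTU must be positive")
    return math.ceil(packet_bytes / mtu)


def check_site(m):
    """Return the list of limit violations (empty means the site qualifies)."""
    issues = []
    limit = MAX_RTT_VOICE_MS if m.voice else MAX_RTT_DATA_MS
    if m.rtt_ms >= limit:
        kind = "voice" if m.voice else "data"
        issues.append(f"RTT {m.rtt_ms:g} ms not below {limit} ms {kind} limit")
    if m.wan_mtu < MIN_WAN_MTU:
        issues.append(f"WAN MTU {m.wan_mtu} below minimum {MIN_WAN_MTU}")
    frags = fragments_needed(m.max_packet, m.wan_mtu)
    if frags > MAX_FRAGMENTS:
        issues.append(f"{m.max_packet}-byte packet needs {frags} fragments (max {MAX_FRAGMENTS})")
    return issues


def parse_measurements(text):
    """Parse 'site, rtt_ms, wan_mtu, voice' lines; '#' starts a comment.
    This CSV layout is a constructed format for the example."""
    out = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        site, rtt, mtu, voice = (p.strip() for p in line.split(","))
        out.append(SiteMeasurement(site, float(rtt), int(mtu), voice.lower() == "yes"))
    return out


def readiness_report(measurements):
    """{site: [violations]} for every measured site."""
    return {m.site: check_site(m) for m in measurements}


# Constructed sample measurements.
SAMPLE = """
# site, rtt_ms, wan_mtu, voice
store-001, 45, 1400, yes
store-002, 120, 1400, yes
store-003, 250, 1400, no
store-004, 80, 400, no
store-005, 310, 1300, no
"""

if __name__ == "__main__":
    for site, issues in readiness_report(parse_measurements(SAMPLE)).items():
        print(site, "OK" if not issues else "; ".join(issues))
```

Note how store-004 passes the fragment limit (1500 / 400 rounds up to exactly four) yet still fails on the MTU floor: the two limits are independent and both have to be checked.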
37. Where / When To Use
FlexConnect Architecture
• Flexible architecture for small to medium size branches (up to 50 APs per site)
  Retail stores
  Food / restaurant chains
  Small warehouses
  Branch offices
• Significant customization needs
• For VoWLAN deployments / real time applications with roaming
• Need / prefer on-premise management
• Excellent migration option for autonomous APs
39. How it works
Converged Access
• Similar to Centralised Architecture
• Mobility Agent (MA) is responsible for:
  – AP CAPWAP termination
  – Maintaining client database
  – Policy enforcement
• Mobility Controller (MC) is responsible for:
  – Client Mobility
  – Radio Resource Management (RRM)
  – WiPS, Spectrum Management
[Diagram: MC and MA roles on the Wireless LAN Controller; AP-controller CAPWAP tunnel (control and data planes); end-user data traffic into the campus network towards internal resources; ISE and Prime as management tools]
40. How it works
Converged Access (same bullets as slide 39)
[Diagram: the MC role stays on the Wireless LAN Controller while the MA role runs on Catalyst 3850 switches, which terminate the AP CAPWAP tunnels (control and data planes) and switch end-user data traffic into the campus network; ISE and Prime as management tools]
41. Delivering Converged Access
[Diagram: legacy building blocks – Wireless Control System, Access Control Server, LAN Management Solution, Identity Management, NAC Profiler, Guest Server, Cisco Wireless LAN Controller, Cisco Firewall, Cisco Access Point, Catalyst Switch – between the corporate network, internal resources and the Internet]
One Management – Prime
One Policy – ISE
One Network – Catalyst 3850 and the new 5760
IOS Based WLAN Controller (5760)
• Consistent IOS and ASIC as Catalyst 3850
• Required to scale beyond 250 AP or 16K client domains
Converged Access Mode (Catalyst 3850)
• Integrated wireless controller
• Distributed wired/wireless data plane (CAPWAP termination on switch)
42. Single Platform for Wired and Wireless
Wireless features:
• 802.11n
• Clean Air
• Video Stream
• Radio Resource Management (RRM)
• Wireless Intrusion Prevention System (WiPS)
• 802.11ac Ready
Wired features:
• Stacking, Stackpower
• Trustsec/Identity
• AVC/Medianet
• Flexible Netflow
• Granular QoS
• Smart Operations
• EnergyWise
• Virtualization
Benefits:
• Built on Doppler – Cisco’s Innovative Flexparser ASIC technology
• Eliminates operational complexity
• Single Operating System for wired and wireless
• 20+ Years of IOS Richness – Now on Wireless
Note: All features may not be available on new platforms at introduction but are expected to be added within 12-18 months
43. Converged Wired/Wireless Access – Benefits
Unified Access - One Policy | One Management | One Network
• Scale with distributed wired and wireless data plane: 480G stack bandwidth; 40G wireless/switch; 16K clients without separate WLC – future proof
• Maximum resiliency with fast stateful recovery: layered network high availability design with stateful switchover
• Single platform for wired and wireless: common IOS, same administration point, one release
• Network wide visibility for faster troubleshooting: wired and wireless traffic visible at every hop
• Consistent security and quality of service control: hierarchical bandwidth management and distributed policy enforcement
46. How it works
Converged Access (same bullets as slides 39 and 40)
[Diagram: distributed variant across the WAN – MA and MC roles both run on Catalyst 3850 switches at the sites, with the AP-controller CAPWAP tunnel (control and data planes) terminated locally; ISE and Prime as management tools]
47. Benefits
Converged Access
• Single platform for wired and wireless
• Consistent security and quality of service control
• Distributed control plane
• Highly scalable
• 802.11ac ready – no bottleneck
• Centralized management and troubleshooting for lowest TCO
• Radio Resource Management (RRM)
48. Benefits
Converged Access
• Highly customizable and advanced feature set
• Advanced security
  Rogue detection and mitigation
  WIPS
  Identity Networking / RADIUS CoA / ISE
• High availability
• Voice over WLAN (roaming)
• Guest access
• Location services
• CleanAir
49. Limitations
Converged Access
• More complex to deploy and manage
• No full feature parity with AireOS controllers
  AVC - Application Visibility and Control
  Bonjour protocol optimisation
  Mesh (indoor and outdoor)
50. Where / When to use
Converged Access
• Flexible architecture for campus and branches
  Enterprise campus
  Large manufacturing plants
  Hospitals
  Education campus / universities
• Significant customization needs
• For VoWLAN deployments / real time applications with roaming
• Need / prefer on-premise management
52. How It Works
Cloud Managed
• Cisco acquired Meraki in December 2012
• Leader in cloud managed network solutions
• AP connected to 802.1q trunk switch port
• Local Authentication to RADIUS / AD
• End-user is dropped in local VLAN on AP
  VLAN can be dynamically assigned
• End-user data traffic is locally switched
[Diagram: access points switch end-user data traffic locally into the LAN towards internal resources; an AP-cloud management tunnel (control plane only, about 1 kbps) crosses the Internet to the Meraki Dashboard]
53. 100% cloud managed edge networks
• Meraki MS – Ethernet Switches
• Meraki SM – Mobile Device Management
• Meraki MR – Wireless LAN
• Meraki MX – Security Appliances
54. Cisco Unified Access
Unparalleled Deployment Flexibility
Cisco Enterprise Portfolio (Cisco Networking Portfolio)
• Prime, ISE
• Catalyst 2K/3K/4K/6K
• ASA - Firewall
• ISR - Routing
• Aironet Access Points & Controllers
Cisco Cloud Managed (100% Cloud Managed)
• Dashboard
• MR APs
• MS Switch
• MX Series Security Appliances
• Systems Manager / 3rd Party MDM Integration
55. MR wireless access points
Feature highlights
• 5 models including indoor/outdoor, high performance and value-priced
• Enterprise-class silicon including PoE, voice/video optimization
• Lifetime warranty on indoor APs
• BYOD policies
• Application traffic shaping
• Guest access
• Enterprise security
• WIDS / WIPS
• Mesh routing
57. SaaS feature delivery, quarterly updates
• WAN optimization
• User/device fingerprinting
• Application firewall
• Mobile application deployment
• Content filtering
• Network access control
58. Scalable cloud infrastructure
• Telmex – nationwide hotspot and 3G offload network
• Next Retail – 550 retail stores across the UK
• Motel 6 – 70,000 hotel room deployment
• Jeffco School District – 80,000 student district with 100+ schools
59. Systems Manager MDM
Feature highlights
• Device Management controls iOS, Android, Mac, and Windows devices
• Cloud-based - no on-site appliances or software, works with any vendor’s network
• 100% free - available at no cost to any organization, sign up at meraki.com/sm
• Centralized app deployment
• Device security
• Rapid provisioning
• Backpack™ file sharing
• Asset management
60. Benefits
Cloud Managed
• It’s too easy!!!
• Simple to buy (2 SKUs)
• Easy to deploy and manage over the web
  Add devices or sites in minutes
• Out-of-the-box optimized feature set
• Ongoing upgrades and enhancements
• Reliable
  Highly available cloud with multiple datacenters
  Network functions even if connection to cloud is interrupted
61. Benefits
Cloud Managed
• Secure
  No user traffic passes through cloud
  Fully HIPAA / PCI compliant (level 1 certified)
  3rd party security audits, daily penetration test
  Reliability and security information at meraki.com/trust
• No bottlenecks
• And… did I say it’s easy?
62. Limitations
Cloud Managed
• Customer must embrace cloud services
• Limited customisation capability (compared to on-premise controller based solutions)
• Single architecture – less flexibility
• No layer 3 roaming
• Requires site wide VLAN for roaming (VoWLAN)
• Limited integration with 3rd party solutions
63. Where / When to Use
Cloud Managed
• Mid-market businesses / distributed sites
• Remote branches without on-site IT
  Retail
  Professional services
  Lawyers offices
  Clinics
  Construction
  K-12 Education
  Hospitality
• Lean IT
• Cloud service users (salesforce, box.net, gmail)
65. Unified Access—Wireless Deployment Modes
Highly Differentiated Value Across All Deployment Models
[Comparison matrix; columns: Autonomous, Centralized, FlexConnect, Converged Access, Cloud Managed. Row labels: Best of Breed RF; One Policy—ISE; One Management—Prime; Sub-Second Failover (marked N/A in two columns); Advanced Features, Highly Scalable; Application Visibility and Control; TrustSec/SGA; Common Policy Enforcement for LAN and WLAN; Network Wide Traffic Visibility; One Operating System LAN and WLAN. The per-cell marks did not survive extraction.]
66. On-Premise and Cloud-Managed Networking Positioning
[Positioning chart: features/network services plotted against network size (sites, density)]
• Enterprise – Cisco Enterprise Portfolio, On-Premise Managed: deployment flexibility
• Mid-Market / Commercial – Cisco Cloud Networking Portfolio, Cloud Managed: lean, generalist IT; distributed small sites
• Small Business – Cisco Small Business Solutions
67. Cisco Unified Access: Flexibility
Autonomous AP
• Intended for static installations
• Aironet Access Points
• Catalyst Switches
• Identity Services Engine
• Prime Infrastructure
Centralised
• Premise-based Controller
• Controller at every location
• Optimized for campus deployment
• Aironet Access Points
• Centralized Controllers
• Catalyst Switches
• Identity Services Engine
• Mobility Services Engine
• Prime Infrastructure
FlexConnect
• Data Center hosted Controller
• No Controller at remote sites
• Optimized for small branch deployment
• Aironet Access Points
• Centralized Controllers
• Catalyst Switches
• Identity Services Engine
• Mobility Services Engine
• Prime Infrastructure
Converged Access
• Common LAN & WLAN OS
• LAN & WLAN feature consistency
• Optimized for high performance
• Optimized for campus & branch
• Aironet Access Points
• Catalyst 3850 Switch
• Identity Services Engine
• Mobility Services Engine
• Prime Infrastructure
Cloud Managed
• Common LAN & WLAN OS
• LAN & WLAN feature consistency
• No Controllers
• Optimized for distributed enterprise
• MR Access Points
• MS Switches
• MX Security
• Dashboard
69. Complete Your Paper
“Session Evaluation”
Give us your feedback and you could win
1 of 2 fabulous prizes in a random draw.
Complete and return your paper
evaluation form to the room attendant
as you leave this session.
Winners will be announced today.
You must be present to win!
..visit them at BOOTH# 100