Last Updated: March, This document describes how to deploy a Cisco FlexConnect wireless branch controller. The purpose of this document is to: Note Prior to release 7. Now it is called FlexConnect. There are no specific requirements for this document. This document is not restricted to specific software and hardware versions. Refer to Cisco Technical Tips Conventions for more information on document conventions.
Figure 1 Typical Wireless Branch Topology. FlexConnect is a wireless solution for branch office and remote office deployments. This next table describes the restrictions on WLAN L2 security types only for non-guest clients whose data traffic is also switched centrally at the Data Center. Note These authentication restrictions do not apply to clients whose data traffic is distributed at the branch.
Standalone mode is specified as the operational state the FlexConnect enters when it no longer has the connectivity back to the controller. The maximum transmission unit (MTU) must be at least bytes. Note It is highly recommended that the minimum bandwidth restriction remains Features above turned off. The rest of this document highlights the guidelines and describes the best practices for implementing secured distributed branch networks.
FlexConnect architecture is recommended for wireless branch networks that meet these design requirements. Figure 2 Wireless Branch Network Design. Branch customers find it increasingly difficult and expensive to deliver full-featured scalable and secure network services across geographic locations. In order to support customers, Cisco is addressing these challenges by introducing the FlexConnect deployment mode.
The FlexConnect solution virtualizes the complex security, management, configuration, and troubleshooting operations within the data center and then transparently extends those services to each branch. Deployments using FlexConnect are easier for IT to set up, manage and, most importantly, scale. The remaining sections of the guide capture feature usage and recommendations to realize the network design shown in Figure 2.
Also gives the flexibility of replicating configurations for similar branch sites. Improves the wireless branch resiliency and provides no operational downtime. Provides Adaptive wIPS functionality when serving clients without any impact to client performance. Functionality to automatically convert APs in FlexConnect for your branch.
If the rules have forensics enabled, the link utilization can go up by almost Kbps on an average. After creating WLANs on the controller, you can selectively publish them using access point groups to different access points in order to better manage your wireless network. In a typical deployment, all users on a WLAN are mapped to a single interface on the controller. However, by creating access point groups, you can choose to distribute the load among several interfaces or to a group of users based on specific criteria, such as individual departments (Marketing, Engineering or Operations).
Additionally, these access point groups can be configured in separate VLANs to simplify network administration. This document uses AP groups to simplify network administration when managing multiple stores across geographic locations.
For operational ease, the document creates one AP-group per store to satisfy these requirements: In this example, California is used as the location of the store. This step is optional and needed only if you want to allow Remote Resource access. Note: Adding APs to the AP group is not captured in this document, but it is needed for clients to access network services. In most typical branch deployments, it is easy to foresee that client Because the above scenario is perfectly valid, it raises these concerns:
FlexConnect Group is primarily designed and should be created to address these challenges. In addition, it eases organizing each branch site, because all the FlexConnect access points of each branch site are part of a single FlexConnect Group. You can configure the controller to allow a FlexConnect access point in standalone mode to perform full These servers are used only when the FlexConnect access point is not connected to the controller.
Before the 7. With the 7. As shown in Figure 4, branch clients can continue to perform Note: With Local Authentication turned on, the AP will always authenticate the clients locally, even when it is in connected mode. The configuration sample in Figure 6 illustrates the objective differences and mapping between the AP Group and FlexConnect group. Step 4 Click the Group Name Store 1 that you just created for further configuration.
Step 9 Click Add after the AP is chosen from the drop-down. Step 15 Repeat step 13 until your local user name list is exhausted. You cannot configure or add more than users. Step 16 Click Apply after step 14 is completed and the No of Users count is verified. This was created during the AP Group creation. See Figure 3. Client MAC Address Client Username Client State From 7.
Step 3 Add the AAA server details on the controller for In controller software releases 7. Further, prior to release 7. From release 7. With the introduction of ACLs on FlexConnect, there is a mechanism to cater to the need of access control at the FlexConnect AP for protection and integrity of locally switched data traffic from the AP.
These are then pushed to the AP. Step 5 Create rules for each ACL. Note Configure the rules as per the requirement. If the permit any rule is not configured at the end, there is an implicit deny which will block all traffic. In WLC releases prior to 7. The Split Tunneling functionality is designed to switch traffic locally for subnets which belong to the local site in order to avoid WAN bandwidth consumption.
FlexConnect Fault Tolerance allows wireless access and services to branch clients when: This feature is enabled by default and cannot be disabled. It requires no configuration on the controller or AP. However, to ensure Fault Tolerance works smoothly and is applicable, these criteria should be maintained:
Along with traffic segmentation, the need arises to restrict the total number of clients accessing the wireless services. For example, limiting the total number of Guest Clients tunneling from the branch back to the Data Center.
Note This is not a form of QoS. By default, the feature is disabled and does not force the limit. This feature does not enforce client limit when the FlexConnect is in Standalone state of operation. Step 3 Set the client limit value for the Maximum Allowed Clients text field.
The default for Maximum Allowed Clients is 0, which implies there is no restriction and the feature is disabled. In controller software releases prior to 7. Peer-to-peer blocking can be configured on WLAN with any of these three actions:
The FlexConnect APs will store this information in the reap config file in flash. With this, even when FlexConnect AP is in standalone mode, it can apply the P2P configuration on the corresponding sub-interfaces.
This feature allows the AP to download code while it is operational. The AP pre-image download is extremely useful in reducing the network downtime during software maintenance or upgrades.
Step 1 Upgrade the image on the primary and backup controllers. Step 2 Save the configurations on the controllers, but do not reboot the controller. Step 3 Issue the AP pre-image download command from the primary controller. Once the access point is chosen, click the Advanced tab. Click Download Primary to initiate pre-image download. Step 4 Reboot the controllers after all the AP images are downloaded. The APs now fall back to Standalone mode until the controllers have rebooted.
Once the controller is back, the APs automatically reboot with the pre-downloaded image. After rebooting, the APs re-join the primary controller and resume client services. The pre-image download feature reduces the downtime duration to a certain extent, but all the FlexConnect APs still have to pre-download their respective AP images over the higher-latency WAN link.
The distribution of AP image from the server to the client will be on a local network and will not experience the latency of the WAN link.
FlexConnect Wireless Branch Controller Deployment Guide
The following topology diagram was used for my testing. In a later post we will use ACS for authentication. Central Authentication, Central Switching. Once you do this, the AP will reboot automatically. Since we are planning to use this SSID even when the Central site is not reachable from the Remote office, we have to use a suitable authentication mechanism that works even in that kind of situation.
H-Reap Design and Deployment Guide
It enables customers to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. The H-REAP access points can switch client data traffic locally and perform client authentication locally when the connection to the controller is lost. Refer to Cisco Technical Tips Conventions for more information on document conventions. In such a configuration, the controller is not only responsible for much of the processing of things such as This allows not only for direct wireless access to resources local to the access point, but it provides link resiliency by allowing the CAPWAP control path (the link between AP and controller) to be down while wireless service persists.