Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
991
Views
35
Helpful
10
Replies

SD-ACCESS Border/Control Node StackWise Virtual and WLC

Go to solution
stef.gesm
Level 1
Level 1

‎11-29-2022 04:04 AM

Hi all,
I'm struggling to find a validated design for the interconnection of the WLCs in an SD-Access environment (mid-size enterprise) that meets all the requirements of my scenario.
I have two C9500-32QC as Border/Control Nodes, and two Edge Nodes C9300X in stack-wise for each floor.
All the services (ISE, DHCP, DNS, DNAc), are provided by a remote DC ( taking into account all the latency requirements ).
Only the WLCs are local to the fabric, to meet latency requirements.
My idea is to configure the two C9500 in a StackWise Virtual (to provide redundancy) and interconnect the WLC to the Border using SVI in VRF Infra. In this way, I don't need a service block. 
On the CVD (Cisco Validated Design Guide) the use of the SVL is discouraged but I don't understand the reasons behind that. 
Any suggestions?
It is possible to connect the WLC directly to the Border Node or a service block is still needed? 

Regards,

Stefano

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
PabMar
Cisco Employee
Cisco Employee

‎11-30-2022 03:12 AM

Hi,

Ideally the WLCs would be connected external to the fabric (not directly to the B/CP nodes).

Again, SWV is not recommended either on the B/CP (adds another layer of mgmt)

If it's possible to add a switch stack module next to your FWs in this site where you can attach your WLCs then that would be recommended.

Regards.

View solution in original post

Go to solution
georgehewittuk1
Level 1
Level 1
In response to stef.gesm

‎12-01-2022 10:22 AM - edited ‎12-01-2022 10:25 AM

Hi Stef, my two cents on your post. 

(1) why do SVL for the 9500s personally I would prefer to trust the routing and have 2 logical border/control plane nodes. 

(2) WLC directly connected why not! As long as it’s reachable in GRT for the infrastructure. I would do it with your options and I’ve seen in an old Cisco doc wlc attached to border before. Technically I see no problems. Had it like this in lab for years. 

View solution in original post

10 Replies 10

Go to solution
PabMar
Cisco Employee
Cisco Employee

‎11-29-2022 04:37 AM

Hi,

Correct, due to the 20ms requirement between WLC and AP, a WLC is required local to the site.

The reason StackwiseVirtual is discouraged on an SD-Access fabric between border nodes, is that you already have a L3 network. In case of link/device failure, the L3 protocol will handle it. If you add SWV then you are adding another protocol into the mix and add up management of yet another protocol (BGP, LISP, ISIS, et).

Is there an upstream device to the borders on this site?

Regards.

Go to solution
stef.gesm
Level 1
Level 1
In response to PabMar

‎11-29-2022 07:44 AM

Hi PabMar,
thank you for the answer. 
Yes, there are two FW (act/stb) connected to the Border Nodes as Fusion routers.
Do you think I need another layer of switching to connect the WLCs or I can use the VSW in this scenario?
Regards
Stefano

0 Helpful

Go to solution
PabMar
Cisco Employee
Cisco Employee

‎11-30-2022 03:12 AM

Hi,

Ideally the WLCs would be connected external to the fabric (not directly to the B/CP nodes).

Again, SWV is not recommended either on the B/CP (adds another layer of mgmt)

If it's possible to add a switch stack module next to your FWs in this site where you can attach your WLCs then that would be recommended.

Regards.

Go to solution
stef.gesm
Level 1
Level 1

‎12-01-2022 01:07 AM

Hi PabMar,
It's clear. I'm just looking for a solution to avoid buying two switches only for connecting the WLC to the Fabric.
Thank you.
Regards.

0 Helpful

Go to solution
georgehewittuk1
Level 1
Level 1
In response to stef.gesm

‎12-01-2022 10:22 AM - edited ‎12-01-2022 10:25 AM

Hi Stef, my two cents on your post. 

(1) why do SVL for the 9500s personally I would prefer to trust the routing and have 2 logical border/control plane nodes. 

(2) WLC directly connected why not! As long as it’s reachable in GRT for the infrastructure. I would do it with your options and I’ve seen in an old Cisco doc wlc attached to border before. Technically I see no problems. Had it like this in lab for years. 

Go to solution
anthony.wild
Level 1
Level 1

‎12-06-2022 06:59 PM

Hi Stef and All,

I did notice that you can assign roles of Border Node, Control Plane, and eWLC to a Fabric Device. If a design goal is to optimize cost and effort with as little hardware as possible, could your design potentially be to leverage the 9500s with the Wireless Controller role included as well? We use the eWLC on 13 of our Fabrics in full production and haven't hit a capacity or resource constraint as of yet. Just a thought.

Go to solution
stef.gesm
Level 1
Level 1
In response to anthony.wild

‎12-12-2022 02:55 AM

Hi Anthony
Thank you for the suggestion. According to the datasheet the AP scale limit for the 9K family in eWLC mode is 200 AP. This number is close to our deployment scenario, which is why we use 2 external WLCs.
Stefano

0 Helpful

Go to solution
PabMar
Cisco Employee
Cisco Employee

‎12-07-2022 12:31 PM

Hi Anthony, the problem with a single/pair of 9500s as Fabric-in-a-box on a site is that the 9500s are SFP based. Although they support GLC-TE for copper endpoint connectivity, it would be a waste to use those 10G/25G ports for 1G connectivity. Also there's no PoE on 9500s so if you want to deploy APs or VoIP phones, you'll need external power injectors which isn't great. For FiaB the best platform you can select is the C9300 series. For those smaller sites the 9300 will most likely meet your performance requirements.

Regards.

Go to solution
anthony.wild
Level 1
Level 1
In response to PabMar

‎12-07-2022 12:34 PM - edited ‎12-07-2022 12:54 PM

Pabmar,

The OP stated that each floor would be complimented with C9300s in Edge Role. I assume the APs themselves would attach to that switching, not the 9500s. The 9500s would be CP/B/W role, and the 9300s would function as edge role. APs do not need to be directly connected to the device functioning a W role.

Edit: Screenshot included of example production fabric. IDF Switching in Edge Role with APs attached to upstream 9400s running FIAB. I see no reason though why you couldn't do the same with 9500s, excluding the Edge role, connecting your APs to the 9300s on each floor and running W on your 9500s to avoid having to buy and maintain hardware WLCs.

 

Picture1.png

Go to solution
PabMar
Cisco Employee
Cisco Employee

‎12-08-2022 01:58 AM

Anthony, no issues with that setup.

Just to note if HA is a requirement, HA SSO is supported within a dual-sup chassis and within a stackwise virtual pair.

Regards.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents