ciscomoderator
Community Manager

Ask the Expert: NGWC (3850/5760): Architecture and Deployment

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.

Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015

This Ask the Expert session will cover questions spanning NGWC products (3850/5760) on implementation and deployment from the wired and wireless perspective. It will be more specific to customers' and partners' questions covering 3850/5760 configuration, implementation and deployment.

Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS), handling and supporting Wireless and Network Management based Cisco products, and is based in Bangalore. His areas of expertise include the Cisco Wireless CUWN and NGWC product lines. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS), CCIE (DC-Written) and CCIE Wireless certifications.

Naveen Venkateshaiah is working as a customer support engineer in High-Touch Technical Services (HTTS), handling and supporting LAN switching and Data Center products. His areas of expertise include the Catalyst 3k, 4k and 6500 and Nexus 7k platforms. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNA, CCNP (RS), CCDP-ARCH, CCIE-R&S Written, AWLANFE and LCSAWLAN certifications.

Find other events at https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the answers to questions.

Rasika Nayanajith
VIP Mentor

Thanks for having this session.

Compared to other design models (Centralized, FlexConnect), I am seeing a lack of design documents on Converged Access.

Can you share some design documents related to this converged access design? (I have been to CiscoLive & watched those sessions related to CA; they are good.) Here are the links for some of the documents I have referred to:

https://supportforums.cisco.com/discussion/11984726/converged-access-design-information

I am looking for updated white papers/design guides to reflect the changes that took place within this CA architecture.

 

Rasika

Hi Rasika,

Thanks for your question.

All the documents which should be public (as per the policy) are already on CCO. Let me know if you have any issue in accessing any CCO doc; I will publish that for you. I went through the support link you provided and I can think of the following points:

> Cisco teams are working in the backend to make more documents available on CA and hopefully we will have more documents on CCO on this.

> About the present content available and the question raised on the link you provided, I think the best material to look for is the deployment guides for 5760/3850 (latest versions). There are deployment guides per version (updated per version). The mobility group number mentioned there is for a particular medium-size design and depends on whether you are making the 3850 (normally should be MA) the MC or the 5760 the MC.

http://www.cisco.com/c/en/us/td/docs/wireless/technology/5760_deploy/CT5760_Controller_Deployment_Guide/Supported_Features.html

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/deployment_guide_c07-727067.html

> Apart from that, there are a lot of design guides which Cisco is releasing on a per-feature basis, for example

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/iosXE_3point3_AVC_DG.html

These guides have all the necessary information from the design perspective for that feature.

> Another source of information is of course the material you mentioned, i.e. Cisco Live and some Tech Talk sessions; below is the one given by me:

https://supportforums.cisco.com/blog/12116566/community-tech-talk-converged-access-architecture-and-mobility

I share your view that there should be more design guides and hopefully we should be seeing some more in the coming months.

Let me know if I was able to answer your question/concern.

 

Regards

Dhiresh

 

Thanks Dhiresh for the details

As you know, those config guides do not cover anything other than basic configuration steps.

There was one white paper dated June 2013 available (link provided in my initial post) which goes into Architecture & Design details. I am looking for an updated version of this document.

"CONVERGED ACCESS – WIRED / WIRELESS SYSTEM ARCHITECTURE, DESIGN, AND OPERATION"

I am in a campus environment & trying to get this CA setup expanded, but lately (based on Ciscolive presentations) Cisco has scaled down those scalability numbers (at least recommended vs max). So I am not too sure whether this model scales to a large campus environment. Is that something you can confirm? Do you recommend CA over the Centralized model for a large campus environment?

Rasika

Hi Rasika,

Thanks for your question.

I see this document but am really not finding it anywhere. I am not sure if someone made it specifically for Cisco Live etc. I will try to search for it internally and get back to you. In between, the latest 3.6-based 5760 deployment guide is a very close match for that document, almost having the same stuff.

"Do you recommend CA over Centralized model for large campus environment?"

I want to be honest with you here and the fact is that I don't have any answer to this question. This depends on Customer choice and preference, and Accounts team/TMEs/SEs can guide you better on this.

For me, CUWN can support voice/video perfectly and is scalable with 8510 (new controllers are in the pipeline) supporting up to 6000 APs, but has a flat architecture. For example, if you have 10 buildings and five controllers are managing them all, then the PMK of all the users would be shared within the mobility group even if roaming is not possible, let's say from building 2 to building 3 physically.

Converged access on the other hand is more hierarchical. So you can have one Switch peer group for each building with one MC, and it's up to you if you want to configure them in the same mobility group. All the MAs (let's say 10 MAs for 10 floors in building one) are not concerned about PMKs of any other building. You have QoS and other policies applied at the edge only. There is no need for HReap/Flex etc. as the directly connected switch is the controller. On top of that, many network administrators having special love and understanding for IOS-XE might find it very friendly. Anyway, 3850 is the next generation switch as well.

Like CUWN, this architecture can also support Voice/Video/data perfectly.

So you should contact your TME/SE to give advice on the products for any new deployment.

 

Regards

Dhiresh

 

 

I have some questions regarding CA deployment.

1. If 3850 is being used as MA and 5508 as foreign MC, WAPs will join the MA, that is well known, but what about the WLANs and dynamic interfaces for users; where will they be configured?

2. If we have an anchor controller as well for guest user access, residing in the DMZ, for sure the communication tunnel between foreign and anchor would be new mobility,

and also ISE needs to be integrated for the same guest users' access for auth, BYOD, posture assessment etc. How will the configuration and connectivity scenario be in this case??

3. If I would have MSE also within the same deployment, which controllers would be added in MSE for aWIPS and Context Aware profiles? Would that be the foreign controller or the MA (3850) switches??

 

Thanks

Hi John,

 

Thanks for putting those questions. Please find the answers below:

1) WLAN and interfaces will be configured on the MA (3850) and not on the MC.

2) Please find below the document which describes all the possible topologies and configuration briefly.

http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html

I think Topology 3 of this document describes your scenario. Basically, the Anchor sits in the DMZ and only the MA (3850) needs to be configured. No configuration is needed on the MC.

3) Individual controllers will be added in the MSE for wIPS/Context Aware. So the 3850 will be added in the MSE and the NMSP connection will terminate at the 3850.

Let me know if you have any other query.

Regards

Dhiresh

**Ratings encourage participation**

 

Hi Dhiyadav,

Thank you for your reply; it cleared some doubts that were in my mind, but I need more of your support to guide me on a converged access deployment which I am going to deploy within a few days.

I have:

2x5508 in HA as MC

30x3850 switches, and all will be used as MAs with multiple SPGs

2x5508 1:1 as an anchor controller

1xISE 1.3 for guest access

1xCPI for wireless mgmt and monitoring purpose

1xMSE3355 with wips and context aware licenses

200x cisco 3702i WAP

50x WSSI module for monitoring the channels

Can you please shed some light on the design and guide me on which are the best possible solutions to get this job done very smoothly?

I will also let you know about my proposed design scenario, but for sure I need your recommendations as well :)

So,

I will use 2x5508 WLCs in HA as MC, which are AP-Count and HA licensed.

3850 switches will be MA and I'll configure SPGs per floor switch stacks.

WAPs will join these 3850 MAs based on each floor.

I would have 2 SSIDs, like employee and guest.

I will configure them on each 3850 stack MA along with their SVIs for user access (employee and guest SSID).

Here my question is for the guest SSID and its VLAN... do I configure it here or on the anchor controller???

I want ISE to be integrated with wireless for employee 802.1x and for guest web auth. So, how will I integrate ISE with wireless? I mean, whether I will integrate it with the anchor controller or with each 3850 MA???

Between foreign and anchor controller I will use new mobility instead of old EoIP!!!

Where shall I place ISE in my network, in the DMZ or with the core switch?

My target is for guest users to not have access to any corporate network resources.

MSE:

Can I use both wIPS and Context Aware on a single MSE box?

If yes, then what is the best practice for configuring them?

Will each 3850 MA be added in MSE?

WSSI modules will be used for monitoring purposes for wIPS and Context Aware profiles.

All access points will work in local mode for serving user access.

Thank you

 

 

Hi John

2x5508 in HA as MC

Be aware that from AireOS 8.1 onward, MC functionality is not supported in AireOS. So if you are doing CA at this scale, it is preferable to get a 5760 as MC.

Just my suggestion

Rasika

 

Hi ,

Thanks for the. With four 5508s, you can have a CUWN implementation also..:)

For implementing the way you said... yes, it looks alright. Let me answer the questions.

> here my question is for guest ssid and its vlan... do i configure it here or on anchor controller???

Again topology 3... it is configured only on the MA, which means the 3850 (foreign controller), and the DMZ (Anchor controller). There is no need to do any configuration on the 5508 pair which is acting as MC.

> i want ISE to be integrated with wireless for employee 802.1x and for guest web Auth. so, how i will integrate ISE with wireless. i mean weather i will integrate it anchor controller or with each 3850 MA???

For 802.1x and if corporate... there should not be any DMZ anchor; the traffic will hit the MA (3850), then the AAA request goes to ISE and data forwarding will start.

Guest... it has a different meaning these days. Traditionally it is a layer 3 security configured on the controller which uses the local web server of the WLC. Another is CWA, and the advanced version is BYOD, and both require ISE. When you are looking at the advanced versions, then again as per the document shared, only the foreign WLC should be integrated with ISE, as this is a layer 2 kind of web authentication taking place with the help of MAC authentication bypass.

>where shall place ISE in my network, in DMZ or with Core switch?

This can be placed anywhere if the proper ports are open, and again depends on the web auth type. If using CWA/BYOD, the foreign WLC will interact with ISE for authentication while redirect URL traffic will hit the anchor WLC and redirection to the ISE portal will happen, so communication should be allowed accordingly. Again, I will request you to follow the 3rd topology.

> my target for guest users to do not have access to any corporate network sources ?

Map the SSID to some DMZ VLAN on the Anchor.

> can i use both wips and context aware on the single MSE box?

No. Since 7.5 onwards we have clearly recommended using separate MSEs for wIPS and location, or else there are many MSE crashes.

> will each 3850 MA be added in MSE?

Yes.

 

Regards

Dhiresh

**Ratings encourage participation**

Hi,

 

thank you for your reply Dhiresh Yadav.

Can someone please shed a little more light and guide me on the best practice to utilize my guest anchor controller with a CA deployment, where I would have 3850 as MA, 5508 as MC and another 5508 as guest anchor in the DMZ? I am a bit confused and don't get the correct idea to accomplish this task.

I have Cisco ISE also for the same guest traffic, for CWA and posture assessments etc.

How do I set this up in order to have a smooth guest access network?

I want to utilize the guest anchor controller too!!! as well as ISE!!!

How would the configuration and integration steps be here in this kind of setup within a converged access wireless deployment?

Any thoughts please?

Hi John,

I think your requirement matches exactly the way topology 3 is configured in the link I shared, except ISE posture assessment. But let me just try to break that into a few parts so that you understand it better, and also the fact that you would need to consult a combination of documents to finish your task.

Wireless controllers:

MA (3850)... The Guest SSID will be configured here as per the shared document. It will be MAC filter based with RADIUS NAC. The MA will be in sync with its MC, i.e. 5508, as verified by "show wireless mobility summary". No need for it to sync up with the Anchor. In the SSID configuration, we will mention the Anchor IP address.

MC (5508)... No configuration for the SSID is needed here. It just needs to be in sync with the MA (3850) via the switch peer configuration command.

Anchor (5508)... Here we again need the Guest configuration as it is acting as anchor. Also it should be in the Mobility configuration of the MC (5508) and the Mobility tunnel should be up between the Anchor (5508) and MC (5508).

The traffic for this SSID will be routed from the MA to the MC and then to the Anchor. Follow the document which was shared already to configure the Guest SSID and the ISE CWA side configuration.

For the other basic configuration like mobility tunnel, Switch peer group to sync the MC and MA, or in general SSID configuration, AP joining to 3850 (MA), interface configuration on 3850 etc., please refer to the following documents:

Every topic like making an SSID, syncing MC to MA, and Mobility group configuration is covered in topic-wise chapters.

http://www.cisco.com/c/en/us/td/docs/wireless/technology/5760_deploy/CT5760_Controller_Deployment_Guide/Supported_Features.html

 

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/deployment_guide_c07-727067.html

ISE side.

Here it is a bit easier:

CWA :

You need to follow a few simple steps to make ISE ready for CWA and to serve the clients sent by the controllers. CWA steps are covered under the same document, topology 3.

Posture assessment:

This is also possible along with CWA, but since I am from wireless and not from security, I might not be able to give in-depth steps for that; implementation is possible via this document:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc5

 

There is no one document which will have all that information as per your requirement, but the combination of these documents will definitely help you in accomplishing your task.

 

Hope this clarifies.

 

Regards

Dhiresh

**Ratings encourage participation**
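Added illustration, not taken from Dhiresh's post or the linked Cisco guides: the three pieces described above (MA, MC, anchor) sketched as annotated CLI, with RFC 5737 addresses, VLAN, SPG and server-group names assumed, and secrets/MACs left as placeholders. The command syntax is recalled from IOS-XE 3.x / AireOS 7.x and the inline "!" comments are not paste-ready, so check every line against the deployment guide for your release.

```text
! ---- 3850 (MA): register with the MC, define the guest WLAN anchored to the DMZ 5508 ----
! assumed: MC mobility IP 10.0.0.1, anchor 192.0.2.10, ISE 198.51.100.20, MA mgmt VLAN 100
aaa new-model
radius server ISE
 address ipv4 198.51.100.20 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
aaa group server radius ISE-GROUP
 server name ISE
aaa authorization network default group ISE-GROUP     ! method list used by mac-filtering
aaa accounting network default start-stop group ISE-GROUP
aaa server radius dynamic-author                       ! CoA so ISE can re-authorize after CWA
 client 198.51.100.20 server-key <shared-secret-placeholder>
!
wireless management interface vlan 100
wireless mobility controller ip 10.0.0.1               ! MA points at the 5508 MC, not at the anchor
!
wlan GUEST 2 GUEST
 mobility anchor 192.0.2.10      ! every guest frame is tunnelled to the DMZ anchor
 no security wpa                 ! open SSID: MAB + RADIUS NAC drive the CWA redirect
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 mac-filtering default           ! MAC filter against ISE (MAB)
 nac                             ! RADIUS NAC so ISE can return the redirect URL/ACL
 aaa-override                    ! let ISE push VLAN/ACL after the portal succeeds
 no shutdown
!
! ---- 5508 MC (AireOS): no guest WLAN here, only mobility plumbing ----
config mobility new-architecture enable
config mobility switchPeerGroup create SPG-FLOOR1
config mobility switchPeerGroup member add 10.0.1.10 SPG-FLOOR1      ! MA management IP
config mobility group member add 192.0.2.10 <anchor-mac-placeholder> default
!
! ---- 5508 anchor (AireOS, in the DMZ): same WLAN, anchored to itself ----
config wlan create 2 GUEST GUEST
config wlan interface 2 dmz-guest          ! guest VLAN exists only here, never on the campus
config wlan security wpa disable 2
config wlan mac-filtering enable 2
config wlan nac radius enable 2
config wlan aaa-override enable 2
config wlan mobility anchor add 2 192.0.2.10
config wlan enable 2
! the redirect ACL that ISE names must also exist on the anchor, since redirect traffic lands here
!
! Checks: "show wireless mobility summary" on the MA (MC should show UP),
! "show mobility summary" on MC and anchor (tunnel to 192.0.2.10 UP), and a test
! guest client should land in dmz-guest with no reachability to corporate VLANs.
```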


Hi ,

 

So this 3850 is a stack switch; how is it different from the previous 3750 stack, I mean the way we connect the stack etc. or QoS?

 

Regds

Hi,

Thanks for your question.

The hardware architecture between Cisco Catalyst 3750 switches and the Cisco Catalyst 3850 is different, so stack design connectivity is not supported. The stacking cable is again different. You cannot stack a 3750 and a 3850 together; it has to be all 3850s. The whole physical layout and connectors, everything is different in the cable, so you cannot even insert this cable in a 3750. The cable and connector type used in StackWise-480 are different from the StackWise and StackWise Plus cables. Hence the newly redesigned hardware architecture of the next-generation StackWise-480 is incompatible with traditional StackWise Plus technology.

The cable lengths are around 0.5 meter, 1 meter, and 3 meter, as shipped with the 3K, so the lengths are the same.

A few more differences: in 3750 the stacking bandwidth is 64 Gbps whereas in 3850 we have 480 Gbps; 3750 does not have a multicore CPU for hosted services whereas 3850 has it; QoS on 3750 is MLS and QoS on 3850 is MQC.

Please let me know if I was able to answer your question/concern.


Regards,

Naveen Venkateshaiah.