Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2836
Views
9
Helpful
1
Comments

Best Practices and Golden Configs - Converged Access Branch Deployment

Viten Patel
Cisco Employee
Cisco Employee

‎06-05-2015 08:17 PM - edited ‎11-18-2020 03:10 AM

The purpose of this tech note is to enable correct and successful converged access deployment for Branch deployment.
 

Important Notes:

 
  • It is very crucial to have a right design foundation before you deploy converged access
  • 5760 WLC running in centralized mode is NOT converged access.
  • Incorporate all best practices config below to ensure there are no surprises in terms of functional issues
  • Decide on the correct code version depending on the feature set the customer requires. Software versions 3.3.5, 3.6.2aE and 3.7.1 (upcoming) are the codes to consider depending of the feature set requirements. Also, these versions may change when future maintenance releases come out.
 

Below is a overview of branch wireless deployment models

 
 

Comparison between traditional branch wireless deployment and Converged Access architecture

 
 
 
 

Building the right architectural foundation

 
 
 
Note: as you see above it is important to break away from the traditional method of deployment (one wireless vlan across the entire deployment). Recommended option is to have different client vlans per MA/MC (3850 and 3650). For roaming across switches, the default sticky anchoring feature automatically creates anchor / foreign pairs which aids in seamless roaming where client retains if ip address across roams. Even in case where sticky anchoring is disabled, there will be layer 3 roaming established which achieves seamless roams. Latency will not be a concern here as we are talking about branch deployment here where we would typically have 2-3 3650/3850 converged access switches.
 

Typical Branch network deployment (Small and Large branch networks)

 
 
  • Above figure shows both small and large branch networks
  • Typically for a branch deployment the average number of APs range from 50-150 APs and client count ranges from 1000-2000 clients
  • Depending on the size of the deployment, build basic blocks and expand as needed.

 

    • As shown on the figure on the left, you can use 2-4 MA (3650/3850) and a single MC (3650/3850, single sub domain) per building. A single Switch Peer group (SPG) is sufficient per MC
    • If the size if large than above point, you can just replicate the above design into 2 such sets or more (figure on the right)
    • Typically at the branch sites each building has non-contiguous RF hence there is no need to build mobility peering between MCs. Mobility peering is only needed in cases where there is contiguous RF between buildings where seamless roaming is required.
  • Typically for such a deployment you DO NOT need a standalone controller (5760) for AP and client management
  • It is still recommended to use a GUEST Anchor controller like a AireOS 5508 WLC across WAN (at a central location) for guest users (central webauth using ISE)
 

Best Practice Configuration

 
Note: the below configs are tried and tested on multiple deployments and it simply justWORKS. You can simply tweak the configs per customer topology and quickly bring up the network. If for some reason there is a glitch, please leave a comment and we will fine tune the recommendations.
 
 
 

Create necessary VLANs (management, clients and guest)

DHCP Snooping and ARP inspection: Enable DHCP snooping and ARP inspection on the guest VLAN. Configure L2 trunk connected to the network as trusted for ARP inspection and DHCP snooping
 
 
 
Security: Convert relevant authentication commands on the access switches to their Class-Based Policy Language (CPL) equivalents.
Note: this command permanently converts the legacy configuration on the switch to identity-based networking services. On entering this command, a message is displayed asking for your permission to continue. Please permit the conversion.
 
 
Wireless Management Interface Config
 
 
AAA Configs
 
 
WLAN Configs
 
 
 
 
 
Mobility Config (Guest Anchor Controller)
 
 
Mobility Config (Branch switch)
 
 
AVC
 
 
RF Group
 
 
Enable Fast SSID change
wireless client fast-said-change
Note: You add build advanced features set on top of these configs as per deployment needs.
Use of Cisco Prime Infrastructure workflow (use of templates to deploy multiple branch network within a few minutes) - Branch deployment Automation
 
Cisco PI 2.2.1 (and above running) Wireless Tech Pack 1.0.0 introduces templates for converged access (Small and Large network templates) which enables deploying converged access network with just a few clicks across multiple locations (if needed) at the same time.
Comments
haitham.jneid
Level 1
Level 1
‎10-04-2016 12:44 AM

Hi Viten,

I have a campus networks which consists of 5 buldings, which have respectively 9 MAs, 6 MAs, 8 MAs, 5 MAs, 1 MA.

I also have 2 WLC5760 that will be installed only in one of the building.

the buildings are connected together over an IP MPLS cloud.

is it possible to deploy a solution in which I use cisco 3850 MA in the branches and WLC5760 as the MC? meaning, I will not use cisco3850 MC at the branch side.

Also, is it possible to simplify the configuration you posted above along with the traffic flow for management VLAN, wireless VLAN and Guest VLAN.

thanks,

Haitham

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents