The purpose of this tech note is to enable correct and successful converged access deployment for Branch deployment.
It is very crucial to have a right design foundation before you deploy converged access
5760 WLC running in centralized mode is NOT converged access.
Incorporate all best practices config below to ensure there are no surprises in terms of functional issues
Decide on the correct code version depending on the feature set the customer requires. Software versions 3.3.5, 3.6.2aE and 3.7.1 (upcoming) are the codes to consider depending of the feature set requirements. Also, these versions may change when future maintenance releases come out.
Below is a overview of branch wireless deployment models
Comparison between traditional branch wireless deployment and Converged Access architecture
Building the right architectural foundation
Note: as you see above it is important to break away from the traditional method of deployment (one wireless vlan across the entire deployment). Recommended option is to have different client vlans per MA/MC (3850 and 3650). For roaming across switches, the default sticky anchoring feature automatically creates anchor / foreign pairs which aids in seamless roaming where client retains if ip address across roams. Even in case where sticky anchoring is disabled, there will be layer 3 roaming established which achieves seamless roams. Latency will not be a concern here as we are talking about branch deployment here where we would typically have 2-3 3650/3850 converged access switches.
Typical Branch network deployment (Small and Large branch networks)
Above figure shows both small and large branch networks
Typically for a branch deployment the average number of APs range from 50-150 APs and client count ranges from 1000-2000 clients
Depending on the size of the deployment, build basic blocks and expand as needed.
As shown on the figure on the left, you can use 2-4 MA (3650/3850) and a single MC (3650/3850, single sub domain) per building. A single Switch Peer group (SPG) is sufficient per MC
If the size if large than above point, you can just replicate the above design into 2 such sets or more (figure on the right)
Typically at the branch sites each building has non-contiguous RF hence there is no need to build mobility peering between MCs. Mobility peering is only needed in cases where there is contiguous RF between buildings where seamless roaming is required.
Typically for such a deployment you DO NOT need a standalone controller (5760) for AP and client management
It is still recommended to use a GUEST Anchor controller like a AireOS 5508 WLC across WAN (at a central location) for guest users (central webauth using ISE)
Best Practice Configuration
Note: the below configs are tried and tested on multiple deployments and it simply justWORKS. You can simply tweak the configs per customer topology and quickly bring up the network. If for some reason there is a glitch, please leave a comment and we will fine tune the recommendations.
Create necessary VLANs (management, clients and guest)
DHCP Snooping and ARP inspection: Enable DHCP snooping and ARP inspection on the guest VLAN. Configure L2 trunk connected to the network as trusted for ARP inspection and DHCP snooping
Security: Convert relevant authentication commands on the access switches to their Class-Based Policy Language (CPL) equivalents.
Note: this command permanently converts the legacy configuration on the switch to identity-based networking services. On entering this command, a message is displayed asking for your permission to continue. Please permit the conversion.
Wireless Management Interface Config
Mobility Config (Guest Anchor Controller)
Mobility Config (Branch switch)
Enable Fast SSID change
wireless client fast-said-change
Note: You add build advanced features set on top of these configs as per deployment needs.
Use of Cisco Prime Infrastructure workflow (use of templates to deploy multiple branch network within a few minutes) - Branch deployment Automation
Cisco PI 2.2.1 (and above running) Wireless Tech Pack 1.0.0 introduces templates for converged access (Small and Large network templates) which enables deploying converged access network with just a few clicks across multiple locations (if needed) at the same time.
Oon the CMX side, what we have is an on-prem virtual appliance running version 10.x. Our existing MSE is an AIR-MSE-3355-K9:V01:KQ45LZH physical appliance running 184.108.40.206 with 600 CAS's and is a physical appliance.There are a couple of things we n...
Hello, So it looks like I can upgrade 220.127.116.11 to 18.104.22.168 in one go, however there seems to be 4 files that I can download. https://software.cisco.com/download/home/282600534/type/280926587/release/22.214.171.124 We have 2 x 5508s and 27...
Ok, so I have a set up of eight WAP 371 in single point setup, and four different wireless networks configured in each radio (4 in 2.4GHZ and 4 in 5GHZ). Problem is that after a few hours of work devices stop connecting to the AP's. If the radio is deacti...
I am sitting in a hospital emergency room with my daughter. Tried to VPN in, but my phone tells me I need to enroll a new Mobile Pass token. I don't understand why, since we just did this 3 weeks when I receives my laptop. How can I requ...
Hello, We have an external captive portal with external Radius servers. The user authenticates in our portal and then we submit a POST request to the "switch_url" parameter contained in the captive portal redirect URL. In some vWLC it works ok but in...