Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1143
Views
32
Helpful
9
Replies

Access point to HQ via controller

Go to solution
BigK
Level 1
Level 1

‎05-23-2022 07:49 AM

Hello,

 

I am looking for a wireless solution to support remote user in a branch to access the internet and also be able to access HQ network via VPN tunnels. preferably access point to HQ via controller

 

Any recommendation will be helpful 

 

Thanks

Karim

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni
In response to BigK

‎05-23-2022 01:30 PM

Below are the design guides;

Understand FlexConnect on Catalyst 9800 Wireless Controller - Cisco

FlexConnect Wireless Branch Controller Deployment Guide - Cisco

 

Hardware wise you simply need AP's which supports FlexConnect (almost all the enterprise wireless AP's sold by Cisco supports flex connect) and WLC's. WLC's will be hosted in both DC's and then depending on your upstream device routing (In your case VPN edge device) you can have AP's register to any DC, if you are advertising both DC's as HUB's then you should be able to have N+1 redundancy.

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

9 Replies 9

Go to solution
Flavio Miranda
VIP
VIP

‎05-23-2022 08:16 AM - edited ‎05-23-2022 08:16 AM

Hi

  The solution I´d be looking would be the Access Point in Flexconnect.  This can solve the first part of your solution which is to have an Access Point remotely but being managed but you WLC on the Data Center.

The Access Point in Flexconnect mode will send all traffic to local network, which is not what you want exactly, but, with the VPN in place you can fix that using split tunnel. Assuming, of course, that the client is able to stablish VPN from the Remote branch.

Once they stablishes VPN and have Split Tunnel you can control which traffic will be send to HQ and which site will be send to the Local internet.

 

Go to solution
BigK
Level 1
Level 1
In response to Flavio Miranda

‎05-23-2022 08:58 AM

Thanks Flavio,

 

What are the hardware requirement ?

 

Karim

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to BigK

‎05-23-2022 09:11 AM - edited ‎05-23-2022 09:12 AM

Access points dont have big discrepancy between models in terms of hardware. It will depend on the wlc you have today or intend to buy . 

 You need to worry more about compatibility.  

 Let me know which wlc you have or intend to have that I recommend you an AP model. 

 

But , if you wish indication for wlc too, 9800 is a good option. 

Go to solution
BigK
Level 1
Level 1
In response to Flavio Miranda

‎05-23-2022 09:59 AM

Thanks for the info. Can 9800 controller be at the data centers and create secure tunnel to the branch APs?

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to BigK

‎05-23-2022 10:14 AM

that´s correct. The WLC remains in the Data Center and stablish a capwap tunnel with the AP. All it needs is connectivity.

You can informe the WLC IP to the AP on the DHCP option. You can also manually inform the WLC ip or use DNS resolution by adding "Cisco-capwap-controller.local_domain" to you internal DNS.

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni

‎05-23-2022 08:28 AM

Design can vary on how the HQ to Branch connectivity will be;

1. MPLS or any private circuit connectivity -

You can deploy AP's in Flexconnect mode, Upstream edge will do the routing and local internet breakout for branch internet connection. 

2. VPN connectivity from branch edge to HQ - Same as point 1, upstream L3 device will do the routing.

3. Internet only branches - Consider OEAP, AP will connect via a secure tunnel directly to the HQ.

4. SD-Access - If you have SD-Access capable devices/licenses and DNAC then consider Fabric in a box.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Go to solution
Mythrain
Level 1
Level 1
In response to Arshad Safrulla

‎03-26-2023 10:23 AM

I want config mangerment ap via internet. But i don't know how to configure. Please help me !!!!

 

0 Helpful

Go to solution
BigK
Level 1
Level 1

‎05-23-2022 08:40 AM

Thanks Arshad, 

 

The design will be Internet only branches with secure tunnel directly to the HQ.. what are the hardware requirement for this connectivity. 

I have 2 data centers one in east coast and the other in the west coast for redundancy purposes. 

Any design examples or links are helpful. 

 

Thanks

Karim

0 Helpful

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni
In response to BigK

‎05-23-2022 01:30 PM

Below are the design guides;

Understand FlexConnect on Catalyst 9800 Wireless Controller - Cisco

FlexConnect Wireless Branch Controller Deployment Guide - Cisco

 

Hardware wise you simply need AP's which supports FlexConnect (almost all the enterprise wireless AP's sold by Cisco supports flex connect) and WLC's. WLC's will be hosted in both DC's and then depending on your upstream device routing (In your case VPN edge device) you can have AP's register to any DC, if you are advertising both DC's as HUB's then you should be able to have N+1 redundancy.

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card