09-19-2013 12:14 PM - edited 07-04-2021 12:53 AM
With Flavien Richard
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to overcome the challenges of planning, designing, deploying, and troubleshooting wireless networks with expert Flavien Richard.
High density, high availability, converged access, unified access, radio resource management, and site surveys: What do they have in common? They’re all complex and difficult to understand and implement properly, but there are tips and rules to follow that will make your life easier. Expert Flavien Richard will share best practices and make recommendations for the different phases, technologies, and features around enterprise wireless networks.
Flavien Richard is a technology solutions architect in the Borderless Networks team in France. He is an expert in wireless and mobility topics and serves as an escalation point of contact in the European theater. This gives him visibility over most of the biggest projects in EMEA. He is a technical interface between the Wireless business unit and Cisco customers, partners, and employees to help define and prioritize the new features and products for the mobility market. He is a frequent speaker and session manager at Cisco Live and other Cisco events on mobility. He also was a contributor to the writing of the first Wireless CCIE exams.
Remember to use the rating system to let Flavien know if you have received an adequate response.
Because of the volume expected during this event, Flavien might not be able to answer every question. Remember that you can continue the conversation in the Wireless Community, subcommunity Getting Started with Wireless shortly after the event. This event lasts through October 4, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
09-30-2013 10:49 AM
Hi Rasika,
I have been working on a document that is not public yet and that includes a section on IP Addressing. I am copying the entire section here as it should help you understand the pros and cons of Wireless ACCESS vlan deployments.
"
The options cover a range of cases and highlight the pros and cons of different design choices that involve dealing with same or different IP address pools for wireless and wired traffic, differentiated policy assignment, and ease of implementation.
This option separates wired and wireless VLANs per wiring closet, as shown in the following figure. In this example, there is a pair of VLANs in each closet. This is a simple design that allows the application of separate policies per VLAN to wireless and wired users and eliminates any contention for DHCP between wired and wireless.
However, because wireless clients are moving, it is important to consider how large the subnet must be for that wiring closet to accommodate these non-static clients. For wired connectivity, it is necessary only to count the number of available ports. Wireless usage is much more dynamic, so it is harder to determine the size of the DHCP scope that is required, and thus some of the IP address space as allocated might be wasted simply to accommodate for the maximum possible number of wireless clients that could potentially appear on the network simultaneously.
This approach for IP addressing is applicable mainly to a small or medium sized site or branch, where predicting the maximum size of the wireless subnets needed is easier, based on user and device populations at the small to medium branch involved.
In this option, the VLANs are merged and the same subnet is used for wired and wireless for each wiring closet, but separated for different wiring closets. For example, VLAN 11 is used for wired and wireless on wiring closet one, VLAN 21 for the second and so on. The main advantage of this option is in saving IP subnets, and thus conserving the associated IP address space to the greatest extent possible. There is still the challenge of sizing subnets, and as well there is the possibility in this deployment option of IP address space contention between wired and wireless clients, since wired and wireless users are mapped into common subnets in this deployment option. Wireless clients could consume all of the IP addresses within a given subnet, resulting in insufficient addresses for wired clients (or vice versa). Moreover, it is not possible to apply separate wired and wireless policies using VLAN based policies alone in this deployment option.
This option is a hybrid with separate wired subnets and one wireless subnet spread across multiple wiring closets below a common distribution layer. This deployment option retains the advantage of a separate per-VLAN policy for both wired and wireless users, and avoids IP address space contention between these user communities, as wired and wireless clients are still mapped into separate VLANs. Fewer IP subnets are needed because wireless clients are grouped into a single VLAN (per SSID) below the distribution layer. This deployment option typically requires a VSS deployment at the distribution layer or a single distribution switch with multiple supervisors, to avoid Layer 2 loops and any associated spanning tree blocking / forwarding issues.
"
Important information on what I said on my previous post about directly connected APs and vlans, with more details:
As an MA, the Catalyst 3850 supports only direct attached APs. For the AP to register, a management wireless VLAN interface (such as VLAN 20) to which the AP is connected is needed. If the AP is in any other VLAN, it cannot register, and an error message is generated on the console. This is because the wireless management interface Vlan command, which activates the MA functionality, intercepts the CAPWAP messages and processes only those from the designated wireless management VLAN (into which all of the APs connected to this Catalyst 3850 must be deployed). If the command is not employed on the switch, the Catalyst 3850 functions just as any other Layer 2 or Layer 3 switch (CAPWAP passthrough), and the AP can be connected and registered to any other controller within the larger network.
Regards,
Flavien.
09-30-2013 12:38 PM
Hi Flavien,
Thank you very much for such a detailed explanation of each different option. Looking forward to seeing such a valuable document available to us to use as a design guide in this new deployment model.
If I understood correctly, the most preferred option for us is to go with "Spanned Wireless vlan". There is a pre-requisite of a VSS implementation at the distribution layer to avoid any possible L2 looping issues.
Thanks again
Rasika
09-30-2013 01:19 PM
Rasika,
In your case, with the current network that you describe, Option 3 seems to be a good fit, indeed.
Best regards,
Flavien.
10-01-2013 05:29 AM
Hi Flavien,
I read your response a couple of times and now I have another question on that. I understand that for the wireless users it is better to have a spanned VLAN across the building to have less IP contention.
Is this applicable to the "wireless management vlan" as well? Let's say we have 5 buildings (each 3 stories & having a switch stack on each level). Assuming fewer than 10 APs on each floor and allocating 10 IPs for wireless management (for AP & SW wireless mgt). We do not want to control AP IPs too much & below is an example scenario,
BLD1-L1 - 192.168.100.1-10
BLD1-L2 - 192.168.100.11-20
BLD1-L3 - 192.168.100.21-30
BLD2-L1 - 192.168.100.31-40
...
BLD5-L1- 192.168.100.121-130
BLD5-L2- 192.168.100.131-140
BLD5-L3- 192.168.100.141-150
When allocating DHCP for the AP, does this require local DHCP pools in each stack pointing to its own SVI as gateway for the AP mgt DHCP scope? Or could we have a single DHCP scope (somewhere on a central DHCP server) pointing to an SVI defined at the Distribution layer (6506) for these buildings if we have an SVI on the same VLAN as wireless mgt. For example 192.168.100.254.
In other words, if the AP gets a default gateway different from the local 3850 SVI IP (but on the same subnet as the wireless mgt IP of the 3850 stack), will that impact the CAPWAP termination of that switch stack?
We would like to have a central DHCP solution even for AP mgmt & would like to know whether that design rule can be maintained in the given scenario.
Hope this is clear
Rasika
10-01-2013 10:49 AM
Hi Rasika,
You can have a central DHCP scope for Access Points, and not use a local DHCP pool in the stack to do what you want and describe here. The default gateway parameter returned by the DHCP server won't be specific per stack, as it is the normal default gateway of the subnet. The switch itself on each floor will intercept the CAPWAP join request on the wireless management interface subnet locally, which will let it join the converged access stack.
Regards,
Flavien.
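To make the two points above concrete (the wireless management interface command that turns the 3850 into an MA for directly attached APs, and a central DHCP scope for the APs instead of a per-stack pool), here is a constructed Catalyst 3850 configuration fragment. It is an added example, not from the document Flavien quotes or from his posts; VLAN 20, the stack SVI address 192.168.100.2, the DHCP server 10.1.1.10, the port and the AP name are assumed values.

```cisco
! Constructed example: one Catalyst 3850 floor stack acting as MA.
! The AP management subnet 192.168.100.0/24 is spanned across the stacks,
! with the normal subnet gateway 192.168.100.254 on the distribution switch.
vlan 20
 name WIRELESS-MGMT
!
interface Vlan20
 description Wireless management SVI of this stack (assumed address)
 ip address 192.168.100.2 255.255.255.0
 ! Relay AP DHCP requests to the central DHCP server (assumed address).
 ! The scope's default-router stays 192.168.100.254; the stack still
 ! intercepts the CAPWAP join from APs in this VLAN locally.
 ip helper-address 10.1.1.10
 no shutdown
!
! Activates the MA function: CAPWAP from APs attached in VLAN 20 is
! terminated on this stack. APs placed in any other VLAN cannot register
! and an error is logged; without this command the switch is CAPWAP
! passthrough only.
wireless management interface Vlan20
!
! AP-facing access port: must be in the wireless management VLAN.
interface GigabitEthernet1/0/1
 description AP-BLD1-L1-01 (assumed name)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Verification after the AP has booted:
! show ap summary   -> the AP should be listed as joined to this stack
```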
10-01-2013 01:16 PM
Thanks Flavien for the clarification.
09-30-2013 01:21 PM
Hi Flavien,
What is the feature set requirement for a 3850 to operate as MC/MA ? Does it require "ipbase" or "ipservices"
If 3850 comes with "lanbase" can it operate as MC/MA ?
Regards
Rasika
09-30-2013 01:31 PM
Lanbase does not have any Wireless termination support, so you can only work in the passthrough mode indicated above with this license.
Both ipbase and ipservices will allow Wireless support and termination the same way, and allow for MA and MC functionalities. (to activate MC you also need AP licenses on the switch or stack, not on the MA itself).
Regards,
Flavien.
09-30-2013 01:36 PM
Hi Flavien,
Thanks for this information. This is a very important piece of information when planning to roll out 3850 at large scale. If you want to terminate APs locally on the switch stack & have the stack act as a WLC, then you should have a minimum of the "ipbase" feature set.
Thanks
Rasika
10-01-2013 05:46 AM
Hi Flavien,
I am not sure whether this question belongs to this community or .....
We had implemented the Cisco ISE for Guest access.
I have some questions regarding Guest email notification via Sponsor account (via Cisco ISE sponsor portal).
Right now we have this kind of structure for Guest email notification:
Welcome to the XYZ Guest Portal.
Your guest account details:
Username: aefgh
Password: 4Z7Pk
Valid From: Mon Sep 30 10:15:45 CEST 2013
Valid To: Mon Sep 30 18:15:45 CEST 2013
Thanks
Now I want to add my company logo to this notification (email as well as print format).
Can you please guide me on how to place my company logo in this notification.
Thanks
10-01-2013 09:02 AM
Hi Richard
Please explain the two-layer security in wireless mobility, because one of my clients wants the new wireless mobility with two layers of security.
Thanks and Regards
SNG
10-01-2013 10:23 PM
Hi SNG,
Can you please help me understand your question and be a little more specific on what you want me to let you know?
Regards,
Flavien.
10-01-2013 10:39 PM
Hi Flavien
I want to know about double-layer security, like authentication on the Controller and on the AP separately.
Secondly, he wants to know whether only one SSID can be used across different buildings for continuous communication.
Regards
SNG
10-02-2013 12:15 AM
Hi,
For the first question on double authentication, please have a look at this document, as this is possible on wireless Lan controller versions 7.4 and above:
http://www.cisco.com/image/gif/paws/115951/web-auth-wlc-guide-00.pdf
Regarding setting up the same SSID between buildings for seamless roaming, this is definitely something that we recommend, and it is made easy to deploy thanks to our Wireless Lan controllers, both standalone like the 5760, 5508 and 8510s, or integrated into the switches for converged wired and wireless access like the 3650 and 3850.
Regards,
Flavien.
10-02-2013 02:25 AM
Hi Richard
Thanks for your early response and for giving the reference. I read it and it is beneficial for explaining to the client in this regard.
Thanks
SNG