09-18-2024 10:57 PM - edited 09-19-2024 01:41 AM
Currently we run a 9800 WLC in our data centre which controls APs across 45 sites, give or take.
(This is configured through Catalyst Center btw)
Guest network is central switched, central auth with ISE doing the guest portal.
Another SSID is central auth 802.1x cert based through NPS in data centre but locally switched in flex mode.
All other SSIDs are local auth WPA2/3 with local switching in flex.
Each SSID is configured for a different VLAN (APs connected to trunk ports).
Since we have put in SDWAN and multiple direct internet links at most of these sites, we are looking to change things up and set each site up to be a little more self-reliant (and reduce the guest traffic tunnelling to data centre).
We want to configure guest vrf at each site and have the guest wifi traffic break out into local internet through isolated vrf (guest portal to be through local ISE PSN). No need for capwap, can be local switching with vlan on guest vrf.
Will move the 802.1x cert based network from NPS to ISE (with policy node at each site).
For our larger sites we'll spin up 9800WLCs and manage through cat centre.
For the smaller sites that don't have the VM resources we are looking to use EWC APs (9120s), also managed through Cat Center.
If you see any issues with using EWC AP in this environment, please voice your thoughts.
For me, I see a few things of concern:
The conversion to EWC mode document states:
The EWC cannot have its Gig 0 interface configured as trunk. This means the EWC AP cannot broadcast SSIDs, as it will be on our management VLAN? But another document I read shows an example config where they configure the switchport as trunk... conflicting info.
Does the EWC AP provide all the detailed telemetry data to catalyst centre? We are using the AI-RF profiles and AI-ops for troubleshooting etc. I can't see anywhere if the EWC AP can provide the required info that a 9800 would.
If we had the central data centre 9800 configured as secondary management controller for the site in Catalyst Center, would that work? Since I assume the AP image version for those is the standard CAPWAP image, but in the EWC AP network the APs would be running the EWC image in CAPWAP mode. In the event the EWC goes down and the secondary 9800 tries to kick in as controller, would all the APs go through an image download again (seems to take 45 min per AP for this)?
Would like to hear your thoughts before I spend too much time labbing it up.
09-18-2024 11:06 PM
- Generally, and to start with, I would like to inform you that the EWC-based controller solutions have gone EOL; it's not advised to make big plans with that architecture:
https://www.cisco.com/c/en/us/products/collateral/wireless/embedded-wireless-controller-catalyst-access-points/wireless-ewc-access-point-eol.html
M.
09-19-2024 01:38 AM
Wow, I spent some time today looking through the documentation for these including at the software download page for the EWC AP image and did NOT see that anywhere. Thanks for bringing it to my attention.
We had the same issue with the EWC on the 9300s, which we had thought to try, only to find out they got rid of that functionality except for SD-Access, which we are not doing nor likely to do.
Looks like we keep the central controller now for the smaller sites that don't have the server capacity until they're upgraded.
09-19-2024 01:14 AM
It all depends on what you are looking to achieve.
Personally I would suggest using a WLC controller (again, depends on what you are looking for on the branch side).
One suggestion: you can use a Cat 9300 (switches, if you have them, as controller) if you are looking for a local WLC solution.