01-23-2012 06:41 PM - edited 07-03-2021 09:26 PM
Hi,
Is there any document that explains different designs for branch offices? I have a customer with one headquarters and more than 150 branch offices. Today he has one or more autonomous APs per branch office connected directly to the BO switch. Each BO has its own IP address space. Because all wireless client traffic has to travel to the HQ, he wants a controller-based solution where all traffic is tunneled to the WLC and from there goes through a firewall in order to reach the server farm.
The problem is I don't see how to manage all the different IPs of each BO in the HQ. When the WLC sends the packet to the core switch, the packet will reach the servers, but when the servers respond to that packet, the reply will go to the branch office directly. It won't be sent to the WLC in order to be delivered back to the branch office.
I don't know if the most suitable solution is to create one big WLAN with a single SSID for all the branch offices.
Another idea could be to create one SSID per branch office, in order to have different IP addresses for wireless clients, but the customer doesn't want to change the IP addressing. He wants to keep all the branch office IP addresses, no matter whether the client is wired or wireless.
Another option is to use H-REAP and make all the traffic between BO and HQ go through the firewall.
Finally, I'd like to know whether any design document exists that explains the different ways to design a solution for branch offices with centralized controllers, in order to evaluate all of them.
Thanks,
Guido.
01-23-2012 06:49 PM
Here is the official H-REAP Design Guide by Cisco:
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml
Sounds like LOCAL switching is the way to go. LOCAL switching is much like AUTONOMOUS. It keeps local IPs and traffic local as well.
What security are you using on your wifi clients in the BO?
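As an added example (not from the original post or the linked guide), the WLC CLI configuration that puts a branch AP into H-REAP mode with local switching, so that wireless clients are bridged into the branch LAN and keep the branch's own IP addressing. The WLAN ID, AP name and VLAN IDs are assumptions; the syntax is the 7.0-era H-REAP form (the feature was renamed FlexConnect in later releases).

```cisco
! WLC CLI. Assumed, constructed values: WLAN id 1, AP name "BO-AP1",
! branch wireless VLAN 10, native VLAN 1 on the AP's switch port.

! 1. Enable local switching on the WLAN: client data is bridged at the AP into
!    the branch LAN instead of being CAPWAP-tunnelled to the WLC. The WLAN is
!    disabled while the change is made and re-enabled afterwards.
config wlan disable 1
config wlan h-reap local-switching enable 1
config wlan enable 1

! 2. Convert the AP to H-REAP mode (the AP reboots and rejoins).
config ap mode h-reap BO-AP1

! 3. Map the locally switched WLAN to a branch VLAN on the AP. The switch port
!    the AP hangs off must be an 802.1Q trunk carrying VLAN 1 and VLAN 10.
config ap h-reap vlan enable BO-AP1
config ap h-reap vlan native 1 BO-AP1
config ap h-reap vlan wlan 1 10 BO-AP1

! 4. Verify the WLAN and AP settings.
show wlan 1
show ap config general BO-AP1
```

Two things to keep in mind with this setup: local switching only moves the client data path; AP management and, for centrally authenticated WLANs, the 802.1X/RADIUS exchange still cross the WAN to the WLC. And because client traffic no longer arrives at the WLC, the "everything through the firewall" requirement has to be enforced by routing at the HQ rather than by the controller.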
01-23-2012 06:49 PM
Leo, what's the starting size of a Flex controller, do you know?
01-23-2012 06:56 PM
@George, the starting license for the 7500 is 300 APs.
Sent from Cisco Technical Support iPhone App
01-23-2012 07:01 PM
Thanks Steve ... I don't think I will ever get a chance to play with a Flex... And they ONLY do LOCAL ... correct?
01-23-2012 06:49 PM
If you have low latency from the BO to the central site, then you can leave the AP in local mode.
In local mode the AP sends all the traffic to the WLC, and the WLC is the ingress/egress point for all the client traffic.
With this design the wireless clients get an IP address from the central site, so the BO IP scheme won't come into play.
Steve
Sent from Cisco Technical Support iPhone App
01-23-2012 07:10 PM
Thanks everybody. I'll check both documents and see if they help me.
I have a problem with latency because some BOs have a satellite connection, and their latency is around 600 ms. What is the maximum latency in ms that is supported for local mode?
Thanks,
Guido.
01-23-2012 07:14 PM
My 2 cents...
H-REAP LOCAL SWITCHING ... Keep it simple and you will have little change to what you are doing now. However, if you are doing 802.1X security, that could pose a problem.
02-29-2012 06:25 AM
Hi George,
Can you elaborate on the 802.1X authentication problems...?
Sorry to hijack this thread, but I am in the same boat: we have 100 or so DSL branch sites each wanting wireless, and I need to make sure that all APs are managed and that all wireless clients are properly authenticated and posture checked.
Profiling would be nice too.
I am looking at ISE. I understand that it works fine on a campus network where all APs tunnel back to a WLC, but what about branch offices that won't have controllers on them?
Any help would be great.
thanks
Mario De Rosa
02-29-2012 09:15 AM
No worries...
If you use 802.1X and your RADIUS lives at the central location, then if the WAN breaks, new clients cannot authenticate.
Make sense?
03-05-2012 02:43 AM
Hi George, thanks, I understand that, but I thought that you could configure some sort of fallback authentication method in the APs or the WLC?
Also, do you know whether wireless clients can be posture checked at a wireless branch without needing a WLC or ISE on site and without tunneling wireless traffic back to the DC?
thanks
Mario
01-23-2012 07:18 PM
You really want to keep the latency to around 300 ms. So, as George said, H-REAP local switching would be the way to go. Then you can just PBR it to force the traffic to go through the firewall.
Steve
Sent from Cisco Technical Support iPad App
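As an added example of the PBR Steve mentions (not the original poster's configuration), an IOS route-map on the HQ router that terminates the branch WAN links. It forces traffic from the branch wireless subnets to the server farm through the firewall, and adds the reverse direction so a stateful firewall sees both halves of every flow. All addresses and interface names are constructed assumptions: 10.200.0.0/16 summarises the per-branch wireless subnets, 10.10.0.0/16 is the server farm, and 10.1.1.2 / 10.1.2.2 are the firewall's WAN-side and server-side interfaces.

```cisco
! HQ WAN aggregation router (assumed). Addresses are constructed for the example.

! Branch wireless -> server farm: match on the aggregate wireless range.
ip access-list extended BO-WIRELESS-TO-SERVERS
 permit ip 10.200.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
! Server farm -> branch wireless: the return path must also cross the firewall,
! otherwise the stateful firewall sees only one direction of each session.
ip access-list extended SERVERS-TO-BO-WIRELESS
 permit ip 10.10.0.0 0.0.255.255 10.200.0.0 0.0.255.255
!
route-map WIFI-VIA-FW permit 10
 match ip address BO-WIRELESS-TO-SERVERS
 set ip next-hop 10.1.1.2
!
route-map SERVERS-VIA-FW permit 10
 match ip address SERVERS-TO-BO-WIRELESS
 set ip next-hop 10.1.2.2
!
! Policy is applied on the interface where the matching traffic *enters* the router.
interface GigabitEthernet0/1
 description WAN links from branch offices
 ip policy route-map WIFI-VIA-FW
!
interface GigabitEthernet0/2
 description Server farm
 ip policy route-map SERVERS-VIA-FW
!
! Verification: the match counters on the route-maps should climb as wireless
! clients talk to the servers; zero counters mean the ACL or interface is wrong.
! show route-map WIFI-VIA-FW
! show route-map SERVERS-VIA-FW
```

Two caveats. First, PBR can only single out wireless traffic if wireless clients live in an address range that is distinguishable from the wired clients; if wired and wireless share one branch subnet (the customer's stated wish in this thread), the match has to cover the whole branch subnet, so wired traffic goes through the firewall too, or the policy has to be applied at the branch on the wireless VLAN. Second, if the firewall next-hop becomes unreachable, IOS falls back to normal routing and the traffic silently bypasses the firewall, so decide whether that should fail open or fail closed (e.g. `set ip next-hop verify-availability` with object tracking) before relying on it as a security control.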