Converged Access MA and MC licensing

Hello all,
One question regarding the licensing for converged access. If I understand it correctly then when I have a deployment in which I already have a WLC (mobility controller) and I deploy a 3650/3850 switch as a mobility agent, then the AP count licensing needs to be maintained on the MC (WLC) and I don't need AP count licences on the MA (3650/3850)?
Then the only thing I need is to point the MA to the MC IP address and I gain the benefits of converged access architecture (CAPWAP termination ...)?
Thank you.
Marek

I probably found the answer in this document:
http://www.cisco.com/c/en/us/products/collateral/wireless/5700-series-wireless-lan-controllers/qa_c67-726397.html
Q. Do I need a wireless access point license on both the mobility agent and the mobility controller?
A. The license to manage access points is only needed on the mobility controller.
Marek

Similar Messages

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
    building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
    well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
    the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
    are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
    from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
    large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
    the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
    the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
    connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
    support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
    i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
    between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
    feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
    existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
    already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
    focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
    state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
    to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
    subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
    that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
    as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to
    the solution as per the next question. Please advise which is a better option?
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
    then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
    Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
    clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • How do I access the End User Licensing Agreement? I clicked on it and it gives me a message that I need to launch Adobe Reader, accept and close and reopen. Trouble is I can't get to an icon for file to launch. I am working on a Mac and have installed Mac

    I am using a Mac and have installed Adobe Reader for Mac, latest version. I cannot access the End User Licensing Agreement. I clicked on it and it gives me a message that I must launch Adobe, check that I agree, close and reopen. The problem is I can't find any way to launch Adobe because it appears nowhere on my launch pad, nor in my document files or on the control panel. Because of this, I cannot print bank statements nor can I get into my insurance companies billing department to make a payment. HELP!

    How about in your Applications folder?

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs in a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when should we use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
    Less hops for voice calls from user A to user B as data control traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
    Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
    Can someone convince me why would a customer choose converged access?

    They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.

  • 5508 to 5760 w/3850. Migrating from CUWN to Converged access.

    Hi!
    I have a 5508 WLC managing APs in local and flexconnect mode in the current environment. 
    There's a plan to migrate to converged access using 5760 WLC w/HA as MC, 3850 as MA and keep the 5508 as N+1 controller enabling new mobility. 
    It will look like this:
    1 MC 5760 w/HA
    10 3850 as MA
    1 5508 as N+1 (managing flexconnect APs and backup if the 5760 pair fails)
    The questions I have:
    1. After enabling new mobility in the 5508.
    Will I still be able to use flexconnect mode for the remote locations? I know the 5760 doesn't support flexconnect mode, but I'm not sure if the flexconnect feature is not supported in a converged access deployment.
    2. Will I be able to manage and configure everything in the 5760 (MC) and the WLC will push the configurations, WLANS, settings, etc to the 3850s (MA)? Or do I also need to configure WLANS, etc on each individual 3850?
    3. Current license count in the 5508 is at 350 APs.
    The new deployment will have 10 3850s with 5 AP licenses per switch and the 5760 will come with 25 AP licenses. That's a total 75 AP licenses. 
    I would need to purchase 225 additional licenses on the 5760 to make a total of 350 AP licenses.
    Will I be able to move the switches' AP licenses to the 5760 to make 350 AP licenses? 
    The plan is to keep the 5508 as a staging controller to move the APs in the event of a FW upgrade in the 5760.

    First of all 5760 & 5508 AP firmware are not the same. So failing over between these two WLC will be same as doing AP fail over between two 5508 having different software version. (ie AP has to download the image & reboot every time). Also I would suggest you to start this migration step by step as you need to be familiar with this converged access setup (how it works & troubleshoot issues). I would setup 5760 & move one building AP to this CA & monitor it for 2-3 months & then move on.
    Here are the answers to other queries you have.
    1. After enabling new mobility in the 5508.
    Will I still be able to use flexconnect mode for the remote locations? I know the 5760 doesn't support flexconnect mode, but I'm not sure if the flexconnect feature is not supported in a converged access deployment.
    Yes, 5508 support FlexConnect irrespective of "new mobility" feature enable or not. Here is how you configure new mobility & peer a 5760 to a 5508. You need to have 7.6.x or 8.x code on your 5508 to do this.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    2. Will I be able to manage and configure everything in the 5760 (MC) and the WLC will push the configurations, WLANS, settings, etc to the 3850s (MA)? Or do I also need to configure WLANS, etc on each individual 3850?
    I do not think you can do this yet, Cisco will make this happen in future. So you have to configure each & every MA identically. If you have Prime, then IOS-XE 3.7.x onward it supports template configuration. But IOS-XE 3.7 is recently released, so cannot guarantee the stability. (I am using 3.6.1E in my production). Below post will give you some starting point on this configuration
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    3. Current license count in the 5508 is at 350 APs.
    The new deployment will have 10 3850s with 5 AP licenses per switch and the 5760 will come with 25 AP licenses. That's a total 75 AP licenses.
    I would need to purchase 225 additional licenses on the 5760 to make a total of 350 AP licenses.
    Will I be able to move the switches' AP licenses to the 5760 to make 350 AP licenses?
    In the CA setup, licence only required at MC, not in MAs. It is right to use license model & Cisco trust what you configure is what you purchase (no license key/serial number like in 5508/2504/etc). Refer this for some detail
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    Like said earlier, start in small scale & get familiar with new setup, my blog may give some other useful posts on this converged access.
    Let us know if you have further queries on this & happy to help
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Ask the Experts: Single Sign-On with Cisco WebEx Meetings Server, Internet Reverse Proxy, and Enterprise License Manager Solutions

    With Arun Kumar
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
    SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
    IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
    Example question topics include:
    SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
    Basic configuration of IdPs
    Interaction between IdPs and Cisco WMS
    Difference between the cloud client implementation and Cisco WMS
    Meeting access behavior in a split-horizon network topology with SSO
    How to enable public access to Cisco WMS
    Cisco WMS ELM operations
    Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
    Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
    Remember to use the rating system to let Arun know if you have received an adequate response.
    Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Mobile Service,
    CWMS and Jabber integrations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
    In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
    then move to section: Add Cisco WebEx Meetings Server to a Profile
    Once done, move to section: Specify Conferencing Credentials in the Client side. You will see above server already listed there, just go ahead and enter your username and password (please make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber Integration is done and you can start testing the same.
    Attached CWMS - AFDS integration doc.
    Please let me know if any further question.
    Thanks, Arun

  • ISE Auth Policy with Converged Access

    Hi
    I'm setting up a Dot1X authentication using ISE 1.3 and 5760/3850 WLAN controllers. The problem is that I'm not able to match my authentication policy defined on ISE. It jumps directly to the default policy, I'm using Called Station id= SSID but it is not able to match this.
    I have configured this before on WLC Air OS but not with converged access. Is there something that needs to be done on the 3850 WLC to send this info to ISE?

    Yes I can see that everything is working, with certificate and other stuff. It is only that it is not matching the SSID.
    I have tried different ways to do the SSID filtering:
    NAS port ID Equals SSID,
    Called Station ID Equals SSID
    But none of these works. Does anyone know if I have to do something different when doing this setup through converged access?

  • Tried to access programs and get Error: 16 message. What's the problem? Please help!

    Tried to access programs and get Error: 16 message. What's the problem? Please help! Photoshop, photoshop elements, Dreamweaver - none of my Creative Cloud apps will start-up, since my last update. I need to access these programs for jobs I'm working on.

    Hi wdriver,
    It seems like due to some unknown reason permission from the Licensing folder is removed. Please try launching any of the apps by right clicking and select Run as an Administrator, it should fix the issue by doing that.
    Please let us know if it helps.
    Regards,
    Abhijit

  • Converged access

    Hi
    I'm about to set up a converged access solution with WLC 5760 as MC and several 3850 as MA. It is not clear to me what needs to be configured on the MC and what needs to be configured on the MAs.
    I know that each MA has to be configured with the WLAN configuration, but what about things like security profile, ACL, RADIUS? Anyone has a good documentation explaining this?

    Hi
    Below should help you to start with basic peering between MA & MC
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    WLAN configuration to be done on MA
    http://mrncciew.com/2013/12/04/wlan-config-in-3850-part-1/
    http://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/
    Below posts should also help you on 5760/3850 basic configs
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    http://mrncciew.com/2013/09/29/getting-started-with-3850/
    http://mrncciew.com/2013/12/16/configuring-radius-on-5760/
    Also this thread listed some useful documentation about CA.
    https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • ISE - Branch Wired Design - Non-Converged Access - Best policy on the switch??

    Hello,
    I would like to understand that it would be the solution the most adapted in architecture ISE when the PSN server is on the central site and my remote site does not possess PSN and no equipments converge access.
    What takes place it if my link between site central and remote site is down. In this case, which policy to put on my distant switch?
    1/ Check various policies (dot1x -> MAB -> Web-auth) then no block port but just to send a message to the administrator.
    2/ Put ACL on router site.
    3/ ?? other idea
    what would be the most adapted policy?
    Tks a lot
    bye

    https://supportforums.cisco.com/discussion/11602321/ise-nad-radius-fail-open

  • Converged ACCESS CWA

    Hi
    I'm doing CWA with my 3850 WLC, but the client seems to be stuck in "WEBAUTH_PEND" on the WLC client list.
    It all looks ok in the ISE logs and in the client detail I can see that it has gotten the redirect URL, but nothing is happening.
    Someone who can give me some ideas to where I should look into?

    See if these links help
    https://supportforums.cisco.com/document/147096/converged-access-%E2%80%93-configure-ssid-central-web-authentication-cwa-using-ise-catalyst
    HTH
    Rasika
    *** Pls rate all useful responses ***

  • Missing physical media and volume license number

    Recently, we had a set of installer/content disks, case, and volume license number disappear. My employer, an art school, legally purchased a volume license giving us 107 licenses for Design Premium Creative Suite 3 for official school use.
    We are fairly certain that the physical media and license serial number in question were all stolen from us, and we have no clue what is presently being done with the whole lot. We fear that the unknown individuals will use our volume license serial number to exceed the number of installations we are legally allowed.
    We have already found relevant information regarding having the physical media replaced. We want to know what we must do as a school to continue using the software we legally purchased, whether it means being issued a new license serial number or not. Will we suddenly find ourselves unable to install and/or update CS3 around campus? Are we required to buy a new volume license?

    Hi,
    By using the below statement you can achieve all the details of SM04.
    * TH_OPCODE must be declared before the constant that refers to it with LIKE
    DATA : TH_OPCODE(1)         TYPE X.
    CONSTANTS: OPCODE_LIST                     LIKE TH_OPCODE VALUE 2.
    DATA :   USR_TABL       TYPE USRINFO    OCCURS 1 WITH HEADER LINE.
    * SM04 session details of users logged accessing SAP APO
      CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE_LIST
        ID 'TABUSR' FIELD USR_TABL-*SYS* .
    READ TABLE USR_TABL WITH KEY BNAME = <USer-name>.
    by double clicking this you can get the all the details of the User.
    regards,
    Prabhudas

  • ArcReaderControl can be used with only ArcGIS Desktop License and Publisher License

    Using ArcGIS Desktop and Extension License can we able to access ArcReader Control .
    Please reply

    Hello Shruthi M V,
    I'm afraid you need to post this issue to some related forum,
    Both ArcReader Control
    http://help.arcgis.com/en/sdk/10.0/java_ao_adf/api/arcobjects/com/esri/arcgis/controls/ArcReaderControl.html and ArcGIS Desktop and Extension License are not Microsoft Products and should not be asked on MSDN.
    Regards,
    Barry

  • Cannot Access using my Corporate License

    I had been connecting to TFS using my personal visual studio account, but we wanted to set up a corporate space to store our work at connectamerica.visualstudio.com. Now I cannot access anything, and I am being assigned a temporary stakeholder license, even after following the instructions for linking my work account.

    Hi John,
    Can you please provide specific steps? Need a clearer description to help you. Otherwise, many questions:
    When you say TFS, do you mean an on-premises Team Foundation Server? This is your company's TFS?
    What do you mean by personal VS account? A Microsoft account like [email protected]? Or a VS Online account like youraccount.visualstudio.com?
    Where did you link your work account? To an eligible MSDN subscription? This isn't enough unless your work account has the same sign-in address as a Microsoft account. If you don't have an eligible MSDN subscription, you'll get the Stakeholder license instead.
    Also, if your company uses Azure Active Directory (AD) to manage your work account, the VS Online account owner for connectamerica.visualstudio.com must set up work access for that VS Online account. And then make sure your sign-in address is in the connected directory. Otherwise, you can only use Microsoft accounts to sign in (unless your work account has the same sign-in address as a Microsoft account).
    Esther Fan | Visual Studio | If a post answers your question, please mark it as the answer. Thanks!

  • 8.0 to 8.2 upgrade: would it affect configuration and/or licensing?

    Hello team:
    I am planning the upgrade of an ASA 5550 Active/Passive cluster from 8.0 to 8.2 according to the "zero downtime upgrade" documentation available in the web.
    I do not have another cluster for comprehensive testing, but I executed a simple migration procedure on a tiny 5505 and neither licensing features nor the configuration (the command syntax) were affected by this process. I know this is something to care about if you go to 8.3, but this is not my case.
    I browsed the release notes of 8.2(5) and no special disclaimer was found by me with respect to this release. So everything should work just fine, but I would like to double check for input with respect to these two subjects:
    1. Will the licensed features (vpn, concurrent connections, etc) be preserved?
    2. Will the configuration be preserved?
    Your recommendations will be greatly appreciated.
    Thanks a lot in advance.
    Rogelio Alvez
    Argentina

    An ASA 8.0 to 8.2 upgrade should not affect configuration or licensing. I have done it many times without any problem. Just follow the published procedure carefully and you will be fine.
    While you are working on the boxes, I recommend putting ASDM 6.4(7) on them (if it is not already in use) as it is the recommended version for all 8.x releases.
