Converged access question

I want to use the Cisco 3850 switches to manage my APs at our remote locations.  Most of the remote locations will use less than 50 APs so I would only need one MC at each location.  There will be a few locations that will have about 75 APs each.  So am I better off using a different controller or using 2 3850s set up as MC each?
Currently I have two 5508s in our core in a centralized configuration and plan to move them into the DMZ to be anchor controllers.  I have two data centers each with an internet connection in a disaster recovery configuration.  So one controller will be in each location.  I thought that maybe I could buy another controller and put that in the data center as an MC but was not sure if that would be best or stick with the MCs at the remote sites instead.
Thank you for the input.

The current release for the 3850 is 3.3, and it does not support the 3700 series of AP, so the 3850 would not be able to terminate the CAPWAP tunnel.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/release_notes/OL_30562_01.html#wp149415
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered

Similar Messages

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
    building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
    well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
    the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
    are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
    from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
    large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
    the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
    the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
    connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
    support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
    i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
    between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
    feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
    existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
    already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
    focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
    state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
    to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
    subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
    that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
    as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to
    the solution as per the next question. Please advise which is a better option?
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
    then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
    Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
    clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • 5508 to 5760 w/3850. Migrating from CUWN to Converged access.

    Hi!
    I have a 5508 WLC managing APs in local and flexconnect mode in the current environment. 
    There's a plan to migrate to converged access using 5760 WLC w/HA as MC, 3850 as MA and keep the 5508 as N+1 controller enabling new mobility. 
    It will look like this:
    1 MC 5760 w/HA
    10 3850 as MA
    1 5508 as N+1 (managing flexconnect APs and backup if the 5760 pair fails)
    The questions I have:
    1. After enabling new mobility in the 5508.
    Will I still be able to use flexconnect mode for the remote locations? I know the 5760 doesn't support flexconnect mode, but I'm not sure if the flexconnect feature is not supported in a converged access deployment.
    2. Will I be able to manage and configure everything in the 5760 (MC) and the WLC will push the configurations, WLANS, settings, etc to the 3850s (MA)? Or do I also need to configure WLANS, etc on each individual 3850?
    3. Current license count in the 5508 is at 350 APs.
    The new deployment will have 10 3850s with 5 AP licenses per switch and the 5760 will come with 25 AP licenses. That's a total 75 AP licenses. 
    I would need to purchase 225 additional licenses on the 5760 to make a total of 350 AP licenses.
    Will I be able to move the switches' AP licenses to the 5760 to make 350 AP licenses? 
    The plan is to keep the 5508 as a staging controller to move the APs in the event of a FW upgrade in the 5760.

    First of all, 5760 & 5508 AP firmware are not the same. So failing over between these two WLCs will be the same as doing AP failover between two 5508s having different software versions (i.e. the AP has to download the image & reboot every time). Also I would suggest you start this migration step by step as you need to be familiar with this converged access setup (how it works & how to troubleshoot issues). I would set up the 5760 & move one building's APs to this CA & monitor it for 2-3 months & then move on.
    Here are the answers to the other queries you have.
    1. After enabling new mobility in the 5508.
    Will I still be able to use flexconnect mode for the remote locations? I know the 5760 doesn't support flexconnect mode, but I'm not sure if the flexconnect feature is not supported in a converged access deployment.
    Yes, the 5508 supports FlexConnect irrespective of whether the "new mobility" feature is enabled or not. Here is how you configure new mobility & peer a 5760 to a 5508. You need to have 7.6.x or 8.x code on your 5508 to do this.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    2. Will I be able to manage and configure everything in the 5760 (MC) and the WLC will push the configurations, WLANS, settings, etc to the 3850s (MA)? Or do I also need to configure WLANS, etc on each individual 3850?
    I do not think you can do this yet, Cisco will make this happen in future. So you have to configure each & every MA identically. If you have Prime, then from IOS-XE 3.7.x onward it supports template configuration. But IOS-XE 3.7 is recently released, so cannot guarantee the stability. (I am using 3.6.1E in my production). The post below will give you some starting point on this configuration
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    3. Current license count in the 5508 is at 350 APs.
    The new deployment will have 10 3850s with 5 AP licenses per switch and the 5760 will come with 25 AP licenses. That's a total 75 AP licenses.
    I would need to purchase 225 additional licenses on the 5760 to make a total of 350 AP licenses.
    Will I be able to move the switches' AP licenses to the 5760 to make 350 AP licenses?
    In the CA setup, a license is only required at the MC, not in MAs. It is a right-to-use license model & Cisco trusts that what you configure is what you purchase (no license key/serial number like in 5508/2504/etc). Refer to this for some detail
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    Like said earlier, start in small scale & get familiar with new setup, my blog may give some other useful posts on this converged access.
    Let us know if you have further queries on this & happy to help
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Converged Access MA and MC licensing

    Hello all,
    one question regarding the licensing for converged access. If I understand it correctly then when I have a deployment in which I already have a WLC (mobility controller) and I deploy a 3650/3850 switch as a mobility agent, then the AP count licensing needs to be maintained on the MC (WLC) and I don't need AP count licences on the MA (3650/3850)?
    Then the only thing I need is to point the MA to the MC IP address and I gain the benefits of converged access architecture (CAPWAP termination ...)?
    Thank you.
    Marek

    I probably found the answer in this document:
    http://www.cisco.com/c/en/us/products/collateral/wireless/5700-series-wireless-lan-controllers/qa_c67-726397.html
    Q. Do I need a wireless access point license on both the mobility agent and the mobility controller?
    A. The license to manage access points is only needed on the mobility controller.
    Marek

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs in a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
    Less hops for voice calls from user A to user B as data control traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
    Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
    Can someone convince me why would a customer choose converged access?

    They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.

  • ISE Auth Policy with Converged Access

    Hi
    I'm setting up Dot1X authentication using ISE 1.3 and 5760/3850 WLAN controllers. The problem is that I'm not able to match my authentication policy defined on ISE. It jumps directly to the default policy. I'm using Called Station ID = SSID but it is not able to match this.
    I have configured this before on WLC AireOS but not with converged access. Is there something that needs to be done on the 3850 WLC to send this info to ISE?

    Yes, I can see that everything is working, with certificate and other stuff. It is only that it is not matching the SSID.
    I have tried different ways to do the SSID filtering:
    NAS port ID Equals SSID,
    Called Station ID Equals SSID
    But none of these work. Does anyone know if I have to do something different when doing this setup through converged access?

  • Converged access

    Hi
    I'm about to set up a converged access solution with WLC 5760 as MC and several 3850 as MA. It is not clear to me what needs to be configured on the MC and what needs to be configured on the MAs.
    I know that each MA has to be configured with the WLAN configuration, but what about things like security profile, ACL, RADIUS? Does anyone have good documentation explaining this?

    Hi
    Below should help you to start with basic peering between MA & MC
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    WLAN configuration to be done on MA
    http://mrncciew.com/2013/12/04/wlan-config-in-3850-part-1/
    http://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/
    The posts below should also help you with 5760/3850 basic configs
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    http://mrncciew.com/2013/09/29/getting-started-with-3850/
    http://mrncciew.com/2013/12/16/configuring-radius-on-5760/
    Also this thread listed some useful documentation about CA.
    https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • ISE - Branch Wired Design - Non-Converged Access - Best policy on the switch??

    Hello,
    I would like to understand what the most suitable solution would be in an ISE architecture when the PSN server is on the central site and my remote site has no PSN and no converged access equipment.
    What happens if my link between the central site and the remote site is down? In this case, which policy should I put on my remote switch?
    1/ Check various policies (dot1x -> MAB -> Web-auth), then do not block the port but just send a message to the administrator.
    2/ Put ACL on router site.
    3/ ?? other idea
    What would be the most suitable policy?
    Tks a lot
    bye

    https://supportforums.cisco.com/discussion/11602321/ise-nad-radius-fail-open

  • Converged ACCESS CWA

    Hi
    I'm doing CWA with my 3850 WLC, but the client seems to be stuck in "WEBAUTH_PEND" on the WLC client list.
    It all looks OK in the ISE logs and in the client detail I can see that it has gotten the redirect URL, but nothing is happening.
    Can someone give me some ideas as to where I should look?

    See if these links help
    https://supportforums.cisco.com/document/147096/converged-access-%E2%80%93-configure-ssid-central-web-authentication-cwa-using-ise-catalyst
    HTH
    Rasika
    *** Pls rate all useful responses ***

  • WRT54GS V6 access question.

    Just set up the network.
    WRT54GS with a Wireless-G USB adapter
    2nd pc is linked and working great!
    Question is: How do I access the 2nd pc from the 1st pc?
    I click on my computer > network places > view computer work groups.
    When I click on the 2nd pc it ask for a password. Where would I find the password to access the 2nd pc? I checked the Easylink advisor but can't find anything.
    Anyone know? I would like to transfer files from one pc to the other.

    Hi… This is the login password for your PC and has nothing to do with your router or adapter. If you have set up any account on this computer such as administrator or any other, you can provide login credentials for the same and access the shared resources on that PC.

  • Expanding network with TC and access question

    Hi All
    I need to look at a new external hard disk since my current 160gb is just getting too full, so I figured it might be time to get a Time Capsule, probably the 1tb.
    I've got two questions before I do..
    1. Currently I have Sky Broadband. I've read a lot of people saying that it is not possible to make TC part of the existing network through wifi so have to connect. If that's the case I'm probably better off with a standard network drive. Has anyone managed to do this yet? I'm wondering if the reviews I've read are just that people couldn't work it out?
    2. I assume this is the case, but can I access the HD as a standard network drive for general storage? Is it possible to define how much space Time Machine can use say 500gb, and leave 500gb for general usage?
    Many thanks for any answers

    The issue I have is that Sky Broadband forces you to use their router for broadband access. They hide the user name and password on a chip so it is not possible to configure.
    Besides my phone is downstairs and my printer is upstairs in the little office. My plan was to have TC upstairs, with printer connected. Have both the TC and Sky Broadband router all part of the same network.
    Then I'd use a cable to do the first backup and use wireless for incremental backups.
    It does look as though I can't use this configuration. But it's a bit strange, I thought it was part of standard wireless networks that you could use access points to extend them. I assume then that Apple are not using all of the standards?
    If that is the case, I'd have to plug it into my router as a wired option, in which case any external HD with a network interface will do half the job I need.
    I'm just trying to find out if anyone has managed to get it extended from sky (or other router). Note I can change my sky router settings so in theory could change the sky one to use the apple settings, does that make a difference? Anyone had success that way?

  • DVD @ access questions?

    I am putting together a short promo DVD for a client and I have a catalogue of their products as an image on the DVD that you can access via the main menu. What I want to do is have it so the products are 'clickable' and will take the user [when online] to the client's web site. I did a search but I can't find out how to link this page to the DVD access settings in the inspector. Any help? Also, can you link a button to open up an email application so the user can email direct from watching this DVD? Questions questions questions....thanks in advance. Oh, I'm on DVDSP2.

    DVD@ccess is actually quite limited and not entirely compatible with the range of DVD playback software/hardware available on a PC... you might be better off using eDVD from Sonic (which is PC software, making use of the Interactual Player, rather than @ccess).
    However, @ccess links are embedded in to a menu - so any button you have got needs to go to a menu that simply has the @ccess URL embedded and the menu needs to time out to return to where the button was. For launching a web site simply use the standard URL for the site, include the http:// info in that.
    Now, sending an email is not going to work all of the time, but you can try it out and see if it has the functionality you want. The URL to place into the menu for DVD@ccess is the HTML 'mailto' code. Simply write:
    mailto:[email protected], replacing name, domain and .com with the relevant info. If you have got the @ccess links enabled on your Mac, try simulating the menu with this in it... you should see Mail launch (it takes a moment for it to appear, but should work). Whether or not this will work on a PC with Outlook I don't know...

  • Call Manager 4.13 Multi-Level Access Question

    I need to configure MLA and have read the CCO documentation. My question is - I'm not familiar with the ccmadministrator account and want to make sure that when I'm prompted to reset the password to this account immediately after enabling MLA - that I'm not going to muck up any underlying service that uses this account for something other than ccmadmin web access.

    Hi Pklos,
    I enabled the MLA and configured two functional groups and everything is working like a charm!
    Thanks!
    Amir

  • File Access questions

    2 questions
    1.) I can't edit files from the portal, I can only view them, is this normal?
    2.) Can I view files on my smart phone? I've seen this work for SBS so I'm wondering if there is a way to do it here?
    Thanks!

    "Users" allows you to set up custom access permissions for users or groups you specify.
    For example, for some file:
    User: me - Read & Write
    User: mywife - Read only
    Others: No Access
    You can write to the file. Your wife can open it but not edit it. Your kids cannot access it.

  • Newbie Database Access Question

    I am familiar with SQL and database access from web programming, but have never done these things from within a Java application. My google searching has been fruitless thus far, so I'd appreciate any references to beginner's guides about how to query databases from a Java app and manipulate the resulting recordsets. Anything on Access db's would be ideal.
    TIA,
    John

    Thanks for the reference. I have a question about this section of the tutorial:
    http://java.sun.com/docs/books/tutorial/jdbc/basics/connecting.html
    Under the section "Loading the Drivers" is the following paragraph:
    Loading the driver or drivers you want to use is very simple and involves just one line of code. If, for example, you want to use the JDBC-ODBC Bridge driver, the following code will load it:
    Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    Your driver documentation will give you the class name to use. For instance, if the class name is jdbc.DriverXYZ , you would load the driver with the following line of code:
    Class.forName("jdbc.DriverXYZ");
    My question is: How do I decide which driver I need for connecting to an Access db on a Win XP machine? Is there perhaps another reference which answers these kinds of questions?
    Thanks again,
    John
