Cisco Flex 7500 Deployment Manual

Wireless branch controller

Flex 7500 Wireless Branch Controller
Deployment Guide
Last Updated: August, 2016
Introduction
This document describes how to deploy a Cisco Flex 7500 wireless branch controller. The purpose of
this document is to:
• Explain various network elements of the Cisco FlexConnect solution, along with their
communication flow.
• Provide general deployment guidelines for designing the Cisco FlexConnect wireless branch
solution.
Note: Prior to release 7.2, FlexConnect was called Hybrid REAP (HREAP). Now it is called
FlexConnect.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
Cisco Systems, Inc.
www.cisco.com

Summary of Contents for Cisco Flex 7500

  • Page 1 Deployment Guide Last Updated: August, 2016 Introduction This document describes how to deploy a Cisco Flex 7500 wireless branch controller. The purpose of this document is to: • Explain various network elements of the Cisco FlexConnect solution, along with their...
  • Page 2 IT managers to configure, manage, and troubleshoot up to 6000 access points (APs) and 64,000 clients from the data center. The Cisco Flex 7500 series controller supports secure guest access, rogue detection for Payment Card Industry (PCI) compliance, and in-branch (locally switched) Wi-Fi voice and video.
  • Page 3 Product Specifications Product Specifications Data Sheet Refer to Cisco Flex 7500 Series Cloud Controller Data Sheet: http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11635/data_sheet_c78-650053.html Platform Feature Figure 2 Flex 7500 Rear View Network Interface Ports Interface Ports Usage Fast Ethernet Integrated Management Module (IMM) Port 1: 1G...
  • Page 4 WLC 7500 displays BIOS version, PID/VID and Serial Number as part of inventory. Flex 7500 is currently shipped with VID=V02. Note Flex 7500 Boot Up Cisco boot loader options for software maintenance are identical to Cisco's existing controller platforms. Flex 7500 Wireless Branch Controller Deployment Guide...
  • Page 5 Flex 7500 Boot Up Figure 3 Boot-Up Order...
  • Page 6 Flex 7500 Boot Up Figure 4 WLC Configuration Wizard The Flex 7500 boot up sequence is equivalent and consistent with existing controller platforms. Note Initial boot up requires WLC configuration using the Wizard...
  • Page 7 The Flex 7500 supports WLC code version 7.0.116.x and later only. Supported Access Points Access Points 3600, 3500, 2600, 1600, 1550, 1260, 1240, 1140, 1130, 1040, 700, and 600 series, Cisco 891 Series Integrated Services Router and Cisco 881 Series Integrated Services Router.
  • Page 8 Advantages of Centralizing Access Point Control Traffic • Single pane of monitoring and troubleshooting. • Ease of management. • Secured and seamless mobile access to Data Center resources. • Reduction in branch footprint. • Increase in operational savings...
  • Page 9 Increase in branch scalability. Supports branch size that can scale up to 100 APs and 250,000 square feet (5000 sq. feet per AP). The Cisco FlexConnect solution also supports Central Client Data Traffic, but it is limited to Guest data traffic only. This next table describes the restrictions on WLAN L2 security types only for non-guest clients whose data traffic is also switched centrally at the Data Center.
  • Page 10 640 Kbps 300 ms 1000 Data 1.44Mbps 1 sec 1000 Data + Voice 128 Kbps 100 ms Data + Voice 1.44Mbps 100 ms 1000 Monitor 64 Kbps 2 sec Monitor 640 Kbps 2 sec...
  • Page 11 • Branch size that can scale up to 100 APs and 250,000 square feet (5000 sq. feet per AP) • Central management and troubleshooting • No operational downtime • Client-based traffic segmentation • Seamless and secured wireless connectivity to corporate resources • PCI compliant • Support for guests...
  • Page 12 The Flex 7500 solution virtualizes the complex security, management, configuration, and troubleshooting operations within the data center and then transparently extends those services to each branch. Deployments using Flex 7500 are easier for IT to set up, manage and, most importantly, scale. Advantages Increase scalability with 6000 AP support.
  • Page 13 FlexConnect APs implemented with WIPS mode can increase bandwidth utilization significantly based on the activity being detected by the APs. If the rules have forensics enabled, the link utilization can go up by almost 100 Kbps on average...
  • Page 14 • Centrally Switched SSID Data center across all stores for Local Store Manager administrative access. • Locally Switched SSID Store with different WPA2-PSK keys across all stores for hand-held scanners...
  • Page 15 WLAN ID 17 and beyond because these are not part of the default group and can be limited to each store. Step 2 Under WLAN > Security, choose PSK from the Auth Key Mgmt drop-down list, choose ASCII from the PSK Format drop-down list, and click Apply...
  • Page 16 Click WLAN > General, verify the Security Policies change, and check the Status box to enable the WLAN. Step 4 Repeat steps 1, 2 and 3 for new WLAN profile Store2, with SSID as store and ID as 18...
  • Page 17 Store. In this example, California is used as the location of the store. Click Add when done. Step 9 Click Add Group and create the AP Group Name as Store2 and the description as New York. Step 10 Click Add. Step 11...
  • Page 18 Step 21 Under WLAN, from WLAN SSID drop-down, choose WLAN ID 18 store(18). Step 22 Click Add after WLAN ID 18 is selected. Repeat steps 14-16 for WLAN ID 1 DataCenter(1). Step 23...
  • Page 19 Note Adding APs to the AP group is not captured in this document, but it is needed for clients to access network services. Summary • AP groups simplify network administration. • Troubleshooting ease with per branch granularity • Increased flexibility...
  • Page 20 FlexConnect Groups FlexConnect Groups Figure 8 Central Dot1X Authentication (Flex 7500 Acting as Authenticator) In most typical branch deployments, it is easy to foresee that client 802.1X authentication takes place centrally at the Data Center as shown in Figure 8. Because the above scenario is perfectly valid, it raises these concerns: •...
  • Page 21 9, branch clients can continue to perform 802.1X authentication when the FlexConnect Branch APs lose connectivity with Flex 7500. As long as the RADIUS/ACS server is reachable from the Branch site, wireless clients will continue to authenticate and access wireless services.
  • Page 22 • This feature along with Backup Radius and Local Authentication (Local-EAP) ensures no operational downtime for your branch sites. Note CCKM/OKC fast roaming among FlexConnect and non-FlexConnect access points is not supported...
  • Page 23 Step 1 Click New under Wireless > FlexConnect Groups. Step 2 Assign Group Name Store 1, similar to the sample configuration as shown in Figure Step 3 Click Apply when the Group Name is set...
  • Page 24 FlexConnect Groups Step 4 Click the Group Name Store 1 that you just created for further configuration. Step 5 Click Add AP...
  • Page 25 If you have created an AP-Group per Store (Figure 7), then ideally all the APs of that AP-Group should be part of this FlexConnect Group (Figure 11). Maintaining 1:1 ratio between the AP-Group and FlexConnect group simplifies network management...
  • Page 26 Step 12 Click Apply after the check box is set. Note If you have a backup controller, make sure the FlexConnect groups are identical and AP MAC address entries are included per FlexConnect group...
  • Page 27 Step 20 Check the FlexConnect Local Auth box in order to enable Local Authentication in Connected Mode. Note Local Authentication is supported only for FlexConnect with Local Switching. Note Always make sure to create the FlexConnect Group before enabling Local Authentication under WLAN...
  • Page 28 FlexConnect Groups NCS and Cisco Prime also provide the FlexConnect Local Auth check box in order to enable Local Authentication in Connected Mode as shown here:...
  • Page 29 FlexConnect Groups NCS and Cisco Prime also provide a facility to filter and monitor FlexConnect Locally Authenticated clients as shown here:...
  • Page 30 FlexConnect Groups...
  • Page 31 In order to have dynamic VLAN assignment, AP would have the interfaces for the VLAN pre-created based on a configuration using existing WLAN-VLAN Mapping for individual FlexConnect AP or using ACL-VLAN mapping on a FlexConnect group. The WLC is used to pre-create the sub-interfaces at the AP...
  • Page 32 Step 1 Create a WLAN for 802.1x authentication. Step 2 Enable AAA override support for local switching WLAN on the WLC. Navigate to WLAN GUI > WLAN > WLAN ID > Advance tab...
  • Page 33 Step 4 The AP is in local mode by default, so convert the mode to FlexConnect mode. Local mode APs can be converted to FlexConnect mode by going to Wireless > All APs, and click the Individual AP...
  • Page 34 Navigate under WLC GUI > Wireless > FlexConnect Groups > Select FlexConnect Group > General tab > Add AP. Step 6 The FlexConnect AP should be connected on a trunk port and WLAN mapped VLAN and AAA overridden VLAN should be allowed on the trunk port...
  • Page 35 In order to configure AAA VLAN on the FlexConnect AP, navigate to WLC GUI > Wireless > FlexConnect Group, click the specific FlexConnect group > VLAN-ACL mapping, and enter VLAN in the Vlan ID field...
  • Page 36 Step 12 to check the client details. Limitations • Cisco Airespace-specific attributes will not be supported and IETF attribute VLAN ID will only be supported. • A maximum of 16 VLANs can be configured in per-AP configuration either via WLAN-VLAN...
  • Page 37 • If the VLAN is not returned from an AAA server, the client will be assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally. Procedure Complete these steps: Step 1 Configure a WLAN for Local Switching and enable AAA override...
  • Page 38 FlexConnect VLAN Based Central Switching Step 2 Enable VLAN based Central Switching on the newly created WLAN. Step 3 Set AP Mode to FlexConnect...
  • Page 39 Step 5 In this example, VLAN 62 is configured on WLC as one of the dynamic interfaces and is not mapped to the WLAN on the WLC. The WLAN on the WLC is mapped to Management VLAN (that is, VLAN 61)...
  • Page 40 WLAN mapped interface on the WLC (that is, VLAN 61 in this example setup), because the WLAN is mapped to the Management interface which is configured for VLAN 61...
  • Page 41 Limitations • VLAN Based Central Switching is only supported on WLANs configured for Central Authentication and Local Switching. • The AP sub-interface (that is, VLAN Mapping) should be configured on the FlexConnect AP...
  • Page 42 Complete these steps: Step 1 Create a FlexConnect ACL on the WLC. Navigate to WLC GUI > Security > Access Control List > FlexConnect ACLs. Click New. Step 2 Configure the ACL Name. Step 3...
  • Page 43 Step 8 Map FlexConnect ACL configured above at AP level for individual VLANs under VLAN mappings for individual FlexConnect AP. Navigate to WLC GUI > Wireless > All AP, click the specific AP > FlexConnect tab > VLAN Mapping...
  • Page 44 • A maximum of 32 ACLs can be mapped per FlexConnect group or per FlexConnect AP. • At any given point in time, there is a maximum of 16 VLANs and 32 ACLs on the FlexConnect AP...
  • Page 45 • The DHCP required should be enabled on WLANs configured for Split Tunneling. • The Split Tunneling configuration is applied per WLAN configured for central switching on per Flex AP or for all the Flex APs in a FlexConnect Group. Procedure Complete these steps:...
  • Page 46 FlexConnect Split Tunneling Step 1 Configure a WLAN for Central Switching (that is, Flex Local Switching should not be enabled). Step 2 Set DHCP Address Assignment to Required. Step 3 Set AP Mode to FlexConnect...
  • Page 47 Flex APs in a Flex Connect group. Complete these steps in order to push Flex ACL as a Local Split ACL to individual Flex AP: Click Local Split ACLs...
  • Page 48 FlexConnect Split Tunneling Select WLAN Id on which Split Tunnel feature should be enabled, choose Flex-ACL, and click Add. Flex-ACL is pushed as Local-Split ACL to the Flex AP...
  • Page 49 Select the WLAN Id on which the Split Tunneling feature should be enabled. On the WLAN-ACL mapping tab, select FlexConnect ACL from the FlexConnect group where particular Flex APs are added, and click Add. The Flex-ACL is pushed as LocalSplit ACL to Flex APs in that Flex group...
  • Page 50 This feature is enabled by default and cannot be disabled. It requires no configuration on the controller or AP. However, to ensure Fault Tolerance works smoothly and is applicable, this criteria should be maintained: • WLAN ordering and configurations have to be identical across the primary and backup Flex 7500 controllers.
  • Page 51 For example, limiting total Guest Clients from branch tunneling back to the Data Center. In order to address this challenge, Cisco is introducing Client Limit per WLAN feature that can restrict the total clients allowed on a per WLAN basis.
  • Page 52 Default for Maximum Allowed Clients is set to 0, which implies there is no restriction and the feature is disabled. NCS Configuration In order to enable this feature from the NCS, go to Configure > Controllers > Controller IP > WLANs > WLAN Configuration > WLAN Configuration Details...
  • Page 53 Client Limit per WLAN Configuration through Cisco Prime In order to enable this feature from the Cisco Prime, go to Configure > Controllers > Controller IP > WLANs > WLAN Configuration > WLAN Configuration Details...
  • Page 54 From release 7.2 onwards, peer-to-peer blocking is supported for clients associated on local switching WLAN. Per WLAN, peer-to-peer configuration is pushed by the controller to FlexConnect AP. Summary • Peer-to-peer Blocking is configured per WLAN...
  • Page 55 ACLs can be used as a workaround for this limitation. AP Pre-Image Download This feature allows the AP to download code while it is operational. The AP pre-image download is extremely useful in reducing the network downtime during software maintenance or upgrades...
  • Page 56 AP Pre-Image Download Summary • Ease of software management • Schedule per store upgrades: NCS or Cisco Prime is needed to accomplish this. • Reduces downtime Procedure Complete these steps: Step 1 Upgrade the image on the primary and backup controllers. Navigate under WLC GUI >...
  • Page 57 FlexConnect Smart AP Image Upgrade The pre-image download feature reduces the downtime duration to a certain extent, but still all the FlexConnect APs have to pre-download the respective AP images over the WAN link with higher latency...
  • Page 58 Reduces downtime and saves WAN bandwidth Procedure Complete these steps: Step 1 Upgrade the image on the controller. Navigate to WLC GUI > Commands > Download File in order to begin the download...
  • Page 59 Step 4 Click the FlexConnect AP Upgrade check box in order to achieve efficient AP image upgrade. Navigate to WLC GUI > Wireless > FlexConnect Groups, select FlexConnect Group > Image Upgrade tab...
  • Page 60 Manual field will be updated as yes. In order to automatically select Master AP, navigate to WLC GUI > Wireless > FlexConnect Groups, select FlexConnect Group > Image Upgrade tab, and click FlexConnect Upgrade...
  • Page 61 Master AP which is at the local site and is the reason under All AP page Upgrade Role will be updated as Slave/Local. In order to verify this, navigate to WLC GUI > Wireless...
  • Page 62 • Smart AP image upgrade does not work when the Master AP is connected over CAPWAPv6. Auto Convert APs in FlexConnect Mode The Flex 7500 provides these two options to convert the AP mode to FlexConnect: • Manual mode • Auto convert mode...
  • Page 63 This mode is available only for the Flex 7500 Controller and is supported only using CLI. This mode triggers the change on all the connected APs. It is recommended that Flex 7500 is deployed in a different mobility domain than existing WLC campus controllers before you enable this CLI: •...
  • Page 64 Flex AP transitions from Standalone to Connected mode. Wired/Wireless clients will inherit WGB’s configuration, which means no separate configuration like AAA authentication, AAA override, and FlexConnect ACL is required for clients behind WGB...
  • Page 65 No special configuration is needed in order to enable WGB/uWGB support on FlexConnect APs for WLANs configured for local switching as WGB. Also, clients behind WGB are treated as normal clients on local switching configured WLANs by Flex APs. Enable FlexConnect Local Switching on a WLAN...
  • Page 66 FlexConnect WGB/uWGB Support for Local Switching WLANs Step 2 Set AP Mode to FlexConnect...
  • Page 67 Step 4 In order to check the details for WGB, go to Monitor > Clients, and select WGB from the list of clients. Step 5 In order to check the details of the wired/wireless clients behind WGB, go to Monitor > Clients, and select the client...
  • Page 68 RADIUS server. This is consistent with the present FlexConnect group configuration for the RADIUS server. Procedure Step 1 Mode of configuration prior to release 7.4. A maximum of 17 RADIUS servers can be configured under the AAA Authentication configuration...
  • Page 69 RADIUS servers configured on the AAA Authentication page. Step 3 Mode of configuration at FlexConnect Group in release 7.4. Primary and Secondary RADIUS servers can be configured under the FlexConnect Group using an IP address, port number and Shared Secret...
  • Page 70 Guest Access Support in Flex 7500 Flex 7500 will allow and continue to support creation of EoIP tunnel to your guest anchor controller in DMZ. For best practices on the wireless guest access solution, refer to the Guest Deployment Guide.
  • Page 71 For more information on managing WLC and discovering templates, refer to the Cisco Wireless Control System Configuration Guide, Release 7.0.172.0. Managing WLC 7500 with Cisco Prime The management of the WLC 7500 from Cisco Prime is identical to Cisco's existing WLCs...
  • Page 72 Generate CA certificate from the CA server. Import device and CA certificate into the WLC in .pem format. On Client: Generate client certificate. Get client certificate signed by CA server. Generate CA certificate from the CA server...
  • Page 73 In the example below, two WLANs have been created, one for EAP-TLS and the other for PEAP authentication. Figure 14 WLAN Configuration for PEAP and EAP-TLS Enable FlexConnect Local Switching and FlexConnect Local Auth...
  • Page 74 FlexConnect group with the existing LEAP and EAP-FAST options. Current controller release supports downloading of EAP device and root (CA) certificates to the controller and the same is stored in PEM format on the flash...
  • Page 75 Upon receiving a certificate message from the controller, the AP will import these certificates, store them in memory and use them for authenticating clients. EAP TLS Certificate Download option is provided to push any updated certificates to the AP...
  • Page 76 Figure 20 Files Stored in the Flash on AP Client Configuration Configure the wireless profile for EAP-TLS by selecting EAP Type EAP-TLS and specifying the Trusted Root certificate Authorities and the client certificate...
  • Page 77 Support for PEAP and EAP-TLS Authentication Figure 21 Wireless Profile for EAP-TLS Figure 22 Validate Server Identity Once the client is connected, Server Based Authentication will reflect EAP-TLS...
  • Page 78 Support for PEAP and EAP-TLS Authentication Figure 23 Client Authentication using EAP-TLS Client Certificates The Trusted Root and Client Certificates can be viewed as follows (These are the certificates as generated earlier)...
  • Page 79 Support for PEAP and EAP-TLS Authentication Figure 24 Certificates on Client...
  • Page 80 Support for PEAP and EAP-TLS Authentication Figure 25 Trusted Root (CA) Certificate on Client...
  • Page 81 Support for PEAP and EAP-TLS Authentication Figure 26 Trusted Client Certificate Show Commands The EAP type of the client will be reflected on the WLC and can be seen in the output of show client detail...
  • Page 82 PEAP (EAP-MSCHAPv2 and EAP-GTC) EAP Type is supported with release 7.5 and Users need to be added on the WLC as shown below. A maximum of 100 users can be added per FlexConnect group. User Creation Figure 28 User Addition for Local Authentication...
  • Page 83 Client Configuration Selecting EAP Type EAP-MSCHAPv2 or GTC can configure the wireless profile for EAP-PEAP. Figure 29 Wireless Profile for EAP-PEAP (EAP-MSCHAPv2) Users created on the controller need to be configured on the client...
  • Page 84 Support for PEAP and EAP-TLS Authentication Figure 30 User Name and Password for PEAP...
  • Page 85 Once the client is connected, Server Based Authentication will reflect PEAP(EAP-MSCHAPv2) Figure 32 Client Authentication using PEAP(EAP-MSCHAPv2) Once the client is authenticated, the EAP Type can be seen under the Client Detail page...
  • Page 86 Two new CLIs have been added to configure PEAP and EAP-TLS from the controller. config flexconnect group <groupName> radius ap peap <enable | disable> config flexconnect group <groupName> radius ap eap-tls <enable | disable>...
  • Page 87 With increasing number of APs in a deployment, there is a need to provide the capability of adding WLAN to VLAN maps from the FlexConnect group. This will be supported in release 7.5...
  • Page 88 The following figure depicts the order of precedence as it refers to WLAN-VLAN mapping at the WLAN, FlexConnect group and at the AP. Figure 36 Flow of Inheritance GUI Configuration Create WLAN for Local Switching...
  • Page 89 WLAN-VLAN mapping at FlexConnect Group Level Figure 37 WLAN for Local Switching Figure 38 FlexConnect Local Switching The WLAN is mapped to the management VLAN 56...
  • Page 90 WLAN Mapped to VLAN 56 Management Interface Figure 40 WLAN Mapped to VLAN 56 as Per WLAN-Specific Mapping When a client connects to this WLAN, it will get an IP in VLAN 56...
  • Page 91 Create WLAN-VLAN mapping under FlexConnect Groups. This capability is the new feature in release 7.5. Figure 42 WLAN Mapped to VLAN 57 under FlexConnect Group WLAN-VLAN mappings can be viewed per AP from the VLAN Mappings page...
  • Page 92 In this example, the WLAN is mapped to VLAN 57 on the FlexConnect Group, since the Group-specific mappings take precedence over WLAN-specific mappings. Figure 44 WLAN 1 Mapped to VLAN 57 as Per Group-Specific Configuration Inheritance The client is assigned an IP address in VLAN 57...
  • Page 93 Once this is done, the WLAN is mapped to VLAN 58 since AP-specific mappings take precedence over Group-specific and WLAN-specific mappings. Figure 46 WLAN Mapped to VLAN 58 as Per AP-Specific Mapping Inheritance The client is assigned an IP address in VLAN 58...
  • Page 94 <wlan_id> <ap_name> Figure 48 WLAN-VLAN Configuration at FlexConnect Group from CLI The command show flexconnect group detail can be used to see the WLAN-VLAN mapping for the FlexConnect group...
  • Page 95 Figure 50 show ap config general Output The following commands can be used to troubleshoot this feature: • On WLC: debug flexconnect wlan-vlan <enable | disable> • On AP: debug capwap flexconnect wlan-vlan...
  • Page 96 VLAN ACL, which is applied on the VLAN of the Ethernet interface of the Client ACL applied in addition to VLAN-ACL, both can exist simultaneously and are applied serially...
  • Page 97 Create Local Switching WLAN Turn on AAA override for the WLAN Enable AAA override Create a FlexConnect ACL FlexConnect ACL can be configured from the Security page as well as from the Wireless page...
  • Page 98 Client ACL Support Figure 52 Configure FlexConnect ACL Figure 53 Configure FlexConnect ACL Assign the FlexConnect ACL to the FlexConnect group or to the AP...
  • Page 99 Client ACL Support Figure 54 ACL Mapping on FlexConnect Group Figure 55 ACL Mapping on AP Configure the Airespace attribute on the Radius/Cisco ACS server/ISE...
  • Page 100 Client ACL Support Figure 56 Aire-Acl-Name on Cisco ACS Server Figure 57 Airespace ACL Name on ISE Authenticate the client...
  • Page 101 • Each ACL will have a maximum of 64 rules. • If client is already authenticated, and ACL name is changed on the radius, then client will have to do a full authentication again to get the correct client ACL...
  • Page 102 VideoStream for FlexConnect Local Switching Introduction Cisco Unified Wireless Network (CUWN) release 8.0 introduces a new feature—VideoStream for Local Switching, for branch office deployments. This feature enables the wireless architecture to deploy multicast video streaming across the branches, just like it is currently possible for enterprise deployments.
  • Page 103 IGMPv2 is the supported version on all of the controllers. VideoStream is supported on 802.11n models of APs consisting of Cisco Aironet 1140, 1250, 1260, 1520, 1530, 1550, 1600, 2600, 3500, 3600 series APs and 802.11ac models 3700 and 2700 series APs.
  • Page 104 Higher Video Scaling on Clients With Cisco VideoStream technology, all of the replication is done at the edge (on the AP), thus utilizing the overall network efficiently. At any point in time, there is only the configured media stream traversing the network, because the video stream is converted to unicast at the APs based on the IGMP requests initiated by the clients.
  • Page 105 Multicast routing is enabled on interface Multicast TTL threshold is 0 Multicast designated router (DR) is 9.5.56.1 (this system) IGMP querying router is 9.5.56.1 (this system) Multicast groups joined by this system (number of users): 224.0.1.40(1)...
  • Page 106 (*, 229.77.77.28), 4d15h/00:02:36, RP 0.0.0.0, flags: DC Incoming interface: Null, RPF nbr 0.0.0.0 Outgoing interface list: Vlan56, Forward/Sparse-Dense, 00:24:34/stopped (*, 224.0.1.40), 5d17h/00:02:41, RP 0.0.0.0, flags: DCL Incoming interface: Null, RPF nbr 0.0.0.0 Outgoing interface list: Vlan56, Forward/Sparse-Dense, 5d17h/stopped...
  • Page 107 WLC Configuration (Cisco Controller) >config network multicast global enable (Cisco Controller) >config network multicast igmp snooping enable To enable the VideoStream feature globally on the controller, navigate to Wireless > Media Stream > General and check the Multicast Direct Feature check box. Enabling the feature here populates some of the configuration parameters on the controller for VideoStream.
  • Page 108 The multicast direct button under WLAN > QoS appears on if the feature is enabled globally. This provides the flexibility to enable VideoStream feature per SSID and is described later in this document...
  • Page 109 Turn on Local Switching under WLAN > Advanced and ensure that the APs in the setup are in FlexConnect mode. Figure 62 Enable Local Switching on WLAN Figure 63 Change AP Mode to FlexConnect...
  • Page 110 Client ACL Support Add Media Stream Configuration To add a multicast stream to the controller, navigate to Wireless > Media Stream > Streams and click Add New. Figure 64 Media Stream Configuration...
  • Page 111 The rest of the clients will be enabled for appropriate QoS. To enable Multicast Direct on the WLAN, check the Multicast Direct check box as shown in Figure 65. This will enable the WLAN to service wireless clients with the VideoStream feature...
  • Page 112 Client ACL Support (Cisco Controller) >config wlan media-stream multicast-direct 1 ? enable Enables Multicast-direct on the WLAN disable Disables Multicast-direct on the WLAN. All wireless clients requesting to join a stream will be assigned video QoS priority on admission. Wireless client streaming video prior to enabling the feature on the WLAN will be streaming using normal multicast.
  • Page 113 (*, 229.77.77.28), 4d15h/00:02:44, RP 0.0.0.0, flags: DC Incoming interface: Null, RPF nbr 0.0.0.0 Outgoing interface list: Vlan56, Forward/Sparse-Dense, 00:17:24/stopped (*, 224.0.1.40), 5d17h/00:02:53, RP 0.0.0.0, flags: DCL Incoming interface: Null, RPF nbr 0.0.0.0 Outgoing interface list: Vlan56, Forward/Sparse-Dense, 5d17h/stopped
  • Page 114 The Wireshark capture on the client shows the Multicast to Unicast Video Stream. The Ethernet header contains the MAC address of the client as the Destination MAC address, for example, 7c:d1:c3:86:7e:dc. Figure 68 Wireshark Capture Depicting mc2uc
  • Page 115 [0 ,0 ,0 ] (Cisco Controller) >show client summary Number of Clients........ 2 Number of PMIPV6 Clients......0 GLAN/ RLAN/ MAC Address AP Name Slot Status WLAN Auth Protocol Port Wired PMIPV6 Role
  • Page 116 229.77.77.28 AP_1600 Multicast Direct 88:cb:87:bd:0c:ab Media2 229.77.77.28 AP_1600 Multicast Direct d8:96:95:02:7e:b4 Media2 229.77.77.28 AP_1600 Multicast Direct (Cisco Controller) >show flexconnect media-stream client Media2 Media Stream Name........ Media2 IP Multicast Destination Address (start)..229.77.77.28
  • Page 117 WLAN ID 8 , Enabled State 0 WLAN ID 9 , Enabled State 0 WLAN ID 10, Enabled State 0 WLAN ID 11, Enabled State 0 WLAN ID 12, Enabled State 0 WLAN ID 13, Enabled State 0
  • Page 118 AP reboot. Similarly, changing of the AP sub mode to WIPS does not need reboot, but the rest of the sub mode configuration requires AP reboot. Figure 69 Conversion to FlexConnect - No Reboot Required
  • Page 119 In controllers such as Cisco Flex 7500 Series Controller, when the autoconvert mode is set to “flexconnect”, during AP join, the AP gets converted to flexconnect mode and inherits config from default-flex-group, thus supporting zero touch configuration.
  • Page 120 AP has FlexConnect Group configuration present, but FlexConnect group has reached its limit in terms of number of APs Default FlexConnect Group Web UI Step 1 To view the default FlexConnect Group choose WIRELESS > FlexConnect Groups > default-flex-group
  • Page 121 Step 3 APs from default-flex-group can be moved to an admin configured FlexConnect group. Select the Group from “New Group Name” drop down menu and select the AP from the list and then click ‘Move’
  • Page 122 Group default-flex-group has already been configured (Cisco Controller) >config flexconnect group default-flex-group delete Group default-flex-group cannot be deleted manually (Cisco Controller) >config flexconnect group default-flex-group ap add 23:2f:d2:ff:12:7d AP cannot be manually added to the default-flex-group. (Cisco Controller) >config flexconnect group default-flex-group ap delete 23:2f:d2:ff:12:7d AP cannot be manually deleted from the default-flex-group.
  • Page 123 SNMP The existing tables cLReapGroupConfigTable and cLReapGroupApConfigTable in CISCO-LWAPP-REAP_MIB would return the configuration of the default-flex-group and the joined APs respectively Web Links • Cisco WLAN Controller Information: http://www.cisco.com/c/en/us/products/wireless/4400-series-wireless-lan-controllers/index.html http://www.cisco.com/c/en/us/products/wireless/2000-series-wireless-lan-controllers/index.html • Cisco NCS Management Software Information: http://www.cisco.com/c/en/us/products/wireless/prime-network-control-system-series-appliances/index.html • Cisco MSE Information:...
  • Page 125 Cisco 2000 Series Wireless LAN Controllers • Cisco Wireless Control System • Cisco 3300 Series Mobility Services Engine • Cisco Aironet 3500 Series • Cisco Secure Access Control System • Technical Support & Documentation - Cisco Systems
  • Page 126 Related Information