WLAN design guide for branch office

gariup.guido
Level 1

Hi,

Is there any document that explains different designs for branch offices? I have a customer with one headquarters and more than 150 branch offices. Today he has one or more autonomous APs per branch office connected directly to the BO switch. Each BO has its own IP address space. Because all wireless client traffic has to travel to the HQ, he wants a controller-based solution where all traffic is tunneled to the WLC and from there goes through a firewall in order to reach the server farm.

The problem is I don't see how to manage all the different IPs of each BO in the HQ. When the WLC sends the packet to the core switch, the packet will reach the servers, but when the servers respond to that packet, the response will go to the branch office directly. It won't be sent to the WLC in order to be delivered back to the branch office.

I don't know if the most suitable solution is to create one big WLAN with one SSID for all the branch offices.

Another idea could be to create one SSID per branch office, in order to have different IP addresses for wireless clients, but the customer doesn't want to change the IP addressing. He wants to keep all the branch office IP addresses, no matter if the client is wired or wireless.

Another option is to use H-REAP, and make all the traffic between BO and HQ go through the firewall.

Finally, the idea is to find out whether any design document exists that explains the different ways to design a solution for branch offices with centralized controllers, in order to evaluate all of them.

Thanks,

Guido.

Accepted Solution

George Stefanick
VIP Alumni

Here is the official HREAP Design Guide by Cisco

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml

Sounds like LOCAL switching is the way to go. LOCAL switching is much like AUTONOMOUS. Keeps local IPs and traffic local as well.

What security are you using on your Wi-Fi clients in the BO?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

12 Replies

Leo, what's the starting size of a FLEX controller, do you know?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

@george, the starting license for the 7500 is 300 APs

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks Steve ... I don't think I will ever get a chance to play with a Flex... And they ONLY do LOCAL ... correct?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Stephen Rodriguez
Cisco Employee

If you have low latency from the BO to the Central, then you can leave the AP in local mode.

In local mode the AP will send all the traffic to the WLC and the WLC will be the ingress-egress point for all the client traffic.

With this design the wireless clients will get an IP address from the central site, so the BO IP scheme won't come into play.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks everybody. I'll check both documents and see if they help me.

I have a problem with latency because some BOs have a satellite connection, and their latency is around 600 ms. What is the maximum latency (in ms) that is supported for local mode?

Thanks,

Guido.

My 2 cents...

HREAP - LOCAL SWITCHING ... Keep it simple and you will have little change to what you are doing now. However, if you are doing 802.1X security that could pose a problem.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George,

Can you elaborate on the 802.1X authentication problems?

Sorry to hijack this thread, but I am in the same boat: we have 100 or so DSL branch sites, each wanting wireless, and I need to make sure that all APs are managed and that all wireless clients are properly authenticated and posture checked.

Profiling would be nice too.

I am looking at the ISE. I understand that it works fine on a campus network where all APs tunnel back to a WLC, but what about branch offices that won't have controllers on them?

Any help would be great.

thanks

Mario De Rosa

No worries...

If you use 802.1X and your RADIUS lives at the central location, new clients cannot authenticate if the WAN breaks.

Make sense?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George, thanks, I understand that, but I thought that you could configure some sort of fallback authentication method on the APs or the WLC?

Also, do you know whether wireless clients can be posture checked at a wireless branch without needing a WLC or ISE onsite and without tunneling wireless traffic back to the DC?

thanks

Mario

really want to keep the latency to around 300ms. So as George said HREAP local switching would be the way to go. Then you can just PBR it to force the traffic to go through the firewall.

Steve

Sent from Cisco Technical Support iPad App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
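To make the PBR suggestion above concrete, here is an added Cisco IOS configuration example (not from any poster in this thread, and not from the HREAP design guide). It assumes constructed addressing: branch office prefixes summarized as 10.100.0.0/16 (wired and wireless clients share each BO's own subnet, as Guido wants), the server farm at 10.1.10.0/24, a stateful firewall whose WAN-facing interface is 10.0.255.2 and whose server-farm-facing interface is 10.1.255.2, and the interface names shown. With HREAP/FlexConnect local switching, branch traffic arrives at HQ over the WAN already carrying the branch source address, so the HQ WAN router steers branch-to-server traffic to the firewall. The asymmetric-return problem Guido describes is addressed by a matching policy on the core: without it, the servers' replies would follow the routing table straight back to the branch, bypassing the firewall and breaking its state table.

```ios
! ----- HQ WAN aggregation router -----
! Branch -> server farm: hand the flow to the firewall instead of routing it directly.
! Prefixes below are constructed example values, not the customer's real addressing.
ip access-list extended BRANCH-TO-SERVERS
 remark Branch client subnets (wired and wireless share the BO range) towards the server farm
 permit ip 10.100.0.0 0.0.255.255 10.1.10.0 0.0.0.255
!
route-map BRANCH-VIA-FW permit 10
 match ip address BRANCH-TO-SERVERS
 ! verify-availability keeps PBR from black-holing traffic if the firewall interface is down;
 ! the packet then falls back to normal destination-based routing.
 set ip next-hop verify-availability 10.0.255.2 10 track 1
!
track 1 ip sla 1 reachability
ip sla 1
 icmp-echo 10.0.255.2
 frequency 10
ip sla schedule 1 life forever start-time now
!
interface Serial0/0/0
 description WAN aggregation towards the branch offices (assumed interface name)
 ip policy route-map BRANCH-VIA-FW
!
! ----- HQ core switch, server farm VLAN -----
! Server farm -> branch: the reverse direction must also pass the same firewall,
! otherwise replies bypass it and the stateful firewall never sees the return half.
ip access-list extended SERVERS-TO-BRANCH
 permit ip 10.1.10.0 0.0.0.255 10.100.0.0 0.0.255.255
!
route-map SERVERS-VIA-FW permit 10
 match ip address SERVERS-TO-BRANCH
 set ip next-hop 10.1.255.2
!
interface Vlan10
 description Server farm gateway (assumed VLAN and address)
 ip address 10.1.10.1 255.255.255.0
 ip policy route-map SERVERS-VIA-FW
```

Two points worth checking on a real deployment: `show route-map BRANCH-VIA-FW` reports the policy-matched packet counters, which is the quickest way to confirm traffic is actually being steered rather than following the routing table; and because PBR is applied to ingress traffic on the interface where it is configured, the policy has to sit on the interface the flow enters (the WAN link for branch-sourced packets, the server VLAN for server-sourced replies), not on the interface facing the firewall. If the branch count grows beyond what a single summary covers, the access lists are the only thing that needs extending.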