Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6052
Views
45
Helpful
39
Replies

Ask the Expert: Still Facing Challenges of Designing, Deploying, and Troubleshooting Wireless Networks?

ciscomoderator
Community Manager
Community Manager

‎09-19-2013 12:14 PM - edited ‎07-04-2021 12:53 AM

Configuring and Troubleshooting Border Gateway Protocol (BGP)With Flavien Richard

Welcome to the Cisco Support Community Ask the Expert conversation.  This  is an opportunity to learn and ask questions about how to overcome the challenges of planning, designing, deploying, and troubleshooting wireless networks with expert Flavien Richard.

High density, high availability, converged access, unified access, radio resource management, and site surveys: What do they have in common? They’re all complex and difficult to understand and implement properly, but there are tips and rules to follow that will make your life easier. Expert Flavien Richard will share best practices and make recommendations for the different phases, technologies, and features around enterprise wireless networks.

Flavien Richard is a technology solutions architect in the Borderless Networks team in France. He is an expert in wireless and mobility topics and serves as an escalation point of contact in the European theater. This gives him visibility over most of the biggest projects in EMEA. He is a technical interface between the Wireless business unit and Cisco customers, partners, and employees to help define and prioritize the new features and products for the mobility market. He is a frequent speaker and session manager at Cisco Live and other Cisco events on mobility. He also was a contributor to the writing of the first Wireless CCIE exams.

Remember to use the rating system to let Flavien know if you have received an adequate response.

Because of the volume expected during this event, Flavien might not be able to answer every question. Remember that you can continue the conversation in the Wireless Community, subcommunity Getting Started with Wireless shortly after the event. This event lasts through October 4, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

Labels:
0 Helpful
39 Replies 39

frichard
Level 4
Level 4
In response to Rasika Nayanajith

‎09-30-2013 10:49 AM

Hi Rasika,

I have been working on a document that is not public yet and that includes a section on IP Addressing. I am copying the entire section here as it should help you understand the pros and cons of Wireless ACCESS vlan deployments.

"

The options cover a range of cases and highlight the pros and cons of different design choices that involve dealing with same or different IP address pools for wireless and wired traffic, differentiated policy assignment, and ease of implementation.

Option 1. Separate Wired and Wireless VLANs Per Wiring Closet

This option separates wired and wireless VLANs per wiring closet, as shown in the following figure. In this example, there is a pair of VLANs in each closet. This is a simple design that allows the application of separate policies per VLAN to wireless and wired users and eliminates any contention for DHCP between wired and wireless.

However, because wireless clients are moving, it is important to consider how large the subnet must be for that wiring closet to accommodate these non-static clients. For wired connectivity, it is necessary only to count the number of available ports. Wireless usage is much more dynamic, so it is harder to determine the size of the DHCP scope that is required, and thus some of the IP address space as allocated might be wasted simply to accommodate for the maximum possible number of wireless clients that could potentially appear on the network simultaneously.

This approach for IP addressing is applicable mainly to a small or medium sized site or branch, where predicting the maximum size of the wireless subnets needed is easier, based on user and device populations at the small to medium branch involved.

Option 2. Merged Wired and Wireless VLANs Per Wiring Closet

In this option, the VLANs are merged and the same subnet is used for wired and wireless for each wiring closet, but separated for different wiring closets. For example, VLAN 11 is used for wired and wireless on wiring closet one, VLAN 21 for the second and so on. The main advantage of this option is in saving IP subnets, and thus conserving the associated IP address space to the greatest extent possible. There is still the challenge of sizing subnets, and as well there is the possibility in this deployment option of IP address space contention between wired and wireless clients, since wired and wireless users are mapped into common subnets in this deployment option. Wireless clients could consume all of the IP addresses within a given subnet, resulting in insufficient addresses for wired clients (or vice versa). Moreover, it is not possible to apply separate wired and wireless policies using VLAN based policies alone in this deployment option.

Option 3. Wired VLANs Per Wiring Closet and Spanned Wireless VLANs

This option is a hybrid with separate wired subnets and one wireless subnet spread across multiple wiring closets below a common distribution layer. This deployment option retains the advantage of a separate per-VLAN policy for both wired and wireless users, and avoids IP address space contention between these user communities, as wired and wireless clients are still mapped into separate VLANs. Fewer IP subnets are needed because wireless clients are grouped into a single VLAN (per SSID) below the distribution layer.  This deployment option typically requires a VSS deployment at the distribution layer or a single distribution switch with multiple supervisors, to avoid Layer 2 loops and any associated spanning tree blocking / forwarding issues.

Important information on what I said on my previous post about directly connected APs and vlans, with more details:

As an MA, the Catalyst 3850 supports only direct attached APs. For the AP to register, a management wireless VLAN interface (such as VLAN 20) to which the AP is connected is needed. If the AP is in any other VLAN, it cannot register, and an error message is generated on the console. This is because the

wireless management interface Vlan command, which activates the MA functionality, intercepts the CAPWAP messages and processes only those from the designated wireless management VLAN (into which all of the APs connected to this Catalyst 3850 must be deployed). If the command is not employed on the switch, the Catalyst 3850 functions just as any other Layer 2 or Layer 3 switch (CAPWAP passthrough), and the AP can be connected and registered to any other controller within the larger network.

Regards,

Flavien.

Rasika Nayanajith
VIP
VIP
In response to frichard

‎09-30-2013 12:38 PM

Hi Flavian,

Thank you very much for such detail explanation of each different option. Looking forward to see such  a valuable document available to us to use a desing guide in this new deployment model.

If I understood correctly most preferred option  for us is to go with "Spanned Wireless vlan". There is a pre-requisite VSS implementation at distribution layer to avoid any possible l2-looping issues.

Thanks again

Rasika

0 Helpful

frichard
Level 4
Level 4
In response to Rasika Nayanajith

‎09-30-2013 01:19 PM

Rasika,

In your case, with the current network that you describe, Option 3 seems to be a good fit, indeed.

Best regards,

Flavien.

0 Helpful

Rasika Nayanajith
VIP
VIP
In response to frichard

‎10-01-2013 05:29 AM

Hi Flavien,

I read your response couple of times and now I have another question on that. I understand for the wireless users better to have span vlan across building to have less IP contention.

Is this applicable to "wireless management vlan" as well ? Let's say we have 5 buildings (each 3 stories & having switch stack in each level). Assuming less than 10AP in each floor and allocationg 10 IPs for wireless management (for AP & SW wireless mgt). We do not want to control AP IPs too much & below is for an example scenario,

BLD1-L1 - 192.168.100.1-10

BLD1-L2 - 192.168.100.11-20

BLD1-L3 - 192.168.100.21-30

BLD2-L1 - 192.168.100.31-40

.

.

.

BLD5-L1- 192.168.100.121-130

BLD5-L2- 192.168.100.131-140

BLD5-L3- 192.168.100.141-150

When allocating DHCP for the AP, does this require local DHCP pools in each stack pointing to its own SVI as gateway for the AP mgt dhcp scope ? or Could we have single DHCP scope (somewhere in cetral DHCP server) pointing to SVI defined at Distribution layer (6506) for these buiding if we have SVI on the same vlan as wireless mgt. For example 192.168.100.254.

In otherwords if AP get's a default gateway different  to local 3850 SVI IP (but on the same subnet as wireless mgt IP of 3850 stack) will that impact the CAPWAP termination of that switch stack ?

We would like to have central DHCP solution even for AP mgmt & would like to know that design rule can be maintain in the given scenario

Hope this clear

Rasika

0 Helpful

frichard
Level 4
Level 4
In response to Rasika Nayanajith

‎10-01-2013 10:49 AM

Hi Rasika,

You can have a central DHCP scope for Access Points, and  not use a local DHCP pool in the stack to do what you want and describe here. The default gateway parameter returned by the DHCP server won't be specific per stack, as it is the normal defaut gateway of the subnet. The switch itself on each floor will intercept the CAPWAP join request on the wireless management interface subnet locally, which will let it join the converged access stack.

Regards,
Flavien.

Rasika Nayanajith
VIP
VIP
In response to frichard

‎10-01-2013 01:16 PM

Thanks Flavien for the clarification.

0 Helpful

Rasika Nayanajith
VIP
VIP

‎09-30-2013 01:21 PM

Hi Flavien,

What is the feature set requirement for a 3850 to operate as MC/MA ? Does it require "ipbase" or "ipservices"

If 3850 comes with "lanbase" can it operate as MC/MA ?

Regards

Rasika

0 Helpful

frichard
Level 4
Level 4
In response to Rasika Nayanajith

‎09-30-2013 01:31 PM

Lanbase does not have any Wireless termination support, so, you can only work in passthrough mode indicated above with this license.

Both ipbase and ipservices will allow Wireless support  and termination the same way, and allow for MA and MC functionalities. (to activate MC you also need AP licenses on the switch or stack, not on the MA itself).

Regards,

Flavien.

Rasika Nayanajith
VIP
VIP
In response to frichard

‎09-30-2013 01:36 PM

Hi Flavian,

Thanks for this information, This is a very important piece of information when planning to roll-out 3850 in large scale. If you want to terminate APs locally on the switch stack & stack to act as a WLC, then you should have minimum "ipbase" feature set.

Thanks

Rasika

0 Helpful

Sandeep Choudhary
VIP Alumni
VIP Alumni

‎10-01-2013 05:46 AM

Hi Flavian,

I am not sure that this question belongs to this community or .....

We had implemneted the cisco ISE for Guest access.

I have some questions regarding ( via Cisco ISE sponsore portal) Guest email notification via Sponsor account.

Right now we have this kind of structure for Guest email notification:

Welcome to the XYZ Guest Portal.

Your guest account details:

Username: aefgh
Password: 4Z7Pk
Valid From: Mon Sep 30 10:15:45 CEST 2013
Valid To: Mon Sep 30 18:15:45 CEST 2013

Thanks

Now I want to add my company logo in this notification.(Email as well as in print format).

Can you please guide me to place my comapny logo in this notification.

Thanks

0 Helpful

snarayan62
Level 1
Level 1
In response to Sandeep Choudhary

‎10-01-2013 09:02 AM

Hi

Richard

Please explain the two layer security in wireless mobility  because one of my client wants the new wireless mobility with two layers security

Thanks and Regards

SNG

0 Helpful

frichard
Level 4
Level 4
In response to snarayan62

‎10-01-2013 10:23 PM

Hi SNG,

Can you please help me understand your question and be a little more specific on what you want me to let you know?

Regards,

Flavien.

0 Helpful

snarayan62
Level 1
Level 1
In response to frichard

‎10-01-2013 10:39 PM

Hi Flavien

I want to know regarding double layer security like authentication on Controller and AP differently.

Secondly he want to know that can only one SSID be used for different building for contineous communication

Regards

SNG

0 Helpful

frichard
Level 4
Level 4
In response to snarayan62

‎10-02-2013 12:15 AM

Hi,

For the first question on double authentication, please have a look at this document, as this is possible on wireless Lan controller versions 7.4 and above:

http://www.cisco.com/image/gif/paws/115951/web-auth-wlc-guide-00.pdf

Regarding setting up the same SSID between buildings for seamless roaming, this is definitely something that we recommend, and that is made possible to easily deploy thanks to our Wireless Lan controllers, both standalone like 5760, 5508, 8510s, or integrated into the switches for converged wired and wireless access like the 3650 and 3850.

Regards,

Flavien.

0 Helpful

snarayan62
Level 1
Level 1
In response to frichard

‎10-02-2013 02:25 AM

Hi Richard

Thanks for your early response and give reference I read it and it is benificial to explain the client in this regards

Thanks

SNG

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card