Cisco Support Community

WLAN design guide for branch office

Hi,

Is there any document that explains different designs for branch offices? I have a customer with one headquarters and more than 150 branch offices. Today he has one or more autonomous APs per branch office connected directly to the BO switch. Each BO has its own IP address space. Because all wireless client traffic has to travel to the HQ, he wants a controller-based solution where all traffic is tunneled to the WLC and from there, it goes through a firewall in order to reach the server farm.

The problem is I don't realize how to manage all the different IPs of each BO in the HQ. Because when the WLC sends the packet to the core switch, the packet will reach the servers, but when the servers respond to that packet, it will go to the branch office directly. It won't be sent to the WLC in order to be delivered back to the branch office.

I don't know if the most suitable solution is to create one big WLAN with one SSID for all the branch offices.

Another idea could be to create one SSID per branch office, in order to have different IP addresses for wireless clients, but the customer doesn't want to change the IP addressing. He wants to keep all the branch office IP addresses, no matter if the client is wired or wireless.

Another option is to use H-REAP, and make all the traffic between BO and HQ go through the firewall.

Finally, the idea is to know whether there is any design document that explains the different ways to design a solution for branch offices with centralized controllers, in order to evaluate all of them.

Thanks,

Guido.

Accepted Solutions

WLAN design guide for branch office

Here is the official HREAP Design Guide by Cisco

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml

Sounds like LOCAL switch is the way to go. LOCAL switch is much like AUTONOMOUS. Keeps local IPs and traffic local as well.

What security are you using on your wifi clients in the BO?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
12 REPLIES

WLAN design guide for branch office

Leo, what's the starting size of a FLEX controller, do you know?


Re: WLAN design guide for branch office

@george, the starting license for the 7500 is 300 AP


HTH, Steve

Please remember to rate useful posts, and mark questions as answered

Re: WLAN design guide for branch office

Thanks Steve ... I don't think I will ever get a chance to play with a Flex... And they ONLY do LOCAL ... correct


Re: WLAN design guide for branch office

If you have low latency from the BO to the Central, then you can leave the AP in local mode.

In local mode the AP will send all the traffic to the WLC and the WLC will be the ingress-egress point for all the client traffic.

With this design the wireless clients will get an IP address from the central site, so the BO IP scheme won't come into play.

Steve


WLAN design guide for branch office

Thanks everybody. I'll check both documents and see if they help me.

I have a problem with latency because some BOs have a satellite connection, and their latency is around 600ms. How many ms is the maximum that is supported for local mode?

Thanks,

Guido.

WLAN design guide for branch office

My 2 cents...

HREAP- LOCAL SWITCH ... Keep it simple and you will have little change to what you are doing now. However, if you are doing 802.1X security, that could pose a problem.


WLAN design guide for branch office

Hi George,

can you elaborate on the 802.1x authentication problems...?

Sorry to hijack this thread, but I am in the same boat where we have 100 or so DSL branch sites each wanting wireless and I need to make sure that all APs are managed and that all wireless clients are properly authenticated & posture checked.

Profiling would be nice too.

I am looking at the ISE. I understand that it works fine on a campus network where all APs tunnel back to a WLC, but what about branch offices that won't have controllers on them?

Any help would be great.

thanks

Mario De Rosa

WLAN design guide for branch office

No worries...

If you use 802.1X and your RADIUS lives at the central location, if the WAN breaks new clients cannot authenticate.

Make sense?


WLAN design guide for branch office

Hi George, thanks, I understand that, but I thought that you could configure some sort of fallback authentication method in the APs or the WLC?

Also, do you know whether wireless clients can be posture checked at a wireless branch without needing a WLC or ISE onsite and without tunneling wireless traffic back to the DC?

thanks

Mario

Re: WLAN design guide for branch office

really want to keep the latency to around 300ms. So as George said HREAP local switching would be the way to go. Then you can just PBR it to force the traffic to go through the firewall.

Steve

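One way the PBR mentioned above could be laid out on the HQ core, as an added example that is not configuration from this thread. The addressing, ACL and route-map names, and interface names are all constructed assumptions. It steers both directions through the firewall, so the server replies the original question worries about do not bypass it.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   branch office subnets (wired and H-REAP locally switched clients)  10.20.0.0/16
!   HQ server farm                                                     10.1.0.0/24
!   firewall outside interface 10.0.254.2, inside interface 10.0.253.2
!
ip access-list extended BO-TO-SERVERS
 permit ip 10.20.0.0 0.0.255.255 10.1.0.0 0.0.0.255
!
ip access-list extended SERVERS-TO-BO
 permit ip 10.1.0.0 0.0.0.255 10.20.0.0 0.0.255.255
!
! Branch -> servers: hand matching packets to the firewall's outside interface.
route-map BO-VIA-FW permit 10
 match ip address BO-TO-SERVERS
 set ip next-hop 10.0.254.2
!
! Servers -> branch: send replies back through the firewall's inside interface
! so a stateful firewall sees both halves of each flow.
route-map SERVERS-VIA-FW permit 10
 match ip address SERVERS-TO-BO
 set ip next-hop 10.0.253.2
!
! PBR is evaluated on packets arriving on the interface it is applied to.
interface GigabitEthernet0/1
 description WAN-facing, traffic arriving from branch offices
 ip policy route-map BO-VIA-FW
!
interface Vlan100
 description Server farm gateway
 ip policy route-map SERVERS-VIA-FW
!
! The firewall-facing interfaces carry no policy, so traffic the firewall has
! already inspected follows the normal routing table.
!
! Checks after applying:
!   show ip policy      (interface to route-map bindings)
!   show route-map      (per-entry policy-routing match counters)
```

Traffic that matches neither ACL is routed normally, so anything that must never bypass the firewall has to be covered by a `permit` entry.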