design and deployment of branch office wireless networks live 2015 melbourne... · design and...
Post on 04-Jun-2020
1 Views
Preview:
TRANSCRIPT
#clmel
Design and Deployment of Branch Office Wireless Networks
Sujit Ghosh
Sr. Mgr. Technical Marketing
BRKEWN-2016
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Objective
3
Best Practices for Designing Resilient, Secure
and Service-Ready Branch Networks
BRKEWN-2016 Cisco Public© 2015 Cisco and/or its affi liates. All rights reserved.
Agenda
• Learn Cisco Unified Wireless LAN Principles
• Understand Wireless Branch Deployment Options
• Evaluate FlexConnect Architectural Requirements
• Identify the need for FlexConnect & AP Groups
• Design a Resilient Branch Network
• Design Secure & BYOD enabled Branch Network
• Operate Wireless Branch efficiently over WAN
• Service-Ready Branch
• FlexConnect Best Practices
4
Cisco Unified Wireless LAN Principles
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Wireless Controller: Deployment Modes
Autonomous FlexConnect Centralised Converged Access
Traffic Distributed at AP Traffic Centralisedat Controller
Traffic Distributed at SwitchStandalone APs
Target
PositioningSmall Wireless Network Branch Campus Branch and Campus
Scope Wireless only Wireless only Wireless only Wired and Wireless
High
Availability
• Can only claim AP quality
• No RF HA• No Network layer HA
• No services
• Full RF HA
• Client SSO when Local Switching
• Most complete solution • Exploits HA in IOS switches
Key
Considerations
• Limited features. Upgradable
to controller based
• Branch with WAN BW and
latency requirements• Full features
• Catalyst 3650/3850 in the access
layer
WAN
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Branch Office Deployment
• Hybrid architecture
• Single management and control point
• Data Traffic Switching
– Centralised traffic(split MAC)
– or
– Local traffic (local MAC)
• HA will preserve local traffic only
• Traffic Switching is configured per AP and per WLAN (SSID)
7
FlexConnect (HREAP)
WAN
Central Site
Remote Office
Centralised
Traffic
Centralised
Traffic
Local
Traffic
Wireless Branch Deployment Options
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Branch Office with Local WLAN Controller
• Branches can also have local controllers
• Small or Mid-size Branch WLCs
– CT-2504,
– Integrated controller modules in ISR/ISR-G2
– Converged Access Cat-3850
9
Overview
Remote Site B
Remote Site A
WLC-25xx
WLCM for
ISR/ISR-G2
Backup Central
Controller
WAN
Central Site
Remote Site C
Cat-3850
CAPWAP
• Cookie cutter configuration for every branch site
• Layer-3 roaming within the branch
• IPv6 L3 Mobility
Advantages
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Branch Office Deployment
• Hybrid architecture
• Single management and control point
• Data Traffic Switching
– Centralised traffic(split MAC)
– or
– Local traffic (local MAC)
• HA will preserve local traffic only
• Traffic Switching is configured per AP and per WLAN (SSID)
10
FlexConnect (HREAP)
WAN
Central Site
Remote Office
Centralised
Traffic
Centralised
Traffic
Local
Traffic
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Glossary
11
Standalone Mode When FlexConnect AP cannot reach Controller, it goes into standalone state and does client authentication by itself.
Local Switching Data traffic switched onto local VLANs for an SSID
Central Switching Data traffic tunneled back to WLC for an SSID
Connected Mode When FlexConnect AP can reach Controller, it gets help from controller to complete client authentication.
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Configure FlexConnect Mode
• Enable FlexConnect mode per AP
• Supported APs:
AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600 , AP-2600 , AP-3600, AP-1700, AP-3700, AP-2700, AP 700, AP-1520, AP-1530, AP-1550, AP-1570
12
Step 1: Configure Access Point Mode
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Configure FlexConnect Local Switching
Only WLAN with “FlexConnect Local Switching” enabled will allow local switching on the FlexConnect AP
13
Step 2: Enable Local Switching per WLAN
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Configure FlexConnect VLAN Mapping
• FlexConnect AP can be connected on an access port or connected to a 802.1Q trunk port (using the native VLAN)
• VLAN mapping can be performed per AP configuration on WLC and/or by AP groups using Cisco Prime Infrastructure templates
14
Step 3: FlexConnect Specific Configuration
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Configure FlexConnect VLAN Mapping
• When connecting with Native VLAN on AP, L2 switchport must also match with corresponding Native VLAN configuration
• Each corresponding SSID that is allowed to be locally switch should be allowedon the corresponding switchport.
15
Step 4: FlexConnect Specific Configuration – Native Vlan
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Configure FlexConnect SSID-VLAN Mapping
• Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP
• Or use Cisco Prime Infrastructure (NCS) via configuration templates
16
Step 5: Per AP SSID to VLAN Mapping
1 2
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Configure FlexConnect VLAN Mapping
• Prime Infrastructure provides simplifiedconfiguration to all FlexConnect APswith one Lightweight AP Template
17
Using Cisco Prime Infrastructure
Evaluate FlexConnect Architectural Requirements
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Design Considerations
19
WAN Limitations Apply
Deployment Type
WAN Bandwidth(Min)
WAN RTT Latency
(Max)
Max APs per
BranchMax Clients per
Branch
Data 64 kbps 300 ms 5 25
Data 640 kbps 300 ms 50 1000
Data 1.44 Mbps 1 sec 50 1000
Data+Voice 128 kbps 100 ms 5 25
Data+Voice 1.44 Mbps 100 ms 50 1000
Monitor 64 kbps 2 sec 5 N/A
Monitor 640 kbps 2 sec 50 N/A
For YourReference
It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip
latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Design Considerations
– MAC/Web Auth in Standalone Mode
– IPv6 L3 Mobility
– SXP TrustSec
– Application Visibility and Control Coming in 8.1
– Service Discovery Gateway
– Native Profiling and Policy Classification
– See full list in « FlexConnect Feature Matrix »
– http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Feature Limitations In Standalonemode and Local Switching
20
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
IPv6 Support
21
Significant support for IPv6 with Central Switching
IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching
✔
✔
✔
✔
✔
✔
✔
✔
✔
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Economies of Scale For Lean BranchesFlex 7500 Wireless Controller
22
WAN Tolerance
• High Latency Networks
• WAN Survivability
Security
802.1x based port authentication
Voice support
• Voice CAC
• OKC/CCKM
Key Differentiation
Access Points 300-6,000
Clients 64,000
Branches ( Flex Groups ) 2000
Access Points / Branch 100
Deployment Model FlexConnect
Form Factor 1 RU
IO Interface 2 x 10GE
Upgrade Licenses 100, 200, 500, 1K
RTU Licenses
Functionality
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Optimised for High Scale DeploymentsCisco 8510 Series Controller
Access Points 300-6,000
Clients 64,000
Branches/locations 6,000 (2000 FlexGroups)
Access Points per
FlexConnect group
100
Deployment types Local (centralised),
FlexConnect and mesh
Form Factor 1 RU
IO Interface and
redundancy
Dual redundant 10GE ports
with LAG
* Indicates unique 8500 features
Functionality
High scale
• 4K VLANs
Rich Features with deployment flexibility
Geo Separated AP/Client SSO
• FlexConnect, Local mode and mesh support Right to use
(with EULA) for ease of license enablement
• 3G Packet core integration: PMIPv6 MAG solution with ASR5K (LMA)
• FlexConnect with HS2.0 for 3G offload
• Other key features:
802.11r fast roaming
Rate limit traffic flows
Video Stream for rich media flows
Key Differentiation
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Feature Introduction
24
For YourReference
FlexConnect Features Release Version
AAA-VLAN Override, ALCs & P2P Blocking 7.2
Smart AP Image Upgrade 7.2
External Web-Auth & Mobile Device On-boarding 7.2
Flex 7500 Scale Update 7.3
VLAN Based Central Switching 7.3
Split-tunnelling 7.3
Work Group Bridge (WGB) Support 7.3
Bi-Directional Rate Limiting 7.4
ISE BYOD Registration & Provisioning 7.4
AAA-ACL & AAA-QoS Override 7.5
EAP-TLS & PEAP Support for Local Authentication 7.5
Ethernet Fallback 7.6
VideoStream for Local Switching 8.0
Faster time to deploy 8.0
FlexConnext on Mesh APs 8.0
AVC for FlexConnect 8.1
VLAN Name override for FlexConnect 8.1
Why Do We Need FlexConnect and AP Groups?
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Understanding AP Groups
• AP Groups is a logical concept of grouping AP’s which deliver similar Wi-Fi services; these services can be:
– By physical location, and/or
– By functional services (data, voice, guest, …)
• Same AP groups need to be defined in all WLC’s of a mobility group
Overview
26
Remote Site A Remote Site B
Central Site
WAN
AP Group 1
AP Group 2
AP Group 3
Flex 7500
Scaling 7500/8500 CT-5508 WiSM-2 CT-2504
# AP Groups 6000 500 1000 50
# WLAN
(SSID)512 512 512 16
# VLAN
(Interfaces)4095 512 512 16
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
AP Groups
Configuration: Create a New Group
27
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
AP Groups Usage
28
WAN
Central Site
StoreManufacturing Site
AP Group 2
AP Group 3
AP Group 1
Corporate-Voice
Guest-Access
Corporate-Data
Guest-Access
Corporate-Data
@ Internet
Scanners
AP groups give the ability to enable
Wi-Fi Services (WLAN) based on
physical location
Central SiteCorporate-Voice, Corporate-Data,
Guest-Access
Manufacturing SiteCorporate-Voice, Corporate-Data,
Scanners
StoreCorporate-Data, Guest-Access
Per Location SSID
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
AP Groups Usage
• AP groups give the ability to statically map Wi-Fi service (WLAN) to VLAN based on physical location
• Users see the sameWi-Fi service on all sites.
• Admincan monitor and filter basedon different IP@ each site
• Can also be used to have smallerWi-Fi subnets
• For example per floor subnets in a building.
Per AP Group SSID to VLAN Mapping
29
Corporate-Data
Corporate-Data
Corporate-Data
VLAN-1
VLAN-2
VLAN-3
Manufacturing Site
Store
Central Site
WAN/MAN
AP Group 1Head Office
AP Group 2
AP Group 3
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
AP Groups
Configuration/VLAN Mapping
30
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Understanding FlexConnect Groups
31
FlexConnect Group 1
Remote Site Remote Site
WAN
Central Site
FlexConnect Group 2
Flex 7500
Cluster
Scaling
Flex
7500/
8500
CT-5508 WiSM2 CT-2504
FlexConnect
Groups2000 100 100 30
AP per Group 100 25 25 25
Overview
FlexConnect groups allow sharing of:
• CCKM/OKC fast roaming keys
• Local/backup RADIUS servers IP/keys
• Local EAP authentication
• AAA-Override for Local Switching
• Smart Image Upgrade
• FlexConnect AVC (8.1)
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Groups and CCKM/OKC Keys
32
WAN
Central Site
RADIUS Server
CCKM Keys
FlexConnect Group 1 FlexConnect Group 2
• CCKM/OKC keys stored on FlexConnect
APs for Layer 2 fast roaming
• The FlexConnect APs receives CCKM/OKC
keys from WLC
• If a FlexConnect AP boots up in standalone mode, it will not get the
OKC/CCKM keys from the WLC
• FlexConnect supports 802.11r Fast
Transition with local key caching.
Overview
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Groups Creation
33
Step 1: Add a New FlexConnect Group
Step 2: Add APs to the FlexConnect Group
1
2
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Groups Template on PI
34
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Groups Template on PI
35
Designing a Resilient Wireless Branch Network
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Backup Scenario
• FlexConnect will backup on local switched mode
– No impact for locally switched SSIDs
– Disconnection of centrally switched SSIDs clients
• Static authenticationkeys are locally stored in FlexConnect AP
• Lost features
– RRM, WIDS, location, other AP modes
– Web authentication, NAC
WAN Failure
37
Remote Site
WAN
Central Site
Application
Server
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Backup Scenario
• FlexConnect will first backup on local switched mode
– No impact for locally switched SSIDs
– Disconnection of centrally switched SSIDs clients
• CCKM roaming allowed in FlexConnect group
• FlexConnect AP will then searchfor backup WLC; when backup WLC is found, FlexConnect AP will resync with WLC and resume client sessions with central traffic.
• Client sessions with Local Traffic are not impacted during resync with Backup WLC.
WLC Failure scenario with N+1 HA
38
Remote Site
WAN
Central Site
Application
Server
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Backup Scenario
• HA considerations:
– No impact for locally switched SSIDs
– Disconnection of centrally switched SSIDs clients with AP SSO
– No/minimal impact for centrally switched client with Client SSO (7.5 and above)
• FlexConnect AP will NOT transition to Standalone because SSO kicks in
• AP will continue to be in Connected mode with the Standby (now Active) WLC
39
WAN
Application
Server
Remote Office
Central SiteActive
StandbyWLC failure scenario with SSO
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Group : Backup Scenario
• Normal authentication is done centrally
• On WAN failure, AP authenticates new clients with locally defined RADIUS server
• Existing connected clients stay connected
• Clients can roam with – CCKM fast roaming, or
– Re-authentication
Local Backup RADIUS
40
Remote Site
WAN
Central Site
Central
RADIUS
Local Backup
RADIUS
CCKM Fast Roaming
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Group: Local Backup RADIUS
• Define primary and secondary local backup RADIUS server per FlexConnectgroup
Configuration
41
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Local Authentication
42
Remote Site
WAN
Central Site
FlexConnect Group
Central
RADIUS
Local
RADIUS
• By default FlexConnect AP authenticates clients through central
controller
• Local Authenticationallow use of local RADIUS server directly from the FlexConnect AP
Local Authentication
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Local AuthenticationConfiguration
43
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Group: Backup Scenario
• Normal authentication is done centrally
• On WAN failure, AP authenticates new clients with its local database
• Each FlexConnect AP has a copy of the local user DB
• Existing authenticated clients stay connected
• Clients can roam with:
– CCKM fast roaming, or
– Local re-authentication
Local Backup Authentication
44
Remote Site
WAN
Central Site
Central
RADIUS
CCKM Fast
Roaming
FlexConnect Group 1
Supported Security Types Release Version
LEAP 6.0
EAP-FAST 6.0
PEAP 7.5
EAP-TLS 7.5
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Group: Local Backup Authentication
• Define users (max 100) and passwords
• Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS
Configuration
45
1 2
Designing Secure and BYOD Enabled Branch Network
FlexConnect Peer-to-peer Blocking
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Local Switching Peer-to-peer Blocking
48
Remote Site
WAN
Central Site
Application
Server
Starting from 7.2
Support for Peer-to-Peer blocking in FlexConnect AP
Apply for clients on same FlexConnect AP
P2P blockingmodes : disable or drop
For P2P blocking inter-AP use ACL or
Private VLAN function
Overview
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Local Switching Peer-to-peer BlockingConfiguration
49
Multiple Policy Touch Points
Both modes of operation will drop the packet @ AP for Local Switching
enabled WLAN
* Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream node connected to WLC
FlexConnect AAA VLAN and QoS Override
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
VLAN 7
QoS = Platinum
VLAN 3
QoS = Silver
FlexConnect AAA VLAN Override
• AAA VLAN Override with local or central authentication
• Up to 16 VLANs per FlexConnect AP
• VLAN ID must be enabled per AP or FlexConnect Group
• If VLAN ID does not exist, default VLAN isused, unless « VLAN Based Central Switching » enabled
• Starting from 7.5 AAA override for QoS isalso supported.
Description
51
Remote Site
WAN
Central Site
FlexConnect Group
RADIUS
Application
Server
Starting from 7.2
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect AAA VLAN OverrideConfiguration
52
WAN
ISE
Create Sub-Interface on FlexConnect
AP
IETF 81IETF 64IETF 65
For YourReference
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
VLAN Based Central Switching
• Whiledoing AAA VLAN Override withlocal switching :
• If VLAN ID does not exist at the AP, the traffic is central switched to the central VLAN ID
• If the central VLAN ID does not exist, the traffic is centrally switched to the default VLAN ID of the WLAN
Overview
53
Remote Site
WAN
Central
RADIUS
VLAN 7
VLAN 3
VLAN 7
VLAN 3
does notExist on
this AP
VLAN 7
does notExist on
this AP
VLAN 7
does not
Exist on
this WLC
Go to DefaultVLAN ID
Central VLAN 3
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect AAA QoS Override
Description
54
Dynamically assign QoS levels and/or bandwidth contracts for local switching, centrally authenticated WLANs
Web-authenticated WLANs and 802.1X-authenticated WLANs supported
Order of precedence for Rate Limiting parameters AAA override
QoS Profile of AAA override
Local WLAN configuration
QoS Profile of local WLAN configuration
Starting from 7.5
Vendor ID/Vendor Type Attribute
[14179\002] Aire-QoS-Level
[14179\004] Aire-802.1P-Tag
[14179\007] Aire-Data-Bandwidth-Average-
Contract
[14179\008] Aire-Real-Time-Bandwidth-
Average-Contract
[14179\009] Aire-Data-Bandwidth-Burst-
Contract
[14179\0010] Aire-Real-Time-Bandwidth-
Burst-Contract
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
AAA Override Deployment ScenarioProblem Statement
Remote Site BRemote Site A
Function VLAN ID
Engineering 10
Marketing 20
Sales 30
VLAN 20
WAN
Central Site
Application
Server
Function VLAN ID
Engineering 11
Marketing 21
Sales 31
VLAN 20
does not
exist
Application
Server
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
VLAN Name Mapping at FlexConnect Group
Remote Site B
Central Site
WAN
Remote Site A
Flex Group A
VLAN Name VLAN
ID
Engineering 10
Marketing 20
Sales 30
.
.
HR 160
VLAN ID
11
21
31
VLAN ID
10
20
30
VLAN Name VLAN
ID
Engineering 11
Marketing 21
Sales 31
Flex Group B
VLAN Name VLAN
ID
Engineering 11
Marketing 21
Sales 31
.
.
HR 161
VLAN Name VLAN
ID
Engineering 10
Marketing 20
Sales 30
Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public 57
VLAN Name AAA Override - Solution
Remote Site BRemote Site A
VLAN Name VLAN ID
Engineering 10
Marketing 20
Sales 30
VLAN NAME=
Marketing
Remote Site
WAN
Central Site
Application
Server
VLAN Name VLAN ID
Engineering 11
Marketing 21
Sales 31
Remote Site
VLAN 20
VLAN 21
Aire-Interface-Name or
IETF Tunnel-Private-Group-ID
Coming in 8.1
FlexConnect ACL VLAN Mapping and Per-Client ACL
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect ACL – VLAN Mapping
• FlexConnects ACL are applied per VLAN
• FlexConnect ACL are Ingress / Egress oriented
• Starting from 7.5 FlexConnect ACL support AAA-
returned Client ACL
Overview
59
Remote Site
WAN
Central Site
Application
Server
Starting from 7.2
512 FlexConnect ACL per WLC
• 16 ingress ACL & 16
egress ACL per AP
• 64 ACL rules per ACL
• No IPv6 ACL
ACL Scale
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Access Lists
• FlexConnect ACL rule creation is similar to rule creation for Local Mode AP
Configuration – Create FlexConnect ACL
60
1
2
3
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect ACL – VLAN Mapping
• FlexConnect ACL can be applied per AP using VLAN Mappings configuration
Configuration – FlexConnect ACL per AP
61
1
2
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect ACL – VLAN Mapping
• FlexConnect ACL can be applied per FlexConnect Groups per VLAN in the ACL Mapping tab.
Configuration –FlexConnect ACL per FlexConnect Group
62
1 2
FlexConnect Split Tunnelling(Using FlexConnect Split ACL)
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect ACL – Split Tunnelling
• Split tunnelling allow some traffic to be locally switched although the WLAN is defined as centrally switched
• Split tunnelling is using a NAT/PAT feature with ACL to perform the local switching
• Split tunnelling is using the AP IP@ for the NAT/PAT feature
Overview
64
WLCFlexConnect APCAPWAP
WAN
Central Server
Central Traffic
Local Printer
NAT/PAT
ACL
Local Traffic
Starting from 7.3
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect ACL – Split Tunnelling
• Create a centrally switched WLAN
• Define Flex ACL to match traffic to be locally switched
Configuration
65
Flex Local switching should not be checked
Central subnet Local subnet
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect ACL – Split TunnellingConfiguration – Per Access Point
66
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect ACL – Split TunnellingConfiguration – Per FlexConnect Group
67
Deploying External WebAuth with FlexConnect Local Switching (Using FlexConnect WebAuth ACL)
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
External WebAuth with Local Switching
• Provides L3 Web Redirect from locallyswitched vlan
• Reduces WAN traffic by locally switchingguest traffic
• Flexible and centralised web portal creationfor multiple sites
• Provides flexible use of Conditional and Splash Page Web Redirect
• FlexConnect AP must be in Connectedstate with Centralised Controller for thisfunctionality to work
Description
69
Remote Site
WAN
Central Site
FlexConnect Group 1
VLAN
503
VLAN 7 - Employee
Internet
WebServer
Starting from
7.2.110
Guest
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
External WebAuth with Local SwitchingConfiguration
70
Step 1: Configure Pre-Auth ACL that will be applied to FlexConnect Group, AP or WLAN
External Web-Server IP
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
External WebAuth with Local SwitchingConfiguration
71
Step 2: Apply Pre-Auth ACL to WLAN
Apply Pre-Auth ACL to WLAN
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
External WebAuth with Local SwitchingConfiguration – Per AP
72
Step 3: Apply Pre-Auth ACL to FlexConnect AP
Map WLAN-Id to Pre-Auth ACL
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
External WebAuth with Local SwitchingConfiguration – Per FlexConnect Group
73
Or Step 3: Apply Pre-Auth ACL to FlexConnect Group
Map WLAN-Id to Pre-Auth ACL
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
External WebAuth with Local SwitchingConfiguration
74
Step 4: Configure External Web Server
External Web-Server IP
Deploying BYOD with FlexConnect Local Switching(Using FlexConnect WebPolicies ACL)
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Bring Your Own Device(s) : The New Normal
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
CA-Server
BYOD Device On-Boarding in FlexConnectExample: Apple iOS Device Provisioning
77
ISEWLC
ISEWLC
Client Reconnects
CA-Server
Starting from 7.4
Initial Connection Using
PEAP 1
Device Provisioning
Wizard2
Future Connections
using EAP-TLS3
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Access Lists for BYOD
• Create FlexConnect ACL to allow access to Cisco ISE
Create FlexConnect ACL
78
1
2
3
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Web Policy ACL
• ACL Mapping can be configured per FlexConnect AP
Configure Web Policy ACL per FlexConnect AP
79
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Web Policy ACL
• Use ACL Mapping tab in FlexConnect Group configuration
• WebPolicies ACL are not the same as VLAN ACL or WebAuthentication ACL.
Configure Web Policy ACL per FlexConnect Group
80
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Cisco Wireless Central DHCP Processing
• To support DHCP Profiling Probe with FlexConnect, DHCP request must be sent to WLC. This is done by the « Central DHCP Processing » configuration.
Configuration
81
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Deploying BYOD with FlexConnect WirelessSummary – 802.1x/EAP Authentication
82
ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
802.1x/EAP Request Radius Access-Request
Radius Access-Response• Access-Type: Access-Accept
• URL-Redirect-ACL=FlexACLWebPolicy,
• URL-Redirect=http://……)
802.1x/EAP Response
Inside CAPWAP
Inside CAPWAP
URL + ACL Redirect
Inside CAPWAP
WiFi Association
Unknown Device,
Redirect to registration
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Deploying BYOD with FlexConnect WirelessSummary – DHCP Request
83
DHCP Request
RADIUS-Accounting• host-name=MyiPad
• dhcp-class-identifier=APPLEDHCP Lease
Inside CAPWAP
Inside CAPWAP
ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
Device is
an iPad
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Deploying BYOD with FlexConnect WirelessSummary – URL-Redirect
84
HTTPRequest
ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
URL-Redirect
Inside CAPWAP
HTTP Request Redirected to WLC by AP
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Deploying BYOD with FlexConnect WirelessSummary – Registration & Provisioning
85
Device Registration & Provisioning
ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
RADIUS Change-of-AuthorisationEAP DeAuthentication
EAP Authentication
Device is Registrered
Trigger Change-of-Auth
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Deploying BYOD with FlexConnect WirelessSummary – Device Access
86
ISE
WLCFlexConnect AP
CAPWAP
WANWeb Server
DHCP Server
802.1x/EAP Request/ResponseRadius Access-Request
Inside CAPWAP
DHCP Request/Response
Inside CAPWAP
Radius Access-Response
Web Traffic
Device is Registrered
And ProvisionedAllow Access
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Summary of FlexConnect ACLs
87
87
Split Tunnel ACL Allow some traffic to be locally switched
Web Authentication ACL Provides L3 Web Redirect for local switching
Web Policies ACL BYOD with FlexConnect
VLAN-ACL Applied on the 802.3 interface of the FlexConnect AP
AAA returned Client ACL Applied on the 802.11 interface of the AP
Operating Wireless BranchSmart Upgrade over WAN
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Upgrading a FlexConnect Deployment
• Sites using FlexConnect AP are usually sites with low WAN bandwidth
• Each site may have small number of AP, but an enterprise may have a lot of branches
• Upgrading ~6000 AP through a low bandwidth WAN is a challenge :
– Time needed to download all the AP firmware
– Exhaust of the WAN link
– Risk of failures during the download
Concerns
89
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
WAN
FlexConnect Smart AP Image Upgrade
• Smart AP Image Upgrade use a « master » AP in each FlexConnect Group to downloadthe code.
• Other FlexConnect AP download the code from the master locally
1. Download WLC upgraded firmware (willbecome primary)
2. Force the « boot image » to be the secondary (and not the newlyupgraded one) to avoid parallel download of all AP in case of unexpected WLC reboot
3. WLC elects a master AP in eachFlexConnect Group (can be also set manually)
Overview
90
Remote Site-1 Remote Site-N
Cisco Prime
Wireless LAN
Controller
Primary Secondary
Firmware Image
New
OldNew
NewOld
Central Site
Master AP
Starting from 7.2
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
WAN
FlexConnect Smart AP Image Upgrade
4. Master AP « Pre-download » the AP firmware in the secondary « boot image » (will not disrupt the actual service)—Can be started group per group to limit WAN exhaust
5. Slave AP « Pre-download » the AP firmware from the Master AP
6. Change the « boot image » of the WLCto the new image
7. Reboot the controller
Description (Contd.)
91
OldNewNewOld
NewOld
Central Site
Remote Site-1 Remote Site-N
Wireless LAN
Controller
Primary Secondary
Firmware Image
Primary Secondary
AP Firmware Image
NewOld
Primary Secondary
AP Firmware Image
Master AP
Cisco Prime
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Smart AP Image Upgrade
• “FlexConnect AP Upgrade” checkbox has to be enabled for each FlexConnect Group.
• By default, Master AP for each FlexConnect Group is selected using Lower-MAC algorithm.
• One Master select per AP type.
Configuration
92
Enable Efficient AP Image
Upgrade
Master AP Selection is
Optional
Random Backoff Interval
(100-300sec) between
each retry
Valid Range is 1-63
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Per Branch or FlexConnect Group
Upgrade
Upgrade across all Branches or
FlexConnect Groups whose
“FlexConnect AP Upgrade” checkbox
is set
FlexConnect Smart AP Image Upgrade Configuration contd.
93
()
Service-Ready Branch
FlexConnect VideoStream
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
• Choppy, Unreliable Video
• Video Stream does not utilise 802.11n/ac High Throughput data rates
• Heavy utilisation of channel due to high rate of very slow packets
• Video delivery is not reliable causing poor Quality of Experience
Video Impact
Video Multicast Delivery Challenges
802.11Data Rates
B/G
N
VideoServer
• Multicast packets (UDP) are sent as broadcast packets over the air per 802.11 standard
• Broadcast packets do not use error correction: “fire and forget”
• Broadcast packets are sent at data rate mandatory to all clients connected to the WLAN
1 Mb for B/G (400K actual)6 Mb for A (2.7 Mb actual)
Technical Challenges
Default 802.11B/Gmandatory data rates
1
2
5.5
6
9
11
12
18
24
36
48
54
M0
M1
...
M14
M15
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Video Multicast Delivery Solution802.11
Data Rates
• IGMP state monitored for each client. Only send video to clients requesting
• Sent as unicast to individual clients at their data rate
• Multicast packets replicated at AP
Technical Solution
• Smooth, Reliable Video delivered to multiple clients
• Quality of Video protected in varying channel load conditions
• Prioritises Business Video (QoSGold) over other video ( Best-effort )
Video Impact
Default 802.11B/Gmandatory data rates
N
VideoServer
B/G
1
2
5.5
6
9
11
12
18
24
36
48
54
M0
M1
...
M14
M15
Starting from 8.0
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect VideoStream Configuration
(Cisco Controller) >config media-stream multicast-direct ?
enable Enable Global Multicast to Unicast Conversion
disable Disable Global Multicast to Unicast Conversion
Enable VideoStream - Global
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect VideoStream ConfigurationAdd Stream Configuration
(Cisco Controller) >configure media-stream add multicast-direct <media-stream-
name> <start-IP> <end-IP> [template | detail <bandwidth> <packet-size> <Re-
evaluation> video <priority> <drop|fallback>]’
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect VideoStream ConfigurationEnable VideoStream - WLAN
(Cisco Controller) >config wlan media-stream multicast-direct 1 ?
enable Enables Multicast-direct on the WLAN
disable Disables Multicast-direct on the WLAN.
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
(Cisco Controller) >show flexconnect media-stream client summary
Client Mac Stream Name Multicast IP AP-Name VLAN Type
----------------- -------------------- --------------- ------------------------- ----- ----------------
7c:d1:c3:86:7e:dc Media2 229.77.77.28 AP_1600 0 Multicast Direct
88:cb:87:bd:0c:ab Media2 229.77.77.28 AP_1600 0 Multicast Direct
d8:96:95:02:7e:b4 Media2 229.77.77.28 AP_1600 0 Multicast Direct
FlexConnect VideoStream MonitoringController
FlexConnect Bridge Mode Support
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
• New AP mode that allows Flexconnect behaviour across
mesh-enabled AP • Flexconnect Groups
• Max 8 Mesh hops, Max 32 MAPs
per RAP
• Local AAA support
• A WLC have a mix of Bridge and Flex + Bridge
• MAPs inherent VLANs from its
connected RAP
FlexConnect on Mesh APs
103
WAN
Central Site
Remote
Office
Centralised
Traffic
Local
Traffic
Local Data WLAN
Central Data WLAN
Starting from 8.0
Per Location SSID
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect-Bridge Failover Scenario
WAN
Application
Server
Primary
Remote Office
Secondary
• AP SSO is supported for the RAP only. N+1
Recommended. SSO for MAPs coming in 8.1
• Multi-sector RAP deployments can be used for
redundancy
• RAP to standalone mode when WLC is not reachable
• MAPs to standalone mode when WLC is
not reachable but gateway is
• When in standalone mode no new
mesh AP can join the mesh tree
Failover Considerations
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
AP Modes Feature ComparisonFeature\AP Mode Local Mode Bridge Mode Flexconnect Mode
Central Switching Yes Yes Yes
Root Ethernet VLAN bridging
No Yes (secondary Ethernet hosts)
Yes
Secondary Ethernet Access Ports
No Yes No
Secondary Ethernet VLAN Trunk Ports
No Yes No
Local VLAN Inheritance by MAPs from RAPs
No Yes - Secondary Ethernet “access” ports only
No
Wireless Child Mesh APs No Yes No
Fault Tolerant Resilient Mode
No No Yes
Security ACLs per VLAN on Ethernet Root Ports
No No Yes
Integrated IP Routing (PPP/PPPoE/NAT)
No No Yes
VLAN Transparent Bridging
No No No
Path Control Protocol No Yes No
Flex+Bridge Mode
Yes
Yes
Yes
Yes
Yes – both bridged 802.11 WLANs and Ethernet “access” portsYes
Yes
Yes (on RAPs)
Yes (on RAPs)
No
Yes
For YourReference
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public 106
Wireless Access Points AP_NAME General
Wireless Access Points AP_NAME FlexConnect
FlexConnect Bridge Mode Configuration
AP will reboot
upon change
Same options
as an AP in Flex
Mode
FlexConnect Application Visibility and Control Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Use QoS to control
application bandwidth
usage to improve
application performance
Control
Advanced reporting tool
aggregates and reports
application performance
App Visibility &
User Experience Report
Reporting Tool
Static
Netflow
Perf. Collection & Exporting
How AVC Solution Works
App BW Transaction
Time
…
WebEx 3 Mb 150 ms …
Citrix 10 Mb 500 ms …
DPI engine (NBAR2)
identifies applications
using L7 signatures
Deep Packet Inspection
AP
NBAR on AP
AP collects application info
and export it to
controller/switch every 90
seconds
AireOS 8.1AireOS 8.1
Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
WAN
AVC on FlexConnect APs
Katana
Netflow Export from AP to WLC
NBAR2 (1000+ Applications) and Netflowwill be ported onto Access Points!
Stateful context transfer will be supported for intra FlexConnect Group roams
STATIC NETFLOW TO
CPI OR THIRD PARTY NETFLOW COLLECTOR
Flow ID App Name Packets
1 WebEx 1000
2 Msft-Lync 2300
3 Skype 660
Real-time information for
last 90 seconds
Gen2 AP
Stateful context
transfer on roam
Gen2 AP
BRANCH
Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public 110
• Export to external Netflow supported• Intra FlexConnect Group Roaming Support
• Supported on all controller models except 2504
• Supported on Gen 2 APs : 1600, 2600, 3600,
1700, 2700, 3700, 1532, 1570
• FlexConnect and Flex+bridge mode supported
Support on WLC • NBAR2 engine on FlexConnect AP
• Protocol Pack 8.0
• NBAR engine version 16
• Send flows to WLC every 90 sec using Netflow
• Classification and Control at AP• Mark ( DSCP )
• Drop
• Rate-limit
Support on AP
AVC for FlexConnect APs Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
AVC Configuration on Local Switching WLAN
WLAN AVC
Configuration
Local Switching WLAN
Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
AVC Configuration per FlexConnect Group
• FlexConnect Group specific AVC configuration takes precedence over WLAN AVC config
• No AP Specific AVC configuration.
• WLAN AVC configuration will be pushed to Flex APs where WLAN is broadcast
FlexConnect Group AVC
configuration
Enable/disable, Profile,
Monitor per WLAN
Application Visibility
WLAN-Specific
Enable/Disable
Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect AVC Profiles
Can be associated under WLAN and/or FlexConnect Group
FlexConnect AVC
profiles
Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect AVC Applications
Protocol Pack version 8.0
Engine version 16
Coming in 8.1
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Monitoring AVC Statistics per FlexConnect Group
Per Client AVC Statistics Per FlexConnect Group
AVC Statistics
FlexConnect Best Practices
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
BE
ST
P
RA
CT
ICE
S (A
irO
S)
Make it Easy Make it work Make it perform
INF
RA
ST
RU
CT
UR
EEnable High Availability (AP and Client SSO)
Enable AP Failover Priority
Enable AP Multicast Mode
Enable Multicast VLAN
Enable Pre-image download
Enable AVC
Enable NetFlow
Enable Local Profiling (DHCP and HTTP)
Enable NTP
Modify the AP Re-transmit Parameters
Enable FastSSID change
Enable Per-user BW contracts
Enable Multicast Mobility
Enable Client Load balancing
Disable Aironet IE
FlexConnect Groups and Smart AP Upgrade
Enable 802.1x and WPA/WPA2 on WLAN
Enable 802.1x authentication for APChange advance EAP timers Enable SSH and disable telnet
Disable Management Over WirelessDisable WiFi DirectPeer-to-peer blocking
Secure Web Access (HTTPS)Enable User PoliciesEnable Client exclusion policies
Enable rogue policies and Rogue Detection RSSIStrong password Policies Enable IDS
BYOD Timers
Set Bridge Group NameSet Preferred Parent
Multiple Root APs in each BGN
Set Backhaul rate to "Auto"Set Backhaul Channel Width to 40/80 MHz
Backhaul Link SNR > 25 dBm
Avoid DFS channels for Backhaul
External RADIUS server for Mesh MAC AuthenticationEnable IDS
Enable EAP Mesh Security Mode
ME
SH
WIR
EL
ES
S /
RF
SE
CU
RIT
Y
Disable 802.11b data rates
Restrict number of WLAN below 4Enable channel bonding – 40 or 80 MHz Enable BandSelect
Use RF Profiles and AP GroupsEnable RRM (DCA & TPC) to be autoEnable Auto-RF group leader selection
Enable Cisco CleanAir and EDRRMEnable Noise &Rogue Monitoring on all channels Enable DFS channels
Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Best Practices RecommendationsFor YourReference
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
FlexConnect Best Practices
Enable FlexConnect Groups
CCKM/OKC Key sharing for Voice deployments
Enable Smart AP Image Upgrade
Design for Resiliency
VLAN-WLAN Mappings at Group Level
Consistent configuration across Primary and Backup WLCs
FLE
X
CO
NN
EC
T
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Summary• Cisco Unified Wireless Network based on Controllers deliver Wireless Branch Solution
• FlexConnect is the feature designed to solve remote connectivity and WAN constraints
• Several Failover Scenario are targeted to offer Survivability of Small Remote Sites
References:
• Wireless LAN Controller Scale Comparison Guidehttp://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#controllers
• FlexConnect Branch Controller Deployment Guidehttp://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html
• FlexConnect feature matrixhttp://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html
• Wireless Best Practiceshttp://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-best-practice.html
119
Q & A
© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN 2016 Cisco Public
Give us your feedback and receive a
Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session
Evaluations.
• Directly from your mobile device on the Cisco Live
Mobile App
• By visiting the Cisco Live Mobile Site
http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located
throughout the venue
T-Shirts can be collected in the World of Solutions
on Friday 20 March 12:00pm - 2:00pm
Complete Your Online Session Evaluation
Learn online with Cisco Live! Visit us online after the conference for full
access to session videos and
presentations. www.CiscoLiveAPAC.com
top related