Converged Access Small Branch (Single switch) Best Practices

Table of Contents

Overview
Topology
Base Layer 2/3 Configuration
Deploying Converged Access
Mobility
Security
WLAN
Guest Solution
Advanced IOS Wireless Services
Wireless Best Practices
Summary

Overview

The small remote branch office or retail store may consist of a single Ethernet switch or a stack of switches providing network connectivity to wired and wireless users. Such small networks can converge Ethernet switching and next-generation wireless capability on the same Catalyst switch.

For such designs, the switch integrates the WLC Mobility Controller (MC) and Mobility Agent (MA) functions without requiring any additional Converged Access elements, such as a Switch Peer Group (SPG), in the network. These networks may still need guest wireless services, as well as common security and network access policy enforcement across all branch offices.

Below is a typical topology of a single-switch branch network and a sample configuration that has been tried and tested at various customer deployments.



Topology

The figure below shows a reference topology for a typical branch network.



Base Layer 2/3 Configuration

  • VTP Mode: Transparent
vtp domain <domain-name>
vtp mode transparent

  • Spanning Tree: Rapid-PVST
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id

Note: BPDU guard error-disables a PortFast port that receives a BPDU, which is what stops an unmanaged switch or a rogue bridge plugged into an access port from influencing the spanning-tree topology. Global BPDU filtering on the same ports suppresses BPDU transmission toward hosts and makes a port that does receive a BPDU drop its PortFast status; how the two global defaults interact when a BPDU arrives varies between releases, so after deployment verify that a BPDU received on an access port still error-disables it (show spanning-tree summary, show interfaces status err-disabled) or omit spanning-tree portfast bpdufilter default.

  • Create named VLANs
vlan 151
name Voice_VLAN
!
vlan 152
name Video_VLAN
!
vlan 155
name WM_VLAN
!
vlan 158
name 8021X_WiFi_VLAN

and so on …

  • Configure Default Gateway
ip default-gateway
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.26.150.1

Note: ip default-gateway is honoured only while IP routing is disabled on the switch; if ip routing is enabled (for example because the switch routes between the branch VLANs), configure ip route 0.0.0.0 0.0.0.0 <next-hop> instead. The second command is the default route for the out-of-band management VRF only.

  • Configure Management VRF
vrf definition Mgmt-vrf
address-family ipv4
exit-address-family
!
interface GigabitEthernet0/0
description Connected to FlashNet - DO NOT ROUTE
vrf forwarding Mgmt-vrf
ip address 172.26.150.202 255.255.255.0
no ip redirects
no ip proxy-arp
load-interval 30
carrier-delay msec 0
negotiation auto
no cdp enable

Note: Mgmt-vrf is predefined on the Catalyst 3850 for the out-of-band GigabitEthernet0/0 port; the VRF definition is listed first because the interface's vrf forwarding command must reference an existing VRF. Keep this VRF isolated from the data plane (no route leaking), as the interface description says.

  • Configure IP DHCP Snooping
ip dhcp snooping vlan 151-154,156-165
no ip dhcp snooping information option
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp snooping

Note: Configure DHCP snooping for all wireless client VLANs and mark the uplink ports as trusted (covered under Uplink Ports). With snooping on, DHCP server replies are accepted only on trusted ports, so a rogue DHCP server on an access port is blocked, and the binding table that snooping builds is what ARP inspection checks against.

  • Configure ARP Inspection
ip arp inspection vlan 151-154,156-165
ip arp inspection validate src-mac dst-mac ip allow-zeros

Note: Configure ARP inspection for all wireless client VLANs and mark the uplink ports as trusted (covered under Uplink Ports). DAI drops ARP packets on untrusted ports whose sender MAC/IP pair is not in the DHCP snooping binding table; hosts with static addresses on these VLANs therefore need a static binding (ip source binding) or an ARP ACL, or their ARP traffic is dropped. The validate options additionally check that the Ethernet source MAC matches the ARP sender MAC, that the Ethernet destination matches the ARP target MAC in replies, and that sender and target IPs are not 0.0.0.0, 255.255.255.255 or multicast; allow-zeros exempts 0.0.0.0 so that DHCP clients' ARP probes are not dropped.
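To make the effect of the DHCP snooping and ARP inspection settings above concrete, the following is an added simulation (written for this page, not Cisco code) of the checks the switch applies: it builds a snooping binding table from constructed DHCP ACKs, then runs constructed ARP frames through the src-mac, dst-mac, ip and allow-zeros validations and the binding lookup. Port names, MAC addresses and IP addresses are made up; the VLAN list and trusted port come from the configuration above.

```python
"""Simulation of DHCP snooping + Dynamic ARP Inspection (DAI) as configured above.
Added example for this page, not Cisco code. All ports, MACs and IPs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# From the configuration above: inspected VLANs 151-154,156-165; uplink Po1 is trusted.
INSPECTED_VLANS = set(range(151, 155)) | set(range(156, 166))
TRUSTED_PORTS = {"Po1"}

Binding = Dict[Tuple[int, str], str]  # (vlan, client MAC) -> leased IP


@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str
    eth_src: str      # Ethernet source MAC
    eth_dst: str      # Ethernet destination MAC
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_mac: str   # ARP target hardware address (checked only in replies)
    target_ip: str
    is_reply: bool


def build_bindings(dhcp_acks: List[Tuple[int, str, str, str]]) -> Binding:
    """DHCP snooping learns (vlan, MAC) -> IP from server ACKs. ACKs are only
    accepted from trusted ports, which is what blocks a rogue DHCP server."""
    table: Binding = {}
    for vlan, port, mac, ip in dhcp_acks:
        if port in TRUSTED_PORTS and vlan in INSPECTED_VLANS:
            table[(vlan, mac.lower())] = ip
    return table


def _invalid_ip(ip: str, allow_zeros: bool) -> bool:
    """'ip' validation: reject 0.0.0.0, 255.255.255.255 and multicast.
    'allow-zeros' exempts 0.0.0.0 (DHCP clients probing their offered address)."""
    if ip == "0.0.0.0":
        return not allow_zeros
    if ip == "255.255.255.255":
        return True
    return 224 <= int(ip.split(".")[0]) <= 239


def dai_verdict(arp: Arp, bindings: Binding, allow_zeros: bool = True) -> str:
    """Return 'forward' or 'drop: <reason>' for one ARP frame."""
    if arp.vlan not in INSPECTED_VLANS or arp.port in TRUSTED_PORTS:
        return "forward"  # DAI not applied on trusted ports / uninspected VLANs
    if arp.eth_src.lower() != arp.sender_mac.lower():
        return "drop: src-mac"  # Ethernet source must equal ARP sender MAC
    if arp.is_reply and arp.eth_dst.lower() != arp.target_mac.lower():
        return "drop: dst-mac"  # in replies, Ethernet dest must equal ARP target MAC
    if _invalid_ip(arp.sender_ip, allow_zeros) or (arp.is_reply and _invalid_ip(arp.target_ip, allow_zeros)):
        return "drop: ip"
    if arp.sender_ip == "0.0.0.0":
        return "forward"  # probe permitted by allow-zeros; nothing to look up
    if bindings.get((arp.vlan, arp.sender_mac.lower())) != arp.sender_ip:
        return "drop: no binding"  # sender MAC/IP pair not in the snooping table
    return "forward"


BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE_ACKS = [  # constructed: (vlan, port the ACK arrived on, client MAC, leased IP)
    (158, "Po1", "00:11:22:33:44:55", "10.158.1.20"),
    (158, "Po1", "00:11:22:33:44:66", "10.158.1.21"),
    (158, "Gi1/0/9", "00:11:22:33:44:99", "10.158.1.99"),  # rogue server on an access port
]
SAMPLE_ARPS = {  # constructed ARP frames seen on access ports in VLAN 158
    "valid request": Arp(158, "Gi1/0/5", "00:11:22:33:44:55", BCAST, "00:11:22:33:44:55", "10.158.1.20", ZERO, "10.158.1.1", False),
    "gateway spoof": Arp(158, "Gi1/0/6", "00:11:22:33:44:66", BCAST, "00:11:22:33:44:66", "10.158.1.1", ZERO, "10.158.1.20", False),
    "header mismatch": Arp(158, "Gi1/0/6", "aa:bb:cc:dd:ee:ff", BCAST, "00:11:22:33:44:55", "10.158.1.20", ZERO, "10.158.1.1", False),
    "dhcp probe": Arp(158, "Gi1/0/7", "00:11:22:33:44:77", BCAST, "00:11:22:33:44:77", "0.0.0.0", ZERO, "10.158.1.22", False),
    "static host": Arp(158, "Gi1/0/8", "00:11:22:33:44:88", BCAST, "00:11:22:33:44:88", "10.158.1.50", ZERO, "10.158.1.1", False),
    "from uplink": Arp(158, "Po1", "00:11:22:33:44:01", "00:11:22:33:44:55", "00:11:22:33:44:01", "10.158.1.1", "00:11:22:33:44:55", "10.158.1.20", True),
}


def evaluate_samples(allow_zeros: bool = True) -> Dict[str, str]:
    bindings = build_bindings(SAMPLE_ACKS)
    return {label: dai_verdict(arp, bindings, allow_zeros) for label, arp in SAMPLE_ARPS.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:16} -> {verdict}")
```

The "static host" case is the one that bites in practice: a printer or badge reader with a static address has no snooping binding, so its ARP is dropped until a static binding or ARP ACL is added. Running with allow_zeros=False shows the DHCP probe being dropped by the ip validation instead.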

  • Uplink Ports / Port-Channel (allow necessary VLANs)
interface Port-channel1
description Connected Dist-1
switchport trunk native vlan 4002
switchport trunk allowed vlan 151-166,4093
switchport mode trunk
ip arp inspection trust
load-interval 30
carrier-delay msec 0
ip dhcp snooping trust

interface GigabitEthernet1/1/1
description Connected Dist-1
switchport trunk native vlan 4002
switchport trunk allowed vlan 151-166,4093
switchport mode trunk
ip arp inspection trust
load-interval 30
channel-protocol pagp
channel-group 1 mode desirable
ip dhcp snooping trust

interface GigabitEthernet1/1/2
description Connected Dist-1
switchport trunk native vlan 4002
switchport trunk allowed vlan 151-166,4093
switchport mode trunk
ip arp inspection trust
load-interval 30
channel-protocol pagp
channel-group 1 mode desirable
ip dhcp snooping trust

Note: The trunk native VLAN is set to an otherwise unused VLAN (4002) so that untagged frames arriving on the uplink cannot land in a client VLAN, and only the VLANs actually needed at the branch are allowed on the trunk. The uplinks are the only ports trusted for DHCP snooping and ARP inspection; access ports stay untrusted.



Mobility

  • Wireless Management Interface
interface vlan 155
description Wireless Management Interface
ip address 10.101.1.109 255.255.255.240
load-interval 30
logging event link-status
no shutdown

wireless management interface vlan 155
wireless mobility group name 3850_Branch_1
wireless mobility group member ip 10.99.2.242 public-ip 10.99.2.242 group GA-Domain-1
wireless mobility group member ip 10.99.2.243 public-ip 10.99.2.243 group GA-Domain-2

Note: The wireless management interface command enables wireless functionality on the switch (VLAN 155 is the WM_VLAN created earlier and carried on the uplink trunk); the mobility group commands configure mobility peering with the two 5760 Guest Anchors (GA-Domain-1 and GA-Domain-2). A 5508 or 8510 AireOS controller can be used as the Guest Anchor instead, provided it runs in the new (hierarchical) mobility mode so that it can peer with Converged Access switches.



Security

  • Global Parameters
aaa new-model
aaa authentication login PRIME_RADIUS_AUTH_GRP group PRIME_RADIUS_SERVER_GRP
aaa authentication dot1x PRIME_RADIUS_AUTH_GRP group PRIME_RADIUS_SERVER_GRP
aaa authorization network PRIME_RADIUS_AUTHO_GRP group PRIME_RADIUS_SERVER_GRP
aaa authorization network PRIME_CWA_MAC_FILTER group PRIME_RADIUS_SERVER_GRP
aaa accounting identity PRIME_RADIUS_ACCT_GRP start-stop group PRIME_RADIUS_SERVER_GRP

aaa server radius dynamic-author
client 10.100.1.49 server-key 7 02050D480809
auth-type any
!
!
radius server PRIME_RADIUS_SERVER_1
address ipv4 10.100.1.49 auth-port 1812 acct-port 1813
timeout 1
key 7 121A0C041104
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail
!
aaa group server radius PRIME_RADIUS_SERVER_GRP
server name PRIME_RADIUS_SERVER_1

Note: The dynamic-author block accepts RADIUS Change of Authorization (CoA) from ISE (10.100.1.49), which Central Web-Auth and the nac keyword on the WLANs rely on. The type 7 keys shown are reversible obfuscation, not encryption, and are sample values; anyone who can read the configuration can recover them, so treat a configuration containing them as sensitive. With timeout 1 and the default three retransmits each authentication waits at most about four seconds before failing; a single server is fine for a lab, but a branch should have a second server in the group.
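Because the RADIUS and CoA keys above are stored as type 7, it is worth seeing how little protection that gives. The following is an added example for this page, not Cisco code: a decoder for the type-7 scheme (a fixed translation table XORed with the plaintext, prefixed by a two-digit seed), the matching encoder for round-trip checks, and a small scan that pulls every key 7 / server-key 7 value out of a configuration excerpt. Run on the two strings from the Security section above, it shows both decode to the same trivial sample secret ("cisco"). The translation table is the well-known type-7 constant; the configuration excerpt is a constructed copy of the lines above.

```python
"""Cisco type-7 strings are reversible obfuscation, not encryption.
Added example for this page, not Cisco code."""
import re
from typing import List, Tuple

# Well-known type-7 translation table.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Two-digit decimal seed, then one hex byte per plaintext character,
    each XORed with the table entry at (seed + position)."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a type-7 string: %r" % encoded)
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 2) -> str:
    """Inverse of decode_type7; IOS uses seeds 0-15 for the two-digit prefix."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plain.encode("ascii")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data))
    return "%02d%s" % (seed, body.hex().upper())


_KEY_RE = re.compile(r"\b((?:server-)?key) 7 ([0-9A-Fa-f]+)")


def audit_type7(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, keyword, decoded secret) for every type-7 key found."""
    found = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = _KEY_RE.search(line)
        if m:
            found.append((n, m.group(1), decode_type7(m.group(2))))
    return found


# Constructed excerpt copying the two type-7 lines from the Security section above.
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
 client 10.100.1.49 server-key 7 02050D480809
radius server PRIME_RADIUS_SERVER_1
 address ipv4 10.100.1.49 auth-port 1812 acct-port 1813
 key 7 121A0C041104
"""

if __name__ == "__main__":
    for n, kw, secret in audit_type7(SAMPLE_CONFIG):
        print(f"line {n}: {kw} 7 decodes to {secret!r}")
```

The practical consequence for a branch template that is cloned across hundreds of switches: the RADIUS shared secret is effectively in clear text anywhere the configuration is stored or shared (backups, change tickets, wikis), so the secret should be unique per site or rotated through the AAA server, and configuration archives protected accordingly.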



WLAN

  • 802.1X WLAN
wlan ABCCorp-8021X 1 ABCCorp-8021X
band-select
aaa-override
nac
wifidirect policy deny
client vlan 8021X_WiFi_VLAN
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
accounting-list PRIME_RADIUS_ACCT_GRP
security dot1x authentication-list PRIME_RADIUS_AUTH_GRP
session-timeout 21600
wmm require
no shutdown


  • Pre-Shared Key WLAN
wlan ABCCorp_PSK 2 ABCCorp_PSK
band-select
client vlan PSK_WiFi_VLAN
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
no security wpa akm dot1x
security wpa akm psk set-key ascii 8 AAPAAQeRgFGCE_dLbEOcNPP[AAAAAAMcLKMPc^TcSbIhbU\HeaSXF_AAB
service-policy output ABCCorp_PSK-PARENT-POLICY
session-timeout 7200
wifidirect policy deny
wmm require
no shutdown

  • Open WLAN
wlan ABCCorp_OPEN 3 ABCCorp_OPEN
band-select
client vlan Open_WiFi_VLAN
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
service-policy output ABCCorp_OPEN-PARENT-POLICY
session-timeout 1800
wifidirect policy deny
wmm require
no shutdown

Note: An open WLAN carries client traffic without encryption and without client authentication; keep it on its own VLAN (Open_WiFi_VLAN) with the shorter session-timeout and the egress shaping policy shown, and do not expose corporate resources on that VLAN.



Guest Solution

  • CWA Guest WLAN
wlan ABCCorp-Guest 15 ABCCorp-Guest
aaa-override
accounting-list PRIME_RADIUS_ACCT_GRP
client vlan GUEST_VLAN
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
load-balance
security dot1x authentication-list PRIME_RADIUS_AUTH_GRP
mac-filtering PRIME_CWA_MAC_FILTER
mobility anchor 10.99.2.242
mobility anchor 10.99.2.243
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
session-timeout 7200
wmm require
no shutdown

  • Mobility and Guest WLAN configuration on 5760 Guest Anchor 1
wireless mobility group name GA-Domain-1
wireless mobility group member ip 10.101.1.109 public-ip 10.101.1.109 group 3850_Branch_1
wlan ABCCorp-Guest 15 ABCCorp-Guest
aaa-override
accounting-list PRIME_RADIUS_ACCT_GRP
client vlan GUEST_WiFi_VLAN
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
load-balance
security dot1x authentication-list PRIME_RADIUS_AUTH_GRP
mac-filtering PRIME_CWA_MAC_FILTER
mobility anchor
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
session-timeout 7200
wmm require
no shutdown

Note: The guest WLAN must be defined with the same SSID and security settings on the anchor as on the foreign (branch) switch. On the anchor, mobility anchor with no address points the WLAN at the anchor itself; the client VLAN named on the anchor (GUEST_WiFi_VLAN) is the one guest clients actually land in, because the branch switch tunnels their traffic to the anchor rather than bridging it locally.

  • Redirect ACL for CWA (Central Web-Auth)
ip access-list extended PRIME-CWA-REDIRECT-ACL
10 deny icmp any any
20 deny udp any eq bootps any
30 deny udp any any eq bootpc
40 deny udp any eq bootpc any
50 deny udp any any eq domain
60 deny tcp any any eq domain
70 deny ip any host 10.100.1.49
80 permit tcp any any eq www

Note: In a redirect ACL, deny means "do not redirect" and permit means "redirect to the ISE portal". ICMP, DHCP, DNS and traffic to the ISE server (10.100.1.49) are therefore excluded from redirection, only HTTP (tcp/80) is redirected, and traffic matching no entry is not redirected. The ACL name must match the redirect ACL name that ISE returns in its authorization profile. HTTPS (tcp/443) is not redirected by this ACL, so guests must open an HTTP URL to reach the portal.
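The following is an added example for this page, not Cisco code: a small evaluator that parses the redirect ACL above in its configuration form and classifies constructed guest-client flows as redirected or bypassed, so the effect of each entry (and of the implicit deny at the end) can be checked before the ACL is pushed to hundreds of branches. The flow addresses and ports are made up; 10.100.1.49 is the RADIUS/ISE server from the Security section. Port names cover only those used in the ACL; other ports are given numerically.

```python
"""Evaluate a Converged Access CWA redirect ACL against sample flows.
Added example for this page, not Cisco code. Flow data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

# The ACL from the page, in the form it is entered into the configuration.
REDIRECT_ACL = """\
ip access-list extended PRIME-CWA-REDIRECT-ACL
 10 deny icmp any any
 20 deny udp any eq bootps any
 30 deny udp any any eq bootpc
 40 deny udp any eq bootpc any
 50 deny udp any any eq domain
 60 deny tcp any any eq domain
 70 deny ip any host 10.100.1.49
 80 permit tcp any any eq www
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _addr(tokens: List[str]) -> Tuple[str, List[str]]:
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address form: %s" % " ".join(tokens))


def _port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_acl(text: str) -> List[Ace]:
    """Parse 'seq action proto src [eq port] dst [eq port]' lines; skip the header."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue
        seq, action, proto = int(t[0]), t[1], t[2]
        src, rest = _addr(t[3:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append(Ace(seq, action, proto, src, sport, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


Flow = Tuple[str, str, Optional[int], str, Optional[int]]  # proto, src, sport, dst, dport


def classify(aces: List[Ace], flow: Flow) -> str:
    """First matching entry wins: permit -> redirect, deny -> bypass, no match -> not redirected."""
    proto, src, sport, dst, dport = flow
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if a.src not in ("any", src) or a.dst not in ("any", dst):
            continue
        if a.proto in ("tcp", "udp"):
            if a.sport is not None and a.sport != sport:
                continue
            if a.dport is not None and a.dport != dport:
                continue
        return "redirect" if a.action == "permit" else f"bypass (seq {a.seq})"
    return "not redirected (implicit deny)"


SAMPLE_FLOWS: Dict[str, Flow] = {  # constructed guest-client traffic
    "dhcp discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns query": ("udp", "10.165.1.20", 51000, "10.100.1.10", 53),
    "ise portal": ("tcp", "10.165.1.20", 51001, "10.100.1.49", 8443),
    "ping gateway": ("icmp", "10.165.1.20", None, "10.165.1.1", None),
    "http": ("tcp", "10.165.1.20", 51002, "203.0.113.10", 80),
    "https": ("tcp", "10.165.1.20", 51003, "203.0.113.10", 443),
}


def classify_samples() -> Dict[str, str]:
    aces = parse_acl(REDIRECT_ACL)
    return {label: classify(aces, flow) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:14} -> {verdict}")
```

The "https" result is the one to notice: a guest whose browser opens an HTTPS home page never hits the permit entry and so never sees the portal, which is why captive-portal detection on modern clients probes an HTTP URL.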



Advanced IOS Wireless Services

  • AVC Configuration
flow exporter PRIME_FNF_COLLECTOR_1
description FLEXIBLE NETFLOW COLLECTOR
destination 10.100.1.82
dscp 46
transport udp 9991
!
!
flow monitor wireless-avc-basic
exporter PRIME_FNF_COLLECTOR_1
record wireless avc basic

  • WLAN configuration example:
wlan ABCCorp-8021X 1 ABCCorp-8021X
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output

<< .. Snip...Similar config for other WLANs….>>

  • Egress Bandwidth Shaping for WLANs
policy-map ABCCorp-8021X-PARENT-POLICY
description PRIME-ABCCorp-8021X EGRESS PARENT POLICY
class class-default
shape average percent 40
queue-buffers ratio 0

policy-map ABCCorp_PSK-PARENT-POLICY
description PRIME-ABCCorp_PSK EGRESS PARENT POLICY
class class-default
shape average percent 30
queue-buffers ratio 0

Note: Policy-map names are case-sensitive and must match the service-policy output names on the WLANs exactly (ABCCorp-8021X-PARENT-POLICY, ABCCorp_PSK-PARENT-POLICY, ABCCorp_OPEN-PARENT-POLICY).

<<…Similar policy maps for other WLANs with desired shape average percent …>>

  • WLAN configuration example:
wlan ABCCorp-8021X 1 ABCCorp-8021X
service-policy output ABCCorp-8021X-PARENT-POLICY
<<… Similar configs for other WLANs .. >>



Wireless Best Practices

  • Fast SSID change:
wireless client fast-ssid-change

  • Password encryption:
passwd encryption on
passwd key obfuscate



Summary

This technote provides an overview of a typical branch deployment using Converged Access and the related golden configurations. These configurations can be used as-is across hundreds or even thousands of branches to deploy the branch wireless network quickly with tried and tested settings; only the site-specific values (VLAN names, addresses, RADIUS keys and mobility peers) change per branch.
