Cisco WLC 9800 Deployment: FlexConnect or Centralized Tunnel Mode
We are deploying Cisco WLC 9800 with 600 Access Points (APs), and there are no remote sites connecting to this WLC or backhauling traffic to the centralized WLC.
WLC is local to its site only.
Here are two questions on my mind:
Deployment Mode: Which is better for 600 APs, FlexConnect or Centralized mode with CAPWAP tunneling? What are the key considerations, pros, and cons of each deployment mode in this scenario?
Our wireless deployment shall be used for corporate wireless and Guest Access.
Thanks in advance!
ASKER
Please excuse my ignorance; I hope my understanding of the guest traffic flow on the WLC is correct.
So the APs are connected to LAN access. For guest traffic, as I understand it:
CAPWAP tunnels over:
• access switch
• core switch
• WLC ingress management interface
De-encapsulation and client > ISE captive portal:
• DMZ switch
• Internet firewall
• dot1q trunk to LAN core, then all the way to the DC to reach ISE
After authentication, all other guest traffic becomes CAPWAP tunneled to the WLC.
Yes, your flow is correct.
A Guest SSID usually uses central switching, so the WLC switches the client traffic, not the AP or the switch that the AP connects to. ALL guest traffic is transported from the AP to the WLC in the CAPWAP tunnel, then the WLC unwraps the CAPWAP and the guest traffic goes out of the correct WLC interface depending on the VLAN that the SSID is configured to use.
ASKER
Thank you once again, Craigbeck.
WLCs are connected to the cores directly.
APs are connected to access switches in a dedicated VLAN.
Clients primarily require access to data center resources such as business applications, file servers, EMR systems, and eventually, internet/WAN access.
Internet firewalls are connected to Core switches, serving as the perimeter security.
Another question: after reading through Cisco Live documents I came across these points.
Based on the statement above, the management VLAN SVI should have an L3 address configured on the WLC's management interface, but those ports on the WLC are trunked, so where specifically should the IPs be assigned on the WLC?
We have 2 x 9800 WLCs planned to be configured in SSO mode. We have one LAG connected to the core switches on a trunk port for corporate data and voice traffic. Furthermore, we would connect one of the interfaces of the WLC to the DMZ for guest access traffic, where the WLC will dump traffic to the DMZ switch and there is a firewall at the other end.
How is the traffic encapsulated and decapsulated on the management interface when using the CAPWAP tunnel for the corporate and guest SSIDs?
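As an added illustration (not posted by anyone in this thread), here is a minimal Catalyst 9800 (IOS-XE) configuration that ties together the points discussed above: the controller's IP lives on an SVI that is declared the wireless management interface, the physical uplinks are only a tagged LAG, and both the corporate and guest SSIDs are centrally switched so their client traffic rides inside CAPWAP to the WLC and is de-encapsulated there onto a VLAN (core-routed for corporate, DMZ-firewall-routed for guest). All interface names, VLAN numbers, addresses, profile names and AAA list names (ISE-DOT1X, ISE-MAB) are assumed placeholders; the AAA server definitions and the SSO redundancy configuration are omitted.

```cisco
! Added illustration, not from any poster in this thread: a minimal Catalyst 9800
! (IOS-XE) configuration for the topology described above. Interface names, VLAN
! numbers, addresses, profile and AAA list names are assumed placeholders.

! 1. Physical uplinks to the core: a LAG carrying tagged VLANs only. No IP here.
interface TenGigabitEthernet0/0/0
 channel-group 1 mode active
interface TenGigabitEthernet0/0/1
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

! 2. The controller's own IP lives on an SVI, not on the trunk ports. The SVI
!    chosen as the wireless management interface terminates every CAPWAP tunnel
!    (AP control traffic and centrally switched client data).
interface Vlan10
 description WLC-MGMT / CAPWAP termination
 ip address 10.10.10.5 255.255.255.0
wireless management interface Vlan10

! 3. Client VLANs are also SVIs on the 9800 but carry no IP address: after the
!    WLC de-encapsulates CAPWAP, client frames leave tagged on the trunk and are
!    routed by the core (corporate) or by the DMZ firewall (guest).
interface Vlan20
 description CORP-DATA (routed by the core)
interface Vlan30
 description GUEST (DMZ; the firewall is the gateway)

! 4. Corporate SSID: 802.1X against ISE, central switching and authentication,
!    so client traffic is de-encapsulated on the WLC into VLAN 20.
wlan CORP-WIFI 1 CORP-WIFI
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security dot1x authentication-list ISE-DOT1X
 no shutdown
wireless profile policy CORP-POLICY
 vlan 20
 central switching
 central authentication
 no shutdown

! 5. Guest SSID: open with MAC filtering so ISE can apply a redirect ACL and send
!    the client to its captive portal (central web auth). Central switching keeps
!    guest traffic inside CAPWAP all the way to the WLC, which drops it into
!    VLAN 30 towards the DMZ switch and firewall.
wlan GUEST-WIFI 2 GUEST-WIFI
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 mac-filtering ISE-MAB
 no shutdown
wireless profile policy GUEST-POLICY
 vlan 30
 central switching
 central authentication
 aaa-override
 nac
 no shutdown

! 6. A policy tag binds each WLAN to its policy profile and is applied to the APs.
!    A FlexConnect design would instead attach a flex profile and use
!    'no central switching' in the policy profile, so the AP bridges client
!    frames onto its local access-switch VLAN rather than tunneling them.
wireless tag policy SITE-POLICY-TAG
 wlan CORP-WIFI policy CORP-POLICY
 wlan GUEST-WIFI policy GUEST-POLICY
```

In this model the question of "where the IP goes" has one answer: on `interface Vlan10`, selected by `wireless management interface Vlan10`. The trunk ports and the LAG stay L2. Both SSIDs therefore arrive at the WLC encapsulated in CAPWAP from the AP, are unwrapped at the wireless management interface, and leave tagged on Port-channel1 in whichever VLAN their policy profile names; for the guest VLAN that tag should be carried only towards the DMZ switch so the firewall, not the core, is the guest default gateway. Under SSO the active and standby 9800s share this same configuration and the same management IP.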