Asked by Techno Savvy (Norway)
Cisco WLC 9800 Deployment: FlexConnect or Centralized Tunnel Mode

We are deploying Cisco WLC 9800 with 600 Access Points (APs), and there are no remote sites connecting to this WLC or backhauling traffic to the centralized WLC.

WLC is local to its site only.


Here are two questions on my mind:


Deployment Mode: Which is better for 600 APs, FlexConnect or Centralized mode with CAPWAP tunneling? What are the key considerations, pros, and cons for each deployment mode in this scenario?


Our wireless deployment shall be used for corporate wireless and Guest Access.


Thanks in advance!

ASKER CERTIFIED SOLUTION by Craig Beck (United Kingdom)
Techno Savvy (ASKER)

Thank you once again, Craigbeck.


WLCs are connected to the cores directly.


APs are connected to access switches in a dedicated VLAN.


Clients primarily require access to data center resources such as business applications, file servers, EMR systems, and eventually, internet/WAN access.



Internet firewalls are connected to Core switches, serving as the perimeter security.



Another question: after reading through Cisco Live documents I came across these points:


  • While using the C9800 you have AP CAPWAP traffic, and it is terminated on the wireless management interface. There is only one wireless management interface.


Based on the statement above, the management VLAN SVI should have an L3 address configured on the WLC's management interface, but those ports on the WLC are trunked, so where should IPs specifically be assigned on the WLC?


We have 2 x 9800 WLCs planned to be configured in SSO mode. We have 1 LAG connected to the Core Switches on a trunk port for corporate data and voice traffic. Furthermore, we would connect one of the interfaces of the WLC to the DMZ for Guest Access traffic, where the WLC will dump traffic to the DMZ switch and there is a firewall at the other end.


How is the traffic encapsulated and decapsulated on the management interface when using the CAPWAP tunnel for the corporate and Guest SSIDs?



SOLUTION

Please excuse my ignorance, and I hope my understanding is correct for the guest traffic flow on the WLC.


So APs are connected to LAN access. For guest traffic, as understood:


CAPWAP tunnels over:

• access switch
• core switch
• WLC ingress management interface


De-encapsulation and client > ISE captive portal:

• DMZ switch
• Internet firewall
• dot1q trunk to LAN core, then all the way to the DC to reach ISE


After authentication, all other guest traffic becomes CAPWAP tunneled to the WLC.

Yes, your flow is correct.


The Guest SSID usually uses central switching, so the WLC switches the client traffic, not the AP or the switch that the AP connects to. ALL guest traffic is transported from the AP to the WLC in a CAPWAP tunnel, then the WLC unwraps the CAPWAP and the guest traffic goes out of the correct WLC interface depending on the VLAN that the SSID is configured to use.
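The flow described above, as an added Catalyst 9800 configuration example that is not part of the thread or any answer in it: the management IP sits on an SVI behind the trunked LAG, CAPWAP terminates there, and the centrally switched guest policy profile drops client frames into a VLAN that is only allowed on the link toward the DMZ. VLAN IDs (10, 20, 300), addresses, interface numbers and profile names are assumed lab values.

```cisco
! Assumed values: wireless management VLAN 10 (10.10.10.5/24), corporate
! client VLAN 20, guest VLAN 300 carried only toward the DMZ switch.
vlan 10
 name WIRELESS-MGMT
vlan 20
 name CORP-CLIENTS
vlan 300
 name GUEST-DMZ
!
! The L3 address lives on the SVI, not on the trunked physical ports.
! APs build their CAPWAP tunnel to this address.
interface Vlan10
 description CAPWAP termination / wireless management
 ip address 10.10.10.5 255.255.255.0
!
wireless management interface Vlan10
!
! LAG toward the core: carries only the management and corporate VLANs.
interface Port-channel1
 description LAG-to-core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface TenGigabitEthernet0/0/0
 switchport mode trunk
 channel-group 1 mode active
interface TenGigabitEthernet0/0/1
 switchport mode trunk
 channel-group 1 mode active
!
! Separate link to the DMZ switch: guest VLAN only, so de-encapsulated
! guest traffic never appears on the corporate trunk. No SVI is created
! for VLAN 300: the WLC bridges guest frames, the DMZ firewall routes them.
interface TenGigabitEthernet0/0/2
 description Trunk-to-DMZ-switch
 switchport mode trunk
 switchport trunk allowed vlan 300
!
! Both SSIDs are centrally switched (the 9800 default): the AP sends every
! client frame inside CAPWAP and the WLC places it in the VLAN mapped here.
wireless profile policy CORP-POLICY
 central switching
 vlan 20
 no shutdown
wireless profile policy GUEST-POLICY
 description Guest clients land in the DMZ VLAN
 central switching
 central dhcp
 vlan 300
 no shutdown
```

Verify with `show wireless interface summary` (management SVI) and `show wireless profile policy detailed GUEST-POLICY` (VLAN and switching mode) after applying.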