Cisco Flex 7500 Series Quick reference guide
Cisco Systems, Inc.
www.cisco.com
Flex 7500 Wireless Branch Controller
Deployment Guide
Last Updated: August, 2016
Introduction
This document describes how to deploy a Cisco Flex 7500 wireless branch controller. The purpose of
this document is to:
•Explain various network elements of the Cisco FlexConnect solution, along with their
communication flow.
•Provide general deployment guidelines for designing the Cisco FlexConnect wireless branch
solution.
Note Prior to release 7.2, FlexConnect was called Hybrid REAP (HREAP). Now it is called
FlexConnect.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
2
Flex 7500 Wireless Branch Controller Deployment Guide
Product Overview
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Product Overview
Figure 1 Cisco Flex 7500
The Cisco Flex 7500 Series Cloud Controller is a highly scalable branch controller for multi-site
wireless deployments. Deployed in the private cloud, the Cisco Flex 7500 series controller extends
wireless services to distributed branch offices with centralized control that lowers total cost of
operations.
The Cisco Flex 7500 series (Figure 1) can manage wireless access points in up to 2000 branch locations
and allows IT managers to configure, manage, and troubleshoot up to 6000 access points (APs) and
64,000 clients from the data center. The Cisco Flex 7500 series controller supports secure guest access,
rogue detection for Payment Card Industry (PCI) compliance, and in-branch (locally switched) Wi-Fi
voice and video.
The following table highlights the scalability differences between the Flex 7500, 8500, WiSM2 and
WLC 5500 controller:
Note Flex 7500 only operates in FlexConnect mode. Additional modes are supported in WiSM2, 5500,
and 8500 series controllers.
Note DTLS license is required for Office Extend AP support.
Scalability Flex 7500/8500 WiSM2 WLC 5500
Total Access Points 6,000 1000 500
Total Clients 64,000 15,000 7,000
Max FlexConnect
Groups
2000 100 100
Max APs per
FlexConnect Group
100 25 25
Max AP Groups 6000 1000 500
3
Flex 7500 Wireless Branch Controller Deployment Guide
Product Specifications
Product Specifications
Data Sheet
Refer to Cisco Flex 7500 Series Cloud Controller Data Sheet:
http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/
ps11635/data_sheet_c78-650053.html
Platform Feature
Figure 2 Flex 7500 Rear View
Network Interface Ports
Note • LAG support for 2x10G interfaces allows active-active link operation with fast failover link
redundancy. An additional active 10G link with LAG does not change the controller wireless
throughput.
•2x10G interfaces.
•2x10G interfaces support optic cable with SFP product # SFP-10G-SR and SFP-10G-LR.
•Switch side SFP or X2 product should be of the same type SR or LR.
Interface Ports Usage
Fast Ethernet Integrated Management Module (IMM)
Port 1: 1G WLC Service Port
Port 2: 1G WLC Redundant Port (RP)
Port 1: 10G WLC Management Interface
Port 2: 10G WLC Backup Management Interface Port (Port
Failure)
4
Flex 7500 Wireless Branch Controller Deployment Guide
Flex 7500 Boot Up
System MAC Addresses
Serial Console Redirect
The WLC 7500 enables console redirect by default at the baud rate of 9600, simulating Vt100 terminal
with no flow control.
Inventory Information
The following is the WLC 7500 Console:
(Cisco Controller) >show inventory
Burned-in MAC Address............................ E4:1F:13:65:DB:6C
Maximum number of APs supported.................. 2000
NAME: "Chassis" , DESCR: "Cisco Wireless Controller"
PID: AIR-CT7510-K9, VID: V01, SN: KQZZXWL
The Desktop Management Interface (DMI) table contains server hardware and BIOS information. The
WLC 7500 displays BIOS version, PID/VID and Serial Number as part of inventory.
Note Flex 7500 is currently shipped with VID=V02.
Flex 7500 Boot Up
Cisco boot loader options for software maintenance are identical to Cisco's existing controller platforms.
Port 1: 10G (Management Interface) System/Base MAC address
Port 2: 10G (Backup Management
Interface)
Base MAC address+5
Port 1: 1G (Service Port) Base MAC address+1
Port 2: 1G (Redundant Port) Base MAC address+3
5
Flex 7500 Wireless Branch Controller Deployment Guide
Flex 7500 Boot Up
Figure 3 Boot-Up Order
6
Flex 7500 Wireless Branch Controller Deployment Guide
Flex 7500 Boot Up
Figure 4 WLC Configuration Wizard
Note The Flex 7500 boot up sequence is equivalent and consistent with existing controller platforms.
Initial boot up requires WLC configuration using the Wizard.
7
Flex 7500 Wireless Branch Controller Deployment Guide
Flex 7500 Licensing
Flex 7500 Licensing
AP Base Count Licensing
AP Upgrade Licensing
Except for the base and upgrade counts, the entire licensing procedure that covers ordering, installation,
and viewing is similar to Cisco's existing WLC 5508.
Refer to the WLC 7.3 configuration guide, which covers the entire licensing procedure.
Software Release Support
The Flex 7500 supports WLC code version 7.0.116.x and later only.
Supported Access Points
Access Points 3600, 3500, 2600, 1600, 1550, 1260, 1240, 1140, 1130,1040, 700, and 600 series, Cisco
891 Series Integrated Services Router and Cisco 881 Series Integrated Services Router.
.
AP Base Count SKUs
300
500
1000
2000
3000
6000
AP Upgrade SKUs
100
250
500
1000
8
Flex 7500 Wireless Branch Controller Deployment Guide
FlexConnect Architecture
FlexConnect Architecture
Figure 5 Typical Wireless Branch Topology
FlexConnect is a wireless solution for branch office and remote office deployments.
The FlexConnect solution enables the customer to:
•Centralize control and manage traffic of APs from the Data Center.
–
Control traffic is marked by red dashes in Figure 5.
•Distribute the client data traffic at each Branch Office.
–
Data traffic is marked by blue, green, and purple dashes in Figure 5.
–
Each traffic flow is going to its final destination in the most efficient manner.
Advantages of Centralizing Access Point Control Traffic
•Single pane of monitoring and troubleshooting.
•Ease of management.
•Secured and seamless mobile access to Data Center resources.
•Reduction in branch footprint.
•Increase in operational savings.
9
Flex 7500 Wireless Branch Controller Deployment Guide
FlexConnect Architecture
Advantages of Distributing Client Data Traffic
•No operational downtime (survivability) against complete WAN link failures or controller
unavailability.
•Mobility resiliency within branch during WAN link failures.
•Increase in branch scalability. Supports branch size that can scale up to 100 APs and 250,000 square
feet (5000 sq. feet per AP).
The Cisco FlexConnect solution also supports Central Client Data Traffic, but it is limited to Guest data
traffic only. This next table describes the restrictions on WLAN L2 security types only for non-guest
clients whose data traffic is also switched centrally at the Data Center.
Note These authentication restrictions do not apply to clients whose data traffic is distributed at the
branch.
Table 1 L2 Security Support for Centrally Switched Non-Guest Users
WLAN L2 Security Type Result
None N/A Allowed
WPA + WPA2 802.1x Allowed
CCKM Allowed
802.1x + CCKM Allowed
PSK Allowed
802.1x WEP Allowed
Static WEP WEP Allowed
WEP + 802.1x WEP Allowed
CKIP - Allowed
Table 2 L3 Security Support for Centrally and Locally Switched Users
WLAN L3 Security Type Result
Web Authentication Internal Allowed
External Allowed
Customized Allowed
Web Pass-Through Internal Allowed
External Allowed
Customized Allowed
Conditional Web
Redirect
External Allowed
Splash Page Web
Redirect
External Allowed
10
Flex 7500 Wireless Branch Controller Deployment Guide
FlexConnect Architecture
For more information on Flexconnect external webauth deployment, please refer to Flexconnect External
WebAuth Deployment Guide
For more information on HREAP/FlexConnect AP states and data traffic switching options, refer to
Configuring FlexConnect.
FlexConnect Modes of Operation
For more information on FlexConnect Theory of Operations, refer to the H-Reap/FlexConnect Design
and Deployment Guide.
WAN Requirements
FlexConnect APs are deployed at the Branch site and managed from the Data Center over a WAN link.
The maximum transmission unit (MTU) must be at least 500 bytes.
FlexConnect Mode Description
Connected A FlexConnect is said to be in Connected Mode
when its CAPWAP control plane back to the
controller is up and operational, meaning the
WAN link is not down.
Standalone Standalone mode is specified as the operational
state the FlexConnect enters when it no longer has
the connectivity back to the controller.
FlexConnect APs in Standalone mode will
continue to function with last known
configuration, even in the event of power failure
and WLC or WAN failure.
Deployment
Type
WAN
Bandwidth
(Min)
WAN RTT
Latency
(Max)
Max APs per
Branch
Max Clients
per Branch
Data 64 Kbps 300 ms 5 25
Data 640 Kbps 300 ms 50 1000
Data 1.44Mbps 1 sec 50 1000
Data + Voice 128 Kbps 100 ms 5 25
Data + Voice 1.44Mbps 100 ms 50 1000
Monitor 64 Kbps 2 sec 5 N/A
Monitor 640 Kbps 2 sec 50 N/A
11
Flex 7500 Wireless Branch Controller Deployment Guide
Wireless Branch Network Design
Note It is highly recommended that the minimum bandwidth restriction remains 12.8 Kbps per AP
with the round trip latency no greater than 300 ms for data deployments and 100 ms for data +
voice deployments.
For large deployments with scale for max APs per branch = 100 and max clients per branch = 2000.
Key Features
Adaptive wIPS, Context Aware (RFIDs), Rogue Detection, Clients with central 802.1X auth and
CleanAir.
Test Results
For 100 APs, 2000 Clients, 1000 RFIDs, 500 Rogue APs, and 2500 Rogue Clients (Features above
turned on):
Recommended BW = 1.54 Mbps
Recommended RTT latency = 400 ms
Test Results
For 100 APs, 2000 Clients, no rogue, and no RFIDs. (Features above turned off).
Recommended BW = 1.024 Mbps
Recommended Latency = 300 ms
Wireless Branch Network Design
The rest of this document highlights the guidelines and describes the best practices for implementing
secured distributed branch networks. FlexConnect architecture is recommended for wireless branch
networks that meet these design requirements.
Primary Design Requirements
•Branch size that can scale up to 100 APs and 250,000 square feet (5000 sq. feet per AP)
•Central management and troubleshooting
•No operational downtime
•Client-based traffic segmentation
•Seamless and secured wireless connectivity to corporate resources
•PCI compliant
•Support for guests
12
Flex 7500 Wireless Branch Controller Deployment Guide
Features Addressing Branch Network Design
Figure 6 Wireless Branch Network Design
Overview
Branch customers find it increasingly difficult and expensive to deliver full-featured scalable and secure
network services across geographic locations. In order to support customers, Cisco is addressing these
challenges by introducing the Flex 7500.
The Flex 7500 solution virtualizes the complex security, management, configuration, and
troubleshooting operations within the data center and then transparently extends those services to each
branch. Deployments using Flex 7500 are easier for IT to set up, manage and, most importantly, scale.
Advantages
•Increase scalability with 6000 AP support.
•Increased resiliency using FlexConnect Fault Tolerance.
•Increase segmentation of traffic using FlexConnect (Central and Local Switching).
•Ease of management by replicating store designs using AP groups and FlexConnect groups.
Features Addressing Branch Network Design
The rest of the sections in the guide captures feature usage and recommendations to realize the network
design shown in Figure 6.
13
Flex 7500 Wireless Branch Controller Deployment Guide
Features Addressing Branch Network Design
Note Flexconnect APs implemented with WIPS mode can increase bandwidth utilization significantly
based on the activity being detected by the APs. If the rules have forensics enabled, the link
utilization can go up by almost 100 Kbps on an average.
Ta b l e 3 F e a t u re s
Primary Features Highlights
AP Groups Provides operational/management
ease when handling multiple branch
sites. Also, gives the flexibility of
replicating configurations for similar
branch sites.
FlexConnect Groups FlexConnect Groups provide the
functionality of Local Backup
Radius, CCKM/OKC fast roaming,
and Local Authentication.
Fault Tolerance Improves the wireless branch
resiliency and provides no
operational downtime.
ELM (Enhanced
Local Mode for
Adaptive wIPS)
Provide Adaptive wIPS functionality
when serving clients without any
impact to client performance.
Client Limit per
WLAN
Limiting total guest clients on branch
network.
AP Pre-image
Download
Reduces downtime when upgrading
your branch.
Auto-convert APs in
FlexConnect
Functionality to automatically
convert APs in FlexConnect for your
branch.
Guest Access Continue existing Cisco’s Guest
Access Architecture with
FlexConnect.
14
Flex 7500 Wireless Branch Controller Deployment Guide
IPv6 Support Matrix
IPv6 Support Matrix
Feature Matrix
Refer to FlexConnect Feature Matrix for a feature matrix for the FlexConnect feature.
AP Groups
After creating WLANs on the controller, you can selectively publish them (using access point groups)
to different access points in order to better manage your wireless network. In a typical deployment, all
users on a WLAN are mapped to a single interface on the controller. Therefore, all users associated with
that WLAN are on the same subnet or VLAN. However, you can choose to distribute the load among
several interfaces or to a group of users based on specific criteria such as individual departments (such
as Marketing, Engineering or Operations) by creating access point groups. Additionally, these access
point groups can be configured in separate VLANs to simplify network administration.
This document uses AP groups to simplify network administration when managing multiple stores
across geographic locations. For operational ease, the document creates one AP-group per store to
satisfy these requirements:
•Centrally Switched SSID Data center across all stores for Local Store Manager administrative
access.
•Locally Switched SSID Store with different WPA2-PSK keys across all stores for hand-held
scanners.
Features Centrally Switched Locally Switched
5500/
WiSM-2/8500
Flex 7500 5500 /
WiSM-2/8500
Flex 7500
IPv6 (Client
Mobility)
Supported Not Supported Not Supported Not Supported
IPv6 RA guard Supported Supported Supported Supported
IPv6 DHCP
guard
Supported Not Supported Not Supported Not Supported
IPv6 Source
guard
Supported Not Supported Not Supported Not Supported
RA throttling/
Rate limit
Supported Not Supported Not Supported Not Supported
IPv6 ACL Supported Not Supported Not Supported Not Supported
IPv6 Client
Visibility
Supported Not Supported Not Supported Not Supported
IPv6 Neighbor
discovery
caching
Supported Not Supported Not Supported Not Supported
IPv6 Bridging Supported Not Supported Supported Supported
15
Flex 7500 Wireless Branch Controller Deployment Guide
AP Groups
Figure 7 Wireless Network Design Reference Using AP Groups
Configurations from WLC
Complete the following steps:
Step 1 On the WLANs > New page, enter Store1 in the Profile Name field, enter store in the SSID field, and
choose 17 from the ID drop-down list.
Note WLAN IDs 1-16 are part of the default group and cannot be deleted. In order to satisfy our
requirement of using same SSID store per store with a different WPA2-PSK, you need to use
WLAN ID 17 and beyond because these are not part of the default group and can be limited to
each store.
Step 2 Under WLAN > Security, choose PSK from the Auth Key Mgmt drop-down list, choose ASCII from
the PSK Format drop-down list, and click Apply.
16
Flex 7500 Wireless Branch Controller Deployment Guide
AP Groups
Step 3 Click WLAN > General, verify the Security Policies change, and check the Status box to enable the
WLAN.
Step 4 Repeat steps 1, 2 and 3 for new WLAN profile Store2, with SSID as store and ID as 18.
17
Flex 7500 Wireless Branch Controller Deployment Guide
AP Groups
Step 5 Create and enable the WLAN profile with Profile Name DataCenter, SSID DataCenter and ID 1.
Note On creation, WLAN IDs from 1-16 are automatically part of the default-ap-group.
Step 6 Under WLAN, verify the status of WLAN IDs 1, 17 and 18.
Step 7 Click WLAN > Advanced > AP group > Add Group.
Step 8 Add AP Group Name as Store1, same as WLAN profile Store1, and Description as the Location of the
Store. In this example, California is used as the location of the store.
Step 9 Click Add when done.
Step 10 Click Add Group and create the AP Group Name as Store2 and the description as New York.
Step 11 Click Add.
18
Flex 7500 Wireless Branch Controller Deployment Guide
AP Groups
Step 12 Verify the group creation by navigating to WLAN > Advanced > AP Groups.
Step 13 Click AP Group Name Store1 to add or edit the WLAN.
Step 14 Click Add New to select the WLAN.
Step 15 Under WLAN, from the WLAN SSID drop-down, choose WLAN ID 17 store(17).
Step 16 Click Add after WLAN ID 17 is selected.
Step 17 Repeat steps (14 -16) for WLAN ID 1 DataCenter(1). This step is optional and needed only if you want
to allow Remote Resource access.
Step 18 Go back to the WLAN > Advanced > AP Groups screen.
Step 19 Click AP Group Name Store2 to add or edit WLAN.
Step 20 Click Add New to select the WLAN.
Step 21 Under WLAN, from WLAN SSID drop-down, choose WLAN ID 18 store(18).
Step 22 Click Add after WLAN ID 18 is selected.
Step 23 Repeat steps 14 -16 for WLAN ID 1 DataCenter(1).
19
Flex 7500 Wireless Branch Controller Deployment Guide
AP Groups
Note Adding multiple WLAN profiles with the same SSID under a single AP group is not permitted.
Note Adding APs to the AP group is not captured in this document, but it is needed for clients to
access network services.
Summary
•AP groups simplify network administration.
•Troubleshooting ease with per branch granularity
•Increased flexibility
20
Flex 7500 Wireless Branch Controller Deployment Guide
FlexConnect Groups
FlexConnect Groups
Figure 8 Central Dot1X Authentication (Flex 7500 Acting as Authenticator)
In most typical branch deployments, it is easy to foresee that client 802.1X authentication takes place
centrally at the Data Center as shown in Figure 8. Because the above scenario is perfectly valid, it raises
these concerns:
•How can wireless clients perform 802.1X authentication and access Data Center services if Flex
7500 fails?
•How can wireless clients perform 802.1X authentication if WAN link between Branch and Data
Center fails?
•Is there any impact on branch mobility during WAN failures?
•Does the FlexConnect Solution provide no operational branch downtime?
FlexConnect Group is primarily designed and should be created to address these challenges. In addition,
it eases organizing each branch site, because all the FlexConnect access points of each branch site are
part of a single FlexConnect Group.
Note FlexConnect Groups are not analogous to AP Groups.
Primary Objectives of FlexConnect Groups
Backup RADIUS Server Failover
You can configure the controller to allow a FlexConnect access point in standalone mode to perform full
802.1X authentication to a backup RADIUS server. In order to increase the resiliency of the branch,
administrators can configure a primary backup RADIUS server or both a primary and secondary backup
RADIUS server. These servers are used only when the FlexConnect access point is not connected to the
controller.
Note Backup RADIUS accounting is not supported.
Other manuals for Flex 7500 Series
1
Other Cisco Controllers manuals
Cisco
Cisco Catalyst 9800-80 User manual
Cisco
Cisco Catalyst 8500 Series Quick reference guide
Cisco
Cisco 8540 - Catalyst Campus Switch Router Modular Expansion... User manual
Cisco
Cisco SFS 3504 User manual
Cisco
Cisco 521G - Unified IP Phone VoIP User manual
Cisco
Cisco CSC-MEC User manual
Cisco
Cisco CS-MARS-20-K9 - Security MARS 20 User manual
Cisco
Cisco 5520 User manual
Cisco
Cisco AIR-WLC4402-50-K9 Operator's manual
Cisco
Cisco CLG-8202-SEC User manual
Cisco
Cisco Webex Room CE9.15 User manual
Cisco
Cisco Firepower 4100 Series User manual
Cisco
Cisco 5520 User manual
Cisco
Cisco 2100 Series User manual
Cisco
Cisco 2505 User manual
Cisco
Cisco Catalyst 9800-40 Instruction Manual
Cisco
Cisco 5520 Quick reference guide
Cisco
Cisco Cisco mds 9216 - fabric switch User manual
Cisco
Cisco OL-8335-02 User manual
Cisco
Cisco WS-C5008B - Power Supply - 1100 Watt User manual
