Which deployment option does the cisco 9800 cloud wireless controller for a private cloud support?
The Bring Your Own License (BYOL) version of next generation wireless controller (C9800-CL-K9) combines the advantages and flexibility of an AWS public cloud with the customization and features richness customers usually get with on-prem deployments. As part of Cisco's Cloud portfolio, the Catalyst 9800-CL Wireless Controller delivers high-speed always-on and secure wireless services with differentiating features
like Zero Touch AP provisioning, High Availability, Application Visibility & Control, and more. The C9800-CL-K9 AMI runs a modern Operation System, open Cisco IOS XE Software, that support model-driven programmability, streaming telemetry, and patching. Cisco Catalyst 9800-CL Wireless Controller supports the following deployment scenario in this release: the wireless controller is available in AWS Virtual Private Network (VPC) connected to the customer enterprise network via a managed VPN.
The VPN can be terminated either on the AWS Gateway Router or on a Cisco CSR. The deployment mode is Flex Central Authentication and Local Switching for IPv4 and IPv6 clients with fall back to Local Authentication. Learn more about Cisco's cloud portfolio: https://www.cisco.com/c/en/us/solutions/cloud/overview.html Operating System Linux/Unix, Other Cisco IOS XE Delivery
Methods Pricing InformationUsage InformationSupport InformationCustomer ReviewsCisco Catalyst 9800 Wireless Controller for Cloud on Microsoft Azure Deployment Guide Table of Contents Overview Integration with Azure Marketplace Required Resources MS Azure Deployment Section 0: Azure Deployment Workflow Section 1: Create Resource Group Section 2: Create Azure Virtual Network Section 3: Create Network Security Group (for Azure Virtual Machine Only) Section 4: Managed VPN 4.1 Create Virtual Network Gateway 4.2 Create Local Network Gateway 4.3 Add Connection 4.4 Download configuration and apply to router Section 5: Deploy the Catalyst 9800-CL Instance in Microsoft Azure 5.1 Deploy Catalyst 9800-CL Instance by Azure Virtual Machine 5.2 Deploy Catalyst 9800-CL Instance by Azure Application Section 6: Enable Public IP for AP to onboard OverviewThe IOS XE based Cisco Cloud Wireless LAN Controller sets the standard for Infrastructure as a Service (IaaS) secure wireless network services in the Microsoft Azure cloud, bringing the world's most popular networking wireless platform to Azure. The Public Cloud model chosen for the Cisco Catalyst 9800 for Cloud is Infrastructure as a Service (IaaS). In this model, the Public Cloud vendor provides the networking, computing, and security infrastructure while the customer fully manages the C9800-CL virtual machine in the cloud. There are many advantages in adopting Public Cloud, let’s list the ones that are most significant for the Catalyst 9800: · Agility: it takes a few minutes to spawn a C9800 instance in Azure. This makes it easy to quickly launch a wireless controller to test some new feature or functionality and terminate it when done. · Scalability: There are no physical limits in the public cloud, so new instances can be added as the requirements for additional APs or clients increase · Global footprint: This is important for latency but also for security and privacy policies. The public cloud providers have a global footprint so from any location that APs installed to reach a C9800-CL in the cloud with a lower latency. Some customers have a strict security policy dictating that user data and traffic need to stay within the region; the public cloud providers have a Data Center in every geographical region. · Cost effectiveness: reduce data center footprint and infrastructure costs. Shift from a capital expenditure (buying up front) model to an operational expenditure model. Integration with Azure MarketplaceOn Azure’s Marketplace, there are multiple types of offerings for any given product. Only 2 options are applicable for C9800-CL to keep it consistent with AWS and GCP. 1. Azure Virtual Machine: Cisco provides only the image to the user, and it is up to the user to configure the VM as per the data sheet. 2. Azure Application: “Azure application” allows us to support automating the deployment and configuration of a solution beyond a single virtual machine (VM). It can simplify the process of providing multiple resources, including VMs, networking, and storage resources to provide complex solutions. Required ResourcesLike AWS and GCP, Cisco support the following template. Users will be able to choose the scale when launching via marketplace. For more details on required resources and scale information, please visit Datasheet here MS Azure DeploymentSection 0: Azure Deployment WorkflowAbove is an example of Cisco Catalyst 9800 Wireless Controller Deployment in Azure. Please look at this workflow below that will help better understand and build up the deployment. Section 1: Create Resource GroupStep1: On MS Azure Home Page, Search for resource groups and Click on the result. Click on “Create”. Step2: 1. Select a subscription. 2. Give a name to the new resource group. 3. Select the region for the resource group. Section 2: Create Azure Virtual NetworkStep 1: On MS Azure Home Page, Search for Virtual networks and click on the search result. And then click on “Create” Step2: 1. Select the resource group that just created. 2. Give a name to the Virtual network 3. Select a region for the deployment. Step 3: 1. Click on “IP Address” 2. Enter the IPv4 address space for the Virtual network 3. Add subnets to the IPv4 address space Note: The Virtual Ip address space and subnet should be different from the Campus network. Note: The IPv4 address space and subnet are in CIDR notation e.g., 10.1.1.0/24 Step 3: Click on “Security”, leave the following in default:
Click on “Review + create” and review the configuration and click on “Create”. Section 3: Create Network Security Group (for Azure Virtual Machine Only)Note: This step is for deploying with Azure Virtual Machine only. If deploying with Azure Application, a network security group will be automatically generated by the preconfigured template in its resource group, it is not needed to create a new one here. Step1: On the Search bar, Search for “Network Security Group” and click on the search result. Step2: Click on “Create” and then: 1. Choose the resource group just created. 2. Give a name to the network security group. 3. Select current region for the deployment. Click on “Review Create” and “Create”. Step3: Add inbound rule Go back to Network Security Group page and click on the security group just created. On the left menu click on “Inbound Security Rules” Click on “add” 1. Add typical ports that are needed for the traffic going into the instance. For Security reason, only allow ports are needed based on the network architect. Below is a list of ports with corresponding protocol that Cisco Catalyst 9800-CL is normally used. 2. Give priority to this rule, rules are processed with priority order. The lower priority number is, the higher priority it has. 3. Give a name to this rule. Repeat this process until all the rules have been added to the inbound rule. Outbound Rules will be by default allow all. There is no requirement to change the default outbound rules. Section 4: Managed VPNNote: From 17.8.1 release, onboarding through public IP for APs is supported on all public cloud platforms. Please refer to Section 6. Note: As of 17.7.1, the C9800-CL in Azure does not support use of the public IP. For AP join, the APs need to be behind a VPN. Please follow the steps below to establish a VPN connection to on-prem network. 4.1 Create Virtual Network GatewayStep1: On the top Search bar, search for “Virtual network gateways” and click on the result Step2: Click on “Create” Step3:
1. Give a name for the gateway 2. Select current region for the deployment 3. Select the virtual network that you want to associate with the gateway, in this case, it will be the subnet where the C9800-CL is going to be located. 4. A new IP address can be created here, or it is also an option to choose the existing public IP address from the drop-down menu. 5. Give a name to the public IP address (only apply for creating a new public IP address) 6. Select the Availability zone Click on “Review + create” and then “Create” 4.2 Create Local Network GatewayStep1: On the top Search bar, search for “Local Network Gateways”, and click on the search result. Step2: Click on “Create” Step3: 1. Select the resource group for the deployment. 2. Select the current region of the deployment. 3. Give a name for the Local Network Gateway 4. Enter the public facing IP address from the On-Prem router 5. Add the address spaces from your On-Prem router. Click on “Review + create” and then “Create” 4.3 Add ConnectionStep1: Go to Virtual network gateways and click on the gateway that just deployed. Step2: On the left side menu, select “Connections” and then “Add” Step3: 1. Give a name for the connection 2. Select Site-to-Site (IPsec) 3. Keep it as the current Virtual network gateway 4. Choose the local network gateway that just created 5. Give a Shared key for the connection 6. Select IKEv2 Click on “OK” on the bottom 4.4 Download configuration and apply to routerAfter the connection is deployed, you can download the configuration in the connection page. Step1: Click on “Download configuration” Step2: Download the configuration for the on-prem router. 1. Select the Device Vendor 2. Select the device family 3. Select 15.x (IKEv2) 4. Click on Download Configuration Step3: Write the downloaded configuration in the router configuration, there is also rollback script at the end of the file to delete all the configuration that applied. It will take about 5 mins for the connection to be established, the status of the connection will change to connected. For more information regarding VPN connection, please check it here. Section 5: Deploy the Catalyst 9800-CL Instance in Microsoft Azure5.1 Deploy Catalyst 9800-CL Instance by Azure Virtual MachineStep 1: Click on Marketplace, Search for “Cisco Catalyst 9800-CL Wireless Controller”. Click on the box with “Virtual Machine” Click on “Create” Step 2: Basics 1. Click on Resource Group drop down menu and choose the Resource group just created 2. Give a name to C9800-CL, this name will also be your hostname after it deployed. 3. Select the Region that the C9800-CL is going to be deployed. Region needs to be chosen as the same region of the VPN. 4. In Authentication type, there are 2 options. For SSH public key, Azure will generate an SSH key pair to for SSH connection and could be stored for future use, existing key pair could also be uploaded and stored. For Password, a pair of username/password need to be entered for remote access to the console terminal (SSH/Telnet). Click on “Next : Disk”. Step 3: Disk Leave this page on default and click on “Next : Networking” Step 4: Networking 1. Under the Virtual network drop-down menu, click on the virtual network that created in the Resource group. 2. The C9800-CL can be accessed via the public IP address, a new public IP address can be created here, or an existing public IP address can be selected from the drop-down menu. 3. Choose the network security group that was created previously in the drop-down menu. Click on “Next : Management”. Step 5: Management (Optional) It is recommended to enable the custom storage account and create a new Diagnostics storage account, for console connection access from Azure serial console feature when you lose connection with the C9800-CL. 1. Select Enable with custom storage account 2. Create new or select the existing Diagnostics storage account 3. Click on “Next : Advanced” Step 6: Advanced The IOS bootstrap config can be input in Custom data box for configuring the VM while it is being provisioned. Example format: username admin privilege 15 password 0 admin123 Click on “Review + Create” and then “Create” Step 7: Day 0 Configuration After the deployment is done, the C9800-CL can be accessed with WebUI via public IP address or Private IP address for Day 0 Configuration page, the Steps on Day 0 configurations and after are the same as deploying C9800-CL on AWS and GCP. SSH and serial console will be used for Day 1 configuration. For more information on configuration, please click here. 5.2 Deploy Catalyst 9800-CL Instance by Azure ApplicationDeploying the C9800-CL from Azure Application requires an empty resource group, it is required to create a new resource group prior the deployment process or during the deployment process, for more detail on creating resource group prior the deployment process, please check the section “MS Azure Deployment-Create Resource Group”. Step1: Click on Marketplace, Search for “Cisco Catalyst 9800-CL Wireless Controller”. Click on the box with “Azure Application” Click on “Create” Step2: Basics 1. Select the newly created empty resource group, if there is no empty resource group, click on “Create new” under the drop-down menu. 2. Select your current region 3. Give a name to the C9800-CL, it will also be the host name of the device 4. Give a login username for the C9800-CL 5. In Authentication type, there are 2 options. For SSH public key, Azure will generate an SSH key pair to for SSH connection and could be stored for future use, existing key pair could also be uploaded and stored. For Password, a pair of username/password need to be entered for remote access to the console terminal (SSH/Telnet). In the username bar, give it an administrator username for C9800-CL 6. Give a login password for the C9800-CL 7. Confirm the password 8. Select an Image Version for the C9800-CL. Click on “Next : Cisco C9800-CL settings” Step3: Cisco C9800-CL settings 1. Select true on Boot diagnostics 2. The default size of the VM is the smallest scale, the size can be changed by clicking on “Change size” and choose between the three different sizes as shown below: 3. If there is bootstrap configuration that would like to be uploaded, select “Yes”, otherwise click on “No”. 4. Diagnostics Storage account is recommended, it is for connecting and screening the serial console. A new Diagnostic account can be created here. 5. The C9800-CL can be accessed via the public IP address, a new public IP address can be created here. 6. Keep it as default. 7. Select the Virtual network that maps the VPN connection that configured. 8. Select the Subnet that maps the VPN connection that configured. Click on “Review + create” and then Click on “Create” Step 4: Day 0 Configuration After the deployment is done, the C9800-CL can be accessed with WebUI via public IP address or Private IP address for Day 0 Configuration page, the Steps on Day 0 configurations and after are the same as deploying C9800-CL on AWS and GCP. SSH and serial console will be used for Day 1 configuration. For more information on configuration, please click here. Section 6: Enable Public IP for AP to onboardFrom 17.8.1 release, onboarding through public IP for APs is supported on public cloud. Please upgrade the image to 17.8.1 before performing the following feature. Step1: Enable public Discovery in AP join profile WebUI Configuration: In Main Menu, Select Configuration -> Tags & Profile -> AP join Click on the AP join Profile currently using. 1. Click on CAPWAP 2. Click on Advanced 3. Make sure Public Discovery is enabled. CLI Configuration: 1. configure terminal example: C9800-CL-VM#configure terminal 2. ap profile example: C9800-CL-VM(config)# ap profile default-ap-profile 3. capwap-discovery public example: C9800-CL-VM(config-ap-profile)# capwap-discovery public Note: If Public Discovery and Private Discovery are enabled at the same time in the AP join Profile. APs that with VPN connection will have a chance to join via public IP if it has the public IP access. To avoid this, it is needed to create a separate AP site tag and AP join profile with only Private Discovery enabled for these APs that need to be private onboarded. Step2: Add NAT-IP address on Wireless Management Interface WebUI Configuration: In the Main Menu, Select Configuration -> Interface -> Wireless Click on the current management wireless interface Edit the Wireless Management Interface NAT IPv4/IPv6 Server Address to the public IP address of the WLC. CLI Configuration: 1. configure terminal example: C9800-CL-VM#configure terminal 2. wireless management interface example: C9800-CL-VM(config)# wireless management interface GigabitEthernet1 3. public-ip example: C9800-CL-VM(config-mgmt-interface)# public-ip xxx.xxx.xxx.xxx Step3: Configure Primary base on AP console CLI configuration on AP console: 1. capwap ap primary-base example: AP# capwap ap primary-base C9800-CL xxx.xxx.xxx.xxx 2. capwap ap restart example: AP# capwap ap restart Now the AP will restart the CAPWAP process and join WLC via Public IP address How many access points are supported by embedded Catalyst 9800 Wireless Controller on c9500 switch?It supports up to 2000 access points and 32,000 clients.
What is cloud wireless controller?If you choose a cloud-controlled Wi-Fi architecture, it means you will not have to worry about running an on-premise wireless network. Your Wi-Fi network will be managed and monitored by a third-party managed services provider who will use a Wi-Fi controller to manage, monitor, and configure all access points.
What is the total throughput possible with a Cisco 9800 Series WLC?The Cisco Catalyst 9800-L Wireless Controller is an integral part of the intent-based networking portfolio. It provides support for 5-Gbps throughput and up to 250 access points and 5000 clients to help ensure high performance and scale for midmarket business-critical networks.
What is C9800 CL K9?The C9800-CL-K9 AMI runs a modern Operation System, open Cisco IOS XE Software, that support model-driven programmability, streaming telemetry, and patching.
|