Cisco Secure Remote Work Solutions for Network Connectivity Solution Overview

Updated: May 5, 2020


Overview

Five connectivity options for working remotely

The way we live and work is changing. As a result, you and your colleagues might find yourselves working remotely from a home office, micro office, or micro branch that wasn’t designed or set up with workplace applications and security in mind. Your network plays a crucial role in keeping your business going. Cisco recognizes this challenge and has solutions to enable you and your employees to safely and securely work remotely, with fast and reliable connectivity leveraging your existing inventory of Cisco® Aironet® or Cisco Catalyst® Wi-Fi access points, Cisco Meraki® cloud-managed infrastructure, or Cisco Integrated Services Routers.

Benefits

      Securely and reliably extend your corporate network into the home or micro branch

      Rapid deployment by leveraging existing inventory

      Flexibility to use wired or wireless connectivity for remote work solutions

Remote Network Access using Wi-Fi

Cisco access points in OfficeExtend mode

You can quickly set up a secure Wi-Fi connection for work from home or micro office connectivity using any Cisco Catalyst or Aironet access point functioning in OfficeExtend mode. If you have existing inventory of these products, they can be deployed to provide a secure remote office or micro branch connection. Access points dating back three generations are compatible. Additionally, any controller (virtual or physical) can be used to create a secure tunnel, or you can use a dedicated controller set up in the Demilitarized Zone (DMZ).

Using Cisco access points configured in OfficeExtend mode, an employee at home or small group of employees in a micro branch will have access to the corporate Service Set Identifier (SSID) and your corporate network, without having to set up a VPN. This simple and secure connection is easy to set up, even for non-technical employees.

Cisco Meraki MR wireless access points

A second option for Wi-Fi connectivity is the Cisco Meraki teleworker access point (MR). The MR access points can securely extend your corporate network into your home or a micro branch. Perform Layer 7 traffic shaping to help ensure the performance of high-priority applications such as Office 365, VoIP telephony, and Cisco WebEx®. Meraki Systems Manager keeps devices secure when they are off the network and assists in the rapid deployment of Cisco security offerings. This option includes central cloud management for remote troubleshooting, control, support, and real-time reporting.

Remote Network Access using WAN

Cisco Virtual Office (CVO)

You can also set up a connection from home or another remote location, without the need for onsite provisioning, using a Cisco Integrated Services Router (ISR) with a Cisco Virtual Office (CVO) license enabled.

Cisco Micro Branch

For micro branch environments, such as pop-up healthcare facilities where network connectivity is not yet available, a Cisco ISR can offer both embedded Wi-Fi and advanced LTE/cellular options to expand WAN coverage and enable backhauling over cellular, as well as backup and failover connectivity and active-active configurations. This connectivity option offers the most robust capabilities, is SD-WAN ready, and can serve many other purposes for both today’s challenges and those in the future.

Cisco Meraki Zero Touch Teleworker

Finally, Meraki provides an option for connectivity using Meraki appliances (MX, Z) that can securely extend your corporate network into your home or micro branch. Coupled with software-only Meraki Insight, IT administrators can proactively monitor the performance of cloud-based applications (Cisco WebEx, Office 365, G-Suite, etc.) as well as consumer-grade home broadband links. Meraki Systems Manager keeps devices secure when they are off the network and assists in rapid deployment of Cisco security offerings. This option includes central cloud management for control, support, and real-time reporting.

Making the connection

Solution

To deploy Remote Network Access using Wi-Fi with Cisco OfficeExtend access points, you will need an Internet connection (at the office where the Wireless LAN Controller [WLC] is deployed) and a home internet connection.

In an office environment, you can use:

      Virtual: Cisco Catalyst 9800-CL Wireless Controller for Cloud (free download)

      Cisco IOS® XE: Cisco Catalyst 9800-L, 9800-40, or 9800-80

      AireOS: Cisco 2504, 3504, 5500 Series, or 8500 Series Wireless Controllers

Notes:

      Can be any AireOS WLC: 3504, 5520, 8540, or even older 5508 or 8510 running AireOS 8.5 or later

      Cisco Catalyst 9800 Series appliance or 9800-CL in private cloud (OEAP mode supported)

      AireOS virtual WLC (vWLC) does not support OEAP

In the home, you can use:

      802.11ac/ax: Cisco Catalyst 9100 Access Points

      802.11ac Wave 2: Cisco Aironet 1800, 2800, 3800, or 4800 Series Access Points

      802.11ac Wave 1: Cisco Aironet 1700, 2700, or 3700 Series Access Points

      802.11n: Cisco Aironet 1600, 2600, or 3600 Series Access Points

Notes:

      Purpose-built 1815t teleworker access point: AireOS 8.5 and later; also Cisco IOS XE. Recommended versions are 8.5.161.0 to 8.10.112.0, 17.2

      Any Aironet 802.11n access point – 1600, 2600, or 3600 Series: AireOS 7.4 to 8.5. Not on Cisco IOS XE

      802.11ac Wave 1 access points – 1700, 2700, or 3700 Series: AireOS 8.3 and later; also Cisco IOS XE. Recommended versions are 8.5.161.0 to 8.10.112.0, 17.2

      802.11ac Wave 2 access points – 1800, 2800, or 3800 Series: AireOS 8.3 and later; also Cisco IOS XE. Recommended versions are 8.5.161.0 to 8.10.112.0, 17.2

      802.11ax access points – Cisco Catalyst 9115AX, 9117AX, 9120AX, 9130AX: AireOS 8.10 and later; also Cisco IOS XE. Recommended versions are 8.5.161.0 to 8.10.112.0, 17.2

Solution

For Remote Network Access using Wi-Fi with Cisco Meraki MR wireless access points, you’ll need a headend internet connection in the data center and a home internet connection.

In the data center/HQ, you will need:

      Support for full IP phone, wireless, data, and video services over an encrypted VPN

      Cloud-management license with zero-touch deployment and management

      Licenses: Enterprise or Security license for Meraki MX, depending on the model

      VPN headend: Meraki MX security and SD-WAN appliance

In the virtual office, you will need:

      Cisco Meraki MR wireless access point

    Recommended models are MR33, MR36, and MR42

      License needed: Cisco Meraki MR Series Enterprise or Advanced

Solution

For Remote Network Access using WAN with Cisco Virtual Office, you’ll need a headend internet connection in the data center and a home internet connection.

In the data center, you will need:

      Support for full IP phone, wireless, data, and video services over an encrypted VPN

    Cisco Virtual Office controllers with zero-touch deployment and management

    Licenses: CVO-1100-4P-CFG, CVO-1100-8P-CFG

    VPN headend: Cisco 4000 Series ISR for secure device provisioning, Cisco ASR 1000 Series

In the virtual office, you will need:

      Cisco Virtual Office (CVO) router with wireless:

    SD-WAN-ready Cisco 1000 Series ISR: C1121-8PLTEPW, C1111-4PW, C1111-8PW, C1117-4PW

    Security license for Cisco Virtual Office deployment to enable zone-based firewall, EasyVPN, and Dynamic Multipoint VPN (DMVPN) capabilities

Solution

To deploy Remote Network Access using WAN with Cisco Micro Branch, you’ll need a headend internet connection in the data center or headquarters and a home internet connection.

In the data center, you will need:

      Support for full IP phone, wireless, data, and video services over an encrypted VPN (Cisco ASR 1000 Series)

In the micro branch, you will need:

      Cisco remote office router with integrated wireless:

    SD-WAN-ready Cisco 1000 Series ISR: C1121-8PLTEPW, C1111-4PW, C1111-8PW, C1117-4PW

      Cellular options for failover, backhaul

    Modules: P-LTEAP18-GL, P-LTEA-EA, P-LTE

Solution

To deploy Remote Network Access using WAN with Cisco Meraki Zero Touch Teleworker with MX or Z3 appliances, you’ll need a headend internet connection in the data center or headquarters and a home internet connection.

In the data center/HQ, you will need:

      VPN headend: Cisco Meraki MX security and SD-WAN appliance

      License needed: Cisco Meraki MX Enterprise or Advanced Security with zero-touch deployment and management

In the home office, you will need:

      Cisco Meraki MX security and SD-WAN appliance or Z3 Teleworker Gateway:

      Suggested MX appliance models are MX64W, MX67W, MX68W, or MX68CW

      License needed: Cisco Meraki MX Enterprise or Advanced Security with true zero-touch deployment and management

      Recommended optional license: Cisco Meraki Insight with proactive cloud application and WAN monitoring and troubleshooting

      Suggested Z3 teleworker gateway models are Z3 or Z3C

      License needed: Cisco Meraki Enterprise with true zero-touch deployment and management

      Recommended optional license: Cisco Meraki Insight with proactive cloud application and WAN monitoring and troubleshooting

To get started, we have provided the following section on configuration information and additional resource links:

Solution

Configuring Cisco OfficeExtend access points

      Cisco Aironet Wireless LAN Controllers (WLC) require a publicly routable IP address so that remote access points can reach the WLC from their home network (the WLC can be in the DMZ)

      That public IP can be added as a NAT IP on the WLC management interface

      Some ports, such as those for CAPWAP and RADIUS, need to be open on the firewall, because OfficeExtend Access Point (OEAP) controllers located in the DMZ need to communicate using a number of services such as RADIUS, TACACS+, NTP, FTP, and CAPWAP

      For non-OEAP access point models (e.g., Series 1600, 2600, 3600, 2700, 3700, 3800, 4800, etc.), the administrator needs to change the AP mode to FlexConnect and then enable the OEAP option

      Pre-configure the OEAPs to join the WLC (i.e., configure each OEAP with the WLC management public IP address)
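
The firewall requirement above can be checked mechanically. The following added example (not Cisco code and not part of the original page) audits a constructed rule list for a DMZ controller against the services the page lists. The default port numbers, the rule format, the DMZ and internal addresses, and the premise that only CAPWAP needs to be reachable from the internet are assumptions.

```python
from ipaddress import ip_address, ip_network

WLC_PUBLIC = "128.107.234.5"  # example NAT IP address from the page
WLC_DMZ = "10.10.10.5"        # constructed: controller's own DMZ address
AAA_HOST = "10.20.0.10"       # constructed: internal RADIUS/TACACS+/NTP/FTP host
REMOTE_AP = "203.0.113.10"    # constructed: public address of a home AP

# Services named on the page: (protocol, default port, initiated by remote AP?)
SERVICES = {
    "CAPWAP control": ("udp", 5246, True),
    "CAPWAP data": ("udp", 5247, True),
    "RADIUS auth": ("udp", 1812, False),
    "RADIUS acct": ("udp", 1813, False),
    "TACACS+": ("tcp", 49, False),
    "NTP": ("udp", 123, False),
    "FTP control": ("tcp", 21, False),
}

# Constructed allow rules (hypothetical format); "ports" is an inclusive range.
RULES = [
    {"name": "capwap-in", "src": "0.0.0.0/0", "dst": "128.107.234.5/32",
     "proto": "udp", "ports": (5246, 5247)},
    {"name": "mgmt-in", "src": "0.0.0.0/0", "dst": "128.107.234.5/32",
     "proto": "tcp", "ports": (443, 443)},
    {"name": "radius", "src": "10.10.10.5/32", "dst": "10.20.0.0/24",
     "proto": "udp", "ports": (1812, 1813)},
    {"name": "ntp", "src": "10.10.10.5/32", "dst": "10.20.0.0/24",
     "proto": "udp", "ports": (123, 123)},
]

def permits(rule, proto, port, src, dst):
    lo, hi = rule["ports"]
    return (rule["proto"] == proto and lo <= port <= hi
            and ip_address(src) in ip_network(rule["src"])
            and ip_address(dst) in ip_network(rule["dst"]))

def audit(rules):
    """Return (services with no allow rule, internet rules wider than CAPWAP)."""
    missing = []
    for name, (proto, port, from_ap) in SERVICES.items():
        src, dst = (REMOTE_AP, WLC_PUBLIC) if from_ap else (WLC_DMZ, AAA_HOST)
        if not any(permits(r, proto, port, src, dst) for r in rules):
            missing.append(name)
    too_broad = []
    for r in rules:
        lo, hi = r["ports"]
        from_internet = ip_network(r["src"]).prefixlen == 0
        to_wlc = ip_address(WLC_PUBLIC) in ip_network(r["dst"])
        capwap_only = r["proto"] == "udp" and 5246 <= lo and hi <= 5247
        if from_internet and to_wlc and not capwap_only:
            too_broad.append(r["name"])
    return missing, too_broad
```

On the constructed rules, `audit(RULES)` reports TACACS+ and FTP as unreachable from the controller and flags `mgmt-in` as an internet-facing rule that exposes more than CAPWAP.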

Configure AireOS Wireless LAN Controller

Step 1: Set up either a physical or virtual controller to be used in the DMZ

Step 2: Configure Management

In Controller > Interfaces, click the management interface

Step 3: Select Enable NAT Address

Step 4: In the NAT IP Address box, enter the publicly reachable IP address, and then click Apply. (Example: 128.107.234.5)


Prime Access Point: Configuring AP mode to OEAP

Step 1: Have all access points join a WLC first so that they are connected and have the latest code

Step 2: From WIRELESS > All access points, select the access points that need to be converted to OEAP

Step 3: On the General tab, change the access point mode to FlexConnect

Step 4: Then go to FlexConnect > OfficeExtend access points and enable OfficeExtend access point by checking the box

Step 5: Configure high availability by providing the WLC name and IP address in the Primary Controller option, and then click Apply

The administrator can now remove the access point and give it to the remote worker, who connects it to the home router

Note: Verify which access points are being sent to employees. Most APs use an AC adapter, but some access points might require a power injector or Power over Ethernet (PoE) to power up.


Configure Cisco 9800 Wireless LAN Controller

Step 1: Set up the virtual controller to be used in the “Demilitarized Zone” (DMZ)

Step 2: If a publicly reachable IP address is not assigned directly to the controller, enter the NAT IP address by going to Configuration → Interface → Wireless (GUI option on 17.1.1) or using the CLI under the wireless management interface configuration

Step 3: Configure the WLAN and policy for the wireless network that will be extended to the remote user (the example is based on 802.1X)

Step 4: Navigate to Configuration → Tags & Profiles → Flex and modify the default-flex-profile (or create a new one) to enable OfficeExtend Access Points

Step 5: Go to Configuration → Tags & Profiles → AP Join to edit the default-ap-profile (or create a new one) and, under the CAPWAP Advanced parameters, make sure that Enable Data Encryption is enabled to secure the traffic traversing the internet

Step 6: Go to Configuration → Tags & Profiles → Tags to edit the default-site-tag (or create a new one) that is mapped to the Flex Profile from the previous step. Make sure that Enable Local Site is unchecked.


Solution

Cisco Virtual Office and Cisco Micro Branch

Cisco ISR 1000 Series Router Datasheet

Cisco Cellular WAN Datasheet

Cisco ISR 1000 Series Router Configuration Guides

Cisco SD-WAN Ordering Guide

Step-by-step guide to setting up a pop-up Cisco ISR 1000 Series router single box LTE/WiFi hotspot solution


Solution

Cisco Virtual Office (CVO) only

Cisco Virtual Office

Call to action

Cisco is providing offers to help with this transition. All of these offers can be found here.

For further information and support you can reach out to your Cisco account team.

Useful Links

OfficeExtend Access Point Configuration Guide (AireOS 8.5)

OfficeExtend Access Point Configuration Guide (AireOS 8.8)

OfficeExtend Access Point Cisco Validated Design

OfficeExtend Access Point Aironet 1815t Series Deployment Guide

OfficeExtend Access Point Wireless Solutions Software Compatibility Matrix
