
Advanced Enterprise WLAN Deployment
Damodar Banodkar, Technical Marketing Engineer
Carlos Alcantara, Consulting Systems Engineer
Karan Sheth, Sr. Technical Marketing Engineer
Patrick Croak, Consulting Systems Engineer
TECEWN-3002
Agenda
• Centralized Controller Design
• Distributed Controller Design
• WLAN Security
• 802.11ac
• Application Visibility & Services Directory
• WLAN Policy Engine & ISE 1.3 Intro
• High Density Experience (HDX)
• High Availability
• WLAN Best Practices
• Connected Mobile Experience (CMX)
Note: To learn more about Converged Access Mobility design, please sign up for BRKEWN-2022
Your Speakers Today
• Damodar Banodkar, Technical Marketing Engineer
• Carlos Alcantara, Consulting Systems Engineer
• Patrick Croak, Consulting Systems Engineer
• Karan Sheth, Technical Marketing Engineer
Agenda Timeline
Time            Topic                                                                 Who
08:00am         Session Start
08:00 – 09:30   11ac, AVC, Bonjour Services Directory, Policy Engine and ISE 1.3      Damodar Banodkar
09:30 – 10:00   Break
10:00 – 12:00   High Density Experience and Centralized Controller Design             Carlos Alcantara
12:00 – 1:00    Lunch Break
1:00 – 2:30     Distributed Controller Design and WLAN Security                       Karan Sheth
2:30 – 3:00     Break
3:00 – 5:00     Best Practices, High Availability and CMX                             Patrick Croak
5:00pm          Session End


Agenda
• Wi-Fi Evolution: 802.11ac
• AVC
• Lync SDN
• Bonjour Services Gateway
• Local Policy Engine
• ISE 1.3 Introduction
802.11ac
802.11ac – The Next Generation in WiFi

What is 802.11ac?
• Most efficient Wi-Fi standard to date
• Optimized for high bandwidth applications
• Backwards compatible with 802.11n and 802.11a
• Promise of enhanced device/client scale for higher density deployments
• Optimized for better client battery life

What Are the Features?
• Operates in the 5 GHz band only
• Wider channels and more spatial streams than 802.11n
• Data rates up to 1.3 Gbps (Wave 1) and 2.6/3.5 Gbps (Wave 2)
• Multi-User mode (Wave 2)

What to expect with 802.11ac
• Wired-like experience at higher speed, noticeably faster connectivity for the end user
• Higher density deployments enabled through clients getting on and off the network faster
• Significantly better client battery life, as client devices use the network more efficiently
• Wide selection of client devices now available with integrated 802.11ac

General thoughts – Why do I need 802.11ac?
• Need for throughput
• More need for streaming HD video in the enterprise
• Need to move large amounts of data quickly
• 802.11ac brings significant performance to the network and is the logical progression from 11b (11 Mbps), 11a/g (54 Mbps), 11n (600 Mbps), 11ac Wave 1 (1300 Mbps) and 11ac Wave 2 (1733 Mbps)
• Standards-based beamforming is now implemented in 11ac clients, but both the client and the AP must be 11ac to take advantage of it, so there is still a lot of value in ClientLink for the rest of the client population.
Note: Cisco AP-2700 & 3700 can go beyond the 11ac specification with ClientLink 3.0 and actually beamform to 3-SS 11ac clients as well as non-11ac (.11a/g/n) clients.
802.11ac Timeline of Events
For more see this URL: http://www.wi-fi.org/beacon/wi-fi-alliance/wi-fi-certified-ac-continues-to-innovate
802.11 Technology Evolution
(Figure: connect rates in Mbps by standard, year and number of spatial streams.)

Standard          Year   Connect rates (Mbps) by spatial streams
802.11            1997   2
802.11b           1999   11
802.11a/g         2003   54
802.11n           2007   65 (1SS), 300 (2SS), 450 (3SS), 600 (4SS)
802.11ac Wave 1   2013   430* (1SS), 870* (2SS), 1300* (3SS)
802.11ac Wave 2   2015   430* (1SS), 1730** (2SS), 2340** (3SS), 3500** (4SS), 6900** (8SS)

SS = Spatial Streams. Typical devices: 1SS smartphones and tablets; 2SS tablets and laptops; 3SS laptops and desktops; 4SS laptops and content delivery devices.
Ethernet uplink: Gigabit through 802.11ac Wave 1; 2 Gigabit for 802.11ac Wave 2.
*Assuming 80 MHz channel is available and suitable
**Assuming 160 MHz channel is available and suitable

Gigabit Wi-Fi - 802.11ac
• 802.11ac is the transformational technology for the Gigabit Wi-Fi Edge
• Cisco is the leader of the 802.11ac amendment for the 802.11 standard
•Supports 802.11b/g/n, 802.11a/n, and 802.11ac
• Support for Wave 1 and Wave 2 (future modules for AP3700, AP2700)
(Figure: the same rate ladder, with 802.11ac Wave 1 (2013, ≤GbE uplink) and Wave 2 (≥GbE uplink) called out; Wave 2 PHY rates at 160 MHz: 1730 Mbps 2SS, 2340 Mbps 3SS, 3500 Mbps 4SS, 6900 Mbps 8SS.)
Comparison of 802.11n vs. 802.11ac Improvements
(Figure: three axes of improvement from 11n to 11ac Wave 1. Data bits per subcarrier: 64-QAM @ r5/6 to 256-QAM @ r5/6. Bandwidth: 40 MHz to 80 MHz, with 160 MHz shown for later. Spatial streams: 4 to 8. A video accompanies this slide.)
Elements of 802.11ac – Wave 1
802.11ac (Wave 1) improvements over 802.11n
• Faster modulation: 256-QAM
• Same ability to use 1, 2 & 3 spatial streams
• Channel bonding: 20, 40 and now 80 MHz
• Beamforming standard (for .11ac clients)
• Enhanced RTS/CTS for bonded channels
• Based on the 802.11ac draft 2.0 standard

802.11ac Data Rates @ 1, 2 & 3 Spatial Streams (Wave 1) and 802.11ac rates @ 1 Spatial Stream
(Rate tables shown as figures in the original deck.)
Elements of 802.11ac – Wave 2
• Ability to use 1, 2, 3 (and now 4) spatial streams. An extra spatial stream does give you a bump in data rate @ 80 MHz: 1733 vs. 1300 Mbps
• Same channel bonding 20, 40, 80 (now 160 MHz). 1st generation Wave 2 "1K" series APs and most competitors will only support 80 MHz max.
• 11ac beamforming (was in Wave 1) now implemented. Only 11ac clients participate in .11ac beamforming (.11a/g/n clients still need ClientLink), and 11ac clients can benefit from ClientLink too.
• Multi-User MIMO (MU-MIMO) support. Happens in Wave 2 for 11ac Wave 2 clients only; no benefit for 11a/b/g/n clients or Wave 1 clients.
• Based on the IEEE 802.11ac final standard, ratified Dec 2013
Note: There are no .11ac Wave 2 Wi-Fi certified products at this time. Expect Wave 2 clients to start launching soon. Cisco starts the plug-fest process in June/July 2015. The Wave 2 certification program is estimated to start in 1H CY2016.

802.11ac Wave 2 Rates at 4 Spatial Streams (For Your Reference)
(Rate table shown as a figure in the original deck.)
Note: While 4-SS appears attractive, it is very difficult to maintain a 4-SS link, given that you cannot beamform a 4-SS signal when you only have 4 antennas. Beamforming requires N+1 antennas.
802.11n compared with 802.11ac:

                            802.11n – Today     802.11ac Wave 1 – Today   802.11ac Wave 2
Band                        2.4 GHz & 5 GHz     5 GHz                     5 GHz
MIMO                        Single User (SU)    Single User (SU)          Multi User (MU)
PHY Rate                    450 Mbps            1.3 Gbps                  2.34 Gbps – 3.5 Gbps
Channel Width               20 or 40 MHz        20, 40, 80 MHz            20, 40, 80, 80+80, 160 MHz
Modulation                  64 QAM              256 QAM                   256 QAM
Spatial Streams             3                   3                         3-4+
MAC Throughput*             270 Mbps            780 Mbps                  1.57 Gbps – 2.1 Gbps
Uplink (product specific)   GbE                 GbE                       GbE and GbE+

* Assuming a 60% MAC efficiency with highest MCS


Wireless Spectrum Management
Reforming 5 GHz to Optimize for 802.11ac
(Figure: 5 GHz band plan with the maximum transmit power per sub-band: 23 dBm, 30 dBm, 30 dBm, 36 dBm, 30 dBm.)

Wave 2 benefits – more non-overlapping channels:
• 6x 80 MHz channels (5 in Canada and Europe)
• 2x 160 MHz channels (1 in Canada)

Future 5 GHz opportunity: 5.35-5.47 GHz & 5.85-5.925 GHz spectrum liberalization

Channel Bandwidth (MHz)   Non-overlapping Channels
20                        37
40                        18
80                        9
160                       4
Understanding Channel Bonding
802.11ac introduced 80 MHz
• One method to gain significant throughput (2x or more) is to bond the channels, using more bandwidth.
• This helps 1, 2 and 3-SS clients.
• Single spatial stream clients also realize physical size and battery life benefits.
• Bonding actually blends the channels together, so you gain a small amount of extra spectrum for data use.

How Do Channels Bond in 40/80 MHz?
• The primary channel carries the beacons, SSID, etc.; the extension channel(s) are for data.
• Cisco Radio Resource Management (RRM) chooses the channels based on your choice of 40 or 80 MHz. You can also set them manually, which essentially disables RRM for that radio.
Guidelines when to use Channel Bonding
• Use 20 MHz channels
- If using voice only – or the spectrum has lots of radar activity forcing channel changes
- If you have lots of non 11n/ac capable 5 GHz clients (early .11a clients)
- If you have light/medium data requirements
- You have lots of non 11ac APs already @ 20 MHz & no plans to upgrade
• Use 40 MHz channels
- If using interactive or streaming video
- If requirements are for moderate or heavy data usage
• Use 80 MHz channels
- If using a significant amount of .11ac capable clients
- If you have lots of .11ac smart phones (1-SS) and need faster throughput
- High Definition Video streaming or other multimedia rich content applications
- Heavy data usage for high throughput - Example (CAD or medical documents)
One of the real benefits of bonding is spectrum efficiency and overall system capacity. By allowing the clients to send
and receive more data in a shorter period of time, the airwaves clear faster for other users and in some cases even
battery life on the client device increases as it spends less time in power draining transmit mode.
Comparison of 802.11n vs. 802.11ac (Wave 2) Improvements
(Figure: the same three axes as the Wave 1 comparison. Data bits per subcarrier: 64-QAM @ r5/6 to 256-QAM @ r5/6. Bandwidth: 40 MHz to 80 and 160 MHz. Spatial streams: 4 on an 11n AP to 8 on an 11ac Wave 2 AP. Plus Multi-User MIMO.)
Multi-User MIMO (MU-MIMO)
How does it work? Why is it an advantage?
Some folks like to use the analogy of a "hub" (SU-MIMO: one client served per transmit opportunity) and a "switch" (MU-MIMO: several clients served at once). It is not exactly accurate, but in MU-MIMO the AP beamforms each client's stream toward that client while nulling it toward the other clients, so several clients can decode their own downstream traffic at the same time and aggregate downstream throughput goes up.
(Figure: Single-User MIMO serves one client at a time; Multi-User MIMO serves a maximum of 3 spatial streams to different clients simultaneously.)

Multi-User MIMO (MU-MIMO)
Occurs when TxBF is able to focus the RF at a client while creating a null to the other clients.
• With TxBF we have 4 antennas and can place the signal anywhere we want.
• While TxBF is directing the signal at, say, User 1, you have to also create a null (or lower signal) for Users 2 & 3, etc.

MU-MIMO protocol advertisement
You can see some of this in the VHT Capabilities element (element ID 191). Check the Beacons/Probe Responses to see that the SU Beamformer Capable and MU Beamformer Capable bits are set and that the Number of Sounding Dimensions field is non-zero; then check for the same in the Association Responses.
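As an added example (not code from this deck or from Cisco), the following Python walks the tagged parameters of a Beacon or Probe Response, finds the VHT Capabilities element (ID 191) and applies exactly the check described above. The AP and client frames are constructed for the example; the bit positions follow the VHT Capabilities Info field layout of IEEE 802.11ac-2013, and the Number of Sounding Dimensions field encodes NUM_STS minus 1, so "non-zero" means the beamformer can sound at least two space-time streams.

```python
"""Parse the VHT Capabilities element (ID 191) and apply the MU-MIMO
beamformer check. Frames are constructed for the example, not captured."""
import struct

VHT_CAPABILITIES_ID = 191

# VHT Capabilities Info (4 bytes, little-endian): name -> (first bit, width),
# per IEEE 802.11ac-2013 clause 8.4.2.160.2.
VHT_CAP_FIELDS = {
    "max_mpdu_length": (0, 2),
    "supported_channel_width_set": (2, 2),
    "rx_ldpc": (4, 1),
    "short_gi_80": (5, 1),
    "short_gi_160": (6, 1),
    "tx_stbc": (7, 1),
    "rx_stbc": (8, 3),
    "su_beamformer": (11, 1),
    "su_beamformee": (12, 1),
    "beamformee_sts": (13, 3),        # max STS the beamformee receives in an NDP, minus 1
    "sounding_dimensions": (16, 3),   # max NUM_STS the beamformer sounds, minus 1
    "mu_beamformer": (19, 1),
    "mu_beamformee": (20, 1),
    "vht_txop_ps": (21, 1),
    "htc_vht": (22, 1),
    "max_ampdu_length_exp": (23, 3),
    "vht_link_adaptation": (26, 2),
    "rx_antenna_pattern": (28, 1),
    "tx_antenna_pattern": (29, 1),
}

def iter_elements(tagged):
    """Yield (element_id, body) from an 802.11 tagged-parameter byte string."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element %d" % eid)
        yield eid, body
        pos += 2 + length

def build_vht_caps(info_fields, rx_mcs_map, tx_mcs_map):
    """Pack the 12-byte body: Capabilities Info + Supported VHT-MCS/NSS Set
    (highest-supported-rate fields left at 0)."""
    info = 0
    for name, value in info_fields.items():
        first, width = VHT_CAP_FIELDS[name]
        if value >> width:
            raise ValueError("%s does not fit in %d bits" % (name, width))
        info |= value << first
    return struct.pack("<IHHHH", info, rx_mcs_map, 0, tx_mcs_map, 0)

def parse_vht_caps(body):
    if len(body) != 12:
        raise ValueError("VHT Capabilities element body must be 12 bytes")
    info, rx_map, _rx_rate, tx_map, _tx_rate = struct.unpack("<IHHHH", body)
    caps = {name: (info >> first) & ((1 << width) - 1)
            for name, (first, width) in VHT_CAP_FIELDS.items()}
    # MCS map: 2 bits per spatial stream 1..8; value 3 means "not supported".
    for direction, mcs_map in (("rx", rx_map), ("tx", tx_map)):
        supported = [n for n in range(1, 9) if (mcs_map >> (2 * (n - 1))) & 3 != 3]
        caps[direction + "_max_nss"] = max(supported) if supported else 0
    return caps

def vht_caps_from_frame(tagged):
    """Parsed VHT Capabilities of a frame, or None if it carries none (non-11ac)."""
    for eid, body in iter_elements(tagged):
        if eid == VHT_CAPABILITIES_ID:
            return parse_vht_caps(body)
    return None

def mu_mimo_beamformer_ready(caps):
    """SU Beamformer and MU Beamformer Capable set, Number of Sounding Dimensions
    non-zero (field is NUM_STS - 1, so > 0 means two or more streams)."""
    return bool(caps and caps["su_beamformer"] and caps["mu_beamformer"]
                and caps["sounding_dimensions"] > 0)

# Constructed 4x4 Wave 2 style AP beacon tail: SSID, Supported Rates, VHT Capabilities.
AP_VHT_BODY = build_vht_caps(
    dict(max_mpdu_length=2, rx_ldpc=1, short_gi_80=1, tx_stbc=1, rx_stbc=1,
         su_beamformer=1, su_beamformee=1, beamformee_sts=3, sounding_dimensions=3,
         mu_beamformer=1, htc_vht=1, max_ampdu_length_exp=7),
    rx_mcs_map=0xFFAA, tx_mcs_map=0xFFAA)          # MCS 0-9 on 4 streams
SAMPLE_AP_TAGGED = (b"\x00\x04corp" + b"\x01\x04\x8c\x12\x98\x24"
                    + bytes([VHT_CAPABILITIES_ID, len(AP_VHT_BODY)]) + AP_VHT_BODY)

# Constructed 1x1 client (smartphone class): beamformee only, no beamformer bits.
CLIENT_VHT_BODY = build_vht_caps(
    dict(max_mpdu_length=1, short_gi_80=1, su_beamformee=1, beamformee_sts=3,
         mu_beamformee=1, max_ampdu_length_exp=7),
    rx_mcs_map=0xFFFE, tx_mcs_map=0xFFFE)          # MCS 0-9 on 1 stream
SAMPLE_CLIENT_TAGGED = (b"\x00\x04corp"
                        + bytes([VHT_CAPABILITIES_ID, len(CLIENT_VHT_BODY)]) + CLIENT_VHT_BODY)
```

On a real capture, feed `vht_caps_from_frame` the bytes that follow the fixed Beacon/Probe Response header; a client's own capabilities are in its Association Request, and an AP announcing MU beamformer support with zero sounding dimensions is advertising something it cannot actually do.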
Important "Best Practices" for 802.11ac Wave 1 or 2
• 5.0 GHz Gigabit WLAN to leverage more and cleaner channels / spectrum
• Consistent -65 dBm RSSI to solve for data, voice, video, location, and capacity
• 10 - 20% cell overlap to optimize roaming and location calculations
• Separate SSIDs for corporate and guest access, with guest being rate limited

Wi-Fi Signal Strength - RSSI
• -65 dBm = Data, Voice, Video, Location, High Density
• -67 dBm = Data, Voice, Multicast Video, Unicast Video, Location
• -70 dBm = Data, Unicast Video
• -72 dBm = Data
• 1 access point per 2,500 square feet / every 50 feet

Cabling
• 802.11ac Wave 1: 40 MHz channel width – 1 cable for GE
• 802.11ac Wave 2: 80 to 160 MHz channel width – 2 cables for GE
• Cable category: Category 5E or better recommended
POC: Testing your 802.11ac Wi-Fi Network
Wireless spectrum (clean) – tools:
• Paid tools: Cisco Spectrum Expert
• Free tools: Chanalyzer Pro with CleanAir (Chanalyzer connecting to the WSSI module for analyzing spectrum)
Wired network: using the tools, make sure the wired network does not drop packets.
Clients: make sure clients are connected at 802.11ac rates.

Client                                                    802.11ac Capability
MacBook Pro                                               3x3
MacBook Air                                               2x2
iPhone 6                                                  1x1
iPad Air 2                                                2x2
Microsoft Surface 3                                       2x2
Samsung Galaxy S4 / S5 / S6                               1x1 / 2x2
Intel 7260/65 (Lenovo ThinkPad T440, Dell Latitude 13)    2x2

POC: Expected Results
(Figures: Client Tx Rate, Test Setup, Client Distribution.)
http://nostringsattachedshow.com/AP2700/
Cisco Aironet Indoor Access Points Portfolio
Industry's Best 802.11ac Series Access Points

1700 (Enterprise Class)
• 802.11ac Wave 1, 870 Mbps PHY
• 3x3:2SS
• CleanAir Express
• Tx Beamforming

2700 (Enterprise Class)
• 802.11ac Wave 1, 1.3 Gbps PHY
• 3x4:3SS
• HDX: High Density Experience
• CleanAir 80 MHz
• ClientLink 3.0
• Tx Beamforming
• 2 GbE ports

3700 (Mission Critical)
• 802.11ac Wave 1, 1.3 Gbps PHY
• 4x4:3SS
• HDX: High Density Experience
• CleanAir 80 MHz
• ClientLink 3.0
• StadiumVision
• Modularity: Security, 3G Small Cell or Wave 2 802.11ac
• 2 GbE ports

1850 (Best in Class, New)
• 802.11ac Wave 2, 1.7 Gbps PHY
• 4x4:4SS
• Spectrum Intelligence*
• 2 GbE ports
• USB 2.0

* Post-FCS
Cisco 1850 Series Access Point (New, AireOS 8.1 MR)
Next Generation 802.11ac Wave 2 Access Points
• Enterprise-class 4x4 MIMO 802.11ac Wave 2 access point
• Dual radio, 802.11ac Wave 2, 80 MHz
• 5 GHz: 4x4 MIMO, 4 SS SU-MIMO, 3 SS MU-MIMO
• Up to 1.7 Gbps max 5 GHz PHY
• 2x GbE and USB 2.0
• CleanAir Express
• Auto LAG
• Internal and external antenna models
Cisco Aironet Outdoor Access Points
Industry's Best 802.11n & 802.11ac Series

1530 (Base)
• Low profile, low price
• Europe: low profile; emerging SP: low price; enterprise: low profile & price
• 11n, 2x3:2
• Internal/external antennas

1550 (High-Functionality)
• Multiple models & features
• Enterprise, MSO
• DOCSIS 3.0 8x4
• 11n, 2.4 GHz: 3x3:3; 5 GHz: 2x3:2
• Internal/external antennas

1570 (Best in Class, NEW)
• High-end enterprise, MSO
• 11ac, 4x4:3
• NG-Cable: 24x8
• Internal/external antennas
• Modular: future proof
Summary
• 802.11ac Wave 1 represents a big upgrade in speed and leverages the cleaner
5GHz-band only.
• 802.11ac Wave 2 represents additional speed enhancements, but will come with
time, and that should not hinder an 802.11ac Wave 1 deployment today.
Application Visibility and Control
What is the Need for Application Visibility and Control?
• Who are the top 10 users?
• Is someone running BitTorrent and bringing down my business applications?
• What are the top 10 applications?
• Should I add more APs to enhance the capacity?
• How much traffic is BYOD generating on my network?
Application Visibility & Control
• Offering wired and wireless application insight and control
(Figure: NetFlow from ISR G2 routers, ASR routers, NAM and WLAN controllers into Cisco Prime or a third-party NetFlow collector.)

What is Application Visibility & Control on Wireless Controllers?
• NBAR2 library: deep packet inspection identifies the application
• Policy: mark (Voice, Video, Best-Effort, Background), drop ("Don't Allow") or rate-limit
• NetFlow (static template): flow export to Cisco Prime or a third-party NetFlow collector for capacity planning, compliance and troubleshooting
Available in AireOS Version 8.0

Application Visibility and Control on WLC
• Identify applications using NBAR2
• Control application behavior: mark client traffic as Voice, Video, Best-Effort or Background, drop ("Don't Allow") or rate-limit

AVC on Gen 2 FlexConnect APs
• NBAR2 (1000+ applications) will be ported onto the access points ("Katana" Gen2 AP)
• NetFlow export from the AP in the branch to the WLC across the WAN
• Real-time information for the last 90 seconds
• Stateful context transfer on roam will be supported for intra-FlexConnect-Group roams

Flow ID   App Name    Packets
1         WebEx       1000
2         Msft-Lync   2300
3         Skype       660
AVC Feature Background and Equipment Requirement

• AVC works on traffic from Cisco APs in “Local Mode”, FlexConnect (Central &
Local switching) and OEAP traffic.
• AVC is based on port, destination and heuristics which allows reliable packet
classification with deep visibility.
• AVC looks into the initial setup of the client flow (first 10-20 packets) so loading
on the controller system is minimal.
• Available for all current generation Cisco controllers supporting v7.4 and above
• Cisco 2504, 55xx, WiSM2, Flex 7500 and 85xx
Different Application Types that AVC Can Recognize
• Enterprise applications
• Non-HTTP applications
• URL/HTTP(S) based applications
• The library within AVC includes web-based, real-time, voice, video, and enterprise applications of all types.
How Does AVC Classify Applications: Peer to Peer
NBAR2 stages:
• Stateless L4 port based: most popular ports 6881-6889, but clients also use random high-order ports, e.g. 56233
• Stateful (flow based) L7 signatures: deep packet inspection of TCP and UDP payload bytes
• MPE (multi-packet engine) and behavioral classification: DHT handshake pattern
Detects BitTorrent client behavior for: uTorrent, BitComet, Azureus, LibTorrent
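To make the three stages concrete, here is an added example (a toy classifier, not NBAR2's engine or Cisco code) that decides a flow from its first packets using an L7 signature, a behavioural DHT pattern and, only as a last resort, the well-known port range. The packets are constructed dicts rather than a real capture; the handshake and DHT byte patterns are taken from the BitTorrent BEP 3 and BEP 5 specifications.

```python
"""Toy flow classifier with the three NBAR2 stages from the slide:
stateless L4 port, stateful L7 signature, behavioural DHT pattern."""
from collections import defaultdict

BITTORRENT_PORTS = range(6881, 6890)   # classic client ports from the slide
MAX_INSPECTED_PACKETS = 10             # like AVC: decide on the first packets only
# Peer-wire handshake (BEP 3): <pstrlen=19><"BitTorrent protocol"><reserved><info_hash><peer_id>
PEER_HANDSHAKE = b"\x13BitTorrent protocol"
# Bencoded DHT query/response (BEP 5): dictionary opening with the "a"/"r" key and a 20-byte id
DHT_PREFIXES = (b"d1:ad2:id20:", b"d1:rd2:id20:")
DHT_TYPES = (b"1:y1:q", b"1:y1:r")
HTTP_METHODS = (b"GET ", b"POST", b"HEAD", b"PUT ")

def make_packet(proto, src, sport, dst, dport, payload):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, payload=payload)

class FlowClassifier:
    def __init__(self):
        self.flows = defaultdict(lambda: {"packets": 0, "app": None, "via": None})

    @staticmethod
    def _key(pkt):
        # Direction-independent 5-tuple so both halves of a conversation share state.
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a <= b else b + a)

    def classify(self, pkt):
        """Return (app, method); app is None until the flow is decided."""
        flow = self.flows[self._key(pkt)]
        if flow["app"] is not None:              # decided: no further inspection
            return flow["app"], flow["via"]
        flow["packets"] += 1
        payload, proto = pkt["payload"], pkt["proto"]
        if proto == "tcp" and payload.startswith(PEER_HANDSHAKE):
            flow.update(app="bittorrent", via="l7-signature")
        elif proto == "tcp" and payload[:4] in HTTP_METHODS:
            flow.update(app="http", via="l7-signature")
        elif proto == "udp" and payload.startswith(DHT_PREFIXES) \
                and any(t in payload for t in DHT_TYPES):
            flow.update(app="bittorrent", via="dht-behaviour")
        elif flow["packets"] >= MAX_INSPECTED_PACKETS:
            # Budget spent without a payload match: fall back to the port heuristic,
            # weak evidence because clients change ports freely (see 56233 above).
            if pkt["sport"] in BITTORRENT_PORTS or pkt["dport"] in BITTORRENT_PORTS:
                flow.update(app="bittorrent", via="l4-port")
            else:
                flow.update(app="unknown", via="budget-exhausted")
        return flow["app"], flow["via"]

# Constructed sample traffic.
HANDSHAKE_ON_HIGH_PORT = make_packet(
    "tcp", "10.1.1.5", 51234, "203.0.113.7", 56233,
    PEER_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-UT3300-" + b"\x22" * 12)
DHT_PING = make_packet(
    "udp", "10.1.1.5", 6881, "203.0.113.9", 43210,
    b"d1:ad2:id20:" + b"\x11" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe")
HTTP_GET = make_packet(
    "tcp", "10.1.1.6", 40000, "198.51.100.2", 80,
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
OPAQUE_ON_6882 = make_packet("tcp", "10.1.1.8", 50000, "203.0.113.3", 6882, b"\x00" * 16)

def run_demo():
    """Classify the constructed flows; returns {name: (app, method)}."""
    clf = FlowClassifier()
    results = {"handshake": clf.classify(HANDSHAKE_ON_HIGH_PORT),
               "dht": clf.classify(DHT_PING)}
    for _ in range(MAX_INSPECTED_PACKETS):    # opaque bytes: only the port heuristic can fire
        results["port_only"] = clf.classify(OPAQUE_ON_6882)
    results["http"] = clf.classify(HTTP_GET)   # decided on the first packet
    return results
```

The ordering matters: payload signatures are checked before the port range, so a BitTorrent handshake on port 56233 is caught while a flow that merely uses port 6882 is only labelled after the inspection budget is exhausted, and with a lower-confidence method tag a policy can treat differently.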
How Does AVC Classify Applications: Cisco Jabber
Deep packet inspection yields three classification flows for Cisco Jabber: Cisco Jabber Audio, Cisco Jabber Video and Cisco Jabber Control. Different policies can be applied to the different components of a Jabber session.

How Does AVC Classify Applications: MS Lync
Deep packet inspection yields three classification flows for Microsoft Lync: MS-Lync Media (audio and video flows), MS-Lync (desktop sharing, chat) and MS-Lync File Transfer. Different policies can be applied to the different components of a Lync session.
Lync Certification: http://technet.microsoft.com/en-us/lync/gg131938.aspx
Enabling Application Visibility and Control
• AVC is enabled per WLAN to allow deep packet inspection
1. Change the QoS level to reflect the highest application level for that SSID
2. Enable Application Visibility
3. Ensure WMM is set to "Allowed" or "Required"
Basic Application Visibility Added on the Controller Home Screen
• Top applications shown sorted by bytes
• Use "Monitor" -> "Applications" to view more statistics

Viewing Real-Time Statistics
• Use for assessing current usage or troubleshooting
• Real-time stats (last 90 seconds): application usage displayed by % of total bytes for the last 90 seconds
• Average packet size to see small vs. large packet flows

Viewing Historical Statistics
• Use for assessing overall usage
• Cumulative statistics: application usage displayed by % of total bytes
• Total bytes transferred – useful for tracking down bandwidth hogs

AVC Application List
• 1039 applications can be detected by default
Configuring AVC Profiles
• Choose an Application Group, then an Application
• Application control: Mark (High / Medium / Low), Drop, or Rate Limit
Examples:
1. AVC Profile – Mark Citrix
2. AVC Profile – Drop BitTorrent
3. AVC Profile – Rate Limit Facebook
Control application usage and performance
Available in AireOS Version 8.0


Policy tie-in with AVC: User-aware and Device-aware
• WLC v7.4 and later: application-based policies per WLAN
• WLC v8.0: user-role aware and device-aware
• Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
• Alice can access EHS records on her (IT-provisioned) Windows laptop but cannot on her personal (unsecured) iPad
AVC Profile Per User / Device
The AAA (RADIUS) server returns the AVC profile and the user role to the WLC as Cisco AV-pairs:
  Cisco-av-pair=avc-profile-name=<avc profile on wlc>
  Cisco-av-pair=role=<role name>
(Figure: SSID "Classroom", security WPA2/802.1X. Teacher and Student clients on the same AP are placed in the Teacher network and the Student network respectively, and YouTube, Facebook, Skype and BitTorrent are controlled per role by the returned AVC profile.)


Applying AVC Profiles (For Your Reference)
Create an AVC profile for applications at Wireless > AVC, then:
1. Apply the AVC profile to a WLAN
2. Apply the AVC profile per client using local profiling on the WLC
3. Apply the AVC profile per client using AAA Override (RADIUS server)
Maximum 32 rules can be created per AVC profile
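For the AAA Override path, the two AV-pairs above travel inside Vendor-Specific attributes of the RADIUS Access-Accept. The following added example (not Cisco or WLC code) encodes such an Access-Accept, verifies its Response Authenticator the way a NAS should before honouring any override, and extracts the cisco-avpair strings. The shared secret and request authenticator are constructed for the example; the packet layout follows RFC 2865 and Cisco's vendor ID 9 / vendor-type 1 for cisco-avpair.

```python
"""Encode, verify and parse a RADIUS Access-Accept carrying Cisco AV-pairs."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor-type of cisco-avpair

def cisco_avpair(value):
    """One Vendor-Specific attribute (RFC 2865 5.26) holding a cisco-avpair string."""
    data = value.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    if 2 + len(body) > 255:
        raise ValueError("attribute value too long for one VSA")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(identifier, request_authenticator, secret, avpairs):
    attrs = b"".join(cisco_avpair(v) for v in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_access_accept(packet, request_authenticator, secret):
    """True only if this is an Access-Accept whose Response Authenticator was
    computed with our shared secret over the request we actually sent."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_cisco_avpairs(packet):
    """Walk the attributes and return the cisco-avpair strings as {key: value}."""
    pairs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(body) - 4:
                key, _, value = body[6:].decode("ascii").partition("=")
                pairs[key] = value
        pos += alen
    return pairs

SECRET = b"example-shared-secret"     # assumed; configured per RADIUS server in practice
REQUEST_AUTH = bytes(range(16))      # constructed; normally 16 random bytes per request

def demo():
    pkt = build_access_accept(0x2A, REQUEST_AUTH, SECRET,
                              ["avc-profile-name=Student-AVC", "role=Student"])
    # Same length, different profile name: the authenticator must no longer verify.
    tampered = pkt[:20] + pkt[20:].replace(b"Student-AVC", b"Teacher-AVC")
    return (pkt, verify_access_accept(pkt, REQUEST_AUTH, SECRET),
            parse_cisco_avpairs(pkt), verify_access_accept(tampered, REQUEST_AUTH, SECRET))
```

The order in `demo` is the one a NAS must keep: verify the Response Authenticator against the request it sent, then read the AV-pairs. Applying `avc-profile-name` or `role` from a packet that fails verification would let anyone who can inject UDP toward the controller pick their own policy.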
Cisco Wireless Controller NetFlow Record
Record fields: Client MAC, Client IP, SSID, Access Point MAC, Packet Count, Octet Count, DSCP before AVC, DSCP after AVC, Application Tag
• NetFlow v9
• Monitors data from layer 2 through 7
• Determines applications by a combination of port and payload
• Flow information contains client, wireless infrastructure, application, QoS marking and bandwidth detail
• This is not a Flexible NetFlow export.
Application Visibility at Cisco Prime
Application filter / visibility per: SSID, client, building, floor, device (AP/controller)
• Application-based reporting
• Wired, and wireless with third-party NetFlow

Application Visibility with 3rd Party Vendors
• Using NetFlow exports, third-party tools like Plixer Scrutinizer can visualize the data and track it historically.
• Custom reports in this 3rd-party tool allow viewing of upstream and downstream flows as well as client DSCP markings.
AVC Limitations and Scalability (For Your Reference)
• A maximum of 16 AVC profiles can be created on a WLC.
• Each AVC profile/WLAN can be configured with a maximum of 32 rules.
• Only 1 NetFlow exporter and monitor can be configured on a WLC.
• IPv6 traffic is not currently classified.
• Multicast traffic is not currently classified.
NBAR2 – Regular Updates
In-service application definition update:
• Major protocol packs (PP X, PP Y): ~10 protocols, updates and fixes
• Minor protocol packs (PP X.1, PP Y.1): bug fixes, small updates
• Standard Protocol Pack: includes only a subset of protocols; no support for traffic categorization and attributes; available (as default protocol pack) in the IP Base image; no periodic releases and no SLA
• Advanced Protocol Pack: includes all supported protocols/applications; supports traffic categorization and attributes; available (as default protocol pack) in the DATA image; periodic releases and offers an SLA
• PP 12.0 available
(Figure: an NBAR2 Protocol Pack is a bundle of Protocol 1 … Protocol n definitions.)

NBAR2 Protocol Pack Example
• Add new applications recognized by NBAR2 without a WLC reload
• A new protocol pack is published every two months on CCO
• Single IOS CLI to enable the protocol pack
AVC Deployment Considerations (For Your Reference)

Cisco WLC deployment mode     Centralized (Local Mode AP)   Distributed (Flex Mode AP)   IOS-XE
Protocol Pack Supported       PP 12.0*                      PP 8.0                       PP 8.0
Protocol Pack Update          Yes                           No                           No
NetFlow Export                Yes                           No                           Yes
AVC (Drop, Mark, Rate-Limit)  Yes                           Yes                          Yes
Code Supported                AireOS 7.4 & above            AireOS 8.1                   IOS-XE 3.3**
Per-User AVC                  Yes                           No                           Yes
Extra License                 No                            No                           No
Platforms Supported           WLC 2500, 55xx, 85xx          WLC 55xx, 7500, 85xx, vWLC   WLC 5760, Catalyst 3850/3650

* Default PP is 9.0, but can be upgraded to 12.0
** Only visibility supported on IOS-XE 3.3; control supported on IOS-XE 3.6 and above

Network management: Cisco Prime. Feature/platform: Performance Collection, Flexible NetFlow. License: Prime Assurance.

NBAR2 limitations on WLC:
• When an AP is in FlexConnect mode, NBAR is not supported
• IPv6 traffic cannot be classified
• Not supported by the vWLC or WLC on SRE
Application Visibility and Control Verification
Application control tested:
• Citrix video streaming quality improves by 55%
• Microsoft Lync voice MOS score rises to 4.20
• Background traffic using Windows file sharing drops by 74%
Download: http://www.cisco.com/c/dam/en/us/products/collateral/wireless/cisco_avc_application_improvement.pdf
Lync SDN
Microsoft Lync SDN API & Cisco Strategy
• Lync SDN API to address UC challenges
• Cisco WLC & Prime integration with the Lync SDN API

Lync SDN Integration Deep-Dive
(Figure: the MS Lync front-end server sends call information over HTTP to the control-plane receiver on the WLC; on the data plane the WLC applies policy to the Lync call between the two clients.)
• Lync call statistics
• Real-time Lync call monitoring
• Lync call diagnostics

Lync SDN Integration Deep-Dive
• Classify Lync voice, video, desktop & file sharing
• Automate QoS policy to control Lync calls (XML from the Lync Dialog Listener (LDL) over HTTP to the WLC control-plane receiver)
• Highest level of visibility for Lync calls
• Troubleshoot Lync issues in real time
• Supports L2/L3 roaming – policy and call info is maintained
• Supported in centralized mode only (WLC 55xx, 85xx, WiSM2 supported)
• Report/monitor and assist with diagnostics of endpoint detail: call status, call type, source/destination, MOS, jitter, call duration
Lync SDN API Integration Steps
• Install Lync Dialog Listener on a Lync front-end server
• Install Lync SDN Manager on a separate Windows 2008/2012 server
• Multiple Lync front-end servers - install LDL on each FE and configure to point
at the Lync SDN manager.
• Register WLC information with each Lync SDN Manager
• Configure Global Lync Server on WLC
• Configure WLC CPU ACL to allow Lync SDN API communication.
• Enable/Disable Lync application and define QoS policies per WLAN
• Monitor Lync calls on WLC

http://www.microsoft.com/en-us/download/details.aspx?id=39714
Lync Configuration - Global
• Make sure that the Lync SDN server is also configured for use with the same port.
• Prefer https for the Lync SDN Manager to WLC channel: it carries call detail records and the data the WLC acts on when it applies QoS, and the CPU ACL from the integration steps should permit only the SDN Manager's address on this port.
• Global configuration CLIs:
  config application lync enable/disable
  config application lync port <port-no>
  config application lync protocol http/https

(Cisco Controller) >show lync-sdn summary
Lync State....................................... Enabled
Protocol......................................... http
Port............................................. 15790

*https://msdn.microsoft.com/en-us/library/office/dn439302(v=office.15).aspx
Lync Configuration - WLAN
• Enable the Lync SDN service in the WLAN
• Supports Fast SSID
• Multiple WLANs can be enabled for Lync
• WLAN advanced configuration:
  config wlan lync enable/disable <wlan-id>
  Call detail records will not be processed if the service is not enabled.
Lync Configuration - WLAN QoS
• Lync policies can be overridden in WLAN QoS: Audio, Video, Desktop Sharing, and File Transfer
• Customers can have AVC and other best practices turned on simultaneously
• WLAN QoS configuration:
  config wlan lync priority audio/video/desktop-sharing/file-transfer Bronze/Silver/Gold/Platinum <wlan-id>

(Cisco Controller) >show wlan 1
Local Policy
----------------
Priority Policy Name
-------- ---------------
Lync State ...................................... Enabled
Audio QoS Policy................................. Platinum
Video QoS Policy................................. Gold
Desktop Sharing QoS Policy....................... Silver
File Transfer QoS Policy......................... Silver
Lync Monitoring
• Up to 15% of all clients per WLC may be simultaneously on Lync
• Up to 250 active wireless Lync calls

(Cisco Controller) >show lync-sdn active-calls summary

Number of Lync Calls............................. 1

Caller Callee
-------------------------------------------------------------------- --------------------------------------------------------------------
ID URI MAC Address IP Address AP Name URI MAC Address IP Address AP Name Call Type
--- ---------------- ----------------- --------------- ----------------- ---------------- ----------------- --------------- ----------------- ---------
0 sip:test2 60:45:bd:de:74:4e 10.10.20.109 AP3700-8.0-demo sip:pod1b 28:18:78:d6:03:0d 10.10.20.104 AP3700-8.0-demo Audio
Lync Call Detail
After a Lync call: Caller/Callee, Call Type, IP address, DSCP, Packet Loss, Jitter, MOS, BW Estimates
Lync Historical Calls
• Historical tracking for up to 20% of all Lync calls
• PI (Prime Infrastructure) aggregates long-term reports
• Multiple controllers forward information obtained from the Microsoft Lync SDN server to Prime Infrastructure

Lync certification updated for 802.11ac
• AireOS 8.0.100.0 and above: 5508, Flex 7500, WiSM2, 5520, 8510, 8540
• Indoor APs: AP 2700, AP 3700; 802.11ac outdoor: AP 1570
• IOS-XE 03.07.00E and above: 5760, Catalyst 3850, Catalyst 3650
More info: http://technet.microsoft.com/en-us/office/dn788945.aspx and click on the 'Networking' tab
Bonjour Gateway
Bonjour Protocol
• The Bonjour protocol helps Apple devices discover services
• Uses the mDNS protocol to advertise and discover services
• Link local: does not cross subnets

Bonjour Challenges across VLANs
Bonjour is link-local multicast and can't be routed.
(Figure: an Apple TV on VLAN Y advertises to 224.0.0.251; a wireless client on VLAN X behind the AP, CAPWAP tunnel and WLC never sees it, because the router does not forward the multicast.)
• Bonjour is link-local multicast and thus forwarded only on the local L2 domain
• mDNS operates on UDP port 5353 and is sent to the reserved group addresses: IPv4 224.0.0.251, IPv6 FF02::FB
Bonjour mDNS Gateway on Cisco WLC
(Figure: an Apple TV on VLAN 20 and an AirPrinter on VLAN 23 on the wired side of the WLC; an iPad on VLAN 99 behind the AP and CAPWAP tunnel.)
• Step 1 – Listen for Bonjour service advertisements (wired): the Apple TV advertises AirPlay on VLAN 20, the printer advertises AirPrint on VLAN 23
• Step 2 – Bonjour services are cached on the controller: AirPlay – VLAN 20, AirPrint – VLAN 23
• Step 3 – Listen for client service queries: the iPad sends a Bonjour query for a service
• Step 4 – Respond to client queries (unicast) for Bonjour services from the controller's cache
Bonjour Traffic Optimization
• Traffic is optimized by sending Bonjour responses only to the devices that requested them: about 80% less traffic.
(Chart: mDNS client packets vs. number of access points)
Access Points   mDNS Snooping OFF   mDNS Snooping ON
1               160                 80
2               270                 100
3               450                 120
4               800                 140
Apple TV Bluetooth Discovery Process
1. Enable Wi-Fi and make sure it is routable to the Apple TV subnet
2. iDevices discover Apple TVs in Bluetooth range (40 feet)
3. iDevices can start mirroring
• Bluetooth is used only to discover Bonjour AirPlay services
• Does not apply to AirPrint, Backup, AirDrop, etc.

Apple TV Bluetooth Discovery Implications on Wi-Fi
Wi-Fi interference:
• Apple TVs add a new set of Bluetooth interfering devices on the network
• Congested 2.4 GHz spectrum makes Bluetooth discovery slow and unreliable
Bonjour policy control:
• A student, not just the teacher, can discover the Apple TV and gain AirPlay access
• The password mechanism lacks role-based policy control
Filter Services by WLAN and VLAN
Services Directory: a Guest service policy is applied to the Guest network and an Employee service policy to the Employee network (the figure shows a FileShare service exposed per policy).

Bonjour Policy Example for Education using v8.0
• Teacher Service Profile with a Teacher Service Instance List: Apple TV1 (AirPlay, iTunes Sharing), File Share, AirPrint
• Student Service Profile with a Student Service Instance List: Apple TV1 (AirPlay), File Share, AirPrint
• Apple TV2 appears as a separate mDNS service instance in the Teacher network group
(mDNS service instance groups map onto the Teacher network and the Student network.)

Bonjour Policy Enhancement in 8.0
1. Create a Bonjour device group; 2. Assign an ID to the device group; 3. Assign a location
• Teacher Bonjour Devices (User Role = Teacher): Classroom Printer, Classroom Apple TV
• Common Bonjour Devices (User Role = Teacher & Student): Library Printer, Library Apple TV
• Student Bonjour Devices (User Name = John): Personal Apple TV
Location can be an AP-Group, AP-Name or AP-Location.

Bonjour Policy Enhancement in 8.0
• Teacher Bonjour Devices, User Role = Teacher, Classroom Apple TV, Location = ClassRoom: the teacher can discover the Classroom Apple TV only when present in the classroom
• User Role = Teacher, Classroom Printer, Location = Any: the teacher can discover the Classroom printer from anywhere on the campus
Location can be AP-Group, AP-Name or AP-Location
Bonjour Policy Configuration (For Your Reference)
1. Enable mDNS policy on the controller from the GUI or CLI
2. Configure the service instances in the mDNS group, and the role
Available in AireOS Version 8.0
Example: Enable Bonjour for a Remote VLAN – mDNS AP
• With an mDNS-AP, Bonjour services can be seen from a remote VLAN
(Figure: an AP in trunk mode at a remote switch (the "mDNS AP") relays mDNS (224.0.0.251) from the remote VLAN where the Apple TV lives to the WLC over its CAPWAP tunnel; the WLC's Bonjour Services Directory then answers clients on VLAN X and VLAN Y behind the other APs.)
Google Chromecast With Cisco Wireless LAN Controllers
How does Google Chromecast work?
1. mDNS service discovery: the client sends a PTR query for _googlecast._tcp.local to 224.0.0.251
2. Response with the IP address of the service (unicast response)
• Chromecast Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/chromecastDG76/ChromecastDG76.html
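The four gateway steps described earlier and the Chromecast discovery exchange above are the same mechanism seen from two sides, so one added example covers both (this is illustrative code, not the WLC's implementation). It keeps a controller-style cache of service instances "learned" on wired VLANs, applies a per-WLAN service policy like the guest/employee filtering described in the Services Directory slide, and answers a client's PTR query for _googlecast._tcp.local with a unicast mDNS response. All cache entries, names and addresses are constructed for the example; the packet layout follows RFC 1035 and RFC 6762.

```python
"""A Bonjour/mDNS gateway in miniature: wired-side service cache, per-WLAN
policy, unicast answers to client PTR queries. All data is constructed."""
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353     # from the slides; not used offline
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33
CLASS_IN = 1
FLAGS_RESPONSE_AA = 0x8400                      # QR=1, AA=1

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(pkt, pos):
    """Return (name, position after the name); follows RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[pos]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                         # guard against pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)

def build_ptr_query(service, unicast_response=True):
    """mDNS question for a service type; the QU bit asks for a unicast reply."""
    qclass = CLASS_IN | (0x8000 if unicast_response else 0)
    return (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service)
            + struct.pack("!HH", TYPE_PTR, qclass))

def _rr(name, rtype, rdata, ttl=4500, cache_flush=False):
    # Unique records (SRV, A) carry the cache-flush bit; shared PTR records do not.
    rclass = CLASS_IN | (0x8000 if cache_flush else 0)
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

class BonjourGateway:
    def __init__(self, wlan_policy):
        self.cache = {}              # service type -> [(instance, host, port, ip, vlan)]
        self.policy = wlan_policy    # WLAN name -> set of service types it may see

    def learn(self, service, instance, host, port, ip, vlan):
        """Steps 1-2: record an advertisement heard on a wired VLAN."""
        self.cache.setdefault(service, []).append((instance, host, port, ip, vlan))

    def answer(self, query, wlan):
        """Steps 3-4: answer a client PTR query from the cache, or None when it is
        not a PTR question, the WLAN policy filters the service, or nothing is cached."""
        flags, qdcount = struct.unpack("!HH", query[2:6])
        if flags & 0x8000 or qdcount != 1:        # ignore responses and odd queries
            return None
        service, pos = decode_name(query, 12)
        qtype, _qclass = struct.unpack("!HH", query[pos:pos + 4])
        entries = self.cache.get(service, [])
        if qtype != TYPE_PTR or service not in self.policy.get(wlan, set()) or not entries:
            return None
        answers = additional = b""
        for instance, host, port, ip, _vlan in entries:
            full = "%s.%s" % (instance, service)
            answers += _rr(service, TYPE_PTR, encode_name(full))
            additional += _rr(full, TYPE_SRV, struct.pack("!HHH", 0, 0, port) + encode_name(host),
                              cache_flush=True)
            additional += _rr(host, TYPE_A, bytes(int(o) for o in ip.split(".")), cache_flush=True)
        header = struct.pack("!HHHHHH", 0, FLAGS_RESPONSE_AA, 0, len(entries), 0, 2 * len(entries))
        return header + answers + additional

def parse_answers(resp):
    """Return [(owner, rtype, rdata)] for the answer section; PTR rdata decoded to a name."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    pos, out = 12, []
    for _ in range(ancount):
        owner, pos = decode_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        rdata = decode_name(resp, pos)[0] if rtype == TYPE_PTR else resp[pos:pos + rdlen]
        out.append((owner, rtype, rdata))
        pos += rdlen
    return out

def demo():
    gw = BonjourGateway({"employee": {"_googlecast._tcp.local", "_airplay._tcp.local"},
                         "guest": set()})                        # guest discovers nothing
    gw.learn("_googlecast._tcp.local", "Living-Room-TV", "chromecast-1.local", 8009, "10.20.0.50", 20)
    gw.learn("_airplay._tcp.local", "Classroom-Apple-TV", "appletv.local", 7000, "10.20.0.51", 20)
    query = build_ptr_query("_googlecast._tcp.local")
    return gw.answer(query, "employee"), gw.answer(query, "guest"), query
```

The response carries the PTR answer plus SRV and A records as additional data, which is what lets the client reach the Chromecast's IP and port without a second round trip; the WLAN policy check happens before any cache lookup, so a guest query for a filtered service produces no reply at all rather than an empty one.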
WLC Internal Policy Classification Engine
What is BYOD?
"I am an employee and I would like to use my personal device to connect to the network."

Managing Policies for a BYOD Network
• Personal devices on the network
• Securely on-board the device
• Application experience
• Simplified operations
• Bonjour
Network components: Wireless, Wired, Remote Access, ISE, Prime, 3rd-party MDM (optional)

Profiling and Policy Strategies
• Device profiling & policy control by the WLC (wireless only)
• ISE Base (ISE Wireless): AAA, guest provisioning
• ISE Advanced: AAA, internal CA, guest provisioning, device profiling, device on-boarding, device posturing, partner MDM integration; profiling & policy enforcement across any access medium
Build BYOD Policy: Flexible Options
• Local profiling and policy on the WLC
Network components: WLC plus a RADIUS server (e.g. ISE Base, ACS); wireless only.
Policy elements: User Role, Device Type, Authentication, Time of Day
Policy enforced: VLAN, Access List, QoS, Application, Services (Bonjour)
Available in AireOS version 8.0.
WLC Native Profiling for BYOD Deployments
1. A corporate or personal device associates through the access point to the Wireless LAN Controller.
2. Identity: the RADIUS server returns the user role.
3. Profiling: the WLC identifies the device type.
4. Management (Unified Access): authentication type and time of day are collected.
5. Policy decision on the WLC, then enforcement (ACL, VLAN, QoS).
6. Result: corporate device -> VLAN 10, corporate resources; personal device -> VLAN 20, Internet only.
Configuring User-Role
The RADIUS server returns a role attribute (e.g. role=Employee or role=Contractor) to the controller, and the controller maps the role to a privilege level (Employee, Contractor).

Native Device Profiling on WLC
Step 1: Cisco WLC configuration
Step 2: Create the device profiling policy (device type); 156 pre-defined device signatures are available
Step 3: Enable DHCP and HTTP profiling on the WLC
WLC Device Profiling Example - iPad
• Is the MAC address (OUI) from Apple?
• Does the DHCP hostname contain "iPad"?
• Is the web browser (HTTP user agent) Safari on an iPad?
=> Apple iPad

Updating Device Profiles on Cisco WLC
Export from ISE:
• Choose Policy > Profiling > Profiling > Profiling Policies
• Choose Export (Export All)
• Click OK to export the endpoint profiling policies in the profiler_policies.xml file.
OUI list download from: http://standards.ieee.org/develop/regauth/oui/oui.txt
Native Profiling Authentication and Time Policy
• Wireless client authentication: EAP type (LEAP, EAP-FAST, EAP-TLS, PEAP)
• Time of day: active hours for the policy (time based policy)

Enforce Policy on the WLC
Enforced policy:
• ACL*
• VLAN
• QoS*
• Session Timeout
• Application Control
• mDNS Policy
* Supported in FlexConnect mode
Available in AireOS version 8.0.
Cisco Wireless Application Control
AVC provides Layer 7 policies per user (by device type and user role):
• Real time applications (business): High priority, e.g. for the Exec user role
• Non real time applications (business): Normal priority, e.g. for the Employee user role
• Casual applications: Low priority, e.g. for the Contractor user role
• Malicious applications: Drop
The same High / Normal / Low priorities can be assigned per device type.

Cisco Wireless Bonjour Services Control
Bonjour Gateway provides service policies per user:
• Exec and Employee user roles: AirPlay and AirPrint access is permitted
• Contractor user role: AirPlay access is denied

Applying Native Profiling Policy per WLAN / AP Group
Native profiling policies can be applied per WLAN or per AP group.
Restriction: the first matched rule applies.
A maximum of 16 policies can be created per WLAN / AP group and 64 globally.

Employee Owned Devices
• If we have machine authentication in place, or even just certificates for
employees authenticating from corporate machines, then it’s relatively easy…
• What if not?
• Example: no machine authentication, employees authenticating from corporate
machines with their login/password and using the same credentials on personal
devices.

On the WLC:
config advanced eap max-login-ignore-identity-response ?

enable   Ignore the same username reaching max in the EAP identity response
disable  Check the same username reaching max in the EAP identity response
Limitations in WLC Native Profiling and Policy

• When local profiling is enabled, RADIUS profiling is not allowed.
• If AAA override is enabled, the AAA override attributes take precedence over the local policy.
• Wired clients behind a WGB are not profiled and no policy action is taken for them.
• Only the first policy rule that matches is applied.
• Up to 16 policies per WLAN can be configured, and 64 policies globally.
• Policy action is taken after any of the following:
  o L2 authentication is complete
  o L3 authentication
  o The device sends HTTP traffic and gets profiled; profiling and policy actions may therefore happen more than once per client.
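The profiling signatures (OUI, DHCP hostname, HTTP user agent) from the iPad example, the first-match policy list with its 16-per-WLAN / 64-global limits, and the AAA-override precedence above, modelled in one added Python example. This is illustration code written for this page, not the controller's implementation; the device types, policy names, VLAN/ACL/QoS values, office hours and the small Apple OUI table are assumptions (check OUIs against the IEEE list the slides point to).

```python
"""Constructed model of the WLC native profiling and local policy engine
(not Cisco code): profile a client from its OUI, DHCP hostname and HTTP
user agent, then apply the first matching policy from a per-WLAN list,
honouring the 16-per-WLAN / 64-global limits and AAA-override precedence."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed Apple OUIs for the example; verify against the IEEE oui.txt list.
APPLE_OUIS = {"F0:D1:A9", "3C:07:54", "00:1C:B3"}
MAX_PER_WLAN, MAX_GLOBAL = 16, 64


@dataclass
class Endpoint:
    mac: str
    dhcp_hostname: str = ""
    http_user_agent: str = ""


def profile_device(ep: Endpoint) -> str:
    """Combine OUI, DHCP and HTTP signatures the way the iPad example does."""
    is_apple = ep.mac.upper().replace("-", ":")[:8] in APPLE_OUIS
    text = (ep.dhcp_hostname + " " + ep.http_user_agent).lower()
    if is_apple and "ipad" in text:
        return "Apple-iPad"
    if is_apple and "iphone" in text:
        return "Apple-iPhone"
    if is_apple:
        return "Apple-Device"
    if "windows" in text:
        return "Windows-Workstation"
    return "Unknown"


@dataclass
class Policy:
    name: str
    role: Optional[str] = None                    # None = match any
    device_type: Optional[str] = None
    eap_type: Optional[str] = None
    active_hours: Optional[Tuple[str, str]] = None  # ("08:00", "18:00"), zero-padded HH:MM
    vlan: Optional[int] = None                    # enforcement attributes
    acl: Optional[str] = None
    qos: Optional[str] = None
    session_timeout: Optional[int] = None

    def matches(self, s: dict) -> bool:
        if self.role and s.get("role") != self.role:
            return False
        if self.device_type and s.get("device_type") != self.device_type:
            return False
        if self.eap_type and s.get("eap_type") != self.eap_type:
            return False
        if self.active_hours:
            start, end = self.active_hours        # zero-padded, so string order is time order
            if not start <= s["now"] <= end:
                return False
        return True


class NativePolicyEngine:
    def __init__(self):
        self.wlans: Dict[str, List[Policy]] = {}
        self.total = 0

    def add_policy(self, wlan: str, policy: Policy) -> bool:
        rules = self.wlans.setdefault(wlan, [])
        if len(rules) >= MAX_PER_WLAN or self.total >= MAX_GLOBAL:
            return False                          # limit reached: 16 per WLAN, 64 global
        rules.append(policy)                      # order matters: first match wins
        self.total += 1
        return True

    def evaluate(self, wlan: str, session: dict, aaa_override: Optional[dict] = None,
                 aaa_override_enabled: bool = False) -> dict:
        result: dict = {}
        for p in self.wlans.get(wlan, []):
            if p.matches(session):
                result = {"policy": p.name, "vlan": p.vlan, "acl": p.acl,
                          "qos": p.qos, "session_timeout": p.session_timeout}
                break
        if aaa_override_enabled and aaa_override:
            result.update(aaa_override)           # RADIUS-returned attributes win
        return result


def build_example_engine() -> NativePolicyEngine:
    eng = NativePolicyEngine()
    eng.add_policy("corp", Policy("contractor-internet", role="Contractor",
                                  vlan=30, acl="internet-only", qos="bronze"))
    eng.add_policy("corp", Policy("employee-ipad-office-hours", role="Employee",
                                  device_type="Apple-iPad", active_hours=("08:00", "18:00"),
                                  vlan=20, qos="silver", session_timeout=28800))
    eng.add_policy("corp", Policy("employee-default", role="Employee", vlan=10, qos="gold"))
    return eng


def decide(engine, wlan, ep, role, eap_type, now, aaa_override=None, aaa_override_enabled=False):
    """Profile the endpoint, then run the WLAN's policy list on the session."""
    session = {"role": role, "device_type": profile_device(ep), "eap_type": eap_type, "now": now}
    return engine.evaluate(wlan, session, aaa_override, aaa_override_enabled)


if __name__ == "__main__":
    ipad = Endpoint("F0:D1:A9:12:34:56", "Johns-iPad",
                    "Mozilla/5.0 (iPad; CPU OS 8_1 like Mac OS X) Safari/600.1.4")
    eng = build_example_engine()
    print(decide(eng, "corp", ipad, "Employee", "PEAP", "10:00"))
    print(decide(eng, "corp", ipad, "Employee", "PEAP", "20:00"))
```

Note how rule order decides the outcome: the iPad rule must sit above the employee default or it never fires, and a RADIUS VLAN returned with AAA override enabled replaces whatever the local rule decided.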
Build BYOD Policy: Flexible Options
Different deployment requirements for different environments: Controller + ISE-Wireless, BYOD, NAC.
ISE (Identity Services Engine) consolidates what used to be separate products (Internal CA, ACS, NAC Profiler, Guest Server, NAC Manager, Monitoring Server) and provides:
• Certificate Authority
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Client Provisioning
• MDM
• Monitoring, Troubleshooting, Reporting
ISE 1.3: Internal Certificate Authority
• Simplifies certificate management for BYOD devices
• Single management console: manage endpoints and their certificates. Delete an endpoint and ISE deletes the certificate.
• Simplified deployment: supports stand-alone and subordinate CA deployments. Removes the corporate PKI team from every BYOD interaction.

Historically, Securing Access Was Complicated
The past vs. ISE 1.3

Easy-to-Deploy Guest and BYOD Access
• Admin friendly: set up a Guest or BYOD workflow in just a few clicks.
• End user visibility: ISE updates the portal workflow in real time with each change.

Simplifying Guest Access for the Enterprise
• Corporate branding and themes, desktop and mobile ready
• Streamlined guest creation: create accounts and deliver the credentials by print, email or SMS (example: username trex42, password littlearms)
• Mobile guest sponsorship
• Guest access notification via SMS
Design easily in minutes, deploy securely in just hours.


Automated Device Security
Posture assessment and compliance check; MDM integration.
MDM policy check attributes: device registration status, device compliance status, disk encryption status, PIN lock status, jailbreak status, manufacturer, model, IMEI, serial number, OS version, phone number.
Corporate and personal device posture check and MDM remediation.
My Devices Portal
• The end user logs into the My Devices portal
• Sees the list of their own devices
• Can change the status of a specific device (Lost, Stolen, ...)
ISE Posture
What can be checked?
• Microsoft updates: service packs, hotfixes, OS/browser versions
• Antivirus: installation and signatures
• Antispyware: installation and signatures
• File data, services, applications/processes, registry keys
ISE Posture Policies
Persistent and/or dissolvable agent
Employee policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corporate asset checks
• Enterprise application running
Contractor policy:
• Any AV installed, running, and current
Guest policy:
• Accept AUP (no posture, Internet only)
ISE 1.3 Guest
What is Guest?
Guest is an end user web application companies use to let people access the Internet through their network.

Basic Supported Guest Flows
1. Hotspot
2. Self Service
3. Self Service Sponsor Approved
4. Sponsored
Hotspot Guest Flow
• Allow guests on the Internet with AUP acceptance, no matter who they are.
• Remember who they are next time so you don't get in their way: when the guest clicks "I Agree" on the Acceptable Use Policy ("I promise to be good"), the endpoint MAC (e.g. 44:6D:77:B4:FD:01) is remembered, and the entry lapses when the configured period ends (e.g. when the day ends).

Secret Code Controls Access to Guest Wi-Fi
• Registration code: require the user to enter a code before completing a self service registration.
• Access code: require the user to enter a code before accessing a hotspot or logging in using guest credentials (example code: chemist).
Self Service with SMS
• Allow a guest on the Internet as long as you have a 3rd party identifier that proves who the user is (here the phone number, verified by SMS; sponsor approval and the extra notification step are optional).
• Could we skip this step with a link that jumps from step 2 to step 4? Not in 1.3.

Self Service with Email Verification
Fill in a simple form -> check your email -> connect to Wi-Fi (example credentials: hansolo / nerfherder)

Pre-Expiration Notification
"You are about to expire! Go here: http://bit.ly/reup" (desktop and mobile)

Self Service with Sponsored Approval
1. The guest self-registers; ISE sends an email to the sponsor requesting approval ("Visiting email?").
2. The sponsor logs into the Sponsor Portal and approves or rejects the request.
3. Approved: the guest receives the credentials (username: trex42, password: littlearms).
Approving self registration requests works on desktop and mobile.
Sponsored Guest Access
Sponsored flow: "Hi! Can I get on your Wi-Fi?" "Sure. I just need a little information." The sponsor prints, emails and/or SMSes the credentials. "Cool!"

Creating a Guest Account - Sponsor Mobile
Click on the icon in the top right of the mobile screen and select "Create Guest" to get started.

Creating a Guest Account - Sponsor Desktop
Browser version of account creation by the sponsor.
• Once the sponsor clicks "Create" the account is created.
• They are then presented with the guest info and have the option to notify the guest.
• The sponsor can then click "Notify" and choose to deliver credentials via branded printout, email, and/or SMS.

Also supported: creating random accounts, importing accounts, and notices when creating lots of accounts.

Managing Accounts as a Sponsor
Fields on the Manage Accounts page:
• Username
• State (of their account)
• First Name
• Last Name
• Email Address
• Phone Number
• Group Tag
• Sponsor (username)
• Guest Type
• Expiration Date (e.g. 6/30/2014 15:54)
• Time Left (e.g. 3 days, 23 hours, 35 minutes)
Where does a Guest flow send Guests?
• The page they tried to reach (example: google.com)
• A predefined URL such as the company page
• A custom ISE success page

Hand Holding Guests When They Exceed Device Limits
ISE Guest and Employee onboarding flows support the ability to limit a user to a specific number of devices.
Guest REST API
What is supported?

Features supported by the Guest REST API include:
• Create a Guest User (create an account and credentials a guest can use to access the network)
• Get a Guest User
• Get All Guest Users (with search, filtering, sorting and pagination)
• Update a Guest User (change their name, password, etc.)
• Delete a Guest User
• Suspend a Guest User
• Reinstate a Guest User

Guest REST API - POST Request Examples
Remember to Avoid Re-Auth
The old way: the guest is sent back through the portal on every new connection ("#^@& WHY!"). ISE 1.3 has a smart solution to avoid re-auths.

With ISE 1.3:
• The device/user logs in to the hotspot or credentialed portal
• The MAC is automatically registered into the GuestEndpoint group
• The authorization policy for the GuestEndpoint group grants immediate access until the device is purged

Guest Access Authentication Policy
• MAC Authentication Bypass (MAB) is used to send the guest traffic to be checked by the authorization policy
• The Internal Endpoints identity store option for an unknown MAC needs to be changed from the default of DROP to CONTINUE, so that an unregistered device still reaches the authorization policy (and the portal redirect) instead of being dropped

Guest Access Authorization Policy Example
Redirection to the Guest Portal; different portals are used here for different guest flows. VLANs or SGTs can also be used for enforcement.
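The flow above as an added simulation (example code written for this page, not ISE): MAB for every client, an unknown MAC passed on to authorization (CONTINUE) and redirected to the portal, registration of the MAC into the GuestEndpoint group on portal login, immediate access on later connections, expiry once the endpoint is purged, and the per-user device limit mentioned earlier. The purge window, the device limit and the MAC/user/time values are assumptions.

```python
"""Constructed simulation (not ISE code) of the ISE 1.3 guest flow: MAB for
every client, 'unknown MAC: CONTINUE' so the authorization policy can redirect
to the portal, MAC registration into GuestEndpoint on portal login, immediate
access thereafter, and expiry when the endpoint is purged."""
from datetime import datetime, timedelta

PERMIT, REDIRECT, REJECT = "PermitAccess", "RedirectToGuestPortal", "Reject"
T0 = datetime(2014, 6, 30, 15, 54)          # constructed reference time for the example


def later(t, days=0, hours=0):
    return t + timedelta(days=days, hours=hours)


class GuestPolicy:
    def __init__(self, purge_after=timedelta(days=30), max_devices_per_user=3,
                 user_not_found="CONTINUE"):
        self.purge_after = purge_after
        self.max_devices_per_user = max_devices_per_user
        self.user_not_found = user_not_found  # identity store option: CONTINUE / DROP / REJECT
        self.endpoints = {}                   # mac -> {"user": ..., "registered": datetime}

    def purge_stale(self, now):
        """Endpoint purge: drop GuestEndpoint members older than the purge window."""
        stale = [m for m, e in self.endpoints.items() if now - e["registered"] >= self.purge_after]
        for m in stale:
            del self.endpoints[m]
        return stale

    def mab(self, mac, now):
        """Authentication (MAB) plus authorization decision for one access request."""
        self.purge_stale(now)
        if mac.upper() not in self.endpoints:
            if self.user_not_found != "CONTINUE":
                return REJECT           # with DROP/REJECT the client never sees the portal
            return REDIRECT             # unknown MAC -> authorization rule: redirect to portal
        return PERMIT                   # GuestEndpoint member -> no re-auth

    def portal_login(self, mac, user, now):
        """Hotspot AUP acceptance or credentialed login registers the MAC for the user."""
        owned = [m for m, e in self.endpoints.items() if e["user"] == user]
        if mac.upper() not in owned and len(owned) >= self.max_devices_per_user:
            return False                # device limit exceeded: hand-hold the guest instead
        self.endpoints[mac.upper()] = {"user": user, "registered": now}
        return True


if __name__ == "__main__":
    p = GuestPolicy()
    print(p.mab("44:6d:77:b4:fd:01", T0))                  # first contact: portal
    p.portal_login("44:6d:77:b4:fd:01", "trex42", T0)
    print(p.mab("44:6d:77:b4:fd:01", later(T0, hours=1)))  # next day: straight in
    print(p.mab("44:6d:77:b4:fd:01", later(T0, days=31)))  # purged: portal again
```

The DROP case is the misconfiguration the slide warns about: with the default setting an unknown MAC never reaches the authorization policy, so the portal is never shown and every guest fails silently.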
What's new in ISE 1.3 Portal Customization?
• Notifications (e.g. "Approved! credentials: username trex42, password littlearms")
• Create accounts and deliver them by print, email or SMS
• Mobile and desktop portals

Which Portals Are Customizable
All except the admin portal:
1. Guest
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Blacklist
Guest portals: customize each portal independently.
Anatomy of ISE Portal Customization
1. The "Live Portal Link" opens a new browser tab and brings you to the portal that you are customizing.
2. Localization export/import allows you to bulk change the language values for all fields by exporting a language file, changing that file and uploading it back into ISE.
3. Themes and look-and-feel settings apply to all of this portal's pages. They allow you to change things like colors, shapes and fonts.
4. Global images, page titles and footers can be set for all of this portal's pages in this one place.
5. The preview area shows a real-time updated view of what the end user will see when they visit this page.
6. The flow pages and notifications section is a complete list of all of the pages or notifications that an end user can see in this flow.
7. When you select a specific flow page or notification, the page settings area can be used to customize the content and the fields visible on that selected page.
Customizing Portals
• Previews (desktop preview)
• Logos and text
• Out of the box themes: Guest Theme Default, Guest Theme 2 (Olive), Guest Theme 3 (Fresh Blue), Guest Theme 4 (High Contrast)
• Tweaking a theme
• Page content customization and page content settings

The Mini Editor
• Available in most pages
• Allows the admin to add text messages that include variables, to further enrich and personalize the guest experience
The Mini Editor - Variables
Customers will often want to add variable information to portal pages. Variables are text that looks like $some_variable_name$ in the mini editor and is replaced with an actual value when the page or notification is rendered to the end user.

You can pick from a list of available variables using the X button in the mini editor. Different variables are available on different pages. (You don't know the first name of the user if they haven't logged in yet.)

In the depicted example, the text:

Welcome back $ui_first_name$! You have $ui_time_left$ before your network access is revoked and we unleash a giant serpent to chase you out of the building.

would be rendered for Harry Potter as:

Welcome back Harry! You have 7 hours, 24 minutes before your network access is revoked and we unleash a giant serpent to chase you out of the building.

The Mini Editor - HTML Source Mode
Feature support for the very geeky.
Localization
Live edit and preview by language; bulk localization by language file export and import.

Creating your own Theme
1. Export the theme from the ISE portal and import it into jQuery Mobile ThemeRoller (http://themeroller.jquerymobile.com/?ver=1.3.2)
2. Select jQuery version 1.3.2
3. Make changes, WYSIWYG style
4. Download the theme, import it into the ISE portal and select your new theme

Example Custom Theme: out of the box vs. customized with jQuery Mobile ThemeRoller

Guest Monitoring and Reporting
Hotspot access shows no name in the log; the user is logged in as Guest.
High Density Experience, Centralized WLC Design
Carlos Alcantara, Consulting Systems Engineer
TECEWN-3002

Agenda
• High Density Experience (HDX)
   RF Profiles, HD optimization, best practices
• Centralized WLC design
   Considerations for centralized design
   Selecting the WLC and the WLC image
   Security best practice
   Client mobility considerations
   IPv6 (client and infrastructure)
Designing for High Density Using HDX Features
Why High Density Wi-Fi?
• Wireless is the preferred access technology – and in
many cases the only practical one
• Started with stadiums/arenas but with users carrying
up to 3 devices – High Density is everywhere
• The explosion of smart devices and increasing
connection counts per seat are everywhere
• Application demands are increasing
• Even with advances - wireless is still a shared half-
duplex medium and requires efficient spectrum use to
succeed (decreasing channel utilization is key)
• Expect every wired client on your network to convert
to wireless over the next few years - Design for the
future, not the now!
Review HD Wi-Fi - Best Practices
Solid RF design:
• Constrain RF: directional antennas, down-tilt
• Good RF layout/design: channels, Tx power; enough APs in the right locations; design for 5 GHz
• Eliminate interference: rogues (Wi-Fi) and non-Wi-Fi interference (CleanAir)
Basic tuning:
• Minimize the number of SSIDs
• Disable low data rates: helps with sticky clients, improves capacity
• Band steering: push dual-band clients to 5 GHz
• RF Profiles
Advanced:
• Rx-SOP tuning: greatly improves capacity by reducing co-channel impact; also reduces sticky clients
• Optimized multicast video
• Optimized roaming
• 2700s and 3700s

http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-mobility/density_wireless.html
PoE+ / 802.3at to activate all Rx/Tx chains
• The 2700/3700 require 802.3at power for full functionality
• They back down to 3x3:3 on 802.3af

Downlink data rate comparison (share of traffic at each rate):
Modulation | MCS | Data Rate (Mbps) | Cisco 3700 3x3 | Cisco 3700 4x4
64 QAM     | m7  | 975              | 46%            | 0%
256 QAM    | m8  | 1170             | 49%            | 15%
256 QAM    | m9  | 1300             | 5%             | 85%
HDX RF management may require using RF Profiles
• RF Profiles allow the administrator to tune groups of APs sharing a common coverage zone together, selectively changing how RRM operates the APs within that AP Group.
• RF Profiles work in conjunction with AP Groups.
• RF Profiles are created for either the 2.4 GHz radio or the 5 GHz radio.
• RF Profiles provide administrative control over:
   802.11 data rates
   TPC power threshold and min/max power settings
   DCA
   Coverage hole algorithm settings
   High density (HDX) configuration: Rx-SOP, client limit, multicast data rate
   Client distribution
More granular control of the RF network.

RF Profiles - Configuration
• From the controller GUI select WIRELESS > RF Profiles.
• Select New; this opens the profile creation dialogue. To create a profile, assign a name to the profile and select the band that you wish to create it for.
• Select Apply, and the profile dialogue opens to allow customization of the power parameters.

RF Profiles - Granular Control
• Data rates
• TPC, DCA, coverage hole
• High density, load balancing
Guidelines for Using Channel Bonding
Use 20 MHz channels:
• If using voice only, or the spectrum has lots of radar activity forcing channel changes
• If you have lots of non 11n/ac capable 5 GHz clients (early .11a clients)
• If you have light/medium data requirements
• If you have lots of non 11ac APs already at 20 MHz and no plans to upgrade
Use 40 MHz channels:
• If using interactive or streaming video
• If requirements are for moderate or heavy data usage
Use 80 MHz channels:
• If using a significant number of .11ac capable clients
• If you have lots of .11ac smart phones (1-SS) and need faster throughput
• High definition video streaming or other multimedia rich content applications
• Heavy data usage for high throughput, for example CAD or medical documents

Improper channel widths lead to: high channel utilization, an increased number of retries, a high count of CRC errors, and low client data rates.

One of the real benefits of bonding is spectrum efficiency and overall system capacity. By allowing the clients to send and receive more data in a shorter period of time, the airwaves clear faster for other users and in some cases even battery life on the client device increases as it spends less time in power draining transmit mode.
New in AireOS 8.1: Dynamic Bandwidth Selection (DBS) - Solution
DBS improves the RRM DCA algorithm. The goal of DBS is to:
• Select the widest channel width BUT get the
   Highest client data rates
   Lowest channel utilization per radio
   Minimum data retries / CRC errors
• While avoiding
   Rogue APs
   CleanAir interferers

Dynamic Bandwidth Selection (DBS) - Configuration
DBS is selected as the channel width in the global DCA settings or in an RF Profile. To restart DCA after the change:
config 802.11a channel global restart
Dynamic Frequency Selection (DFS) - Problem
• If a radar pulse is detected on a DFS channel, then that DFS channel is blocked for 30 minutes (the AP cannot operate on that channel).
• The majority of 5 GHz channels require DFS:
  Reg Domain | 20 MHz Channels | DFS Channels
  -A         | 22              | 11
  -E         | 15              | 11
• There are many "radar like" events that may cause false DFS detections due to:
   Client interference
   Misbehaving rogue APs
   Random pulses
New in AireOS 8.1: Flex-DFS Solution
• Uses the CleanAir SAgE chipset to detect DFS events
   Identifies the radar frequency narrowed down to 1 MHz
   Prevents false or off-channel radar alarms
• Integrated with DBS to select the correct channel width
   Radar only affects a 20 MHz channel
   Prevents the additional 20/40 MHz channels from going unused

Example: 80 MHz channel 52/56/60/64, with channel 52 as the primary 20 MHz channel, 56 as the secondary 20 MHz channel and 60/64 as the secondary 40 MHz channels. A radar event on channel 56 blocks only channel 56: the remaining 20 MHz channel (52) and 40 MHz channel (60/64) stay usable instead of the whole 80 MHz block being abandoned.
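What Flex-DFS changes for a bonded channel, as an added example; this is illustration code written for this page, not Cisco's DFS or DBS implementation. It assumes the 5 GHz channel numbering (channels 4 apart, 40 MHz pairs and 80 MHz blocks aligned as 36-48, 52-64, 100-112, ...) and, standing in for DBS, picks the widest width whose channels are all clear.

```python
"""Constructed illustration (not Cisco's algorithm) of what Flex-DFS buys on a
bonded 5 GHz channel: a radar hit is attributed to one 20 MHz channel instead
of the whole bonded set, so the widest still-clear width can be kept rather
than vacating the block for the 30 minute non-occupancy period."""

NON_OCCUPANCY_MINUTES = 30


def channel_sets(primary):
    """20/40/80 MHz channel sets that contain the primary 20 MHz channel.
    5 GHz channels are numbered 4 apart; 40 MHz pairs sit on even indexes and
    80 MHz blocks on multiples of four (36-48, 52-64, 100-112, ...)."""
    idx = (primary - 36) // 4
    pair = primary - 4 * (idx % 2)
    block = primary - 4 * (idx % 4)
    return {20: [primary], 40: [pair, pair + 4], 80: [block + 4 * i for i in range(4)]}


def legacy_dfs_block(primary, width, radar_channel):
    """Pre-8.1 behaviour: radar anywhere in the bonded set blocks every channel in it."""
    chans = channel_sets(primary)[width]
    return set(chans) if radar_channel in chans else set()


def flex_dfs_block(radar_channel):
    """Flex-DFS: CleanAir pins the radar to one 20 MHz channel; only that one is blocked."""
    return {radar_channel}


def widest_clear(primary, blocked, max_width=80):
    """DBS-style choice: widest width whose channels are all clear, keeping the primary.
    Returns None when the primary itself is blocked (the radio must change channel)."""
    sets = channel_sets(primary)
    for width in (80, 40, 20):
        if width <= max_width and not (set(sets[width]) & blocked):
            return width, sets[width]
    return None


def best_in_block(primary, blocked, max_width=80):
    """Let the primary move within its 80 MHz block; return (width, channels, primary)."""
    best = None
    for cand in channel_sets(primary)[80]:
        opt = widest_clear(cand, blocked, max_width)
        if opt and (best is None or opt[0] > best[0]):
            best = (opt[0], opt[1], cand)
    return best


if __name__ == "__main__":
    radar = 56
    print("legacy blocks:", sorted(legacy_dfs_block(52, 80, radar)))
    print("flex-dfs blocks:", sorted(flex_dfs_block(radar)))
    print("keep primary 52:", widest_clear(52, flex_dfs_block(radar)))
    print("best in block:", best_in_block(52, flex_dfs_block(radar)))
```

With the radar on 56, the legacy path leaves nothing usable in the 52-64 block for 30 minutes; with Flex-DFS the radio keeps 52 at 20 MHz, or moves its primary to 60 and keeps 60/64 at 40 MHz.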
New in AireOS 8.1: Wi-Fi Interference Awareness at the AP
• Rogue severity is now added to the ED-RRM metrics
• If a rogue is interfering with the air space:
   Do NOT wait until the DCA cycle
   Change channel immediately
• Same behavior as for a CleanAir interferer
Rx-SOP (Receive Start of Packet) - What is it?
• The Receiver Start of Packet Detection Threshold (Rx-SOP) determines the Wi-Fi signal level in dBm at which an AP radio will demodulate and decode a packet.
• The AP demodulates all 802.11 packets stronger than the Rx-SOP threshold.
• Raising the Rx-SOP threshold:
   Makes the AP's receiver less sensitive
   Shrinks the AP's receive cell size (reduces the AP's coverage area)
   Potentially lowers channel utilization
   Potentially gives the AP more transmit opportunities
   Potentially improves client distribution

WARNING: this setting is a brick wall. If you set it above the level at which your clients are being heard, they will no longer be heard. Really.
Wireless Carrier Sense for High Density
• Virtual carrier sense: NAV (network allocation vector)
   NAV must be 0 for stations to transmit; this prevents collisions
   The NAV value is set to the duration value of every 802.11 packet whose header is demodulated, so the virtual carrier sense range equals the receive range
• Physical carrier sense: CCA (clear channel assessment)
   After the NAV and slot time backoffs, CCA is an instant check for energy in the channel just before transmitting
We can create more Tx opportunities by increasing the Rx-SOP threshold; we can strand clients by increasing the Rx-SOP threshold too high.
Receive Sensitivity Threshold (Rx-SOP)
Without a custom Rx-SOP threshold (default radio sensitivity): the radio demodulates everything that it can, any frame with enough SNR, from -20 dBm down to about -99 dBm.
With a custom Rx-SOP threshold (e.g. -81 dBm): the radio demodulates only frames above the threshold (-20 dBm to -81 dBm are processed); frames whose start of packet is heard below the threshold (-81 dBm to -99 dBm) are ignored.
Rx-SOP Threshold - Configuration
• Settings: High, Medium, Low, Auto
• Auto is the default behavior: Rx-SOP stays at the radio default, which is linked to the CCA threshold
• Most networks can support a LOW setting and see improvement
• Recommended to be applied only through RF Profiles, to prevent coverage issues in non-HDX areas

Rx-SOP thresholds:
802.11 Band | High    | Medium  | Low
5 GHz       | -75 dBm | -78 dBm | -80 dBm
2.4 GHz     | -79 dBm | -82 dBm | -85 dBm
RF Profiles Recommended Values (For Your Reference)
Columns: Typical (Enterprise, default profile) | High Density (Throughput) | Low Density (Coverage, Open Space) | Legacy (RF optimization disabled)

TPC Threshold (global per band; specific RF Profile per band):
  default | -65 dBm (5 GHz), -70 dBm (2.4 GHz) | -60 dBm (5 GHz), -65 dBm (2.4 GHz) | default
TPC Min (global per band; specific RF Profile per band):
  default | 7 dBm | default | default
TPC Max (global per band; specific RF Profile per band):
  default | default | default | default
Rx Sensitivity (Rx-SOP) (global per band, Advanced Rx-SOP; RF Profiles):
  default | Medium | Low | default
Coverage RSSI Threshold (global per band, data and voice RSSI in Coverage; RF Profile):
  default | default | Higher | default
CCA Threshold (global per band, 802.11a only, hidden; RF Profile):
  default | default | default | default
Coverage Client Count (global per band, Coverage Exception; RF Profiles, Coverage Hole Detection):
  default | default | Lower (1-3) | default
Data Rates (global per band, network; RF Profiles):
  12 Mbps mandatory, 9 Mbps supported, 1/2/5.5/6/11 Mbps disabled | 12 Mbps mandatory, 9 Mbps supported, 1/2/5.5/6/11 Mbps disabled | CCK rates enabled, 1/2/5.5/6/9/11/12 Mbps enabled | default
Band Select (per WLAN):
  Enable | Enable | Disable | Enable
SI (CleanAir) (global per band):
  Enable | Enable | Disable | Disable
ED-RRM (global per band, DCA):
  Enable | Enable | Disable | Disable
PDA (global per band, 802.11a/802.11b channel...):
  Enable | Enable | Enable | Enable
Load Balancing (per WLAN):
  Disable | Enable | Disable | Disable
DCA Sensitivity (global per band, DCA; RF Profiles):
  default | High | High | default
Channel (global per band, DCA; RF Profiles):
  default | default | default | default
New in AireOS 8.1: Pre-built RF Profiles
• Client density specific pre-built RF Profiles for the 2.4 GHz and 5 GHz bands, to be used with AP Groups
Air Time QoS - Problem
Traffic classes: Voice, Video, Best Effort, Background
• The RF spectrum is non-deterministic
   APs, clients, interferers and noise cannot be controlled
• For over-the-air QoS the AP needs to know
   The total air time available
   The air time used by clients and APs
   Rogue client traffic patterns (client rates may change depending on many factors such as range, capabilities, etc.)
• To solve this problem
   RF ownership needs to be measured dynamically
   Dynamic measurements allow the QoS strategy to change on the AP for different BSSIDs, clients, access categories and flows as the RF environment changes around us
New in AireOS 8.1 MR1: Air Time Fairness (ATF) - Solution
• 8.1 MR1 Air Time Fairness
   Allocation is applied per SSID
   Applies to downstream only
   Can be configured in the WLC GUI/CLI and in PI
• ATF modes
   Disable
   Monitor mode
   Enforce-policy mode
• Can be applied to all APs on a network, to an AP Group, or to a single AP
• Supported on:
   AP1260, 1570, 1700, 2600, 2700, 3500, 3600, 3700
   Local and FlexConnect mode
ATF Monitor Mode
• Framework behind ATF, allows the user to view the airtime
• Report the Air Time usage for all the AP transmissions
• Reports can be viewed
• Per SSID/WLAN
• Per AP Group
• Per AP

• Report the Air Time at periodic intervals


• Block ACKs are not reported
• No Enforcement as part of Monitor Mode
ATF Enforce-Policy Mode
• Enforcement of air time based on the configured policy
• Air time can be enforced on a WLAN
   Across all APs connected within a WLC's network
   Per AP Group
   On an individual AP
• An AP can have multiple WLANs with multiple policies (1:16)
   Strict enforcement per WLAN: the air time used by the WLANs on a radio is strictly enforced up to the limits configured in the policies
   Optimal enforcement per WLAN: unused air time from other SSIDs is shared
ATF - Configuration
• Step 1: Configure monitor mode. Select the AP, AP Group, or entire network; select 2.4 GHz or 5 GHz; view the APs and radios that are configured.
• ATF monitoring stats: shows the ATF statistics per WLAN per AP (by AP name) with the percentage of air time used.
• Step 2: Create policies. Select a policy name and weight; view all of the created policies.
• Step 3: Apply policies to an AP, AP Group, or WLAN. Select the AP, AP Group, or entire network; select 2.4 GHz or 5 GHz; select the WLAN to apply the policy to; select the policy for the WLAN.
• Step 4: Select optimization. Optimized allows sharing between SSIDs.
• Step 5: Periodically check the ATF statistics.
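Strict versus optimal enforcement as an added worked example, not Cisco's scheduler. It assumes that a WLAN's guaranteed share of a radio's downstream air time is its policy weight divided by the sum of the weights applied to that radio, and that optimal mode hands the share a WLAN leaves unused to the WLANs that still want more, in proportion to their weights. The weights and offered loads are constructed.

```python
"""Constructed model (not Cisco's scheduler) of the two ATF enforcement modes.
Each WLAN carries a policy weight; its guaranteed share of downstream air time
on a radio is weight / sum(weights on that radio). Strict enforcement caps
every WLAN at its share; optimal enforcement lets WLANs that want more borrow
the air time the others leave unused."""


def atf_allocate(weights, demand, mode="strict"):
    """Return {wlan: percent of air time granted}.

    weights: {wlan: policy weight}; demand: {wlan: percent of air time it would use}.
    """
    total_w = float(sum(weights.values()))
    grant = {w: min(demand.get(w, 0.0), 100.0 * weights[w] / total_w) for w in weights}
    if mode == "strict":
        return grant
    if mode != "optimal":
        raise ValueError("mode must be 'strict' or 'optimal'")
    # Water-fill: hand spare air time to still-hungry WLANs in proportion to weight.
    # Each round either uses all the spare time or satisfies at least one WLAN,
    # so len(weights) rounds always suffice.
    for _ in range(len(weights)):
        spare = 100.0 - sum(grant.values())
        hungry = {w: weights[w] for w in weights if demand.get(w, 0.0) - grant[w] > 1e-9}
        if spare <= 1e-9 or not hungry:
            break
        hungry_w = float(sum(hungry.values()))
        for w, wt in hungry.items():
            grant[w] += min(spare * wt / hungry_w, demand[w] - grant[w])
    return grant


def radio_summary(weights, demand):
    """Side-by-side strict vs optimal grants, rounded to 0.1 %."""
    strict = atf_allocate(weights, demand, "strict")
    optimal = atf_allocate(weights, demand, "optimal")
    return {w: (round(strict[w], 1), round(optimal[w], 1)) for w in weights}


# Constructed example: three SSIDs on one radio, one policy each, plus the
# downstream air time each would consume if unconstrained.
POLICIES = {"corp": 60, "guest": 20, "iot": 20}
OFFERED_LOAD = {"corp": 80.0, "guest": 10.0, "iot": 30.0}

if __name__ == "__main__":
    for w, (s, o) in radio_summary(POLICIES, OFFERED_LOAD).items():
        print(f"{w:6s} strict={s:5.1f}%  optimal={o:5.1f}%")
```

In the example the guest SSID only wants 10 % of its 20 % share; strict mode leaves that 10 % idle, optimal mode splits it 3:1 between corp and iot according to their weights. Either way the guest SSID can never exceed its own share, which is the property you want when a guest WLAN is used to exhaust the radio.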
Case Study: HDX Retail Store Design - Key Steps
• RF design and AP placement based on a site survey in a prototype store
• The site survey showed that directional antennas delivered an additional 20 dB of co-channel interference (CCI) isolation at floor (client) level
• Most directional antennas pointed straight down
• One AP/antenna pointed out front to cover the kiosk area outside the store
• RF Profiles used for 3 areas (front of house, back of house and the kiosk in front of the store)
• Standard high density WLC configuration (lower data rates turned off, etc.)
• After installation:
   Used PI and the WLC Config Analyzer to assess co-channel interference
   Used PI reports to determine the signal strength at which the weakest clients were heard, to ensure no clients would be stranded
   Adjusted Rx-SOP to -75 dBm (High)
   Extensive client testing after the adjustments

Case Study: HDX Retail Store Design
9 APs in ~5,000 sq ft, using directional antennas. Note that channel utilization before tuning Rx-SOP was high on 2.4 GHz.

Channel utilization after setting Rx-SOP to -75 dBm: note the reduction in co-channel utilization achieved by raising the Rx-SOP threshold. The RSSI at which the APs heard the clients was well understood before increasing Rx-SOP, and extensive testing was done afterwards to make sure there were no stranded client issues.
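The two checks from the case study and the threshold table above, as an added example (not a Cisco tool): how many of the frames a radio hears a given Rx-SOP setting would ignore, and which clients would be stranded because their strongest-AP RSSI falls below the threshold plus a safety margin. The thresholds are the slide values; the client and frame RSSI lists are constructed, not measured, and stand in for a Prime Infrastructure client report.

```python
"""Constructed Rx-SOP sanity check (example code, not a Cisco tool). The
threshold table is the one on the slides; the stranded-client check is the
step from the retail case study: know the RSSI at which each client is heard
by its best AP before raising Rx-SOP, because a client below the threshold is
simply no longer heard."""

# Rx-SOP thresholds in dBm per band and setting (RF Profile settings).
RX_SOP_THRESHOLDS = {
    "5GHz": {"high": -75, "medium": -78, "low": -80},
    "2.4GHz": {"high": -79, "medium": -82, "low": -85},
}


def threshold(band, setting):
    """'auto' means the radio default, i.e. no custom threshold."""
    if setting == "auto":
        return None
    return RX_SOP_THRESHOLDS[band][setting]


def classify_frames(frame_rssi, band, setting):
    """(processed, ignored) frame counts at the start-of-packet threshold."""
    thr = threshold(band, setting)
    processed = sum(1 for r in frame_rssi if thr is None or r >= thr)
    return processed, len(frame_rssi) - processed


def stranded_clients(client_rssi, band, setting, margin_db=5):
    """Clients heard below threshold + margin would be cut off by this setting."""
    thr = threshold(band, setting)
    if thr is None:
        return []
    return sorted(c for c, rssi in client_rssi.items() if rssi < thr + margin_db)


def recommend_setting(client_rssi, band, margin_db=5):
    """Most aggressive setting (high -> medium -> low) that strands nobody, else auto."""
    for setting in ("high", "medium", "low"):
        if not stranded_clients(client_rssi, band, setting, margin_db):
            return setting
    return "auto"


# Constructed sample: strongest-AP RSSI per client MAC, as a PI report would list it.
SAMPLE_CLIENTS = {"a4:5e:60:00:00:01": -62, "a4:5e:60:00:00:02": -66,
                  "f0:d1:a9:00:00:03": -70, "3c:07:54:00:00:04": -73}
# Constructed sample of frame RSSIs heard on one radio (co-channel neighbours included).
SAMPLE_FRAMES = [-55, -60, -64, -68, -72, -77, -81, -85, -88, -90]

if __name__ == "__main__":
    for s in ("auto", "low", "medium", "high"):
        print(s, classify_frames(SAMPLE_FRAMES, "5GHz", s),
              stranded_clients(SAMPLE_CLIENTS, "5GHz", s))
    print("recommended 5 GHz setting:", recommend_setting(SAMPLE_CLIENTS, "5GHz"))
```

The margin is the part people skip: a client reported at -73 dBm today will be heard at -76 dBm when someone stands in front of it, so a High (-75 dBm) setting that looks safe on the report strands it. Put the check in an RF Profile scoped to the high-density area, as the slides recommend, rather than in the global band setting.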
Config Analyzer for RF Analysis

Analyze & Mitigate

https://supportforums.cisco.com/document/7711/wlc-config-analyzer
MetaGeek Chanalyzer connecting to CleanAir AP
Campus WLAN Design using a Centralized Controller Model

Unified Access: Wireless Deployment Options
Cisco Unified Access: 1 architecture, many deployment modes, managed by Prime and ISE across the Intranet and WAN.

Mobility Express:
• Small autonomous networks, low IT footprint
• Mobility Express functionality; 11ac: 1850
• Aironet access points supported: 11ac APs, Gen 2 11n APs
FlexConnect:
• Data center hosted controller; distributed enterprises; SP hotspots
• Controllers: 85xx / 7510 / vWLC
• Aironet access points supported: 11ac APs, Gen 2 11n APs
Centralized:
• Premise-based controller; traditional overlay model; highly scalable
• Controllers: 85xx / 5760 / 55xx / WiSM2 / 2504 / vWLC
• Aironet access points supported: 11ac APs, Gen 2 11n APs
Converged:
• Simplified branch; consistent wired/wireless
• Controllers: integrated, or 5760 as external MC
• Aironet access points supported: 11ac APs, Gen 2 11n APs

Evolve your network between deployment modes without network changes for: IPv6, VLANs, best-in-class L7 visibility with NBAR, flexible mode conversion, RF excellence.
Cisco Unified Wireless Principles
• Components
   Wireless LAN controllers (WLC)
   Aironet access points (AP)
   Management: Prime Infrastructure (PI)
   Mobility Services Engine (MSE)
• Principles
   The AP must have CAPWAP connectivity with the WLC across the campus network
   The configuration is downloaded to the AP by the WLC
   All Wi-Fi traffic is forwarded to the WLC
Centralized Wireless LAN Architecture
What Is CAPWAP?
• CAPWAP (Control and Provisioning of Wireless Access Points) is used between the APs and the WLAN controller; it is defined in IETF RFC 5415/5416 and derived from LWAPP.
• CAPWAP carries control and data traffic between the WLC and the AP:
   Control plane: DTLS encrypted, UDP 5246
   Data plane: optional DTLS encryption, UDP 5247
   Robust path MTU discovery / monitoring
   CAPWAP fragmentation / reassembly
The Wi-Fi client's traffic towards the business application travels from the access point to the controller inside the CAPWAP data plane; the control plane runs between the access point and the controller. Note that without DTLS data encryption the client's frames cross the wired network in the clear inside the CAPWAP data tunnel, protected only by whatever the client itself encrypts.
Centralized WLC deployment strengths
• Seamless L3 roaming support
• Assisted roaming (802.11k), client load balancing
• Easy to manage wireless subnets and VLANs
• Easy to add IP addresses to an SSID (VLAN Select)
• Clearly identified wireless insertion point
• Advanced access control: dynamic ACLs, QoS, AVC, TrustSec, RADIUS CoA
• Services gateway support: Bonjour mDNS caching and policy
• Client optimizations to conserve Wi-Fi spectrum: IPv6 optimizations
• High density optimizations
• IP multicast optimization / Media Stream / stadium features
• Advanced client features: passive client, sleeping client timer
• Simplified troubleshooting
• Well suited for a large campus
Which Controller?
• Architecture support
   Converged Access
   FlexConnect
   Centralized
•	Capacity
   Number of APs
   Number of clients
   Throughput
• Access point models supported
• Features supported
WLAN Controller Portfolio

  Model       2504     5508     WiSM2     5520 (new)   8510     8540 (new)
  APs         75       500      1000      1500         6000     6000
  Clients     1000     7000     15000     20000        64000    64000
  Throughput  1 Gbps   8 Gbps   20 Gbps   20 Gbps      10 Gbps  40 Gbps

Target segments, from left to right: small to midsize business and branch; midsize to large enterprise; large enterprise and large branch; large enterprise and service providers.
5520 and 8540 Wireless LAN Controllers (both new)

                      5520 WLAN Controller                      8540 WLAN Controller
  Access points       1,500                                     6,000
  AP groups           1,500                                     2,000
  FlexConnect groups  1,500 (100 Flex APs per group)            100 (100 Flex APs per group)
  Clients             20,000                                    64,000
  AVC flows           320,000                                   320,000
  Deployment modes    Centralized, FlexConnect and Mesh         Centralized, FlexConnect and Mesh
  Form factor         1 RU                                      2 RU
  I/O interfaces      Dual 1G or 10G ports with LAG             Four 1G or 10G ports with LAG
  Power               AC, optional redundant power supply       AC or DC
  Redundancy          Solid state drives                        Dual power supply, solid state drive with RAID
  Product warranty    3 years                                   3 years

Minimum software versions: WLC 8.1, Prime Infrastructure 2.2.2, CMX 10.1, ISE 1.3
5520/8540 Software Capabilities
• AP support: the AP models supported on 8.1; all AP modes (Local, FlexConnect, Bridge, Flex+Bridge)
• Image version: release 8.1 and later
• Guest anchor and IRCM: guest anchor supported, 71 anchor tunnels; 8.1 IRCM with 7.6, 8.0 and 7.4.130.0
• MC and New Mobility: no support for the MC (mobility controller) function; New Mobility supported; IRCM with IOS-XE 3.7 Converged Access controllers
• TrustSec: SXP supported; SGACLs and MACsec not supported
• Features not supported: local authentication, internal DHCP server, wired guest
Connecting a 5520/8540 SSO Pair to the Wired Network
[Figure: for both the 5520 pair and the 8540 pair, the active WLC and the standby WLC each connect with a Layer 2 trunk port-channel (Po1, Po2) to a Catalyst VSS pair; Po1 and Po2 carry the same configuration]
• Configure Po1 and Po2 identically on the VSS pair
• Spread the links of each port-channel across the two physical VSS switches so that the failure of one switch does not trigger a WLC switchover
CUWN Release – Key WLC Features

CUWN 8.0 (Aug CY14); interop: CMX 8.0, ISE 1.3, PI 2.1
• Native IPv6 (centralized mode only)
• Bonjour filter per location, AAA override (per user)
• AVC and Bonjour policies with the WLC Policy Classification Engine
• HD Experience phase 1 (Rx-SOP, Optimized Roaming, ClientLink 3.0, CleanAir 80 MHz, TurboAgg)
• VideoStream for FlexConnect
• Mesh support for FlexConnect
• AP1600 CleanAir Express
• PMIPv6 MAG on AP
• FIPS, CC, UCAPL, USGv6
• Added in 8.0 MR1: AP 1570 11ac outdoor AP; World Regulatory Domain; iBeacon/BLE visibility and security (CleanAir plus MSE location integration, MSE 10.x required)

CUWN 8.0 MR (Dec CY14); interop: CMX 8.0, ISE 1.3, PI 2.1
• AP 1570 11ac outdoor AP
• iBeacon/BLE visibility and security
• World Regulatory Domain
• HA WLC SKU monitoring
• Guest anchor redundancy

CUWN 8.1 (May CY15); interop: CMX 10.1, ISE 1.3, PI 3.0
• 5520 and 8540 series controllers
• WLAN Express with best practices on all controllers
• SSO-aware Microsoft Lync SDN 2.0
• Mobility Express
• Mobile app
• KVM support for vWLC
• TrustSec SXP on 8510, 5520, 8540
• HDX phase 2 (DBS, FlexDFS, improved Wi-Fi awareness, Wi-Fi event driven RRM, Optimized Roaming v2)
• Mesh convergence
• EoGRE tunneling on AP and WLC
• FlexConnect AVC, AAA override

CUWN 8.1 MR (Aug CY15); interop: CMX 10.2, ISE 1.3, PI 3.0
• Hyperlocation module
• Airtime Fairness (ATF)
• Access Point 1850
Where to Place the Controllers – Distributed
• Each building has its own WLC
• Each building can have its own mobility group
• Wireless insertion at the distribution layer
• Several wireless VLANs distributed across the campus
[Figure: a WLC at the distribution layer of each building, L3 links to the campus core, data center behind the core]
Considerations: HA, traffic flow, roaming efficiency, controller cost
Where to Place the Controllers – Centralized
• Concept of a Wireless Service Block
• Clearly identified wireless insertion points
• No wireless VLANs spread through the campus
• Better performance with L2 mobility between the controllers
[Figure: APs in Building 1 and Building 2 reach the WLCs over CAPWAP across the L3 core; the WLCs sit in a Wireless Service Block attached at L2 to the data center switches]
Considerations: traffic flow and controller sizing
IRCM and Guest Anchor – EoIP
[Figure: a mobility group containing AireOS foreign controllers (5508, 8510, 7510, WiSM2, 2504) and 5520/8540 foreign controllers; EoIP mobility tunnels run between the foreign controllers, and an EoIP guest anchor (GA) tunnel runs from each foreign controller to the 5520/8540 guest anchor in the DMZ]
IRCM and Guest Anchor – CAPWAP (New Mobility)
[Figure: a mobility group containing a 5760 foreign controller, 3850/3650 foreign controllers and 5520/8540/5508/7510/8510/WiSM2/2504 foreign controllers; CAPWAP mobility tunnels run between the foreign controllers, and a CAPWAP guest anchor (GA) tunnel runs from each foreign controller to the 5520/8540 guest anchor in the DMZ]
Central Switched Client Traffic Optimizations
Central switched – the WLC manages the egress VLAN
[Figure: the AP reaches the WLC over a CAPWAP tunnel across L3 connectivity; the WLC attaches to the wired network with 802.1Q trunks carrying the management VLAN, the data VLAN and the voice VLAN]
Plug the AP in anywhere; the WLC determines the egress VLAN. Options for mapping a client to a VLAN:
• WLAN mapped to an interface (VLAN) per WLC
• WLAN mapped to an interface (VLAN) per AP group
• WLAN mapped to an interface group (VLAN pooling / VLAN Select)
• WLAN mapped to an interface group per AP group
• Client mapped to an interface by policy via an 802.1X RADIUS VSA (WLAN AAA override)
• Client mapped to an interface group by policy via an 802.1X RADIUS VSA
• Client mapped to a VLAN by advanced policy via CoA (change of authorization)
• VLAN assigned by WLC local policy
• Home VLAN for static-IP clients
• IP address pool based on location (DHCP option 82)
AP Groups Mapping to Interface / Interface Group
[Figure: AP Group 1 and AP Group 2 each mapping the same WLAN to a different interface]
Any given WLAN can be mapped to different dynamic interfaces or interface groups in different AP groups.
WLAN AAA Override
• When AAA override is not enabled on a WLAN, clients are mapped to the WLAN's VLAN, or to one VLAN from its interface group
• When AAA override is enabled, clients are mapped to the interface returned by the RADIUS server in a VSA; the VLAN returned by RADIUS takes precedence over the WLAN and AP-group mapping
VLAN Select / Interface Groups Review
[Figure: one interface group containing VLAN1, VLAN2, VLAN3 and VLAN4, all reachable from the network]
• Map a WLAN to multiple VLANs
• Select the client's VLAN based on DHCP address pool availability
• If a VLAN's DHCP address space is exhausted, mark the VLAN "dirty" and move to the next
• This is based on IPv4 DHCP only
VLAN Select
• Maximum of 64 interfaces in an interface group
• An interface (VLAN) can belong to many interface groups
• Interfaces can be added to an interface group dynamically
• VLAN Select uses a hashing algorithm that derives an index from the client MAC address and the number of interfaces in the interface group
• When the hashing algorithm returns the same index, the client is assigned to the same interface, so a returning client lands on the same VLAN
• If all IP addresses in that interface's pool are allocated, the WLC returns a different index and the client is assigned to an interface in round-robin fashion
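The assignment rules above are easier to reason about when run against a few clients. The model below is an added example and not the WLC's code: the slide gives the behaviour (hash of the client MAC against the interface count, same index means same interface, a "dirty" VLAN on DHCP exhaustion, then round-robin), while the concrete hash function, the round-robin cursor and the stand-in DHCP pools are assumptions made for the demo.

```python
"""VLAN Select client-to-interface assignment, as an added example.

This is not the WLC's code. The deck states the behaviour (hash of the
client MAC against the interface count, same index means same interface,
a "dirty" VLAN on DHCP exhaustion, then round-robin); the hash function,
the dirty-VLAN handling and the round-robin cursor below are assumptions.
"""
import hashlib


class DhcpPool:
    """Constructed stand-in for one VLAN's IPv4 DHCP scope."""

    def __init__(self, vlan_id: int, free_leases: int):
        self.vlan_id = vlan_id
        self.free_leases = free_leases
        self.dirty = False          # set when the scope could not hand out a lease

    def lease(self) -> bool:
        if self.free_leases == 0:
            self.dirty = True
            return False
        self.free_leases -= 1
        return True


class InterfaceGroup:
    MAX_INTERFACES = 64             # limit stated in the deck

    def __init__(self, name: str, pools):
        if not 1 <= len(pools) <= self.MAX_INTERFACES:
            raise ValueError("an interface group holds 1..64 interfaces")
        self.name = name
        self.pools = list(pools)
        self._rr = 0                # round-robin cursor for dirty fallbacks (assumption)

    def hash_index(self, mac: str) -> int:
        """Assumed hash: SHA-256 of the normalised MAC modulo the interface count."""
        key = mac.lower().replace("-", ":").encode()
        return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(self.pools)

    def assign(self, mac: str) -> int:
        """Return the VLAN id for the client, or raise when every VLAN is dirty."""
        idx = self.hash_index(mac)
        if not self.pools[idx].dirty and self.pools[idx].lease():
            return self.pools[idx].vlan_id
        # Hashed VLAN is exhausted: try the other interfaces round-robin.
        for _ in range(len(self.pools)):
            self._rr = (self._rr + 1) % len(self.pools)
            pool = self.pools[self._rr]
            if self._rr != idx and not pool.dirty and pool.lease():
                return pool.vlan_id
        raise RuntimeError(f"all VLANs in interface group {self.name} are dirty")


# Constructed demo: two VLANs with one free lease each; whichever VLAN the
# first client hashes to, the second client ends up on the other one.
if __name__ == "__main__":
    group = InterfaceGroup("employees", [DhcpPool(10, 1), DhcpPool(20, 1)])
    for mac in ("40:6c:8f:23:0f:cd", "40:6c:8f:23:0f:cc"):
        print(mac, "->", group.assign(mac))
```

A real controller retries a dirty VLAN later; the demo never clears the flag, which keeps the exhaustion case visible: once every pool in the group is dirty the third client gets no VLAN at all, which is the failure mode to size pools against.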
VLAN Select IP Multicast Optimization
• VLAN Select can create duplicate multicast packets: as many copies as there are VLANs in the interface group
• Use the multicast VLAN setting to choose one VLAN as the source of all multicast for the interface group
• On the network side each client's own VLAN is still used for its unicast traffic
[Figure: interface group with VLAN1, VLAN2 (mcast_vlan), VLAN3 and VLAN4]
Broadcast Suppression
[Figure: a frame with DA=FFFF:FFFF:FFFF arriving at the WLC is not forwarded through the CAPWAP tunnel to the AP]
• Default behavior: the WLC blocks broadcast and multicast toward wireless clients
• Default behavior: the WLC acts as an ARP proxy, answering ARP requests on behalf of wireless clients from its client table (proxy ARP)
• Conserves air time
• Potentially allows the use of larger subnets
Media Stream for IPv4 or IPv6 Clients (VideoStream)
[Figure: multicast stream A enters the WLC from the Ethernet VLAN as IPv4 or IPv6, is carried in the CAPWAP tunnel to the AP, and the AP delivers it as 802.11 unicast to the members of multicast group A]
• Media Stream supports multicast-to-unicast conversion for IPv4 and IPv6 clients
• The multicast-to-unicast conversion occurs at the access point for efficiency and scalability
Client Management Features with Central Switching
Load Balancing Based on Client Count
• New clients are steered to the AP with the lightest load (client count)
• Load balancing parameters are defined globally or per RF profile and enabled per WLAN
• Two parameters drive the decision: window size and denial count
• A client steered away receives an 802.11 association response with status code 17 (AP unable to handle additional associated stations)
• The client keeps receiving status code 17 for each association attempt to that AP until the denial count is reached; it is then admitted and a log entry is created
Passive Client Support
[Figure: AP and controller]
• Problem:
  • Passive devices disappear from the network, for example Zebra printers, Hobart scales, medical devices
  • They do not send packets for long periods and time out of the network
  • They do not support DHCP and use static IPs
  • The network has no information about the presence of passive devices
• Solution:
  • The Passive Client feature allows ARP requests and ARP responses to be exchanged between the wired and wireless side on a per VLAN / WLAN basis, so that a wired-side ARP request reaches the passive device and its response lets the WLC learn its IP address
Per WLAN Idle Timeout with Idle Threshold
• Removes the client session from the WLC after a fixed duration when the client's traffic stays below a defined threshold
• Unlike the plain idle timeout, which only removes clients that are completely quiet or powered off, this also catches clients that send a trickle of traffic
Sleeping Client Support for L3 Authentication (Web Auth and Pass-through)
• Problem: to conserve power, devices shut down the Wi-Fi radio when they sleep; this requires re-authentication on the web portal when they wake up
• Solution: after a successful authentication the WLC stores the client's credentials and re-authenticates the client when it wakes up
• On expiry of the sleep timer the stored client credentials are deleted, so the timer bounds how long the credentials are cached on the controller
• Supported for Local as well as FlexConnect modes
Example entries in the sleeping client cache:

  Client MAC address   Username   Password   Time
  40:6c:8f:23:0f:cd    jeff       blahblah   5 mins
  40:6c:8f:23:0f:cc    karan      Blahblah   10 mins
Roaming with Central
switched WLAN
Mobility Defined
• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving location in the
networked environment
• Roaming occurs when a wireless client moves association from one AP
and re-associates to another, typically because it’s mobile!
• Mobility presents new challenges:
• Need to scale the architecture to support client roaming—roaming can occur
intra-controller and inter-controller
• Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
• A mobility group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the CAPWAP join process
• Support for up to 24 controllers, 144000 APs per mobility group
• Mobility messages are exchanged between controllers
• Data is tunneled between controllers in EtherIP (RFC 3378)
• Release 7.6 adds the option of using EoIP or CAPWAP tunnels between controllers
[Figure: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02) and Controller-C (AA:AA:AA:AA:AA:03), all in mobility group MyMobilityGroup, each listing the other two as mobility group neighbors; Ethernet-in-IP tunnels and mobility messages run between them]
Scaling the Architecture with Mobility Groups
• One WLC network forms one mobility domain of up to 72 WLCs (8.0)
• A mobility domain is made of mobility groups of up to 24 WLCs each (8.0)
• The mobility groups within a domain may run 7.4, 7.6 or 8.0; with Inter Release Controller Mobility (IRCM), roaming is supported between 7.4, 7.6 and 8.0
[Figure: one WLC network containing a mobility domain that spans a 7.4 mobility group, a 7.6 mobility group and an 8.0 mobility group]
How Long Does an STA Roam Take?
• Time it takes for:
• Client to disassociate +
• Probe for and select a new AP +
• 802.11 Association +
• 802.1X/EAP Authentication +
• Rekeying +
• IP address (re) acquisition
• All this can be on the order of seconds… Can we make this faster?
Roaming Requirements
• Roaming must be fast. Latency can be introduced by:
  • Client channel scanning and AP selection algorithms
  • Re-authentication of the client device and re-keying
  • Refreshing of the IP address
• Roaming must maintain security
  • Open authentication, static WEP: the session simply continues on the new AP (and offered no real protection to begin with)
  • WPA/WPA2-Personal: a new session key for encryption is derived via the standard 4-way handshake
  • 802.1X, 802.11i, WPA/WPA2-Enterprise: the client must be re-authenticated and a new session key derived for encryption
How Are We Going to Make Roaming Faster?
Focus on where we can have the biggest impact:
• Eliminating the IP address (re)acquisition challenge
• Eliminating the full 802.1X/EAP re-authentication
[Figure: a client performs (1) the initial 802.1X authentication transaction against a Cisco AAA server (ACS or ISE) across the WAN while on AP1, then (2) a full 802.1X re-authentication after roaming to AP2]
L3 Client Roaming Intra-Controller
[Figure: a client roams from AP1 (default egress VLAN X) to AP2 (default egress VLAN Z) on the same WLC; the pre-roaming data path through AP1 moves to AP2 while the WLC client database keeps the client on VLAN X]
• No IP address refresh is needed: the client keeps its entry in the WLC client database and stays on its original VLAN
L2 Inter-Controller Roaming
[Figure: WLC-1 and WLC-2 both serve VLAN X; the client roams from an AP on WLC-1 to an AP on WLC-2; the client data (MAC, IP, QoS, security) moves from the WLC-1 client database to the WLC-2 client database through a mobility message exchange, and the data path moves to WLC-2]
• WLC-2 creates a client database entry with the new AP and the appropriate security context
• No IP address refresh is needed, since both controllers attach the WLAN to the same VLAN
L3 Inter-Controller Roaming
[Figure: WLC-1 attaches the WLAN to VLAN X, WLC-2 to VLAN Z; the client roams from an AP on WLC-1 to an AP on WLC-2; the client data (MAC, IP, QoS, security) is copied from WLC-1 to WLC-2 through a mobility message exchange]
• WLC-1 becomes the anchor controller and WLC-2 the foreign controller
• Client traffic is tunneled from the foreign controller back to the anchor in the controller data tunnel, so the client keeps its IP address on VLAN X
VLAN Select Layer 3 Inter-WLC Roaming
[Figure: WLC-1 serves Interface Group-1 (VLAN 1, VLAN 2, VLAN 3) and WLC-2 serves Interface Group-2 (VLAN 1, VLAN 4, VLAN 5), separated by Layer 3; the client data (MAC, IP, QoS, security) is exchanged in mobility messages when the client roams to an AP on WLC-2]
Case 1: the client is on VLAN 1, which also exists in Interface Group-2
• The VLAN information is sent to WLC-2, and WLC-2 becomes the anchor for that client; no controller data tunnel is needed
Case 2: the client is on VLAN 2, which does not exist in Interface Group-2
• The VLAN information is sent to WLC-2, and because the VLAN is missing there a controller data tunnel is created between WLC-2 (foreign) and WLC-1 (anchor), as in ordinary L3 inter-controller roaming
Cisco Centralized Key Management (CCKM)
• Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially in application specific devices (ASDs)
• CCKM was ported to the CUWN architecture in the 3.2 release
• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range
• CCKM is most widely implemented in ASDs, especially VoWLAN devices
• To work across WLCs, the WLCs must be in the same mobility group
• CCX-based laptops may not fully support CCKM; it depends on supplicant capabilities
• CCKM is Cisco proprietary; its standards-based successor is 802.11r Fast BSS Transition, described next
802.11r Introduction
• IEEE standard for fast roaming (Fast BSS Transition, FT), the standards-based alternative to CCKM and OKC
• Introduces a new concept of roaming in which the key handshake with the new AP is done before the client roams to the target AP
• That initial handshake allows the client and the APs to calculate the PTK in advance, reducing roaming time
• The pre-computed PTK is applied on the client and the AP once the client completes the reassociation request / response exchange with the new target AP
• 802.11r provides two ways of roaming:
   Over-the-Air: the client exchanges FT authentication frames directly with the target AP
   Over-the-DS (Distribution System): the client sends an FT action frame through its current AP, which relays it to the target AP
• The FT key hierarchy is designed to let the client make fast BSS transitions between APs without re-authenticating at every AP: a PMK-R0 is derived once from the 802.1X or PSK master key and held by the R0 key holder (the WLC), a distinct PMK-R1 is derived from it for each AP (R1 key holder), and the PTK for each roam is derived from that AP's PMK-R1
• The WLAN configuration gains a new AKM type called FT (Fast Transition)
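The key hierarchy is what makes the pre-roam handshake safe: the controller keeps PMK-R0, each AP only ever holds its own PMK-R1, and the PTK is bound to both nonces and both MAC addresses. The block below is an added worked example, not Cisco code; it implements the derivation functions from IEEE 802.11r (KDF-256/384 over HMAC-SHA-256) and runs them for one WLC and two APs. The SSID, mobility domain ID, key holder identifiers, nonces and passphrase are constructed demo values.

```python
"""802.11r Fast BSS Transition key hierarchy, as an added worked example.

This is not Cisco code; it follows the derivation functions in IEEE
802.11r (KDF-256/384 over HMAC-SHA-256) so that the PMK-R0 / PMK-R1 /
PTK relationship described above can be seen end to end. The SSID, MDID,
key holder identifiers, nonces and PSK are constructed demo values.
"""
import hashlib
import hmac
import struct


def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """IEEE 802.11 KDF-Hash-Length: HMAC-SHA-256 in counter mode.
    The counter i and Length are encoded as 16-bit little-endian integers."""
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def derive_pmk_r0(xxkey: bytes, ssid: bytes, mdid: bytes, r0kh_id: bytes, s0kh_id: bytes):
    """PMK-R0 lives on the R0 key holder (the WLC). XXKey is the PSK for FT-PSK,
    or the second 256 bits of the MSK for FT-802.1X."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", ctx, 384)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmk_r0_name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]
    return pmk_r0, pmk_r0_name


def derive_pmk_r1(pmk_r0: bytes, pmk_r0_name: bytes, r1kh_id: bytes, s1kh_id: bytes):
    """One PMK-R1 per AP (R1 key holder); an AP never sees PMK-R0 or another AP's PMK-R1."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    pmk_r1_name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, pmk_r1_name


def derive_ptk(pmk_r1, pmk_r1_name, snonce, anonce, bssid, sta_addr, tk_len=16):
    """PTK for the target AP, computed during the FT handshake before reassociation."""
    ctx = snonce + anonce + bssid + sta_addr
    ptk = kdf_sha256(pmk_r1, b"FT-PTK", ctx, (32 + tk_len) * 8)
    ptk_name = hashlib.sha256(pmk_r1_name + b"FT-PTKN" + ctx).digest()[:16]
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:], "PTKName": ptk_name}


def fast_transition_demo() -> dict:
    """Constructed FT-PSK scenario: one WLC (R0KH) and two APs (R1KHs)."""
    psk = hashlib.sha256(b"demo passphrase, not a real key").digest()   # stands in for the PSK
    ssid, mdid = b"corp-ft", b"\xa1\xb2"
    r0kh_id = b"wlc-1.example.net"                      # R0KH-ID, demo value
    sta = bytes.fromhex("406c8f230fcd")                 # S0KH-ID / S1KH-ID = client MAC
    pmk_r0, pmk_r0_name = derive_pmk_r0(psk, ssid, mdid, r0kh_id, sta)
    snonce, anonce = b"\x11" * 32, b"\x22" * 32         # fixed for reproducibility
    result = {"pmk_r0": pmk_r0, "pmk_r0_name": pmk_r0_name}
    for ap, bssid_hex in (("ap1", "001122aabb01"), ("ap2", "001122aabb02")):
        bssid = bytes.fromhex(bssid_hex)                # R1KH-ID = AP BSSID, demo value
        pmk_r1, pmk_r1_name = derive_pmk_r1(pmk_r0, pmk_r0_name, bssid, sta)
        result[ap] = {"pmk_r1": pmk_r1, "pmk_r1_name": pmk_r1_name,
                      "ptk": derive_ptk(pmk_r1, pmk_r1_name, snonce, anonce, bssid, sta)}
    return result
```

Run fast_transition_demo() and compare the two APs: the same PMK-R0 yields different PMK-R1 values and therefore different PTKs, which is why compromising one AP's key material does not expose the keys used at its neighbours. The PMKR0Name and PMKR1Name values are what the client quotes in its FT reassociation so the AP can look up the right key without a new EAP exchange.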
802.11r – Configuration
• Legacy clients may not associate with a WLAN that has 802.11r enabled alongside 802.11i. If the driver or supplicant that parses the Robust Security Network Information Element (RSN IE, element ID 48) is old and is confused by the additional AKM (Authentication and Key Management) suites advertised in the IE, it will not attempt to start the association process
• Due to this limitation, legacy clients cannot send association requests to WLANs with an FT-PSK or FT-802.1X configuration
• These legacy clients can still associate with non-802.11r WLANs
• The recommendation is therefore to create new, separate WLANs with unique SSIDs: one for the 802.11r FT-PSK clients and another for the 802.11r FT-802.1X clients, leaving the existing WLAN for legacy clients
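Before rolling out FT it is worth checking what the beacons actually advertise. The parser below is an added example, not Cisco code: given the RSN IE (element 48) and, when present, the Mobility Domain IE (element 54) copied from a beacon or probe response, it lists the AKM suites and flags the mixed FT/non-FT configuration the slide warns about. The sample IEs are constructed by hand.

```python
"""RSN IE / MDIE inspection for an 802.11r rollout, as an added example.

Not Cisco code. Given the RSN IE (element 48) and, if present, the
Mobility Domain IE (element 54) copied out of a beacon or probe response,
it lists the AKM suites and flags the situation the slide warns about:
FT AKMs advertised on the same SSID as legacy AKMs. The sample IEs are
constructed by hand.
"""

RSN_ELEMENT_ID, MDIE_ELEMENT_ID = 48, 54
RSN_OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
FT_AKMS = {"FT-802.1X", "FT-PSK", "FT-SAE"}


def _suite(raw: bytes, names: dict) -> str:
    if len(raw) != 4:
        raise ValueError("suite selector must be 4 octets")
    if raw[:3] != RSN_OUI:
        return f"vendor-{raw.hex()}"
    return names.get(raw[3], f"unknown-{raw[3]}")


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode version, group cipher, pairwise ciphers, AKMs and RSN capabilities."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 8:
        raise ValueError("truncated RSN IE")
    version = int.from_bytes(body[0:2], "little")
    group = _suite(body[2:6], CIPHER_NAMES)
    off = 6
    n_pairwise = int.from_bytes(body[off:off + 2], "little"); off += 2
    pairwise = [_suite(body[off + 4 * k:off + 4 * k + 4], CIPHER_NAMES) for k in range(n_pairwise)]
    off += 4 * n_pairwise
    n_akm = int.from_bytes(body[off:off + 2], "little"); off += 2
    akms = [_suite(body[off + 4 * k:off + 4 * k + 4], AKM_NAMES) for k in range(n_akm)]
    off += 4 * n_akm
    caps = int.from_bytes(body[off:off + 2], "little") if off + 2 <= len(body) else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akms": akms,
            "mfp_required": bool(caps & 0x40), "mfp_capable": bool(caps & 0x80)}


def parse_mdie(ie: bytes) -> dict:
    """Mobility Domain IE: 2-octet MDID plus an FT capability/policy octet."""
    if len(ie) != 5 or ie[0] != MDIE_ELEMENT_ID or ie[1] != 3:
        raise ValueError("not a Mobility Domain IE")
    return {"mdid": ie[2:4].hex(), "ft_over_ds": bool(ie[4] & 0x01),
            "resource_request": bool(ie[4] & 0x02)}


def ft_wlan_check(rsn_ie: bytes, mdie: bytes = None) -> dict:
    """Classify a WLAN as legacy, ft-only or mixed and list the concerns."""
    rsn = parse_rsn_ie(rsn_ie)
    ft = [a for a in rsn["akms"] if a in FT_AKMS]
    legacy = [a for a in rsn["akms"] if a not in FT_AKMS]
    concerns = []
    if ft and legacy:
        concerns.append("FT and non-FT AKMs on one SSID: old supplicants that cannot parse "
                        "the extra AKM may refuse to associate; use a separate SSID for FT")
    if ft and mdie is None:
        concerns.append("FT AKM advertised without a Mobility Domain IE")
    mode = "mixed" if ft and legacy else ("ft-only" if ft else "legacy")
    return {"mode": mode, "akms": rsn["akms"], "ft_akms": ft,
            "mdie": parse_mdie(mdie) if mdie else None, "concerns": concerns}


# Constructed IEs: WPA2-PSK/CCMP; PSK plus FT-PSK on one SSID; FT-802.1X only; an MDIE.
SAMPLE_RSN_WPA2_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
SAMPLE_RSN_MIXED = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac04 0000")
SAMPLE_RSN_FT_1X = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac03 0000")
SAMPLE_MDIE = bytes.fromhex("3603 a1b2 01")
```

Copy the raw RSN IE bytes out of a beacon in a packet capture and pass them to ft_wlan_check; a "mixed" result on a production SSID is exactly the configuration the slide recommends splitting into separate WLANs.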
Client AP Selection: 802.11k AP Neighbor List
[Figure: on an 802.11k neighbor request the WLC returns, per band, a list ordered from highest to lowest RSSI; 2.4 GHz: AP1 channel 1 ... AP6 channel 11; 5 GHz: AP7 channel 100, AP8 channel 140 ... AP12 channel 64]
AP Neighbor Lists (a subset of 802.11k) in 7.4
• The WLC recommends an optimized list of up to 12 neighboring APs (6 per band) as roaming candidates
• The recommendation is based on RRM information
• Supported by clients with 802.11k support (for example Apple) or CCXv4 support
• The client only needs to scan those limited channels instead of the full set of Wi-Fi channels: saves power, faster roams
• Mandated by Wi-Fi Alliance Voice-Enterprise certification
• Only supported on indoor 802.11n / 802.11ac APs
802.11k Neighbor List Information Elements
• The AP beacon advertises neighbor list support
• The client requests the neighbor list in its association request
• Information elements used in the beacon and probe response to signal support:
  • Country element
  • Power Constraint element
  • RRM Enabled Capabilities element
  • All three together indicate support
• When the client associates, it sets a bit to request the neighbor list
The 802.11k Neighbor List
• The 11k list is generated dynamically on demand and is not maintained on the WLC
• The 11k list is tailored to the client's location without requiring an MSE
• Two clients on the same WLC but on different APs can receive different neighbor lists depending on their individual relationship to the surrounding APs
• By default only neighbors in the same band are included
• Devices only send a request for a neighbor list after association, and only on APs that advertise the RRM Enabled Capabilities IE in the beacon
• The returned neighbor list carries the BSSID and RSSI of the neighboring radios
   Biased to prefer APs on the same floor, using floor information from Prime Infrastructure
   The WLC checks with the APs on the neighbor list whether they have heard the client in the last 55 seconds; if not, the RSSI for that AP is biased to -120
CCX Neighbor List
• CCX provides its own AP neighbor table with a maximum of 7 neighbors
• This table is imported from RRM based on two timers, a refresh timer and a "settle" timer
• Similar to the 802.11k neighbor optimization algorithm, but done without a client request and supplied per AP rather than per client
• Provides a subset of the neighbor list optimization provided by 802.11k
Assisted Roaming for Non-11k Clients
• Similar to aggressive load balancing
   Configured globally or per WLAN
   Denial count: maximum number of times a client will be refused association
   Prediction threshold: minimum number of entries in the prediction list for the feature to activate
• Uses the 802.11k neighbor list machinery to optimize roaming for non-11k clients: the WLC builds a predicted neighbor list for each client without the client sending an 11k neighbor list request
• Discourages clients from roaming to less desirable neighbors by denying association when the association request goes to an AP that is not on the client's prediction list
   As with load balancing, CCX status code 0xCC ("association denied due to non-optimized association") is sent to the client
• Since both load balancing and assisted roaming are designed to influence which AP a client associates with, they cannot both be enabled on the same WLAN at the same time
Assisted Roaming Configuration Commands
• config wlan assisted-roaming neighbor-list {enable | disable} <wlanId>
  Enables or disables the neighbor list from the controller, and the RRM and Power Constraint IEs on the APs
• config wlan assisted-roaming dual-list {enable | disable} <wlanId>
  Enables or disables a neighbor list including entries for both radio bands; the default is the band the client is currently associated on
• config wlan assisted-roaming prediction {enable | disable} <wlanId>
  Enables or disables assisted roaming with the roaming-optimization prediction list. A warning is printed and load balancing is disabled for the WLAN if load balancing is already enabled on the same WLAN
• config assisted-roaming neighbor-list floor bias <dB>
  Sets the neighbor floor bias; the default is 15 dB
• config assisted-roaming prediction minimum <1-6>
  Minimum number of predicted APs for assisted roaming to take effect. If the number of APs in the prediction list assigned to the client is less than this number, assisted roaming is not applied to this roam
• config assisted-roaming denial maximum <1-10>
  Maximum number of times a client can be denied association when the association request was sent to an AP that does not match any AP on the prediction list
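Both load balancing and assisted roaming work by refusing association a bounded number of times and then giving in, which is why they cannot coexist on one WLAN. The model below is an added example, not WLC code: it implements the two mechanisms with the parameters named on these slides (window size and denial count; prediction minimum and denial maximum) and returns the status code the client would see. The exact load comparison (client count minus the lightest AP's count reaching the window size) is an assumption.

```python
"""Association admission control: client load balancing and assisted roaming.

Added example, not WLC code. It models the two association-denial
mechanisms described above with the parameters the deck names (window
size and denial count for load balancing; prediction threshold and
denial count for assisted roaming) and enforces that they are mutually
exclusive on a WLAN. The load comparison (client count minus the
lightest AP's count reaching the window size) is an assumption.
"""
from dataclasses import dataclass, field

STATUS_SUCCESS = 0
STATUS_AP_FULL = 17          # 802.11: AP unable to handle additional associated STAs
STATUS_NON_OPTIMIZED = 0xCC  # CCX: association denied due to non-optimized association


@dataclass
class WlanPolicy:
    load_balancing: bool = False
    lb_window: int = 5          # load-balancing window size
    lb_denial_max: int = 3      # load-balancing denial count
    assisted_roaming: bool = False
    ar_prediction_min: int = 3  # config assisted-roaming prediction minimum <1-6>
    ar_denial_max: int = 2      # config assisted-roaming denial maximum <1-10>

    def __post_init__(self):
        if self.load_balancing and self.assisted_roaming:
            raise ValueError("load balancing and assisted roaming cannot both be enabled on one WLAN")


@dataclass
class AdmissionControl:
    policy: WlanPolicy
    ap_clients: dict                                    # AP name -> associated client count
    prediction: dict = field(default_factory=dict)      # client MAC -> predicted AP names
    denials: dict = field(default_factory=dict)         # (client MAC, AP) -> denials so far
    log: list = field(default_factory=list)

    def _deny(self, key, status) -> int:
        self.denials[key] = self.denials.get(key, 0) + 1
        return status

    def associate(self, mac: str, ap: str) -> int:
        """Return the 802.11/CCX status code the AP answers the association request with."""
        key = (mac, ap)
        count = self.denials.get(key, 0)
        if self.policy.load_balancing:
            lightest = min(self.ap_clients.values())
            overloaded = self.ap_clients[ap] - lightest >= self.policy.lb_window
            if overloaded and count < self.policy.lb_denial_max:
                return self._deny(key, STATUS_AP_FULL)
            if overloaded:
                self.log.append(f"{mac} admitted to busy AP {ap} after {count} denials")
        if self.policy.assisted_roaming:
            plist = self.prediction.get(mac, [])
            active = len(plist) >= self.policy.ar_prediction_min
            if active and ap not in plist and count < self.policy.ar_denial_max:
                return self._deny(key, STATUS_NON_OPTIMIZED)
            if active and ap not in plist:
                self.log.append(f"{mac} admitted to non-predicted AP {ap} after {count} denials")
        self.ap_clients[ap] += 1
        self.denials.pop(key, None)
        return STATUS_SUCCESS
```

The denial counter is per client and per AP, so a client that keeps retrying the same busy AP is eventually admitted (and logged), while a client that follows the hint and tries another AP is admitted immediately.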
Client Roaming Decision Tree
[Figure: roam trigger, then roam scan, then roam candidate selection; see http://support.apple.com/en-us/HT203068 for Apple's documented behavior]
RSSI Check
• The RSSI check excludes clients with weak RSSI from associating
Optimized Roaming – Configuration
• Sets a threshold RSSI value and/or a minimum data rate below which a client is sent a deauthentication
• Developed to support cellular handoff
• Global configuration with 4 parameters:
   Enable/Disable
   Interval (seconds)
   Data rate threshold
   RSSI threshold, configured through the Data RSSI setting of coverage hole detection (CHD)
• The trigger is the pre-coverage-hole event set under the CHDM configuration

  Data RSSI below threshold   Data rate check        Result
  True                        Disabled (default)     Deauth
  True                        False                  No action
  True                        True                   Deauth

Optimized Roaming – CHDM Configuration
• RSSI threshold: set through the Data RSSI setting in Coverage at the global level, and under RRM in the RF profile
Optimized Roaming and the Low RSSI Feature: WARNING
• The low RSSI check is a completely separate feature; it sets a low RSSI threshold that a client must be above to associate to the AP
• Optimized Roaming has a 6 dB hysteresis built in to prevent thrashing: if the Optimized Roaming threshold is -75 dBm, the client's signal must improve to -69 dBm before it can rejoin the AP
• The join logic checks the low RSSI threshold AND the Optimized Roaming threshold before allowing a client to join, and both must pass
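The interaction between the two features is where deployments get surprised, so it helps to compute the effective join floor explicitly. The block below is an added example and not WLC code: it encodes the decision table from the configuration slide, the 6 dB rejoin hysteresis and the rule that both gates must pass. Applying the hysteresis to every join attempt while Optimized Roaming is enabled (not only to rejoins after a deauthentication) is an assumption.

```python
"""Optimized Roaming and the low RSSI check, as an added example.

Not WLC code: it encodes the decision table above (data RSSI below the
CHD threshold triggers a deauth unless a data-rate threshold is set and
the client's rate is still above it), the 6 dB rejoin hysteresis and the
rule that both the low RSSI check and the Optimized Roaming threshold
must pass before a client is admitted. Applying the hysteresis to every
join attempt while Optimized Roaming is enabled is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

OPTIMIZED_ROAMING_HYSTERESIS_DB = 6


@dataclass
class RssiPolicy:
    low_rssi_check: bool = False
    low_rssi_threshold_dbm: int = -80      # client must be at or above this to associate
    optimized_roaming: bool = False
    or_rssi_threshold_dbm: int = -75       # CHD data RSSI threshold
    or_data_rate_threshold_mbps: Optional[int] = None  # None = data rate check disabled (default)


def periodic_check(policy: RssiPolicy, rssi_dbm: int, data_rate_mbps: int) -> str:
    """Run once per configured interval for an associated client; 'deauth' or 'none'."""
    if not policy.optimized_roaming or rssi_dbm >= policy.or_rssi_threshold_dbm:
        return "none"
    if policy.or_data_rate_threshold_mbps is None:
        return "deauth"          # data RSSI true, data rate check disabled
    if data_rate_mbps < policy.or_data_rate_threshold_mbps:
        return "deauth"          # data RSSI true and data rate true
    return "none"                # data RSSI true but data rate false


def effective_join_floor(policy: RssiPolicy) -> Optional[int]:
    """The RSSI a client needs to be admitted once both features are considered."""
    floors = []
    if policy.low_rssi_check:
        floors.append(policy.low_rssi_threshold_dbm)
    if policy.optimized_roaming:
        floors.append(policy.or_rssi_threshold_dbm + OPTIMIZED_ROAMING_HYSTERESIS_DB)
    return max(floors) if floors else None


def can_associate(policy: RssiPolicy, rssi_dbm: int) -> bool:
    """Both gates must pass: the stricter of the two thresholds wins."""
    floor = effective_join_floor(policy)
    return floor is None or rssi_dbm >= floor


if __name__ == "__main__":
    p = RssiPolicy(low_rssi_check=True, low_rssi_threshold_dbm=-80,
                   optimized_roaming=True, or_rssi_threshold_dbm=-75)
    print("join floor:", effective_join_floor(p), "dBm")
    for rssi in (-68, -72, -82):
        print(rssi, "dBm ->", "admit" if can_associate(p, rssi) else "reject",
              "/ periodic:", periodic_check(p, rssi, 54))
```

With the slide's numbers the effective join floor is -69 dBm, 11 dB above the low RSSI threshold; a site survey that validated -80 dBm coverage at the cell edge will therefore see clients refused at the edge once Optimized Roaming is switched on.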
New in AireOS 8.1
What Can We Do with 802.11v?
• An 802.11v capable client can send a query frame to ask for a list of preferred APs
• Scenarios:
  • The client can send this query at any time to look for a better AP to associate to
  • Sent during client roaming for a faster roam
• AP to client:
  • Send an unsolicited list of candidate neighboring APs
  • Warn or inform the client that it will be disassociated
• Client:
  • May include this information in its roaming decision
802.11v – Configuration
• Enables 802.11v BSS Transition on the WLAN
• Disassociation imminent: the STA will be disassociated (it must roam); used for solicited and unsolicited requests
• Unsolicited requests for Optimized Roaming
How Can We Benefit from This?
• Better load balancing:
   In legacy load balancing, the 802.11 status code 17 is sent to passively discourage a client from joining a busy AP
   With 802.11v, a BSS Transition request can be triggered by load balancing decisions. This is a more positive approach: the client is given better AP options and/or is allowed to join momentarily with a warning that it will be disconnected shortly
• Better Optimized Roaming:
   The same idea applies to Optimized Roaming. Instead of flatly disassociating the client, an 802.11v client is first told where to go
IPv6 Infrastructure Support
8.0 IPv6 Overview
[Figure: a dual-stack lab. WLC management 2001:db8:a::2/64 and 10.10.10.2; IPv4/v6 router 2001:db8:a::1/64 and 10.10.10.1; APs 2001:db8:a:0:1827:91bf:c41b:9683 and 2001:db8:a:0:8a56:caff:1547:9150 (IPv4 10.10.10.51 and 10.10.10.52) joining over CAPWAPv6 tunnels; IPv6 and IPv4 clients (for example 2001:db8:a:7/64 and 2001:db8:a:0:2329:9834:3231:1111); RADIUS server 2001:db8:a:5/64; SNMP, syslog, NTP and tftp/ftp/scp servers at 2001:db8:a:5/64 and 2001:db8:a:6/64]
WLC IPv6 Address Overview
• One IPv6 address (plus the link-local address) on the management interface
• Dynamic interfaces support IPv4 addresses only
• Dynamic AP manager interfaces are IPv4 only
• Redundancy management and redundancy port are IPv4 only (HA interfaces are IPv4 only)
• The service port can get an IPv6 address statically or via SLAAC (the only SLAAC-capable interface on the WLC)
• LAG is needed for IPv6 AP load balancing
• DHCPv6 proxy is not supported (only IPv6 DHCP bridging, as in 7.6)
IPv6 Management Address Assignment
• The management default is the unspecified IPv6 address (::/128)
• The gateway must be the link-local address of the next hop router
• The management link-local address is assigned automatically, but the primary address must be a statically assigned globally unique address
Dynamic Interface Configuration
• Dynamic interfaces support IPv4 only: no IPv6 address on the WLC side
• IPv6 traffic is bridged on the VLAN, so the IPv6 address lives on the IPv6-enabled switch/router
• A DHCPv6 server or relay can be configured on the VLAN interface of the switch/router
Router/switch configuration for a dynamic interface VLAN (DHCPv6 server on the SVI):

  ipv6 dhcp pool vlan20_pool
   address prefix 2001:DB8:B::/64 lifetime 1800 60
   dns-server 2001:DB8:B::1
   domain-name ipv6.rf-demo.com
  !
  interface Vlan20
   ip address 10.10.20.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
   ipv6 address 2001:DB8:B::1/64
   ipv6 enable
   ipv6 nd prefix 2001:DB8:B::/64
   ipv6 nd managed-config-flag
   ipv6 nd other-config-flag
   ipv6 dhcp server vlan20_pool rapid-commit
  !

WLC Service Port
• The service port can be statically assigned an address or select an address via SLAAC
• This is the only SLAAC interface on the WLC; all other interfaces must be statically assigned
IOS router configuration for the service port VLAN:

  ipv6 unicast-routing
  interface Vlan10
   ipv6 address 2001:DB8:A::1/64
   ipv6 enable
Control and Management Protocols IPv6 Support
• CAPWAPv6 (AP Discovery / failover)
• Management Access
• Upload/Download using IPv6 with ftp/tftp/sftp
• RADIUSv6 Support
• TACACS+v6 Support
• NTPv3
• Syslog over IPv6
• SNMP Trap Receiver
• PINGv6
• IPv6 Guest Access
Management Access (telnet, SSH, HTTP, HTTPS)
• The WLC can be accessed from the wired or wireless side via its IPv6 management interface (for example 2001:db8:a::2/64, alongside 10.10.10.2) using telnet, SSH, HTTP and HTTPS
• telnet and HTTP carry credentials in cleartext; prefer SSH and HTTPS and disable the cleartext protocols where possible
CAPWAPv6
• Either an IPv4 or an IPv6 CAPWAP tunnel is selected
• The AP can get its IPv6 address from stateful DHCPv6, SLAAC or static assignment
• If statically assigned, the gateway can be the global unique or the link-local address of the router
• Either CAPWAPv4 or CAPWAPv6 can be used, but not both at the same time
• APs in bridge mode do not support CAPWAPv6
AP Discovery Mechanisms
• DHCPv6 option 52
  • OPTION_CAPWAP_AC_V6 (52), RFC 5417
  • As part of the DHCPv6 Reply, the server provides the IPv6 management address of the WLC
  • The AP then begins unicast CAPWAP discovery
• Multicast discovery
  • Broadcast does not exist in IPv6
  • The AP sends CAPWAP discovery messages to the "All ACs" multicast address (FF01::18C)
• Using DNS
  • Configure the DNS server to resolve cisco-capwap-controller.<domain-name>
  • The domain name should be returned by the DHCPv6 server
• AP priming
  • Preconfigure the AP with a primary, secondary and tertiary IPv6-managed WLC
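Option 52 and the domain list both arrive in the same DHCPv6 Reply, and a wrong or missing value silently pushes the AP down to the multicast and DNS fallbacks. The decoder below is an added example, not Cisco code: it extracts OPTION_CAPWAP_AC_V6 (52, RFC 5417) and OPTION_DOMAIN_LIST (24) from a DHCPv6 Reply and builds the ordered list of discovery targets the slide describes. The Reply in SAMPLE_REPLY is constructed by hand.

```python
"""DHCPv6 Reply decoding for CAPWAPv6 AP discovery, as an added example.

Not Cisco code. It pulls OPTION_CAPWAP_AC_V6 (52, RFC 5417) and
OPTION_DOMAIN_LIST (24) out of a DHCPv6 Reply and builds the ordered
list of discovery targets the slide describes: unicast to the ACs from
option 52, the All-ACs multicast address, then the DNS name built from
the domain list. The Reply in SAMPLE_REPLY is constructed by hand.
"""
import ipaddress

DHCP6_REPLY = 7
OPTION_DOMAIN_LIST = 24
OPTION_CAPWAP_AC_V6 = 52
ALL_ACS_MULTICAST = "ff01::18c"
CAPWAP_DNS_LABEL = "cisco-capwap-controller"


def parse_dhcp6_options(msg: bytes) -> list:
    """Return [(code, data)] from a DHCPv6 message: 1-byte type, 3-byte xid, then TLVs."""
    if len(msg) < 4:
        raise ValueError("message too short")
    options, off = [], 4
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated option header")
        code = int.from_bytes(msg[off:off + 2], "big")
        length = int.from_bytes(msg[off + 2:off + 4], "big")
        data = msg[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        options.append((code, data))
        off += 4 + length
    return options


def decode_domain_list(data: bytes) -> list:
    """RFC 1035 label encoding without compression (RFC 3315 forbids it here)."""
    names, off = [], 0
    while off < len(data):
        labels = []
        while True:
            n = data[off]; off += 1
            if n == 0:
                break
            if n > 63 or off + n > len(data):
                raise ValueError("bad label")
            labels.append(data[off:off + n].decode("ascii")); off += n
        names.append(".".join(labels))
    return names


def discovery_plan(reply: bytes) -> dict:
    """Targets in the order the AP tries them: option 52 ACs, multicast, DNS."""
    if reply[0] != DHCP6_REPLY:
        raise ValueError("not a DHCPv6 Reply")
    acs, domains = [], []
    for code, data in parse_dhcp6_options(reply):
        if code == OPTION_CAPWAP_AC_V6:
            if len(data) % 16:
                raise ValueError("option 52 length must be a multiple of 16")
            acs += [str(ipaddress.IPv6Address(data[k:k + 16])) for k in range(0, len(data), 16)]
        elif code == OPTION_DOMAIN_LIST:
            domains += decode_domain_list(data)
    dns_names = [f"{CAPWAP_DNS_LABEL}.{d}" for d in domains]
    return {"capwap_ac": acs, "domains": domains,
            "targets": acs + [ALL_ACS_MULTICAST] + dns_names}


# Constructed Reply: xid 0x123456, option 52 with one WLC, option 24 with "example.com".
SAMPLE_REPLY = (
    bytes([DHCP6_REPLY]) + b"\x12\x34\x56"
    + (52).to_bytes(2, "big") + (16).to_bytes(2, "big") + ipaddress.IPv6Address("2001:db8:a::2").packed
    + (24).to_bytes(2, "big") + (13).to_bytes(2, "big") + b"\x07example\x03com\x00"
)
```

Capture the Reply the AP receives (UDP source port 547) and run discovery_plan on it; if "capwap_ac" comes back empty the AP will be discovering via multicast and DNS only, which is the first thing to check when an AP joins the wrong controller or none at all.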
AP Failover
[Figure: three APs with WLC1/WLC2/WLC3 as primary, secondary and tertiary in rotated order: (WLC1, WLC2, WLC3), (WLC2, WLC3, WLC1), (WLC3, WLC2, WLC1)]
• The management IP address must be reachable
• One entry per WLC
• The AP joins either the IPv4 or the IPv6 address of the WLC, regardless of which management IP is listed
• All other AP failover behavior is the same as in previous versions
IPv6 Multicast / Mobility Multicast
• Ensure IPv6 Multicast routing is enabled on IOS router/switch
Router(config)#ipv6 multicast-routing

• Mobility multicast messaging support for IPv6

• The Multicast group must be consistent across all WLCs


• The Mobility Group Members are displayed in Controller->Mobility Management
Guest Anchor
Mobility Groups / Auto Anchor
[Figure: a mobility group in which an 8.0 WLC connects to the 8.0 guest anchor over a CAPWAPv6 tunnel while a 7.6 WLC connects to it over an EoIP tunnel]
• The guest anchor should run 8.0 code
• This allows 8.0 WLCs sharing the mobility group to connect using CAPWAPv6
• WLCs running pre-8.0 code join using EoIP
• New Mobility is not required for this configuration
IPv6 Neighbor Binding
• 8 IPv6 addresses are supported per client
• Upon the 9th, the WLC removes the oldest stale entry
• Reachable, stale and down lifetimes can differ between WLCs, routers and switches, but best practice is to keep them the same
• Neighbor discovery is very chatty, which is bad over a wireless network; the binding table is what lets the WLC answer neighbor solicitations itself instead of flooding them to clients
VLAN Select / Interface Groups with IPv6 Clients
• VLAN Select should not be used in a dual-stack environment
• VLAN Select only works on the IPv4 address
• A client can get an IPv4 address from one VLAN and an IPv6 address from another
• The VLAN mismatch causes problems
[Flowchart: on client association the WLC finds a non-dirty interface; if the client gets an IPv6 address but no IPv4 address (DHCPv6 works but DHCPv4 does not), the interface is marked dirty and the client moves to the next interface, but its IPv6 address remains on the "dirty" VLAN; the client then enters the RUN state with addresses from two VLANs]
Upload/Download Using IPv6 with ftp/tftp/sftp
[Figure: WLC management 2001:db8:a::2/64 / 10.10.10.2 reaching a tftp/ftp/sftp server at 2001:db8:a:5/64 through the IPv4/v6 router 2001:db8:a::1/64 / 10.10.10.1]
• tftp/ftp/sftp uploads and downloads are initiated from the WLC (GUI: Commands)
• The Tftpd64 server is recommended
• Either an IPv4 or an IPv6 server address can be used
RADIUSv6 Support
• RADIUS servers can be added using their IPv6 address
• At the time of this release there was no Cisco enterprise RADIUS server with IPv6 support
• Internal testing was completed with FreeRADIUS
TACACS+v6 Support
• TACACS+ servers can be added using their IPv6 address
• Internal testing was completed with ACS 5.4
NTPv3
[Figure: WLC management 2001:db8:a::2/64 / 10.10.10.2 reaching an NTP server at 2001:db8:a:6/64 through the IPv4/v6 router 2001:db8:a::1/64 / 10.10.10.1]
• The NTP server can be configured with an IPv4 or IPv6 address (IOS CLI configuration)
• The recommended NTP server is a Cisco IOS router/switch
• NTPv4 is not supported
Syslog over IPv6
[Figure: WLC management 2001:db8:a::2/64 / 10.10.10.2 reaching a syslog server at 2001:db8:a:5/64 / 10.10.10.10 through the IPv4/v6 router 2001:db8:a::1/64 / 10.10.10.1]
• The syslog server can be IPv4 or IPv6
SNMP Trap Receiver
[Figure: WLC management 2001:db8:a::2/64 / 10.10.10.2 reaching an SNMP trap receiver at 2001:db8:a:5/64 through the IPv4/v6 router 2001:db8:a::1/64 / 10.10.10.1]
• SNMP traps are sent to the IPv6 destination
• Prime Infrastructure does not support IPv6 until the 2.2 release
• The iReasoning MIB Browser was used to test with IPv6
PINGv6

• Ping supports IPv4 and IPv6


• Link-local and Globally unique addresses
can be pinged
• Both WLC GUI and CLI supported
UDP-Lite
WLC CLI: config ipv6 capwap udplite {enable | disable}
• UDP-Lite (RFC 3828) computes the checksum over the pseudo-header and the UDP-Lite header only, not over the full datagram payload
• Enabling UDP-Lite speeds up packet processing time
• The IP protocol number is 136; it uses the same CAPWAP ports as UDP
• Enabling UDP-Lite requires that any firewall between AP and WLC allows protocol 136 in addition to UDP 5246/5247
• Switching between UDP and UDP-Lite causes all APs to rejoin the WLC
• Enabled by default
CDPv6
• CDP detects both IPv4 and IPv6 neighbors

  (cisco_controller) >show ap cdp neighbors all
  AP Name             AP IP                              Neighbor Name   Neighbor Port
  ------------------  ---------------------------------  --------------  ----------------------
  Ap1                 10.10.10.104                       LAB1            GigabitEthernet2/0/17
    IP address: 10.10.10.104
  Ap2                 2001:db8:a:0:1827:91bf:c41b:9683   LAB1            GigabitEthernet2/0/5
    IP address: 2001:db8:a::1
    IPv6 address: 2001:db8:a::1 (global unicast)
    IPv6 address: fd09:db8:a::1 (global unicast)
    IPv6 address: fe80::6abd:abff:fe8c:7643 (link-local)
IPv6 Guest Access
• Virtual IP address is IPv4 only
• Uses IPv4-Mapped address for IPv6 web-
authentication clients
• Virtual IP should be the same for all WLCs in
the same mobility group
• For example the IPv6 address will display as
[::ffff:192.0.2.1]
IPv6 WLAN Client Optimizations
[Diagram: Router 1 and Router 2 send RAs on VLAN 100 and VLAN 200; without optimization, ICMPv6 multicast messages are unicast to each client at high data rates; with optimization, ICMPv6 messages are interpreted by the controller and forwarded over CAPWAP only as needed]
• Client mobility: Preserved connectivity while roaming
• First hop security: Protection against new IPv6 vulnerabilities
• Network efficiency: Optimized ICMPv6 message delivery
IPv6 WLAN Client Optimizations (continued)
[Diagram: IPv6 traffic from the VLAN side crosses the CAPWAP tunnel (IPv6 over CAPWAP over IPv4 over Ethernet) and reaches the client as IPv6 over 802.11]
• Router Advertisement (periodic): Rate Limiting / Throttling
• Neighbor Solicitation Suppression: NS for unknown mobile clients dropped at the Controller
• Neighbor Discovery Suppression: response to NS from the cache binding table entries with a Proxy Neighbor Advertisement
Wireless IPv6 client First Hop Security on WLAN
[Diagram: same CAPWAP tunnel encapsulation as above, with client-originated messages entering from the 802.11 side]
• RA Guard: RA from client blocked at AP (Local and FlexConnect)
• Source Guard: undesired IPv6 addresses/prefixes blocked
• DHCP Server Guard: DHCP Server Advertisement (DHCP SA) blocked at Wireless Controller using IPv6 ACL
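As an added example (not Cisco code), the following Python models the first hop security and ND suppression decisions described above on constructed frames: RA Guard and DHCP Server Guard for client-sourced messages, Source Guard against a binding table, a proxy NA for known targets with NS for unknown clients dropped, and a multicast RA delivered as unicast to each known client. The Frame fields, MACs and addresses are constructed for the example.

```python
"""IPv6 first hop security decisions for a WLAN, as an added example (not
Cisco code), run over constructed frames."""
from dataclasses import dataclass, field
from typing import Dict, Optional

ICMPV6_RA, ICMPV6_NS, ICMPV6_NA = 134, 135, 136
DHCPV6_ADVERTISE = 2  # DHCPv6 "Advertise": only a server may send it


@dataclass
class Frame:
    src_mac: str
    from_wireless: bool                 # True when received from a client over 802.11
    icmpv6_type: Optional[int] = None
    src_ip: Optional[str] = None
    target: Optional[str] = None        # NS/NA target address
    dhcpv6_type: Optional[int] = None
    multicast: bool = False             # destination is a multicast group


@dataclass
class BindingTable:
    """Client MAC -> IPv6 addresses the controller has learned for it."""
    by_mac: Dict[str, set] = field(default_factory=dict)

    def learn(self, mac: str, addr: str) -> None:
        self.by_mac.setdefault(mac, set()).add(addr)

    def owner(self, addr: str) -> Optional[str]:
        for mac, addrs in self.by_mac.items():
            if addr in addrs:
                return mac
        return None


def first_hop_policy(frame: Frame, table: BindingTable) -> str:
    """Return the action taken for one frame."""
    if frame.from_wireless:
        # RA Guard: a wireless client is never accepted as a router.
        if frame.icmpv6_type == ICMPV6_RA:
            return "drop:ra-guard"
        # DHCP Server Guard: a client answering as a DHCPv6 server is dropped.
        if frame.dhcpv6_type == DHCPV6_ADVERTISE:
            return "drop:dhcpv6-server-guard"
        # A client's own NA (e.g. after DAD) populates the binding table,
        # unless the address is already bound to another client.
        if frame.icmpv6_type == ICMPV6_NA and frame.target:
            owner = table.owner(frame.target)
            if owner not in (None, frame.src_mac):
                return "drop:binding-conflict"
            table.learn(frame.src_mac, frame.target)
            return "learn"
        # Source Guard: traffic must come from an address bound to that client.
        if frame.src_ip and frame.src_ip != "::" and table.owner(frame.src_ip) != frame.src_mac:
            return "drop:source-guard"
    # NS suppression: answer from the binding table instead of flooding the
    # WLAN; an NS for an unknown mobile client is dropped at the controller.
    if frame.icmpv6_type == ICMPV6_NS and frame.target:
        mac = table.owner(frame.target)
        return f"proxy-na:{mac}" if mac else "drop:ns-unknown-client"
    # A periodic multicast RA from the wired side is unicast to each known client.
    if frame.icmpv6_type == ICMPV6_RA and frame.multicast:
        return "unicast-ra:" + ",".join(sorted(table.by_mac))
    return "forward"


def run_scenario():
    """Constructed frames; returns the list of (label, action) decisions."""
    table = BindingTable()
    client = "aa:bb:cc:00:00:01"
    other = "aa:bb:cc:00:00:02"
    router = "00:11:22:33:44:55"
    frames = [
        ("client NA", Frame(client, True, ICMPV6_NA, "2001:db8:a::10", "2001:db8:a::10")),
        ("client RA", Frame(client, True, ICMPV6_RA, "fe80::1")),
        ("client DHCPv6 Advertise", Frame(other, True, src_ip="fe80::2", dhcpv6_type=DHCPV6_ADVERTISE)),
        ("spoofed source", Frame(other, True, src_ip="2001:db8:a::10")),
        ("wired NS known", Frame(router, False, ICMPV6_NS, "2001:db8:a::1", "2001:db8:a::10")),
        ("wired NS unknown", Frame(router, False, ICMPV6_NS, "2001:db8:a::1", "2001:db8:a::99")),
        ("wired multicast RA", Frame(router, False, ICMPV6_RA, "fe80::1", multicast=True)),
    ]
    return [(label, first_hop_policy(f, table)) for label, f in frames]
```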
IPv6 L3 Client Roaming Inter WLC
[Diagram: Anchor WLC (Router 1, VLAN=100, Prefix = FE01) and Foreign WLC (Router 2, VLAN=200, Prefix = FE02) joined by a Mobility Tunnel; the Router Advertisement is carried over the mobility tunnel and down the CAPWAP tunnel to the roaming client]
• Client must continue to receive the original IPv6 subnet router advertisements
• The anchor controller sends the RA to the foreign controller in the mobility tunnel
• When the Access Point receives the RA, it converts the multicast RA to unicast (mc2uc) and sends the RA to each client individually
Bringing It All Together
Best Practices
BEST PRACTICES (AirOS) - Best Practices Recommendations: Make it Easy, Make it Work (For Your Reference)

INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• Disable Aironet IE
• FlexConnect Groups and Smart AP Upgrade

SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advanced EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Peer-to-peer blocking
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers

WIRELESS / RF
• Disable 802.11b data rates
• Restrict number of WLANs below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load

MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Summary
• Additional reference material is included in the deck that was not covered in today's session
• RF profiles and Rx-SOP tuning allow for advanced high density tuning
• Centralized WLAN deployment is best suited for large campuses and where advanced features are required
 Requires less configuration on the switch the AP is plugged into
 Provides robust roaming
 Supports the most advanced features
Distributed Controller Design
Karan Sheth, Sr. Technical Marketing Engineer
TECEWN-3002
Objective
Best Practices for Designing Resilient, Secure and Service-Ready Branch Networks
Agenda
• Understand Wireless Branch Deployment Options
• Evaluate FlexConnect Architectural Requirements
• Identify the need for FlexConnect & AP Groups
• Design a Resilient Branch Network - DEMO
• Design Secure & BYOD enabled Branch Network
• Operate Wireless Branch efficiently over WAN
• Service-Ready Branch
• FlexConnect Best Practices
• Wireless Security Best Practices
Wireless Controller Deployment Modes

Autonomous
• Standalone APs
• Target Positioning: Small Wireless Network
• Scope: Wireless only
• High Availability: Can only claim AP quality; No RF HA; No Network layer HA; No services
• Key Considerations: Limited features. Upgradable to controller based

FlexConnect
• Traffic Distributed at AP (across the WAN)
• Target Positioning: Branch
• Scope: Wireless only
• High Availability: Full RF HA; Client SSO when Local Switching
• Key Considerations: Branch with WAN BW and latency requirements

Centralized
• Traffic Centralized at Controller
• Target Positioning: Campus
• Scope: Wireless only
• High Availability: Most complete solution
• Key Considerations: Full features

Converged Access
• Traffic Distributed at Switch
• Target Positioning: Branch and Campus
• Scope: Wired and Wireless
• High Availability: Exploits HA in IOS switches
• Key Considerations: Catalyst 3650/3850 in the access layer
Wireless Branch Deployment Options
Branch Office with Local WLAN Controller
Overview
• Branches can also have local remote controllers
• Small or Mid-size Branch WLCs: CT-2504, integrated controller modules in ISR/ISR-G2, Converged Access Cat-3850
• High-availability design with central backup controller is supported; WAN limitations may apply
[Diagram: Central Site with Backup Central Controller; CAPWAP over the WAN to Remote Site A (WLC-25xx), Remote Site B (ISR/ISR-G2 WLCM) and Remote Site C (Cat-3850)]
Branch Office Deployment
FlexConnect (HREAP)
• Hybrid architecture
• Single management and control point
• Data Traffic Switching:
 • Centralized traffic (split MAC), or
 • Local traffic (local MAC)
• HA will preserve local traffic only
• Traffic Switching is configured per AP and per WLAN (SSID)
[Diagram: Central Site with a Cluster of Centralized WLCs; centralized traffic crosses the WAN, local traffic stays in the Remote Office]
FlexConnect Glossary
Connected Mode: When the FlexConnect AP can reach the Controller, it gets help from the controller to complete client authentication.
Standalone Mode: When the FlexConnect AP cannot reach the Controller, it goes into standalone state and does client authentication by itself.
Local Switching: Data traffic switched onto local VLANs for an SSID
Central Switching: Data traffic tunneled back to WLC for an SSID
Configure FlexConnect Mode
Step 1: Configure Access Point Mode
• Enable FlexConnect mode per AP
• Supported APs: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600, AP-2600, AP-3600, AP-3700, AP-2700, AP-700, AP-1520, AP-1530, AP-1550
Configure FlexConnect Local Switching
Step 2: Enable Local Switching per WLAN
• Only WLAN with “FlexConnect Local Switching” enabled will allow local
switching on the FlexConnect AP
Configure FlexConnect VLAN Mapping
Step 3: FlexConnect Specific Configuration
• FlexConnect AP can be connected on an access port or connected to a 802.1Q
trunk port (using the native VLAN)
• VLAN mapping can be performed per AP configuration on WLC and/or by AP
groups using Cisco Prime Infrastructure templates
Configure FlexConnect VLAN Mapping
Step 4: FlexConnect Specific Configuration – Native VLAN
• When connecting with a Native VLAN on the AP, the L2 switchport must also match the corresponding Native VLAN configuration
• Each SSID that is allowed to be locally switched should be allowed on the corresponding switchport.
Configure FlexConnect SSID-VLAN Mapping
Step 5: Per AP SSID to VLAN Mapping
• Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP
• Or use Cisco Prime Infrastructure (NCS) via configuration templates
Configure FlexConnect VLAN Mapping
Using Cisco Prime Infrastructure
• Prime Infrastructure provides simplified configuration to all FlexConnect APs with one Lightweight AP Template
Evaluate FlexConnect Architectural Requirements
FlexConnect Design Considerations (For Your Reference)
WAN Limitations Apply

Deployment Type | WAN Bandwidth (Min) | WAN RTT Latency (Max) | Max APs per Branch | Max Clients per Branch
Data | 64 kbps | 300 ms | 5 | 25
Data | 640 kbps | 300 ms | 50 | 1000
Data | 1.44 Mbps | 1 sec | 50 | 1000
Data+Voice | 128 kbps | 100 ms | 5 | 25
Data+Voice | 1.44 Mbps | 100 ms | 50 | 1000
Monitor | 64 kbps | 2 sec | 5 | N/A
Monitor | 640 kbps | 2 sec | 50 | N/A

It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.
FlexConnect Design Considerations
Feature Limitations Apply
• Some features are not available in standalone mode or in local switching mode:
 • MAC/Web Auth in Standalone Mode
 • IPv6 L3 Mobility
 • SXP TrustSec
 • Service Discovery Gateway
 • Native Profiling and Policy Classification
• See full list in « FlexConnect Feature Matrix »
• http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
IPv6 Support
[Figure: IPv6 feature support matrix]
• Significant support for IPv6 with Central Switching
• IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching
Economies of Scale For Lean Branches
Flex 7500 Wireless Controller

Access Points: 300-6,000
Clients: 64,000
Branches: 2000
Access Points / Branch: 100
Deployment Model: FlexConnect
Form Factor: 1 RU
IO Interface: 2 x 10GE
Upgrade Licenses: 100, 200, 500, 1K RTU Licenses

Key Differentiation
 WAN Tolerance
  • High Latency Networks
  • WAN Survivability
 Security
  • 802.1x based port authentication
 Voice support
  • Voice CAC
  • OKC/CCKM

Cisco 8510 series Controller
Optimized for High Scale Deployments (* Indicates unique 8500 features)
 High scale
  • 4K VLANs
  • 6000 local mode APs and 64,000 clients in 1RU
 Rich Features with deployment flexibility
 Geo Separated AP/Client SSO
 Outdoor AP support
  • FlexConnect, Local mode and mesh support for 6000 APs and 64,000 clients
  • Right to use (with EULA) for ease of license enablement
  • 3G Packet core integration: PMIPv6 MAG solution with ASR5K (LMA)
  • FlexConnect with HS2.0 for 3G offload
  • Other key features: 802.11r fast roaming, rate limit traffic flows, Video Stream for rich media flows

Access Points: 300-6,000
Clients: 64,000
Branches/locations: 6,000 (2000 groups)
Access Points per FlexConnect group: 100
Deployment types: Local (centralized), FlexConnect and mesh
Form Factor: 1 RU
IO Interface and redundancy: Dual redundant 10GE ports with LAG
Power options: AC and DC
Power redundancy: Dual redundant power supplies installed
Flex 7500 Scale & Feature Update - 7.0.116.0 vs. 7.4
Scalability | 7.0.116.0 | 7.4
Total APs | 2000 | 6000
Total Clients | 20,000 | 64,000
Total FlexConnect Group | 500 | 2000
Support for OEAPs | No | Yes
Central Switching BW Limit | ~250 Mb | ~1 Gb
Data DTLS Support | No | Yes
Central Switching 802.1x | No | Yes

FlexConnect Feature Introduction (For Your Reference)

FlexConnect Features | Release Version
AAA-VLAN Override, ACLs & P2P Blocking | 7.2
Smart AP Image Upgrade | 7.2
External Web-Auth & Mobile Device On-boarding | 7.2
Flex 7500 Scale Update | 7.3
VLAN Based Central Switching | 7.3
Split-tunneling | 7.3
Work Group Bridge (WGB) Support | 7.3
Bi-Directional Rate Limiting | 7.4
ISE BYOD Registration & Provisioning | 7.4
AAA-ACL & AAA-QoS Override | 7.5
EAP-TLS & PEAP Support for Local Authentication | 7.5
Ethernet Fallback | 7.6
VideoStream for Local Switching | 8.0
Faster time to deploy | 8.0
FlexConnect on Mesh APs | 8.0
Why do we need FlexConnect & AP Groups?
Understanding AP Groups
Overview
• AP Groups is a logical concept of grouping APs which deliver similar Wi-Fi services; these services can be:
 • By physical location, and/or
 • By functional services (data, voice, guest, …)
• The same AP groups need to be defined in all WLCs of a mobility group
[Diagram: Central Site Flex 7500 with AP Group 1; WAN; Remote Site A with AP Group 2 and Remote Site B with AP Group 3]

Scaling | 7500/8500 | CT-5508 | WiSM-2 | CT-2504
# AP Groups | 6000 | 500 | 1000 | 50
# WLAN (SSID) | 512 | 512 | 512 | 16
# VLAN (Interfaces) | 4095 | 512 | 512 | 16
AP Groups
Configuration: Create a New Group
AP Groups Usage
Per Location SSID
• AP groups give the ability to enable Wi-Fi Services (WLAN) based on physical location
• Example:
 • Central Site (AP Group 1): Corporate-Voice, Corporate-Data, Guest-Access
 • Manufacturing Site (AP Group 3): Corporate-Voice, Corporate-Data, Scanners
 • Store (AP Group 2): Corporate-Data, Guest-Access
[Diagram: Central Site with Internet access connected to the Manufacturing Site and the Store over the WAN/MAN]
AP Groups Usage
Per AP Group SSID to VLAN Mapping
• AP groups give the ability to statically map a Wi-Fi service (WLAN) to a VLAN based on physical location
• Users see the same Wi-Fi service on all sites
• Admin can monitor and filter based on a different IP@ at each site
• Can also be used to have smaller Wi-Fi subnets, for example per floor subnets in a building
[Diagram: Corporate-Data mapped to VLAN-1, VLAN-2 and VLAN-3 at the Head Office (AP Group 1), Manufacturing Site (AP Group 2) and Store (AP Group 3), connected over the WAN/MAN]
AP Groups
Configuration/VLAN Mapping
Understanding FlexConnect Groups
Overview
• FlexConnect groups allow sharing of:
 • CCKM/OKC fast roaming keys
 • Local/backup RADIUS servers IP/keys
 • Local EAP authentication
 • AAA-Override for Local Switching
 • Smart Image Upgrade
 • AVC
• Scaling information:
Scaling | Flex 7500/8500 | CT-5508 | WiSM2 | CT-2504
FlexConnect Groups | 2000 | 100 | 100 | 30
AP per Group | 100 | 25 | 25 | 25
[Diagram: Central Site Flex 7500 Cluster; WAN; FlexConnect Group 1 and FlexConnect Group 2 at the Remote Sites]

FlexConnect Groups and CCKM/OKC Keys
Overview
• CCKM/OKC keys are stored on FlexConnect APs for Layer 2 fast roaming
• The FlexConnect APs will receive the CCKM/OKC keys from the WLC
• If a FlexConnect AP boots up in standalone mode, it will not get the OKC/CCKM keys from the WLC and fast roaming will not be supported
• FlexConnect supports 802.11r Fast Transition with local key caching.
[Diagram: Central Site with RADIUS Server; CCKM Keys pushed over the WAN to FlexConnect Group 1 and FlexConnect Group 2]
FlexConnect Groups Creation
Step 1: Add a New FlexConnect Group
Step 2: Add APs to the FlexConnect Group
Designing a Resilient Wireless Branch Network
FlexConnect Backup Scenario
WAN Failure
• FlexConnect falls back to local switched mode
• No impact for locally switched SSIDs
• Disconnection of centrally switched SSIDs clients
• Static authentication keys are locally stored in the FlexConnect AP
• Lost features:
 • RRM, WIDS, location, other AP modes
 • Web authentication, NAC
[Diagram: Central Site WLC; WAN failure; Remote Site with local Application Server]
FlexConnect Backup Scenario
WLC Failure with N+1 High Availability
• FlexConnect will first fall back to local switched mode
• No impact for locally switched SSIDs
• Disconnection of centrally switched SSIDs clients
• CCKM roaming allowed in the FlexConnect group
• The FlexConnect AP will then search for the backup WLC; when the backup WLC is found, the FlexConnect AP will resync with the WLC and resume client sessions with central traffic.
• Client sessions with Local Traffic are not impacted during resync with the Backup WLC.
[Diagram: Central Site with primary and N+1 backup WLCs; WAN; Remote Site with Application Server]
FlexConnect Backup Scenario
WLC failure scenario with SSO
• HA considerations:
 • No impact for locally switched SSIDs
 • Disconnection of centrally switched SSIDs clients with AP SSO
 • No/minimal impact for centrally switched clients with Client SSO (7.5 and above)
• FlexConnect AP will NOT transition to Standalone because SSO kicks in
• AP will continue to be in Connected mode with the Standby (now Active) WLC
[Diagram: Central Site with Active and Standby WLCs; WAN; Remote Office with Application Server]
FlexConnect Group: Local Backup RADIUS
Backup Scenario
• Normal authentication is done centrally (Central RADIUS)
• On WAN failure, the AP authenticates new clients with the locally defined RADIUS server
• Existing connected clients stay connected
• Clients can roam with Local Backup RADIUS:
 • CCKM fast roaming, or
 • Reauthentication
[Diagram: Central Site with Central RADIUS; WAN; Remote Site with FlexConnect Group 1 and local RADIUS; CCKM Fast Roaming within the group]
FlexConnect Group: Local Backup RADIUS
Configuration
• Define primary and secondary local backup RADIUS server per FlexConnect group
Local Authentication
• By default the FlexConnect AP authenticates clients through the central controller (Central RADIUS)
• Local Authentication allows use of a local RADIUS server directly from the FlexConnect AP
[Diagram: Central Site with Central RADIUS; WAN; Remote Site with Local RADIUS and FlexConnect Group 1]
Local Authentication
Configuration
FlexConnect Group: Local Backup Authentication
Backup Scenario
• Normal authentication is done centrally (Central RADIUS)
• On WAN failure, the AP authenticates new clients with its local database
• Each FlexConnect AP has a copy of the local user DB
• Existing authenticated clients stay connected
• Clients can roam with:
 • CCKM fast roaming, or
 • Local re-authentication
[Diagram: Central Site with Central RADIUS; WAN; Remote Site with FlexConnect Group 1; CCKM Fast Roaming]

Supported Security Types | Release Version
LEAP | 6.0
EAP-FAST | 6.0
PEAP | 7.5
EAP-TLS | 7.5

FlexConnect Group: Local Backup Authentication
Configuration
• Define users (max 100) and passwords
• Select supported Security protocols i.e. LEAP, EAP-FAST, PEAP or EAP-TLS
Designing Secure & BYOD Enabled Branch Network
FlexConnect Peer-to-peer Blocking
Local Switching Peer-to-peer Blocking (Starting from 7.2)
Description
• Support for Peer-to-Peer blocking in the FlexConnect AP
• Applies to clients on the same FlexConnect AP
• P2P blocking modes: disable or drop
• For P2P blocking inter-AP use ACL or Private VLAN function
[Diagram: Central Site; WAN; Remote Site with Application Server]
Local Switching Peer-to-peer Blocking
Configuration
• Multiple Policy Touch Points
• Both modes of operation will drop the packet @ AP for Local Switching enabled WLAN
* Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream node connected to WLC
FlexConnect AAA VLAN & QoS Override (Starting from 7.2)
FlexConnect AAA VLAN Override
Description
• AAA VLAN Override with local or central authentication
• Up to 16 VLANs per FlexConnect AP
• VLAN ID must be enabled per AP or FlexConnect Group
• If the VLAN ID does not exist, the default VLAN is used, unless « VLAN Based Central Switching » is enabled
• Starting from 7.5 AAA override for QoS is also supported.
[Diagram: RADIUS at the Central Site returns VLAN = 7 and QoS = Platinum, overriding the WLAN's VLAN 3 / Silver QoS at the Remote Site (FlexConnect Group 1, Application Server)]
For Your Reference
FlexConnect AAA VLAN Override
Configuration
• ISE returns the IETF tunnel attributes: IETF 64 (Tunnel-Type), IETF 65 (Tunnel-Medium-Type) and IETF 81 (Tunnel-Private-Group-ID)
• Create Sub-Interface on the FlexConnect AP for the returned VLAN ID
VLAN Based Central Switching
Overview
• While doing AAA VLAN Override with local switching:
 • If the VLAN ID does not exist at the AP, the traffic is centrally switched to the central VLAN ID
 • If the central VLAN ID does not exist, the traffic is centrally switched to the default VLAN ID of the WLAN
[Diagram: Central RADIUS returns VLAN 3 or VLAN 7; VLAN 7 does not exist on this WLC, so traffic goes to the default central VLAN ID; VLAN 3 and VLAN 7 do not exist on the Remote Site APs]
FlexConnect AAA QoS Override (Starting from 7.5)
Description
 Dynamically assign QoS levels and/or bandwidth contracts for local switching, centrally authenticated WLANs
 Web-authenticated WLANs and 802.1X-authenticated WLANs supported
 Order of precedence for Rate Limiting parameters:
  AAA override
  QoS Profile of AAA override
  Local WLAN configuration
  QoS Profile of local WLAN configuration

Vendor ID/Vendor Type Attribute
[14179\002] Aire-QoS-Level
[14179\004] Aire-802.1P-Tag
[14179\007] Aire-Data-Bandwidth-Average-Contract
[14179\008] Aire-Real-Time-Bandwidth-Average-Contract
[14179\009] Aire-Data-Bandwidth-Burst-Contract
[14179\0010] Aire-Real-Time-Bandwidth-Burst-Contract
AAA Override Deployment Scenario
• Problem Statement: the RADIUS server at the Central Site returns VLAN 20, but the VLAN IDs differ per site

Remote Site A: Function | VLAN ID
Engineering | 10
Marketing | 20
Sales | 30

Remote Site B: Function | VLAN ID
Engineering | 11
Marketing | 21
Sales | 31

[Diagram: Central Site returns VLAN 20 over the WAN; each Remote Site has an Application Server; VLAN 20 does not exist at Remote Site B]
VLAN Name Mapping at FlexConnect Group (Starting from 8.1)

Flex Group A (Remote Site A): VLAN Name | VLAN ID
Engineering | 10
Marketing | 20
Sales | 30
. | .
HR | 160

Flex Group B (Remote Site B): VLAN Name | VLAN ID
Engineering | 11
Marketing | 21
Sales | 31
. | .
HR | 161

[Diagram: Central Site VLAN name table (Engineering, Marketing, Sales, …); WAN; Remote Site A uses VLAN IDs 10, 20, 30 and Remote Site B uses VLAN IDs 11, 21, 31]
VLAN Name AAA Override - Solution (Starting from 8.1)
• RADIUS returns the VLAN NAME (Marketing) in Aire-Interface-Name or IETF Tunnel-Private-Group-ID
• Remote Site A maps the name to VLAN 20, Remote Site B maps it to VLAN 21

Remote Site A: VLAN Name | VLAN ID
Engineering | 10
Marketing | 20
Sales | 30

Remote Site B: VLAN Name | VLAN ID
Engineering | 11
Marketing | 21
Sales | 31

[Diagram: Central Site returns VLAN NAME = Marketing over the WAN; the client lands on VLAN 20 at Remote Site A and VLAN 21 at Remote Site B]
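As an added example (not Cisco code), the following Python resolves a RADIUS-returned VLAN value for a FlexConnect client according to the three behaviours in this section: the 7.2 VLAN ID override with fall-back to the default VLAN, the 7.5 VLAN Based Central Switching fall-back, and the 8.1 VLAN name mapping per FlexConnect group, using the Remote Site A/B tables above. How a name with no mapping is handled is an assumption noted in the code.

```python
"""FlexConnect AAA VLAN override resolution, as an added example (not Cisco
code). Site tables come from the slides; the controller values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Union

MAX_AP_VLANS = 16  # VLAN sub-interfaces a FlexConnect AP can carry


@dataclass
class FlexGroup:
    """VLAN mapping of one FlexConnect group (one branch)."""
    name: str
    ap_vlans: Set[int]                 # VLAN IDs with a sub-interface on the AP
    default_vlan: int                  # WLAN's local default VLAN at this site
    vlan_names: Dict[str, int] = field(default_factory=dict)  # 8.1 name -> ID

    def __post_init__(self):
        if len(self.ap_vlans) > MAX_AP_VLANS:
            raise ValueError(f"{self.name}: at most {MAX_AP_VLANS} VLANs per FlexConnect AP")


@dataclass
class Controller:
    central_vlans: Set[int]            # VLAN interfaces present on the WLC
    wlan_default_vlan: int             # WLAN's interface on the WLC
    vlan_based_central_switching: bool = False


@dataclass(frozen=True)
class Decision:
    switching: str   # "local" or "central"
    vlan: int
    reason: str


def resolve_aaa_vlan(aaa_value: Union[int, str], group: FlexGroup, wlc: Controller) -> Decision:
    """aaa_value is what RADIUS returned in Tunnel-Private-Group-ID (IETF 81)
    or Aire-Interface-Name: a VLAN ID or, from 8.1, a VLAN name."""
    if isinstance(aaa_value, str) and not aaa_value.isdigit():
        vlan = group.vlan_names.get(aaa_value)
        if vlan is None:
            # Assumption for this example: a name with no mapping in the
            # group is treated like an absent VLAN and gets the default VLAN.
            return Decision("local", group.default_vlan,
                            f"name {aaa_value!r} not mapped in {group.name}")
    else:
        vlan = int(aaa_value)
    if vlan in group.ap_vlans:
        return Decision("local", vlan, "VLAN present on AP, locally switched")
    if wlc.vlan_based_central_switching:
        if vlan in wlc.central_vlans:
            return Decision("central", vlan, "VLAN absent on AP, switched centrally to that VLAN")
        return Decision("central", wlc.wlan_default_vlan,
                        "VLAN absent on AP and WLC, WLAN default VLAN used centrally")
    return Decision("local", group.default_vlan, "VLAN absent on AP, default VLAN used")


def run_scenario() -> Dict[str, Decision]:
    """Remote Site A uses 10/20/30, Remote Site B uses 11/21/31 (from the slides)."""
    site_a = FlexGroup("Flex Group A", {10, 20, 30}, 10,
                       {"Engineering": 10, "Marketing": 20, "Sales": 30})
    site_b = FlexGroup("Flex Group B", {11, 21, 31}, 11,
                       {"Engineering": 11, "Marketing": 21, "Sales": 31})
    wlc = Controller(central_vlans={10, 20, 30}, wlan_default_vlan=10)
    wlc_vbcs = Controller(central_vlans={10, 20, 30}, wlan_default_vlan=10,
                          vlan_based_central_switching=True)
    return {
        "id 20 at site A": resolve_aaa_vlan(20, site_a, wlc),
        "id 20 at site B, 7.2": resolve_aaa_vlan(20, site_b, wlc),
        "id 20 at site B, VBCS": resolve_aaa_vlan(20, site_b, wlc_vbcs),
        "id 99 at site B, VBCS": resolve_aaa_vlan(99, site_b, wlc_vbcs),
        "name Marketing at site A": resolve_aaa_vlan("Marketing", site_a, wlc),
        "name Marketing at site B": resolve_aaa_vlan("Marketing", site_b, wlc),
    }
```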
FlexConnect ACL VLAN Mapping & Per-Client ACL
FlexConnect ACL – VLAN Mapping (Starting from 7.2)
Overview
• FlexConnect ACLs are applied per VLAN
• FlexConnect ACLs are Ingress / Egress oriented
• Starting from 7.5 FlexConnect ACL supports AAA-returned Client ACL
Scale
• 512 FlexConnect ACL per WLC
• 16 ingress ACL & 16 egress ACL per AP
• 64 ACL rules per ACL
• No IPv6 ACL
[Diagram: Central Site; WAN; Remote Site with Application Server]
FlexConnect Access Lists
Configuration – Create FlexConnect ACL
• FlexConnect ACL rule creation is similar to rule creation for Local Mode AP
FlexConnect ACL – VLAN Mapping
Configuration – FlexConnect ACL per AP
• FlexConnect ACL can be applied per AP using VLAN Mappings configuration
FlexConnect ACL – VLAN Mapping
Configuration – FlexConnect ACL per FlexConnect Group
• FlexConnect ACL can be applied per FlexConnect Group per VLAN in the ACL Mapping tab.
FlexConnect Split Tunneling (Using FlexConnect Split ACL)
FlexConnect ACL – Split Tunneling (Starting from 7.3)
Overview
• Split tunneling allows some traffic to be locally switched although the WLAN is defined as centrally switched
• Split tunneling uses a NAT/PAT feature with an ACL to perform the local switching
• Split tunneling uses the AP IP@ for the NAT/PAT feature
[Diagram: FlexConnect AP with NAT/PAT and ACL; Central Traffic over CAPWAP across the WAN to the WLC and Central Server; Local Traffic to a Local Printer]
FlexConnect ACL – Split Tunneling
Configuration
• Create a centrally switched WLAN (Flex Local switching should not be checked)
• Define Flex ACL to match traffic to be locally switched (central subnet to local subnet)
FlexConnect ACL – Split Tunneling
Configuration – Per Access Point
FlexConnect ACL – Split Tunneling
Configuration – Per FlexConnect Group
Deploying External WebAuth with FlexConnect Local Switching (Using FlexConnect WebAuth ACL)
External WebAuth with Local Switching (Starting from 7.2.110)
Description
• Provides L3 Web Redirect from locally switched VLAN
• Reduces WAN traffic by locally switching guest traffic
• Flexible and centralized web portal creation for multiple sites
• Provides flexible use of Conditional and Splash Page Web Redirect
• FlexConnect AP must be in Connected state with the Centralized Controller for this functionality to work
[Diagram: Central Site with WebServer and Internet access; WAN; Remote Site FlexConnect Group 1 with VLAN 7 - Employee and VLAN 503 - Guest]
External WebAuth with Local Switching
Configuration
Step 1: Configure Pre-Auth ACL that will be applied to FlexConnect Group, AP or WLAN (permit the External Web-Server IP)
External WebAuth with Local Switching
Configuration
Step 2: Apply Pre-Auth ACL to WLAN
External WebAuth with Local Switching
Configuration – Per AP
Step 3: Apply Pre-Auth ACL to FlexConnect AP (map WLAN-Id to Pre-Auth ACL)
External WebAuth with Local Switching
Configuration – Per FlexConnect Group
Or Step 3: Apply Pre-Auth ACL to FlexConnect Group (map WLAN-Id to Pre-Auth ACL)
External WebAuth with Local Switching
Configuration
Step 4: Configure External Web Server (External Web-Server IP)
Deploying BYOD with FlexConnect Local Switching (Using FlexConnect WebPolicies ACL)
BYOD Device On-Boarding in FlexConnect (Starting from 7.4)
Example: Apple iOS Device Provisioning (WLC, ISE, CA-Server)
1. Initial Connection Using PEAP
2. Device Provisioning Wizard; Client Reconnects
3. Future Connections Using EAP-TLS
FlexConnect Access Lists for BYOD
Create FlexConnect ACL
• Create FlexConnect ACL to allow access to Cisco ISE
FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect AP
• ACL Mapping can be configured per FlexConnect AP
FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect Group
• Use ACL Mapping tab in FlexConnect Group configuration
• WebPolicies ACL are not the same as VLAN ACL or WebAuthentication ACL.
Cisco Wireless Central DHCP Processing
Configuration
• To support the DHCP Profiling Probe with FlexConnect, the DHCP request must be sent to the WLC. This is done by the « Central DHCP Processing » configuration.
Deploying BYOD with FlexConnect Wireless
Summary – 802.1x/EAP Authentication
(Participants: client, FlexConnect AP, WLC over CAPWAP across the WAN, ISE, DHCP Server, Web Server)
1. WiFi Association
2. 802.1x/EAP Request (inside CAPWAP); the WLC sends a Radius Access-Request to ISE
3. ISE: Unknown Device, Redirect to registration. Radius Access-Response:
 • Access-Type: Access-Accept
 • URL-Redirect-ACL=FlexACLWebPolicy
 • URL-Redirect=http://……
4. URL + ACL Redirect sent to the AP inside CAPWAP
5. 802.1x/EAP Response (inside CAPWAP) to the client
Deploying BYOD with FlexConnect Wireless
Summary – DHCP Request
1. DHCP Request (inside CAPWAP) to the WLC
2. RADIUS-Accounting to ISE with host-name=MyiPad and dhcp-class-identifier=APPLE; ISE profiles the device as an Apple iPad
3. DHCP Lease (inside CAPWAP) to the client
Deploying BYOD with FlexConnect Wireless
Summary – URL-Redirect
1. HTTP Request from the client is redirected to the WLC by the AP (inside CAPWAP)
2. WLC returns the URL-Redirect to the client
Deploying BYOD with FlexConnect Wireless
Summary – Registration & Provisioning
1. Device Registration & Provisioning with ISE; the device is registered
2. ISE triggers a Change-of-Authorization (RADIUS Change-of-Authorization to the WLC)
3. EAP DeAuthentication of the client
4. EAP Authentication runs again
Deploying BYOD with FlexConnect Wireless
Summary – Device Access
1. 802.1x/EAP Request/Response (inside CAPWAP); Radius Access-Request to ISE; the device is registered and provisioned
2. Radius Access-Response: Allow Access
3. DHCP Request/Response (inside CAPWAP)
4. Web Traffic
Summary of FlexConnect ACLs
VLAN-ACL: Applied on the 802.3 interface of the FlexConnect AP
AAA returned Client ACL: Applied on the 802.11 interface of the AP
Split Tunnel ACL: Allows some traffic to be locally switched
Web Authentication ACL: Provides L3 Web Redirect for local switching
Web Policies ACL: BYOD with FlexConnect
Operating Wireless Branch
Smart Upgrade over WAN (Starting from 7.2)
Upgrading a FlexConnect Deployment
Concerns
• Sites using FlexConnect APs are usually sites with low WAN bandwidth
• Each site may have a small number of APs, but an enterprise may have a lot of branches
• Upgrading ~6000 APs through a low bandwidth WAN is a challenge:
 • Time needed to download all the AP firmware
 • Exhaustion of the WAN link
 • Risk of failures during the download
FlexConnect Smart AP Image Upgrade (Starting from 7.2)
Overview
• Smart AP Image Upgrade uses a « master » AP in each FlexConnect Group to download the code.
• Other FlexConnect APs download the code from the master locally
1. Download WLC upgraded firmware (will become primary)
2. Force the « boot image » to be the secondary (and not the newly upgraded one) to avoid parallel download of all APs in case of unexpected WLC reboot
3. WLC elects a master AP in each FlexConnect Group (can also be set manually)
[Diagram: Cisco Prime and Wireless LAN Controller at the Central Site, Firmware Image Primary: New, Secondary: Old; WAN; Remote Site-1 to Remote Site-N each with a Master AP]
FlexConnect Smart AP Image Upgrade
Description (Cont…)
4. Master AP « Pre-downloads » the AP firmware in the secondary « boot image » (will not disrupt the actual service); can be started group per group to limit WAN exhaustion
5. Slave APs « Pre-download » the AP firmware from the Master AP
6. Change the « boot image » of the WLC to the new image
7. Reboot the controller
[Diagram: Wireless Control System and Wireless LAN Controller at the Central Site, Firmware Image Primary: Old, Secondary: New; WAN; Remote Site-1 to Remote Site-N each with a Master AP and AP Firmware Image Primary: Old, Secondary: New]
FlexConnect Smart AP Image Upgrade
Configuration
• Enable Efficient AP Image Upgrade
• Valid Range is 1-63
• Random Backoff Interval (100-300 sec) between each retry
• Master AP Selection is Optional
• “FlexConnect AP Upgrade” checkbox has to be enabled for each FlexConnect Group.
• By default, the Master AP for each FlexConnect Group is selected using the Lower-MAC algorithm.
• One Master is selected per AP type.
FlexConnect Smart AP Image Upgrade
Configuration contd.
• Per Branch or FlexConnect Group Upgrade
• Upgrade across all Branches or FlexConnect Groups whose “FlexConnect AP Upgrade” checkbox is set
FlexConnect VideoStream
Video Multicast Delivery Challenges
Technical Challenges
• Multicast packets (UDP) are sent as broadcast packets over the air per the 802.11 standard
• Broadcast packets do not use error correction: “fire and forget”
• Broadcast packets are sent at the data rate mandatory to all clients connected to the WLAN: 1 Mb for B/G (400K actual), 6 Mb for A (2.7 Mb actual)
• Heavy utilization of channel due to high rate of very slow packets
Video Impact
• Choppy, Unreliable Video
• Video Stream does not utilize 802.11n/ac High Throughput data rates
• Video delivery is not reliable causing poor Quality of Experience
[Figure: Video Server sending to N clients; 802.11 data rates 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 and MCS M0 … M15, with the default 802.11B/G mandatory data rates highlighted]
Video Multicast Delivery Solution (Starting from 8.0)
Technical Solution
• IGMP state monitored for each client. Only send video to clients requesting it
• Sent as unicast to individual clients at their data rate
• Multicast packets replicated at the AP
Video Impact
• Smooth, Reliable Video delivered to multiple clients
• Quality of Video protected in varying channel load conditions
• Prioritizes Business Video (QoS Gold) over other video (Best-effort)
[Figure: same data-rate ladder as above; unicast copies are sent at each client's rate instead of the default 802.11B/G mandatory data rates]
FlexConnect VideoStream Configuration
Enable VideoStream - Global
(Cisco Controller) >config media-stream multicast-direct ?
enable         Enable Global Multicast to Unicast Conversion
disable        Disable Global Multicast to Unicast Conversion
FlexConnect VideoStream Configuration
Add Stream Configuration
(Cisco Controller) >configure media-stream add multicast-direct <media-stream-name> <start-IP> <end-IP> [template | detail <bandwidth> <packet-size> <Re-evaluation> video <priority> <drop|fallback>]
FlexConnect VideoStream Configuration
Enable VideoStream - WLAN
(Cisco Controller) >config wlan media-stream multicast-direct 1 ?
enable         Enables Multicast-direct on the WLAN
disable        Disables Multicast-direct on the WLAN.
FlexConnect VideoStream Monitoring
Controller
(Cisco Controller) >show flexconnect media-stream client summary
Client Mac         Stream Name          Multicast IP    AP-Name                   VLAN  Type
-----------------  -------------------- --------------- ------------------------- ----- ----------------
7c:d1:c3:86:7e:dc  Media2               229.77.77.28    AP_1600                   0     Multicast Direct
88:cb:87:bd:0c:ab  Media2               229.77.77.28    AP_1600                   0     Multicast Direct
d8:96:95:02:7e:b4  Media2               229.77.77.28    AP_1600                   0     Multicast Direct
FlexConnect Bridge Mode Support

FlexConnect on Mesh APs (Starting from 8.0)
• New AP mode that allows FlexConnect behavior across mesh-enabled APs
• Control plane supports:
  • Connected (WLC is reachable)
  • Standalone (WLC not reachable)
• Data plane supports:
  • Centralized (split MAC)
  • Local (local MAC)
• FlexConnect Groups
• Max 8 mesh hops, max 32 MAPs per RAP
• Local AAA support
• A WLC can have a mix of Bridge and Flex+Bridge APs
• MAPs inherit VLANs from their connected RAP

(Figure: central site WLCs across the WAN from a remote office RAP/MAP tree; the central data WLAN is switched centrally, the local data WLAN is switched locally)
FlexConnect on Mesh AP Failover
• AP SSO is supported for the RAP only
• Flex+Bridge deployments should be implemented with N+1 redundancy
• Multi-sector RAP deployments can be used for redundancy
• The RAP goes to standalone mode when the WLC is not reachable
• MAPs go to standalone mode when the WLC is not reachable but the gateway is
• When in standalone mode no new mesh AP can join the mesh tree

(Figure: primary and secondary WLCs across the WAN from the remote office; the application server is reachable locally)
AP Modes Feature Comparison (For Your Reference)

Feature \ AP Mode                              | Local Mode | Bridge Mode                                  | FlexConnect Mode | Flex+Bridge Mode
Central Switching                              | Yes        | Yes                                          | Yes              | Yes
Root Ethernet VLAN                             | No         | Yes (secondary Ethernet bridging hosts)      | Yes              | Yes
Secondary Ethernet Access Ports                | No         | Yes                                          | No               | Yes
Secondary Ethernet VLAN Trunk Ports            | No         | Yes                                          | No               | Yes
Local VLAN Inheritance by MAPs from RAPs       | No         | Yes - secondary Ethernet "access" ports only | No               | Yes - both bridged 802.11 WLANs and Ethernet "access" ports
Wireless Child Mesh APs                        | No         | Yes                                          | No               | Yes
Fault Tolerant Resilient Mode                  | No         | No                                           | Yes              | Yes
Security ACLs per VLAN on Ethernet Root Ports  | No         | No                                           | Yes              | Yes (on RAPs)
Integrated IP Routing (PPP/PPPoE/NAT)          | No         | No                                           | Yes              | Yes (on RAPs)
VLAN Transparent Bridging                      | No         | No                                           | No               | No
Path Control Protocol                          | No         | Yes                                          | No               | Yes
FlexConnect Bridge Mode Configuration
• Wireless > Access Points > AP_NAME > General: AP mode (the AP will reboot upon change)
• Wireless > Access Points > AP_NAME > FlexConnect: same options as an AP in Flex mode
FlexConnect Application Visibility and Control (Starting from 8.1)

How the AVC solution works (AireOS 8.1):
• Deep Packet Inspection - NBAR on the AP: the DPI engine (NBAR2) identifies applications using L7 signatures
• Performance Collection & Exporting: the AP collects application info and exports it to the controller/switch every 90 seconds (static Netflow)
• Reporting Tool: an advanced reporting tool aggregates and reports application performance in the App Visibility & User Experience Report (App / BW / Transaction Time, e.g. WebEx 3 Mb 150 ms; Citrix 10 Mb 500 ms)
• Control: use QoS to control application bandwidth usage to improve application performance
AVC on FlexConnect APs (Starting from 8.0)
• Netflow export from the branch Gen2 AP (Katana) across the WAN to the WLC: real-time information for the last 90 seconds
• Stateful context transfer on roam
• Static Netflow export from the WLC to CPI or a third-party Netflow collector
• Example flow table on the AP (Flow ID / App Name / Packets): 1 WebEx 1000; 2 Msft-Lync 2300; 3 Skype 660
• NBAR2 (1000+ applications) and Netflow will be ported onto Access Points!
• Stateful context transfer will be supported for intra FlexConnect Group roams
AVC for FlexConnect APs

Support on AP:
• NBAR2 engine on FlexConnect AP
• Protocol Pack 8.0
• NBAR engine version 16
• Send flows to WLC every 90 sec using Netflow
• Classification and Control at AP
  • Mark (DSCP)
  • Drop
  • Rate-limit

Support on WLC:
• Export to external Netflow supported
• Intra FlexConnect Group Roaming Support
• Supported on all controller models except 2504
• Supported on Gen 2 APs: 1600, 2600, 3600, 1700, 2700, 3700, 1532, 1570
• FlexConnect and Flex+Bridge mode supported
AVC Configuration on Local Switching WLAN
• WLAN AVC configuration (WLAN-specific): application visibility enable/disable, profile and monitor per WLAN

AVC Configuration per FlexConnect Group
• FlexConnect Group specific AVC configuration takes precedence over the WLAN AVC config
• No AP specific AVC configuration
• WLAN AVC configuration will be pushed to Flex APs where the WLAN is broadcast
• FlexConnect Group AVC: enable/disable

FlexConnect AVC Profiles
• Can be associated under WLAN and/or FlexConnect Group
• FlexConnect AVC profiles coming in 8.1

FlexConnect AVC Applications
• Protocol Pack version 8.0
• Engine version 16

Monitoring AVC Statistics per FlexConnect Group
• Per client AVC statistics
• Per FlexConnect Group AVC statistics
FlexConnect Best Practices
 Enable FlexConnect Groups
 CCKM/OKC key sharing for voice deployments
 Enable Smart AP Image Upgrade
 Design for resiliency
 VLAN-WLAN mappings at Group level
 Consistent configuration across Primary and Backup WLCs
FlexConnect Best Practices
• Check AP model for FlexConnect support
  • AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600, AP-2600, AP-3600, AP-3700, AP-1520, AP-1530, AP-1550
• Check design considerations
  • Minimum WAN bandwidth, maximum RTT, minimum MTU, fragmentation
  • QoS to prioritize the CAPWAP control channel - UDP 5246
• Consider feature limitations in Standalone mode/Local Switching
  • Web-authentication, Layer 3 roaming, TrustSec SXP
• Define FlexConnect Groups
  • CCKM/OKC roaming for voice, Local EAP, local backup RADIUS, Smart AP Image Upgrade
• Enable Local Switching on the SSID, VLAN support, native VLAN ID on the WLC
  • Reduced WAN bandwidth utilization
  • Switch port trunk for multiple-VLAN local switching; match the native VLAN ID
FlexConnect Best Practices contd.
• Design for resiliency
  • Enable local primary and secondary backup RADIUS servers
  • Enable Local EAP – EAP-FAST, PEAP (7.5), EAP-TLS (7.5)
  • WLC backup management interface port (in case of port failure)
• Smart AP Image Upgrade
  • Conserves WAN bandwidth
  • Reduces upgrade-induced service downtime
  • Reduces risk of download failure
• VLAN-ACL, WLAN-VLAN mapping precedence
  • AP > FlexConnect Group > WLAN
  • If a VLAN is created at the AP using WLAN-VLAN mapping, the ACL should also be created on the AP (not at the FlexConnect Group)
• wIPS and wIPS Enhanced Local mode supported
FlexConnect Best Practices contd.
• AAA override of ACL/VLAN
  • ACL/VLAN should be pre-created using AP/FlexConnect Group level config
  • VLAN-based Local Switching: best effort to put the client on the VLAN returned from the AAA server
• VLAN tagging feature
  • No native VLAN config for the AP; all AP-generated packets are tagged
  • Connect the AP to a trunk port
• Central DHCP and Local split tunnel feature
  • Static IP clients not supported
  • Uses the routing functionality of the AP
• NAT-PAT support is mandatory for PPPoE APs
Summary
• Cisco Unified Wireless Network based on Controllers delivers a Wireless Branch Solution
• FlexConnect is the feature designed to solve remote connectivity and WAN constraints
• Several failover scenarios are targeted to offer survivability of small remote sites

References:
• Wireless LAN Controller Scale Comparison Guide: http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#controllers
• FlexConnect Branch Controller Deployment Guide: http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html
• FlexConnect feature matrix: http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html
• Wireless Best Practices: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-best-practice.html
Wireless LAN Security & Threat Mitigation

Objective
"Prevention is better than cure"
Without prevention you are screwed, because Wireless has no boundaries

Agenda
• Wireless Security Threats
• DEMO – Think like an Attacker
• Wireless Intrusion Prevention Best Practices
• Attack Detection & Mitigation Techniques
• Network Design Considerations

Attend BRKEWN-2015 to learn more about Wireless Security
Wireless Security Threats

Wireless Attack Vectors

On-Wire Attacks:
• Ad-hoc Wireless Bridge – client-to-client backdoor access
• Rogue Access Points – backdoor network access

Over-the-Air Attacks:
• Evil Twin/Honeypot AP – connection to a malicious AP
• Denial of Service – service disruption
• Reconnaissance – seeking network vulnerabilities
• Cracking Tools – sniffing and eavesdropping

Non-802.11 Attacks:
• Bluetooth, microwave, RF jammers, radar

Attacker's Nirvana – Tools to hide from Infrastructure
• Spoofing pyramid: BSSID (radio MAC), ESSID (wireless SSID), channel & Tx power (no regulatory restrictions), Bridge/NAT interfaces (DHCP, DNS, SSLstrip etc.)
• Platforms: Kali NetHunter (post-2014) or USB wireless cards
Demo – Think like an Attacker
• Dupe the user
• Guest portal bypass
• Service disruption
• Backdoor access

Watch the demo on YouTube: https://www.youtube.com/user/karanyuj
Wireless Intrusion Prevention Best Practices

Wireless Security Pre-requisites
• Secure the connection
• Identify users
• Classify applications
• Control access
Across all endpoints: client, access point, switch, Wireless LAN Controller, Identity Services Engine

Secure the Connection
Authentication best practices: use WPA2-Enterprise

Strong authentication:
• Tunneling-based (protective cover): EAP-PEAP, EAP-TTLS, EAP-FAST
• Inner methods (authentication credentials): EAP-GTC, EAP-MSCHAPv2
• Certificate-based: EAP-TLS

Strong encryption:
• AES – Advanced Encryption Standard that requires hardware support & achieves line-rate speeds

EAP Methods Comparison (For Your Reference)

                                    | EAP-TLS | PEAP   | EAP-FAST
Fast Secure Roaming                 | Yes     | Yes    | Yes
Local WLC Authentication            | Yes     | Yes    | Yes
OTP (One Time Password) Support     | No      | Yes    | Yes
Server Certificates                 | Yes     | Yes    | No
Client Certificates                 | Yes     | No     | No
PAC (Protected Access Credentials)* | No      | No     | Yes
Deployment Complexity               | High    | Medium | Low

* PACs can be provisioned anonymously for minimal complexity.
Secure Your Wireless Infrastructure End-Points
1. Enable the 802.1x supplicant on the AP
2. Configure switch port security: 802.1x authentication of the AP against the RADIUS server (ISE)
• CAPWAP DTLS using Manufacturer Installed Certificates: default out-of-the-box behavior for mutual authentication between AP and WLC
Management Frame Protection (MFP)

Problem:
• Wireless management frames (beacons, probes, association) are not authenticated, encrypted, or signed
• A common vector for exploits

Solution:
• Insert a signature (Message Integrity Code/MIC) into the management frames
• APs can instantly identify rogue/exploited management frames
• Optionally, clients and APs use the MIC to validate the authenticity of management frames
Infrastructure MFP Operation
1. Enable Infrastructure MFP: WLC GUI > Security > Wireless Protection Policies > MFP

(Figure, callouts 2 and 3: APs in Corporate Building 1 and Corporate Building 2 whose radios cannot hear each other, with BSSIDs 11:11:11:11:11:11 and 22:22:22:22:22:22, and a second radio claiming BSSID 11:11:11:11:11:11)
Client MFP and 802.11w Operation
• Protected management frames with MIC (CCXv5): beacons, probe requests/probe responses, associations/re-associations, authentications/de-authentications, disassociations, action management frames
• Protected frames with a Security Association (SA) between AP and client

(Figure: attacker spoofing the AP and the client)
Wi-Fi Direct Policy
• Wi-Fi Direct allows a corporate laptop simultaneous access to the Corporate WLAN & unauthorized devices (backdoor access)
• Prevent access to the Corporate WLAN when Wi-Fi Direct is enabled on corporate wireless devices
Identify Users & Enforce Policy

Profiling Strategies

ISE Base (ISE Wireless):
• AAA
• Guest Provisioning
• Device profiling & policy control by the WLC (wireless only)

ISE Advanced:
• AAA
• Guest Provisioning
• Device Profiling
• Device On-boarding
• Device Posturing
• Partner MDM Integration
• Profiling & policy enforcement across any access medium
Profiling and Policy Enforcement Options
• Network components: WLC (wireless only) and RADIUS server (e.g. ISE Base, ACS)
• Profiling factors: user role, device type, authentication, time of day
• Policy enforced: VLAN, access list, QoS, session timeout, AVC

Profiling & Policy Enforcement Workflow (ISE Base)
• Auth. Request from the WLC to ISE; the Auth. Response carries the Cisco-AV-Pair Role=Finance
• AAA services by ISE Base; device profiling & policy enforcement by the WLC
• Example: a Finance user on a corporate device is placed in VLAN 7 with QoS = Platinum; the same user on a personal device is placed in VLAN 3 with QoS = Silver
Classify Applications & Control Access

What is the Need for Application Visibility and Control?
• Why is the wireless performance of my network so low?
• Should I add more Access Points to improve the user experience?
• What if someone is running BitTorrent against company policy & hurting the overall user experience?

Introducing Application Visibility and Control on WLC
• Identify applications using NBAR2
• Control application behavior: classify client traffic as Voice, Video, Best-Effort or Background, apply rate limiting, or don't allow it
Attack Detection & Mitigation Techniques

Listening for Rogues: Two Different AP Modes for RRM Scanning
• Local Mode AP: serves clients for 16s, then scans for 50ms (best effort scanning)
• Monitor Mode AP: scans 1.2s per channel (24x7 scanning)
• Rogue detection basics: RF Group = Corporate; any AP not broadcasting the same RF Group is considered a rogue
RRM Channel Scanning Basics – Local Mode AP (serves data)

AP on channel 1 – 802.11b/g/n (2.4GHz) – US country channels (detect time 10ms):
  16s on 1 | 50ms on 2 | 16s on 1 | 50ms on 3 | 16s on 1 | 50ms on 4 | 16s on 1 | 50ms on 5 | 16s on 1 | 50ms on 6 | 16s on 1 | 50ms on 7 | 16s on 1 | …
 Every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)

AP on channel 36 – 802.11a/n (5GHz) – US country channels (without UNII-2 Extended) (detect time 10ms):
  14.5s on 36 | 50ms on 40 | 14.5s on 36 | 50ms on 44 | 14.5s on 36 | 50ms on 48 | 14.5s on 36 | 50ms on 52 | 14.5s on 36 | 50ms on 56 | 14.5s on 36 | 50ms on 60 | 14.5s on 36 | 50ms on 64 | 14.5s on 36 | 50ms on 149 | …
 Every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)

RRM Channel Scanning Basics – Monitor Mode AP

802.11b/g/n (2.4GHz) – all channels (detect time 10ms): 1.2s on each of channels 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, …
 Each channel is scanned a total of ~10.7s ((180s / 1.2s) / 14ch) within the 180s channel scan duration

802.11a/n (5GHz) – all channels (detect time 10ms): 1.2s on each of channels 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, …
 Each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration
Rogue Classification Rules – Who is more harmful?
 Classification based on threat severity and mitigation action
 Rules tailored to the customer's risk model

Friendly          | Malicious
Off-network       | On-network
Secured           | Open
Foreign SSID      | Our SSID
Weak RSSI         | Strong RSSI
Distant location  | On-site location
No clients        | Attracts clients

Rogue Classification Rules Example (screenshot)
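The Friendly/Malicious factors above can be expressed as an ordered rule set, the way WLC rogue rules are built: each rule names a class, a priority, a match mode (all/any) and its conditions, and the first matching rule wins. The following is an added illustration with a constructed rule set and constructed detections, not the session's or Cisco's code; OUR_SSIDS, the rule names and the sample BSSIDs are made up.

```python
"""Rogue AP classification modelled on the WLC rogue-rule approach on the
slides. Rules are evaluated in priority order; the first rule whose
conditions match decides the class (Friendly or Malicious), otherwise the
rogue stays Unclassified for an administrator to review."""
from dataclasses import dataclass, field

OUR_SSIDS = {"corp-secure", "corp-guest"}   # constructed: the managed SSIDs


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi: int          # dBm at the strongest detecting AP
    encrypted: bool
    on_wire: bool      # confirmed on the wired network (rogue detector, RLDP or SPT)
    client_count: int
    duration_s: int    # seconds since first detected


@dataclass
class Rule:
    name: str
    classify_as: str   # "Friendly" or "Malicious"
    priority: int      # lower value is evaluated first
    match: str         # "all" or "any" of the conditions
    conditions: dict = field(default_factory=dict)


# Condition evaluators, one per factor on the Friendly/Malicious slide.
CONDITIONS = {
    "managed-ssid":   lambda r, v: (r.ssid in OUR_SSIDS) == v,   # "our SSID"
    "no-encryption":  lambda r, v: (not r.encrypted) == v,       # "open"
    "on-network":     lambda r, v: r.on_wire == v,               # "on-network"
    "rssi-above":     lambda r, v: r.rssi >= v,                  # "strong RSSI"
    "rssi-below":     lambda r, v: r.rssi < v,                   # "weak RSSI"
    "clients-above":  lambda r, v: r.client_count >= v,          # "attracts clients"
    "duration-above": lambda r, v: r.duration_s >= v,
    "ssid-substring": lambda r, v: v.lower() in r.ssid.lower(),  # look-alike SSID
}


def rule_matches(rule: Rule, rogue: Rogue) -> bool:
    results = [CONDITIONS[key](rogue, value) for key, value in rule.conditions.items()]
    if not results:
        return False                       # an empty rule never matches
    return all(results) if rule.match == "all" else any(results)


def classify(rogue: Rogue, rules: list) -> tuple:
    """Return (class, rule name) for the first matching rule by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, rogue):
            return rule.classify_as, rule.name
    return "Unclassified", None


def classify_all(rogues: list, rules: list) -> dict:
    return {r.bssid: classify(r, rules) for r in rogues}


# Constructed rule set, most severe first (lowest priority number wins).
RULES = [
    Rule("honeypot-our-ssid", "Malicious", 1, "any", {"managed-ssid": True}),
    Rule("on-wired-network", "Malicious", 2, "any", {"on-network": True}),
    Rule("open-onsite-with-clients", "Malicious", 3, "all",
         {"no-encryption": True, "rssi-above": -70, "clients-above": 1}),
    Rule("lookalike-ssid", "Malicious", 4, "any", {"ssid-substring": "corp"}),
    Rule("distant-neighbour", "Friendly", 10, "all",
         {"managed-ssid": False, "on-network": False,
          "rssi-below": -80, "duration-above": 3600}),
]

# Constructed detections (MACs are locally administered placeholders).
SAMPLE_ROGUES = [
    Rogue("02:aa:00:00:00:01", "corp-secure", -55, False, False, 3, 120),       # evil twin
    Rogue("02:aa:00:00:00:02", "CoffeeShop-5G", -88, True, False, 0, 86400),    # neighbour
    Rogue("02:aa:00:00:00:03", "MyHomeRouter", -60, True, True, 1, 900),        # AP plugged into the LAN
    Rogue("02:aa:00:00:00:04", "Free-WiFi", -65, False, False, 0, 300),         # open, no clients yet
    Rogue("02:aa:00:00:00:05", "Corp-Secure Setup", -72, False, False, 0, 60),  # look-alike name
]

if __name__ == "__main__":
    for bssid, (cls, rule) in classify_all(SAMPLE_ROGUES, RULES).items():
        print(f"{bssid}  {cls:<12} {rule}")
```

The fourth sample stays Unclassified on purpose: an open AP with no clients and a middling RSSI fits neither column of the slide, which is exactly the case the rules should hand to a human rather than auto-contain.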
Wired Rogue Detection Methods

Rogue Detector AP (on a trunk port, not data serving):
 Detects all rogue client and Access Point ARPs
 The controller queries the rogue detector to determine if rogue clients are on the network

Rogue Location Discovery Protocol (RLDP) (run by a data serving AP):
 Connects to the rogue AP as a client
 Sends a packet to the controller's IP address
 Only works with open rogue access points
 Does not work with NAT APs
Rogue Detector AP Operation
• Cisco Prime: alarm changed from Minor to Critical
• WLC security alert: Rogue with MAC Address 0021.4458.6651 has been detected on the wired network (BSSID: 0021.4458.6652)
• Rogue detector AP on a trunk port; the debug shows the match being reported:

> debug capwap rm rogue detector
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6651 found on net msg
Rogue Detector AP Mode – Example Deployment Scenario
• One rogue detector each in Bldg 1, Bldg 2 and Bldg 3
 Install one rogue detector at each Layer 3 boundary.
 Put more simply – ensure all VLANs are monitored by a rogue detector.

Rogue Detector AP Mode – Configuration
• All radios become disabled in this mode
• Switch port towards the rogue detector AP is a trunk; the native VLAN is the AP's own VLAN:

interface GigabitEthernet1/0/5
 description Rogue Detector
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 113
 switchport mode trunk
 ! on a trunk port portfast only takes effect with the trunk keyword
 spanning-tree portfast trunk
Rogue Location Discovery Protocol (RLDP) Operation
• Cisco Prime: alarm changed from Minor to Critical
• WLC security alert: Rogue with MAC Address 0021.4458.6652 has been detected on the wired network (BSSID: 0021.4458.6652)

> debug dot11 rldp
Successfully associated with rogue: 00:21:44:58:66:52
Sending DHCP packet through rogue AP 00:21:44:58:66:52
RLDP DHCP BOUND state for rogue 00:21:44:58:66:52
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Received 32 byte ARLDP message from: 172.20.226.253:52142
Rogue Location Discovery Protocol – Automatic Operation
• Two automatic modes of operation:
  – 'AllAPs' – uses both Local and Monitor mode APs
  – 'MonitorModeAPs' – uses only Monitor mode APs
• Recommended: Monitor Mode APs – RLDP can impact service on client-serving APs
Switchport Tracing (SPT) using Cisco Prime

(Figure: 1 – Cisco Prime runs "show cdp neighbors" on the corporate AP detecting the rogue; 2 – queries the CAM table of the neighbouring access switch; 3 – queries the CAM table of the next switch towards the core)

Switchport Tracing: on-demand or automatic
 Identifies CDP neighbors of APs detecting the rogue
 Queries the switches' CAM table for the rogue's MAC
 Works for rogues with security and NAT

SPT matches on:
• Rogue client MAC address
• Rogue vendor OUI
• Rogue MAC +3/-3
• Rogue MAC address

Switchport Tracing (SPT) Containment Action
• Uncheck a match type to shut the port
• Number of MACs found on the port
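The four SPT match types and the two containment knobs on the slides (which match types may shut a port, and how many MACs may be on the port) can be worked through against a CAM table. The block below is an added illustration, not Cisco Prime's code; the CAM table, switch names, ports and rogue client MAC are constructed, and only the rogue BSSID and its wired-side MAC come from the earlier rogue detector slide.

```python
"""Switchport Tracing (SPT) match logic: search the CAM tables collected from
the switches for the rogue MAC itself, the rogue's client MACs, MACs within
+3/-3 of the BSSID (a rogue AP's wired MAC is usually adjacent to its radio
MAC, as with the 0021.4458.6651 / 0021.4458.6652 pair on the slides) and the
rogue's vendor OUI, then decide which ports the containment action may shut."""
from collections import Counter


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


# Match types in decreasing confidence, named as on the SPT slide.
MATCH_ORDER = ["rogue-mac", "rogue-client-mac", "rogue-mac+/-3", "vendor-oui"]


def spt_match(bssid: str, rogue_clients, cam_table, window: int = 3) -> list:
    """Return CAM entries that point at the rogue, most confident first."""
    target = mac_to_int(bssid)
    clients = {mac_to_int(m) for m in rogue_clients}
    matches = []
    for switch, port, mac, vlan in cam_table:
        value = mac_to_int(mac)
        if value == target:
            kind = "rogue-mac"
        elif value in clients:
            kind = "rogue-client-mac"
        elif abs(value - target) <= window:
            kind = "rogue-mac+/-3"
        elif value >> 24 == target >> 24:          # same 24-bit vendor OUI
            kind = "vendor-oui"
        else:
            continue
        matches.append({"switch": switch, "port": port, "vlan": vlan,
                        "mac": int_to_mac(value), "match": kind})
    matches.sort(key=lambda entry: MATCH_ORDER.index(entry["match"]))
    return matches


def containment_candidates(matches, cam_table,
                           shut_on=("rogue-mac", "rogue-client-mac", "rogue-mac+/-3"),
                           max_macs_on_port: int = 5) -> list:
    """Ports the SPT containment action would shut.

    shut_on mirrors the match-type checkboxes (vendor OUI alone is left out
    here because it also hits legitimate devices from the same vendor);
    max_macs_on_port mirrors the MAC-count limit: a port carrying many MACs
    is an uplink or a hub, and shutting it takes innocent users down too."""
    macs_per_port = Counter((sw, port) for sw, port, _, _ in cam_table)
    ports = []
    for entry in matches:
        key = (entry["switch"], entry["port"])
        if (entry["match"] in shut_on
                and macs_per_port[key] <= max_macs_on_port
                and key not in ports):
            ports.append(key)
    return ports


# Constructed inputs: BSSID and wired MAC from the slides, everything else made up.
ROGUE_BSSID = "0021.4458.6652"
ROGUE_CLIENTS = ["02:aa:bb:cc:dd:01"]
CAM_TABLE = [
    ("sw-bldg1-acc1", "Gi1/0/7",  "0021.4458.6651",    113),  # rogue AP wired side, BSSID-1
    ("sw-bldg1-acc1", "Gi1/0/12", "00:21:44:9a:00:01", 113),  # same vendor, probably legitimate
    ("sw-bldg2-acc1", "Gi1/0/3",  "02:aa:bb:cc:dd:01", 30),   # rogue client, now seen on the wire
] + [
    # uplink port: many MACs, one of them sharing the rogue's OUI
    ("sw-bldg1-acc1", "Gi1/0/24", f"02:00:00:00:00:{i:02x}", 20) for i in range(1, 6)
] + [("sw-bldg1-acc1", "Gi1/0/24", "00:21:44:9a:00:02", 20)]

if __name__ == "__main__":
    found = spt_match(ROGUE_BSSID, ROGUE_CLIENTS, CAM_TABLE)
    for entry in found:
        print(entry)
    print("shut:", containment_candidates(found, CAM_TABLE))
```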
Wireless Rogue AP Containment

Local Mode AP (broadcast & unicast de-auth):
 A local mode AP can contain 3 rogues per radio
 Containment packets are sent every 500ms
 Impacts associated clients' performance

Monitor Mode AP (unicast de-auth & unicast dis-assoc):
 A monitor mode AP can contain 6 rogues per radio
 Containment packets are sent every 100ms

Automatic Rogue AP Containment
• WLC option to use only Monitor Mode APs for containment, to prevent impact to clients
• Use auto-containment only to nullify the most alarming threats
• Containment can have legal consequences when used improperly
Rogue Location – On-Demand using Cisco Prime
• Allows an individual rogue AP to be located on-demand
• Keeps no historical record of rogue location
• Does not locate rogue clients

Rogue Location – In Real-Time with Prime and Mobility Services Engine (MSE) Context-Aware
• Tracks multiple rogues in real-time (up to MSE limits)
• Can track and store rogue location historically
• Provides location of rogue clients, rogue ad-hoc networks & non-WiFi interferers (e.g. microwave, Bluetooth)

Zone of Impact with Prime and MSE Context-Aware: shown for both rogue access points and non-WiFi interferers
Cisco's Attack Detection Mechanisms

WLC Base IDS:
• Rogue AP and client detection
• 17 common attack signatures
• Coordinated rogue containment

Adaptive wIPS (reported through Cisco Prime):
• Alarm aggregation, consolidation and false positive reduction
• Enhanced DoS attack behaviour analysis – 115 attack signatures
• Anomaly detection
• Forensic, blacklisting, auto containment, and auto immunity responses

Adaptive wIPS Signature Example: DNS tunnel detection and ICMP tunnel detection, each with a configurable action
Network Design Considerations

Adaptive wIPS Deployment Recommendations
• Enhanced Local Mode (ELM): a local mode AP serves clients for 16s, then scans 50ms for attacks (best effort scanning). Enable ELM on every deployed AP
• Monitor Mode AP: scans 1.2s per channel for attacks (24x7 scanning). Deploy 1 MM AP for every 5 Local Mode APs
• WSSI Module: the local mode AP serves clients while the module scans 1.2ms for attacks (24x7 scanning). Deploy 1 WSSI for every 5 Local Mode APs
High Availability Design
Patrick Croak, Consulting Systems Engineer, CCIE Wireless #34712

The New Normal
• High Density: how many devices do you have?
• High Quality: no coverage holes
• High Performance: who wants Gigabit over WiFi?
• What about High Availability? What if the network goes down??

Agenda
• Radio Frequency (RF) High Availability (HA)
  • Site Survey, RRM, CleanAir, etc.
• Network Infrastructure HA
• Wireless Controller HA
• Management and Mobility Services HA
Radio Frequency (RF) High Availability
• RF HA is the ability to have redundancy in the physical layer
• What does it translate to in practice?
  • Creating a pervasive, stable, predictable RF environment (proper design, site survey, radio planning)
  • Dealing with coverage holes if an AP goes down (RF management)
  • Improving client (all clients!) received signal (beamforming)
  • Identifying, classifying, mitigating an interference source (spectrum intelligence solution)

Radio Frequency (RF) High Availability – Planning Recommendations
• Site survey, site survey… and site survey
  • Use "active" survey
  • Consider client type (e.g. smartphone vs. laptop)
  • Coverage vs. capacity
• AP positioning and antenna choice is key
  • Use common sense
  • Light source analogy
  • Internal antennas are designed to be mounted on the ceiling
  • External antennas: use the same antennas on all connectors
Site Survey
• Site survey:
  • When was the last time you did a site survey?
  • Coverage vs capacity
  • Client / AP types and technology
• Tools
  • What you use is less important than how you use it
  • Use the same tool to compare results
  • If using clients, use the least common denominator
• AP positioning is key
  • Proper installation and positioning of equipment is as important as managing the RF environment.
  • A sub-optimal wireless PHY can often continue to pass traffic at a reduced data rate. If the traffic load is minimal, it can appear to be working correctly.
  • An optimal PHY can always be measured by confirming expected data rates and throughput
  • Internal antennas are designed to be mounted in the ceiling
  • Access Points, like light sources, should be in the clear and near the users
Channel Utilization
• Contributors: co-channel interference from
  • Nearby APs, clients
  • Beacons and probe responses
  • Transmissions from any other radio on the same frequency
  • Bluetooth, microwave, etc.
• Mitigation
  • Reduce # of SSIDs
  • Turn off lower data rates
  • Limit the interferers / rogues
  • AP isolation vs density

(Figure: channel utilization before vs. after mitigation, 5%)
Maximizing the Spectrum – PHY Rate Tuning: Why PHY Rates Matter
 How fast can we talk? Signal (RSSI) and noise are the key factors
 As the client moves further from the AP or as noise worsens, the client rate-shifts downward
 Lower rate, more airtime consumed
 Position APs and antennas to allow elimination of low rates (i.e., <18 Mbps)
 Eliminate 802.11b rates

(Figure: client near the AP – higher PHY rate, more efficient (high signal-to-noise ratio), 54 Mbps; client far from the AP – lower PHY rate, less efficient (lower signal-to-noise ratio), stepping down through 48, 36, 24 and 18 Mbps)
Maximizing the Spectrum – RSSI vs. SNR
 Check your noise floor in each band during peak usage
  – Packet captures with a NIC that you trust (MacBook Pro, etc.)
  – Fluke AirCheck
  – Spectrum Expert
  – Metageek Chanalyzer for CleanAir

RF Profiles
• RF Profiles allow the administrator to tune groups of APs sharing a common coverage zone together
  • Selectively changing how RRM will operate the APs within that coverage zone
• RF Profiles are created for either the 2.4 GHz radio or the 5 GHz radio
  • Profiles are applied to groups of APs belonging to an AP Group, in which all APs in the group will have the same profile settings
• There are two components to this feature:
  • RF Groups – existing capability – no impact on channel selection algorithms
  • RF Profile – providing administrative control over:
    o Min/Max TPC values
    o TPC thresholds
    o RxSOP (8.0)
    o Data rates, etc.
Radio Frequency (RF) High Availability – Spectrum Intelligence Solution: Cisco CleanAir

(Figure: before – wireless interference decreases reliability and performance; after – CleanAir mitigates RF interference, improving reliability and performance; wireless client performance plotted against air quality)

• Spectrum intelligence solution designed to proactively manage the challenges of a shared spectrum
• Assess the impact to Wi-Fi performance; proactively change channel when needed
• CleanAir Radio ASIC: only an ASIC-based solution can reliably detect interference sources
• Best practice: turn it on if supported by your APs (3500, 1600*/2600/3600, 1700*/2700/3700)
For more info: http://www.cisco.com/en/US/netsol/ns1070
Radio Frequency (RF) High Availability – Spectrum Intelligence Solution: Cisco CleanAir
• CleanAir
  • Hardware based solution
  • 32 times the WiFi chip's visibility
  • Accurate classification
  • Multiple device recognition
Radio Frequency (RF) High Availability – Client Beamforming: Cisco ClientLink

(Figure: ClientLink disabled – lower data rates; ClientLink enabled – higher data rates. Source: Miercom with Fluke Iperf survey)

• Cisco ClientLink a.k.a. beamforming: reduced coverage holes for all clients
For more info: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps11983/at_a_glance_c45-691984.pdf
Network Infrastructure HA

Connecting an AP to the wired network – recommendations
• Create redundancy throughout the access layer by homing APs to different switches
• If the AP is in Local mode, configure the port as access with STP PortFast, BPDU guard, etc.
• If the AP is in Flex mode with Local Switching, configure the port as trunk and allow only the VLANs you need

Connecting a Controller to the wired network: options
1) To a single modular switch or StackWise
  • Use EtherChannel (EC)/LAG
  • 2/4/8 ports in a bundle to optimize load sharing
  • Spread ports across line cards/stack members
2) To a VSS pair
  • Same as option 1
  • Spread ports across VSS members
3) To a pair of distribution switches
  • Not supported by single AireOS controllers
  • Use multiple EtherChannel/LAG
  • Use STP (recommended) or FlexLink (5760-WLC only)
  • L2 trunk connections to the distribution switches
Connecting a Controller to the wired network
Single AireOS Controllers (2504/5508/7500/8500/WiSM2)

Option 1: to a single modular switch or StackWise (distribution layer switch/stack, trunk port-channel to the AireOS based WLC)
• Identical configuration on WLC and switch side (EC mode, trunk mode, allowed VLANs, native VLAN, etc.)
• EC mode: only mode "ON" supported; no LACP, PAgP
• EC load-balancing: no restriction for 5508/2500/7500/8500
  o Recommended to include L3 and L4 port for better hash results
  o On the switch use: "port-channel load-balance src-dst-mixed-ip-port"
• EC load-balancing for WiSM2:
  o Need to set the EC load balancing method on the switch to "src-dest-IP". Use CLI "port-channel load-balance src-dst-ip"
  o For Catalyst 6500 with PFC3 use "port-channel load-balance src-dst-ip exclude vlan" (command supported in 12.2(33)SXH6 and 12.2(33)SXI3 and above)
• Note: no STP supported on AireOS controllers. Do not disable it on the switch side. Use "spanning-tree portfast trunk"

Switch-side configuration example:

port-channel load-balance src-dst-mixed-ip-port
!
interface GigabitEthernet1/0/1
 description to_WLC-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11,20,30,40
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk
Connecting a Controller to the wired network
Single IOS Controllers (5760/3850/3650)

Option 1: to a single modular switch or stack (distribution layer switch/stack, trunk port-channel to the IOS based WLC)
• All EtherChannel modes supported: ON, LACP, PAgP
• Identical configuration on WLC and switch side
• EtherChannel mode:
  o PAgP, by setting Desirable/Desirable on both sides
  o LACP, by setting Active/Active on both sides
• EC load-balancing mode:
  o Include L3 and L4 port for better hash results
  o Use: "port-channel load-balance src-dst-mixed-ip-port"
• STP supported and recommended; keep default settings

Switch-side configuration example (LACP):

port-channel load-balance src-dst-mixed-ip-port
!
interface GigabitEthernet0/9
 description to_5760
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,21-23
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
Connecting a Controller to the wired network
Single AireOS or IOS Controllers – Catalyst VSS Pair

Option 2: to a VSS pair (trunk port-channel to the WLC)
• Single LAG to the VSS pair
• Spread ports across the VSS pair
• In case of failure of the primary switch, traffic continues to flow through the secondary switch in the VSS pair
• Same recommendations given for Option 1 also apply
Connecting a Controller to the wired network
Single IOS Controller (5760/3850/3650) – pair of distribution layer switches

Option 3: pair of distribution switches with STP (Layer 2/Layer 3)
• Configure two ECs, one to each distribution switch (Po 1 and Po 2, same configuration on both)
• Same configuration on both ECs on WLC and switches side
• Enable Rapid Per-VLAN Spanning-Tree (PVST+)
• Use an L3 link between the distribution switches if the VLANs are restricted to one WLC
• Use Layer 2 trunk links between the distribution switches if VLANs span multiple WLCs (for L2 roaming)
• Apply the Campus Design tweaks to STP (VLAN load balancing, HSRP active collocated with the STP root, etc.)
No option 3 for AireOS controllers as STP and multiple LAGs are not supported

Option 3a: distribution switch configuration example (applied on each distribution switch towards the 5760-WLC):

spanning-tree mode rapid-pvst
spanning-tree vlan 1,21-23 priority 24576
!
interface GigabitEthernet0/9
 description to_5760
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,21-23
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
!
interface Vlan22
 description client_VLAN_nosec
 ip address 192.168.22.11 255.255.255.0
 standby 0 ip 192.168.22.100
 standby 0 timers msec 250 msec 750
 standby 0 priority 150
 standby 0 preempt delay minimum 180
Connecting a Controller to the wired network
Single IOS Controllers (5760-WLC only)
Option 3b: Pair of Distribution switches with FlexLink (Layer 2 adjacent only)

• FlexLink is another option to connect the 5760 to the distribution switches
• With FlexLink one link is Active and the other Standby
• STP is disabled only on the 5760 side
• Important: to reduce network downtime when the primary link fails, it is recommended for the distribution switches to support the MAC address-table move update (MMU) feature
(Figure: 5760-WLC with two links to the distribution layer switches; the switch communicates with the 5760 over the primary link, while the 5760 link to the other switch is on standby with no communication)
Wireless Controller HA
Wireless Controller HA: Deployment Modes

Autonomous
• Traffic: Standalone APs
• Target Positioning: Small Wireless Network
• Scope: Wireless only
• High Availability: Can only claim AP quality; No RF HA; No Network layer HA; No services
• Key Considerations: Limited features. Upgradable to controller based

FlexConnect
• Traffic: Traffic Distributed at AP (across the WAN)
• Target Positioning: Branch
• Scope: Wireless only
• High Availability: Client SSO when Local Switching
• Key Considerations: Branch with WAN BW and latency requirements

Centralized
• Traffic: Traffic Centralized at Controller
• Target Positioning: Campus
• Scope: Wireless only
• High Availability: Full RF HA; Most complete solution
• Key Considerations: Full features

Converged Access
• Traffic: Traffic Distributed at Switch
• Target Positioning: Branch and Campus
• Scope: Wired and Wireless
• High Availability: Exploits HA in IOS switches
• Key Considerations: Catalyst 3650/3850 in the access layer
Wireless Controller HA
Centralized Mode
Centralized Mode HA

Client SSO
• Requirements: Minimum release 7.5; WLC: 5508, WiSM2, 7500, 8510; L2 connection; Same HW and software; 1:1 box redundancy
• Benefits: Active client state is synched; AP state is synched; No application downtime; HA-SKU available; Network uptime

AP SSO (SSID stateful switchover)
• Requirements: Release 7.3 and 7.4; WLC: 5508, WiSM2, 7500, 8510; Direct physical connection; Same HW and SW; 1:1 box redundancy
• Benefits: AP state is synched; No SSID downtime; HA-SKU available (> 7.4)

N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary)
• Requirements: Available on all controllers; each controller has to be configured separately
• Benefits: Crosses L3 boundaries; Flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)
N+1 Redundancy
• Administrator statically assigns APs a primary, secondary, and/or tertiary controller
  Assigned from the controller interface (per AP) or Prime Infrastructure (template-based)
  You need to specify Name and IP if the WLCs are not in the same Mobility Group
• Pros:
  Support for L3 network between WLCs
  Flexible redundancy design options (1:1, N:1, N:N:1)
  WLCs can be of different HW and SW
  Predictability: easier operational management
  Faster failover timers configurable
  "Fallback" option in the case of failover
• Cons:
  Stateless redundancy
  More upfront planning and configuration
(Figure: WLAN-Controller-A, -B and -C, with each group of APs configured in a different rotation: Primary: WLAN-Controller-1 / Secondary: WLAN-Controller-2 / Tertiary: WLAN-Controller-3; Primary: WLAN-Controller-2 / Secondary: WLAN-Controller-3 / Tertiary: WLAN-Controller-1; Primary: WLAN-Controller-3 / Secondary: WLAN-Controller-2 / Tertiary: WLAN-Controller-1)

N+1 Redundancy
Global backup Controllers
• Backup controllers configured for all APs under Wireless > High Availability
• Used if there are no primary/secondary/tertiary WLCs configured on the AP
• The backup controllers are added to the primary discovery request message recipient list of the AP
N+1 Redundancy
AP Primary Discovery Request Timer
• The access point maintains a list of backup controllers and periodically sends
primary discovery requests to each entry on the list.
• Configure a primary discovery request timer to specify the amount of time that a
controller has to respond to the discovery request
N+1 Redundancy
AP Failover mechanism
• When configured with Primary and backup Controller:
  ‒ AP uses heartbeats to validate current WLC connectivity
  ‒ AP uses the Primary Discovery message to validate the backup WLC list (every 30 sec)
  ‒ When the AP loses 5 heartbeats it starts the join process to the first backup WLC candidate
  ‒ Candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
  ‒ Failover is pretty fast because the AP goes back to discovery state just to make sure the backup WLC is UP and then immediately starts the JOIN process
(Figure: CAPWAP AP state machine on failover: AP Boots Up, Discovery, DTLS Setup, Join, Image Data, Config, Run; Reset returns the AP to Discovery)

AP Failover
Fast Heartbeat
• AP sends HA heartbeat packets, by default every 1 sec
• Fast Heartbeats reduce the amount of time it takes to detect a controller failure
• When the fast heartbeat timer expires, the AP sends fast echo requests to the WLC, up to 3 times
• If there is no response the primary is considered dead and the AP selects an available controller from its "backup controller" list in the order of primary, secondary, tertiary, primary backup controller, and secondary backup controller
• Fast Heartbeat is only supported for Local and Flex mode
AP Failover Priority
• Assign priorities to APs: Critical, High, Medium, Low
• Critical priority APs get precedence over all other APs when joining a controller
• In a failover situation, a higher priority AP will be allowed in ahead of all other APs
• If the controller is full, existing lower priority APs will be dropped to accommodate higher priority APs
(Figure: an AP with priority Critical fails over to a full controller; an AP with priority Medium is dropped to make room)
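The failover order, the 5-heartbeat trigger and the priority-based admission described in the last three slides, as an added Python model that is not part of the session material or Cisco code. Controller names, capacities and AP names are constructed; the candidate order and priority levels are the ones stated above.

```python
"""Added example (not Cisco code or session material): a model of the N+1 AP
failover rules above, i.e. the backup candidate order, the 5-heartbeat trigger
and priority-based admission when a controller is full. Controller names,
capacities and AP names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# AP failover priority levels; a higher rank wins admission on a full controller.
PRIORITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
HEARTBEATS_BEFORE_FAILOVER = 5  # the AP starts the join process after losing 5 heartbeats


@dataclass
class Controller:
    name: str
    max_aps: int
    alive: bool = True
    joined: Dict[str, str] = field(default_factory=dict)  # AP name -> priority

    def join(self, ap_name: str, priority: str) -> Tuple[bool, Optional[str]]:
        """Admit an AP. On a full controller the lowest-priority AP is dropped to
        make room, but only when it ranks below the newcomer.
        Returns (admitted, name_of_dropped_ap)."""
        if ap_name in self.joined:
            return True, None
        if len(self.joined) < self.max_aps:
            self.joined[ap_name] = priority
            return True, None
        victim = min(self.joined, key=lambda ap: PRIORITY_RANK[self.joined[ap]])
        if PRIORITY_RANK[self.joined[victim]] < PRIORITY_RANK[priority]:
            del self.joined[victim]
            self.joined[ap_name] = priority
            return True, victim
        return False, None


def candidate_order(primary: Optional[str], secondary: Optional[str], tertiary: Optional[str],
                    global_primary: Optional[str] = None,
                    global_secondary: Optional[str] = None) -> List[str]:
    """Backup candidate order from the slide: primary, secondary, tertiary, then
    the global backup controllers; unset entries are skipped."""
    return [c for c in (primary, secondary, tertiary, global_primary, global_secondary) if c]


def select_backup(order: List[str], controllers: Dict[str, Controller]) -> Optional[str]:
    """First alive controller in candidate order (the AP confirms liveness with a
    primary discovery request before starting the join)."""
    for name in order:
        ctl = controllers.get(name)
        if ctl is not None and ctl.alive:
            return name
    return None


def should_fail_over(missed_heartbeats: int) -> bool:
    return missed_heartbeats >= HEARTBEATS_BEFORE_FAILOVER


def simulate_failover(controllers: Dict[str, Controller],
                      aps: List[Tuple[str, str, List[str]]]) -> Dict[str, Optional[str]]:
    """aps: (ap_name, priority, candidate_order) for APs whose controller just
    died. Higher-priority APs join first; an AP refused by a full controller
    moves on to the next alive candidate. Returns AP -> controller (None when
    no controller admitted it, or it was dropped to make room for another)."""
    result: Dict[str, Optional[str]] = {}
    for ap_name, priority, order in sorted(aps, key=lambda a: -PRIORITY_RANK[a[1]]):
        target = select_backup(order, controllers)
        while target is not None:
            admitted, dropped = controllers[target].join(ap_name, priority)
            if dropped is not None:
                result[dropped] = None
            if admitted:
                result[ap_name] = target
                break
            target = select_backup(order[order.index(target) + 1:], controllers)
        else:
            result[ap_name] = None
    return result


if __name__ == "__main__":
    wlcs = {"WLC-1": Controller("WLC-1", 10, alive=False),   # primary just failed
            "WLC-BKP": Controller("WLC-BKP", 1),              # small backup with one free slot
            "WLC-2": Controller("WLC-2", 10)}                 # global backup controller
    order = candidate_order("WLC-1", "WLC-BKP", None, global_primary="WLC-2")
    print(simulate_failover(wlcs, [("ap-lobby", "medium", order), ("ap-er", "critical", order)]))
```

The critical AP takes the single slot on WLC-BKP and the medium AP is refused there (it does not outrank the critical one), so it continues down the candidate list to the global backup; a real controller applies the same precedence to the APs that try to join after a failover.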
N+1 Redundancy
Best Practices
• Most common design is N+1 with a redundant WLC in a geographically separate location (NOC or Data Center)
• Configure high availability parameters to detect failure and faster failover (min 30 sec)
• Use AP priority in case of oversubscription of the redundant WLC
• Use the HA SKU available for 5508, 7500, 8500 and 2500 (from 7.5) controllers
(Figure: WLAN-Controller-1, WLAN-Controller-2 ... WLAN-Controller-n, each with its APs configured with Primary: WLAN-Controller-1/2/n and Secondary: WLC-BKP, the backup WLC in the NOC or Data Center)
For more info: http://www.cisco.com/en/US/docs/wireless/technology/hi_avail/N1_HA_Overview.html or
http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/qa_c67-714540.html
N+1 Redundancy
HA-SKU
• It's a zero AP license SKU for HA. Supported on 5508, WiSM2, Flex7500, 8510 and 2504
• HA-SKU Controller needs to be manually configured as a secondary controller (no auto synch)
• When backup takes over, a 90-day counter is started
• The HA-SKU provides the capability of the maximum number of APs supported on that hardware
• From 7.6 you can add licenses to the HA SKU and use it as an Active controller

Example (figure): no licenses needed on the secondary
• Primary Controller: WiSM-2, License Count: 500, APs connected: 400
• Primary Controller: 2504, License Count: 50, APs connected: 25
• Secondary Controller: AIR-CT5508-HA-K9, Max AP support: 500 APs
  500 - 25 = 475 after the 2504's APs; 475 - 400 = 75 APs of spare capacity after the WiSM-2's APs
Wireless Controller HA
Centralized Mode – Stateful Switch Over (SSO)
Stateful Switchover (SSO)
• True Box to Box High Availability i.e. 1:1
• One WLC in Active state and second WLC in Hot Standby state
• Secondary continuously monitors the health of the Active WLC via a dedicated link
• Configuration on Active is synched to the Standby WLC
  • This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
  • AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
  • Active Client State in 7.5: client will not disconnect – Client SSO
• Downtime during failover reduced to 5 - 1000 msec depending on the failover
  • In the case of power failure on the Active WLC it may take 350-500 msec
  • In case of network failover it can take up to a few seconds
• SSO is supported on 5500 / 7500 / 8500 / WiSM-2 and 5760
For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
SSO Failover Sequence
(Figure: Redundancy link established over the dedicated Redundancy Port; Role Negotiation; AP and Client Sync to Peer; Keep-Alive failure / Notify; Switch. Before the switch one WLC is ACTIVE and the other STANDBY; after it the former standby is ACTIVE. The AP session stays intact, the AP does not re-establish the CAPWAP tunnel. Client SSO: the client session stays intact, the client does not reassociate.)
Effective downtime for the client is Detection time + Switchover time
Stateful Switch Over (SSO)
Redundancy Management Interface
• Redundancy Management Interface (RMI)
• To check gateway reachability sending ICMP packets every 1 sec
• Peer reachability once the Active does not respond to Keepalive on the Redundant Port
• Notification to standby in event of box failure or manual reset
• Communication with Syslog, NTP, TFTP server for uploading configurations
• Should be in same subnet as Management Interface
Stateful Switchover (SSO)
Redundancy Port
• Redundancy Port (RP):
• Peer reachability sending UDP keep alive messages every 100 msec
• Notification to standby in event of box failure
• Configuration synch from Active to Standby (Bulk and Incremental Config)
• Auto generated IP Address where last 2 octets are picked from the last 2 octets of Redundancy
Management Interface (First 2 octets are always 169.254)
Stateful Switchover (SSO)
Configuration
• Management interfaces on both WLCs must be on the same subnet
• Mandatory Configuration for HA setup:
  • Redundant Management IP Address
  • Peer Redundant Management IP Address
  • Redundancy Mode set to SSO enable (7.3 and 7.4 would show AP SSO)
  • Primary/Secondary Configuration – Required if the peer WLC's UDI is not HA SKU
    • The Primary HA must have valid AP licenses
    • Unit can be secondary if it has at least 50 AP permanent licenses
• Optional Configuration:
  • Service Port Peer IP
  • Mobility MAC Address
  • Keep Alive and Peer Search Timer
All can be configured on the same page
Stateful Switchover (SSO)
Maintenance Mode
• Standby WLC may transition to Maintenance Mode if:
  • Gateway not reachable via Redundant Management Interface
  • Software mismatch
  • WLC with HA SKU has never discovered its peer
  • Redundant Port is down
• To remember:
  • In Maintenance mode the same rules to connect to the standby box apply
  • WLC should be rebooted to bring it out of Maintenance Mode
  • From 7.6 it will recover automatically when the problems are fixed
Stateful Switchover (SSO)
Pairing the boxes
• HA Pairing is possible only between the same type of hardware and software versions
• 5500/7500/8500 have dedicated Redundancy Ports
  • Direct connection supported in 7.3 and 7.4
  • L2 connection supported in 7.5 and above
• WiSM-2 has a dedicated Redundancy VLAN
  • Redundancy VLAN should be a non-routable VLAN
  • WiSM-2 can be deployed in a single chassis OR multiple chassis
  • WiSM-2 in multiple chassis needs to use VSS (7.3, 7.4)
  • WiSM-2 in multiple chassis can be L2 connected in 7.5 and above
• Requirements for L2 connection: RTT Latency: < 80 ms; Bandwidth: > 60 Mbps; MTU: 1500
(Figure: Active Controller RP 1 and Hot Stand-by Controller RP 2, connected either directly or through an L2 network (7.5))
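The SSO pairing requirements from the Configuration, Maintenance Mode and Pairing slides above, collected into an added Python pre-flight check. This is not Cisco code or session material: the controller names, addresses, software version strings and link measurements are constructed, and the field names of the Wlc record are assumptions. The RP address rule (169.254 plus the last two octets of the RMI) is the one stated under Redundancy Port.

```python
"""Added example (not Cisco code): a pre-flight check for pairing two AireOS
controllers for SSO, derived from the requirements listed above. Controller
names, addresses, versions and link figures are constructed; field names are
assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Wlc:
    name: str
    management_if: str       # management interface with prefix length, e.g. "10.10.10.11/24"
    redundancy_mgmt_ip: str  # RMI address; must be in the management subnet
    hw_model: str
    sw_version: str
    permanent_ap_licenses: int
    ha_sku: bool = False


# L2 redundancy-port link requirements from the slide (7.5 and above)
MAX_RTT_MS = 80
MIN_BANDWIDTH_MBPS = 60
REQUIRED_MTU = 1500
MIN_SECONDARY_AP_LICENSES = 50  # a non-HA-SKU secondary needs at least 50 permanent AP licenses


def redundancy_port_ip(rmi_ip: str) -> str:
    """Auto-generated RP address: 169.254 followed by the last two octets of the RMI."""
    o = ipaddress.IPv4Address(rmi_ip).packed
    return f"169.254.{o[2]}.{o[3]}"


def preflight(primary: Wlc, secondary: Wlc, rtt_ms: float, bw_mbps: float, mtu: int) -> List[str]:
    """Return findings; an empty list means the pair meets the listed requirements."""
    findings: List[str] = []
    p_mgmt = ipaddress.ip_interface(primary.management_if)
    s_mgmt = ipaddress.ip_interface(secondary.management_if)
    if p_mgmt.network != s_mgmt.network:
        findings.append("management interfaces are not on the same subnet")
    for wlc in (primary, secondary):
        mgmt = ipaddress.ip_interface(wlc.management_if)
        if ipaddress.ip_address(wlc.redundancy_mgmt_ip) not in mgmt.network:
            findings.append(f"{wlc.name}: RMI is not in the management subnet")
    if primary.hw_model != secondary.hw_model:
        findings.append("hardware mismatch: pairing needs the same type of hardware")
    if primary.sw_version != secondary.sw_version:
        findings.append("software mismatch: the standby would enter maintenance mode")
    if primary.permanent_ap_licenses == 0:
        findings.append("primary must have valid AP licenses")
    if not secondary.ha_sku and secondary.permanent_ap_licenses < MIN_SECONDARY_AP_LICENSES:
        findings.append(f"secondary needs at least {MIN_SECONDARY_AP_LICENSES} permanent AP licenses or an HA SKU")
    if redundancy_port_ip(primary.redundancy_mgmt_ip) == redundancy_port_ip(secondary.redundancy_mgmt_ip):
        # derived from the auto-generation rule, not a statement on the slide:
        # identical last two RMI octets would give both peers the same RP address
        findings.append("RMI addresses share their last two octets: RP addresses would collide")
    if rtt_ms >= MAX_RTT_MS:
        findings.append(f"RP link RTT {rtt_ms} ms is not below {MAX_RTT_MS} ms")
    if bw_mbps <= MIN_BANDWIDTH_MBPS:
        findings.append(f"RP link bandwidth {bw_mbps} Mbps is not above {MIN_BANDWIDTH_MBPS} Mbps")
    if mtu != REQUIRED_MTU:
        findings.append(f"RP link MTU {mtu} is not {REQUIRED_MTU}")
    return findings


# Constructed sample pair: a licensed controller and an HA-SKU peer on an L2 link
PRIMARY = Wlc("wlc-a", "10.10.10.11/24", "10.10.10.13", "AIR-CT5508", "7.6-constructed", 500)
SECONDARY = Wlc("wlc-b", "10.10.10.12/24", "10.10.10.14", "AIR-CT5508", "7.6-constructed", 0, ha_sku=True)

if __name__ == "__main__":
    print("RP addresses:", redundancy_port_ip(PRIMARY.redundancy_mgmt_ip),
          redundancy_port_ip(SECONDARY.redundancy_mgmt_ip))
    for finding in preflight(PRIMARY, SECONDARY, rtt_ms=12, bw_mbps=1000, mtu=1500) or ["no findings"]:
        print(finding)
```

Run it before enabling SSO on a pair that will be L2 connected: every finding maps to one of the conditions above that would either block pairing or push the standby into Maintenance Mode.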
Stateful Switchover (SSO)
Connecting AireOS HA Pair to the wired network
Option 1: to a single Modular Switch or StackWise
• The HA pair of AireOS WLCs should be considered as separate WLCs with the same exact configuration
• Ports on both WLCs are UP but only the ones on the Active WLC are forwarding data traffic
• On the WLC side: the same physical ports are connected to the network, for ex.: port 1-4 on WLC1 and port 1-4 on WLC2
• On the switch side the configuration has to be the same. If using LAG, for example, two Port-channels should be used with the same configuration (same mode, same VLANs, same native, etc.)
• General recommendations for Option 1 AireOS WLC also apply
(Figure: AireOS Active WLC on Po 1 and AireOS Standby WLC on Po 2, L2 trunk port-channels to a single switch or stack, same configuration on both Po1 and Po2)

Stateful Switchover (SSO)
Connecting AireOS HA Pair to the wired network
Option 2: to a Catalyst VSS pair
• Use an EC from each WLC to the Distribution VSS
• Spread the links in each EC among the two physical switches
• Same considerations for connecting to a single Distribution switch apply
• General recommendations for Option 1 AireOS WLC also apply
(Figure: AireOS Active WLC on Po 1 and AireOS Standby WLC on Po 2, L2 trunk port-channels spread across the Catalyst VSS pair, same configuration on both Po1 and Po2)

Stateful Switchover (SSO)
Connecting AireOS HA Pair to the wired network
Option 3: to a pair of Distribution switches
• Use ECs to connect to the Distribution switches
• Same exact configuration on both Dist. switches
• Use the same physical ports on the WLCs
• Layer 2 between the distribution switches for the Wireless VLANs
• Use STP on the Distribution switches
(Figure: AireOS Active WLC on Po 1 to one distribution layer switch and AireOS Standby WLC on Po 2 to the other, Layer 2 link between the distribution switches)
Stateful Switchover (SSO)
What you need to know…
• In Service Software Upgrade (ISSU) is not supported
• The Active and Standby decision is not an automated election process
• ONLY Clients in RUN state are maintained during failover
• Information not synced between Active and Standby
• CCX Based apps - need to be re-started post Switch-over
• Client Statistics, PMIPv6, NBAR, SIP static CAC
• WGB and clients associated to it are not synced
• OEAP(600) clients are not synced 8.0
• Passive clients are not synced
• Sleeping client database not synced

• SSO and MESH APs: only RAP are supported from 7.5, for MAPs the state is not synched
Stateful Switchover (SSO)
Connectivity to the boxes
Once SSO is enabled:
• Connect to the Standby WLC using console or SSH to the Service Port and RMI
• TFTP, NTP and Syslog traffic use the RMI interface on the Standby WLC
• Telnet / SSH / SNMP / Web Access is not available on the Management and Dynamic interfaces on the Standby WLC
• There is no SNMP/GUI access on the service port for both the WLCs in the HA setup
Stateful Switchover (SSO)
Integration with N+1 redundancy deployments
• Hybrid Design: SSO HA can work together with N+1 failover
• SSO pair can act as the Primary Controller and be deployed with Secondary and Tertiary
• On failure of both Active and Standby WLC in the SSO setup, APs will fall back to the secondary and further to the configured tertiary controller
• Useful to reduce downtime for SSO pair software upgrade
Stateful Switchover (SSO)
Licensing
• HA Pair with HA-SKU License on one WLC:
  • HA-SKU is a new SKU with Zero AP Count License
  • The device with HA-SKU becomes Standby the first time it pairs up
  • AP licenses will be pushed from Active to Standby
  • On event of Active failure the HA-SKU takes over with the AP-count obtained and will start a 90-day count-down. The granularity of the same is in days.
  • After 90 days, the HA-SKU WLC starts nagging messages but won't disconnect connected APs
  • When a new WLC comes up and pairs with the HA SKU, at the time of pairing the Standby will get the AP Count:
    • If the new WLC has a higher AP count than the previous, the 90 days counter is reset.
    • If the new WLC has a lower AP count than the previous, the 90 days counter is not reset.
  • Elapsed time and AP-count are remembered on reboot
Management and Mobility Services HA
Prime and MSE HA

Prime HA
• Requirements: An active / standby (1:1) mode; Same software & hardware; 3 heartbeats (timeout 2 seconds) missing to failover to standby PI; RTU Standby SKU (2.0 and later)
• Benefits: No database loss upon failover; Failover Automatic or Manual; Failback is always manual; No AP licenses needed on Standby Unit; Support across L3 link

MSE HA
• Requirements: 1:1 & 2:1 configuration (2:1 only with physical appliance); Direct or L2 Network connection; Same software version
• Benefits: HA for all services supported; Failover times < 1 min; No HA licenses needed; Failover Automatic or Manual
Prime Infrastructure HA
Configuration
• The first step is to install and configure the Secondary PI. When configuring the Primary PI for HA, the Secondary PI needs to be installed and reachable by the Primary PI
• The following parameters must be configured on the Primary PI:
  • name/IP address of secondary PI
  • email address of network administrator for system notification
  • manual or automatic failover option
• Secondary PI must always be a new installation and this option must be selected during the PI install process, i.e. a standalone or primary PI cannot be converted to secondary PI. A standalone PI can be converted to HA Primary.

Prime Infrastructure HA
Health Monitor
• The Health Monitor (HM) is a process implemented in PI and is the primary component that manages the high availability operation of the system
  • Setting up database, file replication, and monitoring the application
• It displays valuable logging and troubleshooting information
• To get to the Health Monitor direct the browser to the secondary PI on port 8082
  • https://<secondary PI ip address>:8082
  – Note – if you navigate to the primary's port 8082 you will not be able to log in as it is only available on the secondary PI
Best Practices – MSE High Availability
• 7.6MR3 or 8.0: Single Virtual IP address. The HA pair in 8.0 got it right and you can confidently deploy using guidance from the 7.2 HA Guide
• Pre 7.6 MR1 (i.e. 7.2, 7.4, etc.): IP Address A and IP Address B. Previous MSE versions have issues and you will get into trouble using HA on these versions.
http://www.cisco.com/c/en/us/support/docs/wireless/mobility-services-engine/113462-mse-ha-config-dg-00.html

MSE HA
Configuration
1) Set HA mode in the startup script
2) Pair the secondary MSE from PI
3) Check the status of HA
Wireless LAN Controller
Best Practices
Best Practices Recommendations (For Your Reference)
Make it Easy – Make it work – Make it perform
BEST PRACTICES (AireOS)

INFRASTRUCTURE
Enable High Availability (AP and Client SSO); Enable AP Failover Priority; Enable AP Multicast Mode; Enable Multicast VLAN; Enable Pre-image download; Enable AVC; Enable NetFlow; Enable Local Profiling (DHCP and HTTP); Enable NTP; Modify the AP Re-transmit Parameters; Enable FastSSID change; Enable Per-user BW contracts; Enable Multicast Mobility; Enable Client Load balancing; Disable Aironet IE; FlexConnect Groups and Smart AP Upgrade

SECURITY
Enable 802.1x and WPA/WPA2 on WLAN; Enable 802.1x authentication for AP; Change advance EAP timers; Enable SSH and disable telnet; Disable Management Over Wireless; Disable WiFi Direct; Peer-to-peer blocking; Secure Web Access (HTTPS); Enable User Policies; Enable Client exclusion policies; Enable rogue policies and Rogue Detection RSSI; Strong password Policies; Enable IDS; BYOD Timers

WIRELESS / RF
Disable 802.11b data rates; Restrict number of WLAN below 4; Enable channel bonding – 40 or 80 MHz; Enable BandSelect; Use RF Profiles and AP Groups; Enable RRM (DCA & TPC) to be auto; Enable Auto-RF group leader selection; Enable Cisco CleanAir and EDRRM; Enable Noise & Rogue Monitoring on all channels; Enable DFS channels; Avoid Cisco AP Load

MESH
Set Bridge Group Name; Set Preferred Parent; Multiple Root APs in each BGN; Set Backhaul rate to "Auto"; Set Backhaul Channel Width to 40/80 MHz; Backhaul Link SNR > 25 dBm; Avoid DFS channels for Backhaul; External RADIUS server for Mesh MAC Authentication; Enable IDS; Enable EAP Mesh Security Mode

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
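The Security and Wireless/RF items above are exactly the kind of checks a configuration analyzer runs. As an added Python example that is not Cisco code and not WLCCA, the following audits a controller configuration against a subset of those items. The configuration is a constructed dictionary standing in for values parsed from "show run-config"; its key names are assumptions of this example, and the sample deliberately fails most checks.

```python
"""Added example (not Cisco code, not WLCCA): an offline audit of a controller
configuration against the security and RF best practices listed above.
The configuration dictionary is constructed and its key names are assumptions."""
from typing import Callable, Dict, List, Tuple

# Constructed sample configuration with several deliberate gaps
SAMPLE_CONFIG: Dict[str, object] = {
    "ssh_enabled": True,
    "telnet_enabled": True,            # best practice: disable telnet
    "management_over_wireless": True,  # best practice: disable
    "web_mode_https_only": False,      # best practice: HTTPS only
    "password_policy_strong": False,
    "client_exclusion_enabled": True,
    "rogue_detection_enabled": True,
    "wifi_direct_allowed": True,
    "ap_dot1x_auth": False,
    "dot11b_rates_enabled": True,      # 1/2/5.5/11 Mbps still enabled
    "wlans": [
        {"name": "corp",   "security": "wpa2-802.1x", "p2p_blocking": True},
        {"name": "guest",  "security": "open",        "p2p_blocking": False},
        {"name": "voice",  "security": "wpa2-802.1x", "p2p_blocking": True},
        {"name": "iot",    "security": "wpa2-psk",    "p2p_blocking": False},
        {"name": "legacy", "security": "wep",         "p2p_blocking": False},
    ],
}

Check = Tuple[str, str, Callable[[Dict[str, object]], bool]]

# (category, best-practice item as worded on the slide, predicate true when compliant)
CHECKS: List[Check] = [
    ("SECURITY", "Enable SSH and disable telnet",
     lambda c: bool(c["ssh_enabled"]) and not c["telnet_enabled"]),
    ("SECURITY", "Disable Management Over Wireless",
     lambda c: not c["management_over_wireless"]),
    ("SECURITY", "Secure Web Access (HTTPS)",
     lambda c: bool(c["web_mode_https_only"])),
    ("SECURITY", "Strong password Policies",
     lambda c: bool(c["password_policy_strong"])),
    ("SECURITY", "Enable Client exclusion policies",
     lambda c: bool(c["client_exclusion_enabled"])),
    ("SECURITY", "Enable rogue policies and Rogue Detection RSSI",
     lambda c: bool(c["rogue_detection_enabled"])),
    ("SECURITY", "Disable WiFi Direct",
     lambda c: not c["wifi_direct_allowed"]),
    ("SECURITY", "Enable 802.1x authentication for AP",
     lambda c: bool(c["ap_dot1x_auth"])),
    ("SECURITY", "Enable 802.1x and WPA/WPA2 on WLAN",
     lambda c: all(w["security"] == "wpa2-802.1x" for w in c["wlans"])),
    ("SECURITY", "Peer-to-peer blocking",
     lambda c: all(w["p2p_blocking"] for w in c["wlans"])),
    ("RF", "Disable 802.11b data rates",
     lambda c: not c["dot11b_rates_enabled"]),
    ("RF", "Restrict number of WLAN below 4",  # slide wording: fewer than 4 WLANs
     lambda c: len(c["wlans"]) < 4),
]


def audit(config: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return the (category, item) pairs the configuration fails."""
    return [(cat, item) for cat, item, ok in CHECKS if not ok(config)]


def compliance_percent(config: Dict[str, object]) -> float:
    """Share of checks passed, the kind of metric the 8.1 audit page reports."""
    passed = len(CHECKS) - len(audit(config))
    return round(100.0 * passed / len(CHECKS), 1)


def wlans_without_wpa2_dot1x(config: Dict[str, object]) -> List[str]:
    """Names of WLANs that are not WPA2 with 802.1X, so the report can name them."""
    return [w["name"] for w in config["wlans"] if w["security"] != "wpa2-802.1x"]


if __name__ == "__main__":
    for cat, item in audit(SAMPLE_CONFIG):
        print(f"[{cat}] missing: {item}")
    print("WLANs without WPA2/802.1X:", wlans_without_wpa2_dot1x(SAMPLE_CONFIG))
    print(f"compliance: {compliance_percent(SAMPLE_CONFIG)}%")
```

The predicates are deliberately one line each so that a new best-practice item is a one-tuple addition; the per-WLAN helper exists because a pass/fail on "all WLANs" is not actionable without the offending WLAN names.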
Infrastructure Best Practices
INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• Disable Aironet IE

RF & RRM Best Practices
RRM / RF
• Disable 802.11b data rates
• Restrict number of WLAN below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load

Security & BYOD Best Practices
SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advance EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Peer-to-peer blocking
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers
FlexConnect Best Practices
FLEXCONNECT
• Enable FlexConnect Groups
• CCKM/OKC Key sharing for Voice deployments
• Enable Smart AP Image Upgrade
• Design for Resiliency
• VLAN-WLAN Mappings at Group Level
• Consistent configuration across Primary and Backup WLCs

Mesh Best Practices
MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode
Best Practices Checkpoints

1. WLAN Express Setup (7.6 MR2, 8.0, 8.1): Best Practices defaults, RF Parameter Optimization, Network Profiles
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security, resiliency with best practice recommendations turned on at boot up time

2. WLC Best Practice Audit Dashboard View (8.1): Audit Page on Upgrade, One-click Fix It, Manual Config Option
• Compliance metric and reporting natively on WLC
• Identify missing best practice configuration on upgrade
• Easy one-click fix It option to turn on Best Practice Knobs
• Restore Defaults to revert configuration to default

3. WLCCA App Engage Config Analyzer: Windows Executable, "show run-config" based Analyzer Tool
• Downloadable client
• Configuration stays local
• Simplified operational use to quickly identify and fix problem areas
• RF Health metrics, IOS Support, Mobility Group support

4. Cisco Active Advisor (CAA): Free, cloud based service; Agentless – nothing to download
• Cisco Personalized device health score
• Compare your wireless network configuration to Cisco's recommended best practices
• Automated Inventory Management and Network Scanning
WLAN Express Setup
Day 0/1 Ease of Setup

Wired Express Setup
• Introduced on 2504 in 7.6 MR2, 8.0
• Extended to 5508, vWLC, 7510, 8510 in 8.1
• Extended to 5520, 8540 in 8.1 and Mobility Express in 8.1 MR2

Wireless Over-The-Air (OTA) Setup
• Available in 8.1 and higher
• Supports Universal AP (UX)
• Supported on 2504 and Mobility Express
WLAN Express Setup
Cisco 5520 and Cisco 8540
(Screens: Set Up Your Controller, Create Wireless Networks, RF Optimization)

WLC Express Setup Best Practices
Best Practice Defaults
• AVC Visibility
• mDNS Snooping
• New mDNS Profile for printer, http
• Local Profiling
• Band Select
• DHCP Proxy
• Infra MFP
• Secure Web access
• Multicast Forwarding Mode
• Virtual IP 192.0.2.1
• RRM-DCA Auto
• RRM-TPC Auto
• CleanAir Enabled
• EDRRM Enabled
• Channel Width 40 MHz
• 5 GHz Channel Bonding
• Aironet IE Disabled
• Management over Wireless disabled
• Load Balancing
• Rogue Threshold Enabled
• Client Exclusion Enabled
• FastSSID Enabled
• SNMPv3 (delete default)
• Mobility Name
• RF Group same as Mobility Name
• DHCP Required on Guest WLAN
Save Time & Money
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security, resiliency with best practice recommendations turned on at boot up time
Best Practices Audit Workflow
• Compliance level check natively on WLC
• Identify Best Practice gaps on upgrade
• Easy one-click Fix It Now
• Restore Default to revert configuration to default

Best Practices Audit Workflow
Audit Upgrades
• Compliance metric and reporting natively on WLC
• Identify missing best practice configuration on upgrade
• Easy one-click fix It option to turn on Best Practice Knobs
• Restore Defaults to revert configuration to default

Monitoring Dashboard
• 10,000 feet view of Wireless health
  • APs
  • Clients
  • WLANs
  • Applications and Devices
  • Rogues and Interferers
• AP or Client search for targeted troubleshooting
• Add/delete Widgets
• Tabular/Graphical View
Network Summary – Access Points List
• Inventory
• Uptime
• Usage
• Drill down into specific APs of interest

Network Summary – Access Point Details
Use Cases:
• Slow network connectivity
• Clients cannot connect
(Callouts: Incorrect configuration; Radios down; RF Interference; Legacy Devices; Too many Clients impacting performance)

Wireless Dashboard – AP Performance
Use Cases:
• Client Connectivity Issues
(Callouts: Band Select not enabled; Too many SSIDs; Lower Data Rates Enabled; Insufficient coverage – not enough APs; Excessive co-channel interference – Too Many APs; Uneven distribution of clients – Load Balancing not enabled)

Network Summary – Client List
• AP / Band Distribution
• Signal Quality
• Legacy Devices

Network Summary – Client Details
• Single pane of glass for client troubleshooting
(Callouts: Application Usage; Client Capabilities; Neighbouring APs; Correct Policy Assignment – Security, QoS, mDNS, VLAN, ACL; Client Connection State; Reachability and Latency)

Wireless Dashboard – Client Performance
Use Cases:
• Client Connectivity Issues
• Poor Client Performance
(Callouts: Users cannot connect – 802.11 association failure, DHCP Failure, Web Auth failure, Admin Reset; Low RSSI caused by Sticky Client and Legacy Devices; High Noise causing Low SNR; Client Band Distribution to identify 11b/g devices)
WLCCA Updates
• Compatible with 5520, 8540, Mobility Express
• IOS XE Support – 3650/3850/5760
• AP MIC expiration warning
• WLCCA - Version 3.6.5
• CAA – Coming Up!
(Figure: show run-config output loaded into WLCCA)
https://supportforums.cisco.com/document/7711/wlc-config-analyzer

Compliance Level w/ and w/o Express WLAN Setup
(Figure: compliance level of 7.6 MR2 without Express WLAN Setup versus 8.1 with Express WLAN Setup)
Analyze & Mitigate
• Downloadable client
• Configuration stays local
• Simplified operational use to quickly identify and fix problem areas
• RF Health metrics, IOS Support, Mobility Group support

RF Health Analysis
• Summarization of the RF Health aggregated per:
  • AP
  • AP Group
  • FlexConnect Group
  • RF Neighborhood
• Aggregation of the RF metrics per each working entity, for flexibility of analysis
(Figure: RF Health in a single view across APs, AP Groups, Flex Groups and RF Neighborhoods)
Introducing Cisco Active Advisor
• Free, cloud based service
• Agentless – nothing to download
• It provides customers:
  • Security Advisories (PSIRTs)
  • End-of-life & End-of-support dates
  • Warranty & service contract status
  • Device Health Score
• Accessible at: www.CiscoActiveAdvisor.com
• IOS XE Support – Coming Up!
(Figure: CAA Device Scanner)

Cisco Active Advisor Personalized Health Score
• Personalized device health score
• Free, cloud-based service
• Automatically takes an inventory of your Cisco network
(Figure: health score with "Improve" recommendations)

CAA Wireless Health Tool (new "Tools" workflow)
• Analysis of Entire Wireless Network
• User selectable WLCs
• Overall Wireless Network Health
• Individual WLC Health
• Recommended Improvements for APs
• Targeting Release in June 2015 (Cisco Live San Diego)
RF Analysis
• AP Groups and Flex Groups Included
• Detailed RF Statistics for Groups
• Targeting Release in August 2015

CAA Wireless Health – Create Report: User selectable WLCs
CAA Wireless Health – View Report: Overall Wireless Network Health
Wireless Health Report – WLC View: Individual WLC Health
Wireless Health Report – AP View: Recommended Improvements for APs
Wireless Health Report – AP Group View: RF Analysis per AP Group
Wireless Health Report – FlexConnect Group: RF Analysis per FCG
8.1 Resiliency Best Practices
HA Standby Monitoring
• Important events at Standby WLC are reported in the form of SNMP traps - have some form of trap
receiver or monitor trap logs on WebUI/CLI
• Use compatible version of PI to monitor the Memory details, CPU details and traps of Standby WLC
• Recommended to use WebUI/CLI for peer process statistics as it is not supported on MIB

Fast Restart
Recommended to use ‘restart’ instead of ‘reset system’ for the following scenarios to reduce service
downtime:
• LAG Mode change
• Mobility Mode change
• Web-auth cert installation
• Clear Config
8.1 Feature Best Practices
MS Lync SDN
• As there is no dynamic QoS feedback mechanism to modify the QoS policies, it is recommended to evaluate the network congestion and then decide on the policy configuration.
• As the WLAN QoS policy still overrides the Lync policy, the administrator needs to decide on the Lync QoS policies in line with the WLAN.

Guest Anchor Redundancy
• Assign higher priority to Anchor controllers that are closer in terms of physical proximity and that have stable and high capacity links.
• As the GA grouping is done per WLAN and not globally, care should be exercised not to create an imbalanced network load distribution.
8.1 FlexConnect Best
Practices
1. FlexConnect AVC
• Configure AVC per WLAN at the FlexConnect group for granularity and monitoring per site
• Do not mix Local mode and Flexconnect mode with a Local switch WLAN
• Add APs to FCG to have better control. APs not in FlexConnect Group inherit AVC configuration from WLAN.
2. VLAN Support/Native VLAN on FlexConnect group
• Configure FlexConnect Groups and use the override flag, to consolidate all the VLAN configuration at a single place
• Avoid per AP configuration unless absolutely necessary
3. Use VLAN Name Override to map users to VLANs across different branches
4. FlexConnect Client Troubleshooting
• Configure this feature at the FlexConnect Group to track roaming scenarios
• In cases like central authentication consider logs from WLC in addition to the debugs for the complete picture
8.1 RF Best Practices
Dynamic Bandwidth Selection
• Allow DCA with DBS to run every 10 minutes
• DBS should be set globally
• Channel Width should be set to "Best" on all deployments
• A global restart should be initiated when DBS is enabled: "config 802.11a channel global restart"

WiFi Interference Awareness
• Enable WiFi Interference Awareness
• Configure Duty Cycle to 80%
Mobility Services Engine
and Connected Mobile
Experience (CMX)
MSE Context Aware Services
WiFi Based Location Calculation Basics
A WIFI device seen by one AP could When a device is seen by two AP
be located on anywhere in this circle then location must be in this line

Accuracy highest
when a device is
seen by at least 4
When a device is seen by four AP Access points
then location must be at this point.
Location Readiness
A point on the floor map is location-ready if:
• a minimum of 4 APs are deployed
• a minimum of 3 APs are within ~20 m (-75 dBm)
• at least 1 AP is placed in each of at least 3 surrounding quadrants
AP Placement Examples
• Poor AP placement and coverage for location: linear AP placement
• Proper AP placement and coverage for location: staggered AP placement with perimeter coverage
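The location-readiness rules and the two placement examples above, turned into a check that can be run over a floor plan. This is an added example, not Cisco or MSE code: the AP coordinates and floor sizes are constructed, and counting quadrant coverage only over the APs within the ~20 m radius is an assumption (the slide does not say whether distant APs count).

```python
import math


def quadrant(dx, dy):
    """Quadrant (NE, NW, SW, SE) in which an AP sits relative to the checked point."""
    if dx >= 0 and dy >= 0:
        return "NE"
    if dx < 0 and dy >= 0:
        return "NW"
    if dx < 0 and dy < 0:
        return "SW"
    return "SE"


def location_readiness(point, aps, radius_m=20.0, min_deployed=4,
                       min_within=3, min_quadrants=3):
    """Apply the three slide criteria to one floor-map point.
    Quadrant coverage is counted over the APs within radius_m (assumption)."""
    px, py = point
    within = [ap for ap in aps if math.dist(ap, point) <= radius_m]
    quads = sorted({quadrant(ax - px, ay - py) for ax, ay in within})
    failed = []
    if len(aps) < min_deployed:
        failed.append("deployed")
    if len(within) < min_within:
        failed.append("within_radius")
    if len(quads) < min_quadrants:
        failed.append("quadrants")
    return {"ready": not failed, "deployed": len(aps), "within_radius": len(within),
            "quadrants": quads, "failed": failed}


# Constructed floors (metres): a staggered square with perimeter coverage, and a
# linear row of APs down the middle of a corridor.
STAGGERED_APS = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0), (20.0, 20.0)]
LINEAR_APS = [(0.0, 10.0), (15.0, 10.0), (30.0, 10.0), (45.0, 10.0)]


def readiness_map(aps, width_m, depth_m, step_m=5.0):
    """Fraction of grid points on a width_m x depth_m floor that are location-ready."""
    xs = [i * step_m for i in range(int(width_m / step_m) + 1)]
    ys = [j * step_m for j in range(int(depth_m / step_m) + 1)]
    points = [(x, y) for x in xs for y in ys]
    ready = sum(1 for p in points if location_readiness(p, aps)["ready"])
    return ready / len(points)


if __name__ == "__main__":
    print("staggered centre:", location_readiness((10.0, 10.0), STAGGERED_APS))
    print("linear point:", location_readiness((10.0, 20.0), LINEAR_APS))
    print("staggered ready fraction:", readiness_map(STAGGERED_APS, 20, 20))
    print("linear ready fraction:", readiness_map(LINEAR_APS, 45, 20))
```

A linear row can never satisfy the quadrant rule, because every AP lies on one side of any point off the row (and on one horizontal line for points on it), which is why the slide calls it poor placement for location even when the RSSI coverage is fine.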
With Cisco CMX, You Can
• Detect (Guest Presence): mobile device detected; location analytics
• Connect (Guest Access): smooth, secure Wi-Fi connection; Facebook or custom login
• Engage (Guest Experience): API/SDK-enabled experience; App Engage; Device Engage (future)
CMX App SDK
Architecture: Access Points → Controller (Virtual/Physical) → MSE (Virtual/Physical) → CMX Cloud Server SDK. Location data flows from the MSE to the CMX Cloud Server SDK; application data is pushed to the mobile app through Apple Push Notification Service or Google Cloud Messaging, depending on the application layer.
Licensing
• Base Location license: provides advanced spectrum capability, with the ability to detect presence and track and trace rogue devices, interferers, Wi-Fi clients, and RFID tags. The Base Location license also enables customers and partners to use standard MSE APIs. For a list of partners, please see the Cisco Developer Network Mobility Services API page.
• CMX license: provides Base Location license capabilities with CMX capabilities, including:
  • CMX Analytics, a user-friendly location analytics platform to view and analyze how, where, and when visitors move through a venue.
  • CMX Connect for a seamless, customizable, and location-aware captive portal to onboard guest users to Wi-Fi.
  • CMX for Facebook Wi-Fi, helping guests seamlessly connect to Wi-Fi and use the Internet. Enterprises or merchants gain social demographic data via Facebook Insights.
  • CMX SDK, enabling organizations to integrate Wi-Fi-based indoor navigation with push notification and auto-launch capabilities into mobile apps.
Resources
• CMX CVD
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/CMX/CMX_MSE.html
• CMX Config Guide 8.0
  http://www.cisco.com/c/en/us/td/docs/wireless/mse/8-0/MSE_CMX/8_0_MSE_CAS.html
• MSE Virtual Appliance Deployment Guide
  http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml
• MSE Sizing Guide
  http://173.37.206.125/aspnet_client/system_web/2_0_50727/CMX_calculator_v2.0/CMX_calculator_v2.0.aspx
What’s New in CMX 10.1/10.2?
• Location Improvements: Hyperlocation (10.2); FastLocate Local Mode (10.2); BLE Aware (10.1); BLE Capable (10.2)
• UI Improvements (customers better understand): real time Analytics (10.1); work flow driven UI (10.1); role-based Admin Access (10.1)
• Scale Improvements: 3X scaling (10.1); 5X latency improvement (10.1); 15X storage improvement (10.1)
10.1 – Posted in April
10.2 – June (Target)
Why You Should Care
• Accurate (location accuracy): before 5-7 meters; now +/- 1 meter
• Aggregate (location refresh rate, movement): before 1-2 updates per minute; now 8-10 updates per minute
• Actionable (system latency, display): before 10-20 sec system latency; now 2-4 sec
Licensing
MSE 8.0
• Base License: Location, CleanAir
• CMX License: Location, Analytics, Connect
CMX 10.1
• Base CMX License: Location, Connect, CleanAir included
• Advanced CMX License: Location, Analytics, Connect
Introducing the Cisco Hyperlocation Module
• Angle of Arrival (AoA) triangulation: +/-1 m accuracy
• Integrated BLE Beacon: reduces BLE deployment size
• Centralized Management: BLE and Wi-Fi visibility
• Enhanced FastLocate: faster refresh rates
• Improved Security Coverage: integrated Wireless Security Module
Hyperlocation Module
Most advanced location offering in the market
• Delivers high accuracy with Angle of Arrival (AoA) triangulation over WiFi (+/-1m accuracy) with fast refresh rates (~10 seconds)
• Integrated BLE Beacon covers broad use cases
• Worry-free beacon installation with centralized management
• Improves FastLocate for faster refresh rates (~8 seconds)
• Better security coverage for 802.11ac and 802.11n WiFi deployments
• Compelling WiFi+BLE solution lowers Opex
Cisco Hyperlocation Technology & Solution
• Before: location approximated based on RSSI, ±5 to 10 meter accuracy. Room-level accuracy; range inferred from RSSI only; calculation prone to errors.
• After: determine direction (AoA) to the client in addition to distance => ±1 meter accuracy. High accuracy; multi-technology (AoA, RSSI, BLE); improved calculation.
• Engage & Improve Guest Experience: “blue dot” spotlight projected at the user’s feet.
Granular indoor location accuracy to contextually connect users
Innovation: Angle of Arrival (AoA) = ~+/-1 meter accuracy
• Different antenna elements hear the signal a little earlier/later than others, measured by the phase of the signal
• Favors line-of-sight, with a high degree of accuracy in a 90-degree cone under the AP
• A single AP can provide X,Y location
(Diagram: a wavefront, i.e. rays with a common distance, arriving from the client at the AP antenna array.) Each antenna element is a fraction of a wavelength closer/farther to the client than its neighbor, and the exact value depends on the client location (if underneath => 0, if side on => element spacing).
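The phase-difference idea above, carried through in code. This is an added example and not Cisco's AoA implementation: it models a toy uniform linear array (a handful of elements at half-wavelength spacing, not the 32-antenna module), simulates the per-element phases a wavefront from a given angle would produce, and recovers the angle from phases that are each known only modulo 2π. The 5.18 GHz centre frequency and the element count are constructed values.

```python
import math

C_M_S = 299_792_458.0  # speed of light, m/s


def wavelength_m(freq_hz):
    return C_M_S / freq_hz


def phase_step(theta_deg, spacing_m, wl_m):
    """Forward model: phase (radians) that a wavefront arriving theta degrees off
    the downward axis gains between two neighbouring elements. The path
    difference is spacing * sin(theta): 0 with the client underneath the AP,
    the full element spacing with the client side on."""
    return 2 * math.pi * spacing_m * math.sin(math.radians(theta_deg)) / wl_m


def simulate_phases(theta_deg, n_elements, spacing_m, wl_m):
    """Constructed measurements: each element's phase is only known modulo 2*pi."""
    step = phase_step(theta_deg, spacing_m, wl_m)
    return [(k * step) % (2 * math.pi) for k in range(n_elements)]


def wrap_pi(phi):
    """Map a phase difference into [-pi, pi)."""
    return (phi + math.pi) % (2 * math.pi) - math.pi


def angle_of_arrival(measured_phases, spacing_m, wl_m):
    """Estimate the arrival angle (degrees) from per-element phases of a uniform
    linear array. Neighbour differences are unwrapped, the slope of
    phase_k = k * 2*pi*spacing*sin(theta)/lambda is fitted by least squares
    through the origin, and asin inverts it. Spacing above lambda/2 would make
    the unwrapping ambiguous, so it is rejected."""
    if len(measured_phases) < 2:
        raise ValueError("need at least two antenna elements")
    if spacing_m > wl_m / 2 + 1e-12:
        raise ValueError("element spacing above lambda/2 makes the angle ambiguous")
    unwrapped = [0.0]
    for k in range(1, len(measured_phases)):
        unwrapped.append(unwrapped[-1]
                         + wrap_pi(measured_phases[k] - measured_phases[k - 1]))
    slope = (sum(k * p for k, p in enumerate(unwrapped))
             / sum(k * k for k in range(len(unwrapped))))
    s = slope * wl_m / (2 * math.pi * spacing_m)
    return math.degrees(math.asin(max(-1.0, min(1.0, s))))


if __name__ == "__main__":
    wl = wavelength_m(5.18e9)       # channel 36 region, constructed choice
    d = wl / 2                      # half-wavelength element spacing
    for theta in (0.0, 30.0, 60.0, -20.0):
        phases = simulate_phases(theta, 8, d, wl)
        print(theta, "->", round(angle_of_arrival(phases, d, wl), 3))
```

Because the estimate depends on sin(theta), a small phase error near the side-on direction translates into a large angle error, while directly underneath the AP the same phase error barely moves the answer; that is the geometric reason the slide limits high accuracy to the cone under the AP.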
HALO Module is a Mainstream AoA Solution
• Halo module wraps around the AP
• 32 extra antennas to turbo-charge Angle of Arrival
• The Halo module will include Bluetooth capability as well
NMSP Packet Processing Flow
1. AP1: “I hear MAC address 11:22:33:44:55:66 at -72 dBm.”
2. AP2: “I hear MAC address 11:22:33:44:55:66 at -65 dBm.”
3. WLC: “I am creating an NMSP packet with data from AP1, AP2, etc. and sending it to the MSE IP address as configured in the auth-list” (MSE1, MSE2).
4. MSE: “I have received NMSP packets and I am calculating a location of client 11:22:33:44:55:66 if values are higher than the RSSI cutoff.”
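The MSE side of this flow (step 4) together with the circle-intersection picture from WiFi Based Location Calculation Basics, as one added example that is not MSE or Cisco code. It converts each AP's RSSI report into a distance with a log-distance path-loss model, drops reports below the RSSI cutoff, and solves the overdetermined set of circles for x, y by least squares. The path-loss constants, the -75 dBm cutoff, the AP coordinates, the client position and the client MAC are constructed values.

```python
import math

# Constructed model parameters (not Cisco's): log-distance path loss and the
# RSSI cutoff below which an AP report is ignored.
RSSI_AT_1M_DBM = -40.0    # reference RSSI 1 m from the AP
PATH_LOSS_EXP = 2.5       # indoor path-loss exponent
RSSI_CUTOFF_DBM = -75.0   # assumed cutoff (the readiness slide pairs ~20 m with -75 dBm)
CLIENT_MAC = "11:22:33:44:55:66"
# Constructed floor: four APs on a 20 m square plus one far-away AP; client at (8, 6).
APS = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0), (20.0, 20.0), (100.0, 100.0)]
TRUE_POS = (8.0, 6.0)


def rssi_to_distance(rssi_dbm):
    """Distance (m) from RSSI: d = 10 ** ((P0 - RSSI) / (10 * n)). This is the
    radius of the circle around the reporting AP on which the client must lie."""
    return 10 ** ((RSSI_AT_1M_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def distance_to_rssi(d_m):
    """Forward model, used only to build the constructed AP reports."""
    return RSSI_AT_1M_DBM - 10 * PATH_LOSS_EXP * math.log10(d_m)


def sample_reports():
    """Constructed per-AP measurements of the kind the WLC bundles into NMSP."""
    return [{"mac": CLIENT_MAC, "x": x, "y": y,
             "rssi": round(distance_to_rssi(math.dist((x, y), TRUE_POS)), 2)}
            for x, y in APS]


def filter_reports(reports, cutoff=RSSI_CUTOFF_DBM):
    """Step 4 of the NMSP flow: keep only reports at or above the RSSI cutoff."""
    return [r for r in reports if r["rssi"] >= cutoff]


def locate(reports):
    """Least-squares position from three or more (x, y, rssi) AP reports.
    Subtracting the last AP's circle equation from each other one gives a linear
    row 2(xi-xn)x + 2(yi-yn)y = dn^2 - di^2 + xi^2 - xn^2 + yi^2 - yn^2, and the
    rows are solved through the 2x2 normal equations. Returns None when no unique
    point exists (fewer than 3 APs: a circle or a line; or all APs collinear)."""
    if len(reports) < 3:
        return None
    xn, yn = reports[-1]["x"], reports[-1]["y"]
    dn = rssi_to_distance(reports[-1]["rssi"])
    rows = []
    for r in reports[:-1]:
        di = rssi_to_distance(r["rssi"])
        rows.append((2 * (r["x"] - xn), 2 * (r["y"] - yn),
                     dn ** 2 - di ** 2 + r["x"] ** 2 - xn ** 2 + r["y"] ** 2 - yn ** 2))
    s11 = sum(a * a for a, _, _ in rows)
    s12 = sum(a * b for a, b, _ in rows)
    s22 = sum(b * b for _, b, _ in rows)
    t1 = sum(a * c for a, _, c in rows)
    t2 = sum(b * c for _, b, c in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        return None  # collinear APs: the solution is a line, not a point
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def locate_client(reports):
    """MSE-side pipeline: apply the cutoff, then estimate x, y."""
    usable = filter_reports(reports)
    pos = locate(usable)
    x, y = pos if pos is not None else (None, None)
    return {"mac": reports[0]["mac"], "aps_used": len(usable), "x": x, "y": y}


if __name__ == "__main__":
    print(locate_client(sample_reports()))
```

The far AP reports the client at roughly -93 dBm and is discarded by the cutoff; with integer-dBm reports instead of the rounded floats used here, the same code lands within about a metre of the true position, which is the kind of error the RSSI-only approach on the Hyperlocation slides refers to.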
FastPath/Angle of Arrival (AoA) Packet Processing Flow
1. CMX to WLC (NMSP): “I am a CMX 10.2 supporting Hyperlocation; here is the UDP port I am listening on: port 2003.” The WLC acknowledges.
2. WLC to AP: “AP, send AoA to this IP and UDP port, using this key.”
3. AP: “MAC address 11:22:33:44:55:66 is associated, so I will start to listen for it. Here are all of the phase data for 11:22:33:44:55:66.” The AP sends a “Phases for MAC” packet with source port 9999, destination port 2003 and destination IP of the MSE. WLC: “AoA packet received; change the source MAC to me for routing.” The forwarded packet keeps source port 9999, destination port 2003 and destination IP of the MSE, with the source MAC changed and the source IP now the WLC (sender info changed).
4. CMX: “AoA packet received; decrypt messages from the AP using the key and calculate X,Y.”
WSM Module Listening for ¼ Sec. on Each Channel
Scan time on channels: 250 ms per channel
• 2.4 GHz channels: 1, 6, 11
• 5 GHz channels: 36, 40, 44, 48, 52, 60, 64, 149, 153, 157, 161, 165
• 4 seconds per loop
• When a client is constantly sending packets on a channel, the network will get a packet every 4 seconds (250 ms x 16 channels) and be able to gather values once every 4 seconds.
• Location is calculated approximately once every 8 seconds (~8 times per minute).
Guest Access – Location Aware Custom Portal
Two flavors of CMX Connect: Custom Portal and Facebook Wi-Fi
Do you want to host/control the landing page?
• No: Facebook Wi-Fi. USE CASE: Facebook will host the landing page. You will be able to engage by pinning ads on the Facebook page. You will also get the demographic insights from Facebook.
• Yes: CMX 10.1 Custom Guest Portal
  USE CASE 1: Registration fields
  USE CASE 2: Social authentication with data collected and stored on MSE
  USE CASE 3: SMS as authentication method
  USE CASE 4: OSU/Hotspot 2.0 (coming soon!)
  USE CASE 5: CMX 10.1 App as authentication method
Guest Access – Cisco CMX for Facebook Wi-Fi Connect
• Increase brand recognition and gain insights through Facebook Wi-Fi.
• User connects to Wi-Fi, opens browser, and checks in.
• Venue gains exposure through news feeds, notifying friends.
• Guest demographic visibility
WLC WLAN Configuration – Facebook WiFi
• Redirect config must be done at the WLAN level
• Select Web Passthrough
• Preauth ACL is mandatory
• Portal URL on MSE for FB WiFi: http://<mse>/fbwifi/forward
WLC WLAN Configuration – Custom Portal
• Redirect config must be done at the WLAN level
• Select Web Passthrough
• Preauth ACL is mandatory
• Portal URL on CMX for custom portal: http://<cmx>/visitor/login
WLC Configuration – Pre-Auth ACL
• Whitelist all HTTPS traffic for Social Auth
• Permit HTTP traffic only to MSE (both directions)
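The pre-auth ACL policy above as a small model, added here as an example rather than a WLC configuration: it encodes the two slide rules (HTTPS to anywhere for social auth, HTTP only to and from the MSE) ahead of a deny-all, and sets a loose variant beside it that also opens plain HTTP to every destination, so the difference can be checked against sample flows. The MSE address 10.1.1.50, the guest client and the Internet destinations are constructed.

```python
import ipaddress

MSE_IP = "10.1.1.50"  # constructed MSE/CMX address

# Rule: (action, protocol, source net, source port, destination net, destination port)
# "any" / None are wildcards. First match wins, so the deny-all must come last.
PREAUTH_ACL = [
    ("permit", "tcp", "any", None, "any", 443),          # HTTPS anywhere: social auth
    ("permit", "tcp", "any", None, MSE_IP + "/32", 80),  # HTTP only towards the MSE
    ("permit", "tcp", MSE_IP + "/32", 80, "any", None),  # HTTP only back from the MSE
    ("deny", "any", "any", None, "any", None),
]

# Weak variant for contrast: plain HTTP is opened to every destination before login.
LOOSE_ACL = [
    ("permit", "tcp", "any", None, "any", 443),
    ("permit", "tcp", "any", None, "any", 80),
    ("permit", "tcp", "any", 80, "any", None),
    ("deny", "any", "any", None, "any", None),
]


def flow(proto, src_ip, src_port, dst_ip, dst_port):
    """One direction of a connection, as the WLC would see it from a pre-auth client."""
    return {"proto": proto, "src": ipaddress.ip_address(src_ip), "sport": src_port,
            "dst": ipaddress.ip_address(dst_ip), "dport": dst_port}


def _in_net(addr, spec):
    return spec == "any" or addr in ipaddress.ip_network(spec, strict=False)


def _matches(rule, f):
    _, proto, snet, sport, dnet, dport = rule
    if proto != "any" and proto != f["proto"]:
        return False
    if not _in_net(f["src"], snet) or not _in_net(f["dst"], dnet):
        return False
    if sport is not None and sport != f["sport"]:
        return False
    if dport is not None and dport != f["dport"]:
        return False
    return True


def evaluate(acl, f):
    """Return the action of the first matching rule; implicit deny otherwise."""
    for rule in acl:
        if _matches(rule, f):
            return rule[0]
    return "deny"


def audit(acl, flows):
    """Permit/deny verdict per sample flow, for comparing two ACLs side by side."""
    return [(name, evaluate(acl, f)) for name, f in flows]


# Constructed sample flows from guest client 192.168.10.20.
SAMPLE_FLOWS = [
    ("https to social site", flow("tcp", "192.168.10.20", 51000, "198.51.100.7", 443)),
    ("http to random site", flow("tcp", "192.168.10.20", 51001, "198.51.100.7", 80)),
    ("http to MSE portal", flow("tcp", "192.168.10.20", 51002, MSE_IP, 80)),
    ("http reply from MSE", flow("tcp", MSE_IP, 80, "192.168.10.20", 51002)),
    ("udp to random host", flow("udp", "192.168.10.20", 51003, "198.51.100.7", 5000)),
]

if __name__ == "__main__":
    for name, verdict in audit(PREAUTH_ACL, SAMPLE_FLOWS):
        print(f"{name:24} strict={verdict:6} loose={evaluate(LOOSE_ACL, SAMPLE_FLOWS[[n for n, _ in SAMPLE_FLOWS].index(name)][1])}")
```

The only flow on which the two lists disagree is plain HTTP to an arbitrary host: the strict list keeps an unauthenticated guest confined to the portal and to HTTPS, which is the point of making the pre-auth ACL mandatory.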


CMX 10.1 – Custom Portal Configuration – Edit Portal
• Click on an element in the preview to edit it
CMX 10.1 – Connect Splash page authoring
BLE Monitoring – Visibility and Alerts
• BLE MAC address
• Unique beacon identifier decoded
• Beacon type classified as an active rogue
• Major ID typically identifies store or branch, while minor ID typically identifies aisle or dept. within
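What "unique beacon identifier decoded" and "classified as an active rogue" involve, as an added example that is not CMX code: a decoder for the iBeacon advertisement layout (Apple company ID 0x004C, type 0x02, length 0x15, 16-byte UUID, major, minor, TX power) and a classifier that compares the decoded UUID and major against an inventory of the beacons a site manages. The advertising payloads, the UUIDs and the inventory are constructed.

```python
import struct
import uuid

APPLE_COMPANY_ID = 0x004C
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15
AD_MANUFACTURER_SPECIFIC = 0xFF


def parse_ad_structures(adv):
    """Split a BLE advertising payload into (ad_type, data) structures.
    Each structure is: length byte, AD type byte, length-1 data bytes."""
    i, out = 0, []
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break  # zero-length padding ends the payload
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        out.append((adv[i + 1], bytes(adv[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def decode_ibeacon(adv):
    """Return the iBeacon fields from an advertisement, or None if it is not one."""
    for ad_type, data in parse_ad_structures(adv):
        if ad_type != AD_MANUFACTURER_SPECIFIC or len(data) < 25:
            continue
        company = int.from_bytes(data[:2], "little")
        if company != APPLE_COMPANY_ID or data[2] != IBEACON_TYPE or data[3] != IBEACON_LEN:
            continue
        major, minor, tx_power = struct.unpack(">HHb", data[20:25])
        return {"uuid": str(uuid.UUID(bytes=data[4:20])), "major": major,
                "minor": minor, "tx_power_dbm": tx_power}
    return None


# Constructed inventory: UUID -> {major: site}. Major is the store/branch on the
# slide, so a known UUID with an unexpected major is still treated as rogue.
KNOWN_BEACONS = {
    "12345678-1234-5678-1234-56789abcdef0": {1: "Store 42", 2: "Store 43"},
}


def classify_beacon(beacon, inventory=KNOWN_BEACONS):
    """'managed' if UUID and major are inventoried, otherwise a rogue verdict."""
    if beacon is None:
        return "not an iBeacon"
    sites = inventory.get(beacon["uuid"])
    if sites is None:
        return "rogue: unknown UUID"
    if beacon["major"] not in sites:
        return "rogue: known UUID, unexpected major %d" % beacon["major"]
    return "managed"


# Constructed advertisements: flags AD (02 01 06) followed by the manufacturer AD.
SAMPLE_MANAGED_ADV = bytes.fromhex(
    "020106" "1AFF4C000215" "1234567812345678" "1234567 89abcdef0".replace(" ", "")
    + "0001" "000A" "C5")
SAMPLE_ROGUE_ADV = bytes.fromhex(
    "020106" "1AFF4C000215" "deadbeefdeadbeefdeadbeefdeadbeef" "0007" "0001" "C5")

if __name__ == "__main__":
    for adv in (SAMPLE_MANAGED_ADV, SAMPLE_ROGUE_ADV):
        b = decode_ibeacon(adv)
        print(b, "->", classify_beacon(b))
```

The BLE MAC is not part of the iBeacon payload itself; it comes from the advertising PDU header, so the decoder keys its verdict on UUID and major, which is also what a rogue beacon would have to spoof to pass as managed.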
Thank you
