TECEWN-3002
WLAN Deployment
Damodar Banodkar, Technical Marketing Engineer
Carlos Alcantara, Consulting Systems Engineer
Karan Sheth, Sr. Technical Marketing Engineer
Patrick Croak, Consulting Systems Engineer
Agenda
• Centralized Controller Design
• Distributed Controller Design
• WLAN Security
• 802.11ac
• Application Visibility & Services Directory
• WLAN Policy Engine & ISE 1.3 Intro
• High Density Experience (HDX)
• High Availability
• WLAN Best Practices
• Connected Mobile Experience (CMX)
Note: To learn more about Converged Access Mobility design, please sign up for BRKEWN-2022.
Your Speakers Today
Time          | Topic                                                                  | Who
08:00 – 09:30 | 11ac, AVC, Bonjour Services Directory, Policy Engine and ISE 1.3      | Damodar Banodkar (Technical Marketing Engineer)
10:00 – 12:00 | High Density Experience and Centralized Controller Design              | Carlos Alcantara (Consulting Systems Engineer)
1:00 – 2:30   | Distributed Controller Design and WLAN Security                        | Karan Sheth
3:00 – 5:00   | Best Practices, High Availability and CMX                              | Patrick Croak
Gigabit Wi-Fi - 802.11ac
• 802.11ac is the transformational technology for the Gigabit Wi-Fi Edge
• Cisco is the Leader of 802.11ac amendment for the 802.11 standard
• Supports 802.11b/g/n, 802.11a/n, and 802.11ac
• Support for Wave 1 and Wave 2 modules (AP3700, AP2700, 11ac Module)
Connect rates by standard (figure; SS = spatial streams, rates in Mbps):
Standard           Year   Connect rates (Mbps)
802.11             1997   2
802.11b            1999   11
802.11a/g          2003   54
802.11n            2007   65, 300, 450, 600
802.11ac Wave 1    2013   430* (1SS @ 80), 870* (2SS @ 80), 1300* (3SS @ 80)
802.11ac Wave 2    2015   430* (1SS @ 80), 1730** (2SS @ 160), 2340** (3SS @ 160), 3500** (4SS @ 160), 6900 (8SS @ 160)
Typical devices by spatial streams: 1SS – smartphones, tablets; 2SS – tablets, laptops; 3SS – laptops, desktops; 4SS – laptops, content delivery.
Ethernet uplink: ≤ GbE through 802.11ac Wave 1; ≥ GbE (2 Gigabit Ethernet uplinks) for 802.11ac Wave 2.
*Assuming 80 MHz channel is available and suitable
**Assuming 160 MHz channel is available and suitable
Comparison of 802.11n vs. 802.11ac Improvements (figure): data bits per subcarrier (64-QAM at rate 5/6 for 11n vs. 256-QAM at rate 5/6 for 11ac), channel bandwidth, and number of spatial streams (4 for 11n); video is the example application.
Elements of 802.11ac – Wave 1
802.11ac (Wave-1) improvements over 802.11n:
• Faster modulation: 256-QAM
• Beamforming (requires N+1 antennas)
802.11n compared with 802.11ac:
                  802.11n – Today    802.11ac Wave 1 – Today   802.11ac Wave 2
MIMO              Single User (SU)   Single User (SU)          Multi User (MU)
PHY Rate          450 Mbps           1.3 Gbps                  2.34 Gbps – 3.5 Gbps
Channel Width     20 or 40 MHz       20, 40, 80 MHz            20, 40, 80, 80-80, 160 MHz
MAC Throughput*   270 Mbps           780 Mbps                  1.57 Gbps – 2.1 Gbps
Uplink            GbE                GbE                       GbE and GbE+ (product specific)
With TxBF we have 4 antennas and can place the signal anywhere we want. While TxBF is directing the signal at, say, User 1, you also have to create a NULL or lower signal for Users 2 & 3, etc.
MU-MIMO protocol advertisement
• You can see some of this in the VHT Capabilities Element (191).
• Check the Beacons/Probe Responses to see that the SU Beamformer and MU Beamformer bits are enabled. Also, the number of sounding dimensions needs to be non-zero; you can then check for the same in the association responses.
Important “Best Practices” for 802.11ac Wave 1 or 2
• 5.0 GHz Gigabit WLAN to leverage more and cleaner channels / spectrum
• Consistent -65 RSSI to solve for Data, Voice, Video, Location, and Capacity
• 10 - 20% cell overlap to optimize roaming and location calculations
• Separate SSIDs for Corporate and Guest Access, with Guest being rate limited
• 1 Access Point per 2,500 square feet / every 50 feet
• -67 = Data, Voice, Multicast Video, Unicast Video, Location
• -70 = Data, Unicast Video
• -72 = Data
802.11ac Wave 2
• 80 to 160 MHz channel width – 2 cables for GE
Cable Category
• Category 5E or better recommended
POC: Testing your 802.11ac Wi-Fi Network
Wireless Spectrum (Clean) – Tools
• Paid Tools: Cisco Spectrum Expert
• Free Tools: Chanalyzer Pro with CleanAir (Chanalyzer connecting to the WSSI module for analyzing spectrum)
Wired Network
• Using the tools, make sure the wired network does not drop packets
Clients
• Make sure clients are connected at 802.11ac rates
Client                                                    802.11ac Capability
MacBook Pro                                               3x3
MacBook Air                                               2x2
iPhone 6                                                  1x1
iPad Air 2                                                2x2
Microsoft Surface                                         2x2
Samsung Galaxy S4 / S5 / S6                               1x1 / 2x2
Intel 7260/65 (Lenovo Thinkpad T440, Dell Latitude 13)    2x2
POC: Expected Results (figure): client Tx rate, test setup and client distribution charts
http://nostringsattachedshow.com/AP2700/
Cisco Aironet Indoor Access Points Portfolio
Industry’s Best 802.11ac Series Access Points
1700 (Enterprise Class)
• 802.11ac W1, 870 Mbps PHY
• 3x3:2SS
• CleanAir Express
• Tx Beam Forming
• 2 GbE Ports
2700 (Enterprise Class)
• 802.11ac W1, 1.3 Gbps PHY
• 3x4:3SS
• HDX: High Density Experience
• CleanAir 80 MHz
• ClientLink 3.0
• 2 GbE Ports
3700 (Mission Critical, Best in Class)
• 802.11ac W1, 1.3 Gbps PHY
• 4x4:3SS
• HDX: High Density Experience
• CleanAir 80 MHz
• ClientLink 3.0
• StadiumVision
• Modularity: Security, 3G Small Cell or Wave 2 802.11ac
1850 (New, Best in Class)
• 802.11ac W2
• 1.7 Mbps PHY
• 4x4:4SS
• Spectrum Intelligence*
• Tx Beam Forming
• 2 GbE Ports
• USB 2.0
Outdoor access points (1530 / 1550 / 1570):
1530 (Base)
• Low Profile, Low Price
• Europe: Low Profile
• Emerging SP: Low Price
• Enterprise: Low profile & Price
• 11n, 2x3:2
• Int/External Antennas
1550 (High-Functionality)
• Multiple models & features
• Enterprise, MSO
• DOCSIS 3.0 8x4
• 11n, 2G: 3x3:3; 5G: 2x3:2
• Int/External Antennas
• Modular: Future Proof
1570 (Best in Class, NEW)
• High-end Enterprise, MSO
• 11ac, 4x4:3
• NG-Cable: 24x8
• Int/External Antennas
Summary
• 802.11ac Wave 1 represents a big upgrade in speed and leverages the cleaner
5GHz-band only.
• 802.11ac Wave 2 represents additional speed enhancements, but will come with
time, and that should not hinder an 802.11ac Wave 1 deployment today.
Application Visibility and Control
What is the Need for Application Visibility and Control? (figure)
• Who are the top 10 users?
• Is someone running BitTorrent and bringing down my business applications?
• What are the top 10 applications?
Devices exporting application data: ISR G2 routers, ASR, WLAN controllers (and NAM), to Cisco Prime or a third-party NetFlow collector.
What is Application Visibility & Control?
On Wireless Controllers (figure):
• NBAR2 library – deep packet inspection to identify applications in client traffic (Voice, Video, Best-Effort, Background)
• Policy – mark / drop (“Don’t Allow”) / rate-limit
• NetFlow (static template) – flow export to Cisco Prime or a third-party NetFlow collector for capacity planning, compliance and troubleshooting
Identify Applications using NBAR2; Control Application Behavior
AVC on Gen 2 FlexConnect APs (figure): Gen2 AP (Katana) across the WAN to the WLC; real-time information for the last 90 seconds; stateful context transfer on roam.
• AVC works on traffic from Cisco APs in “Local Mode”, FlexConnect (Central & Local switching) and OEAP traffic.
• AVC is based on port, destination and heuristics, which allows reliable packet classification with deep visibility.
• AVC looks into the initial setup of the client flow (first 10-20 packets), so loading on the controller system is minimal.
• Available for all current generation Cisco controllers supporting v7.4 and above: Cisco 2504, 55xx, WiSM2, Flex 7500 and 85xx
Different Application Types that AVC Can Recognize
• Enterprise Applications
• Non-HTTP Applications
• URL/HTTP(S) Based Applications
• The library within AVC includes web-based, real-time, voice, video, and enterprise applications of all types.
How Does AVC Classify Applications: Peer to Peer
Most popular ports: 6881-6889
Behavioral classification
DHT Handshake pattern
Top Applications (figure): show sorted by bytes, application group, application
Application Control (figure):
1. AVC Profile – Mark Citrix (High / Medium / Low)
2. AVC Profile – Drop Bit torrent
Control application usage and performance
Application-based Policies (WLC v8.0)
• Per WLAN
• User-role aware: Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
• Device-aware: Alice can access EHS records on an (IT provisioned) Windows laptop but cannot on a personal (unsecure) iPad
AVC Profile Per User Device (figure: SSID “Classroom”, Security: WPA2/802.1x, Teacher and Student users on the same AP)
RADIUS attributes returned by the AAA server to the WLC:
Cisco-av-pair=avc-profile-name=<avc profile on wlc>
Cisco-av-pair=role=<role name>
• Apply AVC Profile per client using Local profiling on WLC
• Apply AVC Profile per client using AAA Override (Radius Server)
NBAR2 Protocol Pack (Protocol1, Protocol2, … Protocoln)
• Supports traffic categorization and attributes
• Available (as Default protocol pack) in DATA image
• Periodic releases; offers SLA
NBAR2 Protocol Pack Example
Download - http://www.cisco.com/c/dam/en/us/products/collateral/wireless/cisco_avc_application_improvement.pdf
Lync SDN
Microsoft Lync SDN API & Cisco Strategy
Lync SDN API to address UC challenges (figure): the MS Lync Front End Server sends call information over HTTP to the WLC (control plane); the WLC applies policy to the Lync call on the data plane between the two clients.
• Lync Call Statistics
• Real-time Lync Call Monitoring
• Lync Call diagnostics
Lync SDN Integration Deep-Dive (figure: MS Lync Server → XML-LDL over HTTP to the WLC on the control plane; policy applied to the Lync call from the WLC on the data plane)
• Automate QoS policy to control Lync Calls
• Highest level of visibility for Lync calls
• Troubleshoot Lync issues in real time
• Supports L2/L3 roaming – policy and call info is maintained
• Supported in centralized mode only (WLC supported: 55xx, 85xx, WiSM2)
• Report/Monitor and assist with diagnostics of endpoint detail: call status, call type, source/destination, MOS, jitter, call duration
Lync SDN API Integration Steps
• Install Lync Dialog Listener on a Lync front-end server
• Install Lync SDN Manager on a separate Windows 2008/2012 server
• Multiple Lync front-end servers - install LDL on each FE and configure to point
at the Lync SDN manager.
• Register WLC information with each Lync SDN Manager
• Configure Global Lync Server on WLC
• Configure WLC CPU ACL to allow Lync SDN API communication.
• Enable/Disable Lync application and define QoS policies per WLAN
• Monitor Lync calls on WLC
http://www.microsoft.com/en-us/download/details.aspx?id=39714
Lync Configuration - Global
• Make sure that the Lync SDN server is also configured for use with the same port.
• Global Configuration CLIs:
  config wlan lync enable/disable <wlan-id>
• Call detail records will not be processed if the service is not enabled.
Lync Configuration - WLAN QoS
• Lync Policies can be overridden in WLAN QoS
• Audio, Video, Desktop Sharing, and File Transfer
Caller Callee
-------------------------------------------------------------------- --------------------------------------------------------------------
ID URI MAC Address IP Address AP Name URI MAC Address IP Address AP Name Call Type
--- ---------------- ----------------- --------------- ----------------- ---------------- ----------------- --------------- ----------------- ---------
0 sip:test2 60:45:bd:de:74:4e 10.10.20.109 AP3700-8.0-demo sip:pod1b 28:18:78:d6:03:0d 10.10.20.104 AP3700-8.0-demo Audio
Lync Call Detail
Bonjour / mDNS basics (figure: Apple TV on VLAN Y, AP, WLC, router, CAPWAP tunnel, mDNS group 224.0.0.251 on VLAN X; also on IOS-XE 03.07.00E and above: 5760, Catalyst 3850, Catalyst 3650)
• Bonjour is link-local multicast and thus is forwarded on the local L2 domain only
• mDNS operates at UDP port 5353 and is sent to the reserved group addresses:
  IPv4 Group Address – 224.0.0.251
  IPv6 Group Address – FF02::FB
Bonjour mDNS Gateway on Cisco WLC
Topology used in the steps below (figure): Apple TV advertising AirPlay on VLAN 20, AirPrinter offering AirPrint on VLAN 23, WLC and switch, AP on VLAN 99 behind a CAPWAP tunnel, iPad as the wireless client.
Step 1 – Listen for Bonjour services (wired): the controller hears the Bonjour advertisements (AirPlay on VLAN 20, AirPrint on VLAN 23).
Step 2 – Bonjour services cached on the controller (wired). Bonjour cache: AirPlay – VLAN 20; AirPrint – VLAN 23.
Step 3 – Listen for client service queries (wired): the iPad sends a Bonjour query.
Step 4 – Respond to client queries (unicast) for Bonjour services (wired): the controller answers the iPad from its cache with a unicast Bonjour response.
Bonjour Traffic Optimization (chart): mDNS traffic with mDNS snooping ON versus number of access points (1 to 4); values shown: 800, 160, 140, 120, 100, 80.
Apple TV Bluetooth Discovery process (figure):
1. Enable Wi-Fi on the iDevice and make sure it is routable to the Apple TV subnet
2. The iDevice discovers Apple TVs in Bluetooth range (40 feet)
3. The iDevice can start mirroring
Services Directory (figure): mDNS service instances grouped into a Guest service policy (FileShare, AirPrint, AirPlay) and an Employee service policy (FileShare, AirPlay, iTunes Sharing, AirPrint) for the Student network and the Teacher network; Apple TV2 shown as an example instance.
Bonjour Policy Enhancement in 8.0 (figure)
1. Create Bonjour Device group (Teacher Bonjour Devices: Classroom Printer, Classroom Apple TV, Library Printer, Library Apple TV; Student Bonjour Devices: Personal Apple TV)
2. Assign ID to Device Group (User Role = Teacher; User Name = John)
3. Assign Location – AP-Group, AP-Name or AP-Location
Bonjour Policy Enhancement in 8.0 (example)
• Teacher Bonjour Devices: Classroom Apple TV, Location = ClassRoom
• Teacher can discover the Classroom Apple TV only when present in the classroom
• Teacher can discover the Classroom Apple printer from anywhere on the campus
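The four gateway steps above (listen, cache, hear the client query, answer it by unicast) together with the 8.0 role/location policy can be exercised in a small simulation. The following Python is an added example written for this page, not controller code from Cisco; the service names, VLANs, roles and locations are constructed to match the slides, and the policy scopes "same-location" and "anywhere" are this example's own shorthand for the AP-group/AP-name/AP-location filter.

```python
"""Simulated Bonjour (mDNS) gateway: wired advertisements are cached with their
source VLAN and location, wireless queries are answered per client (unicast)
after the role/location policy is applied. Added example, not WLC code."""
from dataclasses import dataclass

SAME_LOCATION = "same-location"   # discoverable only where the device lives
ANYWHERE = "anywhere"             # discoverable from any location on campus


@dataclass(frozen=True)
class ServiceInstance:
    service: str    # mDNS service type, e.g. "_airplay._tcp.local"
    name: str       # instance name, e.g. "Classroom Apple TV"
    vlan: int       # wired VLAN the advertisement was heard on
    location: str   # location tag of the Bonjour device group


class MdnsGateway:
    def __init__(self, policies):
        # role -> {service type -> SAME_LOCATION | ANYWHERE}
        self.policies = policies
        self.cache = {}   # (service, name) -> ServiceInstance

    def learn(self, inst):
        """Steps 1-2: snoop a wired advertisement and cache it with VLAN/location."""
        self.cache[(inst.service, inst.name)] = inst

    def answer(self, service, role, client_location):
        """Steps 3-4: match one client's query against the cache, filter by the
        role's policy for that service, and return what goes back by unicast."""
        scope = self.policies.get(role, {}).get(service)
        if scope is None:
            return []   # role may not discover this service at all
        return sorted(
            (inst.name, inst.vlan)
            for (svc, _), inst in self.cache.items()
            if svc == service
            and (scope == ANYWHERE or inst.location == client_location)
        )


def build_campus_gateway():
    """Constructed campus: teachers see AirPlay only in their own location but
    AirPrint anywhere; students see only their local printer."""
    gw = MdnsGateway({
        "teacher": {"_airplay._tcp.local": SAME_LOCATION,
                    "_ipp._tcp.local": ANYWHERE},
        "student": {"_ipp._tcp.local": SAME_LOCATION},
    })
    gw.learn(ServiceInstance("_airplay._tcp.local", "Classroom Apple TV", 20, "Classroom"))
    gw.learn(ServiceInstance("_airplay._tcp.local", "Library Apple TV", 20, "Library"))
    gw.learn(ServiceInstance("_ipp._tcp.local", "Classroom Printer", 23, "Classroom"))
    gw.learn(ServiceInstance("_ipp._tcp.local", "Library Printer", 23, "Library"))
    return gw


if __name__ == "__main__":
    gw = build_campus_gateway()
    print("teacher in Classroom, AirPlay:", gw.answer("_airplay._tcp.local", "teacher", "Classroom"))
    print("teacher in Library, AirPrint:", gw.answer("_ipp._tcp.local", "teacher", "Library"))
    print("student in Classroom, AirPlay:", gw.answer("_airplay._tcp.local", "student", "Classroom"))
```

The cache is keyed by service type and instance name rather than by VLAN, which is what lets the controller answer a query from VLAN 99 with a service it learned on VLAN 20 or 23; the VLAN is kept in the entry so the answer can still say where the device is.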
mDNS AP (figure): an AP in trunk mode at a remote switch forwards mDNS (224.0.0.251) from a remote VLAN (Apple TV on VLAN Y) over the CAPWAP tunnel, so the Bonjour Services Directory on the WLC learns services from both VLAN X and VLAN Y.
Google ChromeCast With Cisco Wireless LAN Controllers
How Does Google ChromeCast Work?
1. mDNS Service Discovery: the client queries _googlecast._tcp.local to 224.0.0.251 and receives a unicast response.
ISE Wireless
ISE Base:
• AAA
• Guest Provisioning
• Device Profiling & Policy Control by WLC
• Wireless Only
ISE Advanced:
• AAA
• Internal CA
• Guest Provisioning
• Device Profiling
• Device On-boarding
• Device Posturing
• Partner MDM Integration
• Profiling & Policy Enforcement Across Any Access Medium
Build BYOD Policy: Flexible Options
• Local Profiling & Policy on WLC
Network Components (figure)
Policy elements: VLAN, Access List, QoS, Application Services (Bonjour)
Identity elements: User-Role, Auth-Type, Device Type, Time
Policy flow: profiling to identify the device → policy decision (Radius Server) → enforcement on the Access Point / Wireless LAN Controller (ACL, VLAN, QoS); corporate devices are placed in VLAN 10 (Corporate Resources), personal devices in VLAN 20 (Internet Only); Unified Access Management.
Configuring User-Role (figure): User Role via Radius – Employee / Contractor privilege
Native Device Profiling on WLC (figure)
• Step 1: Device Type (e.g. Apple iPad)
• Step 2: Create Device Profiling Policy
Updating Device Profiles on Cisco WLC
Enforced Policy (Employee vs. Contractor): ACL*, VLAN, QoS*, Session Timeout, Application Control, mDNS Policy
• For the contractor user, AirPlay access is denied
Applying Native profiling policy per WLAN / AP Group
On the WLC:
config advanced eap max-login-ignore-identity-response ?
Different Deployment Requirements for Different Environments
ISE (Identity Services Engine) consolidates the Internal CA, ACS, NAC Profiler, NAC Guest Server and NAC Manager, providing:
• Certificate Authority
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Client Provisioning
• MDM
Admin Friendly: set up a Guest or BYOD workflow in just a few clicks. Corporate branding and themes; desktop & mobile ready!
Create Accounts – Print, Email or SMS the credentials (figure: “Here are my devices”, 44:6D:77:B4:FD:01)
Secret Code Controls Access to Guest Wi-Fi (optional; example accounts hansolo / nerfherder)
Pre-Expiration Notification (desktop and mobile)
Self Service
Self Service with Sponsored Approval: ISE sends an email requesting approval (“Visiting email?”)
Sponsored Guest Access – Sponsored Flow: “Hi! Can I get on your Wi-Fi?” “Sure. I just need a little information.” Print, email & SMS credentials. “Cool!”
Sponsored Guest Access – Creating a guest account (Sponsor Mobile)
After login the guest is redirected to the page they tried to reach (example: google.com), a predefined URL such as the company page, or a custom ISE success page.
Hand Holding Guests When They Exceed Device Limits
Redirection to Guest Portal; different portals are used here for different guest flows
What’s new in ISE 1.3 Portal Customization?
Notifications – “Approved!” credentials (example: username trex42, password littlearms)
Create Accounts – Print, Email, SMS
Mobile and Desktop Portals
Which Portals Are Customizable? All except the admin portal:
1. Guest
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Blacklist
Guest Portals – customize each portal independently
Anatomy of ISE Portal Customization (desktop preview)
Customizing Portals – Logos and Text
Customizing Portals – Out of the box themes
The Mini Editor – Variables add information to portal pages. Variables are text that looks like $some_variable_name$ in the mini editor and are replaced with an actual value when the page or notification is rendered to the end user.
Import / Export Language File; Export Theme from ISE Portal; Import Theme into ISE Portal
Hotspot Access: no name in the log when the user logs in as Guest
Guest Monitoring and Reporting
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-mobility/density_wireless.html
POE+ / 802.3at to activate all Rx/Tx chains
• The 2700/3700 require 802.3at power for full functionality
Data Rates
One of the real benefits of bonding is spectrum efficiency and overall system capacity. By allowing the clients to send and receive more data in a shorter period of time, the airwaves clear faster for other users and in some cases even battery life on the client device increases, as it spends less time in power-draining transmit mode.
Flex-DFS Solution (New in AireOS 8.1)
• Uses the CleanAir SAgE chipset to detect DFS events
• Identifies the radar frequency, narrowed down to 1 MHz
• Prevents false or off-channel radar alarms
(figure: the 80 MHz channel 52 is built from the 20 MHz channels 52/56/60/64, labelled primary 20, secondary 20 and secondary 40; the radio is shown narrowing to the 52/56 portion)
WARNING – This setting is a brick wall – if you set it above where your clients are being heard – they will no longer be heard. Really.
Wireless Carrier Sense for High Density
• Virtual Carrier Sense – NAV (network allocation vector)
  • Network is busy
  • NAV must be 0 for stations to transmit (prevents collisions)
  • NAV value gets set to the duration value in all 802.11 packets whose header is demodulated (virtual carrier sense range)
• Physical Carrier Sense – CCA (Clear Channel Assessment)
  • After NAV and slot-time backoffs, CCA is an instant check for energy in the channel just before transmitting (receive range)
We can create more Tx opportunities by increasing the Rx-SOP threshold.
We can strand clients by increasing the Rx-SOP threshold too high.
Receive Sensitivity Threshold (RX-SOP)
Without a custom RX-SOP threshold (default radio sensitivity): the radio demodulates everything that it can – any frame with enough SNR (processed frames from -20 dBm down to about -81 dBm).
With a custom RX-SOP threshold: frames above the threshold are processed; frames whose SOP (start of packet) is heard below the threshold are ignored.
Setting the threshold too high causes coverage issues in non-HDX areas.
Preset RX-SOP thresholds:
802.11 Band   High      Medium    Low
5 GHz         -75 dBm   -78 dBm   -80 dBm
2.4 GHz       -79 dBm   -82 dBm   -85 dBm
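The "brick wall" warning above is easy to check before changing the preset: compare the weakest RSSI at which each client has been heard against the preset thresholds. The following Python is an added example for this page, not Cisco tooling; the threshold table is the one on the slide, while the client MAC addresses (documentation range) and their RSSI readings are constructed.

```python
"""Rx-SOP threshold check: which frames a radio would demodulate at a given
threshold, and which observed clients a preset would strand.
Added example (not from the Cisco session or WLC code); the preset values are
the ones on the slide, the client RSSI readings are constructed."""

# Preset RX-SOP thresholds per band, as listed on the slide (dBm)
RX_SOP_THRESHOLDS_DBM = {
    "5 GHz":   {"high": -75, "medium": -78, "low": -80},
    "2.4 GHz": {"high": -79, "medium": -82, "low": -85},
}
LEVELS = ("high", "medium", "low")   # most to least aggressive


def process_frames(frames, threshold_dbm):
    """Split (source, sop_rssi_dbm) frames into processed and ignored.

    A frame is processed when its start-of-packet (SOP) RSSI is at or above
    the threshold; anything heard below it is ignored, as the 'with custom
    RX-SOP threshold' half of the slide describes."""
    processed = [f for f in frames if f[1] >= threshold_dbm]
    ignored = [f for f in frames if f[1] < threshold_dbm]
    return processed, ignored


def stranded_clients(client_rssi, band, level):
    """Clients whose frames would be ignored under the given band/preset."""
    threshold = RX_SOP_THRESHOLDS_DBM[band][level]
    return sorted(mac for mac, rssi in client_rssi.items() if rssi < threshold)


def safest_level(client_rssi, band, margin_db=3):
    """Most aggressive preset that keeps every observed client at least
    margin_db above the threshold; None if even 'low' would strand someone."""
    for level in LEVELS:
        threshold = RX_SOP_THRESHOLDS_DBM[band][level]
        if all(rssi >= threshold + margin_db for rssi in client_rssi.values()):
            return level
    return None


# Constructed sample: weakest RSSI at which each client was heard (the kind of
# value a PI report gives), keyed by documentation-range MAC addresses
OBSERVED_5GHZ = {
    "00:00:5e:00:53:01": -60,
    "00:00:5e:00:53:02": -72,
    "00:00:5e:00:53:03": -77,
}

if __name__ == "__main__":
    for level in LEVELS:
        print(level, "would strand:", stranded_clients(OBSERVED_5GHZ, "5 GHz", level))
    print("safest preset with 3 dB margin:", safest_level(OBSERVED_5GHZ, "5 GHz"))
```

With the constructed readings the "high" preset (-75 dBm) strands the client heard at -77 dBm, "medium" strands nobody, and only "low" leaves a 3 dB margin for every client.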
RF Profiles – Recommended Values (For Your Reference)
Columns: Dependency | Typical (Enterprise – default profile) | High Density (Throughput) | Low Density (Coverage, Open Space) | Legacy (if RF optimization is disabled)
(figure: the per-dependency values are not recoverable from the extraction)
Pre-built RF profiles
• Client-density-specific pre-built RF profiles for the 2.4 GHz and 5 GHz bands – to be used with AP Groups
ATF Modes
• Disable
• Monitor Mode
• Enforce-Policy Mode
ATF – Configuration (figure: per AP name)
• Step 2: Create Policies
• Standard HD density WLC configs (turned off lower data rates, etc.)
• After installation:
  • Used PI and WLC Config Analyzer to assess co-channel interference
  • Used PI to run reports to determine the signal strength at which the weak clients were heard, to ensure we were not stranding any clients
https://supportforums.cisco.com/document/7711/wlc-config-analyzer
MetaGeek Chanalyzer connecting to a CleanAir AP
Campus WLAN Design using a Centralized Controller Model
Unified Access: Wireless Deployment Options
Cisco Unified Access: 1 Architecture, Many Deployment Modes (managed by Prime and ISE)
Small Autonomous Networks
• Low IT Footprints
• SP Hotspots
• Mobility Express Functionality
• 11ac: 1850
Data center hosted controller
• Distributed enterprises
• Highly Scalable
• Controllers: 85xx / 7510 / vWLC
• Aironet Access Points Supported: 11ac AP’s, Gen 2 11n AP’s
Premise-based controller
• Traditional Overlay Model
• Controllers: 85xx / 5760 / 55xx / WiSM2 / 2504 / vWLC
• Aironet Access Points Supported: 11ac AP’s, Gen 2 11n AP’s
Simplified Branch
• Consistent Wired/Wireless
• Controllers: Integrated, 5760 external MC
• Aironet Access Points Supported: 11ac AP’s, Gen 2 11n AP’s
Evolve your network between deployment modes without network changes for: IPv6, VLAN, Best-in-Class L7 Visibility with NBAR, Flexible Mode Conversion, RF Excellence
Cisco Unified Wireless Principles (figure): Components – Wi-Fi client, access point, CAPWAP controller, campus network infrastructure, Cisco Prime; Principles – data plane and control plane carried over CAPWAP between the access point and the controller.
Centralized WLC deployment strengths
• Seamless L3 roaming support
• Assisted roaming 11k, client load balancing
• Easy to manage wireless subnets and VLANs
• Easy to add IP addresses assigned to an SSID – VLAN Select
• Clearly identified wireless insertion point
• Advanced access control: dynamic ACLs, QoS, AVC, TrustSec, Radius CoA
• Services gateway support: Bonjour mDNS caching and policy
• Client optimizations to conserve Wi-Fi spectrum – IPv6 optimizations
• High density optimizations
• IPMC optimization / Media Stream / Stadium features
• Advanced client features: passive client, sleeping client timer
• Simplified troubleshooting
• Well suited for large campus
Which Controller?
• Architecture Support: Converged, FlexConnect, Centralized
• Capacity: number of APs, number of clients, throughput
              2504      5508      WiSM2       5520 (NEW)   8510        8540 (NEW)
APs           75        500       1000        1500         6000        6000
Clients       1000      7000      15000       20000        64000       64000
Throughput    1 Gbps    8 Gbps    20 Gbps     20 Gbps      10 Gbps     40 Gbps
Controller connectivity to a VSS pair (figure): Po 1 and Po 2 port-channels as L2 802.1Q trunks. Spread the links in each port-channel among the two physical switches to prevent a WLC switchover upon a failure of one of the VSS switches.
CUWN Release – Key WLC Features
CUWN 8.0 (Aug CY14) – Interop: CMX 8.0, ISE 1.3, PI 2.1
• Native IPv6 (Centralized Mode Only)
• Bonjour filter per location, AAA override (per user)
• AVC and Bonjour Policies with WLC Policy Classification Engine
• FIPS, CC, UcAPL, USGv6
• AP 1570 11ac Outdoor AP (8.0MR1)
• World Regulatory Domain (8.0MR1)
• iBeacon/BLE visibility & security: CleanAir + MSE location integration (MSE 10.x reqd.) (8.0MR1)
CUWN 8.0 MR (Dec CY14) – Interop: CMX 8.0, ISE 1.3, PI 2.1
• AP 1570 11ac Outdoor
• iBeacon/BLE visibility & security
• World Reg. Domain
CUWN 8.1 (May CY15) – Interop: CMX 10.1, ISE 1.3, PI 3.0
• AP 5520 and 8540 Series Controllers
• WLAN Express with Best Practices on all Controllers
• SSO aware Microsoft SDN Lync 2.0
• HDX PH-2 (DBS, FlexDFS, Improved Wi-Fi awareness, Wi-Fi event driven RRM, Optimized Roaming v2)
• Mesh Convergence
• EoGRE tunneling on AP & WLC
• FlexConnect AVC, AAA-Override
CUWN 8.1 MR (Aug CY15) – Interop: CMX 10.2, ISE 1.3, PI 3.0
• Hyper-location module
• Airtime Fairness (ATF)
• Access Point 1850
Where to place the Controllers - Distributed (figure)
• Each building has its own WLC; each building can have its own mobility group
• Wireless insertion at the distribution layer (L3)
• Several distributed WLCs, wireless VLANs everywhere
• EoIP mobility tunnels between the building controllers and an EoIP guest-anchor (GA) tunnel towards the core
IRCM and Guest Anchor – CAPWAP (figure): a mobility group of foreign controllers (5520/8540/5508/7510/8510/WiSM2/2504 and 5760) joined by a CAPWAP mobility tunnel, with a CAPWAP guest-anchor (GA) tunnel to the DMZ guest anchor (5520/8540).
AP Groups (figure): WLC with its management VLAN and CAPWAP tunnels to AP Group 1 and AP Group 2 over 802.1Q trunks and L3 connectivity.
Any given WLAN can be mapped to different dynamic interfaces / interface groups in different AP Groups.
WLAN AAA Override
• When AAA override is not enabled on a WLAN, clients will be mapped to one VLAN, or to one VLAN in the Interface Group.
• When AAA override is enabled, clients will be mapped to the interface returned by the RADIUS server VSA.
VLAN Select / Interface Groups Review (figure): an interface group containing VLAN1–VLAN4; clients in the group are spread across its VLANs, and on the network interface the corresponding VLAN is still used for all their traffic. A multicast VLAN (mcast_vlan) can be assigned to the interface group for multicast traffic.
Broadcast Suppression (figure): broadcast frames (DA=FFFF:FFFF:FFFF) from the WLC to the AP over the CAPWAP tunnel.
• Media Stream supports multicast-to-unicast for IPv4 and IPv6 clients
• The multicast-to-unicast conversion occurs at the access point for efficiency and scalability
Client Management Features with Central Switching
Load balancing based on client count (AP / controller)
Passive Client
• Problem:
  • Passive devices disappear from the network, e.g. Zebra printers, Hobart scales, medical devices, etc.
  • They don't send packets for long times and time out off the network
  • They don't support DHCP and use static IPs
  • Information regarding the presence of passive devices is not available from the network
• Solution:
  • The “Passive Client” feature will allow ARP requests and ARP responses to be exchanged between the wired and wireless side on a per VLAN/WLAN basis
Per WLAN Idle Timeout with Idle Threshold
• Used to remove the client session from the WLC after a fixed time duration when client traffic is below the defined threshold
• Eliminates the issue of only removing clients that are completely quiet / powered off
Sleeping Client Support for L3 Authentications (Webauth and pass through)
• PROBLEM: To conserve power, devices shut down the Wi-Fi radio on sleep. This requires re-authentication when they wake up.
Mobility groups and domains (figure)
• 24 controllers, 144000 APs per mobility group; 72 WLCs in a mobility domain
• Ethernet in IP tunnel: data tunneled between controllers in EtherIP (RFC 3378)
• 7.6 has the option of using EoIP or CAPWAP tunnels between controllers
Example from the figure – Mobility Group Name: MyMobilityGroup; Mobility Group Neighbors: Controller-B, AA:AA:AA:AA:AA:02; Controller-C, AA:AA:AA:AA:AA:03 (Controller-C MAC: AA:AA:AA:AA:AA:03)
How Long Does an STA Roam Take?
• Time it takes for:
• Client to disassociate +
• Probe for and select a new AP +
• 802.11 Association +
• 802.1X/EAP Authentication +
• Rekeying +
• IP address (re) acquisition
• All this can be on the order of seconds… Can we make this faster?
Roaming Requirements
• Roaming must be fast … Latency can be introduced by:
• Client channel scanning and AP selection algorithms
• Re-authentication of client device and re-keying
• Refreshing of IP address
Roaming and authentication (figure): AP1 and AP2 on a WLC, with the Cisco AAA server (ACS or ISE) across the WAN. 1. 802.1X initial authentication transaction on AP1; 2. 802.1X re-authentication after roaming to AP2.
L3 Client Roaming Intra-Controller (figure): the client roams from AP1 to a different AP (AP2, default egress VLAN Z) on the same WLC; the WLC client database keeps the client on VLAN X, so no IP address refresh is needed.
L2 Inter-Controller Roaming (figure): both WLC-1 and WLC-2 serve VLAN X; when the client roams to a different AP, the client data (MAC, IP, QoS, security) moves from the WLC-1 client database to the WLC-2 client database.
L3 Inter-Controller Roaming (figure): WLC-1 on VLAN X, WLC-2 on VLAN Z; when the client roams, the client data (MAC, IP, QoS, security) is copied to WLC-2 and the pre-roaming data path through WLC-1 is maintained.
VLAN Select Layer 3 Inter-WLC roaming (figure): WLC-1 with Interface Group-1 (VLAN 1, 2, 3) and WLC-2 with Interface Group-2 (VLAN 1, 4, 5), connected at Layer 3.
• VLAN 1 exists in Interface Group 2
• The VLAN information is sent to WLC-2 and it becomes the anchor for that client
(second figure: the same topology with the roaming client on VLAN 2, which Interface Group-2 does not contain; pre-roaming data path shown)
• The FT (Fast Transition) key hierarchy is designed to allow the client to make fast BSS transitions between APs without the need to re-authenticate at every AP.
• WLAN configuration will have a new AKM type called FT (Fast Transition).
802.11r – Configuration
• Legacy clients may not associate with a WLAN that has 802.11r enabled along with 802.11i. If the driver or the supplicant that is responsible for parsing the Robust Security Network Information Element (RSN IE) is old and confused by the additional AKM (Authentication Key Management) suites advertised in the IE (IE 48), the driver will not attempt to start the association process.
• Due to this limitation, legacy clients cannot send association requests to WLANs with a FT PSK or FT 802.1x configuration.
• These legacy clients, however, can still associate with non-802.11r WLANs.
• Therefore the recommendation is to have a new, unique WLAN with a unique SSID for the additional 802.11r FT WPA clients, and an additional WLAN for the 802.11r FT 802.1x clients.
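The mixed AKM set that confuses old supplicants is visible in the beacon's RSN IE. The following Python is an added example written for this page, not Cisco or WLC code: it parses an RSN IE (element ID 48) from raw bytes, lists the AKM suites and flags the FT ones, so a capture of a mixed WLAN can be checked against what a legacy client will see. The AKM selector values (00-0F-AC:1 802.1X, :2 PSK, :3 FT-802.1X, :4 FT-PSK) are the ones defined by IEEE 802.11; the sample IEs are constructed by the block's own builder.

```python
"""Parse an 802.11 RSN information element and report its AKM suites.
Added example, not from the session deck; sample IEs are constructed."""
import struct

OUI_IEEE = b"\x00\x0f\xac"                  # IEEE 802.11 suite selector OUI
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
FT_AKMS = {3, 4}                             # the FT suites legacy drivers trip over
RSN_ELEMENT_ID = 48


def _suite(raw):
    """A 4-byte suite selector -> (oui hex, suite type)."""
    return (raw[:3].hex(), raw[3])


def parse_rsn_ie(ie):
    """Decode version, group cipher, pairwise ciphers, AKM suites, capabilities.
    Stops at the last complete field, so a short IE never raises IndexError."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN IE (element ID 48)")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN IE")
    out = {"version": struct.unpack_from("<H", body, 0)[0],
           "group": None, "pairwise": [], "akm": [], "capabilities": None}
    off = 2
    if off + 4 > len(body):
        return out
    out["group"] = _suite(body[off:off + 4]); off += 4
    for key in ("pairwise", "akm"):          # two counted suite lists
        if off + 2 > len(body):
            return out
        count = struct.unpack_from("<H", body, off)[0]; off += 2
        for _ in range(count):
            if off + 4 > len(body):
                return out
            out[key].append(_suite(body[off:off + 4])); off += 4
    if off + 2 <= len(body):
        out["capabilities"] = struct.unpack_from("<H", body, off)[0]
    return out


def akm_names(parsed):
    return [AKM_NAMES.get(t, f"unknown({t})") if oui == "000fac" else f"vendor({oui}:{t})"
            for oui, t in parsed["akm"]]


def advertises_ft(parsed):
    """True when the WLAN mixes FT AKMs into the IE, the case the text warns about."""
    return any(oui == "000fac" and t in FT_AKMS for oui, t in parsed["akm"])


def build_rsn_ie(akm_types, group=4, pairwise=(4,), caps=0):
    """Construct an RSN IE (CCMP = suite type 4) for the given IEEE AKM types."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akm_types)) + b"".join(OUI_IEEE + bytes([t]) for t in akm_types)
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


# Constructed samples: a plain WPA2-PSK WLAN and a WLAN advertising PSK + FT-PSK
WPA2_PSK_ONLY = build_rsn_ie([2])
MIXED_PSK_AND_FT_PSK = build_rsn_ie([2, 4])

if __name__ == "__main__":
    for label, ie in (("psk-only", WPA2_PSK_ONLY), ("mixed", MIXED_PSK_AND_FT_PSK)):
        parsed = parse_rsn_ie(ie)
        print(label, akm_names(parsed), "FT advertised:", advertises_ft(parsed))
```

A WLAN whose beacon parses with advertises_ft() true is one on which the text's legacy clients will not even attempt association; the separate non-802.11r SSID the text recommends should parse with FT absent.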
Client AP selection with 11k AP neighbor list (figure): without 11k the client scans and builds its own candidate list (AP, channels, RSSI – AP1 on channel 1 highest, …); with 11k the client requests the AP neighbor list (AP7 on channel 100 highest, …), scans the listed channels, selects a roam candidate and roams.
http://support.apple.com/en-us/HT203068
RSSI Check: RSSI check to exclude clients from associating with weak RSSI
Optimized Roaming - Configuration
• Sets a threshold RSSI value and/or minimum data rate below which a client will be sent a deauth
• Developed to support cellular hand-off
• Global configuration of 4 parameters available: Enable/Disable, Interval (seconds), Data Rate threshold, RSSI threshold (configured through Data CHD)
• Trigger is the pre-coverage-hole event – set under CHDM config
Data RSSI   Data Rate           Result
True        Disable (default)   Deauth
True        False               No Action
802.11v – Configuration
• AP to Client:
  • Send an unsolicited list of candidate neighboring APs
  • Warn/Inform the client that it will get disassociated
• Client:
  • May include this information in its roaming decision
CAPWAPv6 (figure): AP on Ethernet (10.10.10.52, 2001:db8:a:0:2329:9834:3231:1111) with a CAPWAPv6 tunnel through the IPv4/v6 router (10.10.10.1, 2001:db8:a::1/64) to the WLC management interface (10.10.10.2, 2001:db8:a::2/64); IPv4 client 10.10.10.51 and IPv6 client 2001:db8:a:0:8a56:caff:1547:9150 over 802.11; 2001:db8:a:0:1827:91bf:c41b:9683 also shown; SNMP, syslog, NTP and tftp/ftp/scp servers on 2001:db8:a:5/64 and 2001:db8:a:6/64.
WLC IPv6 address Overview
Mgmt: 2001:db8:a::2/64, 10.10.10.2
• WLC can be accessed from wired/wireless via its IPv6 Management Interface using: telnet, SSH, HTTP, HTTPS
CAPWAPv6
• Either the IPv4 or the IPv6 CAPWAP tunnel will be selected
• AP can get IPv6 addresses from stateful DHCPv6/SLAAC or static assignment
• If statically assigned, the gateway can be the unique global or link-local address of the router
• Either CAPWAPv4 or CAPWAPv6 can be used, but not both
• APs in bridge mode do not support CAPWAPv6
AP discovery Mechanisms
• DHCPv6 Option 52
• OPTION_CAPWAP_AC_V6 (52) RFC 5417
• As part of the DHCPv6 Reply, the server will provide the WLC management IPv6 address
• The AP will then begin unicast CAPWAP discovery
• Multicast discovery
• Broadcast does not exist in IPv6
• Send CAPWAP discovery messages to "All ACs multicast address" (FF01::18C)
• Using DNS
• Configure DNS server to resolve cisco-capwap-controller.domain-name
• domain-name should be returned from DHCPv6 server
• AP Priming
• Preconfiguring the AP with a Primary, secondary, and tertiary IPv6 managed WLC
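The DHCPv6 Option 52 discovery step above, as an added example (not Cisco's code): it walks a constructed DHCPv6 option area, pulls out the OPTION_CAPWAP_AC_V6 (52) address list the AP would send unicast discovery to, and rejects a malformed option instead of trusting part of it. The sample option bytes and the 2001:db8:a::/64 addresses are constructed for the example.

```python
"""Parse OPTION_CAPWAP_AC_V6 (52) out of a DHCPv6 Reply's option area (RFC 5417).

Added example, not Cisco's code: the option bytes are constructed here to show
what a DHCPv6 server hands an AP so that it can start unicast CAPWAP discovery.
"""
import ipaddress
import struct
from typing import Dict, List

OPTION_CAPWAP_AC_V6 = 52   # RFC 5417: list of 16-byte IPv6 addresses of CAPWAP ACs (WLCs)
OPTION_DNS_SERVERS = 23    # RFC 3646; only used to show a non-CAPWAP option being skipped


def parse_dhcpv6_options(blob: bytes) -> Dict[int, List[bytes]]:
    """Walk the DHCPv6 option TLVs (2-byte code, 2-byte length, value) into {code: [value, ...]}.

    Raises ValueError on a truncated header or a length that runs past the end of the
    buffer, so a malformed reply is rejected rather than partially trusted.
    """
    options: Dict[int, List[bytes]] = {}
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 4:
            raise ValueError(f"truncated option header at offset {offset}")
        code, length = struct.unpack_from("!HH", blob, offset)
        offset += 4
        if len(blob) - offset < length:
            raise ValueError(f"option {code} claims {length} bytes, {len(blob) - offset} remain")
        options.setdefault(code, []).append(blob[offset:offset + length])
        offset += length
    return options


def capwap_ac_addresses(option_area: bytes) -> List[str]:
    """Return the WLC IPv6 addresses carried in option 52, in the order the server listed them.

    The option value must be a non-empty multiple of 16 bytes; anything else is malformed.
    """
    addresses: List[str] = []
    for value in parse_dhcpv6_options(option_area).get(OPTION_CAPWAP_AC_V6, []):
        if not value or len(value) % 16:
            raise ValueError(f"OPTION_CAPWAP_AC_V6 length {len(value)} is not a multiple of 16")
        for i in range(0, len(value), 16):
            addresses.append(str(ipaddress.IPv6Address(value[i:i + 16])))
    return addresses


def build_option(code: int, value: bytes) -> bytes:
    """Encode one DHCPv6 option TLV (used here only to construct the sample reply)."""
    return struct.pack("!HH", code, len(value)) + value


# Constructed sample: a DNS-servers option followed by option 52 listing two WLC
# management addresses (the 2001:db8:a::/64 prefix matches the deck's diagrams).
SAMPLE_REPLY_OPTIONS = (
    build_option(OPTION_DNS_SERVERS, ipaddress.IPv6Address("2001:db8:a::53").packed)
    + build_option(
        OPTION_CAPWAP_AC_V6,
        ipaddress.IPv6Address("2001:db8:a::2").packed
        + ipaddress.IPv6Address("2001:db8:a::3").packed,
    )
)

if __name__ == "__main__":
    # An AP would now send unicast CAPWAP discovery requests to each of these.
    print("CAPWAP ACs from DHCPv6:", capwap_ac_addresses(SAMPLE_REPLY_OPTIONS))
```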
AP Failover
• Management IP address must be reachable
• One entry per WLC
• The AP will join either the IPv4 or the IPv6 address of the WLC (regardless of which management IP is listed)
• All other AP Failover behavior is the same as in previous versions
[Figure: three APs primed across WLC1, WLC2 and WLC3: (Primary: WLC1, Secondary: WLC2, Tertiary: WLC3), (Primary: WLC2, Secondary: WLC3, Tertiary: WLC1), (Primary: WLC3, Secondary: WLC2, Tertiary: WLC1)]
IPv6 Multicast / Mobility Multicast
• Ensure IPv6 Multicast routing is enabled on the IOS router/switch:
Router(config)#ipv6 multicast-routing
[Figure: Mobility Group between a WLC on 8.0 code and a WLC on 7.6 code; client in RUN state]
Upload/Download using IPv6 with ftp/tftp/sftp
[Figure: file transfer between the WLC and a server over IPv6; addresses shown: 10.10.10.104 and 2001:db8:a::1]
Wireless IPv6 client First Hop Security on WLAN
[Figure: IPv6 client, 802.11, AP, CAPWAP over IPv4/Ethernet, WLC, VLAN 100 / VLAN 200, IPv6 router]
• Router Advertisement (RA) Rate Limiting/Throttling: periodic RAs from the router are throttled toward the wireless clients
• Neighbor Solicitation (NS) Suppression: NS is dropped at the controller for unknown mobile clients
• Neighbor Discovery Suppression: the controller responds to an NS with a proxy Neighbor Advertisement from its cached binding table entries
• RA Guard: an RA from a client is blocked at the AP (Local and FlexConnect)
• Source Guard: blocks undesired IPv6 addresses/prefixes
BEST PRACTICES (AirOS)
INFRASTRUCTURE
Enable High Availability (AP and Client SSO)
Enable AP Failover Priority
Enable AP Multicast Mode
Enable Multicast VLAN
Enable Pre-image download
Enable AVC
Enable NetFlow
Enable Local Profiling (DHCP and HTTP)
Enable NTP
Modify the AP Re-transmit Parameters
Enable FastSSID change
Enable Per-user BW contracts
Enable Multicast Mobility
Enable Client Load balancing
Disable Aironet IE
FlexConnect Groups and Smart AP Upgrade
SECURITY
Enable 802.1x and WPA/WPA2 on WLAN
Enable 802.1x authentication for AP
Change advance EAP timers
Enable SSH and disable telnet
Disable Management Over Wireless
Disable WiFi Direct
Peer-to-peer blocking
Secure Web Access (HTTPS)
Enable User Policies
Enable Client exclusion policies
Enable rogue policies and Rogue Detection RSSI
Strong password Policies
Enable IDS
BYOD Timers
WIRELESS / RF
Disable 802.11b data rates
Restrict number of WLAN below 4
Enable channel bonding – 40 or 80 MHz
Enable BandSelect
Use RF Profiles and AP Groups
Enable RRM (DCA & TPC) to be auto
Enable Auto-RF group leader selection
Enable Cisco CleanAir and EDRRM
Enable Noise & Rogue Monitoring on all channels
Enable DFS channels
Avoid Cisco AP Load
MESH
Set Bridge Group Name
Set Preferred Parent
Multiple Root APs in each BGN
Set Backhaul rate to "Auto"
Set Backhaul Channel Width to 40/80 MHz
Backhaul Link SNR > 25 dBm
Avoid DFS channels for Backhaul
External RADIUS server for Mesh MAC Authentication
Enable EAP Mesh Security Mode
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Summary
• Additional reference material that was not covered in today's session is included in the deck
• RF profiles and Rx-SOP tuning allow for advanced high density tuning
• Centralized WLAN deployment is best suited for large campuses and where advanced features are required:
  Requires less configuration on the switch the AP is plugged into
  Provides robust roaming
  Supports the most advanced features
Deployment option   | Autonomous                                      | FlexConnect                                  | Centralized   | Converged Access
Target Positioning  | Small Wireless Network                          | Branch                                       | Campus        | Branch and Campus
Scope               | Wireless only                                   | Wireless only                                | Wireless only | Wired and Wireless
Key Considerations  | Limited features. Upgradable to controller based | Branch with WAN BW and latency requirements | Full features | Catalyst 3650/3850 in the access layer
Wireless Branch Deployment Options
Branch Office with Local WLAN Controller
Overview: FlexConnect APs at the branch with a backup central controller
Connected Mode: When the FlexConnect AP can reach the Controller, it gets help from the controller to complete client authentication.
Local Switching: Data traffic is switched onto local VLANs for an SSID.
It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.
FlexConnect Design Considerations
Feature Limitations Apply
• Some features are not available in standalone mode or in local switching mode
• MAC/Web Auth in Standalone Mode
• IPv6 L3 Mobility
• SXP TrustSec
• Service Discovery Gateway
• Native Profiling and Policy Classification
• See the full list in the « FlexConnect Feature Matrix »: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
IPv6 Support
• Significant support for IPv6 with Central Switching
• IPv6 RA Guard and IPv6 Bridging fully supported with Local Switching
Economies of Scale For Lean Branches
Flex 7500 Wireless Controller
Key Differentiation: WAN Tolerance
• High Latency Networks
# WLAN (SSID):       512 | 512 | 512 | 16
# VLAN (Interfaces): 4095 | 512 | 512 | 16
AP Groups
Configuration: Create a New Group
AP Groups Usage
[Figure: AP Group 1 at the Central Site / Head Office (VLAN-1); AP Group 2 at a Store with Corporate-Data and Guest-Access; AP Group 3 at a Manufacturing Site with Corporate-Voice, Corporate-Data and Scanners; per AP Group SSID to VLAN mapping]
FlexConnect Groups: 2000 | 100 | 100 | 30
FlexConnect Group: Local Backup RADIUS
Backup Scenario
[Figure: FlexConnect Group 1 at the remote site with a local RADIUS server; central site reachable over the WAN]
Local Authentication Configuration
FlexConnect Group: Local Backup Authentication
Backup Scenario
• Normal authentication is done centrally (Central RADIUS at the central site)
• On WAN failure, the AP authenticates new clients with its local database
• Each FlexConnect AP has a copy of the local user DB
Designing Secure & BYOD Enabled Branch Network
FlexConnect Peer-to-peer Blocking (starting from 7.2)
Local Switching Peer-to-peer Blocking
[Figure: locally switched clients on the same AP are blocked from reaching each other; traffic to the Application Server is still forwarded]
Local Switching Peer-to-peer Blocking Configuration
* Central Switching WLAN will support "Forward - UpStream" and will send the packet to the next upstream node connected to WLC
FlexConnect AAA VLAN & QoS Override (starting from 7.2)
FlexConnect AAA VLAN Override - Description
[Figure: RADIUS at the central site returns a VLAN override for a client in FlexConnect Group 1 at the remote site]
For Your Reference
FlexConnect AAA VLAN Override - Configuration
RADIUS attributes used: IETF 64, IETF 65, IETF 81 (the RFC 2868 tunnel attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID)
Overview
• While doing AAA VLAN Override with local switching, the central RADIUS/ISE may return a VLAN that the AP does not have (figure: VLAN 3 vs VLAN 7; VLAN 3 does not exist on this WLC)
• If the VLAN ID does not exist at the AP, the traffic is central switched to the central VLAN ID
• If the central VLAN ID does not exist,
[Figure: the central RADIUS returns VLAN 20; it exists at Remote Site A but does not exist at Remote Site B]
Function    | Remote Site A VLAN ID | Remote Site B VLAN ID
Engineering | 10                    | 11
Marketing   | 20                    | 21
Sales       | 30                    | 31
VLAN Name Mapping at FlexConnect Group (starting from 8.1)
[Figure: each FlexConnect Group maps the VLAN names to its own VLAN IDs: Remote Site A 10/20/30, Remote Site B 11/21/31]
VLAN Name AAA Override - Solution (starting from 8.1)
• The central RADIUS returns a VLAN NAME (Aire-Interface-Name or IETF Tunnel-Private-Group-ID = Marketing) instead of a VLAN ID
• Remote Site A resolves Marketing to VLAN 20; Remote Site B resolves Marketing to VLAN 21
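The pre-8.1 VLAN ID override and the 8.1 VLAN name mapping described above, as an added example (not Cisco's implementation): the per-site name-to-ID tables come from the slide, the set of VLANs assumed to exist centrally is constructed, and since the deck leaves the outcome unstated when neither the AP nor the central WLC has the VLAN, that case is reported as "unresolved" rather than guessed.

```python
"""Resolve a RADIUS VLAN override at a FlexConnect AP the way the deck describes it.

Added example, not Cisco's implementation. Pre-8.1 the override is a VLAN ID that
must exist at the AP; from 8.1 the FlexConnect Group maps a VLAN *name* to the
site's own VLAN ID. The per-site maps below are built from the slide's tables.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# IETF RADIUS attributes shown on the slide (RFC 2868 tunnel attributes)
IETF_TUNNEL_TYPE = 64
IETF_TUNNEL_MEDIUM_TYPE = 65
IETF_TUNNEL_PRIVATE_GROUP_ID = 81

# Per-FlexConnect-Group VLAN name -> VLAN ID mappings from the slide
SITE_VLANS: Dict[str, Dict[str, int]] = {
    "Remote Site A": {"Engineering": 10, "Marketing": 20, "Sales": 30},
    "Remote Site B": {"Engineering": 11, "Marketing": 21, "Sales": 31},
}
# Constructed assumption: VLAN IDs that exist on the central WLC
CENTRAL_VLANS: Set[int] = {20}


@dataclass(frozen=True)
class Placement:
    switching: str            # "local", "central" or "unresolved"
    vlan_id: Optional[int]
    reason: str


def resolve_vlan_override(radius_attrs: Dict[int, str], site: str,
                          site_vlans: Dict[str, Dict[str, int]] = SITE_VLANS,
                          central_vlans: Set[int] = CENTRAL_VLANS) -> Placement:
    """Decide where a client's traffic lands given the RADIUS Tunnel-Private-Group-ID."""
    local = site_vlans[site]
    value = radius_attrs.get(IETF_TUNNEL_PRIVATE_GROUP_ID)
    if value is None:
        return Placement("local", None, "no AAA override; WLAN default VLAN applies")
    if value.isdigit():                     # numeric override: a VLAN ID (pre-8.1 behaviour)
        vid = int(value)
        if vid in local.values():
            return Placement("local", vid, "VLAN ID exists at the AP")
        if vid in central_vlans:
            return Placement("central", vid, "VLAN ID missing at the AP; central switched")
        # The deck does not state what happens here, so do not pretend to know.
        return Placement("unresolved", vid, "VLAN ID exists neither at the AP nor centrally")
    if value in local:                      # 8.1 behaviour: a VLAN name mapped per site
        return Placement("local", local[value], f"VLAN name {value!r} mapped by the FlexConnect Group")
    return Placement("unresolved", None, f"VLAN name {value!r} unknown at {site}")


if __name__ == "__main__":
    for site in SITE_VLANS:
        print(site, "ID 20  ->", resolve_vlan_override({IETF_TUNNEL_PRIVATE_GROUP_ID: "20"}, site))
        print(site, "name  ->", resolve_vlan_override({IETF_TUNNEL_PRIVATE_GROUP_ID: "Marketing"}, site))
```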
FlexConnect ACL VLAN Mapping & Per-Client ACL
Overview
[Figure: FlexConnect ACLs configured at the central site and applied at the remote site APs]
Scale: 512 FlexConnect ACL per WLC
FlexConnect ACL – VLAN Mapping
Configuration – FlexConnect ACL per AP
• FlexConnect ACL can be applied per AP using the VLAN Mappings configuration
FlexConnect ACL – VLAN Mapping
Configuration – FlexConnect ACL per FlexConnect Group
• FlexConnect ACL can be applied per FlexConnect Group per VLAN in the ACL Mapping tab.
FlexConnect Split Tunneling (Using FlexConnect Split ACL)
Overview
• Split tunneling allows some traffic to be locally switched although the WLAN is defined as centrally switched
• Split tunneling uses a NAT/PAT feature with an ACL to perform the local switching
• Split tunneling uses the AP IP address for the NAT/PAT feature
[Figure: local traffic to a local printer is matched by the ACL, NAT/PAT'ed and switched locally; the remaining traffic crosses the WAN to the central server]
FlexConnect ACL – Split Tunneling
Configuration
• Create a centrally switched WLAN
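The split-tunnel forwarding decision above, as an added example (not Cisco's AP code): a first-match split ACL decides whether a packet from a centrally switched client leaves the AP locally, translated behind the AP's own IP with a PAT port, or stays inside the CAPWAP tunnel. It assumes "permit" marks locally switched traffic and that unmatched traffic stays central; the AP IP, ACL entries and client addresses are constructed.

```python
"""FlexConnect split tunneling decision for a centrally switched WLAN.

Added example, not Cisco's code. Assumptions: a 'permit' entry in the split ACL
marks traffic to be locally switched (NAT/PAT behind the AP's IP), anything else
stays inside the CAPWAP tunnel to the WLC. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SplitAclEntry:
    action: str                          # "permit" = switch locally, "deny" = keep central
    destination: ipaddress.IPv4Network


@dataclass
class FlexConnectAp:
    ap_ip: ipaddress.IPv4Address
    split_acl: List[SplitAclEntry]
    next_pat_port: int = 20000           # constructed PAT source-port pool on the AP
    pat_table: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def acl_action(self, dst: ipaddress.IPv4Address) -> str:
        """First-match evaluation with an implicit deny: unmatched traffic stays central."""
        for entry in self.split_acl:
            if dst in entry.destination:
                return entry.action
        return "deny"

    def forward(self, client_ip: str, client_port: int, dst_ip: str) -> Dict[str, object]:
        """Return how one client packet is forwarded and what source the far end will see."""
        dst = ipaddress.IPv4Address(dst_ip)
        if self.acl_action(dst) != "permit":
            # Centrally switched: the packet goes into the CAPWAP tunnel untouched.
            return {"path": "central", "src": client_ip, "sport": client_port, "dst": dst_ip}
        # Locally switched: PAT the client behind the AP's own IP address.
        key = (client_ip, client_port)
        if key not in self.pat_table:
            self.pat_table[key] = self.next_pat_port
            self.next_pat_port += 1
        return {"path": "local", "src": str(self.ap_ip), "sport": self.pat_table[key], "dst": dst_ip}


def build_sample_ap() -> FlexConnectAp:
    """Constructed AP: local branch subnet is split out, central 10/8 servers stay tunneled."""
    return FlexConnectAp(
        ap_ip=ipaddress.IPv4Address("192.168.10.5"),
        split_acl=[
            SplitAclEntry("permit", ipaddress.IPv4Network("192.168.10.0/24")),  # local printer etc.
            SplitAclEntry("deny", ipaddress.IPv4Network("10.0.0.0/8")),         # central servers
        ],
    )


if __name__ == "__main__":
    ap = build_sample_ap()
    # Client addresses come from the central DHCP scope because the WLAN is centrally switched.
    print(ap.forward("10.20.0.77", 51000, "192.168.10.50"))   # local printer -> local, PAT'ed
    print(ap.forward("10.20.0.77", 51001, "10.1.1.10"))       # central server -> CAPWAP
```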
External WebAuth with Local Switching
Configuration
• Configure the External Web-Server IP
• Map the WLAN-Id to the Pre-Auth ACL
Deploying BYOD with FlexConnect Local Switching (Using FlexConnect WebPolicies ACL)
BYOD Device On-Boarding in FlexConnect (starting from 7.4)
Example: Apple iOS Device Provisioning
[Figure: WLC, ISE and CA-Server; 1. Device Provisioning Wizard, 2. Client reconnects, 3. Future connections using EAP-TLS]
FlexConnect Access Lists for BYOD
Create FlexConnect ACL
• Create FlexConnect ACL to allow access to Cisco ISE
FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect AP
• ACL Mapping can be configured per FlexConnect AP
FlexConnect Web Policy ACL
Configure Web Policy ACL per FlexConnect Group
• Use ACL Mapping tab in FlexConnect Group configuration
• WebPolicies ACL are not the same as VLAN ACL or WebAuthentication ACL.
Cisco Wireless Central DHCP Processing
Configuration
• To support DHCP Profiling Probe with FlexConnect, DHCP request must be
sent to WLC. This is done by the « Central DHCP Processing » configuration.
Deploying BYOD with FlexConnect Wireless – Summary
[Figure components: FlexConnect AP, CAPWAP to the WLC over the WAN, ISE, DHCP Server, Web Server]
• 802.1x/EAP Authentication: WiFi association, then the 802.1x/EAP response is carried inside CAPWAP to the WLC and on to ISE
• DHCP Request: the DHCP request is carried inside CAPWAP; RADIUS-Accounting to ISE carries host-name=MyiPad and dhcp-class-identifier=APPLE, so the device is profiled as an Apple iPad; the DHCP lease comes back inside CAPWAP
• URL-Redirect: ISE returns a URL-Redirect for the client
• Registration & Provisioning: DHCP request/response inside CAPWAP, then web traffic to the provisioning portal
Summary of FlexConnect ACLs
FlexConnect Smart AP Image Upgrade
Description (Cont…)
[Figure: the Master AP downloads the firmware image from the WLC and serves it to the other APs in the FlexConnect Group]
FlexConnect Smart AP Image Upgrade
Configuration
• Master AP selection is optional
• The "FlexConnect AP Upgrade" checkbox has to be enabled for each FlexConnect Group.
• By default, the Master AP for each FlexConnect Group is selected using the lower-MAC algorithm.
• One Master AP is selected per AP type.
FlexConnect Smart AP Image Upgrade
Configuration contd.
FlexConnect VideoStream
Technical Solution
• IGMP state monitored for each client. Only send video to clients requesting it
• Sent as unicast to individual clients at their data rate
• Multicast packets replicated at the AP
• Prioritizes Business Video (QoS Gold) over other video (Best-effort)
Video Impact
• Smooth, reliable video delivered to multiple clients
• Quality of video protected in varying channel load conditions
[Figure: video server behind the WLC; default 802.11b/g mandatory data rates (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps) and 802.11n MCS M0 ... M15; each client receives at its own rate]
FlexConnect VideoStream Configuration
Enable VideoStream - Global
Feature\AP Mode: Local Mode | Bridge Mode | Flexconnect Mode | Flex+Bridge Mode
(AP will reboot upon change; Flex+Bridge Mode has the same options as an AP in Flex Mode)
FlexConnect Application Visibility and Control (Starting from 8.1)
How the AVC solution works (from 8.1)
• NBAR on the AP (Katana / Gen2 AP)
• Static NetFlow from the AP across the WAN to CPI or a third-party NetFlow collector
Flow ID | App Name  | Packets
1       | WebEx     | 1000
2       | Msft-Lync | 2300
3       | Skype     | 660
NBAR2 (1000+ Applications) and NetFlow will be ported onto Access Points!
Stateful context transfer will be supported for intra-FlexConnect Group roams
AVC for FlexConnect APs
Support on AP
WLAN AVC Configuration: Enable/disable, Profile, Monitor per WLAN
FlexConnect AVC Profiles
FlexConnect AVC profiles – Coming in 8.1
FlexConnect AVC Applications
Non-802.11 Attacks
[Figure: Kali NetHunter (post-2014) with USB wireless cards; bridge/NAT interfaces; DHCP, DNS, SSLstrip etc.; BSSID / Radio MAC spoofing pyramid]
Demo – Think like an Attacker
Demo topics: Guest portal bypass, Dupe the user, Service disruption, Backdoor access
Watch Demo On YouTube: https://www.youtube.com/user/karanyuj
Wireless Intrusion Prevention Best Practices
Wireless Security Pre-requisites
• Secure Connection: Strong Encryption
• Identify Users: 802.1x Authentication, RADIUS, ISE
• Classify Applications
• Control Access
Infrastructure MFP Operation
1. Enable Infrastructure MFP: WLC GUI > Security > Wireless Protection Policies > MFP
2. APs in Corporate Building 1 and Corporate Building 2 validate the Beacons, Probes and Associations of neighbouring APs
3. [Figure: BSSID 11:11:11:11:11:11 and 22:22:22:22:22:22 in Corporate Building 1; a BSSID 11:11:11:11:11:11 appearing in Corporate Building 2, whose radios cannot hear Building 1, is detected]
Client MFP and 802.11w Operation
Protected Management Frames with MIC (CCXv5)
Management frames shown: AP Beacons, Probe Requests/Probe Responses, Associations/Re-Associations, Disassociations, Authentications/De-Authentications, Action Management Frames
Spoofing of AP & Client frames
Wi-Fi Direct Policy
[Figure: a corporate laptop on the Corporate WLAN also linked to unauthorized devices over Wi-Fi Direct]
• Wi-Fi Direct allows simultaneous access to the Corporate WLAN & Unauthorized Devices, creating backdoor access
ISE Wireless
ISE Base: AAA; Guest Provisioning; Device Profiling & Policy Control by WLC; Wireless Only
ISE Advanced: AAA; Guest Provisioning; Device Profiling; Device On-boarding; Device Posturing; Partner MDM Integration; Profiling & Policy Enforcement Across Any Access Medium
Profiling and Policy Enforcement Options
[Figure: Network Components feed Profiling Factors into the POLICY engine]
Policy Enforced: VLAN, Access List, QoS, Session Timeout, AVC
Profiling & Policy Enforcement Workflow (ISE Base)
• Auth. Request from the WLC to ISE Base for a client on VLAN 3 with QoS = Silver
• Auth. Response from ISE with VLAN 7 and QoS = Platinum
• AAA Services by ISE Base; Device Profiling & Policy Enforcement by the WLC (applied over CAPWAP)
Classify Applications & Control Access
What is the Need for Application Visibility and Control?
• Why is the wireless performance of my network so low?
• Should I add more Access Points to improve the user experience?
[Figure: client traffic classified as Voice, Video, Best-Effort and Background, with Rate Limiting applied]
• Identify Applications using NBAR2
• Control Application Behavior
Attack Detection & Mitigation Techniques
Listening for Rogues
Two Different AP Modes for RRM Scanning: Local Mode AP and Monitor Mode AP
Rogue Detection Basics – Local Mode AP
2.4 GHz: the AP serves its own channel (1) for 16s, then goes off-channel for 50ms to channel 2, back to 1 for 16s, then 3, 4, 5, 6, 7, ... Every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)
5 GHz: the AP serves its own channel (36) for 14.5s, then goes off-channel for 50ms to channel 40, back to 36, then 44, 48, 52, 56, 60, 64, 149, ... Every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)
RRM Channel Scanning Basics – Monitor Mode AP Detect Time
802.11b/g/n (2.4GHz) – All Channels: dwell 1.2s on each channel (1, 2, 3, ..., 12, ...) with ~10ms between hops. Each channel is scanned a total of ~10.7s ((180s / 1.2s) / 14ch) within the 180s channel scan duration
5 GHz: dwell 1.2s on each channel (36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, ...). Each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration
Rogue Classification Rules – Who is more harmful?
Classification based on threat severity and mitigation action
Rules tailored to the customer's risk model
Friendly         | Malicious
Off-Network      | On-Network
Secured          | Open
Foreign SSID     | Our SSID
Weak RSSI        | Strong RSSI
Distant location | On-site location
No clients       | Attracts clients
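The Friendly/Malicious factors above turned into an ordered rule set, as an added example (not the WLC's rogue rule engine): each rule lists the conditions a detected rogue must meet, rules are tried in priority order, and a rogue matching nothing stays Unclassified for a human to review. The SSID list, the RSSI threshold and the sample rogues are constructed.

```python
"""Rule-based rogue classification following the deck's Friendly/Malicious factors.

Added example, not the WLC's rule engine. A rule lists conditions a rogue must
meet; the first matching rule, in priority order, assigns the class. The SSIDs,
the RSSI threshold and the sample rogues are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rogue:
    bssid: str
    ssid: str
    on_network: bool        # seen on the wire (rogue detector AP, RLDP or switchport tracing)
    open_auth: bool         # no encryption
    rssi_dbm: int           # RSSI at the strongest detecting AP
    client_count: int       # clients currently associated to the rogue


@dataclass
class Rule:
    name: str
    classification: str     # "Malicious" or "Friendly"
    conditions: List[Callable[[Rogue], bool]]

    def matches(self, rogue: Rogue) -> bool:
        return all(condition(rogue) for condition in self.conditions)


OUR_SSIDS: Set[str] = {"corp-wlan", "corp-guest"}   # constructed corporate SSIDs
STRONG_RSSI_DBM = -70                               # constructed "strong RSSI" threshold

# Priority order: the on-wire and SSID-spoofing cases are the most harmful and are
# checked first; the Friendly rule only fires when every benign factor holds.
RULES: List[Rule] = [
    Rule("On our wired network", "Malicious", [lambda r: r.on_network]),
    Rule("Advertises our SSID", "Malicious", [lambda r: r.ssid in OUR_SSIDS]),
    Rule("Open, strong and attracting clients", "Malicious", [
        lambda r: r.open_auth,
        lambda r: r.rssi_dbm >= STRONG_RSSI_DBM,
        lambda r: r.client_count > 0,
    ]),
    Rule("Secured, off-network, foreign, weak, no clients", "Friendly", [
        lambda r: not r.on_network,
        lambda r: not r.open_auth,
        lambda r: r.ssid not in OUR_SSIDS,
        lambda r: r.rssi_dbm < STRONG_RSSI_DBM,
        lambda r: r.client_count == 0,
    ]),
]


def classify(rogue: Rogue, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (classification, matching rule name); unmatched rogues stay Unclassified."""
    for rule in rules:
        if rule.matches(rogue):
            return rule.classification, rule.name
    return "Unclassified", None


# Constructed sample rogues (locally administered MACs, not real devices)
SAMPLE_ROGUES = [
    Rogue("02:00:00:00:00:01", "corp-wlan", False, False, -60, 2),       # honeypot using our SSID
    Rogue("02:00:00:00:00:02", "printer-ap", True, False, -85, 0),       # plugged into our LAN
    Rogue("02:00:00:00:00:03", "free-wifi", False, True, -55, 4),        # open, strong, busy
    Rogue("02:00:00:00:00:04", "neighbor-secure", False, False, -82, 0), # next door, harmless
    Rogue("02:00:00:00:00:05", "neighbor-secure", False, False, -82, 3), # needs a human look
]

if __name__ == "__main__":
    for rogue in SAMPLE_ROGUES:
        print(rogue.bssid, rogue.ssid, "->", classify(rogue))
```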
Rogue Classification Rules Example
Wired Rogue Detection Methods
• Rogue Detector AP
• Rogue Location Discovery Protocol (RLDP)
[Figure: a Rogue Detector AP on a trunk port sees the rogue's BSSID 0021.4458.6652 on the wire]
> debug capwap rm rogue detector
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6651 found on net msg
Rogue Detector AP Mode
Example Deployment Scenario
• One Rogue Detector AP per building (Bldg 1, Bldg 2, Bldg 3), each connected to a trunk port that carries the wired VLANs
• All radios become disabled in this mode
Switch port configuration for the Rogue Detector AP:
interface GigabitEthernet1/0/5
 description Rogue Detector
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 113
 switchport mode trunk
 spanning-tree portfast
Rogue Location Discovery Protocol (RLDP) Operation
[Figure: Corporate AP, Core switch and Cisco Prime; alarm changed from Minor to Critical; step 1: show CDP neighbors]
Switchport Tracing (SPT): On-Demand or Automatic
• Identifies the CDP neighbors of the APs detecting the rogue
• Queries the switches' CAM table for the rogue's MAC
• Works for rogues with security and NAT
SPT Matches On: Rogue Client MAC Address; Rogue Vendor OUI; Rogue MAC +3/-3; Rogue MAC Address
Switchport Tracing (SPT) Containment Action
• Based on the number of MACs found on the port
• Uncheck a match type to shut the port
Wireless Rogue AP Containment
Local Mode AP: can contain 3 rogues per radio; containment packets are sent every 500ms; impacts associated clients' performance
Monitor Mode AP: can contain 6 rogues per radio; containment packets are sent every 100ms
Automatic Rogue AP Containment
• Ability to use only Monitor Mode APs for containment to prevent impact to clients
[Figure: WLC tracking a WiFi interferer and non-WiFi interferers (microwave, Bluetooth)]
• Tracks multiple rogues in real-time (up to MSE limits)
• Can track and store rogue location historically
• Provides location of Rogue Clients, Rogue Ad-Hoc networks & Non-WiFi Interferers
Zone of Impact with Prime and MSE Context-Aware: Rogue Access Point, Non-WiFi Interferers
Cisco's Attack Detection Mechanisms
[Figure: Cisco Prime and core network; ICMP Tunnel Detection]
Network Design Considerations
Adaptive wIPS Deployment Recommendations: Enhanced Local Mode | Monitor Mode AP | WSSI Module
High Performance
Who wants Gigabit over WiFi?
• Tools
• What you use is less important than how you use it
• Use the same tool to compare results
• If using clients, use the least common denominator
• AP positioning is key
• Proper installation and positioning of equipment is as important as managing the RF environment.
• A sub-optimal wireless PHY can often continue to pass traffic at a reduced data rate. If the traffic load is minimal, it can appear to be working correctly.
• An optimal PHY can always be measured by confirming the expected data rates and throughput
• Internal antennas are designed to be mounted in the ceiling
• Access Points, like light sources, should be in the clear and near the users
Channel Utilization
• Contributors:
• Co-channel interference from nearby APs and clients
• Beacons and Probe Responses
• Transmissions from any other radio on the same frequency: Bluetooth, Microwave, etc.
[Figure: channel utilization before and after mitigation (5% after)]
• Mitigation
• Reduce the # of SSIDs
• Turn off lower data rates
• Limit the interferers / rogues
• AP isolation vs density
Maximizing the Spectrum
PHY Rate Tuning: Why PHY Rates Matter
How fast can we talk?
• Signal (RSSI) and Noise are the key factors
• Client near AP: higher PHY rate (54Mbps, 48Mbps, 36Mbps), more efficient (high signal-to-noise ratio)
• As the client moves further from the AP or as noise worsens, the client rate-shifts downward (24Mbps, 18Mbps)
• Client far from AP: lower PHY rate, less efficient (lower signal-to-noise ratio); lower rate, more airtime consumed
• Position APs and antennas to allow elimination of low rates (i.e., <18Mbps)
• Eliminate 802.11b rates
Maximizing the Spectrum
RSSI vs. SNR
Wireless Client
Performance
Radio Frequency (RF) High Availability
Spectrum Intelligence Solution - Cisco CleanAir
• CleanAir
• Hardware based Solution
• Spectrum intelligence solution designed to proactively manage the challenges of a shared spectrum
• Assess impact to Wi-Fi performance; proactively change channels when needed
• CleanAir Radio ASIC: Only ASIC based solution can reliably detect interference sources
• Best Practice: turn it on if supported by your APs (3500, 1600*/2600/3600, 1700*/2700/3700)
For more info: http://www.cisco.com/en/US/netsol/ns1070
Radio Frequency (RF) High Availability
Client Beamforming – Cisco ClientLink
ClientLink Disabled ClientLink Enabled
Lower Data Rates Higher Data Rates Source: Miercom with Fluke Iperf Survey
• Cisco ClientLink a.k.a. Beamforming: reduced Coverage Holes for all clients
For more info: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps11983/at_a_glance_c45-691984.pdf
Network Infrastructure HA
Connecting an AP to the wired network
Recommendations
• Create redundancy throughout the access layer by homing APs to different switches
• If the AP is in Local mode, configure the port as access with STP PortFast, BPDU guard, etc.
• If the AP is in Flex mode and Local Switching, configure the port as trunk and allow only the VLANs you need
Network Infrastructure HA
Connecting a Controller to the wired network: options
1) To a single Modular Switch or StackWise
• Use EtherChannel (EC)/LAG
• 2/4/8 ports in a bundle to optimize load sharing
• Spread ports across Line Cards/Stack members
2) To a VSS pair
• Same as Option 1
• Spread ports across VSS members
3) To a pair of Distribution switches
• Not supported by single AireOS Controllers
• Use Multiple EtherChannel/LAG pair
• Use STP (recommended) or FlexLink (5760-WLC only)
• L2 trunk connections to Distribution switches
Connecting a Controller to the wired network
Single AireOS Controllers (2504/5508/7500/8500/Wism2): connected to a Distribution Layer Switch/Stack
Connecting a Controller to the wired network
Single IOS Controller (5760/3850/3650): connected to a pair of Distribution Layer switches
• Use Layer 2 trunk links between Distribution switches if VLANs span multiple WLCs (for L2 roaming)
• Apply the Campus Design tweaks to STP (VLAN load balancing, HSRP active collocated with STP root, etc.)
Distribution switch configuration shown on the slide:
interface GigabitEthernet0/9
!
interface Vlan22
 description client_VLAN_nosec
 ip address 192.168.22.11 255.255.255.0
 standby 0 ip 192.168.22.100
 standby 0 timers msec 250 msec 750
Option 3b: Pair of Distribution Layer Switches with FlexLink (5760-WLC)
Wireless Controller HA
Wireless Controller HA: Deployment Modes
Deployment mode    | Autonomous                                      | FlexConnect                                  | Centralized   | Converged Access
Target Positioning | Small Wireless Network                          | Branch                                       | Campus        | Branch and Campus
Scope              | Wireless only                                   | Wireless only                                | Wireless only | Wired and Wireless
Key Considerations | Limited features. Upgradable to controller based | Branch with WAN BW and latency requirements | Full features | Catalyst 3650/3850 in the access layer
Wireless Controller HA
Centralized Mode
Centralized Mode HA Requirements:
• Minimum release: 7.5
• WLC: 5508, WiSM2, 7500, 8510
• L2 connection
• Same HW and software
• HA-SKU available
Benefits:
• Active Client State is synched
• AP state is synched
• Client SSO
• No Application downtime
• 1:1 box redundancy
• Network Uptime
Backup controllers configured for all APs under Wireless > High Availability
Used if there are no primary/secondary/tertiary WLCs configured on the AP
The backup controllers are added to the primary discovery request message
recipient list of the AP.
N+1 Redundancy
AP Primary Discovery Request Timer
• The access point maintains a list of backup controllers and periodically sends
primary discovery requests to each entry on the list.
• Configure a primary discovery request timer to specify the amount of time that a
controller has to respond to the discovery request
N+1 Redundancy
AP Failover mechanism
• Critical priority APs get precedence over all other APs when joining a controller
• In a failover situation, a higher priority AP will be allowed in ahead of all other APs
• If the controller is full, existing lower priority APs will be dropped to accommodate higher priority APs
[Figure: a controller full of Medium and Low priority APs; an AP with AP Priority: Medium is dropped to admit a higher priority AP]
N+1 Redundancy
Best Practices
• Primary Controller: WiSM-2, License Count: 500, APs connected: 400
• Primary Controller: 2504, License Count: 50, APs connected: 25
• Secondary Controller: AIR-CT5508-HA-K9, 500 APs; no licenses needed on the secondary
• Max AP support on the secondary: 500 - 25 = 475, and 475 - 400 = 75 APs of headroom
Wireless Controller HA
Centralized Mode – Stateful Switch Over (SSO)
Stateful Switchover (SSO)
• True box-to-box High Availability, i.e. 1:1
• One WLC in Active state and the second WLC in Hot Standby state
• The Secondary continuously monitors the health of the Active WLC via a dedicated link (Keep-Alive, Redundancy failure/Notify, Role info, AP and Client Sync, Peer Negotiation)
• To remember:
• In Maintenance mode the same rules to connect to the standby box apply
• The WLC should be rebooted to bring it out of Maintenance Mode
• From 7.6 it will recover automatically when the problems are fixed
Stateful Switchover (SSO)
Pairing the boxes
[Figure: AireOS Active WLC paired with an AireOS Standby WLC]
Stateful Switchover (SSO)
Connecting AireOS HA Pair to the wired network
[Figure: AireOS Active WLC and AireOS Standby WLC both connected to the Distribution Layer Switches]
Stateful Switchover (SSO)
What you need to know…
• In Service Software Upgrade (ISSU) is not supported
• The Active and Standby decision is not an automated election process
• ONLY Clients in RUN state are maintained during failover
• Information not synced between Active and Standby
• CCX Based apps - need to be re-started post Switch-over
• Client Statistics, PMIPv6, NBAR, SIP static CAC
• WGB and clients associated to it are not synced
• OEAP(600) clients are not synced 8.0
• Passive clients are not synced
• Sleeping client database not synced
• SSO and MESH APs: only RAP are supported from 7.5, for MAPs the state is not synched
Stateful Switchover (SSO)
Connectivity to the boxes
• Connect to Standby WLC using console or SSH to Service Port and RMI
• TFTP, NTP and Syslog traffic use the RMI interface on the Standby WLC
• There is no SNMP/GUI access on the service port for both the WLCs in the
HA setup
Stateful Switchover (SSO)
Integration with N+1 redundancy deployments
MSE HA
1:1 & 2:1 configuration (2:1 only with physical appliance) | HA for all services supported
Direct or L2 Network connection                           | Failover times < 1 min
Same software version                                     | No HA licenses needed
                                                          | Failover Automatic or Manual
Prime Infrastructure HA
Configuration
MSE HA
Configuration
The HA pair in 8.0 got it right and you can confidently deploy using guidance from the 7.2 HA Guide. Previous MSE versions have issues and you will get into trouble using HA on these versions.
http://www.cisco.com/c/en/us/support/docs/wireless/mobility-services-engine/113462-mse-ha-config-dg-00.html
1) Set HA mode in the startup script
Infrastructure Best Practices
Enable High Availability (AP and Client SSO)
Enable AP Failover Priority
Enable AP Multicast Mode
Enable Multicast VLAN
Enable Pre-image download
Enable AVC
Enable NetFlow
Enable Local Profiling (DHCP and HTTP)
Enable NTP
Modify the AP Re-transmit Parameters
Enable FastSSID change
Enable Per-user BW contracts
Enable Multicast Mobility
Enable Client Load balancing
Disable Aironet IE
RF & RRM Best Practices
Enable BandSelect
Use RF Profiles and AP Groups
Enable RRM (DCA & TPC) to be auto
Enable Auto-RF group leader selection
Enable Cisco CleanAir and EDRRM
Enable Noise &Rogue Monitoring on all channels
Enable DFS channels
Avoid Cisco AP Load
Security & BYOD Best Practices
Enable 802.1x and WPA/WPA2 on WLAN
Enable 802.1x authentication for AP
Change advance EAP timers
Enable SSH and disable telnet
Disable Management Over Wireless
WLAN Express Setup
• Best Practices defaults, RF Parameter Optimization, Network Profiles
• Optimum starting point at Day 0/1 network setup
• RF parameter setting
• Enhanced performance, security, resiliency with best practice recommendations turned on at boot up time
• Restore Defaults to revert configuration to default
Upgrade Audit
• Audit Page on Upgrade, One-click Fix It, Manual Config Option
• Compliance metric and reporting natively on WLC
• Ease of use
• Identify missing best practice configuration on upgrade
• Easy one-click Fix It option to turn on Best Practice Knobs
WLC Config Analyzer (WLCCA)
• Windows Executable, "show run-config" Based Analyzer Tool
• Downloadable client
• Configuration stays local
• Simplified operational use to quickly identify and fix problem areas
• RF Health metrics, IOS Support, Mobility Group support
Cisco Active Advisor (CAA)
• Free, cloud based service
• Agentless – nothing to download
• Cisco Personalized device health score
• Compare your wireless network configuration to Cisco's recommended best practices
• Automated Inventory Management and Network Scanning
WLAN Express Setup
Day 0/1 Ease of Setup
[Figure: 1. WLAN Express Setup (7.6 MR2, 8.0, 8.1) on the WLC, 2. WLC Upgrade Audit Workflow (8.1), WLCCA Config Analyzer, CAA Cisco Active Advisor; App Engage]
Wired Express Setup
• Introduced on 2504 in 7.6 MR2, 8.0
• Extended to 5508, vWLC, 7510, 8510 in 8.1
• Extended to 5520, 8540 in 8.1 and Mobility Express in 8.1 MR2
Wireless Over-The-Air (OTA) Setup
• Available in 8.1 and higher
• Supports Universal AP (UX)
• Supported on 2504 and Mobility Express
WLAN Express Setup
Cisco 5520 and Cisco 8540
Wireless Dashboard
• Audit Upgrades
• Add/delete Widgets
• Tabular/Graphical View
Network Summary – Access Points List
• Inventory
• Uptime
• Usage
Wireless Dashboard – AP Performance
Use Cases:
• RF Interference
• Legacy Devices
• Too many clients impacting performance
• Signal Quality
Network Summary – Client Details
• Single pane of glass for client troubleshooting
• Application Usage
• Client Capabilities
• Neighbouring APs
https://supportforums.cisco.com/document/7711/wlc-config-analyzer
Compliance Level with and without WLAN Express Setup
(Chart: the compliance level improves when WLAN Express Setup is used; the WLCCA and Cisco Active Advisor feature summaries from the previous slide are repeated alongside it.)
CAA Wireless Health Tool (new “Tools” workflow)
• Analysis of Entire Wireless Network
• User selectable WLCs
• Overall Wireless Network Health
• Individual WLC Health
• Recommended Improvements for APs
• Targeting release in June 2015 (Cisco Live San Diego)
RF Analysis
• AP Groups and Flex Groups included
• Detailed RF statistics for groups
• Targeting release in August 2015
CAA Wireless Health – Create Report
Fast Restart
Recommended to use ‘restart’ instead of ‘reset system’ for the following scenarios to reduce service downtime:
• LAG Mode change
• Mobility Mode change
• Web-auth cert installation
• Clear Config
8.1 Feature Best Practices
MS Lync SDN
• There is no dynamic QoS feedback mechanism to modify the QoS policies, so evaluate the network congestion first and then decide on the policy configuration.
• The WLAN QoS policy still overrides the Lync policy, so the administrator needs to decide on the Lync QoS policies in line with the WLAN policy.
Guest Anchor (GA) Priority
• Assign higher priority to Anchor controllers that are closer in terms of physical proximity and that have stable, high-capacity links.
• GA grouping is done per WLAN and not globally, so take care not to create an imbalanced network load distribution.
8.1 FlexConnect Best Practices
1. FlexConnect AVC
• Configure AVC per WLAN at the FlexConnect Group for granularity and monitoring per site
• Do not mix Local mode and FlexConnect mode APs on a locally switched WLAN
• Add APs to a FlexConnect Group (FCG) to have better control; APs not in a FlexConnect Group inherit the AVC configuration from the WLAN
2. VLAN Support/Native VLAN on FlexConnect Group
• Configure FlexConnect Groups and use the override flag to consolidate all the VLAN configuration in a single place
• Avoid per-AP configuration unless absolutely necessary
3. Use VLAN Name Override to map users to VLANs across different branches
4. FlexConnect Client Troubleshooting
• Configure this feature at the FlexConnect Group to track roaming scenarios
• In cases like central authentication, consider logs from the WLC in addition to the debugs for the complete picture
8.1 RF Best Practices
Dynamic Bandwidth Selection (DBS)
• A global restart should be initiated when DBS is enabled: “config 802.11a channel global restart”
Location Readiness
• Accuracy is highest when a device is seen by at least 4 access points.
• (Figure: when a device is heard by four APs, the location must lie at the point where their range estimates intersect.)
• Location data and application data feed the CMX services below.
• CMX license
• The CMX License provides Base Location license capabilities with CMX capabilities, including:
• CMX Analytics, a user-friendly location analytics platform to view and analyze how, where, and when
visitors move through a venue.
• CMX Connect for a seamless, customizable, and location-aware captive portal to onboard guest
users to Wi-Fi.
• CMX for Facebook Wi-Fi, helping guests seamlessly connect to Wi-Fi and use the Internet.
Enterprises or merchants gain social demographic data via Facebook Insights.
• CMX SDK, enabling organizations to integrate Wi-Fi-based indoor navigation with push notification
and auto-launch capabilities into mobile apps.
Resources
• CMX CVD: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/CMX/CMX_MSE.html
• CMX Config Guide 8.0: http://www.cisco.com/c/en/us/td/docs/wireless/mse/8-0/MSE_CMX/8_0_MSE_CAS.html
• MSE Virtual Appliance Deployment Guide: http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml
• MSE Sizing Guide: http://173.37.206.125/aspnet_client/system_web/2_0_50727/CMX_calculator_v2.0/CMX_calculator_v2.0.aspx
What’s New in CMX 10.1/10.2?
Customers better understand:
Location Accuracy
• Hyperlocation (10.2)
• FastLocate Local Mode (10.2)
• BLE Aware (10.1)
• BLE Capable (10.2)
Actionable
• Real time Analytics (10.1)
• Workflow driven UI (10.1)
• Role-based Admin Access (10.1)
Scale
• 3X scaling (10.1)
• 5X latency improvement (10.1)
• 15X storage improvement (10.1)
Before: location accuracy 5-7 meters; refresh rate 1-2 updates per minute; aggregate system latency 10-20 sec.
Introducing the Cisco Hyperlocation Module
• CleanAir included
• Angle of Arrival (AoA) triangulation, +/-1 m accuracy
• Centralized management
• BLE and Wi-Fi visibility
• Enhanced FastLocate, faster refresh rates
Before: room-level accuracy, range inferred from RSSI only, prone to errors. With Hyperlocation: high-accuracy calculation, multi-technology (AoA, RSSI, BLE), improved calculation.
(Figure: a wavefront, i.e. rays with a common distance from the client, arriving at the antenna array; the angle of arrival is read in degrees, with 90 degrees marked.)
HALO Module is a Mainstream AoA Solution
• Halo module wraps around AP
• 32 extra antennas to turbo-
charge Angle of Arrival
• The Halo module will include
Bluetooth capability as well
NMSP Packet processing flow
1. AP1 to WLC: “I hear MAC address 11:22:33:44:55:66 at -72 dBm.”
2. AP2 to WLC: “I hear MAC address 11:22:33:44:55:66 at -65 dBm.”
3. WLC: “I am creating an NMSP packet with data from AP1, AP2, etc. and sending it to the MSE IP address as configured in the ‘auth-list’.” (MSE1, MSE2)
4. MSE: “I have received the NMSP packets and I am calculating a location for client 11:22:33:44:55:66 if the values are higher than the RSSI cutoff.”
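Step 4 above is where the MSE discards hearings below the RSSI cutoff and computes a location from what remains, and the Location Readiness slide says accuracy is highest when at least four APs hear the device. The ‘auth-list’ in step 3 is also the only thing that decides which MSEs receive this client data, so it should carry only the MSEs you operate. The following is an added illustration, not Cisco's MSE algorithm and not code from this deck: it takes constructed AP hearings for one MAC, applies an assumed cutoff, converts RSSI to distance with a log-distance path-loss model (assumed -40 dBm at 1 m, exponent 3) and returns a weighted-centroid estimate with a readiness flag. AP coordinates, RSSI values and the cutoff are all constructed.

```python
# Constructed hearings of one client MAC as a WLC would gather them from several
# APs before building the NMSP report: (AP name, AP (x, y) in metres, RSSI in dBm).
# Coordinates and RSSI values are made up; this is not captured NMSP data.
CLIENT_MAC = "11:22:33:44:55:66"
REPORTS = [
    ("AP1", (0.0, 0.0), -72),
    ("AP2", (20.0, 0.0), -65),
    ("AP3", (20.0, 20.0), -70),
    ("AP4", (0.0, 20.0), -80),
    ("AP5", (40.0, 40.0), -88),   # faint hearing, falls below the cutoff
]
RSSI_CUTOFF_DBM = -85             # assumed cutoff; the real value is an MSE setting
MIN_APS_FOR_ACCURACY = 4          # slide: accuracy is highest with at least 4 APs


def filter_reports(reports, cutoff=RSSI_CUTOFF_DBM):
    """Keep only hearings at or above the RSSI cutoff (step 4 in the flow)."""
    return [r for r in reports if r[2] >= cutoff]


def rssi_to_distance(rssi, p0=-40.0, n=3.0):
    """Log-distance path-loss model; p0 (RSSI at 1 m) and n (indoor exponent) are assumed."""
    return 10 ** ((p0 - rssi) / (10 * n))


def estimate_location(mac, reports, cutoff=RSSI_CUTOFF_DBM):
    """Weighted centroid of the hearing APs, each weighted by 1/estimated distance.

    Returns None when nothing survives the cutoff. location_ready tells the caller
    whether enough APs contributed for the estimate to be trusted.
    """
    usable = filter_reports(reports, cutoff)
    if not usable:
        return None
    weights = [1.0 / rssi_to_distance(rssi) for _, _, rssi in usable]
    total = sum(weights)
    x = sum(w * pos[0] for w, (_, pos, _) in zip(weights, usable)) / total
    y = sum(w * pos[1] for w, (_, pos, _) in zip(weights, usable)) / total
    return {"mac": mac, "x": x, "y": y, "aps_used": len(usable),
            "location_ready": len(usable) >= MIN_APS_FOR_ACCURACY}


if __name__ == "__main__":
    print(estimate_location(CLIENT_MAC, REPORTS))
```

With the constructed hearings, AP5 is dropped by the cutoff, four APs remain and the estimate lands at roughly (13.0, 7.7) m, pulled toward AP2, which hears the client loudest. With only three hearings the same function still returns a point but flags it as not location-ready, which is the condition a consumer of the data should check before acting on it.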
FastPath/Angle of Arrival (AoA) packet processing flow
1. MSE1 to WLC: “I am a CMX 10.2 supporting Hyperlocation; here is the UDP port I am listening on – port 2003.”
2. WLC to AP: “AP, send AoA to this IP and UDP port, using this key.” The AP acknowledges.
3. AP: “MAC address 11:22:33:44:55:66 is associated, so I will start to listen for it.” AP to WLC: “Here are all of the phase data for MAC 11:22:33:44:55:66” (Source Port 9999, Destination Port 2003, Destination IP = MSE address, routed via the WLC).
4. WLC: decrypts the messages from the AP using the key, changes the Source MAC and Source IP to the WLC’s own (sender info changed) and forwards them: Source Port 9999, Destination Port 2003, Destination IP = MSE.
WSM Module Listening for ¼ Sec. on Each Channel
Scan time on channels: 250 ms per channel
• 2.4 GHz channels: 1, 6, 11
• 5 GHz channels: 36, 40, 44, 48, 52, 60, 64, 149, 153, 157, 161, 165
• About 4 seconds per loop
CMX 10.1 – Connect splash page authoring (custom guest portal)
• Use case 1: registration fields
• Use case 3: SMS as authentication method
• Click on an element in the preview to edit it
BLE Monitoring – Visibility and Alerts
• BLE MAC address
• Unique beacon identifier decoded
• Beacon type classified as an active rogue
• Major ID typically identifies a store or branch, while minor ID typically identifies an aisle or department within it
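The fields above (unique identifier, major, minor) are the iBeacon layout, which Apple publishes: a manufacturer-specific AD structure carrying company ID 0x004C, type 0x02, length 0x15, a 16-byte proximity UUID, big-endian major and minor, and a signed TX-power byte. The following is an added example, not CMX code and not from this deck: a Python decoder that walks the AD structures of a constructed BLE advertisement, extracts those fields, refuses a truncated structure instead of reading past the buffer, and classifies the beacon as managed or rogue against a constructed allow-list of deployed UUIDs. The UUID values are made up.

```python
import struct
import uuid

APPLE_COMPANY_ID = 0x004C          # little-endian in the payload
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15
AD_MANUFACTURER_SPECIFIC = 0xFF

# Constructed allow-list of proximity UUIDs this venue deployed (hypothetical values),
# and one constructed UUID that nobody deployed, used to show the rogue case.
KNOWN_UUIDS = {uuid.UUID("f7826da6-4fa2-4e98-8024-bc5b71e0893e")}
UNKNOWN_UUID_EXAMPLE = uuid.UUID("11111111-2222-3333-4444-555555555555")


def parse_ad_structures(adv):
    """Return (ad_type, data) for each length-prefixed AD structure; reject truncation."""
    out, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0:             # zero-length structure: padding, nothing follows
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure at offset %d" % i)
        out.append((adv[i + 1], adv[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def decode_ibeacon(adv):
    """Return uuid/major/minor/tx_power for an iBeacon advertisement, else None."""
    for ad_type, data in parse_ad_structures(adv):
        if ad_type != AD_MANUFACTURER_SPECIFIC or len(data) != 25:
            continue
        (company,) = struct.unpack_from("<H", data, 0)
        if company != APPLE_COMPANY_ID or data[2] != IBEACON_TYPE or data[3] != IBEACON_LEN:
            continue
        major, minor, tx_power = struct.unpack_from(">HHb", data, 20)
        return {"uuid": uuid.UUID(bytes=bytes(data[4:20])),
                "major": major,     # typically the store or branch
                "minor": minor,     # typically the aisle or department
                "tx_power": tx_power}
    return None


def classify(beacon, known=KNOWN_UUIDS):
    """'managed' if the UUID is one we deployed, 'rogue' for any other iBeacon."""
    if beacon is None:
        return "not-ibeacon"
    return "managed" if beacon["uuid"] in known else "rogue"


def ibeacon_adv(proximity_uuid, major, minor, tx_power=-59):
    """Build a constructed advertising payload: Flags AD followed by the iBeacon AD."""
    body = (struct.pack("<H", APPLE_COMPANY_ID) + bytes([IBEACON_TYPE, IBEACON_LEN])
            + proximity_uuid.bytes + struct.pack(">HHb", major, minor, tx_power))
    return bytes([0x02, 0x01, 0x06, len(body) + 1, AD_MANUFACTURER_SPECIFIC]) + body


if __name__ == "__main__":
    for u in (next(iter(KNOWN_UUIDS)), UNKNOWN_UUID_EXAMPLE):
        beacon = decode_ibeacon(ibeacon_adv(u, major=100, minor=7))
        print(classify(beacon), beacon)
```

The rogue decision here is purely a UUID allow-list. An attacker can clone a known UUID, so in practice the alert logic should also compare the advertising MAC and the seen major/minor against the inventory of deployed beacons rather than trusting the UUID alone.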