
BRKEWN-2670

Wireless Best Practices for Next-gen Workspace

Aparajita Sood, Technical Marketing Engineer
apsood@cisco.com
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKEWN-2670

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Enterprise Becomes Social
Customer & Employee Collaboration

Work Styles Have Evolved
Work anytime from anywhere: “Work is a thing you do, not a place you go to”

Video Becomes Pervasive
Across All Devices, Any Time, Any Place

What Do You Consider First?

Agenda

Design – Provision – Optimize – Analyze

• Designing for Performance and Resiliency
• Provisioning with Best Practices
• Optimizing RF and Security
• Analytics and Visibility

Deployment Lifecycle
The Bigger Picture

Design (Planning): Mobility Design Guides, Data Sheets, RF Planner, Site Survey
Provision (Easy Setup): Express Setup, Plug and Play, Best Practices
Optimize (Operate): Optimizing RF, Prioritize Apps, Segment and Secure
Analyze (Analytics): Workspace Analytics, Monitoring and Real-time Diagnostics
Next-Gen Office Design Goals

Designing for RF Coverage and Performance

Media Access: Wi-Fi Networks are not Deterministic!
Stations contend for the medium (CSMA/CA), like students in a class waiting for the teacher to call on them: more devices in the cell means greater contention and an increased risk of collisions.
How Much Does Contention Affect Performance
The Breaking Point Depends on How Many Clients You Have

[Chart: throughput (%) versus number of clients in the cell (1, 5, 10, 25, 50, 75, 100). The contention premium grows with the client count: 5%-10%, then 10%-30%, 30%-50% and 50%-60%.]

As more clients associate and transmit, WLAN contention increases for all clients. Retry attempts increase and each station spends more and more time in the “waiting and listening” state, driving down performance.

(source: IEEE 802.11-15/0351r2)
Design for Density, not Coverage

[Figure: a large cell designed for coverage with 3.2 Mbps at the cell edge versus a small cell designed for density with 72.5 Mbps at the cell edge]
People only use one real-time application at a time

1. Check the bandwidth of each expected application in your network.
2. Multiply by the number of users of that application in the cell. This is the bandwidth you need at the edge of the cell.

Application (by use case) and nominal throughput:
  Web - Casual: 500 Kbps
  Web - Instructional: 1 Mbps
  Audio - Casual: 100 Kbps
  Audio - Instructional: 1 Mbps
  Video - Casual: 1 Mbps
  Video - Instructional: 2-4 Mbps
  Printing: 1 Mbps
  File Sharing - Casual: 1 Mbps
  File Sharing - Instructional: 2-8 Mbps
  Online Testing: 2-4 Mbps
  Device Backups: 10-50 Mbps
An Example – Identifying the BW Needs in a Cell
• Skype for Business / Lync (up and down), typical bandwidth per call type:
  Audio: 51 kbps
  Audio HD: 86 kbps
  Video: 190 kbps
  Video HD: 2.5 Mbps
• A few other examples:
  • Jabber audio (G.711) ~100 kbps, Jabber video (HQ) ~750 kbps
  • FaceTime (video, iPhone 4S): 400 kbps, (audio) 32 kbps
  • Viber, Skype (video) 130 kbps, (audio) 30 kbps
  • Netflix (video), from 600 kbps (low quality) to 10 Mbps (3D HD), average 2.2 Mbps
Real Life Example
• Density studies show 12 active users per cell on average (at -67 dBm)
• Expected 2 HD video calls (Skype type)
• 5 audio calls
• Other users may browse

• Let’s do the math:
  • 2 HD video calls = 2.5 Mbps x 2 x 2 ways = 10 Mbps
  • 5 audio calls... mmm, what application? Maybe SfB: 51 kbps x 5 x 2 ways = 510 kbps
  • Others are browsing (5 people) at 250 kbps / user = 1.25 Mbps
  • Total ≈ 11.8 Mbps, so I need ~12 Mbps throughput everywhere in the cell, including at the cell edge
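The two-step rule and the worked example above, carried out in code. This is an added example, not code from the Cisco Live deck: the per-stream rates are the deck's Skype for Business figures plus the 250 kbps browsing figure the worked example uses, the application mix is a constructed input that reproduces that example, and the check that the mix does not assign more users than are active in the cell is this example's own (it follows from "people only use one real-time application at a time").

```python
"""Cell-edge bandwidth budget from the application mix in a cell.

Added example; it is not code from the Cisco Live deck. It applies the
slide's two-step rule (look up each application's nominal rate, multiply
by the number of users of that application in the cell) and, as the
worked example does, counts both directions for bidirectional calls.
"""
from dataclasses import dataclass

# Nominal per-stream rates in kbps (figures taken from the slides).
APP_RATES_KBPS = {
    "sfb_audio": 51,
    "sfb_audio_hd": 86,
    "sfb_video": 190,
    "sfb_video_hd": 2500,
    "browsing": 250,           # per-user browsing figure used on the slide
    "web_instructional": 1000,
}
# Calls carry traffic both ways over the air, so they count twice.
BIDIRECTIONAL = {"sfb_audio", "sfb_audio_hd", "sfb_video", "sfb_video_hd"}


@dataclass(frozen=True)
class AppUse:
    app: str      # key into APP_RATES_KBPS
    users: int    # users running this application in the cell


def cell_edge_budget_kbps(mix, active_users, rates=APP_RATES_KBPS):
    """Return (per-application kbps, total kbps) the cell edge must sustain.

    `active_users` is the measured active client count per cell (12 on the
    slide). A person runs one real-time application at a time, so the mix
    must not assign more users than are active in the cell.
    """
    assigned = sum(use.users for use in mix)
    if assigned > active_users:
        raise ValueError(f"mix assigns {assigned} users but only {active_users} are active")
    breakdown = {}
    for use in mix:
        if use.app not in rates:
            raise KeyError(f"no nominal rate for {use.app!r}")
        directions = 2 if use.app in BIDIRECTIONAL else 1
        breakdown[use.app] = rates[use.app] * use.users * directions
    return breakdown, sum(breakdown.values())


def slide_example():
    """The deck's worked example: 12 active users, 2 HD video calls,
    5 audio calls, 5 people browsing (constructed mix)."""
    mix = [AppUse("sfb_video_hd", 2), AppUse("sfb_audio", 5), AppUse("browsing", 5)]
    return cell_edge_budget_kbps(mix, active_users=12)


if __name__ == "__main__":
    breakdown, total = slide_example()
    for app, kbps in breakdown.items():
        print(f"{app:>14}: {kbps / 1000:6.2f} Mbps")
    print(f"{'total':>14}: {total / 1000:6.2f} Mbps -> design for ~{round(total / 1000)} Mbps at the cell edge")
```

Swap in your own survey numbers for `active_users` and the mix; the result is the throughput the lowest-rate client at the cell edge must still be able to get, which is what drives the data-rate and cell-size choices that follow.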
Cell Shape and Cell Size
• Your cell shape depends on the antenna you use: directional or omnidirectional
• The cell size depends on 3 parameters:
  1. The AP power level
  2. The protocol you use (802.11a/b/g/n/ac)
  3. The data rates you allow
Higher Power Does not Always Mean Better Signal

[Figure: RSSI and noise level (dBm) over time; cartoon of an AP talking louder (“Is it better now?”) while the client is still “a bit quiet”: raising AP power alone does not improve the client’s uplink]

Aim for:
• Noise level ≤ -92 dBm
• RSSI ≥ -67 dBm
  -> 25 dB or better SNR
• Channel utilization under 50%

• What’s the right power? In short: half your worst client’s max power (half the power is 3 dB lower)
  • E.g. you design for 5 GHz and the worst client’s max is 11 dBm: set your AP power to 8 dBm
Next-Gen Office Design Goals

Design your Roaming Path

Where do You Need Coverage?
• Talk to end-users. Think what they will need and when; look for roaming paths
Follow AP Placement Guidelines
• Mount APs so that antennas are vertical (we use vertical polarization)
• Avoid metallic objects that can affect the signal to your clients

Really..? When RF cluelessness becomes art…
[Photos of badly mounted APs]
Rates and Cell Overlap
• Cell overlap is designed so that when a VoWLAN device gets to the –67 dBm area, it is already in good range of another access point
• 20-percent overlap between cells is recommended
• How much is that? Use the -75 dBm rule if you are not sure
The –75 dBm Rule
• First trick to know:
  • Twice the distance = -6 dB
  • Half the distance = +6 dB
  At distance d: X dBm (e.g. -50 dBm); at distance 2xd: (X-6) dBm (e.g. -56 dBm); at distance d/2: (X+6) dBm (e.g. -44 dBm).
  (6 dB per doubling is the free-space figure, 20·log10(2); walls and furniture add to it, which is why a wall allowance is added below.)

• So if you stand at the “-67 dBm border”...
  • Move away from AP 1 until you get -67 dBm
  • Then pull AP 2 in the other direction until you also hear it at -67 dBm: this is the half-way point between the two APs
• Go back to AP 1 (twice the distance from AP 2)
  • AP 2 should now be heard at “-67 - 6” = -73 dBm. Add 2-3 dB loss if there is a plaster wall -> -75 dBm
• Measure the distance from AP 1 to the point where AP 2 is heard at -73 to -75 dBm
  • This is your average AP-to-AP distance
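The arithmetic behind the power and SNR targets two slides up and the –75 dBm rule above, as an added example that is not part of the original deck. The distance rule is implemented as the general log-distance path-loss model of which "twice the distance = -6 dB" is the free-space case (exponent 2); the exponent, the 9 m cell-edge distance and the measurements fed to `link_check` are constructed values for illustration.

```python
"""RF planning arithmetic behind the power, SNR and -75 dBm rules of thumb.

Added example, not part of the original slides. It implements:
  * "twice the distance = -6 dB": path loss grows by 10 * n * log10(d2/d1)
    with n = 2 in free space (6.02 dB per doubling); indoor fits use an n of
    roughly 2.5 to 3.5, which is why the wall allowance matters,
  * the -75 dBm rule: a neighbour AP heard at the -67 dBm border is 6 dB
    weaker at twice the distance, minus 2-3 dB for a plaster wall,
  * "set AP power to half the worst client's max power" (half the power is
    3 dB lower: 11 dBm -> 8 dBm),
  * the link targets: RSSI >= -67 dBm, noise <= -92 dBm, SNR >= 25 dB,
    channel utilization under 50 %.
"""
import math


def rssi_at_distance(rssi_ref_dbm, d_ref, d, path_loss_exponent=2.0):
    """RSSI expected at distance d from a reference reading at d_ref."""
    if d <= 0 or d_ref <= 0:
        raise ValueError("distances must be positive")
    return rssi_ref_dbm - 10 * path_loss_exponent * math.log10(d / d_ref)


def neighbor_rssi_at_ap(cell_edge_dbm=-67, wall_loss_db=2):
    """Signal of AP 2 at AP 1's position when both -67 dBm borders meet
    half-way: one doubling of distance (-6 dB) plus the wall loss."""
    return cell_edge_dbm - 6 - wall_loss_db


def ap_spacing(distance_to_edge):
    """AP-to-AP spacing once the -67 dBm borders meet half-way."""
    return 2 * distance_to_edge


def ap_tx_power_dbm(worst_client_max_dbm):
    """Half the worst client's maximum power, i.e. 3 dB less."""
    return worst_client_max_dbm - 3


def link_check(rssi_dbm, noise_dbm, channel_util_pct,
               min_rssi=-67, max_noise=-92, min_snr=25, max_util=50):
    """Compare one measurement with the deck's targets; returns (ok, reasons)."""
    reasons = []
    if rssi_dbm < min_rssi:
        reasons.append(f"RSSI {rssi_dbm} dBm is below {min_rssi} dBm")
    if noise_dbm > max_noise:
        reasons.append(f"noise {noise_dbm} dBm is above {max_noise} dBm")
    snr = rssi_dbm - noise_dbm
    if snr < min_snr:
        reasons.append(f"SNR {snr} dB is below {min_snr} dB")
    if channel_util_pct >= max_util:
        reasons.append(f"channel utilization {channel_util_pct}% is not under {max_util}%")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed walk-through: -50 dBm at 1 m gives about -56 dBm at 2 m
    # and -44 dBm at 0.5 m in free space.
    for d in (0.5, 1, 2):
        print(f"{d:>4} m: {rssi_at_distance(-50, 1, d):.1f} dBm")
    # -67 dBm border reached 9 m from the AP (assumed): place APs ~18 m apart;
    # from AP 1 the neighbour should then read -73 to -75 dBm.
    print("AP spacing:", ap_spacing(9), "m; neighbour at",
          neighbor_rssi_at_ap(wall_loss_db=2), "dBm")
    print("5 GHz, worst client 11 dBm -> AP power", ap_tx_power_dbm(11), "dBm")
    print(link_check(rssi_dbm=-70, noise_dbm=-92, channel_util_pct=35))
```

Use a larger `path_loss_exponent` (fitted from a few survey readings) rather than 2.0 when predicting indoor cell edges; the –75 dBm rule itself is a field measurement and does not depend on the model.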
Strategically Position Your Transition APs

[Figure: hallway with APs 1, 2 and 3; a phone moves from A to B to C past an elevator bank]

• At “A” the phone is connected to AP 1
• At “B” the phone has AP 2 in the neighbor list; AP 3 has not yet been scanned due to the RF shadow caused by the elevator bank
• At “C” the phone needs to roam, but AP 2 is the only AP in the neighbor list
• The phone then needs to rescan and connect to AP 3
  – A 200-bit frame @ 54 Mbps is sent in 3.7 μs
  – A 200-bit frame @ 24 Mbps is sent in 8.3 μs
  – Rate shifting from 54 Mbps to 24 Mbps can waste 1100 μs

Second layout, with the transition AP positioned so it can be scanned in time:
• At point A the phone is connected to AP 1
• At point B the phone has AP 2 in the neighbor list, as it was able to scan it while moving down the hall
• At point C the phone needs to roam and successfully selects AP 2
• The phone has sufficient time to scan for AP 3 ahead of time
Avoid Ping Pong Zones
Ping-pong zone recipe:
• Set the cell overlap along a path where users pace back and forth
• Let the user’s head force the roam (the body attenuates the signal as the user turns)

[Figure: the client stays in the “pacing back and forth” zone between two APs and keeps roaming between them]
Next-Gen Office Design Goals

Always on, Always Ready

Network Resiliency
Highly Available Design
Create redundancy throughout the access layer by homing APs into different switches.

[Figure: access, distribution and core layers, with adjacent APs connected to different access switches]
High Availability SSO
A direct physical connection between the Active and Standby Redundant Ports, or Layer 2 connectivity, is required to provide stateful redundancy within or across datacenters.

[Figure: Catalyst VSS pair; trunk port-channels Po1 and Po2 with the same configuration on both; WLC3504 Active and WLC3504 Standby; RP port for HA SSO (L2)]

Sub-second failover and zero SSID outage.
Next-Gen Wireless Office Goal:

Easy Setup with Best Practices

WLAN Express Setup w/ Best Practice Defaults
• AVC Visibility
• Management over Wireless disabled
• mDNS Snooping
• Load Balancing
• Rogue Threshold Enabled
• New mDNS Profile for printer, http
• Client Exclusion Enabled
• Local Profiling
• FastSSID Enabled
• Band Select
• Infra MFP
• DHCP Proxy
• Multicast Forwarding Mode
• Secure Web access
• SNMPv3 (delete the default user)
• Virtual IP 192.0.2.1
• Mobility Name
• RRM-DCA Auto
• RF Group same as Mobility Name
• RRM-TPC Auto
• DHCP Required on Guest WLAN
• CleanAir Enabled
• EDRRM Enabled
• Channel Width 40 MHz
• 5 GHz Channel Bonding
• Aironet IE Disabled

Save Time & Money
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security, resiliency with best practice recommendations turned on at boot-up time
Best Practices Audit

Add Ignored Best Practices
A popup displays the ignored best practices, which can be re-added.

Adding a Best Practice
Clicking on an ignored best practice will re-add it.
Cisco and Apple Best Practices (release 8.5)

http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Optimizing_WiFi_Connectivity_and_Prioritizing_Business_Apps.pdf
http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Enterprise_Best_Practices_for_Apple_Devices_on_Cisco_Wireless_LAN.pdf
Access Point Provisioning with PnP

Day 0 flow:
• The network admin pre-provisions APs in the PnP server (Cisco Public Cloud): WLC IP (primary/secondary/tertiary), AP name, AP mode (Flex), AP group name, Flex group name
• The installer mounts and cables the devices and powers them on
• The PnP server places each AP in the appropriate group and applies the relevant configs to the AP

Example PnP entry:
  PID: AIR-CAP3702I-A-K9
  Serial #: RFD0PP2T025
  Hostname: AP-Store1-1
  WLC IP address: 192.168.15.1
  AP Mode: FlexConnect
  Flex Group name: FlexGrp1

* Resources required for PnP: 64 GB RAM, 500 GB storage; scale: 10,000 devices
Next-Gen Wireless Office Goal:

Self-Optimizing RF Network

RF Optimized Connectivity:
• XOR Radio and FRA: enabled by dual 5 GHz; adjusts radio bands (5 GHz serving, 2.4 GHz serving, 5/2.4 GHz monitor) to better serve the environment
• ClientLink 4.0
• Optimized Roaming
• RX-SOP
• Off-Channel Scanning
• RRM: DCA, TPC, CHDM; Event Driven RRM
• Cisco CleanAir®
• HDX Turbo Performance
• Flex DFS
• Load Balancing
• RF Profiles
• DBS
• Band Select
XOR Radio and FRA
• FRA-auto (default value) or Manual
• Auto: 2.4 GHz -> 5 GHz or Monitor Mode
• Transition back to 2.4 GHz if coverage drops

[Figure: XOR radio states: 2.4 GHz serving + 5 GHz serving; 5 GHz serving + 5 GHz serving; 5 GHz serving + 2.4/5 GHz monitoring]
Optimize Wi-Fi with CleanAir
Quickly Identify and Mitigate Wi-Fi Impacting Interference
• Interference on 20/40/80/160 MHz
• Air Quality and Interference by AP/radio on WLC
• AQ Threshold trap and Interference Device trap (per radio)
• CleanAir-enabled RRM

[Figure: air quality per AP on channel 48; Network Air Quality and Interference Location with PI 3.1.x and MSE 8.0]
Better Support for Users on the Move
Optimized Roaming

Optimized Roaming: connect wireless devices to the most effective AP instead of letting them stick to the AP they joined (client stickiness).

Better Client Connectivity
RX-SOP, Load Balancing, Band Select
Fine-tuning HDX with RF Profiles
• Pre-canned RF Profiles
• Client Distribution
• Data Rates
• RX-SOP
• DCA, TPC, CHDM
• Profile Threshold for Traps
• High Density Features
  • CleanAir
  • ClientLink 4.0
  • Turbo Performance

[Figure: HDX feature wheel: Optimized Roaming, Dynamic Bandwidth Selection, RX-SOP, TPC, DCA, CHDM, FlexDFS, Event Driven RRM]
RF & RRM: Disable lower .11b Data Rates, Limit SSIDs
Wireless > 802.11b/g/n > Network

Each SSID needs its own probe responses and beacons; the more SSIDs, the less RF space is available for real data traffic.

Management frames are sent at the lowest mandatory rate, so a low mandatory rate slows down the entire cell.
RF design recommendations
• Channel Utilization < 40%
• Client SNR >= 25 dB
• 802.11 retransmissions < 15%
• Packet Loss < 1%
• Jitter < 100 ms

Image courtesy: https://support.apple.com/en-us/HT203068

An Apple client device should observe a minimum of 2 APs with an RSSI measurement of -67 dBm or better.
Standard Density Data Rates
Wireless > 802.11a/n/ac > Network

• Cisco highly recommends leaving all MCS rates enabled
• Minimum data rate of 12 Mbps, with 12 Mbps and 24 Mbps as the mandatory rates; 6 Mbps as the lowest mandatory rate only if coverage is marginal
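Why the SSID count and the lowest mandatory rate both matter, made concrete: beacons go out once per beacon interval per SSID at the lowest mandatory rate, so the airtime they burn can be computed. This is an added example, not code from the deck; the PHY timing constants are the standard 802.11 values (DSSS long preamble plus PLCP header of 192 µs, OFDM preamble plus SIGNAL of 20 µs with 4 µs symbols and 16 SERVICE + 6 tail bits), while the 300-byte beacon length and the default 102.4 ms beacon interval are assumptions for the illustration. Probe responses to every scanning client add to this on top.

```python
"""Airtime burned by beacons as a function of SSID count and lowest
mandatory rate.

Added example, not from the deck. Beacons (and probe responses) are sent
at the lowest mandatory rate, once per beacon interval per SSID, so the
overhead scales with the SSID count and inversely with that rate.
"""
import math

DSSS_RATES_MBPS = {1, 2, 5.5, 11}
OFDM_RATES_MBPS = {6, 9, 12, 18, 24, 36, 48, 54}


def frame_airtime_us(length_bytes, rate_mbps):
    """Airtime (microseconds) of one frame including the PHY preamble."""
    if rate_mbps in DSSS_RATES_MBPS:
        # 802.11b long preamble + PLCP header (192 us), then the PSDU at rate_mbps
        return 192 + length_bytes * 8 / rate_mbps
    if rate_mbps in OFDM_RATES_MBPS:
        bits = 16 + 8 * length_bytes + 6           # SERVICE + PSDU + tail bits
        bits_per_symbol = rate_mbps * 4            # one OFDM symbol lasts 4 us
        return 20 + 4 * math.ceil(bits / bits_per_symbol)
    raise ValueError(f"unsupported rate {rate_mbps} Mbps")


def beacon_overhead_pct(num_ssids, lowest_mandatory_mbps,
                        beacon_len_bytes=300, beacon_interval_ms=102.4):
    """Percentage of one radio's airtime spent on beacons alone.
    Beacon length and interval are assumed values (see lead-in)."""
    beacons_per_sec = num_ssids * 1000 / beacon_interval_ms
    airtime_s = beacons_per_sec * frame_airtime_us(beacon_len_bytes, lowest_mandatory_mbps) / 1e6
    return airtime_s * 100


def overhead_table(ssid_counts=(1, 4, 8), rates=(1, 6, 12)):
    """Overhead (%) for each (SSID count, lowest mandatory rate) pair."""
    return {(n, r): beacon_overhead_pct(n, r) for n in ssid_counts for r in rates}


if __name__ == "__main__":
    for (n, r), pct in overhead_table().items():
        print(f"{n} SSID(s) at {r:>2} Mbps lowest mandatory: {pct:5.2f}% of airtime in beacons")
```

With four SSIDs, beacons alone cost roughly 10% of the 2.4 GHz airtime when 1 Mbps is left mandatory and under 1% once 12 Mbps is the lowest mandatory rate, before a single client has sent a probe request or a data frame.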
Endeavour @NVIDIA, Santa Clara
• 4K Video @ 100 Mbps, all day every day
• 560 AP3800s across 500,000 sq feet
• 2 WLC8540s in HA
• All APs connect to Catalyst 4500 series switches with mGig and UPOE
• Live speed test in one of the conference rooms during our visit: DL 407 Mbps, UL 395 Mbps
Next-Gen Wireless Office Goal:

Seamless connectivity
Cisco and Apple Optimized Roaming

Non-Cisco AP: a legacy client cannot join the same SSID where 11r is enabled.

Cisco AP: “I recognize that you are an Apple iOS device: 11r is enabled for you.” A legacy client that does not support 11r/k/v can still join the same SSID. 802.11k and 802.11v are on by default.

Adaptive 11r/k/v
Features enabled by default on a newly created SSID
Roaming Performance:
10x Better end-user Browsing and App Experience

[Chart: roam time (s)* for “No QoS, No 802.11r/k/v” versus “QoS, 802.11r/k/v”]

*Time interval between the last packet on the previous AP and the first packet on the next AP
Next-Gen Wireless Office Goal:

Prioritize business-critical Apps

Fast Lane enables the network administrator to prioritize applications per your environment:
• Admin can provision Apple iOS devices with a QoS profile*
• Applications in the whitelist get QoS marking**
• Other applications get BE/BK

[Figure: two Fast Lane cells, each with a Cisco AP and iOS devices that support Fast Lane. Profile for one environment: Webex = Realtime-interactive, Viber = BE. Profile for the other environment: Webex = BE, Viber = Voice. WLC settings: QoS Profile Voice, QoS Trust, AutoQoS, Better EDCA]

*Without a profile, all applications are whitelisted by default in a Fast Lane cell
**Fast Lane does NOT override the app’s QoS; it either allows the app’s QoS or applies BE
Fast Lane
• Enabling Fast Lane:
  • Sets the WLAN QoS profile to Platinum
  • Sets WMM to Required
  • The Platinum profile sets Max Priority to voice (UP 6), non-WMM and multicast to BE, 802.1p disabled, bandwidth contracts disabled
  • The EDCA profile is set to Fast Lane
Fast Lane delivers a reliable voice experience even in a congested environment
• In a congested environment, one voice packet is sent every 20 ms
• We measure the actual interval between voice packets in the upstream direction

[Chart: packet interval (seconds) over capture time (seconds), without and with Fast Lane]
• No Fast Lane: packet average interval is 40 ms (not so good); many glitches, of up to 0.6 second (poor audio experience)
• Fast Lane: packet average interval is 20 ms (good); very few glitches, of up to 0.1 second (fair audio experience)
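The measurement the slide describes (interval between upstream voice packets) as an added example, not code from the deck. It takes per-packet capture times and RTP-style sequence numbers, reports the mean interval, the largest gap and the number of glitches, packet loss from sequence gaps, and the RFC 3550 interarrival-jitter estimate (J += (|D| - J)/16), then checks the loss and jitter targets from the RF design recommendations earlier in the deck. The two captures at the bottom are constructed: a clean 20 ms cadence, and the same flow with one 600 ms stall and two dropped packets, mirroring the “no Fast Lane” glitches on the chart.

```python
"""Measure a voice flow's inter-packet interval, glitches, loss and jitter
and compare them with the deck's targets (packet loss < 1 %, jitter < 100 ms).

Added example, not part of the original deck. Input: arrival times (s) and
RTP-style sequence numbers of one upstream voice flow; the sample captures
at the bottom are constructed.
"""
from dataclasses import dataclass


@dataclass
class VoiceFlowStats:
    mean_interval_ms: float
    max_gap_ms: float
    glitches: int          # intervals longer than the glitch threshold
    loss_pct: float
    jitter_ms: float       # RFC 3550 interarrival jitter estimate


def voice_flow_stats(arrivals_s, seqs, packet_period_ms=20.0, glitch_ms=100.0):
    """Compute flow statistics from arrival times (s) and sequence numbers."""
    if len(arrivals_s) != len(seqs) or len(arrivals_s) < 2:
        raise ValueError("need at least two timestamped packets")
    intervals = [(b - a) * 1000 for a, b in zip(arrivals_s, arrivals_s[1:])]
    # Every sequence number the sender used but we never saw is a lost packet.
    expected = seqs[-1] - seqs[0] + 1
    lost = expected - len(seqs)
    # RFC 3550: D = (Rj - Ri) - (Sj - Si), with sender spacing = codec period;
    # J is smoothed with gain 1/16.
    jitter = 0.0
    for interval, (si, sj) in zip(intervals, zip(seqs, seqs[1:])):
        d = abs(interval - (sj - si) * packet_period_ms)
        jitter += (d - jitter) / 16
    return VoiceFlowStats(
        mean_interval_ms=sum(intervals) / len(intervals),
        max_gap_ms=max(intervals),
        glitches=sum(1 for i in intervals if i > glitch_ms),
        loss_pct=100.0 * lost / expected,
        jitter_ms=jitter,
    )


def meets_targets(stats, max_loss_pct=1.0, max_jitter_ms=100.0):
    """The deck's loss and jitter targets, plus no glitch at all."""
    return (stats.loss_pct < max_loss_pct and stats.jitter_ms < max_jitter_ms
            and stats.glitches == 0)


def constructed_capture(stall_at=None, stall_s=0.6, drop=()):
    """Constructed sample: 50 packets on a 20 ms cadence; optionally stall the
    client before packet `stall_at` (queued while it loses contention) and
    drop the sequence numbers in `drop` to simulate loss."""
    times, seqs, t = [], [], 0.0
    for n in range(50):
        if n == stall_at:
            t += stall_s
        if n not in drop:
            times.append(round(t, 6))
            seqs.append(n)
        t += 0.02
    return times, seqs


if __name__ == "__main__":
    for label, cap in (("Fast Lane", constructed_capture()),
                       ("no Fast Lane", constructed_capture(stall_at=25, drop=(30, 31)))):
        s = voice_flow_stats(*cap)
        print(f"{label:>13}: mean {s.mean_interval_ms:.1f} ms, max gap {s.max_gap_ms:.0f} ms, "
              f"glitches {s.glitches}, loss {s.loss_pct:.1f}%, jitter {s.jitter_ms:.1f} ms "
              f"-> {'OK' if meets_targets(s) else 'NOT OK'}")
```

A single 600 ms stall barely moves the smoothed jitter figure, which is why the glitch count and the largest gap are reported alongside it: a flow can pass the jitter target and still sound bad.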
Cisco Apple Analytics
Release 8.5

Cisco Apple Wireless Features Journey

Phase 1 – AireOS 8.3, 8.3 MR1; iOS 10.0+
• QoS Optimizations – Fastlane: business-relevant applications are automatically prioritized; upstream QoS for iOS 10 clients
• Roaming Optimizations – Adaptive 802.11r: Fast Transition is enabled on iOS and Mac OS; Auto 802.11k/v: 11k/v are enabled by default and optimized to provide the ‘best next AP’

Phase 2 – AireOS 8.3; Mac OS 10.13
• MacOS Optimizations – Fastlane on Mac OS 10.13 and later: the prioritization available on iOS is also available on Mac OS

AireOS 8.5+; iOS 11.0+
• Analytics – 11k neighbor map: the iOS 11 client sends a list of neighbor APs upon joining the cell
• Disconnection reason: the iOS 11 client tells us why it disconnects
• Identity: the iOS client tells us who it is (model, iOS version)
Cisco Apple Phase 2: iOS Analytics
1. Beacon reporting to the Access Point by the iOS client
2. Enhanced disassociation reason to the Access Point by the iOS client
3. iOS version information to the Access Point by the iOS client

Video demo: https://youtu.be/1XCqV0Pux_s
How does the client see the Network

How does the client see the network?
The infrastructure does not know why this AP was chosen, because the infrastructure does not know how the client saw the network.

Why is this a problem?
Because without that view, the infrastructure cannot help this (or other) client find the “best AP”.

How do Cisco and Apple solve this?
Right after the successful key exchange during association, the iOS 11 device sends its AP an 802.11k beacon report (unsolicited mode).

“This is how I see the network”:
  BSSID               Channel   Signal
  bb:bb:cc:dd:ee:ff   52        -72 dBm
  cc:bb:cc:dd:ee:ff   149       -86 dBm
  dd:bb:cc:dd:ee:ff   153       -68 dBm
Where can I see this Scan report on WLC?
Client detail page in the controller UI, as Client Scan Report.

How can we use this neighbor map?
• To draw a super-accurate RF map of the floor, and help other clients roam
• When a new client enters the cell and asks for a neighbor map, we can tailor the map to this client’s location!
• When another client needs to roam, we can suggest the best AP as seen from where the client sits!
How does the Network see the device

How does the network see the device?
Usually as an iPad or iPhone, with DHCP and HTTP device profiling.

When is this not enough?
When we need to analyze device-model and OS-specific behaviors in the network.

How do Cisco and Apple solve this?
After association, the iOS 11 client also tells us about itself (“This is who I am: I am iOS 11.0, iPhone 7”). We can then correlate platform and OS to behavior at different points in time and space.

Where can I see this on WLC?
Client summary and client detail page.
Why did the Client go away?

Do we know why the client disassociated?
When a client roams or disconnects, it sends a disassociation message. The AP does not always know why… bad signal? Something else?

Why is this a problem?
Without knowing why a client is gone, we cannot help other clients in the same location (is this location okay? Is there a better AP there? Is there an incompatibility in the config at this location?).

How do Cisco and Apple solve this?
The Apple device sends a proprietary reason code (“Why I disassociated last”).

Reasons for disassociation:
  DHCP Failed
  EAP Timed out
  802.1x Failed
  Device Idle
  Captive Portal security Failed
  Decryption Failed
  WiFi Interface Disabled
  User-Triggered Disassoc
  Peer-Triggered Disassoc
  Beacon Loss
Where can I see this Reason code on WLC?
Client detail page in the controller UI.

How can we use this Reason Code?
• Help other clients in the same location if there is an RF issue
• Collect data to understand patterns (where clients go, etc.)
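What an operator can do with the two pieces of client-side telemetry described above (the 802.11k beacon report and the disassociation reason) once they are collected from the WLC: rank neighbour APs as seen from the spot clients are in, and find APs that shed clients for RF reasons rather than configuration or user action. This is an added example, not code from the deck or the controller. The records are plain dataclasses standing in for the controller's client-detail data; the grouping of the slide's reason strings into RF / config / client buckets is this example's own; all MACs, channels, signal levels and events are constructed sample data (the neighbour table is the slide's, seen from a made-up serving AP).

```python
"""Act on 802.11k beacon reports and Apple disassociation reasons.

Added example, not from the deck or the WLC. Records are plain dataclasses;
REASON_BUCKET is this example's grouping of the slide's reason strings;
all sample data below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BeaconReport:
    client_mac: str
    serving_bssid: str   # AP the client was on when it scanned
    bssid: str           # neighbour it heard
    channel: int
    rssi_dbm: int


@dataclass(frozen=True)
class Disassoc:
    client_mac: str
    bssid: str
    reason: str          # one of the slide's reason strings


REASON_BUCKET = {
    "Beacon Loss": "rf", "Peer-Triggered Disassoc": "rf",
    "DHCP Failed": "config", "EAP Timed out": "config", "802.1x Failed": "config",
    "Captive Portal security Failed": "config", "Decryption Failed": "config",
    "Device Idle": "client", "WiFi Interface Disabled": "client",
    "User-Triggered Disassoc": "client",
}


def neighbor_view(reports, serving_bssid):
    """{neighbour BSSID: (channel, mean RSSI)} as reported by clients on
    `serving_bssid`: the slide's 'how I see the network' table, aggregated."""
    sums, counts, chans = defaultdict(int), Counter(), {}
    for r in reports:
        if r.serving_bssid == serving_bssid and r.bssid != serving_bssid:
            sums[r.bssid] += r.rssi_dbm
            counts[r.bssid] += 1
            chans[r.bssid] = r.channel
    return {b: (chans[b], sums[b] / counts[b]) for b in sums}


def best_next_ap(reports, serving_bssid, min_rssi=-67):
    """Strongest neighbour seen from this cell and whether it clears the
    -67 dBm design threshold; None if nobody on this AP reported anything."""
    view = neighbor_view(reports, serving_bssid)
    if not view:
        return None
    bssid, (channel, rssi) = max(view.items(), key=lambda kv: kv[1][1])
    return bssid, channel, rssi, rssi >= min_rssi


def disassoc_summary(events):
    """Per-AP count of disassociation reasons by bucket."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e.bssid][REASON_BUCKET.get(e.reason, "unknown")] += 1
    return summary


def aps_with_rf_problems(events, min_events=3, rf_share=0.5):
    """APs where at least `rf_share` of a meaningful number of disassociations
    were RF-related: candidates for a coverage or transition-AP review."""
    flagged = []
    for bssid, buckets in disassoc_summary(events).items():
        total = sum(buckets.values())
        if total >= min_events and buckets["rf"] / total >= rf_share:
            flagged.append(bssid)
    return sorted(flagged)


# Constructed sample data: clients on AP aa:.. report the slide's neighbours;
# AP aa:.. also sheds clients mostly on beacon loss.
SERVING = "aa:bb:cc:dd:ee:ff"
SAMPLE_REPORTS = [
    BeaconReport("c1", SERVING, "bb:bb:cc:dd:ee:ff", 52, -72),
    BeaconReport("c1", SERVING, "cc:bb:cc:dd:ee:ff", 149, -86),
    BeaconReport("c1", SERVING, "dd:bb:cc:dd:ee:ff", 153, -68),
    BeaconReport("c2", SERVING, "dd:bb:cc:dd:ee:ff", 153, -64),
    BeaconReport("c2", SERVING, "bb:bb:cc:dd:ee:ff", 52, -74),
    BeaconReport("c3", "bb:bb:cc:dd:ee:ff", SERVING, 36, -70),
]
SAMPLE_EVENTS = [
    Disassoc("c1", SERVING, "Beacon Loss"), Disassoc("c2", SERVING, "Beacon Loss"),
    Disassoc("c4", SERVING, "Beacon Loss"), Disassoc("c5", SERVING, "User-Triggered Disassoc"),
    Disassoc("c3", "bb:bb:cc:dd:ee:ff", "Device Idle"),
    Disassoc("c6", "bb:bb:cc:dd:ee:ff", "DHCP Failed"),
]

if __name__ == "__main__":
    print("best next AP from", SERVING, "->", best_next_ap(SAMPLE_REPORTS, SERVING))
    print("APs shedding clients on RF:", aps_with_rf_problems(SAMPLE_EVENTS))
```

An AP that is flagged here while its neighbour view shows no candidate above -67 dBm is exactly the “C” position from the transition-AP slides: the client has to leave but has nowhere good to go.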
An Example – Cisco Bedfont Lakes Roaming points

Support requests – Wi-Fi issues during video / VoWi-Fi calls, count over 1 week

Incident level                                                   Before upgrade   After upgrade   Change (%)
Level 0 (Productivity Crusher) - call disconnected                    13               0           -100%
Level 1 (Productivity Inhibitor) - audio & video gaps                 36               8            -78%
Level 2 (Minor Annoyance) - audio glitch or light pixelization       131              96            -27%
Total                                                                180             104            -42%

1. Determine coverage gaps
2. If coverage is satisfactory, look at SW config
Security and Threat Mitigation
• User segmentation and end-to-end policy enforcement
• Secure BYOD and guest access
• Detection and mitigation of rogues and interferers

Feature map (toward lower risk): 802.1X; WPA2/AES; TKIP encryption (legacy, deprecated); P2P blocking; MAC auth; MFP, 802.11w; rogue detection; awIPS, ELM; TrustSec (SGT, SXP); AAA override (VLAN, ACL, QoS); local policy w/ BYOD; QoS and AVC; NAC; RADIUS; client exclusion
Next-Gen Wireless Office Goal:

Simplified Security
Simplified and Consistent Access governed by TrustSec

• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic
• The TrustSec-enabled WLC and AP receive policy only for what is connected

[Figure: data center (shared services, application servers, remediation, DC switch), enterprise backbone with ISE, wired/wireless access with Employee, Supplier and Non-Compliant tags; employees on VLAN Data-1 and VLAN Data-2 carry the same Employee tag]
Role Based Segmentation governed by TrustSec
• Access control based on the role of the user
• The TrustSec-enabled WLC and AP receive policy only for what is connected

[Figure: same topology; Employee and Supplier tags are assigned by role, independently of VLAN Data-1 / Data-2]
Next-Gen Wireless Office Goal:

Mitigate Rogues and Intrusion

Cisco Adaptive wIPS with AP3800/2800
Maintains Capacity and Avoids Interference

Good – ELM
  Deployment density: per AP
  Client serving with security monitoring: Y
  wIPS security monitoring: 50 ms off-channel scan on selected channels on 2.4 and 5 GHz
  CleanAir spectrum intelligence: 7 x 24 on the client-serving channel
Better – Monitor Mode AP
  Deployment density: 1 in 5 APs
  Client serving with security monitoring: N
  wIPS security monitoring: 7 x 24, all channels on 2.4 GHz and 5 GHz
  CleanAir spectrum intelligence: 7 x 24, all channels on 2.4 GHz and 5 GHz
Best – ELM with FRA Monitor Mode
  Deployment density: 1 radio per 5 APs
  Client serving with security monitoring: Y
  wIPS security monitoring: 7 x 24, all channels on 2.4 GHz and 5 GHz
  CleanAir spectrum intelligence: 7 x 24, all channels on 2.4 GHz and 5 GHz

[Figure: radio timelines. GOOD, Enhanced Local Mode AP: the 2.4 GHz and 5 GHz radios stay on their serving channel with brief off-channel dwells. BETTER, Monitor Mode AP: the 2.4 GHz radio cycles Ch1, Ch2 … Ch11 and the 5 GHz radio cycles Ch36, Ch38 … Ch157, Ch161. BEST, ELM with FRA: the 5 GHz radio serves clients with brief off-channel dwells while the XOR radio cycles all 2.4 GHz and 5 GHz channels for wireless security monitoring]
Rogue Detection and Mitigation
• Rogue Classification and Containment
  • Rogue Rules
  • Manual Classification – Friendly/Malicious
  • Manual and Auto Containment
• CleanAir with Rogue AP Types
  • Wi-Fi Invalid Channel
  • Wi-Fi Inverted
• Rogue Location
  • Real-time with PI, MSE, CleanAir
  • Location of rogue APs and clients, ad-hoc rogues, non-Wi-Fi interferers

Best Practice Recommendation:
• Set Rogue Detection Security Level to “low”
• Set Detection threshold to <= -75 dBm

[Figure: FRA with monitor-mode data-serving AP: the 5 GHz radio serves clients with 50 ms off-channel dwells while the dedicated radio scans 1.2 s per channel on 2.4 GHz. Monitor Mode AP: scans 1.2 s per channel]
Next-Gen Wireless Office Goal:

Category-based filtering
Content-based filtering and segmentation (Cisco Umbrella account and Cisco ONE)

Category-Based Filtering
• The easy-to-use, cloud-delivered administration console enables you to quickly set up, manage, and test different acceptable-use policies
• Quickly create exceptions to allow or block specific domains, regardless of whether they are in a category that is allowed or blocked

Policy Segmentation
• Customize category-based filtering to meet each network’s specific needs: per network, AP group, user, device or IP address, giving you greater control of your organization’s Internet usage

Security Activity Monitor
• View security activity in real time with globally aggregated reports
• Schedule and send these reports to your inbox

[Figure: Policy 1, 2 or 3 is selected from the attributes the identity server returns (contractor, guest or corporate)]
Role Based Cisco Umbrella Policy
Cisco Umbrella Profile Mapping in Local Policy: the AAA user role (Contractor or Employee) selects the Contractor Policy or the Employee Policy.

Location Based Cisco Umbrella Policy
Cisco Umbrella Profile Mapping in AP Group: the AP group (Corporate HQ or Branch Office) selects the Corporate Policy or the Branch Policy.
Enterprise SSID Security and Segmentation

Enterprise SSID: 802.1X authentication; ISE returns the AAA override (VLAN, user role, SGT).
• VLAN-based segmentation using AAA override (Employee VLAN ID = 10, Contractor VLAN ID = 20)
• Micro-segmentation using Cisco TrustSec: role-based access control based on Scalable Group Tags and SGACLs
• Category-based filtering based on Umbrella policy
• Controlled access to Apple devices via mDNS profile

SGACL matrix (source -> Server): Marketing (SGT 4) permit, Sales (SGT 5) permit, Contractors (SGT 6) deny.

Policy classification engine:
  User role    VLAN   Application (AVC)     Umbrella policy                  Apple devices (mDNS)        SGT   SGACL to Server
  Marketing    10     Mark Webex, Jabber    Block ebay                       Apple TV, Printer, iTunes   4     PERMIT
  Sales        10     Mark Webex, Jabber    Block ebay                       Apple TV, Printer, iTunes   5     PERMIT
  Contractor   20     Drop Youtube          Block ebay, CNN, BBC, Facebook   Printer only                6     DENY
Challenges for Enterprises: Advanced security encryption across all devices
• Increased demand for IoT devices
• Identity security without 802.1X
• Simple operations, high scale, cost effective

Key Solution Asks:
• Private PSK with RADIUS integration; per-client AAA override (VLAN / ACL, QoS etc.)

Cisco Advantage:
• Highly scalable Identity PSK solution designed for a large multi-controller network
Identity PSK

WLAN settings:
✓ PSK WLAN
✓ MAC Filtering
✓ AAA Override

Flow: client -> Access Point -> Wireless LAN Controller -> ISE. The WLC sends the client MAC for MAC filtering; ISE returns the private PSK of that device group in Cisco-AVPair attributes:
  Cisco-AVPair += "psk-mode=ascii"
  Cisco-AVPair += "psk=aabbcc"   (IOT Devices)
  Cisco-AVPair += "psk=xxyyzz"   (Sensors)

Device MAC Group    Private PSK
IOT Devices         aabbcc
Sensors             xxyyzz
Employees           --- (no private PSK: the WLAN PSK applies)
IOT SSID Security and Segmentation

Device groups on one IPSK IOT SSID: IOT Sensors, IOT Lighting, Smart Devices. Flow: device → Access Point → WLC → Enterprise Backbone, with ISE AAA override returning the per-group PSK, VLAN, ACL and SGT (IOT Sensors: PSK = aabbcc, VLAN ID = 10, SGT = 4; IOT Lighting: PSK = eeffgg, VLAN ID = 10, SGT = 5; Smart Devices: PSK = xxyyzz, VLAN = 20, SGT = 6).

  Device group    Identity PSK  VLAN  ACL     SGT  Backend servers
  IOT Sensors     aabbcc        10    PERMIT  4    PERMIT
  IOT Lighting    eeffgg        10    PERMIT  5    DENY
  Smart Devices   xxyyzz        20    DENY    6    DENY
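The table-driven authorization behind the Identity PSK and IOT SSID slides above, as an added example that is not Cisco, ISE or WLC code: a MAC-filtering Access-Request is answered with the group's private PSK, VLAN and SGT, a default-deny egress matrix stands in for the SGACL that gates the backend servers, and the PMK derivation shows why per-group PSKs give each group separate session keys. The device table, group policies, PSK strings and the server SGT are constructed assumptions; the attribute names follow the slide (Cisco-AVPair psk-mode/psk), the standard RADIUS tunnel attributes for VLAN override, and the cts:security-group-tag AVPair form used for SGT assignment.

```python
"""Identity PSK authorization model: what the AAA server returns per device MAC.

Added example for this page, not Cisco, ISE or WLC code. The device table,
group policies, PSK strings and the server SGT are constructed sample data.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed group policy, modelled on the IOT SSID slide: each group has its own
# private PSK, VLAN and SGT. psk=None means "no private PSK": the client must use
# the WLAN-wide PSK (the slide's "Employees ---" row).
GROUP_POLICY: Dict[str, dict] = {
    "IOT Sensors":   {"psk": "sensor-psk-2018",   "vlan": 10, "sgt": 4},
    "IOT Lighting":  {"psk": "lighting-psk-2018", "vlan": 10, "sgt": 5},
    "Smart Devices": {"psk": "smart-psk-2018",    "vlan": 20, "sgt": 6},
    "Employees":     {"psk": None,                "vlan": 10, "sgt": 7},
}

# Constructed MAC filtering database (what ISE holds as endpoint groups).
DEVICE_GROUPS: Dict[str, str] = {
    "aabbcc000001": "IOT Sensors",
    "aabbcc000002": "IOT Lighting",
    "ddeeff000001": "Smart Devices",
    "001122334455": "Employees",
}

# Constructed egress policy (source SGT, destination SGT): only IOT Sensors reach
# the backend servers; every pair not listed is denied, i.e. a default-deny SGACL matrix.
SERVER_SGT = 100
EGRESS_PERMIT = {(4, SERVER_SGT)}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or bare hex and return
    12 lowercase hex digits, or None if the string is not a MAC address."""
    bare = re.sub(r"[:\-.]", "", mac.strip().lower())
    return bare if _MAC_RE.match(bare) else None


def valid_ascii_psk(psk: str) -> bool:
    """A WPA2 ASCII passphrase is 8 to 63 printable ASCII characters."""
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def authorize(username: str) -> Optional[Dict[str, object]]:
    """MAC filtering Access-Request (MAC as username) -> Access-Accept attributes,
    or None for Access-Reject. Uses the slide's Cisco-AVPair psk-mode/psk pairs,
    the standard tunnel attributes for VLAN override, and the
    cts:security-group-tag=<hex tag>-<generation> AVPair for the SGT."""
    mac = normalize_mac(username)
    if mac is None or mac not in DEVICE_GROUPS:
        return None                                   # unknown device: reject
    group = DEVICE_GROUPS[mac]
    policy = GROUP_POLICY[group]
    avpairs: List[str] = [f"cts:security-group-tag={policy['sgt']:04x}-00"]
    if policy["psk"] is not None:
        if not valid_ascii_psk(policy["psk"]):
            raise ValueError(f"group {group!r} has an invalid WPA2 passphrase")
        avpairs += ["psk-mode=ascii", f"psk={policy['psk']}"]
    return {
        "group": group,
        "Cisco-AVPair": avpairs,
        "Tunnel-Type": 13,                 # VLAN
        "Tunnel-Medium-Type": 6,           # IEEE-802
        "Tunnel-Private-Group-ID": str(policy["vlan"]),
    }


def egress_permitted(src_sgt: int, dst_sgt: int) -> bool:
    """SGACL enforcement point: permit only explicitly listed (source, destination) pairs."""
    return (src_sgt, dst_sgt) in EGRESS_PERMIT


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def distinct_pmks(ssid: str) -> int:
    """Number of different PMKs the groups above produce on one SSID. With a single
    shared PSK this is 1, and any device holding it can derive every other device's
    session keys from a captured 4-way handshake; with per-group PSKs it is one per group."""
    return len({derive_pmk(p["psk"], ssid) for p in GROUP_POLICY.values() if p["psk"]})


if __name__ == "__main__":
    for mac in ("AA:BB:CC:00:00:01", "0011.2233.4455", "ff:ff:ff:ff:ff:ff"):
        print(mac, "->", authorize(mac))
    print("IOT Sensors -> servers:", egress_permitted(4, SERVER_SGT))
    print("distinct PMKs on IOT-SSID:", distinct_pmks("IOT-SSID"))
```

The employee row shows the fallback the slide's "---" implies: no psk AVPairs are returned, so the controller keeps the WLAN PSK for that client while the VLAN and SGT overrides still apply. derive_pmk is checked against the IEEE 802.11 passphrase test vector (passphrase "password", SSID "IEEE").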
How Not to do #hotel #WiFi #Security

Source: https://badfi.com/bad-fi/
Security Best Practice: Enable 802.1x Authentication on the WLAN and on the AP

• WLAN: WLANs → Edit 'WLAN_NAME' → Security (802.1x with WPA2 for client authentication)
• AP: Wireless → Access Points → Global Configuration (802.1x supplicant credentials the AP presents to its switch port)

To enable 802.1X authentication on the switch port the AP connects to, on the switch CLI, enter these commands (Catalyst IOS; the interface name, RADIUS address, ports and key are placeholders to replace):

  Switch# configure terminal
  Switch(config)# dot1x system-auth-control
  Switch(config)# aaa new-model
  Switch(config)# aaa authentication dot1x default group radius
  Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
  Switch(config)# interface fastethernet2/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# dot1x pae authenticator
  Switch(config-if)# dot1x port-control auto
  Switch(config-if)# end

802.1x on the WLAN authenticates wireless clients; 802.1x on the AP's switch port authenticates the AP itself, so an unauthenticated device plugged into that port gets no network access. The credentials known to the RADIUS server must match the supplicant credentials configured on the AP (or globally on the WLC for all APs).
Deployment Lifecycle, The Bigger Picture: Design → Provision → Optimize → Analyze. This part covers Analyze (Analytics: Workspace Analytics, Monitoring and Real-time Diagnostics).
Introducing DNA Center
Realizing the vision of the intent-powered intuitive network

• Policy: translate business intent into network policy; decouple policy from network topology
• Automation: reduce manual operations and the cost associated with human errors; industry best-practices configuration and policy compliance
• Assurance and Analytics: use context to turn data into intelligence; proactive issue identification and resolution
Assurance: Predict Issues Before They Happen

• Visibility: learn from the network and the clients attached to it
• Insights: see problems before your end users do
• Troubleshoot: find root cause faster with granular details
• Predictive Performance: understand how new services will impact service levels
• Automate: recognize changes and inform the self-driving network

Industry's first self-predicting network analytics platform
Wireless Sensors Proactively Assess Performance

Test your network with existing APs at any time. APs or sensors act as clients against the real infrastructure (access point → R1 → the tested hosts); either a dedicated sensor (AP1800s) or a Flexible Radio runs the tests. The Flexible Radio Assignment algorithm intelligently identifies excessive radios and seamlessly converts them into Sensor mode without client impact.

• On-Boarding Tests
  • 802.11 Association
  • 802.11 Authentication & Key Exchange
  • IP Addressing DHCP (IPv4)
• Network tests
  • DNS (IPv4)
  • RADIUS (IPv4)
  • First Hop Router/Default gateway (IPv4)
  • Intranet Host
  • External Host (IPv4)
• Application tests
  • Email: POP3, IMAP, Outlook Web Access (IPv4)
  • File Transfer: FTP (IPv4)
  • Web: HTTP & HTTPS (IPv4)
Wireless Sensor Support

Flexible Radio as Sensor (2800/3800)
• Dual 5 GHz Flexible Radios: software defined radios automatically adjust to dual 5 GHz
• Flexible radios can provide simultaneous in-line monitoring to DNA for analytics and insights while serving clients (future)
• XOR radio roles: 2.4 GHz, 5 GHz, or Sensor (client testing)

Dedicated AP as Sensor
• 1815/1830/1850 AP
• 1800s dedicated sensor: purpose-built hardware for analytics
  • 2x2 with 2 spatial streams
  • Multiple powering options: PoE power, USB Type "C" power, direct AC power plug
  • Integrated BLE

Related sessions:
• BRKEWN-3033: DNA Assurance – deep dive, Wednesday Jan 31, 4:30pm – 6:00pm with Jerome Henry
• BRKEWN-2032: DNA Assurance: bring intelligence to your WLAN issues, Tuesday Jan 30, 4:30pm with Jeremy Cohoe
Workspace Analytics
Making Buildings Smarter
Workspace Optimization
Lower Real-estate costs
Cisco Portfolio for Next-Gen Wireless Workspace
DNA ready Wireless Controller Portfolio

Small Network (up to 100 APs)
• Mobility Express: 50 APs / 1000 clients on AP 18xx; 100 APs / 2000 clients on AP 2K/3K series

Mid-size Enterprise (up to 3000 APs)
• Cisco 3504: 150 APs, 3000 clients, 4 Gbps
• Cisco 5520: 1500 APs, 20,000 clients, 20 Gbps
• Cisco vWLC: 3000 APs, 32,000 clients, FlexConnect mode

Large Enterprise (up to 6000 APs)
• Cisco 8540: 6000 APs, 64,000 clients, 40 Gbps
Designed to be DNA Ready
Industry's Most Comprehensive Indoor AP Portfolio: Enterprise Class, Mission Critical, Best in Class

1815 (Indoor / High-powered / Indoor Wall Plate / Teleworker)
• 2x2:2SS 80 MHz, 867 Mbps performance
• Tx Beam Forming
• Integrated BLE Gateway
• Max transmit power (dBm) per local regulations
• 3 GE local ports, including 1 PoE out; local ports 802.1x ready
• USB 2.0

1830
• 3x3:2SS 80 MHz, 867 Mbps performance
• Tx Beam Forming
• 1 GE port uplink
• USB 2.0

1850
• 4x4:3SS 80 MHz, 1.7 Gbps performance
• Tx Beam Forming
• Internal or external antenna
• 2 GE ports uplink
• USB 2.0

2800
• 4x4:3SS 160 MHz, 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink
• CleanAir and ClientLink
• Internal or external antenna; Smart Antenna Connector
• USB 2.0

3800
• 4x4:3SS 160 MHz, 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 mGig (5G)
• CleanAir and ClientLink
• StadiumVision
• Internal or external antenna; Smart Antenna Connector
• USB 2.0
• Investment-proof modularity

DNA Ready | RF Excellence | CMX | Centralized, FlexConnect or Mobility Express
Dual 5 GHz | Flexible Radio | HDX | Future Proof
Designed to be DNA Ready
Industry's Most Comprehensive Outdoor AP Portfolio

1540 (New)
• 802.11ac Wave 2, MU-MIMO
• 2x2:2, 80 MHz, 867 Mbps
• Ultra low profile
• Internal antenna only
• PoE (802.3af) power
• Centralized, FlexConnect, Mesh and Mobility Express

1560
• 802.11ac Wave 2, MU-MIMO
• 3x3:3, 80 MHz, 1.3 Gbps (I); 2x2:2, 80 MHz, 867 Mbps (E/D)
• Internal or external antenna model (I/E); internal directional antenna model (D)
• SFP
• Flexible antenna ports
• CleanAir and ClientLink
• Centralized, FlexConnect, Mesh and Mobility Express

1570
• 802.11ac Wave 1
• 4x4:3, 80 MHz, 1.3 Gbps
• External antenna model (EAC); cable modem model (IC/EC)
• SFP/GPS
• PoE out 802.3at (external antenna model only)
• Flexible antenna ports
• CleanAir and ClientLink
• Modularity (external antenna model only)
• Centralized, FlexConnect and Mesh
• Cable modem version only (IC/EC): DOCSIS 3.0, 24x8
• Internal or external antenna

DNA Ready | RF Excellence | CMX | 802.11ac Wave 2
Learning Resources: Best Practices Summary (for your reference)
Make it easy, make it work: WLC configuration best practices (AireOS)

INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• FlexConnect Groups and Smart AP Upgrade

SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advanced EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable Wi-Fi Direct
• Peer-to-peer blocking
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password policies
• Enable IDS
• BYOD Timers

WIRELESS / RF
• Disable Aironet IE
• Disable 802.11b data rates
• Restrict the number of WLANs to below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load

MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dB
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
For Your Reference: VoD Links

• Cisco CMX Solution https://www.youtube.com/watch?v=KQRb8vfU0qM
• CMX Hyperlocation vs RSSI Demo https://www.youtube.com/watch?v=6ls7EHbSK4A
• Cisco Dual 5GHz Wi-Fi https://www.youtube.com/watch?v=mbpjiETvDXc
• Cisco Aironet AP-3800 RF Excellence https://www.youtube.com/watch?v=dBpGsTKeyNM&t=64s
• Digital Network Architecture with Wave2 with 802.11ac https://www.youtube.com/watch?v=ySjN13hPhXY&t=2s
• Cisco Aironet Series – Flexible Radio Assignment https://www.youtube.com/watch?v=K_-BykT_YIM
• TechWiseTV: Apple and Cisco: Fast-Tracking the Mobile Enterprise https://www.youtube.com/watch?v=bh8rEvrzm7Y&feature=youtu.be
• Prioritized Business Apps https://www.youtube.com/watch?v=z0EOKNxL964&feature=youtu.be
• Apple and Cisco: Three Solutions Coming Together https://www.youtube.com/watch?v=7MgsDkf55wQ&feature=youtu.be
• Wi-Fi Optimized Feature https://www.youtube.com/watch?v=xgPfxAolJoQ&feature=youtu.be
• Fastlane App Demo https://www.youtube.com/watch?v=N1QMUcv3aRQ
• Cisco APIC-EM Wireless PnP Demo https://www.youtube.com/watch?v=_9P2-bU66PU
• Cisco Aironet Plug and Play Cloud Redirection https://www.youtube.com/watch?v=W7fBZ6xfSxw
• Wireless LAN Controller Dashboard Review https://www.youtube.com/watch?v=af09TBaafRI&feature=youtu.be
• Cisco Wireless Mobile App https://www.youtube.com/watch?v=HyvZ4mbVAWs
• WLC Advanced UI Client Troubleshooting https://www.youtube.com/watch?v=dZVxI6jOx_Q
• ISE Simplified Wireless Setup https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Cisco Wireless TrustSec Demo https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Cisco Wireless Netflow Lancope Integration Demo https://www.youtube.com/watch?v=TuWYkrt94CQ
• Cisco Umbrella Integration with WLC https://www.youtube.com/watch?v=cMdX8sBBYG4

More videos: https://www.youtube.com/user/CiscoWLAN/
For Your Reference: Cisco Wireless LAN Documentation

INSTALLATION GUIDES
• 5520 WLC
• 8540 WLC
• AP1570
• AP1810 OE
• AP1810W Wall Plate
• AP1850
• AP2700/3700
• AP2800/3800
• AP702W
• APIC-EM Wireless AP PnP
• Flex7500 WLC
• Mesh APs
• Mobility Express
• Smart Licensing
• Univ. AP Regulatory Domain
• Virtual WLC

RADIO CONFIGURATION
• 802.11r BSS Fast Transition
• Adaptive wIPS
• ATF Ph 1 & 2
• CleanAir
• CMX FastLocate
• High Density
• Rogue Management
• RRM RF Grouping Algorithm
• RRM White Paper
• Vocera IP Phone in WLAN
• VoWLAN Troubleshooting

ENCRYPTION
• BYOD for FlexConnect
• BYOD with ISE
• Security Integration

CLIENT ADDRESSING
• Bi-Directional Rate Limiting
• Flex AP-EoGRE Tunnel Gtwy
• IPv6
• Jabber
• Jabber and UCM
• Microsoft Lync
• Passpoint Configuration
• Real-Time Traffic Over WLAN
• VideoStream

POLICY ENGINE
• AVC
• Bonjour
• Chromecast
• Device Classification
• Domain Filtering
• mDNS Gateway w/Chromecast
• Wireless Device Profiling & Policy Classification

BEST PRACTICES
• Apple Devices
• Enterprise Mobility Design Guide
• High Availability (SSO)
• HyperLocation
• iPhone 6 Roaming
• N+1 High Availability
• WLAN Express
• WLC Configuration Best Practices
Continue Your Education
• BRKEWN-2003 Optimize your WLANs for iPhones (and welcome other mobile devices too), 01/30/2018, Hall 8.0, Session Room 112, 16:45
• BRKEWN-2010 Design and Deployment of Enterprise WLANs, 01/30/2018, Hall 8.0, Session Room 101, 14:15
• BRKEWN-2017 Understanding RF Fundamentals and the Radio Design for 11ac Wireless Networks, 01/30/2018, Hall 8.0, Session Room 107, 11:15
• BRKEWN-2019 7 Ways to Fail as a Wireless Expert, 01/30/2018, Hall 8.0, Session Room 132, 11:15
• BRKEWN-2033 A Cloud-based Machine Learning / Analytics architecture for DNA (wireless/wired) Assurance, 01/31/2018, Hall 8.0, Session Room 137, 16:30
• BRKEWN-3014 Best practices to deploy high-availability in Wireless LAN Architectures, 01/31/2018, Hall 8.0, Session Room 112, 14:30
• BRKEWN-2012 Design and Use Cases of a location enabled Wi-Fi network supported by Connected Mobile Experiences (CMX), 02/01/2018, Hall 8.0, Session Room 106, 14:30
• BRKEWN-3010 Improve Enterprise WLAN Spectrum Quality with Cisco's advanced RF capacities (RRM, CleanAir, ClientLink, etc), 02/01/2018, Hall 8.0, Session Room 101, 09:00
• BRKEWN-2005 Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD, 02/01/2018, Hall 8.0, Session Room 139, 11:30
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you
Supplementary Material
Configurations and Setup Instructions
Optimized WiFi Connectivity
Configuration
Adaptive 11r
Feature enabled by default on a newly created SSID
• Even if 802.11r is not enabled on the WLAN, it is enabled by default for Apple iOS 10 devices (adaptive 11r), as show wlan reports:

  show wlan 3
  .../...
  Security
    802.11 Authentication:........................ Open System
    FT Support.................................... Adaptive
Adaptive 11r
• Adaptive 11r means that the WLAN security is set to WPA2 (NOT to static 802.11r; there is no need for "hybrid" mode either)
11k Configuration
• Feature enabled by default on a newly created SSID
• Dual-band neighbor list selectively enabled for Apple devices that support the Adaptive capability
11v Configuration
• 802.11v features are enabled by default on a newly created SSID
FastLane Feature Configuration
Fastlane on WLC
• Enabled from the QoS tab of the WLAN configuration
• Enabling the first WLAN for Fastlane also enables AutoQoS (best QoS config) globally
• Application Visibility is semi-independent
Fastlane
• Enabling Fastlane:
  • Configures the best QoS config globally
  • Sets the WLAN to Platinum
  • Sets WMM to Required
  • (Notice that AV, Application Visibility, is still disabled)
Fastlane
• Enabling Fastlane enables the best QoS config globally:
  • The Platinum profile sets Max Priority to voice (UP 6), non-WMM and multicast to BE, 802.1p disabled, bandwidth contracts disabled
  • The EDCA profile is set to Fastlane
Fastlane
• Enabling Fastlane enables the best QoS config globally:
  • ACM is enabled on both bands (load-based), with max RF bandwidth 50% and roaming bandwidth 6%
  • Expedited bandwidth is enabled
Fastlane
• Enabling Fastlane enables the best QoS config globally:
  • DSCP is trusted upstream (instead of UP)
  • The DSCP-to-UP map is configured as per IETF recommendations ("well-known" DSCP values mapped to the IETF-recommended UP values, "unexpected" DSCP values mapped to BE)
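An added example (not WLC code) of the upstream treatment the slide describes: the DSCP in the client's IP header is trusted, the 802.11 UP the client chose is ignored, well-known DSCP values map to the IETF-recommended UP, and anything else falls to Best Effort. The table is the RFC 8325 recommendation, assumed here to match the map the WLC applies; the packets are constructed in the block.

```python
"""Fastlane-style upstream QoS: trust DSCP, ignore the client's UP, map per RFC 8325.

Added example for this page, not WLC code. The DSCP-to-UP table is the RFC 8325
recommendation (the IETF mapping the slide refers to) and is assumed to match the
map the WLC applies; the packets below are constructed.
"""
import struct
from typing import Tuple

# RFC 8325 section 4 recommended DSCP -> 802.11 UP. Any DSCP not listed is an
# "unexpected" value (e.g. a client marking itself 45 or 63) and goes to UP 0.
DSCP_TO_UP = {
    56: 7, 48: 7,                    # CS7, CS6 (network control)
    46: 6, 44: 6,                    # EF, VOICE-ADMIT
    40: 5,                           # CS5
    38: 4, 36: 4, 34: 4, 32: 4,      # AF4x, CS4
    30: 4, 28: 4, 26: 4, 24: 4,      # AF3x, CS3
    22: 3, 20: 3, 18: 3, 16: 3,      # AF2x, CS2
    14: 3, 12: 3, 10: 3,             # AF1x
    8: 1,                            # CS1 (scavenger)
    0: 0,                            # DF (best effort)
}

# 802.11 UP -> WMM access category.
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}


def dscp_to_up(dscp: int) -> int:
    return DSCP_TO_UP.get(dscp, 0)


def extract_dscp(packet: bytes) -> int:
    """DSCP is the top 6 bits of the IPv4 TOS byte or of the IPv6 traffic class."""
    version = packet[0] >> 4
    if version == 4:
        return packet[1] >> 2
    if version == 6:
        traffic_class = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
        return traffic_class >> 2
    raise ValueError("not an IP packet")


def classify_upstream(packet: bytes, client_up: int) -> Tuple[int, str]:
    """Upstream (client -> AP) queueing decision with DSCP trusted instead of UP.
    client_up is the UP the client put in its 802.11 QoS Control field; because
    DSCP is trusted it plays no part in the result."""
    up = dscp_to_up(extract_dscp(packet))
    return up, UP_TO_AC[up]


def ipv4_packet(dscp: int, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (UDP protocol number) carrying the given DSCP; constructed input."""
    tos = (dscp & 0x3F) << 2
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                         17, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return header + payload


def ipv6_packet(dscp: int, payload: bytes = b"") -> bytes:
    """Minimal IPv6 header carrying the given DSCP in its traffic class; constructed input."""
    first_word = (6 << 28) | (((dscp & 0x3F) << 2) << 20)
    header = struct.pack("!IHBB", first_word, len(payload), 17, 64) + bytes(32)
    return header + payload


if __name__ == "__main__":
    samples = [("voice, DSCP 46 (EF)", ipv4_packet(46), 6),
               ("video, DSCP 34 (AF41)", ipv4_packet(34), 4),
               ("DSCP 0 but client UP 6", ipv4_packet(0), 6),
               ("unexpected DSCP 45", ipv4_packet(45), 6),
               ("IPv6 voice, DSCP 46", ipv6_packet(46), 6)]
    for name, pkt, up in samples:
        print(f"{name:26s} -> UP/AC {classify_upstream(pkt, up)}")
```

The third and fourth samples are the security-relevant cases: a client that sets UP 6 in its 802.11 header but leaves DSCP 0, or that invents a DSCP value outside the well-known set, is queued as Best Effort rather than jumping into the voice queue.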
Fastlane
• When Fastlane is enabled on a WLAN, enabling AV automatically applies the AUTOQOS-AVC-PROFILE
Fastlane
• As long as Fastlane is enabled, you cannot (and should not) change the AVC profile (you can disable/enable AV, but not change the AVC profile)
Cisco Apple Partnership: Spark Collaboration
Additional Information: Many Ways to Communicate
Seamless Collaboration with Cisco Spark
• Meet anywhere and everywhere
• Always-on, secure team messaging and file sharing
• Integrated business phone with HD voice and video calling
Native Voice Experience
• New framework for integrated calling over IP
• Answer calls from the Lock screen
• Make voice or video calls from Contacts, Favorites, and Recents
• Make calls with Siri
• Switch seamlessly between VoIP and cellular calls
• Use connected headsets and accessories
Enterprise Voice Integration
(iPhone → Cisco Collaboration Cloud → corporate PBX / switch → Telco; desk phone on the PBX)
• Users never miss a call
• Reliable, high-quality calling with reduced costs
• Improved compliance for calls made through the corporate PBX
• Accelerated user onboarding
Benefits of Voice and Collaboration
• Intuitive native user experience
• Extend existing investments to iOS devices and reduce calling costs
• Integrate into your existing telephony systems
• Expand collaboration tools beyond voice
Network PnP with Public Cloud Redirect: Setup Steps
Network PnP support workflow with Cisco Cloud Redirect (device → Internet → Cisco Cloud Redirect Server → PnP Server / APIC-EM; the PnP server uses a self-signed SSL certificate)

1. DHCP request: the DHCP server responds with IP address, domain name and DNS server*.
2. The device uses the pre-defined cloud redirect server name (devicehelper.cisco.com) and resolves it to an IP address.
3. The device establishes HTTP communication with the Cloud Redirect Server and sends an HTTP request with its serial number (UDI); the Cloud Redirect Server receives the UDI and sends back the APIC-EM / WLC IP address.
4. The PnP agent initiates HTTP communication with the APIC-EM server and sends the device UDI (HTTP PnP work request); the PnP server receives the UDI and sends its server SSL certificate over HTTP.
5. The PnP agent installs a local trustpoint for the server SSL certificate.
6. The PnP agent initiates HTTPS communication with the server and sends the device UDI (HTTPS PnP work request); the PnP server receives the UDI and sends the AP configuration over HTTPS.

Note that the certificate which anchors step 6 is self-signed and is itself handed to the AP over plain HTTP in step 4, after a server address obtained over HTTP in step 3: trust is established on first use, so the HTTPS step only protects the configuration against parties who did not control the DHCP, DNS or HTTP path during steps 1 to 4. Stage APs on a network where those steps cannot be tampered with.
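An added example (not the Cisco PnP agent or APIC-EM) modelling the trust step of the workflow above: the server certificate arrives over HTTP, and the agent either installs it on first use or compares its SHA-256 fingerprint with a value staged on the device beforehand. The PEM blobs, UDI and returned configuration are constructed placeholders, and a pre-staged fingerprint is an assumption about how an operator could pin the server, not a feature the page describes.

```python
"""Trust-on-first-use versus a pinned fingerprint for the PnP server certificate.

Added example, not Cisco PnP agent or APIC-EM code. The PEM blobs below are
constructed placeholders (valid PEM framing around arbitrary bytes), not real
certificates; the UDI and configuration strings are constructed too.
"""
import base64
import hashlib
import ssl
from typing import Dict, Optional


def _fake_pem(body: bytes) -> str:
    """Constructed PEM wrapper around arbitrary bytes, standing in for a server cert."""
    b64 = base64.encodebytes(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


GENUINE_CERT_PEM = _fake_pem(b"genuine PnP server certificate (constructed)")
ROGUE_CERT_PEM = _fake_pem(b"rogue server certificate (constructed)")


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, the value a certificate viewer shows as the fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


class PnpAgent:
    """Device side after the cloud redirect returned the server address.
    pinned_sha256 is a fingerprint assumed to have been staged on the device
    out of band; None reproduces the trust-on-first-use behaviour."""

    def __init__(self, udi: str, pinned_sha256: Optional[str]):
        self.udi = udi
        self.pinned = pinned_sha256
        self.trustpoint: Optional[str] = None

    def http_work_request(self) -> Dict[str, str]:
        return {"transport": "http", "udi": self.udi}

    def install_trustpoint(self, pem: str) -> bool:
        """Step 5 of the workflow. Refuses the certificate when a pin is set and does not match."""
        fp = cert_fingerprint(pem)
        if self.pinned is not None and fp != self.pinned:
            return False
        self.trustpoint = fp
        return True

    def https_work_request(self) -> Dict[str, str]:
        if self.trustpoint is None:
            raise RuntimeError("no trustpoint installed")
        return {"transport": "https", "udi": self.udi, "trust": self.trustpoint}


def pnp_exchange(agent: PnpAgent, server_cert_pem: str) -> Optional[Dict[str, str]]:
    """HTTP certificate handoff (step 4) followed by the HTTPS work request (step 6).
    Returns the configuration the agent accepts, or None when it refuses the cert.
    The server side is a stand-in: whichever host answered the HTTP request, the
    genuine PnP server or an interposer on the staging VLAN, supplies the cert."""
    agent.http_work_request()                          # UDI sent in clear
    if not agent.install_trustpoint(server_cert_pem):  # cert also arrived in clear
        return None
    req = agent.https_work_request()
    return {"udi": req["udi"], "config": "wlc 10.0.0.5 (constructed)", "trust": req["trust"]}


if __name__ == "__main__":
    pin = cert_fingerprint(GENUINE_CERT_PEM)
    print("TOFU, rogue cert   :", pnp_exchange(PnpAgent("UDI-CONSTRUCTED-1", None), ROGUE_CERT_PEM) is not None)
    print("pinned, rogue cert :", pnp_exchange(PnpAgent("UDI-CONSTRUCTED-1", pin), ROGUE_CERT_PEM) is not None)
    print("pinned, genuine    :", pnp_exchange(PnpAgent("UDI-CONSTRUCTED-1", pin), GENUINE_CERT_PEM) is not None)
```

With no pin the agent accepts whatever certificate answers the HTTP request, which is exactly the trust-on-first-use property of the workflow; with a pin the rogue certificate is rejected before any configuration is fetched.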
Cisco Cloud Redirect Workflow

1. Go to https://software.cisco.com and log in using a Smart Account
2. Navigate to "Plug and Play Redirect Service" under the Provisioning tab
3. Add a Controller (WLC or APIC-EM) profile
4. Add Devices (device details like SN, PID, Controller, etc.)
5. Connect the device
6. Track Provisioning Status
Setting Up Controller Profile (workflow step 3): Add Controller (WLC or APIC-EM) profile
Setting Up Device Profile – Access Points (workflow step 4): Add Devices (device details like SN, PID, Controller, etc.)
Track Provisioning Status: AP pending to connect to the APIC-EM server; AP provisioned through the APIC-EM server.

Track Access Points on Controller
ISE 2.2 Xenia
Simplified Guest Workflow Configuration: Secure Guest in a Few Steps
Easy Guest Hotspot Setup
• Step 1: Register the wireless LAN controller. Click Register and you should see a card for the WLC IP address.
Easy Guest Hotspot Setup
• Step 2: The wizard shows any existing WLANs that could be used, or new WLANs can be created.
• Step 3: Create and customize the portal.
Zero Touch WLC Config - Reference
Xenia automates the WLC configuration without GUI or CLI, a significant time saving:
• WLAN
• AAA Override
• RADIUS/ISE NAC
• RADIUS Servers
• CoA Enabled
• ACL (Pre-Auth)

A single workflow to achieve 100+ manual setup steps
Zero Touch ISE Config - Reference
ISE configuration is automated:
• ISE Auth Policies
• Auth Profiles
• NAD Client
• Custom Portal
• Active Directory

Minimize user complexity and errors while maximizing time savings
ISE 2.2 Xenia
Simplified 802.1x Workflow Configuration: Secure Wireless in a Few Steps
ISE 2.2 Xenia
Simplified BYOD Workflow Configuration: Secure BYOD in a Few Steps
Wireless TrustSec Configuration
Wireless TrustSec – How to Set It Up
1. Basic infrastructure setup – certificates, Active Directory integration, etc.
2. Create the Security Group Tags to be used in the network
3. Set up Network Device Admission Control (NDAC)
4. Define authentication and authorization policies for users and devices
5. Configure SGACLs and egress policies
Security Group Tags in ISE
Define SGTs under the 'Components' section in the TrustSec Work Center (ISE 2.0 and above)
Define the WLC in 'Network Devices'
• The network devices, e.g. wireless controllers, need to be defined here.
Configure parameters for TrustSec
• In addition to the RADIUS secret, check 'Advanced TrustSec Settings' and 'Use Device ID for TrustSec', then type the device password.
• This ID and password need to be exactly the same as you define on the network device CLI.
Define authorization policies for users and devices
• 802.1X / MAB / Web authentication policy to assign SGTs to the users and devices
Configure Security Group ACLs
• Configure the SGACLs first so they can be referenced under the egress policy later
TrustSec WLAN Configuration

TrustSec Policy Downloaded on WLC

SG-ACL enforcement
OpenDNS configuration and setup
OpenDNS – Account Setup
• Create an OpenDNS account with an active subscription license.
• Obtain the API token from the dashboard to be used on the WLC.
OpenDNS - Profile Creation on WLC
Workflow: Enable OpenDNS on WLC → Configure API Token → Create Profiles → Map Profile to WLAN / AP Group / Local Policy

• Enable OpenDNS on the WLC: Security > OpenDNS
• Create two profiles – for the employee and contractor roles
Category Based Filtering on OpenDNS
OpenDNS Reporting – Security Overview
• Visualize security activity in real time with aggregated reports.
• Schedule and get reports to your inbox.
• Pinpoint infected devices or users targeted by advanced attacks to reduce time to remediation.
OpenDNS Reporting – Activity Search
• Activity Search: filter by response – Blocked, Allowed, Proxy
• Filter by time – last 24 hours, today, yesterday, last 7 days, last 30 days
• Detail on activity, e.g. which OpenDNS policy blocked the site
Detailed Reporting Options
• Reports for Cloud Services, Top Requests, Activity Volume, Top Domains, Top Categories, Top Identities
• Service details including % allowed, % blocked, first seen, last seen, identities, number of requests to a particular cloud service