BRKEWN-2670
How to join the discussion:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKEWN-2670
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Enterprise Becomes Social
Customer & Employee Collaboration
What Do You Consider First?
Agenda
Deployment Lifecycle
The Bigger Picture
Next-Gen Office Design Goals
[Chart: Throughput (%), 0% to 80%, against number of clients (1, 5, 10, 25, 50, 75, 100), for contention levels from 5% to 60%; throughput falls as clients are added]
Retry attempts increase and each station spends more and more time in the "waiting and listening" state, driving down performance.
(source: IEEE 802.11-15/0351r2)
Design for Density, not Coverage
People only use one real-time application at a time.
[Table: Application by Use Case, with Throughput (Nominal)]
An Example – Identifying the BW Needs in a Cell
• Skype 4 Business / Lync (Up and Down):
Real Life Example
I need ~12 Mbps throughput everywhere in the cell . . . therefore I need it here.
• Density studies show 12 active users / cell on average (-67 dBm)
• Expected 2 HD video calls (Skype type)
• 5 audio calls
• Other users may browse
Cell Shape and Cell Size
Your cell shape depends on the antenna you use: directional or omnidirectional.
[Figure: a directional and an omnidirectional antenna covering the same areas]
Higher Power Does not Always Mean Better Signal
[Figure: RSSI and noise level over time, with the AP asking "Is it better now?" and the client answering "You are a bit quiet"]
Aim for:
• Noise level ≤ -92 dBm
• RSSI ≥ -67 dBm
What's the right power? In short: half your worst client max power.
• E.g. you design for 5 GHz, worst client max is at 11 dBm, set your AP power to 8 dBm
Next-Gen Office Design Goals
Follow AP Placement Guidelines
Mount APs so that antennas are vertical (we use vertical polarization)
Avoid metallic objects that can affect the signal to your clients
Really..? When RF cluelessness becomes art…
Rates and Cell Overlap
Cell overlap is designed so that when a VoWLAN device gets to the –67 dBm
area, it is already in good range of another access point.
20-percent overlap between cells is recommended
How much is that? Use the -75 dBm rule if you are not sure.
The –75 dBm Rule
First trick to know:
Twice the distance = -6 dB
Half the distance = +6 dB
• At distance d: X dBm (e.g. -50 dBm)
• At distance 2d: (X-6) dBm (e.g. -56 dBm)
• At distance d/2: (X+6) dBm (e.g. -44 dBm)
The –75 dBm Rule
So if you stand at the "-67 dBm border"…
Move away from AP 1 until you get -67 dBm.
Then pull AP 2 in the other direction until you also hear it at -67 dBm.
[Figure: AP 2 and AP 1, both heard at -67 dBm from the border]
The –75 dBm Rule
Go back to AP 1.
AP 2 should be at "-67 - 6" = -73 dBm. Add 2-3 dB loss if there is a plaster wall -> -75 dBm.
[Figure: AP 2 heard from the AP 1 location]
The –75 dBm Rule
Measure: this is your average AP-to-AP distance.
[Figure: AP 2 at -72 to -75 dBm, measured at AP 1]
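The -75 dBm rule and the "half your worst client max power" rule from the slides above, as an added example (not code from the Cisco Live deck): it turns the deck's "twice the distance = -6 dB" trick into a log-distance model that covers any distance ratio, not just d, 2d and d/2, adds the plaster-wall allowance, and checks a survey reading of AP 2 taken at AP 1 against the deck's -72 to -75 dBm window. The function names, the 2 dB wall figure (the deck says 2-3 dB) and the sample readings are assumptions.

```python
"""Cell-overlap and AP-power rules of thumb from the -75 dBm rule slides.

Added example, not from the Cisco Live deck. The deck's "twice the distance
= -6 dB" trick is modelled as a log-distance path-loss rule (6 dB per
doubling), which generalizes the d / 2d / d/2 cases on the slide to any
distance ratio. A plaster wall costs 2 dB here (deck: 2-3 dB), which
reproduces the deck's -75 dBm figure. All names are assumptions.
"""
import math

CELL_EDGE_DBM = -67.0              # VoWLAN cell edge used throughout the deck
LOSS_PER_DOUBLING_DB = 6.0         # "Twice the distance = -6 dB"
PLASTER_WALL_LOSS_DB = 2.0         # deck allows 2-3 dB; 2 dB gives the deck's -75 dBm
TARGET_WINDOW_DBM = (-75.0, -72.0)  # "AP 2 at -72 to -75 dBm" when standing at AP 1


def rssi_at(rssi_ref_dbm, d_ref, d, walls=0):
    """RSSI expected at distance d, given rssi_ref_dbm measured at d_ref.

    loss = 6 dB * log2(d / d_ref): d -> 2d gives -6 dB and d -> d/2 gives
    +6 dB, exactly as on the slide; each plaster wall subtracts 2 dB more.
    """
    if d <= 0 or d_ref <= 0:
        raise ValueError("distances must be positive")
    path_loss = LOSS_PER_DOUBLING_DB * math.log2(d / d_ref)
    return rssi_ref_dbm - path_loss - walls * PLASTER_WALL_LOSS_DB


def expected_ap2_at_ap1(cell_edge_dbm=CELL_EDGE_DBM, walls=0):
    """What AP 2 should read at the AP 1 location.

    The two -67 dBm borders meet at distance d from each AP, so AP 1 sits
    at 2d from AP 2: -67 dBm becomes -73 dBm, or -75 dBm through one wall.
    """
    return rssi_at(cell_edge_dbm, d_ref=1.0, d=2.0, walls=walls)


def check_spacing(measured_ap2_at_ap1_dbm, window=TARGET_WINDOW_DBM):
    """Classify a survey reading of AP 2 taken at AP 1.

    'too_close': more overlap than needed (more co-channel contention);
    'too_far': a coverage hole opens before the next cell's -67 dBm border;
    'ok': inside the deck's -72 to -75 dBm window.
    """
    low, high = window
    if measured_ap2_at_ap1_dbm > high:
        return "too_close"
    if measured_ap2_at_ap1_dbm < low:
        return "too_far"
    return "ok"


def ap_power_dbm(worst_client_max_power_dbm):
    """"Half your worst client max power": halving power is -3 dB, so a
    client limited to 11 dBm means an AP power setting of 8 dBm."""
    return worst_client_max_power_dbm - 3


if __name__ == "__main__":
    # Constructed survey values for illustration.
    print("-50 dBm at d ->", rssi_at(-50, 1, 2), "dBm at 2d")
    print("AP 2 at AP 1, one plaster wall:", expected_ap2_at_ap1(walls=1), "dBm")
    print("survey reading -74 dBm:", check_spacing(-74))
    print("AP power for an 11 dBm client:", ap_power_dbm(11), "dBm")
```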
Strategically Position Your Transition APs
Strategically Position Your Transition APs
[Figure: at point A the phone is connected to AP 1]
Avoid Ping Pong Zones
Ping Pong zone recipe:
Set overlap along pacing path
Let user head force the roam
Next-Gen Office Design Goals
[Figure: campus network layers: Access, Distribution, Core]
High Availability SSO
A direct physical connection between Active and Standby Redundant Ports or Layer 2 connectivity is required to provide stateful redundancy within or across datacenters.
[Figure: Active and Standby WLC3504 controllers, each uplinked over a port-channel (Po 1, Po 2) trunk, with their Redundant Ports connected]
Next-Gen Wireless Office Goal:
Best Practices Audit
Best Practices Audit
Add Ignored Best Practices
8.5
http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Optimizing_WiFi_Connectivity_and_Prioritizing_Business_Apps.pdf
http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Enterprise_Best_Practices_for_Apple_Devices_on_Cisco_Wireless_LAN.pdf
Access Point Provisioning with PnP
[Figure: Day 0, the PnP Server provisions each AP with PID, Serial #, Hostname, WLC IP address, AP Mode and Flex Group name]
Next-Gen Wireless Office Goal: Self-Optimizing RF Network
[Figure: building blocks of the self-optimizing RF network: RF Optimized Connectivity, XOR Radio (5 GHz / 2.4 GHz, serving or monitor), ClientLink 4.0, Optimized Roaming, RX-SOP, FRA, Flex DFS, Load Balancing, RF Profiles, DBS, Band Select]
XOR Radio and FRA
[Figure: XOR radio modes. Default: 5 GHz serving + 2.4 GHz serving, with FRA-auto (default value) or manual assignment; Auto: the 2.4 GHz radio moves to 5 GHz serving or to Monitor mode; it transitions back to 2.4 GHz serving if coverage drops]
Optimize Wi-Fi with CleanAir
Quickly Identify and Mitigate Wi-Fi Impacting Interference
• Interference on 20/40/80/160 MHz
• Air Quality and Interference by AP/radio on WLC
• AQ Threshold trap and Interference Device trap (per radio)
• CleanAir-enabled RRM
• Network Air Quality and Interference Location with PI 3.1.x and MSE 8.0
[Figure: per-channel Air Quality view, e.g. Channel 48]
Better Support for Users on the Move
Optimized Roaming
Better Client Connectivity
RXSOP, Load Balancing, Band Select
Fine-tuning HDX with RF Profiles
[Figure: pre-canned RF Profiles group Client Distribution, Data Rates, Optimized Roaming, Dynamic Bandwidth Selection, RX-SOP, DCA, TPC, CHDM, Profile Threshold for Traps, Event Driven RRM and FlexDFS; High Density Features: CleanAir, ClientLink 4.0, Turbo Performance]
RF & RRM: Disable lower .11b Data Rates, Limit SSIDs
Wireless > 802.11b/g/n > Network
Management frames sent at lowest mandatory rate - slows down the entire cell
RF design recommendations
Apple client device should observe a minimum of 2 APs with an RSSI measurement of -67 dBm
Standard Density Data Rates
Wireless > 802.11a/n/ac > Network
• Channel Utilization < 40%
• Client SNR >= 25 dB
• 802.11 retransmissions < 15%
• Packet Loss < 1%
• Jitter < 100 ms
Endeavour @NVIDIA, Santa Clara
• 4K Video @100 Mbps, all day every day
• 560 AP3800s across 500,000 sq feet
• 2 WLC8540s in HA
• All APs connect to CAT 4500 series switches with mGig and UPOE
Live speed test in one of the conference rooms during our visit: DL: 407 Mbps, UL: 395 Mbps
Next-Gen Wireless Office Goal: Seamless connectivity
Cisco and Apple Optimized Roaming: 802.11k, 802.11v are on by default
[Figure: a client roaming between a Non-Cisco AP and a Cisco AP]
Adaptive 11r/k/v
Features enabled by default on a newly created SSID
Roaming Performance: 10x Better end-user Browsing and App Experience
[Chart: Time (s)* to roam between Cisco APs]
*Without a profile, all applications are whitelisted by default in a Fast Lane cell
**Fast Lane does NOT override apps QoS; it either allows the app QoS or applies BE
[Figure: Fast Lane QoS settings: QoS Profile Voice, Trust, AutoQoS, Better EDCA]
Fast Lane
• Enabling Fast Lane:
• Sets the WLAN for Platinum
• Sets WMM to Required
• Platinum profile sets Max Priority to voice (UP 6), non-WMM and multicast to BE, 802.1p disabled, bandwidth contracts disabled
• EDCA profile is set to Fast Lane
Fast Lane delivers a reliable voice experience even in a congested environment
• In a congested environment, one voice packet is sent every 20 ms
• We measure the actual interval between voice packets in the upstream direction
Cisco Apple Analytics
Release 8.5
Cisco Apple Wireless Features Journey
AireOS 8.3, 8.3 MR1 Phase 1, iOS 10.0+
QoS Optimizations
• Fastlane: business-relevant applications prioritized; Upstream QoS for iOS 10 clients, prioritization available
Roaming Optimizations
• Adaptive 802.11r: Fast Transition is enabled automatically on iOS and Mac OS
• Auto 802.11k/v: 11k/v are enabled by default and optimized to provide 'best next AP'
• 11k neighbor map: the iOS 11 client sends a list of relevant neighbor APs upon joining the cell
MacOS Optimizations
• Fastlane on Mac OS 10.13 and later
Analytics
• Disconnection reason: the iOS 11 client tells us why it disconnects
• Identity: the iOS client tells us who it is (model, iOS version)
How does the client see the network?
The infrastructure does not know why this AP was chosen, because the infrastructure does not know how the client saw the network.
[Figure: the client's view of one candidate AP: BSSID bb:bb:cc:dd:ee:ff, Channel 52, Signal -72 dBm]
How does the Network see the device
This is who I am
Why did the Client go away?
Where can I see this Reason Code on WLC? On the client detail page in the controller UI ("Why I disassociated last", Reason Code).
Reasons for disassociation: DHCP Failed, EAP Timed out, 802.1x Failed, Device Idle, Captive Portal security Failed, Decryption Failed, Interface Disabled, User-Triggered Disassociation
How can we use this Reason Code?
• Help other clients in the same location if there is an RF issue
• Collect data to understand patterns (where clients go, etc)
An Example – Cisco Bedfont Lakes Roaming points
An Example – Cisco Bedfont Lakes
Security and Threat Mitigation
• User segmentation and end to end policy enforcement
• Secure BYOD and guest access
• Detection and mitigation of Rogues and interferers
[Figure: Security and Threat Mitigation controls (802.1x, TKIP vs WPA2/AES Encryption, P2P Blocking) leading to Lower Risk]
Next-Gen Wireless Office Goal: Simplified Security
Simplified and Consistent Access governed by TrustSec
[Figure: Employee, Supplier and Non-Compliant endpoints on VLAN Data-1 and VLAN Data-2 each carry an Employee, Supplier or Non-Compliant Tag toward the Data Center]
Role Based Segmentation governed by TrustSec
[Figure: ISE assigns an Employee Tag or a Supplier Tag; Employee and Supplier traffic crosses the Enterprise Backbone to the Data Center carrying its tag]
CleanAir Spectrum Intelligence
• Enhanced Local Mode Access Point: 7 x 24 on the client serving channel, on 2.4 GHz and 5 GHz (serving channel with brief off-channel dwells): GOOD
• Monitor Mode Access Point: 7 x 24 on all channels on 2.4 GHz and 5 GHz (Ch1, Ch2 … Ch11; Ch36, Ch38 … Ch157, Ch161): BETTER
• ELM with FRA Wireless Security Monitoring: 7 x 24 on all channels on 2.4 GHz and 5 GHz while the 5 GHz radio keeps serving clients (serving channel with off-channel dwells on 5 GHz; the 2.4 GHz / 5 GHz XOR radio scans Ch1 … Ch11 and Ch36 … Ch161): BEST
Rogue Detection and Mitigation
Rogue Classification and Containment
• Rogue Rules
• Manual Classification – Friendly/Malicious
• Manual and Auto Containment
CleanAir with Rogue AP Types
• Wi-Fi Invalid Channel
• Wi-Fi Inverted
Rogue Location
• Real-time with PI, MSE, CleanAir
• Location of Rogue APs and Clients, Ad-hoc Rogue, Non-Wi-Fi interferers
Best Practice Recommendation:
• Set Rogue Detection Security Level to "low"
• Set Detection threshold to <= -75 dB
[Figure: scan timing per AP type. FRA with MM data serving AP: serves clients on the dedicated 5 GHz radio with 50 ms off-channel dwells while the other radio scans 1.2 s per channel on 2.4 GHz; data serving AP: serves clients on 5 GHz with 50 ms off-channel dwells; Monitor Mode AP: scans 1.2 s per channel]
Next-Gen Wireless Office Goal: Category-based filtering
Content-based filtering and segmentation
• The easy-to-use, cloud-delivered administration console enables you to quickly set up, manage, and test different acceptable user policies.
• Quickly create exceptions to allow or block specific domains, regardless of whether it is in a category that is allowed or blocked.
• Customize category-based filtering to meet each network's specific needs: per network, AP group, user, device or IP address, giving you greater control of your organization's Internet usage.
• View security activity in real time with globally aggregated reports.
• Schedule and send these reports to your inbox.
[Figure: the Identity Server returns attributes (Contractor or Corp, Guest); the Contractor Policy or the Employee Policy is applied accordingly]
Location Based Cisco Umbrella Policy
Cisco Umbrella Profile Mapping in AP Group
[Figure: Corporate HQ mapped to the Corporate Policy, Branch Office mapped to the Branch Policy]
Enterprise SSID Security and Segmentation
Category-Based Filtering Based on Umbrella Policy
Role Based Access Control Based on Scalable Group Tags and SGACLs
[Figure: Marketing, Sales and Contractors authenticate with 802.1x across the Enterprise Backbone; the SGACL matrix shows which of Marketing, Sales and Contractors may reach the Server]
• Simple Operations
• Increased demand for IoT devices
• Identity security without 802.1x
• High Scale
• Cost Effective
Cisco Advantage: Highly scalable identity PSK solution designed for a large multi controller network
Identity PSK
✓ PSK WLAN
✓ AAA Override
[Figure: IoT devices (IoT Sensors, IoT Lighting, Smart Devices; a sensor with no PSK) join through the Access Point and the Wireless LAN Controller; ISE returns Cisco-AVPair attributes, e.g. Cisco-AVPair += "psk-mode=ascii", Cisco-AVPair += "psk=xxyyzz" or Cisco-AVPair += "psk=aabbcc"; each device lands in VLAN 10 or 20 with SGT 4, 5 or 6 toward the Enterprise Backbone]
Device          PSK      VLAN ID   Policy   SGT   Policy
IOT Lighting    aabbcc   10        PERMIT   4     PERMIT
IOT Sensors     eeffgg   10        PERMIT   5     DENY
Smart Devices   xxyyzz   20        DENY     6     DENY
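The Identity PSK flow on the slide above, as an added example (not Cisco or ISE code): an in-memory stand-in for ISE answers a MAC lookup with the two Cisco-AVPair values shown on the slide (psk-mode=ascii, psk=...) plus the VLAN and SGT carried as plain fields (an assumption; the slide does not show ISE's attribute encoding for those), and the WLC admits a client only when the key it joined with matches the key returned for its MAC, then reads the slide's permit/deny table. The MAC addresses, the SSID IOT-IPSK and the function names are constructed.

```python
"""Identity PSK admission and policy lookup, modelled on the Identity PSK slide.

Added example, not Cisco or ISE code. It simulates the AAA-override flow on
the slide: the WLC queries a constructed in-memory ISE for the joining MAC,
ISE answers with Cisco-AVPair "psk-mode=ascii" and "psk=<key>" plus a VLAN
and SGT (plain fields here, an assumption), and the WLC admits the client
only if the key it used matches the key returned for that device. PSK,
VLAN, SGT and permit/deny values come from the slide; everything else
(MACs, SSID, names) is constructed.
"""
import hashlib
import hmac

# Constructed ISE device table; PSK, VLAN and SGT values are the slide's.
ISE_DEVICE_TABLE = {
    "00:11:22:aa:bb:01": {"name": "IOT Lighting",  "psk": "aabbcc", "vlan": 10, "sgt": 4},
    "00:11:22:aa:bb:02": {"name": "IOT Sensors",   "psk": "eeffgg", "vlan": 10, "sgt": 5},
    "00:11:22:aa:bb:03": {"name": "Smart Devices", "psk": "xxyyzz", "vlan": 20, "sgt": 6},
}
# The slide's two permit/deny columns, read here as a per-VLAN and a per-SGT policy.
VLAN_POLICY = {10: "PERMIT", 20: "DENY"}
SGT_POLICY = {4: "PERMIT", 5: "DENY", 6: "DENY"}


def ise_authorize(mac):
    """Constructed ISE reply for a MAC: Cisco-AVPair list plus VLAN/SGT, or None if unknown."""
    entry = ISE_DEVICE_TABLE.get(mac.lower())
    if entry is None:
        return None
    return {"Cisco-AVPair": ["psk-mode=ascii", f"psk={entry['psk']}"],
            "vlan": entry["vlan"], "sgt": entry["sgt"]}


def parse_avpairs(avpairs):
    """Split 'key=value' Cisco-AVPair strings; require psk-mode=ascii and a psk."""
    attrs = {}
    for pair in avpairs:
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed Cisco-AVPair: {pair!r}")
        attrs[key] = value
    if attrs.get("psk-mode") != "ascii" or not attrs.get("psk"):
        raise ValueError("AAA override carries no usable identity PSK")
    return attrs


def derive_pmk(psk, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(psk, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def wlc_admit(mac, client_psk, ssid="IOT-IPSK"):
    """WLC decision for a joining client.

    Returns {"result": "accept", "vlan", "sgt", "vlan_policy", "sgt_policy"}
    or {"result": "reject", "reason"}. Comparing the two PMKs stands in for
    the MIC check of the 4-way handshake, which is where a wrong key fails:
    a key leaked from one device class does not admit another device.
    """
    reply = ise_authorize(mac)
    if reply is None:
        return {"result": "reject", "reason": "unknown device: no PSK for this MAC"}
    attrs = parse_avpairs(reply["Cisco-AVPair"])
    expected = derive_pmk(attrs["psk"], ssid)
    offered = derive_pmk(client_psk, ssid)
    if not hmac.compare_digest(expected, offered):
        return {"result": "reject", "reason": "PSK does not match this device's identity PSK"}
    return {"result": "accept", "vlan": reply["vlan"], "sgt": reply["sgt"],
            "vlan_policy": VLAN_POLICY[reply["vlan"]], "sgt_policy": SGT_POLICY[reply["sgt"]]}


if __name__ == "__main__":
    print(wlc_admit("00:11:22:aa:bb:01", "aabbcc"))   # lighting with its own key: accept
    print(wlc_admit("00:11:22:aa:bb:02", "aabbcc"))   # sensor using the lighting key: reject
    print(wlc_admit("00:11:22:aa:bb:99", "aabbcc"))   # MAC unknown to ISE: reject
```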
How Not to do #hotel #WiFi #Security
Source: https://badfi.com/bad-fi/
Security Best Practice: Enable 802.1x auth on WLAN and AP
Wireless > Access Points > Global Configuration
WLANs > Edit 'WLAN_NAME' > Security
Deployment Lifecycle
The Bigger Picture
Introducing DNA Center
Realizing the vision of the intent-powered intuitive network
• Policy: Translate business intent into network policy
• Automation: Reduce manual operations and cost associated with human errors
• Assurance and Analytics: Use context to turn data into intelligence
• Troubleshoot: Find root cause faster with granular details
• Insights: See problems before your end users do
Sensor (Client Testing): AP/Sensors (e.g. 1815 with XOR radio, 5 GHz and 2.4 GHz) act as clients
On-Boarding Tests
• 802.11 Association
• 802.11 Authentication & Key Exchange
• IP Addressing DHCP (IPv4)
Network tests
• DNS (IPv4)
• RADIUS (IPv4)
Related sessions:
• BRKEWN-3033: DNA Assurance – deep dive, Wednesday Jan 31, 4:30pm – 6:00pm with Jerome Henry
• BRKEWN-2032: DNA Assurance: bring intelligence to your WLAN issues, Tuesday Jan 30, 4.30 pm with Jeremy Cohoe
Workspace Analytics
Making Buildings Smarter
Workspace Optimization
Lower Real-estate costs
Cisco Portfolio for Next-Gen Wireless Workspace
DNA ready Wireless Controller Portfolio
[Table: access point portfolio by segment (Large Enterprise; Mid-size Enterprise; Indoor / High-powered; Indoor Wall Plate / Teleworker; StadiumVision). Radios: 2x2:2SS 80 MHz (867 Mbps), 3x3:2SS 80 MHz (867 Mbps), 4x4:3SS 80 MHz (1.7 Gbps), 4x4:3SS 160 MHz (5 Gbps). Features: Tx Beam Forming; 1 GE or 2 GE uplink, or 1 GE + 1 mGig (5G); USB 2.0; Integrated BLE Gateway; CleanAir and ClientLink; Internal or External Antenna; 2.4 and 5 GHz or Dual 5 GHz; Smart Antenna Connector; 3 GE local ports including 1 PoE out; local ports 802.1x ready; max transmit power (dBm) per local regulations; Investment Proof Modularity]
BEST PRACTICES (AireOS)
INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• FlexConnect Groups and Smart AP Upgrade
SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advance EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable Wi-Fi Direct
• Peer-to-peer blocking
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers
WIRELESS / RF
• Disable Aironet IE
• Disable 802.11b data rates
• Restrict number of WLAN below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
For Your Reference
VoD Links
• Cisco CMX Solution https://www.youtube.com/watch?v=KQRb8vfU0qM
• CMX Hyperlocation vs RSSI Demo https://www.youtube.com/watch?v=6ls7EHbSK4A
• Cisco Dual 5GHz Wi-Fi https://www.youtube.com/watch?v=mbpjiETvDXc
• Cisco Aironet AP-3800 RF Excellence https://www.youtube.com/watch?v=dBpGsTKeyNM&t=64s
• Digital Network Architecture with Wave2 with 802.11ac https://www.youtube.com/watch?v=ySjN13hPhXY&t=2s
• Cisco Aironet Series – Flexible Radio Assignment https://www.youtube.com/watch?v=K_-BykT_YIM
• Fastlane App Demo https://www.youtube.com/watch?v=N1QMUcv3aRQ
• Cisco APIC-EM Wireless PnP Demo https://www.youtube.com/watch?v=_9P2-bU66PU
• Cisco Aironet Plug and Play Cloud Redirection https://www.youtube.com/watch?v=W7fBZ6xfSxw
• Wireless LAN Controller Dashboard Review https://www.youtube.com/watch?v=af09TBaafRI&feature=youtu.be
• Cisco Wireless Mobile App https://www.youtube.com/watch?v=HyvZ4mbVAWs
• WLC Advanced UI Client Troubleshooting https://www.youtube.com/watch?v=dZVxI6jOx_Q
Click - https://www.youtube.com/user/CiscoWLAN/
For Your Reference
Cisco Wireless LAN Documentation
INSTALLATION GUIDES
• 5520 WLC
• 8540 WLC
• AP1570
• AP1810 OE
• AP1810W Wall Plate
• AP1850
• AP2700/3700
• AP2800/3800
• AP702W
• APIC-EM Wireless AP PnP
• Flex7500 WLC
• Mesh APs
• Mobility Express
• Smart Licensing
• Univ. AP Regulatory Domain
• Virtual WLC
RADIO CONFIGURATION
• 802.11r BSS Fast Transition
• Adaptive wIPS
• ATF Ph 1 & 2
• CleanAir
• CMX FastLocate
• High Density
• Rogue Management
• RRM RF Grouping Algorithm
• RRM White Paper
CLIENT ADDRESSING
• Bi-Directional Rate Limiting
• Flex AP-EoGRE Tunnel Gtwy
• IPv6
• Jabber
• Jabber and UCM
• Microsoft Lync
• Passpoint Configuration
• Real-Time Traffic Over WLAN
• VideoStream
• Vocera IP Phone in WLAN
• VoWLAN Troubleshooting
POLICY ENGINE
• AVC
• Bonjour
• Chromecast
• Device Classification
• Domain Filtering
• mDNS Gateway w/Chromecast
• Wireless Device Profiling & Policy Classification
BEST PRACTICES
• Apple Devices
• Enterprise Mobility Design Guide
• High Availability (SSO)
• HyperLocation
• iPhone 6 Roaming
• N+1 High Availability
• WLAN Express
• WLC Configuration Best Practices
ENCRYPTION
• BYOD for FlexConnect
• BYOD with ISE
• Security Integration
Continue Your Education
• BRKEWN-2003 Optimize your WLANs for iPhones (and welcome other mobile devices too): 01/30/2018, Hall 8.0, Session Room 112, 16:45:00
• BRKEWN-2010 Design and Deployment of Enterprise WLANs: 01/30/2018, Hall 8.0, Session Room 101, 14:15:00
• BRKEWN-2017 Understanding RF Fundamentals and the Radio Design for 11ac Wireless Networks: 01/30/2018, Hall 8.0, Session Room 107, 11:15:00
• BRKEWN-2019 7 Ways to Fail as a Wireless Expert: 01/30/2018, Hall 8.0, Session Room 132, 11:15:00
• BRKEWN-2033 A Cloud-based Machine Learning / Analytics architecture for DNA (wireless/wired) Assurance: 01/31/2018, Hall 8.0, Session Room 137, 16:30:00
• BRKEWN-3014 Best practices to deploy high-availability in Wireless LAN Architectures: 01/31/2018, Hall 8.0, Session Room 112, 14:30:00
• BRKEWN-2012 Design and Use Cases of a location enabled Wi-Fi network supported by Connected Mobile Experiences (CMX): 02/01/2018, Hall 8.0, Session Room 106, 14:30:00
• BRKEWN-3010 Improve Enterprise WLAN Spectrum Quality with Cisco's advanced RF capacities (RRM, CleanAir, ClientLink, etc): 02/01/2018, Hall 8.0, Session Room 101, 09:00:00
• BRKEWN-2005 Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD: 02/01/2018, Hall 8.0, Session Room 139, 11:30:00
C isco Spark
Questions?
Use Cisco Spark to communicate with the speaker after the session
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Supplementary Material
Configurations and Setup Instructions
Optimized WiFi Connectivity
Configuration
Adaptive 11r
Feature enabled by default on a newly created SSID
• Even if 802.11r is not enabled on the WLAN, it is enabled for the WLAN for the Apple iOS 10 devices (adaptive 11r) by default:
Show wlan 3
…/…
Security
Adaptive 11r
• Adaptive 11r means that the WLAN security is set to WPA2 (NOT to static 802.11r, no need for "hybrid" mode either):
11k Configuration
• Feature enabled by default on a newly created SSID
• Dual-band neighbor list selectively enabled for Apple devices that support the Adaptive capability
11v Configuration
• 802.11v features are enabled by default on a newly created SSID
FastLane Feature Configuration
Fast lane on WLC
• Enabled from the QoS tab of WLAN configuration
• Enabling the first WLAN for Fastlane also enables AutoQoS (best QoS config) globally
• Application Visibility is semi-independent
Fast lane
• Enabling Fastlane:
• Configures best QoS globally
• Sets the WLAN for Platinum
• Sets WMM to Required
• (Notice AV is still disabled)
Fast lane
• Enabling Fastlane enables best QoS config globally:
• Platinum profile sets Max Priority to voice (UP 6), non-WMM and multicast to BE, 802.1p disabled, bandwidth contracts disabled
• EDCA profile is set to Fastlane
Fast lane
• Enabling Fastlane enables best QoS config globally:
• ACM is enabled on both bands (load-based), with max RF bandwidth 50% and roaming bandwidth 6%
• Expedited bandwidth is enabled
Fast lane
• Enabling Fastlane enables best QoS config globally:
• DSCP is trusted upstream (instead of UP)
• DSCP to UP map is configured as per IETF recommendations ("well-known" DSCP values mapped to IETF-recommended values, "unexpected" DSCP values mapped to BE)
Fast lane
• When Fastlane is enabled on a WLAN, enabling AV automatically applies the AUTOQOS-AVC-PROFILE
Fast lane
• As long as Fastlane is enabled, you cannot (and should not) change the AVC
Profile (you can disable/enable AV, but not change the AVC profile)
Cisco Apple Partnership
Spark Collaboration
Additional Information
Many Ways to Communicate
Seamless Collaboration with Cisco Spark
• Meet anywhere and everywhere
• Always-on, secure team messaging and file sharing
• Integrated business phone with HD voice and video calling
Native Voice Experience
• New framework for integrated calling over IP
• Answer calls from the Lock screen
• Make voice or video calls from Contacts, Favorites, and Recents
• Make calls with Siri
• Switch seamlessly between VoIP and cellular calls
• Use connected headsets and accessories
Enterprise Voice Integration
• Users never miss a call
• Accelerated user onboarding
[Figure: Desk Phone]
Benefits of Voice and Collaboration
• Intuitive native user experience
• Extend existing investments to iOS devices and reduce calling costs
• Integrate into your existing telephony systems
• Expand collaboration tools beyond voice
Network PnP with Public Cloud Redirect
Setup Steps
Network PnP support Workflow: Cisco Cloud Redirect
[Figure: the AP reaches the Cisco Cloud Redirect Server over the Internet, then the PnP Server; the PnP Server uses a self signed SSL certificate]
1. DHCP Request: the DHCP server responds with IP, domain name and DNS server*
2. The device creates the pre-defined cloud redirect server name (devicehelper.cisco.com) and resolves it to an IP address
3. The device establishes communication with the Cloud Redirect Server: HTTP request with device serial number (UDI); the Cloud Redirect Server receives the UDI and sends the APIC-EM / WLC IP address
4. The PnP Agent initiates HTTP communication with the APIC-EM server and sends the device UDI: HTTP PnP work request with device serial number (UDI); the PnP Server receives the UDI and sends the server SSL certificate over HTTP
5. The PnP Agent installs a local trustpoint for the server SSL certificate
6. The PnP Agent initiates HTTPS communication with the server and sends the device UDI: HTTPS PnP work request with device serial number (UDI); the PnP Server receives the UDI and sends the AP configuration over HTTPS
Cisco Cloud Redirect Workflow
1. Go to https://software.cisco.com and login using Smart Account
2. Navigate to "Plug and Play Redirect Service" under Provisioning tab
3. Add Controller (WLC or APIC-EM) profile
4. Add Devices (Device details like SN, PID, Controller etc.)
5. Connect Device
6. Track Provisioning Status
Setting Up Controller Profile
Step 3 of the Cloud Redirect workflow: Add Controller (WLC or APIC-EM) profile.
Setting Up Device Profile – Access Points
Step 4 of the Cloud Redirect workflow: Add Devices (Device details like SN, PID, Controller etc.).
Provisioning status:
• AP Pending to connect to APIC-EM server
• AP Provisioned through APIC-EM server
Track Access Points on Controller
ISE 2.2 Xenia
Simplified Guest Workflow Configuration
Secure Guest in Few Steps
Easy Guest Hotspot Setup
Zero Touch WLC Config - Reference
Secure Wireless in Few Steps
ISE 2.2 Xenia
Simplified BYOD Workflow Configuration
Secure BYOD in Few Steps
Wireless TrustSec Configuration
Wireless TrustSec – How to Setup
Security Group Tags in ISE
Define SGTs under ‘Components’ section in TrustSec Work Center (ISE 2.0 and above)
Define WLC in the ‘Network Devices’
Configure parameters for TrustSec
In addition to the RADIUS secret, check ‘Advanced Trustsec Settings’ and ‘Use Device ID for Trustsec’, then type the device password.
Define authorization policies for Users and Devices
Configure Security Group ACLs
Configure SGACLs first so they can be referenced under the Egress policy later.
TrustSec WLAN Configuration
TrustSec Policy Downloaded on WLC
SG-ACL enforcement
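A model of the objects the TrustSec slides configure in ISE, added here as an example and not ISE or WLC code: Security Group Tags, an authorization policy that assigns an SGT to a session, named SGACLs defined before they are referenced, and the egress policy matrix that selects an SGACL per (source SGT, destination SGT) pair, evaluated the way the enforcement point does per packet. All tag numbers, group names, rules, session attributes and the default SGACL are constructed for the example.

```python
"""Model of TrustSec SGTs, authorization, SGACLs and egress enforcement.

Added example, not Cisco/ISE code. Tag values, policy rules and sample
sessions are constructed placeholders.
"""
from dataclasses import dataclass

# Security Group Tags (constructed numbers; 0 is the conventional "unknown" tag)
SGTS = {"Employees": 4, "Contractors": 5, "Guests": 6, "Servers": 10, "Unknown": 0}


@dataclass(frozen=True)
class Ace:
    """One access control entry inside an SGACL."""
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol, else "tcp"/"udp"
    dst_port: int = None     # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        return self.dst_port is None or self.dst_port == pkt["dst_port"]


# SGACLs are defined first so the egress policy can reference them by name
SGACLS = {
    "Permit_IP": [Ace("permit", "ip")],
    "Deny_IP": [Ace("deny", "ip")],
    "Web_Only": [Ace("permit", "tcp", 443), Ace("permit", "tcp", 80), Ace("deny", "ip")],
}

# Authorization policy: ordered rules on session attributes, first match assigns the SGT
AUTHZ_RULES = [
    (lambda s: s["auth"] == "dot1x" and s["group"] == "staff", "Employees"),
    (lambda s: s["auth"] == "dot1x" and s["group"] == "vendor", "Contractors"),
    (lambda s: s["auth"] == "guest-portal", "Guests"),
]


def authorize(session: dict) -> int:
    """Return the SGT for an authenticated session (Unknown if no rule matches)."""
    for cond, name in AUTHZ_RULES:
        if cond(session):
            return SGTS[name]
    return SGTS["Unknown"]


# Egress policy matrix: (source SGT, destination SGT) -> SGACL name
EGRESS = {
    (SGTS["Employees"], SGTS["Servers"]): "Permit_IP",
    (SGTS["Contractors"], SGTS["Servers"]): "Web_Only",
    (SGTS["Guests"], SGTS["Servers"]): "Deny_IP",
    (SGTS["Guests"], SGTS["Employees"]): "Deny_IP",
}
DEFAULT_SGACL = "Permit_IP"   # constructed; the real default is a deployment choice


def enforce(src_sgt: int, dst_sgt: int, pkt: dict):
    """SG-ACL enforcement: pick the SGACL from the matrix, walk its ACEs in order."""
    name = EGRESS.get((src_sgt, dst_sgt), DEFAULT_SGACL)
    for ace in SGACLS[name]:
        if ace.matches(pkt):
            return ace.action, name
    return "deny", name       # implicit deny when no ACE matches


def decide(session: dict, dst_sgt: int, pkt: dict):
    """End-to-end: authorize the session to an SGT, then enforce toward dst_sgt."""
    return enforce(authorize(session), dst_sgt, pkt)


if __name__ == "__main__":
    vendor = {"auth": "dot1x", "group": "vendor"}
    for pkt in ({"proto": "tcp", "dst_port": 443}, {"proto": "tcp", "dst_port": 22}):
        print("vendor -> Servers", pkt, decide(vendor, SGTS["Servers"], pkt))
```

The `Web_Only` SGACL ends with an explicit `deny ip` entry and `enforce` adds an implicit deny after the last ACE, so a pair that is present in the matrix only reaches `DEFAULT_SGACL` when no cell is defined for it; when reviewing a downloaded policy, the cells that fall through to the default are the ones to audit.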
OpenDNS configuration and setup
OpenDNS – Account Setup
OpenDNS - Profile Creation on WLC
1. Configure OpenDNS
2. Configure API Token
3. Create Profiles
4. Map Profile to WLAN/AP Group/Local Policy
Category Based Filtering on OpenDNS
OpenDNS Reporting – Security Overview
OpenDNS Reporting – Activity Search