D4C1S1 - SEVT Best Practices

Best Practices
Wireless LAN Controller based on Release 8.0
Felipe Amorim
feamorim@cisco.com
October 2014
Session Objectives
1
What is Best Practices?
WLC Config Analyzer
Cisco Active Advisor
4
5
Day0/Day1 Setup 2.0

Express WLAN Setup, Best Practices, RF Dashboard
Best Practices Recommendations

Infrastructure, RRM & RF, Security & BYOD, FlexConnect
2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Techniques or methods that are

superior to those achieved by other
means
Best Practices Evolve
Starting point and flexible
framework
Whats in it for me ?
Procedural Memorandums For More
Effective Living
Cisco Confidential
Make it Easy
Make it Easy
Day 0 Plan, Size

Product Guides
Data Sheets
CVD
Make it work
Day 1 Final Design, Configure, Deploy

Small Customers
May not pay for WLC,
MSE and PI OR
managing the network
Medium Customers
May not pay for RF
Planning or
Services
RF Capacity Planner
Hardware & Software
Advisor
Large Customers
Specialized IT team CCIEs focused on WLAN
Make it perform
Day 2 Live
Operate
Troubleshoot
Optimize
Monitor
Cisco Confidential
Make it Work
Make it Easy
New Innovations
addressing real
customer problems
WLAN Golden
Profiles
CVD Draft
Tweak DEFAULTS
Implement AUTO
Customer Feedback
Make it work (Quality)
Make it perform
QA Cycle
(System Profile)
Beta
Deployment Guide
CVD
Alignment with AS
Assurewave/CVD
(Solution Profile)
Config Tool
Self Check
Cisco Confidential
Make it Perform
Best Practices
Make it Easy
Make it work
Performance
Reliability
# of SSIDs ?
DFS channels ?
11ac ?
ClientLink ?
Bandselect & Smartroam
Is your network or AP
oversubscribed ?
What about your client
mix?
20/40/80 MHz?
High density of APs

ClientLink
Client SSO
CleanAir optimized ?
RRM turned on ?
Rogue APs in your
network ?
Make it perform
Service-Ready
11r, 11k and 11v
AVC
Videostream
Bonjour Gateway
CMX
Guest
Operational Efficiencies
Cisco Confidential
2013-2014
WIRELESS / RF
INFRASTRUCTURE
Make ititPerform
Make
perform
SECURITY
Makeititwork
Work
Make
Enable High Availability (AP and Client SSO)

Enable AP Failover Priority
Enable AP Multicast Mode
Enable Multicast VLAN
Enable Pre-image download
Enable AVC
Enable NetFlow
Enable Local Profiling (DHCP and HTTP)
Enable NTP
Modify the AP Re-transmit Parameters
Enable FastSSID change
Enable Per-user BW contracts
Enable Multicast Mobility
Enable Client Load balancing
Disable Aironet IE
FlexConnect Groups and Smart AP Upgrade
Set Bridge Group Name
Set Preferred Parent
Multiple Root APs in each BGN
Set Backhaul rate to "Auto"
Set Backhaul Channel Width to 40/80 MHz
Backhaul Link SNR > 25 dBm
Avoid DFS channels for Backhaul
External RADIUS server for Mesh MAC Authentication
Enable IDS
Cisco and/or its Enable
affiliates. All rights
EAPreserved.
Mesh Security Mode
MESH
BEST PRACTICES (AirOS)
Makeitit Easy
Easy
Make
For Your
Reference
Enable 802.1x and WPA/WPA2 on WLAN

Enable 802.1x authentication for AP
Change advance EAP timers
Enable SSH and disable telnet
Disable Management Over Wireless
Disable WiFi Direct
Secure Web Access (HTTPS)
Enable User Policies
Enable Client exclusion policies
Enable rogue policies and Rogue Detection RSSI
Strong password Policies
Enable IDS
BYOD Timers
Disable 802.11b data rates
Restrict number of WLAN below 4
Enable channel bonding 40 or 80 MHz
Enable BandSelect
Use RF Profiles and AP Groups
Enable RRM (DCA & TPC) to be auto
Enable Auto-RF group leader selection
Enable Cisco CleanAir and EDRRM
Enable Noise &Rogue Monitoring on all channels
Enable DFS channels
Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Cisco Confidential
Best Practice Adoption MTAB Customers

BP adoption among various MTAB customers (US and APJC)
Best Practices Compliance
79.41%
USF
76.47%
UBC
Cisco IT
69.12%
Melbourne
69.12%
66.18%
GT
64.71%
Weber
57.35%
Cognizant
55.88%
JHMI
36.76%
HCL
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
90.00%
Cisco Confidential
Best Practice Adoption on features MTAB Customers

ACL Enabled per WLAN
Client Exclusions Enabled
Telnet Disabled
SSH Enabled
89%
67%
67%
QoS Enabled WLAN

0%
0%
72%
89%
67%
0%
28%
28%
Client Load Balancing Enabled

Rogue Detection Enabled
100%
83%
100%
67%
CleanAir Enabled
78%
RRM Coverage Hole Detection
89%
100%
100%
100%
100%
RRM TPC - Auto

44%
RF Profiles
NTP Server
11%
AVC Visibility
WLAN Security Type
Channel Width (20/40/80)
78%
67%
0%
89%
61%
61%
Rogue AP List
89% DOES. !
ITS NOT WHAT THE SOFTWARE
61%
ITS WHAT THE
USER DOES.!
22%
2.4 Low Data Rates Disabled

2013-2014 Cisco and/or its affiliates. All rights
0%reserved.
72%
89%
20%
40%
60%
80%
100%
Cisco Confidential
120%
Cisco Wireless LAN Controller Configuration Best Practices

Document View Count
Cisco Confidential
10
Developed by
Javier Contreras
Technical Lead, ENG SW Wireless Escalation
Cisco Confidential
11
WLC Config Analyzer Incorporating Best Practices
Simplify operational use to quickly target and mitigate problem areas.
Drive adoption of best practices and feature implementation.
Strengthen customers security, network health and configuration

robustness.
Effectively, show customer trend, with measurable improvement of metrics

over time.
Version 3.6 will be posted end of this week
https://supportforums.cisco.com/document/7711/wlc-config-analyzer
Cisco Confidential
12
WLC Config Analyzer Deployment types

Addressing BP and features
based on deployment
Voice
Security
Flex
Mesh
Enterprise*
BYOD*
*Coming Soon !
Cisco Confidential
13
WLC Config Analyzer Per Controller Compliance
Best Practices categorized

into
General
AP
Mobility
RF
Security
Voice
Mesh
Flex
Per-Controller Compliance
Level for Each category
Total/Passed/Failed checks
0-40%
Red
41-80%
Yellow
81-100%
Green
Cisco Confidential
14
WLC Config Analyzer Best Practices detail
Individual Best Practice

knob compliance (Yes/ No)
0-40%
Red
41-80%
Yellow
81-100%
Green
Overall Compliance per

category
Cisco Confidential
15
WLC Config Analyzer All Controllers
Best Practices Compliance across controllers in the same Config Set #
Average across controllers for each category
Cisco Confidential
16
WLC Config Analyzer Site Summary Messages
Best Practices is NOT Config

Errors or Design decisions
It is - Works without but works

much better with
Verbose BP messages under

Global Messages and AP
Messages
Best practice messages
Cisco Confidential
17
WLC Config Analyzer Global Messages & AP Messages
Message
Severity
Color Coding
Error
( Critical )
Red
Warning
( Highly
Recommended)
Light Yellow
Informational
( Good to Have )
Light Blue
Message Category
Meaning
Config Error
Bad Configuration
Parsing Error
Error on File Processing
Informational
Informational messages
Best Practices
Compliance Checks
Cisco Confidential
18
Cisco Confidential
19
Why use Cisco Active Advisor?

Dimension Data Network Barometer Report, June 2014*
51%
Of All Network Devices are

Now Aging or Obsolete
#1 Recommendation from the report:
Have an accurate
inventory of your network
Most Networks are NOT Ready for

Enterprise Mobility Trends
Plan the steps from your

as-is state to your to-be
state
*http://www.dimensiondata.com/Global/Global-Microsites/NetworkBarometer/Pages/
Home.aspx (Requires Registration)
Cisco Confidential
20
Introducing Cisco Active Advisor
Free, cloud based service
Agentless nothing to download
It provides customers:
Security Advisories (PSIRTs)

End-of-life & End-of-support dates
Warranty & service contract status
Personalized device health score*
Accessible at:
www.CiscoActiveAdvisor.com
* Roadmap For Cisco Wireless Controllers. To be Launched Mid November 2014

Cisco Confidential
21
Health Score and Recommendations
* Roadmap For Cisco Wireless Controllers. To be Launched Mid November 2014

Cisco Confidential
22
3 Reasons for Cisco Active Advisor

Customer Benefits
Reduce Risk
Save Time & Money
Improve
Automated discovery of:

Software that has security
vulnerabilities (PSIRTs)
Free, cloud-based service

Automatically takes an inventory
of your Cisco network
End-of-life & unsupported

products
Expired service contracts
Covers 500+ part numbers

(Cisco switches, routers, wireless
controllers and access points),
with more being added
Personalized device health score

Compare your wireless network
configuration to Ciscos
recommended best practices
Expected to be available soon
for Ciscos wireless controllers
Cisco Confidential
23
User-First
Cisco Confidential
24
Day0/Day1 Setup Overview

User-First
Day0/Day1 Setup Phase 1.0
Day0/Day1 Setup Phase 2.0
Release 7.6MR2 and 8.0
Release 8.1
WLAN express setup on 2504 only
Extended to 5508, 7510, 8510, vWLC, WiSM2*
Some best practice features enabled as

part of WLAN express setup
New Best Practice defaults introduced

Pre-built Network and RF Profiles
Monitoring Dashboard Top Access

Points, Top Application, Top Client
Devices etc.
RF Dashboard Access Point Performance,

Client Performance charts
*WiSM2 does not support WLAN express setup and best

practice defaults
Cisco Confidential
25
For Your
Reference
Day0/Day1 Setup Best Practices

Previous best practices extended to all WLC controllers
Feature
7.6 MR2, 8.0

(2504)
8.1
AVC Visibility
Yes
Yes( 2504 only)
mDNS Snooping
Yes
Yes
New MDNS Prole for printer, h<p
Yes
Yes
Local Proling
Yes
Yes
Band Select
Yes
Yes
DHCP Proxy
Yes
Yes
Secure Web access
Yes
Yes
Virtual IP 192.0.2.1
Yes
Yes (congurable)
RRM-DCA Auto
Yes
Yes
RRM-TPC Auto
Yes
Yes
CleanAir Enabled
Yes
Yes
EDRRM Enabled
Yes
Yes
Channel Width 40 MHz
Yes
Yes
Aironet IE Disabled
Yes
Yes
Management over Wireless
Yes
No
User-First
Cisco Confidential
26
For Your
Reference

New Best Practices Introduced
Feature
7.6 MR2, 8.0

(2504)
8.1
No
Yes (High, typical Density)
Load Balancing
No
Yes (High Density)
Rogue Threshold Enabled
No
Yes
Client Exclusion Enabled
No
Yes
FastSSID Enabled
No
Yes
Infra MFP
No
Yes
MulTcast Forwarding Mode
No
Yes
SNMPv3 (delete default)
No
Yes
Mobility Name
No
Yes ( congurable )
RF Group same as Mobility Name
No
Yes
DHCP Required on Guest WLAN
No
Yes
5 GHz Channel Bonding
No
Yes
User-First
Cisco Confidential
27
WLAN Express Setup

7.6 MR2, 8.0
7.6 MR2, 8.0
8.1
New
Cisco Confidential
28
Network Profiles GUI

Sets pre-defined RF parameters depending on Client Density and Traffic
Type
Client Density : High,
Typical, Low
Traffic Type : Data, Data

and Voice
Cisco Confidential
29
For Your
Reference
Day0/Day1 Network Profiles

Dependency
Typical
(Enterprise default profile)
High Density
(Throughput)
Low Density
(Coverage
Open Space)
Legacy
(if disabled RF
opt)
TPC
Threshold
Global per band

Specific RF Profile per
band
default
TPC Min
Global per band

band
default
7 dBm
default
default
TPC Max
Global per band

band
default
default
default
default
default
Medium
low
default
Global per band

Rx Sensitivity
(Advanced Rx Sop)
(rxsop)
RF profiles
-65 dBm (5GHz) -60 dBm (5GHz)

-70 dBm(2.4GHz) -65 dBm(2.4 GHz)
default
Coverage
RSSI
Threshold
Global per band

data and voice RSSI in
(Coverage)
RF Profile
default
default
Higher
default
CCA
Threshold
Global per band

802.11 a only (hidden)
RF Profile
default
default
default
default
Cisco Confidential
30
For Your
Reference
Day0/Day1 Network Profiles

Dependency
Typical
(Enterprise default
profile)
High Density
(Throughput)
Low Density
(Coverage
Open Space)
Legacy
(if disabled RF
opt)
Coverage
Client
Count
Global Per band

(Coverage Exception)
RF Profiles (Coverage
Hole Detection)
default
default
Lower
(1-3)
default
Data Rates
Global per band

(network)
RF Profiles
12 Mbps
mandatory
9 supported
1,2, 5.5, 6, 11
Mbps disable
12 Mbps
mandatory
9 supported
1,2, 5.5, 6, 11
Mbps disable
CCK rates
enable
1,2, 5.5, 6,
9,11,12 Mbps
enable
default
Band Select
Per WLAN basis
Enable
Enabled
Disable
Enable
Global per band (Clean Air )

Global per band (DCA)
Global per band
(802.11a/802.11b channel)
Enable
Disable
Enable
Per WLAN basis
Disable
Enabled
Disable
Disable
default
High
High
default
default
default
default
default
SI
ED-RRM
PDA
Load
Balancing
DCA
Sensitivity
Channel
Global per band (DCA)

RF Profiles
Enable
Disable
Enable
Enable
Disable
Enable
Enable
Disable
Enable
Cisco Confidential
31
Network Profiles CLI

(Cisco Controller) >show network profile current!
!
Profile Configured............................ Typical Deployment with Data traffic!
*Power Threshold (802.11a)...................... -75!
Minimum Power Level (802.11a)................... -10!
Maximum Power Level (802.11a)................... 30!
Rx Sop Threshold (802.11a)...................... Auto!
CCA Threshold (802.11a)......................... 0!
Data RSSI Threshold (802.11a)................... -80!
Voice RSSI Threshold (802.11a).................. -80!
!
* indicates that original configured value has been modified by the user.!
!
(Cisco Controller) >show network profile details!
!
No Profile is Configured at this time.!
These Values will be configured for each of the profiles.!
!
Parameter Low Density Typical High Density !
------------------------------------------------- -------------- -------------- ---------------!
Power Threshold (802.11a) -60 -70 -65 !
Minimum Power Level (802.11a) -10 -10 7 !
Maximum Power Level (802.11a) 30 30 30 !
Rx Sop Threshold (802.11a) Low Auto Medium !
CCA Threshold 0 0 0 !
Data RSSI Threshold (802.11a) -90 -80 -80 !
Voice RSSI Threshold (802.11a) -90 -80 -80 !
Coverage Client Count (802.11a) 2 3 3 !
2013-2014
Cisco and/or its affiliates.
CleanAir
(802.11a)
All rights
reserved.
Enabled Enabled Enabled !
Cisco Confidential
32
Pre-built RF profiles
Client Density specific pre-built RF profiles for 2.4 GHz and 5GHz Bands to be used
with AP Groups
Pre-built RF profiles for

use with AP Groups
Cisco Confidential
33
Monitoring Dashboard
Wireless Networks
Access Points
Active Clients
Rogues
Interferers
Top Access Points
Top Applications
Health Summary
Top Client Devices
Cisco Confidential
34
RF Dashboard - Expected 8.1 FCS
Cisco Confidential
35
Monitoring Dashboard App
Cisco Confidential
36
HTTP Code Download
Download code from local machine via HTTP

Cisco Confidential
37
Config Analyzer Best Practice Compliance with Express WLAN Setup
7.6 MR2 without

Express WLAN Setup
8.1 with Express WLAN

Setup
Cisco Confidential
38
Make it Easy
Make it work
Make it perform
2013-2014
SECURITY
WIRELESS / RF
INFRASTRUCTURE

Enable AVC
Enable NetFlow
Enable NTP
Disable Aironet IE

Enable IDS
Mesh Security Mode
affiliates. AllEAP
rights reserved.
MESH
Best Practices Recommendations
For Your
Reference

Disable WiFi Direct
Peer-to-peer blocking
Enable IDS
BYOD Timers
Enable BandSelect
Enable DFS channels
Avoid Cisco AP Load
Cisco Confidential
39
Cisco Confidential
40
INFRASTRUCTURE
Infrastructure Best Practices

Enable AVC
Enable NetFlow
Enable NTP
Disable Aironet IE
Cisco Confidential
41
Infrastructure: Enable High Availability (AP & Client SSO)

A direct physical connection between Active and Standby Redundant Ports or Layer 2 connectivity is required
to provide stateful redundancy within or across datacenters
Sub-second failover and zero SSID outage
Cisco Confidential
42
Infrastructure: Enable High Availability (AP&Client SSO)

Controller Redundancy Global Configuration
Primary WLC
Backup WLC
Both AP and Client SSO reduce the network downtime in wireless networks
Cisco Confidential
43
Infrastructure: Enable AP Failover Priority
Wireless Access Points Global Configurations
Wireless Access Points All APs->AP_NAME High Availability
Allows certain APs to be assigned higher WLC join priorities, so they are given preference while
joining a WLC
Cisco Confidential
44
Infrastructure: Enable AP Multicast mode

Controller General AP Multicast Mode
User-First
Unique across WLCs and not

clashing with other protocols
Network infrastructure must provide multicast routing between the management

interface subnet and the AP sub-network.
Cisco Confidential
Forward multicast traffic to Access Points instead of sending unicast messages to each individual
AP
45
Infrastructure: Multicast VLAN for Interface Groups

WLANs WLAN Name General
VLAN1
Network
VLAN2 (mcast_vlan)
VLAN3
VLAN4
Interface group
To limit the multicast on the air to a single copy on a predefined multicast VLAN
Cisco Confidential
46
Infrastructure: Enable Pre-image download

Wireless Global Configurations AP Image Pre-download
Allows for less network downtime during software updates
Cisco Confidential
47
Infrastructure: Enable AVC

Wireless Application Visibility and Control AVC Profiles
User-First
Enable Application
Visibility
Add per
application rules
Classifies applications, provides real-time analysis, and allows users to drop or mark
data. Per-user, per-device granularity for control
Cisco Confidential
48
Infrastructure: Enable NetFlow in your WLC

Wireless Netflow Exporter Create New
Wireless Netflow Monitor New
Netflow export to Cisco Prime or third party network management tool
Cisco Confidential
49
Infrastructure: Enable Local Profiling

WLANs Edit WLAN_NAME Advanced
User-First
Client devices can be profiled based on their manufacturer and operating system
Cisco Confidential
50
Infrastructure: Enable NTP

Controller NTP Keys
Controller NTP Server
If NTP requires
authentication, first
add key
Synchronizes the time among all devices on the network including Access Point and
Controller as we have X.509 certificates installed in AP and WLC, Context-aware and
location services, MFP, Debugging
Cisco Confidential
51
Infrastructure: Modify the AP Re-transmit Parameters

Wireless Access Points Global Configuration
Number of times the AP will

try to join the WLC (3-8)
Number of seconds to wait

before rejoining (2-5sec)
Allows user to customize the way APs attempt to join a WLC.

Increase count and interval for larger latency links like FlexConnect and satellite links
Cisco Confidential
52
Infrastructure: Enable Fast SSID change

Controller General
User-First
Allows clients to move faster between SSIDs, by not clearing the client entry
Cisco Confidential
53
Infrastructure: Enable per-user bandwidth contract

WLANs Edit WLAN_NAME QoS
Limit data rates for Guest

and Contractor accounts
Enforces limits on non-mission critical clients
Cisco Confidential
54
Infrastructure: Enable Multicast Mobility for mobility domains

Controller General
Controller Multicast
Allows clients to announce messages to all mobility peers, instead of individual WLCs, benefiting
time, CPU usage, and network utilization. Multicast routing between controllers
Cisco Confidential
55
Infrastructure: Enable Client Load Balancing

WLANs Edit WLAN-NAME Advanced
User-First
Client Window Size 1-20

Maximum Denial Count 0-10
Balances the number of clients connect to a WLAN between multiple APs

Not suitable for Voice and single AP deployments like hotspots
Cisco Confidential
56
Infrastructure : Disable Aironet IE

User-First
Aironet IE 0x85 in beacons and

probe responses
AP name, load, client count etc.
Controller sends Aironet IEs 0x85

and 0x95 in the reassociation
response if it receives Aironet IE
0x85 in the reassociation request
Management IP address of WLC
IP address of AP
Can cause compatibility issues with some types of wireless clients

Enable for WGB and Cisco voice. Optional for CCX based clients
Cisco Confidential
57
Infrastructure: Same Virtual IP if same mobility name

User-First
Controller Interfaces virtual
Mobility Group
192.0.2.1
192.0.2.1
Inter-controller roaming can appear to work, but the hand-off does not complete and the
client loses connectivity when DHCP renew is performed if DHCP proxy enabled
Cisco Confidential
58
Cisco Confidential
59
RRM / RF
RF & RRM Best Practices

Enable BandSelect
Enable DFS channels
Avoid Cisco AP Load
Cisco Confidential
60
RF & RRM: Disabling .11b Data Rates

Wireless 802.11b/g/n Network
User-First
Management frames sent at lowest mandatory rate - slows down the entire cell
Cisco Confidential
61
RF & RRM: Disabling .11b Data Rates

Demonstrating the impact of 802.11b data rates on Channel Utilization
1 Mbps Mandatory : Channel Utilization 67%

6 Mbps Mandatory : Channel Utilization 23%
https://cisco.app.box.com/s/rzn20idytq2zedxigcei
Cisco Confidential
62
RF & RRM: Restrict Number of WLANs below 4

WLANs WLANs
Each SSID needs a separate probe response and beaconing, the more SSIDs the less
RF space available for real data traffic
Cisco Confidential
63
RF & RRM: Enable Channel Bonding 40 or 80 MHz

Wireless 802.11a/n/ac RRM DCA
User-First
40/80MHz wide channels in the 5GHz space can 2x/4x the amount of user data than can be
transmitted. For extreme HD deployments use 20 MHz channels to keep cell size small
Cisco Confidential
64
RF & RRM: Enable Client Band Select

User-First
Allows dual-band clients to move to the less congested 5GHz band

Not recommended for Voice deployments
Cisco Confidential
65
RF & RRM: RF Profiles
RF Profiles work in Conjunction with AP Groups (beginning in release 7.2)
You can create separate RF profiles for both 2.4 and 5 GHz
1 profile for each band (802.11a/802.11b) can be assigned to an AP group
Today
802.11 data rates

TPC Power Threshold and Min max Power settings
DCA
Coverage hole algorithm settings
High Density HDX configurations RX_SOP, Client Limit, Mcast data rate
Client Distribution
More granular control of the RF network
Cisco Confidential
66
RF Profiles : Granular Control
TPC, DCA, Coverage Hole

Data Rates
High Density
Load Balancing
Cisco Confidential
67
67
RF & RRM: Use AP Groups

WLAN Advanced AP Groups
Ability to enable Wi-Fi Services and segregation of traffic based on physical location
Cisco Confidential
68
RF & RRM: Enable RRM (DCA) to be auto

Wireless 802.11a/n/ac or 802.11b/g/n RRM DCA
User-First
Allows RRM to automatically select the best channel for each radio
DCA defaults work for typical carpeted offices
Cisco Confidential
69
RF & RRM: Enable Cisco EDRRM

User-First
Sensitivity threshold
recommended to Medium
EDRRM triggers RRM to run when an access point detects a certain level of interference
Cisco Confidential
70
RF & RRM: RF Group Leader must be an .11ac WLC (Release 7.5+)

in RF Groups with mixed versions
If the RF Group Leader does not support 802.11ac (Release 7.5+), APs in the RF Group
cannot select 80MHz channel widths
Cisco Confidential
71
RF & RRM: Enable RRM (TPC) to be auto

Wireless 802.11a/n/ac or 802.11b/g/n RRM TPC
User-First
Recommended to use
TPCv1
Allows RRM to automatically select the best transmit power for each radio
Tune RRM parameters with Network and pre-built RF profiles
Cisco Confidential
72
RF & RRM: Enable Cisco CleanAir

Wireless 802.11a/n/ac or 802.11b/g/n CleanAir
User-First
97
100
63
90
20
35
Enable CleanAir on both

radio bands
CleanAir identifies non-WIFI interferers and generates interferer and air quality reports
Cisco Confidential
73
RF & RRM: Enable Noise & Rogue Monitoring channels

Wireless 802.11a/n/ac or 802.11b/g/n RRM General
Scan All Channels for security, DCA Channels for performance
Cisco Confidential
74
RF & RRM: Enable DFS channels

Increase the number of channels in 5GHz band.

4-12 additional channels based on regulatory
domain
Allows more 5GHz channels (only in regulatory domains that support UNII-2 Extended).
Please note that some clients do not support DFS channels
Cisco Confidential
75
RF & RRM : Avoid Cisco AP Load

Wireless 802.11b/g/n RRM DCA
To avoid frequent changes in DCA due to varying Load conditions
Cisco Confidential
76
Cisco Confidential
77
SECURITY
Security & BYOD Best Practices

Disable WiFi Direct
Enable IDS
BYOD Timers
Cisco Confidential
78
Security : Enable 802.1x authentications on WLAN

WLANs Edit WLAN_NAME Security
Provides greater network security on WLAN using 802.1x authentication
Cisco Confidential
79
Security: Enable 802.1x authentications for AP

Wireless Access Points Global Configurations
To enable 802.1X authentication on a switch port, on the switch CLI, enter

these commands:!
Switch# configure terminal !
Switch(config)# dot1x system-auth-control !
Switch(config)# aaa new-model !
Switch(config)# aaa authentication dot1x default group radius !
Switch(config)# radius-server host ip_addr auth-port port acct-port port
key key !
Switch(config)# interface fastethernet2/1 !
Switch(config-if)# switchport mode access !
Switch(config-if)# dot1x pae authenticator !
Switch(config-if)# dot1x port-control auto !
Switch(config-if)# end !
!
Provides greater network security by enabling 802.1x on the switch port where AP is
connected. Not supported for Mesh deployments
Cisco Confidential
80
Security: Enable SSH and Disable Telnet

Management TelnetSSH
Disable Telnet and enable SSH as the default option
0 implies no sessions
will be allowed
Provides greater security by allowing secure access and denying unencrypted access
Cisco Confidential
81
Security: Disable Management Over Wireless

Management Mgmt Via Wireless
Disallow management of the Controller via Wireless
User-First
Cisco Confidential
82
Security : Disable WiFi Direct

WLANs WLAN Name Advanced
Unauthorized Devices
Corporate
Laptop
Corporate
WLAN
Prevent security hole if the device is connected to both the infrastructure and a
Personal Area Network (PAN) at the same time. Will break Android devices
Cisco Confidential
83
Security: Secure Web Access ( HTTPS )

Management HTTP-HTTPS
Provides greater security by allowing secure access
User-First
Cisco Confidential
84
Security: Enable User Login Policies

Security AAA User Login Policies
Range is between 0 8.
Zero indicates no limit
Prevent login attacks by restricting the numbers the users who can use the same login
credentials between 1 - 5
Cisco Confidential
85
Security: Enable Client Exclusion Policies

Security Wireless Protection Policies Client Exclusion Policies
User-First
Enable exclusion policies to prevent the network from Assoc/Auth failure attacks.
Disable for Voice deployments
Cisco Confidential
86
Security: Enable Strong Password Policies

Security AAA Password Policies
Enable strong user and AP password policies on the controller

Minimum password length of 8 is recommended
Cisco Confidential
87
Security: Enable Rogue Policies

Security Wireless Protection Policies Rogue Policies
User-First
General High
Friendly
Malicious
The Rogue Detection Security Level should be set at a minimum to High
Cisco Confidential
88
Security: Set Rogue Detection RSSI

Security Wireless Protection Policies Rogue Policies General
Set Rogue Detection Minimum Threshold to -70 to -75 dBm
Cisco Confidential
89
Security: Enable IDS Signatures

Security Wireless Protection Policies Standard Signatures
Enable the wireless IDS features in the controller and enable 17 built-in features to avoid
intrusion attacks
Cisco Confidential
90
Security : Enable CPU ACLs

Security Access Control Lists CPU Access Control Lists
Control overall access to the WLC by filtering management protocols such as SSH,
SNMP, etc such that they can only hit the CPU if they originate from our management
networks
Cisco Confidential
91
BYOD: Radius Timeout >=5 sec

Security AAA RADIUS Authentication
To prevent pre-mature failover since the default of 2 seconds is generally low for ISE as ISE relies on backend
databases
for
user
lookups
and group fetches. Too high causes queue issues on WLC
92
Cisco Confidential
2013-2014 Cisco
and/or
its affiliates.
All rights reserved.
BYOD: Client Idle Timeout

For networks where users stay largely within the coverage area the setting can be
increased to 3600 seconds for an SSID running 802.1x or RADIUS NAC against ISE.
Cisco Confidential
93
BYOD: Client Exclusion

180 seconds is the recommended default with ISE though 60 seconds is the WLC
default. The reason behind this is the minimum reject interval on ISE for miss-configured
supplicant detection is 5 minutes or 300 seconds
Cisco Confidential
94
BYOD: Session Timeout

Longer is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535
seconds for open/CWA SSIDs, shorter is better from security point of view.
Cisco Confidential
95
BYOD: EAPoL and EAP Request Timeout

WLANs WLAN Name Security AAA Servers
Recommended EAPoL-Key Timeout < 1000 ms and EAPoL-Key Max Retries <= 2
Recommeded EAP Request timeout <30 sec ( 10 sec ) and EAP Max Retries =<2
Cisco Confidential
96
BYOD: Disable Interim Accounting

WLANs WLAN Name Security AAA Servers
Interim accounting adds additional unneeded load with no added benefit to ISE.
Cisco Confidential
97
BYOD : Disable Aggressive Failover
config radius aggressive-failover disable command to disable the

aggressive failover feature
show radius summary to check the status of this feature
Only fails over to the next AAA server if there are three consecutive
clients that fail to receive a response from the RADIUS server
In some circumstances it can cause the WLC to pre-maturely mark ISE dead in times of
high load and cause additional load on ISE
Cisco Confidential
98
BYOD : Set RADIUS Fallback Passive

Security AAA RADIUS Fallback
The WLC can be configured to check if

the primary server is available and
switch back to the primary RADIUS
server once it is available.
Recommended to configure RADIUS Fallback Mode to Passive
Cisco Confidential
99
Cisco Confidential
100
FLEX
CONNECT
FlexConnect Best Practices
Enable FlexConnect Groups

CCKM/OKC Key sharing, consistent WLAN mappings
Enable Smart AP Image Upgrade
Cisco Confidential
101
FlexConnect: Enable FlexConnect Groups

Wireless FlexConnect Groups Edit Groupname
Central Site
WAN
Allow users to assign specific APs to groups with set configurations, OKC/CCKM key
caching for Voice, Local RADIUS server configuration, consistent WLAN mappings
Cisco Confidential
102
FlexConnect: Enable FlexConnect AP Upgrade

Wireless Flexconnect Groups Edit Groupname Image Upgrade Tab
New
Wireless Control
System
Wireless LAN
Controller
WAN
Master AP
Avoids downloading multiple copies of the Access Point software over the slow WAN link to the
remote site, reduces service downtime and reduces risk of download failure
Cisco Confidential
103
Cisco Confidential
104
MESH
Mesh Best Practices

Enable IDS
Enable EAP Mesh Security Mode
Cisco Confidential
105
Mesh : Set Bridge Group Name ( BGN )

Wireless All APs AP Name Mesh Bridge Group Name
Enables mesh APs to join pre-determined Bridge Groups using the BGN
Cisco Confidential
106
Mesh : Set Preferred Parent

Wireless All APs AP Name Mesh Preferred Parent
Ability to influence how the mesh network is created
Cisco Confidential
107
Mesh : Multiple Root APs in each BGN

Wireless All APs AP Name Mesh
Provides redundancy if a Root AP goes offline
Cisco Confidential
108
Mesh : Set Backhaul Rate to auto

Wireless All APs AP Name Mesh Bridge Data Rate
Allow the backhaul data rate to change dynamically as the quality of the link fluctuates
Cisco Confidential
109
Mesh : Set Backhaul Channel width to 40/80 MHz

Wireless Access Points Radios 802.11a/n/ac Configure
Maximize backhaul speeds
Cisco Confidential
110
Mesh : Backhaul Link SNR > 25

show mesh path CLI states the Link-SNR
To avoid poor backhaul links that lead to poor overall mesh performance
Cisco Confidential
111
Mesh : Avoid DFS channels for Backhaul

Wireless Access Points Radios 802.11a/n/ac Configure
Minimizes the number of backhaul channel changes due to radar events

Only applies to US Regulatory Domain
Cisco Confidential
112
Mesh : External RADIUS server for Mesh MAC Authentication

Wireless Mesh
Improves the ease of manageability and debugging
Cisco Confidential
113
Mesh : Enable Mesh IDS

Wireless Mesh
Additional security by monitoring the wireless network for un-wanted rogue access
points or potential wireless attackers
Cisco Confidential
114
Mesh : Enable EAP Mesh Security Mode

Wireless Mesh
More security method for encrypting wireless data
Cisco Confidential
115
DEPLOY
Cisco Confidential
116
2013-2014
SECURITY
WIRELESS / RF
INFRASTRUCTURE

Enable AVC
Enable NetFlow
Enable NTP
Disable Aironet IE

Enable IDS
Mesh Security Mode
affiliates. AllEAP
rights reserved.
OUTDOOR
Make it Easy
Make it work
Make it perform
Best Practices
Recommendations
Summary
Disable WiFi Direct
Enable IDS
BYOD Timers
Enable BandSelect
Enable DFS channels
Avoid Cisco AP Load
Cisco Confidential
117
For Your
Reference

Previous best practices extended to all WLC controllers
Feature
7.6 MR2, 8.0

(2504)
8.1
AVC Visibility
Yes
Yes( 2504 only)
mDNS Snooping
Yes
Yes
New MDNS Prole for printer, h<p
Yes
Yes
Local Proling
Yes
Yes
Band Select
Yes
Yes
DHCP Proxy
Yes
Yes
Secure Web access
Yes
Yes
Virtual IP 192.0.2.1
Yes
Yes (congurable)
RRM-DCA Auto
Yes
Yes
RRM-DCA Auto
Yes
Yes
CleanAir Enabled
Yes
Yes
EDRRM Enabled
Yes
Yes
Channel Width 40 MHz
Yes
Yes
Aironet IE Disabled
Yes
Yes
Management over Wireless
Yes
No
Cisco Confidential
118
For Your
Reference

New Best Practices Introduced
Feature
7.6 MR2, 8.0

(2504)
8.1
No
Yes (Network prole)
Load Balancing
No
Yes (Network prole)
Rogue Threshold Enabled
No
Yes
Client Exclusion Enabled
No
Yes
FastSSID Enabled
No
Yes
Infra MFP
No
Yes
MulTcast Forwarding Mode
No
Yes
SNMPv3 (delete default)
No
Yes
Mobility Name
No
Yes
RF Group same as Mobility Name
No
Yes
DHCP Required on Guest WLAN
No
Yes
5 GHz Channel Bonding
No
Yes
Cisco Confidential
119
Config Analyzer Best Practice Compliance with Express WLAN Setup
7.6 MR2 without

Express WLAN Setup
8.1 with Express WLAN

Setup
Cisco Confidential
120
Documentation
Cisco Wireless LAN Controller Configuration Best Practiceshttp://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
AP3700 Deployment Guide - http://www.cisco.com/en/US/partner/docs/wireless/technology/apdeploy/7.6/Cisco_Aironet_3700AP.html
AP3600, 2600, 1600 Deployment Guide : http://www.cisco.com/en/US/partner/docs/wireless/technology/apdeploy/Cisco_Aironet.html
Virtual WLC Deployment Guide http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml
HA Deployment Guide http://www.cisco.com/en/US/partner/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
Flex 7500 Deployment Guide http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
Wireless Bi-Directional Rate Limiting Deployment Guide :
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3900.shtml
WLC8500 Deployment Guide: http://www.cisco.com/en/US/products/ps12722/products_tech_note09186a0080bd6504.shtml
WiSM-2 : http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bb2500.shtml
Bonjour Deployment Guide :
http://www.cisco.com/en/US/docs/wireless/technology/bonjour/7.5/Bonjour_Gateway_Phase-2_WLC_software_release_7.5.html
Wireless Device Profiling and Policy Classification Engine on WLC, Release 7.5
http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/NativeProfiling75.html
MSE Virtual Appliance Deployment Guide : http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml
IPv6 Deployment Guide http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml
VLAN Select Deployment Guide :
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml
Enterprise Best Practices for Apple Mobile Devices on Cisco Wireless LANs
http://www.cisco.com/en/US/docs/wireless/technology/vowlan/bestpractices/EntBP-AppMobDevs-on-Wlans.html
Cisco WLAN Passpoint Configuration Guide : //www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/Hotspot_057.html
Cisco Confidential
121
121
Thank you.

D4C1S1 - SEVT Best Practices

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

D4C1S1 - SEVT Best Practices

Uploaded by

Copyright:

Available Formats

Best Practices

Wireless LAN Controller based on Release 8.0

What is Best Practices?

WLC Config Analyzer

Cisco Active Advisor

Day0/Day1 Setup 2.0

Best Practices Recommendations

2013-2014 Cisco and/or its affiliates. All rights reserved.

Techniques or methods that are

2013-2014 Cisco and/or its affiliates. All rights reserved.

Day 0 Plan, Size

Day 1 Final Design, Configure, Deploy

Make it work (Quality)

High density of APs

Enable High Availability (AP and Client SSO)

BEST PRACTICES (AirOS)

Enable 802.1x and WPA/WPA2 on WLAN

Best Practice Adoption MTAB Customers

2013-2014 Cisco and/or its affiliates. All rights reserved.

Best Practice Adoption on features MTAB Customers

QoS Enabled WLAN

Client Load Balancing Enabled

RRM Coverage Hole Detection

RRM TPC - Auto

2.4 Low Data Rates Disabled

Cisco Wireless LAN Controller Configuration Best Practices

Document View Count

2013-2014 Cisco and/or its affiliates. All rights reserved.

2013-2014 Cisco and/or its affiliates. All rights reserved.

WLC Config Analyzer Incorporating Best Practices

Simplify operational use to quickly target and mitigate problem areas.

Drive adoption of best practices and feature implementation.

Strengthen customers security, network health and configuration

Effectively, show customer trend, with measurable improvement of metrics

Version 3.6 will be posted end of this week

2013-2014 Cisco and/or its affiliates. All rights reserved.

WLC Config Analyzer Deployment types

WLC Config Analyzer Per Controller Compliance

Best Practices categorized

2013-2014 Cisco and/or its affiliates. All rights reserved.

WLC Config Analyzer Best Practices detail

Individual Best Practice

Overall Compliance per

2013-2014 Cisco and/or its affiliates. All rights reserved.

WLC Config Analyzer All Controllers

Best Practices Compliance across controllers in the same Config Set #

Average across controllers for each category

2013-2014 Cisco and/or its affiliates. All rights reserved.

WLC Config Analyzer Site Summary Messages

Best Practices is NOT Config

It is - Works without but works

Verbose BP messages under

2013-2014 Cisco and/or its affiliates. All rights reserved.

Best practice messages

WLC Config Analyzer Global Messages & AP Messages

2013-2014 Cisco and/or its affiliates. All rights reserved.

Error on File Processing

2013-2014 Cisco and/or its affiliates. All rights reserved.

Why use Cisco Active Advisor?

Of All Network Devices are

#1 Recommendation from the report:

Most Networks are NOT Ready for

Plan the steps from your