Felipe Amorim
feamorim@cisco.com
October 2014
Session Objectives
Make it Easy / Make it Work / Make it Perform
Medium customers: may not pay for RF planning or services. Tools: RF Capacity Planner, Hardware & Software Advisor.
Large customers: specialized IT team, CCIEs focused on WLAN. Day 2 Live: operate, troubleshoot, optimize, monitor.
2013-2014 Cisco and/or its affiliates. All rights reserved.
Make it Work / Make it Easy / Make it Perform: development flow
New innovations addressing real customer problems
WLAN Golden Profiles, CVD Draft: tweak DEFAULTS, implement AUTO
Customer Feedback
QA Cycle (System Profile), Beta
Deployment Guide, CVD, alignment with AS, Assurewave/CVD (Solution Profile)
Config Tool, Self Check
Make it Perform: Best Practices (Make it Easy, Make it Work, Make it Perform)
Performance and reliability questions: number of SSIDs? DFS channels? 11ac? ClientLink? Band Select and Smart Roam? Is your network or AP oversubscribed? What about your client mix? 20/40/80 MHz channel width?
Service-ready features: 11r, 11k and 11v; AVC; VideoStream; Bonjour Gateway; CMX; Guest; operational efficiencies
Best practice areas: Wireless / RF, Infrastructure, Security, Mesh (Make it Perform, Make it Work, Make it Easy)
For Your Reference: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
[Bar chart: per-customer network percentages for USF, UBC, Cisco IT, Melbourne, GT, Weber, Cognizant, JHMI and HCL, ranging from 36.76% to 76.47%; axis 0.00% to 90.00%]
[Bar chart: percentage of customer networks with each feature configured: CleanAir Enabled, RF Profiles, NTP Server, AVC Visibility, WLAN Security Type, Channel Width (20/40/80), Rogue AP List; values from 0% to 100%]
It's not what the software does, it's what the user does!
Developed by Javier Contreras, Technical Lead, ENG SW Wireless Escalation
https://supportforums.cisco.com/document/7711/wlc-config-analyzer
Profiles: Voice, Security, Flex, Mesh, Enterprise*, BYOD*
*Coming Soon!
Categories: General, AP, Mobility, RF, Security, Voice, Mesh, Flex
Per-controller compliance level for each category: Total/Passed/Failed checks
0-40%: Red
41-80%: Yellow
81-100%: Green
Message severity and color coding:
Error (Critical): Red
Warning (Highly Recommended): Light Yellow
Informational (Good to Have): Light Blue
Message category and meaning:
Config Error: bad configuration
Parsing Error
Informational: informational messages
Best Practices: compliance checks
51%: have an accurate inventory of your network*
*http://www.dimensiondata.com/Global/Global-Microsites/NetworkBarometer/Pages/Home.aspx (Requires Registration)
It provides customers:
Accessible at: www.CiscoActiveAdvisor.com
Reduce Risk
Improve
User-First
Release 8.1
For Your Reference: Release 8.1
AVC Visibility: Yes
mDNS Snooping: Yes, Yes, Yes, Yes
Local Profiling: Yes, Yes
Band Select: Yes, Yes
DHCP Proxy: Yes, Yes, Yes, Yes
Virtual IP 192.0.2.1: Yes, Yes (configurable)
RRM-DCA Auto: Yes, Yes
RRM-TPC Auto: Yes, Yes
CleanAir Enabled: Yes, Yes
EDRRM Enabled: Yes, Yes, Yes, Yes
Aironet IE Disabled: Yes, Yes, Yes, No
For Your Reference: Release 8.1 (continued)
(row label not extracted): No
Load Balancing: No, No, Yes, No, Yes
FastSSID Enabled: No, Yes
Infra MFP: No, Yes, No, Yes, No, Yes
Mobility Name: No, Yes (configurable), No, Yes, No, Yes, No, Yes
8.1
New
For Your Reference: pre-built RF profile settings
Columns: Typical (Enterprise default profile) | High Density (Throughput) | Low Density (Coverage, Open Space) | Legacy (if disabled RF opt)
TPC Threshold: default
TPC Min: default | 7 dBm | default | default
TPC Max: default | default | default | default | default
(row label not extracted): Medium | low | default | default
Coverage RSSI Threshold: default | default | Higher | default
CCA Threshold: default | default | default | default
For Your Reference: pre-built RF profile settings (continued)
Columns: Typical (Enterprise default profile) | High Density (Throughput) | Low Density (Coverage, Open Space) | Legacy (if disabled RF opt)
Coverage Client Count: default | default | Lower (1-3) | default
Data Rates: 12 Mbps mandatory, 9 supported, 1, 2, 5.5, 6, 11 Mbps disabled | 12 Mbps mandatory, 9 supported, 1, 2, 5.5, 6, 11 Mbps disabled | CCK rates enabled, 1, 2, 5.5, 6, 9, 11, 12 Mbps enabled | default
Band Select, SI, ED-RRM, PDA, Load Balancing, DCA Sensitivity, Channel: [cell values extracted out of order and not assignable to rows and columns; as extracted: Enable, Enabled, Disable, Enable, Enable, Disable, Enable, Disable, Enabled, Disable, Disable; default, High, High, default, default, default, default, default; Enable, Disable, Enable, Enable, Disable, Enable, Enable, Disable, Enable]
Pre-built RF profiles
Client-density-specific pre-built RF profiles for the 2.4 GHz and 5 GHz bands, to be used with AP Groups.
Monitoring Dashboard
Wireless Networks, Access Points, Active Clients, Rogues, Interferers
Top Access Points, Top Applications, Health Summary, Top Client Devices
Best practice areas: Security, Wireless / RF, Infrastructure, Mesh (Make it Easy, Make it Work, Make it Perform)
For Your Reference: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html

INFRASTRUCTURE
Primary WLC / Backup WLC: both AP and Client SSO reduce network downtime in wireless networks.
Allows certain APs to be assigned higher WLC join priorities, so they are given preference while joining a WLC.
Interface group (VLAN1, VLAN2 (mcast_vlan), VLAN3, VLAN4): limits multicast on the air to a single copy on a predefined multicast VLAN.
Enable Application Visibility; add per-application rules. Classifies applications, provides real-time analysis, and allows users to drop or mark data, with per-user, per-device granularity for control.
Client devices can be profiled based on their manufacturer and operating system.
NTP synchronizes time among all devices on the network, including access points and the controller. This matters because X.509 certificates are installed on the APs and the WLC, and for context-aware and location services, MFP and debugging.
Allows clients to move faster between SSIDs by not clearing the client entry.
Controller Multicast: allows clients to announce messages to all mobility peers instead of to individual WLCs, benefiting time, CPU usage and network utilization. Multicast routing between controllers.
Mobility Group (virtual IP 192.0.2.1 on each controller): inter-controller roaming can appear to work, but the hand-off does not complete and the client loses connectivity when a DHCP renew is performed, if DHCP proxy is enabled.

RRM / RF
Management frames are sent at the lowest mandatory rate, which slows down the entire cell.
https://cisco.app.box.com/s/rzn20idytq2zedxigcei
Each SSID needs its own probe responses and beacons; the more SSIDs, the less RF space is available for real data traffic.
40/80 MHz wide channels in the 5 GHz band can carry 2x/4x the amount of user data that can be transmitted. For extreme HD deployments, use 20 MHz channels to keep the cell size small.
Today: you can create separate RF profiles for both 2.4 and 5 GHz.
AP Groups (High Density, Load Balancing): ability to enable Wi-Fi services and segregation of traffic based on physical location.
DCA allows RRM to automatically select the best channel for each radio; DCA defaults work for typical carpeted offices.
EDRRM triggers RRM to run when an access point detects a certain level of interference; the sensitivity threshold is recommended to be Medium.
If the RF Group Leader does not support 802.11ac (Release 7.5+), APs in the RF Group cannot select 80 MHz channel widths.
TPC allows RRM to automatically select the best transmit power for each radio; recommended to use TPCv1. Tune RRM parameters with network and pre-built RF profiles.
CleanAir identifies non-Wi-Fi interferers and generates interferer and air quality reports.
DFS allows more 5 GHz channels (only in regulatory domains that support UNII-2 Extended). Please note that some clients do not support DFS channels.

SECURITY
Provides greater network security by enabling 802.1x on the switch port where the AP is connected. Not supported for Mesh deployments.
Provides greater security by allowing secure access and denying unencrypted access. A session value of 0 implies no sessions will be allowed.
Unauthorized devices / corporate laptop / corporate WLAN: prevents a security hole if the device is connected to both the infrastructure and a Personal Area Network (PAN) at the same time. Will break Android devices.
Range is between 0 and 8; zero indicates no limit. Prevents login attacks by restricting the number of users who can use the same login credentials to between 1 and 5.
Enable exclusion policies to protect the network from Assoc/Auth failure attacks. Disable for Voice deployments.
Rogue policies: General / High; Friendly / Malicious.
Enable the wireless IDS features in the controller and enable the 17 built-in features to avoid intrusion attacks.
Control overall access to the WLC by filtering management protocols such as SSH and SNMP so that they can only reach the CPU if they originate from our management networks.
To prevent premature failover, since the default of 2 seconds is generally low for ISE, as ISE relies on backend databases for user lookups and group fetches. Too high a value causes queue issues on the WLC.
For networks where users stay largely within the coverage area, the setting can be increased to 3600 seconds for an SSID running 802.1x or RADIUS NAC against ISE.
180 seconds is the recommended default with ISE, though 60 seconds is the WLC default. The reason is that the minimum reject interval on ISE for misconfigured supplicant detection is 5 minutes (300 seconds).
Longer is better for AAA load, up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs; shorter is better from a security point of view.
Recommended EAPoL-Key Timeout < 1000 ms and EAPoL-Key Max Retries <= 2.
Recommended EAP Request Timeout < 30 sec (10 sec) and EAP Max Retries <= 2.
Interim accounting adds unneeded load with no added benefit to ISE.
Only fails over to the next AAA server if three consecutive clients fail to receive a response from the RADIUS server. In some circumstances this can cause the WLC to prematurely mark ISE dead in times of high load and put additional load on ISE.

FLEX CONNECT
Allows users to assign specific APs to groups with set configurations, OKC/CCKM key caching for Voice, local RADIUS server configuration, and consistent WLAN mappings.
New: Wireless Control System / Wireless LAN Controller / WAN / Master AP
Avoids downloading multiple copies of the access point software over the slow WAN link to the remote site, reduces service downtime and reduces the risk of download failure.

MESH
Enables mesh APs to join pre-determined Bridge Groups using the BGN.
Allows the backhaul data rate to change dynamically as the quality of the link fluctuates.
To avoid poor backhaul links that lead to poor overall mesh performance.
Additional security by monitoring the wireless network for unwanted rogue access points or potential wireless attackers.

DEPLOY
Best Practices Recommendations Summary (Security, Wireless / RF, Infrastructure, Outdoor; Make it Easy, Make it Work, Make it Perform)
Enable 802.1x and WPA/WPA2 on WLAN
Enable 802.1x authentication for AP
Change advanced EAP timers
Enable SSH and disable telnet
Disable Management Over Wireless
Disable Wi-Fi Direct
Peer-to-peer blocking
Secure Web Access (HTTPS)
Enable User Policies
Enable client exclusion policies
Enable rogue policies and Rogue Detection RSSI
Strong password policies
Enable IDS
BYOD timers
Disable 802.11b data rates
Restrict number of WLANs to below 4
Enable channel bonding, 40 or 80 MHz
Enable Band Select
Use RF Profiles and AP Groups
Enable RRM (DCA & TPC) to be auto
Enable auto RF group leader selection
Enable Cisco CleanAir and EDRRM
Enable Noise & Rogue Monitoring on all channels
Enable DFS channels
Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
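The per-category scoring described earlier (Total/Passed/Failed checks mapped to 0-40% Red, 41-80% Yellow, 81-100% Green), the Error/Warning/Informational message legend and the recommendations in this summary can be combined into a small compliance checker. The Python script below is an added illustration written for this page; it is not the WLC Config Analyzer or any other Cisco code. The configuration dictionary keys, the check names and the sample controller configuration are assumptions constructed for the example; the thresholds themselves (EAPoL-Key timeout under 1000 ms with at most 2 retries, EAP request timeout under 30 s with at most 2 retries, fewer than 4 WLANs, 802.11b rates disabled, SSH on and telnet off, RRM DCA/TPC auto, CleanAir, ED-RRM, DFS, Band Select, an NTP server, 1-5 concurrent logins per credential) are the ones stated in the deck.

```python
"""Toy WLC best-practice compliance checker (added example, not Cisco code).

Scores each category by passed/total checks and maps the percentage to the
Red / Yellow / Green bands used by the analyzer described on the page.
The config dictionary layout is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Severity -> colour, as in the analyzer's message legend on the page.
SEVERITY_COLOUR = {"Error": "Red", "Warning": "Light Yellow", "Informational": "Light Blue"}


@dataclass(frozen=True)
class Check:
    category: str                      # one of the page's categories (General, RF, Security, ...)
    name: str
    severity: str                      # Error (Critical) / Warning (Highly Recommended) / Informational (Good to Have)
    passes: Callable[[dict], bool]     # returns True when the config satisfies the recommendation


# Checks derived from the deck's recommendations; the config keys are assumed names.
CHECKS: List[Check] = [
    Check("General", "NTP server configured", "Error", lambda c: bool(c["ntp_servers"])),
    Check("Security", "Telnet disabled", "Error", lambda c: not c["telnet"]),
    Check("Security", "SSH enabled", "Error", lambda c: c["ssh"]),
    Check("Security", "Management over wireless disabled", "Warning", lambda c: not c["mgmt_over_wireless"]),
    Check("Security", "Client exclusion policies enabled", "Warning", lambda c: c["client_exclusion"]),
    Check("Security", "EAPoL-Key timeout < 1000 ms", "Warning", lambda c: c["eapol_key_timeout_ms"] < 1000),
    Check("Security", "EAPoL-Key max retries <= 2", "Warning", lambda c: c["eapol_key_max_retries"] <= 2),
    Check("Security", "EAP request timeout < 30 s", "Warning", lambda c: c["eap_request_timeout_s"] < 30),
    Check("Security", "EAP max retries <= 2", "Warning", lambda c: c["eap_max_retries"] <= 2),
    Check("Security", "Max concurrent logins per user between 1 and 5", "Warning",
          lambda c: 1 <= c["max_user_logins"] <= 5),
    Check("RF", "Fewer than 4 WLANs", "Warning", lambda c: len(c["wlans"]) < 4),
    # 802.11b rates are 1, 2, 5.5 and 11 Mbps; none of them may be enabled.
    Check("RF", "802.11b data rates disabled", "Warning",
          lambda c: not (set(c["enabled_24ghz_rates_mbps"]) & {1, 2, 5.5, 11})),
    Check("RF", "RRM DCA auto", "Error", lambda c: c["dca_mode"] == "auto"),
    Check("RF", "RRM TPC auto", "Error", lambda c: c["tpc_mode"] == "auto"),
    Check("RF", "CleanAir enabled", "Informational", lambda c: c["cleanair"]),
    Check("RF", "ED-RRM enabled", "Informational", lambda c: c["edrrm"]),
    Check("RF", "DFS channels enabled", "Informational", lambda c: c["dfs_channels"]),
    Check("RF", "Band Select enabled", "Informational", lambda c: c["band_select"]),
]


def compliance_colour(percent: float) -> str:
    """Map a category's pass percentage to the page's Red/Yellow/Green bands.

    The page gives integer bands (0-40, 41-80, 81-100); a fractional value that
    falls between two bands is placed in the lower one here (an assumption).
    """
    if percent <= 40:
        return "Red"
    if percent <= 80:
        return "Yellow"
    return "Green"


def evaluate(config: dict) -> Dict[str, dict]:
    """Run every check and return per-category total/passed/failed, percent, colour and failure messages."""
    report: Dict[str, dict] = {}
    for chk in CHECKS:
        cat = report.setdefault(chk.category, {"total": 0, "passed": 0, "failed": 0, "messages": []})
        cat["total"] += 1
        if chk.passes(config):
            cat["passed"] += 1
        else:
            cat["failed"] += 1
            cat["messages"].append((chk.severity, SEVERITY_COLOUR[chk.severity], chk.name))
    for cat in report.values():
        cat["percent"] = 100.0 * cat["passed"] / cat["total"]   # unweighted, as on the page
        cat["colour"] = compliance_colour(cat["percent"])
    return report


# Constructed sample controller configuration (not taken from any real device).
SAMPLE_CONFIG = {
    "ntp_servers": ["192.0.2.10"],
    "telnet": True, "ssh": True, "mgmt_over_wireless": False, "client_exclusion": True,
    "eapol_key_timeout_ms": 1000, "eapol_key_max_retries": 2,
    "eap_request_timeout_s": 10, "eap_max_retries": 2, "max_user_logins": 0,
    "wlans": ["corp", "guest", "voice", "byod", "iot"],
    "enabled_24ghz_rates_mbps": [6, 9, 12, 18, 24, 36, 48, 54],
    "dca_mode": "auto", "tpc_mode": "auto",
    "cleanair": True, "edrrm": False, "dfs_channels": True, "band_select": True,
}

if __name__ == "__main__":
    for category, result in evaluate(SAMPLE_CONFIG).items():
        print(f"{category}: {result['passed']}/{result['total']} passed "
              f"({result['percent']:.0f}%) -> {result['colour']}")
        for severity, colour, name in result["messages"]:
            print(f"  [{severity} / {colour}] {name}")
```

Severity only colours the individual message, as in the analyzer's legend; the category level is an unweighted pass ratio because the page defines it as Total/Passed/Failed checks. With the constructed sample, General scores 100% (Green) while Security and RF both land in the Yellow band, the latter because five WLANs are defined and ED-RRM is off.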
Documentation
Cisco Wireless LAN Controller Configuration Best Practices: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
AP3700 Deployment Guide: http://www.cisco.com/en/US/partner/docs/wireless/technology/apdeploy/7.6/Cisco_Aironet_3700AP.html
AP3600, 2600, 1600 Deployment Guide: http://www.cisco.com/en/US/partner/docs/wireless/technology/apdeploy/Cisco_Aironet.html
Virtual WLC Deployment Guide: http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml
HA Deployment Guide: http://www.cisco.com/en/US/partner/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
Flex 7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
Wireless Bi-Directional Rate Limiting Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3900.shtml
WLC8500 Deployment Guide: http://www.cisco.com/en/US/products/ps12722/products_tech_note09186a0080bd6504.shtml
WiSM-2: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bb2500.shtml
Bonjour Deployment Guide: http://www.cisco.com/en/US/docs/wireless/technology/bonjour/7.5/Bonjour_Gateway_Phase-2_WLC_software_release_7.5.html
Wireless Device Profiling and Policy Classification Engine on WLC, Release 7.5: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/NativeProfiling75.html
MSE Virtual Appliance Deployment Guide: http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml
IPv6 Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml
VLAN Select Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml
Enterprise Best Practices for Apple Mobile Devices on Cisco Wireless LANs: http://www.cisco.com/en/US/docs/wireless/technology/vowlan/bestpractices/EntBP-AppMobDevs-on-Wlans.html
Cisco WLAN Passpoint Configuration Guide: //www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/Hotspot_057.html
Thank you.