
BRKEWN-2010

Design and Deployment of Enterprise WLANs

Sujit Ghosh, Sr. Mgr. Technical Marketing, ENG


Agenda
• Intent Based Architecture
• Architecture Building Blocks
• Mobility in the Cisco Unified WLAN Architecture
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices

BRKEWN-2010 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Intent based networking: Bringing together best of breed platforms with an integrated architecture

[Diagram: Cisco DNA Center (Policy, Automation, Assurance) above the Intent-based Network Infrastructure; labels: Intent, Context, Learning, Security]
Today, we are introducing the next chapter in our strategy

[Diagram: Cisco DNA Center above the Intent-based Network Infrastructure; labels: Intent, Context, Learning, Security]
Intent based infrastructure – Wireless access points
• High density redefined
  Dual 5 GHz Flexible Radios increasing capacity by 200% to onboard more users and things automatically
• Zero-impact Intelligent Capture to resolve network issues instantly
  Probes the network and provides Cisco DNA Center with deep analysis and resolves issues in minutes, and not days
• Purpose-built hardware for analytics & performance
  Drive location, telemetry, CleanAir, ClientLink, HDX and AVC with no impact on performance to serving clients; and future proof expandability with USB & module port
World’s Smartest Access Point
Cisco Aironet 4800 AP with Intelligent Capture
• 63% of users assume the wireless network is the problem
• 72 hours: average amount of time to resolve a user issue; hours to minutes with Aironet 4800

All-in-one AP with Cisco DNA Center Assurance (best-in-class performance, security and analytics)
• Zero Impact for Security and Analytics
  24x7 dedicated radio for secure coverage monitoring and analytics data
• Real-time Telemetry w/ Deep Visibility
  Tracks 240+ onboarding anomalies
  Industry’s most granular view into wireless traffic
• Industry Leading Hyperlocation
  <3 meter median accuracy for Wi-Fi & BLE
Most Advanced Aironet Hardware
A. 2.4/5GHz Macro Cell Wide Coverage (4 antennas)
B. Monitor / Sniffer (4 antennas)
C. Bluetooth Low Energy BLE Beacon on Tx (1 antenna)
D. Hyperlocation Array (16 antennas) for Precise Location
E, F. 5GHz Micro Cell (4 antennas) High Density Coverage
The industry’s most comprehensive and innovative access point portfolio
The best infrastructure leads to the best outcomes

Good – Enterprise class (ideal for small to medium-sized deployments): 1815 Series, 1830/1850 Series
Better – Mission critical: 2800 Series, 3800 Series
Best in class – High density: 4800 (NEW)

1815 Series
• Indoor/high-powered, wall plate/teleworker
• 2x2:2 SS 80 MHz
• 867 Mbps performance
• Tx beamforming
• Integrated BLE¹
• Max transmit power (dBm) per local regulations²
• 3 GE local ports, including 1 PoE out³
• Local ports 802.1X ready³
• USB 2.0⁴

1830/1850 Series
• Indoor
• 3x3:2 SS 80 MHz / 4x4:3 SS 80 MHz
• 867 Mbps or 1.7 Gbps performance
• 1 or 2 GE ports uplink
• Internal or external antenna (1850)
• Tx beamforming
• USB 2.0

2800 Series
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink
• Cisco CleanAir® and ClientLink
• Internal or external antenna
• Smart antenna connector
• USB 2.0

3800 Series
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 Multigigabit (5G)
• Cisco CleanAir and ClientLink
• StadiumVision™
• Internal or external antenna
• Smart antenna connector
• USB 2.0
• Modularity for investment protection

4800
• 4 embedded radios (3 Wi-Fi and 1 BLE)
• Cisco Intelligent Capture for Cisco DNA Assurance
• Embedded Hyperlocation
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 Multigigabit (5G)
• Cisco CleanAir and ClientLink
• Internal antenna
• USB 2.0
• Integrated BLE

¹ Future availability ² Available for high-powered only ³ Available for wall plate and teleworker only ⁴ Available for teleworker only
Designed to be Cisco DNA Ready
Industry’s Most Comprehensive Outdoor AP Portfolio

1540 (New*)
• 802.11ac Wave 2, MU-MIMO
• 2x2:2, 80MHz, 867 Mbps
• Ultra low profile
• Internal antenna only
• PoE (802.3af) power
• Centralized, FlexConnect, Mesh and Mobility Express

1560
• 802.11ac Wave 2, MU-MIMO
• 3x3:3, 80MHz, 1.3Gbps (I)
• 2x2:2, 80MHz, 867Mbps (E/D)
• Internal or External antenna model (I/E)
• Internal directional antenna model (D)
• SFP
• Flexible Antenna Ports
• CleanAir and ClientLink
• Centralized, FlexConnect, Mesh and Mobility Express

1570
• 802.11ac Wave 1
• 4x4:3 80 MHz; 1.3 Gbps
• External antenna model (EAC)
• Cable Modem model (IC/EC)
• SFP/GPS
• PoE Out 802.3at (Ext Ant. only)
• Flexible Antenna Ports
• CleanAir and ClientLink
• Modularity (Ext Ant. only)
• Centralized, FlexConnect and Mesh
• Cable Modem Version Only (IC/EC): DOCSIS 3.0, 24x8; Internal or External antenna

Cisco DNA Ready | RF Excellence | CMX | 802.11ac Wave 2
Sensor Anywhere Drives Intelligence of Cisco DNA Assurance to the edge
Test Your Network Anywhere at Any time at Real-world Client Level

Aironet 1800S Active Sensor
• 2x2 with 2 spatial streams
• Multiple powering options
  - PoE Power
  - USB Type “C” power
  - Direct AC Power Plug
• Integrated BLE
• Ultra compact form factor

AP as a Sensor (1800/2800/3800/4800)
• Purpose-built Hardware for Analytics
• In-line monitoring to Cisco DNA for analytics and insights while serving clients

Sensor workflow labels from the slide: Onboarding & SLA Services, Configure Tests Remotely, Global Issue Dashboard, Dynamic Sensor Test Trigger, Test Creation
Intent Based Infrastructure – Wireless LAN Controller Portfolio
Multiple Deployment options & SD-Access Wireless Ready

Branch Deployment
• Mobility Express: 100 APs, 2000 clients
• Cisco vWLC**: 3000 APs, 32000 clients, FlexConnect mode
• Cisco 3504: 150 APs, 3000 clients, 4 Gbps

Campus Deployment
• Cisco 5520: 1500 APs, 20,000 clients, 20 Gbps
• Cisco 8540: 6000 APs, 64,000 clients, 40 Gbps

Scale markers: up to 100 APs | up to 200 APs | up to 3000 APs | up to 6000 APs
Cisco Catalyst 9800 Wireless Controller Appliances
Catalyst 9800 Series Wireless Controllers
• Cisco DNA Center: translate business intent into network policy and capture actionable insights with Cisco DNA Center
• C9800-80, C9800-40
• C9800 for Cloud*, C9800 on Cat 9k Switch
• Aironet Access Points: works with Cisco Aironet 802.11ac Wave 1 and Wave 2 Access Points

* GCP EFT Only
Catalyst 9800 Series Wireless Controller Appliances C9800-40 and C9800-80
• Unprecedented throughput with industry’s 1st 100GE uplink
• %+ accuracy with Encrypted Traffic Analytics and Stealthwatch integration
• Investment protection with modular uplinks
• Always-on: high availability and seamless software updates
• Scale options for your campus
• Open standards based programmability with model-driven telemetry
• Throughput option now available with C9800-80 going up to 80 Gbps
• Programmable multi-core network processor
Cisco Catalyst 9800 Wireless – Platform Support

Wireless Controller: Cisco Catalyst 9800 Wireless Controller (C9800-40-K9, C9800-80-K9)
Access Points: AP1810, AP1815, AP1830, AP1850, AP2800/AP3800/AP4800, AP1540/AP1560

Wireless Controller: Cisco Catalyst 9800 Wireless Controller for Cloud (C9800-CL-K9)*
Access Points: 11ac Wave 1 and Wave 2 Access Points: AP18xx, 2802, 3802, 4800, 1540, 1560, 1700, 2700, 3700, 1570

Wireless Controller: Catalyst 9800 SD-Access Embedded Wireless

Deployment Modes: Centralized, Distributed Branch, SDA and Mobility Express (Future)
AP Modes: Local, FlexConnect, Monitor, Mesh^, Flex+Mesh^, Sensor, Sniffer

*GCP in 16.10 is EFT Only  ^ supported on Wave 1 and outdoor Wave 2 APs
C9800-80: industry’s first modular wireless controller with 100GE modular uplink and seamless software updates (Orderable Now)

Up to 6,000 APs | Up to 64,000 Clients | 80 Gbps

Hardware callouts: redundant power supply (AC or DC), SP/RP port, fiber RP port, 8 x 10 GE uplinks, USB 3.0, modular uplinks (GE, 10GE, 40GE, 100GE)
Fully programmable multi-core network processor; support for Netflow, AVC and ETA
Catalyst 9800-80 Front Panel
EXTERNAL INTERFACES
• RJ-45 Console Port
• Mini USB Console Port
• 2 External USB Ports
• RJ-45 Ethernet Management Port (SP)
• RJ-45 Ethernet Redundancy port (RP)
• SFP Gigabit Ethernet Port
• Built-in 6x10GE/2x1GE or 10GE
• Power Supply (PEM 0)
• Power Supply (PEM 1)
• Power Switch

LEDs
• Power Status LED
• Alarm LED
• High availability LED
• USB console LED
• 10/100/1000 RJ45 Link LED
• 10/100/1000 RJ45 Activity LED
• SSD Activity LED
• System Status LED

(Photo labels: C9800-80, 8540)
Industry’s First Controller with Modular 100G Uplink
C9800 Modules Support
• C9800-2X40GE
• C9800-1X40GE
• C9800-1X100GE
• C9800-18X1GE: eighteen 1GE ports that support small form-factor pluggable (SFP) optical transceivers to provide network connectivity. Ports are numbered 0 – 17.
• C9800-10X10GE: ten 10GE ports that support small form-factor pluggable (SFP+) optical transceivers to provide network connectivity. Ports are numbered 0 – 9.
Evolution of Wireless Controllers
Enterprise Campus and Full-Service Branch

THEN: 8540
• 6000 APs, 64000 Clients
• 6000 AP Groups

NOW: Catalyst 9800-80
• 6000 APs, 64000 Clients
• 80 Gbps Throughput
• 6000 Policy Tags
• 6000 Site Tags, 100 Flex APs/Site
• 128000 PMK Cache
• 24000 Rogue APs, 32000 Rogue Clients

Other scale figures:
• 4096 VLANs, 4096 Interface Groups
• 4096 WLANs
• 64000 RFIDs
• 12000 APs/RRM Group
• 800000 AVC Flows
C9800-40: industry’s first fixed wireless controller with seamless software updates (Orderable Now)

Up to 2,000 APs | Up to 32,000 Clients | 40 Gbps

Hardware callouts: console, SP/RP port, fiber RP port, USB 3.0, 4 x 1GE/10GE ports
Fully programmable multi-core network processor; support for Netflow, AVC and ETA
Catalyst 9800-40 Front Panel
EXTERNAL INTERFACES
• RJ-45 Console Port
• Mini USB Console Port
• 2 External USB Ports
• RJ-45 Ethernet Management Port (SP)
• RJ-45 Ethernet Redundancy port (RP)
• SFP Gigabit Ethernet Port
• 4 x 10GE/1GE SFP and SFP+ ports

LEDs
• Power Status LED
• Alarm LED
• High availability LED
• USB console LED
• 10/100/1000 RJ45 Link LED
• 10/100/1000 RJ45 Activity LED
• SSD Activity LED
• System Status LED

Dimensions: 17.3” (439 mm) wide, 1.75” (44.4 mm) tall (1RU), and 18.3” (464 mm) deep*

(Photo labels: C9800-40-K9, AIR-CT-5508-K9)
Evolution of Wireless Controllers
Enterprise Campus and Full-Service Branch

THEN: 5520
• 1500 APs, 20000 Clients
• 1500 AP Groups

NOW: Catalyst 9800-40
• 2000 APs, 24000 Clients
• 40 Gbps Throughput
• 2000 Policy Tags
• 2000 Site Tags, 100 Flex APs/Site
• 48000 PMK Cache
• 8000 Rogue APs, 12000 Rogue Clients

Other scale figures:
• 4096 VLANs, 100 VLAN Groups
• 4096 WLANs
• 24000 RFIDs
• 4000 APs/RRM Group
• 300000 AVC Flows
Catalyst 9800 for Private and Public cloud (Orderable Now)

Catalyst 9800 for Private Cloud
• Scale to 6,000 APs and 64,000 Clients^
• Centralize, FlexConnect, Fabric
• Open and Programmable

Catalyst 9800 for Public Cloud
• Scale to 1,000 APs and 10,000 Clients
• FlexConnect Local Switching
• Open and Programmable

^Centralized support for 6000 APs in Future
Cisco Unified Wireless Principles

[Diagram: Cisco Prime or Cisco DNA Center, Wireless LAN Controllers and MSE/CMX connected through the Campus Network to Aironet Access Points]
Centralized Wireless LAN Architecture
What is CAPWAP?
• CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between APs and the WLAN controller; it is based on LWAPP and runs over IPv4 or IPv6
• CAPWAP carries both control and data traffic between the two
  • The control plane is DTLS encrypted
  • The data plane can optionally be DTLS encrypted
• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
• CAPWAP is not supported in Layer 2 mode deployments
CAPWAP State Machine

AP Boots Up → Discovery → DTLS Setup → Join → Image Data → Config → Run
(Reset returns the AP to Discovery)
Mobility Defined
• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving location in the networked environment
• Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!
• Mobility presents new challenges:
  • Need to scale the architecture to support client roaming—roaming can occur intra-controller and inter-controller
  • Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
• Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
• Support for up to 24 controllers, 24000 APs per mobility group
• Mobility messages exchanged between controllers
• Data tunneled between controllers in EtherIP (RFC 3378)

[Diagram: three controllers in Mobility Group Name MyMobilityGroup, connected by Ethernet in IP tunnels and Mobility Messages]
Controller-A, MAC: AA:AA:AA:AA:AA:01; Mobility Group Neighbors: Controller-B, AA:AA:AA:AA:AA:02; Controller-C, AA:AA:AA:AA:AA:03
Controller-B, MAC: AA:AA:AA:AA:AA:02; Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01; Controller-C, AA:AA:AA:AA:AA:03
Controller-C, MAC: AA:AA:AA:AA:AA:03; Mobility Group Neighbors: Controller-A, AA:AA:AA:AA:AA:01; Controller-B, AA:AA:AA:AA:AA:02
Scaling the Architecture with Mobility Groups
Mobility Domain
• With Inter Release Controller Mobility (IRCM), roaming is supported between 8.8, 8.5 and 8.3
• One WLC network: one Mobility Group
• 24 WLCs in a Mobility Group
• 72 WLCs in a Mobility Domain

[Diagram: a Mobility Domain containing a Mobility Group (8.8), a Mobility Group (8.5) and a Mobility Group (8.3)]
Integrating with existing AireOS Deployments
Inter Release Controller Mobility (IRCM) for AireOS and Catalyst 9800

IRCM: AireOS and Cisco Catalyst 9800
• Seamless roaming b/w Catalyst 9800 and AireOS 8.8 MR1 (3504/5520/8540)

[Diagram: Catalyst 9800 Deployment (Catalyst 9800 WLC) and AireOS Deployment (AireOS 8.8 MR1 WLC) joined by Secure Mobility (CAPWAP); seamless roaming, L3 only]
IRCM: AireOS and Cisco Catalyst 9800
Enabling seamless roaming across Campus

[Diagram: Catalyst 9800 Deployment (Catalyst 9800 WLC) connected via Secure Mobility (CAPWAP) to an AireOS Deployment (AireOS WLC 8.8 MR1), which connects via EOIP-based Mobility to a further AireOS Deployment (AireOS WLC); seamless roaming, L3 only, across the first link; seamless roaming, L2 and L3, across the second]

Upgrade only the AireOS controller in the roaming path
Guest: AireOS and Cisco Catalyst 9800

[Diagram: AireOS Guest Anchor (AireOS 8.8 MR1) reached from a Catalyst 9800 Deployment (Catalyst 9800 foreign) over Secure Mobility (CAPWAP) and from an AireOS Deployment (AireOS WLC foreign) over EOIP-based Mobility]

Upgrade the AireOS Guest Anchor to 8.8 MR1 (on 3504/5520/8540) and manage both Catalyst 9800 and AireOS Foreign
Cisco DNA Centre Assurance Overview
What is Cisco DNA Center Assurance?
The guarantee that the infrastructure is doing what you intended it to do.

• Insights & visibility: 360° Visibility, Context, Historical Insights, Analytics, User Location; best in class user experience
• Proactive troubleshooting: Anomaly based Intelligent iOS Captures, Sensor Tests, On-Demand Analytics; minimize downtime, user productivity
• Corrective actions: Guided Remediation, Automated Updates, System optimization; IT productivity
Cisco DNA Center Assurance
From Network Data to Business Insights

[Pipeline diagram: Network Telemetry and Contextual Data → Complex Event Processing → Correlated Insights → Guided Remediation]
• Data sources shown: Traceroute, Clients, Syslog, Netflow, AAA, Router, DHCP, Telnet, Wireless, CLI, DNS, OID, IPSLA, Ping, SNMP, IPAM, MIB, AppD, CMX
• Processing stages shown: Complex correlation, Baseline, Metadata extraction, Stream Processing
• Insight domains shown: Application, Network

Everything as a Sensor
Over 150+ Actionable Insights
Client | Applications | Wireless | Switching | Routing
Streaming Telemetry
Export enriched, consistent and concise data with context from network devices for a better user and operator experience
• Periodic or On-Change
• Structured Data
• Scalable
• Reduced CPU Load
Components of Cisco DNA Assurance
Streaming Telemetry
Ability to collect many KPIs from devices as close as possible to real time
With Streaming Telemetry we will support collection of many KPIs as close as possible to real time

Subscription and publication: NETCONF, RESTconf, GNMI over a YANG Data Model
• Periodic or on-change
• Structured data
• Priority subscriptions
• Customized to recipient
• XML or JSON encoding
• NETCONF or HTTP/2 transport
• Increased scale
• Reduced CPU and bandwidth consumption

[Diagram: Open/Native Programmable Interfaces (Configuration, Operational) and Device Features on the Physical and Virtual Network Infrastructure, alongside SNMP; YANG models cover Interface, BGP, QoS, ACL, …]
Cisco DNA Center can manage all wireless deployment modes for Automation and Assurance
Cisco DNA Center: Policy, Automation, Analytics
• SDA-Wireless: policy segmentation and consistent wired-wireless management
• Centralized: simplified management and deployment for large campuses
• FlexConnect: ease of deployment for distributed deployments
• Mobility Express: controller-less; eliminate the need for a controller at every site for distributed deployments and small sites
• Set up: from a web browser or the Cisco wireless app, use the setup wizard to configure multiple APs simultaneously
Key Innovations with 1.2.10 using 8.8/16.10 release
Wireless Innovations built ground-up for Assurance

Real-Time and Actionable Insights
• Real-time Client RF stats, Location and Onboarding states
• Roaming Insights for Fastlane with iOS vs non-iOS client analysis
• Client Onboarding Top N Analytics with Sankey charts
• On-Demand AP stats for Wi-Fi troubleshooting

1800s Sensor to validate end-user experience
• Validate RF experience of a client while onboarding to a network
• Speed tests to validate Cloud app performance and connectivity
• IP SLA tests for Real-time AppX assessment for VOIP apps

Intelligent Capture (FCS) for Proactive troubleshooting
• Live and In-Service capture of Onboarding failures with PCAPs
• Spectrum Analyzer for analyzing Interference sources

IOS-XE based Catalyst 9800 series wireless controllers will be supported on 1.2.10
Key Use Cases that are solved
Use Case 1: Client is failing to on-board to a network (Client Onboarding)
1. Actionable Dashboards: Onboarding Sankey charts for better analysis
2. Real-time Correlation: correlate Onboarding events with poor RF and client location for RCA
3. Intelligent Capture: Onboarding failures with In-service PCAPs
Use Case 2: Client is having a poor wireless experience (Client and Network Experience)
1. Health Dashboard: near-real time client tracking (<60 sec) and Top N AP analytics
2. Client 360: historical time travel with client RF correlated with the Onboarding events
3. Intelligent Capture: On-Demand AP stats for Wi-Fi troubleshooting
Use Case 3: Client is having a poor App experience (Application Experience)
1. Health Dashboard: overall health of business relevant apps and Top N App analytics
2. App 360: time travel with qualitative and quantitative assessment for network and S4B server
3. Sensor simulated SLA: Cloud apps speed and AppX performance simulation using 1800s sensors
Agenda
• Intent Based Architecture
• Architecture Building Blocks
• Mobility in the Cisco Unified WLAN Architecture
• Cisco Mobility Express
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices

Mobility Express WLAN Deployment
Branch solution for small, medium or distributed enterprise with multiple management options: Mobile App or WebUI, Cisco DNA Center (Policy, Automation, Assurance, Security), ISE, CMX

• Single Office: Mobility Express
• Distributed Office: Mobility Express
• Distributed Enterprise: Mobility Express in Branch, Controller Based in campus
Cisco Mobility Express
Branch Solution for Appliance-less WLC-Based Networks for up to 100 APs

Ease of Deployment with Resiliency & Scale
• Manage up to 100 APs, 2000 clients without additional licensing costs
• Best practices on by default & built-in redundancy for resilient operations
• Localized with Chinese, Japanese & Korean
• Management simplicity with mobile app & WebUI

AVC & CMX
• Understand what is running on your network
• Bidirectional rate limit per WLAN/SSID/Client
• CMX Location & Presence Analytics
• CMX Engage/Cloud integration for personalized and relevant guest experience

RF Excellence & Apple Innovations
• Flexible Radio Assignment & Dual 5GHz for best Wi-Fi experience
• Best in class RF with HDX – ClientLink, CleanAir & Spectrum Intelligence
• Apple Fast Lane with optimized Wi-Fi connectivity & prioritize business applications

Guest & Security
• Multiple guest onboarding options with built-in lobby ambassador
• Rogue detection & classification
• ISE/Radius, Walled Garden support and BYOD integration
• 802.1x support on AP with EAP-TLS and EAP-PEAP

Cisco DNA Center & Multi-site Deployment
• Day0 PnP with config & image download
• Cisco DNA Automation & Assurance EFT available with Cisco DNAC 1.2
• Cisco DNA Automation & Assurance GA in Cisco DNAC 1.3
• Intelligent Capture EFT in Cisco DNAC 1.3 & AireOS 8.8

Cisco DNA Ready for Small to Medium Size, Single or Multi site Deployments
Evolution of Mobility Express Solution
Releases: AireOS 8.7 (Apr 2018), AireOS 8.8 (Aug 2018), AireOS 8.8 MR1 (Oct 2018), AireOS 8.8 MR2 (Nov 2018)

Features added across these releases:
• Authentication Caching
• Post Auth DNS ACLs
• Umbrella support
• IPSK
• Support for TLS Gateway
• mDNS Gateway support
• Videostream support (MC2UC)
• Efficient AP Join
• S/W Update during Day 0 using Network PnP
• Schedule WLAN
• Support for SFTP software download transfer mode
• Option 43 support for ME
• Support for Optimal AP Join
• FQDN support for SFTP Server
• Support for BDRL per client, BSSID and WLAN
• Cisco RFID Tag support
• EoGRE support
• Ability to limit clients per WLAN, per radio
• Support for RLANs
• Support for Passive Clients
• 802.1x supplicant support on AP with EAP-TLS and EAP-PEAP
• Walled Garden, Radius NAC
• DNS ACLs (Pre-auth ACL, IPv4 only)
• Central Web Authentication
• BYOD support
Cisco Mobility Express: Indoor Access Point Support

Enterprise Class

1815 – AIR-AP1815W-x-K9C: 50 AP, 1000 clients
• 2x2:2SS 80 MHz
• 867 Mbps Performance
• Tx Beam Forming
• Spectrum Intelligence
• Integrated BLE Gateway
• 3 GE Local Ports, including 1 PoE out
• Local ports 802.1x ready

1815 – AIR-AP1815I/M-x-K9C: 50 AP, 1000 clients
• 2x2:2SS 80 MHz
• 867 Mbps Performance
• Tx Beam Forming
• Spectrum Intelligence
• Integrated BLE Gateway
• Max Transmit Power (dBm) per local regulations

1830 – AIR-AP1832I-x-K9C: 50 AP, 1000 clients
• 3x3:2SS 80MHz
• 867 Mbps Performance
• Tx Beam Forming
• Spectrum Intelligence
• 1 GE Port Uplink
• USB 2.0

1850 – AIR-AP1815I/M-x-K9C: 50 AP, 1000 clients
• 4x4:3SS 80Mhz
• 1.7 Gbps Performance
• Internal or External Antenna
• Tx Beam Forming
• Spectrum Intelligence
• 2 GE Ports Uplink
• USB 2.0

Mission Critical

2800 – AIR-AP2802I/E-x-K9C: 100 AP, 2000 clients
• 4x4:3SS 160 MHz
• 5 Gbps Performance
• 2.4 and 5GHz or Dual 5GHz
• 2 GE Ports Uplink
• CleanAir and ClientLink
• Internal or External Antenna
• Smart Antenna Connector
• USB 2.0

Best in Class

3800 – AIR-AP3802I/E-x-K9C: 100 AP, 2000 clients
• 4x4:3SS 160 MHz
• 5 Gbps Performance
• 2.4 and 5GHz or Dual 5GHz
• 2 GE Ports Uplink or 1 GE + 1 mGig (5G)
• CleanAir and ClientLink
• Internal or External Antenna
• Smart Antenna Connector
• USB 2.0
• Investment Proof Modularity

802.11ac Wave 2, MU-MIMO | Cisco DNA Ready | RF Excellence | CMX
Agenda
• Intent Based Architecture
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices

Best Practices For High Performance Mobile Infrastructure

1. RF Planning: engineer the WLAN for data, voice, video, location, and client density
   802.11ac: -65 to -67 RSSI; 10 – 20% cell overlap; 1 AP / 2500 sq ft
2. RF Optimization: optimise Gigabit Wi-Fi as primary connectivity – Gig Ethernet as fallback
   Cisco CleanAir; ClientLink; RRM
3. High Availability: replicate the High Availability of the LAN on the WLAN
   LAN SSO – Edge, Core, Disti; WLAN SSO – Client, AP, Controller
4. Application Visibility & Control: prioritise mission critical business applications over personal applications
   Cisco AVC – identify, prioritise, control apps across LAN, WLAN
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
• Local Profiling and Policy Classification
• Application Visibility Control
• Umbrella (OpenDNS)
• TrustSec
• Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs
Centralized Mode HA

Client SSO
• Requirements: minimum release 8.0; WLC: 5508, WiSM2, 7500, 8510; L2 connection; same HW and software; 1:1 box redundancy
• Benefits: active client state is synched; AP state is synched; no application downtime; HA-SKU available; network uptime

AP SSO (SSID stateful switchover)
• Requirements: minimum release 8.0; WLC: 5508, WiSM2, 7500, 8510; direct physical connection; same HW and SW; 1:1 box redundancy
• Benefits: AP state is synched; no SSID downtime; HA-SKU available (> 7.4)

N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary)
• Requirements: available on all controllers; each controller has to be configured separately
• Benefits: crosses L3 boundaries; flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)
Controller Redundancy
• Redundant WLC in a geographically separate location (NOC or Data Centre)
• Layer-3 connectivity between the AP connected to primary WLC and the redundant WLC
• Redundant WLC need not be part of the same mobility group
• Configure high availability (HA) to detect failure and faster failover
• Use AP priority in case of over subscription of redundant WLC

[Diagram: WLAN-Controller-1, WLAN-Controller-2 … WLAN-Controller-n, each with APs configured Primary: WLAN-Controller-1/2/n and Secondary: WLAN-Controller-BKP; WLAN-Controller-BKP sits in the NOC or Data Centre]
Controller Redundancy – High Availability
• High Availability Principles:
   AP is registered with a WLC and maintains a backup list of WLCs.
   AP uses heartbeats to validate WLC connectivity
   AP uses Primary Discovery message to validate backup WLC list
   When AP loses 3 heartbeats it starts join process to first backup WLC candidate
   Candidate Backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
   AP does not re-initiate discovery process.

New Timers
• Heartbeat Timeout: 1-30 secs
• Fast Heartbeat Timer: 1-10 secs
• AP Retransmit Interval: 2-5 secs
• AP Retransmit with FH Enabled: 3-8 Times
• AP Fallback to next WLC: 12 secs

[Diagram: AP with Primary WLC and Secondary WLC]
Stateful Switchover (SSO)
• True Box to Box High Availability i.e. 1:1
• One WLC in Active state and second WLC in Hot Standby state
• Secondary continuously monitors the health of Active WLC via dedicated link
• Configuration on Active is synched to Standby WLC
  • This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
  • AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
  • Active Client State in 8.0: client will not disconnect – Client SSO
• Downtime during failover reduced to 5 - 1000 msec depending on Failover
  • In the case of power failure on the Active WLC it may take 350-500 msec
  • In case of network failover it can take up to a few seconds
• SSO is supported on 3504 / 5500 / 8500 / WiSM-2
BRKEWN-2010 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
SSO Failover Sequence
(Figure: Active and Standby WLC joined by a Redundancy Link over the dedicated Redundancy Port; sequence: Redundancy Link Established, Peer Negotiation, Role info, AP and Client Sync, Keep-Alive, Redundancy failure/Notify, then the Standby becomes Active)
• Client Associate and AP Join continue on the new Active after the switch
• AP session intact: does not re-establish CAPWAP
• Client session intact (Client SSO): does not re-associate
• Effective downtime for client is Detection time + Switchover time

Pairing 5520/8540 for SSO
(Figure: Redundancy Ports connected back to back, or through an L2 network)
• Back to Back as well as L2 RP Connectivity

Pairing 3504 for SSO
(Figure: WLC 3504 rear panel: SP Port, RJ45 Serial Console, USB 2.0 Mini-B Serial Console, Reset, USB 3.0, mGIG, 4x 1GE (Port 3 and 4 provide 802.3at power), Status LEDs, RP Port for HA SSO)
High Availability (Client SSO) with Catalyst 9800 Platforms
A direct physical connection between Active and Standby Redundant Ports or Layer 2 connectivity is required to provide stateful redundancy within or across datacenters
(Figure: C9800-40-K9 and C9800-80-K9 pairs, Active Wireless Controller and Hot-Standby Wireless Controller joined through the Gigabit SFP RP port; Redundancy Port connectivity either direct or RP via L2)
• Sub-second failover and zero SSID outage
• The only supported SFPs on the Gigabit RP port are: GLC-SX-MMD and GLC-LH-SMD
High Availability (Client SSO) with Catalyst 9800 Virtual Platforms
(Figure: C9800-CL-K9 on ESXi. Left: vWLC1-Active and vWLC1-Standby on separate hosts, HA interfaces joined through each host's vswitch and a physical switch (Redundancy Port connectivity). Right: vWLC1-Active with vWLC2-Standby on one host and vWLC2-Active with vWLC1-Standby on the other, Redundancy Port connectivity RP via L2)
Connecting 5520/8540 SSO Pair to Wired Network – Recommended Network Design
(Figure: 5520 Active WLC and Standby WLC, and 8540 Active WLC and Standby WLC, each connected to a Catalyst VSS pair by L2 trunk port-channels Po 1 and Po 2, same configuration on both Po1 and Po2)
Spread the links in each port-channel among the two physical switches to prevent a WLC switchover upon a failure of one of the VSS switches
High Availability – Design and Deployment
• Connecting WLC3504 HA Pair to the wired network
(Figure: left, Active and Standby WLC3504 connected to a single switch or stack; right, Active and Standby WLC3504 connected to a Catalyst VSS pair; in both cases L2 trunk port-channels Po 1 and Po 2 with the same configuration on both)

Web-GUI Configuration
(Figure: screenshot of the HA SSO configuration page in the WLC web GUI)
SSO Behavior and Recommendations
• RTT latency on Redundancy Link: 80 milliseconds or less (80% of the keep alive timer)
• Preferred MTU on Redundancy Link: 1500 or above
• Bandwidth on Redundancy Link: 60 Mbps or more
• WLC 55XX / 85XX: RP Connectivity between Active and Standby
  Via Switches
  Back-to-back
• WiSM-2: single 6500 chassis OR different chassis using VSS setup / extending the redundancy VLAN
• Recommended to have Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks
• Keep alive / Peer Discovery timers should be left at their default values for better performance
• Default box failover detection time is 3 * 100 = 300 + 60 = 360 + jitter (12 msec) = ~400 msec
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
  • Local Profiling and Policy Classification
  • Application Visibility Control
  • Umbrella (OpenDNS)
  • TrustSec
  • Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs
AP-Groups - Default AP-Group
• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
• Default AP-Group cannot be modified
• APs with no assignment to a specific AP-Group will use the Default AP-Group
• The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
AP-Grouping in Campus
(Figure: campus with three access blocks all on VLAN 100; CAPWAP from the APs across distribution and core to WLC-1 and WLC-2 in the Data Centre; single SSID = Employee mapped to VLAN 100 /21)

AP-Grouping in Campus
(Figure: the same campus with AP-Group-1 on VLAN 60 /23, AP-Group-2 on VLAN 70 /23 and AP-Group-3 on VLAN 80 /23; single SSID = Employee; WLC-1 and WLC-2 in the Data Centre carry VLAN 100 /21 plus VLANs 60, 70 and 80)

Default AP-Group
(Figure: WLC GUI, Default AP Group with its Network Name list: only WLANs 1–16 will be added in the Default AP Group)

Multiple AP-Groups
(Figure: WLC GUI listing AP Group 1, AP Group 2 and AP Group 3)
HD Config Tip: RF Profiles for Fine-Tuning
• RF Profiles work in conjunction with AP Groups
• You can create separate RF profiles for both 2.4 and 5 GHz
• 1 profile for each band (802.11a/802.11b) can be assigned to an AP group
• Today:
  • 802.11 data rates
  • TPC Power Threshold and Min/Max Power settings
  • DCA
  • Coverage hole algorithm settings
  • High Density – HDX configurations: RX_SOP, Client Limit, Mcast data rate
  • Client Distribution
More granular control of the RF network

RF Profiles: Granular Control
(Figure: RF profile GUI tabs: TPC, DCA, Coverage Hole; Data Rates; Load Balancing; High Density)

Network Profiles GUI
Sets pre-defined RF parameters depending on "Client" Density and Traffic Type
• Client Density: High, Typical, Low
• Traffic Type: Data, Data and Voice

Pre-built RF Profiles
Client Density specific pre-built RF profiles for 2.4 GHz and 5 GHz bands – to be used with AP Groups
Use pre-built RF profiles to create your customised profile in 8.3 and above
RF-Profile in Campus
(Figure: campus with RF-Profile-1 (VLAN 60 /23, VLAN 61 /23), RF-Profile-2 (VLAN 70 /23, VLAN 71 /23) and RF-Profile-3 (VLAN 80 /23, VLAN 81 /23) on the three access blocks; CAPWAP across distribution and core to WLC-1 and WLC-2 in the Data Centre, which carry VLANs 60, 61, 70, 71, 80 and 81; single SSID = Employee)

Flexible Radio Assignment
• 5GHz Serving + 2.4GHz Serving: default operating mode, serve clients on both 2.4GHz and 5GHz
• 5GHz Serving + 5GHz Serving: Dual 5GHz support, both radios serving clients on 5GHz; maximum over the air data rate up to 5.2Gbps

Radio Role Assignment – Auto/Manual
• Selecting a 2800/3800/4800 802.11-abgn interface – config
• Auto (default) makes the radio available to FRA
• Manual takes the radio out of global FRA

Cisco Dynamic Bandwidth Selection (DBS) 8.1
• Automatic optimisation for 20-40-80 MHz RF channel widths
• DBS applies an additional layer of channel and width recommendations on top of those applied in Core DCA
• Useful for 11n-11ac mix AP networks and Wave-2 (160MHz)
• DBS: Auto, configured globally
(Figure: DBS inputs: Neighbour Channels, Channel Overlap Ratio, Wi-Fi Interference, Non Wi-Fi Noise, Channel Utilisation, Client Protocol & Traffic 11n/11ac)
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
  • Local Profiling and Policy Classification
  • Application Visibility Control
  • Umbrella (OpenDNS)
  • TrustSec
  • Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs
Local Profiling and Policy Classification
• ISE offers a rich set of BYOD features: e.g. device identification, onboarding, posture and policy
• For customers not deploying ISE but requiring a subset of ISE features
• Native profiling of end devices based on MAC OUI, HTTP, DHCP
• Device-based policy enforcement: per user or per device policy

Policy Classification
(Figure: inputs MAC OUI, Device Type, Username (e.g. John) and User Role (Student, Teacher, Admin) feed the client Identity; the resulting policy sets VLAN, ACL, QoS, Session timeout and Time of Day)
Configuring Client Profiles
• Client profiling uses pre-existing profiles in the controller
• Custom profiles are not supported in this release
• Wireless clients are profiled based on the MAC OUI, DHCP, HTTP user agent
• DHCP is required for DHCP profiling, Webauth for HTTP user agent
• 8.7 release contains 234 pre-existing profiles:

(Cisco Controller) >show profiling policy summary

Number of Builtin Classification Profiles: 234
ID   Name                                             Parent Min CM Valid
==== ================================================ ====== ====== =====
0    2Wire-Device                                     None   5      Yes
1    3Com-Device                                      None   5      Yes
2    Aastra-Device                                    None   5      Yes
3    Aastra-IP-Phone                                  2      10     Yes
4    Aerohive-Device                                  None   10     Yes
5    Aerohive-Access-Point                            4      20     Yes
6    American-Power-Conversion-Device                 None   10     Yes
7    Android                                          None   30     Yes
8    Android-Amazon                                   7      40     Yes
9    Android-Amazon-Kindle                            7      40     Yes
…/…

Local Client Profiling Configuration
• At the WLAN level, enable Local Client Profiling (DHCP and HTTP)
• DHCP required is checked automatically when selecting DHCP profiling

config wlan profiling {local | radius} {dhcp | http | all} {enable | disable} <wlan ID>
(Cisco Controller) >config wlan profiling local all enable 1
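The profile table above encodes a hierarchy (Parent) and a minimum score per profile (Min CM, read here as a minimum certainty metric, which is an assumption about the column). The added example below parses that `show profiling policy summary` output and classifies a client from the three evidence sources the slides name (MAC OUI, DHCP, HTTP user agent). It is example code, not the controller's built-in profiler: which piece of evidence points at which profile, and how many points it is worth, is a constructed rule set; only the profile IDs, names, parents and Min CM values come from the slide.

```python
"""Parse the WLC profiling table and classify a client from OUI / DHCP / HTTP
evidence. The RULES table is constructed for illustration; the profile rows
are the ones shown on the slide."""
import re

SHOW_OUTPUT = """\
ID   Name                                             Parent Min CM Valid
==== ================================================ ====== ====== =====
0    2Wire-Device                                     None   5      Yes
7    Android                                          None   30     Yes
8    Android-Amazon                                   7      40     Yes
9    Android-Amazon-Kindle                            7      40     Yes
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(None|\d+)\s+(\d+)\s+(Yes|No)\s*$")


def parse_profiles(text):
    """Return {id: {"name", "parent", "min_cm", "valid"}} from the show output."""
    profiles = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, name, parent, min_cm, valid = m.groups()
            profiles[int(pid)] = {
                "name": name,
                "parent": None if parent == "None" else int(parent),
                "min_cm": int(min_cm),
                "valid": valid == "Yes",
            }
    return profiles


# Constructed evidence rules: (evidence attribute, substring, profile id, points)
RULES = [
    ("oui", "Google", 7, 30),
    ("dhcp_vendor", "android", 7, 30),
    ("http_ua", "Android", 7, 30),
    ("http_ua", "Kindle", 9, 40),
    ("http_ua", "Silk", 8, 40),
]


def depth(profiles, pid):
    """Number of ancestors; deeper means more specific."""
    d = 0
    while profiles[pid]["parent"] is not None:
        pid = profiles[pid]["parent"]
        d += 1
    return d


def classify(profiles, evidence):
    """Score profiles from evidence, crediting every ancestor of a matched profile,
    then return the most specific valid profile whose score reaches its Min CM."""
    score = {pid: 0 for pid in profiles}
    for attr, needle, pid, points in RULES:
        if needle.lower() in evidence.get(attr, "").lower():
            cur = pid
            while cur is not None:          # a Kindle match is also Android evidence
                score[cur] += points
                cur = profiles[cur]["parent"]
    candidates = [pid for pid, p in profiles.items()
                  if p["valid"] and score[pid] >= p["min_cm"]]
    if not candidates:
        return "Unknown"
    best = max(candidates, key=lambda pid: (depth(profiles, pid), score[pid]))
    return profiles[best]["name"]


if __name__ == "__main__":
    profs = parse_profiles(SHOW_OUTPUT)
    # constructed user agent string, not captured from a real device
    print(classify(profs, {"http_ua": "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; Kindle Fire)"}))
```

Walking the parent chain matters for two reasons: it lets weak evidence on a child still contribute to a confident parent classification, and it keeps a client from being labelled a specific device (needing 40 points here) when only the generic 30-point signal was seen.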
Client Profiles Details
(Figure: screenshot of the client profile details page in the WLC GUI)
Application Visibility and Control

Why Do You Need AVC?
• Visibility: threats (worms and Trojans) move laterally (east-west); a central application sensor will not see this at all
• Detection: the path to the server may be different from the return path, so a single vantage point may not be able to determine the application
• Troubleshooting: essential to have visibility at multiple points to break down the problem and get to resolution faster
• Control: latency metrics such as response time, transaction time, network and application delay are needed to control the apps

Enabling Application Visibility and Control
AVC is enabled per WLAN to allow Deep Packet Inspection
1 Change the QoS level to reflect the highest application level for that SSID
2 Enable Application Visibility
3 Ensure WMM is set to "Allowed" or "Required"
How Does AVC Classify Applications: Cisco Jabber
Deep Packet Inspection
Three classification flows for Cisco Jabber: Cisco Jabber Audio, Cisco Jabber Video, Cisco Jabber Control
Different policies for different components of a Jabber session

How Does AVC Classify Applications: MS Lync
Deep Packet Inspection
Three classification flows for Microsoft Lync: MS-Lync Media (Audio and Video Flows), MS-Lync-Video, MS-Lync File Transfer (Desktop Sharing, Chat)
Different policies for different components of a Lync session

Policy tie-in with AVC
• WLC v7.4 and later: application-based policies per WLAN
• WLC v8.0: user-aware and device-aware
  • User-role aware: Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
  • Device-aware: Alice can access EHS records on an (IT provisioned) Windows laptop but cannot on a personal (unsecure) iPad
AVC Profile Per User Device
(Figure: AP and switch forward to the WLC; AAA returns per-user attributes for Teacher and Student clients on SSID: Classroom, Security: WPA2/802.1x; Teacher Network and Student Network get different AVC profiles covering YouTube, Facebook, Skype and BitTorrent)
Cisco-av-pair=avc-profile-name=<avc profile on wlc>
Cisco-av-pair=role=<role name>
Cisco Umbrella – WLC Integration 8.5

Cisco Umbrella – Offering Domain Level Visibility
(Figure: Cisco Umbrella Cloud with Internet wide visibility. COVERAGE: DNS layer Security. PROTECTION: Predictive Threat Intelligence. INTELLIGENCE: Security Visibility – Application Insights, Policy Compliance. CATEGORY: Ransomware, Malware, Phishing, malware/Botnet. IDENTITY: Internal IP, AD User. PERFORMANCE / RELIABILITY: High Speed, Scalable)
• Cloud delivered network security service
• Malware and Breach Protection in real time
• Uses evolving Big Data and data mining methods to proactively predict attacks
• Category based Filtering (60+ content categories)
Cisco Umbrella – WLC Packet Flow
WLC and Cisco Umbrella registration (one time):
• On Cisco Umbrella account: get the API token for device registration
• On WLC: apply the token and create a Profile
• Device (Profile) Registration; HTTPS is used in this phase
Cisco Umbrella Cloud provides Content Filtering, Security Enforcement, Compliance, Category based Filtering, Whitelist & Blacklist

Wireless client traffic flow:
• Client sends DNS query
• WLC snoops the DNS packet, tags it with Identity and forwards it with EDNS
• Cisco Umbrella applies the Profile specific Policy
• Sends DNS response to WLC
• WLC forwards the response to the client
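The snooping step above (the WLC adds an identity to the client's query via EDNS before forwarding it) shown at the wire-format level, as an added example. This is not Cisco's or Umbrella's code: the EDNS option code 65001 is a placeholder from the RFC 6891 local/experimental range and is not the option Umbrella actually uses, and the identity string is a constructed sample. The point a defender should take from it is that the tag rides in the additional section, leaves the question untouched, and is only meaningful to a resolver that knows the option.

```python
"""Build a plain DNS query, append an EDNS0 OPT record carrying an identity
tag (the WLC snooping step), and parse the tagged query back. Placeholder
option code; constructed identity string."""
import struct

EDNS_OPT_IDENTITY = 65001   # placeholder local-use code (RFC 6891 range 65001-65534)
TYPE_OPT = 41
UDP_PAYLOAD_SIZE = 4096


def encode_name(name):
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_query(qname, txid=0x1234, qtype=1):
    """Standard recursive query as a client sends it: one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tag_with_identity(query, identity):
    """Snooping device: append an OPT RR with the identity and bump ARCOUNT.
    Valid for queries only (no answer/authority records to step over)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    if an or ns:
        raise ValueError("expected a query with empty answer/authority sections")
    data = identity.encode("utf-8")
    option = struct.pack("!HH", EDNS_OPT_IDENTITY, len(data)) + data
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext rcode/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD_SIZE, 0, len(option)) + option
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar + 1) + query[12:] + opt_rr


def parse_query(msg):
    """What the resolver sees: the question plus any identity carried in the OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    identity = None
    for _ in range(ar):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            pos += 4
            if code == EDNS_OPT_IDENTITY:
                identity = rdata[pos:pos + length].decode("utf-8")
            pos += length
    return {"id": txid, "qname": qname, "qtype": qtype, "identity": identity}


if __name__ == "__main__":
    tagged = tag_with_identity(build_query("example.com"), "wlc-profile:guest-ssid")
    print(parse_query(tagged))
```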
8.5 Identity PSK

Identity PSK: Lower Risk and Meet Compliance
Multiple PSKs per SSID allow advanced security encryption across all devices
• Increased demand for IoT devices
• Identity security without 802.1x
• Private PSK with RADIUS integration
• Per client AAA override (VLAN / ACL etc)
(Figure: Integrated Security, Advanced Security, Simple Operations, High Scale, Cost Effective)
Cisco Advantage: highly scalable identity PSK solution designed for a large multi controller network

Identity PSK (8.5)
✓ PSK WLAN
✓ MAC Filtering
✓ AAA Override
(Figure: Access Point, Wireless LAN Controller and ISE. IOT Devices use PSK aabbcc, Sensors use PSK xxyyzz, Employees have no private PSK and use the WLAN PSK. ISE returns Cisco-AVPair attributes per device MAC group:)
Cisco-AVPair += "psk-mode=ascii"
Cisco-AVPair += "psk=aabbcc"   (IOT Devices)
Cisco-AVPair += "psk=xxyyzz"   (Sensors)

Device MAC Group | Private PSK
IOT Devices      | aabbcc
Sensors          | xxyyzz
Employees        | --- (WLAN PSK)
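Both the AVC-profile-per-user slide and the Identity PSK slide rest on the same mechanism: the RADIUS server returns Cisco-AVPair strings and the WLC overrides the client's policy from them. The added example below parses those attributes and derives the per-client PSK and AVC profile the WLC would apply. It is example code, not Cisco's: the MAC addresses, the RADIUS answers and the two AVC profiles are constructed sample data; only the attribute names (psk-mode, psk, role, avc-profile-name) come from the slides.

```python
"""AAA override from Cisco-AVPair values: per-client PSK selection (Identity
PSK) and per-role AVC profile. RADIUS records, MACs and AVC rules are
constructed sample data."""

WLAN_PSK = "wlan-default-psk"   # constructed: the PSK configured on the WLAN itself

# Constructed MAC-filtering answers, what ISE would return for each device group
RADIUS_DB = {
    "00:11:22:33:44:55": ["psk-mode=ascii", "psk=aabbcc"],                   # IOT Devices
    "66:77:88:99:aa:bb": ["psk-mode=ascii", "psk=xxyyzz"],                   # Sensors
    "cc:dd:ee:ff:00:11": ["role=Teacher", "avc-profile-name=teacher-avc"],   # Employee, WLAN PSK
    "cc:dd:ee:ff:00:22": ["role=Student", "avc-profile-name=student-avc"],   # Employee, WLAN PSK
}

# Constructed AVC profiles as configured on the WLC: application -> action
AVC_PROFILES = {
    "teacher-avc": {"YouTube": "permit", "Facebook": "permit", "Skype": "permit", "BitTorrent": "drop"},
    "student-avc": {"YouTube": "drop", "Facebook": "drop", "Skype": "permit", "BitTorrent": "drop"},
}


def parse_av_pairs(pairs):
    """Split 'key=value' Cisco-AVPair strings into a dict; entries without '=' are ignored."""
    out = {}
    for p in pairs:
        if "=" in p:
            key, value = p.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def client_policy(mac):
    """Policy the WLC applies after MAC filtering + AAA override for this client."""
    attrs = parse_av_pairs(RADIUS_DB.get(mac.lower(), []))
    return {
        "psk": attrs.get("psk", WLAN_PSK),        # no psk attribute: fall back to the WLAN PSK
        "psk_mode": attrs.get("psk-mode", "ascii"),
        "role": attrs.get("role"),
        "avc_profile": attrs.get("avc-profile-name"),
    }


def app_allowed(mac, application):
    """Apply the client's AVC profile to a classified application.
    A client with no profile, or an application the profile does not list, is permitted."""
    profile = client_policy(mac)["avc_profile"]
    rules = AVC_PROFILES.get(profile, {})
    return rules.get(application, "permit") == "permit"


if __name__ == "__main__":
    for mac in RADIUS_DB:
        print(mac, client_policy(mac))
```

The fallback in `client_policy` is the behaviour the slide's table shows for the Employees row ("---"): no private PSK in the RADIUS answer means the WLAN's own PSK applies, so a missing attribute is not an error.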
Summarize – Security & Policies

Enterprise SSID Security and Segmentation
(Figure: Access Point, WLC, ISE AAA Override and Umbrella backend policy servers; Enterprise SSID with 802.1x onto the Enterprise Backbone; Marketing, Sales and Contractor clients and a Server)
• VLAN-Based Segmentation using AAA Override: Employee VLAN ID = 10, Contractor VLAN ID = 20
• Policy Classification Engine: user-role = Marketing, user-role = Sales, user-role = Contractor
• Category-Based Filtering based on Umbrella Policy
• Controlled access to Apple devices via mDNS Profile
• Role Based Access Control based on Scalable Group Tags and SGACLs: Marketing SGT = 4, Sales SGT = 5, Contractors SGT = 6
• Micro-segmentation using Cisco TrustSec

User role  | VLAN | Application                      | Apple devices (mDNS)      | SGT | SGACL to Server
Marketing  | 10   | Block ebay; Mark Webex, Jabber   | Apple TV, Printer, iTunes | 4   | PERMIT
Sales      | 10   | Block ebay; Mark Webex, Jabber   | Apple TV, Printer, iTunes | 5   | PERMIT
Contractor | 20   | Drop Youtube, CNN, BBC, Facebook | Printer Only              | 6   | DENY
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
• IPv6 Deployment with Controllers
• Branch Office Designs
IPv6 Overview
(Figure: dual-stack topology. IPv6 clients 2001:db8:a:0:2329:9834:3231:1111, 2001:db8:a:0:1827:91bf:c41b:9683 and 2001:db8:a:0:8a56:caff:1547:9150 and IPv4 clients 10.10.10.51 and 10.10.10.52 attach over 802.11 to APs; CAPWAPv6 tunnels over Ethernet/VLAN to the WLC (Mgmt: 2001:db8:a::2/64, 10.10.10.2); IPv4/v6 router 2001:db8:a::1/64, 10.10.10.1; Radius Server IP: 2001:db8:a:7/64; SNMP Server, Syslog Server, NTP Server IP: 2001:db8:a:5/64; tftp/ftp/scp Server IP: 2001:db8:a:6/64)

Management Access (telnet, SSH, HTTP, HTTPS)
Mgmt: 2001:db8:a::2/64, 10.10.10.2
• WLC can be accessed from wired/wireless via its IPv6 Management Interface using:
  • telnet
  • SSH
  • HTTP
  • HTTPS
CAPWAPv6
• AP can get IPv6 addresses from stateful DHCPv6 / SLAAC or static assignment
• If statically assigned, the gateway can be the unique global or Link-Local address of the router
• Either CAPWAPv4 or CAPWAPv6 can be used, but not both
• APs in bridge mode do not support CAPWAPv6

AP Failover
• Management IP address must be reachable
• One entry per WLC
• The AP will join either the IPv4 or the IPv6 address of the WLC (regardless of the management IP listed)
• All other AP failover behavior is the same as in previous versions
(Figure: WLC1, WLC2 and WLC3 with their APs configured as follows)
APs on WLC1: Primary: WLC1, Secondary: WLC2, Tertiary: WLC3
APs on WLC2: Primary: WLC2, Secondary: WLC3, Tertiary: WLC1
APs on WLC3: Primary: WLC3, Secondary: WLC2, Tertiary: WLC1

IPv6 Guest Access
• Virtual IP address is IPv4 only
• Uses an IPv4-Mapped address for IPv6 web-authentication clients
• Virtual IP should be the same for all WLCs in the same mobility group
• For example the IPv6 address will display as [::ffff:192.0.2.1]
Wireless IPv6 Client First Hop Security on WLAN
(Figure: 802.11 IPv6 client traffic carried in the CAPWAP tunnel over IPv4 Ethernet to the WLC, then onto the IPv6 VLAN)
• Router Advertisement: RA Guard – RA from client blocked at AP (Local and FlexConnect)
• Undesired IPv6 Addresses/Prefix: Source Guard
• DHCP Server Advertisement: DHCP Server Guard – DHCP SA blocked at Wireless Controller using IPv6 ACL
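The three first-hop checks on the slide (RA Guard at the AP, Source Guard, DHCP Server Guard at the controller), as an added example applied to frames arriving from a wireless client. This is illustrative code, not the AP or WLC implementation: packets are built minimally with checksums left at zero because nothing is transmitted, and the client address binding is a constructed sample.

```python
"""IPv6 first-hop security on client-originated traffic: RA Guard, Source
Guard and DHCP Server Guard. Packets, addresses and the binding table are
constructed sample data."""
import struct
import ipaddress

NH_ICMPV6, NH_UDP = 58, 17
ICMPV6_RS, ICMPV6_RA = 133, 134
DHCPV6_SOLICIT, DHCPV6_ADVERTISE = 1, 2
DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547


def build_ipv6(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header (version 6, hop limit 255) plus payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def icmpv6(msg_type, body=b""):
    return struct.pack("!BBH", msg_type, 0, 0) + body          # type, code, checksum=0


def dhcpv6(sport, dport, msg_type):
    payload = bytes([msg_type]) + b"\x00\x00\x00"              # msg-type + 3-byte transaction id
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def inspect_from_client(pkt, client_addrs):
    """Return ('drop', reason) or ('forward', None) for a packet a wireless client sent.
    client_addrs: IPv6Address objects the client is bound to (learned via ND / DHCPv6)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("forward", None)                                # not IPv6: outside these checks
    payload_len, nxt = struct.unpack("!HB", pkt[4:7])
    src = ipaddress.IPv6Address(pkt[8:24])
    payload = pkt[40:40 + payload_len]

    # Source Guard: a client may only send from addresses bound to it
    if src not in client_addrs:
        return ("drop", f"Source Guard: {src} not bound to client")

    # RA Guard: clients never originate Router Advertisements
    if nxt == NH_ICMPV6 and payload and payload[0] == ICMPV6_RA:
        return ("drop", "RA Guard: router advertisement from client")

    # DHCP Server Guard: server-to-client DHCPv6 coming from a client is a rogue server
    if nxt == NH_UDP and len(payload) >= 9:
        sport, dport = struct.unpack("!HH", payload[:4])
        if sport == DHCPV6_SERVER_PORT and dport == DHCPV6_CLIENT_PORT and payload[8] == DHCPV6_ADVERTISE:
            return ("drop", "DHCP Server Guard: DHCPv6 Advertise from client")

    return ("forward", None)


# Constructed client binding: global address from the slide's figure plus its link-local
CLIENT_GUA = "2001:db8:a:0:2329:9834:3231:1111"
CLIENT_LL = "fe80::2329:9834:3231:1111"
BOUND = {ipaddress.IPv6Address(CLIENT_GUA), ipaddress.IPv6Address(CLIENT_LL)}


def sample_verdicts():
    """Five constructed cases; returns {case: action}."""
    cases = {
        "rs": build_ipv6(CLIENT_LL, "ff02::2", NH_ICMPV6, icmpv6(ICMPV6_RS)),
        "rogue_ra": build_ipv6(CLIENT_LL, "ff02::1", NH_ICMPV6, icmpv6(ICMPV6_RA)),
        "dhcp_solicit": build_ipv6(CLIENT_LL, "ff02::1:2", NH_UDP,
                                   dhcpv6(DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT, DHCPV6_SOLICIT)),
        "rogue_dhcp_advertise": build_ipv6(CLIENT_LL, "ff02::1", NH_UDP,
                                           dhcpv6(DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT, DHCPV6_ADVERTISE)),
        "spoofed_src": build_ipv6("2001:db8:a::dead", "ff02::2", NH_ICMPV6, icmpv6(ICMPV6_RS)),
    }
    return {name: inspect_from_client(pkt, BOUND)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    print(sample_verdicts())
```

Legitimate client behaviour (Router Solicitation, DHCPv6 Solicit) passes; the checks only fire on roles a client never has on the WLAN, which is why they can be applied without per-client tuning.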
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
• IPv6 Deployment with Controllers
• Branch Office Designs
Branch Office with Local WLAN Controller
Overview
• Branches can also have local controllers
• Small or Mid-size Branch WLCs:
  • WLC 3504
  • Mobility Express
• High-availability design with central backup controller is supported; WAN limitations may apply
(Figure: Central Site with Backup Central Controller; Remote Site A, Remote Site B and Remote Site C each with a local WLC-3504 or Mobility Express, CAPWAP across the WAN)

Branch Office Deployment – FlexConnect
• Hybrid architecture
• Single management and control point
• Data Traffic Switching:
  • Centralized traffic (split MAC), or
  • Local traffic (local MAC)
• HA will preserve local traffic only
• Traffic Switching is configured per AP and per WLAN (SSID)

FlexConnect Glossary
Connected Mode: When the FlexConnect AP can reach the Controller, it gets help from the controller to complete client authentication.
Standalone Mode: When the FlexConnect AP cannot reach the Controller, it goes into standalone state and does client authentication by itself.
Local Switching: Data traffic switched onto local VLANs for an SSID
Central Switching: Data traffic tunneled back to WLC for an SSID
Flex AVC WAN Bandwidth Considerations
Deployment Type | WAN Bandwidth (Min) | WAN RTT Latency (Max) | Max APs per Branch | Max Clients per Branch
Data + Flex AVC | 75 Kbps             | 300 msec              | 5                  | 25

Test Conditions:
• 5 APs, 25 Client Setup
• 1 Locally Switched WLAN with WPA2 and PEAP
• Local Authentication with RADIUS server on FCG
• Application Visibility turned on at FCG
• Applications HTTP, FTP, RTP

Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices
BEST PRACTICES (AirOS) – For Your Reference
Make it Easy / Make it Work / Make it Perform

INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• FlexConnect Groups and Smart AP Upgrade

SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advance EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable Wi-Fi Direct
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers

WIRELESS / RF
• Disable Aironet IE
• Disable 802.11b data rates
• Restrict number of WLANs below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load

MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
WLC WLAN Express Setup Best Practices Day 0/1 (8.1)
Best Practice Knobs:
• AVC Visibility
• mDNS Snooping, new mDNS Profile for printer, http
• Local Profiling
• Band Select
• DHCP Proxy
• Secure Web access
• Virtual IP 192.0.2.1
• Multicast Forwarding Mode
• SNMPv3 (delete default)
• Mobility Name
• RF Group same as Mobility Name
• Aironet IE Disabled
• DHCP Required on Guest WLAN
• Management over Wireless
• 2.4 Low Data Rates Disabled
• Load Balancing
• Rogue Threshold Enabled
• Client Exclusion Enabled
• FastSSID Enabled
• Infra MFP
• RRM-DCA Auto
• RRM-TPC Auto
• CleanAir Enabled
• EDRRM Enabled
• Channel Width 40 MHz
• 5 GHz Channel Bonding

Save Time & Money
 Optimum starting point at Day 0/1 network setup
 RF parameter setting ease of use
 Enhanced performance, security, resiliency with best practice recommendations turned on at boot up time
http://youtu.be/aNVM3rW-Zkc
https://www.youtube.com/watch?v=nGFH38peF-w

Cisco and Apple Best Practices (8.5)
https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practices_for_iOS_devices_and_Mac_computers_on_Cisco_Wireless_LAN.pdf
WLC Config Analyzer – Per Controller Compliance
• Best Practices categorised into:
  • General
  • AP
  • Mobility
  • RF
  • Security
  • Voice
  • Mesh
  • Flex
• Per-Controller Compliance Level for each category
• Total/Passed/Failed checks

https://cway.cisco.com/tools/WirelessAnalyzer/
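A small compliance checker in the spirit of the Config Analyzer above, covering a subset of the AirOS best-practices list (SSH/telnet, HTTPS, management over wireless, NTP, FastSSID, 802.11b rates, RRM auto, CleanAir, channel bonding, Aironet IE, AP 802.1x). It is an added example, not the Analyzer or any Cisco tool: it reads a constructed AireOS-style `config ...` command script and reports Total/Passed/Failed per category. The command forms in the rules are AireOS CLI syntax as the author knows it; the rule set, the categories chosen and the sample script are the example's own.

```python
"""Best-practice compliance over an AireOS-style config script, reported per
category as Total/Passed/Failed. The sample script and the rule set are
constructed for illustration."""
import re

# Constructed sample config script (one AireOS 'config' command per line)
SAMPLE_CONFIG = """
config network telnet disable
config network ssh enable
config network secureweb enable
config network webmode disable
config network mgmt-via-wireless disable
config network fast-ssid-change enable
config 802.11b rate disabled 1
config 802.11b rate disabled 2
config 802.11b rate disabled 5.5
config 802.11b rate disabled 11
config wlan ccx aironet-ie disable 1
config 802.11a channel global auto
config 802.11a txPower global auto
config 802.11a cleanair enable network
config advanced 802.11a channel dca chan-width 40
config time ntp server 1 192.0.2.10
"""

# (category, check name, patterns): every pattern must match at least one config line
CHECKS = [
    ("Security", "SSH enabled",                  [r"^config network ssh enable$"]),
    ("Security", "telnet disabled",              [r"^config network telnet disable$"]),
    ("Security", "Secure web access (HTTPS)",    [r"^config network secureweb enable$"]),
    ("Security", "Plain HTTP disabled",          [r"^config network webmode disable$"]),
    ("Security", "Management over wireless off", [r"^config network mgmt-via-wireless disable$"]),
    ("General",  "NTP configured",               [r"^config time ntp server \d+ \S+$"]),
    ("General",  "FastSSID change enabled",      [r"^config network fast-ssid-change enable$"]),
    ("RF",       "802.11b data rates disabled",  [r"^config 802\.11b rate disabled %s$" % r
                                                  for r in ("1", "2", r"5\.5", "11")]),
    ("RF",       "RRM DCA auto (5 GHz)",         [r"^config 802\.11a channel global auto$"]),
    ("RF",       "RRM TPC auto (5 GHz)",         [r"^config 802\.11a txPower global auto$"]),
    ("RF",       "CleanAir enabled (5 GHz)",     [r"^config 802\.11a cleanair enable network$"]),
    ("RF",       "Channel bonding 40/80 MHz",    [r"^config advanced 802\.11a channel dca chan-width (40|80)$"]),
    ("RF",       "Aironet IE disabled on WLAN",  [r"^config wlan ccx aironet-ie disable \d+$"]),
    ("AP",       "802.1x authentication for AP", [r"^config ap dot1xuser add "]),
]


def parse_config(text):
    """Config lines, stripped, with blanks and '#' comments removed."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]


def run_checks(lines, checks=CHECKS):
    """Return {category: {"total": n, "passed": n, "failed": [check names]}}."""
    report = {}
    for category, name, patterns in checks:
        cat = report.setdefault(category, {"total": 0, "passed": 0, "failed": []})
        cat["total"] += 1
        if all(any(re.match(p, ln) for ln in lines) for p in patterns):
            cat["passed"] += 1
        else:
            cat["failed"].append(name)
    return report


def compliance_pct(report):
    total = sum(c["total"] for c in report.values())
    passed = sum(c["passed"] for c in report.values())
    return round(100.0 * passed / total, 1) if total else 0.0


if __name__ == "__main__":
    rep = run_checks(parse_config(SAMPLE_CONFIG))
    for category, c in rep.items():
        print(f"{category}: {c['passed']}/{c['total']} passed, failed: {c['failed']}")
    print("compliance:", compliance_pct(rep), "%")
```

The 802.11b check is deliberately all-of: disabling only 1 Mbps while leaving 2, 5.5 and 11 Mbps enabled does not meet the "disable 802.11b data rates" recommendation, and a single-pattern check would report it as passed.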
Summary – Key Takeaways
• Take advantage of the standards (CAPWAP, DTLS, 802.11 i, e, k, r…) and the Apple+Cisco relationship
• Wide range of architecture / design choices and High Availability
• Brand new controller portfolio (WLC3504, WLC5520, WLC8540, Virtual WLC) with investment protection
• Take advantage of innovations from Cisco (11ac wave2, Flexible Radio Architecture (FRA), CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc)
• Cisco's investment into technology – Cisco Prime, ISE, Stealthwatch, Umbrella and CMX
Cisco Enterprise Wireless Book
http://cs.co/wirelessbook

EN Booksprints
http://cs.co/cat9000book
http://cs.co/sdabook
http://cs.co/programmabilitybook
http://cs.co/wirelessbook
http://cs.co/assurancebook

Cisco Wireless LAN Documentation
https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-technical-reference-list.html
Catalyst 9800 Wireless Controller Documentation
Technical References: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-technical-reference-list.html
Configuration Guides: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-installation-and-configuration-guides-list.html
Technical Notes: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-configuration-examples-list.html

Global Sales Training
Click - https://www.youtube.com/user/CiscoWLAN/
Q&A
Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKEWN-2010

Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

Thank you