BRKEWN-2010 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Intent based networking: Bringing together best of breed platforms with an integrated architecture
(Figure: Learning, Intent, Context, Security)
Today, we are introducing the next chapter in our strategy
(Figure: Learning, Intent, Context, Security)
Agenda
• Intent Based Architecture
• Architecture Building Blocks
• Mobility in the Cisco Unified WLAN Architecture
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices
Intent based infrastructure – Wireless access points
World’s Smartest Access Point
Cisco Aironet 4800 AP with Intelligent Capture
All-in-one AP
Cisco DNA Center Assurance (Best-in-class performance, security and analytics)
Most Advanced Aironet Hardware
• 2.4/5GHz Macro Cell Wide Coverage (4 antennas)
• Hyperlocation Array (16 antennas) for Precise Location
The industry’s most comprehensive and innovative access point portfolio
The best infrastructure leads to the best outcomes
(Portfolio table: Good – Enterprise class, ideal for small to medium-sized deployments; Better – Mission critical; Best in class – High density; some models marked NEW)
Footnotes: 1 Future availability; 2 Available for high-powered only; 3 Available for wall plate and teleworker only; 4 Available for teleworker only
Designed to be Cisco DNA Ready
Industry’s Most Comprehensive Outdoor AP Portfolio
(Figure: outdoor APs 1540, 1560 and 1570, 802.11ac Wave 2; one model marked New*)
Sensor Anywhere Drives Intelligence of Cisco DNA Assurance to the edge
Test Your Network Anywhere at Any time at Real-world Client Level
(Figure: Onboarding & SLA Services; Configure Tests and Trigger Tests Remotely; Global Sensor Test Creation; Dynamic Issue Dashboard)
Intent Based Infrastructure – Wireless LAN Controller Portfolio
Multiple Deployment options & SD-Access Wireless Ready
(Figure: portfolio from Branch Deployment to Campus Deployment)
• Mobility Express: 100 APs, 2000 Clients
• Cisco vWLC**: 3000 APs, 32000 Clients (FlexConnect mode)
• Cisco 3504: 150 APs, 3000 Clients, 4 Gbps
• Cisco 5520: 1500 APs, 20,000 Clients, 20 Gbps
• Cisco 8540: 6000 APs, 64,000 Clients, 40 Gbps
Cisco Catalyst 9800 Wireless Controller Appliances
Catalyst 9800 Series Wireless Controllers – Translate business intent into network policy and capture actionable insights with Cisco DNA Center
(Figure: Cisco DNA Center with C9800-80 and C9800-40; Accuracy with Encrypted Traffic Analytics and Stealthwatch integration; Investment protection with modular uplinks; Catalyst 9800 SD-Access Embedded Wireless)
Catalyst 9800 Series Wireless Controller Appliances – C9800-40 and C9800-80
• Deployment Modes: Centralized, Distributed Branch, SDA and Mobility Express (Future)
• AP Modes: Local, FlexConnect, Monitor, Mesh^, Flex+Mesh^, Sensor, Sniffer
• Uplinks: GE, 10GE, 40GE, 100GE; 8 x 10 GE Modular Uplinks
• SP/RP Port, Fiber RP Port, USB 3.0, Redundant Power Supply (AC or DC)
• Fully programmable multi-core network processor; Support for Netflow, AVC and ETA
Catalyst 9800-80 Front Panel
(Figure: external interfaces and LEDs, shown alongside the 8540)
Industry’s First Controller with Modular 100G Uplink
C9800 Modules Support
• C9800-18X1GE: Eighteen 1GE ports that support small form-factor pluggable (SFP) optical transceivers to provide network connectivity. Ports are numbered 0 – 17.
• C9800-10X10GE: Ten 10GE ports that support small form-factor pluggable (SFP+) optical transceivers to provide network connectivity. Ports are numbered 0 – 9.
• C9800-1X40GE
• C9800-2X40GE
• C9800-1X100GE
Evolution of Wireless Controllers – Enterprise Campus and Full-Service Branch
THEN: 8540 – 6000 APs, 64000 Clients
NOW: Catalyst 9800-80 – 6000 APs, 64000 Clients, 80 Gbps Throughput
(Figure: 4 x 1GE/10GE Ports, Console, USB 3.0, SP/RP Port, Fiber RP Port)
Fully programmable multi-core network processor; Support for Netflow, AVC and ETA
Catalyst 9800-40 Front Panel
(Figure: external interfaces and LEDs, shown alongside AIR-CT-5508-K9)
Evolution of Wireless Controllers – Enterprise Campus and Full-Service Branch
THEN: 5520 – 1500 APs, 20000 Clients
NOW: Catalyst 9800-40 – 2000 APs, 24000 Clients, 40 Gbps Throughput
Catalyst 9800 for Private Cloud: Scale to 6,000 APs and 64,000 Clients^; Centralize, FlexConnect, Fabric
Catalyst 9800 for Public Cloud: Scale to 1,000 APs and 10,000 Clients; FlexConnect Local Switching
Cisco Unified Wireless Principles
(Figure: Cisco Prime or Cisco DNA Center, Wireless LAN Controllers, MSE/CMX, Campus Network, Aironet Access Point)
Centralized Wireless LAN Architecture
What is CAPWAP?
• CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller; it is based on LWAPP and runs over IPv4 or IPv6
• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
CAPWAP State Machine
(Figure: AP Boots Up → Discovery → DTLS Setup → Join → Image Data → Config → Run, with a Reset state)
Mobility Defined
• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving location in the networked environment
• Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!
• Mobility presents new challenges:
• Need to scale the architecture to support client roaming—roaming can occur intra-controller and inter-controller
• Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
• Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
• Mobility messages are exchanged between controllers
(Figure: Controller-B (MAC AA:AA:AA:AA:AA:02) and Controller-C (MAC AA:AA:AA:AA:AA:03) in one mobility group, joined by an Ethernet in IP Tunnel; Mobility Group Neighbors: Controller-B, AA:AA:AA:AA:AA:02; Controller-C, AA:AA:AA:AA:AA:03)
Scaling the Architecture with Mobility Groups
(Figure: a Mobility Domain containing Mobility Groups; 72 WLCs in a Mobility Domain; One WLC Network Mobility Group (8.5))
Integrating with existing AireOS Deployments
Inter Release Controller Mobility (IRCM) for AireOS and Catalyst 9800
IRCM: AireOS and Cisco Catalyst 9800
• Seamless roaming b/w Catalyst 9800 and AireOS 8.8 MR1 (3504/5520/8540)
(Figure: Catalyst 9800 WLC and AireOS 8.8 MR1 WLC connected by Secure Mobility (CAPWAP))
Cisco DNA Center Assurance – From Network Data to Business Insights
(Figure: data sources – Syslog, Netflow, SNMP, AAA, DHCP, DNS, IPAM, IPSLA, Ping, Traceroute, Telnet, Wireless CLI, OID/MIB, Router, AppD, CMX – feeding Complex Correlation, Baseline, Metadata extraction and Stream Processing for Clients, Application and Network)
Everything as a Sensor
Over 150+ Actionable Insights: Client | Applications | Wireless | Switching | Routing
Streaming Telemetry
Components of Cisco DNA Assurance
Streaming Telemetry – Subscription / Publication over NETCONF, RESTCONF or gNMI, using the YANG Data Model:
• Periodic or on-change
• Structured data
• Priority subscriptions
• Customized to recipient
• XML or JSON encoding
• NETCONF or HTTP/2 transport
• Increased scale
• Reduced CPU and bandwidth consumption
(Figure: Open and Native Programmable Interfaces for Configuration and Operational data; Device Features such as Interface, BGP, QoS, ACL …; Physical and Virtual Network Infrastructure; SNMP)
Cisco DNA Center can manage all wireless deployment modes for Automation and Assurance
(Figure: SDA-Wireless – Policy Segmentation and consistent wired-wireless management; Centralized – Simplified deployment for large campuses; FlexConnect – Ease of Deployment, eliminate the need for a Controller at every Site for a distributed deployment; Mobility Express – Controller-less management for distributed deployments and small sites. Configure and set up: from a web browser or the Cisco wireless app, use the setup wizard to enable multiple APs simultaneously)
Key Innovations with 1.2.10 using 8.8/16.10 release
Wireless Innovations built ground-up for Assurance
• Real-time Client RF stats, Location and Onboarding states
• Roaming Insights for Fastlane with iOS vs non-iOS client analysis
• Client Onboarding Top N Analytics with Sankey charts
• Validate RF experience of a client while onboarding to a network
• Speed tests to validate Cloud app performance and connectivity
• IP SLA tests for Real-time AppX assessment for VOIP apps
• Live and In-Service capture of Onboarding failures with PCAPs
• Spectrum Analyzer for analyzing Interference sources
• On-Demand AP stats for Wi-Fi troubleshooting
IOS-XE based Catalyst 9800 series wireless controllers will be supported on 1.2.10
Key Use Cases that are solved
Use Case 1: Client is failing to on-board to a network (Client Onboarding)
1. Actionable Dashboards: Onboarding Sankey charts for better analysis
2. Real-time Correlation: Correlate Onboarding events with poor RF and client location for RCA
3. Intelligent Capture: Onboarding failures with In-service PCAPs
Use Case 2: Client is having a poor wireless experience (Client and Network Experience)
1. Health Dashboard: Near-Real time Client tracking (<60 sec) and Top N AP analytics
2. Client 360: Historical Time travel with client RF correlated with the Onboarding events
3. Intelligent Capture: On-Demand AP stats for Wi-Fi troubleshooting
Use Case 3: Client is having a poor App experience (Application Experience)
1. Health Dashboard: Overall health of business relevant apps and Top N App analytics
2. App 360: Time travel with qualitative and quantitative assessment for network and S4B server
Agenda
• Intent Based Architecture
• Architecture Building Blocks
• Mobility in the Cisco Unified WLAN Architecture
• Cisco Mobility Express
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices
Mobility Express WLAN Deployment
Branch solution for small, medium or distributed enterprise with multiple management options
(Figure: Mobility Express managed from a Mobile App or WebUI; Mobility Express in Branch managed by Cisco DNA Center; Controller Based in campus)
Cisco Mobility Express
Branch Solution for Appliance-less WLC-Based Networks for up to 100 APs
Ease of Deployment with Resiliency & Scale:
• Manage up to 100 APs, 2000 clients without additional licensing costs
• Best practices on by default & built-in redundancy for resilient operations
• Localized with Chinese, Japanese & Korean
• Management simplicity with mobile app & WebUI
AVC & CMX:
• Understand what is running on your network
• Bidirectional rate limit per WLAN/SSID/Client
• CMX Location & Presence Analytics
• CMX Engage/Cloud integration for personalized and relevant guest experience
RF Excellence & Apple Innovations:
• Flexible Radio Assignment & Dual 5GHz for best Wi-Fi experience
• Best in class RF with HDX – ClientLink, CleanAir & Spectrum Intelligence
• Apple Fast Lane with optimized Wi-Fi connectivity & prioritized business applications
Guest & Security:
• Multiple guest onboarding options with built-in lobby ambassador
• Rogue detection & classification
• ISE/Radius, Walled Garden support and BYOD integration
• 802.1x support on AP with EAP-TLS and EAP-PEAP
Cisco DNA Center & Multi-site Deployment:
• Day0 PnP with config & image download
• Cisco DNA Automation & Assurance EFT available with Cisco DNAC 1.2
• Cisco DNA Automation & Assurance GA in Cisco DNAC 1.3
• Intelligent Capture EFT in Cisco DNAC 1.3 & AireOS 8.8
Cisco DNA Ready for Small to Medium Size, Single or Multi site Deployments
Evolution of Mobility Express Solution
Timeline: AireOS 8.7 (Apr 2018), AireOS 8.8 (Aug 2018), AireOS 8.8 MR1 (Oct 2018), AireOS 8.8 MR2 (Nov 2018)
Features introduced across these releases:
• Authentication Caching
• Post Auth DNS ACLs
• Umbrella support
• IPSK
• Support for TLS Gateway
• mDNS Gateway support
• Videostream support (MC2UC)
• Efficient AP Join
• S/W Update during Day 0 using Network PnP
• Schedule WLAN
• Support for SFTP software download transfer mode
• Option 43 support for ME
• Support for Optimal AP Join
• FQDN support for SFTP Server
• Support for BDRL per client, BSSID and WLAN
• Cisco RFID Tag support
• EoGRE support
• Ability to limit clients per WLAN, per radio
• Support for RLANs
• Support for Passive Clients
• 802.1x supplicant support on AP with EAP-TLS and EAP-PEAP
• Walled Garden, Radius NAC
• DNS ACLs (Pre-auth ACL, IPv4 only)
• Central Web Authentication
• BYOD support
Cisco Mobility Express: Indoor Access Point Support
(Figure: 1815, 1830, 1850, 2800 and 3800 spanning Enterprise Class, Mission Critical and Best in Class)
Best Practices For High Performance Mobile Infrastructure
• RF Planning – Engineer the WLAN for data, voice, video, location, and client density: 802.11ac: -65 to -67 RSSI; 10 – 20% cell overlap; 1 AP / 2500 sq ft
• RF Optimization – Optimise Gigabit Wi-Fi as primary connectivity, Gig Ethernet as fallback: Cisco CleanAir, ClientLink, RRM
• High Availability – Replicate the High Availability of the LAN on the WLAN: LAN SSO – Edge, Core, Disti; WLAN SSO – Client, AP, Controller
• Application Visibility & Control – Prioritise mission critical business applications over personal applications: Cisco AVC – Identify, Prioritise, Control Apps across LAN, WLAN
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
• Local Profiling and Policy Classification
• Application Visibility Control
• Umbrella (OpenDNS)
• TrustSec
• Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs
Centralized Mode HA
Requirements:
• Minimum release: 8.0
• WLC: 5508, WiSM2, 7500, 8510
• Client SSO L2 connection
• Same HW and software
• 1:1 box redundancy
Benefits:
• Active Client State is synched
• AP state is synched
• No Application downtime
• HA-SKU available
• Network Uptime
Controller Redundancy
• Redundant WLC in a geographically separate location
(Figure: WLAN-Controller-1 and WLAN-Controller-BKP; APs Configured With: Primary: WLAN-Controller-1, Secondary: WLAN-Controller-BKP)
Controller Redundancy – High Availability
• High Availability Principles : Primary WLC
Stateful Switchover (SSO)
• True Box to Box High Availability i.e. 1:1
• One WLC in Active state and second WLC in Hot Standby state
• Secondary continuously monitors the health of Active WLC via dedicated link
Pairing 5520/8540 for SSO
(Figure: the two controllers connected over L2; Status LEDs; RP Port for HA SSO)
High Availability (Client SSO) with Catalyst 9800 Platforms
A direct physical connection between the Active and Standby Redundant Ports, or Layer 2 connectivity, is required to provide stateful redundancy within or across datacenters
(Figure: C9800-40-K9 and C9800-80-K9 Redundancy Port Connectivity – Gigabit SFP RP port to Gigabit SFP RP port, directly or RP via L2; for the virtual controller, vWLC1-Active with vWLC1-Standby, or vWLC1-Active with vWLC2-Standby and vWLC2-Active with vWLC1-Standby, each VM’s HA interface attached to a vswitch and the vswitches joined through a switch)
Connecting 5520/8540 SSO Pair to Wired Network – Recommended Network Design
(Figure: each WLC connects with two L2 trunk port-channels, Po 1 and Po 2, to a Catalyst VSS pair)
Spread the links in each PC among the two physical switches to prevent a WLC switchover upon a failure of one of the VSS switches
High Availability – Design and Deployment
• Connecting WLC3504 HA Pair to the wired network
(Figure: Single Switch or stack, or Catalyst VSS Pair; L2 trunk port-channels Po 1 and Po 2, with the same configuration on both Po1 and Po2)
Web-GUI Configuration
SSO Behavior and Recommendations
• RTT latency on Redundancy Link: 80 milliseconds or less (80% of the keepalive timer)
• Preferred MTU on Redundancy Link: 1500 or above
• Bandwidth on Redundancy Link: 60 Mbps or more
• Recommended to have Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks
• Keepalive/Peer Discovery timers should be left at their default values for better performance
• Default box failover detection time is 3 × 100 ms = 300 ms, + 60 ms = 360 ms, + jitter (12 msec) = ~400 msec
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
• Local Profiling and Policy Classification
• Application Visibility Control
• Umbrella (OpenDNS)
• TrustSec
• Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs
AP-Groups - Default AP-Group
• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
• Default AP-Group cannot be modified
• APs with no assignment to a specific AP-Group will use the Default AP-Group
• The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
AP-Grouping in Campus
(Figure: a single SSID "Employee" on VLAN 100 (/21) across the Access, Distribution and Core layers, with CAPWAP tunnels to WLC-1 and WLC-2 in the Data Centre; single WAN and Internet)
AP-Grouping in Campus
(Figure: the same SSID "Employee" split across AP-Group-1 on VLAN 60 /23, AP-Group-2 on VLAN 70 /23 and AP-Group-3 on VLAN 80 /23, alongside VLAN 100 /21, with CAPWAP tunnels to WLC-1 and WLC-2 in the Data Centre; single WAN and Internet)
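An added example (written for this page, not Cisco code) that models the AP-Group rules above and the campus figures: WLAN IDs 1–16 form the fixed default AP-Group, an AP without an assignment uses it, WLANs 17 and up are served only by the custom AP-Groups that carry them, and the same WLAN lands on a different dynamic interface in each AP-Group (VLAN 60/70/80 for the Employee SSID, as in the figure). The group name default-group, the interface names, the extra WLANs and the AP names are constructed for the example; the point it shows is which SSIDs an AP ends up broadcasting and which VLAN a client is placed on, i.e. the segmentation outcome of an AP-Group assignment.

```python
"""AP-Group resolution modelled on the AireOS rules on this slide (added
example, not Cisco code): WLAN IDs 1-16 form the fixed default AP-Group, an
AP with no assignment uses it, WLAN IDs 17+ are only served where a custom
AP-Group carries them, and one WLAN may map to a different dynamic interface
in each AP-Group. Names below are constructed."""

DEFAULT_GROUP = "default-group"   # hypothetical name for the default AP-Group


class ApGroupConfig:
    def __init__(self, wlans):
        # wlans: {wlan_id: (ssid, global_interface)}; interface names are constructed
        self.wlans = dict(wlans)
        self.groups = {}        # custom group name -> {wlan_id: interface}
        self.ap_to_group = {}   # AP name -> group name

    def add_group(self, name, wlan_interfaces):
        """Create a custom AP-Group; the default group is not editable."""
        if name == DEFAULT_GROUP:
            raise ValueError("Default AP-Group cannot be modified")
        unknown = set(wlan_interfaces) - set(self.wlans)
        if unknown:
            raise ValueError(f"unknown WLAN IDs {sorted(unknown)}")
        self.groups[name] = dict(wlan_interfaces)

    def assign_ap(self, ap, group):
        if group not in self.groups:
            raise ValueError(f"AP-Group {group!r} does not exist")
        self.ap_to_group[ap] = group

    def group_of(self, ap):
        """An AP with no explicit assignment falls into the default AP-Group."""
        return self.ap_to_group.get(ap, DEFAULT_GROUP)

    def wlan_map(self, group):
        """WLAN ID -> interface for a group; the default group is WLAN IDs 1-16
        on their globally configured interfaces."""
        if group == DEFAULT_GROUP:
            return {wid: iface for wid, (_, iface) in self.wlans.items() if wid <= 16}
        return self.groups[group]

    def broadcast_ssids(self, ap):
        """SSIDs this AP advertises, given its AP-Group."""
        return sorted(self.wlans[wid][0] for wid in self.wlan_map(self.group_of(ap)))

    def client_interface(self, ap, ssid):
        """Interface (VLAN) a client joining `ssid` through `ap` is placed on,
        or None when that AP-Group does not carry the WLAN."""
        for wid, iface in self.wlan_map(self.group_of(ap)).items():
            if self.wlans[wid][0] == ssid:
                return iface
        return None


def build_campus():
    """Constructed campus: Employee (WLAN 1), Guest (WLAN 2) and an IoT WLAN
    with ID 17 that only AP-Group-2 carries."""
    cfg = ApGroupConfig({1: ("Employee", "vlan100"), 2: ("Guest", "vlan200"),
                         17: ("IoT", "vlan300")})
    cfg.add_group("AP-Group-1", {1: "vlan60", 2: "vlan200"})
    cfg.add_group("AP-Group-2", {1: "vlan70", 2: "vlan200", 17: "vlan300"})
    cfg.add_group("AP-Group-3", {1: "vlan80"})
    cfg.assign_ap("ap-bldg1-floor2", "AP-Group-1")
    cfg.assign_ap("ap-bldg2-floor1", "AP-Group-2")
    return cfg


def default_group_is_locked(cfg):
    """True when an attempt to redefine the default AP-Group is refused."""
    try:
        cfg.add_group(DEFAULT_GROUP, {})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    campus = build_campus()
    for ap in ("ap-unassigned", "ap-bldg1-floor2", "ap-bldg2-floor1"):
        print(ap, campus.group_of(ap), campus.broadcast_ssids(ap),
              "Employee ->", campus.client_interface(ap, "Employee"))
```

Running it shows an unassigned AP advertising only WLANs 1–16 on their global interfaces (so a client on Employee lands on vlan100 and the IoT WLAN is not offered at all), while the same Employee SSID places clients on vlan60 or vlan70 depending on the AP-Group of the AP they joined through.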
Default AP-Group
(Screenshot: Network Name – Default AP Group)
Multiple AP-Groups
(Screenshot: AP Group 1, AP Group 2, AP Group 3)
HD Config Tip: RF Profiles for Fine-Tuning
• You can create separate RF profiles for both 2.4 and 5 GHz
(Screenshot: Load Balancing and High Density settings)
Network Profiles GUI
Sets pre-defined RF parameters depending on “Client” Density and Traffic Type
Client Density: High, Typical, Low
Pre-built RF Profiles
Client Density specific pre-built RF profiles for 2.4 GHz and 5GHz Bands – to be used with AP Groups
(Figure: campus Access, Distribution and Core layers with CAPWAP tunnels to WLC-1 and WLC-2 in the Data Centre; SSID "Employee" on VLAN 60/61, VLAN 70/71 and VLAN 80/81 per AP Group; single WAN and Internet)
Flexible Radio Assignment
• Default operating mode – 5GHz Serving + 2.4GHz Serving: Serve Clients on both 2.4GHz and 5GHz
• Dual 5GHz Support – 5GHz Serving + 5GHz Serving: both radios serving clients on 5GHz; Maximum over the air data rate up to 5.2Gbps
Radio Role Assignment – Auto/Manual
• Selecting a 2800/3800/4800 802.11-abgn interface – config
• Auto (default) makes the radio available to FRA
• Manual takes the Radio out of Global FRA
Cisco Dynamic Bandwidth Selection (DBS) 8.1
(Figure: DBS inputs – Non Wi-Fi Noise, Client Protocol & Traffic (11n/11ac), Channel Utilisation; DBS: Auto, Configure Globally)
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
• Local Profiling and Policy Classification
• Application Visibility Control
• Umbrella (OpenDNS)
• TrustSec
• Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs
Local Profiling and Policy Classification
ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
Policy Classification
(Figure: identity inputs – Username (John), User Role (Student, Teacher, Admin), Device Type, Identity, Session timeout, Time of Day – mapped to policy outcomes VLAN, ACL, QoS)
Configuring Client Profiles
• Client profiling uses pre-existing profiles in the controller
• Custom profiles are not supported in this release
• Wireless clients are profiled based on the MAC OUI, DHCP and HTTP user agent
• DHCP is required for DHCP profiling, Webauth for HTTP user agent profiling
• 8.7 release contains 234 pre-existing profiles
CLI syntax: config wlan profiling {local | radius} {dhcp | http | all} <wlan ID>
(Cisco Controller) >config wlan profiling local all enable 1
Client Profiles Details
Application Visibility and Control
Why Do You Need AVC?
• Visibility: Threats (worms and Trojans) move laterally (east-west). A central application sensor will not see this at all
• Detection: Path to server may be different than the return path—may not be able to determine the application
• Troubleshooting: Essential to have visibility at multiple points to break down the problem and get to resolution faster
• Control: Latency metrics such as response time, transaction time, network and application delay are needed to control the apps
Enabling Application Visibility and Control
AVC is enabled per WLAN to Allow Deep Packet Inspection
(Screenshot of the per-WLAN AVC setting)
How Does AVC Classify Applications: Cisco Jabber
How Does AVC Classify Applications: MS Lync
Policy tie-in with AVC
• WLC v7.4 and later: Application-based Policies, Per WLAN
• WLC v8.0: User-aware and Device-aware (User-role aware, Device-aware)
• Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
• Alice can access EHS records on an (IT provisioned) Windows Laptop but cannot on a personal (unsecure) iPad
AVC Profile Per User Device
(Figure: AP with SSID: Classroom, Security: WPA2/802.1x; Switch; WLC; AAA server; Teacher role mapped to the Teacher Network, Student role to the Student Network)
AAA returns per user:
Cisco-av-pair=avc-profile-name=<avc profile on wlc>
Cisco-av-pair=role=<role name>
Cisco Umbrella WLC Integration 8.5
Cisco Umbrella – Offering Domain Level Visibility
• Cloud delivered network security service
(Figure: Cisco Umbrella Cloud – DNS layer Security; Internet wide visibility; Predictive Threat Intelligence; Security Visibility – Application Insights, Policy Compliance; Category: Malware, Phishing, Ransomware, malware/Botnet; Identity: Internal IP, AD User; Coverage, Protection, Intelligence, Performance)
Cisco Umbrella – WLC Packet Flow
WLC and Cisco Umbrella registration (One Time):
• On Cisco Umbrella account: Get API Token for Cisco Umbrella device registration
• On WLC: Apply Token and create Profile
• Device (Profile) Registration: HTTPS used in this phase
(Figure: WLC to Cisco Umbrella Cloud – Content Filtering, Security Enforcement, Compliance, Category based Filtering, Whitelist & Blacklist – then on to Internet Web Services)
8.5 Identity PSK
Identity PSK: Multiple PSKs per SSID allow advanced security encryption across all devices
• Increased demand for IoT devices
• Identity security without 802.1x
• Private PSK with RADIUS integration
• Per client AAA override (VLAN / ACL etc)
(Figure: Lower Risk and Meet Compliance; Integrated Security; Advanced Security; Simple Operations; High Scale; Cost Effective)
Cisco Advantage: Highly scalable identity PSK solution designed for a large multi controller network
Identity PSK (8.5!)
✓ PSK WLAN
✓ AAA Override
(Figure: Access Point – Wireless LAN Controller – ISE. IoT Devices use PSK xxyyzz, Sensors use PSK aabbcc, Employees get No PSK from ISE and use the WLAN PSK)
Cisco-AVPair attributes returned by the RADIUS server:
Cisco-AVPair += "psk-mode=ascii"
Cisco-AVPair += "psk=xxyyzz"
Cisco-AVPair += "psk=aabbcc"
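An added example (written for this page, not Cisco or ISE code) of the key-selection logic the figure implies: the WLC looks the client MAC up over RADIUS and, when the Access-Accept carries Cisco-AVPair psk-mode and psk attributes, uses that per-client key for the 4-way handshake; with no psk attribute the WLAN PSK applies, so one SSID yields a different PMK per device class, and an AAA override such as a VLAN rides along in the same reply. The endpoint table, MAC addresses, keys and the VLAN value are constructed; psk-mode=hex is taken from Cisco's IPSK documentation rather than this slide; the PMK derivation is the standard WPA2 PBKDF2 over the SSID. The slide's xxyyzz and aabbcc are placeholders too short for a real WPA2 passphrase, so the example uses keys of valid length and fails closed on an invalid one.

```python
"""Identity PSK key selection, modelled on the AireOS 8.5 behaviour in this
section (added example, not Cisco or ISE code). A PSK WLAN with AAA override
sends the client MAC to RADIUS; if the Access-Accept carries Cisco-AVPair
"psk-mode=<ascii|hex>" and "psk=<key>", that per-client key feeds the 4-way
handshake, otherwise the WLAN's own PSK does. psk-mode=hex comes from Cisco's
IPSK documentation, not this slide. PMK = PBKDF2-HMAC-SHA1(passphrase, SSID,
4096 iterations, 32 bytes) is the standard WPA2 derivation."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusReply:
    code: str                                     # "Access-Accept" or "Access-Reject"
    avpairs: list = field(default_factory=list)   # Cisco-AVPair values
    vlan: Optional[str] = None                    # Tunnel-Private-Group-ID (AAA override)


# Constructed stand-in for the ISE endpoint policy; MACs, keys and VLAN are made up.
ENDPOINT_DB = {
    "00:11:22:33:44:55": RadiusReply("Access-Accept",
                                     ["psk-mode=ascii", "psk=iot-sensor-key-2019"], vlan="60"),
    "00:11:22:33:44:66": RadiusReply("Access-Accept", ["psk-mode=hex", "psk=" + "ab" * 32]),
    "00:11:22:33:44:77": RadiusReply("Access-Accept", []),     # employee: no psk attributes
    "00:11:22:33:44:88": RadiusReply("Access-Reject"),
    "00:11:22:33:44:99": RadiusReply("Access-Accept", ["psk-mode=ascii", "psk=short"]),
}


def parse_avpairs(avpairs):
    """Split Cisco-AVPair strings of the form key=value; a repeated key keeps the last value."""
    attrs = {}
    for pair in avpairs:
        key, sep, value = pair.partition("=")
        if sep: # ignore values without '='
            attrs[key.strip()] = value.strip()
    return attrs


def derive_pmk(mode, key, ssid):
    """Return the 32-byte PMK for an ASCII passphrase or a raw 64-hex-digit PSK."""
    if mode == "ascii":
        if not 8 <= len(key) <= 63:
            raise ValueError("WPA2 passphrase must be 8 to 63 characters")
        return hashlib.pbkdf2_hmac("sha1", key.encode(), ssid.encode(), 4096, 32)
    if mode == "hex":
        if len(key) != 64:
            raise ValueError("hex PSK must be 64 hex digits")
        return bytes.fromhex(key)
    raise ValueError(f"unsupported psk-mode {mode!r}")


def resolve_client_psk(mac, ssid, wlan_psk, reply=None):
    """Decide which key a client on an Identity PSK WLAN authenticates with.

    Returns {"source": "radius"|"wlan", "pmk": bytes, "vlan": str|None}, or None
    when RADIUS rejects the client or returns an unusable key (this example
    fails closed instead of silently falling back to the WLAN PSK).
    """
    if reply is None:
        reply = ENDPOINT_DB.get(mac, RadiusReply("Access-Reject"))
    if reply.code != "Access-Accept":
        return None
    attrs = parse_avpairs(reply.avpairs)
    if "psk" in attrs:
        try:
            pmk = derive_pmk(attrs.get("psk-mode", "ascii"), attrs["psk"], ssid)
        except ValueError:
            return None
        return {"source": "radius", "pmk": pmk, "vlan": reply.vlan}
    return {"source": "wlan", "pmk": derive_pmk("ascii", wlan_psk, ssid), "vlan": reply.vlan}


if __name__ == "__main__":
    for mac in ENDPOINT_DB:
        result = resolve_client_psk(mac, "Classroom", "corp-wlan-passphrase")
        print(mac, "rejected" if result is None else
              f"{result['source']} key, PMK {result['pmk'].hex()[:16]}..., VLAN {result['vlan']}")
```

The two IoT entries end up with PMKs unrelated to the employee PMK even though all three share the Classroom SSID, which is the property Identity PSK is meant to deliver; the short-key entry is rejected rather than quietly handed the WLAN PSK, a design choice of this example that keeps a misconfigured RADIUS profile from widening access.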
Summarize - Security & Policies
Enterprise SSID Security and Segmentation
• Category-Based Filtering Based on Umbrella Policy
• Role Based Access Control Based on Scalable Group Tags and SGACLs
(Figure: Marketing, Sales and Contractor users authenticate with 802.1x; Marketing SGT = 4, Sales SGT = 5; SGACLs control access to the Server across the Enterprise Backbone)
IPv6 Overview
(Figure: CAPWAPv6 tunnel over Ethernet between the APs and the WLC; WLC Mgmt: 2001:db8:a::2/64 and 10.10.10.2; IPv4/v6 router 2001:db8:a::1/64 and 10.10.10.1; AP and client addresses 10.10.10.51, 10.10.10.52, 2001:db8:a:0:8a56:caff:1547:9150, 2001:db8:a:0:2329:9834:3231:1111 and 2001:db8:a:0:1827:91bf:c41b:9683 (IPv6 Client), with an IPv4 Client over 802.11; servers at 2001:db8:a:5/64 and 2001:db8:a:6/64 – SNMP Server, Syslog Server, NTP Server, tftp/ftp/scp Server)
Management Access (telnet, SSH, HTTP, HTTPS)
(Figure: WLC Mgmt: 2001:db8:a::2/64 and 10.10.10.2)
• WLC can be accessed from wired/wireless via its IPv6 Management Interface using:
• telnet
• SSH
• HTTP
• HTTPS
CAPWAPv6
• AP can get IPv6 addresses from stateful DHCPv6, SLAAC or static assignment
• If statically assigned, the gateway can be the unique global or Link-Local address of the router
• Either CAPWAPv4 or CAPWAPv6 can be used, but not both
• APs in bridge mode do not support CAPWAPv6
AP Failover
(Figure: WLC1, WLC2, WLC3)
• Management IP address must be reachable
• One entry per WLC
IPv6 Guest Access
• Virtual IP address is IPv4 only
• Virtual IP should be the same for all WLCs in the same mobility group
Wireless IPv6 client First Hop Security on WLAN
(Figure: IPv6 client over 802.11 to the AP, CAPWAP over IPv4 Ethernet to the WLC, IPv6 VLAN on the wired side)
• RA Guard – Router Advertisement from a client blocked at the AP (Local and FlexConnect)
• IPv6 Source Guard – Undesired IPv6 Addresses/Prefix
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimization - AP Groups / RF Groups / HDX
• Security & Policies
• IPv6 Deployment with Controllers
• Branch Office Designs
Branch Office with Local WLAN Controller – Overview
• Branches can also have local controllers
• Small or Mid-size Branch WLCs
(Figure: Central Site with a Central Controller and a Backup Central Controller; Remote Site A, Remote Site B and Remote Site C with local WLCs, connected via CAPWAP)
Branch Office Deployment
FlexConnect
• Hybrid architecture
FlexConnect Glossary
• Connected Mode: When the FlexConnect AP can reach the Controller, it gets help from the controller to complete client authentication.
• Local Switching: Data traffic switched onto local VLANs for an SSID
Flex AVC WAN Bandwidth Considerations
Deployment Type | WAN Bandwidth (Min) | WAN RTT Latency (Max) | Max APs per Branch | Max Clients per Branch
Test Conditions:
• 5 APs, 25 Client Setup
• 1 Locally Switched WLAN with WPA2 and PEAP
• Local Authentication with RADIUS server on the FCG (FlexConnect Group)
• Application Visibility turned on at the FCG
• Applications: HTTP, FTP, RTP
Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices
For Your Reference
BEST PRACTICES (AirOS)
Legend: Make it Easy / Make it Work / Make it Perform

• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• FlexConnect Groups and Smart AP Upgrade

SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advanced EAP timers
• Disable Management Over Wireless
• Disable Wi-Fi Direct
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers

WIRELESS / RF
• Disable Aironet IE
• Disable 802.11b data rates
• Restrict number of WLANs below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups

MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practices_for_iOS_devices_and_Mac_computers_on_Cisco_Wireless_LAN.pdf
WLC Config Analyzer – Per Controller Compliance
• Best Practices categorised into:
  • General
  • AP
  • Mobility
  • RF
  • Security
  • Voice
  • Mesh
  • Flex
• Per-Controller Compliance Level for each category
• Total/Passed/Failed checks
https://cway.cisco.com/tools/WirelessAnalyzer/
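As an added example of the per-controller Total/Passed/Failed compliance view described above (not Cisco's WLC Config Analyzer and not code from the deck), the script below checks a few of the AirOS best practices from the table against a configuration dump. The AirOS command syntax and the sample configuration are assumptions for illustration.

```python
# Added example (not Cisco's WLC Config Analyzer): per-controller best-practice
# compliance over an AirOS config dump. Command syntax is assumed from
# 'show run-config commands' output; verify against your release. The sample
# config below is constructed.
import re
# category -> list of (best-practice name, regexes that must ALL match a line)
CHECKS = {
    "Security": [
        ("Disable Management Over Wireless", [r"^config network mgmt-via-wireless disable$"]),
        ("Secure Web Access (HTTPS)", [r"^config network secureweb enable$",
                                       r"^config network webmode disable$"]),
    ],
    "General": [
        ("Enable NTP", [r"^config time ntp server \d+ \S+$"]),
        ("Enable AP Multicast Mode", [r"^config network multicast mode multicast \S+$"]),
    ],
    "RF": [
        ("Disable 802.11b data rates", [r"^config 802\.11b rate disabled %s$" % r
                                        for r in ("1", "2", "5\\.5", "11")]),
    ],
}

def check_compliance(config_text):
    """Return {category: {"total", "passed", "failed": [names], "level": %}}."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    report = {}
    for category, checks in CHECKS.items():
        # a check fails if any of its required command lines is absent
        failed = [name for name, patterns in checks
                  if not all(any(re.match(p, l) for l in lines) for p in patterns)]
        passed = len(checks) - len(failed)
        report[category] = {"total": len(checks), "passed": passed, "failed": failed,
                            "level": round(100.0 * passed / len(checks), 1)}
    return report

SAMPLE_CONFIG = """\
config network mgmt-via-wireless disable
config network secureweb enable
config network webmode enable
config time ntp server 1 10.0.0.5
config 802.11b rate disabled 1
config 802.11b rate disabled 2
config 802.11b rate disabled 5.5
config 802.11b rate disabled 11
"""

if __name__ == "__main__":
    for cat, r in check_compliance(SAMPLE_CONFIG).items():
        print(f"{cat}: {r['passed']}/{r['total']} passed ({r['level']}%), failed: {r['failed']}")
```

In the constructed sample, plain HTTP web access is still enabled, so the HTTPS-only check fails even though secureweb is on.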
Summary – Key Takeaways
• Take advantage of the standards (CAPWAP, DTLS, 802.11i, 802.11e, 802.11k, 802.11r, ...) and the Apple+Cisco relationship
• Wide range of architecture / design choices and High Availability
• Brand new controller portfolio (WLC3504, WLC5520, WLC8540, Virtual WLC) with investment protection
• Take advantage of innovations from Cisco (11ac Wave 2, Flexible Radio Architecture (FRA), CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
• Cisco's investment into technology – Cisco Prime, ISE, Stealthwatch, Umbrella and CMX
Cisco Enterprise Wireless Book
http://cs.co/wirelessbook
EN Booksprints
http://cs.co/cat9000book
http://cs.co/sdabook
http://cs.co/programmabilitybook
http://cs.co/wirelessbook
http://cs.co/assurancebook
Cisco Wireless LAN Documentation
https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-technical-reference-list.html
Catalyst 9800 Wireless Controller Documentation
• Technical References: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-technical-reference-list.html
• Configuration Guides: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-installation-and-configuration-guides-list.html
• Technical Notes: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-configuration-examples-list.html
Sales Training
Click - https://www.youtube.com/user/CiscoWLAN/
Q&A
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKEWN-2010
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Continue Your Education
Thank you