Design and Deployment of Enterprise WLANs
Sujit Ghosh, Sr. Mgr. Technical Marketing, EISG
BRKEWN-2010

Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Unified Wireless Principles
• Components
  • Wireless LAN controllers (WLC)
  • Aironet access points (AP)
  • Management (Prime Infrastructure) (PI)
  • Mobility Service Engine (MSE) / CMX
• Principles
  • AP must have CAPWAP connectivity with WLC
  • Configuration downloaded to AP by WLC
  • All Wi-Fi traffic is forwarded to the WLC
[Figure: Wireless LAN Controllers, Aironet Access Point, Cisco Prime Infrastructure and MSE/CMX connected through the Campus Network]
Centralised Wireless LAN Architecture
What is CAPWAP?
• CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller; it is based on LWAPP and runs over IPv4 or IPv6
• CAPWAP carries control and data traffic between the two
• Control plane is DTLS encrypted
• Data plane is DTLS encrypted (optional)
• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
• CAPWAP is not supported on Layer 2 mode deployment
[Figure: Wi-Fi Client – Access Point – CAPWAP Controller – Business Application, with the control plane and data plane carried between AP and controller]
CAPWAP State Machine
[Figure: AP Boots Up → Discovery → DTLS Setup → Join → Image Data → Config → Run; Reset is the remaining state shown]

Cisco Wireless Plug-N-Play
Network Plug-N-Play – Simple, Secure, Scalable
Today's Process: a Central Staging Facility installs the OS, installs the config and primes each device; the Network Admin or an Installer then ships and installs the equipment at Site-1, Site-2 and Site-3.
Network PnP:
1. Network Admin pre-provisions projects/sites
2. Installer installs and powers on the devices, which the Reseller/Partner ships straight to the site(s)
3. Network Admin monitors device installation
Business Challenges
• Direct Costs: shipping after configuring device; travel costs for IT installer
• Complexity: config errors; different products / processes
• Security: 3rd party not secure
• Time/Productivity: manual process; shipping, storage, travel
Network PnP Discovery Options
Applies to Catalyst switches, ISR/ASR routers and wireless APs.
1. DHCP with Option 43 – PnP string: 5A1D;B2;K4;I172.19.45.222;J80
2. DNS lookup – pnpserver.localdomain resolves to the PnP server, e.g. 172.19.45.222
3. Cloud re-direction
4. Manual – using the Installer App (iPhone, iPad, Android)
5. CAPWAP-based WLC discovery (for AP only)
The figure marks two of these options as available for a brand new device only.
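The option 43 payloads on this slide, worked as code. This is an added example, not Cisco's implementation: it parses the PnP string shown (the field meanings are the commonly documented PnP convention and are taken here as an assumption) and encodes/decodes the CAPWAP WLC-discovery sub-option (type 0xF1 followed by an IPv4 list) that option 5 relies on. Both payloads arrive unauthenticated over DHCP, so strict parsing, plus the DTLS-protected join described on the CAPWAP slide, is what keeps a device from acting on a malformed or spoofed hint.

```python
"""Parse and build the two DHCP option 43 payloads the discovery slide lists.

Added example (not Cisco code). Assumptions: the PnP string follows the
convention '5A1D;B2;K4;I<server>;J<port>' with field meanings as commonly
documented for Cisco PnP (5 = PnP, A = active, 1 = version, D/N = debug on/off,
B1/B2/B3 = hostname/IPv4/IPv6, K4/K5 = HTTP/HTTPS, I = server, J = port);
the CAPWAP discovery sub-option is type 0xF1 followed by 4-byte IPv4 WLC
addresses. Verify both against the release documentation before relying on them.
"""
import ipaddress

PNP_ADDRESS_TYPES = {"B1": "hostname", "B2": "IPv4", "B3": "IPv6"}
PNP_TRANSPORTS = {"K4": "HTTP", "K5": "HTTPS"}


def parse_pnp_option43(text):
    """Decode a PnP option-43 string into a dict; ValueError on anything malformed."""
    fields = text.strip().split(";")
    head = fields[0]
    if len(head) != 4 or not head.startswith("5A") or head[3] not in "DN":
        raise ValueError(f"bad PnP header {head!r}")
    result = {"version": head[2], "debug": head[3] == "D"}
    for f in fields[1:]:
        if f in PNP_ADDRESS_TYPES:
            result["address_type"] = PNP_ADDRESS_TYPES[f]
        elif f in PNP_TRANSPORTS:
            result["transport"] = PNP_TRANSPORTS[f]
        elif f.startswith("I") and len(f) > 1:
            result["server"] = f[1:]
        elif f.startswith("J") and f[1:].isdigit():
            result["port"] = int(f[1:])
        else:
            raise ValueError(f"unknown or malformed field {f!r}")
    for key in ("address_type", "transport", "server", "port"):
        if key not in result:
            raise ValueError(f"missing field {key}")
    # The server value must match the declared address type; a DHCP server can
    # hand out anything, so reject garbage instead of trying to connect to it.
    if result["address_type"] == "IPv4":
        ipaddress.IPv4Address(result["server"])
    elif result["address_type"] == "IPv6":
        ipaddress.IPv6Address(result["server"])
    if not 1 <= result["port"] <= 65535:
        raise ValueError("port out of range")
    return result


def encode_capwap_option43(controller_ips):
    """Build the vendor-specific option 43 value that hands APs a WLC list."""
    packed = [ipaddress.IPv4Address(ip).packed for ip in controller_ips]
    if not packed or 4 * len(packed) > 255:
        raise ValueError("need 1..63 controller addresses")
    return bytes([0xF1, 4 * len(packed)]) + b"".join(packed)


def decode_capwap_option43(blob):
    """Inverse of encode_capwap_option43; rejects truncated or mis-typed payloads."""
    if len(blob) < 6 or blob[0] != 0xF1 or blob[1] % 4 or len(blob) != 2 + blob[1]:
        raise ValueError("not a well-formed 0xF1 WLC list")
    return [str(ipaddress.IPv4Address(blob[i:i + 4])) for i in range(2, len(blob), 4)]


if __name__ == "__main__":
    # The string from the slide and a constructed two-controller list.
    print(parse_pnp_option43("5A1D;B2;K4;I172.19.45.222;J80"))
    print(encode_capwap_option43(["10.10.10.5", "10.10.20.5"]).hex())
```

The length byte in the 0xF1 sub-option must be a multiple of four and must match the payload exactly; the decoder refuses anything else rather than reading past the buffer.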
Single Site Provisioning
[Figure: Central Site with WLC-1a, RADIUS and the PnP Server; Remote Site across the WAN with WLC-1b and the Site-1 flex group]

Product ID          Serial #      Hostname    WLC IP  AP Mode      FlexGroup
AIR-CAP3702I-A-K9   RFD0PP2T025   Site-1-AP   WLC-1a  FlexConnect  Site-1Group

Site Rule
• WLC IP: WLC-1a
• AP Name: Site-1-AP
• AP Mode: FlexConnect
• Flex Group: Site-1Group
Mobility in the Cisco Unified WLAN Architecture
Mobility Defined
• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving location in the networked environment
• Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it's mobile!
• Mobility presents new challenges:
  • Need to scale the architecture to support client roaming – roaming can occur intra-controller and inter-controller
  • Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
• Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
• Support for up to 24 controllers, 24000 APs per mobility group
• Mobility messages exchanged between controllers
• Data tunneled between controllers in EtherIP (RFC 3378)
• 7.6 has the option of using EoIP or CAPWAP tunnels between controllers
[Figure: three controllers exchanging mobility messages over Ethernet-in-IP tunnels]
Controller-A – MAC: AA:AA:AA:AA:AA:01 – Mobility Group Name: MyMobilityGroup – Neighbours: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)
Controller-B – MAC: AA:AA:AA:AA:AA:02 – Mobility Group Name: MyMobilityGroup – Neighbours: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)
Controller-C – MAC: AA:AA:AA:AA:AA:03 – Mobility Group Name: MyMobilityGroup – Neighbours: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)
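A consistency check over the three controllers in the figure, as an added example (not Cisco code). It verifies what the slide requires for peering: identical group name, every member listed on every other member with the right MAC, and no more than 24 controllers. The port/protocol constants for the "right ports and protocols" rule on the design slide are standard documented values rather than slide content and should be confirmed for your release.

```python
"""Consistency check for a mobility group, using the three controllers on the slide.

Added example, not Cisco code. The controller table is the slide's; the port and
protocol numbers are documented values (UDP 16666 mobility control, IP protocol 97
EtherIP per RFC 3378, UDP 16667 for CAPWAP-based mobility data) and are not on the
slide, so treat them as an assumption to verify.
"""

MAX_WLCS_PER_GROUP = 24  # limit stated on the slide

# Flows to permit between mobility peers for each tunnel option (documented values).
MOBILITY_FLOWS = {
    "eoip": [("udp", 16666, "mobility control"), ("ip-proto", 97, "EtherIP data tunnel")],
    "capwap": [("udp", 16666, "mobility control"), ("udp", 16667, "mobility data (CAPWAP)")],
}


def _norm(mac):
    return mac.lower().replace("-", ":")


def check_mobility_group(controllers):
    """controllers: {name: {"mac": str, "group": str, "neighbours": {peer: peer_mac}}}.
    Returns findings (empty list == consistent): every member must carry the same
    group name, list every other member as a neighbour, and use the right MAC."""
    findings = []
    if len(controllers) > MAX_WLCS_PER_GROUP:
        findings.append(f"{len(controllers)} controllers exceeds {MAX_WLCS_PER_GROUP} per mobility group")
    groups = {c["group"] for c in controllers.values()}
    if len(groups) > 1:
        findings.append(f"mobility group name mismatch: {sorted(groups)}")
    for name, c in controllers.items():
        expected = {p: _norm(controllers[p]["mac"]) for p in controllers if p != name}
        listed = {p: _norm(m) for p, m in c["neighbours"].items()}
        for peer, mac in expected.items():
            if peer not in listed:
                findings.append(f"{name}: missing neighbour {peer}")
            elif listed[peer] != mac:
                findings.append(f"{name}: MAC for {peer} is {listed[peer]}, expected {mac}")
        for peer in listed:
            if peer not in expected:
                findings.append(f"{name}: lists unknown neighbour {peer}")
    return findings


def required_flows(transport):
    """Flows a firewall between mobility peers must allow for the chosen tunnel type."""
    return MOBILITY_FLOWS[transport]


# The three controllers exactly as drawn on the slide.
SLIDE_CONTROLLERS = {
    "Controller-A": {"mac": "AA:AA:AA:AA:AA:01", "group": "MyMobilityGroup",
                     "neighbours": {"Controller-B": "AA:AA:AA:AA:AA:02", "Controller-C": "AA:AA:AA:AA:AA:03"}},
    "Controller-B": {"mac": "AA:AA:AA:AA:AA:02", "group": "MyMobilityGroup",
                     "neighbours": {"Controller-A": "AA:AA:AA:AA:AA:01", "Controller-C": "AA:AA:AA:AA:AA:03"}},
    "Controller-C": {"mac": "AA:AA:AA:AA:AA:03", "group": "MyMobilityGroup",
                     "neighbours": {"Controller-A": "AA:AA:AA:AA:AA:01", "Controller-B": "AA:AA:AA:AA:AA:02"}},
}

if __name__ == "__main__":
    print(check_mobility_group(SLIDE_CONTROLLERS) or "mobility group consistent")
    print(required_flows("eoip"))
```

A group that passes this check still needs the listed flows open in both directions between every pair of peers; a one-sided rule shows up as peers that never reach the "up" state.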
Scaling the Architecture with Mobility Groups
[Figure: one WLC network → Mobility Group → Mobility Domain]
• 24 WLCs in a Mobility Group
• 72 WLCs in a Mobility Domain (the figure shows Mobility Groups on 8.0, 8.2 and 8.3)
• With Inter Release Controller Mobility (IRCM) roaming is supported between 8.0, 8.2 and 8.3
How Long Does an STA Roam Take?
• Time it takes for:
  • Client to disassociate +
  • Probe for and select a new AP +
  • 802.11 Association +
  • 802.1X/EAP Authentication +
  • Rekeying +
  • IP address (re)acquisition
• All this can be on the order of seconds… Can we make this faster?
Roaming Requirements
• Roaming must be fast … Latency can be introduced by:
  • Client channel scanning and AP selection algorithms
  • Re-authentication of client device and re-keying
  • Refreshing of IP address
• Roaming must maintain security
  • Open auth, static WEP – session continues on new AP
  • WPA/WPAv2 Personal – new session key for encryption derived via standard handshakes
  • 802.1x, 802.11i, WPA/WPAv2 Enterprise – client must be re-authenticated and new session key derived for encryption
How Are We Going to Make Roaming Faster?
Focus on where we can have the biggest impact:
• Eliminating the (re)IP address acquisition challenge
• Eliminating full 802.1X/EAP reauthentication
Intra-Controller Roaming: Layer 2 Roaming
[Figure: WLC-1 and WLC-2, each with its client database; the client's data (MAC, IP, QoS, Security) stays on VLAN X; mobility messages are exchanged between the controllers and the roaming data path follows the client to its new AP]
• Client database entry updated with the new AP and the appropriate security context
• No IP address refresh needed
Client Roaming Between Subnets: Layer 3
[Figure: before the roam the data path runs through WLC-1 on VLAN X; after the client roams to an AP on WLC-2 (VLAN Z), client data (MAC, IP, QoS, Security) is present in both client databases, WLC-1 acts as the anchor controller, WLC-2 as the foreign controller, and traffic flows through the anchor–foreign controller data tunnel after the mobility message exchange]
Roaming: Inter-Controller
• L3 inter-controller roam: STA moves association between APs joined to different controllers and the client traffic is bridged onto different subnets
• Client must be re-authenticated and a new security session established
• Client database entry copied to the new controller – the entry exists in both WLC client DBs
• Original controller tagged as the "anchor", new controller tagged as the "foreign"
• WLCs must be in the same mobility group or domain
• No IP address refresh needed
• Symmetric traffic path established – the asymmetric option has been eliminated as of the 6.0 release
• Account for mobility message exchange in network design
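The three roam outcomes described on the preceding slides as a small model (added example, not Cisco code): an L2 roam moves the client entry, an L3 roam copies it and tags anchor/foreign, the IP is preserved in every case, and the re-authentication cost follows the "Roaming Requirements" slide. The class layout, controller names and VLAN values are constructed for the example.

```python
"""Model of the intra/inter-controller roam outcomes described on the roaming slides.

Added example, not Cisco code. Rules encoded from the slides: same-VLAN roams move
the client entry (L2), cross-subnet roams copy it and tag anchor/foreign (L3), the
client IP is preserved either way, and the re-authentication work depends on the
WLAN security type and whether a fast-roaming key method (CCKM/802.11r) applies.
Assumption beyond the slides: on a later L3 roam the original anchor is kept and
the previous foreign controller drops its copy.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ClientEntry:
    mac: str
    ip: str
    vlan: int
    security: str               # "open", "wep", "wpa2-personal", "802.1x"
    fast_roaming: bool = False  # CCKM or 802.11r keys usable on the target
    anchor: Optional[str] = None
    foreign: Optional[str] = None


@dataclass
class WLC:
    name: str
    wlan_vlan: int              # VLAN the WLAN maps to on this controller
    mobility_group: str
    clients: Dict[str, ClientEntry] = field(default_factory=dict)


def reauth_work(security, fast_roaming):
    """Security-side cost of the roam, per the 'Roaming Requirements' slide."""
    if security in ("open", "wep"):
        return "none"                  # session simply continues on the new AP
    if security == "wpa2-personal":
        return "rekey"                 # new session key via the standard handshake
    if security == "802.1x":
        return "fast-transition" if fast_roaming else "full-802.1x"
    raise ValueError(f"unknown security type {security}")


def roam(mac, src, dst):
    """Move client `mac` from src to dst and return a summary of the outcome."""
    entry = src.clients[mac]
    if src is not dst and src.mobility_group != dst.mobility_group:
        raise ValueError("inter-controller roam needs peers in the same mobility group/domain")
    if src is dst:
        kind = "intra-controller"      # same DB, entry updated with the new AP
    elif dst.wlan_vlan == entry.vlan:
        kind = "L2 inter-controller"
        src.clients.pop(mac)           # entry moves with the client
        dst.clients[mac] = entry
    else:
        kind = "L3 inter-controller"
        if entry.anchor is None:
            entry.anchor = src.name    # original controller becomes the anchor
        elif src.name != entry.anchor:
            src.clients.pop(mac)       # src was only a foreign; hand off to the new one
        entry.foreign = dst.name
        dst.clients[mac] = entry       # copy: anchor and foreign both hold the entry
    return {
        "kind": kind,
        "ip_preserved": True,          # no IP refresh in any of the three cases
        "reauth": reauth_work(entry.security, entry.fast_roaming),
        "anchor": entry.anchor,
        "foreign": entry.foreign,
        "in_src_db": mac in src.clients,
        "in_dst_db": mac in dst.clients,
    }


if __name__ == "__main__":
    # Constructed scenario: WLC-1 and WLC-2 share VLAN 100, WLC-3 maps the WLAN to VLAN 200.
    w1, w2, w3 = (WLC("WLC-1", 100, "MyMobilityGroup"), WLC("WLC-2", 100, "MyMobilityGroup"),
                  WLC("WLC-3", 200, "MyMobilityGroup"))
    w1.clients["00:11:22:33:44:55"] = ClientEntry("00:11:22:33:44:55", "10.100.0.7", 100, "802.1x")
    print(roam("00:11:22:33:44:55", w1, w2))
    print(roam("00:11:22:33:44:55", w2, w3))
```

Sizing follows from the model: every L3-roamed client occupies a slot on two controllers, which is the "worst case" the design slide asks you to plan for.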
Designing a Mobility Group/Domain
• Less roaming is better – clients and apps are happier
• While clients are authenticating/roaming, the WLC CPU is doing the processing – less of a concern on the latest controllers, which have a dedicated management/control processor
• L3 roaming and fast-roaming clients consume client DB slots on multiple controllers – consider "worst case" scenarios when sizing the roaming domain
• Leverage natural roaming domain boundaries
• Mobility Message transport selection: multicast vs. unicast
• Make sure the right ports and protocols are allowed
How Are We Going to Make Roaming Faster?
Focus on where we can have the biggest impact:
✓ Eliminating the (re)IP address acquisition challenge (addressed above)
• Eliminating full 802.1X/EAP reauthentication
Fast Secure Roaming
Standard Wi-Fi Secure Roaming
• 802.1X authentication in wireless today requires three "end-to-end" transactions with an overall transaction time of > 500 ms
• 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam
[Figure: Cisco AAA Server (ACS or ISE) reached across the WAN from AP1 and AP2; 1. 802.1X initial authentication transaction; 2. 802.1X reauthentication after roaming]
Cisco Centralised Key Management (CCKM)
• Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
• CCKM ported to CUWN architecture in 3.2 release
• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
• CCKM is most widely implemented in ASDs, especially VoWLAN devices
• To work across WLCs, WLCs must be in the same mobility group
• CCX-based laptops may not fully support CCKM – depends on supplicant capabilities
• CCKM is standardised in 802.11r, Apple iOS 6.0, iOS 7.0
Protocols that Help Your BYOD Roam
• Issues will come as you reach the edge of the cell – you need to expedite the jump to the next cell:
  • 802.11k: helps the BYOD discover the next cell
  • 802.11r (FT): helps the BYOD exchange credentials fast while roaming
  • 802.11v BSS Transition Management: pushes the BYOD to the next cell
• How do you know if your BYOD supports 802.11k or 802.11r?
  • Apple devices support both since iOS 6
  • On Android… it depends on the device – vendors certify 802.11r and/or 802.11k on devices targeted for the enterprise market, not for the home market
  • Two URLs can help you:
    • http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/device_classification_guide.html
    • http://clients.mikealbano.com/ (look for RM fields in frame captures for 802.11k support)

Apple & Cisco
Cisco and Apple join hands to build a fast lane
[Figure: Apple iOS 10 device and Cisco AP]
How does Fast Lane work for Apple devices connecting to Cisco Wireless networks?
• iOS 10 devices and Cisco APs (AireOS 8.3) perform a "handshake" that allows them to recognise each other ("Aloha!" / "Hello Amigo!" in the figure)
Three New Wireless Innovations Resulting from Apple / Cisco Partnership
1. Enhanced QoS for iOS 10+ – proper QoS handling
2. Improved Roaming – better roaming through Adaptive 11r
3. Centralised iOS App Policy Control – IT Administrator control of applications and QoS
Foundation 1: Enhanced QoS for iOS Devices
• Wireless is becoming the new edge of the network
• Real-Time apps (voice and video) are becoming the norm on WLANs
• Endpoint vendors' QoS implementation is weak, resulting in poor quality voice and video experience over wireless

Wi-Fi's Biggest QoS Challenge: Shared, Half-Duplex and Contention Based!
• Only one station can send at a time, or it will cause interference!
• All stations must first wait for the medium to go quiet before attempting to transmit.
• What happens when you arrive at a 4-Way Stop?
As WLANs become Busier, Each Client (and the AP) Need to Wait Longer (bad for real-time apps)
[Figure: one 11ac station is sending while every other client and the AP wait; several clients report "My MOS score is terrible!"]
How Much Does Contention Affect Performance
The Breaking Point Depends on How Many Clients You Have
[Chart: throughput (%) versus number of clients (1, 5, 10, 25, 50, 75, 100); the annotated contention premium grows through the bands 5%–10%, 10%–30%, 30%–50% and 50%–60% as the client count rises]
As more clients associate and transmit, WLAN contention increases for all clients. Retry attempts increase and each station spends more and more time in the "waiting and listening" state, driving down performance (source: IEEE 802.11-15/0351r2)
802.11e Solves the Problem by creating wireless queues (Access Categories) and forcing lower priority queues to wait longer before transmitting
[Figure: Access Categories Background, Best Effort, Video, Voice; the wait time before attempting to send runs from long (Background) to short (Voice)]
Fast Lane ensures that iOS 10+ devices correctly map their applications to the correct Access Categories, ensuring the best possible QoS. Without the correct mappings, wireless QoS can't work!
802.11e QoS Mappings Before Fast Lane

Endpoint/Client                      Voice (EF)   Video (AF41/42)   Control (CS3)
WMM Convention                       6            5                 4
Jabber for iOS (iPad, iPhone)        5            5                 0
Jabber for Android                   6            5                 3
Jabber for OSX                       5            5                 0
Jabber for Windows (desktop)         5            4                 3
MS Lync                              5            4                 3
Unified IP Phones (DX650, 9971)      6            5                 4
Apple FaceTime (iPad)                5            5                 3

802.11e QoS Mappings After Fast Lane

Endpoint/Client                          Voice (EF)   Video (AF41)   Control (CS3)
Cisco Recommendation                     6            5              4
Jabber for iOS 10+ (iPad, iPhone)        6            5              5
Jabber for Android                       6            5              3
Jabber for OSX                           5            5              0
Jabber for Windows (desktop)             5            4              3
MS Lync / Skype for Business (Win 10)    5            4              3
Unified IP Phones (DX650, 9971)          6            5              4
Apple FaceTime (iPad)                    6            5              5
Foundation 2: Improved Roaming Performance
In 802.11, delay in roaming causes poor experience, especially for rich-media real-time applications. Interoperability increases complexity and prevents adoption.
Standards to the rescue?
• 802.11k – Neighbour List
• 802.11v – BSS Transition
• 802.11r – Fast Roaming
802.11k, 802.11v, 802.11r help efficient roaming
• 802.11r enables fast roaming without complete reauth
• 802.11k sends you a list of neighbours
• 802.11v BSS Transition sends you the new best AP (Cisco-AP-2) to connect to
[Figure: client associated to Cisco-AP-1 performs a Fast Transition (802.11r) to Cisco-AP-2]
Apple / Cisco Innovation: Adaptive 802.11r
[Figure: on a non-Cisco AP, a legacy client cannot join the same SSID where 11r is enabled; on a Cisco AP, the AP recognises an Apple device and enables 11r for it, 802.11k and 802.11v are on by default, and a legacy client that does not support 11r/k/v can still join the same SSID]
Foundation 3: Centralised Policy Management of iOS 10 Devices
Today's iOS devices are unable to prioritise business-critical real-time traffic all the way from the client to the destination.
• Today IT Administrators can classify traffic ONLY at the access point. This implies:
  • Inability to prioritise between the client and the AP.
  • Burden on the IT administrator to manage the applications across the enterprise
BYOD: Prioritising Business Apps on an Apple Network
• Prioritise business critical apps and real time data
• Don't leave QoS up to the app developer
• IT has control over which Apps get priority
Cisco Apple Fast lane QoS Profiles
[Figure: a QoS Profile containing an application white list is delivered to the Apple iOS 10 device; the Cisco AireOS 8.3 network honours the resulting marking]
QoS Profile is pushed to the Apple iOS device using standard iOS Profiling techniques (MDM, email, Web-based, etc.). This profile has a white list of applications to be marked with QoS. All other traffic from the Apple device will be sent as best effort.
*By default, all applications are whitelisted. This means that if there is no profile, all apps get QoS. If there is a profile, only the apps in the profile get QoS.
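The two marking tables and the Fast Lane profile rule as code (added example, not Cisco or Apple code). It re-uses the slide's endpoint rows, maps each UP to its 802.11e access category using the standard UP-to-AC assignment, and reports endpoints whose marking lands in the wrong queue; the second function applies the whitelist rule from the profile slide (no profile: everything keeps QoS; profile present: unlisted apps go best effort). The DSCP code points (EF 46, AF41 34, AF42 36, CS3 24) are the standard values, not on the slides.

```python
"""802.11e marking check over the slide's endpoint tables, plus the Fast Lane
profile rule. Added example, not Cisco/Apple code. DSCP values and the
UP-to-access-category mapping are the standard ones; the endpoint rows are copied
from the two tables on the slides; the whitelist logic follows the profile slide.
"""

DSCP = {"EF": 46, "AF41": 34, "AF42": 36, "CS3": 24}
# "WMM Convention" / "Cisco Recommendation" row: voice UP 6, video UP 5, control UP 4
RECOMMENDED_UP = {"voice": 6, "video": 5, "control": 4}
CLASSES = ("voice", "video", "control")


def access_category(up):
    """802.11e user priority -> access category (the four queues on the slide)."""
    if up in (6, 7):
        return "AC_VO"
    if up in (4, 5):
        return "AC_VI"
    if up in (0, 3):
        return "AC_BE"
    if up in (1, 2):
        return "AC_BK"
    raise ValueError(f"invalid UP {up}")


# Rows from the "Before Fast Lane" table: (voice UP, video UP, control UP)
BEFORE_FAST_LANE = {
    "Jabber for iOS": (5, 5, 0),
    "Jabber for Android": (6, 5, 3),
    "Jabber for OSX": (5, 5, 0),
    "Jabber for Windows": (5, 4, 3),
    "MS Lync": (5, 4, 3),
    "Unified IP Phones": (6, 5, 4),
    "Apple FaceTime": (5, 5, 3),
}
# Rows that changed in the "After Fast Lane" table
AFTER_FAST_LANE_IOS = {
    "Jabber for iOS 10+": (6, 5, 5),
    "Apple FaceTime (iOS 10+)": (6, 5, 5),
}


def queue_deviations(table):
    """Endpoints whose marking puts traffic in a different queue than recommended.
    Compares access categories, not raw UP values: UP 5 versus UP 4 for control
    both queue as AC_VI, so that difference is not flagged."""
    out = {}
    for endpoint, ups in table.items():
        problems = []
        for cls, up in zip(CLASSES, ups):
            got, want = access_category(up), access_category(RECOMMENDED_UP[cls])
            if got != want:
                problems.append((cls, up, got, want))
        if problems:
            out[endpoint] = problems
    return out


def uplink_up(app, cls, profile):
    """UP an iOS 10+ device puts on a frame from `app` under a Fast Lane profile.
    profile=None means no profile installed: every app is whitelisted.
    With a profile, only listed apps keep their marking; the rest go best effort."""
    if profile is not None and app not in profile:
        return 0
    return RECOMMENDED_UP[cls]


if __name__ == "__main__":
    for endpoint, problems in queue_deviations(BEFORE_FAST_LANE).items():
        print(endpoint, problems)
    print(uplink_up("Jabber", "voice", {"Jabber"}), uplink_up("SomeGame", "voice", {"Jabber"}))
```

Run against the "before" table, the check flags every endpoint except the Unified IP Phones; against the iOS 10+ rows it flags nothing, which is the point Fast Lane makes.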
Creating Fast Lane Profiles
• Apple Configurator
• Meraki Systems Manager MDM

Architecture Building Blocks
Cisco Controller Portfolio – Grow as Your Business Grows
Starting point: Autonomous APs

Small Network, Small Branch (up to 150 APs)
Controller            APs     Clients   Throughput
Mobility Express      50      1000      (AP 18xx)
Mobility Express      100     2000      (AP 2800/3800)
Cisco vWLC (small)    200     3000      500 Mbps
Cisco 2500            75      1000      1 Gbps
Cisco 3504            150     3000      4 Gbps

Mid-size Enterprise/Branch (150–1500 APs)
Controller            APs     Clients   Throughput
Cisco 5508            500     7000      8 Gbps
Cisco WiSM2           1000    15,000    20 Gbps
Cisco IOS 5760        1000    12,000    60 Gbps
Cisco 5520            1500    20,000    20 Gbps

Large Enterprise/Branch (1500–6000 APs)
Controller            APs     Clients   Throughput
Cisco vWLC (large)    3000    32,000    500 Mbps
Cisco Flex 7500       6000    64,000    1 Gbps
Cisco 8510            6000    64,000    10 Gbps
Cisco 8540            6000    64,000    40 Gbps
Fast, Flexible and Feature-rich Small Controller
3504 Series Wireless Controller
Compact, mGig ready, dedicated RP/SP ports, side by side rack mount and much more…

Access Points      150 in Centralised mode
Clients            3000 in Centralised mode
Throughput         4 Gbps
HA Support         Dedicated RP for HA SSO
Service Support    Dedicated SP
Form factor        Side by Side Primary/HA rack mount (1 RU)
I/O interface      mGig + 4x1GE, USB; Console: RJ45, mini USB

Access Points
✓ Powerful enough to handle 802.11ac Wave 2 traffic loads
✓ Up to 150 AP, 3000 clients, 4 Gbps
Seamless Scalability
✓ Seamless migration (USB + configuration migration tool from 2504 and 5508)
✓ Seamless WLC portfolio – feature parity across 3504 and 5520
Flexible Deployment
✓ mGig or 4x1GE
✓ Rack Mount, Cabinet, Desktop ready:
  • 1RU, side by side Rack Mount
  • Quiet fanless for cabinet, desktop (up to 30C ambient)
✓ 10" depth to fit nicely in cabinet
HA Support
✓ Pairing with stateful switchover
DNA Opt Platforms & Virtualization
Target FCS July 2017
WLC 5520 and WLC 8540 Controllers (previous 12 months)

5520 WLAN Controller
Access Points        1,500
Clients              20,000
Deployment Modes     Centralised, FlexConnect and Mesh
Form Factor          1 RU
IO Interface         Dual 1G or 10G ports with LAG
Power Supply         AC w/Optional Redundant Power Supply

8540 WLAN Controller (highest scalability)
Access Points        6,000
Clients              64,000
Deployment Modes     Centralised, FlexConnect and Mesh
Form Factor          2 RU
IO Interface         Four port 1G or 10G with LAG
Power Options        AC or DC
Redundancy           Dual Power supply and HDD w/RAID
Cisco Aironet 802.11ac Wave 2 Portfolio
Industry's most comprehensive and innovative AP portfolio
All models: Centralized, FlexConnect or Mobility Express | DNA Ready | RF Excellence | CMX
2800 and 3800 (future proof): Dual 5 GHz | Flexible Radio | HDX

Enterprise Class
1815 – Indoor / High-powered Indoor / Wall Plate / Teleworker
• 2x2:2SS 80 MHz
• 867 Mbps Performance
• Tx Beam Forming
• Integrated BLE Gateway [1]
• Max Transmit Power (dBm) per local regulations [2]
• 3 GE Local Ports, including 1 PoE out [3]
• Local ports 802.1x ready [3]
• USB 2.0 [4]
1830
• 3x3:2SS 80 MHz
• 867 Mbps Performance
• Tx Beam Forming
• 1 GE Port Uplink
• USB 2.0
1850
• 4x4:3SS 80 MHz
• 1.7 Gbps Performance
• Internal or External Antenna
• Tx Beam Forming
• 2 GE Ports Uplink
• USB 2.0

Mission Critical
2800
• 4x4:3SS 160 MHz
• 5 Gbps Performance
• 2.4 and 5 GHz or Dual 5 GHz
• 2 GE Ports Uplink
• CleanAir and ClientLink
• Internal or External Antenna
• Smart Antenna Connector
• USB 2.0

Best in Class
3800
• 4x4:3SS 160 MHz
• 5 Gbps Performance
• 2.4 and 5 GHz or Dual 5 GHz
• 2 GE Ports Uplink or 1 GE + 1 mGig (5G)
• CleanAir and ClientLink
• StadiumVision
• Internal or External Antenna
• Smart Antenna Connector
• USB 2.0
• Investment Proof Modularity

[1] Future availability  [2] Available for High-powered only  [3] Available for wall-plate and teleworker only  [4] Available for teleworker only
Meet Any Wi-Fi Use Case – Expandability and Investment Protection
[Figure: AP expansion points – Smart Antenna Port (directional antennas, stadium panel antenna, other antennas), Module Port (self-discover / self-configure; custom application using Linux, advanced security and spectrum analysis, Bluetooth beacon location, other) and the primary antennas; potential future expandability – future Wi-Fi standard, video surveillance, custom application using Linux, Bluetooth beaconing, 3G and LTE small cell offload, other]
Wireless excellence and innovations delivered only by Cisco Aironet 2800, 3800 Series Access Points
• Flexible Radio Assignment – software defined radio automatically adjusts to dual 5 GHz to better serve high client environments
• Optimised Roaming – intelligently connects the proper access point as people move
• Turbo Performance – scales to support more devices running high bandwidth apps
• Zero Impact AVC – hardware based Application Visibility and Control without impact to performance
• Cisco CleanAir® – remediates device impacting interference from other WiFi and non-WiFi devices
• Cisco ClientLink – improves performance of legacy and 802.11ac devices
• Future Proof Expandability – add functionality via module, smart antenna port or USB port
• Multi-Gigabit Uplinks (Gb+) – free up wireless with faster wired network offload
• Flex Dynamic Frequency Selection – automatically adjusts so as not to interfere with other radio systems
• Apple Fast Lane – automatically assures highest priority, fastest performance for trusted apps on trusted Apple devices
Deploying the Cisco Unified Wireless Architecture
Best Practices For High Performance Mobile Infrastructure
• RF Planning – engineer the WLAN for data, voice, video, location, and client density
  • 802.11ac: -65 to -67 RSSI
  • 10–20% cell overlap
  • 1 AP / 2500 sq ft
• RF Optimisation – optimise Gigabit Wi-Fi as primary connectivity, Gig Ethernet as fallback
  • Cisco CleanAir
  • ClientLink
  • RRM
• High Availability – replicate the High Availability of the LAN on the WLAN
  • LAN SSO – Edge, Core, Disti
  • WLAN SSO – Client, AP, Controller
• Application Visibility & Control – prioritise mission critical business applications over personal applications
  • Cisco AVC – identify, prioritise, control apps across LAN, WLAN
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Security & Policies
  • Local Profiling and Policy Classification
  • Application Visibility Control
  • OpenDNS
  • TrustSec
• IPv6 Deployment with Controllers
• CMX Cloud
• Branch Office Designs
Centralised Mode HA
(Figure axes: Requirements, Benefits, Network Uptime)
N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary)
• Requirements: each controller has to be configured separately
• Benefits: available on all controllers; crosses L3 boundaries; flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)
AP SSO (SSID stateful switchover)
• Requirements: release 7.3 and 7.4; WLC: 5508, WiSM2, 7500, 8510; direct physical connection; same HW and SW
• Benefits: 1:1 box redundancy; AP state is synched; no SSID downtime; HA-SKU available (> 7.4)
Client SSO
• Requirements: minimum release 8.0; WLC: 5508, WiSM2, 7500, 8510; L2 connection; same HW and software
• Benefits: 1:1 box redundancy; active client state is synched; AP state is synched; no application downtime; HA-SKU available
Controller Redundancy
• Redundant WLC in a geographically separate location
• Layer-3 connectivity between the AP connected to the primary WLC and the redundant WLC
• Redundant WLC need not be part of the same mobility group
• Configure high availability (HA) to detect failure and faster failover
• Use AP priority in case of over-subscription of the redundant WLC
[Figure: WLAN-Controller-1, WLAN-Controller-2 … WLAN-Controller-n each have their APs configured with themselves as Primary and WLAN-Controller-BKP (in the NOC or Data Centre) as Secondary]
Controller Redundancy – High Availability
• High Availability Principles:
  • The AP is registered with a WLC and maintains a backup list of WLCs.
  • The AP uses heartbeats to validate WLC connectivity.
  • The AP uses Primary Discovery messages to validate the backup WLC list.
  • When the AP loses 3 heartbeats it starts the join process to the first backup WLC candidate.
  • The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
  • The AP does not re-initiate the discovery process.
[Figure: AP with a Primary WLC and a Secondary WLC]
New Timers (7.2)
Heartbeat Timeout                1-30 secs
Fast Heartbeat Timer             1-10 secs
AP Retransmit Interval           2-5 secs
AP Retransmit with FH Enabled    3-8 times
AP Fallback to next WLC          12 secs
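The failover rules on this slide, as an added example (not Cisco code): candidate selection in the stated order among controllers that answered a Primary Discovery, the three-lost-heartbeats trigger, the timer ranges from the table, and the "use AP priority when the backup is oversubscribed" advice from the previous slide, modelled as keeping the highest-priority APs. The 1 (low) to 4 (critical) priority scale is the AireOS convention and the oversubscription model is a simplification; neither is on the slide.

```python
"""AP failover behaviour from the 'High Availability' slide as code. Added example,
not Cisco code. The candidate order (primary, secondary, tertiary, global primary,
global secondary), the 'three lost heartbeats' trigger and the timer ranges are
from the slide; the AP failover-priority scale (1 low .. 4 critical) is the AireOS
convention and the oversubscription handling is a simplified model of ours.
"""

FALLBACK_ORDER = ("primary", "secondary", "tertiary", "global_primary", "global_secondary")
LOST_HEARTBEATS_TO_FAILOVER = 3

# Allowed ranges of the 7.2 timers on the slide (seconds, or a count for retransmits)
TIMER_RANGES = {
    "heartbeat_timeout": (1, 30),
    "fast_heartbeat_timer": (1, 10),
    "ap_retransmit_interval": (2, 5),
    "ap_retransmit_count": (3, 8),
}


def next_wlc(ap_backup, global_backup, alive):
    """First reachable controller in slide order, or None when nothing is left.
    ap_backup: per-AP {'primary': .., 'secondary': .., 'tertiary': ..};
    global_backup: controller-wide {'global_primary': .., 'global_secondary': ..};
    alive: names whose Primary Discovery response the AP has seen."""
    candidates = {**ap_backup, **global_backup}
    for role in FALLBACK_ORDER:
        name = candidates.get(role)
        if name and name in alive:
            return name
    return None


def should_failover(missed_heartbeats):
    """The slide's trigger: three lost heartbeats start the join to the backup."""
    return missed_heartbeats >= LOST_HEARTBEATS_TO_FAILOVER


def admit_to_backup(capacity, aps):
    """Oversubscribed backup WLC: keep the highest-priority APs, ties in arrival order.
    aps: list of (ap_name, priority) with priority 1=low .. 4=critical.
    Returns (admitted, rejected); rejected APs keep walking the fallback list."""
    for _, prio in aps:
        if prio not in (1, 2, 3, 4):
            raise ValueError("priority must be 1..4")
    ranked = sorted(aps, key=lambda ap: -ap[1])   # stable sort keeps arrival order per priority
    return ranked[:capacity], ranked[capacity:]


def validate_timers(cfg):
    """Timers outside the slide's ranges, as {name: (value, (lo, hi))}; empty == all good."""
    bad = {}
    for key, (lo, hi) in TIMER_RANGES.items():
        if key in cfg and not lo <= cfg[key] <= hi:
            bad[key] = (cfg[key], (lo, hi))
    return bad


if __name__ == "__main__":
    # Constructed scenario using the controller names from the redundancy figure.
    alive = {"WLAN-Controller-BKP"}
    print(next_wlc({"primary": "WLAN-Controller-1", "secondary": "WLAN-Controller-BKP"}, {}, alive))
    print(admit_to_backup(2, [("ap-lobby", 1), ("ap-er", 4), ("ap-ward", 2)]))
```

Because the AP does not re-run discovery, an AP whose whole list is dead (next_wlc returns None) stays orphaned until a listed controller comes back; that is the case the global primary/secondary entries exist to cover.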
Stateful Switchover (SSO)
• True box-to-box High Availability, i.e. 1:1
• One WLC in Active state and second WLC in Hot Standby state
• Secondary continuously monitors the health of the Active WLC via a dedicated link
• Configuration on Active is synched to the Standby WLC
  • This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
  • AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
  • Active Client State in 7.5: client will not disconnect – Client SSO
• Downtime during failover reduced to 5 - 1000 msec depending on the failover
  • In the case of power failure on the Active WLC it may take 350-500 msec
  • In case of network failover it can take up to a few seconds
• SSO is supported on 5500 / 7500 / 8500 / WiSM-2 and 5760
For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
SSO Failover Sequence
[Figure (Client SSO): the two WLCs negotiate redundancy roles (ACTIVE / STANDBY) and establish the redundancy link over the dedicated Redundancy Port; APs join and clients associate to the Active; AP and client info is synced to the Standby; on keep-alive failure the peer is notified and the Standby switches to ACTIVE; the AP session stays intact (CAPWAP is not re-established) and the client session stays intact (no re-association). Effective downtime for the client is detection time + switchover time]
Pairing 5520/8540 for SSO
[Figure: redundancy ports connected back-to-back or through an L2 network]
Back-to-back as well as L2 RP connectivity is supported
Connecting 5520/8540 SSO Pair to wired Network
[Figure (recommended network design, shown for the 8540 and for the 5520): Active WLC and Standby WLC each connect with trunk port-channels Po 1 and Po 2 to a Catalyst VSS pair at L2, with the same configuration on both Po1 and Po2]
Spread the links in each port-channel among the two physical switches to prevent a WLC switchover upon the failure of one of the VSS switches.

Web-GUI Configuration
[Screenshot of the redundancy configuration page]
SSO Behaviour and Recommendations
• WLC 55XX / 85XX: RP connectivity between Active and Standby
  ✓ Via switches
  ✓ Back-to-back
• WiSM-2: single 6500 chassis OR different chassis using VSS setup / extending the redundancy VLAN.
• RTT latency on Redundancy Link: 80 milliseconds or less (80% of the keep-alive timer).
• Preferred MTU on Redundancy Link: 1500 or above.
• Bandwidth on Redundancy Link: 60 Mbps or more.
• Recommended to have Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks
• Keep-alive / Peer Discovery timers should be left at their default values for better performance
• Default box failover detection time is 3 × 100 ms = 300 ms, + 60 ms = 360 ms, + jitter (12 ms) ≈ 400 ms
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Security & Policies
  • Local Profiling and Policy Classification
  • Application Visibility Control
  • OpenDNS
  • TrustSec
• IPv6 Deployment with Controllers
• Branch Office Designs
AP-Groups - Default AP-Group
• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
• Default AP-Group cannot be modified
• APs with no assignment to a specific AP-Group will use the Default AP-Group
• The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
• Maximum AP groups per platform: WLC 2504: 50; WLC 5508 & WiSM-2: 500; WLC 7500 & 8500: 500
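A model of the AP-group rules on this slide (added example, not Cisco code): the default group is fixed to WLAN IDs 1–16, a WLAN with ID 17 or higher is only served when a custom group carries it, a WLAN can map to a different dynamic interface per group, and the per-platform group limits apply. "default-group" is the AireOS name for the built-in group; the Employee SSID and the VLAN 60/70/80 values in the usage come from the campus figures that follow.

```python
"""AP-group membership rules from the 'AP-Groups' slides as a small model.
Added example, not Cisco code. Rules encoded: WLAN IDs 1-16 form the default
group automatically and the default group cannot be edited; WLANs 17+ only reach
APs through a custom group; a WLAN may map to a different dynamic interface in
each group; per-platform group limits (2504: 50, 5508/WiSM-2: 500, 7500/8500: 500).
'default-group' is the AireOS name for the built-in group.
"""

DEFAULT_GROUP = "default-group"
DEFAULT_GROUP_WLAN_IDS = range(1, 17)
AP_GROUP_LIMITS = {"2504": 50, "5508": 500, "WiSM-2": 500, "7500": 500, "8500": 500}


class WLCConfig:
    def __init__(self, platform):
        self.limit = AP_GROUP_LIMITS[platform]
        self.wlans = {}           # wlan_id -> (ssid, global interface)
        self.groups = {}          # group name -> {wlan_id: interface}
        self.ap_assignment = {}   # ap name -> group name

    def add_wlan(self, wlan_id, ssid, interface):
        if wlan_id < 1 or wlan_id in self.wlans:
            raise ValueError(f"bad or duplicate WLAN id {wlan_id}")
        self.wlans[wlan_id] = (ssid, interface)

    def add_ap_group(self, name, wlan_interfaces):
        """Create or replace a custom group; the default group is off limits."""
        if name == DEFAULT_GROUP:
            raise ValueError("the default AP group cannot be modified")
        if name not in self.groups and len(self.groups) + 1 > self.limit:
            raise ValueError(f"platform allows only {self.limit} AP groups")
        missing = [w for w in wlan_interfaces if w not in self.wlans]
        if missing:
            raise ValueError(f"WLAN ids not defined: {missing}")
        self.groups[name] = dict(wlan_interfaces)

    def assign_ap(self, ap_name, group):
        if group != DEFAULT_GROUP and group not in self.groups:
            raise ValueError(f"unknown AP group {group}")
        self.ap_assignment[ap_name] = group

    def group_of(self, ap_name):
        """Unassigned APs fall into the default group, as the slide states."""
        return self.ap_assignment.get(ap_name, DEFAULT_GROUP)

    def wlans_for_group(self, group):
        """{wlan_id: interface} an AP in `group` will broadcast and bridge to."""
        if group == DEFAULT_GROUP:
            return {w: iface for w, (_, iface) in self.wlans.items() if w in DEFAULT_GROUP_WLAN_IDS}
        return dict(self.groups[group])

    def wlans_for_ap(self, ap_name):
        return self.wlans_for_group(self.group_of(ap_name))

    def unreachable_wlans(self):
        """WLAN ids 17+ that no custom group carries, so no AP ever serves them."""
        carried = {w for g in self.groups.values() for w in g}
        return sorted(w for w in self.wlans if w not in DEFAULT_GROUP_WLAN_IDS and w not in carried)


if __name__ == "__main__":
    # Campus figure: one SSID "Employee" (WLAN 1) mapped to VLAN 60/70/80 per AP group.
    cfg = WLCConfig("5508")
    cfg.add_wlan(1, "Employee", "vlan100")
    for i, vlan in ((1, 60), (2, 70), (3, 80)):
        cfg.add_ap_group(f"AP-Group-{i}", {1: f"vlan{vlan}"})
    cfg.assign_ap("ap-building-2", "AP-Group-2")
    print(cfg.wlans_for_ap("ap-building-2"), cfg.wlans_for_ap("ap-unassigned"))
```

The unreachable_wlans check is the one that catches the common mistake on this slide: a WLAN created as ID 17 or higher is silently absent from every AP until some custom group includes it.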
AP-Grouping in Campus
Data CentreWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
WLC-2WLC-1
VLAN 100 / 21
CAPWAP
Single
SSID =
Employee
VLAN 100 VLAN 100 VLAN 100
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 66BRKEWN-2010
AP-Grouping in Campus
Data CentreWAN Internet
Access
Distribution
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSi SiSi
AP-Group-2 AP-Group-3
AP-Group-1
WLC-2WLC-1
VLAN 80 /23VLAN 70 /23VLAN 60 /23
VLAN 100
/21
CAPWAP
VLAN 60
VLAN 70
VLAN 80
Single
SSID =
Employee
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Default AP-Group (screenshot): the Network Name list of the default AP group; only WLANs 1–16 are added to the default AP group.
Multiple AP-Groups (screenshot): the AP Groups page listing AP Group 1, AP Group 2 and AP Group 3.
HD Config Tip: RF Profiles for Fine-Tuning
More granular control of the RF network
• RF Profiles work in conjunction with AP Groups (beginning in release 7.2)
• You can create separate RF profiles for both 2.4 and 5 GHz
• One profile for each band (802.11a / 802.11b) can be assigned to an AP group
• Settings available today:
  • 802.11 data rates
  • TPC power threshold and min/max power settings
  • DCA
  • Coverage hole algorithm settings
  • High density (HDX) configurations: RX-SOP, client limit, multicast data rate
  • Client distribution
RF Profiles : Granular Control (screenshot): the RF profile settings are grouped into Data Rates, Load Balancing, TPC / DCA / Coverage Hole, and High Density tabs.
Network Profiles GUI (8.1)
Sets pre-defined RF parameters depending on Client Density and Traffic Type:
• Client Density: High, Typical, Low
• Traffic Type: Data, Data and Voice
Pre-built RF Profiles
• Client-density-specific pre-built RF profiles for the 2.4 GHz and 5 GHz bands, to be used with AP Groups
• Use the pre-built RF profiles to create your customised profile (8.3)
RF-Profile in Campus (diagram)
Same campus topology as the AP-group diagrams, with RF-Profile-1, RF-Profile-2 and RF-Profile-3 applied per AP group. Each group carries the single SSID "Employee" on its own VLAN pair: VLAN 60/61 (/23), VLAN 70/71 (/23) and VLAN 80/81 (/23), with AP traffic over CAPWAP to WLC-1 and WLC-2.
Flexible Radio Assignment
• Default operating mode: serve clients on both 2.4 GHz and 5 GHz (one radio serving 5 GHz, one radio serving 2.4 GHz)
• Dual 5 GHz support: both radios serving clients on 5 GHz; maximum over-the-air data rate up to 5.2 Gbps
• Wireless Security Monitoring mode: one radio scans both 2.4 GHz and 5 GHz for security threats while the other serves clients on 5 GHz
* Denotes feature availability post-FCS
Radio Role Assignment – Auto/Manual
• Selecting a 2800/3800 802.11-abgn interface – config
• Auto (default) makes the radio available to FRA
• Manual takes the radio out of global FRA
Dual 5 GHz operation – Custom Channel
• If you choose Custom for the channel, you still need 100 MHz of separation between Slot 0 (XOR radio) and Slot 1 (dedicated 5 GHz radio)
FRA - Config
• FRA is disabled by default; once enabled, FRA is active
• Sensitivity: Low (100%), Medium (95%), High (90%)
• Interval: 1–24 hours, 1 hour default
FRA – Assignment Priority
• Default operating role: pervasive 2.4 GHz and 5 GHz coverage (one radio serving 5 GHz, one serving 2.4 GHz)
• Dual 5 GHz: increase network capacity and performance; maximum over-the-air data rate up to 5.2 Gbps; high-density client performance improvements
• Wireless Security Monitor: secure the network from non-Wi-Fi interference, wIPS attackers, and rogue clients/access points; scan both 2.4 GHz and 5 GHz for security threats while the other radio serves 5 GHz clients
Cisco Dynamic Bandwidth Selection (DBS)
• Automatic optimisation for 20/40/80 MHz channel widths
• DBS applies an additional layer of channel and width recommendations on top of those applied in core DCA
• Useful for mixed 11n/11ac AP networks and Wave 2 (160 MHz)
• Inputs to DBS: RF neighbour channels, channel overlap ratio, client protocol and traffic (11n/11ac), channel utilisation, non-Wi-Fi noise, Wi-Fi interference
• DBS: Auto; configured globally (8.1)
Local Profiling and Policy Classification
• ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
• For customers not deploying ISE but requiring a subset of ISE features, the WLC provides:
• Native profiling of end devices based on MAC OUI, HTTP and DHCP
• Device-based policy enforcement, per user or per device
Policy Classification (diagram)
Inputs used to classify a session: MAC / OUI, username and identity (e.g. John), user role (Student, Teacher, Admin) and device type. Policy actions applied to the matched session: VLAN, ACL, session timeout, time of day and QoS.
Configuring Client Profiles
• Client profiling uses the pre-existing profiles in the controller
• Custom profiles are not supported in this release
• Wireless clients are profiled based on the MAC OUI, DHCP, and HTTP user agent
• DHCP is required for DHCP profiling, and web-auth for HTTP user-agent profiling
• The 8.3 release contains 233 pre-existing profiles:
(Cisco Controller) >show profiling policy summary
Number of Builtin Classification Profiles: 233
ID Name Parent Min CM Valid
==== ================================================ ====== ====== =====
0 Android None 30 Yes
1 Apple-Device None 10 Yes
2 Apple-MacBook 1 20 Yes
3 Apple-iPad 1 20 Yes
4 Apple-iPhone 1 20 Yes
…/…
Local Client Profiling Configuration
• At the WLAN level, enable Local Client Profiling (DHCP and HTTP)
• "DHCP required" is checked automatically when selecting DHCP profiling
config wlan profiling {local | radius} {dhcp | http | all} <wlan ID>
(Cisco Controller) >config wlan profiling local all enable 1
Client Profiles in 7.6 and Above
• When profiling is enabled, a client's Device Type can be shown per WLAN.
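The local profiling logic described above (MAC OUI, DHCP and HTTP user-agent evidence summed against a per-profile minimum certainty, with parent/child profiles), as an added Python example that is not Cisco's code. The profile IDs, names, parents and Min CM values are the first rows of the "show profiling policy summary" output; the classifier rules, weights, OUI and sample endpoints are constructed and the scoring model is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco's code. Profile rows come from the
# 'show profiling policy summary' output; rules, weights and endpoints are constructed.


@dataclass(frozen=True)
class Profile:
    pid: int
    name: str
    parent: Optional[int]   # parent profile ID (None for a root profile)
    min_cm: int             # minimum certainty metric needed to assign this profile


PROFILES: Dict[int, Profile] = {p.pid: p for p in (
    Profile(0, "Android", None, 30),
    Profile(1, "Apple-Device", None, 10),
    Profile(2, "Apple-MacBook", 1, 20),
    Profile(3, "Apple-iPad", 1, 20),
    Profile(4, "Apple-iPhone", 1, 20),
)}

# Constructed rules: (source, needle, profile ID, certainty weight).
# 'oui' matches the MAC prefix, 'dhcp60' the DHCP vendor-class option prefix,
# 'dhcp55' the exact DHCP parameter-request list, 'http_ua' a User-Agent substring.
RULES: List[Tuple[str, str, int, int]] = [
    ("oui", "F0:99:BF", 1, 10),                 # sample OUI entry, constructed
    ("dhcp55", "1,121,3,6,15,119,252", 1, 10),
    ("dhcp60", "android-dhcp-", 0, 30),
    ("http_ua", "Android", 0, 20),              # a User-Agent alone stays below Android's Min CM
    ("http_ua", "iPhone", 4, 20),
    ("http_ua", "iPad", 3, 20),
    ("http_ua", "Macintosh", 2, 20),
]


@dataclass(frozen=True)
class Endpoint:
    mac: str
    dhcp_vendor_class: Optional[str] = None   # None: no DHCP seen (static IP), so no DHCP evidence
    dhcp_param_list: Optional[str] = None
    http_user_agent: Optional[str] = None     # None: no web-auth / HTTP seen


def _matches(kind: str, needle: str, ep: Endpoint) -> bool:
    if kind == "oui":
        return ep.mac.upper().startswith(needle.upper())
    if kind == "dhcp60":
        return ep.dhcp_vendor_class is not None and ep.dhcp_vendor_class.startswith(needle)
    if kind == "dhcp55":
        return ep.dhcp_param_list == needle
    if kind == "http_ua":
        return ep.http_user_agent is not None and needle in ep.http_user_agent
    return False


def score_endpoint(ep: Endpoint) -> Dict[int, int]:
    """Sum certainty per profile; a hit on a child profile also counts for its ancestors."""
    scores = {pid: 0 for pid in PROFILES}
    for kind, needle, pid, weight in RULES:
        if _matches(kind, needle, ep):
            cur: Optional[int] = pid
            while cur is not None:
                scores[cur] += weight
                cur = PROFILES[cur].parent
    return scores


def _depth(pid: int) -> int:
    depth, cur = 0, PROFILES[pid].parent
    while cur is not None:
        depth, cur = depth + 1, PROFILES[cur].parent
    return depth


def classify(ep: Endpoint) -> str:
    """Assign the most specific profile whose summed certainty reaches its Min CM."""
    scores = score_endpoint(ep)
    qualified = [p for p in PROFILES.values() if scores[p.pid] >= p.min_cm]
    if not qualified:
        return "Unknown"
    best = max(qualified, key=lambda p: (_depth(p.pid), scores[p.pid]))
    return best.name


# Constructed sample endpoints.
EP_OUI_ONLY = Endpoint("F0:99:BF:12:34:56")
EP_IPHONE = Endpoint("F0:99:BF:12:34:56", None, None, "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3)")
EP_ANDROID = Endpoint("02:00:00:AA:BB:CC", "android-dhcp-7.0")
EP_UA_ONLY = Endpoint("02:00:00:AA:BB:CC", None, None, "Mozilla/5.0 (Linux; Android 7.0)")

if __name__ == "__main__":
    for ep in (EP_OUI_ONLY, EP_IPHONE, EP_ANDROID, EP_UA_ONLY):
        print(ep.mac, "->", classify(ep))
```

The last endpoint shows why the Min CM matters: an HTTP User-Agent alone reaches 20, below the Android profile's 30, so the client stays Unknown until DHCP evidence is also seen.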
Why Do You Need AVC?
• Visibility: threats (worms and Trojans) move laterally (east-west); a central application sensor will not see this at all
• Detection: the path to the server may be different from the return path, so a single sensor may not be able to determine the application
• Troubleshooting: it is essential to have visibility at multiple points to break down the problem and get to resolution faster
• Control: latency metrics such as response time, transaction time, and network and application delay are needed to control the apps
Cisco AVC ecosystem (diagram)
Cisco AVC spans device sensors/platforms (switch, router, AP, controller, firewall, VM), orchestration/management (APIC-EM, Prime, web GUI), third-party visualisation and third-party security/billing.
Wi-Fi Calling Introduction
• Setting to use Wi-Fi for calls instead of the cellular network
• Useful for poor-cellular / good-Wi-Fi scenarios, and for SP offloading
• Available on the iPhone 5/6 series with iOS 8 and iOS 9, integrated into the OS
• Available on select Android and Windows phones; requires an app compatible with the phone and SP
• Still needs an SP to offer the service: T-Mobile (US), EE (UK), Google Voice (Hangouts); Sprint supports it on selected Android devices; AT&T and Verizon planning support for mid 2015
How Does AVC Classify Applications: Cisco Jabber
• Three classification flows for Cisco Jabber: Cisco Jabber Audio, Cisco Jabber Video, Cisco Jabber Control
• Different policies can be applied to the different components of a Jabber session
How Does AVC Classify Applications: MS Lync
• Three classification flows for Microsoft Lync, identified by deep packet inspection: MS-Lync-Video (desktop sharing, chat), MS-Lync Media (audio and video flows), MS-Lync File Transfer
• Different policies can be applied to the different components of a Lync session
Enabling Application Visibility and Control
• AVC is enabled per WLAN to allow deep packet inspection
1. Change the QoS level to reflect the highest application level for that SSID
2. Enable Application Visibility
3. Ensure WMM is set to "Allowed" or "Required"
Identify and Monitor 1200+ Applications Natively
• L7 classification: the integrated DPI engine (NBAR2) recognises 1200+ applications, with in-service application signature updates
• Discover and export: export 17+ traffic statistics data records using the open export protocol NetFlow v9 (RFC 3954)
• Exported fields include byte count, app name, source and destination IP, TOS, protocol, VLAN ID and user name
• Uses of the NetFlow v9 data: performance collection, capacity planning, flow monitoring and troubleshooting
Enhanced Netflow Export on Cisco WLC
• Enhanced NetFlow export of 17 new flow records to better integrate with NetFlow partners like Lancope
• Helps track applications and traffic flows by user ID
• Supported on 5520 and 8500 series controllers
• Enhanced NetFlow records on the Cisco WLC (consumed, for example, by Lancope NetFlow visibility): Application Tag, Client MAC Address, AP MAC Address, WLAN ID, Source IP, Dest IP, Source Port, Dest Port, Protocol, Flow Start Time, Flow End Time, Direction, Packet Count, Byte Count, VLAN ID (Mgmt/Dyn), TOS (DSCP value), Dot1x Username
Policy tie-in with AVC
• User-aware and device-aware, application-based policies per WLAN
• User-role aware: WLC v7.4 and later
• Device-aware: WLC v8.0
• Example: Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
• Example: Alice can access EHS records on an (IT-provisioned) Windows laptop but cannot on a personal (unsecure) iPad
AVC Profile Per User Device (diagram)
SSID "Classroom" (security: WPA2/802.1X) on an AP behind a switch and WLC. The AAA server returns Cisco-av-pair=role=<role name> and Cisco-av-pair=avc-profile-name=<avc profile on wlc>, so Teacher and Student sessions on the same SSID receive different AVC profiles (Teacher network vs Student network) for applications such as YouTube, Skype, Facebook and BitTorrent.
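The AAA override shown in the diagram (Cisco-av-pair values for avc-profile-name and role returned by RADIUS), as an added Python example that is not part of the original deck or Cisco's code. It encodes the cisco-avpair vendor-specific RADIUS attribute (RFC 2865 attribute 26, Vendor-Id 9, vendor type 1) and extracts the overrides from a constructed Access-Accept attribute list; the profile name, role and Session-Timeout value are constructed.

```python
import struct
from typing import Dict, List

# Added example, not Cisco's code. Sample values are constructed.

RADIUS_VENDOR_SPECIFIC = 26
RADIUS_SESSION_TIMEOUT = 27
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# av-pair names the WLC honours as per-client overrides when AAA Override is
# enabled on the WLAN (names taken from the slide).
OVERRIDE_KEYS = ("avc-profile-name", "role")


def encode_cisco_avpair(pair: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a single cisco-avpair string."""
    value = pair.encode("ascii")
    if len(value) > 255 - 8:   # type+len+vendor-id(4)+vendor-type+vendor-len = 8 bytes of framing
        raise ValueError("cisco-avpair too long for one attribute")
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attrs: bytes) -> List[str]:
    """Walk a RADIUS attribute list and return every cisco-avpair string.
    A bad length raises instead of being skipped: a truncated or corrupted
    Access-Accept must not yield a partial policy that then gets applied."""
    pairs: List[str] = []
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                vpos, vend = pos + 6, pos + alen
                while vpos < vend:
                    if vend - vpos < 2:
                        raise ValueError("truncated vendor attribute")
                    vtype, vlen = attrs[vpos], attrs[vpos + 1]
                    if vlen < 2 or vpos + vlen > vend:
                        raise ValueError("bad vendor attribute length")
                    if vtype == CISCO_AVPAIR:
                        pairs.append(attrs[vpos + 2:vpos + vlen].decode("ascii"))
                    vpos += vlen
        pos += alen
    return pairs


def aaa_overrides(attrs: bytes) -> Dict[str, str]:
    """Extract the per-client AVC profile and role overrides from an Access-Accept."""
    overrides: Dict[str, str] = {}
    for pair in decode_cisco_avpairs(attrs):
        key, sep, value = pair.partition("=")
        if sep and key in OVERRIDE_KEYS:
            overrides[key] = value
    return overrides


# Constructed Access-Accept attribute list for a teacher on the "Classroom" SSID.
ACCESS_ACCEPT_ATTRS = (
    encode_cisco_avpair("avc-profile-name=Teacher-AVC")
    + encode_cisco_avpair("role=Teacher")
    + struct.pack("!BBI", RADIUS_SESSION_TIMEOUT, 6, 3600)   # unrelated attribute, skipped
)

if __name__ == "__main__":
    print(aaa_overrides(ACCESS_ACCEPT_ATTRS))   # {'avc-profile-name': 'Teacher-AVC', 'role': 'Teacher'}
```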
Applying AVC Profiles (For Your Reference)
1. Create an AVC profile for applications at Wireless > AVC; a maximum of 32 rules can be created per AVC profile, then apply the AVC profile to the WLAN
2. Apply the AVC profile per client using AAA Override (RADIUS server)
3. Apply the AVC profile per client using local profiling on the WLC
8.4 OpenDNS WLC Integration
OpenDNS - Offering Domain Level Visibility
• Cloud-delivered network security service (DNS-layer security)
• Malware and breach protection in real time
• Uses evolving big-data and data-mining methods to proactively predict attacks
• Category-based filtering (60+ content categories)
• Pillars: Coverage (Internet-wide visibility), Protection (ransomware, malware/botnet), Intelligence (predictive threat intelligence), Performance (high speed, scalable), Reliability
• Security visibility: application insights, policy compliance
• The OpenDNS cloud ties a category (e.g. Malware, Phishing) to an identity (internal IP, AD user)
https://youtu.be/cMdX8sBBYG4
OpenDNS - Terminology. How does it work on WLC?
• API Token: issued from the OpenDNS portal; only used for device registration
• Device Identity: unique device identifier; policy is enforced per identifier
• EDNS: extension mechanism for DNS
• FQDN: Fully Qualified Domain Name
Flow: (1) the DNS request precedes the web request; (2) the WLC intercepts the DNS packet and redirects the query to the OpenDNS cloud servers 208.67.222.222 and 208.67.220.220 (IPv4); (3) the OpenDNS cloud resolves the request based on the FQDN in the DNS query and returns either the destination IP (safe FQDN) or a blocked page to the client (malicious FQDN).
NOTE: If the blocked domain was from an HTTPS request, the client's web browser will see a certificate error, because the OpenDNS cloud may not have the certificate of the blocked server.
OpenDNS Policy Segmentation (diagram)
Current ISR 4K implementation: site-specific policy, enforced per interface (e.g. Policy 1, Policy 2 and Policy 3 for Corp, Guest and Contractor on the Corp network and Guest network interfaces). With the Wireless Controller, the identity server returns attributes and the WLC evaluates them dynamically for access control.
OpenDNS - WLC Solution Overview
WLC and OpenDNS registration (one time; HTTPS is used in this phase):
• OpenDNS: get the API token for device registration
• WLC: apply the token and create the profile (device/profile registration)
Wireless client traffic flow:
• Client sends a DNS query
• WLC snoops the DNS query and forwards it with EDNS, tagging the packet with the identity
• OpenDNS cloud applies the profile-specific policy and sends the DNS response to the WLC
• WLC forwards the response to the client
Outcome: security enforcement (compliance, category-based filtering) plus content filtering (whitelist and blacklist).
8.4 Wireless TrustSec
The Segmentation Challenge
• Various segmentation needs: line of business, BYOD, compliance; employees, contractors, vendors, guests, PCI devices
• Complex IP-based policies, as in the illustrative ACL shown on the slide:
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780
access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611
access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606
access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005
access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199
access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782
• VLANs need updates as the topology changes
• Need to extend segments over Layer 3 boundaries, across campus and branch
• Retain security and compliance as the network expands and grows
https://youtu.be/A7H4HtzpCwM
End-to-End TrustSec in Enterprise Network (diagram)
TrustSec spans the Data Centre (NX-OS switches), the campus network (IOS switches and wireless), the branch office (routers over the WAN), services, and the public cloud / Internet.
Wireless TrustSec Support – DNA Security and Compliance
• Classification (assigning SGTs): static and dynamic assignments, e.g. 5 Employee, 6 Voice, 7 Partner
• Propagation: inline SGT and SXP
• Enforcement: Security Group ACL
Feature                                      Platform
Inline SGT tagging and SG-ACL enforcement    APs: 17xx, 27xx, 37xx, 18xx, 28xx, 1560 and 38xx; WLCs: 3504*, 5520 and 8540
SXPv2                                        5520, 8540, 8510, 7510, vWLC, 5508, WiSM2, 2504
SXPv4                                        17xx, 27xx, 37xx, 18xx, 28xx, 1560 and 38xx

WLC 8.4 switching mode                 SXP                       AP Inline Tagging   WLC Inline Tagging   Enforcement
Local / Flex mode, central switching   ✕, ✓ (v2)                 ✕                   ✓                    ✓
Flex mode, local switching             ✓                         ✓                   ✓                    ✓
Flex + Bridge                          ✓ Wave 1, ✕ 11ac Wave 2   ✕                   ✕                    ✓ Wave 1, ✕ 11ac Wave 2
Mesh                                   ✕, ✓ (v2)                 ✕                   ✓                    ✓ (indoor only)
Software Defined Segmentation – Wireless TrustSec (diagram)
Wired and wireless endpoints on VLAN Data-1 and VLAN Data-2 are classified as Employee, Supplier or Non-Compliant; the tag follows them across the enterprise backbone to the Data Centre (DC switch, application servers, shared services and remediation), with ISE providing the policy.
• A TrustSec-enabled WLC and AP receive policy only for what is connected
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic
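The three TrustSec steps above (classification into SGTs, propagation of IP-to-SGT bindings or inline tags, and SGACL enforcement per source/destination tag pair), as an added Python model that is not Cisco's code. SGT values 5, 6 and 7 come from the slide; the other tag values, the SGACL cells, the default action and all addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco's code. SGT 5/6/7 are from the slide; the rest is constructed.
SGT: Dict[str, int] = {
    "Employee": 5, "Voice": 6, "Partner": 7,                   # from the slide
    "Non-Compliant": 8, "App-Servers": 20, "Remediation": 21,  # constructed
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any), "tcp" or "udp"
    dst_port: Optional[int] = None

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


# SGACL matrix keyed by (source SGT, destination SGT). First matching rule wins;
# a cell with no match, or a missing cell, falls back to DEFAULT_ACTION.
SGACL: Dict[Tuple[int, int], List[Rule]] = {
    (SGT["Employee"], SGT["App-Servers"]): [Rule("permit", "tcp", 443), Rule("deny", "ip")],
    (SGT["Partner"], SGT["App-Servers"]): [Rule("deny", "ip")],
    (SGT["Non-Compliant"], SGT["App-Servers"]): [Rule("deny", "ip")],
    (SGT["Non-Compliant"], SGT["Remediation"]): [Rule("permit", "ip")],
    (SGT["Employee"], SGT["Employee"]): [Rule("deny", "ip")],   # no east-west between employee endpoints
}
DEFAULT_ACTION = "deny"   # constructed choice: unmatched tag pairs are denied


class BindingTable:
    """IP-to-SGT bindings, the propagation step when a frame carries no inline tag."""

    def __init__(self) -> None:
        self._bindings: List[Tuple[object, int]] = []

    def add(self, prefix: str, sgt: int) -> None:
        self._bindings.append((ip_network(prefix, strict=False), sgt))

    def lookup(self, ip: str) -> Optional[int]:
        addr = ip_address(ip)
        hits = [(net.prefixlen, sgt) for net, sgt in self._bindings if addr in net]
        return max(hits)[1] if hits else None   # longest prefix wins


def enforce(table: BindingTable, src_ip: str, dst_ip: str, proto: str,
            dst_port: Optional[int] = None, inline_src_sgt: Optional[int] = None) -> str:
    """Return 'permit' or 'deny'. An inline SGT on the frame is used before the binding table."""
    src_sgt = inline_src_sgt if inline_src_sgt is not None else table.lookup(src_ip)
    dst_sgt = table.lookup(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return DEFAULT_ACTION            # unclassified traffic is not trusted
    for rule in SGACL.get((src_sgt, dst_sgt), []):
        if rule.matches(proto, dst_port):
            return rule.action
    return DEFAULT_ACTION


def build_sample_table() -> BindingTable:
    """Constructed bindings: the same user keeps her tag after moving to another VLAN."""
    table = BindingTable()
    table.add("10.50.1.0/24", SGT["App-Servers"])     # DC server subnet
    table.add("10.50.2.10/32", SGT["Remediation"])
    table.add("10.10.20.15/32", SGT["Employee"])      # Alice on VLAN Data-1
    table.add("10.10.30.15/32", SGT["Employee"])      # Alice after moving to VLAN Data-2
    table.add("10.10.20.77/32", SGT["Partner"])
    table.add("10.10.20.99/32", SGT["Non-Compliant"])
    return table


if __name__ == "__main__":
    t = build_sample_table()
    print(enforce(t, "10.10.20.15", "10.50.1.5", "tcp", 443))   # permit
    print(enforce(t, "10.10.30.15", "10.50.1.5", "tcp", 443))   # permit: same tag, new subnet, no ACL edit
    print(enforce(t, "10.10.20.99", "10.50.1.5", "tcp", 443))   # deny
```

The policy never mentions an IP address, which is the point of the slide: moving Alice from VLAN Data-1 to Data-2 changes her binding, not the SGACL.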
IPv6 Overview (diagram)
A CAPWAPv6 tunnel between the AP and the WLC carries 802.11 traffic from both IPv4 clients (10.10.10.51, 10.10.10.52) and IPv6 clients (e.g. 2001:db8:a:0:2329:9834:3231:1111); the diagram also shows the addresses 2001:db8:a:0:1827:91bf:c41b:9683 and 2001:db8:a:0:8a56:caff:1547:9150. On the wired side: WLC management 2001:db8:a::2/64 and 10.10.10.2; IPv4/v6 router 2001:db8:a::1/64 and 10.10.10.1; SNMP, syslog and tftp/ftp/scp server 2001:db8:a:5/64; NTP server 2001:db8:a:6/64; RADIUS server 2001:db8:a:7/64.
Management Access (telnet, SSH, HTTP, HTTPS)
• The WLC can be accessed from wired or wireless via its IPv6 management interface (e.g. Mgmt: 2001:db8:a::2/64, 10.10.10.2) using telnet, SSH, HTTP and HTTPS
CAPWAPv6
• The AP can get IPv6 addresses from stateful DHCPv6, SLAAC or static assignment
• If statically assigned, the gateway can be the unique global or link-local address of the router
• Either CAPWAPv4 or CAPWAPv6 can be used, but not both
• APs in bridge mode do not support CAPWAPv6
AP Failover
• The management IP address must be reachable
• One entry per WLC
• The AP will join either the IPv4 or the IPv6 address of the WLC (regardless of the management IP listed)
• All other AP failover behaviour is the same as in previous versions
Example with WLC1, WLC2 and WLC3, three AP configurations: Primary WLC1 / Secondary WLC2 / Tertiary WLC3; Primary WLC2 / Secondary WLC3 / Tertiary WLC1; Primary WLC3 / Secondary WLC2 / Tertiary WLC1
IPv6 Guest Access
• The virtual IP address is IPv4 only
• Uses an IPv4-mapped IPv6 address for IPv6 web-authentication clients
• The virtual IP should be the same for all WLCs in the same mobility group
• For example, the IPv6 address will display as [::ffff:192.0.2.1]
Wireless IPv6 client First Hop Security on WLAN (diagram)
IPv6 client traffic crosses 802.11 to the AP, the CAPWAP tunnel to the controller, and the wired VLAN beyond it; the guards are applied along that path:
• RA Guard: Router Advertisements from a client are blocked at the AP (Local and FlexConnect)
• DHCP Server Guard: DHCPv6 server advertisements from a client are blocked at the wireless controller
• Source Guard: undesired IPv6 addresses/prefixes are blocked using an IPv6 ACL
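The RA Guard and DHCP Server Guard decisions above, as an added Python filter that is not Cisco's code: it parses a constructed Ethernet/IPv6 frame and drops Router Advertisements and DHCPv6 server messages that arrive from the client-facing (wireless) side while forwarding the same frames from the wired side. Frames are constructed; checksums are left at zero because the filter does not verify them, and extension headers are treated as a limitation noted in the code.

```python
import struct

# Added example, not Cisco's code. All frames below are constructed.
ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
IPPROTO_UDP = 17
ICMPV6_ROUTER_ADVERT = 134
DHCPV6_SERVER_PORT = 547
DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_MSG_TYPES = {2, 7}   # ADVERTISE and REPLY: only a server may send these


def build_ipv6_frame(src: bytes, dst: bytes, next_header: int, payload: bytes) -> bytes:
    """Ethernet + fixed IPv6 header (no extension headers) around the payload."""
    eth = bytes.fromhex("333300000001") + bytes.fromhex("020000000001") + struct.pack("!H", ETH_P_IPV6)
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst
    return eth + ip6 + payload


def fhs_verdict(frame: bytes, ingress: str) -> str:
    """ingress is 'wireless' (frame came from a client) or 'wired' (from the infrastructure)."""
    if len(frame) < 14 + 40 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return "forward"                          # not IPv6: outside this filter's scope
    payload_len, next_header = struct.unpack("!HB", frame[18:21])
    payload = frame[54:54 + payload_len]
    if len(payload) < payload_len:
        return "drop-malformed"                   # truncated frame: do not guess its contents
    if ingress != "wireless":
        return "forward"                          # the guards apply to the client-facing side only
    # Limitation: a frame whose next header is an extension header (e.g. Hop-by-Hop, 0)
    # is not inspected here; a production filter walks the extension chain first.
    if next_header == IPPROTO_ICMPV6 and len(payload) >= 4 and payload[0] == ICMPV6_ROUTER_ADVERT:
        return "drop-ra-guard"
    if next_header == IPPROTO_UDP and len(payload) >= 9:
        sport, dport = struct.unpack("!HH", payload[:4])
        msg_type = payload[8]                     # first byte after the 8-byte UDP header
        if sport == DHCPV6_SERVER_PORT and dport == DHCPV6_CLIENT_PORT and msg_type in DHCPV6_SERVER_MSG_TYPES:
            return "drop-dhcp-server-guard"
    return "forward"


# Constructed addresses and frames.
LL_ROUTER = bytes.fromhex("fe80000000000000" "0000000000000001")
LL_CLIENT = bytes.fromhex("fe80000000000000" "0200000000000001")
ALL_NODES = bytes.fromhex("ff020000000000000000000000000001")

# Router Advertisement: type 134, code 0, checksum 0, hop limit 64, flags 0, lifetime 1800, reachable 0, retrans 0
RA_PAYLOAD = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
RA_FROM_CLIENT = build_ipv6_frame(LL_CLIENT, ALL_NODES, IPPROTO_ICMPV6, RA_PAYLOAD)

# DHCPv6 ADVERTISE: UDP 547 -> 546, then msg-type 2 and a 3-byte transaction id
DHCP_ADV_PAYLOAD = struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0xAB, 0xCD, 0xEF])
DHCP_ADV_FROM_CLIENT = build_ipv6_frame(LL_CLIENT, LL_ROUTER, IPPROTO_UDP, DHCP_ADV_PAYLOAD)

# Ordinary client traffic: ICMPv6 echo request (type 128)
ECHO_FROM_CLIENT = build_ipv6_frame(LL_CLIENT, LL_ROUTER, IPPROTO_ICMPV6, struct.pack("!BBH HH", 128, 0, 0, 1, 1))

if __name__ == "__main__":
    for name, frame in (("RA", RA_FROM_CLIENT), ("DHCPv6 ADVERTISE", DHCP_ADV_FROM_CLIENT), ("echo", ECHO_FROM_CLIENT)):
        print(f"{name}: wireless={fhs_verdict(frame, 'wireless')} wired={fhs_verdict(frame, 'wired')}")
```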
Branch Office with Local WLAN Controller – Overview
• Branches can also have local controllers
• Small or mid-size branch WLCs: WLC 2504, Virtual WLC, Converged Access Cat-3850
• A high-availability design with a central backup controller is supported; WAN limitations may apply
(Diagram: Remote Site A with a WLC-2504, Remote Site B with a vWLC and Remote Site C with a Cat-3850, each connected over the WAN to a backup central controller at the Central Site, with CAPWAP from the remote APs.)
Branch Office Deployment – FlexConnect
• Hybrid architecture: single management and control point
• Data traffic switching: centralised traffic (split MAC) or local traffic (local MAC)
• HA will preserve local traffic only
• Traffic switching is configured per AP and per WLAN (SSID)
(Diagram: remote office APs reach the central site over the WAN; some SSIDs have centralised traffic while others are switched locally.)
FlexConnect Glossary
• Standalone Mode: when a FlexConnect AP cannot reach the controller, it goes into the standalone state and does client authentication by itself
• Connected Mode: when a FlexConnect AP can reach the controller, it gets help from the controller to complete client authentication
• Local Switching: data traffic switched onto local VLANs for an SSID
• Central Switching: data traffic tunnelled back to the WLC for an SSID
Flex AVC WAN Bandwidth Considerations
Deployment Type     WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
Data + Flex AVC     75 Kbps               300 msec                5                    25
Test conditions:
• 5 APs, 25-client setup
• 1 locally switched WLAN with WPA2 and PEAP
• Local authentication with a RADIUS server on the FCG
• Application Visibility turned on at the FCG
• Applications: HTTP, FTP, RTP
Bringing All Together – Best Practices
BEST PRACTICES (AirOS) – Make it Easy, Make it Work, Make it Perform (For Your Reference)
INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• Disable Aironet IE
• FlexConnect Groups and Smart AP Upgrade
SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advanced EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password policies
• Enable IDS
• BYOD Timers
MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode
WIRELESS/RF
• Disable 802.11b data rates
• Restrict number of WLANs below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Best Practice Check Points – Measuring Compliance
WLC WLAN Express Setup (7.6 MR2, 8.0, 8.1): best practices defaults, RF parameter optimisation, network profiles
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security and resiliency with best practice recommendations turned on at boot-up time
WLC Upgrade Audit Workflow (8.1): audit page on upgrade, one-click Fix It, manual config option
• Compliance metric and reporting natively on the WLC
• Identify missing best practice configuration on upgrade
• Easy one-click Fix It option to turn on best practice knobs
• Restore Defaults to revert configuration to default
WLCCA Config Analyser: Windows executable, "show run-config" based analyser tool
• Downloadable client; configuration stays local
• Simplified operational use to quickly identify and fix problem areas
• RF health metrics, IOS support, mobility group support
Cisco Active Advisor (CAA): free, cloud-based service; agentless, nothing to download
• Cisco personalised device health score
• Compare your wireless network configuration to Cisco's recommended best practices
• Automated inventory management and network scanning
WLAN Express Setup (screenshots): the setup wizard pages in 7.6 MR2 / 8.0 and in 8.1.
WLC WLAN Express Setup Best Practices Day 0/1
Best practice knobs set by WLAN Express Setup (8.1):
• AVC visibility
• mDNS snooping, with a new mDNS profile for printer and http
• Local profiling
• Band Select
• DHCP proxy
• Secure web access
• Virtual IP 192.0.2.1
• RRM-DCA Auto
• RRM-TPC Auto
• CleanAir enabled
• EDRRM enabled
• Channel width 40 MHz
• Aironet IE disabled
• Management over Wireless
• 2.4 GHz low data rates disabled
• Load balancing
• Rogue threshold enabled
• Client exclusion enabled
• FastSSID enabled
• Infrastructure MFP
• Multicast forwarding mode
• SNMPv3 (delete default)
• Mobility name
• RF group same as mobility name
• DHCP required on guest WLAN
• 5 GHz channel bonding
Benefits (save time and money):
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security and resiliency with best practice recommendations turned on at boot-up time
http://youtu.be/aNVM3rW-Zkc
https://www.youtube.com/watch?v=nGFH38peF-w
Best Practice Enhancements
• Best Practices Score: the best practices count increased to 39
• Ignored Best Practices Score: the number of ignored best practices
• Add Ignored Best Practices: a popup that displays the ignored best practices, which can be re-added
Best Practice Enhancements – Ignore Score
• Controls: clicking Fix or Ignore will apply the selected best practice or ignore it
WLC Config Analyser – Per Controller Compliance
• Best practices categorised into: General, AP, Mobility, RF, Security, Voice, Mesh, Flex
• Per-controller compliance level for each category: total/passed/failed checks
• Colour coding: 0–40% red, 41–80% yellow, 81–100% green
Latest @ https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=wlc-conf-app-dev
Summary – Key Takeaways
• Take advantage of the standards (CAPWAP, DTLS, 802.11 i, e, k, r, ...) and the Apple+Cisco relationship
• Wide range of architecture / design choices and High Availability
• Brand new controllers (WiSM-2, WLC 7500, WLC 8500, WLC 2504, Virtual WLC) portfolio with investment protection
• Take advantage of innovations from Cisco (11ac Wave 2, Flexible Radio Architecture (FRA), CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
• Cisco's investment into technology – Cisco Prime, ISE, new hardware and CMX
Cisco Wireless LAN Documentation
INSTALLATION GUIDES: 5520 WLC; 8540 WLC; AP1570; AP1810 OE; AP1810W Wall Plate; AP1850; AP2700/3700; AP2800/3800; AP702W; APIC-EM Wireless AP PnP; Flex7500 WLC; Mesh APs; Mobility Express; Smart Licensing; Univ. AP Regulatory Domain; Virtual WLC
RADIO CONFIGURATION: 802.11r BSS Fast Transition; Adaptive wIPS; ATF Ph 1 & 2; CleanAir; CMX FastLocate; High Density; Rogue Management; RRM RF Grouping Algorithm; RRM White Paper
ENCRYPTION: BYOD for FlexConnect; BYOD with ISE; Security Integration
CLIENT ADDRESSING: Bi-Directional Rate Limiting; Flex AP-EoGRE Tunnel Gtwy; IPv6; Jabber; Jabber and UCM; Microsoft Lync; Passpoint Configuration; Real-Time Traffic Over WLAN; VideoStream; Vocera IP Phone in WLAN; VoWLAN Troubleshooting
POLICY ENGINE: AVC; Bonjour; Chromecast; Device Classification; Domain Filtering; mDNS Gateway w/Chromecast; Wireless Device Profiling & Policy Classification
BEST PRACTICES: Apple Devices; Enterprise Mobility Design Guide; High Availability (SSO); HyperLocation; iPhone 6 Roaming; N+1 High Availability; WLAN Express; WLC Configuration Best Practices
Click - https://www.youtube.com/user/CiscoWLAN/
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Cisco CMX Solution https://www.youtube.com/watch?v=KQRb8vfU0qM
• CMX Hyperlocation vs RSSI Demo
https://www.youtube.com/watch?v=6ls7EHbSK4A
• Cisco Dual 5GHz Wi-Fi https://www.youtube.com/watch?v=mbpjiETvDXc
• Cisco Aironet AP-3800 RF Excellence
https://www.youtube.com/watch?v=dBpGsTKeyNM&t=64s
• Digital Network Architecture with Wave2 with 802.11ac
https://www.youtube.com/watch?v=ySjN13hPhXY&t=2s
• Cisco Aironet Series – Flexible Radio Assignment
https://www.youtube.com/watch?v=K_-BykT_YIM
• TechWiseTV: Apple and Cisco: Fast-Tracking the Mobile Enterprise
https://www.youtube.com/watch?v=bh8rEvrzm7Y&feature=youtu.be
• Prioritised Business Apps
https://www.youtube.com/watch?v=z0EOKNxL964&feature=youtu.be
• Apple and Cisco: Three Solutions Coming Together
https://www.youtube.com/watch?v=7MgsDkf55wQ&feature=youtu.be
• WiFi Optimised Feature
https://www.youtube.com/watch?v=xgPfxAolJoQ&feature=youtu.be
Faster Innovation
VoD Links
Reduce
Cost &
Complexity
Lower
Risk
• Fastlane App Demo https://www.youtube.com/watch?v=N1QMUcv3aRQ
• Cisco APIC-EM Wireless PnP Demo https://www.youtube.com/watch?v=_9P2-bU66PU
• Cisco Aironet Plug and Play Cloud Redirection
https://www.youtube.com/watch?v=W7fBZ6xfSxw
• Wireless LAN Controller Dashboard Review
https://www.youtube.com/watch?v=af09TBaafRI&feature=youtu.be
• Cisco Wireless Mobile App https://www.youtube.com/watch?v=HyvZ4mbVAWs
• WLC Advanced UI Client Troubleshooting
https://www.youtube.com/watch?v=dZVxI6jOx_Q
• ISE Simplified Wireless Setup
https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Cisco Wireless TrustSec Demo
https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Cisco Wireless Netflow Lancope Integration Demo
https://www.youtube.com/watch?v=TuWYkrt94CQ
• OpenDNS Integration with WLC
https://www.youtube.com/watch?v=cMdX8sBBYG4
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Q & A
Complete Your Online Session Evaluation
Learn online with Cisco Live!
Visit us online after the conference
for full access to session videos and
presentations.
www.CiscoLiveAPAC.com
Give us your feedback and receive a
Cisco Live 2017 Cap by completing the
overall event evaluation and 5 session
evaluations.
All evaluations can be completed via
the Cisco Live Mobile App.
Caps can be collected Friday 10 March
at Registration.
Thank you
Design and Deployment of Enterprise WLANs

Contenu connexe

Tendances

22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...
22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...
22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...Indonesia Network Operators Group
 
Монетизация сетевой инфраструктуры
Монетизация сетевой инфраструктурыМонетизация сетевой инфраструктуры
Монетизация сетевой инфраструктурыBAKOTECH
 
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad IrzanIndonesia Network Operators Group
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment RoutingMyNOG
 
APAC Webinar: Learn how to maximise the benefits of NFV
APAC Webinar: Learn how to maximise the benefits of NFVAPAC Webinar: Learn how to maximise the benefits of NFV
APAC Webinar: Learn how to maximise the benefits of NFVF5NetworksAPJ
 
Technical overview of new cisco catalyst multigigabit switches
Technical overview of new cisco catalyst multigigabit switchesTechnical overview of new cisco catalyst multigigabit switches
Technical overview of new cisco catalyst multigigabit switchesCisco Mobility
 
The Juniper SDN Landscape
The Juniper SDN LandscapeThe Juniper SDN Landscape
The Juniper SDN LandscapeChris Jones
 
Pivotal Cloud Foundry + NSX
Pivotal Cloud Foundry + NSXPivotal Cloud Foundry + NSX
Pivotal Cloud Foundry + NSXPooja Patel
 
Subnet Pools and Pluggable IPAM
Subnet Pools and Pluggable IPAMSubnet Pools and Pluggable IPAM
Subnet Pools and Pluggable IPAMcarlbaldwin
 
NFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrail
NFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrailNFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrail
NFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrailozkan01
 
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...Indonesia Network Operators Group
 
Iben from Spirent talks at the SDN World Congress about the importance of and...
Iben from Spirent talks at the SDN World Congress about the importance of and...Iben from Spirent talks at the SDN World Congress about the importance of and...
Iben from Spirent talks at the SDN World Congress about the importance of and...Iben Rodriguez
 
Is SDN Necessary?
Is SDN Necessary?Is SDN Necessary?
Is SDN Necessary?Bruce Davie
 
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las VegasIntroduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las VegasBruno Teixeira
 
OpenStack MeetUp - OpenContrail Presentation
OpenStack MeetUp - OpenContrail PresentationOpenStack MeetUp - OpenContrail Presentation
OpenStack MeetUp - OpenContrail PresentationStacy Véronneau
 
OpenFlow: What is it Good For?
OpenFlow: What is it Good For? OpenFlow: What is it Good For?
OpenFlow: What is it Good For? APNIC
 
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...Indonesia Network Operators Group
 

Tendances (20)

22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...
22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...
22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...
 
Монетизация сетевой инфраструктуры
Монетизация сетевой инфраструктурыМонетизация сетевой инфраструктуры
Монетизация сетевой инфраструктуры
 
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
 
Preparing Your Network for 802.11ac Wave 2
Preparing Your Network for 802.11ac Wave 2Preparing Your Network for 802.11ac Wave 2
Preparing Your Network for 802.11ac Wave 2
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment Routing
 
APAC Webinar: Learn how to maximise the benefits of NFV
APAC Webinar: Learn how to maximise the benefits of NFVAPAC Webinar: Learn how to maximise the benefits of NFV
APAC Webinar: Learn how to maximise the benefits of NFV
 
Technical overview of new cisco catalyst multigigabit switches
Technical overview of new cisco catalyst multigigabit switchesTechnical overview of new cisco catalyst multigigabit switches
Technical overview of new cisco catalyst multigigabit switches
 
The Juniper SDN Landscape
The Juniper SDN LandscapeThe Juniper SDN Landscape
The Juniper SDN Landscape
 
ACI Hands-on Lab
ACI Hands-on LabACI Hands-on Lab
ACI Hands-on Lab
 
04 (IDNOG02) Cloud Infrastructure by Dondy Bappedyanto
04 (IDNOG02) Cloud Infrastructure by Dondy Bappedyanto04 (IDNOG02) Cloud Infrastructure by Dondy Bappedyanto
04 (IDNOG02) Cloud Infrastructure by Dondy Bappedyanto
 
Pivotal Cloud Foundry + NSX
Pivotal Cloud Foundry + NSXPivotal Cloud Foundry + NSX
Pivotal Cloud Foundry + NSX
 
Subnet Pools and Pluggable IPAM
Subnet Pools and Pluggable IPAMSubnet Pools and Pluggable IPAM
Subnet Pools and Pluggable IPAM
 
NFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrail
NFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrailNFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrail
NFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrail
 
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
 
Iben from Spirent talks at the SDN World Congress about the importance of and...
Iben from Spirent talks at the SDN World Congress about the importance of and...Iben from Spirent talks at the SDN World Congress about the importance of and...
Iben from Spirent talks at the SDN World Congress about the importance of and...
 
Is SDN Necessary?
Is SDN Necessary?Is SDN Necessary?
Is SDN Necessary?
 
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las VegasIntroduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
 
OpenStack MeetUp - OpenContrail Presentation
OpenStack MeetUp - OpenContrail PresentationOpenStack MeetUp - OpenContrail Presentation
OpenStack MeetUp - OpenContrail Presentation
 
OpenFlow: What is it Good For?
OpenFlow: What is it Good For? OpenFlow: What is it Good For?
OpenFlow: What is it Good For?
 
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
 

Similaire à Design and Deployment of Enterprise WLANs

The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network EvolutionCisco Canada
 
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:Cisco Canada
 
Embracing SDN in the Next Gen Network
Embracing SDN in the Next Gen NetworkEmbracing SDN in the Next Gen Network
Embracing SDN in the Next Gen NetworkNetCraftsmen
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMOpen Networking Summit
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018   a look at network assurance in dna centerCisco connect winnipeg 2018   a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco Canada
 
NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
NSX: La Virtualizzazione di Rete e il Futuro della SicurezzaNSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
NSX: La Virtualizzazione di Rete e il Futuro della SicurezzaVMUG IT
 
DNA Intelligent WAN Campus Day
DNA Intelligent WAN Campus DayDNA Intelligent WAN Campus Day
DNA Intelligent WAN Campus DayCisco Canada
 
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
Understanding Cisco’s Next Generation SD-WAN Solution with ViptelaUnderstanding Cisco’s Next Generation SD-WAN Solution with Viptela
Understanding Cisco’s Next Generation SD-WAN Solution with ViptelaCisco Canada
 
Understanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN TechnologyUnderstanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN TechnologyCisco Canada
 
PLNOG15: Cisco Application Centric Infrastructure - why ...? - Krzysztof Mazepa
PLNOG15: Cisco Application Centric Infrastructure - why ...? - Krzysztof MazepaPLNOG15: Cisco Application Centric Infrastructure - why ...? - Krzysztof Mazepa
PLNOG15: Cisco Application Centric Infrastructure - why ...? - Krzysztof MazepaPROIDEA
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
The right Wireless Architecture for you
The right Wireless Architecture for youThe right Wireless Architecture for you
The right Wireless Architecture for youCisco Canada
 
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Cisco Russia
 
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...Cisco Canada
 
Open coud networking at full speed - Avi Alkobi
Open coud networking at full speed - Avi AlkobiOpen coud networking at full speed - Avi Alkobi
Open coud networking at full speed - Avi AlkobiOpenInfra Days Poland 2019
 
CCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptxCCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptxParthaDas754073
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 

Similaire à Design and Deployment of Enterprise WLANs (20)

The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network Evolution
 
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
 
Embracing SDN in the Next Gen Network
Embracing SDN in the Next Gen NetworkEmbracing SDN in the Next Gen Network
Embracing SDN in the Next Gen Network
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018   a look at network assurance in dna centerCisco connect winnipeg 2018   a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna center
 
BRKCRS-2110.pdf
BRKCRS-2110.pdfBRKCRS-2110.pdf
BRKCRS-2110.pdf
 
NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
NSX: La Virtualizzazione di Rete e il Futuro della SicurezzaNSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
 
DNA Intelligent WAN Campus Day
DNA Intelligent WAN Campus DayDNA Intelligent WAN Campus Day
DNA Intelligent WAN Campus Day
 
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
Understanding Cisco’s Next Generation SD-WAN Solution with ViptelaUnderstanding Cisco’s Next Generation SD-WAN Solution with Viptela
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
 
Understanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN TechnologyUnderstanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN Technology
 
PLNOG15: Cisco Application Centric Infrastructure - why ...? - Krzysztof Mazepa
PLNOG15: Cisco Application Centric Infrastructure - why ...? - Krzysztof MazepaPLNOG15: Cisco Application Centric Infrastructure - why ...? - Krzysztof Mazepa
PLNOG15: Cisco Application Centric Infrastructure - why ...? - Krzysztof Mazepa
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
The right Wireless Architecture for you
The right Wireless Architecture for youThe right Wireless Architecture for you
The right Wireless Architecture for you
 
Open v ran
Open v ranOpen v ran
Open v ran
 
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
 
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
 
Open coud networking at full speed - Avi Alkobi
Open coud networking at full speed - Avi AlkobiOpen coud networking at full speed - Avi Alkobi
Open coud networking at full speed - Avi Alkobi
 
CCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptxCCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptx
 
CISCO DCNM.pdf
CISCO DCNM.pdfCISCO DCNM.pdf
CISCO DCNM.pdf
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 

Dernier

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Dernier (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Design and Deployment of Enterprise WLANs

  • 1.
  • 2. Design and Deployment of Enterprise WLANs Sujit Ghosh, Sr. Mgr. Technical Marketing, EISG BRKEWN-2010
  • 3. • Controller-Based Architecture Overview • Mobility in the Cisco Unified WLAN Architecture • Architecture Building Blocks • Deploying the Cisco Unified Wireless Architecture • Bringing All Together – Best Practices Agenda
  • 4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4BRKEWN-2010 Cisco Unified Wireless Principles • Components • Wireless LAN controllers (WLC) • Aironet access points (AP) • Management (Prime Infrastructure) (PI) • Mobility Service Engine (MSE) / CMX • Principles • AP must have CAPWAP connectivity with WLC • Configuration downloaded to AP by WLC • All Wi-Fi traffic is forwarded to the WLC Wireless LAN Controllers Aironet Access Point Cisco Prime Infrastructure MSE/CMX Campus Network
  • 5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Centralised Wireless LAN Architecture What is CAPWAP? • CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller and based on LWAPP over IPv4 or IPv6 • CAPWAP carries control and data traffic between the two • Control plane is DTLS encrypted • Data plane is DTLS encrypted (optional) • LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless • CAPWAP is not supported on Layer 2 mode deployment BRKEWN-2010 5 CAPWAP Controller Wi-Fi Client Business Application Control Plane Data Plane Access Point
  • 6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6BRKEWN-2010 CAPWAP State Machine Discovery Reset Image Data Config Run AP Boots UP DTLS Setup Join
  • 8. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 8BRKEWN-2010 Network Plug-N-Play – Simple, Secure, Scalable Central Staging Facility Site-1 • Install OS • Install Config • Prime deviceNetwork Admin Installer Site-3 Today’s Process Site-2 Site(s) Network PnP Pre Provision Projects/Sites Network Admin 1 Install & Power-on devices 2 Installer Monitor device installation 3 Network Admin Reseller/Partner Ships equipment Direct Costs •Shipping after Configuring device •Travel costs for IT installer Complexity •Config errors •Different products / processes Security •3rd party not secure Time/Productivity •Manual process •Shipping , Storage, Travel Business Challenges
  • 9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Network PnP Discovery Options DHCP with Options 43 PnP String: 5A1D;B2;K4;I172.19.45.222;J80 Switches (Catalyst) Routers (ISR/ASR) Wireless AP DHCP Server DNS Server DNS Lookup pnpserver.localdomain ---- e.g.172.19.45.222 (PnP Server) Cloud re-direction Manual - using Installer App iPhone, iPad, Android, 1 2 3 4 5 CAPWAP CAPWAP based WLC discovery (For AP only) Brand new device only Brand new device only BRKEWN-2010 9
  • 10. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Single Site Provisioning BRKEWN-2010 10 WLC-1a Central Site Radius Product ID Serial # Hostname WLC IP AP Mode FlexGroup AIR-CAP3702I-A-K9 RFD0PP2T025 Site-1-AP WLC-1a FlexConnect Site-1Group Site Rule WLC IP: WLC-1a AP Name: Site-1-AP AP Mode: FlexConnect Flex Group: Site-1Group WAN PnP Server Site-1 Group Remote Site WLC-1b
• 11. Agenda: Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Architecture Building Blocks; Deploying the Cisco Unified Wireless Architecture; Bringing All Together – Best Practices
• 12. Mobility Defined
  • Mobility is a key reason for wireless networks
  • Mobility means the end-user device is capable of moving location in the networked environment
  • Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it's mobile!
  • Mobility presents new challenges:
    • Need to scale the architecture to support client roaming – roaming can occur intra-controller and inter-controller
    • Need to support client roaming that is seamless (fast) and preserves security
• 13. Scaling the Architecture with Mobility Groups
  • A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
  • APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
  • Support for up to 24 controllers, 24000 APs per mobility group
  • Mobility messages exchanged between controllers
  • Data tunneled between controllers in EtherIP (RFC 3378)
  • 7.6 has the option of using EoIP or CAPWAP tunnels between controllers
  Diagram (Ethernet-in-IP tunnel and mobility messages between three controllers, all with Mobility Group Name MyMobilityGroup):
  • Controller-A, MAC AA:AA:AA:AA:AA:01; Mobility Group Neighbours: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)
  • Controller-B, MAC AA:AA:AA:AA:AA:02; Mobility Group Neighbours: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)
  • Controller-C, MAC AA:AA:AA:AA:AA:03; Mobility Group Neighbours: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)
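The slide's diagram shows what a healthy mobility group looks like: every controller lists every other member by name and MAC under the same group name. A roam fails quietly when one peer entry is missing or carries a stale MAC, so a consistency check over exported peer lists is worth having. This is an added example, not code from the deck or from Cisco; the three controllers are the slide's own (MyMobilityGroup, Controller-A/B/C, AA:AA:AA:AA:AA:01..03) and the 24-member limit is the figure the slide gives.

```python
"""Consistency check over mobility-group peer lists.

Added example, not code from the deck or from Cisco. Checks the properties
the slide's diagram implies: one group name, every member listing every
other member with the matching MAC, no unknown peers, at most 24 members.
"""
from dataclasses import dataclass

MAX_CONTROLLERS_PER_GROUP = 24  # limit stated on the slide


@dataclass
class Controller:
    name: str
    mac: str
    group: str
    neighbours: dict  # neighbour name -> neighbour MAC, as configured on this WLC


def check_mobility_group(controllers: list) -> list:
    """Return human-readable problems; an empty list means the group is consistent."""
    problems = []
    if len(controllers) > MAX_CONTROLLERS_PER_GROUP:
        problems.append(f"{len(controllers)} controllers exceed the "
                        f"{MAX_CONTROLLERS_PER_GROUP}-member limit")
    groups = sorted({c.group for c in controllers})
    if len(groups) > 1:
        problems.append(f"group name mismatch across members: {groups}")
    known_macs = {c.mac.lower() for c in controllers}
    for c in controllers:
        # every other member must be present with the right MAC
        for other in controllers:
            if other is c:
                continue
            listed = c.neighbours.get(other.name)
            if listed is None:
                problems.append(f"{c.name} does not list {other.name}")
            elif listed.lower() != other.mac.lower():
                problems.append(f"{c.name} lists {other.name} as {listed}, expected {other.mac}")
        # nothing should be listed that is not a member
        for n_name, n_mac in c.neighbours.items():
            if n_mac.lower() not in known_macs:
                problems.append(f"{c.name} lists unknown peer {n_name} ({n_mac})")
    return problems


def slide_controllers() -> list:
    """The three controllers drawn on the slide."""
    a, b, c = "AA:AA:AA:AA:AA:01", "AA:AA:AA:AA:AA:02", "AA:AA:AA:AA:AA:03"
    group = "MyMobilityGroup"
    return [
        Controller("Controller-A", a, group, {"Controller-B": b, "Controller-C": c}),
        Controller("Controller-B", b, group, {"Controller-A": a, "Controller-C": c}),
        Controller("Controller-C", c, group, {"Controller-A": a, "Controller-B": b}),
    ]


if __name__ == "__main__":
    for problem in check_mobility_group(slide_controllers()) or ["consistent"]:
        print(problem)
```

The check is deliberately one-directional per pair, so a one-sided entry (A lists C but C does not list A) is reported once, against the controller whose list is short.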
• 14. Scaling the Architecture with Mobility Groups
  • Hierarchy: one WLC → Network → Mobility Group → Mobility Domain
  • 24 WLCs in a Mobility Group; 72 WLCs in a Mobility Domain
  • Mobility Groups on 8.0, 8.2 and 8.3: with Inter Release Controller Mobility (IRCM), roaming is supported between 8.0, 8.2 and 8.3
• 15. How Long Does an STA Roam Take?
  • Time it takes for: client to disassociate + probe for and select a new AP + 802.11 Association + 802.1X/EAP Authentication + rekeying + IP address (re)acquisition
  • All this can be on the order of seconds… Can we make this faster?
• 16. Roaming Requirements
  • Roaming must be fast … Latency can be introduced by:
    • Client channel scanning and AP selection algorithms
    • Re-authentication of the client device and re-keying
    • Refreshing of the IP address
  • Roaming must maintain security
    • Open auth, static WEP – session continues on the new AP
    • WPA/WPAv2 Personal – new session key for encryption derived via standard handshakes
    • 802.1X, 802.11i, WPA/WPAv2 Enterprise – client must be re-authenticated and a new session key derived for encryption
• 17. How Are We Going to Make Roaming Faster? Focus on where we can have the biggest impact:
  • Eliminating the (re)IP address acquisition challenge
  • Eliminating full 802.1X/EAP reauthentication
• 18. Intra-Controller Roaming: Layer 2 Roaming
  Diagram: WLC-1 and WLC-2 with their client databases; mobility message exchange; roaming data path; client data (MAC, IP, QoS, Security); VLAN X; client roams to a different AP.
  • Client database entry updated with the new AP and the appropriate security context
  • No IP address refresh needed
• 19. Client Roaming Between Subnets: Layer 3
  Diagram: WLC-1 (VLAN X) and WLC-2 (VLAN Z), one acting as anchor controller and the other as foreign controller, each with a client database holding the client data (MAC, IP, QoS, Security); pre-roaming data path; mobility message exchange; data tunnel between anchor and foreign; client roams to a different AP.
• 20. Roaming: Inter-Controller
  • L3 inter-controller roam: STA moves association between APs joined to different controllers, with client traffic bridged onto different subnets
  • Client must be re-authenticated and a new security session established
  • Client database entry copied to the new controller – entry exists in both WLC client DBs
  • Original controller tagged as the "anchor", new controller tagged as the "foreign"
  • WLCs must be in the same mobility group or domain
  • No IP address refresh needed
  • Symmetric traffic path established – the asymmetric option has been eliminated as of the 6.0 release
  • Account for mobility message exchange in network design
• 21. Designing a Mobility Group/Domain
  • Less roaming is better – clients and apps are happier
  • While clients are authenticating/roaming, the WLC CPU is doing the processing – less of an issue with the latest controllers, which have a dedicated management/control processor
  • L3 roaming and fast roaming clients consume client DB slots on multiple controllers – consider "worst case" scenarios in designing the roaming domain size
  • Leverage natural roaming domain boundaries
  • Mobility Message transport selection: multicast vs. unicast
  • Make sure the right ports and protocols are allowed
• 22. How Are We Going to Make Roaming Faster? Focus on where we can have the biggest impact:
  ✓ Eliminating the (re)IP address acquisition challenge
  • Eliminating full 802.1X/EAP reauthentication
• 23. Fast Secure Roaming – Standard Wi-Fi Secure Roaming
  • 802.1X authentication in wireless today requires three "end-to-end" transactions with an overall transaction time of > 500 ms
  • 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam
  Diagram: Cisco AAA Server (ACS or ISE) across the WAN from AP1 and AP2; 1. 802.1X initial authentication transaction; 2. 802.1X reauthentication after roaming.
• 24. Cisco Centralised Key Management (CCKM)
  • Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
  • CCKM ported to the CUWN architecture in the 3.2 release
  • In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
  • CCKM is most widely implemented in ASDs, especially VoWLAN devices
  • To work across WLCs, the WLCs must be in the same mobility group
  • CCX-based laptops may not fully support CCKM – depends on supplicant capabilities
  • CCKM is standardised in 802.11r, Apple iOS 6.0, iOS 7.0
• 25. Protocols that Help Your BYOD Roam
  • Issues will come as you reach the edge of the cell – you need to expedite the jump to the next cell:
    • 802.11k: helps the BYOD discover the next cell
    • 802.11r (FT): helps the BYOD exchange credentials fast while roaming
    • 802.11v BSS Transition Management: pushes the BYOD to the next cell
  • How do you know if your BYOD supports 802.11k or 802.11r?
    • Apple devices support both since iOS 6
    • On Android… it depends on the device – vendors certify for 802.11r and/or 802.11k on devices targeted for the enterprise market, not for the home market
    • Two URLs can help you:
      • http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/device_classification_guide.html
      • http://clients.mikealbano.com/ (look for RM fields in frame captures for 802.11k support)
• 27. Cisco and Apple join hands to build a fast lane (Apple iOS 10 + Cisco AP)
• 28. How does Fast Lane work for Apple devices connecting to Cisco wireless networks?
  • iOS 10 devices and Cisco APs (AireOS 8.3) perform a "handshake" that allows them to recognise each other ("Aloha!" / "Hello Amigo!")
• 29. Three New Wireless Innovations Resulting from the Apple / Cisco Partnership
  1. Enhanced QoS for iOS 10+ – proper QoS handling
  2. Improved Roaming – better roaming through Adaptive 11r
  3. Centralised iOS App Policy Control – IT administrator control of applications and QoS
• 30. Foundation 1: Enhanced QoS for iOS Devices
  • Wireless is becoming the new edge of the network
  • Real-time apps (voice and video) are becoming the norm on WLANs
  • Endpoint vendors' QoS implementations are weak, resulting in a poor quality voice and video experience over wireless
• 31. Wi-Fi's Biggest QoS Challenge: Shared, Half-Duplex and Contention Based!
  • Only one station can send at a time, or it will cause interference!
  • All stations must first wait for the medium to go quiet before attempting to transmit.
  • What happens when you arrive at a 4-way stop?
• 32. As WLANs become busier, each client (and the AP) needs to wait longer (bad for real-time apps)
  Cartoon: one 11ac station is sending while every other station waits, each reporting "My MOS score is terrible!"
• 33. How Much Does Contention Affect Performance – the breaking point depends on how many clients you have
  Chart: Throughput (%) versus number of clients (1, 5, 10, 25, 50, 75, 100), with the contention premium growing through bands of 5%–10%, 10%–30%, 30%–50% and 50%–60% as the client count rises (source: IEEE 802.11-15/0351r2)
  • As more clients associate and transmit, WLAN contention increases for all clients. Retry attempts increase and each station spends more and more time in the "waiting and listening" state, driving down performance
• 34. 802.11e solves the problem by creating wireless queues (Access Categories) and forcing lower priority queues to wait longer before transmitting
  • Access Categories for application data, from longest to shortest wait time before attempting to send: Background, Best Effort, Video, Voice
  • Fast Lane ensures that iOS 10+ devices correctly map their applications to the correct Access Categories, ensuring the best possible QoS. Without the correct mappings, wireless QoS can't work!
• 35. 802.11e QoS Mappings Before Fast Lane (Endpoint/Client: Voice (EF) / Video (AF41/42) / Control (CS3))
  • WMM Convention: 6 / 5 / 4
  • Jabber for iOS (iPad, iPhone): 5 / 5 / 0
  • Jabber for Android: 6 / 5 / 3
  • Jabber for OSX: 5 / 5 / 0
  • Jabber for Windows (desktop): 5 / 4 / 3
  • MS Lync: 5 / 4 / 3
  • Unified IP Phones (DX650, 9971): 6 / 5 / 4
  • Apple FaceTime (iPad): 5 / 5 / 3
• 36. 802.11e QoS Mappings After Fast Lane (Endpoint/Client: Voice (EF) / Video (AF41) / Control (CS3))
  • Cisco Recommendation: 6 / 5 / 4
  • Jabber for iOS 10+ (iPad, iPhone): 6 / 5 / 5
  • Jabber for Android: 6 / 5 / 3
  • Jabber for OSX: 5 / 5 / 0
  • Jabber for Windows (desktop): 5 / 4 / 3
  • MS Lync / Skype for Business (Win 10): 5 / 4 / 3
  • Unified IP Phones (DX650, 9971): 6 / 5 / 4
  • Apple FaceTime (iPad): 6 / 5 / 5
• 37. Foundation 2: Improved Roaming Performance
  • In 802.11, delay in roaming causes a poor experience, especially for rich-media real-time applications. Interoperability increases complexity and prevents adoption.
  • Standards to the rescue? 802.11k – Neighbour List; 802.11v – BSS Transition; 802.11r – Fast Roaming
• 38. 802.11k, 802.11v, 802.11r help efficient roaming
  Diagram: a client associated to Cisco-AP-1 moves to Cisco-AP-2 using Fast Transition (802.11r)
  • 802.11k sends you a list of neighbours
  • 802.11v BSS Transition sends you the new best AP (Cisco-AP-2) to connect to
  • 802.11r enables fast roaming without complete reauth
• 39. Apple / Cisco Innovation: Adaptive 802.11r
  • Non-Cisco AP: a legacy client cannot join the same SSID where 11r is enabled
  • Cisco AP: "I recognise that you are an Apple device – 11r is enabled for you"; 802.11k and 802.11v are on by default; a legacy client that does not support 11r/k/v can join the same SSID
• 40. Foundation 3: Centralised Policy Management of iOS 10 Devices
  • Today's iOS devices are unable to prioritise business-critical real-time traffic all the way from the client to the destination
  • Today IT administrators can classify traffic ONLY at the access point. This implies:
    • Inability to prioritise between the client and the AP
    • Burden on the IT administrator to manage the applications across the enterprise
• 41. BYOD: Prioritising Business Apps on an Apple Network
  • Prioritise business critical apps and real time data
  • Don't leave QoS up to the app developer
  • IT has control over which apps get priority
• 42. Cisco Apple Fast Lane QoS Profiles (Apple iOS 10, Cisco AireOS 8.3)
  • The QoS Profile is pushed to the Apple iOS device using standard iOS profiling techniques (MDM, email, web-based, etc.)
  • This profile has a white list of applications to be marked with QoS. All other traffic from the Apple device will be sent as best effort.
  • By default, all applications are whitelisted. This means that if there is no profile, all apps get QoS. If there is a profile, only the apps in the profile get QoS
• 43. Creating Fast Lane Profiles: Apple Configurator, Meraki Systems Manager, MDM
• 44. Agenda: Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Architecture Building Blocks; Deploying the Cisco Unified Wireless Architecture; Bringing All Together – Best Practices
• 45. Cisco Controller Portfolio – Grow as Your Business Grows
  • Small Network, Small Branch (up to 150 APs): Autonomous APs; Mobility Express (50 APs / 1000 clients on AP 18xx; 100 APs / 2000 clients on AP 2800/3800); Cisco 2500 (75 APs, 1000 clients, 1 Gbps); Cisco vWLC (200 APs, 3000 clients, 500 Mbps); Cisco 3504 (150 APs, 3000 clients, 4 Gbps)
  • Mid-size Enterprise/Branch (150–1500 APs): Cisco 5508 (500 APs, 7000 clients, 8 Gbps); Cisco WiSM2 (1000 APs, 15,000 clients, 20 Gbps); Cisco IOS 5760 (1000 APs, 12,000 clients, 60 Gbps); Cisco 5520 (1500 APs, 20000 clients, 20 Gbps)
  • Large Enterprise/Branch (1500–6000 APs): Cisco vWLC (3000 APs, 32000 clients, 500 Mbps); Cisco Flex 7500 (6000 APs, 64,000 clients, 1 Gbps); Cisco 8510 (6000 APs, 64,000 clients, 10 Gbps); Cisco 8540 (6000 APs, 64,000 clients, 40 Gbps)
• 46. Fast, Flexible and Feature-rich Small Controller – 3504 Series Wireless Controller (target FCS July 2017; DNA-optimised platforms and virtualisation)
  Compact, mGig ready, dedicated RP/SP ports, side by side rack mount and much more…
  • Access Points: 150 in Centralised mode; Clients: 3000 in Centralised mode; Throughput: 4 Gbps
  • HA Support: dedicated RP for HA SSO; Service Support: dedicated SP
  • Form factor: side by side primary/HA rack mount (1 RU); I/O interface: mGig + 4x1GE, USB; Console: RJ45, mini USB
  • Access Points: powerful enough to handle 802.11ac Wave 2 traffic loads; up to 150 APs, 3000 clients, 4 Gbps
  • Seamless Scalability: seamless migration (USB + configuration migration tool from 2504 and 5508); seamless WLC portfolio – feature parity across 3504 and 5520
  • Flexible Deployment: mGig or 4x1GE; rack mount, cabinet, desktop ready (1RU, side by side rack mount; quiet fanless for cabinet or desktop, up to 30C ambient); 10" depth to fit nicely in a cabinet
  • HA Support: pairing with stateful switchover
• 47. WLC 5520 and WLC 8540 Controllers – highest scalability (previous 12 months)
  • 8540 WLAN Controller: 6,000 access points; 64,000 clients; deployment modes Centralised, FlexConnect and Mesh; form factor 2 RU; IO interface four port 1G or 10G with LAG; power options AC or DC; redundancy dual power supply and HDD w/RAID
  • 5520 WLAN Controller: 1,500 access points; 20,000 clients; deployment modes Centralised, FlexConnect and Mesh; form factor 1 RU; IO interface dual 1G or 10G ports with LAG; power supply AC w/optional redundant power supply
• 48. Cisco Aironet 802.11ac Wave 2 Portfolio – industry's most comprehensive and innovative AP portfolio (DNA Ready | RF Excellence | CMX | Centralized, FlexConnect or Mobility Express | Dual 5 GHz | Flexible Radio | HDX | Future Proof)
  • 1815 (Indoor / High-powered Indoor / Wall Plate / Teleworker) – Enterprise Class: 2x2:2SS 80 MHz; 867 Mbps performance; Tx beam forming; integrated BLE gateway (1); max transmit power (dBm) per local regulations (2); 3 GE local ports, including 1 PoE out (3); local ports 802.1X ready (3); USB 2.0 (4)
  • 1830 – Enterprise Class: 3x3:2SS 80 MHz; 867 Mbps performance; Tx beam forming; 1 GE port uplink; USB 2.0
  • 1850 – Enterprise Class: 4x4:3SS 80 MHz; 1.7 Gbps performance; internal or external antenna; Tx beam forming; 2 GE ports uplink; USB 2.0
  • 2800 – Mission Critical: 4x4:3SS 160 MHz; 5 Gbps performance; 2.4 and 5 GHz or dual 5 GHz; 2 GE ports uplink; CleanAir and ClientLink; internal or external antenna; smart antenna connector; USB 2.0
  • 3800 – Best in Class: 4x4:3SS 160 MHz; 5 Gbps performance; 2.4 and 5 GHz or dual 5 GHz; 2 GE ports uplink or 1 GE + 1 mGig (5G); CleanAir and ClientLink; StadiumVision; internal or external antenna; smart antenna connector; USB 2.0; investment proof modularity
  Footnotes: (1) future availability; (2) available for high-powered only; (3) available for wall-plate and teleworker only; (4) available for teleworker only
• 49. Meet Any Wi-Fi Use Case – Expandability and Investment Protection
  Diagram of AP expansion ports (self-discover / self-configure):
  • Primary antennas
  • Smart antenna port: directional antennas, stadium panel antenna, other
  • Module port: custom application using Linux, advanced security and spectrum analysis, Bluetooth beacon location, other
  • Potential future expandability: future Wi-Fi standard, video surveillance, custom application using Linux, Bluetooth beaconing, 3G and LTE small cell offload, other
• 50. Wireless excellence and innovations delivered only by Cisco Aironet 2800, 3800 Series Access Points
  • Flexible Radio Assignment: software defined radio automatically adjusts to dual 5GHz to better serve high client environments
  • Optimised Roaming: intelligently connects the proper access point as people move
  • Turbo Performance: scales to support more devices running high bandwidth apps
  • Zero Impact AVC: hardware based Application Visibility and Control without impact to performance
  • Cisco CleanAir®: remediates device-impacting interference from other Wi-Fi and non-Wi-Fi devices
  • Cisco ClientLink: improves performance of legacy and 802.11ac devices
  • Future Proof Expandability: add functionality via module, smart antenna port or USB port
  • Multi-Gigabit Uplinks: free up wireless with a faster wired network; Gb+ offload
  • Flex Dynamic Frequency Selection: automatically adjusts so as not to interfere with other radio systems
  • Apple Fast Lane: automatically assures highest priority, fastest performance for trusted apps on trusted Apple devices
• 51. Agenda: Controller-Based Architecture Overview; Mobility in the Cisco Unified WLAN Architecture; Architecture Building Blocks; Deploying the Cisco Unified Wireless Architecture; Bringing All Together – Best Practices
• 52. Best Practices For High Performance Mobile Infrastructure
  • RF Planning: engineer the WLAN for data, voice, video, location, and client density – 802.11ac: -65 to -67 RSSI; 10–20% cell overlap; 1 AP / 2500 sq ft
  • RF Optimisation: optimise Gigabit Wi-Fi as primary connectivity – Gig Ethernet as fallback – Cisco CleanAir, ClientLink, RRM
  • High Availability: replicate the high availability of the LAN on the WLAN – LAN SSO (edge, core, distribution); WLAN SSO (client, AP, controller)
  • Application Visibility & Control ("App Engage"): prioritise mission critical business applications over personal applications – Cisco AVC: identify, prioritise, control apps across LAN, WLAN
• 53. Deploying the Cisco Unified Wireless Architecture: High Availability (AP and Client SSO); RF Optimisation – AP Groups / RF Groups / HDX; Security & Policies; Local Profiling and Policy Classification; Application Visibility Control; OpenDNS; TrustSec; IPv6 Deployment with Controllers; CMX Cloud; Branch Office Designs
• 54. Centralised Mode HA – network uptime, requirements and benefits
  • N+1 Redundancy (deterministic/stateless HA, a.k.a. primary/secondary/tertiary): each controller has to be configured separately; available on all controllers; crosses L3 boundaries; flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)
  • AP SSO (SSID stateful switchover): release 7.3 and 7.4; WLC 5508, WiSM2, 7500, 8510; direct physical connection; same HW and SW; 1:1 box redundancy; AP state is synched; no SSID downtime; HA-SKU available (> 7.4)
  • Client SSO: minimum release 8.0; WLC 5508, WiSM2, 7500, 8510; L2 connection; same HW and software; 1:1 box redundancy; active client state is synched; AP state is synched; no application downtime; HA-SKU available
• 55. Controller Redundancy
  • Redundant WLC in a geographically separate location
  • Layer-3 connectivity between the AP connected to the primary WLC and the redundant WLC
  • Redundant WLC need not be part of the same mobility group
  • Configure high availability (HA) to detect failure and for faster failover
  • Use AP priority in case of oversubscription of the redundant WLC
  Diagram: WLAN-Controller-1, WLAN-Controller-2 … WLAN-Controller-n, with WLAN-Controller-BKP in the NOC or Data Centre; each site's APs are configured with Primary: WLAN-Controller-1 (or -2, … -n) and Secondary: WLAN-Controller-BKP
• 56. Controller Redundancy – High Availability
  • High Availability Principles:
    • The AP is registered with a WLC and maintains a backup list of WLCs
    • The AP uses heartbeats to validate WLC connectivity
    • The AP uses Primary Discovery messages to validate the backup WLC list
    • When the AP loses 3 heartbeats it starts the join process to the first backup WLC candidate
    • The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
    • The AP does not re-initiate the discovery process
  • New timers (7.2): Heartbeat Timeout 1-30 secs; Fast Heartbeat Timer 1-10 secs; AP Retransmit Interval 2-5 secs; AP Retransmit with FH Enabled 3-8 times; AP Fallback to next WLC 12 secs
  Diagram: Primary WLC and Secondary WLC
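The failover rule above (three lost heartbeats, then the first alive controller in the fixed order primary, secondary, tertiary, global primary, global secondary, with no new discovery) is simple enough to model, and modelling it shows what happens when the configured backups are also unreachable. This is an added example, not code from the deck or from Cisco; the controller names reuse the WLAN-Controller-1 / WLAN-Controller-BKP names from the previous slide, and the per-heartbeat reachability sets are constructed stand-ins for real heartbeat replies.

```python
"""AP-side controller failover as described on the slide.

Added example, not Cisco code. Three missed heartbeats trigger a join to the
first alive controller in CANDIDATE_ORDER; the AP never re-runs discovery.
Reachability per heartbeat is a constructed set of controller names.
"""
CANDIDATE_ORDER = ("primary", "secondary", "tertiary",
                   "global_primary", "global_secondary")
HEARTBEATS_BEFORE_FAILOVER = 3  # from the slide


class AccessPoint:
    def __init__(self, name: str, configured: dict):
        """configured maps a role from CANDIDATE_ORDER to a WLC name; absent roles are unset."""
        unknown = set(configured) - set(CANDIDATE_ORDER)
        if unknown:
            raise ValueError(f"unknown WLC roles: {sorted(unknown)}")
        self.name = name
        self.wlcs = {role: configured.get(role) for role in CANDIDATE_ORDER}
        self.joined = self.wlcs["primary"]
        self.missed = 0
        self.events = []  # audit trail of what the AP did and why

    def heartbeat(self, reachable: set) -> str:
        """One heartbeat interval; returns the WLC the AP is joined to afterwards."""
        if self.joined in reachable:
            self.missed = 0
            return self.joined
        self.missed += 1
        self.events.append(f"{self.name}: missed heartbeat {self.missed} to {self.joined}")
        if self.missed >= HEARTBEATS_BEFORE_FAILOVER:
            self.failover(reachable)
        return self.joined

    def failover(self, reachable: set):
        """Join the first alive candidate in configured order; no rediscovery."""
        for role in CANDIDATE_ORDER:
            wlc = self.wlcs[role]
            if wlc is not None and wlc in reachable:
                self.events.append(f"{self.name}: joining {wlc} ({role})")
                self.joined = wlc
                self.missed = 0
                return wlc
        # nothing alive: the AP keeps trying from the top of the list next interval
        self.events.append(f"{self.name}: no backup WLC alive, retrying")
        return None


def worst_case_detection_seconds(heartbeat_timeout: int) -> int:
    """Seconds of silence before the AP starts joining a backup (3 heartbeats, slide rule)."""
    if not 1 <= heartbeat_timeout <= 30:  # configurable range given on the slide
        raise ValueError("heartbeat timeout must be 1-30 seconds")
    return HEARTBEATS_BEFORE_FAILOVER * heartbeat_timeout


if __name__ == "__main__":
    ap = AccessPoint("Site-1-AP", {"primary": "WLAN-Controller-1",
                                   "secondary": "WLAN-Controller-BKP"})
    ap.heartbeat({"WLAN-Controller-1", "WLAN-Controller-BKP"})
    for _ in range(3):                      # primary goes silent
        ap.heartbeat({"WLAN-Controller-BKP"})
    print("\n".join(ap.events))
    print("detection worst case (30 s timeout):", worst_case_detection_seconds(30), "s")
```

The `events` list is what a design review wants to see: with a 30-second heartbeat timeout the AP waits 90 seconds before it even starts the join, which is the motivation for the fast heartbeat and retransmit timers listed on the slide.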
• 57. Stateful Switchover (SSO)
  • True box to box High Availability, i.e. 1:1
  • One WLC in Active state and the second WLC in Hot Standby state
  • The Secondary continuously monitors the health of the Active WLC via a dedicated link
  • Configuration on the Active is synched to the Standby WLC; this happens at startup and incrementally at each configuration change on the Active
  • What else is synched between Active and Standby?
    • AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
    • Active client state in 7.5: client will not disconnect – Client SSO
  • Downtime during failover reduced to 5 - 1000 msec depending on the failover: in the case of power failure on the Active WLC it may take 350-500 msec; in case of network failover it can take up to a few seconds
  • SSO is supported on 5500 / 7500 / 8500 / WiSM-2 and 5760
  For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
• 58. SSO Failover Sequence (Client SSO)
  1. Redundancy role negotiation (Active / Standby)
  2. Redundancy link established (over the dedicated Redundancy Port)
  3. AP join and client association on the Active; AP and client info synced to the Standby
  4. Keep-alive failure / notify peer
  5. Switch: the Standby becomes Active; AP session intact (does not re-establish CAPWAP); client session intact (does not re-associate)
  Effective downtime for the client is detection time + switchover time
• 59. Pairing 5520/8540 for SSO: back to back as well as L2 RP connectivity (diagram shows both L2 variants)
• 60. Connecting a 5520/8540 SSO Pair to the wired network – recommended network design
  • The Active WLC and the Standby WLC (5520 or 8540) each connect via Po1 and Po2 to a Catalyst VSS pair over L2
  • Same configuration on both Po1 and Po2 trunk port-channels
  • Spread the links in each port-channel among the two physical switches to prevent a WLC switchover upon a failure of one of the VSS switches
• 61. Web-GUI Configuration (screenshot)
• 62. SSO Behaviour and Recommendations
  • WLC 55XX / 85XX: RP connectivity between Active and Standby – via switches or back-to-back
  • WiSM-2: single 6500 chassis OR different chassis using a VSS setup / extending the redundancy VLAN
  • RTT latency on the Redundancy Link: 80 milliseconds or less (80% of the keep-alive timer)
  • Preferred MTU on the Redundancy Link: 1500 or above
  • Bandwidth on the Redundancy Link: 60 Mbps or more
  • Recommended to have Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks
  • Keep-alive / peer discovery timers should be left at their default values for better performance
  • Default box failover detection time is 3 * 100 = 300 + 60 = 360 + jitter (12 msec) = ~400 msec
• 63. Deploying the Cisco Unified Wireless Architecture: High Availability (AP and Client SSO); RF Optimisation – AP Groups / RF Groups / HDX; Security & Policies; Local Profiling and Policy Classification; Application Visibility Control; OpenDNS; TrustSec; IPv6 Deployment with Controllers; Branch Office Designs
• 64. AP-Groups – Default AP-Group
  • The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
  • The default AP-Group cannot be modified
  • APs with no assignment to a specific AP-Group will use the default AP-Group
  • The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
  • Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
  • WLC 2504 (AP groups: 50), WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 & 8500 (AP groups: 500)
• 65. AP-Grouping in Campus – diagram: campus with Access, Distribution, Core, Data Centre, WAN and Internet; WLC-1 and WLC-2 terminating CAPWAP; a single SSID (Employee) mapped to VLAN 100 (/21) on every AP
• 66. AP-Grouping in Campus – diagram: the same campus with APs placed in AP-Group-1, AP-Group-2 and AP-Group-3; the single SSID (Employee) maps per group to VLAN 60 /23, VLAN 70 /23 and VLAN 80 /23 (VLAN 100 /21 also shown at WLC-1 and WLC-2)
• 67. Default AP-Group (screenshot): Network Name list; only WLANs 1–16 will be added to the default AP group
• 68. Multiple AP-Groups (screenshot): AP Group 1, AP Group 2, AP Group 3
• 69. HD Config Tip: RF Profiles for Fine-Tuning – more granular control of the RF network
  • RF Profiles work in conjunction with AP Groups (beginning in release 7.2)
  • You can create separate RF profiles for both 2.4 and 5 GHz
  • 1 profile for each band (802.11a/802.11b) can be assigned to an AP group
  • Today: 802.11 data rates; TPC power threshold and min/max power settings; DCA; coverage hole algorithm settings; High Density – HDX configurations (RX_SOP, client limit, mcast data rate); client distribution
• 70. RF Profiles: Granular Control (screenshots) – Data Rates; Load Balancing; TPC, DCA, Coverage Hole; High Density
• 71. Network Profiles GUI (8.1) – sets pre-defined RF parameters depending on client density and traffic type; Client Density: High, Typical, Low; Traffic Type: Data, Data and Voice
• 72. Pre-built RF Profiles (8.3) – use pre-built RF profiles to create your customised profile; client density specific pre-built RF profiles for the 2.4 GHz and 5 GHz bands, to be used with AP Groups
• 73. RF-Profile in Campus – diagram: the same campus (Access, Distribution, Core, Data Centre, WAN, Internet; WLC-1 and WLC-2 terminating CAPWAP) with RF-Profile-1, RF-Profile-2 and RF-Profile-3 applied to the AP groups; the single SSID (Employee) maps to VLAN 60 / 61, VLAN 70 / 71 and VLAN 80 / 81 (all /23), with VLAN 100 /21 at the controllers
• 74. Flexible Radio Assignment
  • Default operating mode: serve clients on both 2.4GHz and 5GHz (one radio 5GHz serving, one 2.4GHz serving)
  • Dual 5GHz support: both radios serving clients on 5GHz; maximum over the air data rate up to 5.2Gbps
  • Wireless Security Monitoring: scan both 2.4GHz and 5GHz for security threats while serving clients on 5GHz
  * Denotes feature availability post-FCS
• 75. Radio Role Assignment – Auto/Manual
  • Selecting a 2800/3800 802.11-abgn interface – config
  • Auto (default) makes the radio available to FRA
  • Manual takes the radio out of global FRA
• 76. Dual 5 GHz operation – Custom Channel
  • If you choose Custom for the channel, you still need 100 MHz between Slot 0 (XOR) and Slot 1 (dedicated 5 GHz)
  • 77. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • FRA – is Disabled by Default • Enable – and FRA is active • Sensitivity= • Low (100%) • Medium (95%) • High (90%) • Interval • 1-24 hours • 1 hour default FRA - Config BRKEWN-2010 77
  • 78. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Pervasive 2.4GHz and 5GHz coverage • Default operating Role FRA – Assignment Priority BRKEWN-2010 78 5GHz Serving 2.4GHz Serving Wireless Security Monitor • Increase Network Capacity and Performance • Maximum over the air data rate up to 5.2Gbps • High Density Client Performance improvements • Secure Network from Non-Wi-Fi Interference, wIPS attackers, and Rogue Clients/Access Points • Scan both 2.4GHz and 5GHz for security threats 5GHz Serving 5GHz Serving 5GHz Serving 2 1 3
  • 79. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Dynamic Bandwidth Selection (DBS) • Automatic Optimisation for 20-40-80 MHz channel widths • DBS applies an additional layer of channel and width recommendations on top of those applied in Core DCA • Useful for 11n-11ac mix AP networks and Wave-2 (160MHz) 79BRKEWN-2010 RF Neighbour Channels Channel Overlap Ratio Client Protocol & Traffic 11n/11ac Channel Utilisation Non WiFi Noise WiFi Interference D B S DBS: Auto Configure Globally 8.1
  • 80. Deploying the Cisco Unified Wireless Architecture (agenda): High Availability (AP and Client SSO); RF Optimisation – AP Groups / RF Groups / HDX; Security & Policies – Local Profiling and Policy Classification, Application Visibility Control, OpenDNS, TrustSec; IPv6 Deployment with Controllers; Branch Office Designs
  • 81. Local Profiling and Policy Classification
    • ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
    • For customers not deploying ISE but requiring a subset of ISE features
    • Native profiling of end devices based on MAC OUI, HTTP and DHCP
    • Device-based policy enforcement: per-user or per-device policy
  • 82. Policy Classification
    • Inputs: Identity (username, e.g. John), Device Type (MAC OUI), User Role (Student, Teacher, Admin)
    • Resulting policy: VLAN, ACL, Session timeout, Time of Day, QoS
  • 83. Configuring Client Profiles
    • Client profiling uses pre-existing profiles in the controller
    • Custom profiles are not supported in this release
    • Wireless clients are profiled based on the MAC OUI, DHCP and HTTP user agent
    • DHCP is required for DHCP profiling, Webauth for HTTP user-agent profiling
    • The 8.3 release contains 233 pre-existing profiles:

      (Cisco Controller) >show profiling policy summary
      Number of Builtin Classification Profiles: 233
      ID    Name                 Parent   Min CM   Valid
      ====  ===================  =======  =======  =====
      0     Android              None     30       Yes
      1     Apple-Device         None     10       Yes
      2     Apple-MacBook        1        20       Yes
      3     Apple-iPad           1        20       Yes
      4     Apple-iPhone         1        20       Yes
      …/…
  • 84. Local Client Profiling Configuration
    • At the WLAN level, enable Local Client Profiling (DHCP and HTTP)
    • DHCP Required is checked automatically when selecting DHCP profiling

      config wlan profiling {local | radius} {dhcp | http | all} {enable | disable} <wlan ID>
      (Cisco Controller) >config wlan profiling local all enable 1
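The profiling logic these two slides describe, as an added example in Python that is not Cisco code: a client is matched against a parent/child profile hierarchy using the three evidence sources (MAC OUI, DHCP options, HTTP User-Agent), and a profile is selected only when its certainty reaches its Min CM. The profile IDs, parents and Min CM values are modeled on the show profiling policy summary output above; the OUIs, DHCP fingerprints and weights are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Evidence the WLC can see without an agent: the MAC OUI is always there, DHCP
# options only if the client uses DHCP, the HTTP User-Agent only if the client's
# browser passes through the controller (e.g. web authentication).
@dataclass
class ClientEvidence:
    mac: str
    dhcp_options: dict = field(default_factory=dict)   # option number -> value
    http_user_agent: str = ""

@dataclass
class Profile:
    pid: int
    name: str
    parent: Optional[int]
    min_cm: int                                  # minimum certainty metric
    rules: list = field(default_factory=list)    # (source, predicate, weight)

# Constructed for the example; a real profiler carries a large OUI database and
# many DHCP fingerprints.
APPLE_OUIS = {"3c:22:fb", "a4:5e:60"}
APPLE_PRL = (1, 121, 3, 6, 15, 119, 252)   # DHCP option 55 prefix used here

PROFILES = {
    0: Profile(0, "Android", None, 30, [
        ("http", lambda ua: "Android" in ua, 30),
        ("dhcp", lambda o: str(o.get(60, "")).startswith("android-dhcp"), 30)]),
    1: Profile(1, "Apple-Device", None, 10, [
        ("oui", lambda oui: oui in APPLE_OUIS, 10),
        ("dhcp", lambda o: tuple(o.get(55, ()))[:len(APPLE_PRL)] == APPLE_PRL, 10)]),
    2: Profile(2, "Apple-MacBook", 1, 20, [("http", lambda ua: "Macintosh" in ua, 20)]),
    3: Profile(3, "Apple-iPad", 1, 20, [("http", lambda ua: "iPad" in ua, 20)]),
    4: Profile(4, "Apple-iPhone", 1, 20, [("http", lambda ua: "iPhone" in ua, 20)]),
}

def certainty(profile: Profile, ev: ClientEvidence) -> int:
    """Sum the weights of the profile's rules that the evidence satisfies."""
    values = {"oui": ev.mac.lower()[:8],
              "dhcp": ev.dhcp_options,
              "http": ev.http_user_agent}
    return sum(w for src, pred, w in profile.rules if pred(values[src]))

def classify(ev: ClientEvidence):
    """Return (profile name, certainty) of the most specific matching profile.
    A profile matches only if its parent matched and its own certainty reaches
    its Min CM; without any match the client stays 'Unknown'. Without a
    User-Agent an iPhone therefore stops at Apple-Device, which is why the
    slide notes that HTTP profiling needs web authentication."""
    matched = {}
    for pid in sorted(PROFILES):           # parents have lower IDs than children
        p = PROFILES[pid]
        if p.parent is not None and p.parent not in matched:
            continue
        cm = certainty(p, ev)
        if cm >= p.min_cm:
            matched[pid] = cm
    if not matched:
        return ("Unknown", 0)

    def depth(pid: int) -> int:
        d, cur = 0, PROFILES[pid].parent
        while cur is not None:
            d, cur = d + 1, PROFILES[cur].parent
        return d

    best = max(matched, key=lambda pid: (depth(pid), matched[pid]))
    return (PROFILES[best].name, matched[best])
```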
  • 85. Client Profiles in 7.6 and Above
    • When profiling is enabled, a client's Device Type can be shown on the WLAN
  • 86. Deploying the Cisco Unified Wireless Architecture (agenda): High Availability (AP and Client SSO); RF Optimisation – AP Groups / RF Groups / HDX; Security & Policies – Local Profiling and Policy Classification, Application Visibility Control, OpenDNS, TrustSec; IPv6 Deployment with Controllers; Branch Office Designs
  • 87. Why Do You Need AVC?
    • Visibility: threats (worms and Trojans) move laterally (east-west); a central application sensor will not see this at all
    • Detection: the path to the server may differ from the return path, so a single point may not be able to determine the application
    • Troubleshooting: essential to have visibility at multiple points to break down the problem and get to resolution faster
    • Control: latency metrics such as response time, transaction time, network and application delay are needed to control the apps
  • 88. Cisco AVC Ecosystem (diagram): Cisco AVC device sensors/platforms (switch, router, AP, controller, FW, VM); orchestration/management (APIC-EM, Prime, Web GUI); 3rd-party visualisation; 3rd-party security/billing
  • 89. Wi-Fi Calling Introduction
    • Setting to use Wi-Fi for calls instead of the cellular network
    • Useful for poor-cellular / good-Wi-Fi scenarios, and SP offloading
    • Available on iPhone 5/6 series with iOS 8 and iOS 9, integrated into the OS
    • Available on select Android and Windows phones; requires an app compatible with the phone and SP
    • Still needs an SP to offer the service: T-Mobile (US), EE (UK), Google Voice (Hangouts); Sprint supports it on selected Android devices; AT&T and Verizon planning support for mid 2015
  • 90. How Does AVC Classify Applications: Cisco Jabber
    • Three classification flows for Cisco Jabber: Cisco Jabber Video, Cisco Jabber Audio, Cisco Jabber Control
    • Different policies for different components of a Jabber session
  • 91. How Does AVC Classify Applications: MS Lync
    • Three classification flows for Microsoft Lync via deep packet inspection: MS-Lync-Video (desktop sharing, chat), MS-Lync Media (audio and video flows), MS-Lync File Transfer
    • Different policies for different components of a Lync session
  • 92. Enabling Application Visibility and Control
    • AVC is enabled per WLAN to allow deep packet inspection
    • 1. Change the QoS level to reflect the highest application level for that SSID
    • 2. Enable Application Visibility
    • 3. Ensure WMM is set to "Allowed" or "Required"
  • 93. Discover and Export; Identify and Monitor 1200+ Applications Natively
    • Integrated DPI engine (NBAR2) recognises 1200+ applications; in-service application signature updates; L7 classification
    • Export 17+ traffic statistics data records using open export protocols: NetFlow v9 (RFC 3954)
    • Exported fields include byte count, app name, source and destination IP, TOS, protocol, VLAN ID and user name
    • Uses: performance collection, capacity planning, flow monitoring and troubleshooting
  • 94. Enhanced NetFlow Export on Cisco WLC
    • Enhanced NetFlow export of 17 new flow records to better integrate with NetFlow partners like Lancope
    • Helps track applications and traffic flows by User ID
    • Supported on 5520 and 8500 series controllers
    • Exported records: Application Tag, Client MAC Address, AP MAC Address, WLAN ID, Source IP, Dest IP, Source Port, Dest Port, Protocol, Flow Start Time, Flow End Time, Direction, Packet Count, Byte Count, VLAN ID (Mgmt/Dyn), TOS (DSCP value), Dot1x Username
  • 95. Policy Tie-in with AVC: User-aware and Device-aware
    • User-role aware, application-based policies per WLAN (WLC v7.4 and later): Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
    • Device-aware (WLC v8.0): Alice can access EHS records on an IT-provisioned Windows laptop but cannot on a personal (unsecured) iPad
  • 96. AVC Profile per User/Device (diagram)
    • SSID: Classroom, Security: WPA2/802.1x; the AP connects via the switch to the WLC, which queries AAA
    • AAA returns Cisco-av-pair=role=<role name> and Cisco-av-pair=avc-profile-name=<avc profile on wlc>
    • Teacher Network and Student Network get different treatment of the same applications (YouTube, Facebook, Skype, BitTorrent) based on the returned AVC profile
  • 97. Applying AVC Profiles (For Your Reference)
    • 1. Create an AVC Profile for applications at Wireless > AVC (maximum 32 rules per AVC profile)
    • 2. Apply the AVC Profile to the WLAN
    • 3. Apply the AVC Profile per client using AAA Override (RADIUS server) or using local profiling on the WLC
  • 98. 8.4 OpenDNS WLC Integration
  • 99. OpenDNS – Offering Domain-Level Visibility
    • Cloud-delivered network security service (DNS-layer security)
    • Malware and breach protection in real time
    • Uses evolving big data and data mining methods to proactively predict attacks
    • Category-based filtering (60+ content categories)
    • Value areas: Coverage (Internet-wide visibility), Protection (ransomware, malware/botnet security), Intelligence (predictive threat intelligence), Performance (high speed, scalable), Reliability; visibility into application insights and policy compliance
    • Policy can be keyed on category (e.g. Malware, Phishing) and identity (e.g. internal IP, AD user)
    • https://youtu.be/cMdX8sBBYG4
  • 100. OpenDNS – Terminology. How does it work on the WLC?
    • API Token: issued from the OpenDNS portal; only used for device registration
    • Device Identity: unique device identifier; policy is enforced per identifier
    • EDNS: extension mechanism for DNS
    • FQDN: Fully Qualified Domain Name
    • Flow: (1) the DNS request precedes the web request; (2) the WLC intercepts the DNS packet and redirects the query to the OpenDNS cloud resolvers 208.67.222.222 and 208.67.220.220 (IPv4); (3) the OpenDNS cloud resolves the request based on the FQDN in the DNS query: a safe FQDN returns the destination IP, a malicious FQDN returns a blocked page to the client
    • NOTE: if the blocked domain was from an HTTPS request, the client's web browser will see a certificate error because the OpenDNS cloud may not have the certificate of the blocked server
  • 101. OpenDNS Policy Segmentation
    • Current ISR 4K implementation: site-specific policy, enforced per interface (e.g. Policy 1 for Contractor, Policy 2 for Corp, Policy 3 for Guest)
    • Wireless Controller: dynamic evaluation of attributes for access control; the identity server returns attributes that select the policy (e.g. Corp network vs Guest network)
  • 102. OpenDNS – WLC Solution Overview
    • WLC and OpenDNS registration (one time, HTTPS used in this phase): OpenDNS: get the API token for device registration; WLC: apply the token and create the profile (device/profile registration)
    • Wireless client traffic flow: the client sends a DNS query; the WLC snoops the DNS query, tags it with the identity and forwards it with EDNS; OpenDNS applies the profile-specific policy and sends the DNS response to the WLC; the WLC forwards the response to the client
    • Outcomes: security enforcement, content filtering, compliance; category-based filtering, whitelist and blacklist
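The snoop-and-tag step of the client traffic flow above, as an added example in Python that is neither Cisco nor OpenDNS code: it builds a client DNS query, appends (or, if the client already sent EDNS, extends) an EDNS0 OPT record carrying a device identity, and shows the resolver-side extraction that lets a per-profile policy be applied. The option code DEVICE_ID_OPTION and the identity value are placeholders; the slide does not give OpenDNS's actual option code.

```python
import struct

OPENDNS_RESOLVERS = ("208.67.222.222", "208.67.220.220")   # from the slide
DEVICE_ID_OPTION = 65001     # placeholder in the EDNS local/experimental range
UDP_PAYLOAD_SIZE = 4096      # advertised in the OPT RR's CLASS field
OPT_TYPE = 41


def encode_name(fqdn: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels, terminated by a zero byte."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(fqdn: str, txid: int = 0x1234) -> bytes:
    """A plain A query as a wireless client would send it (RD=1, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", 1, 1)   # A, IN


def arcount(msg: bytes) -> int:
    return struct.unpack("!H", msg[10:12])[0]


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes total
            return off + 2
        off += 1 + length


def _skip_rr(msg: bytes, off: int) -> int:
    off = _skip_name(msg, off)
    rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
    return off + 10 + rdlen                # TYPE, CLASS, TTL, RDLENGTH, RDATA


def _locate_opt(msg: bytes):
    """Return (offset after the OPT RR's name, its RDLENGTH) or None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns):
        off = _skip_rr(msg, off)
    for _ in range(ar):
        name_end = _skip_name(msg, off)
        rtype = struct.unpack("!H", msg[name_end:name_end + 2])[0]
        rdlen = struct.unpack("!H", msg[name_end + 8:name_end + 10])[0]
        if rtype == OPT_TYPE:
            return name_end, rdlen
        off = name_end + 10 + rdlen
    return None


def tag_with_identity(query: bytes, device_id: bytes) -> bytes:
    """What the controller does before forwarding: attach the device identity
    as an EDNS0 option. An existing OPT RR is extended in place (a message may
    carry only one); otherwise a new OPT RR is appended and ARCOUNT is bumped."""
    option = struct.pack("!HH", DEVICE_ID_OPTION, len(device_id)) + device_id
    found = _locate_opt(query)
    if found:
        name_end, rdlen = found
        rdata_start, rdata_end = name_end + 10, name_end + 10 + rdlen
        return (query[:name_end + 8] + struct.pack("!H", rdlen + len(option))
                + query[rdata_start:rdata_end] + option + query[rdata_end:])
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    opt_rr = (b"\x00"                                           # root name
              + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD_SIZE, 0, len(option))
              + option)
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar + 1) + query[12:] + opt_rr


def parse_identity(msg: bytes):
    """Resolver side: return the device identity carried in the OPT RR, or None."""
    found = _locate_opt(msg)
    if not found:
        return None
    name_end, rdlen = found
    rdata = msg[name_end + 10:name_end + 10 + rdlen]
    pos = 0
    while pos + 4 <= len(rdata):
        code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
        if code == DEVICE_ID_OPTION:
            return rdata[pos + 4:pos + 4 + olen]
        pos += 4 + olen
    return None
```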
  • 104. The Segmentation Challenge
    • Various segmentation needs: Line of Business, BYOD, Compliance; Employees, Contractors, Vendors, Guests, PCI Devices; Campus and Branch
    • Complex IP-based policies (the slide background shows a long IP-based access-list 102 of deny/permit entries to make the point)
    • Extending segments over Layer 3 boundaries and VLANs needs updates as the topology changes
    • Retain security and compliance as the network expands and grows
    • https://youtu.be/A7H4HtzpCwM
  • 105. End-to-End TrustSec in the Enterprise Network (diagram): data centre (NX-OS switches), campus network (IOS switches, wireless), branch office (routers over the WAN), services and public cloud over the Internet
  • 106. Wireless TrustSec Support (DNA Security and Compliance)
    • Classification (assigning SGTs, e.g. 5 Employee, 6 Voice, 7 Partner): static and dynamic assignments
    • Propagation: inline SGT and SXP
    • Enforcement: Security Group ACL
    • Feature / platform support (WLC 8.4):
      Inline SGT tagging and SG-ACL enforcement – APs 17xx, 27xx, 37xx, 18xx, 28xx, 1560 and 38xx; WLCs 3504*, 5520 and 8540
      SXPv2 – 5520, 8540, 8510, 7510, vWLC, 5508, WiSM2, 2504
      SXPv4 – APs 17xx, 27xx, 37xx, 18xx, 28xx, 1560 and 38xx
    • Switching modes vs SXP / AP inline tagging / WLC inline tagging / enforcement (marks as on the slide):
      Local / Flex Mode, Central Switching: ✕ ✓(v2) ✕ ✓ ✓
      Flex Mode, Local Switching: ✓ ✓ ✓ ✓
      Flex + Bridge: ✓ Wave 1, ✕ 11ac W2; ✕; ✕; ✓ Wave 1, ✕ 11ac W2
      Mesh: ✕ ✓(v2) ✕ ✓ ✓ (indoor only)
  • 107. Software-Defined Segmentation – Wireless TrustSec
    • (Diagram: wired/wireless employees, suppliers and non-compliant devices on VLAN Data-1 and VLAN Data-2 carry Employee, Supplier and Non-Compliant tags across the enterprise backbone to the data centre application servers, shared services and remediation; ISE distributes the policy)
    • A TrustSec-enabled WLC and AP receive policy only for what is connected
    • Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
    • TrustSec simplifies ACL management for intra/inter-VLAN traffic
  • 108. Deploying the Cisco Unified Wireless Architecture (agenda): High Availability (AP and Client SSO); RF Optimisation – AP Groups / RF Groups / HDX; Security & Policies – Local Profiling and Policy Classification, Application Visibility Control, OpenDNS, TrustSec; IPv6 Deployment with Controllers; Branch Office Designs
  • 109. IPv6 Overview (diagram)
    • Dual-stack topology: IPv4 and IPv6 clients over 802.11, AP to WLC over a CAPWAPv6 tunnel, WLC to the wired VLAN over Ethernet (IPv4 and IPv6)
    • WLC management: 2001:db8:a::2/64 and 10.10.10.2; IPv4/v6 router: 2001:db8:a::1/64 and 10.10.10.1
    • Servers as shown: SNMP/Syslog/tftp/ftp/scp server 2001:db8:a:5/64; NTP server 2001:db8:a:6/64; RADIUS server 2001:db8:a:7/64
    • Sample clients: IPv4 clients 10.10.10.51 and 10.10.10.52; IPv6 clients 2001:db8:a:0:1827:91bf:c41b:9683, 2001:db8:a:0:8a56:caff:1547:9150 and 2001:db8:a:0:2329:9834:3231:1111
  • 110. Management Access (telnet, SSH, HTTP, HTTPS)
    • The WLC can be accessed from wired or wireless clients via its IPv6 management interface (e.g. 2001:db8:a::2/64, alongside 10.10.10.2) using telnet, SSH, HTTP and HTTPS
  • 111. CAPWAPv6
    • An AP can get IPv6 addresses from stateful DHCPv6, SLAAC or static assignment
    • If statically assigned, the gateway can be the unique global or the link-local address of the router
    • Either CAPWAPv4 or CAPWAPv6 can be used, but not both
    • APs in bridge mode do not support CAPWAPv6
  • 112. AP Failover
    • The management IP address must be reachable
    • One entry per WLC
    • The AP will join either the IPv4 or the IPv6 address of the WLC (regardless of which management IP is listed)
    • All other AP failover behaviour is the same as in previous versions
    • (Diagram: WLC1, WLC2 and WLC3 with APs configured Primary/Secondary/Tertiary as WLC1/WLC2/WLC3, WLC2/WLC3/WLC1 and WLC3/WLC2/WLC1)
  • 113. IPv6 Guest Access
    • The virtual IP address is IPv4 only
    • Uses an IPv4-mapped address for IPv6 web-authentication clients; for example, the IPv6 address will display as [::ffff:192.0.2.1]
    • The virtual IP should be the same for all WLCs in the same mobility group
  • 114. Wireless IPv6 Client First Hop Security on WLAN
    • RA Guard: Router Advertisements from a client are blocked at the AP (Local and FlexConnect)
    • DHCP Server Guard: DHCP Server Advertisements from a client are blocked at the Wireless Controller
    • Source Guard: undesired IPv6 addresses/prefixes are blocked using an IPv6 ACL
    • (Diagram: client 802.11 frames, CAPWAP tunnel from the AP to the WLC over IPv4 or IPv6, WLC to the IPv6 VLAN over Ethernet)
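The three guards on this slide, as an added example in Python that is not Cisco code: a verdict function applied to raw IPv6 packets arriving from a wireless client (RA guard on ICMPv6 type 134, DHCPv6 server guard on UDP source port 547, source guard against an ACL prefix and the addresses bound to the client), plus a batch run over constructed sample frames. All addresses and frames are constructed for the example (2001:db8::/32 is the documentation prefix), and the binding set stands in for whatever the controller learned from ND/DHCPv6 snooping.

```python
import ipaddress
import struct

ICMPV6, UDP, TCP = 58, 17, 6
ND_ROUTER_ADVERTISEMENT = 134
DHCPV6_SERVER_PORT = 547      # only a DHCPv6 server sends from this port


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Construct a bare IPv6 packet: 40-byte base header followed by the payload."""
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def fhs_verdict(pkt: bytes, bindings: set, permitted: ipaddress.IPv6Network):
    """Return (action, reason) for one client-originated IPv6 packet.

    bindings:  addresses already learned for this client (ND/DHCPv6 snooping);
               the source guard allows only those.
    permitted: the prefix the IPv6 ACL allows as a client source.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("drop", "not-ipv6")
    next_header = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    payload = pkt[40:]

    # RA Guard: a client must never advertise itself as a router (blocked at the AP).
    if next_header == ICMPV6 and payload and payload[0] == ND_ROUTER_ADVERTISEMENT:
        return ("drop", "ra-guard")

    # DHCPv6 Server Guard: server messages (ADVERTISE/REPLY) come from UDP/547;
    # a client sourcing them is acting as a rogue DHCPv6 server (blocked at the WLC).
    if next_header == UDP and len(payload) >= 8:
        sport = struct.unpack("!H", payload[:2])[0]
        if sport == DHCPV6_SERVER_PORT:
            return ("drop", "dhcpv6-server-guard")

    # Neighbour Discovery from the link-local address is needed before any
    # global address can be bound, so it is permitted here.
    if src.is_link_local and next_header == ICMPV6:
        return ("permit", "nd")

    # Source Guard: the IPv6 ACL rejects undesired prefixes outright, and a
    # source inside the prefix must be one the client actually bound.
    if src not in permitted:
        return ("drop", "acl-undesired-prefix")
    if src not in bindings:
        return ("drop", "source-guard-unbound")
    return ("permit", "ok")


def filter_frames(frames, bindings, permitted):
    """Apply fhs_verdict to a batch and return a {reason: count} summary."""
    counts = {}
    for pkt in frames:
        _, reason = fhs_verdict(pkt, bindings, permitted)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample traffic from one client whose bound address is 2001:db8:a::1234.
CLIENT_BINDINGS = {ipaddress.IPv6Address("2001:db8:a::1234")}
CLIENT_PREFIX = ipaddress.IPv6Network("2001:db8:a::/64")
SAMPLE_FRAMES = [
    # legitimate TCP SYN to a server on the VLAN
    build_ipv6("2001:db8:a::1234", "2001:db8:a::5", TCP,
               struct.pack("!HHIIH", 51000, 443, 1, 0, 0x5002) + b"\x00" * 10),
    # neighbour solicitation from the link-local address (ICMPv6 type 135)
    build_ipv6("fe80::1", "ff02::1:ff00:5", ICMPV6, bytes([135, 0, 0, 0])),
    # rogue router advertisement (ICMPv6 type 134)
    build_ipv6("fe80::bad", "ff02::1", ICMPV6, bytes([134, 0, 0, 0])),
    # rogue DHCPv6 ADVERTISE sourced from the server port
    build_ipv6("fe80::bad", "fe80::c1", UDP,
               struct.pack("!HHHH", 547, 546, 12, 0) + b"\x02\x00\x00\x01"),
    # spoofed in-prefix source the client never bound
    build_ipv6("2001:db8:a::dead", "2001:db8:a::5", TCP, b"\x00" * 20),
    # source outside the permitted prefix
    build_ipv6("2001:db8:b::1", "2001:db8:a::5", TCP, b"\x00" * 20),
]
```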
  • 115. Deploying the Cisco Unified Wireless Architecture (agenda): High Availability (AP and Client SSO); RF Optimisation – AP Groups / RF Groups / HDX; Security & Policies – Local Profiling and Policy Classification, Application Visibility Control, OpenDNS, TrustSec; IPv6 Deployment with Controllers; Branch Office Designs
  • 116. Branch Office with Local WLAN Controller (overview)
    • Branches can also have local controllers
    • Small or mid-size branch WLCs: WLC 2504, Virtual WLC, Converged Access Catalyst 3850
    • A high-availability design with a central backup controller is supported; WAN limitations may apply
    • (Diagram: Remote Site A with a WLC-2504, Remote Site B with a vWLC and Remote Site C with a Cat-3850, each connected over the WAN to the backup central controller at the central site via CAPWAP)
  • 117. Branch Office Deployment (FlexConnect)
    • Hybrid architecture: single management and control point
    • Data traffic switching: centralised traffic (split MAC) or local traffic (local MAC)
    • HA will preserve local traffic only
    • Traffic switching is configured per AP and per WLAN (SSID)
    • (Diagram: remote office APs send centralised traffic over the WAN to the central site while local traffic stays in the remote office)
  • 118. FlexConnect Glossary
    • Standalone Mode: when a FlexConnect AP cannot reach the controller, it goes into standalone state and does client authentication by itself
    • Connected Mode: when a FlexConnect AP can reach the controller, it gets help from the controller to complete client authentication
    • Local Switching: data traffic switched onto local VLANs for an SSID
    • Central Switching: data traffic tunnelled back to the WLC for an SSID
  • 119. Flex AVC WAN Bandwidth Considerations

      Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
      Data + Flex AVC   75 Kbps               300 msec                5                    25

    • Test conditions: 5 APs, 25-client setup; 1 locally switched WLAN with WPA2 and PEAP; local authentication with a RADIUS server on the FCG; Application Visibility turned on at the FCG; applications HTTP, FTP, RTP
  • 120. Bringing All Together – Best Practices
  • 121. Best Practices (AireOS) – Make it Easy, Make it Work, Make it Perform (For Your Reference)
    • Infrastructure: Enable High Availability (AP and Client SSO); Enable AP Failover Priority; Enable AP Multicast Mode; Enable Multicast VLAN; Enable Pre-image download; Enable AVC; Enable NetFlow; Enable Local Profiling (DHCP and HTTP); Enable NTP; Modify the AP Re-transmit Parameters; Enable FastSSID change; Enable Per-user BW contracts; Enable Multicast Mobility; Enable Client Load balancing; Disable Aironet IE; FlexConnect Groups and Smart AP Upgrade
    • Security: Enable 802.1x and WPA/WPA2 on WLAN; Enable 802.1x authentication for AP; Change advanced EAP timers; Enable SSH and disable telnet; Disable Management Over Wireless; Disable Wi-Fi Direct; Secure Web Access (HTTPS); Enable User Policies; Enable Client exclusion policies; Enable rogue policies and Rogue Detection RSSI; Strong password policies; Enable IDS; BYOD Timers
    • Mesh: Set Bridge Group Name; Set Preferred Parent; Multiple Root APs in each BGN; Set Backhaul rate to "Auto"; Set Backhaul Channel Width to 40/80 MHz; Backhaul Link SNR > 25 dBm; Avoid DFS channels for Backhaul; External RADIUS server for Mesh MAC Authentication; Enable IDS; Enable EAP Mesh Security Mode
    • Wireless/RF: Disable 802.11b data rates; Restrict the number of WLANs to below 4; Enable channel bonding – 40 or 80 MHz; Enable BandSelect; Use RF Profiles and AP Groups; Enable RRM (DCA & TPC) in auto mode; Enable Auto RF group leader selection; Enable Cisco CleanAir and EDRRM; Enable Noise & Rogue Monitoring on all channels; Enable DFS channels; Avoid Cisco AP Load
    • http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
  • 122. Best Practice Check Points – Measuring Compliance
    • WLAN Express Setup (WLC, 7.6 MR2, 8.0, 8.1): best-practice defaults, RF parameter optimisation, network profiles; optimum starting point at Day 0/1 network setup; RF parameter setting ease of use; enhanced performance, security and resiliency with best-practice recommendations turned on at boot-up time
    • Upgrade Audit Workflow (WLC, 8.1): audit page on upgrade, one-click Fix It, manual config option; compliance metric and reporting natively on the WLC; identifies missing best-practice configuration on upgrade; easy one-click Fix It option to turn on best-practice knobs; Restore Defaults to revert the configuration to default
    • WLCCA Config Analyser: Windows executable, "show run-config" based analyser tool; downloadable client, configuration stays local; simplified operational use to quickly identify and fix problem areas; RF health metrics, IOS support, mobility group support
    • Cisco Active Advisor (CAA): free, cloud-based service; agentless, nothing to download; Cisco personalised device health score; compare your wireless network configuration to Cisco's recommended best practices; automated inventory management and network scanning
  • 123. WLAN Express Setup (screenshots of the setup wizard in 7.6 MR2, 8.0 and 8.1)
  • 124. WLC WLAN Express Setup – Best Practices Day 0/1 (8.1): Save Time & Money
    • Best-practice knobs: AVC Visibility; mDNS Snooping (new mDNS profile for printer, http); Local Profiling; Band Select; DHCP Proxy; Secure Web Access; Virtual IP 192.0.2.1; RRM-DCA Auto; RRM-TPC Auto; CleanAir Enabled; EDRRM Enabled; Channel Width 40 MHz; Aironet IE Disabled; Management over Wireless; 2.4 GHz Low Data Rates Disabled; Load Balancing; Rogue Threshold Enabled; Client Exclusion Enabled; FastSSID Enabled; Infra MFP; Multicast Forwarding Mode; SNMPv3 (delete default); Mobility Name; RF Group same as Mobility Name; DHCP Required on Guest WLAN; 5 GHz Channel Bonding
    • Optimum starting point at Day 0/1 network setup; RF parameter setting ease of use; enhanced performance, security and resiliency with best-practice recommendations turned on at boot-up time
    • http://youtu.be/aNVM3rW-Zkc
    • https://www.youtube.com/watch?v=nGFH38peF-w
  • 125. Best Practice Enhancements
    • Best Practices Score: the best-practices count increased to 39
    • Ignored Best Practices Score: the number of ignored best practices
    • Add Ignored Best Practices: a popup that displays the ignored best practices, which can be re-added
  • 126. Best Practice Enhancements – Ignore Score
    • Controls: clicking on Fix or Ignore will apply the selected best practice or ignore it
  • 127. WLC Config Analyser – Per-Controller Compliance
    • Best practices categorised into: General, AP, Mobility, RF, Security, Voice, Mesh, Flex
    • Per-controller compliance level for each category: total/passed/failed checks
    • Colour coding: 0-40% red, 41-80% yellow, 81-100% green
    • Latest at https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=wlc-conf-app-dev
  • 128. Summary – Key Takeaways
    • Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, ...) and the Apple + Cisco relationship
    • Wide range of architecture/design choices and High Availability
    • Brand-new controller portfolio (WiSM-2, WLC 7500, WLC 8500, WLC 2504, Virtual WLC) with investment protection
    • Take advantage of innovations from Cisco (11ac Wave 2, Flexible Radio Architecture (FRA), CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
    • Cisco's investment into technology: Cisco Prime, ISE, new hardware and CMX
  • 129. Cisco Wireless LAN Documentation
    • Installation Guides: 5520 WLC; 8540 WLC; AP1570; AP1810 OE; AP1810W Wall Plate; AP1850; AP2700/3700; AP2800/3800; AP702W; APIC-EM Wireless AP PnP; Flex7500 WLC; Mesh APs; Mobility Express; Smart Licensing; Univ. AP Regulatory Domain; Virtual WLC
    • Radio Configuration: 802.11r BSS Fast Transition; Adaptive wIPS; ATF Ph 1 & 2; CleanAir; CMX FastLocate; High Density; Rogue Management; RRM RF Grouping Algorithm; RRM White Paper
    • Encryption: BYOD for FlexConnect; BYOD with ISE; Security Integration
    • Client Addressing: Bi-Directional Rate Limiting; Flex AP-EoGRE Tunnel Gtwy; IPv6; Jabber; Jabber and UCM; Microsoft Lync; Passpoint Configuration; Real-Time Traffic Over WLAN; VideoStream; Vocera IP Phone in WLAN; VoWLAN Troubleshooting
    • Policy Engine: AVC; Bonjour; Chromecast; Device Classification; Domain Filtering; mDNS Gateway w/Chromecast; Wireless Device Profiling & Policy Classification
    • Best Practices: Apple Devices; Enterprise Mobility Design Guide; High Availability (SSO); HyperLocation; iPhone 6 Roaming; N+1 High Availability; WLAN Express; WLC Configuration Best Practices
  • 130. Cisco WLAN YouTube channel: https://www.youtube.com/user/CiscoWLAN/
  • 131. VoD Links (Faster Innovation, Reduce Cost & Complexity, Lower Risk)
    • Cisco CMX Solution: https://www.youtube.com/watch?v=KQRb8vfU0qM
    • CMX Hyperlocation vs RSSI Demo: https://www.youtube.com/watch?v=6ls7EHbSK4A
    • Cisco Dual 5GHz Wi-Fi: https://www.youtube.com/watch?v=mbpjiETvDXc
    • Cisco Aironet AP-3800 RF Excellence: https://www.youtube.com/watch?v=dBpGsTKeyNM&t=64s
    • Digital Network Architecture with Wave2 with 802.11ac: https://www.youtube.com/watch?v=ySjN13hPhXY&t=2s
    • Cisco Aironet Series – Flexible Radio Assignment: https://www.youtube.com/watch?v=K_-BykT_YIM
    • TechWiseTV: Apple and Cisco: Fast-Tracking the Mobile Enterprise: https://www.youtube.com/watch?v=bh8rEvrzm7Y&feature=youtu.be
    • Prioritised Business Apps: https://www.youtube.com/watch?v=z0EOKNxL964&feature=youtu.be
    • Apple and Cisco: Three Solutions Coming Together: https://www.youtube.com/watch?v=7MgsDkf55wQ&feature=youtu.be
    • WiFi Optimised Feature: https://www.youtube.com/watch?v=xgPfxAolJoQ&feature=youtu.be
    • Fastlane App Demo: https://www.youtube.com/watch?v=N1QMUcv3aRQ
    • Cisco APIC-EM Wireless PnP Demo: https://www.youtube.com/watch?v=_9P2-bU66PU
    • Cisco Aironet Plug and Play Cloud Redirection: https://www.youtube.com/watch?v=W7fBZ6xfSxw
    • Wireless LAN Controller Dashboard Review: https://www.youtube.com/watch?v=af09TBaafRI&feature=youtu.be
    • Cisco Wireless Mobile App: https://www.youtube.com/watch?v=HyvZ4mbVAWs
    • WLC Advanced UI Client Troubleshooting: https://www.youtube.com/watch?v=dZVxI6jOx_Q
    • ISE Simplified Wireless Setup: https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
    • Cisco Wireless TrustSec Demo: https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
    • Cisco Wireless Netflow Lancope Integration Demo: https://www.youtube.com/watch?v=TuWYkrt94CQ
    • OpenDNS Integration with WLC: https://www.youtube.com/watch?v=cMdX8sBBYG4
  • 132. Continue Your Education: demos in the Cisco campus; walk-in self-paced labs; Lunch & Learn; Meet the Engineer 1:1 meetings; related sessions
  • 133. Q & A
  • 134. Complete Your Online Session Evaluation. Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com. Give us your feedback and receive a Cisco Live 2017 cap by completing the overall event evaluation and 5 session evaluations. All evaluations can be completed via the Cisco Live Mobile App. Caps can be collected Friday 10 March at Registration.