
Page 1: Cisco C9800 Wireless Controllers · 4/16/2019 · • Extend policy based segmentation to wireless • Extend rich C9K services like ETA to wireless • Seamless shared services

Jaroslav Čížek, Cisco, April 2019

Overview, deployment approach, configuration, troubleshooting

Cisco C9800 Wireless Controllers

Cisco TechClub Webinars

Page 2:

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda – Cisco C9800

• Introduction to the Cisco C9800 series wireless controllers

• HW/SW models and how they are deployed

• Features, configuration and monitoring

• Licensing model; how to test and deploy into an existing or new network

• C9800 Troubleshooting

Page 3:

Networking Reinvented: Where is the value of the network today?

Intent Based Networking – Value Beyond the Network: IT Efficiency | Business Intent | Service Assurance
• Business Agility: Managed Services, Application Development, Integrators
• Open Platform: Automation, Security Policy and Behavior, Analytics and Assurance

Network Value Beyond Connectivity
• Network Efficiency: Integrated Systems (Security, Availability, Performance)

The Network is the Foundation
• Network Connectivity: Best of Breed Products

Page 4:

Principles of Intent-Based Networking

Applications → APIs → Domain Controllers (Cisco DNA Center: automation, built-in security, streaming telemetry, rich analytics, programmability) → Physical and Virtual Infrastructure, powered by IOS-XE (modular, scalable, highly available OS) → ASIC (custom ASICs, virtualization)

Page 5:

Introducing the next chapter in our strategy: IBN across the whole Access Network

Access Points: Catalyst 9800 Series Wireless Controller
Access Switches: Catalyst 9200/9300/9400 Series
Aggregation Switches: Catalyst 9500 Series

Automation, Security, Analytics – built for intent-based networking. The Full Experience End to End.

Page 6:

Catalyst 9800: Next Generation Wireless Controller

Cisco Catalyst Next Gen Wireless Architecture: bringing together network leadership with RF innovation
The Most Deployed Controller: RF excellence | Device ecosystem | Wireless assurance | High Availability | Programmability | Scale
A Modern Modular OS: Built for Intent-based Networking | Powered by IOS XE | Deploy Anywhere

Page 7:

Cisco Catalyst 9800 – Next Gen Wireless Architecture: Building on a Strong Hardware Foundation (Powered by IOS-XE)

QFP (QuantumFlow Processor) – C9800 appliance:
▪ Advanced, Multi-Core, Feature-Rich
▪ Fully Programmable
▪ Scalable
▪ Advanced on-chip QoS
▪ Secure
▪ Extensible Architecture

UADP (Unified Access Data Plane) – C9800 embedded in Catalyst 9300:
▪ Flexible, Programmable, High-Performance
▪ Fully Programmable
▪ Scalable
▪ Advanced on-chip QoS
▪ Secure
▪ Extensible Architecture

100% Cisco-developed Flexible Silicon – Unlocking the Power of DNA at Hardware Speeds

Page 8:

Cisco Catalyst 9800 – Next Gen Wireless Architecture: previous software architecture vs. Catalyst Wireless Controller (high level view)

Single process software architecture (previous):
▪ Wireless Controller Manager (WCM)
▪ 30+ threads (WLAN, AP, Client, ...)
▪ Data contention across threads
▪ Single memory space
▪ Single fault domain

Multi-process software architecture (Catalyst 9800):
▪ Processes are single threaded, non-blocking
▪ New Wireless Network Controller process (WNCd)
▪ Multiple WNCd for horizontal scale
▪ No single fault domain (e.g. memory separation)
▪ Data model driven & data externalization
▪ Process patchability & restartability*
▪ Independent boot*

Processes shown in the diagram: IOSd, several WNCd instances, RRM and Mobility, each with its own Ops data; a Config DB and DB managers feeding an Ops DB.

* System capable, roadmap item

Page 9:

Cisco Catalyst 9800 – Wireless benefits

Always-on
• Software updates with no disruption
• Rolling AP upgrades
• Seamlessly add new AP models

Deploy Anywhere
• On-Prem, Private/Public cloud, Embed wireless on a 9k switch
• AWS GovCloud ready
• Scale as you grow

Secure
• Detect encrypted threats with Encrypted Traffic Analytics (ETA)
• Integration with StealthWatch
• Automated macro/micro segmentation with SDA
• WPA3 Support**

**Future

Powered by IOS XE: Open and Programmable, Trustworthy Solutions, Modular operating system

Page 10:

Cisco Catalyst 9800 Wireless as a solution! (Cisco Catalyst 9800 Wireless Controller 16.10)

CMX 10.5.1 / Cisco DNA Space: Connect / Detect / Engage, Hyperlocation, BLE
Prime Infrastructure 3.5: Configuration, Monitoring
ISE 2.2/2.3/2.4: BYOD, Guest Access
Cisco DNA Center 1.2.10: Automation, Assurance, Maps & topology

What wireless controllers are supported?
- Physical: Cisco Catalyst C9800 Series Appliances
- Cloud: Private and Public Offering
- Catalyst 9800 SD-Access Embedded Wireless

What modes are supported?
- Local, Flex, Fabric, Cisco Catalyst 9800 on ME (Future)

What are the differentiating features?
- High Availability, Patching, ETA, Programmability, Telemetry

Access Points Supported
- 11ac Wave2
- 11ac Wave1
- 11ax (Future)

Page 11:

Catalyst 9800 software fact check: With Confidence

Catalyst 9800 Series Wireless Controller (WebUI, DNA-C) – built with confidence:
• 8000+ test cases
• 1500+ hours of testing per day over the last 4 months
• 1.5 million new lines of code
• 400+ engineers
• 20,000+ switchovers tested
• Software architecture: centralized control-plane, modular software
• Multiple EFT in production

Page 12:

Cisco Catalyst 9800 @ work! Alpha network in Cisco Software Development Building

• C9800-40 HA pair (SSO HA over the RP link), AVC enabled
• 10 GE links to a Catalyst 4500 VSS pair (VSL, dual Sup) and on to the Cisco corporate network
• ISE / AD, Cisco DNA Center, CMX
• Catalyst 9300 access switches, 420+ APs in Local mode, Blizzard SSID
• Cisco DNA Center Automation & Assurance
• 2 Gbps peak traffic, 1,900 client peak

Page 13:

Cisco Catalyst 9800: HW/SW Appliances, Deployment Models

Page 14:

Global Sales Training

Catalyst 9800 Series Wireless Controllers: C9800-40, C9800-80, C9800 for Cloud, C9800 on Cat 9k Switch (SDA only)
All deployment modes: Centralized, SDA, FlexConnect, Mesh
DNA Center: translate business intent into network policy and capture actionable insights with DNA Center
Aironet Access Points: works with Cisco Aironet 802.11ac Wave 1 and Wave 2 Access Points

* GCP EFT Only

Page 15:

C9800-40: Industry's first fixed wireless controller with seamless software updates

Ports: 4 x 1GE/10GE ports, SP/RP port, fiber RP port, USB 3.0, console
Up to 2,000 APs | Up to 32,000 Clients | 40 Gbps
Fully programmable multi-core network processor; support for Netflow, AVC and ETA

Page 16:

Evolution of Wireless Controllers: Enterprise Campus and Full-Service Branch

THEN 5520:
• 1500 APs, 20000 Clients
• 20 Gbps Throughput
• 1500 AP Groups
• 1500 FlexConnect Groups, 100 Flex APs/FCG
• 4096 VLANs, 512 Interface Groups
• 40000 PMK Cache
• 512 WLANs
• 25000 RFIDs
• 3000 APs/RRM Group
• 320000 AVC Flows

NOW C9800-40-K9:
• 2000 APs, 32000 Clients
• 40 Gbps Throughput
• 4096 VLANs, 100 VLAN Groups
• 64000 PMK Cache
• 4096 WLANs
• 32000 RFIDs
• 4000 APs/RRM Group
• 400000 AVC Flows
• 2000 Policy Tags
• 2000 Site Tags, 100 Flex APs/Site

Page 17:

C9800-80: Industry's first modular wireless controller with 100GE modular uplink and seamless software updates

Redundant power supply (AC or DC); SP/RP port; fiber RP port; 8 x 10 GE uplinks; modular uplinks – GE, 10GE, 40GE, 100GE; USB 3.0
Up to 6,000 APs | Up to 64,000 Clients | 80 Gbps
Fully programmable multi-core network processor; support for Netflow, AVC and ETA

Page 18:

Evolution of Wireless Controllers: Enterprise Campus and Full-Service Branch

THEN 8540:
• 6000 APs, 64000 Clients
• 40 Gbps Throughput
• 6000 AP Groups
• 2000 FlexConnect Groups, 100 Flex APs/FCG
• 4096 VLANs, 512 Interface Groups
• 64000 PMK Cache
• 512 WLANs
• 50000 RFIDs
• 6000 APs/RRM Group
• 320000 AVC Flows

NOW C9800-80-K9:
• 6000 APs, 64000 Clients
• 80 Gbps Throughput
• 4096 VLANs, 4096 Interface Groups
• 128000 PMK Cache
• 4096 WLANs
• 64000 RFIDs
• 12000 APs/RRM Group
• 800000 AVC Flows
• 6000 Policy Tags
• 6000 Site Tags, 100 Flex APs/Site

Page 19:

Catalyst 9800 Wireless Controller for Cloud

Private cloud, inside the enterprise network: hypervisors ESXi, KVM, NFVIS on ENCS; all deployment modes: Centralized, SDA, FlexConnect, Mesh; ISE / AD and Cisco DNA Center 1.2.10 (Assurance, Automation); W1 & W2 802.11ac APs
Public cloud: Amazon AWS with Managed VPN, reached over the Internet; FlexConnect local switching only; 1,000 APs / 10,000 Clients; ISE/AAA, AD

Page 20:

Private Cloud overview

▪ Customer value prop:
 o "Deploy wireless controller where you want it, how you want it"
 o No AP mode or feature limitation vs. appliance
▪ Support:
 o VMware ESXi, KVM and ENCS
 o Wave 2 and Wave 1 APs only
 o All deployments and all AP modes
 o Centrally switched traffic <= 2.5 Gbps
 o VM Large: 6k APs, 64k clients at FCS is Flex local switching and SDA. Limited scale with Local mode: 3K APs, 32K clients
 o ESXi vCenter or KVM Virt-Mgr for VM provisioning
 o Automated VM bootstrap flow (ESXi vCenter only)
▪ Migration:
 o Migration tool (standalone and 9800 WebUI)
 o Prime & Cisco DNA Center automation and migration flows

Diagram: campus and on-prem DC (ESXi / KVM) with Local mode APs; branch Flex APs reach the controller over the corporate WAN (MPLS / SD-WAN) via CAPWAP; ISP owned device vs. customer owned device at the branch edge

Page 21:

VMware specifications

• Supported hypervisor: VMware ESXi 6.0 and higher

Model configuration (16.10): Small | Medium | Large*
Maximum Access Points: 1,000 | 3,000 | 6,000
Maximum Clients Supported: 6,000 | 32,000 | 64,000
Minimum Number of vCPUs: 4 | 6 | 10
Minimum Memory (GB): 8 | 16 | 32
Required Storage (GB): 8 | 8 | 8
Virtual NICs (vNIC): 2 (3) | 2 (3) | 2 (3) – the 3rd NIC is for High Availability
vNIC driver: VMXNET3, E1000E, E1000 (all sizes)
Virtual bridge: vSwitch (all sizes)
vMotion, vNIC teaming, L2 LAG, SR-IOV: planned for 16.11 (all sizes)

*Limited scale with Local Mode and Flex Central switching: 3K APs, 32K clients

Page 22:

Public Cloud deployment

▪ Customer value prop:
 o Wireless as IaaS with Cloud flexibility
▪ Supported Public Cloud providers:
 o Amazon AWS
▪ Supported Cloud deployment:
 o Managed VPN (need a router at remote site)
 o VPC is "just" an extension of the on-prem DC
 o VM can be provisioned via AWS
 o AWS CloudFormation template to ease the initial setup
 o Only N+1 HA supported in public cloud
 o AP deployment: Flex central auth and local switching
 o ISE and AD typically on prem
 o Max scale is 1k APs and 10k clients @ FCS
▪ Migration:
 o Migration tool (standalone and WebUI)

Diagram: C9800-CL in a VPC; branch Flex APs reach it through a VPN (e.g. IPSEC) tunnel terminated on the cloud VPN router, with CAPWAP control carried inside the tunnel; ISE and AD/LDAP sit in the enterprise network

Page 23:

On Private Cloud
• Cisco IOS® XE Software
• C9800-CL: 1k AP, 10k Clients; 3k AP, 32k Clients; 6k AP, 64k Clients^
• Scale on demand
• Optimized for mobility
• Designed for IoT
• Always on Fabric with robust HA

On Appliance
• Cisco IOS® XE Software
• C9800-40-K9: 2k APs, 32k Clients
• C9800-80-K9: 6k APs, 64k Clients
• Optimized for mobility
• Designed for IoT
• Always on Fabric with robust HA

On Switch
• Cisco IOS® XE Software
• Cat 9300: 200 AP, 4k Clients
• SD-Access wireless with Cat9800 Software Package
• Indirect AP Support
• Optimized for Mobility
• Centralize Control Plane
• Always on Fabric with robust HA

Small and Medium Campus | Medium and Large Campus | Optimized for Distributed Branches
SD-Access Everywhere

^Future

Page 24:

Highly Secure and Optimized Solution for Branch and Small Campus

Embedded Wireless "Cat 9k Switch": Cat9800 Wireless Controller Software on CAT9300
Support 400 APs and 8000 Clients per Site*; policy stays with user; seamless mobility

• Extend policy based segmentation to wireless
• Extend rich C9K services like ETA to wireless
• Seamless shared services and WAN integration
• Wireless scale for 802.11ax / Wave-2
• Seamless Mobility (No VLAN spans)
• No WAN Link dependency
• Lower TCO
• Robust HA
• Simple/Intuitive multi-site workflows with Cisco DNA-C

Cisco DNA Center: Analytics, Policy, Automation
Catalyst 9800 SD-Access Embedded Wireless

*Support 200 AP and 4000 clients per WLC

Page 25:

Cisco Catalyst 9800: Features, Config

Page 26:

Catalyst 9800: Powered by IOS XE

Always-on
• Software updates with no disruption
• Rolling AP upgrades
• Seamlessly add new AP models

Secure
• Detect encrypted threats with ETA
• Automated macro/micro segmentation with SDA
• WPA3 Support*

Deploy Anywhere
• On-Prem, Private/Public cloud, Embed wireless on a Switch
• GovCloud ready
• Scale as you grow

*Future

Powered by IOS XE: Open and Programmable, Trustworthy Solutions, Modular operating system

Page 27:

Flexible management options with Cisco Catalyst 9800 Series Wireless Controllers

DNA Center: Analytics, Policy, Automation, Zero Touch Provisioning
Custom Development: Guest Shell (On Box Python), Model Driven Programmability, YANG Data Models, App Hosting
Standards Based Interoperability: SDN Controllers, CI/CD Tools, NMS Systems

Intent-based Network Infrastructure: Catalyst 9800 Series Wireless Controllers

Page 28:

Complete control of your Day 0-N operations with open and programmable APIs

Day 0 – Onboarding: zero touch provisioning, Plug and Play
Day 1 – Configuration: YANG data models; configuration protocols NETCONF, RESTCONF*, ..; model driven programmability
Day 2 – Monitoring: streaming telemetry, model driven telemetry
Day N – Optimization: Guest shell* (on-box Python), EEM scripts, software image management, provisioning automation^

^Future
IOS XE Programmability Book: http://cs.co/programmabilitybook
Automated Backup SSID with EEM on C9800 Wireless Controllers: https://community.cisco.com/t5/wireless-mobility-documents/automated-backup-ssid-with-eem-on-catalyst-9800-wireless/ta-p/3743838

Page 29:

YANG Models Example

YANG Models (data models defined using the YANG language) → XML Payload → Data (Gig 1/0/1, "CL rocks!", enabled)

https://github.com/YangModels/yang
https://github.com/openconfig

Page 30:

Network Subscription

A subscription is a contract between the network device and a subscriber that specifies the type of data, the frequency, and

Collector: subscribe to ietf-yang-push.yang and specify the xpath/KPI (defined within the data model). Instruction on:
• What data to collect
• Where and how to send
• How often and how much

sh telemetry ietf subscription 100 receiver
Subscription ID: 100
Address: 10.10.105.10
Port: 47870
Protocol: netconf
Profile:
State: Connected

Explanation:

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="id" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <establish-subscription xmlns="urn:ietf:params:xml:ns:yang:ietf-event-notifications"
   xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
  <stream>yp:yang-push</stream>
  <yp:xpath-filter>/wireless-location-oper:location-oper-data/location-rssi-measurements</yp:xpath-filter>
  <yp:period>1000</yp:period>
 </establish-subscription>
</rpc>
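As an added example (not from the deck and not Cisco tooling), the Python below parses the establish-subscription RPC and the `show telemetry ietf subscription <id> receiver` output shown on this slide, then audits the receiver: a periodic dial-in subscription that streams operational data to an address outside the approved collector networks is a data-exposure finding worth catching. The sample RPC and CLI text are constructed copies of the slide; the message-id 101 and the allowlist 10.10.105.0/24 are assumptions.

```python
"""Added example, not taken from the Cisco deck or from Cisco tooling:
parse the YANG-push establish-subscription RPC and the
'show telemetry ietf subscription <id> receiver' output from the slide,
then audit where the telemetry is being sent. The sample inputs below are
constructed copies of the slide text; message-id 101 and the collector
allowlist are assumptions."""
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

NS = {
    "nc": "urn:ietf:params:xml:ns:netconf:base:1.0",
    "ev": "urn:ietf:params:xml:ns:yang:ietf-event-notifications",
    "yp": "urn:ietf:params:xml:ns:yang:ietf-yang-push",
}

# Constructed copy of the RPC on the slide (message-id filled in as 101).
SAMPLE_RPC = """<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <establish-subscription xmlns="urn:ietf:params:xml:ns:yang:ietf-event-notifications"
      xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
    <stream>yp:yang-push</stream>
    <yp:xpath-filter>/wireless-location-oper:location-oper-data/location-rssi-measurements</yp:xpath-filter>
    <yp:period>1000</yp:period>
  </establish-subscription>
</rpc>"""

# Constructed copy of the CLI output on the slide.
SAMPLE_SHOW = """Subscription ID: 100
Address: 10.10.105.10
Port: 47870
Protocol: netconf
Profile:
State: Connected
"""


def parse_subscription_rpc(xml_text):
    """Return the parameters of an establish-subscription RPC as a dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}rpc" % NS["nc"]:
        raise ValueError("not a NETCONF <rpc> element")
    sub = root.find("ev:establish-subscription", NS)
    if sub is None:
        raise ValueError("rpc carries no establish-subscription")
    period = sub.findtext("yp:period", namespaces=NS)
    return {
        "message_id": root.get("message-id"),
        "stream": sub.findtext("ev:stream", namespaces=NS),
        "xpath": sub.findtext("yp:xpath-filter", namespaces=NS),
        # ietf-yang-push periods are in centiseconds: 1000 means every 10 s
        "period_cs": int(period) if period is not None else None,
    }


def parse_receiver_output(text):
    """Turn the 'Key: value' lines of the show command into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip().lower().replace(" ", "_")] = m.group(2)
    return fields


def audit_receiver(receiver, allowed_collectors, expected_protocol="netconf"):
    """Return findings for a subscription receiver; an empty list means it
    points at an approved collector over the expected transport and is up."""
    findings = []
    addr = None
    try:
        addr = ip_address(receiver.get("address", ""))
    except ValueError:
        findings.append("receiver address is not a valid IP address")
    if addr is not None and not any(addr in ip_network(n) for n in allowed_collectors):
        findings.append("receiver %s is outside the approved collector networks" % addr)
    if receiver.get("protocol", "").lower() != expected_protocol:
        findings.append("unexpected transport %r" % receiver.get("protocol"))
    if receiver.get("state") != "Connected":
        findings.append("subscription state is %r" % receiver.get("state"))
    return findings


if __name__ == "__main__":
    print(parse_subscription_rpc(SAMPLE_RPC))
    rcv = parse_receiver_output(SAMPLE_SHOW)
    print(rcv)
    # Assumed allowlist: the collector subnet used in the slide's example.
    print(audit_receiver(rcv, ["10.10.105.0/24"]))
```

Run it over the output of the show command for each subscription ID and feed the findings to whatever raises tickets; the xpath-filter returned by parse_subscription_rpc tells you which operational model (here client RSSI measurements) is leaving the controller, which is the second thing to reconcile against what the collector is supposed to receive.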

Page 31:

Trustworthy Systems make the Catalyst 9800 the most secure wireless controllers

• Runtime Defenses: 64 bit ASLR
• Secure Boot: boot sequence check
• Image Signing: authentic OS
• Integrity Verifications: malware protection
• PnP SUDI Support: two way trust
• Hardware Authenticity: genuine hardware

Page 32:

Catalyst 9800: Always-on

Page 33:

Always-on in planned and unplanned scenarios

Contain impact within release: fixes for defects and security issues without need to requalify a new release
Faster resolution to critical issues: provide fixes to critical issues found in network devices that are time-sensitive

Unplanned Events – device and network interruptions
✓ Stateful Switch Over with an active standby
✓ N+1 redundancy for always-on network, services and clients

Infrastructure Updates – software maintenance & AP updates
✓ Seamless software updates for wireless controllers and APs
✓ AP device pack and flexible per-site updates contain impact area

Software Image Upgrades – wireless controller image upgrades
✓ N+1 rolling AP upgrades ensure seamless client connectivity
✓ Radio resource management automates group creation

Page 34:

Catalyst 9800: Secure

Page 35:

Intent-based wireless networks to secure the Air, Devices and Users with Catalyst 9800

• Rogue detection & Mitigation
• Enhanced threat detection with ETA
• Seamless BYOD onboarding with ISE
• Standards compliance with WPA3*
• Identity based segmentation with SDA
• Secure device management with iPSK

WPA3*: enhanced security on open Wi-Fi; robust password protection; superior data protection; seamless customer migration

*Future

Page 36:

Introducing ETA on Cisco Catalyst 9800 Series Wireless Controllers

Enhance Visibility | Promote Compliance | Shorten Time to Response | Save Time & Money

Encrypted wireless traffic → Netflow telemetry → Cisco Stealthwatch®: malware detection and cryptographic compliance on Cisco Stealthwatch

Supported on Catalyst 9800 Series Wireless Controller in Centralized Wireless Deployment

Page 37:

Catalyst 9800: Deploy Anywhere

Page 38:

Deploy Cisco Wireless Controllers in any form factor for campuses and distributed branches

Branch / Small HQ (up to 200 APs**): Mobility Express; 3504 Wireless Controller (AireOS); C9800 embedded* for Cat9k Switch (new); C9800-CL – C9800 for Public Cloud+ (new); C9800-CL – C9800 for Private Cloud (new)
Campus (200 to 3000 APs**): C9800-40 – Catalyst 9800 on-prem (new); C9800-CL – C9800 for Private Cloud (new); C9800-CL – C9800 for Public Cloud+ (new)
Large Campus (3000 to 6000 APs**): C9800-80 – Catalyst 9800 on-prem (new); C9800-CL – C9800 for Private Cloud^ (new)

*SD-Access only
**Refer to Datasheet for more information
^Centralized support for 6000 APs in Future
+Catalyst 9800 for Public cloud FlexConnect only

Page 39:

Catalyst 9800 Configuration – GUI, CLI and API

Page 40:

Cat 9800 Wireless - New Configuration Model

• Reusability: config modularized as objects
• Simplicity: no inheritance or containers
• Easy Provisioning: with AP attribute tagging
• Rule-based Tagging: for easy Day 1 configuration
• Change Management: site based filtering

Page 41:

Catalyst 9800 Higher Management transition

Highly customized customer configuration (Prime or Wireless Controller UI; modes supported: Flex and Centralized; Prime Automation, DNA Center Assurance) → Config. Migration (one time) → Intent based, best practices driven (DNA Center; modes supported: Flex, Centralized and SD-Access; DNA Center Automation and Assurance)

Page 42:

DNA Center

Page 43:

Cisco Catalyst 9800: Licensing Model, How to Test and Deploy, Links to Guides

Page 44:

Catalyst 9800 Licensing

DNA Center Appliance | Catalyst 9800 Series Wireless Controllers | Aironet Access Points (DNA licenses)

Smart License Management: DNA license consumption & tracking with Smart Licensing and mandatory Smart Accounts
DNA Licensing: seamless portability & investment protection with DNA Licensing
Mandatory DNA license for every AP joining the Catalyst 9800 controller
All APs joining the controller will be at the same DNA level

Page 45:

Wireless Subscription Offer Structure

Cisco DNA Essentials (3/5/7 year subscriptions, single SKU): AP License, Prime, Cisco DNA Essentials – Base Automation
Cisco DNA Advantage (3/5/7 year subscriptions, single SKU): AP License, Prime, Cisco DNA Essentials, Cisco DNA Advantage – Automation and Assurance; Enterprise Agreement Eligible
Cisco DNA Premier (3/5/7 year subscriptions, single SKU): AP License, Prime, CMX Base, ISE Base + ISE Plus, Cisco DNA Spaces SEE, Cisco DNA Essentials, Cisco DNA Advantage – Automation, Assurance, SDA, Security and Location; Enterprise Agreement Eligible

11AX, Wave 2 APs and Controllers - CAT 9800-40, CAT 9800-80, C9800-CL, Embedded Wireless
Software Support Service (SWSS) included in all subscriptions
*Customers can also get Cisco DNA software on 3504/5520/8540

Page 46:

Catalyst 9800 Wireless Controller – Advantage vs. Essentials

▪ Cat 9800 controller includes the Perpetual Network Stack - Network Essentials or Network Advantage
▪ Mandatory to attach DNA License for every AP joining the Catalyst Wireless controller
▪ DNA License includes Wireless and DNA Center Features

Essentials

Perpetual Network Essentials (C9800-80/C9800-40/C9800-CL/Embedded Wireless):
Essential Wireless Capabilities ▪ 802.1x authentications, Guest access, device onboarding, Infra and client IPv6, ACLs, QoS, Video stream, Smart defaults, RRM, Spectrum intelligence, BLE, Zigbee, USB, TrustSec SXP, SSO, Dynamic QoS, Analytics, ADP, OpenDNS, mDNS, IPSec, AP and client SSO, Rogue Management and Detection, Mobility
DevOps Integration ▪ PnP Agent ▪ NETCONF, RESTCONF*, gNMI* ▪ Yang Data Models ▪ GuestShell (On-Box Python)*
Telemetry & Visibility ▪ Model-driven Telemetry ▪ NETCONF dial-in, gRPC dial out*
Telemetry ▪ Flexible NetFlow
Base Security ▪ Basic WIPS*

DNA Essentials (3,5,7 Year Terms):
Basic Automation ▪ PnP Application ▪ Network Site Design and Device Provisioning
Element Management ▪ Software Image Management ▪ Discovery, Network Topology ▪ AVC
Basic Assurance ▪ Health dashboard (Network, Client and Application) ▪ AP Floor map and Coverage map ▪ Pre-defined Reports

Advantage

Perpetual Network Advantage (Inclusive of Network Essentials):
High Availability & Resiliency ▪ ISSU, Process Restart ▪ Rolling AP Upgrades ▪ Patching (CLI) ▪ AP service pack/AP device pack
Flexible Network Segmentation ▪ VXLAN
Enhanced Security & IoT ▪ Encrypted Traffic Analytics ▪ Advanced WIPS*
IoT Optimized ▪ Identity PSK, Enhanced Device profilers
Federal Certifications* ▪ FIPS, CC, UCAPL, USGV6
Optimized RF ▪ FRA, Client link, ClearAir Advanced ▪ NG-HDX, Predictive/Proactive RRM

DNA Advantage (Inclusive of DNA Essentials), 3,5,7 Year Terms:
Advanced Automation ▪ SD-Access ▪ Location Plug and Play ▪ Automated ISE integration for guest ▪ 3rd party API integration
Policy Based Workflows ▪ EasyQos configuration ▪ EasyQos monitoring ▪ Policy-based Automation
Assurance & Analytics ▪ Guided Remediation ▪ Apple iOS Insights ▪ Proactive issue Detection ▪ Aironet Active Sensor Tests ▪ Intelligent capture ▪ Client Location Heatmaps ▪ Spectrum Analyzer ▪ Application performance (Packet Loss, Latency and Jitter) ▪ App 360, AP 360, Client 360 and WLC 360 ▪ Custom Reports*
Element Management ▪ Patch Lifecycle Management

*Future

Page 47: How to test Cat9800 in your lab

C9800 for Private Cloud (ZERO PRICE):
• Navigate to the C9800 Wireless downloads section in software.cisco.com
• Download the appropriate package and install it in a hypervisor
• https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller_virtual_dg.html

C9800 for Public Cloud (ZERO PRICE):
• Go to the AWS Marketplace
• Search for “Cisco Catalyst Wireless” or “C9800-CL”
• Choose the image and deploy following the instructions
• https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_cisco_catalyst_9800_wireless_controller_aws.html

Page 48: IRCM: AireOS and Cisco Catalyst 9800

Seamless roaming b/w Catalyst 9800 and AireOS 8.8 MR2 (3504/5520/8540)

Catalyst 9800 Deployment (Catalyst 9800) <- Secure Mobility (CAPWAP) -> AireOS Deployment (AireOS WLC, AireOS 8.8 MR2)

• Seamless roaming, L3 only
• Also supported on AireOS 8.5MR4 Special

Page 49: Brownfield scenario – Common RF plan

Diagram: a Catalyst 9800 (RF tag = Floor1 / Policy tag = Floor1, RF tag = Floor2 / Policy tag = Floor2) and an AireOS WLC (AP group = Floor1, AP group = Floor2) share a common RF group name; one of them is elected RF Leader, and the APs attach over CAPWAP tunnels.

Adding a C9800 to an AireOS network. RRM works in a mixed controller environment:

• C9800 and AireOS controllers can create one RF domain and share a common RF plan
• The RF group name on both AireOS and C9800 controllers needs to match
• 8.8 is required on AireOS (8.8MR1 recommended)
• An RF leader is elected (based on controller capacity) and a common channel and power plan will be used for all APs
• APs will not show up as rogue on the other controller
• NOTE: in a scenario where you want to have custom RF profiles or enable FRA, the leader (e.g. the C9800 controller) needs to have Policy and RF tags matching the names of the AP Groups on the AireOS WLC. Of course the settings of the RF profiles on both controllers need to match as well.

Page 50: Brownfield – Guest Anchor

Catalyst 9800 Deployment (Catalyst 9800) -> Secure Mobility (CAPWAP) -> Guest Anchor (AireOS Guest Anchor, AireOS 8.8 MR1)
AireOS Deployment (AireOS WLC) -> EoIP-based Mobility -> Guest Anchor (AireOS Guest Anchor)

Upgrade the AireOS Guest Anchor to 8.8 MR2 (on 3504/5520/8540) and manage both Catalyst 9800 and AireOS Foreign

Also supported on AireOS 8.5MR4 Special

Page 51: Catalyst 9800 Wireless Controller Documentation

Technical References: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-technical-reference-list.html

Configuration Guides: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-installation-and-configuration-guides-list.html

Technical Notes (configuration examples): https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-configuration-examples-list.html

Page 52: IOS XE Programmability Book

http://cs.co/programmabilitybook

Automated Backup SSID with EEM on C9800 Wireless Controllers: https://community.cisco.com/t5/wireless-mobility-documents/automated-backup-ssid-with-eem-on-catalyst-9800-wireless/ta-p/3743838

Page 53: Cisco Catalyst 9800 Troubleshooting

Page 54: Cisco C9800 IOS-XE Troubleshooting Platform objectives

• A single way to enable debugs, not having to remember and enable dozens of debug commands
• Capacity to trace the path and time of a packet through the platform, including all the features it hits on the way
• Obtaining debug logs of past events in their context even without having enabled any debug manually
• Being able to verify things at every layer of the platform (control or data plane)

Page 55: Having AP/client issues? Quick tips…

• Always-on tracing, no need to turn on anything…
• AP not joining? > show log profile wireless filter mac <AP radio-mac> to-file <output-file>
• Client issues? > show log profile wireless filter mac <client-mac> to-file <output-file>
  show logging profile wireless internal reverse | inc Association received – to get the MAC of the client
• Explicit debug: “debug wireless mac”
  • This runs for 30 mins by default but you can set it or do “no debug” to stop it
  • Automatically creates a file that you can view (name of the file is ra_trace_MAC_aaaabbbbcccc_HHMMSS.XXX_timezone_DayWeek_Month_Day_year.log)
• If you can’t fix it, then open a TAC case and provide these outputs:
  • show tech wireless and show tech
  • show tech licensing >> for licensing issues
  • show tech memory >> for memory related issues
  • In case of a crash, get the system report, which can be downloaded from GUI > Troubleshooting

Page 56: IOS-XE Logging Architecture

• General concepts
• Always-on tracing
• Trace-on-failure
• Conditional debugging: Radioactive tracing
• Non-conditional debugging: Specific component debugging

Page 57: C9800 IOS-XE Logging architecture

Client join messages (WNCd-0):

L2 Authentication Key Exchange Start. EAP type: PEAP, Resolved VLAN: 185, Audit Session id:ABCD
EAP Key management successful. AKM:FT-DOT1X Cipher:CCMP WPA2
Mobility discovery triggered. Client mode: Local
ADD MOBILE sent. Client state flags: 0x72 BSSID: MAC: abcd.abcd.cdef capwap IFID: 0x1234
Client IP learn successful. Method: IP Snooping IP: 10.0.0.1
Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_RUN

Final RUN state message (IOSd):

Oct 9 09:12:15.363 UTC: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 2 R0/0: wncd: Username entry (bob) joined with ssid (foo) for device with MAC: 1234.1234.5678

Log paths in the diagram:

WNCd-0 -> Btrace Library -> WNCd-0 tracelog (wncd_x_R0-0.2280_41.20181009080530.bin)
IOSd -> Btrace Library -> IOSd tracelog (IOSRP_R0-0.14671_21.20181009041228.bin)
IOSd -> IOS Logger -> Syslog, VTY (term mon), console, …

• All binOS (i.e. non-IOSd) processes log to files in flash/disk
• When a log file reaches its maximum size, it rotates and creates a new one
• Logs are written in binary and then compressed for archiving

Page 58: IOS-XE logging architecture – How do we consult logs?

#show logging continues to give us the log history of IOSd events

#show logging profile wireless to-file <filename> collates (and decodes) to the destination filename in flash all the wireless-relevant logs from ALL the log files on disk

Since there is a lot of logging, we have options like:

#show logging profile wireless level <severity> to-file <filename>
#show logging profile wireless level info filter mac <mac addr> to-file <filename>
#show logging profile wireless start timestamp “MM/DD/YYYY HH:MM:SS” level info filter mac <mac addr> to-file <filename>

Severity levels: 2-Critical, 3-Error, 4-Warning, 5-Notice, 6-Info, 7-Debug, 8-Verbose

Page 59: Introducing always-on tracing – Logs even without enabling debugs

• Each process constantly writes logs down to NOTICE level to give some context about normal but significant events happening
• We are tracking client connections (even successful) and their state machine changes
• Target: each process can log for at least 48 hours (on a fully loaded box)
• You can debug what happened to a client AFTER it happened and without having enabled anything beforehand!

Severity levels: 2-Critical, 3-Error, 4-Warning, 5-Notice, 6-Info, 7-Debug, 8-Verbose

Page 60: Always-on logging: client connection failure

show log profile wir filter mac 0000.0a34.0001 to-file output.txt

[client-orch-sm] [32269]: (note): MAC: 0000.0a34.0001 Association received. BSSID 000b.cd00.060f, old BSSID 0000.0000.0000, WLAN 1, Slot 1 AP 000b.cd00.0600, EWLC-AK-SIM-AP-5
2018/09/18 08:58:40.149 {wncd_x_R0-1}{1}: [client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: client_orch_sm_state___none -> S_CO_ASSOCIATING
[dot11] [32269]: (note): MAC: 0000.0a34.0001 Association success. AID 1, Roaming = 0, WGB = 0, 11r = 0, 11w = 0
[client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: S_CO_ASSOCIATING -> S_CO_ASSOCIATED_TR
[client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: S_CO_ASSOCIATED_TR -> S_CO_L2_AUTH_IN_PROGRESS
[client-auth] [32269]: (note): MAC: 0000.0a34.0001 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 000b.cd00.060f capwap IFID: 0xf90400003
[client-auth] [32269]: (note): MAC: 0000.0a34.0001 L2 Authentication initiated. method DOT1X, Policy VLAN 1,AAA override = 1
[ewlc-infra-evq] [32269]: (note): Authentication Success. Resolved Policy bitmap:11 for client 0000.0a34.0001
[ewlc-infra-evq] [32269]: (ERR): SANET_AUTHC_FAILURE - Cred Fail username wpa2eapfast, audit session id 22100A09000002C8EBE72A99,
[client-orch-sm] [32269]: (note): MAC: 0000.0a34.0001 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE
[client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
[client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED

Page 61: Always-on logging: AP join failures

show log profile wir filter mac <ap radio mac> to-file output.txt

Unsupported AP:
[apmgr-capwap-join] [1263]: UUID: 0, ra: 0, TID: 0 (ERR): d824.bde8.3690 Join request not accepted: Unsupported AP Model AIR-LAP1142N-A-K9

Reg Domain failure:
[apmgr-capwap-config] [1394]: UUID: 10000000002ed, (ERR): f44e.0597.fb50 Failed to verify reg domain slot. validation of country code(UX) to regulatory domain(-A) error:1
[apmgr-capwap-config] [1394]: UUID: 10000000002ed, (ERR): f44e.0597.fb50 Failed to get ap default country code. Get default country code for AP error.
[apmgr-capwap-config] [1394]: UUID: 10000000002ed, (ERR): f44e.0597.fb50 Failed to set reg domain check status. country code US is not configured on WLC

Cert Failure:
[apmgr-capwap-config] [1394]: UUID: 10000000002ed, (ERR), %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 6B4F09560000001763DF) is not yet valid Validity period starts on 22:48:43 IST Sep 9 2014

Discovery to non wireless mgmt interface:
2017/09/22 01:51:02.168 {wncmgrd_R0-0}{2}: [capwapac-srvr] [16320]: UUID: 0, ra::0, TID: 0 (ERR): IP:3.3.3.1[5246], Discovery to non wireless mgmt interface
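The client failure walk on the previous slide and the AP join failures above are the same kind of evidence: always-on trace lines that carry a component, a severity, and the MAC they are about. The following parser, an added example that is not part of the webinar deck or of any Cisco tool, rebuilds the client-orch state transitions for one client MAC and classifies AP join failures from ERR lines. The regular expressions, the failure-class table and the sample lines (constructed from the slides' output) are this example's own assumptions about the text format, not a published specification.

```python
"""Parse Catalyst 9800 always-on trace lines and summarise what happened to
one client or access point.

Input is the text that 'show logging profile wireless filter mac <mac>
to-file <file>' writes. The sample lines below are constructed from the
slides; the regular expressions and the join-failure classification table
are this example's own assumptions, not a Cisco-published format.
"""
import re
from collections import defaultdict

# Optional "YYYY/MM/DD HH:MM:SS.mmm {process}{n}: " prefix, then
# "[component] [pid]: <optional UUID/TID context> (severity): message"
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\{(?P<proc>[^}]+)\}\{\d+\}:\s+)?"
    r"\[(?P<component>[^\]]+)\]\s+\[(?P<pid>\d+)\]:\s+"
    r"(?P<ctx>.*?)\((?P<sev>[A-Za-z]+)\),?:?\s*(?P<msg>.*)$"
)
MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
# MAC the line is about: leading "MAC: x", a leading bare MAC (AP join
# lines) or "... for client x".
SUBJECT_RE = re.compile(r"(?:^(?:MAC:\s*)?|\bfor client\s+)(" + MAC + r")\b")
TRANSITION_RE = re.compile(r"Client state transition:\s*(\S+)\s*->\s*(\S+)")
DELETE_RE = re.compile(r"Client delete initiated\. Reason:\s*(\S+)")
AUTH_RE = re.compile(r"L2 Authentication initiated\. method ([A-Z0-9]+)")

# Substrings identifying the AP join failure classes shown on the slides.
AP_JOIN_FAILURE_PATTERNS = [
    ("unsupported_ap_model", re.compile(r"Unsupported AP Model")),
    ("regulatory_domain", re.compile(r"reg domain|country code", re.I)),
    ("certificate", re.compile(r"CERTIFICATE_INVALID|Certificate chain validation")),
    ("discovery_wrong_interface", re.compile(r"Discovery to non wireless mgmt")),
]


def parse_line(line):
    """Return ts/proc/component/pid/ctx/sev/msg/subject for one line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    s = SUBJECT_RE.search(rec["msg"])
    rec["subject"] = s.group(1).lower() if s else None
    return rec


def client_timeline(lines, mac):
    """Rebuild the client-orch state-machine walk for one client MAC."""
    mac = mac.lower()
    states, delete_reason, auth_method = [], None, None
    for rec in map(parse_line, lines):
        if rec is None or rec["subject"] != mac:
            continue
        t = TRANSITION_RE.search(rec["msg"])
        if t:
            if not states or states[-1] != t.group(1):
                states.append(t.group(1))  # first state, or a gap in the log
            states.append(t.group(2))
            continue
        d = DELETE_RE.search(rec["msg"])
        if d:
            delete_reason = d.group(1)
        a = AUTH_RE.search(rec["msg"])
        if a:
            auth_method = a.group(1)
    return {"states": states, "auth_method": auth_method,
            "delete_reason": delete_reason, "reached_run": "S_CO_RUN" in states}


def ap_join_failures(lines):
    """Map each join-failure class seen in ERR lines to the AP MACs affected."""
    found = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None or rec["sev"].upper() != "ERR":
            continue
        for category, pattern in AP_JOIN_FAILURE_PATTERNS:
            if pattern.search(rec["msg"]):
                subject = rec["subject"] or "unknown"
                if subject not in found[category]:
                    found[category].append(subject)
                break
    return dict(found)


# Constructed samples, modelled on the slides' client and AP join failures.
SAMPLE_CLIENT_LINES = [
    "[client-orch-sm] [32269]: (note): MAC: 0000.0a34.0001 Association received. BSSID 000b.cd00.060f, old BSSID 0000.0000.0000, WLAN 1, Slot 1 AP 000b.cd00.0600, EWLC-AK-SIM-AP-5",
    "2018/09/18 08:58:40.149 {wncd_x_R0-1}{1}: [client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: client_orch_sm_state___none -> S_CO_ASSOCIATING",
    "[dot11] [32269]: (note): MAC: 0000.0a34.0001 Association success. AID 1, Roaming = 0, WGB = 0, 11r = 0, 11w = 0",
    "[client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: S_CO_ASSOCIATING -> S_CO_ASSOCIATED_TR",
    "[client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: S_CO_ASSOCIATED_TR -> S_CO_L2_AUTH_IN_PROGRESS",
    "[client-auth] [32269]: (note): MAC: 0000.0a34.0001 L2 Authentication initiated. method DOT1X, Policy VLAN 1,AAA override = 1",
    "[ewlc-infra-evq] [32269]: (note): Authentication Success. Resolved Policy bitmap:11 for client 0000.0a34.0001",
    "[ewlc-infra-evq] [32269]: (ERR): SANET_AUTHC_FAILURE - Cred Fail username wpa2eapfast, audit session id 22100A09000002C8EBE72A99,",
    "[client-orch-sm] [32269]: (note): MAC: 0000.0a34.0001 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE",
    "[client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS",
    "[client-orch-state] [32269]: (note): MAC: 0000.0a34.0001 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED",
]
SAMPLE_AP_LINES = [
    "[apmgr-capwap-join] [1263]: UUID: 0, ra: 0, TID: 0 (ERR): d824.bde8.3690 Join request not accepted: Unsupported AP Model AIR-LAP1142N-A-K9",
    "[apmgr-capwap-config] [1394]: UUID: 10000000002ed, (ERR): f44e.0597.fb50 Failed to verify reg domain slot. validation of country code(UX) to regulatory domain(-A) error:1",
    "[apmgr-capwap-config] [1394]: UUID: 10000000002ed, (ERR): f44e.0597.fb50 Failed to set reg domain check status. country code US is not configured on WLC",
    "[apmgr-capwap-config] [1394]: UUID: 10000000002ed, (ERR), %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 6B4F09560000001763DF) is not yet valid",
    "2017/09/22 01:51:02.168 {wncmgrd_R0-0}{2}: [capwapac-srvr] [16320]: UUID: 0, ra::0, TID: 0 (ERR): IP:3.3.3.1[5246], Discovery to non wireless mgmt interface",
]

if __name__ == "__main__":
    print(client_timeline(SAMPLE_CLIENT_LINES, "0000.0a34.0001"))
    print(ap_join_failures(SAMPLE_AP_LINES))
```

Run against a real `to-file` export, the timeline shows how far the client got before deletion (here it never reached S_CO_RUN and was deleted for a credential failure), while the join-failure map tells you which APs are stuck on which class of problem, so that a regulatory-domain or certificate-validity issue on the controller side is not mistaken for a bad AP.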

Page 62: Trace-on-Failure (TOF)

• Predefined failure codes are tracked
• You can pull statistics … (output below)
• Or see indexed recent failures. It allows you to quickly see the latest issue on the box and have a precise timestamp + UUID pointer to the exact logs!

sh wireless stats trace-on-failure
001. AP radio reset......................................: 0
002. AP reset............................................: 0
003. Client disjoin due to AP radio reset................: 0
004. Client disjoin due to AP reset......................: 0
005. Export client MMIF..................................: 0
006. Export client MM....................................: 0
007. Export client generic...............................: 0
011. AP join failure.....................................: 0
012. AP initial configuration failure....................: 44335
…..

Page 63: IOS-XE Logging architecture – Show logging trace-on-failure summary

Time                    UUID            Log
--------------------------------------------------------------------------------------------
2018/09/21 04:43:52.773 0x1000000004c93 2048.2000.0300 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:52.990 0x1000000004cbf 2048.2000.0500 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:53.030 0x1000000004ccc 2048.2000.0400 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:53.068 0x1000000004ce5 2048.2000.0200 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:53.226 0x1000000004d05 2048.2000.0700 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:53.270 0x1000000004d17 2048.2000.0600 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:55.626 0x1000000004e61 2048.2000.1200 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/12/12 12:26:35.406 0x10000000cd09b 8875.56c6.f000 AP_JOIN_FAIL : Apmgr failure reason : Unsupported ap,
2018/12/17 13:18:32.097 0x10000002c7428 08cc.68b4.4660 CAPWAPAC_HEARTBEAT_EXPIRY

Page 64: IOS-XE Logging architecture – show log profile wir filter uuid 0x10000000cd09b to-file <filename>

more bootflash:<filename>

2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [ewlc-infra-evq] [3862]: (note): Data type : Message handle
2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [apmgr-capwap-join] [3862]: (ERR): 8875.56c6.f000 Join request not accepted: Unsupported AP Model AIR-CAP3602I-E-K9
2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [apmgr-capwap-join] [3862]: (ERR): 8875.56c6.f000 Failed to process join request. Unable to decode apmgr join response
2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [apmgr-ap-global] [3862]: (ERR): 8875.56c6.f000 Failed to handle ap sm join request. Unable to process apmgr join request
2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [ewlc-infra-evq] [3862]: (ERR): 8875.56c6.f000 AP_JOIN_FAIL : Apmgr failure reason : Unsupported ap, Policy tag : , Site tag : , Rf tag : default-rf-tag
2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [apmgr-db] [3862]: (ERR): Failed to get ap name mac map record for delete. Name: AP3602I-E-K9. Reason: No such file or directory
2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [apmgr-db] [3862]: (ERR): 8875.56c6.f000 Delete ap name map record from the apmgr failed: 2
2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [capwapac-smgr-sess-fsm] [3862]: (ERR): Session-IP: 192.168.17.146[57187] Mac: 8875.56c6.f000 Unmapped previous state in transition S_JOIN_PROCESS to S_END on E_AP_INTERFACE_DOWN
2018/12/12 12:26:35.406 {wncd_x_R0-3}{1}: [apmgr-db] [3862]: (ERR): 8875.56c6.f000 Mismatch in session handles. Record already deleted and recreated
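Slides 62 to 64 describe one workflow: the TOF counters say that something is failing, the TOF summary gives each recent failure a timestamp and a UUID, and the UUID is the key for pulling the full context with the filtered `show logging profile wireless` command. The script below, an added example that is not from the deck or from Cisco, parses both TOF views, builds a histogram of failure reasons, picks the most recent failure and produces the follow-up command for it. The sample text is constructed from the slides; the parsers and the command builder are this example's own assumptions about the output format.

```python
"""Turn the C9800 trace-on-failure (TOF) views into a work list.

Handles the two outputs shown on the slides:
  * 'show wireless stats trace-on-failure'  - a counter per predefined failure code
  * 'show logging trace-on-failure summary' - indexed recent failures, each with a
    timestamp, a UUID and the affected MAC
The UUID is what 'show logging profile wireless filter uuid <uuid> to-file <file>'
takes to pull the full context of one failure out of the binary trace files.

Sample text is constructed from the slides; the parsers and the command builder
are this example's own, not a Cisco tool.
"""
import re
from collections import Counter

# "012. AP initial configuration failure....................: 44335"
COUNTER_RE = re.compile(r"^\s*(\d{3})\.\s+(.+?)\.{2,}:\s*(\d+)\s*$")
# "2018/12/12 12:26:35.406 0x10000000cd09b 8875.56c6.f000 AP_JOIN_FAIL : Apmgr failure reason : Unsupported ap,"
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<uuid>0x[0-9a-f]+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<code>[A-Z_]+)\s*(?::\s*(?P<detail>.*?))?,?\s*$"
)


def parse_counters(text):
    """Return {failure name: count} from 'show wireless stats trace-on-failure'."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2).strip()] = int(m.group(3))
    return counters


def nonzero_counters(text):
    """Only the failure codes that actually fired, the first thing to look at."""
    return {name: n for name, n in parse_counters(text).items() if n}


def parse_summary(text):
    """One dict per failure row of 'show logging trace-on-failure summary'."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue  # header, rule line or blank
        row = m.groupdict()
        detail = row["detail"] or ""
        row["reason"] = detail.split(":")[-1].strip()  # e.g. "Regulatory"
        rows.append(row)
    return rows


def failure_histogram(rows):
    """Count failures by (code, reason), to see what dominates."""
    return Counter((r["code"], r["reason"]) for r in rows)


def latest_failure(rows):
    # Timestamps are zero-padded YYYY/MM/DD HH:MM:SS.mmm, so string order is time order.
    return max(rows, key=lambda r: r["ts"])


def log_pull_command(uuid, filename):
    """The CLI from the slides that extracts every log line tagged with this UUID."""
    return f"show logging profile wireless filter uuid {uuid} to-file {filename}"


# Constructed samples modelled on the slides.
SAMPLE_COUNTERS = """\
sh wireless stats trace-on-failure
001. AP radio reset......................................: 0
002. AP reset............................................: 0
003. Client disjoin due to AP radio reset................: 0
004. Client disjoin due to AP reset......................: 0
005. Export client MMIF..................................: 0
006. Export client MM....................................: 0
007. Export client generic...............................: 0
011. AP join failure.....................................: 0
012. AP initial configuration failure....................: 44335
"""
SAMPLE_SUMMARY = """\
Time                    UUID            Log
--------------------------------------------------------------------
2018/09/21 04:43:52.773 0x1000000004c93 2048.2000.0300 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:52.990 0x1000000004cbf 2048.2000.0500 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:53.030 0x1000000004ccc 2048.2000.0400 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:53.068 0x1000000004ce5 2048.2000.0200 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:53.226 0x1000000004d05 2048.2000.0700 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:53.270 0x1000000004d17 2048.2000.0600 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/09/21 04:43:55.626 0x1000000004e61 2048.2000.1200 AP_CFG_STATUS_FAIL : Apmgr failure reason : Regulatory
2018/12/12 12:26:35.406 0x10000000cd09b 8875.56c6.f000 AP_JOIN_FAIL : Apmgr failure reason : Unsupported ap,
2018/12/17 13:18:32.097 0x10000002c7428 08cc.68b4.4660 CAPWAPAC_HEARTBEAT_EXPIRY
"""

if __name__ == "__main__":
    print(nonzero_counters(SAMPLE_COUNTERS))
    rows = parse_summary(SAMPLE_SUMMARY)
    print(failure_histogram(rows).most_common())
    newest = latest_failure(rows)
    print(newest["ts"], newest["mac"], newest["code"], newest["reason"])
    print(log_pull_command(newest["uuid"], "tof_latest.txt"))
```

The histogram is what turns 44,335 "AP initial configuration failure" hits into one actionable statement (seven APs failing on the regulatory domain), and the UUID-keyed command is the step that gets you the slide-64 style context without any debug having been enabled.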

Page 65: Radioactive tracing – Building on existing conditional debugging CLI

• Debug platform condition start/stop
• Debug platform condition interface/mac/ipv4/ipv6
• Debug platform software cond-debug verbose
• Show platform conditions
• Clear platform condition all

Drawbacks:
• Every independent process in the flow must evaluate the condition separately
• Some processes do not have access to the data required to evaluate the condition

Page 66: RA tracing conditional debugging – same commands for AP or client troubleshooting

Client troubleshooting:
• debug platform condition feature wireless mac <client mac>
• debug platform condition start
(reproduce issue)
• debug platform condition stop
• show logging profile wireless (start timestamp “Date&time”) level debug filter mac <client mac> to-file <filename>
• more flash:<filename>

AP troubleshooting:
• debug platform condition feature wireless mac <AP mac>
• debug platform condition start
(reproduce issue)
• debug platform condition stop
• show logging profile wireless (start timestamp “Date&time”) level debug filter mac <AP mac> to-file <filename>
• more flash:<filename>

”Clear platform condition all” when done

Page 67: Too many commands? We make it simple

WLC# debug wireless mac aaaa.bbbb.cccc ?
  ftp-server    Move log file to FTP server, default storage: "flash:/"
  monitor-time  Max time to trace the condition, Default: 30min
  internal      Collect all logs.(Default: only customer curated logs)
  <cr>          <cr>

This is a macro that runs the commands from the previous slides in a single command.
Can be run for a certain <monitor-time> or stopped with the “no” version of the command.
Automatically stops!

Page 68: Non-conditional active debugging

RRM (for all APs):
• set platform software trace wireless chassis active r0 rrm all debug
(reproduce issue)
• show logging process rrm to-file <filename>
• more flash:<filename>

Web UI:
• set platform software trace nginx chassis active r0 all debug
(reproduce issue)
• show logging process nginx to-file <filename>
• more flash:<filename>

Set back to “NOTICE” level when done!

Page 69: Embedded Packet Capture web interface

• Web interface to the existing EPC CLI “monitor capture …”
• One click start/stop/download
• Physical and VLAN interfaces can be selected

Page 70: Useful commands and tools – Administration -> Command line interface page

Page 71: Useful commands and tools – Troubleshooting page

Page 72: Useful commands and tools – Collecting outputs with the debug bundle (UI)

Page 73: AP COS troubleshooting

• AP COS can take a wired pcap of their gig interface with vlan tags

LabAP#debug traffic wired ip capture
% Writing packets to "/tmp/pcap/LabAP_capture.pcap0"
reading from file /dev/click_wired_log, link-type EN10MB (Ethernet)
##
tcpdump: pcap_loop: error reading dump file: Interrupted system call 100.0%
LabAP#undeb all
All possible debugging has been turned off
LabAP#copy pcap LabAP_capture.pcap0 tftp: 192.168.68.52/LabAP_capture.pcap0
######################################################################## 100.0%
LabAP#debug traffic wired filter "port 5246"
13:20:26.960439 IP 192.168.68.134.5264 > 10.48.39.212.5246: UDP, length 641
13:20:26.960868 IP 10.48.39.212.5246 > 192.168.68.134.5264: UDP, length 81
13:20:47.288822 IP 192.168.68.134.5264 > 10.48.39.212.5246: UDP, length 97
13:20:47.289394 IP 10.48.39.212.5246 > 192.168.68.134.5264: UDP, length 81

Page 74: AP COS troubleshooting

• AP COS can take a radio capture (of the control plane) and print it locally or remotely

[*08/20/2018 09:12:01.834504] [LabAP] [00:ae:fa:78:36:89] <apr0v9> [D:W] DOT11_PROBE_RESPONSE : (.)
[*08/20/2018 09:12:01.915985] [LabAP] [00:ae:fa:78:36:89] <apr1v9> [U:W] DOT11_AUTHENTICATION : (.)
[*08/20/2018 09:12:01.916759] [LabAP] [00:ae:fa:78:36:89] <apr1v9> [D:W] DOT11_AUTHENTICATION : (.)
[*08/20/2018 09:12:01.917507] [LabAP] [00:ae:fa:78:36:89] <apr1v9> [U:W] DOT11_ASSOC_REQUEST : (.)
[*08/20/2018 09:12:01.919013] [LabAP] [00:ae:fa:78:36:89] <apr1v9> [D:W] DOT11_ASSOC_RESPONSE : (.)
[*08/20/2018 09:12:01.924963] [LabAP] [00:ae:fa:78:36:89] <wired0> [D:E] EAPOL_KEY.M1

• LabAP#config ap client-trace output remote enable 192.168.68.68 5000

Page 75: AP COS client troubleshooting

LabAP#debug dot11 client rate address 00:AE:FA:78:36:89

[*08/20/2018 14:17:28.0928] MAC               Tx-Pkts Rx-Pkts Tx-Rate Rx-Rate RSSI SNR Tx-Retries
[*08/20/2018 14:17:28.0928] 00:AE:FA:78:36:89 0       0       12      a8.2-2s -45  53  0
[*08/20/2018 14:17:29.0931] 00:AE:FA:78:36:89 7       18      12      a8.2-2s -45  53  0
[*08/20/2018 14:17:30.0934] 00:AE:FA:78:36:89 3       18      12      a8.2-2s -45  53  0
[*08/20/2018 14:17:31.0937] 00:AE:FA:78:36:89 2       20      12      a8.2-2s -45  53  0
[*08/20/2018 14:17:32.0939] 00:AE:FA:78:36:89 2       20      12      a8.2-2s -45  53  0
[*08/20/2018 14:17:33.0942] 00:AE:FA:78:36:89 2       21      12      a8.2-2s -46  52  0
[*08/20/2018 14:17:34.0988] 00:AE:FA:78:36:89 1       4       12      a8.2-2s -46  52  0
[*08/20/2018 14:17:35.0990] 00:AE:FA:78:36:89 9       23      12      a8.2-2s -46  52  0
[*08/20/2018 14:17:36.0993] 00:AE:FA:78:36:89 3       7       12      a8.2-2s -46  52  0
[*08/20/2018 14:17:37.0996] 00:AE:FA:78:36:89 2       6       12      a8.2-2s -46  52  0
[*08/20/2018 14:17:38.0999] 00:AE:FA:78:36:89 2       14      12      a8.2-2s -46  52  0
[*08/20/2018 14:17:39.1002] 00:AE:FA:78:36:89 2       10      12      a8.2-2s -46  52  0
[*08/20/2018 14:17:40.1004] 00:AE:FA:78:36:89 1       6       12      a8.2-2s -46  52  0
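The per-second table above is easier to judge in aggregate than row by row. The following script, an added example that is not part of the deck or of the AP software, parses the `debug dot11 client rate` rows, totals packets and retries, tracks the RSSI/SNR range and flags the client against thresholds. The rows are constructed from the slide; the regular expression and the RSSI, SNR and retry-ratio thresholds are this example's own assumptions, not Cisco defaults.

```python
"""Summarise the per-second client rate table printed by
'debug dot11 client rate address <mac>' on a Catalyst (COS) access point.

Columns follow the AP's own header line:
  MAC  Tx-Pkts  Rx-Pkts  Tx-Rate  Rx-Rate  RSSI  SNR  Tx-Retries
The sample rows are constructed from the slide; the health thresholds are this
example's assumptions, not Cisco defaults.
"""
import re

RATE_RE = re.compile(
    r"^\[\*(?P<ts>[^\]]+)\]\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<tx>\d+)\s+(?P<rx>\d+)\s+(?P<txrate>\S+)\s+(?P<rxrate>\S+)\s+"
    r"(?P<rssi>-?\d+)\s+(?P<snr>-?\d+)\s+(?P<retries>\d+)\s*$"
)

RSSI_FLOOR_DBM = -67    # assumption: a common voice/roaming design floor
SNR_FLOOR_DB = 25       # assumption
RETRY_RATIO_MAX = 0.10  # assumption: Tx-Retries / Tx-Pkts over the window


def parse_rate_lines(lines):
    """Return one dict per data row; the header row (MAC column literal) is skipped."""
    rows = []
    for line in lines:
        m = RATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("tx", "rx", "rssi", "snr", "retries"):
            d[k] = int(d[k])
        d["mac"] = d["mac"].lower()
        rows.append(d)
    return rows


def summarize(rows, mac):
    """Aggregate the window for one client and list anything outside the thresholds."""
    mac = mac.lower()
    rows = [r for r in rows if r["mac"] == mac]
    if not rows:
        return None
    tx = sum(r["tx"] for r in rows)
    retries = sum(r["retries"] for r in rows)
    s = {
        "samples": len(rows),
        "tx_pkts": tx,
        "rx_pkts": sum(r["rx"] for r in rows),
        "rssi_min": min(r["rssi"] for r in rows),
        "rssi_max": max(r["rssi"] for r in rows),
        "snr_min": min(r["snr"] for r in rows),
        "tx_retries": retries,
        "retry_ratio": (retries / tx) if tx else 0.0,
        "rx_rates": sorted({r["rxrate"] for r in rows}),
    }
    problems = []
    if s["rssi_min"] < RSSI_FLOOR_DBM:
        problems.append("weak signal")
    if s["snr_min"] < SNR_FLOOR_DB:
        problems.append("low SNR")
    if s["retry_ratio"] > RETRY_RATIO_MAX:
        problems.append("high retry ratio")
    s["problems"] = problems
    return s


# Constructed sample, modelled on the slide's output.
SAMPLE_RATE_OUTPUT = """\
[*08/20/2018 14:17:28.0928] MAC Tx-Pkts Rx-Pkts Tx-Rate Rx-Rate RSSI SNR Tx-Retries
[*08/20/2018 14:17:28.0928] 00:AE:FA:78:36:89 0 0 12 a8.2-2s -45 53 0
[*08/20/2018 14:17:29.0931] 00:AE:FA:78:36:89 7 18 12 a8.2-2s -45 53 0
[*08/20/2018 14:17:30.0934] 00:AE:FA:78:36:89 3 18 12 a8.2-2s -45 53 0
[*08/20/2018 14:17:31.0937] 00:AE:FA:78:36:89 2 20 12 a8.2-2s -45 53 0
[*08/20/2018 14:17:32.0939] 00:AE:FA:78:36:89 2 20 12 a8.2-2s -45 53 0
[*08/20/2018 14:17:33.0942] 00:AE:FA:78:36:89 2 21 12 a8.2-2s -46 52 0
[*08/20/2018 14:17:34.0988] 00:AE:FA:78:36:89 1 4 12 a8.2-2s -46 52 0
[*08/20/2018 14:17:35.0990] 00:AE:FA:78:36:89 9 23 12 a8.2-2s -46 52 0
[*08/20/2018 14:17:36.0993] 00:AE:FA:78:36:89 3 7 12 a8.2-2s -46 52 0
[*08/20/2018 14:17:37.0996] 00:AE:FA:78:36:89 2 6 12 a8.2-2s -46 52 0
[*08/20/2018 14:17:38.0999] 00:AE:FA:78:36:89 2 14 12 a8.2-2s -46 52 0
[*08/20/2018 14:17:39.1002] 00:AE:FA:78:36:89 2 10 12 a8.2-2s -46 52 0
[*08/20/2018 14:17:40.1004] 00:AE:FA:78:36:89 1 6 12 a8.2-2s -46 52 0
"""

if __name__ == "__main__":
    rows = parse_rate_lines(SAMPLE_RATE_OUTPUT.splitlines())
    print(summarize(rows, "00:ae:fa:78:36:89"))
```

For the slide's client the window is clean: RSSI between -46 and -45 dBm, SNR no lower than 52 dB and zero retries on 36 transmitted packets, so a complaint about this client would point at something other than the RF link.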

Page 76: Summary and Q&A

Page 77: Global Sales Training – Catalyst 9800 Series Wireless Controllers

DNA Center: Translate business intent into network policy and capture actionable insights with DNA Center

Aironet Access Points: Works with Cisco Aironet 802.11ac Wave 1 and Wave 2 Access Points

Catalyst 9800 Series Wireless Controllers: C9800-40, C9800-80, C9800 for Cloud*, C9800 on Cat 9k Switch (SDA only)

All deployment modes: Centralized, SDA, FlexConnect, Mesh

* GCP EFT Only

Page 78: Best Enterprise Wireless Solution - DNA, Catalyst 9800 and AP4800

Aironet 4800 Access Point: Intelligent Capture; 24x7 dedicated monitoring radio; <3m median Hyperlocation accuracy

Catalyst 9800 Series Wireless Controllers: Always-on; Secure; Deploy Anywhere

DNA Center (Assurance, Policy, Automation): Design, Provision, Automate; 360° Context Graph; Apple iOS WiFi Analytics

Automate provisioning and policy on an infrastructure designed for IBN
Streaming telemetry and insights to take the right action at the right time
Digitize people, spaces and things with DNA Spaces

Page 79: Registration: https://www.eventtouch.eu/czech_republic/techclubdays/?locale=cs_CZ#nav4221=26841