design and deployment of - alcatron.net live 2015 melbourne... · • cisco introduced cckm in...

#clmel

Design and Deployment of Enterprise WLANs

BRKEWN-2010

Sujit Ghosh

Sr. Mgr. Technical Marketing

© 2015 Cisco and/or its affi liates. All rights reserved.BRKEWN-2010 Cisco Public

Agenda

• Controller-Based Architecture Overview

• Mobility in the Cisco Unified WLAN Architecture

• Architecture Building Blocks

• Deploying the Cisco Unified Wireless Architecture

3


Agenda





4


Cisco Unified Wireless Principles

• Components• Wireless LAN controllers (WLC)

• Aironet access points (AP)

• Management (Prime Infrastructure) (PI)

• Mobility Service Engine (MSE)

• Principles• AP must have CAPWAP connectivity with WLC

• Configuration downloaded to AP by WLC

• All Wi-Fi traffic is forwarded to the WLC

Wireless LAN

Controllers

Aironet Access

Point

Cisco Prime

Infrastructure

MSE

Campus

Network

5


Centralised Wireless LAN ArchitectureWhat is CAPWAP?

• CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller and based on LWAPP

• CAPWAP carries control and data traffic between the two– Control plane is DTLS encrypted

– Data plane is DTLS encrypted (optional)

• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless

• CAPWAP is not supported on Layer 2 mode deployment

CAPWAP Controller

Wi-Fi Client

Business

Application

Control Plane

Data Plane

Access

Point

6


CAPWAP State Machine

DiscoveryReset

Image Data

Config

Run

AP Boots UP

DTLSSetup

Join

7


AP Controller Discovery

• Layer 2 join procedure attempted on LWAPP APs– (CAPWAP does not support Layer 2 APs)

– Broadcast message sent to discover controller on a local subnet

• Layer 3 join process on CAPWAP APs and on LWAPP APs after Layer 2 fails– Previously learned or primed controllers

– Subnet broadcast

– DHCP option 43

– DNS lookup

8


Efficient CAPWAP Operation

• Define the Wireless Access Point Device DHCP Scopes

• Default router IP Address for Access Point scope

• Helper address (forwarding UDP 5246 to the WLCs management interface)

• Domain name

• Appropriate DHCP Lease timer for Aps

• Pool sizes for WLAN devices in accordance to different types of sites

• If NAT is used, static 1-to-1 NAT to an outside address is recommended

9


7.4, 7.6, 8.0 ? Which Version Should I Use?

10

AireOS Release MSE Prime ISE

802.11n 7.4.130.0 (MR3) 8.0.110.0 (MR1) 2.2 1.3

802.11ac 8.0.110.0 (MR1) 8.0.110.0 (MR1) 2.2 1.3


Agenda





11


Mobility Defined

• Mobility is a key reason for wireless networks

• Mobility means the end-user device is capable of moving location in the networked environment

• Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!

• Mobility presents new challenges:

– Need to scale the architecture to support client roaming—roaming can occur intra-controller and inter-controller

– Need to support client roaming that is seamless (fast) and preserves security

12


Scaling the Architecture with Mobility Groups

• Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries

• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process

• Support for up to 24 controllers, 24000 APs per mobility group

• Mobility messages exchanged between controllers

• Data tunneled between controllers in EtherIP (RFC 3378)

• 7.6 has the option of using EOIP or CAPWAP tunnels between controllers

Eth

ern

et

in I

P T

unnel

Mobility Messages

Controller-C

MAC: AA:AA:AA:AA:AA:03

Mobility Group Name: MyMobilityGroup

Mobility Group Neighbours:Controller-A, AA:AA:AA:AA:AA:01

Controller-B, AA:AA:AA:AA:AA:02

Controller-A



Mobility Group Neighbours:Controller-B, AA:AA:AA:AA:AA:02

Controller-C, AA:AA:AA:AA:AA:03

Controller-B



Mobility Group Neighbours:Controller-A, AA:AA:AA:AA:AA:01

Controller-C, AA:AA:AA:AA:AA:03

13


Scaling the Architecture with Mobility Groups

One

WLC NetworkMobility Group

Mobility Domain

24 WLCs in a

Mobility Group

Mobility Group (8.0)



72 WLCs in a

Mobility Domain

With Inter Release Controller Mobility (IRCM) roaming is supported between 7.4,

7.6, 8.0

14


How Long Does an STA Roam Take?

• Time it takes for:– Client to disassociate +

– Probe for and select a new AP +

– 802.11 Association +

– 802.1X/EAP Authentication +

– Rekeying +

– IP address (re) acquisition

• All this can be on the order of seconds… Can we make this faster?

15


Roaming Requirements

• Roaming must be fast … Latency can be introduced by:– Client channel scanning and AP selection algorithms

– Re-authentication of client device and re-keying

– Refreshing of IP address

• Roaming must maintain security– Open auth, static WEP—session continues on new AP

– WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes

– 802.1x, 802.11i, WPA/WPAv2 Enterprise—Client must be re-authenticated and new session key derived for encryption

16


How Are We Going to Make Roaming Faster?

• Eliminating the (re)IP address acquisition challenge

• Eliminating full 802.1X/EAP reauthentication

Focus on Where We Can Have the Biggest Impact

17


Intra-Controller Roaming:

Lay

er 2 Roa

ming 18

WLC-1 WLC-2

WLC-1 Client Database


Mobility Message Exchange

Roaming Data

Path

Client Data (MAC, IP, QoS, Security)

VLAN X

Client Roams to a

Different AP

Client database entry with new AP and appropriate security context

No IP address refresh needed


Client Roaming Between Subnets:

Lay

er 319

WLC-1 WLC-2

WLC-1 Client

Database


Preroaming Data

Path

VLAN X

Client Data (MAC, IP,

QoS, Security)Client Data (MAC,

IP, QoS, Security)

VLAN Z

Mobility Message Exchange

Foreign ControllerAnchor

Controller Data Tunnel

Client Roams to a

Different AP


Roaming: Inter-Controller

• L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets

• Client must be re-authenticated and new security session established

• Client database entry copied to new controller – entry exists in both WLC client DBs

• Original controller tagged as the “anchor”, new controller tagged as the “foreign”

• WLCs must be in same mobility group or domain

• No IP address refresh needed

• Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0 release

• Account for mobility message exchange in network design

Lay

er 320


How Are We Going to Make Roaming Faster?

Eliminating the (re)IP address acquisition challenge

• Eliminating full 802.1X/EAP reauthentication

Focus on Where We Can Have the Biggest Impact

21


Fast Secure RoamingStandard Wi-Fi Secure Roaming

22

• 802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction

time of > 500 ms

• 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an

additional 500+ ms to the roamCisco AAA

Server

(ACS or

ISE)

WAN

AP1AP2

1. 802.1X Initial

Authentication

Transaction2. 802.1X

Reauthenti-

cation After

Roaming


Cisco Centralised Key Management (CCKM)

• Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially with application specific devices (ASDs)

• CCKM ported to CUWN architecture in 3.2 release

• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!

• CCKM is most widely implemented in ASDs, especially VoWLAN devices

• To work across WLCs, WLCs must be in the same mobility group

• CCX-based laptops may not fully support CCKM – depends on supplicant capabilities

• CCKM is standardised in 802.11r, Apple iOS 6.0, iOS 7.0

23


802.11r Introduction

• IEEE Standard for Fast Roaming – CCKM / OKC.

• Introduces a new concept of roaming where the handshake with the new AP is done even before the client roams to the target AP.

• The initial handshake allows the client and APs to do PTK calculation in advance, thus reducing roaming time.

• The pre-created PTK keys are applied to the client and AP once the client does the re-association request / response exchange with new target AP.

• 802.11r provides 2 ways of roaming:1) Over-the-Air

2) Over-the-DS (Distribution System)

• The FT (Fast Transition) key hierarchy is designed to allow the client to make fast BSS transitions between APs without the need to re-authenticate at every AP.

• WLAN configuration will have new AKM type called FT (Fast Transition)

24


802.11r – Fast Transition (FT)WLAN Authentication ConfigurationLegacy clients may not associate with a WLAN that has 802.11r enabled along with 802.11i. If the driver or the supplicant that is responsible for parsing the Robust Security Network Information Element (RSN IE) is old and confused by the additional AKM (Authentication Key Management) suites advertised in the IE (IE48), the driver will not attempt to start the association process.

Due to this limitation, legacy clients cannot send association requests to WLANs with a FT PSK or FT 802.1x configuration.

These legacy clients, however, can still associate with non-802.11r WLANs.

Therefore the recommendation is to have a new unique WLAN. With unique SSIDs for the addition 802.11r FT WPA clients. And an additional WLAN for the 802.11r FT 802.1x clients. 25

An iPhone with 6.0 or 7.0 iOS could Authenticate to

WLAN with both of these

AKM’s. But because of

legacy clients this is NOT

recommended.

A non-6.0/7.0 iOS client can’t

associate.

© 2015 Cisco and/or its affi liates. All rights reserved.Presentation_ID Cisco Public

Multiple WLANs for Multiple Auth Types Each with a Unique SSID

802.1x & 802.1x FT WLANs Unique SSIDs

26

PSK & PSK FT WLANs With Unique SSIDs


Client AP Selection 11k AP Neighbour List

AP Channels RSSI

AP1 1 Highest

AP2 6

….. …

AP6 11 Low est

11

k N

eig

hb

our

req

ue

st

AP Channels RSSI

AP7 100 Highest

AP8 140

….. …

AP12 64 Low est

2.4 GHz 5 GHz

AP Neighbour Lists (Subset of 802.11k ) in 7.4

WLC recommends optimised list of up to 12 neighbouring Aps (6 per band) as roaming candidates

Recommendation based on RRM information

Supported by clients with 802.11k ( Apple) or CCXv4 support

Client only needs to scan those limited channels instead of the full set of Wi-Fi channels => Saves Power , faster roams

Wi-Fi Alliance Voice-Enterprise support mandates

Only supported on indoor 802.11n / 802.1ac AP’s27


The 11k Neighbour List

• The 11k neighbour list– 11k list generated dynamically on demand and not maintained on the WLC

– 11k list is tailored by the clients location without requiring an MSE• Two clients on the same WLC but different APs can have different neighbour lists delivered

depending on their individual relationship to the surrounding Aps

• Default, only the neighbour in the same band

• Apple devices will only send a request for a neighbour list after association on APs that advertise the RRM capabilities IE in the beacon

• The returned neighbour list shows the BSSID and RSSI of the neighbouringradios

– Biased to prefer AP’s on same floor uses Prime information on floor

– Checks with neighbour list AP’s to see if client has been seen in last 55 seconds if not biases the RSSI for the AP to -120

29


CCX Neighbour Neighbour List

• The CCX provides its own table for AP neighbour of a max of 7 neighbours

• This table is imported from the RRM based on two timers, a refresh timer and a "settle" timer.

• Similar to 802.11k neighbour optimisationalgorithm but done without client probe request and supplied per AP not per client.

• Provides a subset of the neighbour list optimisation provided with 802.11k

30


Assisted Roaming for non-11k Clients• Similar to Aggressive Load Balancing

– Configured global or per WLAN

– Denial count: maximum number of times a client will be refused association

– Prediction threshold: minimum number of entries in the prediction list to activate

• Utilises the 11k generated neighbour list capabilities to optimise roaming for non-11k clients with predicted neighbour list for each client without the need for client sending a 11k neighbour list request.

• Discourages clients from roaming to less desirable neighbours by denying association if the association request to an AP does not match the entries on the prediction neighbour list

— Similar to load balancing, with a CCX status code 0xCC will be sent the client for “Association denied due to non-optimised association”

• Since both Load Balancing and Assisted Roaming are designed to influence the AP a client associates with they can not both be enabled on the same WLAN at the same time

31


Client Roaming Decision Tree

33

http://support.apple.com/en-us/HT203068

Roam Trigger

Roam Scan

Roam Candidate selection



Client Roaming Decision Tree (Testing)

34




RSSI Check

• RSSI Check to exclude clients from associating with weak RSSI

35


What can we do with 802.11v?

• An 802.11v capable client can send query frame to ask for a list of preferred APs.

• Scenarios: Client can send this query anytime to look for a better option of AP to associate to

Sent during client roaming for a faster roaming

• AP to Client:

– Send an unsolicited list of candidate neighbouring APs

– Warn/Inform the client that it will get disassociated

• Client:

– May include this information in its roaming decision

– Only Cisco aIOS WGBs support .11v, no other clients

New in

AireOS 8.1


How Can We Benefit From This?

• Better Load-balancing:In legacy load balancing, we sent the 802.11 error code 17 to passively discourage a client from joining a busy AP.

With 802.11v, BSS Transition can be triggered by load-balancing decisions. This allows for a more positive approach providing the Client with better AP options, and/or allow it to join momentarily with a warning that it will be disconnected shortly.

• Better OptimisedRoaming:The same idea can be applied to Optimised. Instead of flat disassociating the client, and 802.11v client can have a better treatment.


Designing a Mobility Group/Domain

• Less roaming is better – clients and apps are happier

• While clients are authenticating/roaming, WLC CPU is doing the processing –not as much of a big deal with latest controllers which has dedicated management/control processor

• L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size

• Leverage natural roaming domain boundaries

• Mobility Message transport selection: multicast vs. unicast

• Make sure the right ports and protocols are allowed

39


New Mobility and MC Support

40

• New mobility enables client to roam across AireOS and IOS based solutions in Central as well as Converged Access mode

• Client cannot roam across AireOS WLC1 configured with old mobility and another AireOS WLC2 configured with new mobility

• UA FCS - 5508 & WiSM2 can operate on 7.6 and 8.0

Mobility Group

Central: Any AireOS WLC

with AireOS 7.6

CA: WLC 5760 and 3850

with UA FCS

CA: 5760 & 3850 with UA FCS OR

5508 & WiSM2 with AireOS 7.6/8.0


New Mobility Configuration

• You have to change your mobility mode from Unified to Converged Access

41


Agenda





42


CUWN Release - Key Controller FeaturesAugust 2013

CUWN 7.5

Interoperability w ith

MSE 7.5, ISE 1.1, and 1.2, PI 1.4

Q4CY13

CUWN 7.6


MSE 7.6, ISE 1.2, PI 1.4x

Q2CY14

CUWN 8.0


MSE 8.0, ISE 1.2 and 1.3, PI 2.1

AP3600: 802.11ac

11ac: Wave 1 Module

AP3700: Integrated 802.11ac

Wave 1—Modular AP

Native IPv6 (Centralised Mode Only)

AP700 Support AP1532 (Centralised, Mesh, Bridge) Bonjour filter per location, AAA override (per user)

OEAP 600 Split Tunnelling AP1552: With Emerson Sensor Gatew ay AVC and Bonjour Policies with WLC Policy

Classification Engine

OEAP Support on vWLC 3G Small Cell Module: For AP3600 and AP3700 VideoStream for FlexConnect

Mesh support for FlexConnect

WLC 2500 High-Availability

Licensing SKU (N:1)

AP3702P (w ith StadiumVision Antennas) AP1600 CleanAir Express

Guest Anchor Controller for

WLC 8500

FQDN Pre-Auth ACL for Onboarding PMIPv6 MAG on AP

Profiling and Policy on WLC AP700W (Wall mount) FIPS, CC, UcAPL, USGv6

Client SSO Over Any L2 Connection AP 1570 11ac Outdoor AP (8.0MR1)

AVC and BSD (Phase 2) World Regulatory Domain (8.0MR1)

FlexConnect Additions:

PEAP/EAP-TLS

AAA ACL, and QoS 802.11w

iBeacon/BLE visibility & security: CleanAir + MSE

location Integration (MSE 10.x reqd.) (8.0MR1)


WLAN Controller Portfolio

Small-Midsize

Business/ Branch

Midsize-Large

Enterprise

Large Enterprise/

Large Branch

Large Enterprise-

Service Providers

APs:200

Virtual

APs:75

Link: 1 Gbps

2500

APs:500

Link: 8 Gbps

5508

APs:6000

Link: 1 Gbps

7500

APs:6000

Link: 10 Gbps

8500

APs:1000

Link: 20 Gbps

WiSM2

APs:1000

Link: 60 Gbps

5760

APs:500

Link: 40 Gbps

3850

APs:25

Link: 40 Gbps

3650


Comprehensive & Differentiated 11ac Portfolio

Indoor

MR34802.11ac

Outdoor

1570802.11ac | HDX

1700802.11ac

IndoorIndoor

2700802.11ac | HDX

Indoor

3700802.11ac | HDX | Modular

3600802.11n w/ 802.11ac Module

On-Premise Cloud-Managed

Same Price as

Competitors Entry 802.11ac with Better

Coverage

Enterprise & SP

Models – Most Power allowed by the FCC

for Range and

Coverage

NEW

NEW


Agenda





46


Best Practices For High Performance Mobile Infrastructure

Prioritise mission critical business applications over

personal applications

Application

Visibility & Control2.

App Engage

RF

Planning

High

Availability

RF

Optimisation

Engineer the WLAN for data, voice, video, location,

and client density

Optimise Gigabit Wi-Fi as primary connectivity – Gig

Ethernet as fallback

Replicate the High Availability of the LAN on

the WLAN

802.11ac : -65 to -67 RSSI10 – 20% cell overlap

1 AP / 2500 sq ft

Cisco CleanAirClientlink

RRM

LAN SSO – Edge, Core, DistiWLAN SSO – Client, AP,

Controller

Cisco AVC– Identify, Prioritise, Control Apps

across LAN, WLAN


Deploying the Cisco Unified Wireless Architecture

• High Availability (AP and Client SSO)

• RF Optimisation - AP Groups / RF Groups / HDX

• Local Profiling and Policy Classification

• Application Visibility Control

• IPv6 Deployment with Controllers

• Branch Office Designs

48


Centralised Mode HA

49

N+1 Redundancy(Deterministic/Stateless HA,

a.k.a.: primary/secondary/tertiary)

Each Controller has to be

configured separately

Available on all controllers

Crosses L3 boundaries

Flexible: 1:1, N:1, N:N

HA-SKU available (> 7.4)

AP SSO(SSID stateful switchover)

Release: 7.3 and 7.4

WLC: 5508, WiSM2, 7500, 8510

Direct physical connection

Same HW and SW

1:1 box redundancy

AP state is synched

No SSID downtime

HA-SKU available (> 7.4)

Client SSO

Minimum release: 7.5

WLC: 5508, WiSM2, 7500, 8510

L2 connection

Same HW and software

1:1 box redundancy

Active Client State is synched

AP state is synched

No Application downtime

HA-SKU available

Requirements Benefits

Netw

ork

Up

tim

e


Controller Redundancy

• Redundant WLC in a geographically separate location

• Layer-3 connectivity between the AP connected to primary WLC and the redundant WLC

• Redundant WLC need not be part of the same mobility group

• Configure high availability (HA) to detect failure and faster failover

• Use AP priority in case of over subscription of redundant WLC

50

APs Configured W ith:

Primary: WLAN-Controller-1Secondary: WLAN-Controller-BKP


Primary: WLAN-Controller-2Secondary: WLAN-Controller-BKP


Primary: WLAN-Controller-nSecondary: WLAN-Controller-BKP

WLAN-Controller-1

WLAN-Controller-2

WLAN-Controller-n

WLAN-Controller-BKP

NOC or Data Centre


Controller Redundancy – High Availability

• High Availability Principles : AP is registered with a WLC and maintain a backup list of WLC.

AP use heartbeats to validate WLC connectivity

AP use Primary Discovery message to validate backup WLC list

When AP loose 3 heartbeats it start join process to first backup WLC candidate

Candidate Backup WLC is the first alive WLC in this order : primary, secondary, tertiary, global primary, global secondary.

AP does not re-initiate discovery process.

51

Primary WLC

Secondary WLC

New Timers 7.2

Heartbeat Timeout 1-30 secs

Fast Heartbeat Timer 1-10 secs

AP Retransmit Interval 2-5 secs

AP Retransmit w ith FH Enabled 3-8 Times

AP Fallback to next WLC 12 secs


HA-SKU as Secondary WLC - Configuration

52


Stateful Switchover (SSO)

53

• True Box to Box High Availability i.e. 1:1– One WLC in Active state and second WLC in Hot Standby state

– Secondary continuously monitors the health of Active WLC via dedicated link

• Configuration on Active is synched to Standby WLC– This happens at startup and incrementally at each configuration change on the Active

• What else is synched between Active and Standby?

– AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO

– Active Client State in 7.5: client will not disconnect – Client SSO

• Downtime during failover reduced to 5 - 1000 msec depending on Failover

– In the case of power failure on the Active WLC it may take 350-500 msec

– In case of network failover it can take up to few seconds

• SSO is supported on 5500 / 7500 / 8500 / WiSM-2 and 5760

For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html

http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html


STANDBY

Redundancy Link Established

(Over dedicated Redundancy Port)

AP and Client info SyncKeep-Alive failure/Notify Peer

Client session intact.

Does not re-associate

Client

Associate

AP Join

AP session intact. Does

not re-establish

capwap

CLIENT SSO

Effective downtime for client is

Detection time + Switchover time

Switch

Redundancy Role Negotiation

ACTIVE

SSO Failover Sequence

ACTIVE


Redundancy PortActive Controller

Hot Stand-by Controller

Active Controller

Hot Stand-by Controller

RP 1

RP 2

Redundancy

Port Connectivity

High Availability (AP and Client SSO)

• 5500/7500/8500 WLC have dedicated Redundancy Port which is used to sync configuration from Active to Standby WLC

• Keepalives are sent on RP port from Standby to Active WLC every100 msec (default timer) to check the health of Active WLC.

• ICMP packets are also sent everyone second from each WLC to check reachability to gatewayusing Redundant Management interface (RMI)

55

Flex 7500 or WLC 8500

WLC 5500


• Model is 1:1 (Active : Hot-Standby)

• Supported on 5500 / 7500 / 8500 and WiSM-2

• Same hardware and software version

• Two new interfaces

• Redundancy Port

• Redundancy Management Interface

• Same management IP on Active and Standby

• Static & dynamic system configurations synced

to standby.

• AP information synced to the standby.• Synced when AP Joins or it’s configuration changes.

• AP CAPWAP re-join is avoided on switchover.

• Detection time : 5-996 msec for box failover , 3-4

seconds for management gateway failover

• Back-to-back Connectivity on the Redundancy

Port between the two WLCs

• Clients are de-authenticated on failover ; forced to

re-associate

High Availability AP SSO Support 7.3/7.4

Effective service downtime – Detection time + Switch Over Time

(Network recovery/convergence) + Client re-association time


Web-GUI Configuration

57


1. Two 5508 , 7500 or 8500 connected via back-to-back RP port in the same data centre

2. Two 5508 , 7500 or 8500 connected via RP port over L2 VLAN/fibre in the same or different data centre

3. Two 5508, 7500 or 8500 connected to a VSS pair.

1. Two WiSM-2 on the same chassis

2. Two WiSM-2 on different chassis with redundancy VLAN extended over L2 network

3. Two WiSM-2 on different chassis in VSS mode

Supported HA Topologies – 7.6 and above

58


WLC 5508/7500/8500 Back-to-back RP ConnectivityConfiguration on Primary WLC:

• configure interface address management

9.5.56.2 255.255.255.0 9.5.56.1

• configure interface address

redundancy-management 9.5.56.10

peer-redundancy-management

9.5.56.11

• configure redundancy unit primary

• configure redundancy mode sso

Configuration on Hot Standby WLC:


9.5.56.3 255.255.255.0 9.5.56.1



peer-redundancy-management 9.5.56.10

• configure redundancy unit secondary

• configure redundancy mode ssoManagement GW is monitored with 12 pings ( ~15 sec)

59


WLC 5508/7500/8500 RP Connectivity via Switches

. RTT Latency : 80 ms or less default ; Bandwidth: 60 Mbps or more ; MTU: 1500

Configuration on Primary WLC:


9.5.56.2 255.255.255.0 9.5.56.1



peer-redundancy-management

9.5.56.11

• configure redundancy unit primary


Configuration on Hot Standby WLC:


9.5.56.3 255.255.255.0 9.5.56.1



peer-redundancy-management 9.5.56.10

• configure redundancy unit secondary


60


WiSM-2 connectivity over L2 Redundancy VLAN

Configuration on Cat6k

wism service-vlan 192 ( service port VLAN )

wism redundancy-vlan 169 ( redundancy port VLAN )

wism module 6 controller 1 allowed-vlan 24-38 (data

VLAN )

61


• 5500 / 7500 / 8500 : RP Connectivity between Active and Standby

Via Switches ( 7.6 or 8.0 )

Back-to-back ( 7.3, 7.4, 7.6 )

• WiSM-2 : single 6500 chassis OR different chassis using VSS setup/extending redundancy VLAN.

• RTT latency on Redundancy Link : 80 milliseconds or less. 80% of keepalive timer.

• Preferred MTU on Redundancy Link : 1500 or above.

• Bandwidth on Redundancy Link : 60Mbps or more.

• Recommended to have Redundancy Link and RMI Connectivity between WLCs on different switches

or on different L2 networks

• Keepalive/Peer Discovery timers should be left with default timer values for better performance

• Default box failover detection time is 3 *100 = 300+60 = 360 +jitter (12 msec)= ~400 msec

SSO Behaviour and Recommendations

62


• Active – Standby 1:1

Redundancy

• Both WLC share IP Address of management interface

• Bulk and Incremental ConfigSync

• APs does not go in Discovery state when Active WLC fails

• Supported on 5500 / 7500 / 8500 and WiSM-2 WLC

• Downtime 5 - 1000 msec in case of Box failover , ~3 seconds in case of Network Issues

• Auto-recovery from maintenance

mode once Peer-RP and default

gateway reach-ability is restored

• SSO Support for Internal DHCP

Server

• SSO support for sleeping clients

• SSO support for OEAP 600

• CAC method Bandwidth allocation parameters for both voice & video and Call Statistics synced to the Standby

• GW reach-ability check mechanism enhanced to avoid false positives

• Peer RMI ICMP ping replaced with UDP messages

• Faster HA Pair-up

• Active – Standby can be

geographically separated over L2

VLAN/Fibre

• Client database is synced to the

Standby

– Client information is

synced when client

moves to RUN state.

– Client re-association is

avoided on switch over

• Fully authenticated clients(RUN

state) are synced to the peer

• Effective service downtime =

Detection time + Switch Over

Time (Network

recovery/convergence)

Phase 1 : APSSO

7.3

Phase 2 : Client SSO

7.6

Phase 3 : Improvements

8.0

63









64


AP-Groups - Default AP-Group

• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group

• Default AP-Group cannot be modified

• APs with no assignment to an specific AP-Group will use the Default AP-Group

• The 17th and higher WLAN (WLAN IDs 17 and up) can be assigned to any AP-Groups

• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups

• WLC 2504 (AP groups:50),WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 & 8500 (AP Groups : 500)

65


AP-Grouping in Campus

66

Data CentreWAN Internet

Access

Distribution

Core

Distribution

Access

SiSi SiSi SiSi SiSi SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

WLC-2WLC-1

VLAN 100 / 21

CAPWAP

Single SSID =

Employee

VLAN 100 VLAN 100 VLAN 100


AP-Grouping in Campus

67


Access

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

AP-Group-2 AP-Group-3AP-Group-1

WLC-2WLC-1

VLAN 80 /23VLAN 70 /23VLAN 60 /23

VLAN 100

/21

CAPWAP

VLAN 60

VLAN 70 VLAN 80

Single SSID =

Employee


Network Name

Default AP Group

Only WLANs 1–16 Will Be Added in

Default AP Group

Default AP-Group

68


AP Group 1

AP Group 2

AP Group 3

Multiple AP-Groups

69


RF-Profiles

• RF Profiles allow the administrator to tune groups of AP’s sharing a common coverage zone together.– Selectively changing how RRM will operate the AP’s within that coverage zone

• RF Profiles are created for either the 2.4 GHz radio or 5GHz radio– Profiles are applied to groups of AP’s belonging to an AP Group, in which all AP’s in

the group will have the same Profile Settings

• There are two components to this feature:– RF Profile – New in 7.2 providing administrative control over:

• Min/Max TPC values• TPCv1 Threshold • TPCv2 Threshold• Data Rates• High Density • Client Load Balancing

70


RF Profiles – RRM – Create

• RF Tuning parameters can be applied through profiles assigned in AP groups

• 2 Profiles per AP group – 1 ea. 2.4 and 5 GHz

• Profiles must be applied on ALL WLC’s from which AP’s will be assigned (same as AP Group)

• Permits control of granular groups of AP’s

• We love it…

71

Wireless=>RF Profiles


Profiles : Granular Control

72

Data Rates

Load Balancing

TPC, DCA, Coverage Hole

High Density


WHY– DCA in RF Profiles

• Multi Country Support – one AP group per country- each with a defined channel list in RF Profiles

• Managing mixed channel (802.11n/ac 40/80 MHz) environment

• Channel assignment by physical area –engineering on the 2nd floor, accounting on the first floor, you want engineering to limit their impact

• Conference Centre – allows the assignment of channel ranges to individual vendors and creation of buffer zones on main network to isolate


RRM DCA in RF Profiles – The Rules

• The country code must be set on the controller to allow other reg. domain channels.

• Channels must be selected under Global DCA on the controller to be available in profiles

• You must disable 802.11a/b networks to change DCA channels or Bandwidth (20/40/80)

• You can have a different assignment for bandwidth in an RF Profile than you have in Global

• RF Profiles, and AP groups must be present on every controller that has an AP you want to include in the AP group.


Profiles – Applied Through AP Groups

75

Create Profiles

Create or edit AP Groups

Apply Profiles (2.4/5 Ghz) to AP groups

Assign AP’s


RF-Profile in Campus

76


Access

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

RF-Profile-2 RF-Profile-3RF-Profile-1

WLC-2WLC-1

VLAN 80 /23

VLAN 81 /23

VLAN 70 /23

VLAN 71 /23

VLAN 60 /23

VLAN 61 / 23

LWAPP/CAPWAP

VLAN 60

VLAN 61VLAN 70VLAN 71

VLAN 80VLAN 81

Single SSID =

Employee


Cisco High Density Experience (HDX)

*Future

Cisco CleanAir® 80Mhz

Optimised Roaming

Turbo Performance

Cisco ClientLink 3.0

Noise Reduction*


Optimised AP Roaming

Makes sure users on the move associate to the AP with the strongest signal for best performance


Cisco CleanAir 80 MHz Technology

Automatically Detect Wi-Fi interference

Automatically Identify Wi-Fi interference

Automatically Classify Wi-Fi interference

Automatically Mitigate Wi-Fi Interference


CleanAir 80 MHz

High-resolution interference detection and unique classification logic

built-in to Cisco’s Wi-Fi chip design.

Detect, Identify, and

Classify Interference

• Automatically Detect, Identify, and Classify interferers

• Constantly Monitor Air Quality

Microwav

e

63

Rogue

AP

100Wireless

Phone

67

Security

Cameras

90

Bluetooth

Headset

63


Cisco ClientLink 3.0 Technology:Advanced Beamforming Technology Improves Wireless Client Performance

Significantly improves a wireless device’s overall

connection quality and performance

Intelligently shapes and directs each packet to a

wireless device based on its current location

Enhances downstream performance for improved user

experience









82


Local Profiling and Policy Classification

ISE offers rich set of BYOD features: e.g. device identification, onboarding, posture and policy

Customers not deploying ISE but requiring subset of ISE features

Native profiling of end devices based on MAC OUI, HTTP, DHCP

Device-based policies enforcement per user or per device policy


OUI

Username

Policy Classification

User Role

Device type MAC

VLAN ACLSession timeout

Time of Day

QoS

User-Role

Student Teacher

Admin

Identity

John

Device Type


Configuring Client Profiles

• Client profiling uses pre-existing profiles in the controller– Custom profiles are not supported in this release

• Wireless clients are profiled based on the MAC OUI, DHCP,HTTP user agent– DHCP is required for DHCP profiling, Webauth for HTTP user agent

• 8.0 release contains 156 pre-existing profiles:

(Cisco Controller) >show profiling policy summary

Number of Builtin Classification Profiles: 156ID Name Parent Min CM Valid

==== ================================================ ====== ====== =====

0 Android None 30 Yes

1 Apple-Device None 10 Yes

2 Apple-MacBook 1 20 Yes

3 Apple-iPad 1 20 Yes

4 Apple-iPhone 1 20 Yes

…/…85


Local Client Profiling Configuration

• At the WLAN level, enable Local Client Profiling (DHCP and HTTP)– DHCP required is checked automatically when selecting DHCP profiling

config wlan profiling {local | radius} {dhcp | http | all} <wlan ID>

(Cisco Controller) >config wlan profiling local all enable 186


Client Profiles in 7.6 and Above

• When profiling is enabled, a client Device Type can be shown on WLAN.

87


Update Devices that are Profiled

• In 8.0, WLC supports profiling 156 types of devices

• New Devices are constantly developed

• This feature allows Device Profiles and OUI Updates to update the list of supported

devices on the WLC


OUI Update• OUI list supported by IEEE

• List is located at http://standards.ieee.org/develop/regauth/oui/oui.txt

• Must be saved as a .txt file

• Update does not require WLC reboot

http://standards.ieee.org/develop/regauth/oui/oui.txt









91


What is the Need for Application Visibility and Control?

92

Who are the top 10 users?

What are the top 10

applications?

How much traffic is

BYOD generating on my

network?

Is someone running Bit-

torrent and bringing down my business

applications?

Should I add

more APs to

enhance the

capacity?

Devices Apps

http://images.google.fr/imgres?imgurl=http://www.clikphoto.com/2003/Customers/images/Siebel.Logo.JPG&imgrefurl=http://www.clikphoto.com/2003/Customers/links.html&usg=__dY-YhzjlqXwgaBUa3GI7LkIC8nE=&h=137&w=363&sz=4&hl=fr&start=1&sig2=jRZ_dNmSZXrDAJLEkmINsA&um=1&tbnid=q54bb4J2TD1_uM:&tbnh=46&tbnw=121&prev=/images?q=siebel+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=CeHBSv6xGdi7jAfDrYHfBQ

http://images.google.fr/imgres?imgurl=http://www.clikphoto.com/2003/Customers/images/Siebel.Logo.JPG&imgrefurl=http://www.clikphoto.com/2003/Customers/links.html&usg=__dY-YhzjlqXwgaBUa3GI7LkIC8nE=&h=137&w=363&sz=4&hl=fr&start=1&sig2=jRZ_dNmSZXrDAJLEkmINsA&um=1&tbnid=q54bb4J2TD1_uM:&tbnh=46&tbnw=121&prev=/images?q=siebel+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=CeHBSv6xGdi7jAfDrYHfBQ

http://images.google.fr/imgres?imgurl=http://elbconsultingllc.com/images/SAP-Logo.jpg&imgrefurl=http://elbconsultingllc.com/index.html&usg=__ttrD8hVR0ZecJBAgUc1jjcxqsZQ=&h=551&w=945&sz=36&hl=fr&start=1&sig2=eDSzYadbfwaGzGedWvK1-g&um=1&tbnid=9f5hdQ6CnNYH3M:&tbnh=86&tbnw=148&prev=/images?q=sap+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=reDBSv2WCZa7jAfWrvXgBQ


http://images.google.fr/imgres?imgurl=http://www.nowhereelse.fr/wp-content/docs/youtube-logo5.jpg&imgrefurl=http://www.nowhereelse.fr/youtube-live-video-streaming-12525/&usg=__MyBsEJIR3joE8gm-rBq5Wel1qGA=&h=428&w=570&sz=33&hl=fr&start=1&sig2=z2krQGjzyqJMHPDfVwLLvg&um=1&tbnid=RKDnixEb39ds5M:&tbnh=101&tbnw=134&prev=/images?q=video+streaming+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=0czJSp79EcSD4QaBkoTHAQ


http://images.google.fr/imgres?imgurl=http://4.bp.blogspot.com/_UZImdYAiry8/Sb9qYmN0llI/AAAAAAAAPtc/a_qXEx69CB0/s400/oracle_logo.jpg&imgrefurl=http://vectorlogo.blogspot.com/2009/03/oracle-logo-eps.html&usg=__TTg6bQ4L8aDCa2kKWUD3Q4YWewM=&h=161&w=400&sz=7&hl=fr&start=3&sig2=xj4d94noyf1kS0Adw6tzJA&um=1&tbnid=LLEUA6II6jNxiM:&tbnh=50&tbnw=124&prev=/images?q=oracle+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=FeHBSvDVKsjKjAeGsfDoBQ

http://images.google.fr/imgres?imgurl=http://4.bp.blogspot.com/_UZImdYAiry8/Sb9qYmN0llI/AAAAAAAAPtc/a_qXEx69CB0/s400/oracle_logo.jpg&imgrefurl=http://vectorlogo.blogspot.com/2009/03/oracle-logo-eps.html&usg=__TTg6bQ4L8aDCa2kKWUD3Q4YWewM=&h=161&w=400&sz=7&hl=fr&start=3&sig2=xj4d94noyf1kS0Adw6tzJA&um=1&tbnid=LLEUA6II6jNxiM:&tbnh=50&tbnw=124&prev=/images?q=oracle+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=FeHBSvDVKsjKjAeGsfDoBQ


Application Visibility & Control• Offering Wired and Wireless Application Insight and Control

ISR G2 Routers

ASR

Cisco Prime

or Third Party

Netflow Collector

NAM

WLAN Controllers93


What is Application Visibility & Control?On Wireless Controllers

NBAR2 LIBRARY

Deep Packet inspection

NETFLOW (STATIC

TEMPLATE) provides Flow Export

POLICY

Packet Mark / Drop / Rate-Limit

Traffic

CISCO PRIME

TROUBLESHOOTINGCAPACITY

PLANNINGCOMPLIANCE

THIRD PARTY

NETFLOW COLLECTOR

VoiceVideo

Best-Effort

Background

Don’t Allow

Rate Limiting

Available in AireOS Version 8.0






Identify Applications using NBAR2

Application Visibility and Control on WLC

95

Voice

Video

Best-Effort

Background

Client Traffic

Control Application Behaviour

Don’t Allow

Rate Limiting






AVC Feature Background and Equipment Requirement

• AVC works on traffic from Cisco APs in “Local Mode”, FlexConnect central switching and OEAP traffic.

• AVC is based on port, destination and heuristics which allows reliable packet classification with deep visibility.

• AVC looks into the initial setup of the client flow (first 10-20 packets) so loading on the controller system is minimal.

• Available for all current generation Cisco controllers supporting v7.4 and above– Cisco 2504, 5508, WiSM2, Flex 7500 and 8500

• Software release 8.1 adds AVC support to FlexConnect

96


Different Application Types that AVC Can Recognise

• The library within AVC includes web-based, real-time, voice, video, and enterprise applications of all types.

URL/HTTP(S) Based Application

Non-HTTP

Applications

Enterprise

Applications

97


Most popular ports: 6881-6889

Random High Order ports: e.g. 56233

DHT Handshake pattern

TCP and UDP payload bytes

Detect BitTorrent client behaviour:• uTorrent• BitComet

• Azureus

• LibTorrent

NBAR2

Stateless L4 Port based

Stateful (flow based) L7 Signatures

MPE (Multi packet engine)

Behavioural classification

Deep Packet

Inspection

How Does AVC Classify Applications: Peer to Peer

98


How Does AVC Classify Applications: Cisco Jabber

Three classifications flows for Cisco Jabber

Cisco Jabber VideoCisco Jabber Audio Cisco Jabber Control

Different Policies for different

components of a Jabber Session


How Does AVC Classify Applications: MS Lync

Three classifications flows for Microsoft Lync

MS-Lync-Video

(Desktop Sharing, Chat)

MS-Lync Media

(Audio and Video Flows)MS-Lync File Transfer

Different Policies for different

components of a Lync Session

100


Enabling Application Visibility and Control• AVC is enabled per WLAN to Allow Deep Packet Inspection

101

Change the QoS level to

reflect the highest

application level for that

SSID

1

Enable Application Visibility

2

Ensure WMM is set to

“Allowed” or “Required”

3


Basic Application Visibility Added on the Controller Home Screen

102

Top Applications Show Sorted by

Bytes

Use “Monitor” ->

“Applications” to View

More Statistics


Viewing Real-Time Statistics• Use for Assessing Current Usage or Troubleshooting

103

Application Usage Displayedby % of Total Bytes for Last 90 Seconds

Average Packet Size to See Small vs. Large Packet Flows

Real Time Stats (Last 90 Seconds)


Viewing Historical Statistics• Use for Assessing Overall Usage

104

Cumulative Statistics Application Usage Displayed

by % of Total Bytes

Total Bytes Transferred – Useful for Tracking Down

Bandwidth Hogs


AVC Application List• 1039 Applications Can be Detected by Default

105


Configuring AVC Profiles• Choosing an Application Group and Application

106

Application Group

Application


Application Control

107

Med

Control application usage and

performance

Control

Low

High

Medium

Low

AVC Profile – Rate Limit Facebook

AVC Profile – Drop Bit torrentAVC Profile – Mark Citrix1 2

3

Available in AireOS Version 8.0


Policy tie-in with AVCUser-aware and Device-aware

User-role aware

Device-aware

Application-based Policies

Per WLAN

WLC v7.4 and later

WLC v8.0

Alice cannot access Netflix but Bob can even though both are employees connecting to same SSIDAlice can access EHS records on (IT provisioned) Windows Laptop but cannot on personal (unsecure) iPad

35


Teacher

YouTube

YouTube Facebook bittorrent

Student

Cisco-av-pair=avc-profile-name=<avc profile on wlc>AAAWLC

Switch

AP

SSID: Classroom

Security:WPA2/802.1x

Cisco-av-pair=role=<role name>

Skype

Facebook Skype BitTorrent

10

9

AVC Profile Per User Device

Teacher Network Student Network


Applying AVC Profiles

110

Create AVC Profile for Applications at Wireless > AVC Apply AVC Profile to WLAN

Maximum 32 Rules can be created per AVC Profile

For YourReference

Apply AVC Profile per client using AAA Override

(Radius Server)

Apply AVC Profile per client using Local profiling on

WLC

1

2 3








111



Wireless IPv6 Support - 7.2

• In releases 7.2, the controller now processes ICMPv6 messages allowing for optimised delivery, Layer 3 mobility and first hop security.

CAPWAP Tunnel

IPv6 ICMPv6 multicast messages

are unicast to each client at high

data rates.

IPv6 ICMPv6 messages are

interpreted by the controller and

forwarded only as needed.

112


8.0 IPv6 Overview

CAPWAPv6

Tunnel

IPv4 Client

802.11

IPv6 Client

802.11

IPv6

802.11

IPv4

CAPWAPv6

Ethernet

IPv6IPv4

VLAN

Ethernet

Mgmt: 2001:db8:a::2/64

10.10.10.2

IP: 2001:db8:a:5/64

SNMP Server, Syslog Server, tftp/ftp/scp Server

IP: 2001:db8:a:7/64

Radius Server

2001:db8:a:0:1827:91bf:c41b:9683

2001:db8:a:0:8a56:caff:1547:9150

IP: 2001:db8:a:6/64

NTP Server

IPv4/v6 router

2001:db8:a::1/64

10.10.10.1

10.10.10.52

IPv6 Client

IPv4 Client

10.10.10.51

2001:db8:a:0:2329:9834:3231:1111

113


o ONE IPv6 address (+ LLA address) management solution

o Only IPv4 address support on Dynamic interfaces

o Only IPv4 Dynamic AP manager support

o Only IPv4 Redundancy-management/Redundancy port (HA interfaces are IPv4 only)

o Service-port can get an IPv6 address statically or using SLAAC (only SLAAC interface on WLC)

o LAG needed for IPv6 AP load balancing

o DHCPv6 Proxy not supported (ONLY IPv6 DHCP bridging support - like 7.6 legacy)

WLC IPv6 Address Overview

114


• WLC can be accessed from wired/wireless via its IPv6 Management Interface using:– telnet

– SSH

– HTTP

– HTTPS

Management Access (telnet, SSH, HTTP, HTTPS)

Mgmt: 2001:db8:a::2/64

10.10.10.2

115


• AP can get IPv6 addresses from state-full DHCPv6/SLAAC or static assignment

• If statically assigned, the gateway can be the unique global or Link-Local address of the router

• Either CAPWAPv4 or CAPWAPv6 can be used, but not both

• APs in bridge mode do not support CAPWAPv6

CAPWAPv6

116


• DHCPv6 Option 52 – OPTION_CAPWAP_AC_V6 (52) RFC 5417

– As part of the DHCPv6 Reply, the server will provide the IPv6 WLC management IPv6 address

– AP will begin unicast CAPWAP discovery

• Multicast discovery– Broadcast does not exist in IPv6

– Send CAPWAP discovery messages to "All ACs multicast address" (FF01::18C)

• Using DNS– Configure DNS server to resolve cisco-capwap-controller.domain-name

– domain-name should be returned from DHCPv6 server

• AP Priming– Preconfiguring the AP with a Primary, secondary, and tertiary IPv6 managed WLC

AP Discovery Mechanisms

117


• Management IP address must be reachable

• One entry per WLC

• The AP will join either IPv4 or IPv6 address of the WLC (regardless of management IP listed)

• All other AP Failover behaviour is the same as previous versions

AP Failover

WLC1 WLC2 WLC3

Primary: WLC1

Secondary: WLC2Tertiary: WLC3

Primary: WLC2


Primary: WLC3


118


• Virtual IP address is IPv4 only

• Uses IPv4-Mapped address for IPv6 web-authentication clients

• Virtual IP should be the same for all WLCs in the same mobility group

• For example the IPv6 address will display as [::ffff:192.0.2.1]

IPv6 Guest Access

119


Control and Management Protocols IPv6 Support

• Upload/Download using IPv6 with ftp/tftp/sftp

• RADIUSv6 Support

• TACACS+v6 Support

• NTPv3

• Syslog over IPv6

• SNMP Trap Receiver

• PINGv6

• IPv6 Guest Access


Wireless IPv6 client First Hop Security on WLAN

CAPWAPIPv4

IPv6

Ethernet

IPv6VLAN

Ethernet

IPv6

802.11802.11

CAPWAP

Tunnel

Router Advertisement

DHCP Server Advertisement

RA Guard - RA from client blocked at AP (Local and FlexConnect)

DHCP Server Guard

DHCP SA blocked at Wireless Controller

Using IPv6 ACL

Undesired IPv6

Addresses/Prefix Source Guard

121



• Understanding AP Groups / RF Groups





122



Branch Office with Local WLAN Controller

• Branches can also have local controllers

• Small or Mid-size Branch WLCs

– CT-2504,

– Integrated controller modules in ISR/ISR-G2

– Converged Access Cat-3850

• High-availability design with central backup controller is supported; WAN limitations may apply

Overview

Remote Site B

Remote Site A

WLC-25xx

WLCM for

ISR/ISR-G2

Backup Central

Controller

WAN

Central Site

Remote Site C

Cat-3850

CAPWAP


Branch Office with Local WLAN Controller

– Cookie cutter configuration for every branch site

– Layer-3 roaming within the branch

– IPv6 L3 Mobility

• Note: If you have ISR/ISR G2 at branch site then it is recommended to use the IOS Firewall at edge for unified access policies.

Advantages


Branch Office Deployment

• Hybrid architecture

• Single management and control point

• Data Traffic Switching

– Centralised traffic(split MAC)

– or

– Local traffic (local MAC)

• HA will preserve local traffic only

• Traffic Switching is configured per AP and per WLAN (SSID)

FlexConnect (HREAP)

WAN

Central Site

Remote Office

Centralised

Traffic

Centralised

Traffic

Local

Traffic


FlexConnect Glossary

Standalone Mode When FlexConnect AP cannot reach Controller, it goes into standalone state and does client authentication by itself.

Local Switching Data traffic switched onto local VLANs for an SSID

Central Switching Data traffic tunneled back to WLC for an SSID

Connected Mode When FlexConnect AP can reach Controller, it gets help from controller to complete client authentication.


Medium Branch – Up to 25 access pointsLocal Controller Onsite

Remote Site B

Remote Site A

WLC-25xx WLCM for

ISR/ISR-G2

Backup Central

Controller

WAN

Central Site

Remote Site C

Cat-3650

CAPWAPCisco 2500 Series Controller

Catalyst 3650

Virtual Controllers (vWLC)


FlexConnect Design Considerations

128

For YourReference

Deployment

Type

WAN

Bandwidth

(Min)

WAN RTT

Latency (Max)

Max APs per

BranchMax Clients per

Branch

Data 128 kbps 300 ms 5 25

Data+Voice 128 kbps 100 ms 5 25

Data 128 kbps 1 sec 1 1

Monitor 128 kbps 2 sec 5 N/A

Data 1.44 Mbps 1 sec 50 1000

Data+Voice 1.44 Mbps 100 ms 50 1000

Monitor 1.44 Mbps 2 sec 50 1000


• Smart AP Image Upgrade

• ACL’s on FlexConnect AP

• AAA Over-ride of VLAN -dynamic VLAN assignment for locally switched clients

• FlexConnect Re-branding

• Fast Roaming for Voice Clients

• Peer to Peer Blocking

• PEAP and EAP-TLS Support (7.5)

• FlexConnect Group specific WLAN-VLAN mapping(7.5)

• AAA Client ACL(7.5)

• Flex 7500 Scale Update

• VLAN Based Central Switching

• Split Tunnelling

• Central DHCP Processing

• WGB/uWGB Support withlocal switching

• Bidirectional Rate Limiting

• Support for ISE BYOD Registration & Provisioning

129

• Ethernet Fallback (7.6)

• Videostream for Local switching (8.0)

• Faster time to deploy (8.0)

• Flex with Mesh deployment support (8.0)

Flex – 7.2 Flex – 7.3 & 7.4 Flex – 7.6, 8.0

Bringing All Together – Best Practices

130


BE

ST

P

RA

CT

ICE

S (A

irO

S)

Make it Easy Make it work Make it performMake it Easy Make it Work Make it Perform

INF

RA

ST

RU

CT

UR

EEnable High Availability (AP and Client SSO)

Enable AP Failover Priority

Enable AP Multicast Mode

Enable Multicast VLAN

Enable Pre-image download

Enable AVC

Enable NetFlow

Enable Local Profiling (DHCP and HTTP)

Enable NTP

Modify the AP Re-transmit Parameters

Enable FastSSID change

Enable Per-user BW contracts

Enable Multicast Mobility

Enable Client Load balancing

Disable Aironet IE

FlexConnect Groups and Smart AP Upgrade

Enable 802.1x and WPA/WPA2 on WLANEnable 802.1x authentication for APChange advance EAP timers

Enable SSH and disable telnetDisable Management Over WirelessDisable WiFi Direct

Secure Web Access (HTTPS)Enable User PoliciesEnable Client exclusion policies

Enable rogue policies and Rogue Detection RSSIStrong password Policies Enable IDS

BYOD Timers

Set Bridge Group Name

Set Preferred ParentMultiple Root APs in each BGNSet Backhaul rate to "Auto"

Set Backhaul Channel Width to 40/80 MHzBackhaul Link SNR > 25 dBmAvoid DFS channels for Backhaul

External RADIUS server for Mesh MAC AuthenticationEnable IDS Enable EAP Mesh Security Mode

ME

SH

WIR

EL

ES

S /

RF

SE

CU

RIT

Y

Disable 802.11b data rates

Restrict number of WLAN below 4Enable channel bonding – 40 or 80 MHz Enable BandSelect

Use RF Profiles and AP GroupsEnable RRM (DCA & TPC) to be autoEnable Auto-RF group leader selection

Enable Cisco CleanAir and EDRRMEnable Noise &Rogue Monitoring on all channels Enable DFS channels

Avoid Cisco AP Load

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html

For YourReference


Best Practice Check PointsMeasuring Compliance

Free, cloud based service

Agentless – nothing to download

CAACisco

Active Advisor

2.

App Engage

WLCWLAN Express

Setup

7.6 MR2, 8.0, 8.1

WLCCAConfig

Analyser

WLC Upgrade Audit

Workflow

8.1

Best Practices defaults,RF Parameter Optimisation,

Network Profiles

Audit Page on Upgrade,One-click Fix It,

Manual Config Option

Windows Executable“show run-config” Based

Analyser Tool

Downloadable client

Configuration stays local

Simplified operational use to quickly identify and and fix problem areas

RF Health metrics, IOS Support, Mobility Group support

Cisco Personalised device health score

Compare your wireless network configuration to Cisco’s recommended best practices

Automated Inventory Management and Network Scanning

Compliance metric and reporting natively on WLC

Identify missing best practice configuration on upgrade

Easy one-click fix It option to turn on Best Practice Knobs

Restore Defaults to revert configuration to default

Optimum starting point at Day 0/1 network setup

RF parameter setting Ease of use

Enhanced performance, security, resiliency with best practice recommendations turned on boot up time


WLAN Express Setup

7.6 MR2, 8.0

7.6 MR2, 8.0

8.1


Best Practice Knobs

AVC Visibility

mDNS Snooping

New MDNS Profile for printer, http

Local Profiling

Band Select

DHCP Proxy

Secure Web access

Virtual IP 192.0.2.1

RRM-DCA Auto

RRM-TPC Auto

CleanAir Enabled

EDRRM Enabled

Channel Width 40 MHz

Aironet IE Disabled

Management over Wireless

WLC WLAN Express Setup Best Practices Day 0/1 Best Practice Knobs

2.4 Low Data Rates Disabled

Load Balancing

Rogue Threshold Enabled

Client Exclusion Enabled

FastSSID Enabled

Infra MFP

Multicast Forwarding Mode

SNMPv3 (delete default)

Mobility Name

RF Group same as Mobility Name

DHCP Required on Guest WLAN

5 GHz Channel Bonding

Optimum starting point at Day 0/1 network setup

RF parameter setting ease of use

Enhanced performance, security, resiliency with best practice recommendations turned on at boot up time

Save Time & Money

8.1

http://youtu.be/aNVM3rW-Zkchttps://www.youtube.com/watch?v=nGFH38peF-w

http://youtu.be/aNVM3rW-Zkc


WLC Upgrade Audit Workflow 8.1

Audit Upgrades

Compliance metric and reporting natively on WLC

Identify missing best practice configuration on upgrade

Easy one-click fix It option to turn on Best Practice Knobs

Restore Defaults to revert

configuration to default


• Best Practices categorisedinto

– General

– AP

– Mobility

– RF

– Security

– Voice

– Mesh

– Flex

• Per-Controller Compliance Level for Each category

• Total/Passed/Failed checks

WLC Config Analyser – Per Controller Compliance

0-40% Red

41-80% Yellow

81-100% Green


Config Analyser Best Practice Compliance with Express WLAN Setup

7.6 MR2 withoutExpress WLAN Setup

8.1 with Express WLAN Setup

Downloadable client

Configuration stays local

Simplified operational use to quickly identify and and fix

problem areas

RF Health metrics, IOS Support, Mobility Group support

Analyse & Mitigate

https://supportforums.cisco.com/document/7711/wlc-config-analyzer


Cisco Active Advisor (CAA) Personalised Health Score

Improve

Personalised device health score

Free, cloud-based service

Automatically takes an inventory of your Cisco network

www.CiscoActiveAdvisor.com

http://www.CiscoActiveAdvisor.com


Summary – Key Takeways

• Take advantage of the standards (CAPWAP, DTLS,802.11 i, e, k, r…..)

• Wide range of architecture / design choices

• Brand new controllers (WiSM-2, WLC 7500,WLC 8500, WLC 2504, Virtual WLC) portfolio with investment protection

• Take advantage of innovations from Cisco (11ac, CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc)

• Cisco’s investment into technology– Cisco Prime, ISE, New hardware, Cloud controller

139


Documentation Master Document Link - http://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-technical-reference-list.html

Best Practice Deployment Guide : http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html

AP700-W Deployment Guide - http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/702WAccessPointDG/CiscoAironetSeries_702w_AP_DG.html

Enterprise Best Practices for Apple Mobile Devices on Cisco Wireless LANs –http://www.cisco.com/en/US/docs/wireless/technology/vowlan/bestpractices/EntBP-

AppMobDevs-on-Wlans.html

AP3700 Deployment Guide - http://www.cisco.com/en/US/partner/docs/wireless/technology/apdeploy/7.6/Cisco_Aironet_3700AP.html

Virtual WLC Deployment Guide http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml

HA Deployment Guide http://www.cisco.com/en/US/partner/docs/wireless/controller/technotes/7.5/High_Availability_DG.html

Flex 7500 Deployment Guide http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

WLC8500 Deployment Guide: http://www.cisco.com/en/US/products/ps12722/products_tech_note09186a0080bd6504.shtml

WiSM-2 : http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bb2500.shtml

Bonjour Deployment Guide :http://www.cisco.com/en/US/docs/wireless/technology/bonjour/7.5/Bonjour_Gateway_Phase-2_WLC_software_release_7.5.html

Wireless Device Profiling and Policy Classification Engine on WLC, Release

7.5http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/NativeProfiling75.html

MSE Virtual Appliance Deployment Guide : http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml

IPv6 Deployment Guide http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml140

http://www.cisco.com/en/US/partner/docs/wireless/technology/apdeploy/7.6/Cisco_Aironet_3700AP.html

http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml

http://www.cisco.com/en/US/partner/docs/wireless/controller/technotes/7.5/High_Availability_DG.html

http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

http://www.cisco.com/en/US/products/ps12722/products_tech_note09186a0080bd6504.shtml

http://www.cisco.com/en/US/docs/wireless/technology/bonjour/7.5/Bonjour_Gateway_Phase-2_WLC_software_release_7.5.html

http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/NativeProfiling75.html

http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml


Give us your feedback and receive a

Cisco Live 2015 T-Shirt!

Complete your Overall Event Survey and 5 Session

Evaluations.

• Directly from your mobile device on the Cisco Live

Mobile App

• By visiting the Cisco Live Mobile Site

http://showcase.genie-connect.com/clmelbourne2015

• Visit any Cisco Live Internet Station located

throughout the venue

T-Shirts can be collected in the World of Solutions

on Friday 20 March 12:00pm - 2:00pm

Complete Your Online Session Evaluation

Learn online with Cisco Live! Visit us online after the conference for full

access to session videos and

presentations. www.CiscoLiveAPAC.com

http://showcase.genie-connect.com/clmelbourne2015

http://www.ciscoliveapac.com/

Thank you.

design and deployment of - alcatron.net live 2015 melbourne... · • cisco introduced cckm in...

Documents