#clmel
Design and Deployment of Enterprise WLANs
BRKEWN-2010
Sujit Ghosh
Sr. Mgr. Technical Marketing
© 2015 Cisco and/or its affiliates. All rights reserved. BRKEWN-2010 Cisco Public
Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
Cisco Unified Wireless Principles
• Components
  – Wireless LAN controllers (WLC)
  – Aironet access points (AP)
  – Management: Prime Infrastructure (PI)
  – Mobility Services Engine (MSE)
• Principles
  – AP must have CAPWAP connectivity with WLC
  – Configuration downloaded to AP by WLC
  – All Wi-Fi traffic is forwarded to the WLC
[Diagram: Wireless LAN Controllers, Aironet Access Point, Cisco Prime Infrastructure and MSE connected over the Campus Network]
Centralised Wireless LAN Architecture – What is CAPWAP?
• CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between APs and the WLAN controller; it is based on LWAPP
• CAPWAP carries control and data traffic between the two
  – Control plane is DTLS encrypted
  – Data plane is DTLS encrypted (optional)
• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
• CAPWAP is not supported in Layer 2 mode deployments
[Diagram: Access Point and CAPWAP Controller with separate Control Plane and Data Plane tunnels; Wi-Fi Client traffic to the Business Application passes through the controller]
CAPWAP State Machine
AP Boots Up → Discovery → DTLS Setup → Join → Image Data → Config → Run
Reset takes the AP out of Run and back to Discovery
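The Discovery and Join steps above run over UDP 5246 and, until DTLS Setup completes, in the clear, so a network monitor can see which APs are looking for a controller and what they ask for. The following Python parser for the CAPWAP transport and control headers (RFC 5415) is an added example for this deck, not Cisco code and not part of the presentation. The message-type table is a subset, the Discovery Request it builds is a constructed sample, and the header-size and element-length checks exist so that a collector never trusts a declared length over the actual buffer.

```python
import struct

CAPWAP_CONTROL_PORT = 5246   # UDP; Discovery, Join, Echo and the rest of the control plane
CAPWAP_DATA_PORT = 5247      # UDP; data plane
WBID_IEEE_80211 = 1          # Wireless Binding Identifier for IEEE 802.11

# Control message types, RFC 5415 section 4.5.1.1 (subset that matters for the join sequence)
MESSAGE_TYPES = {
    1: "Discovery Request", 2: "Discovery Response",
    3: "Join Request", 4: "Join Response",
    5: "Configuration Status Request", 6: "Configuration Status Response",
    13: "Echo Request", 14: "Echo Response",
    15: "Image Data Request", 16: "Image Data Response",
    17: "Reset Request", 18: "Reset Response",
    19: "Primary Discovery Request", 20: "Primary Discovery Response",
}


def build_control_message(msg_type, seq_num, elements=b"", radio_id=0):
    """Build a cleartext CAPWAP control datagram (transport header + control header + elements)."""
    hlen = 2  # header length in 4-byte words: no Radio MAC / Wireless Specific Information fields
    # 24 bits after the preamble: HLEN(5) RID(5) WBID(5) T F L W M K (1 each) Flags(3)
    bits = (hlen << 19) | (radio_id << 14) | (WBID_IEEE_80211 << 9)
    preamble = 0x00  # version 0, type 0 = plain CAPWAP header; type 1 = DTLS-wrapped
    transport = bytes([preamble]) + bits.to_bytes(3, "big") + struct.pack(">HH", 0, 0)
    # Control header: Message Type(32) Seq Num(8) Msg Element Length(16) Flags(8).
    # RFC 5415 section 4.5.1.3: the length counts the bytes after the Sequence Number
    # field, i.e. the Flags octet plus the message elements.
    control = struct.pack(">IBHB", msg_type, seq_num, 1 + len(elements), 0)
    return transport + control + elements


def parse_control_datagram(datagram):
    """Parse a datagram seen on UDP 5246. Raises ValueError on anything inconsistent,
    so a collector never walks past the buffer on the strength of a declared length."""
    if len(datagram) < 8:
        raise ValueError("shorter than the CAPWAP transport header")
    version, ptype = datagram[0] >> 4, datagram[0] & 0x0F
    if version != 0:
        raise ValueError("unknown CAPWAP version %d" % version)
    if ptype == 1:
        # A DTLS record follows: after DTLS Setup the control channel is opaque to an observer
        return {"dtls": True}
    if ptype != 0:
        raise ValueError("unknown preamble type %d" % ptype)
    bits = int.from_bytes(datagram[1:4], "big")
    header_len = ((bits >> 19) & 0x1F) * 4
    if header_len < 8 or header_len > len(datagram):
        raise ValueError("HLEN inconsistent with datagram size")
    frag_id, off_rsvd = struct.unpack(">HH", datagram[4:8])
    info = {
        "dtls": False,
        "radio_id": (bits >> 14) & 0x1F,
        "wbid": (bits >> 9) & 0x1F,
        "fragment": bool(bits & 0x80),          # F bit
        "last_fragment": bool(bits & 0x40),     # L bit
        "fragment_id": frag_id,
        "fragment_offset": off_rsvd >> 3,       # top 13 bits; the low 3 are reserved
    }
    body = datagram[header_len:]
    if info["fragment"] and info["fragment_offset"] != 0:
        info["payload"] = body                 # continuation fragment: no control header here
        return info
    if len(body) < 8:
        raise ValueError("control header truncated")
    msg_type, seq, elem_len, _flags = struct.unpack(">IBHB", body[:8])
    if elem_len < 1 or elem_len - 1 > len(body) - 8:
        raise ValueError("message element length exceeds datagram")
    info.update(
        message_type=msg_type,
        message_name=MESSAGE_TYPES.get(msg_type, "unknown"),
        sequence=seq,
        elements=body[8:8 + elem_len - 1],
    )
    return info


def is_malformed(datagram):
    """True when the parser rejects the datagram (a one-line rule for a monitoring pipeline)."""
    try:
        parse_control_datagram(datagram)
        return False
    except ValueError:
        return True


# Constructed sample: an empty Discovery Request, as an AP broadcasts before any DTLS session exists
SAMPLE_DISCOVERY_REQUEST = build_control_message(1, 0)

if __name__ == "__main__":
    print(SAMPLE_DISCOVERY_REQUEST.hex())
    print(parse_control_datagram(SAMPLE_DISCOVERY_REQUEST))
```

A datagram whose first byte has preamble type 1 is reported only as DTLS-wrapped: that is what the control plane looks like after the DTLS Setup state, and it is why Discovery and Join, which precede it, are the only steps a passive monitor can inspect.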
AP Controller Discovery
• Layer 2 join procedure attempted on LWAPP APs
  – (CAPWAP does not support Layer 2 APs)
  – Broadcast message sent to discover a controller on the local subnet
• Layer 3 join process on CAPWAP APs, and on LWAPP APs after Layer 2 fails
  – Previously learned or primed controllers
  – Subnet broadcast
  – DHCP option 43
  – DNS lookup
Efficient CAPWAP Operation
• Define DHCP scopes for the wireless access point devices:
  – Default router IP address for the access point scope
  – Helper address (forwarding UDP 5246 to the WLC's management interface)
  – Domain name
  – Appropriate DHCP lease timer for APs
  – Pool sizes for WLAN devices according to the different types of sites
• If NAT is used, static 1-to-1 NAT to an outside address is recommended
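To show what the DHCP-scope items above amount to on the wire, here is an added Python example (not from the slides or from Cisco) that encodes and decodes the Cisco vendor-specific part of DHCP option 43, which carries the WLC management addresses as sub-option 241 (0xF1, length 4×n, IPv4 addresses), renders it in the IOS "option 43 hex" form inside an "ip dhcp pool" stanza, and names the DNS fallback (CISCO-CAPWAP-CONTROLLER in the AP's DHCP-supplied domain). Pool name, subnet, domain and controller addresses are constructed values. Neither option 43 nor DNS authenticates the controller; the DTLS handshake at Join does, so the DHCP scope and DNS zone that steer APs are part of the WLAN's trust base and deserve the same change control as the controllers.

```python
import ipaddress

CAPWAP_CONTROL_PORT = 5246      # UDP port the helper address must forward for AP discovery
CISCO_WLC_SUBOPTION = 0xF1      # sub-option 241 inside DHCP option 43: list of WLC IPv4 addresses
DNS_DISCOVERY_LABEL = "CISCO-CAPWAP-CONTROLLER"   # APs resolve this name in their DHCP-supplied domain


def encode_option43(controllers):
    """Encode WLC management addresses as the Cisco vendor-specific TLV (type 0xF1, length 4*n, IPv4s)."""
    ips = [ipaddress.IPv4Address(c) for c in controllers]
    if not ips:
        raise ValueError("at least one controller address is required")
    value = b"".join(ip.packed for ip in ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a single sub-option")
    return bytes([CISCO_WLC_SUBOPTION, len(value)]) + value


def decode_option43(blob):
    """Walk the TLVs in an option 43 value and return the WLC addresses from sub-option 0xF1.
    Rejects truncated or misaligned data instead of guessing."""
    found = []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated TLV header")
        tag, length = blob[pos], blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the option")
        if tag == CISCO_WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("sub-option 241 must hold whole IPv4 addresses")
            found.extend(str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4))
        pos += 2 + length
    return found


def is_valid_option43(blob):
    try:
        decode_option43(blob)
        return True
    except ValueError:
        return False


def ios_hex(blob):
    """Render bytes in the dotted groups-of-four form IOS expects after 'option 43 hex'."""
    h = blob.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def dhcp_pool_config(name, network, mask, router, domain, controllers, lease_days):
    """Render an IOS 'ip dhcp pool' stanza covering the items from the scope checklist above."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f" network {network} {mask}",
        f" default-router {router}",
        f" domain-name {domain}",
        f" option 43 hex {ios_hex(encode_option43(controllers))}",
        f" lease {lease_days}",
    ])


# Constructed sample values (not from the slides)
SAMPLE_CONTROLLERS = ["10.10.10.10", "10.10.10.11"]
SAMPLE_POOL = dhcp_pool_config("AP-FLOOR1", "10.20.30.0", "255.255.255.0", "10.20.30.1",
                               "example.test", SAMPLE_CONTROLLERS, 7)

if __name__ == "__main__":
    print(SAMPLE_POOL)
    print(f"DNS fallback name: {DNS_DISCOVERY_LABEL}.example.test")
```

The decoder skips sub-options it does not know but refuses a sub-option 241 whose length is not a multiple of four, which is the usual symptom of a mistyped hex string in the pool.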
7.4, 7.6, 8.0? Which Version Should I Use?
Deployment   AireOS Release      MSE                Prime   ISE
802.11n      7.4.130.0 (MR3)     8.0.110.0 (MR1)    2.2     1.3
802.11ac     8.0.110.0 (MR1)     8.0.110.0 (MR1)    2.2     1.3
Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
Mobility Defined
• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving location in the networked environment
• Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!
• Mobility presents new challenges:
– Need to scale the architecture to support client roaming—roaming can occur intra-controller and inter-controller
– Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
• Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
• Support for up to 24 controllers, 24000 APs per mobility group
• Mobility messages exchanged between controllers
• Data tunneled between controllers in EtherIP (RFC 3378)
• 7.6 has the option of using EoIP or CAPWAP tunnels between controllers
[Diagram: three controllers peered with Ethernet-in-IP tunnels and exchanging mobility messages]
Controller     MAC                 Mobility Group Name   Mobility Group Neighbours
Controller-A   AA:AA:AA:AA:AA:01   MyMobilityGroup       Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)
Controller-B   AA:AA:AA:AA:AA:02   MyMobilityGroup       Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)
Controller-C   AA:AA:AA:AA:AA:03   MyMobilityGroup       Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)
Scaling the Architecture with Mobility Groups
• One WLC network → Mobility Group → Mobility Domain
• Up to 24 WLCs in a Mobility Group
• Up to 72 WLCs in a Mobility Domain (the diagram shows three Mobility Groups, one each on 7.4, 7.6 and 8.0)
• With Inter Release Controller Mobility (IRCM), roaming is supported between 7.4, 7.6 and 8.0
How Long Does an STA Roam Take?
• Time it takes for:
  – Client to disassociate +
  – Probe for and select a new AP +
  – 802.11 Association +
  – 802.1X/EAP Authentication +
  – Rekeying +
  – IP address (re)acquisition
• All this can be on the order of seconds… Can we make this faster?
Roaming Requirements
• Roaming must be fast… Latency can be introduced by:
  – Client channel scanning and AP selection algorithms
  – Re-authentication of client device and re-keying
  – Refreshing of IP address
• Roaming must maintain security
  – Open auth, static WEP: session continues on the new AP
  – WPA/WPAv2 Personal: new session key for encryption derived via standard handshakes
  – 802.1X, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and a new session key derived for encryption
How Are We Going to Make Roaming Faster?
• Eliminating the (re)IP address acquisition challenge
• Eliminating full 802.1X/EAP reauthentication
Focus on Where We Can Have the Biggest Impact
Intra-Controller Roaming: Layer 2 Roaming
[Diagram: WLC-1 and WLC-2, each with its own client database (client data: MAC, IP, QoS, security); mobility message exchange between the controllers; roaming data path on VLAN X as the client roams to a different AP]
• Client database entry updated with the new AP and the appropriate security context
• No IP address refresh needed
Client Roaming Between Subnets: Layer 3
[Diagram: WLC-1 (VLAN X) and WLC-2 (VLAN Z), each holding the client data (MAC, IP, QoS, security); pre-roaming data path through WLC-1; after the client roams to a different AP, mobility message exchange tags WLC-1 as the Anchor Controller and WLC-2 as the Foreign Controller, with a data tunnel between them]
Roaming: Inter-Controller
• L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and client traffic is bridged onto different subnets
• Client must be re-authenticated and a new security session established
• Client database entry copied to the new controller; the entry exists in both WLC client DBs
• Original controller tagged as the “anchor”, new controller tagged as the “foreign”
• WLCs must be in the same mobility group or domain
• No IP address refresh needed
• Symmetric traffic path established; the asymmetric option was eliminated as of the 6.0 release
• Account for mobility message exchange in network design
Fast Secure Roaming – Standard Wi-Fi Secure Roaming
• 802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms
• 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam
[Diagram: AP1 and AP2 reaching the Cisco AAA Server (ACS or ISE) across the WAN; 1. 802.1X initial authentication transaction; 2. 802.1X reauthentication after roaming]
Cisco Centralised Key Management (CCKM)
• Cisco introduced CCKM in CCXv2 (pre-802.11i), so widely available, especially with application specific devices (ASDs)
• CCKM ported to CUWN architecture in 3.2 release
• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
• CCKM is most widely implemented in ASDs, especially VoWLAN devices
• To work across WLCs, WLCs must be in the same mobility group
• CCX-based laptops may not fully support CCKM – depends on supplicant capabilities
• CCKM’s approach is standardised as 802.11r, supported in Apple iOS 6.0 and iOS 7.0
802.11r Introduction
• IEEE standard for fast roaming (the standards-based counterpart of CCKM / OKC)
• Introduces a new concept of roaming where the handshake with the new AP is done even before the client roams to the target AP
• The initial handshake allows the client and APs to do the PTK calculation in advance, thus reducing roaming time
• The pre-created PTK keys are applied to the client and AP once the client does the re-association request / response exchange with the new target AP
• 802.11r provides 2 ways of roaming:
  1) Over-the-Air
  2) Over-the-DS (Distribution System)
• The FT (Fast Transition) key hierarchy is designed to allow the client to make fast BSS transitions between APs without the need to re-authenticate at every AP
• WLAN configuration will have a new AKM type called FT (Fast Transition)
802.11r – Fast Transition (FT) WLAN Authentication Configuration
Legacy clients may not associate with a WLAN that has 802.11r enabled along with 802.11i. If the driver or the supplicant that is responsible for parsing the Robust Security Network Information Element (RSN IE) is old and is confused by the additional AKM (Authentication and Key Management) suites advertised in the IE (IE 48), the driver will not attempt to start the association process.
Due to this limitation, legacy clients cannot send association requests to WLANs with an FT PSK or FT 802.1X configuration.
These legacy clients, however, can still associate with non-802.11r WLANs.
Therefore the recommendation is to create a new, unique WLAN with its own SSID for the additional 802.11r FT WPA clients, and an additional WLAN for the 802.11r FT 802.1X clients.
[Screenshot: WLAN with both AKMs enabled. An iPhone with iOS 6.0 or 7.0 could authenticate to a WLAN with both of these AKMs, but because of legacy clients this is NOT recommended. A non-6.0/7.0 iOS client can’t associate.]
Multiple WLANs for Multiple Auth Types, Each with a Unique SSID
• 802.1X and 802.1X-FT WLANs with unique SSIDs
• PSK and PSK-FT WLANs with unique SSIDs
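The legacy-client problem above is visible in the beacon: the RSN IE (element ID 48) lists every AKM suite the WLAN accepts, and an FT WLAN merged with a non-FT one advertises both. The following Python is an added example (not from the slides or from Cisco) that builds and parses the RSN IE per IEEE 802.11 and flags a mixed FT/non-FT AKM list on one SSID, the configuration the recommendation avoids. The WPA2-PSK sample IE is a constructed byte string, the suite-name tables cover only the common selectors, and the SSID names in the sample audit are made up.

```python
import struct

RSN_IE_ID = 48                      # element ID of the RSN IE ("IE 48" on the slide)
RSN_OUI = b"\x00\x0f\xac"           # IEEE 802.11 suite-selector OUI
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
FT_AKMS = {3, 4, 9}


def build_rsn_ie(akms, pairwise=(4,), group=4, capabilities=0):
    """RSN IE layout: version, group cipher, pairwise list, AKM list, capabilities (counts little-endian)."""
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(RSN_OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", capabilities)
    return bytes([RSN_IE_ID, len(body)]) + body


def _suite_list(body, pos):
    """Read a 2-byte count followed by 4-byte suite selectors, with bounds checks."""
    if pos + 2 > len(body):
        raise ValueError("truncated suite count")
    count = struct.unpack_from("<H", body, pos)[0]
    pos += 2
    if pos + 4 * count > len(body):
        raise ValueError("suite count exceeds element length")
    suites = [(body[pos + 4 * i:pos + 4 * i + 3], body[pos + 4 * i + 3]) for i in range(count)]
    return suites, pos + 4 * count


def parse_rsn_ie(ie):
    if len(ie) < 2 or ie[0] != RSN_IE_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a complete RSN IE")
    body = ie[2:]
    if len(body) < 6:
        raise ValueError("RSN IE body too short")
    version = struct.unpack_from("<H", body, 0)[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = (body[2:5], body[5])
    pairwise, pos = _suite_list(body, 6)
    akms, pos = _suite_list(body, pos)
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else None

    def name(table, suite):
        oui, typ = suite
        if oui != RSN_OUI:
            return "vendor-%s-%d" % (oui.hex(), typ)
        return table.get(typ, "unknown-%d" % typ)

    return {
        "group": name(CIPHER_NAMES, group),
        "pairwise": [name(CIPHER_NAMES, s) for s in pairwise],
        "akms": [name(AKM_NAMES, s) for s in akms],
        "akm_types": [typ for oui, typ in akms if oui == RSN_OUI],
        "capabilities": caps,
    }


def is_malformed_rsn_ie(ie):
    try:
        parse_rsn_ie(ie)
        return False
    except ValueError:
        return True


def ft_mix_finding(ssid, ie):
    """Flag the configuration the slides warn against: FT and non-FT AKMs advertised on one SSID."""
    types = set(parse_rsn_ie(ie)["akm_types"])
    ft, legacy = types & FT_AKMS, types - FT_AKMS
    if not (ft and legacy):
        return None

    def label(ts):
        return sorted(AKM_NAMES.get(t, str(t)) for t in ts)

    return ("%s advertises %s together with %s; older supplicants may refuse to associate. "
            "Put the FT AKMs on their own SSID." % (ssid, label(ft), label(legacy)))


def audit(beacons):
    """Run the check over {ssid: rsn_ie} and return the findings."""
    findings = []
    for ssid, ie in beacons.items():
        finding = ft_mix_finding(ssid, ie)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: a plain WPA2-PSK (CCMP) RSN IE as seen in a beacon, capabilities 0x000c
SAMPLE_WPA2_PSK_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0c00")

if __name__ == "__main__":
    print(parse_rsn_ie(SAMPLE_WPA2_PSK_IE))
    print(audit({"corp": build_rsn_ie([1, 3]), "corp-ft": build_rsn_ie([3]), "guest": SAMPLE_WPA2_PSK_IE}))
```

The bounds checks in the parser are not decoration: a suite count that runs past the element length is exactly the kind of malformed IE that confuses an old driver, and a tool that walks beacons should refuse it rather than read past the buffer.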
Client AP Selection: 11k AP Neighbour List
Neighbour list returned to the client in response to an 11k neighbour request:
2.4 GHz                          5 GHz
AP     Channel   RSSI            AP     Channel   RSSI
AP1    1         Highest         AP7    100       Highest
AP2    6         …               AP8    140       …
…      …         …               …      …         …
AP6    11        Lowest          AP12   64        Lowest
• AP Neighbour Lists (subset of 802.11k) in 7.4
• WLC recommends an optimised list of up to 12 neighbouring APs (6 per band) as roaming candidates
• Recommendation based on RRM information
• Supported by clients with 802.11k (Apple) or CCXv4 support
• Client only needs to scan those limited channels instead of the full set of Wi-Fi channels => saves power, faster roams
• Mandated for Wi-Fi Alliance Voice-Enterprise support
• Only supported on indoor 802.11n / 802.11ac APs
The 11k Neighbour List
• The 11k neighbour list
  – 11k list generated dynamically on demand and not maintained on the WLC
  – 11k list is tailored to the client’s location without requiring an MSE
    • Two clients on the same WLC but different APs can have different neighbour lists delivered, depending on their individual relationship to the surrounding APs
  – By default, only neighbours in the same band are returned
• Apple devices will only send a request for a neighbour list after association on APs that advertise the RRM capabilities IE in the beacon
• The returned neighbour list shows the BSSID and RSSI of the neighbouring radios
  – Biased to prefer APs on the same floor, using floor information from Prime
  – Checks with the neighbour-list APs whether the client has been seen in the last 55 seconds; if not, biases the RSSI for that AP to -120
CCX Neighbour List
• CCX provides its own AP neighbour table with a maximum of 7 neighbours
• This table is imported from the RRM based on two timers, a refresh timer and a "settle" timer
• Similar to the 802.11k neighbour optimisation algorithm, but done without a client probe request and supplied per AP, not per client
• Provides a subset of the neighbour list optimisation provided with 802.11k
Assisted Roaming for non-11k Clients
• Similar to Aggressive Load Balancing
  – Configured globally or per WLAN
  – Denial count: maximum number of times a client will be refused association
  – Prediction threshold: minimum number of entries in the prediction list to activate
• Utilises the 11k-generated neighbour list capabilities to optimise roaming for non-11k clients, with a predicted neighbour list for each client, without the client needing to send an 11k neighbour list request
• Discourages clients from roaming to less desirable neighbours by denying association if the association request to an AP does not match the entries on the predicted neighbour list
  – Similar to load balancing: CCX status code 0xCC is sent to the client for “Association denied due to non-optimised association”
• Since both Load Balancing and Assisted Roaming are designed to influence the AP a client associates with, they cannot both be enabled on the same WLAN at the same time
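To make the neighbour-list rules concrete (same band by default, same-floor preference, RSSI biased to -120 when a radio has not heard the client in 55 seconds, 6 entries per band) together with the assisted-roaming gate (denial count, prediction threshold, CCX status 0xCC), here is an added Python example; it is not Cisco's implementation and not part of the slides. The size of the other-floor penalty (20 dB), the radios, the sightings and the MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass

STALE_AFTER_S = 55                 # from the slide: not heard in the last 55 seconds
STALE_RSSI = -120                  # from the slide: RSSI biased to -120 for such APs
MAX_PER_BAND = 6                   # from the slide: up to 6 candidates per band
CCX_STATUS_NON_OPTIMISED = 0xCC    # "Association denied due to non-optimised association"


@dataclass(frozen=True)
class Radio:
    bssid: str
    channel: int
    band: str        # "2.4" or "5"
    floor: str       # floor id as Prime Infrastructure would map it


@dataclass(frozen=True)
class Sighting:
    rssi: int        # dBm at which this radio last heard the client
    last_seen: float # epoch seconds of that measurement


def build_neighbour_list(client_band, client_floor, radios, sightings, now,
                         other_floor_penalty_db=20, max_entries=MAX_PER_BAND):
    """Per-client neighbour list: same band only, same-floor preference, stale radios pushed to -120.
    The 20 dB other-floor penalty is an assumed value; the slide gives no number."""
    candidates = []
    for r in radios:
        if r.band != client_band:
            continue
        s = sightings.get(r.bssid)
        if s is None or now - s.last_seen > STALE_AFTER_S:
            rssi = STALE_RSSI
        else:
            rssi = s.rssi - (other_floor_penalty_db if r.floor != client_floor else 0)
        candidates.append((r.bssid, r.channel, rssi))
    candidates.sort(key=lambda c: c[2], reverse=True)   # stable sort: ties keep input order
    return candidates[:max_entries]


class AssistedRoaming:
    """Association gate for non-11k clients, driven by the predicted neighbour list."""

    def __init__(self, denial_count=3, prediction_threshold=3):
        self.denial_count = denial_count
        self.prediction_threshold = prediction_threshold
        self._denials = {}   # client MAC -> consecutive refusals

    def check_association(self, client_mac, target_bssid, predicted):
        """Return (accept, status); status is CCX 0xCC when the request is refused."""
        predicted_bssids = {bssid for bssid, _ch, _rssi in predicted}
        if len(predicted_bssids) < self.prediction_threshold:
            return True, None        # too few entries: the feature stays inactive for this client
        if target_bssid in predicted_bssids:
            self._denials.pop(client_mac, None)
            return True, None
        refused = self._denials.get(client_mac, 0)
        if refused >= self.denial_count:
            self._denials.pop(client_mac, None)
            return True, None        # denial count exhausted: let the client in
        self._denials[client_mac] = refused + 1
        return False, CCX_STATUS_NON_OPTIMISED


# Constructed sample (not from the slides)
NOW = 1_700_000_000.0
CLIENT_MAC = "d4:f4:6f:00:00:01"
SAMPLE_RADIOS = [
    Radio("00:11:22:33:44:a1", 36, "5", "F2"),
    Radio("00:11:22:33:44:a2", 40, "5", "F2"),
    Radio("00:11:22:33:44:a3", 44, "5", "F3"),    # one floor up
    Radio("00:11:22:33:44:a4", 48, "5", "F2"),    # has not heard the client for two minutes
    Radio("00:11:22:33:44:b1", 6, "2.4", "F2"),   # other band: excluded by default
    Radio("00:11:22:33:44:a6", 149, "5", "F2"),
    Radio("00:11:22:33:44:a7", 153, "5", "F2"),
    Radio("00:11:22:33:44:a8", 157, "5", "F2"),
]
SAMPLE_SIGHTINGS = {
    "00:11:22:33:44:a1": Sighting(-55, NOW - 5),
    "00:11:22:33:44:a2": Sighting(-62, NOW - 10),
    "00:11:22:33:44:a3": Sighting(-50, NOW - 3),
    "00:11:22:33:44:a4": Sighting(-45, NOW - 120),
    "00:11:22:33:44:b1": Sighting(-40, NOW - 1),
    "00:11:22:33:44:a6": Sighting(-70, NOW - 20),
    "00:11:22:33:44:a7": Sighting(-75, NOW - 2),
    "00:11:22:33:44:a8": Sighting(-80, NOW - 8),
}


def sample_neighbour_list():
    return build_neighbour_list("5", "F2", SAMPLE_RADIOS, SAMPLE_SIGHTINGS, NOW)


if __name__ == "__main__":
    for entry in sample_neighbour_list():
        print(entry)
```

Note that the strongest raw signal in the sample (radio a4 at -45 dBm) drops out of the list entirely because it has not heard the client recently, which is the point of the 55-second check: the list reflects where the client actually is, not where a radio was loudest a while ago.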
Client Roaming Decision Tree
• Roam Trigger
• Roam Scan
• Roam Candidate Selection
Reference (Apple iOS roaming behaviour, also used for the roaming tests): http://support.apple.com/en-us/HT203068
RSSI Check
• RSSI Check to exclude clients from associating with weak RSSI
What can we do with 802.11v?
• An 802.11v-capable client can send a query frame to ask for a list of preferred APs
• Scenarios:
  – Client can send this query at any time to look for a better AP to associate to
  – Sent during client roaming for faster roaming
• AP to client:
  – Send an unsolicited list of candidate neighbouring APs
  – Warn/inform the client that it will be disassociated
• Client:
  – May include this information in its roaming decision
  – Only Cisco autonomous IOS WGBs support 802.11v; no other clients do
New in AireOS 8.1
How Can We Benefit From This?
• Better load balancing: in legacy load balancing, we sent the 802.11 error code 17 to passively discourage a client from joining a busy AP. With 802.11v, a BSS Transition can be triggered by load-balancing decisions. This allows for a more positive approach, providing the client with better AP options and/or allowing it to join momentarily with a warning that it will be disconnected shortly.
• Better Optimised Roaming: the same idea can be applied to Optimised Roaming. Instead of flatly disassociating the client, an 802.11v client can be given better treatment.
Designing a Mobility Group/Domain
• Less roaming is better – clients and apps are happier
• While clients are authenticating/roaming, the WLC CPU is doing the processing; less of an issue with the latest controllers, which have a dedicated management/control processor
• L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size
• Leverage natural roaming domain boundaries
• Mobility Message transport selection: multicast vs. unicast
• Make sure the right ports and protocols are allowed
New Mobility and MC Support
• New mobility enables clients to roam across AireOS and IOS based solutions in Central as well as Converged Access mode
• A client cannot roam between an AireOS WLC1 configured with old mobility and another AireOS WLC2 configured with new mobility
• UA FCS: 5508 & WiSM2 can operate on 7.6 and 8.0
[Diagram: one Mobility Group containing Central: any AireOS WLC with AireOS 7.6; CA: WLC 5760 and 3850 with UA FCS; CA: 5760 & 3850 with UA FCS or 5508 & WiSM2 with AireOS 7.6/8.0]
New Mobility Configuration
• You have to change your mobility mode from Unified to Converged Access
Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
CUWN Release – Key Controller Features
• CUWN 7.5 (August 2013): interoperability with MSE 7.5, ISE 1.1 and 1.2, PI 1.4
• CUWN 7.6 (Q4 CY13): interoperability with MSE 7.6, ISE 1.2, PI 1.4x
• CUWN 8.0 (Q2 CY14): interoperability with MSE 8.0, ISE 1.2 and 1.3, PI 2.1
Key features across 7.5, 7.6 and 8.0:
• AP3600: 802.11ac Wave 1 module
• AP3700: integrated 802.11ac Wave 1, modular AP
• Native IPv6 (Centralised mode only)
• AP700 support; AP1532 (Centralised, Mesh, Bridge); Bonjour filter per location; AAA override (per user)
• OEAP 600 split tunnelling; AP1552 with Emerson sensor gateway; AVC and Bonjour policies with the WLC Policy Classification Engine
• OEAP support on vWLC; 3G small cell module for AP3600 and AP3700; VideoStream for FlexConnect
• Mesh support for FlexConnect
• WLC 2500 High-Availability licensing SKU (N:1)
• AP3702P (with StadiumVision antennas); AP1600 CleanAir Express
• Guest Anchor Controller for WLC 8500
• FQDN pre-auth ACL for onboarding; PMIPv6 MAG on AP
• Profiling and policy on WLC; AP700W (wall mount); FIPS, CC, UC APL, USGv6
• Client SSO over any L2 connection; AP1570 11ac outdoor AP (8.0 MR1)
• AVC and BSD (Phase 2); World Regulatory Domain (8.0 MR1)
• FlexConnect additions: PEAP/EAP-TLS, AAA ACL and QoS; 802.11w
• iBeacon/BLE visibility & security: CleanAir + MSE location integration (MSE 10.x required) (8.0 MR1)
WLAN Controller Portfolio
Segments: Small-Midsize Business / Branch; Midsize-Large Enterprise; Large Enterprise / Large Branch; Large Enterprise / Service Providers
Platform   APs     Link
Virtual    200     -
2500       75      1 Gbps
5508       500     8 Gbps
7500       6000    1 Gbps
8500       6000    10 Gbps
WiSM2      1000    20 Gbps
5760       1000    60 Gbps
3850       500     40 Gbps
3650       25      40 Gbps
Comprehensive & Differentiated 11ac Portfolio
Indoor (on-premise)
• 1700: 802.11ac (entry 802.11ac with better coverage)
• 2700: 802.11ac | HDX
• 3700: 802.11ac | HDX | Modular (NEW)
• 3600: 802.11n with 802.11ac module
Outdoor (on-premise)
• 1570: 802.11ac | HDX (NEW; enterprise & SP models, most power allowed by the FCC for range and coverage)
Cloud-managed
• MR34: 802.11ac
Positioned at the same price as competitors
Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
Best Practices For High Performance Mobile Infrastructure
• RF Planning: engineer the WLAN for data, voice, video, location and client density
  – 802.11ac: -65 to -67 dBm RSSI, 10–20% cell overlap, 1 AP / 2500 sq ft
• RF Optimisation: optimise Gigabit Wi-Fi as primary connectivity, with Gigabit Ethernet as fallback
  – Cisco CleanAir, ClientLink, RRM
• High Availability: replicate the high availability of the LAN on the WLAN
  – LAN SSO: edge, core, distribution; WLAN SSO: client, AP, controller
• Application Visibility & Control: prioritise mission-critical business applications over personal applications
  – Cisco AVC: identify, prioritise and control apps across LAN and WLAN
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Local Profiling and Policy Classification
• Application Visibility Control
• IPv6 Deployment with Controllers
• Branch Office Designs
Centralised Mode HA
N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary)
  Requirements: each controller has to be configured separately; available on all controllers
  Benefits: crosses L3 boundaries; flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)
AP SSO (SSID stateful switchover)
  Requirements: release 7.3 and 7.4; WLC 5508, WiSM2, 7500, 8510; direct physical connection; same HW and SW; 1:1 box redundancy
  Benefits: AP state is synched; no SSID downtime; HA-SKU available (> 7.4)
Client SSO
  Requirements: minimum release 7.5; WLC 5508, WiSM2, 7500, 8510; L2 connection; same HW and software; 1:1 box redundancy
  Benefits: active client state is synched; AP state is synched; no application downtime; HA-SKU available
[Diagram axis: Network Uptime, increasing from N+1 Redundancy through AP SSO to Client SSO]
Controller Redundancy
• Redundant WLC in a geographically separate location
• Layer-3 connectivity between the APs connected to the primary WLC and the redundant WLC
• Redundant WLC need not be part of the same mobility group
• Configure high availability (HA) for failure detection and faster failover
• Use AP priority in case of oversubscription of the redundant WLC
[Diagram: WLAN-Controller-1, WLAN-Controller-2 … WLAN-Controller-n, each with its APs configured with Primary: that controller and Secondary: WLAN-Controller-BKP; WLAN-Controller-BKP sits in the NOC or Data Centre]
Controller Redundancy – High Availability
• High Availability principles: the AP is registered with a WLC and maintains a backup list of WLCs
  – AP uses heartbeats to validate WLC connectivity
  – AP uses Primary Discovery messages to validate the backup WLC list
  – When the AP loses 3 heartbeats it starts the join process to the first backup WLC candidate
  – The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary
  – The AP does not re-initiate the discovery process
[Diagram: AP with Primary WLC and Secondary WLC]
New Timers (7.2)
Heartbeat Timeout                 1-30 secs
Fast Heartbeat Timer              1-10 secs
AP Retransmit Interval            2-5 secs
AP Retransmit with FH Enabled     3-8 times
AP Fallback to next WLC           12 secs
HA-SKU as Secondary WLC - Configuration
Stateful Switchover (SSO)
• True box-to-box high availability, i.e. 1:1
  – One WLC in Active state and the second WLC in Hot Standby state
  – Secondary continuously monitors the health of the Active WLC via a dedicated link
• Configuration on the Active is synched to the Standby WLC
  – This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
  – AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
  – Active client state in 7.5: clients will not disconnect – Client SSO
• Downtime during failover reduced to 5 - 1000 msec depending on the type of failover
  – In the case of power failure on the Active WLC it may take 350-500 msec
  – In the case of network failover it can take up to a few seconds
• SSO is supported on 5500 / 7500 / 8500 / WiSM-2 and 5760
For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
SSO Failover Sequence
[Diagram, ACTIVE and STANDBY controllers: Redundancy Role Negotiation → Redundancy Link Established (over dedicated Redundancy Port) → AP Join → Client Associate → AP and Client info Sync → Keep-Alive failure / Notify Peer → Switch: the STANDBY becomes ACTIVE. AP session intact, does not re-establish CAPWAP; client session intact, does not re-associate]
CLIENT SSO: effective downtime for the client is Detection time + Switchover time
High Availability (AP and Client SSO)
[Diagram: Active Controller and Hot Stand-by Controller connected through the Redundancy Port (RP 1, RP 2); shown for WLC 5500 and for Flex 7500 / WLC 8500]
• 5500/7500/8500 WLCs have a dedicated Redundancy Port which is used to sync configuration from the Active to the Standby WLC
• Keepalives are sent on the RP port from the Standby to the Active WLC every 100 msec (default timer) to check the health of the Active WLC
• ICMP packets are also sent every second from each WLC to check reachability to the gateway using the Redundant Management Interface (RMI)
High Availability – AP SSO Support 7.3/7.4
• Model is 1:1 (Active : Hot-Standby)
• Supported on 5500 / 7500 / 8500 and WiSM-2
• Same hardware and software version
• Two new interfaces
  – Redundancy Port
  – Redundancy Management Interface
• Same management IP on Active and Standby
• Static & dynamic system configurations synced to the standby
• AP information synced to the standby; synced when an AP joins or its configuration changes
• AP CAPWAP re-join is avoided on switchover
• Detection time: 5-996 msec for box failover, 3-4 seconds for management gateway failover
• Back-to-back connectivity on the Redundancy Port between the two WLCs
• Clients are de-authenticated on failover; forced to re-associate
Effective service downtime = Detection time + Switch Over Time (Network recovery/convergence) + Client re-association time
Web-GUI Configuration
Supported HA Topologies – 7.6 and above
WLC 5508, 7500 or 8500:
1. Two 5508, 7500 or 8500 connected via back-to-back RP port in the same data centre
2. Two 5508, 7500 or 8500 connected via RP port over L2 VLAN/fibre in the same or different data centre
3. Two 5508, 7500 or 8500 connected to a VSS pair
WiSM-2:
1. Two WiSM-2 on the same chassis
2. Two WiSM-2 on different chassis with the redundancy VLAN extended over the L2 network
3. Two WiSM-2 on different chassis in VSS mode
WLC 5508/7500/8500 Back-to-back RP Connectivity
Configuration on Primary WLC:
  config interface address management 9.5.56.2 255.255.255.0 9.5.56.1
  config interface address redundancy-management 9.5.56.10 peer-redundancy-management 9.5.56.11
  config redundancy unit primary
  config redundancy mode sso
Configuration on Hot Standby WLC:
  config interface address management 9.5.56.3 255.255.255.0 9.5.56.1
  config interface address redundancy-management 9.5.56.11 peer-redundancy-management 9.5.56.10
  config redundancy unit secondary
  config redundancy mode sso
Management GW is monitored with 12 pings (~15 sec)
WLC 5508/7500/8500 RP Connectivity via Switches
• RTT latency: 80 ms or less (default); bandwidth: 60 Mbps or more; MTU: 1500
• The Primary and Hot Standby WLC configuration is the same as for back-to-back RP connectivity: management interface, redundancy-management and peer-redundancy-management addresses, redundancy unit primary/secondary, redundancy mode sso
WiSM-2 Connectivity over L2 Redundancy VLAN
Configuration on Cat6k:
  wism service-vlan 192                             (service port VLAN)
  wism redundancy-vlan 169                          (redundancy port VLAN)
  wism module 6 controller 1 allowed-vlan 24-38     (data VLANs)
SSO Behaviour and Recommendations
• 5500 / 7500 / 8500: RP connectivity between Active and Standby
  – Via switches (7.6 or 8.0)
  – Back-to-back (7.3, 7.4, 7.6)
• WiSM-2: single 6500 chassis, or different chassis using a VSS setup / extending the redundancy VLAN
• RTT latency on the Redundancy Link: 80 milliseconds or less (80% of the keepalive timer)
• Preferred MTU on the Redundancy Link: 1500 or above
• Bandwidth on the Redundancy Link: 60 Mbps or more
• Recommended to have Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks
• Keepalive / peer discovery timers should be left at their default values for better performance
• Default box failover detection time: 3 keepalive intervals × 100 msec = 300 msec, + 60 msec = 360 msec, + jitter (12 msec) ≈ 400 msec
Phase 1: AP SSO (7.3)
• Active – Standby 1:1 redundancy
• Both WLCs share the IP address of the management interface
• Bulk and incremental config sync
• APs do not go into the Discovery state when the Active WLC fails
• Supported on 5500 / 7500 / 8500 and WiSM-2 WLCs
• Downtime 5 - 1000 msec in case of box failover, ~3 seconds in case of network issues
Phase 2: Client SSO (7.6)
• Active – Standby can be geographically separated over L2 VLAN/fibre
• Client database is synced to the Standby
  – Client information is synced when the client moves to the RUN state
  – Client re-association is avoided on switchover
• Fully authenticated clients (RUN state) are synced to the peer
• Effective service downtime = Detection time + Switch Over Time (Network recovery/convergence)
Phase 3: Improvements (8.0)
• Auto-recovery from maintenance mode once Peer-RP and default gateway reachability is restored
• SSO support for the internal DHCP server
• SSO support for sleeping clients
• SSO support for OEAP 600
• CAC method bandwidth allocation parameters for both voice & video and call statistics synced to the Standby
• GW reachability check mechanism enhanced to avoid false positives
• Peer RMI ICMP ping replaced with UDP messages
• Faster HA pair-up
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Local Profiling and Policy Classification
• Application Visibility Control
• IPv6 Deployment with Controllers
• Branch Office Designs
AP-Groups - Default AP-Group
• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
• The default AP-Group cannot be modified
• APs with no assignment to a specific AP-Group use the default AP-Group
• The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
• Maximum AP groups: WLC 2504: 50; WLC 5508 and WiSM-2: 500; WLC 7500 and 8500: 500
AP-Grouping in Campus (diagram, before AP-Groups)
Campus network with Data Centre, WAN and Internet blocks; WLC-1 and WLC-2 sit in the data centre on VLAN 100 /21; access-layer APs join over CAPWAP and a single SSID "Employee" maps to VLAN 100 at every AP.
AP-Grouping in Campus (diagram, with AP-Groups)
Same campus; the APs are split into AP-Group-1, AP-Group-2 and AP-Group-3, and the single SSID "Employee" is mapped to VLAN 60 /23, VLAN 70 /23 and VLAN 80 /23 respectively, while the WLCs stay on VLAN 100 /21.
Default AP-Group (screenshot): the WLAN's Network Name appears under the Default AP Group; only WLANs 1–16 are added to the Default AP Group.
Multiple AP-Groups (screenshot): AP Group 1, AP Group 2 and AP Group 3 defined alongside the default group.
RF-Profiles
• RF Profiles allow the administrator to tune groups of APs sharing a common coverage zone together
– Selectively changing how RRM will operate the APs within that coverage zone
• RF Profiles are created for either the 2.4 GHz radio or the 5 GHz radio
– Profiles are applied to groups of APs belonging to an AP Group, in which all APs in the group will have the same profile settings
• There are two components to this feature:
– RF Profile – new in 7.2, providing administrative control over:
• Min/Max TPC values
• TPCv1 threshold
• TPCv2 threshold
• Data rates
• High density
• Client load balancing
RF Profiles – RRM – Create (Wireless => RF Profiles)
• RF tuning parameters can be applied through profiles assigned in AP groups
• 2 profiles per AP group – one each for 2.4 and 5 GHz
• Profiles must be applied on ALL WLCs from which APs will be assigned (same as AP Groups)
• Permits control of granular groups of APs
• We love it…
Profiles: Granular Control
• Data Rates
• Load Balancing
• TPC, DCA, Coverage Hole
• High Density
WHY – DCA in RF Profiles
• Multi-country support – one AP group per country, each with a defined channel list in RF Profiles
• Managing a mixed-channel (802.11n/ac 40/80 MHz) environment
• Channel assignment by physical area – engineering on the 2nd floor, accounting on the first floor; you want engineering to limit their impact
• Conference centre – allows the assignment of channel ranges to individual vendors and the creation of buffer zones on the main network to isolate them
RRM DCA in RF Profiles – The Rules
• The country code must be set on the controller to allow other regulatory-domain channels
• Channels must be selected under Global DCA on the controller to be available in profiles
• You must disable the 802.11a/b networks to change DCA channels or bandwidth (20/40/80)
• You can have a different bandwidth assignment in an RF Profile than you have in Global
• RF Profiles and AP groups must be present on every controller that has an AP you want to include in the AP group
Profiles – Applied Through AP Groups
1. Create profiles
2. Create or edit AP Groups
3. Apply profiles (2.4 / 5 GHz) to AP groups
4. Assign APs
RF-Profile in Campus (diagram)
Same campus as the AP-Group diagrams; the APs are grouped into RF-Profile-1, RF-Profile-2 and RF-Profile-3, with the single SSID "Employee" mapped to VLANs 60/61 /23, 70/71 /23 and 80/81 /23 respectively; WLC-1 and WLC-2 sit in the data centre and the APs join over LWAPP/CAPWAP.
Cisco High Density Experience (HDX)
• Cisco CleanAir 80 MHz
• Optimised Roaming
• Turbo Performance
• Cisco ClientLink 3.0
• Noise Reduction (future)
Optimised AP Roaming
Makes sure users on the move associate to the AP with the strongest signal for best performance
Cisco CleanAir 80 MHz Technology
• Automatically detect Wi-Fi interference
• Automatically identify Wi-Fi interference
• Automatically classify Wi-Fi interference
• Automatically mitigate Wi-Fi interference
CleanAir 80 MHz
High-resolution interference detection and unique classification logic built in to Cisco's Wi-Fi chip design.
Detect, Identify and Classify Interference
• Automatically detect, identify and classify interferers
• Constantly monitor air quality
(Example interferer types shown: Microwave, Rogue AP, Wireless Phone, Security Cameras, Bluetooth Headset)
Cisco ClientLink 3.0 Technology: Advanced Beamforming Technology Improves Wireless Client Performance
• Significantly improves a wireless device's overall connection quality and performance
• Intelligently shapes and directs each packet to a wireless device based on its current location
• Enhances downstream performance for an improved user experience
Local Profiling and Policy Classification
• ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
• For customers not deploying ISE but requiring a subset of ISE features:
– Native profiling of end devices based on MAC OUI, HTTP and DHCP
– Device-based policy enforcement, per user or per device
Policy Classification (diagram)
Inputs: OUI, MAC, device type, username / identity (e.g. "John"), user role (Student, Teacher, Admin), time of day.
Resulting policy: VLAN, ACL, session timeout, QoS.
Configuring Client Profiles
• Client profiling uses pre-existing profiles in the controller
– Custom profiles are not supported in this release
• Wireless clients are profiled based on the MAC OUI, DHCP and HTTP user agent
– DHCP is required for DHCP profiling, Webauth for HTTP user-agent profiling
• The 8.0 release contains 156 pre-existing profiles:

(Cisco Controller) >show profiling policy summary
Number of Builtin Classification Profiles: 156
ID   Name                  Parent   Min CM   Valid
==== ===================== ======== ======== =====
0    Android               None     30       Yes
1    Apple-Device          None     10       Yes
2    Apple-MacBook         1        20       Yes
3    Apple-iPad            1        20       Yes
4    Apple-iPhone          1        20       Yes
…/…
Local Client Profiling Configuration
• At the WLAN level, enable Local Client Profiling (DHCP and HTTP)
– "DHCP Required" is checked automatically when selecting DHCP profiling
config wlan profiling {local | radius} {dhcp | http | all} <wlan ID>
(Cisco Controller) >config wlan profiling local all enable 1
Client Profiles in 7.6 and Above
• When profiling is enabled, a client's Device Type can be shown for the WLAN
Update Devices that are Profiled
• In 8.0, the WLC supports profiling 156 types of devices
• New devices are constantly being developed
• This feature allows Device Profile and OUI updates to refresh the list of supported devices on the WLC
OUI Update
• OUI list supported by IEEE
• The list is located at http://standards.ieee.org/develop/regauth/oui/oui.txt
• Must be saved as a .txt file
• The update does not require a WLC reboot
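Added example (Python, not Cisco's profiling engine) serving both the profiling slides above and the OUI update: it parses a constructed excerpt in the oui.txt layout and combines OUI, DHCP vendor class and HTTP user agent into a certainty score checked against the Min CM of the built-in profiles listed earlier. The vendor entries, the point weights and the rule that a child profile only matches when its parent also matches are assumptions made for illustration.

```python
"""Toy local client profiling, modelled on the WLC's OUI / DHCP / HTTP
user-agent profiling with parent/child built-in profiles and a minimum
certainty metric (Min CM). Added example, not Cisco code: the OUI entries,
rule weights and the "parent must also match" behaviour are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed excerpt in the IEEE oui.txt layout ("XX-XX-XX   (hex)  Vendor",
# followed by a "(base 16)" line). Prefixes and vendor names are made up.
OUI_TXT = """\
AA-BB-CC   (hex)\t\tApple Constructed Vendor
AABBCC     (base 16)\t\tApple Constructed Vendor
DD-EE-FF   (hex)\t\tAndroid Handset Constructed Vendor
DDEEFF     (base 16)\t\tAndroid Handset Constructed Vendor
"""
_OUI_LINE = re.compile(r"^([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui(text: str) -> Dict[str, str]:
    """Return {"AABBCC": vendor} from oui.txt text; only the '(hex)' lines are used."""
    table = {}
    for line in text.splitlines():
        m = _OUI_LINE.match(line)
        if m:
            table[m.group(1).replace("-", "")] = m.group(2)
    return table


@dataclass(frozen=True)
class Profile:
    id: int
    name: str
    parent: Optional[str]
    min_cm: int  # minimum certainty metric required to match this profile


# The five rows shown by "show profiling policy summary" above (parent given by name).
PROFILES = {p.name: p for p in (
    Profile(0, "Android", None, 30),
    Profile(1, "Apple-Device", None, 10),
    Profile(2, "Apple-MacBook", "Apple-Device", 20),
    Profile(3, "Apple-iPad", "Apple-Device", 20),
    Profile(4, "Apple-iPhone", "Apple-Device", 20),
)}


@dataclass
class Client:
    mac: str
    dhcp_vendor_class: str = ""  # DHCP option 60; only seen when DHCP profiling is on
    http_user_agent: str = ""    # only seen when the client goes through webauth


def score(client: Client, oui: Dict[str, str]) -> Dict[str, int]:
    """Accumulate constructed certainty points per profile from the three evidence sources."""
    cm: Dict[str, int] = {}

    def add(name: str, points: int) -> None:
        cm[name] = cm.get(name, 0) + points

    prefix = client.mac.replace(":", "").replace("-", "").upper()[:6]
    vendor = oui.get(prefix, "")
    if "Apple" in vendor:
        add("Apple-Device", 10)
    if "Android" in vendor:
        add("Android", 10)
    if client.dhcp_vendor_class.lower().startswith("android-dhcp"):
        add("Android", 30)
    ua = client.http_user_agent
    if "iPhone" in ua:
        add("Apple-iPhone", 20)
    elif "iPad" in ua:
        add("Apple-iPad", 20)
    elif "Macintosh" in ua:
        add("Apple-MacBook", 20)
    if "Android" in ua:
        add("Android", 20)
    return cm


def matches(name: str, cm: Dict[str, int]) -> bool:
    """A profile matches when it reaches its Min CM and its whole parent chain matches too."""
    p = PROFILES[name]
    if cm.get(name, 0) < p.min_cm:
        return False
    return p.parent is None or matches(p.parent, cm)


def depth(name: str) -> int:
    p = PROFILES[name]
    return 0 if p.parent is None else 1 + depth(p.parent)


def classify(client: Client, oui: Dict[str, str]) -> str:
    """Most specific (deepest) matching built-in profile, or "Unknown"."""
    cm = score(client, oui)
    matched = [n for n in PROFILES if matches(n, cm)]
    return max(matched, key=depth) if matched else "Unknown"


if __name__ == "__main__":
    table = parse_oui(OUI_TXT)
    iphone = Client("aa:bb:cc:11:22:33",
                    http_user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)")
    print(classify(iphone, table))  # Apple-iPhone
```

A client whose user agent says iPhone but whose OUI is unknown stays "Unknown", which is the point of the parent check: a single spoofable signal should not by itself earn a device-specific policy.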
What is the Need for Application Visibility and Control?
• Who are the top 10 users?
• What are the top 10 applications?
• How much traffic is BYOD generating on my network?
• Is someone running BitTorrent and bringing down my business applications?
• Should I add more APs to enhance the capacity?
Application Visibility & Control – Offering Wired and Wireless Application Insight and Control
• ISR G2 routers
• ASR
• WLAN controllers
• NAM
• Cisco Prime or third-party NetFlow collector
What is Application Visibility & Control? On Wireless Controllers
• NBAR2 library – deep packet inspection of client traffic
• NetFlow (static template) – provides flow export to Cisco Prime (troubleshooting, capacity planning, compliance) or to a third-party NetFlow collector
• Policy – packet mark / drop / rate-limit: Voice, Video, Best-Effort, Background, Don't Allow, Rate Limiting
Available in AireOS Version 8.0
Application Visibility and Control on WLC
• Identify applications using NBAR2 – client traffic classified as Voice, Video, Best-Effort or Background
• Control application behaviour – Don't Allow, Rate Limiting
AVC Feature Background and Equipment Requirement
• AVC works on traffic from Cisco APs in "Local Mode", FlexConnect central switching and OEAP traffic
• AVC is based on port, destination and heuristics, which allows reliable packet classification with deep visibility
• AVC looks into the initial setup of the client flow (first 10-20 packets), so loading on the controller system is minimal
• Available for all current-generation Cisco controllers supporting v7.4 and above
– Cisco 2504, 5508, WiSM2, Flex 7500 and 8500
• Software release 8.1 adds AVC support to FlexConnect
Different Application Types that AVC Can Recognise
• The library within AVC includes web-based, real-time, voice, video and enterprise applications of all types
– URL/HTTP(S) based applications
– Non-HTTP applications
– Enterprise applications
How Does AVC Classify Applications: Peer to Peer
• NBAR2 classification engines:
– Stateless L4 port based
– Stateful (flow based) L7 signatures
– MPE (multi-packet engine)
– Behavioural classification
– Deep packet inspection
• BitTorrent evidence used by these engines:
– Most popular ports: 6881-6889
– Random high-order ports, e.g. 56233
– DHT handshake pattern
– TCP and UDP payload bytes
• Detects BitTorrent client behaviour: uTorrent, BitComet, Azureus, LibTorrent
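Added example, not Cisco's NBAR2 implementation: the engines listed above are run in order over constructed flows (a well-known port, a peer-wire handshake on a random port, a bencoded DHT ping, and one client fanning out DHT-like datagrams to several peers), and the result is mapped to an AVC-style drop rule. The inspection depth, the fan-out threshold, the payloads and the addresses are constructed.

```python
"""Layered application classification in the style of the NBAR2 engines
listed above (stateless L4 port, stateful L7 signature over the first
packets, then behavioural classification across flows), with the result
fed to an AVC-style "drop BitTorrent" rule. Added example, not Cisco's
engine: the thresholds and the sample flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BT_PORTS = range(6881, 6890)                  # the "most popular ports" 6881-6889
PEER_WIRE_HANDSHAKE = b"\x13BitTorrent protocol"
MAX_INSPECTED = 20                            # only the first 10-20 packets of a flow are inspected
BEHAVIOUR_PEERS = 5                           # constructed fan-out threshold for the behavioural stage
FlowKey = Tuple[str, int, str, int]


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                                # "tcp" or "udp"
    payloads: List[bytes] = field(default_factory=list)   # packet payloads in arrival order

    def key(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport)


def l4_port(flow: Flow) -> Optional[str]:
    """Stage 1 (stateless): a well-known BitTorrent port on either side of the flow."""
    return "bittorrent" if flow.sport in BT_PORTS or flow.dport in BT_PORTS else None


def l7_signature(flow: Flow) -> Optional[str]:
    """Stage 2 (stateful): peer-wire handshake, or a complete bencoded KRPC (DHT) query/reply."""
    for p in flow.payloads[:MAX_INSPECTED]:
        if flow.proto == "tcp" and p.startswith(PEER_WIRE_HANDSHAKE):
            return "bittorrent"
        if flow.proto == "udp" and p.startswith(b"d1:") and p.endswith((b"1:y1:qe", b"1:y1:re")):
            return "bittorrent"
    return None


def dht_like(flow: Flow) -> bool:
    """Weak evidence only: small UDP datagrams between random high ports that open like a bencoded dict."""
    return (flow.proto == "udp" and flow.sport > 1024 and flow.dport > 1024
            and any(p.startswith(b"d1:") and len(p) < 300 for p in flow.payloads[:MAX_INSPECTED]))


def classify(flows: List[Flow]) -> Dict[FlowKey, Tuple[str, Optional[str]]]:
    """Return {flow key: (application, stage that decided it)} for every flow."""
    result: Dict[FlowKey, Tuple[str, Optional[str]]] = {}
    fanout: Dict[str, set] = defaultdict(set)  # client -> distinct peers with DHT-like traffic
    for f in flows:
        app = l4_port(f)
        if app:
            result[f.key()] = (app, "l4-port")
            continue
        app = l7_signature(f)
        if app:
            result[f.key()] = (app, "l7-signature")
            continue
        result[f.key()] = ("unclassified", None)
        if dht_like(f):
            fanout[f.src].add(f.dst)
    # Stage 3 (behavioural): one client fanning out to many peers with DHT-like traffic
    for f in flows:
        if result[f.key()][0] == "unclassified" and dht_like(f) and len(fanout[f.src]) >= BEHAVIOUR_PEERS:
            result[f.key()] = ("bittorrent", "behavioural")
    return result


AVC_PROFILE = {"bittorrent": "drop"}          # like the "Drop BitTorrent" rule; anything else is permitted


def policy_actions(flows: List[Flow]) -> Dict[FlowKey, str]:
    return {k: AVC_PROFILE.get(app, "permit") for k, (app, _) in classify(flows).items()}


# Constructed sample traffic (addresses taken from documentation ranges)
DHT_PING = b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
SAMPLE_FLOWS = [
    Flow("10.1.1.10", 50123, "203.0.113.5", 6881, "tcp", [PEER_WIRE_HANDSHAKE + b"\x00" * 8]),
    Flow("10.1.1.11", 50124, "203.0.113.6", 47211, "tcp", [PEER_WIRE_HANDSHAKE + b"\x00" * 8]),
    Flow("10.1.1.12", 50125, "203.0.113.7", 56233, "udp", [DHT_PING]),
    Flow("10.1.1.13", 50126, "198.51.100.8", 443, "tcp", [b"\x16\x03\x01\x02\x00"]),   # TLS-looking
] + [Flow("10.1.1.14", 50127, f"203.0.113.{i}", 40000 + i, "udp", [DHT_PING[:16]]) for i in range(20, 25)]

if __name__ == "__main__":
    for key, (app, stage) in classify(SAMPLE_FLOWS).items():
        print(key, app, stage)
```

The truncated DHT fragments from 10.1.1.14 are never caught by the signature stage; only the fan-out across five peers tips them into "bittorrent", which is why AVC needs the later engines for clients on random high ports.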
How Does AVC Classify Applications: Cisco Jabber
• Three classification flows for Cisco Jabber: Cisco Jabber Video, Cisco Jabber Audio, Cisco Jabber Control
• Different policies for different components of a Jabber session
How Does AVC Classify Applications: MS Lync
• Three classification flows for Microsoft Lync: MS-Lync-Video (desktop sharing, chat), MS-Lync Media (audio and video flows), MS-Lync File Transfer
• Different policies for different components of a Lync session
Enabling Application Visibility and Control – AVC is enabled per WLAN to allow deep packet inspection
1. Change the QoS level to reflect the highest application level for that SSID
2. Enable Application Visibility
3. Ensure WMM is set to "Allowed" or "Required"
Basic Application Visibility Added on the Controller Home Screen
• Top applications shown sorted by bytes
• Use "Monitor" -> "Applications" to view more statistics
Viewing Real-Time Statistics – Use for Assessing Current Usage or Troubleshooting
• Application usage displayed by % of total bytes for the last 90 seconds
• Average packet size, to see small vs. large packet flows
• Real-time stats (last 90 seconds)
Viewing Historical Statistics – Use for Assessing Overall Usage
• Cumulative statistics: application usage displayed by % of total bytes
• Total bytes transferred – useful for tracking down bandwidth hogs
AVC Application List – 1039 Applications Can Be Detected by Default
Configuring AVC Profiles – Choosing an Application Group and Application
• Select the Application Group, then the Application
Application Control – Control application usage and performance
• AVC Profile 1 – Rate Limit Facebook
• AVC Profile 2 – Drop BitTorrent
• AVC Profile 3 – Mark Citrix
Available in AireOS Version 8.0
Policy Tie-in with AVC – User-aware and Device-aware
• Application-based policies per WLAN – WLC v7.4 and later
• User-role-aware and device-aware policies – WLC v8.0
• Example: Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
• Example: Alice can access EHS records on an (IT provisioned) Windows laptop but cannot on a personal (unsecured) iPad
AVC Profile Per User / Device (diagram)
• SSID: Classroom, Security: WPA2/802.1x; AP – Switch – WLC – AAA
• AAA returns Cisco-av-pair=role=<role name> and Cisco-av-pair=avc-profile-name=<avc profile on wlc>
• Teacher Network and Student Network clients on the same SSID receive different AVC profiles (applications shown: YouTube, Facebook, Skype, BitTorrent)
Applying AVC Profiles (For Your Reference)
• Create an AVC profile for applications at Wireless > AVC – a maximum of 32 rules can be created per AVC profile
• Apply the AVC profile to the WLAN
• Apply the AVC profile per client using AAA override (RADIUS server)
• Apply the AVC profile per client using local profiling on the WLC
Wireless IPv6 Support - 7.2
• In release 7.2, the controller processes ICMPv6 messages, allowing for optimised delivery, Layer 3 mobility and first-hop security
– IPv6 ICMPv6 messages are interpreted by the controller and forwarded only as needed
– IPv6 ICMPv6 multicast messages are unicast to each client over the CAPWAP tunnel at high data rates
8.0 IPv6 Overview (diagram)
Dual-stack topology: IPv4 and IPv6 802.11 clients on the same AP, a CAPWAPv6 tunnel from the AP to the WLC, and IPv4/IPv6 on the wired VLAN; WLC management interface 2001:db8:a::2/64 and 10.10.10.2; IPv4/v6 router 2001:db8:a::1/64 and 10.10.10.1; IPv6-reachable SNMP, syslog, tftp/ftp/scp, RADIUS and NTP servers.
WLC IPv6 Address Overview
• ONE IPv6 address (+ LLA address) management solution
• Only IPv4 address support on dynamic interfaces
• Only IPv4 dynamic AP-manager support
• Only IPv4 redundancy-management / redundancy port (HA interfaces are IPv4 only)
• The service port can get an IPv6 address statically or using SLAAC (the only SLAAC interface on the WLC)
• LAG needed for IPv6 AP load balancing
• DHCPv6 proxy not supported (ONLY IPv6 DHCP bridging support – like 7.6 legacy)
Management Access (telnet, SSH, HTTP, HTTPS)
• The WLC can be accessed from wired/wireless via its IPv6 management interface (e.g. 2001:db8:a::2/64) using:
– telnet
– SSH
– HTTP
– HTTPS
CAPWAPv6
• The AP can get IPv6 addresses from stateful DHCPv6, SLAAC or static assignment
• If statically assigned, the gateway can be the unique global or link-local address of the router
• Either CAPWAPv4 or CAPWAPv6 can be used, but not both
• APs in bridge mode do not support CAPWAPv6
AP Discovery Mechanisms
• DHCPv6 Option 52 – OPTION_CAPWAP_AC_V6 (52), RFC 5417
– As part of the DHCPv6 Reply, the server provides the WLC management IPv6 address
– The AP then begins unicast CAPWAP discovery
• Multicast discovery – broadcast does not exist in IPv6
– Send CAPWAP discovery messages to the "All ACs multicast address" (FF01::18C)
• Using DNS – configure the DNS server to resolve cisco-capwap-controller.domain-name
– domain-name should be returned by the DHCPv6 server
• AP priming – preconfiguring the AP with a primary, secondary and tertiary IPv6-managed WLC
AP Failover
• The management IP address must be reachable
• One entry per WLC
• The AP will join either the IPv4 or the IPv6 address of the WLC (regardless of the management IP listed)
• All other AP failover behaviour is the same as in previous versions
Example priming across WLC1, WLC2 and WLC3:
– Primary: WLC1, Secondary: WLC2, Tertiary: WLC3
– Primary: WLC2, Secondary: WLC3, Tertiary: WLC1
– Primary: WLC3, Secondary: WLC2, Tertiary: WLC1
IPv6 Guest Access
• The virtual IP address is IPv4 only
• Uses an IPv4-mapped address for IPv6 web-authentication clients
• The virtual IP should be the same for all WLCs in the same mobility group
• For example, the IPv6 address will display as [::ffff:192.0.2.1]
Control and Management Protocols IPv6 Support
• Upload/Download using IPv6 with ftp/tftp/sftp
• RADIUSv6 Support
• TACACS+v6 Support
• NTPv3
• Syslog over IPv6
• SNMP Trap Receiver
• PINGv6
• IPv6 Guest Access
Wireless IPv6 Client First Hop Security on WLAN
• RA Guard – Router Advertisements from a client are blocked at the AP (Local and FlexConnect)
• DHCP Server Guard – DHCP Server Advertisements from a client are blocked at the Wireless Controller
• Source Guard – undesired IPv6 addresses/prefixes are blocked using an IPv6 ACL
Branch Office with Local WLAN Controller – Overview
• Branches can also have local controllers
• Small or mid-size branch WLCs:
– CT-2504
– Integrated controller modules in ISR/ISR-G2
– Converged Access Cat-3850
• A high-availability design with a central backup controller is supported; WAN limitations may apply
(Diagram: Remote Site A with a WLC-25xx, Remote Site B with a WLCM for ISR/ISR-G2, Remote Site C with a Cat-3850, all connected over the WAN to a backup central controller at the central site; APs join over CAPWAP)
Branch Office with Local WLAN Controller – Advantages
– Cookie-cutter configuration for every branch site
– Layer-3 roaming within the branch
– IPv6 L3 mobility
• Note: if you have an ISR/ISR G2 at the branch site, it is recommended to use the IOS Firewall at the edge for unified access policies
Branch Office Deployment – FlexConnect (HREAP)
• Hybrid architecture
• Single management and control point
• Data traffic switching:
– Centralised traffic (split MAC), or
– Local traffic (local MAC)
• HA will preserve local traffic only
• Traffic switching is configured per AP and per WLAN (SSID)
(Diagram: remote-office APs send centralised traffic over the WAN to the central site and switch local traffic at the remote office)
FlexConnect Glossary
• Standalone Mode – when a FlexConnect AP cannot reach the controller, it goes into the standalone state and does client authentication by itself
• Local Switching – data traffic switched onto local VLANs for an SSID
• Central Switching – data traffic tunnelled back to the WLC for an SSID
• Connected Mode – when a FlexConnect AP can reach the controller, it gets help from the controller to complete client authentication
Medium Branch – Up to 25 Access Points – Local Controller Onsite
• Cisco 2500 Series Controller
• Catalyst 3650
• Virtual Controllers (vWLC)
(Diagram: Remote Site A with a WLC-25xx, Remote Site B with a WLCM for ISR/ISR-G2, Remote Site C with a Cat-3650, connected over the WAN to a backup central controller at the central site; APs join over CAPWAP)
FlexConnect Design Considerations (For Your Reference)
Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
Data              128 kbps              300 ms                  5                    25
Data+Voice        128 kbps              100 ms                  5                    25
Data              128 kbps              1 sec                   1                    1
Monitor           128 kbps              2 sec                   5                    N/A
Data              1.44 Mbps             1 sec                   50                   1000
Data+Voice        1.44 Mbps             100 ms                  50                   1000
Monitor           1.44 Mbps             2 sec                   50                   1000
FlexConnect Feature Evolution – Flex 7.2, Flex 7.3 & 7.4, Flex 7.6 & 8.0
• Smart AP Image Upgrade
• ACLs on FlexConnect AP
• AAA override of VLAN – dynamic VLAN assignment for locally switched clients
• FlexConnect re-branding
• Fast roaming for voice clients
• Peer-to-peer blocking
• PEAP and EAP-TLS support (7.5)
• FlexConnect Group specific WLAN-VLAN mapping (7.5)
• AAA client ACL (7.5)
• Flex 7500 scale update
• VLAN-based central switching
• Split tunnelling
• Central DHCP processing
• WGB/uWGB support with local switching
• Bidirectional rate limiting
• Support for ISE BYOD registration and provisioning
• Ethernet fallback (7.6)
• Videostream for local switching (8.0)
• Faster time to deploy (8.0)
• Flex with Mesh deployment support (8.0)
Bringing It All Together – Best Practices
Best Practices (AirOS) – Make it Easy, Make it Work, Make it Perform (For Your Reference)
Infrastructure
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP re-transmit parameters
• Enable FastSSID change
• Enable per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load Balancing
• Disable Aironet IE
• FlexConnect Groups and Smart AP Upgrade
Security
• Enable 802.1x and WPA/WPA2 on the WLAN
• Enable 802.1x authentication for APs
• Change advanced EAP timers
• Enable SSH and disable telnet
• Disable Management over Wireless
• Disable Wi-Fi Direct
• Secure web access (HTTPS)
• Enable user policies
• Enable client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password policies
• Enable IDS
• BYOD timers
Mesh
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set backhaul rate to "Auto"
• Set backhaul channel width to 40/80 MHz
• Backhaul link SNR > 25 dBm
• Avoid DFS channels for backhaul
• External RADIUS server for Mesh MAC authentication
• Enable IDS
• Enable EAP Mesh Security Mode
Wireless / RF
• Disable 802.11b data rates
• Restrict the number of WLANs to below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) in auto mode
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable noise and rogue monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Best Practice Check Points – Measuring Compliance
• Cisco Active Advisor (CAA) – personalised device health score: free, cloud-based service; agentless, nothing to download; compares your wireless network configuration to Cisco's recommended best practices; automated inventory management and network scanning
• WLC WLAN Express Setup (7.6 MR2, 8.0, 8.1) – best practice defaults, RF parameter optimisation, network profiles; optimum starting point at Day 0/1 network setup; ease of RF parameter setting; enhanced performance, security and resiliency with best practice recommendations turned on at boot-up time
• WLC Upgrade Audit Workflow (8.1) – audit page on upgrade, one-click Fix It, manual config option; compliance metric and reporting natively on the WLC; identifies missing best practice configuration on upgrade; easy one-click Fix It option to turn on best practice knobs; Restore Defaults to revert configuration to default
• WLC Config Analyser (WLCCA) – Windows executable, "show run-config" based analyser tool; downloadable client, configuration stays local; simplified operational use to quickly identify and fix problem areas; RF health metrics, IOS support, mobility group support
WLAN Express Setup (screenshots: 7.6 MR2, 8.0 and 8.1)
WLC WLAN Express Setup Best Practices – Day 0/1 Best Practice Knobs
• AVC Visibility
• mDNS Snooping
• New mDNS profile for printer, http
• Local Profiling
• Band Select
• DHCP Proxy
• Secure Web Access
• Virtual IP 192.0.2.1
• RRM-DCA Auto
• RRM-TPC Auto
• CleanAir Enabled
• EDRRM Enabled
• Channel Width 40 MHz
• Aironet IE Disabled
• Management over Wireless
• 2.4 GHz Low Data Rates Disabled
• Load Balancing
• Rogue Threshold Enabled
• Client Exclusion Enabled
• FastSSID Enabled
• Infra MFP
• Multicast Forwarding Mode
• SNMPv3 (delete default)
• Mobility Name
• RF Group same as Mobility Name
• DHCP Required on Guest WLAN
• 5 GHz Channel Bonding
Optimum starting point at Day 0/1 network setup; RF parameter setting ease of use; enhanced performance, security and resiliency with best practice recommendations turned on at boot-up time; save time and money.
http://youtu.be/aNVM3rW-Zkc
https://www.youtube.com/watch?v=nGFH38peF-w
WLC Upgrade Audit Workflow 8.1 – Audit Upgrades
• Compliance metric and reporting natively on the WLC
• Identify missing best practice configuration on upgrade
• Easy one-click Fix It option to turn on best practice knobs
• Restore Defaults to revert configuration to default
WLC Config Analyser – Per Controller Compliance
• Best practices categorised into:
– General
– AP
– Mobility
– RF
– Security
– Voice
– Mesh
– Flex
• Per-controller compliance level for each category
• Total / passed / failed checks
• Compliance colour coding: 0-40% red, 41-80% yellow, 81-100% green
Config Analyser Best Practice Compliance with Express WLAN Setup (screenshots: 7.6 MR2 without Express WLAN Setup vs. 8.1 with Express WLAN Setup)
• Downloadable client; configuration stays local
• Simplified operational use to quickly identify and fix problem areas
• RF health metrics, IOS support, mobility group support
• Analyse and mitigate
https://supportforums.cisco.com/document/7711/wlc-config-analyzer
Cisco Active Advisor (CAA) – Personalised Health Score
• Personalised device health score
• Free, cloud-based service
• Automatically takes an inventory of your Cisco network
www.CiscoActiveAdvisor.com
Summary – Key Takeaways
• Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r…)
• Wide range of architecture / design choices
• Brand-new controller portfolio (WiSM-2, WLC 7500, WLC 8500, WLC 2504, Virtual WLC) with investment protection
• Take advantage of innovations from Cisco (11ac, CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
• Cisco's investment into technology – Cisco Prime, ISE, new hardware, cloud controller
Documentation
• Master Document Link - http://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-technical-reference-list.html
• Best Practice Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
• AP700-W Deployment Guide - http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/702WAccessPointDG/CiscoAironetSeries_702w_AP_DG.html
• Enterprise Best Practices for Apple Mobile Devices on Cisco Wireless LANs – http://www.cisco.com/en/US/docs/wireless/technology/vowlan/bestpractices/EntBP-AppMobDevs-on-Wlans.html
• AP3700 Deployment Guide - http://www.cisco.com/en/US/partner/docs/wireless/technology/apdeploy/7.6/Cisco_Aironet_3700AP.html
• Virtual WLC Deployment Guide: http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml
• HA Deployment Guide: http://www.cisco.com/en/US/partner/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
• Flex 7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
• WLC8500 Deployment Guide: http://www.cisco.com/en/US/products/ps12722/products_tech_note09186a0080bd6504.shtml
• WiSM-2: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bb2500.shtml
• Bonjour Deployment Guide: http://www.cisco.com/en/US/docs/wireless/technology/bonjour/7.5/Bonjour_Gateway_Phase-2_WLC_software_release_7.5.html
• Wireless Device Profiling and Policy Classification Engine on WLC, Release 7.5: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/NativeProfiling75.html
• MSE Virtual Appliance Deployment Guide: http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml
• IPv6 Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml
Q & A
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session Evaluations:
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm
Complete Your Online Session Evaluation
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
Thank you.