Professional Documents
Culture Documents
Derive
Fine-tune Maximum CAA
Feature features to Potential from
Best Optimum Best WLAN
Practices Deployment
WLCCA
Agenda
http://bit.ly/clus2015
Best Practices Checkpoints
WLC WLC
2. WLCCA CAA
WLAN Express Setup Best
AppPractice
Engage Audit Config Cisco
7.6 MR2, 8.0, 8.1 Dashboard View Analyzer Active Advisor
8.1
Best Practices defaults, Audit Page on Upgrade, Windows Executable Free, cloud based service
RF Parameter Optimization, Network One-click Fix It, “show run-config” Based Agentless – nothing to download
Profiles Manual Config Option Analyzer Tool
Optimum starting point at Day 0/1 network Compliance metric and reporting natively on Downloadable client Cisco Personalized device health score
setup WLC Compare your wireless network
Configuration stays local
RF parameter setting Ease of use Identify missing best practice configuration on configuration to Cisco’s recommended best
Simplified operational use to quickly identify practices
Enhanced performance, security, resiliency upgrade
and and fix problem areas
with best practice recommendations turned Easy one-click fix It option to turn on Best Automated Inventory Management and
RF Health metrics, IOS Support, Mobility Network Scanning
on boot up time Practice Knobs
Group support
Restore Defaults to revert configuration to
default
Enhance
Usability & Drive Feature
Manageability Adoption
Experience
WLC WLC
2. WLCCA CAA
WLAN Express Setup Upgrade Audit Workflow
App Engage Config Cisco
7.6 MR2, 8.0, 8.1 8.1 Analyzer Active Advisor
Wired Express Setup
• Introduced on 2504 in 7.6 MR2, 8.0
• Extended to 5508, vWLC, 7510, 8510 in 8.1
Best Practices defaults, • Extended to 5520, 8540 in 8.1
Audit Page on Upgrade, Windows Executable Free, cloud based service
RF Parameter Optimization, Network One-click Fix It, “show run-config” Based Agentless – nothing to download
Profiles Manual Config Option Analyzer Tool
Wireless Over-The-Air (OTA) Setup
• Available in 8.1 and higher
• Supports Universal AP (UX)
Optimum starting point at Day 0/1 network Compliance metric and reporting natively on Downloadable client Cisco Personalized device health score
setup • Supported on 2504 Configuration stays local
WLC Compare your wireless network
RF parameter setting Ease of use Identify missing best practice configuration on configuration to Cisco’s recommended best
Simplified operational use to quickly identify practices
Enhanced performance, security, resiliency upgrade
and and fix problem areas
with best practice recommendations turned Easy one-click fix It option to turn on Best Automated Inventory Management and
RF Health metrics, IOS Support, Mobility Network Scanning
on boot up time Practice Knobs
Group support
Restore Defaults to revert configuration to
default
Wired and Wireless OTA Express Setup
Day 0/1 Ease of Setup
Confirm settings
Best Practices defaults, Audit Page on Upgrade, Windows Executable Free, cloud based service
RF Parameter Optimization, Network One-click Fix It, “show run-config” Based Agentless – nothing to download
Profiles Manual Config Option Analyzer Tool
Optimum starting point at Day 0/1 network Compliance metric and reporting natively on Downloadable client Cisco Personalized device health score
setup WLC Compare your wireless network
Configuration stays local
RF parameter setting Ease of use Identify missing best practice configuration on configuration to Cisco’s recommended best
Simplified operational use to quickly identify practices
Enhanced performance, security, resiliency upgrade
and and fix problem areas
with best practice recommendations turned Easy one-click fix It option to turn on Best Automated Inventory Management and
RF Health metrics, IOS Support, Mobility Network Scanning
on boot up time Practice Knobs
Group support
Restore Defaults to revert configuration to
default
Enhance Drive
Usability and
Manageability
Feature
Experience Adoption
Audit Upgrades
RF Interference
Legacy Devices
Too many Clients
impacting performance
Wireless Dashboard – AP Performance
Use Cases:
• AP / Band Distribution
• Signal Quality
• Legacy Devices
Network Summary – Client Details
• Single pane of glass for client troubleshooting
Application Usage
Client Capabilities
Neighbouring APs
• Client Connectivity
Issues
Best Practices defaults, Audit Page on Upgrade, Windows Executable Free, cloud based service
RF Parameter Optimization, Network One-click Fix It, “show run-config” Based Agentless – nothing to download
Profiles Manual Config Option Analyzer Tool
Optimum starting point at Day 0/1 network Compliance metric and reporting natively on Downloadable client Cisco Personalized device health score
setup WLC Compare your wireless network
Configuration stays local
RF parameter setting Ease of use Identify missing best practice configuration on configuration to Cisco’s recommended best
Simplified operational use to quickly identify practices
Enhanced performance, security, resiliency upgrade
and and fix problem areas
with best practice recommendations turned Easy one-click fix It option to turn on Best Automated Inventory Management and
RF Health metrics, IOS Support, Mobility Network Scanning
on boot up time Practice Knobs
Group support
Restore Defaults to revert configuration to
default
Enhance Drive
Usability and
Manageability
Feature
Experience Adoption
https://supportforums.cisco.com/document/7711/wlc-config-analyzer
WLC Config Analyzer – Deployment types
*Coming Soon !
WLC Config Analyzer – Per Controller Compliance
• Best Practices categorized
into
• General
• AP
• Mobility
• RF
• Security
• Voice
• Mesh
• Flex 0-40% Red
41-80% Yellow
• Per-Controller Compliance
81-100% Green
Level for Each category
• Total/Passed/Failed checks
WLC Config Analyzer – Best Practices detail
• Individual Best Practice knob compliance (Yes/ No)
0-40% Red
41-80% Yellow
81-100% Green
Message
Severity
Error
( Critical )
Warning
( Highly
Recommended)
Informational
( Good to Have )
WLCCA Updates
• Compatible with Next-Gen controllers 5520, 8540
• IOS XE Support – 3650/3850/5760
• AireOS Support since release 4.1
• AP MIC expiration warning
• WLCCA - Version 3.6.5
• CAA – Coming Up!
show run-config
Compliance Level w/ and w/o Express WLAN Setup
Downloadable client
Configuration stays local
Simplified operational use to
quickly identify and and fix
problem areas
RF Health metrics, IOS Support,
Mobility Group support
Best Practices defaults, Audit Page on Upgrade, Windows Executable Free, cloud based service
RF Parameter Optimization, Network One-click Fix It, “show run-config” Based Agentless – nothing to download
Profiles Manual Config Option Analyzer Tool
Optimum starting point at Day 0/1 network Compliance metric and reporting natively on Downloadable client Cisco Personalized device health score
setup WLC Compare your wireless network
Configuration stays local
RF parameter setting Ease of use Identify missing best practice configuration on configuration to Cisco’s recommended best
Simplified operational use to quickly identify practices
Enhanced performance, security, resiliency upgrade
and and fix problem areas
with best practice recommendations turned Easy one-click fix It option to turn on Best Automated Inventory Management and
RF Health metrics, IOS Support, Mobility Network Scanning
on boot up time Practice Knobs
Group support
Restore Defaults to revert configuration to
default
Introducing Cisco Active Advisor
• Free, cloud based service
• Agentless – nothing to download
• It provides customers:
• Security Advisories (PSIRTs)
• End-of-life & End-of-support dates
• Warranty & service contract status
• Device Health Score
• Accessible at:
www.CiscoActiveAdvisor.com
Improve
Personalized device
health score
Free, cloud-based
service
Automatically takes an
inventory of your Cisco
network
Enhance Drive
Usability &
Feature Manageability
Feature
Experience Adoption
Enable High Availability (AP and Client SSO) Enable 802.1x and WPA/WPA2 on WLAN
Enable AP Failover Priority Enable 802.1x authentication for AP
Enable AP Multicast Mode Change advance EAP timers
Enable Multicast VLAN Enable SSH and disable telnet
BEST PRACTICES (AirOS)
INFRASTRUCTURE
SECURITY
Enable Pre-image download Disable Management Over Wireless
Enable AVC Disable WiFi Direct
Enable NetFlow Peer-to-peer blocking
Secure Web Access (HTTPS)
Enable Local Profiling (DHCP and HTTP)
Enable User Policies
Enable NTP
Enable Client exclusion policies
Modify the AP Re-transmit Parameters Enable rogue policies and Rogue Detection RSSI
Enable FastSSID change Strong password Policies
Enable Per-user BW contracts Enable IDS
Enable Multicast Mobility BYOD Timers
Enable Client Load balancing
Disable Aironet IE Disable 802.11b data rates
FlexConnect Groups and Smart AP Upgrade Restrict number of WLAN below 4
Enable channel bonding – 40 or 80 MHz
WIRELESS / RF
Set Bridge Group Name
Set Preferred Parent Enable BandSelect
Multiple Root APs in each BGN Use RF Profiles and AP Groups
MESH
Set Backhaul rate to "Auto" Enable RRM (DCA & TPC) to be auto
Set Backhaul Channel Width to 40/80 MHz Enable Auto-RF group leader selection
Backhaul Link SNR > 25 dBm Enable Cisco CleanAir and EDRRM
Avoid DFS channels for Backhaul Enable Noise &Rogue Monitoring on all channels
External RADIUS server for Mesh MAC Authentication
Enable DFS channels
Enable IDS
Enable EAP Mesh Security Mode Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Infrastructure Best Practices
Infrastructure Best Practices
Enable High Availability (AP and Client SSO)
Enable AP Failover Priority
INFRASTRUCTURE
Enable AP Multicast Mode
Enable Multicast VLAN
Enable Pre-image download
Enable AVC
Enable NetFlow
Enable Local Profiling (DHCP and HTTP)
Enable NTP
Modify the AP Re-transmit Parameters
Enable FastSSID change
Enable Per-user BW contracts
Enable Multicast Mobility
Enable Client Load balancing
Disable Aironet IE
Infrastructure: Enable High Availability (SSO)
A direct physical connection between Active and Standby Redundant Ports or Layer 2 connectivity is required
to provide stateful redundancy within or across datacenters
Allows certain APs to be assigned higher WLC join priorities, so they are given preference while
joining a WLC
Infrastructure: Enable AP Multicast mode
Controller General AP Multicast Mode
Network infrastructure must provide multicast routing between management interface subnet and AP subnet
Forward multicast traffic to Access Points instead of sending unicast messages to each individual AP
Infrastructure: Multicast VLAN for Interface Groups
WLANs WLAN Name General
VLAN1
VLAN2 (mcast_vlan)
Network VLAN3
VLAN4
Interface group
To limit the multicast on the air to a single copy on a predefined multicast VLAN
Infrastructure: Enable Pre-image download
Wireless Global Configurations AP Image Pre-download
Enable Application
Visibility
Add per
application rules
Classifies applications, provides real-time analysis, and allows users to drop or mark data. Per-
user, per-device granularity for control
Infrastructure: Enable NetFlow in your WLC
Wireless Netflow Exporter Create ‘New’
Client devices can be profiled based on their manufacturer and operating system
Infrastructure: Enable NTP
Controller NTP Keys
If NTP requires
authentication, first
add key
Synchronizes the time among all devices on the network including Access Point and Controller as
we have X.509 certificates installed in AP and WLC, Context-aware and location services, MFP,
Debugging
Infrastructure: Modify the AP Re-transmit Parameters
Wireless Access Points Global Configuration
Allows clients to move faster between SSIDs, by not clearing the client entry
Infrastructure: Enable per-user bandwidth contract
WLANs Edit ‘WLAN_NAME’ QoS
Allows clients to announce messages to all mobility peers, instead of individual WLCs, benefiting
time, CPU usage, and network utilization. Multicast routing between controllers
Infrastructure: Enable Client Load Balancing
WLANs Edit “WLAN-NAME” Advanced
Mobility Group
192.0.2.1 192.0.2.1
Inter-controller roaming can appear to work, but the hand-off does not complete and the
client loses connectivity when DHCP renew is performed if DHCP proxy enabled
Infrastructure: Fast Restart
73% Faster
Use Cases
LAG Configuration change
Clear Configuration
Process Restart to reduce network and service downtime
Post Configuration Wizard
Better Serviceability
Transfer Download of configuration
Supported on Cisco WLC 7510, 8510, 5520 8540 and
vWLC
CLI Command “restart”
Fast Restart to reduce network and service downtime and improve serviceability
RF & RRM Best Practices
RF & RRM Best Practices
Disable 802.11b data rates
Restrict number of WLAN below 4
Enable channel bonding – 40 or 80 MHz
RRM / RF
Enable BandSelect
Use RF Profiles and AP Groups
Enable RRM (DCA & TPC) to be auto
Enable Auto-RF group leader selection
Enable Cisco CleanAir and EDRRM
Enable Noise &Rogue Monitoring on all channels
Enable DFS channels
Avoid Cisco AP Load
RF & RRM: Disabling .11b Data Rates
Wireless 802.11b/g/n Network
Management frames sent at lowest mandatory rate - slows down the entire cell
RF & RRM: Disabling .11b Data Rates
Demonstrating the impact of 802.11b data rates on Channel Utilization
WLANs WLANs
Each SSID needs a separate probe response and beaconing, the more SSIDs the less
RF space available for real data traffic
RF & RRM: Enable Channel Bonding – DBS
40/80MHz wide channels in the 5GHz space can 2x/4x the amount of user data than can be
transmitted. For extreme HD deployments use 20 MHz channels to keep cell size small
RF & RRM: Enable Client Band Select
WLANs Edit “WLAN-NAME” Advanced
• Today
• 802.11 data rates
• TPC Power Threshold and Min max Power settings
• DCA
• Coverage hole algorithm settings
• High Density – HDX configurations RX_SOP, Client Limit, Mcast data rate
• Client Distribution
More granular control of the RF network
RF Profiles : Granular Control
Data Rates
Ability to enable Wi-Fi Services and segregation of traffic based on physical location
RF & RRM: Enable RRM (DCA) to be auto
Wireless 802.11a/n/ac or 802.11b/g/n RRM DCA
Allows RRM to automatically select the best channel for each radio
DCA defaults work for typical carpeted offices
RF & RRM: Enable Cisco EDRRM
Wireless 802.11a/n/ac or 802.11b/g/n RRM DCA
Sensitivity threshold
recommended to Medium
EDRRM triggers RRM to run when an access point detects a certain level of interference
RF & RRM: RF Group Leader must be an .11ac WLC (Release 7.5+)
in RF Groups with mixed versions
Wireless 802.11a/n/ac RRM DCA
If the RF Group Leader does not support 802.11ac (Release 7.5+), APs in the RF Group
cannot select 80MHz channel widths
RF & RRM: Enable RRM (TPC) to be auto
Wireless 802.11a/n/ac or 802.11b/g/n RRM TPC
Recommended to use
TPCv1
Allows RRM to automatically select the best transmit power for each radio
Tune RRM parameters with Network and pre-built RF profiles
RF & RRM: Enable Cisco CleanAir
Wireless 802.11a/n/ac or 802.11b/g/n CleanAir
97
100
63
90
20
35
CleanAir identifies non-WIFI interferers and generates interferer and air quality reports
RF & RRM: Enable Noise & Rogue Monitoring channels
Wireless 802.11a/n/ac or 802.11b/g/n RRM General
Allows more 5GHz channels (only in regulatory domains that support UNII-2 Extended).
Please note that some clients do not support DFS channels
RF & RRM : Disable Avoid Cisco AP Load
Wireless 802.11a/n/ac RRM DCA
Wireless 802.11b/g/n RRM DCA
Provides greater network security by enabling 802.1x on the switch port where AP is
connected. Not supported for Mesh deployments
Security: Enable SSH and Disable Telnet
Management Telnet–SSH
Disable Telnet and enable SSH as the default option
0 implies no sessions
will be allowed
Provides greater security by allowing secure access and denying unencrypted access
Security: Disable Management Over Wireless
Management Mgmt Via Wireless
Prevent security hole if the device is connected to both the infrastructure and a
Personal Area Network (PAN) at the same time. Will break Android devices
Security: Secure Web Access ( HTTPS )
Management HTTP-HTTPS
Range is between 0 – 8.
Zero indicates no limit
Prevent login attacks by restricting the numbers the users who can use the same login
credentials between 1 - 5
Security: Enable Client Exclusion Policies
Security Wireless Protection Policies Client Exclusion Policies
Enable exclusion policies to prevent the network from Assoc/Auth failure attacks.
Disable for Voice deployments
Security: Enable Strong Password Policies
Security AAA Password Policies
Friendly Malicious
Enable the wireless IDS features in the controller and enable 17 built-in features to avoid
intrusion attacks
Security : Enable CPU ACLs
Security Access Control Lists CPU Access Control Lists
Control overall access to the WLC by filtering management protocols such as SSH,
SNMP, etc such that they can only hit the CPU if they originate from our management
networks
BYOD: Radius Timeout >=5 sec
Security AAA RADIUS Authentication
To prevent pre-mature failover since the default of 2 seconds is generally low for ISE as ISE relies
on backend databases for user lookups and group fetches. Too high causes queue issues on WLC
BYOD: Session Timeout
WLANs WLAN Name Advanced
Longer is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535
seconds for open/CWA SSIDs, shorter is better from security point of view.
BYOD: Client Idle Timeout
WLANs WLAN Name Advanced
For networks where users stay largely within the coverage area the setting can be
increased to 3600 seconds for an SSID running 802.1x or RADIUS NAC against ISE.
BYOD: Client Exclusion
WLANs WLAN Name Advanced
180 seconds is the recommended default with ISE though 60 seconds is the WLC
default. The reason behind this is the minimum reject interval on ISE for miss-configured
supplicant detection is 5 minutes or 300 seconds
BYOD: EAPoL and EAP Request Timeout
WLANs WLAN Name Security AAA Servers
Recommended EAPoL-Key Timeout < 1000 ms and EAPoL-Key Max Retries <= 2
Recommeded EAP Request timeout <30 sec ( 10 sec ) and EAP Max Retries =<2
BYOD: Disable Interim Accounting
Interim accounting adds additional unneeded load with no added benefit to ISE.
BYOD : Disable Aggressive Failover
Only fails over to the next AAA server if there are three consecutive clients that
fail to receive a response from the RADIUS server
In some circumstances it can cause the WLC to pre-maturely mark ISE dead in times of
high load and cause additional load on ISE
BYOD : Set RADIUS Fallback Passive
Security AAA RADIUS Fallback
FLEX
Central Site
WAN
Allow users to assign specific APs to groups with set configurations, OKC/CCKM key
caching for Voice, Local RADIUS server configuration, consistent WLAN mappings
FlexConnect: Configuration & Monitoring at Group
VLAN
Support/Native
FlexConnect AVC VLAN
New
Wireless Control Wireless
System LAN
Controller
WAN
Master AP
Avoids downloading multiple copies of the Access Point software over the slow WAN link
to the remote site, reduces service downtime and reduces risk of download failure
Best Practices Polling Results !
Save Time & Money Audit Upgrades Analyze & Mitigate Improve
Optimum starting point at Compliance metric and Downloadable client
reporting natively on WLC Personalized device
Day 0/1 network setup Configuration stays local health score
RF parameter setting ease Identify missing best practice Quickly identify and and fix
configuration on upgrade Free, cloud-based
of use problem areas service
Enhanced performance, Easy one-click fix It option to RF Health metrics, IOS
turn on Best Practice Knobs Automatically takes an
security, resiliency with Support, Mobility Group inventory of your Cisco
best practice support network
recommendations at boot
time
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
• Complete your session surveys
though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you