Brkewn 2670 PDF

Best Practices for Configuring Cisco
Wireless LAN Controllers

Aparajita Sood
Technical Marketing Engineer
BRKEWN-2670
User-First Pillars and Checkpoints
Express
Setup
Enhance Audit
Usability and Drive Feature Upgrade
Monitoring & Manageability Adoption Workflow
RF Experience
Dashboard
Derive
Fine-tune Maximum CAA
Feature features to Potential from
Best Optimum Best WLAN
Practices Deployment
WLCCA
Agenda
 WLC Express Setup  WLCCA Update

 Wired Express Setup  RF Health Express
Monitoring Audit
and RF Upgrade
 OTA Express Setup Setup Dashboard Workflow
 Cisco Active Advisor
 WLC Dashboard View
 Device Health Score
 Monitoring
CAA WLCCA
 RF Health  Wireless Health Tool
 Mobile App  Feature Best Practices
 WLC Best Practice Audit Feature
 Infrastructure Best
 One-click Fix Practices
 RF/RRM
 Manual Configuration
 Security and BYOD
 FlexConnect
Participate in session polling and Q&A
Step 1: Download the Mobile App Step 2: Access the session
Get all the information you need at your Log into the app using your Cisco
fingertips! Live login & find your session
http://bit.ly/clus2015
Best Practices Checkpoints
WLC WLC
2. WLCCA CAA
WLAN Express Setup Best
AppPractice
Engage Audit Config Cisco
7.6 MR2, 8.0, 8.1 Dashboard View Analyzer Active Advisor
8.1
Best Practices defaults, Audit Page on Upgrade, Windows Executable Free, cloud based service
RF Parameter Optimization, Network One-click Fix It, “show run-config” Based Agentless – nothing to download
Profiles Manual Config Option Analyzer Tool
 Optimum starting point at Day 0/1 network  Compliance metric and reporting natively on  Downloadable client  Cisco Personalized device health score
setup WLC  Compare your wireless network
 Configuration stays local
 RF parameter setting Ease of use  Identify missing best practice configuration on configuration to Cisco’s recommended best
 Simplified operational use to quickly identify practices
 Enhanced performance, security, resiliency upgrade
and and fix problem areas
with best practice recommendations turned  Easy one-click fix It option to turn on Best  Automated Inventory Management and
 RF Health metrics, IOS Support, Mobility Network Scanning
on boot up time Practice Knobs
Group support
 Restore Defaults to revert configuration to
default
Enhance
Usability & Drive Feature
Manageability Adoption
Experience
Express Setup Fine-tune

Derive
Maximum
features to Potential from
Optimum Best WLAN
Deployment
WLAN Express Setup
Day 0/1 Ease of Setup
WLC WLC
2. WLCCA CAA
WLAN Express Setup Upgrade Audit Workflow
App Engage Config Cisco
7.6 MR2, 8.0, 8.1 8.1 Analyzer Active Advisor
Wired Express Setup
• Introduced on 2504 in 7.6 MR2, 8.0
• Extended to 5508, vWLC, 7510, 8510 in 8.1
Best Practices defaults, • Extended to 5520, 8540 in 8.1
Audit Page on Upgrade, Windows Executable Free, cloud based service
Wireless Over-The-Air (OTA) Setup
• Available in 8.1 and higher
• Supports Universal AP (UX) 
 Optimum starting point at Day 0/1 network  Compliance metric and reporting natively on  Downloadable client Cisco Personalized device health score
setup • Supported on 2504  Configuration stays local
WLC  Compare your wireless network
Group support
default
Wired and Wireless OTA Express Setup
Day 0/1 Ease of Setup
Wireless: Connect AP WLC port 3 or 4 (PoE)

Wired: Connect PC
Ethernet cable to any port
on the WLC for 2504 and to
SP port on other WLCS
Connect to SSID ‘CiscoAirProvision’ using

the key ‘password’
Wait for the SYS LED light

to be solid
If setup is Wireless, wait for

AP to power and broadcast SSID
Wired and Wireless OTA Express Setup
Day 0/1 Ease of Setup Enable RF Optimization
Open a web browser

and access
http://192.168.1.1
Confirm settings
Go through a setup wizard

WLC Express Setup Best Practices
AVC Visibility Management over Wireless disabled
mDNS Snooping
Load Balancing
New MDNS Profile for printer, http Rogue Threshold Enabled
Local Profiling
Client Exclusion Enabled
Band Select
FastSSID Enabled
DHCP Proxy Save Time & Money
Secure Web access Infra MFP
Virtual IP 192.0.2.1 Multicast Forwarding Mode  Optimum starting point at

Day 0/1 network setup
RRM-DCA Auto SNMPv3 (delete default)
 RF parameter setting
RRM-TPC Auto ease of use
Mobility Name
CleanAir Enabled  Enhanced performance,
RF Group same as Mobility Name security, resiliency with
EDRRM Enabled
best practice
Channel Width 40 MHz DHCP Required on Guest WLAN
recommendations turned
5 GHz Channel Bonding on at boot up time
Aironet IE Disabled
WLC WLC
2. WLCCA CAA
AppPractice
8.1
Group support
default
Enhance Drive
Usability and
Manageability
Feature
Experience Adoption
Best Practices Audit Fine-tune

features to
Derive
Maximum
Potential
Optimum
from WLAN
Best
Deployment
Best Practices Audit Workflow
 Compliance level check
natively on WLC
 Identify Best Practice gaps

on upgrade
 Easy one-click Fix It Now
 Restore Default to revert

configuration to default
 Learn more to understand

better
Best Practices Audit Workflow
Audit Upgrades
 Compliance metric and reporting

natively on WLC
 Identify missing best practice
configuration on upgrade
 Easy one-click fix It option to turn
on Best Practice Knobs
 Restore Defaults to revert
configuration to default
Enhance Drive
Usability and
Manageability
Feature
Experience Adoption
Dashboard Views Fine-tune

features to
Derive
Maximum
Potential
Optimum
from WLAN
Best
Deployment
Monitoring Dashboard
• 10,000 feet view of
Wireless health
• APs
• Clients
• WLANs
• Applications and Devices
• Rogues and Interferes
• AP or Client search for
targeted troubleshooting
• Add/delete Widgets
• Tabular/Graphical View
Network Summary – Access Points List
• Inventory
• Uptime
• Usage
• Drill down into
specific APs of
interest
Network Summary – Access Point Details
User Cases:
• Slow network connectivity

Incorrect configuration
Radios down
• Clients cannot connect
RF Interference
Legacy Devices
Too many Clients
impacting performance
Wireless Dashboard – AP Performance
Use Cases:
• Client Connectivity Issues
Band Select not enabled

Too many SSIDs
Lower Data Rates Enabled Insufficient coverage –
not enough APs
Excessive co-channel interference – Uneven distribution of clients

Too Many APs Load Balancing not enabled
Network Summary – Client List
• AP / Band Distribution
• Signal Quality
• Legacy Devices
Network Summary – Client Details
• Single pane of glass for client troubleshooting
Application Usage
Client Capabilities
Neighbouring APs
Correct Policy Assignment –

Security, QoS, mDNS, VLAN, Client Connection State
ACL Reachability and
Latency
Wireless Dashboard – Client Performance
Use Cases:
• Client Connectivity
Issues
• Poor Client Low RSSI caused by Sticky

High Noise causing Low SNR
Performance Client and Legacy Devices
Client Band Distribution to

identify 11b/g devices
Users cannot connect

• 802.11 association failure
• DHCP Failure
• Web Auth failure
• Admin Reset
Monitoring App – Network Summary
Monitoring App – RF Overview
Monitoring App – AP and Client Performance
WLC WLC
2. WLCCA CAA
AppPractice
8.1
Group support
default
Enhance Drive
Usability and
Manageability
Feature
Experience Adoption
WLC Config Analyzer Fine-tune

features to
Derive
Maximum
Potential
Optimum
from WLAN
Best
Deployment
WLC Config Analyzer – Incorporating Best Practices
• Simplify operational use to quickly target and mitigate problem areas.

• Drive adoption of best practices and feature implementation.
• Strengthen customers security, network health and configuration robustness.
• Effectively, show customer trend, with measurable improvement of metrics over
time.
https://supportforums.cisco.com/document/7711/wlc-config-analyzer
WLC Config Analyzer – Deployment types
Addressing BP and features based on deployment

• Voice
• Security
• Flex
• Mesh
• Enterprise*
• BYOD*
*Coming Soon !
WLC Config Analyzer – Per Controller Compliance
• Best Practices categorized
into
• General
• AP
• Mobility
• RF
• Security
• Voice
• Mesh
• Flex 0-40% Red
41-80% Yellow
• Per-Controller Compliance
81-100% Green
Level for Each category
• Total/Passed/Failed checks
WLC Config Analyzer – Best Practices detail
• Individual Best Practice knob compliance (Yes/ No)
0-40% Red
41-80% Yellow
81-100% Green
Overall Compliance per

category
WLC Config Analyzer – All Controllers
• Best Practices Compliance across controllers in the same Config Set #

• Average across controllers for each category
WLC Config Analyzer – Site Summary Messages
• Best Practices is NOT Config
Errors or Design decisions
• It is - “Works without but works
much better with”
• Verbose BP messages under
Global Messages and AP
Messages
Best practice messages
WLC Config Analyzer – Global Messages & AP Messages
Message Category Meaning

Config Error Bad Configuration
Parsing Error Error on File
Processing
Informational Informational
messages
Best Practices Compliance Checks
Message
Severity
Error
( Critical )
Warning
( Highly
Recommended)
Informational
( Good to Have )
WLCCA Updates
• Compatible with Next-Gen controllers 5520, 8540
• IOS XE Support – 3650/3850/5760
• AireOS Support since release 4.1
• AP MIC expiration warning
• WLCCA - Version 3.6.5
• CAA – Coming Up!
show run-config
Compliance Level w/ and w/o Express WLAN Setup
7.6 MR2 without Analyze & Mitigate

Express WLAN Setup
 Downloadable client
 Simplified operational use to
quickly identify and and fix
problem areas
 RF Health metrics, IOS Support,
Mobility Group support
8.1 with Express WLAN

Setup
RF Health Analysis
Single • Summarization of the RF Health

AP aggregated per:
 AP
 AP Group
 FlexConnect Group
 RF Neighborhood
Flex RF AP
Groups Health Groups
• Aggregation of the RF metrics per
each working entity, for flexibility of
analysis
RF
Neighbor-
hood
WLC WLC
2. WLCCA CAA
AppPractice
8.1
Group support
default
Introducing Cisco Active Advisor
• Free, cloud based service
• Agentless – nothing to download
• It provides customers:
• Security Advisories (PSIRTs)
• End-of-life & End-of-support dates
• Warranty & service contract status
• Device Health Score
• Accessible at:
www.CiscoActiveAdvisor.com
• IOS XE Support – Coming Up!

• AP MIC expiration Warning – Coming up!
Enhance Drive
Usability and
Manageability
Feature
Experience Adoption
Cisco Active Advisor Fine-tune

features to
Derive
Maximum
Potential
Optimum
from WLAN
Best
Deployment
CAA Device Scanner
Cisco Active Advisor Personalized Health Score
Improve
 Personalized device
health score
 Free, cloud-based
service
 Automatically takes an
inventory of your Cisco
network
Enhance Drive
Usability &
Feature Manageability
Feature
Experience Adoption
Best Practices Fine-tune

features to
Derive
Maximum
Potential
Optimum
from WLAN
Best
Deployment
For Your
Best Practices
Make it Easy Recommendations
Make it work Reference
Enable High Availability (AP and Client SSO) Enable 802.1x and WPA/WPA2 on WLAN
Enable AP Failover Priority Enable 802.1x authentication for AP
Enable AP Multicast Mode Change advance EAP timers
Enable Multicast VLAN Enable SSH and disable telnet
BEST PRACTICES (AirOS)
INFRASTRUCTURE
SECURITY
Enable Pre-image download Disable Management Over Wireless
Enable AVC Disable WiFi Direct
Enable NetFlow Peer-to-peer blocking
Secure Web Access (HTTPS)
Enable Local Profiling (DHCP and HTTP)
Enable User Policies
Enable NTP
Enable Client exclusion policies
Modify the AP Re-transmit Parameters Enable rogue policies and Rogue Detection RSSI
Enable FastSSID change Strong password Policies
Enable Per-user BW contracts Enable IDS
Enable Multicast Mobility BYOD Timers
Enable Client Load balancing
Disable Aironet IE Disable 802.11b data rates
FlexConnect Groups and Smart AP Upgrade Restrict number of WLAN below 4
Enable channel bonding – 40 or 80 MHz
WIRELESS / RF
Set Bridge Group Name
Set Preferred Parent Enable BandSelect
Multiple Root APs in each BGN Use RF Profiles and AP Groups
MESH
Set Backhaul rate to "Auto" Enable RRM (DCA & TPC) to be auto
Set Backhaul Channel Width to 40/80 MHz Enable Auto-RF group leader selection
Backhaul Link SNR > 25 dBm Enable Cisco CleanAir and EDRRM
Avoid DFS channels for Backhaul Enable Noise &Rogue Monitoring on all channels
External RADIUS server for Mesh MAC Authentication
Enable DFS channels
Enable IDS
Enable EAP Mesh Security Mode Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Infrastructure Best Practices
Infrastructure Best Practices
 Enable High Availability (AP and Client SSO)
 Enable AP Failover Priority
INFRASTRUCTURE
 Enable AP Multicast Mode
 Enable Multicast VLAN
 Enable Pre-image download
 Enable AVC
 Enable NetFlow
 Enable Local Profiling (DHCP and HTTP)
 Enable NTP
 Modify the AP Re-transmit Parameters
 Enable FastSSID change
 Enable Per-user BW contracts
 Enable Multicast Mobility
 Enable Client Load balancing
 Disable Aironet IE
Infrastructure: Enable High Availability (SSO)
A direct physical connection between Active and Standby Redundant Ports or Layer 2 connectivity is required
to provide stateful redundancy within or across datacenters
Sub-second failover and zero SSID outage

Infrastructure: Enable AP Failover Priority
• Wireless  Access Points  Global Configurations
• Wireless  Access Points  All APs->AP_NAME  High Availability
Allows certain APs to be assigned higher WLC join priorities, so they are given preference while
joining a WLC
Infrastructure: Enable AP Multicast mode
Controller  General  AP Multicast Mode
Unique across WLCs and not

clashing with other protocols
Network infrastructure must provide multicast routing between management interface subnet and AP subnet
Forward multicast traffic to Access Points instead of sending unicast messages to each individual AP
Infrastructure: Multicast VLAN for Interface Groups
WLANs  WLAN Name  General
VLAN1
VLAN2 (mcast_vlan)
Network VLAN3
VLAN4
Interface group
To limit the multicast on the air to a single copy on a predefined multicast VLAN
Infrastructure: Enable Pre-image download
Wireless  Global Configurations  AP Image Pre-download
Allows for less network downtime during software updates

Infrastructure: Enable AVC
Wireless  Application Visibility and Control  AVC Profiles
Enable Application
Visibility
Add per
application rules
Classifies applications, provides real-time analysis, and allows users to drop or mark data. Per-
user, per-device granularity for control
Infrastructure: Enable NetFlow in your WLC
Wireless  Netflow  Exporter  Create ‘New’
Wireless  Netflow  Monitor  New
NetFlow export to Cisco Prime or third party network management tool

Infrastructure: Enable Local Profiling
WLANs  Edit  WLAN_NAME  Advanced
Client devices can be profiled based on their manufacturer and operating system
Infrastructure: Enable NTP
Controller  NTP  Keys
Controller  NTP  Server
If NTP requires
authentication, first
add key
Synchronizes the time among all devices on the network including Access Point and Controller as
we have X.509 certificates installed in AP and WLC, Context-aware and location services, MFP,
Debugging
Infrastructure: Modify the AP Re-transmit Parameters
Wireless  Access Points  Global Configuration
Number of times the AP will

try to join the WLC (3-8)
Number of seconds to wait

before rejoining (2-5sec)
Allows user to customize the way APs attempt to join a WLC.

Increase count and interval for larger latency links like FlexConnect and satellite links
Infrastructure: Enable Fast SSID change
Controller  General
Allows clients to move faster between SSIDs, by not clearing the client entry
Infrastructure: Enable per-user bandwidth contract
WLANs  Edit ‘WLAN_NAME’  QoS
Limit data rates for Guest

and Contractor accounts
Enforces limits on non-mission critical clients

Infrastructure: Enable Multicast Mobility for mobility domains
Controller  Multicast
Controller  General
Allows clients to announce messages to all mobility peers, instead of individual WLCs, benefiting
time, CPU usage, and network utilization. Multicast routing between controllers
Infrastructure: Enable Client Load Balancing
WLANs  Edit “WLAN-NAME”  Advanced
Client Window Size 1-20

Maximum Denial Count 0-10
Balances the number of clients connect to a WLAN between multiple APs

Not suitable for Voice, Low Density and single AP deployments like hotspots
Infrastructure : Disable Aironet IE
• Aironet IE 0x85 in beacons and

probe responses
• AP name, load, client count etc.
• Controller sends Aironet IEs 0x85

and 0x95 in the reassociation
response if it receives Aironet IE
0x85 in the reassociation request
• Management IP address of WLC
• IP address of AP
Can cause compatibility issues with some types of wireless clients

Enable for WGB and Cisco voice. Optional for CCX based clients
Infrastructure: Same Virtual IP if same mobility name
Controller  Interfaces  virtual
Mobility Group
192.0.2.1 192.0.2.1
Inter-controller roaming can appear to work, but the hand-off does not complete and the
client loses connectivity when DHCP renew is performed if DHCP proxy enabled
Infrastructure: Fast Restart
73% Faster
Use Cases
 LAG Configuration change
 Mobility Mode change
 Web-auth certificate installation
 Clear Configuration
 Process Restart to reduce network and service downtime
 Post Configuration Wizard
 Better Serviceability
 Transfer Download of configuration
 Supported on Cisco WLC 7510, 8510, 5520 8540 and
vWLC
 CLI Command “restart”
Fast Restart to reduce network and service downtime and improve serviceability
RF & RRM Best Practices
RF & RRM Best Practices
 Disable 802.11b data rates
 Restrict number of WLAN below 4
 Enable channel bonding – 40 or 80 MHz
RRM / RF
 Enable BandSelect
 Use RF Profiles and AP Groups
 Enable RRM (DCA & TPC) to be auto
 Enable Auto-RF group leader selection
 Enable Cisco CleanAir and EDRRM
 Enable Noise &Rogue Monitoring on all channels
 Enable DFS channels
 Avoid Cisco AP Load
RF & RRM: Disabling .11b Data Rates
Wireless  802.11b/g/n  Network
Management frames sent at lowest mandatory rate - slows down the entire cell
RF & RRM: Disabling .11b Data Rates
Demonstrating the impact of 802.11b data rates on Channel Utilization
1 Mbps Mandatory : Channel Utilization 67%

6 Mbps Mandatory : Channel Utilization 23%
RF & RRM: Restrict Number of WLANs < 4
WLANs  WLANs
Each SSID needs a separate probe response and beaconing, the more SSIDs the less
RF space available for real data traffic
RF & RRM: Enable Channel Bonding – DBS
Wireless  802.11a/n/ac  RRM  DCA
Select the widest Channel Width with:

• Highest Client Data Rates
• Lowest Channel Utilization per Radio
• Minimize Data Retries / CRC errors
• On the 5GHz Band
While avoiding:
• Rogue APs
• CleanAir Interferers
40/80MHz wide channels in the 5GHz space can 2x/4x the amount of user data than can be
transmitted. For extreme HD deployments use 20 MHz channels to keep cell size small
RF & RRM: Enable Client Band Select
Allows dual-band clients to move to the less congested 5GHz band

Not recommended for Voice deployments
RF & RRM: RF Profiles
• RF Profiles work in Conjunction with AP Groups (beginning in release 7.2)
• You can create separate RF profiles for both 2.4 and 5 GHz
• 1 profile for each band (802.11a/802.11b) can be assigned to an AP group
• Today
• 802.11 data rates
• TPC Power Threshold and Min max Power settings
• DCA
• Coverage hole algorithm settings
• High Density – HDX configurations RX_SOP, Client Limit, Mcast data rate
• Client Distribution
More granular control of the RF network
RF Profiles : Granular Control
TPC, DCA, Coverage Hole
Data Rates
Load Balancing High Density

Network Profiles
Sets pre-defined RF parameters depending on “Client” Density and Traffic
Type
Client Density : High,
Typical, Low
Traffic Type : Data, Data

and Voice
Pre-built RF profiles
Client Density specific pre-built RF profiles for 2.4 GHz and 5GHz Bands – to be used
with AP Groups
Pre-built RF profiles for

use with AP Groups
RF & RRM: Use AP Groups
WLAN  Advanced  AP Groups
Ability to enable Wi-Fi Services and segregation of traffic based on physical location
RF & RRM: Enable RRM (DCA) to be auto
Wireless  802.11a/n/ac or 802.11b/g/n  RRM  DCA
Allows RRM to automatically select the best channel for each radio
DCA defaults work for typical carpeted offices
RF & RRM: Enable Cisco EDRRM
Sensitivity threshold
recommended to Medium
EDRRM triggers RRM to run when an access point detects a certain level of interference
RF & RRM: RF Group Leader must be an .11ac WLC (Release 7.5+)
in RF Groups with mixed versions
If the RF Group Leader does not support 802.11ac (Release 7.5+), APs in the RF Group
cannot select 80MHz channel widths
RF & RRM: Enable RRM (TPC) to be auto
Wireless  802.11a/n/ac or 802.11b/g/n  RRM  TPC
Recommended to use
TPCv1
Allows RRM to automatically select the best transmit power for each radio
Tune RRM parameters with Network and pre-built RF profiles
RF & RRM: Enable Cisco CleanAir
Wireless  802.11a/n/ac or 802.11b/g/n  CleanAir
97
100
63
90
20
35
Enable CleanAir on both

radio bands
CleanAir identifies non-WIFI interferers and generates interferer and air quality reports
RF & RRM: Enable Noise & Rogue Monitoring channels
Wireless  802.11a/n/ac or 802.11b/g/n  RRM  General
Scan All Channels for security, DCA Channels for performance

RF & RRM: Enable DFS channels
Increase the number of channels in 5GHz band. 4-

12 additional channels based on regulatory domain
Allows more 5GHz channels (only in regulatory domains that support UNII-2 Extended).
Please note that some clients do not support DFS channels
RF & RRM : Disable Avoid Cisco AP Load
Wireless  802.11b/g/n  RRM  DCA
To avoid frequent changes in DCA due to varying Load conditions

Security & BYOD Best
Practices
Security & BYOD Best Practices
 Enable 802.1x and WPA/WPA2 on WLAN
 Enable 802.1x authentication for AP
 Change advance EAP timers
 Enable SSH and disable telnet
 Disable Management Over Wireless
SECURITY
 Disable WiFi Direct

 Peer-to-peer blocking
 Secure Web Access (HTTPS)
 Enable User Policies
 Enable Client exclusion policies
 Enable rogue policies and Rogue Detection RSSI
 Strong password Policies
 Enable IDS
 BYOD Timers
Security : Enable 802.1x on WLAN
WLANs  Edit ‘WLAN_NAME’  Security
Provides greater network security on WLAN using 802.1x authentication

Security: Enable 802.1x authentications for AP
Wireless  Access Points  Global Configurations
To enable 802.1X authentication on a switch port, on the switch CLI, enter

these commands:
Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host ip_addr auth-port port acct-port port
key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Provides greater network security by enabling 802.1x on the switch port where AP is
connected. Not supported for Mesh deployments
Security: Enable SSH and Disable Telnet
Management  Telnet–SSH
Disable Telnet and enable SSH as the default option
0 implies no sessions
will be allowed
Provides greater security by allowing secure access and denying unencrypted access
Security: Disable Management Over Wireless
Management  Mgmt Via Wireless
Disallow management of the Controller via Wireless

Security : Disable WiFi Direct
WLANs  WLAN Name  Advanced
Unauthorized Devices Corporate

Laptop Corporate
WLAN
Prevent security hole if the device is connected to both the infrastructure and a
Personal Area Network (PAN) at the same time. Will break Android devices
Security: Secure Web Access ( HTTPS )
Management  HTTP-HTTPS
Provides greater security by allowing secure access

Security: Enable User Login Policies
Security  AAA  User Login Policies
Range is between 0 – 8.
Zero indicates no limit
Prevent login attacks by restricting the numbers the users who can use the same login
credentials between 1 - 5
Security: Enable Client Exclusion Policies
Security  Wireless Protection Policies Client Exclusion Policies
Enable exclusion policies to prevent the network from Assoc/Auth failure attacks.
Disable for Voice deployments
Security: Enable Strong Password Policies
Security  AAA  Password Policies
Enable strong user and AP password policies on the controller

Minimum password length of 8 is recommended
Security: Enable Rogue Policies
Security  Wireless Protection Policies  Rogue Policies  General  Low
Friendly Malicious
The Rogue Detection Security Level should be set at a minimum to “low”

Security: Set Rogue Detection RSSI
Security  Wireless Protection Policies  Rogue Policies  General
Set Rogue Detection Minimum Threshold to -70 to -75 dBm

Security: Enable IDS Signatures
Security  Wireless Protection Policies  Standard Signatures
Enable the wireless IDS features in the controller and enable 17 built-in features to avoid
intrusion attacks
Security : Enable CPU ACLs
Security  Access Control Lists  CPU Access Control Lists
Control overall access to the WLC by filtering management protocols such as SSH,
SNMP, etc such that they can only hit the CPU if they originate from our management
networks
BYOD: Radius Timeout >=5 sec
Security  AAA  RADIUS  Authentication
To prevent pre-mature failover since the default of 2 seconds is generally low for ISE as ISE relies
on backend databases for user lookups and group fetches. Too high causes queue issues on WLC
BYOD: Session Timeout
Longer is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535
seconds for open/CWA SSIDs, shorter is better from security point of view.
BYOD: Client Idle Timeout
For networks where users stay largely within the coverage area the setting can be
increased to 3600 seconds for an SSID running 802.1x or RADIUS NAC against ISE.
BYOD: Client Exclusion
180 seconds is the recommended default with ISE though 60 seconds is the WLC
default. The reason behind this is the minimum reject interval on ISE for miss-configured
supplicant detection is 5 minutes or 300 seconds
BYOD: EAPoL and EAP Request Timeout
WLANs  WLAN Name  Security  AAA Servers
Recommended EAPoL-Key Timeout < 1000 ms and EAPoL-Key Max Retries <= 2
Recommeded EAP Request timeout <30 sec ( 10 sec ) and EAP Max Retries =<2
BYOD: Disable Interim Accounting
WLANs  WLAN Name  Security  AAA Servers
Interim accounting adds additional unneeded load with no added benefit to ISE.
BYOD : Disable Aggressive Failover
config radius aggressive-failover disable command to disable the

aggressive failover feature
show radius summary to check the status of this feature
Only fails over to the next AAA server if there are three consecutive clients that
fail to receive a response from the RADIUS server
In some circumstances it can cause the WLC to pre-maturely mark ISE dead in times of
high load and cause additional load on ISE
BYOD : Set RADIUS Fallback Passive
Security  AAA  RADIUS  Fallback
The WLC can be configured to check if

the primary server is available and
switch back to the primary RADIUS
server once it is available.
Recommended to configure RADIUS Fallback Mode to Passive

FlexConnect Best Practices
FlexConnect Best Practices
 Enable FlexConnect Groups

 CCKM/OKC Key sharing for Voice deployments
CONNECT

FLEX
Design for Resiliency

 Enable Smart AP Image Upgrade
 Configuration and Monitoring at FlexConnect Group
 VLAN Support/Native VLAN at FlexConnect Group
FlexConnect: Enable FlexConnect Groups
Wireless  FlexConnect Groups  Edit “Groupname”
Central Site
WAN
Allow users to assign specific APs to groups with set configurations, OKC/CCKM key
caching for Voice, Local RADIUS server configuration, consistent WLAN mappings
FlexConnect: Configuration & Monitoring at Group
VLAN
Support/Native
FlexConnect AVC VLAN
Consistency of Mapping, Ease of Configuration and per-site monitoring capability

FlexConnect: Enable “FlexConnect AP Upgrade”
Wireless  Flexconnect Groups  Edit “Groupname”  Image Upgrade Tab
New
Wireless Control Wireless
System LAN
Controller
WAN
Master AP
Avoids downloading multiple copies of the Access Point software over the slow WAN link
to the remote site, reduces service downtime and reduces risk of download failure
Best Practices Polling Results !
Local Pre-image 802.1x Client Rogue Flex

SSO AVC Data Rates SSID Limit RF profiles
Profiling download WLAN Exclusion Detection Groups
Key Takeaways
Enhance Derive
Fine-tune
Usability and Drive Maximum
features to
Manageability Feature Potential
Optimum
Experience Adoption from WLAN
Best
Deployment
Save Time & Money Audit Upgrades Analyze & Mitigate Improve
 Optimum starting point at  Compliance metric and  Downloadable client
reporting natively on WLC  Personalized device
Day 0/1 network setup  Configuration stays local health score
 RF parameter setting ease  Identify missing best practice  Quickly identify and and fix
configuration on upgrade  Free, cloud-based
of use problem areas service
 Enhanced performance,  Easy one-click fix It option to  RF Health metrics, IOS
turn on Best Practice Knobs  Automatically takes an
security, resiliency with Support, Mobility Group inventory of your Cisco
best practice support network
recommendations at boot
time
Audit Monitoring Feature

Express and RF
Upgrade Dashboar
WLCCA CAA Best
Setup
Workflow d Practices
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could Be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
• Complete your session surveys
though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you

Brkewn 2670 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brkewn 2670 PDF

Uploaded by

Copyright:

Available Formats

Best Practices for Configuring Cisco

Wireless LAN Controllers

 WLC Express Setup  WLCCA Update

Express Setup Fine-tune

Wireless: Connect AP WLC port 3 or 4 (PoE)

Connect to SSID ‘CiscoAirProvision’ using

Wait for the SYS LED light

If setup is Wireless, wait for

Open a web browser

Go through a setup wizard

Virtual IP 192.0.2.1 Multicast Forwarding Mode  Optimum starting point at

Best Practices Audit Fine-tune

 Identify Best Practice gaps

 Easy one-click Fix It Now

 Restore Default to revert

 Learn more to understand

 Compliance metric and reporting

Dashboard Views Fine-tune

• Slow network connectivity

• Client Connectivity Issues

Band Select not enabled

Excessive co-channel interference – Uneven distribution of clients

Correct Policy Assignment –

• Poor Client Low RSSI caused by Sticky

Client Band Distribution to

Users cannot connect

WLC Config Analyzer Fine-tune

• Simplify operational use to quickly target and mitigate problem areas.

Addressing BP and features based on deployment

Overall Compliance per

• Best Practices Compliance across controllers in the same Config Set #

Message Category Meaning

7.6 MR2 without Analyze & Mitigate

8.1 with Express WLAN

Single • Summarization of the RF Health

• IOS XE Support – Coming Up!

Cisco Active Advisor Fine-tune

Best Practices Fine-tune

Sub-second failover and zero SSID outage

Unique across WLCs and not

Allows for less network downtime during software updates

Wireless  Netflow  Monitor  New

NetFlow export to Cisco Prime or third party network management tool

Controller  NTP  Server

Number of times the AP will

Number of seconds to wait

Allows user to customize the way APs attempt to join a WLC.

Limit data rates for Guest

Enforces limits on non-mission critical clients

Client Window Size 1-20

Balances the number of clients connect to a WLAN between multiple APs

• Aironet IE 0x85 in beacons and

• Controller sends Aironet IEs 0x85

Can cause compatibility issues with some types of wireless clients

Controller  Interfaces  virtual

 Mobility Mode change

 Web-auth certificate installation

1 Mbps Mandatory : Channel Utilization 67%

Wireless  802.11a/n/ac  RRM  DCA

Select the widest Channel Width with:

Allows dual-band clients to move to the less congested 5GHz band

TPC, DCA, Coverage Hole

Load Balancing High Density