Cisco WLAN Best Practice

7/23/2019 Cisco WLAN Best Practice

http://slidepdf.com/reader/full/cisco-wlan-best-practice 1/119

Best Pract ices for Con f igur ing C

Wireless LAN Con trol lers Aparajita Sood

Technical Marketing Engineer BRKEWN-2670

User-First Pillars and Checkpoints

EnhanceUsability andManageability

Experience

Drive Feature Adoption

Fine-tunefeatures to

Optimum Best

DeriveMaximumPotential from

WLANDeployment

Express

Monitoring &RF

Dashboard

FeatureBest

Practices

AuditUpgradeWorkflow

Agenda

WLC Express Setup Wired Express Setup

OTA Express Setup

WLC Dashboard View

Monitoring

RF Health

Mobile App

WLC Best Practice Audit

One-click Fix

Manual Configuration

WLCCA Update RF Health

Cisco Active Advisor

Device Health Score

Wireless Health Tool

Feature Best Practices

Infrastructure

RF/RRM

Security and BYOD

FlexConnect

ExpressSetup

Monitoand R

FeatuBes

Practi

Step 1: Download the Mobile App

Get all the information you need at yourfingertips!

Step 2: Access the

Log into the app usingLive login & find yo

http://bit.ly/clus2015

Participate in session polling and Q&A

Best Practices Checkpoints

Free, cloud Agentless –

2. App Engage

WLCWLAN Express Setup

7.6 MR2, 8.0, 8.1

WLCCAConfig

Analyzer

WLCBest Practice AuditDashboard View

Best Practices defaults,RF Parameter Optimization, Network

Profiles

Audit Page on Upgrade,One-click Fix It,

Manual Config Option

Windows Executable“show run-config” Based

Analyzer Tool

Downloadable client

Configuration stays local

Simplified operational use to quickly identifyand and fix problem areas

RF Health metrics, IOS Support, MobilityGroup support

Cisco Perso

Compare yoconfigurationpractices

Automated Network Sca

Compliance metric and reporting natively onWLC

Identify missing best practice configuration onupgrade

Easy one-click fix It option to turn on BestPractice Knobs

Restore Defaults to revert configuration todefault

Optimum starting point at Day 0/1 networksetup

RF parameter setting Ease of use

Enhanced performance, security, resiliencywith best practice recommendations turnedon boot up time

Express Setup

EnhanceUsability &

Manageability

Experience

Fine-tunefeatures to

Optimum Best

WLAN Express SetupDay 0/1 Ease of Setup

2. App Engage

WLAN Express Setup7.6 MR2, 8.0, 8.1

Config Analyzer

Upgrade Audit Workflow8.1

Profiles

Analyzer Tool

Downloadable client

Cisco Perso

Wired Express Setup• Introduced on 2504 in 7.6 MR2, 8.0• Extended to 5508, vWLC, 7510, 8510 in 8.1• Extended to 5520, 8540 in 8.1

Wireless Over-The-Air (OTA) Setup• Available in 8.1 and higher • Supports Universal AP (UX)• Supported on 2504

Wireless: Connect AP WLC port 3 or 4 (PoEWired: Connect PCEthernet cable to any port

on the WLC for 2504 and toSP port on other WLCS

If setup is Wireless, wait for AP to power and broadcast SSID

Wait for the SYS LED lightto be solid

Wired and Wireless OTA Express SetupDay 0/1 Ease of Setup

Connect to SS

the key ‘passw

Open a web browserand access

http://192.168.1.1

Enable RF Optimization

Confirm settings

Go through a setup wizard

Wired and Wireless OTA Express SetupDay 0/1 Ease of Setup

2. App Engage

Config Analyzer

Best Practice AuditDashboard View

Profiles

Analyzer Tool

Downloadable client

Cisco Perso

Best Practices Audit

Experience

Fine-tunefeatures toOptimum

Best Practices Audit Workflow

Compliance level check

natively on WLC

Identify Best Practice gaps

on upgrade

Easy one-click Fix It Now

Restore Default to revertconfiguration to default

Learn more to understand

better

Best Practices Audit Workflow

Complianatively

Identify mconfigur

Easy onon Best

Restore configur

Dashboard Views

Experience

Network Summary – Access Points List

Network Summary – Client List

• AP

• Si

• Le

Network Summary – Client Details

• Single pane of glass for client troubleshooting

Client Connection StatReachability andLatency

Client CapabilitiesNeighbouring APs

Correct Policy Assignment –Security, QoS, mDNS, VLAN,

Application Usage

Wireless Dashboard – Client Performance

Use Cases:

• Client ConnectivityIssues

• Poor ClientPerformance

Users cannot connect• 802.11 association failure• DHCP Failure• Web Auth failure• Admin Reset

Low RSSI caused by StickyClient and Legacy Devices

Client identif

Monitoring App – RF Overview

Monitoring App – AP and Client Performanc

App Engage

Config Analyzer

Best Practice AuditDashboard View8.1

Profiles

Analyzer Tool

Downloadable client

Cisco Perso

Addressing BP and features based on deployment

• Voice

• Security

• Flex

• Mesh

• Enterprise*

• BYOD*

*Coming Soon !

WLC Config Analyzer – Deployment types

• Best Practices categorizedinto

• General• AP

• Mobility

• RF

• Security

• Voice

• Mesh• Flex

• Per-Controller ComplianceLevel for Each category

• Total/Passed/Failed checks

WLC Config Analyzer – Per Controller Com

41-80%

81-100%

• Individual Best Practice knob compliance (Yes/ No)

WLC Config Analyzer – Best Practices deta

Overall Compliance per

category

41-80%

81-100%

• Best Practices is NOT ConfigErrors or Design decisions

• It is - “Works without but worksmuch better with”

• Verbose BP messages underGlobal Messages and APMessages

WLC Config Analyzer – Site Summary Mess

RF Health Analysis

RFHealth

Single

APGroups

RFNeighbor -

FlexGroups

• Summarization of the

aggregated per: AP AP Group FlexConnect Gro RF Neighborhood

• Aggregation of the RFeach working entity, foanalysis

Cisco Active Advisor Personalized Health Sc

Personahealth s

Free, closervice

Automainventonetwork

Feature

Best Practices

EnhanceUsability &

ManageabilityExperience

MaxPot

from Deplo

I f t t B t P ti

Infrastructure Best Practices

Enable High Availability (AP and Client SSO) Enable AP Failover Priority

Enable AP Multicast Mode Enable Multicast VLAN Enable Pre-image download Enable AVC Enable NetFlow Enable Local Profiling (DHCP and HTTP) Enable NTP Modify the AP Re-transmit Parameters Enable FastSSID change Enable Per-user BW contracts Enable Multicast Mobility Enable Client Load balancing Disable Aironet IE I N

F R A S

T R U C T U R E

Infrastructure: Enable AP Failover Priority

• Wireless Access Points Global Configurations

• Wireless Access Points All APs->AP_NAME High Availability

Allows certain APs to be assigned higher WLC join priorities, so they are given p joining a WLC

Infrastructure: Enable AP Multicast mode

Controller General AP Multicast Mode

Forward multicast traffic to Access Points instead of sending unicast messages to eac

Unique a

clashing

Network infrastructure must provide multicast routing between management interface sub

Infrastructure: Multicast VLAN for Interface G

WLANs WLAN Name General

To limit the multicast on the air to a single copy on a predefined mu

NetworkVLAN2 (mcast_vlan)

Interface group

Infrastructure: Enable AVC

Wireless Application Visibility and Control AVC Profiles

Classifies applications, provides real-time analysis, and allows users to drop or

user per-device granularity for control

Add per

application rules

Enable Application

Visibility

Infrastructure: Enable NTP

Controller NTP Keys

Controller

Server

Synchronizes the time among all devices on the network including Access Point we have X.509 certificates installed in AP and WLC, Context-aware and location Debugging

If NTP requires

authentication, first

add key

Infrastructure: Enable Multicast Mobility for mobility

Controller General

Controller Multicast

Allows clients to announce messages to all mobility peers, instead of individual Wtime, CPU usage, and network utilization. Multicast routing between controllers

Infrastructure: Enable Client Load Balancing

WLANs Edit “WLAN-NAME” Advanced

Balances the number of clients connect to a WLAN between muNot suitable for Voice, Low Density and single AP deployments lik

Client Window Size 1-20

Maximum Denial Count 0-10

Infrastructure: Same Virtual IP if same mobility nam

Controller Interfaces virtual

Inter-controller roaming can appear to work, but the hand-off does not cclient loses connectivity when DHCP renew is performed if DHCP proxy

Mobility Group

192.0.2.1 19

RF & RRM Best Practices

RF & RRM: Disabling .11b Data Rates

Wireless 802.11b/g/n Network

Management frames sent at lowest mandatory rate - slows down the e

RF & RRM: Disabling .11b Data Rates

Demonstrating the impact of 802.11b data rates on Channel Utiliza

1 Mbps Mandatory :6 Mbps Mandatory :

RF & RRM: Enable Channel Bonding – DBS

Wireless 802.11a/n/ac RRM DCA

40/80MHz wide channels in the 5GHz space can 2x/4x the amount of user data ttransmitted. For extreme HD deployments use 20 MHz channels to keep cell size

Select the widest Channel W• Highest Client Data• Lowest Channel Uti• Minimize Data Retri• On the 5GHz Band

While avoiding:

• Rogue APs• CleanAir Interferers

RF & RRM: Enable Client Band Select

WLANs Edit “WLAN-NAME” Advanced

Allows dual-band clients to move to the less congested 5GHzNot recommended for Voice deployments

RF & RRM: RF Profiles

• RF Profiles work in Conjunction with AP Groups (beginning in release 7.2)

• You can create separate RF profiles for both 2.4 and 5 GHz

• 1 profile for each band (802.11a/802.11b) can be assigned to an AP group

• Today

• 802.11 data rates

• TPC Power Threshold and Min max Power settings

• DCA

• Coverage hole algorithm settings

• High Density – HDX configurations RX_SOP, Client Limit, Mcast data ra

• Client Distribution

More granular control of the RF network

RF Profiles : Granular Control

Data Rates

Load Balancing

TPC, DCA, Coverag

Network Profiles

Client Dens

Typical, Low

Traffic Type : D

and Voice

Sets pre-defined RF parameters depending on “Client” Density and

Pre-built RF profiles

Pre-built RF pr

use with AP G

Client Density specific pre-built RF profiles for 2.4 GHz and 5GHz Bands – towith AP Groups

RF & RRM: Use AP Groups

WLAN Ad d AP G

WLAN Advanced AP Groups

Ability to enable Wi-Fi Services and segregation of traffic based on ph

RF & RRM: Enable RRM (DCA) to be autoWireless 802 11a/n/ac or 802 11b/g/n RRM DCA

Wireless 802.11a/n/ac or 802.11b/g/n RRM DCA

Allows RRM to automatically select the best channel for eachDCA defaults work for typical carpeted offices

RF & RRM: RF Group Leader must be an .11ac WLC (Rein RF Groups with mixed versions

If the RF Group Leader does not support 802.11ac (Release 7.5+), APscannot select 80MHz channel widths

RF & RRM: Enable RRM (TPC) to be auto

Wireless 802.11a/n/ac or 802.11b/g/n RRM TPC

Allows RRM to automatically select the best transmit power for eTune RRM parameters with Network and pre-built RF prof

Recommended to use

RF & RRM: Enable Cisco CleanAir Wireless 802 11a/n/ac or 802 11b/g/n CleanAir

Wireless 802.11a/n/ac or 802.11b/g/n CleanAir

CleanAir identifies non-WIFI interferers and generates interferer and a

Enable CleanAir on both

radio bands

RF & RRM: Enable Noise & Rogue Monitoring

Wireless 802.11a/n/ac or 802.11b/g/n RRM General

Scan All Channels for security, DCA Channels for performa

RF & RRM: Enable DFS channels

Wi l 802 11 / / 802 11b/ / RRM DCA

Wireless 802.11a/n/ac or 802.11b/g/n RRM DCA

Allows more 5GHz channels (only in regulatory domains that support UNPlease note that some clients do not support DFS channels

Increase the number of chann12 additional channels based o

RF & RRM : Disable Avoid Cisco AP Load

Wireless 802.11b/g/n RRM DCA

To avoid frequent changes in DCA due to varying Load cond

Security & BYOD BestPractices

Security & BYOD Best Practices

Enable 802 1x and WPA/WPA2 on WLAN

S E C U R I T Y

Enable 802.1x and WPA/WPA2 on WLAN Enable 802.1x authentication for AP Change advance EAP timers Enable SSH and disable telnet Disable Management Over Wireless Disable WiFi Direct Peer-to-peer blocking Secure Web Access (HTTPS) Enable User Policies Enable Client exclusion policies

Enable rogue policies and Rogue Detection RSSI Strong password Policies Enable IDS BYOD Timers

Security : Enable 802.1x on WLAN

WLANs Edit ‘WLAN NAME’ Security

WLANs Edit WLAN_NAME Security

Provides greater network security on WLAN using 802.1x authe

Security: Enable 802.1x authentications for

Wi l A P i t Gl b l C fi ti

Wireless Access Points Global Configurations

To enable 802.1X authentication on a switch port, o

these commands:

Switch# configure terminal

Switch(config)# dot1x system-auth-control

Switch(config)# aaa new-model

Switch(config)# aaa authentication dot1x default g

Switch(config)# radius-server host ip_addr auth-po

key key

Switch(config)# interface fastethernet2/1

Switch(config-if)# switchport mode access

Switch(config-if)# dot1x pae authenticator

Switch(config-if)# dot1x port-control autoSwitch(config-if)# end

Provides greater network security by enabling 802.1x on the switch pconnected. Not supported for Mesh deployments

Security: Enable SSH and Disable Telnet

Management Telnet SSH

Management Telnet –SSH

Disable Telnet and enable SSH as the default option

Provides greater security by allowing secure access and denying unen

0 implies no sessio

will be allowed

Security: Disable Management Over Wireles

Management Mgmt Via Wireless

Disallow management of the Controller via Wireless

Security : Disable WiFi Direct

WLANs WLAN Name Advanced

Prevent security hole if the device is connected to both the infrastructurPersonal Area Network (PAN) at the same time. Will break Android devi

Corporate

Laptop CorporateWLAN

Unauthorized Devices

Security: Secure Web Access ( HTTPS )

Management HTTP-HTTPS

Management HTTP HTTPS

Provides greater security by allowing secure access

Security: Enable User Login Policies

Security AAA User Login Policies

Prevent login attacks by restricting the numbers the users who can use credentials between 1 - 5

Range is between 0 – 8.

Zero indicates no limit

Security: Enable Client Exclusion Policies

Security Wireless Protection Policies Client Exclusion Policies

Enable exclusion policies to prevent the network from Assoc/Auth failureDisable for Voice deployments

Security: Enable Strong Password PoliciesSecurity AAA Password Policies

Enable strong user and AP password policies on the contrMinimum password length of 8 is recommended

Security: Enable Rogue Policies

Security Wireless Protection Policies Rogue Policies Gener

The Rogue Detection Security Level should be set at a minimum

Friendly Malic

Security: Set Rogue Detection RSSI

Security Wireless Protection Policies Rogue Policies Gen

Set Rogue Detection Minimum Threshold to -70 to -75 dB

Security: Enable IDS Signatures

Security Wireless Protection Policies Standard Signatures

Enable the wireless IDS features in the controller and enable 17 built-in intrusion attacks

Security : Enable CPU ACLs

Security Access Control Lists CPU Access Control Lists

Control overall access to the WLC by filtering management protocols suSNMP, etc such that they can only hit the CPU if they originate from ournetworks

BYOD: Session Timeout

Longer is better for AAA load up to a value of 86400 seconds for 802.1xseconds for open/CWA SSIDs, shorter is better from security point of vie

BYOD: Client Idle Timeout

For networks where users stay largely within the coverage area the settincreased to 3600 seconds for an SSID running 802.1x or RADIUS NAC

BYOD: Client Exclusion

180 seconds is the recommended default with ISE though 60 seconds isdefault. The reason behind this is the minimum reject interval on ISE forsupplicant detection is 5 minutes or 300 seconds

WLANs WLAN Name Security AAA Servers

BYOD: EAPoL and EAP Request Timeout

Recommended EAPoL-Key Timeout < 1000 ms and EAPoL-Key Ma

Recommeded EAP Request timeout <30 sec ( 10 sec ) and EAP Ma

BYOD: Disable Interim Accounting

Interim accounting adds additional unneeded load with no added be

BYOD : Disable Aggressive Failover

config radius aggressive-failover disable command taggressive failover feature

show radius summary to check the status of this feature

Only fails over to the next AAA server if there are three consecutive

fail to receive a response from the RADIUS server

In some circumstances it can cause the WLC to pre-maturely mark ISE high load and cause additional load on ISE

BYOD : Set RADIUS Fallback PassiveSecurity AAA RADIUS Fallback

Recommended to configure RADIUS Fallback Mode to Pas

The WLC can be c

the primary server

switch back to the

server once it is av

FlexConnect Best Practice

FlexConnect Best Practices

F L E X

C O N N E C T

Enable FlexConnect Groups

CCKM/OKC Key sharing for Voice deployments Design for Resiliency

Enable Smart AP Image Upgrade

Configuration and Monitoring at FlexConnect Group

VLAN Support/Native VLAN at FlexConnect Group

FlexConnect: Enable FlexConnect GroupsWireless FlexConnect Groups Edit “Groupname”

Allow users to assign specific APs to groups with set configurations, OKcaching for Voice, Local RADIUS server configuration, consistent WLAN

FlexConnect: Configuration & Monitoring at

Consistency of Mapping, Ease of Configuration and per-site monitor

FlexConnect AVC

VLASupport/

FlexConnect: Enable “FlexConnect AP UpgWireless Flexconnect Groups Edit “Groupname” Image Upgrade Ta

Avoids downloading multiple copies of the Access Point software over thto the remote site, reduces service downtime and reduces risk of downlo

Wireless ControlSystem

Master AP

Best Practices Polling Results !

SSO AVC Local

Prof i l ing Pre-imagedownload

Data Rates SSID L im it RF prof i les 802.1xWLAN

ClientExc lus ion

Key Takeaways

Experience

DriveFeature

Adoption

DerMaxiPote

from WD l

Optimum starting point atDay 0/1 network setup

RF parameter setting easeof use

Enhanced performance,security, resiliency with

best practicerecommendations at boottime

Save Time & Money Audit Upgrades

Compliance metric andreporting natively on WLC

Identify missing best practiceconfiguration on upgrade

Easy one-click fix It option toturn on Best Practice Knobs

Downloadable client

Quickly identify and and fixproblem areas

RF Health metrics, IOSSupport, Mobility Groupsupport

Analyze & Mitigate

ExpressSetup

Monitoringand RF

Dashboar d

AuditUpgradeWorkflow

WLCCA CAA

BestDeploy

Participate in the “My Favorite Speaker” Co

• Promote your favorite speaker through Twitter and you could win $

Promote Your Favorite Speaker and You Could Be a Winner

Promote your favorite speaker through Twitter and you could win $Press products (@CiscoPress)

• Send a tweet and include• Your favorite speaker’s Twitter handle

• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speak

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Complete Your Online Session Evaluation

• Give us your feedback to beentered into a Daily Survey

Don’t forget: Cisco Live sessionfor viewing on-demand after theCiscoLive.com/Online

entered into a Daily SurveyDrawing. A daily winner

will receive a $750 Amazongift card.

• Complete your session surveysthough the Cisco Live mobileapp or your computer on

Cisco Live Connect.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics• Meet the Engineer 1:1 meetings

• Related sessions

Thank you

Cisco WLAN Best Practice

Documents

Transcript of Cisco WLAN Best Practice

Cisco Wlan Design Guide

Cisco 3800 Series Integrated Services Routers 3D · The Cisco 3800 Series routers offer the award-winning Cisco IP Telephony solution for wired and cordless WLAN phones, with Cisco

Enterprise WLAN Architecture - uml.eduglchen/cs414-564/handouts/C05-WLAN_Arch.pdf · Enterprise WLAN Architecture ... © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Cisco Unified Wireless Network Wireless Solutionai3.itb.ac.id/~basuki/private/Cisco WLAN Training/Ch.01-Cisco Wirele… · portfolio for enterprise ... VideoStream No Yes Encrypted

Cisco 4 Practice Exam

Cisco WLAN Passpoint™ Configuration Guide - Cisco

Managing an Enterprise WLAN with Cisco Prime Network ...d2zmdbbm9feqrf.cloudfront.net/2012/anz/pdf/BRKEWN-2069.pdf · Managing an Enterprise WLAN with Cisco Prime Network Control

WLAN Maintenance and Troubleshooting Device Code …ai3.itb.ac.id/~basuki/private/Cisco WLAN Training/Ch.12. CWUN Maint... · WLAN Maintenance and Troubleshooting: Device Code and

Cisco Best Practice Reconmendations

Cisco Catalyst 3750-E Series...Cisco Catalyst 3750-E Series는 Cisco IP 폰, Cisco Cisco Aironet® WLAN(Wireless LAN) 액세스 포인트 또는 모든 IEEE 802.3af 호환 장치를

Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

NGWC – Central Webauth (CWA) using ISE - Cisco · NGWC – Central Webauth (CWA) using ISE ... Cisco Confidential 11 ... • WLAN configuration wlan Central_Webauth 7 viten_cwa

Nokia Enterprise Voice SolutionsSecure Corporate Intranet PSTN PSTN Network WLAN Access Point • Cisco Call Manager • CCM user license • Cisco WLAN Cisco Call Manager/Express

Cisco - Global Home Page - Configuring Mobility...Switch(config-wlan)# mobility anchor 10.10.10.2 Step 2 clientvlan Assignsavlantotheclientswlan. Example: Switch(config-wlan)#

© 2002, Cisco Systems, Inc. WLAN Standards and Security Solutions

Managing an Enterprise WLAN with Cisco Prime NCS & WCS

NPS - community.cisco.com · (Cisco Controller) >show wlan 2 WLAN Identifier..... 2 Profile Name..... NPS Network Name (SSID).....

WLAN @ Cisco ImPuls · WLAN @ Cisco ImPuls Gerhard Jäggle Heiko Gruber Consulting SE Product Sales Specialist gjaeggle@cisco.com hgruber@cisco.com München, 13. Februar 2017 . Changing

Корпоративные сети WLAN Cisco: варианты решений и необходимые технические данные

Application Note Ascom i62 Cisco WLC › legacyfs › online › legacy › 2 › 2 › 3...APPLICATION NOTE VoWiFi & WLAN Infrastructure (IEEE 802.11) Ascom i62 Cisco WLC 2106 WLAN