
Design and Deployment of Enterprise WLANs
Sujit Ghosh, Sr. Mgr. Technical Marketing, EISG


BRKEWN-2010
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Bringing All Together Best Practices
Cisco Unified Wireless Principles

Components
Wireless LAN controllers (WLC)
Aironet access points (AP)
Management (Prime Infrastructure) (PI)
Mobility Service Engine (MSE) / CMX

Principles
AP must have CAPWAP connectivity with WLC
Configuration downloaded to AP by WLC
All Wi-Fi traffic is forwarded to the WLC

[Diagram: Cisco Prime Infrastructure, Wireless LAN Controllers and MSE/CMX on the campus network, with Aironet access points attached]

BRKEWN-2010 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Centralized Wireless LAN Architecture
What is CAPWAP?
CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller; it is based on LWAPP and runs over IPv4 or IPv6
CAPWAP carries control and data traffic between the two
Control plane is DTLS encrypted
Data plane is DTLS encrypted (optional)
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
CAPWAP is not supported on Layer 2 mode deployment

[Diagram: Wi-Fi client, access point and CAPWAP controller; the control plane and the data plane both run between the AP and the controller, with the business application behind the controller]
CAPWAP State Machine

[Diagram of the CAPWAP AP state machine: AP Boots Up, Discovery, DTLS Setup, Join, Image Data, Config, Run; Reset returns the AP to Discovery]
AP Controller Discovery
Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs)
Broadcast message sent to discover controller on a local subnet
Layer 3 join process on CAPWAP APs after Layer 2 fails; candidate controllers come from:
Previously learned or primed controllers
Subnet broadcast
DHCP option 43
DNS lookup

Efficient CAPWAP Operation
Define the wireless access point device DHCP scopes:
Default router IP address for the access point scope
Helper address (forwarding UDP 5246 to the WLC's management interface)
Domain name
Appropriate DHCP lease timer for APs
Pool sizes for WLAN devices according to the different types of sites
If NAT is used, static 1-to-1 NAT to an outside address is recommended

Cisco Wireless Plug-N-Play
Network Plug-N-Play: Simple, Secure, Scalable
Today's process: a central staging facility (or reseller/partner) installs the OS and the configuration and primes each device, then ships the equipment to the installer at Site-1, Site-2, Site-3.
Business challenges:
Direct costs: shipping after configuring the device; travel costs for the IT installer
Complexity: configuration errors; different products / processes
Security: 3rd party not secure
Time/Productivity: manual process; shipping, storage, travel
Network Plug-N-Play: Simple, Secure, Scalable
Network PnP replaces today's staging process (central staging facility, install OS, install config, prime device, ship equipment) with three steps:
1. Network Admin pre-provisions projects/sites
2. Installer installs and powers on devices at the site(s)
3. Network Admin monitors device installation
Network PnP Discovery Options
Applies to switches (Catalyst), routers (ISR/ASR) and wireless APs
1. DHCP with Option 43 (DHCP server), brand new device only. PnP string: 5A1D;B2;K4;I172.19.45.222;J80
2. DNS lookup (DNS server): pnpserver.localdomain, e.g. 172.19.45.222 (PnP Server)
3. CAPWAP-based WLC discovery (for AP only)
4. Cloud re-direction, brand new device only
5. Manual, using the Installer App (iPhone, iPad, Android)
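Both the CAPWAP controller discovery and the PnP discovery above lean on DHCP option 43, and a mistyped scope is a common reason an AP never finds its controller or PnP server. The following Python, an added example that is not code from the deck or from Cisco, builds and validates the two payload shapes: the binary sub-option 0xf1 (241) that Cisco documents for lightweight AP controller addresses, and the PnP string shown on the slide. The letter meanings in the PnP string (5A sub-option, version digit, D/N debug flag, B address type, K transport, I server, J port) are an assumption drawn from Cisco's PnP documentation; the controller addresses used in the checks are constructed.

```python
import ipaddress

# Cisco's documented option 43 layout for lightweight AP controller discovery:
# vendor sub-option 0xf1 (241), a length byte, then 4 bytes per WLC IPv4 address.
CAPWAP_SUBOPTION = 0xF1
CAPWAP_CONTROL_PORT = 5246  # UDP port the deck forwards to the WLC management interface

# Cisco Network PnP option 43 string grammar, as used in the deck's example
# "5A1D;B2;K4;I172.19.45.222;J80".  Field meanings are an assumption taken
# from Cisco's PnP documentation: 5A = PnP sub-option, then version digit and
# D/N debug flag; B = address type; K = transport; I = server; J = port.
PNP_ADDRESS_TYPES = {"1": "hostname", "2": "ipv4"}
PNP_TRANSPORTS = {"4": "http", "5": "https"}


def encode_capwap_option43(controllers):
    """Return the option 43 bytes that prime APs with the given WLC addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return bytes([CAPWAP_SUBOPTION, len(body)]) + body


def decode_capwap_option43(payload):
    """Parse option 43 bytes back into dotted-quad WLC addresses.

    A wrong sub-option code, a length that is not a multiple of 4, or trailing
    bytes raise ValueError instead of yielding a half-parsed controller list.
    """
    if len(payload) < 2 or payload[0] != CAPWAP_SUBOPTION:
        raise ValueError("not a CAPWAP (0xf1) sub-option")
    length = payload[1]
    if length == 0 or length % 4 or len(payload) != 2 + length:
        raise ValueError("sub-option length does not match payload")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(2, 2 + length, 4)]


def parse_pnp_option43(text):
    """Parse a PnP option 43 string into a dict; reject malformed input."""
    head, *fields = text.split(";")
    if len(head) != 4 or head[:2] != "5A" or head[3] not in "DN":
        raise ValueError("header must be 5A, a version digit and D or N")
    result = {"version": head[2], "debug": head[3] == "D"}
    for field in fields:
        if not field:
            raise ValueError("empty field")
        key, value = field[0], field[1:]
        if key == "B" and value in PNP_ADDRESS_TYPES:
            result["address_type"] = PNP_ADDRESS_TYPES[value]
        elif key == "K" and value in PNP_TRANSPORTS:
            result["transport"] = PNP_TRANSPORTS[value]
        elif key == "I" and value:
            result["server"] = value
        elif key == "J" and value.isdigit() and 0 < int(value) < 65536:
            result["port"] = int(value)
        else:
            raise ValueError(f"unsupported or malformed field {field!r}")
    for required in ("transport", "server", "port"):
        if required not in result:
            raise ValueError(f"missing {required} field")
    if result.get("address_type") == "ipv4":
        ipaddress.IPv4Address(result["server"])  # raises on a bad address
    return result


def pnp_server_url(parsed):
    """Server URL the device would contact, derived from the parsed fields."""
    return f"{parsed['transport']}://{parsed['server']}:{parsed['port']}/"


if __name__ == "__main__":
    # Constructed controller addresses; the PnP string is the one from the deck.
    print(encode_capwap_option43(["192.168.15.1", "192.168.15.2"]).hex())
    print(pnp_server_url(parse_pnp_option43("5A1D;B2;K4;I172.19.45.222;J80")))
```

Decoding rather than trusting the scope text is the useful half: a length byte that does not match the address list is exactly the kind of defect that leaves APs stuck in Discovery, and the PnP parser refuses a transport it does not know (K9, say) instead of guessing, so a debug-on (D) or HTTP (K4) scope is visible at review time rather than discovered on the first brand-new device.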
Branch Provisioning with PnP Server
Pre-provisioning record in the PnP server:
PID: AIR-CAP3702I-A-K9 | Serial #: RFD0PP2T025 | Hostname: AP-Store1-1 | WLC IP address: 192.168.15.1 | AP Mode: FlexConnect | Flex Group name: Group-1
Admin: set auto convert feature; configure DFG parameters
Day 1: Network Admin pre-provisions branch APs in the PnP server with WLC IP (Prim/Sec/Ter), AP Name, AP Mode (Flex), AP Group Name, Flex Group Name
Remote installer at the branch mounts and cables devices and powers on
Day 0: PnP server places the AP in the appropriate flex group/default and applies the relevant flex configs to the AP
* Resources required for PnP: 64 Gb RAM, 500 Gb storage. Scale: 10,000 devices
Rule Example in APIC-EM
Create a site. Associate it with AP name, Product ID, Serial or MAC
Upload config file.
Configuration file contains WLC IP (Prim/Sec/Ter), AP Name, AP Mode
(Flex/Local), AP Group Name, FlexConnect Group Name

Single Site Provisioning
Site rule (PnP server at the central site): WLC IP: WLC-1a; AP Name: Site-1-AP; AP Mode: FlexConnect; Flex Group: Site-1Group
Product ID: AIR-CAP3702I-A-K9 | Serial #: RFD0PP2T025 | Hostname: Site-1-AP | WLC IP: WLC-1a | AP Mode: FlexConnect | FlexGroup: Site-1Group

[Diagram: central site with PnP server, WLC-1a, WLC-1b and Radius; remote Site-1 (Site-1 Group) reached across the WAN]
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Bringing All Together Best Practices
Mobility Defined
Mobility is a key reason for wireless networks
Mobility means the end-user device is capable of moving location in the
networked environment
Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it's mobile!
Mobility presents new challenges:
Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
Need to support client roaming that is seamless (fast) and preserves security

Scaling the Architecture with Mobility Groups
Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
Support for up to 24 controllers, 24000 APs per mobility group
Mobility messages exchanged between controllers
Data tunneled between controllers in EtherIP (RFC 3378) (Ethernet in IP tunnel)

[Diagram: Controller-A (MAC AA:AA:AA:AA:AA:01), Controller-B (MAC AA:AA:AA:AA:AA:02) and Controller-C (MAC AA:AA:AA:AA:AA:03), all with Mobility Group Name MyMobilityGroup; each lists the other two as Mobility Group Neighbours by name and MAC, with mobility messages and Ethernet-in-IP tunnels between them]
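The EtherIP tunnel named above is what carries a roaming client's Ethernet frames from the foreign controller back to its anchor. As an added example, not code from the deck or from Cisco's controllers, the Python below encapsulates and decapsulates frames with the RFC 3378 header (a 4-bit version field that must be 3 followed by 12 zero reserved bits) and rejects malformed headers the way the RFC tells receivers to. EtherIP is IP protocol 97, which is the value a filter between mobility-group members must allow; the sample frame and its MAC addresses are constructed for illustration.

```python
import struct

ETHERIP_VERSION = 3          # RFC 3378: version field value
ETHERIP_IP_PROTOCOL = 97     # IP protocol number EtherIP is carried in
ETHERNET_HEADER_LEN = 14     # dst MAC, src MAC, EtherType


def etherip_encapsulate(ethernet_frame):
    """Prepend the 16-bit RFC 3378 header (version 3, reserved bits zero)."""
    if len(ethernet_frame) < ETHERNET_HEADER_LEN:
        raise ValueError("payload shorter than an Ethernet header")
    header = struct.pack("!H", ETHERIP_VERSION << 12)
    return header + ethernet_frame


def etherip_decapsulate(packet):
    """Validate and strip the EtherIP header, returning the inner frame.

    A wrong version or non-zero reserved bits is rejected rather than
    forwarded, so garbage arriving on protocol 97 is not bridged onto a VLAN.
    """
    if len(packet) < 2 + ETHERNET_HEADER_LEN:
        raise ValueError("packet too short for EtherIP + Ethernet")
    (hdr,) = struct.unpack("!H", packet[:2])
    if hdr >> 12 != ETHERIP_VERSION:
        raise ValueError(f"bad EtherIP version {hdr >> 12}")
    if hdr & 0x0FFF:
        raise ValueError("reserved bits must be zero")
    return packet[2:]


def mac_to_str(raw):
    """Render 6 raw bytes as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def inner_frame_summary(frame):
    """Return (dst_mac, src_mac, ethertype) of the encapsulated frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETHERNET_HEADER_LEN])
    return mac_to_str(dst), mac_to_str(src), ethertype


# Constructed sample: a client frame with locally administered MACs, an IPv4
# EtherType and a stub payload; not captured from any real controller.
SAMPLE_FRAME = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)


if __name__ == "__main__":
    tunneled = etherip_encapsulate(SAMPLE_FRAME)
    print(tunneled[:2].hex(), inner_frame_summary(etherip_decapsulate(tunneled)))
```

The anchor/foreign data path discussed in the Layer 3 roaming slides that follow is exactly this: the client's frame leaves the foreign controller inside an EtherIP packet and is bridged onto the anchor's VLAN only after the header check passes.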
Scaling the Architecture with Mobility Groups
With Inter Release Controller Mobility (IRCM), roaming is supported between 8.0, 8.2 and 8.3
One WLC network: 24 WLCs in a Mobility Group, 72 WLCs in a Mobility Domain

[Diagram: a Mobility Domain containing three Mobility Groups running 8.0, 8.2 and 8.3]
How Long Does an STA Roam Take?
Time it takes for:
Client to disassociate +
Probe for and select a new AP +
802.11 Association +
802.1X/EAP Authentication +
Rekeying +
IP address (re) acquisition
All this can be on the order of seconds. Can we make this faster?

Roaming Requirements
Roaming must be fast. Latency can be introduced by:
Client channel scanning and AP selection algorithms
Re-authentication of client device and re-keying
Refreshing of IP address
Roaming must maintain security
Open auth, static WEP: session continues on new AP
WPA/WPAv2 Personal: new session key for encryption derived via standard handshakes
802.1X, 802.11i, WPA/WPAv2 Enterprise: client must be re-authenticated and new session key derived for encryption
How Are We Going to Make Roaming Faster?
Focus on Where We Can Have the Biggest Impact
Eliminating the (re)IP address acquisition challenge
Eliminating full 802.1X/EAP reauthentication

Intra-Controller Roaming: Layer 2 Roaming

[Diagram: client on VLAN X roams to a different AP on the same WLC; the WLC client database (MAC, IP, QoS, security) gets a client database entry with the new AP and the appropriate security context; the data path follows the roam; no IP address refresh needed; WLC-1 and WLC-2 exchange mobility messages]
Client Roaming Between Subnets: Layer 3

[Diagram: client roams from an AP on WLC-1 (VLAN X) to an AP on WLC-2 (VLAN Z); the client data (MAC, IP, QoS, security) is copied from the WLC-1 client database to the WLC-2 client database through the mobility message exchange; WLC-1 becomes the anchor controller and WLC-2 the foreign controller, joined by a controller data tunnel; the pre-roaming data path is shown]
Roaming: Inter-Controller
L3 inter-controller roam: STA moves association between APs joined to different controllers, and the client traffic is bridged onto different subnets
Client must be re-authenticated and new security session established
Client database entry copied to new controller; entry exists in both WLC client DBs
Original controller tagged as the anchor, new controller tagged as the foreign
WLCs must be in same mobility group or domain
No IP address refresh needed
Symmetric traffic path established; the asymmetric option has been eliminated as of the 6.0 release
Account for mobility message exchange in network design

Designing a Mobility Group/Domain
Less roaming is better: clients and apps are happier
While clients are authenticating/roaming, the WLC CPU is doing the processing; not as big a deal with the latest controllers, which have a dedicated management/control processor
L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider worst-case scenarios in designing roaming domain size
Leverage natural roaming domain boundaries
Mobility message transport selection: multicast vs. unicast
Make sure the right ports and protocols are allowed

Fast Secure Roaming: Standard Wi-Fi Secure Roaming
802.1X authentication in wireless today requires three end-to-end transactions with an overall transaction time of > 500 ms
802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam

[Diagram: Cisco AAA server (ACS or ISE) across the WAN from AP1 and AP2; 1. 802.1X initial authentication transaction at AP1; 2. 802.1X reauthentication after roaming to AP2]
Cisco Centralised Key Management (CCKM)
Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
CCKM ported to CUWN architecture in 3.2 release
In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
CCKM is most widely implemented in ASDs, especially VoWLAN devices
To work across WLCs, WLCs must be in the same mobility group
CCX-based laptops may not fully support CCKM; it depends on supplicant capabilities
CCKM is standardised in 802.11r, Apple iOS 6.0, iOS 7.0

Protocols that Help Your BYOD Roam
Issues will come as you reach the edge of the cell; you need to expedite the jump to the next cell:
802.11k: helps the BYOD discover the next cell
802.11r (FT): helps the BYOD exchange credentials fast while roaming
802.11v BSS Transition Management: pushes the BYOD to the next cell
How do you know if your BYOD supports 802.11k or 802.11r?
Apple devices support both since iOS 6
On Android it depends on the device; vendors certify 802.11r and/or 802.11k on devices targeted for the enterprise market, not for the home market
Two URLs can help you:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/device_classification_guide.html
http://clients.mikealbano.com/ (look for RM fields in frame captures for 802.11k support)

Apple & Cisco
Cisco and Apple join hands to build a fast lane
[Diagram: Cisco AP and Apple iOS 10 device]
How does Fast Lane work for Apple devices connecting to Cisco Wireless networks?
iOS 10 devices and Cisco APs perform a handshake that allows them to recognize each other
[Diagram: Apple iOS 10 device and Cisco AireOS 8.3 AP greeting each other: "Aloha!" "Hello Amigo!"]
Three New Wireless Innovations Resulting from Apple / Cisco Partnership
1. Enhanced QoS for iOS 10+: proper QoS handling
2. Improved Roaming: better roaming through Adaptive 11r
3. Centralized iOS App Policy Control: IT administrator control of applications and QoS
Foundation 1: Enhanced QoS for iOS Devices
Wireless is becoming the new edge of the network
Real-time apps (voice and video) are becoming the norm on WLANs
Endpoint vendors' QoS implementation is weak, resulting in poor quality voice and video experience over wireless

Wi-Fi's Biggest QoS Challenge: Shared, Half-Duplex and Contention Based!
Only one station can send at a time, or it will cause interference!
All stations must first wait for the medium to go quiet before attempting to transmit.
What happens when you arrive at a 4-Way Stop?
As WLANs become Busier, Each Client (and the AP) Need to Wait Longer (bad for real-time apps)
[Illustration: several 11ac clients and the AP, one sending while the rest wait, each complaining "My MOS score is terrible!"]
How Much Does Contention Affect Performance
The Breaking Point Depends on How Many Clients You Have
[Chart: throughput (%) from 0% to 120% on the y-axis against 1, 5, 10, 25, 50, 75 and 100 clients on the x-axis; the contention premium grows from 5-10% to 10-30%, 30-50% and 50-60% as clients are added (source: IEEE 802.11-15/0351r2)]
As more clients associate and transmit, WLAN contention increases for all clients. Retry attempts increase and each station spends more and more time in the waiting and listening state, driving down performance
802.11e Solves the Problem by creating wireless queues (Access Categories) and forcing lower priority queues to wait longer before transmitting
Fast Lane ensures that iOS 10+ devices correctly map their applications to the correct Access Categories, ensuring the best possible QoS. Without the correct mappings, wireless QoS can't work!
[Diagram: application data mapped into the Background, Best Effort, Video and Voice access categories; wait time before attempting to send runs from long (Background) to short (Voice)]
802.11e QoS Mappings Before Fast Lane
Endpoint/Client                     Voice (EF)   Video (AF41/42)   Control (CS3)
WMM Convention                      6            5                 4
Jabber for iOS (iPad, iPhone)       5            5                 0
Jabber for Android                  6            5                 3
Jabber for OSX                      5            5                 0
Jabber for Windows (desktop)        5            4                 3
MS Lync                             5            4                 3
Unified IP Phones (DX650, 9971)     6            5                 4
Apple FaceTime (iPad)               5            5                 3
802.11e QoS Mappings After Fast Lane
Endpoint/Client                          Voice (EF)   Video (AF41)   Control (CS3)
Cisco Recommendation                     6            5              4
Jabber for iOS 10+ (iPad, iPhone)        6            5              5
Jabber for Android                       6            5              3
Jabber for OSX                           5            5              0
Jabber for Windows (desktop)             5            4              3
MS Lync / Skype for Business (Win 10)    5            4              3
Unified IP Phones (DX650, 9971)          6            5              4
Apple FaceTime (iPad)                    6            5              5
Foundation 2: Improved Roaming Performance
In 802.11, delay in roaming causes poor experience, especially for rich-media real-time applications. Interoperability increases complexity and prevents adoption.
Standards to the rescue?
802.11k Neighbor List
802.11v BSS Transition
802.11r Fast Roaming
802.11k, 802.11v, 802.11r help efficient roaming
802.11r enables fast roaming without complete reauth
802.11k sends you a list of neighbors
802.11v BSS Transition sends you the new best AP (Cisco-AP-2) to connect to
[Diagram: client associated to Cisco-AP-1 performs a Fast Transition (802.11r) to Cisco-AP-2]
Apple / Cisco Innovation: Adaptive 802.11r
Non-Cisco AP: a legacy client cannot join the same SSID where 11r is enabled
Cisco AP: a legacy client that does not support 11r/k/v can join the same SSID; on association the AP says "I recognize that you are an Apple device, 11r is enabled for you"; 802.11k and 802.11v are on by default
Foundation 3: Centralized Policy Management of iOS 10 Devices
Today's iOS devices are unable to prioritize business-critical real-time traffic all the way from clients to the destination
Today IT administrators can classify traffic ONLY at the access point. This implies:
Inability to prioritize between the client and the AP
Burden on the IT administrator to manage the applications across the enterprise
BYOD: Prioritizing Business Apps on an Apple Network
Prioritize business critical apps and real time data
Don't leave QoS up to the app developer
IT has control over which apps get priority
Cisco Apple Fast Lane QoS Profiles
QoS Profile is pushed to the Apple iOS device using standard iOS profiling techniques (MDM, email, web-based, etc.). This profile has a white list of applications to be marked with QoS. All other traffic from the Apple device will be sent as best effort.
[Diagram: QoS profile with application white list delivered to an Apple iOS 10 device on a Cisco AireOS 8.3 network]
*By default, all applications are whitelisted. This means that if there is no profile, all apps get QoS. If there is a profile, only the apps in the profile get QoS
Creating Fast Lane Profiles
Apple Configurator, Meraki Systems Manager, MDM
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Bringing All Together Best Practices
Cisco Controller Portfolio
[Chart: controllers by scale, from small network / small branch through mid-size enterprise/branch to large enterprise/branch]
Mobility Express: AP 18xx, 50 APs / 1000 clients; AP 2800/3800, 100 APs / 2000 clients
Cisco 3504: 150 APs, 3000 clients, 4 Gbps
Cisco 5520: 1500 APs, 20 Gbps
Cisco 8540: 6000 APs, 64,000 clients, 40 Gbps
Cisco vWLC: 500 Mbps
Previous generation: Autonomous APs; Cisco 2500 (75 APs, 1000 clients, 1 Gbps); Cisco vWLC (200 APs, 3000 clients, 500 Mbps); Cisco 5508 (500 APs, 7000 clients, 8 Gbps); Cisco WiSM2 (1000 APs, 15,000 clients, 20 Gbps); Cisco IOS 5760 (1000 APs, 12,000 clients, 60 Gbps); Cisco Flex 7500 (6000 APs, 64,000 clients, 1 Gbps); Cisco 8510 (6000 APs, 64,000 clients, 10 Gbps)
Grow as your business grows: up to 150 APs, 150-1500 APs, 1500-6000 APs; DNA Opt platforms & virtualization

3504 Series Wireless Controller
Fast, flexible and feature-rich small controller
Target FCS July 2017
Powerful enough to handle 802.11ac Wave 2 traffic loads: up to 150 AP, 3000 clients, 4Gbps
Seamless migration (USB + configuration migration tool from 2504 and 5508)
Seamless WLC portfolio feature parity across 3504 and 5520
Dedicated RP for HA SSO; dedicated SP
Rack mount, cabinet, desktop ready: 1RU, side by side rack mount; quiet fanless for cabinet, desktop (up to 30C ambient); 10 inch depth to fit nicely in cabinet
Scalability: Access Points 150 in Centralized mode; Clients 3000 in Centralized mode; Throughput 4Gbps
Flexible Deployment: mGig or 4x1GE
HA Support: pairing with stateful switchover
Form factor: side by side Primary/HA rack mount (1 RU)
I/O interface: mGig + 4x1GE, USB
Console: RJ45, mini USB
Compact, mGig ready, dedicated RP/SP ports, side by side rack mount and much more
Previous 12 Months: 5520 and 8540 WLAN Controllers (Highest Scalability)
                    5520 WLAN Controller                    8540 WLAN Controller
Access Points       1,500                                   6,000
Clients             20,000                                  64,000
Deployment Modes    Centralized, FlexConnect and Mesh       Centralized, FlexConnect and Mesh
Form Factor         1 RU                                    2 RU
IO Interface        Dual 1G or 10G ports with LAG           Four port 1G or 10G with LAG
Power               AC w/Optional Redundant Power Supply    AC or DC; Dual Power supply and HDD w/RAID
Cisco Aironet 802.11ac Wave 2 Portfolio
Industry's most comprehensive and innovative AP portfolio
DNA Ready | RF Excellence | CMX | Centralized, FlexConnect or Mobility Express
Enterprise Class, Aironet 1815 (wall plate / teleworker): 2x2:2SS 80 MHz, 867 Mbps performance, Tx beam forming, integrated BLE gateway(1), 3 GE local ports including 1 PoE out(3), local ports 802.1x ready(3), USB 2.0(4)
Enterprise Class, Aironet 1830 / 1850 (indoor / high-powered indoor): 1830 3x3:2SS 80 MHz, 867 Mbps performance, 1 GE port uplink; 1850 4x4:3SS 80 MHz, 1.7 Gbps performance, 2 GE ports uplink; Tx beam forming, internal or external antenna, USB 2.0, max transmit power (dBm) per local regulations(2)
Mission Critical, Aironet 2800: 4x4:3SS 160 MHz, 5 Gbps performance, 2.4 and 5GHz or dual 5GHz, 2 GE ports uplink, CleanAir and ClientLink, internal or external antenna, smart antenna connector, USB 2.0
Best in Class, Aironet 3800: 4x4:3SS 160 MHz, 5 Gbps performance, 2.4 and 5GHz or dual 5GHz, 2 GE ports uplink or 1 GE + 1 mGig (5G), CleanAir and ClientLink, StadiumVision, internal or external antenna, smart antenna connector, USB 2.0, investment proof modularity
Dual 5 GHz | Flexible Radio | HDX | Future Proof
(1) Future availability. (2) Available for High-powered only. (3) Available for wall-plate and teleworker only. (4) Available for teleworker only
Meet Any Wi-Fi Use Case: Expandability and Investment Protection
[Diagram of the 2800/3800 expansion options: primary antennas (self-discover / self-configure; stadium panel and other antennas); smart antenna port (custom directional antennas, other location antennas); module port (Bluetooth beacon, 3G and LTE small cell offload, advanced spectrum analysis, security, custom application using Linux, Wi-Fi standard, video surveillance); potential future expandability]
Wireless excellence and innovations delivered only by Cisco Aironet 2800, 3800 Series Access Points
Apple Fast Lane: automatically assures highest priority, fastest performance for trusted apps on trusted Apple devices
Cisco CleanAir: remediates device-impacting interference from other WiFi and non-WiFi devices
Zero Impact AVC: hardware based application visibility and control without impact to performance
Flex Dynamic Frequency Selection: automatically adjusts so as not to interfere with other radio systems
Multi-Gigabit Uplinks: free up wireless with faster Gb+ wired network offload
Optimized Roaming: intelligently connects the proper access point as people move
Turbo Performance: scales to support more devices running high bandwidth apps
Cisco ClientLink: improves performance of legacy and 802.11ac devices
Flexible Radio Assignment: software defined radio automatically adjusts to dual 5GHz to better serve high client environments
Future Proof Expandability: add functionality via module, smart antenna port or USB port
Agenda
Controller-Based Architecture Overview
Mobility in the Cisco Unified WLAN Architecture
Architecture Building Blocks
Deploying the Cisco Unified Wireless Architecture
Bringing All Together Best Practices
Best Practices For High Performance Mobile Infrastructure
RF Planning: engineer the WLAN for data, voice, video, location, and client density. 802.11ac: -65 to -67 RSSI, 10-20% cell overlap, 1 AP / 2500 sq ft
RF Optimization: optimize Gigabit Wi-Fi as primary connectivity, Gig Ethernet as fallback. Cisco CleanAir, ClientLink, RRM
High Availability: replicate the high availability of the LAN on the WLAN. LAN SSO (edge, core, disti); WLAN SSO (client, AP, controller)
Application Visibility & Control: prioritize mission critical business applications over personal applications. Cisco AVC: identify, prioritize, control apps across LAN, WLAN
Deploying the Cisco Unified Wireless Architecture
High Availability (AP and Client SSO)
RF Optimization - AP Groups / RF Groups / HDX
Security & Policies: Local Profiling and Policy Classification, Application Visibility Control, OpenDNS, TrustSec
IPv6 Deployment with Controllers
CMX Cloud
Branch Office Designs
Centralized Mode HA
Client SSO. Requirements: minimum release 8.0; WLC 5508, WiSM2, 7500, 8510; L2 connection; same HW and software; 1:1 box redundancy. Benefits: active client state is synched; AP state is synched; no application downtime; HA-SKU available; network uptime
AP SSO (SSID stateful switchover). Requirements: release 7.3 and 7.4; WLC 5508, WiSM2, 7500, 8510; direct physical connection; same HW and SW; 1:1 box redundancy. Benefits: AP state is synched; no SSID downtime; HA-SKU available (> 7.4)
N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary). Requirements: available on all controllers; each controller has to be configured separately. Benefits: crosses L3 boundaries; flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)
Controller Redundancy
Redundant WLC in a geographically separate location
Layer-3 connectivity between the AP connected to the primary WLC and the redundant WLC
Redundant WLC need not be part of the same mobility group
Configure high availability (HA) to detect failure and faster failover
Use AP priority in case of over subscription of the redundant WLC
[Diagram: WLAN-Controller-1, WLAN-Controller-2 ... WLAN-Controller-n at their sites and WLAN-Controller-BKP in the NOC or data centre; APs configured with Primary: WLAN-Controller-1 (or -2, ..., -n) and Secondary: WLAN-Controller-BKP]
Controller Redundancy High Availability
High Availability Principles:
AP is registered with a WLC and maintains a backup list of WLCs.
AP uses heartbeats to validate WLC connectivity
AP uses Primary Discovery messages to validate the backup WLC list
When the AP loses 3 heartbeats it starts the join process to the first backup WLC candidate
Candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
AP does not re-initiate the discovery process.
New Timers (7.2):
Heartbeat Timeout: 1-30 secs
Fast Heartbeat Timer: 1-10 secs
AP Retransmit Interval: 2-5 secs
AP Retransmit with FH Enabled: 3-8 times
AP Fallback to next WLC: 12 secs
[Diagram: AP with Primary WLC and Secondary WLC]
Stateful Switchover (SSO)
True box to box High Availability, i.e. 1:1
One WLC in Active state and second WLC in Hot Standby state
Secondary continuously monitors the health of the Active WLC via a dedicated link
Configuration on Active is synched to the Standby WLC; this happens at startup and incrementally at each configuration change on the Active
What else is synched between Active and Standby?
AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP (AP SSO)
Active client state in 7.5: client will not disconnect (Client SSO)
Downtime during failover reduced to 5 - 1000 msec depending on failover
In the case of power failure on the Active WLC it may take 350-500 msec
In case of network failover it can take up to a few seconds
SSO is supported on 5500 / 7500 / 8500 / WiSM-2 and 5760
For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
SSO Failover Sequence
[Diagram sequence: Active and Standby WLCs joined by a redundancy link over the dedicated redundancy port; an AP joins and a client associates through the switch. 1. AP and client info sync from Active to Standby. 2. Keep-alive failure / notify peer. 3. The Standby becomes Active. 4. AP session intact: does not re-establish CAPWAP. Client session intact (Client SSO): does not re-associate]
Effective downtime for client is Detection time + Switchover time
Pairing 5520/8540 for SSO
[Diagram: redundancy port connectivity between the pair, back to back and across an L2 network]
Back to back as well as L2 RP connectivity
Connecting 5520/8540 SSO Pair to wired Network: Recommended Network Design
[Diagram: Active and Standby WLC (a 5520 pair and an 8540 pair), each connected by trunk port-channels Po1 and Po2 to a Catalyst VSS pair, with RP connectivity over L2; same configuration on both Po1 and Po2]
Spread the links in each PC among the two physical switches to prevent a WLC switchover upon a failure of one of the VSS switches
BRKEWN-2010 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Web-GUI Configuration (screenshot)
SSO Behaviour and Recommendations
RTT latency on Redundancy Link: 80 milliseconds or less (80% of the keep-alive timer)
Preferred MTU on Redundancy Link: 1500 or above
Bandwidth on Redundancy Link: 60 Mbps or more
WLC 55XX / 85XX: RP connectivity between Active and Standby either via switches or back-to-back
WiSM-2: single 6500 chassis OR different chassis using a VSS setup / extending the redundancy VLAN
Recommended to have Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks
Keep-alive / peer discovery timers should be left at their default values for better performance
Default box failover detection time is 3 * 100 = 300 + 60 = 360 + jitter (12 msec) = ~400 msec
Fast Restart Highlights (8.1)
Process restart to reduce network and service downtime
Better serviceability
Supported on Cisco WLC 7510, 8510, 5520, 8540 and vWLC
CLI command: restart

Use cases:
LAG configuration change
Mobility mode change
Web-auth certificate installation
Clear configuration
Post configuration wizard
Transfer download of configuration
Deploying the Cisco Unified Wireless Architecture
High Availability (AP and Client SSO)
RF Optimization - AP Groups / RF Groups / HDX
Security & Policies: Local Profiling and Policy Classification, Application Visibility Control, OpenDNS, TrustSec
IPv6 Deployment with Controllers
CMX Cloud
Branch Office Designs

AP-Groups - Default AP-Group
The first 16 WLANs created (WLAN IDs 1-16) on the WLC are included in the default AP-Group
The default AP-Group cannot be modified
APs with no assignment to a specific AP-Group will use the default AP-Group
The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
Maximum AP groups per platform: WLC 2504: 50; WLC 5508 & WiSM-2: 500; WLC 7500 & 8500: 500
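A small model of the AP-Group rules above, added here as an illustration (not WLC code): the default group is derived from WLAN IDs 1-16 and locked, WLANs 17 and up reach the air only through a custom group, one WLAN may use a different dynamic interface per group, and the per-platform group limits are enforced. WLAN names, interfaces and AP names are constructed; whether the default group counts toward the platform limit is an assumption.

```python
"""Added illustration (not WLC code) of the AP-Group rules described above.
Platform limits and the WLAN-ID rules come from the text; WLAN names,
interfaces and AP names are constructed."""

# Maximum AP-Groups per platform, as listed on the page.
MAX_AP_GROUPS = {"2504": 50, "5508": 500, "WiSM-2": 500, "7500": 500, "8500": 500}
DEFAULT_GROUP = "default-group"
DEFAULT_GROUP_WLAN_IDS = range(1, 17)   # WLAN IDs 1-16 always sit in the default group


class WlcApGroups:
    def __init__(self, platform, wlans):
        """wlans: {wlan_id: (ssid, dynamic_interface)} as created on the WLC."""
        self.platform = platform
        self.wlans = dict(wlans)
        # The default group cannot be edited: it is derived from WLANs 1-16.
        self.groups = {
            DEFAULT_GROUP: {wid: iface for wid, (_, iface) in self.wlans.items()
                            if wid in DEFAULT_GROUP_WLAN_IDS}
        }
        self.ap_membership = {}   # AP name -> group name

    def add_group(self, name, wlan_to_interface):
        """Create a custom AP-Group mapping WLAN IDs to dynamic interfaces."""
        if name == DEFAULT_GROUP:
            raise ValueError("Default AP-Group cannot be modified")
        # Assumption: the default group counts toward the platform limit.
        if len(self.groups) >= MAX_AP_GROUPS[self.platform]:
            raise ValueError(f"{self.platform}: AP-Group limit reached")
        unknown = set(wlan_to_interface) - set(self.wlans)
        if unknown:
            raise ValueError(f"unknown WLAN IDs {sorted(unknown)}")
        self.groups[name] = dict(wlan_to_interface)

    def assign_ap(self, ap_name, group=None):
        """APs with no explicit assignment use the default AP-Group."""
        group = group or DEFAULT_GROUP
        if group not in self.groups:
            raise ValueError(f"no such AP-Group {group}")
        self.ap_membership[ap_name] = group

    def effective_wlans(self, ap_name):
        """SSID -> dynamic interface actually broadcast by this AP."""
        group = self.ap_membership.get(ap_name, DEFAULT_GROUP)
        return {self.wlans[wid][0]: iface
                for wid, iface in sorted(self.groups[group].items())}

    def orphaned_wlans(self):
        """WLAN IDs mapped by no group at all (only possible for IDs 17 and up)."""
        mapped = set()
        for mapping in self.groups.values():
            mapped.update(mapping)
        return sorted(w for w in self.wlans if w not in mapped)


def default_group_is_locked():
    """True if an attempt to redefine the default group is rejected."""
    wlc = WlcApGroups("2504", {1: ("Employee", "vlan100")})
    try:
        wlc.add_group(DEFAULT_GROUP, {1: "vlan999"})
        return False
    except ValueError:
        return True


def demo():
    """Constructed walk-through: WLAN 17 stays dark until a custom group maps it."""
    wlc = WlcApGroups("5508", {1: ("Employee", "vlan100"), 17: ("IoT", "vlan200")})
    before = wlc.orphaned_wlans()                        # [17]
    wlc.add_group("bldg-A", {1: "vlan60", 17: "vlan200"})  # same SSID, other VLAN
    wlc.assign_ap("ap-lobby")                            # falls back to default group
    wlc.assign_ap("ap-bldgA-1", "bldg-A")
    return (before, wlc.effective_wlans("ap-lobby"),
            wlc.effective_wlans("ap-bldgA-1"), wlc.orphaned_wlans())
```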
AP-Grouping in Campus (diagram)
Without AP-Groups: the single SSID (Employee) served by WLC-1 and WLC-2 in the data centre maps to one VLAN 100 (/21), and clients in every access/distribution block land in that same VLAN over CAPWAP.
With AP-Groups: the same SSID (Employee) maps to AP-Group-1 / VLAN 60 (/23), AP-Group-2 / VLAN 70 (/23) and AP-Group-3 / VLAN 80 (/23), one per access/distribution block, instead of the single VLAN 100 (/21).
Default AP-Group (screenshot): under the Default AP Group only WLANs 1-16 will be added
Multiple AP-Groups (screenshot): AP Group 1, AP Group 2, AP Group 3
HD Config Tip: RF Profiles for Fine-Tuning
RF Profiles work in conjunction with AP Groups (beginning in release 7.2)
You can create separate RF profiles for both 2.4 and 5 GHz; 1 profile for each band (802.11a / 802.11b) can be assigned to an AP group
Settings controlled by an RF profile today:
802.11 data rates
TPC power threshold and min/max power settings
DCA
Coverage hole algorithm settings
High density (HDX) configurations: RX_SOP, client limit, multicast data rate
Client distribution
Result: more granular control of the RF network
RF Profiles: Granular Control (screenshots)
TPC, DCA, Coverage Hole; Data Rates; Load Balancing; High Density

Network Profiles GUI (8.1)
Sets pre-defined RF parameters depending on Client Density and Traffic Type
Client Density: High, Typical, Low
Traffic Type: Data, Data and Voice
Pre-built RF Profiles
Client density specific pre-built RF profiles for the 2.4 GHz and 5 GHz bands to be used with AP Groups
Use the pre-built RF profiles to create your customized profile in 8.3
RF-Profile in Campus (diagram)
RF-Profile-1, RF-Profile-2 and RF-Profile-3 are applied per access/distribution block; each block carries its own VLAN pair (VLAN 60 /23 and VLAN 61 /23, VLAN 70 /23 and VLAN 71 /23, VLAN 80 /23 and VLAN 81 /23) for the single SSID (Employee) served by WLC-1 and WLC-2 in the data centre over CAPWAP.
The World's Most Versatile Access Points
All the benefits of 802.11ac Wave 2: highest Wi-Fi performance ever (higher data rate, wider channels, simultaneous data delivery) and better end-device efficiency (better battery life)
NEW: Cisco Aironet 2800 and Cisco Aironet 3800
Plus Cisco innovations for high density environments:
Self-Optimizing Network: new Flexible Radio Assignment, new Multi-Gigabit uplinks, improved modularity, improved CleanAir, new zero-impact AVC, flexible Dynamic Frequency Selection
Optimized Mobile User Experience: improved ClientLink, improved Turbo Performance, optimized Roaming, new Smart Antenna, enhanced Location*
Flexible Radio Assignment
5GHz Serving + 2.4GHz Serving: default operating mode, serve clients on both 2.4GHz and 5GHz
5GHz Serving + 5GHz Serving: dual 5GHz support, both radios serving clients on 5GHz; maximum over-the-air data rate up to 5.2Gbps
5GHz Serving + Wireless Security Monitoring: scan both 2.4GHz and 5GHz for security threats; serve clients on 5GHz
* Denotes feature availability post-FCS
Important Terminology: Mode vs Role
An AP Mode applies to the whole AP; both radios assume a MODE
A Radio ROLE is assigned to a single radio interface
On the 2800/3800, Slot 0 (802.11-abgn) is the XOR radio
AP Radio Modes: Local, Flex*, Monitor, Sniffer*, Spectrum Connect*, WSA*
2800/3800 Radio Roles: client serving (2.4 GHz or 5 GHz), Monitor, WSM
* Post FCS
Radio Role Assignment: Auto/Manual (screenshots)
Selecting a 2800/3800 802.11-abgn interface config
Auto (default) makes the radio available to FRA
Manual takes the radio out of global FRA
Dual 5 GHz Operation: Custom Channel (screenshots)
If you choose Custom for the channel, you still need 100 MHz between Slot 0 (XOR) and Slot 1 (dedicated 5 GHz)
FRA - Config
FRA is disabled by default; enable it and FRA is active
Sensitivity: Low (100%), Medium (95%), High (90%)
Interval: 1-24 hours, 1 hour default
FRA Assignment Priority
1. 5GHz Serving + 2.4GHz Serving: pervasive 2.4GHz and 5GHz coverage; default operating role
2. 5GHz Serving + 5GHz Serving: increase network capacity and performance; maximum over-the-air data rate up to 5.2Gbps; high density client performance improvements
3. 5GHz Serving + Wireless Security Monitor: secure the network from non-Wi-Fi interference, wIPS attackers, and rogue clients/access points; scan both 2.4GHz and 5GHz for security threats
Cisco Dynamic Bandwidth Selection (DBS) (8.1)
Automatic optimization for 20-40-80 MHz channel widths
DBS applies an additional layer of channel and width recommendations on top of those applied in DCA
Useful for mixed 11n/11ac AP networks and Wave-2 (160MHz)
DBS inputs (diagram): RF neighbor channels, channel Wi-Fi interference, core overlap ratio, client protocol & traffic (11n/11ac), non-Wi-Fi noise, channel utilization
DBS: Auto; configured globally
Local Profiling and Policy Classification
ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
Local profiling is for customers not deploying ISE but requiring a subset of ISE features
Native profiling of end devices based on MAC OUI, HTTP and DHCP
Device-based policy enforcement, per user or per device
Policy Classification (diagram)
Inputs: MAC OUI / device type, username (e.g. John), user role (Student, Teacher, Admin), identity
Resulting policy: VLAN, ACL, QoS, session timeout, time of day
Configuring Client Profiles
Client profiling uses pre-existing profiles in the controller
Custom profiles are not supported in this release
Wireless clients are profiled based on the MAC OUI, DHCP and HTTP user agent
DHCP is required for DHCP profiling, web auth for HTTP user-agent profiling
The 8.3 release contains 233 pre-existing profiles:
(Cisco Controller) >show profiling policy summary
Number of Builtin Classification Profiles: 233
ID Name Parent Min CM Valid
==== ================================================ ====== ====== =====
0 Android None 30 Yes
1 Apple-Device None 10 Yes
2 Apple-MacBook 1 20 Yes
3 Apple-iPad 1 20 Yes
4 Apple-iPhone 1 20 Yes
Local Client Profiling Configuration
At the WLAN level, enable Local Client Profiling (DHCP and HTTP)
"DHCP required" is checked automatically when selecting DHCP profiling
CLI syntax: config wlan profiling {local | radius} {dhcp | http | all} <wlan ID>
(Cisco Controller) >config wlan profiling local all enable 1
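How a local profiler can combine the three evidence sources named above (MAC OUI, DHCP, HTTP user agent) into a device type, added here as an illustration (not WLC code). The profile IDs, names, parent links and Min CM values mirror the first rows of the `show profiling policy summary` output; the matching attributes, the OUI value and the per-source certainty weights are constructed.

```python
"""Added illustration (not WLC code) of hierarchical device profiling.
Profile IDs, names, parents and Min CM values come from the controller
output on the page; matching attributes and weights are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    pid: int
    name: str
    parent: Optional[int]          # parent profile ID, None for a root profile
    min_cm: int                    # minimum certainty metric required to match
    oui: set = field(default_factory=set)            # MAC OUI prefixes
    dhcp_vendor: set = field(default_factory=set)    # DHCP vendor-class strings
    ua_keywords: set = field(default_factory=set)    # substrings of the User-Agent


# Constructed rule set. OUI "00:11:22" is a placeholder, not a real Apple prefix.
PROFILES = {
    0: Profile(0, "Android", None, 30, dhcp_vendor={"android-dhcp"}, ua_keywords={"android"}),
    1: Profile(1, "Apple-Device", None, 10, oui={"00:11:22"}),
    2: Profile(2, "Apple-MacBook", 1, 20, ua_keywords={"macintosh"}),
    3: Profile(3, "Apple-iPad", 1, 20, ua_keywords={"ipad"}),
    4: Profile(4, "Apple-iPhone", 1, 20, ua_keywords={"iphone"}),
}

# Certainty each evidence source contributes (assumed weights; the page gives none).
OUI_WEIGHT, DHCP_WEIGHT, HTTP_WEIGHT = 10, 30, 20


def depth(pid):
    """Number of ancestors of a profile (0 for a root profile)."""
    d, p = 0, PROFILES[pid].parent
    while p is not None:
        d, p = d + 1, PROFILES[p].parent
    return d


def certainty(prof, mac, dhcp_vendor, user_agent):
    """Sum the weights of the evidence sources this profile matches."""
    score = 0
    if mac.upper()[:8] in prof.oui:
        score += OUI_WEIGHT
    if dhcp_vendor and dhcp_vendor.lower() in prof.dhcp_vendor:
        score += DHCP_WEIGHT
    if user_agent and any(k in user_agent.lower() for k in prof.ua_keywords):
        score += HTTP_WEIGHT
    return score


def classify(mac, dhcp_vendor=None, user_agent=None):
    """Return (device type, certainty) for the most specific matching profile.
    A child profile is only considered once its parent has matched, which is
    what the Parent column of the controller's table expresses."""
    matched = {}
    for pid in sorted(PROFILES, key=depth):        # parents before children
        prof = PROFILES[pid]
        if prof.parent is not None and prof.parent not in matched:
            continue
        cm = certainty(prof, mac, dhcp_vendor, user_agent)
        if cm >= prof.min_cm:
            matched[pid] = cm
    if not matched:
        return "Unknown", 0
    best = max(matched, key=lambda p: (depth(p), matched[p]))
    return PROFILES[best].name, matched[best]
```

With only the OUI visible (no DHCP or web auth) the Apple client stays at the generic parent profile; the user agent is what promotes it to a child profile, and without a matching parent a child never matches.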
Client Profiles in 7.6 and Above
When profiling is enabled, a client's Device Type can be shown on the WLAN (screenshot).
Why Do You Need AVC?
Visibility: threats (worms and Trojans) move laterally (east-west); a central application sensor will not see this at all
Detection: the path to the server may be different from the return path, so a single sensor may not be able to determine the application
Troubleshooting: essential to have visibility at multiple points to break down the problem and get to resolution faster
Control: latency metrics such as response time, transaction time, network and application delay are needed to control the apps
Cisco AVC Ecosystem (diagram)
Device sensors/platforms: switch, router, AP, controller, FW, VM
Orchestration/management: APIC-EM, Prime, Web GUI
3rd party visualization; 3rd party security/billing
Wi-Fi Calling Introduction
Setting to use Wi-Fi for calls instead of the cellular network
Useful for poor cellular / good Wi-Fi scenarios, and SP offloading
Available on the iPhone 5/6 series with iOS 8 and iOS 9, integrated into the OS
Available on select Android and Windows phones; requires an app compatible with the phone and SP
Still needs a SP to offer the service: T-Mobile (US), EE (UK), Google Voice (Hangouts); Sprint supports it on selected Android devices; AT&T and Verizon planning support for mid 2015
How Does AVC Classify Applications: Cisco Jabber
Three classification flows for Cisco Jabber: Cisco Jabber Audio, Cisco Jabber Video, Cisco Jabber Control
Different policies for different components of a Jabber session

How Does AVC Classify Applications: MS Lync (deep packet inspection)
Three classification flows for Microsoft Lync: MS-Lync-Video (desktop sharing, chat), MS-Lync Media (audio and video flows), MS-Lync File Transfer
Different policies for different components of a Lync session
Enabling Application Visibility and Control
AVC is enabled per WLAN to allow deep packet inspection (screenshot):
1. Change the QoS level to reflect the highest application level for that SSID
2. Enable Application Visibility
3. Ensure WMM is set to Allowed or Required
Discover and Export: Capacity Planning
Identify and monitor 1200+ applications natively
Flow monitoring and L7 classification (diagram): app name, source and destination IP, HTTP byte count, protocol, TOS, VLAN ID, HTTP user name, exported via NetFlow v9
Integrated DPI engine (NBAR2) recognises 1200+ applications
In-service application signature update
Export 17+ traffic statistics data records
Export information using open export protocols: NetFlow v9 (RFC 3954)
Performance collection and troubleshooting
Enhanced NetFlow Export on Cisco WLC
Enhanced NetFlow export of 17 new flow records to better integrate with NetFlow partners like Lancope (application tag visibility)
Exported fields: client MAC address, AP MAC address, WLAN ID, source IP, destination IP, source port, destination port, protocol, flow start time, flow end time, direction, packet count, byte count, VLAN ID (mgmt/dyn), TOS - DSCP value, dot1x username
Helps track applications & traffic flows by user ID
Supported on 5520 and 8500 series controllers
Policy Tie-in with AVC: User-aware and Device-aware
WLC v7.4 and later: application-based policies per WLAN
WLC v8.0: user-role aware and device-aware
Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
Alice can access EHS records on an (IT provisioned) Windows laptop but cannot on a personal (unsecure) iPad
AVC Profile Per User / Device (diagram)
SSID: Classroom, security: WPA2/802.1x; the AP connects via the switch to the WLC, which queries AAA
AAA returns Cisco-av-pair=avc-profile-name=<avc profile on wlc> and Cisco-av-pair=role=<role name>
Teacher network and Student network apply different AVC profiles to YouTube, Facebook, Skype and BitTorrent
Applying AVC Profiles (for your reference)
Create an AVC profile for applications at Wireless > AVC
1. Apply the AVC profile to the WLAN
2. Apply an AVC profile per client using local profiling on the WLC
3. Apply an AVC profile per client using AAA override (RADIUS server)
Maximum 32 rules can be created per AVC profile
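Selecting which AVC profile a client gets and evaluating an application against it, added here as an illustration (not WLC code). It covers the three sources listed above (WLAN profile, local device profiling, AAA override) and the Alice/Bob scenario from the policy tie-in slide; the RADIUS attribute names and the 32-rule limit are from the page, while the precedence order, application names, rule actions and policies are assumptions.

```python
"""Added illustration (not WLC code): per-client AVC profile selection and
rule evaluation.  Attribute names and the 32-rule limit are from the page;
precedence order, profiles, device policy and app names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RULES_PER_PROFILE = 32          # limit stated on the page


@dataclass
class Rule:
    app: str
    action: str                      # "drop", "mark" or "rate-limit" (assumed action set)
    dscp: Optional[int] = None       # used by "mark"
    kbps: Optional[int] = None       # used by "rate-limit"


class AvcProfile:
    def __init__(self, name: str, rules: List[Rule]):
        if len(rules) > MAX_RULES_PER_PROFILE:
            raise ValueError(f"{name}: at most {MAX_RULES_PER_PROFILE} rules per AVC profile")
        self.name = name
        self.rules = {r.app.lower(): r for r in rules}

    def decide(self, app: str) -> str:
        """Applications without a rule are permitted unchanged."""
        r = self.rules.get(app.lower())
        if r is None:
            return "permit"
        if r.action == "mark":
            return f"mark dscp {r.dscp}"
        if r.action == "rate-limit":
            return f"rate-limit {r.kbps} kbps"
        return "drop"


def parse_av_pairs(attrs: List[str]) -> Dict[str, str]:
    """Turn 'Cisco-av-pair=key=value' strings from an Access-Accept into a dict."""
    out = {}
    prefix = "Cisco-av-pair="
    for a in attrs:
        if a.startswith(prefix) and "=" in a[len(prefix):]:
            key, value = a[len(prefix):].split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


# Constructed profiles (on a real WLC these are created under Wireless > AVC).
PROFILES = {
    "corp-default": AvcProfile("corp-default", [Rule("skype", "mark", dscp=46),
                                                Rule("bittorrent", "drop")]),
    "no-streaming": AvcProfile("no-streaming", [Rule("netflix", "drop"),
                                                Rule("bittorrent", "drop")]),
    "byod": AvcProfile("byod", [Rule("ehs-records", "drop"),
                                Rule("youtube", "rate-limit", kbps=512)]),
}
# Constructed local device policy: device type from local profiling -> profile.
DEVICE_POLICY = {"Apple-iPad": "byod", "Android": "byod"}


def select_profile(wlan_profile: str, radius_attrs: List[str], device_type: Optional[str]):
    """Precedence assumed for this example: local device policy, then the AAA
    override (avc-profile-name av-pair), then the WLAN's own profile."""
    av = parse_av_pairs(radius_attrs)
    name = DEVICE_POLICY.get(device_type or "") or av.get("avc-profile-name") or wlan_profile
    return PROFILES[name]


def client_decision(device_type: Optional[str], radius_attrs: List[str], app: str):
    """(profile name, action) for one client flow on a WLAN using corp-default."""
    prof = select_profile("corp-default", radius_attrs, device_type)
    return prof.name, prof.decide(app)


def profile_accepts(n_rules: int) -> bool:
    """True if a profile with n_rules rules passes the per-profile limit."""
    try:
        AvcProfile("probe", [Rule(f"app{i}", "drop") for i in range(n_rules)])
        return True
    except ValueError:
        return False
```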
8.4 OpenDNS WLC Integration
OpenDNS: offering domain level visibility
Cloud delivered network security service
Malware and breach protection in real time
Uses evolving big data and data mining methods to proactively predict attacks
Category based filtering (60+ content categories)
Diagram: the OpenDNS Cloud provides DNS layer security with internet-wide visibility, coverage, protection, intelligence (predictive threat intelligence), performance and reliability (high speed, scalable); category (ransomware, malware, phishing) and identity (internal IP, AD user); security visibility: malware/botnet, application insights, policy compliance
https://youtu.be/cMdX8sBBYG4
OpenDNS - Terminology. How does it work on WLC?
API Token: issued from the OpenDNS portal; only used for device registration
Device Identity: unique device identifier; policy is enforced per identifier
EDNS: extension mechanism for DNS
FQDN: Fully Qualified Domain Name
1. DNS request precedes the web request: the WLC intercepts the DNS packet and redirects the query to the OpenDNS cloud servers at IPv4 208.67.222.222 and IPv4 208.67.220.220
2. DNS traffic redirects to OpenDNS
3. OpenDNS resolves the request: the OpenDNS cloud, based on the FQDN in the DNS query, returns a blocked page to the client for a malicious FQDN and returns the destination IP for a safe FQDN
NOTE: If the blocked domain was from an HTTPS request, the client's web browser will see a certificate error because the OpenDNS cloud may not have the certificates from the blocked server.
OpenDNS Policy Segmentation (diagram)
Current ISR implementation (ISR 4K): site specific policy, enforced per interface (Corp network, Guest network)
Wireless controller: dynamic evaluation of attributes for access control; the identity server returns attributes that select Policy 1 / Policy 2 / Policy 3 (Corp, Contractor, Guest)
OpenDNS - WLC Solution Overview
WLC and OpenDNS registration (one time):
OpenDNS: get the API token for device registration
WLC: apply the token and create a profile
Device (profile) registration; HTTPS is used in this phase
Policy applied in the OpenDNS Cloud: content filtering, security enforcement, compliance, category based filtering, whitelist & blacklist
Wireless client traffic flow:
Client sends a DNS query
WLC snoops the DNS query, tags it with the identity and forwards it with EDNS
OpenDNS applies the profile specific policy and sends the DNS response to the WLC
WLC forwards the response to the client
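The DNS-layer flow from the two slides above carried through end to end, added as an illustration (not WLC or OpenDNS code): the client's query is built, the controller step appends an EDNS0 OPT record carrying the device identity and picks the resolver, and the resolver step recovers the identity, applies that identity's policy and answers with either the real address or a block page. The two resolver IPs are from the page; the EDNS option code (a private-use placeholder), the policies, categories and all other addresses are constructed.

```python
"""Added illustration (not WLC or OpenDNS code) of identity-tagged DNS
redirection.  Only the two resolver IPs come from the page; the option code,
policies, categories and other addresses are constructed."""
import struct

OPENDNS_RESOLVERS = ("208.67.222.222", "208.67.220.220")   # from the page
EDNS_DEVICE_ID_OPTION = 65001      # placeholder code in the EDNS private-use range
BLOCK_PAGE_IP = "192.0.2.10"       # constructed stand-in for the block page address

# Constructed categorisation, real addresses and per-identity policy.
CATEGORIES = {"lure.example": "phishing", "video.example": "streaming",
              "www.example.com": "business"}
REAL_ADDRS = {"lure.example": "198.51.100.7", "video.example": "198.51.100.8",
              "www.example.com": "198.51.100.9"}
POLICY = {"guest-profile": {"malware", "phishing", "streaming"},
          "corp-profile": {"malware", "phishing"}}


def encode_name(fqdn: str) -> bytes:
    out = b""
    for label in fqdn.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Read an uncompressed name (queries carry no compression pointers)."""
    labels = []
    while buf[off] != 0:
        ln = buf[off]
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), off + 1


def build_query(fqdn: str, txid: int = 0x1234) -> bytes:
    """Client side: A/IN query with RD set and no additional records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", 1, 1)


def controller_redirect(query: bytes, device_id: str):
    """Controller side: append an OPT pseudo-RR carrying the device identity
    and return (resolver address, tagged query)."""
    data = device_id.encode("ascii")
    option = struct.pack("!HH", EDNS_DEVICE_ID_OPTION, len(data)) + data
    # OPT RR: empty name, TYPE 41, CLASS = UDP payload size, TTL = extended flags
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    tagged = struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar + 1) + query[12:] + opt_rr
    return OPENDNS_RESOLVERS[0], tagged


def parse_tagged_query(pkt: bytes):
    """Resolver side: recover (fqdn, device_id) from the question and OPT record."""
    _, _, qd, _, _, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, fqdn = 12, None
    for _ in range(qd):
        fqdn, off = decode_name(pkt, off)
        off += 4                                    # QTYPE + QCLASS
    device_id = None
    for _ in range(ar):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 41:
            continue
        p = 0
        while p + 4 <= len(rdata):                  # walk the OPT options
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == EDNS_DEVICE_ID_OPTION:
                device_id = rdata[p + 4:p + 4 + olen].decode("ascii")
            p += 4 + olen
    return fqdn, device_id


def resolve(pkt: bytes):
    """Apply the identity's policy: a blocked FQDN gets the block page address.
    An untagged query has no identity and therefore no policy."""
    fqdn, device_id = parse_tagged_query(pkt)
    category = CATEGORIES.get(fqdn, "uncategorised")
    if category in POLICY.get(device_id, set()):
        return fqdn, "blocked", BLOCK_PAGE_IP
    return fqdn, "resolved", REAL_ADDRS.get(fqdn)
```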
8.4 Wireless TrustSec
The Segmentation Challenge (diagram: a long IP-based access-list 102 of per-subnet permit/deny lines spanning Employees, Contractors, Vendors, Guests and PCI Devices VLANs across Campus and Branch)
Complex IP based policies
Extend segments over Layer 3 boundaries
Need updates as topology changes
Various segmentation needs as the network expands and grows: line of business, compliance, BYOD, retain security & compliance
https://youtu.be/A7H4HtzpCwM
End-to-End TrustSec in Enterprise Network (diagram)
Campus network (IOS switches, wireless), branch office (routers), WAN, data center (NXOS switches, services), internet / public cloud
DNA Security and Compliance: Wireless TrustSec Support (WLC 8.4)
Example SGTs: 5 Employee, 6 Voice, 7 Partner
Classification (assigning SGTs): static & dynamic assignments
Propagation: inline SGT & SXP
Enforcement: Security Group ACL
Enforcement modes: SXP, AP inline tagging, WLC inline tagging
Platform support (table; columns: Local/Flex Mode/Central Switching (v2), Flex Mode/Local Switching, Flex + Bridge, with Wave1 and 11acW2 APs indicated per column):
Inline SGT tagging and SG-ACL enforcement: APs 17xx, 27xx, 37xx, 18xx, 28xx, 1560 and 38xx; WLCs 3504*, 5520 and 8540
SXPv2: WLCs 5520, 8540, 8510, 7510, vWLC, 5508, WiSM2, 2504
SXPv4: APs 17xx, 27xx, 37xx, 18xx, 28xx, 1560 and 38xx (Indoor Mesh (v2) only)
Software Defined Segmentation: Wireless TrustSec
Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
TrustSec simplifies ACL management for intra/inter-VLAN traffic
A TrustSec enabled WLC & AP receive policy only for what is connected
Diagram: wired/wireless users on VLAN Data-1 and VLAN Data-2 carry Employee, Supplier and Non-Compliant tags across the enterprise backbone to the data center (shared services, application servers, remediation, DC switch), with ISE as the policy source
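Why the tag-based policy survives a topology change while the IP-based one does not, added as an illustration (not Cisco code): the same flow is evaluated by a small extended-ACL matcher in the `access-list 102 ...` syntax shown on the Segmentation Challenge slide and by a Security Group ACL matrix, before and after the employee subnet is renumbered. SGT values 5/6/7 follow the Employee/Voice/Partner examples on the page; addresses, ACL lines, the server SGT and the policy matrix are constructed.

```python
"""Added illustration (not Cisco code): IP-wildcard ACL versus SGT matrix.
SGT values 5/6/7 are from the page; everything else is constructed."""
import ipaddress


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care'."""
    i, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return i & care == b & care


def port_match(op: str, value: int, port: int) -> bool:
    return {"eq": port == value, "lt": port < value, "gt": port > value}[op]


def parse_acl_line(line: str) -> dict:
    """access-list <n> <permit|deny> <proto> <src> <wc> [op port] <dst> <wc> [op port]"""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    entry = {"action": tok[2], "proto": tok[3]}
    i = 4
    for side in ("src", "dst"):
        entry[side] = (tok[i], tok[i + 1])
        i += 2
        if i < len(tok) and tok[i] in ("eq", "lt", "gt"):
            entry[side + "_port"] = (tok[i], int(tok[i + 1]))
            i += 2
    return entry


def ip_acl_decision(acl, proto, src, sport, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *e["src"]) or not wildcard_match(dst, *e["dst"]):
            continue
        if "src_port" in e and not port_match(*e["src_port"], sport):
            continue
        if "dst_port" in e and not port_match(*e["dst_port"], dport):
            continue
        return e["action"]
    return "deny"


# TrustSec view: policy keyed by (source SGT, destination SGT), not by address.
SGT = {"Employee": 5, "Voice": 6, "Partner": 7, "Shared_Services": 10}   # 10 is constructed
# Constructed SGACL matrix; unlisted pairs fall to a default deny (assumed).
SGACL = {(5, 10): "permit", (6, 6): "permit", (7, 10): "deny"}


def sgacl_decision(src_sgt: int, dst_sgt: int) -> str:
    return SGACL.get((src_sgt, dst_sgt), "deny")


# Constructed IP ACL protecting the shared-services server 10.0.50.10.
ACL_BEFORE = [parse_acl_line(line) for line in (
    "access-list 102 permit tcp 10.0.10.0 0.0.0.255 10.0.50.10 0.0.0.0 eq 443",   # employee VLAN
    "access-list 102 deny ip 10.0.20.0 0.0.0.255 10.0.50.10 0.0.0.0",              # partner VLAN
)]


def compare_after_renumbering():
    """The employee VLAN moves from 10.0.10.0/24 to 10.0.30.0/24; its SGT stays 5.
    Returns (IP ACL before, IP ACL after, SGACL after)."""
    old_ip, new_ip = "10.0.10.25", "10.0.30.25"
    acl_old = ip_acl_decision(ACL_BEFORE, "tcp", old_ip, 50000, "10.0.50.10", 443)
    acl_new = ip_acl_decision(ACL_BEFORE, "tcp", new_ip, 50000, "10.0.50.10", 443)
    sgt_new = sgacl_decision(SGT["Employee"], SGT["Shared_Services"])
    return acl_old, acl_new, sgt_new
```

The renumbered employee now falls through to the implicit deny of the unchanged IP ACL, while the SGACL lookup is unaffected because the tag, not the subnet, identifies the user.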
IPv6 Overview (diagram)
IPv6 and IPv4 clients connect over 802.11 to the AP; the AP reaches the WLC through a CAPWAPv6 tunnel; an IPv4/v6 router (2001:db8:a::1/64, 10.10.10.1) sits between the WLC (management 2001:db8:a::2/64, 10.10.10.2) and the RADIUS, SNMP, syslog, NTP and tftp/ftp/scp servers
Addresses shown: IPv6 client 2001:db8:a:7/64; 2001:db8:a:0:2329:9834:3231:1111 and 10.10.10.52; 2001:db8:a:0:1827:91bf:c41b:9683; 2001:db8:a:0:8a56:caff:1547:9150 and 10.10.10.51; servers 2001:db8:a:5/64 and 2001:db8:a:6/64
Management Access (telnet, SSH, HTTP, HTTPS)
WLC management interface: 2001:db8:a::2/64 and 10.10.10.2
The WLC can be accessed from wired/wireless via its IPv6 management interface using telnet, SSH, HTTP and HTTPS
CAPWAPv6
The AP can get IPv6 addresses from stateful DHCPv6, SLAAC or static assignment
If statically assigned, the gateway can be the unique global or link-local address of the router
Either CAPWAPv4 or CAPWAPv6 can be used, but not both
APs in bridge mode do not support CAPWAPv6
AP Failover (diagram: WLC1, WLC2, WLC3)
The management IP address must be reachable
One entry per WLC
The AP will join either the IPv4 or the IPv6 address of the WLC (regardless of the management IP listed)
Example lists: Primary WLC1 / Secondary WLC2 / Tertiary WLC3; Primary WLC2 / Secondary WLC3 / Tertiary WLC1; Primary WLC3 / Secondary WLC2 / Tertiary WLC1
All other AP failover behaviour is the same as in previous versions
IPv6 Guest Access
The virtual IP address is IPv4 only
Uses an IPv4-mapped address for IPv6 web-authentication clients
The virtual IP should be the same for all WLCs in the same mobility group
For example, the IPv6 address will display as [::ffff:192.0.2.1]
Wireless IPv6 Client First Hop Security on WLAN (diagram: client 802.11 / IPv6 to the AP, CAPWAP over IPv4 or IPv6 tunnel to the WLC, VLAN / Ethernet beyond)
Router Advertisement: RA Guard - an RA from a client is blocked at the AP (Local and FlexConnect)
Undesired IPv6 addresses/prefix: Source Guard
DHCP server advertisement: DHCP Server Guard - a DHCP SA is blocked at the wireless controller using an IPv6 ACL
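The two client-side checks named above as a packet filter, added as an illustration (not AP or WLC code): RA Guard drops ICMPv6 Router Advertisements (type 134) arriving from the wireless side, and DHCPv6 server guard drops Advertise (2) / Reply (7) messages sourced from the server port 547, while Router Solicitations and DHCPv6 Solicits from clients pass. On the page the first check lives at the AP and the second at the WLC via an IPv6 ACL; here both sit in one function. All frames are constructed and checksums are left zero.

```python
"""Added illustration (not AP or WLC code) of RA Guard and DHCPv6 server
guard applied to constructed frames from the client side."""
import ipaddress
import struct

NH_ICMPV6, NH_UDP = 58, 17
ICMPV6_ROUTER_SOLICIT, ICMPV6_ROUTER_ADVERT = 133, 134
DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547
DHCPV6_SOLICIT, DHCPV6_ADVERTISE, DHCPV6_REPLY = 1, 2, 7


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, payload length, next header, hop limit 255."""
    head = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_icmpv6(msg_type: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", msg_type, 0, 0) + body        # checksum left zero


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def client_side_verdict(pkt: bytes) -> str:
    """Return 'forward' or a 'drop: <reason>' string for a frame from a client."""
    if len(pkt) < 40:
        return "drop: truncated header"
    vtc, plen, nh, _ = struct.unpack("!IHBB", pkt[:8])
    if vtc >> 28 != 6:
        return "forward"                       # not IPv6: outside these checks
    payload = pkt[40:40 + plen]
    if nh == NH_ICMPV6 and len(payload) >= 4:
        if payload[0] == ICMPV6_ROUTER_ADVERT:
            return "drop: RA Guard"            # a client never legitimately sends an RA
    elif nh == NH_UDP and len(payload) >= 9:
        sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
        if sport == DHCPV6_SERVER_PORT and payload[8] in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
            return "drop: DHCPv6 server guard"  # server-role message from a client
    return "forward"


# Constructed sample frames as a client could emit them (link-local addresses).
ROGUE_RA = build_ipv6("fe80::1", "ff02::1", NH_ICMPV6,
                      build_icmpv6(ICMPV6_ROUTER_ADVERT, b"\x40\x00\x07\x08" + b"\x00" * 8))
GOOD_RS = build_ipv6("fe80::1", "ff02::2", NH_ICMPV6,
                     build_icmpv6(ICMPV6_ROUTER_SOLICIT, b"\x00" * 4))
ROGUE_DHCP_ADVERTISE = build_ipv6("fe80::1", "fe80::2", NH_UDP,
                                  build_udp(DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT,
                                            bytes([DHCPV6_ADVERTISE, 0, 0, 1])))
GOOD_DHCP_SOLICIT = build_ipv6("fe80::1", "ff02::1:2", NH_UDP,
                               build_udp(DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT,
                                         bytes([DHCPV6_SOLICIT, 0, 0, 1])))
```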
Introducing CMX Cloud
CMX Cloud is an easy and scalable way to deliver guest insights and experiences, adding value to your Cisco on-premises wireless network
Easy guest access; deliver relevant content; discover customer insights
Cloud delivered SaaS offer
Based on CMX 10.x software
Compatible with WLC code 7.x
How CMX Cloud Works with WLC 8.3 (diagram)
Access points and WLAN controller reach CMX Cloud over https (web auth redirect); CMX Cloud provides Presence, Connect (captive portal) and Analytics data
Future WLC versions will have native proxy functionality and not require an external device
Generate customer insights, increase mobile engagement, boost customer satisfaction
Branch Office with Local WLAN Controller: Overview
Branches can also have local controllers
Small or mid-size branch WLCs: WLC 2504, Virtual WLC (vWLC), Converged Access Cat-3850
A high-availability design with a central backup controller is supported; WAN limitations may apply
Diagram: central site with a backup central controller; remote sites A, B and C (WLC-2504, vWLC, Cat-3850) connected over the WAN with CAPWAP
Branch Office Deployment: FlexConnect
Hybrid architecture
Single management and control point
Data traffic switching: centralised traffic (split MAC) or local traffic (local MAC)
HA will preserve local traffic only
Traffic switching is configured per AP and per WLAN (SSID)
Diagram: central site WLC with centralized traffic over the WAN to the remote office, where local traffic is switched at the AP
FlexConnect Glossary
Connected Mode: when the FlexConnect AP can reach the controller, it gets help from the controller to complete client authentication
Standalone Mode: when the FlexConnect AP cannot reach the controller, it goes into standalone state and does client authentication by itself
Local Switching: data traffic switched onto local VLANs for an SSID
Central Switching: data traffic tunneled back to the WLC for an SSID
Flex AVC WAN Bandwidth Considerations
Deployment type: Data + Flex AVC; WAN bandwidth (min): 75 Kbps; WAN RTT latency (max): 300 msec; max APs per branch: 5; max clients per branch: 25
Test conditions:
5 APs, 25 client setup
1 locally switched WLAN with WPA2 and PEAP
Local authentication with RADIUS server on FCG
Application Visibility turned on at FCG
Applications: HTTP, FTP, RTP
Bringing All Together: Best Practices
Best Practices (for your reference)

Make it Easy - INFRASTRUCTURE BEST PRACTICES (AirOS)
Enable High Availability (AP and Client SSO)
Enable AP Failover Priority
Enable AP Multicast Mode
Enable Multicast VLAN
Enable Pre-image download
Enable AVC
Enable NetFlow
Enable Local Profiling (DHCP and HTTP)
Enable NTP
Modify the AP Re-transmit Parameters
Enable FastSSID change
Enable Per-user BW contracts
Enable Multicast Mobility
Enable Client Load balancing
FlexConnect Groups and Smart AP Upgrade

Make it Work - SECURITY
Enable 802.1x and WPA/WPA2 on WLAN
Enable 802.1x authentication for AP
Change advanced EAP timers
Enable SSH and disable telnet
Disable Management Over Wireless
Disable WiFi Direct
Secure Web Access (HTTPS)
Enable User Policies
Enable Client exclusion policies
Enable rogue policies and Rogue Detection RSSI
Strong password Policies
Enable IDS
BYOD Timers

Make it Perform - WIRELESS / RF
Disable Aironet IE
Disable 802.11b data rates
Restrict number of WLANs below 4
Enable channel bonding 40 or 80 MHz
Enable BandSelect
Use RF Profiles and AP Groups
Enable RRM (DCA & TPC) to be auto
Enable Auto-RF group leader selection
Enable Cisco CleanAir and EDRRM
Enable Noise & Rogue Monitoring on all channels
Enable DFS channels
Avoid Cisco AP Load

MESH
Set Bridge Group Name
Set Preferred Parent
Multiple Root APs in each BGN
Set Backhaul rate to "Auto"
Set Backhaul Channel Width to 40/80 MHz
Backhaul Link SNR > 25 dBm
Avoid DFS channels for Backhaul
External RADIUS server for Mesh MAC Authentication
Enable IDS
Enable EAP Mesh Security Mode

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Best Practice Check Points: Measuring Compliance

1. WLAN Express Setup (engage setup workflow; 7.6 MR2, 8.0, 8.1)
Best practices defaults, RF parameter optimisation, Network Profiles
Optimum starting point at Day 0/1 network setup, natively on the WLC
RF parameter setting ease of use
Enhanced performance, security, resiliency with best practice recommendations turned on at boot up time

2. WLC Config Audit (audit page on upgrade; 8.1)
Audit page on upgrade, one-click Fix It, manual config option
Compliance metric and reporting
Identify missing best practice configuration on upgrade
Easy one-click Fix It option to turn on Best Practice knobs
Restore Defaults to revert configuration to default

3. WLC Config Analyzer App (WLCCA)
Windows executable, show run-config based analyzer tool
Downloadable client; configuration stays local
Simplified operational use to quickly identify and fix problem areas
RF health metrics, IOS support, mobility group support

4. Cisco Active Advisor (CAA)
Free, cloud based service; agentless, nothing to download
Cisco personalized device health score
Compare your wireless network configuration to Cisco's recommended best practices
Automated inventory management and network scanning
WLAN Express Setup (7.6 MR2, 8.0, 8.1)
WLC WLAN Express Setup Best Practices Day 0/1

Best Practice Knobs
AVC Visibility
mDNS Snooping
New mDNS Profile for printer, http
Local Profiling
Band Select
DHCP Proxy
Secure Web access
Virtual IP 192.0.2.1
Multicast Forwarding Mode
RRM-DCA Auto
SNMPv3 (delete default)
RRM-TPC Auto
CleanAir Enabled
RF Group same as Mobility Name
EDRRM Enabled
Channel Width 40 MHz
DHCP Required on Guest WLAN
Aironet IE Disabled
Management over Wireless

Best Practice Knobs (8.1)
2.4 Low Data Rates Disabled
Load Balancing
Rogue Threshold Enabled
Client Exclusion Enabled
FastSSID Enabled
Infra MFP
Mobility Name
5 GHz Channel Bonding

Save Time & Money
Optimum starting point at Day 0/1 network setup
RF parameter setting ease of use
Enhanced performance, security and resiliency, with best practice recommendations turned on at boot-up time

Videos: http://youtu.be/aNVM3rW-Zkc and https://www.youtube.com/watch?v=nGFH38peF-w
Best Practice Enhancements (8.5)
Best Practices Score
Ignored Best Practices Score: the number of ignored best practices
Add Ignored Best Practices: a popup that displays the ignored best practices, which can be re-added
Best practices count increased to 39
WLC Config Analyser: Per Controller Compliance
Best Practices categorized into: General, AP, Mobility, RF, Security, Voice, Mesh, Flex
Per-Controller Compliance Level for each category, with Total/Passed/Failed checks
Compliance colour bands: 0-40% Red, 41-80% Yellow, 81-100% Green
Latest @ https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=wlc-conf-app-dev
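As an added example (not from the deck and not Cisco's WLCCA tool), the scoring logic behind a per-controller compliance check like the one on this slide: it parses a constructed settings snapshot whose field names only approximate the "Field..... Value" style of WLC show output, checks it against knobs taken from the AirOS best-practice table above (telnet/SSH, management over wireless, HTTPS, FastSSID, Aironet IE, Band Select, 802.11b rates), and scores each category into the 0-40 / 41-80 / 81-100 colour bands.

```python
import re

# Constructed sample snapshot for this example. Field names only approximate the
# "Field..... Value" style of WLC show output; this is not a real controller dump.
SAMPLE_SNAPSHOT = """\
Telnet............................................ Enable
Secure Shell (ssh)................................ Enable
Mgmt Via Wireless Interface....................... Enable
Web Mode.......................................... Disable
Secure Web Mode................................... Enable
Fast SSID Change.................................. Disabled
Aironet IE Support................................ Enabled
Band Select....................................... Enabled
802.11b Data Rates................................ Enabled
"""

# (category, field, desired state) taken from the AirOS best-practice table.
CHECKS = [
    ("Security", "Telnet", False),                       # disable telnet
    ("Security", "Secure Shell (ssh)", True),            # enable SSH
    ("Security", "Mgmt Via Wireless Interface", False),  # no management over wireless
    ("Security", "Web Mode", False),                     # plain HTTP off ...
    ("Security", "Secure Web Mode", True),               # ... HTTPS on
    ("General", "Fast SSID Change", True),
    ("General", "Aironet IE Support", False),
    ("General", "Band Select", True),
    ("RF", "802.11b Data Rates", False),
]

LINE_RE = re.compile(r"^(.*?)\.{2,}\s*(\S+)\s*$")

def parse_snapshot(text):
    """Map each 'Field..... Value' line to a bool (Enable/Enabled -> True)."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).lower().startswith("en")
    return settings

def band(pct):
    """Colour band from the per-controller compliance slide."""
    return "Red" if pct <= 40 else "Yellow" if pct <= 80 else "Green"

def evaluate(settings):
    """Return {category: (passed, total, percent, band)}; a missing field fails."""
    tally = {}
    for cat, field, want in CHECKS:
        passed, total = tally.get(cat, (0, 0))
        tally[cat] = (passed + (settings.get(field) is want), total + 1)
    return {c: (p, t, 100 * p // t, band(100 * p // t)) for c, (p, t) in tally.items()}
```

On the constructed snapshot, evaluate(parse_snapshot(SAMPLE_SNAPSHOT)) scores Security 3/5 (Yellow), General 1/3 (Red) and RF 0/1 (Red); a field absent from the snapshot counts as a failed check rather than a pass.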
Summary: Key Takeaways
Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, ...) and the Apple+Cisco relationship
Wide range of architecture / design choices and High Availability
Brand new controller portfolio (WLC3504, WLC5520, WLC8540, vWLC) with investment protection
Take advantage of innovations from Cisco (11ac Wave 2, Flexible Radio Architecture (FRA), CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
Cisco's investment into technology: Cisco Prime, ISE, new hardware and CMX
Cisco Wireless LAN Documentation
(slide columns: Installation Guides, Radio Configuration, Client Addressing, Policy Engine, Encryption, Best Practices)

INSTALLATION GUIDES
5520 WLC
8540 WLC
AP1570
AP1810 OE
AP1810W Wall Plate
AP1850
AP2700/3700
AP2800/3800
AP702W
APIC-EM Wireless AP PnP
Flex7500 WLC
Mesh APs
Mobility Express
Smart Licensing
Univ. AP Regulatory Domain
Virtual WLC

RADIO CONFIGURATION
802.11r BSS Fast Transition
Adaptive wIPS
ATF Ph 1 & 2
CleanAir
CMX FastLocate
High Density
Rogue Management
RRM RF Grouping Algorithm
RRM White Paper
HyperLocation

CLIENT ADDRESSING
Bi-Directional Rate Limiting
Flex AP-EoGRE Tunnel Gtwy
IPv6
Jabber
Jabber and UCM
Microsoft Lync
Passpoint Configuration
Real-Time Traffic Over WLAN
VideoStream
Vocera IP Phone in WLAN
VoWLAN Troubleshooting
iPhone 6 Roaming

POLICY ENGINE
AVC
Bonjour
Chromecast
Device Classification
Domain Filtering
mDNS Gateway w/Chromecast
Wireless Device Profiling & Policy Classification

BEST PRACTICES
Apple Devices
Enterprise Mobility Design Guide
High Availability (SSO)
BYOD for FlexConnect
BYOD with ISE
Security Integration
N+1 High Availability
WLAN Express
WLC Configuration Best Practices
VoD Links
Cisco WLAN YouTube channel: https://www.youtube.com/user/CiscoWLAN/
Cisco CMX Solution: https://www.youtube.com/watch?v=KQRb8vfU0qM
Fastlane App Demo: https://www.youtube.com/watch?v=N1QMUcv3aRQ
CMX Hyperlocation vs RSSI Demo: https://www.youtube.com/watch?v=6ls7EHbSK4A
Cisco APIC-EM Wireless PnP Demo: https://www.youtube.com/watch?v=_9P2-bU66PU
Cisco Dual 5GHz Wi-Fi: https://www.youtube.com/watch?v=mbpjiETvDXc
Cisco Aironet Plug and Play Cloud Redirection: https://www.youtube.com/watch?v=W7fBZ6xfSxw
Cisco Aironet AP-3800 RF Excellence: https://www.youtube.com/watch?v=dBpGsTKeyNM&t=64s
Wireless LAN Controller Dashboard Review: https://www.youtube.com/watch?v=af09TBaafRI&feature=youtu.be
Digital Network Architecture with Wave2 with 802.11ac: https://www.youtube.com/watch?v=ySjN13hPhXY&t=2s
Cisco Wireless Mobile App: https://www.youtube.com/watch?v=HyvZ4mbVAWs
Cisco Aironet Series Flexible Radio Assignment: https://www.youtube.com/watch?v=K_-BykT_YIM
WLC Advanced UI Client Troubleshooting: https://www.youtube.com/watch?v=dZVxI6jOx_Q
TechWiseTV: Apple and Cisco: Fast-Tracking the Mobile Enterprise: https://www.youtube.com/watch?v=bh8rEvrzm7Y&feature=youtu.be
ISE Simplified Wireless Setup: https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
Prioritized Business Apps: https://www.youtube.com/watch?v=z0EOKNxL964&feature=youtu.be
Cisco Wireless TrustSec Demo: https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
Apple and Cisco: Three Solutions Coming Together: https://www.youtube.com/watch?v=7MgsDkf55wQ&feature=youtu.be
Cisco Wireless Netflow Lancope Integration Demo: https://www.youtube.com/watch?v=TuWYkrt94CQ
WiFi Optimized Feature: https://www.youtube.com/watch?v=xgPfxAolJoQ&feature=youtu.be
OpenDNS Integration with WLC: https://www.youtube.com/watch?v=cMdX8sBBYG4
Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session.
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

Call to Action: Learning more about IPv6

Sessions
LTRSEC-3004 Advanced IOS IPSec VPN with FlexVPN hands-on Lab (Tue 09:00:00)
BRKIP6-2616 Addressing Networking challenges with latest Innovations in IPv6 (Tue 11:15:00)
BRKRST-2337 OSPF Deployment in Modern Networks (Tue 11:15:00)
BRKEWN-2010 Design and Deployment of Enterprise WLANs (Tue 14:15:00)
BRKSEC-2501 Deploying AnyConnect SSL VPN with ASA5500 (Tue 14:15:00)
LTRRST-2005 Introductory - LISP Cloud extension, VPN and DC Mobility (Tue 14:15:00)
BRKRST-2116 Intermediate - IPv6 from Intro to Intermediate (Tue 14:15:00)
BRKRST-2022 IPv6 Routing Protocols Update (Tue 16:45:00)
BRKSPG-2061 IPv6 Deployment Best Practices for the Cable Access Network (Wed 09:00:00)
BRKRST-3045 LISP - A Next Generation Networking Architecture (Wed 09:00:00)
LABSPG-7122 Advanced IPv6 Routing and services lab (Wed 09:00:00)
BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation (Wed 11:30:00)
BRKIPM-2239 Multicast and Segment Routing (Wed 14:30:00)
BRKIP6-2002 IPv6 for the World of IoT (Wed 16:30:00)
LABIPM-2007 Intermediate - IPv6 Hands on Lab (Thu 09:00:00)
BRKSEC-3003 Advanced IPv6 Security in the LAN (Thu 11:30:00)
BRKRST-2336 EIGRP Deployment in Modern Networks (Thu 11:30:00)
LABSPG-7122 Advanced IPv6 Routing and services lab (Thu 14:00:00)
BRKRST-2045 BGP operational security best practices (Thu 14:30:00)
BRKCOL-2020 IPv6 in Enterprise Unified Communications Networks (Thu 14:30:00)
LABIPM-2007 Intermediate - IPv6 Hands on Lab (Fri 09:00:00)
BRKRST-2301 Intermediate - Enterprise IPv6 Deployment (Fri 09:00:00)
BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers (Fri 11:30:00)

Lunch and Learn
IPv6 in the Enterprise: Tue 13:00
All Things IPv6: Wed 13:00

Experiment with IPv6-only WiFi
SSID: CL-NAT64
WPA passphrase: cl-nat64
SLAAC + stateless DHCP
NAT64 included to access legacy

Ask all World of Solutions exhibitors for their IPv6 support
DevNet Zone: IPv6 Content Networking + ask other demos
Q&A
Thank You
