Cisco WLAN Best Practice
TRANSCRIPT
7/23/2019 Cisco WLAN Best Practice
http://slidepdf.com/reader/full/cisco-wlan-best-practice 1/119
Best Practices for Configuring C
Wireless LAN Controllers
Aparajita Sood
Technical Marketing Engineer
BRKEWN-2670
User-First Pillars and Checkpoints
Pillars:
• Enhance Usability and Manageability Experience
• Drive Feature Adoption
• Fine-tune features to Optimum Best
• Derive Maximum Potential from WLAN Deployment
Checkpoints:
• Express Setup
• Monitoring & RF Dashboard
• Feature Best Practices
• Audit Upgrade Workflow
• WLCCA
• C
Agenda
• WLC Express Setup
  • Wired Express Setup
  • OTA Express Setup
• WLC Dashboard View
  • Monitoring
  • RF Health
  • Mobile App
• WLC Best Practice Audit
  • One-click Fix
  • Manual Configuration
• WLCCA Update
  • RF Health
• Cisco Active Advisor
  • Device Health Score
  • Wireless Health Tool
• Feature Best Practices
  • Infrastructure
  • RF/RRM
  • Security and BYOD
  • FlexConnect
Best Practices Checkpoints

WLC: WLAN Express Setup (7.6 MR2, 8.0, 8.1)
Best Practices defaults, RF Parameter Optimization, Network Profiles
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security, resiliency with best practice recommendations turned on at boot-up time

WLC: Best Practice Audit, Dashboard View (8.1)
Audit Page on Upgrade, One-click Fix It, Manual Config Option
• Compliance metric and reporting natively on WLC
• Identify missing best practice configuration on upgrade
• Easy one-click Fix It option to turn on Best Practice Knobs
• Restore Defaults to revert configuration to default

WLCCA: Config Analyzer
Windows Executable “show run-config” Based Analyzer Tool
• Downloadable client
• Configuration stays local
• Simplified operational use to quickly identify and fix problem areas
• RF Health metrics, IOS Support, Mobility Group support

Free, cloud Agentless –
Act
2. App Engage
• Cisco Perso
• Compare yo configuration practices
• Automated Network Sca
Express Setup
WLAN Express Setup: Day 0/1 Ease of Setup
Wired Express Setup
• Introduced on 2504 in 7.6 MR2, 8.0
• Extended to 5508, vWLC, 7510, 8510 in 8.1
• Extended to 5520, 8540 in 8.1
Wireless Over-The-Air (OTA) Setup
• Available in 8.1 and higher
• Supports Universal AP (UX)
• Supported on 2504
Wired and Wireless OTA Express Setup: Day 0/1 Ease of Setup
• Wireless: Connect AP WLC port 3 or 4 (PoE
• Wired: Connect PC Ethernet cable to any port on the WLC for 2504 and to SP port on other WLCs
• If setup is Wireless, wait for AP to power and broadcast SSID
• Wait for the SYS LED light to be solid
• Connect to SS
  the key ‘passw
• Open a web browser and access http://192.168.1.1
• Enable RF Optimization
• Confirm settings
• Go through a setup wizard
Best Practices Audit
Best Practices Audit Workflow
• Compliance level check natively on WLC
• Identify Best Practice gaps on upgrade
• Easy one-click Fix It Now
• Restore Default to revert configuration to default
• Learn more to understand better
Dashboard Views
Network Summary – Access Points List
Network Summary – Client List
• AP
• Si
• Le
Network Summary – Client Details
• Single pane of glass for client troubleshooting
• Client Connection Stat
• Reachability and Latency
• Client Capabilities
• Neighbouring APs
• Correct Policy Assignment – Security, QoS, mDNS, VLAN, ACL
• Application Usage
Wireless Dashboard – Client Performance
Use Cases:
• Client Connectivity Issues
• Poor Client Performance
Users cannot connect
• 802.11 association failure
• DHCP Failure
• Web Auth failure
• Admin Reset
Low RSSI caused by Sticky Client and Legacy Devices
Client identif
Monitoring App – RF Overview
Monitoring App – AP and Client Performanc
WLC Config Analyzer – Deployment types
Addressing BP and features based on deployment
• Voice
• Security
• Flex
• Mesh
• Enterprise*
• BYOD*
*Coming Soon!
WLC Config Analyzer – Per Controller Com
• Best Practices categorized into
  • General
  • AP
  • Mobility
  • RF
  • Security
  • Voice
  • Mesh
  • Flex
• Per-Controller Compliance Level for Each category
• Total/Passed/Failed checks
Compliance Level: 0-40%, 41-80%, 81-100%
WLC Config Analyzer – Best Practices deta
• Individual Best Practice knob compliance (Yes/No)
• Overall Compliance per category: 0-40%, 41-80%, 81-100%
WLC Config Analyzer – Site Summary Mess
• Best Practices is NOT Config Errors or Design decisions
• It is - “Works without but works much better with”
• Verbose BP messages under Global Messages and AP Messages
Be
RF Health Analysis
RF Health: Single AP, AP Groups, RF Neighborhood, Flex Groups
• Summarization of the
  aggregated per: AP, AP Group, FlexConnect Gro, RF Neighborhood
• Aggregation of the RF
  each working entity, fo
  analysis
Cisco Active Advisor Personalized Health Sc
Im
Personahealth s
Free, closervice
Automainventonetwork
Feature Best Practices
Infrastructure Best Practices
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• Disable Aironet IE
Infrastructure: Enable AP Failover Priority
• Wireless -> Access Points -> Global Configurations
• Wireless -> Access Points -> All APs -> AP_NAME -> High Availability
Allows certain APs to be assigned higher WLC join priorities, so they are given p joining a WLC
Infrastructure: Enable AP Multicast mode
Controller -> General -> AP Multicast Mode
Forward multicast traffic to Access Points instead of sending unicast messages to eac
Unique a
clashing
Network infrastructure must provide multicast routing between management interface sub
Infrastructure: Multicast VLAN for Interface G
WLANs -> WLAN Name -> General
To limit the multicast on the air to a single copy on a predefined mu
[Figure: Network, Interface group with VLAN1, VLAN2 (mcast_vlan), VLAN3, VLAN4]
Infrastructure: Enable AVC
Wireless -> Application Visibility and Control -> AVC Profiles
Classifies applications, provides real-time analysis, and allows users to drop or
user per-device granularity for control
• Add per application rules
• Enable Application Visibility
Infrastructure: Enable NTP
Controller -> NTP -> Keys
Controller -> NTP -> Server
Synchronizes the time among all devices on the network including Access Point we have X.509 certificates installed in AP and WLC, Context-aware and location Debugging
If NTP requires authentication, first add key
Infrastructure: Enable Multicast Mobility for mobility
Controller -> General
Controller -> Multicast
Allows clients to announce messages to all mobility peers, instead of individual W
time, CPU usage, and network utilization. Multicast routing between controllers
Infrastructure: Enable Client Load Balancing
WLANs -> Edit “WLAN-NAME” -> Advanced
Balances the number of clients connected to a WLAN between mu
Not suitable for Voice, Low Density and single AP deployments lik
• Client Window Size 1-20
• Maximum Denial Count 0-10
Infrastructure: Same Virtual IP if same mobility nam
Controller -> Interfaces -> virtual
Inter-controller roaming can appear to work, but the hand-off does not c
client loses connectivity when DHCP renew is performed if DHCP proxy
Mobility Group
192.0.2.1 19
RF & RRM Best Practices
RF & RRM: Disabling .11b Data Rates
Wireless -> 802.11b/g/n -> Network
Management frames sent at lowest mandatory rate - slows down the e
RF & RRM: Disabling .11b Data Rates
Demonstrating the impact of 802.11b data rates on Channel Utiliza
1 Mbps Mandatory :
6 Mbps Mandatory :
RF & RRM: Enable Channel Bonding – DBS
Wireless -> 802.11a/n/ac -> RRM -> DCA
40/80MHz wide channels in the 5GHz space can 2x/4x the amount of user data t
transmitted. For extreme HD deployments use 20 MHz channels to keep cell size
Select the widest Channel W
• Highest Client Data
• Lowest Channel Uti
• Minimize Data Retri
• On the 5GHz Band
While avoiding:
• Rogue APs
• CleanAir Interferers
RF & RRM: Enable Client Band Select
WLANs -> Edit “WLAN-NAME” -> Advanced
Allows dual-band clients to move to the less congested 5GHz
Not recommended for Voice deployments
RF & RRM: RF Profiles
• RF Profiles work in conjunction with AP Groups (beginning in release 7.2)
• You can create separate RF profiles for both 2.4 and 5 GHz
• 1 profile for each band (802.11a/802.11b) can be assigned to an AP group
• Today
  • 802.11 data rates
  • TPC Power Threshold and Min/Max Power settings
  • DCA
  • Coverage hole algorithm settings
  • High Density – HDX configurations RX_SOP, Client Limit, Mcast data ra
  • Client Distribution
More granular control of the RF network
RF Profiles : Granular Control
Data Rates
Load Balancing
TPC, DCA, Coverag
Network Profiles
Client Dens
Typical, Low
Traffic Type : D
and Voice
Sets pre-defined RF parameters depending on “Client” Density and
Type
Pre-built RF profiles
Pre-built RF pr
use with AP G
Client Density specific pre-built RF profiles for 2.4 GHz and 5GHz Bands – towith AP Groups
RF & RRM: Use AP Groups
WLAN -> Advanced -> AP Groups
Ability to enable Wi-Fi Services and segregation of traffic based on ph
RF & RRM: Enable RRM (DCA) to be auto
Wireless -> 802.11a/n/ac or 802.11b/g/n -> RRM -> DCA
Allows RRM to automatically select the best channel for each
DCA defaults work for typical carpeted offices
RF & RRM: RF Group Leader must be an .11ac WLC (Re
in RF Groups with mixed versions
Wireless -> 802.11a/n/ac -> RRM -> DCA
If the RF Group Leader does not support 802.11ac (Release 7.5+), APs cannot select 80MHz channel widths
RF & RRM: Enable RRM (TPC) to be auto
Wireless -> 802.11a/n/ac or 802.11b/g/n -> RRM -> TPC
Allows RRM to automatically select the best transmit power for e
Tune RRM parameters with Network and pre-built RF prof
Recommended to use TPCv1
RF & RRM: Enable Cisco CleanAir
Wireless -> 802.11a/n/ac or 802.11b/g/n -> CleanAir
CleanAir identifies non-WIFI interferers and generates interferer and a
Enable CleanAir on both radio bands
RF & RRM: Enable Noise & Rogue Monitoring
Wireless -> 802.11a/n/ac or 802.11b/g/n -> RRM -> General
Scan All Channels for security, DCA Channels for performa
RF & RRM: Enable DFS channels
Wireless -> 802.11a/n/ac or 802.11b/g/n -> RRM -> DCA
Allows more 5GHz channels (only in regulatory domains that support UN
Please note that some clients do not support DFS channels
Increase the number of chann
12 additional channels based o
RF & RRM : Disable Avoid Cisco AP Load
Wireless -> 802.11a/n/ac -> RRM -> DCA
Wireless -> 802.11b/g/n -> RRM -> DCA
To avoid frequent changes in DCA due to varying Load cond
Security & BYOD Best Practices
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advance EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Peer-to-peer blocking
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers
Security : Enable 802.1x on WLAN
WLANs -> Edit WLAN_NAME -> Security
Provides greater network security on WLAN using 802.1x authe
Security: Enable 802.1x authentications for
Wireless -> Access Points -> Global Configurations
To enable 802.1X authentication on a switch port, o
these commands:
Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default g
Switch(config)# radius-server host ip_addr auth-po
key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Provides greater network security by enabling 802.1x on the switch p
connected. Not supported for Mesh deployments
Security: Enable SSH and Disable Telnet
Management -> Telnet-SSH
Disable Telnet and enable SSH as the default option
Provides greater security by allowing secure access and denying unen
0 implies no sessio
will be allowed
Security: Disable Management Over Wireles
Management -> Mgmt Via Wireless
Disallow management of the Controller via Wireless
Security : Disable WiFi Direct
WLANs -> WLAN Name -> Advanced
Prevent security hole if the device is connected to both the infrastructur
Personal Area Network (PAN) at the same time. Will break Android devi
[Figure: Corporate Laptop, Corporate WLAN, Unauthorized Devices]
Security: Secure Web Access ( HTTPS )
Management -> HTTP-HTTPS
Provides greater security by allowing secure access
Security: Enable User Login Policies
Security -> AAA -> User Login Policies
Prevent login attacks by restricting the numbers the users who can use credentials between 1 - 5
Range is between 0 – 8. Zero indicates no limit
Security: Enable Client Exclusion Policies
Security -> Wireless Protection Policies -> Client Exclusion Policies
Enable exclusion policies to prevent the network from Assoc/Auth failure
Disable for Voice deployments
Security: Enable Strong Password Policies
Security -> AAA -> Password Policies
Enable strong user and AP password policies on the contr
Minimum password length of 8 is recommended
Security: Enable Rogue Policies
Security -> Wireless Protection Policies -> Rogue Policies -> Gener
The Rogue Detection Security Level should be set at a minimum
Friendly Malic
Security: Set Rogue Detection RSSI
Security -> Wireless Protection Policies -> Rogue Policies -> Gen
Set Rogue Detection Minimum Threshold to -70 to -75 dB
Security: Enable IDS Signatures
Security -> Wireless Protection Policies -> Standard Signatures
Enable the wireless IDS features in the controller and enable 17 built-in intrusion attacks
Security : Enable CPU ACLs
Security -> Access Control Lists -> CPU Access Control Lists
Control overall access to the WLC by filtering management protocols su
SNMP, etc such that they can only hit the CPU if they originate from our
networks
BYOD: Session Timeout
WLANs -> WLAN Name -> Advanced
Longer is better for AAA load up to a value of 86400 seconds for 802.1x
seconds for open/CWA SSIDs, shorter is better from security point of vie
BYOD: Client Idle Timeout
WLANs -> WLAN Name -> Advanced
For networks where users stay largely within the coverage area the sett
increased to 3600 seconds for an SSID running 802.1x or RADIUS NAC
BYOD: Client Exclusion
WLANs -> WLAN Name -> Advanced
180 seconds is the recommended default with ISE though 60 seconds is
default. The reason behind this is the minimum reject interval on ISE for
supplicant detection is 5 minutes or 300 seconds
BYOD: EAPoL and EAP Request Timeout
WLANs -> WLAN Name -> Security -> AAA Servers
Recommended EAPoL-Key Timeout < 1000 ms and EAPoL-Key Ma
Recommended EAP Request timeout < 30 sec (10 sec) and EAP Ma
BYOD: Disable Interim Accounting
WLANs -> WLAN Name -> Security -> AAA Servers
Interim accounting adds additional unneeded load with no added be
BYOD : Disable Aggressive Failover
config radius aggressive-failover disable command t
aggressive failover feature
show radius summary to check the status of this feature
Only fails over to the next AAA server if there are three consecutive
fail to receive a response from the RADIUS server
In some circumstances it can cause the WLC to prematurely mark ISE high load and cause additional load on ISE
BYOD : Set RADIUS Fallback Passive
Security -> AAA -> RADIUS -> Fallback
Recommended to configure RADIUS Fallback Mode to Pas
The WLC can be c
the primary server
switch back to the
server once it is av
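Added example, not part of the original deck and not code from Cisco's tools: the Security and BYOD recommendations above expressed as checks, scored per category with Total/Passed/Failed and the 0-40% / 41-80% / 81-100% compliance levels that the WLC Config Analyzer slides describe. The setting names and the sample values are constructed for illustration and are not WLC output fields; counting a missing setting as failed and rejecting a session timeout of 0 are assumptions.

```python
# Added example, not from the deck or from Cisco's tools. Setting names are
# hypothetical and SAMPLE is constructed; neither is real controller output.
from collections import defaultdict, namedtuple

# key: hypothetical setting name; advice: recommendation as worded on the slides
Check = namedtuple("Check", "category key advice passes")


def on(v):
    return v is True


def off(v):
    return v is False


CHECKS = [
    Check("Security", "telnet_enabled", "Disable Telnet", off),
    Check("Security", "ssh_enabled", "Enable SSH", on),
    Check("Security", "mgmt_via_wireless", "Disable Management Over Wireless", off),
    Check("Security", "https_enabled", "Secure Web Access (HTTPS)", on),
    Check("Security", "wifi_direct_allowed", "Disable WiFi Direct", off),
    Check("Security", "client_exclusion_enabled", "Enable Client Exclusion Policies", on),
    Check("Security", "ids_signatures_enabled", "Enable IDS Signatures", on),
    # Range is 0-8 and zero indicates no limit, so 0 fails.
    Check("Security", "max_concurrent_logins", "User logins between 1 - 5",
          lambda v: 1 <= v <= 5),
    Check("Security", "min_password_length", "Minimum password length of 8",
          lambda v: v >= 8),
    Check("Security", "rogue_min_rssi_dbm", "Rogue Detection threshold -70 to -75",
          lambda v: -75 <= v <= -70),
    # Assumption: a session timeout of 0 (never expires) is treated as a failure.
    Check("BYOD", "dot1x_session_timeout_s", "802.1x session timeout up to 86400 s",
          lambda v: 0 < v <= 86400),
    Check("BYOD", "client_exclusion_timeout_s", "Client exclusion 180 s with ISE",
          lambda v: v == 180),
    Check("BYOD", "eapol_key_timeout_ms", "EAPoL-Key Timeout < 1000 ms",
          lambda v: v < 1000),
    Check("BYOD", "eap_request_timeout_s", "EAP Request timeout < 30 sec",
          lambda v: v < 30),
    Check("BYOD", "interim_accounting", "Disable Interim Accounting", off),
    Check("BYOD", "radius_aggressive_failover", "Disable Aggressive Failover", off),
    Check("BYOD", "radius_fallback_mode", "Set RADIUS Fallback Passive",
          lambda v: str(v).lower() == "passive"),
]


def audit(settings):
    """Return (check, status) pairs; status is PASS, FAIL or MISSING."""
    results = []
    for check in CHECKS:
        if check.key not in settings:
            status = "MISSING"      # assumption: an unreported knob is not compliant
        else:
            try:
                status = "PASS" if check.passes(settings[check.key]) else "FAIL"
            except TypeError:       # wrong type, e.g. "8" where a number is expected
                status = "FAIL"
        results.append((check, status))
    return results


def band(percent):
    """Map a whole-number percentage to the three compliance levels on the slides."""
    if percent <= 40:
        return "0-40%"
    return "41-80%" if percent <= 80 else "81-100%"


def compliance(results):
    """Total/Passed/Failed, percentage and level per category."""
    counts = defaultdict(lambda: [0, 0])            # category -> [total, passed]
    for check, status in results:
        counts[check.category][0] += 1
        counts[check.category][1] += status == "PASS"
    return {cat: {"total": t, "passed": p, "failed": t - p,
                  "percent": p * 100 // t, "band": band(p * 100 // t)}
            for cat, (t, p) in counts.items()}


SAMPLE = {                          # constructed values
    "telnet_enabled": True, "ssh_enabled": True, "mgmt_via_wireless": False,
    "https_enabled": True, "wifi_direct_allowed": False,
    "client_exclusion_enabled": True,            # ids_signatures_enabled left out
    "max_concurrent_logins": 0, "min_password_length": 6, "rogue_min_rssi_dbm": -90,
    "dot1x_session_timeout_s": 86400, "client_exclusion_timeout_s": 180,
    "eapol_key_timeout_ms": 400, "eap_request_timeout_s": 30,
    "interim_accounting": False, "radius_aggressive_failover": False,
    "radius_fallback_mode": "Passive",
}

if __name__ == "__main__":
    for check, status in audit(SAMPLE):
        if status != "PASS":
            print(f"{status:8}{check.category:9}{check.advice}")
    print(compliance(audit(SAMPLE)))
```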
FlexConnect Best Practices
• Enable FlexConnect Groups
• CCKM/OKC Key sharing for Voice deployments
• Design for Resiliency
• Enable Smart AP Image Upgrade
• Configuration and Monitoring at FlexConnect Group
• VLAN Support/Native VLAN at FlexConnect Group
FlexConnect: Enable FlexConnect Groups
Wireless -> FlexConnect Groups -> Edit “Groupname”
Allow users to assign specific APs to groups with set configurations, OK
caching for Voice, Local RADIUS server configuration, consistent WLAN
WAN
Cent
FlexConnect: Configuration & Monitoring at
Consistency of Mapping, Ease of Configuration and per-site monitor
FlexConnect AVC
VLASupport/
VLA
FlexConnect: Enable “FlexConnect AP Upg
Wireless -> FlexConnect Groups -> Edit “Groupname” -> Image Upgrade Ta
Avoids downloading multiple copies of the Access Point software over th
to the remote site, reduces service downtime and reduces risk of downlo
WAN
Wireless Control System
New
Master AP
Best Practices Polling Results!
• SSO
• AVC
• Local Profiling
• Pre-image download
• Data Rates
• SSID Limit
• RF profiles
• 802.1x WLAN
• Client Exclusion
Key Takeaways
Save Time & Money
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security, resiliency with best practice recommendations at boot time
Audit Upgrades
• Compliance metric and reporting natively on WLC
• Identify missing best practice configuration on upgrade
• Easy one-click Fix It option to turn on Best Practice Knobs
Analyze & Mitigate
• Downloadable client
• Configuration stays local
• Quickly identify and fix problem areas
• RF Health metrics, IOS Support, Mobility Group support
Thank you