Cisco WLAN Best Practice

Post on 15-Feb-2018

Page 1: Cisco WLAN Best Practice

7/23/2019 Cisco WLAN Best Practice

http://slidepdf.com/reader/full/cisco-wlan-best-practice 1/119

Best Practices for Configuring C
Wireless LAN Controllers

Aparajita Sood
Technical Marketing Engineer
BRKEWN-2670

User-First Pillars and Checkpoints

• Enhance Usability and Manageability Experience
• Drive Feature Adoption
• Fine-tune features to Optimum Best
• Derive Maximum Potential from WLAN Deployment

• Express Setup
• Monitoring & RF Dashboard
• Feature Best Practices
• Audit Upgrade Workflow
• WLCCA
• C

Agenda

• WLC Express Setup
  • Wired Express Setup
  • OTA Express Setup
• WLC Dashboard View
  • Monitoring
  • RF Health
  • Mobile App
• WLC Best Practice Audit
  • One-click Fix
  • Manual Configuration
• WLCCA Update
  • RF Health
• Cisco Active Advisor
  • Device Health Score
  • Wireless Health Tool
• Feature Best Practices
  • Infrastructure
  • RF/RRM
  • Security and BYOD
  • FlexConnect

Best Practices Checkpoints

Free, cloud Agentless –
Act
2. App Engage

WLC WLAN Express Setup
7.6 MR2, 8.0, 8.1

WLCCA Config Analyzer

WLC Best Practice Audit Dashboard View
8.1

Best Practices defaults, RF Parameter Optimization, Network Profiles

Audit Page on Upgrade, One-click Fix It, Manual Config Option

Windows Executable “show run-config” Based Analyzer Tool

Downloadable client
Configuration stays local
Simplified operational use to quickly identify and fix problem areas
RF Health metrics, IOS Support, Mobility Group support

Cisco Perso
Compare yo
configuration
practices
Automated Network Sca

Compliance metric and reporting natively on WLC
Identify missing best practice configuration on upgrade
Easy one-click fix It option to turn on Best Practice Knobs
Restore Defaults to revert configuration to default

Optimum starting point at Day 0/1 network setup
RF parameter setting Ease of use
Enhanced performance, security, resiliency with best practice recommendations turned on boot up time

Express Setup

WLAN Express Setup
Day 0/1 Ease of Setup

Wired Express Setup
• Introduced on 2504 in 7.6 MR2, 8.0
• Extended to 5508, vWLC, 7510, 8510 in 8.1
• Extended to 5520, 8540 in 8.1

Wireless Over-The-Air (OTA) Setup
• Available in 8.1 and higher
• Supports Universal AP (UX)
• Supported on 2504

Wired and Wireless OTA Express Setup
Day 0/1 Ease of Setup

Wireless: Connect AP WLC port 3 or 4 (PoE

Wired: Connect PC Ethernet cable to any port on the WLC for 2504 and to SP port on other WLCs

If setup is Wireless, wait for AP to power and broadcast SSID

Wait for the SYS LED light to be solid

Connect to SS

the key ‘passw

Wired and Wireless OTA Express Setup
Day 0/1 Ease of Setup

Open a web browser and access http://192.168.1.1

Enable RF Optimization

Confirm settings

Go through a setup wizard

Best Practices Audit

Best Practices Audit Workflow

• Compliance level check natively on WLC
• Identify Best Practice gaps on upgrade
• Easy one-click Fix It Now
• Restore Default to revert configuration to default
• Learn more to understand better

Dashboard Views

Network Summary – Access Points List

Network Summary – Client List

•  AP

• Si

• Le

Network Summary – Client Details

• Single pane of glass for client troubleshooting

Client Connection Stat

Reachability and Latency

Client Capabilities

Neighbouring APs

Correct Policy Assignment – Security, QoS, mDNS, VLAN, ACL

Application Usage

Wireless Dashboard – Client Performance

Use Cases:

• Client Connectivity Issues
• Poor Client Performance

Users cannot connect
• 802.11 association failure
• DHCP Failure
• Web Auth failure
• Admin Reset

Low RSSI caused by Sticky Client and Legacy Devices

Client identif

Monitoring App – RF Overview

Monitoring App – AP and Client Performanc

WLC Config Analyzer – Deployment types

Addressing BP and features based on deployment

• Voice
• Security
• Flex
• Mesh
• Enterprise*
• BYOD*

*Coming Soon!

WLC Config Analyzer – Per Controller Com

• Best Practices categorized into
  • General
  • AP
  • Mobility
  • RF
  • Security
  • Voice
  • Mesh
  • Flex
• Per-Controller Compliance Level for Each category
• Total/Passed/Failed checks

0-40%

41-80%

81-100%

WLC Config Analyzer – Best Practices deta

• Individual Best Practice knob compliance (Yes/No)

Overall Compliance per category

0-40%

41-80%

81-100%

WLC Config Analyzer – Site Summary Mess

• Best Practices is NOT Config Errors or Design decisions
• It is - “Works without but works much better with”
• Verbose BP messages under Global Messages and AP Messages

RF Health Analysis

RF Health: Single AP, AP Groups, RF Neighborhood, Flex Groups

• Summarization of the
aggregated per: AP, AP Group, FlexConnect Gro, RF Neighborhood

• Aggregation of the RF
each working entity, fo
analysis

Cisco Active Advisor Personalized Health Sc

Im

Personahealth s

Free, closervice

 Automainventonetwork

Feature Best Practices

Infrastructure Best Practices

• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• Disable Aironet IE

Infrastructure: Enable AP Failover Priority

• Wireless  Access Points Global Configurations

• Wireless  Access Points  All APs->AP_NAME High Availability

 Allows certain APs to be assigned higher WLC join priorities, so they are given p joining a WLC

Infrastructure: Enable AP Multicast mode

Controller General  AP Multicast Mode

Forward multicast traffic to Access Points instead of sending unicast messages to eac

Unique a

clashing

Network infrastructure must provide multicast routing between management interface sub

Infrastructure: Multicast VLAN for Interface G

WLANs WLAN Name General

To limit the multicast on the air to a single copy on a predefined mu

[Figure: Network; Interface group containing VLAN1, VLAN2 (mcast_vlan), VLAN3, VLAN4]

Infrastructure: Enable AVC

Wireless  Application Visibility and Control  AVC Profiles

Classifies applications, provides real-time analysis, and allows users to drop or

user per-device granularity for control

Add per application rules

Enable Application Visibility

Infrastructure: Enable NTP

Controller NTP Keys

Controller NTP Server

Synchronizes the time among all devices on the network including Access Point we have X.509 certificates installed in AP and WLC, Context-aware and location Debugging

If NTP requires authentication, first add key

Infrastructure: Enable Multicast Mobility for mobility

Controller  General

Controller  Multicast

 Allows clients to announce messages to all mobility peers, instead of individual Wtime, CPU usage, and network utilization. Multicast routing between controllers

Infrastructure: Enable Client Load Balancing

WLANs Edit “WLAN-NAME”  Advanced

Balances the number of clients connect to a WLAN between mu
Not suitable for Voice, Low Density and single AP deployments lik

Client Window Size 1-20

Maximum Denial Count 0-10

Infrastructure: Same Virtual IP if same mobility nam

Controller Interfaces virtual

Inter-controller roaming can appear to work, but the hand-off does not c
client loses connectivity when DHCP renew is performed if DHCP proxy

Mobility Group

192.0.2.1 19

RF & RRM Best Practices

RF & RRM: Disabling .11b Data Rates

Wireless 802.11b/g/n Network

Management frames sent at lowest mandatory rate - slows down the e

RF & RRM: Disabling .11b Data Rates

Demonstrating the impact of 802.11b data rates on Channel Utiliza

1 Mbps Mandatory :

6 Mbps Mandatory :

RF & RRM: Enable Channel Bonding – DBS

Wireless 802.11a/n/ac RRM DCA

40/80MHz wide channels in the 5GHz space can 2x/4x the amount of user data t
transmitted. For extreme HD deployments use 20 MHz channels to keep cell size

Select the widest Channel W
• Highest Client Data
• Lowest Channel Uti
• Minimize Data Retri
• On the 5GHz Band

While avoiding:

• Rogue APs
• CleanAir Interferers

RF & RRM: Enable Client Band Select

WLANs Edit “WLAN-NAME”  Advanced

Allows dual-band clients to move to the less congested 5GHz
Not recommended for Voice deployments

RF & RRM: RF Profiles

• RF Profiles work in Conjunction with AP Groups (beginning in release 7.2)

• You can create separate RF profiles for both 2.4 and 5 GHz

• 1 profile for each band (802.11a/802.11b) can be assigned to an AP group

• Today

• 802.11 data rates

• TPC Power Threshold and Min max Power settings

• DCA

• Coverage hole algorithm settings

• High Density – HDX configurations RX_SOP, Client Limit, Mcast data ra

• Client Distribution

More granular control of the RF network

RF Profiles : Granular Control

Data Rates

Load Balancing

TPC, DCA, Coverag

Network Profiles

Client Dens

Typical, Low

Traffic Type : D

and Voice

Sets pre-defined RF parameters depending on “Client” Density and

Type

Pre-built RF profiles

Pre-built RF pr

use with AP G

Client Density specific pre-built RF profiles for 2.4 GHz and 5GHz Bands – to
with AP Groups

RF & RRM: Use AP Groups

WLAN  Advanced  AP Groups

 Ability to enable Wi-Fi Services and segregation of traffic based on ph

RF & RRM: Enable RRM (DCA) to be auto

Wireless 802.11a/n/ac or 802.11b/g/n RRM DCA

Allows RRM to automatically select the best channel for each
DCA defaults work for typical carpeted offices

RF & RRM: RF Group Leader must be an .11ac WLC (Re
in RF Groups with mixed versions

Wireless 802.11a/n/ac RRM DCA

If the RF Group Leader does not support 802.11ac (Release 7.5+), APs cannot select 80MHz channel widths

RF & RRM: Enable RRM (TPC) to be auto

Wireless 802.11a/n/ac or 802.11b/g/n RRM TPC

Allows RRM to automatically select the best transmit power for e
Tune RRM parameters with Network and pre-built RF prof

Recommended to use TPCv1

RF & RRM: Enable Cisco CleanAir

Wireless 802.11a/n/ac or 802.11b/g/n CleanAir 

CleanAir identifies non-WIFI interferers and generates interferer and a

Enable CleanAir on both radio bands

RF & RRM: Enable Noise & Rogue Monitoring

Wireless 802.11a/n/ac or 802.11b/g/n RRM General

Scan All Channels for security, DCA Channels for performa

RF & RRM: Enable DFS channels

Wireless 802.11a/n/ac or 802.11b/g/n RRM DCA

Allows more 5GHz channels (only in regulatory domains that support UN
Please note that some clients do not support DFS channels

Increase the number of chann
12 additional channels based o

RF & RRM : Disable Avoid Cisco AP Load

Wireless 802.11a/n/ac RRM DCA

Wireless 802.11b/g/n RRM DCA

To avoid frequent changes in DCA due to varying Load cond

Security & BYOD Best Practices

• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advance EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Peer-to-peer blocking
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers

Security : Enable 802.1x on WLAN

WLANs Edit WLAN_NAME Security

Provides greater network security on WLAN using 802.1x authe

Security: Enable 802.1x authentications for

Wireless  Access Points Global Configurations

To enable 802.1X authentication on a switch port, o

these commands:

Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default g
Switch(config)# radius-server host ip_addr auth-po
key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

Provides greater network security by enabling 802.1x on the switch p
connected. Not supported for Mesh deployments

Security: Enable SSH and Disable Telnet

Management Telnet-SSH

Disable Telnet and enable SSH as the default option

Provides greater security by allowing secure access and denying unen

0 implies no sessio

will be allowed

Security: Disable Management Over Wireles

Management Mgmt Via Wireless

Disallow management of the Controller via Wireless

Security : Disable WiFi Direct

WLANs WLAN Name  Advanced

Prevent security hole if the device is connected to both the infrastructur
Personal Area Network (PAN) at the same time. Will break Android devi

[Figure: Corporate Laptop, Corporate WLAN, Unauthorized Devices]

Security: Secure Web Access (HTTPS)

Management HTTP-HTTPS

Provides greater security by allowing secure access

Security: Enable User Login Policies

Security  AAA User Login Policies

Prevent login attacks by restricting the number of users who can use credentials between 1 - 5

Range is between 0  – 8.

Zero indicates no limit

Security: Enable Client Exclusion Policies

Security Wireless Protection Policies Client Exclusion Policies

Enable exclusion policies to prevent the network from Assoc/Auth failure
Disable for Voice deployments

Security: Enable Strong Password Policies

Security AAA Password Policies

Enable strong user and AP password policies on the contr
Minimum password length of 8 is recommended

Security: Enable Rogue Policies

Security Wireless Protection Policies Rogue Policies Gener

The Rogue Detection Security Level should be set at a minimum

Friendly Malic

Security: Set Rogue Detection RSSI

Security Wireless Protection Policies Rogue Policies Gen

Set Rogue Detection Minimum Threshold to -70 to -75 dB

Security: Enable IDS Signatures

Security Wireless Protection Policies Standard Signatures

Enable the wireless IDS features in the controller and enable 17 built-in intrusion attacks

Security : Enable CPU ACLs

Security  Access Control Lists CPU Access Control Lists

Control overall access to the WLC by filtering management protocols su
SNMP, etc such that they can only hit the CPU if they originate from our networks

BYOD: Session Timeout

WLANs WLAN Name  Advanced

Longer is better for AAA load up to a value of 86400 seconds for 802.1x

seconds for open/CWA SSIDs, shorter is better from security point of vie

BYOD: Client Idle Timeout

WLANs > WLAN Name > Advanced


For networks where users stay largely within the coverage area the sett

increased to 3600 seconds for an SSID running 802.1x or RADIUS NAC

BYOD: Client Exclusion

WLANs > WLAN Name > Advanced


180 seconds is the recommended default with ISE though 60 seconds is

default. The reason behind this is the minimum reject interval on ISE for

supplicant detection is 5 minutes or 300 seconds

WLANs > WLAN Name > Security > AAA Servers

BYOD: EAPoL and EAP Request Timeout


Recommended EAPoL-Key Timeout < 1000 ms and EAPoL-Key Ma

Recommended EAP Request timeout < 30 sec (10 sec) and EAP Ma

BYOD: Disable Interim Accounting

WLANs > WLAN Name > Security > AAA Servers


Interim accounting adds additional unneeded load with no added be

BYOD: Disable Aggressive Failover


config radius aggressive-failover disable command t

aggressive failover feature

show radius summary to check the status of this feature

Only fails over to the next AAA server if there are three consecutive

fail to receive a response from the RADIUS server 

In some circumstances it can cause the WLC to prematurely mark ISE high load and cause additional load on ISE
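
The difference between the two failover modes, as an added example that is not from the original slides: a simplified Python model in which aggressive failover marks the RADIUS server dead on the first client that gets no response, while the non-aggressive mode waits for three consecutive such clients. The function names and the sample outcome lists are constructed for illustration.

```python
"""Simplified model of how a WLC decides to fail over to the next AAA server.

Added illustration only; it does not reproduce controller code.
"""


def requests_until_failover(outcomes, aggressive):
    """Return the 1-based index of the client at which failover happens.

    outcomes   -- one boolean per client authentication, True when the
                  RADIUS server answered, False when the client received
                  no response
    aggressive -- True models aggressive failover enabled (assumption: one
                  unanswered client is enough); False models it disabled
                  (three consecutive unanswered clients are required)
    Returns None when the server is never marked dead.
    """
    threshold = 1 if aggressive else 3
    streak = 0  # consecutive clients without a response
    for index, answered in enumerate(outcomes, start=1):
        streak = 0 if answered else streak + 1
        if streak >= threshold:
            return index
    return None


def compare(outcomes):
    """Run both modes over the same sequence of client outcomes."""
    return {
        "aggressive": requests_until_failover(outcomes, aggressive=True),
        "non_aggressive": requests_until_failover(outcomes, aggressive=False),
    }


# Constructed sample: a busy but healthy server that drops a few requests.
LOADED_SERVER = [True, True, False, True, True, False, False, True, True, True]
# Constructed sample: a server that stops answering after the first client.
DEAD_SERVER = [True, False, False, False, False]

if __name__ == "__main__":
    print("loaded server:", compare(LOADED_SERVER))
    print("dead server:  ", compare(DEAD_SERVER))
```

On the loaded-server sample the aggressive mode abandons a server that is still answering most clients, while the non-aggressive mode still fails over when the server really stops responding.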

BYOD: Set RADIUS Fallback Passive

Security > AAA > RADIUS > Fallback


Recommended to configure RADIUS Fallback Mode to Pas

The WLC can be c

the primary server

switch back to the

server once it is av


FlexConnect Best Practice

FlexConnect Best Practices


FLEXCONNECT

Enable FlexConnect Groups

CCKM/OKC Key sharing for Voice deployments

Design for Resiliency

Enable Smart AP Image Upgrade

Configuration and Monitoring at FlexConnect Group

VLAN Support/Native VLAN at FlexConnect Group

FlexConnect: Enable FlexConnect Groups

Wireless > FlexConnect Groups > Edit “Groupname”


Allow users to assign specific APs to groups with set configurations, OK

caching for Voice, Local RADIUS server configuration, consistent WLAN


FlexConnect: Configuration & Monitoring at


Consistency of Mapping, Ease of Configuration and per-site monitor

FlexConnect AVC

VLASupport/

VLA

FlexConnect: Enable “FlexConnect AP Upg

Wireless > FlexConnect Groups > Edit “Groupname” > Image Upgrade Ta


Avoids downloading multiple copies of the Access Point software over th

to the remote site, reduces service downtime and reduces risk of downlo

[Diagram labels: WAN, Wireless Control System, New, Master AP]


Best Practices Polling Results!

SSO, AVC, Local Profiling, Pre-image download, Data Rates, SSID Limit, RF profiles, 802.1x WLAN, Client Exclusion

Key Takeaways

Enhance Usability and Manageability Experience

Drive Feature Adoption

Fine-tune features to Optimum Best

Derive Maximum Potential from WLAN Deployment


Optimum starting point at Day 0/1 network setup

RF parameter setting ease of use

Enhanced performance, security, resiliency with best practice recommendations at boot time

Save Time & Money Audit Upgrades

Compliance metric and reporting natively on WLC

Identify missing best practice configuration on upgrade

Easy one-click Fix It option to turn on Best Practice Knobs

Downloadable client

Configuration stays local

Quickly identify and fix problem areas

RF Health metrics, IOS Support, Mobility Group support

Analyze & Mitigate

Express Setup

Monitoring and RF Dashboard

Audit Upgrade Workflow

WLCCA CAA

Best Deploy


Thank you
