#CLMEL Design and Deployment of Enterprise WLANs

Sujit Ghosh, Sr. Mgr. Technical Marketing, ENG BRKEWN-2010


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda

• Intent Based Architecture

• Architecture Building Blocks

• Mobility in the Cisco Unified WLAN Architecture

• Deploying the Cisco Unified Wireless Architecture

• Bringing All Together – Best Practices

Intent based networking: Bringing together best of breed platforms with an integrated architecture

[Figure: Cisco DNA Center (Policy, Automation, Assurance) translating Intent and Context onto the Intent-based Network Infrastructure, with Learning and Security spanning the stack]

Today, we are introducing the next chapter in our strategy

[Figure: the same Cisco DNA Center / Intent-based Network Infrastructure diagram, with Learning, Intent, Context and Security]


Intent based infrastructure – Wireless access points

• High density redefined: Dual 5 GHz Flexible Radios increase capacity by 200% to onboard more users and things automatically

• Zero-impact Intelligent Capture to resolve network issues instantly: probes the network and provides Cisco DNA Center with deep analysis, resolving issues in minutes rather than days

• Purpose-built hardware for analytics and performance: drives location, telemetry, CleanAir, ClientLink, HDX and AVC with no impact on performance to serving clients, with future-proof expandability via USB and module port

World’s Smartest Access Point: Cisco Aironet 4800 AP with Intelligent Capture

• 63% of users assume the wireless network is the problem

• 72 hours: average amount of time to resolve a user issue; with Aironet 4800, hours become minutes

• All-in-one AP with Cisco DNA Center Assurance (best-in-class performance, security and analytics)

• Zero impact for security and analytics: 24x7 dedicated radio for secure coverage monitoring and analytics data

• Real-time telemetry with deep visibility: tracks 240+ onboarding anomalies, the industry’s most granular view into wireless traffic

• Industry leading Hyperlocation: Aironet 4800 Access Point with <3 meter median accuracy for Wi-Fi and BLE

Most Advanced Aironet Hardware

A • 2.4/5 GHz Macro Cell, Wide Coverage (4 antennas)

B • Monitor / Sniffer (4 antennas)

C • Bluetooth Low Energy (BLE) Beacon on Tx (1 antenna)

D • Hyperlocation Array (16 antennas) for Precise Location

E/F • 5 GHz Micro Cell (4 antennas), High Density Coverage

The industry’s most comprehensive and innovative access point portfolio: the best infrastructure leads to the best outcomes

Good – Enterprise class (ideal for small to medium-sized deployments): 1815 Series (NEW), 1830/1850 Series. Better – Mission critical: 2800 Series. Best in class – High density: 3800 Series, 4800.

1815 Series (indoor/high-powered, wall plate/teleworker)
• 2x2:2 SS 80 MHz
• 867 Mbps performance
• Tx beamforming
• Integrated BLE
• Max transmit power (dBm) per local regulations (2)
• 3 GE local ports, including 1 PoE out (3)
• Local ports 802.1X ready (3)
• USB 2.0 (4)
• Internal antenna

1830/1850 Series (indoor)
• 3x3:2 SS 80 MHz / 4x4:3 SS 80 MHz
• 867 Mbps or 1.7 Gbps performance
• 1 or 2 GE ports uplink
• Internal or external antenna (1850)
• Tx beamforming
• USB 2.0

2800 Series
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink
• Cisco CleanAir® and ClientLink
• Internal or external antenna
• Smart antenna connector
• USB 2.0

3800 Series
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 Multigigabit (5G)
• Cisco CleanAir and ClientLink
• StadiumVision™
• Internal or external antenna
• Smart antenna connector
• USB 2.0
• Modularity for investment protection

4800
• 4 embedded radios (3 Wi-Fi and 1 BLE)
• Cisco Intelligent Capture for Cisco DNA Assurance
• Embedded Hyperlocation (1)
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 Multigigabit (5G)
• Cisco CleanAir and ClientLink
• USB 2.0
• Integrated BLE

(1) Future availability (2) Available for high-powered only (3) Available for wall plate and teleworker only (4) Available for teleworker only

Designed to be Cisco DNA Ready: Industry’s Most Comprehensive Outdoor AP Portfolio

1540 (New*)
• 802.11ac Wave 2, MU-MIMO
• 2x2:2, 80 MHz, 867 Mbps
• Ultra low profile
• Internal antenna only
• PoE (802.3af) power
• Centralised, FlexConnect, Mesh and Mobility Express

1560
• 802.11ac Wave 2, MU-MIMO
• 3x3:3, 80 MHz, 1.3 Gbps (I)
• 2x2:2, 80 MHz, 867 Mbps (E/D)
• Internal or External antenna model (I/E)
• Internal directional antenna model (D)
• SFP
• Flexible Antenna Ports
• CleanAir and ClientLink
• Centralised, FlexConnect, Mesh and Mobility Express

1570
• 802.11ac Wave 1
• 4x4:3, 80 MHz, 1.3 Gbps
• External antenna model (EAC)
• Cable Modem model (IC/EC)
• SFP/GPS
• PoE Out 802.3at (Ext Ant. only)
• Flexible Antenna Ports
• CleanAir and ClientLink
• Modularity (Ext Ant. only)
• Centralised, FlexConnect and Mesh
• Cable Modem Version Only (IC/EC): DOCSIS 3.0, 24x8; Internal or External antenna

Cisco DNA Ready | RF Excellence | CMX | 802.11ac Wave 2

Sensor Anywhere: Drives Intelligence of Cisco DNA Assurance to the edge

Test Your Network Anywhere, at Any Time, at Real-world Client Level

Aironet 1800S Active Sensor
• 2x2 with 2 spatial streams
• Multiple powering options: PoE power, USB Type “C” power, direct AC power plug
• Integrated BLE
• Ultra compact form factor

AP as a Sensor (1800/2800/3800/4800)
• Purpose-built hardware for analytics
• In-line monitoring to Cisco DNA for analytics and insights while serving clients

Workflow: Onboarding and Services → Dynamic Sensor Test → Configure Tests Remotely → Global Issue Creation → SLA Dashboard / Tests Trigger

Intent Based Infrastructure – Wireless LAN Controller Portfolio: Multiple Deployment options and SD-Access Wireless Ready

Branch deployment
• Mobility Express: 100 APs, 2000 clients (up to 100 APs)
• Cisco 3504: 150 APs, 3000 clients, 4 Gbps (up to 200 APs)

Campus deployment
• Cisco vWLC**: 3000 APs, 32000 clients, FlexConnect mode (up to 3000 APs)
• Cisco 5520: 1500 APs, 20,000 clients, 20 Gbps
• Cisco 8540: 6000 APs, 64,000 clients, 40 Gbps (up to 6000 APs)

Cisco Catalyst 9800 Wireless Controller Appliances: Catalyst 9800 Series Wireless Controllers

Translate business intent into network policy and capture actionable insights with Cisco DNA Center

• C9800-80
• C9800-40
• C9800 for Cloud (* GCP EFT only)
• C9800 on Cat 9k Switch

Aironet Access Points: works with Cisco Aironet 802.11ac Wave 1 and Wave 2 Access Points

Catalyst 9800 Series Wireless Controller Appliances C9800-40 and C9800-80

• Unprecedented throughput with the industry’s 1st 100GE uplink
• 99%+ accuracy with Encrypted Traffic Analytics and Stealthwatch integration
• Investment protection with modular uplinks
• Always-on: high availability and seamless software updates
• Scale options for your campus
• Open standards based programmability with model-driven telemetry
• 2x throughput option now available with C9800-80, going up to 80 Gbps
• Programmable multi-core network processor

Cisco Catalyst 9800 Wireless – Platform Support

Wireless Controllers
• Cisco Catalyst 9800 Wireless Controller: C9800-40-K9, C9800-80-K9
• Cisco Catalyst 9800 Wireless Controller for Cloud: C9800-CL-K9 (*GCP in 16.10 is EFT only)
• Catalyst 9800 SD-Access Embedded Wireless

Access Points (11ac Wave 1 and Wave 2): AP1810, AP1815, AP1830, AP1850 (AP18xx), AP2800/AP3800/AP4800 (2802, 3802, 4800), AP1540/AP1560, 1700, 2700, 3700, 1570

Deployment Modes: Centralised, Distributed Branch, SDA and Mobility Express (Future)

AP Modes: Local, FlexConnect, Monitor, Mesh^, Flex+Mesh^, Sensor, Sniffer

^ supported on Wave 1 and outdoor Wave 2 APs

C9800-80: industry’s first modular wireless controller, orderable now, with 100GE modular uplink and seamless software updates

Up to 6,000 APs, up to 64,000 clients, 80 Gbps

• Redundant power supply, AC or DC
• SP/RP port
• USB 3.0
• Fibre RP port
• 8 x 10 GE uplinks
• Modular uplinks: GE, 10GE, 40GE, 100GE

Fully programmable multi-core network processor; support for Netflow, AVC and ETA

Catalyst 9800-80 Front Panel

EXTERNAL INTERFACES

• RJ-45 Console Port
• Mini USB Console Port
• 2 External USB Ports
• RJ-45 Management Port (SP)
• RJ-45 Ethernet Redundancy Port (RP)
• SFP Gigabit Ethernet Port
• Built-in 6x10GE/2x1GE or 10GE

LEDs

• Power Status LED
• Alarm LED
• High Availability LED
• USB Console LED
• 10/100/1000 RJ45 Link LED
• 10/100/1000 RJ45 Activity LED
• SSD Activity LED
• System Status LED

Also on the panel: Power Supply (PEM 0), Power Supply (PEM 1), Power Switch. [Figure: C9800-80 chassis shown next to the 8540]

Industry’s First Controller with Modular 100G Uplink

C9800 Modules Support

• C9800-2X40GE
• C9800-1X100GE
• C9800-1X40GE
• C9800-18X1GE: eighteen 1GE ports that support small form-factor pluggable (SFP) optical transceivers to provide network connectivity. Ports are numbered 0 – 17.
• C9800-10X10GE: ten 10GE ports that support small form-factor pluggable (SFP+) optical transceivers to provide network connectivity. Ports are numbered 0 – 9.

Evolution of Wireless Controllers: Enterprise Campus and Full-Service Branch

THEN: 8540
• 6000 APs, 64000 clients
• 40 Gbps throughput
• 6000 AP Groups
• 2000 FlexConnect Groups, 100 Flex APs/FCG
• 4096 VLANs, 512 Interface Groups
• 64000 PMK cache
• 512 WLANs
• 24000 Rogue APs, 32000 Rogue Clients
• 50000 RFIDs
• 6000 APs/RRM Group
• 320000 AVC Flows

NOW: Catalyst 9800-80
• 6000 APs, 64000 clients
• 80 Gbps throughput
• 6000 Policy Tags
• 6000 Site Tags, 100 Flex APs/Site
• 4096 VLANs, 4096 Interface Groups
• 128000 PMK cache
• 4096 WLANs
• 24000 Rogue APs, 32000 Rogue Clients
• 64000 RFIDs
• 12000 APs/RRM Group
• 800000 AVC Flows

C9800-40: industry’s first fixed wireless controller, orderable now with seamless software updates

Up to 2,000 APs, up to 32,000 clients, 40 Gbps

• 4 x 1GE/10GE ports
• Console
• USB 3.0
• SP/RP port
• Fibre RP port

Fully programmable multi-core network processor; support for Netflow, AVC and ETA

Catalyst 9800-40 Front Panel

EXTERNAL INTERFACES

• RJ-45 Console Port
• Mini USB Console Port
• 2 External USB Ports
• RJ-45 Ethernet Management Port (SP)
• RJ-45 Ethernet Redundancy Port (RP)
• SFP Gigabit Ethernet Port
• 4 x 10GE/1GE SFP and SFP+ ports

LEDs

• Power Status LED
• Alarm LED
• High Availability LED
• USB Console LED
• 10/100/1000 RJ45 Link LED
• 10/100/1000 RJ45 Activity LED
• SSD Activity LED
• System Status LED

Dimensions: 17.3” (439 mm) wide, 1.75” (44.4 mm) tall (1RU), and 18.3” (464 mm) deep*

[Figure: C9800-40-K9 shown next to the AIR-CT-5508-K9]

Evolution of Wireless Controllers: Enterprise Campus and Full-Service Branch

THEN: 5520
• 1500 APs, 20000 clients
• 20 Gbps throughput
• 1500 AP Groups
• 1500 FlexConnect Groups, 100 Flex APs/FCG
• 4096 VLANs, 512 Interface Groups
• 40000 PMK cache
• 512 WLANs
• 24000 Rogue APs, 32000 Rogue Clients
• 25000 RFIDs
• 3000 APs/RRM Group
• 320000 AVC Flows

NOW: Catalyst 9800-40
• 2000 APs, 24000 clients
• 40 Gbps throughput
• 2000 Policy Tags
• 2000 Site Tags, 100 Flex APs/Site
• 4096 VLANs, 100 VLAN Groups
• 48000 PMK cache
• 4096 WLANs
• 8000 Rogue APs, 12000 Rogue Clients
• 24000 RFIDs
• 4000 APs/RRM Group
• 300000 AVC Flows

Catalyst 9800 for Private and Public Cloud, orderable now

Catalyst 9800 for Private Cloud
• Scale to 6,000 APs and 64,000 clients^
• Centralised, FlexConnect, Fabric
• Open and Programmable

Catalyst 9800 for Public Cloud
• Scale to 1,000 APs and 10,000 clients
• FlexConnect Local Switching
• Open and Programmable

^ Centralised support for 6000 APs in future


Cisco Unified Wireless Principles

[Figure: Cisco Prime or Cisco DNA Center managing Wireless LAN Controllers and MSE/CMX over the Campus Network, with Aironet Access Points at the edge]

Centralised Wireless LAN Architecture: What is CAPWAP?

• CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller; it is based on LWAPP and runs over IPv4 or IPv6

• CAPWAP carries control and data traffic between the two

• Control plane is DTLS encrypted

• Data plane is DTLS encrypted (optional)

• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless

• CAPWAP is not supported in Layer 2 mode deployments

CAPWAP State Machine

AP boots up → Discovery → DTLS Setup → Join → Image Data → Config → Run; a Reset leads back to Discovery

Mobility Defined

• Mobility is a key reason for wireless networks

• Mobility means the end-user device is capable of moving location in the networked environment

• Roaming occurs when a wireless client moves its association from one AP and re-associates to another, typically because it’s mobile!

• Mobility presents new challenges:
  • Need to scale the architecture to support client roaming; roaming can occur intra-controller and inter-controller
  • Need to support client roaming that is seamless (fast) and preserves security

Scaling the Architecture with Mobility Groups

• A Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries

• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process

• Support for up to 24 controllers, 24000 APs per mobility group

• Mobility messages are exchanged between controllers

• Data is tunneled between controllers in EtherIP (RFC 3378)

Example from the slide: three controllers sharing Mobility Group Name MyMobilityGroup
• Controller-A, MAC AA:AA:AA:AA:AA:01; Mobility Group Neighbours: Controller-B (AA:AA:AA:AA:AA:02), Controller-C (AA:AA:AA:AA:AA:03)
• Controller-B, MAC AA:AA:AA:AA:AA:02; Mobility Group Neighbours: Controller-A (AA:AA:AA:AA:AA:01), Controller-C (AA:AA:AA:AA:AA:03)
• Controller-C, MAC AA:AA:AA:AA:AA:03; Mobility Group Neighbours: Controller-A (AA:AA:AA:AA:AA:01), Controller-B (AA:AA:AA:AA:AA:02)

Scaling the Architecture with Mobility Groups

• With Inter Release Controller Mobility (IRCM), roaming is supported between 8.8, 8.5 and 8.3

• One WLC network: 24 WLCs in a Mobility Group

• 72 WLCs in a Mobility Domain

[Figure: a Mobility Domain containing a Mobility Group on 8.8, a Mobility Group on 8.5 and a Mobility Group on 8.3]

Integrating with existing AireOS Deployments

Inter Release Controller Mobility (IRCM) for AireOS and Catalyst 9800

• Secure Mobility (CAPWAP): seamless roaming between Catalyst 9800 and AireOS 8.8 MR1 WLCs (3504/5520/8540)

[Figure: Catalyst 9800 deployment and AireOS 8.8 MR1 WLC deployment linked by Secure Mobility (CAPWAP): seamless roaming, L3 only]

IRCM: AireOS and Cisco Catalyst 9800 – Enabling seamless roaming across the Campus

• Catalyst 9800 deployment ↔ AireOS WLC 8.8 MR1: Secure Mobility (CAPWAP), seamless roaming, L3 only

• AireOS WLC 8.8 MR1 ↔ AireOS WLC deployment: EoIP-based Mobility, seamless roaming, L2 and L3

• Upgrade only the AireOS controller in the roaming path

Guest: AireOS and Cisco Catalyst 9800

• Catalyst 9800 deployment (Foreign) → AireOS Guest Anchor (8.8 MR1): Secure Mobility (CAPWAP)

• AireOS WLC deployment (Foreign) → AireOS Guest Anchor: EoIP-based Mobility

• Upgrade the AireOS Guest Anchor to 8.8 MR1 (on 3504/5520/8540) and manage both Catalyst 9800 and AireOS Foreign controllers

Cisco DNA Center Assurance Overview

What is Cisco DNA Center Assurance? The guarantee that the infrastructure is doing what you intended it to do.

• Proactive insights and visibility: 360° visibility, context, historical insights, analytics, user location → best in class user experience
• Troubleshooting: anomaly based Intelligent/iOS Captures, sensor tests, on-demand analytics → minimise downtime, user productivity
• Corrective actions: guided remediation, automated updates, system optimisation → IT productivity

Cisco DNA Center Assurance: From Network Data to Business Insights

Network Telemetry → Complex Event Processing → Correlated Insights → Contextual Data → Guided Remediation

• Network telemetry sources (everything as a sensor): Traceroute, Syslog, Netflow, AAA, DHCP, Wireless CLI, DNS, OID, IPSLA, Ping, MIB, SNMP, IPAM, AppD, CMX, Network, Application
• Complex event processing: complex correlation, clients baseline, metadata extraction, stream processing
• Over 150+ actionable insights across Client | Applications | Wireless | Switching | Routing

Streaming Telemetry

Export enriched, consistent and concise data with context from network devices for a better user and operator experience

• Periodic or on-change
• Structured data
• Scalable
• Reduced CPU load

Components of Cisco DNA Center Assurance: Streaming Telemetry

Ability to collect many KPIs from devices as close as possible to real time; with Streaming Telemetry we will support this collection.

Subscription (NETCONF, RESTCONF, gNMI)
• Periodic or on-change
• Priority subscriptions
• Customised to recipient
• Increased scale
• Reduced CPU and bandwidth consumption

Publication
• Structured data
• XML or JSON encoding
• NETCONF or HTTP/2 transport

YANG Data Model: open and native configuration and operational models exposed over programmable interfaces; device features (Interface, BGP, QoS, ACL, …) on the physical and virtual network infrastructure, alongside SNMP

Cisco DNA Center can manage all wireless deployment modes for Automation and Assurance

Cisco DNA Center: Policy, Automation, Analytics

• SDA-Wireless: policy segmentation and consistent wired-wireless management
• Centralised: ease of deployment and management for large campuses
• FlexConnect: eliminate the need for a controller at every site for a distributed deployment
• Mobility Express: simplified controller-less deployment for distributed deployments and small sites. Configure and set up from a web browser or the Cisco wireless app: use the setup wizard to enable multiple APs simultaneously

Key Innovations with 1.2.10 using the 8.8/16.10 release: Wireless innovations built ground-up for Assurance

Real-time and actionable insights
• Real-time client RF stats, location and onboarding states
• Roaming insights for Fastlane with iOS vs non-iOS client analysis
• Client onboarding Top N analytics with Sankey charts

1800s Sensor to validate end-user experience
• Validate RF experience of a client while onboarding to a network
• Speed tests to validate cloud app performance and connectivity
• IP SLA tests for real-time AppX assessment for VOIP apps

Intelligent Capture (FCS) for proactive troubleshooting
• Live and in-service capture of onboarding failures with PCAPs
• Spectrum Analyser for analysing interference sources
• On-demand AP stats for Wi-Fi troubleshooting

IOS-XE based Catalyst 9800 series wireless controllers will be supported on 1.2.10

Key Use Cases that are solved – Use Case 1: Client is failing to on-board to a network (Client Onboarding)

1. Actionable Dashboards: onboarding Sankey charts for better analysis

2. Real-time Correlation: correlate onboarding events with poor RF and client location for RCA

3. Intelligent Capture: onboarding failures with in-service PCAPs

Use Case 2: Client is having a poor wireless experience (Client and Network Experience)

1. Health Dashboard: near-real-time client tracking (<60 sec) and Top N AP analytics

2. Client 360: historical time travel with client RF correlated with the onboarding events

3. Intelligent Capture: on-demand AP stats for Wi-Fi troubleshooting

Use Case 3: Client is having a poor App experience (Application Experience)

1. Health Dashboard: overall health of business-relevant apps and Top N App analytics

2. App 360: time travel with qualitative and quantitative assessment for network and S4B server

3. Sensor simulated SLA: cloud apps speed and AppX performance simulation using 1800s sensors

Agenda

• Intent Based Architecture

• Architecture Building Blocks

• Mobility in the Cisco Unified WLAN Architecture

• Cisco Mobility Express

• Deploying the Cisco Unified Wireless Architecture

• Bringing All Together – Best Practices

Mobility Express WLAN Deployment: Branch solution for small, medium or distributed enterprise with multiple management options

Management options: Mobile App or WebUI; Cisco DNA Center (Policy, Automation, Assurance); Security (ISE); CMX

• Single Office: Mobility Express
• Distributed Office: Mobility Express in Branch
• Distributed Enterprise: Controller based in campus, Mobility Express in Branch

Cisco Mobility Express: Branch Solution for Appliance-less WLC-Based Networks for up to 100 APs

Ease of Deployment and Resiliency
• Manage up to 100 APs, 2000 clients without additional licensing costs
• Best practices on by default and built-in redundancy for resilient operations
• Localised with Chinese, Japanese and Korean
• Management simplicity with mobile app and WebUI

AVC and CMX
• Understand what is running on your network
• Bidirectional rate limit per WLAN/SSID/Client
• CMX Location and Presence Analytics
• CMX Engage/Cloud integration for personalised and relevant guest experience

RF Excellence and Apple Innovations
• Flexible Radio Assignment and Dual 5 GHz for best Wi-Fi experience
• Best in class RF with HDX – ClientLink, CleanAir and Spectrum Intelligence
• Apple Fast Lane with optimised Wi-Fi connectivity and prioritised business applications

Guest and Security
• Multiple guest onboarding options with built-in lobby ambassador
• Rogue detection and classification
• ISE/Radius, Walled Garden support and BYOD integration
• 802.1x support on AP with EAP-TLS and EAP-PEAP

Cisco DNA Center and Multi-site Scale Deployment
• Day0 PnP with config and image download
• Cisco DNA Automation and Assurance EFT available with DNAC 1.2
• Cisco DNA Automation and Assurance GA in DNAC 1.3
• Intelligent Capture EFT in DNAC 1.3 and AireOS 8.8

Cisco DNA Ready for Small to Medium Size, Single or Multi-site Deployments

Evolution of Mobility Express Solution

Releases: AireOS 8.7 (Apr 2018), AireOS 8.8 (Aug 2018), AireOS 8.8 MR1 (Oct 2018), AireOS 8.8 MR2 (Nov 2018)

Features added across these releases:
• Authentication caching
• Post-auth DNS ACLs
• Umbrella support
• IPSK
• Support for TLS Gateway
• mDNS Gateway support
• Videostream support (MC2UC)
• Efficient AP join
• S/W update during Day 0 using Network PnP
• Schedule WLAN
• Support for SFTP software download transfer mode
• Option 43 support for ME
• Support for optimal AP join
• FQDN support for SFTP server
• Support for BDRL per client, BSSID and WLAN
• Cisco RFID tag support
• EoGRE support
• Ability to limit clients per WLAN, per radio
• Support for RLANs
• Support for passive clients
• 802.1x supplicant support on AP with EAP-TLS and EAP-PEAP
• Walled Garden, Radius NAC
• DNS ACLs (pre-auth ACL, IPv4 only)
• Central Web Authentication
• BYOD support

Cisco Mobility Express: Indoor Access Point Support

Enterprise Class: 1815, 1830, 1850. Mission Critical: 2800. Best in Class: 3800.

AIR-AP1815W-x-K9C (50 APs, 1000 clients)
• 2x2:2 SS 80 MHz
• 867 Mbps performance
• Tx beam forming
• Spectrum Intelligence
• Integrated BLE gateway
• 3 GE local ports, including 1 PoE out
• Local ports 802.1x ready

AIR-AP1815I/M-x-K9C (50 APs, 1000 clients)
• 2x2:2 SS 80 MHz
• 867 Mbps performance
• Tx beam forming
• Spectrum Intelligence
• Integrated BLE gateway
• 1 GE port uplink
• Max transmit power (dBm) per local regulations

AIR-AP1832I-x-K9C (50 APs, 1000 clients)
• 3x3:2 SS 80 MHz
• 867 Mbps performance
• Tx beam forming
• Spectrum Intelligence
• USB 2.0

1850 (listed on the slide as AIR-AP1815I/M-x-K9C; 50 APs, 1000 clients)
• 4x4:3 SS 80 MHz
• 1.7 Gbps performance
• Tx beam forming
• Spectrum Intelligence
• 2 GE ports uplink
• Internal or external antenna
• USB 2.0

AIR-AP2802I/E-x-K9C (100 APs, 2000 clients)
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink
• CleanAir and ClientLink
• Internal or external antenna
• Smart antenna connector
• USB 2.0

AIR-AP3802I/E-x-K9C (100 APs, 2000 clients)
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 mGig (5G)
• CleanAir and ClientLink
• Internal or external antenna
• Smart antenna connector
• USB 2.0
• Investment-proof modularity

802.11ac Wave 2, MU-MIMO | Cisco DNA Ready | RF Excellence | CMX


Best Practices For High Performance Mobile Infrastructure

1. RF Planning: engineer the WLAN for data, voice, video, location, and client density
   • 802.11ac: -65 to -67 RSSI
   • 10 – 20% cell overlap
   • 1 AP / 2500 sq ft

2. RF Optimisation: optimise Gigabit Wi-Fi as primary connectivity, Gig Ethernet as fallback
   • Cisco CleanAir
   • ClientLink
   • RRM

3. High Availability: replicate the high availability of the LAN on the WLAN
   • LAN SSO – Edge, Core, Disti
   • WLAN SSO – Client, AP, Controller

4. Application Visibility and Control: prioritise mission critical business applications over personal applications
   • Cisco AVC – identify, prioritise, control apps across LAN, WLAN

Deploying the Cisco Unified Wireless Architecture

• High Availability (AP and Client SSO)
• RF Optimisation – AP Groups / RF Groups / HDX
• Security and Policies
• Local Profiling and Policy Classification
• Application Visibility Control
• Umbrella (OpenDNS)
• TrustSec
• Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs

Centralised Mode HA

Client SSO
• Requirements: minimum release 8.0; WLC 5508, WiSM2, 7500, 8510; L2 connection; same HW and software; HA-SKU available; 1:1 box redundancy
• Benefits: active client state is synched; AP state is synched; no application downtime

AP SSO
• Requirements: minimum release 8.0; WLC 5508, WiSM2, 7500, 8510; direct physical connection; same HW and SW; HA-SKU available (> 7.4); 1:1 box redundancy
• Benefits: AP state is synched; no SSID downtime (SSID stateful switchover)

N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary)
• Requirements: available on all controllers; each controller has to be configured separately; flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)
• Benefits: network uptime; crosses L3 boundaries

Controller Redundancy

• Redundant WLC in a geographically separate location (NOC or Data Centre)

• Layer-3 connectivity between the AP connected to the primary WLC and the redundant WLC

• The redundant WLC need not be part of the same mobility group

• Configure high availability (HA) to detect failure and for faster failover

• Use AP priority in case of over-subscription of the redundant WLC

[Figure: WLAN-Controller-1, WLAN-Controller-2 … WLAN-Controller-n, each with APs configured with Primary: WLAN-Controller-1/2/n and Secondary: WLAN-Controller-BKP, where WLAN-Controller-BKP sits in the NOC or Data Centre]

Controller Redundancy – High Availability

• High Availability principles:
  • AP is registered with a WLC and maintains a backup list of WLCs.
  • AP uses heartbeats to validate WLC connectivity.
  • AP uses Primary Discovery messages to validate the backup WLC list.
  • When the AP loses 3 heartbeats it starts the join process to the first backup WLC candidate.
  • Candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
  • AP does not re-initiate the discovery process.

New Timers:
• Heartbeat Timeout: 1-30 secs
• Fast Heartbeat Timer: 1-10 secs
• AP Retransmit Interval: 2-5 secs
• AP Retransmit with FH Enabled: 3-8 times
• AP Fallback to next WLC: 12 secs
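The two slides above describe the AP side of N+1 redundancy in words: a WLC is declared lost after three consecutive missed heartbeats, the AP then walks its backup list in a fixed order, and AP failover priority decides who gets in when the backup controller is oversubscribed. The following Python is an added example that models exactly that logic so the ordering and the admission rule can be checked against concrete data; it is not Cisco AP or WLC code, and the controller names, priority scale (1 to 4, higher wins) and free-slot counts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the AP-side behaviour on the Controller Redundancy and
# High Availability slides: consecutive heartbeat loss, the ordered backup-WLC
# list, and AP failover priority on an oversubscribed backup controller.
# It is not WLC or AP code; names, priorities and slot counts are made up.

MISSED_HEARTBEATS_TO_FAIL = 3  # slide: join process starts after 3 lost heartbeats


@dataclass
class AccessPoint:
    name: str
    priority: int                 # AP failover priority, higher wins (assumed 1-4 scale)
    primary: str                  # assumed to be the WLC the AP is currently registered with
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    missed_heartbeats: int = 0

    def record_heartbeat(self, answered: bool) -> bool:
        """Count consecutive unanswered heartbeats; True once the WLC is declared lost."""
        self.missed_heartbeats = 0 if answered else self.missed_heartbeats + 1
        return self.missed_heartbeats >= MISSED_HEARTBEATS_TO_FAIL


def backup_candidates(ap: AccessPoint, global_primary: Optional[str] = None,
                      global_secondary: Optional[str] = None) -> List[str]:
    """Backup list in the slide's order: primary, secondary, tertiary,
    global primary, global secondary; unset and duplicate entries dropped."""
    out: List[str] = []
    for wlc in (ap.primary, ap.secondary, ap.tertiary, global_primary, global_secondary):
        if wlc and wlc not in out:
            out.append(wlc)
    return out


def select_backup_wlc(ap: AccessPoint, alive: Set[str], global_primary: Optional[str] = None,
                      global_secondary: Optional[str] = None) -> Optional[str]:
    """First alive controller in the candidate list, or None when none is reachable."""
    for wlc in backup_candidates(ap, global_primary, global_secondary):
        if wlc in alive:
            return wlc
    return None


def fail_over(aps: List[AccessPoint], failed_wlc: str, alive: Set[str],
              free_slots: Dict[str, int], global_primary: Optional[str] = None,
              global_secondary: Optional[str] = None) -> Tuple[Dict[str, str], List[str]]:
    """Re-home every AP registered with failed_wlc. When a backup WLC has fewer
    free AP slots than candidates, admit APs in descending priority order."""
    reachable = alive - {failed_wlc}
    wanting: Dict[Optional[str], List[AccessPoint]] = {}
    for ap in aps:
        if ap.primary != failed_wlc:
            continue
        target = select_backup_wlc(ap, reachable, global_primary, global_secondary)
        wanting.setdefault(target, []).append(ap)

    placed: Dict[str, str] = {}
    rejected: List[str] = []
    for wlc, group in wanting.items():
        group.sort(key=lambda a: (-a.priority, a.name))
        slots = free_slots.get(wlc, 0) if wlc is not None else 0
        for ap in group:
            if wlc is not None and slots > 0:
                placed[ap.name] = wlc
                slots -= 1
            else:
                rejected.append(ap.name)
    return placed, rejected


if __name__ == "__main__":
    fleet = [AccessPoint("ap1", 4, "WLC-1", "WLC-BKP"),
             AccessPoint("ap2", 1, "WLC-1", "WLC-BKP"),
             AccessPoint("ap3", 2, "WLC-1", "WLC-BKP", "WLC-2")]
    print(fail_over(fleet, "WLC-1", {"WLC-2", "WLC-BKP"}, {"WLC-BKP": 2}))
```

The rejected list is the set of APs that would stay down until the primary returns, which is the case the "use AP priority" recommendation exists for: size the backup controller for the critical APs, and give those APs the higher priority.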

Stateful Switchover (SSO)

• True box-to-box High Availability, i.e. 1:1
• One WLC in Active state and the second WLC in Hot Standby state
• Secondary continuously monitors the health of the Active WLC via a dedicated link
• Configuration on Active is synched to the Standby WLC
  • This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
  • AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
  • Active client state in 8.0: clients will not disconnect – Client SSO
• Downtime during failover reduced to 5 - 1000 msec depending on the failover
  • In the case of power failure on the Active WLC it may take 350-500 msec
  • In case of network failover it can take up to a few seconds
• SSO is supported on 3504 / 5500 / 8500 / WiSM-2

SSO Failover Sequence

1. Redundancy link established over the dedicated Redundancy Port
2. Redundancy role negotiation (ACTIVE / STANDBY)
3. Sync peer: AP and client information
4. Keep-alive and failure notify
5. Switchover: STANDBY becomes ACTIVE

• AP SSO: AP session intact, the AP does not re-establish CAPWAP (no AP join)
• Client SSO: client session intact, the client does not re-associate
• Effective downtime for the client is Detection time + Switchover time

Pairing 5520/8540 for SSO

• Back-to-back as well as L2 RP connectivity (diagram: one pair with a direct RP cable, one pair with the RP link through L2)

Pairing 3504 for SSO

3504 rear panel: SP Port, RJ45 Serial Console, USB 2.0 Mini-B Serial Console, Reset, USB 3.0, mGIG, 4x 1GE (Port 3 and 4 provide 802.3at power), Status LEDs, RP Port for HA SSO

High Availability (Client SSO) with Catalyst 9800 Platforms

A direct physical connection between Active and Standby Redundant Ports, or Layer 2 connectivity, is required to provide stateful redundancy within or across data centres.

• C9800-40-K9: Active Wireless Controller and Hot-Standby Wireless Controller, Redundancy Port connectivity via L2 (Gigabit SFP RP port on each)
• C9800-80-K9: Active Wireless Controller and Hot-Standby Wireless Controller, Redundancy Port connectivity via L2
• Sub-second failover and zero SSID outage
• The only supported SFPs on the Gigabit RP port are GLC-SX-MMD and GLC-LH-SMD

High Availability (Client SSO) with Catalyst 9800 Virtual Platforms (C9800-CL-K9 on ESXi)

Diagram: left, vWLC1-Active and vWLC1-Standby on two ESXi hosts; right, two pairs spread across two hosts (vWLC1-Active with vWLC2-Standby on one host, vWLC2-Active with vWLC1-Standby on the other). Each vWLC has its HA interface on a vswitch, and the Redundancy Port connectivity between hosts is via L2 through the switch.

Connecting 5520/8540 SSO Pair to Wired Network – Recommended Network Design

Diagram: Active WLC and Standby WLC (a 5520 pair and an 8540 pair) each connect with L2 trunk port-channels Po 1 and Po 2 to a Catalyst VSS pair; same configuration on both Po1 and Po2.

Spread the links in each port-channel among the two physical switches to prevent a WLC switchover upon a failure of one of the VSS switches.

High Availability – Design and Deployment

• Connecting WLC3504 HA pair to the wired network
  • Single switch or stack: WLC3504 Active and WLC3504 Standby each connect with an L2 trunk port-channel (Po 1, Po 2); same configuration on both Po1 and Po2
  • Catalyst VSS pair: WLC3504 Active and WLC3504 Standby each connect with an L2 trunk port-channel (Po 1, Po 2); same configuration on both Po1 and Po2

Web-GUI Configuration

SSO Behavior and Recommendations

• RTT latency on Redundancy Link: 80 milliseconds or less (80% of keep-alive timer).
• Preferred MTU on Redundancy Link: 1500 or above.
• Bandwidth on Redundancy Link: 60 Mbps or more.
• WLC 55XX / 85XX: RP connectivity between Active and Standby
  • Via switches
  • Back-to-back
• WiSM-2: single 6500 chassis OR different chassis using a VSS setup / extending the redundancy VLAN.
• Recommended to have Redundancy Link and RMI connectivity between WLCs on different switches or on different L2 networks
• Keep-alive / Peer Discovery timers should be left at their default values for better performance
• Default box failover detection time is 3 * 100 = 300 + 60 = 360 + jitter (12 msec) = ~400 msec

Deploying the Cisco Unified Wireless Architecture

• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Security and Policies
  • Local Profiling and Policy Classification
  • Application Visibility Control
  • Umbrella (OpenDNS)
  • TrustSec
  • Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs

AP-Groups - Default AP-Group

• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
• Default AP-Group cannot be modified
• APs with no assignment to a specific AP-Group will use the Default AP-Group
• The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups

AP-Grouping in Campus

Diagram (without AP-Groups): campus with Access, Distribution (Si) and Core layers, a single Data Centre with WLC-1 and WLC-2, WAN and Internet; CAPWAP from the APs to the WLCs; SSID = Employee maps to VLAN 100 (/21) at every access block.

AP-Grouping in Campus (with AP-Groups)

Diagram: same campus; AP-Group-1, AP-Group-2 and AP-Group-3 map SSID = Employee to VLAN 60 /23, VLAN 70 /23 and VLAN 80 /23 respectively, alongside VLAN 100 /21.

Default AP-Group

Screenshot: WLANs tab of the Default AP Group (Network Name column). Only WLANs 1–16 will be added to the Default AP Group.

Multiple AP-Groups

Screenshot: AP Group 1, AP Group 2 and AP Group 3 configured on the controller.

HD Config Tip: RF Profiles for Fine-Tuning

• RF Profiles work in conjunction with AP Groups
• You can create separate RF profiles for both 2.4 and 5 GHz
• 1 profile for each band (802.11a / 802.11b) can be assigned to an AP group
• Today:
  • 802.11 data rates
  • TPC Power Threshold and Min/Max Power settings
  • DCA
  • Coverage hole algorithm settings
  • High Density – HDX configurations: RX_SOP, Client Limit, Mcast data rate
  • Client Distribution
• More granular control of the RF network

RF Profiles: Granular Control

Screenshots: TPC, DCA, Coverage Hole; Data Rates; Load Balancing; High Density.

Network Profiles GUI

Sets pre-defined RF parameters depending on "Client" Density and Traffic Type
• Client Density: High, Typical, Low
• Traffic Type: Data, Data and Voice

Pre-built RF Profiles

• Client Density specific pre-built RF profiles for the 2.4 GHz and 5 GHz bands – to be used with AP Groups
• Use pre-built RF profiles to create your customised profile in 8.3 and above

RF-Profile in Campus

Diagram: same campus as the AP-Grouping slides; RF-Profile-1, RF-Profile-2 and RF-Profile-3 are applied per AP group, each access block on its own VLAN pair (VLAN 60 /23 and 61 /23, VLAN 70 /23 and 71 /23, VLAN 80 /23 and 81 /23); SSID = Employee; WLC-1 and WLC-2 in the single Data Centre.

Flexible Radio Assignment

• Default operating mode: 5 GHz serving and 2.4 GHz serving
  • Serve clients on both 2.4 GHz and 5 GHz
• Dual 5 GHz support: both radios serving clients on 5 GHz
  • Maximum over-the-air data rate up to 5.2 Gbps

Radio Role Assignment – Auto/Manual

• Selecting a 2800/3800/4800 802.11-abgn interface – config
• Auto (default) makes the radio available to FRA
• Manual takes the radio out of Global FRA

Cisco Dynamic Bandwidth Selection (DBS) 8.1

• Automatic optimisation for 20-40-80 MHz RF channel widths
• DBS applies an additional layer of channel and width recommendations on top of those applied in Core DCA
• Useful for mixed 11n-11ac AP networks and Wave-2 (160 MHz)
• Inputs to DBS: Neighbour Channels, Channel Overlap Ratio, Wi-Fi Interference, Client Protocol (11n/11ac), Non Wi-Fi Noise and Traffic, Channel Utilisation
• DBS: Auto, configured globally

Deploying the Cisco Unified Wireless Architecture

• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Security and Policies
  • Local Profiling and Policy Classification
  • Application Visibility Control
  • Umbrella (OpenDNS)
  • TrustSec
  • Identity PSK
• IPv6 Deployment with Controllers
• Branch Office Designs

Local Profiling and Policy Classification

• ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
• For customers not deploying ISE but requiring a subset of ISE features:
  • Native profiling of end devices based on MAC OUI, HTTP, DHCP
  • Device-based policy enforcement: per-user or per-device policy

Policy Classification

Diagram: classification inputs are Identity (Username, e.g. John; User Role: Teacher, Student, Admin) and Device Type (from MAC OUI); the resulting policy sets VLAN, ACL, QoS, Session timeout and Time of Day.

Configuring Client Profiles

• Client profiling uses pre-existing profiles in the controller
• Custom profiles are not supported in this release
• Wireless clients are profiled based on the MAC OUI, DHCP, HTTP user agent
• DHCP is required for DHCP profiling, Webauth for HTTP user agent
• 8.7 release contains 234 pre-existing profiles:

(Cisco Controller) >show profiling policy summary
Number of Builtin Classification Profiles: 234
ID   Name                               Parent  Min CM  Valid
===============================================================
0    2Wire-Device                       None    5       Yes
1    3Com-Device                        None    5       Yes
2    Aastra-Device                      None    5       Yes
3    Aastra-IP-Phone                    2       10      Yes
4    Aerohive-Device                    None    10      Yes
5    Aerohive-Access-Point              4       20      Yes
6    American-Power-Conversion-Device   None    10      Yes
7    Android                            None    30      Yes
8    Android-Amazon                     7       40      Yes
9    Android-Amazon-Kindle              7       40      Yes
…/…

Local Client Profiling Configuration

• At the WLAN level, enable Local Client Profiling (DHCP and HTTP)
• "DHCP required" is checked automatically when selecting DHCP profiling

config wlan profiling {local | radius} {dhcp | http | all} {enable | disable} <wlan-id>
(Cisco Controller) >config wlan profiling local all enable 1
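The profile table on the previous slide has two columns that matter for how profiling behaves: Parent (profiles form a tree, Aastra-IP-Phone under Aastra-Device, the Android family under Android) and Min CM, the minimum certainty a profile must accumulate from MAC OUI, DHCP and HTTP user-agent evidence before a client is classified as it. The Python below is an added example, not WLC code, that puts those two columns to work: it takes the profile names, parents and Min CM values from the show output above, adds a handful of constructed matching rules (the OUI prefixes and DHCP vendor-class string are made up), and returns the most specific profile whose certainty reaches its threshold, falling back to the parent when only the weaker evidence is present.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed illustration of local client profiling, not WLC code: a profile
# tree with a minimum certainty metric (Min CM) per profile, fed by MAC OUI,
# DHCP and HTTP user-agent evidence. Profile names, parents and Min CM values
# come from the 'show profiling policy summary' output on the slide; the
# matching rules, OUIs and vendor-class strings below are made up.


@dataclass(frozen=True)
class Profile:
    pid: int
    name: str
    parent: Optional[int]
    min_cm: int


PROFILES: Dict[int, Profile] = {p.pid: p for p in (
    Profile(0, "2Wire-Device", None, 5),
    Profile(2, "Aastra-Device", None, 5),
    Profile(3, "Aastra-IP-Phone", 2, 10),
    Profile(7, "Android", None, 30),
    Profile(8, "Android-Amazon", 7, 40),
    Profile(9, "Android-Amazon-Kindle", 7, 40),
)}

# (evidence source, pattern, profile id, certainty contributed) -- all constructed
RULES: List[Tuple[str, str, int, int]] = [
    ("mac", "AA:BB:CC", 2, 5),         # made-up OUI prefix -> Aastra-Device
    ("dhcp", "AastraIPPhone", 3, 10),  # made-up DHCP vendor class -> Aastra-IP-Phone
    ("http", "Android", 7, 30),        # user agent names Android
    ("http", "Kindle", 9, 40),         # user agent names a Kindle
    ("mac", "DD:EE:FF", 0, 5),         # made-up OUI prefix -> 2Wire-Device
]


def ancestors(pid: int) -> List[int]:
    """The profile followed by its parents up to the root."""
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None:
        chain.append(cur)
        cur = PROFILES[cur].parent
    return chain


def certainty(evidence: Dict[str, str]) -> Dict[int, int]:
    """Sum certainty per profile; evidence for a child also supports its parents."""
    score: Dict[int, int] = {}
    for source, pattern, pid, cf in RULES:
        value = evidence.get(source, "")
        if source == "mac":
            matched = value.upper().startswith(pattern)   # OUI = first three octets
        else:
            matched = pattern in value
        if matched:
            for anc in ancestors(pid):
                score[anc] = score.get(anc, 0) + cf
    return score


def classify(evidence: Dict[str, str]) -> Optional[str]:
    """Most specific profile whose certainty reaches its Min CM; None if no match."""
    score = certainty(evidence)
    eligible = [pid for pid, s in score.items() if s >= PROFILES[pid].min_cm]
    if not eligible:
        return None
    best = min(eligible, key=lambda pid: (-len(ancestors(pid)), pid))  # deepest wins
    return PROFILES[best].name


if __name__ == "__main__":
    print(classify({"mac": "aa:bb:cc:11:22:33"}))                      # parent only
    print(classify({"mac": "aa:bb:cc:11:22:33", "dhcp": "AastraIPPhone57i"}))
```

Two points the slide's bullets imply but do not spell out fall out of the model: a device that is profiled from MAC OUI alone only ever reaches the vendor-level parent, and the HTTP user-agent rule cannot fire until the client has passed web authentication, so a WLAN without webauth classifies on OUI and DHCP only.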

Client Profiles Details

Application Visibility and Control – Why Do You Need AVC?

• Visibility: threats (worms and Trojans) move laterally (east-west); a central application sensor will not see this at all
• Detection: the path to the server may be different than the return path, so a single point may not be able to determine the application
• Troubleshooting: essential to have visibility at multiple points to break down the problem and get to resolution faster
• Control: latency metrics such as response time, transaction time, network and application delay are needed to control the apps

Enabling Application Visibility and Control

AVC is enabled per WLAN to allow Deep Packet Inspection:
1. Change the QoS level to reflect the highest application level for that SSID
2. Enable Application Visibility
3. Ensure WMM is set to "Allowed" or "Required"

How Does AVC Classify Applications: Cisco Jabber

• Deep Packet Inspection
• Three classification flows for Cisco Jabber: Cisco Jabber Audio, Cisco Jabber Video, Cisco Jabber Control
• Different policies for different components of a Jabber session

How Does AVC Classify Applications: MS Lync

• Deep Packet Inspection
• Three classification flows for Microsoft Lync: MS-Lync Media (Audio and Video Flows), MS-Lync-Video, MS-Lync File Transfer (Desktop Sharing, Chat)
• Different policies for different components of a Lync session

Policy Tie-in with AVC: User-aware and Device-aware

• WLC v7.4 and later: application-based policies per WLAN
• WLC v8.0: user-role aware and device-aware
  • Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
  • Alice can access EHS records on an (IT provisioned) Windows laptop but cannot on a personal (unsecure) iPad

AVC Profile Per User / Device

Diagram: SSID: Classroom, Security: WPA2/802.1x. AAA returns Cisco-av-pair=avc-profile-name= and Cisco-av-pair=role= to the WLC; a Teacher and a Student on the same SSID land in the Teacher Network and the Student Network respectively, with different AVC treatment of YouTube, Facebook, Skype and BitTorrent.

Cisco Umbrella WLC Integration 8.5 – Cisco Umbrella: Offering Domain Level Visibility

• Cloud delivered network security service
• Malware and breach protection in real time
• Uses evolving Big Data and data mining methods to proactively predict attacks
• Category based filtering (60+ content categories)

Diagram: the Cisco Umbrella Cloud provides Internet-wide visibility, DNS-layer security, predictive threat intelligence and protection. Categories: Ransomware, Malware, Malware/Botnet, Phishing. Identity: internal IP, AD user. Coverage, Intelligence, Security, Performance, Reliability (high speed, scalable). Security visibility: application insights, policy compliance.

Cisco Umbrella – WLC Packet Flow

WLC and Cisco Umbrella registration (one time):
• On the Cisco Umbrella account: get the API token for Cisco Umbrella device registration
• On the WLC: apply the token and create a Profile
• Device (Profile) registration uses HTTPS in this phase
• Security enforcement and content filtering in the Umbrella Cloud: compliance, category based filtering, whitelist and blacklist

Wireless client traffic flow:
• Client sends DNS query
• WLC snoops the DNS query and forwards it with EDNS, tagged with the identity (Profile)
• Cisco Umbrella applies the Profile-specific policy
• Sends the DNS response to the WLC
• WLC forwards the response to the client, which then reaches the Web Services on the Internet
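The "snoop DNS, tag it with identity, forward with EDNS" step is the one piece of the flow above that is a protocol mechanism rather than a provisioning step, so it is worth seeing on the wire. The Python below is an added example, not WLC or Umbrella code: it builds a plain client A query, re-emits it with an EDNS0 OPT record (RFC 6891) carrying an identity option, and parses the option back out the way the receiving resolver would. The option code 65001 sits in the local/experimental range and the tag value is a made-up string; Umbrella's actual option format is not reproduced here.

```python
import struct
from typing import Dict

# Constructed example of the DNS snoop-and-tag step on the Umbrella packet flow
# slide: a plain client query is re-emitted with an EDNS0 OPT record carrying an
# identity tag, and the other side parses it back out. The option code and tag
# value are placeholders, not Umbrella's real format, and this is not WLC code.

OPT_RR_TYPE = 41
IDENTITY_OPTION_CODE = 65001   # placeholder: RFC 6891 local/experimental range
UDP_PAYLOAD_SIZE = 1232        # advertised EDNS buffer size (assumed value)


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Minimal recursive A query: one question, no answer/authority/additional records."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)       # RD=1, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def add_edns_identity(query: bytes, identity: bytes,
                      option_code: int = IDENTITY_OPTION_CODE) -> bytes:
    """Append an OPT RR holding the identity option and increment ARCOUNT."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    if ar != 0:
        raise ValueError("query already has additional records; a message may carry only one OPT RR")
    option = struct.pack("!HH", option_code, len(identity)) + identity
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=extended RCODE/flags, RDLEN, RDATA
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, UDP_PAYLOAD_SIZE, 0, len(option)) + option
    header = struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar + 1)
    return header + query[12:] + opt_rr


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, handling a trailing compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_edns_options(msg: bytes) -> Dict[int, bytes]:
    """Return {option code: option data} from the OPT RR, or {} when there is none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    options: Dict[int, bytes] = {}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == OPT_RR_TYPE:
            pos = 0
            while pos + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
                options[code] = rdata[pos + 4:pos + 4 + olen]
                pos += 4 + olen
    return options


if __name__ == "__main__":
    q = build_query("example.com")
    tagged = add_edns_identity(q, b"profile:branch-guest")
    print(len(q), len(tagged), parse_edns_options(tagged))
```

From a monitoring point of view the useful detail is that the tag travels in the additional section, so a capture filter that only decodes the question section will show the tagged and untagged queries as identical; inspecting ARCOUNT, or the OPT record itself, is what distinguishes traffic that the controller actually tagged.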

Identity PSK (8.5)

Identity PSK: multiple PSKs per SSID allows advanced security encryption across all devices
• Lower risk and meet compliance
• Integrated advanced security
• Simple operations
• High scale
• Cost effective
• Increased demand for IoT identity security without 802.1x
• Private PSK with RADIUS integration
• Per-client AAA override (VLAN / ACL etc.)

Cisco Advantage: highly scalable Identity PSK solution designed for a large multi-controller network
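Identity PSK, as the slides here and on the next page describe it, is MAC filtering against RADIUS plus two Cisco-AVPair attributes in the Access-Accept (psk-mode and psk), with the WLAN PSK as the fallback for clients whose reply carries no PSK attributes and AAA override for the VLAN. The Python below is an added example, not WLC or ISE code, of the decision a controller has to make per client from that reply. The RADIUS entries, MAC addresses and PSK strings are constructed (the slide's "aabbcc" and "xxyyzz" are placeholders and too short for a WPA2 passphrase); the assumption that psk-mode defaults to ascii when absent is the example's own, and the length and character checks are the WPA2 passphrase rules (8 to 63 printable ASCII characters, or exactly 64 hex digits for a raw key).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed example, not WLC or ISE code: deriving the per-client PSK from the
# Cisco-AVPair attributes shown on the Identity PSK slides (psk-mode and psk),
# falling back to the WLAN PSK when the reply has no PSK attributes, and treating
# a MAC unknown to RADIUS as an Access-Reject. All table contents are made up.

WLAN_PSK = "employee-wlan-passphrase"   # constructed WLAN-level PSK

# Stand-in for the RADIUS MAC-filtering database: MAC -> attributes returned in
# Access-Accept. A MAC that is absent gets an Access-Reject.
RADIUS_DB: Dict[str, List[str]] = {
    "00:11:22:aa:bb:cc": ["psk-mode=ascii", "psk=iot-devices-private-key",
                          "Tunnel-Private-Group-ID=30"],          # IoT devices group
    "00:11:22:dd:ee:ff": ["psk-mode=hex", "psk=" + "ab" * 32],   # sensors group, raw 256-bit key
    "00:11:22:11:22:33": ["Tunnel-Private-Group-ID=10"],          # employee: no PSK attrs
    "00:11:22:44:55:66": ["psk-mode=ascii", "psk=short"],          # malformed: under 8 chars
}


def parse_avpairs(attrs: List[str]) -> Dict[str, str]:
    """Turn 'name=value' attribute strings into a dict (first '=' splits)."""
    return dict(a.split("=", 1) for a in attrs if "=" in a)


def valid_psk(mode: str, psk: str) -> bool:
    """WPA2 rules: ASCII passphrase of 8-63 printable chars, or a 64-hex-digit key."""
    if mode == "ascii":
        return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)
    if mode == "hex":
        return re.fullmatch(r"[0-9a-fA-F]{64}", psk) is not None
    return False


def resolve_client_psk(mac: str, wlan_psk: str = WLAN_PSK
                       ) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (decision, psk, vlan): decision is 'private', 'wlan' or 'reject'."""
    attrs = RADIUS_DB.get(mac.lower())
    if attrs is None:
        return ("reject", None, None)            # MAC filtering: Access-Reject
    av = parse_avpairs(attrs)
    vlan = av.get("Tunnel-Private-Group-ID")     # AAA override of the client VLAN
    if "psk" in av or "psk-mode" in av:
        mode = av.get("psk-mode", "ascii")       # assumed default when the mode is absent
        psk = av.get("psk", "")
        if not valid_psk(mode, psk):
            return ("reject", None, None)        # fail closed on a malformed attribute
        return ("private", psk, vlan)
    return ("wlan", wlan_psk, vlan)


if __name__ == "__main__":
    for mac in ("00:11:22:AA:BB:CC", "00:11:22:11:22:33", "ff:ff:ff:00:00:00"):
        print(mac, resolve_client_psk(mac))
```

Failing closed on a malformed psk attribute is the defensive choice: silently falling back to the WLAN PSK would hand a device that was supposed to be isolated by its private key the shared passphrase instead.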

Identity PSK (8.5)

Diagram: PSK WLAN with MAC Filtering and AAA Override. IOT devices and Sensors associate to the Access Point; the Wireless LAN Controller sends the MAC-filtering request to ISE, which returns Cisco-AVPair += "psk-mode=ascii" and Cisco-AVPair += "psk=aabbcc" (IOT Devices) or "psk=xxyyzz" (Sensors); Employees get no PSK attributes and use the WLAN PSK.

Device (MAC Group)   Private PSK
IOT Devices          aabbcc
Sensors              xxyyzz
Employees            --- (WLAN PSK)

Summarise – Security and Policies: Enterprise SSID Security and Segmentation

• Category-based filtering based on Umbrella policy
• Role-based access control based on Scalable Group Tags and SGACLs
• VLAN-based segmentation using AAA override: Employee VLAN ID = 10, Contractor VLAN ID = 20
• Micro-segmentation using Cisco TrustSec: Marketing SGT = 4, Sales SGT = 5, Contractors SGT = 6
• Controlled access to Apple devices via mDNS profile

Diagram: Marketing, Sales and Contractor users connect to the Enterprise SSID (802.1x) through the Access Point and WLC; ISE returns the AAA override; the Policy Classification Engine and the Umbrella backend apply the policy below across the Enterprise Backbone to the Servers.

User role    VLAN   Application policy                                  Apple devices (mDNS)        SGT   Policy to Servers
Marketing    10     Mark Webex, Jabber; Block ebay                      Apple TV, Printer, iTunes   4     PERMIT
Sales        10     Mark Webex, Jabber; Block ebay                      Apple TV, Printer, iTunes   5     PERMIT
Contractor   20     Block ebay; Drop Youtube, Facebook; Only CNN, BBC   Printer                     6     DENY

Deploying the Cisco Unified Wireless Architecture

• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Security and Policies
• IPv6 Deployment with Controllers
• Branch Office Designs

IPv6 Overview

Diagram: an IPv6 client (IP: 2001:db8:a:7/64) and an IPv4 client associate over 802.11 to APs addressed 2001:db8:a:0:2329:9834:3231:1111, 2001:db8:a:0:1827:91bf:c41b:9683 and 2001:db8:a:0:8a56:caff:1547:9150 (IPv4 10.10.10.52, 10.10.10.51). CAPWAPv6 tunnels carry the 802.11 IPv4 and IPv6 client traffic over Ethernet through an IPv4/v6 router (2001:db8:a::1/64, 10.10.10.1) to the WLC (Mgmt: 2001:db8:a::2/64, 10.10.10.2), which places it on the VLAN. Servers: RADIUS server; SNMP, Syslog and NTP servers (IP: 2001:db8:a:5/64); tftp/ftp/scp server (IP: 2001:db8:a:6/64).

Management Access (telnet, SSH, HTTP, HTTPS)

Mgmt: 2001:db8:a::2/64, 10.10.10.2

• WLC can be accessed from wired/wireless via its IPv6 Management Interface using:
  • telnet
  • SSH
  • HTTP
  • HTTPS

CAPWAPv6

• AP can get IPv6 addresses from stateful DHCPv6, SLAAC or static assignment
• If statically assigned, the gateway can be the unique global or link-local address of the router
• Either CAPWAPv4 or CAPWAPv6 can be used, but not both
• APs in bridge mode do not support CAPWAPv6

AP Failover

• Management IP address must be reachable
• One entry per WLC
• The AP will join either the IPv4 or the IPv6 address of the WLC (regardless of the management IP listed)
• All other AP failover behavior is the same as in previous versions

Diagram: WLC1, WLC2, WLC3 with APs configured Primary: WLC1 / Secondary: WLC2 / Tertiary: WLC3; Primary: WLC2 / Secondary: WLC3 / Tertiary: WLC1; Primary: WLC3 / Secondary: WLC2 / Tertiary: WLC1.

IPv6 Guest Access

• Virtual IP address is IPv4 only
• Uses an IPv4-mapped address for IPv6 web-authentication clients
• Virtual IP should be the same for all WLCs in the same mobility group
• For example, the IPv6 address will display as [::ffff:192.0.2.1]

Wireless IPv6 Client First Hop Security on WLAN

Diagram: client 802.11 IPv6 traffic enters the AP, crosses the CAPWAP tunnel (IPv6, or IPv4 over Ethernet) to the controller and exits onto the VLAN.
• RA Guard: Router Advertisements from clients are blocked at the AP (Local and FlexConnect)
• Source Guard: undesired IPv6 addresses/prefixes are blocked
• DHCP Server Guard: DHCP Server Advertisements are blocked at the Wireless Controller using an IPv6 ACL
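The slide names three first-hop security checks but not what each one actually looks at in a frame. The Python below is an added example, not AP or WLC code, that applies all three to constructed IPv6 packets arriving from the wireless client side: RA Guard keys on ICMPv6 type 134, DHCP Server Guard on DHCPv6 traffic sourced from the server port 547 or carrying a server-only message type (Advertise, Reply, Reconfigure) towards the client port 546, and Source Guard on whether the source address is one the client is known to hold. The per-client binding table and the packet contents are assumptions made for the example; checksums are not computed.

```python
import ipaddress
import struct
from typing import Optional, Set, Tuple

# Constructed illustration of the three first-hop security checks on the slide
# (RA Guard, Source Guard, DHCP Server Guard) applied to frames arriving from a
# wireless client. Packets are built inline without checksums; this is not AP
# or WLC code, and the per-client address binding table is an assumption.

NH_ICMPV6, NH_UDP = 58, 17
ICMPV6_ROUTER_ADVERTISEMENT = 134
DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT = 547, 546
DHCPV6_SERVER_MSG_TYPES = {2, 7, 10}   # Advertise, Reply, Reconfigure: sent only by servers


def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 255) -> bytes:
    """Fixed 40-byte IPv6 header plus payload (no extension headers)."""
    head = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with the checksum left at zero (not validated here)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def router_advertisement(router_lifetime: int = 1800) -> bytes:
    """ICMPv6 RA: type, code, checksum, cur hop limit, flags, lifetime, reachable, retrans."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)


def inspect_client_frame(pkt: bytes, bound_sources: Set[str]) -> Tuple[str, Optional[str]]:
    """Return ('forward', None) or ('drop', reason) for a frame from the client side."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("drop", "not-ipv6")
    next_header = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    payload = pkt[40:]

    # RA Guard (enforced at the AP): a client never legitimately sends a Router Advertisement
    if next_header == NH_ICMPV6 and payload and payload[0] == ICMPV6_ROUTER_ADVERTISEMENT:
        return ("drop", "ra-guard")

    # DHCP Server Guard (IPv6 ACL at the controller): server-role DHCPv6 traffic from a client
    if next_header == NH_UDP and len(payload) >= 9:
        sport, dport = struct.unpack("!HH", payload[:4])
        is_server_msg = dport == DHCPV6_CLIENT_PORT and payload[8] in DHCPV6_SERVER_MSG_TYPES
        if sport == DHCPV6_SERVER_PORT or is_server_msg:
            return ("drop", "dhcp-server-guard")

    # Source Guard: the source must be one of the addresses bound to this client
    if src not in {ipaddress.IPv6Address(b) for b in bound_sources}:
        return ("drop", "source-guard")
    return ("forward", None)


if __name__ == "__main__":
    bound = {"fe80::1", "2001:db8:a::10"}
    ra = ipv6_packet("fe80::1", "ff02::1", NH_ICMPV6, router_advertisement())
    print(inspect_client_frame(ra, bound))
```

Order matters in a real ACL the same way it does here: the RA and DHCPv6 checks run before the address check so that a rogue advertisement is logged for what it is rather than being dropped as a generic source mismatch, which keeps the drop counters meaningful for detection.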

Deploying the Cisco Unified Wireless Architecture

• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Security and Policies
• IPv6 Deployment with Controllers
• Branch Office Designs

Branch Office with Local WLAN Controller – Overview

• Branches can also have local controllers
• Small or mid-size branch WLCs: WLC 3504, Mobility Express
• High-availability design with a central backup controller is supported; WAN limitations may apply

Diagram: Central Site with a Backup Central Controller; Remote Site A, Remote Site B and Remote Site C each with a WLC-3504 or Mobility Express, connected over the WAN with CAPWAP and Mobility to the central site.

Branch Office Deployment – FlexConnect

• Hybrid architecture
• Single management and control point
• Data traffic switching: centralised traffic (split MAC) or local traffic (local MAC)
• HA will preserve local traffic only
• Traffic switching is configured per AP and per WLAN (SSID)

FlexConnect Glossary

Connected Mode When FlexConnect AP can reach Controller, it gets help from controller to complete client authentication.

Standalone Mode When FlexConnect AP cannot reach Controller, it goes into standalone state and does client authentication by itself.

Local Switching Data traffic switched onto local VLANs for an SSID

Central Switching Data traffic tunneled back to WLC for an SSID

Flex AVC WAN Bandwidth Considerations

Deployment Type    WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
Data + Flex AVC    75 Kbps               300 msec                5                    25

Test Conditions:
• 5 APs, 25 client setup
• 1 locally switched WLAN with WPA2 and PEAP
• Local authentication with RADIUS server on FCG
• Application Visibility turned on at FCG
• Applications: HTTP, FTP, RTP

Agenda

• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
• Bringing All Together – Best Practices

Best Practices (AirOS) – Make it Easy, Make it Work, Make it Perform (For Your Reference)

INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• FlexConnect Groups and Smart AP Upgrade
• Restrict number of WLANs below 4

SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advanced EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable Wi-Fi Direct
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password policies
• Enable IDS
• BYOD Timers

WIRELESS / RF
• Disable Aironet IE
• Disable 802.11b data rates
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA and TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise and Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load

MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html

WLC WLAN Express Setup – Best Practices Day 0/1

Best Practice Knobs:
• AVC Visibility
• 2.4 GHz low data rates disabled
• mDNS Snooping (8.1)
• Load Balancing
• New mDNS profile for printer, http
• Rogue threshold enabled
• Local Profiling
• Client exclusion enabled
• Band Select
• DHCP Proxy
• FastSSID enabled
• Secure web access
• Infra MFP
• Virtual IP 192.0.2.1
• Multicast forwarding mode
• RRM-DCA Auto
• SNMPv3 (delete default)
• RRM-TPC Auto
• Mobility Name
• CleanAir enabled
• EDRRM enabled
• RF Group same as Mobility Name
• Channel Width 40 MHz
• DHCP Required on Guest WLAN
• Aironet IE disabled
• Management over Wireless
• 5 GHz Channel Bonding

Save time and money:
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security, resiliency with best practice recommendations turned on at boot-up time

Videos: http://youtu.be/aNVM3rW-Zkc and https://www.youtube.com/watch?v=nGFH38peF-w

8.5 Cisco and Apple Best Practices

https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practices_for_iOS_devices_and_Mac_computers_on_Cisco_Wireless_LAN.pdf

WLC Config Analyser – Per Controller Compliance

• Best practices categorised into:
  • General
  • AP
  • Mobility
  • RF
  • Security
  • Voice
  • Mesh
  • Flex
• Per-controller compliance level for each category
• Total/Passed/Failed checks

https://cway.cisco.com/tools/WirelessAnalyzer/
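The best-practice lists on the preceding slides and the Config Analyser's per-category Total/Passed/Failed report are two halves of the same idea: a rule set and a checker that runs it against a controller's configuration. The Python below is an added example in that spirit, not the Config Analyser or any Cisco code. It parses a constructed dotted-leader config dump (the field names only loosely resemble controller show output and are assumptions), evaluates a dozen rules drawn from the slide items (telnet off, SSH on, no management over wireless, HTTPS only, Wi-Fi Direct off, AP failover priority, SSO, RRM auto, Aironet IE off, channel bonding) and reports per category the way the slide describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed example in the spirit of the WLC Config Analyser slide: a handful
# of the AirOS best-practice knobs from the preceding slides checked against a
# constructed dotted-leader config dump and reported per category as
# total/passed/failed. The dump format, field names and rule set are
# illustrative assumptions, not the real tool's checks or categories.

SAMPLE_DUMP = """\
Telnet ......................................... Enable
Secure Shell (ssh) ............................. Enable
Mgmt Via Wireless Interface .................... Disable
Web Mode ....................................... Enable
Secure Web Mode ................................ Enable
Wi-Fi Direct ................................... Allow
AP Failover Priority ........................... Enabled
Redundancy Mode ................................ SSO
DCA Channel Assignment ......................... AUTO
TPC Power Assignment ........................... AUTO
Aironet IE ..................................... Enabled
Channel Width (5 GHz) .......................... 20 MHz
"""

# (category, description, config field, accepted values) -- constructed rule set
RULES: List[Tuple[str, str, str, Tuple[str, ...]]] = [
    ("Security", "Disable telnet", "Telnet", ("Disable",)),
    ("Security", "Enable SSH", "Secure Shell (ssh)", ("Enable",)),
    ("Security", "Disable management over wireless", "Mgmt Via Wireless Interface", ("Disable",)),
    ("Security", "Secure web access: plain HTTP off", "Web Mode", ("Disable",)),
    ("Security", "Secure web access: HTTPS on", "Secure Web Mode", ("Enable",)),
    ("Security", "Disable Wi-Fi Direct", "Wi-Fi Direct", ("Disallow",)),
    ("General", "Enable AP failover priority", "AP Failover Priority", ("Enabled",)),
    ("General", "Enable high availability (SSO)", "Redundancy Mode", ("SSO",)),
    ("RF", "RRM DCA set to auto", "DCA Channel Assignment", ("AUTO",)),
    ("RF", "RRM TPC set to auto", "TPC Power Assignment", ("AUTO",)),
    ("RF", "Disable Aironet IE", "Aironet IE", ("Disabled",)),
    ("RF", "Channel bonding 40 or 80 MHz", "Channel Width (5 GHz)", ("40 MHz", "80 MHz")),
]

LINE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_dump(text: str) -> Dict[str, str]:
    """Turn 'Field ....... Value' lines into a dict; lines that do not match are ignored."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            config[m.group("key")] = m.group("value").strip()
    return config


def run_checks(config: Dict[str, str]) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Evaluate RULES; a missing field counts as failed. Returns (per-category summary, failures)."""
    summary: Dict[str, Dict[str, int]] = {}
    failures: List[str] = []
    for category, desc, field, accepted in RULES:
        tally = summary.setdefault(category, {"total": 0, "passed": 0, "failed": 0})
        tally["total"] += 1
        value = config.get(field)
        if value is not None and value.lower() in {a.lower() for a in accepted}:
            tally["passed"] += 1
        else:
            tally["failed"] += 1
            failures.append(f"{category}: {desc} ({field} = {value!r})")
    return summary, failures


if __name__ == "__main__":
    report, problems = run_checks(parse_dump(SAMPLE_DUMP))
    for cat, t in report.items():
        print(f"{cat:9} total={t['total']} passed={t['passed']} failed={t['failed']}")
    for p in problems:
        print("  FAIL", p)
```

Treating an absent field as a failure rather than a pass is deliberate: a dump that lacks the line is more likely a truncated capture or a renamed field than evidence that the knob is set correctly, and a compliance report should say so.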

Summary – Key Takeaways

• Take advantage of the standards (CAPWAP, DTLS, 802.11 i, e, k, r …) and the Apple+Cisco relationship
• Wide range of architecture / design choices and High Availability
• Brand new controller portfolio (WLC3504, WLC5520, WLC8540, Virtual WLC) with investment protection
• Take advantage of innovations from Cisco (11ac Wave 2, Flexible Radio Architecture (FRA), CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
• Cisco's investment into technology – Cisco Prime, ISE, Stealthwatch, Umbrella and CMX

Cisco Enterprise Wireless Book

http://cs.co/wirelessbook

EN Booksprints

http://cs.co/cat9000book
http://cs.co/sdabook
http://cs.co/programmabilitybook
http://cs.co/wirelessbook
http://cs.co/assurancebook

Cisco Wireless LAN Documentation

https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-technical-reference-list.html

Catalyst 9800 Wireless Controller Documentation

• Technical References: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-technical-reference-list.html
• Configuration Guides: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-installation-and-configuration-guides-list.html
• Technical Notes: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-configuration-examples-list.html

Cisco WLAN YouTube channel: https://www.youtube.com/user/CiscoWLAN/

Q & A

Complete Your Online Session Evaluation

• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don't forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/

Thank you