
Design and Deployment of Enterprise WLANs
Sujit Ghosh
Sr. Mgr. Technical Marketing

BRKEWN-2010
Agenda
• Controller-Based Architecture Overview
• Mobility in the Cisco Unified WLAN Architecture
• Architecture Building Blocks
• Deploying the Cisco Unified Wireless Architecture
Cisco Unified Wireless Principles
• Components
• Wireless LAN controllers (WLC)
• Aironet access points (AP)
• Management (Prime Infrastructure) (PI)
• Mobility Service Engine (MSE)
• Principles
• AP must have CAPWAP connectivity with WLC
• Configuration downloaded to AP by WLC
• All Wi-Fi traffic is forwarded to the WLC
(Diagram: Cisco Prime Infrastructure, Wireless LAN Controllers and MSE attached to the Campus Network, with Aironet Access Points at the edge)
Centralised Wireless LAN Architecture
What is CAPWAP?
• CAPWAP (Control and Provisioning of Wireless Access Points) is used between APs and the WLAN controller; it is based on LWAPP and runs over IPv4 or IPv6
• CAPWAP carries control and data traffic between the two
• Control plane is DTLS encrypted
• Data plane is DTLS encrypted (optional)
• LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless
• CAPWAP is not supported on Layer 2 mode deployment
(Diagram: Wi-Fi Client, Access Point, CAPWAP Controller and Business Application; the Control Plane and the Data Plane run between the Access Point and the CAPWAP Controller)
CAPWAP State Machine
(Diagram: AP Boots Up → Discovery → DTLS Setup → Join → Image Data → Config → Run; Reset leads back to Discovery)
AP Controller Discovery
• Layer 2 join procedure attempted on LWAPP APs (CAPWAP does not support Layer 2 APs)
• Broadcast message sent to discover controller on a local subnet
• Layer 3 join process on CAPWAP APs after Layer 2 fails:
• Previously learned or primed controllers
• Subnet broadcast
• DHCP option 43
• DNS lookup
Efficient CAPWAP Operation
• Define the Wireless Access Point Device DHCP Scopes:
• Default router IP address for the Access Point scope
• Helper address (forwarding UDP 5246 to the WLC’s management interface)
• Domain name
• Appropriate DHCP lease timer for APs
• Pool sizes for WLAN devices in accordance with the different types of sites
• If NAT is used, static 1-to-1 NAT to an outside address is recommended
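The DHCP option 43 method listed above carries the controller addresses in one Cisco vendor sub-option: type 0xF1, a length byte equal to four times the number of controllers, then the IPv4 management addresses back to back. The following is an added example, not code from the presentation or from Cisco, that builds that payload for a DHCP scope and parses it back while rejecting malformed lengths; the controller addresses 10.1.1.10 and 10.1.1.11 are constructed for the demonstration.

```python
import ipaddress

# Cisco APs read WLC addresses from DHCP option 43 as one vendor-specific
# sub-option: type 0xF1, length = 4 x number of controllers, then the IPv4
# management addresses back to back.
WLC_SUBOPTION_TYPE = 0xF1


def encode_option43(controllers):
    """Build the option 43 payload advertising the given WLC management IPs."""
    ips = [ipaddress.IPv4Address(c) for c in controllers]  # ValueError on a bad address
    if not ips:
        raise ValueError("at least one controller address is required")
    body = b"".join(ip.packed for ip in ips)
    if len(body) > 255:
        raise ValueError("sub-option length does not fit in one byte")
    return bytes([WLC_SUBOPTION_TYPE, len(body)]) + body


def option43_hex(controllers):
    """Hex string in the form used by an IOS DHCP pool: option 43 hex <value>."""
    return encode_option43(controllers).hex()


def decode_option43(payload):
    """Parse an option 43 payload back into controller IPs; reject malformed data."""
    if len(payload) < 2 or payload[0] != WLC_SUBOPTION_TYPE:
        raise ValueError("not a Cisco WLC sub-option")
    length = payload[1]
    body = payload[2:2 + length]
    if length == 0 or length % 4 != 0 or len(body) != length:
        raise ValueError("length must be a non-zero multiple of 4 and match the data")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    wlcs = ["10.1.1.10", "10.1.1.11"]  # constructed WLC management addresses
    print("option 43 hex:", option43_hex(wlcs))
    print("decoded:", decode_option43(encode_option43(wlcs)))
```

Because the length byte is validated against the data actually present, a scope that was mistyped (for example an odd number of bytes) is caught before an AP is sent to a nonexistent controller.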
7.4, 7.6, 8.0, 8.1? Which Version Should I Use?
AireOS Release            MSE               Prime   ISE
802.11n:  7.4.130.0 (MR3)   8.0.110.0 (MR1)   2.2     1.3
802.11ac: 8.0.115.0 (MR1)   8.0.110.0 (MR1)   2.2     1.3

Mobility Defined
• Mobility is a key reason for wireless networks
• Mobility means the end-user device is capable of moving location in the networked environment
• Roaming occurs when a wireless client moves association from one AP and re-associates to another, typically because it’s mobile!
• Mobility presents new challenges:
• Need to scale the architecture to support client roaming—roaming can occur intra-controller and inter-controller
• Need to support client roaming that is seamless (fast) and preserves security
Scaling the Architecture with Mobility Groups
• Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
• Support for up to 24 controllers, 24000 APs per mobility group
• Mobility messages exchanged between controllers
• Data tunneled between controllers in EtherIP (RFC 3378)
• 7.6 has the option of using EoIP or CAPWAP tunnels between controllers
(Diagram: Controller-A (MAC AA:AA:AA:AA:AA:01), Controller-B (MAC AA:AA:AA:AA:AA:02) and Controller-C (MAC AA:AA:AA:AA:AA:03), all with Mobility Group Name MyMobilityGroup and each listing the other two as Mobility Group Neighbours; Ethernet in IP tunnels and Mobility Messages run between them)
Scaling the Architecture with Mobility Groups
• With Inter Release Controller Mobility (IRCM) roaming is supported between 7.4, 8.0, 8.1
• 24 WLCs in a Mobility Group
• 72 WLCs in a Mobility Domain
(Diagram: one WLC network forming a Mobility Domain that contains a Mobility Group (7.4), a Mobility Group (8.0) and a Mobility Group (8.1))
How Long Does an STA Roam Take?
• Time it takes for:
• Client to disassociate +
• Probe for and select a new AP +
• 802.11 Association +
• 802.1X/EAP Authentication +
• Rekeying +
• IP address (re) acquisition
• All this can be on the order of seconds… Can we make this faster?
Roaming Requirements
• Roaming must be fast … Latency can be introduced by:
• Client channel scanning and AP selection algorithms
• Re-authentication of client device and re-keying
• Refreshing of IP address
• Roaming must maintain security:
• Open auth, static WEP—session continues on new AP
• WPA/WPAv2 Personal—New session key for encryption derived via standard handshakes
• 802.1X, 802.11i, WPA/WPAv2 Enterprise—Client must be re-authenticated and new session key derived for encryption
How Are We Going to Make Roaming Faster?
Focus on Where We Can Have the Biggest Impact
• Eliminating the (re)IP address acquisition challenge
• Eliminating full 802.1X/EAP reauthentication
Intra-Controller Roaming: Layer 2 Roaming
(Diagram: WLC-1 and WLC-2 on VLAN X, each holding a client database with the client data (MAC, IP, QoS, Security); mobility message exchange between WLC-1 and WLC-2; the client roams to a different AP and the data path follows it)
• Client database entry with new AP and appropriate security context
• No IP address refresh needed
Client Roaming Between Subnets: Layer 3 Roaming
(Diagram: WLC-1 on VLAN X and WLC-2 on VLAN Z, each holding a client database entry with the client data (MAC, IP, QoS, Security); mobility message exchange between the two; WLC-1 is the anchor controller and WLC-2 the foreign controller, joined by a controller data tunnel that carries the client traffic back along the pre-roaming data path; the client roams to a different AP)
Roaming: Inter-Controller
• L3 inter-controller roam: STA moves association between APs joined to different controllers, with client traffic bridged onto different subnets
• Client must be re-authenticated and a new security session established
• Client database entry copied to the new controller – the entry exists in both WLC client DBs
• Original controller tagged as the “anchor”, new controller tagged as the “foreign”
• WLCs must be in the same mobility group or domain
• No IP address refresh needed
• Symmetric traffic path established – the asymmetric option has been eliminated as of the 6.0 release
• Account for mobility message exchange in network design
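The three roam types described above differ in what happens to the client database entry: updated in place (intra-controller), moved (inter-controller on the same subnet), or copied with anchor/foreign tags so the client keeps its IP (L3 inter-controller). The following is an added example, not code from the presentation or from Cisco, that models those rules; the controller names, VLANs, client MAC and IP are constructed, and the checks for a shared mobility group and for re-authentication are the ones the slide states.

```python
from dataclasses import dataclass, field


@dataclass
class ClientEntry:
    """Client database entry kept by a WLC (MAC, IP, QoS, security context)."""
    mac: str
    ip: str
    qos: str
    security: str
    ap: str
    role: str = "local"   # "local", "anchor" or "foreign"


@dataclass
class Controller:
    name: str
    vlan: str
    mobility_group: str
    clients: dict = field(default_factory=dict)


def roam(client_mac, from_wlc, to_wlc, new_ap, reauthenticated=False):
    """Move a client's association and return the roam type; raise on a bad design."""
    entry = from_wlc.clients[client_mac]
    if from_wlc is to_wlc:
        entry.ap = new_ap                     # intra-controller: entry updated in place
        return "intra-controller"
    if from_wlc.mobility_group != to_wlc.mobility_group:
        raise ValueError("WLCs must share a mobility group or domain to roam between them")
    if not reauthenticated:
        raise PermissionError("client must re-authenticate and establish a new security session")
    copied = ClientEntry(entry.mac, entry.ip, entry.qos, entry.security, new_ap)
    if from_wlc.vlan == to_wlc.vlan:
        del from_wlc.clients[client_mac]      # L2 inter-controller: entry moves, IP kept
        to_wlc.clients[client_mac] = copied
        return "inter-controller L2"
    # L3 inter-controller: the entry exists on both WLCs; the original is tagged
    # anchor and the new one foreign, and traffic is tunnelled back to the anchor,
    # which is why no IP refresh is needed.
    entry.role = "anchor"
    copied.role = "foreign"
    to_wlc.clients[client_mac] = copied
    return "inter-controller L3"


def demo():
    """Constructed scenario: one client roams within WLC-1, then to WLC-2 on another VLAN."""
    wlc1 = Controller("WLC-1", "VLAN X", "MyMobilityGroup")
    wlc2 = Controller("WLC-2", "VLAN Z", "MyMobilityGroup")
    mac = "aa:bb:cc:00:00:01"
    wlc1.clients[mac] = ClientEntry(mac, "10.10.0.25", "silver", "WPA2-Enterprise", "AP-1")
    kinds = [roam(mac, wlc1, wlc1, "AP-2"),
             roam(mac, wlc1, wlc2, "AP-9", reauthenticated=True)]
    return kinds, wlc1, wlc2


if __name__ == "__main__":
    kinds, wlc1, wlc2 = demo()
    print(kinds)
    for wlc in (wlc1, wlc2):
        for entry in wlc.clients.values():
            print(wlc.name, entry.role, entry.ap, entry.ip)
```

Sizing a roaming domain follows directly from the L3 case: every client that has roamed across subnets holds a slot on two controllers at once.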
How Are We Going to Make Roaming Faster?
Focus on Where We Can Have the Biggest Impact
✔ Eliminating the (re)IP address acquisition challenge
• Eliminating full 802.1X/EAP reauthentication
Fast Secure Roaming
Standard Wi-Fi Secure Roaming
• 802.1X authentication in wireless today requires three “end-to-end” transactions with an overall transaction time of > 500 ms
• 802.1X authentication in wireless today requires a roaming client to reauthenticate, incurring an additional 500+ ms to the roam
(Diagram: Cisco AAA Server (ACS or ISE) reached across the WAN; 1. 802.1X initial authentication transaction at AP1; 2. 802.1X reauthentication after roaming to AP2)
Cisco Centralised Key Management (CCKM)
• Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application specific devices (ASDs)
• CCKM ported to CUWN architecture in 3.2 release
• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
• CCKM is most widely implemented in ASDs, especially VoWLAN devices
• To work across WLCs, WLCs must be in the same mobility group
• CCX-based laptops may not fully support CCKM – depends on supplicant capabilities
• CCKM is standardised in 802.11r, Apple iOS 6.0, iOS 7.0

Protocols that Help Your BYOD Roam
• Issues will come as you reach the edge of the cell – you need to expedite the jump to the next cell:
• 802.11k: helps the BYOD discover the next cell
• 802.11r (FT): helps the BYOD exchange credentials fast while roaming
• 802.11v BSS Transition Management: pushes the BYOD to the next cell
• How do you know if your BYOD supports 802.11k or 802.11r?
• Apple devices support both since iOS 6
• On Android… it depends on the device – vendors certify 802.11r and/or 802.11k on devices targeted for the enterprise market, not for the home market
• Two URLs can help you:
• http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/device_classification_guide.html
• http://clients.mikealbano.com/ (look for RM fields in frame captures for 802.11k support)
802.11k: Help your BYOD Discover the Next Cell
(Configuration screenshot with three options: “Enables neighbor list optimization for non-802.11k clients”*, “Enables 802.11k”**, “802.11k neighbors on the other band”***)
Small print:
* We use client probes to check which AP sees what client and build a list of the next best APs based on client RSSI on all detecting APs, then deny association to “bad APs”
** CLI allows for an additional option about floor RSSI bias.
*** Means you allow 2.4 <-> 5 GHz roams. Not always a good idea.
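The small print above sketches the neighbour-list logic: rank the APs that heard the client's probe by the RSSI each one measured, hand the client the best few, and refuse association at APs that heard it too weakly. The following is an added example, not code from the presentation or from Cisco, that implements that sketch; the probe reports, the -72 dBm floor (standing in for the floor RSSI bias the CLI exposes) and the six-entry list size are constructed assumptions, and the band filter corresponds to the “neighbors on the other band” option.

```python
# Constructed probe reports: AP name -> (band in GHz, client RSSI in dBm as heard by that AP)
PROBE_REPORTS = {
    "AP-1": (5, -48),
    "AP-2": (5, -62),
    "AP-3": (2.4, -55),
    "AP-4": (5, -78),
    "AP-5": (5, -66),
    "AP-6": (2.4, -80),
    "AP-7": (5, -70),
    "AP-8": (5, -71),
}


def build_neighbor_list(reports, current_ap, current_band, floor_rssi=-72,
                        allow_other_band=False, max_neighbors=6):
    """Rank candidate next APs by the RSSI at which they heard the client.

    Returns (neighbor_list, denied): the best `max_neighbors` APs in descending
    RSSI order, and the set of APs that heard the client below the floor and
    would therefore refuse its association attempt.
    """
    ranked, denied = [], set()
    for ap, (band, rssi) in reports.items():
        if ap == current_ap:
            continue
        if band != current_band and not allow_other_band:
            continue                  # stay on the current band unless cross-band roams are allowed
        if rssi < floor_rssi:
            denied.add(ap)            # a "bad AP" for this client: too weak to serve it well
            continue
        ranked.append((rssi, ap))
    ranked.sort(reverse=True)
    return [ap for _, ap in ranked[:max_neighbors]], denied


def association_allowed(ap, denied):
    """Decision an AP takes when the client tries to associate to it anyway."""
    return ap not in denied


if __name__ == "__main__":
    for cross_band in (False, True):
        neighbors, denied = build_neighbor_list(PROBE_REPORTS, "AP-1", 5, allow_other_band=cross_band)
        print("cross-band" if cross_band else "same band", "->", neighbors, "denied:", sorted(denied))
```

With cross-band roams disabled the client on AP-1 is steered only to 5 GHz neighbours; enabling them puts the 2.4 GHz AP-3 at the top of the list because its RSSI is highest, which is exactly the trade-off the third footnote warns about.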
802.11r (FT): Help BYOD Exchange Credentials Fast While Roaming
• FT key management is different from standard WPA2. Clients MUST support 802.11r to join this SSID
(Configuration screenshot: “Enables FT”; “Default is over the air”; “Max time between FT Authentication Request and Re-association Request”)
802.11v: Send your BYOD to the Next (Better) Cell
• 802.11v: Wait, which part?
• 802.11v is a 433-page amendment for “Wireless network management” (exchange information to improve the life of clients and the overall performance of the wireless network)
• Not associated with a specific WFA certification
• Some vendors (Apple with iOS 7 and later) implement some 802.11v features; we implement the supporting infrastructure part
• BSS Max Idle Period, Directed Multicast Service (8.0): saves on battery consumption
• 802.11v BSS Transition Management (8.1): this is about roaming optimization
802.11v: Send your BYOD to the Next (Better) Cell
• 802.11k vs 802.11v BSS Transition Management
(Diagram of the exchanges between client and AP:)
802.11k neighbor list: client “What could my next AP be?”, AP “Here are the best 6 for you”
802.11v solicited request: client “Need to roam, what AP do you recommend?”, AP “Try this one”
802.11v unsolicited request (Optimized Roaming): AP “Your RSSI / rates are too low, roam to there instead”
802.11v unsolicited request: client “Want to join your cell”, AP “Nah, load too high, go there instead”
802.11v: Send your BYOD to the Next (Better) Cell
• 802.11v BSS Transition Management Configuration
(Configuration screenshot, annotated: “Enables 802.11v BSS Transition”; “STA will be disassociated (must roam)”; a timer “For solicited and unsolicited requests”; a timer “For Unsolicited Optimized Roaming Requests (TBTT = beacon intervals)”)
Summary of Configuration Recommendations
Implement 802.11k and 802.11v, roaming is MUCH more efficient*
• Devices that support 802.11k/v will benefit, others will not be affected
Implement 802.11r only if you know that your devices support it
• Any Apple BYOD with iOS 6 or later, most Samsung and LG higher end clients, Sony Xperia
• *With 802.11k, the iOS device will scan up to 6 channels
• Bursts of 20 ms in 50 ms dwell time = less than 0.5 second
• Without 802.11k, the iOS device can scan up to 35 channels
• Bursts of 20 ms in 50 ms dwell time on each band = can be more than 2 seconds (this is just next AP discovery time)
Designing a Mobility Group/Domain
• Less roaming is better – clients and apps are happier
• While clients are authenticating/roaming, the WLC CPU is doing the processing – not as much of a big deal with the latest controllers, which have a dedicated management/control processor
• L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size
• Leverage natural roaming domain boundaries
• Mobility Message transport selection: multicast vs. unicast
• Make sure the right ports and protocols are allowed
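Two earlier points meet here: the mobility-group slide states that roamed-client data is tunnelled between controllers in EtherIP (RFC 3378), and this slide asks for the right ports and protocols to be allowed. The following is an added example, not code from the presentation or from Cisco, that builds and validates the 16-bit EtherIP header in front of an Ethernet frame (so a firewall or capture tool between controllers can recognise the tunnel) and keeps a small allow-list of the flows involved. The EtherIP protocol number 97, the mobility control port UDP 16666 and the CAPWAP ports UDP 5246/5247 are Cisco's published assignments; the UDP 16667 entry for the CAPWAP-based data tunnel of new mobility is an assumption to verify against the release notes in use, and the sample frame is constructed.

```python
import struct

ETHERIP_PROTO = 97        # IP protocol number for EtherIP (RFC 3378)
ETHERIP_VERSION = 3       # RFC 3378: 4-bit version field = 3, 12 reserved bits = 0
MIN_ETHERNET_HEADER = 14  # dst MAC + src MAC + EtherType

# Flows that must be permitted between mobility peers and from APs to the WLC.
# The UDP 16667 entry is an assumption (see lead-in); the others are published.
MOBILITY_FLOWS = {
    ("ip", 97): "EtherIP data tunnel between controllers (old mobility)",
    ("udp", 16666): "mobility control messages between controllers",
    ("udp", 16667): "CAPWAP mobility data tunnel between controllers (new mobility; assumed)",
    ("udp", 5246): "CAPWAP control, AP to WLC",
    ("udp", 5247): "CAPWAP data, AP to WLC",
}


def etherip_encapsulate(frame):
    """Prepend the EtherIP header to an Ethernet frame (the outer IP header is left to the stack)."""
    if len(frame) < MIN_ETHERNET_HEADER:
        raise ValueError("not an Ethernet frame")
    return struct.pack("!H", ETHERIP_VERSION << 12) + frame


def etherip_decapsulate(payload):
    """Validate the EtherIP header and return the inner Ethernet frame."""
    if len(payload) < 2 + MIN_ETHERNET_HEADER:
        raise ValueError("EtherIP payload too short")
    (header,) = struct.unpack("!H", payload[:2])
    if header >> 12 != ETHERIP_VERSION:
        raise ValueError("unsupported EtherIP version")
    if header & 0x0FFF:
        raise ValueError("reserved bits must be zero")
    return payload[2:]


def inner_ethertype(frame):
    """EtherType of the tunnelled frame, e.g. 0x0800 for IPv4."""
    return struct.unpack("!H", frame[12:14])[0]


def describe_flow(proto, port=None):
    """Why a flow belongs on the controller-to-controller allow-list, or None if it does not."""
    return MOBILITY_FLOWS.get((proto, port))


# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), a few payload bytes.
SAMPLE_FRAME = (bytes.fromhex("aaaaaaaaaa02") + bytes.fromhex("aaaaaaaaaa01")
                + bytes.fromhex("0800") + b"\x45\x00\x00\x14")


if __name__ == "__main__":
    packet = etherip_encapsulate(SAMPLE_FRAME)
    print("EtherIP header:", packet[:2].hex())
    print("inner EtherType: 0x%04x" % inner_ethertype(etherip_decapsulate(packet)))
    for key in sorted(MOBILITY_FLOWS):
        print(key, "->", describe_flow(*key))
```

Rejecting non-zero reserved bits matters in practice: EtherIP carries no integrity check of its own, so the only header sanity available to a filter is the version and reserved fields, and anything else should be treated as not the mobility tunnel.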
New Mobility Configuration
• New mobility enables clients to roam across AireOS and IOS based solutions in Central as well as Converged Access mode
• A client cannot roam across an AireOS WLC1 configured with old mobility and another AireOS WLC2 configured with new mobility
• UA FCS - 5508 & WiSM2 can operate on 7.6 and 8.0
IRCM and Guest Anchor Support
(Diagram, Old Mobility using EoIP: foreign controllers 5508/8510/7510/WiSM2/2504 and 5520/8540 in one mobility group, connected by an EoIP mobility tunnel through the campus switches; an EoIP guest-anchor tunnel leads to a DMZ Guest Anchor 5520/8540)
IRCM and Guest Anchor Support
(Diagram, New Mobility using CAPWAP: foreign controllers 5520/8540/5508/7510/8510/WiSM2/2504, 5760 and 3850/3650 in one mobility group, connected by a CAPWAP mobility tunnel through the campus switches; a CAPWAP guest-anchor tunnel leads to a DMZ Guest Anchor 5520/8540)

CUWN Release - Key Controller Features
Dec CY14 – CUWN 8.0 MR (Interop: CMX 8.0, ISE 1.3, PI 2.1): AP 1570 11ac Outdoor; iBeacon/BLE visibility & security; World Reg. Domain
May CY15 – CUWN 8.1 (Interop: CMX 10.1, ISE 1.3, PI 3.0): AP 5520 and 8540 Series Controller; WLAN Express with Best Practices on all Controllers; SSO aware Microsoft SDN Lync 2.0
Aug CY15 – CUWN 8.1 MR (Interop: CMX 10.2, ISE 1.3, PI 3.0): Hyper-location module; Airtime Fairness (ATF); Access Point 1850
Other features listed on the slide: HA WLC SKU monitoring; MobileApp; Guest Anchor Redundancy; KVM support for vWLC; TrustSec SXP on 8510, 5520, 8540; HDX PH-2 (DBS, FlexDFS, Improved Wi-Fi awareness, Wi-Fi event driven RRM, Optimized Roaming v2); Mesh Convergence; EoGRE tunneling on AP & WLC; FlexConnect AVC, AAA-Override
Introducing the Cisco 5520 and 8540
Feature-Rich, Multi-mode and Ready for Wave 2 802.11ac
Built for addressing Scale of BYOD
• 5520 scales up to 1500 APs & 20,000 clients
• 8540 scales up to 6000 APs & 64,000 clients
Throughput to address needs of Wave-2 11ac
• 5520 supports 20 Gig of throughput
• 8540 supports 40 Gig of throughput
Services Ready
• Ability to host multiple services such as Application Visibility and Control, Bonjour Services Directory, TrustSec, Guest, High Availability with SSO
• Support for centralized, distributed and Mesh deployments
Simplified Migration and Manageability
• Right To Use Licensing, Ease of Enablement and Portability
• Utilizes the NEW WLAN Express Web GUI with best practices enabled
• Allows administrator to easily migrate config from previous WLC
5520 and 8540 Wireless LAN Controllers (Previous 12 Months)
5520 WLAN Controller (NEW): Access Points 1,500; Clients 20,000; Deployment Modes Centralized, FlexConnect and Mesh; Form Factor 1 RU; IO Interface Dual 1G or 10G ports with LAG; Power AC w/Optional Redundant Power Supply; Redundancy Solid State Drives; Product Warranty 3 years (NEW)
8540 WLAN Controller (NEW): Access Points 6,000; Clients 64,000; Deployment Modes Centralized, FlexConnect and Mesh; Form Factor 2 RU; IO Interface Four port 1G or 10G with LAG; Power Options AC or DC; Redundancy Dual Power supply and SSD with RAID; Product Warranty 3 years (NEW)
Software: WLC 8.1, PI 2.2.2, CMX 10.1, ISE 1.3
Key drivers behind new 5520 and 8540 controllers
Optimized for next gen wireless networks
High Scalability: Optimized for 802.11ac Wave 2; Flexible Connectivity (1/10 Gbps); 20G or 40G Throughput; Up to 6,000 AP and 64,000 Clients; Greater compute and Crypto Power
Integrated Services: AVC, Bonjour; Policy Classification; Security
Return on Investment: Simplified Licensing (RTU) with ability to scale as you grow (Single AP adder); License portability (5520 & 8540); Simplified (WLAN Express); IRCM and Guest Anchor with IOS WLC
HA Resiliency: HA Pair – Stateful Switchover; Fast Restart – Enhanced Uptime; No Moving Parts – Solid State Drives; HW Redundancy – PS, Fans; Ease of maintenance – PS, Fans, SSD
Software: AireOS 8.1 (and above); Flex, Mesh & Centralized modes
WLAN Controller Portfolio
Large Campus and Service Provider:
AireOS 5508: 500 APs, 7000 clients, 8 Gbps
IOS 5760: 1000 APs, 12,000 clients, 60 Gbps
AireOS WiSM2: 1000 APs, 15,000 clients, 20 Gbps
AireOS 5520 (NEW): 1500 APs, 20,000 clients, 20 Gbps
AireOS 8510: 6000 APs, 64,000 clients, 10 Gbps
AireOS 8540 (NEW): 6000 APs, 64,000 clients, 40 Gbps
Small Campus / Branch (Controller On-Premise):
AireOS 2500: 75 APs, 1000 clients, 1 Gbps
AireOS Mobility Express (new in 8.1): 25 APs, 500 clients, FlexConnect
IOS Catalyst 3650: 50 APs per switch/stack (doubled AP scale with 3.7 MR), directly connected APs, 1000 clients per stack, 40 Gbps per switch
IOS Catalyst 3850: 100 APs per stack, directly connected APs, 2K clients per stack, 40 Gbps per switch
IOS Catalyst 4500-E SUP: 100 APs per SUP, indirectly connected APs, 2K clients per stack, 40 Gbps per switch
Branch (Controller in DC):
AireOS Flex 7500: 6000 APs, 64,000 clients (scale with 8.2), 1 Gbps
AireOS Virtual WLC: ESXi & KVM, 1.5K APs, 16K clients (with 8.1 MR), 500 Mbps
New in 8.1
Cisco 1850 Series Access Point
Next Generation 802.11ac Wave 2 Access Points
• Industry’s First Enterprise-class 4x4 MIMO 802.11ac Wave 2 Access Point
• Dual Radio, 802.11ac Wave 2, 80 MHz
• 5 GHz: 4x4 MIMO
• 4 SS SU-MIMO
• 3 SS MU-MIMO
• Up to 1.7 Gbps Max 5 GHz PHY
• 2x GbE and USB 2.0
• CleanAir Express
• Auto LAG
• Internal and External Antenna Models
Cisco Aironet Indoor Access Points Portfolio
Industry’s Best 802.11ac Series Access Points
1700 (Enterprise Class): 802.11ac W1; 870 Mbps PHY; 3x3:2SS; CleanAir Express; Tx Beam Forming; 2 GbE Ports
1850 (New, Enterprise Class): 802.11ac W2; 1.7 Gbps PHY; 4x4:4SS; CleanAir Express; Tx Beam Forming; 2 GbE Ports, LAG; USB 2.0; Mobility Express Primary AP
2700 (Mission Critical): 802.11ac W1; 1.3 Gbps PHY; 3x4:3SS; HDX: High Density Experience; CleanAir 80 MHz; ClientLink 3.0; 2 GbE Ports
3700 (Best in Class): 802.11ac W1, 1.3 Gbps PHY; 4x4:3SS; HDX: High Density Experience; CleanAir 80 MHz; ClientLink 3.0; StadiumVision; Modularity: Security, 3G Small Cell or Wave 2 802.11ac
* Post-FCS
New in 8.1
Hyperlocation Module with Advanced Security
Unprecedented WiFi Location Accuracy and Wireless Security
Hyperlocation Module with Advanced Security (Mid 2015)
Value Differentiation at a Glance
Feature** | AP Only (with CleanAir) | AP + Wireless Security Module (WSM) | AP + Hyperlocation Module with Advanced Security (HMAS)
Security:
Off-Channel Scan for WIPS, Rogue Detection, Location, CleanAir, RRM | - | ✔ | ✔
Rogue Containment / NDP* | - | - | ✔
Bandwidth Scan | - | 20 MHz | 20, 40, 80 MHz
Location:
WiFi Location (Distance) | ✔ (5 meter) | ✔ (5 meter) | ✔ (1 meter)
Angle of Arrival Technology | - | - | ✔
Location with Single AP | - | - | ✔
Fast Locate (Blue Dot Refresh Rate) | ✔ (4 refresh per min) | ✔ (8-10 refresh per min) | ✔ (8-10 refresh per min)
BLE Detection / Location | ✔ | ✔ | ✔
BLE Beacon | - | - | ✔
Software and Hardware Consideration | - | HW: WSM Module; SW: WLC 8.1MR1, CMX 10.2, PI 3.0 | HW: HMAS + Hyperlocation Antenna; SW: WLC 8.1MR1, CMX 10.2, PI 3.0
* Future
** Native Capabilities, without Dedicated Monitor AP Overlay
Best Practices For High Performance Mobile Infrastructure
1. RF Planning – Engineer the WLAN for data, voice, video, location, and client density: 802.11ac: -65 to -67 RSSI; 10 – 20% cell overlap; 1 AP / 2500 sq ft
2. RF Optimisation – Optimise Gigabit Wi-Fi as primary connectivity – Gig Ethernet as fallback: Cisco CleanAir; ClientLink; RRM
3. High Availability – Replicate the High Availability of the LAN on the WLAN: LAN SSO – Edge, Core, Disti; WLAN SSO – Client, AP, Controller
4. Application Visibility & Control – Prioritise mission critical business applications over personal applications: Cisco AVC – Identify, Prioritise, Control Apps across LAN, WLAN
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Local Profiling and Policy Classification
• Application Visibility Control
• IPv6 Deployment with Controllers
• Branch Office Designs
Centralized Mode HA
Client SSO – Requirements: Minimum release: 7.5; WLC: 5508, WiSM2, 7500, 8510; L2 connection; Same HW and software; HA-SKU available; 1:1 box redundancy. Benefits: Active Client State is synched; AP state is synched; No Application downtime; Network Uptime
AP SSO (SSID stateful switchover) – Requirements: Release: 7.3 and 7.4; WLC: 5508, WiSM2, 7500, 8510; Direct physical connection; HA-SKU available (> 7.4); Same HW and SW; 1:1 box redundancy. Benefits: AP state is synched; No SSID downtime
N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary) – Requirements: Available on all controllers; Each Controller has to be configured separately; HA-SKU available (> 7.4). Benefits: Crosses L3 boundaries; Flexible: 1:1, N:1, N:N
Controller Redundancy
• Redundant WLC in a geographically separate location
• Layer-3 connectivity between the AP connected to the primary WLC and the redundant WLC
• Redundant WLC need not be part of the same mobility group
• Configure high availability (HA) to detect failure and faster failover
• Use AP priority in case of over-subscription of the redundant WLC
(Diagram: WLAN-Controller-1, WLAN-Controller-2 … WLAN-Controller-n at the sites and WLAN-Controller-BKP in the NOC or Data Centre; the APs behind WLAN-Controller-1 are configured with Primary: WLAN-Controller-1, Secondary: WLAN-Controller-BKP; those behind WLAN-Controller-2 with Primary: WLAN-Controller-2, Secondary: WLAN-Controller-BKP; those behind WLAN-Controller-n with Primary: WLAN-Controller-n, Secondary: WLAN-Controller-BKP)
Controller Redundancy – High Availability
• High Availability Principles:
• The AP is registered with a WLC and maintains a backup list of WLCs.
• The AP uses heartbeats to validate WLC connectivity
• The AP uses Primary Discovery messages to validate the backup WLC list
• When the AP loses 3 heartbeats it starts the join process to the first backup WLC candidate
• The candidate backup WLC is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
• The AP does not re-initiate the discovery process.
(Diagram: Primary WLC and Secondary WLC)
New Timers (7.2):
Heartbeat Timeout: 1-30 secs
Fast Heartbeat Timer: 1-10 secs
AP Retransmit Interval: 2-5 secs
AP Retransmit with FH Enabled: 3-8 Times
AP Fallback to next WLC: 12 secs
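The principles above amount to a small state machine on the AP: count lost heartbeats, and on the third loss join the first controller that is alive in the fixed order primary, secondary, tertiary, global primary, global secondary, without running discovery again. The following is an added example, not code from the presentation or from Cisco, that models that behaviour; the controller names follow the redundancy diagram, the set of "alive" controllers stands in for the answers to the AP's Primary Discovery messages, and the threshold of three lost heartbeats is the one the slide states.

```python
BACKUP_ORDER = ("primary", "secondary", "tertiary", "global_primary", "global_secondary")


def choose_backup_wlc(configured, alive):
    """First reachable WLC in the order primary, secondary, tertiary, global primary, global secondary.

    configured: role -> WLC name (roles that are not configured are skipped).
    alive: WLC names that answered the AP's last Primary Discovery request.
    """
    for role in BACKUP_ORDER:
        wlc = configured.get(role)
        if wlc is not None and wlc in alive:
            return wlc
    return None


class ApFailoverState:
    """Heartbeat bookkeeping of one AP joined to a WLC."""

    def __init__(self, joined_wlc, configured, alive, heartbeat_loss_threshold=3):
        self.joined_wlc = joined_wlc
        self.configured = configured
        self.alive = set(alive)
        self.threshold = heartbeat_loss_threshold
        self.missed = 0
        self.events = []

    def heartbeat_answered(self):
        """A heartbeat reply resets the loss counter."""
        self.missed = 0

    def heartbeat_lost(self):
        """Count a lost heartbeat; on the third loss start the join process (no rediscovery).

        Returns the WLC being joined, or None if the AP stays where it is.
        """
        self.missed += 1
        if self.missed < self.threshold:
            return None
        self.alive.discard(self.joined_wlc)   # the WLC that stopped answering is not a candidate
        candidate = choose_backup_wlc(self.configured, self.alive)
        if candidate is None:
            self.events.append("no backup WLC alive; AP falls back to discovery")
            return None
        self.events.append("join " + candidate)
        self.joined_wlc = candidate
        self.missed = 0
        return candidate


def demo():
    """Constructed scenario: primary WLAN-Controller-1 stops answering after two good heartbeats."""
    configured = {"primary": "WLAN-Controller-1",
                  "secondary": "WLAN-Controller-BKP",
                  "global_primary": "WLAN-Controller-GLOBAL"}
    ap = ApFailoverState("WLAN-Controller-1", configured,
                         alive={"WLAN-Controller-1", "WLAN-Controller-BKP", "WLAN-Controller-GLOBAL"})
    ap.heartbeat_answered()
    ap.heartbeat_answered()
    results = [ap.heartbeat_lost() for _ in range(3)]
    return results, ap.joined_wlc


if __name__ == "__main__":
    results, joined = demo()
    print("per-heartbeat decisions:", results)
    print("AP now joined to:", joined)
```

The order is fixed, so a "global primary" is only ever used when every per-AP entry is unreachable; that is what makes the backup controller's AP priority setting important when many APs fail over at once.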


HA-SKU as Secondary WLC - Configuration
Stateful Switchover (SSO)
• True Box to Box High Availability i.e. 1:1
• One WLC in Active state and second WLC in Hot Standby state
• Secondary continuously monitors the health of Active WLC via dedicated link
• Configuration on Active is synched to Standby WLC
• This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
• AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
• Active Client State in 7.5: client will not disconnect – Client SSO
• Downtime during failover reduced to 5 - 1000 msec depending on Failover
• In the case of power failure on the Active WLC it may take 350-500 msec
• In case of network failover it can take up to a few seconds
• SSO is supported on 5500 / 7500 / 8500 / WiSM-2 and 5760
For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html


SSO Failover Sequence
(Sequence diagram: the redundancy link is established over the dedicated Redundancy Port; the two WLCs run peer negotiation and exchange role info, one becomes ACTIVE and the other STANDBY; APs join and clients associate to the Active, and AP and client state is synced to the peer while keep-alives run; on a redundancy failure/notify the Standby switches to ACTIVE. The AP session stays intact and does not re-establish CAPWAP; with Client SSO the client session stays intact and does not re-associate. Effective downtime for the client is detection time + switchover time.)
Resiliency on WLC 5520 and 8540
N+1 and SSO High Availability
Enhanced system uptime with fast system restart
Hot-swappable SSD based storage – 8540 only
Redundant, hot-swappable power supply
Redundant 1 Gigabit or 10 Gigabit Ethernet Connectivity
Pairing 5520/8540 for SSO
(Diagram: the redundancy ports of the two controllers connected either back to back or across an L2 network)
Back to Back as well as L2 RP Connectivity
Connecting 5520/8540 SSO Pair to wired Network
Recommended Network Design
(Diagram: for a 5520 pair and for an 8540 pair, the Active WLC and the Standby WLC each connect to a Catalyst VSS Pair over trunk port-channels Po1 and Po2, with the same configuration on both Po1 and Po2; the redundancy port connectivity between the two WLCs is L2)
Spread the links in each PC among the two physical switches to prevent a WLC switchover upon a failure of one of the VSS switches
Web-GUI Configuration
Supported HA Topologies – 7.6 and above
55XX, 7500 and 85XX:
1. Two 55XX, 7500 or 85XX connected via back-to-back RP port in the same data centre
2. Two 55XX, 7500 or 85XX connected via RP port over L2 VLAN/fibre in the same or different data centre
3. Two 55XX, 7500 or 85XX connected to a VSS pair.
WiSM-2:
1. Two WiSM-2 on the same chassis
2. Two WiSM-2 on different chassis with redundancy VLAN extended over L2 network
3. Two WiSM-2 on different chassis in VSS mode
WLC 5520/5508/7500/8500 Back-to-back RP Connectivity
Configuration on Primary WLC:
• config interface address management 9.5.56.2 255.255.255.0 9.5.56.1
• config interface address redundancy-management 9.5.56.10 peer-redundancy-management 9.5.56.11
• config redundancy unit primary
• config redundancy mode sso
Configuration on Hot Standby WLC:
• config interface address management 9.5.56.3 255.255.255.0 9.5.56.1
• config interface address redundancy-management 9.5.56.11 peer-redundancy-management 9.5.56.10
• config redundancy unit secondary
• config redundancy mode sso
Management GW is monitored with 12 pings (~15 sec)
WLC 5520/5508/7500/8500 RP Connectivity via Switches
Configuration on Primary WLC:
• config interface address management 9.5.56.2 255.255.255.0 9.5.56.1
• config interface address redundancy-management 9.5.56.10 peer-redundancy-management 9.5.56.11
• config redundancy unit primary
• config redundancy mode sso
Configuration on Hot Standby WLC:
• config interface address management 9.5.56.3 255.255.255.0 9.5.56.1
• config interface address redundancy-management 9.5.56.11 peer-redundancy-management 9.5.56.10
• config redundancy unit secondary
• config redundancy mode sso
RTT Latency: 80 ms or less default; Bandwidth: 60 Mbps or more; MTU: 1500
WiSM-2 connectivity over L2 Redundancy VLAN
Configuration on Cat6k:
wism service-vlan 192 (service port VLAN)
wism redundancy-vlan 169 (redundancy port VLAN)
wism module 6 controller 1 allowed-vlan 24-38 (data VLAN)
SSO Behavior and Recommendations
• RTT latency on Redundancy Link: 80 milliseconds or less (80% of keepalive timer).
• Preferred MTU on Redundancy Link: 1500 or above.
• Bandwidth on Redundancy Link: 60 Mbps or more.
• 5500 / 7500 / 8500: RP Connectivity between Active and Standby
• Via Switches (7.6 or 8.0)
• Back-to-back (7.3, 7.4, 7.6)
• WiSM-2: single 6500 chassis OR different chassis using VSS setup/extending redundancy VLAN.
• Recommended to have Redundancy Link and RMI Connectivity between WLCs on different switches or on different L2 networks
• Keepalive/Peer Discovery timers should be left with default timer values for better performance
• Default box failover detection time is 3 * 100 = 300 + 60 = 360 + jitter (12 msec) = ~400 msec
Fast Restart Highlights (8.1)
• Process Restart to reduce network and service downtime
• Better Serviceability
• Supported on Cisco WLC 7510, 8510, 5520, 8540 and vWLC
• CLI Command “restart”
Use Cases:
• LAG Configuration change
• Mobility Mode change
• Web-auth certificate installation
• Clear Configuration
• Post Configuration Wizard
• Transfer Download of configuration
AP-Groups - Default AP-Group
• The first 16 WLANs created (WLAN IDs 1–16) on the WLC are included in the default AP-Group
• Default AP-Group cannot be modified
• APs with no assignment to a specific AP-Group will use the Default AP-Group
• The 17th and higher WLANs (WLAN IDs 17 and up) can be assigned to any AP-Group
• Any given WLAN can be mapped to different dynamic interfaces in different AP-Groups
• WLC 2504 (AP groups: 50), WLC 5508 & WiSM-2 (AP groups: 500), WLC 7500 & 8500 (AP groups: 500)
AP-Grouping in Campus
(Diagram: a campus with access, distribution and core layers, a single WAN, Data Centre and Internet; WLC-1 and WLC-2 in the Data Centre with CAPWAP tunnels to the APs; with the single SSID = Employee and no AP groups, every AP places clients on VLAN 100 /21)
AP-Grouping in Campus
(Diagram: the same campus split into AP-Group-1, AP-Group-2 and AP-Group-3; the SSID Employee is mapped to VLAN 60 /23, VLAN 70 /23 and VLAN 80 /23 respectively, with VLAN 100 /21 still present)
Default AP-Group
(Screenshot: the Default AP Group on the controller; only WLANs 1–16 will be added to the Default AP Group)
Multiple AP-Groups
(Screenshot: AP Group 1, AP Group 2 and AP Group 3 configured)
HD Config Tip: RF Profiles for Fine-Tuning
• RF Profiles work in conjunction with AP Groups (beginning in release 7.2)
• You can create separate RF profiles for both 2.4 and 5 GHz
• 1 profile for each band (802.11a/802.11b) can be assigned to an AP group
• Today:
• 802.11 data rates
• TPC Power Threshold and Min/Max Power settings
• DCA
• Coverage hole algorithm settings
• High Density – HDX configurations: RX_SOP, Client Limit, Mcast data rate
• Client Distribution
More granular control of the RF network
RF Profiles: Granular Control
(Screenshot of an RF profile: TPC, DCA, Coverage Hole; Data Rates; Load Balancing; High Density)
Network Profiles GUI (8.1)
Sets pre-defined RF parameters depending on “Client” Density and Traffic Type
• Client Density: High, Typical, Low
• Traffic Type: Data, Data and Voice
Pre-built RF profiles (8.1)
Client Density specific pre-built RF profiles for 2.4 GHz and 5 GHz bands – to be used with AP Groups
(Screenshot: pre-built RF profiles for use with AP Groups)
RF-Profile in Campus
(Diagram: the campus of the AP-group example with RF-Profile-1, RF-Profile-2 and RF-Profile-3 applied to the three AP groups; VLAN 60 /23 and VLAN 61 /23, VLAN 70 /23 and VLAN 71 /23, VLAN 80 /23 and VLAN 81 /23 at the access layer; LWAPP/CAPWAP tunnels across the core to WLC-1 and WLC-2 in the Data Centre; SSID = Employee)
Cisco High Density Experience (HDX) for 802.11ac Wi-Fi
Turbo Performance: Improves the efficiency of airtime utilization and channel capacity
Optimized Roaming: Intelligently determines the optimum time to roam
Cisco CleanAir® 80 MHz: Mitigates interference and improves channel capacity
Cisco ClientLink 3.0: Improves legacy and 802.11ac client performance
Noise Reduction: Enables dense Access Point coexistence / implementation
Dynamic BW Selection: Optimizes MU-MIMO on a per packet basis for 80 MHz channels
Optimized AP Roaming
Makes sure users on the move associate to the AP with the strongest signal for best performance
Cisco CleanAir 80 MHz Technology
Automatically Detect Wi-Fi interference
Automatically Identify Wi-Fi interference
Automatically Classify Wi-Fi interference
Automatically Mitigate Wi-Fi Interference
CleanAir 80 MHz: Detect, Identify, and Classify Interference
(Diagram: interferers such as Wireless Phone, Rogue AP, Microwave, Bluetooth Headset and Security Cameras, each shown with a severity score (67, 63, 100, 90, 63))
• Automatically Detect, Identify, and Classify interferers
• Constantly Monitor Air Quality
High-resolution interference detection and unique classification logic built-in to Cisco’s Wi-Fi chip design.
Cisco ClientLink 3.0 Technology:
Advanced Beamforming Technology Improves Wireless Client Performance
• Significantly improves a wireless device’s overall connection quality and performance
• Intelligently shapes and directs each packet to a wireless device based on its current location
• Enhances downstream performance for improved user experience
Cisco Dynamic Bandwidth Selection (DBS) 8.1
• Automatic optimisation for 20-40-80 MHz channel widths
• DBS applies an additional layer of channel and width recommendations on top of those applied in core DCA
• Useful for mixed 11n/11ac AP networks and Wave-2 (160 MHz)
[Diagram: DBS inputs are RF neighbour channels, Wi-Fi interference, channel overlap ratio, non-Wi-Fi noise, client protocol and traffic (11n/11ac) and channel utilisation; DBS: Auto Configure Globally in 8.1 MR1]
What is the Cisco Air Time Fairness Feature?
Air Time Monitoring
• Monitoring per AP, per WLAN, per AP Group
• Statistics reports for airtime usage
• Visibility of network airtime helps to determine how to set Air Time policy enforcement
Air Time Policy Enforcement
• Dynamic airtime allocation
• Per WLAN, per AP, per AP Group policy enforcement
• Optimisation / strict enforcement
[Diagram: three SSIDs (WLAN 1, WLAN 2, WLAN 3) allocated 10%, 60% and 30% of the airtime]
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Local Profiling and Policy Classification
• Application Visibility Control
• IPv6 Deployment with Controllers
• Branch Office Designs
Local Profiling and Policy Classification
ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
For customers not deploying ISE but requiring a subset of ISE features:
Native profiling of end devices based on MAC OUI, HTTP and DHCP
Device-based policy enforcement, per user or per device
[Diagram: Policy Classification takes device type (from MAC OUI), username (e.g. Student, Teacher, Admin, John), user role and identity as inputs and applies VLAN, ACL, QoS, session timeout and time-of-day policy]
Configuring Client Profiles
• Client profiling uses pre-existing profiles in the controller
• Custom profiles are not supported in this release
• Wireless clients are profiled based on the MAC OUI, DHCP and HTTP user agent
• DHCP is required for DHCP profiling, and web auth for HTTP user agent profiling
• 8.0 release contains 156 pre-existing profiles:
(Cisco Controller) > show profiling policy summary
Number of Builtin Classification Profiles: 156
ID Name Parent Min CM Valid
==== ================================================ ====== ====== =====
0 Android None 30 Yes
1 Apple-Device None 10 Yes
2 Apple-MacBook 1 20 Yes
3 Apple-iPad 1 20 Yes
4 Apple-iPhone 1 20 Yes
…/…
Local Client Profiling Configuration
• At the WLAN level, enable Local Client Profiling (DHCP and HTTP)
• DHCP required is checked automatically when selecting DHCP profiling

config wlan profiling {local | radius} {dhcp | http | all} <wlan ID>
(Cisco Controller) >config wlan profiling local all enable 1
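To make the matching behind the "Parent" and "Min CM" columns concrete, here is an added Python model of native profiling (not Cisco's code): a client's MAC OUI, DHCP fingerprint and HTTP User-Agent are scored against a parent/child profile tree, and the deepest profile whose score reaches its Min CM wins. The profile IDs, names, parents and Min CM values come from the output above; the matching rules, the 00:11:22 OUI and the sample attribute strings are constructed.

```python
"""Model of WLC native client profiling (added example, not Cisco code).

Profiles form a parent/child tree (Apple-Device -> Apple-iPad). A profile
matches when its parent matches and its own rules score at least its
minimum certainty metric (the "Min CM" column); the deepest match wins.
Which inputs exist depends on the client: the DHCP fingerprint only when
the client uses DHCP, the HTTP User-Agent only when web auth is in use.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, int]   # (attribute, substring to match, certainty points)


@dataclass
class Profile:
    pid: int
    name: str
    parent: Optional[int]
    min_cm: int
    rules: List[Rule] = field(default_factory=list)


# IDs, names, parents and Min CM values are taken from the
# 'show profiling policy summary' output above; the rules (including the
# 00:11:22 OUI) are constructed for illustration, not Cisco's built-ins.
PROFILES: Dict[int, Profile] = {
    0: Profile(0, "Android", None, 30,
               [("dhcp", "dhcpcd", 30), ("ua", "Android", 30)]),
    1: Profile(1, "Apple-Device", None, 10,
               [("oui", "00:11:22", 10), ("ua", "Mac OS X", 10)]),
    2: Profile(2, "Apple-MacBook", 1, 20, [("ua", "Macintosh", 20)]),
    3: Profile(3, "Apple-iPad", 1, 20, [("ua", "iPad", 20)]),
    4: Profile(4, "Apple-iPhone", 1, 20, [("ua", "iPhone", 20)]),
}


def certainty(profile: Profile, attrs: Dict[str, str]) -> int:
    """Sum the points of every rule whose substring appears in the attribute."""
    score = 0
    for attr, needle, points in profile.rules:
        if needle.lower() in attrs.get(attr, "").lower():
            score += points
    return score


def matches(pid: int, attrs: Dict[str, str]) -> bool:
    """A child profile never matches unless its parent does."""
    p = PROFILES[pid]
    if p.parent is not None and not matches(p.parent, attrs):
        return False
    return certainty(p, attrs) >= p.min_cm


def depth(pid: int) -> int:
    """Distance from the root of the profile tree (0 for a top-level profile)."""
    d = 0
    while PROFILES[pid].parent is not None:
        pid = PROFILES[pid].parent
        d += 1
    return d


def classify(attrs: Dict[str, str]) -> str:
    """Return the most specific matching profile name, or 'Unclassified'."""
    best: Optional[int] = None
    for pid in PROFILES:
        if matches(pid, attrs) and (best is None or depth(pid) > depth(best)):
            best = pid
    return PROFILES[best].name if best is not None else "Unclassified"


if __name__ == "__main__":
    # Constructed sample observations from two clients
    print(classify({"oui": "00:11:22",
                    "ua": "Mozilla/5.0 (iPad; CPU OS 8_1 like Mac OS X)"}))
    print(classify({"dhcp": "dhcpcd-5.5.6"}))
```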
Client Profiles in 7.6 and Above
• When profiling is enabled, a client Device Type can be shown on the WLAN.
Update Devices that are Profiled
• In 8.0, WLC supports profiling 156 types of devices
• New Devices are constantly developed
• This feature allows Device Profiles and OUI Updates to update the list of supported
devices on the WLC
OUI Update
• OUI list supported by IEEE
• List is located at http://standards.ieee.org/develop/regauth/oui/oui.txt
• Must be saved as a .txt file
• Update does not require WLC reboot
Update Devices Profile
• The Device profile is an XML file with all supported devices
• Matches the device list supported by ISE
• Updated periodically as new devices are introduced
• Update does not require WLC reboot
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Local Profiling and Policy Classification
• Application Visibility Control
• IPv6 Deployment with Controllers
• Branch Office Designs
What is the Need for Application Visibility and Control?
• Is someone running BitTorrent and bringing down my business applications?
• Who are the top 10 users?
• What are the top 10 applications?
• Should I add more APs to enhance the capacity?
• How much traffic is BYOD generating on my network?
[Diagram: Devices, Apps]
Application Visibility and Control on WLC
• Identify applications using NBAR2
• Control application behaviour
[Diagram: client traffic classified into Voice, Video, Best-Effort and Background; control actions include Don’t Allow and Rate Limiting]
AVC Feature Background and Equipment Requirement
• AVC works on traffic from Cisco APs in “Local Mode”, FlexConnect and OEAP traffic
• AVC is based on port, destination and heuristics, which allows reliable packet classification with deep visibility
• AVC looks into the initial setup of the client flow (first 10-20 packets), so loading on the controller system is minimal
• Available for all current generation Cisco controllers supporting v7.4 and above
• Cisco 2504, 5508, 5520, WiSM2, Flex 7500, 8500 and 8540
• Software release 8.1 adds AVC support to FlexConnect
How Does AVC Classify Applications: Cisco Jabber
Three classification flows for Cisco Jabber: Cisco Jabber Audio, Cisco Jabber Video, Cisco Jabber Control
Different policies for different components of a Jabber session
How Does AVC Classify Applications: MS Lync
Three classification flows for Microsoft Lync: MS-Lync Media (Audio and Video Flows), MS-Lync-Video (Desktop Sharing, Chat), MS-Lync File Transfer
Different policies for different components of a Lync session
Enabling Application Visibility and Control
• AVC is enabled per WLAN to allow Deep Packet Inspection
• Change the QoS level to reflect the highest application level for that SSID
• Enable Application Visibility
• Ensure WMM is set to “Allowed” or “Required”
Basic Application Visibility Added on the Controller Home Screen
• Top Applications shown sorted by bytes
• Use “Monitor” -> “Applications” to view more statistics
Viewing Real-Time Statistics
• Use for assessing current usage or troubleshooting
• Real time stats (last 90 seconds): application usage displayed by % of total bytes for the last 90 seconds
• Average packet size to see small vs. large packet flows
Configuring AVC Profiles
• Choosing an Application Group and Application
• Application Control: Mark (High / Medium / Low), Drop, Rate Limit
1. AVC Profile – Mark Citrix
2. AVC Profile – Drop BitTorrent
3. AVC Profile – Rate Limit Facebook
• Control: control application usage and performance
• Available in AireOS Version 8.0
Policy tie-in with AVC: User-aware and Device-aware
• WLC v7.4 and later: application-based policies per WLAN
• WLC v8.0: user-role aware, device-aware
Alice cannot access Netflix but Bob can, even though both are employees connecting to the same SSID
Alice can access EHS records on an (IT provisioned) Windows laptop but cannot on a personal (unsecure) iPad
AVC Profile Per User Device
RADIUS attributes from AAA to the WLC:
• Cisco-av-pair=avc-profile-name=<avc profile on wlc>
• Cisco-av-pair=role=<role name>
[Diagram: WLC, AAA server, switch and AP; SSID: Classroom, Security: WPA2/802.1x; Teacher Network and Student Network with per-role treatment of YouTube, Facebook, Skype and BitTorrent]
Applying AVC Profiles (For Your Reference)
• Create an AVC Profile for applications at Wireless > AVC
1. Apply AVC Profile to WLAN
2. Apply AVC Profile per client using Local Profiling on the WLC
3. Apply AVC Profile per client using AAA Override (RADIUS server)
• A maximum of 32 rules can be created per AVC Profile
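As an added example (not Cisco code) of what the AAA override in the two slides above carries on the wire, this Python encodes and parses the RADIUS Vendor-Specific attribute (type 26, vendor ID 9) holding Cisco-AVPair (vendor type 1) strings of the form avc-profile-name=… and role=…; the profile and role names are constructed.

```python
"""RADIUS Vendor-Specific attribute carrying Cisco-AVPair values for AAA
override (added example, not Cisco code). The WLC reads
avc-profile-name=<profile> and role=<role> from the Access-Accept."""
import struct
from typing import Dict, Optional, Tuple

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco vendor type 1: Cisco-AVPair (string)


def encode_cisco_avpair(value: str) -> bytes:
    """One Vendor-Specific attribute holding a single Cisco-AVPair string."""
    raw = value.encode("ascii")
    if len(raw) > 247:   # 255 max attr len - 2 attr hdr - 4 vendor id - 2 VSA hdr
        raise ValueError("Cisco-AVPair value too long for one attribute")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(raw)) + raw
    body = struct.pack("!I", VENDOR_CISCO) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attrs: bytes) -> Dict[str, str]:
    """Walk the attribute list of an Access-Accept and collect Cisco-AVPair
    key=value strings; other vendors and attribute types are skipped and
    malformed lengths are rejected instead of being read past the buffer."""
    pairs: Dict[str, str] = {}
    off = 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        payload = attrs[off + 2:off + alen]
        off += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != VENDOR_CISCO:
            continue
        voff = 4
        while voff + 2 <= len(payload):
            vtype, vlen = payload[voff], payload[voff + 1]
            if vlen < 2 or voff + vlen > len(payload):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == CISCO_AVPAIR:
                key, _, val = payload[voff + 2:voff + vlen].decode("ascii").partition("=")
                pairs[key] = val
            voff += vlen
    return pairs


def aaa_override(pairs: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """(AVC profile, role) the WLC applies to the session; None if not returned."""
    return pairs.get("avc-profile-name"), pairs.get("role")


if __name__ == "__main__":
    # Constructed Access-Accept attribute list for a user in the Teacher role
    accept = (encode_cisco_avpair("avc-profile-name=Teacher-AVC")
              + encode_cisco_avpair("role=Teacher"))
    print(aaa_override(decode_cisco_avpairs(accept)))
```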
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• RF Optimisation - AP Groups / RF Groups / HDX
• Local Profiling and Policy Classification
• Application Visibility Control
• IPv6 Deployment with Controllers
• Branch Office Designs
8.0 IPv6 Overview
[Diagram: IPv6 and IPv4 clients associate over 802.11 to an AP that tunnels to the WLC over CAPWAPv6 and bridges onto the VLAN; client and AP addresses shown are 2001:db8:a:0:2329:9834:3231:1111, 2001:db8:a:0:1827:91bf:c41b:9683, 2001:db8:a:0:8a56:caff:1547:9150, 10.10.10.52 and 10.10.10.51; WLC Mgmt: 2001:db8:a::2/64 and 10.10.10.2; IPv4/v6 router: 2001:db8:a::1/64 and 10.10.10.1; RADIUS server IP: 2001:db8:a:7/64; SNMP, Syslog and NTP server IP: 2001:db8:a:5/64; tftp/ftp/scp server IP: 2001:db8:a:6/64]
WLC IPv6 Address Overview
o ONE IPv6 address (+ LLA address) management solution
o Only IPv4 address support on Dynamic interfaces
o Only IPv4 Dynamic AP manager support
o Only IPv4 Redundancy-management/Redundancy port (HA interfaces are IPv4 only)
o Service-port can get an IPv6 address statically or using SLAAC (the only SLAAC interface on the WLC)
o LAG needed for IPv6 AP load balancing
o DHCPv6 Proxy not supported (ONLY IPv6 DHCP bridging support, like 7.6 legacy)
Management Access (telnet, SSH, HTTP, HTTPS)
• WLC can be accessed from wired/wireless via its IPv6 Management Interface (Mgmt: 2001:db8:a::2/64, 10.10.10.2) using:
• telnet
• SSH
• HTTP
• HTTPS
CAPWAPv6
• AP can get IPv6 addresses from stateful DHCPv6, SLAAC or static assignment
• If statically assigned, the gateway can be the unique global or link-local address of the router
• Either CAPWAPv4 or CAPWAPv6 can be used, but not both
• APs in bridge mode do not support CAPWAPv6
AP Discovery Mechanisms
• DHCPv6 Option 52
• OPTION_CAPWAP_AC_V6 (52), RFC 5417
• As part of the DHCPv6 Reply, the server provides the WLC’s IPv6 management address
• AP will begin unicast CAPWAP discovery
• Multicast discovery
• Broadcast does not exist in IPv6
• Send CAPWAP discovery messages to the "All ACs multicast address" (FF01::18C)
• Using DNS
• Configure the DNS server to resolve cisco-capwap-controller.domain-name
• domain-name should be returned by the DHCPv6 server
• AP Priming
• Preconfiguring the AP with a primary, secondary, and tertiary IPv6-managed WLC
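As an added example (not Cisco code) of the DHCPv6 path listed above, the following Python encodes and parses OPTION_CAPWAP_AC_V6 (52, RFC 5417) together with the DHCPv6 domain list option (24, RFC 3646) that supplies the domain for the cisco-capwap-controller lookup; the controller addresses and domain name are constructed from the 2001:db8 documentation prefix used on the slides.

```python
"""DHCPv6-based CAPWAPv6 controller discovery: OPTION_CAPWAP_AC_V6 (code 52,
RFC 5417) and OPTION_DOMAIN_LIST (code 24, RFC 3646), which together give an
AP its WLC address list and the domain used for the cisco-capwap-controller
DNS lookup. Added example, not Cisco code; addresses use the 2001:db8::/32
documentation prefix as on the slides."""
import ipaddress
import struct
from typing import Dict, List

OPTION_DOMAIN_LIST = 24        # RFC 3646
OPTION_CAPWAP_AC_V6 = 52       # RFC 5417
CAPWAP_DNS_LABEL = "cisco-capwap-controller"
CAPWAP_ALL_ACS_MULTICAST = "ff01::18c"   # target of multicast discovery


def encode_option52(acs: List[str]) -> bytes:
    """TLV a DHCPv6 server puts in its Reply: 16 bytes per controller address."""
    if not acs:
        raise ValueError("option 52 needs at least one AC address")
    data = b"".join(ipaddress.IPv6Address(a).packed for a in acs)
    return struct.pack("!HH", OPTION_CAPWAP_AC_V6, len(data)) + data


def encode_domain_list(domains: List[str]) -> bytes:
    """OPTION_DOMAIN_LIST: each name as DNS wire-format labels, zero-terminated."""
    data = b""
    for name in domains:
        for label in name.strip(".").split("."):
            raw = label.encode("ascii")
            data += bytes([len(raw)]) + raw
        data += b"\x00"
    return struct.pack("!HH", OPTION_DOMAIN_LIST, len(data)) + data


def _decode_domains(data: bytes) -> List[str]:
    names: List[str] = []
    labels: List[str] = []
    off = 0
    while off < len(data):
        n = data[off]
        off += 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        else:
            labels.append(data[off:off + n].decode("ascii"))
            off += n
    return names


def decode_reply_options(blob: bytes) -> Dict[str, List[str]]:
    """Walk the option area of a DHCPv6 Reply. Length errors are rejected
    rather than yielding a partial controller address."""
    out: Dict[str, List[str]] = {"ac_v6": [], "domains": []}
    off = 0
    while off + 4 <= len(blob):
        code, length = struct.unpack_from("!HH", blob, off)
        off += 4
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option")
        off += length
        if code == OPTION_CAPWAP_AC_V6:
            if length == 0 or length % 16:
                raise ValueError("option 52 length must be a non-zero multiple of 16")
            out["ac_v6"] += [str(ipaddress.IPv6Address(data[i:i + 16]))
                             for i in range(0, length, 16)]
        elif code == OPTION_DOMAIN_LIST:
            out["domains"] += _decode_domains(data)
    return out


def capwap_dns_name(opts: Dict[str, List[str]]) -> str:
    """Name the AP resolves for DNS discovery: label + domain learned from DHCPv6."""
    if not opts["domains"]:
        raise ValueError("no domain learned from DHCPv6")
    return f"{CAPWAP_DNS_LABEL}.{opts['domains'][0]}"


if __name__ == "__main__":
    # Constructed Reply options: two controllers (WLC mgmt ::2 from the slide) and a domain
    reply = encode_option52(["2001:db8:a::2", "2001:db8:a::3"]) \
        + encode_domain_list(["example.com"])
    opts = decode_reply_options(reply)
    print(opts, capwap_dns_name(opts), CAPWAP_ALL_ACS_MULTICAST)
```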
AP Failover
• Management IP address must be reachable
• One entry per WLC
• The AP will join either the IPv4 or the IPv6 address of the WLC (regardless of the management IP listed)
• All other AP Failover behaviour is the same as in previous versions
[Diagram: WLC1, WLC2, WLC3; AP on WLC1 has Primary: WLC1, Secondary: WLC2, Tertiary: WLC3; AP on WLC2 has Primary: WLC2, Secondary: WLC3, Tertiary: WLC1; AP on WLC3 has Primary: WLC3, Secondary: WLC2, Tertiary: WLC1]
IPv6 Guest Access
• Virtual IP address is IPv4 only
• Uses IPv4-Mapped address for IPv6 web-authentication clients
• Virtual IP should be the same for all WLCs in the same mobility group
• For example the IPv6 address will display as [::ffff:192.0.2.1]
Control and Management Protocols IPv6 Support
• Upload/Download using IPv6 with ftp/tftp/sftp
• RADIUSv6 Support
• TACACS+v6 Support
• NTPv3
• Syslog over IPv6
• SNMP Trap Receiver
• PINGv6
• IPv6 Guest Access
Wireless IPv6 Client First Hop Security on WLAN
• RA Guard: RA from client blocked at AP (Local and FlexConnect)
• Source Guard: undesired IPv6 addresses/prefix blocked
• DHCP Server Guard: DHCP Server Advertisement (DHCP SA) from client blocked at the Wireless Controller
• Using IPv6 ACL
[Diagram: client 802.11/IPv6 frames carried over the CAPWAP tunnel (IPv4 or IPv6) from the AP to the WLC and bridged onto the VLAN]
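The three client-side checks above, as an added Python example (not Cisco code) that classifies constructed upstream frames from a wireless client: router advertisements are dropped at the AP, DHCPv6 server messages at the WLC, and sources outside the client's learned bindings by Source Guard. The WLC enforcement point for Source Guard is an assumption, since the slide does not give one.

```python
"""Upstream (client -> network) IPv6 first-hop checks as on the slide: RA Guard
at the AP, DHCPv6 Server Guard at the WLC, Source Guard from the binding
table. Added example, not Cisco code; all packets below are constructed.
The WLC enforcement point for Source Guard is an assumption (the slide
does not state it)."""
import ipaddress
import struct
from typing import Iterable, Tuple

NH_ICMPV6, NH_UDP = 58, 17
ICMPV6_ROUTER_ADVERTISEMENT = 134
DHCPV6_SERVER_PORT = 547
DHCPV6_SERVER_MSG = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE"}


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (no extension headers) plus payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return hdr + ipaddress.IPv6Address(src).packed \
        + ipaddress.IPv6Address(dst).packed + payload


def parse_ipv6(pkt: bytes) -> dict:
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh = struct.unpack("!HB", pkt[4:7])
    if len(pkt) < 40 + plen:
        raise ValueError("truncated IPv6 payload")
    return {"src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40]),
            "nh": nh, "payload": pkt[40:40 + plen]}


def check_upstream(pkt: bytes, bindings: Iterable[str]) -> Tuple[str, str, str]:
    """Verdict for a frame a wireless client sent: (action, where, reason).
    bindings are the addresses the WLC has learned for this client. Downstream
    RAs from the real router are unaffected; only client-originated RAs are hit."""
    p = parse_ipv6(pkt)
    if p["nh"] == NH_ICMPV6 and p["payload"][:1] == bytes([ICMPV6_ROUTER_ADVERTISEMENT]):
        return ("drop", "AP", "RA Guard: router advertisement sent by a client")
    if p["nh"] == NH_UDP and len(p["payload"]) >= 9:
        sport = struct.unpack("!H", p["payload"][:2])[0]
        msg = p["payload"][8]          # DHCPv6 msg-type follows the 8-byte UDP header
        if sport == DHCPV6_SERVER_PORT and msg in DHCPV6_SERVER_MSG:
            return ("drop", "WLC",
                    f"DHCP Server Guard: DHCPv6 {DHCPV6_SERVER_MSG[msg]} sent by a client")
    if p["src"] not in {ipaddress.IPv6Address(a) for a in bindings}:
        return ("drop", "WLC", f"Source Guard: {p['src']} is not bound to this client")
    return ("forward", "-", "")


# Constructed client (global address taken from the slide's diagram) and its bindings
CLIENT_GLOBAL = "2001:db8:a:0:2329:9834:3231:1111"
CLIENT_LINK_LOCAL = "fe80::2329:9834:3231:1111"
CLIENT_BINDINGS = [CLIENT_GLOBAL, CLIENT_LINK_LOCAL]
ROUTER = "2001:db8:a::1"

# Constructed frames: a rogue RA, a rogue DHCPv6 Advertise, a spoofed source, a normal query
RA_FROM_CLIENT = build_ipv6(CLIENT_LINK_LOCAL, "ff02::1", NH_ICMPV6,
                            bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 0, 64, 0, 7, 8]) + bytes(8))
ROGUE_DHCPV6_ADVERTISE = build_ipv6(CLIENT_LINK_LOCAL, "fe80::1", NH_UDP,
                                    struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 1]))
SPOOFED_SOURCE = build_ipv6("2001:db8:a::99", ROUTER, NH_UDP,
                            struct.pack("!HHHH", 40000, 53, 8, 0))
NORMAL_DNS_QUERY = build_ipv6(CLIENT_GLOBAL, ROUTER, NH_UDP,
                              struct.pack("!HHHH", 40000, 53, 8, 0))

if __name__ == "__main__":
    for frame in (RA_FROM_CLIENT, ROGUE_DHCPV6_ADVERTISE, SPOOFED_SOURCE, NORMAL_DNS_QUERY):
        print(check_upstream(frame, CLIENT_BINDINGS))
```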
Deploying the Cisco Unified Wireless Architecture
• High Availability (AP and Client SSO)
• Understanding AP Groups / RF Groups
• Local Profiling and Policy Classification
• Application Visibility Control
• IPv6 Deployment with Controllers
• Branch Office Designs
Branch Office with Local WLAN Controller – Overview
• Branches can also have local controllers
• Small or mid-size branch WLCs: CT-2504, Cat-3850
• Integrated controller modules (WLCM) in ISR/ISR-G2
• Converged Access Cat-3850
• High-availability design with a central backup controller is supported; WAN limitations may apply
[Diagram: Central Site with a backup central controller; Remote Sites A, B and C, each with a local controller (WLC-25xx, WLCM for ISR/ISR-G2, Cat-3850), connected over the WAN with CAPWAP]
Branch Office with Local WLAN Controller – Advantages
• Cookie cutter configuration for every branch site
• Layer-3 roaming within the branch
• IPv6 L3 Mobility
• Note: If you have an ISR/ISR G2 at the branch site, then it is recommended to use the IOS Firewall at the edge for unified access policies.
Branch Office Deployment: FlexConnect (HREAP)
• Hybrid architecture
• Single management and control point
• Data traffic switching: centralised traffic (split MAC) or local traffic (local MAC)
• HA will preserve local traffic only
• Traffic switching is configured per AP and per WLAN (SSID)
[Diagram: Central Site WLC receiving centralised traffic from the Remote Office over the WAN; local traffic switched at the Remote Office]
FlexConnect Glossary
Connected Mode: when the FlexConnect AP can reach the controller, it gets help from the controller to complete client authentication.
Standalone Mode: when the FlexConnect AP cannot reach the controller, it goes into standalone state and does client authentication by itself.
Local Switching: data traffic switched onto local VLANs for an SSID
Central Switching: data traffic tunneled back to the WLC for an SSID
FlexConnect Improvements
7.0 (2011)
• Flex7500: Scale: 2K APs, 20,000 clients, 500 flex groups, 50 APs per group, Throughput 250 Mbps, No data DTLS
• New features – 1. FlexConnect ACL (AP) 2. FlexConnect AP efficient upgrade 3. Support for .1x central, AAA vlan override, auth parity, fast roaming for voice, Context aware support
7.2 (Feb 2012)
• Scale: 3K APs, 30,000 clients, 1000 flex groups, 50 APs per group, Throughput 1 Gbps, Data DTLS
7.2 MR1 (May 2012)
• OEAP
• New features (7.2 / 7.2 MR1) – 1. Single SSID device onboarding and profiling (ISE 1.1 MR in local and central switched) 2. External web-auth in local switched mode 3. Outdoor RAP
7.3 (Aug 2012)
• 8510 and Flex7500: Scale: 6K APs, 64,000 clients, 2000 Flex Groups, 100 APs/group
• Virtual Controllers
• New features – 1. 802.11r 2. HS2.0 3. Profiling with http 4. Split tunnel 5. AP SSO, HA SKU 6. ISE 1.2 support 7. WGB/UWGB
7.4 (Dec 2012)
• New Features: PEAP/EAP-TLS on AP in Flex standalone mode; Aggressive Load balancing; Increased scale of radius server per Flexgroup to 100; AAA override individual client bandwidth contract
7.5 (June 2013)
• New Features: EAP timers; Ethernet Fall-back; AAA ACL override; AAA QoS override and rate limit; WLAN to vlan mapping based on Flexgroups
7.6 (Dec 2013)
• New Features: Videostream; RAP to support Flex
8.0 (June 2014)
• New Features: 11w
8.1 (April 2015)
• New Features: Flex + AVC; AVC on Gen 2 FlexConnect APs; Real-time information for last 90 seconds
[Diagram: Gen2 (Katana) APs in the BRANCH export NetFlow records over the WAN to the WLC; stateful context transfer on roam between APs]
Flow ID   App Name    Packets
1         WebEx       1000
2         Msft-Lync   2300
3         Skype       660
NBAR2 (1000+ Applications) will be ported onto Access Points
Stateful context transfer will be supported for intra FlexConnect Group roams
AVC for FlexConnect APs
Support on AP
• NBAR2 engine on FlexConnect AP
• Protocol Pack 8.0, NBAR engine version 16
• Send flows to WLC in static NetFlow template every 90 sec
• On Gen 2 APs - 1600, 2600, 3600, 1700, 2700, 3700, 1532, 1570
• Control at AP – Mark, Drop, Rate-limit
Support on WLC
• Intra FlexConnect Group Roaming Support
• Supported on all controller models except 2504
• Supported on vWLC and Mobility Express
• FlexConnect and Flex+Bridge mode support
FlexConnect AVC Applications
• Protocol Pack 8.0
• Engine Version 16
• 1078 Applications
[Diagram: application categories – Enterprise Applications, Non-HTTP Applications, URL/HTTP(S) Based Applications]
AVC Configuration on Local Switching WLAN
WLAN AVC Configuration
• Visibility and AVC Profile
• Local Switching WLAN
FlexConnect Group Configuration
• 16 WLAN-AVC Mappings per FlexConnect Group
• Inheritance based AVC configuration: Group-Specific > WLAN-Specific
• Enable Application Visibility and Control
FlexConnect AVC Statistics per FlexConnect Group
• Use for assessing current usage or troubleshooting
• Cumulative statistics
• Application usage displayed by % of total bytes
FlexConnect AVC Statistics per Client
Flex AVC WAN Bandwidth Considerations
Deployment Type    WAN Bandwidth (Min)    WAN RTT Latency (Max)    Max APs per Branch    Max Clients per Branch
Data + Flex AVC    75 Kbps                300 msec                 5                     25
Test Conditions:
• 5 APs, 25 client setup
• 1 locally switched WLAN with WPA2 and PEAP
• Local authentication with RADIUS server on FCG
• Application Visibility turned on at FCG
• Applications: HTTP, FTP, RTP
Bringing It All Together – Best Practices (For Your Reference)
BEST PRACTICES (AirOS): Make it Easy, Make it Work, Make it Perform
INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• FlexConnect Groups and Smart AP Upgrade
SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advanced EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password policies
• Enable IDS
• BYOD Timers
WIRELESS / RF
• Disable Aironet IE
• Disable 802.11b data rates
• Restrict number of WLANs below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load
MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
User-First Pillars and Checkpoints
Pillars: Express Setup; Enhance Monitoring and RF Dashboard; Audit Usability and Manageability Experience; Drive Feature Adoption; Upgrade Workflow; Fine-tune 8.1 Best Practices; Derive Maximum Potential from Best WLAN Deployment; WLCCA; CAA
Best Practice Check Points – Measuring Compliance
1. WLAN Express Setup (7.6 MR2, 8.0, 8.1): Best Practices defaults, RF Parameter Optimisation, Network Profiles
 Optimum starting point at Day 0/1 network setup
 RF parameter setting ease of use
 Enhanced performance, security, resiliency with best practice recommendations turned on at boot up time
2. WLC Upgrade Audit Workflow (8.1): Audit Page on Upgrade, One-click Fix It, Manual Config Option
 Compliance metric and reporting natively on WLC
 Identify missing best practice configuration on upgrade
 Easy one-click fix It option to turn on Best Practice Knobs
 Restore Defaults to revert configuration to default
3. WLCCA – WLC Config Analyser: Windows executable, “show run-config” based analyser tool
 Downloadable client
 Configuration stays local
 Simplified operational use to quickly identify and fix problem areas
 RF Health metrics, IOS Support, Mobility Group support
4. CAA – Cisco Active Advisor: free, cloud based service; agentless – nothing to download
 Cisco Personalised device health score
 Compare your wireless network configuration to Cisco’s recommended best practices
 Automated Inventory Management and Network Scanning
WLAN Express Setup (7.6 MR2, 8.0, 8.1)
WLC WLAN Express Setup Best Practices Day 0/1
Best Practice Knobs (7.6 MR2, 8.0)
• AVC Visibility
• mDNS Snooping
• Local Profiling
• Band Select
• DHCP Proxy
• Secure Web access
• Virtual IP 192.0.2.1
• Multicast Forwarding Mode
• RRM-DCA Auto
• RRM-TPC Auto
• CleanAir Enabled
• EDRRM Enabled
• Channel Width 40 MHz
• Aironet IE Disabled
• 5 GHz Channel Bonding
• Management over Wireless
Best Practice Knobs (8.1)
• 2.4 GHz Low Data Rates Disabled
• Load Balancing
• New mDNS Profile for printer, http
• Rogue Threshold Enabled
• Client Exclusion Enabled
• FastSSID Enabled
• Infra MFP
• SNMPv3 (delete default)
• Mobility Name
• RF Group same as Mobility Name
• DHCP Required on Guest WLAN
Save Time & Money
 Optimum starting point at Day 0/1 network setup
 RF parameter setting ease of use
 Enhanced performance, security, resiliency with best practice recommendations turned on at boot up time
http://youtu.be/aNVM3rW-Zkc
https://www.youtube.com/watch?v=nGFH38peF-w
WLC Upgrade Audit Workflow (8.1) – Audit Upgrades
 Compliance metric and reporting natively on WLC
 Identify missing best practice configuration on upgrade
 Easy one-click fix It option to turn on Best Practice Knobs
 Restore Defaults to revert configuration to default
WLC Config Analyser – Per Controller Compliance
• Best Practices categorised into: General, AP, Mobility, RF, Security, Voice, Mesh, Flex
• Per-controller compliance level for each category: 0-40% Red, 41-80% Yellow, 81-100% Green
• Total/Passed/Failed checks
Config Analyser Best Practice Compliance with Express WLAN Setup
• Compares 7.6 MR2 without Express WLAN Setup against 8.1 with Express WLAN Setup
Analyse & Mitigate
 Downloadable client
 Configuration stays local
 Simplified operational use to quickly identify and fix problem areas
 RF Health metrics, IOS Support, Mobility Group support
https://supportforums.cisco.com/document/7711/wlc-config-analyzer
Cisco Active Advisor (CAA) Personalised Health Score – Improve
 Personalised device health score
 Free, cloud-based service
 Automatically takes an inventory of your Cisco network
www.CiscoActiveAdvisor.com
Summary – Key Takeaways
• Take advantage of the standards (CAPWAP, DTLS, 802.11i, e, k, r, …)
• Wide range of architecture / design choices
• Brand new controller portfolio (WiSM-2, WLC 7500, WLC 8500, WLC 2504, Virtual WLC) with investment protection
• Take advantage of innovations from Cisco (11ac, CleanAir, BandSelect, ClientLink, Security, CCX, FlexConnect, etc.)
• Cisco’s investment into technology – Cisco Prime, ISE, new hardware, cloud controller
Documentation
Master Document Link: http://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-technical-reference-list.html
Best Practice Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
AP700-W Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/702WAccessPointDG/CiscoAironetSeries_702w_AP_DG.html
Enterprise Best Practices for Apple Mobile Devices on Cisco Wireless LANs: http://www.cisco.com/en/US/docs/wireless/technology/vowlan/bestpractices/EntBP-AppMobDevs-on-Wlans.html
AP3700 Deployment Guide: http://www.cisco.com/en/US/partner/docs/wireless/technology/apdeploy/7.6/Cisco_Aironet_3700AP.html
Virtual WLC Deployment Guide: http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml
HA Deployment Guide: http://www.cisco.com/en/US/partner/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
Flex 7500 Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
WLC8500 Deployment Guide: http://www.cisco.com/en/US/products/ps12722/products_tech_note09186a0080bd6504.shtml
WiSM-2: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bb2500.shtml
Bonjour Deployment Guide: http://www.cisco.com/en/US/docs/wireless/technology/bonjour/7.5/Bonjour_Gateway_Phase-2_WLC_software_release_7.5.html
Wireless Device Profiling and Policy Classification Engine on WLC, Release 7.5: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/NativeProfiling75.html
MSE Virtual Appliance Deployment Guide: http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a0080bb497f.shtml
IPv6 Deployment Guide: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml


Q&A
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could Be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle
• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Wireless Cisco Education Offerings
CCNP® Wireless
• Conducting Cisco Unified Wireless Site Survey
• Implementing Cisco Unified Wireless Voice Networks
• Implementing Cisco Unified Wireless Mobility Services
• Implementing Cisco Unified Wireless Security Services
Description: Professional level instructor led trainings to prepare candidates to conduct site surveys, implement, configure and support APs and controllers in converged Enterprise networks. Focused on 802.11 and related technologies to deploy voice networks, mobility services, and wireless security.
CCNA® Wireless
• Implementing Cisco Unified Wireless Network Essentials
Description: Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in Enterprise installations.
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
