TECEWN-2002
Enterprise WLAN Deployment
Mark Krischer, Paul Nguyen, Brian O'Donoghue, Peter Jerhamre
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Your Speakers Today
• Mark Krischer, Wireless Technology Lead, APJC
• Peter Jerhamre, Systems Engineer, Sweden
• Paul Nguyen, Sr. Technical Marketing Engineer, Enterprise Solutions
• Brian O'Donoghue, Systems Engineer, Ireland
Agenda
• Understanding Wireless (Mark Krischer)
  • RF Fundamentals
  • 802.11 Fundamentals
• Cisco Wireless Design (Brian O'Donoghue)
  • Product Portfolio
  • Design Concepts
  • Deployment Modes
  • High Availability
• Cisco Wireless Automation (Paul Nguyen)
  • Wireless Controller Automation
  • Planning Site and Maps
  • IBN for Wireless Design
  • Brownfield Support
  • Prime Migration
• Cisco Wireless Services (Peter Jerhamre)
  • Location Based Services
  • Cisco DNA Spaces
  • Cisco Umbrella & ETA
  • Wireless Best Practices
Enterprise WLAN Deployment
Understanding Wireless
RF Fundamentals
Electromagnetic Spectrum
• Radio Waves
• Micro Waves
• Infrared Radiation
• Visible Light
• Ultraviolet Radiation
• X-Rays
• Gamma Rays

Colour   Frequency     Wavelength
Violet   668-789 THz   380-450 nm
Blue     606-668 THz   450-495 nm
Green    526-606 THz   495-570 nm
Yellow   508-526 THz   570-590 nm
Orange   484-508 THz   590-620 nm
Red      400-484 THz   620-750 nm
Radio Frequency Fundamentals
• Frequency and Wavelength
  • f = c / λ
  • c = the speed of light in a vacuum
  • 2.45 GHz: λ = 12.3 cm
  • 5.0 GHz: λ = 6 cm
• Amplitude
• Phase
[Figure: two sine waves with amplitudes A1 and A2, wavelengths λ1 and λ2, offset from each other by the phase angle ϕ]
Radio Frequency Fundamentals
• Signal Strength
  • Gain and Amplification
  • Loss and Attenuation
• Wave Propagation
  • Attenuation and Free Space Path Loss
  • Reflection and Absorption
Inverse-Square Law
RF Mathematics
• dB is a logarithmic ratio of values (voltages, power, gains, losses)
  • We add gains
  • We subtract losses
• dBm is a power measurement relative to 1 mW
• dBi is the forward gain of an antenna compared to an isotropic antenna
Interference and Signal to Noise Ratio
• Any RF signal other than the one we want is interference
• SNR is a ratio
• The signal strength is a result of
  • Transmit power
  • Receive sensitivity
• Two levers
  • Increase the signal
  • Or decrease the noise
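The wavelength, dB, path-loss and SNR arithmetic from the preceding slides (Frequency and Wavelength, Inverse-Square Law, RF Mathematics, Signal to Noise Ratio), worked through in Python. This is an added example, not code from the deck or from Cisco; the free space path loss formula is the standard 20·log10(4πd/λ) form, and the transmit power, antenna gains, distance and noise floor in the demo are constructed values.

```python
import math

C = 299_792_458.0  # speed of light in a vacuum, m/s


def wavelength_cm(freq_hz):
    """lambda = c / f, returned in centimetres (2.45 GHz -> about 12.2 cm, 5 GHz -> about 6 cm)."""
    return C / freq_hz * 100.0


def dbm_to_mw(dbm):
    """dBm is power relative to 1 mW: P(mW) = 10^(dBm / 10)."""
    return 10 ** (dbm / 10.0)


def mw_to_dbm(mw):
    """Inverse of dbm_to_mw: 1 mW is 0 dBm, 100 mW is 20 dBm."""
    return 10.0 * math.log10(mw)


def free_space_path_loss_db(distance_m, freq_hz):
    """Free space path loss, 20*log10(4*pi*d/lambda).

    Because power density falls with the square of distance, every doubling of
    distance adds 20*log10(2) = 6.02 dB of loss (the inverse-square law in dB)."""
    lam = C / freq_hz
    return 20.0 * math.log10(4.0 * math.pi * distance_m / lam)


def link_budget_dbm(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz, cable_loss_db=0.0):
    """Received signal level: in dB units gains are added and losses subtracted."""
    return (tx_power_dbm + tx_gain_dbi + rx_gain_dbi
            - cable_loss_db - free_space_path_loss_db(distance_m, freq_hz))


def snr_db(signal_dbm, noise_floor_dbm):
    """SNR is a power ratio; with both sides in dBm it is a plain subtraction."""
    return signal_dbm - noise_floor_dbm


def receivable(signal_dbm, rx_sensitivity_dbm):
    """A frame is decodable only if the received level clears the receiver's sensitivity."""
    return signal_dbm >= rx_sensitivity_dbm


if __name__ == "__main__":
    # Constructed demo values: 17 dBm radio, 3 dBi antennas, 2.45 GHz, -95 dBm noise floor.
    for d in (10, 20, 40):
        rx = link_budget_dbm(17, 3, 3, d, 2.45e9)
        print(f"{d:3d} m: FSPL {free_space_path_loss_db(d, 2.45e9):5.1f} dB, "
              f"Rx {rx:6.1f} dBm, SNR {snr_db(rx, -95):4.1f} dB, "
              f"receivable at -72 dBm sensitivity: {receivable(rx, -72)}")
```

Running the demo shows the inverse-square behaviour directly: each doubling of distance costs 6 dB, so the 10 m, 20 m and 40 m rows differ by exactly that step, and the receive sensitivity line is what turns a dBm figure into a usable/unusable decision.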
Antenna Design: Omni-Directional Antennas
[Figure: azimuth and elevation radiation patterns]
Antenna Design: Patch Antennas
[Figure: azimuth and elevation radiation patterns]
Antenna Design: Dual Band Antennas
[Figure: 2.4 GHz antenna pattern beside a combined 2.4 and 5 GHz antenna pattern]
Antenna Design: Internal Antennas
[Figure: 2.4 GHz and 5 GHz azimuth and elevation patterns]
Antenna Design: Frequency Variations
[Figure: 5 GHz azimuth and 5 GHz elevation patterns]
Antenna Design: High-Gain Antennas
• First null is "filled in"
• Second null is not as deep
• Low signal regions occur close to the tower, to minimize the impact
[Figure: elevation pattern of a high-gain antenna with the low signal regions marked]
Multipath Propagation
[Figure: direct and reflected paths between transmitter and receiver]
Destructive and Constructive Interference
Antenna Diversity
Diversity Combining
Multiple Input Multiple Output: Maximal Ratio Combining
[Figure: three antenna Rx signals and their combined effect (adding all Rx paths)]
Transmit Beamforming
Multiple Input Multiple Output: ClientLink
[Figure: 1SS, 1SS, 2SS and 3SS clients on 802.11a/g/n/ac]
Spatial Multiplexing
[Figure: the data "The quick brown fox" split across several spatial streams and reassembled at the receiver]
Digital Modulation Techniques
• Three basic methods
  1. Modulate the Amplitude
  2. Modulate the Frequency
  3. Modulate the Phase
[Figure: carrier, modulating signal and the amplitude modulated carrier]
Digital Modulation Techniques
• Quadrature Phase Shift Keying (QPSK)
  • Each possible shift represents 2 bits
• Quadrature Amplitude Modulation (QAM)
  • Symbols are a combination of amplitude and phase
  • High spectral efficiency
  • Difficult to demodulate in the presence of noise
[Figure: carrier modulated by a two-bit value, 0 (00), 1 (01), 2 (10), 3 (11), and the modulated result]
Modulation, SNR and Data Rates
[Figure: 4-QAM constellation received at SNR=6 and at SNR=10]
Rate vs Range and the Laws of Physics
[Figure: 4-QAM, 16-QAM and 64-QAM constellations]
Rate vs Range and the Laws of Physics
[Figure: 256-QAM constellation]
Relationship Between Modulation and SNR
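A runnable illustration of the QPSK and modulation-versus-SNR slides above: two bits per symbol mapped to four carrier phases, Gaussian noise added at a chosen SNR, and a nearest-point demodulator whose error rate climbs as SNR falls. This is an added example, not material from the deck; the Gray-coded phase assignment and the seeded noise generator are choices made here, and the bit stream is constructed.

```python
import math
import random

# Gray-coded QPSK: symbol index k sits at 45 + 90*k degrees on the unit circle, and
# neighbouring points differ in exactly one bit, so a nearest-neighbour decision
# error costs a single bit rather than two.
GRAY_BITS = [(0, 0), (0, 1), (1, 1), (1, 0)]
POINTS = [complex(math.cos(math.radians(45 + 90 * k)), math.sin(math.radians(45 + 90 * k)))
          for k in range(4)]


def bits_per_symbol(m):
    """Bits carried per symbol by an M-point constellation: 4-QAM 2, 16-QAM 4, 64-QAM 6, 256-QAM 8."""
    return int(math.log2(m))


def modulate(bits):
    """Map each 2-bit group to one of the four QPSK phases."""
    if len(bits) % 2:
        raise ValueError("QPSK carries 2 bits per symbol; pad the bit stream")
    return [POINTS[GRAY_BITS.index((bits[i], bits[i + 1]))] for i in range(0, len(bits), 2)]


def add_awgn(symbols, snr_db, rng):
    """Add complex Gaussian noise so that Es/N0 equals snr_db (symbol energy is 1)."""
    n0 = 10 ** (-snr_db / 10.0)
    sigma = math.sqrt(n0 / 2.0)  # noise power is split across the I and Q dimensions
    return [s + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma)) for s in symbols]


def demodulate(symbols):
    """Hard decision: the constellation point nearest each received sample."""
    out = []
    for s in symbols:
        k = min(range(4), key=lambda j: abs(s - POINTS[j]))
        out.extend(GRAY_BITS[k])
    return out


def bit_error_rate(n_bits, snr_db, seed=1):
    """Send a seeded random bit stream through the channel and count bit errors."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    received = demodulate(add_awgn(modulate(bits), snr_db, rng))
    return sum(a != b for a, b in zip(bits, received)) / n_bits


if __name__ == "__main__":
    for snr in (20.0, 10.0, 6.0, 0.0):
        print(f"SNR {snr:4.1f} dB: BER {bit_error_rate(20000, snr):.4f}")
```

At 20 dB the demodulator makes no mistakes; at 0 dB roughly one bit in six is wrong, which is why a link falls back from 256-QAM through 64-QAM and 16-QAM to QPSK as SNR drops with range: denser constellations put decision boundaries closer together, so the same noise produces more errors.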
Transmit and Receive Diversity
• Transmit Diversity improves signal strength at the client
  • This results in a 15% improvement in data rate by making MCS m8/m9 usable
• Receive Diversity improves the ability to receive 3SS frames from the client
  • N+1 is necessary to effectively deliver on spatial multiplexing benefits
Orthogonal Frequency Division Multiplexing (OFDM)
• Combines modulation and multiplexing techniques to further improve spectral efficiency
• The transmission channel is divided into subchannels or subcarriers
• To avoid overlap between subcarriers, they are orthogonal (at a 90˚ angle) to one another
• Modulation techniques such as QPSK or QAM are then used in each subcarrier

• E.g. assign a specific dynamic interface, VLAN, QoS tag, bandwidth restrictions, or Access Control List (ACL) on a per-user basis
• Can help in optimizing RF utilization by reducing the number of SSIDs broadcast (reduces beacon/probe activity)
AAA Policy Override.............................. Enabled
Catalyst 9800 Wireless Controller Configuration Model
AireOS vs. Catalyst 9800 Config Model
Going towards a more modularized and reusable model, with logical decoupling of configuration entities: granular and simplified, stating what policies apply on which sites with what RF characteristics.
• AireOS config model
  • WLAN: basic wireless, advanced wireless, wireless security, switching policy, network policy
  • AP Group: wireless site settings, site specific policies, RF parameters
  • Flex Group: remote site config, remote site parameters
  • RF Profile (per radio, b/g and a/n/ac): High Density HDX, data rates, DCA/TPC/CHDM, profile thresholds for traps, client distribution
• Catalyst 9800 config model (decoupled and modularized)
  • Policy Tag: WLAN Profile (basic wireless, advanced wireless, wireless security) + Policy Profile (switching policy, network policy)
  • Site Tag: AP Join Profile (wireless site settings, site specific policies) + Flex Profile (remote site config, remote site parameters)
  • RF Tag: RF Profile (High Density HDX, data rates, DCA/TPC/CHDM, profile thresholds for traps, client distribution)
[Figure: the AireOS WLAN, AP Group, Flex Group and RF Profile entities mapped onto the Catalyst 9800 profiles and tags]
Catalyst 9800 Config Model
• Policy Tag = WLAN Profile + Policy Profile: defines the broadcast domain (list of WLANs to be broadcast) with the properties of the respective SSIDs
• Site Tag = AP Join Profile + Flex Profile: defines the properties of the central and the remote site APs
• RF Tag = RF Profile (2.4 GHz) + RF Profile (5 GHz): defines the RF properties of the network
• The three tags are assigned to Access Points
Cisco Wireless Deployment Modes
Cisco WLAN Deployment Mode Options
• With Cisco there is no one-size-fits-all
• Cisco Enterprise wireless offers the best solution for many different environments (small office, multi-site, large campus etc.)
• The following section discusses the unique design characteristics of each deployment mode
  • Centralized
  • FlexConnect
  • Mobility Express
  • Software Defined Access
• We finish the section with a brief discussion on the Meraki Cloud deployment option
Centralized Mode

Centralized Wireless Deployment
• Simple IP addressing and mobility
  • All wireless client traffic is switched at the WLC
  • Client IP addressing & VLAN(s) defined on the WLC
  • Client Layer 3 roaming without re-addressing
• Single point of connection to the wired network
  • Easier to apply security & QoS policies for wireless users
• Simplified overlay design
  • Traffic is tunnelled (using the CAPWAP protocol) from AP to WLC
  • Can be deployed on top of any wired infrastructure
• Throughput governed by WLC capabilities
Enterprise with Local WLAN Controllers at Each Site
[Figure: central site with a WLC 5520; Remote Sites A, B and C each with a WLC 3504, connected over the WAN with CAPWAP]
• Branches can have local controllers
  • Small or mid branch: WLC 3504 etc.
• Cookie-cutter configuration for every branch site
• Layer-3 roaming with a controller in each branch
• Full local control, no dependency on the WAN
• WLC at each site, higher capital costs
• Higher OpEx costs
FlexConnect Mode

FlexConnect Wireless Deployment
• WAN-distributed branch offices, with resiliency
  • Survivability across the WAN for small, medium & large sites (client data & authentication)
• Optimized control and data planes
  • Client data traffic can be switched locally, while APs are managed centrally
  • Throughput not governed by the central WLC
• Efficient AP upgrade across the WAN
  • With Smart Image Upgrade, software is only sent to the Master AP, reducing WAN bandwidth requirements
FlexConnect Branch Office Deployment
• Hybrid architecture
  • Single management and control point
• Data traffic switching
  • Central switching
  • Local switching
  • Traffic switching is configured per AP and per WLAN (SSID)
• L2 roaming within a site
• Standalone mode will preserve local traffic
[Figure: central site and remote office joined over the WAN; centrally switched traffic is tunnelled to the central site, locally switched traffic stays at the remote office]
FlexConnect Glossary
1. Connected Mode: when a FlexConnect AP can reach the controller, it gets help from the controller to complete client authentication
2. Standalone Mode: when a FlexConnect AP cannot reach the controller, it goes into standalone mode and does client authentication by itself
3. Central Switching: data traffic is tunneled back to the WLC for an SSID
4. Local Switching: data traffic is switched onto local VLANs for an SSID
Configure FlexConnect Mode on Access Point (Step 01)
• Access Point Mode: enable FlexConnect mode per AP
• Can be automated if using PnP
Configure FlexConnect Local Switching on WLAN (Step 02)
• Enable the WLAN for local switching
• A WLAN with "FlexConnect Local Switching" enabled will allow local switching of data traffic on a FlexConnect Access Point
Configure Native VLAN on FlexConnect AP (Step 03a)
• When connecting with a native VLAN on the AP, the L2 switch port must also match the corresponding native VLAN configuration on the AP
Configure WLAN to VLAN Mapping (Step 03b)
• Mapping of WLAN to VLAN can be done per FlexConnect AP or per FlexConnect Group. The VLAN must also be configured on the switch port
FlexConnect Design Considerations: WAN Limitations Apply
Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
Data              64 kbps               300 ms                  5                    25
Data              640 kbps              300 ms                  50                   1000
Data              1.44 Mbps             1 sec                   50                   1000
Data+Voice        128 kbps              100 ms                  5                    25
Data+Voice        1.44 Mbps             100 ms                  50                   1000
Monitor           64 kbps               2 sec                   5                    N/A
Monitor           640 kbps              2 sec                   50                   N/A
It is highly recommended that the minimum bandwidth restriction remains 24 Kbps per AP with the round trip latency no greater than 300 ms for data deployments and 100 ms for Data + Voice deployments.
For your reference:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_feature_matrix_for_802_11ac_wave2_access_points.html
http://www.youtube.com/watch?v=QiCOmqvWUaw
FlexConnect Resiliency: WAN Failure
• FlexConnect APs will go to Standalone mode
  • No impact for locally switched SSIDs
  • Disconnection of centrally switched SSID clients
  • Static authentication keys are locally stored in the FlexConnect AP
• Lost features
  • RRM, WIDS, location, other AP modes
  • Web authentication, NAC
[Figure: remote site cut off from the central site application server by a WAN failure]
FlexConnect: AAA Survivability
• Local Backup RADIUS
  • Normal authentication is done centrally
  • On WAN failure, the AP goes to Standalone mode and authenticates new clients with a locally defined RADIUS server
  • Existing connected clients stay connected
  • Clients can roam with CCKM fast roaming, or re-authentication
[Figure: central RADIUS at the central site, local backup RADIUS at the remote site, CCKM fast roaming between the remote site APs]
FlexConnect AAA VLAN Override
• AAA VLAN override with local or central authentication
• Up to 16 VLANs per FlexConnect AP
• VLAN ID must be enabled per AP or FlexConnect Group
[Figure: RADIUS at the central site returns VLAN 7 (QoS = Platinum) for one client and VLAN 3 (QoS = Silver) for another in the remote site FlexConnect Group]
FlexConnect AAA VLAN Override: Configuration
• Create a sub-interface on the FlexConnect AP
• ISE returns the IETF RADIUS attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID)
For your reference
VLAN Name AAA Override: Solution
• RADIUS returns VLAN NAME = Marketing via Aire-Interface-Name or the IETF Tunnel-Private-Group-ID (starting from 8.1)
• Remote Site A: Engineering 10, Marketing 20, Sales 30; the client is placed in VLAN 20
• Remote Site B: Engineering 11, Marketing 21, Sales 31; the client is placed in VLAN 21
[Figure: the same VLAN name returned by the central RADIUS resolves to a different VLAN ID at each remote site]
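How the two AAA VLAN override slides fit together, as an added Python example (not code from the deck or from Cisco): the RADIUS reply is checked for the IETF tunnel attributes named on the slides, a Tunnel-Private-Group-ID that is a name is resolved through the per-site table from the slide, and the result is accepted only if that VLAN is enabled on the AP. The Tunnel-Type and Tunnel-Medium-Type values (13 for VLAN, 6 for IEEE 802) come from RFC 3580; the AP records, the WLAN default VLAN and the fallback policy on failure are constructed for this example.

```python
# IETF RADIUS attribute numbers named on the slides
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # RFC 3580 value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6       # RFC 3580 value meaning "IEEE 802"
MAX_VLANS_PER_FLEX_AP = 16  # limit stated on the slide

# VLAN name tables per remote site, as on the slide
SITE_VLAN_NAMES = {
    "Remote Site A": {"Engineering": 10, "Marketing": 20, "Sales": 30},
    "Remote Site B": {"Engineering": 11, "Marketing": 21, "Sales": 31},
}

# Constructed FlexConnect APs: site membership and the VLAN IDs enabled on each AP
FLEX_APS = {
    "ap-a-01": {"site": "Remote Site A", "enabled_vlans": {10, 20, 30}},
    "ap-b-01": {"site": "Remote Site B", "enabled_vlans": {11, 21}},
}


def resolve_aaa_vlan(ap_name, radius_attrs, wlan_default_vlan):
    """Return (vlan_id, reason) for a client joining through ap_name.

    radius_attrs maps IETF attribute numbers to the values in the Access-Accept.
    On any failure the client stays on the WLAN's default VLAN (policy chosen
    for this example) and the reason says why the override was not applied."""
    ap = FLEX_APS[ap_name]
    if (radius_attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or radius_attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
        return wlan_default_vlan, "no-override"

    group = str(radius_attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")).strip()
    if group.isdigit():
        vlan_id = int(group)                      # numeric VLAN ID
    else:
        vlan_id = SITE_VLAN_NAMES[ap["site"]].get(group)   # VLAN name, resolved per site
        if vlan_id is None:
            return wlan_default_vlan, "unknown-vlan-name"

    # The slide's rule: the VLAN must be enabled on the AP (or its FlexConnect Group)
    if vlan_id not in ap["enabled_vlans"]:
        return wlan_default_vlan, "vlan-not-enabled-on-ap"
    return vlan_id, "override"


def check_ap_vlan_limit(ap_name):
    """Design check for the 16-VLAN-per-FlexConnect-AP limit from the slide."""
    return len(FLEX_APS[ap_name]["enabled_vlans"]) <= MAX_VLANS_PER_FLEX_AP


if __name__ == "__main__":
    accept = {TUNNEL_TYPE: TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_802,
              TUNNEL_PRIVATE_GROUP_ID: "Marketing"}
    for ap in FLEX_APS:
        print(ap, resolve_aaa_vlan(ap, accept, wlan_default_vlan=99))
```

The same Access-Accept lands a client on VLAN 20 at Remote Site A and VLAN 21 at Remote Site B, which is the point of name-based override; the enabled-VLAN check is the part that is easy to forget when a new VLAN is added to the RADIUS policy but not to the FlexConnect Group.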
FlexConnect ACL: Split Tunneling
• Split tunneling allows some traffic to be locally switched although the WLAN is defined as centrally switched
• Split tunneling uses a NAT/PAT feature with an ACL to perform the local switching
• Split tunneling uses the AP IP address for the NAT/PAT feature
[Figure: FlexConnect AP with CAPWAP to the WLC over the WAN; central traffic goes to the central server, local traffic reaches a local printer through NAT/PAT and the ACL]
Mobility Express Mode

Mobility Express Deployment
• Controller function is run on Cisco Access Points (802.11ac Wave 1 and above)
• Suited to small and medium sized businesses with a limited number of APs
• Configuration simplicity and easy-to-use GUI
  • GUI is unique to ME deployments
• Day 0 AP setup automated
• Zero licensing costs
• More affordable, with enterprise class features
Branch Offices with Cisco Mobility Express
• Overview
  • Mobility Express is based on the FlexConnect architecture
  • Supports central authentication, local switching
  • Cisco DNAC and ISE at the central site
• Advantages
  • Cookie-cutter configuration for every site
  • Independent or centralized manageability of each site
[Figure: central site with Network Plug and Play, DNAC and ISE; Sites A, B and C reached over the WAN]
Deploying Cisco Mobility Express
Depending on the deployment, Mobility Express capable Access Points can be connected to an access port or a trunk port on the switch. Management traffic is always untagged.
• If Access Points and WLANs are all on the same network (e.g. Employee, Contractor and Guest WLANs all on VLAN 10), Mobility Express capable Access Points can connect to an access port on the switch.
• If Access Points and WLANs are all on different VLANs (e.g. management on VLAN 10 and the Employee, Contractor and Guest WLANs on VLANs 20, 30 and 40), Mobility Express capable Access Points will connect to a trunk port on the switch and traffic for individual WLANs will be switched locally on to local VLANs.
Deployment Methods for Cisco Mobility Express
1. Command Line Interface: setup wizard using the CLI
2. OTAP: Over-the-Air Provisioning
3. Network Plug and Play: using Network Plug and Play and Cisco DNAC
Over-the-Air Provisioning Devices
• Provision and monitor with the Cisco Wireless App (free download) or a laptop
https://play.google.com/store/apps/details?id=com.cisco.dashboard.view
https://itunes.apple.com/us/app/cisco-wireless/id1005756119?ls=1&mt=8
Deploying Using APIC-EM/Network Plug and Play
1. Private Cloud: the APIC-EM / Cisco DNAC controller can be reached by the Mobility Express Access Point in the customer premises. The Access Point can then download the controller configuration file from the Network Plug and Play service.
2. Cisco Cloud Redirect: a cloud based redirecting service redirects the Mobility Express Access Point to an APIC-EM / Cisco DNAC controller residing in the customer premises. These APs can then download the controller configuration file from the Network Plug and Play app service.
Network Plug and Play: Private Cloud
Master AP running the PnP Agent; PnP Server reached over the LAN/WAN (the PnP Server uses a self-signed SSL certificate):
1. DHCP Request; DHCP response with the APIC-EM IP address in DHCP option 43
2. HTTP PnP work request with the device serial number (UDI): the PnP Agent initiates HTTP communication with the PnP Server and sends the device UDI
3. The PnP Server receives the UDI and sends its server SSL certificate over HTTP
4. The PnP Agent installs a local trustpoint for the server SSL certificate
5. HTTPS PnP work request with the device serial number (UDI): the PnP Agent initiates HTTPS communication with the server and sends the device UDI
6. The PnP Server receives the UDI and sends the ME controller configuration over HTTPS
7. The Master AP reboots and will run the controller configuration after it comes back up
DHCP scope configuration:
ip dhcp pool pnp_device_pool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 option 43 ascii "5A1N;B2;K4;I192.168.1.123;J80"
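The option 43 string in the DHCP pool above is what steers the Master AP to the PnP Server, so it is worth being able to read and generate it. The following is an added Python example, not code from the deck or from Cisco: it parses the slide's "5A1N;B2;K4;I192.168.1.123;J80" value, rebuilds the pool configuration from structured values, and lists the two things a reviewer of the scope would check, namely that the server is the one you operate and that, as the flow above shows, the first contact is plain HTTP with the server certificate installed as a trustpoint on that first exchange. The meanings assigned to the B and K codes (address type and transport) reflect the writer's understanding of the Cisco PnP string format and are an assumption of this example; the deck itself only shows the string.

```python
import ipaddress

# Field codes in the PnP option 43 ASCII string. The leading "5A.." token marks the
# string as a PnP option; B = server address type, K = transport, I = server address,
# J = port. The code tables are this example's assumption, not text from the deck.
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4", "3": "ipv6"}
TRANSPORTS = {"4": "http", "5": "https"}


def parse_pnp_option43(value):
    """Parse a PnP option 43 ASCII string (quotes optional) into a dict."""
    fields = [f for f in value.strip().strip('"').split(";") if f]
    if not fields or not fields[0].startswith("5A"):
        raise ValueError("not a PnP option 43 string (expected a leading 5A.. code)")
    parsed = {"code": fields[0], "other": {}}
    for field in fields[1:]:
        key, val = field[0], field[1:]
        if key == "B":
            parsed["address_type"] = ADDRESS_TYPES.get(val, val)
        elif key == "K":
            parsed["transport"] = TRANSPORTS.get(val, val)
        elif key == "I":
            parsed["server"] = val
        elif key == "J":
            parsed["port"] = int(val)
        else:
            parsed["other"][key] = val      # keep unknown fields rather than dropping them
    if parsed.get("address_type") == "ipv4":
        ipaddress.IPv4Address(parsed["server"])  # raises ValueError on a malformed address
    return parsed


def build_pnp_option43(server, port=80, transport="http", code="5A1N"):
    """Build the string for a given PnP server; IPv4 literals get B2, anything else B1."""
    try:
        ipaddress.IPv4Address(server)
        address_type = "2"
    except ValueError:
        address_type = "1"
    transport_code = {name: code_ for code_, name in TRANSPORTS.items()}[transport]
    return f"{code};B{address_type};K{transport_code};I{server};J{port}"


def dhcp_pool_config(pool, network, mask, gateway, server, port=80, transport="http"):
    """Render the IOS DHCP pool from the slide with a generated option 43 line."""
    return [
        f"ip dhcp pool {pool}",
        f" network {network} {mask}",
        f" default-router {gateway}",
        f' option 43 ascii "{build_pnp_option43(server, port, transport)}"',
    ]


def review_pnp_option43(parsed, expected_servers):
    """Findings a reviewer of the DHCP scope would raise before Day 0 provisioning."""
    findings = []
    if parsed.get("server") not in expected_servers:
        findings.append(f"option 43 points at unexpected PnP server {parsed.get('server')}")
    if parsed.get("transport") == "http":
        findings.append("initial PnP contact is plain HTTP; the server certificate is trusted on first use")
    return findings


if __name__ == "__main__":
    slide_value = '"5A1N;B2;K4;I192.168.1.123;J80"'
    parsed = parse_pnp_option43(slide_value)
    print(parsed)
    print("\n".join(dhcp_pool_config("pnp_device_pool", "192.168.1.0", "255.255.255.0",
                                     "192.168.1.1", "192.168.1.123")))
    print(review_pnp_option43(parsed, {"192.168.1.123"}))
```

Because the AP trusts whatever certificate the server named in option 43 presents on first contact, the integrity of the DHCP scope on the Day 0 VLAN is what the whole bootstrap rests on; DHCP snooping on the access switches and a review of the scope with a check like the one above are the usual controls.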
Network Plug and Play: Public Cloud
Master AP running the PnP Agent; Cisco Cloud Redirect Server on the Internet; PnP Server in the DMZ (the PnP Server uses a self-signed SSL certificate):
1. DHCP Request; the DHCP server responds with the device IP, domain name and DNS server
2. The device creates the pre-defined cloud redirect server name (devicehelper.cisco.com) and resolves it to an IP address
3. The device establishes communication with the Cloud Redirect Server: HTTP request with the device serial number (UDI)
4. The Cloud Redirect Server receives the UDI and sends the APIC-EM IP address
5. HTTP PnP work request with the device serial number (UDI): the PnP Agent initiates HTTP communication with the APIC-EM server and sends the device UDI
6. The PnP Server receives the UDI and sends its server SSL certificate over HTTP
7. The PnP Agent installs a local trustpoint for the server SSL certificate
8. HTTPS PnP work request with the device serial number (UDI): the PnP Agent initiates HTTPS communication with the server and sends the device UDI
9. The PnP Server receives the UDI and sends the ME controller configuration over HTTPS
10. The Master AP reboots and will run the controller configuration after it comes back up
DHCP scope configuration:
ip dhcp pool pnp_device_pool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 171.70.168.183 8.8.8.8
 domain-name cisco.com
Cisco Mobility Express Features
Evolution of the Mobility Express Solution
• Apr 2018, AireOS 8.7
  • S/W update during Day 0 using Network PnP
  • Support for SFTP software download transfer mode
  • Support for Optimal AP Join
  • Support for BDRL per client, BSSID and WLAN
  • Ability to limit clients per WLAN, per radio
  • Support for RLANs
  • Support for Passive Clients
  • 802.1X supplicant support on AP with EAP-TLS and EAP-PEAP
  • Walled Garden, RADIUS NAC
    • DNS ACLs (pre-auth ACL, IPv4 only)
    • Central Web Authentication
    • BYOD support
• Aug 2018, AireOS 8.8
  • mDNS Gateway support
  • VideoStream support (MC2UC)
  • Efficient AP Join
  • Schedule WLAN
  • Option 43 support for ME
  • FQDN support for SFTP server
  • Cisco RFID tag support
  • EoGRE support
• Dec 2018, AireOS 8.8 MR1
  • Umbrella support
• Dec 2018, AireOS 8.8 MR2
  • Authentication caching
  • Post-auth DNS ACLs
  • IPSK
  • Support for TLS Gateway
ME WLAN Support
• Supports a maximum of 16 WLANs
• WLAN options:
  • Open
  • WPA2 Personal
  • WPA2 Enterprise (External RADIUS, AP)
  • Central Web Authentication (Release 8.7)
• For Guest WLANs, a number of capabilities are supported:
  • Cisco DNA Spaces Act
  • Internal Splash Page, External Splash Page. For Internal and External Splash Page, a number of access types are supported: Local User Account, Web Consent, Email Address, RADIUS, WPA2 Personal
Support for AP Groups (available with 8.6)
• AP Group creation available in Expert View
• Maximum of 50 AP Groups are supported
• Maximum of 100 APs per AP Group (2800/3800 can support 100 APs)
• 16 WLANs can be associated per AP Group
• RF Profiles can be associated for 2.4 and 5.0 GHz
Optimal AP Join (available with 8.7)
• Feature
  • Enables a CAPWAP or Mobility Express AP to download the ME code from the Master AP
  • This feature eliminates the dependency on an external server (SFTP, TFTP or cisco.com) for providing the code at the time of AP join for 3800, 2800 and 1560 Series APs
• Use cases
  • Customer is adding an AP to the existing ME network but the AP being added has a different code version than the ME-WLC. For the new AP to join the ME-WLC, software has to be updated on the AP
• Supported AP models
  • Supported on 2800, 3800 and 1560 on 8.7
  • All other Wave 2 APs in 8.8 via Efficient Join
  • Not supported on Wave 1 APs
Schedule WLAN (8.8)
• Feature
  • One can create a weekly schedule for when the WLANs should be enabled or disabled during the week
  • Disables the WLAN
  • Available in Expert View under the WLAN > Scheduling tab
  • Can have a different schedule for different WLANs
• Use cases
  • Customer wants to automatically disable the WLAN after office hours or store hours
  • Why? Perhaps to minimize the possibility of attacks on their wireless network when they are not in the best position to address it
• Configuration
  [Figure: UI configuration of the WLAN schedule]
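The Schedule WLAN feature above is a weekly on/off window per WLAN; the evaluator below, an added Python example that is not code from the deck or from the Mobility Express GUI, shows the logic such a schedule needs, including the case the GUI has to get right for a late-shift network: a window that starts in the evening and ends after midnight. The WLAN names, windows and timestamps are constructed.

```python
from datetime import datetime, time

# Per-WLAN weekly schedule: weekday (0 = Monday) -> list of (start, end) windows during
# which the WLAN is enabled. A window whose end is not after its start runs past midnight
# into the next day. Constructed data for the example.
SCHEDULES = {
    "corp-office": {d: [(time(7, 0), time(19, 0))] for d in range(5)},   # Mon-Fri 07:00-19:00
    "store-guest": {d: [(time(9, 0), time(21, 0))] for d in range(7)},   # every day 09:00-21:00
    "night-ops":   {d: [(time(22, 0), time(6, 0))] for d in range(7)},   # 22:00 to 06:00 next day
}


def wlan_enabled(wlan, when, schedules=SCHEDULES):
    """True if the WLAN should be broadcasting at datetime `when`.

    WLANs without a schedule stay enabled, matching the feature being opt-in."""
    sched = schedules.get(wlan)
    if sched is None:
        return True
    day, t = when.weekday(), when.time()
    for start, end in sched.get(day, []):
        if start < end and start <= t < end:
            return True
        if start >= end and t >= start:            # evening half of a window that wraps midnight
            return True
    for start, end in sched.get((day - 1) % 7, []):
        if start >= end and t < end:               # morning half of yesterday's wrapping window
            return True
    return False


def wlans_to_disable(when, schedules=SCHEDULES):
    """The set of scheduled WLANs that should be off at `when`; sorted for stable output."""
    return sorted(w for w in schedules if not wlan_enabled(w, when, schedules))


if __name__ == "__main__":
    for stamp in (datetime(2019, 1, 21, 10, 0), datetime(2019, 1, 21, 23, 30),
                  datetime(2019, 1, 22, 3, 0), datetime(2019, 1, 26, 12, 0)):
        print(stamp.strftime("%a %H:%M"), "disabled:", wlans_to_disable(stamp))
```

A controller implementing the schedule re-evaluates at each window boundary; running this evaluator over an expected timeline is a cheap way to confirm a schedule does what the business hours intend before relying on it to shrink the after-hours attack surface.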
DHCP Option 43 Support for ME APs (8.8)
• Feature
  • Configure Option 43 on the DHCP scope with a sub type to convert the AP type from ME to CAPWAP
  • There are different sub types
    • 0xF1: normal DHCP option 43 configuration
    • 0xF2: used for converting ME COS APs
  • After receiving DHCP option 43 with sub type 0xF2, the AP will convert its AP type from Mobility Express Capable to NOT Mobility Express Capable and follow the regular WLC join process
• Use cases
  • Customer wants to order CAPWAP APs but mistakenly orders Mobility Express APs. This forces the customer to do a conversion from ME to CAPWAP before the APs can join the WLC, resulting in significant overhead for the customer
• Option 43 syntax
  • The user can configure DHCP option 43 with the sub option '0xF2' followed by the length (05), the WLC IP address(es) and the convert value (01)
  • Example: option 43 hex F205AC14E51201
    • 05: for one WLC
    • 09: for two WLCs
    • 13: for three WLCs
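An encoder and decoder for the hex option 43 format on this slide, added here as an example (not code from the deck or from Cisco). It builds the 0xF2 sub-option from WLC addresses exactly as the slide describes (sub-option byte, length, IPv4 addresses, convert value 01) and decodes it back, so F205AC14E51201 round-trips to 172.20.229.18. The length for three WLCs is 13 in decimal (3 × 4 + 1), which appears as 0D in the hex string; the 0xF1 form without the convert byte is handled the same way. The WLC addresses used in the demo other than the slide's own are constructed.

```python
import ipaddress

SUBOPT_CAPWAP = 0xF1      # normal option 43: WLC addresses for the CAPWAP join
SUBOPT_ME_CONVERT = 0xF2  # ME-capable AP: WLC addresses followed by the convert value 01


def encode_option43(wlc_ips, convert_me=False):
    """Return the value for 'option 43 hex ...' carrying the given WLC addresses."""
    if not wlc_ips:
        raise ValueError("at least one WLC address is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    subopt = SUBOPT_CAPWAP
    if convert_me:
        payload += b"\x01"          # convert value from the slide
        subopt = SUBOPT_ME_CONVERT
    if len(payload) > 255:
        raise ValueError("sub-option length does not fit in one byte")
    return (bytes([subopt, len(payload)]) + payload).hex().upper()


def decode_option43(hex_value):
    """Walk the TLV sub-options and return a list of parsed entries.

    Truncated or inconsistent lengths raise ValueError instead of being guessed at."""
    data = bytes.fromhex(hex_value)
    entries, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        subopt, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("sub-option length exceeds the data")
        i += 2 + length
        if subopt == SUBOPT_ME_CONVERT:
            if length % 4 != 1 or body[-1] != 0x01:
                raise ValueError("0xF2 body must be n*4 address bytes plus convert value 01")
            addr_bytes, convert = body[:-1], True
        elif subopt == SUBOPT_CAPWAP:
            if length % 4 != 0:
                raise ValueError("0xF1 body must be a whole number of IPv4 addresses")
            addr_bytes, convert = body, False
        else:
            entries.append({"suboption": subopt, "raw": body.hex().upper()})
            continue
        entries.append({
            "suboption": subopt,
            "wlc_ips": [str(ipaddress.IPv4Address(addr_bytes[j:j + 4]))
                        for j in range(0, len(addr_bytes), 4)],
            "convert_to_capwap": convert,
        })
    return entries


if __name__ == "__main__":
    print(encode_option43(["172.20.229.18"], convert_me=True))              # F205AC14E51201
    print(encode_option43(["172.20.229.18", "10.0.0.2", "10.0.0.3"], True))  # length byte 0D
    print(decode_option43("F205AC14E51201"))
```

The decoder's length checks matter in practice: a scope typed with the wrong length byte is silently ignored by the AP, and checking the hex string with a tool like this is faster than watching an AP fail to join.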
Umbrella Support on Mobility Express (8.8 MR1)
• Feature
  • Cisco Umbrella can provide comprehensive content filtering capability based on individual sites (www.facebook.com) or category (gambling)
  • Simple and easy profile registration process via token
  • Both Ignore and Forced mode are supported for a WLAN
  • DHCP Override option available on the WLAN to send the Umbrella DNS IPs to the client instead of what is on DHCP
• Use cases
  • Customer wants to provide defense against threats on the internet such as phishing, malware and ransomware
  • Customer wants to gain visibility into internet activity across all locations and devices, and also filter/block access to content on the internet
• Caveats
  • Supported for IPv4 addresses
  • If a client device has both IPv4 & IPv6 addresses, policy enforcement will not work. Trying to address this in 8.8 MR2. Workaround is to disable IPv6 on the DHCP router.
  • Profile is mapped to the WLAN and not to individual clients, i.e. all clients on the WLAN will see the same policy enforcement.
Mobility Express: High Availability
• Failure of the Access Point running the controller function
  • Upon controller failure, another Access Point will be elected to run the controller. Uses VRRP.
• HA considerations:
  • No impact for connected clients on locally switched SSIDs
  • Roaming allowed within the FlexConnect group for already connected clients
  • What about new clients? Static keys are locally stored in the FlexConnect AP: new clients can join if authentication is PSK
  • Lost features: RRM, CleanAir, Web authentication
  • Total downtime will be 60-90 s
Master Election Process
• Most capable Access Point (e.g. 1850 vs. 1830)
• Least client load
• Lowest MAC address
[Figure: AIR-AP3802I-B-K9 elected MASTER AP among AIR-AP1852I-B-K9, AIR-AP1702E-B-K9, AIR-AP2802I-B-K9, AIR-AP3702I-B-K9 and AIR-AP2702I-B-K9]
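The three election criteria above applied in order, as an added Python example that is not code from the deck or from the Mobility Express firmware. The slide only says "most capable" (1850 over 1830), so the capability ranking table is an assumption made here for illustration, as is the product-id parsing; the AP inventory with client counts and MAC addresses is constructed, using the product ids shown in the figure.

```python
import re

# Capability ranking: higher wins. An assumption for this example; the slide only
# states that a more capable model (e.g. 1850 vs. 1830) is preferred.
CAPABILITY_RANK = {"3800": 5, "2800": 4, "1850": 3, "1830": 2, "3700": 1, "2700": 1, "1700": 1}

_PID = re.compile(r"^AIR-AP(\d{4})[A-Z]-[A-Z]-K9$")


def ap_family(pid):
    """AIR-AP3802I-B-K9 -> '3800', AIR-AP1852I-B-K9 -> '1850' (assumed naming rule)."""
    m = _PID.match(pid)
    if not m:
        raise ValueError(f"unrecognised AP product id: {pid}")
    return m.group(1)[:3] + "0"


def mac_to_int(mac):
    return int(re.sub(r"[:.\-]", "", mac), 16)


def election_key(ap):
    """Sort key reproducing the slide's order: capability, then load, then lowest MAC."""
    return (-CAPABILITY_RANK[ap_family(ap["pid"])], ap["clients"], mac_to_int(ap["mac"]))


def elect_master(aps):
    """Return the AP record that wins the election among the ME-capable candidates."""
    candidates = [ap for ap in aps if ap_family(ap["pid"]) in CAPABILITY_RANK]
    if not candidates:
        raise ValueError("no Mobility Express capable AP in the list")
    return min(candidates, key=election_key)


# Constructed inventory using the product ids from the figure
SAMPLE_APS = [
    {"pid": "AIR-AP1852I-B-K9", "clients": 3, "mac": "00:11:22:33:44:10"},
    {"pid": "AIR-AP1702E-B-K9", "clients": 0, "mac": "00:11:22:33:44:02"},
    {"pid": "AIR-AP2802I-B-K9", "clients": 1, "mac": "00:11:22:33:44:03"},
    {"pid": "AIR-AP3702I-B-K9", "clients": 0, "mac": "00:11:22:33:44:04"},
    {"pid": "AIR-AP2702I-B-K9", "clients": 2, "mac": "00:11:22:33:44:05"},
    {"pid": "AIR-AP3802I-B-K9", "clients": 9, "mac": "00:11:22:33:44:06"},
]

if __name__ == "__main__":
    winner = elect_master(SAMPLE_APS)
    print("master:", winner["pid"], winner["mac"])
    for ap in sorted(SAMPLE_APS, key=election_key):
        print(f"  {ap['pid']:18s} clients={ap['clients']} mac={ap['mac']}")
```

Note that the 3802I wins despite carrying the most clients: capability is evaluated before load, and load before MAC, so the tie-breakers only come into play among APs of the same family. Knowing the deterministic outcome matters for HA planning, since the figure's 60-90 s failover lands on whichever AP this ordering picks next.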
SDA Mode

Software Defined Access (SDA)
• Simplifying data, control and management planes
  • Control plane centralized at the WLC
  • Forwarding (data) plane separated from the services plane (they reside in different fabrics)
  • Data plane is distributed
  • Cisco DNA Center is the single management touchpoint
• Simplified policy
  • Separation of policy (QoS, security etc.) from client IP address / location
• Seamless roaming domain
  • Stretch the client subnet without extending the same VLAN everywhere
Centralized Unified Wireless Network Strengths
• Simplified IP addressing? WLC as mobility anchor
• Simplified operations? Yes, with the WLC
• Network overlay? CAPWAP
• L3 roaming across the campus? WLC as mobility anchor
• Guest traffic segmentation? Foreign-Anchor
[Figure: ISE / AD, WLC, CAPWAP control and CAPWAP data tunnels to the APs]
Wired Network Strengths
• Distributed feature plane: AVC, NetFlow
• Segmentation: VRF-Lite, MPLS
• Scalable TCAMs: complex ACL capabilities
• Distributed data plane: scalable and reliable
• Comprehensive QoS capable: 12-class, queuing
[Figure: ISE / AD integrated with the wired network]
SD-Access Wireless brings you the best of both worlds
SD-Access Fabric Architecture: Roles and Terminology
• Control-Plane (CP) Node: map system that manages Endpoint ID to Location relationships. Also known as the Host Tracking DB (HTDB)
• Edge Nodes: a Fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA Fabric
• Border Nodes: a Fabric device (e.g. Core) that connects external L3 network(s) to the SDA Fabric
• Intermediate Nodes (Underlay)
• Group Repository: an external ID service (e.g. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition
• DNA Controller: Enterprise SDN Controller that provides GUI management abstraction via multiple Service Apps, which share information
• Fabric Wireless Controller: a fabric-enabled Wireless Controller (WLC) that participates in the LISP control plane
• Fabric Mode APs: Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at the AP
[Figure: SD-Access Fabric with control-plane (C) and border (B) nodes, fabric edge nodes, intermediate nodes, fabric mode WLC and APs, Cisco DNA Controller and ISE / AD as group repository]
See BRKCRS-2810
SD-Access Wireless Architecture
Bringing the best of both architectures by...
1. Simplifying the control & management plane
2. Optimizing the data plane
3. Integrating policy & segmentation end to end
SD-Access Wireless Architecture: 1. Simplifying the Control Plane
• Automation: DNAC simplifies the Fabric deployment, including the wireless integration component (policy abstraction and configuration automation)
• Centralized wireless control plane: the WLC still provides client session management, AP management, mobility, RRM, etc. Same operational advantages of CUWN
• LISP control plane management: the fabric-enabled WLC is part of the LISP control plane and updates the CP for wireless clients; mobility is integrated in the Fabric thanks to the LISP CP
[Figure: ISE / AD, Cisco DNAC and the WLC, with the CAPWAP control plane to the APs and the LISP control plane into the SD-Access Fabric control-plane and border nodes]
SD-Access Wireless Architecture
2 Optimizing the Data Plane
Figure: ISE / AD, Cisco DNAC, WLC and SD-Access Fabric with Border (B) and Control-Plane (C) nodes; CAPWAP control plane and LISP control plane as before, plus a VXLAN data plane from the AP into the Fabric
Automation: Cisco DNAC simplifies the Fabric deployment, including the wireless integration component (Policy Abstraction and Configuration Automation)
Fabric enabled WLC: WLC is part of LISP control plane
Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN
VXLAN from the AP: carrying hierarchical policy segmentation starting from the edge of the network
Optimized Distributed Data Plane: Fabric overlay with Anycast GW + Stretched subnet; VLAN extension with no complications; all roaming is Layer 2
Centralized Wireless Control Plane: WLC still provides client session management, AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN
LISP control plane Management: WLC integrates with LISP control plane; WLC updates the CP for wireless clients; Mobility is integrated in Fabric thanks to LISP CP
235
Wireless and SDA
Deployment Modes
SD-Access Wireless: true integration in Fabric
Figure: ISE / AD, APIC-EM / Cisco DNA Center, SD-Access Fabric (C, B, B), Fabric enabled WLC, Fabric enabled APs; CAPWAP control plane, VXLAN data plane
SD-Access Wireless
CAPWAP Control Plane, VXLAN Data plane
WLC/APs integrated in Fabric, SD-Access advantages
Requires software upgrade (8.5+)
Optimized for 802.11ac Wave 2 APs
True wireless integration with Fabric
Provides all the advantages of SDA for wireless clients:
Full automation with Cisco DNA Center
Hierarchical segmentation (VRF and SGT)
Same policy as wired
Distributed Data Plane with no drawbacks
Optimized traffic path for Guest
Recommended option
237
Wireless on top of SDA Fabric
Figure: ISE / AD, APIC-EM / Cisco DNA Center, SD-Access Fabric (C, B, B), Non-Fabric WLC, Non-Fabric APs; CAPWAP control & data
CUWN wireless Over The Top (OTT)
CAPWAP for Control Plane and Data Plane
SDA Fabric is just a transport
Supported on any WLC/AP software and hardware
Only Centralized mode is supported at FCS
No SDA advantages for wireless
Migration step to full SD-Access
Customer wants/needs to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.) and leave wireless “as it is”
Customer cannot migrate to Fabric yet (older APs, need to certify the new software, etc.)
238
Wireless on top of SDA Fabric
Figure: ISE / AD, APIC-EM / Cisco DNA Center, SD-Access Fabric (C, B, B), Non-Fabric WLC, Flex APs; CAPWAP control, Ethernet traffic
FlexConnect Over The Top (OTT)
CAPWAP for Control Plane
Data plane is locally switched. Wireless traffic is treated like wired traffic.
Not supported today (1.2)
FlexConnect local switching is not supported in SDA 1.2 (today)
Will it work? Probably yes, but it has not been fully tested, hence it is not officially supported
This applies also to 3rd party APs that bridge traffic at the AP
239
Wireless Integration in SDA Fabric
Figure: ISE / AD, APIC-EM / Cisco DNA Center, SD-Access Fabric (C, B, B), Fabric WLC serving a Fabric SSID + CUWN SSID; VXLAN for the Fabric SSID, CAPWAP control & data for the CUWN SSID
Mixed Mode
non-Fabric SSID: client traffic is CAPWAP encapsulated to WLC
Fabric SSID: client traffic is VXLAN encapsulated
Supported in SDA 1.1 in greenfield only
Mixed mode: mix of Fabric and non-Fabric (centralized) SSIDs
Mixed mode is supported both on the same AP or different APs
With Cisco DNA Center 1.1 mixed mode is supported only for greenfield deployments
Automation for Foreign-Anchor Guest SSID is supported in Cisco DNA Center 1.2
240
Cisco Meraki Cloud
Cisco Meraki Deployment
SaaS wireless offering
• Simplified IT with Cloud Management
• Wireless, switching, security, SD-WAN, application
performance management, unified endpoint management
(UEM), and security cameras
• Easiest solution to deploy, manage, and maintain
• Preconfigure networks before equipment is powered on or
connected for rapid, plug-and-play deployment.
• Scale quickly without limits or bottlenecks — no need to
purchase wireless LAN controllers
• Manage wired & wireless from one place for
centralized, end-to-end visibility and control
• Meraki Dashboard
Cisco IaaS Public Cloud Play: 9800-CL
Figure: responsibility by service model (Vendor vs Customer) for each layer of the stack
Application services – User interface, Dashboard, User Login, registration
Application Stack components – OS, Database, APIs, APP Svr, Monitoring, etc.
Infrastructure – Network, Servers, Firewall, Storage, etc.
Service models shown: IaaS, PaaS, SaaS; responsibility labels in the figure: Vendor, Customer
C9800-CL for Public Cloud (Network Services)
243
Cisco DNA Center and Meraki Integration
Inventory Visibility
(DNAC 1.1)
Up/Down Status
(DNAC 1.1)
• Add Meraki Dashboard into Cisco DNAC
• Visualize the Meraki Devices (AP’s, Switches, Security
Appliance, Cameras) along with Cisco’s Routers, Switches, AP’s
and WLC’s in the Cisco DNAC Inventory
• Cross Launch to Meraki Dashboard for additional details
• Visualize the Up/Down Status (Reachability) for Meraki Devices
within the Cisco DNAC Inventory
Single dashboard within Cisco DNAC to visualize both Cisco & Meraki Devices across the Enterprise
• A single topological view for the Enterprise to show the Physical
Topology for both Meraki & Cisco Devices
Topology
(DNAC 1.2)
244
Links for more information
For Your
Reference
Product Homepage:
https://meraki.cisco.com/products/wireless
MR Best Practices:
https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MR_Wireless
Meraki Session @ Cisco Live: BRKEWN-2028
245
High Availability
Cisco Catalyst 9800 Wireless Controller Differentiators
Reducing downtime for Upgrades and Unplanned Events
Columns on the slide: 16.10 Supported | Supported after 16.10
Controller Software Update – Software Maintenance updates (SMU^): Cold Patch (HA install on SSO Pair); Hot Patch (No Wireless Controller reboot); Auto Install on Standby
Access Point Updates – New AP Model & AP updates*: AP Device Pack (New AP Model); Flexible Per-Site, Per-Model Updates; Rolling AP Update (No Wireless Controller Reboot)
Software Image Upgrades – Wireless controller image upgrades: N+1 Hitless Rolling AP Upgrade
Unplanned Events – Device and network interruptions: High Availability with SSO Active-Standby; N+1 Primary, Secondary; Per AP Primary, Secondary, Tertiary
^ MD Release Only
247
Centralized Mode HA
Columns on the slide: Requirements | Benefits; vertical axis: Network Uptime
N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary): each Controller has to be configured separately; available on all controllers; crosses L3 boundaries; flexible: 1:1, N:1, N:N; use Smart Licensing to reduce licensing costs
Client SSO: minimum release 8.0; WLC: 3504, 5520, 8540, 9800; L2 connection; same HW and software; 1:1 box redundancy; Active Client State is synched; AP state is synched; no Application downtime
248
N+1 Controller Redundancy
• Redundant WLC in a
geographically separate location
• Layer-3 connectivity between the
AP connected to primary WLC and
the redundant WLC
• Redundant WLC need not be part
of the same mobility group
• Configure high availability (HA) to
detect failure and faster failover
• Use AP priority in case of over
subscription of redundant WLC
APs Configured With:
Primary: WLAN-Controller-1
Secondary: WLAN-Controller-BKP
APs Configured With:
Primary: WLAN-Controller-2
Secondary: WLAN-Controller-BKP
APs Configured With:
Primary: WLAN-Controller-n
Secondary: WLAN-Controller-BKP
WLAN-Controller-1
WLAN-Controller-2
WLAN-Controller-n
WLAN-Controller-BKP
NOC or Data Centre
249
Controller Redundancy - Stateful Switchover
(SSO)
• True Box to Box High Availability i.e. 1:1
• One WLC in Active state and second WLC in Hot Standby state
• Secondary continuously monitors the health of Active WLC via dedicated link
• Configuration on Active is synched to Standby WLC
• This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
• AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
• Active Client State in 8.0: client will not disconnect – Client SSO
• Downtime during failover reduced to 5 - 1000 msec depending on Failover
• In the case of power failure on the Active WLC it may take 350-500 msec
• In case of network failover it can take up to few seconds
• SSO is supported on 3504 /5520 / 8540 / 9800
250
Pairing 5520/8540 for SSO
Figure: L2 links between the pair; Back to Back as well as L2 RP Connectivity
251
High Availability (Client SSO) with Catalyst 9800 Virtual Platforms
Figure: on ESXi (C9800-CL-K9), vWLC1-Active with vWLC1-Standby and vWLC2-Active with vWLC2-Standby, each with CP and DP interfaces on a vswitch; the HA interface of each pair is carried over a vswitch for Redundancy Port Connectivity, either directly or RP via L2 switch
252
SSO Behavior and Recommendations
• WLC 55XX / 85XX: RP Connectivity between Active and Standby via switches or back-to-back
• WiSM-2: single 6500 chassis OR different chassis using VSS setup/extending redundancy VLAN.
• RTT latency on Redundancy Link: 80 milliseconds or less (80% of keep alive timer).
• Preferred MTU on Redundancy Link: 1500 or above.
• Bandwidth on Redundancy Link: 60 Mbps or more.
• Recommended to have Redundancy Link and RMI Connectivity between WLCs on different switches or on different L2 networks
• Keep alive/Peer Discovery timers should be left with default timer values for better performance
• Default box failover detection time is 3 * 100 = 300 + 60 = 360 + jitter (12 msec) = ~400 msec
253
Controller and AP software upgrades
SMU – Controller Updates: controller update or bug fixes. SMU on MD Release only
AP Service Pack – PSIRTs, fixes on APs: AP update or bug fixes
AP Device Pack – New AP Model Support: hot-patchable support for Device Pack (Future)
Contain impact within release: fixes for defects and security issues without need to requalify a new release
Faster resolution to critical issues: provide fixes to critical issues found in network devices that are time-sensitive
254
Wireless Controller SMU (Software Maintenance Update)
Wireless Controller SMU
Software Maintenance Update (SMU) is the ability to apply patch fixes on a software release in the customer network
Current mechanism relies on Engineering Specials
• Entire image is rebuilt and delivered to customer
Wireless Controller SMU installation options
Hot Patch (No Wireless Controller reboot) – Auto Install on Standby
Cold Patch – Wireless Controller Reboot
Hot-Patching: inline replace of functions without restarting the process. On SSO Systems, patch will be applied on both active and standby without any reload
Cold Patching: install of a SMU will require a system reload. On SSO systems, SMU updates can be installed on the HA Pair with zero downtime
SMU Infrastructure will be available in 16.10 FCS release
SMUs for C9800 will be available starting the first MD Release
256
Controller SMU: Standalone vs Redundant Wireless Controller
Hot Patch (No Wireless Controller reboot)
  Standalone box: No reload of Controller. AP & Client session won’t be affected.
  Redundant box: SMU activation applies patch on Active & Standby (Auto Install on Standby). There is no controller reload and there is no impact to AP and Client sessions.
Cold Patch (Wireless Controller Reboot)
  Standalone box: Reload controller. AP & Client sessions would be affected.
  Redundant box: Follows ISSU path and both Standby & Active controller reloaded but there is no impact to AP and Client session.
257
Catalyst 9800 SMU Cold Patch + AP Service Pack
Follows ISSU path and both Standby & Active controller reloaded but there is no impact to AP and Client session.
Figure (SSO pair, Active and Standby):
1. Install SMU on Standby
2. Switchover to Activate SMU
3. Install SMU on New Standby
Rolling AP upgrade if AP image needs update (Reset AP in staggered way)
258
Rolling AP Update/Upgrade
Infrastructure
N+1 rolling AP upgrades: Zero client downtime
during image upgrades
N+1 Catalyst 9800
Series Wireless
Controllers
Wave1/Wave2
Access Points
Key Highlights
Automated group creation with
Radio Resource management for
N+1 rolling AP upgrades
No more manual intervention to
create groups in Prime
Infrastructure
Manage all your software updates
and upgrades through Cisco DNA
Center*
*Future
260
Neighbor Marking
User selects % of APs to upgrade in one go [5, 15, 25]
For 25%, Neighbors marked = 6 [Expected number of iterations ~ 5]
For 15%, Neighbors marked = 12 [Expected number of iterations ~ 12]
For 5%, Neighbors marked = 24 [Expected number of iterations ~ 22]
Figure: N=4 Neighbor APs, N=8 Neighbor APs, N=24 Neighbor APs
Client Steering
802.11v
• Clients steered from candidate APs to non-candidate APs
• 802.11v BSS Transition Request
• Dissociation imminent
• If clients do not honor this, they will be de-authenticated before AP reload
262
N+1 Rolling AP Upgrade
Wireless controller image upgrade using N+1 staging Controller
Figure: Primary Wireless Controller (Version: X, then Version: X+1 after its reboot) and the upgraded N+1 Wireless Controller (Version: X+1) in the same Mobility Group; APs move between them during the upgrade
1. Device auto selects candidate APs based on selected % and RRM AP Neighbor Map
2. Upgrade process kicks in (Trigger Rolling Upgrade)
• Image download to Primary Wireless Controller
• Image pre-download to APs
• Selective redirect of clients using 11v
• APs moved to N+1 Wireless Controller in rolling manner
• Primary Wireless Controller Reboot
• APs moved back to Primary Wireless Controller (optional)
3. Monitor progress on the Device
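A simplified model of the candidate selection and neighbor marking described above, added here as an example (not Cisco's implementation, which the deck does not show): a planner picks the user's percentage of APs per pass, marks each candidate's RF neighbors so they stay up for 802.11v steering, and repeats until every AP has moved. The grid neighbor map is constructed as a stand-in for an RRM neighbor map; the N=4 case matches the slide figure.

```python
"""Model of candidate-AP selection for an N+1 rolling AP upgrade.

Added example, not Cisco's code: it reproduces the idea on the slides
(upgrade a chosen percentage of APs per pass, mark their RF neighbors so
they stay up, repeat) so a planner can verify that no pass takes down two
neighboring APs at once.
"""


def build_grid_neighbor_map(rows, cols):
    """Constructed stand-in for an RRM neighbor map: APs on a grid where each
    AP hears its 4-connected neighbors (the N=4 case in the slide figure)."""
    def name(r, c):
        return f"ap-r{r}c{c}"
    neighbors = {name(r, c): set() for r in range(rows) for c in range(cols)}
    for r in range(rows):
        for c in range(cols):
            for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                nr, nc = r + dr, c + dc
                if 0 <= nr < rows and 0 <= nc < cols:
                    neighbors[name(r, c)].add(name(nr, nc))
    return neighbors


def plan_rolling_upgrade(neighbors, percent):
    """Return a list of passes; each pass is the list of candidate APs that
    are moved to the N+1 controller together.

    neighbors: dict AP -> set of RF-neighbor APs (symmetric).
    percent:   share of all APs allowed per pass (5, 15 or 25 on the slide).
    """
    if not 0 < percent <= 100:
        raise ValueError("percent must be in (0, 100]")
    per_pass = max(1, len(neighbors) * percent // 100)
    pending = set(neighbors)
    plan = []
    while pending:
        candidates = []
        marked = set()  # neighbors of this pass's candidates: they stay up
        for ap in sorted(pending):  # deterministic walk of the pending APs
            if len(candidates) == per_pass:
                break
            if ap in marked:
                continue  # one of its neighbors is already a candidate
            candidates.append(ap)
            marked |= neighbors[ap]
        # Clients on each candidate are steered (802.11v BSS Transition
        # Request) to a marked neighbor before the candidate is moved.
        plan.append(candidates)
        pending -= set(candidates)
    return plan


def is_safe_plan(neighbors, plan):
    """True if no two APs in the same pass are RF neighbors and every
    candidate has at least one neighbor left up to steer its clients to."""
    for candidates in plan:
        chosen = set(candidates)
        for ap in candidates:
            if not neighbors[ap] or neighbors[ap] & chosen:
                return False
    return True


if __name__ == "__main__":
    grid = build_grid_neighbor_map(4, 4)
    for pct in (25, 15, 5):
        plan = plan_rolling_upgrade(grid, pct)
        print(f"{pct:>2}% per pass -> {len(plan)} passes, "
              f"safe={is_safe_plan(grid, plan)}")
```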
RRM – Radio Resource
Management
RF Group Planning
RRM—Radio Resource Management
• What are RRM’s objectives?
• To dynamically balance the RF Group coverage and mitigate changes
• Monitor and maintain coverage for all clients
• Manage Spectrum Efficiency and maintain the optimal throughput
• What RRM does not do
• Substitute for a site survey
• Correct an incorrectly architected network
• Manufacture spectrum
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_RRM_White_Paper/b_RRM_White_Paper_chapter_01.html
265
The RF Group is –
The single repository of RF data for the RF Group
• RF Group data includes
• Noise (e.g., radar, Bluetooth devices, microwave ovens)
• Interference (802.11—rogue APs)
• Signal – (our AP’s)
• Load
• Gathered for every AP in the group
• In context of RF Neighbor AP’s
• All of RRM’s decisions based on this data
• Location, 802.11k,v, CleanAir severity, DCA
The RRM Configurations (DCA, TPC, Coverage) present on the controller selected as
RF Group Leader are the configurations that will be used for the entire RF Group
266
Agenda
267
• Wireless Controller Non-Fabric Automation Workflow
• Planning Site and Maps
• IBN for Wireless Design
• Provision Workflow
• Brownfield Support
• Prime Migration
Cisco DNA Center Wireless Automation
Cisco DNA Center
Intent based Automation & Assurance Platform
268
Cisco DNA Center
Policy
Provision
Design
Assurance
Physical and Virtual Infrastructure
Cisco & 3rd Party
Cisco DNA Center Appliance
Intent based Platform
• Single pane of glass for all devices
• End-to-end health info in real time
• Granular visibility
• Simplified workflows
Automation for Provisioning
• Zero-touch deployment
• Device Lifecycle Management
• Policy enforcement
Analytics for Assurance
• Verify intent of network settings
• Proactively resolve issues
• Reduce time spent troubleshooting
Platform for Extensibility
• Integrate APIs with 3rd party solutions
• Integrate and customize ServiceNow
• Evolve operational tools and processes
Configuration - Traditional Network Management vs Intent Based
Traditional Management:
Provisioning is achieved using Templates & Config Groups
Config Templates are mostly customer provided
CLIs pushed via management console
Day 0 and Day N updates via multiple CLI template or composite templates
Manual failure recovery via another CLI template
Intent Based Automation:
Service Based network level Provisioning via Profiles & Policy Abstraction
Abstract services normalized across device types
Pushes Cisco CVD best practices
Maintain profile versions with In-built transactionality
Capability to roll back on failure
Simplified Day 0/N updates via settings and profiles at site/regional level
269
Wireless Automation
Workflow
Scenario
271
Campus Core
WAN/Internet
Typical Customer Network
A Large Enterprise is refreshing their Wireless infrastructure across their
retail stores
Intent
Need to have Enterprise &
Guest SSID’s with a high
density client population for RF
Wireless Automation - Overview
Plan Design
Network
Services
Design
Business
Intent
Provision
272
C9800 Wireless
Controller Support in
Cisco DNA Center 1.2.8
Key Points of Cat9800 Wireless Controller Support
• Same Day-0 Design and Provision Workflows as AireOS WLC.
• Provisioning is done via NETCONF, not CLI.
• Day-0 onboarding templates are not supported.
• Though Cat9840 and Cat9880 support PnP agent in 16.10 release, PnP claim is not supported yet in Cisco DNA Center 1.2.8.
274
Plan
Site Hierarchy & Maps
Plan Design Network
Services
Design
Business
Intent
Provision
Plan
Step 1 Create Site Hierarchy along with Buildings and Floors
Step 2 Import Floor Maps
Step 3 Manage Floor Map Properties
or
Step 4 Export the Site Hierarchy and Maps from PI and import into Cisco DNAC (PI Customers)
276
Export Sites and Maps from Prime Infrastructure
Export Sites
Site.CSV
Step 1 Step 2
277
Export Sites and Maps from Prime Infrastructure
Export Maps
Step 1 / Step 2
Maps.tar.gz
278
Wireless Design Workflow
Create Sites
Define Network
Settings
Define Wireless
Settings
Create Templates
(Optional)
Define Wireless
Network Profile
Assign Wireless
Network Profile to Sites
1
Area Level
Building Level
Floor Level
279
Design Network
Services
Plan Design Network
Services
Design
Business
Intent
Provision
Challenges with Network Services & Credentials
Vary by: Location
Differences in Network Design
Information often stored in files
• Error prone
Day 2 Updates become a challenge
281
Network Services and Credentials
Network Services
• AAA (Network and Client)
• DNS, DHCP
• NTP
Monitoring Services
• Syslog
• Traps
• Netflow and Application Visibility
Credentials
• CLI
• SNMP
• HTTP
282
Wireless Design Workflow
Create Sites
Define Network
Settings
Define Wireless
Settings
Create Templates
(Optional)
Define Wireless
Network Profile
Assign Wireless
Network Profile to Sites
2
TACACS
Policy Admin
Node
Policy Service
Node
Radius
2a) AAA Settings
283
Wireless Design Workflow
2
2b) Non-AAA
Common Settings
Create Sites
Define Network
Settings
Define Wireless
Settings
Create Templates
(Optional)
Define Wireless
Network Profile
Assign Wireless
Network Profile to Sites
284
Wireless Design Workflow
2
Inheritance logo
Overridden
2c) Site-Level
Inheritance and
Override
Create Sites
Define Network
Settings
Define Wireless
Settings
Create Templates
(Optional)
Define Wireless
Network Profile
Assign Wireless
Network Profile to Sites
285
Wireless Controller Design Workflow
2
2d) Device
Credentials
Create Sites
Define Network
Settings
Define Wireless
Settings
Create Templates
(Optional)
Define Wireless
Network Profile
Assign Wireless
Network Profile to Sites
286
Plan Design Network
Services
Design
Business
Intent
Provision
Design Business Intent
for Wireless
Network Deployment using Profiles
Campus Core
WAN/Internet
Typical Customer Network
A Single Profile
can be mapped to
multiple sites with
multiple devices
Small Sites - Small Profile
Medium Sites - Medium Profile
Large Sites - Large Profile
288
Network Deployment using Profile
289
Network
Design
Deployment
Standardization
Network
Compliance
Before
During
After
Profile Based Deployment
• Plan for the network
deployment
• Feature and Capabilities to be
enabled based on requirements
• Topology for network
deployment
• PnP Based Day 0 Deployment
• Version management of Profile
for Day 2 Change Management
• Configuration Compliance
Validation against Profile
• Remediation of Configuration to
Golden Configuration
Configuration Consistency
Simplified Network
Deployment
Integrated IT
Process Flows
Wireless Settings
Device Credentials
Network Settings
CLI Templates
Wireless Network Profile
System Generated Configuration by
Cisco DNA Center UI Orchestration
(~70%-80% of the WLC Config or
more)
• Network Settings
• Device Credentials
• Wireless Settings
• SSID
• Guest Network
• RF Profiles
• Deployment mode
• ..
User Defined Configuration (~20%-
30% of the WLC Config or less)
• CLI Templates
290
Wireless Attributes Applied by Cisco DNAC
Attribute                   | Enterprise | Personal | Open     | Guest-External | Guest-ISE
AVC                         | Enabled    | Enabled  | Enabled  | Disabled       | Disabled
Allow AAA Override          | Enabled    | Disabled | Disabled | Enabled        | Enabled
Coverage Hole Detection     | Enabled    | Enabled  | Enabled  | Enabled        | Enabled
Session Timeout             | 1800       | Disabled | Disabled | Disabled       | Disabled
Client Exclusion            | Enabled    | Enabled  | Enabled  | Enabled        | Enabled
11ac MU-MIMO                | Enabled    | Enabled  | Enabled  | Enabled        | Enabled
11k Neighbor List           | Enabled    | Enabled  | Enabled  | Enabled        | Enabled
11k Dual Band Neighbor List | Disabled   | Disabled | Disabled | Disabled       | Disabled
MFP Client Protection       | Optional   | Optional | Optional | Optional       | Optional
NAC State                   | None       | None     | None     | None           | ISE NAC
Local Client Profiling      | Enabled    | Enabled  | Enabled  | Enabled        | Enabled
11v                         | Enabled    | Enabled  | Enabled  | Enabled        | Enabled
291
Plan Design Network
Services
Design
Business
Intent
Provision
Provision Workflows
Wireless Controller Provision Workflow
Discover WLC
Provision
WLC to Site
APs Discover
Cisco DNA-
C via PnP
Provision
APs to Site
293
Wireless Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
1
Minimum Configuration on Cat9800 Wireless Controller for
successful discovery and management on Cisco DNA
Center:
• SSH and NETCONF are enabled
• CLI Login Credentials
• Wireless Management Interface
294
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
1 Ensure NETCONF is
enabled (C9800)
295
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
1 The following configuration is added to Cat9800 after
discovery:
• Install multiple certificates:
• Cisco DNA Center device certificate issuing CA, sdn-network-infra-iwan
• Enroll device certificate of Cat9800 to sdn-network-infra-iwan
• Cisco DNA Center server certificate and its issuing ca certificate
• Cisco smart licensing agent root CA
• Generate self-signed certificate named “ewlc-tp1” for AP joining
• SNMP credentials
• SSH/HTTP source interface from management SVI/IP
• Enable network assurance telemetry
296
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
2
297
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
2
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
2
Sites are logically managed per WLC: the WLC must be assigned to the site first, before APs are provisioned to it later.
299
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
2
300
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
2
Example Cat9800 Wireless Controller
• Network Settings: TACACS, Radius, SNMP, Syslog, DHCP, DNS, NTP, etc.
301
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
2
On Cat9800 Wireless
Controller
• Country Code
• Create Policy Profile
• Create WLAN Profile and associate
with policy profile
Note that the WLAN index starts at 17
302
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
2
ISE
a) Network Settings - AAA
Cisco DNA-C adds the WLC into ISE as a network device for Radius and TACACS via an ERS API call.
303
Provision Workflow - AP’s
304
Provision AP
Option 1 – Claim AP to Site: more control on AP provisioning
Option 2 – Onboard AP - Plug & Play (Zero touch Deployment): import a CSV with the AP S/N, AP Name, Location, RF Profile; AP gets automatically claimed and provisioned
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
3
Figure: AP, DHCP Server and Cisco DNA Center (PnP Server; Policy, Automation, Analytics)
1. DHCP Server returns Option 43: 5A1D;B2;K4;I192.168.139.151;J80 (the Cisco DNA-C IP)
2. AP contacts the PnP Server on Cisco DNA-C
3. SSL
305
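The Option 43 string on the slide, parsed and reviewed from a defender's side, as an added example that is not from the deck. The field meanings (5A = PnP suboption, 1 = active, D/N = debug on/off, B = address type, K = transport with 4 = HTTP and 5 = HTTPS, I = server, J = port) are taken from the PnP Option 43 ASCII format as generally documented for Cisco DNA Center PnP, not from the slide; 192.168.139.151 is the Cisco DNA-C address shown on the slide, and any other letters are kept raw rather than interpreted.

```python
"""Parse and sanity-check the Cisco PnP DHCP Option 43 string an AP receives.

Added example, not from the deck. Field meanings are from the PnP Option 43
ASCII format as generally documented for Cisco DNA Center PnP, not from the
slide: 5A = PnP suboption, 1 = active, D/N = debug on/off, B = address type
(1 hostname, 2 IPv4, 3 IPv6), K = transport (4 HTTP, 5 HTTPS), I = server,
J = port. Letters outside that set are preserved, not interpreted.
"""
import ipaddress

ADDRESS_TYPES = {"1": "hostname", "2": "ipv4", "3": "ipv6"}
TRANSPORTS = {"4": "http", "5": "https"}


def parse_pnp_option43(value):
    """Return a dict describing the option; raise ValueError on malformed input."""
    fields = [f for f in value.strip().split(";") if f]
    if not fields or len(fields[0]) != 4 or not fields[0].startswith("5A"):
        raise ValueError(f"not a PnP option 43 string: {value!r}")
    head = fields[0]
    if head[2] != "1":
        raise ValueError(f"unexpected operation flag {head[2]!r} (expected 1 = active)")
    if head[3] not in "DN":
        raise ValueError(f"unexpected debug flag {head[3]!r} (expected D or N)")
    opt = {"debug": head[3] == "D", "extra": {}}
    for field in fields[1:]:
        key, val = field[0], field[1:]
        if key == "B":
            if val not in ADDRESS_TYPES:
                raise ValueError(f"unknown address type B{val}")
            opt["address_type"] = ADDRESS_TYPES[val]
        elif key == "K":
            if val not in TRANSPORTS:
                raise ValueError(f"unknown transport K{val}")
            opt["transport"] = TRANSPORTS[val]
        elif key == "I":
            opt["server"] = val
        elif key == "J":
            port = int(val)
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            opt["port"] = port
        else:
            opt["extra"][key] = val  # preserved, not interpreted here
    for required in ("address_type", "transport", "server", "port"):
        if required not in opt:
            raise ValueError(f"missing field for {required}")
    # The server value must agree with the declared address type.
    try:
        ip = ipaddress.ip_address(opt["server"])
        actual = "ipv4" if ip.version == 4 else "ipv6"
    except ValueError:
        actual = "hostname"
    if actual != opt["address_type"]:
        raise ValueError(
            f"server {opt['server']!r} does not match address type {opt['address_type']}")
    return opt


def audit_pnp_option43(opt):
    """Review findings a practitioner would want before the DHCP scope reaches AP VLANs."""
    findings = []
    if opt["transport"] == "http":
        findings.append("plaintext HTTP (K4) for the first PnP contact; K5 (HTTPS) is stronger")
    if opt["debug"]:
        findings.append("PnP debug flag (D) is on; use N outside troubleshooting")
    if opt["address_type"] == "hostname":
        findings.append("server given as hostname (B1); DNS integrity decides which PnP server the AP reaches")
    expected_port = {"http": 80, "https": 443}[opt["transport"]]
    if opt["port"] != expected_port:
        findings.append(f"non-standard port {opt['port']} for {opt['transport']}")
    return findings


if __name__ == "__main__":
    # The exact string shown on the slide (192.168.139.151 is the Cisco DNA-C IP there).
    parsed = parse_pnp_option43("5A1D;B2;K4;I192.168.139.151;J80")
    print(parsed)
    for finding in audit_pnp_option43(parsed):
        print("-", finding)
```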
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
3
306
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4
What will be provisioned?
• On APs (via PnP):
• Primary WLC Hostname
• Primary WLC IP
• AP Hostname
• On WLC (via NETCONF):
• Create RF Profile if applicable
• Create Wireless Flex Profile if applicable
• Create Policy, Site and RF tags
• Assign AP mode with corresponding policy, site and RF tags
307
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4
308
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4
APs must be
assigned to
floor level.
AP is configured as FlexConnect AP if any
SSID in the site profile is enabled with
“FlexConnect Local Switching”.
309
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4 RF profile is used to
generate RF Tag and
associate it to AP.
310
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4
311
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4
After AP joins Cat9800 wireless controller successfully, AP join SNMP trap will be sent to Cisco
DNA Center so that AP can be added into inventory.
312
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4
Provision AP via PnP
Sample AP Log for Provisioning AP via PnP
313
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4
Cat9800 Wireless
Controller
RF Tag
Policy Tag
Site Tag
Flex Profile
314
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Wireless Controller Provision Workflow
Discover WLC
Provision WLC to
Site
APs Discover Cisco
DNA-C via PnP
Provision APs to
Site
4
AP is in Flex mode and assigned with newly created policy, site and RF tags.
AP Configuration on
Cat9800 Wireless Controller
315
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
How did the APs find their WLC?
(diagram) Site: San Jose, SJC-WLC-1; San Jose - Building 1 with Floor 1 APs; RTP - Building 1 with Floor 1,2 APs.
AP floor information (e.g. SJC-B1-F1) is learned via PnP with DNS/DHCP Option 43, then Claim AP, then WLC Provisioning (Managed AP Locations, e.g. SJC-B1-F1), then AP Provisioning.
Option 2: Bulk AP Deployment
1. Import APs
2. Prepare AP Bulk Import CSV and Upload
(screenshot) Status: Import APs vs. Actively Connected APs
3. Auto Claim APs when they contact Cisco DNA-C via PnP
How Wireless Deployment comes together
(diagram)
• Site/Building: common settings for Sites; Network Services mapped to Sites
• Profile mapped to Site: SSIDs and RF parameters that represent the wireless network
• WLC mapped to Sites: map the sites that the WLC will manage
• AP mapped to Site: APs inherit the properties of the Profile associated to the site
Brownfield Support
Brownfield Migration to Profiles
Discover, Learn, Generate Profile, Re-Provision
• Discover: WLC added to Cisco DNAC Inventory
• Learn: SSIDs, RF Profiles, AP Locations
• Generate Profile: map to existing Profile, or create new Profile; assign Profiles to Sites
• Re-Provision: re-provision the WLC so that Cisco DNAC manages the WLC using the Profile
Brown Field Support (screenshots of the Discover, Learn, Generate Profile, Re-provision workflow)
1. Assign WLC to Site
2. Learn Network Settings
3. Learn Wireless Settings
Note that the entire SSID configuration will be discarded due to a conflict on the AAA server.
Prime Coexistence Scenarios
Deployment with Prime and Cisco DNA Center
Cisco DNA Center Managed Network:
• Cisco DNA Center is used for Day 0 and Day 2.
• One time migration from Prime to Cisco DNA Center
Prime and Cisco DNA Center Managed Network:
• Run Cisco DNA-C and Prime together in the network
• Cisco DNA Center is used for Automation or Assurance or both for parts of the network
There is only one system that will make changes to the network.
Migration Scenarios
Full Migration from Prime to Cisco DNAC
Prime and Cisco DNAC Co-existence:
• Cisco DNAC in Automation Mode (3): PI = RO, DNAC = R/W
• Cisco DNAC in Assurance Mode (1): PI = R/W, DNAC = RO
• Cisco DNAC in Automation + Assurance Mode (2): PI = RO, DNAC = R/W
There is only one system that will make changes to the network.
Workflows for Embedded Cisco Catalyst 9800 on Cisco Catalyst 9300 Switches
Pre-requisites
• The Cisco Catalyst 9300 switch should be booted in “INSTALL” mode.
• Cisco Catalyst 9300 boots in “INSTALL” mode by default, from factory.
• SSH should be enabled on the Catalyst 9300 switch.
• NETCONF should be enabled in the discovery via Cisco DNA Center.
• NETCONF is used to deploy the wireless configurations.
Create Wireless SSID in Design (screenshots, steps 1 to 4)
Enable Embedded Cisco Catalyst 9800 (screenshot)
Embedded WLC on Border/CP - Complete
Agenda
Cisco DNA Wireless Assurance
• Architecture Building Blocks
• Aironet Architecture for Cisco DNA Wireless Assurance
• Wireless Client and Network Health
• Client Insights using Apple analytics and Aironet Active Sensor
• Wireless Issue analysis
• Real-Time Wireless Troubleshooting using Intelligent Capture
Cisco DNA Analytics and Assurance
Architecture Overview
Cisco DNA Center: Power of Analytics and Automation working in sync
(diagram labels: Automation; Assurance and Analytics; Streaming telemetry & network data; Network and telemetry configuration; Telemetry, alerts, violations; Network inventory, topology, and configuration)
Cisco DNA Assurance Architecture
(diagram) Customer Datacenter: Cisco DNA Automation (Network Control Platform), Cisco DNA Assurance (Network Data Platform), Cisco DNA Center Assurance UI. Customer Network: Network Services DC, WAN, Office Site, DHCP, CMX. Network Control Points (ssh); Protocols & APIs (WSA, gRPC, SNMP, NetFlow, Syslog, Location, CLI, ...); Metrics, Events, Config, ...; Control, Notifications, ...; Cisco DNA Cloud Analytics (cloud based ML engine): Data, Insights, Feedback.
Wireless Assurance Design considerations
Wireless Assurance Architecture: Enable Assurance across all deployments
(diagram) Fabric Campus site and Non Fabric Campus (Large, Medium): Core, Distribution, Access, ACI Fabric, Shared Services, Internet Edge, WAN Edge; Internet, WAN, WAN Sites (Small); all Assurance Enabled.
Assurance Wireless Feature Support Matrix
Device Category | Minimum OS | Telemetry channel to Cisco DNAC | 3rd party telemetry | Note
WLC 3504/5520/8540 | 8.5.120 | WSA, NetFlow | Webhook (Req. 8.8) | Recommend 8.5 or 8.8 Track
C9800 | 16.10.1 | WSA, NetFlow | Telemetry | (none)
ME | 8.8 | WSA | n.a | Up to 200 ME support from Cisco DNAC
AP4800 | 8.7.106 | gRPC (Req 8.8) | n.a | Full PCAP capture; AP as a Sensor on 8.5MR4
AP2800/3800 | 8.5.120 | gRPC (Req 8.8) | n.a | AP as a Sensor on 8.5MR4
AP1800 | 8.5.257 | AP-WSA | n.a | No DNS Stat support
Active Sensor AP1800S | 8.7.258 | AP-WSA | n.a | Unique image versioning
802.11n AP | 8.5.120 | n.a | n.a | No support beyond 8.5
Key Use Cases on Wireless Assurance in 1.2.5
Client Onboarding
1. Actionable Dashboards: Onboarding Sankey charts for better analysis
2. Real-time Correlation: correlate onboarding events with poor RF and client location for RCA
3. Intelligent Capture: onboarding failures with in-service PCAPs
(screenshot: Sankey chart)
Client and Network Experience
Health Dashboard: near-real-time client tracking (
(table; the column headings are not recoverable from the source)
AP RF Stat Intervals | 30 sec | N.A | N.A
Client RF Stat Intervals | 5 sec | N.A | N.A
On-Boarding Event Viewer Intervals | 2 sec | N.A | N.A
Spectrum Analyzer | 5 sec | N.A | N.A
Output Update Interval on Cisco DNAC | 30 sec | N.A | N.A
*Available with 8.8 and 1.2.5 only
Cisco DNA Center Assurance
WSA Architecture Overview
• WSA is a streaming telemetry service that runs on the new WLC with AireOS 8.5+
• WSA posts model-driven telemetry data over HTTPS to Cisco DNA Center
• The server receives the data for further processing, analytics, or visualization within Assurance
(diagram) WLC 8.5 Wireless Service Assurance: Yang Models, Certificate Store, Subscription Topics, 30+ Models, HTTPS POST to Cisco DNA Center; data remains within the CAPWAP tunnel from the AP to the WLC.
Telemetry in AireOS
• Pub/Sub Feature: subscribe to topics on the WLC and data is pushed to Cisco DNAC or a 3rd Party Server
AireOS WLC 8.5+ “WSA” (Wireless Service Assurance):
• Yang Models, subscription per model; YANG models not published
• Cisco DNAC generates and manages the HTTPS certificate (config transfer datatype NaServerCaCert)
• Configurable interval
• Configurable model subscriptions
• All models enabled by Cisco DNAC
• Differential, compressed payloads available
• Interval: 2, 15, 30, 90, 300 seconds
AireOS WLC 8.7+ “Webhook” (Cisco DNA Center Assurance Webhook):
• 7 Subscriptions, 27 Yang Models: AP, Client, System, Network, Rogue, Mapserver, interferer
• JSON encoded payloads are sent over HTTPS POST
• Certificate generated manually and installed on the WLC and into the 3rd Party server (config transfer datatype webhook-ca-cert)
• Configurable interval
• Configurable model subscriptions
• Full or differential payloads
• No compression
• Interval: 30 or 300 seconds
Streaming Telemetry in AireOS/WLC
ver | Feature | Use | Subscriptions | Models | Interval (seconds) | Diff-Sync | Notes | Release Date
8.5 | WSA | Cisco DNA Center | 1 per model | 32 | 30, 60, 300 | Globally | Cisco DNAC minimum | October 2017
8.7 | WSA or Webhook (beta) | Cisco DNA Center, 3rd party | 7 | 27 | 30, 300 | Globally | DNS KPI on AP2/3/4K | April 2018
8.8 | WSA AND Webhook (FCS) | Cisco DNA Center, 3rd party | 1 per model | 47 | Special filtered channel for WSA (2 sec and 5 sec); 15, 30, 60, 90, 300 | Per model | DNS KPI on AP1800; WSA + Webhook concurrent operation | TBD: Aug 2018
Wireless Client and Network Health
Overall Health Summary View
• Hierarchical Site View
• Per Site
• Per Building
• Geo map with Health Score per Site
• Health Score is the percentage of good devices/clients
• Client Health Score and Network Health Score summary
• Recent Top 10 Global Issues
Client Health Summary View and Workflow
• All clients, or a breakdown of the client health site score for wired and wireless clients
• In 1.2.5 a last-5-minute view is provided across all widgets
• Trendline health summary chart for the 24 hr view
• From this page, we can navigate to:
• The individual site-specific Client summary page
• Network Time Travel using the 24-hour Client Health Trend
• Enhanced Client List View
Client Health Score Details – Wireless Client
(screenshot callout: RSSI = -45 dBm)
Connected Health Score by SNR:
SNR | 0 ~ 9 | 10 | 11 ~ 12 | 13 ~ 14 | 15 ~ 19 | 20 ~ 39 | >= 40
Connected Health Score | 0 | 1 | 2 | 3 | 4 | 5 | 6
Onboarding Score by status:
• 1 – Red (Not onboarded)
• 4 – Green (Onboarded)
• Health Score = single KPI that indicates client connection status and quality
• Calculated every 5 min, using client RSSI and SNR from WLC streaming telemetry, which arrives at a 30-90 sec interval
• Device score is chosen from the highest Client Health Score KPI
Connected Health Score – selected between RSSI and SNR; the higher health score is used*
• 0 to 6 based on RSSI/SNR range
*Client with RSSI -71 dBm & SNR 16: RSSI -71 dBm is tied to Health Score 1, but because SNR is 16 the Health Score will be 4, since the Connected Health Score chooses the ‘higher’ KPI.
Enhanced Client Health
• Last 5 Minutes View for current snapshot
• New Sankey Chart: Success/Failed/Failed Reason
• Combined Identifier for MAC/Username/Hostname
• Connected, Not Connected Status
• Contextual Filter
• Customizable columns
Client Health Analytics Charts
• Client Attempts by Onboarding Time
- Distribution of total onboarding time taken by clients
• Connectivity RSSI / SNR chart
- RSSI / SNR distribution received from wireless clients
• Drill-down view of each widget and details
• 5 min or 24 hr (custom) trend
• Network Time Travel
Client Health Drill Down – Onboarding
• Breakdown view of Assoc. time, AAA time, DHCP time
• Per-server view on AAA & DHCP
• Selecting any sub-section shows the client list in the selected category
• Display applied filter on top of the list
• Show onboarding performance of each client
Client 360
• Shows details on a specific client
• Timeseries metric chart of the client health score
• Individual client issues
• Onboarding Event Viewer
• Application Experience
• Using Router – App Health derived from Network Delay, App Delay, Packet Loss
• Path Trace Tool for Troubleshooting
• RF and Usage Details (screenshot callout: 215 Kbps)
Client 360 – Event Viewer
• Client Onboarding State Analytics
• Always on for all clients
• Highlights any Onboarding Failure, Roaming Failure, De-authentication from AP or Client
• Events are aggregated per onboarding session, providing session details
• Provides onboarding delay and duration per step
• Browse with the Network Time Travel feature
• Stores up to 7 days
Overall Health Summary View
• Shows aggregated Client/Network health score
• Geo-map or Location List based health overview
• Shows % healthy devices
• Health score trend line (3 hr/24 hr/7 days)
• Top 10 Global Issues
Network Health View – Top section
• Provides a toggle view on site health in the geo-map / Site list / Network Topology
(screenshots: Topology View, Geomap View, Location List view)
Network Health Summary
• Network health = % of all good (healthy) devices from total devices
• Device score is chosen from the lowest Device KPI type
• Health Score assignment is based on the Cisco Best Practice KPI threshold value
Network Health Score Details
• Health Score = single KPI that indicates network device and link condition
• Calculated every 5 min, with a 15 min window
• A single Network Health Score refers to multiple KPIs, categorized into two sections: System Health and Data Path Health
• Network health = % of all good (healthy) devices from total devices
• Device score is chosen from the lowest Device KPI type
• Health Score assignment is based on the Cisco Best Practice KPI threshold value
System Health
• CPU
• Memory
• Free MBuf
• Free Timer
Data Path Health
• Uplink Status (Switch)
• Link Error (Switch, AP, WLC)
• Noise, Air Quality, Interference, Radio Utilization (AP)
• Packet Pools, WQE Pools (WLC)
Multi-Carrier Modulation (figure)
Channel Bonding
(figure) 20-MHz + 20-MHz = 40-MHz with gained space; 40-MHz + 40-MHz = 80-MHz with gained space
Channel Bonding Guidelines
20MHz
• Significant radar activity forcing channel changes
• Light to medium data requirements
• VoWLAN
• Legacy .11a clients
40MHz
• Real-time video
• Streaming video
• Moderate to heavy data usage
80MHz
• Majority of 802.11ac clients
• Majority of smart phones and tablets
• High Definition Video streaming
• Heavy data usage for high throughput
160MHz
• Majority of .11ac Wave 2 capable clients
• Using point-to-point bridge or WGB mode
• Very heavy data usage
• Low density of APs
2.4GHz Spectrum (figure)
5GHz Spectrum (figure)
Wi-Fi Spectrum
• A shared medium
• In unlicensed spectrum
• Unlicensed
• Not Unregulated
• Laws regulating spectrum use
• Maximum transmit power
• Maximum antenna gain
• Interference
• Eavesdropping
Hardware Matters (figure)
CleanAir: Detects and Mitigates Interference
• Spectrum Analysis Engine (SAgE)
• The SAgE core has a highly granular spectral resolution of 78.125 kHz, which helps enable broad interference detection and analysis
• Digital Signal Processor (DSP) Vector Accelerator (DAvE)
• The DAvE core performs intensive signal processing operations for detailed RF fingerprint analysis
• Event Driven Radio Resource Management (EDRRM)
• Historical view of interference events
CleanAir: Spectrum Visibility
(figure) Cisco CleanAir Wi-Fi chipset, spectral resolution at 78 kHz: power vs. frequency plot resolving a Microwave Oven and Bluetooth; Standard Wi-Fi chipset, spectral resolution at 5 MHz: power vs. frequency plot where the interferer cannot be identified (“?”)
Spectrum Analysis: Cisco DNA Assurance (screenshot)
Radio Resource Management
1. Dynamic Channel Assignment (DCA)
2. Transmit Power Control (TPC)
3. Coverage Hole Detection and Mitigation (CHDM)
• What It Doesn’t Do
• Substitute for a site survey
• Correct a poor RF design
• Manufacture spectrum or otherwise counteract the laws of physics…
• What It Does
• Dynamically balances infrastructure and mitigates changes
• Monitors and maintains coverage for all clients
• Provides the optimal throughput under changing conditions
Neighbour Discovery Protocol
• Neighbour Discovery Protocol (NDP)
• Provides visibility of the RF environment from the AP perspective
• An AP is considered a neighbour if heard at a minimum of -80dBm
• Defines RF Groups
• NDP messages
• Sent at the highest allowable power
• Sent at the lowest data rate
• DCA channels
• TPC power levels
• Coverage Hole Detection
• Optimised Roaming
• 802.11k/v
Dynamic Channel Assignment
• Avoid Foreign AP Interference
• Increases bias on Rogue APs
• Encourages DCA to work around the neighbouring AP
• Can cause an increase in channel changes in the presence of transient rogue devices
• Optimises channel assignments within the RF group domain
Dynamic Channel Assignment: Dynamic Bandwidth Selection
• Improves the DCA algorithm to consider channel bonding scenarios
• Optimise channel width
• Highest client data rate
• Lowest channel utilisation
• Minimise retries
• Event Driven RRM
• Avoid CleanAir interfering sources
• Avoid Rogue APs
Dynamic Channel Assignment: Dynamic Frequency Selection
• If a Radar Pulse is detected on a DFS channel, then that channel is blocked for 30 mins
• Majority of 5GHz channels require DFS
• There are many “radar-like” events that may cause false DFS detections
• Client interference
• Misbehaving Rogue APs
• Random Pulses
Dynamic Channel Assignment: Flex-DFS
• Uses CleanAir to detect DFS events
• Radar frequency detection narrowed to 1MHz
• Minimises false or off-channel radar alarms
• Integrated with DBS to select correct channel widths
• Radar only affects a 20MHz channel
• Prevents additional 20/40MHz channels from going unused
(figure: channels 52, 56, 60, 64)
Transmit Power Control
• Optimises power levels
• Reduces RF signal bleed and inter-AP interference
• When APs boot up for the first time they transmit at their maximum power level
• When APs are power cycled or rebooted, they use their last configured power settings
• TPC adjustments will subsequently occur as calculated by the algorithm
Coverage Hole Detection and Mitigation
• Based on the RSSI detected at the AP
• Can differentiate between data and voice clients
• Not all detected holes are legitimate
• Detects sticky clients
• Poor RF design
• Minimum Client Level determines the minimum number of clients that must be in a coverage hole before mitigation is considered
• Exception Level defines the percentage of clients which must be in a coverage hole for mitigation to be considered
• Both conditions must be satisfied for mitigation to occur
Dual 5GHz
• Improves Client Performance and Capacity
• Improves the Effective Spectrum Utilisation
• Micro-Cell
• 802.11ac clients near the AP
• Clients connecting at 802.11ac data rates
• Macro-Cell
• 802.11ac clients further from the AP
• Clients connecting at legacy data rates
(figure: Micro-Cell, Macro-Cell)
Antenna Design: Macro-Cell Antenna (figure: Azimuth, Elevation)
Antenna Design: Micro-Cell Antenna (figure: Azimuth, Elevation)
Macro/Macro Dual Band
• The further a client is from the AP, the lower the data rate that will be used
• Data Rate is a function of SNR
• The higher the SNR, the higher the data rate which can be sustained
• A single 5GHz cell has a finite amount of Air Time
• Capacity is the sum of all clients within the cell's Air Time
• You can’t get more than one second out of 1s of Air Time
(figure: clients at -63, -60, -58, -68, -71, -73, -75 and -51 dBm; Channel Utilisation (36) = 60%)
Macro/Micro Dual 5GHz
• Creates two RF diverse 5GHz cells
• Doubles available Air Time
• Optimising Connections (Macro vs Micro) keeps like-performing clients together
• RRM optimises based on RSSI
• Other possibilities being explored:
• 802.11 Protocol
• Supported data rates
• Supported number of spatial streams
(figure: clients at -63, -60, -58, -68, -71, -73, -75 and -51 dBm)
Channel
Network Health by Role/Type
Breakdown of Device Health per type, with snapshot (15 min) or historical (24 hr) view
Control Plane provides a score for fabric control plane connectivity. Applies to fabric devices only.
System Health gives the health based on CPU and memory metrics.
Latest addition - AP Analytic Widgets
• In-widget band filter on the Top-N AP with interference widget
• All widgets have LATEST and TREND (24 hrs) views
CMX Integration
CMX integration
(diagram) AP, WLC, CMX and Cisco DNA-C: NMSP from WLC to CMX; Fast Path from AP; Subscribe from Cisco DNA-C to CMX; Notify from CMX to Cisco DNA-C
• Client updates sent via existing methods
• From WLC via NMSP
• Directly from AP (switched through WLC via Fast Path)
• Cisco DNAC subscribes/registers for location updates for one client or a list of clients
• CMX notifies Cisco DNAC of client updates
CMX-DNA Center integration
• Add CMX On-Prem instance
• [DESIGN][Network Settings][Wireless] CMX Settings
• Type GUI (admin) and CLI (cmxadmin) login credentials
• CMX 10.4.1.15 and above
• Add WLC to CMX
• [SYSTEM][Settings][Controller and Maps Setup][Advanced]
• Add WLC through SNMP RW
• Cisco DNA Center 1.2.x
Cisco DNA-CMX Integration Feature
• Accessible via [DESIGN][Network Hierarchy]
• Displays the locations of all connected clients
(screenshot callouts) Display Connected Client Health Score; Client Detail; Client Location Playback; Client Location, Client Density heatmap
Any changes in the Floor Map will be automatically synced with the CMX Map, and vice versa.
Real-Time Client location Tracking
(screenshot callouts: 2. Live Coverage Hole Analysis; 36; 10.10.1.25)
• Live Coverage Hole analysis that provides real-time client movement overlaid with client onboarding events and client RF metrics
• Historical Client Location Playback feature for any given moment in the past 7 days
Client Insights using Apple analytics
Advanced Client Insights – Apple iOS Analytics
• Insights into the client's view of the network – neighboring Access Points
• Detailed client device profile information – device model, OS details
• Provides clarity into the reliability of connectivity – client disassociation details
Capability unique to Cisco Wireless Networks only!
iOS Device Support for Cisco Apple Analytics
Device Type | iPhone | iPad
Device Hardware | iPhone 7 (Internal Name: iPhone9,1 and iPhone9,3); iPhone 7 Plus (Internal Name: iPhone9,2 and iPhone9,4); or newer | iPad (9.7-inch) 6th Gen (Internal Name: iPad7,5 and iPad7,6); iPad (9.7-inch) 5th Gen (Internal Name: iPad6,11 and iPad6,12); iPad Pro (12.9-inch, 2nd gen) (Internal Name: iPad7,1 and iPad7,2); iPad Pro (10.5-inch) (Internal Name: iPad7,3 and iPad7,4)
Apple iOS Software | 11.0 and higher | 11.0 and higher
Cisco AireOS Software | 8.5+ | 8.5+
Access Point Support | 802.11n/ac APs | 802.11n/ac APs
1st Gen iPad Pro 2015/2016 models (iPad6,3/6,4/6,7/6,8) are not supported
Client Insights using Wireless Sensor
Proactive Troubleshooting from the client perspective
Aironet 1800S Active Sensor / AP as a Sensor (1800/2800/3800/4800)
Sensor Anywhere drives the intelligence of Cisco DNA Assurance to the edge
Test Your Network Anywhere at Any Time at Real-world Client Level
Aironet 1800S Active Sensor (purpose-built hardware for analytics):
• 2x2 with 2 spatial streams
• Multiple powering options
- PoE Power
- USB Type “C” power
- Direct AC Power Plug
• Integrated BLE
• Ultra compact form factor
AP as a Sensor: in-line monitoring to Cisco DNA for analytics and insights while serving clients
Features: SLA Dashboard; Onboarding & Services Tests; Configure Tests Remotely; Global Issue Creation; Dynamic Sensor Test Trigger
Two types of Sensor, two types of discovery path to Cisco DNAC
(diagram) AP1800S learns the Cisco DNAC IP address via DHCP Option 43 or DNS; AP1800/AP2K/3K/4800* reach Cisco DNAC through the WLC over the WSA Channel
*AP2/3/4K’s AP as a Sensor will be supported in 8.5MR4
Active Sensor Workflow - Step 1
Dedicated Sensor discovers Cisco DNA Center via DHCP Option 43 or DNS Hostname
1. Connect
(diagram) AP1800S learns the Cisco DNAC IP address via DHCP Option 43 or the DNS hostname “PNPSERVER” from the DHCP Server, then connects to Cisco DNA Center over https (JWT); AP1/2/3/4800 reach it via the WLC
1. Configure DHCP Option 43 with the following string value in ASCII:
5A1N;B2;K4;I192.168.2.206;J80
5A1N - Specifies DHCP option for plug and play
B2 - IP address type (IPv4) [B1 - Hostname / B2 - IPv4]
K4 - HTTP (default) [4 - HTTP / 5 - HTTPS]
I - PnP Server IP Address (in this case the Cisco DNA-C IP Address)
J80 - Port to connect to Cisco DNAC (80 for HTTP and 443 for HTTPS)
Active Sensor Workflow - Step 1
DHCP/DNS Server Configuration
1. Connect
From DHCP Server: create Option 43 “5A1N;B2;K4;I10.13.1.100;J80"
OR
From DNS Server: create entry “PNPSERVER” and assign the Cisco DNAC IP Address
10.13.1.100 – Cisco DNAC IP Address
Notes:
• If the Option 43 field is already used for another purpose, use conditional Option 43 using the VCI string. AP1800S’s VCI string is “Cisco AP C1800”
• 8.5.257 requires additional NTP (DHCP Option 42) setup on the DHCP server. The NTP option is no longer required on 8.7.257 and later
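The Option 43 field layout from the two slides above, parsed, validated and built in Python as an added example (not Cisco code). The field meanings come from the slides; the validation rules, the hostname variant (B1) and the review_option43 warnings are this example's own assumptions, written so an administrator can check a string before it goes into a DHCP scope.

```python
"""Parse, validate and build the Cisco PnP DHCP Option 43 ASCII string.

Added example, not Cisco code. Layout as described on the slides:
    5A1N;B<addr type>;K<transport>;I<server>;J<port>
The checks below (and their messages) are this example's own choices.
"""
import ipaddress
import re
from typing import Optional

PNP_PREFIX = "5A1N"                        # fixed plug-and-play marker
ADDRESS_TYPES = {"1": "Hostname", "2": "IPv4"}
TRANSPORTS = {"4": "HTTP", "5": "HTTPS"}
DEFAULT_PORTS = {"HTTP": 80, "HTTPS": 443}  # per the slide: 80 for HTTP, 443 for HTTPS

# Hostname label check (assumption: RFC 1123 style labels) for B1 strings.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_option43(value: str) -> dict:
    """Split the ';'-separated string into its B/K/I/J fields.

    Returns {"address_type", "transport", "server", "port"} or raises
    ValueError when the string does not follow the PnP layout.
    """
    fields = value.strip().split(";")
    if fields[0] != PNP_PREFIX:
        raise ValueError(f"missing PnP prefix {PNP_PREFIX!r}: {value!r}")
    tagged = {}
    for item in fields[1:]:
        if len(item) < 2 or item[0] not in "BKIJ":
            raise ValueError(f"unknown field {item!r}")
        if item[0] in tagged:
            raise ValueError(f"duplicate field {item[0]!r}")
        tagged[item[0]] = item[1:]
    missing = {"B", "K", "I", "J"} - tagged.keys()
    if missing:
        raise ValueError(f"missing fields {sorted(missing)}")
    if tagged["B"] not in ADDRESS_TYPES:
        raise ValueError(f"bad address type B{tagged['B']}")
    if tagged["K"] not in TRANSPORTS:
        raise ValueError(f"bad transport K{tagged['K']}")
    if not tagged["J"].isdigit() or not 1 <= int(tagged["J"]) <= 65535:
        raise ValueError(f"bad port J{tagged['J']}")
    result = {
        "address_type": ADDRESS_TYPES[tagged["B"]],
        "transport": TRANSPORTS[tagged["K"]],
        "server": tagged["I"],
        "port": int(tagged["J"]),
    }
    # The I field must agree with the declared address type.
    if result["address_type"] == "IPv4":
        ipaddress.IPv4Address(result["server"])   # raises ValueError on junk
    elif not _HOSTNAME_RE.match(result["server"]):
        raise ValueError(f"bad hostname {result['server']!r}")
    return result


def build_option43(server: str, transport: str = "HTTP",
                   port: Optional[int] = None) -> str:
    """Assemble a string in the same layout; the B field is inferred."""
    try:
        ipaddress.IPv4Address(server)
        addr_code = "2"
    except ValueError:
        addr_code = "1"
    transport_code = {v: k for k, v in TRANSPORTS.items()}[transport]
    if port is None:
        port = DEFAULT_PORTS[transport]
    return f"{PNP_PREFIX};B{addr_code};K{transport_code};I{server};J{port}"


def review_option43(value: str) -> list:
    """Administrator-side checks: plaintext discovery and odd port pairings."""
    cfg = parse_option43(value)
    notes = []
    if cfg["transport"] == "HTTP":
        notes.append("PnP discovery uses plaintext HTTP (K4); K5 selects HTTPS "
                     "for the sensor's first contact with Cisco DNA Center")
    if cfg["port"] != DEFAULT_PORTS[cfg["transport"]]:
        notes.append(f"port {cfg['port']} is not the usual "
                     f"{DEFAULT_PORTS[cfg['transport']]} for {cfg['transport']}")
    return notes


if __name__ == "__main__":
    # The two strings from the slides plus a constructed HTTPS variant.
    for s in ("5A1N;B2;K4;I192.168.2.206;J80",
              "5A1N;B2;K4;I10.13.1.100;J80",
              build_option43("10.13.1.100", "HTTPS")):
        print(s, parse_option43(s), review_option43(s))
```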
Wireless Provisioning Config
Create Wireless Provisioning SSID for AP1800S
When using the 1800S sensor (without the PoE module) the sensor is provisioned over the WLAN by enabling the provisioning SSID on the AP.
This allows the sensor to connect to the AP wirelessly and find the Cisco DNAC IP over wireless using DHCP Option 43 or DNS.
Active Sensor Workflow - Step 2
Convert AP as a Sensor using Cisco DNAC automation
2. Convert
(diagram) Cisco DNA Center configures the WLC over ssh (1); the AP1/2/3/4800 becomes AP as a Sensor (2)
AP as a Sensor mode will remain in Sensor mode until the Sensor Test config is removed from Cisco DNAC:
3a. Sensor HTTP heartbeat every minute
3b. Cisco DNAC sends ACK with test config version
3c. Sensor detects deletion of the associated test config
3d. Sensor mode converts back to AP
Active Sensor Workflow - Step 3
Sensor-Test config downloaded to Sensor
3. Download Test Config
(diagram) Cisco DNA Center, WLC, AP1/2/3/4800 as AP as a Sensor, AP1800S dedicated Sensor
Sensor uses HTTPS to Cisco DNAC for sensor programming and reporting:
1a. Sensor HTTP heartbeat every minute
1b. Cisco DNAC sends ACK with test config version
1c. Sensor detects new test config version
1d. Sensor requests download of the new test config
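The heartbeat exchange of Steps 2 and 3 above, modelled in Python as an added example written for this page (not Cisco's implementation). DnacStandIn, the convert_ap call standing in for the ssh-to-WLC conversion, the message texts, serial number and version numbers are assumptions made to reproduce the 3a-3d and 1a-1d sequences on the slides.

```python
"""Model of the sensor heartbeat exchange (Steps 2 and 3 on the slides).

Added example, not Cisco code. Every minute the sensor sends a heartbeat,
Cisco DNA Center (DNAC) answers with the version of the test config
assigned to that sensor, and the sensor acts on the difference:
new version -> download it; version deleted -> an AP that was converted
to a sensor reverts to AP mode. Names and values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DnacStandIn:
    """In-memory stand-in for DNAC: test config assigned per sensor serial."""
    assigned: dict = field(default_factory=dict)   # serial -> (version, config)

    def assign_test(self, serial: str, version: int, config: dict) -> None:
        self.assigned[serial] = (version, config)

    def remove_test(self, serial: str) -> None:
        self.assigned.pop(serial, None)

    def convert_ap(self, sensor: "Sensor") -> None:
        """Step 2: DNAC automation (through the WLC) puts the AP in Sensor mode."""
        if sensor.serial not in self.assigned:
            raise LookupError("assign a test config before converting the AP")
        sensor.mode = "Sensor"

    def ack(self, serial: str) -> Optional[int]:
        """Heartbeat reply (1b/3b): current test config version, None if none."""
        entry = self.assigned.get(serial)
        return entry[0] if entry else None

    def download(self, serial: str, version: int) -> dict:
        """1d: hand out the test config for the version that was announced."""
        entry = self.assigned.get(serial)
        if entry is None or entry[0] != version:
            raise LookupError(f"no test config version {version} for {serial}")
        return dict(entry[1])


@dataclass
class Sensor:
    serial: str
    dedicated: bool                  # True: AP1800S, False: AP converted to sensor
    mode: str = "AP"                 # "AP" or "Sensor"
    config_version: Optional[int] = None
    test_config: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.dedicated:           # dedicated hardware is always a sensor
            self.mode = "Sensor"

    def heartbeat(self, dnac: DnacStandIn) -> str:
        """One heartbeat round (1a/3a); returns the action the sensor took."""
        if self.mode != "Sensor":
            raise RuntimeError("only a device in Sensor mode sends heartbeats")
        acked = dnac.ack(self.serial)
        if acked is None:
            if not self.dedicated:
                # 3c/3d: assigned test deleted -> AP as a Sensor reverts to AP
                self.mode, self.config_version, self.test_config = "AP", None, {}
                return self._note("reverted to AP mode")
            return self._note("no test config assigned")
        if acked != self.config_version:
            # 1c/1d: a different version was announced -> fetch it
            self.test_config = dnac.download(self.serial, acked)
            self.config_version = acked
            return self._note(f"downloaded test config v{acked}")
        return self._note(f"up to date at v{acked}")

    def _note(self, text: str) -> str:
        self.log.append(text)
        return text


def run_scenario() -> list:
    """Drive a converted AP through assign, update and removal of its test."""
    dnac = DnacStandIn()
    ap = Sensor(serial="SERIAL-CONSTRUCTED-1", dedicated=False)
    dnac.assign_test(ap.serial, 1, {"onboarding": ["assoc", "auth", "dhcp"]})
    dnac.convert_ap(ap)                                   # Step 2
    steps = [ap.heartbeat(dnac)]                          # fetches v1
    steps.append(ap.heartbeat(dnac))                      # steady state
    dnac.assign_test(ap.serial, 2, {"onboarding": ["assoc", "auth", "dhcp"],
                                    "dns": ["lookup"]})
    steps.append(ap.heartbeat(dnac))                      # fetches v2
    dnac.remove_test(ap.serial)
    steps.append(ap.heartbeat(dnac))                      # 3c/3d: back to AP
    return steps


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```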
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Active Sensor Workflow - Step 4
Sensor-Test result send directly to
Cisco DNAC
389
4. Report
Test Result
Cisco DNA Center
AP1800S
Dedicate SensorAP1/2/3/4800
Wired PoE
WLC
Sensor Test result is directly reported to Cisco DNAC using Wireless Backhaul SSID or Wired Backhaul
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Backhaul SSID Configuration
• Assign one of the WLC SSIDs as the "Sensor SSID". A sensor uses it to connect to Cisco DNAC and communicate over the air.
• The Sensor SSID is used to push the sensor-test config to the sensor and to receive test results at Cisco DNAC.
• Ensure that the SSID name and security match an existing WLAN.
Cisco DNA Step 1 : Provision AP1800S to Cisco DNAC
Create SSID Profile for Wireless Test result report
[DESIGN] [Network Settings][Sensor Settings]
1. Create Wireless SSID Settings for Sensor Test report
2. Create Wireless SSID for Sensor
This step prepares the dedicated wireless SSID that the AP1800S uses as its sensor test report channel. These settings are provisioned only to the Sensor, not to the WLC.
Cisco DNA Step 2 : AP1800S Sensor Provisioning
Assign Sensor Provision profile to Sensors
[PROVISION] [Devices][Unclaimed Devices]
1. Go to the [Provision] menu.
2. Go to [Unclaimed Devices]; a newly discovered AP1800S appears with "UNCLAIMED" status.
3. Select the newly discovered AP1800S.
4. Click [Claim Device].
A new AP1800S sensor appears once the Sensor discovers Cisco DNAC via DHCP Option 43 or DNS (PNPSERVER).
Cisco DNA Step 3 : AP1800S Sensor Provisioning
Assign Sensor Provision profile to Sensors
[PROVISION] [Devices]
• Assign Location "Site / Bld. / Flr."
• Important! Assign the Sensor Backhaul SSID regardless of wired or wireless provisioning.
Cisco DNA Step 4 : AP1800S Sensor Provisioning
Place Sensor to actual sensor location
[DESIGN] [Network Hierarchy]
Assign Location "Site/Bld/Flr." ("One device is pending for placement")
Note: Once the AP1800S is provisioned and assigned to a floor, the admin needs to place the Sensor at its actual location on the map using the DESIGN module.
Schedule Sensor Testing: Step1
Create Sensor-Driven Test
[ASSURANCE] [Manage][Sensor-Driven Tests]
Step1. Create Sensor-Driven Test
Step2. Add Test – Schedule, SSID selection
Schedule Sensor Testing: Step2
Select tests and Assign Sensor
Step3. Select Tests
Step4. Select Test Sensor
Sensor – Target AP Threshold:
• RSSI Threshold: -35 ~ -90 dBm
• Target AP # : 1 ~ 5
Sensor Dashboard
• Common filter set as Client Health Page
• Network Time Travel Navigation up to 7 Days
• Customizable Dashlets
• Sensor Test Result Detail per sensor
• Wireless Issue analysis
Cisco DNA-C Wireless Assurance
From Network Data to Business Insights
(Diagram: Contextual Data (Network, Application, Clients, Baseline) → Unified Network Telemetry → Complex Event Processing → Correlation → Insights → Issues)
66 Wireless Actionable Insights: Guided Remediation (now), Auto Fix It (future)
• Network Device: CPU and memory utilization; crash, AP join failure, flapping AP; power supply failure; radio utilization
• App Experience: throughput analysis; app performance (packet loss, latency and jitter); DNS issues
• Client RF Experience: sticky client, ping-pong; coverage hole; client capacity
• Client Onboarding: association failures; authentication failures; IP address failures
Wireless Client Issues
(Diagram: WSA events, connected-client anomaly events and edge-analytics PCAP feed Cisco DNA, which generates the Client Issue and exposes it via the Notification API)
• iOS Client Issues – based on iOS Disconnect Reason
• Connected Issue – Coverage, Sticky
• Onboarding Issue – Slow, Onboarding/Roaming Failure
• Sensor Issue – Multiple Sensor Test Failures
• Smart Edge Analytics can trigger a Client Anomaly Event with PCAP
• Cisco DNAC correlates and aggregates client events from AP and WLC and generates the issue
• Issues can be reported to ServiceNow using the Northbound API
Wireless Device (WLC & AP) – Issues
(Diagram: AP and WLC events and edge-analytics PCAP feed Cisco DNA, which generates the AP/WLC Issue and exposes it via the Notification API)
• Smart Edge Analytics can trigger an AP Anomaly Event (Beacon Miss, Beacon Recovered) with PCAP
• Cisco DNAC correlates and aggregates device events from AP and WLC and generates the issue
• Suggested Action with possible CLI auto-run for further verification

Intelligent Capture for Real-Time Wireless Troubleshooting
Intelligent Capture Architecture
Real-Time Location Update
• Configuration:
  • From Cisco DNA (automation channel) to WLC
  • Requires NTP across components
• Streaming Telemetry:
  • AP data exported directly to the northbound system using gRPC (HTTP 2.0)
  • Real-time Client RF stats and AP stats (programmable down to 5 sec)
  • Anomaly-based PCAP, Anomaly Events, Spectrum Data
• WLC data export types using JWT:
  • Events or Anomalies: onboarding, RRM, AP and AAA failure
  • KPI & Stats for Clients, AP, WLC, Rogue, Application Usage
(Diagram: Cisco DNA Center ↔ WLC over HTTPS/JWT: automation for AP/WLC; client & AP stats and RT stats (client, AP, AAA, etc.); events such as onboarding and RRM up to 2 sec. WLC ↔ AP over CAPWAP. AP → Cisco DNA Center over gNMI: PCAP, Anomaly Events, real-time AP and client RF stats, up to 5 sec. WLC → CMX over NMSP for probe-based location; AP → CMX Fast Path for data RSSI and Hyperlocation.)
Intelligent Capture config on AireOS 8.8
Automated via Cisco DNA Assurance
Complicated, error-prone device-level config vs. intent-based Cisco DNA Automation
Intelligent Capture
Automated Stitching from Multiple APs Capture
• Multiple APs tracking clients during packet capture
• Single PCAP generated upon multiple-AP roaming scenarios
• Zero packet loss during client roam
• Auto-decrypted data packets
• Capture across APs, across floors
• Pre-scheduled packet capture
• Automated packet capture
(Diagram: a client roams across APs on 2.4 GHz channel 6, 5 GHz channel 36 and 5 GHz channel 161; the per-AP captures are stitched into one PCAP at Cisco DNA Center)
Intelligent Capture ~ Real-Time Analytics and troubleshooting tool
• On-demand Intelligent Capture
• Real-time Event Viewer and Automated Filtered Packet capture
• Auto Packet Analyzer
• Real-time Client location Map
• Real-Time Client RF Stat Graph
• AP4800 3rd radio Full packet capture
• Real-Time Application Analyzer integration
• Packet Capture across multiple APs
• Wireless Decrypted Packet Capture
• Real-Time RF Visualization with Location
• Spectrum Analyzer on Cisco DNA Assurance
• Real Time Client RF Stat update
• Real Time AP RF Stat update
• Multi-Device Onboarding Capture
• Client Onboarding Issue with Automated PCAP
• Radio Anomaly Issue with PCAP
(Panels, from on-demand to scheduled/automated: Single Device VIP capture; Multi-Device Onboarding capture; Real-Time RF / Spectrum Analyzer; Automated PCAP)
Intelligent Capture
FlexConnect Local Switching
(Diagram: branch AP in FlexConnect mode ↔ WLC in the corporate central site over CAPWAP across the WAN: automation for AP/WLC; client & AP stats; nRT stats (client, AP, AAA, etc.); events such as onboarding and RRM. WLC ↔ Cisco DNA Center over HTTP/JSON. AP → Cisco DNA Center over gRPC/Protobuf: PCAP, Anomaly Events, real-time AP and client RF stats.)
• Intelligent Capture is deployment-mode agnostic
• Ensure WAN links have enough bandwidth to handle the PCAP traffic from the AP
Intelligent Capture
VIP Troubleshooting
• AP4800 3rd radio Full packet capture
• Real-time Client location Map with trail of movement
• Download Onboard Packet
• Highlight Deauth/Disassoc Packets
• RSSI Chart per Packet
• Interpacket Gap (ms) bar chart
AP/Client Issue triggered from AP/Client Anomalies report
Type: Connected Client
• Transmit Packet to sleeping client – AP radio inadvertently transmitted packets to a sleeping client.
• Excessive Transmission Failure – AP radio {slot} is experiencing high transmission failure to client.
• TIM bit not cleared – AP does not clear the TIM (Traffic Indication Map) bit from the Beacon after the client indicated receipt of buffered data.
• No trigger frame PS client – AP is observing no trigger frame being sent from a WMM Power Save mode client.
• Packet Sequence number jumped – AP is observing a packet sequence jump from clients.
• Associated Client sent deauthentication to AP – AP triggered Deauth after receiving a disassoc/deauth message from an associated client.
Type: Client Onboarding
• Station sent too many DHCP Requests – AP detected too many DHCP requests from the client.
• Client failed to renew Broadcast Key – Client failed to update the Broadcast Key and deauthenticated to reset the connection.
Type: AP Radio
• AP Radio failed to broadcast SSID due to radio congestion – AP radio failed to broadcast the SSID. This is an indication of high radio utilization and noise.
• AP Radio recovered from Beacon Miss condition – AP radio recovered from beacon stuck. No immediate action required.
Advanced RF Insights from Intelligent Capture
• Advanced AP RF Analysis with high-density telemetry (30 sec interval)
• Channel Utilization per type
• Channel Utilization per SSID
• Top N Packet Transmission Failure Clients
• Frame Count per type (Management, Data Frame)
• Frame Re-transmission count
• Multicast/Broadcast Chart
• DFS Event Monitor
Intelligent Capture
Real-Time Application Analysis
(Diagram: AP4800s in the campus, in a branch/FlexConnect site and across the WAN capture packets via the WLC to Cisco DNA-C; vNAM in the data center retrieves the packet capture from Cisco DNA-C)
• vNAM can be deployed as an out-of-band deployment
• vNAM is a consumer of Cisco DNA-C using PCAP
• Packet capture from AP4800
• On-demand packet analysis
• Deployment agnostic – works in Central, FlexConnect or Fabric mode
• Use cases: RTP (VoIP) analysis; TCP analysis; real client traffic analysis; raw packet analysis
• Advantages: single-node deployment; remote node analysis; zero user throughput impact
Intelligent Capture
Real Time Application Analytics
• Application analysis through full PCAP analysis
• Application identification
• Identify WMM (L2) and DSCP (L3) marking of each app
• Packet loss
• Wireless delay
• RTP jitter
Supported on AP4800 using the 3rd radio; enabled by vNAM-DNAC integration.

AP4800 Full Packet Capture creates two PCAP files per single capture
• Concurrent, dual PCAP file capture
• Wireless PCAP, e.g. 7c468520795e_80211_1530109006495976.pcap
• Wired PCAP, e.g. 7c468520795e_ethernet_1530109005954280.pcap
Available Packet Type per Capture
Full PCAP
• How to trigger: On-demand
• Media type: Wireless PCAP with radio header; Wired PCAP with Ethernet header
• Captured protocol: 802.11 with radio header (Mgmt, Control, Data frames); 802.3 with Ethernet header
• Features supported: Application Analyzer; Wireless Delay and Wireless Packet Loss chart; Jitter chart using RTP (wired & wireless); data packet auto-decryption
• AP and capture method: AP4800 – 3rd radio with self-sniffing feature
Partial PCAP
• How to trigger: On-demand, scheduled or automated
• Media type: Wireless PCAP
• Captured protocol: 802.11 mgmt (Auth, Assoc); Data (802.1X/EAP, DHCP, DNS, ARP, ICMP)
• Features supported: Auto Packet Analyzer; downloadable from anywhere using a web browser; automated onboarding-failure PCAP up to 100 packets per session; data packet auto-decryption
• AP and capture method: AP2800/3800/4800 – inline-based packet capture
Intelligent Capture Scale Guideline
• Peak packet capture rate in the system (across all clients): scales up to hundreds of Mbps
• How long packet capture sessions last: recommended up to 100 MB per session
• How long it has to be stored: up to 1 week
• How many clients enabled for real-time statistics: 16 clients per WLC
• How many APs enabled for real-time monitoring: all APs
Intelligent Capture Real-Time Streaming Frequency
Data type – Frequency – Clients or APs supported
• Full PCAP – Immediate – Single client with scale cap (16 clients at any point in time on Cisco DNA Assurance for a 4000 AP deployment)
• Client RF stats – Default 30 sec, programmable to 5 sec – All onboarding / roaming failure clients for a 4000 AP deployment on a Cisco DNA Assurance
• Client Onboarding Events (WLC) – Default 30 sec, programmable to 15 sec – All onboarding / roaming failure clients for a 4000 AP deployment on a Cisco DNA Assurance
• Partial PCAP (Mgmt., DHCP/ICMP, EAP, etc.) – Immediate – All onboarding / roaming failure clients for a 4000 AP deployment on a Cisco DNA Assurance
• AP RF Stats, other AP Stats – 30 sec – APs at any point in time on Cisco DNA Assurance for a 4000 AP deployment
• Client RF Stats – 5 sec – Single client with scale cap (16 clients per Cisco DNA Assurance)
• Spectrogram View – 5 sec – AP2800/3800/4800
• Anomaly Events – Immediate – All APs for a 4000 AP deployment on a Cisco DNA Assurance
• Regular Client Location Update – 5-6 sec – All onboarding / roaming failure clients for a 4000 AP deployment on a Cisco DNA Assurance
Cisco DNA Wireless Assurance powered by Cisco Aironet
Active Sensor Testing · Wi-Fi iOS Analytics · Streaming Telemetry · Network Time Travel · Intelligent Capture Auto PCAPs · Intelligent Capture Forensics · Actionable Insights · Guided Remediation
• Aironet 2800, 3800, 4800 AP with Intelligent Capture
• Aironet Active Sensor with proactive wireless network test
We're Living in a Mobile World…

Wireless Services
Agenda
• Introduction to LBS
• Indoor Location Techniques and Design
• Cisco DNA Spaces
• Demo
• Umbrella
• Encrypted Traffic Analytics
• Cisco Apple
• Wireless Best Practices
A Mobile World
Mobile devices will account for 79% of Internet traffic by 2022*
Organizations looking to monetize Wi-Fi; Wi-Fi as a platform to deliver services
*Cisco Visual Networking Index: Forecast and Trends, 2017-2022
https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white-paper-c11-741490.html#_Toc529314182
Intent-based Networking
Powered By Intent. Informed by Context.
(Diagram: Digital Business spans Network, MultiCloud, IoT, Mobile and Security; Intent and Context feed Learning and Security)

The Data Blindspot
The Blindspot at Physical Spaces
What If You Could…?
Verticals: Retail and Malls; Higher Ed and Stadiums; Healthcare; Travel and Airports; Hospitality and Convention; Museums and Attractions.
Example outcomes: engage shoppers, drive visits, increase AOV; enhance customer service & loyalty, service residents & guests, sell capacity, drive incremental services sales, event navigation; service the traveller, increase in-airport spend, promote airport retailers; reduce patient stress, promote health, build brand loyalty, asset tracking; build fan excitement, increase in-venue spend, sell more tickets, guided tours; enhance education, promote visits, increase loyalty, increase donations.

Indoor Location Techniques and Design
Location Tracking Approaches
• Real-time location tracking and positioning systems can be classified by the measurement techniques they employ to determine mobile device location
• Approaches differ in terms of the specific technique used to sense and measure the position of the mobile device in the target environment
• Real-Time Location Systems (RTLS) can be grouped into four basic categories of systems that determine position on the basis of the following:
  • Cell of origin (nearest cell)
  • Distance based (lateration)
  • Angle based (angulation)
  • Location patterning
Indoor LBS
No Single Technology Delivers for All Use Cases
Align with customer use case & venue (BLE vs. Wi-Fi):
• Navigation / Wayfinding
• Proximity Marketing
• Analytics / Insights
• Asset Tracking
• Space: open, hallways, …
• Ceiling height
• Etc.

Indoor Location Accuracy Continuum
GOOD → BETTER → BEST: greater location granularity, increased business value

WiFi Location
Wi-Fi based location
(Diagram: APs report Client RSSI 1, 2, 3 to the WLC; the WLC forwards the consolidated RSSI set to CMX; CMX computes Location X, Y and exposes it to a 3rd-party mobile app server via XML / JSON API)
AP Placement for wireless location
• If possible, mount antennas such that they have an unencumbered 360º view of all areas around them without being blocked at close range by large objects like a pillar, column or advertisement board.
• Minimum of 4 APs required
• AP to AP distance: 12 – 20 m
• Height: below 6 m
• -75 dBm client RSSI on 3 APs
• In some cases, however, inter-access point spacing below 12 m may be necessary to satisfy the requirements of some applications for high signal strength thresholds, especially in environments where high path loss is present.
Think of it as a convex hull
• APs that form the perimeter and corners of the floor can be thought of as outlining the convex hull
• Set of possible device locations where the best potential for high accuracy and precision exists
Enhanced accuracy with Hyperlocation
• Before: location approximated based on RSSI only – range inferred, prone to errors; ±5 to 10 meter accuracy; room-level accuracy
• After: determine direction (AoA) to the client in addition to distance (multi-locating technology: AoA plus RSSI, improved calculation) => 1-3 meter accuracy (50% CDF); high accuracy to engage and improve the guest experience
Wi-Fi Location with Fast Locate
• Based on the RSSI of data frames sent by the mobile device
• Accuracy 5 m – 7 m
• Update frequency depends on application behavior or wakeup frames from the AP (5 – 20 sec)
• Works only for associated devices
• Good for: CMX Analytics; CMX Connect; Blue Dot applications; App Engage
How Location Is Calculated with FastLocate
• Access points detect mobile devices and measure RSSI from all frames sent over Wi-Fi.
• The client is associated to just one AP; the other APs have to scan the same channel.
• APs synchronise to measure RSSI at multiple APs at the same time using:
  • Enhanced Local Mode
  • An additional WSM radio module
(Diagram: three APs each derive a distance D1, D2, D3 from the measured strength, -33 dBm, -40 dBm and -50 dBm respectively, and the three ranges are intersected to estimate the client position)
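The range-then-intersect step in the diagram, worked through as an added example (not code from the deck or from CMX): each AP's measured RSSI is converted to a distance with a log-distance path-loss model, APs weaker than the deck's -75 dBm rule of thumb are dropped, and the lateration is solved by least squares so it also takes a fourth AP. The reference power (-40 dBm at 1 m), the path-loss exponent (2.5), the AP coordinates and the client position are constructed values for the example, not calibration data.

```python
import math

# Log-distance path-loss model parameters. Constructed values for this example,
# not CMX calibration data.
P0_DBM = -40.0          # RSSI expected 1 m from the AP
PATH_LOSS_EXP = 2.5     # indoor exponent (free space would be 2.0)
MIN_RSSI_DBM = -75.0    # the deck's rule of thumb: usable RSSI on at least 3 APs


def rssi_to_distance(rssi_dbm, p0=P0_DBM, n=PATH_LOSS_EXP):
    """Invert RSSI = p0 - 10 n log10(d) to get a range estimate in metres."""
    return 10 ** ((p0 - rssi_dbm) / (10.0 * n))


def distance_to_rssi(d_m, p0=P0_DBM, n=PATH_LOSS_EXP):
    """Forward model, used here only to synthesise measurements."""
    return p0 - 10.0 * n * math.log10(d_m)


def laterate(anchors):
    """anchors: list of (ap_x, ap_y, range_m), at least three, not collinear.
    Subtracting the first circle equation from the others linearises the
    system; the 2x2 normal equations then give the least-squares position,
    which is exact for three APs and a best fit for more."""
    if len(anchors) < 3:
        raise ValueError("need at least 3 ranges")
    x0, y0, d0 = anchors[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for xi, yi, di in anchors[1:]:
        ax, ay = 2.0 * (xi - x0), 2.0 * (yi - y0)
        b = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * b
        b2 += ay * b
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("APs are collinear; position is not determined")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    return x, y


def locate(measurements, min_rssi=MIN_RSSI_DBM):
    """measurements: list of (ap_x, ap_y, rssi_dbm) as reported by the APs.
    APs heard below min_rssi are ignored; fewer than three usable APs is an
    error rather than a guess."""
    usable = [(x, y, rssi_to_distance(r)) for x, y, r in measurements if r >= min_rssi]
    if len(usable) < 3:
        raise ValueError(f"only {len(usable)} APs above {min_rssi} dBm; need 3")
    return laterate(usable)


# Constructed floor: four APs at the corners of a 20 m x 15 m floor, client at (8, 6).
APS = [(0.0, 0.0), (20.0, 0.0), (0.0, 15.0), (20.0, 15.0)]
TRUE_CLIENT = (8.0, 6.0)


def simulated_measurements(client=TRUE_CLIENT, aps=APS):
    """Synthesise what each AP would report for a client at `client`."""
    return [(ax, ay, distance_to_rssi(math.hypot(client[0] - ax, client[1] - ay)))
            for ax, ay in aps]


if __name__ == "__main__":
    m = simulated_measurements()
    for ax, ay, r in m:
        print(f"AP({ax:4.1f},{ay:4.1f}) rssi={r:6.2f} dBm -> {rssi_to_distance(r):5.2f} m")
    print("estimated position:", locate(m))
```

Real RSSI is noisy and the exponent varies per floor, which is why the deck asks for RSSI above -75 dBm on at least three APs and for AP density that keeps every point inside the convex hull; the threshold check above is where those rules enter the calculation.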
*Apple iOS MAC Randomisation
• Introduced in iOS 8, improved in iOS 9
• Changes MAC every 63 sec when not connected
• Real MAC only used when connecting to a configured SSID
• No analytics for non-connected devices
• Probes about 2 times per minute
*Android 6 MAC Randomisation
• Introduced in Android 6
• Real MAC only used when connecting to a configured SSID
• Probing behaviour depends on battery-saving settings, but about 1-2 times per minute
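A check that follows from the two MAC-randomisation slides, as an added example (not from the deck): randomised probe MACs set the locally-administered (U/L) bit of the first octet, so presence analytics should count only globally unique addresses and treat the rest as unassociated, rotating phones. The probe records are constructed sample data.

```python
def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return the 6 raw octets."""
    octets = mac.strip().lower().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC {mac!r}")
    return bytes(int(o, 16) for o in octets)


def is_locally_administered(mac):
    """U/L bit (0x02) of the first octet. Randomised addresses generated by the
    phone set it; factory OUI addresses clear it."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_group_address(mac):
    """I/G bit (0x01): multicast/broadcast, never a station's source address."""
    return bool(parse_mac(mac)[0] & 0x01)


def presence_counts(probes):
    """probes: iterable of (timestamp_s, source_mac) taken from probe requests.
    Returns (globally_unique_macs, randomised_macs). Only the first is a device
    estimate; the second counts addresses, and one unassociated phone rotating
    its address contributes several of them."""
    real, rnd = set(), set()
    for _, mac in probes:
        if is_group_address(mac):
            continue
        (rnd if is_locally_administered(mac) else real).add(mac.lower())
    return len(real), len(rnd)


def rotation_intervals(probes):
    """Seconds between first sightings of successive randomised addresses,
    which is how the ~63 s iOS rotation shows up in probe data."""
    first_seen = {}
    for ts, mac in sorted(probes):
        if is_locally_administered(mac) and not is_group_address(mac):
            first_seen.setdefault(mac.lower(), ts)
    times = sorted(first_seen.values())
    return [b - a for a, b in zip(times, times[1:])]


# Constructed sample: a laptop with a factory MAC probing twice a minute, an
# unassociated iPhone whose randomised address (U/L bit set) changes every ~63 s,
# and one broadcast address that must not be counted at all.
SAMPLE_PROBES = [
    (0,   "00:1b:21:aa:bb:cc"),
    (5,   "da:a1:19:4b:77:01"),
    (30,  "00:1b:21:aa:bb:cc"),
    (35,  "da:a1:19:4b:77:01"),
    (68,  "da:a1:19:c2:0e:9f"),
    (90,  "00:1b:21:aa:bb:cc"),
    (131, "da:a1:19:3b:51:22"),
    (150, "ff:ff:ff:ff:ff:ff"),
]

if __name__ == "__main__":
    print("devices / randomised addresses:", presence_counts(SAMPLE_PROBES))
    print("rotation intervals (s):", rotation_intervals(SAMPLE_PROBES))
```

The converse also matters for the association-based features on the following slides: once a phone joins a configured SSID it uses its real MAC, so the client record from the WLC is the only stable identity to key analytics on.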
Summary: Wi-Fi location
• Pros
  • Supported on all endpoints with Wi-Fi enabled
  • Supported by the Wi-Fi infrastructure already deployed for uplink data
  • Location calculations done at CMX level, no need for extra functions
  • Even without a mobile app we can collect analytics data
  • AP density smaller than BLE beacon density
• Cons
  • Less precise than BLE (> 1 m)

BLE Location
BLE based location
(Diagram: three beacons advertise UUID Acme, Major 10, Minor 1/2/3 with Tx 1/2/3; the phone "doesn't know what to do with these, but someone else can tell me": the location is calculated by the 3rd-party mobile app server)
Use cases for BLE
Proximity Messaging
• Why BLE: installed mobile applications can wake from sleep when a BLE beacon is detected and push messages to the user's screen when the application is not in the foreground.
• Next best option: GPS-based app notification messaging is limited to about 100 ft of accuracy. Wi-Fi based messaging relies on the client joining the Wi-Fi network.
Indoor Wayfinding
• Why BLE: mobile device makers allow map applications to read reported values from the BLE radio every 500 ms, providing the fastest update rate for indoor location, which results in more accurate indoor location.
• Next best option: Wi-Fi network based indoor wayfinding can provide an update approximately every 3 seconds at best.
Asset Tracking
• Why BLE: BLE chipsets continue to get cheaper and are being integrated into more products. This leads to cheaper asset tracking tags.
• Next best option: Wi-Fi RFID asset tags can have a better level of accuracy; however, they are more expensive and do not have as many advances in chip technology.
Challenges with BLE Deployments
Traditional BLE features and app-based BLE management cannot keep up!
• Secure Onboarding: how to ensure BLE devices in the network are beaconing out the correct values, and how to ensure that data received from BLE devices is not compromised.
• Complex to Manage: deployment is traditionally completed by an application on mobile devices. This can be complex and time consuming for updates.
• Slow Issue Resolution: no easy way to determine issues such as low battery in BLE devices from a centralized location.
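The beacon frames in the BLE-location diagram (UUID / Major / Minor / Tx) and the "beaconing out correct values" check from the Secure Onboarding challenge, as an added example (not Cisco code): it parses the iBeacon manufacturer-specific AD structure (Apple company ID 0x004C, type 0x02, length 0x15) out of a raw advertising payload and compares the fields against the expected inventory for the AP that should have sent it. The UUID and the inventory table are constructed. One caveat the validator cannot close: iBeacon advertisements carry no authentication, so a match proves the AP is configured as intended, not that every frame carrying those values came from that AP.

```python
import struct

APPLE_COMPANY_ID = 0x004C            # company identifier in the manufacturer-specific AD
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15
AD_FLAGS, AD_MANUFACTURER = 0x01, 0xFF


def parse_ad_structures(payload):
    """Split an advertising payload into (ad_type, data) pairs. Each structure
    is [length][type][data...] where length covers type + data."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:               # zero-length padding ends the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def parse_ibeacon(payload):
    """Return {'uuid','major','minor','tx_power'} or None if no iBeacon structure."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_MANUFACTURER or len(data) < 25:
            continue
        company, btype, blen = struct.unpack_from("<HBB", data, 0)   # company id is little-endian
        if (company, btype, blen) != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN):
            continue
        uuid, major, minor, tx_power = struct.unpack_from(">16sHHb", data, 4)
        return {"uuid": uuid.hex(), "major": major, "minor": minor, "tx_power": tx_power}
    return None


def build_ibeacon(uuid_hex, major, minor, tx_power):
    """Assemble the payload an AP's BLE radio would advertise (flags + iBeacon).
    tx_power is the calibrated RSSI at 1 m, a signed byte."""
    body = struct.pack("<HBB", APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN)
    body += struct.pack(">16sHHb", bytes.fromhex(uuid_hex), major, minor, tx_power)
    flags = bytes([0x02, AD_FLAGS, 0x06])
    return flags + bytes([len(body) + 1, AD_MANUFACTURER]) + body


def validate_beacon(payload, expected):
    """Compare a captured advertisement against the inventory entry for the AP
    that should have sent it. Returns the mismatching field names (empty on
    success), or ['not_ibeacon'] if no iBeacon structure is present."""
    seen = parse_ibeacon(payload)
    if seen is None:
        return ["not_ibeacon"]
    return sorted(k for k in ("uuid", "major", "minor", "tx_power") if seen[k] != expected[k])


# Constructed inventory, mirroring the deck's "UUID Acme, Major 10, Minor 1..3".
ACME_UUID = "0123456789abcdef0123456789abcdef"
EXPECTED = {
    "ap-lobby-1": {"uuid": ACME_UUID, "major": 10, "minor": 1, "tx_power": -59},
    "ap-lobby-2": {"uuid": ACME_UUID, "major": 10, "minor": 2, "tx_power": -59},
    "ap-lobby-3": {"uuid": ACME_UUID, "major": 10, "minor": 3, "tx_power": -59},
}

if __name__ == "__main__":
    frame = build_ibeacon(ACME_UUID, 10, 1, -59)
    print(frame.hex())
    print(parse_ibeacon(frame))
    print("ap-lobby-1 mismatches:", validate_beacon(frame, EXPECTED["ap-lobby-1"]))
```

Run against frames captured by a second radio (a scanning AP or a phone), the validator catches misconfigured or stale beacons; a frame with the right values from the wrong place can only be caught by correlating where it was heard with where that Major/Minor is supposed to be.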
Cisco Answers the Challenge of BLE Deployments
• Cisco Wireless Network: consistent wireless experience at scale
• End-to-end BLE solution based on BLE-enabled APs: scalable and easy to deploy
• Cloud-based BLE management layer
• Open ecosystem of multiple players based on Cisco DNA-LTX*: allows for BLE functions from different vendors
* Cisco DNA-LTX = Cisco DNA Location and Telemetry Exchange protocol, formerly CCX 2.0
BLE Capabilities pervasive in all Access Points
• All new APs after March 2017 have integrated BLE (1815, AP4800, 1800S)
• Current Wave 2 APs will use a USB dongle to add BLE radio capabilities to existing 1800/2800/3800 APs that do not have a native BLE radio – target March 2019
• Meraki APs all have integrated BLE
(Diagram: high-end, low-end, outdoor and sensor APs, plus the USB dongle)
What BLE applications can AP4800 enable today?
BLE beacon transmit to enable proximity and wayfinding applications with 3rd-party applications: Phunware or Mazemap.
Software requirements:
• AireOS 8.8
• CMX 10.5
• PI 3.4
AP4800 radio elements:
• (4) 2.4/5 GHz macro antenna elements
• (4) 5 GHz macro cell antenna elements
• (16) element directional antenna array (digitally switched) for location tracking
• (16) omni-directional elements (digitally switched) for 24x7 monitoring analytics (Cisco DNA Assurance)
• BLE element
How BLE Management works
Requires:
1. CMX 10.5
2. WLC 8.8
3. BLE Management Cloud
4. AP4800 / AP1815
(Diagram: BLE Management Cloud ↔ CMX 10.5 ↔ WLC (NMSP) ↔ AP ↔ BLE signals / BLE tags; all control and management data go through four hops)
• BLE TX: from the AP, for proximity messaging and wayfinding
• BLE RX: data to the AP for asset tracking from BLE asset tags
• The BLE radio does constant TX, then goes into RX on a specified interval (default every 10 seconds)
BLE Manager
• A single place to set functions of BLE radios.
• Configure the BLE radio on an AP at a specific location to beacon out in a specific manner.
• Provides enterprise-wide management of BLE radios inside Cisco APs as well as Cisco DNA-LTX compatible floor beacons (coming soon!)

Summary: BLE based location
• Pros
  • Very precise (
Location Personas
Profile customers based on their at-location behavior and build Location Personas
Example personas: Returning Guest; Frequent Weekend Visitor; Restaurant Visitor; Employee; VIP; Loyal Member; Multi-location Visitor; Frequent Weekday Visitor; Retail area visitor
• Tag and segment visitors based on their behavior at physical spaces, identify key personas and deliver engagements.
• Integrate location personas with existing digital personas to create a 360-degree view of customers.
Operational Insights
Identify and monitor assets, detect anomalies, optimize operations and response times through alerts and integrate with enterprise systems
• Tag: clients, Wi-Fi or Bluetooth Low Energy (BLE) tags on assets
• Classify: classify tagged assets by location, type, and more
• Track and trace: track and analyze telemetry data from assets
• Rules: create rules and alert notifications for assets
• Alerts: trigger alerts based on a set of actions
• Reports: generate historical data in customizable reports
Solution Implementation Components
(Diagram: WLC → CMX: RFID/client data, updates ~1 per second. Prime → CMX: map and client list (MAC-to-name spreadsheet), static (mostly). CMX performs the location calculations and sends to the OI Cloud over HTTPS; 3rd-party apps such as a Cisco Spark Bot App consume from Operational Insights.)

Operational Insights Demo

Cisco Umbrella
Cisco Umbrella
Cloud security platform
• Built into the foundation of the internet
• Intelligence to see attacks before they are launched
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Integrations to amplify existing investments
Blocks malware, C2 callbacks and phishing (resolver 208.67.222.222)
Where does Umbrella fit?
(Diagram: HQ with sandbox, NGFW, proxy, Netflow and AV; branch with router/UTM and AV; roaming devices with AV; Umbrella sits in front of all three as the first line against malware, C2 callbacks and phishing)
Benefits:
• Block malware before it hits the enterprise
• Contain malware if already inside
• Internet access is faster
• Provision globally in minutes
Built into the foundation of the internet
Umbrella provides:
• Connection for safe requests
• Prevention for user- and malware-initiated connections
• Proxy inspection for risky domains
(Diagram: a safe request is connected; a blocked request is stopped)
Category based content filtering and segmentation
Category-Based Filtering
• The easy-to-use, cloud-delivered administration console enables you to quickly set up, manage, and test different acceptable use policies.
• Quickly create exceptions to allow or block specific domains, regardless of whether they are in a category that is allowed or blocked.
Policy Segmentation
• Customize category-based filtering to meet each network's specific needs, per network, AP group, user, device or IP address, giving you greater control of your organization's Internet usage.
Security Activity Monitor
• View security activity in real time with globally aggregated reports.
• Schedule and send these reports to your inbox.
(Diagram: the identity server returns attributes; Contract or Corp users get Policy 1 / Policy 2, Guest gets Policy 3)

Cisco Umbrella Account and CiscoONE
Umbrella - WLC Packet Flow
WLC and Umbrella registration (one time; HTTPS is used in this phase):
• Umbrella: get an API token for device registration
• WLC: apply the token and create the profile (device/profile registration)
Wireless client traffic flow:
• Client sends a DNS query
• WLC snoops the DNS query, tags it with the identity and forwards it with EDNS
• Umbrella applies the profile-specific policy (security enforcement, compliance, content filtering, category-based filtering, whitelist & blacklist)
• Umbrella sends the DNS response to the WLC
• WLC forwards the response to the client
(Diagram: client → WLC → Umbrella Cloud → Internet web services; DNS request up, DNS response back)
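The "snoop, tag with identity, forward with EDNS, apply profile policy" flow, as an added example (not Umbrella's or the WLC's code): it builds a DNS query carrying an EDNS0 OPT record with an identity option, parses it back the way a resolver would, and applies a per-profile category policy. The option code 65001 is taken from the EDNS local/experimental range (65001-65534, RFC 6891) as a stand-in; the deck does not give Umbrella's actual option code or data layout, and the profile and category tables are constructed.

```python
import struct

OPT_RR_TYPE = 41
EDNS_UDP_PAYLOAD = 4096
# Stand-in identity option code from the EDNS local/experimental range
# (RFC 6891). Umbrella's real code and layout are not in the deck; this is an
# assumption for the example.
DEVICE_ID_OPTION = 65001


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt, off):
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(qname, device_id=None, txid=0x1234):
    """A/IN query; with device_id set, append an OPT RR carrying the identity
    option (what the WLC does when it re-forwards a snooped client query)."""
    arcount = 0 if device_id is None else 1
    pkt = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1, one question
    pkt += encode_name(qname) + struct.pack(">HH", 1, 1)            # QTYPE A, QCLASS IN
    if device_id is not None:
        option = struct.pack(">HH", DEVICE_ID_OPTION, len(device_id)) + device_id
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        pkt += b"\x00" + struct.pack(">HHIH", OPT_RR_TYPE, EDNS_UDP_PAYLOAD, 0, len(option)) + option
    return pkt


def parse_query(pkt):
    """Resolver-side view: question plus any EDNS options keyed by option code."""
    txid, _flags, qd, _an, _ns, ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack_from(">HH", pkt, off)
    off += 4
    options = {}
    for _ in range(ar):
        _, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != OPT_RR_TYPE:
            continue
        i = 0
        while i + 4 <= len(rdata):
            code, ln = struct.unpack_from(">HH", rdata, i)
            options[code] = rdata[i + 4:i + 4 + ln]
            i += 4 + ln
    return {"id": txid, "qname": qname, "qtype": qtype, "options": options}


# Constructed policy data: registered profiles with their blocked categories,
# and a tiny domain-to-category map standing in for Umbrella's categorisation.
PROFILES = {
    b"wlc-hq-guest": {"malware", "phishing", "social"},
    b"wlc-hq-corp": {"malware", "phishing"},
}
CATEGORIES = {
    "evil.example": "malware",
    "social.example": "social",
    "intranet.example": "business",
}


def resolve_policy(pkt):
    """Decision for one query: block/allow under the tagged profile, or a
    non-decision when the tag is missing or names an unregistered profile."""
    q = parse_query(pkt)
    device = q["options"].get(DEVICE_ID_OPTION)
    if device is None:
        return "untagged"
    blocked = PROFILES.get(device)
    if blocked is None:
        return "unknown-profile"
    return "block" if CATEGORIES.get(q["qname"]) in blocked else "allow"


if __name__ == "__main__":
    pkt = build_query("evil.example", b"wlc-hq-guest")
    print(pkt.hex())
    print(parse_query(pkt))
    print(resolve_policy(pkt))
```

The identity is asserted by the forwarder, not by the client, which is why the WLC registers with a token first: the resolver should only honour the tag from registered forwarders, and the snooping device should strip or overwrite any OPT option a client inserts itself, otherwise a client could choose its own policy.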
Role Based Cisco Umbrella Policy
Cisco Umbrella Profile Mapping in Local Policy
(Diagram: AAA user role Contractor → Contractor Policy in Umbrella; AAA user role Employee → Employee Policy in Umbrella)
Location Based Cisco Umbrella Policy
Cisco Umbrella Profile Mapping in AP Group
(Diagram: Corporate HQ AP group → Corporate Policy in Umbrella; Branch Office AP group → Branch Policy in Umbrella)

Category Based Filtering on Umbrella
Umbrella Reporting – Security Overview
• Visualize security activity in real time with aggregated reports.
• Schedule and get reports to your inbox.
• Pinpoint the infected device or user targeted by advanced attacks to reduce time to remediation.
Umbrella Reporting – Activity Search
• Activity Search: filter by response – Blocked, Allowed, Proxy
• Filter by time – last 24 hours, today, yesterday, last 7 days, last 30 days
• Detail on activity, e.g. which OpenDNS policy blocked the site

Encrypted Traffic Analytics (ETA)
Encryption Is Changing The Threat Landscape
(Chart: percent of the IT budget earmarked for encryption, FY05 through FY15 with a straight-line projection to 2017 and 2019; the series rises from 16% in FY05 to 41% in FY15, labelled "extensive deployment of encryption". Source: Thales and Vormetric)
Network threats are getting smarter…and finding ways to stay hidden
(Chart, July through December. *Source: Cisco ThreatGrid Analysis 2015)
Cisco's Threat Intelligence Map
• Talos maps the who-is-who of the Internet's dark side
• Models use up to 20 features of 150 million malicious, risky or otherwise security-relevant endpoints on the Internet
• These data features include domain data, whois data, TLS certificate data, usage statistics and behavioral data for each server
Image: http://census2012.sourceforge.net/images.html
Initial Data Packet
• HTTPS header contains several information-rich fields
• Server name provides domain information
• Crypto information educates us on client and server behavior and application identity
• Certificate information is similar to whois information for a domain
• And much more can be understood when we combine the information with global data
Sequence of Packet Lengths and Times
• Size and timing of the first packets allow us to estimate the type of the data inside the encrypted channel
• We can distinguish video, web, API calls, voice and other data types from each other and characterize the source within the class
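As an added example (not code from the Cisco deck nor from Cisco's ETA implementation), the Python below shows the two data sources the Initial Data Packet and Sequence of Packet Lengths and Times slides describe: it parses the server name, cipher suites and extension types out of a TLS ClientHello, and computes a sequence-of-packet-lengths-and-times (SPLT) vector over the first packets of a flow. The ClientHello bytes and the two packet timelines are constructed inline; the "web" and "video" flows are illustrative shapes, not measured traffic.

```python
"""Added example: ETA-style features from the first packets of a TLS flow.
Not Cisco code; the ClientHello and the packet timelines are constructed."""
import struct


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; return version, SNI,
    cipher suites and extension types. Raises ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:            # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                    # version + client random
    pos += 1 + hello[pos]                            # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
               for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                            # compression methods
    sni, ext_types = None, []
    if pos + 2 <= len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 0x0000 and len(edata) >= 5:  # server_name extension
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "sni": sni,
            "cipher_suites": ciphers, "extensions": ext_types}


def build_client_hello(server_name: str, ciphers: list) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    name = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    reneg_ext = struct.pack("!HH", 0xFF01, 1) + b"\x00"   # renegotiation_info
    exts = sni_ext + reneg_ext
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def splt_features(packets, n: int = 5) -> dict:
    """Sequence of Packet Lengths and Times for the first n packets.
    packets: (time_s, length_bytes, direction) with direction +1 for
    client->server and -1 for server->client. Lengths are signed by
    direction; times are inter-arrival gaps in milliseconds."""
    first = packets[:n]
    lengths = [direction * length for _, length, direction in first]
    gaps = [round((first[i][0] - first[i - 1][0]) * 1000, 1)
            for i in range(1, len(first))]
    return {"lengths": lengths, "inter_arrival_ms": gaps}


# Constructed flows: a short web fetch and a video stream (illustrative only).
WEB_FLOW = [(0.000, 517, 1), (0.030, 1460, -1), (0.031, 1460, -1),
            (0.032, 126, 1), (0.060, 320, -1)]
VIDEO_FLOW = [(0.000, 517, 1), (0.030, 1460, -1), (0.050, 1460, -1),
              (0.070, 1460, -1), (0.090, 1460, -1)]

if __name__ == "__main__":
    hello = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F])
    print(parse_client_hello(hello))
    print(splt_features(WEB_FLOW))
    print(splt_features(VIDEO_FLOW))
```

The parser only reads the cleartext handshake, which is exactly what ETA can see without decrypting anything; the SPLT vector (a burst of server-to-client MTU-sized packets at a steady cadence for the video flow, a short request/response pattern for the web flow) is the kind of feature a classifier is trained on.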
Stealthwatch: Encrypted Traffic Analytics
Screenshot: Stealthwatch incident view populated by Encrypted Traffic Analytics.
Apple + Cisco
Cisco Apple Wireless Features Journey
Phase 1 (AireOS 8.3, 8.3 MR1; iOS 10.0+)
• QoS Optimizations
  • Fastlane: business-relevant applications prioritized
• Roaming Optimizations
  • Adaptive 802.11r: Fast Transition is enabled automatically for iOS 10 clients
  • Auto 802.11k/v: 11k/v are enabled by default and optimized to provide ‘best next AP’
Phase 2 (AireOS 8.5+ with iOS 11.0+; AireOS 8.3 with Mac OS 10.13)
• Analytics Optimizations
  • 11k neighbor map: iOS 11 client sends a list of neighbor APs upon joining the cell
  • Disconnection reason: iOS 11 client tells us why it disconnects
  • Identity: the iOS client tells us who it is (model, iOS version)
• MacOS Optimizations
  • Fastlane on Mac OS 10.13 and later. Upstream QoS prioritization available on iOS and Mac OS
The Subtle Way: 802.11k (and 802.11v)
• Let’s start with 802.11k
Post-Association Steering:
Without 802.11k: “-70 dBm, I need to roam and scan: ch 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165, then 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140”. Total score: 6 seconds. The device loses WiFi connectivity with AP1 before re-establishing connection with AP2 (non-seamless handover).
With 802.11k: “-70 dBm, I need to roam and scan shortlist ch 40, 48, 157. Found usable AP? yes -> roam”. Total score: 200 ms. No usable AP found? -> full scan.
802.11v: Send your BYOD to the Next (Best) Cell
• 802.11k vs 802.11v BSS Transition Management
• 802.11k neighbor list: client “What could my next AP be?”, AP “Here are the best 6 for you”
• 802.11v Solicited request: client “Need to roam, what AP do you recommend?”, AP “Try this one”
• 802.11v Unsolicited request: client “Want to join your cell”, AP “Nah, load too high, go there instead”
• 802.11v Unsolicited Optimized Roaming request: AP “Your RSSI / rates are too low, roam to there instead”
802.11r: Fast BSS Transition (AKA Fast Roaming)
• Standard WPA2 (802.1x): Disassociation -> full reauth against RADIUS -> 4 way handshake -> new key. Score: up to 6 seconds
• 802.11r (FT): Disassociation -> 4 way handshake -> new key, with no full reauth (diagram labels: MDIE, PMKR1, PMKR2). Score: less than 100 ms
Cisco and Apple Optimized Roaming
Association:
• Non-Cisco AP: legacy client cannot join the same SSID where 11r is enabled
• Cisco AP: “I recognize that you are an Apple iOS device; 11r is enabled for you; 802.11k, 802.11v are on by default”. A legacy client that does not support 11r/k/v can join the same SSID
Adaptive 11r/k/v
Features enabled by default on a newly created SSID
Roaming Performance: 10x Better end-user Browsing and App Experience
Chart: Time (s)* with QoS and 802.11r/k/v vs. no QoS and no 802.11r/k/v
*Time Interval between last packet on previous AP, and first packet on next AP
Fast Lane enables network administrator to prioritize applications per your environment
• Admin can provision Apple iOS device with a QoS profile*
• Applications in whitelist get QoS marking**
• Other applications get BE/BK
Example profiles per environment (Cisco APs supporting Fast Lane):
• “My profile for this environment: Webex = Realtime-interactive, Viber = BE”
• “My profile for this environment: Webex = BE, Viber = Voice”
*Without a profile, all applications are whitelisted by default in a Fast Lane cell
**Fast Lane does NOT override apps QoS, it either allows the app QoS or applies BE
QoS Profile | Voice QoS Trust | AutoQoS | Better EDCA
Fast Lane
• Enabling Fast Lane:
  • Sets the WLAN for Platinum
  • Sets WMM to Required
  • Platinum profile sets Max Priority to voice (UP 6), non-WMM and multicast to BE, 802.1p disabled, bandwidth contracts disabled
  • EDCA profile is set to Fast Lane
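The whitelist semantics of the two Fast Lane slides (a profiled app keeps its own marking up to the Platinum ceiling, everything else and any non-WMM client is sent best effort) as an added Python example; this is not Cisco or Apple code, and the profile contents, application names and requested markings are constructed.

```python
"""Added example: how a Fast Lane QoS profile gates the QoS an application
asks for. Not Cisco/Apple code; profiles, app names and markings are made up."""

UP_BE, UP_BK, UP_VIDEO, UP_VOICE, UP_NC = 0, 1, 5, 6, 7
PLATINUM_MAX_UP = UP_VOICE           # Platinum profile: max priority is voice (UP 6)

# 802.11 access category for each user priority (IEEE 802.11 UP-to-AC mapping).
ACCESS_CATEGORY = {0: "AC_BE", 3: "AC_BE", 1: "AC_BK", 2: "AC_BK",
                   4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

# Constructed whitelists for two environments, modelled on the slide's examples:
# an app listed here keeps its own marking; an app not listed is sent as BE.
PROFILE_OFFICE = {"Webex"}     # "Webex = Realtime-interactive, Viber = BE"
PROFILE_FIELD = {"Viber"}      # "Webex = BE, Viber = Voice"


def fastlane_up(app: str, requested_up: int, whitelist=None,
                wmm_client: bool = True) -> int:
    """Return the UP the AP honours for one frame.
    whitelist None = no profile pushed = every app is whitelisted (footnote *).
    Whitelisted apps keep their own marking, capped at the Platinum ceiling;
    everything else, and any non-WMM client, is sent as best effort."""
    if not wmm_client:                      # Platinum: non-WMM -> BE
        return UP_BE
    if whitelist is not None and app not in whitelist:
        return UP_BE                        # not in profile -> BE (footnote **)
    return min(requested_up, PLATINUM_MAX_UP)


def classify(app, requested_up, whitelist=None, wmm_client=True):
    """(UP, access category) the frame ends up in after Fast Lane policy."""
    up = fastlane_up(app, requested_up, whitelist, wmm_client)
    return up, ACCESS_CATEGORY[up]


if __name__ == "__main__":
    for env, wl in (("office", PROFILE_OFFICE), ("field", PROFILE_FIELD),
                    ("no profile", None)):
        for app, up in (("Webex", UP_VOICE), ("Viber", UP_VOICE), ("Mail", UP_VIDEO)):
            print(env, app, classify(app, up, wl))
```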
Cisco Apple Phase 2 : iOS Analytics
• Beacon Reporting to the Access Point by iOS Client
• Enhanced Dis-Association Reason to the Access Point by iOS Client
• iOS Version information to the Access Point by iOS Client
Video demo : https://youtu.be/1XCqV0Pux_s
How does the client see the Network?
The infrastructure does not know why this AP was chosen, because the infrastructure does not know how the client saw the network.
Why is this a problem?
Because without that view, the infrastructure cannot help this (or other) client find the “best AP”.
How do Cisco and Apple solve this?
Right after successful key-exchange during association, the iOS 11 device sends to its AP an 802.11k beacon report (Unsolicited mode).
“This is how I see the network”:
BSSID              Channel  Signal
bb:bb:cc:dd:ee:ff  52       -72 dBm
cc:bb:cc:dd:ee:ff  149      -86 dBm
dd:bb:cc:dd:ee:ff  153      -68 dBm
Where can I see this Scan report on WLC?
Client detail page in the controller UI as Client Scan Report.
How can we use this neighbor map?
• To draw a super-accurate RF map of the floor, and help other clients roam
• When a new client enters the cell, and asks for a neighbor map, we can tailor the map to this client location!
• When another client needs to roam, we can suggest the best AP, seen from where the client sits!
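An added Python example (not Cisco WLC code) of the use the slide above and the 802.11k/802.11v slide describe: client beacon reports are aggregated into a per-serving-AP neighbor map, and that map answers an 802.11k neighbor-list request ("here are the best 6 for you"), gives the channel shortlist a client should probe first, and produces the single-candidate answer to an 802.11v solicited request. The report rows, BSSIDs and the roam threshold and minimum-gain parameters are constructed for illustration; the first three rows are the slide's table.

```python
"""Added example: aggregate unsolicited 802.11k beacon reports into a
per-serving-BSSID neighbor map and answer 11k neighbor-list and 11v BSS
transition requests from it. Not Cisco WLC code; all reports are constructed."""
from collections import defaultdict
from statistics import median

# Constructed beacon reports: (serving_bssid, reported_bssid, channel, rssi_dbm).
# The first three rows are the slide's table, sent by one client on AP aa:...;
# the rest come from two further (constructed) clients on the same AP.
REPORTS = [
    ("aa:bb:cc:dd:ee:ff", "bb:bb:cc:dd:ee:ff", 52, -72),
    ("aa:bb:cc:dd:ee:ff", "cc:bb:cc:dd:ee:ff", 149, -86),
    ("aa:bb:cc:dd:ee:ff", "dd:bb:cc:dd:ee:ff", 153, -68),
    ("aa:bb:cc:dd:ee:ff", "bb:bb:cc:dd:ee:ff", 52, -70),
    ("aa:bb:cc:dd:ee:ff", "dd:bb:cc:dd:ee:ff", 153, -66),
    ("aa:bb:cc:dd:ee:ff", "ee:bb:cc:dd:ee:ff", 36, -80),
    ("aa:bb:cc:dd:ee:ff", "bb:bb:cc:dd:ee:ff", 52, -74),
    ("aa:bb:cc:dd:ee:ff", "dd:bb:cc:dd:ee:ff", 153, -64),
]


def build_neighbor_map(reports):
    """serving_bssid -> {neighbor_bssid: (channel, median_rssi, sample_count)}.
    The median resists a single client with a bad antenna or odd position."""
    samples = defaultdict(lambda: defaultdict(list))
    channels = {}
    for serving, seen, channel, rssi in reports:
        samples[serving][seen].append(rssi)
        channels[seen] = channel
    nmap = {}
    for serving, seen_map in samples.items():
        nmap[serving] = {
            bssid: (channels[bssid], median(rssis), len(rssis))
            for bssid, rssis in seen_map.items()
        }
    return nmap


def neighbor_list(nmap, serving_bssid, max_candidates=6):
    """802.11k neighbor report: best candidates around this AP, strongest first."""
    neighbors = nmap.get(serving_bssid, {})
    ranked = sorted(neighbors.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(bssid, ch, rssi) for bssid, (ch, rssi, _) in ranked[:max_candidates]]


def scan_shortlist(nmap, serving_bssid):
    """Channels a client should probe first (the 11k shortlist), in rank order."""
    channels = []
    for _, ch, _ in neighbor_list(nmap, serving_bssid):
        if ch not in channels:
            channels.append(ch)
    return channels


def btm_candidate(nmap, serving_bssid, client_rssi, roam_threshold=-70, min_gain=5):
    """802.11v solicited request: recommend one AP if the client is below the
    roam threshold and a neighbour is at least min_gain dB better (as seen by
    peers on this AP). Returns None when staying put is the better answer."""
    if client_rssi >= roam_threshold:
        return None
    best = neighbor_list(nmap, serving_bssid, max_candidates=1)
    if best and best[0][2] - client_rssi >= min_gain:
        return best[0][0]
    return None


if __name__ == "__main__":
    nmap = build_neighbor_map(REPORTS)
    print(neighbor_list(nmap, "aa:bb:cc:dd:ee:ff"))
    print(scan_shortlist(nmap, "aa:bb:cc:dd:ee:ff"))
    print(btm_candidate(nmap, "aa:bb:cc:dd:ee:ff", client_rssi=-75))
```

The map is keyed by the serving BSSID because that is the only location information the AP has for a client that has just associated; a production controller would also weight reports by age and drop neighbours that no longer beacon.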
How does the Network see the device?
Usually as an iPad or iPhone with DHCP and HTTP Device profiling.
When is this not enough?
When we need to characterize device model and OS specific behaviors in the network.
How do Cisco and Apple solve this?
After association, the iOS 11 client also tells us about itself: “This is who I am: I am iOS 11.0, iPhone 7”. We can then correlate platform and OS to behavior at different points of time and space.
Where can I see this on WLC?
Client summary and client detail page.
Why did the Client go away?
Do we know why client disassociated?
When a client roams or disconnects, it sends a disassociation message. The AP does not always know why… bad signal? Something else?
Why is this a problem?
Without knowing why a client is gone, we cannot help other clients in the same location (is this location okay? Is there a better AP there? Is there incompatibility in config at this location?)
How do Cisco and Apple solve this?
The Apple device sends a proprietary reason code (“Why I disassociated last: Reason Code”). Reasons for disassociation:
• DHCP Failed
• EAP Timed out
• 802.1x Failed
• Device Idle
• Captive Portal security Failed
• Decryption Failed
• WiFi Interface Disabled
• User-Triggered Disassociation
• Peer-Triggered Disassociation
• Beacon Loss
Where can I see this Reason code on WLC?
Client detail page in the controller UI.
How can we use this Reason Code?
• Help other clients in the same location if there is an RF issue
• Collect data to understand patterns (where clients go, etc)
Cisco DNA-C Assurance Apple Insights
1. Device Profile: client shares these details: iPhone 7, iPad Pro; iOS 11. Supports per device-group policies and analytics.
2. Wi-Fi Analytics: client shares these details: BSSID, RSSI, channel #. Insights into the client’s view of the network.
3. Assurance: client shares these details: error code for why it previously disconnected. Provides clarity into the reliability of connectivity.
Cisco DNAC Client 360°
Platform Support for Cisco Apple Analytics
Device Type: iPhone
• Device Hardware: iPhone 7 (internal name iPhone9,1 and iPhone9,3); iPhone 7 Plus (iPhone9,2 and iPhone9,4); iPhone 8 (iPhone10,1 and iPhone10,4); iPhone 8 Plus (iPhone10,2 and iPhone10,5); iPhone X (iPhone10,3 and iPhone10,6)
• Apple iOS Software: 11.0 and higher
• Cisco AireOS Software: 8.5+
• Access Point Support: 802.11ac APs
Device Type: iPad
• Device Hardware: iPad Pro (12.9-inch) (internal name iPad6,7 and iPad6,8); iPad Pro (9.7-inch) (iPad6,3 and iPad6,4); iPad Pro (12.9-inch, 2nd gen) (iPad7,1 and iPad7,2); iPad Pro (10.5-inch) (iPad7,3 and iPad7,4)
• Apple iOS Software: 11.0 and higher
• Cisco AireOS Software: 8.5+
• Access Point Support: 802.11ac APs
Cisco Security Connector
• Extend visibility and control to iOS devices
• Single app to enable multiple security technologies
• Deploy to supervised devices through MDM solutions
• No impact to employees’ mobile experience
The technology behind it
Umbrella
• Ensure all DNS requests are sent to Umbrella
• Adds protection when iOS users are off-network; on public Wi-Fi and cellular networks
• Simplest, most user friendly solution in the market
• Licensed by number of user seats
Clarity (AMP for Endpoints)
• Enable audit of iOS device users and their applications
• Visibility into usage and network resources accessed by mobile apps
• First vendor to get this level of access to iOS
• Licensed by number of devices
Download the Cisco Fast Lane QoS App
Download URL http://cs.co/fastlaneqos
Cisco & Apple Best Practices
http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Enterprise_Best_Practices_for_Apple_Devices_on_Cisco_Wireless_LAN.pdf
• Wireless LAN Considerations
• Quality of Service
• Application Visibility and Control
• Roaming Enhancements for Apple Devices
• Wi-Fi calling with Apple Devices on Cisco WLAN
• Apple Bonjour Services on Cisco WLAN
• Knowing your Wireless Environment
Learn More
• Cisco Website: cisco.com/go/apple (http://cisco.com/c/r/en/us/internet-of-everything-ioe/ios-business-collaboration.html)
• Cisco Live Sessions: ciscolive.com
• Apple Webpage: apple.com/ipad/business/work-with-apple/cisco/
• WWDC Sessions: developer.apple.com/wwdc/live/
Wireless Best Practices
Deployment Lifecycle
The Bigger Picture
• Design / Planning: Mobility Design Guides, Data Sheets, RF Planner, Site Survey
• Provision / Easy Setup: Day-0 Best Practices, Express Setup, Plug and Play
• Optimize / Operate: Optimizing RF, Prioritize Apps, Segment and Secure
• Assurance / Analytics: Workspace Analytics, Monitoring and Real time Diagnostics
Easy Setup with Best Practices
Next-Gen Wireless Office Goal:
WLAN Express Setup w/ Best Practice Defaults
• AVC Visibility
• mDNS Snooping
• New mDNS Profile for printer, http
• Local Profiling
• Band Select
• DHCP Proxy
• Secure Web access
• Virtual IP 192.0.2.1
• RRM-DCA Auto
• RRM-TPC Auto
• CleanAir Enabled
• EDRRM Enabled
• Channel Width 40 MHz
• Aironet IE Disabled
• Management over Wireless disabled
• Load Balancing
• Rogue Threshold Enabled
• Client Exclusion Enabled
• FastSSID Enabled
• Infra MFP
• Multicast Forwarding Mode
• SNMPv3 (delete default)
• Mobility Name
• RF Group same as Mobility Name
• DHCP Required on Guest WLAN
• 5 GHz Channel Bonding
Optimum starting point at Day 0/1 network setup: RF parameter setting ease of use; enhanced performance, security, resiliency with best practice recommendations turned on at boot up time; save time & money.
Best Practices Audit
Add Ignored Best Practices: a popup that displays the ignored best practices which can be re-added.
Adding a Best Practice: clicking on an ignored best practice will re-add it.
Cisco and Apple Best Practices (8.5)
http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Optimizing_WiFi_Connectivity_and_Prioritizing_Business_Apps.pdf
http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Enterprise_Best_Practices_for_Apple_Devices_on_Cisco_Wireless_LAN.pdf
Access Point Provisioning with PnP
Example PnP server entry:
PID: AIR-CAP3702I-A-K9 | Serial #: RFD0PP2T025 | Hostname: AP-Store1-1 | WLC IP address: 192.168.15.1 | AP Mode: FlexConnect | Flex Group name: FlexGrp1
• Network Admin pre-provisions APs in the PnP server: WLC IP (Prim/Sec/Ter), AP Name, AP Mode (Flex), AP Group Name, Flex Group Name
• Installer: mount and cable devices, power-on
• Day 0 (Cisco Public Cloud, PnP Server): places AP in appropriate Group, applies relevant configs to AP
* Resources required for PnP: 64 Gb RAM, 500 Gb Storage. Scale: 10,000 devices
Deployment Lifecycle
The Bigger Picture
Self-Optimizing RF network
• XOR radio modes: 5GHz Serving, 2.4GHz Serving, 5/2.4GHz Monitor
• Enabled by Dual 5GHz
• Adjust Radio Bands to Better Serve the Environment
Feature areas: RF Optimized, Connectivity Optimized, Optimized Roaming
• RX-SOP
• HDX Turbo Performance
• Event Driven RRM
• XOR Radio / FRA
• Cisco CleanAir®
• RF Profiles
• RRM, DCA, TPC, CHDM
• Load Balancing
• Band Select
• Client Link 4.0
• Off-Channel Scanning
• Flex DFS
• DBS
XOR Radio and FRA
Diagram: each AP’s XOR radio moves between 2.4GHz Serving, 5GHz Serving and 2.4-5GHz Monitoring.
• FRA-auto (default value) or Manual
• Auto 2.4 -> 5GHz or Monitor Mode
• Transition to 2.4 GHz if coverage drops
Optimize Wi-Fi with CleanAir
Quickly Identify and Mitigate Wi-Fi Impacting Interference
Diagram: interference detected on channel 48 across a group of APs.
• Interference on 20/40/80/160 MHz
• Air Quality and Interference by AP/radio on WLC
• AQ Threshold trap and Interference Device trap (per radio)
• CleanAir-enabled RRM
• Network Air Quality and Interference Location with PI 3.1.x and MSE 8.0.
FlexDFS with Dynamic Bandwidth Selection
FlexDFS + DBS: automatic and intelligent use of spectrum
• Identifies radar frequency to 1 MHz
• FlexDFS isolates radar event to 20MHz
• DBS allows best channel and width
Diagram: an 80 MHz channel made of 52, 56, 60, 64 (Primary 20, Secondary 20, Secondary 40); interference is impacting only channel 60.
DBS combined with FlexDFS: Increased confidence in using wider channel bandwidth; reduced radio flapping. Optimizes HD Experience.
Better Support for Users on the Move
Optimized Roaming
Optimized Roaming: Wireless Devices Connect to the Most Effective AP (addresses Client Stickiness)
Better Client Connectivity
RXSOP, Load Balancing, Band Select
Fine-tuning HDX with RF Profiles
High Density Features: Event Driven RRM, Optimized Roaming, RX-SOP, Dynamic Bandwidth Selection, TPC, DCA, CHDM, FlexDFS
• CleanAir
• ClientLink 4.0
• Turbo Performance
Pre-canned RF Profiles: Client Distribution, Data Rates, DCA, TPC, CHDM, Profile Threshold for Traps
RF & RRM: Disable lower .11b Data Rates, Limit SSIDs
Wireless 802.11b/g/n Network
• Management frames sent at lowest mandatory rate - slows down the entire cell
• Each SSID needs a separate probe response and beaconing, the more SSIDs the less RF space available for real data traffic
RF design recommendations
• Apple client device should observe a minimum of 2 APs with an RSSI measurement of -67 dBm
• Channel Utilization = 25 dB.
• 802.11 retransmissions (802.11a/n/ac > Network)
For Your Reference – videos (click https://www.youtube.com/user/CiscoWLAN/):
• Mobile Enterprise https://www.youtube.com/watch?v=bh8rEvrzm7Y&feature=youtu.be
• Prioritized Business Apps https://www.youtube.com/watch?v=z0EOKNxL964&feature=youtu.be
• Apple and Cisco: Three Solutions Coming Together https://www.youtube.com/watch?v=7MgsDkf55wQ&feature=youtu.be
• Wi-Fi Optimized Feature https://www.youtube.com/watch?v=xgPfxAolJoQ&feature=youtu.be
• Fastlane App Demo https://www.youtube.com/watch?v=N1QMUcv3aRQ
• Cisco APIC-EM Wireless PnP Demo https://www.youtube.com/watch?v=_9P2-bU66PU
• Cisco Aironet Plug and Play Cloud Redirection https://www.youtube.com/watch?v=W7fBZ6xfSxw
• Wireless LAN Controller Dashboard Review https://www.youtube.com/watch?v=af09TBaafRI&feature=youtu.be
• Cisco Wireless Mobile App https://www.youtube.com/watch?v=HyvZ4mbVAWs
• WLC Advanced UI Client Troubleshooting https://www.youtube.com/watch?v=dZVxI6jOx_Q
• ISE Simplified Wireless Setup https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Cisco Wireless TrustSec Demo https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Cisco Wireless Netflow Lancope Integration Demo https://www.youtube.com/watch?v=TuWYkrt94CQ
• Cisco Umbrella Integration with WLC https://www.youtube.com/watch?v=cMdX8sBBYG4
Further links on the same slide (titles not captured):
https://www.youtube.com/watch?v=KQRb8vfU0qM
https://www.youtube.com/watch?v=6ls7EHbSK4A
https://www.youtube.com/watch?v=mbpjiETvDXc
https://www.youtube.com/watch?v=dBpGsTKeyNM&t=64s
https://www.youtube.com/watch?v=ySjN13hPhXY&t=2s
https://www.youtube.com/watch?v=K_-BykT_YIM
Best Practices Summary (AireOS)
INFRASTRUCTURE
• Enable High Availability (AP and Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Modify the AP Re-transmit Parameters
• Enable FastSSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load balancing
• Disable Aironet IE
• FlexConnect Groups and Smart AP Upgrade
SECURITY
• Enable 802.1x and WPA/WPA2 on WLAN
• Enable 802.1x authentication for AP
• Change advance EAP timers
• Enable SSH and disable telnet
• Disable Management Over Wireless
• Disable WiFi Direct
• Peer-to-peer blocking
• Secure Web Access (HTTPS)
• Enable User Policies
• Enable Client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password Policies
• Enable IDS
• BYOD Timers
MESH
• Set Bridge Group Name
• Set Preferred Parent
• Multiple Root APs in each BGN
• Set Backhaul rate to "Auto"
• Set Backhaul Channel Width to 40/80 MHz
• Backhaul Link SNR > 25 dBm
• Avoid DFS channels for Backhaul
• External RADIUS server for Mesh MAC Authentication
• Enable IDS
• Enable EAP Mesh Security Mode
WIRELESS/RF
• Disable 802.11b data rates
• Restrict number of WLAN below 4
• Enable channel bonding – 40 or 80 MHz
• Enable BandSelect
• Use RF Profiles and AP Groups
• Enable RRM (DCA & TPC) to be auto
• Enable Auto-RF group leader selection
• Enable Cisco CleanAir and EDRRM
• Enable Noise & Rogue Monitoring on all channels
• Enable DFS channels
• Avoid Cisco AP Load
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
For Your Reference
Cisco Wireless LAN Documentation (For Your Reference)
INSTALLATION GUIDES
• 5520 WLC http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/5520-WLC-DG/b_Cisco-5520-WLC-deployment-guide.html
• 8540 WLC http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/8540-WLC-DG/b_Cisco-8540-WLC-deployment-guide.html
• AP1570 http://www.cisco.com/c/en/us/td/docs/wireless/technology/apdeploy/8-0/AP_1570_DG/b_Aironet_AP1570_DG.html
• AP1810 OE http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_Cisco_OfficeExtend_Access_Point_.html
• AP1810W Wall Plate http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_AIR_AP_1810W_Wall_Plate_Deployment_Guides.html
• AP1850 http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/1850_DG/b_Cisco_Aironet_Series_1850_Access_Point_Deployment_Guide.html
• AP2700/3700 http://www.cisco.com/c/en/us/td/docs/wireless/technology/apdeploy/7-6/Cisco_Aironet_3700AP.html
• AP2800/3800 http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_cisco_aironet_series_2800_3800_access_point_deployment_guide.html
• AP702W http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/702WAccessPointDG/CiscoAironetSeries_702w_AP_DG.html
• APIC-EM Wireless AP PnP http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html
• Flex7500 WLC http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/Flex_7500_DG.html
• Mesh APs http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-3/b_mesh_83.html
• Mobility Express http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_Cisco_Mobility_Express_Deployment_Guide.html
• Smart Licensing http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Smart_Licensing_Deployment_Guide.html
• Univ. AP Regulatory Domain http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/AP_Regulatory_Domain_DG/b_universal_AP_regulatory_domain_DG.html
• Virtual WLC http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Virtual_Wireless_LAN_Controller_Deployment_Guide_8-2.html
RADIO CONFIGURATION
• 802.11r BSS Fast Transition http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
• Adaptive wIPS http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html
• ATF Ph 1 & 2 http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Air_Time_Fairness_Phase1_and_Phase2_Deployment_Guide.html
• CleanAir http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/cleanair-technology/white_paper_c11-599260.html
• CMX FastLocate http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/CMX_FastLocate_DG/b_CMX-FastLocate-DG.html
• High Density http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/HDX-DG/b_hdx_dg_final.html
• Rogue Management http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html
• RRM RF Grouping Algorithm
• RRM White Paper
ENCRYPTION
• BYOD for FlexConnect
• BYOD with ISE
• Security Integration
CLIENT ADDRESSING
• Bi-Directional Rate Limiting
• Flex AP-EoGRE Tunnel Gtwy
• IPv6
• Jabber
• Jabber and UCM
• Microsoft Lync
• Passpoint Configuration
• Real-Time Traffic Over WLAN
• VideoStream
• Vocera IP Phone in WLAN
• VoWLAN Troubleshooting
POLICY ENGINE
• AVC
• Bonjour
• Chromecast
• Device Classification
• Domain Filtering
• mDNS Gateway w/Chromecast
• Wireless Device Profiling & Policy Classification
BEST PRACTICES
• Apple Devices
• Enterprise Mobility Design Guide
• High Availability (SSO)
• HyperLocation
• iPhone 6 Roaming
• N+1 High Availability
• WLAN Express
• WLC Configuration Best Practices
Channel Utilisation (36) = 20%
Channel Utilisation (108) = 24%
Intra-Cell Roaming: Macro to Micro
• The most likely scenario is a client will associate to the Macro cell first
  • Due to higher power and larger footprint
• A client that has RSSI at the AP above the Micro cell threshold of -55 dBm will be moved into the Micro cell
  • -55 dBm default, configurable by user
• For an 802.11v client, on association we will send an 11v BSS Transition request with the Micro Cell BSSID as the only candidate
• For a non 802.11v client, we will send an 802.11k neighbour list and a disassociate request
Intra-Cell Roaming: Micro to Macro
• A client could associate to the Micro cell first
  • Less likely, but possible based on device scan and channels heard
• A client that has RSSI at the AP below the Macro cell threshold of -65 dBm will be moved into the Micro cell
  • -65 dBm default, configurable by user
• For an 802.11v client, on association we will send an 802.11v BSS Transition request with the Macro Cell BSSID as the only candidate
• For a non 802.11v client, we will send an 802.11k neighbour list and a disassociate request
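The Macro/Micro steering logic of the two slides above, as an added Python example that is not Cisco code. It assumes, as the second slide's heading and its BSS Transition candidate state, that the move below the -65 dBm threshold targets the Macro cell; the gap between the two thresholds is the hysteresis band in which no move is made. The BSSIDs and the client list in the usage block are constructed.

```python
"""Added example: the intra-cell (Macro/Micro) steering decision, including
the hysteresis band between the two thresholds. Not Cisco code. Assumes the
micro-to-macro move targets the Macro cell. BSSIDs and clients are constructed."""

MICRO_THRESHOLD_DBM = -55     # default; RSSI at AP above this -> move to Micro
MACRO_THRESHOLD_DBM = -65     # default; RSSI at AP below this -> move to Macro
MACRO_BSSID = "aa:aa:aa:00:00:01"   # constructed
MICRO_BSSID = "aa:aa:aa:00:00:02"   # constructed


def steering_decision(cell, rssi_at_ap_dbm, supports_11v,
                      micro_threshold=MICRO_THRESHOLD_DBM,
                      macro_threshold=MACRO_THRESHOLD_DBM):
    """Return (target_cell, mechanism), or (None, None) when the client stays.
    Between the two thresholds no move is made, which stops ping-pong roaming."""
    if cell == "macro" and rssi_at_ap_dbm > micro_threshold:
        target = "micro"
    elif cell == "micro" and rssi_at_ap_dbm < macro_threshold:
        target = "macro"
    else:
        return None, None
    mechanism = ("11v BSS Transition request, single candidate"
                 if supports_11v else "11k neighbor list + disassociate")
    return target, mechanism


def transition_message(cell, rssi_at_ap_dbm, supports_11v):
    """The frame(s) the AP sends, as a dict (constructed representation)."""
    target, _ = steering_decision(cell, rssi_at_ap_dbm, supports_11v)
    if target is None:
        return None
    candidate = MICRO_BSSID if target == "micro" else MACRO_BSSID
    if supports_11v:
        return {"frame": "BTM Request", "candidates": [candidate]}
    return {"frame": "Neighbor Report", "candidates": [candidate],
            "followed_by": "Disassociation"}


if __name__ == "__main__":
    # Constructed clients: (name, current cell, RSSI at AP in dBm, supports 11v)
    clients = [("phone-1", "macro", -50, True), ("laptop-2", "macro", -60, True),
               ("scanner-3", "micro", -70, False), ("tablet-4", "micro", -60, True)]
    for name, cell, rssi, v in clients:
        print(name, steering_decision(cell, rssi, v), transition_message(cell, rssi, v))
```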
Macro/Macro Dual 5GHz
• Using the DART connector on the -E Model enables Dual 5 GHz cells with discrete external antennas
• Doubles the effective coverage for the cost of one additional antenna
• Doubles the effective capacity on the existing cable plant
• mGig enables necessary throughput
• Currently only supported on the 3800 series
Site Surveys
• Consider underlying requirements
  • Coverage Area
  • Number of Users
  • Application Type
  • Location Accuracy
• AP placement considerations
• Consider environmentals
• Characterise the -67dBm edges
• For location a minimum of three APs should be able to hear the device with a signal strength of -75dBm or higher
• Understand existing spectrum use
Planning Tools
• All models are wrong
  • Some of them are useful
• Planning tools can be useful for developing a preliminary design and identifying deployment problems
• The model MUST be calibrated to ensure what you see is what you get
• Always verify predicted coverage with an actual measurement
• Always remain conservative with power
  • Middle to lower end of the range should be selected
  • Many tools default to high power and can be very misleading.
• Coverage and capacity should be balanced
Channel Utilisation
• One simple change reduced the channel utilisation to 5%
  • Remove the low data rates
• Large cells = Low density
  • More users spread across a larger area, connecting at lower data rates
• Small cells = High density
  • Removing lower data rates constrains cell size
Wireless Standards
802.11n – Wi-Fi 4
• 2.4GHz and 5GHz
• 40MHz Channels
  • 5GHz band only
• Support for up to 4 SS
  • Only 3 Ultimately Deployed
• 64-QAM – 6b/symbol
• OFDM
• 40MHz Channel and 3 SS = 450Mbps (20MHz Channel = 216.70Mbps)
• 40MHz Channel and 2 SS = 300Mbps (20MHz Channel = 144.40Mbps)
• 40MHz Channel and 1 SS = 150Mbps (20MHz Channel = 72.20Mbps)
802.11ac
• 5GHz only
• 80MHz Channels
• Support for up to 8 SS
• 256-QAM – 8b/symbol
• OFDM
• 80MHz Channel and 3 SS = 1.3Gbps
• 80MHz Channel and 2 SS = 866.6Mbps
• 80MHz Channel and 1 SS = 433.3Mbps
Diagram: clients with 1SS, 1SS, 2SS and 3SS.
802.11ac Wave 2 – Wi-Fi 5
• 160MHz Channels
• MU-MIMO
  • Improves spectrum efficiency
  • Does not increase bandwidth or create spectrum
  • You can’t get more than one second out of 1s of Air Time
• 160MHz Channel and 1 SS = 866.7Mbps
• 160MHz Channel and 3 SS = 2.34Gbps
• 160MHz Channel and 4 SS = 3.47Gbps
• 160MHz Channel and 8 SS = 6.93Gbps!

802.11ax – Wi-Fi 6
• 2.4GHz and 5GHz
• 160MHz and 80+80MHz Channels
• 1024 QAM – 10b/symbol
• Support for up to 8 SS
• OFDMA
• Spatial Reuse
  • BSS Colouring
(figure: 8x4 Spatial Streams and 8x8 Spatial Streams)

11ax OFDMA Concepts
• Spatial Dimension
  • Multi-User
• Frequency Dimension
  • Sub-Channel Bandwidths
• Time Dimension
  • Scheduled Transmissions
• Variable Frequency Bandwidth per receiver
• Variable MCS per receiver
(figure: spatial, frequency and time axes; RUs in sub-channel bandwidths; longer packet length per exchange reduces overhead)

Resource Units
DL and UL OFDMA
• Users can be assigned different Resource Unit bandwidths
  • 2MHz
  • 4MHz
  • 8MHz
  • 20MHz
  • 40MHz
  • 80MHz
  • 160MHz
(figure: one AP serving User #1 at 40MHz, User #2 at 20MHz, User #3 at 8MHz and User #4 at 8MHz within the same transmission)

OFDMA is Multi-User
Now overlay MU-MIMO

OFDMA and MU-MIMO
• Within OFDMA any RU 106 or larger can multiplex up to 8 SS split between users
  • DL/UL MU-MIMO
• Within the same 802.11ax frame, some RUs can be SU and others MU
• A 40 MHz BW signal has 4x RU106
(figure: a 40 MHz frame divided into RU106s assigned to User 1 to User 4)

Understanding RF
• Two levers for improving signal quality
  • Increase the signal
  • Or decrease the noise
• Three dimensions to increasing throughput
  • Channel Bonding
  • Digital Modulation
  • Spatial Multiplexing
• You can’t get more than one second out of 1s of Air Time

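The rate figures on the 802.11n/ac/ax slides, and the OFDMA Resource Unit sizes, all follow from the three throughput dimensions listed on this slide. The calculator below is an added example, not part of the Cisco deck: subcarrier counts, symbol times and guard intervals are the IEEE 802.11 values, and the 11ax Resource Unit table carries the same formula over to per-user OFDMA rates.

```python
"""802.11n/ac/ax PHY data-rate calculator (added example, not from the Cisco deck).

Each headline rate on the slides (450Mbps, 433.3Mbps, 6.93Gbps, ...) is
data subcarriers (channel bonding) x bits per subcarrier x coding rate
(digital modulation) x spatial streams (spatial multiplexing), divided by
the OFDM symbol time. Subcarrier counts and symbol/guard-interval durations
are the IEEE 802.11 values.
"""

# Data subcarriers per channel width (11n/11ac: 3.2 us symbol; 11ax: 12.8 us symbol)
DATA_SUBCARRIERS = {
    "n": {20: 52, 40: 108},
    "ac": {20: 52, 40: 108, 80: 234, 160: 468},
    "ax": {20: 234, 40: 468, 80: 980, 160: 1960},
}
# 11ax Resource Unit size in tones -> data subcarriers
# (the slide's rounded widths: 26=2MHz, 52=4MHz, 106=8MHz, 242=20MHz, 484=40MHz, 996=80MHz, 2x996=160MHz)
RU_DATA_SUBCARRIERS = {26: 24, 52: 48, 106: 102, 242: 234, 484: 468, 996: 980, 1992: 1960}
# Bits per subcarrier per symbol for the modulations named on the slides
BITS_PER_SUBCARRIER = {"64-QAM": 6, "256-QAM": 8, "1024-QAM": 10}
# Highest modulation each amendment introduced
DEFAULT_MODULATION = {"n": "64-QAM", "ac": "256-QAM", "ax": "1024-QAM"}


def symbol_time_us(standard, short_gi=True):
    """OFDM symbol time including the guard interval."""
    if standard in ("n", "ac"):
        return 3.2 + (0.4 if short_gi else 0.8)
    if standard == "ax":
        return 12.8 + 0.8  # 11ax GI options are 0.8/1.6/3.2 us; 0.8 us gives the peak rate
    raise ValueError(f"unknown standard {standard!r}")


def phy_rate_mbps(standard, data_subcarriers, nss, modulation=None, coding_rate=5 / 6, short_gi=True):
    """Raw PHY rate: subcarriers x streams x bits/subcarrier x code rate / symbol time.
    Bits per microsecond are already Mbps, so no unit conversion is needed."""
    modulation = modulation or DEFAULT_MODULATION[standard]
    bits_per_symbol = data_subcarriers * nss * BITS_PER_SUBCARRIER[modulation] * coding_rate
    return bits_per_symbol / symbol_time_us(standard, short_gi)


def channel_rate_mbps(standard, width_mhz, nss, modulation=None, coding_rate=5 / 6, short_gi=True):
    """Rate for a whole bonded channel, e.g. 11n 40 MHz with 3 SS -> 450 Mbps."""
    subcarriers = DATA_SUBCARRIERS[standard][width_mhz]
    return phy_rate_mbps(standard, subcarriers, nss, modulation, coding_rate, short_gi)


def ru_rate_mbps(ru_tones, nss, modulation="1024-QAM", coding_rate=5 / 6):
    """11ax per-user rate on one Resource Unit, e.g. RU106 (about 8 MHz) at 1024-QAM 5/6 with 1 SS."""
    return phy_rate_mbps("ax", RU_DATA_SUBCARRIERS[ru_tones], nss, modulation, coding_rate)


if __name__ == "__main__":
    cases = [
        ("11n 40 MHz, 3 SS", channel_rate_mbps("n", 40, 3)),
        ("11n 20 MHz, 1 SS", channel_rate_mbps("n", 20, 1)),
        ("11ac 80 MHz, 1 SS", channel_rate_mbps("ac", 80, 1)),
        ("11ac 160 MHz, 8 SS", channel_rate_mbps("ac", 160, 8)),
        # 3 SS at 160 MHz cannot use the 5/6 code rate, so the slide's 2.34 Gbps is the 3/4-rate entry
        ("11ac 160 MHz, 3 SS (3/4 rate)", channel_rate_mbps("ac", 160, 3, coding_rate=3 / 4)),
        ("11ax 80 MHz, 1 SS", channel_rate_mbps("ax", 80, 1)),
        ("11ax RU106, 1 SS", ru_rate_mbps(106, 1)),
    ]
    for label, rate in cases:
        print(f"{label:32s} {rate:9.1f} Mbps")
```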
Understanding Wireless
802.11 Fundamentals

ALOHAnet
Carrier Sense Multiple Access / Collision Detect
• Pure ALOHA
  • If you have data, send it
  • If you receive data while sending, there is a message collision and you must retransmit
• Slotted ALOHA
  • Stations only send at start of timeslot
  • Reduces collisions
• Clear Channel Assessment
  • Energy detection
• Hidden Node Problem

802.11 Fundamentals
Carrier Sense Multiple Access / Collision Avoidance
• Back-off Timer
  • Random number for countdown
• Contention Window (CW)
  • Backoff timer range
  • CWMin → CWMax
  • Differentiated back-off times to implement priorities
• Network Allocation Vector (NAV)
  • Total wait time before sending
  • Adjusted on energy detect

802.11 Fundamentals
Listen Before Talk
• Using 10 dBm Tx power
  • Cutoff -82 dBm
  • Cutoff -76 dBm
  • Cutoff -72 dBm
• Managed today using
  • High Gain directional antennas
  • Data Rates
  • RX-SOP
(figure: cell edges at the -82 dBm, -76 dBm and -72 dBm cutoffs against a 100 ft scale)

Receiver Start of Packet
• Rx SOP Threshold
  • Determines the signal level in dBm at which the AP will demodulate and decode a packet
• Increase RxSOP
  • Decrease radio sensitivity
  • Reduce cell size
• Auto setting uses the radio default threshold
• Custom can be used for fine tuning in very specific areas

802.11ax – Wi-Fi 6
BSS Colouring – Spatial Reuse
• Each BSS assigned a different “colour”
• Transmissions with the same colour are detected at the lowest possible level in order to prevent intra-BSS collisions
• Transmissions with a different colour are deferred to based on a more aggressive CCA value
  • High value leads to more concurrent transmissions but lower SNR
  • Low value leads to fewer concurrent transmissions but higher SNR
• Advantage goes to minimizing TP

802.11 Fundamentals
Distributed Coordination Function (DCF)
• Short Inter-frame Spacing (SIFS)
  • Silence between unicast frame and ACK
• Acknowledgement (ACK)
  • Acknowledgement frame sent by receiver to confirm receipt of the packet
• DCF Inter-frame Spacing (DIFS)
  • Silence between transmissions
• Arbitration Inter-frame Spacing (AIFS)
  • DIFS equivalent for 802.11e QoS

802.11 Fundamentals
Beacons and Probes
(figure: two access points send Beacons, one for SSID = blizzard, Security = WPA2-Enterprise and one for SSID = ciscolive, Security = Open; a client sends a Probe Request for SSID = blizzard and receives a Probe Response carrying SSID = blizzard, Security = WPA2-Enterprise, then does the same for SSID = ciscolive, Security = Open)

802.11 Fundamentals
Association
(figure: a client exchanges Association Request / Association Response, Disassociation Request / Disassociation Response and Reassociation Request / Association Response with access points for SSID = blizzard, Security = WPA2-Enterprise; the access points connect over CAPWAP to the Wireless LAN Controller)

Optimised Roaming
• Optimised Roaming
  • Wireless clients are “encouraged” to connect to the most effective Access Point
• Sticky Client Problem
  • Wireless clients make poor roaming decisions

Wireless Protected Access
WPA
• A snapshot of the 802.11i Standard
• Commonly used with TKIP encryption
WPA2
• Final version of 802.11i
• Commonly used with AES encryption
Authentication Mechanisms
• Personal (PSK – Pre-Shared Key)
• Enterprise (802.1X/EAP)
WPA3
• Wi-Fi Alliance security update
• Includes new capabilities and new certification requirements

802.11 Fundamentals
Authentication
(figure, built up over three slides: the Supplicant talks 802.1x/EAP to the Authenticator, the Wireless LAN Controller, which relays it over RADIUS to the Authentication Server, the Identity Services Engine; the access point reaches the controller over CAPWAP, and the Identity Services Engine checks credentials against an LDAP Credential Server)

802.11 Fundamentals
Authentication
(figure: EAP exchange between the client, the Wireless LAN Controller over CAPWAP and the Identity Services Engine over RADIUS)
• Identity Request
• Identity Response (relayed by the controller to the Identity Services Engine)
• EAP Type Negotiation
• Authentication Sequence Between Supplicant and Authentication Server
• EAP Success (relayed by the controller to the client)
• Association Response

WPA-Enterprise
802.1x and Extensible Authentication Protocols
• Tunnel-Based
  • Outer Methods: EAP-PEAP, EAP-FAST
  • Inner Methods: EAP-MSCHAPv2, EAP-GTC, EAP-TLS
• Certificate-Based
  • EAP-TLS

Code excerpt shown on the slide (a TLS server key exchange signature check with a duplicated goto):

    static OSStatus
    SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                     uint8_t *signature, UInt16 signatureLen)
    {
        OSStatus err;
        ...
        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashC­tx, &signedParams)) != 0)
            goto fail;
            goto fail;   /* unconditional: skips the final hash and sslRawVerify, so err is still 0 */
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
            goto fail;
        err = sslRawVerify(...);
    fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
    }

MS-CHAPv2 challenge response, as shown on the slide:

    NTHash = MD4(User Password) — 16 byte value
    Challenge Response = DES_NTHash[1:7](ChallengeHash) || DES_NTHash[8:14](ChallengeHash) || DES_NTHash[15:21](ChallengeHash)

    DES key 1 = NTHash[1:7], DES key 2 = NTHash[8:14], DES key 3 = NTHash[15:21]
    (the 16-byte hash is padded to 21 bytes, so the third key is the last 2 hash bytes followed by 5 zero bytes)

802.11 Fundamentals
Encryption
(figure: the Identity Services Engine sends EAP Success (PMK) to the Wireless LAN Controller over RADIUS and the client receives EAP Success; both sides now hold the PMK)
• PTK = SHA(PMK + ANonce + SNonce + AP MAC + STA MAC)
• Four-Way Handshake
  • ANonce
  • SNonce, MIC (both sides now hold the PTK)
  • ANonce, MIC, GTK, Sequence #
  • ACK
• AES encryption with the PTK and GTK

The Impact of Retries
• How do you know a transmission was received successfully?
  • The receiving station must send an ACK
• If an ACK is not received, the sender doubles the previous CW size and picks a new random number
  • This continues until CW reaches a maximum size of 1023 slot times
• Cisco APs will attempt to send the frame for a maximum of 64 tries before the frame is discarded

The Contention Breaking Point
(figure: Throughput (%) plotted against 1, 5, 10, 25, 50, 75 and 100 clients; callouts on the curve read 5-10% contention premium, 10-30%, 30-50% and 50-60%)
• As more clients associate and transmit, WLAN contention increases for all clients
• Retries and back off windows increase
• Each station spends more and more time in the “waiting and listening” state
• This results in a significant decrease in per-station performance

Low Latency MAC
• What happens if an ACK is not received?
  • By default, CW is doubled
  • The AP retries 64 times
• When Low Latency MAC is enabled, frames in Voice AC are only retried 3 times

802.11e / WMM QoS Enhancements
• Enhanced Distributed Channel Access (EDCA)
  • EDCA established 4 queues known as Access Categories
  • Corresponds to 802.11e User Priority (UP) QoS Field
• Each AC queue maintains different
  • Arbitration Inter Frame Spacing (AIFS) timers
  • Contention Window sizes
  • CWmin and CWmax
• Access Categories and Cisco QoS profiles: Background = Bronze, Best Effort = Silver, Video = Gold, Voice = Platinum
• Transmission Opportunity (TXOP)
  • A bounded time interval during which the STA can send as many frames as possible
• Call Admission Control (CAC)
  • Transmission Specification (TSpec)
  • CAC with TSpec aims to reserve traffic bandwidth on the AP
  • Enables the AP to decline association requests if insufficient bandwidth
  • Forces the STA to roam and find a less congested AP

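The backoff, retry and per-AC contention behaviour on the CSMA/CA, Impact of Retries, Low Latency MAC and 802.11e slides, as an added slot-level simulation (not Cisco code). The EDCA parameters are the WMM defaults from 802.11e; the attempt limit, the 2000 access cycles, the seed and the MAC addresses are assumed for the demo, and AIFS is simplified to a fixed number of slots charged once per backoff draw.

```python
"""Slot-level model of 802.11 DCF/EDCA contention (added example, not Cisco code).

Each saturated station draws a random backoff in [0, CW], counts down while the
medium is idle and transmits at zero. If exactly one station reaches zero in a
slot the frame is ACKed and its CW resets to CWmin; if two or more do, they
collide, double CW (capped at CWmax) and redraw. Attempts are capped the way the
deck describes (64 tries by default; Low Latency MAC cuts Voice to 3).
"""
import random

# WMM / 802.11e default EDCA parameters per Access Category: (CWmin, CWmax, AIFSN)
EDCA = {
    "voice": (3, 7, 2),
    "video": (7, 15, 2),
    "best_effort": (15, 1023, 3),
    "background": (15, 1023, 7),
}


def next_cw(cw, cwmax):
    """Binary exponential backoff after a failed attempt: (CW+1) doubles, capped at CWmax."""
    return min(2 * (cw + 1) - 1, cwmax)


def cw_sequence(ac, max_attempts):
    """CW used on the first attempt and on each retry of one frame, e.g. 15, 31, ..., 1023."""
    cwmin, cwmax, _ = EDCA[ac]
    seq = [cwmin]
    while len(seq) < max_attempts:
        seq.append(next_cw(seq[-1], cwmax))
    return seq


class Station:
    """A saturated station (always has a frame queued) in one Access Category."""

    def __init__(self, ac, rng, max_attempts):
        self.ac = ac
        self.cwmin, self.cwmax, self.aifsn = EDCA[ac]
        self.rng, self.max_attempts = rng, max_attempts
        self.cw, self.attempt = self.cwmin, 1
        self.successes = self.collisions = self.discards = 0
        self.draw()

    def draw(self):
        # Simplification: AIFS is charged once per draw, in slot units, ahead of the random backoff.
        self.backoff = self.aifsn + self.rng.randint(0, self.cw)

    def on_collision(self):
        self.collisions += 1
        if self.attempt >= self.max_attempts:
            self.discards += 1  # frame discarded after the retry limit (64 on a Cisco AP per the deck)
            self.cw, self.attempt = self.cwmin, 1
        else:
            self.cw, self.attempt = next_cw(self.cw, self.cwmax), self.attempt + 1
        self.draw()

    def on_success(self):
        self.successes += 1
        self.cw, self.attempt = self.cwmin, 1
        self.draw()


def simulate(acs, rounds=2000, max_attempts=64, seed=1):
    """Run `rounds` channel-access cycles for one station per entry in `acs`.
    Returns each station's success fraction (frames delivered per cycle), collisions and discards."""
    rng = random.Random(seed)
    stations = [Station(ac, rng, max_attempts) for ac in acs]
    collisions = 0
    for _ in range(rounds):
        soonest = min(s.backoff for s in stations)
        winners = [s for s in stations if s.backoff == soonest]
        for s in stations:
            if s not in winners:
                s.backoff -= soonest  # counted down `soonest` slots, then froze while the medium was busy
        if len(winners) == 1:
            winners[0].on_success()  # exactly one station reached zero: the frame gets its ACK
        else:
            collisions += 1
            for s in winners:
                s.on_collision()  # no ACK: everyone involved doubles CW and redraws
    return {
        "per_station": [s.successes / rounds for s in stations],
        "collisions": collisions,
        "discards": sum(s.discards for s in stations),
    }


def mean_success_by_ac(result, acs):
    """Average success fraction per Access Category, e.g. to compare voice against best effort."""
    totals = {}
    for ac, frac in zip(acs, result["per_station"]):
        totals.setdefault(ac, []).append(frac)
    return {ac: sum(v) / len(v) for ac, v in totals.items()}


if __name__ == "__main__":
    for n in (1, 5, 10, 25, 50, 100):
        r = simulate(["best_effort"] * n)
        share = 100 * sum(r["per_station"]) / n
        print(f"{n:3d} clients: each delivers in {share:6.2f}% of cycles, {r['collisions']} collisions")
    mix = ["voice"] * 5 + ["best_effort"] * 5
    print(mean_success_by_ac(simulate(mix), mix))
```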
QoS Profiles
• QoS profiles limit the maximum IP DSCP allowed on a CAPWAP tunnel, limiting the 802.11 UP value
• QoS profiles may be used and applied to each WLAN (SSID)
• For enterprise class and mixed-use WLANs, use the Platinum profile
• For hotspots, use Silver or Bronze

QoS Fastlane
Cisco – Apple Partnership
• Apple devices and Cisco network identify each other and confirm capabilities
• Administrators can provision Apple iOS devices with a QoS profile
  • Applications in whitelist get QoS marking
  • All other applications are marked BE
  • Without a profile, all applications are whitelisted by default
• On a non-Cisco network QoS Profile is not considered
• Applications can only mark 802.1p/802.11e UP and not IP DSCP
(figure: device and network each announce “I support Fastlane”; example profile: Minecraft = BE, Cisco Spark = Voice)

Secure Fast Roaming
Challenges
• Client channel scanning and AP selection
• Re-authentication of client device and re-keying

Secure Fast Roaming
Cisco Compatible Extensions
• Client channel scanning and AP selection
  • Improved via Cisco Compatible Extensions (CCX) Neighbour Lists
• Re-authentication of client device and re-keying
  • Cisco Centralised Key Management (CCKM)
  • In controlled test environments, CCKM roam times measure 5-8ms
  • Available in CCX enabled clients

Secure Fast Roaming
802.11k/v/r and Wi-Fi Agile Multiband
• Client channel scanning and AP selection
  • 802.11v BSS Transition
  • 802.11k Neighbour Lists
• Re-authentication of client device and re-keying
  • 802.11r based on CCKM
  • Available in Wi-Fi Agile Multiband certified clients
  • Due to changes to 802.11 management frames, older client drivers may not understand the 11r response frame

802.11r Fast Transition
(figure: the Over the DS and Over the Air transition exchanges)

Roaming Performance
(figure: roam time with No QoS, No 802.11r/k/v compared with QoS, 802.11r/k/v)
Time indicates interval between last packet on previous AP, and first packet on next AP

Adaptive 802.11r
Cisco – Apple Partnership
• Legacy devices without explicit support for 802.11r cannot connect to SSIDs with Fast Transition enabled
• Apple devices and Cisco network identify each other and confirm capabilities
• Adaptive 802.11r is enabled specifically for iOS devices
• Legacy devices successfully join the same SSID without 802.11r enabled for them

Management Frame Protection
• Infrastructure Management Frame Protection
  • Detection
• Client Management Frame Protection
  • Prevention
(figure: Enterprise Network with MFP Protected access points and clients)

Management Frame Protection
802.11w Protected Management Frames
• Unicast Management Frames
  • Confidentiality and Integrity Protection
• Multicast Management Frames
  • Integrity Protection
(figure: Enterprise Network with 802.11w Protected clients)

802.11w Protected Management Frames
Security Association Teardown Protection
(figure, first case: a Reassociation Request arrives for a client that is already associated and 802.11w Protected; the AP answers with a Reassociation Response “Reject: Try again later” carrying a Comeback Timer and sends a Protected SA Query Request; no answer arrives and the SA Query Timeout expires, so the next Reassociation Request is accepted and an Association Response is sent)
(figure, second case: the same “Reject: Try again later” and Protected SA Query Request, but the client answers with a Protected SA Query Response, so the Reassociation Request is ignored)

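The two SA Query outcomes on these slides, modelled on the AP side as an added example (not Cisco code). The status code is the 802.11 “rejected temporarily, try again later” value; the timeout and retry intervals and the station address are assumed values for the demo.

```python
"""802.11w Security Association (SA) Query handling on an AP (added example, not Cisco code).

An unprotected (Re)Association Request for a client that already holds a protected
association must not tear that association down. The AP answers "try again later",
sends a protected SA Query Request and only admits the new association if the
existing client fails to answer before the SA Query timeout.
"""
from dataclasses import dataclass, field

STATUS_SUCCESS = 0
STATUS_REJECTED_TEMPORARILY = 30  # 802.11 status code: rejected temporarily, try again later
SA_QUERY_TIMEOUT_MS = 1000        # assumed value for dot11AssociationSAQueryMaximumTimeout
SA_QUERY_RETRY_MS = 200           # assumed value for dot11AssociationSAQueryRetryTimeout


@dataclass
class SaQuery:
    transaction_id: int
    started_ms: int
    last_sent_ms: int
    answered: bool = False


@dataclass
class PmfAp:
    associated: dict = field(default_factory=dict)  # mac -> True if the association is 802.11w protected
    queries: dict = field(default_factory=dict)     # mac -> pending SaQuery
    sent: list = field(default_factory=list)        # frames the AP transmitted, for inspection
    next_tid: int = 1

    def admit(self, mac, pmf):
        self.associated[mac] = pmf
        self.sent.append(("AssocResponse", mac, STATUS_SUCCESS))
        return STATUS_SUCCESS

    def tick(self, now_ms):
        """Retransmit unanswered SA Query Requests; drop SAs whose query timed out."""
        for mac, q in list(self.queries.items()):
            if q.answered:
                continue
            if now_ms - q.started_ms >= SA_QUERY_TIMEOUT_MS:
                del self.queries[mac]
                del self.associated[mac]  # nobody defended the old SA: it is gone
            elif now_ms - q.last_sent_ms >= SA_QUERY_RETRY_MS:
                q.last_sent_ms = now_ms
                self.sent.append(("SAQueryRequest", mac, q.transaction_id))

    def on_assoc_request(self, mac, now_ms, pmf=True):
        """Handle an unprotected Association/Reassociation Request from `mac`.
        Returns the status code sent, or None when the request is ignored."""
        self.tick(now_ms)
        if not self.associated.get(mac):
            return self.admit(mac, pmf)  # new client, or a non-PMF association: normal path
        q = self.queries.get(mac)
        if q is None:
            q = SaQuery(self.next_tid, now_ms, now_ms)
            self.next_tid += 1
            self.queries[mac] = q
            self.sent.append(("AssocResponse", mac, STATUS_REJECTED_TEMPORARILY, SA_QUERY_TIMEOUT_MS))
            self.sent.append(("SAQueryRequest", mac, q.transaction_id))
            return STATUS_REJECTED_TEMPORARILY
        if q.answered:
            del self.queries[mac]  # the real client proved it is alive: ignore the request
            return None
        return STATUS_REJECTED_TEMPORARILY  # query still running: come back later

    def on_sa_query_response(self, mac, transaction_id, protected):
        """Only a protected response with the matching transaction id counts."""
        q = self.queries.get(mac)
        if q is None or not protected or q.transaction_id != transaction_id:
            return False
        q.answered = True
        return True


CLIENT = "aa:bb:cc:00:00:01"  # constructed station address


def scenario_forged_request():
    """Client is associated with PMF; a reassociation arrives in its name; the real client answers the query."""
    ap = PmfAp()
    ap.admit(CLIENT, pmf=True)
    first = ap.on_assoc_request(CLIENT, now_ms=0)
    tid = [f for f in ap.sent if f[0] == "SAQueryRequest"][-1][2]
    unprotected_ok = ap.on_sa_query_response(CLIENT, tid, protected=False)  # discarded
    real_ok = ap.on_sa_query_response(CLIENT, tid, protected=True)
    second = ap.on_assoc_request(CLIENT, now_ms=300)
    return first, unprotected_ok, real_ok, second, CLIENT in ap.associated


def scenario_client_lost_state():
    """The same client really rebooted: it never answers the SA Query, so after the timeout it is re-admitted."""
    ap = PmfAp()
    ap.admit(CLIENT, pmf=True)
    first = ap.on_assoc_request(CLIENT, now_ms=0)
    retried = ap.on_assoc_request(CLIENT, now_ms=500)
    final = ap.on_assoc_request(CLIENT, now_ms=1000)
    requests_sent = sum(1 for f in ap.sent if f[0] == "SAQueryRequest")
    return first, retried, final, requests_sent
```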
WPA Personal
Pre-Shared Key
• Offline Attack
  • Dictionary
  • Rainbow Table
• Strong Passwords Matter
• PTK = SHA(PSK + ANonce + SNonce + AP MAC + STA MAC)
(figure: client and AP both hold the PSK as the PMK; the Four-Way Handshake exchanges ANonce and SNonce, both sides derive the PTK, the GTK is delivered and an ACK closes the exchange, after which AES encryption is used; the Wireless LAN Controller and Identity Services Engine are shown with their CAPWAP and RADIUS links)

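The key derivation written on the Encryption and WPA Personal slides as PTK = SHA(PMK + ANonce + SNonce + AP MAC + STA MAC), spelled out with the actual PBKDF2 and PRF constructions from IEEE 802.11. This is an added example, not the deck's code; the passphrase, SSID, MAC addresses, nonces and the simplified EAPOL message layout are constructed for the demo.

```python
"""WPA2 key derivation (added example, not from the Cisco deck).

PSK -> PMK, then PMK + ANonce + SNonce + both MACs -> PTK, then the MIC that
protects the four-way handshake messages. Only the passphrase is secret: the
SSID, MACs and nonces are all sent in the clear, which is why a captured
handshake can be checked offline against a dictionary and why the deck says
strong passwords matter.
"""
import hashlib
import hmac
import os


def psk_to_pmk(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP, 48 bytes split into KCK (MIC key), KEK (GTK wrapping key) and TK (data key).
    The min/max ordering makes AP and station compute the same key regardless of argument order."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, frame_with_zero_mic):
    """Key MIC for EAPOL-Key descriptor version 2 (AES-CCMP): HMAC-SHA1 truncated to 16 bytes,
    computed over the frame with the MIC field set to zero."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def verify_mic(kck, frame, mic_offset):
    """AP-side check of handshake message 2: recompute the MIC over a copy with the MIC field zeroed."""
    zeroed = frame[:mic_offset] + bytes(16) + frame[mic_offset + 16:]
    return hmac.compare_digest(eapol_mic(kck, zeroed), frame[mic_offset:mic_offset + 16])


def handshake_demo(passphrase="constructed-demo-passphrase", ssid="blizzard", rng=os.urandom):
    """Constructed four-way handshake between an AP and a station; MACs and nonces are made up."""
    aa = bytes.fromhex("001122334455")   # AP BSSID (constructed)
    spa = bytes.fromhex("66778899aabb")  # station MAC (constructed)
    anonce, snonce = rng(32), rng(32)
    pmk = psk_to_pmk(passphrase, ssid)
    # Message 1 carried ANonce; each side now derives the PTK on its own, in its own argument order.
    ptk_sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    ptk_ap = derive_ptk(pmk, spa, aa, snonce, anonce)
    # Message 2 carries SNonce and a MIC. Constructed, simplified layout: 2-byte header, SNonce, 16-byte MIC.
    mic_offset = 2 + 32
    body = b"\x02\x03" + snonce + bytes(16)
    msg2 = body[:mic_offset] + eapol_mic(ptk_sta["kck"], body)
    # A station holding the wrong passphrase derives a different KCK, so its MIC would not verify.
    wrong_kck = derive_ptk(psk_to_pmk("wrong-passphrase", ssid), aa, spa, anonce, snonce)["kck"]
    return {
        "same_ptk": ptk_sta == ptk_ap,
        "mic_ok": verify_mic(ptk_ap["kck"], msg2, mic_offset),
        "wrong_psk_mic_ok": verify_mic(wrong_kck, msg2, mic_offset),
    }


if __name__ == "__main__":
    print(handshake_demo())
```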
WPA3 and Enhanced Open
• Unify the Wi-Fi Alliance security efforts
  • To be part of 802.11ax certification
  • Provide a solid technology foundation for the future of Wi-Fi security
• Continuous Evolution of Security
  • Decrease complexity and use of legacy security protocols
  • Eliminate the mix and match error prone patchwork of security protocols that consumers are expected to understand
  • Provide them with the most secure options
  • Remove transition modes that compromise security
• Negative testing
  • Ensure that bad acting AP/STA are identified early
• Mandatory Features
  • Security Improvements
    • Handle the unexpected
  • Protected Management Frames
    • Enabled by default
  • Simultaneous Authentication of Equals (SAE)
    • PSK replacement / Offline attack resistance
  • KRACK Testing
    • Mandatory for STAs
    • Conditional mandatory for 11r/ai APs
• Optional Features
  • Suite B
    • Quantum computer resistant encryption
  • Device Provisioning Protocol (DPP)
    • Setup for devices with no UI / IoT
• Wi-Fi Certified Enhanced Open
  • Opportunistic Wireless Encryption (OWE)
    • Encryption for Open SSIDs

Agenda
Cisco Wireless Design Options
• Product Portfolio Overview
  • Controllers
  • Access Points
  • Management Tools
  • Wireless Services
• Design Concepts
  • AP Groups / RF Groups / Flex Groups
  • RADIUS AAA Override
  • New C9800 Design Concepts
• Deployment Modes
  • Centralised (incl HA)
  • Flex
  • ME
  • SDA (+C9800)
  • Meraki (position vs on-prem)
• High Availability
  • 1:1, N+1, RRM
  • SMUs, Rolling AP Upgrades

Cisco Unified Wireless Principles
(figure: Wireless LAN Controllers, Aironet Access Point, Cisco Prime or DNA Center, and MSE/CMX (Cisco DNA Spaces) connected through the Campus Network)

Cisco WLAN Product Portfolio Overview
Wireless LAN Controllers

Cisco WLAN Controller Key Functions
Centralized control of Access Points
• Traditional AireOS & recently released IOS-XE based devices (Catalyst 9800 series)
• Provides a central management point for Access Points in an Enterprise Network, using CAPWAP protocol
  • Which SSIDs to broadcast/hide
  • What level of security to apply (e.g. 802.1X, MAB, WebAuth)
• Performs central software upgrade for APs
• Manages Radio Frequency (RF) dynamically
  • Radio Resource Management (RRM) – TPC etc.
• Manages association and authentication of wireless clients
• Manages client roaming events
• Autonomous Mode APs no longer supported (802.11ac APs onwards)

CAPWAP (RFC 5415)
• CAPWAP: Control and Provisioning of Wireless Access Points is used between APs and WLAN controller and is based on LWAPP, over IPv4 or IPv6
• CAPWAP carries control and data traffic between AP and WLC
  • Control plane is DTLS encrypted
  • Data plane is DTLS encrypted (optional)
• CAPWAP is not supported on Layer 2 mode deployment

Intent Based Infrastructure - Wireless LAN Controller Portfolio (AireOS)
Multiple Deployment options & SD-Access Wireless Ready
(figure: platforms arranged from Branch Deployment to Campus Deployment, SD-Access Wireless Ready, scaling from up to 100 APs through up to 150, 3000 and 6000 APs)
• Mobility Express: 100 APs, 2000 Clients
• Cisco 3504: 150 APs, 3000 Clients, 4 Gbps
• Cisco 5520: 1500 APs, 20,000 Clients, 20 Gbps
• Cisco vWLC: 3000 APs, 32000 Clients, Flexconnect mode
• Cisco 8540: 6000 APs, 64,000 clients, 40 Gbps
https://www.cisco.com/c/en/us/products/wireless/wireless-lan-controller/compare-wireless-lan-controllers.html

WLC3504 Series Wireless LAN Controller
Industry’s first Wireless LAN Controller with Multigigabit Ethernet
Compact (1 RU) | mGig ready | Dedicated RP/SP ports | HA SSO | Side by Side rack mount
Access Points: 150 in Centralized mode
Clients: 3000 in Centralized mode
Throughput: 4Gbps
HA Support: Dedicated RP for HA SSO
Service Support: Dedicated SP
Form factor: Side by Side Primary/HA rack mount (1 RU)
I/O interface: mGig + 4x1GE, USB; Console: RJ45, mini USB
Access Points: Powerful enough to handle 802.11ac Wave 2 traffic loads; up to 150 AP, 3000 clients, 4Gbps
Seamless Scalability: Seamless migration (configuration migration tool from 2504 and 5508); seamless WLC portfolio – feature parity across 3504 and 5520
Flexible Deployment: mGig or 4x1GE; Rack Mount, Cabinet, Desktop ready:
  • 1RU, side by side Rack Mount
  • Quiet fanless for cabinet, desktop (up to 30C ambient)
  • 10” depth to fit nicely in cabinet
HA Support: Pairing with stateful switchover

5520 Wireless LAN Controller
Access Points: 1,500
Clients: 20,000
Deployment Modes: Centralized, FlexConnect and Mesh
Form Factor: 1 RU
IO Interface: Dual 1G or 10G ports with LAG
Power: AC w/Optional Redundant Power Supply
Redundancy: Solid State Drives
Product Warranty: 3 years
HA Resiliency
• HA Pair – Stateful Switchover
• Fast Restart – Enhanced Uptime
• No Moving Parts – Solid State Drives
• HW Redundancy – PS, Fans
• Ease of maintenance – PS, Fans, SSD
Integrated Services
• AVC, Bonjour
• Policy Classification
• Security
Return on Investment
• Simplified Licensing (RTU and Smart Licensing) with ability to scale
• License portability (3504 to 5520 & 8540)
• Simplified (WLAN Express)
• IRCM and Guest Anchor with IOS WLC

8540 Wireless LAN Controller
Access Points: 6,000
Clients: 64,000
Deployment Modes: Centralized, FlexConnect and Mesh
Form Factor: 2 RU
IO Interface: Four port 1G or 10G with LAG
Power Options: AC or DC
Redundancy: Dual Power supply and Solid State Drive with RAID
Product Warranty: 3 years
HA Resiliency
• HA Pair – Stateful Switchover
• Fast Restart – Enhanced Uptime
• No Moving Parts – Solid State Drives
• HW Redundancy – PS, Fans
• Ease of maintenance – PS, Fans, SSD
Return on Investment
• Simplified Licensing (RTU and Smart Licensing) with ability to scale
• License portability (3504 to 5520 & 8540)
• Simplified (WLAN Express)
• IRCM and Guest Anchor with IOS WLC
Integrated Services
• AVC, Bonjour
• Policy Classification
• Security

Catalyst 9800 Wireless Controller Portfolio (IOS-XE)
Multiple Deployment options & SD-Access Wireless Ready
(figure: platforms arranged from Branch Deployment to Campus Deployment, SD-Access Wireless Ready, scaling from up to 200 APs through up to 1000, 3000 and 6000 APs)
• SD Access Embedded Wireless C9800-SW on Catalyst 9300: 200 APs, 4000 Clients
• Cisco Catalyst 9800-CL: 1000 APs, 1000 Clients, Flex Connect Mode
• Cisco Catalyst 9800-80: 6000 APs, 64,000 clients, 80 Gbps
• Cisco Catalyst 9800-40: 2000 APs, 32,000 Clients, 40 Gbps
• Cisco Catalyst 9800-CL: 3000 APs, 32000 Clients
• Cisco Catalyst 9800-CL: 6000 APs, 64000 Clients, Flex Connect Mode
• Cisco Catalyst 9800-CL: 1000 APs, 10000 Clients
• Hosting platforms shown for the C9800-CL: ESXi, NFVIS on ENCS, ESXi

Catalyst Wireless Controllers
Building on rich AireOS controller history
(figure: Catalyst 9800 Series Wireless Controllers build on AireOS Wireless Controllers and add the following)
• Support for public cloud
• Open & Programmable
• ETA
• 3rd Party integration
• Rolling AP Upgrades
• Patching
• AP Pack
• Higher Scale
• Higher Performance
*GCP EFT Only

C9800-40: industry’s first fixed wireless controller with seamless software updates
(figure: chassis with 4 x 1GE/10GE Ports, SP/RP Port, Fiber RP Port, USB 3.0 and Console)
• Up to 2,000 APs
• Up to 32,000 Clients
• 40 Gbps
• Fully programmable multi-core network processor
• Support for Netflow, AVC and ETA

Evolution of Wireless Controllers
Enterprise Campus and Full-Service Branch
5520
• 1500 APs, 20000 Clients
• 1500 AP Groups
Catalyst 9800-40
• 2000 APs, 24000 Clients
• 40 Gbps Throughput
• 4096 VLANs, 100 VLAN Groups
• 48000 PMK Cache
• 4096 WLANs
• 8000 Rogue APs, 12000 Rogue Clients
• 24000 RFIDs
• 4000 APs/RRM Group
• 300000 AVC Flows
• 2000 Policy Tags
• 2000 Site Tags
• 100 Flex APs/Site

C9800-80: industry’s first modular wireless controller with 100GE modular uplink
(figure: chassis with Redundant Power Supply (AC or DC), SP/RP Port, Fiber RP Port, 8 x 10 GE Uplinks, Modular Uplinks (GE, 10GE, 40GE, 100GE) and USB 3.0)
• Up to 6,000 APs
• Up to 64,000 Clients
• 80 Gbps
• Fully programmable multi-core network processor
• Support for Netflow, AVC and ETA

Evolution of Wireless Controllers
Enterprise Campus and Full-Service Branch
8540
• 6000 APs, 64000 Clients
• 6000 AP Groups
Catalyst 9800-80
• 6000 APs, 64000 Clients
• 80 Gbps Throughput
• 4096 VLANs, 4096 Interface Groups
• 128000 PMK Cache
• 4096 WLANs
• 24000 Rogue APs, 32000 Rogue Clients
• 64000 RFIDs
• 12000 APs/RRM Group
• 800000 AVC Flows
• 6000 Policy Tags
• 6000 Site Tags
• 100 Flex APs/Site
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Catalyst 9800 for Private and Public cloud
Catalyst 9800 for Private Cloud
• Scale to 6,000 APs and 64,000 Clients^
• Centralized, FlexConnect, Fabric
• Open and Programmable
Catalyst 9800 for Public Cloud
• Scale to 1,000 APs and 10,000 Clients
• FlexConnect Local Switching
• Open and Programmable
^Centralized support for 6000 APs in future
140
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Campus
Private Cloud overview
Customer value prop:
o “Deploy wireless controller where you want it, how you want it”
o No AP mode or feature limitation vs. appliance
Support
o VMware ESXi, KVM and ENCS
o Wave 2 and Wave 1 APs only
o All deployments and all AP modes
o Centrally switched traffic (E/D)
• Internal or External antenna model (I/E)
• Internal directional antenna model (D)
• SFP
• Flexible Antenna Ports
• CleanAir and ClientLink
• Centralized, FlexConnect, Mesh and
Mobility Express
• IP67 rated
• 802.11ac Wave 1
• 4x4:3 80 MHz; 1.3 Gbps
• External antenna model (EAC)
• Cable Modem model (IC/EC)
• SFP/GPS
• PoE Out 802.3at (Ext Ant. only)
• Flexible Antenna Ports
• CleanAir and ClientLink
• Modularity (Ext Ant. only)
• Centralized, FlexConnect and Mesh
• Cable Modem Version Only (IC/EC)
• DOCSIS 3.0, 24x8
• Internal or External antenna
• IP67 rated
• 802.11ac Wave 2, MU-MIMO
• 2x2:2, 80MHz, 867 Mbps
• Ultra low profile
• Internal antenna only
• PoE (802.3af) power
• Centralized, FlexConnect, Mesh and
Mobility Express
• IP67 rated
New*
Cisco DNA Ready | RF Excellence | CMX
802.11ac Wave 2
Industry’s Most Comprehensive Outdoor AP
Portfolio
150
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Aironet 1800S Active Sensor AP as a Sensor *
(1800/2800/3800/4800)
Aironet Sensors
Test Your Network Anywhere at Any time at Real-world Client Level
• 2x2 with 2 spatial streams
• Multiple powering options
- PoE Power
- USB Type “C” power
- Direct AC Power Plug
• Integrated BLE
• Ultra compact form factor
Purpose-built Hardware for Analytics
Can be configured as a dedicated Sensor when “AP as a Sensor” is configured
Automatically converted to Sensor or AP by Cisco DNAC
SLA Dashboard
Onboarding &
Services Tests
Configure Tests
Remotely
Global Issue
Creation
Dynamic Sensor
Test Trigger
*AP2800/3800/4800 w/ 8.5MR4 or 8.8MR1
151
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Cisco Wireless Access Point highlights
High density redefined
Dual 5 GHz Flexible Radios increase capacity by 200% to onboard more users and things automatically
Zero-impact Intelligent Capture to resolve network issues instantly
Probes the network and provides Cisco DNA Center with deep analysis, resolving issues in minutes rather than days
Purpose-built hardware for analytics & performance
Drives location, telemetry, CleanAir, ClientLink, HDX and AVC with no impact on client-serving performance, plus future-proof expandability via the USB and module ports
152
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Client Link 4.0
• ClientLink uses multiple transmit antennas to focus transmissions in the direction of the client
• In mixed-client networks it optimizes overall network capacity by helping ensure that 802.11a/n and 802.11ac clients operate at the best possible rates, especially when they are near cell boundaries
• Client agnostic, since the multiple-antenna design works for all clients
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps11983/at_a_glance_c45-691984.pdf
153
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
CleanAir
• Provides continual, system-wide discovery without performance impact
• Accurately identifies source, location, and scope of interference
• Takes automatic action to avoid current and future interference, with full history reporting
• Cisco AP 28/38/4800 provide complete visibility over the 160 MHz 11ac spectrum
Figure: 802.11ac 160 MHz Spectrum (40 MHz, 80 MHz, 160 MHz channel widths)
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Flexible Radio Assignment (FRA)
Figure: radio role pairs – 5GHz Serving + 2.4GHz Serving; Wireless Security Monitor + 5GHz Serving; 5GHz Serving + 5GHz Serving
• Dual 5GHz Support, both radios serving clients on 5GHz
• Maximum over the air data rate up to 5.2Gbps
• Wireless Security Monitoring
• Scan both 2.4GHz and 5GHz for security threats
• Serve clients on 5GHz
• Default operating mode
• Serve clients on both 2.4GHz and 5GHz
155
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
World’s Smartest Access Point
Cisco Aironet 4800 AP with Intelligent Capture
Users assume the wireless
network is the problem
72 hours
to minutes
Average amount of time to resolve
user issue with Aironet 4800
Hours
Minutes
63%
Industry Leading Hyperlocation
Intent based Automation & Assurance Platform
Cisco DNA Center
Policy
Provision
Design
Assurance
Physical and Virtual Infrastructure
Cisco & 3rd Party
Cisco DNA Center Appliance
Intent based Platform
• Single pane of glass for all devices
• End-to-end health info in real time
• Granular visibility
• Simplified workflows
Automation for Provisioning
• Zero-touch deployment
• Device Lifecycle Management
• Policy enforcement
Analytics for Assurance
• Verify intent of network settings
• Proactively resolve issues
• Reduce time spent troubleshooting
Platform for Extensibility
• Integrate APIs with 3rd party solutions
• Integrate and customize ServiceNow
• Evolve operational tools and processes
164
Cisco WLAN Product
Portfolio Overview
Additional Services
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Cisco CMX (aka Cisco DNA Spaces)
ANALYTICS
DATA
WLC (Virtual/Physical)
CMX (Virtual/Physical)
Access Points
Analytics UI
Depending on Application
Layer
Use CMX API to enhance
3rd Party Application or
App
Real-time
Notifications
Pull Data
REST API
166
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Cisco DNA-CMX Integration Feature
• Accessible via [DESIGN][Network Hierarchy]
• Displays the locations of all connected clients
Display Connected Client Health Score
Client Detail
Client Location Playback
Client Location, Client Density heatmap
Any change to a floor map is automatically synced to the CMX map, and vice versa
167
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Client Provisioning
• MDM
• Monitoring & Troubleshooting
• SIEM Integration
• Device Admin / TACACS+
Identity Based Networking - Cisco Identity Services Engine (ISE)
Figure: ACS, NAC Profiler, NAC Guest Server, NAC Manager, NAC Server, Identity Services Engine
168
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
IDENTITY PROFILING
Securing the client: Client Context and Policies
Figure: Wireless LAN Controller and Access Point at HQ (2:38pm); ISE (Unified Access Management) profiling feeds: DHCP, RADIUS, SNMP, NETFLOW, HTTP, DNS
Flow shown in the diagram:
• 802.1X EAP Machine/User Authentication
• Profiling to identify device (Personal asset / Company asset)
• Posture of the device
• Policy Decision
• Control and Enforcement: dACL, VLAN, SGA
• Full or partial access granted (Corporate Resources / Internet Only)
169
Design Concepts
Mobility Groups
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Scaling the Architecture with Mobility Groups
• Mobility Group allows controllers to peer with each other to support seamless roaming across controller boundaries
• APs learn the IPs of the other members of the mobility group after the CAPWAP Join process
• Support for up to 24 controllers, 24000 APs per mobility group
• Mobility messages exchanged between controllers
• Data tunneled between controllers in EtherIP (RFC 3378)
Ethernet in IP Tunnel
Mobility Messages
Controller-C
MAC: AA:AA:AA:AA:AA:03
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:
Controller-A, AA:AA:AA:AA:AA:01
Controller-B, AA:AA:AA:AA:AA:02
Controller-A
MAC: AA:AA:AA:AA:AA:01
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:
Controller-B, AA:AA:AA:AA:AA:02
Controller-C, AA:AA:AA:AA:AA:03
Controller-B
MAC: AA:AA:AA:AA:AA:02
Mobility Group Name: MyMobilityGroup
Mobility Group Neighbors:
Controller-A, AA:AA:AA:AA:AA:01
Controller-C, AA:AA:AA:AA:AA:03
config mobility secure-mode enable encrypts the mobility messages between controllers
172
AP Groups
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Understanding AP Groups
• An AP Group is a logical grouping of APs that deliver similar Wi-Fi services; the grouping can be:
• By physical location, and/or
• By functional services (data, voice, guest, …)
• The same AP groups must be defined on all WLCs of a mobility group
Overview
Remote Site A Remote Site B
Central Site
WAN
AP Group 1
AP Group 2
AP Group 3
Flex WLC
Scaling              8540   5520   9800-40   9800-80   3504
# AP Groups          6000   1500   2000*     6000*     150
# WLAN (SSID)        512    512    4096      4096      64
# VLAN (Interfaces)  4096   4096   4096      4096      64
174
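The two rules on the slides above (every controller in a mobility group lists every other member, and the same AP groups exist on every WLC of the group) are the kind of thing a deployment review can check mechanically. The following is an added example, not code from the deck or from Cisco: it models the three controllers from the mobility group slide with the names, MACs and group name shown there; the AP group names, the secure_mode flag (standing for the state of config mobility secure-mode enable) and the configuration drift on Controller-C are constructed.

```python
"""Consistency check for a mobility group and its AP groups.

Added example, not from the deck. Controller names, MACs and the group
name are the ones on the slide; AP group names, the secure_mode flag and
the configuration drift on Controller-C are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Wlc:
    name: str
    mac: str
    mobility_group: str
    neighbors: Dict[str, str]   # peer controller name -> MAC, as listed on this WLC
    ap_groups: Set[str]
    secure_mode: bool = False   # state of "config mobility secure-mode enable"


def check_mobility_group(wlcs: List[Wlc]) -> List[str]:
    """Return findings; an empty list means the group is consistent."""
    findings: List[str] = []
    by_name = {w.name: w for w in wlcs}

    group_names = {w.mobility_group for w in wlcs}
    if len(group_names) > 1:
        findings.append(f"mobility group name mismatch: {sorted(group_names)}")

    for w in wlcs:
        # Every other member must appear as a neighbor with the right MAC.
        for other in wlcs:
            if other is w:
                continue
            mac = w.neighbors.get(other.name)
            if mac is None:
                findings.append(f"{w.name}: missing neighbor {other.name}")
            elif mac.lower() != other.mac.lower():
                findings.append(f"{w.name}: wrong MAC for {other.name} ({mac} != {other.mac})")
        # No peer may be configured that is not a member of the group.
        for peer in w.neighbors:
            if peer not in by_name:
                findings.append(f"{w.name}: unknown neighbor {peer}")
        # Mobility messages should be encrypted on every member.
        if not w.secure_mode:
            findings.append(f"{w.name}: mobility secure-mode disabled (mobility messages unencrypted)")

    # Slide rule: the same AP groups must be defined on all WLCs of the group.
    expected = set().union(*(w.ap_groups for w in wlcs)) if wlcs else set()
    for w in wlcs:
        missing = expected - w.ap_groups
        if missing:
            findings.append(f"{w.name}: AP groups not defined: {sorted(missing)}")
    return findings


def sample_controllers() -> List[Wlc]:
    """The three controllers from the slide, with constructed AP groups and drift."""
    macs = {
        "Controller-A": "AA:AA:AA:AA:AA:01",
        "Controller-B": "AA:AA:AA:AA:AA:02",
        "Controller-C": "AA:AA:AA:AA:AA:03",
    }

    def peers(me: str) -> Dict[str, str]:
        return {n: m for n, m in macs.items() if n != me}

    all_groups = {"AP Group 1", "AP Group 2", "AP Group 3"}
    return [
        Wlc("Controller-A", macs["Controller-A"], "MyMobilityGroup", peers("Controller-A"), set(all_groups), True),
        Wlc("Controller-B", macs["Controller-B"], "MyMobilityGroup", peers("Controller-B"), set(all_groups), True),
        # Constructed drift: AP Group 3 was never created here and secure mode is off.
        Wlc("Controller-C", macs["Controller-C"], "MyMobilityGroup", peers("Controller-C"), {"AP Group 1", "AP Group 2"}, False),
    ]


if __name__ == "__main__":
    for line in check_mobility_group(sample_controllers()):
        print(line)
```

Running it against the sample reports only Controller-C: secure mode off and AP Group 3 undefined. The neighbor check is deliberately two-sided (every member must list every other member, and nothing outside the group may be listed), because a one-sided peering is exactly the kind of drift that surfaces as roaming failures rather than as an error in any single controller's configuration.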
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
AP Groups Usage
WAN
Central Site
Store Site
Manufacturing Site
AP Group 2
AP Group 3
AP Group 1
Corporate-Voice
Guest-Access
Corporate-Data
Guest-Access
Corporate-Data
@ Internet
Scanners
AP groups give the ability to enable Wi-Fi Services (WLAN) based on physical location
Central Site: Corporate-Voice, Corporate-Data, Guest-Access
Manufacturing Site: Corporate-Voice, Corporate-Data, Scanners
Store: Corporate-Data, Guest-Access
Per Location SSID
175
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
AP Groups Usage
• AP groups give the ability to statically map a Wi-Fi service (WLAN) to a VLAN based on physical location
• Users see the same Wi-Fi service on all sites
• Admins can monitor and filter based on the different IP addressing at each site
• Can also be used to create smaller Wi-Fi subnets, for example per-floor subnets in a building
Corporate-Data
Corporate-Data
Corporate-Data
VLAN-1
VLAN-2
VLAN-3
Manufacturing Site
Store
Central Site
WAN/MAN
AP Group 1
Head Office
AP Group 2
AP Group 3
Per AP Group SSID to VLAN
Mapping
176
FlexConnect Groups
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Understanding FlexConnect Groups
FlexConnect Group 1
Remote Site Remote Site
WAN
Central Site
FlexConnect Group 2
Flex 8500
ClusterOverview
FlexConnect groups allow sharing of:
• CCKM/OKC fast roaming keys
• Local/backup RADIUS servers IP/keys
• Local EAP authentication
• AAA-Override for Local Switching
• Smart Image Upgrade
• FlexConnect AVC
Scaling              7500/8500   5520   vWLC (high VM)   vWLC (low VM)   5508   3504
FlexConnect Groups   2000        1500   1500             100             100    100
AP per Group         100         100    100              100             25     100
178
RF Profiles
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
RF management may require using RF Profiles
• RF Profiles allow the administrator to tune groups of APs sharing a common coverage zone together
• APs in Auditorium
• APs in Hallways
• APs in Outdoor Areas
• RF Profile – providing administrative control over:
• 802.11 data rates
• TPC power threshold and min/max power settings
• DCA
• Coverage hole algorithm settings
• High Density – HDX configurations: Rx-SOP, Client Limit, Mcast data rate
• Client Distribution
More granular control of the RF network
180
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
RF Profiles – Granular Control
Load Balancing
Data Rates
High Density
181
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
RF Profiles – Creation/Configuration GUI
Coverage Hole
Transmit Power Control
• Select, if required, the minimum and/or maximum TPC settings: the minimum or maximum power that the APs this profile is assigned to will be allowed to use
Dynamic Channel Assignment
• Select Channel Width
• Select available channels list (RF profile channels are derived from the global DCA setting)
• “BEST” Auto Channel Width: RRM auto-selects a channel width of 20/40/80/160
182
RADIUS AAA Override
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2002
Override settings in Identity-based networks
• Can be used to consolidate WLANs while separating clients with different security requirements into subnetworks
• The AAA-Override feature allows per-user settings or attributes to be assigned
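The ISE flow earlier in this section (profile and posture feed a policy decision, which is enforced as dACL/VLAN/SGA) and AAA-Override here meet in the RADIUS Access-Accept: the policy server returns attributes, and the WLC replaces the WLAN's static settings per client. The block below is an added example, not code from the deck or from Cisco or ISE. It encodes the standard VLAN-assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, per RFC 2868 and RFC 3580) plus Filter-Id for an ACL name, then applies them the way an override-enabled WLC would, falling back to the WLAN's mapped VLAN when the attributes are inconsistent or out of range. The policy in decide(), the VLAN numbers and the ACL names are constructed; carrying the ACL in Filter-Id is a simplification, since Cisco platforms normally deliver downloadable ACLs through vendor-specific attributes.

```python
"""AAA-Override as RADIUS attributes: build what a policy server returns and
apply it the way a WLC does.

Added example, not from the deck or from Cisco/ISE. The policy in decide(),
the VLAN numbers and the ACL names are constructed. The ACL name is carried
in the standard Filter-Id attribute as a stand-in; Cisco platforms usually
carry downloadable ACLs in vendor-specific attributes instead.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard attribute numbers and values (RFC 2865, RFC 2868, RFC 3580).
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Decision:
    label: str                 # outcome, named as on the slide
    vlan: int                  # VLAN that overrides the WLAN's mapped VLAN
    acl_name: Optional[str]    # per-user ACL name, None for no ACL


def decide(company_asset: bool, posture_compliant: bool) -> Decision:
    """Constructed policy decision: company asset + compliant posture gets
    Corporate Resources, anything else is Internet Only."""
    if company_asset and posture_compliant:
        return Decision("Corporate Resources", 10, "PERMIT-CORP")
    return Decision("Internet Only", 20, "INTERNET-ONLY")


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type: int, tag: int, value: str) -> bytes:
    """RFC 2868 tagged string: 1-byte tag followed by the string."""
    return avp(attr_type, bytes([tag]) + value.encode())


def encode_override(d: Decision, tag: int = 1) -> bytes:
    """Attributes a RADIUS server puts in Access-Accept to assign VLAN and ACL."""
    out = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
           + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
           + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(d.vlan)))
    if d.acl_name:
        out += avp(FILTER_ID, d.acl_name.encode())
    return out


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs, rejecting truncated or malformed lengths."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def strip_tag(value: bytes) -> bytes:
    """RFC 2868: a first octet of 0x00-0x1F is the tag field (0x00 = untagged);
    anything above 0x1F is the first octet of the data itself."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def apply_override(data: bytes, wlan_vlan: int) -> Dict[str, object]:
    """What a WLC with AAA-Override does with the returned attributes: the VLAN
    from Tunnel-Private-Group-ID replaces the WLAN's mapped VLAN and Filter-Id
    names the per-user ACL. Inconsistent attributes leave the WLAN's own VLAN."""
    effective: Dict[str, object] = {"vlan": wlan_vlan, "acl": None}
    tunnel_type = medium = None
    group_id = None
    for attr_type, value in decode_attrs(data):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(strip_tag(value), "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(strip_tag(value), "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group_id = strip_tag(value).decode(errors="replace")
        elif attr_type == FILTER_ID:
            effective["acl"] = value.decode(errors="replace")
    # Honour the VLAN only if all three tunnel attributes say "802 VLAN" and the
    # ID is a valid VLAN number; otherwise keep the WLAN's mapped VLAN.
    if (tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802
            and group_id is not None and group_id.isdigit()
            and 1 <= int(group_id) <= 4094):
        effective["vlan"] = int(group_id)
    return effective
```

The WLC side is where the security decision actually lands: if the override is accepted, the client's VLAN and ACL now come from the AAA server, so the checks in apply_override (all three tunnel attributes present and consistent, VLAN ID in range, malformed attribute lengths rejected) are what stop a broken or unexpected Access-Accept from dropping a client into an unintended segment.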