CLLE FL 092014
Local Edition
Cisco On-Premise Wireless Update
Robert Palmer, Consulting Systems Engineer
© 2014 Cisco and/or its affiliates. All rights reserved. Presentation_ID, Cisco Public, Local Edition
Network Level HA: comparison of deployment models

Autonomous
• Traffic: standalone APs
• Target positioning: small wireless network
• Purchase decision: wireless only
• High availability: can only claim AP quality; no RF HA; no network layer HA; no services
• Key considerations: limited features; upgradable to controller based

FlexConnect
• Traffic: distributed at AP
• Target positioning: branch
• Purchase decision: wireless only
• High availability: full RF HA; client SSO when local switching
• Key considerations: branch with WAN BW and latency requirements

Centralized
• Traffic: centralized at controller
• Target positioning: campus
• Purchase decision: wireless only
• High availability: most complete solution
• Key considerations: full features

Converged Access
• Traffic: distributed at switch
• Target positioning: branch and campus
• Purchase decision: wired and wireless
• High availability: exploits HA in IOS switches
• Key considerations: Catalyst 3650/3850 in the access layer
Local Edition
Network Infrastructure HA – Centralized Mode
Centralized Mode HA

N+1 Redundancy (Deterministic/Stateless HA, a.k.a. primary/secondary/tertiary)
• Requirements: each controller has to be configured separately
• Benefits: available on all controllers; crosses L3 boundaries; flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)

AP SSO (SSID stateful switchover)
• Requirements: release 7.3 and 7.4; WLC: 5508, WiSM2, 7500, 8510; direct physical connection; same HW and SW; 1:1 box redundancy
• Benefits: AP state is synched; no SSID downtime; HA-SKU available (> 7.4)

Client SSO
• Requirements: minimum release 7.6; WLC: 5508, WiSM2, 7500, 8510; L2 connection; same HW and software; 1:1 box redundancy
• Benefits: active client state is synched; AP state is synched; no application downtime; HA-SKU available

Diagram axis label: Network Uptime (increasing from N+1 to Client SSO)
N+1 Redundancy
• Administrator statically assigns APs a primary, secondary, and/or tertiary controller
– Assigned from controller interface (per AP) or Prime Infrastructure (template-based)
– You need to specify name and IP if WLCs are not in the same Mobility Group
• Pros:
– Support for L3 network between WLCs
– Flexible redundancy design options (1:1, N:1, N:N:1)
– WLCs can be of different HW and SW
– Predictability: easier operational management
– Faster failover times configurable
– “Fallback” option in the case of failover
• Cons:
– Stateless redundancy
– More upfront planning and configuration
Diagram: three controllers (WLAN-Controller-A, WLAN-Controller-B, WLAN-Controller-C) and three AP groups configured as
– Primary: WLAN-Controller-1, Secondary: WLAN-Controller-2, Tertiary: WLAN-Controller-3
– Primary: WLAN-Controller-2, Secondary: WLAN-Controller-3, Tertiary: WLAN-Controller-1
– Primary: WLAN-Controller-3, Secondary: WLAN-Controller-2, Tertiary: WLAN-Controller-1
N+1 Redundancy: Global Backup Controllers
• Backup controllers are configured for all APs under Wireless > High Availability
• Used if there are no primary/secondary/tertiary WLCs configured on the AP
• The backup controllers are added to the primary discovery request message recipient list of the AP.
AP Failover: AP Primary Discovery Request Timer
• The access point maintains a list of backup controllers and periodically sends primary discovery requests to each entry on the list.
• Configure a primary discovery request timer to specify the amount of time that a controller has to respond to the discovery request.
AP Failover: Fast Heartbeat
• AP sends HA heartbeat packets, by default every 1 sec
• Fast heartbeats reduce the amount of time it takes to detect a controller failure
• When the fast heartbeat timer expires, the AP sends fast echo requests to the WLC, 3 times
• If there is no response, the primary is considered dead and the AP selects an available controller from its “backup controller” list in the order of primary, secondary, tertiary, primary backup controller, and secondary backup controller.
• Fast heartbeat is only supported for Local and Flex mode
AP Failover: AP Failover Priority
• Assign priorities to APs: Critical, High, Medium, Low
• Critical priority APs get precedence over all other APs when joining a controller
• In a failover situation, a higher priority AP will be allowed in ahead of all other APs
• If the controller is full, existing lower priority APs will be dropped to accommodate higher priority APs
Diagram: an AP with priority Critical fails over to a full controller; an AP with priority Medium that was already joined is dropped to make room.
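The controller-selection order (primary, secondary, tertiary, then the global backup controllers) and the priority-based preemption on a full controller, written out as a small simulation. This is an added example, not Cisco code: the Controller and AccessPoint classes, the controller names, the capacities and the AP records are all constructed for illustration, and "full" simply means the constructed max_aps count is reached.

```python
"""Simulation of AireOS N+1 controller selection and AP failover priority.

Added example, not Cisco code: the Controller/AccessPoint classes, the
controller names and the capacities are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Higher value wins when a full controller has to choose which AP to keep.
PRIORITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Controller:
    name: str
    max_aps: int                       # constructed platform / licence limit
    alive: bool = True                 # False = no answer to discovery or heartbeats
    joined: dict[str, str] = field(default_factory=dict)   # AP name -> priority

    def admit(self, ap: str, priority: str) -> tuple[bool, str | None]:
        """Join an AP. If the controller is full, drop the lowest-priority AP
        already joined, but only when the newcomer outranks it.
        Returns (joined, name_of_evicted_ap_or_None)."""
        if ap in self.joined:
            return True, None
        if len(self.joined) < self.max_aps:
            self.joined[ap] = priority
            return True, None
        victim, victim_prio = min(self.joined.items(), key=lambda kv: PRIORITY[kv[1]])
        if PRIORITY[priority] > PRIORITY[victim_prio]:
            del self.joined[victim]
            self.joined[ap] = priority
            return True, victim
        return False, None


@dataclass
class AccessPoint:
    name: str
    priority: str = "low"
    primary: str | None = None      # per-AP primary/secondary/tertiary WLC names
    secondary: str | None = None
    tertiary: str | None = None


def candidate_order(ap: AccessPoint,
                    global_backup: tuple[str | None, str | None] = (None, None)) -> list[str]:
    """Order in which the AP tries controllers: primary, secondary, tertiary,
    then the global primary and secondary backup controllers that are
    configured under Wireless > High Availability."""
    order: list[str] = []
    for name in (ap.primary, ap.secondary, ap.tertiary, *global_backup):
        if name and name not in order:
            order.append(name)
    return order


def select_controller(ap: AccessPoint, controllers: dict[str, Controller],
                      global_backup: tuple[str | None, str | None] = (None, None)
                      ) -> tuple[str | None, str | None]:
    """Walk the candidate list and join the first live controller that admits
    the AP. Returns (controller_name, evicted_ap); (None, None) if nowhere to go."""
    for name in candidate_order(ap, global_backup):
        wlc = controllers.get(name)
        if wlc is None or not wlc.alive:
            continue                   # like an unanswered primary discovery request
        joined, evicted = wlc.admit(ap.name, ap.priority)
        if joined:
            return name, evicted
    return None, None


if __name__ == "__main__":
    wlcs = {"WLC-1": Controller("WLC-1", 2), "WLC-2": Controller("WLC-2", 1)}
    crit = AccessPoint("ap-crit", "critical", primary="WLC-1", secondary="WLC-2")
    med = AccessPoint("ap-med", "medium", primary="WLC-1", secondary="WLC-2")
    print(select_controller(med, wlcs), select_controller(crit, wlcs))
    wlcs["WLC-1"].alive = False
    print(select_controller(med, wlcs), select_controller(crit, wlcs))
```

The point the simulation makes explicit is the one the slide hints at: once the secondary controller is over-subscribed, a Medium-priority AP that has already failed over can still be displaced by a Critical one, and if it has no tertiary or global backup it ends up with no controller at all. Sizing the backup WLC (or using the HA-SKU) avoids relying on priorities to decide which sites go dark.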
N+1 Redundancy: Best Practices
• Most common design is N+1 with a redundant WLC in a geographically separate location
• Configure high availability parameters to detect failure and faster failover (min 30 sec)
• Use AP priority in case of over subscription of the redundant WLC, or
• Use HA SKU, available for 5508, 7500, 8500 and 2500 (from 7.5) controllers
Diagram: WLAN-Controller-1 through WLAN-Controller-n at the sites, with WLC-BKP in the NOC or data center; the APs at each site are configured with Primary: WLAN-Controller-1 (respectively -2, -n) and Secondary: WLC-BKP.
For more info: http://www.cisco.com/en/US/docs/wireless/technology/hi_avail/N1_HA_Overview.html or http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/qa_c67-714540.html
N+1 Redundancy: HA-SKU
• No need to purchase licenses on the backup WLC. When the backup takes over, a 90-day counter is started
• HA-SKU controller needs to be configured normally as you would do with the secondary controller (no auto synch)
• Supported on 5508, WiSM2, Flex7500, 8510 and 2504
• The HA-SKU provides the capability of the maximum number of APs supported on that hardware
• From 7.6 you can add licenses to the HA SKU and use it as Active controller
Diagram: primary controller WiSM-2 (license count 500, 400 APs connected) and primary controller 2504 (license count 50, 25 APs connected), each backed by a secondary AIR-CT5508-HA-K9 (max AP support: 500 APs); no licenses needed on the secondary.
Local Edition
Centralized Mode: Stateful Switchover
Stateful Switchover (SSO)
• True box-to-box high availability, i.e. 1:1
– One WLC in Active state and the second WLC in Hot Standby state
– Secondary continuously monitors the health of the Active WLC via a dedicated link
• Configuration on Active is synched to the Standby WLC
– This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
– AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
– Active client state in 7.6 and 8.0: client will not disconnect – Client SSO
• Downtime during failover reduced to 5 - 1000 msec depending on the failover
– In the case of power failure on the Active WLC it may take 350-500 msec
– In case of network failover it can take up to a few seconds
• SSO is supported on 5500 / 7500 / 8500 and WiSM-2 WLC
For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html
Client SSO failover sequence (diagram)
1. Redundancy role negotiation: one WLC becomes ACTIVE, the other STANDBY
2. Redundancy link established (over dedicated Redundancy Port)
3. AP join (CAPWAP) and client associate on the Active
4. AP and client info sync to the Standby
5. Keep-alive failure / notify peer
6. GARP from the new Active through the switch
7. AP session intact (does not re-establish CAPWAP); client session intact (does not re-associate)
CLIENT SSO: effective downtime for the client is detection time + switchover time
Stateful Switchover (SSO): Redundancy Management Interface
• Redundancy Management Interface (RMI)
– To check gateway reachability, sending ICMP packets every 1 sec
– To verify peer reachability via the network once the Active does not respond to keepalives on the Redundant Port
– Notification to standby in event of box failure or manual reset
– Communication with Syslog, NTP, TFTP server for uploading configurations
– Should be in the same subnet as the Management Interface
Stateful Switchover (SSO): Redundancy Port
• Redundancy Port (RP):
– To check peer reachability, sending UDP keep alive messages every 100 msec
– Notification to standby in event of box failure
– Configuration synch from Active to Standby (bulk and incremental config)
– Auto generated IP address where the last 2 octets are picked from the last 2 octets of the Redundancy Management Interface (first 2 octets are always 169.254)
– If NTP is not configured, manual time synch is done from Active to Standby
Stateful Switchover (SSO): Configuration
• Before configuring HA, management interfaces on both WLCs must be on the same subnet
• Mandatory configuration for HA setup:
– Redundant Management IP Address
– Peer Redundant Management IP Address
– Redundancy Mode set to SSO enable (7.3 and 7.4 would show AP SSO)
– Primary/Secondary configuration – required if the peer WLC’s UDI is not HA SKU
– The Primary HA must have valid AP licenses
– A unit can be secondary if it has at least 50 AP permanent licenses
• Optional configuration:
– Service Port Peer IP
– Mobility MAC Address
– Keep Alive and Peer Search Timer
• All can be configured on the same page
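A pre-check that applies the constraints listed on this slide and the RMI/RP slides before a pair is rebooted into SSO: same hardware and software on both boxes, management interfaces in one subnet, each RMI inside that subnet, the auto-generated 169.254.x.y Redundancy Port addresses not colliding, AP licenses on the primary, and at least 50 permanent AP licenses on a secondary that is not an HA-SKU. This is an added example, not Cisco code: the Wlc record and its field names are my own, and the model, version and address values are constructed placeholders.

```python
"""Pre-check of the mandatory AireOS SSO pairing settings listed on the slides.

Added example, not Cisco code. The Wlc record and its field names (model,
version, mgmt_ip, mgmt_mask, rmi_ip, sso_enabled, ha_sku, ap_licenses) are
my own; values used in the demo are constructed placeholders.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Wlc:
    name: str
    model: str           # hardware type, must match the peer
    version: str         # software version, must match the peer
    mgmt_ip: str
    mgmt_mask: str
    rmi_ip: str          # Redundant Management IP address
    sso_enabled: bool = True
    ha_sku: bool = False
    ap_licenses: int = 0  # permanent AP-count licenses installed


def mgmt_network(w: Wlc) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{w.mgmt_ip}/{w.mgmt_mask}", strict=False)


def redundancy_port_ip(rmi_ip: str) -> str:
    """Auto-generated RP address: first two octets are always 169.254, the
    last two are copied from the Redundancy Management Interface address."""
    _, _, c, d = rmi_ip.split(".")
    return f"169.254.{c}.{d}"


def precheck_pair(primary: Wlc, secondary: Wlc) -> list[str]:
    """Return a list of findings; an empty list means the pair satisfies the
    checks described on the slides."""
    findings: list[str] = []
    if primary.model != secondary.model:
        findings.append("hardware mismatch: pairing needs the same type of hardware")
    if primary.version != secondary.version:
        findings.append("software mismatch: pairing needs the same software version")
    if mgmt_network(primary) != mgmt_network(secondary):
        findings.append("management interfaces are not on the same subnet")
    for w in (primary, secondary):
        net = mgmt_network(w)
        if ipaddress.IPv4Address(w.rmi_ip) not in net:
            findings.append(f"{w.name}: RMI {w.rmi_ip} is not in the management subnet {net}")
        if not w.sso_enabled:
            findings.append(f"{w.name}: redundancy mode is not set to SSO")
    if redundancy_port_ip(primary.rmi_ip) == redundancy_port_ip(secondary.rmi_ip):
        findings.append("both WLCs derive the same Redundancy Port address from their RMI")
    if primary.ap_licenses <= 0:
        findings.append("primary must have valid AP licenses")
    if not secondary.ha_sku and secondary.ap_licenses < 50:
        findings.append("secondary without HA-SKU needs at least 50 permanent AP licenses")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values, not a real deployment.
    a = Wlc("WLC-A", "5508", "7.6", "10.10.10.5", "255.255.255.0", "10.10.10.6", ap_licenses=500)
    b = Wlc("WLC-B", "5508", "7.6", "10.10.10.7", "255.255.255.0", "10.10.10.8", ha_sku=True)
    print(precheck_pair(a, b) or "pair looks consistent", redundancy_port_ip(a.rmi_ip))
```

Running the check against the two inventory records before enabling HA catches the mismatches that otherwise only surface as an XML mismatch or a Standby stuck in Maintenance Mode after the reboot.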
Stateful Switchover (SSO): HA Pairing
• Pairing is possible only between the same type of hardware and software version.
• Reboot of the WLC is required after HA is enabled. Pairing happens when the WLC is booting.
• WLC looks for the peer (120 sec), the role is determined, configuration is synched from the Active WLC to the Standby WLC via the Redundant Port.
• Initially, the WLC configured as Secondary will report XML mismatch and will download the configuration from Active and reboot again
• During the second reboot, after role determination, the Secondary WLC will validate the configuration again, report no XML mismatch, and process further in order to establish itself as the Standby WLC
• While config is synching from Active to Standby WLC or the Standby WLC is booting, no config operation is possible on the Active WLC.
• Active and Standby election is not an automated process:
– Active/Standby WLC is decided based on HA SKU. HA SKU is always the Standby
– If no HA SKU is present, Active/Standby is configurable
• No configuration is possible on the Standby WLC once paired
Stateful Switchover (SSO): Configuration validation
Main command is “show redundancy summary”
Stateful Switchover (SSO): Connectivity to the boxes
• Only Console and Service Port are available to connect to the Standby WLC
• TFTP, NTP and Syslog traffic use the Redundant Management Interface on the Standby WLC
• Telnet / SSH / SNMP / Web access is not available on the Management and Dynamic interfaces on the Standby WLC
• When SSO is enabled, there is no SNMP/GUI access on the service port for both the WLCs in the HA setup
Stateful Switchover (SSO): Maintenance Mode
• Standby WLC may transition to Maintenance Mode if
– Gateway not reachable via the Redundant Management Interface
– Software mismatch
– WLC with HA SKU has never discovered its peer
– Redundant Port is down
• In Maintenance Mode the same rules to connect to the standby box apply
• WLC should be rebooted to bring it out of Maintenance Mode
– From 7.6 it will recover automatically after the network converges again
Stateful Switchover (SSO): Design & Deployment considerations
How shall I connect the HA Controllers?
• 5500/7500/8500 have dedicated Redundancy Ports
– Direct connection supported in 7.3 and 7.4
– L2 connection supported in 7.6 and above
• WiSM-2 has a dedicated Redundancy VLAN
– Redundancy VLAN should be a non-routable VLAN, meaning a Layer 3 interface should not be created for this VLAN
– WiSM-2 can be deployed in single chassis OR multiple chassis
– WiSM-2 in multiple chassis needs to use VSS (7.3, 7.4)
– WiSM-2 in multiple chassis can be L2 connected in 7.5 and above
• Requirements for L2 connection: RTT latency: < 80 ms; bandwidth: > 60 Mbps; MTU: 1500
Diagram: Active Controller (RP 1) and Hot Stand-by Controller (RP 2) connected through an L2 network (7.5)
Stateful Switchover (SSO): Design & Deployment considerations
• HA pairing is possible only between the same type of hardware and software versions
• Physical connection between Redundant Ports should be done first, before HA configuration
• Keepalive and Peer Discovery timers should be left at default values for better performance
• Internal DHCP is not supported when HA configuration is enabled
• Location, Rogue information, Device and root certificates are not auto synched
• When HA is disabled on Active it will be pushed to Standby and after reboot all the ports will come up on Active and will be disabled on Standby
• SSO and MESH APs: only RAPs are supported from 7.5; for MAPs the state is not synched
• In Service Software Upgrade (ISSU) is not supported: plan for downtime when upgrading software
Stateful Switchover (SSO): Design & Deployment considerations specific to 7.6 (client SSO)
• ONLY clients in RUN state are maintained during failover
– Transient list is deleted
– Clients in transitions like roaming, dot1x key regeneration, webauth logout, etc. are disassociated
– Posture and NAC OOB are not supported, since the client is not in RUN state
• Some clients and related information are not synced between Active and Standby
– CCX based apps need to be re-started post switch-over
– Client statistics are not synced
– PMIPv6, NBAR, SIP static CAC tree are not synced, need to be re-learned after SSO
– WGB and clients associated to it are not synced
– Passive clients are not synced
Stateful Switchover (SSO): Integration with N+1 deployments
• Hybrid design: SSO HA can work together with N+1 failover
• SSO pair can act as the Primary Controller and be deployed with Secondary and Tertiary
• On failure of both Active and Standby WLC in the SSO setup, APs will fall back to the secondary and further to the configured tertiary controller
• Useful to reduce downtime for SSO pair software upgrade
Stateful Switchover (SSO): Licensing
• HA pair with HA-SKU license on one WLC:
– HA-SKU is a new SKU with a zero AP-count license
– The device with HA-SKU becomes Standby the first time it pairs up
– AP-count license info will be pushed from Active to Standby
– In the event of Active failure, HA-SKU will let APs join with the AP-count obtained and will start a 90-day count-down. The granularity of the count-down is in days.
– After 90 days, the HA-SKU WLC starts nagging messages but won’t disconnect connected APs
– When a new WLC comes up with the HA SKU, at the time of pairing the Standby will get the AP count:
• If the new WLC has a higher AP count than the previous one, the 90-day counter is reset.
• If the new WLC has a lower AP count than the previous one, the 90-day counter is not reset.
– Elapsed time and AP-count are remembered on reboot
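The HA-SKU licence rules above form a small state machine (AP count pushed at pairing, 90-day countdown started on takeover, nagging but no AP disconnect after expiry, counter reset only when a new peer brings a higher AP count, state kept across reboots). The following is an added example that encodes those rules so they can be checked against a scenario; it is not Cisco code, the class and method names are mine, and the day counts are passed in explicitly instead of being read from a clock.

```python
"""State model of the HA-SKU AP-count licence behaviour described on the slide.

Added example, not Cisco code; the class and method names are mine and the
elapsed days are advanced explicitly so the logic can be exercised offline.
"""
from __future__ import annotations
from dataclasses import dataclass

GRACE_DAYS = 90   # the 90-day count-down started when the HA-SKU takes over


@dataclass
class HaSkuLicense:
    ap_count: int = 0             # AP-count pushed from the Active at pairing time
    countdown_started: bool = False
    elapsed_days: int = 0         # remembered across reboots

    def pair_with(self, active_ap_count: int) -> None:
        """Pairing: the Standby receives the Active's AP count. The counter is
        reset only when the new peer brings a higher count than before."""
        if active_ap_count > self.ap_count:
            self.elapsed_days = 0
            self.countdown_started = False
        self.ap_count = active_ap_count

    def active_failed(self) -> int:
        """The Active fails: the HA-SKU lets APs join up to ap_count and the
        90-day count-down starts (granularity: days). Returns the AP limit."""
        self.countdown_started = True
        return self.ap_count

    def advance_days(self, days: int) -> None:
        if self.countdown_started:
            self.elapsed_days += days

    def status(self) -> dict:
        expired = self.countdown_started and self.elapsed_days >= GRACE_DAYS
        days_left = max(GRACE_DAYS - self.elapsed_days, 0) if self.countdown_started else GRACE_DAYS
        return {
            "ap_count": self.ap_count,
            "days_left": days_left,
            "nagging": expired,           # warning messages after 90 days
            "aps_disconnected": False,    # APs are never dropped for this reason
        }

    def reboot(self) -> HaSkuLicense:
        """Elapsed time and AP-count survive a reboot."""
        return HaSkuLicense(self.ap_count, self.countdown_started, self.elapsed_days)


if __name__ == "__main__":
    lic = HaSkuLicense()
    lic.pair_with(500)
    lic.active_failed()
    lic.advance_days(100)
    print(lic.status())
```

The operational consequence worth noting: because a lower-count peer does not reset the counter, swapping a failed 500-AP Active for a smaller replacement does not buy a fresh 90 days on the HA-SKU box.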
Stateful Switchover (SSO): Phases
Phase 1: AP SSO (7.3)
• Active – Standby 1:1 redundancy
• Both WLCs share the IP address of the management interface
• Bulk and incremental config sync
• APs do not go into Discovery state when the Active WLC fails
• Supported on 5500 / 7500 / 8500 and WiSM-2 WLC
• Downtime 5 - 1000 msec in case of box failover, ~3 seconds in case of network issues
Phase 2: Client SSO (7.5)
• Client database is synced to the Standby
– Client information is synced when the client moves to RUN state
– Client re-association is avoided on switch over
• Fully authenticated clients (RUN state) are synced to the peer
• Effective service downtime = detection time + switch over time (network recovery/convergence)
Phase 3: Improvements (8.0)
• Auto-recovery from maintenance mode once Peer-RP and default gateway reachability is restored
• SSO support for internal DHCP server
• SSO support for sleeping clients
• SSO support for OEAP 600
• CAC method bandwidth allocation parameters for both voice & video and call statistics synced to the Standby
• GW reachability check mechanism enhanced to avoid false positives
• Peer RMI ICMP ping replaced with UDP messages
• Faster HA pair-up
• Active – Standby can be geographically separated over L2 VLAN/Fiber
Cisco’s Application Visibility and Control: Identify, Analyze, and Optimize Application Traffic
Cisco WLAN AVC and Prime Assurance provide unparalleled visibility and control.
BEFORE: application view and control based on L4 firewall sessions (first generation firewall): visibility to the port level interaction but not to the applications running within the port (diagram: HTTP = 75%, SMTP = 15%, SNMP = 3%, FTP = 2%, Telnet = 1%).
AFTER: Network Based Application Recognition (NBAR2) deep packet inspection and application ID on the Wireless LAN Controller, giving improved visibility and control. The NBAR2 library classifies traffic (deep packet inspection) as Real Time, Interactive, Non-Real Time or Background, and policy can mark or drop packets. View, control and troubleshoot the end-user application experience.
AVC – 7.4 (Phase 1)
• Application classification and control of 1039 applications with the NBAR2 engine
• Support of 16 AVC profiles with 32 rules per profile
• One AVC profile supported per WLAN; the same profile supported on multiple WLANs
• AVC profile mapped to a WLAN has a rule for MARK or DROP action
• Graphical presentation on the controller of all classified applications
• One NetFlow exporter and monitor can be configured on the WLC
• AVC NetFlow monitoring on PI with PAM license
AVC – 7.5 (Phase 2)
• Protocol Pack 4.1 support in AVC phase 2
• Additional application support – total of 1056
• Protocol Pack dynamic load to update application support
AVC – 8.0 (Phase 3)
• Protocol Pack 9.0
• NBAR engine rel 3.1
• AAA AVC profile over-ride for clients
• AVC per application, per client based rate limiting on WLAN
• Integration of AVC profiles into the Local Policy classification per user and per device
• AVC directional QoS DSCP marking for upstream and downstream traffic
• Support for 1088 applications
AAA AVC Profile Override for Clients
• In release 8.0, the AAA AVC profile override per client lets clients obtain different AVC profiles even though they are connected to the same WLAN.
• The AAA attribute for a client or for a user profile can be configured on AAA servers, e.g. Open Radius/Cisco ACS/ISE.
• The AAA attribute is defined as a generic Cisco “AV-Pair” and can be defined as a string and value pair in AAA.
• The AAA AVC profile is defined as a Cisco AV-Pair. The string is defined as “avc-profile-name”. This has to be configured for any AVC profile existing on the WLC.
• Prior to release 8.0 the AVC profile is configured on a WLAN and all clients connected to that WLAN inherit the same AVC profile.
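The resolution rule in the bullets above (WLAN profile by default; a returned avc-profile-name AV-pair overrides it, provided that profile exists on the WLC), written as a small resolver that also shows the pre-8.0 behaviour. This is an added example, not Cisco code: the RADIUS attribute tuples, the profile names and the wlc_profiles set are constructed, and treating an AV-pair that names a profile missing from the WLC as "fall back to the WLAN profile" is my assumption (the slide only says the named profile must exist on the WLC).

```python
"""Resolve which AVC profile a client receives, following the AAA-override rule.

Added example, not Cisco code. RADIUS attributes are modelled as (name, value)
tuples; the fallback to the WLAN profile for an unknown avc-profile-name is an
assumption, as is the attribute name "Cisco-AVPair".
"""
from __future__ import annotations


def parse_av_pairs(attributes: list[tuple[str, str]]) -> dict[str, str]:
    """Collect Cisco AV-pairs ("key=value" strings) from a RADIUS attribute list.
    The attribute name is matched loosely (Cisco-AVPair / Cisco-av-pair)."""
    pairs: dict[str, str] = {}
    for name, value in attributes:
        if name.lower().replace("-", "") != "ciscoavpair":
            continue
        key, sep, val = value.partition("=")
        if sep:
            pairs[key.strip()] = val.strip()
    return pairs


def resolve_avc_profile(wlan_profile: str | None,
                        radius_attributes: list[tuple[str, str]],
                        wlc_profiles: set[str],
                        release_8_0: bool = True) -> tuple[str | None, str]:
    """Return (effective_profile, reason).

    Before 8.0 every client on the WLAN inherits wlan_profile. From 8.0 an
    avc-profile-name AV-pair wins when it names a profile configured on the WLC.
    """
    if not release_8_0:
        return wlan_profile, "pre-8.0: WLAN profile applies to all clients"
    override = parse_av_pairs(radius_attributes).get("avc-profile-name")
    if override is None:
        return wlan_profile, "WLAN default (no avc-profile-name AV-pair)"
    if override in wlc_profiles:
        return override, "AAA override"
    return wlan_profile, f"AAA override ignored: profile {override!r} not configured on WLC"


if __name__ == "__main__":
    # Constructed sample: a student authenticating on the classroom WLAN.
    attrs = [("Cisco-AVPair", "avc-profile-name=student-AVC"), ("Cisco-AVPair", "role=student")]
    print(resolve_avc_profile("ClassroomAVC", attrs, {"student-AVC", "teacher-AVC"}))
    print(parse_av_pairs(attrs))
```

Keeping the "reason" string alongside the result makes a mismatch between what AAA returned and what the WLC actually applied visible in logs, which is what the `show client detail` check later on the page verifies from the other side.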
Diagram: AAA override example. Teacher and Student both connect to SSID “Classroom” (Security: WPA2/802.1x) through the same AP, switch and WLC. PI/AAA returns Cisco-av-pair=avc-profile-name=<avc profile on wlc> and Cisco-av-pair=role=<role name> to the WLC; the application labels shown per role (YouTube, Facebook, Skype, bittorrent) differ between teacher and student.
AAA profile enables different users/clients to obtain different mDNS/AVC profiles even though they are connected to the same SSID, which is tied to the same VLAN.
If you have several traffic types to target: use Application Visibility and Control
• Internal application recognition engine based on NBAR
• More than 1000 applications recognized, including Netflix, Skype, Lync audio, Lync video, viber, ventrilo, etc.
Application Visibility and Control
• With AVC, you can create rules to mark untagged applications (but also to permit or deny some application traffic!):
1. Create a new policy (Wireless > AVC > AVC Profiles > New)
2. Add rules, including what application to recognize, and what to do with it
3. Apply your policy to the WLAN
4. Watch your traffic
• Marking application traffic will help prioritization between AP and WLC, and from AP to the cell
AVC configuration for AAA override: Example – Teacher, Student
(WLC) >show client detail 18:20:32:bd:52:b7
Client MAC Address............................... 18:20:32:bd:52:b7
Client Username ................................. student1
Client State..................................... Associated
Client User Group................................ student
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
Wireless LAN Network Name (SSID)................. ClassroomAVC
Wireless LAN Profile Name........................ ClassroomAVC
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Audit Session ID................................. 0a0a0a0500000061533434e9
AAA Role Type.................................... student
Local Policy Applied............................. None
AVC Profile Name: ............................... student-AVC
CLI AVC client configuration: show client detail
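A parser for the `show client detail` output reproduced above, with a check that turns it into a pass/fail verification: the AAA role and the AVC profile are the ones expected for that user, and the client is in RUN state (the earlier SSO slide notes that only RUN-state clients survive a client-SSO switchover). This is an added example, not Cisco code; SAMPLE_OUTPUT is the slide's own output, and the expected role and profile passed to check_client() are my constructed inputs.

```python
"""Parse AireOS 'show client detail' output and verify the AAA AVC override.

Added example, not Cisco code. SAMPLE_OUTPUT is copied from the slide; the
expected values handed to check_client() are constructed for the demo.
"""
import re

SAMPLE_OUTPUT = """\
(WLC) >show client detail 18:20:32:bd:52:b7
Client MAC Address............................... 18:20:32:bd:52:b7
Client Username ................................. student1
Client State..................................... Associated
Client User Group................................ student
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
Wireless LAN Network Name (SSID)................. ClassroomAVC
Wireless LAN Profile Name........................ ClassroomAVC
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Audit Session ID................................. 0a0a0a0500000061533434e9
AAA Role Type.................................... student
Local Policy Applied............................. None
AVC Profile Name: ............................... student-AVC
"""

# "<label>[:]<dots> <value>"; the AVC line carries a stray ':' before its dots.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ()]+?)\s*:?\s*\.{2,}\s*(?P<value>.*)$")


def parse_show_client_detail(text: str) -> dict:
    """Return {label: value} for every dotted line; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def check_client(fields: dict, expected_role: str, expected_profile: str) -> list:
    """Return a list of findings; an empty list means the override applied as intended."""
    findings = []
    role = fields.get("AAA Role Type")
    if role != expected_role:
        findings.append(f"role is {role!r}, expected {expected_role!r}")
    profile = fields.get("AVC Profile Name")
    if profile != expected_profile:
        findings.append(f"AVC profile is {profile!r}, expected {expected_profile!r}")
    if fields.get("Policy Manager State") != "RUN":
        findings.append("client not in RUN state: it would be dropped on a client-SSO switchover")
    return findings


if __name__ == "__main__":
    parsed = parse_show_client_detail(SAMPLE_OUTPUT)
    print(parsed["AVC Profile Name"], check_client(parsed, "student", "student-AVC"))
```

Because the parser keys on the dotted layout rather than on fixed column offsets, the same function handles the other `show ... detail` screens on AireOS that use this style, and an unexpected profile (for example a teacher role paired with the student profile) surfaces as a finding instead of being missed in a wall of text.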
AVC Profile Applied on the WLAN
(WLC-IPv6) >show avc profile detailed <Profile Name>
Granular Policy for AVC – Use Cases: User and Device specific Application Policies
ROLE BASED APPLICATION POLICY
• Alice (Nurse) and Bob (IT Admin) are both employees in a hospital
• Both Alice and Bob are connected to the same SSID
• Bob can access certain applications (e.g. YouTube), Alice cannot
ROLE BASED + DEVICE TYPE APPLICATION POLICY
• Alice can access EMR info on an IT provisioned Windows laptop
• Alice cannot access EMR info on her personal iPad
ROLE BASED + DEVICE TYPE + APPLICATION SPECIFIC POLICY
• Alice has limited access (rate limit) to Skype on her iPhone and limited download (directional) for Bittorrent
Client Profiling
• ISE offers a rich set of BYOD features: e.g. device identification, onboarding, posture and policy
• For customers who do not deploy ISE but still require some of the ISE features directly in the WLC:
– Native profiling of identifying network end devices based on protocols like HTTP, DHCP
– Device-based policy enforcement per user or per device policy on the network
– Statistics based on per user or per device end points and policies applicable per device
Client Profiling
• WLC-based local policy consists of 2 separate elements.
– Profiling can be based on:
• Role – defining the user type or the user group the user belongs to
• Device type – e.g. Windows, OS_X, iPad, iPhone, Android, etc.
• EAP type – check what EAP method the client is getting connected with
– Action is the policy that can be enforced after profiling:
• VLAN – override the WLAN interface with a VLAN id on the WLC
• QoS level – override WLAN QoS
• ACL – override with a named ACL
• Session timeout – override the WLAN session timeout value
• Time of day – policy override based on the time of the day, else default to WLAN
• AVC and mDNS policy
Client Profiles
• When profiling is enabled, a client Device Type can be shown on the WLAN.
(Cisco Controller) >show client summary devicetype
Number of Clients................................ 3
MAC Address       AP Name          Status        Device Type
----------------- ---------------- ------------- --------------------------------
14:10:9f:ea:b8:c2 AP3600MM         Associated    OS_X-Workstation
c8:d7:19:34:7e:dd AP3600MM         Associated    Windows7-Workstation
d8:d1:cb:9a:28:f8 AP3600MM         Associated    Apple-iPhone
Security Local Policies
Match – how to identify a device
• Role
• EAP Type
• Device Type
Action – policy to enforce
• VLAN
• QoS
• Session Timeout
• Sleeping Client Timeout
• Time of Day
Bandwidth Control – per Device Type
• You can also identify connecting devices, from the WLC or through Cisco ISE, and create a policy based on what they are: how to identify that device, and what policy to apply
• Close to 100 device types on the WLC
AVC profile and Local Policy configuration
Configuring Policies
• You can then apply the policies to the WLANs, in the order you want them to be applied, up to 16 policies per WLAN: set the index, pick the policy, then click Add
• Each policy can group several devices
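The local-policy slides describe a match part (role, device type, EAP type), an action part (VLAN, QoS, ACL, session timeout, AVC/mDNS profile, optionally only during a time-of-day window) and an ordered list of up to 16 policies per WLAN. The following added example evaluates such a list for a client using the hospital use cases above (Alice the nurse on her personal iPad versus an IT-provisioned laptop). It is not Cisco code: the Match/Action/LocalPolicy classes, the policy names, the ACL name and the client records are constructed, and "first matching policy in index order wins, otherwise the WLAN defaults apply" is my reading of the slides, not a documented guarantee.

```python
"""First-match evaluation of WLC local policies as described on the slides.

Added example, not Cisco code. Policies, the ACL name and the client records
are constructed; first-match semantics in index order is my assumption.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import time

MAX_POLICIES_PER_WLAN = 16


@dataclass
class Match:
    role: str | None = None          # AAA role, e.g. "nurse"
    device_type: str | None = None   # from native profiling, e.g. "Apple-iPad"
    eap_type: str | None = None      # e.g. "PEAP"


@dataclass
class Action:
    vlan: int | None = None
    qos: str | None = None
    acl: str | None = None
    session_timeout: int | None = None
    avc_profile: str | None = None
    mdns_profile: str | None = None


@dataclass
class LocalPolicy:
    name: str
    match: Match
    action: Action
    active_from: time | None = None   # time-of-day window; None = always active
    active_to: time | None = None

    def applies(self, client: dict, now: time) -> bool:
        """Every set match attribute must equal the client's value; an unset
        attribute matches anything. A policy with a window only applies inside it."""
        for attr in ("role", "device_type", "eap_type"):
            want = getattr(self.match, attr)
            if want is not None and client.get(attr) != want:
                return False
        if self.active_from is not None and self.active_to is not None:
            if not (self.active_from <= now <= self.active_to):
                return False
        return True


def evaluate(wlan_defaults: dict, policies: list[LocalPolicy], client: dict, now: time) -> dict:
    """Return the effective settings: WLAN defaults overridden by the first
    matching policy (index order); 'matched_policy' records which one."""
    if len(policies) > MAX_POLICIES_PER_WLAN:
        raise ValueError(f"a WLAN accepts at most {MAX_POLICIES_PER_WLAN} policies")
    effective = dict(wlan_defaults)
    for policy in policies:
        if policy.applies(client, now):
            for key, value in vars(policy.action).items():
                if value is not None:
                    effective[key] = value
            effective["matched_policy"] = policy.name
            return effective
    effective["matched_policy"] = None
    return effective


# Constructed example set, modelled on the hospital use cases on the slides.
WLAN_DEFAULTS = {"vlan": 10, "qos": "silver", "acl": None, "session_timeout": 1800,
                 "avc_profile": "ClassroomAVC", "mdns_profile": "default"}
POLICIES = [
    LocalPolicy("nurse-personal-ipad", Match(role="nurse", device_type="Apple-iPad"),
                Action(acl="deny-emr", qos="bronze")),           # hypothetical ACL name
    LocalPolicy("nurse-corporate", Match(role="nurse"), Action(vlan=20)),
    LocalPolicy("after-hours", Match(), Action(vlan=99), time(19, 0), time(23, 59)),
]

if __name__ == "__main__":
    alice_ipad = {"role": "nurse", "device_type": "Apple-iPad", "eap_type": "PEAP"}
    print(evaluate(WLAN_DEFAULTS, POLICIES, alice_ipad, time(9, 0)))
```

Ordering matters exactly as the "set the index" step says: with the two nurse policies swapped, the generic nurse-corporate entry would match Alice's iPad first and the EMR-blocking ACL would never be applied, which is the kind of mistake a quick evaluation like this catches before the policy goes live.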
Deployment Challenges
• Bonjour is link local multicast (224.0.0.251) and can’t be routed
• AirPlay (Apple TV) and AirPrint supported only on a single VLAN
Diagram: an Apple TV on VLAN X advertises to 224.0.0.251; a client on VLAN Y behind the CAPWAP tunnel cannot see it.
Bonjour GW on WLC
Diagram for all four steps: AirPrint printer on VLAN 23, Apple TV on VLAN 20, iPad on VLAN 99 behind the CAPWAP tunnel.
Step 1 – Listen for Bonjour services: the Apple TV advertises “AirPlay offered” and the printer advertises “AirPrint offered” (Bonjour advertisements).
Step 2 – Cache Bonjour services on the controller. Bonjour cache: AirPlay – VLAN 20, AirPrint – VLAN 23.
Step 3 – Listen for client service queries: the iPad sends a Bonjour query “Is AirPlay offered?”.
Step 4 – Respond to client queries for Bonjour services: the controller answers “AirPlay is available on VLAN 20” (Bonjour response from controller).
Deployment Changes with Bonjour Services Phase 2
• Bonjour is link local multicast and thus forwarded on the local L2 domain
• The mDNS AP snoops Bonjour services behind the router or on VLANs that are not L2 adjacent and forwards them to the WLC in the CAPWAP tunnel.
Diagram: with an mDNS AP, Bonjour services (Apple TV and Apple services on VLAN X and VLAN Y advertising to 224.0.0.251) can be seen from any VLAN.
Bonjour Policy Example for Education
Diagram: Teacher Network and Student Network on the same WLAN.
• mDNS service instance groups: AirPrint, AirPlay, FileShare, iTunes Sharing
• Teacher service profile: AirPrint, AirPlay, FileShare
• Student service profile: AirPlay, FileShare
• Service instance lists (teacher and student) drawn from the instances Apple TV1, Apple TV2 and AirPrint
Bonjour Policy enhancements in 8.0: Location and Role filtering in release 8.0
• Bonjour policies allow creation of the mDNS service groups and of service instances within the group
• A service instance mandates how it is shared by configuring
– MAC address of the service instance
– Name of the service instance
– Location type of the service instance by AP Group, AP Name or AP Location
– Location configuration allows access to the “service instance” by client location
• Location configuration applied to wired and wireless instances of all services and printers as in Any, Same or one AP Name.
• This allows selective sharing of service instances based on the location and rule (= user-id and role) on the same WLAN
© 2014 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco PublicLocal Edition
Service Instance associated with mac address can be configured in multiple service groups Currently we support a maximum of 5 service groups for a single mac address. Service group configurations can be done even when mDNS snooping is disabled Number of Service instances per Service group is limited by the platform
supported (ie 6400 on 5508)
Location Filtering of Service instance can be limited by following attributes:
Bonjour Policy enhancements in 8.0
“any” –clients from any location can access the service subject to role and user-id credentials being allowed by the policy associated with the service group for the said mac address.
“same” - only clients from the SAME location as that of the device can access that Service Instance publishing the service can access the service.
“ap-name” – only clients associated to that AP can access the Service Instance
Bonjour Policy enhancements in 8.0
• Allows articulation of whom a “service instance” is shared with, i.e. user-id, and with which role/s it is shared, i.e. teacher or student
• With the Bonjour access policy there are now two levels of filtering of client queries:
1. At the service type level, using the mDNS profile. The mDNS profile can be user specific and be overridden with an ISE “av-pair” returned to the WLC that overrides the default profile
2. At the service instance level, using the access policy associated with each service instance
• Note: service instances which are not configured with any access policy will be mapped to the default access policy that allows configured <roles/names> to receive the service instances
1. Enable mDNS policy on the controller from GUI or CLI
Bonjour Policy Configuration
2. Create mDNS Service Group
Bonjour Policy Configuration
3. Configure Service Instances in the mDNS group, and role
Bonjour Policy Configuration
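The two-level query filtering described on the “Bonjour Policy enhancements in 8.0” slides, together with the role and location settings applied in the three configuration steps above, as an added worked model in Python. This is illustrative code written for this page, not Cisco WLC code or a Cisco API: the class names, the sample printer and Apple TV instances, the AP names, user-ids and roles are all constructed. It models level 1 (service type allowed by the client's mDNS profile, with an ISE av-pair override) and level 2 (role, user-id and the any/same/ap-name location rule of the service group's policy), plus a configuration check for the 5-service-groups-per-MAC limit. The assumption that an instance placed in several groups is visible when any of them permits it is this example's, not the deck's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MAX_GROUPS_PER_MAC = 5  # deck: a single MAC address may be in at most 5 service groups


@dataclass(frozen=True)
class ServiceInstance:
    mac: str           # MAC address of the advertising device
    name: str          # service instance name
    service_type: str  # mDNS service type, e.g. "_ipp._tcp.local."
    ap_name: str       # AP the device was learned on (its location)


@dataclass(frozen=True)
class AccessPolicy:
    roles: Set[str]                # roles allowed to receive the instance (empty = any)
    user_ids: Set[str]             # user-ids allowed (empty = any)
    location: str                  # "any", "same" or "ap-name"
    ap_name: Optional[str] = None  # used only when location == "ap-name"


@dataclass(frozen=True)
class Client:
    user_id: str
    role: str
    ap_name: str  # AP the client is associated to (its location)


@dataclass
class ServiceGroup:
    name: str
    instances: List[ServiceInstance]
    policy: AccessPolicy


def effective_profile(default: Set[str], ise_av_pair: Optional[str],
                      profiles: Dict[str, Set[str]]) -> Set[str]:
    """Level 1 input: the mDNS profile (set of allowed service types).
    An ISE av-pair naming a known profile overrides the default one."""
    if ise_av_pair is not None and ise_av_pair in profiles:
        return profiles[ise_av_pair]
    return default


def location_permits(policy: AccessPolicy, inst: ServiceInstance, client: Client) -> bool:
    if policy.location == "any":
        return True
    if policy.location == "same":       # client on the same AP as the device
        return client.ap_name == inst.ap_name
    if policy.location == "ap-name":    # client on the configured AP
        return client.ap_name == policy.ap_name
    raise ValueError(f"unknown location type: {policy.location!r}")


def policy_permits(policy: AccessPolicy, inst: ServiceInstance, client: Client) -> bool:
    """Level 2: role and user-id credentials first, then the location rule."""
    if policy.roles and client.role not in policy.roles:
        return False
    if policy.user_ids and client.user_id not in policy.user_ids:
        return False
    return location_permits(policy, inst, client)


def visible_instances(client: Client, profile: Set[str],
                      groups: List[ServiceGroup]) -> List[str]:
    """Names of the service instances returned to this client's query.
    Assumption: an instance in several groups is visible if any group permits it."""
    visible = set()
    for group in groups:
        for inst in group.instances:
            if inst.service_type not in profile:             # level 1 filter
                continue
            if policy_permits(group.policy, inst, client):   # level 2 filter
                visible.add(inst.name)
    return sorted(visible)


def over_limit_macs(groups: List[ServiceGroup]) -> List[str]:
    """Config check: MACs that appear in more than MAX_GROUPS_PER_MAC groups."""
    membership: Dict[str, Set[str]] = {}
    for group in groups:
        for inst in group.instances:
            membership.setdefault(inst.mac, set()).add(group.name)
    return sorted(m for m, g in membership.items() if len(g) > MAX_GROUPS_PER_MAC)


# Constructed sample data (not from the deck)
PRINTER = ServiceInstance("00:11:22:33:44:55", "Lab-Printer", "_ipp._tcp.local.", "AP-LAB-1")
TV = ServiceInstance("66:77:88:99:aa:bb", "Room101-TV", "_airplay._tcp.local.", "AP-101")
GROUPS = [
    ServiceGroup("lab-printing", [PRINTER],
                 AccessPolicy(roles={"teacher", "student"}, user_ids=set(), location="same")),
    ServiceGroup("teacher-airplay", [TV],
                 AccessPolicy(roles={"teacher"}, user_ids=set(), location="ap-name", ap_name="AP-101")),
]
PROFILES = {"default": {"_ipp._tcp.local.", "_airplay._tcp.local."},
            "printing-only": {"_ipp._tcp.local."}}


def demo() -> Dict[str, List[str]]:
    teacher_101 = Client("alice", "teacher", "AP-101")
    student_lab = Client("bob", "student", "AP-LAB-1")
    student_101 = Client("carol", "student", "AP-101")
    default = PROFILES["default"]
    return {
        "teacher_in_101": visible_instances(teacher_101, default, GROUPS),
        "student_in_lab": visible_instances(student_lab, default, GROUPS),
        "student_in_101": visible_instances(student_101, default, GROUPS),
        # ISE av-pair swaps the teacher's profile to printing-only: AirPlay is cut at level 1
        "teacher_in_101_ise": visible_instances(
            teacher_101, effective_profile(default, "printing-only", PROFILES), GROUPS),
    }


if __name__ == "__main__":
    print(demo())
    print("over limit:", over_limit_macs(GROUPS))
```

Running `demo()` shows the teacher on AP-101 receiving only the Apple TV, the student in the lab receiving only the lab printer, a student on AP-101 receiving nothing, and the ISE override hiding the Apple TV from the teacher before the instance policy is even consulted.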
Why High Density Wi-Fi?
• Wireless has become the preferred access technology -- and in many cases the only practical one
• The need for high density started with stadiums and auditoriums – but has reached every network
• The explosion of smart devices and increasing connection counts per seat are everywhere
• Application demands are increasing
• Even with advances - wireless is still a shared half-duplex medium and requires efficient use to succeed.
2 to 3 devices per user
What are Some Typical Challenges?
• Interference from other WiFi networks in the venue
• Interference from non-WiFi systems operating in the same band
• Co-channel interference: Many APs in the venue, but effectively no more capacity
• Clients operating at low data rates (e.g. 802.11b) pull down the performance of the network
• Clients mistakenly choose a 2.4 GHz radio (louder signal) instead of 5 GHz (less load)
• Sticky Clients: Clients mistakenly stay on the same AP, even when the person has moved from one end of the venue to the other
• Limitations on mounting assets. Hard to put APs where you want them
• Probe storms: 2.4 GHz clients probe on all 11 overlapping channels
HD Wi-Fi -- Best Practices

Solid RF Design
• Constrain RF – Directional Antennas, Down-Tilt
• Good RF Layout/Design – Channels, Tx Power
• Eliminate Interference – Rogues and Non-Wi-Fi Interference
• Minimize SSIDs

Basic Tuning
• Disable Low Data Rates – Helps with Sticky Clients, Improves capacity
• Band Steering – Push dual-band clients to 5 GHz
• RF Profiles

Advanced
• Rx-SOP Tuning – Greatly improves capacity by reducing co-channel impact; also reduces sticky clients
• Optimized Multicast Video
Cisco High Density Experience Technology: Optimized for high Client Density Networks
• CleanAir 80 MHz: Optimal performance for high throughput, high density environments. RF interference detection & mitigation optimized for 802.11ac’s wider channel bandwidths.
• ClientLink 3.0: Increase performance & range by up to 60%. Cisco patented implicit beamforming technology for 802.11ac clients, complementing Explicit BF. Also extends capabilities to 802.11a/g/n clients.
• Optimized Roaming: Intelligently assist client roaming based on configurable attributes. Right-size the Wi-Fi cell to better assist client handoff in a dense network.
• RF Turbo Performance: Support highly dense clients without performance degradation. Scale seamlessly to 60+ 802.11ac clients using interactive video and multimedia traffic with no performance degradation.
• RF Noise Reduction*: Enables higher density AP deployments to support client density and increased bandwidth. Increase spectrum usage efficiency to improve co-channel performance.
*Available post-FCS
Indoor Access Point Comparison

Aironet Indoor Series            | 700                         | 1600               | 2700           | 3700
Wireless Standards               | 802.11a/g/n                 | 802.11a/g/n        | 802.11a/g/n/ac | 802.11a/g/n/ac
Max Data Rate                    | 600 Mbps                    | 600 Mbps           | Over 1 Gbps    | Over 1 Gbps
RF Design (MIMO:Spatial Stream)  | 2x2:2                       | 3x3:2              | 3x4:3          | 4x4:3
Performance (relative)           | ●●                          | ●●●                | ●●●●           | ●●●●●
Max No. of Clients per AP        | 200                         | 256                | 400            | 400
RRM                              | ✔                           | ✔                  | ✔              | ✔
CleanAir                         |                             | CleanAir Express*  | ✔              | ✔
High Density Experience          |                             |                    | ✔              | ✔
ClientLink                       |                             | ClientLink 2.0     | ClientLink 3.0 | ClientLink 3.0
Max No. of ClientLink Clients/AP |                             | 64                 | 256            | 256
BandSelect                       | ✔                           | ✔                  | ✔              | ✔
VideoStream                      | ✔                           | ✔                  | ✔              | ✔
Rogue AP Detection               | ✔                           | ✔                  | ✔              | ✔
Adaptive wIPS                    | ✔                           | ✔                  | ✔              | ✔
External Antenna Opt             |                             | ✔                  | ✔              | ✔
Other Benefits                   | 700w: 4 GigE Ports, PoE Out |                    |                | StadiumVision Option; Module Options: Security, 3G Small Cell* or Wave 2 802.11ac*
AP-3700 Architecture
Disable Mandatory Lower Data Rates

Without Disabling Lower Data Rates (cell extends out to the 6Mbps ring): “I can hear beacons from the AP, so I can associate with it and reduce the overall performance.”

Disabling Lower Data Rates (cell limited to the 24Mbps ring): “I cannot hear beacons from the AP, so now I am forced to search for an AP with a stronger signal.”

Data-rate rings in the figure: 24Mbps, 18Mbps, 12Mbps, 9Mbps, 6Mbps.

Cell size reduction increases efficiency and lowers duty cycle.
Low RSSI Check

Without Low RSSI Check (clients shown at -85dB and -86dB): “My ‘Association Request’ will receive ‘Association Response’ SUCCESS.”

With Low RSSI Check set to -80dBm (default), a client shown at -81dB: “My ‘Association Request’ will receive ‘Association Response’ REJECT – Poor Channel.” “Association Response” SUCCESS is restricted to clients within cell range better than -80dBm.
RX-SOP – (Receive - Start of Packet) – What is it?
• Receiver Start of Packet Detection Threshold (RX-SOP) determines the Wi-Fi signal level in dBm at which an AP radio will demodulate and decode a packet.
• The higher the level, the less sensitive the radio is and the smaller the receiver cell size will be
• By reducing the cell size we can affect everything from the distribution of clients to our perception of channel utilization
• This is for High Density designs – and requires knowledge of the behavior you want to support
• A client needs to have someplace to go if you ignore it on the current cell
WARNING – This setting is a brick wall – if you set it above where your clients are being heard – they will no longer be heard. Really.
RX-SOP – Why Use It?
• Reduce sensitivity to interference and noise – reduce Channel Utilization
• It sharpens the cell edge – we will hear what we intend to cover
• Caveats
– You can significantly reduce coverage
– You can make it impossible for intended clients to associate or communicate with your AP
• This feature is to be used in conjunction with a known design to solve specific problems, when you understand the coverage and usage of the network by the users
• RX-SOP is available at the global level as well as in RF profiles – Strongly recommend applying only through profiles – to solve specific problems with HDX
RX-SOP configuration
• Settings High, Medium, Low, Auto
• Auto is default behavior, and leaves RX-SOP function linked to CCA threshold for automatic adjustment
• Most networks can support a LOW setting and see improvement
• This affects all packets seen at the receiver
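The three cell-edge controls from the preceding slides (disabling lower mandatory data rates, the Low RSSI association check, and RX-SOP) as one added Python model. This is illustrative code written for this page, not Cisco's implementation. The per-rate minimum RSSI values, the dBm values behind the Low/Medium/High/Auto RX-SOP levels and the client signal levels are constructed placeholders rather than platform figures, and the link is assumed symmetric (the client's signal at the AP equals the AP's at the client). `clients_silenced` is the pre-change check the “brick wall” warning calls for: evaluate the intended RX-SOP level against the signal levels of the clients currently being served before applying it through an RF profile.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum RSSI (dBm) at which a receiver in this model decodes each 5 GHz OFDM
# rate. CONSTRUCTED round numbers; real sensitivity depends on chipset and noise floor.
RATE_MIN_RSSI_DBM: Dict[int, int] = {
    6: -92, 9: -91, 12: -89, 18: -87, 24: -84, 36: -80, 48: -76, 54: -74,
}

# RX-SOP levels. CONSTRUCTED placeholders: the deck names only High/Medium/Low/Auto;
# the per-band dBm values are in Cisco's RX-SOP documentation, not reproduced here.
RX_SOP_DBM: Dict[str, int] = {"low": -80, "medium": -78, "high": -76}
AUTO_FLOOR_DBM = -90  # "auto" follows the CCA threshold; constructed floor for the model


@dataclass(frozen=True)
class RadioConfig:
    lowest_mandatory_rate: int = 6            # rate beacons are sent at (Mbps)
    low_rssi_check_dbm: Optional[int] = None  # -80 is the deck's default when enabled
    rx_sop: str = "auto"                      # "auto" | "low" | "medium" | "high"


def rx_sop_threshold(cfg: RadioConfig) -> int:
    return AUTO_FLOOR_DBM if cfg.rx_sop == "auto" else RX_SOP_DBM[cfg.rx_sop]


def client_hears_beacon(cfg: RadioConfig, rssi_dbm: int) -> bool:
    """Raising the lowest mandatory rate shrinks the cell: a client that cannot
    decode beacons at that rate never sees the AP and keeps searching."""
    return rssi_dbm >= RATE_MIN_RSSI_DBM[cfg.lowest_mandatory_rate]


def ap_demodulates(cfg: RadioConfig, rssi_dbm: int) -> bool:
    """RX-SOP: a frame arriving below the threshold is not demodulated at all."""
    return rssi_dbm >= rx_sop_threshold(cfg)


def association_outcome(cfg: RadioConfig, rssi_dbm: int) -> str:
    """Outcome for a client whose link to the AP is symmetric at rssi_dbm.
    Order matters: RX-SOP drops the frame before any MAC-layer check runs."""
    if not client_hears_beacon(cfg, rssi_dbm):
        return "NO BEACON: client searches for a stronger AP"
    if not ap_demodulates(cfg, rssi_dbm):
        return "NOT HEARD: below RX-SOP"
    if cfg.low_rssi_check_dbm is not None and rssi_dbm < cfg.low_rssi_check_dbm:
        return "REJECT: Poor Channel"
    return "SUCCESS"


def clients_silenced(cfg: RadioConfig, observed_rssi: List[int]) -> List[int]:
    """Pre-change check for the 'brick wall' warning: which currently served
    clients would stop being heard under this RX-SOP setting."""
    return [r for r in observed_rssi if not ap_demodulates(cfg, r)]


# Constructed client signal levels, echoing the -80/-81/-85/-86 figures on the slides
CLIENTS = [-70, -79, -81, -86]

BASELINE = RadioConfig()
RATES_24 = RadioConfig(lowest_mandatory_rate=24)
LOW_RSSI = RadioConfig(low_rssi_check_dbm=-80)
SOP_LOW = RadioConfig(rx_sop="low")
SOP_HIGH = RadioConfig(rx_sop="high")


def demo() -> Dict[str, List[str]]:
    scenarios = [("baseline", BASELINE), ("rates_24", RATES_24),
                 ("low_rssi", LOW_RSSI), ("sop_low", SOP_LOW)]
    return {name: [association_outcome(cfg, r) for r in CLIENTS] for name, cfg in scenarios}


if __name__ == "__main__":
    for name, outcomes in demo().items():
        print(name, dict(zip(CLIENTS, outcomes)))
    print("silenced by RX-SOP high:", clients_silenced(SOP_HIGH, CLIENTS))
```

In the baseline every client associates. With 24 Mbps as the lowest mandatory rate the -86 client never hears a beacon and moves on; with the -80 check the -81 and -86 clients are heard but rejected with “Poor Channel”; with RX-SOP Low they are not heard at all. The same four clients against RX-SOP High show three of them silenced, which is the outcome the warning on the previous slide describes.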
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle <Speaker – enter your twitter handle here>
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings