Cisco - PowerPoint PPT Presentation
Slide 1

Flavien Richard, Technical Solutions Architect; Viktor Platov, Consulting Systems Engineer

Configuration Recommendations for Cisco Wireless LAN Controllers

Slide 2

Contents

Recommended settings:
  • Infrastructure
  • RF/RRM
  • Security and BYOD
  • FlexConnect

Figure: tool landscape – Express Setup; Monitoring and RF Dashboard; Audit; Upgrade Workflow; Feature Best Practices; WLCCA; Cisco Active Advisor

Slide 3

Infrastructure

Slide 4

Infrastructure settings recommendations

  • Enable High Availability (Client SSO)
  • Enable AP Failover Priority
  • Enable AP Multicast Mode
  • Enable Multicast VLAN
  • Enable Pre-image download
  • Enable AVC
  • Enable NetFlow
  • Enable Local Profiling (DHCP and HTTP)
  • Enable NTP
  • Change the AP re-transmit parameters
  • Enable Fast SSID change
  • Enable per-user bandwidth contracts
  • Enable Multicast Mobility
  • Enable Client Load Balancing
  • Disable Aironet IE

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html

Slide 5

Infrastructure: Enable High Availability (Client SSO)

This feature requires a direct physical or L2 link between the Active and Standby redundancy ports.

Convergence within one second.

Slide 6

Infrastructure: Enable AP Failover Priority

Wireless → Access Points → Global Configurations
Wireless → Access Points → All APs → AP_NAME → High Availability

Lets you assign each AP a priority that the controller honours when it is oversubscribed.

Slide 7

Infrastructure: Enable AP Multicast mode

Controller → General → AP Multicast Mode

Sends one multicast packet to all APs instead of a unicast packet to each AP.

The multicast group address must be unique among all WLCs and must not overlap with other protocols.

The network infrastructure must provide multicast routing between the management interface and the AP subnet.

Slide 8

Infrastructure: Multicast VLAN for Interface Groups

WLANs → WLAN Name → General

Restricts multicast transmission over the air to a single VLAN.

Figure: interface group containing VLAN1, VLAN3 and VLAN4; multicast is sent only on VLAN2 (mcast_vlan).

Slide 9

Infrastructure: Enable Pre-image download

Wireless → Global Configurations → AP Image Pre-download

Less time to upgrade software across the whole network.

Slide 10

Infrastructure: Enable AVC

Wireless → Application Visibility and Control → AVC Profiles

Classifies applications, provides real-time analysis, and allows users to drop or mark data. Per-user, per-device granularity for control.

Add per-application rules; enable Application Visibility.

Slide 11

Infrastructure: Enable NetFlow on the controller

Wireless → Netflow → Exporter → Create 'New'
Wireless → Netflow → Monitor → New

NetFlow export to Cisco Prime or a third-party network management tool.

Slide 12

Infrastructure: Enable Local Profiling

WLANs → Edit → WLAN_NAME → Advanced

Client devices can be profiled based on their manufacturer and operating system.

Slide 13

Infrastructure: Enable NTP

Controller → NTP → Keys
Controller → NTP → Server

Synchronizes the time among all devices on the network, including access points and the controller. This matters because X.509 certificates are installed on the AP and WLC, and for context-aware and location services, MFP, and debugging.

If NTP requires authentication, add the key first.

Slide 14

Infrastructure: Change the AP Re-transmit parameters

Wireless → Access Points → Global Configuration

Allows the user to customize the way APs attempt to join a WLC. Increase the count and interval for higher-latency links such as FlexConnect and satellite links.

Number of times the AP will try to join the WLC (3-8); number of seconds to wait before retrying (2-5 s).

Slide 15

Infrastructure: Enable Fast SSID change

Controller → General

Allows clients to move faster between SSIDs by not clearing the client entry.

Slide 16

Infrastructure: Enable per-user bandwidth contract

WLANs → Edit 'WLAN_NAME' → QoS

Enforces limits on non-mission-critical clients.

Limit data rates for Guest and Contractor accounts.

Slide 17

Infrastructure: Enable Multicast Mobility for mobility domains

Controller → General
Controller → Multicast

Allows clients to announce messages to all mobility peers instead of to individual WLCs, which saves time, CPU usage, and network utilization. Requires multicast routing between controllers.

Slide 18

Infrastructure: Enable Client Load Balancing

WLANs → Edit "WLAN-NAME" → Advanced

Balances the number of clients connected to a WLAN across multiple APs. Not suitable for voice, low-density and single-AP deployments such as hotspots.

Client Window Size 1-20; Maximum Denial Count 0-10.

Slide 19

Infrastructure: Disable Aironet IE

WLANs → Edit "WLAN-NAME" → Advanced

Can cause compatibility issues with some types of wireless clients. Enable for WGB and Cisco voice; optional for CCX-based clients.

  • Aironet IE 0x85 in beacons and probe responses
    • AP name, load, client count etc.
  • Controller sends Aironet IEs 0x85 and 0x95 in the reassociation response if it receives Aironet IE 0x85 in the reassociation request
    • Management IP address of WLC
    • IP address of AP
Slide 20

Infrastructure: Same Virtual IP if same mobility name

Controller → Interfaces → virtual

Inter-controller roaming can appear to work, but the hand-off does not complete and the client loses connectivity when a DHCP renew is performed if DHCP proxy is enabled.

Figure: both controllers in the Mobility Group use the same virtual IP, 192.0.2.1.

Slide 21

Infrastructure: Fast Restart

Supported on Cisco WLC 7510, 8510, 5520, 8540 and vWLC; version 8.1 required.

Process restart reduces network and service downtime and improves serviceability. Commands → Restart

Use cases:
  • LAG <-> no LAG
  • 10 G <-> 1 G
  • High Availability SSO pairing
  • Post Configuration Wizard
  • Web-auth certificate installation
  • Transfer Download of XML

73% faster

Slide 22

RF & RRM Recommendations

RF = Radio Frequencies; RRM = Radio Resource Management

Slide 23

RF & RRM Recommendations
Slide 24

RF & RRM: Disable 802.11b Data Rates

Wireless → 802.11b/g/n → Network

Management frames are sent at the lowest mandatory rate, which slows down the entire cell.

Slide 25

RF & RRM: Disable 802.11b Data Rates

Demonstrating the impact of 802.11b data rates on channel utilization:

1 Mbps mandatory: channel utilization 67%
6 Mbps mandatory: channel utilization 23%

Slide 26

RF & RRM: Restrict the number of WLANs to below 4

WLANs → WLANs

Each SSID needs its own probe responses and beaconing; the more SSIDs, the less RF space is available for real data traffic.
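Slides 24 to 26 make one argument: every SSID beacons and answers probe requests at the lowest mandatory rate, so a 1 Mbps mandatory rate and a long SSID list both consume airtime before any user data moves. The following Python script is an added example, not material from the deck or from Cisco. It models only beacon and probe-response airtime, using the 802.11 PHY overhead figures (192 µs DSSS long preamble, 20 µs OFDM preamble) together with a constructed frame size and probe-response rate, and it ignores data traffic, ACKs and contention, so its percentages are lower than the channel-utilization readings quoted on slide 25.

```python
"""Management-frame airtime versus lowest mandatory rate and SSID count.

Added example: the PHY overhead values are the 802.11 DSSS long-preamble
(192 us) and OFDM (20 us) figures; the frame size and probe-response rate
are constructed assumptions for illustration only.
"""

BEACON_INTERVAL_S = 0.1024  # 100 TU, the default 802.11 beacon interval

# PHY preamble + PLCP header, in microseconds, per frame at a given rate.
# DSSS/CCK (802.11b) rates carry a 192 us long preamble; OFDM (802.11a/g)
# rates carry 20 us of preamble and SIGNAL field.
PHY_OVERHEAD_US = {
    1.0: 192.0, 2.0: 192.0, 5.5: 192.0, 11.0: 192.0,  # 802.11b rates
    6.0: 20.0, 12.0: 20.0, 24.0: 20.0,                 # 802.11g/a rates
}

MGMT_FRAME_BYTES = 250  # constructed: a beacon/probe response with a few IEs


def frame_airtime_us(rate_mbps, frame_bytes=MGMT_FRAME_BYTES):
    """Airtime of one management frame sent at rate_mbps, in microseconds."""
    if rate_mbps not in PHY_OVERHEAD_US:
        raise ValueError(f"unsupported rate {rate_mbps} Mbps")
    return PHY_OVERHEAD_US[rate_mbps] + frame_bytes * 8 / rate_mbps


def management_airtime_fraction(rate_mbps, ssids, probe_responses_per_s=0):
    """Fraction of each second consumed by beacons and probe responses.

    Each SSID beacons once per beacon interval and answers
    probe_responses_per_s probe requests per second; all of these frames
    are sent at the lowest mandatory rate.
    """
    frames_per_s = ssids * (1 / BEACON_INTERVAL_S + probe_responses_per_s)
    return frames_per_s * frame_airtime_us(rate_mbps) / 1_000_000


def compare_mandatory_rates(ssids, probe_responses_per_s=0):
    """Return (airtime fraction at 1 Mbps mandatory, at 6 Mbps mandatory)."""
    return (
        management_airtime_fraction(1.0, ssids, probe_responses_per_s),
        management_airtime_fraction(6.0, ssids, probe_responses_per_s),
    )


if __name__ == "__main__":
    # Constructed scenario: 10 probe responses per SSID per second.
    for ssids in (1, 4, 8):
        low, high = compare_mandatory_rates(ssids, probe_responses_per_s=10)
        print(f"{ssids} SSIDs: {low:.1%} of airtime at 1 Mbps, "
              f"{high:.1%} at 6 Mbps mandatory")
```

With these assumptions, four SSIDs answering ten probes per second each cost about 17% of the channel at a 1 Mbps mandatory rate and under 3% at 6 Mbps; the ratio, not the absolute figure, is the point, since the 192 µs preamble alone at 1 Mbps is almost ten times the whole OFDM overhead.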

Slide 27

RF & RRM: Enable Channel Bonding – Best

Wireless → 802.11a/n/ac → RRM → DCA

40/80 MHz wide channels in the 5 GHz space can carry 2x/4x the amount of user data that can be transmitted. For extreme HD deployments use 20 MHz channels to keep cell size small.

"Best" automatically selects the widest channel width with:
  • Highest client data rates
  • Lowest channel utilization per radio
  • Minimized data retries / CRC errors
  • On the 5 GHz band

While avoiding:
  • Rogue APs
  • CleanAir interferers
Slide 28

RF & RRM: Disable Avoid Cisco AP Load

Wireless → 802.11a/n/ac → RRM → DCA
Wireless → 802.11b/g/n → RRM → DCA

Avoids frequent DCA channel changes caused by varying load conditions.

Slide 29

RF & RRM: Enable Client Band Select

WLANs → Edit "WLAN-NAME" → Advanced

Allows dual-band clients to move to the less congested 5 GHz band. Not always recommended for voice deployments.

Slide 30

RF & RRM: Make use of RF Profiles

More granular control of the RF network

  • RF Profiles work in conjunction with AP Groups (since release 7.2)
  • You can create separate RF profiles for both 2.4 and 5 GHz
  • One profile for each band (802.11a/802.11b) can be assigned to an AP group
  • Today with 8.x, you can use RF Profiles for:
    • 802.11 data rates
    • TPC power threshold and min/max power settings
    • DCA (Dynamic Channel Assignment)
    • Coverage hole mitigation algorithm settings
    • High Density (HDX) configurations such as RX-SOP, client limit, multicast data rate
    • Client distribution

Slide 31

RF Profiles: Granular Control

Figure: RF profile areas – data rates; load balancing; TPC, DCA, coverage hole; high density.

Slide 32

Network Profiles

Client Density: High, Typical, Low
Traffic Type: Data, Data and Voice

Sets pre-defined RF parameters depending on client density and traffic type.

Slide 33

Pre-built RF profiles

Pre-built RF profiles for use with AP Groups.

Client-density-specific pre-built RF profiles for the 2.4 GHz and 5 GHz bands, to be used with AP Groups.

Slide 34

RF & RRM: The RF Group Leader must be an 802.11ac WLC (Release 7.5+) in RF Groups with mixed versions

Wireless → 802.11a/n/ac → RRM → DCA

If the RF Group Leader does not support 802.11ac (Release 7.5+), APs in the RF Group cannot select 80 MHz channel widths.

Slide 35

RF & RRM: Enable Cisco CleanAir

Wireless → 802.11a/n/ac or 802.11b/g/n → CleanAir

Figure: per-AP Air Quality index values (100, 63, 35, 97, 90, 20).

CleanAir identifies non-Wi-Fi interferers and generates interferer and air quality reports.

Enable CleanAir on both radio bands.

Slide 36

RF & RRM: Enable Cisco EDRRM

Wireless → 802.11a/n/ac or 802.11b/g/n → RRM → DCA

EDRRM triggers RRM to run when an access point detects a certain level of interference.

Recommended sensitivity threshold: Medium. Enable Wi-Fi Interference Awareness. Configure the Duty Cycle to 80%.

Slide 37

RF & RRM: Enable Noise & Rogue Monitoring on all channels

Wireless → 802.11a/n/ac or 802.11b/g/n → RRM → General

Scan All Channels for security, DCA Channels for performance.

Slide 38

Security & BYOD Best Practices

Slide 39

Security & BYOD Best Practices

Security:
  • Enable 802.1x and WPA/WPA2 on the WLAN
  • Enable 802.1x authentication for APs
  • Change the advanced EAP timers
  • Enable SSH and disable Telnet
  • Disable Management Over Wireless
  • Peer-to-peer blocking
  • Secure Web Access (HTTPS)
  • Enable User Policies
  • Enable Client Exclusion Policies
  • Enable rogue policies and Rogue Detection RSSI
  • Strong password policies
  • Enable IDS
  • BYOD timers

Slide 40

Security: Enable 802.1x authentication on the WLAN

WLANs → Edit 'WLAN_NAME' → Security

Provides greater network security on the WLAN by using 802.1x authentication for clients.

Slide 41

Security: Enable 802.1x authentication for APs

Wireless → Access Points → Global Configurations

Provides greater network security by enabling 802.1x on the switch port where the AP is connected. Not supported for Mesh deployments.

To enable 802.1X authentication on a switch port, enter these commands on the switch CLI (ip_addr, port and key are placeholders for your RADIUS server's address, ports and shared secret):

Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Slide 42

Security: Enable SSH and disable Telnet

Management → Telnet-SSH

Disable Telnet and enable SSH as the default option.

Provides greater security by allowing secure access and denying unencrypted access.

A session count of 0 means no sessions will be allowed.

Slide 43

Security: Disable Management Over Wireless

Management → Mgmt Via Wireless

Disallow management of the controller via wireless.

Slide 44

Security: Disable Wi-Fi Direct

WLANs → WLAN Name → Advanced

Prevents a security hole when a device is connected to both the infrastructure and a Personal Area Network (PAN) at the same time. Will break Android devices.

Figure: a corporate laptop on the corporate WLAN bridging to unauthorized devices over a PAN.

Slide 45

Security: Secure Web Access (HTTPS)

Management → HTTP-HTTPS

Provides greater security by allowing only secure access.

Slide 46

Security: Enable Client Exclusion Policies

Security → Wireless Protection Policies → Client Exclusion Policies

Enable exclusion policies to protect the network from association/authentication failure attacks. Disable for voice deployments.

Slide 47

Security: Enable Rogue Policies

Security → Wireless Protection Policies → Rogue Policies → General → Low

The Rogue Detection Security Level should be set to "Low" at a minimum.

Figure: rogue classification – Friendly / Malicious.

Slide 48

BYOD: RADIUS Timeout >= 5 s

Security → AAA → RADIUS → Authentication

Prevents premature failover: the default of 2 seconds is generally too low for ISE, since ISE relies on backend databases for user lookups and group fetches. Setting it too high causes queue issues on the WLC.
Slide 49

BYOD: Disable Aggressive Failover

Disable the aggressive failover feature with the following CLI command:

config radius aggressive-failover disable

Use show radius summary to check the status of this feature.

With aggressive failover disabled, the WLC only fails over to the next AAA server if three consecutive clients fail to receive a response from the RADIUS server.

In some circumstances, having it enabled can cause the WLC to prematurely mark ISE dead in times of high load and cause additional load on ISE.
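Slides 48 and 49 describe two settings that interact under load: a RADIUS timeout that is too short makes individual clients miss responses, and aggressive failover turns a single such miss into a server-dead decision. The Python below is an added example, not Cisco code or WLC output. It is a deliberately simplified model (an assumption, not a description of WLC internals): a client is "unanswered" when the server's latency exceeds the configured timeout, aggressive failover gives up on the server at the first unanswered client, and non-aggressive failover waits for three consecutive unanswered clients, as the slide states. The latency figures are constructed.

```python
"""Model of RADIUS failover decisions under load.

Added example with constructed data.  Assumption: a client's authentication
counts as unanswered when server latency exceeds the configured timeout;
aggressive failover gives up on the server at the first unanswered client,
non-aggressive failover only after three consecutive unanswered clients.
"""

CONSECUTIVE_FAILURES_TO_FAIL_OVER = 3  # from the slide: three consecutive clients

# Constructed: per-client ISE response latency in seconds during a busy
# period, e.g. a burst of BYOD onboarding where ISE does backend group lookups.
BUSY_PERIOD_LATENCIES_S = [0.3, 2.4, 3.1, 2.7, 0.4, 0.5, 2.2, 0.6]


def unanswered_clients(latencies_s, timeout_s):
    """Return one boolean per client: True where no response arrived in time."""
    return [latency > timeout_s for latency in latencies_s]


def failover_client_index(unanswered, aggressive):
    """Index of the client at which the WLC would mark the server dead, or None.

    aggressive=True:  the first unanswered client triggers failover.
    aggressive=False: only CONSECUTIVE_FAILURES_TO_FAIL_OVER unanswered clients
                      in a row trigger it; any answered client resets the streak.
    """
    streak = 0
    for index, missed in enumerate(unanswered):
        if not missed:
            streak = 0
            continue
        streak += 1
        if aggressive or streak >= CONSECUTIVE_FAILURES_TO_FAIL_OVER:
            return index
    return None


def evaluate(timeout_s, aggressive, latencies_s=BUSY_PERIOD_LATENCIES_S):
    """Summarise one configuration as (unanswered client count, failover index)."""
    unanswered = unanswered_clients(latencies_s, timeout_s)
    return sum(unanswered), failover_client_index(unanswered, aggressive)


if __name__ == "__main__":
    for timeout_s in (2, 5):
        for aggressive in (True, False):
            missed, at = evaluate(timeout_s, aggressive)
            verdict = (f"server marked dead at client {at}"
                       if at is not None else "no failover")
            print(f"timeout={timeout_s}s aggressive={aggressive}: "
                  f"{missed} unanswered, {verdict}")
```

With the 2-second default, the constructed burst produces four unanswered clients; aggressive failover abandons ISE at the second client, and even the non-aggressive rule trips on the three-client streak that follows. Raising the timeout to 5 seconds answers every client in the same burst and no failover occurs with either setting, which is the combination the two slides recommend.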

Slide 50

BYOD: Client Idle Timeout

WLANs → WLAN Name → Advanced

For networks where users stay largely within the coverage area, the setting can be increased to 3600 seconds for an SSID running 802.1x or RADIUS NAC against ISE.

Slide 51

BYOD: Client Exclusion

WLANs → WLAN Name → Advanced

180 seconds is the recommended default with ISE, though 60 seconds is the WLC default. The reason is the minimum reject interval on ISE for misconfigured supplicant detection.

Slide 52

FlexConnect Best Practices

Slide 53

FlexConnect Best Practices

  • Enable FlexConnect Groups
  • CCKM/OKC key sharing, consistent WLAN mappings
  • Enable Smart AP Image Upgrade
  • Use the FlexConnect Group level for VLAN configuration
  • Use VLAN Name Override to map users to VLANs across different branches
  • Configure AVC per WLAN at the FlexConnect Group level

Slide 54

FlexConnect: Enable FlexConnect Groups

Wireless → FlexConnect Groups → Edit "Groupname"

Allows users to assign specific APs to groups with a set configuration: OKC/CCKM key caching for voice, local RADIUS server configuration, consistent WLAN mappings.

Figure: FlexConnect APs at branch sites connected over the WAN to the central site.

Slide 55

FlexConnect: Enable "FlexConnect AP Upgrade"

Wireless → FlexConnect Groups → Edit "Groupname" → Image Upgrade tab

Avoids downloading multiple copies of the access point software over the slow WAN link to the remote site, reduces service downtime and reduces the risk of download failure.

Figure: Wireless Control System and Wireless LAN Controller at the central site; one new master AP across the WAN downloads the image and distributes it locally.

Slide 56

Conclusions

  • Optimum starting point at Day 0/1 network setup
  • RF parameter setting ease of use
  • Enhanced performance, security, resiliency with best practice recommendations at boot time

  • Compliance metric and reporting natively on the WLC
  • Identify missing best practice configuration on upgrade
  • Easy one-click 'Fix It' option to turn on Best Practice knobs (or ignore)

  • Personalized device health score
  • Free, cloud-based service
  • Automatically takes an inventory of your Cisco network
  • Downloadable client
  • Configuration stays local
  • Quickly identify and fix problem areas
  • RF health metrics, IOS support, Mobility Group support

Benefit areas shown on the slide: saving time and money; audit of the current configuration; optimization; analysis and troubleshooting.

Figure: tool landscape – Express Setup; Monitoring and RF Dashboard; Audit; Upgrade Workflow; Feature Best Practices; WLCCA; Cisco Active Advisor

Enhance your usability and manageability experience. Maximize use of your embedded advanced features. Fine-tune features to their optimum. Derive maximum potential from your WLAN.

Slide 57

CiscoRu · Cisco · CiscoRussia

We look forward to your messages with the hashtag #CiscoConnectRu

Please fill in the questionnaires. Your opinion is very important to us.

Thank you

Flavien Richard & Viktor Platov

Slide 58