Cisco on premise wireless update

Local Edition Cisco On-Premise Wireless Update Robert Palmer Consulting Systems Engineer


CLLE FL 092014

Transcript of Cisco on premise wireless update

Page 1: Cisco on premise wireless update

Local Edition

Cisco On-Premise Wireless Update

Robert Palmer, Consulting Systems Engineer

Page 2: Cisco on premise wireless update

© 2014 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco PublicLocal Edition

Network Level HA: Autonomous, FlexConnect, Centralized, Converged Access

Autonomous: standalone APs. Target positioning: small wireless network. Purchase decision: wireless only. High availability: can only claim AP quality, no RF HA, no network layer HA, no services. Key considerations: limited features, upgradable to controller based.

FlexConnect: traffic distributed at the AP. Target positioning: branch. Purchase decision: wireless only. High availability: full RF HA, client SSO when local switching. Key considerations: branch with WAN BW and latency requirements.

Centralized: traffic centralized at the controller. Target positioning: campus. Purchase decision: wireless only. High availability: most complete solution. Key considerations: full features.

Converged Access: traffic distributed at the switch. Target positioning: branch and campus. Purchase decision: wired and wireless. High availability: exploits HA in IOS switches. Key considerations: Catalyst 3650/3850 in the access layer.

Page 3: Cisco on premise wireless update


Network Infrastructure HA – Centralized Mode

Page 4: Cisco on premise wireless update

Centralized Mode HA

N+1 Redundancy (deterministic/stateless HA, a.k.a. primary/secondary/tertiary)
  – Requirements: each controller has to be configured separately
  – Benefits: available on all controllers; crosses L3 boundaries; flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)

AP SSO (SSID stateful switchover)
  – Requirements: release 7.3 and 7.4; WLC 5508, WiSM2, 7500, 8510; direct physical connection; same HW and SW; 1:1 box redundancy
  – Benefits: AP state is synched; no SSID downtime; HA-SKU available (> 7.4)

Client SSO
  – Requirements: minimum release 7.6; WLC 5508, WiSM2, 7500, 8510; L2 connection; same HW and software; 1:1 box redundancy
  – Benefits: active client state is synched; AP state is synched; no application downtime; HA-SKU available

Figure axis label: Network Uptime

Page 5: Cisco on premise wireless update

N+1 Redundancy

• Administrator statically assigns APs a primary, secondary, and/or tertiary controller
  – Assigned from the controller interface (per AP) or Prime Infrastructure (template-based)
  – Name and IP must be specified if the WLCs are not in the same Mobility Group

• Pros:
  – Support for L3 network between WLCs
  – Flexible redundancy design options (1:1, N:1, N:N:1)
  – WLCs can be of different HW and SW
  – Predictability: easier operational management
  – Faster failover times configurable
  – "Fallback" option in the case of failover

• Cons:
  – Stateless redundancy
  – More upfront planning and configuration

Figure: three controllers (WLAN-Controller-A, WLAN-Controller-B, WLAN-Controller-C) whose APs are configured as:
  – Primary: WLAN-Controller-1, Secondary: WLAN-Controller-2, Tertiary: WLAN-Controller-3
  – Primary: WLAN-Controller-2, Secondary: WLAN-Controller-3, Tertiary: WLAN-Controller-1
  – Primary: WLAN-Controller-3, Secondary: WLAN-Controller-2, Tertiary: WLAN-Controller-1

Page 6: Cisco on premise wireless update

N+1 Redundancy: Global Backup Controllers

Backup controllers configured for all APs under Wireless > High Availability

Used if there are no primary/secondary/tertiary WLCs configured on the AP

The backup controllers are added to the primary discovery request message recipient list of the AP.

Page 7: Cisco on premise wireless update


AP Failover

• The access point maintains a list of backup controllers and periodically sends primary discovery requests to each entry on the list.

• Configure a primary discovery request timer to specify the amount of time that a controller has to respond to the discovery request

AP Primary Discovery Request Timer

Page 8: Cisco on premise wireless update


AP Failover

• The AP sends HA heartbeat packets, by default every 1 sec
• Fast Heartbeats reduce the amount of time it takes to detect a controller failure
• When the fast heartbeat timer expires, the AP sends 3 fast echo requests to the WLC
• If there is no response, the primary is considered dead and the AP selects an available controller from its "backup controller" list in the order of primary, secondary, tertiary, primary backup controller, and secondary backup controller

• Fast Heartbeat only supported for Local and Flex mode

Fast Heartbeat

Page 9: Cisco on premise wireless update


AP Failover

• Assign priorities to APs: Critical, High, Medium, Low

• Critical priority APs get precedence over all other APs when joining a controller

• In a failover situation, a higher priority AP will be allowed in ahead of all other APs

• If controller is full, existing lower priority APs will be dropped to accommodate higher priority APs

AP Failover Priority

Figure: an AP with priority Critical and an AP with priority Medium compete for a controller that is full; the Critical AP fails over to the controller and the Medium priority AP is dropped.
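The failover behaviour described on the last two slides (fast heartbeat detection, the backup-controller search order, and priority-based preemption on a full controller) as a small simulation. This is an added illustration, not Cisco code; the controller names, capacities and AP assignments are constructed.

```python
"""AP failover simulation: backup-controller order and AP failover priority.
Added illustration, not Cisco code. Controller names, capacities and APs
below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional

PRIORITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Controller:
    name: str
    capacity: int                       # licensed AP count on this WLC
    alive: bool = True
    joined: list = field(default_factory=list)   # AP names in join order


@dataclass
class AccessPoint:
    name: str
    priority: str                       # critical / high / medium / low
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def candidate_order(ap, backup_primary=None, backup_secondary=None):
    """Order in which the AP tries controllers once its primary is dead:
    primary, secondary, tertiary, then the global primary and secondary
    backup controllers (Wireless > High Availability). Unset slots are skipped."""
    slots = [ap.primary, ap.secondary, ap.tertiary, backup_primary, backup_secondary]
    return [name for name in slots if name]


def primary_dead(unanswered_fast_echoes, required=3):
    """After the fast heartbeat timer expires the AP sends 3 fast echo
    requests; the primary is declared dead only when all of them go unanswered."""
    return unanswered_fast_echoes >= required


def try_join(wlc, ap, aps):
    """Admit the AP, preempting a lower-priority AP if the WLC is full.
    Returns (joined, dropped_ap_name)."""
    if len(wlc.joined) < wlc.capacity:
        wlc.joined.append(ap.name)
        return True, None
    victim = min(wlc.joined, key=lambda n: PRIORITY[aps[n].priority])
    if PRIORITY[aps[victim].priority] < PRIORITY[ap.priority]:
        wlc.joined.remove(victim)             # lower-priority AP is dropped
        wlc.joined.append(ap.name)
        return True, victim
    return False, None                        # equal or higher priority stays


def fail_over(ap, controllers, aps, backups=(None, None)):
    """Walk the candidate list and join the first live controller that admits
    the AP. Returns (controller_name or None, dropped_ap_name or None)."""
    for name in candidate_order(ap, *backups):
        wlc = controllers.get(name)
        if wlc is None or not wlc.alive:
            continue
        joined, dropped = try_join(wlc, ap, aps)
        if joined:
            return name, dropped
    return None, None


def demo():
    """Constructed scenario: WLC-A dies; WLC-B has a single slot already used
    by a medium-priority AP; WLC-BKP is the global primary backup controller."""
    controllers = {c.name: c for c in (
        Controller("WLC-A", capacity=2, alive=False),
        Controller("WLC-B", capacity=1),
        Controller("WLC-BKP", capacity=10),
    )}
    aps = {
        "ap-lobby": AccessPoint("ap-lobby", "medium", primary="WLC-B"),
        "ap-er": AccessPoint("ap-er", "critical", primary="WLC-A", secondary="WLC-B"),
        "ap-store": AccessPoint("ap-store", "low", primary="WLC-A", secondary="WLC-B"),
    }
    controllers["WLC-B"].joined.append("ap-lobby")
    backups = ("WLC-BKP", None)
    return {
        "ap-er": fail_over(aps["ap-er"], controllers, aps, backups),
        "ap-store": fail_over(aps["ap-store"], controllers, aps, backups),
        "ap-lobby": fail_over(aps["ap-lobby"], controllers, aps, backups),
    }


if __name__ == "__main__":
    for ap_name, (wlc, dropped) in demo().items():
        print(f"{ap_name}: joined {wlc}, dropped {dropped}")
```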

Page 10: Cisco on premise wireless update

N+1 Redundancy: Best Practices

Most common Design is N+1 with Redundant WLC in a geographically separate location

Configure high availability parameters to detect failure and faster failover (min 30 sec)

Use AP priority in case of over subscription of redundant WLC, or

Use HA SKU available for 5508, 7500, 8500 and 2500 (from 7.5) controllers

Figure: WLAN-Controller-1, WLAN-Controller-2, ..., WLAN-Controller-n, each with its own APs configured with that controller as Primary and WLC-BKP as Secondary; WLC-BKP sits in the NOC or Data Center.

For more info: http://www.cisco.com/en/US/docs/wireless/technology/hi_avail/N1_HA_Overview.html or http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/qa_c67-714540.html

Page 11: Cisco on premise wireless update

N+1 Redundancy: HA-SKU

• No need to purchase licenses on the backup WLC. When the backup takes over, a 90-day counter is started
• The HA-SKU controller needs to be configured normally, as you would do with the secondary controller (no auto synch)
• Supported on 5508, WiSM2, Flex7500, 8510 and 2504
• The HA-SKU provides the capability of the maximum number of APs supported on that hardware
• From 7.6 you can add licenses to the HA-SKU and use it as Active controller

Figure: a Primary Controller WiSM-2 (License Count: 500, APs connected: 400) and a Primary Controller 2504 (License Count: 50, APs connected: 25), each backed by an AIR-CT5508-HA-K9 Secondary Controller (max AP support: 500 APs); no licenses are needed on the secondary.

Page 12: Cisco on premise wireless update


Centralized Mode: Stateful Switchover

Page 13: Cisco on premise wireless update


Stateful Switchover (SSO)

• True box-to-box High Availability, i.e. 1:1
  – One WLC in Active state and the second WLC in Hot Standby state
  – Secondary continuously monitors the health of the Active WLC via a dedicated link
• Configuration on Active is synched to the Standby WLC
  – This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
  – AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP (AP SSO)
  – Active client state in 7.6 and 8.0: clients will not disconnect (Client SSO)
• Downtime during failover reduced to 5 - 1000 msec depending on the failover
  – In the case of power failure on the Active WLC it may take 350-500 msec
  – In case of network failover it can take up to a few seconds
• SSO is supported on 5500 / 7500 / 8500 and WiSM-2 WLC

For more info: http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/High_Availability_DG.html

Page 14: Cisco on premise wireless update

Client SSO Failover Sequence

Figure: Active and Standby WLCs behind a switch, with the redundancy link established over the dedicated Redundancy Port. AP Join and Client Associate happen on the Active, and AP and client info are synched to the Standby. On keep-alive failure the peer is notified, redundancy role negotiation takes place and the new Active sends a GARP. The AP session stays intact (CAPWAP does not re-establish) and the client session stays intact (the client does not re-associate). Effective downtime for the client is detection time + switchover time.

Page 15: Cisco on premise wireless update

Stateful Switchover (SSO)

• Redundancy Management Interface (RMI)
  – To check gateway reachability, sending ICMP packets every 1 sec
  – To verify peer reachability via the network once the Active does not respond to keepalives on the Redundancy Port
  – Notification to standby in the event of box failure or manual reset
  – Communication with Syslog, NTP, TFTP server for uploading configurations
  – Should be in the same subnet as the Management Interface

Redundancy Management Interface

Page 16: Cisco on premise wireless update


Stateful Switchover (SSO)

• Redundancy Port (RP):

– To check peer reachability sending udp keep alive messages every 100 msec

– Notification to standby in event of box failure

– Configuration synch from Active to Standby (Bulk and Incremental Config)

– Auto generated IP Address where last 2 octets are picked from the last 2 octets of Redundancy Management Interface (First 2 octets are always 169.254)

– If NTP is not configured manual time synch is done from Active to Standby

Redundancy Port


Page 17: Cisco on premise wireless update


Stateful Switchover (SSO)

• Before configuring HA, Management interfaces on both WLCs must be on the same subnet

• Mandatory Configuration for HA setup:

– Redundant Management IP Address

– Peer Redundant Management IP Address

– Redundancy Mode set to SSO enable (7.3 and 7.4 would show AP SSO)

– Primary/Secondary Configuration – Required if peer WLC’s UDI is not HA SKU

– The Primary HA must have valid AP licenses

– A unit can be secondary if it has at least 50 AP permanent licenses

Configuration

Optional Configuration:
• Service Port Peer IP
• Mobility MAC Address
• Keep Alive and Peer Search Timer
All can be configured on the same page

Page 18: Cisco on premise wireless update


Stateful Switchover (SSO)

• Pairing is possible only between same type of hardware and software version.

• Reboot of WLC is required after HA is enabled. Pairing happens when WLC is booting.

• WLC looks for peer (120 sec), the role is determined, configuration is synched from the Active WLC to the Standby WLC via the Redundant Port.

• Initially, the WLC configured as Secondary will report XML mismatch and will download the configuration from Active and reboot again

HA Pairing

Page 19: Cisco on premise wireless update


Stateful Switchover (SSO)

• During the second reboot, after role determination, Secondary WLC will validate the configuration again, report no XML mismatch, and process further in order to establish itself as the Standby WLC

HA Pairing

Page 20: Cisco on premise wireless update


Stateful Switchover (SSO)

• While config is synching from Active to Standby WLC or Standby WLC is booting no config operation is possible on Active WLC.

• Active and Standby election is not an automated process:
  – Active/Standby WLC is decided based on HA SKU. The HA SKU is always the Standby
  – If no HA SKU is present, Active/Standby is configurable

• No configuration is possible on the Standby WLC once paired

HA Pairing
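The prerequisites from the RMI, Redundancy Port, Configuration and HA Pairing slides (same hardware and software, management interfaces on one subnet, RMI in that subnet, the auto-generated 169.254.x.y Redundancy Port address, HA-SKU always Standby, license requirements for Primary and Secondary) collected into one pre-check routine. This is an added example, not Cisco code; the two controllers in `demo()` are constructed.

```python
"""Pre-checks for a WLC SSO pair based on the RMI, Redundancy Port and HA
pairing slides. Added illustration, not Cisco code; the two controllers in
demo() are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Wlc:
    name: str
    model: str                 # e.g. "5508"
    software: str              # e.g. "7.6.120.0"
    mgmt_ip: str               # management interface, with prefix length
    rmi_ip: str                # redundancy management interface address
    ha_sku: bool               # AIR-CT5508-HA-K9 style unit (zero AP-count license)
    permanent_ap_licenses: int
    rp_up: bool = True         # redundancy port physically connected


def redundancy_port_ip(rmi_ip):
    """RP address is auto-generated: first two octets are always 169.254, the
    last two are copied from the Redundancy Management Interface address."""
    octets = str(ipaddress.IPv4Address(rmi_ip)).split(".")
    return f"169.254.{octets[2]}.{octets[3]}"


def elect_roles(a, b, configured_secondary=None):
    """Role election is not automatic: an HA-SKU unit is always the Standby;
    with no HA-SKU present the administrator configures Primary/Secondary."""
    if a.ha_sku != b.ha_sku:
        standby = a if a.ha_sku else b
        active = b if a.ha_sku else a
        return {active.name: "active", standby.name: "standby"}
    if configured_secondary in (a.name, b.name):
        active = b if configured_secondary == a.name else a
        return {active.name: "active", configured_secondary: "standby"}
    return {a.name: "unassigned", b.name: "unassigned"}


def check_pair(a, b, configured_secondary=None):
    """Return the list of prerequisite violations (empty list = pair is viable)."""
    problems = []
    if a.model != b.model:
        problems.append("hardware mismatch")
    if a.software != b.software:
        problems.append("software mismatch")
    net_a = ipaddress.ip_interface(a.mgmt_ip).network
    net_b = ipaddress.ip_interface(b.mgmt_ip).network
    if net_a != net_b:
        problems.append("management interfaces not on the same subnet")
    for w in (a, b):
        if ipaddress.ip_address(w.rmi_ip) not in net_a:
            problems.append(f"{w.name}: RMI not in the management subnet")
        if not w.rp_up:
            problems.append(f"{w.name}: redundancy port down")
    roles = elect_roles(a, b, configured_secondary)
    for w in (a, b):
        role = roles[w.name]
        if role == "active" and w.permanent_ap_licenses == 0:
            problems.append(f"{w.name}: Primary HA unit must have valid AP licenses")
        if role == "standby" and not w.ha_sku and w.permanent_ap_licenses < 50:
            problems.append(f"{w.name}: non-HA-SKU secondary needs at least 50 permanent AP licenses")
        if role == "unassigned":
            problems.append(f"{w.name}: roles undetermined, configure Primary/Secondary")
    return problems


def demo():
    """Constructed pair: a licensed 5508 and an HA-SKU 5508 on the same subnet."""
    active = Wlc("wlc-1", "5508", "7.6.120.0", "10.10.10.5/24", "10.10.10.6", False, 500)
    standby = Wlc("wlc-2", "5508", "7.6.120.0", "10.10.10.5/24", "10.10.10.7", True, 0)
    return {
        "problems": check_pair(active, standby),
        "roles": elect_roles(active, standby),
        "rp_ips": {w.name: redundancy_port_ip(w.rmi_ip) for w in (active, standby)},
    }
```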

Page 21: Cisco on premise wireless update

Stateful Switchover (SSO): Configuration Validation

Main command is “show redundancy summary”

Page 22: Cisco on premise wireless update

Stateful Switchover (SSO)

Only Console and Service Port are available to connect to the Standby WLC

TFTP, NTP and Syslog traffic use the Redundancy Management Interface on the Standby WLC

Telnet / SSH / SNMP / Web access is not available on the Management and Dynamic interfaces of the Standby WLC

When SSO is enabled, there is no SNMP/GUI access on the service port for both the WLCs in the HA setup

Connectivity to the boxes

Page 23: Cisco on premise wireless update

Stateful Switchover (SSO)

• Standby WLC may transition to Maintenance Mode if
  – Gateway not reachable via the Redundancy Management Interface
  – Software mismatch
  – A WLC with HA SKU has never discovered its peer
  – Redundancy Port is down
• In Maintenance Mode the same rules for connecting to the standby box apply
• The WLC should be rebooted to bring it out of Maintenance Mode
  – From 7.6 it will recover automatically after the network converges again

Maintenance Mode

Page 24: Cisco on premise wireless update

Stateful Switchover (SSO): Design & Deployment Considerations

How shall I connect the HA Controllers?

• 5500/7500/8500 have dedicated Redundancy Ports
  – Direct connection supported in 7.3 and 7.4
  – L2 connection supported in 7.6 and above
• WiSM-2 has a dedicated Redundancy VLAN
  – The Redundancy VLAN should be a non-routable VLAN, meaning a Layer 3 interface should not be created for this VLAN
  – WiSM-2 can be deployed in a single chassis OR multiple chassis
  – WiSM-2 in multiple chassis needs to use VSS (7.3, 7.4)
  – WiSM-2 in multiple chassis can be L2 connected in 7.5 and above
• Requirements for L2 connection: RTT latency < 80 ms; bandwidth > 60 Mbps; MTU 1500

Figure: Active Controller (RP 1) and Hot Stand-by Controller (RP 2) connected over an L2 network (7.5).

Page 25: Cisco on premise wireless update


Stateful Switchover (SSO)

• HA Pairing is possible only between the same type of hardware and software versions

• Physical connection between Redundant Ports should be done first before HA configuration

• Keepalive and Peer Discovery timers should be left at default values for better performance

• Internal DHCP is not supported when HA configuration is enabled

• Location, Rogue information, Device and root certificates are not auto synched

• When HA is disabled on Active it will be pushed to Standby and after reboot all the ports will come up on Active and will be disabled on Standby

• SSO and MESH APs: only RAP are supported from 7.5, for MAPs the state is not synched

• In Service Software upgrades are not supported (ISSU): plan for down time when upgrading software

Design & Deployment considerations

Page 26: Cisco on premise wireless update

Stateful Switchover (SSO)

• ONLY clients in RUN state are maintained during failover
  – Transient list is deleted
  – Clients in transitions like roaming, dot1x key regeneration, webauth logout, etc. are disassociated
  – Posture and NAC OOB are not supported, since the client is not in RUN state
• Some clients and related information are not synced between Active and Standby
  – CCX based apps need to be re-started post switch-over
  – Client statistics are not synced
  – PMIPv6, NBAR, SIP static CAC tree are not synced and need to be re-learned after SSO
  – WGB and clients associated to it are not synced
  – Passive clients are not synced

Design & Deployment considerations specific to 7.6 (client SSO)

Page 27: Cisco on premise wireless update


Stateful Switchover (SSO)

Hybrid Design: SSO HA can work together with N+1 failover

SSO pair can act as the Primary Controller and be deployed with Secondary and Tertiary

On failure of both Active and Standby WLC in SSO setup, APs will fall back to secondary and further to configured tertiary controller

Useful to reduce downtime for SSO pair software upgrade

Design: Integration with N+1 deployments

Page 28: Cisco on premise wireless update

Stateful Switchover (SSO)

• HA Pair with HA-SKU License on one WLC:
  – HA-SKU is a new SKU with Zero AP Count License

– The device with HA-SKU becomes Standby first time it pairs up

– AP-count license info will be pushed from Active to Standby

– On event of Active failure HA-SKU will let APs join with AP-count obtained and will start 90-day count-down. The granularity of the same is in days.

– After 90-days, HA-SKU WLC starts nagging messages but won’t disconnect connected APs

– When the HA SKU pairs with a new WLC, the Standby gets the AP count at pairing time:

• If new WLC has higher AP count than previous, 90 days counter is reset.

• If new WLC has lower AP count than previous, 90 days counter is not reset.

• Elapsed time and AP-count are remembered on reboot
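The HA-SKU licensing rules on this slide (AP count pushed at pairing, 90-day countdown on Active failure, reset only for a higher AP count, state kept across reboot, nagging but no AP disconnect after expiry) as a small state machine. This is an added example, not Cisco code; the AP counts and day values are constructed, and it assumes the countdown pauses while the HA-SKU is paired again, which the slide does not state.

```python
"""State machine for the HA-SKU AP-count license and its 90-day countdown.
Added illustration, not Cisco code; the AP counts and day values in demo()
are constructed. Assumption: pairing with a new Active pauses the countdown;
the slide only states when the counter is or is not reset."""
from dataclasses import dataclass

GRACE_DAYS = 90


@dataclass
class HaSkuLicense:
    ap_count: int = 0        # AP-count pushed from the Active at pairing
    elapsed_days: int = 0    # countdown progress (granularity: days)
    counting: bool = False   # True while the HA-SKU is serving APs on its own

    def pair_with_active(self, active_ap_count):
        """At pairing the Standby receives the Active's AP count. A higher count
        than the previous one resets the 90-day counter; a lower one does not."""
        if active_ap_count > self.ap_count:
            self.elapsed_days = 0
        self.ap_count = active_ap_count
        self.counting = False        # assumption: countdown pauses while paired

    def active_failed(self):
        """The Active is lost: APs join the HA-SKU with the obtained AP count
        and the 90-day countdown starts (or resumes)."""
        self.counting = True

    def advance_days(self, days):
        if self.counting:
            self.elapsed_days += days

    def reboot(self):
        """Elapsed time and AP count are remembered across a reboot."""
        return HaSkuLicense(self.ap_count, self.elapsed_days, self.counting)

    def status(self):
        expired = self.elapsed_days >= GRACE_DAYS
        return {
            "ap_count": self.ap_count,
            "days_left": max(0, GRACE_DAYS - self.elapsed_days),
            "nagging": self.counting and expired,   # messages start after 90 days
            "aps_disconnected": False,              # never: connected APs are kept
        }


def demo():
    """Walk the license through pairing, failover, reboot and re-pairing."""
    lic = HaSkuLicense()
    trace = []
    lic.pair_with_active(500)
    lic.active_failed()
    lic.advance_days(40)
    lic = lic.reboot()
    trace.append(lic.status())               # 500 APs, 50 days left
    lic.pair_with_active(300)                # lower count: counter not reset
    trace.append(lic.status())               # 300 APs, still 50 days left
    lic.pair_with_active(600)                # higher count: counter reset
    trace.append(lic.status())               # 600 APs, 90 days left
    lic.active_failed()
    lic.advance_days(100)
    trace.append(lic.status())               # expired: nagging, APs kept
    return trace
```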

Licensing

Page 29: Cisco on premise wireless update

Stateful Switchover (SSO) Phases

Phase 1: AP SSO (7.3)
• Active – Standby 1:1 Redundancy
• Both WLCs share the IP address of the management interface
• Bulk and incremental config sync
• APs do not go into Discovery state when the Active WLC fails
• Supported on 5500 / 7500 / 8500 and WiSM-2 WLC
• Downtime 5 - 1000 msec in case of box failover, ~3 seconds in case of network issues

Phase 2: Client SSO (7.5)
• Active – Standby can be geographically separated over L2 VLAN/Fiber
• Client database is synced to the Standby
  – Client information is synced when the client moves to RUN state
  – Client re-association is avoided on switch over
• Fully authenticated clients (RUN state) are synced to the peer
• Effective service downtime = Detection time + Switch Over Time (network recovery/convergence)

Phase 3: Improvements (8.0)
• Auto-recovery from maintenance mode once Peer-RP and default gateway reachability is restored
• SSO support for Internal DHCP Server
• SSO support for sleeping clients
• SSO support for OEAP 600
• CAC method bandwidth allocation parameters for both voice & video and call statistics synced to the Standby
• GW reachability check mechanism enhanced to avoid false positives
• Peer RMI ICMP ping replaced with UDP messages
• Faster HA pair-up

Page 30: Cisco on premise wireless update

Cisco's Application Visibility and Control: Identify, Analyze, and Optimize Application Traffic

BEFORE: application view and control based on L4 firewall sessions (first generation firewall). Visibility to the port level interaction but not the applications running within the port, e.g. HTTP = 75%, SMTP = 15%, SNMP = 3%, FTP = 2%, Telnet = 1%.

AFTER: Network Based Application Recognition (NBAR2) deep packet inspection and application ID on the Wireless LAN Controller. The NBAR2 library classifies traffic (real time, interactive, non-real time, background) and policy marks or drops packets; Cisco WLAN AVC and Prime Assurance provide visibility, control and troubleshooting of the end user application experience.

Page 31: Cisco on premise wireless update

AVC Phases

AVC 7.4 (Phase 1)
• Application classification and control of 1039 applications with the NBAR2 engine
• Support for 16 AVC profiles with 32 rules per profile
• One AVC profile supported per WLAN; the same profile can be used on multiple WLANs
• The AVC profile mapped to a WLAN has a rule for MARK or DROP action
• Graphical presentation on the controller of all classified applications
• One NetFlow exporter and monitor can be configured on the WLC
• AVC NetFlow monitoring on PI with PAM license

AVC 7.5 (Phase 2)
• Protocol Pack 4.1 support in AVC phase 2
• Additional application support – total of 1056
• Protocol Pack dynamic load to update application support

AVC 8.0 (Phase 3)
• Protocol Pack 9.0
• NBAR Engine rel 3.1
• AAA AVC Profile override for clients
• AVC per application, per client based rate limiting on WLAN
• Integration of AVC profiles into the Local Policy classification per user and per device
• AVC directional QoS DSCP marking for upstream and downstream traffic
• Support for 1088 applications

Page 32: Cisco on premise wireless update

AAA AVC Profile Override for Clients

In release 8.0, AAA AVC profile override per client allows clients to obtain different AVC profiles even though they are connected to the same WLAN.

The AAA attribute for a client or for a user profile can be configured on AAA servers, e.g. Open Radius/Cisco ACS/ISE.

The AAA attribute is defined as a generic Cisco "AV-Pair" and can be defined as a string and value pair in AAA.

The AAA AVC Profile is defined as a Cisco AV Pair. The string is defined as "avc-profile-name", and its value has to match an AVC profile existing on the WLC.

Prior to rel 8.0 AVC Profile is configured on a WLAN and all clients connected to that WLAN would inherit the same AVC profile.

Page 33: Cisco on premise wireless update

Figure: Teacher and Student clients on the same SSID (SSID: Classroom, Security: WPA2/802.1x) through the same AP, switch and WLC. The AAA server (PI/AAA) returns Cisco-av-pair=role=<role name> and Cisco-av-pair=avc-profile-name=<avc profile on wlc>, so applications such as YouTube, Skype, Facebook and bittorrent are treated differently for the Teacher and the Student.

The AAA profile enables different users/clients to obtain different mDNS/AVC profiles even though they are connected to the same SSID, which is tied to the same VLAN.

Page 34: Cisco on premise wireless update

If you have several traffic types to target: use Application Visibility and Control

• Internal application recognition engine based on NBAR
• More than 1000 applications recognized, including Netflix, Skype, Lync audio, Lync video, viber, ventrilo, etc.

Page 35: Cisco on premise wireless update


Application Visibility and Control

• With AVC, you can create rules to mark untagged applications (but also to permit or deny some application traffic!):

1. Create a new policy

2. Add rules, including what application to recognize, and what to do with it:

• Marking application will help prioritization between AP and WLC, and from AP to the cell

Wireless > AVC > AVC Profiles > New


Page 36: Cisco on premise wireless update


Application Visibility and Control

3. Apply your policy to the WLAN:

4. Watch your traffic:


Page 37: Cisco on premise wireless update

AVC configuration for AAA override: Example – Teacher, Student

Page 38: Cisco on premise wireless update


(WLC) >show client detail 18:20:32:bd:52:b7

Client MAC Address............................... 18:20:32:bd:52:b7

Client Username ................................. student1

Client State..................................... Associated

Client User Group................................ student

Client NAC OOB State............................. Access

Wireless LAN Id.................................. 2

Wireless LAN Network Name (SSID)................. ClassroomAVC

Wireless LAN Profile Name........................ ClassroomAVC

Policy Manager State............................. RUN

Policy Manager Rule Created...................... Yes

Audit Session ID................................. 0a0a0a0500000061533434e9

AAA Role Type.................................... student

Local Policy Applied............................. None

AVC Profile Name: ............................... student-AVC

CLI: AVC client configuration (show client detail)
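A way to check the output above at scale: parse the dotted `show client detail` rows and confirm that the AAA-returned role received the AVC profile it should. This is an added example, not Cisco code; the sample output is the slide's (role student, profile student-AVC), while the expected teacher profile name "teacher-AVC" is an assumption.

```python
"""Parse `show client detail` output and verify that the AAA-returned role
got the AVC profile it should. Added illustration, not Cisco code; the sample
output is taken from the slide, the "teacher-AVC" profile name is assumed."""
import re

SAMPLE_SHOW_CLIENT_DETAIL = """\
Client MAC Address............................... 18:20:32:bd:52:b7
Client Username ................................. student1
Client State..................................... Associated
Client User Group................................ student
Wireless LAN Id.................................. 2
Wireless LAN Network Name (SSID)................. ClassroomAVC
Wireless LAN Profile Name........................ ClassroomAVC
Policy Manager State............................. RUN
AAA Role Type.................................... student
Local Policy Applied............................. None
AVC Profile Name: ............................... student-AVC
"""

# "Key...... value" rows; the key may carry a trailing colon or space before the dots
FIELD_RE = re.compile(r"^(?P<key>.+?)[:\s]*\.{2,}\s*(?P<value>.*)$")

EXPECTED_PROFILE_BY_ROLE = {"student": "student-AVC", "teacher": "teacher-AVC"}


def parse_show_client_detail(text):
    """Turn the dotted key/value rows into a dict; unrelated lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def audit_client(fields, expected=EXPECTED_PROFILE_BY_ROLE):
    """Return findings for one client; an empty list means the override applied."""
    findings = []
    role = fields.get("AAA Role Type")
    profile = fields.get("AVC Profile Name")
    if fields.get("Policy Manager State") != "RUN":
        findings.append("client not in RUN state, policy may not be applied yet")
    if role not in expected:
        findings.append(f"unexpected AAA role {role!r}")
    elif profile != expected[role]:
        findings.append(f"role {role}: expected AVC profile {expected[role]}, got {profile}")
    return findings


def demo():
    """Audit the slide's client: returns its MAC and the list of findings."""
    fields = parse_show_client_detail(SAMPLE_SHOW_CLIENT_DETAIL)
    return fields["Client MAC Address"], audit_client(fields)
```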

Page 39: Cisco on premise wireless update


AVC Profile Applied on the WLAN

(WLC-IPv6) >show avc profile detailed <Profile Name>

Page 40: Cisco on premise wireless update

Granular Policy for AVC – Use Cases: User and Device Specific Application Policies

ROLE BASED APPLICATION POLICY
• Alice (Nurse) and Bob (IT Admin) are both employees in a hospital
• Both Alice and Bob are connected to the same SSID
• Bob can access certain applications (e.g. YouTube), Alice cannot

ROLE BASED + DEVICE TYPE APPLICATION POLICY
• Alice can access EMR info on an IT provisioned Windows laptop
• Alice cannot access EMR info on her personal iPad

ROLE BASED + DEVICE TYPE + APPLICATION SPECIFIC POLICY
• Alice has limited access (rate limit) to Skype on her iPhone and limited download (directional) for Bittorrent

Page 41: Cisco on premise wireless update

Client Profiling

• ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
• For customers who do not deploy ISE but still require some of the ISE features directly in the WLC:
  – Native profiling to identify network end devices based on protocols like HTTP and DHCP
  – Device-based policy enforcement per user or per device on the network
  – Statistics based on per user or per device end points and policies applicable per device

Page 42: Cisco on premise wireless update

Client Profiling

• WLC-based local policy consists of 2 separate elements
  – Profiling can be based on:
    • Role – defining the user type or the user group the user belongs to
    • Device type – e.g. Windows, OS_X, iPad, iPhone, Android, etc.
    • EAP Type – check what EAP method the client is using to connect
  – Action is the policy that can be enforced after profiling:
    • VLAN – override the WLAN interface with a VLAN id on the WLC
    • QoS level – override WLAN QoS
    • ACL – override with a named ACL
    • Session timeout – override the WLAN session timeout value
    • Time of day – policy override based on the time of the day, else default to WLAN
    • AVC and mDNS Policy

Page 43: Cisco on premise wireless update

Client Profiles

• When profiling is enabled, a client Device Type can be shown on the WLAN.

(Cisco Controller) >show client summary devicetype

Number of Clients................................ 3

MAC Address        AP Name           Status        Device Type
-----------------  ----------------  ------------- --------------------------------
14:10:9f:ea:b8:c2  AP3600MM          Associated    OS_X-Workstation
c8:d7:19:34:7e:dd  AP3600MM          Associated    Windows7-Workstation
d8:d1:cb:9a:28:f8  AP3600MM          Associated    Apple-iPhone

Page 44: Cisco on premise wireless update

Security Local Policies

Match – How to Identify a Device
• Role
• EAP Type
• Device Type

Action – Policy to Enforce
• VLAN
• QoS
• Session Timeout
• Sleeping Client Timeout
• Time of Day

Page 45: Cisco on premise wireless update

Bandwidth Control – per Device Type

• You can also identify connecting devices, from the WLC or through Cisco ISE, and create a policy based on what they are:

Figure: local policy form with "How to identify that device" (close to 100 device types on the WLC) and "What policy to apply".

Page 46: Cisco on premise wireless update


AVC profile and Local Policy configuration

Page 47: Cisco on premise wireless update

Configuring Policies

• You can then apply the policies to the WLANs, in the order you want them to be applied, up to 16 policies per WLAN: set the index, pick the policy, then click Add
• Each policy can group several devices

Page 48: Cisco on premise wireless update

Figure: an Apple TV on VLAN X advertises to 224.0.0.251; a client on VLAN Y behind the CAPWAP tunnel cannot see it, because Bonjour is link-local multicast and can't be routed.

Deployment Challenges

• Bonjour is link local multicast

• AirPlay (Apple TV) and AirPrint supported only on a single VLAN

Page 49: Cisco on premise wireless update

Bonjour GW on WLC, Step 1 – Listen for Bonjour Services

Figure: an Apple TV on VLAN 20 and an AirPrint printer on VLAN 23 send Bonjour advertisements ("AirPlay offered", "AirPrint offered"); the WLC receives them, while an iPad sits on VLAN 99 behind the CAPWAP tunnel.

Page 50: Cisco on premise wireless update

Bonjour GW on WLC, Step 2 – Cache Bonjour Services on Controller

Figure: the WLC builds a Bonjour cache from the advertisements: AirPlay – VLAN 20, AirPrint – VLAN 23.

Page 51: Cisco on premise wireless update

Bonjour GW on WLC, Step 3 – Listen for Client Service Queries for Services

Figure: the iPad on VLAN 99 sends a Bonjour query ("Is AirPlay offered?") through the CAPWAP tunnel; the WLC checks its cache (AirPlay – VLAN 20, AirPrint – VLAN 23).

Page 52: Cisco on premise wireless update

Bonjour GW on WLC, Step 4 – Respond to Client Queries for Bonjour Services

Figure: the WLC answers the iPad's query from its cache with a Bonjour response: "AirPlay is available on VLAN 20".

Page 53: Cisco on premise wireless update

Deployment Changes with Bonjour Services Phase 2

• Bonjour is link-local multicast and thus forwarded only in the local L2 domain
• The mDNS AP snoops Bonjour services behind the router, or on VLANs that are not L2 adjacent, and forwards them to the WLC in the CAPWAP tunnel

Figure: with the mDNS-AP, Bonjour services (Apple TV on VLAN X, Apple services on VLAN Y) can be seen from any VLAN; the mDNS AP relays the 224.0.0.251 advertisements to the WLC over its CAPWAP tunnel.

Page 54: Cisco on premise wireless update


Bonjour Policy Example for Education

[Diagram: a Teacher Network and a Student Network on the same WLAN. mDNS service instance groups: a Teacher Service Profile and a Student Service Profile, each selecting from the service types AirPrint, AirPlay, FileShare and iTunesSharing. Teacher Service Instance List: Apple TV1, Apple TV2, AirPrint. Student Service Instance List: Apple TV1.]

Page 55: Cisco on premise wireless update


Bonjour Policy enhancements in 8.0

Location and Role filtering in release 8.0

Bonjour Policies allow creation of mDNS Service Groups and of Service Instances within a Group.

A Service Instance defines how the instance is shared by configuring:
o MAC address of the Service Instance
o Name of the Service Instance
o Location type of the Service Instance: by AP Group, AP Name or AP Location
o Location configuration, which controls from which client location the Service Instance may be accessed

Location configuration applies to wired and wireless instances of all services and printers, as Any, Same or a single AP Name.

This allows selective sharing of service instances based on location and on rule (user-id and role) on the same WLAN.

Page 56: Cisco on premise wireless update


Bonjour Policy enhancements in 8.0

• A Service Instance (identified by its MAC address) can be configured in multiple service groups; currently a maximum of 5 service groups per MAC address is supported.

• Service group configuration can be done even when mDNS snooping is disabled.

• The number of Service Instances per Service Group is limited by the platform (e.g. 6400 on the 5508).

Location filtering of a Service Instance can be limited by the following attributes:

• "any" – clients from any location can access the service, subject to the role and user-id credentials being allowed by the policy associated with the service group for that MAC address.

• "same" – only clients at the same location as the device publishing the Service Instance can access the service.

• "ap-name" – only clients associated to that AP can access the Service Instance.

Page 57: Cisco on premise wireless update


Bonjour Policy enhancements in 8.0

Allows specifying with whom a service instance is shared, i.e. by user-id, and with which role(s), i.e. teacher or student.

With Bonjour access policy there are now two levels of filtering of client queries:

1. At the service type level, using the mDNS profile. The mDNS profile can be user specific: an ISE "av-pair" returned to the WLC overrides the default profile.

2. At the Service Instance level, using the access policy associated with each Service Instance.

Note: Service Instances that are not configured with any access policy are mapped to the default access policy, which allows the configured <roles/names> to receive those Service Instances.

Page 58: Cisco on premise wireless update


1. Enable mDNS policy on the controller from GUI or CLI

Bonjour Policy Configuration

Page 59: Cisco on premise wireless update


2. Create mDNS Service Group

Bonjour Policy Configuration

Page 60: Cisco on premise wireless update


3. Configure Service Instances in the mDNS group, and role

Bonjour Policy Configuration
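The three configuration steps above end with service instances bound to a group and a role, but the slides only show the screens, not how a query is evaluated afterwards. The Python model below is an added example, not Cisco code or the WLC's implementation. It applies the two-level filtering from the 8.0 enhancement slides: level 1 checks the service type against the mDNS profile (with a per-user ISE AV-pair override), level 2 checks each service instance against its bound access policies (location any / same / ap-name plus role or user-id), falling back to the default policy for instances with none, and it enforces the stated limit of 5 service groups per MAC. The AP names, MAC addresses (IANA documentation range), user names and the teacher/student bindings are assumptions modelled on the education example.

```python
"""Model of the two-level mDNS query filtering introduced with Bonjour policies in
WLC 8.0: (1) service type via the mDNS profile, optionally overridden per user by
an ISE AV-pair, then (2) per-service-instance access policy (location + role/user-id),
with a default policy for instances that have none.  Added example, not Cisco code;
the AP names, MAC addresses and the teacher/student bindings are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

MAX_GROUPS_PER_MAC = 5          # limit stated for a single MAC address
LOCATION_TYPES = ("any", "same", "ap-name")


@dataclass(frozen=True)
class ServiceInstance:
    mac: str
    name: str
    service_type: str
    ap_name: str                # AP the publishing device is heard on (configured for wired devices)


@dataclass(frozen=True)
class Client:
    user_id: str
    role: str
    ap_name: str
    ise_profile: Optional[FrozenSet[str]] = None   # mDNS profile returned by ISE as an AV-pair


@dataclass(frozen=True)
class AccessPolicy:
    location: str = "any"
    ap_name: Optional[str] = None          # only meaningful with location == "ap-name"
    roles: FrozenSet[str] = frozenset()
    user_ids: FrozenSet[str] = frozenset()

    def permits(self, client: Client, inst: ServiceInstance) -> bool:
        if self.location not in LOCATION_TYPES:
            raise ValueError(f"unknown location type {self.location!r}")
        if self.location == "same" and client.ap_name != inst.ap_name:
            return False
        if self.location == "ap-name" and client.ap_name != self.ap_name:
            return False
        # location passed (or "any"): the credentials still have to match
        return client.role in self.roles or client.user_id in self.user_ids


class BonjourPolicyEngine:
    def __init__(self, default_profile, default_policy: AccessPolicy):
        self.default_profile = frozenset(default_profile)   # service types allowed by default
        self.default_policy = default_policy
        self.instances: List[ServiceInstance] = []
        self.policies: Dict[str, List[AccessPolicy]] = {}   # MAC -> one policy per service group

    def add_instance(self, inst: ServiceInstance) -> None:
        self.instances.append(inst)

    def bind_policy(self, mac: str, policy: AccessPolicy) -> None:
        bound = self.policies.setdefault(mac, [])
        if len(bound) >= MAX_GROUPS_PER_MAC:
            raise ValueError(f"{mac}: at most {MAX_GROUPS_PER_MAC} service groups per MAC")
        bound.append(policy)

    def allowed_types(self, client: Client) -> FrozenSet[str]:
        """Level 1: the mDNS profile; a per-user ISE override replaces the default."""
        return client.ise_profile if client.ise_profile is not None else self.default_profile

    def instance_visible(self, client: Client, inst: ServiceInstance) -> bool:
        """Level 2: any bound policy may grant; unbound instances use the default policy."""
        policies = self.policies.get(inst.mac) or [self.default_policy]
        return any(p.permits(client, inst) for p in policies)

    def query(self, client: Client, service_type: str) -> List[str]:
        """Instance names the controller would return for this client's query."""
        if service_type not in self.allowed_types(client):
            return []
        return sorted(i.name for i in self.instances
                      if i.service_type == service_type and self.instance_visible(client, i))


def build_example_engine() -> BonjourPolicyEngine:
    """Assumed education setup: both roles on one WLAN, sharing differs per instance."""
    eng = BonjourPolicyEngine(
        default_profile={"_airplay._tcp.local", "_ipp._tcp.local"},
        default_policy=AccessPolicy("any", roles=frozenset({"teacher", "student"})),
    )
    eng.add_instance(ServiceInstance("00:00:5e:00:53:01", "Apple TV1", "_airplay._tcp.local", "AP-Room20"))
    eng.add_instance(ServiceInstance("00:00:5e:00:53:02", "Apple TV2", "_airplay._tcp.local", "AP-Room21"))
    eng.add_instance(ServiceInstance("00:00:5e:00:53:03", "Lab Printer", "_ipp._tcp.local", "AP-Lab"))
    # Apple TV1 has no explicit policy -> default policy (any location, teacher or student)
    eng.bind_policy("00:00:5e:00:53:02", AccessPolicy("same", roles=frozenset({"teacher"})))
    eng.bind_policy("00:00:5e:00:53:03", AccessPolicy("ap-name", ap_name="AP-Lab",
                                                      roles=frozenset({"teacher"}),
                                                      user_ids=frozenset({"lab-tech"})))
    return eng


if __name__ == "__main__":
    eng = build_example_engine()
    teacher = Client("ms.lopez", "teacher", "AP-Room21")
    student = Client("s1234", "student", "AP-Room21", ise_profile=frozenset({"_airplay._tcp.local"}))
    print("teacher, AirPlay:", eng.query(teacher, "_airplay._tcp.local"))
    print("student, AirPlay:", eng.query(student, "_airplay._tcp.local"))
    print("student, AirPrint:", eng.query(student, "_ipp._tcp.local"))
```

Two points the model makes visible: the level 1 profile is evaluated before any instance policy, so a type excluded by the ISE override is never enumerated no matter how permissive the instance policies are; and a "same"-location policy is tied to where the publishing device was heard, so moving the device (or a wired device with a stale configured location) silently changes who can see it.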

Page 61: Cisco on premise wireless update


Why High Density Wi-Fi?

• Wireless has become the preferred access technology -- and in many cases the only practical one

• The need for high density started with stadiums and auditoriums – but has reached every network

• The explosion of smart devices and increasing connection counts per seat are everywhere

• Application demands are increasing

• Even with advances - wireless is still a shared half-duplex medium and requires efficient use to succeed.

2 to 3 devices per user

Page 62: Cisco on premise wireless update


What are Some Typical Challenges?

• Interference from other WiFi networks in the venue

• Interference from non-WiFi systems operating in the same band

• Co-channel interference: Many APs in the venue, but effectively no more capacity

• Clients operating at low data rates (e.g. 802.11b) pull down the performance of the whole cell

• Clients mistakenly choose a 2.4 GHz radio (louder signal) instead of 5 GHz (less load)

• Sticky Clients: Clients mistakenly stay on the same AP, even when person has moved from one end of the venue to another

• Limitations on mounting assets. Hard to put APs where you want them

• Probe storms: 2.4 GHz clients probe on all 11 overlapping channels

Page 63: Cisco on premise wireless update


HD Wi-Fi -- Best Practices

Solid RF Design
• Constrain RF – directional antennas, down-tilt
• Good RF layout/design – channels, Tx power
• Eliminate interference – rogues and non-Wi-Fi interference

Basic Tuning
• Minimize SSIDs
• Disable low data rates – helps with sticky clients, improves capacity
• Band steering – push dual-band clients to 5 GHz

Advanced
• RF profiles
• Rx-SOP tuning – greatly improves capacity by reducing co-channel impact; also reduces sticky clients
• Optimized multicast video

Page 64: Cisco on premise wireless update


Cisco High Density Experience Technology – Optimized for high client density networks

CleanAir 80 MHz
Optimal performance for high throughput, high density environments. RF interference detection & mitigation optimized for 802.11ac's wider channel bandwidths.

ClientLink 3.0
Increase performance & range by up to 60%. Cisco patented implicit beamforming technology for 802.11ac clients, complementing explicit BF; also extends the capability to 802.11a/g/n clients.

Optimized Roaming
Intelligently assist client roaming based on configurable attributes. Right-size the Wi-Fi cell to better assist client handoff in a dense network.

RF Turbo Performance
Support highly dense clients without performance degradation. Scale seamlessly to 60+ 802.11ac clients using interactive video and multimedia traffic with no performance degradation.

RF Noise Reduction*
Enables higher density AP deployments to support client density and increased bandwidth. Increase spectrum usage efficiency to improve co-channel performance.

*Available post-FCS

Page 65: Cisco on premise wireless update


Indoor Access Point Comparison

Aironet Indoor Series              700                 1600                2700                3700
Wireless Standards                 802.11a/g/n         802.11a/g/n         802.11a/g/n/ac      802.11a/g/n/ac
Max Data Rate                      600 Mbps            600 Mbps            Over 1 Gbps         Over 1 Gbps
RF Design (MIMO:Spatial Streams)   2x2:2               3x3:2               3x4:3               4x4:3
Performance                        ●●                  ●●●                 ●●●●                ●●●●●
Max No. of Clients per AP          200                 256                 400                 400
RRM                                ✔                   ✔                   ✔                   ✔
CleanAir                           –                   CleanAir Express*   ✔                   ✔
High Density Experience            –                   –                   ✔                   ✔
ClientLink                         –                   ClientLink 2.0      ClientLink 3.0      ClientLink 3.0
Max No. of ClientLink Clients/AP   –                   64                  256                 256
BandSelect                         ✔                   ✔                   ✔                   ✔
VideoStream                        ✔                   ✔                   ✔                   ✔
Rogue AP Detection                 ✔                   ✔                   ✔                   ✔
Adaptive wIPS                      ✔                   ✔                   ✔                   ✔
External Antenna Option            –                   ✔                   ✔                   ✔
Other Benefits                     700w: 4 GigE ports, –                   –                   StadiumVision option;
                                   PoE out                                                     module options: Security,
                                                                                               3G Small Cell* or
                                                                                               Wave 2 802.11ac*

Page 66: Cisco on premise wireless update


AP-3700 Architecture

Page 67: Cisco on premise wireless update


Disable Mandatory Lower Data Rates

[Diagram: concentric coverage rings around an AP for the 24, 18, 12, 9 and 6 Mbps data rates, with a client at the outer edge.]

Without disabling lower data rates, the edge client: "I can hear beacons from the AP, so I can associate with it and reduce the overall performance."

Disabling lower data rates (24 Mbps as the lowest enabled rate), the same client: "I cannot hear beacons from the AP, so now I am forced to search for an AP with a stronger signal."

Cell size reduction increases efficiency and lowers duty cycle.

Page 68: Cisco on premise wireless update


Low RSSI Check

[Diagram: without the check, clients heard at -85 dBm and -86 dBm; with the check, a -80 dBm threshold and a client heard at -81 dBm.]

Without Low RSSI Check (client at -85 dBm / -86 dBm): "My Association Request will receive Association Response SUCCESS."

With Low RSSI Check set to -80 dBm (default) (client at -81 dBm): "My Association Request will receive Association Response REJECT – Poor Channel." Association Response SUCCESS is restricted to clients within cell range better than -80 dBm.

Page 69: Cisco on premise wireless update


RX-SOP – (Receive - Start of Packet) – What is it?

• Receiver Start of Packet Detection Threshold (RX-SOP) determines the Wi-Fi signal level in dBm at which an AP radio will demodulate and decode a packet.

• The higher the level, the less sensitive the radio is and the smaller the receiver cell size will be

• By reducing the cell size we can affect everything from the distribution of clients to our perception of channel utilization

• This is for High Density designs – and requires knowledge of the behavior you want to support

• A client needs to have someplace to go if you ignore it on the current cell

WARNING – This setting is a brick wall – if you set it above where your clients are being heard – they will no longer be heard. Really.

Page 70: Cisco on premise wireless update


RX-SOP – Why Use It?

• Reduce sensitivity to interference and noise – reduce Channel Utilization

• It sharpens the cell edge – we will hear what we intend to cover

• Caveats:
– You can significantly reduce coverage
– You can make it impossible for intended clients to associate or communicate with your AP

• This feature is to be used in conjunction with a known design, to solve specific problems, when you understand the coverage and usage of the network by its users

• RX-SOP is available at the global level as well as in RF profiles – strongly recommend applying it only through RF profiles, to solve specific problems with HDX

Page 71: Cisco on premise wireless update


RX-SOP configuration

• Settings High, Medium, Low, Auto

• Auto is default behavior, and leaves RX-SOP function linked to CCA threshold for automatic adjustment

• Most networks can support a LOW setting and see improvement

• This affects all packets seen at the receiver

Page 72: Cisco on premise wireless update


Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include:
– Your favorite speaker's Twitter handle <Speaker – enter your twitter handle here>
– Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner


Page 73: Cisco on premise wireless update


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online


Page 74: Cisco on premise wireless update


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

