Cisco Wireless LAN Controller Configuration Best Practices. Release: Cisco Wireless LAN Controller (WLC) Configuration Best Practices, Release 8. Network Design. The following sections list out the best practices for network design. Use Port. Fast on AP Connected Switch Ports. For APs in local mode, configure the switch port with Port. Fast. To configure Port. Fast, set the port to be connected as a “host” port (switchport host command) or directly with the portfast command. This allows a faster join process for an AP. There is no risk of loops, as the CAPWAP APs never bridges between VLANs. Headset is perfect to use while exercising or traveling; Connectivity technology: Wireless, Wireless operating distance: 500' Comes in black/silver color and features. Note: For AP's in local mode, the round- trip latency must not exceed 2. Interfaces Source (DHCP, SNMP, RADIUS, Multicast, and so on.)Per design, most of the CPU initiated traffic is sent from the management address in the controller, for example, SNMP traps, RADIUS authentication requests, multicast forwarding, and so on. You can also enable “radius interface overwrite” on each SSID, and then the radius for this WLAN will be sent from the dynamic interface. However, this creates design issues with Bring Your Own Device (BYOD) flow and Change of Authorization (Co. A). It is important to avoid configuring a dynamic interface in the same sub- network as a server, for example RADIUS server, that is reachable from the controller, as it might cause asymmetric routing issues. This should be used only when needed by the specific topologies. Recommended Switch. Port Modes and VLAN Pruning. Always configure the switchports in “access mode” for the APs in local mode. For the switchports in trunk mode, that go to the APs in Flex. Connect mode (that do local switching) and to the WLCs, always prune the VLANs to allow only those VLANS configured on the Flex. Connect AP and WLC. In addition, enter the switchport nonegotiate command on those trunks to disable Dynamic Trunking Protocol (DTP) on the switchport and to avoid the need for the AP/WLC to process frames that are not needed as they do not support DTP. Also, resources would be wasted on the switch, which would attempt to negotiate with a device that cannot support it. Network Connectivity. It is recommended to reload the controllers after you change these configuration settings. For untagged interface, the packet sent to and from the management interface assumes the Native VLAN of the trunk port to which the WLC is connected. However, if you want the management interface to be on a different VLAN, tag it to the appropriate VLAN with the command: (Cisco Controller) > config interface vlan management < vlan- id> Ensure that the corresponding VLAN is allowed on the switchport and tagged by the trunk (non- native VLAN). It might affect DHCP handling in the controller. Enterprise support at no additional cost. Cisco Meraki’s simple, all-inclusive pricing includes enterprise-class phone support. We will help you deploy your first. There are arguments for and against disabling low data rates, and it’s my hope, that after reading this blog, you will understand why disabling lower legacy data. Calculate the cost of Meraki's hardware, licenses, and accessories. If you are a teacher searching for educational material, please visit PBS LearningMedia for a wide range of free digital resources spanning preschool through 12th grade. To verify: (Cisco Controller) > show interface summary. Interface Name Port Vlan Id IP Address Type Ap Mgr- -- -- -- -- -- -- -- -- -- - - -- - - -- -- -- - - -- -- -- -- -- -- -- - -- -- -- - -- -- -ap- manager LAG 1. Static Yes example LAG 3. Dynamic No management LAG 1. Static No service- port N/A N/A 1. Static No –Do not use link aggregation (LAG) unless all ports of the controller have the same Layer 2 configuration on the switch side. For example, avoid filtering some VLANs in one port, and not the others.–While using LAG, the traffic must arrive on the same data plane. The controller relies on the switch for the load balancing decisions on traffic that come from the network. The controller expects that traffic that belongs to an AP to always enter on the same data plane. WISM2 and 8. 50. 0 are WLCs with two data planes. Whenever possible, the traffic needs to arrive on the same data plane. Generally, there is sufficient bandwidth to move frames between data planes. However, if there is limited bandwidth, the traffic may be dropped. To verify the Ether. Channel load balancing mechanism: Switch#show etherchannel load- balance. Ether. Channel Load- Balancing Configuration: src- dst- ip. Ether. Channel Load- Balancing Addresses Used Per- Protocol: Non- IP: Source XOR Destination MAC address. IPv. 4: Source XOR Destination IP address. IPv. 6: Source XOR Destination IP address. To change the switch configuration (IOS): Switch(config)#port- channel load- balance src- dst- ip With the Cisco IOS Software Release 1. SXH6 and above, there is an option for PFC3. C mode chassis to exclude VLAN in the Load- distribution. Use the port- channel load- balance src- dst- ip exclude vlan command to implement this feature. This feature ensures that traffic that belongs to an LAP enters on the same port.–LAG, while using VSS, stacked switch (3. Nexus VPC, should work as long as the fragments of an IP packet are sent to the same port. The idea is that if you go to multiple switches, the ports must belong to the same L2 “entity” with regard to load balancing decisions.–To connect the WLC to more than one switch, you must create an AP manager for each physical port and disable LAG. This provides redundancy and scalability.–Do not create a backup port for an AP- manager interface, even if it is allowed in older software versions. The redundancy is provided by the multiple AP- manager interfaces as mentioned earlier in this document. Use Multicast Forwarding Mode. Use multicast forwarding mode for the best performance with less bandwidth utilization. Networks with large IPV6 client counts, heavy multicast application, such as Video Streaming and Bonjour without m. DNS proxy, would benefit greatly with multicast mode. To verify the multicast mode on the controller: (Cisco Controller) > show network summary. RF- Network Name............... Enable. Secure Web Mode............... Enable. Secure Web Mode Cipher- Option High..... Disable. Secure Web Mode Cipher- Option SSLv. Disable. Secure Web Mode RC4 Cipher Preference.... Disable. OCSP.................... Disabled. OCSP responder URL............. Secure Shell (ssh)............. Enable. Telnet................... Enable. Ethernet Multicast Forwarding........ Enable. Ethernet Broadcast Forwarding........ Enable IPv. 4 AP Multicast/Broadcast Mode...... Multicast Address : 2. IGMP snooping................ Enabled. IGMP timeout................ IGMP Query Interval............. MLD snooping................ Enabled. To configure multicast- multicast operations on the WLC command line: (Cisco Controller) > config network multicast mode multicast 2. Cisco Controller) > config network multicast global enable. Ensure that the multicast address does not match another address in use on your network by other protocols. For example, if you use 2. DNS used by some third party applications. Cisco recommends that the address be in the private range (2. Also, ensure that the multicast IP address is set to a different value on each WLC. You do not want a WLC that speaks to its APs to reach the APs of another WLC. This feature is very limited and is often used for a simple demonstration or proof- of- concept, for example in a lab environment. The best practice is NOT to use this feature in an enterprise production network. The show interface detailed management command is used to find if an internal DHCP server is used. The primary DHCP server address is the same as the management IP address. See the following example: (Cisco Controller) > show interface detailed management. Interface Name.................. IP Netmask.................... IP Gateway.................... External NAT IP State.............. Disabled. External NAT IP Address............. Link Local IPv. 6 Address............. NONEPrimary IPv. 6 Address............... NONEPrimary IPv. 6 Gateway............... NONESecondary IPv. Gateway.............. Quarantine- vlan................. Active Physical Port............... Primary Physical Port.............. Backup Physical Port............... Unconfigured. DHCP Proxy Mode................. Global. Primary DHCP Server............... Change the internal DHCP server (management IP address) to a production DHCP server: (Cisco Controller) > config interface dhcp management primary < primary- server> It is recommended to disable/clean up existing internal DHCP scope: (Cisco Controller) > show dhcp summary. Scope Name Enabled Address Range. Scope. 1 Yes 1. 0. To disable the scope: (Cisco Controller) > config dhcp delete- scope < scope name> or (Cisco Controller) > config dhcp disable < scope name> Fast Restart. It is recommended to use restart instead of reset system for the following scenarios to reduce network and service downtime and provide better serviceability: ? Updating license storage.. Done. Security. The following sections list out the best practices for security. Authentication for APFor increased security, configure 8. X authentication between a lightweight access point (AP) and a Cisco switch. The AP acts as an 8. X supplicant and is authenticated by the switch using EAP- FAST with anonymous PAC provisioning. This is configurable on the global authentication settings. To configure the global authentication username and password for all APs, which are currently joined to the controller as well as any AP that will join the controller in the future: (Cisco Controller) > config ap 8. Xuser add username < ap- username> password < ap- password> all. To verify the configuration: (Cisco Controller) > show ap summary. Number of APs.................. Global AP User Name............... Disable the Management over Wireless feature for security reasons. To verify management over wireless interface: (Cisco Controller) > show network summary. RF- Network Name............... Enable. Secure Web Mode............... Enable. Secure Web Mode Cipher- Option High..... Disable. Secure Web Mode Cipher- Option SSLv. Disable. Secure Web Mode RC4 Cipher Preference.... Enable. To disable management over wireless: (Cisco Controller) > config network mgmt- via- wireless disable. Enable Secure Web Access. For increased security, enable HTTPS and disable HTTP for management access. To see the network summary: (Cisco Controller) > show network summary. RF- Network Name...............
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
October 2017
Categories |