Flavien Richard, Technical Solutions Architect; Viktor Platov, Systems Engineer Consultant
Best-practice configuration recommendations for Cisco WLAN controllers
Contents
Recommended settings:
• Infrastructure
• RF/RRM
• Security and BYOD
• FlexConnect
Figure: Express Setup, Monitoring and RF Dashboard, Audit/Upgrade Workflow, Feature Best Practices, WLCCA, Cisco Active Advisor
Infrastructure
Infrastructure configuration recommendations
• Enable High Availability (Client SSO)
• Enable AP Failover Priority
• Enable AP Multicast Mode
• Enable Multicast VLAN
• Enable Pre-image download
• Enable AVC
• Enable NetFlow
• Enable Local Profiling (DHCP and HTTP)
• Enable NTP
• Change the AP Re-transmit parameters
• Enable Fast SSID change
• Enable Per-user BW contracts
• Enable Multicast Mobility
• Enable Client Load Balancing
• Disable Aironet IE
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
Infrastructure: Enable High Availability (Client SSO)
This feature requires a direct physical or L2 link between the Redundancy ports of the Active and Standby controllers
Convergence within one second
Infrastructure: Enable AP Failover Priority
Wireless → Access Points → Global Configurations
Wireless → Access Points → All APs → AP_NAME → High Availability
Lets you assign each AP a priority that the controller honours when it is oversubscribed
Infrastructure: Enable AP Multicast Mode
Controller → General → AP Multicast Mode
Sends a single multicast packet to all APs instead of a unicast packet to each AP
The multicast group address must be unique across all WLCs and must not overlap with other protocols
The network infrastructure must provide multicast routing between the management interface and the AP subnet
Infrastructure: Multicast VLAN for Interface Groups
WLANs → WLAN Name → General
Restricts over-the-air multicast delivery to a single VLAN of the interface group
Figure: interface group of VLAN1, VLAN2, VLAN3 and VLAN4, with VLAN2 designated as mcast_vlan
Infrastructure: Enable Pre-image download
Wireless → Global Configurations → AP Image Pre-download
Shorter software upgrade time across the whole network
Infrastructure: Enable AVC
Wireless → Application Visibility and Control → AVC Profiles
Classifies applications, provides real-time analysis, and allows users to drop or mark data. Per-user, per-device granularity for control
Add per-application rules
Enable Application Visibility
Infrastructure: Enable NetFlow on the controller
Wireless → Netflow → Exporter → Create 'New'
Wireless → Netflow → Monitor → New
NetFlow export to Cisco Prime or a third-party network management tool
Infrastructure: Enable Local Profiling
WLANs → Edit → WLAN_NAME → Advanced
Client devices can be profiled based on their manufacturer and operating system
Infrastructure: Enable NTP
Controller → NTP → Keys
Controller → NTP → Server
Synchronizes time across all devices on the network, including APs and controllers. Accurate time is needed because APs and WLCs carry X.509 certificates, and for context-aware and location services, MFP, and debugging
If NTP requires authentication, add the key first
Infrastructure: Change the AP Re-transmit parameters
Wireless → Access Points → Global Configuration
Allows the user to customize the way APs attempt to join a WLC. Increase the count and interval for higher-latency links such as FlexConnect and satellite links
Number of times the AP will try to join the WLC (3-8)
Number of seconds to wait before rejoining (2-5 sec)
Infrastructure: Enable Fast SSID change
Controller → General
Allows clients to move faster between SSIDs by not clearing the client entry
Infrastructure: Enable per-user bandwidth contract
WLANs → Edit 'WLAN_NAME' → QoS
Enforces limits on non-mission-critical clients
Limit data rates for Guest and Contractor accounts
Infrastructure: Enable Multicast Mobility for mobility domains
Controller → General
Controller → Multicast
Allows controllers to announce messages to all mobility peers at once instead of to individual WLCs, saving time, CPU and network utilization. Requires multicast routing between controllers
Infrastructure: Enable Client Load Balancing
WLANs → Edit "WLAN-NAME" → Advanced
Balances the number of clients connected to a WLAN across multiple APs. Not suitable for voice, low-density or single-AP deployments such as hotspots
Client Window Size 1-20; Maximum Denial Count 0-10
Infrastructure: Disable Aironet IE
WLANs → Edit "WLAN-NAME" → Advanced
Can cause compatibility issues with some types of wireless clients. Enable for WGBs and Cisco voice; optional for CCX-based clients
• Aironet IE 0x85 in beacons and probe responses
• AP name, load, client count, etc.
• The controller sends Aironet IEs 0x85 and 0x95 in the reassociation response if it receives Aironet IE 0x85 in the reassociation request
• Management IP address of the WLC
• IP address of the AP
Infrastructure: Same virtual IP if same mobility group name
Controller → Interfaces → virtual
Inter-controller roaming can appear to work, but the hand-off does not complete, and the client loses connectivity when a DHCP renew is performed if DHCP proxy is enabled
Figure: controllers in one mobility group, each using the virtual IP 192.0.2.1
Infrastructure: Fast Restart
Supported on Cisco WLC 7510, 8510, 5520, 8540 and vWLC; release 8.1 required
Use cases:
• LAG <-> no LAG
• 10 G <-> 1 G
• High Availability SSO pairing
• Post Configuration Wizard
• Web-auth certificate installation
• Transfer Download of XML
73% faster
Process restart reduces network and service downtime and improves serviceability
Commands → Restart
RF & RRM recommendations (RF = Radio Frequency, RRM = Radio Resource Management)
Wireless → 802.11b/g/n → Network
RF & RRM: Disable 802.11b data rates
Management frames are sent at the lowest mandatory rate, which slows down the entire cell
RF & RRM: Disable 802.11b data rates
Demonstrating the impact of 802.11b data rates on channel utilization:
1 Mbps mandatory: channel utilization 67%
6 Mbps mandatory: channel utilization 23%
WLANs → WLANs
RF & RRM: Restrict the number of WLANs to below 4
Each SSID needs its own probe responses and beacons; the more SSIDs, the less airtime is left for real data traffic
Wireless → 802.11a/n/ac → RRM → DCA
RF & RRM: Enable Channel Bonding - Best
40/80 MHz wide channels in the 5 GHz band can carry 2x/4x the amount of user data. For extreme high-density deployments, use 20 MHz channels to keep the cell size small.
"Best" automatically selects the widest channel width with:
• Highest client data rates
• Lowest channel utilization per radio
• Minimal data retries / CRC errors
• On the 5 GHz band
While avoiding:
• Rogue APs
• CleanAir interferers
RF & RRM: Disable Avoid Cisco AP Load
Wireless → 802.11a/n/ac → RRM → DCA
Wireless → 802.11b/g/n → RRM → DCA
Avoids frequent DCA channel changes caused by varying load conditions
RF & RRM: Enable Client Band Select
WLANs → Edit "WLAN-NAME" → Advanced
Allows dual-band clients to move to the less congested 5 GHz band. Not always recommended for voice deployments
• RF Profiles work in conjunction with AP Groups (since release 7.2)
• You can create separate RF profiles for both 2.4 and 5 GHz
• One profile per band (802.11a/802.11b) can be assigned to an AP group
• Today with 8.x, you can use RF Profiles for:
  • 802.11 data rates
  • TPC power threshold and min/max power settings
  • DCA (Dynamic Channel Assignment)
  • Coverage hole mitigation algorithm settings
  • High Density (HDX) configurations such as RX-SOP, client limit, multicast data rate
  • Client distribution
RF & RRM: Make use of RF Profiles
More granular control of the RF network
RF Profiles: granular control over data rates, load balancing, TPC/DCA/coverage hole settings, and high density
Network Profiles
Client density: High, Typical, Low
Traffic type: Data, Data and Voice
Sets pre-defined RF parameters depending on client density and traffic type
Pre-built RF profiles
Pre-built RF profiles for use with AP Groups
Client-density-specific pre-built RF profiles for the 2.4 GHz and 5 GHz bands, to be used with AP Groups
RF & RRM: RF Group Leader must be an .11ac WLC (Release 7.5+) in RF Groups with mixed versions
Wireless → 802.11a/n/ac → RRM → DCA
If the RF Group Leader does not support 802.11ac (Release 7.5+), APs in the RF Group cannot select 80 MHz channel widths
RF & RRM: Enable Cisco CleanAir
Wireless → 802.11a/n/ac or 802.11b/g/n → CleanAir
CleanAir identifies non-Wi-Fi interferers and generates interferer and air quality reports
Enable CleanAir on both radio bands
RF & RRM: Enable Cisco EDRRM
Wireless → 802.11a/n/ac or 802.11b/g/n → RRM → DCA
EDRRM triggers RRM to run when an access point detects a certain level of interference
Sensitivity threshold recommended: Medium
Enable Wi-Fi interference awareness; configure the duty cycle to 80%
RF & RRM: Enable Noise & Rogue Monitoring on all channels
Wireless → 802.11a/n/ac or 802.11b/g/n → RRM → General
Scan all channels for security, DCA channels for performance
Security & BYOD Best Practices
Security
• Enable 802.1X and WPA/WPA2 on WLANs
• Enable 802.1X authentication for APs
• Change the advanced EAP timers
• Enable SSH and disable Telnet
• Disable Management over Wireless
• Peer-to-peer blocking
• Secure web access (HTTPS)
• Enable user policies
• Enable client exclusion policies
• Enable rogue policies and Rogue Detection RSSI
• Strong password policies
• Enable IDS
• BYOD timers
Security: Enable 802.1X authentication on WLANs
WLANs → Edit 'WLAN_NAME' → Security
Provides greater network security on the WLAN by using 802.1X authentication for clients
Security: Enable 802.1X authentication for APs
Wireless → Access Points → Global Configurations
To enable 802.1X authentication on the switch port, enter these commands on the switch CLI:
Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Provides greater network security by enabling 802.1X on the switch port where the AP is connected. Not supported for Mesh deployments
Security: Enable SSH and disable Telnet
Management → Telnet-SSH
Disable Telnet and enable SSH as the default option
Provides greater security by allowing only encrypted access and denying unencrypted access
A maximum session count of 0 means no sessions will be allowed
Security: Disable Management over Wireless
Management → Mgmt Via Wireless
Disallow management of the controller from wireless clients
Security: Disable Wi-Fi Direct
WLANs → WLAN Name → Advanced
Prevents the security hole that opens when a device is connected to both the infrastructure and a Personal Area Network (PAN) at the same time. Will break Android devices
Figure: a corporate laptop on the corporate WLAN bridging to unauthorized devices
Security: Secure web access (HTTPS)
Management → HTTP-HTTPS
Provides greater security by allowing only secure access
Security: Enable Client Exclusion Policies
Security → Wireless Protection Policies → Client Exclusion Policies
Enable exclusion policies to protect the network from association/authentication failure attacks. Disable for voice deployments
Security: Enable Rogue Policies
Security → Wireless Protection Policies → Rogue Policies → General → Low
The Rogue Detection Security Level should be set to "Low" at a minimum
Figure: rogue classification (Friendly, Malicious)
BYOD: RADIUS timeout >= 5 sec
Security → AAA → RADIUS → Authentication
Prevents premature failover: the default of 2 seconds is generally too low for ISE, which relies on backend databases for user lookups and group fetches. Too high a value causes queue issues on the WLC
Disable the aggressive failover feature using the following CLI command:
config radius aggressive-failover disable
Use 'show radius summary' to check the status of this feature
Only fails over to the next AAA server if three consecutive clients fail to receive a response from the RADIUS server
BYOD: Disable Aggressive Failover
In some circumstances, having it enabled can cause the WLC to prematurely mark ISE dead under high load, which causes additional load on ISE
BYOD: Client Idle Timeout
WLANs → WLAN Name → Advanced
For networks where users stay largely within the coverage area, the setting can be increased to 3600 seconds for an SSID running 802.1X or RADIUS NAC against ISE.
BYOD: Client Exclusion
WLANs → WLAN Name → Advanced
180 seconds is the recommended value with ISE, although 60 seconds is the WLC default. The reason is the minimum reject interval on ISE for misconfigured-supplicant detection.
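The security and BYOD settings above (Telnet/SSH, HTTPS, management over wireless, RADIUS timeout and aggressive failover, client exclusion) and the 802.11b data-rate recommendation can be checked against a saved controller configuration. The following audit script is an added example, not Cisco's Config Analyzer or any tool from this deck; it assumes the dump is the `config ...` command listing printed by `show run-config commands`, the sample configuration is constructed, and the command syntax behind each check is an assumption to verify on a real controller.

```python
"""Audit an AireOS WLC configuration dump against the best practices in this deck.

Added example, not Cisco tooling. Input is assumed to be the `config ...` command
listing a controller prints for `show run-config commands`; the sample is constructed
and the exact command syntax behind each regex is an assumption to verify on a real WLC."""
import re

# Constructed sample of a controller still running several weak defaults.
SAMPLE_CONFIG = """\
config network telnet enable
config network secureweb enable
config network mgmt-via-wireless enable
config network fast-ssid-change disable
config radius aggressive-failover enable
config radius auth retransmit-timeout 1 2
config 802.11b rate mandatory 1
config 802.11b rate supported 2
config 802.11b rate mandatory 11
config wlan exclusionlist 1 60
"""

# Settings that must appear exactly in the recommended state (one line must match).
REQUIRED = [
    ("Telnet should be disabled (use SSH)", r"config network telnet disable$"),
    ("HTTPS management should be enabled", r"config network secureweb enable$"),
    ("Management over wireless should be disabled", r"config network mgmt-via-wireless disable$"),
    ("Fast SSID change should be enabled", r"config network fast-ssid-change enable$"),
    ("RADIUS aggressive failover should be disabled", r"config radius aggressive-failover disable$"),
]
# Any 802.11b rate (1/2/5.5/11 Mbps) left mandatory or supported drags the whole cell down.
LEGACY_RATE = re.compile(r"config 802\.11b rate (?:mandatory|supported) (?:1|2|5\.5|11)$")
# Per-server RADIUS auth timeout (server index, seconds); the deck recommends >= 5 s with ISE.
RADIUS_TIMEOUT = re.compile(r"config radius auth retransmit-timeout (\d+) (\d+)$")
# Per-WLAN client exclusion timeout (WLAN id, seconds); 180 s recommended with ISE.
EXCLUSION = re.compile(r"config wlan exclusionlist (\d+) (\d+)$")

def audit(config_text):
    """Return a list of human-readable findings; an empty list means compliant."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = [msg for msg, pat in REQUIRED if not any(re.match(pat, l) for l in lines)]
    for l in lines:
        if LEGACY_RATE.match(l):
            findings.append("802.11b legacy rate still enabled: " + l)
        m = RADIUS_TIMEOUT.match(l)
        if m and int(m.group(2)) < 5:
            findings.append(f"RADIUS server {m.group(1)}: timeout {m.group(2)} s, recommend >= 5 s")
        m = EXCLUSION.match(l)
        if m and int(m.group(2)) < 180:
            findings.append(f"WLAN {m.group(1)}: exclusion timeout {m.group(2)} s, recommend 180 s with ISE")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed dump reports nine findings; a controller that follows every recommendation in this deck returns an empty list.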
FlexConnect Best Practices
• Enable FlexConnect Groups
• CCKM/OKC key sharing, consistent WLAN mappings
• Enable Smart AP Image Upgrade
• Use FlexConnect Group level for VLAN configuration
• Use VLAN Name Override to map users to VLANs across different branches
• Configure AVC per WLAN at the FlexConnect Group level
FlexConnect: Enable FlexConnect Groups
Wireless → FlexConnect Groups → Edit "Groupname"
Allows users to assign specific APs to groups with set configurations: OKC/CCKM key caching for voice, local RADIUS server configuration, consistent WLAN mappings
Figure: central site connected to branch APs over the WAN
FlexConnect: Enable "FlexConnect AP Upgrade"
Wireless → FlexConnect Groups → Edit "Groupname" → Image Upgrade tab
Avoids downloading multiple copies of the access point software over the slow WAN link to the remote site; reduces service downtime and the risk of download failure
Figure: Wireless Control System and Wireless LAN Controller deliver the new image over the WAN to a Master AP, which distributes it locally
Conclusions
• Optimum starting point at Day 0/1 network setup
• RF parameter setting ease of use
• Enhanced performance, security and resiliency with best-practice recommendations at boot time
Saves time and money
Audit of the current configuration
• Compliance metric and reporting natively on the WLC
• Identify missing best-practice configuration on upgrade
• Easy one-click 'Fix It' option to turn on best-practice knobs (or ignore them)
Optimization
• Personalized device health score
• Free, cloud-based service
• Automatically takes an inventory of your Cisco network
• Downloadable client
• Configuration stays local
• Quickly identify and fix problem areas
• RF health metrics, IOS support, Mobility Group support
Analysis and troubleshooting
Figure: Express Setup, Monitoring and RF Dashboard, Audit/Upgrade Workflow, Feature Best Practices, WLCCA, Cisco Active Advisor. Captions: enhance your usability and manageability experience; maximize use of your embedded advanced features; fine-tune features to their optimum; derive maximum potential from your WLAN
We look forward to your posts with the hashtag #CiscoConnectRu
Please fill in the feedback forms. Your opinion is very important to us.
Thank you. Flavien Richard & Viktor Platov