Solution Overview

This guide explains how to use Cisco DNA Center 2.3.5.5 to deploy and manage a legacy wireless local area network (WLAN) within an enterprise network, using Cisco Catalyst 9800 Series Wireless Controllers, Cisco IOS XE Cupertino 17.9.4a.

This guide provides technical guidance to design, deploy, and operate a Cisco WLAN using Cisco DNA Center.

The implementation flow showcases four main steps: define, design, deploy, and operate.

This guide contains the following main sections:

  • Define the wireless network presents a high-level overview of the campus, remote office, and cloud-based WLAN that is designed and deployed through Cisco DNA Center.

  • Design the wireless network discusses the integration of Cisco DNA Center with Cisco Identity Services Engine (Cisco ISE); creation of the site hierarchy—including the importing of floor maps—within Cisco DNA Center; configuration of various network services necessary for network operations, such as AAA, DNS, DHCP, NTP, SNMP, and Syslog servers; and configuration of wireless settings, including WLANs/SSIDs, VLANs, and RF profiles for the WLAN deployment.

  • Deploy the wireless network discusses discovery of the wireless controllers, managing the software images running on the wireless controllers, configuring HA SSO redundancy on the wireless controllers, provisioning the enterprise and guest wireless controllers within Cisco DNA Center, joining APs to the enterprise wireless controller HA SSO pair, provisioning the APs within Cisco DNA Center, and positioning the APs on the floor maps within Cisco DNA Center.

  • Monitor and operate the wireless network discusses how to use Cisco DNA Assurance to monitor and troubleshoot the WLAN deployment.

The audience for this guide includes network design engineers and network operations personnel who want to use Cisco DNA Center to deploy a Cisco WLAN within their wireless networks.

Prerequisites

Before you can deploy and manage a legacy WLAN within an enterprise network, Cisco DNA Center must be installed and properly configured. For more information about installing and configuring Cisco DNA Center, see the Cisco DNA Center Installation Guide.

The following table displays the round-trip time (RTT) requirements between Cisco DNA Center and the specified network elements.

The latency between the Cisco DNA Center appliance and a managed device should be ~100 milliseconds RTT or less. Above 100 milliseconds, longer execution times may be experienced for certain events, such as inventory collection, provisioning, and image update (SWIM). Cisco does not support an RTT of more than 300 milliseconds. For more details on RTT and supported scale, see the Cisco DNA Center Data Sheet.

Table 1. Cisco Recommended RTT

Source Device           | Target Device         | Maximum RTT Supported
------------------------|-----------------------|-----------------------------
Cisco DNA Center Node   | Cisco DNA Center Node | 10 milliseconds
Cisco DNA Center Node   | Cisco ISE             | 300 milliseconds
Cisco DNA Center Node   | Wireless Controller   | 200 milliseconds
Wireless Controller     | Access Points         | 20 milliseconds (local mode)
Wireless Controller     | Access Points         | 300 milliseconds (flex mode)
Wireless Controller     | Cisco ISE             | 100 milliseconds
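The following Python check is an added example, not Cisco tooling: it reads the summary line that Linux ping prints for a link and grades the average RTT against the Table 1 maximum for that source/target pair, flagging a Cisco DNA Center to managed-device link above ~100 ms as a warning, as the paragraph above describes. The ping output embedded in SAMPLE_PINGS is constructed sample data.

```python
"""Grade measured round-trip times against the Table 1 limits.

Added example, not Cisco tooling. parse_avg_rtt() reads the summary line
that Linux ping prints, and grade_rtt() compares the average with the
maximum RTT the guide supports for that source/target pair; a Cisco DNA
Center to managed-device link above ~100 ms is flagged WARN because the
guide expects slower inventory, provisioning and SWIM there. The ping
output in SAMPLE_PINGS is constructed, not a real measurement.
"""
import re
from typing import Dict, Tuple

# Maximum supported RTT per (source, target) pair in ms, from Table 1.
# The AP row depends on AP mode, so the AP target carries the mode.
MAX_RTT_MS: Dict[Tuple[str, str], int] = {
    ("dnac", "dnac"): 10,
    ("dnac", "ise"): 300,
    ("dnac", "wlc"): 200,
    ("wlc", "ap-local"): 20,
    ("wlc", "ap-flex"): 300,
    ("wlc", "ise"): 100,
}

# Guide text: DNA Center to a managed device should be ~100 ms or less.
DNAC_DEVICE_WARN_MS = 100
MANAGED_DEVICES = {"wlc"}

_SUMMARY = re.compile(
    r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


def parse_avg_rtt(ping_output: str) -> float:
    """Return the average RTT (ms) from ping's rtt summary line."""
    match = _SUMMARY.search(ping_output)
    if match is None:
        raise ValueError("no rtt summary line; ping may not have completed")
    return float(match.group(2))


def grade_rtt(source: str, target: str, avg_ms: float) -> str:
    """Return 'OK', 'WARN' or 'UNSUPPORTED' for one link."""
    limit = MAX_RTT_MS[(source, target)]
    if avg_ms > limit:
        return "UNSUPPORTED"
    if source == "dnac" and target in MANAGED_DEVICES and avg_ms > DNAC_DEVICE_WARN_MS:
        return "WARN"
    return "OK"


def check_link(source: str, target: str, ping_output: str) -> Tuple[float, str]:
    """Parse one ping run and grade it; returns (avg_ms, grade)."""
    avg_ms = parse_avg_rtt(ping_output)
    return avg_ms, grade_rtt(source, target, avg_ms)


# Constructed ping summaries for links in this guide's topology.
SAMPLE_PINGS: Dict[Tuple[str, str], str] = {
    ("dnac", "wlc"): "--- 10.0.1.10 ping statistics ---\n"
                     "10 packets transmitted, 10 received, 0% packet loss\n"
                     "rtt min/avg/max/mdev = 118.2/142.5/171.9/12.4 ms\n",
    ("dnac", "ise"): "rtt min/avg/max/mdev = 140.1/150.0/163.8/6.2 ms\n",
    ("wlc", "ap-local"): "rtt min/avg/max/mdev = 6.9/8.3/11.0/1.1 ms\n",
    ("wlc", "ap-flex"): "rtt min/avg/max/mdev = 290.4/312.0/340.7/15.9 ms\n",
}


def run_samples() -> Dict[Tuple[str, str], Tuple[float, str]]:
    """Grade every constructed sample; each value is (avg_ms, grade)."""
    return {pair: check_link(pair[0], pair[1], out) for pair, out in SAMPLE_PINGS.items()}


if __name__ == "__main__":
    for (src, dst), (avg_ms, grade) in run_samples().items():
        print(f"{src:>5} -> {dst:<9} avg {avg_ms:6.1f} ms  {grade}")
```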

Table 2. Cisco Supported Scale Numbers for Wireless Controller Models

Wireless Controller Model            | Maximum Number of APs | Maximum Number of Clients
-------------------------------------|-----------------------|--------------------------
Catalyst 9800-L                      | 250                   | 5000
Catalyst 9800-40                     | 2000                  | 32,000
Catalyst 9800-80                     | 6000                  | 64,000
Catalyst 9800-CL (4 CPU/8 GB RAM)    | 1000                  | 10,000
Catalyst 9800-CL (6 CPU/16 GB RAM)   | 3000                  | 32,000
Catalyst 9800-CL (10 CPU/32 GB RAM)  | 6000                  | 64,000

Table 3. Cisco DNA Center 1-Node System Scale

SKU                                                   | DN-SW-APL | DN2-HW-APL | DN2-HW-APL-L | DN2-HW-APL-XL
------------------------------------------------------|-----------|------------|--------------|--------------
Legacy Devices (switch, router, wireless controller)  | 1000      | 1000       | 2000         | 5000
Legacy Wireless Access Points                         | 4000      | 4000       | 6000         | 13,000
Wireless Sensors                                      | 600       | 600        | 800          | 1600
Concurrent Endpoints                                  | 25,000    | 25,000     | 40,000       | 100,000
Transient Endpoints (over a 14-day period)            | 75,000    | 75,000     | 120,000      | 250,000
Ratio of Endpoints to Wired                           | Any       | Any        | Any          | Any
Ratio of Endpoints to Wireless                        | Any       | Any        | Any          | Any
Site Elements                                         | 2500      | 2500       | 5000         | 10,000
Wireless Controller                                   | 500       | 500        | 1000         | 2000
Ports                                                 | 48,000    | 48,000     | 192,000      | 768,000
API Rate Limit (APIs/minute)                          | 50        | 50         | 50           | 50
NetFlow (flows/second)                                | 30,000    | 30,000     | 48,000       | 120,000
Concurrent Software Image Updates                     | 100       | 100        | 100          | 100

Table 4. Scale for 3-Node DN2-HW-APL-XL Cluster

Description                                   | Supported Scale
----------------------------------------------|----------------
Devices (switch, router, wireless controller) | 10,000
Wireless Access Points                        | 25,000
Concurrent Endpoints                          | 300,000
Transient Endpoints (over a 14-day period)    | 750,000
NetFlow (flows/second)                        | 250,000
Number of Floors (per wireless controller)    | 1000

Required Network Ports

Cisco DNA Center requires that specific ports are open for traffic flows to and from the appliance, whether you open them using firewall settings or a proxy gateway. For more information, see the "Required Network Ports" topic in the Cisco DNA Center Second-Generation Appliance Installation Guide.

Certificate Management for Cisco DNA Center

By default, Cisco DNA Center uses self-signed certificates, but you can use a certificate that is signed by your internal certificate authority during deployment. To replace the default certificate, see the "Manage Certificates" topic in the Cisco DNA Center Security Best Practices Guide.

Define the Wireless Network

This section presents a high-level overview of the campus, remote office, and cloud-based WLAN that is designed and deployed through Cisco DNA Center.

There are three scenarios that outline three types of typical, legacy wireless deployments. In the first scenario, a campus wireless deployment with APs in local mode uses wireless controllers in a high availability (HA) configuration; the wireless controllers are located in the same campus building. In the second scenario, a remote office wireless deployment with APs in flex mode uses wireless controllers in an N+1 configuration; the wireless controllers are located in the data center. In the third scenario, a wireless network for a corporate event uses a wireless controller that is hosted in a cloud environment, such as Amazon Web Services (AWS).

Campus Wireless Deployment

The campus wireless deployment uses a pair of Cisco Catalyst 9800-40 Wireless Controllers in a high availability (HA) SSO configuration. The wireless controller pair functions as the enterprise wireless controller for access points (APs) in local mode, which are located on multiple floors within multiple buildings of the campus. Wireless guest access is provided through a separate Cisco Catalyst 9800-CL Wireless Controller, which functions as a traditional guest wireless controller and is anchored to the enterprise (foreign) wireless controller.

The design and deployment of the WLAN is fully automated, utilizing intent-based networking (IBN). Cisco DNA Center is designed for IBN and provides a level of abstraction from the device-level user interface.


Note


In the production environment, the guest anchor wireless controller is typically connected to a DMZ segment off of a firewall to separate guest wireless traffic from internal employee traffic. In such designs, the firewall policy must be configured to allow the necessary traffic between the enterprise foreign wireless controller and the guest anchor wireless controller.


Figure 1. High-Level Design for Campus Wireless Deployment
The high-level design for the campus wireless deployment depicts the guest anchor wireless controller and the enterprise wireless controller connected to the same switch.

The campus wireless deployment includes the following features:

  • Site hierarchy consisting of a single area (Milpitas) and multiple buildings (Building 23 and Building 24), each with multiple floors (Floor 1 and Floor 2)

  • Legacy, centralized campus wireless deployment in which all wireless traffic is backhauled to the wireless controller

  • Enterprise SSID and guest SSID

  • A single pair of enterprise Catalyst 9800-40 Wireless Controllers in an HA SSO configuration

  • Guest wireless access through a dedicated guest Catalyst 9800-CL Wireless Controller, which is auto-anchored to the enterprise HA SSO wireless controller pair


Note


The Cisco DNA Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config. This guide discusses the specific wireless controller features that can be configured in Cisco DNA Center.


Wireless controllers must be assigned to sites during the Cisco DNA Center provisioning process. For this deployment guide, a Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40) will be assigned to Building 23 within the Milpitas area. There can only be one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning that only one enterprise wireless controller can be provisioned per floor within Cisco DNA Center. The APs on Floor 1 and Floor 2 within Building 23 and the APs on Floor 1 within Building 24 will be provisioned to C9800-40 through Cisco DNA Center.

Remote Office Wireless Deployment

The remote office wireless deployment uses a pair of Cisco Catalyst 9800-40 Wireless Controllers in a high availability (HA) N+1 configuration. The wireless controller pair functions as the enterprise wireless controller for access points (APs) in flex mode, which are located on multiple floors within a remote office building. Wireless guest access is locally switched, and employee (nonguest) wireless traffic is centrally switched. All authentication, whether for employee (WPA2/802.1X) or guest (WebAuth) wireless traffic, is centrally performed through Cisco ISE, highlighting the use of Cisco ISE as both a AAA server and a guest portal.

The design and deployment of the WLAN is fully automated, utilizing intent-based networking (IBN). Cisco DNA Center is designed for IBN and provides a level of abstraction from the device-level user interface.


Note


Alternate designs for guest wireless traffic, including local termination with Direct Internet Access (DIA) at the remote office, may be implemented when combining WLAN functionality with Cisco SD-WAN. For more information, see Cisco SD-WAN: Enabling Direct Internet Access.


Figure 2. High-Level Design for Remote Office Wireless Deployment
The high-level design for the remote office wireless deployment depicts the AP in flex mode.

The remote office wireless deployment includes the following features:

  • Site hierarchy consisting of a single area (New York) and a single building (Branch 5) with multiple floors (Floor 1, Floor 2, and Floor 3)

  • Legacy, flex mode in which data traffic is centrally switched for the enterprise SSID and locally switched for the guest SSID

  • Enterprise SSID and guest SSID

  • A single pair of enterprise Catalyst 9800-40 Wireless Controllers in an HA N+1 configuration


Note


The Cisco DNA Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config.


The wireless controllers must be assigned to sites during the Cisco DNA Center provisioning process. For this deployment guide, a Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40) will be assigned to Branch 5 within the New York area, even though the pair is physically located in the data center. There can be only one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning only one enterprise wireless controller can be provisioned per floor within Cisco DNA Center. The APs on Floor 1 and Floor 2 within Branch 5, New York will be provisioned to C9800-40 through Cisco DNA Center.

Wireless Controller Hosted on AWS Deployment

This wireless deployment uses a Cisco Catalyst 9800-CL Wireless Controller hosted on Amazon Web Services (AWS). The wireless controller is configured as the enterprise wireless controller for access points (APs) in flex mode, which are located on an event center floor. All authentication, whether for employee (WPA2/802.1X) or guest (WebAuth) wireless traffic, is centrally performed through Cisco ISE, which is located in the data center.

Cisco DNA Center is designed for IBN and provides a level of abstraction from the device-level user interface.

Figure 3. High-Level Design for Cisco Catalyst 9800-CL Wireless Controller Hosted on AWS
The high-level design for this wireless deployment depicts a Catalyst 9800-CL Wireless Controller hosted on AWS.

This wireless deployment includes the following features:

  • Site hierarchy consisting of a single area (San Jose) with an event center (Eventcenter) that has a single floor (Eventcenterfloor)

  • Legacy, flex wireless deployment where all wireless traffic is backhauled to the wireless controller

  • Flex mode in which data traffic is locally switched

  • Enterprise SSID and corporate special event SSID

  • A Catalyst 9800-CL Wireless Controller hosted on AWS


Note


The Cisco DNA Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config.


The wireless controllers must be assigned to sites during the Cisco DNA Center provisioning process. For this deployment guide, a Catalyst 9800 Wireless Controller (C9800-CL) on AWS will be assigned to Eventcenter within the San Jose area. There can be only one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning only one enterprise wireless controller can be provisioned per floor within Cisco DNA Center. The APs on Eventcenterfloor within Eventcenter will be provisioned to C9800-CL on AWS through Cisco DNA Center.

Migration from the Legacy Network

This section provides an overview of the following migrations from the legacy network, using Cisco AireOS Wireless Controller or Cisco Prime Infrastructure:

  • Legacy Cisco AireOS Wireless Controller to Cisco Catalyst 9800 Series Wireless Controller

  • Cisco Prime Infrastructure to Cisco DNA Center

Migrate APs from a Legacy Cisco AireOS Wireless Controller to a Cisco Catalyst 9800 Series Wireless Controller

This section explains how to migrate access points (APs) from a legacy Cisco AireOS Wireless Controller to a Cisco Catalyst 9800 Series Wireless Controller. For this migration, the minimum AireOS version that is required is 8.5, with support for IRCM.

Procedure

Step 1

Add a temporary floor to the legacy site, which is managed by the Cisco AireOS Wireless Controller.

Step 2

Discover the Catalyst 9800 Series Wireless Controller and provision the wireless controller to the legacy site that manages the newly added floor.

Step 3

Enter the interface details, such as VLAN for legacy flow.

Step 4

Configure a mobility tunnel between the Cisco AireOS Wireless Controller and the Catalyst 9800 Series Wireless Controller.

Step 5

Migrate the APs to the Catalyst 9800 Series Wireless Controller using one of the following methods:

Note

The APs will be migrated to a new wireless controller using the AP config workflow, which will configure the new wireless controller as the primary wireless controller.

  a. Iterative migration: Only specific APs on a floor are migrated (Milpitas/Building 23/Floor2).

    1. On a single floor, identify some of the APs that need to be moved from the Cisco AireOS Wireless Controller to the Catalyst 9800 Series Wireless Controller.

      Do not select all the APs on a single floor.

    2. Create a new temporary floor (Floor 2_1) that is managed by the Catalyst 9800 Series Wireless Controller.

    3. Move the subset of APs to the Catalyst 9800 Series Wireless Controller using the AP config workflow.

      Through the workflow, the Catalyst 9800 Series Wireless Controller will be configured as the primary wireless controller.

    4. Once the subset of APs join the Catalyst 9800 Series Wireless Controller, provision the APs to the Catalyst 9800 Series Wireless Controller, which is a part of Floor 2_1.

      At this point, a subset of APs is managed by the Catalyst 9800 Series Wireless Controller, and the remaining APs are managed by the Cisco AireOS Wireless Controller. As a result, service is not disrupted on that floor.

    5. Iteratively move the remaining APs from the floor to the Catalyst 9800 Series Wireless Controller.

  b. Floor-by-floor migration: The entire set of APs on a floor is migrated to the Catalyst 9800 Series Wireless Controller.

    1. Create a new temporary floor (Floor 2_1) that is managed by the Catalyst 9800 Series Wireless Controller.

    2. Move all the APs on a single floor to the Catalyst 9800 Series Wireless Controller.

    3. Provision the APs to the Catalyst 9800 Series Wireless Controller, which is a part of Floor 2_1.

    4. Provision the Catalyst 9800 Series Wireless Controller to manage Floor 2.

    5. Either iteratively or by entire floor, provision the APs to Floor 2.

    6. Delete the temporary floor, Floor 2_1.

    7. Repeat the first six steps in substep b for your desired sites, buildings, and floors.

    8. Delete the temporary floor created in Step 1.

Step 6

(Optional) Remove the Cisco AireOS Wireless Controller from the inventory using the config cleanup option.


Migrate from Cisco Prime Infrastructure to Cisco DNA Center

Procedure

Step 1

Perform a readiness check using the Cisco Prime Infrastructure Cisco DNA Center Assessment and Readiness Tool (PDART).

For more information about using PDART, see Use PDART - a Cisco DNA Center Readiness Tool.

Step 2

Once you have assessed the readiness of the migration, use the PDMT to migrate your sites and devices from Cisco Prime Infrastructure to Cisco DNA Center.


Design the Wireless Network

Ensure that the prerequisites are met, as described in Prerequisites.

This section contains the following topics and processes:

  • Integrate Cisco Identity Services Engine (ISE) with Cisco DNA Center

  • Cisco ISE and third-party AAA server

  • Configure the site hierarchy in Cisco DNA Center

  • Configure network services for network operation

  • Campus wireless deployment settings

  • Remote office wireless deployment settings

  • Design the Cisco Catalyst 9800-CL Wireless Controller hosted on AWS

Integrate Cisco ISE with Cisco DNA Center

The integration of Cisco Identity Services Engine (ISE) with Cisco DNA Center enables the sharing of information between the two platforms, including device and group information. Specific to this guide, the integration allows you to create a guest portal in Cisco ISE through a workflow in Cisco DNA Center. The guest portal is created when the guest wireless network is defined within a wireless profile in Cisco DNA Center. For more information, see Campus Wireless Deployment Settings.

Use the following procedures to integrate Cisco ISE with Cisco DNA Center:

Cisco ISE and Third-Party AAA Server

Even though Cisco DNA Center supports third-party AAA servers for RADIUS and TACACS+ authentications, Cisco ISE provides additional analytics for endpoints.

Configure Cisco ISE as an Authentication and Policy Server to Cisco DNA Center

Before you begin

To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.

Procedure

Step 1

Log in to the Cisco DNA Center web console using an IP address or a fully qualified domain name.

Example:
https://<Cisco_DNA_Center_IPaddr_or_FQDN>

Step 2

From the top-left corner, click the menu icon and choose System > Settings.

Step 3

In the left pane, from the External Services drop-down list, choose Authentication and Policy Servers.

Step 4

From the Add drop-down list, choose ISE.

The Add ISE server slide-in pane is displayed.

Step 5

Enter the server details in the required fields.

The following table describes the fields in the Add ISE server slide-in pane.

Field                                   | Settings                     | Description
----------------------------------------|------------------------------|------------
Server IP Address                       | Text Field                   | IP address of the Cisco ISE server. If multiple IP addresses are configured, ensure this IP address is shown on the Cisco ISE deployment instance.
Shared Secret                           | Text Field                   | The shared secret used by network devices for communicating with the Cisco ISE server. Within the IOS XE device configuration, this is known as the PAC key.
Username                                | Text Field                   | The username of the default super admin account, which you created during Cisco ISE installation.
Password                                | Text Field                   | The password of the default super admin account, which you created during Cisco ISE installation.
FQDN                                    | Text Field                   | The fully qualified domain name of the Cisco ISE server.
Virtual IP Address                      | Text Field                   | One or more Policy Services Nodes (PSNs) may be behind a single load balancer. When this happens, you can add the load balancer IP(s) in the Virtual IP field.
Advanced Settings > Protocol            | Multiple Choice Radio Button | Determines the authentication protocol(s): RADIUS (the default setting, which uses the RADIUS protocol) or TACACS (uses the TACACS protocol).
Advanced Settings > Authentication Port | Text Field                   | When RADIUS is selected, the default port is 1812.
Advanced Settings > Accounting Port     | Text Field                   | When RADIUS is selected, the default port is 1813.
Advanced Settings > Port                | Text Field                   | This field appears only when TACACS is selected. The default port is 49.
Retries                                 | Number                       | The number of authentication retries before failure. The default is 3 retries.
Timeout (seconds)                       | Number                       | The number of seconds before an attempt times out. The default is 4 seconds.

For this design and deployment guide, the following information was entered.

Field                                   | Value
----------------------------------------|-----------------------
Server IP Address                       | 172.23.240.152
Shared Secret                           |
Cisco ISE Server                        | On
Username                                | admin
Password                                |
FQDN                                    | cvdise31.cagelab.local
Subscriber Name                         | admin
SSH Key                                 |
Virtual IP Address                      |
Advanced Settings > Protocol            | RADIUS
Advanced Settings > Authentication Port | 1812
Advanced Settings > Accounting Port     | 1813
Retries                                 | 3
Timeout (seconds)                       | 4

Note

Before adding Cisco ISE, confirm that the following prerequisites are met:

  • Your version of Cisco ISE is compatible with your version of Cisco DNA Center.

    For more information, see the Cisco DNA Center Compatibility Matrix.

  • The Cisco ISE GUI password matches the Cisco ISE CLI password.

  • PxGrid is enabled for the Cisco ISE deployment instance.

  • The ERS on the Cisco ISE server is enabled for read/write.

Step 6

Click Add to create the Cisco ISE server within Cisco DNA Center.

The ISE server Integration slide-in pane displays a message about accepting the Cisco ISE certificate and establishing trust.

The ISE server integration slide-in pane displays the options to accept or decline the Cisco ISE certificate.

Step 7

Click Accept.

After the integration is complete, the Authentication and Policy Servers window is displayed. The new Cisco ISE server should display an ACTIVE status.

If you want to change any server settings, hover your cursor over the ellipsis icon in the Actions column and choose Edit.

The Edit ISE server slide-in pane displays the server settings that can be changed.

Configure Site Hierarchy and Import Floor Maps

The configuration of the site hierarchy includes defining the network sites for deployment and defining the hierarchical relationships of the network sites, which consist of areas, buildings, and floors. Child sites automatically inherit certain attributes from parent sites, but you can override the attributes within the child site.

The following table summarizes the site hierarchy for this guide. A single area (Milpitas) is provisioned, containing multiple buildings (Building 23 and Building 24), each with multiple floors (Floor 1 and Floor 2).

Name        | Type of Site | Parent      | Additional Information
------------|--------------|-------------|-----------------------
Milpitas    | Area         | Global      |
Building 23 | Building     | Milpitas    | Address: 560 McCarthy Boulevard, Milpitas, California 95035
Building 24 | Building     | Milpitas    | Address: 510 McCarthy Boulevard, Milpitas, California 95035
Floor 1     | Floor        | Building 23 | Dimensions: 200 ft. x 274 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair.
Floor 2     | Floor        | Building 23 | Dimensions: 200 ft. x 274 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair.
Floor 1     | Floor        | Building 24 | Dimensions: 200 ft. x 250 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair.
Floor 2     | Floor        | Building 24 | Dimensions: 200 ft. x 250 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair.

This section contains the following processes:

  • Create an area

  • Create a building within an area

  • Create a floor in a building

  • Create and position a planned AP by using the Cisco DNA Center GUI or by importing from Cisco Prime Infrastructure or Ekahau

Create an Area

Before you begin

To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.

Procedure

Step 1

Log in to the Cisco DNA Center web console using an IP address or a fully qualified domain name.

Example:
https://<Cisco_DNA_Center_IPaddr_or_FQDN>

Step 2

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

The Network Hierarchy window is displayed.

If this is the first time you have configured the network hierarchy, the left hierarchy pane may only display a single Global entry.

The + Add Site option sits above a map of the United States, with the global entry drop-down list shown in the left hierarchy pane.

Step 3

Click + Add Site > Add Area.

The Add Area dialog box is displayed.

The Add Area pop-up window shows the area name, parent, and the options to cancel the request or add the area.

Step 4

In the Add Area dialog box, enter the Area Name and choose the desired parent from the Parent drop-down list.

For this deployment guide, choose Global for the Parent and create an area named Milpitas within an area named US.

Step 5

Click Add.


Create a Building Within an Area

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

Click + Add Site > Add Building.

The Add Building dialog box is displayed.

The Add Building pop-up window contains the following fields: building name, parent, address, latitude, and longitude.

Step 3

In the Add Building dialog box, enter the Building Name and choose the desired area from the Parent drop-down list.

For this deployment guide, enter Building 23 for the Building Name. For the Parent, choose Milpitas | Global/US.

Step 4

Enter the building address or GPS coordinates using one of the following methods:

  • In the Address field, enter the building address and choose the correct address from the list of available options. Latitude and longitude will be automatically entered in the Latitude and Longitude fields for the chosen address.

  • Enter the GPS coordinates of the building in the Latitude and Longitude fields. If you use this method, you do not need to enter an address.

For this deployment guide, enter the address 560 McCarthy Boulevard, Milpitas, California 95035, which is configured for Building 23.

Step 5

Click Add.

For this deployment guide, repeat Step 1 through Step 5 to add a second building, Building 24, to the Milpitas area.


Create a Floor in a Building

AP locations and wireless coverage (heatmaps) can be displayed from the floor maps. Floors are referenced during wireless provisioning.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

Click + Add Site > Add Floor.

The Add Floor dialog box is displayed.

The Add Floor dialog box shows the various configurable fields: floor name, site, type (RF model), floor number, floor type, thickness, floor image, width (ft), length (ft), and height (ft).

Step 3

In the Add Floor dialog box, enter the Floor Name and choose the desired area from the Site drop-down list.

For this deployment guide, enter Floor 1 for the Floor Name. For the Site, choose Milpitas | Global/US, and for the Building, choose Building 23 | Global/US/Milpitas/.

Step 4

Choose the appropriate space type from the Type (RF Model) drop-down list and enter the associated Floor Number.

Step 5

Choose the appropriate floor type from the Floor Type drop-down list and enter the associated Thickness (ft).

Step 6

Add the floor plan to the Floor Image area using one of the following methods:

  • Drag and drop the floor plan file into the Floor Image area.

  • Click Upload file and choose the floor plan file that you want to upload.

Note

If you have floor map diagrams in DXF, DWG, JPG, GIF, or PNG formats, you can add them to any defined floors. If you import a map archive that has been exported from Cisco Prime Infrastructure, ensure that the site hierarchy configured in Cisco DNA Center is identical to the site hierarchy configured in Cisco Prime Infrastructure.

Step 7

Click the Width (ft) radio button and enter the floor width in feet.

Step 8

Click the Length (ft) radio button and enter the floor length in feet.

Step 9

In the Height (ft) field, enter the ceiling height in feet.

Note

Adding the floor width, floor length, and ceiling height allows you to scale the floor plan correctly, which affects wireless coverage (heatmaps) and AP positioning.

For this deployment guide, enter 200 for the Width (ft). For the Length (ft), enter 275, and for the Height (ft), enter 10.

Step 10

Click Add.

For this deployment guide, repeat Step 1 through Step 10 three times to add Floor 2 to Building 23, Floor 1 to Building 24, and Floor 2 to Building 24.


Create and Position a Planned AP in Cisco DNA Center

There are three ways to get a planned AP on a floor map:

  • Create a planned AP in Cisco DNA Center UI

  • Import a map that has been exported from Cisco Prime Infrastructure

  • Import a map that has been exported from Ekahau

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

In the left hierarchy pane from the Global drop-down list, choose the desired floor for the AP.

Step 3

Click Add/Edit.

Step 4

From the Planned AP Models drop-down list, click Add model.

The Floor 1 map shows the planned AP model for Floor 1.

Step 5

In the Select AP models to add dialog box, choose the AP model from the drop-down list.

Step 6

Click Add AP models.

Step 7

From the Planned AP Models drop-down list, choose the desired AP model.

Step 8

In the floor map, move your cursor to the desired location of the AP and click the location.

Step 9

In the Edit Planned AP slide-in pane, ensure the Planned AP Name matches the real AP host name.

If a red octagon with an X is displayed, choose an Antenna from the Antenna drop-down list.

Step 10

Click Save.


Import a Map from Cisco Prime Infrastructure

Before you begin

This section assumes that the map has already been exported from Cisco Prime Infrastructure. For more information, see the "Export Maps Archive" topic in the Cisco Prime Infrastructure 3.10 User Guide.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

In the left hierarchy pane, choose Global.

Cisco Prime Infrastructure maps can be imported at the Global level.

Step 3

Click Import > Import Maps.

The Cisco DNA Center user interface shows the global map and the functionality for importing maps.

Step 4

In the Import Maps dialog box, import the map using one of the following methods:

  • Click Choose a file and choose the map file that you want to upload.

  • Drag and drop the map file into the Import Maps upload area.

Step 5

Click Import.


Export a Map from Cisco DNA Center as an Ekahau Project File

To create and position a planned AP using Ekahau, first create the sites in Cisco DNA Center and export the sites as an Ekahau project. Then, create the planned AP in Ekahau and save the AP as an Ekahau project. Finally, import the Ekahau project back into Cisco DNA Center.


Note


You can only export an Ekahau project file at a non-nested site level, which means there can be only one site with buildings within the chosen site.


The following steps explain this process:

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

In the left hierarchy pane, choose the appropriate site for your map.

For this deployment guide, choose Milpitas.

Step 3

Hover your cursor over the ellipsis icon (...) and choose Export Maps.

The Cisco DNA Center UI displays the map for Milpitas and shows the option to export maps.

Step 4

In the Export Maps dialog box, enter the desired file name and click the Ekahau Project radio button.

The Export Maps dialog box shows the project file name and the export format options: Ekahau Project and Prime.

Step 5

Click Export.


Import a Map from Ekahau

Before you begin
The maps imported from Ekahau are in Ekahau project file format. Ensure that the map is imported from the same site level at which the map was exported. For example, if the map was exported from the Milpitas site, you must import the map from Milpitas.
Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

In the left hierarchy pane, choose the appropriate site for your map.

For this deployment guide, choose Milpitas.

Step 3

Hover your cursor over the ellipsis icon (...) and choose Import Ekahau Project.

The Cisco DNA Center UI displays the map for Milpitas and shows the option to import an Ekahau project.

Step 4

In the Import Ekahau Project dialog box, import the map using one of the following methods:

  • Click Choose a file and choose the project file that you want to upload.

  • Drag and drop the map file into the Import Ekahau Project upload area.

Step 5

Click Import.


Configure Network Services for Network Operation

This section explains how to configure AAA, DHCP, DNS, NTP, SNMP, and syslog services that align with the site hierarchy in Cisco DNA Center. If the services use the same servers across the entire site hierarchy, you can configure the services globally. The inheritance properties of the site hierarchy allow global settings to be available to all sites. Differences for individual sites can then be applied on a site-by-site basis. This guide shows the network services created globally.

Procedure


Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Network.

Step 2

In the left hierarchy pane, choose Global.

Step 3

Click + Add Servers.

Step 4

In the Add Servers dialog box, check the AAA check box and the NTP check box.

This guide does not require the deployment of Image Distribution or Stealthwatch Flow Destination, so do not check the Image Distribution check box or the Stealthwatch Flow Destination check box.

Step 5

Click OK.

An AAA server and an NTP server are now displayed in the Network window.

Step 6

Configure the relevant fields for the AAA Server.

For both network devices and wireless clients, this design and deployment guide uses Cisco ISE as the AAA server (which uses the RADIUS protocol). For this guide, the following fields were configured for the AAA Server.

Table 5. AAA Server Configuration
Field                                   Value
Network                                 Checked
Client/Endpoint                         Checked
Network > Servers                       ISE
Network > Protocol                      TACACS
Network > Network                       172.23.240.152
Network > IP Address (Primary)          10.4.48.152
Network > Shared Secret                 (not shown)
Client/Endpoint > Servers               ISE
Client/Endpoint > Protocol              RADIUS
Client/Endpoint > Network               172.23.240.152
Client/Endpoint > IP Address (Primary)  10.4.48.152
Client/Endpoint > Shared Secret         (not shown)

Figure 4. AAA Server Configuration in Cisco DNA Center
The AAA Server section displays the configuration options for the AAA server.

Step 7

Configure the relevant fields for the DHCP Server.

This design and deployment guide uses a single Microsoft Active Directory (AD) server, which functions as both the DNS and DHCP servers for the network. For this guide, the following field was configured for the DHCP Server.

Table 6. DHCP Server Configuration
Field     Value
DHCP      10.4.48.9

Figure 5. DHCP Server Configuration in Cisco DNA Center
The DHCP Server section displays the configuration option for the DHCP server.

Step 8

Configure the relevant fields for the DNS Server.

Because this design and deployment guide uses a lab network, the DNS Server configuration only used a single DNS domain. For this guide, the following fields were configured for the DNS Server.

Table 7. DNS Server Configuration
Field          Value
Domain Name    cagelab.local
Primary        10.4.48.9

Figure 6. DNS Server Configuration in Cisco DNA Center
The DNS Server section displays the configuration options for the DNS server.

Step 9

Configure the relevant fields for the NTP Server.

For production networks, multiple NTP servers can be added for resiliency and accuracy. Time synchronization within a network is essential for any logging functions, as well as secure connectivity such as SSH. Because this design and deployment guide uses a lab network, the NTP Server configuration only used a single NTP server. For this guide, the following fields were configured for the NTP Server.

Table 8. NTP Server Configuration
Field         Value
IP Address    10.4.48.17
Time Zone     GMT

Figure 7. NTP Server Configuration in Cisco DNA Center
The NTP Server section displays the configuration options for the NTP server.

Step 10

Choose the desired time zone from the Time Zone drop-down list.

Because this design and deployment guide uses a lab network, a single time zone is used for the site hierarchy. In a production network, each site within the site hierarchy would reflect the time zone of the location.

Step 11

For the Message of the day, check the Do not overwrite the existing MOTD banner on the device check box or enter your desired message in the text box.

The Message of the day field controls the message displayed when logging in to the network device. This setting is not applicable to this design and deployment guide, so for this guide, the check box was checked for Do not overwrite the existing MOTD banner on the device.

Step 12

Click Save.

Step 13

At the top of the window, click Telemetry.

Step 14

From SNMP Traps, configure the SNMP trap server.

This design and deployment guide uses Cisco DNA Center as the SNMP server. If you check the Use Cisco DNA Center as SNMP server check box, SNMP trap information will be sent to Cisco DNA Center for Cisco AI Network Analytics. For this guide, the following fields were configured for the SNMP server.

Table 9. SNMP Server Configuration
Field                                   Value
Use Cisco DNA Center as SNMP server     Checked
SNMP > IP Address                       (not shown)

Figure 8. SNMP Server Configuration in Cisco DNA Center
The SNMP Traps section displays the following options for configuration: "Use Cisco DNA Center as SNMP trap server" or "Add an external SNMP trap server."

Step 15

From Syslogs, configure the syslog server.

This design and deployment guide uses Cisco DNA Center as the syslog server. If you check the Use Cisco DNA Center as syslog server check box, syslog information will be sent to Cisco DNA Center for Cisco AI Network Analytics. For this guide, the following fields were configured for the syslog server.

Table 10. Syslog Server Configuration
Field                                   Value
Use Cisco DNA Center as syslog server   Checked
Syslog > IP Address                     (not shown)

Figure 9. Syslog Server Configuration in Cisco DNA Center
The Syslogs section displays the following options for configuration: "Use Cisco DNA Center as syslog server" or "Add an external syslog server."

Step 16

Click Save.


Campus Wireless Deployment Settings

To configure the campus wireless deployment settings, you need to create the following in Cisco DNA Center:

  • Wireless interfaces: The Ethernet interfaces (VLANs) that are used for terminating wireless traffic.

  • Enterprise wireless networks: Consist of the nonguest WLANs/SSIDs for the deployment.

  • Guest wireless networks: Consist of the guest WLANs/SSIDs for the deployment.

  • Wireless radio frequency (RF) profiles: Includes the radio frequency profiles for the deployment.

  • Wireless sensor settings: Wireless sensors provide the ability to run diagnostic tests on the WLAN and perform packet captures. For information about wireless sensors, see Monitor and Operate the Wireless Network.

  • CMX servers: Integration with CMX servers allows the location of wireless clients to be displayed on floor maps. For information about integration with CMX servers, see Monitor and Operate the Wireless Network.

  • Native VLAN: The native VLAN configuration is specific to FlexConnect Access Point (AP) deployments.


    Note


    This deployment guide describes a wireless network with APs that operate in the centralized (local) mode.

Recommendations

When configuring the campus wireless deployment settings, consider the following recommendations:

  • Similar to any production deployment, you must place the APs in a VLAN that is different from the Wireless Management Interface (WMI). If you must configure the APs in the same VLAN as the WMI for staging or testing purposes, Cisco recommends that you limit the number of APs to less than 100.

  • For APs in local mode, the round-trip latency must not exceed 20 milliseconds between the access point and the controller.

  • Use PortFast on AP switch ports for APs in local mode that support only centrally switched WLANs. To configure the switch port for PortFast, set the port as a host port using the switchport host command, or use the spanning-tree portfast command. This configuration allows for a faster AP join process. There is no risk of loops, because local mode APs never directly bridge traffic between VLANs. You can set the port directly to access mode.

  • For APs in Flex mode and local switching, the switch port needs to be in trunk mode for most scenarios. In such cases, use spanning-tree portfast trunk on the switch port.

  • To optimize the TCP client traffic encapsulation in CAPWAP, Cisco recommends that you always enable the TCP Maximum Segment Size (MSS) feature, as it can reduce the overall amount of CAPWAP fragmentation, thereby improving the overall wireless network performance. You must adjust the MSS value depending on the traffic type and Maximum Transmission Unit (MTU) of the Cisco Wireless Controller-to-AP path.

  • In the Cisco Catalyst 9800 Series Wireless Controller, TCP MSS adjust is enabled by default with a value of 1250 bytes, which is considered an acceptable value for most deployments. You can further optimize the value depending on your setup. You must configure this directly on the wireless controller or through the Template Hub.

Configure Wireless Interfaces

In Cisco DNA Center, the enterprise and guest WLANs terminate on the Ethernet VLAN interfaces. For this design and deployment guide, the following table shows the wireless interfaces created for the enterprise and guest WLANs.

Table 11. Wireless Interfaces
Name        VLAN   Usage
employee    160    Employee voice and data VLAN
guest-dmz   125    Guest data VLAN
flex        180    Flex client VLAN

Procedure

Step 1

Log in to Cisco DNA Center using the IP address or the fully qualified domain name of your instance.

For example: https://<Cisco_DNA_Center_IPaddr_or_FQDN>. The credentials (user ID and password) you enter must have SUPER-ADMIN-ROLE or NETWORK-ADMIN-ROLE privileges.

Step 2

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

The Wireless Network Settings dashboard is displayed.

Figure 10. Wireless Network Settings Dashboard
The image displays the Wireless Network Settings dashboard.
Figure 11. Wireless Interfaces Window
The image explains how to enter interfaces within the design or wireless page.

Note

 

Wireless settings are hierarchical. Settings defined at lower levels of the site hierarchy override the settings defined in higher levels. By default, you are taken to the global level, which is the highest level of the site hierarchy. You must define the wireless interfaces at the global level of the site hierarchy.
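The inheritance rule stated here for wireless settings is the same one the Configure Network Services section relies on for AAA, DHCP, DNS and NTP: a site inherits everything from the levels above it and overrides only the keys it defines itself, while wireless interfaces must live at the global level. The following model is an added illustration of that rule, not Cisco DNA Center code. The global values come from this guide (Tables 5 through 11); the Milpitas time zone, the second NTP server 10.4.48.18 for Building 23, and the function and key names are constructed for the example.

```python
"""Site-hierarchy inheritance as described for Network Settings and Wireless
settings in Cisco DNA Center: a lower level overrides only the keys it defines
and inherits the rest. Added illustration; the settings tree mixes the guide's
global values with constructed site overrides."""
from __future__ import annotations

# The guide states that wireless interfaces must be defined at the global level.
GLOBAL_ONLY = {"wireless_interfaces"}

# Constructed settings tree. Only explicitly configured keys appear per site.
SITE_SETTINGS: dict[str, dict] = {
    "Global": {
        "aaa_network": {"server": "ISE", "protocol": "TACACS", "ip": "10.4.48.152"},
        "aaa_client": {"server": "ISE", "protocol": "RADIUS", "ip": "10.4.48.152"},
        "dhcp": ["10.4.48.9"],
        "dns": {"domain": "cagelab.local", "primary": "10.4.48.9"},
        "ntp": ["10.4.48.17"],
        "timezone": "GMT",
        "wireless_interfaces": {"employee": 160, "guest-dmz": 125, "flex": 180},
    },
    # Constructed overrides (not from the guide): a site-local time zone and a
    # second NTP server for one building.
    "Milpitas": {"timezone": "America/Los_Angeles"},
    "Building 23": {"ntp": ["10.4.48.17", "10.4.48.18"]},
    "Floor 1": {},
}
PARENT = {"Milpitas": "Global", "Building 23": "Milpitas", "Floor 1": "Building 23"}


def site_path(site: str) -> list[str]:
    """Return the hierarchy path from Global down to `site`."""
    path = [site]
    while path[-1] in PARENT:
        path.append(PARENT[path[-1]])
    return list(reversed(path))


def placement_violations(tree: dict[str, dict]) -> list[str]:
    """Report global-only keys that a site below Global tries to define."""
    return [f"{level}: {key}"
            for level, overrides in tree.items() if level != "Global"
            for key in sorted(GLOBAL_ONLY.intersection(overrides))]


def resolve_settings(site: str, tree: dict[str, dict] = SITE_SETTINGS) -> dict:
    """Walk Global -> site; each lower level overrides the keys it defines.

    Raises ValueError if a global-only key is defined below Global, mirroring
    the guide's rule for wireless interfaces.
    """
    violations = placement_violations(tree)
    if violations:
        raise ValueError(f"global-only settings defined below Global: {violations}")
    effective: dict = {}
    for level in site_path(site):
        effective.update(tree.get(level, {}))
    return effective


def setting_origin(site: str, key: str, tree: dict[str, dict] = SITE_SETTINGS) -> str | None:
    """Return the lowest hierarchy level that defines `key` for `site`."""
    origin = None
    for level in site_path(site):
        if key in tree.get(level, {}):
            origin = level
    return origin


if __name__ == "__main__":
    # Show the effective settings for Floor 1 and where each one comes from.
    for key, value in resolve_settings("Floor 1").items():
        print(f"{key:<20} {value!s:<60} (from {setting_origin('Floor 1', key)})")
```

Running the block shows that Floor 1 picks up the time zone from Milpitas and the NTP list from Building 23 while DNS, DHCP and AAA still come from Global, which is exactly the behaviour to expect when a site-specific override is added to a production hierarchy.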

Step 3

Click Add next to Wireless Interfaces.

The New Wireless Interface slide-in pane is displayed.

Figure 12. New Wireless Interface Slide-in Pane
Image displays the new Wireless Interface panel.

Step 4

Enter the Interface Name and VLAN ID for the wireless interface corresponding to the enterprise VLAN (employee), and then click Add.

Repeat this procedure to add the wireless interface for the guest VLAN (guest-dmz). The two new wireless interfaces are displayed in the Wireless Network Settings dashboard.


Configure Enterprise Wireless SSID

Enterprise wireless networks are the nonguest WLANs/SSIDs that are available for broadcast across the deployment, and you must define these wireless networks at the global level of the site hierarchy. Once defined, you can apply the enterprise wireless networks to wireless profiles, and then you can assign wireless profiles to one or more sites within the hierarchy.


Note


Cisco recommends limiting the number of Service Set Identifiers (SSIDs) configured on the controller. You can configure 16 simultaneous WLANs/SSIDs (per radio on each AP). Each WLAN/SSID needs separate probe responses and beaconing transmitted at the lowest mandatory rate, and the RF pollution increases as more SSIDs are added.

Some smaller wireless stations such as PDAs, Wi-Fi phones, and barcode scanners cannot cope with a high number of Basic SSIDs (BSSIDs) over the air, resulting in lockups, reloads, or association failures. Cisco recommends that you have one to three SSIDs for an enterprise and one SSID for high-density designs. By using the AAA override feature, you can reduce the number of WLANs/SSIDs while assigning individual per-user VLANs and settings in a single SSID scenario.


For this deployment guide, a single enterprise WLAN/SSID named lab3employee is provisioned.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 2

Click SSIDs.

Step 3

Hover your cursor over + Add and choose Enterprise.

The Basic Settings window is displayed.

Figure 13. Basic Settings Window to Create an Enterprise Wireless SSID
Creating an Enterprise Wireless Network SSID.
Figure 14. Security Settings for the Enterprise SSID
Set the Security Settings for Enterprise SSID.
Figure 15. AAA Server for the Enterprise SSID
Set AAA Server for the Enterprise SSID.
Figure 16. Advanced Settings for the Enterprise SSID
Advanced Settings for Enterprise SSID.
Figure 17. Additional Advanced Settings for the Enterprise SSID
Additional Advanced Settings for Enterprise SSID.

Note

 

Enabling the neighbor list (802.11k) may cause some legacy devices to react incorrectly to unknown information. Most devices will ignore the 802.11k information (even if they do not support it), but a disconnection or a failure to associate may occur for some devices. It is advisable to test before enabling this option.

In scenarios where clients move in and out of coverage areas, or where the client is battery operated and may go to sleep frequently, consider increasing the idle timeout to 3600 seconds (60 minutes) to reduce the likelihood of client deletion.

For information about features that can be configured for enterprise wireless networks via Cisco DNA Center, see Enterprise Wireless Network Features Configurable via Cisco DNA Center.

Step 4

Enter the information for the Basic Settings and click Next.

The next screen in the workflow is displayed. You can either attach the enterprise wireless network to an existing wireless profile, or you can create a new wireless profile and attach the enterprise wireless network.

Note

 

For information about the settings for the enterprise wireless network configured for this deployment guide, see Enterprise Wireless Network Settings Configured in the Deployment Guide.

Figure 18. Associate SSID to Profile
Add Profile to Associate to SSID.

Step 5

Click + Add Profile to create and add a new wireless profile.

The Create a Wireless Profile side panel is displayed.

Figure 19. Create a New Wireless Profile
Creating a new Wireless Profile.

Step 6

In Profile Name, enter the name of the new wireless profile, and then click Associate Profile.

For this deployment guide, create a wireless profile named Corporate.

Step 7

Click the newly created profile and select the interface to be associated with this profile.

Step 8

Click Save, and then click Next.

Step 9

(Skip this step if SD-Access App is not deployed.) Under Fabric, select No.

The Select Interface field is displayed. This deployment guide only discusses non-SDA wireless deployments using Cisco DNA Center.

Step 10

From the Select Interface drop-down list, choose employee to terminate the lab3employee SSID on the employee VLAN (VLAN 160) created in the previous procedure.

Step 11

Under Guest Anchor option, choose No.

Step 12

Uncheck the FlexConnect Local Switching check box, and then click Save to save an existing profile.

If a profile does not already exist, create a new profile, and click Save.

Step 13

Click Next.

Step 14

Review the summary for the Network Profile, and click Save.

Step 15

From the top-left corner, click the menu icon and choose Design > Network Profiles.

Step 16

In the Wireless Profiles table, from the Sites column, click Assign Site for your desired profile.

For this deployment guide, click Assign Site for the newly created wireless profile, Corporate.

Step 17

In the Global section, click > to display the Milpitas area.

Step 18

Choose the Milpitas area.

All of the child site locations are automatically selected: Building 23 with Floor 1, Floor 2, and Floor 3 and Building 24 with Floor 1, Floor 2, and Floor 3.

Step 19

Click OK to close the site hierarchy side panel.

Step 20

In the Network Profiles summary, under Attach Template(s), click Edit to add CLI-based templates to the enterprise wireless network configuration.

Note

 

You must define all the templates within the Template Editor dashboard of Cisco DNA Center. This design and deployment guide does not discuss the addition of templates, because doing so requires knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. The Cisco DNA Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config.

Step 21

Click Save.

The wireless profile named Corporate is assigned to the Milpitas area. The wireless profile contains the lab3employee SSID, so when wireless controllers and APs are assigned to the Milpitas area, the APs will broadcast the lab3employee SSID.

Step 22

Click Finish to add the lab3employee enterprise wireless network.

The new enterprise wireless network displays in the Wireless Network Settings dashboard.

For information about configuring overrides, see Define Site Override Support.


Enterprise Wireless Network Features Configurable via Cisco DNA Center

Table 12. Enterprise Wireless Network Features Configurable via Cisco DNA Center
Feature Type Description

Wireless Network Name (SSID)

Text Field

The SSID for the WLAN.

WLAN Profile Name

Text Field

Cisco DNA Center considers SSID_Profile to be the default, which is based on the SSID name. You can change the WLAN profile name as per your requirements.

Policy Profile Name

Non Editable

Policy Profile Name is the same as the WLAN Profile Name and is not editable.

Based on the WLAN profile name, Cisco DNA Center automatically generates the policy profile name for the Cisco Catalyst 9800 Series Wireless Controller.

BROADCAST SSID

On/Off Toggle

Determines whether the SSID will be broadcast in wireless beacons and probe responses.

SSID STATE

On/Off Toggle

Use the toggle button to turn on or turn off the radios on the APs. When the Admin Status is disabled, the APs remain associated with the wireless controller and are accessible, but the APs still require licenses.

Sensor

On/Off Toggle

Ensure that Sensor is disabled.

WIRELESS OPTION

Radio Button

Determines in which RF bands the SSID will be broadcast. The following wireless options are available:

  • Multiband operation (2.4 GHz, 5 GHz, and 6 GHz).

  • Multiband operation with band select. Band selection enables client radios that are capable of operating in both the 2.4 GHz and 5 GHz band to move to the typically less congested 5 GHz band by delaying probe responses on the 2.4 GHz channels.

  • 5 GHz only.

  • 2.4 GHz only.

  • 6 GHz only.

LEVEL OF SECURITY

Radio Button

Determines the Layer 2 (L2) security settings for the WLAN. Choose the encryption and authentication type for the network. The sites, buildings, and floors inherit settings from the global hierarchy. You can override the level of security at the site, building, or floor level. The following choices are available:

  • Enterprise: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes.

    Note

     

    Wi-Fi Protected Access 2 (WPA2) uses the stronger Advanced Encryption Standard (AES) algorithm in Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP).

    WPA3 is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides higher-grade security protocols for sensitive data networks.

    For multiband operation using only 2.4 GHz and 5 GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4 GHz, 5 GHz, and 6 GHz bands, you must enable WPA3 and disable WPA2 for the 6 GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

  • Personal: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes. By default, the WPA2 check box is enabled. If you choose Personal, enter the passphrase key in the Passphrase field. This key is used as the pairwise master key (PMK) between the clients and authentication server.

    Note

     

    WPA3-Personal brings better protection to individual users by providing more robust password-based authentication, making the brute-force dictionary attack much more difficult and time-consuming.

    For WPA2-Personal, you can override a preshared key (PSK) at the site, building, or floor level. If you override a PSK at the building level, the subsequent floors inherit the new settings. For information, see Preshared Key Override.

    For multiband operation using only 2.4-GHz and 5-GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4 GHz, 5 GHz, and 6 GHz bands, you must enable WPA3 and disable WPA2 for the 6 GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

    (Optional) For WPA2-Personal, do the following to configure multi-preshared key (MPSK) support:

    1. Click Configure MPSK.

    2. In the Configure MPSK dialog box, click Add to an MPSK. You can add up to five MPSKs.

    3. From the Priority drop-down list, choose a priority.

      Note

       

      If the priority 0 key is not configured in central web authentication (CWA) flex mode, client connection to the WLAN may fail.

    From the Passphrase Type drop-down list, choose a passphrase type.

    4. In the Passphrase field, enter a passphrase.

    5. Click Save.

    MPSK applies to the Layer 2 security configuration for WPA2-Personal.

  • Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to redirect the clients to an open-secured SSID. The open-secured policy provides the least security.

    Note

     

    Fast Transition is not applicable for open-secured SSID.

  • Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.

Primary Traffic Type

Drop Box

For Catalyst 9800 Series Wireless Controllers, the setting applies a precious metals QoS SSID policy in both the upstream and downstream direction for the WLAN/SSID. Precious metals policies control the maximum DSCP marking within the CAPWAP header as traffic is tunneled between the AP and the Cisco Wireless Controller in centralized (local mode) designs.

The following choices are available:

  • VoIP (Platinum): QoS on the wireless network is optimized for wireless voice and data traffic.

  • Video (Gold): QoS on the wireless network is optimized for video traffic.

  • Best Effort (Silver): QoS on the wireless network is optimized for wireless data traffic only.

  • Non-real Time (Bronze): QoS on the wireless network is optimized for low-bandwidth usage.

Fastlane

Check Box

You can check this check box only when the type of Enterprise Network is Voice and Data.

For the Catalyst 9800 Series Wireless Controller, the Fastlane check box enables Auto QoS in Fastlane mode. Auto QoS in Fastlane mode configures the Fastlane EDCA profile for both the 5 GHz and 2.4 GHz bands. However, no precious metals QoS SSID policy is applied to the WLAN/SSID when the Fastlane check box is selected.

Configure AAA

Link

Click Configure AAA to add and configure the AAA servers for the enterprise wireless network SSID. Choose the Authentication, Authorization, and Accounting server from the drop-down list.

Click + to add a server.

Note

 

You can configure a maximum of six AAA servers for an SSID of an enterprise wireless network for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches.

From the Additional Server drop-down list, choose the server IP address.

To use the AAA server for accounting, check the Copy Same Servers for Accounting check box.

To configure a different accounting server for an SSID, do the following:

  1. From the Configure Accounting Server drop-down list, you can either search for a server IP address by entering its name in the Search field or choose the accounting server IP address.

  2. Click + to add a server.

    Note

     

    You can configure a maximum of six accounting servers for an SSID of an enterprise wireless network for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches.

  3. From the Additional Server drop-down list, choose the server IP address.

Cisco DNA Center allows you to override the set of AAA server configurations for the SSID at the site level. For each set of overridden AAA settings per SSID, Cisco DNA Center creates a new WLAN profile with the corresponding AAA servers mapped to it. If an SSID is overridden for different floors, and you make changes in the AAA servers, Cisco DNA Center creates the new WLAN profiles equal to the number of floors.

You must reprovision the device to override the AAA servers at the site level.

Deny RCM Clients

Check Box

Check the check box to deny clients with randomized MAC addresses.

Mac Filtering

Check Box

This is an additional L2 security setting that applies MAC address filtering to the WLAN.

AAA Override

Check Box

Check this check box to enable the AAA override functionality.

By default, this check box is dimmed. You must configure an AAA server using the Configure AAA option to use this check box.

Enable Posture

Check Box

Check this check box to enable posture assessment. The Pre-Auth ACL List Name drop-down list appears when you enable posture. Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies. This allows you to control clients' access to protected areas of a network.

Pre-Auth ACL List Name

Drop Box

Choose the ACL list name that you already created to map with the SSID.

Note

 

AAA configuration is mandatory for posturing. Click Configure AAA to add AAA servers for the enterprise wireless network SSID.

Advanced Settings – FAST TRANSITION (802.11r)

Radio Button and Check Box

Additional L2 security setting for the WLAN that controls 802.11r Fast Transition (FT). The following radio button choices are available:

  • Adaptive: This setting allows devices that support 802.11r Fast Transition to use it, as well as other 802.11r and non-802.11r devices to associate in a non-Fast Transition state. This is the default setting.

  • Enable: This setting enables 802.11r Fast Transition.

  • Disable: This setting disables 802.11r Fast Transition.

Over the DS: Check box that enables Over-the-DS (Distribution System) Fast Transition. With Over-the-DS Fast Transition, the wireless station communicates with the target AP through the current AP, which is then forwarded through the wireless controller. The Cisco-Apple best practice is to disable Over-the-DS, even though the default is enabled.

Advanced Settings – Protected Management Frame (802.11w)

Radio Button

The options available under Protected Management Frame (802.11w) vary based on the settings that you chose under Level of Security. The following options may be available:

  • Optional

  • Required

  • Disabled

The Required option is mandatory for WPA3.
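The Level of Security notes above and this 802.11w rule interact: which bands an SSID actually operates on depends on the WPA2/WPA3 combination and the controller release, and WPA3 in turn requires Protected Management Frames. The following checker is an added example, not Cisco DNA Center code, that encodes the rules as this table states them (WPA2 required for 2.4/5 GHz-only operation; WPA3 enabled and WPA2 disabled on Cisco IOS XE 17.7 or later for 6 GHz; 802.11w Required for WPA3; a passphrase for Personal; Fast Transition not applicable to an open-secured SSID). The SsidSecurity dataclass, the wireless option keys and the requirement that an Enterprise SSID has at least one AAA server configured are this example's own names and assumptions.

```python
"""Consistency checks for an SSID's Level of Security, band and 802.11w
settings, following the rules given in the feature table. Added example, not
Cisco DNA Center code; the SsidSecurity fields and option keys are this
example's own names."""
from __future__ import annotations

from dataclasses import dataclass, field

# Wireless Option -> bands the option can use (6 GHz only with WPA3-only, below).
BANDS = {
    "multiband": {"2.4", "5", "6"},
    "multiband_band_select": {"2.4", "5", "6"},
    "5ghz": {"5"},
    "2.4ghz": {"2.4"},
    "6ghz": {"6"},
}
WPA_LEVELS = {"enterprise", "personal"}


@dataclass
class SsidSecurity:
    level: str                          # enterprise | personal | open_secured | open
    wireless_option: str                # a key of BANDS
    wpa2: bool = False
    wpa3: bool = False
    pmf: str = "optional"               # optional | required | disabled (802.11w)
    fast_transition: str = "adaptive"   # adaptive | enable | disable (802.11r)
    passphrase: str = ""                # PSK for Personal
    aaa_servers: list[str] = field(default_factory=list)
    ios_xe_version: tuple[int, int] = (17, 9)   # controller release, e.g. 17.9


def six_ghz_operational(s: SsidSecurity) -> bool:
    """6 GHz is operational only with WPA3 enabled, WPA2 disabled, IOS XE >= 17.7."""
    return s.wpa3 and not s.wpa2 and s.ios_xe_version >= (17, 7)


def operational_bands(s: SsidSecurity) -> set[str]:
    """Bands the SSID is actually broadcast on for WPA-based security levels.

    For Open and Open Secured the table states no band restriction, so the
    configured bands are returned unchanged (assumption of this example).
    """
    bands = set(BANDS.get(s.wireless_option, ()))
    if s.level in WPA_LEVELS and not six_ghz_operational(s):
        bands.discard("6")
    return bands


def validate_security(s: SsidSecurity) -> list[str]:
    """Return the list of rule violations (empty when the settings are consistent)."""
    if s.wireless_option not in BANDS:
        return [f"unknown wireless option {s.wireless_option!r}"]
    problems: list[str] = []
    bands = operational_bands(s)

    if s.level in WPA_LEVELS:
        if not (s.wpa2 or s.wpa3):
            problems.append("enable WPA2 or WPA3 (or both)")
        elif not bands:
            problems.append("no operational band: 6 GHz-only needs WPA3 enabled, "
                            "WPA2 disabled and Cisco IOS XE 17.7 or later")
        elif "6" not in bands and not s.wpa2:
            problems.append("2.4/5 GHz-only operation requires WPA2 (WPA3 optional)")
        if s.wpa3 and s.pmf != "required":
            problems.append("802.11w Protected Management Frame must be Required for WPA3")
    if s.level == "personal" and not s.passphrase:
        problems.append("Personal requires a passphrase (PSK)")
    if s.level == "enterprise" and not s.aaa_servers:
        problems.append("Enterprise requires at least one AAA server (Configure AAA)")
    if s.level == "open_secured" and s.fast_transition == "enable":
        problems.append("Fast Transition is not applicable for an open-secured SSID")
    return problems


if __name__ == "__main__":
    # The guide's lab3employee SSID: Enterprise, multiband, ISE as AAA server.
    lab = SsidSecurity("enterprise", "multiband", wpa2=True, wpa3=True,
                       pmf="required", aaa_servers=["10.4.48.152"])
    print("bands:", sorted(operational_bands(lab)), "problems:", validate_security(lab))
```

A useful consequence the checker makes visible: enabling both WPA2 and WPA3 on a multiband SSID is valid, but it silently drops the 6 GHz band, so a Wi-Fi 6E rollout needs a WPA3-only SSID with 802.11w set to Required.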

Advanced Settings – Session timeout

Check Box and Integer Field

Configures the maximum time for a client session to remain active before requiring reauthorization. The range is between 300 and 86,400 seconds (5 minutes and 24 hours). The default is enabled with a time of 1800 seconds (30 minutes).

Advanced Settings – Client Exclusion

Check Box and Integer Field

Configures the amount of time a wireless client is excluded from attempting to authenticate after the maximum number of authentication failures has been exceeded. The default is enabled with a time of 180 seconds (3 minutes).

Advanced Settings – MFP CLIENT PROTECTION

Radio Button

Additional security setting that controls the use of 802.11w Protected Management Frames for the WLAN. The following radio button choices are available:

  • Optional: This setting allows wireless stations to use the 802.11w Protected Management Frames that they support and allows other wireless stations that do not support PMFs to coexist on the WLAN. This is the default setting.

  • Required: The wireless client is required to use Protected Management Frames on the WLAN.

  • Disabled: Protected Management Frames are disabled on the WLAN.

Advanced Settings – 11k Neighbor List

Check Box

Controls the use of 802.11k Assisted Roaming neighbor lists for the WLAN, which can limit the need for passive and active scanning by the wireless client. The default setting is enabled for the band (5 GHz or 2.4 GHz) with which the client is associated.

Advanced Settings – Client User Idle Timeout

Check box

Client User Idle Timeout: Check this check box to set the user idle timeout for a WLAN.

Note

 

If the data sent by the client is more than the threshold quota specified as the user idle timeout, the client is considered to be active and the wireless controller begins another timeout period.

By default, Client User Idle Timeout is enabled with a user idle timeout of 300 seconds.

NAS-ID

Drop-down list

From the NAS-ID Opt drop-down list, choose the required type of network access server identifier (NAS ID).

To specify a custom script for the NAS ID, choose Custom Option from the NAS-ID Opt drop-down list and enter the custom script in the corresponding Custom Script for Opt field. You can enter up to 31 alphanumeric characters, special characters, and spaces for the custom script. Cisco DNA Center does not support the special characters ?, ", and < or trailing spaces in the custom script.

Note

 

Cisco DNA Center supports NAS ID with custom script only for Catalyst 9800 Series Wireless Controllers that run Cisco IOS XE Release 17.7 or later.

(Optional) Click + to add another NAS ID. You can add up to three NAS IDs.

Advanced Settings – Coverage Hole Detection

Toggle button

Use the Coverage Hole Detection toggle button to enable or disable the coverage hole detection functionality.

Advanced Settings – Client Rate Limit

Integer Field

Configure Client Rate Limit: Enter a value for the client rate limit in bits per second. The valid range is from 8000 through 100,000,000,000. The value must be a multiple of 500.

The following are the valid ranges for client rate limit on Cisco IOS XE devices:

  • The valid range for the Cisco Catalyst 9800-L Wireless Controller, the Cisco Catalyst 9800-40 Wireless Controller, and the Cisco Catalyst 9800-80 Wireless Controller is from 8000 through 67,000,000,000 bits per second.

  • The valid range for the Cisco Catalyst 9800-CL Wireless Controller is from 8000 through 10,000,000,000 bits per second.

  • The valid range for the Cisco Embedded Wireless Controller on Catalyst Access Points is from 8000 through 2,000,000,000 bits per second.

  • The valid range for the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches is from 8000 through 100,000,000,000 bits per second.

Advanced Settings – Directed Multicast Service

Check box

Directed Multicast Service: Check this check box to enable directed multicast service.

Note

By default, Directed Multicast Service (DMS) is enabled. With DMS, the client requests that the AP transmit the required multicast packets as unicast frames, which allows the client to sleep longer and saves battery power.

Advanced Settings – Radius Client Profiling

Toggle button

For RADIUS Client Profiling, use this toggle button to enable or disable RADIUS profiling on a WLAN.

Note

At least one AAA or PSN server is required to enable this feature.

Advanced Settings – CCKM

Toggle button

Configure CCKM: Use this toggle button to enable CCKM as the authentication key management option in Cisco DNA Center.

Timestamp Tolerance: This field is visible only if you enable CCKM. Enter the CCKM tolerance level.

Note

You can configure CCKM only if the Layer 2 security of the SSID is Enterprise with WPA2 or WPA2+WPA3.

Advanced Settings – 11v BSS TRANSITION SUPPORT

Multiple Check Boxes and Integer Field

Additional settings for support of 802.11v Wireless Network Management (WNM) for the WLAN. The following settings are available:

BSS Max Idle Service: Check box that enables the maximum idle service for the WLAN. Allows APs to send the timeout value to the wireless client within association and reassociation response frames. The default setting is enabled.

Enterprise Wireless Network Settings Configured in the Deployment Guide

Table 13. Enterprise Wireless Network Settings Configured in the Deployment Guide

Feature: Settings

Wireless Network Name (SSID): lab3employee

Broadcast SSID: On

Admin Status: On

Wireless Option: Multi band operation (2.4 GHz, 5 GHz, 6 GHz)

Primary Traffic Type: VoIP (platinum)

Configure AAA: AAA configured

Level of Security: WPA2

AAA Override: Enabled

Enable Posture: Unchecked

Deny RCM Clients: Unchecked

Advanced Security Options - Mac Filtering: Unchecked

Advanced Security Options - Fast Transition: Adaptive

Type of Enterprise Network: Voice and Data

Fastlane: Unchecked

Advanced Settings – FAST TRANSITION (802.11r): Adaptive, Over the DS Checked

Advanced Settings – Mac Filtering: Checked

Advanced Settings – Session timeout: Checked, 1800 seconds

Advanced Settings – Client Exclusion: Checked, 180 seconds

Advanced Settings – MFP CLIENT PROTECTION: Optional

Advanced Settings – Protected Management Frame: Disabled

Advanced Settings – 11k Neighbor List: Checked

Advanced Settings – Radius Client Profiling: Unchecked

Advanced Settings – Configure Client Rate Limit: Blank

Advanced Settings – Coverage Hole Detection: Checked

Configure CCKM: Unchecked

NAS-ID: Blank

Advanced Settings – 11v BSS TRANSITION SUPPORT:

  BSS Max Idle Service – Checked

  Client Idle User Timeout – Checked, 300 seconds

  Directed Multicast Service – Checked

Define Site Override Support

WLAN profiles created with different AAA settings can be assigned at different site levels. A site-level override pushes a new WLAN profile to the wireless controller. You can override the global SSID with settings that apply at the area, building, or floor level. Perform the following procedure to configure the overrides.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 2

Click SSIDs.

Step 3

Expand the sites, and then click on the desired site in the left pane.

Step 4

Select lab3employee SSID, and then click Edit.

Figure 20. SSID Site Override Settings
The image displays SSID Site Override Settings.

Step 5

Click Next and configure the override settings for the selected site.

Figure 21. Override Settings for a Site
The image displays override settings for a site.

Step 6

Click Save in the last page to assign the profile to the site.

The next time the wireless controller is provisioned, the configuration will be pushed to the wireless controller managing that site.

Note

Cisco recommends updating the WLAN Profile Name when making any site-level override for the SSID. If the same WLAN profile name is already configured in the wireless controller that manages the selected sites, provisioning fails.

Only L2 Security, AAA Configuration, NAS-ID, Mac Filtering, AP Impersonation, Radius Client Profiling, CCKM, MPSK, Protected Management Frame (802.11w), AAA Override, and WLAN Profile Name can be overridden at the site levels. To edit other parameters, navigate to the global level.
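The override rules above (settings inherited from the global level and replaced by the most specific site override, only certain parameters overridable, and a provisioning failure when the same WLAN profile name would have to carry different settings on one controller) can be checked before anything is pushed. The following is an added example written for this guide, not Cisco DNA Center code: the site paths follow the guide's Milpitas hierarchy, while the SSID name, AAA server addresses, controller name and override contents are constructed for the example.

```python
"""Resolve site-level SSID overrides and flag WLAN profile name clashes.

Added example for this guide; it is not Cisco DNA Center code. Site paths
follow the guide's Milpitas hierarchy; the SSID settings, server addresses
and controller name are constructed.
"""
from typing import Dict, List, Tuple

Settings = Dict[str, object]

# Parameters the guide says can be overridden below the global level.
OVERRIDABLE = {
    "l2_security", "aaa", "nas_id", "mac_filtering", "ap_impersonation",
    "radius_client_profiling", "cckm", "mpsk", "pmf", "aaa_override",
    "wlan_profile_name",
}

# Constructed global SSID definition.
GLOBAL_SSID: Settings = {
    "ssid": "corp-example",
    "wlan_profile_name": "corp-example_Profile",
    "l2_security": "Enterprise WPA2",
    "aaa": ["192.0.2.10"],
    "aaa_override": True,
}

# Constructed overrides keyed by site path. Building 23 swaps the AAA server
# but keeps the global WLAN profile name, which the guide warns against.
OVERRIDES: Dict[str, Settings] = {
    "Global/Milpitas/Building 23": {"aaa": ["192.0.2.20"]},
    "Global/Milpitas/Building 24/Floor 3": {
        "aaa": ["192.0.2.30"],
        "wlan_profile_name": "corp-example_B24F3",
    },
}

# Constructed: one controller manages every floor in both buildings.
CONTROLLERS: Dict[str, List[str]] = {
    "wlc-example": [f"Global/Milpitas/Building {b}/Floor {f}"
                    for b in (23, 24) for f in (1, 2, 3)],
}


def invalid_override_keys(overrides: Dict[str, Settings]) -> List[Tuple[str, str]]:
    """Overrides that touch parameters only editable at the global level."""
    return [(site, key) for site, ov in overrides.items()
            for key in ov if key not in OVERRIDABLE]


def effective_settings(global_settings: Settings, overrides: Dict[str, Settings],
                       site_path: str) -> Settings:
    """Walk from Global down to site_path; the most specific override wins."""
    result = dict(global_settings)
    parts = site_path.split("/")
    for depth in range(1, len(parts) + 1):
        prefix = "/".join(parts[:depth])
        for key, value in overrides.get(prefix, {}).items():
            if key in OVERRIDABLE:  # non-overridable keys are ignored, as the GUI would
                result[key] = value
    return result


def profile_name_conflicts(global_settings: Settings, overrides: Dict[str, Settings],
                           controllers: Dict[str, List[str]]) -> List[str]:
    """One controller needing two different setting sets under the same WLAN
    profile name is the provisioning failure the guide describes."""
    conflicts = []
    for wlc, floors in controllers.items():
        seen: Dict[str, Settings] = {}
        for floor in floors:
            eff = effective_settings(global_settings, overrides, floor)
            name = str(eff["wlan_profile_name"])
            if name in seen and seen[name] != eff:
                conflicts.append(f"{wlc}: profile {name!r} would differ for {floor}")
            seen.setdefault(name, eff)
    return conflicts


def profile_names(global_settings: Settings, overrides: Dict[str, Settings],
                  controllers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Distinct WLAN profile names each controller would receive."""
    return {wlc: sorted({str(effective_settings(global_settings, overrides, f)["wlan_profile_name"])
                         for f in floors})
            for wlc, floors in controllers.items()}


def renamed_overrides() -> Dict[str, Settings]:
    """The guide's recommendation applied: every override gets its own profile name."""
    fixed = {site: dict(ov) for site, ov in OVERRIDES.items()}
    fixed["Global/Milpitas/Building 23"]["wlan_profile_name"] = "corp-example_B23"
    return fixed


if __name__ == "__main__":
    for c in profile_name_conflicts(GLOBAL_SSID, OVERRIDES, CONTROLLERS):
        print("conflict:", c)
    print("after renaming:", profile_name_conflicts(GLOBAL_SSID, renamed_overrides(), CONTROLLERS))
    print(profile_names(GLOBAL_SSID, renamed_overrides(), CONTROLLERS))
```

With the constructed overrides, the Building 23 override keeps the global profile name, so the controller would need corp-example_Profile with two different AAA server sets; renaming the override's profile clears the conflict and the controller receives three distinct profiles.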


Configure Guest Wireless SSID

Guest wireless networks must be defined at the global level of the site hierarchy. Once defined, you can apply guest wireless networks to wireless profiles. You can then assign wireless profiles to one or more sites within the hierarchy.

For this deployment guide, a single guest wireless network (SSID) named lab3guest is provisioned.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 2

Click SSIDs.

Step 3

Hover your cursor over + Add and choose Guest.

The Basic Settings window is displayed.

Figure 22. Basic Settings Window to Create a Guest Wireless SSID
Create a Guest Wireless SSID.

For information about the features that can be configured for guest wireless networks via Cisco DNA Center, see Guest Wireless Network Features Configurable via Cisco DNA Center.

Step 4

Enter the information for the Basic Settings and click Next.

The next screen in the workflow is displayed. Here, you can attach the guest wireless network to the existing corporate wireless profile.

For information about the settings for the guest wireless network configured for this deployment guide, see Guest Wireless Network Settings Configured in the Deployment Guide.

Figure 23. Create a Guest Wireless Profile
Create a Guest Wireless Profile.

Step 5

Choose the Corporate Wireless profile.

Step 6

Click Edit in the Wireless Profile side panel to add the guest wireless network.

Figure 24. Edit a Wireless Profile Side Panel
Edit a Wireless Profile side panel.

Step 7

Under Fabric, choose No.

Selecting No will automatically cause additional fields to appear.

This deployment guide only discusses non-SDA wireless deployments using Cisco DNA Center.

Step 8

Select Yes next to Do you need a Guest Anchor for this Guest SSID.

This will configure a traditional autoanchor relationship between the enterprise (foreign) and the guest (anchor) wireless controller. Typically, the guest (anchor) wireless controller is located within an Internet Edge DMZ segment of the campus network. If you choose Yes, from the Select Anchor Group drop-down list, choose an anchor group for the SSID.

To create an anchor group, do the following:

  1. From the top-left corner, click the menu icon and choose Design > Network Settings.

  2. Click the Wireless tab.

  3. From the left hierarchy tree, choose Global.

  4. Click Anchor Groups.

    The Anchor Groups window opens.

  5. In the Anchor Group table, click Add.

  6. In the Anchor Group Name field of the Anchor Group slide-in pane, enter the anchor group name.

  7. To add a managed wireless controller as an anchor, click Add Managed WLC and do the following in the Add Managed WLC dialog box:

    1. Check the check box next to the name of the devices that you want to add as anchors.

      To search for a device, in the Search Table search field, enter either the partial name or the full name of the device and press Enter.

    2. Click Add.

  8. (Optional) To add an external wireless controller as an anchor, click Add External WLC and do the following in the Add External WLC dialog box:

    1. In the Device Name field, enter the device name.

    2. From the Device Series drop-down list, choose a device series.

    3. In the Peer IP Address field, enter the peer IP address.

    4. (Optional) In the NAT IP Address field, enter the Network Address Translation (NAT) IP address.

    5. In the MAC Address field, enter the MAC address of the device.

    6. In the Mobility Group Name field, enter the mobility group name.

    7. (Optional) In the Hash field, enter the hash for the Cisco Catalyst 9800 Series Wireless Controller.

      Note

      This field is available for only the Cisco Catalyst 9800-CL Wireless Controllers.

    8. Click Add.

  9. (Optional) To add an existing external wireless controller as an anchor, click Add Existing External WLC and do the following in the Add Existing External WLC dialog box:

    1. Check the check box next to the name of the devices that you want to add as anchors.

      To search for a device, in the Search Table search field, enter either the partial name or the full name of the device and press Enter.

    2. Click Add.

  10. (Optional) To set the priority for an anchor, from the Priority Order drop-down list, choose the priority for the anchor wireless controller.

  11. Click Save.

    For more information, see the "Create an Anchor Group" topic in the Cisco DNA Center User Guide.

Step 9

From the Select Interface drop-down menu, select guest-dmz.

This will terminate guest traffic on the guest-dmz VLAN (VLAN 125).

Step 10

Click Next.

The Portal Customization page is displayed.

Figure 25. Create a Guest Wireless Network Portal Customization
Create a Guest Wireless Network Portal Customization.

Step 11

To add a new guest portal within Cisco ISE, click Create Portal.

The Portal Builder page is displayed.

You have the option to leave without portal creation.

Figure 26. Portal Builder Screen
The image displays the Portal Builder Screen.

Step 12

Enter the necessary information. You must at least name the guest portal.

For this deployment guide, the portal has been named Lab3_Guest_Portal. The drop-down menu in the top center of the Portal Builder allows you to customize the Login Page, Registration Page, Registration Success, and Success Page of the portal. You can customize the color scheme, fonts, page content, logo, and background for the web portal. You can also preview the portal to see what it will look like on a smart phone, tablet, and computer.

Step 13

Click Save to create the new guest portal on the Cisco ISE server and return to the guest wireless network workflow.

The new guest portal is now displayed.

Step 14

Click Next.

The Summary page of Guest SSID Configuration is displayed.

Step 15

Click Save.

The guest wireless SSID (lab3guest) is displayed in the Wireless Network Settings dashboard.

Step 16

Click Sites in network profile summary page to bring up a panel displaying the site hierarchy.

Step 17

Under Global, click > to display the Milpitas area.

Step 18

Select the Milpitas area.

The child site locations, Building 23 - Floor 1, Floor 2, and Floor 3 and Building 24 - Floor 1, Floor 2, and Floor 3, are automatically selected.

Note

It is best practice to only select floors in a wireless network profile assignment. Selecting floors helps you to make changes, like removing a floor from network hierarchy or applying a different wireless network profile for a particular set of floors without significant disruption. If you have different SSIDs on different floors or enable 6E with a different profile per floor, different network profiles might be necessary. If you create different sets of SSIDs on the same floor, you will have to split the floor into multiple, different network profiles.

Step 19

Click OK to close the site hierarchy side panel.

Step 20

Click + Add under Attach Template(s) to add the CLI-based templates to the enterprise wireless network configuration.

You must define all the templates within the Template Editor dashboard of Cisco DNA Center. This design and deployment guide will not discuss the addition of templates because the guide does not require knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. Wireless features not supported by the web-based graphical user interface of Cisco DNA Center may be added through templates.

Step 21

Click Save in the Edit a Wireless Profile side panel to save the edits to the corporate wireless profile.

lab3guest SSID is added to the corporate wireless profile. This ensures that when wireless controllers and APs are assigned to the Milpitas area, the APs will broadcast the lab3guest SSID.

Step 22

Click Save to add the lab3guest guest wireless network to the corporate wireless profile.

Figure 27. Wireless Network Settings Dashboard with Enterprise and Guest SSIDs
Wireless Network Settings dashboard with enterprise and guest SSIDs.

For information about provisioning ISE Settings from Cisco DNA Center, see Provision Cisco ISE Settings from Cisco DNA Center.


Guest Wireless Network Features Configurable via Cisco DNA Center

Table 14. Guest Wireless Network Features Configurable via Cisco DNA Center
Feature Type Description

Wireless Network Name (SSID)

Text Field

The SSID for the WLAN.

WLAN Profile Name

Text Field

By default, Cisco DNA Center derives the WLAN profile name from the SSID name (SSID_Profile). You can change the WLAN profile name as required.

Policy Profile Name

Non Editable

Policy Profile Name is the same as the WLAN Profile Name and is not editable.

Based on the WLAN profile name, Cisco DNA Center automatically generates the policy profile name for the Cisco Catalyst 9800 Series Wireless Controller.

WIRELESS OPTION

Radio Button

Determines in which RF bands the SSID will be broadcast. The following choices are available:

  • Multiband operation (2.4 GHz, 5 GHz, and 6 GHz)

  • Multiband operation with band select. Band selection enables client radios that are capable of operating in both the 2.4 GHz and 5 GHz band to move to the typically less congested 5 GHz band by delaying probe responses on the 2.4 GHz channels.

  • 5 GHz only.

  • 2.4 GHz only.

  • 6 GHz only.

Primary Traffic Type

Drop Box

For Catalyst 9800 Series Wireless Controllers, this setting applies a precious metals QoS SSID policy in both the upstream and downstream direction for the WLAN/SSID. Precious metals policies control the maximum DSCP marking within the CAPWAP header, as traffic is tunneled between the AP and the Cisco Wireless Controller in centralized (local mode) designs.

For Cisco AireOS Wireless Controllers, this setting applies the Platinum QoS profile to the WLAN/SSID. Application Visibility is enabled on the WLAN/SSID, but no AVC profile is applied. The Fastlane EDCA profile is set for both the 802.11a/n/ac (5 GHz) and the 802.11b/g/n (2.4 GHz) radios.

  • VoIP (Platinum): QoS on the wireless network is optimized for wireless voice and data traffic.

  • Video (Gold): QoS on the wireless network is optimized for video traffic.

  • Best Effort (Silver): QoS on the wireless network is optimized for wireless data traffic only.

  • Nonreal Time (Bronze): QoS on the wireless network is optimized for low-bandwidth usage.

Broadcast SSID

On/Off Toggle

Determines whether the SSID will be broadcast in wireless beacons and probe responses. The default setting is on.

SSID STATE

On/Off Toggle

Use this toggle button to turn on or turn off the radios on the APs. When the Admin Status is disabled, the APs remain associated with the wireless controller and are accessible, but the APs still require licenses.

LEVEL OF SECURITY

L2 Security

Radio Button

Determines the Layer 2 (L2) security settings for the WLAN. Choose the encryption and authentication type for the network. The sites, buildings, and floors inherit settings from the global hierarchy. You can override the level of security at the site, building, or floor level.

The following choices are available:

  • Enterprise: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes.

    Note

Wi-Fi Protected Access 2 (WPA2) uses the stronger Advanced Encryption Standard encryption algorithm with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP).

    WPA3 is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides higher-grade security protocols for sensitive data networks.

    For multiband operation using only 2.4 GHz and 5 GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4 GHz, 5 GHz, and 6 GHz bands, you must enable WPA3 and disable WPA2 for the 6 GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

  • Personal: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes. By default, the WPA2 check box is enabled. If you choose Personal, enter the passphrase key in the Passphrase field. This key is used as the pairwise master key (PMK) between the clients and authentication server.

    Note

    WPA3-Personal brings better protection to individual users by providing more robust password-based authentication, making the brute-force dictionary attack much more difficult and time-consuming.

    For WPA2-Personal, you can override a preshared key (PSK) at the site, building, or floor level. If you override a PSK at the building level, the subsequent floors inherit the new settings. For information, see Preshared Key Override.

    For multiband operation using only 2.4 GHz and 5 GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4 GHz, 5 GHz, and 6 GHz bands, you must enable WPA3 and disable WPA2 for the 6 GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

    (Optional) For WPA2-Personal, do the following to configure multi-preshared key (MPSK) support:

    1. Click Configure MPSK.

    2. In the Configure MPSK dialog box, click Add to an MPSK. You can add up to five MPSKs.

    3. From the Priority drop-down list, choose a priority.

      Note

      If the priority 0 key is not configured in central web authentication (CWA) flex mode, the client connection to the WLAN may fail.

      From the Passphrase Type drop-down list, choose a passphrase type.

    4. In the Passphrase field, enter a passphrase.

    5. Click Save.

    MPSK is not supported on Cisco AireOS Wireless Controllers. MPSK applies to the Layer 2 security configuration for WPA2-Personal.

  • Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to redirect the clients to an open-secured SSID. The open-secured policy provides the least security.

    Note

    Fast Transition is not applicable for open-secured SSID.

  • Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.

LEVEL OF SECURITY

L3 security

Radio Button

Determines the Layer 3 security settings for the WLAN. The following options are available:

  • Web Auth: Specifies Web Authentication, where guest devices are redirected to a web portal for authentication. This is the default setting.

  • Open: Specifies an open SSID with no authentication.

AUTHENTICATION SERVER

Drop Box

This selection is only available if Web Auth is selected within LEVEL OF SECURITY. Determines the web portal and authentication server for Web Auth.

  • Central Web Authentication: This setting configures Central Web Authentication (CWA), where the Cisco ISE server defined under System Settings > Settings > Authentication and Policy Servers is both the web portal and the authentication server. This is the default setting.

  • Web Authentication Internal: Web authentication or Web Auth is a Layer 3 security method that allows a client to pass Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) traffic only until the client has passed some form of authentication. For web authentication internal, the client is redirected to a page that is constructed by the Cisco Wireless Controller.

  • Web Authentication External: The client is redirected to the specified URL. Enter a redirect URL in the Web Auth URL field.

  • Web Passthrough Internal: Web passthrough is a solution that is used for guest access and requires no authentication credentials. In web passthrough authentication, wireless users are redirected to the usage policy page when they use the internet for the first time. After accepting the policy, the clients are allowed to use the internet.

  • Web Passthrough External: The client is redirected to the specified URL. Enter a redirect URL in the Web Auth URL field.

  • Open: There is no security at layer 3 level and any device can connect to SSID.

AUTHENTICATION SERVER > ISE Authentication > What kind of portal are you creating today?

Drop-down Menu

The selection is only available if ISE Authentication is chosen. Determines the type of guest portal that will be created within the Cisco ISE server. The following options are available:

  • Self Registered: With this type of portal, guests onboard themselves to the network. This is the default setting.

  • Hotspot: This configures an 802.11u hotspot portal.

AUTHENTICATION SERVER > ISE Authentication > Where will your guests redirect after successful authentication?

Drop-down Menu

This selection is only available if ISE Authentication is selected. Determines what web page is displayed after guests have successfully authenticated to the network. The following options are available:

  • Success Page: A dedicated page you create that indicates authentication was successful. From there, the guest would need to retype the original URL that they were attempting to reach.

  • Original URL: Once authentication is successful, the guest is automatically redirected to the original URL that they were attempting to reach. This is the default setting.

  • Custom URL: Once authentication is successful, the guest is automatically redirected to a URL of your choice.

AUTHENTICATION SERVER > External Authentication > Web Auth URL?

Text Field

This selection is only available if External Authentication is selected. Specifies the URL of the Web Auth server. The guest will be redirected to this URL to be authenticated to the network.

Configure AAA

Link

Click Configure AAA to add and configure the AAA servers for the enterprise wireless network SSID. Choose the authentication, authorization, and accounting server from the drop-down list.

Click + to add a server.

Note

You can configure a maximum of six AAA servers for an SSID of enterprise wireless network for the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches.

From the Additional Server drop-down list, choose the server IP address.

To use the AAA server for accounting, check the Copy Same Servers for Accounting check box.

To configure a different accounting server for an SSID, do the following:

  1. From the Configure Accounting Server drop-down list, you can either search for a server IP address by entering the name in the Search field or choose the accounting server IP address.

  2. Click + to add a server.

    Note

    You can configure a maximum of six accounting servers for an SSID of enterprise wireless network for the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches.

  3. From the Additional Server drop-down list, choose the server IP address.

Cisco DNA Center allows you to override the set of AAA server configurations for the SSID at the site level. For each set of overridden AAA settings per SSID, Cisco DNA Center creates a new WLAN profile with the corresponding AAA servers mapped to it. If an SSID is overridden for different floors, and you make changes in the AAA servers, Cisco DNA Center creates the new WLAN profiles equal to the number of floors.

You must reprovision the device to override the AAA servers at the site level.

Mac Filtering

Check Box

Check this check box to enable MAC-based access control or security in the wireless network.

Note

When MAC filtering is enabled, only the MAC addresses that you add to the wireless LAN are allowed to join the network.

AAA Override

Check Box

Check this check box to enable the AAA override functionality.

By default, this check box is dimmed. You must configure an AAA server using the Configure AAA option to use this check box.

Timeout Settings for Sleeping Clients

Select radio button

If you choose Web Authentication Internal, Web Authentication External, Web Passthrough Internal, or Web Passthrough External, choose one of the following options under Timeout Settings for Sleeping Clients:

  • Always authenticate: Enables authentication for sleeping clients.

  • Authenticate after: Enter the duration for which sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is from 10 minutes through 43,200 minutes, and the default duration is 720 minutes.

Note

Clients with guest access and web authentication are allowed to sleep and wake up without having to go through another authentication process through the login page. You can configure the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is from 10 minutes through 43,200 minutes, and the default is 720 minutes. You can configure the duration on a WLAN and on a user group policy that is mapped to the WLAN. The sleeping timer becomes effective after the idle timeout. If the client timeout is less than the time configured on the sleeping timer of the WLAN, the lifetime of the client is used as the sleeping time.

Deny RCM Clients

Check Box

Check this check box to deny clients with randomized MAC addresses.

Pre-Auth ACL List Name

Drop Box

Choose the ACL list name that you already created to map with the SSID.

Fastlane

Check Box

This box can only be checked when the Type of Enterprise Network has been chosen as Voice and Data.

For Catalyst 9800 Series Wireless Controllers, the Fastlane check box enables Auto QoS in Fastlane mode. Auto QoS in Fastlane mode configures the Fastlane EDCA profile for both the 5 GHz and 2.4 GHz bands. However, no precious metals QoS SSID policy is applied to the WLAN/SSID when the Fastlane check box is selected.

For Cisco AireOS Wireless Controllers, this setting enables the Fastlane macro for the WLAN/SSID. The Fastlane macro applies the Platinum QoS profile to the WLAN/SSID. Application Visibility is enabled on the WLAN/SSID with the AVC profile named AUTOQOS-AVC-PROFILE. The QoS Map is modified to trust DSCP in the upstream direction. In the downstream direction, Cisco best practices are implemented when mapping DSCP-to-UP values.

Advanced Settings – Session timeout

Check Box and Integer Field

Configures the maximum time for a client session to remain active before requiring reauthorization. The range is between 300 and 86,400 seconds (5 minutes and 24 hours). The default is enabled with a time of 1800 seconds (30 minutes).

Advanced Settings – Client Exclusion

Check Box and Integer Field

Configures the amount of time a wireless client is excluded from attempting to authenticate after maximum authentication failures has been exceeded. The default is enabled with a time of 180 seconds (3 minutes).

Advanced Settings – MFP CLIENT PROTECTION

Radio Button

Additional security setting that controls the use of 802.11w Protected Management Frames for the WLAN. The following options are available:

  • Optional: This setting allows wireless stations to use the 802.11w Protected Management Frames that they support and allows other wireless stations that do not support PMFs to coexist on the WLAN. This is the default setting.

  • Required: The wireless client is required to use Protected Management Frames on the WLAN.

  • Disabled: Protected Management Frames are disabled on the WLAN.

Advanced Settings – 11k Neighbor List

Check Box

Controls the use of 802.11k Assisted Roaming neighbor lists for the WLAN, which can limit the need for passive and active scanning by the wireless client. The default setting is enabled for the band (5 GHz or 2.4 GHz) with which the client is associated.

Advanced Settings – 11v BSS TRANSITION SUPPORT

Multiple Check Boxes and Integer Field

Additional settings for support of 802.11v Wireless Network Management (WNM) for the WLAN. The following settings are available:

  • BSS Max Idle Service: Check box that enables the maximum idle service for the WLAN. Allows APs to send the timeout value to the wireless client within association and reassociation response frames. The default setting is enabled.

  • Client User Idle Timeout: Check box with bounded integer field that specifies the maximum amount of time an AP keeps a wireless client associated without receiving any frames from the client for the WLAN. This allows the client to sleep longer and conserve battery usage for mobile devices. The default setting is enabled with a time of 300 seconds.

  • Directed Multicast Service: Check box that allows the client to request that multicast streams be sent as unicast streams to the client from the AP. By default, this setting is enabled.

NAS-ID

Drop-down List

From the NAS-ID Opt drop-down list, choose the required type of network access server identifier (NAS ID).

To specify a custom script for the NAS ID, choose Custom Option from the NAS-ID Opt drop-down list and enter the custom script in the corresponding Custom Script for Opt field. You can enter up to 31 alphanumeric characters, special characters, and spaces for the custom script. Cisco DNA Center does not support the special characters ?, ", < , and trailing spaces for the custom script.

Note

Cisco DNA Center supports NAS ID with custom script only for Cisco Catalyst 9800 Series Wireless Controllers that run Cisco IOS XE Release 17.7 or later.

(Optional) Click + to add another NAS ID. You can add up to three NAS IDs.

Cisco DNA Center applies only one NAS ID for Cisco AireOS Wireless Controllers. You can overwrite the NAS ID at the site level from Design > Network Settings > Wireless.

Advanced Settings – Coverage Hole Detection

Toggle button

Use the Coverage Hole Detection toggle button to enable or disable the coverage hole detection functionality.

Advanced Settings – Client Rate Limit

Integer Field

To configure the Client Rate Limit, enter a value for the client rate limit in bits per second. The valid range is from 8000 through 100,000,000,000. The value must be a multiple of 500.

Note

This configuration is not applicable for Cisco AireOS Wireless Controllers. To configure client rate limit for Cisco AireOS Wireless Controllers, click the menu icon and choose Tools > Model Config Editor > Wireless > Advanced SSID Configuration. For more information, see Create a Model Config Design for Advanced SSID.

The following are the valid ranges for a client rate limit on Cisco IOS XE devices:

  • The valid range for the Cisco Catalyst 9800-L Wireless Controller, the Cisco Catalyst 9800-40 Wireless Controller, and the Cisco Catalyst 9800-80 Wireless Controller is from 8000 through 67,000,000,000 bits per second.

  • The valid range for the Cisco Catalyst 9800-CL Wireless Controller is from 8000 through 10,000,000,000 bits per second.

  • The valid range for the Cisco Embedded Wireless Controller on Catalyst Access Points is from 8000 through 2,000,000,000 bits per second.

  • The valid range for the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches is from 8000 through 100,000,000,000 bits per second.
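The following Python script is an added example, not Cisco code, and it does not talk to Cisco DNA Center. It encodes the NAS-ID custom script rules stated earlier in this section and the client rate limit ranges listed above, so that values can be checked before they are typed into the GUI or submitted through an automation pipeline. The platform keys used in the rate limit table are labels chosen for this example, not Cisco product identifiers.

```python
"""Pre-flight checks for two Cisco DNA Center SSID advanced settings.

Added example (not Cisco code). Rules encoded, as stated in the guide:
  * NAS-ID custom script: up to 31 characters; the characters ? " and <
    and trailing spaces are not supported.
  * Client rate limit: bits per second, a multiple of 500, within the
    range for the controller platform; not applicable to AireOS.
The platform keys below are labels chosen for this example.
"""
from dataclasses import dataclass
from typing import Optional

NAS_ID_MAX_LEN = 31
NAS_ID_UNSUPPORTED = frozenset('?"<')

RATE_LIMIT_MIN_BPS = 8000
RATE_LIMIT_STEP_BPS = 500
# Upper bound per platform from the guide (the lower bound is 8000 everywhere).
RATE_LIMIT_MAX_BPS = {
    "c9800-l": 67_000_000_000,
    "c9800-40": 67_000_000_000,
    "c9800-80": 67_000_000_000,
    "c9800-cl": 10_000_000_000,
    "ewc-ap": 2_000_000_000,        # Embedded Wireless Controller on Catalyst APs
    "ewc-c9k": 100_000_000_000,     # Embedded Wireless Controller for Catalyst 9000 switches
}


@dataclass(frozen=True)
class Check:
    ok: bool
    reason: str = ""


def validate_nas_id_script(script: str) -> Check:
    """Apply the NAS-ID custom script rules from the guide."""
    if len(script) > NAS_ID_MAX_LEN:
        return Check(False, f"{len(script)} characters; maximum is {NAS_ID_MAX_LEN}")
    bad = sorted(NAS_ID_UNSUPPORTED.intersection(script))
    if bad:
        return Check(False, "unsupported character(s): " + " ".join(bad))
    if script.endswith(" "):
        return Check(False, "trailing space(s) are not supported")
    return Check(True)


def validate_client_rate_limit(platform: str, bps: Optional[int]) -> Check:
    """Apply the client rate limit rules; None means the field is left blank."""
    if bps is None:
        return Check(True, "blank: no client rate limit configured")
    if platform == "aireos":
        return Check(False, "not applicable on AireOS; use Tools > Model Config Editor instead")
    if platform not in RATE_LIMIT_MAX_BPS:
        return Check(False, f"unknown platform {platform!r}")
    upper = RATE_LIMIT_MAX_BPS[platform]
    if not RATE_LIMIT_MIN_BPS <= bps <= upper:
        return Check(False, f"{bps} is outside {RATE_LIMIT_MIN_BPS}..{upper} bits/s for {platform}")
    if bps % RATE_LIMIT_STEP_BPS:
        return Check(False, f"{bps} is not a multiple of {RATE_LIMIT_STEP_BPS}")
    return Check(True)


if __name__ == "__main__":
    # Constructed sample inputs.
    for s in ("branch5-floor1", "branch5 floor1 ", 'site"5'):
        print(repr(s), validate_nas_id_script(s))
    for plat, v in (("c9800-40", 50_000_000), ("c9800-cl", 20_000_000_000), ("ewc-ap", 8_250)):
        print(plat, v, validate_client_rate_limit(plat, v))
```

Internal spaces in the custom script are accepted because the guide only rules out trailing spaces; the length check runs first so an over-long value is reported as such even if it also contains an unsupported character.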

Advanced Settings – Radius Client Profiling

Toggle button

For Radius Client Profiling, use this toggle button to enable or disable RADIUS profiling on a WLAN.

Note

 

At least one AAA or PSN server is required to enable this feature.

Advanced Settings – CCKM

Toggle button

Configure CCKM: Use this toggle button to enable CCKM as the authentication key management option in Cisco DNA Center.

Timestamp Tolerance: This field is visible only if you enable CCKM. Enter the CCKM tolerance level. The CCKM tolerance level is not applicable for the Cisco AireOS Wireless Controller platform.

Note

 

You can configure CCKM only if the SSID's Layer 2 security is set to Enterprise with WPA2 or WPA2+WPA3.

Advanced Settings – Protected Management Frame (802.11w)

Radio Button

The options available under Protected Management Frame (802.11w) vary based on the settings that you chose under Level of Security. The following options may be available:

  • Optional

  • Required

  • Disabled

Guest Wireless Network Settings Configured in the Deployment Guide

Table 15. Guest Wireless Network Settings Configured in the Deployment Guide
Feature | Setting
Wireless Network Name (SSID) | lab3guest5
Broadcast SSID | On
Admin Status | On
Wireless Option | Multi band operation (2.4 GHz, 5 GHz, 6 GHz)
Primary Traffic Type | Best Effort (Silver)
LEVEL OF SECURITY | Web Auth
AUTHENTICATION SERVER | ISE Authentication
AUTHENTICATION SERVER > ISE Authentication > What kind of portal are you creating today? | Self Registered
AUTHENTICATION SERVER > ISE Authentication > Where will your guests redirect after successful authentication? | Original URL
Configure AAA | AAA configured
AAA Override | Enabled
Mac Filtering | Checked
Fastlane | Unchecked
Deny RCM Clients | Unchecked
Pre Auth ACL | Select configured Pre auth ACL
Advanced Settings – FAST TRANSITION (802.11r) | Disabled
Advanced Settings – MFP CLIENT PROTECTION | Optional
Advanced Settings – Protected Management Frame | Disabled
Advanced Settings – Session timeout | Checked, 1800 seconds
Advanced Settings – Client Exclusion | Checked, 180 seconds
Advanced Settings – 11k Neighbor List | Checked
Advanced Settings – Radius Client Profiling | Unchecked
Advanced Settings – Configure Client Rate Limit | Blank
Advanced Settings – Coverage Hole Detection | Checked
Configure CCKM | Unchecked
NAS-ID | Blank
Advanced Settings – 11v BSS TRANSITION SUPPORT | BSS Max Idle Service: Checked; Client Idle User Timeout: Checked, 300 seconds; Directed Multicast Service: Checked

Provision Cisco ISE Settings from Cisco DNA Center

When a guest SSID profile is assigned to a site, Cisco DNA Center will push the required authentication, authorization, and guest portal configurations to Cisco ISE according to the settings in the guest SSID profile.

Procedure

Step 1

Choose Lab3_Guest_Portal to verify the portal details.

Figure 28. Guest Portal in Cisco ISE
The image displays the Guest Portal in ISE.

Cisco ISE displays a new guest portal named Lab3_Guest_Portal.

Step 2

Click the 1 rules link to check the authorization policy created by Cisco DNA Center.

Figure 29. Guest Portal Redirect Policy
The image displays the Guest Portal Redirect Policy.
Figure 30. Guest Portal Preview
Displays the Guest Portal Preview.

Step 3

From the top-left corner, click the menu icon and choose Policy > Policy sets.

Step 4

Click Default.

Step 5

Go to Authorization Policy to verify the authorization policy pushed by Cisco DNA Center.

Figure 31. Guest SSID Authorization Policy
Displays the Guest SSID Authorization Policy.

Remote Office Wireless Deployment Settings

This section provides an overview of a remote office wireless network using APs in FlexConnect mode, which will be provisioned using Cisco DNA Center.

The site hierarchy consists of the following:

  • A branch area (New York) with a building (Branch 5) and multiple floors (Floor 1, Floor 2, and Floor 3).

  • An SSID for employee traffic (lab3branch5) and an SSID for guest traffic (lab3guest5), both advertised by the APs within the branch.

  • A non-SD-Access (legacy) remote office wireless deployment, in which all employee branch wireless traffic is centrally switched.

The guest wireless traffic within the branch is locally switched. Cisco Wireless Controllers will be in N+1 HA mode and must be assigned to sites during the Cisco DNA Center provisioning process.


Note


For this deployment guide, both Catalyst 9800-40 wireless controllers (C9800-Flex-CVD and C9800-CVD-Nplus1) will be assigned to building Branch 5 within the New York area.


Within Cisco DNA Center, sites (areas, buildings, or floors) containing APs are assigned as either primary managed AP locations or secondary managed AP locations. Only one primary enterprise wireless controller can be assigned to a site at a given time, meaning that a site can be a primary managed AP location for only one enterprise wireless controller at a time. For this deployment guide, APs on Floor 1 within Branch 5 will be provisioned to C9800-Flex-CVD through Cisco DNA Center.

Cisco DNA Center supports the configuration of AP high availability, in which the AP tries to associate with primary and secondary wireless controllers and form a CAPWAP control connection. If the primary wireless controller is unavailable, the AP will attempt to establish a CAPWAP control connection to the secondary wireless controller. In Cisco DNA Center, this is accomplished by configuring sites containing APs as secondary managed AP locations.


Note


For this design and deployment guide, wireless controller C9800-Flex-CVD will be provisioned so that Floor 1 of Branch 5 is a primary managed AP location. For the APs within Branch 5, wireless controller C9800-CVD-Nplus1 will serve as the secondary wireless controller in an N+1 wireless controller redundancy configuration.


Recommendations

When configuring the remote office wireless deployment settings, consider the following recommendations:

  • Use PortFast on AP switch ports for APs in FlexConnect mode that support only centrally switched WLANs. To configure the switch port for PortFast, set the port up as a host port, using the switchport host command or the PortFast command. This configuration allows for a faster AP join process. There is no risk of loops, because these APs, like local mode APs, never directly bridge traffic between VLANs. You can set the port directly to access mode.

  • For APs in FlexConnect mode, when using locally switched WLANs mapped to different VLANs (the AP switch port is in trunk mode), prune or limit the VLANs present on the port to match the AP-configured VLANs.

Configure Wireless Interface

In Cisco DNA Center, the enterprise and guest WLANs terminate on the wireless interfaces known as Ethernet VLAN interfaces. The following table shows the wireless interfaces created for this design and deployment guide for the enterprise and guest WLANs.

Table 16. Wireless Interfaces
Name | VLAN | Usage
branchemployee | 100 | VLAN for centrally switched employee traffic.
branchguest-dmz | 110 | VLAN for guest traffic, locally switched onto a VLAN on the branch switch.


Note


The native VLAN (AP VLAN) configuration is specific to FlexConnect AP deployments. The FlexConnect locally switched traffic terminates on a specific VLAN, which is configured in the wireless profile for this design and deployment guide. Therefore, the field will be left blank.


The following steps explain how to configure wireless interfaces within Cisco DNA Center.

Before you begin

To complete this action, you must have SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE privileges.

Procedure

Step 1

Log in to the Cisco DNA Center web console using the IP address or fully qualified domain name of your instance.

Example:
https://<Cisco_DNA_Center_IPaddr_or_FQDN>

Step 2

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

The Wireless Network Settings dashboard is displayed. An example is shown in the following figure.

Figure 32. Adding Wireless Interface
The image shows how to add a Wireless Interface.

Step 3

Enter the Interface Name and VLAN ID for the wireless interface corresponding to the enterprise VLAN (branchemployee).

Step 4

Click Add.

Figure 33. Interface and VLAN Under Wireless Interfaces
The image displays Interface and VLAN under Wireless Interfaces.

Repeat the procedure to add the wireless interface for the guest VLAN (branchguest-dmz). When completed, the two new wireless interfaces should appear in the Wireless Network Settings dashboard, as shown in the figure below:

Figure 34. Created Wireless Interfaces
The image shows the created Wireless Interfaces.

Configure Enterprise Wireless SSID

Enterprise wireless networks are the nonguest WLAN/SSIDs that are available for broadcast across the deployment. You must define them at the global level of the site hierarchy. Once defined, you can apply the enterprise wireless networks to wireless profiles and assign wireless profiles to one or more sites within the hierarchy.

For the design and deployment guide, a single enterprise WLAN SSID named lab3branch5 is provisioned.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 2

Click SSIDs.

Step 3

Hover your cursor over + Add and choose Enterprise.

The Basic Settings window is displayed.

Figure 35. Basic Settings Window to Create a New Enterprise SSID
The image shows the creation of new Enterprise SSID.

For information about features that can be configured for enterprise wireless networks via Cisco DNA Center, see Enterprise Wireless Network Features Configurable via Cisco DNA Center.

Step 4

Enter the information for the Basic Settings and click Next.

Note

 

For information about the settings for the enterprise wireless network configured for this deployment guide, see Enterprise Wireless Network Settings Configured in the Deployment Guide.

Figure 36. Security Setting for the Enterprise SSID
The image displays Security Setting for the Enterprise SSID.
Figure 37. Advanced Settings for the Enterprise SSID
Advanced Settings for Enterprise SSID

Step 5

Click + Add to add a new wireless profile.

Note

 

You can either attach the enterprise wireless network to an existing wireless profile, or you can create a new wireless profile and attach the enterprise wireless network.

Figure 38. Attach Enterprise Wireless Network to Wireless Profile
Attach Enterprise Wireless Network to Wireless Profile.

Step 6

Enter the Wireless Profile Name.

For this deployment guide, create a wireless profile named branch5.

Step 7

(Skip this step if SD-Access App is not deployed.) Under Fabric, select No.

The Select Interface field is displayed. This deployment guide only discusses non-SDA wireless deployments using Cisco DNA Center.

Step 8

From the Select Interface drop-down menu, choose branchemployee.

Step 9

Check the box next to FlexConnect Local Switching.

Step 10

Enter VLAN ID 100 in Local to VLAN.

For terminating branch employee traffic, you have selected the branchemployee interface on the enterprise wireless controller, but all branch employee traffic will be locally switched onto VLAN 100 of the branch switch.

Step 11

Click Next.

The Summary page displays SSID basic settings, security, advanced settings, and network profiles.

Step 12

Click Save.

Note

 

Even though Cisco DNA Center allows multiple network profiles to be associated with a single SSID, avoid associating a single SSID with both flex and nonflex network profiles. Each of these profile types requires the APs to be in a different mode, flex and local respectively.

Step 13

Click Configure Network Profiles.

Step 14

Click Assign Sites in branch network profiles.

Step 15

Select the New York area.

All of the child site locations are automatically selected: Building 23 with Floor 1, Floor 2, and Floor 3 and Building 24 with Floor 1, Floor 2, and Floor 3.

Step 16

Click OK to close the site hierarchy side panel and return to the Create a Wireless Profile side panel.

Figure 39. Assign Site in Branch Network Profile
The image displays steps to assign Site in Branch Network Profile.

Step 17

Click + Add under Attach Template(s) to add the CLI-based templates to the enterprise wireless network configuration.

Note

You must have defined all the templates within the Template Editor dashboard of Cisco DNA Center. This design and deployment guide does not discuss the addition of templates, because doing so requires knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. However, you can add wireless features that are not supported by the web-based GUI of Cisco DNA Center through templates.

The new enterprise wireless network, lab3branch5, appears in the Wireless Network Settings dashboard.


Configure FlexConnect Settings

The following procedure describes the steps to configure the FlexConnect settings using Cisco DNA Center, which is where the native VLAN and the client VLAN can be set.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless > FlexConnect Settings.

Figure 40. FlexConnect Settings Page
Displays the Flex Connect Settings Page.

Step 2

Configure Native VLAN and AAA override VLAN in the global settings.

Note

 

The native VLAN and AAA override VLAN set in global settings can be overridden at the area, building, and floor levels.


Configure FlexConnect in the Model Config Editor

Model configs are a set of model-based, discoverable, and customizable configuration capabilities, which you can deploy on your network devices with high-level service intent and device-specific CLI templates. The following procedure describes the steps to perform a model config for FlexConnect.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Tools > Model Config Editor.

Step 2

Click Flex Configuration.

Step 3

Click Add and enter the design name.

For example, enter branch as the design name.

Step 4

Enable IP Overlap.

Figure 41. Model Config for Flex Configuration
The image displays the Model Config for Flex Configuration.

Map FlexConnect Model Config to Network Profiles

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Profiles.

Step 2

Click Edit branch5 network profile.

Step 3

Click the Model Config tab, and then click Add Model Config.

Step 4

Choose Wireless Controller as the Device Type.

Step 5

Click Wireless > Flex Configuration, and then select the configured model config.

Step 6

Click Add and save the changes.

Figure 42. Add Model Config to Flex Network Profile
The image displays steps to add Model Config to Flex Network Profile.

Configure Guest Wireless SSID

Guest wireless networks must be defined at the global level of the site hierarchy. Once defined, guest wireless networks are applied to wireless profiles. Wireless profiles are then assigned to one or more sites within the hierarchy. For this deployment guide, a single guest wireless network (SSID) named lab3guest5 is provisioned.

Procedure

Step 1

Log in to the Cisco DNA Center web console using the IP address or fully qualified domain name of your instance.

Step 2

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 3

Click SSIDs.

Step 4

Hover your cursor over + Add and choose Guest.

The Basic Settings window is displayed.

Figure 43. Basic Settings Window to Create a Guest Wireless SSID
The image displays the Flex Guest SSID Basic Settings page.
Figure 44. Security Settings for Guest SSID
The image displays the Security Setting for Flex mode of Guest SSID.
Figure 45. AAA Settings for Flex Guest SSID
The image displays the AAA Settings for Flex Guest SSID.
Figure 46. Advanced Settings for Flex Guest SSID
The image displays the advanced settings for Flex Guest SSID.

For information about features that can be configured for guest wireless networks via Cisco DNA Center, see Guest Wireless Network Features Configurable via Cisco DNA Center.

Step 5

Enter the information for the relevant fields and click Next.

Note

 

For information about the settings for the guest wireless network configured for this deployment guide, see Guest Wireless Network Settings Configured in the Deployment Guide.

Step 6

Attach the guest wireless network to the existing branch5 wireless profile.

Figure 47. Attach Wireless Profile to Flex Guest SSID
The image shows how to attach Wireless Profile to Flex Guest SSID.

Step 7

From the Select Interface drop-down menu, choose branchguest-dmz.

Guest traffic terminates on the branchguest-dmz interface (VLAN 110).

Step 8

Check the box next to FlexConnect Local Switching and enter VLAN ID 110 in Local to VLAN.

Step 9

Click Next.

The Portal Customization page is displayed.

Figure 48. Guest Portal Customization for Flex Guest Wireless SSID
The image shows Guest Portal Customization for Flex Guest Wireless SSID.

Step 10

Click Create Portal to add a new guest portal in Cisco ISE.

The Portal Builder page is displayed. You can also leave this page without creating a portal.

Figure 49. Flex Guest SSID Portal Builder Screen
The image displays the Flex Guest SSID Portal Builder Screen.

Step 11

Enter the relevant information.

You must at least name the guest portal. For this deployment guide, the portal has been named Lab3_Guest_Portal. The drop-down menu in the Portal Builder allows you to customize the Login Page, Registration Page, Registration Success, and Success Page of the portal. You can customize the color scheme, fonts, page content, logo, and background for the web portal. You can also preview the portal to see what it will look like on a smart phone, tablet, and computer.

Step 12

Click Save to create the new guest portal on the Cisco ISE server and return to the guest wireless network workflow.

Step 13

Click Next.

The summary page will show SSID basic settings, security, advanced settings, and network profiles.

Figure 50. Flex Guest SSID Summary Page
The image displays the Flex Guest SSID Summary page.

Step 14

Click Save.

Step 15

Click Configure Network Profiles.

Step 16

Click Assign Sites in Branch Network Profiles.

Step 17

Select the New York area.

The child site locations are selected automatically: Branch 5 with Floor 1, Floor 2, and Floor 3.

Step 18

Click OK to close the site hierarchy side panel and return to the Create a Wireless Profile side panel.

Figure 51. Site Assignment to Flex Guest Profile
Displays steps involved in site assignment to Flex Guest Profile.

Step 19

Click + Add under Attach Template(s) to add the CLI-based templates to the guest wireless network configuration.

Note

 

You must have defined all the templates within the Template Editor window of Cisco DNA Center. This design and deployment guide does not discuss the addition of templates, because doing so requires knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. However, you can add wireless features that are not supported by the web-based GUI of Cisco DNA Center through templates.

The new guest wireless network, lab3guest5, is displayed in the Wireless Network Settings window.

Note

 

WLAN profiles created with different AAA settings can be assigned at different site levels. Site-level overrides push a new WLAN profile to the wireless controller. You can override the global SSID with settings defined at the area, building, and floor levels.

Cisco recommends updating the WLAN Profile Name when making any site level overrides for the SSID. If the same WLAN profile name is already configured in the wireless controller that manages the selected sites, a provisioning failure will occur.

Only L2 Security, AAA Configuration, NAS-ID, Mac Filtering, AP Impersonation, Radius Client Profiling, CCKM, MPSK, Protected Management Frame (802.11w), AAA Override, and WLAN Profile Name can be overridden at site levels. To edit other parameters, navigate to the global level.


Configure FlexConnect Settings for Guest SSID

The following procedure describes how to configure the FlexConnect settings for a guest SSID.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless > FlexConnect Settings.

Step 2

Configure native VLAN and AAA override VLAN in global settings.

Note

 

You can override the native VLAN and AAA override VLAN in global settings at the area, building, and floor levels.

Figure 52. FlexConnect Settings for Flex Guest SSID Image
The image displays the Flex Connect Settings for Flex Guest SSID.

Configure Model Config Editor for Flex Guest SSID

This section describes the procedure to configure the model config for a flex guest SSID.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Tools > Model Config Editor.

Step 2

Click Flex Configuration.

Step 3

Click Add and enter branch as the design name.

Step 4

Enable IP Overlap.

Figure 53. Model Config for Flex Guest SSID
Displays the Model Config for Flex Guest SSID.

Map Flex Guest SSID Model Config to Network Profiles

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Profiles.

Step 2

Click Edit for the branch5 network profile.

Step 3

Click Model Config and add a model config.

Step 4

For Device Type, choose Wireless Controller.

Step 5

Click Wireless > Flex Configuration and choose the configured model config.

Step 6

Click Add and save the changes.

Figure 54. Map FlexConnect Model Config to Guest Network Profile
The image displays the Map Flex Connect Model Config to Guest Network Profile.

Customize Wireless RF Profiles

The Wireless Radio Frequency Profile section of the Wireless Settings dashboard allows you to do the following:

  • Visually inspect the settings for each of the three preconfigured RF profiles within Cisco DNA Center. These RF profiles are also preconfigured within the Cisco Catalyst 9800 Series Wireless Controller.

  • Create custom RF profiles in which you can fine tune various RF aspects of your wireless deployment.

  • Choose either a preconfigured or custom RF profile as the default RF profile that is assigned to APs within Cisco DNA Center.

When provisioning APs in Cisco DNA Center, the default RF profile configured within the Wireless Settings dashboard will be applied. However, you can also override this setting for each AP.

The following preconfigured RF profiles are available:

  • LOW: This profile tunes the RF attributes in both bands (2.4 GHz and 5 GHz) for low client density deployments.

  • TYPICAL: This profile tunes the RF attributes in both bands (2.4 GHz and 5 GHz) for medium client density deployments.

  • HIGH: This profile tunes the RF attributes in both bands (2.4 GHz and 5 GHz) for high client density deployments, such as stadiums and auditoriums.


Note


Appendix D explains the specific settings within each of the three preconfigured RF profiles within Cisco DNA Center.

Set the desired TPC threshold on the RF group, based on the AP density and installed height. For large deployments, there can be significant variations in the RF environment, so it is important to properly adjust TPC to ensure optimal coverage in each location.

Together with transmit power, data rates are the primary mechanism to influence the client roaming behavior. Changing data rates to the lowest mandatory rate can modify when the client may trigger a new roam, which is especially important for large open spaces that suffer from sticky client problems.

When setting up RF profiles, try to avoid configuring adjacent AP groups and RF profiles with different DCA channel sets, as this can negatively impact DCA calculations.

Users can add a nonsupported channel to the RF profile DCA list, even if the channel is not supported in the configured regulatory domain. The recommendation is to always check if the configured channels are allowed in the country domain. There is no impact on network operations because the DCA would not assign the unsupported channels to the APs. However, starting in release 17.5, the C9800 has a validation to check if the added channels are allowed.


Procedure

Step 1

From the Wireless Network Settings dashboard, locate the Wireless Radio Frequency Profile section.

The Wireless Radio Frequency Profile section of the Wireless Settings dashboard can only be accessed at the global level of the site hierarchy.

Step 2

By default, the TYPICAL RF profile is set as the default RF profile. You will know this because it will appear as TYPICAL (Default) as shown in the following figure. To change the RF profile, check the check box next to the name of one of the available profiles, and then click the default button.

Figure 55. Wireless Radio Frequency Profile
The image displays the Wireless Radio Frequency Profile section.

For this design and deployment guide, the TYPICAL RF profile was selected, indicating that the deployment is meant for an environment with medium client density.

The FlexConnect design for a remote office is now complete.


Design the Cisco Catalyst 9800-CL Wireless Controller Hosted on AWS

This section describes a deployment that uses a cloud-based Cisco Catalyst 9800-CL Wireless Controller hosted on AWS. For more information, see Deployment guide for Cisco Catalyst 9800 Wireless Controller for Cloud (C9800-CL) on Amazon Web Services (AWS).

The Cisco Catalyst 9800 Amazon Machine Image (AMI) is launched directly from the AWS Marketplace. The Cisco Catalyst 9800 Series Wireless Controller is deployed on an Amazon EC2 instance in an Amazon Virtual Private Cloud (VPC).

Cisco supports the following instance type for the first release of the Cisco Catalyst 9800 Series Wireless Controller on the cloud:

c5.xlarge: 4 vCPUs, 8 GB RAM, 8 GB disk, 1 vNIC.

The allocated resources will allow the instance to scale to 1000 APs and 10,000 clients.

Prerequisites for Deploying the Cisco Catalyst 9800-CL Wireless Controller on AWS

  • Create a managed VPN connection from the corporate network to the VPC.

  • Create a VPC with the desired subnet for the wireless management interface on the Catalyst 9800 Series Wireless Controller.

  • Catalyst 9800 Series Wireless Controller CloudFormation template: You do not have to configure the CloudFormation template because the template is automatically integrated in the launching procedure. If desired, you can download and view the CloudFormation template file from the AWS Marketplace page for the product.

  • Amazon Machine Image ID (AMI ID) for the desired Catalyst 9800 Series Wireless Controller software release: The AMI is available in the AWS Marketplace.

  • AP access can be restricted to your instance for security reasons. For example, CAPWAP from a single, specific IP range can be allowed so that only those APs are able to register to the controller. The following table shows the ports that need to be opened in the firewall to allow the AP to communicate with the wireless controller on AWS.

Table 17. Ports Required to be Opened in Firewall
Port | Protocol / Service
UDP 5246/5247/5248 | CAPWAP
TCP 22 | SSH, SCP
TCP 21 | FTP
ICMP | Ping
UDP 161, 162 | SNMP / SNMP traps
TCP 443/80 | HTTPS/HTTP
TCP/UDP 49 | TACACS+
UDP 53 | DNS server
UDP 1812/1645/1813/1646 | RADIUS
UDP 123 | NTP server
UDP 514 | Syslog
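The following Python script is an added example, not Cisco or AWS code, and it makes no AWS API calls. It turns the port table above into the IpPermissions structure that the EC2 API accepts (for example in boto3's authorize_security_group_ingress), pins each service to a named source range rather than 0.0.0.0/0, and audits a rule set for the two mistakes the prerequisite above warns about: a rule open to the world, and CAPWAP reachable from anything other than the AP subnets. The CIDRs in the script are constructed placeholders.

```python
"""Build and audit EC2 security group ingress rules for a Catalyst 9800-CL on AWS.

Added example (not Cisco or AWS code); nothing here contacts AWS.
The rule rows mirror the port table in the guide; the source ranges are
constructed placeholders to be replaced with your own.
"""
from ipaddress import ip_network
from typing import Dict, List, Sequence, Tuple

# Constructed placeholder source ranges.
AP_SUBNETS = ["10.50.0.0/16"]      # branch AP management subnets (CAPWAP)
ADMIN_SUBNET = ["10.10.0.0/24"]    # jump hosts / NOC
CORP_SERVERS = ["10.20.0.0/24"]    # ISE, DNS, NTP, syslog, TACACS+, FTP

CAPWAP_PORTS = (5246, 5248)
WORLD = {"0.0.0.0/0", "::/0"}

# protocol, first port, last port, description, sources.
# Non-contiguous port lists (443/80, 1812/1645/1813/1646) become separate entries.
Rule = Tuple[str, int, int, str, Sequence[str]]
RULES: List[Rule] = [
    ("udp", 5246, 5248, "CAPWAP from APs", AP_SUBNETS),
    ("tcp", 22, 22, "SSH/SCP", ADMIN_SUBNET),
    ("tcp", 21, 21, "FTP", CORP_SERVERS),
    ("icmp", -1, -1, "ping", ADMIN_SUBNET + AP_SUBNETS),
    ("udp", 161, 162, "SNMP / SNMP traps", ADMIN_SUBNET),
    ("tcp", 443, 443, "HTTPS WebUI", ADMIN_SUBNET),
    ("tcp", 80, 80, "HTTP WebUI", ADMIN_SUBNET),
    ("tcp", 49, 49, "TACACS+", CORP_SERVERS),
    ("udp", 49, 49, "TACACS+", CORP_SERVERS),
    ("udp", 53, 53, "DNS", CORP_SERVERS),
    ("udp", 1645, 1646, "RADIUS (legacy ports)", CORP_SERVERS),
    ("udp", 1812, 1813, "RADIUS", CORP_SERVERS),
    ("udp", 123, 123, "NTP", CORP_SERVERS),
    ("udp", 514, 514, "Syslog", CORP_SERVERS),
]


def build_ingress(rules: Sequence[Rule] = RULES) -> List[Dict]:
    """Return EC2 IpPermissions entries (one per rule) for the given rules."""
    perms = []
    for proto, first, last, desc, sources in rules:
        entry = {"IpProtocol": proto, "FromPort": first, "ToPort": last,
                 "IpRanges": [], "Ipv6Ranges": []}
        for cidr in sources:
            v6 = ip_network(cidr).version == 6
            key, field = ("Ipv6Ranges", "CidrIpv6") if v6 else ("IpRanges", "CidrIp")
            entry[key].append({field: cidr, "Description": desc})
        perms.append({k: v for k, v in entry.items() if v != []})
    return perms


def _sources(perm: Dict) -> List[str]:
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _within(cidr: str, allowed: Sequence[str]) -> bool:
    net = ip_network(cidr)
    return any(net.version == ip_network(a).version and net.subnet_of(ip_network(a))
               for a in allowed)


def audit_ingress(perms: Sequence[Dict], ap_subnets: Sequence[str] = AP_SUBNETS) -> List[str]:
    """Return human-readable findings; an empty list means the rule set passed."""
    findings = []
    for p in perms:
        label = f"{p['IpProtocol']} {p['FromPort']}-{p['ToPort']}"
        srcs = _sources(p)
        if WORLD & set(srcs):
            findings.append(f"{label}: open to the world")
        touches_capwap = (p["IpProtocol"] == "udp"
                          and p["FromPort"] <= CAPWAP_PORTS[1]
                          and p["ToPort"] >= CAPWAP_PORTS[0])
        if touches_capwap:
            for s in srcs:
                if s not in WORLD and not _within(s, ap_subnets):
                    findings.append(f"{label}: CAPWAP allowed from non-AP range {s}")
    return findings


if __name__ == "__main__":
    perms = build_ingress()
    print(f"{len(perms)} ingress entries; findings: {audit_ingress(perms) or 'none'}")
    loose = build_ingress([("udp", 5246, 5248, "CAPWAP", ["0.0.0.0/0"])])
    print("loose rule findings:", audit_ingress(loose))
```

The audit uses ipaddress.subnet_of, so a CAPWAP source such as 10.50.7.0/24 inside the 10.50.0.0/16 AP range passes while an unrelated range is reported; the same check can be run against rules pulled from an existing security group, since they share the IpPermissions shape.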

Install the Cisco Catalyst 9800-CL Wireless Controller on AWS

Procedure

Step 1

Navigate to the AWS Marketplace.

Step 2

Locate the Cisco Catalyst 9800-CL Wireless Controller product page by searching the AWS Marketplace for "C9800-CL."

Step 3

Choose the Cisco Catalyst 9800-CL Wireless Controller for Cloud and click Continue to Subscribe.

Step 4

Choose the fulfillment option: CloudFormation Template (recommended) or Amazon Machine Image (AMI).

If you choose AMI, you can use the AWS Console or the AWS Marketplace interface.

For both fulfillment options, you will be guided through the steps to launch a new Catalyst 9800-CL Wireless Controller instance.

Step 5

During the installation process, you will be prompted to select the following:

  • The desired AWS region.

  • The VPC (custom or default) and installation location for the Catalyst 9800-CL Wireless Controller.

  • The desired IP subnet for the Catalyst 9800-CL Wireless Controller management and wireless management interface.

  • The security group associated with the VPC.

  • The key pair for SSH connection.

Step 6

Click Review and Launch and ensure that the information is accurate.

Step 7

Click Launch Instances.

Step 8

Go to AWS Console > EC2 services and wait for your instance to indicate a state of running. You will have to wait a few minutes before you can connect to your Catalyst 9800-CL Wireless Controller instance.

Step 9

Connect to the IP address assigned to your Catalyst 9800-CL Wireless Controller instance and use the WebUI wizard for Day 0 configuration and setup.

Step 10

Alternatively, connect to your instance using an SSH client, providing the necessary credentials or the private SSH key selected during setup.

For example: ssh -i mykeypair.pem ec2-user@<IP of the instance>

Step 11

Once SSH has connected, you should see the IOS XE command prompt on the Catalyst 9800-CL Wireless Controller. You may now begin configuring your instance.


Configure Enterprise Wireless Networks (SSIDs)

Wireless settings are hierarchical. Settings at lower levels of the site hierarchy can override settings defined in higher levels. By default, you are taken to the global level, which is the highest level of the site hierarchy.

Enterprise wireless networks are the nonguest WLANs/SSIDs that are available for broadcast across the deployment, and these networks must be defined at the global level of the site hierarchy. Once defined, enterprise wireless networks are applied to wireless profiles, which are assigned to one or more sites within the hierarchy. For this design and deployment guide, a single enterprise WLAN/SSID named corpevent is provisioned. The following steps explain how to configure the enterprise wireless network within Cisco DNA Center.

Before you begin

To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.

Procedure

Step 1

Log in to the Cisco DNA Center web console using an IP address or a fully qualified domain name.

Example:

https://<Cisco_DNA_Center_IPaddr_or_FQDN>

Step 2

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 3

From the Wireless Network Settings dashboard, hover your cursor over + Add and choose Enterprise.

The Create an Enterprise Wireless Network dialog box is displayed.

Figure 56. Wireless Network Settings
Wireless Network Settings
Figure 57. Selecting an Enterprise for Wireless Network Settings
Selecting an Enterprise for Wireless Network Settings

Step 4

Enter the necessary information and click Next.

The settings used in this deployment are provided in the following table.

Table 18. Settings for Enterprise SSID
Feature | Setting
Wireless Network Name (SSID) | Corpevent
Broadcast SSID | On
Wireless Option | Multiband operation (2.4 GHz, 5 GHz, 6 GHz)
Primary Traffic Type | VoIP (Platinum)
Level of Security | Personal, WPA2
Advanced Security Options - Mac Filtering | Unchecked
Passphrase Type | <Enter passphrase>
Fastlane | Unchecked
Identity PSK | Unchecked
Deny RCM clients | Unchecked
Advanced Settings – FAST TRANSITION (802.11r) | Adaptive, Over the DS Unchecked
Advanced Settings – MFP Client Protection | Optional
Advanced Settings – Protected Management Frame (802.11w) | Disabled
Advanced Settings – Session timeout | Checked, 1800 seconds
Advanced Settings – Client Exclusion | Checked, 300 seconds
Advanced Settings – 11k Neighbor List | Checked
Advanced Settings – 11v BSS TRANSITION SUPPORT | BSS Max Idle Service: Checked; Client Idle User Timeout: Checked, 300 seconds; Directed Multicast Service: Checked

Step 5

The next page in the workflow is displayed. You can attach the enterprise wireless network to an existing wireless profile, or you can create a new wireless profile and attach the enterprise wireless network.

Step 6

Click Add to add a new wireless profile.

Figure 58. Associate SSID to Network Profile

Step 7

In the Wireless Profile Name field, enter the name of the new wireless profile. For this deployment guide, a wireless profile named corpevent-profile was created.

Step 8

From Fabric, click the No radio button.

This deployment guide only discusses non-SDA wireless deployments using Cisco DNA Center. When you choose No, the Select Interface field is automatically displayed.

Step 9

From the Select Interface drop-down list, choose Management.

Note

The AWS wireless controller does not support Layer 2 VLANs, because a VLAN is not needed for a publicly deployed wireless controller and is never in use on the AWS wireless controller. When configuring an AWS or Azure wireless controller manually, you can skip this step. However, with Cisco DNA Center provisioning, the FlexConnect flow requires a VLAN to be pushed, even though the VLAN is not in use on an AWS or Azure wireless controller. These wireless controllers only support FlexConnect local switching. To prevent Cisco DNA Center from provisioning a VLAN, choose Management for the interface.

Step 10

Check the FlexConnect Local Switching check box.

Step 11

In the Local to VLAN field, enter VLAN ID 16.

All branch employee traffic will be locally switched onto VLAN 16 of the branch switch.

Figure 59. Assign VLAN for Enterprise SSID

Step 12

Click Associate Profile to attach the profile to wireless SSID.

Figure 60. Successful Association of SSID to Network Profile

Step 13

Click Next to review the summary, and then click Save.

Figure 61. Summary Page for Reviewing Enterprise SSID Configuration

Step 14

Click Configure Network Profile to go to the Network Profiles page to assign the site for the wireless profile.

Figure 62. Site Assignment for Network Profile

Step 15

Click Assign Site.

Step 16

In the left hierarchy tree, choose Global > Milpitas area.

The child site locations are automatically selected: Branch 5 and Floor 1 and Floor 2.

Step 17

Click OK to close the site hierarchy side panel and return to Create a Wireless Profile.

The design of the wireless controller on AWS is complete, and you can go to the Deploy the wireless network section.


Deploy the Wireless Network

This section of the design and deployment guide implements the use case discussed in the Solution Overview section of this document. Cisco DNA Center is used to automate the deployment of the wireless profile created in the Design the wireless network section of this document to a Cisco Catalyst 9800-40 enterprise wireless controller HA SSO pair (WLC-9800-2) and a Cisco Catalyst 9800-CL guest wireless controller (WLC-9800-CL).

This section contains the following topics and processes:

  • Discover and manage the Catalyst 9800 Series Wireless Controllers

  • Manage software images for the Catalyst 9800 Series Wireless Controllers

  • Use software image management (SWIM) to update the Catalyst 9800 Series Wireless Controller software

  • Configure high availability (HA) stateful switch-over (SSO) on the Catalyst 9800-40 enterprise wireless controllers

  • Provision the Catalyst 9800-40 enterprise wireless controller HA SSO pair

  • Provision the Catalyst 9800-CL guest anchor wireless controller

  • Join the new APs to the enterprise wireless controller HA SSO pair

  • Provision the new APs

  • Position the new APs on the floor map

  • Local RRM vs. cloud-based RRM

  • Enable cloud-based RRM

  • Template programmer for additional wireless configurations

Enterprise WLAN for Campus Wireless Deployment

This section explains how to provision the campus wireless deployment for the Milpitas site. For this scenario, the wireless controllers are discovered, and their images are updated and provisioned. These procedures are explained in the following sections.

Discover and Manage the Cisco Catalyst 9800 Series Wireless Controller

This deployment guide uses IP address ranges for discovery of both of the Cisco Catalyst 9800-40 Wireless Controllers deployed as enterprise wireless controllers and the Cisco Catalyst 9800-CL Wireless Controller deployed as the guest wireless controller. Before initiating the discovery, IP connectivity must be enabled to the devices. When using IP address ranges, you can reduce the range to just the wireless controllers to speed the discovery.


Note


Alternatively, you can supply an initial device for discovery and direct Cisco DNA Center to use Cisco Discovery Protocol (CDP) to find connected neighbors.


The following assumptions are made for this procedure:

  • The two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) are connected to the network as standalone wireless controllers. Configuration of the two Catalyst 9800-40 Wireless Controllers into an HA SSO pair will be done within Cisco DNA Center in a later process.

  • NETCONF is enabled on all of the Cisco Catalyst 9800 Series Wireless Controllers (WLC-9800-1, WLC-9800-2, and WLC-9800-CL).

  • All Catalyst 9800 Series Wireless Controllers are on the network, with management IP addresses configured for reachability.

  • SSH access is enabled on all of the Catalyst 9800 Series Wireless Controllers, with a user ID and password configured within the local user database.

  • All Catalyst 9800 Series Wireless Controllers have hostnames configured (WLC-9800-1, WLC-9800-2, and WLC-9800-CL), which will allow the devices to be identified by their hostnames within the Cisco DNA Center inventory after discovery.

For this design and deployment guide, the following table shows the hostnames, platform models, and IP addresses for Cisco DNA Center.

Table 19. Hostnames, Platform Models, and IP Addresses for Cisco DNA Center

Hostname       Platform Model                              IP Address
WLC-9800-1     Cisco Catalyst 9800-40 Wireless Controller  10.4.50.2
WLC-9800-2     Cisco Catalyst 9800-40 Wireless Controller  10.4.50.22
WLC-9800-CL    Cisco Catalyst 9800-CL Wireless Controller  10.4.48.153

This section contains the following processes:

  • Discover the two Catalyst 9800-40 Wireless Controllers, which serve as the enterprise HA SSO pair for the WLAN deployment.

  • Discover the Catalyst 9800-CL Wireless Controller, which serves as the guest anchor wireless controller for the WLAN deployment.

Discover and Manage the Cisco Catalyst 9800-CL Wireless Controller Deployed on AWS

The discovery process is the same for other Cisco Catalyst 9800-CL Wireless Controllers.

Discover the Cisco Catalyst 9800-40 Wireless Controllers Serving as the Enterprise HA SSO Pair for WLAN Deployment

The following steps explain how to discover the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Procedure

Step 1

Navigate to the main Cisco DNA Center dashboard.

Step 2

From the top-left corner, click the menu icon and choose Tools > Discovery.

The Discovery Dashboard is displayed.

Figure 63. Discovery Dashboard

Step 3

Click + Add Discovery to create a new discovery.

The New Discovery window is displayed.

Figure 64. New Discovery Window

Step 4

From IP Address/Range, for Discovery Type, click the Range radio button.

Step 5

In the From field, enter the beginning IP address, and in the To field, enter the ending IP address.

The range configured is 10.4.50.2 - 10.4.50.22, which is sufficient to discover the two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Step 6

For Preferred Management IP, if a device has a loopback interface used for management, click the Use Loopback radio button. Otherwise, click the None radio button.

For this deployment, the VLAN 174 interface is configured as the wireless management interface, so Preferred Management IP is set to None.

Step 7

Make sure the CLI, SNMP, and NETCONF credential toggle buttons are set to On.

All Catalyst 9800 Series Wireless Controllers require NETCONF for discovery and provisioning. The user ID and password used for NETCONF access to the wireless controllers are the same as the SSH user ID and password.

Step 8

From the Advanced section, for Protocol Order, check the SSH check box.

It is not recommended to enable Telnet, because Telnet traffic, including the login credentials, is sent in clear text across the network, which exposes the wireless controllers to credential theft.

Step 9

Click Start to begin the discovery.

The discovery details are displayed while the discovery runs and remain available after the discovery is complete.

Figure 65. Discovery Details

Step 10

After the discovery process is complete, navigate to the main Cisco DNA Center dashboard.

Step 11

From the top-left corner, click the menu icon and choose Provision > Inventory.

The list of devices known to Cisco DNA Center will be displayed, including the two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) that were discovered. The Catalyst 9800-40 Wireless Controllers should show a Last Sync Status of Managed.

Cisco DNA Center can now access the devices, synchronize the inventory, and make configuration changes on the devices.
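The same discovery, expressed as an added example rather than the guide's own procedure: it builds the request body for a Range discovery with the choices made above (Preferred Management IP set to None, SSH only, NETCONF required) and checks which of the Table 19 controllers the range would actually reach. The request field names follow the Cisco DNA Center Intent API "Start discovery" call as understood here and should be verified against the API reference for your release; the credential IDs are constructed placeholders.

```python
"""Build and validate a Cisco DNA Center Range discovery request.

Added example, not part of the guide. Field names follow the Cisco DNA Center
Intent API "Start discovery" request (POST /dna/intent/api/v1/discovery) as
understood by the author; verify them against the API reference for your
release. Credential IDs are constructed placeholders.
"""
import ipaddress
import json
import urllib.request

NETCONF_PORT = "830"  # default NETCONF port on IOS XE

# Hostnames and management addresses from Table 19.
CONTROLLERS = {
    "WLC-9800-1": "10.4.50.2",
    "WLC-9800-2": "10.4.50.22",
    "WLC-9800-CL": "10.4.48.153",
}


def build_discovery_request(name, start_ip, end_ip, credential_ids,
                            protocol_order="ssh", netconf_port=NETCONF_PORT,
                            preferred_mgmt_ip="None", max_hosts=256):
    """Return the JSON body for a Range discovery, rejecting unsafe or
    unworkable inputs before anything is sent to Cisco DNA Center."""
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError(f"range end {end} precedes range start {start}")
    if int(end) - int(start) + 1 > max_hosts:
        raise ValueError("range is wider than needed; narrow it to the controllers")
    protocols = [p.strip().lower() for p in protocol_order.split(",") if p.strip()]
    if "telnet" in protocols:
        # Telnet carries the login credentials in clear text across the network.
        raise ValueError("telnet is not permitted; use ssh")
    if protocols != ["ssh"]:
        raise ValueError(f"unsupported protocol order: {protocol_order}")
    if not netconf_port:
        # Catalyst 9800 controllers require NETCONF for discovery and provisioning.
        raise ValueError("a NETCONF port is required for Catalyst 9800 discovery")
    if not credential_ids:
        raise ValueError("CLI, SNMP and NETCONF global credentials must be supplied")
    return {
        "name": name,
        "discoveryType": "Range",
        "ipAddressList": f"{start}-{end}",
        "preferredMgmtIPMethod": preferred_mgmt_ip,  # "None" or "UseLoopBack"
        "protocolOrder": ",".join(protocols),
        "netconfPort": str(netconf_port),
        "globalCredentialIdList": list(credential_ids),
    }


def hosts_outside_range(request, controllers=CONTROLLERS):
    """Return the controllers whose management IP the request would not reach."""
    start_s, end_s = request["ipAddressList"].split("-")
    start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
    return sorted(host for host, ip in controllers.items()
                  if not start <= ipaddress.IPv4Address(ip) <= end)


def submit_discovery(base_url, token, request, timeout=30):
    """POST the request to Cisco DNA Center and return the parsed JSON response.
    Not exercised here because it needs a reachable Cisco DNA Center."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/dna/intent/api/v1/discovery",
        data=json.dumps(request).encode(),
        headers={"Content-Type": "application/json", "X-Auth-Token": token},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_discovery_request(
        "c9800-enterprise", "10.4.50.2", "10.4.50.22",
        ["cli-cred-id", "snmp-cred-id", "netconf-cred-id"])  # placeholder IDs
    print(json.dumps(body, indent=2))
    print("not covered by this range:", hosts_outside_range(body))
```

Running the script shows that the 10.4.50.2 - 10.4.50.22 range reaches WLC-9800-1 and WLC-9800-2 but not the guest controller, which the guide discovers separately.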


Discover the Cisco Catalyst 9800-CL Wireless Controller Serving as the Guest Anchor Wireless Controller for WLAN Deployment

To discover the Cisco Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL), repeat the steps in Discover the Cisco Catalyst 9800-40 Wireless Controllers Serving as the Enterprise HA SSO Pair for WLAN Deployment.

For this deployment guide, the IP address range for discovery of the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL) is a single IP address: 10.4.174.36 - 10.4.174.36.


Note


Optionally, you can discover all the wireless controllers in a single discovery that includes the IP address range of both the Catalyst 9800-40 enterprise Wireless Controllers (WLC-9800-1 and WLC-9800-2) and the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL).


Manage Software Images for the Cisco Catalyst 9800 Series Wireless Controllers

This process is used to upload the latest software images for the Cisco Catalyst 9800 Series Wireless Controllers to the Cisco DNA Center software image repository. The following table shows the platforms and software images uploaded for this deployment.

Table 20. Software Images for Catalyst 9800 Series Wireless Controller

Platform                                    Software Version        Software Image
Cisco Catalyst 9800-40 Wireless Controller  IOS XE Release 17.9.4a  C9800-40-universalk9_wlc.17.09.04a.SPA.bin
Cisco Catalyst 9800-CL Wireless Controller  IOS XE Release 17.9.4a  C9800-CL-universalk9.17.09.04a.SPA.bin

A minimum of IOS XE release 16.10.1 is required for operability between the Catalyst 9800 Series Wireless Controllers and Cisco DNA Center.

The following procedures are included in this process:

  • Upload the software image for the Cisco Catalyst 9800-40 Wireless Controller.

  • Upload the software image for the Cisco Catalyst 9800-CL Wireless Controller.

Upload the Software Image for the Cisco Catalyst 9800-40 Wireless Controllers

The following steps discuss the image upload process for the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Image Repository.

The Image Repository window is displayed in the following figure.

Figure 66. Image Repository

Step 2

You can get a new image into the Cisco DNA Center image repository by doing one of the following:

  • Download the image from the Cisco website.

  • Import the image from your local machine.

Step 3

For your desired image, click the download image icon. The image begins to download from the Cisco website.

For this deployment guide, image 17.9.4a was downloaded.

Figure 67. Download Image

Step 4

Alternatively, click Import to import a new image.

The Import Image/Add-on dialog box is displayed.

Figure 68. Import Image

Step 5

Click Choose File.

Step 6

Navigate to the Catalyst 9800-40 software image on your computer and choose the desired image.

For this deployment guide, C9800-40-universalk9_wlc.17.09.04a.SPA.bin was chosen.

Step 7

Under Source, click the Cisco radio button because this is a Cisco software image.

Step 8

Click Import to upload the image to the Cisco DNA Center image repository.

A status bar shows the progress of the upload. Once the upload is complete, the main Image Repository window is displayed.

Step 9

Click Show Tasks to verify that the image was imported successfully.

The Recent Tasks (Last 50) side panel is displayed. The new image transitions are shown in yellow. The tasks that are completed successfully are shown with a green check mark.

Step 10

Close the Recent Tasks (Last 50) side panel.

Step 11

From the Image Repository window, click > next to Imported Images to expand the list of imported images.

Step 12

Click Assign next to the image file you just uploaded.

The Assign Device Family slide-in pane is displayed.

Figure 69. Assign Device Family

Step 13

Choose the Cisco Catalyst 9800-40 Wireless Controller and click Assign to assign this image to its device family.

Step 14

Under the Family column in the list of devices in the main repository window, locate the Catalyst 9800-40 Wireless Controllers and expand the list of available images for the device.

You should now see the new image you just uploaded in the list of images available for the device family.

Step 15

Click the star for Golden Image to mark the image as the preferred one for the Catalyst 9800-40 Wireless Controller platform.

Figure 70. Mark Golden Image

Repeat the entire procedure for the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL). For this deployment guide, the Catalyst 9800-CL guest Wireless Controller upload image name is C9800-CL-universalk9.17.09.04a.SPA.bin.


Update the Software Image for the Cisco Catalyst 9800-CL Wireless Controller

This section outlines the procedure for updating the wireless controller image after the image is marked as golden.

Use Software Image Management (SWIM) to Update the Catalyst 9800 Series Wireless Controller Software

This process is used for the following purposes:

  • Distribute (download) the software image from the Cisco DNA Center image repository to the wireless controllers.

  • Upgrade the software images running on the wireless controllers.

Both steps can be run immediately, or the steps can be scheduled to run at a specified date and time to comply with existing network change schedules.

Cisco DNA Center runs a compliance check, which compares the image running on each device in the inventory with the image marked as golden for that device family. Devices that are out of compliance with the golden image are marked as Outdated in the inventory. Before you can update an image to the version marked as golden, the inventory collection must have completed successfully, and the device must be in a Managed state.

The following procedures are included in this process:

  • Upgrade the software images for the Catalyst 9800-40 Wireless Controllers.

  • Upgrade the software image for the Catalyst 9800-CL Wireless Controller.

Upgrade the Software Image for the Cisco Catalyst 9800-40 Wireless Controllers

The following procedure explains how to upgrade the software images for the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Procedure

Step 1

From the top-left corner, click the menu icon and choose Provision > Inventory.

Step 2

From the Focus drop-down list, choose Software Images.

The window displays the software image running on each device in the inventory.

Figure 71. Inventory Window

Step 3

From the list of devices, locate one of the Catalyst 9800-40 Wireless Controllers (WLC-9800-1 or WLC-9800-2).

Step 4

Under the Software Image column for the Catalyst 9800-40 Wireless Controller, click Needs Update.

The Image Update Readiness Check slide-in pane is displayed.

Figure 72. Image Update Readiness Check Window

Ensure that the Status column shows either a green icon indicating success or a yellow icon indicating a warning. If any of the checks show a red icon indicating failure, the image on the platform will not be upgraded. In this deployment guide, the Config register check shows a red icon because the config register value needs to be 0x2102 or 0x102, but the device is using a value of 0x0.

If necessary, correct any issues on the wireless controller which result in a failure.
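The golden-image compliance check described earlier and the Config register readiness check above, modelled offline as an added example (not the guide's or Cisco DNA Center's own code): it parses a constructed "show version" capture from a Catalyst 9800 running 17.9.4a with the 0x0 config register the guide reports, compares the running version with the golden images of Table 20, and reports the readiness failure.

```python
"""Offline model of two checks Cisco DNA Center applies before a SWIM update:
golden-image compliance (running version vs. Table 20) and the Config register
readiness check (0x2102 or 0x102 required).

Added example, not from the guide or from Cisco DNA Center. The show version
text is constructed to resemble a Catalyst 9800 on 17.9.4a whose config
register is 0x0, the failing case the guide describes.
"""
import re

# Golden images per device family, from Table 20.
GOLDEN_IMAGES = {
    "C9800-40": ("17.9.4a", "C9800-40-universalk9_wlc.17.09.04a.SPA.bin"),
    "C9800-CL": ("17.9.4a", "C9800-CL-universalk9.17.09.04a.SPA.bin"),
}
VALID_CONFIG_REGISTERS = {"0x2102", "0x102"}

# Constructed sample output; only the lines the parser needs are reproduced.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 17.09.04a
Cisco IOS Software [Cupertino], C9800 Software (C9800_IOSXE-K9), Version 17.9.4a, RELEASE SOFTWARE (fc3)
ROM: IOS-XE ROMMON
WLC-9800-1 uptime is 3 days, 2 hours, 14 minutes
System image file is "bootflash:packages.conf"

Configuration register is 0x0
"""


def normalize_version(version):
    """Map 17.09.04a and 17.9.4a onto one form by dropping leading zeros."""
    return ".".join(re.sub(r"^0+(?=\d)", "", part) for part in version.split("."))


def parse_show_version(text):
    """Extract the IOS XE version and the config register from show version."""
    ver = re.search(r"Cisco IOS XE Software, Version (\S+)", text)
    reg = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", text)
    if not ver or not reg:
        raise ValueError("unrecognized show version output")
    return {"version": normalize_version(ver.group(1)),
            "config_register": reg.group(1).lower()}


def image_status(platform, running_version):
    """Mirror the Software Image column: Up to date or Needs Update."""
    golden_version, _image = GOLDEN_IMAGES[platform]
    if normalize_version(running_version) == normalize_version(golden_version):
        return "Up to date"
    return "Needs Update"


def readiness_check(facts):
    """Return the readiness failures that would block the image update."""
    problems = []
    reg = facts["config_register"]
    if reg not in VALID_CONFIG_REGISTERS:
        problems.append(f"config register is {reg}; it must be 0x2102 or 0x102")
    return problems


if __name__ == "__main__":
    facts = parse_show_version(SAMPLE_SHOW_VERSION)
    print("running:", facts["version"], "->", image_status("C9800-40", facts["version"]))
    for problem in readiness_check(facts) or ["readiness checks passed"]:
        print("readiness:", problem)
```

A config register of 0x0 means the device boots to ROMMON, so the activation step could never bring the new image up; that is why the check is fatal rather than a warning.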

Step 5

Click Re-Execute Check to rerun the readiness assessment.

Note

Configuring a time zone on IOS XE devices through the clock timezone IOS CLI command may cause a warning to appear in the Image Update Readiness Check slide-in pane, indicating that the time differs significantly between your device and Cisco DNA Center. You may be able to clear this warning by removing the clock timezone command from the device, resyncing the device in the inventory, and clicking Re-Execute Check to run the readiness assessment again. As a result, the time on the device will be displayed in UTC rather than the local time zone.

Step 6

When you have corrected all checks which indicate a failure, close the Image Update Readiness Check slide-in pane.

Step 7

Repeat Step 1 through Step 6 for the other Catalyst 9800-40 Wireless Controller.

Step 8

Check the check boxes for both of the Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Step 9

From the Actions drop-down list, choose Software Image > Image Update.

The Image Update slide-in pane is displayed.

  1. Enter a unique name in the Task Name field.

    For this deployment guide, the name is entered as c9800update.

    Figure 73. Enter Task Name
  2. Click Next.

  3. Check the check box for the device name to choose the device.

    Figure 74. Select Devices Window
  4. Click Next to proceed to the customized software distribution checks.

    Figure 75. Custom Distribution Check
  5. If customization is not needed, choosing the default Flash check is optional.

    Figure 76. Update Image Distribution
  6. Click Next to proceed to Software Activation Checks. By default, Config register check and Startup config check are chosen.

  7. Click Add a custom check to add additional custom checks.

    For this guide, only the default checks are chosen.

    Figure 77. Software Activation Checks
  8. Click Next and choose the Device Activation order if there is more than one device.

    For this guide, there is only one device, so only that device is chosen.

    Figure 78. Device Activation Order
  9. Click Next to schedule the distribution and activation for a later time. To execute the distribution and activation immediately, click Now.

    If the software has not been distributed (downloaded from the Cisco DNA Center repository to the wireless controllers) you cannot choose the Now option. However, you can schedule the software to be activated immediately after the software distribution is complete, or you can schedule the software activation for a later date and time. If you schedule the activation time to be too close to the distribution time, you will receive a warning that the update may fail because the distribution of the image to the devices may not complete before the scheduled activation time.

    Note

    It is always recommended to upgrade software images only during scheduled network operations change windows.

Step 10

Enable Software Activation After Distribution.

Alternatively, click the Later radio button and adjust the date and time for the image distribution.

Enabling Software Activation After Distribution will activate the image immediately after it is distributed. This action combines the download and activation of the image into a single scheduled process, rather than scheduling download and activation separately.

Figure 79. Distribution and Activation Window
  1. Click Next to proceed to the Summary window and review your selections before submitting the task to update the device image.

    Figure 80. Review Summary Before Submitting Upgrade Task
  2. Click Submit.

    The status window is displayed, showing the progress of the update.

    Figure 81. Image Update Status

Step 11

Click Image Update Status, which takes you to the update progress window.

Alternatively, click the menu icon and choose Activities > Tasks. The scheduled task window is displayed.

Figure 82. Scheduled Tasks Window

You can expand the task to see the details regarding the distribution and activation of the image.

Figure 83. Operating System Update in Progress

On successful completion of the task, an icon is displayed next to the task, indicating that the update was successful. Again, you can expand the task to see the details regarding the distribution and activation of the image.

Step 12

Close the scheduled tasks slide-in pane.

Step 13

From the top-left corner, click the menu icon and choose Provision > Inventory to go back to the inventory list in the main provisioning window.

The image for the Catalyst 9800-40 Wireless Controller now shows that it has updated to the chosen IOS version.

Repeat the entire procedure for the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL).


Configure HA SSO on the Cisco Catalyst 9800-40 Enterprise Wireless Controllers

Cisco Catalyst 9800 Series Wireless Controllers can be configured as an active/standby high availability (HA) stateful switch-over (SSO) pair. Cisco DNA Center can take two wireless controllers of the same model, running the same operating system version, and configure them as an HA SSO pair.


Note


  • Before you turn on HA SSO, make sure the RP ports are connected, either directly or through a dedicated Layer 2 network. You can connect either the fiber SFP or the Ethernet RJ-45 port. Fiber SFP HA connectivity takes priority over RJ-45: if an SFP is connected while RJ-45 HA is up and running, the HA pair reloads.

  • When connecting the RP ports directly, back-to-back, Cisco recommends using a copper cable with a length less than 30 meters (100 feet). If you need to go beyond 30 meters (100 feet), it is recommended to connect the RP ports using a fiber cable.

  • Both wireless controllers must run the same software and be in the same boot mode (install mode is the recommended boot mode).

  • For physical appliances, use the same hardware type (for example, you cannot pair a C9800-L-C with a C9800-L-F).

  • For the Catalyst 9800-CL Wireless Controller, pick the same scale template (large, medium, or small) on both virtual machines.

  • Before forming an HA pair, it is recommended to delete the existing certificates and keys in each of the Catalyst 9800 Series Wireless Controllers that were previously deployed as standalone. Doing this avoids the risk of the same trustpoint being present on both wireless controllers with different keys, which would cause issues after a switchover.

  • Set the keep-alive retries to 5 (the default for release 17.1).

  • Set the higher priority (2) on the chassis that you want to be the active wireless controller.


The following steps explain how to configure the Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) as an HA SSO pair.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Provision > Inventory.

The main provisioning window displays the devices. By default, the Focus is set for Inventory.

Step 2

Locate and check the check box for the Catalyst 9800-40 Wireless Controller which will be the primary wireless controller of the HA SSO wireless controller pair.

For this design and deployment guide, WLC-9800-2 was selected as the primary wireless controller.

Step 3

From the Actions drop-down list, select Provision > Configure WLC HA.

The High Availability slide-in pane is displayed.

Figure 84. High Availability Window

Step 4

Enter the required information in the respective fields and click Configure HA.

The following table shows the high availability information for this deployment guide:

Table 21. High Availability Settings

Field                                                            Value
Primary Cisco Catalyst 9800 Series Wireless Controller           WLC-9800-1.cisco.local
Redundancy Management IP                                         10.4.174.132
Select Secondary Cisco Catalyst 9800 Series Wireless Controller  WLC-9800-2.cisco.local
Peer Redundancy Management IP                                    10.4.174.134
Netmask                                                          24

Note

The Redundancy Management IP and the Peer Redundancy Management IP addresses must be in the same IP subnet as the wireless management interface.

A dialog box is displayed, notifying you that the wireless controllers will be rebooted when they are placed in the high availability mode.

Step 5

Click OK to accept and put the two Catalyst 9800-40 Wireless Controllers in HA SSO mode.

It will take several minutes for the wireless controllers to reboot and display in HA SSO mode. All configurations from the primary Catalyst 9800-40 Wireless Controller, including the IP address of the management interface, will be copied to the secondary Catalyst 9800-40 Wireless Controller. Cisco DNA Center will no longer show two wireless controllers in the inventory. Instead, only a single Wireless Controller HA SSO pair with two serial numbers will appear in the inventory.

For this deployment guide, the wireless controller HA SSO pair is WLC-9800-2.
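A pre-flight check for the Configure WLC HA inputs of Table 21, added here as an example that is not part of the guide: it enforces the rule from the note (both redundancy management addresses must lie in the wireless management subnet) and catches clashing addresses and a chassis priority that would not make the intended controller active. The management interface address is a constructed value on the VLAN 174 subnet, because the guide does not state it; the RMI values, netmask and hostnames are those of Table 21.

```python
"""Pre-flight validation of the Configure WLC HA inputs (Table 21).

Added example, not part of the guide. MGMT_IP is a constructed address on the
VLAN 174 wireless management subnet; the other values come from Table 21.
"""
import ipaddress

HA_INPUTS = {  # Table 21
    "primary": "WLC-9800-1.cisco.local",
    "secondary": "WLC-9800-2.cisco.local",
    "rmi": "10.4.174.132",
    "peer_rmi": "10.4.174.134",
    "netmask_bits": 24,
}
MGMT_IP = "10.4.174.10"  # constructed wireless management interface address


def check_ha_inputs(primary, secondary, rmi, peer_rmi, netmask_bits, mgmt_ip,
                    active_priority=2, standby_priority=1):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if primary == secondary:
        problems.append("primary and secondary must be different controllers")
    if not 0 < int(netmask_bits) <= 29:
        # A /30 has only two usable hosts; management plus two RMIs need three.
        problems.append(f"netmask /{netmask_bits} cannot hold the management and both RMI addresses")
        return problems
    mgmt_addr = ipaddress.IPv4Address(mgmt_ip)
    mgmt_net = ipaddress.IPv4Interface(f"{mgmt_ip}/{netmask_bits}").network
    addrs = {"RMI": ipaddress.IPv4Address(rmi),
             "Peer RMI": ipaddress.IPv4Address(peer_rmi)}
    for label, addr in addrs.items():
        if addr not in mgmt_net:
            # The rule from the note: RMIs live in the management subnet.
            problems.append(f"{label} {addr} is outside the management subnet {mgmt_net}")
        elif addr in (mgmt_net.network_address, mgmt_net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {mgmt_net}")
        if addr == mgmt_addr:
            problems.append(f"{label} {addr} clashes with the management interface address")
    if addrs["RMI"] == addrs["Peer RMI"]:
        problems.append("RMI and Peer RMI must be distinct addresses")
    if active_priority <= standby_priority:
        # The chassis meant to be active needs the higher priority (2).
        problems.append("the intended active chassis must have the higher priority")
    return problems


if __name__ == "__main__":
    findings = check_ha_inputs(mgmt_ip=MGMT_IP, **HA_INPUTS)
    print("\n".join(findings) if findings else "HA inputs are consistent")
```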

Step 6

If you choose the wireless controller (WLC-9800-2), and from the Actions drop-down list, choose Provision > Configure WLC HA, you can see additional information about the Catalyst 9800-40 Wireless Controller HA SSO pair.

Figure 85. Catalyst 9800-40 Wireless Controller HA SSO Pair Details

Note

If you click Disable HA, both Catalyst 9800-40 Wireless Controllers will revert to standalone mode, with the secondary wireless controller reset to factory settings. It is recommended that you establish console access to the wireless controllers before disabling HA. You will need to change the IP address and hostname of one of the wireless controllers to rediscover the controller in Cisco DNA Center after disabling HA.


Provision the Cisco Catalyst 9800-40 Enterprise Wireless Controller HA SSO Pair

The following steps explain how to provision the corporate wireless profile to the Cisco Catalyst 9800-40 enterprise Wireless Controller HA SSO pair, known as C9800-40-CVD.cagelab.local.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Provision > Inventory.

The main provisioning window displays the devices in the inventory. By default, Inventory is chosen from the Focus drop-down list.

Step 2

Locate and check the check box for C9800-40-CVD.cagelab.local.

Step 3

From the Actions drop-down list, choose Provision > Provision Device.

You are taken through a four-step workflow for provisioning the enterprise wireless controller HA SSO pair (C9800-40-CVD.cagelab.local), starting with Assign Site.

Step 4

In the Assign Site window, click Choose a Site. A slide-in pane is displayed, which shows the site hierarchy configured for Cisco DNA Center.

For this deployment guide, the enterprise wireless controller HA SSO pair (C9800-40-CVD.cagelab.local) is assigned to the building level.

Step 5

Expand the site hierarchy for Milpitas and choose Building 23.

Figure 86. Assign Site to Building Level

Note

  • The enterprise wireless controller HA SSO pair (C9800-40-CVD.cagelab.local) must be assigned to a building or floor within the Cisco DNA Center site hierarchy; it cannot be assigned to the Milpitas area or to the global level of the site hierarchy. Although C9800-40-CVD.cagelab.local is assigned to Building 23 in this deployment guide, APs located on floors in other buildings are still supported by the wireless controller.

  • When the wireless controller is assigned to a site, the wireless controller is added as a device to Cisco ISE.

Step 6

Click Save to assign C9800-40-CVD.cagelab.local to Building 23.

Step 7

Click Next.

The Configuration window is displayed.

Step 8

In the Configuration window, choose Active Main for the wireless controller Role.

Step 9

Click Select Primary Managed AP locations.

The Managed AP Location slide-in pane is displayed, showing the site hierarchy for Cisco DNA Center.

Cisco DNA Center supports the ability to configure N+1 redundancy for APs in addition to HA SSO for a wireless controller. As a result, you can configure both primary and secondary managed AP locations. Primary managed AP locations are sites, including buildings and/or floors, where the wireless controller serves as the primary wireless controller within the AP high availability configuration. Secondary managed AP locations are sites where the wireless controller serves as the secondary wireless controller within the AP high availability configuration. If the primary wireless controller or wireless controller HA SSO pair fails, APs reestablish their CAPWAP connections to the secondary wireless controller.

For this guide, the Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40-CVD.cagelab.local) will be the primary wireless controller, managing APs on Floor 1 and Floor 2 of Building 23 and Building 24. No secondary managed AP locations will be configured, because the wireless controller HA SSO pair already provides redundancy in a campus network where all the APs operate in a centralized deployment mode.

Step 10

Expand the site hierarchy and choose Floor 1 and Floor 2 for Building 23 and Floor 1 and Floor 2 for Building 24.

Step 11

Click Save.

Because you have selected this wireless controller to be an Active Main wireless controller, additional fields are displayed. The corporate wireless profile has defined the enterprise SSID as lab3employee and the wireless interface on which the SSID terminates as employee on VLAN ID 160, so this enterprise SSID and wireless interface will be automatically displayed. Likewise, because the corporate wireless profile has defined the guest SSID as lab3guest and the wireless interface on which the SSID terminates as guest-dmz on VLAN ID 125, this information will also be automatically displayed.

Step 12

Enter the values for IP address, Gateway IP address, LAG/Port Number, and Subnet Mask (in bits) for each SSID.

The following table shows the values entered for this deployment guide.

Table 22. Enterprise Wireless Controller Settings

Field                   Value
SSID Name               lab3employee
Interface Name          employee
VLAN ID                 160
IP Address              10.4.160.2
Gateway IP Address      10.4.160.1
LAG/Port Number         1
Subnet Mask (in bits)   24

SSID Name               lab3guest
Interface Name          guest-dmz
VLAN ID                 125
IP Address              10.4.125.2
Gateway IP Address      10.4.125.1
LAG/Port Number         1
Subnet Mask (in bits)   24

Figure 87. Enterprise Wireless Controller Settings in Cisco DNA Center

Note

The guest-dmz interface is defined on the enterprise foreign wireless controller. When the anchor tunnel is up between the enterprise foreign wireless controller and the guest anchor wireless controller, guest wireless traffic is automatically terminated on the guest-dmz interface of the guest anchor wireless controller. However, if the anchor tunnel is down, guest wireless traffic is terminated on the guest-dmz interface of the enterprise foreign wireless controller. It is a best practice to specify an isolated Layer 2 VLAN for the guest-dmz interface on the enterprise foreign wireless controller, with no DHCP server to supply IP addresses to guest wireless devices. By doing so, if the anchor tunnel is down, guest wireless devices are isolated to a Layer 2 subnet with no network access.

Step 13

Click Next.

The Advanced Configuration window is displayed. If you have configured a template within the Template Editor for the device type and the site, you can apply the template here. This deployment guide does not discuss the use of templates for advanced configuration of the Catalyst 9800-40 wireless controller HA SSO pair (C9800-40-CVD.cagelab.local).

Step 14

Click Next.

The Summary window is displayed. This window provides a summary of the configuration which will be provisioned to the Catalyst 9800-40 Wireless Controller HA SSO pair (WLC-9800-2). You can expand each section to see the details of the configuration, which is based on the corporate wireless profile created in the Design the wireless network section of this deployment guide.

Step 15

Click Deploy to deploy the configuration to the Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40-CVD.cagelab.local). A slide-in pane is displayed, asking if you wish to deploy the configuration now or schedule the configuration for later.

Note

It is best practice to make configuration changes and provision new devices in your network only during scheduled network operation change windows.

Step 16

Click the Now radio button and click Apply to apply the configuration. You will be redirected to the Inventory window in Provisioning. The provisioning status of the device will temporarily show Provisioning, but the status should change to Success after a few minutes. Click See Details below the provisioning status of the device for more information.

Cisco DNA Center will dynamically create two new WLAN profiles within the Catalyst 9800-40 enterprise Wireless Controller HA SSO pair (C9800-40-CVD.cagelab.local). Each WLAN profile has a dynamically generated name based on the SSID name specified in the corporate wireless profile. The following table shows the names of the WLAN profiles and their respective SSIDs, automatically generated by Cisco DNA Center during the provisioning of C9800-40-CVD.cagelab.local for this deployment guide.

Table 23. WLAN Profiles Dynamically Generated by Cisco DNA Center

WLAN Profile Name       SSID            WLAN ID
lab3guest_profile       lab3guest       17
lab3employee_profile    lab3employee    18

Note

It is best practice to create a custom profile for a site and to create policy tags with user-configured profile names, which makes cross-verification on the wireless controller easier. If default profiles are used, Cisco DNA Center derives the profile name from the SSID, using the SSID name as the prefix (for example, lab3guest_profile).

An example of the WLAN configuration, as seen from the web-based GUI of C9800-40-CVD.cagelab.local, is shown in the following figure.

The WLAN IDs corresponding to the two SSIDs, lab3guest and lab3employee, are 17 and 18, respectively. APs joined to a Cisco Catalyst 9800 Series Wireless Controller and assigned the default-policy-tag broadcast the SSIDs of all WLANs with IDs from 1 to 16. To avoid creating WLANs that would be broadcast by every AP carrying the default-policy-tag, Cisco DNA Center creates WLANs and SSIDs starting at WLAN ID 17.

During provisioning, Cisco DNA Center also creates two new policy profiles within C9800-40-CVD.cagelab.local. The names of the new policy profiles match the names of the created WLAN profiles. An example of the configuration, as seen from the web-based GUI of C9800-40-CVD.cagelab.local, is shown in the following figure.

At this point in the provisioning process, the policy profiles and the WLAN profiles are not mapped to any policy tag that has been applied to any AP.
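The three provisioning outcomes described above (WLAN IDs starting at 17 so the default-policy-tag does not broadcast them, a same-named policy profile for every WLAN profile, and a guest-dmz VLAN on the foreign controller that offers no DHCP) can be checked against a controller's running configuration. The following Python script is an added example, not code from the guide or from Cisco; the IOS XE configuration excerpt it parses is a constructed sample that deliberately contains a legacy WLAN and a DHCP relay on the guest-dmz SVI so that each check fires, and it treats an ip helper-address on that SVI as the condition that violates the no-DHCP guidance.

```python
import re

# Constructed IOS XE running-config excerpt (not device output); the legacy WLAN and the helper-address are deliberate defects.
SAMPLE_CONFIG = """\
wlan lab3guest_profile 17 lab3guest
wlan lab3employee_profile 18 lab3employee
wlan legacy_profile 5 legacy
wireless profile policy lab3guest_profile
 vlan 125
wireless profile policy lab3employee_profile
 vlan 160
interface Vlan125
 ip address 10.4.125.2 255.255.255.0
 ip helper-address 10.4.48.10
interface Vlan160
 ip address 10.4.160.2 255.255.255.0
"""

def parse_blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config, guest_vlan):
    """Return a list of findings; an empty list means the config matches the guide."""
    blocks = parse_blocks(config)
    findings, wlans = [], {}
    for cmd in blocks:
        m = re.match(r"wlan (\S+) (\d+) (\S+)$", cmd)
        if m:
            profile, wlan_id, ssid = m.group(1), int(m.group(2)), m.group(3)
            wlans[profile] = ssid
            if wlan_id <= 16:  # default-policy-tag broadcasts WLAN IDs 1-16
                findings.append(f"{ssid}: WLAN ID {wlan_id} is broadcast by default-policy-tag")
    policies = {c.split()[-1] for c in blocks if c.startswith("wireless profile policy ")}
    for profile in wlans:  # Cisco DNA Center creates a same-named policy profile
        if profile not in policies:
            findings.append(f"{profile}: no matching policy profile")
    svi = blocks.get(f"interface Vlan{guest_vlan}", [])
    if any(s.startswith("ip helper-address") for s in svi):  # relay makes a DHCP server reachable
        findings.append(f"Vlan{guest_vlan}: DHCP relay configured on guest-dmz SVI")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, 125):
        print(finding)
```

Run it against `show running-config` output saved to a file, passing the guest-dmz VLAN ID of the enterprise foreign controller (125 in this guide).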


Provision the Cisco Catalyst 9800-CL Guest Anchor Wireless Controller

Use the following procedure to provision the corporate wireless profile to the Cisco Catalyst 9800-CL guest anchor Wireless Controller, known as C9800-CL-CVD.cagelab.local.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Provision > Inventory.

The main provisioning screen displays the devices in the inventory. By default, Inventory is chosen from the Focus drop-down list.

Step 2

Locate and check the check box for C9800-CL-CVD.cagelab.local.

Step 3

From the Actions drop-down list, choose Provision > Provision Device.

You are taken through a four-step workflow for provisioning the guest wireless controller (C9800-CL-CVD), starting with Assign Site.

Step 4

In the Assign Site window, click Choose a Site.

A slide-in pane is displayed, showing the site hierarchy configured for Cisco DNA Center. For this deployment guide, the guest anchor wireless controller (C9800-CL-CVD.cagelab.local) is assigned to the building level.

Step 5

Expand the site hierarchy for Milpitas and select Building 23.

Note

The guest wireless controller (C9800-CL-CVD.cagelab.local) must be assigned to a building or floor in the Cisco DNA Center site hierarchy; it cannot be assigned to Milpitas or to the global level of the site hierarchy. Although C9800-CL-CVD.cagelab.local is assigned to Building 23 in this deployment guide, the wireless controller still supports APs located on floors in other buildings.

Step 6

Click Save to assign C9800-CL-CVD.cagelab.local to Building 23.

Step 7

Click Next.

The Configuration window is displayed.

Step 8

In the Configuration window, choose Guest Anchor for the wireless controller Role.

Step 9

Click Select Primary Managed AP locations.

The Managed AP Location slide-in pane is displayed, showing the site hierarchy for Cisco DNA Center.

For this deployment guide, the guest anchor wireless controller (C9800-Flex-CVD.cagelab.local) will manage APs on Floor 1, Floor 2, and Floor 3 in building branch5.

Step 10

Expand the site hierarchy and choose the desired sites within the site hierarchy.

Step 11

Click Save.

The Managed AP Location slide-in pane will close. Because you have selected this wireless controller to be a Guest Anchor wireless controller, additional fields are displayed. The corporate wireless profile has defined the guest SSID as lab3guest and the wireless interface on which the SSID terminates as branchguest-dmz on VLAN ID 110, so this guest SSID and wireless interface will be automatically displayed.

Step 12

Enter the values for IP address, Gateway IP address, LAG/Port Number, and Subnet Mask (in bits) for the SSID. The following table shows the values entered for this deployment guide.

Table 24. Guest Wireless Controller Settings

Field                   Value
SSID Name               lab3guest
Interface Name          guest-dmz
VLAN ID                 125
IP Address              10.4.125.2
Gateway IP Address      10.4.125.1
LAG/Port Number         1
Subnet Mask (in bits)   24

Figure 88. Guest Wireless Controller Settings in Cisco DNA Center

Step 13

Click Next.