Solution Overview

This guide explains how to use Catalyst Center to deploy and manage a legacy wireless local area network (WLAN) within an enterprise network, using Cisco Catalyst 9800 Series Wireless Controllers running Cisco IOS XE Cupertino 17.12.3.

This guide provides technical guidance to design, deploy, and operate a Cisco WLAN using Catalyst Center.

The implementation flow showcases four main steps: define, design, deploy, and operate.

This guide contains the following main sections:

  • Define the wireless network presents a high-level overview of the campus, remote office, and cloud-based WLAN that is designed and deployed through Catalyst Center.

  • Design the wireless network discusses the integration of Catalyst Center with Cisco Identity Services Engine (Cisco ISE); creation of the site hierarchy—including the importing of floor maps—within Catalyst Center; configuration of various network services necessary for network operations, such as AAA, DNS, DHCP, NTP, SNMP, and Syslog servers; and configuration of wireless settings, including WLANs/SSIDs, VLANs, and RF profiles for the WLAN deployment.

  • Deploy the wireless network discusses discovery of the wireless controllers, managing the software images running on the wireless controllers, configuring HA SSO redundancy on the wireless controllers, provisioning the enterprise and guest wireless controllers within Catalyst Center, joining APs to the enterprise wireless controller HA SSO pair, provisioning the APs within Catalyst Center, and positioning the APs on the floor maps within Catalyst Center.

  • Monitor and operate the wireless network discusses how to use Assurance to monitor and troubleshoot the WLAN deployment.

The audience for this guide includes network design engineers and network operations personnel who want to use Catalyst Center to deploy a Cisco WLAN within their wireless networks.


Note


Cisco DNA Center has been rebranded as Catalyst Center. During the rebranding process, you will see both names used in different collaterals, but both names refer to the same product.


Prerequisites

Before you can deploy and manage a legacy WLAN within an enterprise network, Catalyst Center must be installed and properly configured. For more information about installing and configuring Catalyst Center, see the Catalyst Center Installation Guide.

The following table displays the round-trip time (RTT) requirements between Catalyst Center and the specified network elements.

The latency between the Catalyst Center appliance and a managed device should be ~100 milliseconds RTT or less. After 100 milliseconds, longer execution times could be experienced for certain events, such as inventory collection, provisioning, and image update (SWIM). Cisco does not support an RTT of more than 300 milliseconds. For more details on RTT and supported scale, see the Catalyst Center Data Sheet.

Table 1. Cisco Recommended RTT
Source Device | Target Device | Maximum RTT Supported
Catalyst Center Node | Catalyst Center Node | 10 milliseconds
Catalyst Center Node | Cisco ISE | 300 milliseconds
Catalyst Center Node | Wireless Controller | 200 milliseconds
Wireless Controller | Access Points | 20 milliseconds (local mode)
Wireless Controller | Access Points | 300 milliseconds (flex mode)
Wireless Controller | Cisco ISE | 100 milliseconds
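The following pre-deployment check is an added example and is not part of the Cisco guide: it parses Linux iputils ping output and classifies each path against the Table 1 maximums and the ~100 ms recommendation for the appliance-to-managed-device path. The source/target labels, host addresses and ping captures are constructed for illustration.

```python
"""Pre-deployment RTT check against the Catalyst Center latency limits (Table 1).

Added example, not part of the Cisco guide. Assumes ping output in the Linux
iputils format; the sample captures below are constructed, not real.
"""
import re
import subprocess
from typing import Optional

# Maximum supported RTT for each source/target pair, in milliseconds (Table 1).
MAX_RTT_MS = {
    ("catalyst-center", "catalyst-center"): 10,
    ("catalyst-center", "ise"): 300,
    ("catalyst-center", "wlc"): 200,
    ("wlc", "ap-local"): 20,
    ("wlc", "ap-flex"): 300,
    ("wlc", "ise"): 100,
}

# Recommended ceiling between the appliance and a managed device (~100 ms RTT);
# above it, inventory collection, provisioning and SWIM may take longer.
RECOMMENDED_MS = 100
MANAGED_TARGETS = {"wlc"}

# Summary line printed by iputils ping: "rtt min/avg/max/mdev = a/b/c/d ms"
_RTT_LINE = re.compile(
    r"rtt min/avg/max/mdev = (?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+)/[\d.]+ ms"
)


def parse_ping_rtt(ping_output: str) -> Optional[dict]:
    """Return {'min', 'avg', 'max'} RTT in ms from ping output, or None if absent."""
    m = _RTT_LINE.search(ping_output)
    if m is None:
        return None
    return {k: float(m.group(k)) for k in ("min", "avg", "max")}


def evaluate_rtt(source: str, target: str, ping_output: str) -> str:
    """Classify one path as OK, WARN, FAIL or UNREACHABLE.

    FAIL        - average RTT is above the Table 1 maximum for this pair.
    WARN        - within the maximum, but the appliance-to-managed-device path
                  is above the ~100 ms recommendation.
    UNREACHABLE - ping produced no RTT summary (for example 100% packet loss).
    """
    limit = MAX_RTT_MS[(source, target)]
    rtt = parse_ping_rtt(ping_output)
    if rtt is None:
        return "UNREACHABLE"
    if rtt["avg"] > limit:
        return "FAIL"
    if source == "catalyst-center" and target in MANAGED_TARGETS and rtt["avg"] > RECOMMENDED_MS:
        return "WARN"
    return "OK"


def ping(host: str, count: int = 5) -> str:
    """Run iputils ping and return its output (needs network; not used offline)."""
    return subprocess.run(
        ["ping", "-c", str(count), host], capture_output=True, text=True, check=False
    ).stdout


def run_checks(captures):
    """captures: iterable of (source, target, host, ping_output) -> [(host, status)]."""
    return [(host, evaluate_rtt(src, dst, out)) for src, dst, host, out in captures]


# Constructed sample captures (not real hosts or measurements).
SAMPLE_OK = """PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=62 time=11.8 ms
64 bytes from 10.0.1.10: icmp_seq=2 ttl=62 time=12.4 ms

--- 10.0.1.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 11.812/12.106/12.401/0.295 ms
"""
SAMPLE_SLOW = """--- 10.0.2.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 148.900/150.250/151.600/1.350 ms
"""
SAMPLE_LOST = """--- 10.0.3.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1031ms
"""

if __name__ == "__main__":
    results = run_checks([
        ("catalyst-center", "wlc", "10.0.1.10", SAMPLE_OK),    # OK
        ("catalyst-center", "wlc", "10.0.2.10", SAMPLE_SLOW),  # WARN: above 100 ms, below 200 ms
        ("wlc", "ap-local", "10.0.2.10", SAMPLE_SLOW),         # FAIL: local-mode limit is 20 ms
        ("catalyst-center", "ise", "10.0.3.10", SAMPLE_LOST),  # UNREACHABLE
    ])
    for host, status in results:
        print(f"{host:<12} {status}")
```

To check a live path, replace a constructed capture with `ping("<host>")`; the same flex-mode AP path that fails the 20 ms local-mode limit passes the 300 ms flex-mode limit.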

Table 2. Cisco Supported Scale Numbers for Wireless Controller Models
Wireless Controller Model | Maximum Number of APs | Maximum Number of Clients
Catalyst 9800-L | 250 | 5000
Catalyst 9800-40 | 2000 | 32,000
Catalyst 9800-80 | 6000 | 64,000
Catalyst 9800-CL (4 CPU/8 GB RAM) | 1000 | 10,000
Catalyst 9800-CL (6 CPU/16 GB RAM) | 3000 | 32,000
Catalyst 9800-CL (10 CPU/32 GB RAM) | 6000 | 64,000

Table 3. Catalyst Center 1-Node System Scale
SKU | DN-SW-APL/DNA-SW-OVA | DN2-HW-APL | DN2-HW-APL-L | DN2-HW-APL-XL
Legacy Devices (switch, router, wireless controller) | 1000 | 1000 | 2000 | 5000
Legacy Wireless Access Points | 4000 | 4000 | 6000 | 13,000
Wireless Sensors | 600 | 600 | 800 | 1600
Concurrent Endpoints | 25,000 | 25,000 | 40,000 | 100,000
Transient Endpoints (over a 14-day period) | 250,000 | 250,000 | 400,000 | 1,000,000
Ratio of Endpoints to Wired | Any | Any | Any | Any
Ratio of Endpoints to Wireless | Any | Any | Any | Any
Site Elements | 2500 | 2500 | 5000 | 10,000
Wireless Controller | 500 | 500 | 1000 | 2000
Ports | 48,000 | 48,000 | 192,000 | 768,000
API Rate Limit (APIs/minute) | 50 | 50 | 50 | 50
NetFlow (flows/second) | 30,000 | 30,000 | 48,000 | 120,000
Concurrent Software Image Updates | 100 | 100 | 100 | 100

Table 4. Scale for 3-Node DN2-HW-APL-XL Cluster
Description | Supported Scale
Devices (switch, router, wireless controller) | 10,000
Wireless Access Points | 25,000
Concurrent Endpoints | 300,000
Transient Endpoints (over a 14-day period) | 3,000,000
NetFlow (flows/second) | 250,000
Number of Floors (per wireless controller) | 1000

Required Network Ports

Catalyst Center requires that specific ports are open for traffic flows to and from the appliance, whether you open them using firewall settings or a proxy gateway. For more information, see the "Required Network Ports" topic in the Catalyst Center Second-Generation Appliance Installation Guide.

Certificate Management for Catalyst Center

By default, Catalyst Center uses self-signed certificates, but you can use a certificate that is signed by your internal certificate authority during deployment. To replace the default certificate, see the "Manage Certificates" topic in the Catalyst Center Security Best Practices Guide.

Define the Wireless Network

This section presents a high-level overview of the campus, remote office, and cloud-based WLAN that is designed and deployed through Catalyst Center.

There are three scenarios that outline three types of typical, legacy wireless deployments. In the first scenario, a campus wireless deployment with APs in local mode uses wireless controllers in a high availability (HA) configuration; the wireless controllers are located in the same campus building. In the second scenario, a remote office wireless deployment with APs in flex mode uses wireless controllers in an N+1 configuration; the wireless controllers are located in the data center. In the third scenario, a wireless network for a corporate event uses a wireless controller that is hosted in a cloud environment, such as Amazon Web Services (AWS).

Campus Wireless Deployment

The campus wireless deployment uses a pair of Cisco Catalyst 9800-40 Wireless Controllers in a high availability (HA) SSO configuration. The wireless controller pair functions as the enterprise wireless controller for access points (APs) in local mode, which are located on multiple floors within multiple buildings of the campus. Wireless guest access is provided through a separate Cisco Catalyst 9800-CL Wireless Controller, which functions as a traditional guest wireless controller and is anchored to the enterprise (foreign) wireless controller.

The design and deployment of the WLAN is fully automated, utilizing intent-based networking (IBN). Catalyst Center is designed for IBN and provides a level of abstraction from the device-level user interface.


Note


In the production environment, the guest anchor wireless controller is typically connected to a DMZ segment off of a firewall to separate guest wireless traffic from internal employee traffic. In such designs, the firewall policy must be configured to allow the necessary traffic between the enterprise foreign wireless controller and the guest anchor wireless controller.


Figure 1. High-Level Design for Campus Wireless Deployment
The high-level design for the campus wireless deployment depicts the guest anchor wireless controller and the enterprise wireless controller connected to the same switch.

The campus wireless deployment includes the following features:

  • Site hierarchy consisting of a single area (Milpitas) and multiple buildings (Building 23 and Building 24), each with multiple floors (Floor 1 and Floor 2)

  • Legacy, centralized campus wireless deployment in which all wireless traffic is backhauled to the wireless controller

  • Enterprise SSID and guest SSID

  • A single pair of enterprise Catalyst 9800-40 Wireless Controllers in an HA SSO configuration

  • Guest wireless access through a dedicated guest Catalyst 9800-CL Wireless Controller, which is auto-anchored to the enterprise HA SSO wireless controller pair


Note


The Catalyst Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config. This guide discusses the specific wireless controller features that can be configured in Catalyst Center.


Wireless controllers must be assigned to sites during the Catalyst Center provisioning process. For this deployment guide, a Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40) will be assigned to Building 23 within the Milpitas area. There can only be one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning that only one enterprise wireless controller can be provisioned per floor within Catalyst Center. The APs on Floor 1 and Floor 2 within Building 23 and the APs on Floor 1 within Building 24 will be provisioned to C9800-40 through Catalyst Center.

Remote Office Wireless Deployment

The remote office wireless deployment uses a pair of Cisco Catalyst 9800-40 Wireless Controllers in a high availability (HA) N+1 configuration. The wireless controller pair functions as the enterprise wireless controller for access points (APs) in flex mode, which are located on multiple floors within a remote office building. Wireless guest access is locally switched, and employee (nonguest) wireless traffic is centrally switched. All authentication, whether for employee (WPA2/802.1X) or guest (WebAuth) wireless traffic, is centrally performed through Cisco ISE, highlighting the use of Cisco ISE as both a AAA server and a guest portal.

The design and deployment of the WLAN is fully automated, utilizing intent-based networking (IBN). Catalyst Center is designed for IBN and provides a level of abstraction from the device-level user interface.


Note


Alternate designs for guest wireless traffic, including local termination with Direct Internet Access (DIA) at the remote office, may be implemented when combining WLAN functionality with Cisco SD-WAN. For more information, see Cisco SD-WAN: Enabling Direct Internet Access.


Figure 2. High-Level Design for Remote Office Wireless Deployment
The high-level design for the remote office wireless deployment depicts the AP in flex mode.

The remote office wireless deployment includes the following features:

  • Site hierarchy consisting of a single area (New York) and a single building (Branch 5) with multiple floors (Floor 1, Floor 2, and Floor 3)

  • Legacy, flex mode in which data traffic is centrally switched for the enterprise SSID and locally switched for the guest SSID

  • Enterprise SSID and guest SSID

  • A single pair of enterprise Catalyst 9800-40 Wireless Controllers in an HA N+1 configuration


Note


The Catalyst Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles or the model config.


The wireless controllers must be assigned to sites during the Catalyst Center provisioning process. For this deployment guide, a Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40) will be assigned to Branch 5 within the New York area, even though the pair is physically located in the data center. There can be only one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning only one enterprise wireless controller can be provisioned per floor within Catalyst Center. The APs on Floor 1 and Floor 2 within Branch 5, New York will be provisioned to C9800-40 through Catalyst Center.

The provisioning time of wireless controllers and APs under scale depends on factors such as the type of day-n operation, the number of site tags, the high availability deployment type (such as SSO or N+1), the number of SSIDs broadcasted by the APs, and the Catalyst Center model.

Day-n operations such as RF profile changes and AP zone modifications require APs to be provisioned, which takes around 1.5 minutes per AP. All other day-n operations—such as adding SSIDs, modifying SSIDs, or making VLAN changes—require only wireless controller provisioning, which depends on the scale of the network. For large deployments with more than 100 sites with unique site tags, you could choose to split those sites into multiple wireless network profiles and attach all of those to the common wireless controller. Doing so provides greater flexibility to stagger rollout of changes—such as changing existing SSID parameters or adding new SSIDs—from a single wireless controller to a large number of sites.

One example of a day-n operation is enabling Fast Transition on SSIDs and changing the AP RF profile. In an N+1 deployment of 124 branches with one AP per branch and a DN1-HW-APL appliance, the operation takes 30 minutes. The following table summarizes the data.

Catalyst Center Model | Catalyst Center Version | Deployment | Preview Time for Wireless Controller and AP | Provision Time for Wireless Controller and AP
DN1-HW-APL | 2.3.5.6 | 124 branches with 1 AP per branch, N+1 and 16 SSIDs | 23 minutes | 29 minutes
DN1-HW-APL | 2.3.7.6 | 124 branches with 1 AP per branch, N+1 and 16 SSIDs | 22 minutes | 29 minutes

Wireless Controller Hosted on AWS Deployment

This wireless deployment uses a Cisco Catalyst 9800-CL Wireless Controller hosted on Amazon Web Services (AWS). The wireless controller is configured as the enterprise wireless controller for access points (APs) in flex mode, which are located on an event center floor. All authentication, whether for employee (WPA2/802.1X) or guest (WebAuth) wireless traffic, is centrally performed through Cisco ISE, which is located in the data center.

Catalyst Center is designed for IBN and provides a level of abstraction from the device-level user interface.

Figure 3. High-Level Design for Cisco Catalyst 9800-CL Wireless Controller Hosted on AWS
The high-level design for this wireless deployment depicts a Catalyst 9800-CL Wireless Controller hosted on AWS.

This wireless deployment includes the following features:

  • Site hierarchy consisting of a single area (San Jose) with an event center (Eventcenter) that has a single floor (Eventcenterfloor)

  • Legacy, flex wireless deployment where all wireless traffic is backhauled to the wireless controller

  • Flex mode in which data traffic is locally switched

  • Enterprise SSID and corporate special event SSID

  • A Catalyst 9800-CL Wireless Controller hosted on AWS


Note


The Catalyst Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config.


The wireless controllers must be assigned to sites during the Catalyst Center provisioning process. For this deployment guide, a Catalyst 9800 Wireless Controller (C9800-CL) on AWS will be assigned to Eventcenter within the San Jose area. There can be only one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning only one enterprise wireless controller can be provisioned per floor within Catalyst Center. The APs on Eventcenterfloor within Eventcenter will be provisioned to C9800-CL on AWS through Catalyst Center.

Migration from the Legacy Network

This section provides an overview of the following migrations from the legacy network, using Cisco AireOS Wireless Controller or Cisco Prime Infrastructure:

  • Legacy Cisco AireOS Wireless Controller to Cisco Catalyst 9800 Series Wireless Controller

  • Cisco Prime Infrastructure to Catalyst Center

Migrate APs from a Legacy Cisco AireOS Wireless Controller to a Cisco Catalyst 9800 Series Wireless Controller

This section explains how to migrate APs from a legacy Cisco AireOS Wireless Controller to a Cisco Catalyst 9800 Series Wireless Controller. For this migration, the minimum AireOS version that is required is 8.5, with support for IRCM. For a detailed migration document, see here.

Procedure

Step 1

Add a temporary floor to the legacy site, which is managed by the Cisco AireOS Wireless Controller.

Step 2

Discover the Catalyst 9800 Series Wireless Controller and provision the wireless controller to the legacy site that manages the newly added floor.

Step 3

Enter the interface details, such as the VLAN, for the legacy flow.

Step 4

Configure a mobility tunnel between the Cisco AireOS Wireless Controller and the Catalyst 9800 Series Wireless Controller.

Step 5

Migrate the APs to the Catalyst 9800 Series Wireless Controller using one of the following methods:

Note


The APs will be migrated to a new wireless controller using the AP config workflow, which will configure the new wireless controller as the primary wireless controller.

  1. Iterative migration: Only specific APs on a floor are migrated (Milpitas/Building 23/Floor2).

    1. On a single floor, identify some of the APs that need to be moved from the Cisco AireOS Wireless Controller to the Catalyst 9800 Series Wireless Controller.

      Do not select all the APs on a single floor.

    2. Create a new temporary floor (Floor 2_1) that is managed by the Catalyst 9800 Series Wireless Controller.

    3. Move the subset of APs to the Catalyst 9800 Series Wireless Controller using the AP config workflow.

      Through the workflow, the Catalyst 9800 Series Wireless Controller will be configured as the primary wireless controller.

    4. Once the subset of APs join the Catalyst 9800 Series Wireless Controller, provision the APs to Catalyst 9800 Series Wireless Controller, which is a part of Floor 2_1.

      At this point, a subset of APs are now managed by the Catalyst 9800 Series Wireless Controller, and the remaining APs are managed by the Cisco AireOS Wireless Controller. As a result, service is not disrupted on that floor.

    5. Iteratively move the remaining APs from the floor to the Catalyst 9800 Series Wireless Controller.

  2. Floor-by-floor migration: An entire set of APs on a floor are migrated to the Catalyst 9800 Series Wireless Controller.

    1. Create a new temporary floor (Floor 2_1) that is managed by the Catalyst 9800 Series Wireless Controller.

    2. Move all the APs on a single floor to the Catalyst 9800 Series Wireless Controller.

    3. Provision the APs to the Catalyst 9800 Series Wireless Controller, which is a part of Floor 2_1.

    4. Provision the Catalyst 9800 Series Wireless Controller to manage Floor 2.

    5. Either iteratively or by entire floor, provision the APs to Floor 2.

    6. Delete the temporary floor, Floor 2_1.

    7. Repeat the first six steps in substep b for your desired sites, buildings, and floors.

    8. Delete the temporary floor created in Step 1.

Step 6

(Optional) Remove the Cisco AireOS Wireless Controller from the inventory using the config cleanup option.


Migrate from Cisco Prime Infrastructure to Catalyst Center

Procedure

Step 1

Perform a readiness check using the Cisco Prime Infrastructure Catalyst Center Assessment and Readiness Tool (PDART).

For more information about using PDART, see Use PDART - a Catalyst Center Readiness Tool.

Step 2

Once you have assessed the readiness of the migration, use the Prime Data Migration Tool (PDMT) to migrate your sites and devices from Cisco Prime Infrastructure to Catalyst Center.


Design the Wireless Network

Ensure that the prerequisites are met, as described in Prerequisites.

This section contains the following topics and processes:

  • Integrate Cisco Identity Services Engine (ISE) with Catalyst Center

  • Cisco ISE and third-party AAA server

  • Configure the site hierarchy in Catalyst Center

  • Configure network services for network operation

  • Campus wireless deployment settings

  • Remote office wireless deployment settings

  • Design the Cisco Catalyst 9800-CL Wireless Controller hosted on AWS

Integrate Cisco ISE with Catalyst Center

The integration of Cisco Identity Services Engine (ISE) with Catalyst Center enables the sharing of information between the two platforms, including device and group information. Specific to this guide, the integration allows you to create a guest portal in Cisco ISE through a workflow in Catalyst Center. The guest portal is created when the guest wireless network is defined within a wireless profile in Catalyst Center. For more information, see Campus Wireless Deployment Settings.

Use the following procedures to integrate Cisco ISE with Catalyst Center:

Cisco ISE and Third-Party AAA Server

Catalyst Center supports third-party AAA servers for RADIUS and TACACS+ authentication; however, Cisco ISE additionally provides endpoint analytics that a third-party AAA server does not.

Configure Cisco ISE as an Authentication and Policy Server to Catalyst Center

Before you begin
To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.
Procedure

Step 1

Log in to the Catalyst Center web console using an IP address or a fully qualified domain name.

Example:
https://<Catalyst_Center_IPaddr_or_FQDN>

Step 2

From the top-left corner, click the menu icon and choose System > Settings.

Step 3

In the left pane, from the External Services drop-down list, choose Authentication and Policy Servers.

Step 4

From the Add drop-down list, choose ISE.

The Add ISE server slide-in pane is displayed.

Step 5

Enter the server details in the required fields.

The following table describes the fields in the Add ISE server slide-in pane.

Field | Settings | Description
Server IP Address | Text Field | IP address of the Cisco ISE server. If multiple IP addresses are configured, ensure this IP address is shown on the Cisco ISE deployment instance.
Shared Secret | Text Field | The shared secret used by network devices for communicating with the Cisco ISE server. Within the IOS XE device configuration, this is known as the PAC key.
Username | Text Field | The username of the default super admin account, which you created during Cisco ISE installation.
Password | Text Field | The password of the default super admin account, which you created during Cisco ISE installation.
FQDN | Text Field | The fully qualified domain name of the Cisco ISE server.
Virtual IP Address | Text Field | One or more Policy Services Nodes (PSNs) may be behind a single load balancer. When this happens, you can add the load balancer IP(s) in the Virtual IP field.
Advanced Settings > Protocol | Multiple Choice Radio Button | Determines the authentication protocol(s). Options: RADIUS (the default setting, which uses the RADIUS protocol) or TACACS (uses the TACACS protocol).
Advanced Settings > Authentication Port | Text Field | When RADIUS is selected, the default port is 1812.
Advanced Settings > Accounting Port | Text Field | When RADIUS is selected, the default port is 1813.
Advanced Settings > Port | Text Field | This field appears only when TACACS is selected. The default port is 49.
Retries | Number | The number of authentication retries before failure. The default is 3 retries.
Timeout (seconds) | Number | The number of seconds before an attempt times out. The default is 4 seconds.

For this design and deployment guide, the following information was entered.

Field | Value
Server IP Address | 172.23.240.152
Shared Secret | —
Cisco ISE Server | On
Username | admin
Password | —
FQDN | cvdise31.cagelab.local
Subscriber Name | admin
SSH Key | —
Virtual IP Address | —
Advanced Settings > Protocol | RADIUS
Advanced Settings > Authentication Port | 1812
Advanced Settings > Accounting Port | 1813
Retries | 3
Timeout (seconds) | 4

Note


Before adding Cisco ISE, confirm that the following prerequisites are met:

  • Your version of Cisco ISE is compatible with your version of Catalyst Center.

    For more information, see the Catalyst Center Compatibility Matrix.

  • The Cisco ISE GUI password matches the Cisco ISE CLI password.

  • PxGrid is enabled for the Cisco ISE deployment instance.

  • The ERS on the Cisco ISE server is enabled for read/write.

Step 6

Click Add to create the Cisco ISE server within Catalyst Center.

The ISE server Integration slide-in pane displays a message about accepting the Cisco ISE certificate and establishing trust.

The ISE server integration slide-in pane displays the options to accept or decline the Cisco ISE certificate.

Step 7

Click Accept.

After the integration is complete, the Authentication and Policy Servers window is displayed. The new Cisco ISE server should display an ACTIVE status.

If you want to change any server settings, hover your cursor over the ellipsis icon in the Actions column and choose Edit.

The Edit ISE server slide-in pane displays the server settings that can be changed.

Configure Site Hierarchy and Import Floor Maps

The configuration of the site hierarchy includes defining the network sites for deployment and defining the hierarchical relationships of the network sites, which consist of areas, buildings, and floors. Child sites automatically inherit certain attributes from parent sites, but you can override the attributes within the child site.

The following table summarizes the site hierarchy for this guide. A single area (Milpitas) is provisioned, containing multiple buildings (Building 23 and Building 24), each with multiple floors (Floor 1 and Floor 2).

Name | Type of Site | Parent | Additional Information
Milpitas | Area | Global | —
Building 23 | Building | Milpitas | Address: 560 McCarthy Boulevard, Milpitas, California 95035
Building 24 | Building | Milpitas | Address: 510 McCarthy Boulevard, Milpitas, California 95035
Floor 1 | Floor | Building 23 | Dimensions: 200 ft. x 274 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair.
Floor 2 | Floor | Building 23 | Dimensions: 200 ft. x 274 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair.
Floor 1 | Floor | Building 24 | Dimensions: 200 ft. x 250 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair.
Floor 2 | Floor | Building 24 | Dimensions: 200 ft. x 250 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair.

This section contains the following processes:

  • Create an area

  • Create a building within an area

  • Create a floor in a building

  • Create and position a planned AP by using the Catalyst Center GUI or by importing from Cisco Prime Infrastructure or Ekahau

Create an Area

Before you begin

To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.

Procedure

Step 1

Log in to the Catalyst Center web console using an IP address or a fully qualified domain name.

Example:
https://<Catalyst_Center_IPaddr_or_FQDN>

Step 2

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

The Network Hierarchy window is displayed.

If this is the first time you have configured the network hierarchy, the left hierarchy pane may only display a single Global entry.

The + Add Site option sits above a map of the United States, with the global entry drop-down list shown in the left hierarchy pane.

Step 3

Click + Add Site > Add Area.

The Add Area dialog box is displayed.

The Add Area pop-up window shows the area name, parent, and the options to cancel the request or add the area.

Step 4

In the Add Area dialog box, enter the Area Name and choose the desired parent from the Parent drop-down list.

For this deployment guide, choose Global for the Parent and create an area named Milpitas within an area named US.

Step 5

Click Add.


Create a Building Within an Area

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

Click + Add Site > Add Building.

The Add Building dialog box is displayed.

The Add Building pop-up window contains the following fields: building name, parent, address, latitude, and longitude.

Step 3

In the Add Building dialog box, enter the Building Name and choose the desired area from the Parent drop-down list.

For this deployment guide, enter Building 23 for the Building Name. For the Parent, choose Milpitas | Global/US.

Step 4

Enter the building address or GPS coordinates using one of the following methods:

  • In the Address field, enter the building address and choose the correct address from the list of available options. Latitude and longitude will be automatically entered in the Latitude and Longitude fields for the chosen address.

  • Enter the GPS coordinates of the building in the Latitude and Longitude fields. If you use this method, you do not need to enter an address.

For this deployment guide, enter the address 560 McCarthy Boulevard, Milpitas, California 95035, which is configured for Building 23.

Step 5

Click Add.

For this deployment guide, repeat Step 1 through Step 5 to add a second building, Building 24, to the Milpitas area.


Create a Floor in a Building

AP locations and wireless coverage (heatmaps) can be displayed from the floor maps. Floors are referenced during wireless provisioning.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

Click + Add Site > Add Floor.

The Add Floor dialog box is displayed.

The Add Floor dialog box shows the various configurable fields: floor name, site, floor type, floor number, thickness, floor image, width (ft), length (ft), and height (ft).

Step 3

In the Add Floor dialog box, enter the Floor Name and choose the desired area from the Site drop-down list.

For this deployment guide, enter Floor 1 for the Floor Name. For the Site, choose Milpitas | Global/US, and for the Building, choose Building 23 | Global/US/Milpitas/.

Step 4

Choose the appropriate space type from the Type (RF Model) drop-down list and enter the associated Floor Number.

Step 5

Choose the appropriate floor type from the Floor Type drop-down list and enter the associated Thickness (ft).

Step 6

Add the floor plan to the Floor Image area using one of the following methods:

  • Drag and drop the floor plan file into the Floor Image area.

  • Click Upload file and choose the floor plan file that you want to upload.

Note


If you have floor map diagrams in DXF, DWG, JPG, GIF, or PNG format, you can add them to any defined floor. If you import a map archive that has been exported from Cisco Prime Infrastructure, ensure that the site hierarchy configured in Catalyst Center is identical to the site hierarchy configured in Cisco Prime Infrastructure.

Step 7

Click the Width (ft) radio button and enter the floor width in feet.

Step 8

Click the Length (ft) radio button and enter the floor length in feet.

Step 9

In the Height (ft) field, enter the ceiling height in feet.

Note


Adding the floor width, floor length, and ceiling height allows you to scale the floor plan correctly, impacting wireless coverage (heatmaps) and AP positioning.

For this deployment guide, enter 200 for the Width (ft). For the Length (ft), enter 275, and for the Height (ft), enter 10.

Step 10

Click Add.

For this deployment guide, repeat Step 1 through Step 10 three times to add Floor 2 to Building 23, Floor 1 to Building 24, and Floor 2 to Building 24.


Create and Position a Planned AP in Catalyst Center

There are three ways to get a planned AP on a floor map:

  • Create a planned AP in Catalyst Center UI

  • Import a map that has been exported from Cisco Prime Infrastructure

  • Import a map that has been exported from Ekahau

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

In the left hierarchy pane, from the Global drop-down list, choose the desired floor for the AP.

Step 3

Click Add/Edit.

Step 4

From the Planned AP Models drop-down list, click Add model.

The Floor 1 map shows the planned AP model for Floor 1.

Step 5

In the Select AP models to add dialog box, choose the AP model from the drop-down list.

Step 6

Click Add AP models.

Step 7

From the Planned AP Models drop-down list, choose the desired AP model.

Step 8

In the floor map, move your cursor to the desired location of the AP and click the location.

Step 9

In the Edit Planned AP slide-in pane, ensure the Planned AP Name matches the real AP host name.

If a red octagon with an X is displayed, choose an Antenna from the Antenna drop-down list.

Step 10

Click Save.


Import a Map from Cisco Prime Infrastructure

Before you begin

This section assumes that the map has already been exported from Cisco Prime Infrastructure. For more information, see the "Export Maps Archive" topic in the Cisco Prime Infrastructure 3.10 User Guide.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

In the left hierarchy pane, choose Global.

Cisco Prime Infrastructure maps can be imported at the Global level.

Step 3

Click Import > Import Maps.

The Catalyst Center user interface shows the global map and the functionality for importing maps.

Step 4

In the Import Maps dialog box, import the map using one of the following methods:

  • Click Choose a file and choose the map file that you want to upload.

  • Drag and drop the map file into the Import Maps upload area.

Step 5

Click Import.


Export a Map from Catalyst Center as an Ekahau Project File

To create and position a planned AP using Ekahau, first create the sites in Catalyst Center and export the sites as an Ekahau project. Then, create the planned AP in Ekahau and save the AP as an Ekahau project. Finally, import the Ekahau project back into Catalyst Center.


Note


You can only export an Ekahau project file at a non-nested site level, which means there can be only one site with buildings within the chosen site.


The following steps explain this process:

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

In the left hierarchy pane, choose the appropriate site for your map.

For this deployment guide, choose Milpitas.

Step 3

Hover your cursor over the ellipsis icon and choose Export Maps.

The Catalyst Center UI displays the map for Milpitas and shows the option to export maps.

Step 4

In the Export Maps dialog box, enter the desired file name and click the Ekahau Project radio button.

The Export Maps dialog box shows the project file name and the export format options: Ekahau Project and Prime.

Step 5

Click Export.


Import a Map from Ekahau

Before you begin

The maps imported from Ekahau are in Ekahau project file format. Ensure that the map is imported at the same site level at which the map was exported. For example, if the map was exported from the Milpitas site, you must import the map from Milpitas.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Hierarchy.

Step 2

In the left hierarchy pane, choose the appropriate site for your map.

For this deployment guide, choose Milpitas.

Step 3

Hover your cursor over the ellipsis icon and choose Import Ekahau Project.

The Catalyst Center UI displays the map for Milpitas and shows the option to import an Ekahau project.

Step 4

In the Import Ekahau Project dialog box, import the map using one of the following methods:

  • Click Choose a file and choose the project file that you want to upload.

  • Drag and drop the map file into the Import Ekahau Project upload area.

Step 5

Click Import.


Configure Network Services for Network Operation

This section explains how to configure AAA, DHCP, DNS, NTP, SNMP, and syslog services that align with the site hierarchy in Catalyst Center. If the services use the same servers across the entire site hierarchy, you can configure the services globally. The inheritance properties of the site hierarchy allow global settings to be available to all sites. Differences for individual sites can then be applied on a site-by-site basis. This guide shows the network services created globally.

Procedure


Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Network.

Step 2

In the left hierarchy pane, choose Global.

Step 3

Click + Add Servers.

Step 4

In the Add Servers dialog box, check the AAA check box and the NTP check box.

This guide does not require the deployment of Image Distribution or Stealthwatch Flow Destination, so do not check the Image Distribution check box or the Stealthwatch Flow Destination check box.

Step 5

Click OK.

An AAA server and an NTP server are now displayed in the Network window.

Step 6

Configure the relevant fields for the AAA Server.

For both network devices and wireless clients, this design and deployment guide uses Cisco ISE as the AAA server (which uses the RADIUS protocol). For this guide, the following fields were configured for the AAA Server.

Table 5. AAA Server Configuration
Field                                     Value
Network                                   Checked
Client/Endpoint                           Checked
Network > Servers                         ISE
Network > Protocol                        TACACS
Network > Network                         172.23.240.152
Network > IP Address (Primary)            10.4.48.152
Network > Shared Secret                   —
Client/Endpoint > Servers                 ISE
Client/Endpoint > Protocol                RADIUS
Client/Endpoint > Network                 172.23.240.152
Client/Endpoint > IP Address (Primary)    10.4.48.152
Client/Endpoint > Shared Secret           —

Figure 4. AAA Server Configuration in Catalyst Center
The AAA Server section displays the configuration options for the AAA server.

Step 7

Configure the relevant fields for the DHCP Server.

This design and deployment guide uses a single Microsoft Active Directory (AD) server, which functions as both the DNS and DHCP servers for the network. For this guide, the following field was configured for the DHCP Server.

Table 6. DHCP Server Configuration
Field     Value
DHCP      10.4.48.9

Figure 5. DHCP Server Configuration in Catalyst Center
The DHCP Server section displays the configuration options for the DHCP server.

Step 8

Configure the relevant fields for the DNS Server.

Because this design and deployment guide uses a lab network, the DNS Server configuration only used a single DNS domain. For this guide, the following fields were configured for the DNS Server.

Table 7. DNS Server Configuration
Field          Value
Domain Name    cagelab.local
Primary        10.4.48.9

Figure 6. DNS Server Configuration in Catalyst Center
The DNS Server section displays the configuration options for the DNS server.

Step 9

Configure the relevant fields for the NTP Server.

For production networks, multiple NTP servers can be added for resiliency and accuracy. Time synchronization within a network is essential for any logging functions, as well as secure connectivity such as SSH. Because this design and deployment guide uses a lab network, the NTP Server configuration only used a single NTP server. For this guide, the following fields were configured for the NTP Server.

Table 8. NTP Server Configuration
Field         Value
IP Address    10.4.48.17
Time Zone     GMT

Figure 7. NTP Server Configuration in Catalyst Center
The NTP Server section displays the configuration options for the NTP server.

Step 10

Choose the desired time zone from the Time Zone drop-down list.

Because this design and deployment guide uses a lab network, a single time zone is used for the site hierarchy. In a production network, each site within the site hierarchy would reflect the time zone of the location.

Step 11

For the Message of the day, check the Do not overwrite the existing MOTD banner on the device check box or enter your desired message in the text box.

The Message of the day field controls the message displayed when logging in to the network device. This setting is not applicable to this design and deployment guide, so for this guide, the check box was checked for Do not overwrite the existing MOTD banner on the device.

Step 12

Click Save.

Step 13

At the top of the window, click Telemetry.

Step 14

From SNMP Traps, configure the SNMP trap server.

This design and deployment guide uses Catalyst Center as the SNMP server. If you check the Use Catalyst Center as SNMP trap server check box, SNMP trap information will be sent to Catalyst Center for Cisco AI Network Analytics. For this guide, the following fields were configured for the SNMP server.

Table 9. SNMP Server Configuration
Field                                        Value
Use Catalyst Center as SNMP trap server      Checked
SNMP > IP Address                            —

Figure 8. SNMP Server Configuration in Catalyst Center
The SNMP Traps section displays the options to use Catalyst Center as an SNMP trap server or add an external SNMP trap server.

Step 15

From Syslogs, configure the syslog server.

This design and deployment guide uses Catalyst Center as the syslog server. If you check the Use Catalyst Center as syslog server check box, syslog information will be sent to Catalyst Center for Cisco AI Network Analytics. For this guide, the following fields were configured for the syslog server.

Table 10. Syslog Server Configuration
Field                                     Value
Use Catalyst Center as syslog server      Checked
Syslog > IP Address                       —

Figure 9. Syslog Server Configuration in Catalyst Center
The Syslogs section displays the options to use Catalyst Center as a syslog server or add an external syslog server.

Step 16

Click Save.
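The inheritance behaviour described at the start of this section, as an added example that is not Catalyst Center code: a resolver that walks a site path from Global down, lets the nearest level win, records which level supplied each effective value, and checks that every floor still resolves the required services. It uses the server addresses from Tables 5 to 8; the Milpitas time-zone and Building 24 NTP overrides are constructed to show the mechanism (the guide itself uses one time zone and one NTP server).

```python
"""Resolve the effective network settings for a site through hierarchy inheritance.

The guide configures AAA, DHCP, DNS, NTP and the time zone once at Global and
lets every site inherit them, applying per-site differences only where needed.
Added example (not Catalyst Center code): a lookup that walks
Global -> Area -> Building -> Floor, lets the nearest level win, and records
where each effective value came from.
"""
from typing import Dict, List, Tuple

Settings = Dict[str, object]

# Values taken from Tables 5-8 of the guide. The two lower-level entries are
# constructed to show overrides; the guide itself uses one time zone and one NTP server.
SITE_SETTINGS: Dict[str, Settings] = {
    "Global": {
        "aaa.network.protocol": "TACACS",
        "aaa.network.primary": "10.4.48.152",
        "aaa.client.protocol": "RADIUS",
        "aaa.client.primary": "10.4.48.152",
        "dhcp.server": "10.4.48.9",
        "dns.domain": "cagelab.local",
        "dns.primary": "10.4.48.9",
        "ntp.servers": ("10.4.48.17",),
        "timezone": "GMT",
    },
    "Global/Milpitas": {"timezone": "America/Los_Angeles"},                        # constructed
    "Global/Milpitas/Building 24": {"ntp.servers": ("10.4.48.17", "10.4.48.18")},  # constructed
}

# Services the guide configures for every device: each floor must resolve all of these.
REQUIRED_KEYS = ("aaa.client.primary", "dhcp.server", "dns.primary", "ntp.servers", "timezone")

# The floors created earlier in this guide.
FLOORS = [
    "Global/Milpitas/Building 23/Floor 1",
    "Global/Milpitas/Building 23/Floor 2",
    "Global/Milpitas/Building 24/Floor 1",
    "Global/Milpitas/Building 24/Floor 2",
]


def lineage(site_path: str) -> List[str]:
    """The site and its ancestors from Global down, e.g.
    'Global/Milpitas/Building 23' -> ['Global', 'Global/Milpitas', 'Global/Milpitas/Building 23']."""
    parts = site_path.split("/")
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


def resolve(site_path: str) -> Dict[str, Tuple[object, str]]:
    """Effective settings for a site. Walking from Global toward the site means a
    value set at a lower level replaces the inherited one. Each entry is (value, source level)."""
    effective: Dict[str, Tuple[object, str]] = {}
    for level in lineage(site_path):
        for key, value in SITE_SETTINGS.get(level, {}).items():
            effective[key] = (value, level)
    return effective


def overrides(site_path: str) -> Dict[str, str]:
    """Keys whose effective value does not come from Global, mapped to the level that set them."""
    return {k: src for k, (_, src) in resolve(site_path).items() if src != "Global"}


def missing_required(site_path: str) -> List[str]:
    """Required services that no level in the site's lineage defines."""
    effective = resolve(site_path)
    return [k for k in REQUIRED_KEYS if k not in effective]


if __name__ == "__main__":
    for floor in FLOORS:
        print(floor)
        for key, (value, source) in sorted(resolve(floor).items()):
            print(f"  {key:<22} {str(value):<32} from {source}")
        if missing_required(floor):
            print("  MISSING:", ", ".join(missing_required(floor)))
```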


Campus Wireless Deployment Settings

To configure the campus wireless deployment settings, you need to create the following in Catalyst Center:

  • Wireless interfaces: The Ethernet interfaces (VLANs) that are used for terminating wireless traffic.

  • Enterprise wireless networks: Consist of the nonguest WLANs/SSIDs for the deployment.

  • Guest wireless networks: Consist of the guest WLANs/SSIDs for the deployment.

  • Wireless radio frequency (RF) profiles: Includes the radio frequency profiles for the deployment.

  • Wireless sensor settings: Wireless sensors provide the ability to run diagnostic tests on the WLAN and perform packet captures. For information about wireless sensors, see Monitor and Operate the Wireless Network.

  • CMX servers: Integration with CMX servers allows the location of wireless clients to be displayed on floor maps. For information about integration with CMX servers, see Monitor and Operate the Wireless Network.

  • Native VLAN: The native VLAN configuration is specific to FlexConnect Access Point (AP) deployments.


    Note


    This deployment guide describes a wireless network with APs that operate in the centralized (local) mode.

Recommendations

When configuring the campus wireless deployment settings, consider the following recommendations:

  • Similar to any production deployment, you must place the APs in a VLAN that is different from the Wireless Management Interface (WMI). If you must configure the APs in the same VLAN as the WMI for staging or testing purposes, Cisco recommends that you limit the number of APs to less than 100.

  • For APs in local mode, the round-trip latency must not exceed 20 milliseconds between the access point and the controller.

  • Use PortFast on AP switch ports for APs in local mode, supporting only the centrally switched WLANs. To configure the switch port for PortFast, set the port to be connected as a host port, using the switchport host command or the PortFast command. This configuration allows for a faster AP join process. There is no risk of loops, as local mode APs never directly bridge traffic between VLANs. You can set the port directly to access mode.

  • For APs in Flex mode and local switching, the switch port needs to be in trunk mode for most scenarios. In such cases, use spanning-tree portfast trunk on the switch port.

  • To optimize the TCP client traffic encapsulation in CAPWAP, Cisco recommends that you always enable the TCP Maximum Segment Size (MSS) feature, as it can reduce the overall amount of CAPWAP fragmentation, thereby improving the overall wireless network performance. You must adjust the MSS value depending on the traffic type and Maximum Transmission Unit (MTU) of the Cisco Wireless Controller-to-AP path.

  • In the Cisco Catalyst 9800 Series Wireless Controller, TCP MSS adjust is enabled by default, with a value of 1250 bytes, which is considered an acceptable value for most deployments. You can further optimize the value depending on your setup. You must configure this directly on the wireless controller or via the Template Hub.

Configure Wireless Interfaces

In Catalyst Center, the enterprise and guest WLANs terminate on the Ethernet VLAN interfaces. For this design and deployment guide, the following table shows the wireless interfaces created for the enterprise and guest WLANs.

Table 11. Wireless Interfaces
Name         VLAN    Usage
employee     160     Employee voice and data VLAN
guest-dmz    125     Guest data VLAN
flex         100     Flex client VLAN

Before you begin

To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.

Procedure

Step 1

Log in to Catalyst Center using an IP address or a fully qualified domain name.

For example: https://<Catalyst_Center_IPaddr_or_FQDN>.

Step 2

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

The Wireless Network Settings tiles are displayed.

Figure 10. Wireless Network Settings Tiles
The Wireless Network Settings tiles display the available configurations and customizations for wireless network settings.

Step 3

Click Interfaces & VLAN Groups.

Figure 11. Wireless Interfaces Window
The configurable interfaces and VLAN groups are displayed.

Note

 

Wireless settings are hierarchical. Settings defined at lower levels of the site hierarchy override the settings defined in higher levels. By default, you are taken to the global level, which is the highest level of the site hierarchy. You must define the wireless interfaces at the global level of the site hierarchy.

Step 4

Click + Add next to Wireless Interfaces.

The Create a Wireless Interface slide-in pane is displayed.

Figure 12. Create a Wireless Interface Slide-in Pane
The Create a Wireless Interface slide-in pane is displayed, with fields for an interface name and VLAN ID.

Step 5

Enter the Interface Name and VLAN ID for the wireless interface corresponding to the enterprise VLAN (employee).

Step 6

Click Add.

Repeat this procedure to add the wireless interface for the guest VLAN (guest-dmz). The two new wireless interfaces are displayed in the Wireless Network Settings dashboard.


Configure Enterprise Wireless SSID

Enterprise wireless networks are the nonguest WLANs/SSIDs that are available for broadcast across the deployment, and you must define these wireless networks at the global level of the site hierarchy. Once defined, you can apply the enterprise wireless networks to wireless profiles, and then you can assign wireless profiles to one or more sites within the hierarchy.


Note


We recommend limiting the number of Service Set Identifiers (SSIDs) configured on the controller. You can configure 16 simultaneous WLANs/SSIDs (per radio on each AP). Each WLAN/SSID needs separate probe responses and beaconing transmitted at the lowest mandatory rate, and the RF pollution increases as more SSIDs are added.

Some smaller wireless stations such as PDAs, Wi-Fi phones, and barcode scanners cannot cope with a high number of basic service set identifiers (BSSIDs) over the air, resulting in lockups, reloads, or association failures. We recommend that you have one to three SSIDs for an enterprise and one SSID for high-density designs. By using the AAA override feature, you can reduce the number of WLANs/SSIDs while assigning individual per-user VLANs/settings in a single SSID scenario.


For this deployment guide, a single enterprise WLAN/SSID named lab3employee is provisioned.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 2

Click SSIDs.

Step 3

Hover your cursor over + Add and choose Enterprise.

Step 4

Enter the Basic Settings information and click Next.

Figure 13. Basic Settings Page to Create an Enterprise Wireless SSID
The Basic Settings page displays the following sections: radio policy, quality of service (QoS), and SSID state.

Step 5

Enter the Security Settings information.

Figure 14. Security Settings for the Enterprise SSID
The Security Settings page shows the configuration settings for security level and authentication, authorization, and accounting.

Step 6

To configure the AAA server, click Configure AAA.

Step 7

Enter the configuration values and click Configure.

Figure 15. AAA Server for the Enterprise SSID
The Configure AAA Server dialog box shows the authentication and authorization server(s) and the accounting server.

Step 8

Choose AAA Override, choose 802.1x-SHA256 (802.1X-SHA2), and click Next.

Step 9

Enter the Advanced Settings information.

The Advanced Settings page displays the additional configuration settings options for the enterprise SSID.

Note

 

Enabling the neighbor list (802.11k) may cause some legacy devices to react incorrectly to unknown information. Most devices will ignore the 802.11k information (even if they do not support it), but a disconnection or a failure to associate may occur for some devices. It is advisable to test before enabling this option.

In scenarios where clients move in and out of coverage areas, or when the client is battery operated and may go to sleep frequently, you may consider increasing the idle timeout to 3600 seconds (60 minutes) to reduce the likelihood of client deletion.

For information about features that can be configured for enterprise wireless networks via Catalyst Center, see Enterprise Wireless Network Features Configurable via Catalyst Center.

Step 10

Click Next to associate the feature template. (For this document, no special templates are selected.)

The Associate Model Config to SSID page is displayed. For the SSID in this deployment guide, there is no model config.

Step 11

Click Next.

Step 12

On the Associate SSID to Profile page, either attach the enterprise wireless network to an existing wireless profile or create a new wireless profile and attach the enterprise wireless network.

Note

 

For information about the settings for the enterprise wireless network configured for this deployment guide, see Enterprise Wireless Network Settings Configured in the Deployment Guide.

To attach the enterprise network to an existing network profile, do the following:

  1. Click the available profile in the profile pane.

    Figure 16. Associate SSID to Profile
    The Associate SSID to Profile page shows the existing profiles and the option to add a new profile.
  2. Click Associate Profile.

To create a new wireless profile and attach the enterprise network, do the following:

  1. Click + Add Profile.

    Figure 17. Create a New Wireless Profile
    The following profile settings are displayed: profile name, WLAN profile name, policy profile name, fabric option, interface option, interface name, anchor, and FlexConnect local switching.
  2. In Profile Name field, enter the name of the new wireless profile.

    For this deployment guide, the wireless profile Corporate was created.

  3. Click Associate Profile.

  4. Click the newly created profile.

  5. (Skip this step if SD-Access App is not deployed.) Under Fabric, choose No.

    The Interface field is displayed. This deployment guide only discusses non-SDA wireless deployments using Catalyst Center.

  6. From the Interface Name drop-down menu, choose employee to terminate the lab3employee SSID on the employee VLAN (VLAN 160) created in the previous procedure.

  7. Choose No for Do you need Anchor for this SSID?.

  8. Uncheck the Flex Connect Local Switching check box.

  9. Click Save.

Step 13

Click Next.

Step 14

Review the summary for the Network Profile and click Save.

Step 15

From the top-left corner, click the menu icon and choose Design > Network Profiles.

Step 16

In the Network Profiles table, from the Sites column, click Assign Site for your desired profile.

For this deployment guide, click Assign Site for the newly created wireless profile, Corporate.

Step 17

In the Add Sites to Profile slide-in pane, expand the Global section and its subsections to display the Milpitas area.

Step 18

Check the Milpitas check box.

All of the Milpitas child site locations are automatically selected: Building 23 with Floor 1, Floor 2, and Floor 3 and Building 24 with Floor 1, Floor 2, and Floor 3.

Step 19

Click Save.

Step 20

Click Edit under summary of Network Profiles Attach Template(s) to add CLI-based templates to the enterprise wireless network configuration.

Note

 

You must define all the templates within the Template Editor dashboard of Catalyst Center. This design and deployment guide does not discuss the addition of templates, because doing so requires knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. The Catalyst Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config.

Step 21

Click Save.

The Corporate wireless profile is assigned to the Milpitas area. The wireless profile contains the lab3employee SSID, so when wireless controllers and APs are assigned to the Milpitas area, the APs will broadcast the lab3employee SSID.

Step 22

Click Finish to add the lab3employee enterprise wireless network.

The new enterprise wireless network is displayed in the Wireless Network Settings dashboard.

For information about configuring overrides, see Define Site Override Support.
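A design-time pre-check for the SSID settings chosen in this procedure, as an added example that is not Catalyst Center's own validation: it encodes the constraints this guide states for Level of Security per band, Protected Management Frame with WPA3, Fast Transition on open-secured SSIDs, AAA Override and posture, server and MPSK limits, Fastlane, the Session Timeout range and the SSID-count limits. The field names are this script's own, chosen to mirror the UI labels; the lab3employee values are the ones used in this guide, with the bands and server list assumed.

```python
"""Design-time checks for an enterprise SSID before it is provisioned.

Encodes the constraints this guide states for Level of Security, Protected
Management Frame, Fast Transition, AAA, Fastlane, MPSK, Session Timeout and
SSID count. Added example, not Catalyst Center's own validation; the field
names are this script's own and mirror the UI labels.
"""
from dataclasses import dataclass, field
from typing import List

MAX_SSIDS_PER_RADIO = 16        # simultaneous WLANs/SSIDs per radio on each AP
RECOMMENDED_MAX_SSIDS = 3       # guide recommends one to three enterprise SSIDs
MAX_AAA_SERVERS = 6             # authentication servers, and accounting servers, per SSID
MAX_MPSK_KEYS = 5               # MPSKs per WPA2-Personal SSID
SESSION_TIMEOUT_RANGE = (300, 86_400)   # seconds


@dataclass
class SsidDesign:
    name: str
    security: str                       # "Enterprise", "Personal", "Open Secured", "Open"
    bands: frozenset                    # subset of {"2.4", "5", "6"}
    wpa2: bool = False
    wpa3: bool = False
    pmf: str = "Optional"               # "Optional", "Required", "Disabled"
    fast_transition: str = "Adaptive"   # "Adaptive", "Enable", "Disable"
    aaa_servers: List[str] = field(default_factory=list)
    accounting_servers: List[str] = field(default_factory=list)
    aaa_override: bool = False
    posture: bool = False
    traffic_type: str = "Voice and Data"   # or "Data"
    fastlane: bool = False
    mpsk_priorities: List[int] = field(default_factory=list)
    cwa_flex_mode: bool = False
    session_timeout: int = 1800          # guide default: enabled, 1800 s
    ios_xe_17_7_or_later: bool = True


def check_ssid(s: SsidDesign) -> List[str]:
    """Findings for one SSID; an empty list means no stated constraint is violated."""
    f: List[str] = []
    if s.security in ("Enterprise", "Personal"):
        if "6" in s.bands and s.ios_xe_17_7_or_later:
            # 6 GHz is only operational on 17.7+ with WPA3 enabled and WPA2 disabled
            if not (s.wpa3 and not s.wpa2):
                f.append("6 GHz operation requires WPA3 enabled and WPA2 disabled")
        elif s.bands == {"2.4", "5"} and not s.wpa2:
            f.append("2.4/5 GHz multiband operation requires WPA2 (WPA3 optional)")
        if s.wpa3 and s.pmf != "Required":
            f.append("Protected Management Frame must be Required for WPA3")
    if s.security == "Open Secured" and s.fast_transition == "Enable":
        f.append("Fast Transition is not applicable to an open-secured SSID")
    if s.aaa_override and not s.aaa_servers:
        f.append("AAA Override needs an AAA server configured via Configure AAA")
    if s.posture and not s.aaa_servers:
        f.append("posture assessment requires AAA configuration")
    if len(s.aaa_servers) > MAX_AAA_SERVERS or len(s.accounting_servers) > MAX_AAA_SERVERS:
        f.append(f"at most {MAX_AAA_SERVERS} authentication and {MAX_AAA_SERVERS} accounting servers")
    if s.fastlane and s.traffic_type != "Voice and Data":
        f.append("Fastlane can only be enabled when the traffic type is Voice and Data")
    if s.mpsk_priorities:
        if not (s.security == "Personal" and s.wpa2):
            f.append("MPSK applies only to WPA2-Personal")
        if len(s.mpsk_priorities) > MAX_MPSK_KEYS:
            f.append(f"at most {MAX_MPSK_KEYS} MPSKs per SSID")
        if s.cwa_flex_mode and 0 not in s.mpsk_priorities:
            f.append("priority 0 key missing: CWA flex-mode clients may fail to connect")
    lo, hi = SESSION_TIMEOUT_RANGE
    if not lo <= s.session_timeout <= hi:
        f.append(f"session timeout {s.session_timeout} s outside {lo}-{hi} s")
    return [f"{s.name}: {msg}" for msg in f]


def check_site(ssids: List[SsidDesign]) -> List[str]:
    """Findings across all SSIDs one set of APs will broadcast, including the count limits."""
    f = [msg for s in ssids for msg in check_ssid(s)]
    if len(ssids) > MAX_SSIDS_PER_RADIO:
        f.append(f"{len(ssids)} SSIDs exceeds the {MAX_SSIDS_PER_RADIO} per-radio limit")
    elif len(ssids) > RECOMMENDED_MAX_SSIDS:
        f.append(f"{len(ssids)} SSIDs: guide recommends one to three enterprise SSIDs")
    return f


# The guide's enterprise SSID: 802.1X with AAA Override to Cisco ISE (10.4.48.152).
# Bands and the accounting server are assumed for this example.
LAB3EMPLOYEE = SsidDesign(
    name="lab3employee", security="Enterprise", bands=frozenset({"2.4", "5"}),
    wpa2=True, aaa_servers=["10.4.48.152"], accounting_servers=["10.4.48.152"],
    aaa_override=True,
)

if __name__ == "__main__":
    for finding in check_site([LAB3EMPLOYEE]) or ["no findings"]:
        print(finding)
```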


Enterprise Wireless Network Features Configurable via Catalyst Center

Table 12. Enterprise Wireless Network Features Configurable via Catalyst Center
Feature Type Description

Wireless Network Name (SSID)

Text Field

The SSID for the WLAN.

WLAN Profile Name

Text Field

Catalyst Center considers SSID_Profile to be the default, which is based on the SSID name. You can change the WLAN profile name as per your requirements.

Policy Profile Name

Non Editable

Policy Profile Name is the same as the WLAN Profile Name and is not editable.

Based on the WLAN profile name, Catalyst Center automatically generates the policy profile name for the Cisco Catalyst 9800 Series Wireless Controller.

BROADCAST SSID

On/Off Toggle

Determines whether the SSID will be broadcast in wireless beacons and probe responses.

SSID STATE

On/Off Toggle

Use the toggle button to turn on or turn off the radios on the APs. When the Admin Status is disabled, the APs remain associated with the wireless controller and are accessible, but the APs still require licenses.

Sensor

On/Off Toggle

Ensure that Sensor is disabled.

WIRELESS OPTION

Radio Button

Determines in which RF bands the SSID will be broadcast. The following wireless options are available:

  • Multiband operation (2.4 GHz, 5 GHz, and 6 GHz).

  • Multiband operation with band select. Band selection enables client radios that are capable of operating in both the 2.4 GHz and 5 GHz band to move to the typically less congested 5 GHz band by delaying probe responses on the 2.4 GHz channels.

  • 5 GHz only.

  • 2.4 GHz only.

  • 6 GHz only.

LEVEL OF SECURITY

Radio Button

Determines the Layer 2 (L2) security settings for the WLAN. Choose the encryption and authentication type for the network. The sites, buildings, and floors inherit settings from the global hierarchy. You can override the level of security at the site, building, or floor level. The following choices are available:

  • Enterprise: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes.

    Note

     

    Wi-Fi Protected Access 2 (WPA2) uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP).

    WPA3 is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides higher-grade security protocols for sensitive data networks.

    For multiband operation using only 2.4 GHz and 5 GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4 GHz, 5 GHz, and 6 GHz bands, you must enable WPA3 and disable WPA2 for the 6 GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

  • Personal: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes. By default, the WPA2 check box is enabled. If you choose Personal, enter the passphrase key in the Passphrase field. This key is used as the pairwise master key (PMK) between the clients and authentication server.

    Note

     

    WPA3-Personal brings better protection to individual users by providing more robust password-based authentication, making the brute-force dictionary attack much more difficult and time-consuming.

    For WPA2-Personal, you can override a preshared key (PSK) at the site, building, or floor level. If you override a PSK at the building level, the subsequent floors inherit the new settings. For information, see Preshared Key Override.

    For multiband operation using only 2.4 GHz and 5 GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4 GHz, 5 GHz, and 6 GHz bands, you must enable WPA3 and disable WPA2 for the 6 GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

    (Optional) For WPA2-Personal, do the following to configure multi-preshared key (MPSK) support:

    1. Click Configure MPSK.

    2. In the Configure MPSK dialog box, click Add to an MPSK. You can add up to five MPSKs.

    3. From the Priority drop-down list, choose a priority.

      Note

       

      If the priority 0 key is not configured in central web authentication (CWA) flex mode, client connection to the WLAN may fail.

      From the Passphrase Type drop-down list, choose a passphrase type.

    4. In the Passphrase field, enter a passphrase.

    5. Click Save.

    MPSK applies to the Layer 2 security configuration for WPA2-Personal.

  • Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to redirect the clients to an open-secured SSID. The open-secured policy provides the least security.

    Note

     

    Fast Transition is not applicable for open-secured SSID.

  • Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.

Primary Traffic Type

Drop Box

For Catalyst 9800 Series Wireless Controllers, the setting applies a precious metals QoS SSID policy in both the upstream and downstream direction for the WLAN/SSID. Precious metals policies control the maximum DSCP marking within the CAPWAP header as traffic is tunneled between the AP and the Cisco Wireless Controller in centralized (local mode) designs.

The following choices are available:

  • VoIP (Platinum): QoS on the wireless network is optimized for wireless voice and data traffic.

  • Video (Gold): QoS on the wireless network is optimized for video traffic.

  • Best Effort (Silver): QoS on the wireless network is optimized for wireless data traffic only.

  • Non-real Time (Bronze): QoS on the wireless network is optimized for low-bandwidth usage.

Fastlane

Check Box

You can check this check box only when the type of Enterprise Network is Voice and Data.

For the Catalyst 9800 Series Wireless Controller, the Fastlane check box enables Auto QoS in Fastlane mode. Auto QoS in Fastlane mode configures the Fastlane EDCA profile for both the 5 GHz and 2.4 GHz bands. However, no precious metals QoS SSID policy is applied to the WLAN/SSID when the Fastlane check box is selected.

Configure AAA

Link

Click Configure AAA to add and configure the AAA servers for the enterprise wireless network SSID. Select the Authentication, Authorization, and Accounting server from the drop-down list.

Click + to add a server.

Note

 

You can configure a maximum of six AAA servers for an SSID of an enterprise wireless network for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches.

From the Additional Server drop-down list, choose the server IP address.

To use the AAA server for accounting, check the Copy Same Servers for Accounting check box.

To configure a different accounting server for an SSID, do the following:

  1. From the Configure Accounting Server drop-down list, you can either search for a server IP address by entering its name in the Search field or choose the accounting server IP address.

  2. Click + to add a server.

    Note

     

    You can configure a maximum of six accounting servers for an SSID of enterprise wireless network for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches.

  3. From the Additional Server drop-down list, choose the server IP address.

Catalyst Center allows you to override the set of AAA server configurations for the SSID at the site level. For each set of overridden AAA settings per SSID, Catalyst Center creates a new WLAN profile with the corresponding AAA servers mapped to it. If an SSID is overridden for different floors, and you make changes in the AAA servers, Catalyst Center creates the new WLAN profiles equal to the number of floors.

You must reprovision the device to override the AAA servers at the site level.

Deny RCM Clients

Check Box

Check the check box to deny clients with randomized MAC addresses.

Mac Filtering

Check Box

This is an additional L2 security setting that applies MAC address filtering for the WLAN.

AAA Override

Check Box

Check this check box to enable the AAA override functionality.

By default, this check box is dimmed. You must configure an AAA server using the Configure AAA option to use this check box.

Enable Posture

Check Box

Check this check box to enable posture assessment. The Pre-Auth ACL List Name drop-down list appears when you enable posture. Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies. This allows you to control clients' access to protected areas of a network.

Pre-Auth ACL List Name

Drop Box

Choose the ACL list name that you already created to map with the SSID.

Note

 

AAA configuration is mandatory for posturing. Click Configure AAA to add AAA servers for the enterprise wireless network SSID.

Advanced Settings – FAST TRANSITION (802.11r)

Radio Button and Check Box

Additional L2 security settings for the WLAN that controls 802.11r Fast Transition (FT). The following radio button choices are available:

  • Adaptive: This setting allows devices that support 802.11r Fast Transition to use it, as well as other 802.11r and non-802.11r devices to associate in a non-Fast Transition state. This is the default setting.

  • Enable: This setting enables 802.11r Fast Transition.

  • Disable: This setting disables 802.11r Fast Transition.

Over the DS: Check box that enables Over-the-DS (Distribution System) Fast Transition. With Over-the-DS Fast Transition, the wireless station communicates with the target AP through the current AP, which is then forwarded through the wireless controller. The Cisco-Apple best practice is to disable Over-the-DS, even though the default is enabled.

Advanced Settings – Protected Management Frame (802.11w)

Radio Button

The options available under Protected Management Frame (802.11w) vary based on the settings that you chose under Level of Security. The following options may be available:

  • Optional

  • Required

  • Disabled

The Required option is mandatory for WPA3.

Advanced Settings – Session timeout

Check Box and Integer Field

Configures the maximum time for a client session to remain active before requiring reauthorization. The range is between 300 and 86,400 seconds (5 minutes and 24 hours). The default is enabled with a time of 1800 seconds (30 minutes).

Advanced Settings – Client Exclusion

Check Box and Integer Field

Configures the amount of time a wireless client is excluded from attempting to authenticate after the maximum number of authentication failures has been exceeded. The default is enabled with a time of 180 seconds (3 minutes).

Advanced Settings – MFP CLIENT PROTECTION

Radio Button

Additional security setting that controls the use of 802.11w Protected Management Frames for the WLAN. The following radio button choices are available:

  • Optional: This setting allows wireless stations to use the 802.11w Protected Management Frames that they support and allows other wireless stations that do not support PMFs to coexist on the WLAN. This is the default setting.

  • Required: The wireless client is required to use Protected Management Frames on the WLAN.

  • Disabled: Protected Management Frames are disabled on the WLAN.

Advanced Settings – 11k Neighbor List

Check Box

Controls the use of 802.11k Assisted Roaming neighbor lists for the WLAN, which can limit the need for passive and active scanning by the wireless client. The default setting is enabled for the band (5 GHz or 2.4 GHz) with which the client is associated.

Advanced Settings – Client User Idle Timeout

Check box

Client User Idle Timeout: Check this check box to set the user idle timeout for a WLAN.

Note

 

If the amount of data sent by the client exceeds the threshold configured with the user idle timeout, the client is considered active and the wireless controller starts another timeout period.

By default, Client User Idle Timeout is enabled with a user idle timeout of 300 seconds.

NAS-ID

Drop-down list

From the NAS-ID Opt drop-down list, choose the required type of network access server identifier (NAS ID).

To specify a custom script for the NAS ID, choose Custom Option from the NAS-ID Opt drop-down list and enter the custom script in the corresponding Custom Script for Opt field. You can enter up to 31 alphanumeric characters, special characters, and spaces for the custom script. Catalyst Center does not support the special characters ?, ", and <, or trailing spaces, in the custom script.

Note

 

Catalyst Center supports NAS ID with custom script only for Catalyst 9800 Series Wireless Controllers that run Cisco IOS XE Release 17.7 or later.

(Optional) Click + to add another NAS ID. You can add up to three NAS IDs.

Advanced Settings – Coverage Hole Detection

Toggle button

Use the Coverage Hole Detection toggle button to enable or disable the coverage hole detection functionality.

Advanced Settings – Client Rate Limit

Integer Field

Configure Client Rate Limit: Enter a value for the client rate limit in bits per second. The valid range is from 8000 through 100,000,000,000. The value must be a multiple of 500.

The following are the valid ranges for client rate limit on Cisco IOS XE devices:

  • The valid range for the Cisco Catalyst 9800-L Wireless Controller, the Cisco Catalyst 9800-40 Wireless Controller, and the Cisco Catalyst 9800-80 Wireless Controller is from 8000 through 67,000,000,000 bits per second.

  • The valid range for the Cisco Catalyst 9800-CL Wireless Controller is from 8000 through 10,000,000,000 bits per second.

  • The valid range for the Cisco Embedded Wireless Controller on Catalyst Access Points is from 8000 through 2,000,000,000 bits per second.

  • The valid range for the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches is from 8000 through 100,000,000,000 bits per second.

Advanced Settings – Directed Multicast Service

Check box

Directed Multicast Service: Check this check box to enable directed multicast service.

Note

 

By default, Directed Multicast Service (DMS) is enabled. Using the DMS, the client requests APs to transmit the required multicast packets as unicast frames, which allows clients to sleep for a longer time and saves the battery power.

Advanced Settings – Radius Client Profiling

Toggle button

For RADIUS Client Profiling, use this toggle button to enable or disable RADIUS profiling on a WLAN.

Note

 

At least one AAA or PSN server is required to enable this feature.

Advanced Settings – CCKM

Toggle button

Configure CCKM: Use this toggle button to enable CCKM as the authentication key management option in Catalyst Center.

Timestamp Tolerance: This field is visible only if you enable CCKM. Enter the CCKM tolerance level.

Note

 

You can configure CCKM only if the SSID's Layer 2 security is set to Enterprise with WPA2 or WPA2+WPA3.

Advanced Settings – 11v BSS TRANSITION SUPPORT

Multiple Check Boxes and Integer Field

Additional settings for support of 802.11v Wireless Network Management (WNM) for the WLAN. The following settings are available:

  • BSS Max Idle Service: Check box that enables the maximum idle service for the WLAN. Allows APs to send the timeout value to the wireless client within association and reassociation response frames. The default setting is enabled.
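The Client Rate Limit and NAS-ID rows above state numeric limits that the SSID workflow enforces at entry time: a lower bound of 8000 bps, a platform-specific upper bound and a 500 bps step for the rate limit; 31 characters, no ?, ", or < and no trailing spaces for a NAS-ID custom script; and at most three NAS IDs. The following Python is an added example, not Catalyst Center code, that encodes only those stated limits so a practitioner can check values in a script before typing them into the workflow. The platform labels used as dictionary keys are chosen here and are not Catalyst Center identifiers; the sample values are constructed.

```python
"""Input checks for two SSID advanced settings described in this guide.

Added example, not Catalyst Center code. It encodes only the limits stated
in the guide: the client rate limit range per controller platform (8000 bps
lower bound, platform-specific upper bound, multiples of 500) and the NAS-ID
custom script rules (31 characters, no ?, ", <, no trailing spaces, at most
three NAS IDs). The platform labels used as keys are chosen here.
"""
from __future__ import annotations

RATE_LIMIT_MIN_BPS = 8000
RATE_LIMIT_STEP_BPS = 500
# Upper bound in bits per second per platform family, as listed in the guide.
RATE_LIMIT_MAX_BPS = {
    "C9800-L/40/80": 67_000_000_000,       # Catalyst 9800-L, 9800-40, 9800-80
    "C9800-CL": 10_000_000_000,            # Catalyst 9800-CL (virtual)
    "EWC-AP": 2_000_000_000,               # Embedded Wireless Controller on Catalyst APs
    "C9800-EMBEDDED-9K": 100_000_000_000,  # 9800 Embedded on Catalyst 9000 switches
}

NAS_ID_MAX_LEN = 31
NAS_ID_FORBIDDEN_CHARS = set('?"<')
NAS_ID_MAX_COUNT = 3


def validate_client_rate_limit(value_bps: int, platform: str) -> list[str]:
    """Return the rule violations for a client rate limit (empty list = accepted)."""
    if platform not in RATE_LIMIT_MAX_BPS:
        return [f"unknown platform {platform!r}"]
    max_bps = RATE_LIMIT_MAX_BPS[platform]
    problems = []
    if not RATE_LIMIT_MIN_BPS <= value_bps <= max_bps:
        problems.append(
            f"{value_bps} is outside {RATE_LIMIT_MIN_BPS}..{max_bps} bps for {platform}")
    if value_bps % RATE_LIMIT_STEP_BPS:
        problems.append(f"{value_bps} is not a multiple of {RATE_LIMIT_STEP_BPS}")
    return problems


def validate_nas_id_script(script: str) -> list[str]:
    """Return the rule violations for one NAS-ID custom script."""
    problems = []
    if len(script) > NAS_ID_MAX_LEN:
        problems.append(f"length {len(script)} exceeds {NAS_ID_MAX_LEN} characters")
    bad = sorted(NAS_ID_FORBIDDEN_CHARS & set(script))
    if bad:
        problems.append("unsupported characters: " + " ".join(bad))
    if script.endswith(" "):
        problems.append("trailing spaces are not supported")
    return problems


def validate_nas_ids(scripts: list[str]) -> list[str]:
    """Validate a whole NAS-ID list, including the three-entry limit."""
    problems = []
    if len(scripts) > NAS_ID_MAX_COUNT:
        problems.append(f"{len(scripts)} NAS IDs configured, maximum is {NAS_ID_MAX_COUNT}")
    for index, script in enumerate(scripts, start=1):
        problems.extend(f"NAS ID {index}: {p}" for p in validate_nas_id_script(script))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide's deployment.
    samples = [(8000, "C9800-L/40/80"), (8250, "C9800-CL"), (2_500_000_000, "EWC-AP")]
    for value, platform in samples:
        print(value, platform, validate_client_rate_limit(value, platform) or "ok")
    print(validate_nas_ids(["Milpitas-B23", "site?1 ", "x" * 32, "fourth"]) or "ok")
```

The functions return a list of violations rather than a boolean so that a caller can report every problem with a value at once, which is what the workflow's field validation does when it rejects an entry.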

Enterprise Wireless Network Settings Configured in the Deployment Guide

Table 13. Enterprise Wireless Network Settings Configured in the Deployment Guide
Feature                                           Settings
Wireless Network Name (SSID)                      lab3employee
Broadcast SSID                                    On
Admin Status                                      On
Radio Policy                                      2.4 GHz, 5 GHz, 6 GHz
Primary Traffic Type                              VoIP (platinum)
Configure AAA                                     AAA configured
Level of Security                                 WPA3
AAA Override                                      Enabled
Enable Posture                                    Unchecked
Deny RCM Clients                                  Unchecked
Advanced Security Options - Mac Filtering         Unchecked
Advanced Security Options - Fast Transition       Adaptive
Type of Enterprise Network                        Voice and Data
Fastlane                                          Unchecked
Advanced Settings – FAST TRANSITION (802.11r)     Adaptive, Over the DS Checked
Advanced Settings – Mac Filtering                 Checked
Advanced Settings – Session timeout               Checked, 1800 seconds
Advanced Settings – Client Exclusion              Checked, 180 seconds
Advanced Settings – MFP CLIENT PROTECTION         Optional
Advanced Settings – Protected Management Frame    Disabled
Advanced Settings – 11k Neighbor List             Checked
Advanced Settings – Radius Client Profiling       Unchecked
Advanced Settings – Configure Client Rate Limit   Blank
Advanced Settings – Coverage Hole Detection       Checked
Configure CCKM                                    Unchecked
NAS-ID                                            Blank
Advanced Settings – 11v BSS TRANSITION SUPPORT    BSS Max Idle Service – Checked
                                                  Client Idle User Timeout – Checked, 300 seconds
                                                  Directed Multicast Service – Checked

Define Site Override Support

WLAN profiles created with different AAA settings can be assigned at different site levels. Site-level overrides will push a new WLAN profile to the wireless controller. You can override the global SSID with the settings based on area, buildings, and floor levels. Perform the following procedure to configure the overrides.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 2

Click SSIDs.

Step 3

Expand the sites, and then click the desired site in the left pane.

Step 4

Choose lab3employee SSID, and then click Edit.

Figure 18. SSID Site Override Settings
The existing SSIDs for enterprise and guest wireless networks.

Step 5

Click Next and configure the override settings for the selected site.

Figure 19. Override Settings for a Site
The basic settings required to set up the SSID, including wireless network name, WLAN profile name, policy profile name, radio policy, and quality of service.

Step 6

Click Save on the last page to assign the profile to the site.

The next time the wireless controller is provisioned, the configuration will be pushed to the wireless controller managing that site.

Note

 

We recommend updating the WLAN Profile Name when making any site-level overrides for the SSID. If the same WLAN profile name is already configured in the wireless controller that manages the selected sites, a provisioning failure occurs.

Only L2 Security, AAA Configuration, NAS-ID, Mac Filtering, AP Impersonation, Radius Client Profiling, CCKM, MPSK, Protected Management Frame (802.11w), AAA Override, and WLAN Profile Name can be overridden at the site levels. To edit other parameters, navigate to the global level.

When network profile override and site-level override are configured, site-level override takes precedence for a given site.

As a best practice, assign network profiles and managed AP locations at a higher level in the site hierarchy so that when newer buildings are added to an existing site, the wireless controller settings are inherited automatically.
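The rules in this section are easy to get wrong when several buildings carry overrides: a floor inherits the overrides of its area and building, a site-level override takes precedence over a network profile override, only the listed fields may be overridden below Global, and an override that keeps a WLAN profile name already present on the controller fails provisioning (Table 14 later adds that Catalyst Center creates one WLAN profile per overridden set of AAA servers). The following Python is an added example written for this guide, not Catalyst Center code, that models those rules. The site names follow the Milpitas hierarchy used in the guide; the field names, the RADIUS server addresses (198.51.100.0/24 documentation range), the Building 24 profile name and the set of profiles assumed to exist on the controller are constructed.

```python
"""Model of SSID setting inheritance and site-level overrides.

Added example written for this guide, not Catalyst Center code. The site
hierarchy follows the guide (Global > Milpitas > Building 23/24 > Floor 1-3);
the field names, server addresses (198.51.100.0/24 documentation range) and
the Building 24 profile name are constructed.
"""
from __future__ import annotations

# Fields the guide lists as overridable at a site level; everything else
# has to be edited at the global level.
SITE_OVERRIDABLE = {
    "l2_security", "aaa_servers", "nas_id", "mac_filtering", "ap_impersonation",
    "radius_client_profiling", "cckm", "mpsk", "pmf", "aaa_override",
    "wlan_profile_name",
}


def resolve_settings(global_settings, overrides, path, profile_override=None):
    """Return the effective SSID settings for the site at the end of `path`.

    `path` is a tuple such as ("Global", "Milpitas", "Building 24", "Floor 2");
    `overrides` maps a site path tuple to the fields overridden there. A floor
    inherits every override on its ancestors, the nearest one winning. A
    network-profile override is applied before the site-level overrides, so a
    site-level override takes precedence, as the guide states.
    """
    effective = dict(global_settings)
    if profile_override:
        effective.update(profile_override)
    for depth in range(2, len(path) + 1):  # skip the Global node itself
        level = tuple(path[:depth])
        for field, value in overrides.get(level, {}).items():
            if field not in SITE_OVERRIDABLE:
                raise ValueError(
                    f"{field!r} cannot be overridden at {'/'.join(level)}; edit it at Global")
            effective[field] = value
    return effective


def plan_wlan_profiles(global_settings, overrides, floors, controller_profiles):
    """Group floors by the WLAN profile their effective settings resolve to.

    Each distinct set of overridden AAA servers needs its own WLAN profile
    (Catalyst Center creates one per overridden AAA set). Returns (profiles,
    issues): an issue is either two AAA sets resolving to one profile name
    (the override was not renamed) or a name that already exists on the
    controller for another WLAN, which the guide says makes provisioning fail.
    """
    profiles: dict[str, dict] = {}
    issues: list[str] = []
    for floor in floors:
        eff = resolve_settings(global_settings, overrides, floor)
        name = eff["wlan_profile_name"]
        aaa = tuple(eff["aaa_servers"])
        entry = profiles.setdefault(name, {"aaa_servers": aaa, "floors": []})
        if entry["aaa_servers"] != aaa:
            issues.append(f"{name}: different AAA sets resolve to one profile name; rename the override")
        entry["floors"].append("/".join(floor))
    for name in sorted(set(profiles) & set(controller_profiles)):
        issues.append(f"{name}: already configured on the controller; provisioning would fail")
    return profiles, list(dict.fromkeys(issues))  # deduplicate, keep order


# Constructed sample: Building 24 authenticates against a second ISE PSN.
GLOBAL_SETTINGS = {
    "l2_security": "WPA3-Enterprise",
    "aaa_servers": ["198.51.100.10"],
    "wlan_profile_name": "lab3employee_Profile",
    "radio_policy": "2.4 GHz, 5 GHz, 6 GHz",
}
OVERRIDES = {
    ("Global", "Milpitas", "Building 24"): {
        "aaa_servers": ["198.51.100.20"],
        "wlan_profile_name": "lab3employee_B24_Profile",
    },
}
FLOORS = [("Global", "Milpitas", building, floor)
          for building in ("Building 23", "Building 24")
          for floor in ("Floor 1", "Floor 2", "Floor 3")]

if __name__ == "__main__":
    profiles, issues = plan_wlan_profiles(GLOBAL_SETTINGS, OVERRIDES, FLOORS, {"lab3guest_Profile"})
    for name, entry in profiles.items():
        print(f"{name}: AAA {entry['aaa_servers']} on {len(entry['floors'])} floors")
    print("issues:", issues or "none")
```

Running the sample resolves the six Milpitas floors into two WLAN profiles, one per AAA set, with no issues; dropping the renamed profile from the Building 24 override, or passing a controller that already carries lab3employee_B24_Profile for another WLAN, produces exactly the failure conditions the note above warns about.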


Configure Guest Wireless SSID

Guest wireless networks must be defined at the global level of the site hierarchy. Once defined, you can apply guest wireless networks to wireless profiles. You can then assign wireless profiles to one or more sites within the hierarchy.

For this deployment guide, a single guest wireless network (SSID) named lab3guest is provisioned.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 2

Click SSIDs.

Step 3

Hover your cursor over + Add and choose Guest.

The Basic Settings window is displayed.

Figure 20. Basic Settings Window to Create a Guest Wireless SSID
The Basic Settings window shows the information needed to complete the basic setup for an SSID: name, wireless options, state, and network.

For information about the features that can be configured for guest wireless networks via Catalyst Center, see Guest Wireless Network Features Configurable via Catalyst Center.

Step 4

Enter the information for the Basic Settings and click Next.

For information about the settings for the guest wireless network configured for this deployment guide, see Guest Wireless Network Settings Configured in the Deployment Guide.

Step 5

Enter the Security Settings.

The following settings were used for this deployment guide:

  • L2 SECURITY: Open

  • L3 SECURITY: Web Policy

Step 6

Click Next.

Step 7

Enter the Advanced Settings.

For this deployment guide, the default settings are used.

Step 8

Click Next.

The Associate Model Config to SSID page is displayed. For the SSID in this deployment guide, there is no model config.

Step 9

Click Next.

Step 10

In the Associate SSID to Profile page, click the corporate wireless profile.

Figure 21. Edit a Wireless Profile
The available profile settings can be changed: WLAN profile name, fabric option, interface, and anchor.

Step 11

Under Fabric, choose No.

Choosing No causes additional fields to be displayed.

This deployment guide only discusses non-SDA wireless deployments using Catalyst Center.

Step 12

From the Interface Name drop-down menu, choose guest-dmz.

This will terminate guest traffic on the guest-dmz VLAN (VLAN 125).

Step 13

Select Yes for Do you need a Guest Anchor for this Guest SSID?

This will configure a traditional autoanchor relationship between the enterprise (foreign) and the guest (anchor) wireless controller. Typically, the guest (anchor) wireless controller is located within an Internet Edge DMZ segment of the campus network. If you choose Yes, from the Select Anchor Group drop-down list, choose an anchor group for the SSID.

To create an anchor group, do the following:

  1. From the top-left corner, click the menu icon and choose Design > Network Settings.

  2. Click the Wireless tab.

  3. From the left hierarchy tree, choose Global.

  4. Click Anchor Groups.

    The Anchor Groups window opens.

  5. In the Anchor Group table, click Add.

  6. In the Anchor Group Name field of the Anchor Group slide-in pane, enter the anchor group name.

  7. To add a managed wireless controller as an anchor, click Add Managed WLC and do the following in the Add Managed WLC dialog box:

    1. Check the check box next to the name of the devices that you want to add as anchors.

      To search for a device, in the Search Table search field, enter either the partial name or the full name of the device and press Enter.

    2. Click Add.

  8. (Optional) To add an external wireless controller as an anchor, click Add External WLC and do the following in the Add External WLC dialog box:

    1. In the Device Name field, enter the device name.

    2. From the Device Series drop-down list, choose a device series.

    3. In the Peer IP Address field, enter the peer IP address.

    4. (Optional) In the NAT IP Address field, enter the Network Address Translation (NAT) IP address.

    5. In the MAC Address field, enter the MAC address of the device.

    6. In the Mobility Group Name field, enter the mobility group name.

    7. (Optional) In the Hash field, enter the hash for the Cisco Catalyst 9800 Series Wireless Controller.

      Note

       

      This field is available for only the Cisco Catalyst 9800-CL Wireless Controllers.

    8. Click Add.

  9. (Optional) To add an existing external wireless controller as an anchor, click Add Existing External WLC and do the following in the Add Existing External WLC dialog box:

    1. Check the check box next to the name of the devices that you want to add as anchors.

      To search for a device, in the Search Table search field, enter either the partial name or the full name of the device and press Enter.

    2. Click Add.

  10. (Optional) To set the priority for an anchor, from the Priority Order drop-down list, choose the priority for the anchor wireless controller.

  11. Click Save.

    For more information, see the "Create an Anchor Group" topic in the Cisco Catalyst Center User Guide.

Step 14

Click Save.

Step 15

To attach the guest network to an existing network profile, do the following:

  1. Click the available profile in the profile pane.

  2. Click Associate Profile.

Step 16

Click Next.

The Portal Customization page is displayed.

Figure 22. Create a Guest Wireless Network Portal Customization
No self registration portal is available, and the Create Portal button is displayed.

Step 17

To add a new guest portal within Cisco ISE, click Create Portal.

The Portal Builder page is displayed.

You have the option to leave without portal creation.

Figure 23. Portal Builder Screen
The Portal Builder contains fields to enter your username and password.

Step 18

Enter the necessary information. You must at least name the guest portal.

For this deployment guide, the portal has been named Lab3_Guest_Portal. The drop-down menu in the top center of the Portal Builder allows you to customize the Login Page, Registration Page, Registration Success, and Success Page of the portal. You can customize the color scheme, fonts, page content, logo, and background for the web portal. You can also preview the portal to see what it will look like on a smart phone, tablet, and computer.

Step 19

Click Save to create the new guest portal on the Cisco ISE server and return to the guest wireless network workflow.

The new guest portal is now displayed.

Step 20

Click Next.

The Summary page of Guest SSID Configuration is displayed.

Step 21

Click Save.

The guest wireless SSID (lab3guest) is displayed in the Wireless Network Settings dashboard.

Step 22

Click Sites on the network profile summary page to bring up a panel displaying the site hierarchy.

Step 23

Under Global, click > to display the Milpitas area.

Step 24

Select the Milpitas area.

The child site locations, Building 23 - Floor 1, Floor 2, and Floor 3 and Building 24 - Floor 1, Floor 2, and Floor 3, are automatically selected.

Note

 

It is best practice to only select floors in a wireless network profile assignment. Selecting floors helps you to make changes, like removing a floor from network hierarchy or applying a different wireless network profile for a particular set of floors without significant disruption. If you have different SSIDs on different floors or enable 6E with a different profile per floor, different network profiles might be necessary. If you create different sets of SSIDs on the same floor, you will have to split the floor into multiple, different network profiles.

Step 25

Click OK to close the site hierarchy side panel.

Step 26

Click + Add under Attach Template(s) to add the CLI-based templates to the enterprise wireless network configuration.

You must define all the templates within the Template Editor dashboard of Catalyst Center. This design and deployment guide will not discuss the addition of templates because the guide does not require knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. Wireless features not supported by the web-based graphical user interface of Catalyst Center may be added through templates.

Step 27

Click Save in the Edit a Wireless Profile side panel to save the edits to the corporate wireless profile.

The lab3guest SSID is added to the corporate wireless profile. This ensures that when wireless controllers and APs are assigned to the Milpitas area, the APs will broadcast the lab3guest SSID.

Step 28

Click Save to add the lab3guest guest wireless network to the corporate wireless profile.

Figure 24. Wireless Network Settings Dashboard with Enterprise and Guest SSIDs
The SSIDs for enterprise and guest wireless networks are shown, with the options to edit the SSIDs or add a new SSID.

For information about provisioning ISE Settings from Catalyst Center, see Provision Cisco ISE Settings from Catalyst Center.


Guest Wireless Network Features Configurable via Catalyst Center

Table 14. Guest Wireless Network Features Configurable via Catalyst Center
Feature Type Description

Wireless Network Name (SSID)

Text Field

The SSID for the WLAN.

WLAN Profile Name

Text Field

By default, Catalyst Center derives the WLAN profile name from the SSID name as SSID_Profile. You can change the WLAN profile name as per your requirements.

Policy Profile Name

Non Editable

Policy Profile Name is the same as the WLAN Profile Name and is not editable.

Based on the WLAN profile name, Catalyst Center automatically generates the policy profile name for the Cisco Catalyst 9800 Series Wireless Controller.

WIRELESS OPTION

Radio Button

Determines in which RF bands the SSID will be broadcast. The following choices are available:

  • Multiband operation (2.4 GHz, 5 GHz, and 6 GHz)

  • Multiband operation with band select. Band selection enables client radios that are capable of operating in both the 2.4 GHz and 5 GHz band to move to the typically less congested 5 GHz band by delaying probe responses on the 2.4 GHz channels.

  • 5 GHz only.

  • 2.4 GHz only.

  • 6 GHz only.

Primary Traffic Type

Drop Box

For Catalyst 9800 Series Wireless Controllers, this setting applies a precious metals QoS SSID policy in both the upstream and downstream direction for the WLAN/SSID. Precious metals policies control the maximum DSCP marking within the CAPWAP header, as traffic is tunneled between the AP and the Cisco Wireless Controller in centralized (local mode) designs.

For Cisco AireOS Wireless Controllers, this setting applies the Platinum QoS profile to the WLAN/SSID. Application Visibility is enabled on the WLAN/SSID, but no AVC profile is applied. The Fastlane EDCA profile is set for both the 802.11a/n/ac (5 GHz) and the 802.11b/g/n (2.4 GHz) radios.

  • VoIP (Platinum): QoS on the wireless network is optimized for wireless voice and data traffic.

  • Video (Gold): QoS on the wireless network is optimized for video traffic.

  • Best Effort (Silver): QoS on the wireless network is optimized for wireless data traffic only.

  • Nonreal Time (Bronze): QoS on the wireless network is optimized for low-bandwidth usage.

Broadcast SSID

On/Off Toggle

Determines whether the SSID will be broadcast in wireless beacons and probe responses. The default setting is on.

SSID STATE

On/Off Toggle

Use this toggle button to turn on or turn off the radios on the APs. When the Admin Status is disabled, the APs remain associated with the wireless controller and are accessible, but the APs still require licenses.

LEVEL OF SECURITY

L2 Security

Radio Button

Determines the Layer 2 (L2) security settings for the WLAN. Choose the encryption and authentication type for the network. The sites, buildings, and floors inherit settings from the global hierarchy. You can override the level of security at the site, building, or floor level.

The following choices are available:

  • Enterprise: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes.

    Note

     

    Wi-Fi Protected Access 2 (WPA2) uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP).

    WPA3 is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides higher-grade security protocols for sensitive data networks.

    For multiband operation using only 2.4 GHz and 5 GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4 GHz, 5 GHz, and 6 GHz bands, you must enable WPA3 and disable WPA2 for the 6 GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

  • Personal: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes. By default, the WPA2 check box is enabled. If you choose Personal, enter the passphrase key in the Passphrase field. This key is used as the pairwise master key (PMK) between the clients and authentication server.

    Note

     

    WPA3-Personal brings better protection to individual users by providing more robust password-based authentication, making the brute-force dictionary attack much more difficult and time-consuming.

    For WPA2-Personal, you can override a preshared key (PSK) at the site, building, or floor level. If you override a PSK at the building level, the subsequent floors inherit the new settings. For information, see Preshared Key Override.

    For multiband operation using only 2.4 GHz and 5 GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4 GHz, 5 GHz, and 6 GHz bands, you must enable WPA3 and disable WPA2 for the 6 GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

    (Optional) For WPA2-Personal, do the following to configure multi-preshared key (MPSK) support:

    1. Click Configure MPSK.

    2. In the Configure MPSK dialog box, click Add to add an MPSK. You can add up to five MPSKs.

    3. From the Priority drop-down list, choose a priority.

      Note

       

      If the priority 0 key is not configured in central web authentication (CWA) flex mode, the client connection to the WLAN may fail.

      From the Passphrase Type drop-down list, choose a passphrase type.

    4. In the Passphrase field, enter a passphrase.

    5. Click Save.

    MPSK is not supported on Cisco AireOS Wireless Controllers. MPSK applies to the Layer 2 security configuration for WPA2-Personal.

  • Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to redirect the clients to an open-secured SSID. The open-secured policy provides the least security.

    Note

     

    Fast Transition is not applicable for open-secured SSID.

  • Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.

LEVEL OF SECURITY

L3 security

Radio Button

Determines the Layer 3 security settings for the WLAN. The following options are available:

  • Web Auth: Specifies Web Authentication, where guest devices are redirected to a web portal for authentication. This is the default setting.

  • Open: Specifies an open SSID with no authentication.

AUTHENTICATION SERVER

Drop Box

This selection is only available if Web Auth is selected within LEVEL OF SECURITY. Determines the web portal and authentication server for Web Auth.

  • Central Web Authentication: This setting configures Central Web Authentication (CWA), where the Cisco ISE server defined under System Settings > Settings > Authentication and Policy Servers is both the web portal and the authentication server. This is the default setting.

  • Web Authentication Internal: Web authentication or Web Auth is a Layer 3 security method that allows a client to pass Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) traffic only until the client has passed some form of authentication. For web authentication internal, the client is redirected to a page that is constructed by the Cisco Wireless Controller.

  • Web Authentication External: The client is redirected to the specified URL. Enter a redirect URL in the Web Auth URL field.

  • Web Passthrough Internal: Web passthrough is a solution that is used for guest access and requires no authentication credentials. In web passthrough authentication, wireless users are redirected to the usage policy page when they use the internet for the first time. After accepting the policy, the clients are allowed to use the internet.

  • Web Passthrough External: The client is redirected to the specified URL. Enter a redirect URL in the Web Auth URL field.

  • Open: There is no Layer 3 security, and any device can connect to the SSID.

AUTHENTICATION SERVER > ISE Authentication > What kind of portal are you creating today?

Drop-down Menu

The selection is only available if ISE Authentication is chosen. Determines the type of guest portal that will be created within the Cisco ISE server. The following options are available:

  • Self Registered: With this type of portal, guests onboard themselves to the network. This is the default setting.

  • Hotspot: This configures an 802.11u hotspot portal.

AUTHENTICATION SERVER > ISE Authentication > Where will your guests redirect after successful authentication?

Drop-down Menu

This selection is only available if ISE Authentication is selected. Determines what web page is displayed after guests have successfully authenticated to the network. The following options are available:

  • Success Page: A dedicated page you create that indicates authentication was successful. From there, the guest would need to retype the original URL that they were attempting to reach.

  • Original URL: Once authentication is successful, the guest is automatically redirected to the original URL that they were attempting to reach. This is the default setting.

  • Custom URL: Once authentication is successful, the guest is automatically redirected to a URL of your choice.

AUTHENTICATION SERVER > External Authentication > Web Auth URL?

Text Field

This selection is only available if External Authentication is selected. Specifies the URL of the Web Auth server. The guest will be redirected to this URL to be authenticated to the network.

Configure AAA

Link

Click Configure AAA to add and configure the AAA servers for the enterprise wireless network SSID. Choose the authentication, authorization, and accounting servers from the drop-down lists.

Click + to add a server.

Note

 

You can configure a maximum of six AAA servers for an SSID of enterprise wireless network for the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches.

From the Additional Server drop-down list, choose the server IP address.

To use the AAA server for accounting, check the Copy Same Servers for Accounting check box.

To configure a different accounting server for an SSID, do the following:

  1. From the Configure Accounting Server drop-down list, you can either search for a server IP address by entering the name in the Search field or choose the accounting server IP address.

  2. Click + to add a server.

    Note

     

    You can configure a maximum of six accounting servers for an SSID of enterprise wireless network for the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches.

  3. From the Additional Server drop-down list, choose the server IP address.

Catalyst Center allows you to override the set of AAA server configurations for the SSID at the site level. For each set of overridden AAA settings per SSID, Catalyst Center creates a new WLAN profile with the corresponding AAA servers mapped to it. If an SSID is overridden for different floors, and you make changes in the AAA servers, Catalyst Center creates the new WLAN profiles equal to the number of floors.

You must reprovision the device to override the AAA servers at the site level.

Mac Filtering

Check Box

Check this check box to enable MAC-based access control or security in the wireless network.

Note

 

When MAC filtering is enabled, only the MAC addresses that you add to the wireless LAN are allowed to join the network.

AAA Override

Check Box

Check this check box to enable the AAA override functionality.

By default, this check box is dimmed. You must configure an AAA server using the Configure AAA option to use this check box.

Timeout Settings for Sleeping Clients

Select radio button

If you chose Web Authentication Internal, Web Authentication External, Web Passthrough Internal, or Web Passthrough External as the authentication server, choose one of the following options under Timeout Settings for Sleeping Clients:

  • Always authenticate: Enables authentication for sleeping clients.

  • Authenticate after: Enter the duration for which sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is from 10 minutes through 43,200 minutes, and the default duration is 720 minutes.

Note

 

Clients with guest access and web authentication are allowed to sleep and wake up without having to go through another authentication process through the login page. You can configure the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is from 10 minutes through 43,200 minutes, and the default is 720 minutes. You can configure the duration on a WLAN and on a user group policy that is mapped to the WLAN. The sleeping timer becomes effective after the idle timeout. If the client timeout is less than the time configured on the sleeping timer of the WLAN, the lifetime of the client is used as the sleeping time.

Deny RCM Clients

Check Box

Check this check box to deny clients with randomized MAC addresses.

Pre-Auth ACL List Name

Drop Box

Choose the ACL list name that you already created to map with the SSID.

Fastlane

Check Box

This box can only be checked when the Type of Enterprise Network has been chosen as Voice and Data.

For Catalyst 9800 Series Wireless Controllers, the Fastlane check box enables Auto QoS in Fastlane mode. Auto QoS in Fastlane mode configures the Fastlane EDCA profile for both the 5 GHz and 2.4 GHz bands. However, no precious metals QoS SSID policy is applied to the WLAN/SSID when the Fastlane check box is selected.

For Cisco AireOS Wireless Controllers, this setting enables the Fastlane macro for the WLAN/SSID. The Fastlane macro applies the Platinum QoS profile to the WLAN/SSID. Application Visibility is enabled on the WLAN/SSID with the AVC profile named AUTOQOS-AVC-PROFILE. The QoS Map is modified to trust DSCP in the upstream direction. In the downstream direction, Cisco best practices are implemented when mapping DSCP-to-UP values.

Advanced Settings – Session timeout

Check Box and Integer Field

Configures the maximum time for a client session to remain active before requiring reauthorization. The range is between 300 and 86,400 seconds (5 minutes and 24 hours). The default is enabled with a time of 1800 seconds (30 minutes).

Advanced Settings – Client Exclusion

Check Box and Integer Field

Configures the amount of time a wireless client is excluded from attempting to authenticate after the maximum number of authentication failures has been exceeded. The default is enabled with a time of 180 seconds (3 minutes).

Advanced Settings – MFP CLIENT PROTECTION

Radio Button

Additional security setting that controls the use of 802.11w Protected Management Frames for the WLAN. The following options are available:

  • Optional: This setting allows wireless stations to use the 802.11w Protected Management Frames that they support and allows other wireless stations that do not support PMFs to coexist on the WLAN. This is the default setting.

  • Required: The wireless client is required to use Protected Management Frames on the WLAN.

  • Disabled: Protected Management Frames are disabled on the WLAN.

Advanced Settings – 11k Neighbor List

Check Box

Controls the use of 802.11k Assisted Roaming neighbor lists for the WLAN, which can limit the need for passive and active scanning by the wireless client. The default setting is enabled for the band (5 GHz or 2.4 GHz) with which the client is associated.

Advanced Settings – 11v BSS TRANSITION SUPPORT

Multiple Check Boxes and Integer Field

Additional settings for support of 802.11v Wireless Network Management (WNM) for the WLAN. The following settings are available:

  • BSS Max Idle Service: Check box that enables the maximum idle service for the WLAN. Allows APs to send the timeout value to the wireless client within association and reassociation response frames. The default setting is enabled.

  • Client User Idle Timeout: Check box with bounded integer field that specifies the maximum amount of time an AP keeps a wireless client associated without receiving any frames from the client for the WLAN. This allows the client to sleep longer and conserve battery usage for mobile devices. The default setting is enabled with a time of 300 seconds.

  • Directed Multicast Service: Check box that allows the client to request that multicast streams be sent as unicast streams to the client from the AP. By default, this setting is enabled.

NAS-ID

Drop-down List

From the NAS-ID Opt drop-down list, choose the required type of network access server identifier (NAS ID).

To specify a custom script for the NAS ID, choose Custom Option from the NAS-ID Opt drop-down list and enter the custom script in the corresponding Custom Script for Opt field. You can enter up to 31 alphanumeric characters, special characters, and spaces for the custom script. Catalyst Center does not support the special characters ?, ", < , and trailing spaces for the custom script.

Note

 

Catalyst Center supports NAS ID with custom script only for Cisco Catalyst 9800 Series Wireless Controllers that run Cisco IOS XE Release 17.7 or later.

(Optional) Click + to add another NAS ID. You can add up to three NAS IDs.

Catalyst Center applies only one NAS ID for Cisco AireOS Wireless Controllers. You can overwrite the NAS ID at the site level from Design > Network Settings > Wireless.
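The NAS-ID rules above (at most 31 characters, no ?, ", or < characters, no trailing spaces, at most three NAS IDs) are worth checking before a value is pushed toward the controller and the RADIUS server, because a rejected NAS-ID surfaces only as a provisioning failure later. The following validator is an added example written for this guide; it is not Catalyst Center code, and the function names and the constructed sample inputs are assumptions.

```python
"""Check NAS-ID custom scripts against the limits stated for Catalyst Center.

Added example for this guide, not Catalyst Center code. The constants below
restate the documented limits; the function names are assumptions.
"""
from __future__ import annotations

MAX_NAS_ID_LEN = 31          # up to 31 characters per custom script
MAX_NAS_IDS = 3              # up to three NAS IDs per SSID
FORBIDDEN_CHARS = frozenset('?"<')   # characters the custom script may not contain


def nas_id_custom_script_errors(script: str) -> list[str]:
    """Return a list of rule violations for one custom script (empty list = valid)."""
    errors: list[str] = []
    if not script:
        errors.append("custom script is empty")
    if len(script) > MAX_NAS_ID_LEN:
        errors.append(f"length {len(script)} exceeds {MAX_NAS_ID_LEN} characters")
    bad = sorted(FORBIDDEN_CHARS & set(script))
    if bad:
        errors.append("unsupported characters: " + ", ".join(repr(c) for c in bad))
    # Only trailing spaces are disallowed; embedded spaces are fine.
    if script != script.rstrip(" "):
        errors.append("trailing spaces are not supported")
    return errors


def validate_nas_id_list(scripts: list[str]) -> dict:
    """Validate every NAS ID on an SSID. Keys are list indexes (or "_list" for
    a list-level problem); values are the error messages for that entry."""
    errors: dict = {}
    if len(scripts) > MAX_NAS_IDS:
        errors["_list"] = [f"{len(scripts)} NAS IDs configured; at most {MAX_NAS_IDS} are allowed"]
    for index, script in enumerate(scripts):
        entry_errors = nas_id_custom_script_errors(script)
        if entry_errors:
            errors[index] = entry_errors
    return errors


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for candidate in ["branch5-ap", "branch5 ", 'site<5>?', "a" * 32]:
        print(repr(candidate), "->", nas_id_custom_script_errors(candidate) or "ok")
```

Run the checks on each NAS ID before saving the SSID; the per-index dictionary makes it easy to point at the exact entry that violates a rule.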

Advanced Settings – Coverage Hole Detection

Toggle button

Use the Coverage Hole Detection toggle button to enable or disable the coverage hole detection functionality.

Advanced Settings – Client Rate Limit

Integer Field

To configure the Client Rate Limit, enter a value for the client rate limit in bits per second. The valid range is from 8000 through 100,000,000,000. The value must be a multiple of 500.

Note

 

This configuration is not applicable for Cisco AireOS Wireless Controllers. To configure client rate limit for Cisco AireOS Wireless Controllers, click the menu icon and choose Tools > Model Config Editor > Wireless > Advanced SSID Configuration. For more information, see Create a Model Config Design for Advanced SSID.

The following are the valid ranges for a client rate limit on Cisco IOS XE devices:

  • The valid range for the Cisco Catalyst 9800-L Wireless Controller, the Cisco Catalyst 9800-40 Wireless Controller, and the Cisco Catalyst 9800-80 Wireless Controller is from 8000 through 67,000,000,000 bits per second.

  • The valid range for the Cisco Catalyst 9800-CL Wireless Controller is from 8000 through 10,000,000,000 bits per second.

  • The valid range for the Cisco Embedded Wireless Controller on Catalyst Access Points is from 8000 through 2,000,000,000 bits per second.

  • The valid range for the Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches is from 8000 through 100,000,000,000 bits per second.
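The general field limit (8000 through 100,000,000,000 bits per second, in multiples of 500) is wider than what several controller platforms accept, so a value that the GUI accepts can still be outside the range of the controller that manages the site. The following checker encodes the platform-specific ranges listed above; it is an added example for this guide, not Catalyst Center code, and the platform key names (C9800-L, C9800-40, C9800-80, C9800-CL, EWC-AP, C9800-SW, AireOS) are labels chosen here, not identifiers from the product.

```python
"""Validate a client rate limit against the platform ranges documented above.

Added example for this guide, not Catalyst Center code. Platform keys are
labels chosen here; the numeric limits are the ones stated in the guide.
"""
from __future__ import annotations

RATE_LIMIT_STEP = 500        # value must be a multiple of 500
RATE_LIMIT_MIN = 8_000       # lower bound on every IOS XE platform

# Upper bound in bits per second per platform (labels are assumptions).
PLATFORM_MAX_BPS = {
    "C9800-L": 67_000_000_000,
    "C9800-40": 67_000_000_000,
    "C9800-80": 67_000_000_000,
    "C9800-CL": 10_000_000_000,
    "EWC-AP": 2_000_000_000,        # Embedded Wireless Controller on Catalyst APs
    "C9800-SW": 100_000_000_000,    # C9800 embedded on Catalyst 9000 switches
}


class RateLimitError(ValueError):
    """Raised when a client rate limit cannot be applied to the platform."""


def validate_client_rate_limit(platform: str, bps: int) -> int:
    """Return bps unchanged if it is valid for the platform, else raise."""
    if platform == "AireOS":
        # The SSID-level field does not apply; AireOS uses the model config editor.
        raise RateLimitError("client rate limit on AireOS is set via Model Config Editor")
    try:
        max_bps = PLATFORM_MAX_BPS[platform]
    except KeyError:
        raise RateLimitError(f"unknown platform {platform!r}") from None
    if isinstance(bps, bool) or not isinstance(bps, int):
        raise RateLimitError("rate limit must be an integer number of bits per second")
    if bps % RATE_LIMIT_STEP:
        raise RateLimitError(f"{bps} is not a multiple of {RATE_LIMIT_STEP}")
    if not RATE_LIMIT_MIN <= bps <= max_bps:
        raise RateLimitError(f"{bps} outside {RATE_LIMIT_MIN}..{max_bps} for {platform}")
    return bps


def is_valid_client_rate_limit(platform: str, bps: int) -> bool:
    """Boolean wrapper for callers that only need pass/fail."""
    try:
        validate_client_rate_limit(platform, bps)
    except RateLimitError:
        return False
    return True


def nearest_valid_rate_limit(platform: str, bps: int) -> int:
    """Clamp a requested value into the platform range and round down to the
    500 bps grid, giving the closest value that will actually provision."""
    max_bps = PLATFORM_MAX_BPS[platform]
    clamped = max(RATE_LIMIT_MIN, min(bps, max_bps))
    return clamped - clamped % RATE_LIMIT_STEP


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real deployment.
    for plat, value in [("C9800-CL", 10_000_000_500), ("EWC-AP", 5_000_000_000), ("C9800-L", 12_345)]:
        print(plat, value, "valid" if is_valid_client_rate_limit(plat, value) else "invalid",
              "nearest", nearest_valid_rate_limit(plat, value))
```

The boolean wrapper is what a pre-provisioning check would call; the exception carries the specific reason for an operator.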

Advanced Settings – Radius Client Profiling

Toggle button

For Radius Client Profiling, use this toggle button to enable or disable RADIUS profiling on a WLAN.

Note

 

At least one AAA or PSN server is required to enable this feature.

Advanced Settings – CCKM

Toggle button

Configure CCKM: Use this toggle button to enable CCKM as the authentication key management option in Catalyst Center.

Timestamp Tolerance: This field is visible only if you enable CCKM. Enter the CCKM tolerance level. The CCKM tolerance level is not applicable for the Cisco AireOS Wireless Controller platform.

Note

 

You can configure CCKM only if the SSID has Layer 2 security set to Enterprise with WPA2 or WPA2+WPA3.

Advanced Settings – Protected Management Frame (802.11w)

Radio Button

The options available under Protected Management Frame (802.11w) vary based on the settings that you chose under Level of Security. The following options may be available:

  • Optional

  • Required

  • Disabled

Guest Wireless Network Settings Configured in the Deployment Guide

Table 15. Guest Wireless Network Settings Configured in the Deployment Guide
Feature Settings

Wireless Network Name (SSID)

lab3guest5

Broadcast SSID

On

Admin Status

On

Radio Policy

2.4 GHz, 5 GHz, 6 GHz

Primary Traffic Type

Best Effort (Silver)

LEVEL OF SECURITY

Web Auth

AUTHENTICATION SERVER

ISE Authentication

AUTHENTICATION SERVER > ISE Authentication > What kind of portal are you creating today?

Self Registered

AUTHENTICATION SERVER > ISE Authentication > Where will your guests redirect after successful authentication?

Original URL

Configure AAA

AAA configured

AAA Override

Enabled

Mac Filtering

Checked

Fastlane

Unchecked

Deny RCM Clients

Unchecked

Pre Auth ACL

Select configured Pre auth ACL

Advanced Settings – FAST TRANSITION (802.11r)

Disabled

Advanced Settings – MFP CLIENT PROTECTION

Optional

Advanced Settings – Protected Management Frame

Disabled

Advanced Settings – Session timeout

Checked, 1800 seconds

Advanced Settings – Client Exclusion

Checked, 180 seconds

Advanced Settings – 11k Neighbor List

Checked

Advanced Settings – Radius Client Profiling

Unchecked

Advanced Settings – Configure Client Rate Limit

Blank

Advanced Settings – Coverage Hole Detection

Checked

Configure CCKM

Unchecked

NAS-ID

Blank

Advanced Settings – 11v BSS TRANSITION SUPPORT

BSS Max Idle Service – Checked

Client User Idle Timeout – Checked, 300 seconds

Directed Multicast Service – Checked

Provision Cisco ISE Settings from Catalyst Center

When a guest SSID profile is assigned to a site, Catalyst Center will push the required authentication, authorization, and guest portal configurations to Cisco ISE according to the settings in the guest SSID profile.

Procedure

Step 1

Choose Lab3_Guest_Portal to verify the portal details.

Figure 25. Guest Portal in Cisco ISE
The Guest Portals page shows the three predefined portal types.

Cisco ISE displays a new guest portal named Lab3_Guest_Portal.

Step 2

Click the 1 rules link to check the authorization policy created by Catalyst Center.

Figure 26. Guest Portal Redirect Policy
The Rule Name dialog box.
Figure 27. Guest Portal Preview
The Guest Portal Preview shows the available page customizations.

Step 3

From the top-left corner, click the menu icon and choose Policy > Policy sets.

Step 4

Click Default.

Step 5

Go to Authorization Policy to verify the authorization policy pushed by Catalyst Center.

Figure 28. Guest SSID Authorization Policy
The list of available authorization policies.

Remote Office Wireless Deployment Settings

This section provides an overview of a remote office wireless network using APs in FlexConnect mode, which will be provisioned using Catalyst Center.

The site hierarchy consists of the following:

  • A branch area (New York) with a building (Branch 5) and multiple floors (Floor 1, Floor 2, and Floor 3).

  • An SSID for employee traffic (lab3branch5) and an SSID for guest traffic (lab3guest5), both advertised by the APs within the branch.

  • A non-Cisco SDA (legacy) remote office wireless deployment, in which all employee branch wireless traffic is centrally switched.

The guest wireless traffic within the branch is locally switched. Cisco Wireless Controllers will be in N+1 HA mode and must be assigned to sites during the Catalyst Center provisioning process.


Note


For this deployment guide, both Catalyst 9800-40 wireless controllers (C9800-Flex-CVD and C9800-CVD-Nplus1) will be assigned to building Branch 5 within the New York area.


Within Catalyst Center, sites (areas, buildings, or floors) containing APs are assigned as either primary managed AP locations or secondary managed AP locations. There can be only one primary enterprise wireless controller assigned to a site at a given time, meaning that a site can only be assigned as a primary managed AP location for one enterprise wireless controller at a time. For this deployment guide, APs on Floor 1 within Branch 5 will be provisioned to C9800-Flex-CVD through Catalyst Center.

Catalyst Center supports the configuration of AP high availability, in which the AP tries to associate with primary and secondary wireless controllers and form a CAPWAP control connection. If the primary wireless controller is unavailable, the AP will attempt to establish a CAPWAP control connection to the secondary wireless controller. In Catalyst Center, this is accomplished by configuring sites containing APs as secondary managed AP locations.


Note


For this design and deployment guide, wireless controller C9800-Flex-CVD will be provisioned so that Floor 1 of Branch 5 is a primary managed AP location. For the APs within Branch 5, wireless controller C9800-CVD-Nplus1 will serve as the secondary wireless controller in an N+1 wireless controller redundancy configuration.


Recommendations

When configuring the remote office wireless deployment settings, consider the following recommendations:

  • Use PortFast on AP switch ports for APs in FlexConnect mode that support only centrally switched WLANs. To configure the switch port for PortFast, set the port to be connected as a host port, using the switch port host command or the PortFast command. This configuration allows for a faster AP join process. There is no risk of loops because, like local mode APs, these APs never directly bridge traffic between VLANs. You can set the port directly to access mode.

  • For APs in FlexConnect mode, when using locally switched WLANs mapped to different VLANs (the AP switch port is in trunk mode), prune or limit the VLANs present on the port to match the AP-configured VLANs.

Configure Wireless Interface

In Catalyst Center, the enterprise and guest WLANs terminate on the wireless interfaces known as Ethernet VLAN interfaces. The following table shows the wireless interfaces created for this design and deployment guide for the enterprise and guest WLANs.

Table 16. Wireless Interfaces
Name VLAN Usage

branchemployee

100

VLAN for centrally switched employee traffic.

branchguest-dmz

110

VLAN for guest traffic locally switched onto a VLAN on the branch switch.


Note


The native VLAN (AP VLAN) configuration is specific to FlexConnect AP deployments. The FlexConnect locally switched traffic terminates on a specific VLAN, which is configured in the wireless profile for this design and deployment guide. Therefore, the field will be left blank.


The following steps explain how to configure wireless interfaces within Catalyst Center.

Before you begin

To complete this action, you must have SUPER-ADMIN-ROLE or NETWORK-ADMIN-ROLE privileges.

Procedure

Step 1

Log in to the Catalyst Center web console using an IP address or a fully qualified domain name.

Example:
https://<Catalyst_Center_IPaddr_or_FQDN>

Step 2

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

The Wireless Network Settings dashboard is displayed.

Figure 29. Wireless Interface Dashboard
The dashboard displays the available interfaces and VLAN groups, with options to edit, delete, and add.

Step 3

Click Interfaces & VLAN Groups.

Step 4

Click + Add.

Step 5

In the Create a Wireless Interface slide-in pane, enter the Interface Name and VLAN ID for the wireless interface corresponding to the enterprise VLAN (branchemployee).

Figure 30. Create a Wireless Interface Slide-in Pane
The Create a Wireless Interface slide-in pane contains the fields to name the interface and enter the VLAN ID.

Step 6

Click Save.

Repeat the procedure to add the wireless interface for the guest VLAN (branchguest-dmz). When completed, the two new wireless interfaces should appear in the Wireless Network Settings dashboard, as shown in the figure below:

Figure 31. Created Wireless Interfaces
The Wireless Network Settings dashboard shows all created wireless interfaces.

Configure Enterprise Wireless SSID

Enterprise wireless networks are the nonguest WLAN/SSIDs that are available for broadcast across the deployment. You must define them at the global level of the site hierarchy. Once defined, you can apply the enterprise wireless networks to wireless profiles and assign wireless profiles to one or more sites within the hierarchy.

For the design and deployment guide, a single enterprise WLAN SSID named lab3branch5 is provisioned.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 2

Click SSIDs.

Step 3

Hover your cursor over + Add and choose Enterprise.

For information about features that can be configured for enterprise wireless networks via Catalyst Center, see Enterprise Wireless Network Features Configurable via Catalyst Center.

Step 4

Enter the information for the Basic Settings and click Next.

Figure 32. Basic Settings to Create a New Enterprise SSID
The Basic Settings page displays the options to set up an SSID: name, wireless options, state, and network.

Note

 

For information about the settings for the enterprise wireless network configured for this deployment guide, see Enterprise Wireless Network Settings Configured in the Deployment Guide.

Step 5

Enter the information for the Security Settings and click Next.

Figure 33. Security Settings for the Enterprise SSID
The Security Settings page shows the options to configure the security level and authentication, authorization, and accounting for the SSID.

Step 6

Enter the information for the Advanced Settings and click Next.

Figure 34. Advanced Settings for the Enterprise SSID
The advanced settings configurable for the SSID include fast transition, MFP client protection, protected management frame, WPA2 encryption, auth key management, and more.

Step 7

On the Associate Model Config to SSID page, click Next.

Step 8

On the Associate SSID to Profile page, either attach the enterprise wireless network to an existing wireless profile or create a new wireless profile and attach the enterprise wireless network.

To attach the enterprise network to an existing network profile, do the following:

  1. Click the available profile in the profile pane.

  2. Click Associate Profile.

To create a new wireless profile and attach the enterprise network, do the following:

  1. Click + Add Profile.

  2. Enter the Profile Name.

    For this deployment guide, create a wireless profile named branch5.

  3. (Skip this step if SD-Access App is not deployed.) Under Fabric, choose No.

    The Interface field is displayed. This deployment guide only discusses non-SDA wireless deployments using Catalyst Center.

  4. From the Interface drop-down menu, choose branchemployee.

  5. Choose No for Do you need Anchor for this SSID?.

  6. Check the FlexConnect Local Switching check box.

  7. Enter 100 in Local to VLAN.

    For terminating branch employee traffic, you have selected the branchemployee interface on the enterprise wireless controller, but all branch employee traffic will be locally switched onto VLAN 100 of the branch switch.

  8. Click Associate Profile.

Step 9

Click Next.

The Summary page displays SSID basic settings, security, advanced settings, and network profiles.

Step 10

Click Save.

Note

 

Even though Catalyst Center allows multiple network profiles to be associated with a single SSID, avoid associating a single SSID with both flex and nonflex network profiles. Each type of profile requires the APs to be in a different mode, flex and local respectively.

Step 11

From the top-left corner, click the menu icon and choose Design > Network Profiles.

Step 12

In the Network Profiles table, from the Sites column, click Assign Site for your desired profile.

For this deployment guide, click Assign Site for the newly created wireless profile, branch5.

Step 13

In the Add Sites to Profile slide-in pane, expand the Global section and its subsections to display the New York area.

Step 14

Check the New York check box.

All of the child site locations are automatically selected: Building 23 with Floor 1, Floor 2, and Floor 3 and Building 24 with Floor 1, Floor 2, and Floor 3.

Figure 35. Assign Site in Branch Network Profile
The Add Sites to Profile slide-in pane displays the selected New York site with its selected child sites: Branch 5, Floor 1, Floor 2, and Floor 3.

Step 15

Click Save.

Step 16

From the Action column, click Edit for your desired profile.

Step 17

Click Templates.

Step 18

From the Onboarding Template(s) tab or the Day-N Template(s) tab, click Attach Templates to add the CLI-based templates to the enterprise wireless network configuration.

Note

 

You must have defined all the templates within the Template Editor dashboard of Catalyst Center. This design and deployment guide does not discuss the addition of templates, because doing so requires knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. However, you can add wireless features that are not supported by the web-based GUI of Catalyst Center through templates.

The new enterprise wireless network, lab3branch5, is displayed in the Wireless Network Settings dashboard.


Configure FlexConnect Settings

The following procedure describes the steps to configure the FlexConnect settings using Catalyst Center, which is where the native VLAN and the client VLAN can be set.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless > FlexConnect Settings.

Figure 36. FlexConnect Settings Page
The FlexConnect Settings page shows the settings for FlexConnect VLAN and AAA Override VLAN.

Step 2

Configure Native VLAN and AAA override VLAN in the global settings.

Note

 

In global settings, you can override native VLAN and AAA override VLAN at the area, building, and floor levels.


Configure FlexConnect in the Model Config Editor

Model configs are a set of model-based, discoverable, and customizable configuration capabilities, which you can deploy on your network devices with high-level service intent and device-specific CLI templates. The following procedure describes the steps to perform a model config for FlexConnect.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Feature Templates.

Step 2

Click Flex Configuration.

Step 3

Click + Add and enter the design name.

For example, enter branch as the design name.

Step 4

Enable IP Overlap.

Figure 37. Model Config for Flex Configuration
The Add Flex Configuration slide-in pane displays the options to name the design and enable IP overlap.

Step 5

Click Save.


Map FlexConnect Model Config to Network Profiles

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Profiles.

Step 2

Click Edit for the branch5 network profile.

Step 3

Click the Feature Templates tab, and then click Add Feature Template.

Step 4

Choose Wireless Controller as the Device Type.

Step 5

Click Wireless > Flex Configuration, and then select the configured model config.

Step 6

Click Add and save the changes.

Figure 38. Add Model Config to Flex Network Profile
The Add Model Config slide-in pane displays the options to filter by device type, search the model config designs, and add the model config.

Configure Guest Wireless SSID

Guest wireless networks must be defined at the global level of the site hierarchy. Once defined, guest wireless networks are applied to wireless profiles. Wireless profiles are then assigned to one or more sites within the hierarchy. For this deployment guide, a single guest wireless network (SSID) named lab3guest5 is provisioned.

Procedure

Step 1

Log in to the Catalyst Center web console using an IP address or a fully qualified domain name.

Step 2

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless.

Step 3

Click SSIDs.

Step 4

Hover your cursor over + Add and choose Guest.

The Basic Settings window is displayed.

For information about features that can be configured for guest wireless networks via Catalyst Center, see Guest Wireless Network Features Configurable via Catalyst Center.

Figure 39. Basic Settings Window to Create a Guest Wireless SSID
The Basic Settings window includes the options needed to set up an SSID: name, wireless options, state, and network.

Step 5

Enter the Basic Settings information and click Next.

Note

 

For information about the settings for the enterprise wireless network configured for this deployment guide, see Guest Wireless Network Settings Configured in the Deployment Guide.

Step 6

Enter the Security Settings information.

Figure 40. Security Settings for Guest SSID
The Security Settings allow you to configure security level and authentication, authorization, and accounting for an SSID.

Step 7

To configure the AAA server, click Configure AAA.

Figure 41. AAA Settings for Flex Guest SSID
The Configure AAA Server dialog box displays the configurations for the authentication and authorization servers and for the accounting server.

Step 8

Enter the configuration values and click Configure.

Step 9

Click Next.

Step 10

Enter the information for the Advanced Settings and click Next.

Figure 42. Advanced Settings for Flex Guest SSID
The Advanced Settings include fast transition, MFP client protection, protected management frame, 11k, 11v BSS transition support, radius client profiling, NAS-ID, client rate limit, and more.

Step 11

The Associate Model Config to SSID page is displayed. Click Next.

Step 12

In the Associate SSID to Profile page, attach the guest wireless network to the existing branch5 wireless profile.

Figure 43. Attach Wireless Profile to Flex Guest SSID
The configurable settings for the SSID include profile name, WLAN profile name, fabric option, interface option, anchor, and FlexConnect local switching.
  1. In the profile pane, click branch5.

  2. From the Interface Name drop-down menu, choose branchguest-dmz.

    Guest traffic will terminate on the branchguest-dmz interface (VLAN 110).

  3. Choose No for Do you need Anchor for this SSID?.

  4. Check the Flex Connect Local Switching check box and enter 110 for Local to VLAN.

  5. Click Associate Profile.

Step 13

Click Next.

The Portal Customization page is displayed.

Figure 44. Guest Portal Customization for Flex Guest Wireless SSID
Because no self registration portal is available, the create portal button is displayed.

Step 14

Click Create Portal to add a new guest portal in Cisco ISE.

The Portal Builder page is displayed. You can also leave this page without creating a portal.

Figure 45. Flex Guest SSID Portal Builder Screen
The Portal Builder displays the option to sign in with your username and password.

Step 15

Enter the relevant information.

You must at least name the guest portal. For this deployment guide, the portal has been named Lab3_Guest_Portal. The drop-down menu in the Portal Builder allows you to customize the Login Page, Registration Page, Registration Success, and Success Page of the portal. You can customize the color scheme, fonts, page content, logo, and background for the web portal. You can also preview the portal to see what it will look like on a smart phone, tablet, and computer.

Step 16

Click Save to create the new guest portal on the Cisco ISE server and return to the guest wireless network workflow.

Step 17

Click Next.

The summary page will show SSID basic settings, security, advanced settings, and network profiles.

Figure 46. Flex Guest SSID Summary Page
The Summary page lists the setting types with their associated configuration details.

Step 18

Click Save.

Step 19

From the top-left corner, click the menu icon and choose Design > Network Profiles.

Step 20

From the Sites column for profile branch5, click Assign Site.

Step 21

In the Add Sites to Profile slide-in pane, expand the Global site and its subsites and check the New York check box.

Automatically, the child site locations are selected: Branch 5 with Floor 1, Floor 2, and Floor 3.

Step 22

Click Save.

Figure 47. Site Assignment to Flex Guest Profile
The New York site is selected, with its child sites of Branch 5, Floor 1, Floor 2, and Floor 3 also selected.

Step 23

From the Action column for profile branch5, click Edit.

Step 24

Click Templates.

Step 25

From the Onboarding Template(s) tab or the Day-N Template(s) tab, click Attach Templates to add the CLI-based templates to the enterprise wireless network configuration.

Note

 

You must have defined all the templates within the Template Editor window of Catalyst Center. This design and deployment guide does not discuss the addition of templates, because doing so requires knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. However, you can add wireless features that are not supported by the web-based GUI of Catalyst Center through templates.

Step 26

Click Save.

The new enterprise wireless network, lab3branch5, is displayed in the Wireless Network Settings dashboard.

Note

 

WLAN profiles created with different AAA settings can be assigned at different site levels. Site level overrides will push a new WLAN profile to the wireless controller. You can override the Global SSID with the settings based on area, buildings, and floor levels.

Cisco recommends updating the WLAN Profile Name when making any site level overrides for the SSID. If the same WLAN profile name is already configured in the wireless controller that manages the selected sites, a provisioning failure will occur.

Only L2 Security, AAA Configuration, NAS-ID, Mac Filtering, AP Impersonation, Radius Client Profiling, CCKM, MPSK, Protected Management Frame (802.11w), AAA Override, and WLAN Profile Name can be overridden at site levels. To edit other parameters, navigate to the global level.
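The two rules in this note (only a fixed set of parameters may differ at site level, and a site override must carry a WLAN Profile Name that does not already exist on the managing controller) are easy to check before provisioning, and catching them early avoids a failed push. The following checker is an added example for this guide, not Catalyst Center code; the dictionary keys mirror the parameter names listed above, and the sample SSID values and controller profile names are constructed.

```python
"""Pre-provisioning check for site-level SSID overrides.

Added example for this guide, not Catalyst Center code. The overridable
parameter names are the ones listed in the guide; sample data is constructed.
"""
from __future__ import annotations

# Parameters that Catalyst Center allows to differ from the global SSID at
# area, building, or floor level (as listed in the guide).
SITE_OVERRIDABLE = frozenset({
    "L2 Security", "AAA Configuration", "NAS-ID", "Mac Filtering",
    "AP Impersonation", "Radius Client Profiling", "CCKM", "MPSK",
    "Protected Management Frame (802.11w)", "AAA Override", "WLAN Profile Name",
})


def check_site_override(global_ssid: dict, site_ssid: dict, wlc_profile_names) -> list[str]:
    """Return the problems a site-level override would hit (empty list = fine).

    global_ssid:       the SSID as defined at the Global level
    site_ssid:         the same SSID as it would be after the site override
    wlc_profile_names: WLAN profile names already present on the controller
                       that manages the selected sites
    """
    problems: list[str] = []
    changed = {key for key, value in site_ssid.items() if global_ssid.get(key) != value}

    # Rule 1: anything outside the overridable set must be edited globally.
    for key in sorted(changed - SITE_OVERRIDABLE):
        problems.append(f"{key!r} cannot be overridden at site level; edit it at the global level")

    if not changed:
        return problems  # no override, nothing new is pushed

    # Rule 2: an override pushes a new WLAN profile, so its name must be unique.
    if "WLAN Profile Name" not in changed:
        problems.append("override keeps the global WLAN Profile Name; change it so the "
                        "controller receives a distinct profile")
    elif site_ssid["WLAN Profile Name"] in wlc_profile_names:
        problems.append(f"WLAN profile {site_ssid['WLAN Profile Name']!r} already exists on "
                        "the managing controller; provisioning would fail")
    return problems


if __name__ == "__main__":
    # Constructed sample: the guest SSID from this guide with a branch-specific AAA server.
    global_ssid = {"SSID": "lab3guest5", "WLAN Profile Name": "lab3guest5_profile",
                   "L2 Security": "Web Auth", "AAA Configuration": "ise-global"}
    branch_override = dict(global_ssid, **{"AAA Configuration": "ise-branch5",
                                          "WLAN Profile Name": "lab3guest5_branch5"})
    print(check_site_override(global_ssid, branch_override, {"lab3guest5_profile"}) or "ok")
```

The set of names on the controller would normally come from an inventory export; here it is passed in explicitly so the check stays offline.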


Configure FlexConnect Settings for Guest SSID

The following procedure describes how to configure the FlexConnect settings for a guest SSID.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless > FlexConnect Settings.

Step 2

Configure native VLAN and AAA override VLAN in global settings.

Note

 

You can override the native VLAN and AAA override VLAN in global settings at the area, building, and floor levels.

Figure 48. FlexConnect Settings for Flex Guest SSID Image
The FlexConnect Settings page displays the configuration settings for FlexConnect VLAN and AAA Override VLAN.

Step 3

Click Save.


Configure Model Config Editor for Flex Guest SSID

This section describes the procedure to configure the model config for a flex guest SSID.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Feature Templates.

Step 2

Click Flex Configuration.

Step 3

Click + Add and enter the design name.

Step 4

Enable IP Overlap.

Figure 49. Model Config for Flex Guest SSID
The Add Flex Configuration slide-in pane displays the options to name the design and enable IP overlap.

Step 5

Click Save.


Map Flex Guest SSID Feature Template to Network Profiles

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Profile.

Step 2

Click Edit for the branch5 network profile.

Step 3

Click Feature Templates and click Add Feature Template.

Step 4

For Device Type, choose the appropriate wireless controller model.

Step 5

Click Wireless > Flex Configuration and choose the configured template.

Step 6

Click Add and save the changes.

Figure 50. Map FlexConnect Feature Template to Guest Network Profile
The Add Feature Template slide-in pane displays the options to filter by device type, search the feature template designs, and add the feature template.

Customize Wireless RF Profiles

The Wireless Radio Frequency Profile section of the Wireless Settings dashboard allows you to do the following:

  • Visually inspect the settings for each of the three preconfigured RF profiles within Catalyst Center. These RF profiles are also preconfigured within the Cisco Catalyst 9800 Series Wireless Controller.

  • Create custom RF profiles in which you can fine tune various RF aspects of your wireless deployment.

  • Choose either a preconfigured or custom RF profile as the default RF profile that is assigned to APs within Catalyst Center.

When provisioning APs in Catalyst Center, the default RF profile configured within the Wireless Settings dashboard will be applied. However, you can also override this setting for each AP.

The following preconfigured RF profiles are available:

  • LOW: This profile tunes the RF attributes in both bands (2.4 GHz and 5 GHz) for low client density deployments.

  • TYPICAL: This profile tunes the RF attributes in both bands (2.4 GHz and 5 GHz) for medium client density deployments.

  • HIGH: This profile tunes the RF attributes in both bands (2.4 GHz and 5 GHz) for high client density deployments, such as stadiums and auditoriums.


Note


Appendix D explains the specific settings within each of the three preconfigured RF profiles within Catalyst Center.

Set the desired TPC threshold on the RF group, based on the AP density and installed height. For large deployments, there can be significant variations in the RF environment, so it is important to properly adjust TPC to ensure optimal coverage in each location.

Together with transmit power, data rates are the primary mechanism to influence the client roaming behavior. Changing data rates to the lowest mandatory rate can modify when the client may trigger a new roam, which is especially important for large open spaces that suffer from sticky client problems.

When setting up RF profiles, try to avoid configuring adjacent AP groups and RF profiles with different DCA channel sets, as this can negatively impact DCA calculations.

Users can add a nonsupported channel to the RF profile DCA list, even if the channel is not supported in the configured regulatory domain. The recommendation is to always check if the configured channels are allowed in the country domain. There is no impact on network operations because the DCA would not assign the unsupported channels to the APs. However, starting in release 17.5, the C9800 has a validation to check if the added channels are allowed.


Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless > RF Profiles.

The Wireless Radio Frequency Profile section of the Wireless Settings dashboard can only be accessed at the global level of the site hierarchy.

Step 2

By default, the TYPICAL RF profile is set as the default RF profile. To change the default RF profile, do the following:

  1. Check the check box next to the name of one of the available profiles.

  2. Hover your cursor over the Actions drop-down menu and choose Mark Default.

Figure 51. Wireless Radio Frequency Profile
The RF Profiles window displays the existing profiles with their type, 2.4 GHz data rates, 5 GHz and 6 GHz data rates, and channel width.

For this design and deployment guide, the TYPICAL RF profile was selected, indicating that the deployment is meant for an environment with medium client density.

The FlexConnect design for a remote office is now complete.


Design the Cisco Catalyst 9800-CL Wireless Controller Hosted on AWS

This section describes the wireless controller hosted on AWS deployment, which uses a cloud-based Cisco Catalyst 9800-CL Wireless Controller hosted on AWS. For more information, see Deployment guide for Cisco Catalyst 9800 Wireless Controller for Cloud (C9800-CL) on Amazon Web Services (AWS).

Launching a Cisco Catalyst 9800 Amazon Machine Image (AMI) occurs directly from the AWS Marketplace. The Cisco Catalyst 9800 Series Wireless Controller will be deployed on an Amazon EC2 in an Amazon Virtual Private Cloud (VPC).

Cisco supports the following instance type for the first release of the Cisco Catalyst 9800 Series Wireless Controller on the cloud:

C5.xlarge: 4 vCPUs, 8 GB RAM, 8 GB disk with 1 vNIC.

The allocated resources will allow the instance to scale to 1000 APs and 10,000 clients.

Prerequisites for Deploying the Cisco Catalyst 9800-CL Wireless Controller on AWS

  • Create a managed VPN connection from the corporate network to the VPC.

  • Create a VPC with the desired subnet for the wireless management interface on the Catalyst 9800 Series Wireless Controller.

  • Catalyst 9800 Series Wireless Controller CloudFormation template: You do not have to configure the CloudFormation template because the template is automatically integrated in the launching procedure. If desired, you can download and view the CloudFormation template file from the AWS Marketplace page for the product.

  • Amazon Machine Instance ID (AMI-ID) for the desired Catalyst 9800 Series Wireless Controller software release: The AMI will be available in the AWS marketplace.

  • AP access can be restricted to your instance for security reasons. For example, CAPWAP from a single, specific IP range can be allowed so that only those APs are able to register to the controller. The following table shows the ports that need to be opened in the firewall to allow the AP to communicate with the wireless controller on AWS.

Table 17. Ports Required to be Opened in Firewall

Ports                      Protocol
UDP 5246/5247/5248         CAPWAP
TCP 22                     SSH, SCP
TCP 21                     FTP
ICMP                       Ping
UDP 161, 162               SNMP/SNMP Traps
TCP 443/80                 HTTPS/HTTP
TCP/UDP 49                 TACACS+
UDP 53                     DNS Server
UDP 1812/1645/1813/1646    RADIUS
UDP 123                    NTP Server
UDP 514                    Syslog
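The prerequisite above recommends allowing CAPWAP only from the IP range your APs actually use. The following is an added example, not code from the Cisco guide or the C9800-CL product: it turns Table 17 into EC2 security group ingress rules (the IpPermissions layout that boto3's authorize_security_group_ingress() accepts) and audits a rule set for sensitive ports left open to 0.0.0.0/0. The function names, the SENSITIVE port set and the sample CIDRs are the author's own assumptions.

```python
"""Added example, not code from the Cisco guide or the C9800-CL product.

Builds the EC2 security group ingress rules for a C9800-CL from the ports in
Table 17 and audits a rule set for sensitive ports left open to 0.0.0.0/0.
The dict layout is the IpPermissions structure that boto3's
authorize_security_group_ingress() accepts; the CIDRs are constructed samples.
"""
from ipaddress import ip_network

# Ports from Table 17: (IP protocol, from_port, to_port, description).
C9800_CL_PORTS = [
    ("udp", 5246, 5248, "CAPWAP control/data"),
    ("tcp", 22, 22, "SSH, SCP"),
    ("tcp", 21, 21, "FTP"),
    ("icmp", -1, -1, "Ping"),
    ("udp", 161, 162, "SNMP / SNMP traps"),
    ("tcp", 443, 443, "HTTPS"),
    ("tcp", 80, 80, "HTTP"),
    ("tcp", 49, 49, "TACACS+"),
    ("udp", 49, 49, "TACACS+"),
    ("udp", 53, 53, "DNS"),
    ("udp", 1812, 1813, "RADIUS authentication/accounting"),
    ("udp", 1645, 1646, "RADIUS authentication/accounting (legacy ports)"),
    ("udp", 123, 123, "NTP"),
    ("udp", 514, 514, "Syslog"),
]

ANY = "0.0.0.0/0"
# Author's choice of ports that should never face the whole Internet:
# the AP join plane (CAPWAP) and the management plane (SSH, SNMP, WebUI).
SENSITIVE = {("udp", 5246), ("udp", 5247), ("tcp", 22), ("udp", 161),
             ("tcp", 443), ("tcp", 80)}


def build_ingress_rules(ap_cidr, corp_cidr):
    """Return IpPermissions that allow CAPWAP only from the AP range and every
    other Table 17 port only from the corporate range reached over the VPN."""
    for cidr in (ap_cidr, corp_cidr):
        ip_network(cidr)  # raise ValueError early on a malformed prefix
    rules = []
    for proto, lo, hi, desc in C9800_CL_PORTS:
        source = ap_cidr if desc.startswith("CAPWAP") else corp_cidr
        rules.append({
            "IpProtocol": proto,
            "FromPort": lo,
            "ToPort": hi,
            "IpRanges": [{"CidrIp": source, "Description": desc}],
        })
    return rules


def audit_ingress_rules(rules):
    """Return sorted findings, one per sensitive port a rule exposes to 0.0.0.0/0."""
    findings = set()
    for rule in rules:
        if not any(r.get("CidrIp") == ANY for r in rule.get("IpRanges", [])):
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        for proto, port in SENSITIVE:
            # "-1" is the AWS wildcard protocol (all traffic); a -1/-1 port
            # range likewise means every port.
            proto_match = rule["IpProtocol"] in (proto, "-1")
            port_match = (lo, hi) == (-1, -1) or lo <= port <= hi
            if proto_match and port_match:
                findings.add(f"{proto}/{port} open to {ANY}")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample ranges: APs on 10.4.0.0/16, corporate network on 10.0.0.0/8.
    sample = build_ingress_rules("10.4.0.0/16", "10.0.0.0/8")
    print(audit_ingress_rules(sample) or "no sensitive port is open to 0.0.0.0/0")
```

Run audit_ingress_rules() against the IpPermissions returned by describe_security_groups() for the instance's group after launch; a non-empty result means a Table 17 port is reachable from anywhere rather than from the AP or corporate range only.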

Install the Cisco Catalyst 9800-CL Wireless Controller on AWS

Procedure

Step 1

Navigate to the AWS Marketplace.

Step 2

Locate the Cisco Catalyst 9800-CL Wireless Controller product page by searching the AWS Marketplace for "C9800-CL."

Step 3

Choose the Cisco Catalyst 9800-CL Wireless Controller for Cloud and click Continue to Subscribe.

Step 4

Choose the fulfillment option: Cloud Formation Template (recommended) or Amazon Machine Image (AMI).

If you choose AMI, you can use the AWS Console or the AWS Marketplace interface.

For both fulfillment options, you will be guided through the steps to launch a new Catalyst 9800-CL Wireless Controller instance.

Step 5

During the installation process, you will be prompted to select the following:

  • The desired AWS region.

  • The VPC (custom or default) and installation location for the Catalyst 9800-CL Wireless Controller.

  • The desired IP subnet for the Catalyst 9800-CL Wireless Controller management and wireless management interface.

  • The security group associated with the VPC.

  • The key pair for SSH connection.

Step 6

Click Review and Launch and ensure that the information is accurate.

Step 7

Click Launch Instances.

Step 8

Go to AWS Console > EC2 services and wait for your instance to indicate a state of running. You will have to wait a few minutes before you can connect to your Catalyst 9800-CL Wireless Controller instance.

Step 9

Connect to the IP address assigned to your Catalyst 9800-CL Wireless Controller instance and use the WebUI wizard for Day 0 configuration and setup.

Step 10

Alternatively, connect to your instance using an SSH client, providing the necessary credentials or the private SSH key selected during setup.

For example: ssh -i mykeypair.pem ec2-user@<IP of the instance>

Step 11

Once SSH has connected, you should see the IOS XE command prompt on the Catalyst 9800-CL Wireless Controller. You may now begin configuring your instance.


Configure Enterprise Wireless Networks (SSIDs)

Wireless settings are hierarchical. Settings at lower levels of the site hierarchy can override settings defined in higher levels. By default, you are taken to the global level, which is the highest level of the site hierarchy.

Enterprise wireless networks are the nonguest WLANs/SSIDs that are available for broadcast across the deployment, and these networks must be defined at the global level of the site hierarchy. Once defined, enterprise wireless networks are applied to wireless profiles, which are assigned to one or more sites within the hierarchy. For this design and deployment guide, a single enterprise WLAN/SSID named corpevent is provisioned. The following steps explain how to configure the enterprise wireless network within Catalyst Center.

Before you begin

To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.

Procedure

Step 1

Log in to the Catalyst Center web console using an IP address or a fully qualified domain name.

Example:

http://<Catalyst_Center_IPaddr_or_FQDN>

Step 2

From the top-left corner, click the menu icon and choose Design > Network Settings > Wireless > SSIDs.

Figure 52. Wireless Network Settings
The configurable wireless network settings are displayed as tiles.

Step 3

From the Wireless Network Settings dashboard, hover your cursor over + Add and choose Enterprise.

Figure 53. Selecting an Enterprise for Wireless Network Settings
The option to add an enterprise SSID or guest SSID.

Step 4

Enter the settings information and click Next.

The settings used in this deployment are provided in the following table.

Table 18. Settings for Enterprise SSID

Feature                                                    Settings
Wireless Network Name (SSID)                               Corpevent
Broadcast SSID                                             On
Radio Policy                                               2.4 GHz, 5 GHz, 6 GHz
Quality of Service (QoS)                                   VoIP (Platinum)
Level of Security                                          Personal, WPA2
Advanced Security Options – MAC Filtering                  Unchecked
Passphrase Type                                            <Enter passphrase>
Fastlane                                                   Unchecked
Identity PSK                                               Unchecked
Deny RCM clients                                           Unchecked
Advanced Settings – Fast Transition (802.11r)              Adaptive, Over the DS unchecked
Advanced Settings – MFP Client Protection                  Optional
Advanced Settings – Protected Management Frame (802.11w)   Disabled
Advanced Settings – Session Timeout                        Checked, 1800 seconds
Advanced Settings – Client Exclusion                       Checked, 300 seconds
Advanced Settings – 11k Neighbor List                      Checked
Advanced Settings – 11v BSS Transition Support             BSS Max Idle Service: Checked
                                                           Client Idle User Timeout: Checked, 300 seconds
                                                           Directed Multicast Service: Checked

Step 5

The next page in the workflow is displayed. You can attach the enterprise wireless network to an existing wireless profile, or you can create a new wireless profile and attach the enterprise wireless network.

Step 6

Click + Add Profile to add a new wireless profile.

Figure 54. Associate SSID to Network Profile
The option to add a new profile to the existing SSID.

Step 7

In the Wireless Profile Name field, enter the name of the new wireless profile. For this deployment guide, a wireless profile named corpevent-profile was created.

Step 8

From Fabric, click the No radio button.

This deployment guide only discusses non-SDA wireless deployments using Catalyst Center. When you choose No, the Select Interface field is automatically displayed.

Step 9

From the Select Interface drop-down list, choose Management.

Note

 

The AWS wireless controller does not support layer 2 VLANs because they are not needed for a publicly deployed wireless controller, and the AWS wireless controller is never in use. When doing manual configuration on an AWS or Azure wireless controller, you can skip this step. However, with Catalyst Center provisioning, the FlexConnect flow requires a VLAN to be pushed, even though the VLAN is not in use on an AWS or Azure wireless controller. These wireless controllers only support FlexConnect local switching. To prevent Catalyst Center from provisioning a VLAN, choose Management for the interface.

Step 10

Check the FlexConnect Local Switching check box.

Step 11

In the Local to VLAN field, enter VLAN ID 16.

All branch employee traffic will be locally switched onto VLAN 16 of the branch switch.

Figure 55. Assign VLAN for Enterprise SSID
The SSID configurable settings include WLAN profile name, fabric option, interface option, anchor, and FlexConnect local switching.

Step 12

Click Associate Profile to attach the profile to wireless SSID.

Figure 56. Successful Association of SSID to Network Profile
The profile with the green check mark has been successfully associated to the SSID.

Step 13

Click Next to review the summary, and then click Save.

Figure 57. Summary Page for Reviewing Enterprise SSID Configuration
The Summary page shows the details for the various settings, organized by type.

Step 14

Click Configure Network Profile to go to the Network Profiles page to assign the site for the wireless profile.

Figure 58. Site Assignment for Network Profile
The Assign Site option is available for profiles that have not yet been assigned to a site.

Step 15

Click Assign Site.

Step 16

In the left hierarchy tree, choose Global > Milpitas area.

The child site locations are automatically selected: Branch 5 and Floor 1 and Floor 2.

Step 17

Click OK to close the site hierarchy side panel and return to Create a Wireless Profile.

The design of the wireless controller on AWS is complete, and you can go to the Deploy the wireless network section.


Deploy the Wireless Network

This section of the design and deployment guide implements the use case discussed in the Solution Overview section of this document. Catalyst Center is used to automate the deployment of the wireless profile created in the Design the Wireless Network section of this document to a Cisco Catalyst 9800-40 enterprise wireless controller HA SSO pair (WLC-9800-2) and a Cisco Catalyst 9800-CL guest wireless controller (WLC-9800-CL).

This section contains the following topics and processes:

  • Discover and manage the Catalyst 9800 Series Wireless Controllers

  • Manage software images for the Catalyst 9800 Series Wireless Controllers

  • Use software image management (SWIM) to update the Catalyst 9800 Series Wireless Controller software

  • Configure high availability (HA) stateful switch-over (SSO) on the Catalyst 9800-40 enterprise wireless controllers

  • Provision the Catalyst 9800-40 enterprise wireless controller HA SSO pair

  • Provision the Catalyst 9800-CL guest anchor wireless controller

  • Join the new APs to the enterprise wireless controller HA SSO pair

  • Provision the new APs

  • Position the new APs on the floor map

  • Local RRM vs. cloud-based RRM

  • Enable cloud-based RRM

  • Template programmer for additional wireless configurations

Enterprise WLAN for Campus Wireless Deployment

This section explains how to provision the campus wireless deployment for the Milpitas site. For this scenario, the wireless controllers are discovered, and their images are updated and provisioned. These procedures are explained in the following sections.

Discover and Manage the Cisco Catalyst 9800 Series Wireless Controller

This deployment guide uses IP address ranges for discovery of both of the Cisco Catalyst 9800-40 Wireless Controllers deployed as enterprise wireless controllers and the Cisco Catalyst 9800-CL Wireless Controller deployed as the guest wireless controller. Before initiating the discovery, IP connectivity must be enabled to the devices. When using IP address ranges, you can reduce the range to just the wireless controllers to speed the discovery.


Note


Alternatively, you can supply an initial device for discovery and direct Catalyst Center to use Cisco Discovery Protocol (CDP) to find connected neighbors.


The following assumptions are made for this procedure:

  • The two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) are connected to the network as standalone wireless controllers. Configuration of the two Catalyst 9800-40 Wireless Controllers into an HA SSO pair will be done within Catalyst Center in a later process.

  • NETCONF is enabled on all of the Cisco Catalyst 9800 Series Wireless Controllers (WLC-9800-1, WLC-9800-2, and WLC-9800-CL).

  • All Catalyst 9800 Series Wireless Controllers are on the network, with management IP addresses configured for reachability.

  • SSH access is enabled on all of the Catalyst 9800 Series Wireless Controllers, with a user ID and password configured within the local user database.

  • All Catalyst 9800 Series Wireless Controllers have hostnames configured (WLC-9800-1, WLC-9800-2, and WLC-9800-CL), which will allow the devices to be identified by their hostnames within the Catalyst Center inventory after discovery.

For this design and deployment guide, the following table shows the hostnames, platform models, and IP addresses for Catalyst Center.

Table 19. Hostnames, Platform Models, and IP Addresses for Catalyst Center

Hostname      Platform Model                              IP Address
WLC-9800-1    Cisco Catalyst 9800-40 Wireless Controller  10.4.50.2
WLC-9800-2    Cisco Catalyst 9800-40 Wireless Controller  10.4.50.22
WLC-9800-CL   Cisco Catalyst 9800-CL Wireless Controller  10.4.48.153

This section contains the following processes:

  • Discover the two Catalyst 9800-40 Wireless Controllers, which serve as the enterprise HA SSO pair for the WLAN deployment.

  • Discover the Catalyst 9800-CL Wireless Controller, which serves as the guest anchor wireless controller for the WLAN deployment.

Discover and Manage the Cisco Catalyst 9800-CL Wireless Controller Deployed on AWS

The discovery process is the same for other Cisco Catalyst 9800-CL Wireless Controllers.

Discover the Cisco Catalyst 9800-40 Wireless Controllers Serving as the Enterprise HA SSO Pair for WLAN Deployment

The following steps explain how to discover the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Procedure

Step 1

From the top-left corner, click the menu icon and choose Tools > Discovery.

If discovery devices already exist, the Discovery Dashboard will be displayed. If you are starting for the first time, the Add Discovery button will be displayed.

Figure 59. Discovery Dashboard
The Discovery dashboard displays the Add Discovery button, which is used to create a discovery.

Step 2

Click Add Discovery to create a new discovery.

The Discover Devices window is displayed. This window begins the workflow for discovering new devices from the network.

Figure 60. Discover Devices Window
The Discover Devices window includes the configurable settings for a discovery job: discovery job name, discovery type, IP address range, and preferred management IP address.

Step 3

Enter a name in the Discovery Job Name field.

Step 4

From DISCOVERY TYPE, choose IP Address Range.

Step 5

Enter the Starting IP Address and the Ending IP Address.

The range configured is 10.4.50.2 - 10.4.50.22, which is sufficient to discover the two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Step 6

For PREFERRED MANAGEMENT IP ADDRESS, if a device has a loopback interface used for management, click the Use Loopback (If Applicable) radio button. Otherwise, click the None radio button.

For this deployment, the VLAN 50 interface is configured as the wireless management interface, so the PREFERRED MANAGEMENT IP ADDRESS is set to None.

Step 7

Click Next.

Step 8

Provide CLI, SNMP, and NETCONF credentials by clicking the associated tab and clicking + Add Credentials.

All Catalyst 9800 Series Wireless Controllers require NETCONF for discovery and provisioning. The user ID and password used for NETCONF access to the wireless controllers are the same as the SSH credentials.

Step 9

Click Next.

Step 10

In the Advanced Settings page, for PROTOCOL ORDER, enable SSH.

It is not recommended to enable Telnet, because Telnet sends credentials and session traffic in clear text across the network.

Step 11

Click Next.

Step 12

In the Assign Devices to Site page, click the Skip site assignment for now radio button and click Next.

Step 13

In the Schedule Job page, choose Now and click Next.

The Summary page is displayed.

Step 14

Click Start Discovery.

The discovery details are displayed while the discovery runs and remain available after the discovery is complete.

Figure 61. Discovery Details
The Discovery Details display the following information for each discovery job: discovery name, type, status, IP address/range, reachable devices, and actions.

Step 15

After the discovery process is complete, navigate to the main Catalyst Center dashboard.

Step 16

From the top-left corner, click the menu icon and choose Provision > Inventory.

The list of devices known to Catalyst Center will be displayed, including the two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) that were discovered. The Catalyst 9800-40 Wireless Controllers should show a Last Sync Status of Managed.

Catalyst Center can now access the devices, synchronize the inventory, and make configuration changes on the devices.


Discover the Cisco Catalyst 9800-CL Wireless Controller Serving as the Guest Anchor Wireless Controller for WLAN Deployment

To discover the Cisco Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL), repeat the steps in Discover the Cisco Catalyst 9800-40 Wireless Controllers Serving as the Enterprise HA SSO Pair for WLAN Deployment.

For this deployment guide, the IP address range for discovery of the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL) is a single IP address: 10.4.174.36 - 10.4.174.36.


Note


Optionally, you can discover all the wireless controllers in a single discovery that includes the IP address range of both the Catalyst 9800-40 enterprise Wireless Controllers (WLC-9800-1 and WLC-9800-2) and the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL).


Manage Software Images for the Cisco Catalyst 9800 Series Wireless Controllers

This process is used to upload the latest software images for the Cisco Catalyst 9800 Series Wireless Controllers to the Catalyst Center software image repository. The following table shows the platforms and software images uploaded for this deployment.

Table 20. Software Images for Catalyst 9800 Series Wireless Controller

Platform                                     Software Version        Software Image
Cisco Catalyst 9800-40 Wireless Controller   IOS XE Release 17.12.3  C9800-40-universalk9_wlc.17.12.03.SPA.bin
Cisco Catalyst 9800-CL Wireless Controller   IOS XE Release 17.12.3  C9800-CL-universalk9.17.12.03.SPA.bin

A minimum of IOS XE release 16.10.1 is required for operability between the Catalyst 9800 Series Wireless Controllers and Catalyst Center.

The following procedures are included in this process:

  • Upload the software image for the Cisco Catalyst 9800-40 Wireless Controller.

  • Upload the software image for the Cisco Catalyst 9800-CL Wireless Controller.

Upload the Software Image for the Cisco Catalyst 9800-40 Wireless Controllers

The following steps discuss the image upload process for the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Procedure

Step 1

From the top-left corner, click the menu icon and choose Design > Image Repository.

The Image Repository window is displayed.

Figure 62. Image Repository
The Image Repository shows a summary of the device families, total images, and advisories for running, golden, and imported images.

Step 2

You can get a new image into the Catalyst Center image repository by doing one of the following:

  • Download the image from the Cisco website.

  • Import the image from your local machine.

Step 3

For your desired image, click download image icon. The image will begin to download from the Cisco website.

For this deployment guide, image 17.12.3 was downloaded.

Step 4

Alternatively, click Import to import a new image.

The Import Image/Add-on dialog box is displayed.

Figure 63. Import Image
The Import Image/Add-on dialog box displays the option to import a new image from your computer.

Step 5

Click Choose File.

Step 6

Navigate to the Catalyst 9800-40 software image on your computer and choose the desired image.

For this deployment guide, C9800-40-universalk9_wlc.17.12.3.SPA.bin was chosen.

Step 7

Under Source, click the Cisco radio button because this is a Cisco software image.

Step 8

Click Import to upload the image to the Catalyst Center image repository.

A status bar shows the progress of the upload. Once the upload is complete, the main Image Repository window is displayed.

Step 9

Click Show Tasks to verify that the image was imported successfully.

The Recent Tasks (Last 50) side panel is displayed. The new image transitions are shown in yellow. The tasks that are completed successfully are shown with a green check mark.

Step 10

Close the Recent Tasks (Last 50) side panel.

Step 11

From the Image Repository window, click > next to Imported Images to expand the list of imported images.

Step 12

Click Assign next to the image file you just uploaded.

The Assign Device Family slide-in pane is displayed.

Step 13

Choose the Cisco Catalyst 9800-40 Wireless Controller and click Assign to assign this image to its device family.

Step 14

Under the Family column in the list of devices in the main repository window, locate the Catalyst 9800-40 Wireless Controllers and expand the list of available images for the device.

You should now see the new image you just uploaded in the list of images available for the device family.

Step 15

Click the star for Golden Image to mark the image as the preferred one for the Catalyst 9800-40 Wireless Controller platform.

Figure 64. Mark Golden Image
For each image, the following is listed: image name, version, image status, critical, high, and device role and tags.

Repeat the entire procedure for the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL). For this deployment guide, the Catalyst 9800-CL guest Wireless Controller upload image name is C9800-CL-universalk9.17.12.3.SPA.bin.


Update the Software Image for the Cisco Catalyst 9800-CL Wireless Controller

This section outlines the procedure for updating the wireless controller image after the image is marked as golden.

Use Software Image Management (SWIM) to Update the Catalyst 9800 Series Wireless Controller Software

This process is used for the following purposes:

  • Distribute (download) the software image from the Catalyst Center image repository to the wireless controllers.

  • Upgrade the software images running on the wireless controllers.

Both steps can be run immediately, or the steps can be scheduled to run at a specified date and time to comply with existing network change schedules.

Catalyst Center runs a compliance check, which compares the image running on each device in the inventory with the image marked as golden for its device family. Devices that are out of compliance with the golden image are marked as Outdated in the inventory. Before you can update a device to the version marked as golden, the inventory collection must have completed successfully, and the device must be in a Managed state.

The following procedures are included in this process:

  • Upgrade the software images for the Catalyst 9800-40 Wireless Controllers.

  • Upgrade the software image for the Catalyst 9800-CL Wireless Controller.

Upgrade the Software Image for the Cisco Catalyst 9800-40 Wireless Controllers

The following procedure explains how to upgrade the software images for the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Procedure

Step 1

From the top-left corner, click the menu icon and choose Provision > Inventory.

Step 2

From the Focus drop-down list, choose Software Images.

The window displays the software image running on each device in the inventory.

Figure 65. Inventory Window
For each device, the following information is displayed: device name, IP address, device family, software image, OS update status, site, provisioning status, and manageability.

Step 3

From the list of devices, locate one of the Catalyst 9800-40 Wireless Controllers (WLC-9800-1 or WLC-9800-2).

Step 4

Under the Software Image column for the Catalyst 9800-40 Wireless Controller, click Needs Update.

The Image Update Readiness Check slide-in pane is displayed.

Figure 66. Image Update Readiness Check Window
The Image Update Readiness Check slide-in pane shows the device details and readiness checks results.

Ensure that the Status column shows either a green icon indicating success or a yellow icon indicating a warning. If any of the checks show a red icon indicating failure, the image on the platform was not upgraded. In this deployment guide, the Config register check shows a red icon because the config register value needs to be 0x2102 or 0x102, but the device is using a value of 0x0.

If necessary, correct any issues on the wireless controller which result in a failure.

Step 5

Click Re-Execute Check to rerun the readiness assessment.

Note

 

Configuring a time zone in IOS XE devices through the clock timezone IOS CLI command may cause a warning to appear in the Image Update Readiness Check slide-in pane, indicating that the time is significantly different between your device and Catalyst Center. You may be able to clear this warning by removing the clock timezone command from the device, resyncing the device in the inventory, and clicking Re-Execute Check to run the readiness assessment again. As a result, the time format of the device will be displayed in UTC time rather than the local time zone.

Step 6

When you have corrected all checks which indicate a failure, close the Image Update Readiness Check slide-in pane.

Step 7

Repeat Step 1 through Step 6 for the other Catalyst 9800-40 Wireless Controller.

Step 8

Check the check boxes for both of the Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).

Step 9

From the Actions drop-down list, choose Software Image > Image Update.

The Image Update slide-in pane is displayed.

  1. Enter a unique name in the Task Name field.

    For this deployment guide, the task name 9800update is used.

    Figure 67. Enter Task Name
    The Task Name page shows the field to enter the task name.
  2. Click Next.

  3. Check the check box for the device name to choose the device.

  4. Click Next to proceed to the customized software distribution checks.

    Figure 68. Custom Distribution Check
    The New Custom Check dialog box shows the name of the custom check, commands, test device, command patterns to ignore, and additional criteria.
  5. If customization is not needed, choosing the default Flash check is optional.

    Figure 69. Update Image Distribution
    The prechecks and postchecks are listed for the software distribution.
  6. Click Next to proceed to Software Activation Checks. By default, Config register check and Startup config check are chosen.

  7. Click Add a custom check to add additional custom checks.

    For this guide, only the default checks are chosen.

    Figure 70. Software Activation Checks
    The prechecks and postchecks are listed for the software activation.
  8. Click Next and choose the Device Activation order if there is more than one device.

    For this guide, there is only one device, so only that device is chosen.

    Figure 71. Device Activation Order
    The Device Activation Order window shows the device name, IP address, site, device series, current image, and update image.
  9. Click Next to schedule the distribution and activation for a later time. To execute the distribution and activation immediately, click Now.

    If the software has not been distributed (downloaded from the Catalyst Center repository to the wireless controllers), you cannot choose the Now option. However, you can schedule the software to be activated immediately after the software distribution is complete, or you can schedule the software activation for a later date and time. If you schedule the activation time too close to the distribution time, you will receive a warning that the update may fail because the distribution of the image to the devices may not complete before the scheduled activation time.

    Note

     

    It is always recommended to upgrade software images only during scheduled network operations change windows.

Step 10

Enable Software Activation After Distribution.

Alternatively, click the Later radio button and adjust the date and time for the image distribution.

Enabling Software Activation After Distribution will activate the image immediately after it is distributed. This action combines the download and activation of the image into a single scheduled process, rather than scheduling download and activation separately.

Figure 72. Schedule Task and Clean Up Window
The Schedule Task and Clean Up window displays the options to schedule the software distribution, activation, and clean up of a device.
  1. Click Next to proceed to the Summary window and review your selections before submitting the task to update the device image.

    Figure 73. Review Summary Before Submitting Upgrade Task
    The Summary window allows you to review your scheduled task, including its device name, device series, site, current image, and update image.
  2. Click Submit.

    The status window is displayed, showing the progress of the update.

Step 11

Click Image Update Status, which takes you to the update progress window.

Alternatively, click the menu icon and choose Activities > Tasks. The scheduled task window is displayed.

You can expand the task to see the details regarding the distribution and activation of the image.

On successful completion of the task, an icon is displayed next to the task, indicating that the update was successful. Again, you can expand the task to see the details regarding the distribution and activation of the image.

Step 12

Close the scheduled tasks slide-in pane.

Step 13

From the top-left corner, click the menu icon and choose Provision > Inventory to go back to the inventory list in the main provisioning window.

The image for the Catalyst 9800-40 Wireless Controller now shows that it has updated to the chosen IOS version.

Repeat the entire procedure for the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL).


Configure HA SSO on the Cisco Catalyst 9800-40 Enterprise Wireless Controllers

Cisco Catalyst 9800 Series Wireless Controllers support being configured as an active/standby high availability (HA) stateful switch-over (SSO) pair. Catalyst Center can take two controllers of the same model, running the same operating system version, and configure them as an HA SSO pair.


Note


  • Before you turn on HA SSO, ensure that the RP ports are connected, either directly or through a dedicated L2 network. You can connect either the fiber SFP or Ethernet RJ-45 port. The fiber SFP HA connectivity takes priority over RJ-45. If SFP is connected while RJ-45 HA is up and running, the HA pair reloads.

  • When connecting the RP ports directly, back-to-back, Cisco recommends using a copper cable with a length less than 30 meters (100 feet). If you need to go beyond 30 meters (100 feet), it is recommended to connect the RP ports using a fiber cable.

  • Both wireless controllers must run the same software version and be in the same boot mode (install mode is the recommended boot mode).

  • For physical appliances, use the same hardware type (for example, you cannot pair a C9800-L-C with a C9800-L-F).

  • For the Catalyst 9800-CL Wireless Controller, pick the same scale template (large, medium, or small) on both virtual machines.

  • Before forming an HA pair, it is recommended to delete the existing certificates and keys in each of the Catalyst 9800 Series Wireless Controllers that were previously deployed as standalone. Doing this avoids the risk of the same trustpoint being present on both wireless controllers with different keys, which would cause issues after a switchover.

  • Set the keep-alive retries to 5 (the default for release 17.1).

  • Set the higher priority (2) on the chassis that you want to be the active wireless controller.


The following steps explain how to configure the Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) as an HA SSO pair.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Provision > Inventory.

The main provisioning window displays the devices. By default, the Focus is set for Inventory.

Step 2

Locate and check the check box for the Catalyst 9800-40 Wireless Controller that will be the primary wireless controller of the HA SSO wireless controller pair.

For this design and deployment guide, WLC-9800-2 was selected as the primary wireless controller.

Step 3

From the Actions drop-down list, select Provision > Configure WLC HA.

The High Availability slide-in pane is displayed.

Figure 74. High Availability Window
The High Availability window shows the primary 9800, option to select the secondary 9800, netmask, redundancy management IP, and peer redundancy IP.

Step 4

Enter the required information in the respective fields and click Configure HA.

The following table shows the high availability information for this deployment guide:

Table 21. High Availability Settings

  Primary Cisco Catalyst 9800 Series Wireless Controller: WLC-9800-1.cisco.local
  Redundancy Management IP: 10.4.174.132
  Select Secondary Cisco Catalyst 9800 Series Wireless Controller: WLC-9800-2.cisco.local
  Peer Redundancy Management IP: 10.4.174.134
  Netmask: 24

Note

The Redundancy Management IP and the Peer Redundancy Management IP addresses must be in the same IP subnet as the wireless management interface.

A dialog box is displayed, notifying you that the wireless controllers will be rebooted when they are placed in the high availability mode.

Step 5

Click OK to accept and put the two Catalyst 9800-40 Wireless Controllers in HA SSO mode.

It will take several minutes for the wireless controllers to reboot and display in HA SSO mode. All configurations from the primary Catalyst 9800-40 Wireless Controller, including the IP address of the management interface, will be copied to the secondary Catalyst 9800-40 Wireless Controller. Catalyst Center will no longer show two wireless controllers in the inventory. Instead, only a single Wireless Controller HA SSO pair with two serial numbers will appear in the inventory.

For this deployment guide, the wireless controller HA SSO pair is WLC-9800-2.

Step 6

If you check the check box for the wireless controller (WLC-9800-2) and, from the Actions drop-down list, choose Provision > Configure WLC HA, you can see additional information about the Catalyst 9800-40 Wireless Controller HA SSO pair.

Figure 75. Catalyst 9800-40 Wireless Controller HA SSO Pair Details
The Redundancy Summary section shows the high availability configuration details.

Note

 

If you click Disable HA, both Catalyst 9800-40 Wireless Controllers will revert to standalone mode, with the secondary wireless controller reset to factory settings. It is recommended that you establish console access to the wireless controllers before disabling HA. You will need to change the IP address and hostname of one of the wireless controllers to rediscover the controller in Catalyst Center after disabling HA.


Provision the Cisco Catalyst 9800-40 Enterprise Wireless Controller HA SSO Pair

The following steps explain how to provision the corporate wireless profile to the Cisco Catalyst 9800-40 enterprise Wireless Controller HA SSO pair, known as Cisco Catalyst 9800-40-CVD.cagelab.local.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Provision > Inventory.

The main provisioning window displays the devices in the inventory. By default, Inventory is chosen from the Focus drop-down list.

Step 2

Locate and check the check box for C9800-40-CVD.cagelab.local.

Step 3

From the Actions drop-down list, choose Provision > Provision Device.

You are taken through a four-step workflow for provisioning the enterprise wireless controller HA SSO pair (C9800-40-CVD.cagelab.local), starting with Assign Site.

Step 4

In the Assign Site window, click Choose a Site. A slide-in pane is displayed, which shows the site hierarchy configured for Catalyst Center.

For this deployment guide, the enterprise wireless controller HA SSO pair (C9800-40-CVD.cagelab.local) is assigned to the building level.

Step 5

Expand the site hierarchy for Milpitas and choose Building 23.

Figure 76. Assign Site to Building Level
The Assign Site step for provisioning a device shows the associated serial number, devices, and site location.

Note

 
  • The enterprise wireless controller HA SSO pair (C9800-40-CVD.cagelab.local) must be assigned to a building or floor within the Catalyst Center site hierarchy. It cannot be assigned to the Milpitas area or to the global level of the site hierarchy. Although C9800-40-CVD.cagelab.local is assigned to Building 23 in this deployment guide, the wireless controller still supports APs located on floors in other buildings.

  • When the wireless controller is assigned to a site, the wireless controller is added as a device to Cisco ISE.

  • As a best practice, review the compliance reports before provisioning the wireless controller. All reported violations will be overridden in the next provisioning operation. If device values must be maintained, adjust the intent and network profile as needed.

Step 6

Click Save to assign C9800-40-CVD.cagelab.local to Building 23.

Step 7

Click Next.

The Configuration window is displayed.

Step 8

In the Configuration window, choose Active Main for the wireless controller Role.

Step 9

Click Select Primary Managed AP locations.

The Managed AP Location slide-in pane is displayed, showing the site hierarchy for Catalyst Center.

Figure 77. Assign Managed Location for Wireless Controller
The Managed AP Location slide-in pane shows Building 23 with Floor 1 and Floor 2 selected for the wireless controller.

Catalyst Center supports the ability to configure N+1 redundancy for APs and HA SSO for a wireless controller. As a result, you can configure both primary and secondary managed AP locations. Primary managed AP locations are sites, including buildings and/or floors, where the wireless controller serves as the primary wireless controller within the AP high availability configuration. Secondary managed AP locations are sites where the wireless controller serves as the secondary wireless controller within the AP high availability configuration. If the primary wireless controller or wireless controller HA SSO pair fails, APs reestablish their CAPWAP connections to the secondary wireless controller.

For this guide, the Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40-CVD.cagelab.local) will be the primary wireless controller, managing APs on Floor 1 and Floor 2 of Building 23 and Building 24. No secondary managed AP locations will be configured, because the wireless controller HA SSO pair already provides redundancy in a campus network where all the APs operate in a centralized mode deployment.

Step 10

Expand the site hierarchy and choose Floor 1 and Floor 2 for Building 23 and Floor 1 and Floor 2 for Building 24.

Step 11

Click Save.

Because you have selected this wireless controller to be an Active Main wireless controller, additional fields are displayed. The corporate wireless profile has defined the enterprise SSID as lab3employee and the wireless interface on which the SSID terminates as employee on VLAN ID 160, so this enterprise SSID and wireless interface will be automatically displayed. Likewise, because the corporate wireless profile has defined the guest SSID as lab3guest and the wireless interface on which the SSID terminates as guest-dmz on VLAN ID 125, this information will also be automatically displayed.

Step 12

Enter the values for IP address, Gateway IP address, LAG/Port Number, and Subnet Mask (in bits) for each SSID.

The following table shows the values entered for this deployment guide.

Table 22. Enterprise Wireless Controller Settings

Enterprise SSID
  SSID Name: lab3employee
  Interface Name: employee
  VLAN ID: 160
  IP Address: 10.4.160.2
  Gateway IP Address: 10.4.160.1
  LAG/Port Number: 1
  Subnet Mask (in bits): 24

Guest SSID
  SSID Name: lab3guest
  Interface Name: guest-dmz
  VLAN ID: 125
  IP Address: 10.4.125.2
  Gateway IP Address: 10.4.125.1
  LAG/Port Number: 1
  Subnet Mask (in bits): 24

Figure 78. Enterprise Wireless Controller Settings in Catalyst Center
The Configuration step includes the wireless controller settings.

Note

 

The guest-dmz interface is defined on the enterprise foreign wireless controller. When the anchor tunnel is up between the enterprise foreign wireless controller and the guest anchor wireless controller, guest wireless traffic is automatically terminated on the guest-dmz interface of the guest anchor wireless controller. However, if the anchor tunnel is down, guest wireless traffic is terminated on the guest-dmz interface of the enterprise foreign wireless controller. It is a best practice to specify an isolated Layer 2 VLAN for the guest-dmz interface on the enterprise foreign wireless controller, with no DHCP server to supply IP addresses to guest wireless devices. By doing so, if the anchor tunnel is down, guest wireless devices are isolated to a Layer 2 subnet with no network access.
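The addressing entered in Table 21 (HA SSO) and Table 22 (per-SSID interfaces) is easy to get subtly wrong, and a mistake only surfaces after the controllers reboot into HA mode or after the provisioning workflow runs. The following script is an added example for this guide, not Cisco code and not something Catalyst Center runs; it checks the table values offline with the Python standard library before you type them into the GUI: the two Redundancy Management IPs must differ, sit in one subnet and in the wireless management subnet, and each SSID interface must have a usable host address, a gateway inside its subnet, a unique VLAN ID and a subnet that does not overlap another interface (so the guest-dmz VLAN really is isolated from the employee VLAN). The wireless management subnet 10.4.174.0/24 is an assumption, since this section does not state it; replace it with the subnet of your own wireless management interface.

```python
"""Pre-flight checks for the HA SSO and wireless-interface addressing.

Added example; not part of the Cisco guide and not executed by Catalyst Center.
Values come from Table 21 and Table 22 of the guide. The wireless management
subnet is an assumption (the guide only says the RMI addresses must be in it).
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Table 21: High Availability Settings
HA_SETTINGS = {
    "redundancy_management_ip": "10.4.174.132",
    "peer_redundancy_management_ip": "10.4.174.134",
    "netmask_bits": 24,
}

# Assumption (not stated in the guide): subnet of the wireless management interface.
WIRELESS_MGMT_NETWORK = IPv4Network("10.4.174.0/24")

# Table 22: Enterprise Wireless Controller Settings
INTERFACES = [
    {"ssid": "lab3employee", "interface": "employee", "vlan": 160,
     "ip": "10.4.160.2", "gateway": "10.4.160.1", "lag": 1, "mask_bits": 24},
    {"ssid": "lab3guest", "interface": "guest-dmz", "vlan": 125,
     "ip": "10.4.125.2", "gateway": "10.4.125.1", "lag": 1, "mask_bits": 24},
]


def _is_host_address(iface):
    """True if the address is neither the network nor the broadcast address."""
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)


def check_ha(settings, mgmt_network):
    """Return a list of problems with the HA SSO addressing; empty means OK."""
    bits = settings["netmask_bits"]
    rmi = IPv4Interface(f"{settings['redundancy_management_ip']}/{bits}")
    peer = IPv4Interface(f"{settings['peer_redundancy_management_ip']}/{bits}")
    problems = []
    if rmi.ip == peer.ip:
        problems.append("RMI and peer RMI must be different addresses")
    if rmi.network != peer.network:
        problems.append("RMI and peer RMI are not in the same subnet")
    for label, iface in (("RMI", rmi), ("peer RMI", peer)):
        if iface.ip not in mgmt_network:
            problems.append(f"{label} {iface.ip} is outside the wireless "
                            f"management subnet {mgmt_network}")
        if not _is_host_address(iface):
            problems.append(f"{label} {iface.ip} is a network or broadcast address")
    return problems


def check_interfaces(interfaces):
    """Return a list of problems with the per-SSID interface settings; empty means OK."""
    problems = []
    vlan_owner = {}   # VLAN ID -> name of the interface that first claimed it
    networks = []     # (interface name, IPv4Network) already seen
    for entry in interfaces:
        name = entry["interface"]
        iface = IPv4Interface(f"{entry['ip']}/{entry['mask_bits']}")
        gateway = IPv4Address(entry["gateway"])
        if not _is_host_address(iface):
            problems.append(f"{name}: {iface.ip} is a network or broadcast address")
        if gateway not in iface.network:
            problems.append(f"{name}: gateway {gateway} is not in {iface.network}")
        elif gateway == iface.ip:
            problems.append(f"{name}: gateway must differ from the interface address")
        if not 1 <= entry["vlan"] <= 4094:
            problems.append(f"{name}: VLAN ID {entry['vlan']} is out of range")
        elif entry["vlan"] in vlan_owner:
            problems.append(f"{name}: VLAN ID {entry['vlan']} is already used by "
                            f"{vlan_owner[entry['vlan']]}")
        vlan_owner.setdefault(entry["vlan"], name)
        # Overlapping subnets would defeat the Layer 2 isolation of guest-dmz.
        for other_name, other_net in networks:
            if iface.network.overlaps(other_net):
                problems.append(f"{name}: subnet {iface.network} overlaps "
                                f"{other_name} ({other_net})")
        networks.append((name, iface.network))
    return problems


if __name__ == "__main__":
    for label, result in (("HA SSO", check_ha(HA_SETTINGS, WIRELESS_MGMT_NETWORK)),
                          ("interfaces", check_interfaces(INTERFACES))):
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run the script as-is and both checks report OK for the values in this guide; edit the dictionaries to match your own deployment, and any non-empty list tells you which field to correct before clicking Configure HA or Next.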

Step 13

Click Next.

The Advanced Configuration window is displayed. If you have configured a template within the Template Editor for the device type and the site, you can apply the template here. This deployment guide does not discuss the use of templates for advanced configuration of the Catalyst 9800-40 wireless controller HA SSO pair (C9800-40-CVD.cagelab.local).

Step 14