Solution Overview
This guide explains how to use Catalyst Center to deploy and manage a legacy wireless local area network (WLAN) within an enterprise network, using Cisco Catalyst 9800 Series Wireless Controllers, Cisco IOS XE Cupertino 17.12.3.
This guide provides technical guidance to design, deploy, and operate a Cisco WLAN using Catalyst Center.
This guide contains the following main sections:
-
Define the wireless network presents a high-level overview of the campus, remote office, and cloud-based WLAN that is designed and deployed through Catalyst Center.
-
Design the wireless network discusses the integration of Catalyst Center with Cisco Identity Services Engine (Cisco ISE); creation of the site hierarchy—including the importing of floor maps—within Catalyst Center; configuration of various network services necessary for network operations, such as AAA, DNS, DHCP, NTP, SNMP, and Syslog servers; and configuration of wireless settings, including WLANs/SSIDs, VLANs, and RF profiles for the WLAN deployment.
-
Deploy the wireless network discusses discovery of the wireless controllers, managing the software images running on the wireless controllers, configuring HA SSO redundancy on the wireless controllers, provisioning the enterprise and guest wireless controllers within Catalyst Center, joining APs to the enterprise wireless controller HA SSO pair, provisioning the APs within Catalyst Center, and positioning the APs on the floor maps within Catalyst Center.
-
Monitor and operate the wireless network discusses how to use Assurance to monitor and troubleshoot the WLAN deployment.
The audience for this guide includes network design engineers and network operations personnel who want to use Catalyst Center to deploy a Cisco WLAN within their wireless networks.
Note |
Cisco DNA Center has been rebranded as Catalyst Center. During the rebranding process, you will see both names used in different collaterals, but both names refer to the same product. |
Prerequisites
Before you can deploy and manage a legacy WLAN within an enterprise network, Catalyst Center must be installed and properly configured. For more information about installing and configuring Catalyst Center, see the Catalyst Center Installation Guide.
The following table displays the round-trip time (RTT) requirements between Catalyst Center and the specified network elements.
The latency between the Catalyst Center appliance and a managed device should be ~100 milliseconds RTT or less. After 100 milliseconds, longer execution times could be experienced for certain events, such as inventory collection, provisioning, and image update (SWIM). Cisco does not support an RTT of more than 300 milliseconds. For more details on RTT and supported scale, see the Catalyst Center Data Sheet.
Source Device | Target Device | Maximum RTT Supported |
---|---|---|
Catalyst Center Node |
Catalyst Center Node |
10 milliseconds |
Catalyst Center Node |
Cisco ISE |
300 milliseconds |
Catalyst Center Node |
Wireless Controller |
200 milliseconds |
Wireless Controller |
Access Points |
20 milliseconds (local mode) |
Wireless Controller |
Access Points |
300 milliseconds (flex mode) |
Wireless Controller |
Cisco ISE |
100 milliseconds |
Wireless Controller Model | Maximum Number of APs | Maximum Number of Clients |
---|---|---|
Catalyst 9800-L |
250 |
5000 |
Catalyst 9800-40 |
2000 |
32,000 |
Catalyst 9800-80 |
6000 |
64,000 |
Catalyst 9800-CL (4 CPU/8 GB RAM) |
1000 |
10,000 |
Catalyst 9800-CL (6 CPU/16 GB RAM) |
3000 |
32,000 |
Catalyst 9800-CL (10 CPU/32 GB RAM) |
6000 |
64,000 |
SKU | DN-SW-APL/DNA-SW-OVA | DN2-HW-APL | DN2-HW-APL-L | DN2-HW-APL-XL |
---|---|---|---|---|
Legacy Devices (switch, router, wireless controller) |
1000 |
1000 |
2000 |
5000 |
Legacy Wireless Access Points |
4000 |
4000 |
6000 |
13,000 |
Wireless Sensors |
600 |
600 |
800 |
1600 |
Concurrent Endpoints |
25,000 |
25,000 |
40,000 |
100,000 |
Transient Endpoints (over a 14-day period) |
250,000 |
250,000 |
400,000 |
1,000,000 |
Ratio of Endpoints to Wired |
Any |
Any |
Any |
Any |
Ratio of Endpoints to Wireless |
Any |
Any |
Any |
Any |
Site Elements |
2500 |
2500 |
5000 |
10,000 |
Wireless Controller |
500 |
500 |
1000 |
2000 |
Ports |
48,000 |
48,000 |
192,000 |
768,000 |
API Rate Limit (APIs/minute) |
50 |
50 |
50 |
50 |
NetFlow (flows/second) |
30,000 |
30,000 |
48,000 |
120,000 |
Concurrent Software Image Updates |
100 |
100 |
100 |
100 |
Description | Supported Scale |
---|---|
Devices (switch, router, wireless controller) |
10,000 |
Wireless Access Points |
25,000 |
Concurrent Endpoints |
300,000 |
Transient Endpoints (over a 14-day period) |
3,000,000 |
NetFlow (flows/second) |
250,000 |
Number of Floors (per wireless controller) |
1000 |
Required Network Ports
Catalyst Center requires that specific ports are open for traffic flows to and from the appliance, whether you open them using firewall settings or a proxy gateway. For more information, see the "Required Network Ports" topic in the Catalyst Center Second-Generation Appliance Installation Guide.
Certificate Management for Catalyst Center
By default, Catalyst Center uses self-signed certificates, but you can use a certificate that is signed by your internal certificate authority during deployment. To replace the default certificate, see the "Manage Certificates" topic in the Catalyst Center Security Best Practices Guide.
Define the Wireless Network
This section presents a high-level overview of the campus, remote office, and cloud-based WLAN that is designed and deployed through Catalyst Center.
There are three scenarios that outline three types of typical, legacy wireless deployments. In the first scenario, a campus wireless deployment with APs in local mode uses wireless controllers in a high availability (HA) configuration; the wireless controllers are located in the same campus building. In the second scenario, a remote office wireless deployment with APs in flex mode uses wireless controllers in an N+1 configuration; the wireless controllers are located in the data center. In the third scenario, a wireless network for a corporate event uses a wireless controller that is hosted in a cloud environment, such as Amazon Web Services (AWS).
Campus Wireless Deployment
The campus wireless deployment uses a pair of Cisco Catalyst 9800-40 Wireless Controllers in a high availability (HA) SSO configuration. Located on multiple floors within multiple buildings of the campus, the wireless controller pair functions as the enterprise wireless controller for access points (APs) in local mode. Wireless guest access is provided through a separate Cisco Catalyst 9800-CL Wireless Controller, which functions as a traditional guest wireless controller and is anchored to the enterprise (foreign) wireless controller.
The design and deployment of the WLAN is fully automated, utilizing intent-based networking (IBN). Catalyst Center is designed for IBN and provides a level of abstraction from the device-level user interface.
Note |
In the production environment, the guest anchor wireless controller is typically connected to a DMZ segment off of a firewall to separate guest wireless traffic from internal employee traffic. In such designs, the firewall policy must be configured to allow the necessary traffic between the enterprise foreign wireless controller and the guest anchor wireless controller. |
The campus wireless deployment includes the following features:
-
Site hierarchy consisting of a single area (Milpitas) and multiple buildings (Building 23 and Building 24), each with multiple floors (Floor 1 and Floor 2)
-
Legacy, centralized campus wireless deployment in which all wireless traffic is backhauled to the wireless controller
-
Enterprise SSID and guest SSID
-
A single pair of enterprise Catalyst 9800-40 Wireless Controllers in an HA SSO configuration
-
Guest wireless access through a dedicated guest Catalyst 9800-CL Wireless Controller, which is auto-anchored to the enterprise HA SSO wireless controller pair
Note |
The Catalyst Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config. This guide discusses the specific wireless controller features that can be configured in Catalyst Center. |
Wireless controllers must be assigned to sites during the Catalyst Center provisioning process. For this deployment guide, a Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40) will be assigned to Building 23 within the Milpitas area. There can only be one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning that only one enterprise wireless controller can be provisioned per floor within Catalyst Center. The APs on Floor 1 and Floor 2 within Building 23 and the APs on Floor 1 within Building 24 will be provisioned to C9800-40 through Catalyst Center.
Remote Office Wireless Deployment
The remote office wireless deployment uses a pair of Cisco Catalyst 9800-40 Wireless Controllers in a high availability (HA) N+1 configuration. Located on multiple floors within a remote office building, the wireless controller pair functions as the enterprise wireless controller for access points (APs) in flex mode. Wireless guest access is locally switched, and employee (nonguest) wireless traffic is centrally switched. All authentication, whether for employee (WPA2/802.1X) or guest (WebAuth) wireless traffic, is centrally performed through Cisco ISE, highlighting the use of Cisco ISE as both a AAA server and a guest portal.
The design and deployment of the WLAN is fully automated, utilizing intent-based networking (IBN). Catalyst Center is designed for IBN and provides a level of abstraction from the device-level user interface.
Note |
Alternate designs for guest wireless traffic, including local termination with Direct Internet Access (DIA) at the remote office, may be implemented when combining WLAN functionality with Cisco SD-WAN. For more information, see Cisco SD-WAN: Enabling Direct Internet Access. |
The remote office wireless deployment includes the following features:
-
Site hierarchy consisting of a single area (New York) and a single building (Branch 5) with multiple floors (Floor 1, Floor 2, and Floor 3)
-
Legacy, flex mode in which data traffic is centrally switched for the enterprise SSID and locally switched for the guest SSID
-
Enterprise SSID and guest SSID
-
A single pair of enterprise Catalyst 9800-40 Wireless Controllers in an HA N+1 configuration
Note |
The Catalyst Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles or the model config. |
The wireless controllers must be assigned to sites during the Catalyst Center provisioning process. For this deployment guide, a Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40) will be assigned to Branch 5 within the New York area, even though the pair is physically located in the data center. There can be only one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning only one enterprise wireless controller can be provisioned per floor within Catalyst Center. The APs on Floor 1 and Floor 2 within Branch 5, New York will be provisioned to C9800-40 through Catalyst Center.
The provisioning time of wireless controllers and APs under scale depends on factors such as the type of day-n operation, the number of site tags, the high availability deployment type (such as SSO or N+1), the number of SSIDs broadcasted by the APs, and the Catalyst Center model.
Day-n operations such as RF profile changes and AP zone modifications require APs to be provisioned, which takes around 1.5 minutes per AP. All other day-n operations—such as adding SSIDs, modifying SSIDs, or making VLAN changes—require only wireless controller provisioning, which depends on the scale of the network. For large deployments with more than 100 sites with unique site tags, you could choose to split those sites into multiple wireless network profiles and attach all of those to the common wireless controller. Doing so provides greater flexibility to stagger rollout of changes—such as changing existing SSID parameters or adding new SSIDs—from a single wireless controller to a large number of sites.
One example of a day-n operation is enabling Fast Transition on SSIDs and changing the AP RF profile. In an N+1 deployment of 124 branches with one AP per branch and a DN1-HW-APL appliance, the operation takes 30 minutes. The following table summarizes the data.
Catalyst Center Model | Catalyst Center Version | Deployment | Preview Time for Wireless Controller and AP | Provision Time for Wireless Controller and AP |
---|---|---|---|---|
DN1-HW-APL |
2.3.5.6 |
124 branches with 1 AP per branch, N+1 and 16 SSIDs |
23 minutes |
29 minutes |
DN1-HW-APL |
2.3.7.6 |
124 branches with 1 AP per branch, N+1 and 16 SSIDs |
22 minutes |
29 minutes |
Wireless Controller Hosted on AWS Deployment
This wireless deployment uses a Cisco Catalyst 9800-CL Wireless Controller hosted on Amazon Web Services (AWS). Located on an event center floor, the wireless controller is configured as the enterprise wireless controller for access points (APs) in flex mode. All authentication, whether for employee (WPA2/802.1X) or guest (WebAuth) wireless traffic, is centrally performed through Cisco ISE and located in the data center.
Catalyst Center is designed for IBN and provides a level of abstraction from the device-level user interface.
This wireless deployment includes the following features:
-
Site hierarchy consisting of a single area (San Jose) with an event center (Eventcenter) that has a single floor (Eventcenterfloor)
-
Legacy, flex wireless deployment where all wireless traffic is backhauled to the wireless controller
-
Flex mode in which data traffic is locally switched
-
Enterprise SSID and corporate special event SSID
-
A Catalyst 9800-CL Wireless Controller hosted on AWS
Note |
The Catalyst Center CLI templates can be used to configure anything that cannot be configured through the intent-based profiles and/or the model config. |
The wireless controllers must be assigned to sites during the Catalyst Center provisioning process. For this deployment guide, a Catalyst 9800 Wireless Controller (C9800-CL) on AWS will be assigned to Eventcenter within the San Jose area. There can be only one primary enterprise (nonguest) wireless controller for the APs on a floor at a given time, meaning only one enterprise wireless controller can be provisioned per floor within Catalyst Center. The APs on Eventcenterfloor within Eventcenter will be provisioned to C9800-CL on AWS through Catalyst Center.
Migration from the Legacy Network
This section provides an overview of the following migrations from the legacy network, using Cisco AireOS Wireless Controller or Cisco Prime Infrastructure:
-
Legacy Cisco AireOS Wireless Controller to Cisco Catalyst 9800 Series Wireless Controller
-
Cisco Prime Infrastructure to Catalyst Center
Migrate APs from a Legacy Cisco AireOS Wireless Controller to a Cisco Catalyst 9800 Series Wireless Controller
This section explains how to migrate APs from a legacy Cisco AireOS Wireless Controller to a Cisco Catalyst 9800 Series Wireless Controller. For this migration, the minimum AireOS version that is required is 8.5, with support for IRCM. For a detailed migration document, see here.
Procedure
Step 1 |
Add a temporary floor to the legacy site, which is managed by the Cisco AireOS Wireless Controller. |
||
Step 2 |
Discover the Catalyst 9800 Series Wireless Controller and provision the wireless controller to the legacy site that manages the newly added floor. |
||
Step 3 |
Enter the interface details, such as VLAN for legacy flow. |
||
Step 4 |
Configure a mobility tunnel between the Cisco AireOS Wireless Controller and the Catalyst 9800 Series Wireless Controller. |
||
Step 5 |
Migrate the APs to the Catalyst 9800 Series Wireless Controller using one of the following methods:
|
||
Step 6 |
(Optional) Remove the Cisco AireOS Wireless Controller from the inventory using the config cleanup option. |
Migrate from Cisco Prime Infrastructure to Catalyst Center
Before you begin
-
Using the Cisco Prime Infrastructure and Catalyst Center Compatibility Matrix, identify the Prime Data Migration Tool (PDMT) release that is compatible with your version of Catalyst Center.
-
Download the compatible PDMT release using the Cisco Software Download Tool.
Procedure
Step 1 |
Perform a readiness check using the Cisco Prime Infrastructure Catalyst Center Assessment and Readiness Tool (PDART). For more information about using PDART, see Use PDART - a Catalyst Center Readiness Tool. |
Step 2 |
Once you have assessed the readiness of the migration, use the PDMT to migrate your sites and devices from Cisco Prime Infrastructure to Catalyst Center. |
Design the Wireless Network
Ensure that the prerequisites are met, as described in Prerequisites.
This section contains the following topics and processes:
-
Integrate Cisco Identity Services Engine (ISE) with Catalyst Center
-
Cisco ISE and third-party AAA server
-
Configure the site hierarchy in Catalyst Center
-
Configure network services for network operation
-
Campus wireless deployment settings
-
Remote office wireless deployment settings
-
Design the Cisco Catalyst 9800-CL Wireless Controller hosted on AWS
Integrate Cisco ISE with Catalyst Center
The integration of Cisco Identity Services Engine (ISE) with Catalyst Center enables the sharing of information between the two platforms, including device and group information. Specific to this guide, the integration allows you to create a guest portal in Cisco ISE through a workflow in Catalyst Center. The guest portal is created when the guest wireless network is defined within a wireless profile in Catalyst Center. For more information, see Campus Wireless Deployment Settings.
Use the following procedures to integrate Cisco ISE with Catalyst Center:
-
Configure Cisco ISE as an authentication policy server
See Configure Cisco ISE as an Authentication and Policy Server to Catalyst Center.
-
Allow pxGrid connectivity from Catalyst Center into Cisco ISE
See the "Cisco pxGrid Cloud and Cisco ISE Integration" topic in the Cisco pxGrid Cloud Solution Guide.
Cisco ISE and Third-Party AAA Server
Even though Catalyst Center supports third-party AAA servers for RADIUS and TACACS+ authentications, Cisco ISE provides additional analytics for endpoints.
Configure Cisco ISE as an Authentication and Policy Server to Catalyst Center
Before you begin
Procedure
Step 1 |
Log in to the Catalyst Center web console using an IP address or a fully qualified domain name. Example: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 2 |
From the top-left corner, click the menu icon and choose . |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 3 |
In the left pane, from the External Services drop-down list, choose Authentication and Policy Servers. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 4 |
From the Add drop-down list, choose ISE. The Add ISE server slide-in pane is displayed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 5 |
Enter the server details in the required fields. The following table describes the fields in the Add ISE server slide-in pane.
For this design and deployment guide, the following information was entered.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 6 |
Click Add to create the Cisco ISE server within Catalyst Center. The ISE server Integration slide-in pane displays a message about accepting the Cisco ISE certificate and establishing trust. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 7 |
Click Accept. After the integration is complete, the Authentication and Policy Servers window is displayed. The new Cisco ISE server should display an ACTIVE status. If you want to change any server settings, hover your cursor over the ellipsis icon () in the Actions column and choose Edit. |
Configure Site Hierarchy and Import Floor Maps
The configuration of the site hierarchy includes defining the network sites for deployment and defining the hierarchical relationships of the network sites, which consist of areas, buildings, and floors. Child sites automatically inherit certain attributes from parent sites, but you can override the attributes within the child site.
The following table summarizes the site hierarchy for this guide. A single area (Milpitas) is provisioned, containing multiple buildings (Buildings 23 and Building 24) with multiple floors (Floor 1 and Floor 2).
Name | Type of Site | Parent | Additional Information |
---|---|---|---|
Milpitas |
Area |
Global |
— |
Building 23 |
Building |
Milpitas |
Address: 560 McCarthy Boulevard, Milpitas, California 95035 |
Building 24 |
Building |
Milpitas |
Address: 510 McCarthy Boulevard, Milpitas, California 95035 |
Floor 1 |
Floor |
Building 23 |
Dimensions: 200 ft. x 274 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair. |
Floor 2 |
Floor |
Building 23 |
Dimensions: 200 ft. x 274 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair. |
Floor 1 |
Floor |
Building 24 |
Dimensions: 200 ft. x 250 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair. |
Floor 2 |
Floor |
Building 24 |
Dimensions: 200 ft. x 250 ft. x 10 ft. APs on this floor are provisioned to the Cisco Catalyst 9800 Series Wireless Controller HA pair. |
This section contains the following processes:
-
Create an area
-
Create a building within an area
-
Create a floor in a building
-
Create and position a planned AP by using the Catalyst Center GUI or by importing from Cisco Prime Infrastructure or Ekahau
Create an Area
Before you begin
To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.
Procedure
Step 1 |
Login to the Catalyst Center web console using an IP address or a fully qualified domain name. Example: |
Step 2 |
From the top-left corner, click the menu icon and choose . The Network Hierarchy window is displayed. If this is the first time you have configured the network hierarchy, the left hierarchy pane may only display a single Global entry. |
Step 3 |
Click .The Add Area dialog box is displayed. |
Step 4 |
In the Add Area dialog box, from the Parent drop-down list, enter the Area Name and choose the desired parent. For this deployment guide, choose Global for the Parent and create an area named Milpitas within an area named US. |
Step 5 |
Click Add. |
Create a Building Within an Area
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
Click .The Add Building dialog box is displayed. |
Step 3 |
In the Add Building dialog box, enter the Building Name and choose the desired area from the Parent drop-down list. For this deployment guide, enter Building 23 for the Building Name. For the Parent, choose Milpitas | Global/US. |
Step 4 |
Enter the building address or GPS coordinates using one of the following methods:
For this deployment guide, enter the address 560 McCarthy Boulevard, Milpitas, California 95035, which is configured for Building 23. |
Step 5 |
Click Add. For this deployment guide, repeat Step 1 through Step 5 to add a second building, Building 24, to the Milpitas area. |
Create a Floor in a Building
AP locations and wireless coverage (heatmaps) can be displayed from the floor maps. Floors are referenced during wireless provisioning.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
Step 2 |
Click .The Add Floor dialog box is displayed. |
||
Step 3 |
In the Add Floor dialog box, enter the Floor Name and choose the desired area from the Site drop-down list. For this deployment guide, enter Floor 1 for the Floor Name. For the Site, choose Milpitas | Global/US, and for the Building, choose Building 23 | Global/US/Milpitas/. |
||
Step 4 |
Choose the appropriate space type from the Type (RF Model) drop-down list and enter the associated Floor Number. |
||
Step 5 |
Choose the appropriate floor type from the Floor Type drop-down list and enter the associated Thickness (ft). |
||
Step 6 |
Add the floor plan to the Floor Image area using one of the following methods:
|
||
Step 7 |
Click the Width (ft) radio button and enter the floor width in feet. |
||
Step 8 |
Click the Length (ft) radio button and enter the floor length in feet. |
||
Step 9 |
In the Height (ft) field, enter the ceiling height in feet.
For this deployment guide, enter 200 for the Width (ft). For the Length (ft), enter 275, and for the Height (ft), enter 10. |
||
Step 10 |
Click Add. For this deployment guide, repeat Step 1 through Step 10 three times to add Floor 2 to Building 23, Floor 1 to Building 24, and Floor 2 to Building 24. |
Create and Position a Planned AP in Catalyst Center
There are three ways to get a planned AP on a floor map:
-
Create a planned AP in Catalyst Center UI
-
Import a map that has been exported from Cisco Prime Infrastructure
-
Import a map that has been exported from Ekahau
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
In the left hierarchy pane from the Global drop-down list, choose the desired floor for the AP. |
Step 3 |
Click Add/Edit. |
Step 4 |
From the Planned AP Models drop-down list, click Add model. |
Step 5 |
In the Select AP models to add dialog box, choose the AP model from the drop-down list. |
Step 6 |
Click Add AP models. |
Step 7 |
From the Planned AP Models drop-down list, choose the desired AP model. |
Step 8 |
In the floor map, move your cursor to the desired location of the AP and click the location. |
Step 9 |
In the Edit Planned AP slide-in pane, ensure the Planned AP Name matches the real AP host name. If a red octagon with an X is displayed, choose an Antenna from the Antenna drop-down list. |
Step 10 |
Click Save. |
Import a Map from Cisco Prime Infrastructure
Before you begin
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
In the left hierarchy pane, choose Global. Cisco Prime Infrastructure maps can be imported at the level. |
Step 3 |
Click . |
Step 4 |
In the Import Maps dialog box, import the map using one of the following methods:
|
Step 5 |
Click Import. |
Export a Map from Catalyst Center as an Ekahau Project File
To create and position a planned AP using Ekahau, first create the sites in Catalyst Center and export the sites as an Ekahau project. Then, create the planned AP in Ekahau and save the AP as an Ekahau project. Finally, import the Ekahau project back into Catalyst Center.
Note |
You can only export an Ekahau project file at a non-nested site level, which means there can be only one site with buildings within the chosen site. |
The following steps explain this process:
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
In the left hierarchy pane, choose the appropriate site for your map. For this deployment guide, choose Milpitas. |
Step 3 |
Hover your cursor over the ellipsis icon () and choose Export Maps. |
Step 4 |
In the Export Maps dialog box, enter the desired file name and click the Ekahau Project radio button. |
Step 5 |
Click Export. |
Import a Map from Ekahau
Before you begin
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
In the left hierarchy pane, choose the appropriate site for your map. For this deployment guide, choose Milpitas. |
Step 3 |
Hover your cursor over the ellipsis icon () and choose Import Ekahau Project. |
Step 4 |
In the Import Ekahau Project dialog box, import the map using one of the following methods:
|
Step 5 |
Click Import. |
Configure Network Services for Network Operation
This section explains how to configure AAA, DHCP, DNS, NTP, SNMP, and syslog services that align with the site hierarchy in Catalyst Center. If the services use the same servers across the entire site hierarchy, you can configure the services globally. The inheritance properties of the site hierarchy allow global settings to be available to all sites. Differences for individual sites can then be applied on a site-by-site basis. This guide shows the network services created globally.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||||||||||||||||||||||||||
Step 2 |
In the left hierarchy pane, choose Global. |
||||||||||||||||||||||||||
Step 3 |
Click + Add Servers. |
||||||||||||||||||||||||||
Step 4 |
In the Add Servers dialog box, check the AAA check box and the NTP check box. This guide does not require the deployment of Image Distribution or Stealthwatch Flow Destination, so do not check the Image Distribution check box or the Stealthwatch Flow Destination check box. |
||||||||||||||||||||||||||
Step 5 |
Click OK. An AAA server and an NTP server are now displayed in the Network window. |
||||||||||||||||||||||||||
Step 6 |
Configure the relevant fields for the AAA Server. For both network devices and wireless clients, this design and deployment guide uses Cisco ISE as the AAA server (which uses the RADIUS protocol). For this guide, the following fields were configured for the AAA Server.
|
||||||||||||||||||||||||||
Step 7 |
Configure the relevant fields for the DHCP Server. This design and deployment guide uses a single Microsoft Active Directory (AD) server, which functions as both the DNS and DHCP servers for the network. For this guide, the following field was configured for the DHCP Server.
|
||||||||||||||||||||||||||
Step 8 |
Configure the relevant fields for the DNS Server. Because this design and deployment guide uses a lab network, the DNS Server configuration only used a single DNS domain. For this guide, the following fields were configured for the DNS Server.
|
||||||||||||||||||||||||||
Step 9 |
Configure the relevant fields for the NTP Server. For production networks, multiple NTP servers can be added for resiliency and accuracy. Time synchronization within a network is essential for any logging functions, as well as secure connectivity such as SSH. Because this design and deployment guide uses a lab network, the NTP Server configuration only used a single NTP server. For this guide, the following fields were configured for the NTP Server.
|
||||||||||||||||||||||||||
Step 10 |
Choose the desired time zone from the Time Zone drop-down list. Because this design and deployment guide uses a lab network, a single time zone is used for the site hierarchy. In a production network, each site within the site hierarchy would reflect the time zone of the location. |
||||||||||||||||||||||||||
Step 11 |
For the Message of the day, check the Do not overwrite the existing MOTD banner on the device check box or enter your desired message in the text box. The Message of the day field controls the message displayed when logging in to the network device. This setting is not applicable to this design and deployment guide, so for this guide, the check box was checked for Do not overwrite the existing MOTD banner on the device. |
||||||||||||||||||||||||||
Step 12 |
Click Save. |
||||||||||||||||||||||||||
Step 13 |
At the top of the window, click Telemetry. |
||||||||||||||||||||||||||
Step 14 |
From SNMP Traps, configure the SNMP trap server. This design and deployment guide uses Catalyst Center as the SNMP server. If you check the Use Catalyst Center as SNMP trap server check box, SNMP trap information will be sent to Catalyst Center for Cisco AI Network Analytics. For this guide, the following fields were configured for the SNMP server.
|
||||||||||||||||||||||||||
Step 15 |
From Syslogs, configure the syslog server. This design and deployment guide uses Catalyst Center as the syslog server. If you check the Use Catalyst Center as syslog server check box, syslog information will be sent to Catalyst Center for Cisco AI Network Analytics. For this guide, the following fields were configured for the syslog server.
|
||||||||||||||||||||||||||
Step 16 |
Click Save. |
Campus Wireless Deployment Settings
To configure the campus wireless deployment settings, you need to create the following in Catalyst Center:
-
Wireless interfaces: The Ethernet interfaces (VLANs) that are used for terminating wireless traffic.
-
Enterprise wireless networks: Consist of the nonguest WLANs/SSIDs for the deployment.
-
Guest wireless networks: Consist of the guest WLANs/SSIDs for the deployment.
-
Wireless radio frequency (RF) profiles: Includes the radio frequency profiles for the deployment.
-
Wireless sensor settings: Wireless sensors provide the ability to run diagnostic tests on the WLAN and perform packet captures. For information about wireless sensors, see Monitor and Operate the Wireless Network.
-
CMX servers: Integration with CMX servers allows the location of wireless clients to be displayed on floor maps. For information about integration with CMX servers, see Monitor and Operate the Wireless Network.
-
Native VLAN: The native VLAN configuration is specific to FlexConnect Access Point (AP) deployments.
Note
This deployment guide describes a wireless network with APs that operate in the centralized (local) mode.
Recommendations
When configuring the campus wireless deployment settings, consider the following recommendations:
-
Similar to any production deployment, you must place the APs in a VLAN that is different from the Wireless Management Interface (WMI). If you must configure the APs in the same VLAN as the WMI for staging or testing purposes, Cisco recommends that you limit the number of APs to less than 100.
-
For APs in local mode, the round-trip latency must not exceed 20 milliseconds between the access point and the controller.
-
Use PortFast on AP switch ports for APs in local mode, supporting only the central switched WLANs. To configure the switch port for PortFast, set the port to be connected as a host port, using the switch port host command or the PortFast command. This configuration allows for a faster AP join process. There is no risk of loops, as the local mode APs never directly bridge traffic between VLANs. You can set the port directly on access mode.
-
For APs in Flex mode and local switching, the switch port needs to be in trunk mode for most scenarios. In such cases, use spanning-tree portfast trunk on the switch port.
-
To optimize the TCP client traffic encapsulation in CAPWAP, Cisco recommends that you always enable the TCP Maximum Segment Size (MSS) feature, as it can reduce the overall amount of CAPWAP fragmentation, thereby improving the overall wireless network performance. You must adjust the MSS value depending on the traffic type and Maximum Transmission Unit (MTU) of the Cisco Wireless Controller-to-AP path.
-
In the Cisco Catalyst 9800 Series Wireless Controller, TCP MSS adjust is enabled by default, with a value of 1250 bytes, which is considered an acceptable value for most deployments. You can further optimize the value depending on your setup. You must configure directly on the wireless controller or via the Template Hub.
Configure Wireless Interfaces
In Catalyst Center, the enterprise and guest WLANs terminate on the Ethernet VLAN interfaces. For this design and deployment guide, the following table shows the wireless interfaces created for the enterprise and guest WLANs.
Name | VLAN | Usage |
---|---|---|
employee |
160 |
Employee voice and data VLAN |
guest-dmz |
125 |
Guest data VLAN |
flex |
100 |
Flex client VLAN |
Before you begin
To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.
Procedure
Step 1 |
Log in to Catalyst Center using an IP address or a fully qualified domain name. For example: https://<Catalyst_Center_IPaddr_or_FQDN>. |
||
Step 2 |
From the top-left corner, click the menu icon and choose . The Wireless Network Settings tiles are displayed. |
||
Step 3 |
Click Interfaces & VLAN Groups.
|
||
Step 4 |
Click + Add next to Wireless Interfaces. The Create a Wireless Interface slide-in pane is displayed. |
||
Step 5 |
Enter the Interface Name and VLAN ID for the wireless interface corresponding to the enterprise VLAN (employee). |
||
Step 6 |
Click Add. Repeat this procedure to add the wireless interface for the guest VLAN (guest-dmz). The two new wireless interfaces are displayed in the Wireless Network Settings dashboard. |
Configure Enterprise Wireless SSID
Enterprise wireless networks are the nonguest WLANs/SSIDs that are available for broadcast across the deployment, and you must define these wireless networks at the global level of the site hierarchy. Once defined, you can apply the enterprise wireless networks to wireless profiles, and then you can assign wireless profiles to one or more sites within the hierarchy.
Note |
We recommend limiting the number of Service Set Identifiers (SSIDs) configured on the controller. You can configure 16 simultaneous WLANs/SSIDs (per radio on each AP). Each WLAN/SSID needs separate probe responses and beaconing transmitted at the lowest mandatory rate, and the RF pollution increases as more SSIDs are added. Some smaller wireless stations such as PDAs, Wi-Fi phones, and barcode scanners cannot cope with a high number of Basic SSIDs (BSSIDs) over the air, resulting in lockups, reloads, or association failures. We recommend that you have one to three SSIDs for an enterprise and one SSID for high-density designs. By using the AAA override feature, you can reduce the number of WLANs/SSIDs while assigning individual per user VLAN/settings in a single SSID scenario. |
For this deployment guide, a single enterprise WLAN/SSID named lab3employee is provisioned.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
Step 2 |
Click SSIDs. |
||
Step 3 |
Hover your cursor over + Add and choose Enterprise. |
||
Step 4 |
Enter the Basic Settings information and click Next. |
||
Step 5 |
Enter the Security Settings information. |
||
Step 6 |
To configure the AAA server, click Configure AAA. |
||
Step 7 |
Enter the configuration values and click Configure. |
||
Step 8 |
Choose AAA Override, choose 802.1x-SHA256 (802.1X-SHA2), and click Next. |
||
Step 9 |
Enter the Advanced Settings information.
For information about features that can be configured for enterprise wireless networks via Catalyst Center, see Enterprise Wireless Network Features Configurable via Catalyst Center. |
||
Step 10 |
Click Next to associate the feature template. (For this document, no special templates are selected.( The Associate Model Config to SSID page is displayed. For the SSID in this deployment guide, there is no model config. |
||
Step 11 |
Click Next. |
||
Step 12 |
On the Associate SSID to Profile page, either attach the enterprise wireless network to an existing wireless profile or create a new wireless profile and attach the enterprise wireless network.
To attach the enterprise network to an existing network profile, do the following: To create a new wireless profile and attach the enterprise network, do the following: |
||
Step 13 |
Click Next. |
||
Step 14 |
Review the summary for the Network Profile and click Save. |
||
Step 15 |
From the top-left corner, click the menu icon and choose . |
||
Step 16 |
In the Network Profiles table, from the Sites column, click Assign Site for your desired profile. For this deployment guide, click Assign Site for the newly created wireless profile, corporate. |
||
Step 17 |
In the Add Sites to Profile slide-in pane, expand the Global section and its subsections to display the Milpitas area. |
||
Step 18 |
Check the Milpitas check box. All of the Milpitas child site locations are automatically selected: Building 23 with Floor 1, Floor 2, and Floor 3 and Building 24 with Floor 1, Floor 2, and Floor 3. |
||
Step 19 |
Click Save. |
||
Step 20 |
Click Edit under summary of Network Profiles Attach Template(s) to add CLI-based templates to the enterprise wireless network configuration.
|
||
Step 21 |
Click Save. The Corporate wireless profile is assigned to the Milpitas area. The wireless profile contains the lab3employee SSID, so when wireless controllers and APs are assigned to the Milpitas area, the APs will broadcast the lab3employee SSID. |
||
Step 22 |
Click Finish to add the lab3employee enterprise wireless network. The new enterprise wireless network is displayed in the Wireless Network Settings dashboard. For information about configuring overrides, see Define Site Override Support. |
Enterprise Wireless Network Features Configurable via Catalyst Center
Feature | Type | Description | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
Wireless Network Name (SSID) |
Text Field |
The SSID for the WLAN. |
||||||||
WLAN Profile Name |
Text Field |
Catalyst Center considers SSID_Profile to be the default, which is based on the SSID name. You can change the WLAN profile name as per your requirements. |
||||||||
Policy Profile Name |
Non Editable |
Policy Profile Name is the same as the WLAN Profile Name and is not editable. Based on the WLAN profile name, Catalyst Center automatically generates the policy profile name for the Cisco Catalyst 9800 Series Wireless Controller. |
||||||||
BROADCAST SSID |
On/Off Toggle |
Determines whether the SSID will be broadcast in wireless beacons and probe responses. |
||||||||
SSID STATE |
On/Off Toggle |
Use the toggle button to turn on or turn off the radios on the APs. When the Admin Status is disabled, the APs remain associated with the wireless controller and are accessible, but the APs still require licenses. |
||||||||
Sensor |
On/Off Toggle |
Ensure that Sensor is disabled. |
||||||||
WIRELESS OPTION |
Radio Button |
Determines in which RF bands the SSID will be broadcast. The following wireless options are available:
|
||||||||
LEVEL OF SECURITY |
Radio Button |
Determines the Layer 2 (L2) security settings for the WLAN. Choose the encryption and authentication type for the network. The sites, buildings, and floors inherit settings from the global hierarchy. You can override the level of security at the site, building, or floor level. The following choices are available:
|
||||||||
Primary Traffic Type |
Drop Box |
For Catalyst 9800 Series Wireless Controllers, the setting applies a precious metals QoS SSID policy in both the upstream and downstream direction for the WLAN/SSID. Precious metals policies control the maximum DSCP marking within the CAPWAP header as traffic is tunneled between the AP and the Cisco Wireless Controller in centralized (local mode) designs. The following choices are available:
|
||||||||
Fastlane |
Check Box |
You can check this check box only when the type of Enterprise Network is Voice and Data. For the Catalyst 9800 Series Wireless Controller, the Fastlane check box enables Auto QoS in Fastlane mode. Auto QoS in Fastlane mode configures the Fastlane EDCA profile for both the 5 GHz and 2.4 GHz bands. However, no precious metals QoS SSID policy is applied to the WLAN/SSID when the Fastlane check box is selected. |
||||||||
Configure AAA |
Link |
Click Configure AAA to add and configure the AAA servers for the enterprise wireless network SSID. Select the Authentication, Authorization, and Accounting server from Drop Box. Click + to add a server.
From the Additional Server drop-down list, choose the server IP address. To use the AAA server for accounting, check the Copy Same Servers for Accounting check box. To configure a different accounting server for an SSID, do the following:
Catalyst Center allows you to override the set of AAA server configurations for the SSID at the site level. For each set of overridden AAA settings per SSID, Catalyst Center creates a new WLAN profile with the corresponding AAA servers mapped to it. If an SSID is overridden for different floors, and you make changes in the AAA servers, Catalyst Center creates the new WLAN profiles equal to the number of floors. You must reprovision the device to override the AAA servers at the site level. |
||||||||
Deny RCM Clients |
Check Box |
Check the check box to deny clients with randomized MAC addresses. |
||||||||
Mac Filtering |
Check Box |
This is an additional L2 security settings that applies MAC address filtering for the WLAN. |
||||||||
AAA Override |
Check Box |
Check box to enable the AAA override functionality. By default, this check box is dimmed. You must configure an AAA server using the Configure AAA option to use this check box. |
||||||||
Enable Posture |
Check Box |
Check this check box to enable posture assessment. The Pre-Auth ACL List Name drop-down list appears when you enable posture. Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies. This allows you to control clients' access to protected areas of a network. |
||||||||
Pre-Auth ACL List Name |
Drop Box |
Choose the ACL list name that you already created to map with the SSID.
|
||||||||
Advanced Settings – FAST TRANSITION (802.11r) |
Radio Button and Check Box |
Additional L2 security settings for the WLAN that controls 802.11r Fast Transition (FT). The following radio button choices are available:
Over the DS: Check box that enables Over-the-DS (Distribution System) Fast Transition. With Over-the-DS Fast Transition, the wireless station communicates with the target AP through the current AP, which is then forwarded through the wireless controller. The Cisco-Apple best practice is to disable Over-the-DS, even though the default is enabled. |
||||||||
Advanced Settings – Protected Management Frame (802.11w) |
Radio Button |
The options available under Protected Management Frame (802.11w) vary based on the settings that you chose under Level of Security. The following options may be available:
The Required option is mandatory for WPA3. |
||||||||
Advanced Settings – Session timeout |
Check Box and Integer Field |
Configures the maximum time for a client session to remain active before requiring reauthorization. The range is between 300 and 86,400 seconds (5 minutes and 24 hours). The default is enabled with a time of 1800 seconds (30 minutes). |
||||||||
Advanced Settings – Client Exclusion |
Check Box and Integer Field |
Configures the amount of time a wireless client is excluded from attempting to authenticate after the maximum number of authentication failures has been exceeded. The default is enabled with a time of 180 seconds (3 minutes). |
||||||||
Advanced Settings – MFP CLIENT PROTECTION |
Radio Button |
Additional security setting that controls the use of 802.11w Protected Management Frames for the WLAN. The following radio button choices are available:
|
||||||||
Advanced Settings – 11k Neighbor List |
Check Box |
Controls the use of 802.11k Assisted Roaming neighbor lists for the WLAN, which can limit the need for passive and active scanning by the wireless client. The default setting is enabled for the band (5 GHz or 2.4 GHz) with which the client is associated. |
||||||||
Advanced Settings – Client User Idle Timeout |
Check box |
Client User Idle Timeout: Check this check box to set the user idle timeout for a WLAN.
|
||||||||
NAS-ID |
Drop-down list |
NAS-ID Opt drop-down list, choose the required type of network access server identifier (NAS ID). To specify a custom script for the NAS ID, choose Custom Option from the NAS-ID Opt drop-down list and enter the custom script in the corresponding Custom Script for Opt field. You can enter up to 31 alphanumeric characters, special characters, and spaces for the custom script. Catalyst Center does not support the special characters ?, ", < , and trailing spaces for the custom script.
(Optional) Click + to add another NAS ID. You can add up to three NAS IDs. |
||||||||
Advanced Settings – Coverage Hole Detection |
Toggle button |
Use the Coverage Hole Detection toggle button to enable or disable the coverage hole detection functionality. |
||||||||
Advanced Settings – Client Rate Limit |
Integer Field |
Configure Client Rate Limit: Enter a value for the client rate limit in bits per second. The valid range is from 8000 through 100,000,000,000. The value must be a multiple of 500. The following are the valid ranges for client rate limit on Cisco IOS XE devices:
|
||||||||
Advanced Settings – Directed Multicast Service |
Check box |
Directed Multicast Service: Check this check box to enable directed multicast service.
|
||||||||
Advanced Settings – Radius Client Profiling |
Toggle button |
For RADIUS Client Profiling, use this toggle button to enable or disable RADIUS profiling on a WLAN.
|
||||||||
Advanced Settings – CCKM |
Toggle button |
Configure CCKM: Use this toggle button to enable CCKM as the authentication key management option in Catalyst Center. Timestamp Tolerance: This field is visible only if you enable CCKM. Enter the CCKM tolerance level.
|
||||||||
Advanced Settings – 11v BSS TRANSITION SUPPORT |
Multiple Check Boxes and Integer Field |
Additional settings for support of 802.11v Wireless Network Management (WNM) for the WLAN. The following settings are available: BSS Max Idle Service: Check box that enables the maximum idle service for the WLAN. Allows APs to send the timeout value to the wireless client within association and reassociation response frames. The default setting is enabled. |
Enterprise Wireless Network Settings Configured in the Deployment Guide
Feature | Settings |
---|---|
Wireless Network Name (SSID) |
lab3employee |
Broadcast SSID |
On |
Admin Status |
On |
Radio Policy |
2.4 GHz, 5 GHz, 6 GHz |
Primary Traffic Type |
VoIP (platinum) |
Configure AAA |
AAA configured |
Level of Security |
WPA3 |
AAA Override |
Enabled |
Enable Posture |
Unchecked |
Deny RCM Clients |
Unchecked |
Advanced Security Options - Mac Filtering |
Unchecked |
Advanced Security Options - Fast Transition |
Adaptive |
Type of Enterprise Network |
Voice and Data |
Fastlane |
Unchecked |
Advanced Settings – FAST TRANSITION (802.11r) |
Adaptive, Over the DS Checked |
Advanced Settings – Mac Filtering |
Checked |
Advanced Settings – Session timeout |
Checked, 1800 seconds |
Advanced Settings – Client Exclusion |
Checked, 180 seconds |
Advanced Settings – MFP CLIENT PROTECTION |
Optional |
Advanced Settings –Protected Management Frame |
Disabled |
Advanced Settings – 11k Neighbor List |
Checked |
Advanced Settings – Radius Client Profiling |
Unchecked |
Advanced Settings – Configure Client Rate Limit |
Blank |
Advanced Settings – Coverage Hole Detection |
Checked |
Configure CCKM |
Unchecked |
NAS-ID |
Blank |
Advanced Settings – 11v BSS TRANSITION SUPPORT |
BSS Max Idle Service – Checked Client Idle User Timeout – Checked, 300 seconds Directed Multicast Service - Checked |
Define Site Override Support
WLAN profiles created with different AAA settings can be assigned at different site levels. Site-level overrides will push a new WLAN profile to the wireless controller. You can override the global SSID with the settings based on area, buildings, and floor levels. Perform the following procedure to configure the overrides.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
Step 2 |
Click SSIDs. |
||
Step 3 |
Expand the sites, and then click the desired site in the left pane. |
||
Step 4 |
Choose lab3employee SSID, and then click Edit. |
||
Step 5 |
Click Next and configure the override settings for the selected site. |
||
Step 6 |
Click Save in the last page to assign the profile to the site. The next time the wireless controller is provisioned, the configuration will be pushed to the wireless controller managing that site.
|
Configure Guest Wireless SSID
Guest wireless networks must be defined at the global level of the site hierarchy. Once defined, you can apply guest wireless networks to wireless profiles. You can then assign wireless profiles to one or more sites within the hierarchy.
For this deployment guide, a single guest wireless network (SSID) named lab3guest is provisioned.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
Step 2 |
Click SSIDs. |
||
Step 3 |
Hover your cursor over + Add and choose Guest. The Basic Settings window is displayed. For information about the features that can be configured for guest wireless networks via Catalyst Center, see Guest Wireless Network Features Configurable via Catalyst Center. |
||
Step 4 |
Enter the information for the Basic Settings and click Next. For information about the settings for the guest wireless network configured for this deployment guide, see Guest Wireless Network Settings Configured in the Deployment Guide. |
||
Step 5 |
Enter the Security Settings. The following setttings were used for this deployment guide:
|
||
Step 6 |
Click Next. |
||
Step 7 |
Enter the Advanced Settings. For this deployment guide, the default settings are used. |
||
Step 8 |
Click Next. The Associate Model Config to SSID page is displayed. For the SSID in this deployment guide, there is no model config. |
||
Step 9 |
Click Next. |
||
Step 10 |
In the Associate SSID to Profile page, click the corporate wireless profile. |
||
Step 11 |
Under Fabric, choose No. Choose No will automatically cause additional fields to be displayed. This deployment guide only discusses non-SDA wireless deployments using Catalyst Center. |
||
Step 12 |
From the Interface Name drop-down menu, choose guest-dmz. This will terminate guest traffic on the guest-dmz VLAN (VLAN 125). |
||
Step 13 |
Select Yes for Do you need a Guest Anchor for this Guest SSID?. This will configure a traditional autoanchor relationship between the enterprise (foreign) and the guest (anchor) wireless controller. Typically, the guest (anchor) wireless controller is located within an Internet Edge DMZ segment of the campus network. If you choose Yes, from the Select Anchor Group drop-down list, choose an anchor group for the SSID. To create an anchor group, do the following: |
||
Step 14 |
Click Save. |
||
Step 15 |
To attach the guest network to an existing network profile, do the following:
|
||
Step 16 |
Click Next. The Portal Customization page is displayed. |
||
Step 17 |
To add a new guest portal within Cisco ISE, click Create Portal. The Portal Builder page is displayed. You have the option to leave without portal creation. |
||
Step 18 |
Enter the necessary information. You must at least name the guest portal. For this deployment guide, the portal has been named Lab3_Guest_Portal. The drop-down menu in the top center of the Portal Builder allows you to customize the Login Page, Registration Page, Registration Success, and Success Page of the portal. You can customize the color scheme, fonts, page content, logo, and background for the web portal. You can also preview the portal to see what it will look like on a smart phone, tablet, and computer. |
||
Step 19 |
Click Save to create the new guest portal on the Cisco ISE server and return to the guest wireless network workflow. The new guest portal is now displayed. |
||
Step 20 |
Click Next. The Summary page of Guest SSID Configuration is displayed. |
||
Step 21 |
Click Save. The guest wireless SSID (lab3guest) is displayed in the Wireless Network Settings dashboard. |
||
Step 22 |
Click Sites in network profile summary page to bring up a panel displaying the site hierarchy. |
||
Step 23 |
Under Global, click the >to display the Milpitas area. |
||
Step 24 |
Select the Milpitas area. The child site locations, Building 23 - Floor 1, Floor 2, and Floor 3 and Building 24 - Floor 1, Floor 2, and Floor 3, are automatically selected.
|
||
Step 25 |
Click OK to close the site hierarchy side panel. |
||
Step 26 |
Click + Add under Attach Template(s) to add the CLI-based templates to the enterprise wireless network configuration. You must define all the templates within the Template Editor dashboard of Catalyst Center. This design and deployment guide will not discuss the addition of templates because the guide does not require knowledge of the CLI syntax for the specific Cisco Wireless Controller platform. Wireless features not supported by the web-based graphical user interface of Catalyst Center may be added through templates. |
||
Step 27 |
Click Save in the Edit a Wireless Profile side panel to save the edits to the corporate wireless profile. lab3guest SSID is added to the corporate wireless profile. This ensures that when wireless controllers and APs are assigned to the Milpitas area, the APs will broadcast the lab3guest SSID. |
||
Step 28 |
Click Save to add the lab3guest guest wireless network to the corporate wireless profile. For information about provisioning ISE Settings from Catalyst Center, see Provision Cisco ISE Settings from Catalyst Center. |
Guest Wireless Network Features Configurable via Catalyst Center
Feature | Type | Description | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
Wireless Network Name (SSID) |
Text Field |
The SSID for the WLAN. |
||||||||
WLAN Profile Name |
Text Field |
Catalyst Center will take SSID_Profile as default based on SSID Name. You can change the WLAN profile name as per your requirements. |
||||||||
Policy Profile Name |
Non Editable |
Policy Profile Name is the same as the WLAN Profile Name and is not editable. Based on the WLAN profile name, Catalyst Center automatically generates the policy profile name for the Cisco Catalyst 9800 Series Wireless Controller. |
||||||||
WIRELESS OPTION |
Radio Button |
Determines in which RF bands the SSID will be broadcast. The following choices are available:
|
||||||||
Primary Traffic Type |
Drop Box |
For Catalyst 9800 Series Wireless Controllers, this setting applies a precious metals QoS SSID policy in both the upstream and downstream direction for the WLAN/SSID. Precious metals policies control the maximum DSCP marking within the CAPWAP header, as traffic is tunneled between the AP and the Cisco Wireless Controller in centralized (local mode) designs. For Cisco AireOS Wireless Controllers, this setting applies the Platinum QoS profile to the WLAN/SSID. Application Visibility is enabled on the WLAN/SSID, but no AVC profile is applied. The Fastlane EDCA profile is set for both the 802.11a/n/ac (5 GHz) and the 802.11b/g/n (2.4 GHz) radios.
|
||||||||
Broadcast SSID |
On/Off Toggle |
Determines whether the SSID will be broadcast in wireless beacons and probe responses. The default setting is on. |
||||||||
SSID STATE |
On/Off Toggle |
Use this toggle button to turn on or turn off the radios on the APs. When the Admin Status is disabled, the APs remain associated with the wireless controller and are accessible, but the APs still require licenses. |
||||||||
LEVEL OF SECURITY L2 Security |
Radio Button |
Determines the Layer 2 (L2) security settings for the WLAN. Choose the encryption and authentication type for the network. The sites, buildings, and floors inherit settings from the global hierarchy. You can override the level of security at the site, building, or floor level. The following choices are available:
|
||||||||
LEVEL OF SECURITY L3 security |
Radio Button |
Determines the Layer 3 security settings for the WLAN. The following options are available:
|
||||||||
AUTHENTICATION SERVER |
Drop Box |
This selection is only available if Web Auth is selected within LEVEL OF SECURITY. Determines the web portal and authentication server for Web Auth.
|
||||||||
AUTHENTICATION SERVER > ISE Authentication > What kind of portal are you creating today? |
Drop-down Menu |
The selection is only available if ISE Authentication is chosen. Determines the type of guest portal that will be created within the Cisco ISE server. The following options are available:
|
||||||||
AUTHENTICATION SERVER > ISE Authentication > Where will your guests redirect after successful authentication? |
Drop-down Menu |
This selection is only available if ISE Authentication is selected. Determines what web page is displayed after guests have successfully authenticated to the network. The following options are available:
|
||||||||
AUTHENTICATION SERVER > External Authentication > Web Auth URL? |
Text Field |
This selection is only available if External Authentication is selected. Specifies the URL of the Web Auth server. The guest will be redirected to this URL to be authenticated to the network. |
||||||||
Configure AAA |
Link |
Click Configure AAA to add and configure the AAA servers for the enterprise wireless network SSID. Choose Authentication, Authorization, and Accounting server from Drop Box. Click + to add a server.
From the Additional Server drop-down list, choose the server IP address. To use the AAA server for accounting, check the Copy Same Servers for Accounting check box. To configure a different accounting server for an SSID, do the following:
Catalyst Center allows you to override the set of AAA server configurations for the SSID at the site level. For each set of overridden AAA settings per SSID, Catalyst Center creates a new WLAN profile with the corresponding AAA servers mapped to it. If an SSID is overridden for different floors, and you make changes in the AAA servers, Catalyst Center creates the new WLAN profiles equal to the number of floors. You must reprovision the device to override the AAA servers at the site level. |
||||||||
Mac Filtering |
Check Box |
Check this check box to enable MAC-based access control or security in the wireless network.
|
||||||||
AAA Override |
Check Box |
Check box to enable the AAA override functionality. By default, this check box is dimmed. You must configure an AAA server using the Configure AAA option to use this check box. |
||||||||
Timeout Settings for Sleeping Clients |
Select radio button |
If you choose Web Authentication Internal, Web Authentication External, Web Passthrough Internal, or Web Passthrough External for Timeout Settings for sleeping clients, choose one of the following authentication options: Always authenticate: Enables authentication for sleeping clients. Authenticate after: Enter the duration for which sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is from 10 minutes through 43,200 minutes, and the default duration is 720 minutes.
|
||||||||
Deny RCM Clients |
Check Box |
Check this check box to deny clients with randomized MAC addresses. |
||||||||
Pre-Auth ACL List Name |
Drop Box |
Choose the ACL list name that you already created to map with the SSID. |
||||||||
Fastlane |
Check Box |
This box can only be checked when the Type of Enterprise Network has been chosen as Voice and Data. For Catalyst 9800 Series Wireless Controllers, the Fastlane check box enables Auto QoS in Fastlane mode. Auto QoS in Fastlane mode configures the Fastlane EDCA profile for both the 5 GHz and 2.4 GHz bands. However, no precious metals QoS SSID policy is applied to the WLAN/SSID when the Fastlane check box is selected. For Cisco AireOS Wireless Controllers, this setting enables the Fastlane macro for the WLAN/SSID. The Fastlane macro applies the Platinum QoS profile to the WLAN/SSID. Application Visibility is enabled on the WLAN/SSID with the AVC profile named AUTOQOS-AVC-PROFILE. The QoS Map is modified to trust DSCP in the upstream direction. In the downstream direction, Cisco best practices are implemented when mapping DSCP-to-UP values. |
||||||||
Advanced Settings – Session timeout |
Check Box and Integer Field |
Configures the maximum time for a client session to remain active before requiring reauthorization. The range is between 300 and 86,400 seconds (5 minutes and 24 hours). The default is enabled with a time of 1800 seconds (30 minutes). |
||||||||
Advanced Settings – Client Exclusion |
Check Box and Integer Field |
Configures the amount of time a wireless client is excluded from attempting to authenticate after maximum authentication failures has been exceeded. The default is enabled with a time of 180 seconds (3 minutes). |
||||||||
Advanced Settings – MFP CLIENT PROTECTION |
Radio Button |
Additional security setting that controls the use of 802.11w Protected Management Frames for the WLAN. The following options are available:
|
||||||||
Advanced Settings – 11k Neighbor List |
Check Box |
Controls the use of 802.11k Assisted Roaming neighbor lists for the WLAN, which can limit the need for passive and active scanning by the wireless client. The default setting is enabled for the band (5 GHz or 2.4 GHz) with which the client is associated. |
||||||||
Advanced Settings – 11v BSS TRANSITION SUPPORT |
Multiple Check Boxes and Integer Field |
Additional settings for support of 802.11v Wireless Network Management (WNM) for the WLAN. The following settings are available:
|
||||||||
NAS-ID |
Drop-down List |
From the NAS-ID Opt drop-down list, choose the required type of network access server identifier (NAS ID). To specify a custom script for the NAS ID, choose Custom Option from the NAS-ID Opt drop-down list and enter the custom script in the corresponding Custom Script for Opt field. You can enter up to 31 alphanumeric characters, special characters, and spaces for the custom script. Catalyst Center does not support the special characters ?, ", < , and trailing spaces for the custom script.
(Optional) Click + to add another NAS ID. You can add up to three NAS IDs. Catalyst Center applies only one NAS ID for Cisco AireOS Wireless Controllers. You can overwrite the NAS ID at the site level from . |
||||||||
Advanced Settings – Coverage Hole Detection |
Toggle button |
Coverage Hole Detection toggle button to enable or disable the coverage hole detection functionality. |
||||||||
Advanced Settings – Client Rate Limit |
Integer Field |
To configure the Client Rate Limit, enter a value for the client rate limit in bits per second. The valid range is from 8000 through 100,000,000,000. The value must be a multiple of 500.
The following are the valid ranges for a client rate limit on Cisco IOS XE devices:
|
||||||||
Advanced Settings – Radius Client Profiling |
Toggle button |
For Radius Client Profiling, use this toggle button to enable or disable RADIUS profiling on a WLAN.
|
||||||||
Advanced Settings – CCKM |
Toggle button |
Configure CCKM: Use this toggle button to enable CCKM as the authentication key management option in Catalyst Center. Timestamp Tolerance: This field is visible only if you enable CCKM. Enter the CCKM tolerance level. The CCKM tolerance level is not applicable for the Cisco AireOS Wireless Controller platform.
|
||||||||
Advanced Settings – Protected Management Frame (802.11w) |
Radio Button |
The options available under Protected Management Frame (802.11w) vary based on the settings that you chose under Level of Security. The following options may be available:
|
Guest Wireless Network Settings Configured in the Deployment Guide
Feature | Settings |
---|---|
Wireless Network Name (SSID) |
lab3guest5 |
Broadcast SSID |
On |
Admin Status |
On |
Radio Policy |
2.4 GHz, 5 GHz, 6 GHz |
Primary Traffic Type |
Best Effort (Silver) |
LEVEL OF SECURITY |
Web Auth |
AUTHENTICATION SERVER |
ISE Authentication |
AUTHENTICATION SERVER > ISE Authentication > What kind of portal are you creating today? |
Self Registered |
AUTHENTICATION SERVER > ISE Authentication > Where will your guests redirect after successful authentication? |
Original URL |
Configure AAA |
AAA configured |
AAA Override |
Enabled |
Mac Filtering |
Checked |
Fastlane |
Unchecked |
Deny RCM Clients |
Unchecked |
Pre Auth ACL |
Select configured Pre auth ACL |
Advanced Settings – FAST TRANSITION (802.11r) |
Disabled |
Advanced Settings – MFP CLIENT PROTECTION |
Optional |
Advanced Settings –Protected Management Frame |
Disabled |
Advanced Settings – Session timeout |
Checked, 1800 seconds |
Advanced Settings – Client Exclusion |
Checked, 180 seconds |
Advanced Settings – MFP CLIENT PROTECTION |
Optional |
Advanced Settings – 11k Neighbor List |
Checked |
Advanced Settings – Radius Client Profiling |
Unchecked |
Advanced Settings – Configure Client Rate Limit |
Blank |
Advanced Settings – Coverage Hole Detection |
Checked |
Configure CCKM |
Unchecked |
NAS-ID |
Blank |
Advanced Settings – 11v BSS TRANSITION SUPPORT |
BSS Max Idle Service – Checked Client Idle User Timeout – Checked, 300 seconds Directed Multicast Service - Checked |
Provision Cisco ISE Settings from Catalyst Center
When a guest SSID profile is assigned to a site, Catalyst Center will push the required authentication, authorization, and guest portal configurations to Cisco ISE according to the settings in the guest SSID profile.
Procedure
Step 1 |
Choose Lab3_Guest_Portal to verify the portal details. Cisco ISE displays a new guest portal named Lab3_Guest_Portal. |
Step 2 |
Click the 1 rules link to check the authorization policy created by Catalyst Center. |
Step 3 |
From the top-left corner, click the menu icon and choose . |
Step 4 |
Click Default. |
Step 5 |
Go to Authorization Policy to verify the authorization policy pushed by Catalyst Center. |
Remote Office Wireless Deployment Settings
This section provides an overview of a remote office wireless network using APs in FlexConnect mode, which will be provisioned using Catalyst Center.
The site hierarchy consists of the following:
-
A branch area (New York) with a building (Branch 5) and multiple floors (Floor 1, Floor2, and Floor 3).
-
An SSID for employee traffic (lab3branch5) and an SSID for guest traffic (lab3guest5), both advertised by the APs within the branch.
-
A non-Cisco SDA (legacy) remote office wireless deployment, in which all employee branch wireless traffic is centrally switched.
The guest wireless traffic within the branch is locally switched. Cisco Wireless Controllers will be in N+1 HA mode and must be assigned to sites during the Catalyst Center provisioning process.
Note |
For this deployment guide, both Catalyst 9800-40 wireless controllers (C9800-Flex-CVD and C9800-CVD-Nplus1) will be assigned to building Branch 5 within the New York area. |
Within Catalyst Center, sites (areas, buildings, or floors) containing APs are assigned as either primary managed AP locations or secondary managed AP locations. There can be only one primary enterprise wireless controller assigned to a site at a given time, meaning that a site can only be assigned as a primary managed AP location for one enterprise wireless controller at a time. For this deployment guide, APs on Floor 1 within Branch 5, will be provisioned to C9800-Flex-CVD through Catalyst Center.
Catalyst Center supports the configuration of AP high availability, in which the AP tries to associate with primary and secondary wireless controllers and form a CAPWAP control connection. If the primary wireless controller is unavailable, the AP will attempt to establish a CAPWAP control connection to the secondary wireless controller. In Catalyst Center, this is accomplished by configuring sites containing APs as secondary managed AP locations.
Note |
For this design and deployment guide, wireless controller C9800-Flex-CVD will be provisioned so that Floor 1 of Branch 5 is a primary managed AP location. For the APs within Branch 5, wireless controller C9800-CVD-Nplus1 will serve as the secondary wireless controller in an N+1 wireless controller redundancy configuration. |
Recommendations
When configuring the remote office wireless deployment settings, consider the following recommendations:
-
Use PortFast on AP switch ports for APs in FlexConnect mode, supporting only the central switched WLANs. To configure the switch port for PortFast, set the port to be connected as a host port, using the switch port host command or the PortFast command. This configuration allows for a faster AP join process. There is no risk of loops, as the local mode APs never directly bridge traffic between VLANs. You can set the port directly on access mode.
-
For APs in FlexConnect mode, when using locally switched WLANs mapped to different VLANs (the AP switch port is in trunk mode), prune or limit the VLANs present on the port to match the AP-configured VLANs.
Configure Wireless Interface
In Catalyst Center, the enterprise and guest WLANs terminate on the wireless interfaces known as Ethernet VLAN interfaces. The following table shows the wireless interfaces created for this design and deployment guide for the enterprise and guest WLANs.
Name | VLAN | Usage |
---|---|---|
branchemployee |
100 |
VLAN for centrally switched employee traffic. |
branchguest-dmz |
110 |
VLAN for guest traffic locally switched on a VLAN on switch. |
Note |
The native VLAN (AP VLAN) configuration is specific to FlexConnect AP deployments. The FlexConnect locally switched traffic terminates on a specific VLAN, which is configured in the wireless profile for this design and deployment guide. Therefore, the field will be left blank. |
The following steps explain how to configure wireless interfaces within Catalyst Center.
Before you begin
To complete this action, you must have SUPER-ADMIN-ROLE or NETWORK-ADMIN-ROLE privileges.
Procedure
Step 1 |
Log in to the Catalyst Center web console using an IP address or a fully qualified domain name. Example: |
Step 2 |
From the top-left corner, click the menu icon and choose . The Wireless Network Settings dashboard is displayed. |
Step 3 |
Click Interfaces & VLAN Groups. |
Step 4 |
Click + Add. |
Step 5 |
In the Create a Wireless Interface slide-in pane, enter the Interface Name and VLAN ID for the wireless interface corresponding to the enterprise VLAN (branchemployee). |
Step 6 |
Click Save. Repeat the procedure to add the wireless interface for the guest VLAN (guest-dmz). When completed, the two new wireless interfaces should appear in the Wireless Network Settings dashboard, as shown in the figure below: |
Configure Enterprise Wireless SSID
Enterprise wireless networks are the nonguest WLAN/SSIDs that are available for broadcast across the deployment. You must define them at the global level of the site hierarchy. Once defined, you can apply the enterprise wireless networks to wireless profiles and assign wireless profiles to one or more sites within the hierarchy.
For the design and deployment guide, a single enterprise WLAN SSID named lab3branch5 is provisioned.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
Step 2 |
Click SSIDs. |
||
Step 3 |
Hover your cursor over + Add and choose Enterprise. For information about features that can be configured for enterprise wireless networks via Catalyst Center, see Enterprise Wireless Network Features Configurable via Catalyst Center. |
||
Step 4 |
Enter the information for the Basic Settings and click Next.
|
||
Step 5 |
Enter the information for the Security Settings and click Next. |
||
Step 6 |
Enter the information for the Advanced Settings and click Next. |
||
Step 7 |
On the Associate Model Config to SSID page, click Next. |
||
Step 8 |
On the Associate SSID to Profile page, either attach the enterprise wireless network to an existing wireless profile or create a new wireless profile and attach the enterprise wireless network. To attach the enterprise network to an existing network profile, do the following:
To create a new wireless profile and attach the enterprise network, do the following: |
||
Step 9 |
Click Next. The Summary page displays SSID basic settings, security, advanced settings, and network profiles. |
||
Step 10 |
Click Save.
|
||
Step 11 |
From the top-left corner, click the menu icon and choose . |
||
Step 12 |
In the Network Profiles table, from the Sites column, click Assign Site for your desired profile. For this deployment guide, click Assign Site for the newly created wireless profile, branch5. |
||
Step 13 |
In the Add Sites to Profile slide-in pane, expand the Global section and its subsections to display the New York area. |
||
Step 14 |
Check the New York check box. All of the child site locations are automatically selected: Building 23 with Floor 1, Floor 2, and Floor 3 and Building 24 with Floor 1, Floor 2, and Floor 3. |
||
Step 15 |
Click Save. |
||
Step 16 |
From the Action column, click Edit for your desired profile. |
||
Step 17 |
Click Templates. |
||
Step 18 |
From the Onboarding Template(s) tab or the Day-N Template(s) tab, click Attach Templates to add the CLI-based templates to the enterprise wireless network configuration.
The new enterprise wireless network, lab3branch5, is displayed in the Wireless Network Settings dashboard. |
Configure FlexConnect Settings
The following procedure describes the steps to configure the FlexConnect settings using Catalyst Center, which is where the native VLAN and the client VLAN can be set.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
Step 2 |
Configure Native VLAN and AAA override VLAN in the global settings.
|
Configure FlexConnect in the Model Config Editor
Model configs are a set of model-based, discoverable, and customizable configuration capabilities, which you can deploy on your network devices with high-level service intent and device-specific CLI templates. The following procedure describes the steps to perform a model config for FlexConnect.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
Click Flex Configuration. |
Step 3 |
Click + Add and enter the design name. For example, enter branch as the design name. |
Step 4 |
Enable IP Overlap. |
Step 5 |
Click Save. |
Map FlexConnect Model Config to Network Profiles
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
Click Edit branch5 network profile. |
Step 3 |
Click the Feature Templates tab, and then click Add Feature Template. |
Step 4 |
Choose Wireless Controller as the Device Type. |
Step 5 |
Click , and then select the configured model config. |
Step 6 |
Click Add and save the changes. |
Configure Guest Wireless SSID
Guest wireless networks must be defined at the global level of the site hierarchy. Once defined, guest wireless networks are applied to wireless profiles. Wireless profiles are then assigned to one or more sites within the hierarchy. For this deployment guide, a single guest wireless network (SSID) named lab3guest5 is provisioned.
Procedure
Step 1 |
|||
Step 2 |
From the top-left corner, click the menu icon and choose . |
||
Step 3 |
Click SSIDs. |
||
Step 4 |
Hover your cursor over + Add and choose Guest. The Basic Settings window is displayed. For information about features that can be configured for guest wireless networks via Catalyst Center, see Guest Wireless Network Features Configurable via Catalyst Center. |
||
Step 5 |
Enter the Basic Settings information and click Next.
|
||
Step 6 |
Enter the Security Settings information. |
||
Step 7 |
To configure the AAA server, click Configure AAA. |
||
Step 8 |
Enter the configuration values and click Configure. |
||
Step 9 |
Click Next. |
||
Step 10 |
Enter the information for the Advanced Settings and click Next. |
||
Step 11 |
The Associate Model Config to SSID page is displayed. Click Next. |
||
Step 12 |
In the Associate SSID to Profile page, attach the guest wireless network to the existing branch5 wireless profile. |
||
Step 13 |
Click Next. The Portal Customization page is displayed. |
||
Step 14 |
Click Create Portal to add a new guest portal in Cisco ISE. The Portal Builder page is displayed. You have the option to leave without portal creation. |
||
Step 15 |
Enter the relevant information. You must at least name the guest portal. For this deployment guide, the portal has been named Lab3_Guest_Portal. The drop-down menu in the Portal Builder allows you to customize the Login Page, Registration Page, Registration Success, and Success Page of the portal. You can customize the color scheme, fonts, page content, logo, and background for the web portal. You can also preview the portal to see what it will look like on a smart phone, tablet, and computer. |
||
Step 16 |
Click Save to create the new guest portal on the Cisco ISE server and return to the guest wireless network workflow. |
||
Step 17 |
Click Next. The summary page will show SSID basic settings, security, advanced settings, and network profiles. |
||
Step 18 |
Click Save. |
||
Step 19 |
From the top-left corner, click the menu icon and choose . |
||
Step 20 |
From the Sites column for profile branch5, click Assign Site. |
||
Step 21 |
In the Add Sites to Profile slide-in pane, expand the Global site and its subsites and check the New York check box. Automatically, the child site locations are selected: Branch 5 with Floor 1, Floor 2, and Floor 3. |
||
Step 22 |
Click Save. |
||
Step 23 |
From the Action column for profile branch5, click Edit. |
||
Step 24 |
Click Templates. |
||
Step 25 |
From the Onboarding Template(s) tab or the Day-N Template(s) tab, click Attach Templates to add the CLI-based templates to the enterprise wireless network configuration.
|
||
Step 26 |
Click Save. The new enterprise wireless network, lab3branch5, is displayed in the Wireless Network Settings dashboard.
|
Configure FlexConnect Settings for Guest SSID
The following procedure describes how to configure the FlexConnect settings for a guest SSID.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
Step 2 |
Configure native VLAN and AAA override VLAN in global settings.
|
||
Step 3 |
Click Save. |
Configure Model Config Editor for Flex Guest SSID
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
Click Flex Configuration. |
Step 3 |
Click + Add and enter the design name. |
Step 4 |
Enable IP Overlap. |
Step 5 |
Click Save. |
Map Flex Guest SSID Feature Template to Network Profiles
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
Step 2 |
Choose the Edit branch5 network profile. |
Step 3 |
Click Feature Templates and click Add Feature Template. |
Step 4 |
For Device Type, choose the appropriate wireless controller model. |
Step 5 |
Click and choose the configured template. |
Step 6 |
Click Add and save the changes. |
Customize Wireless RF Profiles
The Wireless Radio Frequency Profile section of the Wireless Settings dashboard allows you to do the following:
-
Visually inspect the settings for each of the three preconfigured RF profiles within Catalyst Center. These RF profiles are also preconfigured within the Cisco Catalyst 9800 Series Wireless Controller.
-
Create custom RF profiles in which you can fine tune various RF aspects of your wireless deployment.
-
Choose either a preconfigured or custom RF profile as the default RF profile that is assigned to APs within Catalyst Center.
When provisioning APs in Catalyst Center, the default RF profile configured within the Wireless Settings dashboard will be applied. However, you can also override this setting for each AP.
The following preconfigured RF profiles are available:
-
LOW: This profile tunes the RF attributes in both bands (2.4 GHz and 5 GHz) for low client density deployments.
-
TYPICAL: This profile tunes the RF attributes in both bands (2.4 GHz and 5 GHz) for medium client density deployments.
-
HIGH: This profile tunes the RF attributes in in both bands (2.4 GHz and 5 GHz) for high client density deployments, such as stadiums, auditoriums, etc.
Note |
Appendix D explains the specific settings within each of the three preconfigured RF profiles within Catalyst Center. Set the desired TPC threshold on the RF group, based on the AP density and installed height. For large deployments, there can be significant variations in the RF environment, so it is important to properly adjust TPC to ensure optimal coverage in each location. Together with transmit power, data rates are the primary mechanism to influence the client roaming behavior. Changing data rates to the lowest mandatory rate can modify when the client may trigger a new roam, which is especially important for large open spaces that suffer from sticky client problems. When setting up RF profiles, try to avoid configuring adjacent AP groups and RF profiles with different DCA channel sets, as this can negatively impact DCA calculations. Users can add a nonsupported channel to the RF profile DCA list, even if the channel is not supported in the configured regulatory domain. The recommendation is to always check if the configured channels are allowed in the country domain. There is no impact on network operations because the DCA would not assign the unsupported channels to the APs. However, starting in release 17.5, the C9800 has a validation to check if the added channels are allowed. |
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . The Wireless Radio Frequency Profile section of the Wireless Settings dashboard can only be accessed at the global level of the site hierarchy. |
Step 2 |
By default, the TYPICAL RF profile is set as the default RF profile. To change the default RF profile, do the following:
For this design and deployment guide, the TYPICAL RF profile was selected, indicating that the deployment is meant for an environment with medium client density. The FlexConnect design for a remote office is now complete. |
Design the Cisco Catalyst 9800-CL Wireless Controller Hosted on AWS
This section describes the wireless controller hosted on AWS deployment, which uses a cloud-based Cisco Catalyst 9800-CL Wireless Controller hosted on AWS. For more information, see Deployment guide for Cisco Catalyst 9800 Wireless Controller for Cloud (C9800-CL) on Amazon Web Services (AWS).
Launching a Cisco Catalyst 9800 Amazon Machine Image (AMI) occurs directly from the AWS Marketplace. The Cisco Catalyst 9800 Series Wireless Controller will be deployed on an Amazon EC2 in an Amazon Virtual Private Cloud (VPC).
Cisco supports the following instance type for the first release of the Cisco Catalyst 9800 Series Wireless Controller on the cloud:
C5.xlarge: 4 vCPUs, 8 GB RAM, 8GB Disk with 1 vNIC.
The allocated resources will allow the instance to scale to 1000 APs and 10,000 clients.
Prerequisites for Deploying the Cisco Catalyst 9800-CL Wireless Controller on AWS
-
Create a managed VPN connection from the corporate network to the VPC.
-
Create a VPC with the desired subnet for the wireless management interface on the Catalyst 9800 Series Wireless Controller.
-
Catalyst 9800 Series Wireless Controller CloudFormation template: You do not have to configure the CloudFormation template because the template is automatically integrated in the launching procedure. If desired, you can download and view the CloudFormation template file from the AWS Marketplace page for the product.
-
Amazon Machine Instance ID (AMI-ID) for the desired Catalyst 9800 Series Wireless Controller software release: The AMI will be available in the AWS marketplace.
-
AP access can be restricted to your instance for security reasons. For example, CAPWAP from a single, specific IP range can be allowed so that only those APs are able to register to the controller. The following table shows the ports that need to be opened in the firewall to allow the AP to communicate with the wireless controller on AWS.
Ports | Protocol |
---|---|
UDP 5246/5247/5248 |
CAPWAP |
TCP 22 |
SSH, SCP |
TCP 21 |
FTP |
ICMP |
Ping |
UDP 161, 162 |
SNMP/SNMP Traps |
TCP 443/80 |
HTTPs/HTTP |
TCP/UDP 49 |
TACACS+ |
UDP 53 |
DNS Server |
UDP 1812/1645/1813/1646 |
Radius |
UDP 123 |
NTP Server |
UDP 514 |
Syslog |
Install the Cisco Catalyst 9800-CL Wireless Controller on AWS
Procedure
Step 1 |
Navigate to the AWS Marketplace. |
Step 2 |
Locate the Cisco Catalyst 9800-CL Wireless Controller product page by searching the AWS Marketplace for "C9800-CL." |
Step 3 |
Choose the Cisco Catalyst 9800-CL Wireless Controller for Cloud and click Continue to Subscribe. |
Step 4 |
Choose the fulfillment option: Cloud Formation Template (recommended) or Amazon Machine Image (AMI). If you choose AMI, you can use the AWS Console or the AWS Marketplace interface. For both fulfillment options, you will be guided through the steps to launch a new Catalyst 9800-CL Wireless Controller instance. |
Step 5 |
During the installation process, you will be prompted to select the following:
|
Step 6 |
Click Review and Launch and ensure that the information is accurate. |
Step 7 |
Click Launch Instances. |
Step 8 |
Go to AWS Console > EC2 services and wait for your instance to indicate a state of running. You will have to wait a few minutes before you can connect to your Catalyst 9800-CL Wireless Controller instance. |
Step 9 |
Connect to the IP address assigned to your Catalyst 9800-CL Wireless Controller instance and use the WebUI wizard for Day 0 configuration and setup. |
Step 10 |
Alternatively, connect to your instance using an SSH client, providing the necessary credentials or the private SSH key selected during setup. For example: |
Step 11 |
Once SSH has connected, you should see the IOS XE command prompt on the Catalyst 9800-CL Wireless Controller. You may now begin configuring your instance. |
Configure Enterprise Wireless Networks (SSIDs)
Wireless settings are hierarchical. Settings at lower levels of the site hierarchy can override settings defined in higher levels. By default, you are taken to the global level, which is the highest level of the site hierarchy.
Enterprise wireless networks are the nonguest WLANs/SSIDs that are available for broadcast across the deployment, and these networks must be defined at the global level of the site hierarchy. Once defined, enterprise wireless networks are applied to wireless profiles, which are assigned to one or more sites within the hierarchy. For this design and deployment guide, a single enterprise WLAN/SSID named corpevent is provisioned. The following steps explain how to configure the enterprise wireless network within Catalyst Center.
Before you begin
To complete this action, your user profile must be assigned the SUPER-ADMIN-ROLE or the NETWORK-ADMIN-ROLE.
Procedure
Step 1 |
Log in to the Catalyst Center web console using an IP address or a fully qualified domain name. Example:http://<Catalyst_Center_IPaddr_or_FQDN> |
||||||||||||||||||||||||||||||||||||||||
Step 2 |
From the top-left corner, click the menu icon and choose . |
||||||||||||||||||||||||||||||||||||||||
Step 3 |
From the Wireless Network Settings dashboard, hover your cursor over + Add and choose Enterprise. |
||||||||||||||||||||||||||||||||||||||||
Step 4 |
Enter the settings information and click Next. The settings used in this deployment are provided in the following table.
|
||||||||||||||||||||||||||||||||||||||||
Step 5 |
The next page in the workflow is displayed. You can attach the enterprise wireless network to an existing wireless profile, or you can create a new wireless profile and attach the enterprise wireless network. |
||||||||||||||||||||||||||||||||||||||||
Step 6 |
Click + Add Profile to add a new wireless profile. |
||||||||||||||||||||||||||||||||||||||||
Step 7 |
In the Wireless Profile Name field, enter the name of the new wireless profile. For this deployment guide, a wireless profile named corpevent-profile was created. |
||||||||||||||||||||||||||||||||||||||||
Step 8 |
From Fabric, click the No radio button. This deployment guide only discusses non-SDA wireless deployments using Catalyst Center. When you choose No, the Select Interface field is automatically displayed. |
||||||||||||||||||||||||||||||||||||||||
Step 9 |
From the Select Interface drop-down list, choose Management.
|
||||||||||||||||||||||||||||||||||||||||
Step 10 |
Check the FlexConnect Local Switching check box. |
||||||||||||||||||||||||||||||||||||||||
Step 11 |
In the Local to VLAN field, enter VLAN ID 16. All branch employee traffic will be locally switched onto VLAN 16 of the branch switch. |
||||||||||||||||||||||||||||||||||||||||
Step 12 |
Click Associate Profile to attach the profile to wireless SSID. |
||||||||||||||||||||||||||||||||||||||||
Step 13 |
Click Next to review the summary, and then click Save. |
||||||||||||||||||||||||||||||||||||||||
Step 14 |
Click Configure Network Profile to go to the Network Profiles page to assign the site for the wireless profile. |
||||||||||||||||||||||||||||||||||||||||
Step 15 |
Click Assign Site. |
||||||||||||||||||||||||||||||||||||||||
Step 16 |
In the left hierarchy tree, choose Global > Milpitas area. The child site locations are automatically selected: Branch 5 and Floor 1 and Floor 2. |
||||||||||||||||||||||||||||||||||||||||
Step 17 |
Click OK to close the site hierarchy side panel and return to Create a Wireless Profile. The design of the wireless controller on AWS is complete, and you can go to the Deploy the wireless network section. |
Deploy the Wireless Network
This section of the design and deployment guide implements the use case discussed in the Solution Overview section of this document. Catalyst Center is used to automate the deployment of the wireless profile created in the Design the Wireless Network section of this document to a Cisco Catalyst 9800-40 enterprise wireless controller HA SSO pair (WLC-9800-2) and a Cisco Catalyst 9800-CL guest wireless controller (WLC-9800-CL).
This section contains the following topics and processes:
-
Discover and manage the Catalyst 9800 Series Wireless Controllers
-
Manage software images for the Catalyst 9800 Series Wireless Controllers
-
Use software image management (SWIM) to update the Catalyst 9800 Series Wireless Controller software
-
Configure high availability (HA) stateful switch-over (SSO) on the Catalyst 9800-40 enterprise wireless controllers
-
Provision the Catalyst 9800-40 enterprise wireless controller HA SSO pair
-
Provision the Catalyst 9800-CL guest anchor wireless controller
-
Join the new APs to the enterprise wireless controller HA SSO pair
-
Provision the new APs
-
Position the new APs on the floor map
-
Local RRM Vs cloud-based RRM
-
Enable cloud-based RRM
-
Template programmer for additional wireless configurations
Enterprise WLAN for Campus Wireless Deployment
This section explains how to provision the campus wireless deployment for the Milpitas site. For this scenario, the wireless controllers are discovered, and their images are updated and provisioned. These procedures are explained in the following sections.
Discover and Manage the Cisco Catalyst 9800 Series Wireless Controller
This deployment guide uses IP address ranges for discovery of both of the Cisco Catalyst 9800-40 Wireless Controllers deployed as enterprise wireless controllers and the Cisco Catalyst 9800-CL Wireless Controller deployed as the guest wireless controller. Before initiating the discovery, IP connectivity must be enabled to the devices. When using IP address ranges, you can reduce the range to just the wireless controllers to speed the discovery.
Note |
Alternatively, you can supply an initial device for discovery and direct Catalyst Center to use Cisco Discovery Protocol (CDP) to find connected neighbors. |
The following assumptions are made for this procedure:
-
The two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) are connected to the network as standalone wireless controllers. Configuration of the two Catalyst 9800-40 Wireless Controllers into an HA SSO pair will be done within Catalyst Center in a later process.
-
NETCONF is enabled on all of the Cisco Catalyst 9800 Series Wireless Controllers (WLC-9800-1, WLC-9800-2, and WLC-9800-CL).
-
All Catalyst 9800 Series Wireless Controllers are on the network, with management IP addresses configured for reachability.
-
SSH access is enabled on all of the Catalyst 9800 Series Wireless Controllers, with a user ID and password configured within the local user database.
-
All Catalyst 9800 Series Wireless Controllers have hostnames configured (WLC-9800-1, WLC-9800-2, and WLC-9800-CL), which will allow the devices to be identified by their hostnames within the Catalyst Center inventory after discovery.
For this design and deployment guide, the following table shows the hostnames, platform models, and IP addresses for Catalyst Center.
Hostname | Platform Model | IP Address |
---|---|---|
WLC-9800-1 |
Cisco Catalyst 9800-40 Wireless Controller |
10.4.50.2 |
WLC-9800-2 |
Cisco Catalyst 9800-40 Wireless Controller |
10.4.50.22 |
WLC-9800-CL |
Cisco Catalyst 9800-CL Wireless Controller |
10.4.48.153 |
This section contains the following processes:
-
Discover the two Catalyst 9800-40 Wireless Controllers, which serve as the enterprise HA SSO pair for the WLAN deployment.
-
Discover the Catalyst 9800-CL Wireless Controller, which serves as the guest anchor wireless controller for the WLAN deployment.
Discover and Manage the Cisco Catalyst 9800-CL Wireless Controller Deployed on AWS
The discovery process is the same for other Cisco Catalyst 9800-CL Wireless Controllers.
Discover the Cisco Catalyst 9800-40 Wireless Controllers Serving as the Enterprise HA SSO Pair for WLAN Deployment
The following steps explain how to discover the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . If discovery devices already exist, the Discovery Dashboard will be displayed. If you are starting for the first time, the Add Discovery button will be displayed. |
Step 2 |
Click Add Discovery to create a new discovery. The Discover Devices window is displayed. This window begins the workflow for discovering new devices from the network. |
Step 3 |
Enter a name in the Discovery Job Name field. |
Step 4 |
From DISCOVERY TYPE, choose IP Address Range. |
Step 5 |
Enter the Starting IP Address and the Ending IP Address. The range configured is 10.4.50.2 - 10.4.50.22, which is sufficient to discover the two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2). |
Step 6 |
For PREFERRED MANAGEMENT IP ADDRESS, if a device has a loopback interface used for management, click the Use Loopback (If Applicable) radio button. Otherwise, click the None radio button. For this deployment, the VLAN 50 interface is configured as the wireless management interface, so the PREFERRED MANAGEMENT IP ADDRESS is set to None. |
Step 7 |
Click Next. |
Step 8 |
Provide CLI, SNMP, and NETCONF credentials by clicking the associated tab and clicking + Add Credentials. All Catalyst 9800 Series Wireless Controllers require NETCONF for discovery and provisioning. The user ID and password used for NETCONF access to the wireless controllers is the same as the SSH password. |
Step 9 |
Click Next. |
Step 10 |
In the Advanced Settings page, for PROTOCOL ORDER, enable SSH. It is not recommended to enable Telnet because Telnet traffic is sent in clear text across the network, which could pose a security vulnerability. |
Step 11 |
Click Next. |
Step 12 |
In the Assign Devices to Site page, click the Skip site assignment for now radio button and click Next. |
Step 13 |
In the Schedule Job page, choose Now and click Next. The Summary page is displayed. |
Step 14 |
Click Start Discovery. The discovery details are displayed while the discovery runs. After discovery is complete, the discovery details are displayed. |
Step 15 |
After the discovery process is complete, navigate to the main Catalyst Center dashboard. |
Step 16 |
From the top-left corner, click the menu icon and choose . The list of devices known to Catalyst Center will be displayed, including the two Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) that were discovered. The Catalyst 9800-40 Wireless Controllers should show a Last Sync Status of Managed. Catalyst Center can now access the devices, synchronize the inventory, and make configuration changes on the devices. |
Discover the Cisco Catalyst 9800-CL Wireless Controller Serving as the Guest Anchor Wireless Controller for WLAN Deployment
To discover the Cisco Catalyst 9800-40 Wireless Controller for the Cisco Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL), repeat the steps in Discover the Cisco Catalyst 9800-40 Wireless Controllers Serving as the Enterprise HA SSO Pair for WLAN Deployment.
For this deployment guide, the IP address range for discovery of the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL) is a single IP address: 10.4.174.36 - 10.4.174.36.
Note |
Optionally, you can discover all the wireless controllers in a single discovery that includes the IP address range of both the Catalyst 9800-40 enterprise Wireless Controllers (WLC-9800-1 and WLC-9800-2) and the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL). |
Manage Software Images for the Cisco Catalyst 9800 Series Wireless Controllers
This process is used to upload the latest software images for the Cisco Catalyst 9800 Series Wireless Controllers to the Catalyst Center software image repository. The following table shows the platforms and software images uploaded for this deployment.
Platform | Software Version | Software Image |
---|---|---|
Cisco Catalyst 9800-40 Wireless Controller |
IOS XE Release 17.12.3 |
C9800-40-universalk9_wlc.17.12.03.SPA.bin |
Cisco Catalyst 9800-CL Wireless Controller |
IOS XE Release 17.12.3 |
C9800-CL-universalk9.17.12.03.SPA.bin |
A minimum of IOS XE release 16.10.1 is required for operability between the Catalyst 9800 Series Wireless Controllers and Catalyst Center.
The following procedures are included in this process:
-
Upload the software image for the Cisco Catalyst 9800-40 Wireless Controller.
-
Upload the software image for the Cisco Catalyst 9800-CL Wireless Controller.
Upload the Software Image for the Cisco Catalyst 9800-40 Wireless Controllers
The following steps discuss the image upload process for the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . The Image Repository window is displayed. |
Step 2 |
You can get a new image into the Catalyst Center image repository by doing one of the following:
|
Step 3 |
For your desired image, click download image icon. The image will begin to download from the Cisco website. For this deployment guide, image 17.12.3 was downloaded. |
Step 4 |
Alternatively, click Import to import a new image. The Import Image/Add-on dialog box is displayed. |
Step 5 |
Click Choose File. |
Step 6 |
Navigate to the Catalyst 9800-40 software image on your computer and choose the desired image. For this deployment guide, C9800-40-universalk9_wlc.17.12.3.SPA.bin was chosen. |
Step 7 |
Under Source, click the Cisco radio button because this is a Cisco software image. |
Step 8 |
Click Import to upload the image to the Catalyst Center image repository. A status bar shows the progress of the upload. Once the upload is complete, the main Image Repository window is displayed. |
Step 9 |
Click Show Tasks to verify that the image was imported successfully. The Recent Tasks (Last 50) side panel is displayed. The new image transitions are shown in yellow. The tasks that are completed successfully are shown with a green check mark. |
Step 10 |
Close the Recent Tasks (Last 50) side panel. |
Step 11 |
From the Image Repository window, click > next to Imported Images to expand the list of imported images. |
Step 12 |
Click Assign next to the image file you just uploaded. The Assign Device Family slide-in pane is displayed. |
Step 13 |
Choose the Cisco Catalyst 9800-40 Wireless Controller and click Assign to assign this image to its device family. |
Step 14 |
Under the Family column in the list of devices in the main repository window, locate the Catalyst 9800-40 Wireless Controllers and expand the list of available images for the device. You should now see the new image you just uploaded in the list of images available for the device family. |
Step 15 |
Click the star for Golden Image to mark the image as the preferred one for the Catalyst 9800-40 Wireless Controller platform. Repeat the entire procedure for the Catalyst 9800-CL guest Wireless Controller (WLC-9800-CL). For this deployment guide, the Catalyst 9800-CL guest Wireless Controller upload image name is C9800-CL-universalk9.17.12.3.SPA.bin. |
Update the Software Image for the Cisco Catalyst 9800-CL Wireless Controller
This section outlines the procedure for updating the wireless controller image after the image is marked as golden.
Use Software Image Management (SWIM) to Update the Catalyst 9800 Series Wireless Controller Software
This process is used for the following purposes:
-
Distribute (download) the software image from the Catalyst Center image repository to the wireless controllers.
-
Upgrade the software images running on the wireless controllers.
Both steps can be run immediately, or the steps can be scheduled to run at a specified date and time to comply with existing network change schedules.
Catalyst Center runs a compliance check, which compares the devices in the inventory with images marked as a golden images. Devices that are out of compliance with the golden image are marked as Outdated in the inventory. Before you can update an image to the version marked as golden, the inventory collection must be successfully completed, and the device must be in a Managed state.
The following procedures are included in this process:
-
Upgrade the software images for the Catalyst 9800-40 Wireless Controllers.
-
Upgrade the software image for the Catalyst 9800-CL Wireless Controller.
Upgrade the Software Image for the Cisco Catalyst 9800-40 Wireless Controllers
The following procedure explains how to upgrade the software images for the Cisco Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2).
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
Step 2 |
From the Focus drop-down list, choose Software Images. The window displays the software image running on each device in the inventory. |
||
Step 3 |
From the list of devices, locate one of the Catalyst 9800-40 Wireless Controllers (WLC-9800-1 or WLC-9800-2). |
||
Step 4 |
Under the Software Image column for the Catalyst 9800-40 Wireless Controller, click Needs Update. The Image Update Readiness Check slide-in pane is displayed. Ensure that the Status column shows either a green icon indicating success or a yellow icon indicating a warning. If any of the checks show a red icon indicating failure, the image on the platform was not upgraded. In this deployment guide, the Config register check shows a red icon because the config register value needs to be 0x2102 or 0x102, but the device is using a value of 0x0. If necessary, correct any issues on the wireless controller which result in a failure. |
||
Step 5 |
Click Re-Execute Check to rerun the readiness assessment.
|
||
Step 6 |
When you have corrected all checks which indicate a failure, close the Image Update Readiness Check slide-in pane. |
||
Step 7 |
Repeat Step 1 through Step 6 for the other Catalyst 9800-40 Wireless Controller. |
||
Step 8 |
Check the check boxes for both of the Catalyst 9800-40 Wireless Controllers (Wireless Controller-9800-1 and Wireless Controller-9800-2). |
||
Step 9 |
From the Actions drop-down list, choose . The Image Update slide-in pane is displayed. |
||
Step 10 |
Enable Software Activation After Distribution. Alternatively, click the Later radio button and adjust the date and time for the image distribution. Enabling Software Activation After Distribution will activate the image immediately after it is distributed. This action combines the download and activation of the image into a single scheduled process, rather than scheduling download and activation separately. |
||
Step 11 |
Click Image Update Status, which takes you to the update progress window. Alternatively, click the menu icon and choose . The scheduled task window is displayed. You can expand the task to see the details regarding the distribution and activation of the image. On successful completion of the task, an icon is displayed next to the task, indicating that the update was successful. Again, you can expand the task to see the details regarding the distribution and activation of the image. |
||
Step 12 |
Close the scheduled tasks slide-in pane. |
||
Step 13 |
From the top-left corner, click the menu icon and choose to go back to the inventory list in the main provisioning window. The image for the Catalyst 9800-40 Wireless Controller now shows that it has updated to the chosen IOS version. Repeat the entire procedure for the Catalyst 9800-CL Guest Wireless Controller (Cisco Catalyst 9800 Series Wireless Controller-CL). |
Configure HA SSO on the Cisco Catalyst 9800-40 Enterprise Wireless Controllers
Cisco Catalyst 9800 Series Wireless Controllers support the ability to be configured in an active or standby high availability (HA) stateful switch-over (SSO) pair. Catalyst Center supports the ability to take two controllers of the same model, running the same operating system version, and configure them as an HA SSO pair.
Note |
|
The following steps explain how to configure the Catalyst 9800-40 Wireless Controllers (WLC-9800-1 and WLC-9800-2) as an HA SSO pair.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . The main provisioning window displays the devices. By default, the Focus is set for Inventory. |
||||||||||||||
Step 2 |
Locate and check the check box for the Catalyst 9800-40 Wireless Controller which will be the primary wireless controller of the HA SSO wireless controller pair. For this design and deployment guide, WLC-9800-2 was selected as the primary wireless controller. |
||||||||||||||
Step 3 |
From the Actions drop-down list, select . The High Availability slide-in pane is displayed. |
||||||||||||||
Step 4 |
Enter the required information in the respective fields and click Configure HA. The following table shows the high availability information for this deployment guide:
A dialog box is displayed, notifying you that the wireless controllers will be rebooted when they are placed in the high availability mode. |
||||||||||||||
Step 5 |
Click OK to accept and put the two Catalyst 9800-40 Wireless Controllers in HA SSO mode. It will take several minutes for the wireless controllers to reboot and display in HA SSO mode. All configurations from the primary Catalyst 9800-40 Wireless Controller, including the IP address of the management interface, will be copied to the secondary Catalyst 9800-40 Wireless Controller. Catalyst Center will no longer show two wireless controllers in the inventory. Instead, only a single Wireless Controller HA SSO pair with two serial numbers will appear in the inventory. For this deployment guide, the wireless controller HA SSO pair is WLC-9800-2. |
||||||||||||||
Step 6 |
If you choose the wireless controller (WLC-9800-2), and from the Actions drop-down list, choose , you can see additional information about the Catalyst 9800-40 Wireless Controller HA SSO pair.
|
Provision the Cisco Catalyst 9800-40 Enterprise Wireless Controller HA SSO Pair
The following steps explain how to provision the corporate wireless profile to the Cisco Catalyst 9800-40 enterprise Wireless Controller HA SSO pair, known as Cisco Catalyst 9800-40-CVD.cagelab.local.
Procedure
Step 1 |
From the top-left corner, click the menu icon and choose . The main provisioning window displays the devices in the inventory. By default, Inventory is chosen from the Focus drop-down list. |
||||||||||||||||||||||||||||||||
Step 2 |
Locate and check the check box for C9800-40-CVD.cagelab.local. |
||||||||||||||||||||||||||||||||
Step 3 |
From the Actions drop-down list, choose . You are taken through a four-step workflow for provisioning the enterprise wireless controller HA SSO pair (C9800-40-CVD.cagelab.local), starting with Assign Site. |
||||||||||||||||||||||||||||||||
Step 4 |
In the Assign Site window, click Choose a Site. A slide-in pane is displayed, which shows the site hierarchy configured for Catalyst Center. For this deployment guide, the enterprise wireless controller HA SSO pair (C9800-40-CVD.cagelab.local) is assigned to the building level. |
||||||||||||||||||||||||||||||||
Step 5 |
Expand the site hierarchy for Milpitas and choose Building 23.
|
||||||||||||||||||||||||||||||||
Step 6 |
Click Save to assign C9800-40-CVD.cagelab.local to Building 23. |
||||||||||||||||||||||||||||||||
Step 7 |
Click Next. The Configuration window is displayed. |
||||||||||||||||||||||||||||||||
Step 8 |
In the Configuration window, choose Active Main for the wireless controller Role. |
||||||||||||||||||||||||||||||||
Step 9 |
Click Select Primary Managed AP locations. The Managed AP Location slide-in pane is displayed, showing the site hierarchy for Catalyst Center. Catalyst Center supports the ability to configure N+1 redundancy for APs and HA SSO for a wireless controller. As a result, you can configure both primary and secondary managed AP locations. Primary managed AP locations are sites that include buildings and/or floors, where the wireless controller will serve as the primary wireless controller within the AP high availability configuration. Secondary managed AP locations are sites where the wireless controller will serve as the secondary wireless controller within the AP high availability configuration. If the primary wireless controller or wireless controller HA SSO pair fail, APs will reestablish CAPWAP connections to the wireless controller. For this guide, the Catalyst 9800-40 Wireless Controller HA SSO pair (C9800-40-CVD.cagelab.local) will be the primary wireless controller, managing APs on Floors 1 and Floor 2 of Building 23 and Building 24. No secondary managed AP locations will be configured because the wireless controller HA SSO pair already provides redundancy in a campus network, where all the APs are operating in a centralized mode deployment. |
||||||||||||||||||||||||||||||||
Step 10 |
Expand the site hierarchy and choose Floors 1 and Floor 2 for Building 23 and Floors 1 and Floor 2 for Building 24. |
||||||||||||||||||||||||||||||||
Step 11 |
Click Save. Because you have selected this wireless controller to be an Active Main wireless controller, additional fields are displayed. The corporate wireless profile has defined the enterprise SSID as lab3employee and the wireless interface on which the SSID terminates as employee on VLAN ID 160, so this enterprise SSID and wireless interface will be automatically displayed. Likewise, because the corporate wireless profile has defined the guest SSID as lab3guest and the wireless interface on which the SSID terminates as guest-dmz on VLAN ID 125, this information will also be automatically displayed. |
||||||||||||||||||||||||||||||||
Step 12 |
Enter the values for IP address, Gateway IP address, LAG/Port Number, and Subnet Mask (in bits) for each SSID. The following table shows the values entered for this deployment guide.
|
||||||||||||||||||||||||||||||||
Step 13 |
Click Next. The Advanced Configuration window is displayed. If you have configured a template within the Template Editor for the device type and the site, you can apply the template here. This deployment guide does not discuss the use of templates for advanced configuration of the Catalyst 9800-40 wireless controller HA SSO pair (C9800-40-CVD.cagelab.local). |
||||||||||||||||||||||||||||||||
Step 14 |