© 2018 Cisco and/or its affiliates. All rights reserved.
Nicholas Swiatecki, Systems Engineer
November 2018
Tech Update – Wireless
Agenda
• Software versions
• 802.11ax / WiFi 6 + WPA3
• New in 8.8
• Catalyst 9800
New Cisco Catalyst 9800 Series Wireless Controllers
Deploy Anywhere
• On-Prem, Private/Public cloud, Embed in a Switch
• Gov Cloud ready
• Scale as you grow
Always-on
• Software updates with no disruption
• Rolling AP upgrades
• Seamlessly add new APs
Secure
• Detect encrypted threats with ETA
• Automated macro/micro segmentation with SDA
• WPA3 Support*
*Future
Powered by IOS XE
Open and Programmable
Trustworthy Solutions
Modular operating system
Cisco Catalyst 9800 Wireless - Platform Support
Wireless Controller
• Cisco Catalyst 9800 Wireless Controller: C9800-40-K9, C9800-80-K9
• Cisco Catalyst 9800 Wireless Controller for Cloud: C9800-CL-K9
• Catalyst 9800 SD-Access Embedded Wireless
Access Points
• 11ac Wave 1 and Wave 2 Access Points: AP18xx, 2802, 3802, 4800, 1540, 1560, 1700, 2700, 3700, 1570
• Pictured: AP1810, AP1815, AP1830, AP1850; AP2800/AP3800/AP4800; AP1540/AP1560
Deployment Modes: Centralized, Distributed Branch, SDA and Mobility Express (Future)
AP Modes: Local, FlexConnect, Monitor, Mesh^, Flex+Mesh^, Sensor, Sniffer
*GCP in 16.10 is EFT Only
^ Supported on Wave 1 and outdoor Wave 2 APs
Always on - High Availability
Cisco Catalyst 9800 Wireless Controller Differentiators
Reducing downtime for Upgrades and Unplanned Events
Legend: 16.10 Supported; Supported after 16.10
Controller Software Update: Software Maintenance updates (SMU^)
• Cold Patch: HA install on SSO Pair
• Hot Patch (No Wireless Controller reboot): Auto Install on Standby
Access Point Updates: New AP Model & AP updates*
• AP Device Pack: New AP Model
• Flexible: Per-Site, Per-Model Updates
• Rolling AP Update (No Wireless Controller Reboot)
Software Image Upgrades: Wireless controller image upgrades
• N+1 Hitless Rolling AP Upgrade
Unplanned Events: Device and network interruptions
• SSO Active-Standby
• N+1 Primary, Secondary
• Per AP Primary, Secondary, Tertiary
^ MD Release Only
Deploy anywhere*
• Catalyst 9800-80: 6000 APs, 64K Clients, 80 Gbps
• Catalyst 9800-40: 2000 APs, 32K Clients, 40 Gbps
• Catalyst 9800-CL: 6000 APs, 64K Clients^
• Catalyst 9800-CL+: 1000 APs, 10K Clients
• Catalyst 9800-SW*: 200 APs, 4K Clients
• Catalyst 9800-CL: 3000 APs, 32K Clients
Scale points shown: 200 APs, 1000 APs, 2000 APs, 3000 APs, 6000 APs
* SD-Access only
+ C9800-CL for Public Cloud with FlexConnect; GCP for EFT only
^ Centralized support for 6000 APs in Future
GCP - EFT ready
SD-Access Ready
ENCS
SDA only
Cloud Wireless offer – FCS 16.10
ISE / AD DNA Center
ASSURANCE
AUTOMATION
DNAC 1.2.8 / W1 & W2 802.11ac APs
Internet
Public Cloud
AD
Managed VPN
Enterprise network
NFVIS
ENCS
Hypervisors: ESXi, KVM, NFVIS on ENCS
All deployment modes: Centralized, SDA, FlexConnect, Mesh
ESXi
W1 & W2 802.11ac APs
Amazon AWS, Google GCP (EFT Only) with Managed VPN
FlexConnect local switching only
Google Cloud Platform (EFT only)
ISE/AAA
C9800-CL vs. AireOS vWLC
C9800-CL brings in the best of appliance features to Private Cloud
Feature | AireOS vWLC | C9800-CL
SSO High Availability | No | Yes
Deployment Modes | Flex Only | Flex, Local, Fabric
Guest Anchor | No | Yes
DNA-C Automation & Assurance | No | Yes
Max Throughput | 500 Mbps | 2.5 Gbps
Max AP and Client Scale | 3k APs, 32k Clients | 6k APs, 64k Clients
Installation Image | Multiple | Single for any scale
Introducing ETA on Cisco Catalyst 9800 Series
• Enhance Visibility
• Promote Compliance
• Shorten Time to Response
• Save Time & Money
Malware detection and cryptographic compliance on Cisco Stealthwatch
Diagram labels: Encrypted Wireless Traffic; Netflow Telemetry; Cisco Stealthwatch®
Supported on Catalyst 9800 Series Wireless Controller in Centralized Wireless Deployment
Portability with DNA licenses
Seamlessly migrate existing DNA enabled customers to Catalyst 9800 Wireless Controllers
Diagram labels: Any AireOS Wireless Controller; Catalyst 9800 Series Wireless Controllers
• Mandatory DNA Licensing: Seamless portability & investment protection with DNA Licensing
• Smart License Management: DNA License consumption & tracking with Smart Licensing and mandatory Smart Accounts
*GCP EFT Only
Catalyst 9800 Series Wireless Controller availability / release timeline
November 2018
December 2018
March 2019
• Orderable: C9800-40, C9800-80, C9800-CL*, C9800-SW, C9800 Modules
• Downloadable / Deployable: C9800-CL, C9800-SW
• 16.10.1 Release: Enterprise Ready
• DNA 1.2.8 Release: C9800 ready
• 16.11.1 Release
• DNA 1.3 Release: Enhanced C9800 Flows
• FCS: C9800-40, C9800-80, C9800 Modules
*GCP for EFT only
Rolling AP Update/Upgrade Infrastructure
Neighbor Marking
User selects % of APs to upgrade in one go [5, 15, 25]
• For 25%, Neighbors marked = 6 [Expected number of iterations ~ 5]
• For 15%, Neighbors marked = 12 [Expected number of iterations ~ 12]
• For 5%, Neighbors marked = 24 [Expected number of iterations ~ 22]
Figure panels: N=4 Neighbor APs; N=8 Neighbor APs; N=24 Neighbor APs
Client Steering
802.11v
• Clients steered from candidate APs to non-candidate APs
• 802.11v BSS Transition Request
• Disassociation imminent
• If clients do not honor this, they will be de-authenticated before AP reload
Using Rolling AP Infrastructure
Hitless N+1 Image Upgrade
N+1 Rolling AP Upgrade
Wireless Controller image upgrade using N+1 staging Controller
1. Device auto selects candidate APs based on selected % and RRM AP Neighbor Map
2. Upgrade process kicks in
• Image download to Primary Wireless Controller
• Image pre-download to APs
• Selective redirect of clients using 11v
• APs moved to N+1 Wireless Controller in rolling manner
• Primary Wireless Controller Reboot
• APs moved back to Primary Wireless Controller (optional)
3. Monitor progress on the Device
Diagram labels: AP; Primary; Upgraded N+1; Version: X; Version: X+1; Trigger Rolling Upgrade; Mobility Group
Benefits of New Config Model
• Reusability: Config modularized as objects
• Simplicity: No inheritance or containers
• Easy Provisioning: With AP attribute Tagging
• Rule-based: Using rules on PnP and Wireless Controller
• Change Management: MAC, Location, Name filtering
What are we trying to avoid?
AireOS vs. Catalyst 9800 Config Model: Granular & simplified
What Policies on which Sites with what RF characteristics
Going towards a more modularized and reusable model with logical decoupling of configuration entities
[Figure: the AireOS Config Model (WLAN, AP Group, Flex Group, RF Profile) is decoupled and modularized into Catalyst 9800 profiles (WLAN Profile, Policy Profile, AP Join Profile, Flex Profile, RF Profile for b/g and a/n/ac) grouped under a Policy Tag, a Site Tag and an RF Tag. Settings shown: Basic Wireless, Advanced Wireless, Wireless Security, Switching Policy, Network Policy; wireless site settings and site-specific policies; remote site config and remote site parameters; High Density HDX, Data Rates, DCA, TPC, CHDM, profile threshold for traps, client distribution.]
• Tag = collection of profiles
• 3 types of tags:
• Site
• RF
• Policy
Cisco Catalyst 9800 Wireless Config Model
• Policy Tag (WLAN Profile, Policy Profile): Defines the broadcast domain (list of WLANs to be broadcasted) with the properties of the respective SSIDs
• Site Tag (AP Join Profile, Flex Profile): Defines the properties of the central and the remote site APs
• RF Tag (RF Profile 2.4 GHz, RF Profile 5 GHz): Defines the RF properties of the network
Access Points
Components of Policy Tag
• WLAN Profile
• Policy Profile

Components of Policy Profile
• VLAN – Mgmt. VLAN
• Session timeout – 1800
• Idle timeout – 300
• AVC profile – null
• Client QoS (input and output) – default
• BSSID QoS (input and output) – default
• ACL – None
• Local switching – disabled (all other related parameters are disabled)
• Central switching – enabled
• Central DHCP – disabled
• Central Assoc – disabled
• Central Authentication – enabled
• Local profiling – disabled
• Policy map – none
• Authentication – Central

Components of WLAN Profile
• Profile Name
• Status
• WLAN ID
• SSID
• Broadcast SSID
• L2 Security
• L3 Security
• AAA Servers
• Coverage Hole detection
• Aironet IE
• Diagnostic Channel
• P2P blocking
• Max Client connections
• 11v BSS transition Support
• Off channel Scan defer
• Load Balance
• Band Select

Components of Site Tag
• AP Join Profile
• Flex Profile

AP Join Profile - defaults
• LED state – Enable
• Heartbeat timer – 30 secs
• Primary discovery timer – 120 sec
• Primed join timeout – 0 seconds
• Discovery timeout – 10 secs
• Fast heart beat timer – 1 sec
• Fast heart beat – disabled
• TCP/MSS – enabled (set to 1250)
• Retransmit count – 5 secs
• Retransmit interval – 15 secs
• Dot1x authentication – disabled
• UDP lite – disabled
• 11u venue group – unspecified
• Username/password – “current default”
• Preferred mode – IPV4
• 11u venue type – unspecified
• Client QinQ – disabled
• DHCP QinQ – disabled
• Reset – Disable
• Static nameserver/domain name – current default
• Backup primary/secondary – current default
• Core dump – “current default”
• Syslog – “current default”
• Hyperlocation – disable

Components of Flex Profile
• Native VLAN ID
• HTTP Proxy Port
• HTTP Proxy IP Address
• Fallback Radio Shut
• ARP Caching
• Efficient Image Upgrade
• Local Authentication
• Local Auth Users
• Policy ACL
• VLAN Name and ID

Components of RF Tag
• RF Profile 2.4 GHz
• RF Profile 5 GHz

Components of RF Profile
• Data Rates
• MCS Settings
• Maximum and Minimum Power Level Assignment
• Power Threshold v1/v2
• DCA Channel Width
• DCA Foreign AP Interference Avoid Enable
• DCA Channel list
• Coverage Hole Detection Parameters (Data/Voice RSSI, Coverage Exception, Coverage Level)
• Profile Threshold for Traps (Interference/Clients/Noise/Utilization)
• Maximum Clients
• Multicast Data Rates
• Rx Sop Threshold
• Load Balancing (window & denial)
• Band Select Parameters (Applicable only for 802.11bg)
Use case: Central site – Default config with minimal changes
• 1-step configuration: Create SSID [1-16]
• Default Policy Tag is used
• Default Site Tag is used
• Default RF Tag is used
• APs tagged with defaults automatically
Diagram labels: Default Policy Tag (WLAN, Default Policy Profile); Default Site Tag (Default AP Join Profile); Default RF Tag (Default RF Profile)
Legend: Policy Tag (WLAN Profile, Policy Profile); Site Tag (AP Join Profile, Flex Profile); RF Tag (RF Profile 2.4 GHz, RF Profile 5 GHz)
Use Case: Central Site University Environment
Requirements
1. Classrooms have University SSIDs for students and teachers
2. Dorms to broadcast the above plus guest SSIDs
3. Dining Hall to broadcast the above plus guest SSIDs
4. Same policies across campus
5. The RF characteristics of the Dining Hall are different from those of the classroom (default RF) and the dorm (dorm RF)
Diagram labels: Classroom, Dorm, Dining Hall; Classroom RF Tag, Dorm RF Tag, Dining Hall RF Tag; Default Site Tag; Default AP Join Profile; Default Policy Tag; University SSID with Default Policy Profile; Guest SSID with Guest Policy Profile
Use Case: Multi-site Retail Environment
Initial Requirements
1. All sites should broadcast the same common SSID ‘Store’
2. All the sites should have the same policies per SSID
3. Roaming is expected per store/flex-grp
4. All sites should have the same Site parameters
Diagram labels: Site 1, Site 2, Site 3 (seamless roaming within site); Store Policy Tag (Store WLAN profile, Store policy profile); Common RF Tag; Common Flex Profile
Use Case: Multi-site Retail Environment
Additional Requirements
1. APs near the freezer need to have a different RF policy
2. Sites 2 and 3 additionally have ‘Guest’ SSIDs
3. Independent per-site parameters
Diagram labels: Site 1, Site 2, Site 3 (seamless roaming within site); Site 1 Tag, Site 2 Tag, Site 3 Tag; Store section RF, Store RF Tag; Freezer section – different RF characteristics, Freezer RF Tag; Common RF Tag; Store WLAN profile with Common policy profile; Guest WLAN profile with Common policy profile
Use Case: Multi-site Retail Environment
Additional Requirements
• The common SSID needs to have store-specific policies
Diagram labels: Site 1, Site 2, Site 3 (seamless roaming within site); Site 1 Tag, Site 2 Tag, Site 3 Tag; Store section RF, Store RF Tag; Freezer RF Tag; Common RF Tag; Store WLAN profile with Store1 policy profile; Store WLAN profile with Store2 policy profile; Store WLAN profile with Store3 policy profile; Guest WLAN profile with Guest policy profile
Integrating with existing AireOS Deployments
Inter Release Controller Mobility (IRCM) for AireOS and Catalyst 9800
IRCM: AireOS and Cisco Catalyst 9800
Seamless roaming between Catalyst 9800 and AireOS 8.8 MR2 (3504/5520/8540)
Also supported on AireOS 8.5MR4 Special
Diagram labels: Catalyst 9800 Deployment; AireOS Deployment; AireOS WLC (AireOS 8.8 MR2); Secure Mobility (CAPWAP); Seamless roaming, L3 only
IRCM: AireOS and Cisco Catalyst 9800
Enabling seamless roaming across Campus
Upgrade only the AireOS controller in the roaming path
Diagram labels: Catalyst 9800 Deployment; AireOS Deployment (8.8 MR2); AireOS WLC 8.8 MR2; AireOS WLC; Secure Mobility (CAPWAP); EOIP-based Mobility; Seamless roaming, L3 only; Seamless roaming, L2 and L3
Guest: AireOS and Cisco Catalyst 9800
Upgrade the AireOS Guest Anchor to 8.8 MR2 (on 3504/5520/8540) and manage both Catalyst 9800 and AireOS Foreign
Diagram labels: Catalyst 9800 Deployment; AireOS Deployment; AireOS WLC; AireOS Guest Anchor (AireOS 8.8 MR2); Guest Anchor; Secure Mobility (CAPWAP); EOIP-based Mobility
Software Versions
• 8.2 – No more MRs
• 8.3 – No more MRs (possibly a PSIRT roll-up in April)
• 8.5 – “long life”, MRs until 2020. MR4 out now!
• 8.8 – Next “long-life” MR.
• 8.9 – Early 2019
• 16.10.1 out now – take note!
• 16.11.x expected in March. Feature parity with 8.8
TAC-recommended SW versions
8.3: “TAC recommends 8.3.143.0”. Use only if old APs still need to be supported
8.5 - Generally recommended
• AireOS 8.5.135.0. ”Customers who do not require any post-8.5 features or hardware should stay with the 8.5 train”.
• 20/11: ”fifth & final refresh of 8.5MR4 Interim version 8.5.137.107 for PRODUCTION deployments”
• Used at the Cisco Live events in 2018 as well as MWC
Mobility Express: 8.5.135.0 (though many great features in 8.8)
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc2
APs and Controllers
• 1131/1242 (EOL/LDOS): 8.0 (EOL)
• 1142/1260 (EOL/LDOS): 8.3
• 3500, 1600, 2600, 3600 (EOS): 8.5
• 1700, 2700, 3700 (EOS 04/19): 8.5
• 1800, 2800, 3800: 8.5
• 1540, 1815m and 1815t: 8.5
• 4800: 8.7/8.8
• 2504/5508/8510 (EOS) + WISM2/7510 (EOS): 8.5 (last release)
• 3504: Starts at 8.5
• 5520/8540: 8.5
• 9800: Starts at 16.10.1
AireOS 8.8 (and 8.7)
New in 8.7 + 8.8
In general, a great deal is new for Wave 2 APs, including:
• Daisy Chain support for AP 1560 and 1542I/D
• Wave 2 APs:
  - Bidirectional Rate limiting - Flex
  - Support for DHCP Opt 60
  - Support for Remote LAN (RLAN) on Aux port
  - Support for Wired 802.1x EAP-TLS & PEAP
  - Flex+Bridge support
  - IPv6 SDA + Outdoor AP SDA Support
  - FlexConnect Split-tunneling support
  - Planned for MR1: WGB support on models 3800/2800/1562
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201007-AireOS-feature-list-per-release.html#anc8
Encryption on the RP interfaces in rel 8.8
Encrypted Redundancy Link between two controllers in HA mode
Policy Enforcement and Quota management
Quota Policy Enforcement (8.8)
• Wireless clients are allotted a QoS policy and data rate limits on authenticating with the AAA server.
• The WLC does not support dynamic ‘run-time’ policy enforcement, as the client gets new policies during full authentication.
• RFC 5176 allows dynamic rate limiting using a Change-of-Authorization (CoA) request / response.
• End clients get provisioned with the maximum allotted quota by service providers, based on prepaid / postpaid data plans.
• External billing servers notify AAA on reaching the maximum data limit on a per-client basis.
Policy Enforcement Use Case
• A Service Provider had a requirement to manage Policy and Quota dynamically, on the fly, without disconnecting the wireless customer
• Prior to release 8.8 our controller didn’t accept TLVs (Type-Length-Value) from the Accounting or Billing servers dynamically in real time, and thus users had to be disconnected when the quota was exceeded
Quota Management
The WLC will accept the RADIUS user Change of Authorization (CoA) request and allocate a different quota to the same user without disconnecting the user
• AP monitors the bandwidth usage and reports the statistics to the controller
• The controller sends the Interim update to the RADIUS server for IPv4 and/or IPv6 users
• If the SP-allotted quota is exhausted, AAA sends a CoA to change the policy to a different default plan (CoA override)
• A client gets moved to a new lower plan without being disconnected from the network
This feature is supported in:
• Local and Bridge (Central Switching)
• Flex and Flex+Bridge (Local Switching)
CoA GUI Configuration
AAA will respond with Access-Accept with the new policy on rate/bandwidth enforcement
WLC will forward these new QoS parameters to the AP using the existing AP_AAA_QOS_PARAMS_PAYLOAD
AP will apply the new QoS values to the flex local switched client.
There will not be any Disassociation / De-Authentication message sent from WLC or AP to the end client
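How a receiver of the CoA described above can authenticate the request before applying a new policy, as an added example that is not from the slides or from Cisco's code: it follows the RFC 5176 packet layout (code 43, MD5 request authenticator computed over a zeroed authenticator field) and walks the attribute TLVs with bounds checks. The shared secret, the subscriber values and the `example-plan=reduced` AV pair are constructed placeholders, not real Cisco attribute names.

```python
"""Validate an RFC 5176 CoA-Request and parse its TLVs (added illustration)."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK = 43, 44              # RFC 5176 packet codes
USER_NAME, CALLING_STATION_ID, VENDOR_SPECIFIC = 1, 31, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1       # vendor 9, sub-attribute 1


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    sub = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def parse_attributes(data: bytes) -> list:
    """Walk the TLVs, rejecting lengths that under- or overrun the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def verify_coa_request(packet: bytes, secret: bytes) -> list:
    """Return the attributes of an authentic CoA-Request, else raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        raise ValueError("not a CoA-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    packet = packet[:length]               # ignore padding past Length
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("request authenticator mismatch")
    return parse_attributes(packet[20:])


def accepts(packet: bytes, secret: bytes) -> bool:
    try:
        verify_coa_request(packet, secret)
        return True
    except ValueError:
        return False


def cisco_avpairs(attrs: list) -> list:
    """Extract Cisco AV-pair strings from parsed Vendor-Specific attributes."""
    pairs = []
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID and value[4] == CISCO_AVPAIR:
            pairs.append(value[6:4 + value[5]].decode())
    return pairs


def build_coa_ack(request: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", COA_ACK, request[1], 20)
    # Response Authenticator = MD5(header + request authenticator + secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


# Constructed sample data (placeholders, not captured traffic).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = (attr(USER_NAME, b"subscriber-0001")
                + attr(CALLING_STATION_ID, b"aa-bb-cc-00-00-01")
                + cisco_avpair("example-plan=reduced"))
SAMPLE_REQUEST = build_coa_request(7, SAMPLE_ATTRS, SAMPLE_SECRET)

if __name__ == "__main__":
    print(cisco_avpairs(verify_coa_request(SAMPLE_REQUEST, SAMPLE_SECRET)))
```
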
Captive Portal with Multiple Splash Pages per WLAN
Captive Portal – Multiple Splash Pages on the same WLAN (8.8)
This feature allows users to have multiple splash pages per WLAN / AP Group / Flex Group.
Users can have different splash pages in different locations, based on FlexConnect (FC) or AP grouping.
• If both WLAN and AP group configurations do not override it: Global URL config used
• If either WLAN or AP group configuration overrides the global config: Specific URL used
• If both WLAN and AP group configurations override the global config: AP Group URL used
Captive Portal Use Case
• A Service Provider had an issue where they had to utilize hundreds of Captive Portals without AAA override in different geo-locations
Captive Portal – WLAN Override Global Configuration
Captive Portal – AP Group Override Global Configuration
(WLC)config wlan apgroup custom-web global <apgroup_name> enable/disable
(WLC)config wlan apgroup custom-web ext-webauth-url add/del <ext-webauth-url> <apgroup_name>
Default DSCP Value for AVC Profile
Prior to release 8.8, with AVC enabled, DSCP values could not be overridden for all applications, only for the application flows configured in the AVC profile.
For a flow where a rule is not configured in the AVC profile, NO action is performed and the DSCP is left intact.
An AVC profile supports 32 application rules, which is not sufficient for typical managed services flows.
The new AVC enhancement allows a “default-class” rule to override the DSCP values for all application flows where an AVC rule is not configured.
"default-class" acts like a last rule with Any/Any conditions.
AVC Default DSCP Use Case
• Many apps come in but we can only control 32; the rest are not controlled and their DSCP values are left intact
• Other, non-controlled applications can starve wireless bandwidth
• This new feature will override the default DSCP values, acting like a last rule with an Any/Any condition
Identity PSK (iPSK) – from 8.5
One SSID, multiple PSK keys
Device MAC Group | Private PSK
IOT Devices | aabbcc
Sensors | xxyyzz
Employees | ---
RADIUS attributes (ISE):
Cisco-AVPair += "psk-mode=ascii"
Cisco-AVPair += "psk=xxyyzz"
Diagram labels: ISE; Wireless LAN Controller; Access Point; WLAN PSK; IOT Devices (aabbcc); Sensors (xxyyzz); Employees
P2P blocking between iPSK groups (8.8)
• Intra-group traffic can be blocked or allowed
• Group membership is based on the PSK
iPSK config
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_Identity_PSK_Feature_Deployment_Guide.html
P2P Blocking with iPSK on Flex Connect APs
If the P2P blocking configuration in the WLAN is set to ‘Allow Private Group’, the AP data plane will:
• Forward the traffic upstream - if the destination MAC is found in the PMK cache and the devices have the same Tag values, but are not associated to the same AP
• Forward the traffic upstream - if the destination MAC is NOT found in the PMK cache
• Bridge the traffic - if the devices have the same Tag values, the destination MAC is found in the PMK cache, and both are associated to the same AP
• Drop the traffic - if the destination MAC is found in the PMK cache and the devices have different Tag values
8.8 MR2
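The four forwarding rules above, written out as an added example (not Cisco's AP code and not part of the original slides), so the segmentation outcome can be checked per client pair. The `PmkEntry` record, the PSK-derived group tag and the sample clients are assumptions constructed for illustration; the PSK strings are the ones shown on the iPSK slide.

```python
"""'Allow Private Group' P2P decision on a FlexConnect AP (added illustration)."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    FORWARD_UPSTREAM = "forward upstream"
    BRIDGE = "bridge on the AP"
    DROP = "drop"


@dataclass(frozen=True)
class PmkEntry:
    """Hypothetical PMK cache record: group tag plus the AP serving the client."""
    tag: str
    ap: str


def normalize_mac(mac: str) -> str:
    """Accept aa:bb.., AA-BB.. or aabb.cc.. notation; return 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def group_tag(psk: str) -> str:
    # Assumption: the tag is derived from the PSK, so clients that were
    # handed the same private PSK land in the same group.
    return hashlib.sha256(psk.encode()).hexdigest()[:8]


def build_cache(clients) -> dict:
    """clients: iterable of (mac, psk, ap) tuples."""
    return {normalize_mac(mac): PmkEntry(group_tag(psk), ap)
            for mac, psk, ap in clients}


def p2p_decision(cache: dict, local_ap: str, src_mac: str, dst_mac: str) -> Action:
    src = cache.get(normalize_mac(src_mac))
    if src is None or src.ap != local_ap:
        # Assumption: the AP only evaluates frames from its own clients.
        raise ValueError("source is not a client of this AP")
    dst = cache.get(normalize_mac(dst_mac))
    if dst is None:
        return Action.FORWARD_UPSTREAM      # destination not in PMK cache
    if dst.tag != src.tag:
        return Action.DROP                  # different iPSK groups
    if dst.ap == local_ap:
        return Action.BRIDGE                # same group, same AP
    return Action.FORWARD_UPSTREAM          # same group, different AP


def decide_all(cache: dict, local_ap: str, frames) -> list:
    """frames: iterable of (src_mac, dst_mac); returns the action per frame."""
    return [p2p_decision(cache, local_ap, s, d) for s, d in frames]


# Constructed sample clients: (MAC, private PSK, serving AP).
SAMPLE_CLIENTS = [
    ("AA:BB:CC:00:00:01", "xxyyzz", "ap1"),   # sensor on ap1
    ("aa-bb-cc-00-00-02", "xxyyzz", "ap1"),   # sensor on ap1
    ("aabb.cc00.0003", "xxyyzz", "ap2"),      # sensor on ap2
    ("aa:bb:cc:00:00:04", "aabbcc", "ap1"),   # IoT device on ap1
]

if __name__ == "__main__":
    cache = build_cache(SAMPLE_CLIENTS)
    src = "aa:bb:cc:00:00:01"
    for dst in ("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03",
                "aa:bb:cc:00:00:04", "de:ad:be:ef:00:01"):
        print(dst, "->", p2p_decision(cache, "ap1", src, dst).value)
```
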
802.11ax (WiFi 6) + WPA3
802.11ax (WiFi 6)
• Clients expected after summer 2019
• WFA WiFi 6 = 2019Q3
• 802.11ax final standard = end of 2019
• “Inflection point” for clients = 2020
WPA3
• Around mid-2019
• No clients yet
• x800 series APs (because of crypto)
The industry’s most comprehensive and innovative access point portfolio
The best infrastructure leads to the best outcomes
Tiers: Good - Enterprise class (ideal for small to medium-sized deployments); Better - Mission critical; Best in class - High density

1815 Series: Indoor / high-powered indoor / wall plate / teleworker
• 2x2:2 SS 80 MHz
• 867 Mbps performance
• Tx beamforming
• Integrated BLE [1]
• Max transmit power (dBm) per local regulations [2]
• 3 GE local ports, including 1 PoE out [3]
• Local ports 802.1X ready [3]
• USB 2.0 [4]

1830/1850 Series
• 3x3:2 SS 80 MHz / 4x4:3 SS 80 MHz
• 867 Mbps or 1.7 Gbps performance
• 1 or 2 GE ports uplink
• Internal or external antenna (1850)
• Tx beamforming
• USB 2.0

2800 Series
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink
• Cisco CleanAir® and ClientLink
• Internal or external antenna
• Smart antenna connector
• USB 2.0

3800 Series
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 Multigigabit (5G)
• Cisco CleanAir and ClientLink
• StadiumVision™
• Internal or external antenna
• Smart antenna connector
• USB 2.0
• Modularity for investment protection

4800
• 4 embedded radios (3 Wi-Fi and 1 BLE)
• 4x4:3 SS 160 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2 GE ports uplink or 1 GE + 1 Multigigabit (5G)
• Embedded Hyperlocation
• Real-time analytics and packet capture
• Cisco CleanAir and ClientLink
• Internal antenna
• USB 2.0
• Integrated BLE

[1] Future availability
[2] Available for high-powered only
[3] Available for wall plate and teleworker only
[4] Available for teleworker only
AP-4800 is more advanced than the AP-3800
Similar to the AP-3800i, but it has an additional Flexible Radio for Analytics + Advanced Hyperlocation antenna array
• Location antenna array is now integrated
• Bluetooth Low Energy radio is now integrated
• Embedded analytics/location radio is now integrated
Diagram: Hyperlocation antenna array + DNA Analytics, Monitoring and Location Radio = AP-4800
Best in Class
Radio 0: Dual band (2.4GHz/5GHz) (XOR) radio
Radio 1: Dedicated 5GHz radio
Radio 2: Hyperlocation Rx only (XOR) radio
AP-4800 Integrating Proven Technology
AP-4800 Antenna System
A – 2.4/5GHz Macro Cell, Wide Coverage (4 antennas)
B – Monitor / Sniffer (4 antennas)
C – Bluetooth Low Energy, BLE Beacon on Tx (1 antenna)
D – Hyperlocation Array (16 antennas) for Precise Location
E – 5GHz Micro Cell, High Density Coverage (4 antennas)
▪ Full 2.4 and 5 GHz sweeps
▪ Client Serving on Slot 0 and Slot 1
2800/3800 series APs - Dual 5 GHz Client Serving Role: Metageek/Spectrum Expert Enabled!
4800 series APs only - Same as WSM on Slot 2/Hyperlocate Radio: Metageek/Spectrum Expert Enabled!
Figure labels: Hyperlocation; Hyper 5 GHz; Hyper 2.4 GHz
AP4800 mounting
Dimension | AP4800 | AP3800i
Length | 251.46mm | 219.96mm
Width | 220.47mm | 220.47mm
Thickness | 72.9mm | 62.48mm
Weight | 2.54 kg | 2.09 kg
Uses the standard “Bracket-1” and “Bracket-2”
Deployment Recommendations AP-3800 & AP-4800
• Greenfield – Install new AP-4800’s
• Brownfield – do not “salt and pepper” 3800s & 4800s; keep like devices together. This will allow for better accuracy when using DNA features such as “Intelligent Capture”.
• Use AP3800e for applications requiring external antennas
• Use AP3800e for designs requiring Macro/Macro cells
• Use AP3800i/e for designs requiring modularity support