Cisco 9800 WLC best practices.
When you configure a 9800 WLC from scratch there are a few things you need to know and a few things that are considered best practice.
WLC tags
The 9800 WLC was built from scratch to supersede the long-standing Cisco Aironet WLC. The C9800 WLC is all about its configuration model: profiles and tags. Profiles (Policy, AP Join, and Radio Frequency (RF)) and tags are the new configuration constructs, and profiles are assigned via tags. Every AP needs to be assigned the three AP tags (Policy, Site, RF).
Naming convention in the WLC
Using good naming conventions will save you a lot of time when troubleshooting. For the tags, start with the tag type: RF_ for the RF tag, ST_ for the site tag, and PT_ for the policy tag. When creating tags use underscores or dashes (_ -). This helps you select the whole name with a double-click for copying/pasting in text editors and client terminals.
WLC trustpoint best practice
Another 9800 WLC best practice is to check your trustpoint for the WMI (Wireless Management Interface). Without it the APs won't be able to join the management interface. Physical boxes have it built in. You can view it by entering:
show wireless management trustpoint
show crypto pki trustpoints
The management trustpoint should be set to "CISCO_IDEVID_SUDI".
You can set it again by using the following commands:
no wireless management trustpoint
wireless management trustpoint CISCO_IDEVID_SUDI
On a virtual 9800-CL (cloud WLC) we need to generate it, and if it is not automatically associated to the WMI, we need to do it manually. First create the trustpoint:
wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <OUR_PWD>
show wireless management trustpoint
show crypto pki trustpoints
Increase the consistency of GUI access
It is also a Cisco 9800 WLC best practice to increase the "consistency" of GUI access: we can pin a trustpoint (to keep it simple, it could be the same one as the WMI) as well as a source interface for all HTTPS admin traffic.
no ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint <HTTPS_TRUSTPOINT>
ip http client source-interface VlanX
Time stamps in the 9800 WLC
For easier troubleshooting of logs and debugs, the correct time is very important.
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
Avoid stale SSH and HTTPS sessions
To avoid "stale" SSH/HTTPS sessions to your C9800 WLC it is best practice to set the keepalive timers:
service tcp-keepalives-in
service tcp-keepalives-out
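As an added example (not code from this article or from Cisco), the following Python script audits a running-config excerpt against the settings from the trustpoint, HTTPS, timestamp and keepalive sections above, reporting what is missing and what should be removed. The WEAK_CONFIG and HARDENED_CONFIG texts are constructed to resemble IOS-XE "show running-config" output and are not from a real controller; the line syntax follows the commands quoted in the article.

```python
"""Audit a C9800 running-config excerpt for the management-plane settings
covered above: WMI trustpoint, HTTPS-only GUI with a pinned trustpoint,
msec/localtime log timestamps and TCP keepalives.

Added example, not Cisco code.  The config text is constructed to look like
IOS-XE 'show running-config' output.
"""
import re
from typing import Optional

# Constructed running-config excerpt: a box that still has plain HTTP on,
# no outbound keepalives and log timestamps without localtime.
WEAK_CONFIG = """\
!
service timestamps debug datetime msec localtime
service timestamps log datetime msec
service tcp-keepalives-in
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint CISCO_IDEVID_SUDI
!
wireless management interface Vlan10
wireless management trustpoint CISCO_IDEVID_SUDI
!
"""

# The same box after applying the commands from the article.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "service timestamps log datetime msec\n",
    "service timestamps log datetime msec localtime\n"
    "service tcp-keepalives-out\n",
).replace("ip http server\n", "no ip http server\n")

# (description, regex that must match a config line, remedy)
REQUIRED = [
    ("debug timestamps with msec and localtime",
     r"^service timestamps debug datetime msec localtime$",
     "service timestamps debug datetime msec localtime"),
    ("log timestamps with msec and localtime",
     r"^service timestamps log datetime msec localtime$",
     "service timestamps log datetime msec localtime"),
    ("inbound TCP keepalives", r"^service tcp-keepalives-in$",
     "service tcp-keepalives-in"),
    ("outbound TCP keepalives", r"^service tcp-keepalives-out$",
     "service tcp-keepalives-out"),
    ("local HTTP authentication", r"^ip http authentication local$",
     "ip http authentication local"),
    ("HTTPS server", r"^ip http secure-server$", "ip http secure-server"),
    ("pinned HTTPS trustpoint", r"^ip http secure-trustpoint \S+$",
     "ip http secure-trustpoint <HTTPS_TRUSTPOINT>"),
    ("wireless management trustpoint", r"^wireless management trustpoint \S+$",
     "wireless management trustpoint CISCO_IDEVID_SUDI"),
]

# (description, regex that must NOT match any config line, remedy)
FORBIDDEN = [
    ("plain HTTP server enabled", r"^ip http server$", "no ip http server"),
]


def _lines(config: str) -> list:
    """Strip indentation so the anchored regexes work on each config line."""
    return [line.strip() for line in config.splitlines()]


def management_trustpoint(config: str) -> Optional[str]:
    """Return the configured WMI trustpoint name, or None if absent."""
    for line in _lines(config):
        m = re.match(r"^wireless management trustpoint (\S+)$", line)
        if m:
            return m.group(1)
    return None


def audit(config: str) -> list:
    """Return one finding per deviation from the article's settings."""
    lines = _lines(config)
    findings = []
    for desc, pattern, remedy in REQUIRED:
        if not any(re.match(pattern, line) for line in lines):
            findings.append(f"MISSING {desc}: add '{remedy}'")
    for desc, pattern, remedy in FORBIDDEN:
        if any(re.match(pattern, line) for line in lines):
            findings.append(f"PRESENT {desc}: apply '{remedy}'")
    return findings


if __name__ == "__main__":
    for name, cfg in ("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG):
        print(f"{name}: trustpoint={management_trustpoint(cfg)}")
        for finding in audit(cfg) or ["no findings"]:
            print("  " + finding)
```

Paste the output of "show running-config" into the config string to run the same checks against a real box; the anchored regexes deliberately treat "no ip http server" as a different line from "ip http server", so a negated command never satisfies a required check by accident.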
9800 WLC SVIs
A Switch Virtual Interface (SVI) for the wireless management interface is recommended. Do not configure SVIs for client VLANs unless really needed (e.g., DHCP relay); this is different from AireOS, where a dynamic interface is required. In the 9800 architecture there should normally be only one SVI, and that is the WMI (Wireless Management Interface).
Connect the uplink ports in a port channel, configured as a trunk, to a pair of switches in StackWise Virtual or a similar technology. This is the same as the AireOS best practice.
A C9800-CL in the public cloud must use a single L3 port (not an SVI) and hence has the following feature limitation: no support for sniffer mode APs and Hyperlocation.
The default ARP behaviour of a 9800 WLC is to forward ARP traffic while changing the destination MAC from broadcast to unicast. Starting at code 17.3.1, the 9800 can be configured to act as an ARP proxy and respond on behalf of a registered client.
In the C9800, DHCP proxy is not needed, as IOS-XE has embedded security features like DHCP snooping, ARP inspection, etc. that don't require an L3 interface. DHCP bridging is the recommended mode and should be used if DHCP relay can be configured on the upstream switch or if the DHCP server is on the client VLAN. Here is an illustration:
Change the session timeout to 8 hours. The default session timeout in the policy profile is 30 minutes, and some clients don't like frequent re-authentication and re-keying; we have seen multiple issues, especially when roaming and re-keying happen at the same time. It also relieves the pressure on the AAA servers.
Keep your WLC resources clean best practices
APs are distributed across Wireless Network Controller daemon (WNCd) processes within a C9800. Distributing APs (and clients) across WNCd processes gives better scale and performance.
Since version 17.9.3 we can configure the expected AP load on a site tag. If you think the site will exceed 500 APs, or even 250, it is good to put in the expected AP load count. This way the WLC can distribute the site tag over more than one WNCd resource unit.
WNCd facilitates the efficient distribution of Access Points (APs) among session-handling processes, ensuring optimal performance and seamless connectivity.
Create custom site tags instead of using the default tags. This gives precise control over the assignment of APs, optimizing the WNCd processes for better performance.
Don't break the roaming experience: assign the same site tag to all APs within a roaming domain. This can be at floor level, part of a building, or a whole-building approach.
Maintain an optimal balance by limiting the number of APs per site tag to 500 whenever feasible for local and fabric-enabled APs. This prevents overloading and contributes to a smoother distribution of network resources, promoting reliability. Stay within the specified thresholds to guarantee network stability, and avoid exceeding the recommended maximum number of APs per site tag to safeguard against potential bottlenecks and ensure a robust and responsive wireless infrastructure. You can view the distribution by entering:
show wireless stats AP balance summary
If you run it through WCAE (Wireless Config Analyzer Express), you can see a visual mapping of it. This tool can help you analyze your WLC configuration against Cisco's best practices.
Note that in this example the WNCds are not all equally occupied with handling APs. This is because it is a work in progress; 2000 APs will be added later.
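As an added example (not code from this article, from Cisco, or from WCAE), the following Python script reads a constructed running-config excerpt and checks the ST_/PT_/RF_ naming convention from the naming section, the 500-AP ceiling per site tag, and whether site tags above 250 APs carry an expected load. The layout of the "ap <mac>" blocks with site-tag/policy-tag/rf-tag lines and the "load <n>" sub-command under "wireless tag site" are assumptions about the running-config format, not taken from the article, as is the sample controller with four AP groups.

```python
"""Audit site-tag sizing and tag naming in a C9800 running-config excerpt:
the ST_/PT_/RF_ naming convention, the 500-AP ceiling per site tag, and the
'load' hint for site tags above 250 APs (17.9.3+).

Added example, not Cisco or WCAE code.  Assumptions (not taken from the
article): static tag assignments are read from 'ap <mac>' blocks with
'site-tag', 'policy-tag' and 'rf-tag' lines, and the expected AP load is the
'load <n>' line under 'wireless tag site <name>'.
"""
import re
from collections import Counter

MAX_APS_PER_SITE_TAG = 500   # article's recommended ceiling
LOAD_HINT_THRESHOLD = 250    # above this, configure the expected load
PREFIX = {"site-tag": "ST_", "policy-tag": "PT_", "rf-tag": "RF_"}


def build_sample_config() -> str:
    """Construct a running-config excerpt with four groups of APs
    (sample input, not from a real controller)."""
    groups = [  # (site tag, AP count, policy tag, rf tag)
        ("ST_HQ_FLOOR1", 300, "PT_CORP", "RF_INDOOR"),   # sized, load set
        ("ST_CAMPUS", 260, "PT_CORP", "RF_INDOOR"),      # >250, no load
        ("ST_WAREHOUSE", 520, "PT_CORP", "RF_OUTDOOR"),  # over the ceiling
        ("default-site-tag", 3, "default-policy-tag", "default-rf-tag"),
    ]
    parts = ["wireless tag site ST_HQ_FLOOR1\n load 300\n",
             "wireless tag site ST_CAMPUS\n",
             "wireless tag site ST_WAREHOUSE\n load 600\n"]
    mac = 0
    for site, count, policy, rf in groups:
        for _ in range(count):
            parts.append(f"ap 0000.0000.{mac:04x}\n policy-tag {policy}\n"
                         f" rf-tag {rf}\n site-tag {site}\n")
            mac += 1
    return "!\n".join(parts)


def parse_tags(config: str):
    """Return (site_load, ap_tags): site tag -> configured load or None,
    and AP MAC -> {tag type: tag name}."""
    site_load, ap_tags = {}, {}
    current_site = current_ap = None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # top-level line: new block
            current_site = current_ap = None
            m = re.match(r"^wireless tag site (\S+)$", raw)
            if m:
                current_site = m.group(1)
                site_load.setdefault(current_site, None)
            m = re.match(r"^ap ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$", raw)
            if m:
                current_ap = m.group(1)
                ap_tags[current_ap] = {}
            continue
        line = raw.strip()                   # indented sub-command
        if current_site:
            m = re.match(r"^load (\d+)$", line)
            if m:
                site_load[current_site] = int(m.group(1))
        elif current_ap:
            m = re.match(r"^(site-tag|policy-tag|rf-tag) (\S+)$", line)
            if m:
                ap_tags[current_ap][m.group(1)] = m.group(2)
    return site_load, ap_tags


def site_tag_ap_counts(config: str) -> Counter:
    """Number of APs statically assigned to each site tag."""
    _, ap_tags = parse_tags(config)
    return Counter(t["site-tag"] for t in ap_tags.values() if "site-tag" in t)


def audit_tags(config: str) -> list:
    """Findings: naming-convention violations, oversized site tags, and
    large site tags without an expected-load hint."""
    site_load, ap_tags = parse_tags(config)
    findings = []
    for tag_type, prefix in PREFIX.items():
        names = {t[tag_type] for t in ap_tags.values() if tag_type in t}
        for name in sorted(names):
            if not name.startswith(prefix):
                findings.append(f"NAMING {tag_type} '{name}' should start with '{prefix}'")
    for site, n in sorted(site_tag_ap_counts(config).items()):
        if n > MAX_APS_PER_SITE_TAG:
            findings.append(f"SIZE site-tag '{site}' has {n} APs "
                            f"(max {MAX_APS_PER_SITE_TAG}); split it")
        elif n > LOAD_HINT_THRESHOLD and site_load.get(site) is None:
            findings.append(f"LOAD site-tag '{site}' has {n} APs and no "
                            f"'load' configured under 'wireless tag site'")
    return findings


if __name__ == "__main__":
    cfg = build_sample_config()
    for site, n in sorted(site_tag_ap_counts(cfg).items()):
        print(f"{site:20} {n:4} APs")
    for finding in audit_tags(cfg):
        print(finding)
```

On the sample controller the script flags the three default-* tag names, the 520-AP warehouse tag as over the ceiling, and the 260-AP campus tag as large but without a load hint; the 300-AP floor tag with "load 300" passes. APs that inherit tags dynamically (via AP filters or location) do not appear as "ap <mac>" blocks, so for those the "show wireless stats ap balance summary" output above remains the source of truth.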
Are you looking for a quick scan of your WLC config, and need help with it? Or do you want us to deploy one for you? Contact us today!