
Cisco 9800 WLC best practices


When you configure a 9800 WLC from scratch there are a few things you need to know and a few things that are considered best practice.

WLC tags

The 9800 WLC was built from scratch to supersede the long-running Cisco Aironet WLC. The C9800 WLC is all about configuration models: profiles and tags. Profiles (Policy, AP Join, and Radio Frequency (RF)) and tags are the new configuration constructs, and profiles are assigned to APs via tags. Every AP needs to be assigned the three AP tags (Policy, Site, RF).

Naming convention in the WLC

Using good naming conventions will save you a lot of time when troubleshooting. For the tags, start with the tag type: RF_ for the RF tag, ST_ for the site tag and PT_ for the policy tag. When creating tags use underscores or dashes (_ or -) rather than spaces; this lets you select the whole name with a double-click for copying/pasting in text editors and client terminals.

WLC trustpoint and best practice

Another 9800 WLC best practice is to check the trustpoint of the WMI (Wireless Management Interface). Without it the APs won't be able to join via the management interface. Physical appliances have it built in. You can view it by entering:

show wireless management trustpoint

It should be set to "CISCO_IDEVID_SUDI". You can also list the trustpoints known to the PKI subsystem with:

show crypto pki trustpoints

You can set it again by using the following commands:

no wireless management trustpoint

wireless management trustpoint CISCO_IDEVID_SUDI

On a virtual 9800-CL (cloud WLC) we need to generate it, and if it is not automatically associated with the WMI, we need to do that manually. First create the trustpoint:

wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <OUR_PWD>

show wireless management trustpoint

show crypto pki trustpoints

Increase the consistency of GUI access

It is also a Cisco 9800 WLC best practice to increase the "consistency" of GUI access: disable the plain HTTP server, pin a trustpoint for HTTPS (to keep it simple, it can be the same one as the WMI) and set a source interface for all HTTPS admin traffic.

no ip http server

ip http authentication local

ip http secure-server

ip http secure-trustpoint <HTTPS_TRUSTPOINT>

ip http client source-interface VlanX

Time stamps in the 9800 WLC

For easier troubleshooting of logs and debugs, correct time stamps are very important.

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

Avoid stale SSH and HTTPS sessions

To avoid "stale" SSH/HTTPS sessions on your C9800 WLC it is best practice to enable the TCP keepalives:

service tcp-keepalives-in

service tcp-keepalives-out

9800 WLC SVIs

A Switch Virtual Interface (SVI) for the wireless management interface is recommended. Do not configure SVIs for client VLANs unless really needed (e.g., DHCP relay); this is different from AireOS, where a dynamic interface is required. In the 9800 architecture there should normally be only one SVI, and that is the WMI (Wireless Management Interface).

Connect the uplink ports in a port channel, configured as a trunk, to a pair of switches in StackWise Virtual or a similar technology. This is the same best practice as for AireOS.

A C9800-CL in the public cloud must use a single L3 port (not an SVI) and therefore has the following feature limitation: no support for sniffer-mode APs and HyperLocation.

The default ARP behaviour of a 9800 WLC is to forward ARP traffic, changing the destination MAC from broadcast to unicast. Starting with code 17.3.1 the 9800 can be configured to act as an ARP proxy and respond on behalf of a registered client.

In the C9800 a DHCP proxy is not needed, as IOS-XE has embedded security features like DHCP snooping, ARP inspection, etc. that don't require an L3 interface. DHCP bridging is the recommended mode and should be used if the DHCP relay can be configured on the upstream switch or if the DHCP server is on the client VLAN. Here is an illustration:



Change the session timeout to 8 hours. The default session timeout in the policy profile is 30 minutes, and some clients don't like frequent re-authentication and re-keying; we have seen multiple issues, especially when a roam and a rekey happen at the same time. A longer timeout also relieves the pressure on the AAA servers.

Keep your WLC resources clean best practices

APs are distributed across Wireless Network Controller daemon (WNCd) processes within a C9800. Distributing APs (and clients) across WNCd processes gives better scale and performance.

Since version 17.9.3 we can add the expected load to a site tag: if you think the site will exceed 500 APs, or even more than 250, it is good to put in the expected AP count. This way the WLC can distribute this site tag over more than one WNCd resource unit.
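As an added example (not code from the original post, nor a Cisco tool), the following Python script applies the checks from this page to a running-config excerpt: the HTTP/HTTPS trustpoint hardening, the timestamps and TCP keepalives, the 8-hour session timeout in every policy profile, and the 500-AP ceiling per site tag read from the site tag's load value. The sample configuration and its profile and tag names are constructed; the parser assumes the flat one-level indentation shown and is meant for such excerpts, not a full running-config.

```python
# Constructed sample running-config excerpt, not captured from a real controller.
SAMPLE_CONFIG = """\
service timestamps debug datetime msec localtime
service tcp-keepalives-in
ip http server
ip http secure-server
ip http secure-trustpoint WLC_HTTPS_TP
wireless management trustpoint CISCO_IDEVID_SUDI
wireless profile policy PT_CORP
 session-timeout 1800
wireless tag site ST_HQ
 load 600
"""

REQUIRED = ("service timestamps debug datetime msec localtime",
            "service timestamps log datetime msec localtime",
            "service tcp-keepalives-in", "service tcp-keepalives-out",
            "ip http secure-server")

def parse_blocks(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and line.strip() and current is not None:
            blocks[current].append(line.split())      # e.g. ["load", "600"]
        elif line.strip():
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def check_config(config, max_aps_per_site=500, min_session_timeout=28800):
    """Return a list of findings for the best practices described on this page."""
    blocks = parse_blocks(config)
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in blocks]
    if "ip http server" in blocks:
        findings.append("plain HTTP enabled: add 'no ip http server'")
    if not any(h.startswith("ip http secure-trustpoint ") for h in blocks):
        findings.append("no HTTPS trustpoint pinned")
    if not any(h.startswith("wireless management trustpoint ") for h in blocks):
        findings.append("no wireless management trustpoint: APs cannot join")
    for header, subs in blocks.items():
        if header.startswith("wireless profile policy "):
            timeout = next((int(s[1]) for s in subs if s[0] == "session-timeout"), 1800)  # default 30 min
            if timeout < min_session_timeout:
                findings.append(f"{header}: session-timeout {timeout}")
        elif header.startswith("wireless tag site "):
            load = next((int(s[1]) for s in subs if s[0] == "load"), 0)
            if load > max_aps_per_site:
                findings.append(f"{header}: load {load} exceeds {max_aps_per_site} APs")
    return findings
```

Run it against the text of `show running-config` saved from your own controller; each finding maps to one of the sections above.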

WNCd facilitates the efficient distribution of Access Points (APs) among session-handling processes, ensuring optimal performance and seamless connectivity.

Create custom site tags instead of using the default tags. This gives precise control over the assignment of APs and lets you optimize the WNCd processes for better performance.

Don't break the roaming experience: assign the same site tag to all APs within a roaming domain. This can be at floor level, part of a building or a whole building.

Maintain an optimal balance by limiting the number of APs per site tag to 500 whenever feasible for local-mode and fabric-enabled APs. This prevents overloading a WNCd and gives a smoother distribution of network resources. Stay within the specified thresholds to guarantee network stability; exceeding the recommended maximum number of APs per site tag risks bottlenecks. You can view the distribution by entering:

show wireless stats AP balance summary


If you run the configuration through WCAE (Wireless Config Analyzer Express), you can see a visual mapping of it. This tool can help you analyze your WLC configurations against Cisco's best practices.



Note that in this example the WNCds are not all equally loaded with APs. This is because it is a work in progress; 2000 APs will be added later.

Are you looking for a quick scan of your WLC config, and need help with it? Or do you want us to deploy one for you? Contact us today!
