
CCIE Wireless

Stephen Orr, Javier Contreras, Jerome Henry, Erik Vangrunderbeek


TECCCIE-3106
Disclaimer
Objective
Agenda
1. Introduction
2. CCIE Program Overview
3. The DIAGNOSTIC module (sample)
4. CCIE Wireless V3 highlights
5. How to prepare?
6. Q&A
CCIE Program Overview
CCIEs Worldwide
• The most highly respected IT certification for 20+ years!
• Industry standard validating and endorsing expert-level skills and experience
• Demonstrates strong commitment and investment in a networking career, life-long
learning, and dedication to remaining an active CCIE
• Less than 2% of Cisco certified people hold a CCIE certification
• A good proportion of CCIE Wireless certified individuals hold another CCIE.
CCIE and CCDE Tracks

Routing & Switching
• Expert level knowledge of networking across LAN and WAN interfaces and a variety of routers and switches
• Solve complex connectivity problems to increase bandwidth, improve response times, maximize performance, and support global operations

Security
• Expert level knowledge of security and VPN solutions
• Demonstrate in-depth understanding of Layer 2 and 3 network infrastructure; solid understanding of Windows, Unix, Linux and HTTP, SMTP, FTP and DNS

Voice
• Expert level knowledge of Cisco Voice over IP (VoIP) products and solutions
• Capable of building and configuring a complex end-to-end telephony network, troubleshooting and resolving VoIP-related problems

Design
• Expert level knowledge of network design principles for the Layer 2 and 3 network infrastructure
• Capable of assessing and translating network business requirements into technical designs

Data Center
• Expert level knowledge of Data Center technologies, including DC infrastructure, storage, compute and virtualization
• Capable of building, configuring, and troubleshooting an end-to-end virtualized Data Center using Cisco DC technologies

Service Provider
• Expert level knowledge of IP fundamentals and technologies; expertise in building an extensible service provider network
• Expert level knowledge to troubleshoot and maintain complex service provider networks

SP Operations
• Expert level knowledge of SP IP NGN technologies
• Capable of troubleshooting SP networks, managing SP processes (incident, fault, change, configuration, and performance), and knowledge of NMS technology

Wireless
• Expert level knowledge of Enterprise WLAN technologies
• Provides the next step for individuals interested in a career in managing or working with Cisco wireless technologies
CCIE Program Overview
CCIE Lab Locations – Wireless (v2 vs v3) and Mobile lab: Beijing, Tokyo, RTP, Brussels, Hong Kong, San Jose, Bangalore, Sydney, Dubai
Certification Process
Written Exam (pass) → Practical Exam (pass)

Written exam (400-351)
• Pearson VUE
• 2 hours
• Multiple choice
• Flash items
• No documentation
• Immediately scored

Practical (lab) exam
• Select Cisco locations
• 8 hours
• DIAG + CFG/TS
• Troubleshooting
• Cisco documentation
• Scored within 48h
Proactive and Holistic Candidate Feedback
Process: JTA → Blueprint → Exam Content → (Marketing) Launch → Exam Live

Input
 Candidate
 Cisco Business Units
 Cisco Technology groups
 Cisco Technical Support teams (TAC, AS, ..)
 Cisco-internal and Cisco-external Subject Matter Experts
 Customer Advisory Boards
 Customer Focus Groups
 Customer and Cisco field surveys
 Cisco Product Manager, Marketing Manager, Program Manager

Feedback
 Candidate exam and item comments
 Candidate satisfaction surveys
 Customer service cases
 EAG (Exam Advisory Groups)
 Cisco Learning Network
 Blogs
 Psychometrics
CCIE Wireless v3 Curriculum Overview
• September 14, 2015
• Certification process unchanged
• The exam curriculum and format changed, introduces recent Wireless
technologies and Best Practices, as seen in the field today.
• Designed and validated with industry experts (Cisco internals and externals)
• Aligned with evolution of job role and relevant technologies.
Check the official information (including blueprints) on CLN
https://learningnetwork.cisco.com/community/certifications/ccie_wireless
CCIE Wireless v3 Equipment List

v2 list
Cisco Wireless Access Points: Cisco Aironet 1260AG Series, Cisco Aironet 3500AG Series, Cisco Aironet 1040AG Series
Cisco Wireless LAN Controllers: Cisco 5508 Series
Cisco Wireless Phones: Cisco Unified Wireless IP Phone 7925G
Cisco Catalyst Switches: Cisco Catalyst 3560-E Series, Cisco Catalyst 2960 Series, Cisco Catalyst 650X-E Series
Other: Cisco MSE 3310, ACS, Secure ACS, AnyConnect

v3 list
Cisco Wireless Access Points: Cisco Aironet 1600 Series, Cisco Aironet 3700 Series
Cisco Wireless LAN Controllers: Cisco 5508 Series, Cisco 5760 Series
Cisco Catalyst Switches: Cisco Catalyst 3650 Series, Cisco Catalyst 4500-E Series
Other: Cisco MSE 3310, ISE, PI, AnyConnect 4.x, Jabber 10.x
CCIE Wireless v3 Software
• Cisco Unified Wireless Network Software Release 8.0
• Cisco Aironet Access Points Cisco IOS Release 15.3
• Cisco IOS-XE Software 3.6E
• Cisco Catalyst 4500-E Series Switches Cisco IOS Software, IOS-XE Software Release 3.6E
• Cisco Catalyst 3650 Series Switches Cisco IOS Software, IOS-XE Software Release 3.6E
• Cisco Prime Infrastructure 2.2
• Cisco Identity Services Engine 1.3
• Anyconnect 4.x
• Jabber 10.x
CCIE Wireless v3 Curriculum Overview

Section                                                              Written (%)  Lab (%)
1 Planning & Designing WLAN Technologies                                  14         0
2 Configure and Troubleshoot the network Infrastructure                   10        12
3 Configure and Troubleshoot an Autonomous Deployment Model               10        10
4 Configure and Troubleshoot a Unified Deployment Model (Centralized)     20        23
5 Configure and Troubleshoot a Unified Deployment Model (Converged)       14        17
6 Configure and Troubleshoot Security & Identity Management               12        15
7 Configure and Troubleshoot Prime Infrastructure and MSE                 10        10
8 Configure and Troubleshoot WLAN media and application services          10        13

Blueprint sections = Exam sections = Score report sections
2 Configure and Troubleshoot the network Infrastructure (10%)

2.1 Configure and troubleshoot wired infrastructure to support WLANs
(a) VLANs
(b) VTP
(c) STP
(d) Etherchannel
(e) HSRP
(f) VSS
(g) Stacking
2.2 Plan network infrastructure capacity
2.3 Configure and troubleshoot network connectivity for:
(a) WLAN Clients
(b) WLCs
(c) Lightweight APs
(d) Autonomous APs

https://learningnetwork.cisco.com/community/certifications/ccie_wireless
CCIE Wireless Written Exam (400-351)
• Available worldwide at Pearson VUE
• Two-hour exam with 90-110 multiple-choice questions: MC-SA/MA and/or DnD.
• Closed book; no outside reference materials allowed
• Pass/fail results are available immediately following the exam; the passing score is set by
statistical analysis and is subject to periodic change
• Candidates who pass a CCIE written exam must wait a minimum of six months before
taking the same exam
• You “must” take your first lab exam attempt within 18 months after passing the written exam
• No “skip-question” functionality
• Retake policy (FAIL: 15 days, PASS: 180 days, max of 4 attempts per year)
CCIE Wireless Written Exam (400-351)
Examples, Formats

MCSA or MCMA
Refer to the exhibit. Which Cisco WLC IP addresses will be returned to a Cisco AP that requests
an IP address from this DHCP pool?

a) 192.168.129.11 and 192.168.129.20


b) 192.168.129.11 and 192.168.129.19
c) 192.168.129.12 and 192.168.129.17
d) 192.168.129.12 and 192.168.129.18
CCIE Wireless Written Exam (400-351)
Examples, Formats

Drag and Drop


Drag the AP mode type from the left-hand choices to match its definition on the right.
CCIE Wireless LAB Exam
• Available at Cisco locations
• Eight-hour hands-on exam
• Open book (Cisco Documentation)
• Pass/fail results are available within 48 hours
• You “must” take first lab exam attempt within 18 months after passing the written
• Retake policy depends on the score result
CCIE Wireless Lab Exam Format
• Introduction of a DIAGNOSTIC module
• The DIAG module is scenario based, not equipment based
• Both DIAG and CFG/TS modules have a fixed time length.
• Overall cut-score AND per-module minimum score

Web-based delivery: DIAG (1h) + CFG/TS (7h)
CCIE Wireless v3 New Diagnostic Module
Web-based delivery: DIAG (1h) + Configuration & Troubleshooting (7h)

• Assessing new skills
• Analyzing, correlating and discerning multiple sources of documentation
• Support ticket scenario (TAC)
• Deterministic grading
• Item format is similar to multiple-choice items: MC, DnD or point and click.
CCIE Wireless v3 Scoring Logic
Web-based delivery: DIAG (1h) + Configuration & Troubleshooting (7h); each module has its own minScore, and the exam has one Cut Score

• A minimum score is set at module level
• A cut score is set at exam level
• PASS if (for every module: mod_Score ≥ mod_minScore) AND (Σ mod_Score ≥ Lab_CutScore)
CCIE Wireless v3 Lab Skills Assessment
Web-based delivery: DIAG (1h) + Configuration & Troubleshooting (7h)

DIAG
• Perceive problem areas
• Analyze symptoms of networking issues, identify and describe root cause
• Correlate information from multiple sources
• Discern appropriate solution
• Apply troubleshooting methodologies
• Troubleshoot network technologies (any topic on the blueprint)

Configuration & Troubleshooting
• Understand how infrastructure components interoperate
• Implement network technologies (any topic on the blueprint)
• Design appropriate solutions to network infrastructure challenges within constraints and verify functionality
• Troubleshoot and resolve networking problems
• Use IOS troubleshooting tools
• Implement and verify a working solution to networking issues
CCIE Wireless v3 Lab Modules Format
Web-based delivery: DIAG (1h) + Configuration & Troubleshooting (7h)

DIAG
• All tickets visible at start, inc. score
• No devices
• Multiple scenarios
• Independent tickets
• Analyze & correlate info

Configuration & Troubleshooting
• All tickets visible at start, inc. score
• Real devices
• Single topology/scenario
• Interdependent items
• Implement, configure and verify a working scenario
CCIE Wireless v3 New Diagnostic module
• Independent scenarios putting candidate into the role of a Network Support
engineer who diagnoses networking issues
• Analyze, identify, locate and explain the root cause
• Recommend optimal troubleshooting procedures leading to the root cause
• Recommend network changes isolating the issue without causing more harm
• Etc…

• Analyzing, correlating and discerning multiple sources of documentation


• Email threads
• Network topology diagrams
• Console session logs
• Syslogs, configs, debugs, network traffic captures, etc.
CCIE Wireless v3 New Diagnostic module
• Format “similar” to written exam items (MC-MA)
• Each DIAG form contains multiple scenarios that are totally independent
• The WebGUI offers an always-visible-ToC to easily jump between the
scenarios and between the different resource documents (minimize scrolling).
• Each scenario may contain multiple questions of any format (radio
button, check box, drop down, etc).
CCIE Wireless v3 New Diagnostic module
Sample questions:

• What document points you to the root cause?


• What information is missing in order to identify or confirm the root cause of the issue?
• What are the next troubleshooting steps?
• Which step of the process/protocol is failing?
• What is the sequence of events that led to this issue?
• What is the life of a packet explaining this issue?
• Which device/interface/link is responsible for causing the issue?
• How can the issue be fixed without causing any downtime?
Example of CCIE RS DIAG (screenshots, described)
• Scenario #1 (called ‘task…’): floatable ToC, countdown timer, Task#1, Task#2, document resources
• Multi-dropdown: the candidate must select both dropdowns correctly to get the 1 point
• Image-map: the candidate must point and click on one region, shown by a red circle; mousing over a red circle turns its background black
• Drag ‘n drop: the candidate must drag and drop three options on the left to the right, in the correct sequence
• Timer: a modal message appears and the timer turns red when there are less than 5 minutes left
CCIE Wireless Configuration & Troubleshooting
General Information
• Available in selected Cisco lab locations for $1,400 USD, adjusted for exchange
rates and local taxes where applicable, not including travel and lodging
• 7 hour exam which requires configurations and troubleshooting skills
• Cisco documentation is available via the Cisco web site; no personal
materials of any kind are allowed in the lab
• Minimum score of about 80% to pass (Angoff)
• No partial credits
• Scores can be viewed normally online within 48 hours and failing score reports
indicate areas where additional study may be useful.
CCIE Wireless Configuration & Troubleshooting
Practical Information
• Each candidate has his/her own PC and rack of equipment
• Equipment rack may or may not be with candidates desk and PC
• Equipment requires no HW or Cabling configuration by candidate
• If the candidate feels that a HW intervention is needed the CCIE lab proctor
must be involved. 10 min rule!
• Check the CCIE web page for the latest equipment list and SW versions,
upcoming changes are announced well in advance

https://learningnetwork.cisco.com/community/certifications/ccie_wireless
CCIE Wireless Configuration & Troubleshooting
Practical Information

(Rack access diagram: Candidate PC → Comm Server → LDS / equipment rack, either LOCAL or REMOTE.)

• The Comm Server is pre-configured


CCIE Wireless Configuration & Troubleshooting
Practical Information
(Rack access diagram: Candidate PC → Client PC, ISE, PI, MSE, Jabber, LDS.)

• Access to the Client PC is provided through Remote Desktop; shortcuts to access the other VMs
are provided on the candidate PC (RDP, HTTPS, SSH, etc.)
• WLC / APs are accessible through the GUI, given IP connectivity is available. Details are
provided in your lab exam document.
CCIE Wireless Configuration & Troubleshooting
Practical Information READ THE GUIDELINES FIRST!
DIAGNOSTIC sample
Diagnostic module
• Ticket#1 : My AP does not join the WLC.
• Ticket#2 : Clients are unable to join the newly deployed SSID.
• Ticket#3 : The WLAN is not working anymore.
CCIE Wireless V3 highlights
What is new in 8.0?
A lot of changes since 7.0….
• Main things to keep an eye on:
• HA, 7.3, 7.5, 8.0 changes, design errors
• Flex: Local switching, + external webauth, Flex groups
• New mobility support
• NBAR/AVC
• mDNS/Bonjour
Application Visibility and Control
• NBAR2 from IOS ported to WLC
• Deep packet inspection
• Recognizes applications and passes the information to QoS, control, Netflow
• QoS Integration: identifies traffic so proper priorities can be set per application
• Netflow data export
NBAR Processing on the 2504/5508/7500/8500
Series Controllers
(Architecture diagram, described.) Data plane: QoS subsystem with the AppQoS DB (in/out), the NBAR2 engine with its state graph and policy ID sub-tables, a flow table with an ageing timer (30 sec, driven by 10 ms Cavium clock ticks), and a flow cache keyed by Client MAC | IP | QoS | Sec | WLAN | AP. Control plane: definitions and signatures (StILE, PDLM), the NBAR2 DB, the BROFFU library, compiler, CP code and the statistics task.
What's Collected & What We Do With It
• Controllers leverage the IOS code for NBAR2 Control and Data Plane
— Using NBAR we can classify and maintain statistics on 1039 different applications on
the WLC
• Data Plane keeps statistics for each client associated to the WLAN
— Client statistics for every client for every application are memory prohibitive
• Client statistics are only collected for the first 128 applications classified in 90 sec

• Collected statistics are both exported and displayed in the WLC GUI
• Netflow is a protocol for collecting IP traffic information from network devices for
traffic monitoring. The netflow architecture consists of:
— Collector : An entity that collects all the IP traffic info from various network elements
— Exporter: A network entity that exports the template of the information that will be
exported along with the actual data which maps to the exported template.
Classifying Application Traffic
• Application control is provided by either remarking or dropping traffic for an
application - traffic must first be classified by the NBAR engine to achieve this
• Packet must be contiguous to be properly classified otherwise we only pass the
first fragment to NBAR engine for the signature match
• A flow table entry is created when the first TCP/UDP packet is received
— NBAR engine then uses the state graph to determine if any port-lookup or heuristic
match succeeds
• If a match succeeds a protocol ID for the packet is returned
• If a match is unsuccessful an unknown classification is returned

• Fixed timer (30 sec) is started on receipt of the first packet in a flow*
— Timer is reset on receipt of each subsequent packet in the flow
— When the timer expires the entry is dropped from the flow table
Classifying Application Traffic (Cont)
• NBAR can require between 1 and 15 packets to classify the traffic – depending
on the protocol
— Payload packets with only static signatures in NBAR are classified after all single &
multi-packet protocols are processed and failed
— Therefore a max of 15 payload packets can be classified as unknown until a final
classification decision is made
• Once classified, application Control is provided by NBAR2 using hooks into the
QoS subsystem
• Each WLAN has either a QoS profile or a QoS Policy ID attached
— A QoS profile only sets the priority of a packet
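The flow-table behaviour described above (entry on the first TCP/UDP packet, only the first fragment inspected, "unknown" until a signature matches, at most 15 payload packets before the decision is final, 30-second ageing timer reset by every packet) as a small simulator. This is an added example, not WLC or NBAR2 code; the three signatures in `toy_state_graph` are constructed stand-ins for the real state graph, and the 90-second/128-application client-statistics limit is not modelled.

```python
"""Toy NBAR-style flow table (added example, not Cisco code)."""
from dataclasses import dataclass, field

AGEING_SECONDS = 30.0          # fixed ageing timer from the slides
MAX_CLASSIFY_PACKETS = 15      # NBAR needs 1..15 packets, then gives up
UNKNOWN = "unknown"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                  # "tcp" or "udp" get flow entries
    payload: bytes = b""
    first_fragment: bool = True  # False for non-initial IP fragments


@dataclass
class FlowEntry:
    last_seen: float
    packets_seen: int = 0        # payload packets handed to the classifier
    app: str = UNKNOWN
    final: bool = False          # classification decision is final
    history: list = field(default_factory=list)


def toy_state_graph(history):
    """Constructed stand-in for the NBAR2 state graph: app name or None.

    Two single-packet signatures match on the first payload; the multi-packet
    signature needs a client greeting followed by a server banner.
    """
    first = history[0]
    if first.startswith(b"GET ") or first.startswith(b"POST "):
        return "http"
    if first.startswith(b"SSH-"):
        return "ssh"
    if len(history) >= 2 and first.startswith(b"HELLO") and history[1].startswith(b"BANNER"):
        return "toy-multi"
    return None


class FlowTable:
    def __init__(self, classifier=toy_state_graph):
        self.flows = {}
        self.classifier = classifier

    @staticmethod
    def key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def expire(self, now):
        """Drop entries idle for 30 s or more; returns how many were dropped."""
        stale = [k for k, e in self.flows.items() if now - e.last_seen >= AGEING_SECONDS]
        for k in stale:
            del self.flows[k]
        return len(stale)

    def process(self, pkt, now):
        """Return the application the flow is classified as after this packet."""
        self.expire(now)
        if pkt.proto not in ("tcp", "udp"):
            return UNKNOWN                      # only TCP/UDP get a flow entry
        entry = self.flows.get(self.key(pkt))
        if entry is None:
            entry = FlowEntry(last_seen=now)    # created on the first packet
            self.flows[self.key(pkt)] = entry
        entry.last_seen = now                   # every packet resets the timer
        if entry.final or not pkt.first_fragment or not pkt.payload:
            return entry.app                    # later fragments are not inspected
        entry.packets_seen += 1
        entry.history.append(pkt.payload)
        app = self.classifier(entry.history)
        if app is not None:
            entry.app, entry.final = app, True
        elif entry.packets_seen >= MAX_CLASSIFY_PACKETS:
            entry.final = True                  # stays unknown, stop inspecting
        return entry.app
```

Note that a flow which only ever carries non-initial fragments, or whose first 15 payloads match nothing, is finalised as unknown and can therefore never be matched by a drop or remark action keyed on an application name; an AVC policy that relies on classification needs a separate rule for the unknown bucket.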
Controlling Applications
• AVC and QoS are applied independently
• AVC on ingress, QoS on egress; the AVC DSCP can be overridden
• Each WLAN has either a QoS profile or a QoS Policy ID attached
— A QoS profile only sets the priority of a packet
• QoS Policy ID defines the action to take for classified packets
— Classified packets are either PERMITTED, DROPPED, or REMARKED


Where We see Application Statistics
• Netflow engine is integrated to the WLC for it to export client IP traffic related
information – WLC plays the role of an Exporter
— Recall the use of the Flow cache
• Controller GUI Monitor page also displays both the Packet and Byte count for the
top 10 applications across all WLANs in the last 90 seconds
— Same frequency as Flow Cache updates
See the Top Applications on a WLAN
To get a more granular view of a particular WLAN: first select Applications, then the WLAN ID you are interested in. The page shows the top 10 applications over the last 90 seconds, along with the cumulative stats for the top 10 apps on the WLAN.
Enabling AVC From the Controller GUI
When AVC is enabled on any WLAN, the global statistics become available on the Monitor Summary screen (before/after screenshots).
Verification and
Troubleshooting
Useful Debug Commands
debug avc error enable/disable
debug avc events enable/disable

(Cisco Controller) >debug avc events enable
*broffu_SocketReceive: Oct 24 09:43:25.276: apfMsAvcClientStatsSave:Called for 2 clients
*broffu_SocketReceive: Oct 24 09:43:25.276: apfMsAvcStatsSave:Got AVC Stats for client 18:20:32:cb:04:70 with 2 type 0
*broffu_SocketReceive: Oct 24 09:43:25.276: apfMsAvcStatsSave:Got AVC Stats so far 0
*broffu_SocketReceive: Oct 24 09:43:25.276: apfMsAvcStatsSave:Allocating chunk no 0
*broffu_SocketReceive: Oct 24 09:43:25.276: apfMsAvcStatsSave:Using j 0, i 0 k 0 start 0
[slide annotation: netflix]
*broffu_SocketReceive: Oct 24 09:43:25.276: apfMsAvcStatsSave:Using j 0, i 1 k 1 start 0
*broffu_SocketReceive: Oct 24 09:43:25.276: apfMsAvcStatsFindAppById: Matching chunk id 1 app 1
*broffu_SocketReceive: Oct 24 09:43:25.276: apfMsAvcStatsFindAppById: Matching chunk id 5 app 1316
<snip>
*broffu_SocketReceive: Oct 24 09:44:55.313: apfMsAvcStatsSave:Using j 0, i 3 k 3 start 0
[slide annotation: ping]
*broffu_SocketReceive: Oct 24 09:44:55.313: apfMsAvcStatsSave:Using j 0, i 4 k 4 start 0
*broffu_SocketReceive: Oct 24 09:44:55.313: apfMsAvcStatsFindAppById: Matching chunk id 5 app 1404
*broffu_SocketReceive: Oct 24 09:44:55.313: apfMsAvcStatsFindAppById: Matching chunk id 1 app 72
*broffu_SocketReceive: Oct 24 09:44:55.313: apfMsAvcStatsFindAppById: Matching chunk id 3 app 3
*broffu_SocketReceive: Oct 24 09:44:55.313: apfMsAvcStatsFindAppById: Matching chunk id 9 app 82
<snip>
[slide annotation: youtube]
Useful Debug Commands (Cont)
• debug fastpath dump scbdb is a valuable command that allows for verification
of which AP and WLAN a client is associated to along with the NBAR and data
plane owners
Slide annotations on the output below: the SCB DB entries show which client is associated where (ap, wlan, radio, ipAddr); nbarOwner 255 indicates this is a non-WiSM platform.

(Cisco Controller) >debug fastpath dump scbdb
FP0.08:
SCB DB
FP0.08:==================================================
FP0.08:Free Entries: 24988, Used Entries of ContToFreeList = 10
FP0.08:
Total #of Client Count in DP = 2
FP0.08: [1820.32cb.0470 ifIndexToDs 112 ifIndexToDsLocalBridge 112 ifIndexToSta 3077
ifIndexToPeer 65535 ifIndextoNbar 65535 pmipv6_user 0 ap 5 wlan 2 rwlan 2 rs 3 ms 1 IPv4 acl 65535
IPv6 acl 65535 system-acl 65535 tclas 65535,65535 radio 1, max1p 131, learnIpPktCount 1 ipAddr
172.16.3.32 rtBktId 4294967295 nonrtBktId 4294967295 sendHttpFlag 0 ] dpOwner 0 tunnelType 1 cipher
0 nbarOwner 255 gre_upstream_key 0 gre_downstream_key 0, dfGw 0.0.0.0
FP0.08: [0024.d745.4e6c ifIndexToDs 112 ifIndexToDsLocalBridge 112 ifIndexToSta 3073
ifIndexToPeer 65535 ifIndextoNbar 65535 pmipv6_user 0 ap 1 wlan 2 rwlan 2 rs 3 ms 1 IPv4 acl 65535
IPv6 acl 65535 system-acl 65535 tclas 65535,65535 radio 1, max1p 131, learnIpPktCount 1 ipAddr
172.16.3.33 rtBktId 4294967295 nonrtBktId 4294967295 sendHttpFlag 0 ] dpOwner 0 tunnelType 1 cipher
0 nbarOwner 255 gre_upstream_key 0 gre_downstream_key 0, dfGw 0.0.0.0
mDNS 101
Overview of the protocol
mDNS 101
• mDNS stands for Multicast DNS
• Joint effort by participants of the IETF, Zero Configuration Networking (zeroconf) and
DNS Extensions (dnsext) working groups
• Perform DNS-like operations on the local link in the absence of any DNS server.
• It designates a portion of the DNS namespace to be free for local use
• Uses multicast IP Address 224.0.0.251 as destination IP Address and 5353 as
UDP destination port.
• Major Differences from DNS
• Uses Multicast
• UDP Port 5353 instead of 53
• Allows larger UDP Packets
• Uses unsolicited responses to announce new records
mDNS 101
(Diagram, described.) A client multicasts the mDNS query “Any service of type _printer._tcp?” to 224.0.0.251:5353 (link local only); the printer answers with the mDNS advertisement “room201._printer._tcp”.
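The exchange in the diagram above, in wire form: a PTR query for the service type and the unsolicited PTR advertisement that answers it, built and parsed with the standard library. This is an added example and not code from the deck or from any Cisco product; the service type and instance name are the ones on the slide, the TTL of 4500 seconds and the decision to leave names uncompressed when building are this example's choices. The parser bounds compression-pointer hops and checks lengths, since an mDNS listener on 5353 accepts packets from any host on the link.

```python
"""mDNS query and advertisement builder/parser (added example, not from the deck)."""
import struct

MDNS_GROUP = "224.0.0.251"   # link-local multicast group mDNS uses as destination
MDNS_PORT = 5353             # UDP 5353 instead of DNS's 53
TYPE_PTR = 12                # service-type browse records are PTR records
CLASS_IN = 1
QU_BIT = 0x8000              # top bit of QCLASS: "unicast response requested"
CACHE_FLUSH = 0x8000         # top bit of RRCLASS in answers: cache-flush


def encode_name(name):
    """DNS wire form of a dotted name: length-prefixed labels and a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 bytes")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers safely.

    Returns (name, offset_after_name). Pointers must point backwards and hops
    are bounded, so a crafted packet with a pointer loop cannot spin the parser.
    """
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # name ends after first pointer
            hops += 1
            if hops > 32 or target >= offset:
                raise ValueError("bad compression pointer")
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def build_query(service_type, unicast_response=False):
    """One-question mDNS PTR query, e.g. for '_printer._tcp.local.'."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)      # id 0, flags 0, QDCOUNT 1
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service_type) + struct.pack("!HH", TYPE_PTR, qclass)


def build_ptr_advertisement(service_type, instance, ttl=4500):
    """Unsolicited mDNS response announcing one service instance (ANCOUNT 1)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # flags: QR=1, AA=1
    rdata = encode_name(instance)
    rr = encode_name(service_type) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata))
    return header + rr + rdata


def parse(packet):
    """Parse the question and answer sections of an mDNS packet."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = decode_name(packet, off)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "unicast": bool(qclass & QU_BIT)})
    for _ in range(ancount):
        name, off = decode_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if off + rdlen > len(packet):
            raise ValueError("truncated RDATA")
        rdata = decode_name(packet, off)[0] if rtype == TYPE_PTR else packet[off:off + rdlen]
        off += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "flush": bool(rclass & CACHE_FLUSH), "rdata": rdata})
    return {"response": bool(flags & 0x8000), "questions": questions, "answers": answers}
```

To put the query on the wire, send `build_query("_printer._tcp.local.")` from a UDP socket to `(MDNS_GROUP, MDNS_PORT)`; every listener on the link receives it, and every listener also accepts the unsolicited advertisement, which is why the controller's per-WLAN and per-user service filtering described later matters.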
What is Bonjour?
Overview and Use
What is Bonjour?
• Apple Service Discovery Protocol
• Locates devices such as printers, computers and services that those devices offer on the
local network
• Uses Multicast Domain Name System (mDNS)
• Layer 2 link local multicast protocol (cannot route across subnets or VLANs)
• Result: Clients can’t see services on other subnets
What Actually is Bonjour Doing?
(Diagram, described.) An mDNS cache on the router (L3) above an L2 switch; VLAN 3: User-3; VLAN 1: Printer-1 and User-1; VLAN 2: User-2. Flows shown: the original mDNS advertisement, the “reflected” mDNS advertisement, the “cached” mDNS advertisement, and the mDNS query.
Sample Scenario Revisited with Bonjour
(Diagram: controller 172.31.255.x, multicast group 224.0.0.251; Corporate VLAN 20, Guest VLAN Y, AirPrint on VLAN 23.)
• Step 1 – Listen for Bonjour services (Bonjour advertisement sent to 224.0.0.251)
• Step 2 – Cache Bonjour services on the controller (Bonjour cache: AirPlay – VLAN 20, AirPrint – VLAN 23)
• Step 3 – Listen for client service queries (Bonjour query sent to 224.0.0.251)
• Step 4 – Respond to client queries for Bonjour services (Bonjour response from the controller)
Bonjour Service Profile and Policy Profile
• The Bonjour service profile provides filtering to allow only certain WLANs, interfaces or users to access specific service types (e.g. AirPrint, AirPlay).
• The Bonjour policy profile is a list of allowed network applications (i.e. File Share, Printing, AirPlay).
• Enforced via multiple methods: per interface, per VLAN, per WLAN, per group (AP group), per user.

Master-service-list Database

A list of all services available on Bonjour can be found at: http://www.dns-sd.org/ServiceTypes.html
1. When a WLAN is disabled, all the clients on the WLAN would get
disassociated and the client’s mscb would be deleted
2. When AP-disassociation or radio disable happens the clients
associated with the ap/radio are disassociated and the client mscb will
be deleted.
3. When a Bonjour client / server (providing some Bonjour service) does
a L2 roam the client mscb will be deleted.
4. Whenever a new service is registered with the master-service-list
database, a trigger will affect the sending of a one-time query
message for the said service.
• The WLC supports sending periodic mDNS query messages (service specific query)
for services that do not send service advertisements after power-on.
• Printer Services – Devices that do not advertise the services on power-on.

• To enable / disable query for a service.


# config mdns service query enable/disable <service-name>
• To configure query interval. [ range = 10 minutes to 2 hours, default is 15 min]
# config mdns query interval <value in minutes>
Bonjour - 7.4 (Phase 1)
• Bonjour service with mDNS snooping on 10 wired VLANs
• Bonjour service policy applied per interface, group of interfaces, or per WLAN
• mDNS services cached on the controller
• Bonjour services available on all controller-seen L2 domains
• 100 services and 64 service-providers
• Support of FlexConnect APs in central switching

Bonjour - 7.5 (Phase 2)
• Introduction of mDNS AP for Bonjour service discovery
• LSS – Location Specific Services
• Priority MAC of Bonjour service
• Origin-based service discovery
• 6400 services and service-providers per service type
• Support of mDNS services across L3 domains

Bonjour - 8.0 (Phase 3)
• Bonjour GW with access-policy-controlled service
• Device service mapping to access policy
• Bonjour group and single access policy management
• Bonjour profile control by local policy
• Bonjour device management from ISE portal
• Introduction of Bonjour admin to manage specific Bonjour services from Cisco Prime
Bonjour Policy enhancements in 8.0
• Location and role filtering in release 8.0
• Bonjour policies allow creation of mDNS service groups and service instances within a group
• A service instance defines how it is shared by configuring:
o MAC address of the service instance
o Name of the service instance
o Location type of the service instance: by AP group, AP name or AP location
o The location configuration controls access to the service instance based on client location
 Location configuration is applied to wired and wireless instances of all services and
printers, as Any, Same or one AP name.
 This allows selective sharing of service instances based on location and
rule (user-id and role) on the same WLAN
Bonjour Policy enhancements in 8.0
• A service instance (MAC address) can be configured in multiple service groups
 Currently a maximum of 5 service groups per MAC address is supported
 Service group configuration can be done even when mDNS snooping is disabled
 The number of service instances per service group is limited to 100, and a maximum of 100
service groups can be created
• Location filtering of a service instance can be limited by the following attributes:
 “any”: clients from any location can access the service, subject to the
role or user-id being allowed by the policy associated with the service group
for that MAC address.
 “same”: only clients from the SAME location (same AP group, AP name or
AP location, as configured) as the device publishing the service can access
the service instance. Applicable to wireless only.
 “ap-name”: only clients associated to that AP can access the service instance
Bonjour Policy enhancements in 8.0
 Allows expressing with whom a service instance is shared (user-id) and with which
role(s) (e.g. teacher or student)
 With the Bonjour access policy there are now two levels of filtering of client queries:
1. At the service type level, using the mDNS profile
 The mDNS profile can be user specific: an ISE “av-pair” returned to the WLC
overrides the default profile
2. At the service instance level, using the access policy associated with each
service instance.

Note: Service instances not configured with any access policy are mapped to the
default access policy, which allows the configured <roles/names> to receive the service instances
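The two-level filtering just described, as an evaluator: level 1 checks the service type against the client's mDNS profile (or the ISE av-pair override), level 2 checks each service instance against the access policy of the service group(s) it belongs to, with the any/same/ap-name location filter and the role or user-id match. This is an added example, not controller code. The per-MAC limit of 5 groups and the 100-instances-per-group limit come from the slides; the printer, the MAC address, the roles and the AP names in the test are constructed. How the WLC treats a "same" filter on a wired instance is not stated on the slides; this example assumes such an instance cannot match because it has no AP location.

```python
"""Bonjour access-policy evaluator (added example, not WLC code)."""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_GROUPS_PER_MAC = 5          # slide: max 5 service groups for a single MAC
MAX_INSTANCES_PER_GROUP = 100   # slide: 100 service instances per service group


@dataclass(frozen=True)
class ServiceInstance:
    mac: str
    name: str
    service_type: str             # e.g. "_ipp._tcp.local."
    location_type: str | None     # "ap-group" | "ap-name" | "ap-location"; None if wired
    location: str | None          # value of that attribute where the instance was learned


@dataclass
class AccessPolicy:
    location_filter: str = "any"  # "any" | "same" | "ap-name"
    ap_name: str | None = None    # the AP for an "ap-name" filter
    roles: frozenset = frozenset()
    user_ids: frozenset = frozenset()

    def allows(self, client, inst):
        """Level 2: role/user-id match first, then the location filter."""
        if client.role not in self.roles and client.user_id not in self.user_ids:
            return False
        if self.location_filter == "any":
            return True
        if self.location_filter == "ap-name":
            return client.ap_name == self.ap_name
        if self.location_filter == "same":
            if inst.location_type is None:        # wired instance: no AP location (assumption)
                return False
            attr = inst.location_type.replace("-", "_")
            return getattr(client, attr) == inst.location
        raise ValueError(f"unknown location filter {self.location_filter!r}")


@dataclass
class Client:
    user_id: str
    role: str
    ap_name: str
    ap_group: str
    ap_location: str
    profile_services: frozenset            # service types allowed by the WLAN's mDNS profile
    ise_override: frozenset | None = None  # service types from an ISE av-pair, if returned


@dataclass
class ServiceGroup:
    name: str
    policy: AccessPolicy
    instances: list = field(default_factory=list)


class BonjourGateway:
    def __init__(self, default_policy):
        self.groups = []
        self.default_policy = default_policy   # applies to instances in no group
        self.instances = {}                    # mac -> ServiceInstance

    def learn(self, inst):
        """Record a service instance seen in an advertisement (no policy yet)."""
        self.instances[inst.mac] = inst

    def add_group(self, group):
        if len(group.instances) > MAX_INSTANCES_PER_GROUP:
            raise ValueError("service group too large")
        for inst in group.instances:
            memberships = sum(any(i.mac == inst.mac for i in g.instances) for g in self.groups)
            if memberships >= MAX_GROUPS_PER_MAC:
                raise ValueError(f"{inst.mac} already in {MAX_GROUPS_PER_MAC} groups")
            self.learn(inst)
        self.groups.append(group)

    def answer(self, client, service_type):
        """Names of the instances of service_type this client's query is answered with."""
        allowed = client.ise_override if client.ise_override is not None else client.profile_services
        if service_type not in allowed:
            return []                           # level 1: filtered by the mDNS profile
        visible = []
        for inst in self.instances.values():
            if inst.service_type != service_type:
                continue
            policies = [g.policy for g in self.groups if inst in g.instances] or [self.default_policy]
            if any(p.allows(client, inst) for p in policies):
                visible.append(inst.name)
        return sorted(visible)
```

An instance that is a member of several groups is visible if any one of those groups' policies allows the client, which is the permissive reading; a deployment that wants the stricter intersection should keep each MAC in a single group.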
Debug Commands
To display events related to mdns.
WLC >debug mdns message <enable/disable>

To display mdns details of the events.


WLC >debug mdns details <enable/disable>

To display errors related to mdns processing.


WLC >debug mdns error <enable/disable>

To enable all debugs


WLC >debug mdns all <enable/disable>
Bonjour Troubleshooting in 8.0
• No new troubleshooting command (use debug mdns all enable), but a hidden show command that lists
all mDNS services:
(8500-1) >show mdns service all
=======================================================
========== PRINTING MSAL-DB ENTRIES =========

******** PRINTING MSAL-DB AVL TREE ENTRIES ***************


TOTAL ENTRIES IN MSAL-DB AVL TREE..... = 13
-------------------------------------------------
Service-ID............................ = 1
Service-Name.......................... = AFP
Service-String........................ = _afpovertcp._tcp.local.
Bitmap of Profiles using this srv..... = 100001000100
Is a default service.................. = No
Service is Queried Periodically....... = No
Is Location Specific Service enabled.. = Disabled [ 0 ]
Service can be learnt from............ = Wired [ 2 ]
TTL OVERRIDE ENABLED ................... = NO
Profile-ID's using this service....... =
Priority Mac address count............ = 0
-------------------------------------------------
Service-ID............................ = 2
FlexConnect Split Tunneling
Accessing Local Resources – prior to 7.3
(Diagram: WLAN Controller ↔ FlexConnect AP across the WAN.) Traffic from a client on a centrally switched WLAN first crosses the WAN inside the CAPWAP tunnel to the controller, and is then sent back across the WAN link outside the CAPWAP tunnel to the resource located in the remote office. The same traffic, destined for a resource local to the FlexConnect AP, has now unnecessarily consumed WAN bandwidth TWICE!
Accessing Local Resources – Split Tunneling
Implemented in 7.3
• Traffic is classified based on the packet destination and Split Tunneling is used
to route the traffic.
• Enabled per WLAN for centrally switched WLANs only
• Unicast IP traffic destined for a host at the local site is locally switched by the AP

• Accomplished using NAT/PAT so multicast IP traffic is not supported for local


switching – Only unicast L4 IP traffic is supported
• All other traffic is sent across the CAPWAP tunnel and centrally
switched at the Controller
• Split tunnel configuration can be applied either:
• Per AP
• Per FlexConnect Group
Split Tunnel Operation – No Split Allowed
Traffic destined for addresses not permitted by the NAT source ACL is CAPWAP
encapsulated and forwarded to the WLC, where it is passed to the data plane and
switched to the network.

(Diagram: WLAN Controller; 172.16.0.5; 10.10.10.1; 10.10.10.11; FlexConnect AP LaRes3502i 10.10.10.16; client 172.31.255.21.)

LaRes3502i#show access-lists
Extended IP access list Split_Tunnel
10 permit icmp any host 172.16.0.5 (4 matches)
20 permit icmp any host 10.10.10.11 (4 matches)
Extended IP access list reap_local_central_acl
10 permit ip 172.31.255.0 0.0.0.255 any (12 matches)
LaRes3502i#
Split Tunnel Operation – Same Subnet
If the Inside Global address is in the same subnet as the Outside Global address
the AP ARPs for the MAC address of the destination, rewrites the adjacency and
switches the traffic out of the BVI on the local segment.

(Diagram: WLAN Controller; 172.16.0.5; 10.10.10.11; FlexConnect AP LaRes3502i 10.10.10.16; client 172.31.255.21.)

LaRes3502i#show ip nat translations
Pro  Inside global    Inside local        Outside local    Outside global
icmp 10.10.10.16:1    172.31.255.21:1     10.10.10.11:1    10.10.10.11:1
icmp 10.10.10.16:1    172.31.255.21:1     172.16.0.5:1     172.16.0.5:1
LaRes3502i#
Split Tunnel Operation – Different Subnet
If the Outside Global address is not in the same subnet as the Inside Global
address the packet is forwarded to the configured default gateway and routed
to the destination
[Diagram: WLAN Controller; host 172.16.0.5; host 10.10.10.11; 10.10.10.1; FlexConnect AP LaRes3502i 10.10.10.16;
wireless client 172.31.255.21]
LaRes3502i#show ip nat translations
Pro Inside global       Inside local        Outside local       Outside global
icmp 10.10.10.16:1      172.31.255.21:1     10.10.10.11:1       10.10.10.11:1
icmp 10.10.10.16:1      172.31.255.21:1     172.16.0.5:1        172.16.0.5:1
LaRes3502i#
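The forwarding decision that the three Split Tunnel Operation slides above describe, as an added example in Python (not Cisco or AP code): the NAT source ACL decides whether a client packet is locally switched, and for locally switched packets the AP either ARPs on its own segment or hands the packet to its default gateway. The ACL and addresses are the ones on the slides (LaRes3502i, BVI 10.10.10.16, hosts 172.16.0.5 and 10.10.10.11); the /24 mask, the use of 10.10.10.1 as the AP's default gateway, and destination-only ACL matching are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field


def wildcard_to_network(address, wildcard):
    """Convert an IOS 'address wildcard' pair (e.g. 172.31.255.0 0.0.0.255) to a network.
    Only contiguous wildcard masks are handled, which covers the ACLs on the slides."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard mask: %s" % wildcard)
    return ipaddress.IPv4Network((address, 32 - wc.bit_length()), strict=False)


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "icmp", "tcp" or "udp"
    dst: ipaddress.IPv4Network    # destination match (source is "any" on the slides)


@dataclass
class FlexAp:
    bvi: ipaddress.IPv4Interface          # AP BVI address on the local segment (assumed /24)
    gateway: ipaddress.IPv4Address        # AP default gateway (assumed 10.10.10.1)
    nat_acl: list = field(default_factory=list)   # the NAT source ACL (Split_Tunnel)


def acl_permits(acl, proto, dst):
    """IOS-style first-match evaluation with the implicit deny at the end."""
    for entry in acl:
        if entry.proto in ("ip", proto) and dst in entry.dst:
            return entry.action == "permit"
    return False


def split_tunnel_decision(ap, proto, dst):
    """Return (path, reason): 'capwap' means centrally switched at the WLC,
    'local' means NAT/PAT'd to the BVI address and switched by the AP."""
    dst = ipaddress.IPv4Address(dst)
    # Only unicast L4 IP traffic can be translated locally; multicast always goes central.
    if dst.is_multicast or proto not in ("icmp", "tcp", "udp"):
        return "capwap", "multicast or non-L4 traffic is always centrally switched"
    if not acl_permits(ap.nat_acl, proto, dst):
        return "capwap", "destination not permitted by the NAT source ACL"
    # Same subnet as the translated (BVI) address: ARP for the host and send out the BVI.
    if dst in ap.bvi.network:
        return "local", "same subnet: ARP for %s and switch out of the BVI" % dst
    # Otherwise the translated packet is handed to the AP's default gateway.
    return "local", "different subnet: forward to default gateway %s" % ap.gateway


def lab_ap():
    """The AP and ACL from the slides (LaRes3502i, BVI 10.10.10.16, Split_Tunnel ACL)."""
    acl = [
        AclEntry("permit", "icmp", wildcard_to_network("172.16.0.5", "0.0.0.0")),
        AclEntry("permit", "icmp", wildcard_to_network("10.10.10.11", "0.0.0.0")),
    ]
    return FlexAp(ipaddress.IPv4Interface("10.10.10.16/24"),
                  ipaddress.IPv4Address("10.10.10.1"), acl)


if __name__ == "__main__":
    ap = lab_ap()
    for proto, dst in [("icmp", "10.10.10.11"), ("icmp", "172.16.0.5"),
                       ("tcp", "172.16.0.5"), ("udp", "239.1.1.1"), ("icmp", "192.0.2.9")]:
        print(proto, dst, "->", split_tunnel_decision(ap, proto, dst))
```

Note that TCP to 172.16.0.5 goes back through CAPWAP even though ICMP to the same host is split out: the ACL on the slide permits only icmp, so the protocol in the ACL entry matters as much as the destination when troubleshooting why a flow is not being locally switched.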
High Availability
Enhancements
Phase 1 : APSSO (7.3)
• Active – Standby 1:1 Redundancy
• Both WLC share IP Address of management interface
• Bulk and Incremental Config Sync
• APs do not go in Discovery state when Active WLC fails
• Supported on 5500 / 7500 / 8500 and WiSM-2
• Downtime 5 - 1000 msec in case of Box failover, ~3 seconds in case of Network Issues
Phase 2 : Client SSO (7.5)
• Active – Standby can be geographically separated over L2 VLAN/Fiber
• Client database is synced to the Standby
• Client information is synced when client moves to RUN state.
• Client re-association is avoided on switch over
• Fully authenticated clients (RUN state) are synced to the peer
• Effective service downtime = Detection time + Switch Over Time (Network recovery/convergence)
Phase 3 : Improvements (8.0)
• Auto-recovery from maintenance mode once Peer-RP and default gateway reach-ability is restored
• SSO Support for Internal DHCP Server
• SSO support for sleeping clients
• SSO support for 802.11ac clients
• SSO support for OEAP 600
• CAC method Bandwidth allocation parameters for both voice & video and Call Statistics synced to the Standby WLC
• Enhanced GW reachability check mechanism enhanced to avoid false positives
• Peer RMI ICMP ping replaced with UDP messages
• Faster HA Pair-up
ICMP ping on RMI is replaced with UDP message
• Beneficial when ICMP pings may get discarded under heavy loads
Default GW reachability enhancement : Upon 6 consecutive ping drops, ARP is sent to GW
• Under heavy loads ICMP may get discarded but not ARPs. An ARP response is considered for GW reachability to avoid
false positives, which makes this mechanism more deterministic
Standby WLC enters into MTC mode ‘on-the-fly’ without reboot
• Upon Peer-RP and default gateway reach-ability, MTC mode auto-recovery will reboot the WLC and pair it with Active
WLC (Release 7.6 feature)
• Upon “Peer-RP” and/or default gateway reach-ability is lost, Standby WLC will enter into MTC mode on-the-fly without
a reboot (8.0)
Faster HA Pair Up - No comparison of XMLs and no reboot of standby WLC during Pair Up
• XMLs will be sent from the to-be-Active to to-be-Standby at the time of initialization, just before the validation of XMLs.
Double reboots avoided.
• In 7.3/7.4, AP SSO relies on direct connection of the Redundancy Ports (RP)
• Keepalive (every 100 ms) and configuration is exchanged over RPs
• Both WLCs Management Interface must be in same subnet (can be across L2 switches, RTT less than 80 ms)
• Another interface (Redundancy Management Interface, RMI) in Management subnet is created on Management port, used to
test connectivity once RP connectivity fails, check gateway reachability and exchange update between WLCs in case of
manual reset or switchover.
[Diagram: two WLCs; RP addresses e.g. 169.254.61.21 and 169.254.61.23 (derived from the last 2 bytes of the RMI address);
Management Interfaces e.g. 9.9.61.2 and 9.9.61.3; RMI e.g. 9.9.61.21 and 9.9.61.23]
• In 7.5, AP SSO supports L2 connection for Redundancy Ports (RP)
• RP RTT must be less than 80 ms if keepalive timer left to default (100 ms), OR 80% of keepalive timer if keepalive timer
configured (range 100-400 ms)
• Failure detection time is 3 * 100 = 300 + 60 = 360 + jitter (12 msec) = ~400 msec
• Bandwidth between RP must be 60 Mbps or higher
• MTU: 1500 bytes or larger
• Standby maintains 2 client lists:
  • List for clients in RUN state
  • Transient list for clients in all other states
• ONLY Clients in RUN state are maintained during failover
  • Transient list is deleted
  • Clients in transitions like roaming, dot1x key regeneration, webauth logout, etc. are disassociated
  • Posture and NAC OOB are not supported, since client is not in RUN state
• Some clients, and some information about clients, are not synced between Active and Standby
  • CCX Based apps - need to be re-started post Switch-over
  • Client Statistics are not synced
  • PMIPv6, NBAR, SIP static CAC tree are not synced, need to be re-learned after SSO
  • WGB and clients associated to it are not synced
  • OEAP(600) clients are not synced
  • Passive clients are not synced
• Same commands as 7.4, client SSO is also displayed:
IPv6 support
[Diagram 1: an IPv4 client and an IPv6 client connect over 802.11 to the AP; the AP reaches the WLC through an IPv4
CAPWAP tunnel; the WLC connects over Ethernet (IPv4 VLAN) to an IPv4/v6 router. WLC bridges all IPv6 client traffic.]
[Diagram 2: the same topology with a CAPWAPv6 tunnel between AP and WLC. Addresses shown: WLC Mgmt
2001:db8:a::2/64 and 10.10.10.2; IPv4/v6 router 2001:db8:a::1/64 and 10.10.10.1; Radius Server 2001:db8:a:7/64;
SNMP/Syslog/NTP Server and tftp/ftp/scp Server at 2001:db8:a:5/64 and 2001:db8:a:6/64; AP and client addresses
2001:db8:a:0:2329:9834:3231:1111 / 10.10.10.52, 2001:db8:a:0:1827:91bf:c41b:9683 and
2001:db8:a:0:8a56:caff:1547:9150 / 10.10.10.51]
o ONE IPv6 address (+ LLA address) management solution
o Only IPv4 address support on Dynamic interfaces
o Only IPv4 Dynamic AP manager support
o Only IPv4 Redundancy-management/Redundancy port (HA interfaces are IPv4 only)
o Service-port can get an IPv6 address statically or using SLAAC (only SLAAC interface on WLC)
o LAG needed for IPv6 AP load balancing
o DHCPv6 Proxy not supported (ONLY IPv6 DHCP bridging support - like 7.6 legacy)
• Management default is the unspecified IPv6 address (::/128)
• Gateway must be the Link-Local address of the next hop router
• Management Link Local is assigned automatically but Primary must be a globally unique address or a Unique
Local Address (fc00::/7)
[Diagram: Management interface with a statically assigned IPv6 address; gateway is the Link Local Address of the
next hop Router/Switch]
Router/Switch Configuration
• No IPv6 address on Dynamic Interfaces (Dynamic Interfaces support IPv4 only)
• Traffic will be bridged on the VLAN so an IPv6 address can exist on an IPv6 enabled switch/router
• A DHCPv6 server or relay can exist on the VLAN interface at the switch/router
ipv6 dhcp pool vlan20_pool
 address prefix 2001:DB8:B::/64 lifetime 1800 60
 dns-server 2001:DB8:B::1
 domain-name ipv6.rf-demo.com
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:DB8:B::1/64
 ipv6 enable
 ipv6 nd prefix 2001:DB8:B::/64
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp server vlan20_pool rapid-commit
!
[Diagram: WLC Mgmt 2001:db8:a::2/64 and 10.10.10.2, dynamic interfaces IPv4 only, connected to the switch/router above]

• WLC can be accessed from wired/wireless via its IPv4 or IPv6 Management Interface
using:
  • telnet
  • SSH
  • HTTP
  • HTTPS
• Prefer-mode allows the administrator to configure the CAPWAP L3 transport (IPv4 or IPv6)
through which APs will join the WLC (based on its primary/secondary/tertiary configuration).
• There are two levels of prefer-mode:
  • 1) ApGroup Specific
  • 2) Global
• ApGroup specific prefer-mode will be pushed to the AP if prefer-mode is configured on the ApGroup
to which the AP belongs
• Global prefer-mode will be pushed to default-group APs and to those ApGroups that
do not have prefer-mode configured
• By default, prefer-mode for ApGroup and Global is un-configured and
IPv4 respectively
• Static IP configuration will take precedence over prefer-mode.
• Example:
  • Preferred mode configured as IPv4
  • Static IPv6 configuration on AP using CLI or GUI
  • AP will join WLC using IPv6 transport mode
• AP can get IPv6 addresses from stateful DHCPv6, SLAAC or static assignment
• If statically assigned, the gateway can be the unique global or Link-Local address of the router
• Either ‘CAPWAPv4’ or ‘CAPWAPv6’ can be used, but not both
• APs in bridge mode do not support CAPWAPv6
• DHCPv6 Option 52
  • OPTION_CAPWAP_AC_V6 (52) RFC 5417
  • As part of the DHCPv6 Reply, the server will provide the WLC management IPv6 address
  • AP will begin unicast CAPWAP discovery
• Multicast discovery
  • Broadcast does not exist in IPv6
  • Send CAPWAP discovery messages to "All ACs multicast address" (FF01::18C)
• Using DNS
  • Configure DNS server to resolve cisco-capwap-controller.domain-name
  • domain-name should be returned from DHCPv6 server
• AP Priming
  • Preconfiguring the AP with a Primary, secondary, and tertiary IPv6 managed WLC
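How the DHCPv6-based discovery above looks on the wire, as an added example in Python (not Cisco or AP code): it builds a constructed DHCPv6 option list carrying OPTION_CAPWAP_AC_V6 (52, RFC 5417) and the Domain Search List option (24, RFC 3646), parses it defensively, and produces the discovery candidates the slide lists. The WLC addresses and the ipv6.rf-demo.com domain are sample values, the function names are the example's own, and the order of candidates is the slide's order, not a claim about the AP's actual preference.

```python
import ipaddress
import struct

OPTION_DOMAIN_LIST = 24          # RFC 3646 Domain Search List
OPTION_CAPWAP_AC_V6 = 52         # RFC 5417 CAPWAP Access Controller addresses
ALL_ACS_MULTICAST = "ff01::18c"  # "All ACs" multicast address from the slide
CAPWAP_DNS_LABEL = "cisco-capwap-controller"


def encode_domain(name):
    """RFC 1035 label encoding without compression (RFC 3646 forbids pointers)."""
    out = b""
    for label in name.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_options(ac_addresses, domains):
    """Constructed DHCPv6 option list (code, length, data per RFC 3315) for the example."""
    ac_data = b"".join(ipaddress.IPv6Address(a).packed for a in ac_addresses)
    dom_data = b"".join(encode_domain(d) for d in domains)
    return (struct.pack("!HH", OPTION_CAPWAP_AC_V6, len(ac_data)) + ac_data
            + struct.pack("!HH", OPTION_DOMAIN_LIST, len(dom_data)) + dom_data)


def parse_options(blob):
    """Split a DHCPv6 option list into (code, data) pairs; reject truncated input."""
    options, off = [], 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("option %d length %d exceeds message" % (code, length))
        options.append((code, blob[off:off + length]))
        off += length
    return options


def option_list_is_valid(blob):
    try:
        parse_options(blob)
        return True
    except ValueError:
        return False


def decode_ac_addresses(data):
    """Option 52 is a plain list of 16-byte IPv6 addresses."""
    if len(data) % 16:
        raise ValueError("OPTION_CAPWAP_AC_V6 length must be a multiple of 16")
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]


def decode_domains(data):
    names, off = [], 0
    while off < len(data):
        labels = []
        while True:
            if off >= len(data):
                raise ValueError("unterminated domain name")
            n = data[off]
            off += 1
            if n == 0:
                break
            if n >= 64 or off + n > len(data):
                raise ValueError("bad label length %d in option 24" % n)
            labels.append(data[off:off + n].decode("ascii"))
            off += n
        names.append(".".join(labels))
    return names


def discovery_targets(blob):
    """Discovery candidates in the order the slide lists them: unicast to each WLC
    from option 52, the All-ACs multicast address, then the DNS name per domain."""
    options = parse_options(blob)
    targets = []
    for code, data in options:
        if code == OPTION_CAPWAP_AC_V6:
            targets += [("unicast", a) for a in decode_ac_addresses(data)]
    targets.append(("multicast", ALL_ACS_MULTICAST))
    for code, data in options:
        if code == OPTION_DOMAIN_LIST:
            targets += [("dns", CAPWAP_DNS_LABEL + "." + d) for d in decode_domains(data)]
    return targets


if __name__ == "__main__":
    reply = build_options(["2001:db8:a::2", "2001:db8:a::3"], ["ipv6.rf-demo.com"])
    for kind, target in discovery_targets(reply):
        print(kind, target)
```

The length checks in parse_options and decode_domains are the part worth keeping when reusing this on captured DHCPv6 replies: an option whose declared length runs past the end of the message, or a domain name without a terminating zero label, is what a malformed or hostile reply looks like, and both are rejected instead of being read out of bounds.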
WLC CLI: config ipv6 capwap udplite en/disable
• UDP Lite computes the checksum over the pseudo header of the datagram (partial checksum coverage, rather than the
whole payload as with UDP)
• Enabling UDP Lite speeds up packet processing time
• The IP protocol id is 136, uses same CAPWAP ports as UDP
• Enabling UDP Lite would require that the network firewall allows protocol 136
• Switching between UDP and UDP Lite causes all APs to re-join WLC
• Enabled by default
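What the UDP Lite bullets mean for a packet and for the firewall in front of the WLC, as an added example in Python (not Cisco code): it builds an IPv6 packet with next header 136 and a UDP-Lite header whose checksum coverage is the 8-byte header only, verifies the checksum (over the IPv6 pseudo-header plus the covered bytes, with the pseudo-header carrying the full datagram length as RFC 3828 specifies), shows that a corrupted payload byte goes undetected while a corrupted header byte does not, and checks the packet against a constructed firewall rule set with and without the protocol-136 entries. The addresses, the client source port and the rule sets are constructed; 5246/5247 are the CAPWAP ports from RFC 5415.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_UDPLITE = 17, 136
CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT = 5246, 5247   # RFC 5415 ports, reused by UDP-Lite


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP family of checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udplite_checksum(src, dst, sport, dport, coverage, payload):
    """Checksum over the IPv6 pseudo-header and the first `coverage` bytes of the
    UDP-Lite datagram; coverage 0 means the whole datagram (behaves like UDP)."""
    length = 8 + len(payload)
    covered = length if coverage == 0 else coverage
    if covered < 8 or covered > length:
        raise ValueError("invalid checksum coverage %d for length %d" % (coverage, length))
    # Pseudo-header: src, dst, upper-layer length (full datagram), zeros, next header.
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", length, PROTO_UDPLITE)
    datagram = struct.pack("!HHHH", sport, dport, coverage, 0) + payload
    csum = 0xFFFF - ones_complement_sum(pseudo + datagram[:covered])
    return csum or 0xFFFF     # an all-zero result is transmitted as 0xFFFF


def build_ipv6_udplite(src, dst, sport, dport, payload, coverage=8):
    """IPv6 header (no extension headers) + UDP-Lite header + payload."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    csum = udplite_checksum(src, dst, sport, dport, coverage, payload)
    l4 = struct.pack("!HHHH", sport, dport, coverage, csum) + payload
    ip6 = struct.pack("!IHBB", 0x60000000, len(l4), PROTO_UDPLITE, 64) + src.packed + dst.packed
    return ip6 + l4


def parse_ipv6_udplite(packet):
    """Decode the IPv6 and UDP-Lite headers and verify the checksum over the covered bytes."""
    if len(packet) < 48:
        raise ValueError("packet too short for IPv6 + UDP-Lite headers")
    first, plen, next_header, _hop = struct.unpack_from("!IHBB", packet, 0)
    if first >> 28 != 6 or plen < 8:
        raise ValueError("not an IPv6 packet with an 8-byte transport header")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    l4 = packet[40:40 + plen]
    sport, dport, coverage, csum = struct.unpack_from("!HHHH", l4, 0)
    ok = (next_header == PROTO_UDPLITE
          and udplite_checksum(src, dst, sport, dport, coverage, l4[8:]) == csum)
    return {"proto": next_header, "src": str(src), "dst": str(dst), "sport": sport,
            "dport": dport, "coverage": coverage, "checksum_ok": ok}


# Constructed firewall policy towards the WLC: the UDP rules most sites already have,
# and the protocol-136 rules that CAPWAPv6 with UDP Lite enabled additionally needs.
UDP_ONLY_RULES = {(PROTO_UDP, CAPWAP_CONTROL_PORT), (PROTO_UDP, CAPWAP_DATA_PORT)}
UDPLITE_RULES = UDP_ONLY_RULES | {(PROTO_UDPLITE, CAPWAP_CONTROL_PORT),
                                  (PROTO_UDPLITE, CAPWAP_DATA_PORT)}


def firewall_permits(info, rules):
    return (info["proto"], info["dport"]) in rules


def corrupt_byte(packet, offset):
    """Flip one byte, to show what header-only coverage does and does not detect."""
    data = bytearray(packet)
    data[offset] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    pkt = build_ipv6_udplite("2001:db8:a::10", "2001:db8:a::2", 40000, CAPWAP_CONTROL_PORT, b"capwap")
    info = parse_ipv6_udplite(pkt)
    print(info, "udp-only firewall:", firewall_permits(info, UDP_ONLY_RULES),
          "udplite-aware firewall:", firewall_permits(info, UDPLITE_RULES))
```

The payload-corruption case is the practical reason the slide can say UDP Lite "speeds up packet processing": with coverage 8 the WLC never sums the CAPWAP payload at the transport layer, so payload integrity rests on DTLS for control traffic and on whatever the data channel carries, not on the UDP-Lite checksum. The firewall check is the other operational point: a policy written for protocol 17 silently drops the same ports under protocol 136.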
 Deployment Modes
   Flexconnect – Local switched
   Mesh/Outdoor
   Teleworker/OEAP
   Converged Access
 Services
   Bonjour
   AVC
   Trustsec
 Unsupported APs:
   Bridge mode APs/AP with 64Mb RAM
   OEAP 600
   ISR 800/802
   1130/1240/1250
   1310/1410
   1520
 Misc. configuration Options
   Internal DHCPv6 Server
   DHCPv6 Proxy
   Auto configuration
   Dynamic interfaces
   RA Interfaces
   OCSP and CA Server URL
   VLAN pooling
 Protocols
   NTP v4
   MLD v2
   IPsec v3 and IKE v2
   RLDP and CIDS
   PMIP v6
   New Mobility
• IPv6 has its own family of debug commands for clients (this is not new):
(Cisco Controller) >debug ipv6 ?
neighbor-binding Configures the IPV6 neighbor-binding debug options
address-learning Configures the IPV6 address-learning debug options
rules Configures the IPV6 address-learning debug options
dhcp Configures the IPV6 dhcp debug options
• For native IPv6, debug commands have been modified to include IPv6 info:
(Cisco Controller) >debug capwap packet enable
*spamApTask4: Jun 01 07:55:40.291: CAPWAP Control mesg Sent to 2001:14::209, Port 43147
*spamApTask4: Jun 01 07:55:40.292: Msg Type : CAPWAP_WTP_EVENT_RESPONSE
*spamApTask4: Jun 01 07:55:40.292: Msg Length : 0
*spamApTask4: Jun 01 07:55:40.292: Msg SeqNum : 50
*spamApTask4: Jun 01 07:55:40.292: <<<< End of CAPWAP Packet >>>>
Flexconnect Mappings
Flex Components - Mapping
[Diagram: WLC with Wlan1, Wlan2, Wlan3; a control tunnel (AAA Level: VLAN override) and a data tunnel (WLAN
Level: WLAN/VLAN mappings) to the FlexConnect AP; the AP trunk carries vlan1, vlan2, vlan3; WLAN/VLAN
mappings also exist at AP Level and at Flexgroup Level]
Flex Components – AP WLC change
[Diagram: the AP moves from a WLC configured with Wlan1, Wlan2, Wlan3 to a WLC configured with Wlan2, Wlan3,
Wlan4; the AP Level WLAN/VLAN mappings and the trunk (vlan1, vlan2, vlan3) are shown for both WLCs]
a2-ap3600-sw2-12#sh capwap reap saved
Reading from file:flash:/lwapp_reap.cfg

=================reapPayloadSaved_t============
===================Config Read===================
Size = 95004
Magic num: DABBA7A2
Version: 7.6.130.0
Valid Flags: 15

===================reapVlanPayload_t=============
Native VLAN: 2
Number of Entries: 2

WLAN ID VLAN ID
------- -------
01 257
02 0

===================reapVlanProfPayload_t=============
Native VLAN: 2
Number of Entries: 1

WLAN ID VLAN ID WLAN PROFILE
------- ------- ------------
01 257 pass

==================hreapVlanAclMapping_t=============
Index VLAN Number BitFlag IN Acl Name OUT Acl Name
----- ----------- ------- ----------- ------------
Flex Components – AP config
a2-ap3600-sw2-12#sh capwap client detailrcb
Control packet retransmission interval: 255
Control packet retransmission count: 255
Radio 0
------------------------------------------------------------------
------------------------------------------------------------------
RLDP State = 0
TxPower
NumOfVaps : 1
BSSID : 84:78:AC:99:59:80
All WLANs
WLAN Index slot 0
ssid : pass
Capability : 0x421
vapId : 1
encryptPolicy : 1
wmeDataLen : 26
wmeData : DD18050F22118003A40027A40042435E062322F00000000DD7050F221180000000
wmeOldQoSConfig : 0
wmeDataInfoElement : DD7050F221180
wapiDataLen : 0
dot11eDataLen : 0
dot11eInfoElement : 2E1000000000000000000000000000000
maxPriority : 3
defaultUnicastPriority : 3
defaultMulticastPriority : 3
authType : 0
dot11eBandwidth : 23437
broadcastSSID : 1
aironetIeSupport : 1
gprSupport : 0
Flex – Take Away
• Use Flexgroup level settings when possible
• Backup WLC with different config will force AP config loss
• Flex configuration is sum of different levels
[Diagram: what a client will see is the stack, from top to bottom, of AAA override, AP Specific Settings,
FlexGroup and WLAN settings]
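The "sum of different levels" resolution from the take-away slide, as an added example in Python (not Cisco or WLC code): it assumes the stacked list on the slide is in precedence order (AAA override wins over AP Specific Settings, which win over the FlexGroup, which wins over the WLAN mapping), and it models the config loss on a backup WLC as the dropping of AP-level mappings for WLANs that the new WLC does not push. The VLAN numbers and WLAN ids are constructed.

```python
def effective_vlan(wlan_id, wlan_level, flexgroup_level=None, ap_level=None, aaa_override=None):
    """Return (vlan, source) for one client on one WLAN, following the take-away stack:
    AAA override beats AP-specific settings, which beat the FlexGroup, which beats the
    WLAN-level mapping (assumed precedence, top of the slide's stack winning)."""
    if aaa_override is not None:
        return aaa_override, "AAA override"
    for source, table in (("AP-specific", ap_level), ("FlexGroup", flexgroup_level)):
        if table and wlan_id in table:
            return table[wlan_id], source
    if wlan_id in wlan_level:
        return wlan_level[wlan_id], "WLAN"
    raise KeyError("WLAN %s has no VLAN mapping at any level" % wlan_id)


def client_view(wlan_level, flexgroup_level=None, ap_level=None):
    """What clients on this AP will see for every WLAN the joined WLC pushes,
    before any per-client AAA override: {wlan_id: (vlan, source)}."""
    return {wlan: effective_vlan(wlan, wlan_level, flexgroup_level, ap_level)
            for wlan in sorted(wlan_level)}


def after_wlc_change(ap_level, new_wlan_level):
    """Model of 'Backup WLC with different config will force AP config loss' (this
    example's reading): AP-level mappings for WLANs the new WLC does not push are
    dropped.  Returns (surviving AP-level mappings, sorted list of dropped WLAN ids)."""
    surviving = {w: v for w, v in ap_level.items() if w in new_wlan_level}
    dropped = sorted(w for w in ap_level if w not in new_wlan_level)
    return surviving, dropped


if __name__ == "__main__":
    wlan = {1: 10, 2: 20, 3: 30}        # WLAN-level WLAN -> VLAN (constructed)
    group = {2: 22}                     # FlexGroup override for WLAN 2
    ap = {3: 33}                        # AP-specific override for WLAN 3
    print(client_view(wlan, group, ap))
    print(effective_vlan(1, wlan, group, ap, aaa_override=99))
    print(after_wlc_change({1: 11, 3: 33}, {2: 20, 3: 30, 4: 40}))
```

Running client_view against the three tables is the quickest way to see why the slide recommends FlexGroup-level settings: the AP-specific entry for WLAN 3 silently hides whatever the group and WLAN say, and it is also the entry that is lost when the AP lands on a WLC that does not carry that WLAN.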
Converged Access
Stages of enlightenment……
Stage 1: UGH! Stage 2: Hmmm… Stage 3: Aha!


Converged Access Deployment –
Use Cases
[Diagram: three deployment sizes. BRANCH and SMALL/MEDIUM CAMPUS use INTEGRATED CONTROLLER OPTIONS (new
Catalyst 3850 as integrated controller, with ISE and Prime); LARGE CAMPUS needs an EXTERNAL MOBILITY CONTROLLER
(5508 or WiSM2 with SW upgrade, or new 5760, with Catalyst 3850 as Mobility Agent, Catalyst 3750 access switches
and AP CAPWAP tunnels; Employee and Guest SSIDs; guest traffic to a DMZ controller).]
                      BRANCH                   SMALL/MEDIUM CAMPUS               LARGE CAMPUS
Access Points         UP TO 50                 UP TO 250                         UP TO 72,000
Clients               UP TO 2,000              UP TO 16,000                      UP TO 864,000
                      ALL WAN SERVICES         VISIBILITY, CONTROL,              LARGEST LAYER 3 ROAMING
                      AVAILABLE                RESILIENCY                        DOMAINS
Data path             Capwap Tunnel            Standard Ethernet, No Tunnels     Guest Tunnel from Switch to
                                                                                 DMZ Controller
Converged Access
Quick review
 Mobility Agent (MA):
Terminates CAPWAP tunnels for locally connected APs. Handles local clients Database
 Mobility Controller (MC):
Control Plane functions: Handles RRM, Roaming, Switch Peer Groups, etc.
 Switch Peer Group (SPG):
Group of geographically adjacent switches (MAs) to optimize roaming
[Diagram: MA, MC and SPG – the Wireless Controller function in IOS on the Access switch]
 A distributed wireless and wired data plane brings:
– Scalability, as wireless is terminated at access switch, no hair pinning to a central location
– Optimized roaming
– Traffic Visibility as traffic is not CAPWAP tunneled to a central WLC
– Same tools for troubleshooting that are available for wired
– Single Point of Ingress for wired and wireless traffic. Common Policy enforcement point for wired and wireless
– Rich media optimization: support mission critical application with QoS applied closest to the source
Converged Access –
Physical Entities – Mobility Agents (MAs)
[Diagram: Service Block with ISE and PI; three MAs (Catalyst 3850 stacks), each with its APs]
• MA is the first level in the hierarchy of MA / MC
• One MA per Catalyst 3850 Stack
• Maintains Client DB of locally served clients
• Interfaces to the Mobility Controller (MC)
Converged Access –
Physical Entities – Mobility Controllers (MCs)
[Diagram: Service Block with ISE and PI; two MCs above the MAs and their APs]
• Mandatory element in design
• Can be hosted on a MA (smaller deployments)
• Manages mobility-related state of the downstream MAs
• Maintains Client DB within a Sub-Domain (1 x MC = One Sub-Domain)
• Handles RF functions (including RRM)
• Multiple MCs can be grouped together in a Mobility Group for scalability
• Supported platforms are Catalyst 3850, and 5760
Converged Access
Logical Entities – Switch Peer Groups
[Diagram: Sub-Domain 1 with one MC and two SPGs (SPG-A, SPG-B), each made of two MAs]
• Made up of multiple Catalyst 3850/3650 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
• Handles roaming across SPG (L2 / L3)
• MAs within an SPG are fully-meshed (auto-created at SPG formation)
• Fast Roaming within an SPG
• Multiple SPGs under the control of a single MC form a Sub-Domain
SPGs are a logical construct, not a physical one …
SPGs can be formed across Layer 2 or Layer 3 boundaries
SPGs are designed to constrain roaming traffic to a smaller area, and optimize roaming capabilities and
performance
SPGs will likely be built around buildings, around floors within a building, or other areas that users are likely
to roam most within
Roamed traffic within an SPG moves directly between the MAs in that SPG (CAPWAP full mesh)
Roamed traffic between SPGs moves via the MC(s) servicing those SPGs
Converged Access
Logical Entities – Switch Peer Groups and Mobility Group
[Diagram: a Mobility Group of three Sub-Domains (1, 2, 3), each with an MC and two SPGs (SPG-A to SPG-F) of MAs]
Switch Peer Group:
• Made up of multiple Catalyst 3850/3650 switches as Mobility Agents (MAs), plus an MC (on controller as shown)
• Handles roaming across SPG (L2 / L3)
• MAs within an SPG are fully-meshed (auto-created at SPG formation)
• Fast Roaming within an SPG
• Multiple SPGs under the control of a single MC form a Sub-Domain
Mobility Group:
• Made up of Multiple Mobility Controllers (MCs)
• Handles roaming across MG (L2 / L3)
• RF Management (RRM) and Key Distribution for Fast Roaming
• One Mobility Controller (MC) manages the RRM for entire Group
• Fast Roams are limited to Mobility Group member MCs
Connecting a Controller to the wired network
Single IOS Controllers (5760/3850/3650)
Option 1: to single Modular switch or Stack
[Diagram: IOS based WLC connected by a trunk Port-channel to a Distribution Layer Switch/Stack]
• All EtherChannel modes supported: ON, LACP, PAgP
• Identical configuration on WLC and switch side
• EtherChannel mode :
  o PAgP, by setting Desirable/Desirable on both sides
  o LACP, by setting Active/Active on both sides
  o Keep PAGP/LACP timers with default settings
• EC load-balancing mode:
  o Include L3 and L4 port for better hash results
  o Use: “port-channel load-balance src-dst-mixed-ip-port”
• STP supported and recommended to keep default settings
Configuration on the switch port facing the 5760:
port-channel load-balance src-dst-mixed-ip-port
!
interface GigabitEthernet0/9
 description to_5760
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,21-23
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
Connecting a Controller to the wired network – Recommended Network Design
Single AireOS or IOS Controllers
Option 2: to a VSS pair
[Diagram: WLC connected by a trunk Port-channel to a Catalyst VSS Pair]
• Single LAG to the VSS pair
• Spread ports across VSS pair
• In case of failure of Primary switch traffic continues to flow through Secondary switch in the VSS pair
• Same recommendations given for Option 1 also apply
Connecting a Controller to the wired network
Single IOS Controller (5760/3850/3650)
Option 3: Pair of Distribution switches with STP
[Diagram: IOS-WLC with Po 1 and Po 2 to two Distribution Layer switches (Layer 2/Layer 3); same configuration on
both Po1 and Po2]
• Configure two ECs, one to each distribution switch
• Same configuration on both ECs on WLC and Switches side
• Enable Rapid Per-VLAN Spanning-Tree (PVST+)
• Use L3 link between Distribution switches if the VLANs are restricted to one WLC
• Use Layer 2 trunk links between Distribution switches if VLANs span multiple WLCs (for L2 roaming)
• Apply the Campus Design tweaks to STP (VLAN load balancing, HSRP active collocated with STP root, etc.)
No option 3 for AireOS controllers as STP and multiple LAGs are not supported
Connecting a Controller to the wired network
Single IOS Controller (5760/3850/3650)
Option 3a: Pair of Distribution switches with STP – distribution switch configuration
[Diagram: 5760-WLC with Po 1 and Po 2 to the two Distribution Layer switches (Layer 2/Layer 3); the Option 3
recommendations apply]
spanning-tree mode rapid-pvst
spanning-tree vlan <VLAN Range – even> root primary
spanning-tree vlan <VLAN Range – odd> root secondary
!
interface GigabitEthernet0/9
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,21-23
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
!
interface Vlan22
 description client_VLAN_nosec
 ip address 192.168.22.11 255.255.255.0
 standby 0 ip 192.168.22.100
 standby 0 timers msec 250 msec 750
 standby 0 priority 150
 standby 0 preempt delay minimum 180
Converged Access – Subnet Design Decisions
[Diagram: Distribution and Access layers for three designs.
Design – 1: Wired VLAN 101 / 201 / 301, Wireless VLAN 102 / 202 / 302.
Design – 2: Wired + Wireless VLAN 101 / 201 / 301.
Design – 3: Wired VLAN 101 / 201 / 301, Wireless VLAN 102.]
Design – 1 Pros:
 Structured and Intuitive addressing plan
 Contained flood/fault domain
 Unique policy for Wired vs Wireless
 Deterministic DHCP pool operation
 Cisco recommended design
Design – 1 Cons:
 May require more subnets
 Subnet sizing may require extra planning
Design – 2 Pros:
 Less VLANs and Subnets
Design – 2 Cons:
 Dual-home device may impact application
 Cannot enforce unique access policies
 Challenging to plan Subnet
Design – 3 Pros:
 Partial structured addressing plan
 Traditional CUWN VLAN design
 Unique policy Wired vs Wireless
Design – 3 Cons:
 VSS/StackWise required in Distribution
 Large link local bcast/mcast flood domain
 STP fault domain widens in large network
Converged Access –
IP Addressing – For Wireless Management / APs
Wireless LAN Management for directly-attached APs on Catalyst 3850
APs need to be in the same VLAN as the Wireless Management interface:
interface GigabitEthernet1/0/1
 description to_AP
 switchport access vlan 20
 switchport mode access
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
wireless management interface Vlan20
If you do not define a wireless management VLAN on the 3850
(i.e. no “wireless management interface vlan X” in the config),
the switch will then be transparent to AP attachment and everything will
continue to operate as it does today on a 3750-X, i.e. AP attachment to
centralized controller, DHCP option 43 controller assignment, etc.
• As soon as you define a «Wireless management interface VLAN», the Catalyst 3850
will intercept all incoming AP requests, and terminate / process them at the local CPU.
Converged Access –
Traffic Flow and Roaming – L2 Roam (impact of policy moves)
• When a user roams in a L2 environment, an optional setting
allows for both the user’s PoA and PoP to move.
• The benefits that accrue to a PoP move for an L2 user roam are reduced end-to-end
latency for the user (less traffic hops), as well as a reduction of state held within the
network (as the user needs to be kept track of only at the roamed-to switch).
• The drawback to a PoP move for an L2 user roam is likely increased roam
times, as user policy may be retrieved from the AAA server, and applied at the
roamed-to switch. The combination of these two elements may introduce a
level of non-deterministic behaviour into the roam times if this option is used.
[Diagram: policy moves with user move – follows PoP]
• Default Behaviour –
  • L2 Roams Disabled – by default, all roams (whether across an L3 boundary or not)
carry the user’s traffic from their roamed-to switch (where the user’s PoA has moved to),
back to the original switch the user associated through (where the user’s PoP remains).
In this case, the user’s policy application point remains fixed, and roam times are more deterministic.
  • However, if desired, this behaviour can be modified via a setting to allow for an L2 roam –
assuming the network topology involved allows for the appropriate Layer 2 extension across the network.
Configuring an MA – two commands
3850-MA(config)#wireless management interface vlan22
3850-MA(config)#wireless mobility controller ip 10.1.5.55 public-ip 10.1.5.55
Apr 17 04:48:22.004: %LINK-3-UPDOWN: Interface Capwap0, changed state to up
Apr 17 04:48:23.006: %LINEPROTO-5-UPDOWN: Line protocol on Interface Capwap0, changed state to up

3850-MA#show wireless interface summary

Wireless Interface Summary

Interface Name  Interface Type  VLAN ID  IP Address   IP Netmask     MAC Address
--------------------------------------------------------------------------------
Vlan22          Management      22       10.1.22.254  255.255.255.0  2037.06cf.9968

3850-MA#show wireless mobility summary

Mobility Agent Summary:
Mobility Role                           : Mobility Agent
Mobility Protocol Port                  : 16666
Mobility Switch Peer Group Name         :
Multicast IP Address                    : 0.0.0.0
DTLS Mode                               : Enabled
Mobility Domain ID for 802.11r          : 0xac34
Mobility Keepalive Interval             : 10
Mobility Keepalive Count                : 3
Mobility Control Message DSCP Value     : 0
Switch Peer Group Members Configured    : 0
Link Status is Control Link Status : Data Link Status

The status of Mobility Controller:
IP              Public IP       Link Status
------------------------------------------------
10.1.5.55       10.1.5.55       DOWN : DOWN
Configuring an MC on 5760 – two commands
5760 by default is an MC
5760-MC(config)#wireless mobility controller peer-group CiscoLive
5760-MC(config)#wireless mobility controller peer-group CiscoLive member ip 10.1.21.1 public-ip 10.1.21.1
5760-MC(config)#wireless management interface vlan 5
Apr 17 05:00:46.542: %LINEPROTO-5-UPDOWN: Line protocol on Interface Capwap0, changed state to down
Apr 17 05:00:46.544: %LINEPROTO-5-UPDOWN: Line protocol on Interface Capwap1, changed state to down
Apr 17 05:00:46.548: %LINK-3-UPDOWN: Interface Capwap0, changed state to up
Apr 17 05:00:46.555: %LINK-3-UPDOWN: Interface Capwap1, changed state to up
Apr 17 05:00:47.548: %LINEPROTO-5-UPDOWN: Line protocol on Interface Capwap0, changed state to up
Apr 17 05:00:47.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface Capwap1, changed state to up
Apr 17 05:01:03.002: %IOSXE-6-PLATFORM: 1 process wcm: *capwapPingSocketTask: %MM-6-MEMBER_UP:
Data path to mobility member 10.1.21.1 is UP.
To configure a 3850 as an MC – the following command must be entered first:
3850-MA(config)#wireless mobility controller
MC-MA tunnels up
5760-MC#sh wireless mobility summary

Mobility Controller Summary:
Mobility Role                           : Mobility Controller
Mobility Protocol Port                  : 16666
Mobility Group Name                     : default
Mobility Oracle                         : Disabled
Mobility Oracle IP Address              : 0.0.0.0
DTLS Mode                               : Enabled
Mobility Domain ID for 802.11r          : 0xac34
Mobility Keepalive Interval             : 10
Mobility Keepalive Count                : 3
Mobility Control Message DSCP Value     : 0
Mobility Domain Member Count            : 1
Link Status is Control Link Status : Data Link Status

Controllers configured in the Mobility Domain:
IP              Public IP       Group Name       Multicast IP     Link Status
-------------------------------------------------------------------------------
10.1.5.55       -               default          0.0.0.0          UP : UP

Switch Peer Group Name                  : CiscoLive
Switch Peer Group Member Count          : 1
Bridge Domain ID                        : 0
Multicast IP Address                    : 0.0.0.0
IP              Public IP       Link Status
--------------------------------------------------
10.1.21.1       10.1.21.1       UP : UP

3850-MA#show wireless mobility summary

Mobility Agent Summary:
Mobility Role                           : Mobility Agent
Mobility Protocol Port                  : 16666
Mobility Switch Peer Group Name         : CiscoLive
Multicast IP Address                    : 0.0.0.0
DTLS Mode                               : Enabled
Mobility Domain ID for 802.11r          : 0xac34
Mobility Keepalive Interval             : 10
Mobility Keepalive Count                : 3
Mobility Control Message DSCP Value     : 0
Switch Peer Group Members Configured    : 2
Link Status is Control Link Status : Data Link Status

The status of Mobility Controller:
IP              Public IP       Link Status
------------------------------------------------
10.1.5.55       10.1.5.55       UP : UP
Wireless QoS
IOS-XE QoS Advantage
 Hardware Accelerated
 Layer 2 – 7 Deep QoS
 Multi-Level Granular Decision
 Increased Buffer/Queue capacity
 Highly Scalable
 Simplified with MQC
[Diagram: QoS decision hierarchy – Per AP, Per Radio (2.4 GHz, 5 GHz), Per SSID (SSID 1 and SSID 2 on each radio),
Per Client, Per Application]
QoS – What’s New with Converged Access
Wired (Cat 3850)
• Modular QoS based CLI (MQC)
• Alignment with 4500E series
• Class-based Queueing, Policing, Shaping, Marking
• More Queues
  • Up to 2P6Q3T queuing capabilities
  • Standard 3750 provides 1P3Q3T
  • Not limited to 2 queue-sets
• Flexible MQC Provisioning abstracts queuing hardware
Wireless (Cat 3850 & CT 5760)
• Granular QoS control at the wireless edge
Tunnel termination allows customers to provide QoS treatment per
SSIDs, per-Clients and common treatment of wired and wireless
traffic throughout the network
• Enhanced Bandwidth Management
Approximate Fair Drop (AFD) Bandwidth Management ensures
fairness at Client, SSID and Radio levels for NRT traffic
• Wireless Specific Interface Control
Policing capabilities Per-SSID, Per-Client upstream and
downstream
AAA support for dynamic Client based QoS and Security policies
• Per SSID Bandwidth Management
QoS – What’s New with Converged Access
[Diagram: the same Wired / Wireless comparison (Alignment with 4500E series Sup6, Sup7) over a branch topology:
Prime and ISE in the DMZ, a WAN, a Catalyst 3850 as INTEGRATED CONTROLLER in the BRANCH serving Employee and
Guest SSIDs; Marking and Policing applied at the 3850]
Marking Policing
QoS – What’s New with Converged Access
With the CT 5760 or CAT 3850
Usage based fair allocation without configuration
[Diagram: an .11n AP with four clients, each allowed 5 mbps upstream***; Max bandwidth allowed:
54 – (4 * 5) = 34 Mbps]
QoS – What’s New with Converged Access
With the 3850
Bidirectional policing at the edge per-user, per-SSID and in Hardware
[Diagram: SSID: BYOD on the 3850]
• QoS policy on 3850 used to police each client bidirectionally
• Policy can be sent via AAA to provide specific per-client policy
• Allocate Bandwidth or police/shape SSID as a whole
QoS – What’s New with Converged Access
With the CT 5760 or CAT 3850
Wired (Cat 3850)
Deterministic bandwidth is allocated per SSID Wireless(Cat 3850 & CT 5760)
• Modular QoS based CLI • Granular QoS control at the wireless
• Alignment with 4500E series (Sup6, edge
10% BW Sup7) 90% BW Tunnel termination allows customers to provide QoS treatment per
SSIDs, per-Clients and common treatment of wired and wireless
traffic throughout the network

Class-based Queueing, Policing,
Guest Shaping, Marking Enterprise • Enhanced Bandwidth Management
• More Queues Approximate Fair Drop (AFD) Bandwidth Management ensures
fairness at Client, SSID and Radio levels for NRT traffic
• Up to 2P6Q3T queuing capabilities
• Standard 3750 provides 1P3Q3T • Wireless Specific Interface Control
Policing capabilities Per-SSID, Per-Client upstream and
• Not limited to 2 queue-sets
Deterministic BW downstream

• Flexible MQC Provisioning abstracts AAA support for dynamic Client based QoS and Security policies
queuing hardware
• Per SSID Bandwidth Management
QoS – What’s New with Converged Access
Wired (Cat 3850) Wireless(Cat 3850 & CT 5760)
• Modular QoS based CLI (MQC) • Granular QoS control at the wireless
edge
• Alignment with 4500E series (Sup6, Policy-map PER-PORT-POLICING
Tunnel termination allows customers to provide QoS
Sup7) Class VOIP treatment per SSIDs, per-Clients
set dscp ef
• Class-based Queueing, Policing, police 128000 conform-action transmit exceed-action drop
Class VIDEO• Enhanced Bandwidth Management
Shaping, Marking set dscp CS4 AFD Bandwidth Management ensures fairness at Client, SSID
police 384000 conform-action transmit
and Radio levels exceed-action
for NRT traffic drop
• More Queues Class SIGNALING
• Up to 2P6Q3T queuing capabilities • Wireless Specific Interface Control
set dscp cs3
police 32000 conform-action transmit exceed-action drop
Class TRANSACTIONAL-DATA
Policing capabilities Per-SSID, Per-Client upstream and
• Standard 3750 provides 1P3Q3T set dscp af21 downstream
Class class-defaultAAA support for dynamic Client based QoS and Security
• Not limited to 2 queue-sets set dscp default policies

• Flexible MQC Provisioning abstracts


queuing hardware • Per SSID bandwidth allocation
QoS Touch Points: Port, Radio, SSID, Client
What Features Apply at Each Level – Downstream (into a wired port, out of a wireless port)

Port
• Classification
• Policing
• Marking

SSID
• Classification
• Mutation*
• Policing
• Shaping* (shaped by default to the sum of the radios)
• Bandwidth
• Priority
Entire SSID is rate limited; AFD manages NRT traffic.

Radio*
• Shaped by default to 200Mbps or 400Mbps based on the max rate the radio can support; not configurable

Client
• Priority
• Police
• Bandwidth

Marking is based on table-map, not set.
Priority queues must be configured; they are not on by default.
NOTE: SSID policies are actually per AP or BSSID.
QoS Touch Points – Cisco Converged Access Deployment
Port, Radio, SSID, Client – What Features Apply at Each Level, Upstream (into a wireless port, out of a wired port)

Client
• Classification
• Policing
• Marking
Ingress Client policy: same structure as wired policies today.

SSID
• Classification
• Mutation*
• Policing
SSID policy can be used as an aggregation point.

Port
• Classification
• Marking
• Policing
• Shaping
• Bandwidth
• Priority
Upstream port queuing policy: up to 8 queues.


Converged Access Policy Enforcement
• Policy management is done in IOS and policy enforcement is done in hardware for both wired & wireless devices
• For wireless clients, WCM decides which policy is applied
• Client Roaming:
  • L3 roam: ACL policies are applied on the anchor switch
  • L2 roam: ACL policies are handed off to the new switch
• ACL types supported – Centralized and Distributed Policy
  • Per-User ACL: highly centralized group-to-policy
  • Downloadable ACL: optimized centralized group-to-policy. Group-specific ACLs are defined on the authentication server.
  • Redirect ACL: URL redirection
  • PACL, RACL, VACL: ACL for routed ports and MAC, ACL for IPv4 and IPv6 traffic, ACL for VLAN. Policy resides on the switch. Another distributed group-to-policy.
Downloadable ACL
[Diagram: ISE – Mobility Controller – Mobility Agents in a Peer Group – Managed AP]
1. Wireless Client requests Association
2. MA responds back with Association
3. WCM triggers IOS module to do authentication
4. Auth Manager starts authentication process for client with AAA server
5. AAA server responds with authentication success, with dACL name and version number in policy attributes
6. If switch has downloaded this dACL previously and has the current version, it uses the cached version
7. If switch does not have the current version, it queries the server for the latest dACL
Downloadable ACL cont.
• Downloadable ACL can be defined for both Wired and Wireless clients
• It provides network policy enforcement based on the user/device authorization profile
• dACL policy can be configured on the fly and gets pushed
Device Enrollment and Provisioning – Single SSID
[Diagram: ISE Policy server – Mobility Controller – Mobility Agents in a Peer Group – Managed AP with Corp SSID; steps shown: 1. Connect, 2. Enter username/password, 3. PEAP Authentication, 4. Server Authenticate, 5. URL-redirect, CoA]
1. Employee associates to BYOD-Secure SSID
2. Employee enters username and password
3. MA does PEAP authentication
4. Server authenticates
5. MA does client URL redirection
6. Device registration page loads & MAC gets prepopulated
7. Employee registers device
8. Supplicant provisioned and certificate installed
9. CoA occurs and supplicant authenticates using EAP-TLS
10. dVLAN, dACL, QoS policy for Employee pushed to MA
Device Enrollment and Provisioning – Dual SSID
[Diagram: ISE Policy server – Mobility Controller – Mobility Agents in a Peer Group – Managed AP with Open SSID; steps shown: 1. Connect, 2. URL redirect on MA, CoA]
1. User (Employee or Guest) associates to BYOD-Open SSID
2. User redirected to CWA guest portal
3. Based on credentials, user is redirected to guest or employee registration portal
4. MAC address pre-populated, user registers device
5. Supplicant gets provisioned & certificate installed
6. CoA occurs and supplicant re-authenticates using EAP-TLS
7. Corporate dVLAN, dACL, QoS policy for Employee pushed to MA
8. Guest in Guest VLAN, Internet-only ACL, Guest QoS
Device Enrollment Configuration
• Secure Corporate Access SSID
• Guest Access SSID
• Wired port Configuration
[Configuration screenshots]

Device Enrollment and Provisioning – Single SSID
• Authentication, Authorization and Accounting profile
• Dot1x enable
• Change of Authorization
• RADIUS server attributes 6, 8, 25 are the attributes for Service-Type, Framed-IP-Address and Class
• User connects to provisioning SSID and gets redirected to Guest Portal after launching browser
Converged Access WLC configurations - CLI

Access-List Configuration
ip access-list extended CWA_Redirect
deny icmp any any
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 192.168.159.32 eq 8443
permit tcp any any
WLC Troubleshooting (Debugging)

debug client mac-address <mac>


debug ip http all
debug ip admission all
debug access-session all
debug access-session feature spi all
debug access-session feature webauth all
debug aaa authentication
debug radius authentication
WLC Client Debugging (Sample Output)
*May 5 15:59:43.152: %IOSXE-7-PLATFORM: 1 process wcm: 286a.bae8.4406 Association received from mobile on AP 5087.89a4.bd60
*May 5 15:59:43.156: RADIUS(00000024): Send Access-Request to 192.168.159.32:1645 id 1645/34, len 245
*May 5 15:59:43.156: RADIUS: User-Name [1] 14 "286abae84406"
*May 5 15:59:43.156: RADIUS: Calling-Station-Id [31] 19 "28:6a:ba:e8:44:06"
*May 5 15:59:43.156: RADIUS: Called-Station-Id [30] 32 "50:87:89:a4:bd:60:clabrams_CWA"
*May 5 15:59:43.156: RADIUS: NAS-Port [5] 6 60000
*May 5 15:59:43.156: RADIUS: NAS-Port-Id [87] 3 "0"
*May 5 15:59:43.156: RADIUS: Vendor, Airespace [26] 12
*May 5 15:59:43.156: RADIUS: Airespace-WLAN-ID [1] 6 1
*May 5 15:59:43.156: RADIUS: Service-Type [6] 6 Call Check [10]
*May 5 15:59:43.156: RADIUS: Vendor, Cisco [26] 31
*May 5 15:59:43.156: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
*May 5 15:59:43.156: RADIUS: Framed-MTU [12] 6 1300
*May 5 15:59:43.156: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*May 5 15:59:43.157: RADIUS: Vendor, Cisco [26] 49
*May 5 15:59:43.157: RADIUS: Cisco AVpair [1] 43 "audit-session-id=c0a89f0b5548e8ef00000024"
*May 5 15:59:43.157: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*May 5 15:59:43.157: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*May 5 15:59:43.157: RADIUS: Tunnel-Private-Group[81] 5 "259"
*May 5 15:59:43.157: RADIUS: User-Password [2] 18 *
*May 5 15:59:43.157: RADIUS: NAS-IP-Address [4] 6 192.168.159.11
******************************************************************Output Omitted****************************************************************************

Full Debug of session can be found below


WLC Client Debugging (cont.)
*May 5 15:59:43.186: RADIUS: Received from id 1645/34 192.168.159.32:1645, Access-Accept, len 393
*May 5 15:59:43.186: RADIUS: authenticator 8E D5 1D E4 2E 47 1C 2B - 7C 65 63 04 24 D4 8C 6B
*May 5 15:59:43.186: RADIUS: User-Name [1] 19 "28-6A-BA-E8-44-06"
*May 5 15:59:43.186: RADIUS: State [24] 40
*May 5 15:59:43.186: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 63 30 [ReauthSession:c0]
*May 5 15:59:43.186: RADIUS: 61 38 39 66 30 62 35 35 34 38 65 38 65 66 30 30 [a89f0b5548e8ef00]
*May 5 15:59:43.186: RADIUS: 30 30 30 30 32 34 [ 000024]
*May 5 15:59:43.186: RADIUS: Class [25] 54
*May 5 15:59:43.186: RADIUS: 43 41 43 53 3A 63 30 61 38 39 66 30 62 35 35 34 [CACS:c0a89f0b554]
*May 5 15:59:43.186: RADIUS: 38 65 38 65 66 30 30 30 30 30 30 32 34 3A 63 6C [8e8ef00000024:cl]
*May 5 15:59:43.186: RADIUS: 61 62 72 61 6D 73 2F 32 31 37 37 39 34 33 33 37 [abrams/217794337]
*May 5 15:59:43.187: RADIUS: 2F 31 33 30 [ /130]
*May 5 15:59:43.187: RADIUS: Vendor, Cisco [26] 37
*May 5 15:59:43.187: RADIUS: Cisco AVpair [1] 31 "url-redirect-acl=CWA_Redirect"
*May 5 15:59:43.187: RADIUS: Vendor, Cisco [26] 192
*May 5 15:59:43.187: RADIUS: Cisco AVpair [1] 186 "url-redirect=https://192.168.159.32:8443/portal/gateway?sessionId=c0a89f0b5548e8ef00000024&portal=c8492fa0-f010-11e4-bdd6-005056a170c6&action=cwa&token=84f66371407c6c01b95cceaa22b7a84d"
*May 5 15:59:43.187: RADIUS: Vendor, Cisco [26] 31
*May 5 15:59:43.187: RADIUS: Cisco AVpair [1] 25 "profile-name=Apple-iPad"


Web Auth Typical Problems Encountered
• Layer 2 type issues
  • Are the WLC and ISE aware of each other as network devices?
  • Do the devices have network connectivity?
  • Do shared secret keys match?
  • Does ISE send back “Access-Accept” or “Access-Reject”?
• Layer 3 type issues
  • Does the client get DHCP after Authentication?
  • Is DHCP server reachable?
  • Does the Pre-Auth ACL allow DHCP?
  • Is the client able to resolve DNS?
  • Is DNS blocked by the ACL?
  • Is the ISE server reachable from the client’s VLAN?
  • Is it blocked by the ACL?
  • Is port 8443 blocked by the ACL?
  • Is there accidentally a “Permit-Any” statement at the end of the ACL?
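To tie the CWA_Redirect ACL configured above to the Access-Accept in the debug output and to the Layer 3 checklist, here is an added example in Python (not from the original deck): it extracts url-redirect-acl and url-redirect from the Cisco AVpairs and evaluates the ACL the way a Converged Access redirect ACL is interpreted (deny = passes through untouched, permit = redirected to the portal) for DHCP, DNS, the ISE portal on 8443 and ordinary web traffic. The DNS server address and the web destination are constructed values, and the ACL parser handles only the syntax used on the slide.

```python
"""Cross-check a CWA Access-Accept against the redirect ACL it names (added example,
not from the original deck; debug lines and ACL copied from the slides, DNS server
and web destination constructed)."""
import re
from urllib.parse import urlparse

# Two Cisco AVpairs taken from the Access-Accept in the debug output.
DEBUG_LINES = [
    '*May 5 15:59:43.187: RADIUS: Cisco AVpair [1] 31 "url-redirect-acl=CWA_Redirect"',
    '*May 5 15:59:43.187: RADIUS: Cisco AVpair [1] 186 "url-redirect=https://192.168.159.32:8443'
    '/portal/gateway?sessionId=c0a89f0b5548e8ef00000024&portal=c8492fa0-f010-11e4-bdd6-'
    '005056a170c6&action=cwa&token=84f66371407c6c01b95cceaa22b7a84d"',
]

# Redirect ACL as configured on the WLC: "deny" = flow left alone, "permit" = redirected.
ACL_TEXT = """
ip access-list extended CWA_Redirect
 deny icmp any any
 deny udp any any eq bootps
 deny udp any any eq bootpc
 deny udp any any eq domain
 deny tcp any host 192.168.159.32 eq 8443
 permit tcp any any
"""

# Constructed failure mode behind "Is port 8443 blocked by the ACL?": the portal
# exemption is missing, so traffic to the portal itself would be redirected (a loop).
BROKEN_ACL_TEXT = ACL_TEXT.replace(" deny tcp any host 192.168.159.32 eq 8443\n", "")

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^=]+)=([^"]*)"')


def parse_avpairs(lines):
    """Return {attribute: value} for every Cisco AVpair in the debug lines."""
    pairs = {}
    for line in lines:
        m = AVPAIR_RE.search(line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def _address(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (address, next index)."""
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i], i + 1


def parse_acl(text):
    """Parse an IOS extended ACL into (name, [(action, proto, dst, dst_port)])."""
    name, entries = None, []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        action, proto = tokens[0], tokens[1]
        _src, i = _address(tokens, 2)          # source is not used in the checks
        dst, i = _address(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            p = tokens[i + 1]
            port = int(p) if p.isdigit() else PORT_NAMES[p]
        entries.append((action, proto, dst, port))
    return name, entries


def acl_action(entries, proto, dst_ip, dst_port):
    """First-match evaluation, with the IOS implicit deny at the end."""
    for action, p, dst, port in entries:
        if p != proto or (dst != "any" and dst != dst_ip):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


def is_redirected(entries, proto, dst_ip, dst_port):
    """permit == redirected to the portal; deny == passes through untouched."""
    return acl_action(entries, proto, dst_ip, dst_port) == "permit"


def check_cwa(debug_lines, acl_text, dns_server="192.168.159.5"):
    """Run the Layer 3 checklist against the ACL named in the Access-Accept."""
    pairs = parse_avpairs(debug_lines)
    acl_name, entries = parse_acl(acl_text)
    portal = urlparse(pairs["url-redirect"])
    return {
        "acl_name_matches": pairs.get("url-redirect-acl") == acl_name,
        "dhcp_bypassed": not is_redirected(entries, "udp", "255.255.255.255", 67),
        "dns_bypassed": not is_redirected(entries, "udp", dns_server, 53),
        "portal_bypassed": not is_redirected(entries, "tcp", portal.hostname, portal.port or 443),
        "web_redirected": is_redirected(entries, "tcp", "203.0.113.10", 80),
    }


if __name__ == "__main__":
    print("configured ACL:", check_cwa(DEBUG_LINES, ACL_TEXT))
    print("missing 8443 exemption:", check_cwa(DEBUG_LINES, BROKEN_ACL_TEXT))
```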
Prepare?
Test Taking Tips
Preparing for the exam – Overall
• Use the latest blueprints on CLN to determine your experience and knowledge level in
the major topic areas
• https://learningnetwork.cisco.com/community/certifications/ccie_wireless/written-exam-v3
• https://learningnetwork.cisco.com/community/certifications/ccie_wireless/lab-exam-v3

• For weak areas, look for reading material, training, boot camps, etc
• For strength areas, practice speed!
• Note the reading list materials are suggestions only
• Do not study for the Qualification Exam and the lab at the same time. The written test
stresses networking theory more than configuration skills!
• Beware of rumors!
Test Taking Tips
Preparing for the exam – Lab Exam
• Hands-On practice is a must, find equipment!

• Break and fix! Learn show and debug commands


• Go beyond the basics, practice additional features
• Know the Product Pages (former Cisco documentation CD)
• In general the test is based on Best Practices, but realize our primary goal is to validate
knowledge!
• If a protocol has multiple ways of configuring a feature, practice all of them. During the
lab specific requirements and restrictions will be laid out in the question.
• Speed is vital on the exam; be prepared to configure the basics blindfolded and at
lightning speed.
• Bootcamps?
Test Taking Tips
Lab exam test taking strategy
• Read the general guidelines of the exam. It contains crucial information with regards to
passwords, do’s and don’ts in the exam, etc
• Read the entire exam before you start
• Redraw – study the exam topology
• Make sure to meet ALL requirements and restrictions within each question.
• Realize there is NO partial marking!
• Ask the proctor for clarification in case of doubt
• Make Notes - Check List
• Time Management – You do not need to score%
• Lab troubleshooting (10 minute rule)
• Do not make any drastic changes in the last half hour of the exam!
Test Taking Tips
Lab exam test taking strategy cont’d.
• Test your configuration! You only get credit for working solutions! Choose the appropriate
verification option for each question.
• Show CMD – debug output – Client PC – other
[Diagram: HQ site with WLC1 – WLC2, RO site with WLC3, 2.4 GHz client anchored across the mobility group]
(WLC-1) >config 802.11b disable network
(WLC-2) >config 802.11b disable network
(WLC-3) >show client summary
(WLC-3) >show client detail 00:15:6d:84:95:50
Client State...................... Associated
IP address........................ X.X.X.X
Mobility State.................... Export Anchor
Mobility Foreign IP Address....... X.X.X.X
Policy Manager State.............. RUN
Access VLAN....................... 137
Preparation Resources
Information Resources
Blueprint, Equipment List, SW List, Reading list, etc.
https://learningnetwork.cisco.com/community/certifications/ccie_wireless/written-exam-v3
Cisco Product Pages (former Cisco Documentation CD)
http://www.cisco.com/web/psa/products/index.html
CCIE Customer support and FAQ
http://www.cisco.com/go/certsupport
Ask-the-experts forum
https://supportforums.cisco.com/community/4931/wireless-mobility
CCIE blog
https://learningnetwork.cisco.com/blogs/certifications-and-labs-delivery
Preparation Resources
www.ciscopress.com
Thank you
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could Be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle
• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Internet of Things (IoT) Cisco Education Offerings
Course (Cisco Certification): Description
• NEW! CCNA Industrial (CCNA® Industrial): An associate level instructor led training course designed to prepare you for the CCNA Industrial certification
• Managing Industrial Networks with Cisco Networking Technologies (IMINS) (Cisco Industrial Networking Specialist): This curriculum addresses foundational skills needed to manage and administer networked industrial control systems. It provides plant administrators, control system engineers and traditional network engineers with an understanding of the networking technologies needed in today's connected plants and enterprises
• Control Systems Fundamentals for Industrial Networking (ICINS): For IT and Network Engineers, covers basic concepts in Industrial Control systems including an introduction to automation industry verticals, automation environment and an overview of industrial control networks
• Networking Fundamentals for Industrial Control Systems (INICS): For Industrial Engineers and Control System Technicians, covers basic IP and networking concepts, and introductory overview of Automation industry Protocols.
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
Business Transformation Cisco Education Offerings
Course (Cisco Certification): Description
For IT and Network Professionals:
• Building Business Specialist Skills (Cisco Enterprise IT Business Specialist): Builds non-technical skills key to ensure business impact and influence. Topics include: business analysis, finance, technology adoption and effective communications. Bridges IT and business impacts of mature and emerging solutions including cloud plus Internet of Everything
For Technology Sellers:
• Applying Cisco Specialized Business Value Analysis Skills (Cisco Business Value Specialist): Builds skills to discover and address technology needs using a business-focused, consultative sales approach
• Executing Advanced Cisco Business Value Analysis and Design Techniques (Cisco Certified Business Value Practitioner): Enables customer transformation through business architecture and solution selling expertise
• Performing Cisco Business-Focused Transformative Architecture Engagements (Cisco Transformative Architecture Specialist): Provides skills and an approach to build a strategic roadmap of IT initiatives, aligned to business priorities
Security Cisco Education Offerings
Course (Cisco Certification): Description
• Implementing Cisco IOS Network Security (IINS) (CCNA® Security): Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features
• Implementing Cisco Edge Network Security Solutions (SENSS): Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
• Implementing Cisco Threat Control Solutions (SITCS): Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security
• Implementing Cisco Secure Access Solutions (SISAS): Deploy Cisco’s Identity Services Engine and 802.1X secure network access
• Implementing Cisco Secure Mobility Solutions (SIMOS): Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions
• Securing Cisco Networks with Threat Detection and Analysis (SCYBER) (Cisco Cybersecurity Specialist): Designed for professional security analysts, the course covers essential areas of competency including event monitoring, security event/alarm/traffic analysis, and incident response
• Network Security Product and Solutions Training: For official product training on Cisco’s latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances see www.cisco.com/go/securitytraining
R&S Related Cisco Education Offerings
Course (Cisco Certification): Description
• CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs (CCIE® Routing & Switching): Expert level trainings including: instructor led workshops, self assessments, practice labs and CCIE Lab Builder to prepare candidates for the CCIE R&S practical exam.
• Implementing Cisco IP Routing v2.0; Implementing Cisco IP Switched Networks v2.0; Troubleshooting and Maintaining Cisco IP Networks v2.0 (CCNP® Routing & Switching): Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study eLearning formats with Cisco Learning Labs.
• Interconnecting Cisco Networking Devices: Part 2 (or combined) (CCNA® Routing & Switching): Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study eLearning format with Cisco Learning Lab.
• Interconnecting Cisco Networking Devices: Part 1 (CCENT® Routing & Switching): Installation, configuration, and basic support of a branch network. Also available in self study eLearning format with Cisco Learning Lab.
Wireless Cisco Education Offerings
Course (Cisco Certification): Description
• Conducting Cisco Unified Wireless Site Survey; Implementing Cisco Unified Wireless Voice Networks; Implementing Cisco Unified Wireless Mobility Services; Implementing Cisco Unified Wireless Security Services (CCNP® Wireless): Professional level instructor led trainings to prepare candidates to conduct site surveys, implement, configure and support APs and controllers in converged Enterprise networks. Focused on 802.11 and related technologies to deploy voice networks, mobility services, and wireless security.
• Implementing Cisco Unified Wireless Network Essential (CCNA® Wireless): Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in Enterprise installations.
Design Cisco Education Offerings
Course (Cisco Certification): Description
• Designing Cisco Network Service Architectures (ARCH) (CCDP® Design Professional): Provides learner with the ability to perform conceptual, intermediate, and detailed design of a network infrastructure that supports desired capacity, performance, availability required for converged Enterprise network services and applications.
• Designing for Cisco Internetwork Solutions (DESGN) (CCDA® Design Associate): Instructor led training focused on fundamental design methodologies used to determine requirements for network performance, security, voice, and wireless solutions. Prepares candidates for the CCDA certification exam.
Service Provider Cisco Education Offerings
Course (Cisco Certification): Description
• Deploying Cisco Service Provider Network Routing (SPROUTE) & Advanced (SPADVROUTE); Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE); Edge Network Services (SPEDGE) (CCNP Service Provider®): SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and HA routing features; SPADVROUTE covers advanced routing topics in BGP, multicast services including PIM-SM, and IPv6; SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering, QoS mechanisms, and transport technologies; SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services; all within SP IP NGN environments.
• Building Cisco Service Provider Next-Generation Networks, Part 1&2 (SPNGN1, SPNGN2) (CCNA Service Provider®): The two courses introduce networking technologies and solutions, including OSI and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network management, and Cisco OS (IOS and IOS XR).
• Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS); Implementing Cisco Service Provider Mobility CDMA Networks (SPCDMA); Implementing Cisco Service Provider Mobility LTE Networks (SPLTE) (Cisco Service Provider Mobility CDMA to LTE Specialist; Cisco Service Provider Mobility UMTS to LTE Specialist): The three courses (SPUMTS, SPCDMA, SPLTE) cover knowledge and skills required to understand products, technologies, and architectures that are found in Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Access (CDMA) packet core networks, plus their migration to Long-Term Evolution (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and Radio Access Networks (RANs).
• Implementing and Maintaining Cisco Technologies Using IOS XR (IMTXR) (Cisco IOS XR Specialist): Service Provider/Enterprise engineers to implement, verification-test, and optimize core/edge technologies in a Cisco IOS XR environment.
Collaboration Cisco Education Offerings
Course (Cisco Certification): Description
• CCIE Collaboration Advanced Workshop (CIEC) (CCIE® Collaboration): Gain expert-level skills to integrate, configure, and troubleshoot complex collaboration networks
• Implementing Cisco Collaboration Applications (CAPPS) (CCNP® Collaboration): Understand how to implement the full suite of Cisco collaboration applications including Jabber, Cisco Unified IM and Presence, and Cisco Unity Connection.
• Implementing Cisco IP Telephony and Video Part 1 (CIPTV1) (CCNP® Collaboration): Learn how to implement Cisco Unified Communications Manager, CUBE, and audio and videoconferences in a single-site voice and video network.
• Implementing Cisco IP Telephony and Video Part 2 (CIPTV2): Obtain the skills to implement Cisco Unified Communications Manager in a modern, multisite collaboration environment.
• Troubleshooting Cisco IP Telephony and Video (CTCOLLAB): Troubleshoot complex integrated voice and video infrastructures
• Implementing Cisco Collaboration Devices (CICD) (CCNA® Collaboration): Acquire a basic understanding of collaboration technologies like Cisco Call Manager and Cisco Unified Communications Manager.
• Implementing Cisco Video Network Devices (CIVND): Learn how to evaluate requirements for video deployments, and implement Cisco Collaboration endpoints in converged Cisco infrastructures.
Data Center / Virtualization Cisco Education Offerings
Course (Cisco Certification): Description
• Cisco Data Center CCIE Unified Fabric Workshop (DCXUF); Cisco Data Center CCIE Unified Computing Workshop (DCXUC) (CCIE® Data Center): Prepare for your CCIE Data Center practical exam with hands on lab exercises running on a dedicated comprehensive topology
• Implementing Cisco Data Center Unified Fabric (DCUFI); Implementing Cisco Data Center Unified Computing (DCUCI) (CCNP® Data Center): Obtain the skills to deploy complex virtualized Data Center Fabric and Computing environments with Nexus and Cisco UCS.
• Introducing Cisco Data Center Networking (DCICN); Introducing Cisco Data Center Technologies (DCICT) (CCNA® Data Center): Learn basic data center technologies and how to build a data center infrastructure.
• Product Training Portfolio: DCAC9k, DCINX9k, DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K: Get a deep understanding of the Cisco data center product line including the Cisco Nexus9K in ACI and NexusOS modes
Network Programmability Cisco Education Offerings
Course (Cisco Certification): Description
• Integrating Business Applications with Network Programmability (NIPBA); Integrating Business Applications with Network Programmability for Cisco ACI (NPIBAACI) (Cisco Business Application Engineer Specialist Certification): Learn networking concepts, and how to deploy and troubleshoot programmable network architectures with these self-paced courses.
• Developing with Cisco Network Programmability (NPDEV); Developing with Cisco Network Programmability for Cisco ACI (NPDEVACI) (Cisco Network Programmability Developer Specialist Certification): Learn how to build applications for network environments and effectively bridge the gap between IT professionals and software developers.
• Designing with Cisco Network Programmability (NPDES); Designing with Cisco Network Programmability for Cisco ACI (NPDESACI) (Cisco Network Programmability Design Specialist Certification): Learn how to expand your skill set from traditional IT infrastructure to application integration through programmability.
• Implementing Cisco Network Programmability (NPENG); Implementing Cisco Network Programmability for Cisco ACI (NPENGACI) (Cisco Network Programmability Engineer Specialist Certification): Learn how to implement and troubleshoot open IT infrastructure technologies.
Cloud Cisco Education Offerings
Course (Cisco Certification): Description
• Designing the FlexPod Solution (FPDESIGN); Implementing and Administering the FlexPod Solution (FPIMPADM) (FlexPod Design Specialist; FlexPod Implementation & Administration Specialist): Learn how to design, implement and administer FlexPod solutions
• UCS Director (UCSDF): Learn how to manage physical and virtual infrastructure using orchestration and automation functions of UCS Director.
• Cisco Prime Service Catalog: Learn how to deliver data center, workplace, and application services in an on-demand, automated, and repeatable method.
• Cisco Intercloud Fabric: Learn how to implement end-to-end hybrid clouds with Intercloud Fabric for Business and Intercloud Fabric for Providers.
• Cisco Intelligent Automation for Cloud: Learn how to implement and manage cloud deployments with Cisco Intelligent Automation for Cloud
