© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Global Sales Training
Agenda
Lab Topology
[Topology diagram. Labels recoverable from the figure; X = POD number:]
Internet, NAT Router, ESXi running VMs
DNAC 10.10.105.30; ISE 10.10.105.35
POD1-C9800 10.10.10.3 ... POD10-C9800 10.10.100.3
CORE-SW-3850: VLAN10: 10.10.10.1, VLAN100: 10.10.100.1, VLAN105: 10.10.105.1
Sw1, Sw2; Gig1/0/2; Gig1/0/8 Trunk; Port 1
WLC-3504 Anchor: MGMT = 10.10.200.3, VLAN 200
Per pod: PODX-AP1915 (Gi0), SSIDs #PODX and #PODX-Guest
PODs IP addressing Scheme
IP addressing
Devices | VLAN ID | IP address/URL | Gateway | User Name/PW | Password/Enable
DHCP server PodX | X0 | 10.10.X0.1 | 10.10.X0.1 | N/A | N/A
PodX C9800 | X0 | 10.10.X0.3 | 10.10.X0.1 | admin/Cisco123 | Cisco123
ISE 2.3 | 105 | 10.10.105.35 | 10.10.105.1 | admin | Public123!
You will obtain an IP address from VLAN 200 (10.10.200.0/24 subnet), and can then access your respective POD network (10.10.X0.0/24).
*Please use your own device for wireless connectivity.
The Lab is divided into different sections with step by step configurations and sections for reference as indicated.
POD1 POD2 POD3 POD4 POD5 POD6 POD7 POD8 POD9 POD10
Please DO NOT change any settings and configurations unless instructed in the Lab Exercise.
Please follow the Lab guide to complete the exercises. If you have any questions or issues, feel free to ask or consult your lab proctors.
Save your configurations as you proceed with the Lab Exercises so as not to lose configs in case of a crash or outage.
Exercise 1:
Catalyst Wireless Controller New Configuration Model TASKS
1) Configuring 802.1x WLAN with Wireless Basic Workflow
2) Configuring Webauth Guest WLAN with Wireless Advanced Workflow
Task 1 Adding AAA for Radius/802.1x authentication
Step 1: Log in to the WLC (WLC9800) at https://10.10.X0.3 (admin/Cisco123), where X is the POD number.
From the WLC main menu go to Configuration > AAA > +AAA Wizard and configure the following:
Server: Name = ISE, Server Address = 10.10.105.35, Shared Secret = cisco, then click Next
Server Group Association: Name = ISE-Server-Group. From Available Servers select ISE, click ‘>’ to move it to the assigned list, and click Next
MAP AAA: Select Authentication. For Method List Name enter ISE-ML, Type = dot1x. Under Available Server Groups select ISE-Server-Group, then click Apply to Device
For Authorization, select Type = network. Under Available Server Groups select ISE-Server-Group, then click the Apply to Device button
Configuring 802.1x WLAN with Wireless Basic Workflow
Step 1: From the WLC page top-right menu, click on the Wireless Wizard icon and select Basic Wireless setup.
Step 2: To start configuring the basic wireless setup, click ‘Add’.
Step 3: Under General configure the following:
Location Name as “pod-site”; the description can be any name
Location Type (whether it is local or Flex/remote site); we are configuring a Local/Central site, so choose Local
Leave the Client density as Typical (user can choose low, typical or high)
Step 4: Next, we need to create the WLAN for this location. In the Wireless Network tab, click +Add, then click on Define new.
Step 5: Create Profile Name and SSID as #PODX (where X is the pod number) and enable status.
Step 6: Check Security > Layer2 > Security Mode = WPA + WPA2 and Auth Key Mgmt = 802.1x.
Go to tab AAA and select ISE-ML from Authentication List, then click Apply to Device.
Step 7: Make sure your #PODx WLAN is selected. Under Policy Details select Management VLAN = VLAN00x0.
Then click the check Add button to continue.
Similarly, go to Configuration > Policy and verify that the tag for policy profile name pod-site_WLANID_1 is tied to pod-site_#PodX.
Also verify that the site tag under Configuration > Tags > Site > Pod-site has Name and AP Join Profile set to Pod-site, which we created from the wizard.
As this is a Central Site, i.e. APs operating in local mode, the ‘Enable Local Site’ box shows Enabled.
Client Connect to Pod-SSID:
Connect a client to the SSID PODX (username = podx / password = Cisco123); the user should get an IP address from VLAN105 (select your Management VLAN) (10.10.x0.xxx).
Go to the WLC Monitoring > Clients page and click on the client to verify the Policy profile is pod-site_WLANID_1.
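Task 1 builds a chain of references: RADIUS server, server group, dot1x method list, and the WLAN's authentication list. The following Python check walks that chain in a saved configuration and reports any link that does not resolve. It is an added example, not part of the original lab guide or Cisco's own code; the running-config excerpt is constructed, and its CLI rendering of the wizard settings (including the 1812/1813 ports) is an assumption.

```python
import re

# Constructed running-config excerpt (not captured from a device). Names and
# addresses follow the Task 1 values for POD1; the CLI rendering is an assumption.
SAMPLE_CONFIG = """\
radius server ISE
 address ipv4 10.10.105.35 auth-port 1812 acct-port 1813
 key cisco
aaa group server radius ISE-Server-Group
 server name ISE
aaa authentication dot1x ISE-ML group ISE-Server-Group
wlan #POD1 1 #POD1
 security dot1x authentication-list ISE-ML
 no shutdown
"""

def parse_sections(text):
    """Map each top-level config line to its indented child lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit_dot1x_chain(text):
    """Return findings where a WLAN's 802.1x list does not resolve to a RADIUS server."""
    sec = parse_sections(text)
    servers = {h.split()[2] for h in sec if h.startswith("radius server ")}
    groups = {h.split()[4]: [c.split()[2] for c in body if c.startswith("server name ")]
              for h, body in sec.items() if h.startswith("aaa group server radius ")}
    lists = {m.group(1): re.findall(r"group (\S+)", m.group(2))
             for m in (re.match(r"aaa authentication dot1x (\S+) (.*)", h) for h in sec) if m}
    findings = []
    for h, body in sec.items():
        if not h.startswith("wlan ") or "no security wpa akm dot1x" in body:
            continue  # not a WLAN, or 802.1x key management is disabled on it
        name = h.split()[1]
        refs = [c.split()[-1] for c in body if c.startswith("security dot1x authentication-list ")]
        if not refs:
            findings.append(f"{name}: no dot1x authentication list")
        for ml in refs:
            if ml not in lists:
                findings.append(f"{name}: method list {ml} is not defined")
            for g in lists.get(ml, []):
                if not any(s in servers for s in groups.get(g, [])):
                    findings.append(f"{name}: group {g} has no defined RADIUS server")
    return findings
```

An empty list from audit_dot1x_chain(SAMPLE_CONFIG) means every link in the chain resolves; a mistyped method list or server name shows up as a finding naming the WLAN.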
Task 2 Configuring Webauth Guest WLAN with Wireless Advanced Workflow
Step 1: Log in to C9800 PODx at http://10.10.X0.3 (admin/Cisco123), click on the Wireless Wizard icon and select the Advanced option (x is POD #).
Click on Start Now > WLAN Profile, then click on the button.
Step 2: Create Profile Name and SSID with naming convention #PODX-Guest and enable the status. From the Security tab set Layer 2 security to ‘None’ and click Save & Apply to Device.
Step 3: Navigate to policy profile and click on to configure a guest policy profile by naming it ‘guest-policy-profile’.
Enable the Status and make sure Central Switching, Central Auth, Central DHCP, Central Association are Enabled (Checked).
Move to the Access Policy tab and from VLAN/VLAN Group select VLAN 105 (all PODs) – Guest.
Click Save & Apply to Device.
Step 4: Navigate to policy Tag and click on Edit.
Click on pod-site that has already been created and click on +Add in order to add Guest SSID and WLAN Profile.
Step 5: To configure Local Web Auth, navigate to Configuration > Security > Web Auth and click on Global, which is created by default. Create the Banner Text that you want shown when a client connects to the SSID and hit Apply. You can also create a different Parameter Map Name by clicking on Add.
Step 6: Navigate to Configuration > AAA and click on Authentication to add a login Authentication method as shown below
Step 7: Navigate back to WLAN Profile. Select the Guest SSID, click on Security > Layer 3 and map the Webauth Parameter Map as ‘global’, which we modified in the previous step.
Step 8: Navigate to Administration > User administration and click on ADD to create a username and password (Cisco123) for Local webauth
Step 9: Connect a client to the Guest WLAN using the credentials created and verify that the default banner Cisco Systems is displayed on your client device.
guest
Cisco123
Exercise 2
FlexConnect - Configure 802.1x WLAN for
Central Authentication, Local Switching
Step 1: Navigate to Wireless Advanced Workflow and click on WLAN Profile in order to create a new WLAN for Flex Exercise.
Select WLAN Profile Name as PODx-Flex and enable Status as shown below.
Click on Policy Profile and click on Add
Step 2: From Policy profile, select the policy profile name and appropriate VLAN as shown below
Step 3: From Wireless Advanced Setup Work flow, Navigate to Policy Tags to add a new Policy Tag for Flex.
Select Policy Tag name and click on Add to map Flex SSID created and policy Profile created to the appropriate Flex SSID
Step 4: From Advanced Wireless Flow navigate to Flex Profile and click on Add to create Flex profile with appropriate settings.
Step 5: From Advanced Wireless Work Flow navigate to Site Tag and click on Add.
Select Site Tag Name/description and uncheck the Enable Local Site check box to be able to select Flex Profile as shown below
Step 6: You have finished with creating Policy, Site and RF Tags.
Next Step is to attach these Tags to the APs and push the configuration to the APs
Basic Wireless Setup for FlexConnect For reference Only – ANO way
Step 1: Navigate to Configuration>Basic and click on Add in order to create a new site for FlexConnect
Step 2: Define location and select Flex for location Type.
Step 3: Click on Wireless Network and create a WLAN by clicking on define now.
Select appropriate VLAN and switching method as shown below
Step 4: Click on AP provisioning and select appropriate Access points to be added to Remote site.
Exercise 3
RRM/ RF Profile
RRM Parameter adjustments
(1) Navigate to Configuration > RRM. Set appropriate trap thresholds for your environment and adjust monitor intervals (defaults are sufficient).
(2) Repeat Steps for 2.4 GHz band
(3) Click on Coverage. Enable/Disable Global Coverage Hole Detection. Default values are fine.
(4) Repeat Steps for 2.4 GHz band
(5) Click on DCA. Choose DCA operational mode. Select DCA operating channels
(6) Repeat steps for 2.4 GHz band
(7) Click on TPC. Choose TPC operational mode and set your TPC threshold value.
(8) Repeat steps for 2.4 GHz band.
(9) Click on RF Grouping. Choose operational mode and identify Current RF group leader and Group members.
(10) Repeat steps for 2.4 GHz band.
Exercise 4
AVC/ QoS
Configuring Application Visibility(AV) on WLC
Step 1: From the C9800 main menu go to Configuration > Services > Application Visibility
Step 2: User can see the Available Profiles and select the one on which to enable the AVC.
Select the pod-site_WLANID_1 profile and enable it.
Then click Apply
Step 3: Now connect a client to the #PODx SSID and pass traffic by browsing to different sites. Wait a few seconds and then go to the C9800 main menu Monitor > Application Visibility.
Step 4: The page will show a graphical view of the overall apps running on the network.
User can filter it per SSID, direction and time (up to 48 hrs.).
User can see the apps which clients are accessing.
Step 5: Similarly, if the user wants to view per-client AV stats, click on the Clients tab, select the client and click on the View Application Details button.
This will show all the apps usage in a %-based pie chart and in tabular format.
Applying Application Visibility and Control (AVC) through QoS
Step 1: If the user wants to control the applications (Mark, Drop or Rate limit) or the traffic, AVC can be configured.
In this exercise we will create a QoS policy to drop the YouTube application.
Go to Configuration > Services > QoS
Click on Add button and it will take you to QoS policy page.
Step 2: Configure the ‘Policy Name’ as pod#-QoS.
Click Add Class-Maps then from AVC/User Defined select AVC and check Drop box to mark the traffic to be dropped.
Match Type = protocol. From the Available Protocol(s) Select YouTube** and Twitter as dropped, then click Save
Select the profile on which user wants to apply this QoS policy, pod-site_WLANID_1 and click Save & Apply to Device
Step 3 Verification: Connect a client to the SSID #PODX and try accessing different sites, e.g. cisco.com, and also try accessing YouTube or Twitter.
The client should be able to browse to all sites except YouTube or Twitter, which are marked to be dropped in the QoS policy.
PROCTOR NOTES
CLEAN UP WLC