Cisco: 2022 Enterprise Wireless Solutions - Intuitive Wi-Fi starts here (English edition, 188 pages)
Cisco Enterprise Wireless: Intuitive Wi-Fi starts here (2nd edition)

Contents

Preface
- Authors
- Acknowledgments
- Organization of this book
- Intended audience
- Book writing methodology
- What is new in this edition of the book?
Introduction
- Intent-based networking
- Introducing Cisco IOS XE for Cisco Catalyst wireless
- Benefits of Cisco IOS XE
- Cisco wireless portfolio
Infrastructure components
- Introduction
- Deployment mode flexibility
- Resiliency in wireless networks
- Wireless network automation
- Programmability
Radio excellence
- Introduction
- 802.11ax/Wi-Fi 6
- High density experience (HDX)
Hardware innovations
- Introduction
- Dual 5 GHz radio
- Modularity
- Multigigabit
- CleanAir-SAgE
- RF ASIC - software defined radio
- Innovative AP deployment solutions
Infrastructure security
- Introduction
- Securing the network
- Securing the air
- Encrypted Traffic Analytics (ETA)
- WPA3
Policy
- Introduction
- Security policy
- QoS policy
Analytics
- Introduction
- Enhanced experience through partnerships
- Cisco DNA Center wireless assurance
- Cisco location technology explained
- Cisco DNA Spaces
Migrating to Catalyst 9800
- The Catalyst 9800 configuration model
- Configuration conversion tools
- Inter-Release Controller Mobility (IRCM)
Summary
- The next generation of wireless
- References
- Acronyms
- Further reading

Preface

Authors

In May 2018, a group of engineers from diverse backgrounds and geographies gathered together in San Jose, California in an intense week-long collaborative effort to write about their common passion, enterprise wireless networks. This book is a result of that effort.

- Aparajita Sood - Technical Marketing
- Damodar Banodkar - Product Management
- Frederick Niehaus - Technical Marketing
- Jake Fussell - Customer Experience
- Jerome Henry - Technical Marketing
- Jim Florwick - Technical Marketing
- Paul Nguyen - Technical Marketing
- Rajat Tayal - Technical Marketing
- Simone Arena - Technical Marketing
- Sujit Ghosh - Technical Marketing
- Vishal Desai - Engineering

In April 2019 a further group of engineers came together to produce an update to this book. The results of that update are what you hold in your hands! The following engineers worked on this revised and updated version:

- Ali Ali - Technical Marketing
- Aparajita Sood - Technical Marketing
- Bill Rubino - Marketing
- Dave Zacks - Technical Marketing
- Frederick Niehaus - Technical Marketing
- Jerome Henry - Technical Marketing
- Josh Suhr - Customer Experience
- Priya Ramarathnam - Product Management
- Sarath Gorthi - Technical Marketing
- Sujit Ghosh - Technical Marketing

Acknowledgments

"There is a new trend among authors to thank every famous person for inspiration, non-existent assistance, and/or some casual reference to the author's work. Authors do this to pump themselves up."
- Wild Fire, by Nelson DeMille

We are not going to do that!

That said, first and foremost, we would like to express our gratitude to the families of the authors who were supportive, given the extensive time it took to be away from them and the challenges of "shutting out the world" for this intense effort.

We also thank you, the reader, for choosing this particular book to enrich your understanding of enterprise wireless networks.

A special thanks to the Cisco Enterprise Networking Business Product Management, Engineering and Services management teams who supported the realization of this book, along with the entire Book Sprints team for their constant guidance throughout the process of writing this book. The authors of this book are simply a voice for the extensive work of Cisco engineers in San Jose, California; Richfield, Ohio; Research Triangle Park, North Carolina; Dallas, Texas; Bangalore, India; Vancouver, Canada; Ecublens, Switzerland and sites around the world where innovative work is constantly being done. These teams have brought to market the innovations you will read about in this book and for that, we are truly grateful.

Organization of this book

There are many considerations in wireless networks ranging from coverage and capacity to onboarding, security, and policy. The intent of this book is to offer the reader solutions addressing a wide range of use cases and challenges likely to be faced in wireless networks every day. This book is not intended to be a configuration or deployment guide.

The book begins with an introduction to Cisco intent-based networking and then systematically drills down into key technologies and Cisco innovations that enable the very best in radio technology, security and end-user experience in the enterprise. Following a brief introduction on how wireless fits into the overall Cisco enterprise intent-based networking strategy, the initial chapter introduces key elements of the Cisco wireless network infrastructure - namely flexibility, automation, and resiliency. Next, the book dives into Cisco hardware and software radio innovations that comply with the IEEE 802.11 specifications, and indeed go beyond them to introduce new capabilities and innovations to the market.

In addition to infrastructure and radio excellence, this book examines the topics of network security, over-the-air threat detection/mitigation and network segmentation, location and assurance analytics, and WLC migration strategies. Finally, this book provides useful references and suggestions for further reading.

Intended audience

Network administrators, engineers, and architects are always looking for ways to stay updated with the latest offerings in technology to build and maintain a secure and reliable wireless network. This book is designed to address these concerns, and also to inform anyone who is interested in learning about Cisco innovative hardware and software wireless solutions.

The elements in this book cover Cisco intent-based networking products and solutions that are designed to meet
a diverse customer base which spans all verticals and deployment sizes. The book explains how Cisco offerings can be used by networking professionals to address complex challenges in an ever-changing wireless environment.

Book writing methodology

A group of Cisco engineers came together in a collaborative effort to write a book encompassing the various components that are needed in an enterprise wireless network. The authors, who are all subject matter experts in their own respective areas of technology, as part of the process reviewed the content created by their peers with the goal of simplifying complex elements of an enterprise wireless LAN into understandable topics for those designing wireless networks. The Book Sprints methodology captured each of our unique strengths, enabling a team-oriented environment and accelerating the overall time to completion.

What is new in this edition of the book?

In this edition of the book we have added and updated the following topics:

- Introduction to Cisco IOS XE for Cisco Catalyst wireless
- Introduction to Wi-Fi 6 technology
- Updated wireless portfolio
- Introduction of the Catalyst 9800 platform and its enhanced capabilities
- Introduction of Catalyst 9100 access points and Cisco RF innovations
- Details about interoperability of AireOS and Cisco IOS XE controllers and the migration procedure
- Introduction of Cisco DNA Spaces

Introduction

Intent-based networking

Internet of Things (IoT) adoption in the enterprise is fostering an explosion of devices connecting to the network. The Cisco Visual Networking Index reports that there are 17 billion devices connected to worldwide networks today and this will increase to 27 billion by 2021, most of which will be connected via wireless. This trend brings high density, scalability and security challenges.

The need for open workspaces and ubiquitous mobility has further driven the need for a flexible, resilient and secure Wi-Fi network. Additionally, transformations of computing and storage are gaining maturity and organizations are anticipating replicating virtualization benefits at the network level.

These new digital requirements bring the need for a fundamentally different approach to wireless networking. Cisco is innovating to build networks for the new digital age: what if the network could be made intuitive by translating a user intent into a network configuration? Could the network automatically adapt to changes in density of users? Could the network automatically capture the user traffic to better analyze a reported connectivity problem and heal itself? Could the network learn to defend itself against malware and threats?

A wireless network that aspires to be considered a platform for the digital world needs to have certain characteristics:

- Intelligence in the infrastructure - a network that is self-optimizing, self-healing and self-aware.
- Best security - securing the network elements, securing the data transport and making sure that the right user or device gets the right policy, end-to-end.
- Best user experience through automation, analytics, and assurance - designing the network and defining the user and device policies should be easy. Insights extracted from the network should facilitate network operations, and intelligent correlation should confirm that the network has delivered on the user intent.

These characteristics create a closed-loop mechanism where the network learns, provides feedback to the administrator, and an option to self-heal is offered, as illustrated in the figure below.

[Diagram: Cisco intent-based networking architecture components]

In the digitization era, where the requirements and opportunities of mobility, cloud, and IoT are the main subjects of discussion for business, there is a tendency to discount the network as just simple transport, to think that all access points and wireless LAN controllers are made equal and that the value comes from higher levels in the OSI stack. But how can this be true? All the critical applications that enable the company to operate run on the network, and increasingly on the wireless network.

This book highlights how Cisco intent-based networking provides a comprehensive end-to-end solution with unique capabilities to meet these new requirements.

Introducing Cisco IOS XE for Cisco Catalyst wireless

For many years now, Cisco wireless LAN controllers (WLCs) have used an operating system called AireOS. With the expansion of wireless into the Catalyst portfolio, Cisco has introduced a new model of controller, the Cisco Catalyst 9800 Series wireless controllers, based on the Cisco IOS XE platform. Cisco IOS XE provides many new foundational benefits - including increased scale, programmability and analytics improvements, and software upgrades without disruption. The move to a new platform has also enabled many enhanced capabilities specific to the ongoing operation of the wireless network, such as the ability to leverage a completely redesigned, robust, and flexible configuration model.

With the introduction of a new operating system for wireless devices, migration and interoperability become key considerations. Several
mechanisms have been constructed with the express purpose of providing a seamless transition from AireOS-based WLCs to newer Cisco IOS XE-based WLCs, including specialized configuration migration tools and seamless cross-platform roaming capabilities with Inter-Release Controller Mobility (IRCM). These capabilities that help ease the transition to Cisco Catalyst 9800 Series wireless controllers will be discussed in depth later in this book.

Benefits of Cisco IOS XE

With the modern ever-changing software-defined environment, it is imperative that the operating system (OS) software foundation for wireless platforms be open, easy to use, flexible, and secure. Cisco IOS XE is an open and modular OS, common across multiple enterprise network products for both wired and wireless platforms, which brings a number of benefits to customers. Cisco IOS XE modularity, standard database, object-based models, and containers provide key capabilities that help network administrators and engineers with operational tasks and reduce operational costs.

Several years ago, Cisco introduced Cisco IOS XE, designed to restructure the monolithic code of Cisco IOS into a more modular and modern software architecture. With Cisco IOS XE, the OS was subdivided into multiple components to achieve modularity and portability of the features. A low-level Linux kernel was introduced to provide CPU load balancing, memory management, and enhanced hardware resource management. Cisco IOS now runs as a modular process on top of the Linux kernel, known as Cisco IOSd. This approach allows other modular functions to be introduced, such as an embedded wireless LAN controller capability with the Catalyst 9800. More applications will be embedded on Cisco IOS XE in the future, following a similar approach.

Cisco IOS XE is continually evolving. With new applications continually appearing, the established models for configuration and monitoring, such as CLI and SNMP, are beginning to be replaced by standardized APIs for configuration and monitoring data models.

Cisco IOS XE software helps to address key customer needs:

- Providing a common OS for enterprise networks across both wired and wireless platforms
- Rapid introduction of new features and technologies
- A secure OS to protect the network
- Modularity and high availability
- Streamlined patching capability with software maintenance upgrades (SMUs)
- Programmability and automation
- Fewer software images to manage
- Faster certification of software features
- Unified, consistent experience across platforms
- Ability to run any feature anywhere

In addition, if there is a need to bring a feature from one platform to another, the use of Cisco IOS XE makes this much easier due to the use of a unified code release. In most cases, importing a feature from one platform to another only requires platform-dependent code changes, significantly improving code portability and making it much easier and faster to move features between platforms. This in turn provides the ability for features to be used at more places in the network, more rapidly and seamlessly than has ever been the case previously. This also enables consistency of features across both physical and virtual appliances, thus providing the option of deploying the infrastructure on a platform of choice without compromising the functionality.

In addition, the Cisco IOS XE architecture decouples the data from the code. The Cisco IOS XE database stores the configuration and operational state of the system, with the stored data retained in a standardized format. One of the major benefits of storing the state information in a centralized database is being able to share information easily between different components of Cisco IOS XE. In addition, this standard Cisco IOS XE database makes system data easier to express as data models, such as YANG, and provides efficient export using model-driven telemetry (MDT), including NETCONF and gRPC.

Finally, Cisco IOS XE provides
a solid foundation for Cisco's newest wireless products and platforms to function as trustworthy elements within the network, able to assist in the prevention of attacks against the network infrastructure. As a trustworthy solution, Cisco IOS XE verifies the authenticity of the platform, prevents malicious code execution, establishes run-time defenses, and secures communication.

In summary, the use of Cisco IOS XE moves Cisco wireless platforms into the future - enabling a whole new suite of future-proofed, robust functionality. Importantly, Cisco IOS XE also does so in a way that retains backwards compatibility and interoperability with existing AireOS-based solutions and capabilities, allowing deployments to migrate at their own pace and as their business and operational demands dictate.

Cisco wireless portfolio

The Cisco Wi-Fi portfolio provides a wide array of options that span multiple deployment scenarios and use cases based on functionality and scale. The portfolio consists of:

- Access points (indoor, outdoor and active sensor)
- Wireless controllers (hardware and virtualized)
- Solution components for network management, security, and location services

Cisco wireless access points

Indoor access points

The Cisco Catalyst 9100 Series access points are the latest generation of Cisco enterprise APs, designed to be resilient, secure, and intelligent. The Cisco Catalyst 9100 Series access points are enterprise-class products built to address the current and future needs of a growing digital network. With support for Wi-Fi 6 combined with Cisco innovation, the Catalyst 9100 Series access points will drive your enterprise networks towards the future as the demand for wireless bandwidth continues to grow.

Key features:

- Wi-Fi 6 certifiable
- Three radios: 2.4 GHz (4x4), 5 GHz (4x4), and Bluetooth Low Energy (BLE)
- Orthogonal Frequency Division Multiple Access (OFDMA)
- Multi-User, Multiple-Input, Multiple-Output (MU-MIMO)
- Target Wake Time (TWT)
- Multigigabit support
- Internal or external antenna

The following diagram provides a high-level view of the Wi-Fi 6 indoor access point portfolio:

[Diagram: Current Cisco Catalyst indoor access point portfolio]

Cisco also offers Aironet 802.11ac Wave 2 access points which support Wi-Fi 5 standards-based technologies. Overall, Cisco offers a comprehensive portfolio of access points to meet a wide range of deployment needs and scenarios. The following diagram provides a high-level view of the Wi-Fi 5 indoor access point portfolio:

[Diagram: Current Cisco Aironet indoor access point portfolio]

Outdoor access points

Cisco outdoor access points help extend Wi-Fi connectivity beyond the building as well as into rugged and hazardous locations where there is a need for wireless equipment to be highly resistant to weather and temperature conditions.

The following diagram outlines the Cisco outdoor AP portfolio:

[Diagram: Current Cisco Aironet outdoor access point portfolio]

For more information on all Cisco Aironet access points (including both Wi-Fi 6
and Wi-Fi 5 products, for both indoor and outdoor use), see http://cs.co/9004D5Q9m

Aironet Active Sensor

In addition to indoor and outdoor access points, Cisco has introduced a device that can act as a client to test the Wi-Fi network and provide insights. The Cisco Aironet 1800s is an active 802.11a/b/g/n/ac (Wi-Fi 5 - 802.11ac Wave 2) sensor, which attaches to the wireless network and functions as a client. As such, it is able to monitor and measure wireless network onboarding and performance issues, and is used in conjunction with Cisco DNA Center to monitor, measure, and troubleshoot the wireless network functionality and performance.

For more information on the AC-powered version of the Aironet 1800s wireless sensor, please see http://cs.co/9009D5QiV

Cisco wireless LAN controller portfolio

The Cisco wireless LAN controller portfolio delivers the industry's most scalable and highest performing controller solution. These controllers provide unique network security and optimization for all wireless clients. Cisco offers a comprehensive range of controllers to address different scale, form-factor and performance requirements.

As the latest generation of Cisco WLCs, the Catalyst 9800 Series wireless controllers combine the best of RF excellence and hardware-based functionality with many of the Cisco IOS XE benefits outlined in the previous section. The Catalyst 9800 Series wireless controller platforms are the industry's most reliable and highly secure controllers, ready to deploy anywhere - including the cloud of your choice. Available in both physical appliance and virtual form-factors, the Catalyst 9800 WLCs offer the maximum in terms of deployment flexibility, as outlined in the following diagram:

[Diagram: Wireless LAN controller portfolio]

Cisco also continues to offer the Cisco AireOS Series of WLCs. These controllers, which have a long legacy of robust service in service providers, enterprises, and large campus deployments, offer excellent scalability and well-known functionality to Cisco customers worldwide. The following diagram outlines the many choices of Cisco AireOS WLCs available:

[Diagram: Wireless LAN controller portfolio]

For more information on the complete portfolio of Cisco wireless LAN controllers, leveraging both Cisco IOS XE as well as AireOS, see http://cs.co/9004D5QcO

Additional solution components

In addition to the APs and wireless LAN controllers, the components used to build a complete end-to-end secure wireless solution include the following important elements and capabilities:

- Cisco DNA Center - the hub of Cisco's intent-based network architecture, which uses AI and machine learning to automate much of the legwork network administrators typically do when provisioning networks and their hardware. See http://cs.co/9005D5QY3
- Cisco Identity Services Engine (ISE) - a security solution that controls access across wired, wireless, and VPN connections to the corporate network and enriches Cisco DNA Center with user and device details for more actionable intelligence. See http://cs.co/9009D5Qlt
- Cisco StealthWatch Enterprise - collects and analyzes flow records and uses machine learning to quickly adapt to new and changing vulnerabilities. StealthWatch also integrates with Cisco DNA Center network management software to optimize traffic performance and security of the network. See http://cs.co/9005D5Qlh
- Cisco Connected Mobile Experiences (CMX) - a software solution that uses client location from Cisco wireless infrastructure to generate analytics and relevant services such as operational insights and workplace analytics. See http://cs.co/9004D5Qmy
- Cisco DNA Spaces - synthesizes location data across your properties and wireless infrastructure to deliver location-based services at scale. See http://cs.co/9007EdfYU
- Cisco Umbrella WLAN - cloud security technology which protects against malware, botnets, and phishing before a connection is ever made, stopping threats earlier. See http://cs.co/9003D5Qml
- Cisco Prime Infrastructure - provides wired and wireless lifecycle management, and application visibility and control. It also offers policy monitoring, troubleshooting, and location-based tracking of mobility devices. See http://cs.co/9006D5QmC

Infrastructure components

Introduction

Intent-based networking for wireless offers secure, scalable, cost-effective wireless LANs for business-critical mobility. A mobile user requires the same accessibility, security, quality of service (QoS), and high availability currently enjoyed by wired users. These mobile requirements mandate a robust network that enables seamless mobility and secure connectivity.

The core components of intent-based networks for wireless are the following:

- Aironet and Catalyst access points (APs)
- Wireless LAN controllers (WLCs)
- Management software (Cisco DNA Center and Prime)
- Services such as Cisco DNA Spaces and Connected Mobile Experiences (CMX)

The following diagram illustrates the primary components of intent-based networks for wireless:

[Diagram: Primary components of intent-based networks for wireless]

Deployment mode flexibility

In networking, there is no one size fits all. Different customers and types of deployments demand different strategies for network design and implementation. With Cisco wireless, a suitable deployment mode
is available for every customer scenario, from a small office, to a multi-site distributed environment, to a large enterprise campus with multiple buildings.

Cisco wireless offers the best solution for each deployment, but with flexibility come choices. In this chapter, the unique design characteristics of each deployment mode are presented for centralized, SD-Access, FlexConnect, and Mobility Express modes so that optimal design choices can be made.

Deploying enterprise campus wireless with centralized mode

The default mode of operation is centralized, also known as "local" mode. In this mode, the control plane and data plane of the wireless solution are centralized at the wireless LAN controller, as shown in the following diagram.

[Diagram: Centralized wireless deployment]

Following are some key design advantages of the centralized deployment mode for wireless:

- IP addressing and mobility made easy - All the wireless client traffic is centralized at the wireless LAN controller. The client gets an IP address from the VLAN defined on the WLC which corresponds to its SSID. This means that the client can roam seamlessly between different access points while keeping the same IP address. Also, there is no need to define VLANs at the AP level.
- Single point of connection to the wired network - Since all client traffic is centralized at the WLC, the switch port or ports where the controller is connected represent a single point of attachment to the wired network. This makes it extremely easy to apply security or QoS policies to the wireless users.
- Simplified overlay design - Since traffic is tunneled from the AP to the WLC following the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, the wireless network becomes a network overlay to the wired infrastructure. This means that wireless can be deployed on top of any wired infrastructure.

SD-Access: integrating wired and wireless in the enterprise campus

Software-Defined Access wireless brings the benefits of SD-Access fabric to wireless users. For a more comprehensive view on SD-Access wireless implementation, please see the Cisco SD-Access Wireless Design and Deployment Guide, located at http://cs.co/9001D5thF

Simplifying the control and management planes

SD-Access fabric creates a separation between the forwarding plane and the services plane. A robust, redundant, secure underlay network can be left untouched while all the services for end users and devices attached to the network are deployed on the overlay. This deployment is done using Cisco DNA Center, which simplifies the creation and management of the SD-Access wireless network. All components, from SSIDs to policies, are created with a few clicks.

The wireless control plane is still centralized at the wireless LAN controller, and the controller continues to provide functions such as client session management, RRM, AP management, and troubleshooting, just as in centralized mode. However, SD-Access wireless leverages a distributed data plane for greater scale, by leveraging the capabilities of the SD-Access fabric itself to provide stretched subnets and a distributed anycast gateway functionality that makes the fabric appear to be the same from any attachment point for fabric clients.

Simplified policy

Network policy is a fundamental construct that all networks use in one way or another. Network policies in an enterprise are heavily used, for example, to mark packets and apply QoS rules or to enforce restrictions using ACLs.

The way these policies have traditionally been deployed is by leveraging the five-tuple in the IP packet header: source and destination IP addresses, ports and protocol. This is because the five-tuple is carried throughout the network, end-to-end. However, this dependency of policy on the IP address and the VLAN constructs has made networks more complex as they have grown in size over time. The reason for this complexity is that the five-tuple doesn't carry user or device information, whereas policies are usually centered around rules applied to devices and users.

This results in what is called an IP address overload, because the IP address is being used to identify both the user and its location in the network. Every time a new policy is defined for a category of devices or users, a mapping has to happen to identify their associated IP addresses. The dependency of policy on IP address may lead to complex ACLs across many nodes of the network that track all the possible IP addresses for all possible categories of devices, users, and applications.

SD-Access wireless breaks this dependency and allows for greater simplicity and flexibility, by abstracting the policy definitions and separating them from network constructs (IP address, subnet, VLAN, etc.). This abstraction helps simplify how networks are deployed. Policy is defined irrespective of the user or device IP address or VLAN. Cisco DNA Center is the single touchpoint for policy definition, and the SD-Access fabric nodes are the single points of policy enforcement, as shown in the following diagram.

[Diagram: SD-Access-enabled wireless network]

Seamless roaming domain

The SD-Access wireless architecture provides a way to segment the network without complicated technologies. This can be used to provide both macro level segmentation (using VRFs, or virtual routing and forwarding instances, to define VNs, virtual networks), as well as micro level segmentation with SGTs (Scalable Group Tags, identifiers of which group a user or device belongs to). By being able to easily define both macro and micro segmentation constructs and policies using Cisco DNA Center, users, devices, and things can easily be provided with appropriate network-level access controls to implement enterprise-wide security policies. Such policies apply to both wired and wireless users of the SD-Access fabric. These two levels of segmentation are an inherent property of the SD-Access fabric deployment, and are a key value of defining and using the SD-Access solution.

SD-Access also inherently provides the ability to stretch the client subnet across a fabric site, without extending the same VLAN everywhere. The entire SD-Access fabric appears to the endpoints as if it were one big switch or one large roaming domain. As shown in the figure below, this architecture optimizes the data plane because the data termination is distributed across the network infrastructure - allowing for greater scalability, a key consideration as wireless users, devices, applications, and bandwidth utilization all continue to grow.

[Diagram: Wireless roaming with SD-Access]
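The "IP address overload" argument in the Simplified policy section, and the group-tag (SGT) segmentation just described, as an added illustration that is not part of the Cisco book: one intent (employees may reach printers, guests may not) is enforced once as address-keyed five-tuple entries and once as a group matrix keyed on a tag bound to the endpoint at attachment, and a client address change is then applied to both. The endpoint names, addresses, group names and policy rows are constructed sample data, and the helpers (`build_ip_acl`, `sgt_decision`, `roam`) are hypothetical models, not any Cisco DNA Center or ISE API.

```python
# Added illustration, not from the Cisco book: why group-keyed policy (the
# SGT model) avoids the "IP address overload" of address-keyed five-tuple ACLs.
# All endpoints, addresses, group names and policy rows are constructed sample
# data; the helper functions are hypothetical and model no real Cisco API.
from dataclasses import dataclass
from itertools import product

# Constructed endpoint table: name -> (group, current IP address).
# In the SGT model the group is bound at attachment time; the address is incidental.
ENDPOINTS = {
    "alice-laptop": ("employee", "10.1.10.5"),
    "bob-phone":    ("employee", "10.2.10.7"),
    "guest-1":      ("guest",    "10.3.20.9"),
    "printer-a":    ("printer",  "10.1.30.2"),
    "printer-b":    ("printer",  "10.2.30.2"),
}

# The intent, stated once between groups: (source group, destination group) -> action.
GROUP_POLICY = {
    ("employee", "printer"): "permit",
    ("guest", "printer"): "deny",
}
DEFAULT_ACTION = "deny"  # implicit deny when no row matches


@dataclass(frozen=True)
class AclEntry:
    src_ip: str
    dst_ip: str
    action: str


def build_ip_acl(endpoints):
    """Expand the group intent into address-keyed entries (protocol and port
    omitted; they would only multiply the rows). Any address change forces a rebuild."""
    acl = []
    for (src_grp, dst_grp), action in GROUP_POLICY.items():
        srcs = [ip for grp, ip in endpoints.values() if grp == src_grp]
        dsts = [ip for grp, ip in endpoints.values() if grp == dst_grp]
        acl.extend(AclEntry(s, d, action) for s, d in product(srcs, dsts))
    return acl


def acl_decision(acl, src_ip, dst_ip):
    """First-match lookup on the address-keyed list, implicit deny at the end."""
    for entry in acl:
        if entry.src_ip == src_ip and entry.dst_ip == dst_ip:
            return entry.action
    return DEFAULT_ACTION


def sgt_decision(endpoints, src_name, dst_name):
    """Group-keyed lookup: resolve each endpoint's tag, then consult the matrix."""
    src_grp = endpoints[src_name][0]
    dst_grp = endpoints[dst_name][0]
    return GROUP_POLICY.get((src_grp, dst_grp), DEFAULT_ACTION)


def roam(endpoints, name, new_ip):
    """Return a copy of the endpoint table after `name` acquires a new address
    (for example after moving to a site that uses a different subnet)."""
    group, _ = endpoints[name]
    updated = dict(endpoints)
    updated[name] = (group, new_ip)
    return updated


def compare_models():
    """Enforce the same intent both ways, before and after one client re-addresses."""
    acl = build_ip_acl(ENDPOINTS)
    moved = roam(ENDPOINTS, "alice-laptop", "10.9.10.5")
    return {
        "acl_entries": len(acl),
        "policy_rows": len(GROUP_POLICY),
        "acl_before": acl_decision(acl, "10.1.10.5", "10.1.30.2"),
        "sgt_before": sgt_decision(ENDPOINTS, "alice-laptop", "printer-a"),
        # stale ACL: the new address matches nothing, so a legitimate user is denied
        "acl_after_roam": acl_decision(acl, "10.9.10.5", "10.1.30.2"),
        # group matrix untouched: only the endpoint->tag binding moved with the client
        "sgt_after_roam": sgt_decision(moved, "alice-laptop", "printer-a"),
        "acl_entries_after_rebuild": len(build_ip_acl(moved)),
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value}")
```

With two employees, one guest and two printers the address-keyed list already needs six entries (and a rebuild after every re-addressing) to express two policy rows, which is the growth the text describes.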
101、nfrastructure componentsDesigning distributed branch officesProviding resiliency across the WANBranch offices are usually connected across an uncontrolled(and potentially unreliable)WAN link and thus are inherently prone to the constraints of the WAN.FlexConnect is aCisco wireless solution for branc
102、h and remote office deployments designed toovercome remote connectivity WAN challenges.FlexConnect ensures survivabilityacross the WAN for small,medium and large sites.Infrastructure components39DIAGRAMDistributed branch o?ce deployment with FlexConnectOptimizing control and data planesSince the maj
103、ority of the resources(such as printers,for example)at a remote site arelocal to that site,the FlexConnect solution enables the administrator to terminate andswitch the client data traffic locally at that site,while centralizing control traffic andmanagement of APs.In the event of a WAN link or WLC
104、failure,local traffic continues toflow and roaming remains seamless for the remote site users.FlexConnect also allows40Infrastructure componentsan option for certain SSIDs to be centrally-switched in the event that this is desirablefor some use cases.Centralized AP management brings a single pane fo
105、r monitoringand troubleshooting,providing ease of management,and reducing the branch hardwarefootprint.Efficiently upgrading access points across the WANSites using FlexConnect APs are sometimes sensitive to WAN bandwidth consumption(due to limited WAN bandwidth).The FlexConnect Smart Image upgrade
addresses this challenge by selecting a master AP in each site and downloading the image only to that master AP, then prompting all other APs in the branch to download the code from that master AP. This reduces the time, probability of failure and bandwidth associated with image upgrades across the WAN.

Simple, affordable enterprise Wi-Fi

Mobility Express is an enterprise-class, feature-rich solution that provides the ability to run the controller function itself on Cisco access points. It is well suited for small and mid-sized businesses with a limited number of access points. It is designed around configuration
simplicity and an easy-to-use interface to allow for over-the-air management and seamless Day 0 deployments.

Resiliency in wireless networks

Wireless is mission-critical, and resiliency is the most important aspect of designing a highly available wireless network. The main goal
of resiliency is to reduce network downtime and improve the client experience. In addition to resiliency at the access layer with the wireless controller and switching infrastructure, this also includes resiliency at the radio frequency (RF) layer, as well as redundancy for solution components such as Cisco DNA
Center, Cisco Prime Infrastructure and CMX. Cisco DNA Center redundancy is built on the concept of multi-node clustering. Cisco Prime Infrastructure and CMX use an active/standby model to maximize availability and minimize downtime.

However, designing for an always-on network isn't just limited to handling hardware and network failures; it is also about providing resiliency throughout the lifecycle of the deployment. This includes the need for controller and AP updates and image upgrades on the network. This is where the power of Cisco IOS XE with the Cisco Catalyst 9800 wireless controller comes in, providing capabilities that allow timely fixes and updates to be put into the network. Using the patching capabilities of Cisco IOS XE, for example, helps contain the impact of a necessary software change within an already released image, delivering defect fixes and updates without the need to requalify a new release, in turn
providing faster resolution to critical issues that are time-sensitive.

Resiliency at the radio frequency layer

RF resiliency is about pervasive availability at the physical layer. The administrator should think about the RF layer as one of the most important foundations for the reliability of the wireless network. If the foundations are not stable, the whole wireless network and client experience will be affected. This requirement translates into best practices for managing a wireless network based on the following components:

- Radio resource management (RRM) and coverage hole detection and mitigation (CHDM)
- Cisco CleanAir: identifying, classifying, and mitigating interferences
- Cisco ClientLink: improving client received signal (beamforming)

Cisco radio resource management (RRM) and coverage hole detection and mitigation (CHDM)

Radio resource management determines the optimal power and
channel plan based on access point layout and environmental information continually reported by each AP. A key component of RRM is the CHDM algorithm. The AP actively scans the air and continuously reports channel load, interference, and received signal strength indicator (RSSI) information about clients
to the WLC. When an AP fails and a coverage hole appears, the CHDM algorithm kicks in and increases the power of neighboring radios, allowing clients to roam to neighboring APs.

For example, a manufacturing company with a large warehouse is having connectivity issues as stock levels change. The wireless signal might get blocked as stock levels increase (more physical stock on the shelves in the warehouse blocks or interferes with the wireless signal), in turn creating dead spots (coverage holes) and causing connectivity issues. Cisco RRM proactively monitors nearby access points (neighbors) and client-received signals, then dynamically raises the transmit power on nearby access points as needed to compensate.

However, good features cannot correct for bad design. The network should have been designed with redundancy in mind, with a proper site survey performed at optimal AP power
settings. A proper site survey implies that the same tool, the same wireless adapter and the same client device are used across the survey areas so that results are comparable. Also, the wireless architect should design the network for the devices that are actually going to be used: there is no point in optimizing
the coverage for high-end laptops if most of the users will connect using a smartphone that has half the transmitting power and fewer antennas.

Cisco CleanAir: identifying, classifying and mitigating an interference source

Interferers can significantly lower not only the capacity and performance of the wireless network but also its availability, by reducing the airtime available to clients. To overcome this challenge, Cisco created an innovative solution, Cisco CleanAir. CleanAir can accurately detect and identify interference sources impacting the wireless network. CleanAir provides a
spectrum intelligence solution which can assess the impact of interferences and proactively change the channel when needed, allowing the AP and the related cell and clients to continue to operate reliably.

Cisco ClientLink: improving client received signal (beamforming)

In a wireless network, there are several types of wireless client devices. These could be a mix of new and old Wi-Fi technologies: 802.11ac, 802.11n, and 802.11a/g connections. To keep the older and slower clients from adversely impacting the performance of newer and faster 802.11ac connections, there is Cisco ClientLink. ClientLink is a hardware-based beamforming capability built into Cisco Aironet wireless LAN access points. When the access point concentrates signals toward the receiving client, that client is better able to "hear" the AP transmission, so throughput is higher. ClientLink enhances the performance in the downlink (AP to client) direction. The result is improved and more stable coverage for all clients.

Wireless LAN controller high availability

The wireless LAN controller is the brain of the wireless network. Wireless LAN controller availability is provided by deploying multiple controllers. If one controller fails, the others
can provide backup. The load can also be balanced among controllers. Cisco Wireless supports two modes of high availability, N+1 and Stateful Switch Over (SSO). Deciding which wireless controller redundancy model to use depends on one simple aspect: what is the acceptable network downtime?

N+1 wireless controller
redundancy

In N+1 redundancy, each AP is configured with the IP address and name of its preferred primary, secondary and tertiary WLCs. If the primary WLC becomes unreachable, the AP fails over to its configured secondary WLC (then tertiary). This redundancy model is called N+1
, which means that a WLC is available to support the APs if any primary WLC becomes unreachable. The main advantages of the N+1 redundancy model are as follows:

- Failover predictability: the AP is preconfigured with a primary, secondary and tertiary controller; the network admin always knows where the AP will end
up.
- Flexible redundancy design options: N+N, N+1 and a combination of the two.
- Geo-separated redundancy: redundant WLCs can be deployed across Layer 3 networks, for example across two data centers in different disaster recovery areas.
- Fallback option in the case of failover: APs can be configured to go back to the primary controller when it comes back up, or to stay on the secondary.
- Priority AP failover: if the secondary WLC gets oversubscribed, the administrator can decide which APs are more important.

The N+1 model can provide redundancy for centralized, FlexConnect and SD-Access deployments. The secondary/tertiary WLC is managed independently and does not share configuration with the primary WLCs. Each WLC needs to be configured and managed separately. The same configuration must be defined on the redundant WLC to ensure seamless operation during a failover. The N+1 model is outlined in the following figure:

DIAGRAM: N+1 high availability architecture

High availability: stateful switch over (SSO)

SSO is the highest level of high availability, with zero network downtime. One WLC is in active state and the second WLC is in hot standby state. The standby WLC continuously monitors the health of the active WLC via dedicated redundancy links. Both the active and standby WLCs share the same set of synchronized configurations. When a failure of the active WLC is detected, the standby WLC takes over without impact on network operations. Client information is also synced between WLCs, and thus client
re-association is avoided when a switchover occurs, making the failover seamless for the APs as well as for the clients.

SSO is supported across geographically separated data recovery sites, provided a low-latency Layer 2 interconnection is established. The SSO high availability model is outlined in the following figure:

DIAGRAM: Stateful switchover high availability

High availability across the WAN

The FlexConnect architecture has multiple features to build a resilient distributed network.

Protecting against WAN or WLC failure

Access points in FlexConnect mode have the ability to function even when connectivity to the controller is lost. The FlexConnect AP will continue to function with the last known configuration if contact to the WLC is temporarily lost, and traffic is locally switched so there is no disruption of traffic flow for existing clients.
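The N+1 failover rules described above (primary/secondary/tertiary order, the fallback option, AP failover priority when a backup controller is oversubscribed) and the FlexConnect standalone behaviour just described can be modelled as a small decision procedure. The following is an added example written for this edition of the text, not Cisco code; the controller names, AP names, capacities and priorities are constructed, and a controller's "capacity" is a simplified stand-in for the real AP license and join limits.

```python
"""Model of N+1 controller failover and FlexConnect standalone mode (added example, not Cisco code).

All WLC names, AP names, capacities and priorities below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Wlc:
    name: str
    capacity: int            # maximum APs this controller accepts (constructed stand-in for join limits)
    reachable: bool = True


@dataclass
class Ap:
    name: str
    primary: str
    secondary: str
    tertiary: Optional[str] = None
    priority: int = 1        # AP failover priority: higher wins contested backup capacity
    fallback: bool = True    # return to the primary WLC as soon as it is reachable again
    flexconnect: bool = False
    joined: Optional[str] = None   # last controller the AP joined
    mode: str = "down"       # "connected", "standalone" (FlexConnect, last known config) or "down"


def candidate_order(ap: Ap) -> List[str]:
    """Controllers to try, in order. With fallback disabled the AP prefers the one it is on."""
    configured = [c for c in (ap.primary, ap.secondary, ap.tertiary) if c]
    if ap.fallback or ap.joined is None:
        return configured
    return [ap.joined] + [c for c in configured if c != ap.joined]


def reconcile(aps: List[Ap], wlcs: Dict[str, Wlc]) -> Dict[str, str]:
    """Re-evaluate where every AP ends up after a reachability change.

    Returns {ap name: controller name, or "standalone", or "down"}.
    """
    load = {name: 0 for name in wlcs}
    # Higher-priority APs are placed first, so when a backup WLC is oversubscribed
    # the administrator's priority setting decides which APs keep a controller.
    for ap in sorted(aps, key=lambda a: -a.priority):
        chosen = None
        for name in candidate_order(ap):
            wlc = wlcs.get(name)
            if wlc is not None and wlc.reachable and load[name] < wlc.capacity:
                chosen = name
                break
        if chosen:
            load[chosen] += 1
            ap.joined, ap.mode = chosen, "connected"
        elif ap.flexconnect and ap.joined is not None:
            # No controller reachable: a FlexConnect AP keeps switching traffic locally
            # with its last known configuration; it remembers its last WLC for fallback.
            ap.mode = "standalone"
        else:
            ap.joined, ap.mode = None, "down"
    return {ap.name: (ap.joined if ap.mode == "connected" else ap.mode) for ap in aps}


def run_branch_scenario() -> List[Dict[str, str]]:
    """Constructed branch: primary WLC-A, backup WLC-B with room for only two APs."""
    wlcs = {"WLC-A": Wlc("WLC-A", capacity=10), "WLC-B": Wlc("WLC-B", capacity=2)}
    aps = [
        Ap("AP-lobby", "WLC-A", "WLC-B", priority=3, flexconnect=True),
        Ap("AP-floor1", "WLC-A", "WLC-B", priority=2, flexconnect=True, fallback=False),
        Ap("AP-floor2", "WLC-A", "WLC-B", priority=1, flexconnect=True),
        Ap("AP-lab", "WLC-A", "WLC-B", priority=1, flexconnect=False),
    ]
    steps = [reconcile(aps, wlcs)]          # 1: normal operation, everything on the primary
    wlcs["WLC-A"].reachable = False
    steps.append(reconcile(aps, wlcs))      # 2: primary (or the WAN towards it) fails
    wlcs["WLC-A"].reachable = True
    steps.append(reconcile(aps, wlcs))      # 3: primary returns; fallback setting decides
    return steps


if __name__ == "__main__":
    for i, step in enumerate(run_branch_scenario(), 1):
        print(f"step {i}: {step}")
```

In step 2 the two highest-priority APs take the backup controller's capacity, the third FlexConnect AP keeps serving its existing clients in standalone mode, and the central-mode AP has nothing to do without a controller. In step 3 the AP configured without fallback stays on the backup controller even though the primary is back; this is exactly why the text calls N+1 failover "predictable": the outcome follows from per-AP configuration, not from timing.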
Fast roaming keys are locally stored on the access point, so roaming continues to work for clients that have already authenticated. Additionally, RADIUS servers can be configured per remote site, which makes the onboarding of new clients seamless even in the event of a failure.

Protecting against RADIUS server failure

Authentication is normally done using a common RADIUS server at a central site. However, even in the event of a RADIUS server failure or central site outage, the FlexConnect architecture can continue to authenticate and onboard clients onto the wireless network using local authentication. With local authentication, the AP authenticates new clients against a locally defined RADIUS server or an authentication server running natively on each access point in the branch. Existing clients stay connected, do not re-authenticate and can also fast roam across the entire branch.

High availability on Catalyst 9800 wireless controller with patching and rolling AP upgrades

In addition to the capabilities listed above, the Cisco Catalyst 9800 wireless controller brings the ability to provide:

- Controller fixes and updates using Software Maintenance Updates (SMUs)
- Access point fixes and updates using an AP Service Pack (APSP)
- New AP model support using an AP Device Pack (APDP)

DIAGRAM: Patching options on Catalyst 9800

Controller patching using software maintenance updates (SMU)

A software maintenance update (SMU) is a package that is installed on a system to provide a patch fix or security
resolution to an already released controller image. An SMU package is provided on a per-release and per-component basis and is specific to the platform.

There are two types of SMUs: one that can be hot-patched and one that can only be cold-patched. A hot patch does not need a system reload, which means the
clients and APs will not be affected. A cold patch, on the other hand, requires a reload. However, a cold patch can be installed without bringing the network down when an SSO pair is used. The figure shown below illustrates the process of installing a cold patch on an SSO pair.

DIAGRAM: Cold patch installation on HA pair of Catalyst 9800

The system installs the SMU on the standby controller and reloads the standby. Once the standby is up, a switchover occurs, pushing all AP and client sessions to the new active controller. After this, the SMU is installed on the new standby, and the process of SMU activation is complete.

Access point patching using AP service pack (APSP)

Rolling access point update infrastructure

The Cisco Catalyst 9800 wireless controller supports deploying critical AP bug fixes using an AP service pack (APSP) without upgrading the controller code. The Catalyst 9800 wireless controller supports doing this in a staggered or rolling manner, such that an appropriate number of APs are always up and running in the network in order to provide RF coverage to clients.

The rolling AP update infrastructure provides automatic candidate AP selection using the RRM-based AP neighbor information. The device auto-selects the candidate APs to be upgraded in each iteration based on the configured percentage of APs to be upgraded per iteration (5%, 15% or 25%, with the default being 15%). There is also an option for rolling out the AP service pack in one shot, without the rolling AP update, for applying it during a maintenance window.

DIAGRAM: RRM based candidate AP selection

During the rolling AP upgrade, clients on candidate APs are actively steered away using an 802.11v frame carrying the disassociation imminent information element, to make sure seamless network connectivity continues as APs are being upgraded.

DIAGRAM: 11v based client steering

Per-site and per-model AP service pack rollout

In addition, to control the propagation of an AP service pack in the network, the capability is provided for a service pack to be applied on a per-site and per-AP-model basis. At the time of AP service pack (APSP) activation, a user selects the sites where the AP service pack should be rolled out. All APs on this site will be updated with the designated service pack, including any new APs that join the site after the filter is applied.

An example use case follows the workflow in the figure below. This campus has three sites, each with several buildings. A fix for 2800/3800 APs is available as a service pack, and the customer wants to try it on site A first to verify the bug fix update. The filter is set to Site A and the APSP is rolled out to all relevant AP models in that site.
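The rolling AP update described above combines three pieces of logic: a site and AP-model filter that scopes the service pack, a per-iteration percentage (5, 15 or 25) that sizes each batch, and RRM neighbor data that keeps two RF neighbors out of the same batch so that a reloading AP's cell is still covered by its neighbors. The same candidate-selection infrastructure is what the later N+1 controller upgrade reuses. The planner below is an added example, not Cisco's implementation; the campus, AP names, models and neighbor links are constructed sample data, and the batch-building rule (greedy, deterministic by AP name) is an assumption made here to illustrate the constraint, not the controller's actual algorithm.

```python
"""Rolling AP service-pack rollout planner (added example; not Cisco code).

The campus inventory, AP models and RRM neighbor links below are constructed sample data.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Ap:
    name: str
    site: str
    model: str
    neighbors: Set[str] = field(default_factory=set)   # RRM-reported RF neighbors


def sample_inventory() -> Dict[str, Ap]:
    """Constructed campus: site A with six APs (one 9120 that the fix does not target), site B with two."""
    aps = {
        "A1": Ap("A1", "A", "2800"), "A2": Ap("A2", "A", "3800"), "A3": Ap("A3", "A", "2800"),
        "A4": Ap("A4", "A", "9120"), "A5": Ap("A5", "A", "3800"), "A6": Ap("A6", "A", "2800"),
        "B1": Ap("B1", "B", "2800"), "B2": Ap("B2", "B", "3800"),
    }
    links = [("A1", "A2"), ("A2", "A3"), ("A3", "A4"), ("A4", "A5"),
             ("A5", "A6"), ("A1", "A4"), ("B1", "B2")]
    for a, b in links:                 # neighbor relation is stored symmetrically
        aps[a].neighbors.add(b)
        aps[b].neighbors.add(a)
    return aps


def select_targets(aps: Dict[str, Ap], sites: Optional[Set[str]] = None,
                   models: Optional[Set[str]] = None) -> List[Ap]:
    """Apply the APSP site filter and the per-model scope of the fix (None means no filter)."""
    return [ap for ap in aps.values()
            if (sites is None or ap.site in sites) and (models is None or ap.model in models)]


def plan_iterations(targets: List[Ap], percent: int = 15) -> List[List[str]]:
    """Split the targets into batches of at most ceil(percent% of targets) APs.

    Two APs that are RRM neighbors never share a batch, so every AP that reloads still has
    its neighbors up to cover its cell. The greedy, name-ordered choice is this example's own.
    """
    if percent not in (5, 15, 25):
        raise ValueError("rolling AP update percentage must be 5, 15 or 25")
    batch = max(1, math.ceil(len(targets) * percent / 100))
    pending = {ap.name: ap for ap in targets}
    iterations: List[List[str]] = []
    while pending:
        chosen: List[str] = []
        for name in sorted(pending):
            if len(chosen) == batch:
                break
            if all(name not in pending[c].neighbors and c not in pending[name].neighbors
                   for c in chosen):
                chosen.append(name)
        for name in chosen:            # the first pending AP is always accepted, so this is non-empty
            del pending[name]
        iterations.append(chosen)
    return iterations


def steering_plan(iteration: List[str], aps: Dict[str, Ap]) -> Dict[str, List[str]]:
    """For each AP about to reload, the neighbors that stay up: the BSS transition candidates
    to offer clients when the 802.11v disassociation-imminent request is sent."""
    reloading = set(iteration)
    return {name: sorted(aps[name].neighbors - reloading) for name in iteration}


if __name__ == "__main__":
    inventory = sample_inventory()
    targets = select_targets(inventory, sites={"A"}, models={"2800", "3800"})
    for i, batch in enumerate(plan_iterations(targets, percent=25), 1):
        print(f"iteration {i}: {batch} -> steer clients to {steering_plan(batch, inventory)}")
```

With the site filter set to A and the fix scoped to 2800/3800 models, the 9120 AP and all of site B are left alone; at 25% per iteration the five target APs upgrade in three batches, and at the default 15% they upgrade one at a time. Clearing the site filter (passing no sites) widens the same plan to every site, which is the second stage of the workflow the text describes.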
DIAGRAM: APSP activation on Site A

Once the fix is verified, the same service pack is then rolled out to all the sites by clearing the site filter, as shown in the following figure:

DIAGRAM: APSP rollout to all sites

Seamless controller image upgrade

Zero-downtime network upgrades are a challenge for wireless networks. The
reason is that these networks are made up of a set of interlocked devices, WLCs and a set of APs, which all need to be up to keep the network operational.

The advent of the rolling AP upgrade feature opens up new possibilities for upgrading the controller code in a network without bringing the network down, using an N+1 controller. This can effectively achieve a zero-downtime network upgrade in an N+1 deployment. The idea here is to upgrade access points in a wireless network in a staggered manner, using the same rolling AP update infrastructure as described above, such that an
appropriate number of APs are always up and running in the network and providing RF coverage to clients.

The solution for N+1 network upgrade using rolling AP upgrade takes the form of three primitives which the administrator can use to achieve a zero-downtime upgrade:

- The target version is installed on the N+1 controller, and it is added to the same mobility group as the primary. The target image is also downloaded to the primary controller and pre-downloaded to the associated APs.
- The device creates upgrade groups by auto-selecting the candidate APs to be upgraded in each iteration, based on the percentage of APs to be upgraded per iteration and RRM AP neighbor information, as shown in the figure below.

DIAGRAM: N+1 rolling AP upgrade workflow

The APs are then rolled over in a staggered manner to the N+1 controller.

DIAGRAM: N+1 rolling AP upgrade workflow

Once this move is complete, the target image is activated on the primary controller with a reload.

DIAGRAM: N+1 rolling AP upgrade workflow

Once the primary controller is up, the APs can optionally be rolled back in a staggered manner from the N+1 to the primary controller.

DIAGRAM: N+1 rolling AP upgrade workflow

New AP model support using AP device pack (APDP)

The Cisco Catalyst 9800 wireless controller provides the ability to introduce new AP models into customer networks using an AP device pack (APDP) without the customer having to move to a new WLC software version. This allows faster deployment of the APs, confining impact within the already installed and validated controller image, effectively with zero downtime since the APDP can be activated as a hot patch that does not require a reload on the controller.

DIAGRAM: APDP update per
site

Using all of these capabilities allows AP and controller updates and upgrades to be installed without causing a service disruption on the wireless network, thus providing high availability across the lifecycle of the deployment, from unplanned network events to planned upgrades.

High availability on Cisco Mobility Express

Cisco Mobility Express is a wireless LAN controller function embedded on an access point. The AP which runs the wireless LAN controller function is called the master AP. The master AP election process determines which access point will be elected to run the wireless LAN controller function. In case of the failure of the current master AP, the election of the next master is done automatically.

Wireless network automation

As more applications, users, devices, and services come onto the network, the growing complexity of ensuring that they all receive the appropriate level of service becomes a challenging and expensive task. Reducing complexity and the associated cost is one of the prime benefits that can be derived from automation. For network administrators, automation means having an opportunity to minimize mundane operational activities and play a more strategic role in the business; for the company, automation ultimately results in increased speed to market and the ability to lower operational costs.

Wireless automation with Cisco DNA Center

Cisco DNA Center is the automation platform for the Cisco wireless solution. One of the primary tasks handled by Cisco
DNA Center is the translation of the administrator's intent into meaningful device-level configurations. Cisco DNA Center provides multiple levels of automation and orchestration for the different wireless deployment modes and greatly simplifies network setup and initialization. Cisco DNA Center automation brings multiple benefits:

- Agility: reducing the time required to design, deploy and/or optimize the wireless network. In the design phase, the wireless administrator can quickly create a hierarchical site structure for each specific wireless deployment. Cisco DNA Center's automation flow makes it extremely
easy to then define settings (device credentials, network settings, etc.) and apply them globally or specifically to a site. This helps ensure consistency of configuration at scale.
- Reliability: automation brings reliability by streamlining the configuration flow and provides consistent deployment of prescriptive best practices. For example, when defining an SSID, the administrator has to specify only a few important parameters; all the key best practice configurations are automatically applied in the background.
- Simplification: Cisco DNA Center minimizes the management touchpoints. For example, the administrator
uses a single pane of glass to define the desired policy between groups of wireless users. Cisco DNA Center integrates with Cisco Identity Services Engine (ISE), where the resulting policies are configured automatically.
- Abstraction: Cisco DNA Center uses easy-to-understand concepts
and constructs that abstract out the underlying feature and technology implementation specifics. If an SSID has to be broadcast only at a specific site, the administrator does not need to deal with constructs such as WLAN IDs and AP groups, but simply assigns the SSID and APs to a site, and the intent is translated to configurations automatically at the WLC.

Network provisioning

In enterprise environments, initial network device setup is often done at a central staging area where the network admin installs the target system image and applies a basic standardized configuration. Once the device reaches its intended location, a skilled person completes the installation and applies the final configuration. This process is time-consuming and expensive, error-prone and not very secure. Cisco simplifies WLC and access point deployment with an easy-to-use initialization flow. In the case of WLCs, the WLC express setup simplifies the WLC provisioning process down to three easy steps and automatically enables industry-recommended best practices.

In the case of access points, which are typically deployed in large quantities, the provisioning process becomes an IT and operational challenge. Network Plug and Play (PnP) is a
very simple to use, scalable solution. PnP enables the administrator to provision devices from a central site. Once the access points are installed, they are redirected during initial bootup to a PnP instance running either on-premises or in the Cisco public cloud. The PnP service provisions the AP with the
controller IP and other individual settings that onboard the access point without manual intervention, as shown in the diagram below.

DIAGRAM: Simplified AP deployment with PnP

Programmability

As the single OS for enterprise wired and wireless access, aggregation, core and WAN, Cisco IOS XE, and by that virtue the Cisco intent-based network infrastructure, provides a range of manageability options: Cisco DNA Center for policy, automation and analytics; standards-based network management systems; and SDN, programmability and telemetry using open and native YANG models.

Since the next generation Catalyst 9800 wireless LAN controller is based on Cisco IOS XE software, all the feature richness available in Cisco IOS XE is available on this controller, and this provides several options for programmatic configuration. Cisco IOS XE supports the Yet Another Next Generation (YANG) data modeling language. YANG can be used with the Network Configuration Protocol (NETCONF) to provide the desired solution of automated and programmable network operations.

Traditional methods for configuring the WLC include the CLI or WebUI and SNMP, but these have now been expanded to include the latest programmatic interfaces. YANG data models define what data is accessible over the programmatic interfaces, and they come in several varieties. Cisco IOS XE features are defined within the native data models, while standard and vendor-agnostic features are defined within the open data models. Either model can be used for many tasks.

For a complete understanding of Cisco IOS XE programmability, please refer to the following book: http://cs.co/9004EerhG

Radio excellence

Introduction

In an information-centric economy, mobility is centered around a key concept: work is something you do, and not necessarily a place you go. In other words, productivity is optimized when users can work wherever and whenever they need.

The most important element for such mobility is an available, reliable, and secure wireless LAN (Wi-Fi) connection. This ensures that everyone has the capacity they need to be productive with any application, from web and cloud service access to real-time streaming video and voice.

Within the enterprise, open workspaces encourage collaboration, communication, and team-based productivity. Wireless is becoming the critical and preferred way to connect. The baseline requirement for an efficient open workspace is to guarantee not only ubiquitous Wi-Fi coverage but also capacity everywhere. A reliable, secure, and scalable network is critical. However, the individual radios need to be coordinated in frequency and power to provide a seamless and consistent experience for the users. Environments are often not isolated, meaning that there will be neighboring wireless networks using the same channels as the local access points. Each access point represents a finite amount of bandwidth potential in a given cell. More capacity means more radios in closer proximity. Optimal channel selection, bandwidth assignment, and power coordination become critical.

To achieve this goal, Cisco has brought to market multiple innovations:

- Infrastructure: Cisco Aironet access points (supporting Wi-Fi 5/802.11ac Wave 2) and Cisco Catalyst 9100 Series access points (supporting Wi-Fi 6
) for higher throughput (up to 5 Gbps).
- Beamforming: enhanced implementations of beamforming technologies (MU-MIMO), so that multiple clients can simultaneously receive transmissions from a single access point.
- Centralized radio resource management: providing holistic RF optimization across the network.
- Flexible radio assignment (FRA): ensuring that dual-radio APs form micro and macro cells that will maximize capacity for all clients.
- Dynamic bandwidth selection (DBS): optimizing the channel width on each AP.
- FlexDFS and Dual DFS: optimizing the response to radar detection and avoidance.

802.11ax/Wi-Fi 6

802.11ac brought a dramatic increase in connection speed, with theoretical rates close to 7 Gbps. However, speed is not the only concern. As Wi-Fi becomes the primary method to access most networks, the question of density becomes critical: each user has more devices, and each device consumes more airtime and more bandwidth than before. With IoT, new devices come in large numbers to the network, even in the absence of any nominally associated user. Locations without neighboring Wi-Fi networks have become increasingly rare. Providing speed is critical, but managing the ever-increasing density of devices, including IoT, has become a major concern, especially as Wi-Fi is now a critical component for a majority of businesses and organizations. In many cases, the loss of Wi-Fi connection or poor Wi-Fi performance can have an immense impact on the efficiency of businesses and organizations.

The Institute of Electrical and Electronics Engineers (IEEE) has created a successor to 802.11ac that specifically addresses these challenges of reliability and density of devices, including IoT. As this new standard, IEEE 802.11ax, is being finalized, the Wi-Fi Alliance has answered the needs of the industry and created a first certification program that implements some key 802.11ax features. The Wi-Fi Alliance has also simplified the naming convention of its programs. As this certification program represents the 6th generation for Wi-Fi speed and efficiency, the program is called Wi-Fi 6, as illustrated below.

DIAGRAM: Wi-Fi Alliance programs

Wi-Fi 6 includes support for security features, such as WPA3 (Wi-Fi Protected Access) or protected management frames (PMF), but is primarily centered around 802.11ax features, such as 8 spatial streams, 1024-QAM (Quadrature Amplitude Modulation), TWT (Target Wake Time), spatial reuse, and OFDMA (orthogonal frequency-division multiple access).

802.11ax features

More streams and faster modulation

Wi-Fi 5 allowed for four concurrent signals (spatial streams) from the sender to the same receiver (beamforming) or to different receivers (MU-MIMO). Wi-Fi 6 allows for eight spatial streams. Wi-Fi 6 also adds a more complex coding method, 1024-QAM, that allows a 25% throughput increase (compared to Wi-Fi 5) for exchanges at close or mid-range.

OFDMA comes to Wi-Fi

Wi-Fi 6 also introduces OFDMA to Wi-Fi. With this technique, each client can be allocated a small segment of time and frequency within the overall channel. This way, each client can benefit from a segment of the channel. This mechanism is particularly useful for IoT devices and other clients that do not need to transmit enough data to occupy the full channel. By allocating a subset of the channel, the AP can allow more clients (stations, or STAs) to communicate at the same time without collisions, as illustrated in the figure below.

DIAGRAM: Wi-Fi 6 scheduled MAC

Wi-Fi cells are in color

In high AP density environments, multiple APs are radio neighbors. In this context, Cisco RRM optimizes each AP channel and power to
provide the best contiguous coverage. However, beyond a certain AP density, the limited number of available channels will result in some neighboring APs being on the same channel. Clients close to an AP may not notice, but clients at the edge between two cells on the same channel will suffer from traffic to the neighboring cells.

As this scenario is guaranteed to happen, Wi-Fi 6 introduces the concept of coloring. With this mechanism, a client can report Wi-Fi interferences on its channel, as displayed in the illustration below, and its associated AP can set a color for its cell (a value added to each
frame sent by the AP or its clients). When the edge client detects a frame with the right color, it considers this frame as part of its local cell traffic. If the color value is different, the client considers the frame as noise, reduces its sensitivity to that noise and can then continue to communicate with its cell members without suffering from the neighboring cell's traffic.

DIAGRAM: Wi-Fi 6 AP density efficiency

IoT enters Wi-Fi

Wi-Fi 6 also introduces features that will benefit IoT devices. For example, with target wake time (TWT), the AP can instruct a client to sleep longer, limiting collisions when a
large number of objects are present in the cell, and allowing the transmitter to conserve battery power. In theory, an IoT object could request to sleep for up to 5 years at a time!

The signal transmission structure is also optimized for IoT, with narrower sub-channels (tones) that require less energy during transmissions. At the same time, preamble and symbols are longer, allowing for more robust transmissions in outdoor or reflective environments.

For more information on the technical features of the 802.11ax standard, please read our technical white paper titled "IEEE 802.11ax: The Sixth Generation of Wi-Fi", located here: https:/

High density experience (HDX)

Some of the innovations that Cisco has introduced over the years come directly from the use case of increasing capacity and client density. These innovations are collectively grouped under the name Cisco High Density Experience (
HDX).

ClientLink

Cisco introduced ClientLink back in the days of 802.11n, and enhanced the feature to support 802.11ac Wave 1 clients. The primary purpose is to use an additional transmitter to enhance the perception of the received signal at the client by forming the transmitted elements into a focused beam. This is transmit beamforming (TxBF). The effect of ClientLink is to improve the client's Signal-to-Noise Ratio (SNR) in the downlink direction by 3-6 dB, enabling the client to maintain a higher data rate for longer. The figure below depicts this advantage with an example deployment. When ClientLink is enabled, the available data rate stays at 1300 Mbps throughout a large portion of the floor, while without ClientLink such a data rate is only available close to the AP. Since a good part of the traffic flows downstream, this directly translates into a more efficient use of airtime.

DIAGRAM: Efficient use of ClientLink

The current implementation of ClientLink maintains these advantages and adds additional considerations for new advancements in standards. Standards-based methods of beamforming became a reality with Wi-Fi 5 and Wi-Fi 6, and beamforming is now supported by both recent clients and access points. Cisco ClientLink still provides distinct advantages to all 802.11a/g/n and 11ac Wave 1 clients, while standard beamforming only applies to Wi-Fi 5 and Wi-Fi 6 clients.

Flexible Radio Assignment (FRA)

Wi-Fi networks have grown denser over time to keep up with capacity requirements. As more access points are added within the same area, channel separation becomes even more important to ensure that the RF network runs efficiently. Traditional access points are dual-band, meaning that they have one dedicated 2.4 GHz radio and one dedicated 5 GHz radio. However, 2.4 GHz is a limited spectrum that only contains 3 usable channels. When creating a dense access point network designed with 5 GHz in mind (leveraging up to 26 channels), interference in the 3 non-overlapping channels of the 2.4 GHz space is inherently created. In the past, this over-density in 2.4 GHz brought implementers to selectively disable some of the 2.4 GHz radios on access points they had just deployed. In response to this issue, Cisco created a flexible radio access point which allows a dual-band radio to be used for multiple beneficial roles within the network, instead of being limited to 2.4 GHz service. FRA algorithms use
215、RRMs RF maps to evaluate the coverage in 2.4 GHz and identifyradio resources which are not needed.FRA first identifies redundant interfaces,andthen calculates and manages the assignments.For instance,FRA can choose to re-assign the redundant radio as a second 5 GHz interface on the access point(inst
216、antlydoubling the capacity within the cell).If 5 GHz is already at peak efficiency,a monitorrole can be assigned to that flexible radio.A monitor radio is a dedicated scanning radioand benefits security,location services,and even RRMs resolution on the network.FRAincreases RRMs ability to optimize c
217、overage and increase the efficiency of the Wi-Fideployment.DIAGRAMFRA Client Aware radio role allocation74Radio excellenceFor example,one way in which FRA optimization techniques are used is in a modecalled Client Aware,illustrated in the previous figure.In this scenario,a company has alarge event i
218、n an open space area which usually only receives a mild volume of traffic.Because this area doesnt normally require a lot of Wi-Fi capacity,most flexible radioshave been assigned to a monitor role.The event,however,brings more users than usualinto this physical area.Client Aware monitors the dedicat
219、ed 5 GHz radio and,when theclient load passes a pre-set threshold,automatically changes the flexible radioassignment from a monitor role into a 5 GHz client-serving role,effectively doublingthe capacity of the cell on demand.Once the capacity crisis is over and Wi-Fi loadreturns to normal,the radios
resume their previous roles.

DBS, FlexDFS and Dual DFS Filter

As Wi-Fi has progressed, 802.11 standards have increased capacity and speed by allowing two or more channels to be bonded together. 802.11n could use 2 x 20 MHz channels to create a 40 MHz channel. 802.11ac and 802.11ax added the ability to use 80 MHz (4 x 20 MHz channels) or even 160 MHz (8 x 20 MHz channels). When 40 MHz or 80 MHz bandwidths are chosen, APs require two or four channels for every radio interface. If there are not enough channels to keep the access points isolated in frequency, the APs suffer from self-interference. Additionally, 160 MHz can be largely wasted if the clients only support 40 or 80 MHz.

To ensure more efficient allocation of bandwidth, Cisco created dynamic bandwidth selection (DBS), which adds an algorithm to the RRM dynamic channel assignment (DCA) suite. DBS tracks the client types and real-time media use (voice, video) for each radio and automatically assigns the right bandwidth for the cell based on the requirements of these clients. This mechanism allows the channel width to be adjusted as needed, optimizing channel performance while preserving optimal cell separation to avoid interference.

FlexDFS (dynamic frequency selection) solves a different problem that appeared along with bonded channels. Radars (primarily weather radars near airports) use a segment of the 5 GHz band that access points also use. According to the DFS rules, if an AP detects a radar on its channel, the AP and its clients must abandon the channel and defer to the radar. The impact is limited if the channel is only 20 MHz. But if that channel is 40, 80 or 160 MHz, the AP must abandon the entire channel, even if the radar only impacted a single 20 MHz sub-segment.

Cisco DFS identifies the radar operating frequency with a resolution of 1 MHz and therefore which specific 20 MHz segment is impacted by the radar. Relying on DBS, Cisco FlexDFS can then re-design the channel to avoid the radar while keeping the remaining segments that are not impacted. For example, an 80 MHz channel is 4 x 20 MHz segments. If a radar is detected on any of the four segments, without FlexDFS the full 80 MHz is blacklisted (not allowed to be used) for 30 minutes minimum. With FlexDFS, other options are possible and are dynamically applied by RRM. One such option is to reduce the active channel to 40 MHz, blacklist only the affected 20 MHz segment, and make the remaining 20 MHz segment available to the rest of the system (to be allocated to a nearby AP).

Even when it affects a single 20 MHz channel, a DFS event is disruptive, as the AP and all its clients have to interrupt their exchanges to find another channel. Radar blasts often come from distant systems, are short lived, and may be received while the active radio is receiving or transmitting Wi-Fi signals. A false positive detection may be better than no detection, but bringing false positives as close as possible to zero is a key goal. With Dual DFS Filter, the AP has a specialized Cisco RF ASIC that works in parallel with the serving 5 GHz radio. This second-opinion system ensures that a DFS event is triggered only when both radios confirm that the energy detected on the channel came from a radar, dramatically reducing the risk of false positives.
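The re-planning step FlexDFS performs (blacklist only the hit 20 MHz segment, keep the widest aligned sub-block that remains, release the rest to RRM) is easier to reason about in code. The Go program below is an added example written for this page, not Cisco code, and only models the behaviour described. Its assumptions are not taken from the page: a bonded channel is passed in as an ordered list of 20 MHz segments named by 802.11 channel number (channel ch is centred at 5000 + 5*ch MHz), 40 MHz sub-blocks sit at offsets 0 and 2 of that list, the 30-minute non-occupancy period is tracked per segment, and the channel set and radar frequency in main are constructed inputs. The Dual DFS second-opinion step is not modelled; a hit is taken as confirmed.

```go
package main

import (
	"fmt"
	"time"
)

// DFS non-occupancy period applied to a segment on which a radar was seen.
const nonOccupancy = 30 * time.Minute

// ChannelPlan is the bonded channel of one 5 GHz radio plus per-segment
// non-occupancy timers. Segments are 20 MHz channel numbers in ascending
// order; channel ch is centred at 5000 + 5*ch MHz (assumption, see lead-in).
type ChannelPlan struct {
	Segments  []int
	Primary   int               // primary 20 MHz channel
	Blacklist map[int]time.Time // segment -> time at which it may be used again
}

func NewChannelPlan(segments []int, primary int) *ChannelPlan {
	return &ChannelPlan{Segments: segments, Primary: primary, Blacklist: map[int]time.Time{}}
}

// SegmentFor maps a radar hit reported at 1 MHz resolution to the 20 MHz
// segment containing it; ok is false when the hit is outside the channel.
func (p *ChannelPlan) SegmentFor(freqMHz float64) (seg int, ok bool) {
	for _, ch := range p.Segments {
		centre := float64(5000 + 5*ch)
		if freqMHz >= centre-10 && freqMHz < centre+10 {
			return ch, true
		}
	}
	return 0, false
}

// Usable returns the segments whose non-occupancy period has expired at now.
func (p *ChannelPlan) Usable(now time.Time) []int {
	var out []int
	for _, s := range p.Segments {
		if until, hit := p.Blacklist[s]; !hit || !now.Before(until) {
			out = append(out, s)
		}
	}
	return out
}

// RadarEvent applies a radar hit. flex=false vacates the whole bonded channel
// (classic DFS). flex=true blacklists only the hit segment, keeps the widest
// aligned sub-block of what remains as the active channel, and returns the
// leftover usable segments as freed, for RRM to hand to a neighbouring AP.
func (p *ChannelPlan) RadarEvent(freqMHz float64, now time.Time, flex bool) (active, freed []int) {
	hit, ok := p.SegmentFor(freqMHz)
	if !ok {
		return append([]int(nil), p.Segments...), nil // not our channel: no event
	}
	until := now.Add(nonOccupancy)
	if !flex {
		for _, s := range p.Segments {
			p.Blacklist[s] = until
		}
		return nil, nil
	}
	p.Blacklist[hit] = until
	usable := map[int]bool{}
	for _, s := range p.Usable(now) {
		usable[s] = true
	}
	// Widest first (80, 40, 20 MHz for a 4-segment channel), blocks aligned to
	// the grid; among equal-width candidates prefer the one holding the
	// current primary so associated clients need not re-associate.
	for width := len(p.Segments); width >= 1 && active == nil; width /= 2 {
		for i := 0; i+width <= len(p.Segments); i += width {
			block, fits := p.Segments[i:i+width], true
			for _, s := range block {
				fits = fits && usable[s]
			}
			if fits && (active == nil || block[0] <= p.Primary && p.Primary <= block[width-1]) {
				active = block
			}
		}
	}
	for _, s := range p.Usable(now) {
		if len(active) == 0 || s < active[0] || s > active[len(active)-1] {
			freed = append(freed, s)
		}
	}
	return active, freed
}

func main() {
	// Constructed input: 80 MHz channel, primary 52 (segments 52-64), radar hit
	// at 5302 MHz, which lies in channel 60 (5290-5310 MHz).
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	classic := NewChannelPlan([]int{52, 56, 60, 64}, 52)
	flex := NewChannelPlan([]int{52, 56, 60, 64}, 52)
	a, _ := classic.RadarEvent(5302, now, false)
	fmt.Printf("classic DFS: active %v, usable now %v\n", a, classic.Usable(now))
	a, f := flex.RadarEvent(5302, now, true)
	fmt.Printf("FlexDFS: active %v (%d MHz), freed %v, channel 60 back at %s\n",
		a, 20*len(a), f, flex.Blacklist[60].Format(time.Kitchen))
}
```

Run as is, the classic path leaves nothing usable for 30 minutes, while the re-plan keeps a 40 MHz channel on the primary and hands channel 64 to RRM. The model stops at choosing the new channel; signalling the move to associated clients (a channel switch announcement) and the Dual DFS confirmation are outside it.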
BandSelect and load balancing

Most Wi-Fi devices are dual-band capable, which means that they can connect to either 2.4 or 5 GHz. However, many of these devices prefer, for any number of reasons, to connect on the more congested 2.4 GHz band instead of the 5 GHz band. This diminishes the quality of experience for the users of that cell. The client alone decides which band to use. Some clients have overly simplified logic and simply prefer the band with the strongest signal; 2.4 GHz propagates farther than 5 GHz, so it is extremely attractive under these criteria. To avoid this default choice of the 2.4 GHz band, Cisco BandSelect can be enabled so that clients are encouraged, or steered, to the 5 GHz band. BandSelect identifies true single-band clients and separates them from dual-band capable clients. If a dual-band client attempts to connect to the 2.4 GHz interface, the 2.4 GHz probe response is delayed and 5 GHz probe responses are sent, steering the client to 5 GHz.
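The per-client decision behind the delayed probe response can be modelled in a few dozen lines. The Go program below is an added example written for this page, not Cisco code: it infers dual-band capability from a recent probe request heard on 5 GHz, withholds a fixed number of 2.4 GHz probe responses from such a client, and answers clients never heard on 5 GHz at once. The window length, the cycle count, the client names and the probe sequence in main are constructed values, and per-address state like this is defeated by clients that randomize their MAC address while scanning, which a real implementation has to allow for.

```go
package main

import (
	"fmt"
	"time"
)

// Band identifies the radio that heard a probe request.
type Band int

const (
	Band24 Band = 24
	Band5  Band = 5
)

type clientState struct {
	lastSeen5 time.Time // last probe request heard from this client on 5 GHz
	withheld  int       // 2.4 GHz probe responses withheld so far
}

// BandSelect decides, per probe request, whether the radio that heard it
// should answer. Dual-band capability is inferred from a recent 5 GHz probe.
// Window and Cycles are assumed tunables, not values from the page.
type BandSelect struct {
	Window  time.Duration // a 5 GHz sighting marks the client dual-band for this long
	Cycles  int           // 2.4 GHz probe responses withheld from a dual-band client
	clients map[string]*clientState
}

func NewBandSelect(window time.Duration, cycles int) *BandSelect {
	return &BandSelect{Window: window, Cycles: cycles, clients: map[string]*clientState{}}
}

// Probe handles one probe request from mac heard on band on at time at and
// returns whether to send a probe response, plus the reason for the decision.
func (b *BandSelect) Probe(mac string, on Band, at time.Time) (respond bool, reason string) {
	st := b.clients[mac]
	if st == nil {
		st = &clientState{}
		b.clients[mac] = st
	}
	if on == Band5 {
		st.lastSeen5 = at
		return true, "5 GHz probe answered"
	}
	dualBand := !st.lastSeen5.IsZero() && at.Sub(st.lastSeen5) <= b.Window
	switch {
	case !dualBand:
		return true, "not heard on 5 GHz recently: treated as single-band, answered on 2.4 GHz"
	case st.withheld < b.Cycles:
		st.withheld++
		return false, fmt.Sprintf("dual-band client: 2.4 GHz response withheld (%d/%d)", st.withheld, b.Cycles)
	default:
		return true, "dual-band client kept probing 2.4 GHz: answered so it is not stranded"
	}
}

func main() {
	// Constructed probe sequence: a dual-band phone that scans 5 GHz first and
	// then keeps probing 2.4 GHz, and a single-band barcode scanner.
	bs := NewBandSelect(5*time.Second, 2)
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	events := []struct {
		mac string
		on  Band
		at  time.Time
	}{
		{"phone", Band5, t0},
		{"phone", Band24, t0.Add(10 * time.Millisecond)},
		{"phone", Band24, t0.Add(110 * time.Millisecond)},
		{"phone", Band24, t0.Add(210 * time.Millisecond)},
		{"scanner", Band24, t0.Add(300 * time.Millisecond)},
	}
	for _, e := range events {
		respond, why := bs.Probe(e.mac, e.on, e.at)
		fmt.Printf("%-7s %2d GHz respond=%-5v %s\n", e.mac, e.on, respond, why)
	}
}
```

The cap on withheld responses is the safety valve: a dual-band client whose 5 GHz signal is too weak to associate keeps probing on 2.4 GHz and is eventually answered there rather than being locked out.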
In high-density deployments with a large number of access points and clients, the load distribution between APs sometimes turns out to be uneven. This is largely a function of the client devices. Client load balancing is a feature that attempts to balance the client load between APs in the network. In the figure below, the access point on the right is overloaded and refuses the new client. That client then successfully joins the access point on the left, where the load is lower.

DIAGRAM: Client load balancing

Hardware innovations

Introduction

As technology keeps evolving at a faster pace, features that may have been relevant five years ago may become obsolete next year. In order to continuously offer feature and product excellence, Cisco has chosen to innovate both in hardware and software. Innovative, in-house developed hardware provides a strong and flexible foundation on which innovative software can be built. This allows for tighter integration between the hardware and innovative features that work consistently and reliably in any situation. With off-the-shelf hardware, vendors are limited to a set of pre-existing, good-enough features. With customized hardware, Cisco engineers have unparalleled flexibility to evolve the functions of access points and wireless LAN controllers as new challenges appear.

Dual 5 GHz radio

With the proliferation of Wi-Fi 5 and Wi-Fi 6 devices and increasing application capacity requirements, a single 5 GHz radio often isn't enough to handle a high density of wireless multimedia devices and the related network load. Flexible radio assignment technology integrated into the Cisco Aironet 2800, 3800 and 4800 access points and the Catalyst 9120 access points enables dual 5 GHz operation on demand. Implemented along with a multigigabit Ethernet connection, FRA doubles the capacity of a single Wi-Fi access point without requiring additional cabling. Dual 5 GHz not only increases RF capacity, but its design also equips each access point for efficient spectrum usage.

Embedding dual 5 GHz radios on the same platform is not only an innovative hardware design but an industry-first design. Traditionally, co-locating "same band" radios in close proximity is a challenge because of the radio signal isolation needed between the two radios. Without this isolation, the radio link can suffer from interference from the adjacent same-band radio.

Select Cisco Wi-Fi 5 and Wi-Fi 6 access points overcome the signal isolation challenge differently for their internal antenna and external antenna models. The external antenna model includes an additional hybrid RF-digital smart antenna connector, shown in the picture below, that can be used for an external 2.4 GHz or a second 5 GHz data radio antenna. Having the ability to connect a variety of external antennas to dual radios with a simple click is in itself an industry first and leverages the Cisco FlexPort feature. With the smart antenna connector, an installer can connect multiple complementary 2.4 GHz and 5 GHz antennas in a non-obtrusive way that preserves and enhances the signal isolation and reduces the installation complexity.

DIAGRAM: Smart antenna connector detail

The internal antenna access point models have the added isolation challenge that the antennas must all be co-located physically within the same housing. To make this work, Cisco chose a micro/macro design. This design effectively creates a cell within a cell. The solution includes antenna polarity diversity, channel/frequency diversity, and enforced power allocation limits. The antennas for the "macrocell" have strong vertical polarization and are designed to provide high gain to clients on the horizon. In the same two-dimensional plane, the micro set of antennas provides a strong horizontal polarization, resulting in high signal isolation between the two sets of antennas at 5 GHz. The illustration below shows the overlaid radiation patterns of the micro and macro cells.

DIAGRAM: Microcell and macrocell radiation patterns

Reducing the transmitter power of the microcell reduces the noise floor received at the macrocell, which effectively limits the interference. In turn, the effect of the macrocell's transmitted noise floor on the receiver of the microcell is minimized because the coverage range of the microcell is reduced.

In typical Wi-Fi deployments, an access point serves clients both near and far, multiplexed over time. With the macro/micro approach, the access point can serve near clients with the microcell at the same time as it serves distant clients with the macrocell, resulting in as much as double the total AP capacity, as illustrated in the figure below. Cisco has also developed techniques to steer clients between microcells and macrocells.

DIAGRAM: Macro and micro 5 GHz cell

Leveraging this innovation requires no additional knowledge or changes in the way the wireless network is designed and deployed, as the cell size remains the same as with traditional dual-radio cells. Cell capacity doubles with no additional management or deployment overhead.

Modularity

Benefit: enhanced functionality and expandable options (future protection)

The Wi-Fi 5 Cisco
Aironet 3800 access point supports a module port for future expandability. The module port, along with the Cisco Aironet Developer Platform (ADP), enables developers to easily prototype both hardware and software applications based on readily available development platforms. The ADP includes a reference Hardware Development Kit (HDK) which interfaces with the access point. The HDK provides Ethernet and power connectivity as well as support and mounting accommodations for many of the popular development platforms, such as Raspberry Pi, Intel Next Unit of Computing (NUC), and others.

Developers can also create custom modules that plug into the AP expansion module connector port, as illustrated in the figure below. Possible modules could be devices such as BLE readers, electronic shelf labeling (ESL), physical security, camera sensor gateways, LED lighting, and potentially other radio hardware based on technologies such as 802.11ad (60 GHz), 3.5 GHz (Citizens Broadband Radio Service, CBRS), etc. In anticipation that some developers may design cellular radio modules for the AP-3800, Cisco has incorporated cellular filtering into the design of the AP for module isolation.

DIAGRAM: AP modularity

Without such modularity options, developers would need to build a custom solution based on an access point board, increasing development time and cost. Additionally, separate infrastructure elements would need to be built to provide connectivity and power. With AP modularity, Cisco has made the process simple and cost-effective.

Multigigabit

Cisco Multigigabit (mGig) technology delivers speeds up to 5 Gbps on existing Category 5e/6 cables and up to 10 Gbps on Category 6a. The technology also supports Power over Ethernet (PoE), PoE+, and Cisco Universal PoE (UPoE) to avoid installing new electrical circuits to power the Wi-Fi 5 and Wi-Fi 6 access points. Cisco is a founding member of the NBASE-T Alliance, created in 2014, which merged with the Ethernet Alliance in April 2019, and has provided thought leadership to develop the technology and ratify the standard. Cisco has a wide range of Multigigabit capable switches. Here are the main benefits of mGig:

- Multiple speeds: Cisco mGig technology supports auto-negotiation of multiple speeds on switch ports (100 Mbps, 1 Gbps, 2.5 Gbps and 5 Gbps on Category (Cat) 5e cable, and up to 10 Gbps over Cat 6a cabling), as illustrated in the figure below
- Cable type: the technology supports a wide range of cable types including Cat 5e, Cat 6, and Cat 6a or above
- PoE power: the technology supports PoE, PoE+, and UPoE (up to 60 W) for all the supported speeds and cable types, providing access points with additional power for advanced features such as hyperlocation and modularity

DIAGRAM: Cisco Multigigabit (mGig) using NBASE-T/Ethernet Alliance technology

Cisco Aironet 3800 and 4800 series access points (Wi-Fi 5) and Cisco Catalyst 9100 series (Wi-Fi 6) support Cisco Multigigabit technology at speeds of 2.5 and 5 Gbps. This technology protects the investment in the cabling infrastructure, allowing new and faster 802.11 technologies to be transported over the same physical Ethernet infrastructure.

CleanAir - SAgE

Cisco CleanAir

Cisco CleanAir technology provides proactive, high-speed spectrum intelligence across 20, 40, 80 and 160 MHz-wide channels to accurately measure Wi-Fi channel quality and identify non-Wi-Fi sources of interference. Interfering sources that are not Wi-Fi can be tricky to detect and at the same time can consume part of, or sometimes the complete, spectrum, resulting in a reduction of access point capacity. Traditional Wi-Fi chipsets categorize received signals into two basic categories: Wi-Fi signals that the chipset understands, and noise (any energy that it doesn't understand). Non-Wi-Fi sources of interference are all seen as noise. As a result, these interferers can only be understood within the limitations of a Wi-Fi process. Interference that is weaker than a Wi-Fi signal is not seen, and interference whose transmission pattern does not match that of Wi-Fi signals is not well understood.

Cisco SAgE

Unlike competitors who use purely software-based interferer detection, Cisco has built customized silicon to enable full spectrum analysis and integrated this hardware capability into its access points. The spectrum analysis engine (SAgE), integrated into the Cisco Aironet and Catalyst access points, is specifically designed to identify sources of non-Wi-Fi interference at the highest resolution in the most simple and effective way. There are no other integrated spectrum analyzers similar to Cisco SAgE on the market. There are handheld analyzers; however, the skillset required to operate them is highly advanced and requires a local operator. In the years since the SAgE integration, Cisco has continued to innovate in the field of non-Wi-Fi interference management and detection. For example, Cisco added BLE detection along with hyperlocation to provide an angle of arrival (AoA) solution for both Wi-Fi and BLE. Similarly, Cisco SAgE was the first in the industry to perform sub-millisecond detection of radar signals.

With Cisco SAgE, Cisco access points that support CleanAir can detect 25 distinct types of interference and track hundreds of individual instances of such types per radio. Beyond the ability to detect, the information needs to be actionable. Understanding the potential impact of a given interference source requires context. For this, the ability to map the source location in relation to the resources of the network was created to provide context. Cisco CleanAir identifies which access points are affected by the interferer. Visualization software such as Cisco Prime Infrastructure or CMX can be used to represent the zone of impact.

For example, a company has remodeled and moved to an open office environment using Wi-Fi as the primary medium of access. However, wireless connectivity issues (slow throughput and disconnections) occur during certain times of the day. Cisco CleanAir is able to identify two sources of interference: a leaky microwave oven in the lunchroom, and a 5 GHz transmitter that is being used to extend a video surveillance camera feed. CleanAir mitigates the interference by moving the AP away from the heavily utilized channels. The IT administrator is alerted and is able to replace the defective oven and eventually move the camera
to a wired connection.

RF ASIC - software defined radio

Next generation Wi-Fi 6 access points, starting with the Catalyst 9120 Series, contain a new radio based on Cisco custom-designed silicon (an ASIC, application-specific integrated circuit). This analytics radio enhances the performance of the access point's client-serving radios by letting them dedicate their time and resources to client service while the RF ASIC takes charge of the RF analysis tasks.

The function of the Cisco RF ASIC is to analyze a frequency (or range of frequencies) of interest, converting the received RF signal into I/Q data (the in-phase and quadrature components, which together represent the amplitude and phase of the signal over time). This I/Q data is then passed on to a dedicated baseband processor for deep RF analysis, to compare the received I/Q to the expected I/Q for that transmission modulation. The I/Q data is then evaluated by the Spectrum Analysis Engine (SAgE) to identify sources of non-Wi-Fi interference at high resolution.

Think of the RF ASIC as a unique piece of hardware that not only contains CleanAir and SAgE, but also provides advanced RF analysis features and the ability to be programmed for additional functions as they become useful. For example, the RF ASIC also performs DFS (Dynamic Frequency Selection) event sensing to augment the serving radio's analysis of DFS. This greatly improves spectrum analysis and provides an always-on second opinion of the radio spectrum. This is referred to as Dual DFS.

DIAGRAM: Cisco RF ASIC
Innovative AP deployment solutions

In order to ensure a consistent quality of experience to users, Wi-Fi infrastructure hardware needs to be adaptable to a wide range of physical installations. For instance, a manufacturing plant deployment is very different from a carpeted office. Cisco provides flexible options to meet challenging physical requirements.

Specialty antennas

The internal antenna AP model is optimized for carpeted office space where the ceiling may not exceed 12 ft / 3.5 m. Given the physical nature of RF, performance degrades with distance from the AP. When the deployment requires an antenna position beyond 12 ft / 3.5 m, other antenna designs might be required. Cisco offers various antenna design options to provide consistent coverage and performance regardless of the physical installation requirements.

When the application requires dual 5 GHz macrocells, for example an antenna indoors and one outdoors, or perhaps two different RF coverage cells within an auditorium, the model to use would typically be an access point such as the 2800e/3800e or a Catalyst AP with external antennas. Different types of directional antennas can also be used. Environments such as very high ceilings, long corridors and/or manufacturing areas are places where focusing the energy in a given direction is desirable.

Hyperlocation antenna arrays are unique antennas designed specifically for tracking client location with high accuracy using angle of arrival (AoA). The Cisco 4800 access point integrates the hyperlocation antenna directly within the AP. The 4800 access point also provides a dual 5 GHz macro-micro cell antenna system along with an intelligent analytics radio that processes location and packet analysis. With this hyperlocation antenna array and the integrated analytics radio, radio troubleshooting becomes much easier.

Models with flexible antenna ports

Cisco offers the unique capability to change the antenna port logic of the AP, which is desirable in many deployment scenarios. The default antenna port mode of a Cisco AP is dual band (the access point uses a single antenna for both the 2.4 and 5 GHz bands), also called DRE (Dual Radiating Element). However, the AP port can be set to a mode where the radios are segmented into discrete bands, using different antennas for each band. This mode is known as SRE (Single Radiating Element).

This flexibility allows for different types of installations. For example, one AP can connect to a directional antenna for one band such as 5 GHz (providing a backhaul link for mesh functionality) while another type of antenna (e.g. omnidirectional) is used for the other band (2.4 GHz). In another AP of the same model, the same antennas can be used for both 2.4 GHz and 5 GHz connectivity, as illustrated in the figure below.

DIAGRAM: Flexible antenna use case

Access point smart antenna connector

In some cases, you may want to connect external antennas through a common cable bundle. As discussed in Chapter 5.2 Dual 5 GHz, Cisco (Aironet and Catalyst) access points come in two different models, i and e, with the i series having integrated antennas and the e series supporting external antenna options. The external antenna models have four antenna ports on top of the device, referred to as RP-TNC connectors. In the default dual band mode (meaning 2.4 and 5 GHz) the bands are shared on each of the ports labeled A-D, with the primary 5 GHz radio and the 2.4 GHz radio combined at the antenna ports for dual band operation. In this mode a DART (Digital Analog Radio Termination) connector is not used.

Models that support dual 5 GHz mode have a unique XOR radio, meaning that the 2.4 GHz radio has the ability to disable its 2.4 GHz mode and change itself into another 5 GHz radio for better 5 GHz performance. When this happens, it can no longer share the four connections on top of the device, as they are on similar frequency bands, so 5 GHz radio energy is now present on the access point DART connector.

DIAGRAM: DART connector and adapter

Upon insertion of a DART connector, the primary 5 GHz radio remains on the top connectors and the XOR radio can be configured to be either 2.4 or 5 GHz and now uses the DART connector.

DART is short for Digital Analog Radio Termination, a method by which smart antennas can be introduced with a one-insertion connection point instead of individual discrete RF connectors. This allows for deployment flexibility, enabling many new and different modes, such as:

- Dual 5 GHz cells fully configurable as any combination of micro or macro cells
- Any combination of omni or directional antennas can be used
- Different cell areas within a stadium or auditorium can be covered for better user capacity
- Antennas can cover two different areas, like indoor and outdoor, or manufacturing/retail (inside a freezer and outside it)
- Legacy single band antennas can be used, as 2.4 and 5 GHz can be split from Dual Radiating Element (DRE) into Single Radiating Element (SRE) with 2.4 GHz going out the DART connector; this also allows some government agencies to use up/down converters to relocate Wi-Fi signals into another part of the spectrum they have authority to operate in (for example, military frequencies)
- Future options with mesh networking, where one radio can have a directional backhaul while the other radio serves clients in the near field (omni-directional)

DIAGRAM: Omni and directional antenna deployment

Access point enclosures

Cisco access points are designed for use in many different and challenging environments such as manufacturing, steel mills, nuclear power plants, large warehouse freezers, hot tire manufacturing plants, medical clean rooms, etc. Cisco access point enclosures are built to resist harsh environments and are designed without vent holes and with a strong seal to withstand chemical sprays, dust or caustic vapors. Heat dissipation happens through a metal plate, which reinforces the enclosure's resistance to the elements and removes the need for vent holes. Cisco outdoor-rated APs do not need an additional enclosure, are designed to resist a wide range of temperatures and environmental conditions, and comply with stringent vibration, corrosion, and icing protection standards.

Flexible mounting options

Carpeted office spaces and other areas can have unique challenges, especially when aesthetics require the access point
to be installed above the ceiling tiles. Cisco access points are UL-2043 compliant, allowing the AP to be installed above the tiles in what is known as the plenum airspace. Cisco and its third-party partners offer a wide variety of mounting options that allow the access point in carpeted areas to be mounted on the ceiling gridwork (both in-tile and locking security tiles) or above the ceiling tile in the plenum rated area. When indoor access points are placed in harsh environments or outdoors, a NEMA (National Electrical Manufacturers Association) enclosure can also be used to limit exposure of the AP to the elements.

Infrastructure security

Introduction

With the proliferation of IoT and personal wireless-enabled devices, wireless network security is vital. Businesses around the world risk billions of dollars every year due to security breaches, ransomware and other network attacks.

Cisco provides a solid set of best practice features to secure the wireless network. The Cisco approach to security turns each element in the network into a security sensor and monitoring system, giving a powerful and scalable solution for gaining deep visibility into threats within the network space and building a first line of defense with technologies such as Encrypted Traffic Analytics (ETA). These security analytics insights are streamed constantly from the network directly to Cisco DNA Center. These elements continuously monitor the network conditions and automate policies to ensure business intent is fulfilled and the network is secure.

Securing the wireless network includes securing the client with policies, and securing the infrastructure, as shown in the diagram below. This second element includes the following components:

- First, secure the network by implementing Cisco trustworthy solutions, centralized encryption, and guest traffic segmentation.
- Second, secure the air with Cisco CleanAir technology and the Cisco aWIPS solution.

DIAGRAM: Wireless integrated security

Securing the network

Wireless security is a combination of hardware and software technologies designed to protect the network. An effective approach to network security covers multiple layers:

- Securing the network elements
- Securing the transport

Securing the network elements

Counterfeit products are not designed with built-in protections. As a result, they have a higher exposure to downtime, backdoors, built-in malware and spyware, inferior components, and denial-of-service attacks. Security is at the forefront of Cisco product design.

Cisco has created the trustworthy solutions framework, which provides a comprehensive process to verify hardware and software integrity. This approach includes all aspects of the secure development lifecycle, as illustrated below, including product security requirements, third-party security, secure design, secure coding, secure analysis, and vulnerability testing.

DIAGRAM: Trustworthy solutions framework

Cisco secure development lifecycle

One of the key elements of the Cisco trustworthy solutions process is the Cisco Secure Development Lifecycle (CSDL), illustrated in the figure below. CSDL is a proven, repeatable and measurable methodology designed to increase the resiliency and trustworthiness of Cisco products. Being ISO-compliant, CSDL is applied to thousands of Cisco products, including all Cisco wireless LAN controllers and Cisco Catalyst and Aironet access points.

DIAGRAM: Cisco secure development lifecycle

CSDL protects manufacturing, product delivery, boot, and runtime of devices to prevent tampering. Securing protocols, the boot process, signed images, and default settings ensures secure communication across the network, thereby protecting the device from attack by an individual with malicious intent.

CSDL uses trust anchor technologies that consist of defenses for secure boot and signed images. The trust anchor authenticates the hardware to provide a highly secure foundation: an immutable identity, secure storage, random number generation, and encryption. In addition, during the production lifecycle, ongoing security testing including probes and attacks validates the following key elements:
313、Integrity and robustness of the protocols that are implemented in the productWhich ports and services are enabled by defaultResistance to common attacks and scans by common open source andcommercial hacker tools.Infrastructure security103All Cisco Aironet wireless LAN controllers and access points h
314、ave gone through theextensive CSDL process to ensure highest security posture and resiliency.All CiscoAironet wireless products have the following global government certifications:FIPS-Federal Information Processing StandardsCC-Common Criteria for Information Technology Security EvaluationUCAPL-Depa
315、rtment of Defenses(DoD)Unified Capabilities Approved ProductsListCSfC-National Security Agencys(NSA)Commercial Solutions for ClassifiedSecuring the access pointAccess points(AP)need to be placed in open and common areas where the clients arelocated and hence they are necessarily more physically acce
316、ssible than controllers,switches or routers.APs need extra protection and Cisco provides a unique capabilityfor reaching this objective:AP placement-using external antennas,Cisco APs can be hidden so they dontattract attention.Physical security-Cisco AP offers a secure lockable bracket to fix the AP
317、 to themounting infrastructure so the AP cannot be taken down and tampered with.Consider lockable enclosures(designed for wireless AP)to hide APs as needed.LED mode-disable the LED indicator to limit the visual attraction of APs.In addition to physical security,Cisco has some distinctive capabilitie
318、s to protect thecommunication between APs and WLC such as:802.1X Supplicant-Access points can be authorized to the network using802.1X supplicant,with various EAP methods(EAP-FAST,EAP-PEAP and EAP-TLS).For a higher level of security,Cisco APs authenticates against RADIUSservers where the AP credenti
319、als and certificates are stored.This way,unauthorized devices cannot connect to the network on the AP switch port.104Infrastructure securityCertificate-based join process-During the join process,Cisco Aironet andCatalyst access point and controllers verify each others identity using either amanufact
320、urer installed certificate(MIC)or self-signed certificate(SSC).Also,during the join process,both AP and WLC derive a security key that is used toencrypt the control plane channel so that any configuration and managementexchanges are secure.Secure certificate-Cisco access points leverage secure uniqu
321、e device identifier(SUDI)certificates.SUDI is a X.509-compliant device certificate burned into thedevices secured chip(ACT2)during manufacturing.The SUDI certificatecontains the devices serial number,private-public keys,and the Cisco CAsignature.Its impossible to access this secure information even
322、if an AP is lostor stolen.AP Policy-Access points can also be restricted from joining a controller basedon user-defined AP policies.These are rules based on the type(s)of certificatesthat the WLC would accept(SSC,MIC,LSC)when authorizing APs against a localor remote authority such as RADIUS.Now that
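As an added example (not Cisco code and not the controller's actual implementation), the following Python models how a WLC could evaluate a user-defined AP policy of the kind described above: which certificate types are accepted, an issuer check for MIC and LSC, and a local or remote authority lookup for SSC. The issuer names, MAC addresses, keys, the SHA-256 key-hash auth-list and the RADIUS stand-in are all constructed assumptions.

```python
"""Model of a WLC evaluating a user-defined AP join policy.

Added example, not Cisco code. Assumptions not taken from the page: MIC and LSC
certificates are accepted when their issuer is in a trusted-issuer set; SSC
certificates are matched against a local auth-list keyed by AP MAC that holds a
SHA-256 hash of the AP's public key, with an optional remote authority (a
callable standing in for a RADIUS lookup) consulted when the MAC has no local
entry. Issuer names, MACs and key bytes below are constructed sample values.
"""
import hmac
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ApCertificate:
    cert_type: str     # "MIC", "SSC" or "LSC"
    issuer: str        # issuer name; an SSC is issued by the AP itself
    public_key: bytes  # public key bytes (constructed here, DER in reality)


@dataclass(frozen=True)
class JoinRequest:
    ap_mac: str
    cert: ApCertificate


@dataclass
class ApPolicy:
    accepted_types: FrozenSet[str]    # certificate types the WLC accepts
    trusted_issuers: FrozenSet[str]   # issuers trusted for MIC and LSC
    ssc_auth_list: Dict[str, str] = field(default_factory=dict)  # mac -> key hash
    # Remote authority: (mac, key_hash) -> authorized?  (RADIUS stand-in)
    remote_authority: Optional[Callable[[str, str], bool]] = None


def key_hash(public_key: bytes) -> str:
    """Hash that identifies an AP's self-signed key in the auth-list."""
    return sha256(public_key).hexdigest()


def authorize_ap(req: JoinRequest, policy: ApPolicy) -> Tuple[bool, str]:
    """Return (allowed, reason) for an AP join attempt under the policy."""
    cert, mac = req.cert, req.ap_mac.lower()
    if cert.cert_type not in policy.accepted_types:
        return False, f"{cert.cert_type} is not an accepted certificate type"
    if cert.cert_type in ("MIC", "LSC"):
        if cert.issuer not in policy.trusted_issuers:
            return False, f"{cert.cert_type} issuer {cert.issuer!r} is not trusted"
        return True, f"{cert.cert_type} from trusted issuer"
    if cert.cert_type == "SSC":
        presented = key_hash(cert.public_key)
        expected = policy.ssc_auth_list.get(mac)
        if expected is not None:
            if hmac.compare_digest(expected, presented):
                return True, "SSC matches local auth-list"
            return False, "SSC key hash does not match local auth-list"
        if policy.remote_authority and policy.remote_authority(mac, presented):
            return True, "SSC authorized by remote authority"
        return False, "SSC AP unknown to local and remote authority"
    return False, f"unknown certificate type {cert.cert_type!r}"


# Constructed sample policy: accept MIC and SSC, not LSC.
MANUFACTURER_CA = "Cisco Manufacturing CA (placeholder name)"
SSC_AP_MAC = "aa:bb:cc:dd:ee:01"
SSC_AP_KEY = b"constructed-ssc-public-key-01"


def radius_stub(mac: str, presented_hash: str) -> bool:
    """Stand-in for a RADIUS authorization lookup that knows one AP."""
    return (mac, presented_hash) == ("aa:bb:cc:dd:ee:02", key_hash(b"constructed-ssc-public-key-02"))


DEMO_POLICY = ApPolicy(
    accepted_types=frozenset({"MIC", "SSC"}),
    trusted_issuers=frozenset({MANUFACTURER_CA}),
    ssc_auth_list={SSC_AP_MAC: key_hash(SSC_AP_KEY)},
    remote_authority=radius_stub,
)


def run_demo() -> Dict[str, bool]:
    """Evaluate a set of constructed join attempts against DEMO_POLICY."""
    attempts = {
        "mic_trusted": JoinRequest("00:11:22:33:44:01", ApCertificate("MIC", MANUFACTURER_CA, b"mic-key-01")),
        "mic_untrusted": JoinRequest("00:11:22:33:44:02", ApCertificate("MIC", "Some Other CA", b"mic-key-02")),
        "lsc_not_in_policy": JoinRequest("00:11:22:33:44:03", ApCertificate("LSC", MANUFACTURER_CA, b"lsc-key-03")),
        "ssc_local_ok": JoinRequest(SSC_AP_MAC, ApCertificate("SSC", "self", SSC_AP_KEY)),
        "ssc_local_wrong_key": JoinRequest(SSC_AP_MAC, ApCertificate("SSC", "self", b"replaced-key")),
        "ssc_remote_ok": JoinRequest("aa:bb:cc:dd:ee:02", ApCertificate("SSC", "self", b"constructed-ssc-public-key-02")),
        "ssc_unknown": JoinRequest("aa:bb:cc:dd:ee:03", ApCertificate("SSC", "self", b"unknown-key")),
    }
    return {name: authorize_ap(req, DEMO_POLICY)[0] for name, req in attempts.items()}


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:22s} {'JOIN' if allowed else 'REJECT'}")
```

The point to take from the model is the order of checks: the certificate type is matched against policy first, so an LSC is refused even when it chains to a trusted issuer, and an SSC whose MAC is known but whose key hash differs is refused rather than falling through to the remote authority.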
Now that the wireless network infrastructure is secured (AP and WLC), protecting client data traffic across the network is also critical.

Securing the transport

Most access points are deployed in a secure network within a company building, so data protection is usually not necessary. In contrast, for teleworkers, the traffic between a home office access point and the controller travels through an unsecured public network; or sometimes the network admin may have no control over the wired infrastructure used as transport. For these scenarios, the Cisco wireless solution has the distinctive capability of protecting the integrity of the client data as it traverses unsecured wired networks.

Datagram Transport Layer Security (DTLS) encryption

Data and control traffic between the AP and the wireless LAN controller use different tunnels, as illustrated in the picture below. Access point control traffic exchanged with the controller is always encrypted. Client data forwarded to the controller can be encrypted with DTLS.

DIAGRAM: Wireless control and data traffic tunnels

However, over-the-air encryption for client traffic is managed at the access point level, adopting a distributed model (AP-based) instead of a centralized one (controller-based). Two main considerations have driven this choice:
- Packet encryption optimization: 802.11 frame aggregation is negotiated between the AP and the client. When encryption is performed at the AP level, the AP and client can negotiate the right aggregate size, and the AP can then encrypt the entire aggregate. When encryption is performed at the WLC, such flexibility is lost. As a result, aggregation loses efficiency.
- Increased security: In a centralized encryption deployment, it could be possible to spoof a client MAC address and send encrypted packets with a wrong key. If the AP is not processing the frame, it will have no way to know if the packets are encrypted correctly and will blindly pass them to the WLC. This will result in a DoS attack, where the controller will have to process and discard all the malformed frames. By distributing the encryption, the AP will drop these packets right away and protect the whole network from these attacks.
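To make the second consideration concrete, here is an added simulation (not from the book and not Cisco code) of the controller's workload under both models. HMAC-SHA256 stands in for the per-client 802.11 encryption and integrity check that the AP performs, and the client MAC, pairwise keys and frame counts are constructed sample values.

```python
"""Constructed simulation: per-frame verification at the AP versus at the WLC.

Added example, not Cisco's implementation. HMAC-SHA256 over the payload stands
in for the 802.11 per-client encryption/integrity check (AES-CCMP MIC). The
client MAC, the pairwise keys and the frame counts are constructed values.
"""
import hmac
from dataclasses import dataclass
from hashlib import sha256
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    payload: bytes
    tag: bytes  # integrity tag computed with the sender's pairwise key


def protect(key: bytes, payload: bytes) -> bytes:
    """Tag a client computes over its payload with its pairwise key."""
    return hmac.new(key, payload, sha256).digest()


def verify(key: bytes, frame: Frame) -> bool:
    """Constant-time check that the frame was protected with this key."""
    return hmac.compare_digest(protect(key, frame.payload), frame.tag)


def ap_distributed(frames: List[Frame], keys: Dict[str, bytes]) -> Tuple[List[Frame], int]:
    """AP-based model: each frame is checked against the key bound to its source
    MAC, and anything that fails is dropped at the edge before the tunnel."""
    forwarded, dropped = [], 0
    for f in frames:
        key = keys.get(f.src_mac)
        if key is not None and verify(key, f):
            forwarded.append(f)
        else:
            dropped += 1
    return forwarded, dropped


def ap_centralized(frames: List[Frame], keys: Dict[str, bytes]) -> Tuple[List[Frame], int]:
    """Controller-based model: the AP holds no client keys, so it cannot tell a
    well-formed frame from a forgery and tunnels everything to the WLC."""
    return list(frames), 0


def controller(frames: List[Frame], keys: Dict[str, bytes]) -> Dict[str, int]:
    """Controller work: every received frame costs one verification; forged
    frames are discarded only after that work has been spent."""
    stats = {"processed": 0, "accepted": 0, "discarded": 0}
    for f in frames:
        stats["processed"] += 1
        key = keys.get(f.src_mac)
        if key is not None and verify(key, f):
            stats["accepted"] += 1
        else:
            stats["discarded"] += 1
    return stats


def simulate(legit_frames: int = 10, spoofed_frames: int = 1000) -> Dict[str, Dict[str, int]]:
    """Run both models over the same constructed traffic and return the
    controller statistics plus the number of frames the AP dropped."""
    client_mac = "aa:bb:cc:00:00:01"                                   # constructed
    keys = {client_mac: b"constructed-pairwise-key-for-client-1"}      # constructed
    wrong_key = b"key-the-spoofer-does-not-have"                       # constructed
    traffic = [Frame(client_mac, b"data-%d" % i, protect(keys[client_mac], b"data-%d" % i))
               for i in range(legit_frames)]
    # Frames carrying the legitimate client's MAC but protected with a wrong key.
    traffic += [Frame(client_mac, b"junk-%d" % i, protect(wrong_key, b"junk-%d" % i))
                for i in range(spoofed_frames)]
    models: Dict[str, Callable[[List[Frame], Dict[str, bytes]], Tuple[List[Frame], int]]] = {
        "distributed": ap_distributed,
        "centralized": ap_centralized,
    }
    results = {}
    for name, ap in models.items():
        forwarded, dropped_at_ap = ap(traffic, keys)
        stats = controller(forwarded, keys)
        stats["dropped_at_ap"] = dropped_at_ap
        results[name] = stats
    return results


if __name__ == "__main__":
    for model, stats in simulate().items():
        print(model, stats)
```

With the default counts the controller in the distributed model processes only the 10 valid frames while the AP drops the 1,000 forgeries; in the centralized model the controller processes all 1,010 and discards 1,000 of them, which is the amplification the text warns about.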
Guest anchor

Guest traffic needs to be secured and separated from the corporate enterprise network. An element of such isolation is to forward guest traffic to dedicated anchor controllers located in the demilitarized zone (DMZ), as illustrated in the figure below.

DIAGRAM: Secure isolation with guest anchor

Guest traffic is received on the access points, forwarded to the foreign controller, and tunneled automatically to the anchor controller. Traffic between controllers can also be encrypted. This topology provides a clear separation (or isolation), as guest traffic cannot make its way back to the corporate network through the firewall, and is only forwarded to the internet. Any risk of malicious activity that may occur is constrained within the non-trusted area. Cisco guest anchoring provides an additional level of security and performance, since anchor controllers can be solely dedicated to supporting guest access functions (providing guest tunnel termination), and not used for managing access points in the enterprise.

Anchor controller redundancy can also be built into the design to add an additional layer of reliability for guest services. If an active anchor fails or becomes unreachable, the fore