#CiscoLive
BRKEWN-2036
Designing Enterprise Wireless Networks for Large Complex Environments
Alan Dumdei, TSA Wireless COE
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Goals for this session
- Understanding of some of the challenges of complex environments.
- Be able to relate these challenges and solutions to your network.
- Arm you with:
  - Things to watch out for
  - Solutions and workarounds
  - Tools to help you in your wireless deployment

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Who is Al?
The important stuff: Julie, Bo, Presly, Malilah. Running/biking/exploring, just fun, build, play. It's Texas, we smoke everything!

Agenda
- Introduction
- Analysis of 3 Verticals
- High Level Architectures
- High Availability
- Multicast
- RF Design
- 6 GHz
- AI RRM
- Security Concerns

Analysis of 3 verticals

General requirements and use cases
                  Higher Ed        Hospitality      Health Care
Scale             10-20K APs       20-50K APs       6-8K APs
                  200K+ clients    200K+ clients    40K+ clients
Reliability       Key              Key              Key+
Cost/Performance  Cost             Balanced         Performance

Architectural and use case requirements
Higher Ed
- Architecture: L3 to the buildings; Bonjour; fragmented
- Typical use cases: Eduroam; dormitory and personal use; BYOD
- Unique challenges: R&D facilities; multiple campuses
Hospitality
- Architecture: L3 to the MDF; hybrid data center; operations and guest experience
- Typical use cases: guest; RLANs; high-capacity venues
- Unique challenges: aesthetics; constantly changing environment; international operations
Health Care
- Architecture: L3 to the floor with segmentation; multicast; location services (BLE/Wi-Fi)
- Typical use cases: still have 2.4 GHz-only devices; always on; BYOD
- Unique challenges: radiology; operating rooms; VoWiFi

Deployment and operational use cases
Higher Ed
- Operational: seasonal change windows; often have coding skills on staff; visibility critical
- Security challenges: research and development; students
- RF design: large outdoor areas; areas of high capacity; leakage between buildings
Hospitality
- Operational: off hours; relatively small staff; visibility critical
- Security challenges: gaming; office/BOH
- RF design: arenas/conference space; metal ceilings; high-rise structures
Health Care
- Operational: zero downtime; consistent performance; visibility critical
- Security challenges: HIPAA; patient monitoring devices; wired devices
- RF design: lots of cinderblock construction; must balance 2.4 GHz with 5 and 6 GHz

High Level Architectures
Considerations in wired/wireless architectures

Wired considerations for wireless architectures
- Switching: L3/L2 challenges; switching/routing; roaming; PoE
- Cloud considerations: private vs. public; must be FlexConnect LS (local switching); manageability
- Gateway requirements: CAM table; throughput; IP helper
- Segmentation: VLAN; VRF; SGT

Think scale!
Scaling
- Rates of authentications
- Number of concurrent subscribers
- Number of subscribers in 24 hours
- Types of authentication
- DHCP exhaustion
- CAM limits
- Timers: idle, session, EAP
It's about the total count. It's about the rates. (Wait, not that kind of scale!)

Architecture/scale example for an events center
- The conference lets out and 15K subscribers will roam from the conference center to the hotel.
- Using an open SSID with Web Auth (as an example).
- Watch out for "Pull out your phones and ..."
- RF discussion not covered here (see the RF Design section).
- Central switching is used to minimize large L2 domains (L3 to the AP), but similar design considerations apply to local switching.
- Know your requirements first!

Architecture/scale example for an events center: design considerations (PLAN!)
- Where are the L3 roaming boundaries?
- Dot1x authentication rates (75-150 auth/sec per node depending on type)
- MAB (400+ auth/sec per node depending on type)
- 15K concurrent subscribers (AAA/WLC/DHCP/switch)
- CAM table on the core switch: are there multiple controllers?
- Multiple hops to the gateway?
- Subnet sizes / VLAN groups
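The "think scale" list above is a set of rates and totals, and the event-centre numbers (15K subscribers, 75-150 dot1x auth/sec per node, 400+ MAB auth/sec per node) only become a plan once they are turned into node counts, subnet counts and MAC-table headroom. The following planner is an added example, not Cisco's tooling or anything from the deck: the per-node auth rates and the 15K burst come from the slides, while the roam window, DHCP lease length, subnet size, core CAM capacity and wired MAC count are constructed assumptions a designer would replace with their own figures. It also goes slightly beyond the slide by tying DHCP exhaustion to lease length and the 24-hour subscriber count.

```python
"""Scale planner for the 'conference lets out' scenario: AAA node count,
DHCP pool / VLAN-group sizing and core-switch CAM headroom for a burst
of roaming subscribers.  Added example; figures marked 'assumed' or
'constructed' are not from the slide deck."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScaleInputs:
    concurrent_subscribers: int     # peak clients arriving in the burst (slide: 15K)
    daily_unique_subscribers: int   # distinct clients seen in 24 hours (constructed)
    roam_window_seconds: int        # seconds in which the burst must finish authenticating (assumed)
    dot1x_auth_per_node: int        # slide figure: 75-150 auth/sec per AAA node
    mab_auth_per_node: int          # slide figure: 400+ auth/sec per AAA node
    dhcp_lease_hours: float         # lease length on the client subnets (assumed)
    subnet_prefix_len: int          # prefix length of each VLAN-group subnet (assumed)
    cam_table_capacity: int         # MAC entries the core switch can hold (assumed)
    wired_mac_entries: int          # MACs already consumed by wired hosts (constructed)


def aaa_nodes_needed(subscribers: int, auth_rate_per_node: int, window_seconds: int) -> int:
    """Smallest number of AAA nodes that can authenticate `subscribers` within `window_seconds`."""
    if auth_rate_per_node <= 0 or window_seconds <= 0:
        raise ValueError("rate and window must be positive")
    return math.ceil(subscribers / (auth_rate_per_node * window_seconds))


def drain_seconds(subscribers: int, nodes: int, auth_rate_per_node: int) -> int:
    """Seconds for `nodes` AAA servers to work through an authentication backlog."""
    return math.ceil(subscribers / (nodes * auth_rate_per_node))


def usable_addresses(prefix_len: int) -> int:
    """Host addresses per subnet after reserving network, broadcast and gateway."""
    return 2 ** (32 - prefix_len) - 3


def peak_leases(concurrent: int, daily_unique: int, lease_hours: float) -> int:
    """Addresses held at once.  Never below the concurrent count; with arrivals
    spread evenly over 24 h, daily_unique * lease_hours / 24 leases are still
    unexpired (uniform-arrival assumption; real event traffic is burstier)."""
    return max(concurrent, math.ceil(daily_unique * lease_hours / 24))


def vlan_groups_needed(leases: int, prefix_len: int, max_utilisation: float = 0.8) -> int:
    """Subnets required in the VLAN group, keeping every pool under `max_utilisation`."""
    per_subnet = math.floor(usable_addresses(prefix_len) * max_utilisation)
    return math.ceil(leases / per_subnet)


def cam_headroom(capacity: int, wired_entries: int, wireless_clients: int) -> int:
    """MAC-table entries left on the core once every wireless client is learned there
    (central switching: each controller behind the core adds its clients' MACs)."""
    return capacity - wired_entries - wireless_clients


def plan(i: ScaleInputs) -> dict:
    """Run all of the sizing steps for one scenario and return the numbers."""
    leases = peak_leases(i.concurrent_subscribers, i.daily_unique_subscribers, i.dhcp_lease_hours)
    dot1x_nodes = aaa_nodes_needed(i.concurrent_subscribers, i.dot1x_auth_per_node, i.roam_window_seconds)
    mab_nodes = aaa_nodes_needed(i.concurrent_subscribers, i.mab_auth_per_node, i.roam_window_seconds)
    return {
        "dot1x_nodes": dot1x_nodes,
        "dot1x_drain_seconds": drain_seconds(i.concurrent_subscribers, dot1x_nodes, i.dot1x_auth_per_node),
        "mab_nodes": mab_nodes,
        "mab_drain_seconds": drain_seconds(i.concurrent_subscribers, mab_nodes, i.mab_auth_per_node),
        "peak_leases": leases,
        "vlan_groups": vlan_groups_needed(leases, i.subnet_prefix_len),
        "cam_headroom": cam_headroom(i.cam_table_capacity, i.wired_mac_entries, i.concurrent_subscribers),
    }


# Constructed scenario: the slide's 15K burst with assumed window, lease and switch sizes.
EVENT = ScaleInputs(
    concurrent_subscribers=15_000, daily_unique_subscribers=40_000, roam_window_seconds=120,
    dot1x_auth_per_node=75, mab_auth_per_node=400,
    dhcp_lease_hours=4, subnet_prefix_len=22,
    cam_table_capacity=32_768, wired_mac_entries=4_000,
)

if __name__ == "__main__":
    for key, value in plan(EVENT).items():
        print(f"{key:>22}: {value}")
```

Two things the numbers make visible: the low end of the dot1x rate needs a second AAA node to clear the burst in two minutes where MAB clears it on one, and the same 40K daily subscriber count needs roughly two and a half times as many /22 subnets at a 24-hour lease as at a 4-hour lease, which is where the DHCP exhaustion and timer bullets on the scaling slide come together.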
Also enable Proxy ARP to minimize broadcast/unicast traffic.

RF Design / 6 GHz (fragment)
- Pure capacity: phones (1-8 Mbps streaming), target -65 dBm
- Can have RNR with PSC and FILS or UBR

Use cases: 3-band SSID
- BOH/Office: all WPA3; requires control of the devices. If you can control the devices (Cisco has this deployed in certain offices), fast roaming works across bands.
- General use: separate 2.4+5 GHz and 6 GHz; WPA2 on the legacy bands, WPA3 on 6 GHz; same SSID. Accommodates legacy clients. No fast roaming between bands. Some clients may "bounce", causing disruption to the client and to network loading. Typically recommended for Eduroam.
- Special case: separate 2.4+5 GHz and 6 GHz; WPA2 on the legacy bands, WPA3 on 6 GHz; different 6 GHz SSID. Like general use, but can help reduce the bounce seen in general use. RNR is still effective. Clients will often stay at 5 GHz.
- Not recommended: separate 2.4+5 GHz and 6 GHz; WPA2 transition mode on the legacy bands, WPA3 on 6 GHz; same 6 GHz SSID. It works, but a client may think it is on WPA3 when it is on WPA2.
- 17.12 adds support for Transition Mode: one profile to rule them all!

AI RRM
The next generation of RF management

AI Enhanced RRM (NEW! in Cisco DNAC 2.3.4)
- What is RRM?
- The goal for AI Enhanced RRM since the beginning has been to provide clear and actionable information.
- Insights give actionable suggestions on how to improve the configurations.
- The AI RF Profile Simulator allows the admin to model the suggestions in a safe environment using their own data from the Analytics Cloud.

WNCd
What is it and how does it affect my design?

WNCd, what is it
- AireOS was single threaded: a task was received, scheduled and processed. This worked OK, but when it became busy it affected everything. Sort of an all-or-nothing approach.
- IOS-XE (C9800) added multithreaded support: the Wireless Network Control daemon (WNCd) was created.
- The number of WNCd processes varies from 1 to 8 based on the size of the Wireless LAN Controller.
- Each process runs independent of the other processes.
- The processes are responsible for managing AP and client sessions.

More about WNCd
Each WNCd instance (WNCd1 to WNCd4 shown) runs its own CAPWAP, DOT11, AAA, IP Learn, Policy Mgr and LISP functions.

Platform                  WNCd instances
EWC (AP or C9k switch)    1
C9800-L                   1
C9800-CL (S)              1
C9800-CL (M)              3
C9800-40                  5
C9800-CL (L)              7
C9800-80                  8

How does this affect my design
- High CPU can cause APs to drop. Target less than 500 APs per WNCd.
- Roaming between APs on different WNCd processes will add latency to the roam.
- Site tags are used to map APs to WNCd processes.
- Two methods of assigning site tags to WNCd processes, shown for Site 1 = 200 APs, Site 2 = 100, Site 3 = 300, Site 4 = 50:

Old: round robin        New: weighted grouping
WNCd 1   500            WNCd 1   300
WNCd 2   150            WNCd 2   350

- 17.12: automatic WNCd load balancing

WNCd Example #1
- High probe count can cause high WNCd CPU.
- Poor coverage can drive up client probe rates:
  - Coverage between buildings on campus
  - Areas where clients are entering and exiting
  - Outdoor areas
- High roaming can increase client probe rates:
  - Class lets out
  - Event starting or ending
  - If an AP goes offline this cascades
- Solution: fix the coverage issues; reduce the probe queue depth.

WNCd Example #2
- High volumes of mDNS traffic cause high WNCd CPU.
- The mDNS gateway should be enabled to limit mDNS.
- Enabling Apple Continuity causes high volumes of mDNS; it is typically meant for home use:
  - Dormitories (student use)
  - Guest rooms (guest use)
  - The Monterey update allows a MacBook to advertise as a TV: classrooms; meeting/conference rooms
- Solution: with the mDNS gateway enabled, remove any service not required for the venue. For services that are enabled, assign them to specific locations.
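The site-tag slide above gives one worked split of four site tags across two WNCd processes: round robin lands 500 APs on WNCd 1 (at the "fewer than 500" target), while weighted grouping balances them to 300/350. The model below is an added example, not the C9800's own placement code, whose algorithm the deck does not describe: it reproduces the round-robin result exactly and models the weighted method as greedy heaviest-first placement onto the least-loaded WNCd, which yields the same 300/350 pairing with the process labels swapped (tie-breaking decides which WNCd gets which pair). It goes one step beyond the slide with an optional `keep_together` list, the "group dorm and classrooms in the same WNCd" strategy from the university design slide later in the deck, so that roams between paired sites never cross WNCd processes. Site names, AP counts and the helper names are the slide's figures and this example's own assumptions.

```python
"""Model of site-tag to WNCd placement: the old round-robin assignment next
to a weighted (heaviest-first, least-loaded) grouping, checked against the
'fewer than 500 APs per WNCd' target.  Added example, not controller code."""
from typing import Dict, Iterable, List, Sequence

# AP count per site tag, taken from the slide's worked example.
SITES: Dict[str, int] = {"Site 1": 200, "Site 2": 100, "Site 3": 300, "Site 4": 50}
AP_TARGET_PER_WNCD = 500

Assignment = Dict[int, List[str]]


def round_robin(sites: Dict[str, int], wncd_count: int) -> Assignment:
    """Old method: deal site tags to WNCd 1..n in order, ignoring their AP counts."""
    assignment: Assignment = {n: [] for n in range(1, wncd_count + 1)}
    for index, site in enumerate(sites):
        assignment[1 + index % wncd_count].append(site)
    return assignment


def weighted_grouping(sites: Dict[str, int], wncd_count: int,
                      keep_together: Sequence[Iterable[str]] = ()) -> Assignment:
    """Weighted method, modelled as greedy heaviest-first placement onto the
    least-loaded WNCd.  `keep_together` lists site tags that must share a WNCd
    (e.g. a dorm and the classrooms its users roam to) so that roam stays local."""
    units: Dict[str, List[str]] = {}
    for group in keep_together:
        members = list(group)
        units["+".join(members)] = members          # a group is placed as one unit
    grouped = {s for members in units.values() for s in members}
    for site in sites:
        if site not in grouped:
            units[site] = [site]
    weight = {u: sum(sites[s] for s in members) for u, members in units.items()}
    load = {n: 0 for n in range(1, wncd_count + 1)}
    assignment: Assignment = {n: [] for n in load}
    for unit in sorted(units, key=lambda u: (-weight[u], u)):   # heaviest first, name breaks ties
        target = min(load, key=lambda n: (load[n], n))          # least loaded, lowest number on ties
        assignment[target].extend(units[unit])
        load[target] += weight[unit]
    return assignment


def wncd_load(assignment: Assignment, sites: Dict[str, int]) -> Dict[int, int]:
    """APs handled by each WNCd under an assignment."""
    return {n: sum(sites[s] for s in names) for n, names in assignment.items()}


def over_target(load: Dict[int, int], target: int = AP_TARGET_PER_WNCD) -> List[int]:
    """WNCd numbers at or above the AP target (the slide wants fewer than 500)."""
    return [n for n, aps in load.items() if aps >= target]


def same_wncd(assignment: Assignment, a: str, b: str) -> bool:
    """True when two site tags land on the same WNCd, so roams between them stay local."""
    return any(a in names and b in names for names in assignment.values())


if __name__ == "__main__":
    cases = (
        ("round robin", round_robin(SITES, 2)),
        ("weighted", weighted_grouping(SITES, 2)),
        ("weighted, Site 1 + Site 2 together", weighted_grouping(SITES, 2, [("Site 1", "Site 2")])),
    )
    for label, result in cases:
        load = wncd_load(result, SITES)
        print(f"{label}: {load}, over target: {over_target(load)}")
```

The `over_target` check is the one to keep in a pre-change review: round robin is flagged on WNCd 1 at exactly 500 APs, the weighted split is not, and the grouped variant shows that keeping a dorm and its classrooms together costs nothing here because the pair still fits under the target.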
Security Concerns
Basic concepts in wireless security

Wireless Security
Manage the environment
- Basic wireless security: protection; segmentation; switch-port tracing; RLDP; rogue management
- Advanced wireless security: WIPS
- Cisco CleanAir: visibility of non-Wi-Fi interferers
- What's your policy!
Secure the control
- PMF or MFP (RMF)
- Encryption: AES, CCMP, GCMP
- Authentication: access
- Authorization: to what?
- PSIRTs: vulnerabilities
- Key management: 802.1X, PSK, SAE, OWE
- Tagging: VLAN, SGT
- ACL: IP ACL, SG ACL, dACL, URL ACL
- Routing: PBR, VRF, P2P
- Fabric: macro/micro
- RBAC: least required, TACACS
- DHCP spoofing: hide GiAddr, DHCP snooping

Other Design Considerations
Considerations often overlooked

Guest Architectures (Anchor)
[Diagram: anchor controller in the L3 network between Internal and Internet, with ISE, Spaces, OpenRoaming and AAA]

Guest Architectures
[Diagram: as above; 17.12 adds VRF from the WLC]

Inter-Release Controller Mobility
- This will work for areas where you have both AireOS and IOS-XE controllers, but:
  - 9800 to/from AireOS is L3 only!
  - This uses a session on both controllers.
  - Hits the WNCd process.
- Other solutions: minimize areas for roaming; no salt and pepper.
- 17.9.3 now allows X700 series APs to coexist with X800 and all Catalyst APs.

Sleeping Clients
[Diagram: client with static IP 1.2.3.4]
- Certain static IP devices, such as printers, IoT and medical devices.
- Without this enabled, devices time out with the DHCP policy timeout.
- Enabled per WLAN.
- But: when enabled, unknown ARP requests are broadcast!

Typical Use Cases
Example design requirements and solutions

University Campus (requirements)
- Periodic high roaming times (class break)
- High authentication/AAA
- High dot11 activity
- High probing
- mDNS

University Campus (design strategies)
- Group dorm and classrooms in the same WNCd
- Reduce the probe queue depth
- Enable fast roaming/key caching
- If local AAA (ISE), use a distributed architecture with load balancing
- Ensure good coverage where roaming will occur
- See WNCd Example #2 for mDNS solutions
- If CleanAir shows hundreds of thousands of interferers, disable that band on CleanAir

Event Center (requirements)
- Coverage is good, but:
  - High client counts (200)
  - High roaming loads at certain times
  - Wide range of clients and client behavior

Event Center (design solutions)
- Disable .11k, as this is only useful at peak times and hits WNCd CPU
- Watch out for high numbers of clients in the authenticating state
- May need to decrease the EAP timeout to flush sessions not established (the default is good)
- Look for APs set to abnormally high power levels
- Consider more directional antennas and APs
- Do not enable passive client
- Check for high ARP rates and police (2000 packets/sec)
- In the case of multiple controllers on one core switch, MAC address capacity (CAM) is a concern

Hospital VoIP/Badge Paging
- Normally VoIP traffic is unicast (QoS/AVC)
- Paging is multicast
- The server sends a message to the clients telling them which multicast group to join
- All members join the group and get the page from one of the clients
- The WLC becomes a multicast client
[Diagram: server and VoIP clients]

Hospital VoIP/Badge Paging (design solutions)
- Enable snooping
- Enable Multicast-Multicast mode on the WLC
- PIM Sparse Mode is used
- L3 interfaces for AP management need PIM
- L3 interfaces on the switch connecting to the WLC need PIM

Useful References
Things to use later for your designs

Really good tools
- https:/ Config Analyzer Express (WCAE)
- WLAN Poller
- WiFi Hawk
- Wireless Debug Analyzer
- WLC Config Converter (BETA)

Useful references
- Wi-Fi 6E 6 GHz worldwide allocations: https://www.wi-fi.org/countries-enabling-wi-fi-in-6-ghz-wi-fi-6e
- 9800 Best Practices: https:/
- Deployment Paper: https:/
- part 1: https:/
- part 2: https://spaces.at.internet2.edu/display/eduroam/eduroam-US+Knowledge+Base
- ISE Scale Documents: https:/

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education (related sessions)
- BRKEWN-2087 High Density Wi-Fi Design, Deployment, and Optimization
- BRKEWN-2846 High Availability Design with Cisco Catalyst 9800 Controllers
- BRKEWN-2031 Design and Deployment of Modern Wireless Networks
- BRKEWN-2000 Design/Deployment and Tuning of Outdoor Wi-Fi & Work Group Bridges
- BRKEWN-3413 Advanced RF Tuning for Wi-Fi 6E with Catalyst Wireless: Become an Expert, while getting a little help from AI
- BRKEWN-1053 Troubleshoot Cisco Wireless using Cisco DNA at a University
- BRKEWN-2658 Implement and Troubleshoot New Features from Cisco DNA Spaces to Deliver Next Generation Location Based Solutions
- BRKEWN-2926 Cisco Wi-Fi: how to tune your design and configurations for your most demanding clients and applications

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Thank you
#CiscoLive