Introduction to Cisco Catalyst 9800 Wireless - Cisco Live

Aparajita Sood, Technical Marketing Engineer

BRKEWN-2670

Introduction to Cisco Catalyst 9800 Wireless Controller

Questions? Use Cisco Webex Teams to chat with the speaker after the session

Find this session in the Cisco Events Mobile App

Click “Join the Discussion”

Install Webex Teams or go directly to the team space

Enter messages/questions in the team space

How

1

2

3

4

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams

TECEWN-2005 3


Agenda

Why Catalyst 9800 ?

Platform Support | Software Interoperability | IRCM

Cisco Catalyst 9800 Wireless Controller Appliances

Cisco Catalyst 9800 Wireless Controller Public and Private Cloud

Cisco Catalyst 9800 Series Wireless Controller for SDA

Embedded Wireless Controller on Catalyst 9100

Differentiators

High Availability

Security

Programmability and Telemetry

Adoption

New Configuration Model

Migration Strategies

TECEWN-2005 4


INTENT CONTEXT

Intent-based Network Infrastructure

Intent-Based Networking (IBN) strategy

CONTEXT

LEARNING

SECURITY

INTENT

DNA Center

Policy Automation Assurance

TECEWN-2005 5


Best Access Experience for IT and IoTstarts with the Catalyst Access Network

Automation Security AnalyticsBuilt for intent-based networking

Fully Integrated End to End

Access SwitchesAccess Points Distribution/Core Wireless Controller

9200/9300/9400

Catalyst Catalyst9500/9600 Series

Catalyst9800 Series

Catalyst9100 Series

Most comprehensive mGig portfolio

Wi-Fi 6

Campus Optimized 25G/40G/100G

Industry’s only modular WLC with 40G/100G

uplinks

Wi-Fi 6, 802.3bt Ready

48P 5G + 25G/40G uplinks

Wi-Fi 6

Wi-Fi 6

Wi-Fi 6


Cisco Catalyst 9800 Wireless Controllers

Cisco Catalyst 9100 Access Points

Cisco’s Next Gen Wireless Stack is Ready for Scale Deployments

7TECEWN-2005

Enabling next-generation mobility powered for Wi-Fi 6

Resilient Secure Intelligent

Translate business intent into network policy and capture actionable insights

Cisco DNA Center Cisco DNA Spaces

Digitize people, spaces and things

Managed by Digitized by


Catalyst Wireless Stack Innovations

8TECEWN-2005

Catalyst 9800 Launched

WLC SMUAP SP and AP DPProgrammability

Encrypted Traffic AnalyticsSoftware Define Access

iPSK, Rogue, wIPS

Cisco DNA-C Assurance

AI/ML Base AnalyticsApp Visibility and Experience

Intelligent CaptureNetwork Sensor

Apple, Samsung Analytics

Innovations on Wireless Stack

ISSUIoT Gateway

Open RoamingBLE Management

11ax Analytics

Catalyst 9100Launched

11ax features like OFDMA, MUMIMO, BSS Coloring, TWT,

Spectrum IntelligenceDevice Eco System

Cisco DNA Spaces

Partner App integrationRoom Finder

Location AnalyticsGuest portal management


C

2,000+ unique customers

ENCS

7000+ units sold

Catalyst 9800 - Fastest Ramping Wireless Controller

9TECEWN-2005


QFPQuantumFlow Processor

UADPUnified Access Data Plane

▪ Advanced, Multi-Core, Feature-Rich

▪ Fully Programmable

▪ Scalable

▪ Advanced on-chip QoS

▪ Secure

▪ Extensible Architecture

▪ Flexible, Programmable, High-Performance

▪ Fully Programmable

▪ Scalable

▪ Advanced on-chip QoS

▪ Secure

▪ Extensible Architecture

100% Cisco-developed Flexible Silicon – Unlocking the Power of DNA at Hardware Speeds

Cisco Catalyst 9800 – Next Gen Wireless ArchitectureIBN starts from a strong Hardware Foundation

Powered by IOS-XE

C9800 applianceC9800 embedded in Catalyst 9000

TECEWN-2005 10


Managed (Cisco DNAC/Prime)Fully ProgrammableCisco DNAC Automation Cisco DNAC AssuranceHot and cold patchesZero downtime software upgrades

Built from scratch, modular, highly available, scalable, multi-process, wirelesssoftware architecture

No MC/MA complex tunnelingIndirect AP Support

Policy abstraction: no VLAN/IP/ACLsL2 mobility made easy

Stretch subnet without spanning VLANs

Control Plane is always centralizedOptimize data plane for Enterprise

(options: CAPWAP, VXLAN, 802.1q)

Network Architecture

Software Architecture

SDA vs. CAManagement &

Operations

What makes C9800

different?

Cisco Catalyst 9800 – Next Gen Wireless ArchitectureNext gen Software architecture

11TECEWN-2005


Next Generation Wireless Infrastructure For Any Scale

12TECEWN-2005

Catalyst 9800-80 6000 APs, 64K clients80 Gbps

Catalyst 9800-402000 Aps, 32K Clients, 40 Gbps

Catalyst 9800-L250 APs, 5K Clients, 5 Gbps

Catalyst 9800 Embedded Wireless*100 APs, 2K Clients

Catalyst 9800Embedded Wireless**200 APs, 4K Clients

Catalyst 9800-CL***

1000 APs, 10K Clients

Up to 250 APs Up to 3000 APs Up to 6000 APsUp to 100 APs

*Supports Local Switching only**SD-Access only

***Catalyst 9800 for Public cloud FlexConnect only

Up to 1000 APs

Distributed Branch & Small Campus Medium Campus Large Campus

Catalyst 9800-CL1000, 3000 or 6000 APs10K, 32K or 64K Clients


Best in Class

Introducing Catalyst 9130AX Access Point

13TECEWN-2005

Cisco DNA Assurance withiCAP

Integrated or external antenna SKUsBluetooth 5 USB

Mission criticalIdeal for small to medium deployments

9117AX

• 8x8 + 4x4• MU-MIMO, OFDMA (only DL)• Spectrum intelligence• 1 x 5 mGig• TWT• Integrated Antenna only

9115AX

• 4x4 + 4x4• MU-MIMO, OFDMA• Spectrum Intelligence• 1 x 2.5 mGig• TWT

9120AX

• 4x4 + 4x4• Cisco RF ASIC• Dual 5GHz, HDX• RF Layer 1 detail• IoT ready (Zigbee, Thread)• Application Hosting• 1 x 2.5 mGig• TWT

Powered by Cisco RF ASIC

9130AX

• 8x8 + 4x4 or 4x4 + 4x4 + 4x4• Tri-radio (Dual 5GHz + 2.4GHz), HDX• Cisco RF ASIC• RF Layer 1 detail, Application Hosting• Decrypted data packet iCAP• IoT ready (Zigbee, Thread)• Industry-first 8x8 AP with external

antennas• 8 port Smart Antennas• 1 x 5 mGig

Cisco Catalyst 9800Wireless Controller Appliances


Unprecedented throughput with C9800 appliances

2xThroughput option now

available with C9800-80 going up to 80 Gbps

Always-on:High availability and seamless software

updates

Accuracy with Encrypted Traffic Analytics

and Stealthwatch integration

Catalyst 9800 Series Wireless Controller Appliances

C9800-40 and C9800-80

Open standards based programmability with

model-driven telemetry

Scale options for your campus

Programmable multi-core network processor

Investment protection with modular uplinks

99%+

Industry’s 1st

100GE uplink100

Globa l

Sa les Tra in ing

EXTERNAL INTERFACES

• RJ-45 Console Port• Mini USB Console Port• 2 External USB Ports • RJ-45 Ethernet Management Port (SP)• RJ-45 Ethernet Redundancy port (RP)• SFP Gigabit Ethernet Port• BUILT-IN-6x10GE/2x1GE or 10GE• C9800 Modules

LEDs

• Power Status LED• Alarm LED• High availability LED• USB console LED• 10/100/1000 RJ45 Link LED• 10/100/1000 RJ45 Activity LED• SSD Activity LED • System Status LED

• Power Supply (PEM 0)• Power Supply (PEM 1)• Power Switch

C9800-80-K9 Front Panel

C9800-80-K9

8540

Dimensions of C9800-80-K9: 17.3” (439.42 mm) wide, 3.5” (88.9 mm)tall (2RU), and 22.0” (558.8 mm) deep

Gigabit SFP RP Port

(Compared to 30.8 “ for 8540)


SFP/SFP+ Support for C9800-80-K9

• GLC-BX-D

• GLC-BX-U

• GLC-LH-SMD

• GLC-SX-MMD

• GLC-ZX-SMD

• GLC-TE

Note:

SFP-GE-S, SFP-GE-L and SFP-GE-Z are End-of-Sale, and will not be officially

supported

10G ports will operate in 1GE mode but will not support operation at 10/100M.

Hence the 10G ports will not support the following SFPs for 10/100M:

• GLC-GE-100FX=

• SFP-GE-T

• GLC-TE

• SFP-10G-SR

• SFP-10G-SR-X

• SFP-10G-LR

• SFP-10G-LRM

• SFP-10G-LR-X

• SFP-10G-ER

• SFP-10G-ZR

• SFP-H10GB-ACU7M

• SFP-H10GB-ACU10M

• DWDM-SFP10G-30.33 –DWDM-SFP10G-61.41

SFP MODULES SFP+ MODULES

TECEWN-2005 17


Industry’s First Controller with Modular 100G Uplink

• C9800-18X1GE

Eighteen 1GE-ports that support small form-factor pluggable (SFP) optical transceivers to provide network connectivity. Ports are numbered 0 – 17

C9800 Modules Support

• C9800-2X40GE• C9800-1X40GE

• C9800-1X100GE

• C9800-10X10GE

Ten 10GE-ports that support small form-factor pluggable (SFP+) optical transceivers to provide network connectivity. Ports are numbered 0 – 9.

• QSFP-40G-SR4• QSFP-40G-LR4• QSFP-40GE-LR4• QSFP-40G-ER4• QSFP-40G-SR4-S• QSFP-40G-LR4-S• QSFP-40G-SR-BD• QSFP-40G-BD-RX

QSFP MODULES

TECEWN-2005 18


Evolution of Wireless Controllers Enterprise Campus and Full-Service Branch

•6000 APs, 64000 Clients•40 Gbps Throughput

THEN 8540

NOW C9800-80-K9

•6000 AP Groups•2000 FlexConnect Groups,• 100 Flex APs/FCG

•4096 VLANs, 512 Interface Groups•64000 PMK Cache•512 WLANs

•50000 RFIDs•6000 APs/RRM Group•320000 AVC Flows

• 6000 APs, 64000 Clients

• 80 Gbps Throughput

• 4096 VLANs, 4096 Interface Groups

• 128000 PMK Cache

• 4096 WLANs

• 64000 RFIDs

• 12000 APs/RRM Group

• 800000 AVC Flows

• 6000 Policy Tags

• 6000 Site Tags,

• 100 Flex APs/Site

TECEWN-2005 19

Globa l

Sa les Tra in ing

EXTERNAL INTERFACES

• RJ-45 Console Port• Mini USB Console Port• 2 External USB Ports • RJ-45 Ethernet Management Port (SP)• RJ-45 Ethernet Redundancy port (RP)• SFP Gigabit RP Port• 4 x 10GE/1GE SFP and SFP+ ports

LEDs

• Power Status LED• Alarm LED• High availability LED• USB console LED• 10/100/1000 RJ45 Link LED• 10/100/1000 RJ45 Activity LED• SSD Activity LED • System Status LED

C9800-40-K9 Front Panel

Gigabit SFP RP Port

Dimensions : 17.3” (439 mm) wide, 1.75”(44.4 mm) tall (1RU), and 18.3”(464 mm) deep*

*compared to 30.98” (786 mm) in 5520

C9800-40-K9

AIR-CT-5508-K9

AIR-CT-5520-K9


Evolution of Wireless Controllers Enterprise Campus and Full-Service Branch

•1500 APs, 20000 Clients•20 Gbps Throughput

THEN 5520

NOW C9800-40-K9

•1500 AP Groups•1500 FlexConnect Groups,• 100 Flex APs/FCG

•4096 VLANs, 512 Interface Groups•40000 PMK Cache•512 WLANs

•25000 RFIDs•3000 APs/RRM Group•320000 AVC Flows



• 4096 VLANs, 100 VLAN Groups

• 64000 PMK Cache

• 4096 WLANs

• 32000 RFIDs


• 400000 AVC Flows


• 2000 Site Tags,


TECEWN-2005 21

Cisco Catalyst 9800-L


C9800- L: Industry’s first fixed Wireless Controller with Seamless software Updates

4 x 2.5G Ports

SP/RP Port10G/ mgig PortsUSB 3.0

Up to 250 APs Up to 5,000 Clients 5 Gbps

Fully programmable multi-core network processor Support for Netflow, AVC and ETA

Console

TECEWN-2005 23


C9800-L Racking tray

Fit 2 units in 1RU with a ‘toolless' snap-in rackmount installation (with exception to the rack screws)

TECEWN-2005 24


Evolution of Wireless Controllers

• 150 APs, 3000 Clients• 4 Gbps Throughput

3504

NOW C9800-L

• 150 AP Groups• 100 FlexConnect Groups,• 100 Flex APs/FCG

• 4094 VLANs, 512 Interface Groups• 14000 PMK Cache

• 600 Rogue APs, 1500 Rogue Clients, 1500 RFIDs• 500 APs/RRM Group



• 4096 VLANs, 4096 Interface Groups

• 10000 PMK Cache

• 4096 WLANs

• 5000 RFIDs



• 250 Site Tags


TECEWN-2005 25

Embedded Wireless Controller (EWC)on Catalyst 9100 APs

Simplicity without compromise


Embedded Wireless Controller on Catalyst 9100 Ready for Enterprise deployments

Use Mobile App, WebUIand DNA-C to Deploy, Manage and Monitor

Flexible Management Options

HA, SMU, aWIPS, Umbrella, NetFlow, ICAP

Supports Advanced Enterprise Feature Set

Modern OS, scalable, open and programmable, supports telemetry

Runs C9800 IOS-XEWireless Controller on Catalyst Access Points

Migrate Access Points to controller for more than 100 Access Points

Investment Protection


SMU(patching) support for both Controller and Access Point

aWIPS*, Rogue detection, identification and mitigation

Cloud Delivered Enterprise Security with Cisco Umbrella*

Walled Garden & DNS Blocking1

Embedded Wireless Controller ready for Enterprise Branch Deployments

Redundancy with Active & Standby Controllers running simultaneously on

two Access Points

Resilient

Secure

Intelligent & IT Simplicity PnP, Automation and

Assurance

DNA Center

Open standards based programmability with NETCONF,

YANG

Simplified WebUI for Monitoring, Provisioning and

Day-N Operations

Active to Standby switchover in a few seconds

<10seconds

* IOS-XE 17.1


EWC - Management options

DNA Center(On-Prem)

AnalyticsPolicy Automation

Standards Based Interoperability

SDN Controllers

CI/CD Tools

NMS Systems

Intent-basedNetwork Infrastructure

Embedded Wireless Controller

WebUI/Mobile App

Use App to Deploy,

Monitor and Manage

Featue rich, yet simple

Mobile App for iOS and

Android devices

Wizard driven provisioning

flows

TECEWN-2005 29


Embedded Wireless Controller - WLAN Deployment Next-Gen Wi-Fi designed for Single or Multi-Site Small to Medium Size Enterprises

Single Office Distributed Office Distributed Enterprise

Mobile App or WebUI

Embedded Wireless Controller

DNA Center

AssuranceAutomationPolicy Security CMXISE

Embedded Wireless ControllerController in CampusEmbedded Wireless Controller

in Branch

TECEWN-2005 30


Embedded Wireless Controller Catalyst 9100 Access Points

C9117AX-EWC

• 50 Access Point, 1000 Clients• 8x8 + 4x4• MU-MIMO, OFDMA (only DL)• Spectrum intelligence• Bluetooth 5• 1 x 5 mGig• USB• Integrated Antenna only

C9115AX-EWC

• 50 Access Point, 1000 Clients• 4x4 + 4x4• MU-MIMO, OFDMA• Spectrum intelligence• Bluetooth 5• 1 x 2.5 mGig• USB• Integrated or External antenna

C9120AX-EWC

• 100 Access Point, 2000 Clients• 4x4 + 4x4• MU-MIMO, OFDMA• Cisco RF ASIC• Dual 5GHz, HDX• RF signature capture• 1 x 2.5 mGig• Integrated or External antenna

Nov ‘19

Nov ‘19

Nov ‘19

Software Feature Parity across APs

Supports up to 100 APs, 2000 Clients

Supports Wave 2 APs as client serving

C9130AX-EWC

• 100 Access Point, 2000 Clients• 8x8 + 4x4 or 4x4 + 4x4 + 4x4• Tri-radio (Dual 5GHz + 2.4GHz), HDX• Cisco RF ASIC• RF signature capture• Decrypted data packet iCAP• 1 x 5 mGig• 8 port Smart Antennas

Nov ‘19

Mission Critical Best in Class

Powered by Cisco RF ASIC Powered by Cisco RF ASIC

Best suited for High Density Enterprise Branch Deployments

Ideal for single or multi-site small to medium Enterprise deployments

Cisco DNA Assurance with ICAP

TECEWN-2005 31


What about 802.11ac Wave 2 Access Points?Supports client serving mode

Mission criticalIdeal for small to medium-sized deployments

ALL 11ac Wave 2 Access Points can connect to Embedded Wireless Controller

1815W 1815I, 1815M 1832 1852

1540 1560

2802 3802 4800

Outdoor

Indoor

1842

TECEWN-2005 32


AP support on ME and EWC-AP Deployments

ME APs Subordinate APs (no ME)

AIR-AP1815 C9100 (Release 8.9.111.0 +)

AIR-AP1832 AP1700/2700/3700 Series APs

AIR-AP1840 AP1800i

AIR-AP1852 AP1810w

AIR-AP2802 AP700 Series APs

AIR-AP3802

AIR-AP4802

AIR-AP1542

AIR-AP1562

APs Supported in Cisco AireOS Mobility Express

EWC APs Subordinate APs (no EWC)

C9100 (16.12.2 +) All C9100

AIR-AP1815

AIR-AP1832

AIR-AP1840

AIR-AP1852

AIR-AP2802

AIR-AP3802

AIR-AP4802

AIR-AP1542

AIR-AP1562

Cisco APs Supported in Cisco Catalyst EWC-AP

• Only C9100 APs can be EWC-AP i.e. running controller functionality• 11AC Wave2 APs can be subordinate APs • No EWC-AP support on 11AC Wave 2

• Only 11AC Wave2 APs can have ME functionality• C9100 Series and 11AC Wave1 APs can be subordinate APs• No AireOS ME on C9100 Series APs 33


Embedded Wireless Controller on C9100 Interoperability Matrix

IOS-XE 16.12.2

ISE 2.3 DNA Center 1.3.2 DNA Spaces

DNA Ready for Small to Medium Size, Single or Multi site Deployments

TECEWN-2005 34

Someone said Cloud??


❑ Customer has unique access to dedicated DC virtualized or physical resources

❑ The resources are onPrem DC or hosted by a Colo provider

❑ WLC as a Virtual Machine

Some definitions first…

❑ Customer doesn’t own the infrastructure (computing, storage, networking).

❑ WLC is consumed as Infrastructure as a Service (IaaS)

❑ Simply the reality…❑ Customer will have

both Private and Public cloud deployments for some time

TECEWN-2005 36


Catalyst 9800 Wireless Controller for Cloud

ISE / AD Cisco DNA Center

ASSURANCE

AUTOMATION

Cisco DNA Center 1.3 Wi-Fi 6, W1 & W2 802.11ac APs

Internet

Public Cloud

AD

Managed VPN

Enterprise network

NFVIS

ENCS

Hypervisors: ESXi, KVM, NFVIS on ENCS

All deployments mode: Centralized, SDA, FlexConnect, Mesh

ESXi

3,000 APs / 32,000 Clients (starting 16.11)

Amazon AWS with Managed VPN

FlexConnect local switching only

ISE/AAA

TECEWN-2005 37

Private Cloud


Campus

Catalyst 9800 Private Cloud deployment

▪ Customer value prop: • Deploy wireless controller where you want it,

how you want it• All AP modes supported• Feature parity with appliance (only exception

is GuestShell)

▪ Support• VMware ESXi , KVM and ENCS• Wi-Fi 6, Wave2 and Wave1 APs• Centrally switched traffic <= 1.5 Gbps• ESXi vCenter or KVM Virt-Mgr for VM

provisioning• Automated VM bootstrap flow (ESXi

vCenter only)

Corporate WAN

(MPLS /SD-WAN)

BranchFlex APs

Flex AP

OnPrem/Colo provider DC

Branch

ESXi / KVM/

CAPWAP

ISP owned device

Customer owned device

Local mode AP

TECEWN-2005 39


VMware specifications

40TECEWN-2005

• Supported hypervisor: VMware ESXi 6.0 and higher

Model Configuration Small (16.10) Medium(16.10) Large(16.10)

Maximum Access Points 1,000 3,000 6,000

Maximum Clients Support 6,000 32,000 64,000

Minimum Number of vCPUs 4 6 10

Minimum Memory (GB) 8 16 32

Required Storage (GB) 8 8 8

Virtual NICs (vNIC) -3nd NIC is for High Availability

2 /(3) 2 /(3) 2 /(3)

vNIC driverVMXNET3, E1000E,

E1000VMXNET3, E1000E,

E1000VMXNET3, E1000E,

E1000

Virtual bridge Vswitch Vswitch Vswitch


KVM specification

41TECEWN-2005

▪ Supported Linux distribution: RHEL 7.1 & 7.2, Ubuntu 14.04, 16.04 LTS

Model Configuration Small(16.10) Medium(16.10) Large(16.10)

Maximum Access Points 1,000 3,000 6,000

Maximum Clients Support 6,000 32,000 64,000

Minimum Number of vCPUs 4 6 10

Minimum Memory (GB) 8 16 32

Required Storage (GB) 8 8 8

Virtual NICs (vNIC)3nd NIC is for High Availability

3 3 3

vNIC driver VIRTIO VIRTIO VIRTIO

Virtual bridgeOVS

Linux bridge (brctl)OVS

Linux bridge (brctl)OVS

Linux bridge (brctl)

Public Cloud


Public Cloud deployment models

Infrastructure

Application services

Application

Stack components

User interface,Dashboard

OS, Database, APIs, APP Svr, Monitoring, etc..

Network, Servers, Firewall, Storage, etc..

Service model Responsibility

IaaSP

aaS

SaaS

Vendor Vendor V

endor

User Login, registration

Custo

mer

Custo

mer

Custo

mer

Network Services

TECEWN-2005 43


Pioneering IaaS Public Cloud Play : 9800-CL

44TECEWN-2005

Infrastructure

Application services

Application

Stack components

User interface,Dashboard

OS, Database, APIs, APP Svr, Monitoring, etc..

Network, Servers, Firewall, Storage, etc..

Service model Responsibility

IaaSP

aaS

SaaS

Vendor Vendor V

endor

User Login, registration

Custo

mer

Custo

mer

Custo

mer

Network Services

C9800-CL for Public Cloud

Cisco Catalyst 9800 in the Cloud


Advantages of C9800-CL in Public Cloud

Up to 50%Cost Savings seen by a large

enterprise by deploying C9800-CL for Private Cloud

7minutesTime taken to deploy C9800-CL for AWS

$0The C9800-CL Wireless

Controller price

VMware® VMotion

No more planned / unplanned outages

Host the Catalyst 9800 Series controller in AWS’ FedRAMP

certified GovCloud

Global Footprint

Scale based on network size

Cost Effective

Agility - simple to deploy


Catalyst 9800 Wireless Controller for Cloud

Internet

Public Cloud

AD

Managed VPN

Enterprise network

Smart License Management &DNA subscription based AP licenses

Amazon AWS with Managed VPN

3,000 APs / 32,000 Clients

ISE/AAA

FlexConnect local switching only

ISE and AD typically on Prem

N+1 high availability

TECEWN-2005 46


Public Cloud – Managed VPN

Cloud Provider

VPN-GW

VPN connection

Corporate NetworkCustomer Router/FW

Flex APsVPC

Internet

C9800-CL

TECEWN-2005 47

Cisco Catalyst 9800 Wireless Controller for SD-Access


On ApplianceOn Private CloudOn Switch

• Cisco IOS® XE Software

• C9800-CL• 1k AP, 10k Clients• 3k AP, 32k Clients• 6k AP, 64k Clients^

• Scale on demand

• Optimized for mobility

• Designed for IoT

• Always on Fabric with robust HA


• C9800-40-K9• 2k APs, 32k Clients

• C9800-80-K9• 6k APs, 64k Clients

• Optimized for mobility

• Designed for IoT



• Cat 9300• 200 AP, 4k Clients

• SD-Access wireless with Cat9800 Software Package

• Indirect AP Support

• Optimized for Mobility

• Centralize Control Plane


Small and Medium Campus Medium and Large CampusOptimized for Distributed Braches

SD-Access Everywhere

^Future

TECEWN-2005 49

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

c

Catalyst 9800 SD-Access WirelessIntroducing SD-Access Multi-Site Wireless Solution

c

Cisco DNA Center


IoT

SD-Access

SD-Access Wireless Campus

User Mobility

Policy stays with user

Embedded Wireless“Cat 9k Switch”

Policy stays with user

Seamless Mobility

SD-WAN

(Viptela)

MPLS | Metro

4G/5G/LTE | Internet

SD-Access Wireless Distributed Sites

Highly Secure and Optimized Solution for Campus and Distributed Sites

C9800 Appliance or Private Cloud


c

C9800-SW

Co-Located Border & Control Plane

Extended Nodes

Ente

rprise

Cam

pus

Exte

nded

Ente

rprise Extended Nodes

Dis

trib

ute

d

Bra

nch

Exte

nded

Bra

nch

Fabric in a Box with Wireless

SD-WAN

(Viptela)

MPLS | Metro

4G/5G/LTE | Internet

Fabric Edge

Border + CP + Wireless

Border + CP + Fabric Edge + Wireless

Function Catalyst

Fabric in a Box (with Wireless Controller)

9300 (16.11) + DNAC 1.39400 (16.11) + DNAC 1.3 DNA Center


Catalyst 9800 SD-Access Embedded WirelessDNAC 1.3

C9800-SW

Highly Secure and Optimized Solution for Branch and Small Campus

Function Catalyst

Co-located Border and Control +

Wireless Controller

9300 ( 16.11) + DNAC 1.39400 (16.11) + DNAC 1.39500 (16.11) + DNAC 1.3

Fabric Edge 9300 (16.11) + DNAC 1.39400 (16.11) + DNAC 1.39200 (16.11) + DNAC 1.3

SDA Compatibility Matrix: https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html


SD-Access Support

52TECEWN-2005

Digital Platforms for your Cisco Digital Network Architecture

WirelessRoutingSwitching Extended

Catalyst 3560-CX

Cisco IE 4K/5K

ISR 4430

ISR 4451

ISR 4330

BETA

AIR-CT5520AIR-CT8540

AIR-CT3504

Cisco Digital Building

Catalyst 9200Catalyst 9400

Catalyst 9300NEW

Catalyst 3650 & 3850

Catalyst 9500 Catalyst 9800

NEW

Catalyst 4500E Catalyst 6800 Nexus 7700

For more details: cs.co/sda-compatibility-matrix

ASR-1000-X

ASR-1000-HXNEW

NEW

Wave 2 APs (1800,2800, 3800)

4800

Wave 1 APs* (1700,2700,3700)ENCS 5400

NEW

NEW

Wave 2 outdoor APs (1540, 1560)*

(*) only supported in Local mode no mesh

http://cs.co/sda-compatibility-matrix


Wave 2 APAireOS WLC Catalyst 9800 Wave 1 AP*

• AIR-CT3504

• AIR-CT5520

• AIR-CT8540

• Catalyst 9800-40/80

• Catalyst 9800-CL

• C9K Embedded WLC

• 1800/2800/38001500 and 4800

• 802.11ac Wave2

• 1G/mG RJ45 (Uplink)

• 1700/2700/3700

• 3600 with 11ac

• 802.11ac Wave1

• 1G/mG RJ45 (Uplink)

SD-Access PlatformsFabric Enabled Wireless

For more details: cs.co/sda-compatibility-matrix

NEW

* No IPv6, AVC, FNFNEW

TECEWN-2005 53

http://cs.co/sda-compatibility-matrix

Cisco Recommended ReleasesCatalyst 9800 and 3504/5520/8540 AireOS Wireless Controllers

54TECEWN-2005

Access Points

IOS-XE AireOS DNA-C Prime CMX ISE

C9115AX, C9117AX,

C9120AX, 9130AX16.12.2s 8.10.105.0 1.3.2 3.7MR1 10.6.2

2.22.42.6

Wave 2 16.12.2s 8.5.161.0 1.3.2 3.7MR1 10.6.22.22.42.6

Wave 2 4800 APs

16.12.2s 8.8.125.0 1.3.2 3.7MR1 10.6.22.22.42.6


Resiliency


How long can people survive without Internet ?

2,000,000 years

1990

5.26 min

Beginning of Time

Now

per Year !

TECEWN-2005 56


AP Device PackNew AP Model

FlexiblePer-Site, Per-Model Updates

High Availability Reducing downtime for Upgrades and Unplanned Events

16.11

Controller Software UpdateSoftware Maintenance updates ( SMU^ )

Access Point UpdatesAP Updates and new AP models

Software Image UpgradesWireless controller image upgrades

Cold PatchHA install on

SSO Pair

Hot Patch(No Wireless

Controller reboot)

Auto Install on Standby

Rolling AP Update (No Wireless Controller

Reboot)

N+1 Hitless Rolling AP Upgrade

^ MD Release Only

Unplanned EventsDevice and network interruptions

16.10

SSO Stateful Switchover

N+1 High Availability

TECEWN-2005 57


High Availability – Stateful Switch Over (SSO)

A direct physical connection between Active and Standby Redundant Ports or Layer 2 connectivity is required to provide stateful redundancy within or across datacenters

Sub-second failover and zero SSID outageActive Wireless

Controller

Active Wireless Controller

Hot-Standby Wireless Controller

Hot-Standby Wireless Controller

Redundancy Port ConnectivityRP via L2

Redundancy Port ConnectivityRP Via L2

C9800-40-K9

C9800-80-K9

The only supported SFPs on Gigabit RP port are : GLC-SX-MMD and GLC-LH-SMD

Gigabit SFP RP port Gigabit SFP RP port

TECEWN-2005 58


vWLC1-Standby

vWLC2-Standby

High Availability – Stateful Switch Over (SSO)

vWLC1-Active

CP

DP

vswitch

vWLC2-Active

CP

DP

vWLC1-Standby

CP

DP

vswitch

vswitchvswitch

HA interface

CP

DP

vWLC1-Active

CP

DP

vswitch

Redundancy Port Connectivity

vswitch

HA interface

CP

DP

ESXi

C9800-CL-K9

Redundancy Port ConnectivityRP via L2

switch

switch

TECEWN-2005 59


Enterprise network

Single VSS switch (or stack/VSL pair/modular switch)SSO HA pair

▪ For SSO HA, connect the Standby in the same way (same ports)

▪ Single L2 port-channel on each box. Ports connected to Active and ports connected to Standby must be put in different port-channel

▪ Enable dot1q to carry multiple VLANs

▪ IMPORTANT: only LAG with mode ON is supported

▪ IMPORTANT: spread the uplinks across the VSS pair and connect the RP back to back (no L2 network in between)

▪ Make sure that switch can scale in terms of ARP and MAC table entries

▪ This is the recommended topology

VSS/vPC pair

L2 port channels+ dot1q trunk

Active Standby

RP port RP port

TECEWN-2005 60


Enterprise network

Dual Distribution switches with HSRP (before 17.1)SSO HA pair

▪ For SSO HA, connect the Standby in the same way



▪ IMPORTANT: only LAG with mode ON is supported

▪ IMPORTANT: connect RP port to the same distribution switch as the uplinks and not back to back


▪ This is a supported topology

L2 port channel+ dot1q trunk

Active Standby

RP port RP port

HSRP Active HSRP Standby

L2 link

TECEWN-2005 61


Enterprise network

Dual Distribution switches with HSRP (17.1 and higher)SSO HA pair

▪ For SSO HA, connect the Standby in the same way


▪ Port-channel PagP and LACP supported



▪ This is a Recommended topology

L2 port channel+ dot1q trunk

Active Standby

RP port RP port

HSRP Active HSRP Standby

L2 link

TECEWN-2005 62

Planned Updates Wireless Controller and AP SW Updates


Controller and AP software upgrades

Controller Updates

Controller update or bug fixes

New AP Model Support

Hot-patchable support for Device Pack

PSIRTs, fixes on APs

AP update or bug fixes

FutureSMU on MD Release only

Contain impact within releaseFixes for defects and security issues without need to requalify a new release

Faster resolution to critical issuesProvide fixes to critical issues found in network devices that are time-sensitive

SMU AP Service Pack AP Device Pack

TECEWN-2005 64

Controller Patching using Software Maintenance Updates


Wireless Controller SMU

Wireless Controller SMU installation Options

Hot Patch(No Wireless Controller reboot)

Auto Install on Standby

Cold PatchWireless Controller Reboot

Hot-Patching

Inline replace of functions without restarting the process

On SSO Systems, patch will be applied on both active and standby without any reload

Cold Patching

Install of a SMU will require a system reload

On SSO systems, SMU updates can be installed on the HA Pair with zero downtime

▪ Software Maintenance Update (SMU) is the ability to apply patch fixes on a software release in the customer network

▪ Current mechanism relies on Engineering Specials• Entire image is rebuilt and delivered to

customer

✓ SMUs for C9800 are available starting the first MD Release 16.12

TECEWN-2005 66

Controller Patching demo

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2005 68

AP Patching using Rolling AP Infrastructure


User selects % of APs to upgrade in one go [5, 15, 25]For 25%, Neighbors marked = 6 [Expected number of iterations ~ 5]For 15%, Neighbors marked = 12 [Expected number of iterations ~ 12]For 5%, Neighbors marked = 24 [Expected number of iterations ~ 22]

Neighbor Marking


802.11v

Client Steering

• Clients steered from candidate APs to non-candidate APs

• 802.11v BSS Transition Request

• Dissociation imminent

• If clients do not honor this, they will be de-authenticated before AP reload

TECEWN-2005 71

Per-site & per-AP Model AP Service Pack

New in 16.11


Per-site / Per-model AP Service Pack

Update on Subset APsFix applied on a subset of APs in the deployment using a site-filter

Per-AP model Service PackAPSP can have a subset of APs that are affected by the update

Controlled PropagationEnables user to control the propagation of APSP in the network

AP

Serv

ice P

acks

Supported on all platforms and all

deployment scenarios (Flex, Local and

Fabric)

Pre-downloaded to and activated on the affected AP

models only

Per-model APSP works in conjunction

with site-specific rollout

TECEWN-2005 73


ap image site-filter file <file> add <site-tag>

APSP Activation Success Workflow

CLI APsWLC

Install add

Install prepare activate

Install activate

SUCCESS

Download Images to AP based on AP model and Site-tag filter

Per-site per-model rolling AP upgrade

Install commitTECEWN-2005 74


ap image site-filter file <file> add <site-tag>

APSP Activation Fail Workflow

CLI APsWLC

Install add

Install prepare activate

Install activate

FAIL

Download Images to AP based on AP model and Site-tag filter

Per-site per-model rolling AP upgrade

Install rollbackTECEWN-2005 75


SiteCSiteA

APSP Workflow Applying APSP for 3800/2800 APs on per-site and per model basis

3800 APs 2800 APs

ap image site-filter file APSP1 add SiteAInstall prepare activate Install activate Install commit

Apply on Site A in rolling AP fashion

ap image site-filter file APSP1 add Site Bap image file APSP1 site-filter apply

Not applicable for building with 9115AX

SiteB

3800 APs 2800 APs9115AX APs

TECEWN-2005 76

AP Device Pack


Note : Even if new AP software supports extra wireless functionality, only the functionality supported by WLC will be enabled.

AP Device Pack

78TECEWN-2005

Traditionally ..

Reduce Lifecycle delaysFaster deployment of latest AP hardware and technology

Contain Impact within releaseDeploy new hardware without need to requalify a new controller release

Zero Network Downtime Applied as HOT patch on the controller with no service impact for APs and Clients

Plan for Upgrading

entire network

New AP hardware models need new

WLC software

Wait for CCO version and re-

qualify new release

With A

P D

evic

e P

acks


APDP Installation Workflow

CLI New APWLC

Install add

Install activate

New AP Joins WLC

Install commit

TECEWN-2005 79


APDP Installation Workflow

3800 APs

Install add file new-dp.binInstall activate file new-dp.binInstall commit

Add Building/New site with newer AP model

9115AX APs

Note: Fixes for the AP installed via APDP will be via AP Service packs like a baseline supported AP

TECEWN-2005 80

Hitless N+1 Image UpgradeUsing Rolling AP Infrastructure


AP

Version : X Version: X+1

1. Device auto selects candidate APs based on selected % and RRM AP Neighbor Map

2. Upgrade process kicks-in • Image download to Primary

Wireless Controller• Image pre-download to APs• Selective redirect of clients using

11v• APs moved to N+1 Wireless

Controller in rolling manner• Primary Wireless Controller Reboot• APs moved back to Primary

Wireless Controller (optional)

3. Monitor progress on the Device

Version : X+1

Primary

Trigger Rolling Upgrade

Upgraded N+1

N+1 Rolling AP UpgradeWireless Controller image upgrade using N+1 staging Controller

Mobility Group

TECEWN-2005 82

Security


Intent-based wireless networks to secure the Air, Devices and Users with Catalyst 9800

Air UsersDevices

Rogue detection & Mitigation

Enhanced threat detection with ETA

Seamless BYOD onboarding with ISE

Standards compliance with WPA3*

Identity based segmentation with SDA

Secure device management with iPSK

- Enhanced security on open Wi-Fi- Robust password protection - Superior data protection- Seamless customer migration

*Future

TECEWN-2005 84


Security and Threat Mitigation

Lower Risk

P2PBlocking

Client Exclusion

802.1x WPA2/AES

WPA3

AAA Override VLAN, ACL, QoS

Local Policy w/QoS and AVC

802.11w

TrustSecSGT, SXP

ETA

MAC Auth Rogue Detection

BYOD NAC RADIUS

Programmability &Telemetry


Custom DevelopmentCisco DNA CenterStandards Based Interoperability

Flexible management options with Cisco Catalyst 9800 Wireless Controllers

AnalyticsPolicy AutomationZero Touch Provisioning

Guest Shell (On Box Python)

Model Driven Programmability

YANG Data Models

App HostingSDN Controllers

CI/CD Tools

NMS Systems

Intent-basedNetwork Infrastructure

Catalyst 9800Wireless Controllers

TECEWN-2005 87


YANG Data Models

NETCONF RESTCONF* gNMI* gRPC*

Device Features

Interface BGP QoS ACL …

SNMP

Open Native

Configuration and Operation

Intent-based Network Infrastructure

The NETCONF, RETCONF, gNMI and gRPC are programmatic interfaces that provide additional methods for interfacing with the device

YANG data models define the data that is available for configuration and streaming telemetry

*Future

Wireless Programmability “Stack”

TECEWN-2005 88


2011

NETCONF Interface

2010

V 1.1

• RFC 6241

Base NETCONF Protocol

• RFC 6242NETCONF over SSH

“NETCONF is a protocol defined by the IETF to install, manipulate, and delete the configuration of network devices”

2006

V 1.0

• RFC 4741

Base NETCONF Protocol

• RFC 4742NETCONF over SSH

Extensions

• RFC 5277 Notifications

• RFC 5717 Partial Locking

• RFC 6243 With defaults

• RFC 6020 YANG

https://tools.ietf.org/html/rfc6241

• Transactional• Either all configuration is applied or nothing

• Avoids inconsistent state

• Both at Single Device and Network-wide level

• Error Management• OK or error code

• Capability Exchange

• Models Download from a Device

ssh -p 830 [email protected] -s netconf

NETCONF

C3850-1#conf tEnter configuration commands, one per line. End with CNTL/Z.C3850-1(config)#aaa new-modelC3850-1(config)#aaa authentication login default localC3850-1(config)#aaa authorization exec default localC3850-1(config)#username admin password cisco

C3850-1(config)#netconf-yangC3850-1(config)#

TECEWN-2005 89

http://www.rfc-editor.org/rfc/rfc6241.txt









https://tools.ietf.org/html/rfc6241


Config vs Operational YANG data models

90TECEWN-2005

Config-data Operational-data

Examples:switch> show run interface Loopback0switch(config)# interface Loopback0

Examples:switch> show interface Loopback0

‘snmpget’ results

• What the device is told to do

• It’s the way you express intent

• What the device is actually doing

• It’s what you see from most show commands

access-pointclientfqdn

lisp-agentmcastmesh

mobilitynmsp

rf-profilerfid

roguerrm

apapf

cts-sxpdot11fabricflexfqdn

generallocationmesh

mobilitymstream

rfrfid

roguerrm

securitysitewlan

Cisco-IOS-XE-Wireless: Config models Cisco-IOS-XE-Wireless: Oper models

https://github.com/YangModels/yang

https://github.com/openconfig

https://github.com/YangModels/yang

https://github.com/openconfig


Model Driven Telemetry

NETCONF RESTCONF* gNMI*

Device Features

Interface BGP QoS ACL …

SNMP

Physical and Virtual Network Infrastructure

Programmable

Interfaces

Collector

SubscriptionPeriodic or on-change

tcollector

YANG Data Models

Open Native

Configuration and Operation

*Future

TECEWN-2005 91


Network Subscription

A subscription is a contract between the network device and a subscriber that

specifies the type of data, the frequency, and

CollectorSubscribe to ietf-yangpush.yang

Specify xpath/KPI (defined within data model)

Instruction on:

• What data to collect

• Where and how to send

• How often and how much

sh telemetry ietf subscription 100 receiver

Subscription ID: 100

Address: 10.10.105.10

Port: 47870

Protocol: netconf

Profile:

State: Connected

Explanation:

<?xml version="1.0" encoding="UTF-8"?>

<rpc message-id=”id" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">

<establish-subscription xmlns="urn:ietf:params:xml:ns:yang:ietf-event-notifications"

xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">

<stream>yp:yang-push</stream>

<yp:xpath-filter>/wireless-location-oper:location-oper-data/location-rssi-measurements</yp:xpath-filter>

<yp:period>1000</yp:period>

</establish-subscription>

</rpc>

TECEWN-2005 92

Catalyst 9800 Configuration

Wireless Basic Setup Workflow

Day 1 – Wireless Basic Setup

Intent-based configuration with Sites, WLANs, Policy and RF attributes


Wireless Basic Configuration Model

WLAN

Profile

Policy

Profile

Policy Tag

AP

Join

Profile

RF

Profile 2.4

GHz

RF

Profile

5 GHz

Site Tag

RF Tag

Site 1

Site N

Global Site

#Tags and Policies created

behind the Scenes

Flex

Profile

• Creation of Local and

Remote sites

• Creation of Custom

Policy, RF and Site

Tags and profiles in the

backend

TECEWN-2005 96


Local Site Definition

and Client Density

Selection

Wireless Basic Configuration – Adding Local Site

Add existing WLANs to

the site OR define a

new one

TECEWN-2005 97


Wireless Basic Configuration – Adding Remote Site

Remote Site

configuration with site

specific Native VLAN

ID and AAA Servers

Local switching and

Local authentication

options for WLANs

defined local to remote

site

TECEWN-2005 98


Adding Remote Site - behind the scenes

WLAN

Profile

Policy

Profile

Policy Tag

AP

Join

Profile

RF

Profile 2.4

GHz

RF

Profile

5 GHz

Site Tag

RF Tag

Site 1

Site N

Global Site


behind the Scenes

Profile

• User simply creates a

remote site

• Creation of remote Site

involves creation of

Flex Profile in the

backend.

• Flex Profile is added to

Site Tag automatically

TECEWN-2005 99


Access Points

2. Provision

Provisioning APs to Site

WLAN

Profile

Policy

Profile

Policy Tag

AP

Join

Profile

Flex

Profile

RF

Profile 2.4

GHz

RF

Profile

5 GHz

Site Tag

RF Tag

Site 1

Site N

Global Site1. Design + Policy


behind the Scenes


Select from available

APs to the Associated

AP list for this site

Static AP MAC

Address list to add APs

not yet joined to the

controller

Wireless Basic Configuration – Provisioning APs to Site

TECEWN-2005 101


Benefits of New Configuration Model

Reusability

Config modularized as

objects

Simplicity

No inheritance or

containers

Easy Provisioning

With AP attribute

Tagging

Rule-based

Tagging

For easy Day 1

configuration

Change Management

Site based filtering

TECEWN-2005 102


High Density HDX

Data Rates

DCA, TPC, CHDM

Profile threshold for traps

Client Distribution

AireOS vs. Catalyst 9800 Config Model

Granular & simplified

What Policies on which Sites

with what RF characteristics

Going towards a more Modularized and Reusable model with Logical decoupling of configuration entities

Basic Wireless

Advanced Wireless

Wireless Security

Switching Policy

Network Policy

WLAN AP Group Flex Group

Network Policies

Wireless site settings

RF Parameters

Site Specific Policies

RF Profiles

Network Policies

Wireless security

Remote Site Config

Remote site parameters

Switching Policies

RF Profile

High Density HDX

Data Rates

DCA, TPC, CHDM


Client Distribution

WLAN

Policy

Profile

Flex

Profile

AP Join

Profile

Basic Wireless

Advanced Wireless

Wireless Security

Switching Policy

Network Policy

Wireless site settings

Site Specific Policies

Remote Site Config

Remote site parameters

High Density HDX

Data Rates

DCA, TPC, CHDM


Client Distribution

RF Profile

Policy

Tag

Site

Tag

RF Tag

Decouple

Modularize

AireOS Config Model

Policy Tag

b/g

a/n/ac

Site Tag

RF Tag


Important facts:

▪ C9800 has a multi-process software architecture

▪ APs are load-balanced across Wireless Network Controller processes (WNCd) within a C9800

▪ The number of WNCd varies from platform to platform

▪ Load balancing of APs (and clients) gives better scale and performances

▪ Today the load balancing is done based on SITE tags

▪ If using default site tag, the APs are load balanced across WNCd instances in round robin fashion

Design: recommended use of AP Site Tags

Enterprise network

WNCd(1)

WNCd Ops data

WNCd(2)

WNCd Ops data

...

...

IOSd Config DBDB

Manager Ops DB

WNCd(n)

WNCd Ops data

...

...

...

...

...

...

Catalyst 9800

Bldg. 1

Site tag

Bldg. 2

Site tag

Bldg. N

Site tag

...

TECEWN-2005 104


Design Recommendation:

▪ The pb: 11k/v, CHD (and in general everything proximity based) are managed within the WNCd. So these features will break if neighbor APs are on different WNCds

▪ For best performance use site tag to group APs at a roaming domain level > SITE TAG = Roaming Domain

▪ Also make sure that the max number of APs per site tag doesn’t exceed 400-500 APs

▪ A good design choice would be to choose the site tag corresponding to a building.

▪ Do not use site tag per floor it could break roaming

▪ NOTE: roaming (and fast roaming) works fine across site tags

Design: recommended use of AP Site Tags

105TECEWN-2005

Enterprise network

WNCd(1)

WNCd Ops data

WNCd(2)

WNCd Ops data

...

...

IOSd Config DBDB

Manager Ops DB

WNCd(n)

WNCd Ops data

...

...

...

...

...

...

Catalyst 9800

Bldg. 1

Site tag

Bldg. 2

Site tag

Bldg. N

Site tag

...


Recommended use of AP Site Tags

What if my customer has a building with more than 400 APs?

Recommendation: split the building in two from a site tag perspective

UP

Site tag

UP

Site tag

What if customer has a roaming domain that spans across multiple buildings with more than 400 APs?

Recommendation: configure a site tag per building. Roaming will work

BLDG1

Site tag

BLDG2

Site tag

What if customer has multiple buildings with less than 400 APs?

Recommendation: configure just one name site tag and don’t use the default site tag

CAMPUS

Site tag

TECEWN-2005 106


Components of Policy Tag

WLAN

Profile

Policy

Profile

Policy Tag

VLAN - Mgmt. Vlan

Session timeout – 1800

Idle time out - 300

AVC profile - null

Client Qos(input/and output) – default

BSSID Qos(input/and output) – default

ACL – None

Local switching – disabled (all other

related parameters are disabled)

Central switching – enabled

Central DHCP – disabled

Central Assoc – disabled

Central Authentication – enabled

Local profiling – disabled

Policy map - none

Authentication - Central

Components of Policy Profile

Profile Name

Status

WLAN ID

SSID

Broadcast SSID

L2 Security

L3 Security

AAA Servers

Coverage Hole detection

Aironet IE

Diagnostic Channel

P2P blocking

Max Client connections

11v BSS transition Support

Off channel Scan defer

Load Balance

Band Select

Components of WLAN Profile

TECEWN-2005 107


Components of Site Tag

AP Join

Profile

Flex

Profile

SiteTag

Com

pon

ents

of

Fle

x P

rofi

le

AP

Jo

in P

rofi

le -

def

au

lts

LED state – Enable

Heartbeat timer– 30 secs

Primary discovery timer – 120 sec

Primed join timeout – 0 seconds

Discovery timeout - 10 secs

Fast heart beat timer – 1 sec

Fast heart beat – disabled

TCP/MSS - enabled (set to 1250)

Retransmit count – 5 secs

Retransmit interval – 15 secs

Dot1x authentication – disabled

UDP lite – disabled

11u venue group – unspecified

Username/password – “current default”

Preferred mode – IPV4

11u venue type – unspecified

Client QinQ – disabled

DHCP QinQ – disabled

Reset - Disable

Static nameserver/domain name – current

default

Backup primary/secondary – current default

Core dump – “current default”

Syslog - “current default”

Hyperlocation – disable

Native VLAN ID

HTTP Proxy Port

HTTP Proxy IP Address

Fallback Radio Shut

ARP Caching

Efficient Image Upgrade

Local Authentication

Local Auth Users

Policy ACL

VLAN Name and ID


Data Rates

MCS Settings

Maximum and Minimum Power Level Assignment

Power Threshold v1/v2

DCA Channel Width

DCA Foreign AP Interference Avoid Enable

DCA Channel list

Coverage Hole Detection Parameters (Data/Voice

RSSI, Coverage Exception, Coverage Level)

Profile Threshold for Traps

(Interference/Clients/Noise/Utilization)

Maximum Clients

Multicast Data Rates

Rx Sop Threshold

Load Balancing (window & denial)

Band Select Parameters (Applicable only for

802.11bg)

Components of RF Tag

RF

Profile 2.4 GHz

RF Tag

RF

Profile

5 GHz

Components of RF Profile

TECEWN-2005 109

Wireless Advanced Setup Workflow


Guided UI Configuration Workflow

WLAN

Profile

Policy

Profile

Policy Tag AP Join

Profile

Flex

Profile

SiteTag

RF

Profile

2.4 GHz

RF Tag

RF

Profile 5

GHz

TECEWN-2005 111


WLAN Profile

List of WLANs

created, including

those at Day 0

Create new WLAN or

edit existing WLAN for

General, Security and

Advanced knobs


Policy ProfileAdd new Policy profile

or use default-policy-

profile

Access Policies, QoS,

AVC, mobility and

other advanced

network policy

settings

TECEWN-2005 113


Policy TagWLAN Profile + Policy Profile

SSID to Policy Profile

Mapping to define

behavior of client

policy

Default Policy Tag

containing default-

policy profile

TECEWN-2005 114


AP Join profile

AP Management

features such as AP

Dot1x Credentials

CAPWAP parameters

such as CAPWAP and

retransmit timers, N+1

configuration

TECEWN-2005 115


Flex Profile

Local authentication

EAP Profile and local

auth user entries

CAPWAP parameters

such as CAPWAP and

retransmit timers, N+1

configuration

TECEWN-2005 116


Site Tag

• AP Join Profile + Flex Profile ( only for Remote Site )

Enable Local Site for

sites in the Campus.

Associate AP Join

profile

Disabling Local Site

implies a remote site

and a Flex Profile can

be added to the Site

Tag

TECEWN-2005 117


RF Profile

Pre-canned RF

profiles for Low,

Typical and High

Density on 2.4 and

5GHz

802.11, RRM and

Advanced RF features

TECEWN-2005 118


RF Tag2.4 RF Profile + 5 GHz RF Profile

Default RF Tag is a

combination of Global

Configurations on 2.4

and 5GHz

Custom RF Tags can

have Custom RF

Profiles for 2.4 and

5GHz Band

TECEWN-2005 119


Tagging Access Points

AP Tagging with

Policy, Site and RF

Tags

TECEWN-2005 120


Static assignment of AP

MAC address to Policy,

Site and RF Tags


Rule Based filter to

map AP MAC address

to Policy, Site and RF

Tags

Best Practices

Release 16.12


Best Practices

• Infrastructure• Security• RF Management• Apple Devices

• In Cisco IOS-XE Release 16.12 and higher

Catalyst 9800 Controller Migration

C9800AireOSWireless LAN

Controller


Wireless Controller Positioning and TransitionRefresh old 2504, 5508, 8510 to 9800 and position 9800 in new opportunities

Medium Campus

Large Campus C9800-80C9800-CL

C9800 for cloud

C9800-CLC9800 for cloud

150 to 1500 APs

1500 to 6000 APs

Up to 100 APs

3504 Wireless Controller

C9800-CLC9800 for cloud

100-150 APs

5508, 5520Wireless Controller

C9800-L

7510, 8510, 8540Wireless Controller

C9800-40

SMB, Small Campus and branch

2504 Wireless Controller

Distributed Branch, Small Campus

Embedded Wireless in Catalyst APsMobilityExpress

AireOS and C9800 coexistence


Catalyst 9800

AireOS to C9800 migration - Roaming

• Mobility Group provides seamless roaming between wireless controllers

• Mobility Group between AireOS and IOS-XE WLCs is only supported on:

• 3504, 5520, 8540 with 8.8.111 and higher

• 5508 and 8510 with 8.5.151 special

• This is because C9800 only support CAPWAP based mobility tunnels (Secure Mobility)

• Note: Secure Mobility is NOT supported on WISM2, 7510, 2500

Catalyst 9800Deployment

AireOS WLC

AireOS Deployment

Secure Mobility(CAPWAP)

AireOS8.8.111

8.5.151 S

TECEWN-2005 128


Catalyst 9800


• All client roaming between AireOS WLC and C9800 are L3 roaming

• The client session will be anchored to the first WLC that the client joined

• For centrally switched SSIDs it is IMPORTANT to map them to different VLANs on the two controllers, otherwise customer may see some dropped packets as user roam from C9800 to AireOS


AireOS WLC

AireOS Deployment


Seamless roaming*

AireOS8.8.111

8.5.151 S

TECEWN-2005 129



• For migration with older AireOS WLC it is necessary to use a 5520/8540/3504 to “bridge” the mobility gap and form a mobility group with the C9800

AireOS Deployment(8.8.111+ or

8.5.151)

Catalyst 9800


Seamless roaming

WISM2

WISM2 AireOS Deployment

Seamless roaming


EOIP-basedMobility

AireOS8.8.111

8.5.151 S

Seamless roaming not supported TECEWN-2005 130


AireOS to C9800 migration - Mobility Group

• Configure both sides to create the mobility tunnel

• IMPORTANT: Secure Mobility (CAPWAP Control Plane encryption) must be always enabled on AireOS. Data Link encryption is optional. Group name must match for seamless mobility

• Hash is needed only is peering with a C9800-CL (VM). To get the hash, use the following CLI on the C9800: “show wireless management trustpoint”

Secure Mobility needs to be ENABLED

Data Encryption is optional

C9800 AireOS

TECEWN-2005 131


Catalyst 9800

AireOS to C9800 migration - Guest

• For Guest, AireOS WLC running 8.8.111 and higher can talk both tunneling protocols

• It can provide Guest Anchor functionalities for both the new C9800 based deployments and the legacy AireOS based network


AireOS WLC

AireOS Deployment

EOIP-basedMobility

AireOS Guest Anchor

AireOS8.8.111

Also supported on AireOS 8.5.151 Son 5508 and 8510


TECEWN-2005 132


Catalyst 9800

AireOS to C9800 migration - common RF Group

AireOS WLC

common RF Group

name

AP group = Floor1RF tag = Floor2

Policy tag = Floor 2

RRM works in a mixed controller environment and we can have one RF master:

• C9800 and AireOS controllers can create one RF domain and share a common RF plan

• The RF group name on both AireOS and C9800 controllers needs to match

• 8.8 is required on AireOS (8.8.111 recommended)

• A RF leader is elected (based on controller capacity) and common channel and power plan will be used for all APs

• APs will be not show up as rogue on the other controller

• NOTE: in a scenario where you want to have custom RF profiles or enable FRA, then the leader ( e.g. C9800 controller) needs to have Policy and RF tags matching the names of the AP Group names on AireOS WLC. Of course the settings of RF profiles on both controllers need to match as well.

CAPWAP tunnel

RF tag = Floor2Policy tag = Floor2

RF tag = Floor1Policy tag = Floor1

RF Leader

AP Group = Floor1

TECEWN-2005 133


Things to keep in mind:

• Make sure the AP can join the C9800 (W1/W2/AX APs)

• To move the AP from AireOS to C9800:

from GUI:

from CLI: “capwap ap primary-base <name> <IPaddress>”

• The first time you move an AP from AireOS to C9800 (or vice versa), the AP will download the new image, reboot and join the new controller

• If the AP has the image as a backup because had already joined that controller, then there is no download

AireOS to C9800 migrationMoving APs between Controllers

SW download

Catalyst 9800

AireOS WLC

common RF Group

name

AP group = Floor1RF tag = Floor2

Policy tag = Floor 2

CAPWAP tunnel

RF Leader

AP migration should happen in chunks (floor or roaming domain/building)

TECEWN-2005 134

Migration Tools


Migration tool

• Migration tool is now alive and managed by TAC

• Tool is available here https://cway.cisco.com/tools/WirelessConfigConverter/

Tool provides following config:• Translated• Unmapped• Unsupported• Not Applicable

• AireOS CLIs and the correspondent translated IOS-XE commands

• Always recommended to analyze the translated config before paste it

TECEWN-2005 136

https://cway.cisco.com/tools/WirelessConfigConverter/


AireOS Config Translator

137TECEWN-2005

To access the tool, go under Configuration > Services > AireOS Config Translator


Migration from AireOS WLC to C9800 with DNAC

• It covers AireOS to C9800 migration using DNAC

• Step by step configuration

• Note: DNAC only learns a subset of configurations from AireOS, the ones that are mapped to the Design flow

• Direct link

TECEWN-2005 138

https://www.youtube.com/watch?v=Z_vdG2MJXoY

Migration using Prime


AireOS Config Translator on PI 3.5

1 Select Source and Target Wireless Controllers

TECEWN-2005 140



2 Translate and Verify/Update Passwords, Shared Secrets, IP and ports

TECEWN-2005 141



Configuration pushed to Wireless Controller after “Deploy”

Deploy Translated and Updated Configuration 3

TECEWN-2005 142



Discover Templates from migrated Wireless Controller 4

TECEWN-2005 143

Catalyst 9800 Wireless Controller is ready for prime time!


Cisco Catalyst 9800 Wireless Controllers

Cisco Catalyst 9100 Access Points

Cisco’s Next Gen Wireless Stack is Ready for Scale Deployments

145TECEWN-2005

Enabling next-generation mobility powered for Wi-Fi 6

Resilient Secure Intelligent

Translate business intent into network policy and capture actionable insights

Cisco DNA Center Cisco DNA Spaces

Digitize people, spaces and things

Managed by Digitized by


Don’t miss the Cisco Wireless book!

It’s an e-book and you can download it from herehttps://www.cisco.com/c/dam/en/us/products/collateral/wireless/nb-06-wireless-wifi-starts-here-ebook-cte-en.pdf

TECEWN-2005 146

https://www.cisco.com/c/dam/en/us/products/collateral/wireless/nb-06-wireless-wifi-starts-here-ebook-cte-en.pdf

Additional Resources

• Deployment guides

• Configuration Examples and Tech notes

• Cisco Wireless YouTube channel

https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-configuration-examples-list.html

https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-technical-reference-list.html

https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-configuration-examples-list.html

https://www.youtube.com/channel/UC71Fsxeo3aLgQuUZCHSqFog


References for Compatibility Matrix

• Compatibility Matrix https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

• https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/products-device-support-tables-list.html

• Recommended IOS XE releases https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html

• Recommened AireOS releases https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

And TAC Recommended releases

TECEWN-2005 148

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/products-device-support-tables-list.html

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

Mobility Learning Maps

#CLEMEA

MOBMobility Track

11:00

BRKEWN-2010Introduction to Next Generation Wireless

Stack

09:00Opening Keynote

14:30

LTREWN-2030Hands-on Solutions

Lab on Catalyst Wireless 9800

Controllers

17:00Guest Keynote

18:30Cisco Live

Celebration

09:00

BRKEWN-2027Design and

Deployment of Outdoor Wireless

Networks

11:00

BRKEWN-2020Cisco SD-Access

Wireless Integration

14:45

BRKEWN-2016Design and Deployment

of Wireless for Branch and Remote Offices

08:30

BRKEWN-2670Introduction to Cisco

Catalyst 9800 Wireless Controller

08:30

BRKEWN-2003Optimize your WLANs

for Small and Mobile Devices (Phones, Tablets and alike)

Every day

LABEWN-1098Walk in Lab: IOS-XE Embedded WLC on

AP 9100 series

Every day

LABEWN-1038Walk in Lab: Migrate

from AireOS to Cat9800 (IOS-XE)

Portfolio & Design

#CLEMEA

11:00

BRKEWN-3010Cisco Catalyst RF Innovations, WiFi6

and Beyond!


14:30

BRKEWN-2017RF Fundamentals

from WiFi to WiFi6 (11ax) Wireless

Networks

17:00Guest Keynote

18:30Cisco Live

Celebration

16:45

BRKEWN-24397 New ways to Fail as

a Wireless Expert...

08:30

BRKEWN-3010Cisco Catalyst RF

Innovations, WiFi6 and

Beyond!

14:45


from WiFi to WiFi6

(11ax) Wireless

Networks

RF Optimization

MOBMobility Track

#CLEMEA


14:30

BRKEWN-2006Advancements in Wireless Security

17:00

BRKEWN-2005Securely Designing Your Wireless LAN

for Threat Mitigation, Policy and BYOD

17:00Guest Keynote

18:30Cisco Live

Celebration

14:45

BRKEWN-2014Be my guest! -

Design and Deploy Wireless Guest

Access that Works

11:15

BRKWEN-2028Meraki Wireless under the hood

Security

MOBMobility Track

#CLEMEA

09:30

LTREWN-2673Lab: Build your

Wireless Network Programmability & Telemetry solution

from scratch!


17:00

BRKEWN-2050Telemetry and

Programmability in the Next Generation

Wireless Stack

17:00Guest Keynote

18:30Cisco Live

Celebration

14:45

BRKEWN-2033Next generation WifiNetworks enhanced

with Cisco DNA Analytics and

Machine Learning

16:45

BRKEWN-2034Cisco DNA Wireless

Assurance: Isolate problems for faster

troubleshooting

11:15

BRKEWN-2026Wireless Network

Automation with Cisco DNA Center

Management, Analytics & Assurance

MOBMobility Track

#CLEMEA

Opening Keynote 09:00

14:00

PSOEN-2817Cisco DNA Spaces -

Wi-Fi as a behavior sensor enabling

business outcomes

Every day

17:00

BRKEWN-2012Design and Use

Cases of a location enabled Wi-Fi

network, supported by Cisco DNA Spaces

LABEWN-2127Walk in Lab:

Integration of DNA Spaces with Aironet and Catalyst Based

wireless networks

Services

MOBMobility Track

#CLEMEA

Every day

LABEWN-1505Cisco 9800 Controllers

- Understanding, deploying and

troubleshooting


17:00Guest Keynote

18:30Cisco Live

Celebration

09:00

BRKEWN-3013Advanced

Troubleshooting of Cisco Catalyst 9800 Wireless Controller

11:00

BRKEWN-3011Advanced

Troubleshooting of Wireless LANs

16:45

BRKEWN-2480Plan, design and

troubleshoot your Cisco DNA driven 9800 WLC wireless network: Best Practices and lessons

learnt from the field

14:45

BRKEWN-2809The Final Fails. 6 for

(WiFi) 6

Troubleshooting

MOBMobility Track

#CLEMEA

MOBMobility Track

11:00

BRKEWN-2010Introduction to Next Generation Wireless

Stack


14:30

LTREWN-2030Hands-on Solutions

Lab on Catalyst Wireless 9800

Controllers

17:00Guest Keynote

18:30Cisco Live

Celebration

09:00

BRKEWN-2027Design and

Deployment of Outdoor Wireless

Networks

11:00

BRKEWN-2020Cisco SD-Access

Wireless Integration

14:45

BRKEWN-2016Design and Deployment

of Wireless for Branch and Remote Offices

08:30

BRKEWN-2670Introduction to Cisco

Catalyst 9800 Wireless Controller

08:30

BRKEWN-2003Optimize your WLANs

for Small and Mobile Devices (Phones, Tablets and alike)

Every day

LABEWN-1098Walk in Lab: IOS-XE Embedded WLC on

AP 9100 series

Every day

LABEWN-1038Walk in Lab: Migrate

from AireOS to Cat9800 (IOS-XE)

Portfolio & Design

FRITHUWEDTUE

https://www.ciscolive.com/emea/learn/sessions/content-catalog.html?search=KEY-1001%20LABEWN-1098%20LABEWN-1038%20BRKEWN-2010%20LTREWN-2030%20BRKEWN-2670%20BRKEWN-2020%20BRKEWN-2016%20BRKEWN-2003%20KEY-1002%20BRKEWN-2027#/

#CLEMEA

MOBMobility Track

11:00

BRKEWN-3010Cisco Catalyst RF Innovations, WiFi6

and Beyond!


14:30


from WiFi to WiFi6 (11ax) Wireless

Networks

17:00Guest Keynote

18:30Cisco Live

Celebration

16:45

BRKEWN-24397 New ways to Fail as

a Wireless Expert...

08:30

BRKEWN-3010Cisco Catalyst RF

Innovations, WiFi6 and

Beyond!

14:45


from WiFi to WiFi6

(11ax) Wireless

Networks

RF Optimization

THUWEDTUE

https://www.ciscolive.com/emea/learn/sessions/content-catalog.html?search=KEY-1001%20BRKEWN-3010%20BRKEWN-2017%20BRKEWN-2439%20KEY-1002%20BRKEWN-2013&search.day=20200127&search.day=20200128&search.day=20200129&search.day=20200130&search.day=20200131#/

#CLEMEA

MOBMobility Track


14:30

BRKEWN-2006Advancements in Wireless Security

17:00

BRKEWN-2005Securely Designing Your Wireless LAN

for Threat Mitigation, Policy and BYOD

17:00Guest Keynote

18:30Cisco Live

Celebration

14:45

BRKEWN-2014Be my guest! -

Design and Deploy Wireless Guest

Access that Works

11:15

BRKWEN-2028Meraki Wireless under the hood

Security

THUWEDTUE

https://www.ciscolive.com/emea/learn/sessions/content-catalog.html?search=KEY-1001%20BRKEWN-2006%20BRKEWN-2005%20BRKEWN-2014%20BRKEWN-2028%20KEY-1002&search.day=20200127&search.day=20200128&search.day=20200129&search.day=20200130&search.day=20200131#/

#CLEMEA

MOBMobility Track

09:30

LTREWN-2673Lab: Build your

Wireless Network Programmability & Telemetry solution

from scratch!


17:00

BRKEWN-2050Telemetry and

Programmability in the Next Generation

Wireless Stack

17:00Guest Keynote

18:30Cisco Live

Celebration

14:45

BRKEWN-2033Next generation WifiNetworks enhanced

with Cisco DNA Analytics and

Machine Learning

16:45

BRKEWN-2034Cisco DNA Wireless

Assurance: Isolate problems for faster

troubleshooting

11:15

BRKEWN-2026Wireless Network

Automation with Cisco DNA Center

Management, Analytics & Assurance

THUWEDTUE

https://www.ciscolive.com/emea/learn/sessions/content-catalog.html?search=KEY-1001%20LTREWN-2673%20BRKEWN-2050%20BRKEWN-2033%20BRKEWN-2034%20BRKEWN-2026%20KEY-1002&search.day=20200127&search.day=20200128&search.day=20200129&search.day=20200130&search.day=20200131#/

#CLEMEA

MOBMobility Track

Opening Keynote 09:00

14:00

PSOEN-2817Cisco DNA Spaces -

Wi-Fi as a behavior sensor enabling

business outcomes

Every day

17:00

BRKEWN-2012Design and Use

Cases of a location enabled Wi-Fi

network, supported by Cisco DNA Spaces

LABEWN-2127Walk in Lab:

Integration of DNA Spaces with Aironet and Catalyst Based

wireless networks

Services

TUEMON

#CLEMEA

Every day

LABEWN-1505Cisco 9800 Controllers

- Understanding, deploying and

troubleshooting


17:00Guest Keynote

18:30

Cisco Live Celebration

09:00

BRKEWN-3013Advanced

Troubleshooting of Cisco Catalyst 9800 Wireless Controller

11:00

BRKEWN-3011Advanced

Troubleshooting of Wireless LANs

16:45

BRKEWN-2480Plan, design and

troubleshoot your Cisco DNA driven 9800 WLC wireless network: Best Practices and lessons

learnt from the field

14:45

BRKEWN-2809The Final Fails. 6 for

(WiFi) 6

Troubleshooting MOBMobility Track

FRITHUWEDTUE

Complete your online session survey • Please complete your session survey

after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.

• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco PublicTECEWN-2005 162

https://www.ciscolive.com/emea.html

http://ciscolive.com/


Related sessions

Walk-In LabsDemos in the Cisco Showcase

Meet the Engineer 1:1 meetings

Continue your education

163TECEWN-2005

Thank youThank you

Introduction to Cisco Catalyst 9800 Wireless - Cisco Live

Documents