Cisco Tech Club Webináře · 2/18/2020 · Resilient • Software updates with minimal...

Cisco Tech Club Webináře

On-line každých 14 dní

Jaroslav Čížek, CiscoÚnor 2020

AP C9100, WLC C9800, PI/DNAC, DNA Spaces

Nové Cisco portfolio pro bezdrátové sítě

Cisco TechClubWebináře

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

• Úvod, trendy v bezdrátových sítích• Intent-based Networking, Cisco Next-Gen Wireless Stack, Wi-Fi 6 / 802.11ax, WPA3

• Cisco Next-Generation Wireless Stack• WLAN klienti – partnerství s výrobci koncových zařízení, Samsung Analytics

• Cisco AP C9100, Cisco WLC C9800

• Cisco Prime Infrastructure, Cisco DNA Center, Cisco DNA Spaces

• Vybrané technické detaily• Postupná migrace z AireOS (WLC5520/3504/5508) na IOS-XE (C9800)

• Doporučené verze AireOS / IOS-XE, PI / DNAC, DNA Spaces

• Shrnutí

Agenda

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco PublicALL the domains must cooperate to meet business intent

Cisco’s Vision: Enable Intent-based Networking Everywhere

Users & Devices

• Identify and onboard everything

• Authenticate and authorize access

Multi-Cloud

• Deliver application experience

• Secure internet and cloud access

SDAccess

(Cisco DNA Center)

SDNDC

(Cisco APIC)

SDWAN

(Cisco vManage)

Data & Applications

• Automate resources and workloads

• Prevent data breaches


Principles of Intent-Based Networking

Powered by IOS-XE

Physical and VirtualInfrastructure

ASIC

Applications

APIs

Domain Controllers

Cisco DNA Center

Automation, built-in security, streaming telemetry, rich analytics, programmability

Custom ASICs, Virtualization

Modular, scalable, highly available OS

5


Introducing Cisco’s Next Gen Wireless Stack

6


Access SwitchesAccess Points Core Switches Wireless Controller

9200/9300/9400

Catalyst Catalyst9500/9600 Series

Catalyst9800 Series

The Full Experience End to End

Catalyst9100 Series

Most comprehensive mGig portfolio

Wi-Fi 6

Campus Optimized 25G/40G/100G

Industry’s only modular WLC with 40G/100G

uplinks

Wi-Fi 6, 802.3bt Ready

48P 5G + 25G/40G uplinks

Wi-Fi 6

Wi-Fi 6

Wi-Fi 6

Built for Intent-based networking

Security AnalyticsAutomation

Cisco Catalyst - End-to-end leadership Enabling next-generation Wi-Fi 6 mobility


Higher data rates

• 1024-QAM for up to 9.6 Gbps per radio and single-antenna speeds of 1.2 Gbps

• 8x8:8SS

• Enables next-generation 4K/8K and AR/VR video

• 3x to 4x more throughput than 802.11ac via OFDMA

• Up to 4x capacity gain in dense scenarios with BSS coloring

• Multiuser MIMO gains on all client types

Increase in overall network capacity

• Scheduled uplink and downlink OFDMA for deterministic “cellular-like” latency, reliability, and QoS

• Optimized for IoT scale with hundreds of devices per AP

Reduced latency and greater reliability

• Up to 3x better battery life with Target Wake Time (TWT)

• New coding structure and signaling procedures for better transmit and receive efficiency

Improved power efficiency

For more information, see: https://www.cisco.com/c/en/us/products/collateral/wireless/white-paper-c11-740788.html

Wi-Fi 6 / IEEE 802.11axExperience: What is the big deal?

https://www.cisco.com/c/en/us/products/collateral/wireless/white-paper-c11-740788.html


Wi-Fi 6 is here and now

9

2018

Wi-Fi 6 WFA Certification

C9115AX, C9117AX, C9120AX

First Wi-Fi 6 device:

Samsung Galaxy S10

First Wi-Fi 6 laptops powered by Intel: HP, Dell

Samsung Galaxy

Note 10

Apple iPhone 11

Microsoft Surface Pro 7

Surface Laptop

C9130AX

Apr2019 Feb Jun OctSepJul Aug Nov 2020

IEEE 802.11ax Ratification


Wi-Fi Protected Access (WPA) 3Coming up with AireOS, IOS-XE and 802.11ac W2 and Wi-Fi 6 APs

New Wi-Fi Alliance (WFA) certification

It certifies new security options defined in the IEEE 802.11-2016 standard

3 main innovations:

o Simultaneous Authentication of Equals (SAE) for WPA3-Personal (a variant of the Dragonfly handshake, resistant to offline dictionary attacks)

o Protected Management Frame (PMF) now mandatorywith WPA3 (already available but not always enforced)

o 192-bit security equivalent for WPA3-Enterprise(256-bit AES-GCM + 384-bit elliptic curves + SHA384 + 3072 bits RSA keys)

WPA3-Personal = WPA3 PSK based SSIDWPA3-Enterprise = WPA3 802.1X based SSID

10

WPA3 Mandatory Features

• Simultaneous Authentication of Equals (SAE)

• PSK replacement / Offline attack resistance

• Protected Management Frames (PMF)

• KRACK Testing

WPA3 Optional Features

• Suite B Cryptography

Wi-Fi Certified Enhanced Open

• Opportunistic Wireless Encryption (OWE)

• Encryption for Open SSIDs

Wi-Fi Certified Easy Connect*

• Device Provisioning Protocol (DPP)

• Setup for devices with no UI / IoT


Cisco Next-GenerationWireless Stack


Catalyst 9100 Access Points

Catalyst 9800 Wireless Controllers

DNA Automation & Assurance

DNA Spaces

Shipping

Next Generation Cisco Wireless Stack – Resilient, Secure & Intelligent

WLAN Campus of the FutureNext-Gen Cisco Wireless Stack Designed for Wi-Fi 6

Wi-Fi 6 Clients are here Today! ~300 Clients in Cisco Interop Testbed

Wi-Fi 6 Clients

DNA Assurance helps with Wi-Fi 6 Migration, Troubleshooting & Analysis

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

v

Increasing Wi-Fi adoption

13

Cisco partners with major manufacturers to provide the best device experience

• Client & network interoperability

• Maximize performance increase

• Consistent & Reliable

• Improved power efficiency

• Client network analytics

• A client-centric view to DNAC Assurance

• Improve Wi-Fi roaming

• Performance: 5x faster Wi-Fi & cellular handoff

• Enable partners to integrate with Cisco autonomously

• Standards + features across multiple client devices

• TTM Differentiation • Grow Wi-Fi market

Best Wi-Fi 6 standards solution

Differentiation through standards +

Open Partner Framework


Device ecosystem: Samsung Analytics

14

Client classification Client onboarding

Client roaming Wi-Fi coverage*

Device Type | SW-OS | Firmware version | Tx Power

Adaptive 11r : Samsung clients support 11r on Adaptive 11r SSIDClient-side forensics: Leverage client authentication failures while roaming

Client-side forensics: Leverage client onboarding state machine failures to root cause issues

Client RF View: Use client’s RF to draw coverage view

*Roadmap


Cisco’s Next Gen Wireless Stack

15

More resilient, more secure and intelligent than ever before

Intelligent

• Enhanced analytics with Cisco DNA

• Spectral Intelligence

• Deploy in infrastructure of choice and cloud of choice

Secure

• Detect encrypted threats with Encrypted Traffic Analytics (ETA)

• WPA3 support

• Software Define Access

• Multi Lingual Radio

Resilient

• Software updates with minimal disruption: ISSU, Rolling AP Upgrades, Hot patching

• Deterministic capacity at scale

• Superior battery life for IoT andmobile devices

Delivering the best experience Extending Cisco’s

Intent-based network Leadership in RF innovation

Powered by Cisco IOS® XEOpen and programmable

Powered by Wi-Fi 6 technologySuperior RF experience

Cisco Catalyst 9100Access Points

Cisco Catalyst 9800 Wireless Controllers


Cisco® Catalyst® 9100 Increased capacity with Wi-Fi 6 technology

Resiliency• Superior battery life for IoT and mobile devices

• Steady performance in demanding environments

Integrated security• WPA3, Trustworthy systems

• Multi-lingual AP with RF snapshots

Intelligent• Analytics for iOS and enhanced Cisco DNA Assurance

• Container support to host IOT applications

Platform benefits

Delivering RFinnovations

Expanding the device ecosystem

Extending Cisco’s intent-based network

Next-generation Cisco Catalyst access pointsReady for next-generation applications and devices


Mission criticalIdeal for small to medium deployments Best in ClassPowered by Cisco RF ASIC

Cisco DNA Assurance withiCAP

Integrated or external antenna SKUsBluetooth 5 USB

9117AX

• 8x8 + 4x4• MU-MIMO, OFDMA (only DL)• 1 x 5 mGig• Spectrum intelligence• Integrated Antenna only

9115AX

• 4x4 + 4x4• MU-MIMO, OFDMA• 1 x 2.5 mGig• Spectrum Intelligence

9120AX

• 4x4 + 4x4• MU-MIMO, OFDMA• 1 x 2.5 mGig• Cisco RF ASIC for Next gen CleanAir• Dual 5GHz, Next Gen HDX• RF L1 details• IoT ready (Zigbee)• Application Hosting

9130AX

• 8x8 + 4x4 or 4x4 + 4x4 + 4x4• MU-MIMO, OFDMA• 1 x 5 mGig• Cisco RF ASIC for Next gen CleanAir• Tri-radio: Dual 5GHz + 2.4GHz• RF L1 details• IoT ready (Zigbee)• Application Hosting• Full iCap with data packets• First 8x8 AP with external antennas

NEW

New Cisco Catalyst 9100 Series Access PointsBest in Class Wi-Fi 6 technology


Cisco RF ASIC

Catalyst 9120 & 9130 Access Point powered by Cisco RF ASICEmbedded with superior analytics and security for mission critical deployments

*Roadmap© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Clean Air, Off-channel RRM, FRA

Dual Filter DFS,Zero-Wait DFS*

WIPS/WIDS/Rogue Detection

RF Signature Capture*

Fast Locate w/o performance

impact

Optimised Roaming for mobile devices


C9130AXi/e C9120AXi/e

19

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco PublicCleanAir on C9120/9130AX


• Off Channel Scanning - legacy AP (anything with 2 radio interfaces today)

• All Channels must be scanned EVERY 180s within 3 Minutes

• Dwell time is 50 ms, 10 ms for channel change = 60 ms off channel

• 180s / 25 Channels = off channel dwell every 7.2s

• Off Channel Scanning for WSSI/WSM module and 4800 AP

• Continuous cycle 1200 ms Dwell across 2.4 and 5 GHz

• Supports RRM, aWIPS/WIDS, Rogue, FastLocate, CleanAir

• Serving Radio still required for NDP* Tx off channel as the module/third radio has no active transmitter

Spectrum Management Requires DataOff Channel Scanning – on Every Cisco AP

OffChannel RRM

Catalyst AP with RF ASIC:All the above!

Plus: Better radios, Custom ASIC, Tx for NDP, and more…*Neighbor Discovery Protocol


High-Density Client Test- ResultsCisco Wi-Fi 6 vs Wi-Fi 5 APs

Cisco 9100 series APs have clear advantage over Cisco Wave 2/Wi-Fi 5 APs

Cisco 9120AX overperforms Cisco

AP2800 by 25%

OffChannel RRM


▪ Pervasive 2.4 GHz and 5 GHz coverage (default mode)

Why Dual 5 GHz and FRA*?

5GHz

Serving

2.4GHz

Serving

▪ High Density Client Performance improvements

▪ Maximum over the air data rate up to 5.2 Gbps

5GHz

Serving

5GHz

Serving

• PROBLEM: You designed a network for dense 5 GHz coverage, now you have too many 2.4 GHz radios(2.4 GHz range is approx. 1.5x farther)

• Prior to dual 5 GHz/FRA your only option was to disable these radios.

• Disabling the radio provides no value other than making the 2.4 GHz spectrum manageable. → you effectively wasted ½ the functionality of the Access Point crippling it to 5 GHz only.

*Flexible Radio Assignment

Dual Band

Dual 5GHz

BENEFIT of Dual 5 GHz/FRA: allows the AP to run at 100%, increasing network capacity

& performance


Catalyst 9100 Series Flexible power options: 802.3af support for ALL Wi-Fi 6 APs

* If USB is enabled 5GHz will be reduced to 4x4

AP Model Power source Power Type 2.4 GHz Radio 5 GHz Radio Link Speed USB Power Draw

C9130AXI / C9130AXE 802.3at PoE+ 4x4 8x8 5G OFF 25.5W

C9130AXI 802.3at PoE+ 4x4 4x4 5G ON 25.4W

C9130AXI / C9130AXE 802.3bt UPoE 4x4 8x8 5G ON 30.5W

C9130AXI / C9130AXE 802.3af PoE 1x1 1x1 1G OFF 13.4W

C9120AXI 802.3at PoE+ 4x4 4x4 2.5G ON 25.5W

C9120AXE 802.3at PoE+ 4x4 4x4 2.5G ON 25.5W

C9120AXI / C9120AXE 802.3af PoE 1x1 1x1 1G OFF 13.4 W

C9120AXI / C9120AXE 802.3af PoE 2x2 N 1G OFF 13.4 W

C9120AXI / C9120AXE 802.3af PoE N 2x2 1G OFF 13.4 W

C9115AXI / C9115AXE 802.3at PoE+ 4x4 4x4 2.5G ON 20.4W

C9115AXI / C9115AXE 802.3af PoE 2x2 2x2 1G OFF 15.4W

C9117AXI 802.3bt UPoE 4x4 8x8 5G ON 28.9W

C9117AXI 802.3at PoE+ 4x4 8x8 5G OFF* 25.4W

C9117AXI 802.3af PoE 2x2 2x2 2.5G OFF 13.5W

Reference

91

15

91

20

91

30

91

17


3 new antennas to support 8 port external antenna AP C9130AXE:

• 8-DART connector to simplify installation

• Self Identifying Antenna (SIA) circuitry to automate provisioning

• LED to mimic AP LED status

• New Industrial Design to match new 11ax APs

NEW - 8x8 SIA External Antennas for AP C9130

C-ANT9101= C-ANT9102= C-ANT9103=


NEW - Self Identifying Antennas for AP C9120

Product ID Description Gain Models*

AIR-ANT2524DW-RS/= 2.4 GHz 2 dBi/5 GHz 4 dBi Dipole Ant., White, connectors RP-TNC 2 dBi (2.4 GHz)

4 dBi (5 GHz)9120E9120P

AIR-ANT2535SDW-RS/= 2.4 GHz 3dBi/5 GHz 5 dBi Low Profile Antenna, White, connectors RP-TNC3 dBi (2.4 GHz)

5 dBi (5 GHz)

9120E9120P

AIR-ANT2566P4W-RS= 2.4 GHz 6 dBi/5 GHz 6 dBi Directionnel Ant., 4-port, connectors RP-TNC6 dBi (2.4 GHz)

6 dBi (5 GHz)

9120E9120P

AIR-ANT2524V4C-RS= 2.4GHz 2 dBi/5GHz 4 dBi Ceiling Mount Omni Ant., 4-port, connectors RP-TNC2 dBi (2.4 GHz)

4 dBi (5 GHz)

9120E9120P

AIR-ANT2544V4M-RS= 2.4GHz 4 dBi/5GHz 4 dBi Wall Mount Omni Ant., 4-port, connectors RP-TNC 4 dBi (2.4 GHz)

4 dBi (5 GHz)

9120E9120P

AIR-ANT2566D4M-RS= 2.4 GHz 6 dBi/5 GHz 6 dBi 60 Deg. Patch Ant., 4-port, RP-TNC 6 dBi (2.4 GHz)

6 dBi (5 GHz)

9120E9120P



27


Intelligent




Secure


• WPA3 support



Resilient











Cisco Catalyst 9800 Series Wireless Controllers

28

Cisco DNA CenterTranslate business intent into network policy and capture actionable insight with Cisco DNA Center

Cisco Catalyst 9800-40Cisco® Catalyst® 9800-80 Cisco Catalyst 9800-L

Works with Cisco Aironet 802.11ac Wave 1, Wave 2 and 802.11axCatalyst 9100 access points

*Supports 802.11ac Wave 2 access points as client serving

Cisco Catalyst 9800 Series Wireless Controllers for Catalyst 9000 switches

Cisco Embedded Wireless Controllerfor Catalyst 9100 access points

Cisco Catalyst 9800 for Cloud


Cisco Catalyst 9800-L Wireless Controller

29

Up to 250 APs Up to 5,000 Clients 5 Gbps

Console

Port

USB

3.0

SP/RP

Ports

10 GE mGig

Ports4x 1GE/2.5GE mGig Ports

NEW – Performance License (500 APs, 10k clients, up to 9 Gbps)


Embedded Wireless Controller on Catalyst 9100 Ready for Enterprise deployments

Use Mobile App, WebUIand DNA-C to Deploy, Manage and Monitor

Flexible Management Options

HA, SMU, aWIPS, Umbrella, NetFlow, ICAP

Supports Advanced Enterprise Feature Set

Modern OS, scalable, open and programmable, supports telemetry

Runs C9800 IOS-XEWireless Controller on Catalyst Access Points

Migrate Access Points to controller for more than 100 Access Points

Investment Protection

IOS-XE 16.12.2 with Cisco DNA-C 1.3.2


Deploying Cisco Embedded Wireless Controller

• EWC capable Access Points can be connected to an access port or a trunk port on the switch depending on the deployment method• Management traffic is always untagged

Embedded Wireless Controller for Catalyst 9100 Series

EmployeeContractor Guest

VLAN 10

If Access Points and WLANs are all on different VLANs, EWC capable Access Points will connect to a trunk port on the switch and traffic for individual WLANs will be switched locally.

If Access Points and WLANs are all on the same network, EWC capable Access Points can connect to an access port on the switch port.

Pros: SimpleCons: Less Flexible

Pros: Flexible, Secure Cons: More configuration

EmployeeContractor Guest

VLAN 10

VLAN 20

VLAN 30

VLAN 40

31


Embedded Wireless Controller - WLAN Deployment Next-Gen Wi-Fi designed for Single or Multi-Site Small to Medium Size Enterprises

Single Office Distributed Office Distributed Enterprise

Mobile App or WebUI

Embedded Wireless Controller

DNA Center

AssuranceAutomationPolicy Security CMXISE

Embedded Wireless ControllerController in CampusEmbedded Wireless Controller

in Branch


AP support on ME and EWC-AP Deployments

ME APs Subordinate APs (no ME)

AIR-AP1815 C9100 (Release 8.9.111.0 +)

AIR-AP1832 AP1700/2700/3700 Series APs

AIR-AP1840 AP1800i

AIR-AP1852 AP1810w

AIR-AP2802 AP700 Series APs

AIR-AP3802

AIR-AP4802

AIR-AP1542

AIR-AP1562

APs Supported in Cisco AireOS Mobility Express

EWC APs Subordinate APs (no EWC)

C9100 (16.12.2 +) All C9100

AIR-AP1815

AIR-AP1832

AIR-AP1840

AIR-AP1852

AIR-AP2802

AIR-AP3802

AIR-AP4802

AIR-AP1542

AIR-AP1562

Cisco APs Supported in Cisco Catalyst EWC-AP

• Only C9100 APs can be EWC-AP i.e. running controller functionality• 11AC Wave2 APs can be subordinate APs • No EWC-AP support on 11AC Wave 2

• Only 11AC Wave2 APs can have ME functionality• C9100 Series and 11AC Wave1 APs can be subordinate APs• No AireOS ME on C9100 Series APs

Reference


Next-generation wireless infrastructure for any scale

34

Distributed branch and small campus Medium-sized campus Large campus

Cisco Catalyst 9800 Embedded Wireless*100 APs, 2000 clients

Cisco Catalyst 9800 Embedded Wireless**200 APs, 4000 clients

Cisco Catalyst 9800-L250 APs, 5000 clients, 5 Gbps

Cisco Catalyst 9800-CL***1000 APs, 10,000 clients

Cisco Catalyst 9800-402000 APs, 32,000 clients, 40 Gbps

Cisco Catalyst 9800-CL1000, 3000, or 6000 APs

10,000, 32,000 or 64,000 clients

Cisco Catalyst 9800-80 6000 APs, 64,000 clients 80 Gbps

Up to 100 APs Up to 250 APs Up to 1000 APs Up to 3000 APs Up to 6000 APs

*Supports Cisco FlexConnect® local switching only

**SD-Access only

***Cisco Catalyst 9800 for public cloud: Cisco FlexConnect only

ENCS

Reference



35


Intelligent




Secure


• WPA3 support



Resilient











Catalyst 9800 High Availability

36

Contain impact within releaseFixes for defects and security issues without need to requalify a new release

Faster resolution to critical issuesProvide fixes to critical issues found in network devices that are time-sensitive

Unplanned EventsDevice and network interruptions

✓ Stateful Switch Over with an active standby

✓ N+1 redundancy for always-on network, services and clients

Infrastructure UpdatesSoftware maintenance & AP updates

✓ Seamless software updates for wireless controllers and APs

✓ AP device pack and flexible per-site updates contain impact area

Software Image UpgradesWireless controller image upgrades

✓ N+1 rolling AP upgrades ensure seamless client connectivity

✓ Radio resource management automates group creation


Unplanned Events

37

Catalyst 9800 High Availability

Always on NetworkAPs continue to stay associated

Always on ServicesUninterrupted voice, video and data services

Always on ClientsUsers and end-points continue to stay connected

How it Works

✓ Upstream device and network interruptions trigger a switchover to maintain end-point connectivity

✓ Hot standby controller takes over in case of failure of an active controller

✓ Seamless connectivity with Stateful Switchover (SSO) for end-points


End-to-End Wireless Network Security

Air UsersDevices

Rogue intrusion detection and prevention - wIPS

Enhanced threat detection with ETA

Seamless BYOD onboarding with ISE

Standards compliance with WPA3• Enhanced security on open Wi-Fi

• Robust password protection

• Superior data protection

• Seamless customer migration

Identity-Based segmentation with SD-Access

Secure device management with MPSK and iPSK

38


Secure device management with MPSK and iPSKWLAN Endpoint Population

Guest IoT (Internet of Things) BYOD (Bring Your Own Device)

Employee Device (Organization Provided)

Level of Trust None Low Medium High

Control Low Low Medium High

Access Requirement Internet Internet and/or IoT Controller

Internet and/or Limited Internal

Full Access

Authentication method Open, WebAuth PSK PSK, 802.1X 802.1X


MAC-Filtering

wlan C9800-MPSK 1 C9800-MPSK

mac-filtering default

security wpa psk set-key ascii 0 Cisco123

no security wpa akm dot1x

security wpa akm psk

security wpa wpa2 mpsk

priority 0 set-key ascii 0 Cisco123

priority 1 set-key ascii 0 zD235o1M

priority 2 set-key ascii 0 Ktghmo9M

priority 3 set-key ascii 0 uTx6oDm1

priority 4 set-key ascii 0 PY9CK5tL

Secure device management with MPSK and iPSKMPSK (Multi-PSK)

• Can configure up to 5 different PSK per WLAN

• (Optional) ISE may be used for validating MAC address

• Supported with C9800 16.10.1, Embedded WLC on Catalyst AP

(AKA IOS-XE Mobility Express AP)16.12.2

Cisco ISEPSK WLAN

PSK=Cisco123

PSK= uTx6oDm1

PSK= PY9CK5tL

PSK= Ktghmo9M

PSK= Ktghmo9M

PSK= uTx6oDm1

PSK= PY9CK5tL

PSK= Ktghmo9M

PSK= zD235o1M

C9800 &Embedded WLC on

Catalyst AP


Secure device management with MPSK and iPSKiPSK (identity PSK) with optional P2P blocking

• Each endpoints associate to the single WLAN with it’s own PSK value,

Endpoints with same PSK value defines segmented network

• ISE provides mapping of MAC address to PSK

• Supported with AireOS 8.5, C9800 16.10.1, Mobility Express AP 8.8MR2,

Embedded WLC on Catalyst AP 16.12.2, Meraki MR 26.5

• P2P blocking requires AireOS Controller running 8.8 or C9800 Running 17.1

PSK WLAN

PSK= uTx6oDm1

PSK= Ktghmo9M

PSK= Ktghmo9M

PSK=Cisco123

PSK= PY9CK5tL

Cisco ISEAireOS WLC, C9800

MAC-Filtering

MAC= 20:C9:D0:2B:80:F7 PSK= PY9CK5tL

PSK= uTx6oDm1

PSK= Ktghmo9M

PSK= Ktghmo9MMAC= 50:C7:BF:BA:D9:75

MAC= 50:C7:BF:BA:D3:23

MAC= 9C:3D:CF:4A:72:4D

Group == Medical Cart PSK= zD235o1M

PSK= 8GB10vaqProfile == Smart TV


Complete control of your Day 0-N operations with open and programmable APIs

Day 0 Day 1 Day 2 Day N

Onboarding

Zero touch provisioning

Plug and Play

Configuration

YANG data modelsConfiguration protocols,

NETCONF, RESTCONF, ..

Monitoring

Streaming telemetryNETCONF, gRPC, gNMI

Optimization

Guest shell(on-box Python)

EEM Scripts

Provisioning Automation^

Model drivenprogrammability

Model driventelemetry

Software imagemanagement

^FutureIOS XE Programmability Book: http://cs.co/programmabilitybookAutomated Backup SSID with EEM on C9800 Wireless Controllers: https://community.cisco.com/t5/wireless-mobility-documents/automated-backup-

ssid-with-eem-on-catalyst-9800-wireless/ta-p/3743838

http://cs.co/programmabilitybook

https://community.cisco.com/t5/wireless-mobility-documents/automated-backup-ssid-with-eem-on-catalyst-9800-wireless/ta-p/3743838


Cisco DNA CenterCisco Prime Infrastructure


Network complexity and High costs of operation

Too many tools

Offers fragmented visibility

Reactive SystemsPlaying catch up analysis after the problem

$60B Annually spent on network operations, labor, and tools1

75%of OpEx is spent on

changes and troubleshooting

Legacy Approach

SNMP based polls; no real-time visibility

Limited InsightsYour report vs my report

1Cisco McKinsey Study


Intent base Network Management

• No events/alarms, but insights and impact analytics with Guided remediation

• Automation, day0, day1, day2

• Policy and segmentation control

• Software update (ITSM, Compliance)

• Network telemetry data collection

• Baselining over time, baseline against others

• No manual configuration required

• API and Business API

Traditional Network Management

• Software Image Distribution

• Configuration Archive/Backup

• Templating for Automation

• Reporting

• Assurance

• Events

• Tons of data, but not enoughinsights

• Semiclosed system with predefinedconfigurations

Prime InfrastructureCisco DNA

Center

Cisco DNA Center


Operating Model with Prime – DNAC Co-existence

Prime DNAC

• Network wide reports• Alarms and

Notifications for the network

• Maps and day 2 changes

• Configuration management of network changes

• Adv troubleshooting with granular data

• Sensor based proactive troubleshooting

• iCAP and Packet troubleshooting

• ML/AI • CMX integration

Cisco Prime Infrastructure to Cisco Digital Network Architecture (DNA) Center Co-existence Guide

https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-8/migration/guide/bk_Cisco_Prime_Infrastructure_to_CiscoDNAC_Co-existence_Guide.html


Cisco DNA Center

Policy AssuranceDesignProvision

Physical and virtual infrastructure

Cisco and third party

Cisco DNA Center ApplianceComplete network management system• Single pane of glass for all devices

• End-to-end health information in real time

• Granular visibility

• Simplified workflows

Automation for provisioning• Zero-touch deployment

• Device lifecycle management

• Policy enforcement

Analytics for assurance • Verify intent of network settings

• Proactively resolve issues

• Reduce time spent troubleshooting

Platform for extensibility • Integrate APIs with third-party solutions

• Integrate and customize ServiceNow

• Evolve operational tools and processes

Cisco DNA Center


Cisco DNA Wireless AssuranceTroubleshooting Tool-kits for a Network operator

Active SensorTesting

iOS and SamsungAnalytics

Streaming Telemetry

AI NetworkInsight

Intelligent Capture Auto PCAPs

AI AnomalyBaselining

MachineReasoning

Active Sensor for Wireless Network SLA assessment

AI

Aironet 2800/3800/4800, C9xxx AP with Intelligent Capture


Network Health


Network Health


Network Health


Wireless Assurance


Wireless Assurance


Wireless Assurance


Client Health


Client Health


Client Health


Client Health


Wireless Active SensorSensor Tests






iOS and Samsung Analytics

• Samsung

• S10 Series (S10e/S10/S10+/S10 5G), Note10, Galaxy Fold

• Galaxy M10, M20, Galaxy Tab S5e, A10.1(2019)

• Apple

• iPhone 7

• iPad Pro 2017

• iOS 10

Wireless Client Insights

Device Profile

Client shares these details1. Model2. OS version

Wi-Fi analytics

Client shares these details1. BSSID2. RSSI3. Channel number

Assurance

Client provides disassociation reason code

Clarity into the reliability of connectivity

Insights into the client’s view of the network

Support per-device-group policies and analytics


Cisco AI Network Analytics

Intelligently define personalized ”network normal” using unified global telemetry collected

Increase signal-to-noise, improve issue relevancy, and accurately identify trends and root causes

Create automated resolution options for IT to act on based on machine reasoning algorithms

Visibility: Personalized Baselining

Insight: Intelligent Analysis

Action: Accelerated RemediationCisco DNA Center

vAI Network Analytics


Solving the Most common Wireless problems through AI/ML -

Focus on Client Experience

Wireless Onboarding Application Experience

Wireless User Failed to ConnectWireless User took too long to Connect

Wireless User’s Application throughput is declining

Excessive TimeExcessive Failures

Excessive DHCP Time

Excessive DHCP Failures

Excessive AAA Time

Excessive AAA Failures

Excessive Assoc. Time

Excessive Assoc. Failures

Total RadioMedia Application

Throughput

Cloud ApplicationSocial Application

Throughput

• Wi-Fi Onboarding Analytics

• Wi-Fi Radio Performance Analytics

• App Perf.Analytics on Wi-Fi network

Analytics and OutlierDetection on


Predictive Modelling

• Static thresholds can often lead to false positives and negatives

• Dynamic threshold generated based on predictive model

• Improves alert quality



Predictive Modelling

• Static thresholds can often lead to false positives and negatives

• Dynamic threshold generated based on predictive model

• Improves alert quality

• Correlation with other network issues

• Potential root cause analysis



Network HeatmapsCisco AI Network Analytics


Anomaly Detection

• Analyses trends and identifies changes in behaviour

• Automatically generated on a weekly basis

• Illustrates weekly trends over the previous month

• Links back to Network Heatmap and AP360 for additional contextual information



Cisco DNA Spaces


Cisco Wireless Network :

Connectivity + Digitization

See what’s happening at your spaces

Leverage digitization toolkits to act on insights

Drive business outcomes with partner apps and enterprise extensions

See

Act

Extend

Cisco DNA SpacesDigitizing Spaces: People & Things


Providing Insights and Enabling ExperiencesLine of Business ITOperations

Optimize OperationsEnterprise Integrations and Data Export

Employee Productivity Centralized Management

Drive Efficiencies Compliance

Reduce manual processes and save cost

End-to-End Monitoring and SLAs

Boost Satisfaction

Customer Acquisition & Loyalty

Improve Experience

Understand Visitor Behavior


Cisco DNA Spaces: SEE

Open Roaming

• Auto Onboarding to Guest Wi-Fi• Improved Guest Wi-Fi Experience

Cisco PI / DNA-C Integration

• Client Location• Intelligent Capture• Assurance• Rogue Location

DNA Spaces Cloud

• Behavior metrics• Right now metrics• Location hierarchy• Cloud Detect & Locate (Base)• Location Analytics (Base)• Report Export

73


Cisco DNA Spaces: EXTEND

Partner

• Partner Dashboard• Partner Stream (e.g. for Stanley)• Partner Firehose• SLA & Monitoring for APIs

App Center

• Advanced Analytics• Indoor Mapping and Wayfinding• Digital Signage• Asset Management• Productivity

And many more

Includes SEE

Customer• On-prem and cloud APIs• Customer Firehose• Streaming Data Export

Enterprise SoftwareExtend location data into enterprise software platforms such as CRMs, Data hubs, Analytics Platforms, Marketing clouds, etc.

74


Cisco DNA Spaces: ACT

Smart Captive Portals

• Acquire & identify visitors and map to enterprise identity

Applications

• Location Personas : Profile and segment

visitors based on at-location behavior

• Engagement Rules: Trigger notifications

to visitors & employees via multiple

channels

• DNA Spaces SDK: Coming Soon

• Edge Device Manager: Coming Soon

Cloud Detect & Locate (enhanced)

• RSSI location in Cloud• Cloud Location APIs• Cloud Location History (Coming Soon)

Hyperlocation• 1-3m accuracy with AP4800

Location Analytics (Advanced)• Zone based (Coming Soon)

Includes SEE and EXTEND

75


Vybrané technické detaily


• Link to public document: https://www.cisco.com/c/dam/en/us/products/collateral/security/at-a-glance-c45-741619.pdf

• As of November 2018, there are no plans to make an end-of-sale announcement for the 3504, 5520 and 8540 platforms within the next two years. This means that the EOS is currently anticipated to be at least three years away . Cisco’s standard practice is to support the hardware for an additional five years after EOS.

AireOS Statement of Direction

https://www.cisco.com/c/dam/en/us/products/collateral/security/at-a-glance-c45-741619.pdf


AireOS Mobility Innovations Journey

8.6 8.8 and 8.8MR1/2 8.7

• Scheduled AP upgrade

• Securing the Network protocols - CSDL

• MSP features

• Diagnostic Support bundle

• EoGRE enhancements

• Sensor AP 1800s

• Wave 2 11ac features

• Beacon Point Module

4800 AP Intro

Intelligent Capture

BLE Strategy

Infrastructure

• HA Monitoring Enhancement

• Encrypted Tunnel

• Cloud PnP Support

• Improved Web-authScale

Wave 2 AP features

• DNS Pre-auth ACL

• 802.1x on AP (EAP-TLS, EAP-PEAP )

• AUX Ethernet Port Enabled

• Flex Connect IOS Parity

ME Enhancements

8.8 Infrastructure

▪ Intelligent Capture

▪ P2P blocking with iPSK

▪ AVC PP – Zoom and Wi-Fi Calling

▪ AVC Engine and PP update

▪ Flex+Mesh Captive Portal

▪ Default DSCP assignment for Apps

▪ EoGRE enhancements

▪ Rate limiting with CoA

▪ Flex Connect IOS Parity

▪ ME enhancements

▪ Flex Auto-LAG

8.8 Security / CSDL

▪ ASLR - address space logical randomization

▪ Object Size checking library ( OSCL )

▪ IPv6 DNS Filtering for BYOD

8.8 MR1and MR2 Features

▪ WGB on Wave-2 APs- MR1

▪ IRCM between eWLC and Legacy WLC-MR1

▪ P2P blocking with iPSK on Flex Connect APs- MR2

▪ 4000 SSID scale on WLC – MR2

▪ FIPS Certification – MR2

▪ Additional ME enhancements –MR2

8.9 and 8.10

8.9 Wi-Fi 6 802.11ax AP support

• C9115/C9117/C9120

8.10 Oct 2019

• C9130, IW6300

• Wi-Fi6 Features –OFDMA, MU-MIMO, HE

• WPA3 (SAE, ENT, Enhanced Open)

• Mesh support for indoor w2 APs 1815/2800 (2017+) /3800 (2017+) /4800

• Air Time Fairness (ATF) for AP 2800/3800/4800/1560 and IW6300

• Intelligent Capture on ac w2 and ax APs


Migration Strategy to the Next-Gen WLAN Stack

Evaluation• Understand the advantages of NG stack

• Build the knowledge of NG stack

• Verify platform support

• Evaluate feature gaps

• Evaluate new licensing model

Design• Select the C9800 and AP platform and

chose the deployment mode

• Design for C9800 vs. AireOS WLC coexistence and AP migration areas

• Understand the gotchas

• Choose a Management Platform

Implementation• Check the Site Survey & Heat Map

• Replace the legacy APs

• Check switch PoE

• Lab validation

• Go-Live and Day 2 Support


AireOS and C9800 - coexistence and migration RF Group, Roaming, Guest


Cisco Recommended ReleasesCatalyst 9800 and AireOS Wireless Controllers

Access Points IOS-XE AireOS DNA-C Prime CMX ISE

C9115AX, C9117AX, C9120AX, C9130AX

16.12.2s 8.10.112.0 1.3.1.4 3.7 10.6.22.42.6

Wave (1/)2 APs 16.12.2s8.10.112.08.5.161.0

1.3.1.4 3.710.6.2

2.42.6

Older APs NA8.5.161.08.3.15x.0

NA 3.x 10.6.22.42.6

Please check these links for the latest infohttps://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.htmlhttps://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

For YourReference

81

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html


Shrnutí


PI / DNA-C

Transition to Cisco Next-Gen Wireless Stack

C9800

Wi-Fi 6

ISEISE Services

PrimeNetwork

Management

AireOSWireless LAN

Controller

Access Points

Clients andSensors

MSE


Cisco DNA Advantage

Prime

Cisco DNA Advantage

3/5/7 Year SubscriptionsSingle SKU

AP License

Cisco DNA Essentials

Automation and Assurance

Enterprise Agreement Eligible

Base Automation


Prime


AP License



Prime

AP License

CMX Base

ISE Base + ISE Plus

Cisco DNA Advantage


Automation, Assurance, SDA, Security and Location

Enterprise Agreement Eligible

11AX, Wave 2 APs and Controllers - CAT 9800-40, CAT 9800-80, C9800-CL, Embedded Wireless

Cisco Wireless Subscription Offer StructureCisco DNA Premier

Software Support Service (SWSS) included in all subscriptions

*Customers can also get Cisco DNA software on 3504/5520/8540

Cisco DNA Spaces SEECisco DNA Space SEE

Reference


Cisco DEVNET Wireless – Wi-Fi6, C9800, …

https://developer.cisco.com/wireless/

https://developer.cisco.com/wireless/

Date post:	28-Jul-2020
Category:	Documents
Upload:	others
View:	3 times
Download:	0 times

Cisco Tech Club Webináře · 2/18/2020 · Resilient • Software updates with minimal...

Documents