These are the best practices based on WLC software code 7.6.
- Use PortFast on AP-connected switch ports
- Interface Source – except for DHCP-related traffic
- Switchport modes and VLAN pruning – use access mode for Local mode APs, and prune the VLANs on FlexConnect AP trunks down to what is actually needed
- Reload controllers after any changes in Management address, SNMP configuration, HTTPS encryption settings, or LAG changes
- VLAN-tag the Management interface for QoS. Untagged packets are not subject to QoS settings
- Use Multicast Forwarding mode for best performance with less Bandwidth utilization
- Disable Internal DHCP – very limited and not easily managed for production networks. Only use it for PoC or Guest WLANs
- Only use WPA2 with AES
- Use AAA Override – Allows you to assign per user settings
- Use Faster RADIUS Timeouts – default is 2 seconds. Lower to 1 second to improve capacity handling. If using ISE over slow WAN it is recommended to have a longer timeout of 5 seconds
- Increase the EAP Identity Request timeout when implementing One Time Passwords (OTP) on Smart Cards, where user interaction is needed to answer the identity request
- EAPOL Key Timeout and Max Retries need to be as small as possible for voice clients. Max Retries should be increased if the RF environment is operating less than optimally
- EAP Request Timeout and Max Retries – slow devices may have issues with short values, but newer and faster devices benefit from shorter timeouts and a higher retry count for faster recovery in bad RF environments
- CCKM Timestamp Validation should be 5 seconds to avoid pico-cells or roaming issues
- TACACS+ Management Timeouts should be increased if experiencing repeated re-authentication attempts or when using One Time Passwords (OTP)
- Enable Infrastructure and Client Management Frame Protection (MFP) – Client side should be optional unless all clients support Client MFP.
- Enable 802.11w Support – PMF (Protected Management Frames). Ensure clients support this before enabling it
- Change or delete SNMPv2c and SNMPv3 Default communities and User
- Enable NTP
- Enable 802.11r Fast Transition – the standard for fast roaming. Ensure clients support this; a lot of clients currently do not. In that case it is recommended to have two SSIDs, one with it enabled and the other with it disabled.
- Require DHCP. This forces clients to do a DHCP address request/renew every time they associate to the WLAN. This allows for stricter control of IP addresses and allows Cisco ISE to profile the device for any CoA. Just keep in mind this will increase roaming times. This is not recommended for Voice WLANs.
- Enable Rogue management and detection to detect, disable, locate and manage rogue/intruder threats automatically and in real time
- Disallow Wi-Fi direct clients from associating with the WLAN. This stops devices from making direct connections to one another quickly and conveniently like printing, synchronizing, and sharing content.
- Scan all channels for Rogues – requires APs in monitor mode. This is the quickest way to detect Rogue APs and RF intruders.
- Enable Adhoc Rogue Detection for public WLAN’s to stop client to client RF connectivity
- Enable Rogue Client AAA Validation – for areas where ad hoc rogues are needed, this validates the rogue client against AAA
- Enable Rogue Client MSE Validation – this makes sure the MSE validates whether a client is valid or a threat.
- Disable Low Data Rates – Disable at least 802.11b data rates
- Lower the number of SSID’s – Each SSID requires a separate probe response and beaconing which pollutes the RF. Recommendation is below 4 SSID’s for optimal performance.
- Enable Band Select – Forces clients to 802.11a/n which has less interference
- Enable Client Load Balancing in non VOIP and single AP deployments for client/AP Load balancing
- Channel Widths – 80MHz has the most bandwidth but uses the most channels. 40MHz is normally the most optimal in a normal Enterprise deployment. Only enable 20MHz in a high density area and 80MHz in a low density area.
- Enable Application Visibility and Control (AVC) – Currently only Local mode AP’s and non-flex connect WLAN’s support this. AVC provides application visibility and the ability to provide bandwidth controls based on the application/user
- Enable Local Profiling – client devices can be profiled based on manufacturer and OS. Helps in reporting and utilization reports
- Enable Netflow if using PRIME or 3rd party tools that support WLC Netflow for better application visibility.
- Enable 802.11k for optimal Roaming – 802.11k standard allows clients to request neighbor reports containing neighbor AP that are candidates for a service set transition. This solves “sticky clients” when a client sticks to an AP when there are more optimal AP’s closer by.
- Disable Aironet IE on non-VoIP WLANs – causes compatibility issues with some wireless clients. Enable only for WGB and Cisco VoIP. Optimal for CCX based clients.
- Avoid Cisco AP Load – avoids frequent changes in DCA due to varying load conditions
- Same non-routable virtual ip address, same version of WLC code, same group names
- Configure Mobility Multicast Mode. Lowers WLC peer times, CPU usage, and network utilization
- Enable Fast SSID changing – needed for Apple iOS devices when changing from one SSID to another
- Enable CleanAir – especially important in 802.11b/g RF environments since they have the most interferers
- Enable EDRRM – Triggers RRM to run when an access point detects a certain level of interference
- Enable High Availability Client/AP SSO – this allows the AP to establish a CAPWAP tunnel with both the Primary and Secondary WLC for fast failover in the event a WLC fails or is rebooted.
- RF Group Leaders must be an 802.11ac WLC – if the leader does not support 802.11ac it cannot select 80MHz channel widths
- Enable FlexConnect Groups – Allows assignments of specific AP’s to groups with set configurations, OKC/CCKM key caching for VOIP, Local RADIUS, and consistent WLAN Mappings
- Enable FlexConnect AP Upgrades – avoids downloading multiple copies of the AP software over slow WAN links
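As an added example (not part of the original checklist and not a WLC API), the script below audits a simplified settings snapshot against several of the items above: WPA2/AES only, AAA override, DHCP Required on voice WLANs, SSID count, default SNMP communities, NTP, RADIUS timeout range and 802.11b data rates. The `Wlan`/`Snapshot` classes and the `SAMPLE` values are constructed for the example; in practice they would be filled from the controller's configuration.

```python
# Added example: audit a constructed, simplified WLC settings snapshot (not a WLC API) against the checklist.
from dataclasses import dataclass
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}   # shipped SNMPv2c defaults
DOT11B_RATES = (1.0, 2.0, 5.5, 11.0)               # 802.11b-only data rates (Mbps)
@dataclass
class Wlan:
    ssid: str
    security: str        # "WPA2", "WPA", "WEP", ...
    ciphers: tuple       # e.g. ("AES",) or ("AES", "TKIP")
    aaa_override: bool
    require_dhcp: bool
    voice: bool = False  # DHCP Required slows roaming on voice WLANs
@dataclass
class Snapshot:
    wlans: list
    snmp_communities: tuple    # SNMPv2c community names still configured
    ntp_servers: tuple
    radius_timeout_s: int      # RADIUS server timeout; WLC default is 2 s
    disabled_11b_rates: tuple  # 802.11b data rates already disabled (Mbps)
def audit(snap):
    # Returns a list of findings; an empty list means the snapshot passes.
    findings = []
    for w in snap.wlans:
        if w.security != "WPA2" or tuple(w.ciphers) != ("AES",):
            findings.append(f"{w.ssid}: use WPA2 with AES only")
        if not w.aaa_override:
            findings.append(f"{w.ssid}: enable AAA override")
        if w.require_dhcp and w.voice:
            findings.append(f"{w.ssid}: DHCP Required is not recommended on a voice WLAN")
    if len(snap.wlans) >= 4:
        findings.append(f"{len(snap.wlans)} SSIDs configured; keep below 4")
    leftover = DEFAULT_SNMP_COMMUNITIES & set(snap.snmp_communities)
    if leftover:
        findings.append(f"default SNMP communities still present: {sorted(leftover)}")
    if not snap.ntp_servers:
        findings.append("no NTP server configured")
    if not 1 <= snap.radius_timeout_s <= 5:
        findings.append(f"RADIUS timeout {snap.radius_timeout_s} s outside the 1-5 s range")
    still_on = [r for r in DOT11B_RATES if r not in snap.disabled_11b_rates]
    if still_on:
        findings.append(f"802.11b data rates still enabled: {still_on}")
    return findings
# Constructed sample snapshot (not from a real controller).
SAMPLE = Snapshot(
    wlans=[Wlan("corp", "WPA2", ("AES",), True, True),
           Wlan("voice", "WPA2", ("AES",), True, True, voice=True),
           Wlan("legacy", "WPA", ("TKIP",), False, False)],
    snmp_communities=("public", "noc-ro"), ntp_servers=(), radius_timeout_s=2,
    disabled_11b_rates=(1.0, 2.0))
```

Running `audit(SAMPLE)` reports the legacy WLAN's WPA/TKIP and missing AAA override, DHCP Required on the voice WLAN, the leftover `public` community, missing NTP and the 5.5 and 11 Mbps rates still enabled.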