Best Practices For Cisco WLAN Management - Presentation Transcript
wireless that works
Best Practices: WLAN Security Today
wireless network management software
Core AirWave Messaging
Best Practices for Managing a Cisco WLAN
David Gau, AirWave Regional Sales Director
Today’s Key Question
Lower user support costs?
Automate routine tasks?
Extend the life of existing infrastructure?
Reduce compliance costs?
“Rightsize” your entire network?
Consolidate disparate management systems?
Can you save money by re-examining your wireless LAN Management strategy?
Which Kind of Cisco Customer Are You?
“100% Autonomous Customers”
Currently use Aironet ‘fat’ APs – either IOS or VxWorks based
No plans to switch to ‘thin AP’ architecture
“Hybrid Network Users”
Intentionally use a combination of autonomous and LWAPP access points
Often LWAPP in large campus environments and fat APs in remote offices, branches, retail stores, etc.
“Migration Customers”
Switching WLAN architectures gradually
“100% LWAPP Customers”
Pure “thin AP” and controller networks
“Multi-vendor Customers”
Combine Cisco and other vendors’ products on a single network
Which Kind of Cisco Customer Are You?
“Autonomous Customers”
KEY MANAGEMENT CHALLENGE: Reliable configuration management and user monitoring
“Hybrid Network Users”
KEY MANAGEMENT CHALLENGE: Cost-effective management of multiple product lines from a single console
“Migration Customers”
KEY MANAGEMENT CHALLENGE: Managing the LWAPP conversion process smoothly and effectively with minimal data loss
“100% LWAPP Customers”
KEY MANAGEMENT CHALLENGE: Providing visibility to all network users to enable the Level 1/Level 2 Help Desk support
“Multi-vendor Customers”
KEY MANAGEMENT CHALLENGE: Providing consistent policy enforcement & support across a heterogeneous network
Strategy for Integrating WLAN Management
Most organizations today have a broader strategic framework for overall network management
ITIL is increasingly becoming a standard within the enterprise
Wireless element management tools from hardware vendors are too often ‘stand-alone’ point solutions
Do not integrate into the broader framework
[Diagram labels: Wireless Element Mgmt. vs. CMDB, Service Desk, Network Monitor, Asset Tracking, Wireless Mgmt.]
Configuration Management
Cisco wireless products are configured in different ways:
IOS access points typically via CLI (similar to routers, switches)
Managing configurations for autonomous access points without centralized management is extremely difficult
Cisco IOS access points have hundreds of configurable settings
Each setting represents an opportunity for human error
As many as 30% of autonomous APs may not comply with policy (AirWave user data)
A Brief Focus on IOS Access Points
Best way to manage IOS APs is often via templates
Define a ‘golden configuration’
All AP settings are not created equal
Telnet vs. SSH
SNMPv1 vs. SNMPv2 vs. SNMPv3
Some settings must be uniform for security and seamless roaming
Other settings may be (or even should be) allowed to vary from AP to AP
Managing firmware versions on IOS APs can be challenging
Configuration should be schedulable
Configuration history is important
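An added example (not from the presentation or from AirWave's product) of auditing an IOS AP's running config against a golden configuration: settings matched by VARIABLE may differ from AP to AP, everything else must be uniform, and Telnet access or SNMPv1/v2c community strings are flagged. The policy lists, helper names and both sample configs are assumptions constructed for illustration.

```python
import re

# Assumed policy, for illustration only: what may vary per AP, what is never allowed.
VARIABLE = [r"^hostname ", r" > channel ", r" > power local "]
INSECURE = [r" > transport input (telnet|all)", r"^snmp-server community "]

# Constructed sample configs (not taken from a real device).
GOLDEN = """
hostname TEMPLATE
ip ssh version 2
snmp-server group NETOPS v3 priv
interface Dot11Radio0
 channel 2437
 power local 20
line vty 0 4
 transport input ssh
"""
BRANCH_AP = """
hostname ap-branch-07
ip ssh version 2
snmp-server community public RO
interface Dot11Radio0
 channel 2462
 power local 14
line vty 0 4
 transport input telnet
"""

def flatten(config):
    """Return the config as 'parent > child' entries so sub-commands keep their block context."""
    entries, parent = set(), ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment separators
        indented = line[0] == " "
        parent = parent if indented else line
        entries.add(f"{parent} > {line.strip()}" if indented else line)
    return entries

def hits(patterns, entry):
    return any(re.search(p, entry) for p in patterns)

def audit(golden, running):
    """Compare a running config with the golden one, ignoring VARIABLE settings."""
    want = {e for e in flatten(golden) if not hits(VARIABLE, e)}
    have = {e for e in flatten(running) if not hits(VARIABLE, e)}
    return {"missing": sorted(want - have), "extra": sorted(have - want),
            "insecure": sorted(e for e in have if hits(INSECURE, e))}
```

Running `audit(GOLDEN, BRANCH_AP)` reports the missing SSH and SNMPv3 lines and flags the Telnet and community-string entries, while a config that differs only in hostname, channel or power comes back clean.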
A Brief Focus on LWAPP Access Points
Most controller configuration is done via the GUI
Controllers have significantly more configuration settings than IOS devices
When primary and backup controllers are not configured the same, issues can arise when APs move from controller to controller.
When migrating older IOS devices to LWAPP, SSCs (Self-Signed Certificates) can be an issue
Delivering Level 1 and Level 2 Support
Wireless networks enable critical new mobile applications like voice, video surveillance, and more.
IT will inevitably be drawn into supporting more users and more classes of devices
Today’s wireless management model cannot scale:
End User: Reports wireless problems
Helpdesk: Lacks the tools and training to differentiate between
Network Engineer: Ends up handling everything from client device configuration to network infrastructure failures
Empowering the Help Desk
Giving the Level 1 and Level 2 Help Desk the tools and the training to support all classes of end users is critical to success
End User
Helpdesk
Able to diagnose and resolve the most common user-reported problems
When escalation is required, Helpdesk is able to pass snapshot information to Network Engineering
Network Engineer
Only a limited number of true network-related issues are escalated
Faster response, lower operational costs, efficient division of labor
Location Information
Major difference in managing a mobile environment: You MUST know where the user is located in physical space
A port-based approach to management is no longer acceptable
Location information must be tracked for every user and device
Management solutions must provide open APIs to enable higher-level applications to access location information
Need to be able to do a remote “site survey” without dispatching a technician or contractor
Large organizations simply can’t do physical surveys of all locations
For the helpdesk, a picture is worth a thousand words!
Location Information
Accurate location information is critical for:
Troubleshooting end-user problems
Diagnosing RF problems
Tracking assets
Assessing usage patterns and trends
Monitoring roaming patterns
Identifying Rogue Access Points
Cisco enterprise-grade wireless access points are relatively easy to discover on the network
Cisco APs are rarely ‘rogues’
Cisco APs can be used to detect unknown, unauthorized wireless APs broadcasting within range
But rogues are less often installed within range of managed APs
Rogues are often in remote branch offices without an authorized wireless network
Organizations need an effective strategy to detect rogues that are not in range of the existing network
WLSE can provide some information
Rogue detection across the wired network is essential
Wireline OS identification is important to help reduce false positives
Reporting in a Cisco Network
Key historical trends to monitor:
Users per AP
SSID usage
Usage by encryption type (WEP, WPA)
Each class of user has specific reporting needs:
Network Engineer: Utilization/capacity, uptime, inventory, SSID data
Help Desk: Utilization by location, client roaming history, Device Level Management, authentication issues, etc.
Security: Client migration status, PCI, audit reports, IDS alerts, etc.
CIO: Overall utilization, uptime, etc.
Data may need to be retained for HIPAA, PCI and other compliance programs
Consider “Rightsizing” Your Network
Monitoring WLAN utilization patterns over time is critical
Determine whether users are shifting to wireless as their primary access network
Laptop/data users are typically early candidates
As users begin to shift, examine LAN switch utilization rates and look for unused and under-used ports
Use data to assess your network needs
Are switch upgrades really required?
Can you reduce the number of active ports on your network?
Cut annual maintenance and support costs
Save on cable pulls and moves/adds/changes
Alerting in a Cisco Network
Alerts are used to notify admins about changes in the network and potential problems.
Common alerts include:
Too many users on an AP
Low memory/High CPU on wireless devices
Missing/stolen device alerts
It should be possible to send alerts by multiple methods
SNMP
Email distribution lists
Management of 3rd Party Devices
Organizations rarely set out to create heterogeneous network infrastructures but they are almost inevitable
“Best-of-breed” solutions required for specific operating environments
Rapidly evolving technologies and architectures (yesterday’s leader is today’s follower)
Product lines inevitably face an “end-of-life” (EOL)
Mergers and acquisitions
Consolidation among vendors
Vendor price competition and negotiation
Changes to Cisco’s own product roadmap and strategy
Even “all-Cisco” customers must have a strategy for managing heterogeneous environments in the future