Managing Policies for BYOD Network
BRKEWN-2020
Damodar Banodkar
Technical Marketing Engineer
For Your Reference
• There are slides in your PDF that will not be presented, or will be presented only quickly.
• They are usually valuable, but are included only “For Your Reference”.
BRKEWN-2020
© 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Public
The Need for Managing Devices and Applications
• 4X: Smartphone connection speeds will grow 4-fold from 2011 to 2016 (Cisco VNI)
• 90%: Mobile video traffic will have an annual growth rate of 90% from 2011 to 2016 (Cisco VNI)
• 56%: of US information workers spend time working outside the office (Forrester)
• 100%: of IT staff is struggling to keep up with mobility trends (Gartner)
Agenda: Managing Policies for BYOD Network
Personal Devices on Network
• Step 1: Securely Board the Device
• Step 2: Application Experience
• Step 3: Simplified Services Operations, 3rd Party MDM
• Drivers and Assumptions
Drivers
• Majority of new network devices have no wired port
• Users will change devices more frequently than in the past
• Mobile devices have become an extension of our Personality and Work
• Guest / Contractor access and accountability has become a mandatory business need
Assumptions
• Guest and Contractors must be isolated and accounted for.
• Users will have 1 wired and 2+ wireless devices moving forward
• The wireless network must be secure and as predictable as the wired network
Spectrum of BYOD Strategies
• Different Deployment Requirements for Different Environments
Components: Cisco WLAN Controller, ISE (Identity Services Engine), Cisco Catalyst Switch, ASA Firewall
• Controller only BYOD: Wireless Only; Basic Profiling and Policy on WLC
• Controller + ISE – Wireless BYOD: Wireless Only; AAA + Advanced Profiling + Device Posture + Client On-board + Guest + Mobile Device Management (MDM)
• Controller + ISE – Advanced BYOD: Wired + Wireless + Remote Access; AAA + Advanced Profiling + Device Posture + Client On-board + Guest + MDM
Cisco BYOD Device Policy Steps
• Phase 1 – Authentication: EAP between the Client Supplicant and ISE
• Phase 2 – Device / User Identification: MAC, DHCP, DNS, HTTP (ISE)
• Phase 3 – Posture assessment, MDM, Lost device containment (ISE): Allowed Device? If not, Internet Only
• Phase 4 – Device Policy Enforcement on the WLC: QoS (Silver), ACL (Allow-All), VLAN (Employee), AVC (Block Youtube); Allowed Access
Contextual Policy for BYOD Deployments
• Control and Enforcement
1. IDENTITY: 802.1X EAP user authentication from the Access Point through the Wireless LAN Controller to ISE over RADIUS.
2. PROFILING: profiling to identify the device (company asset vs. personal asset) from NETFLOW, DNS, DHCP, HTTP and SNMP data.
3. Posture of the device.
4. Policy decision on ISE, with context such as location (HQ) and time of day (2:38pm).
5. Enforcement by Unified Access Management: dACL, VLAN, SGA, Application.
6. Full or partial access granted: the company asset on VLAN 10 reaches Corporate Resources; the personal asset on VLAN 20 gets Internet Only.
With the ISE, Cisco wireless can support multiple users and device types on a single SSID.
Integrating WLC and ISE for Authentication and Profiling
Extensible Authentication Protocol (EAP) – Protocol Flow
Supplicant – EAP over LAN (EAPoL), Layer 2 Point-to-Point – Authenticator – RADIUS, Layer 3 Link – Auth Server
Beginning:
1. Supplicant → Authenticator: EAPoL Start
2. Authenticator → Supplicant: EAPoL Request Identity
3. Supplicant → Authenticator: EAP-Response Identity: Alice
4. Authenticator → Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle (the EAP type is negotiated between Client and RADIUS Server):
5. Auth Server → Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]; Authenticator → Supplicant: EAP-Request: PEAP
6. Supplicant → Authenticator: EAP-Response: PEAP; Authenticator → Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
7. Secure Tunnel: authentication conversation between Client and Auth Server (multiple challenge/request exchanges possible)
End:
8. Auth Server → Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]; Authenticator → Supplicant: EAP Success
• 802.1X (EAPoL) is a delivery mechanism; it doesn't provide the actual authentication mechanism.
• When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or PEAP, which defines how the authentication takes place.
EAP Authentication Types
• Different Authentication Options Leveraging Different Credentials
Tunneling-Based: EAP-PEAP, EAP-TTLS, EAP-FAST, with inner methods EAP-GTC, EAP-MSCHAPv2 or EAP-TLS
Certificate-Based: EAP-TLS
• Tunnel-based – Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. The tunnel provides security for the inner EAP type, which may be vulnerable by itself.
• Certificate-based – For more security, EAP-TLS provides mutual authentication of both the server and the client.
Factors in Choosing an EAP Method
• The Most Common EAP Types are PEAP and EAP-TLS
Factors: Security vs. Complexity; Client Support; Authentication Server Support; EAP Type(s) Deployed
• Most clients such as Windows, Mac OS X and Apple iOS devices support EAP-TLS and PEAP (MS-CHAPv2).
  – Additional supplicants can add more EAP types (Cisco AnyConnect).
• Certain EAP types (TLS) can be more difficult to deploy than others depending on device type.
• Cisco ISE Supplicant Provisioning can aid in the deployment.
The RADIUS Protocol
• It’s initiated by the client to the server, but not CoA…
• The RADIUS protocol is initiated by the network device (Authenticator) towards the Auth Server
• Without CoA there is no way to change authorization from the ISE
• With RADIUS CoA, the network device listens for CoA requests from ISE: “Now I can control ports when I want to!”
CoA actions:
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
IEEE 802.1X with Change of Authorization (CoA)
Supplicant – EAP over LAN (EAPoL), Layer 2 Point-to-Point – Authenticator – RADIUS, Layer 3 Link – Auth Server
Change of Authorization:
1. Auth Server → Authenticator: RADIUS CoA-Request [VSA: subscriber: reauthenticate]
2. Authenticator → Auth Server: RADIUS CoA-Ack
Re-Authentication:
3. Authenticator → Supplicant: EAPoL Request Identity
4. Supplicant → Authenticator: EAP-Response Identity: Alice
5. Authenticator → Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
6. Auth Server → Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]; Authenticator → Supplicant: EAP-Request: PEAP
7. Supplicant → Authenticator: EAP-Response: PEAP; Authenticator → Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
8. Multiple challenge/request exchanges possible
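The CoA-Request above carries a Cisco VSA; what makes a WLC act on it is the shared-secret authenticator. The following is an added example, not code from this deck or from Cisco: it encodes a CoA-Request with the subscriber:command=reauthenticate av-pair (the full form of the slide's "subscriber: reauthenticate") per RFC 5176, verifies it the way the receiving authenticator must before touching a session, and builds the CoA-Ack. The shared secret, identifier, session ID and client MAC are constructed values.

```python
"""RADIUS Change-of-Authorization (RFC 5176) encode/verify for the
"subscriber: reauthenticate" VSA. Added example, not code from the deck.
Packet codes, attribute numbers and the authenticator rules come from
RFC 2865 / RFC 5176; secret, identifier, session ID and MAC are constructed."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK = 43, 44          # RFC 5176 packet codes
ATTR_VENDOR_SPECIFIC = 26               # RFC 2865 attribute numbers
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9                     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                        # vendor sub-type of "cisco-avpair"
HEADER_LEN = 20                         # Code(1) + ID(1) + Length(2) + Authenticator(16)


def attr(attr_type, value):
    """Encode one Type/Length/Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a cisco-avpair string (e.g. subscriber:command=reauthenticate)
    in a Vendor-Specific attribute carrying vendor 9 / sub-type 1."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def request_authenticator(code, identifier, attrs, secret):
    """RFC 5176 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    This is what binds the request to the shared secret between ISE and the WLC."""
    length = HEADER_LEN + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + bytes(16) + attrs + secret).digest()


def build_coa_request(identifier, session_id, client_mac, command, secret):
    """ISE side: a CoA-Request that identifies the session and carries the command."""
    attrs = (attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + attr(ATTR_CALLING_STATION_ID, client_mac.encode())
             + cisco_avpair("subscriber:command=" + command))
    auth = request_authenticator(COA_REQUEST, identifier, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attrs)) + auth + attrs


def decode_avpairs(attrs):
    """Return the cisco-avpair strings found in an attribute list."""
    pairs, pos = [], 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            break                                   # malformed TLV: stop parsing
        value = attrs[pos + 2:pos + a_len]
        if a_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == CISCO_VENDOR_ID and value[4] == CISCO_AVPAIR:
                pairs.append(value[6:6 + value[5] - 2].decode(errors="replace"))
        pos += a_len
    return pairs


def verify_coa_request(packet, secret):
    """WLC side: accept the request only if the authenticator matches the shared
    secret. Returns the avpair list on success, None otherwise (drop silently;
    a forged or mis-keyed request must never trigger a session change)."""
    if len(packet) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return None
    attrs = packet[HEADER_LEN:]
    expected = request_authenticator(code, identifier, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return None
    return decode_avpairs(attrs)


def build_coa_ack(request, secret):
    """WLC side: CoA-Ack whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_ACK, request[1], HEADER_LEN)
    resp_auth = hashlib.md5(header + request[4:HEADER_LEN] + secret).digest()
    return header + resp_auth


if __name__ == "__main__":
    # CONSTRUCTED values for the demo: shared secret, session, MAC.
    SECRET = b"constructed-shared-secret"
    req = build_coa_request(7, "0a1b2c3d", "00-11-22-33-44-55", "reauthenticate", SECRET)
    print(verify_coa_request(req, SECRET))        # ['subscriber:command=reauthenticate']
    print(verify_coa_request(req, b"wrong"))      # None: dropped
    print(build_coa_ack(req, SECRET)[0])          # 44
```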
Change of Authorization (CoA)
Changing Connection Policy Attributes Dynamically (User and Device Specific Attributes from ISE)
Before – Posture Assessment and Profiling:
• Client Status: Unknown
• VLAN: Limited Access
• ACL: Posture-Assessment
• QoS: Silver
• Application: Block Youtube
After – Employee Policy Applied:
• Client Status: Profiled, Workstation
• VLAN: Employee
• ACL: None
• QoS: Gold
• Application: Allow Youtube
For Your Reference
Enable CoA – AAA Override
1. Allow AAA Override to permit ISE to modify user access permissions (CoA)
2. Allow AAA Override to permit ISE to redirect the client to a specific URL
Cisco Wireless Controller User-Based Policy AAA Override Attributes
• VLAN
• Access Control List (ACL)
• Quality of Service (QoS)
• CoA
• Application Control (AVC)
• Bonjour Service Policy
• URL Redirect
Available in AireOS Version 8.0
FlexConnect and AAA Override
Setting the VLAN for Locally Switched Clients
ISE returns the IETF RADIUS attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID) to the WLC, which passes the VLAN across the WAN to the FlexConnect AP. Create the sub-interface on the FlexConnect AP and set the ACL on the VLAN.
URL Redirection
Central Web Auth, Client Provisioning, Posture, MDM, Guest Services
External URL Redirect (ISE):
• Redirect URL: cisco:cisco-av-pair=url-redirect=https://url
• Redirect ACL: cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE
Example: TCP Traffic Flow for Login Page (Host, WLC, ISE)
1. User opens browser: TCP port 80 SYN from the Host
2. SYN-ACK from the WLC
3. ACK
4. HTTP GET http://www.google.com
5. Redirect: HTTP Login Page (served by ISE)
6. Username, Password
7. HTTP GET http://www.google.com
Cisco Wireless LAN Controller ACLs
Layer 3-4 filtering at line rate, inbound and outbound between the AP side and the wired LAN.
• ACLs provide L3-L4 policy and can be applied per interface or per user.
• Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.
• Up to 64 rules can be configured per ACL.
• Implicit Deny All at the end
Unified Access BYOD - Downloadable ACL Support
Download - http://www.miercom.com/2013/05/cisco-wlc-5760/
Cisco Wireless User-Based QoS Capabilities
Allowing Per-User and Per-Device Limiting of the Maximum QoS Level
WMM Queues: Voice, Video, Best Effort, Background (QoS tagged packets from Call Manager through the WLC to the Access Point)
• Contractor – Silver QoS: for the contractor user, the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort queue.
• Employee – Platinum QoS: for the Employee user, the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice queue.
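To show how the AAA override attributes from the URL Redirection and AAA Override slides and the per-user QoS ceiling above fit together, here is an added example (not code from this deck or from Cisco) that parses an authorization result into a client policy and caps a packet's WMM queue by the user's QoS profile. The attribute names are the AireOS RADIUS attribute names; the Airespace-QOS-Level numeric mapping, the DSCP-to-WMM table and the avc-profile-name av-pair are assumptions, and the sample attribute sets are constructed.

```python
"""Turn the RADIUS Access-Accept attributes an ISE authorization profile returns
into the WLC's per-client policy, then apply the per-user QoS ceiling.
Added example, not the deck's or Cisco's code. The Airespace-QOS-Level value
mapping and the DSCP-to-WMM table are simplified assumptions; samples are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# ASSUMED Airespace-QOS-Level value encoding (see lead-in).
QOS_LEVELS = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}
# WMM access categories from lowest to highest; a QoS profile caps the client here.
QUEUE_RANK = ["Background", "Best Effort", "Video", "Voice"]
PROFILE_CEILING = {"Bronze": "Background", "Silver": "Best Effort",
                   "Gold": "Video", "Platinum": "Voice"}
# Simplified DSCP -> WMM queue map (EF/CS6/CS7 voice, CS4/AF4x/CS5 video, AF1x background).
DSCP_QUEUE = {**{d: "Voice" for d in (46, 48, 56)},
              **{d: "Video" for d in (32, 34, 36, 38, 40)},
              **{d: "Background" for d in (8, 10, 12, 14)}}


@dataclass
class ClientPolicy:
    vlan: Optional[int] = None
    acl: Optional[str] = None
    qos: str = "Silver"                      # WLAN default if AAA returns nothing
    redirect_url: Optional[str] = None
    redirect_acl: Optional[str] = None
    avc_profile: Optional[str] = None
    unknown: List[str] = field(default_factory=list)

    @property
    def needs_redirect(self):
        """URL redirect only takes effect when both av-pairs are present."""
        return bool(self.redirect_url and self.redirect_acl)


def parse_access_accept(attrs):
    """attrs: list of 'Name=Value' strings as an ISE authorization profile shows them.
    cisco-av-pair values themselves contain '=', so split on the first '=' only."""
    policy = ClientPolicy()
    tunnel_type = tunnel_medium = None
    for item in attrs:
        name, _, value = item.partition("=")
        if name == "Tunnel-Type":
            tunnel_type = int(value)             # 13 = VLAN (RFC 2868)
        elif name == "Tunnel-Medium-Type":
            tunnel_medium = int(value)           # 6 = IEEE 802
        elif name == "Tunnel-Private-Group-ID":
            policy.vlan = int(value)
        elif name == "Airespace-ACL-Name":
            policy.acl = value
        elif name == "Airespace-QOS-Level":
            policy.qos = QOS_LEVELS.get(int(value), policy.qos)
        elif name == "cisco-av-pair":
            key, _, av = value.partition("=")
            if key == "url-redirect":
                policy.redirect_url = av.strip()
            elif key == "url-redirect-acl":
                policy.redirect_acl = av.strip()
            elif key == "avc-profile-name":     # ASSUMED av-pair name for AVC override
                policy.avc_profile = av.strip()
            else:
                policy.unknown.append(value)
        else:
            policy.unknown.append(item)
    # The VLAN override is only valid when the IETF tunnel triple is complete.
    if policy.vlan is not None and (tunnel_type, tunnel_medium) != (13, 6):
        policy.vlan = None
    return policy


def wmm_queue(dscp, qos_profile):
    """Queue a packet lands in: its DSCP marking, capped by the user's QoS profile.
    A contractor on Silver sending DSCP EF (46) is held to Best Effort; an employee
    on Platinum with the same marking reaches the Voice queue."""
    requested = DSCP_QUEUE.get(dscp, "Best Effort")
    ceiling = PROFILE_CEILING[qos_profile]
    return QUEUE_RANK[min(QUEUE_RANK.index(requested), QUEUE_RANK.index(ceiling))]
```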
Cisco Wireless Application Control
AVC provides Layer 7 policies per User (by Device Type and User Role)
Application priority:
• Real Time Applications (Business): High
• Non Real Time Applications (Business): Normal
• Casual Applications: Low
• Malicious Applications: Drop
User Role priority:
• Exec: High
• Employee: Normal
• Contractor: Low
Available in AireOS Version 8.0
Cisco Wireless Bonjour Services Control
Bonjour Gateway provides Services policies per User (User Role → Bonjour Service Access)
• For the Employee and Exec user, AirPlay and AirPrint access is permitted
• For the Contractor user, AirPlay access is denied
Cisco BYOD Policy Elements
VLAN, Access Control List (ACL), Quality of Service (QoS), CoA, Application Control (AVC), Bonjour Service Policy, URL Redirect
Available in AireOS Version 8.0
BYOD with ISE (Identity Services)
ISE Device Profiling Example – iPad
• Once the device is profiled, it is stored within the ISE for future associations.
Profiling questions: Is the MAC address from Apple? Does the hostname contain “iPad”? Is the web browser Safari on an iPad? If so, the device is profiled as an Apple iPad.
Client Attributes Used for ISE Profiling
How RADIUS, HTTP, DNS and DHCP (and Others) Are Used to Identify Clients
• The ISE uses multiple attributes to build a complete picture of the end client’s device profile.
• Information is collected from sensors which capture different attributes.
1. RADIUS: provides the MAC address, which is checked against the known vendor OUI database.
2. DHCP/HTTP sensor: the client’s DHCP/HTTP attributes are captured by the AP and provided in RADIUS Accounting messages.
3. HTTP User-Agent: the device is redirected using a captive portal to the ISE for web browser identification.
4. DNS Server: a lookup of the DNS entry for the client’s IP address reveals the hostname.
  – The ISE can even kick off an NMAP scan of the host IP to determine more details.
ISE Device Profiling Capabilities
• Over 200 built-in device policies, defined hierarchically by vendor (e.g. Smart Phones, Gaming Consoles, Workstations)
• Minimum confidence for a match
• Multiple rules to establish the confidence level
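An added example (not ISE code) of the hierarchical, minimum-certainty profiling described above and in the iPad example: policy names, certainty weights, minimum-certainty thresholds and the OUI table are constructed stand-ins, and the endpoint attributes are constructed.

```python
"""Hierarchical, confidence-scored device profiling of the kind ISE uses for the
iPad example (Apple OUI -> hostname contains "iPad" -> Safari on iPad user agent).
Added example, not ISE code. Policy names, certainty weights, minimum certainty
values and the OUI table are constructed stand-ins for ISE's own feed."""
from dataclasses import dataclass, field
from typing import List, Optional

# CONSTRUCTED vendor OUI table (the real check uses the IEEE registry).
OUI_VENDOR = {"00:AA:11": "Apple", "00:BB:22": "Apple", "00:CC:33": "Microsoft"}


@dataclass
class Endpoint:
    mac: str                                    # from RADIUS Calling-Station-Id
    hostname: str = ""                          # from DNS reverse lookup / DHCP
    user_agent: str = ""                        # from the captive-portal redirect
    dhcp_class_id: str = ""                     # DHCP option 60


@dataclass
class Policy:
    name: str
    parent: Optional[str]
    min_certainty: int                          # "minimum confidence for a match"
    rules: List[tuple] = field(default_factory=list)   # (certainty, predicate)


def vendor(ep):
    return OUI_VENDOR.get(ep.mac.upper()[:8], "unknown")


POLICIES = [                                    # parents are listed before children
    Policy("Apple-Device", None, 10,
           [(10, lambda ep: vendor(ep) == "Apple")]),
    Policy("Apple-iPad", "Apple-Device", 20,
           [(10, lambda ep: "ipad" in ep.hostname.lower()),
            (20, lambda ep: "ipad" in ep.user_agent.lower()
                 and "safari" in ep.user_agent.lower())]),
    Policy("Apple-iPhone", "Apple-Device", 20,
           [(20, lambda ep: "iphone" in ep.user_agent.lower())]),
    Policy("Microsoft-Workstation", None, 10,
           [(10, lambda ep: vendor(ep) == "Microsoft"),
            (5, lambda ep: ep.dhcp_class_id.startswith("MSFT"))]),
]
BY_NAME = {p.name: p for p in POLICIES}


def certainty(policy, ep):
    """Sum the certainty of every matching rule; several weak signals can add up."""
    return sum(weight for weight, pred in policy.rules if pred(ep))


def depth(name):
    d, p = 0, BY_NAME[name]
    while p.parent:
        d, p = d + 1, BY_NAME[p.parent]
    return d


def profile(ep):
    """Walk the hierarchy: a child policy is only considered once its parent
    matched, and the deepest matching policy wins. Returns (name, certainty)."""
    matched = {}
    for pol in POLICIES:
        if pol.parent is not None and pol.parent not in matched:
            continue
        score = certainty(pol, ep)
        if score >= pol.min_certainty:          # below the threshold: no match
            matched[pol.name] = score
    if not matched:
        return ("Unknown", 0)
    best = max(matched, key=lambda n: (depth(n), matched[n]))
    return (best, matched[best])
```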
Defining a BYOD Policy Within ISE
ISE Authentication Sources
User and/or Machine Authentication: EAPoL from the client, RADIUS to ISE, and backend database(s) such as Active Directory, Generic LDAP or PKI, RSA SecureID, or the Local DB
Credential types: User/Password, Certificate, Token
• Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP and RSA SecureID.
• The local database on the ISE itself can also be used for small deployments.
Steps for Configuring ISE Policies
1. Authentication Rules
• Define what identity stores to reference.
• Example – Active Directory, CA Server or Internal DB.
2. Authorization Rules
• Define what users and devices get access to resources.
• Example – All Employees with Windows Laptops have full access.
Authentication Rules
Example for PEAP and EAP-TLS
1. Reference Active Directory for PEAP authentication
2. Create another profile to reference the certificate store
Authorization Rules Configuration
Flexible Conditions Connecting Both User and Device
1. Policy > Authorization – Simple
2. Active Directory groups can be referenced
3. A specific device type or device group (such as Workstations or iPods) can be utilized
The authorization rule results in attributes to enforce policy on end devices.
Authorization Rule “Results”
The Actual Permissions Referenced by the Authorization Rules
1. Simple VLAN override by specifying the tag
2. All WLC attributes are exposed to override
• The authorization rules provide a set of conditions to select an authorization profile.
• The profile contains all of the connection attributes including VLAN, ACL and QoS.
• These attributes are sent to the controller for enforcement, and they can be changed at a later time using CoA (Change of Authorization).
Authorization Rule “Results”
The Application and Bonjour profile referenced in the Authorization profile
WLC attributes for override: VLAN, Access Control List (ACL), Quality of Service (QoS), Application Control (AVC), Bonjour Service Policy, URL Redirect
WLC attributes for AVC and Bonjour policy override: available in AireOS Version 8.0
BYOD Device Provisioning
Simplified On-Boarding for BYOD
Putting the End User in Control (Self-Service Model)
• Device Onboarding for iOS, Android, Windows and MAC OS
• Cert Provisioning
• Supplicant Provisioning
• MyDevices Portal
Apple iOS Device Provisioning
1. Initial connection using PEAP (WLC, ISE, CA-Server): Device Provisioning Wizard
2. Change of Authorization
3. Future connections using EAP-TLS
Defining the Supplicant Provisioning Authorization Profile
1. Configure the Redirect ACL on the WLC
2. Choose “Supplicant Provisioning” for the Redirect Portal (URL Redirect)
“My Devices” Portal
• Self-Registration and Self-Blacklisting of BYOD Devices
1. New devices can be added with a description
2. Devices can be marked lost by the user
3. Lost devices can be blackholed using url-redirect
Demo Video: www.youtube.com/watch?v=lgJCJNgFjEM
Ensuring Endpoint Compliance
• Endpoint Health Assessment
Wired, Wireless or VPN user: a non-compliant endpoint gets temporary limited network access until remediation is complete.
Challenge:
• Understanding health of device
• Varying level of control over devices
• Corp asset checks
• Cost of remediation
Value:
• Temporal (web-based) or Persistence Agent
• Automatic remediation
• Differentiated policy enforcement based on role
Sample Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running and current
• Enterprise application running
MDM Integration
Device attributes: ISE Registered, MDM Registered, Encryption, PIN Locked, Jail Broken
Visibility with Prime Infrastructure and ISE Integration
1. Both wired + wireless clients in a single list
2. Device identity from ISE integration; AAA Override parameters applied to the client
3. Policy information including Windows AD domain
Local Profiling on WLC
Build BYOD Policy: Flexible Options
• Different Deployment Requirements for Different Environments
• Centralized Policy: ISE (Identity Services Engine) combines the functions of ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server
Controller + ISE – Wireless BYOD:
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Client Provisioning
• MDM
• Monitoring, Troubleshooting, Reporting
Build BYOD Policy: Flexible Options
• Local Profiling & Policy on WLC
Network Components: WLC plus a Radius Server (e.g. ISE Base, ACS); wireless only
Policy Elements: Device Type, User Role, Authentication, Time of Day
Policy Enforced: VLAN, Access List, QoS, Application, Services (Bonjour)
WLC Native Profiling for BYOD Deployments
IDENTITY (inputs to the policy on the Wireless LAN Controller):
1. User-Role from the Radius Server
2. Auth-Type
3. Time
4. Profiling to identify the device (Access Point and WLC)
POLICY:
5. Policy decision on the WLC
6. Enforcement by Unified Access Management: ACL, VLAN, QoS, Application, Bonjour. Corporate device: VLAN 10, Corporate Resources; Personal device: VLAN 20, Internet Only.
Configuring User-Role
The Radius server returns role=Employee or role=Contractor; the controller maps the value to a User Role (Employee, Contractor) and its privilege.
Native Device Profiling on WLC
Step 1 – Cisco WLC configuration: enable DHCP and HTTP profiling on the WLC
Step 2 – Device Type: 156 pre-defined device signatures
Step 3 – Create the device profiling policy
Native Profiling Authentication and Time Policy
• Authentication – wireless client authentication EAP type: LEAP, EAP-FAST, EAP-TLS, PEAP
• Time of Day – active hours for the policy (time-based policy)
Enforce Policy on the WLC
Enforced Policy: ACL*, VLAN, QoS*, Session Timeout, Application Control, mDNS Policy
* Supported in FlexConnect mode
Applying Native Profiling Policy per WLAN / AP Group
• Native Profiling per AP Group
• Native Profiling per WLAN
• Restriction: the first matched rule applies
• A maximum of 16 policies can be created per WLAN / AP Group and 64 globally
Required Network Components and Versions
For Your Reference
Cisco Wireless LAN
• Platform / OS Version: 5508 / WiSM2, 7500, 2500 – AireOS 7.2.x onwards; 8500 – AireOS 7.3.x onwards; Unified Access (5760/3850) – IOS XE 3.2.2 onwards; 440x/WiSM1 – AireOS 7.0.116 onwards
• CoA Support: 802.1x and L3 Web-auth WLAN; 440x/WiSM1: 802.1x WLAN only
• Access Point Mode for Profiling and Posture: Local and FlexConnect mode; 440x/WiSM1: Local Mode only
• Limited Profiling and Policy on WLC: AireOS 7.5 onwards* (N/A where not supported)
• Extra License: None
*FlexConnect mode: No WLC BYOD support for Local Auth on AP
Identity Services Engine
• Platform: 210x
• Identity Services Engine Version: 1.1.1 onwards
• Licenses for Onboarding, Profiling, Posture and MDM: Advanced / Wireless License
Beyond BYOD
The Optimized Experience for Every Workspace
• BYOD: Device Onboarding and Network Access
• Unified BYOD Policy
• Beyond BYOD: Application Experience, Simplified Operations
Application Visibility and Control (AVC)
What is the Need for AVC?
• Who are the top 10 users? (Devices, Apps)
• What are the top 10 applications?
• Is someone running Bit-torrent and bringing down my business applications?
• How much traffic is BYOD generating on my network?
• Should I add more APs to enhance the capacity?
What is Application Visibility & Control?
On Wireless Controllers
• NBAR2 LIBRARY – deep packet inspection classifies traffic (Real Time Interactive, Non-Real Time, Background)
• NETFLOW (static template) – provides flow export to Cisco Prime or a third-party NetFlow collector
• POLICY – packet mark and drop
Uses: compliance, capacity planning, troubleshooting
How Does AVC Classify Applications: Cisco Jabber
Three classification flows for Cisco Jabber: Cisco Jabber Audio, Cisco Jabber Video, Cisco Jabber Control
• Different policies for different components of a Jabber session
Demo Video: www.youtube.com/watch?v=1kt2hvo4UL4
Enabling Application Visibility and Control
• AVC is enabled per WLAN to allow Deep Packet Inspection
1. Change the QoS level to reflect the highest application level for that SSID
2. Enable Application Visibility
3. Ensure WMM is set to “Allowed” or “Required”
Basic Application Visibility Added on the Controller
• Home screen: Top Applications, shown sorted by bytes
• Use “Monitor” -> “Applications” to view more statistics
Viewing Real-Time Statistics
• Use for Assessing Current Usage or Troubleshooting
• Real Time Stats (last 90 seconds): application usage displayed by % of total bytes for the last 90 seconds
• Average packet size to see small vs. large packet flows
• DSCP marking per client (last 90 seconds): real-time QoS markings
Viewing Historical Statistics
• Use for Assessing Overall Usage
• Cumulative Statistics: application usage displayed by % of total bytes
• Total bytes transferred – useful for tracking down bandwidth hogs
Application Control
Control application usage and performance
1. AVC Profile – Drop Bit torrent
2. AVC Profile – Mark Citrix (priority High / Medium / Low)
3. AVC Profile – Rate Limit Facebook
AVC configuration for AAA override
Example – Teacher, Student
For Your Reference
Applying AVC Profiles
1. Create an AVC Profile for applications at Wireless > AVC (a maximum of 32 rules can be created per AVC Profile)
2. Apply the AVC Profile to the WLAN
3. Apply the AVC Profile per client using local profiling on the WLC, or per client using AAA Override (Radius Server)
NBAR2 – Regular Updates
In-service Application Definition Update
Protocol Pack (PP) lifecycle: PP X (Major) → PP X.1 (Minor: bug fixes, small updates) → PP Y (Major: ~10 protocols, updates and fixes) → PP Y.1 (Minor: bug fixes, small updates). PP 6.3 available.
• Standard Protocol Pack
  – Includes only a subset of protocols
  – No support for traffic categorization and attributes
  – Available (as default protocol pack) in IP Base image
  – No periodic releases and SLA
• Advanced Protocol Pack
  – Includes all supported protocols / applications
  – Supports traffic categorization and attributes
  – Available (as default protocol pack) in DATA image
  – Periodic releases and offers SLA
NBAR2 Protocol Pack Example: a protocol pack bundles the definitions Protocol1, Protocol2 … Protocoln that NBAR2 loads.
• Add new applications recognized by NBAR2 without WLC reload
• New protocol pack is published every two months on CCO
• Single CLI to enable the protocol pack
Application Visibility at Cisco Prime
Application Filter / Visibility per:
• SSID
• Client
• Building
• Floor
• Device (AP/Controller)
Application Based Reporting: Wired/Wireless with Third-party Netflow
Application Visibility with 3rd Party Vendors
• Using Netflow exports, third party tools like Plixer Scrutinizer can visualize the data and track it historically.
• Custom reports in this 3rd party tool allow viewing of upstream and downstream flows as well as client DSCP markings.
Cisco Wireless Netflow Record
What applications, how much bandwidth, flow direction? (NetFlow and NBAR2)
NetFlow v9 record fields: Client MAC, Client IP, SSID, Access Point MAC, Packet Count, Octet Count, Before AVC DSCP, After AVC DSCP, Application Tag
• Monitors data from layer 2 through 7
• Determines applications by a combination of port and payload
• Flow information contains client, wireless infrastructure, application, QoS marking and bandwidth detail
Netflow Collection and Export Configuration
• Create the Netflow Monitor and Exporter at Wireless > Netflow
• Apply the Netflow monitor per WLAN
• Netflow Collection & Exporting: the WLC collects application bandwidth and exports it (NetFlow v9) to the management tool for reporting
For Your Reference
Application Visibility and Control Verification
Application Control Tested:
• Citrix video streaming quality improves by 55%
• Microsoft Lync Voice MOS Score rises to 4.20
• Background traffic using Windows File sharing drops by 74%
Download - http://dcc.syr.edu/PDF/Cisco-AVC-Application-Improvement-Report-Feb-2013.pdf
Bonjour Services Gateway
Bonjour Protocol
• Bonjour Protocol helps Apple devices discover Services
• Uses the mDNS protocol to advertise and discover services
• Link Local: does not cross subnets
Bonjour Challenges across VLANs
Bonjour is link-local multicast and can’t be routed: an Apple TV on VLAN Y advertises to 224.0.0.251, while the client on VLAN X (behind the AP, CAPWAP tunnel, WLC and router) sits in a different L2 domain.
• Bonjour is link local multicast and thus forwarded on the local L2 domain only
• mDNS operates on UDP port 5353 and is sent to the reserved group addresses:
  IPv4 Group Address – 224.0.0.251
  IPv6 Group Address – FF02::FB
Apple TV Bluetooth Discovery Process
1. Enable Wi-Fi and make sure it is routable to the Apple TV subnet
2. iDevices discover Apple TVs in Bluetooth range (40 feet)
3. iDevices can start mirroring
• Bluetooth is used only to discover Bonjour AirPlay services
• Does not apply for AirPrint, Backup, AirDrop etc.
Apple TV Bluetooth Discovery Implications on Wi-Fi
Wi-Fi Interference:
• Apple TVs add a new set of Bluetooth interfering devices on the network
• Congested 2.4 GHz spectrum makes Bluetooth discovery slow and unreliable
Bonjour Policy Control (Teacher / Student):
• A Student can discover the Apple TV and gain AirPlay access
• The password mechanism lacks role-based policy control
• No Bluetooth discovery for Mac OSX
Bonjour mDNS Gateway on Cisco WLC
Topology: iPad on VLAN 99 (wireless, via the AP and CAPWAP tunnel to the WLC); Apple TV on VLAN 20; AirPrinter (wired) on VLAN 23 behind the switch.
• Step 1 – Listen for Bonjour Services: the WLC h

ears the Bonjour advertisements (AirPlay from the Apple TV, AirPrint offered by the printer) on their VLANs.
• Step 2 – Bonjour services cached on the controller. Bonjour Cache: AirPlay – VLAN 20; AirPrint – VLAN 23.
• Step 3 – Listen for client service queries: the iPad’s Bonjour query arrives over the CAPWAP tunnel.
• Step 4 – Respond to client queries (unicast) for Bonjour services with a Bonjour response from the controller.
Bonjour Traffic Optimization
• 80% less Bonjour traffic* and 100% less Bonjour multicast traffic (* for a 4 Access Point deployment)
• Bonjour Cache on the WLC: AirPrint – VLAN 23, AirPlay – VLAN 20; 6400 entries per controller
Reason for traffic optimization:
• Bonjour service query is cached on the controller – not forwarded
• Bonjour client query – unicast response, not forwarded
Filter Services by WLAN and VLAN
Services Directory on the WLC: a Contractor Service Policy and an Employee Service Policy on a single SSID, with FileShare on the Contractor Network and FileShare on the Employee Network.
Bonjour Policy Example for Education Using v8.0
mDNS Service Instance Groups:
• Teacher Service Profile – Teacher Service Instance List: Apple TV1 (AirPlay), Apple TV2 (AirPlay), AirPrint, File Share, iTunes Sharing
• Student Service Profile – Student Service Instance List: Apple TV1 (AirPlay), AirPrint, File Share
Teacher Network / Student Network
Bonjour Policy enhancements in v8.0
• Location and Role filtering in release v8.0
• Bonjour Policies allow creation of the mDNS Service Groups and Service Instances within the Group
• Service Instance mandates how the service instance is shared by configuring
o MAC address of the Service Instance
o Name of the Service Instance
o Location Type of the Service Instance by AP Group, AP Name or AP Location
o Location configuration allows access to the "service instance" based on client location
• Location configuration is applied to wired and wireless instances of all services and printers as Any, Same or one AP Name.
• This allows selective sharing of service instances based on the location and rule (= user-id and role) on the same WLAN
Bonjour Policy Configuration
Configure Service Instances in the mDNS group, and role
Bonjour Policy enhancements in v8.0
• A Service Instance associated with a MAC address can be configured in multiple service groups
– Currently we support a maximum of 5 service groups for a single MAC address.
– Service group configurations can be done even when mDNS snooping is disabled
– The number of Service Instances per Service Group is limited by the platform (i.e. 6400 on 5508)
• Location Filtering of a Service Instance can be limited by the following attributes:
– "any" – clients from any location can access the service, subject to role and user-id credentials being allowed by the policy associated with the service group for the said MAC address.
– "same" – only clients in the SAME location as the device publishing the service can access that Service Instance.
– "ap-name" – only clients associated to that AP can access the Service Instance
Bonjour Policy enhancements in v8.0
• Allows articulating with whom a "service instance" is shared, i.e. by user-id, and with which role/s, i.e. teacher or student
• With Bonjour access policy there will now be two levels of filtering client queries
1. At the service type level by using the mDNS profile
– The mDNS profile can be user specific and be overridden with an ISE "av-pair" returned to the WLC that overrides the default profile
2. At the Service Instance level using the access policy associated with each Service Instance.
Note: Service instances which are not configured with any access policy will be mapped to the default access policy that allows configured <roles/names> to receive the service instances
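The two-level filtering described on the last three slides (service type via the mDNS profile with an ISE av-pair override, then Service Instance access policy with role, user-id and any/same/ap-name location), as an added example that is not code from the Cisco deck. The profile names, roles, AP names and MACs are constructed, the av-pair attribute name `mdns-profile-name` and the contents of the default access policy are assumptions, and the limit of 5 service groups per MAC is taken from the slide.

```python
"""Added example (not from the Cisco deck): model of two-level Bonjour access
policy filtering. Profile names, roles, AP names, MACs, the av-pair attribute
name and the default policy are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessPolicy:
    roles: frozenset                   # roles allowed to receive the instance
    user_ids: frozenset = frozenset()  # empty set: no user-id restriction


@dataclass(frozen=True)
class ServiceInstance:
    mac: str
    name: str
    service_type: str                      # "airplay", "airprint", "fileshare", ...
    location_type: str = "any"             # "any" | "same" | "ap-name"
    location: Optional[str] = None         # AP the device is seen on (same) or configured AP (ap-name)
    policy: Optional[AccessPolicy] = None  # None: the default access policy applies


@dataclass(frozen=True)
class Client:
    user_id: str
    role: str
    ap_name: str
    wlan: str


DEFAULT_POLICY = AccessPolicy(roles=frozenset({"teacher", "student"}))  # assumed default
MAX_GROUPS_PER_MAC = 5  # limit stated on the slide


class ServiceGroups:
    """mDNS service groups; one MAC may belong to at most MAX_GROUPS_PER_MAC groups."""

    def __init__(self):
        self.groups = defaultdict(list)
        self._mac_groups = defaultdict(set)

    def add(self, group, inst):
        """Return False (and refuse) when the MAC already sits in the maximum number of groups."""
        if group not in self._mac_groups[inst.mac] and len(self._mac_groups[inst.mac]) >= MAX_GROUPS_PER_MAC:
            return False
        self.groups[group].append(inst)
        self._mac_groups[inst.mac].add(group)
        return True

    def instances(self):
        seen = set()
        for insts in self.groups.values():
            for inst in insts:
                if inst.name not in seen:
                    seen.add(inst.name)
                    yield inst


def effective_profile(profiles, wlan_profile, ise_av_pair=None):
    """Level 1: the WLAN's mDNS profile, unless ISE returned an av-pair naming another (assumed syntax)."""
    key, _, value = (ise_av_pair or "").partition("=")
    if key == "mdns-profile-name" and value in profiles:
        return profiles[value]
    return profiles[wlan_profile]


def location_allows(inst, client):
    if inst.location_type == "any":
        return True
    if inst.location_type in ("same", "ap-name"):
        return inst.location == client.ap_name
    raise ValueError(f"unknown location type {inst.location_type!r}")


def policy_allows(inst, client):
    policy = inst.policy or DEFAULT_POLICY
    return client.role in policy.roles and (not policy.user_ids or client.user_id in policy.user_ids)


def visible_services(groups, profiles, wlan_profiles, client, ise_av_pair=None):
    """Names of the service instances a client's query is answered with."""
    allowed_types = effective_profile(profiles, wlan_profiles[client.wlan], ise_av_pair)
    return sorted(inst.name for inst in groups.instances()
                  if inst.service_type in allowed_types   # level 1: service type
                  and location_allows(inst, client)       # level 2: location
                  and policy_allows(inst, client))        # level 2: role / user-id


def build_example():
    """Constructed single-SSID school: students get the WLAN profile, teachers an ISE override."""
    profiles = {"student-profile": {"airplay"},
                "teacher-profile": {"airplay", "airprint", "fileshare"}}
    wlan_profiles = {"EDU-WLAN": "student-profile"}
    g = ServiceGroups()
    both = AccessPolicy(roles=frozenset({"teacher", "student"}))
    teachers = AccessPolicy(roles=frozenset({"teacher"}))
    g.add("room101", ServiceInstance("aa:bb:cc:00:00:01", "Apple TV1", "airplay", "same", "AP-Room101", both))
    g.add("staff", ServiceInstance("aa:bb:cc:00:00:02", "Apple TV2", "airplay", "any", None, teachers))
    g.add("room101", ServiceInstance("aa:bb:cc:00:00:03", "Classroom AirPrint", "airprint", "ap-name", "AP-Room101"))
    g.add("staff", ServiceInstance("aa:bb:cc:00:00:04", "Staff FileShare", "fileshare", "any", None,
                                   AccessPolicy(roles=frozenset({"teacher"}), user_ids=frozenset({"jdoe"}))))
    return g, profiles, wlan_profiles
```

Note that "Classroom AirPrint" carries no policy, so the default policy admits students by role; it is the level-1 profile filter on the student WLAN that hides it from them, which is why both levels matter.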
Location Specific Service for Bonjour
With LSS Bonjour services can be location specific
[Diagram: the Bonjour Services Directory on the WLC serves Apple Services through CAPWAP tunnels to an mDNS AP; localization can be any service specific]
Enable Bonjour for Remote VLAN: mDNS AP
With mDNS-AP Bonjour services can be seen from a remote VLAN
[Diagram: an mDNS AP (trunk mode) behind a Remote-Switch on VLAN X listens to 224.0.0.251 for the Apple TV on the remote VLAN and carries its services over the CAPWAP tunnel to the WLC; the WLC's Bonjour Services Directory then serves clients on VLAN Y through another AP and CAPWAP tunnel]
Google ChromeCast With Cisco Wireless LAN Controllers
How Does Google ChromeCast Work?
1. Services Discovery Request (multicast to 239.255.255.250)
2. Unicast Response with the IP address of the service
• ChromeCast Deployment Guide:
– http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/76/chromecastDG76/ChromecastDG76.html
AVC and Bonjour Gateway Network Requirements
[Table: requirements per platform. Columns: Feature/Platform – Cisco Wireless LAN 5508 / WiSM2, 7500, 8500, 2500; Network Management – Cisco Prime. Rows: AVC, Flexible Netflow, Performance Collection, Access Point Mode for AVC, License, Bonjour Gateway, mDNS AP feature, Access Point mode for Bonjour Gateway, Bonjour Location Specific Service, Extra License. Cell values present in the extracted text: AireOS 7.4 onwards, AireOS 7.5 onwards, Local Mode Only, AVC Protocol Pack Update, Prime Assurance, N/A, None; the exact cell layout is not recoverable]
NBAR2 Limitations on WLC:
• When an AP is in flex connect mode, NBAR is not supported
• IPv6 traffic cannot be classified
• Not supported by the vWLC or WLC on SRE
Summary: Managing Policies for BYOD Network
[Diagram: Personal Devices on Network; Securely Board the Device; Application Experience. Network Components: Wireless, Remote Access, Wired, ISE, Prime, Simplified Bonjour Operations, 3rd Party MDM (Optional)]
Participate in the "My Favorite Speaker" Contest
Promote Your Favorite Speaker and You Could be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker's Twitter handle <Speaker – enter your twitter handle here>
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your "favorite" speakers
• Don't forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos
• Labs
• Lunch
• Topics
• Final copy TBD
Configurations for Your Reference
Steps for Integrating the Controller and ISE
1. Configure WLAN for 802.1x Authentication
• Configure RADIUS Server on Controller
• Setup WLAN for AAA Override, Profiling and RADIUS NAC
2. Configure ISE Profiling
• Enable profiling sensors
3. Setup Access Restrictions
• Configure ACLs to filter and control network access.
Configuring ISE as the Authentication Server and Accounting Server
1. Enable "RFC 3576" to support Change of Authorization
2. Add to Accounting Servers to receive session statistics
Configuring the WLAN for Secure Connectivity
Enabling Secure Authentication and Encryption with WPA2-Enterprise
1. WPA2 Security with AES Encryption
2. Assign RADIUS Server per WLAN
Setting the WLAN QoS Level for Override
Using WMM, the QoS Level is Based on the Marking of the Packet.
1. This acts as an upper limit, or ceiling, for the WLAN's QoS configuration
• If WMM is set to Allowed, the Quality of Service configuration serves as a limit for the entire SSID.
• Ensure all controller uplinks, media servers and Access Points have proper Quality of Service trust commands in IOS.
Configuring the WLAN for ISE Identity-based Networking Cont'd
1. Allow AAA Override to permit ISE to modify user access permissions
2. Enable RADIUS NAC to allow ISE to use Change of Authorization.
3. Enable RADIUS Client Profiling to send DHCP and HTTP attributes to ISE.
Configuring the Controller ACL
1. This ACL will be referenced by name by the ISE to restrict the user.
2. Use the ISE server's IP address to allow only traffic to that site.
Configuring ISE Profiling Sensors
• Profiling relies on a multitude of "sensors" to assess the client's device type.
• Profiling can always be achieved through a SPAN port; more efficient profiling is achieved through sensors which selectively forward attributes.
• For DHCP Profiling:
– Option A: Use v7.2 MR1 code to send DHCP attributes in RADIUS accounting messages.
– Option B: Use Cisco IOS "ip helper" addressed to ISE on switches adjacent to the WLC.
• For HTTP Profiling:
– Use the Web-Authentication redirect to get the HTTP user agent.
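How the sensor model above turns forwarded attributes into a device type, as an added example that is not code from the Cisco deck or ISE: attributes arriving from different sensors (DHCP options carried in RADIUS accounting, the HTTP User-Agent from the web-auth redirect) are merged per endpoint MAC, and each profile's rules add a certainty factor that must reach a minimum before the profile is assigned. The profile names, rule regexes, certainty values and the endpoint attributes are all constructed for this example and are not ISE's shipped profiler library; the attribute keys are the DHCP option and HTTP header names, not any particular sensor's wire encoding.

```python
"""Added example (not from the Cisco deck): a simplified attribute-based device
profiler in the style of sensor-fed profiling. Rules, certainty values and the
sample endpoints are constructed."""
import re
from collections import defaultdict

# Illustrative profile rules: (profile, minimum certainty, conditions); each
# condition is (attribute, regex, certainty factor it adds when matched).
PROFILE_RULES = [
    ("Windows-Workstation", 20, [("dhcp-class-identifier", r"^MSFT", 20),
                                 ("User-Agent", r"Windows NT", 10)]),
    ("Apple-iPad", 30, [("User-Agent", r"\biPad\b", 30),
                        ("dhcp-class-identifier", r"^iPad", 30)]),
    ("Apple-Device", 10, [("host-name", r"(?i)ipad|iphone|macbook", 10),
                          ("User-Agent", r"Apple|iPhone|iPad|Mac OS X", 10)]),
    ("Android", 20, [("dhcp-class-identifier", r"(?i)android|dhcpcd", 20),
                     ("User-Agent", r"Android", 20)]),
]


class Profiler:
    def __init__(self):
        self.endpoints = defaultdict(dict)  # mac -> merged attributes from all sensors
        self.sources = defaultdict(set)     # mac -> sensors that contributed

    def ingest(self, sensor, mac, attrs):
        """Merge what one sensor forwarded for an endpoint and re-profile it.

        Sensors only forward the attributes worth having: RADIUS accounting
        carries DHCP options, the web-auth redirect yields the HTTP User-Agent.
        A later, richer attribute set can move the endpoint to a more specific profile.
        """
        self.endpoints[mac].update(attrs)
        self.sources[mac].add(sensor)
        return self.classify(mac)

    def score(self, mac):
        """Certainty per profile whose minimum is reached by the endpoint's attributes."""
        attrs = self.endpoints[mac]
        scores = {}
        for profile, minimum, conditions in PROFILE_RULES:
            total = sum(cf for attr, rx, cf in conditions
                        if attr in attrs and re.search(rx, attrs[attr]))
            if total >= minimum:
                scores[profile] = total
        return scores

    def classify(self, mac):
        """Highest-certainty profile, or "Unknown" when no profile reaches its minimum."""
        scores = self.score(mac)
        if not scores:
            return "Unknown"
        return max(scores, key=lambda p: (scores[p], p))


if __name__ == "__main__":
    p = Profiler()
    mac = "00:11:22:33:44:55"  # constructed
    print(p.ingest("radius-accounting", mac, {"host-name": "amys-ipad"}))
    print(p.ingest("http-redirect", mac, {"User-Agent": "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X)"}))
```

The point to notice is the re-profiling on the second ingest: with only the DHCP hostname the endpoint lands in the generic Apple profile, and the User-Agent collected through the redirect is what lifts it to the specific one, which is why the HTTP sensor matters for authorization rules keyed on device type.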
Steps for Configuring Device Provisioning
1. Configure Integration with External CA Server
• Define SCEP URL and certificates.
• Example – Active Directory, CA Server or Internal DB.
2. Define Supplicant Provisioning Profile
• Define what security and EAP type is deployed to end devices.
Configuring SCEP Integration on the ISE
• The ISE Must Point to the SCEP Server and Have a Valid Certificate Signed by the CA
1. Configure the SCEP URL pointing to the Microsoft Windows 2008 Server or other CA
2. Request a Certificate for the ISE from the CA Server
Configuring Certificates on the ISE
• Certificates are Used for HTTPS and EAP Connections
1. The Web Server Certificate can be the same as, or different than, the EAP/RADIUS Certificate
2. Use the Certificate from Your CA Server for EAP Authentication
Configuring the Web-Authentication Redirect ACL
• The ACL is Used in HTTP Profiling as Well as Posture and Client Provisioning.
1. This ACL will be referenced by name by the ISE to restrict the user.
2. Use the ISE server's IP address to allow only traffic to that site.
Defining the Supplicant Provisioning Authorization Profile
1. Configure Redirect ACL On WLC
2. Choose "Supplicant Provisioning" for the Redirect Portal
BYOD configuration for Unified Access
Unified Access BYOD Config
Change Of Authorization (CoA)
Network Access Control
Steps for AVC configuration
Configure AVC policy and Netflow
• Define AVC profile and apply to WLAN.
• Define netflow export profile and apply to WLAN.
Update NBAR2 protocol pack
• Steps to update protocol pack on controller.
Applying AVC Profiles
Create AVC Profile for Applications at Wireless > AVC
Apply AVC Profile to WLAN
Maximum 32 Rules can be created per AVC Profile
Netflow Collection and Export Configuration
Create Netflow Monitor and Exporter at Wireless > Netflow
Apply Netflow monitor per WLAN
[Diagram: Netflow Collection & Exporting – the WLC collects application bandwidth and exports it as NFv9 to the management tool (Reporting Tools) for reporting]
AVC: Steps for updating the AVC Protocol Pack
• Protocol Pack allows adding more applications without upgrading or reloading AireOS
• NBAR2 Protocol List:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
• Protocol Packs are released for a specific NBAR Engine
– AireOS 7.5 WLC has NBAR Engine 13 (protocol pack will be pp-adv-asr1k-152-4.S-13-3.0.0.pac)
Steps for Bonjour configuration
Bonjour Profile
• Steps to configure mDNS profile
• Steps to apply the mDNS profile per interface.
Location specific Bonjour Service
• Steps to enable location specific services on controller
Remote VLAN Bonjour Service
• Steps to discover Bonjour service on remote VLAN by enabling mDNS AP
Bonjour Gateway Services filter
Enable mDNS Globally / Add Services
mDNS Profile for Employee
Max. of 64 services can be enabled
Applying the Bonjour Gateway Profile
Controlling Bonjour Gateway Profile per Interface (WLAN or VLAN)
Bonjour: Steps Configuring LSS service from CLI
1. Once the basic Bonjour gateway setup is configured, LSS can be enabled from the WLC CLI; LSS is disabled by default on the WLC.
2. Configure LSS services from CLI:
(WLC) >config mdns service lss <enable / disable> <service_name/all>
Bonjour: Configure mDNS-AP from CLI
1. Configure the switch port for the mDNS-AP in trunk mode or access mode
2. Configure mDNS-AP Trunk Mode or Access Mode:
(WLC)> config mdns ap enable/disable <APName/all> vlan <vlan-id>
(WLC) >config mdns ap vlan add/delete <vlanid> <AP Name>
(WLC)> config mdns ap enable/disable <APName/all> – no VLAN config in Access Mode