WIFI Controller

Secure

• Secure your network with simplified segmentation, and detect encrypted threats.

Intelligent

• Deploy your wireless network on-premises or in the cloud. Manage it with DNA Center or programmable APIs.

Optimal user experience

• Get contextual insights to troubleshoot faster and deliver personalized experiences.

Always on

• Upgrade your network with no disruption.

1. High Capacity Load Balancing

Wireless networks were originally planned for coverage only, but with all the smartphones, tablets, laptops etc. out there--today’s wireless networks must be planned for capacity.

With the increased demand on both your wireless and wired infrastructure, you must incorporate high capacity load balancing.

This means, when one access point is overloaded, the system will actively shift users from one access point to another depending on the capacity that is available.

2. Scalability

The growth in popularity of new wireless devices will only continue to increase. Your network needs to have the ability to start small if necessary, but expand in terms of coverage and capacity as needed--without having to overhaul or build an entirely new network. Trust me, if you don’t need it now, you will need it later.

3. Network Management System

Modern day wireless networks are much more complex and may consist of hundreds or even thousands of access points, switches, firewalls, managed power and various other components.

You need to have a smarter way of managing the entire network from a centralized point. Deploying a network management system gives you that ability and so much more.

4. Role Based Access Control

Role based access control (RBAC) allows you to assign roles based on who, what, where, when and how a user or device is trying to access your network.

Once the role of the device or end-user is defined, access control policies or rules can be enforced.

5. Indoor as well as Outdoor coverage options

Although you may feel you only need indoor WiFi at first, its possible that later you might need to add outdoor coverage as well.

For example, to parking lots, courtyards, etc. It's important that your wireless system has the capability of adding outdoor coverage, even after the fact.

6. The Ability to Measure Performance

With user expectations increasing, it's critical that you're continuously measuring performance from the end-users perspective. This means having the ability to see your end-users in real time, what type of devices they are using, what types of applications they are using, and the status of the different networking components that may affect the use of those devices. You should also have the ability to run proactive testing to help avoid potential problems before they happen.

7. Network Access Control

Whether you refer to it as mobile device registration or network access control, it is essential to have a secure method for registering and securing the devices that you don't own.

Primarily, NAC controls the role of the user and enforces policies. Network access control can allow your users to register themselves to the network--a helpful feature that enhances the user experience.

8. Ability to communicate with both 2.4 GHz devices and 5 GHz devices

Baby scanners, blue tooth, microwaves, and many of today’s common use devices can interfere with users on 2.4 GHz devices--simply put, it’s a “crowded spectrum”. Since many devices still operate in that spectrum, you’ll need dual radio access points that can manage users on both 2.4 GHz and 5 GHz at the same time.

9. Web Content/Application Filtering

More than ever before, network security must become application aware in order to alleviate threats.

You should have application filtering in place in order to protect users from content that might contain malicious threats as well as to prevent possible performance issues.

10. Mobile Device Management

Think about how many mobile devices will be accessing your wireless network; now think about the thousands of applications you’re going to have running on those mobile devices.

How do you plan on managing all of this, especially as devices come and go from your business.

Mobile device management can provide control of how you will manage access to applications and programs. You can even remotely wipe the device if it’s lost or stolen.

11. Application Prioritization

Application prioritization is exactly what it sounds like; it's the ability to guarantee performance levels to applications that you have selected as mission-critical.

This means your business can ensure that the applications that are most important to your operations have exactly what they need to function at a high-level, even as other less critical applications are accessing the network at the same time.

Without application prioritization there is no way to control the balance between business applications and recreational applications, and no way to ensure that your mission-critical processes and systems maintain the performance they need--in other words, it would be chaos.

12. Roaming

You shouldn't have to worry about dropped connections, slower speeds or any disruption in service as you move throughout your office or even from building to building—wireless needs to be mobile-first..

Mobile devices are just that, mobile, meaning your users will expect to maintain the same level of performance no matter where they are or if they are on the move.

Planning for WiFi today means planning for roaming. Roaming allows your end-users to successfully move from one access point to another without ever noticing a dip in performance.

For example, allowing a student to check their Facebook news-feed as they walk from one class to the next.

13. Redundancy

“Downtime” is a productivity and moral killer—if the WiFi goes down everything comes to a grinding stop.

The level or amount of redundancy your WiFi system requires depends on your specific environment and needs.

For example, a hospital environment will need a higher level of redundancy than say a coffee-shop, however, at the end of the day they both need to have a back-up plan in place.

14. Adaptive Radio Management

Technical expertise is both expensive and hard to find; it takes years of training and experience to know how to get it right—that’s time and money most businesses just don’t have.

Adaptive radio management or ARM, is like having an RF or WiFi expert on site that helps to maximize performance for your end-users.

It does this by collecting RF data from your access points and then using that data to make intelligent decisions about power levels, channels, air-time fairness, client-loads and even roaming.

*It should be noted that while ARM can be a powerful tool to help fix RF issues, it’s not a magic wand—nothing can replace having a proper wireless network design.

15. Proper Security Means Using the Right Firewall

Building an “air-tight” network doesn’t come down to just one component alone; it’s about many components all working together just right to keep your data and your end-users safe.

However, the backbone of that system is your network firewall. For example, with the right firewall in place you’ll be able to:

See and control both your applications and end-users

Create the right balance between performance and security

Reduce complexity with baked-in features such as:

Anti-virus protection

Spam filtering

Deep packet inspection (DPI)

Application filtering

Protect your network and end-users against known and unknown threats including:

Ransomware

Encrypted malware

Zero-day

Malicious botnets

16. Switching

Basically, a network switch is the traffic cop of your network—making sure that everyone and every device gets to where they need to go.

They’re an essential part of every fast, secure wireless network for several reasons:

They help the traffic on your network flow more efficiently

They minimize unnecessary traffic

They create a better user experience by ensuring your traffic is going to the right places.

In many cases, performance issues arise from bottlenecks or choke points caused by using the wrong type of switch or from outdated switches.

Whether you’re updating your current wireless system or deploying wireless for the first time, you can’t ignore or forget about your switching.

17. 802.11ac Access Points

Finally, we get to your access points. Access points are one of the most well-known components within your entire system—they’re the lead singer if you will.

There are many different types of APs available from a variety of different manufacturers. However, no matter which route you go, you need to make sure your APs are at the very least 802.11ac—currently Wave 2.

From there, it gets a little bit more complicated. There are many factors that will impact the performance of your access points, from the amount deployed, their configuration, and even your wired infrastructure.

Q. How do I configure the switch to connect with the WLC?

A. Configure the switch port, to which the WLC is connected, as an IEEE 802.1Q trunk port. Make sure that only the necessary VLANs are allowed on the switch. Usually, the management and the AP-Manager interface of the WLC are left untagged. This means that they assume the native VLAN of the connected switch. This is not necessary. You can assign a separate VLAN to these interfaces.

Q. Does all network traffic from and to a WLAN client tunnel through a Wireless LAN Controller (WLC) once the access point (AP) gets registered with the controller?

A. When the AP joins a WLC, a Control and Provisioning of Wireless Access Points protocol (CAPWAP) tunnel is formed between the two devices. All traffic, which includes all client traffic, is sent through the CAPWAP tunnel.

The only exception to this is when an AP is in hybrid-REAP mode. The hybrid-REAP access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost. When they are connected to the controller, they can also send traffic back to the controller.

Q. How many WLANs are supported on WLC?

A. Since software version 5.2.157.0, WLC can now control up to 512 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID, and can be assigned unique security policies. The controller publishes up to 16 WLANs to each connected access point, but you can create up to 512 WLANs on the controller and then selectively publish these WLANs (using access point groups) to different access points to better manage your wireless network.

Q. How can I configure VLANs on my Wireless LAN Controller (WLC)?

A. In the WLC, VLANs are tied to an interface configured in a unique IP subnet. This interface is mapped onto a WLAN. Then, the clients that associate to this WLAN belong to the VLAN of the interface and are assigned an IP address from the subnet to which the interface belongs.

Q. We have provisioned two WLANs with two different dynamic interfaces. Each interface has its own VLAN, which is different than the management interface VLAN. This seems to work, but we have not provisioned the trunk ports to allow the VLANs that our WLANs use. Does the access point (AP) tag the packets with the management interface VLAN?

A. The AP does not tag packets with the management interface VLAN. The AP encapsulates the packets from the clients in Lightweight AP Protocol (LWAPP)/CAPWAP, and then passes the packets on to the WLC. The WLC then strips the LWAPP/CAPWAP header and forwards the packets to the gateway with the appropriate VLAN tag. The VLAN tag depends on the WLAN to which the client belongs. The WLC depends on the gateway to route the packets to their destination. In order to be able to pass traffic for multiple VLANs, you must configure the uplink switch as a trunk port. This diagram explains how VLANs work with controllers:

Q. Which IP address of the WLC is used for authentication with the AAA server?

A. The WLC uses the IP address of the management interface for any authentication mechanism (Layer 2 or Layer 3) that involves a AAA server.

Q. What is the validity period of manufacturer installed certificates (MICs) on a wireless LAN controller and of the lightweight AP's certificates?

A. The validity period of a MIC on a WLC is 10 years. The same validity period of 10 years applies to the lightweight AP's certificates from creation (whether it is a MIC or a Self-Signed Certificate (SSC)).

Q. I have two wireless LAN controllers (WLCs) named WLC1 and WLC2 configured within the same mobility group for failover. My Lightweight Access Point (LAP) is currently registered with WLC1. If WLC1 fails, does the AP registered to WLC1 reboot during its transition towards the surviving WLC (WLC2)? Also, during this failover, does the WLAN client lose WLAN connectivity with the LAP?

A. Yes, the LAP does de-register from WLC1, reboot, and then re-registers with WLC2, if WLC1 fails. Because the LAP reboots, the associated WLAN clients lose the connectivity to the rebooting LAP.

Q. What is the roaming process that occurs when a client decides to roam to a new access point (AP) or controller?

A. This is the sequence of events that occurs when a client roams to a new AP:

1. The client sends a reassociation request to the WLC through the LAP.

2. WLC sends the mobility message to other WLCs in the mobility group in order to find out with which WLC the client was previously associated.

3. The original WLC responds with information, such as the MAC address, IP address, QoS, Security context, etc. about the client through the mobility message.

4. The WLC updates its database with the provided client details; the client then goes through the reauthentication process, if necessary. The new LAP with which the client is currently associated is also updated along with other details in the database of the WLC. This way, the client IP address is retained across roams between WLCs, which helps to provide seamless roaming.

Q. Can I use the internal DHCP server on the Wireless LAN Controller (WLC) in order to assign IP addresses to the Lightweight Access Points (LAPs)?

A. The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. I

Q. What does the DHCP Required field under a WLAN signify?

A. DHCP Required is an option that can be enabled for a WLAN. It necessitates that all clients that associate to that particular WLAN obtain IP addresses through DHCP. Clients with static IP addresses are not allowed to associate to the WLAN. This option is found under the Advanced tab of a WLAN. WLC allows the traffic to/from a client only if its IP address is present in the MSCB table of the WLC. WLC records the IP address of a client during its DHCP Request or DHCP Renew.

Q. Is there a way to track the name of the Lightweight Access Point (LAP) when it is not registered to the controller?

A. If your AP is completely down and not registered to the controller, there is no way you can track the LAP through the controller. The only way that remains is that you can access the switch on which these APs are connected, and you can find the switchport on which they are connected using this command:

show mac-address-table address <mac address>

Q. I have configured 512 users on my controller. Is there any way to increase the number of users on the Wireless LAN Controller (WLC)?

A. The local user database is limited to a maximum of 2048 entries at the Security > General page. This database is shared by local management users (which includes lobby ambassadors), net users (which includes guest users), MAC filter entries, Access point authorization list entries, and Exclusion list entries.

Q. How do I enforce a strong password policy on WLCs?

A. WLCs allow you to define a strong password policy. This can be done using either the CLI or GUI.

In the GUI, go to Security > AAA > Password Policies.