Managing Policies for BYOD Network
BRKEWN-2020
Damodar Banodkar
Technical Marketing Engineer
© 2014 Cisco and/or its affiliates. All rights reserved.BRKEWN-2020 Cisco Public
For Your Reference
• There are slides in your PDF that will not be presented, or will be presented only quickly.
• They are usually valuable, but are included only "For Your Reference".
The Need for Managing Devices and Applications
• 56% of US information workers spend time working outside the office (Forrester)
• 100% of IT staff is struggling to keep up with mobility trends (Gartner)
• 4X: smartphone connection speeds will grow 4-fold from 2011 to 2016 (Cisco VNI)
• 90%: mobile video traffic will have an annual growth rate of 90% from 2011 to 2016 (Cisco VNI)
Agenda: Managing Policies for BYOD Network
• Personal Devices on Network
• Step 1: Securely Board the Device
• Step 2: Application Experience
• Step 3: Simplified Services Operations
• 3rd Party MDM
Wireless BYOD: Drivers and Assumptions
Drivers
• Majority of new network devices have no wired port
• Users will change devices more frequently than in the past
• Mobile devices have become an extension of our personality and work
• Guest / contractor access and accountability has become a mandatory business need
Assumptions
• Guests and contractors must be isolated and accounted for
• Users will have 1 wired and 2+ wireless devices moving forward
• The wireless network must be secure and as predictable as the wired network
Spectrum of BYOD Strategies: Different Deployment Requirements for Different Environments
• Controller-only BYOD (Cisco WLAN Controller): wireless only; basic profiling and policy on the WLC
• Controller + ISE (Identity Services Engine), Wireless BYOD: wireless only; AAA + advanced profiling + device posture + client on-board + guest + Mobile Device Management (MDM)
• Controller + ISE, Advanced BYOD (with Cisco Catalyst Switch and ASA Firewall): wired + wireless + remote access; AAA + advanced profiling + device posture + client on-board + guest + MDM
Cisco BYOD Device Policy Steps
• Phase 1: Authentication (EAP between the client supplicant, the WLC and ISE)
• Phase 2: Device / user identification (MAC, DHCP, DNS, HTTP; ISE). Allowed device?
• Phase 3: Posture assessment, MDM, lost device containment (ISE)
• Phase 4: Device policy enforcement (WLC). Allowed access, e.g. Silver QoS, Allow-All ACL, Employee VLAN, Block YouTube AVC; otherwise Internet-only
Contextual Policy for BYOD Deployments: Control and Enforcement
Integrating WLC and ISE for Authentication and Profiling
Components: Access Point, Wireless LAN Controller, ISE (Unified Access Management); context such as location (HQ) and time (2:38pm); VLAN 10 and VLAN 20.
1. 802.1X EAP user authentication
2. Identity profiling: DHCP, RADIUS, SNMP, NETFLOW, HTTP and DNS are used to identify the device
3. Profiling to identify device: personal asset or company asset
4. Posture of the device
5. Policy decision: full or partial access granted (corporate resources or Internet only)
6. Enforcement: dACL, VLAN, SGA, application
With the ISE, Cisco wireless can support multiple users and device types on a single SSID.
Extensible Authentication Protocol (EAP): Protocol Flow
Authentication conversation between Client and Auth Server (secure tunnel)
Supplicant <- EAP over LAN (EAPoL), Layer 2 point-to-point -> Authenticator <- RADIUS, Layer 3 link -> Auth Server
Beginning:
• EAPoL Start
• EAPoL Request Identity
• EAP-Response Identity: Alice -> RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle (multiple challenge-request exchanges possible):
• RADIUS Access-Challenge [AVP: EAP-Request PEAP] -> EAP-Request: PEAP
• EAP-Response: PEAP -> RADIUS Access-Request [AVP: EAP-Response: PEAP]
End:
• RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] -> EAP Success
• 802.1X (EAPoL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms.
• When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or PEAP, which defines how the authentication takes place.
• The EAP type is negotiated between the client and the RADIUS server.
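The exchange above, as an added example that is not part of the original deck and not Cisco code: a toy Python model of supplicant, authenticator and auth server in which the authenticator only relays EAP frames inside RADIUS, and the EAP type is settled between client and server through the EAP Nak. The EAP type numbers are the IANA values; the two-round "method", the message shapes and the VLAN / dACL attribute names are simplifications assumed for the example.

```python
"""Toy 802.1X / EAP / RADIUS exchange (added example, not Cisco code).

Supplicant <-EAPoL-> Authenticator (WLC) <-RADIUS-> Auth Server. The
authenticator never interprets the EAP method: it carries each EAP frame in
a RADIUS Access-Request and relays the EAP frame the server returns inside
Access-Challenge / Access-Accept / Access-Reject. The EAP type is settled
between client and server with the EAP Nak: when the server proposes a type
the client lacks, the client answers with a Nak naming the type it supports.
"""
from dataclasses import dataclass, field

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP method type numbers from the IANA registry
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_TLS, EAP_TYPE_PEAP = 1, 3, 13, 25
NAMES = {EAP_TYPE_IDENTITY: "Identity", EAP_TYPE_NAK: "Nak",
         EAP_TYPE_TLS: "EAP-TLS", EAP_TYPE_PEAP: "PEAP"}


@dataclass
class Eap:
    code: int
    eap_type: int = 0
    data: str = ""


@dataclass
class Radius:
    code: str                       # Access-Request / -Challenge / -Accept / -Reject
    avps: dict = field(default_factory=dict)


class Supplicant:
    def __init__(self, identity, supported_types):
        self.identity = identity
        self.supported = supported_types        # in order of preference

    def respond(self, request):
        if request.eap_type == EAP_TYPE_IDENTITY:
            return Eap(EAP_RESPONSE, EAP_TYPE_IDENTITY, self.identity)
        if request.eap_type not in self.supported:
            # Nak: name the method the client would accept instead
            return Eap(EAP_RESPONSE, EAP_TYPE_NAK, str(self.supported[0]))
        # Method round; the real TLS tunnel / inner MSCHAPv2 is abstracted away
        return Eap(EAP_RESPONSE, request.eap_type, "method-data")


class AuthServer:
    """Proposes an EAP type, runs a fixed number of method rounds, then
    returns the authorization attributes configured for the identity."""

    def __init__(self, preferred_type, allowed_types, authz, rounds=2):
        self.preferred = preferred_type
        self.allowed = allowed_types
        self.authz = authz                      # identity -> Access-Accept attributes
        self.rounds = rounds
        self.identity = None
        self.method = None
        self.completed = 0

    def handle(self, request):
        eap = request.avps["EAP-Message"]
        if eap.eap_type == EAP_TYPE_IDENTITY:
            self.identity = eap.data
            self.method = self.preferred
            return self._challenge()
        if eap.eap_type == EAP_TYPE_NAK:
            wanted = int(eap.data)
            if wanted not in self.allowed:      # no common method: reject
                return Radius("Access-Reject", {"EAP-Message": Eap(EAP_FAILURE)})
            self.method = wanted
            return self._challenge()
        self.completed += 1
        if self.completed < self.rounds:
            return self._challenge()
        attrs = {"EAP-Message": Eap(EAP_SUCCESS)}
        attrs.update(self.authz.get(self.identity, {}))
        return Radius("Access-Accept", attrs)

    def _challenge(self):
        return Radius("Access-Challenge", {"EAP-Message": Eap(EAP_REQUEST, self.method)})


def authenticate(supplicant, server):
    """Authenticator loop: relay EAP frames until Accept or Reject.
    Returns (radius_code, authorization_attributes, transcript)."""
    transcript = ["EAPoL-Start", "EAPoL Request Identity"]
    eap = Eap(EAP_REQUEST, EAP_TYPE_IDENTITY)
    while True:
        resp = supplicant.respond(eap)
        transcript.append(f"EAP-Response {NAMES[resp.eap_type]}: {resp.data}")
        reply = server.handle(Radius("Access-Request", {"EAP-Message": resp}))
        transcript.append(f"RADIUS {reply.code}")
        eap = reply.avps["EAP-Message"]
        if reply.code != "Access-Challenge":
            attrs = {k: v for k, v in reply.avps.items() if k != "EAP-Message"}
            transcript.append("EAP Success" if eap.code == EAP_SUCCESS else "EAP Failure")
            return reply.code, attrs, transcript
        transcript.append(f"EAP-Request {NAMES[eap.eap_type]}")


if __name__ == "__main__":
    alice = Supplicant("Alice", [EAP_TYPE_PEAP])
    ise = AuthServer(EAP_TYPE_TLS, {EAP_TYPE_TLS, EAP_TYPE_PEAP},
                     {"Alice": {"VLAN": "10", "dACL": "dACL-n"}})
    code, attrs, lines = authenticate(alice, ise)
    print("\n".join(lines), "\n", code, attrs)
```

Running the block with a PEAP-only client against a server that prefers EAP-TLS shows the Nak round before the PEAP rounds; a client offering a method the server does not allow ends in Access-Reject with no authorization attributes.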
EAP Authentication Types: Different Authentication Options Leveraging Different Credentials
• Tunneling-based: EAP-PEAP, EAP-TTLS, EAP-FAST, with inner methods EAP-GTC or EAP-MSCHAPv2
• Certificate-based: EAP-TLS
Tunnel-based: common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. This provides security for the inner EAP type, which may be vulnerable by itself.
Certificate-based: for more security, EAP-TLS provides mutual authentication of both the server and client.
Factors in Choosing an EAP Method: The Most Common EAP Types are PEAP and EAP-TLS
Factors: EAP type(s) deployed, client support, security vs. complexity, authentication server support.
• Most clients such as Windows, Mac OS X and Apple iOS devices support EAP-TLS and PEAP (MS-CHAPv2).
‒ Additional supplicants can add more EAP types (Cisco AnyConnect).
• Certain EAP types (TLS) can be more difficult to deploy than others depending on device type.
‒ Cisco ISE Supplicant Provisioning can aid in the deployment.
The RADIUS Protocol
• The RADIUS protocol is initiated by the network devices: it is initiated by the client (authenticator) to the server, so there was no way to change authorization from the ISE.
• Now network devices listen for CoA requests from ISE. CoA is not client-initiated: "Now I can control ports when I want to!"
• CoA actions: re-authenticate session; terminate session; terminate session with port bounce; disable host port.
IEEE 802.1X with Change of Authorization (CoA)
Supplicant <- EAP over LAN (EAPoL), Layer 2 point-to-point -> Authenticator <- RADIUS, Layer 3 link -> Auth Server
Change of Authorization:
• RADIUS CoA-Request [VSA: subscriber: reauthenticate] (Auth Server -> Authenticator)
• RADIUS CoA-Ack
Re-authentication (multiple challenge-request exchanges possible):
• EAPoL Request Identity
• EAP-Response Identity: Alice -> RADIUS Access-Request [AVP: EAP-Response: Alice]
• RADIUS Access-Challenge [AVP: EAP-Request PEAP] -> EAP-Request: PEAP
• EAP-Response: PEAP -> RADIUS Access-Request [AVP: EAP-Response: PEAP]
Change of Authorization (CoA): Changing Connection Policy Attributes Dynamically
Before (posture assessment and profiling), user and device specific attributes from ISE:
• Client status: Unknown
• VLAN: Limited Access
• ACL: Posture-Assessment
• QoS: Silver
• Application: Block YouTube
After (employee policy applied), user and device specific attributes from ISE:
• Client status: Profiled, Workstation
• VLAN: Employee
• ACL: None
• QoS: Gold
• Application: Allow YouTube
Enable CoA: AAA Override (For Your Reference)
1. Allow AAA Override to permit ISE to modify user access permissions (CoA).
2. Allow AAA Override to permit ISE to redirect the client to a specific URL.
Cisco Wireless Controller User-Based Policy: AAA Override Attributes
• VLAN
• Quality of Service (QoS)
• Access Control List (ACL)
• URL Redirect
• CoA
• Application Control (AVC): NEW in 8.0
• Bonjour Service Policy: NEW in 8.0
Available in AireOS Version 8.0
FlexConnect and AAA Override: Setting the VLAN for Locally Switched Clients
• ISE returns the VLAN to the WLC across the WAN in the RADIUS IETF attributes 64, 65 and 81 (e.g. VLAN 504, VLAN 100).
• Create a sub-interface on the FlexConnect AP and set the ACL on the VLAN.
URL Redirection
Example: TCP traffic flow for the login page (Host <-> WLC)
1. User opens browser to http://www.google.com
2. TCP port 80 SYN, SYN-ACK, ACK
3. HTTP GET http://www.google.com
4. Redirect: HTTP login page on ISE (Central Web Auth, Client Provisioning, Posture, MDM, Guest Services)
5. Username, password
External URL Redirect (ISE):
• Redirect URL: cisco:cisco-av-pair=url-redirect=https://url
• Redirect ACL: cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE
Cisco Wireless LAN Controller ACLs: Layer 3-4 Filtering at Line Rate
• ACLs provide L3-L4 policy and can be applied per interface or per user.
• Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.
• Up to 64 rules can be configured per ACL.
• Inbound and outbound directions (WLC, AP, wired LAN), with an implicit deny all at the end.
Unified Access BYOD: Downloadable ACL Support
Download: http://www.miercom.com/2013/05/cisco-wlc-5760/
Cisco Wireless User-Based QoS Capabilities: Allowing Per-User and Per-Device Limiting of the Maximum QoS Level
WMM queues: Voice, Video, Best Effort, Background. QoS-tagged packets from Call Manager pass through the Access Point and the WLC.
• Employee, Platinum QoS: the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice Queue.
• Contractor, Silver QoS: the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort Queue.
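The per-user ceiling described above, as an added Python example (not from the deck, not Cisco code): the DSCP marking asks for a WMM queue and the QoS level returned by the AAA server caps it, so EF traffic from a Silver user lands in Best Effort while the same marking from a Platinum user reaches the Voice queue. The DSCP-to-queue table is a simplified one written for the example, not the controller's own mapping.

```python
"""Per-user ceiling on the WMM queue (added example, not Cisco code). The DSCP
marking asks for a queue; the QoS level the AAA server returned for the user
caps it. The DSCP-to-queue table here is a simplified one for the example,
not the controller's own mapping."""

WMM_QUEUES = ["Background", "Best Effort", "Video", "Voice"]    # low to high
DSCP_EF, DSCP_AF41, DSCP_CS1 = 46, 34, 8

# Highest queue a client may use, by the QoS level returned in AAA Override
QOS_CEILING = {"Platinum": "Voice", "Gold": "Video",
               "Silver": "Best Effort", "Bronze": "Background"}


def dscp_to_wmm(dscp):
    """Queue a DSCP marking asks for (simplified mapping)."""
    if dscp == DSCP_EF or dscp >= 48:      # EF, CS6, CS7
        return "Voice"
    if 24 <= dscp <= 40:                   # CS3 .. CS5 and AF3x / AF4x
        return "Video"
    if dscp == DSCP_CS1:
        return "Background"
    return "Best Effort"


def admitted_queue(dscp, qos_level):
    """The marking can never lift traffic above the user's level: whichever of
    the requested queue and the ceiling is lower wins."""
    requested = dscp_to_wmm(dscp)
    ceiling = QOS_CEILING[qos_level]
    return min(requested, ceiling, key=WMM_QUEUES.index)


def queue_distribution(frames, qos_level):
    """frames: iterable of (dscp, bytes). Returns bytes admitted per queue."""
    dist = {queue: 0 for queue in WMM_QUEUES}
    for dscp, size in frames:
        dist[admitted_queue(dscp, qos_level)] += size
    return dist


if __name__ == "__main__":
    # Constructed mix: voice (EF), video (AF41), data (default) and scavenger (CS1)
    sample = [(DSCP_EF, 200), (DSCP_AF41, 1200), (0, 1500), (DSCP_CS1, 500)]
    for level in ("Platinum", "Silver"):
        print(level, queue_distribution(sample, level))
```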
Cisco Wireless Application Control: AVC provides Layer 7 policies per user (by device type and user role)
Application priority:
• Real-time applications (business): High
• Non-real-time applications (business): Normal
• Casual applications: Low
• Malicious applications: Drop
User role priority (by application and device):
• Exec: High
• Employee: Normal
• Contractor: Low
Available in AireOS Version 8.0 (NEW in 8.0)
Cisco Wireless Bonjour Services Control: Bonjour Gateway provides services policies per user
User role and Bonjour service access:
• Exec and Employee: AirPlay and AirPrint access is permitted
• Contractor: AirPlay access is denied
Cisco BYOD Policy Elements
• VLAN
• Quality of Service (QoS)
• Access Control List (ACL)
• URL Redirect
• CoA
• Application Control (AVC): NEW in 8.0
• Bonjour Service Policy: NEW in 8.0
Available in AireOS Version 8.0
BYOD with ISE (Identity Services): BYOD Policy Elements
Cisco BYOD Device Policy Steps
• Phase 1: Authentication (EAP; client supplicant, WLC, ISE)
• Phase 2: Device / user identification (MAC, DHCP, DNS, HTTP; ISE). Allowed device?
• Phase 3: Posture assessment, MDM, lost device containment (ISE)
• Phase 4: Device policy enforcement (WLC). Allowed access, e.g. Silver QoS, Allow-All ACL, Employee VLAN, Block YouTube AVC; otherwise Internet-only
ISE Device Profiling Example: iPad
• Once the device is profiled, it is stored within the ISE for future associations.
• Is the MAC address from Apple? Does the hostname contain "iPad"? Is the web browser Safari on an iPad? If so, the device is profiled as an Apple iPad.
Client Attributes Used for ISE Profiling: How RADIUS, HTTP, DNS and DHCP (and Others) Are Used to Identify Clients
• The ISE uses multiple attributes to build a complete picture of the end client's device profile.
• Information is collected from sensors which capture different attributes. The ISE can even kick off an NMAP scan of the host IP to determine more details.
1. RADIUS: provides the MAC address, which is checked against the known vendor OUI database.
2. DHCP/HTTP sensor: the client's DHCP/HTTP attributes are captured by the AP and provided in RADIUS Accounting messages.
3. DNS: a lookup of the DNS entry for the client's IP address on the DNS server reveals the hostname.
4. HTTP User-Agent: the device is redirected using a captive portal to the ISE for web browser identification.
ISE Device Profiling Capabilities: Over 200 Built-in Device Policies, Defined Hierarchically by Vendor
• Device categories such as smart phones, gaming consoles and workstations
• Multiple rules establish a confidence level; a minimum confidence is required for a match
Defining a BYOD Policy Within ISE
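The hierarchical, confidence-scored matching described on the two profiling slides above, as an added Python example (not from the deck, not ISE code): each policy has a parent, weighted rules over the attributes the sensors collect (MAC OUI, DHCP hostname, HTTP User-Agent, DNS name) and a minimum certainty, and classification only descends into a child that reaches its minimum. The policy names, rule weights, OUI table and endpoint attributes are constructed for the example; a real deployment uses the IEEE OUI registry and ISE's own policy library.

```python
"""Hierarchical device profiling with confidence scoring (added example, not
ISE code). Each policy has a parent, weighted rules over the attributes the
sensors collected (MAC OUI from RADIUS, DHCP hostname, HTTP User-Agent, DNS
name) and a minimum certainty. Classification walks the hierarchy from the
root and only descends into a child that reaches its minimum. The OUI table,
policies and endpoints are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Endpoint:
    mac: str
    dhcp_hostname: str = ""
    http_user_agent: str = ""
    dns_name: str = ""


# Constructed OUI-to-vendor table; a deployment uses the IEEE registry
OUI_VENDOR = {"00:00:AA": "Apple", "00:00:BB": "Dell", "00:00:CC": "Samsung"}


def oui_vendor(mac):
    return OUI_VENDOR.get(mac.upper()[:8], "Unknown")


@dataclass
class Policy:
    name: str
    parent: str                     # "" for a root policy
    min_certainty: int
    rules: List[Tuple[int, Callable[[Endpoint], bool]]] = field(default_factory=list)


POLICIES = [
    Policy("Apple-Device", "", 10, [
        (10, lambda e: oui_vendor(e.mac) == "Apple")]),
    Policy("Apple-iPad", "Apple-Device", 20, [
        (10, lambda e: "ipad" in e.dhcp_hostname.lower()),
        (10, lambda e: "ipad" in e.dns_name.lower()),
        (20, lambda e: "iPad" in e.http_user_agent)]),
    Policy("Apple-iPhone", "Apple-Device", 20, [
        (10, lambda e: "iphone" in e.dhcp_hostname.lower()),
        (20, lambda e: "iPhone" in e.http_user_agent)]),
    Policy("Windows-Workstation", "", 10, [
        (10, lambda e: "Windows NT" in e.http_user_agent),
        (5, lambda e: oui_vendor(e.mac) == "Dell")]),
]


def certainty(policy, endpoint):
    return sum(weight for weight, rule in policy.rules if rule(endpoint))


def profile(endpoint, policies=POLICIES):
    """Returns (profile name, certainty); 'Unknown' when no root policy matches."""
    by_name = {p.name: p for p in policies}
    parent, matched, score = "", "Unknown", 0
    while True:
        candidates = [(certainty(p, endpoint), p.name)
                      for p in policies if p.parent == parent]
        candidates = [c for c in candidates if c[0] >= by_name[c[1]].min_certainty]
        if not candidates:
            return matched, score
        score, matched = max(candidates)       # best child; descend from it
        parent = matched


def classify(endpoint, store):
    """Profile once and keep the result keyed by MAC for future associations."""
    key = endpoint.mac.upper()
    if key not in store:
        store[key] = profile(endpoint)
    return store[key]


if __name__ == "__main__":
    known = {}
    ipad = Endpoint("00:00:aa:11:22:33", "Alices-iPad",
                    "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51 Safari/9537.53")
    print(classify(ipad, known))
```

A hostname containing "ipad" on a non-Apple OUI stays Unknown, because the child rule is never evaluated unless the parent policy has reached its own minimum certainty; that is what keeps a single spoofable attribute from deciding the profile on its own.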
ISE Authentication Sources
• Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP and RSA SecurID.
• The local database on the ISE itself can also be used for small deployments.
• User and/or machine authentication: the credential (user/password such as user1 / C#2!ç@_E(, a certificate, or a token) is carried over EAPoL to the controller and over RADIUS to ISE, which checks it against the backend database(s): Active Directory, generic LDAP or PKI; RSA SecurID; local DB.
Steps for Configuring ISE Policies (BYOD Policy Elements)
1. Authentication rules: define what identity stores to reference. Example: Active Directory, CA server or internal DB.
2. Authorization rules: define what users and devices get access to resources. Example: all employees with Windows laptops have full access.
Authentication Rules: Example for PEAP and EAP-TLS
1. Reference Active Directory for PEAP authentication.
2. Create another profile to reference the certificate store.
Authorization Rules Configuration: Flexible Conditions Connecting Both User and Device
Policy authorization (simple):
1. Specific device type groups (such as Workstations or iPods) can be utilized.
2. Active Directory groups can be referenced.
3. The authorization rule results in attributes to enforce policy on end devices.
Authorization Rule "Results": The Actual Permissions Referenced by the Authorization Rules
• The authorization rules provide a set of conditions to select an authorization profile.
• The profile contains all of the connection attributes including VLAN, ACL and QoS.
• These attributes are sent to the controller for enforcement, and they can be changed at a later time using CoA (Change of Authorization).
1. Simple VLAN override by specifying the tag.
2. All WLC attributes are exposed to override.
Authorization Rule "Results": The Application and Bonjour Profile Referenced in the Authorization Profile
WLC attributes for AVC and Bonjour policy override (available in AireOS Version 8.0): URL Redirect, VLAN, Quality of Service (QoS), Access Control List (ACL), Application Control (AVC; NEW in 8.0), Bonjour Service Policy (NEW in 8.0)
BYOD Device Provisioning
Putting the End User in Control: Simplified On-Boarding for BYOD
• Device onboarding: certificate provisioning, supplicant provisioning
• Self-service model: iOS, Android, Windows, Mac OS; My Devices Portal
Apple iOS Device Provisioning (WLC, ISE, CA-Server)
1. Initial connection using PEAP
2. Device provisioning wizard (ISE and CA-Server)
3. Change of Authorization; future connections use EAP-TLS
Defining the Supplicant Provisioning Authorization Profile (URL Redirect)
1. Configure the redirect ACL on the WLC.
2. Choose "Supplicant Provisioning" for the redirect portal.
"My Devices" Portal: Self-Registration and Self-Blacklisting of BYOD Devices
1. New devices can be added with a description.
2. Devices can be marked lost by the user.
3. Lost devices can be blackholed using url-redirect.
Demo Video: www.youtube.com/watch?v=lgJCJNgFjEM
Ensuring Endpoint Compliance: Endpoint Health Assessment
Wired, wireless and VPN users that are non-compliant get temporary limited network access until remediation is complete.
Sample employee policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running
Challenge:
• Understanding health of device
• Varying level of control over devices
• Cost of remediation
Value:
• Temporal (web-based) or persistent agent
• Automatic remediation
• Differentiated policy enforcement based on role
MDM Integration
• Device attributes checked: ISE registered, MDM registered, PIN locked, encryption, jailbroken
Visibility with Prime Infrastructure and ISE Integration
1. Device identity from ISE integration, with policy information including the Windows AD domain
2. AAA Override parameters applied to the client
3. Both wired and wireless clients in a single list
Local Profiling on WLC
Build BYOD Policy: Flexible Options: Different Deployment Requirements for Different Environments
Controller + ISE (Identity Services Engine), Wireless BYOD. ISE consolidates the functions of ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server:
• Centralized policy
• RADIUS server
• Posture assessment
• Guest access services
• Device profiling
• Client provisioning
• MDM
• Monitoring, troubleshooting, reporting
Build BYOD Policy: Flexible Options: Local Profiling & Policy on WLC
• Policy elements: time of day, authentication, device type, user role
• Network components: WLC, RADIUS server (e.g. ISE Base, ACS); wireless only
• Policy enforced: VLAN, access list, QoS, services (Bonjour), application
WLC Native Profiling for BYOD Deployments
Components: Access Point, Wireless LAN Controller, RADIUS server (Unified Access Management); VLAN 10 and VLAN 20.
1. Identity
2. Profiling to identify device: personal or corporate
3. Auth-type
4. Time
5. User role
6. Policy decision: corporate resources or Internet only; enforcement: ACL, VLAN, QoS, application, Bonjour
Configuring User-Role
• The RADIUS server returns the user role to the controller as a privilege attribute, e.g. role=Employee or role=Contractor.
Native Device Profiling on WLC (Device Type)
Cisco WLC configuration:
• Step 1: Enable DHCP and HTTP profiling on the WLC
• Step 2: 156 pre-defined device signatures
• Step 3: Create the device profiling policy
Native Profiling: Authentication and Time Policy
• Authentication: wireless client authentication EAP type (LEAP, EAP-FAST, EAP-TLS, PEAP)
• Time of day: active hours for the policy (time-based policy)
Enforce Policy on the WLC
Enforced policy: ACL*, VLAN, QoS*, session timeout, application control, mDNS policy
* Supported in FlexConnect mode
Applying Native Profiling Policy per WLAN / AP Group
• Restriction: the first matched rule applies
• A maximum of 16 policies can be created per WLAN / AP group and 64 globally
• Native profiling per WLAN; native profiling per AP group
Required Network Components and Versions (For Your Reference)
Cisco Wireless LAN platforms: 5508 / WiSM2, 7500, 2500, 8500, Unified Access (5760/3850), 440x/WiSM1, 210x
• OS version (by platform): AireOS 7.2.x onwards; AireOS 7.3.x onwards; IOS XE 3.2.2 onwards; AireOS 7.0.116 onwards
• CoA support: 802.1x and L3 Web-auth WLAN; 802.1x WLAN only
• Access point mode for profiling and posture: Local and FlexConnect mode; Local mode only
• Limited profiling and policy on WLC: AireOS 7.5 onwards*; N/A
• Extra license: none
Identity Services Engine: version 1.1.1 onwards; licenses for onboarding, profiling, posture and MDM: Advanced / Wireless License
*FlexConnect mode: no WLC BYOD support for local auth on the AP
Beyond BYOD: The Optimized Experience for Every Workspace
• BYOD: device onboarding and network access; unified BYOD policy
• Beyond BYOD: application experience; simplified operations
Application Visibility and Control (AVC)
What is the Need for AVC? (Devices and apps: visibility, control, plan)
• Who are the top 10 users?
• What are the top 10 applications?
• How much traffic is BYOD generating on my network?
• Is someone running BitTorrent and bringing down my business applications?
• Should I add more APs to enhance the capacity?
What is Application Visibility & Control on Wireless Controllers?
• NBAR2 library: deep packet inspection classifies traffic (real time, interactive, non-real time, background)
• NetFlow (static template) provides flow export to Cisco Prime (troubleshooting, capacity planning, compliance) or to a third-party NetFlow collector
• Policy: packet mark and drop
How Does AVC Classify Applications: Cisco Jabber
• Deep packet inspection yields three classification flows for Cisco Jabber: Cisco Jabber Video, Cisco Jabber Audio, Cisco Jabber Control
• Different policies for different components of a Jabber session
Demo Video: www.youtube.com/watch?v=1kt2hvo4UL4
Enabling Application Visibility and Control: AVC is enabled per WLAN to allow deep packet inspection
1. Change the QoS level to reflect the highest application level for that SSID
2. Enable Application Visibility
3. Ensure WMM is set to "Allowed" or "Required"
Basic Application Visibility Added on the Controller Home Screen
• Top applications are shown sorted by bytes
• Use "Monitor" -> "Applications" to view more statistics
Viewing Real-Time Statistics: Use for Assessing Current Usage or Troubleshooting
• Real-time stats (last 90 seconds): application usage displayed by % of total bytes for the last 90 seconds
• Average packet size, to see small vs. large packet flows
• Real-time QoS markings: DSCP marking per client (last 90 seconds)
Viewing Historical Statistics: Use for Assessing Overall Usage
• Cumulative statistics: application usage displayed by % of total bytes
• Total bytes transferred: useful for tracking down bandwidth hogs
Application Control: Control Application Usage and Performance
Control levels: High, Medium, Low
• AVC Profile: Mark Citrix
• AVC Profile: Rate Limit Facebook
• AVC Profile: Drop BitTorrent
AVC Configuration for AAA Override: Example, Teacher and Student
Applying AVC Profiles (For Your Reference)
1. Create an AVC profile for applications at Wireless > AVC (a maximum of 32 rules can be created per AVC profile)
2. Apply the AVC profile to the WLAN
3. Apply the AVC profile per client using AAA Override (RADIUS server), or per client using local profiling on the WLC (NEW in 8.0)
NBAR2: Regular Updates, In-Service Application Definition Update
• Standard Protocol Pack: includes only a subset of protocols; no support for traffic categorization and attributes; available (as default protocol pack) in the IP Base image; no periodic releases and SLA
• Advanced Protocol Pack: includes all supported protocols / applications; supports traffic categorization and attributes; available (as default protocol pack) in the DATA image; periodic releases and offers SLA
Protocol Pack (Protocol 1, Protocol 2, ..., Protocol n) for NBAR2:
• PP X (Major): ~10 protocols, updates and fixes
• PP X.1 (Minor): bug fixes, small updates
• PP Y (Major): ~10 protocols, updates and fixes
• PP Y.1 (Minor): bug fixes, small updates
PP 6.3 available
NBAR2 Protocol Pack Example
• Add new applications recognized by NBAR2 without a WLC reload
• A new protocol pack is published every two months on CCO
• A single CLI command enables the protocol pack
Application Visibility at Cisco Prime
Application filter / visibility per: SSID, client, building, floor, device (AP/controller)
Application-based reporting; wired, or wired with third-party NetFlow (Plan)
Application Visibility with 3rd Party Vendors
• Using NetFlow exports, third-party tools like Plixer Scrutinizer can visualize the data and track it historically.
• Custom reports in this 3rd-party tool allow viewing of upstream and downstream flows as well as client DSCP markings.
Cisco Wireless NetFlow Record: Visibility
What applications, how much bandwidth, flow direction? (NetFlow and NBAR2)
Record fields: client MAC, access point MAC, before-AVC DSCP, after-AVC DSCP, SSID, application tag, client IP, packet count, octet count
• NetFlow v9 monitors data from layer 2 through 7
• Determines applications by a combination of port and payload
• Flow information contains client, wireless infrastructure, application, QoS marking and bandwidth detail
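Reporting over records with the fields just listed, as an added Python example (not from the deck, not Cisco code): it answers the questions the AVC slides pose (top applications and users by bytes, share of total bytes, average packet size, and which flows AVC re-marked). The records, MACs, addresses and counts are constructed; a real collector would decode them from the NetFlow v9 export.

```python
"""Reporting over wireless NetFlow / AVC records (added example, not Cisco
code). The records below are constructed with the fields listed on the slide
(client MAC, AP MAC, SSID, application tag, client IP, DSCP before and after
AVC, packet and octet counts) and answer the questions the AVC slides ask:
top applications and users by bytes, share of total traffic, average packet
size, and which flows AVC re-marked."""
from collections import defaultdict

RECORDS = [   # constructed sample export, one flow per record
    {"client_mac": "aa:aa:aa:00:00:01", "ap_mac": "bb:bb:bb:00:00:01", "ssid": "corp",
     "app": "citrix", "client_ip": "10.1.1.11", "dscp_before": 0, "dscp_after": 26,
     "packets": 1000, "octets": 800_000},
    {"client_mac": "aa:aa:aa:00:00:02", "ap_mac": "bb:bb:bb:00:00:01", "ssid": "byod",
     "app": "bittorrent", "client_ip": "10.1.2.12", "dscp_before": 0, "dscp_after": 0,
     "packets": 4000, "octets": 5_200_000},
    {"client_mac": "aa:aa:aa:00:00:01", "ap_mac": "bb:bb:bb:00:00:01", "ssid": "corp",
     "app": "jabber-audio", "client_ip": "10.1.1.11", "dscp_before": 46, "dscp_after": 46,
     "packets": 6000, "octets": 1_200_000},
    {"client_mac": "aa:aa:aa:00:00:03", "ap_mac": "bb:bb:bb:00:00:02", "ssid": "byod",
     "app": "youtube", "client_ip": "10.1.2.13", "dscp_before": 0, "dscp_after": 0,
     "packets": 2000, "octets": 2_800_000},
]


def octets_by(records, key):
    """Sum octets per value of `key` (e.g. 'app', 'client_mac', 'ssid')."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key]] += rec["octets"]
    return dict(totals)


def top_n(records, key, n=10):
    """Top talkers by bytes: answers 'top 10 users' / 'top 10 applications'."""
    return sorted(octets_by(records, key).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def share_percent(records, key):
    """Percentage of total bytes per value, as on the historical-statistics view."""
    totals = octets_by(records, key)
    grand = sum(totals.values())
    if grand == 0:
        return {k: 0.0 for k in totals}
    return {k: round(100.0 * v / grand, 1) for k, v in totals.items()}


def avg_packet_size(records):
    """Octets per packet per application: separates small (voice) from large flows."""
    octets, packets = defaultdict(int), defaultdict(int)
    for rec in records:
        octets[rec["app"]] += rec["octets"]
        packets[rec["app"]] += rec["packets"]
    return {app: round(octets[app] / packets[app]) for app in octets if packets[app]}


def remarked_flows(records):
    """Flows whose DSCP changed after AVC policy: (client, app, before, after)."""
    return [(r["client_mac"], r["app"], r["dscp_before"], r["dscp_after"])
            for r in records if r["dscp_before"] != r["dscp_after"]]


if __name__ == "__main__":
    print(top_n(RECORDS, "app"))
    print(share_percent(RECORDS, "app"))
    print(avg_packet_size(RECORDS))
    print(remarked_flows(RECORDS))
```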
NetFlow Collection and Export Configuration (For Your Reference)
• The WLC collects application bandwidth and exports it (NetFlow v9) to the management / reporting tool for reporting (Plan)
• Create the NetFlow monitor and exporter at Wireless > Netflow
• Apply the NetFlow monitor per WLAN
Application Visibility and Control Verification: Application Control Tested
• Citrix video streaming quality improves by 55%
• Microsoft Lync voice MOS score rises to 4.20
• Background traffic using Windows file sharing drops by 74%
Download: http://dcc.syr.edu/PDF/Cisco-AVC-Application-Improvement-Report-Feb-2013.pdf
Bonjour Services Gateway
Bonjour Protocol
• The Bonjour protocol helps Apple devices discover services
• Uses the mDNS protocol to advertise and discover services
• Link local: does not cross subnets (services and clients on VLAN 10 and VLAN 20)
Bonjour Challenges across VLANs
• Bonjour is link-local multicast and can't be routed: an Apple TV on VLAN Y is not discoverable from clients on VLAN X across the AP, CAPWAP tunnel, WLC and router
• Bonjour is link-local multicast and thus forwarded on the local L2 domain
• mDNS operates at UDP port 5353 and is sent to the reserved group addresses: IPv4 group address 224.0.0.251; IPv6 group address FF02::FB
Apple TV Bluetooth Discovery Process
1. Enable Wi-Fi and make sure it is routable to the Apple TV subnet
2. iDevices discover Apple TVs in Bluetooth range (40 feet)
3. iDevices can start mirroring
• Bluetooth is used only to discover Bonjour AirPlay services
• Does not apply for AirPrint, Backup, AirDrop etc.
Apple TV Bluetooth Discovery: Implications on Wi-Fi
Wi-Fi interference:
• Apple TVs add a new set of Bluetooth interfering devices on the network
• A congested 2.4 GHz spectrum makes Bluetooth discovery slow and unreliable
• No Bluetooth discovery for Mac OS X
Bonjour policy control:
• A student can discover the Apple TV and gain AirPlay access (student vs. teacher)
• The password mechanism lacks role-based policy control
Bonjour mDNS Gateway on Cisco WLC
Topology: Apple TV (AirPlay offered) and wired AirPrinter (AirPrint offered) behind the switch, iPad behind the AP and the CAPWAP tunnel to the WLC; VLANs 20, 23 and 99.
Step 1: Listen for Bonjour services. The Bonjour advertisements (AirPlay offered, AirPrint offered) reach the controller.
Step 2: Bonjour services are cached on the controller. Bonjour cache: AirPlay on VLAN 20, AirPrint on VLAN 23.
Step 3: Listen for client service queries. The iPad sends a Bonjour query: "Is AirPlay offered?"
Step 4: Respond to client queries (unicast) for Bonjour services. Bonjour response from the controller: "AirPlay is available on VLAN 20."
Bonjour Traffic Optimization
• 80% less Bonjour traffic*, 100% less Bonjour multicast traffic* (*for a 4 access point deployment)
• Reason for the traffic optimization: the Bonjour service query is cached on the controller and not forwarded; the Bonjour client query gets a unicast response and is not forwarded
• 6400 entries per controller (Bonjour cache: AirPrint on VLAN 23, AirPlay on VLAN 20)
Filter Services by WLAN and VLAN
• A single SSID (WLC, AP) with a services directory: the contractor network gets the contractor service policy and the employee network gets the employee service policy (e.g. FileShare).
AirPlay
Bonjour Policy Example for Education using v8.0
Teacher Network
mDNS Service Instances GroupsStudentNetwork
AirPrint AirPlay FileShare
Teacher Service Profile
AirPlay FileShare
StudentService Profile
iTunesSharing
Apple TV1 Apple TV1
Apple TV2
AirPrint
Teacher Service Instance List
Student Service Instance List
NEW
in 8.0
Bonjour Policy enhancements in v8.0
• Location and Role filtering in release v8.0
• Bonjour Policies allow creation of the mDNS Service Groups and Service Instances within the Group
• A Service Instance mandates how the service instance is shared by configuring:
  o MAC address of the Service Instance
  o Name of the Service Instance
  o Location Type of the Service Instance by AP Group, AP Name or AP Location
  o Location configuration, which defines from which client location the "service instance" can be accessed
• Location configuration is applied to wired and wireless instances of all services and printers as Any, Same or one AP Name. This allows selective sharing of service instances based on the location and the rule (user-id and role) on the same WLAN
Bonjour Policy Configuration
[Screenshot: configure Service Instances in the mDNS group, and the role]
Bonjour Policy enhancements in v8.0
• A Service Instance associated with a MAC address can be configured in multiple service groups. Currently a maximum of 5 service groups is supported for a single MAC address. Service group configuration can be done even when mDNS snooping is disabled. The number of Service Instances per Service Group is limited by the platform (i.e. 6400 on the 5508).
• Location filtering of a Service Instance can be limited by the following attributes:
  – "any" – clients from any location can access the service, subject to the role and user-id credentials being allowed by the policy associated with the service group for the said MAC address.
  – "same" – only clients from the same location as the device publishing the service can access that Service Instance.
  – "ap-name" – only clients associated to that AP can access the Service Instance.
Bonjour Policy enhancements in v8.0
• Allows articulating with whom a "service instance" is shared (i.e. user-id) and with which role(s) it is shared (i.e. teacher or student)
• With the Bonjour access policy there are now two levels of filtering of client queries:
  1. At the service type level, using the mDNS profile. The mDNS profile can be user specific and can be overridden by an ISE "av-pair" returned to the WLC, which overrides the default profile
  2. At the Service Instance level, using the access policy associated with each Service Instance.
Note: Service Instances which are not configured with any access policy are mapped to the default access policy, which allows the configured <roles/names> to receive the service instances
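The gateway behaviour from Steps 1–4 and the v8.0 two-level filtering described on the preceding slides (service-type filter by the WLAN's mDNS profile, then per-instance location and role policy), as an added Python model. This is example code, not Cisco's WLC implementation; all MACs, VLANs, AP names and AP groups in it are constructed, and the AP group stands in for the slide's "location".

```python
# Added example, not code from the Cisco deck: a Python model of the WLC Bonjour
# gateway cache and the v8.0 two-level query filtering. All MACs, VLANs, AP names
# and AP groups are constructed samples; the AP group stands in for "location".
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceInstance:
    service: str                    # service type, e.g. "AirPlay"
    mac: str                        # MAC of the advertising device (policy key)
    vlan: int                       # VLAN the advertisement was snooped on
    ap_name: str                    # AP the device sits behind
    ap_group: str                   # AP group (location) of the device
    location: str = "any"           # "any", "same" or "ap-name"
    roles: frozenset = frozenset()  # empty = default policy, no role restriction
@dataclass(frozen=True)
class Client:
    role: str
    ap_name: str
    ap_group: str
    mdns_profile: frozenset         # service types allowed by the WLAN's profile

class BonjourGateway:
    def __init__(self, max_entries=6400):       # 6400 entries per controller
        self.cache, self.max_entries = {}, max_entries  # (service, mac) -> inst
    def learn(self, inst):
        # Steps 1-2: cache the snooped advertisement; it is not forwarded.
        key = (inst.service, inst.mac)
        if key not in self.cache and len(self.cache) >= self.max_entries:
            return False                        # cache full: advertisement dropped
        self.cache[key] = inst
        return True
    def query(self, client, service):
        if service not in client.mdns_profile:  # level 1: WLAN mDNS profile
            return []
        return sorted(i.mac for i in self.cache.values()   # steps 3-4: unicast
                      if i.service == service and self._permitted(client, i))
    @staticmethod
    def _permitted(client, inst):
        # Level 2: per-instance access policy by location, then by role.
        here = {"any": True, "same": client.ap_group == inst.ap_group,
                "ap-name": client.ap_name == inst.ap_name}[inst.location]
        return here and (not inst.roles or client.role in inst.roles)

def demo():  # constructed teacher/student scenario, as in the deck's example
    gw, T, TS = BonjourGateway(), frozenset({"teacher"}), frozenset({"teacher", "student"})
    gw.learn(ServiceInstance("AirPlay", "00:00:5e:00:53:01", 20, "AP1", "A", "same", T))
    gw.learn(ServiceInstance("AirPlay", "00:00:5e:00:53:02", 20, "AP2", "B", "ap-name", TS))
    gw.learn(ServiceInstance("AirPrint", "00:00:5e:00:53:03", 23, "AP1", "A"))
    teacher = Client("teacher", "AP1", "A", frozenset({"AirPlay", "AirPrint"}))
    student = Client("student", "AP2", "B", frozenset({"AirPlay"}))
    return (gw.query(teacher, "AirPlay"), gw.query(student, "AirPlay"),
            gw.query(student, "AirPrint"))
```

In demo(), the teacher at AP1 sees only the Apple TV shared with the "same" location, the student at AP2 sees only the one pinned to "ap-name" AP2, and the student's AirPrint query is dropped at level 1 because the student WLAN profile does not allow that service type.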
Location Specific Service for Bonjour
With LSS, Bonjour services can be location specific; localization can be configured per service.
[Diagram: Apple services behind mDNS APs reach the WLC's Bonjour Services Directory over CAPWAP tunnels.]
Enable Bonjour for Remote VLAN: mDNS AP
With mDNS-AP, Bonjour services can be seen from a remote VLAN.
[Diagram: an Apple TV on a remote VLAN (VLAN X) behind a remote switch; an mDNS AP in trunk mode picks up its mDNS advertisements (224.0.0.251) and carries them over the CAPWAP tunnel to the WLC's Bonjour Services Directory. WLC, AP and switch sit on VLAN Y.]
Google ChromeCast With Cisco Wireless LAN Controllers
• ChromeCast Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/chromecastDG76/ChromecastDG76.html
How Does Google ChromeCast Work?
[Diagram: 1. Services Discovery Request sent to multicast 239.255.255.250; 2. Unicast Response with the IP address of the service.]
AVC and Bonjour Gateway Network Requirements
For Your Reference
Cisco Wireless LAN (platforms: 5508 / WiSM2, 7500, 8500, 2500)
• AVC: AireOS 7.4 onwards
• Access Point Mode for AVC: Local Mode Only
• AVC Protocol Pack Update: AireOS 7.5 onwards
• Bonjour Gateway: AireOS 7.4 onwards
• Bonjour Location Specific Service: AireOS 7.5 onwards
• mDNS AP feature: AireOS 7.5 onwards
• Access Point mode for Bonjour Gateway: Local Mode Only
• Extra License: None
Network Management (Cisco Prime)
• Performance Collection: Flexible Netflow
• License: Prime Assurance
NBAR2 Limitations on WLC:
• When an AP is in FlexConnect mode, NBAR is not supported
• IPv6 traffic cannot be classified
• Not supported by the vWLC or WLC on SRE
Summary: Managing Policies for BYOD Network
[Diagram: Personal Devices on Network (Wireless, Wired, Remote Access) → Securely Board the Device → Application Experience → Simplified Bonjour Operations. Network components: ISE, Prime; 3rd Party MDM (optional).]
Participate in the "My Favorite Speaker" Contest
Promote Your Favorite Speaker and You Could be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include:
  – Your favorite speaker's Twitter handle <Speaker – enter your twitter handle here>
  – Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your "favorite" speakers
• Don't forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos
• Labs
• Lunch
• Topics
• Final copy TBD
Configurations for Your Reference
Steps for Integrating the Controller and ISE
For Your Reference
1. Configure WLAN for 802.1X Authentication
   • Configure RADIUS Server on Controller
   • Set up WLAN for AAA Override, Profiling and RADIUS NAC
2. Configure ISE Profiling
   • Enable profiling sensors
3. Set up Access Restrictions
   • Configure ACLs to filter and control network access.
Configuring ISE as the Authentication Server and Accounting Server
For Your Reference
1. Enable "RFC 3576" to support Change of Authorization
2. Add to Accounting Servers to receive session statistics
Configuring the WLAN for Secure Connectivity: Enabling Secure Authentication and Encryption with WPA2-Enterprise
For Your Reference
1. WPA2 Security with AES Encryption
2. Assign RADIUS Server per WLAN
Setting the WLAN QoS Level for Override
For Your Reference
Using WMM, the QoS Level is based on the marking of the packet.
• If WMM is set to Allowed, the Quality of Service configuration serves as a limit for the entire SSID.
• Ensure all controller uplinks, media servers and Access Points have proper Quality of Service trust commands in IOS.
1. This acts as an upper limit, or ceiling, for the WLAN's QoS configuration
Configuring the WLAN for ISE Identity-based Networking Cont’d
For Your Reference
1. Allow AAA Override to permit ISE to modify user access permissions
2. Enable RADIUS NAC to allow ISE to use Change of Authorization
3. Enable RADIUS Client Profiling to send DHCP and HTTP attributes to ISE
Configuring the Controller ACL
For Your Reference
1. This ACL will be referenced by name by the ISE to restrict the user.
2. Use the ISE server's IP address to allow only traffic to that site.
Configuring ISE Profiling Sensors
For Your Reference
• Profiling relies on a multitude of "sensors" to assess the client's device type.
• Profiling can always be achieved through a SPAN port; more efficient profiling is achieved through sensors which selectively forward attributes.
• For DHCP Profiling:
  – Option A: Use v7.2 MR1 code to send DHCP attributes in RADIUS accounting messages.
  – Option B: Use Cisco IOS "ip helper" addressed to ISE on switches adjacent to the WLC.
• For HTTP Profiling:
  – Use the Web-Authentication redirect to get the HTTP user agent.
Steps for Configuring Device Provisioning
For Your Reference
1. Configure Integration with External CA Server
   • Define SCEP URL and certificates.
   • Example – Active Directory, CA Server or Internal DB.
2. Define Supplicant Provisioning Profile
   • Define what security and EAP type is deployed to end devices.
Configuring SCEP Integration on the ISE: The ISE Must Point to the SCEP Server and Have a Valid Certificate Signed by the CA
For Your Reference
1. Configure the SCEP URL pointing to the Microsoft Windows 2008 Server or other CA
2. Request a certificate for the ISE from the CA Server
Configuring Certificates on the ISE: Certificates are Used for HTTPS and EAP Connections
For Your Reference
1. The Web Server certificate can be the same as, or different from, the EAP/RADIUS certificate
2. Use the certificate from your CA Server for EAP Authentication
Configuring the Web-Authentication Redirect ACL
The ACL is used in HTTP Profiling as well as Posture and Client Provisioning.
For Your Reference
1. This ACL will be referenced by name by the ISE to restrict the user.
2. Use the ISE server's IP address to allow only traffic to that site.
Defining the Supplicant Provisioning Authorization Profile
For Your Reference
1. Configure Redirect ACL on WLC
2. Choose "Supplicant Provisioning" for the Redirect Portal
BYOD configuration for Unified Access
Unified Access BYOD Config
For Your Reference
[Screenshot: Change of Authorization (CoA) and Network Access Control settings]
Steps for AVC configuration
For Your Reference
Configure AVC policy and Netflow
• Define AVC profile and apply to WLAN.
• Define Netflow export profile and apply to WLAN.
Update NBAR2 protocol pack
• Steps to update protocol pack on controller.
Applying AVC Profiles: Create AVC Profile for Applications at Wireless > AVC
For Your Reference
• Apply AVC Profile to WLAN
• A maximum of 32 rules can be created per AVC Profile
Netflow Collection and Export Configuration
For Your Reference
The WLC collects application bandwidth and exports it (NFv9) to a management tool for reporting.
[Diagram: WLC → Netflow Collection & Exporting → Reporting Tools (Plan)]
• Create Netflow Monitor and Exporter at Wireless > Netflow
• Apply Netflow monitor per WLAN
AVC: Steps updating AVC Protocol Pack
For Your Reference
• A Protocol Pack allows adding more applications without upgrading or reloading AireOS
• NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
• Protocol Packs are released for a specific NBAR Engine – the AireOS 7.5 WLC has NBAR Engine 13 (the protocol pack will be pp-adv-asr1k-152-4.S-13-3.0.0.pac)
Steps for Bonjour configuration
For Your Reference
Bonjour Profile
• Steps to configure mDNS profile
• Steps to apply the mDNS profile per interface.
Location specific Bonjour Service
• Steps to enable location specific services on controller
Remote VLAN Bonjour Service
• Steps to discover Bonjour service on remote VLAN by enabling mDNS AP
Bonjour Gateway Services filter
For Your Reference
• mDNS Profile for Employee
• Enable mDNS globally / add services
• A maximum of 64 services can be enabled
Applying the Bonjour Gateway Profile
For Your Reference
Controlling the Bonjour Gateway Profile per Interface (WLAN, VLAN)
Bonjour: Steps Configuring LSS service from CLI
For Your Reference
1. Once the basic Bonjour gateway setup is configured, LSS can be enabled from the WLC CLI; LSS is disabled by default on the WLC.
2. Configure LSS services from the CLI:
   (WLC) >config mdns service lss <enable / disable> <service_name/all>
Bonjour: Configure mDNS-AP from CLI
For Your Reference
1. Configure the switch port for the mDNS-AP in trunk mode or access mode
2. Configure mDNS-AP in Trunk Mode or Access Mode:
   (WLC) >config mdns ap enable/disable <APName/all> vlan <vlan-id>
   (WLC) >config mdns ap vlan add/delete <vlanid> <AP Name>
   (WLC) >config mdns ap enable/disable <APName/all>   (no VLAN config in Access Mode)