Cisco 5500 Series Wireless Controllers

Introduction

Cisco Prime Network Control System (NCS) is the next generation of Cisco network management platform for managing wired/wireless access networks.

WLAN Lifecycle Management: Comprehensive WLAN Lifecycle Management includes a full range of planning, deployment, monitoring and troubleshooting, remediation and optimization.

• Planning—Built-in planning and design tools simplify defining access point placement and coverage. Additionally, information from third-party site survey tools can be imported into Cisco NCS to aid in WLAN design and deployment.

• Deployment—A broad set of integrated controller and access point configuration templates deliver quick and cost-effective deployments. Network auditing is supported for effective configuration management. NCS also provides tools to aid in monitoring, upgrading, and migrating Cisco Aironet standalone (autonomous) access points to operate as lightweight access points and run CAPWAP. Role-based access control provides flexibility to segment the wireless network into one or more virtual domains controlled by a single Cisco NCS platform.

• Monitoring and Troubleshooting—Centralized monitoring of the entire WLAN helps maintain robust WLAN performance and an optimal wireless experience. Cisco CleanAir provides detailed information about RF interference events, air quality, and interference security threats to help more efficiently assess, prioritize, and manage RF interference issues. Easy-to-use graphical displays serve as a starting point for maintenance, security, troubleshooting, and future capacity planning. Graphs, charts, and tables are interactive for quick configuration and reconfiguration. Hierarchical mapping trees, color-coding, and icons support quick visualization and status assessments of the network, devices, and air quality. Ever-present alarm summary provides robust fault, event, and alarm management. Persistent search tool facilitates cross-network access to immediate and historic information about devices and assets located anywhere in the access network, including endpoint and session attributes, association history, endpoint location, RF performance, statistics, radio resource management (RRM), and air quality. A built-in Client Troubleshooting tool provides a step-by-step method to analyze problems for all wired and wireless client devices. This robust client troubleshooting tool helps reduce operating costs by speeding the resolution of trouble tickets for a variety of Wi-Fi client device types.

The Role of NCS in the Network

This figure depicts Cisco wireless network architecture with Cisco Prime NCS. The interactions between the various network elements, which are wireless LAN controller, AP, Cisco Catalyst switch, Mobility Services Engine, Network Control System, client network management station, and third-party application.

Ports Used by NCS

Device Support and Software Versions

* - supported controller software releases are listed in NCS Release Notes.

NCS has two deployment options:

1. hardware appliance

2. virtual appliance

The virtual appliance is an OVA file that can be deployed on VMware ESX/ESXi 4.x and 5.0. This table provides scale numbers for devices managed by NCS.

Note: Platform scale numbers for wireless LAN controllers (WLC;s) are max. scale. WLCs do not count against NCS license count.

This table lists the hardware requirements for the virtual appliance based on wired/wireless scale.

NCS Home Page

NCS 1.1 provides the ability to monitor IPv6 clients. A new home page dashlet, Client Count by IP Address Type, provides a visual indicator of clients based on IP address type. Not detected refers to clients whose IP address cannot be determined; typically wired clients in cases where IPv6 snooping is not available/supported on the device.

Browser Support

NCS 1.1 supports these browsers:

• Firefox 3.6 and later

• Google Chrome 12.0.742.x

• Microsoft Internet Explorer with Chrome plug-in

  Note: Native Internet Explorer is not supported.

This document provides architectural understanding and design guidance for NCS deployments.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the Cisco Prime NCS 1.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Installation

Physical Appliance: ISO Installation

NCS is available as both physical and virtual appliance. This section provides the steps to install ISO image on a physical appliance.

1. Download and burn ISO to DVD. ISO is posted on Download Software (registered customers only) . Use your Cisco.com username and password.

2. Install ISO. Reboot machine with ISO inserted. This window appears. Choose option 1 or 2, which depends on how you are connected to the appliance

   

3. Installation takes approximately 30 minutes to complete. After ISO image is installed, the server reboots. After your appliance reboots, go to the Physical/Virtual Appliance Setup section.

Virtual Appliance: VMware OVA Installation

Complete these steps in this section in order to deploy OVA in VMware ESX/ESXi 4.x. After OVA has been installed, continue with the Physical/Virtual Appliance Setup section. The time it takes to deploy varies based upon network connection speed to the ESX host.

Deploy OVA File. OVA is posted on Download Software (registered customers only) . Download the appropriate OVA based on the number of devices that is managed by this NCS server.

Use vSphere Client to install OVA

Complete these steps:

1. Launch VMware vSphere Client. Choose File > Deploy OVF Template.

   

   NCS VMware image is packaged as an OVA (open virtualization archive) file. The menu item in the previous screenshot is for an OVF template. An OVA is a collection of items in a single archive. These items typically consist of a virtual machine description file (*.ova), a manifest file (*.mf), and virtual hard drive file (*.vmdk).

2. Choose Browse and locate the NCS OVA file. Click Next.

   

3. After the OVA file is selected, VMware ESX/ESXi reads the OVA file attributes. Continue through the steps in order to chose the OVA file that you want to install in ESX/ESXi. In the Disk Format page, choose the Thick provisioned format option.

   

4. Summary page lists the options that were chosen. Click Next. NCS reboots. After the virtual machine has been built, it appears on the left-hand side of the window. In order to launch the virtual machine, choose it from the left-hand menu that lists the installed virtual machines and click the open console icon. At this point, NCS is installed as virtual machine. The rest of the setup steps are identical for a physical and virtual machine.

Physical/Virtual Appliance Upgrade

Complete these steps:

1. Obtain the url of the file location where the NCS upgrade image is stored on the server. Run these commands in order to upgrade the NCS installation:

   ncs1/admin# ncs stop
   Stopping Network Control System...
   This may take a few minutes...
   Network Control System successfully shutdown.

2. Once NCS has been stopped, enter configuration mode and place the file location URL into the repository:

   ncs1/admin# conf t
   Enter configuration commands, one per line.  End with CNTL/Z.
   ncs1/admin(config)# repository NCS58
   ncs1/admin(config-Repository)# url http://xxxx/sanity/1.X.X.10/wcs-cars-appbundle/
   ncs1/admin(config-Repository)# exit
   ncs1/admin(config)# exit

3. Verify that the repository accesses the file specified with the URL earlier:

   ncs1/admin# show repository NCS58
   ncs-upgrade-bundle-1.1.0.58.tar.gz

4. Run these commands in order to initiate the upgrade process from repository.

   ncs1/admin# application upgrade ncs-upgrade-bundle-1.1.0.58.tar.gz NCS58 
   Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
   Generating configuration...
   Saved the ADE-OS running configuration to startup successfully
   Initiating Application Upgrade...

5. A message should appear that indicates that the upgrade process is now complete.

Starting NCS

After the server reboots, log into system as admin using the password that you provided as part of setup step . After you have logged into the server, start the NCS server with the admin@ncs-server opt]# ncs start command.

Console messages indicate when NCS is running. Log into your NCS server via web browser as user root with the password you chose during the installation. The root password can be changed after you log into NCS through the browser login.

Migrating from WCS to NCS

You must upgrade their Cisco WCS server to one of these releases before you attempt to perform the migration process to NCS 1.1.x.x.

• 7.0.164.3

• 7.0.172.0

• 7.0.220.0

This section provides instructions for how to migrate the WCS on either a Windows or Linux server to NCS. The NCS release is a major release to provide for converged management of wired and wireless devices, and increased scalability. The NCS platform is based on Linux 64 bit OS, and the backend database is Oracle DBMS. The existing WCS platforms are either Windows or Linux 32 bit and the backend database is Solid DB.

Data Migration from WCS

Export Data from WCS

Export data from WCS 7.x through the CLI. The export userdata CLI command is available in WCS Release 7.x and later, which creates the .zip file that contains the WCS data file. The CLI does not provide any option to customize what can be exported; all non-global user-defined items are exported. Complete these steps in order to export WCS data:

1. Stop the WCS server.

2. Run the export command through the script file and provide the path and export filename when prompted.

3. For Linux, run the export.sh all /data/wcs.zip command. For Windows, run the export.bat all \data\wcs.zip command.

Migrating WCS Data to NCS

Complete these steps in order to migrate WCS data:

1. Place the WCS export .zip file (for example, wcs.zip) in a repository or folder (for example, repositories).

2. Log in as admin user and stop the NCS server by entering the ncs stop command. Configure the FTP repository on the NCS appliance with the repository command:

   ncs-appliance/admin#configure 
   ncs-appliance/admin(config)# repository ncs-ftp-repo 
   ncs-appliance/admin(config-Repository)# url ftp://209.165.200.227// 
   ncs-appliance/admin(config-Repository)# user ftp-user password plain ftp-user
   

   Note: Make sure the archived file is available with the show repository repositoryname command.

3. Enter the ncs migrate command in order to restore the WCS database.

   ncs-appliance/admin# ncs migrate wcs-data wcs.zip repository ncs-ftp-repo
   

4. By default, no WCS events are migrated. Enter the ncs start command in order to start the NCS server after the upgrade is completed. Log in to the NCS user interface with the root login and the root password.

   This data is not migrated from WCS to NCS:

   • Subset of reports—AP Image Predownload, AP Profile Status, AP Summary, Client Count, Client Summary, Client Traffic, PCI Report, PCI Compliance Detailed and Summary reports, Preferred Call Network Summary report, Rogue APs, Adhoc Rogues, New Adhoc Rogues and Security Summary reports.

   • Dashboard customization

   • Client Station Statistics information is not populated with old WCS data in clients charts, client details page, dashboards and reports.

   • Client historical session information does get upgraded.

   • Events history stored in WCS database are not migrated to NCS.

   • RADIUS/TACACS server IP and credentials are not migrated and need to be added again after the migration is complete. You need to copy the latest custom attributes from NCS and include them in AAA server for user authentication/authorization in TACACS+/RADIUS.

     Note: Make sure RADIUS/TACACS server is enabled as AAA mode in the Administration > AAA > AAA Mode Settings page.

   • Only alarms with Root Virtual Domain are migrated from Release 7.0 to NCS.

   • The root password is not migrated from Release 7.0.164.3 or 7.0.172.0 to NCS Release 1.1.x.x. The user must change the root password during the installation of the application. Non root users and their credentials are migrated during migration.

   • Alarm categories and subcategories are not restored after migration to NCS Alarm Summary.

Upgrade NCS from NCS 1.0.x to 1.1

You can upgrade from NCS Releases 1.0.0.96, 1.0.1.4, 1.0.2.28, and 1.0.2.29 to NCS 1.1.x.x.

These items should be noted prior to the upgrade process:

• Ensure that you perform a backup before you attempt to upgrade.

• Disable High Availability before you perform the upgrade.

• Shut down NCS before you perform the upgrade. Run the ncs stop command in order to stop NCS.

Use this command in order to upgrade from NCS 1.0 to NCS 1.1.x.x:

# application upgrade NCS-upgrade-bundle-1.0.2.x.tar.gz wcs-ftp-repo 

In the previous command, NCS-upgrade-bundle-1.1.x.x.tar.gz is the upgrade bundle file, which is available on Download Software (registered customers only) . The repository used in the example, wcs-ftp-repo, can be any valid repository. These are examples of repository configurations:

FTP Repository:

# 
configure (config)# 
repository wcs-ftp-repo (config-Repository)# 
url ftp://ip-address (config-Repository)# 
user ftp-user password plain ftp-user (config-Repository)# 
exit (config)# 
exit #

SFTP Repository:

# configure 
(config)# repository wcs-sftp-repo 
(config-Repository)# url sftp://ip-address 
(config-Repository)# user ftp-user password plain ftp-user 
(config-Repository)# exit (config)# exit #

TFTP Repository:

# configure 
(config)# repository wcs-tftp-repo 
(config-Repository)# url tftp://ip-address 
(config-Repository)# exit (config)# exit #

Import Maps from WCS

The map export/import feature is available in WCS 7.0. This feature is described in detail in the WCS 7.0 Configuration Guide.

After you export maps from your WCS server, you can import this set of maps in your NCS server. The steps to import your maps are covered in the WCS 7.0 Configuration Guide.

Note: It is important that APs in your WCS server are first added to your NCS server prior to importing maps since APs on your WCS maps are also included during the export process. APs that have not been added to your NCS but are present on exported floor maps result in errors that are displayed when you import those maps into NCS.

High Availability - Basic Theory of Operation

The NCS HA implementation in NCS allows for up to two primary NCS systems to fail over to one secondary (backup) NCS. A second server is required that has sufficient resources (CPU, hard drive, network connection) in order to take over NCS operation in the event that the primary NCS fails. Each database instance on the secondary NCS is a hot standby for the corresponding primary NCS.

The notation that is used to describe primary and secondary systems is N:M , where N = number of primary systems in operation and M = number of secondary systems that are backing up the primary system(s).

In NCS, these HA configurations are supported:

1:1 – 1 Primary, 1 Secondary 

The size of secondary server must be larger than or equal to primary server, for example if the primary NCS server is medium OVA, then the secondary NCS server must be medium or large OVA.

The primary and secondary server can be a mix of a physical and virtual appliance. For example, if the primary NCS server is a physical appliance, the secondary server can be either physical appliance or large OVA virtual appliance, for example, the server configuration and sizing of large OVA is the same as physical appliance.

The Health Monitor (HM) is a new process implemented in NCS, that is the primary component that manages the HA operation of the system. HM is divided into these multiple sub-modules, each of which handle a specific set of functions:

• Core HM—responsible for these tasks:

  • configuration of the overall HA system

  • maintains state machine for the HA system

  • start/stop of HM and the NCS JVM

  • start/stop and monitor of other sub-modules within the HM

  • handles registration of primary/secondary pair

  • authenticates the HM specific session

  • makes all decisions about failover and failback

• Heart Beat—Heart Beat submodule is responsible for maintaining communication between the primary and secondary HMs. Communication occurs over HTTPS (default port is 8082). The timeout value is 2 seconds. A retry mechanism has been implemented to retry establishing connectivity between the P-HM and S-HM. If the HM does not receive a response after sending a heartbeat request within the timeout period, it retries establishing communication by sending another heartbeat request. The total number of retries is 3. After communication has not be established after 3 retries, the HMs take appropriate action as per the scenarios defined:

  • primary server goes down: this is the classic failover case. In this scenario, when the S-HM does not receive HeartBeat requests for 6 seconds (3 retries x 2 seconds), it initiates the failover mechanism on the secondary NCS.

  • secondary server goes down: in this scenario, the P-HM does not receive HeartBeat response from the S-HM for 6 seconds (3 retries x 2 seconds). When this happens, the P-HM changes its state to PRIMARY_ALONE, raises alarms and changes into listening mode – waiting to receive any messages from the secondary for re-establishing the link between P-HM and S‐HM.

• Application Monitor—Application Monitor submodule is responsible for communication with NCS framework (NCS JVM) on the local server to retrieve status information. Communication is via SOAP over HTTPS.

• DB Monitor—DB Monitor sub-module configures the DB for replication. It is not responsible for the DB replication itself as this is accomplished via the database proprietary replication protocol.

• File Sync—File Synchronization sub-module has 4 sub-components:

  1. File Archiver: periodically scans directories looking for files that have been modified. It collects any such files and adds them to a TAR archive

  2. File Transfer Agent (FTA): responsible for transferring the compress TAR archive to the destination (other server, i.e. primary to secondary or secondary to primary).

  3. File Upload Servlet (FUS): runs on the secondary server and is the counterpart to the FTA. When it receives a file, the FUS streams it directly to the TAR extractor rather than create the file on the local disk (avoids unnecessary disk activity). The FTA and FUS communicate over HTTPS.

  4. Statistics Collector: keeps statistics of file transfer operations from the time that server starts.

The NCS database is the core data storage element of the system and must be replicated between primary and backup systems in real‐time without data loss. This is fundamental to the operation of NCS HA. Data is stored in 1 of 2 ways:

1. NCS database

2. Application data

Application data is a set of flat files that contains this data:

• database password file: replicated in real time (11 seconds)

• NCS license files: replicated via batch processing (every 500 seconds)

• all files under tftp root directory: replicated via batch processing (every 500 seconds)

• scheduled generated reports: replicated in real time (11 seconds)

Health Monitor: the health monitor (HM) is the primary component that manages/monitors the HA availability of the system. There are multiple submodules that handle various functions with HM.

Core HM: responsible for these talks:

• Configures the HA system

• Maintains state machine for HW system

• Start/stop HM

• Start/stop and monitor other sub-modules within HM

• Handles registration of primary-secondary pair

• Makes all decisions regarding failover and failback

Failover Operation

After initial deployment of NCS, the entire configuration of primary NCS is replicated to the host of the secondary NCS. During normal operation (i.e. primary NCS is operational), database from primary is replicated to secondary NCS.

In addition to the database replication, application data files are also replicated to the secondary NCS. Replication frequency is 11 seconds (real‐time files) and 500 seconds (batch files).

NCS Requirements for using NCS HA Feature

Customer must be running same NCS version on both primary and secondary NCS servers. The NCS HA feature is transparent to wireless controller, i.e. there is no software version requirement for WLC, AP’s and MSE.

Configuration of HA Feature

These parameters must be configured on the primary NCS:

• name/IP address of secondary NCS

• email address of network administrator for system notification

• manual or automatic failover option

Secondary NCS must always be a new installation and this option must be selected during NCS install process. For example, standalone or primary NCS cannot be converted to secondary NCS. Standalone NCS can be converted to HA Primary.

Note: Database replication between P-NCS and S-NCS uses port 1522, so ensure that this port is open on all network devices, such as firewalls, switches, routers and so forth, along the network path between primary and secondary NCS servers.

Example – Installation and Configuration Process

In this example, this is a 1:1 NCS HA system

Primary NCS: 172.19.27.84

Secondary NCS: 172.19.27.159

The first step is to install and configure the Secondary NCS. When configuring the Primary NCS for HA, the Secondary NCS needs to be installed and reachable by the Primary NCS.

Note: A key point to remember is that when P-NCS is running/operational, S-NCS is not running. When the Secondary server is in standby mode, these services are running on the secondary server: HM, Apache and database. When P-NCS goes to a down state, HM on the Secondary server starts the NCS JVM process. Only then does S-NCS become accessible.

Health Monitor port needs to set up on target NCS installation machine. Default port value is port 8082. This port number only has local machine significance (local machine port).

Check Health Monitor Port...
Please change the Health Monitor web port if needed. Health Monitor (DEFAULT: 8082): [root@NCSlinux1NCS]#

Authentication Key for Health Monitor must also be created during the installation process. This key is only used internally by the P‐HM and S‐HM for authentication. It must be the same key on both the primary and secondary servers.

As stated earlier, only one NCS server license needs to be purchased. For example, a separate NCS license does not need to be purchased for the secondary NCS. The same NCS license file resides on both the primary and secondary NCS. Since the NCS JVM is only running on either the primary or secondary (not both), the license file is only active on one system at a given point in time.

The network administrator also needs to provide email server settings for email notification for the HA process. This is required for manual HA operation (system manager intervention). Navigate to this page as follows: Administration >Settings >Mail Server

Configuration on Primary NCS Secondary

NCS Settings

Choose Administration >High Availability. As highlighted, HA is not currently configured on this system.

From the menu on the left-hand side of the screen, choose HA Configuration. This takes you to this window. When you enter the requested information in the General heading section and click the Save & Enable button, the configuration is saved and HA is enabled.

You need to input this information: IP address of S-NCS, authentication key, email address for notifications to be sent, failover type. You can choose to save this information without enabling HA, or save and enable HA.

Monitoring NCS HA operation

After you complete the previous step, message status information in NCS provides information on HA configuration and whether it is enabled.

Health Monitor – Secondary NCS

On the Health Monitor screen on the secondary NCS, you can see state information of secondary NCS and the failover type that has been configured. Also this allows network administrator to set logging message level type and the ability to capture/download log files. You can also view events seen by S-HM with associated time stamps.

Primary Failure example – Manual Failover

In this example, the secondary NCS was configured with manual failover. For example, the network administrator is notified through email that the primary NCS had experienced a down condition. The Health Monitor on Secondary NCS detects failure condition of Primary NCS. Since manual failover has been configured, network administrator needs to manually trigger S-NCS to take over NCS functionality from NCS Primary. This is done if you log into S-HM. Even though S-NCS is not running, S-HM can be connected to through this syntax:

https://<S‐NCS_ip_address>:HM_port/

The S-HM displays messages in regards to events that are seen. Since Manual Failover has been configured, the S-HM waits for the system administrator to invoke the failover process. Once Manual Failover has been chosen, this message is displayed as S-NCS starts. Once the failover process has been completed, which means that the NCS database replication process is completed and S-NCS JVM process has started, then S-NCS is the active NCS.

Health Monitor on NCS Secondary provides status information of both NCS Primary and Secondary servers. Failback can be initiated through S-HM once P-NCS has recovered from failure condition. Failback process is always initiated manually as to avoid a flapping condition that can sometimes occur when there is a network connectivity problem.

Failback

When the issues on the server that host P-NCS have been resolved, failback can be manually initiated. Once this is done, the screen is displayed on S-NCS. When you initiate failback, the NCS database on S-NCS and any other files that have changed since S-NCS took over NCS operation are synchronized between S-NCS and P-NCS. Once database synchronization has been completed, P-NCS JVM is started by P-HM. When P-NCS JVM is running, this screen is displayed on S-HM.

Automatic Failover

Automatic failover is a much simpler process. All of the configuration steps are the same except Automatic Failover is selected. Once configured, the network administrator does not need to interact with the S‐HM in order for the failover operation to take place. Only during failback is human intervention required.

Add a Controller to NCS

• Choose Configure > Controllers > Add Controller in order to add a switch. Cisco wireless controllers (WLCs) can be added in manually or through the CSV file.

• After you add the controllers, they are placed temporarily in the Monitor > Unknown Devices page while NCS attempts to communicate with the controllers that you have added. Once communication with the controller has been successful, the controller moves from the Monitor > Unknown Devices page to the Monitor > Controllers page. If NCS is not able to successfully communicate with a controller, it remains in the Monitor > Unknown Devices and an error condition is displayed.

Add a Switch to NCS

Choose Configure > Switches > Add Switches in order to add a switch. Switches can be added individually or multiple switches can be imported through the CSV file.

After a switch is added, it is placed temporarily in the Monitor > Switches page while NCS attempts to communicate with this switch. Once communication with the switch has been successful, NCS moves the switch from the Monitor > Unknown Devices page to the Monitor > Switches page. If NCS is not able to successfully communicate with a switch, it remains in the Monitor > Unknown Devices and an error condition is displayed.

Catalyst Switch Configuration

There are three steps for client security configuration on Cisco Catalyst switches: AAA, RADIUS and 802.1x/MAC authentication.

aaa new-model
!
aaa authentication login login-none none
aaa authentication dot1x default group radius
aaa authorization network default group radius 
aaa authorization auth-proxy default group radius 
aaa accounting update periodic 2
aaa accounting dot1x default start-stop group radius
!
ip device tracking

Refer to AAA Overview for more information.

This configuration is Cisco switch configuration for RADIUS authentication for both Cisco ISE/ACS and non-Cisco RADIUS servers.

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server host 40.40.1.10 auth-port 1812 acct-port 1813 key secret
radius-server timeout 10
radius-server key secret
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication

Refer to these documents for more information:

• RADIUS Server Reorder on Failure

• RADIUS Attribute 8 (Framed-IP-Address) in Access Requests

• Cisco IOS Security Command Reference

802.1X and MAC Auth Configuration—This switch configuration provides three functions: authentication for 802.1x clients, allow clients to continue on the network that fail 802.1x authentication (event is generated/sent to NCS for failed 802.1x authentication), MAC authentication bypass (MAB) for IP devices that don’t have 802.1x supplicant.

dot1x system-auth-control
interface <interface>
 description *** Dot1x Client ***             
 switchport mode access
 authentication port-control auto
 authentication open  

< - monitor mode: allows client on the network if it fails 802.1x auth

 dot1x pae authenticator
 mab
 authentication order mab dot1x 

<- for devices without 802.1x capability or credentials

!

Refer to Configuring IEEE 802.1X Port-Based Authentication for more information.

MAC Notification for Traps (non-identity clients)—This Cisco IOS switch feature forwards SNMP traps from the switch to NMS, for example, NCS server, for MAC notifications, non-802.1x clients.

mac address-table notification change interval 5
mac address-table notification change history-size 10
mac address-table notification change
 
interface <interface>
 description non-identity clients
 switchport access vlan <VLAN ID>
 switchport mode access
 snmp trap mac-notification change added  <- interface level config for MAC Notification
  snmp trap mac-notification change removed <- interface level config for MAC Notification

Debug Commands debug snmp packets

Show Commands show mac address-table notification change

Refer to Configuring MAC Change Notification Traps for more information.

Syslog Configuration (identity clients only)—This configuration forwards syslog messages from Catalyst switch to NCS server.

archive
 log config
  notify syslog contenttype plaintext
logging facility auth
logging <IP address of NCS server>

Wireless Network Planning

Planning Tool

The built-in planning tool provides a way for network administrators in determining what is required in the deployment of a wireless network. As part of the planning process, various criteria are inputted into the planning tool. Complete these steps:

1. Specify AP prefix and AP placement method (automatic vs. manual).

2. Choose the AP type and specify the antenna for both the 2.4GHz and 5GHz band.

3. Choose the protocol (band) and minimum desired throughput per band that is required for this plan

4. Enable planning mode for advance options for data, voice, location. Data and Voice provide safety margins for design help. Safety margins help design for certain RSSI thresholds, which is detailed in online help. The location with monitor-mode factors in AP(s) that could be deployed to augment location accuracy. The location typically requires a denser deployment than data and the location checkbox helps plan for the advertised location accuracy.

5. Both the Demand and Override options allow for planning for any special cases where there is a high-density of client presence such conference rooms or lecture halls.

   

   Generated proposal contains these:

   • Floor Plan Details

   • Disclaimer/Scope/Assumptions

   • Proposed AP Placement

   • Coverage and Data Rate Heatmap

   • Coverage Analysis

Map Editor

The integrated map editor in NCS accounts for objects and obstacles on a floor. The modification of floor map characteristics results in a more precise RF propagation model that is displayed in predictive heat maps. Attenuation characteristics for objects and obstacles help predictive engine display a more realistic predictive heat map. edits made to floor map helps specify areas and regions such as:

• Coverage Area and Markers—used for location notifications

• Perimeter—defines the outer boundary

• Location Inclusion and Exclusion Regions — used for location events and notifications

Objects and obstacles that may be specified:

• Walls (Light and Heavy)—2dB and 13dB

• Cubicle (Walls)—1dB

• Doors (Light and Heavy)—4dB and 15dB

• Glass (doors, windows, walls)—1.5dB

Import Maps from WCS to NCS

The map export/import feature is available in WCS 7.0. This feature is described in detail in the WCS 7.0 Configuration Guide.

After the exportation of maps from the source WCS server, this set of maps can be imported into the destination NCS server. The steps to import your maps are covered in the NCS Configuration Guide.

Note: It is important that APs in the WCS server are first added to NCS server prior to importing maps since APs on the WCS maps are also included during the export process. APs that have not been added to your NCS but are present on exported floor maps result in errors being displayed when you import those maps into NCS.

Use NCS to Deploy a Wireless LAN

Configuration Templates

Configuration templates are sets of configurations that may be applied to devices at a system or global level. They can be re-used in order to modify existing configurations. Templates can also be used to replicate configuration to other devices added subsequently. Configuration templates can be used to schedule config changes at predefined date and time. The audit capabilities in NCS can also leverage config templates to determine config differences between NCS and existing controller configuration.

Configuration Groups (Config-Groups)

Config-groups are an easy way to group controllers logically. This feature provides a way to manage controllers with similar configurations. Templates can be extracted from existing controller to provision new controllers or existing controllers with additional configuration parameters. Config groups can also be used to schedule configuration sets from being provisioned. Controller reboots can also be scheduled/cascaded depending on operational requirements. Mobility groups, DCA, and controller configuration auditing can also be managed using config-groups.

Config-Groups are used when grouping sites together for easier management (mobility groups, DCA and regulatory domain settings) and for scheduling remote configuration changes. Groups sites to ensure compliance with configuration policies .

• Adding Controllers—Controllers in WCS are presented and can be moved over to the newly config group

• Applying Templates—Discovered or already present template(s) can then be applied to controller

• Auditing—Ensure template-based audit is selected in audit settings and then audit controllers in group to ensure they comply with policies

Use NCS to Monitor/Troubleshoot a Wireless Network

RRM /CleanAir

RF Profiles and Groups is supported in NCS version 1.1 for both RF Profile creation templates, and AP Group templates. If you use NCS 1.1 to create the RF Profiles through the creation of templates, this gives the administrator a simple way to create and apply templates consistently to groups of controllers. The process flows the same as was previously discussed in the Controller feature set with some minor but important differences.

The process is the same as previously discussed in that you first create RF Profiles, then apply the profiles through the AP Groups. Differences are in how this is done from NCS and in the use of Templates to deploy across the network.

Build an RF Profile with Cisco Prime NCS 1.1

On The Cisco Prime NCS there are two ways that you can approach building or managing an RF Profile. Choose Configure > Controllers > (IP address of controller) > 802.11 > RF Profiles in order to access profiles for an individual controller.

This displays all the RF Profiles currently present on the chosen controller and allow you to make changes to Profiles or AP Group assignments. The same limitations in regards to a profile that is currently applied to an AP Group is in effect as with the Controller GUI. You have to disable the network or un-assign the RF profile from the AP Group.

When you create a new profile, NCS prompts you to choose an existing template. If this is the first time it is being accessed, you are directed to the Template Creation dialogue for an 802.11 Controller template.

Choose Configure > Controller Template Launch Pad > 802.11 > RF Profiles in order to go to the Controller Template Launch Pad directly.

In both cases, a new RF profile is created on NCS through the use of a template. This is a preferred method, since it allows the administrator to leverage the workflow of NCS and apply templates and configurations to all or select groups of controllers and reduce configuration errors and mismatches.

Complete these steps:

1. In order to create a RF Profile Template, choose new:

   

2. Configuration of the template/settings is almost identical with the addition of a template name. Make this descriptive for easy recognition in the future. Change settings as needed or required and choose Save.

   Note: If you choose a threshold value for TPCv2 and it is not the chosen TPC algorithm for the RF group, then this value is ignored.

   Note: A simple setting to change for validation is the minimum TPC power. The minimum power can be raised if you choose a dBm value that is more than the current power level assigned by RRM. This helps to validate the RF Profiles operation.

3. Once you depress Save The options at the bottom of the screen change

   

   Choose Apply to Controllers and the controller dialogue box appears to display the list of controllers managed by this NCS server.

   

4. Choose save config to flash, choose the controller that you wish to have the profile available on, and choose Save.

   

5. Now when you view the RF Profiles screen, you can see the new template created.

   

   The previous steps can be repeated in order to create and apply additional templates as required, for example, for 802.11b.

Apply RF Profiles to AP Groups with NCS

As with the WLC configuration for RF Profiles, newly created profiles can be applied to a controller through the use of AP groups they are assigned to. In order to do this, either previously saved AP Group VLANs template or newly created template can be used.

Choose Configure > Controller Template Launch Pad and choose AP Group VLANs.

In order to create a new template, choose New and fill in the required information.

Choose the RF Profiles tab in order to add RF Profiles.

If you save the template, a warning message appears.

As stated in the previous message, the change of the interface that the assigned WLAN uses disrupts the VLAN mappings for FlexConnect APs applied in this group. Ensure that the interface is the same before you proceed.

Once you choose OK, the dialogue is replaced with the option to Apply to Controllers. Choose this option.

Choose the controller(s) to which the template needs to be applied.

NCS responds with operational status on whether the template was successfully applied to the selected controller(s).

If the template was not pushed successfully, NCS provides a message that states the reason for the failure. In this example, the RF profile that is applied to the group is not present on one of the controllers to which the template was applied.

Apply the RF Profile again, specifically to that controller and then re-apply the AP group in order to generate a successful message.

Once the AP Group has been deployed with the RF Profiles applied (choose the Apply to Access Points button), only access points attached to the controllers where the AP Group was deployed successfully are available to select from.

Note: Until this point, no real changes were made to the RF Infrastructure, but this changes when APs are moved into the group that contain new RF Profiles. When an AP is moved into or out of an AP group, the AP reboots in order to take up the new configuration.

Choose the APs in order to add to the AP Group and choose OK. A warning message appears.

NCS displays the status of the change.

Use NCS to Remediate Issues

• CleanAir

• client troubleshooting

• audit tool

• security dashboard

• SPT

Use NCS to Optimize the Operation of the Wireless Network

• reports

• wireless network performance (RRM)

• performance (WAN bandwidth)

Dashboard

Dashboard components have been enhanced in NCS 1.0. there are a number of enhancements to home page components:

• wired/wireless integration: components now also display wired client and switch information

• component customization workflow: what can be customized, how to customize

• individual components can be refreshed. Refresh rate can be configured individually as well.

• ease of component and home page customization: all editing is completed directly on the home page (no need to navigate to edit page). Drag and drop for adding/moving components

• intuitive workflow: component hyperlinks provide ease of navigation, e.g. client auth distribution to filtered client list page

These are the main user customizations for the Dashboard:

• dashlet drag-and-drop: components can be re-arranged on the page

• add/deleting dashboards: add/delete new tabs

• dashboard reordering

• dashboard renaming

• editing layout: can specify number of columns for dashlets, adding/deleting dashlets

• renaming dashlets

• multiple instances of dashlet: user can add same dashlet and customize content in each one

• user-configurable dashboard layout: number of columns on page for components

  

Dashlet customization:

• manual refresh: allows users to refresh individual dashlet contents

• edit dashlet name

• resize: minimize (reduce to title and status bar), restore (restores to original size), maximize (active dashlet occupies dashboard area)

• detach: detach/redisplays dashlet content in new window

• close: removes dashlet from Dashboard. Can be added again via “Add Dashlet” screen

• multiple display options: graph or table

• visual indicator to display whether dashlet has been customized.

  

Single view of wired/wireless clients in dashlet

There are eleven dashlet components that provide information on wired/wireless clients:

• Client Count by Association/Authentication

• Client Count by Wireless/Wired

• Client Traffic

• Client Alarm and Events Summary

• Client Traffic

• Client Troubleshooting

• Client Posture Status

• Inventory Detail Status

• Device Uptime

• Top 5 Devices by CPU Utilization

• Top 5 Devices by Memory Utilization

Wired-only dashlets

• Wired Client Speed Distribution

• Top 5 Switches by Client Count

Customization of area charts

Charts in dashlets like Client Count By Wireless/Wired and Client Count By Association/ Authentication have multiple area charts that depend upon the selection of adhoc filter bar of the charts that has All/Wireless/Wire” and Associated/Authenticated respectively as the options in the filter bar. The area charts seen can be overlaid (multiple areas cross each other) or stacked (multiple areas are vertically stacked – one over the other). The indication of whether it is stacked or overlaid is shown alongside the y-axis title. The reason for the different types of views (stacked or overlaid) is to give the user better indication of the data set being shown.

Monitoring Clients and Users

NCS provides the ability to monitor both wired and wireless clients (Monitor > Clients and Users). This provides a unified view of all clients on the network. These filters are available.

During the navigation to Clients and Users list page, All Associated Clients are displayed by default. There are 14 present filters that allow the user to view a subset of clients. Details are provided in the table. Additionally, there is the option to create custom filters:

• Quick Filter

• Advanced Filter

Columns in Client List Table can be customized directly on this page.

Columns in Client List Table can be customized directly on the Clients and Users list page. Select or unselect columns in order to display or hide the column immediately.

Default set of displayed columns and their order can be reset to default value through the Reset button.

In order o reorder columns, drag the column directly on the page and move it to the desired order/location.

The Toolbar the client/user list provides a set of tools that can be invoked on selected (one or more) clients.

Example Action: Operational Parameters

The radio button to the on the left-hand side chooses a particular client to display client details in this client list.

lightweight wireless client

wired client

In this screenshot, the client at the bottom of the list is a lightweight wireless client (Type: Lightweight wireless).

The example is for the wired client.

Wired/Wireless Client Troubleshooting

In NCS 1.0, both wired and wireless monitoring and troubleshooting has been integrated with identity services. Integration between wired/wireless network management has been achieved via three network elements:

• Cisco wireless LAN controllers (WLC)

• Cisco Catalyst switch security features: AAA, RADIUS, 802.1x and MAC authentication, MAC notification traps (non-identity clients), syslog (identity clients only)

• Cisco Identity Services Engine (ISE)

All clients – wired and wireless – are displayed in the Clients and Users page (Monitor > Clients and Users).

Wired clients display AP Name as N/A. Switch port information is provided in Interfaces.

Wireless Client Troubleshooting

In order to launch Client Troubleshooting Tool, click on the radio button to the left of the client list item. Once the client is selected, click on the Troubleshooting icon in the toolbar.

The window is displayed for the client.

Log messages can be retrieved from the controller with the use of the Log Analysis tool.

Refer to Policy Enforcement Module (PEM) for more information on the PEM state.

Event History tool provides user with event messages from client and AP.

Wired Client Troubleshooting

NCS 1.0 provides integrated management of wired and wireless devices/clients. One of the major features in NCS 1.0 is monitoring and troubleshooting for wired and wireless clients. SNMP is used to discover clients and collect client data. ISE is polled periodically to collect client statistics and other attributes to populate related dashboard components and reports.

If ISE is added to the systems and devices are authenticating to it, Client Details page displays an additional details labeled as Security.

In order to navigate to the Client Troubleshooting page, click on the Troubleshooting icon on the tools menu at the top of the page.

This takes the user to the page shown in the screen shot. In this example, the client device has link connectivity, but failed MAC authentication.

On the right-hand side of the screen is a tool bar with these items all related to troubleshooting:

• Client Troubleshooting Tool

• Log Analysis

• Event History

• Context Aware History

Event History provides messages related to connectivity events for this client. In this example, the client failed to successfully authenticate. Date/time is provided to assist the network administrator in troubleshooting this client.

ISE provides authentication records to NCS via REST API. Network administrator can choose time period for retrieving authentication records from ISE. In this example, the authentication record indicates that the user was not found in ISE database.

RF/Wireless Features

Track Clients

This feature allows a network administrator to track specific clients and be notified when these clients connect to the network. This feature is enabled from the Monitor > Users and Clients page.

To track single client, click the Add button and a sub-window appears where the user can enter the MAC address of the client along with tracking expiration (Never or specified end date).

If the user wants to track multiple clients, the client list can be imported. The resulting window allows the user to import list of client MAC addresses through the csv file.

A sample csv file can be downloaded that provides data format.

# MACAddress, Expiration: Never/Date in MM/DD/YYYY format
00:40:96:b6:02:cc,10/07/2010
00:02:8a:a2:2e:60,Never

Notification Settings

There are three options for notifications:

1. Purged Expired Entries—user can set duration to keep tracked clients in NCS database. Clients can be purged:

   • after 1 week

   • after 2 weeks

   • after 1 month

   • after 2 months

   • after 6 months

   • kept indefinitely

2. Notification Frequency—user can specify when NCS sends notification of tracked client:

   • on first detection

   • on every detection

3. Notification Method—user can specify for tracked client event to generate alarm or send email.

Displaying Tracked Clients

After tracked user information has been entered, the Tracked Clients window allows the user to view the status of existing tracked clients.

Unknown User ID

Not all users/devices are authenticated via 802.1x (e.g. printers). In this event, network administers have the option to assign a name to the device.

If a client device is authenticated to the network via web auth, WCS may not have username info for that client. In this scenario, customers may want to have usernames mapped to clients, even if they are using web auth.

1. Choose Monitor > Clients.

   Both wireless and wired clients are displayed. As previously described, a toolbar is located in the previous list of clients that allows the user to invoke a number of actions:

   • troubleshoot

   • test (link test, radio measurement, CCXv5 statistics, operation parameters)

   • disable

   • remove (disassociate wireless client)

   

2. Click the Identify Unknown Users icon in the toolbar.

   

   This results with a pop-up window.

3. Click Add in order to enter client details.

   

   Individual MAC address and corresponding username can be added.

   

   Once a client and MAC address has been added, WCS uses this table for client lookup based on matching MAC address.

Real-Time Heat Maps

One of the new features in NCS 1.0, is the option to display real-time heat maps. This is enabled by default. Choose Monitor > Maps > Properties in order to navigate to the settings.

Monitoring Cisco Catalyst Switches Using NCS

Wired inventory information is determined by these methods:

• Wired client discovery via SNMP traps, SNMP polling and syslog messages from switches

• ISE northbound API for additional information, such as posture, profiler, accounting, and so forth

NCS provides feature parity with WCS 7.x for client monitoring and reporting on all clients (wired and wireless). Additionally, NCS cross-launches ISE troubleshooting for wired clients. Further level of ISE integration is via cross-launch of ISE reports with data not contained in WCS.

This switch information is provided in NCS:

• Physical Assets, for example, chassis, modules, port, and power supply from Entity MIB

• Flash Device/Partition/Files

• Software Installed Image

• Ethernet Interface

• IP interface

• VLAN interface

• VLAN and VTP

• Etherchannel

• STP

• StackWise (supported only on Cisco Catalyst 3750 switches)

Monitor > Switch displays this switch information:

• IP address

• Device Name: hostname as given in switch IOS configuration

• Device Type: switch model

• Reachability: SNMP connectivity

• Client Count: number of clients directly connected to the switch

The displayed IP address is a hyperlink, and clicking on it takes the user to Configure > Ethernet Switch > (IP address) > Summary screen.

Wired clients are discovered via SNMP traps, SNMP polling and syslog messages from switches.

With NCS, Cisco Catalyst switches can be monitored for this information:

• Chassis: UDI, model name, uptime

• Memory/CPU utilization

• Ports/interfaces status

• Layer 2 (VLAN, VTP, spanning tree)

• Environment: status of power supplies and fans

• Memory and files in the system

• Clients (wired)

Spanning Tree

Spanning tree details for each spanning tree instance is provided:

• STP Port

• Port Role

• Port Priority

• Path Cost

• Port State

• Port Type

Cisco StackWise

For Cisco Catalyst switches that support StackWise technology, each switches role in the stack is provided including its role in the stack, switch priority, state and software version.

Interface Details

Status information on all Ethernet interfaces is displayed.

Layer 3 information is also provided (VLAN to IP subnet mapping).

VLAN Info

VLAN details are also available from NCS. Both system default and user-configured VLANs are displayed. VLAN ID, name and type are displayed on a single screen.

Client List Pages

Reports (Cross-Launch and Scale)

NCS 1.0 provides integrated management of wired and wireless devices/clients. SNMP is used to collect client data. ISE is polled periodically to collect client statistics and other attributes to populate related reports.

Choose Reports > Reports Launch Pad. Choose report for creation/customization.

New Reports

Top N Connections

This reports shows top N users in a given period of time based on these metrics:

• Connection Attempts

• Passed Attempts

• Failed Attempts

This report contains these columns:

• Username

• Number of total connection attempts

• Number of passed connection attempts

• Number of failed connection attempts

AP Association

This report lists all AP association details for wireless clients and is similar to Client Session reports.

Posture Status Count

This report provides a trend chart to show client posture status over time. The chart is an area chart; the bottom area is the number of clients passed the posture check and top area is the number of clients that failed the posture check.

Alarms/Events

Alarms and events provides a single page view of alarms and events for wired and wireless. Persistent alarm summary and browser is displayed in the bottom right of the screen regardless of what screen the user is on. NCS 1.0 provides generic alarm views including these pages:

• Alarm list pages

• Alarm detail pages

• Event list pages

• Event detail pages

• Alarm search by category & sub category

• Alarm summary window

• Alarm dashboard

• Alarm actions (acknowledge, clear, assign, unassign, delete, etc.)

• Alarm notification (Email, trap)

• Alarm page navigations (from and to different views)

• Alarm overview panel - drilldown to filtered list

• Launch existing WCS troubleshooting page from alarm page

Columns can be customized such as displayed, hidden, and reordered. Actions can be taken on one or more alarms simultaneously.

Quick Filter

This feature allows a user to filter on one or more columns based on text string entered in the filter filed at the top of each column. It provides an optional filtered view of alarms for wired and wireless alarms.

Advanced Filter

Advanced filter provides even greater search capability. It provides the ability to search on specific fields with various conditions, such as contains, does not contain, starts with, and ends with. This diagram shows the various filter options. Additionally, Advanced Filter allows nesting of condition and Boolean (AND/OR) conditions to be specified.

Similarly, Events can be displayed and filter on easily. It also has preset, quick and advanced filters. These filters work in much the same way as these same filter in Alarms.

AAA User Authentication via TACACS+/RADIUS using ACS 4.2

For TACACS+ users to authenticate successfully in NCS, a few changes are required in ACS 4.2. A new Service NCS HTTP needs to be added in Interface Configuration page for TACACS+ (Cisco IOS).

The entire set of NCS User Group Task list TACACS+ Custom Attributes needs to be copied in the NCS HTTP Custom attributes text area as shown in the screen shot for an AAA user. The same holds good for User Group.

For Radius User Authentication, you need to copy the new NCS User group task list Radius custom attributes in the Cisco IOS/PIX 6.x RADIUS Attributes section for User/User Group.

From NCS, add the new TACACS+/Radius server entry in Administration > AAA > TACACS+ Servers / Radius. Set the AAA mode in Administration > AAA > AAA Mode Settings to TACACS+ / Radius accordingly. Re-login as AAA user.

Related Information

• Technical Support & Documentation - Cisco Systems