Infrastructure

Cisco Mobility Express enables all options under Best Practices except those that need manual configuration, for example NTP, WLANs with 802.1X/WPA2, and high SSID counts.

AVC Visibility

  • Description—Application Visibility and Control (AVC) classifies applications using Cisco deep packet inspection with the Network-Based Application Recognition (NBAR2) engine, and provides application-level visibility and control in a Wi-Fi network. Once an application is recognized, AVC lets you either drop or mark (QoS) its traffic.

    AVC visibility is enabled by default on all WLANs in Cisco Mobility Express. With it, the Cisco Mobility Express virtual controller can recognize more than 1000 applications.

  • Status:
    • Selected—Enabled on one or more WLANs.

    • Unselected—Disabled on all WLANs.

  • CLI Option—Enable AVC visibility on a WLAN by entering this command:

    (Cisco Controller) >config flexconnect group default-flexgroup avc <wlan-id> visibility enable

Band Select

  • Description—Steers dual-band-capable clients toward the less congested 5-GHz band by delaying probe responses on the 2.4-GHz band. It is not recommended for voice deployments, because the added probe-response delay can hurt roaming for latency-sensitive clients.

  • Status:
    • Selected—Band select is enabled on one or more WLANs.

    • Unselected—Band select is not enabled on any WLAN.

  • CLI Option—Enable band select by entering this command:

    (Cisco Controller) >config wlan band-select allow enable <wlan-id>

Disable Aironet IE

  • Description—Aironet IE is a Cisco proprietary information element used by Cisco devices for better connectivity. It carries information such as the access point name, load, and number of associated clients, which the access point (AP) sends in the beacons and probe responses of the Cisco Mobility Express controller. Cisco Compatible Extensions (CCX) clients use this information to choose the best AP with which to associate.

    The CCX software is licensed to manufacturers and vendors of third-party client devices. The CCX code on these clients enables them to communicate wirelessly with Cisco APs and to support Cisco features that other client devices do not. These features relate to increased security, enhanced performance, fast roaming, and power management.

    Aironet IE is optional for CCX-based clients, but it can cause compatibility issues with some types of wireless clients. Keep it enabled on WLANs that serve workgroup bridges (WGB) and Cisco voice devices; on a general production network it is usually beneficial to disable Aironet IE after testing. Because the IE advertises the AP name, load, and client count in beacons and probe responses, disabling it also stops broadcasting those details to any station in range.

    The CCX Aironet IE feature should be disabled.

  • Status:
    • Selected—CCX Aironet IE disabled on all WLANs.

    • Unselected—CCX Aironet IE enabled on one or more WLANs.

  • CLI Option—Disable support for Aironet IEs for a particular WLAN by entering this command:

    (Cisco Controller) >config wlan ccx aironetIeSupport disable <wlan-id>

Fast SSID

  • Description—When fast SSID changing is enabled, the controller allows clients to move between SSIDs without delay: the client entry is not cleared when the client leaves an SSID, and the delay that the controller would otherwise enforce before the client may join another SSID is not applied. This is very important for supporting Apple iOS devices.

    Fast SSID should be enabled.

  • Status:
    • Selected—Enabled

    • Unselected—Disabled

  • CLI Option—Enable fast SSID by entering this command:

    (Cisco Controller) >config network fast-ssid-change enable

HTTPs for Management

  • Description—HTTPS for management encrypts the administrative session, so login credentials and configuration data are not exposed in cleartext on the network as they are with plain HTTP.

    Secure Web Access (HTTPS) should be enabled for managing the Cisco Mobility Express controller. Web Access (HTTP) should be disabled.

  • Status:
    • Selected—HTTPS enabled; HTTP disabled

    • Unselected—HTTP enabled, whether HTTPS is enabled or disabled

  • CLI Options—Enable and verify HTTPS access first, then disable HTTP; if HTTP is disabled while HTTPS is still off, there is no web management path left until HTTPS is turned on from the CLI:
    • Enable Secure Web Access mode to allow users to access the controller GUI using https://ip-address, by entering this command:

      (Cisco Controller) >config network secureweb enable
    • Disable the web mode to deny users access to the controller GUI using http://ip-address, by entering this command:

      (Cisco Controller) >config network webmode disable

Local Profiling

  • Description—The virtual controller in Cisco Mobility Express-enabled APs can determine the client type from the information received when a client device associates with the controller. The virtual controller collects this information and either displays it directly on the Cisco Mobility Express GUI dashboard or sends the required data to Cisco ISE.

    Local profiling (DHCP/HTTP) should be enabled on the Cisco Mobility Express controller. Enabling it may briefly affect client service at the time the change is applied.

  • Status:
    • Selected—Enabled on all WLANs. Shown in green if RADIUS profiling is also enabled.

    • Unselected—Disabled

  • CLI Option—Enable local profiling (DHCP/HTTP) on all WLANs by entering this command:

    (Cisco Controller) >config wlan profiling local all enable

NTP

  • Description—Network Time Protocol (NTP) is very important for several features. NTP synchronization is mandatory on the Cisco Mobility Express virtual controller if you use any of these features: Location, SNMPv3, access point authentication, or Management Frame Protection (MFP), all of which depend on accurate, synchronized time. The controller supports synchronization with NTP.

    The NTP server is used to synchronize the Cisco Mobility Express virtual controller's clock.

  • Status—If disabled, click Manual Configuration to manually configure the syncing with the NTP server.
    • Selected—NTP is configured on the Cisco Mobility Express controller.

    • Unselected—NTP is not configured on the Cisco Mobility Express controller.

  • CLI Option:
    • Enable NTP server by entering this command:

      (Cisco Controller) >config time ntp server <ntp-server-index> <ntp-server-ip-address>

WLAN not on Management VLAN

  • Description—We recommend that client WLANs are not mapped to the management VLAN, so that wireless clients do not share a Layer 2 segment with the controller and AP management interfaces.

  • Status—If disabled, click Manual Configuration to manually configure non-management WLANs.
    • Selected—No WLAN is mapped to the management VLAN.

    • Unselected—One or more WLANs are mapped to the management VLAN.

  • CLI Option—Configure WLAN not on Management VLAN by entering this command:

    (Cisco Controller) >config flexconnect group default-flexgroup wlan-vlan wlan <wlan-id> add vlan <vlan-id>
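The checks above (HTTPS-only management, fast SSID change, NTP, Aironet IE and band select per WLAN) can be audited from controller output rather than by clicking through the Best Practices page. The script below is an added example and is not Cisco code: it parses constructed text in the dotted "Key..... Value" layout that WLC-style show commands use, flags each failed check, and emits the remediation commands listed in this section. The exact key names ("Web Mode", "Secure Web Mode", "Fast SSID Change", "CCX - AironetIe Support", "Band Select") and the sample output are assumptions modeled on that layout, not captured from a real controller; adjust them to your software version.

```python
"""Audit a Cisco Mobility Express controller against the Best Practices checks
on this page and emit the remediation CLI for each failure.

Input is the text of 'show network summary', 'show time' and 'show wlan <id>'.
The dotted-leader "Key......... Value" layout and the key names below are
assumptions modeled on WLC-style output; adjust them to your controller.
"""
import re

# --- Constructed sample output (not captured from a real controller) --------
SHOW_NETWORK_SUMMARY = """\
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Fast SSID Change............................ Disabled
"""

SHOW_TIME = """\
NTP Index     NTP Server
---------     ------------
"""

SHOW_WLAN = {
    1: """\
WLAN Identifier................................. 1
Profile Name.................................... corp
CCX - AironetIe Support......................... Enabled
Band Select..................................... Enabled
""",
    2: """\
WLAN Identifier................................. 2
Profile Name.................................... guest
CCX - AironetIe Support......................... Disabled
Band Select..................................... Disabled
""",
}

_KV = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<val>.+?)\s*$")


def parse_kv(text):
    """Turn dotted-leader lines into a dict with lower-cased keys."""
    out = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            out[m.group("key").strip().lower()] = m.group("val").strip()
    return out


def is_on(value):
    return value.strip().lower() in ("enable", "enabled", "on", "yes")


def ntp_configured(show_time):
    """True if at least one server row (index, address) follows the header."""
    return any(re.match(r"^\s*\d+\s+\S", l) for l in show_time.splitlines())


def audit(net_summary, show_time, wlans):
    """Return (check, wlan_id or None, remediation command) per failed check."""
    findings = []
    net = parse_kv(net_summary)
    if is_on(net.get("web mode", "")):
        findings.append(("HTTP management enabled", None,
                         "config network webmode disable"))
    if not is_on(net.get("secure web mode", "")):
        findings.append(("HTTPS management disabled", None,
                         "config network secureweb enable"))
    if not is_on(net.get("fast ssid change", "")):
        findings.append(("Fast SSID change disabled", None,
                         "config network fast-ssid-change enable"))
    if not ntp_configured(show_time):
        findings.append(("No NTP server configured", None,
                         "config time ntp server 1 <ntp-server-ip-address>"))
    for wlan_id, dump in sorted(wlans.items()):
        w = parse_kv(dump)
        if is_on(w.get("ccx - aironetie support", "")):
            findings.append(("Aironet IE enabled", wlan_id,
                             f"config wlan ccx aironetIeSupport disable {wlan_id}"))
        if not is_on(w.get("band select", "")):
            findings.append(("Band select disabled", wlan_id,
                             f"config wlan band-select allow enable {wlan_id}"))
    return findings


def remediation_script(findings):
    """Commands in a safe order: any 'secureweb enable' runs before
    'webmode disable', so HTTP is never cut off while HTTPS is still off.
    The sort is stable, so the remaining commands keep audit order."""
    cmds = [f[2] for f in findings]
    cmds.sort(key=lambda c: 0 if "secureweb enable" in c else 1)
    return cmds


if __name__ == "__main__":
    for check, wlan_id, cmd in audit(SHOW_NETWORK_SUMMARY, SHOW_TIME, SHOW_WLAN):
        where = f"WLAN {wlan_id}" if wlan_id is not None else "global"
        print(f"FAIL [{where}] {check} -> {cmd}")
```

On the constructed sample this reports HTTP still enabled, fast SSID change off, no NTP server, Aironet IE still on for WLAN 1, and band select off for WLAN 2. The NTP line is emitted with the server address left as a placeholder because the script cannot know your time source; the "WLAN not on Management VLAN" check is not included because it needs the management interface VLAN as well, which these three outputs do not carry.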