Infrastructure
Cisco Mobility Express enables all options under Best Practices except those that need manual configuration, for example, NTP, a WLAN with 802.1X/WPA2, and high SSID counts.
- AVC Visibility
- Band Select
- Disable Aironet IE
- Fast SSID
- HTTPs for Management
- Local Profiling
- NTP
- WLAN not on Management VLAN
AVC Visibility
Description—Application Visibility and Control (AVC) classifies applications using Cisco's deep packet inspection techniques with a Network-Based Application Recognition (NBAR2) engine and provides application-level visibility and control into a Wi-Fi network. After recognizing the applications, the AVC visibility feature allows you to either drop or mark traffic.
AVC visibility is enabled by default on all WLANs in the Cisco Mobility Express. Using AVC visibility, the Cisco Mobility Express virtual controller can detect more than 1000 applications.
CLI Option—Enable AVC visibility on a WLAN by entering this command:
(Cisco Controller) >config flexconnect group default-flexgroup avc wlan-id visibility enable
Band Select
Disable Aironet IE
Description—Aironet IE is a Cisco proprietary attribute used by Cisco devices for better connectivity. It contains information, such as the access point name, load, number of associated clients, and so on, that the access point (AP) of the Cisco Mobility Express controller sends out in its beacons and probe responses. Cisco Client Extensions (CCX) clients use this information to choose the best AP with which to associate.
The CCX software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco APs and to support Cisco features that other client devices do not. These features are related to increased security, enhanced performance, fast roaming, and power management.
Aironet IE is optional for CCX-based clients; however, it can cause compatibility issues with some types of wireless clients. The recommendation is to enable it for workgroup bridges (WGB) and Cisco voice clients, but for a general production network it can be beneficial to disable Aironet IE after testing.
The CCX Aironet IE feature should be disabled.
CLI Option—Disable support for Aironet IEs for a particular WLAN by entering this command:
(Cisco Controller) >config wlan ccx aironetIeSupport disable wlan-id
Fast SSID
Description—When fast SSID changing is enabled, the controller allows clients to move faster between SSIDs: the client entry is not cleared and the reconnection delay is not enforced when a client moves to another SSID. This is very important for supporting Apple iOS devices.
Fast SSID should be enabled.
CLI Option—Enable fast SSID by entering this command:
(Cisco Controller) >config network fast-ssid-change enable
HTTPs for Management
Description—HTTPS for management provides greater security by allowing only encrypted access to the controller GUI.
Secure Web Access (HTTPS) should be enabled for managing the Cisco Mobility Express controller. Web Access (HTTP) should be disabled.
CLI Options—
Disable web mode to prevent users from accessing the controller GUI over http://ip-address by entering this command:
(Cisco Controller) >config network webmode disable
Enable Secure Web Access mode to allow users to access the controller GUI using https://ip-address, by entering this command:
(Cisco Controller) >config network secureweb enable
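A small audit script, added here as an example (it is not part of the Cisco documentation), that checks controller show output against the Fast SSID and HTTPS-for-management recommendations above. The sample output and the exact field names it looks for are assumptions modelled on the dotted-leader layout of WLC show commands.

```python
import re

# Constructed sample, modelled on the dotted-leader layout of WLC "show"
# output; the field names are assumptions, not a capture from a controller.
SAMPLE_SHOW_NETWORK_SUMMARY = """\
RF-Network Name............................. ME-LAB
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Fast SSID Change ........................... Disabled
"""

# Best practice from the sections above: HTTP off, HTTPS on, fast SSID on.
EXPECTED = {
    "Web Mode": False,
    "Secure Web Mode": True,
    "Fast SSID Change": True,
}

# "Key.......... Value" -> key / value; lines without a dotted leader are skipped.
LINE_RE = re.compile(r"^(?P<key>[^.]+?)\s*\.{2,}\s*(?P<value>\S.*?)\s*$")


def parse_show_output(text):
    """Turn dotted-leader show output into a {setting: value} dict."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("key").strip()] = m.group("value")
    return settings


def is_enabled(value):
    """Normalise Enable/Enabled/Disable/Disabled to a boolean."""
    return value.strip().lower() in ("enable", "enabled")


def audit(text, expected=EXPECTED):
    """Return (setting, actual, wanted) for every deviation from best practice.
    A setting missing from the output is reported with actual=None, so an
    absent line is never silently treated as compliant."""
    settings = parse_show_output(text)
    findings = []
    for key, wanted in expected.items():
        if key not in settings:
            findings.append((key, None, wanted))
            continue
        actual = is_enabled(settings[key])
        if actual != wanted:
            findings.append((key, actual, wanted))
    return findings
```

Feed it the captured output of the controller's network summary and every non-empty finding is a setting to fix with the commands in this section.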
Local Profiling
Description—The virtual controller in Cisco Mobility Express-enabled APs can determine the client type from the information received when a client device associates with the controller. The virtual controller acts as the collector of this information and either displays it directly on the Cisco Mobility Express GUI dashboard or, optionally, sends the required data to Cisco Identity Services Engine (ISE).
Local profiling (DHCP/HTTP) should be enabled on the Cisco Mobility Express controller. Enabling it may impact service at the time the change is made.
CLI Option—Enable local profiling (DHCP/HTTP) on all WLANs by entering this command:
(Cisco Controller) >config wlan profiling local all enable
NTP
Description—Network Time Protocol (NTP) is very important for several features. It is mandatory to use NTP synchronization on the Cisco Mobility Express virtual controller if you use any of these features: Location, SNMPv3, access point authentication, or Management Frame Protection (MFP). The controller supports synchronization with NTP.
The NTP server is used to sync the Cisco Mobility Express virtual controller's time.
Status—If disabled, click Manual Configuration to manually configure the syncing with the NTP server.
CLI Option:
WLAN not on Management VLAN
Description—We recommend that you have WLANs that are not mapped to the management VLANs.
Status—If disabled, click Manual Configuration to manually configure non-management WLANs.
CLI Option—Configure WLAN not on Management VLAN by entering this command:
(Cisco Controller) >config flexconnect group default-flexgroup wlan-vlan wlan wlan-id add vlan vlan-id