Infrastructure

All best practices, except those that need manual configuration, are enabled by default in a Cisco Mobility Express network. These exceptions include NTP, WLAN with WPA2 or 802.1x, and high SSID counts.

Disable Aironet IE

  • Description—Aironet IE is a Cisco proprietary attribute used by Cisco devices for better connectivity. It contains information such as the access point name, load, and number of associated clients, which the access point (AP) sends in the beacon and probe responses of the Cisco Mobility Express controller. Cisco Client Extensions (CCX) clients use this information to choose the best AP with which to associate.

    The CCX software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco APs and to support Cisco features that other client devices do not. The features are related to increased security, enhanced performance, fast roaming, and power management.

    Aironet IE is optional for CCX-based clients; however, it can cause compatibility issues with some types of wireless clients. The recommendation is to enable it for WGB and Cisco voice, but for a general production network, it can be beneficial to disable Aironet IE after testing.

    The CCX Aironet IE feature should be disabled.

  • Status:

    • Selected—CCX Aironet IE disabled on all WLANs.

    • Unselected—CCX Aironet IE enabled on all WLANs.

  • CLI Option—Disable support for Aironet IEs for a particular WLAN by entering this command:

    (Cisco Controller) >config wlan ccx aironetIeSupport disable wlan-id

Fast SSID

  • Description—When fast SSID changing is enabled, the controller allows clients to move faster between SSIDs. When fast SSID is enabled, the client entry is not cleared and the delay is not enforced. This is very important for supporting Apple iOS devices.

    Fast SSID should be enabled.

  • Status:
    • Selected—Enabled

    • Unselected—Disabled

      Note

      You can turn off Fast SSID by clicking the Disable button.


  • CLI Option—Enable fast SSID by entering this command:

    (Cisco Controller) >config network fast-ssid-change enable

HTTPS for Management

  • Description—HTTPS for management provides greater security by allowing secure access.

    Secure Web Access (HTTPS) should be enabled for managing the Cisco Mobility Express controller. Web Access (HTTP) should be disabled.

  • Status:

    • Selected—HTTPS enabled; HTTP disabled

    • Unselected—HTTPS enabled and HTTP enabled, or HTTPS disabled and HTTP enabled

  • CLI Options:

    • Disable web mode to prevent users from accessing the controller GUI using http://ip-address, by entering this command:

      (Cisco Controller) >config network webmode disable

    • Enable Secure Web Access mode to allow users to access the controller GUI using https://ip-address, by entering this command:

      (Cisco Controller) >config network secureweb enable

NTP

  • Description—Network Time Protocol (NTP) is very important for several features. It is mandatory to use NTP synchronization on the Cisco Mobility Express virtual controller if you use any of these features: Location, SNMPv3, access point authentication, or MFP. The controller supports synchronization with NTP.

    The NTP server is used to sync the Cisco Mobility Express virtual controller's time.

  • Status—If disabled, click Manual Configuration to manually configure the syncing with the NTP server.
    • Selected—NTP is configured on the Cisco Mobility Express controller.

    • Unselected—NTP is not configured on the Cisco Mobility Express controller.

  • CLI Option:
    • Enable the NTP server by entering this command:

      (Cisco Controller) >config time ntp server ntp-server-index ntp-server-ip-address
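
The Selected/Unselected status of the four checks above can be evaluated offline from a list of configuration commands. The following is an added example, not Cisco tooling or part of the original page: it assumes the input is plain text containing command lines in the form shown on this page (with or without the prompt), and the function name `audit`, the result keys, the sample lines and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed sample: command lines in the form shown on this page,
# not output captured from a real controller.
SAMPLE = """\
(Cisco Controller) >config wlan ccx aironetIeSupport disable 1
config wlan ccx aironetIeSupport enable 2
config network fast-ssid-change enable
config network webmode enable
config network secureweb enable
config network webmode disable
config time ntp server 1 192.0.2.10
"""

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")

def audit(text, wlan_ids):
    """Map each check to True (Selected), False (Unselected) or None (not stated).

    wlan_ids is supplied by the caller (assumption): the WLANs that exist.
    """
    aironet, net, ntp = {}, {}, False
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:4] == ["config", "wlan", "ccx", "aironetIeSupport"] and len(words) == 6:
            aironet[words[5]] = words[4]      # a later line overrides an earlier one
        elif words[:2] == ["config", "network"] and len(words) == 4:
            net[words[2]] = words[3]
        elif words[:4] == ["config", "time", "ntp", "server"] and len(words) == 6:
            ntp = True

    def state(key, wanted):
        return None if key not in net else net[key] == wanted

    ids = [str(i) for i in wlan_ids]
    if any(aironet.get(i) == "enable" for i in ids):
        aironet_ok = False                    # enabled on at least one WLAN
    elif ids and all(aironet.get(i) == "disable" for i in ids):
        aironet_ok = True                     # disabled on all WLANs
    else:
        aironet_ok = None
    https, http_off = state("secureweb", "enable"), state("webmode", "disable")
    if https is False or http_off is False:
        mgmt = False
    else:
        mgmt = True if (https and http_off) else None
    return {"aironet_ie_disabled": aironet_ok,
            "fast_ssid": state("fast-ssid-change", "enable"),
            "https_only_mgmt": mgmt,
            "ntp_configured": ntp}
```

A result of `None` means the supplied lines do not state the setting either way, so the check has to be confirmed on the controller itself.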