Choose to enable or disable best practices for the following categories:
Note: Click sign to view the benefits of the component. Also, click to view more details from the Cisco Embedded Wireless Controller on Catalyst Access Points Configuration Guide. To enable the component, click . If not, click .
Includes the following components:
Aironet IE is a Cisco proprietary attribute used by Cisco devices for better connectivity. It contains information, such as the access point name, load, number of associated clients, and so on sent out by the access point (AP) in the beacon and probe responses of the Cisco Embedded Wireless Controller on Catalyst Access Points. The Cisco Client Extensions (CCX) clients use this information to choose the best AP with which to associate.
If disabled, click to enable the disable Aironet IE best practice.
CCX Aironet IE feature should be disabled.
The Cisco WLAN solution Management over Wireless feature allows Cisco WLAN solution operators to monitor and configure the local controller using a wireless client.
Management over wireless should be disabled for security reasons.
If disabled, click to enable the disable management over wireless best practice.
HTTPS for management provides greater security by allowing secure access. Secure Web Access (HTTPS) should be enabled for managing Cisco Embedded Wireless Controller on Catalyst Access Points.
Web Access (HTTP) should be disabled.
If disabled, click to enable the HTTPS for management.
In dense production networks, controllers have been verified to function optimally with load balancing ON and window size set at 5 or higher. In practice, this means load balancing behavior is only enabled when, for example, a large group of people congregate in a conference room or open area (meeting or class). Load balancing is very useful to spread these users between various available APs in such scenarios.
Load balancing should be enabled. For time-sensitive applications such as voice, it can cause roaming issues. Therefore, it is recommended to test before enabling load balancing on the Cisco Embedded Wireless Controller on Catalyst Access Points.
Click to disable load balancing on all active WLANs.
Click to disable load balancing best practice.
Network Time Protocol (NTP) is very important for several features. It is mandatory to use NTP synchronization on the Cisco Embedded Wireless Controller on Catalyst Access Points, if you use any of these features: Location, SNMPv3, access point authentication, or MFP. The controller supports synchronization with NTP.
The NTP server is used to synchronize the time of the Cisco Embedded Wireless Controller on Catalyst Access Points.
If disabled, click to manually configure the syncing with the NTP server.
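A check for the management-plane recommendations above (HTTPS enabled, HTTP disabled, management over wireless disabled, NTP configured), as an added example that is not taken from the Cisco guide. It assumes the controller configuration is available as IOS XE-style text and that the command names shown match your release; the sample configuration is constructed.

```python
# Constructed sample; command names assume IOS XE-style syntax.
SAMPLE_CONFIG = """\
hostname ewc-lab
ip http server
ip http secure-server
no wireless mgmt-via-wireless
! ntp server 192.0.2.10
"""

TOGGLES = {
    # check name: (command, state recommended on this page)
    "https_management": ("ip http secure-server", True),
    "http_management": ("ip http server", False),
    "management_over_wireless": ("wireless mgmt-via-wireless", False),
}


def toggle_state(lines, command):
    """Return True/False for the last explicit setting, None if never set."""
    state = None
    for line in lines:
        if line == command:
            state = True
        elif line == "no " + command:
            state = False
    return state


def audit(config_text):
    """Map each check name to 'pass', 'fail' or 'unknown'."""
    # Normalise whitespace, then drop blank lines and '!' comment lines.
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    report = {}
    for name, (command, wanted) in TOGGLES.items():
        state = toggle_state(lines, command)
        if state is None:
            # Absent from the text: report it rather than guess a default.
            report[name] = "unknown"
        else:
            report[name] = "pass" if state == wanted else "fail"
    # A commented-out or negated 'ntp server' line does not count.
    has_ntp = any(l.startswith("ntp server ") for l in lines)
    report["ntp_configured"] = "pass" if has_ntp else "fail"
    return report


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check:26} {result}")
```

A result of "unknown" means the setting does not appear in the text, so its effective state has to be confirmed on the controller itself.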
Virtual gateway IP should be enabled. Clicking enables virtual gateway IP.
If enabled, click to manually configure the virtual gateway IP.
The controller in the
Local profiling (DHCP/HTTP) should be enabled on the Cisco Embedded Wireless Controller on Catalyst Access Points. This may impact service at the time.
If disabled, click to manually configure local profiling.
Includes the following components:
WLAN should be using 802.1x or WPA2 security. You can enable this from the WLAN page. The default day 0 setting does not mandate configuring 802.1x.
If enabled, click to specify the security setting of the WLAN.
When the user fails to authenticate, the controller excludes the client. The client cannot connect to the network until the exclusion timer expires or is manually overridden by the administrator.
Client exclusion is enabled by default on the master AP allowing it to exclude clients from joining the controller during the above events.
The user login policies are provided to limit the number of concurrent logins of the local netusers of the controller. You can limit the number of concurrent logins, and the recommended value is greater than the default of 0 (unlimited).
Includes the following components:
Auto CHD should be enabled.
The controller uses the quality of client signal levels reported by the APs to determine if the power level of that AP needs to be increased. Coverage Hole Detection (CHD) is controller independent, so the RF group leader is not involved in those calculations. The controller knows how many clients are associated with a particular AP and what the signal-to-noise ratio (SNR) values are for each client.
If a client SNR drops below the configured threshold value on the controller, the AP increases its power level to try to compensate for the client. The SNR threshold is based on the transmit power of the AP and the coverage profile settings on the controller.
For instructions on how to configure auto CHD, see Cisco Embedded Wireless Controller on Catalyst Access Points Configuration Guide.
Auto DCA should be enabled to allow RRM to select the best channels for each radio.
When a wireless network is first initialized, all participating radios require a channel assignment to operate without interference. Optimizing the channel assignments to allow for interference-free operation is DCA's job. The wireless network does this using the air metrics reported by each radio on every possible channel, providing a solution that maximizes channel bandwidth and minimizes RF interference from all sources: self (signal), other networks (foreign interference), and noise (everything else).
DCA is enabled by default and provides a global solution to channel planning for your network.
The controller dynamically controls the access point transmit power based on real-time wireless LAN conditions. You can choose between two versions of transmit power control: TPCv1 and TPCv2. With TPCv1, power can be kept low to gain extra capacity and reduce interference. With TPCv2, transmit power is dynamically adjusted with the goal of minimum interference. TPCv2 is suitable for dense networks. In this mode, there could be higher roaming delays and coverage hole incidents.
Auto TPC is enabled by default to allow RRM to select the best transmit power for each radio.
CleanAir should be enabled.
To effectively detect and mitigate RF interference, enable CleanAir whenever possible. It is recommended that various sources of interference, such as generic DECT phones, jammers, and so on, trigger security alerts.
Event driven RRM is enabled by default.
Spontaneous interference is interference that appears suddenly on a network, perhaps jamming a channel or a range of channels completely. The Cisco CleanAir spectrum event-driven radio resource management (RRM) feature allows you to set a threshold for air quality (AQ) that, if exceeded, triggers an immediate channel change for the affected access point. Most RF management systems can avoid interference, but this information takes time to propagate through the system. Cisco CleanAir relies on AQ measurements to continuously evaluate the spectrum and can trigger a move within 30 seconds. For example, if an access point detects interference from a video camera, it can recover by changing channels within 30 seconds of the camera becoming active. Cisco CleanAir also identifies and locates the source of interference so that more permanent mitigation of the device can be performed at a later time.
Click to disable event driven RRM on both radios (5GHz and 2.4GHz).
Click to enable event driven RRM on both radios (5GHz and 2.4GHz).
Rogue Severity was added to the ED-RRM metrics to improve handling of WiFi Interference. If a rogue access point is generating interference above a given threshold, this feature changes channels immediately instead of waiting until the next DCA cycle.
This should be used when ED-RRM is enabled. It should be avoided in buildings with a very large number of collocated WiFi networks (multi-tenant buildings) that are 100% overlapping.
Click to disable WIFI Interference.
Avoid using this option, to prevent frequent changes in DCA due to varying load conditions. It is disabled by default.
Dynamic bandwidth selection selects the widest channel width with the highest client data rates and lowest channel utilization per radio. This minimizes data retries and CRC errors on the 5 GHz band while avoiding rogue APs and CleanAir Interferers.
Flexible Radio Assignment (FRA) enables automatic assignment of the XOR 2.4 GHz radios to other roles such as 5 GHz and Monitor.
We recommend that you enable FRA when you have APs such as the Cisco Aironet 2800 and 3800 Series that support XOR operation.
Click to disable FRA and to enable FRA.
Number of WLANs should be less than 4.
We recommend limiting the number of service set identifiers (SSIDs) configured at the controller. You can configure 16 simultaneous SSIDs (per radio on each AP), but as each WLAN/SSID needs separate probe responses and beaconing, the RF pollution increases as more SSIDs are added. Furthermore, some smaller wireless stations like PDAs, WiFi phones, and barcode scanners cannot cope with a high number of basic SSID (BSSID) information. This results in lockups, reloads, or association failures. Also, the more SSIDs, the more beaconing needed, so less RF time is available for real data transmits. Cisco recommends one to three SSIDs for corporate, and one SSID for high-density designs. AAA override can be leveraged for per-user VLAN/settings in a single-SSID scenario.
Band selection should be enabled. However, if there is interactive traffic such as voice or video on the WLAN, do not use band selection.
Click to redirect to the WLAN page.
We recommend that low data rates of 6 and 9 Mbps are disabled on 5GHz for better performance.
Note: Low data rates should not be disabled for low density deployments where these data rates are expected to be present.
If disabled, click to manually configure 5GHz low data rates.
Low data rates of 1, 2, and 5.5 Mbps should be disabled on 2.4GHz and 11 Mbps set to not mandatory on 2.4GHz for better performance.
Note: Low data rates should not be disabled for low density deployments where these data rates are expected to be present.
If disabled, click to manually configure 2.4GHz low data rates.
Includes the following components:
Allows you to identify if the WLAN is configured with recommended L2 security, QoS, and Advanced settings for Apple devices. Application Visibility should be enabled.
Click to manually configure the L2 security, QoS, and advanced settings for Apple devices for individual, active WLANs.
Optimized roaming should be disabled because Apple devices use the newer 802.11r, 802.11k, or 802.11v roaming improvement.
Configuring the EDCA Profile as Fastlane improves Apple device performance on 5GHz networks.
Enable the 5GHz radio to provide a faster and less interfering network for Apple devices.
All the MCS Rates (0-31) should be enabled on the 5GHz networks to help improve the performance of Apple client devices.
© 2019 Cisco Systems, Inc. All rights reserved.