BRKEWN--2012
Session Objective
This session focuses on design and deployment fundamentals, as well as operational best practices to optimize the performance and accuracy of Cisco Context-Aware Services. Troubleshooting techniques for resolving issues related to tracking clients and active RFID tags will be covered. You will learn the advantages of deploying wIPS to secure your wireless deployment and how it provides greater visibility over threats and mitigation for your wireless network. Finally, the optimum deployment and redundancy mechanisms for the MSE appliance will be discussed.
Presentation_ID
Cisco Public
Agenda
Technology Background
System Architecture
Deploying Context Aware Services
MSE 7.0-MR1 Enhancements and New Features
Best Practices Guidelines
Technology Background
Location API via SOAP/XML over HTTPS
Cisco Wireless LAN Controller
NMSP over SSL
Cisco Catalyst Switch
Access Point
Cisco Mobility Services Engine (MSE)
Wireless Client
Wired Client
Context-Aware Architecture
Application and Management
Context-Aware Applications
Asset Visibility Business Process Network Visibility Telemetry
Mobility Services Engine
Network
Chokepoint
Medianet Medianet
NETWORK VISIBILITY
ASSET VISIBILITY
Network Visibility
Context Aware Services provide a single view showing clients, rogues, tags
client tag:
Interferer Details
NMSP status
Mitigate
Wireless LAN Controller
POOR GOOD
CH 1
CH 11
AIR QUALITY
PERFORMANCE
Cisco CleanAir
Presentation_ID 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Licensing Requirements
None
Functionality
Multi-interferer Detection & Classification
AirQuality Monitoring
Self-Healing Event Driven RRM
AirQuality Aware RRM
Self-Learning Persistent Device Avoidance
Spectrum Expert Connect
AirQuality and Interferer Alerts
Interferer Tracking & Zone of impact
Merging or correlating interferers from multiple WLCs (pseudo MAC)
Location Calculations
History Storage
Remote Client Troubleshooting
AirQuality Visualization and Mapping
Forensics Tools
Location Visualization
Impact Analysis
History Playback
Standard per AP
Context Aware endpoints required for each interferer tracked
MSE adds support for 100 interferers when AP3500 present (5 per AP, license is additive)
Standard per AP count
WCS: Plus required for MSE
NCS: Single license model (CleanAir supported by default)
WCS/NCS
System Architecture
Network
Tracking clients (indoor)
Context aware engine for clients (Cisco engine)
Utilizes CAPWAP infrastructure
Managed by Cisco WCS
AeroScout
Outdoor Location
TDOA Receivers challenges
costly
require extra synchronization
require License
require third party software platform for configuration
MSE successfully connects to WLC with mesh APs
RFID tags detected by mesh APs and are shown on the campus map
Location Accuracy Tool works with Mesh APs
nearest AP support: device will be displayed near the AP (with higher RSSI)
Recommendations
RFID tags should be placed at some height (4 to 5 ft.) above ground to avoid any blockage
Follow Mesh AP deployment guidelines
Important Points
Only CCX Tags can be tracked
Tags vendors have implemented CCXv1
Tags only operate in 2.4 GHz band
Need Third Party Tag Activator to program Tags
May need Third Party tools for Calibration
Calculation Method
Received Signal Strength Indication
Chokepoint for Zone Level Location
100 Permanent Interferer licenses are embedded in MSE. These Interferer Licenses open up as CleanAir APs (AP3500) are detected, in stages of 5 per 3500 AP.
Once the license is installed, it is usage based, depending on whether the service is enabled or disabled.
System Scalability
MSE can be managed by only 1 WCS
WCS can manage up to 5 MSEs
1 WLC can have up to 10 NMSP sessions
WLC with wIPS APs cannot establish NMSP session with multiple MSEs
Max. number of coverage areas: 50/floor
End-to-end latency: up to 6 seconds under full load
APs per Floor: 100 (Limit on WCS side)
Floors per Building in a campus: 20
IBM x3550M3 Platform / 1RU Form Factor
2 CPUs (Quad Core) Intel E5504 Nehalem, 4Mb L2 cache
16G DDR3 1333 MHz memory
4 x 146GB hot-swappable SAS drives / 10K RPM / RAID 1+0
Dual Gigabit Ethernet NICs
Dual Hot-swappable Energy Star certified Power supplies
Redundant internal cooling fans
Platform Overview
Latest Nehalem architecture based processor
High Performance SAS disk drives 6 Gbps transfer rate
High Performance RAID card with 512 MB onboard cache
Four Disk drives in RAID1+0 configuration; double the throughput of a RAID1 configuration with same reliability
Six internal redundant cooling fans in three zones (2 fans per zone)
IMM based out-of-band management for trouble free monitoring and management
Storage Capacity: 147 GB
Disk transfer rate: 3 Gbps
Installed memory: 8 (PC2-5300)
Power supplies: 2 (hot swappable)
Management: iLo not enabled
Monitoring: Disk only
RAID card cache: 256 Mb
If a single motor in a fan fails, an alarm is sent to WCS and the box must be replaced
Power Supply status is also monitored:
  Physical Existence of both power supplies
  Both power supplies being active (connected to power source)
  Health of power supplies
Failure in any of the above triggers an alarm to WCS
Troubleshooting
Critical components (disk, power supply, fans) are actively monitored
Scripts are run every 10-20 minutes to check health
The Light Path Diagnostics Panel
  A unique accessory that provides critical information about the state of the hardware
  MSE Installation guide provides details on the various LEDs and conditions
IMM is very reliable and easily accessible for monitoring the entire system
System event log contains every event and can be viewed via IMM or using the ipmitool
WLC
Alarm aggregation
Unique attacks seen over the air are correlated and aggregated into a single alarm.
Forensics
Provides the ability to capture attack forensics for further investigation and troubleshooting purposes.
WCS
Range
Placement, Density
Option B: ELM
Enhanced Local Mode
wIPS Monitor Mode or CleanAir MM + wIPS MM on CleanAir AP: Recommendation Ratio of 1:5 MMAP to Local Mode APs
MSE> /opt/mse/wips/bin/wips_cli
wIPS> show alarm list
CCX Enhancements
CCXv5 creates a path loss measurement (PLM) request by an AP to be sent to the client, which then causes the client to send bursts of path loss measurement frames at regular intervals back to the AP
Enables MSE to get more periodic data for cleaner client RSSI values.
Compensates for missing RSSIs and RSSI variations from challenging environments.
Wireless adapter with optional CCXv5 features is Cisco AIR-CB21AG-A-K9.
CCXv4 is more common, e.g. laptops with Intel wireless NICs w/ CCX V2+ capable.
CCX Calibration
Does not require MSE
MSE is only needed when applying and syncing the calibration to the map.
Client needs to be associated
WCS may show associated but WLC must show client is in run state.
Client must be CCXv2 and above.
Intel PROSet/WIFI settings: enable CCX - radio management
Cisco CB21ABG w/ ADU
CCX Logs
Location is \Prog~ \WCS-7.0-MR\webnms \logs
Download log file includes calibration data.
Validate connected client
Check if CCX is enabled, e.g. CCX Radio Measurement
Logs
Validating client card Calibration model name Instantiating = Start
X,Y Location
Samples collected
Priming samples
Access Points
10 samples per AP
Element counts
Rogue index
License Capacity
Top MSEs
Location History
History logging must be enabled
MSE tracks transition changes
Filter history based on time period or state
Movement, client association, network status
Enable logging for location history
Client status
Map Enhancement
Additional icons: rogue client, guest
Troubleshooting Notes section added to map
Troubleshooting notes
Rogue AP
Rogue Client
Guest
For good location fidelity, access points should be located 50-70 linear feet apart (15-22m)
Typically about one access point every 2500-5000 square feet (230-460 sqm)
APs/antennas height should be from 10 ft to 20 ft
Enable antenna diversity
APs placed too close to each other can cause co-channel interference
AP Positioning
Optimal AP positioning can greatly improve accuracy
Even distribution of APs provides better stability and repeatability of the data points
Wi-Fi device
Local mode AP placement and density may be sufficient for data/voice applications
Normal Coverage Deployment places the Local Mode APs in the Centre of the Bldg
Good for periphery of buildings to improve location accuracy without adding extra traffic that may impact voice or client services
Use TOMM APs to fill in coverage gaps
Wi-Fi device
Local TOMM Local
Customer Needs/Has:
Existing 802.11n deployments 1140, 1250
Competitive Installed 802.11n deployments
Deploy:
Pervasively deploy 3500 in local mode
Deploy:
Sprinkle In 3500 in monitor mode (1 monitor AP for 5 data APs)
Regions defined in WCS and pushed (via synchronization process) to MSE
In MSE, it works for only clients.
Cells & Masks feature in AeroScout Systems Manager can be used for tags
Location Accuracy
WCS Location Readiness Tool
90%/13.6m
50%/7.0m
Improving Accuracy
Legacy
Non CCX Or CCXv1
APs do not know Tx Power of the probes
APs do not know channel frequency of the probes
Probes can be detected on a wrong channel at a reduced power
Probes transmitted infrequently
Path Loss Model can show very large scale RSSI variations
CCXv2
CCXv2 or higher
APs do not know Tx Power of the probes
APs do not know channel frequency of the probes
Probes can be detected on a wrong channel at a reduced power
Frames scheduled periodically
Path Loss Model can show RSSI variations, but variations are averaged as more frequent info available
CCXv4
-1dB Cubicle
-1.5dB Glass
-2dB Light Wall
-4dB Light door
-13dB Thick Wall
-15dB Heavy Door
Calibration Models
After installation, calibration function available within WCS can be used for higher location accuracy
pre-defined models
WCS provides a way for user to calibrate signal characteristics for a particular indoor environment or similar areas
The more accurate the model used, the better the location accuracy
Point calibration: client at fixed location. One location at a time
Linear calibration: data collected between two different points (straight line)
Calibration with non CCX clients is not supported
Monitor > Clients > Client Details to verify CCX version
Disable RRM AP Power mode
Calibration should be performed for every band
MSE is not involved during Calibration process
After calibration model is created, the following steps are essential:
  Apply this model to the floor map(s)
  Synchronize WCS with MSE
Calculated Location
Test Point
Participating APs displayed with RSSI values
Moving the mouse pointer over the area displays test points and also identifies the APs that participated in calibration, shown in blue with RSSI values
Event Notifications
Types of Notifications
Notifications from MSE can be classified into 2 broad categories.
Northbound Notifications - applicable only for Tags.
Conditional Notifications or Track Event based Notifications - apply to tags, wireless clients, rogue APs and clients, and interferers. (Note: not wired clients)
Northbound Notifications
Applicable to only Tags.
Configuration done using the Notification Parameter page on the Context Aware Service -> Advanced Submenu under MSE on WCS.
Note: The advanced Parameter settings on the same page do not apply to Northbound notifications.
Can also be configured via the MSE API
Configurable parameters include:
  Trigger - On what condition should the notification be triggered
  Contents - The data of interest to the destination in the notification
  Destinations - Destination IP or hostname, Port and http/https option. (This can only be a SOAP destination)
Contents Destinations
Trigger
Troubleshooting: Not Getting Notifications for Clients, Rogues, Interferers and Wired clients
Only tags are supported.
Suggest setting up track group events with a generic condition (explore) for other devices.
No Notifications Received
Check whether the track group event definition was enabled
Check whether the track group was synchronized with the MSE and any errors during sync.
Check whether the destination IP and port is pingable from MSE.
Check the correctness of the event definition.
Check whether the device is detected by the MSE.
Missing Notification
Check correctness of event definition and whether they are all enabled.
Check errors during sync.
Check whether the devices configured in the events definitions are detected by MSE.
If the WCS is the notification receiver then the first notification will show up as an Alarm on the Notification Summary page and subsequent notifications will show up as events.
Dropped notification
Analyze the Notification Statistics.
Other troubleshooting steps similar to that of Northbound notification
SNMP v3
Enhanced to support SNMPv3 trap capability in the following areas:
Location Event Notifications:
  SNMPv3 transport will be supported in addition to SNMPv2
  Track Group SNMP transport definition will be extended to support SNMPv3 configuration
getserverinfo Command
Total Active Elements(Wireless Clients, Tags, Rogue APs, Rogue Clients, Interferers, Wired Clients): 381
Active Wireless Clients: 206
Active Tags: 58
Active Rogue APs: 50
Active Rogue Clients: 50
Active Interferers: 17
Active Wired Clients: 0
Active Elements(Wireless Clients, Rogue APs, Rogue Clients, Interferers, Wired Clients, Tags) Limit: 2100
Active Sessions: 1
Wireless Clients Not Tracked due to the limiting: 0
Tags Not Tracked due to the limiting: 0
Rogue APs Not Tracked due to the limiting: 390
Rogue Clients Not Tracked due to the limiting: 31
Interferers Not Tracked due to the limiting: 0
Wired Clients Not Tracked due to the limiting: 0
Total Elements(Wireless Clients, Rogue APs, Rogue Clients, Interferers, Wired Clients) Not Tracked due to the limiting: 421
-----------
Context Aware Sub Services
------------
Subservice Name: Cisco Tag Engine
Admin Status: Enabled
Operation Status: Up
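An added example (not from the presentation and not Cisco tooling): a parser for the getserverinfo counters shown above that reports which security-relevant device classes are being dropped by the tracking limit. It assumes one counter per line and that active plus not-tracked equals the devices seen for a class; the function names are illustrative.

```python
import re

# Counters copied from the getserverinfo slide, one per line (the line layout
# is an assumption; the slide text was flattened during extraction).
SAMPLE = """\
Total Active Elements(Wireless Clients, Tags, Rogue APs, Rogue Clients, Interferers, Wired Clients): 381
Active Wireless Clients: 206
Active Tags: 58
Active Rogue APs: 50
Active Rogue Clients: 50
Active Interferers: 17
Active Wired Clients: 0
Active Elements(Wireless Clients, Rogue APs, Rogue Clients, Interferers, Wired Clients, Tags) Limit: 2100
Wireless Clients Not Tracked due to the limiting: 0
Tags Not Tracked due to the limiting: 0
Rogue APs Not Tracked due to the limiting: 390
Rogue Clients Not Tracked due to the limiting: 31
Interferers Not Tracked due to the limiting: 0
Wired Clients Not Tracked due to the limiting: 0
Total Elements(Wireless Clients, Rogue APs, Rogue Clients, Interferers, Wired Clients) Not Tracked due to the limiting: 421
Subservice Name: Cisco Tag Engine
"""

COUNTER = re.compile(r"^\s*([^:]+?)\s*:\s*(\d+)\s*$")
NOT_TRACKED = " Not Tracked due to the limiting"
# Classes whose loss is a security visibility gap rather than a capacity note.
SECURITY_CLASSES = {"Rogue APs", "Rogue Clients", "Interferers"}


def parse_counters(text):
    """Return {name: int} for each 'name: <integer>' line; other lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def tracking_gaps(counters):
    """Per class: active, not tracked, and % of seen (active + not tracked) dropped."""
    gaps = {}
    for name, dropped in counters.items():
        if not name.endswith(NOT_TRACKED) or name.startswith("Total"):
            continue
        kind = name[: -len(NOT_TRACKED)]
        active = counters.get("Active " + kind, 0)
        seen = active + dropped
        pct = round(100 * dropped / seen, 1) if seen else 0.0
        gaps[kind] = {"active": active, "not_tracked": dropped, "pct": pct}
    return gaps


def findings(text):
    """Alert strings for security-relevant classes that are being dropped."""
    counters = parse_counters(text)
    total = next((v for k, v in counters.items() if k.startswith("Total Active Elements")), None)
    limit = next((v for k, v in counters.items() if k.endswith(" Limit")), None)
    out = []
    for kind, g in tracking_gaps(counters).items():
        if kind in SECURITY_CLASSES and g["not_tracked"]:
            out.append(f"{kind}: {g['not_tracked']} not tracked ({g['pct']}% of seen), "
                       f"overall usage {total}/{limit}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

On the slide's numbers this flags rogue APs and rogue clients as the only classes being dropped, while the overall element count sits well under the 2100 limit.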
Time Synchronization/Configuration
Possible symptom of clock discrepancy between WLC and MSE: can't establish NMSP connection after adding MSE to the system
Suggested course of action:
  Use NTP server for synchronizing clocks (recommended)
  Manual configuration (controller time should be equal to or ahead of time on MSE)
MAC address and key hash for authenticating NMSP session between MSE and WLC
WLC
(Cisco controller) >config auth-list add lbs-ssc <MSE Ethernet MAC> <MSE key hash>
(Cisco Controller) >show auth-list
Mac Addr                 Cert Type   Key Hash
----------------------   ---------   ------------------------------------------
00:1e:0b:61:35:60        LBS-SSC     5384ed3cedc68eb9c05d36d98b62b06700c707d9
RxEchoReq   TxData    RxData
---------   -------   -------
18006       163023    10
Active Elements(Clients, Rogues, Interferers) Limit: 100
Active Tag Limit: 100
Active Wired Clients Limit: 0
Active Sessions: 1
Synchronization History
Synchronization History shows
Automatic Synchronization
Automatic Controller Selection/Assignment
Smart Synchronization
If checked (Enabled), only then:
  Devices will be tracked
  History will be available
History Parameters
Number of days to save history is not limited in WCS UI
Limited by disk space and system performance
An element is declared inactive if it remains inactive for an hour. If it remains inactive for 24 hours, it is removed from the tracking table, and it is not possible to see the element's historical location on the WCS Monitoring page. Absent Data Cleanup Interval helps to control the tracking table.
Minimizing Latency
Tag notification frame interval for stationary tag 3-5 minutes
Tag notification frame interval for moving tags <10sec
WLC NMSP aggregation window is 2 sec by default
Correct aggregation window should be set to make sure that WLC has received updates from all the APs, before sending data to MSE via NMSP
From WLC CLI aggregation window can be set independently for clients, tags, rogue APs, rogue clients and Rfids
(Cisco Controller) >config nmsp notification interval rssi ?
clients        Measurement interval for clients.
rfid           Measurement interval for rfid tags.
rogues         Measurement interval for rogue APs and rogue clients
Context-Aware Software
MSE
802.11 Clients
Indoor Environment
Switches report to MSE switch port mapping of connected devices
MSE actively tracks communicated information and location of both devices and chassis
MSE maintains history of device connect, connection location, and device disconnect
MSE provides SOAP XML API to external systems that are interested in location of chassis or endpoint devices
Applications can query or receive async events when devices or chassis move location
C3750-E
CDP/LLDPMED
Switch and MSE communicate using NMSP
Switches notify MSE of wired client association / disassociation
Switches supported - Catalyst 2960, 3750, 3750E, 3560, 3560E, 4500, 4900
Required software versions
  Catalyst switches 12.2(50)SE
  WCS 6.0.x onwards
  MSE 6.0.x onwards
Deployment Checklist
Follow proper AP placement guidelines (location and density)
Configure NTP server on both WLC and MSE or manually synchronize both the devices (and preferably WCS) with the correct time and time zone.
Check the NMSP connection status on the controller
Ensure that tracking is enabled for the right devices
Ensure that the maps and AP positions are synchronized between the WCS and MSE
Ensure that location calculations are taking place either on the tracking page or the MSE console
For Clients
  Verify tracking is enabled on MSE
  Verify clients are detected by controller
  Max calculation time taken into account
For Tags
  Verify tracking is enabled on MSE
  Verify tags are detected by controller
  Max calculation time taken into account
Key Takeaways
Cisco Mobility Services Engine enables the deployment of advanced services (Context Aware, CleanAir, wIPS)
Implementing Context Aware Services requires following a set of best practices for optimal results
7.0-MR1 software release has a number of feature enhancements specific to the MSE and associated services
Recommended Reading
Cisco Mobility Services Engine - Context Aware Mobility Solution Deployment Guide
http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a00809d1529.shtml
Cisco Context-Aware Service Configuration Guide
http://www.cisco.com/en/US/products/ps9742/products_installation_and_configuration_guides_list.html
Cisco 3300 Series Mobility Services Engine Licensing and Ordering Guide
http://www.cisco.com/en/US/prod/collateral/wireless/ps9733/ps9742/data_sheet_c07-473865.html
WiKi Page External
http://www.cisco.com/en/US/products/ps9806/products_qanda_item09186a0080af9513.shtml
AeroScout Support Page
http://support.aeroscout.com
Thank you.