WLC-Best Practices-Infrastructure

The document discusses several infrastructure configuration recommendations for Cisco wireless LAN controllers. It recommends enabling application visibility, disabling CCX Aironet IE, and using an external DHCP server. It also recommends enabling features like high availability, HTTPS management access, load balancing, local profiling, mDNS snooping, and multicast forwarding for optimal performance. The document provides CLI commands to configure these settings and check compliance with the recommendations.

Infrastructure https://wlc.mmki.co.id/bp/helpfiles/r-infrastructure.html

Infrastructure
Application Visibility
Description— Application Visibility should be enabled. Clicking Fix it Now enables Application Visibility on all WLANs.
Status:
Compliant—Enabled on one or more WLANs
Non-Compliant—Disabled on all WLANs
CLI Option—Enable AVC on a WLAN by entering this command:
(Cisco Controller) >config wlan avc wlan-id visibility enable

Disable Aironet IE
Description—CCX Aironet IE feature should be disabled. Clicking Fix it Now disables CCX Aironet IE.
Aironet IE is a Cisco proprietary attribute used by Cisco devices for better connectivity. It contains information, such as the
access point name, load, number of associated clients, and so on sent out by the access point (AP) in the beacon and probe
responses of the WLAN. The Cisco Client Extensions (CCX) clients use this information to choose the best AP with which to
associate.
The CCX software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these
clients enables them to communicate wirelessly with Cisco APs and to support Cisco features that other client devices do not.
The features are related to increased security, enhanced performance, fast roaming, and power management.
Aironet IE is optional for CCX-based clients, but it can cause compatibility issues with some types of wireless clients.
Keep it enabled on WLANs that serve workgroup bridges (WGB) and Cisco voice handsets; on general production WLANs it is
usually beneficial to disable Aironet IE after testing with the client mix in use.
Status:
Compliant—CCX Aironet IE disabled on all WLANs.
Non-Compliant—CCX Aironet IE enabled on one or more WLANs.
CLI Option—Disable support for Aironet IEs for a particular WLAN by entering this command:
(Cisco Controller) >config wlan ccx aironetIeSupport disable wlan-id

Disable Internal DHCP


Description—The internal DHCP server is intended for lab and testing use, not for large-scale deployments. We
recommend that you use an external DHCP server instead. The internal server is selected for an interface when that
interface's primary DHCP server is set to the controller's own management IP address, so pointing the interface at an
external server is what takes the internal server out of service.
Status:
Compliant—Internal DHCP server is disabled
Non-Compliant—Internal DHCP server is in use
CLI Option—Point the management interface at an external DHCP server by entering this command:
(Cisco Controller) >config interface dhcp management primary ip-address

Note The IP address must be that of the external DHCP server, not the management IP address of the controller; using the
management IP address selects the internal DHCP server.

Controller High Availability


Description—High Availability should be enabled. If redundancy mode is not set, assume HA is not enabled.
Status:
Compliant—Enabled
Non-Compliant—Disabled

Disable Management over Wireless


Description—The Management over Wireless feature allows operators to monitor and configure local WLCs from a wireless
client. Disable it for security reasons: with it enabled, any wireless client that can reach the management interface,
including one on a compromised device, can talk to the controller's management plane over the air. Clicking
Fix it Now disables management over wireless.
Status:
Compliant—Management over Wireless is disabled
Non-Compliant—Management over Wireless is enabled
CLI Option—Disable management over wireless by entering this command:
(Cisco Controller) >config network mgmt-via-wireless disable

Fast SSID
Description—Fast SSID should be enabled. It lets a client move from one SSID to another on the same controller without
waiting for its old client entry to be cleared first. Clicking Fix it Now enables fast SSID.
Status:
Compliant—Enabled
Non-Compliant—Disabled
CLI Option—Enable fast SSID by entering this command:
(Cisco Controller) >config network fast-ssid-change enable

HTTPS for Management


Description—Secure Web Access (HTTPS) should be enabled and plain Web Access (HTTP) should be disabled; over HTTP the
administrator credentials and session cookies cross the network in cleartext. Clicking Fix it Now enables HTTPS and
disables HTTP.
Status:
Compliant—HTTPS enabled; HTTP disabled
Non-Compliant—HTTPS enabled, HTTP enabled or HTTPS disabled, HTTP enabled
CLI to configure:
Disable web mode so that users cannot reach the WLC GUI at http://ip-address, by entering this command:
(Cisco Controller) >config network webmode disable
Enable Secure Web Access mode so that users reach the WLC GUI at https://ip-address, by entering this
command:
(Cisco Controller) >config network secureweb enable

Load Balancing
Description—Client load balancing spreads clients across neighbouring APs by rejecting association attempts to a
heavily loaded AP, which can disrupt interactive traffic; we recommend that you not use it on WLANs carrying voice or
video. Clicking Fix it Now enables load balancing on all WLANs, which may impact service at the time.
Status:
Compliant—Enabled on one or more WLANs
Non-Compliant—Disabled on all WLANs
CLI Option—Enable load balancing on a WLAN by entering this command:
(Cisco Controller) >config wlan load-balance allow enable wlan-id

Load Balancing Window


Description—When client load balancing is enabled, we recommend that you set the window size to 5 or higher to avoid an
aggressive load balancing algorithm.
Status:
Compliant—Load balancing window is 5 or higher
Non-Compliant—Load balancing window is less than 5
CLI Option—Set the load balancing window by entering these commands (the window is a global setting; disable and
re-enable the WLAN around the change so that it takes effect):
(Cisco Controller) >config wlan disable wlan-id
(Cisco Controller) >config wlan load-balance allow enable wlan-id
(Cisco Controller) >config load-balancing window client-count
(Cisco Controller) >config wlan enable wlan-id

Note Set client-count to 5 or higher. An AP starts rejecting new associations only when it has client-count more
clients than the least-loaded neighbouring AP, so a small window makes load balancing aggressive.

Local Profiling
Description—Local profiling should be enabled. Clicking Fix it Now enables local profiling (DHCP/HTTP) on all WLANs; this
may impact service at the time.
Status:
Compliant—Enabled on one or more WLANs.
Non-Compliant—Disabled on all WLANs.
CLI Option—Enable local profiling on a WLAN by entering this command for each WLAN (all selects both DHCP and HTTP
profiling):
(Cisco Controller) >config wlan profiling local all enable wlan-id

mDNS Gateway
Description—mDNS snooping should be enabled. Clicking Fix it Now enables mDNS snooping.
Status:
Compliant—Enabled
Non-Compliant—Disabled
CLI Option—Enable mDNS snooping by entering this command:
(Cisco Controller) >config mdns snooping enable

Multicast Forwarding
Description—Use multicast forwarding mode for the best performance with less bandwidth utilization. In unicast mode the
controller sends a separate copy of every multicast packet to each AP; in multicast mode it sends one copy to a CAPWAP
multicast group that the APs join. Networks with large IPv6 client counts, heavy multicast applications such as video
streaming, or mDNS without mDNS proxy benefit greatly from multicast mode.
Status:
Compliant—Enabled
Non-Compliant—Disabled
To verify the multicast mode on the controller:
(Cisco Controller) >show network summary
To configure multicast-multicast operations:
(Cisco Controller) >config network multicast mode multicast multicast-group-ip-address
(Cisco Controller) >config network multicast global enable

Note The multicast address is used by the WLC to forward traffic to Access Points (APs). It is important that the
multicast address does not match another address in use on your network by other protocols. For example, if
you use 224.0.0.251, it breaks mDNS used by some third-party applications. We recommend that the address
be in the administratively scoped range (239.0.0.0 – 239.255.255.255), avoiding 239.0.0.x and 239.128.0.x: IPv4
multicast MAC addresses are built from the low 23 bits of the group address, so those two blocks share layer-2
addresses with the 224.0.0.x control groups that switches flood to every port. It is also important that the
multicast IP address be set to a different value on each WLC, so that a WLC that speaks to its APs does not
reach the APs of another WLC.
If the APs are on a different subnetwork than the one used on the management interface, your network
infrastructure must provide multicast routing between the management interface subnet and the AP
subnetwork.
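As an added example, not code from the original page or from Cisco, the following Python script parses the dotted "Label..... Value" layout of show network summary and checks the HTTPS for Management, Disable Management over Wireless, Fast SSID and Multicast Forwarding items above, applying the group address rules from the note. The sample output is constructed for the example, and the field names (for instance "IPv4 AP Multicast/Broadcast Mode") are assumptions about the 8.x output that should be verified against your release.

```python
import ipaddress
import re

# Constructed sample modelled on the dotted "Label..... Value" layout of
# "show network summary" (not captured from a real controller; field names are assumptions).
SAMPLE_SUMMARY = """\
RF-Network Name............................. CAMPUS
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode SSL Protocol................ TLSv1.2
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Enable
IPv4 AP Multicast/Broadcast Mode............ Multicast   224.0.0.251
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
Fast SSID Change ........................... Enabled
"""

LINE_RE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_summary(text):
    """Map each 'Label..... Value' line to {label: value}; lines without a dot leader are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group("key").strip()] = m.group("value").strip()
    return settings


def is_enabled(value):
    """The controller prints 'Enable' for some items and 'Enabled' for others; treat both as on."""
    return value.lower().startswith("enable")


# Group address policy from the note above: 239/8 only, avoiding the two /24s whose
# low 23 bits map to the same multicast MAC as the 224.0.0.x control groups.
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")
MAC_COLLIDING = (ipaddress.ip_network("239.0.0.0/24"), ipaddress.ip_network("239.128.0.0/24"))
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")


def multicast_group_problems(addr):
    """Return the policy violations for a CAPWAP multicast group address (empty list if clean)."""
    ip = ipaddress.ip_address(addr)
    problems = []
    if ip == MDNS_GROUP:
        problems.append("group address is the mDNS group 224.0.0.251")
    if ip not in ADMIN_SCOPED:
        problems.append("group address is outside 239.0.0.0/8")
    elif any(ip in net for net in MAC_COLLIDING):
        problems.append("group address shares a multicast MAC with a 224.0.0.x control group")
    return problems


def audit(settings):
    """Return (check name, compliant?, detail) for four of the items on this page."""
    web = settings.get("Web Mode", "")
    secure = settings.get("Secure Web Mode", "")
    mgmt = settings.get("Mgmt Via Wireless Interface", "")
    fast = settings.get("Fast SSID Change", "")
    fields = settings.get("IPv4 AP Multicast/Broadcast Mode", "").split()
    mode = fields[0].lower() if fields else "unknown"
    group = fields[1] if len(fields) > 1 else None
    problems = multicast_group_problems(group) if mode == "multicast" and group else []
    mcast_ok = (mode == "multicast"
                and is_enabled(settings.get("Ethernet Multicast Forwarding", ""))
                and not problems)
    return [
        ("HTTPS for Management", is_enabled(secure) and not is_enabled(web),
         f"Web Mode={web}, Secure Web Mode={secure}"),
        ("Disable Management over Wireless", not is_enabled(mgmt),
         f"Mgmt Via Wireless Interface={mgmt}"),
        ("Fast SSID", is_enabled(fast), f"Fast SSID Change={fast}"),
        ("Multicast Forwarding", mcast_ok,
         f"mode={mode}, group={group}; " + ("; ".join(problems) or "no address problems")),
    ]


if __name__ == "__main__":
    for name, ok, detail in audit(parse_summary(SAMPLE_SUMMARY)):
        status = "Compliant" if ok else "Non-Compliant"
        print(f"{status:<14} {name}: {detail}")
```

Feed it the real output of show network summary captured over SSH to audit a controller offline; the parser keys on the dot leader, so extra or reordered lines do not break it, and a missing field simply reads as non-compliant.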

Multicast Mobility
Description—Multicast mobility lets a WLC send mobility announcements once to a multicast group that all its mobility
peers join, instead of sending a unicast copy to each peer, which saves CPU and network bandwidth. When the controllers'
management interfaces are on different subnets, ensure that multicast traffic is routed between them.
Status:


Compliant—Enabled
Non-Compliant—Disabled
CLI Option—Configure the mobility multicast mode by entering this command:
(Cisco Controller) >config mobility multicast-mode enable local-multicast-address

Multicast VLAN
Description—With interface groups in use, we recommend that you enable multicast VLAN to limit multicast on the air to a
single copy on a predefined multicast VLAN.
Status:
Compliant—Multicast VLAN is enabled for all WLANs that are mapped to an interface group
Non-Compliant—Multicast VLAN is not enabled for one or more WLANs that are mapped to an interface group
CLI Option—Enable Multicast VLAN by entering this command:
(Cisco Controller) >config wlan multicast interface wlan-id enable interface-group

NTP
Description—An NTP server should be used to synchronize the WLC clock.
Network Time Protocol (NTP) is very important for several features. It is mandatory to use NTP synchronization on WLCs if
you use any of these features: Location, SNMPv3, access point authentication, or MFP. Accurate time is needed to validate
certificate lifetimes when APs join, for SNMPv3 time-window replay protection and for MFP frame timestamps. The WLC
supports synchronization with NTP using authentication, which stops a spoofed NTP source from shifting the clock.
Status:
Compliant—Configured
Non-Compliant—Not configured
CLI Option:
Add an NTP server by entering this command:
(Cisco Controller) >config time ntp server ntp-server-index ntp-server-ip-address
Enable NTP authentication by first adding a key and then binding it to the server, by entering these commands:
(Cisco Controller) >config time ntp key-auth add key-index md5 ascii key
(Cisco Controller) >config time ntp auth enable ntp-server-index key-index

Tagged Management VLAN


Description—We highly recommend that you tag the RMI and management interfaces for HA, IPv6, and WGB VLAN support.
Status:
Compliant—Management VLAN is tagged
Non-Compliant—Management VLAN is untagged
CLI Option—Enable Tagged Management VLAN by entering this command:
(Cisco Controller) >config interface vlan management vlan-id

Virtual Gateway IP
Description—The virtual interface address is the one wireless clients see for web-authentication redirects and as the
DHCP relay source, so configure a non-routable IP address for it; if the address is also allocated on the Internet,
wireless clients can no longer reach the real host at that address. Ensure that this non-routable address does not
overlap with network infrastructure addresses. Use one of the ranges set aside in RFC 5737, for example
192.0.2.0/24, 198.51.100.0/24, or 203.0.113.0/24.
Status:
Compliant—Virtual IP address is not overlapping with Internet Allocated Addresses
Non-Compliant—Virtual IP address is overlapping with Internet Allocated Addresses
CLI Option—Set the virtual interface address by entering this command:
(Cisco Controller) >config interface address virtual virtual-ip-address
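As an added example, not code from the original page or from Cisco, this Python check implements the compliance rule above with the standard ipaddress module: the virtual address must not be globally routable, must not fall inside a prefix the organisation uses (the prefix list here is constructed for the example), and should sit in an RFC 5737 documentation prefix. The candidate addresses in the usage section are constructed too; 1.1.1.1 is included because it was a common legacy choice and is now a globally routed address.

```python
import ipaddress

# Documentation prefixes from RFC 5737, the ranges the page suggests for the virtual interface.
RFC5737 = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed list of prefixes assumed to be in use on the example network (not from the page).
INFRA_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def check_virtual_ip(virtual_ip, infrastructure_prefixes):
    """Return (compliant, notes).

    Non-compliant when the address is globally routable (it overlaps Internet-allocated
    space), is not a usable unicast address, or falls inside a prefix the organisation
    uses. A non-routable address outside RFC 5737 passes but gets an advisory note.
    """
    ip = ipaddress.ip_address(virtual_ip)
    notes = []
    if ip.version != 4:
        return False, ["the virtual interface takes an IPv4 address"]
    if ip.is_global:
        notes.append(f"{ip} is globally routable; wireless clients would lose the real host at that address")
    if ip.is_multicast or ip.is_loopback or ip.is_unspecified:
        notes.append(f"{ip} is not a usable unicast address")
    for prefix in infrastructure_prefixes:
        if ip in ipaddress.ip_network(prefix, strict=False):
            notes.append(f"{ip} overlaps infrastructure prefix {prefix}")
    if notes:
        return False, notes
    if not any(ip in net for net in RFC5737):
        notes.append(f"{ip} is non-routable but outside RFC 5737; prefer a documentation prefix")
    return True, notes


if __name__ == "__main__":
    # Constructed candidates: a documentation address, a now globally routed legacy default,
    # an address inside the organisation's own space, and shared address space (RFC 6598).
    for candidate in ("192.0.2.1", "1.1.1.1", "10.10.10.10", "100.64.0.1"):
        ok, notes = check_virtual_ip(candidate, INFRA_PREFIXES)
        print(candidate, "Compliant" if ok else "Non-Compliant", "; ".join(notes))
```

Replace INFRA_PREFIXES with the prefixes from your IPAM before running it against the address shown by show interface summary.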


WLAN not on Management Interface


Description—We recommend that you map non-management WLANs to dynamic interfaces so that user traffic is split from
management traffic; a WLAN on the management interface places its clients in the same VLAN as the controller's
management plane.
Status:
Compliant—No user WLAN is mapped to the management interface
Non-Compliant—One or more WLANs are mapped to management interface
CLI Option—Map a WLAN to a dynamic interface by entering this command:
(Cisco Controller) >config wlan interface wlan-id interface-name

Note The interface should be a dynamic interface, not the management interface.
