Cisco Expert

300-430

ENWLSI (Enterprise Wireless Network Implementation)

The Implementing Cisco Enterprise Wireless Networks (300-430 ENWLSI) is a concentration exam for the CCNP Enterprise certification, focusing on implementing and configuring enterprise wireless networks. This expert-level exam validates hands-on skills in deploying, configuring, and troubleshooting Cisco wireless solutions including FlexConnect, QoS, multicast, advanced location services, and wireless security.

The exam covers FlexConnect architecture and configuration for branch office wireless deployments, QoS on wireless networks including DSCP mapping, priority queuing, and bandwidth management, multicast for wireless including IGMP snooping and multicast direct, advanced location services using Cisco DNA Spaces and CMX, and wireless client connectivity security including 802.1X authentication, EAP methods, AAA integration, and troubleshooting wireless security issues.

This certification is designed for senior wireless engineers, wireless implementation specialists, and network engineers responsible for deploying and supporting enterprise wireless infrastructure. Unlike the design-focused ENWLSD, this exam emphasizes hands-on configuration, implementation, and troubleshooting skills.

Updated Feb 2024 Networking

Питања

Пробни тестови

83%

Пролазни резултат

Прегледи

Укупно покушаја

Просечан резултат

Стопа пролазности

Дискусије

Пробни тестови Флеш картице Теме испита Шалабахтер

€5.00

300-430 Practice Exam 1

Comprehensive Cisco ENWLSI practice exam covering FlexConnect, QoS on wireless, multicast, advanced location services, and security for wireless client connectivity across 65 professional-level questions.

65 Q 90 минута 70%

Пробна вожња

€5.00

300-430 Practice Exam 2

65 Q 90 минута 70%

Пробна вожња

€5.00

300-430 Practice Exam 3

Comprehensive ENWLSI practice exam covering FlexConnect, QoS on wireless, multicast, advanced location services, and security for wireless client connectivity across 65 professional-level questions.

65 Q 90 минута 70%

Пробна вожња

€5.00

300-430 Practice Exam 4

Comprehensive ENWLSI practice exam covering FlexConnect, QoS on wireless, multicast, advanced location services, and security for wireless client connectivity across 65 professional-level questions.

65 Q 90 минута 70%

Пробна вожња

€5.00

300-430 Practice Exam 5

Comprehensive ENWLSI practice exam covering FlexConnect, QoS on wireless, multicast, advanced location services, and security for wireless client connectivity across 65 professional-level questions.

65 Q 90 минута 70%

Пробна вожња

€5.00

300-430 Practice Exam 6

Comprehensive ENWLSI practice exam covering FlexConnect, QoS on wireless, multicast, advanced location services, and security for wireless client connectivity across 65 professional-level questions.

65 Q 90 минута 70%

Пробна вожња

Откључајте сав садржај за 300-430

6 Пробни тест(ови) — 3 месеца приступа

€30.00 €20.99 Уштедите 30%

или укључено у месечну претплату / Комплет садржаја

300-430 Cheat Sheet

Брзи референтни водич - 6 секција

Бесплатан приступ

FlexConnect Overview

FlexConnect (formerly H-REAP) allows branch office APs to switch client data traffic locally at the remote site while the control plane remains with the Wireless LAN Controller (WLC) at the central site. This architecture reduces WAN bandwidth consumption, improves resiliency during WAN outages, and enables distributed branch deployments without requiring a controller at every site. FlexConnect APs communicate with the WLC over CAPWAP control channel (UDP 5246) while data traffic can be switched either centrally (tunneled back to the WLC) or locally (switched at the AP).

FlexConnect Modes of Operation

Connected Mode: AP has an active CAPWAP tunnel to WLC. All authentication and policy decisions flow through the controller.
Standalone Mode: AP has lost connectivity to WLC. Locally switched SSIDs remain operational. Clients can still authenticate using locally cached credentials or local EAP.
Authentication-Central / Switch-Central: Traditional CAPWAP operation, data tunneled to WLC.
Authentication-Central / Switch-Local: Authentication via WLC, data switched locally at AP.
Authentication-Local / Switch-Local: Both authentication and switching happen at the AP. Required for standalone mode survivability.

FlexConnect Groups

FlexConnect Groups allow you to centrally configure settings that apply to multiple FlexConnect APs at a branch, including backup RADIUS servers, local EAP authentication, CCKM/OKC fast roaming, local users, VLAN-to-SSID mappings, and WLAN-VLAN overrides. Up to 100 APs per FlexConnect group on AireOS WLCs.

Fast Roaming in FlexConnect

Roaming Method	Description	Scope
CCKM	Cisco Centralized Key Management, proprietary	Within FlexConnect Group
OKC	Opportunistic Key Caching	Within FlexConnect Group
802.11r FT	Fast BSS Transition, standards-based	Within FlexConnect Group
PMK Caching	Sticky key caching on same AP	Per-AP

VLAN Mapping and Native VLAN

For locally switched WLANs, FlexConnect APs map each WLAN to a specific VLAN on the local switch. The switchport connecting the AP must be configured as an 802.1Q trunk with the AP's management interface on the native VLAN.

! Catalyst switch configuration for FlexConnect AP
interface GigabitEthernet1/0/10
 description FlexConnect AP Branch Site
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30,40,50
 spanning-tree portfast trunk
 no shutdown
!

Configuring FlexConnect on AireOS WLC

! Enable FlexConnect mode on an AP
(Cisco Controller) > config ap mode flexconnect AP-BRANCH-01

! Create a FlexConnect Group
(Cisco Controller) > config flexconnect group BRANCH-GROUP add

! Add AP to FlexConnect Group
(Cisco Controller) > config flexconnect group BRANCH-GROUP ap add AA:BB:CC:DD:EE:FF

! Enable local switching on WLAN 2
(Cisco Controller) > config wlan flexconnect local-switching 2 enable

! Map WLAN 2 to VLAN 20 on the AP
(Cisco Controller) > config ap flexconnect vlan wlan 2 20 AP-BRANCH-01

! Enable VLAN support on the AP
(Cisco Controller) > config ap flexconnect vlan enable AP-BRANCH-01

Split Tunneling

Split tunneling allows specific traffic (defined via ACL) to be switched locally while the rest is tunneled to the WLC. This is commonly used with OEAP (Office Extend AP) deployments for teleworkers, where corporate traffic tunnels to HQ but Internet-bound traffic egresses locally.

! Create split tunnel ACL
(Cisco Controller) > config flexconnect acl create SPLIT-TUNNEL-ACL
(Cisco Controller) > config flexconnect acl rule add SPLIT-TUNNEL-ACL 1
(Cisco Controller) > config flexconnect acl rule source address SPLIT-TUNNEL-ACL 1 10.0.0.0 255.0.0.0
(Cisco Controller) > config flexconnect acl rule action SPLIT-TUNNEL-ACL 1 permit
(Cisco Controller) > config flexconnect acl apply SPLIT-TUNNEL-ACL

! Apply split tunnel ACL to WLAN
(Cisco Controller) > config wlan flexconnect split-tunnel 5 enable
(Cisco Controller) > config wlan flexconnect split-tunnel acl 5 SPLIT-TUNNEL-ACL

OfficeExtend AP (OEAP)

OEAP provides secure corporate WLAN access for teleworkers. The AP at the home office forms a DTLS-encrypted CAPWAP tunnel over the Internet to the corporate WLC in the DMZ. Key features:

DTLS encryption of data and control planes (UDP 5246/5247)
Personal SSID for home use (unencrypted tunnel)
Corporate SSIDs tunneled back to HQ
Split tunneling for local Internet breakout
Supported on 1810/1815/1830/1850/2800/3800/4800 APs with OEAP feature
Requires WLC in DMZ with public IP or NAT

FlexConnect ACLs

FlexConnect ACLs can be applied at the VLAN level, WLAN level, or per-client via AAA override. They filter traffic at the AP for locally switched WLANs. Rules support source/destination IP, protocol, and port matching.

AP Upgrade and Image Predownload

! Enable FlexConnect AP image upgrade (master AP)
(Cisco Controller) > config flexconnect group BRANCH-GROUP predownload enable
(Cisco Controller) > config flexconnect group BRANCH-GROUP master-ap AA:BB:CC:DD:EE:FF enable

! Check predownload status
(Cisco Controller) > show ap image all

The master AP downloads the image from the WLC once, then distributes it to slave APs in the group over the local LAN, dramatically reducing WAN bandwidth during upgrades.

FlexConnect Design Considerations

Maximum WAN latency between FlexConnect AP and WLC: 300 ms (100 ms recommended)
Minimum WAN bandwidth per AP: 128 kbps (control plane only in locally switched mode)
Up to 25 APs in standalone mode for authentication-local/switch-local WLANs
Local EAP supports LEAP, EAP-FAST, PEAP, and EAP-TLS
DHCP must be available at the branch for locally switched clients

802.1X Authentication Framework

802.1X is the IEEE standard for port-based network access control. In wireless deployments, the client (supplicant) authenticates to the authenticator (AP/WLC) which relays credentials to the authentication server (RADIUS/ISE). EAP (Extensible Authentication Protocol) is the transport framework that carries authentication messages over EAPOL (EAP over LAN) between supplicant and authenticator, and over RADIUS between authenticator and server.

EAP Methods Comparison

EAP Method	Server Cert	Client Cert	Inner Auth	Use Case
EAP-TLS	Required	Required	None (mutual cert)	Highest security, BYOD w/ PKI
PEAP-MSCHAPv2	Required	Optional	MSCHAPv2	AD integration, Windows domains
PEAP-GTC	Required	Optional	Token/OTP	Two-factor, OTP tokens
EAP-FAST	Optional (PAC)	Optional	MSCHAPv2/GTC	Cisco, no PKI required
EAP-TTLS	Required	Optional	PAP/CHAP/MSCHAP	Non-Microsoft environments
LEAP	No	No	MSCHAP	Deprecated, vulnerable to dictionary attacks

RADIUS Configuration on WLC

! Add RADIUS authentication server (ISE)
(Cisco Controller) > config radius auth add 1 10.1.1.10 1812 ascii MySharedSecret
(Cisco Controller) > config radius auth network 1 enable
(Cisco Controller) > config radius auth management 1 disable
(Cisco Controller) > config radius auth rfc3576 1 enable
(Cisco Controller) > config radius auth keywrap enable

! Add RADIUS accounting server
(Cisco Controller) > config radius acct add 1 10.1.1.10 1813 ascii MySharedSecret
(Cisco Controller) > config radius acct network 1 enable

! Apply RADIUS to WLAN
(Cisco Controller) > config wlan radius_server auth add 5 1
(Cisco Controller) > config wlan radius_server acct add 5 1
(Cisco Controller) > config wlan security wpa akm 802.1x enable 5

TACACS+ for WLC Management

! TACACS+ configuration for device admin
(Cisco Controller) > config tacacs auth add 1 10.1.1.10 49 ascii TacSharedSecret
(Cisco Controller) > config tacacs auth server-enable 1
(Cisco Controller) > config tacacs acct add 1 10.1.1.10 49 ascii TacSharedSecret
(Cisco Controller) > config tacacs author add 1 10.1.1.10 49 ascii TacSharedSecret

! Set authentication order for management
(Cisco Controller) > config aaa auth mgmt tacacs local

ISE Integration and Policy Sets

Cisco Identity Services Engine (ISE) provides centralized AAA, posture assessment, profiling, BYOD onboarding, and guest services. Integration with WLC involves:

Network Access Device (NAD): Add WLC as a RADIUS client in ISE with matching shared secret
Change of Authorization (CoA): Enable RFC 3576 on WLC so ISE can dynamically change session state (disconnect, reauth, URL redirect)
Authorization Profiles: Push VLAN, dACL, Airespace ACL, URL redirect, SGT via RADIUS attributes
Policy Sets: Match conditions (SSID, NAD location, user group) to authentication and authorization rules

ISE Posture Assessment

Posture evaluates endpoint compliance (AV, patches, registry, file existence) before granting full access. Flow:

Client authenticates via 802.1X, ISE matches posture-required policy
ISE returns url-redirect-acl and url-redirect RADIUS attributes
WLC redirects HTTP traffic to ISE posture portal
AnyConnect posture module assesses endpoint, reports to ISE
On compliance, ISE sends CoA to WLC to apply full access authorization

Management Frame Protection (MFP)

MFP protects management frames (deauth, disassoc, beacons) from spoofing attacks. Two variants:

Infrastructure MFP: APs sign their management frames. Other APs validate signatures and report anomalies. Transparent to clients.
Client MFP (802.11w PMF): Protected Management Frames. Requires client support. Encrypts action frames, deauth, disassoc using IGTK derived from 4-way handshake.

! Enable 802.11w PMF on WLAN
(Cisco Controller) > config wlan security pmf required 5
(Cisco Controller) > config wlan security pmf association-comeback 5 1
(Cisco Controller) > config wlan security pmf saquery-retrytimeout 5 200

Rogue AP Detection and Classification

Classification	Meaning
Unclassified	Detected, no rule matched
Friendly	Known neighbor, manually marked or matched MAC
Malicious	Threat to network (on-wire, matches malicious rule)
Custom	Matches custom rule-based classification

Rogue Containment

! Enable rogue detection globally
(Cisco Controller) > config rogue detection enable

! Configure RLDP (Rogue Location Discovery Protocol)
(Cisco Controller) > config rogue ap rldp enable

! Auto-contain rogue APs matching rules
(Cisco Controller) > config rogue rule add ap priority 1 classify malicious CONTAIN-RULE
(Cisco Controller) > config rogue rule condition ap set ssid CorpSSID CONTAIN-RULE
(Cisco Controller) > config rogue rule enable CONTAIN-RULE

! Manually contain a rogue AP
(Cisco Controller) > config rogue ap contain AA:BB:CC:DD:EE:FF 4

aWIPS (Adaptive Wireless IPS)

aWIPS provides advanced threat detection including deauth floods, honeypot APs, ad-hoc networks, KRACK attacks, and more. Requires wIPS license and integration with Cisco Prime Infrastructure or DNA Center. Monitor Mode APs or ELM (Enhanced Local Mode) APs scan off-channel for threats.

AP Authorization (MIC/SSC/LSC)

MIC (Manufacturer Installed Certificate): Default X.509 cert burned in at factory, used for CAPWAP DTLS
SSC (Self-Signed Certificate): Legacy, AP generates own cert, added to WLC authorization list
LSC (Locally Significant Certificate): Issued by customer PKI/CA, replaces MIC for enhanced security

Wireless QoS Fundamentals

Wireless QoS is essential because the RF medium is a shared half-duplex resource. Unlike wired QoS which manages output queues, wireless QoS primarily controls channel access via EDCA (Enhanced Distributed Channel Access) defined in 802.11e/WMM. Higher priority traffic gets shorter contention windows and arbitration interframe spaces (AIFS), winning channel access more often.

WLC QoS Profiles

Profile	Max Priority	802.1p (UP)	DSCP	Use Case
Platinum	Voice	6	46 (EF)	VoIP, real-time
Gold	Video	5	34 (AF41)	Video streaming, conferencing
Silver	Best Effort	0	0	Data, default traffic
Bronze	Background	1	10 (AF11)	Guest, scavenger

WMM Access Categories

WMM (Wi-Fi Multimedia) defines four Access Categories (AC) derived from 802.1p user priorities:

AC_VO (Voice): UP 6,7 - shortest AIFS (2), smallest CW
AC_VI (Video): UP 4,5 - AIFS 2, slightly larger CW
AC_BE (Best Effort): UP 0,3 - AIFS 3, default CW
AC_BK (Background): UP 1,2 - AIFS 7, largest CW

DSCP to UP Mapping (RFC 8325)

Cisco recommends RFC 8325 mapping which corrects legacy mismatches. Key mappings:

DSCP (Name)	DSCP Value	802.11 UP	WMM AC
EF (Voice)	46	6	AC_VO
CS6 (Network Control)	48	7 (mapped to 0 in RFC8325)	AC_BE
AF41 (Video)	34	5	AC_VI
CS3 (Signaling)	24	4	AC_VI
AF11	10	1	AC_BK
BE	0	0	AC_BE

Configuring QoS on WLAN

! Set QoS profile on WLAN 3 (voice)
(Cisco Controller) > config wlan qos 3 platinum

! Enable WMM (required for QoS)
(Cisco Controller) > config wlan wmm allow 3

! Enable 802.11e CAC for voice
(Cisco Controller) > config 802.11a cac voice acm enable
(Cisco Controller) > config 802.11a cac voice max-bandwidth 75
(Cisco Controller) > config 802.11a cac voice roam-bandwidth 6

! Configure video CAC
(Cisco Controller) > config 802.11a cac video acm enable
(Cisco Controller) > config 802.11a cac video max-bandwidth 25

Call Admission Control (CAC)

CAC prevents oversubscription of the RF medium for voice/video by limiting new calls. Three types:

Static CAC (Load-Based): Uses configured bandwidth percentage thresholds
Dynamic CAC (SIP CAC): Inspects SIP INVITE to track active calls
Expedited Bandwidth Request: E911 and priority calls bypass CAC limits

AVC (Application Visibility and Control)

AVC uses NBAR2 (Network-Based Application Recognition) to identify 1000+ applications via DPI. Enables per-application marking, dropping, or rate-limiting. Requires AVC license on WLC.

! Enable AVC visibility on WLAN 5
(Cisco Controller) > config wlan avc 5 visibility enable

! Create AVC profile
(Cisco Controller) > config avc profile CORP-AVC create
(Cisco Controller) > config avc profile CORP-AVC rule add 1 mark webex-meeting dscp 34
(Cisco Controller) > config avc profile CORP-AVC rule add 2 drop bittorrent
(Cisco Controller) > config avc profile CORP-AVC rule add 3 rate-limit netflix average-rate 1000

! Apply AVC profile to WLAN
(Cisco Controller) > config wlan avc 5 profile CORP-AVC enable

Cisco Fastlane (Apple Enterprise)

Fastlane is a joint Cisco-Apple optimization for iOS devices. When enabled:

Apple devices prioritize business traffic per MDM-defined whitelist
WLC signals QoS capability via vendor-specific IE in beacons
Platinum QoS profile applied to WLAN
WMM required and 802.1X security preferred
Sets optimal PHY parameters (RSSI thresholds, DTIM, etc.)

! Enable Fastlane on WLAN
(Cisco Controller) > config qos fastlane wlan enable 5

! Disable and return to previous QoS
(Cisco Controller) > config qos fastlane wlan disable 5

Per-User and Per-SSID Bandwidth Contracts

! Per-user bandwidth limits on WLAN 6 (guest)
(Cisco Controller) > config wlan override-rate-limit 6 per-user average-data-rate 2000
(Cisco Controller) > config wlan override-rate-limit 6 per-user burst-data-rate 4000
(Cisco Controller) > config wlan override-rate-limit 6 per-user average-realtime-rate 500

! Per-SSID aggregate limits
(Cisco Controller) > config wlan override-rate-limit 6 per-ssid average-data-rate 20000
(Cisco Controller) > config wlan override-rate-limit 6 per-ssid burst-data-rate 40000

Trust Boundary and DSCP Marking

WLC should trust DSCP from trusted sources (wired LAN) and re-mark untrusted traffic (wireless clients). By default, WLC caps outer CAPWAP DSCP at the WLAN QoS profile ceiling (platinum=46, gold=34, etc.). For end-to-end QoS, enable DSCP trust on the switch connecting the AP and WLC.

Multicast Delivery Modes on WLC

WLCs support two multicast forwarding modes. Choose based on network topology and scale requirements.

Mode	Mechanism	Pros	Cons
Unicast	WLC sends copy to each AP via CAPWAP unicast	Simple, no multicast routing	High WLC CPU, bandwidth inefficient
Multicast-Multicast	WLC sends single packet to CAPWAP multicast group, APs join	Efficient, scales well	Requires multicast routing in network

Configuring Multicast on WLC

! Enable multicast globally
(Cisco Controller) > config network multicast global enable

! Set multicast forwarding mode to multicast-multicast
(Cisco Controller) > config network multicast mode multicast 239.10.10.1

! Enable IGMP snooping
(Cisco Controller) > config network multicast igmp snooping enable
(Cisco Controller) > config network multicast igmp timeout 60

! Enable MLD snooping for IPv6 multicast
(Cisco Controller) > config network multicast mld snooping enable

IGMP Snooping

IGMP snooping on the WLC tracks which wireless clients have joined multicast groups so that multicast traffic is only forwarded to APs serving interested clients. Without snooping, multicast is sent to all APs regardless of client interest, wasting RF airtime.

Multicast Direct (VideoStream)

VideoStream converts multicast streams to unicast over the air, dramatically improving video quality for wireless clients:

Multicast frames sent at basic/mandatory data rate (e.g., 6 Mbps) are unreliable and unacknowledged
Multicast Direct sends unicast copies at higher rates with 802.11 ACKs
Per-radio, per-WLAN limits prevent AP oversubscription
Requires IGMP snooping enabled globally
RRC (Resource Reservation Control) ensures admission

! Enable Multicast Direct globally
(Cisco Controller) > config media-stream multicast-direct enable

! Configure media stream for a video source
(Cisco Controller) > config media-stream add CORP-VIDEO 239.1.1.100 239.1.1.100
    video 2000 500 periodic low enable enable

! Enable on WLAN
(Cisco Controller) > config wlan media-stream multicast-direct 5 enable

! Set per-radio and per-client limits
(Cisco Controller) > config 802.11a media-stream multicast-direct admission-besteffort enable
(Cisco Controller) > config 802.11a media-stream multicast-direct client-maximum 15
(Cisco Controller) > config 802.11a media-stream multicast-direct radio-maximum 20

mDNS (Bonjour) Gateway

The WLC acts as an mDNS (Multicast DNS) proxy/gateway, intercepting Bonjour queries and responses across VLAN boundaries. This enables Apple devices (AirPlay, AirPrint) to discover services on different VLANs without requiring multicast routing for the 224.0.0.251 link-local group.

! Enable mDNS snooping globally
(Cisco Controller) > config mdns snooping enable

! Add service for discovery
(Cisco Controller) > config mdns service create AirPrint _ipp._tcp.local. origin All lss disable

! Create mDNS profile
(Cisco Controller) > config mdns profile create CORP-MDNS
(Cisco Controller) > config mdns profile service add CORP-MDNS AirPrint
(Cisco Controller) > config mdns profile service add CORP-MDNS AirTunes

! Apply profile to WLAN
(Cisco Controller) > config wlan mdns profile 5 CORP-MDNS
(Cisco Controller) > config wlan mdns 5 enable

Location Specific Services (LSS)

LSS filters mDNS service responses based on the client and service provider location. Only services on APs near the requesting client are returned, preventing cross-campus AirPlay discovery chaos. Requires Cisco Prime or DNA Center location context.

Dynamic Routing on WLC

Most WLC deployments rely on Layer 2 dynamic interfaces and static routes. However, some deployments (e.g., FlexConnect central switching over WAN, mobility groups across subnets) benefit from dynamic routing.

Protocol	WLC Support	Notes
Static Routes	All WLCs	Default, used for service-port and overlapping networks
OSPF	Limited (via CLI on older AireOS)	Not recommended, use L3 switch upstream
Mobility Tunnels	All WLCs	EoIP (AireOS) or CAPWAP (9800) between controllers

! Static route configuration
(Cisco Controller) > config route add 10.50.0.0 255.255.0.0 10.1.1.1

! Show routing table
(Cisco Controller) > show route summary
(Cisco Controller) > show network summary

Mobility Groups and Anchor Controllers

Mobility groups enable seamless inter-controller roaming using CAPWAP mobility tunnels. Anchor controllers are used for guest traffic tunneling, where a foreign WLC tunnels guest data to a DMZ anchor WLC for centralized Internet egress and isolation from corporate networks.

! Configure mobility group
(Cisco Controller) > config mobility group name CORP-MOBILITY
(Cisco Controller) > config mobility group member add 10.1.1.5 11:22:33:44:55:66 CORP-MOBILITY

! Configure WLAN as anchored (on foreign WLC)
(Cisco Controller) > config wlan mobility anchor add 7 10.2.1.100

! On anchor WLC (DMZ), enable WLAN in anchor role
(Cisco Controller) > config wlan mobility anchor add 7 10.2.1.100

CAPWAP and Multicast Interaction

CAPWAP control: UDP 5246, unicast AP-WLC
CAPWAP data: UDP 5247, carries multicast/unicast client traffic
In multicast-multicast mode, WLC uses a dedicated multicast group (e.g., 239.10.10.1) for AP forwarding
APs must be able to join this group; enable PIM sparse-mode on L3 devices between WLC and APs

Cisco Location Services Portfolio

Cisco's wireless location services have evolved from MSE (Mobility Services Engine) to CMX (Connected Mobile Experiences) to DNA Spaces (now Cisco Spaces). These platforms use RF fingerprinting, RSSI trilateration, BLE, and hyperlocation (AoA) to determine client location for presence analytics, wayfinding, asset tracking, and guest engagement.

Location Platform Comparison

Platform	Deployment	Key Features	Status
MSE	On-prem VM/appliance	Legacy location, wIPS, CleanAir	Deprecated
CMX	On-prem VM/appliance	Presence, location, analytics, hyperlocation	End-of-Sale
DNA Spaces / Cisco Spaces	Cloud SaaS	Cloud analytics, IoT, BLE, captive portal, Webex integration	Current

RF Location Techniques

Presence (Cell of Origin): Determines which AP sees the strongest signal; zone-level accuracy (10-20m)
RSSI Trilateration: Uses 3+ APs to calculate position; accuracy 5-10m
RF Fingerprinting: Compares live RSSI to a calibrated heatmap; accuracy 3-5m
Hyperlocation (AoA): Angle-of-Arrival with Hyperlocation antenna array on 3600/3700/4800 APs; accuracy 1-3m
FastLocate: Uses data packets in addition to probes for faster updates (every 1-5 sec)
BLE (Bluetooth Low Energy): iBeacon/Eddystone tags, proximity 1-10m; Catalyst 9120/9130 and 4800 APs have BLE radios

Cisco CMX Services

Location Service: Core service computing client X/Y coordinates
Analytics Service: Dwell time, visit frequency, paths, heatmaps
Connect Service: Captive portal with social login (Facebook, Twitter) and SMS
Presence Service: Lightweight zone-level tracking without full maps

WLC to CMX/DNA Spaces Integration

WLC sends NMSP (Network Mobility Services Protocol) messages to CMX over TCP 16113 with TLS. NMSP carries measurements (RSSI, probe, info-pos) and configuration. For DNA Spaces cloud, the WLC communicates via a Spaces Connector appliance or directly via DTLS tunnel.

! Check NMSP status and CMX connectivity
(Cisco Controller) > show nmsp status
(Cisco Controller) > show nmsp subscription summary

! Enable RFID tag tracking
(Cisco Controller) > config rfid status enable
(Cisco Controller) > config rfid timeout 1200

! Enable client location
(Cisco Controller) > config location expiry client 300
(Cisco Controller) > config location expiry tags 1200
(Cisco Controller) > config location expiry rogue-aps 1200

Establishing CMX Trust with WLC

! On CMX CLI - get hash
[cmxadmin@cmx ~]$ cmxctl config controllers add

! On WLC - add CMX as NMSP server
(Cisco Controller) > config auth-list add sha256-lbs-ssc 00:0c:29:ab:cd:ef 

! Verify NMSP subscriptions for RSSI, info, stats
(Cisco Controller) > show nmsp subscription detail

Cisco DNA Spaces (Cisco Spaces)

Cisco Spaces is the cloud-based evolution offering three tiers: SEE (location analytics), ACT (engagement, captive portal, IoT), EXTEND (app platform). Integration options:

Spaces Connector: VM appliance on-site that relays data from WLC to cloud; supports AireOS and Catalyst 9800
Direct Connect: Catalyst 9800 native support for cloud tunnel (DTLS) without Connector
Meraki Cloud: Native integration for Meraki MR access points

Hyperlocation Configuration

Hyperlocation uses Angle-of-Arrival via a Hyperlocation antenna module (HALO) with 32 antennas in a ring. Provides 1-3m accuracy.

Supported APs: 3600 (HALO), 3700 (HALO), 4800 (built-in)
Requires CMX 10.x+ with Hyperlocation license
APs should be placed 40-60 ft apart in a grid
Enable FastLocate on WLC for more frequent updates

! Enable Hyperlocation globally
(Cisco Controller) > config advanced hyperlocation enable

! Enable per AP (if needed)
(Cisco Controller) > config ap hyperlocation enable AP-3700-01

! Verify hyperlocation
(Cisco Controller) > show advanced hyperlocation summary

BLE Beacons and Asset Tracking

APs with integrated BLE radios (e.g., 4800, 9120, 9130) can act as BLE beacons (transmitting iBeacon/Eddystone frames) or BLE scanners (detecting tags/phones). This enables:

Indoor wayfinding via mobile apps reading beacon frames
Asset tracking with BLE-enabled tags (Kontakt.io, BlueCats)
Proximity marketing and engagement in retail
IoT sensor data relay (environmental, occupancy)

! Configure BLE beacon on AP (Catalyst 9800)
WLC9800(config)# ap profile CORP-AP-PROFILE
WLC9800(config-ap-profile)# ble-beacon
WLC9800(config-ap-profile)# ble beacon uuid ACME-UUID major 100 minor 1
WLC9800(config-ap-profile)# ble tx-power 3

! Show BLE status
WLC9800# show ap ble summary

Structured Troubleshooting Methodology

Effective wireless troubleshooting follows a layered approach: verify physical/RF layer, then MAC/association, then authentication, then IP/DHCP, and finally application. Always gather baseline data before changes: client MAC, AP name, RSSI/SNR, channel, data rate, and timestamp of the issue.

Essential Show Commands (AireOS)

! Client inspection
(Cisco Controller) > show client summary
(Cisco Controller) > show client detail aa:bb:cc:dd:ee:ff
(Cisco Controller) > show client ap 802.11a AP-NAME
(Cisco Controller) > show client roam-history aa:bb:cc:dd:ee:ff

! AP inspection
(Cisco Controller) > show ap summary
(Cisco Controller) > show ap config general AP-NAME
(Cisco Controller) > show ap channel AP-NAME
(Cisco Controller) > show ap auto-rf 802.11a AP-NAME

! WLAN and interfaces
(Cisco Controller) > show wlan summary
(Cisco Controller) > show interface summary
(Cisco Controller) > show mobility summary

! CAPWAP and RADIUS
(Cisco Controller) > show capwap client rcb
(Cisco Controller) > show radius summary
(Cisco Controller) > show radius auth statistics

Show Commands (Catalyst 9800 IOS-XE)

! Catalyst 9800 WLC show commands
WLC9800# show wireless client summary
WLC9800# show wireless client mac-address aa:bb:cc:dd:ee:ff detail
WLC9800# show wireless stats client delete reasons
WLC9800# show ap summary
WLC9800# show ap name AP-01 config general
WLC9800# show ap name AP-01 dot11 5ghz
WLC9800# show wireless wlan summary
WLC9800# show platform software trace level wncd chassis active R0
WLC9800# show logging profile wireless filter mac aa:bb:cc:dd:ee:ff to-file flash:trace.txt

Debug Commands

Use debug judiciously - high-volume debugs can crash controllers. Always filter by client MAC when possible:

! Filter debug output by client MAC
(Cisco Controller) > debug client aa:bb:cc:dd:ee:ff

! Authentication debugs
(Cisco Controller) > debug dot1x events enable
(Cisco Controller) > debug aaa events enable
(Cisco Controller) > debug aaa detail enable

! DHCP issues
(Cisco Controller) > debug dhcp message enable
(Cisco Controller) > debug dhcp packet enable

! Mobility issues
(Cisco Controller) > debug mobility handoff enable

! Always disable when done
(Cisco Controller) > debug disable-all

RF Metrics and Interpretation

Metric	Excellent	Good	Poor
RSSI	-30 to -55 dBm	-56 to -70 dBm	Below -75 dBm
SNR	Above 40 dB	25-40 dB	Below 20 dB
Noise Floor	Below -95 dBm	-90 to -95 dBm	Above -85 dBm
Channel Utilization	Below 30%	30-50%	Above 70%
Retry Rate	Below 10%	10-20%	Above 30%

RRM (Radio Resource Management)

RRM auto-tunes channel (DCA) and power (TPC) based on neighbor measurements. Key algorithms:

DCA (Dynamic Channel Assignment): Selects channels to minimize interference; runs every 10 min by default
TPC (Transmit Power Control): TPCv1 lowers power when neighbors heard strongly; TPCv2 for dense deployments
CHD (Coverage Hole Detection): Detects weak client SNR and raises AP power
Flexible Radio Assignment (FRA): On tri-radio APs (3800/4800/9120), dynamically assigns 2.4/5/monitor roles

! View RRM configuration
(Cisco Controller) > show advanced 802.11a channel
(Cisco Controller) > show advanced 802.11a txpower
(Cisco Controller) > show advanced 802.11a monitor

! Tune RRM
(Cisco Controller) > config advanced 802.11a channel global auto
(Cisco Controller) > config advanced 802.11a tx-power-control-thresh -65

! Run DCA immediately
(Cisco Controller) > config advanced 802.11a channel update

CleanAir Spectrum Intelligence

CleanAir uses a dedicated SAgE ASIC to classify non-Wi-Fi interferers (microwave, Bluetooth, cordless phones, jammers). EDRRM (Event-Driven RRM) reacts to severe interference by changing channel.

AQ (Air Quality) score 0-100 (100 = no interference)
AQ below 35 triggers EDRRM channel change
Supported on CleanAir-capable APs: 3600, 3700, 3800, 4800

! Enable CleanAir and EDRRM
(Cisco Controller) > config 802.11a cleanair enable
(Cisco Controller) > config 802.11a cleanair alarm air-quality enable
(Cisco Controller) > config advanced 802.11a channel cleanair-event enable
(Cisco Controller) > config advanced 802.11a channel cleanair-event sensitivity high

! View air quality
(Cisco Controller) > show 802.11a cleanair air-quality summary
(Cisco Controller) > show 802.11a cleanair device type all

AP CLI Troubleshooting

! SSH/console into AP
AP-01# show capwap client config
AP-01# show capwap client rcb
AP-01# show dot11 traffic
AP-01# show interfaces dot11Radio 0
AP-01# show dot11 associations
AP-01# debug capwap console cli
AP-01# debug dot11 client data-path aa:bb:cc:dd:ee:ff

Packet Captures

Sniffer Mode AP: Configure AP in sniffer mode, stream captures to Wireshark remote interface
AP Embedded Capture: debug traffic wired/wireless capture
WLC SPAN: Mirror management interface to analyzer port
Catalyst 9800 EPC: Embedded Packet Capture - monitor capture

! Catalyst 9800 EPC example
WLC9800# monitor capture CAP interface GigabitEthernet1 both
WLC9800# monitor capture CAP match ipv4 any host 10.1.1.50
WLC9800# monitor capture CAP start
WLC9800# monitor capture CAP stop
WLC9800# monitor capture CAP export flash:cap.pcap

! Sniffer mode AP configuration
(Cisco Controller) > config ap mode sniffer AP-SNIFFER
(Cisco Controller) > config ap sniff 802.11a enable 36 10.1.1.200 AP-SNIFFER

Common Issue Scenarios

Symptom	Likely Cause	Diagnostic
Client can't authenticate	RADIUS reachability, shared secret, cert issues	debug aaa events, show radius auth stats
Client can't get IP	DHCP relay, VLAN mapping wrong	debug dhcp message, show interface detailed
AP not joining WLC	DTLS cert, DHCP option 43, DNS	debug capwap events, show ap join stats
Slow roaming	Missing FT/OKC, sticky client	show client roam-history, check PMF/FT config
Poor throughput	Low SNR, channel utilization, interference	show ap auto-rf, CleanAir AQ, client RSSI

300-430

ENWLSI (Enterprise Wireless Network Implementation)

300-430 Practice Exam 1

300-430 Practice Exam 2

300-430 Practice Exam 3

300-430 Practice Exam 4

300-430 Practice Exam 5

300-430 Practice Exam 6

Откључајте сав садржај за 300-430

Флеш картице

Доступни језици

Теме испита

300-430 Cheat Sheet

FlexConnect Overview

FlexConnect Modes of Operation

FlexConnect Groups

Fast Roaming in FlexConnect

VLAN Mapping and Native VLAN

Configuring FlexConnect on AireOS WLC

Split Tunneling

OfficeExtend AP (OEAP)

FlexConnect ACLs

AP Upgrade and Image Predownload

FlexConnect Design Considerations

802.1X Authentication Framework

EAP Methods Comparison

RADIUS Configuration on WLC

TACACS+ for WLC Management

ISE Integration and Policy Sets

ISE Posture Assessment

Management Frame Protection (MFP)

Rogue AP Detection and Classification

Rogue Containment

aWIPS (Adaptive Wireless IPS)

AP Authorization (MIC/SSC/LSC)

Wireless QoS Fundamentals

WLC QoS Profiles

WMM Access Categories

DSCP to UP Mapping (RFC 8325)

Configuring QoS on WLAN

Call Admission Control (CAC)

AVC (Application Visibility and Control)

Cisco Fastlane (Apple Enterprise)

Per-User and Per-SSID Bandwidth Contracts

Trust Boundary and DSCP Marking

Multicast Delivery Modes on WLC

Configuring Multicast on WLC

IGMP Snooping

Multicast Direct (VideoStream)

mDNS (Bonjour) Gateway

Location Specific Services (LSS)

Dynamic Routing on WLC

Mobility Groups and Anchor Controllers

CAPWAP and Multicast Interaction

Cisco Location Services Portfolio

Location Platform Comparison

RF Location Techniques

Cisco CMX Services

WLC to CMX/DNA Spaces Integration

Establishing CMX Trust with WLC

Cisco DNA Spaces (Cisco Spaces)

Hyperlocation Configuration

BLE Beacons and Asset Tracking

Structured Troubleshooting Methodology

Essential Show Commands (AireOS)

Show Commands (Catalyst 9800 IOS-XE)

Debug Commands

RF Metrics and Interpretation

RRM (Radio Resource Management)

CleanAir Spectrum Intelligence

AP CLI Troubleshooting

Packet Captures

Common Issue Scenarios