Recommendations
This section provides some recommendations that you can keep in mind while using the Cisco Catalyst 9800 Series Wireless Controller configuration model.
- When you design your Cisco Catalyst wireless network, it is important to consider site tags and the way these are mapped to APs. For the best performance of your Cisco Catalyst 9800 Series Wireless Controller, it is recommended that you:
  - Use custom site tags and not the default site tag.
  - Assign the same site tag to all the APs in the same roaming domain.
  - Limit the number of APs to 500 per site tag whenever possible.
  - Do not exceed the following maximum number of APs per site tag:

Table 1. Maximum Number of APs per Site Tag

| Platform | Maximum Number of APs per Site Tag |
|---|---|
| Cisco Catalyst 9800-80 Series Wireless Controller (medium and large) | 1600 |
| Cisco Catalyst 9800-CL Wireless Controller for Cloud (medium and large) | 1600 |
| Cisco Catalyst 9800-40 Series Wireless Controller | 800 |
| Any other Cisco Catalyst 9800 platform | Equal to the maximum number of APs supported. |

- When designing your policy tag assignment, ensure that all APs in the same roaming domain have the same policy profile. If you need to assign different policies, we recommend that you use Cisco IOS XE Amsterdam 17.3.x and later releases.
- We recommend that you limit the number of SSIDs configured on the controller. You can configure 16 simultaneous WLANs or SSIDs (per radio on each AP). Because each WLAN or SSID needs separate probe responses and beacons transmitted at the lowest mandatory rate, the RF pollution increases as more SSIDs are added.
  Also, some smaller wireless stations such as PDAs, Wi-Fi phones, and barcode scanners cannot cope with a high number of Basic SSIDs (BSSIDs) over the air. This results in lockups, reloads, or association failures. It is recommended that you have one to three SSIDs for an enterprise, and one SSID for high-density designs. By using the AAA override feature, you can reduce the number of WLANs or SSIDs while assigning individual per-user VLAN/settings in a single-SSID scenario.
- Because you can modify the existing tags, create new ones, and attach these tags to APs in different ways, we recommend that you validate the tag configuration using the following command:
  Device# wireless config validate
- Do not mix clients with DHCP and static IP address on the same SSID when associating with a VLAN group.
- To enhance security, ensure that all clients obtain their IP addresses from the DHCP server. The DHCP-Required option in the Policy profile settings forces clients to request or renew a DHCP address every time they associate with a WLAN, before they are allowed to send or receive other traffic in the network. The DHCP-Required option allows for strict control over the IP addresses in use.
- Set the per-WLAN user idle timeout to 3600 seconds (60 minutes) to reduce the likelihood of a client getting deleted when moving out of coverage areas or when the client is battery-operated and may go to sleep frequently.
- If you have devices that are still using Cisco Centralized Key Management, ensure that you change Cisco Centralized Key Management validation to 5 seconds to avoid roaming issues when using Cisco-based clients.
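
The site tag recommendations above can be checked against an AP inventory before tags are pushed. The following is an added example, not part of Cisco's documentation: the inventory tuples, the roaming-domain labels, and the platform keys are assumptions of this example, the limits come from Table 1, and `default-site-tag` is the name of the controller's default site tag.

```python
from collections import Counter, defaultdict

# Limits from Table 1 (9800-80 and 9800-CL: medium and large).
# The dictionary keys are labels chosen for this example.
MAX_APS_PER_SITE_TAG = {"9800-80": 1600, "9800-CL": 1600, "9800-40": 800}
RECOMMENDED_MAX = 500
DEFAULT_SITE_TAG = "default-site-tag"


def audit_site_tags(inventory, platform, platform_max_aps=None):
    """Return sorted (severity, subject, message) findings.

    inventory: (ap_name, site_tag, roaming_domain) tuples; the roaming
    domain is a design label supplied by the operator (assumption).
    platform_max_aps: needed for platforms outside Table 1, where the
    limit equals the maximum number of APs the platform supports.
    """
    inventory = list(inventory)
    hard_limit = MAX_APS_PER_SITE_TAG.get(platform, platform_max_aps)
    if hard_limit is None:
        raise ValueError(f"platform_max_aps is required for {platform!r}")
    per_tag = Counter(tag for _ap, tag, _domain in inventory)
    tags_by_domain = defaultdict(set)
    for _ap, tag, domain in inventory:
        tags_by_domain[domain].add(tag)
    findings = []
    for tag, count in per_tag.items():
        if tag == DEFAULT_SITE_TAG:
            findings.append(("warn", tag, f"{count} APs use the default site tag"))
        if count > hard_limit:
            findings.append(("error", tag, f"{count} APs exceed the maximum of {hard_limit}"))
        elif count > RECOMMENDED_MAX:
            findings.append(("warn", tag, f"{count} APs exceed the recommended {RECOMMENDED_MAX}"))
    for domain, tags in tags_by_domain.items():
        if len(tags) > 1:
            names = ", ".join(sorted(tags))
            findings.append(("warn", domain, f"roaming domain uses several site tags: {names}"))
    return sorted(findings)


def sample_inventory():
    """Constructed inventory; AP names, tags and domains are made up."""
    aps = [(f"hq-ap{i}", "site-hq", "hq") for i in range(850)]
    aps += [(f"wh-ap{i}", "site-warehouse", "warehouse") for i in range(520)]
    aps += [(f"new-ap{i}", DEFAULT_SITE_TAG, "warehouse") for i in range(3)]
    aps += [(f"br-ap{i}", "site-branch", "branch") for i in range(40)]
    return aps


if __name__ == "__main__":
    for severity, subject, message in audit_site_tags(sample_inventory(), "9800-40"):
        print(f"{severity:5} {subject}: {message}")
```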