High Availability: Redundancy management interface has overlapping address with wireless management, this can cause serious network problems Action: Modify the command redun-management using non-overlapping addresses. |
| 230078 | High Availability: Redundancy state indicates a possible problem. Please check status of the other unit Action: RMI configuration was detected, and the current redundancy state indicates a problem. Check the status of the other unit |
| 230124 | Management: HTTP server does not have an IPv4 access class set. To improve security, it is advisable to set ACL explicitly allowing address that can configure the controller |
| 230001 | Version: IOS-XE Controller with not recommended code:17.9.4a, please check software download page for the current version for your hardware Action: Controller is running not recommended code and should be upgraded, better, similar code is available. |
| 230023 | NTP: Controller with no valid time source (sync has not happened) or file without NTP information, please check if controller has valid NTP server configured Action: No active time source detected for this controller. It could be incomplete configuration. Command: config time ntp server |
| 230038 | Management: To prevent WebUI issues while using some large GUI options (VLANs for example), it is advisable to increase the VTY count to 50 Action: Use the command 'line vty 0 50' to increase the VTY count |
| 230056 | Management: Service tcp-keepalive in/out, should be enabled to reduce lingering inactive connections to management points Action: Add: service tcp-keepalives in/service tcp-keepalives out to configuration |
| 230065 | Webauth: The Webauth Global parameter map, does not have IPv6 virtual address. It is advisable to add one Action: Depending on your client types, it is good idea to define IPv6 virtual address for Webauth. It can reduce redirection errors. Use 'parameter-map type webauth global' config command, then 'virtual-ip ipv6 ADDRESS' |
| 230085 | LAG: LAG was detected in use, and port channel load balancing is not set to src-dst-mixed-ip-port. Per best practices, please change both the controller and the switch for optimal port balancing Action: Best practices recommend to use command port-channel load-balance src-dst-mixed-ip-port, for best port balancing. This must be configured as well on the switch side |
| 230129 | Security: Current configuration is vulnerable to CVE-2023-48795/CSCwi59338, Chacha20 should be removed from SSH encryption options Action: CVE-2023-48795 describes a security problem on some SSH extensions present in OpenSSH for specific encryption protocols. It is recommended to remove this option from SSH configuration. Use command: ip ssh server algorithm encryption aes128-gcm@openssh.com aes256-gcm@openssh.com aes128-gcm aes256-gcm aes128-ctr aes192-ctr aes256-ctr. |
| 230140 | Interfaces: More than one Port Channel interface with same allowed VLAN list Action: Allowing same VLANs across Port Channels, may cause traffic loop, and possible instability issues. It is advisable to filter out vlans that are not required to be duplicated. Check your topology, as this may depend on switch side configuration as well, and could be fine for your config. Command: switchport trunk allowed vlan |
| 230057 | DHCP: If DHCP helper (relay) is defined, the interface should have dhcp relay source interface command pointing to wireless management interface, to avoid asymmetric DHCP routing scenarios. Interfaces: Vlan1 Action: Add: ip dhcp relay source-interface to the interface SVI/Vlan configuration |
| 240020 | 11k: 11k Neighbor List is in use, but dual band is disabled. if not using single-band devices, enable both for best results. WLAN(s): JAYHAWK Action: For best results, it is better to enable dual band support for 11k. This should only be avoided, if single band devices are present on the network. This is part of the WLAN profile |
| 250014 | ARP: ARP proxy is disabled. To save client battery and other performance improvements, it is recommended to enable. Profiles: default-policy-profile Action: Go to the policy profile and enable ARP proxy setting. This is available from 17.3 |
| 250015 | Security: Profile with vlan set to default or 1. This is not recommended, even for AAA override scenarios. Profiles: default-policy-profile Action: Go to the policy profile configure a VLAN. Default should only be used on small network, with low security requirements |
| 290004 | Syslog: Syslog host is not set (using default broadcast value). For best practices, it is recommended to use a syslog server. AP Profiles: default-ap-profile Action: To ensure data is available for future troubleshooting in case of problems, it is best practices to define a syslog server for all APs on the Join profile |
| 230026 | 11b: Legacy rate enabled in Global Config . Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. Action: In most scenarios, it is good idea to disable 11b data rates (1,2,5.5,11), as they would use more RF time, and be more sensible to interference, it is advisable to only enable 11g rates, unless you need to support legacy devices. Command:config 802.11b rate disabled X |
| 230045 | Client Profiling: Device Classification (client profiling) is not globally enabled, it is recommended to use it Action: Use Device classification as best practice, to help on troubleshooting, network characterization or problem isolation |
| 230046 | RRM: ED-RRM is not in use. It is recommended to enable for enterprise environments. Band(s): 2.4 GHz 5 GHz Action: This is purely a general recommendation, please validate if applicable in your environment. ED-RRM could provide fast reaction to severe RF issues |
| 230042 | Security: Password Encryption is not enabled. This is optional feature to protect keys/passwords in configuration Action: Use password encryption aes command.For more information, check 9800 Best practices guide |
| 230083 | Tags: For versions 17.6 and higher, it is advisable to use AP tag persistency command, to ensure tags are preserved if AP is temporarily moved to another controller Action: Configure ap tag persistency enable, this is specially important for N+1 redundancy scenarios |
| 230099 | Rogues: Rogue AP policies and rules should be defined, specially around managed SSIDs |
| 290005 | Monitoring: AP system monitoring statistics are not enabled. To improve AP status visibility it would be recommended to use it. AP Profiles: default-ap-profile Action: Monitor System Statistics is a feature in 17.5 and higher, to enable AP CPU and memory monitoring , you can enable it on AP profile, AP tab, AP statistics section |
