Wireless/Redundant Edge Services xl Module Management and Configuration Guide WS.02.xx and greater

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

Table Of Contents

ProCurve Wireless Edge Services xl Module and ProCurve Redundant Wireless Services xl Module
Title Page
Copyright and Disclaimer Notices
Table of Contents
1. Introduction
- Contents
- ProCurve Wireless Edge Services xl Module
- Radio Ports
- Redundancy Groups
- Layer 2 and Layer 3 Roaming Between RPs and Modules
2. Configuring the ProCurve Wireless Edge Services xl Module
- Contents
- Management Interfaces
- Radio Port Adoption
- System Maintenance
- SNMP Traps and Error Reporting
- Radio Port Licenses
- Setting System Information-Name, Time, and Country Code
- Enabling Secure Network Time Protocol (NTP)
- Digital Certificates
3. Radio Port Configuration
- Contents
- Overview
- Country-Code and Regulatory Procedures
- Configuring Radio Settings
  - Creating a Radio Adoption Default Configuration
  - Creating a Radio Configuration for a Particular Radio
- Considerations for Enabling Client Roaming
- Quality of Service (QoS) on RP Radios
  - WMM
  - SpectraLink Voice Priority (SVP)
4. Wireless Local Area Networks (WLANs)
- Contents
- Overview
- Configuration Options: Normal Versus Advanced Mode
  - Normal Mode Configuration
  - Advanced Mode Configuration
- Configuring a WLAN
- VLAN Assignment
  - WLAN-Based VLAN Assignment
    - Considerations for WLAN-Based VLAN Assignment
  - Identity-Based, or Dynamic, VLAN Assignment
- Traffic Management (QoS)
5. Web Authentication for Mobile Users
- Contents
- Overview
- Configuring Web-Auth
- Copying Logo Files to the Module’s Flash
- Configuring Custom Web-Auth Pages
  - Configuring the CGI Commands for the Login Page
  - Configuring the CGI Commands for the Welcome Page
6. IP Services-IP Settings, DHCP, and DNS
- Contents
- IP Settings
- IP Routing
- DNS Client
- DHCP Server
7. Access Control Lists (ACLs)
- Contents
- Overview
- Configuring ACLs
8. Configuring Network Address Translation (NAT)
- Contents
- Overview
- Planning the NAT Configuration
  - Consider Your Company’s Requirements for NAT
  - Record Necessary IP Addresses and Select the NAT Implementation Method
    - Planning the Configuration for Dynamic NAT
    - Planning the Configuration for Static NAT
- Configuring Standard ACLs for Dynamic NAT
- Configuring NAT
9. Fast Layer 2 Roaming and Layer 3 Mobility
- Contents
- Overview
- Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X
- Configuring Layer 3 Mobility
- Verifying and Managing Layer 3 Mobility
  - Monitoring Peers
  - Viewing a Station’s Status
10. Redundancy Groups
- Contents
- High Availability for Wireless Services
- Configuring a Redundancy Group
11. RADIUS Server
- Contents
- Overview
- RADIUS Authentication
  - Configuring the Internal RADIUS Server
  - Enabling Authentication to the Internal Server on a WLAN
- RADIUS Accounting
  - Enabling Accounting to the Internal RADIUS Server on a WLAN
  - Viewing the Internal RADIUS Server’s Accounting Logs
12. Configuring Tunnels with Generic Routing Encapsulation
- Contents
- Overview
- Configuring GRE Tunnels
- Viewing GRE Tunnels and WLAN Mappings
13. Wireless Network Management
- Contents
- Overview
- Monitoring the Wireless Network
- AP Detection
- Configuring Station Intrusion Detection
- Logging and Alarms
  - Configuring Logging
  - Managing the Alarm Log
- MAC Filters (Local MAC Authentication)
- Network Self Healing
  - Neighbor Recovery
  - Interference Avoidance
14. sFlow Agent
- Contents
- Overview
- Configuring sFlow Using the Web Browser Interface
Appendix A - ProCurve Wireless Services xl Module Command Line Reference
- Contents
- Overview
- Manager Commands
- Global Commands
- Interface Commands
- Wireless Commands
- Show Commands
- Show Commands (All Contexts)
- Show Commands (Wireless)
- Support Commands
- Support Commands (All Contexts)
- Support Commands (Wireless)
Index
Back Cover

Management and

Configuration Guide

www.procurve.com

ProCurve Wireless Edge Services xl Module and

ProCurve Redundant Wireless Services xl Module

Summary of content (1014 pages)

PAGE 1
Management and Configuration Guide ProCurve Wireless Edge Services xl Module and ProCurve Redundant Wireless Services xl Module www.procurve.
PAGE 2
PAGE 3
ProCurve Wireless Edge Services xl Module and ProCurve Redundant Wireless Services xl Module June 2007 WS.02.
PAGE 4
© Copyright 2006, 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
PAGE 5
Contents 1 Introduction Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 ProCurve Wireless Edge Services xl Module . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Wireless Networks and WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 The Interface Between the Wireless and Wired Networks . . . . . . . . . 1-7 Communicating with RPs: Radio Port VLANs . . . . . . . . . . . . . . . .
PAGE 6
Traffic Management and QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46 SVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-47 WMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-48 WLAN Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49 Voice Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 7
Layer 2 and Layer 3 Roaming Between RPs and Modules . . . . . . . . . . . . . 1-80 Roaming Between RPs on a Single Wireless Edge Services xl Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-80 Roaming Between RPs on Different Wireless Edge Services xl Modules at Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-81 Roaming Between RPs on Different Wireless Edge Services xl Modules at Layer 3 . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 8
Choosing SNMP Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 Setting Up the Internal FTP Server . . . . . . . . . . . . . . . . . . . . . . . . 2-32 Changing the Password for the Default SNMP v3 Users (Operator or Manager) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35 Configuring Web-Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40 Logging In to the Module as a WebUser Administrator . . . . . . . . . . .
PAGE 9
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-85 Viewing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-86 Transferring, or Copying, Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-88 Transferring Configuration Files from an FTP or TFTP Server to the Wireless Edge Services xl Module . . . . . . . .
PAGE 10
Setting System Information—Name, Time, and Country Code . . . . . . . . 2-136 Enabling Secure Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . 2-138 Secure NTP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-138 NTP Modes and Communications . . . . . . . . . . . . . . . . . . . . . . . . 2-139 NTP Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-139 Secure NTP Enhancements . . . . . . . . . . . . . . . . . .
PAGE 11
3 Radio Port Configuration Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Country-Code and Regulatory Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Configuring Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 12
Advanced Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11 Why Use Advanced Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12 Enabling WLANs Using Advanced Mode Configuration . . . . . . . 4-13 Using Normal and Advanced Mode Together . . . . . . . . . . . . . . . . 4-23 Changing from Advanced Mode to Normal Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23 Configuring a WLAN . . . . . . . .
PAGE 13
WMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-92 Prioritization with WMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-93 Enabling WMM on a WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-96 Changing the Protocol that Prioritizes Traffic and Enabling Admission Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-97 Viewing Station WMM Parameters . . . . . . . . . . . . . . . . . . . .
PAGE 14
6 IP Services—IP Settings, DHCP, and DNS Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Viewing VLAN Interfaces and Enabling Secure Management . . . . . . . 6-3 Assigning an IP Address to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Deleting the IP Address Assigned to a VLAN . . . . . . . .
PAGE 15
7 Access Control Lists (ACLs) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Stateful ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 ACL Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 16
8 Configuring Network Address Translation (NAT) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Translating Between an Inside and an Outside Network . . . . . . . . . . . 8-3 Local and Global Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 NAT Implementation Methods . . . . . . .
PAGE 17
9 Fast Layer 2 Roaming and Layer 3 Mobility Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Layer 2 Roaming on a Single Wireless Edge Services xl Module . . . . 9-2 Fast Layer 2 Roaming for WPA/WPA2 with 802.1X . . . . . . . . . . . . . . . 9-3 Pre-authentication . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 18
Configuring a Redundancy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11 Configuring Redundancy Group Settings . . . . . . . . . . . . . . . . . . . . . . 10-12 Adding Members to the Redundancy Group . . . . . . . . . . . . . . . . . . . 10-14 Enabling Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16 Viewing Information about the Redundancy Group . . . . . . . . . . . . . 10-18 History . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 19
12 Configuring Tunnels with Generic Routing Encapsulation Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Configuring GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Creating GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 20
AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-39 Configuring AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-40 Creating Lists of Detected APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-46 Creating Rules That Define Allowed APs . . . . . . . . . . . . . . . . . . 13-47 Monitoring Detected APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 21
Network Self Healing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-88 Neighbor Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-88 Enabling Neighbor Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-89 Specifying Neighbors Manually . . . . . . . . . . . . . . . . . . . . . . . . . . 13-91 Configuring Radios to Automatically Detect Neighbors . . . . . . 13-94 Selecting the Self-Healing Action . . . . . . . .
PAGE 22
18
PAGE 23
1 Introduction Contents ProCurve Wireless Edge Services xl Module . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Wireless Networks and WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 The Interface Between the Wireless and Wired Networks . . . . . . . . . 1-7 Communicating with RPs: Radio Port VLANs . . . . . . . . . . . . . . . . 1-8 Communicating with the Ethernet Network: Uplink VLANs . . . 1-12 Forwarding Traffic Between the Wireless Network and the Ethernet Network . . . .
PAGE 24
Introduction Contents Traffic Management and QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46 SVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-47 WMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-48 WLAN Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49 Voice Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 25
Introduction Contents Layer 2 and Layer 3 Roaming Between RPs and Modules . . . . . . . . . . . . 1-80 Roaming Between RPs on a Single Wireless Edge Services xl Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-80 Roaming Between RPs on Different Wireless Edge Services xl Modules at Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-81 Roaming Between RPs on Different Wireless Edge Services xl Modules at Layer 3 . . . . . . . . . . . . . . . . .
PAGE 26
Introduction ProCurve Wireless Edge Services xl Module ProCurve Wireless Edge Services xl Module The ProCurve Wireless Edge Services xl Module transforms a ProCurve Switch 5300xl Series into a wireless services-enabled switch. Together with one or more radio ports (RPs), this wireless services-enabled switch creates a Wireless LAN System. With its default RP license, each Wireless Edge Services xl Module can support up to 12 RPs (for a total of 24 radios).
PAGE 27
Introduction ProCurve Wireless Edge Services xl Module Among other functions, the Wireless Edge Services xl Module: ■ manages a set of wireless LANs (WLANs)—each of which is identified by a service set identifier (SSID) and defines various network and security policies ■ receives traffic from wireless stations via RPs and places this traffic into the correct VLAN to be forwarded into the wired network ■ adopts connecting RPs and automatically deploys configurations to them Depending on how you config
PAGE 28
Introduction ProCurve Wireless Edge Services xl Module Wireless Networks and WLANs In this guide, the term wireless network is used to encompass all the devices (such as stations, RPs, access points [APs], Wireless Edge Services xl Modules, and wireless services-enabled switches) involved in your organization’s wireless functions. The term Wireless LAN System refers to a Wireless Edge Services xl Module and all of its adopted RPs, which function together as a single entity.
PAGE 29
Introduction ProCurve Wireless Edge Services xl Module One of the Wireless Edge Services xl Module’s primary tasks is act as the interface between the wireless and wired networks. That is, the module bridges traffic from a WLAN to a VLAN. The WLAN is said to be mapped to that VLAN.
PAGE 30
Introduction ProCurve Wireless Edge Services xl Module Communicating with RPs: Radio Port VLANs The Wireless Edge Services xl Module uses a Radio Port VLAN to send traffic to and receive traffic from the RPs it adopts. The RPs are designed to isolate traffic that they transmit into your network until the Wireless Edge Services xl Module can control this traffic. An RP encapsulates each wireless frame, leaving the 802.11 header and any encryption intact, and forwards it to the module on the Radio Port VLAN.
PAGE 31
Introduction ProCurve Wireless Edge Services xl Module Figure 1-1 shows the VLAN tagging if auto-provisioning remains enabled on the wireless services-enabled switch. Figure 1-1. Auto-Provisioned Radio Port VLANs Note If, for whatever reason, you do not want an RP placed in the default Radio Port VLAN, you can manually create a different Radio Port VLAN on the wireless services-enabled switch. (In this case, you should turn off autoprovisioning.
PAGE 32
Introduction ProCurve Wireless Edge Services xl Module Manually Establishing a Radio Port VLAN. If you connect an RP to an infrastructure switch instead of directly connecting it to the wireless servicesenabled switch, you must manually establish the Radio Port VLAN on that infrastructure switch. The wireless services-enabled switch still uses auto-provisioning to create VLAN 2100 and tag the module’s internal downlink port for this VLAN.
PAGE 33
Introduction ProCurve Wireless Edge Services xl Module Although it is usually a good idea to use auto-provisioning on the wireless services-enabled switch and to create the same Radio Port VLAN on the infrastructure switches that directly connect to RPs, you can use any valid VLAN numbers for Radio Port VLANs. Simply remember to tag the Wireless Edge Services xl Module’s downlink port for that VLAN. In Figure 1-3, the network administrator has decided to use VLAN 300 for one of the RPs.
PAGE 34
Introduction ProCurve Wireless Edge Services xl Module Note You might also need to perform some configuration tasks on the wireless services-enabled switch, such as raising the maximum number of VLANs. (See the ProCurve Series 6400cl Switches, 5300xl Switches, and 3400cl Switches Management and Configuration Guide and ProCurve Series 6400cl Switches, 5300xl Switches, and 3400cl Switches Advanced Traffic Management Guide.) Dynamically Establishing a Radio Port VLAN.
PAGE 35
Introduction ProCurve Wireless Edge Services xl Module ■ Otherwise, the module determines the WLAN to which the station belongs and assigns it to the VLAN specified for that WLAN. By default, the only uplink VLAN is VLAN 1, and the module’s internal uplink port is tagged for this VLAN. As for any switch port, you must tag the uplink port for other VLANs if you want the module to forward network traffic in those VLANs.
PAGE 36
Introduction ProCurve Wireless Edge Services xl Module Figure 1-5 illustrates a network in which the Wireless Edge Services xl Module assigns traffic from WLAN 1 to VLAN 24, a VLAN reserved for wireless traffic. In this network, the wireless station receives an IP address from the module’s internal DHCP server, and the module routes the station’s traffic to servers in the private, Ethernet network. Figure 1-5.
PAGE 37
Introduction ProCurve Wireless Edge Services xl Module 3. The module assigns the traffic to the VLAN specified in that station’s association. 4. The module determines whether it is acting as the router for this traffic and takes action accordingly: a. If the module is acting as router (that is, the frame’s destination MAC address belongs to the module), the module looks up the route for the packet’s destination.
PAGE 38
Introduction ProCurve Wireless Edge Services xl Module 3. The module creates the correct 802.11 frame, drawing on information specified in the association with the destination station. The module also encrypts the frame, if necessary. 4. The module encapsulates the 802.11 frame. The encapsulation header includes a tag for the Radio Port VLAN specified for the radio to which the destination station has associated. 5. The module forwards the traffic toward its destination on its downlink port.
PAGE 39
Introduction ProCurve Wireless Edge Services xl Module Ethernet subnetwork (VLAN). When transmitting traffic back to wireless stations, the module also acts at Layer 2, forwarding traffic based on the associations to those stations. After the module bridges a frame to a VLAN interface, the module can handle the inner packet at Layer 3. Note that this VLAN interface may or may not be tagged on the uplink port.
PAGE 40
Introduction ProCurve Wireless Edge Services xl Module The module then forwards the traffic to the wireless services-enabled switch at Layer 2, and the same devices that route and control traffic from traditional users can handle traffic from the wireless users. In this scenario, the module may perform few or none of the Layer 3 functions listed in “Wireless Edge Services xl Module Operations” on page 1-16.
PAGE 41
Introduction ProCurve Wireless Edge Services xl Module If your wired network has adequate firewalls and other security measures, you might prefer having the wired infrastructure handle the wireless traffic. In this case, follow a similar design to that in“Using the Same VLANs for Wireless and Wired Users” on page 1-17. However, create a VLAN just for wireless traffic: ■ Have the Wireless Edge Services xl Module map a WLAN to a VLAN reserved for wireless users.
PAGE 42
Introduction ProCurve Wireless Edge Services xl Module ■ Terminate that VLAN on the module. In other words, do not tag the module’s uplink port for the VLAN. ■ Enable routing on the module. This design requires the Wireless Edge Services xl Module to take over many of the functions otherwise performed by network servers and infrastructure devices. For example, the module can act as the DHCP server for wireless stations, and it can perform dynamic NAT, masquerading as the source for all wireless traffic.
PAGE 43
Introduction ProCurve Wireless Edge Services xl Module Reserving VLANs for Wireless Users in a Network with Multiple Wireless Edge Services xl Modules A network that has more than one Wireless Edge Services xl Module introduces another factor that you must consider: roaming between the modules. To facilitate roaming and consistent network services, every module should assign the same WLAN to the same VLAN (subnetwork) when possible.
PAGE 44
Introduction ProCurve Wireless Edge Services xl Module Figure 1-9. Designing VLANs for a Wireless Network That Includes Multiple Modules Now that you have considered the services that your Wireless Edge Services xl Module should provide, you can start to look at individual services in more detail. The following sections describe the capabilities of the module, including, in addition to the Layer 3 services introduced above, the module’s many capabilities in securing and managing the wireless network.
PAGE 45
Introduction ProCurve Wireless Edge Services xl Module IP Routing The module can implement basic routing between its VLANs. It can have up to eight directly connected routes (one on each VLAN interface), and you can manually add static routes. The module also has one active default route. IP routing is disabled by default. Even if wireless stations use a different router, you might want to enable IP routing because several module capabilities require routing to be active.
PAGE 46
Introduction ProCurve Wireless Edge Services xl Module Security Features As a network administrator, you must constantly consider how to secure your network, particularly as you add wireless access. The Wireless Edge Services xl Module supports a variety of security features both for wireless traffic and for the interface between the wireless and wired network. Authentication Options for WLANs A key function of the Wireless Edge Services xl Module is to establish settings for your network’s WLANs.
PAGE 47
Introduction ProCurve Wireless Edge Services xl Module With its internal RADIUS server, the Wireless Edge Services xl Module can also act as the authentication server. 802.1X relies on Extensible Authentication Protocol (EAP), which comes in several varieties designed by various product developers. Although the actual process varies according to the specific method, the basic process is outlined below: 1. A wireless station associates to the WLAN. 2.
PAGE 48
Introduction ProCurve Wireless Edge Services xl Module Web-Auth. The Wireless Edge Services xl Module can also provide Web-Auth for stations that do not support 802.1X authentication. In this case, the module confines unauthenticated wireless users’ access to a list of allowed IP addresses. The module forces a user to authenticate itself by redirecting all nonapproved traffic to a login page on a Web server.
PAGE 49
Introduction ProCurve Wireless Edge Services xl Module After users authenticate, the Wireless Edge Services xl Module can control users’ network access with dynamic ACLs stored in the external RADIUS server’s database (perhaps configured with software such as ProCurve IDM). You can also control the VLAN associated with Web-Auth with manual ACLs. The Wireless Edge Services xl Module grants users that fail to authenticate the same guest status that it grants unauthenticated users.
PAGE 50
Introduction ProCurve Wireless Edge Services xl Module Figure 1-11. RADIUS MAC Authentication Local MAC Authentication. RADIUS MAC authentication allows you to control stations centrally. Alternatively, you can control traffic locally with MAC standard ACLs. On the Wireless Edge Services xl Module, these ACLs are called filters and are configured separately from other ACLs. You configure the following ACLs and associate them with WLANs: ■ Deny ACLs—Stations are prevented from connecting to your network.
PAGE 51
Introduction ProCurve Wireless Edge Services xl Module Authenticating to a RADIUS Server. Each of the authentication methods described in the sections above involve an authentication server.
PAGE 52
Introduction ProCurve Wireless Edge Services xl Module The internal RADIUS server supports these types of authentication: ■ MAC authentication ■ Web-Auth ■ 802.1X with EAP: • EAP-TLS • EAP-TTLS with PAP • EAP-TTLS with MD5 • PEAP with MS-CHAP v2 The internal RADIUS server can draw on one of two repositories for checking user credentials: ■ Local database—The local database consists of user accounts and groups.
PAGE 53
Introduction ProCurve Wireless Edge Services xl Module Table 1-1 compares EAP methods and the support that the Wireless Edge Services xl Module provides for them. Table 1-1.
PAGE 54
Introduction ProCurve Wireless Edge Services xl Module WEP did not succeed at creating per-frame keys for several reasons that are beyond the scope of this overview to describe. You simply need to know that, in an enterprise setting, you should always use the more secure WPA or WPA2. WPA requires TKIP, a protocol that implements key mixing to successfully create per-frame keys.
PAGE 55
Introduction ProCurve Wireless Edge Services xl Module Table 1-2 lists the encryption options that are available with each authentication option. Table 1-2. Options for Authentication and Encryption on the Wireless Edge Services xl Module Authentication Option Encryption Options Name of Security Provided 802.1X • dynamic WEP • WEP with 64-bit or 128-bit keys • WPA/WPA2 with 802.1X • WPA/WPA2: – with TKIP – with AES – with both TKIP and AES (802.
PAGE 56
Introduction ProCurve Wireless Edge Services xl Module Controlling Traffic with Policies To this point, the overview of the Wireless Edge Services xl Module’s security capabilities has focused on the security that module provides in the wireless network.
PAGE 57
Introduction ProCurve Wireless Edge Services xl Module The Wireless Edge Services xl Module can read these attributes from an external RADIUS server: ■ VLAN assignment ■ ACL ■ rate limit, which applies to ingress traffic (traffic from the wireless station to the network) Remember that the Wireless Edge Services xl Module can also act as a RADIUS server. The module supports only dynamic VLAN assignments on its internal RADIUS server.
PAGE 58
Introduction ProCurve Wireless Edge Services xl Module If you are using your Wireless Edge Services xl Module’s internal RADIUS server, you can set this user-based policy: VLAN ID. Controlling Traffic Manually. You can also control traffic according to manually created rules on the Wireless Edge Services xl Module; however, such policies are generally less flexible.
PAGE 59
Introduction ProCurve Wireless Edge Services xl Module Wireless Edge Services xl Module Firewall The section above introduced you to the idea of controlling traffic with policies. The Wireless Edge Services xl Module’s firewall is one of the components that helps you to do so. The module’s firewall examines routed packets.
PAGE 60
Introduction ProCurve Wireless Edge Services xl Module You have created a unique VLAN for wireless stations, which is unknown to devices within the wired network. NAT allows the Wireless Edge Services xl Module to masquerade as the source of all wireless traffic, so devices in the wired network direct all return traffic for the wireless network to the module. For more information about NAT, see “NAT” on page 1-41 and Chapter 8: Configuring Network Address Translation (NAT).
PAGE 61
Introduction ProCurve Wireless Edge Services xl Module You can create the following types of ACLs: ■ MAC standard ACLs ■ MAC extended ACLs ■ standard IP ACLs ■ extended IP ACLs As discussed in “MAC Authentication” on page 1-27, MAC standard ACLs filter traffic according to the source MAC address. These ACLs act as authentication: rather than control which network services a user can access, MAC ACLs either allow or block traffic from a station entirely.
PAGE 62
Introduction ProCurve Wireless Edge Services xl Module The Wireless Edge Services xl Module applies an ACL to traffic that arrives on a particular interface: ■ You can apply one IP ACL to a VLAN interface. Traffic arrives on a VLAN interface in these two circumstances: • The Wireless Edge Services xl Module maps a wireless frame to that VLAN. In other words, the module decapsulates the frame received from a WLAN, removes the 802.11 header, and adds an Ethernet header with a tag for that VLAN.
PAGE 63
Introduction ProCurve Wireless Edge Services xl Module Figure 1-15. Applying ACLs to Interfaces NAT. NAT, another function the Wireless Edge Services xl Module’s firewall offers, modifies addresses in packets’ IP headers. The module supports NAT on both source addresses and destination addresses.
PAGE 64
Introduction ProCurve Wireless Edge Services xl Module ■ Static source NAT with optional port translation—The module translates a single source IP address to a single new address. Typically, the address after translation is an IP address that is assigned to the Wireless Edge Services xl Module. However, you can use a different IP address as long as it is not assigned to another device.
PAGE 65
Introduction ProCurve Wireless Edge Services xl Module The Wireless Edge Services xl Module performs NAT in much the same way, and you can use the module to ready traffic for transmission on the Internet. Other typical uses include: ■ isolating wireless and wired traffic and preserving IP addresses You should guard the threshold between the wireless and wired network rigorously. As mentioned before, one of the best ways to protect the wired network is to create VLANs specifically for wireless traffic.
PAGE 66
Introduction ProCurve Wireless Edge Services xl Module Digital signatures, created by a public-private key pair, authenticate data. To create the digital signature, a key pair relies on asymmetric encryption, which means that data encrypted by a private key is decrypted by the corresponding public key. A host “signs” data by encrypting it with its private key—something only that host can do because only it knows the private key.
PAGE 67
Introduction ProCurve Wireless Edge Services xl Module Before creating a certificate or certificate request, the Wireless Edge Services xl Module must generate a public/private key pair. The module can create Rivest-Shamir-Adleman (RSA) keys of between 1024 and 2048 bytes. Each certificate can use a unique key pair, or multiple certificates can share a key pair.
PAGE 68
Introduction ProCurve Wireless Edge Services xl Module For instructions on establishing GRE tunnels, see Chapter 12: Configuring Tunnels with Generic Routing Encapsulation. Note The Wireless Edge Services xl Module also establishes tunnels with other members of a Layer 3 mobility domain (see “Roaming Between RPs on Different Wireless Edge Services xl Modules at Layer 3” on page 1-83). However, these tunnels are created automatically when you set up the Layer 3 mobility domain.
PAGE 69
Introduction ProCurve Wireless Edge Services xl Module Figure 1-16. QoS Mechanisms Supported by the Wireless Edge Services xl Module This chapter will discuss these features at a high level; to learn how to configure them, see Chapter 4: Wireless Local Area Networks (WLANs). SVP SVP maintains a high QoS in the wireless network, specifically for VoWLAN devices that are SVP-capable. SVP is implemented in wireless phone handsets, wireless APs, and SpectraLink servers. This IEEE 802.
PAGE 70
Introduction ProCurve Wireless Edge Services xl Module WMM WMM is a more comprehensive QoS solution because it can provide differentiated handling for any type of traffic based on its priority. Like 802.1p and Differentiated Services (DiffServ) in Ethernet networks, WMM divides traffic into multiple priority queues and then assigns different settings to each queue.
PAGE 71
Introduction ProCurve Wireless Edge Services xl Module For more instruction on configuring these settings, see Chapter 4: Wireless Local Area Networks (WLANs) and Chapter 3: Radio Port Configuration. WLAN Classification WMM allows RPs to queue frames according to priority marking. Alternatively, RPs can place all traffic that is destined to stations associated with a particular WLAN in the same queue.
PAGE 72
Introduction ProCurve Wireless Edge Services xl Module In addition to managing the module’s software and configuration, the SNMP server can also analyze the wireless traffic processed by the module. The Wireless Edge Services xl Module acts as an sFlow agent, sampling wireless traffic and forwarding the samples to the SNMP server or other sFlow collector. The module can also poll RP radios for overall traffic statistics and submit the results to the sFlow collector.
PAGE 73
Introduction ProCurve Wireless Edge Services xl Module Table 1-4.
PAGE 74
Introduction Radio Ports Radio Ports Because the RPs are a critical component of the wireless network—establishing the actual radio signal and transmitting wireless traffic to and from stations—you should understand how these RPs function. The Wireless Edge Services xl Module can manage the following ProCurve RPs: ■ RP 210—includes one 802.11bg radio. The radio has two omnidirectional diversity antennas. ■ RP 220—includes two radios, one 802.11a and one 802.11bg.
PAGE 75
Introduction Radio Ports 802.11 Overview 802.11 is the IEEE standard for wireless networks. It specifies Physical Layer standards such as radio channel frequencies and the modulation techniques used to encode data. At the Data Link Layer, the standard also specifies the format for 802.11 frames. At its most fundamental level, an 802.11 network can be defined as a set of devices that communicates over the same medium.
PAGE 76
Introduction Radio Ports The 802.11a standard enables data rates from 6.0 Mbps to 54 Mbps, depending on the quality of the signal level. Overhead and competition for the shared medium often lowers actual throughput to about half the theoretical data rate. The second radio on the RP 220 and on the RP 230 supports 802.11a. 802.11b. This standard defines the Physical Layer for wireless networks that operate in the 2.4 GHz band—one of the radio bands available to any private entity.
PAGE 77
Introduction Radio Ports Many countries require support for 802.11h as a condition to using certain 802.11a channels. The countries operate military radar on those channels; With 802.11h, the private radios to share the channels without interfering with the military. The second radio on the RP 220 and on the RP 230 supports 802.11a. 802.11 Frames In addition to Physical Layer standards, 802.11 defines Data Link Layer standards. 802.
PAGE 78
Introduction Radio Ports Figure 1-18. BSS A BSS operates in infrastructure mode, which means that instead of communicating with each other, wireless stations communicate with an RP. This is the typical mode for a wireless network used to grant mobile users access to an Ethernet network, as well as the mode in which the ProCurve RPs operate. (See Figure 1-19.
PAGE 79
Introduction Radio Ports A wireless station must send all traffic to it RP. However, the RP can then forward the traffic to another station in the BSS. For tighter security, you can block these inter-station communications entirely, or you can force them to pass through the Wireless Edge Services xl Module, where ACLs can be applied. See “Controlling Inter-Station Traffic” on page 4-63 of Chapter 4: Wireless Local Area Networks (WLANs). Figure 1-19.
PAGE 80
Introduction Radio Ports Figure 1-20. ESS Similarly, when configuring the Wireless Edge Services xl Module, you are often more interested in the WLAN to which users connect than in the particular RP to which a user connects at any given moment. SSID Versus BSSID As indicated above, the SSID identifies a group of BSSs that make up a single WLAN. All frames transmitted in a WLAN are marked with this SSID.
PAGE 81
Introduction Radio Ports It is important to understand the relationship between SSIDs and BSSIDs. An SSID identifies a WLAN; the two are connected with a one-to-one correspondence. As a MAC address, a BSSID identifies an RP in that WLAN— one of the perhaps many RPs that offer wireless stations a connection to that WLAN. Like switches that can carry traffic for multiple VLANs, most RPs, including the ProCurve RPs, can support multiple WLANs, each of which is identified by its own SSID.
PAGE 82
Introduction Radio Ports The two radios on a single RP generally support the same WLANs, as shown in Table 1-5. However, using advanced mode configuration, you can enable different WLANs on an RP’s two built-in radios; in this case, a single RP with two radios can support up to 32 WLANs. Using advanced mode configuration raises several concerns that are discussed in Chapter 4: Wireless Local Area Networks (WLANs). Table 1-5.
PAGE 83
Introduction Radio Ports For example, WLAN 1 and WLAN 5 have been assigned to the same BSSID. The RP advertises the SSID for WLAN 1 in the beacon frame from that BSSID, but not the SSID for WLAN 5. However, if a wireless station sends a probe request for WLAN 5’s SSID, then the RP responds, and the station can associate. In other words, WLAN 1 operates in open system, and WLAN 5 operates in closed system.
PAGE 84
Introduction Radio Ports ■ It receives data traffic from associated wireless stations and forwards this traffic to an upstream Ethernet device, or if permitted, to other wireless stations. ■ It forwards return traffic to associated wireless stations. Masters communicate with managed stations; they do not communicate with each other.
PAGE 85
Introduction Radio Ports The single-channel detector listens passively for beacons from APs. It listens only on its own radio channel and can simultaneously respond to association requests from wireless stations. The dedicated detector, on the other hand, does not respond to association requests from wireless stations. Instead, the dedicated detector sends probes on each channel: ■ used by its 802.
PAGE 86
Introduction Radio Ports ■ Note WLAN assignment—When you enable a WLAN, the Wireless Edge Services xl Module automatically configures radios to support that WLAN. It creates a radio configuration that specifies which SSIDs should be assigned to which of the radio’s BSSIDs. If you use advanced mode configuration, then you must manually specify the WLAN assignment for a radio configuration.
PAGE 87
Introduction Radio Ports Table 1-6. Factory Default Settings for Radio Adoption Default Configurations Setting 802.11a 802.11bg Placement Indoors Indoors Channel Random Random Power Depends on country code Depends on country code Rate settings (in Mbps) Basic: 6, 12, 24 Basic: 1, 2, 5.5, 11 Supported: 6, 9, 12, 18, 24, 36, Supported: 1, 2, 5.
PAGE 88
Introduction Radio Ports Table 1-7. Radio Adoption Default Configuration WLAN Assignment Setting 802.11a / 802.11bg BSSID 1 SSIDs for: WLAN 1 (5, 9, 13) BSSID 2 SSIDs for: WLAN 2 (6, 10, 14) BSSID 3 SSIDs for: WLAN 3 (7, 11, 15) BSSID 4 SSIDs for: WLAN 4 (8, 12, 16) You can use advanced mode configuration to change these settings. See Chapter 4: Wireless Local Area Networks (WLANs).
PAGE 89
Introduction Radio Ports You configure settings for particular radios from the Network Setup > Radio screens, as described in Chapter 3: Radio Port Configuration. The Wireless Edge Services xl Module still automatically manages WLAN assignments for these radios (unless you are using advanced mode configuration). Note The Wireless Edge Services xl Module associates the radio’s MAC address with the override configuration, so it persists even if the RP is powered down.
PAGE 90
Introduction Radio Ports Figure 1-22. Communications Between an RP and the Wireless Edge Services xl Module If you must place your RP on a different subnetwork from the Radio Port VLAN, the messages listed above fail to receive a response from the Wireless Edge Services xl Module.
PAGE 91
Introduction Radio Ports ■ DNS requests—request the IP address for the Wireless Edge Services xl Module. If the RP does not receive option 189 from the DHCP server, it uses DNS to discover the module’s IP address. At its factory settings, the RP requests the IP address for this hostname: PROCURVE-WESM. The RP also adds the domain suffix that it received in the DHCP configuration. For example: PROCURVE-WESM.procurve.
PAGE 92
Introduction Radio Ports Figure 1-23.
PAGE 93
Introduction Radio Ports When a Wireless Edge Services xl Module receives an adoption request from an unadopted RP—whether as a broadcast or as a targeted message—the module must decide whether or not to adopt the RP. You can configure the module to automatically adopt any identified, nonconfigured RP. The simple plug-in installation makes this option ideal, as long as your organization secures access to its network devices.
PAGE 94
Introduction Radio Ports Figure 1-24. Deploying a Configuration Managing RPs in a Self-Healing Network A Wireless Edge Services xl Module collects a variety of information from managed RPs. For example, RPs configured as detectors report information about neighboring APs. The module then processes this information into lists of authorized and unauthorized APs, according to rules that you configure.
PAGE 95
Introduction Radio Ports The Wireless Edge Services xl Module also collects information about the wireless network in order to improve its functioning. For example, if you enable interference avoidance, the module has RPs change their channel when they report excessive congestion. Intrusion detection is one useful self-healing feature. The Wireless Edge Services xl Module can also implement neighbor recovery and create a highly availability, self-healing network.
PAGE 96
Introduction Radio Ports RP Deployment Requirements This section provides a brief overview of features on the ProCurve RPs that affect their deployment. For information about installing your RPs, refer to the appropriate Installation and Getting Started Guide. Power over Ethernet (PoE) PoE, based on the IEEE 802.3af standard, defines a mechanism by which a device receives power over the Ethernet cable on which it also sends and receives data. ProCurve RPs 210, 220, and 230 must be powered by PoE.
PAGE 97
Introduction Redundancy Groups Redundancy Groups A good network design builds in redundancy so that, in the unlikely event of a hardware or link failure, users continue to access the resources that they need.
PAGE 98
Introduction Redundancy Groups Rules of Redundancy Groups A redundancy group consists of up to 12 members; each member is either a primary module or a redundant module. Up to two modules can be installed in the same wireless services-enabled switch. Within the redundancy group, you can combine primary and redundant modules in any proportion. For example, you could have two primary modules and one redundant module; or you could group three primary modules and four redundant modules.
PAGE 99
Introduction Redundancy Groups Redundancy Group Operation Modes Group members can operate in either active mode or standby mode. The type of module (primary or redundant) has no relation to the operation mode. You can place a primary module in standby mode, or more typically, you can place a redundant module in active mode. An active redundant module adds capacity by loading balancing RPs with other members of the group.
PAGE 100
Introduction Redundancy Groups Figure 1-25. Redundancy Module Adopting RPs To provide consistent service, the standby member continues to support the RPs even after the active member comes back up.
PAGE 101
Introduction Redundancy Groups Remember that standby members support all the same services as the active members, so you must configure the same wireless settings on all members of a redundancy group. A simple way to ensure successful failover is to upload one module’s configuration onto each other module, edit the configuration with module-specific settings (such as IP address and redundancy group settings), and save the edited configurations.
PAGE 102
Introduction Layer 2 and Layer 3 Roaming Between RPs and Modules Layer 2 and Layer 3 Roaming Between RPs and Modules One of the principle attractions of wireless networking is the mobility that it offers users, and users often want to roam further than the range of a single radio. The 802.11 standard gives guidelines for roaming between the coverage areas, or cells, provided by two APs (or RPs), but leaves the implementation largely to the makers of wireless network interface cards (NICs).
PAGE 103
Introduction Layer 2 and Layer 3 Roaming Between RPs and Modules In other words, the module functions much like a single, high-capability AP with many remote radios (the RPs). Therefore, when a station disassociates from one RP and reassociates with another RP adopted by the same module, the module already has in place the association, the authentication, and the encryption keys. The roam is fast and seamless. The Wireless Edge Services xl Module also supports these 802.
PAGE 104
Introduction Layer 2 and Layer 3 Roaming Between RPs and Modules However, Wireless Edge Services xl Modules supports these mechanisms to facilitate and speed roaming between RPs adopted by different modules: ■ PMK caching—enables fast roaming back to a module in a WLAN that requires WPA/WPA2 with 802.1X. A station disassociates from one of the module’s RPs and moves to an RP on a different module. As far as the first module knows, the station has left the WLAN.
PAGE 105
Introduction Layer 2 and Layer 3 Roaming Between RPs and Modules Roaming Between RPs on Different Wireless Edge Services xl Modules at Layer 3 Roaming always occurs within a WLAN—that is, a station can roam only to another RP if that RP supports the same SSID. Otherwise, the station does not roam; it connects to a new network. For the roaming described in the previous sections, the roaming station’s traffic arrives in the same VLAN when it is bridged into the Ethernet network.
PAGE 106
Introduction Layer 2 and Layer 3 Roaming Between RPs and Modules Figure 1-26. Network Requiring Layer 3 Roaming Note It is important that the difference in subnetwork be reflected in different VLAN IDs because Layer 3 roaming relies on a changing VLAN ID to detect a Layer 3 roam. In other words, the two modules in Figure 1-26, which are in different subnetworks, correctly place WLAN A traffic on different VLANs.
PAGE 107
Introduction Layer 2 and Layer 3 Roaming Between RPs and Modules ■ When necessary, tunnel traffic back to a station’s HM—Every module in the Layer 3 roaming domain establishes a tunnel to every other module. A module tunnels traffic only when necessary, which is when a station that has an HM on a different VLAN roams to the module. If a station that has an HM on the same VLAN roams to the module, the module simply becomes the station’s new HM.
PAGE 108
Introduction Layer 2 and Layer 3 Roaming Between RPs and Modules 1-86
PAGE 109
2 Configuring the ProCurve Wireless Edge Services xl Module Contents Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 The Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Determining the Dynamic IP Address or Assigning a Static Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . . . . .
PAGE 110
Configuring the ProCurve Wireless Edge Services xl Module Contents Changing the Password for the Default SNMP v3 Users (Operator or Manager) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35 Configuring Web-Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40 Logging In to the Module as a WebUser Administrator . . . . . . . . . . . 2-48 Creating Guest Accounts on the Local RADIUS Database . . . . . 2-49 Viewing and Deleting Guest Accounts . . . . . . . . . .
PAGE 111
Configuring the ProCurve Wireless Edge Services xl Module Contents Returning the Startup-Config File to Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-97 Update Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-98 Checking the Software Image File . . . . . . . . . . . . . . . . . . . . . . . . . 2-98 Checking the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 112
Configuring the ProCurve Wireless Edge Services xl Module Contents Configuring NTP Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-152 Configuring the Wireless Edge Services xl Module as a Broadcast Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-155 Viewing NTP Associations and Status . . . . . . . . . . . . . . . . . . . . . . . . 2-158 Viewing Secure NTP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 113
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Management Interfaces To configure and manage the ProCurve Wireless Edge Services xl Module, you can use one of the following management interfaces: ■ Web browser interface—Accessed through a Web browser, this intuitive interface provides comprehensive information to help you manage and monitor your company’s wireless services. The menus and online help guide you through configuration steps.
PAGE 114
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Determining the Dynamic IP Address or Assigning a Static Address Initially, you must access the Wireless Edge Services xl Module through the CLI of the wireless services-enabled switch 5300xl—either to determine the IP address that is assigned to the module through a Dynamic Host Configuration Protocol (DHCP) server or to assign the module a static IP address.
PAGE 115
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Replace with the letter for the chassis slot in which the Wireless Edge Services xl Module is installed. For example, if the module is installed in chassis slot C, you would enter: ProCurve# wireless-services c You access the Wireless Edge Services xl Module CLI with the same rights (either manager or operator) that you have to the switch CLI.
PAGE 116
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces The command saves to the running-config as a default route in which the gateway IP address is the IP address of the next hop. For example, you enter: ProCurve(wireless-services-C) (config)# ip default-gateway 10.1.10.1 The running-config displays: ip route 0.0.0.0/0 10.1.10.1 Note Be careful when you change the default gateway IP address.
PAGE 117
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Enable Secure Management. Secure management forces managers to access the Wireless Edge Services xl Module at the IP address configured on the management VLAN. For example, you configure VLAN 2 as the management VLAN, and the module’s IP address on VLAN 2 is 10.1.2.30. The module also has an IP address on VLAN 4: 10.1.4.30.
PAGE 118
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Accessing the Web Browser Interface for the Wireless ServicesEnabled Switch. You can also access the module’s Web browser interface from the Web browser interface for the wireless services-enabled switch. (Like the module’s Web browser interface, the switch’s Web browser interface uses Java applets.) To access the switch’s Web browser interface, enter the IP address for the management interface as the URL in your Web browser.
PAGE 119
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Logging in to the Web Browser Interface Whichever way you attempt to access the Web browser interface, you are prompted to enter a username and password. (See Figure 2-2.) Figure 2-2. Logging In to the Module’s Web Browser Interface In the Username field, enter manager, and in the Password field, enter the default password procurve. (The Wireless Edge Services xl Module also supports the operator user.
PAGE 120
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Overview of the Web Browser Interface The Web browser interface includes a navigation bar on the left. (See Figure 2-3.) Using this navigation bar, you can access: ■ Information screens that help you manage and troubleshoot your wireless services ■ Configuration screens that allow you to tailor wireless services for your particular environment Navigation bar Figure 2-3.
PAGE 121
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces ■ running-config—When the Wireless Edge Services xl Module loads the startup-config, all the configurations become part of the running-config, which is held in RAM. When you make and apply configuration changes in the Web browser interface, these changes become part of the runningconfig as well.
PAGE 122
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Save changes to startup-config Remove unapplied changes Apply changes to running-config Access online help Figure 2-4. Applying or Saving Changes Logging Out or Refreshing the Screen In addition to the Save link, the Web browser interface includes three links at the top of the screen: Note ■ Refresh—updates the screen with current information ■ Support—links you to ProCurve Networking’s Web site at http://www.procurve.
PAGE 123
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-5. Help Navigator Screen From the Help Navigator screen, you can select one of the following tabs: ■ Content—The Content tab provides a list of available topics. You simply double-click a topic to view the Help information. ■ Search—The Search tab allows you to enter keywords or Boolean expressions to find all the information about a specific topic.
PAGE 124
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Using Filtering Options Filtering allows you to limit the amount of data displayed on a configuration screen by narrowing the criteria that is displayed. You can use the filtering options on certain configuration screens in order to list items that meet certain criteria. Screens that can be filtered contain a Show Filtering Options link, as shown in the example in Figure 2-6. Figure 2-6.
PAGE 125
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Filters affect the display. The filter selects rows according to values in columns. For example, you can filter the Network Setup > WLANs screen to display rows only for those WLANs that list Web-Auth in the Authentication column. Click the Show Filtering Options link to begin creating a filter. Figure 2-7.
PAGE 126
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces When you select two criteria, you must use Boolean operators to link the two: ■ AND—Only rows that match both criteria display. ■ OR—Rows that match either or both criteria display. In the fields to the right of the drop-down menus (see Figure 2-7 on page 2-17), you create the actual filter. The format for the filter depends on the type of column: ■ Match operators—for columns that include a string.
PAGE 127
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-8. Filtering Options WLANs Example 2. In the Filter Options section, on the first line, use the first drop-down menu to select the criterion for the filter. The drop-down menu includes the name of every column in the screen. In the example in Figure 2-8, you can select from Index, Enabled, SSID, and so on. 3.
PAGE 128
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces 4. If you are also filtering for a second criterion, on the second line, use the drop-down menu to select the Boolean operator for linking the two criteria: • AND—to list items that meet the criteria on both lines • OR—to list items that meet the criteria on either line The OR operator is not an “exclusive OR” operator; it will list items that meet the criteria on either or both lines. 5.
PAGE 129
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces 6. Note After you set the filter criteria, click the Filter Entire Table button. Only the tunnels that match the filter are now listed on the screen. If you want, you can refine your filter criteria and click the Filter Entire Table button again. Throughout the Wireless Edge Services xl Module interface (whether or not you are using filtering), you can sort data lines by clicking on the respective column headings.
PAGE 130
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces When you are prompted for a password, enter the password for the manager user on the wireless services-enabled switch. Accessing the Switch CLI Through a Telnet or SSH Session You can also use a Telnet or SSH application to access the CLI for the wireless services-enabled switch. For instructions on establishing a Telnet or SSH session, see the management and configuration guide for your switch.
PAGE 131
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces From the enable context, you can enter show commands to view information about the Wireless Edge Services xl Module, and you can perform some operations such as erasing the startup-config file and copying configuration files to and from the module. To make configuration changes, however, you must move to the global configuration context.
PAGE 132
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Security In addition to supporting the latest security standards for wireless communications, the Wireless Edge Services xl Module allows you to secure management access. To protect communications between the Wireless Edge Services xl Module and your management workstation, the module supports Secure Hypertext Transfer Protocol (HTTPS) over Secure Socket Layer (SSL), and SNMP v3.
PAGE 133
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces SNMP v3 encrypts management communications. For example, SNMP v3 support secures messages between the Java applet running the Web browser interface and your management workstation even when you use HTTP rather than HTTPS. SNMP Communities. SNMP v1/v2c uses communities to control various types of management access.
PAGE 134
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces In addition, SNMP v3 secures communications between the user and the managed device, transforming the traffic with an encryption algorithm, an authentication algorithm, or both. Default SNMP v3 Users—Manager and Operator. There are two default users: ■ Manager—The manager has read-write access, which means the manager can configure settings and view information.
PAGE 135
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces The operator user is particularly useful if you want to assign a new IT staff member the task of monitoring certain module functions; however, you do not want this IT staff member to change the existing configuration. In this case, you could give this IT staff member the password for the operator user but reserve the manager user password for only senior-level IT staff.
PAGE 136
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-11. Management > Web Access Control Screen 2. Uncheck the Enable HTTP box to disable insecure HTTP access to the Wireless Edge Services xl Module. Check the box to re-enable this server. 3. Uncheck the Enable HTTPS box to disable HTTPS access to the Wireless Edge Services xl Module. Check the box to re-enable this server. 4.
PAGE 137
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces By default, the HTTPS server submits the self-signed certificate in the default-trustpoint. The HTTPS Trustpoint drop-down menu includes this trustpoint and any other trustpoint configured on the module. The drop-menu also includes the option. Select this option to open the Certificates Wizard, which guides you through the process of creating or installing a certificate.
PAGE 138
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-12. Management > Web Access Control Screen 2. Uncheck the Enable SNMP v2 box to disable SNMP v2 access to the Wireless Edge Services xl Module. Check the box to re-enable such access. 3. Uncheck the Enable SNMP v3 box to disable SNMP v3 access to the Wireless Edge Services xl Module. A screen is displayed, warning you that disabling SNMP v3 locks you out of the Web browser interface.
PAGE 139
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-13. Disable SNMP V3 Warning If you are sure that you want to disable SNMP v3 and Web access, click the Yes button. You have one more chance to change your mind: you must click the Apply button in the Management > Web Access Control to actually disable the server. 4. Configure other SNMP options: a.
PAGE 140
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Setting Up the Internal FTP Server The Wireless Edge Services xl Module includes an FTP server, which can send files stored in the module’s flash memory to FTP clients. For example, you could upload a configuration file directly from one module to another— eliminating the middle step of transferring the file to an external FTP server. The FTP server has these properties: ■ Port—The server listens on the standard FTP port, 21.
PAGE 141
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Browse button Figure 2-14. Setting Up the Internal FTP Server 3. In the Password box, enter a string, which can include alphanumeric and special characters. 4. In the Root Dir field, specify the name of the directory with the files that clients will request. For example, enter flash:/. If the file is stored in a directory within flash, the client must request the file with the correct extension.
PAGE 142
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces To use the browse button to select the root directory, follow these steps: 1. Click the browse button next to the Root Dir field. The Select Directory file screen is displayed. This screen displays three buttons, one for each of the Wireless Edge Services xl Module’s three file systems: 2.
PAGE 143
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Click the directory twice to view and select subdirectories within that directory. To return to the original directory, click [up one level], which is displayed in the left section with the subdirectories. 4. Alternatively, create a new directory (in the flash memory only). a. Click the New Folder button. The New Folder screen is displayed. Figure 2-16. New Folder Screen 5. b.
PAGE 144
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Table 2-1. Default Passwords for the Operator and Manager Users User Password operator operator manager procurve To protect your network, you should change the passwords for both users. Because the usernames and passwords are managed through SNMP v3, you must select a password that meets SNMP v3 standards: the password must be at least eight characters. The password does not only authenticate the user.
PAGE 145
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-17. Management > SNMP Access > V3 Screen 2. Select the username that you want to modify, and then click the Edit button. The Edit SnmpV3 screen is displayed.
PAGE 146
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-18. Edit SnmpV3 Screen 3. In the Old Password field, enter the current password. 4. In the New Password and Confirm Password fields, enter the new password. 5. Click the OK button. If you change the password for the manager user, you are logged out of the Web browser interface and must enter the new password in order to log back in to the interface.
PAGE 147
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Changing Passwords for the Default Users Through Web-User Settings. To change the passwords for the manager or operator user through their Web-User settings, follow these steps: 1. Select Management > Web-Users > Local Users. Figure 2-19. Default Users in the Management > Web-Users > Local Users Screen 2. Select the user for which you want to change the password. 3. Click the Edit button. The Edit User screen is displayed.
PAGE 148
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-20. Adding a Web-User 4. In the Password and Confirm Password fields, enter a new password between 8 and 32 characters. The password can include spaces and special characters. 5. Click the OK button. 6. Click the Save link to copy these changes to the Wireless Edge Services xl Module’s startup-config.
PAGE 149
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces The Wireless Edge Services module can authenticate these users against a local list of users, or you can have a RADIUS server authenticate the users. By default, the module uses its local list to authenticate the users. In either case, you must add users to the local list to assign the user a role, which determines the user’s rights. Web-User Roles.
PAGE 150
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces ■ ■ System Administrator—read-only rights and rights to management tasks: • view settings and statistics, including detailed information • export statistics and other device information • complete limited tasks in the Network Setup screens: – add, delete, and edit VLAN interfaces – configure Internet Protocol settings (such as routes) • complete any task in the Management screens, including: – control access to the Web
PAGE 151
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-21. Management > Web-Users > Local Users Screen 2. Click the Add button. The Add User screen is displayed.
PAGE 152
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-22. Adding a Web-User 3. In the User Name field, enter a string between 1 and 28 characters. You can include spaces and special characters. 4. In the Password and Confirm Password fields, enter a password between 8 and 32 characters. The password can include spaces and special characters. 5. Check the boxes in the Associated Roles section to assign one or more roles to this user.
PAGE 153
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Configuring Authentication for Web-Users. Instead of (or in addition to) using the local list to authenticate users, you can use a RADIUS server. If the RADIUS server authenticates a user, that user has the rights configured on the RADIUS database. Note If you do not correctly configure the RADIUS server to send a user’s rights, you can lock yourself out of the Wireless Edge Services xl Module Web browser interface.
PAGE 154
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-23. Configuring Authentication for Web-Users 3. Choose the primary authentication method from the Preferred method drop-down menu. You can choose local (which is the list of local users configured on the Local Users tab) or radius. 4. If you want to use both authentication methods, choose the other method from the Alternate method drop-down menu. If the preferred method fails, the alternate is attempted.
PAGE 155
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces If you do not check the box and authentication services become unavailable, users will have not access to the Web browser interface at all. (They must access the module CLI from the wireless services-enabled switch CLI.) 6. Click the Apply button. 7. If you have selected RADIUS for either authentication method, you must specify the RADIUS server: a. Click the Add button. The Add RADIUS Server screen is displayed.
PAGE 156
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces e. In the next field, specify how long the module waits for a reply from the RADIUS server before retrying (or, on the final retry, declaring the authentication service unavailable). The timeout value is in seconds; specify a number from 1 to 1000. f. In the next field, enter the shared secret. This string must match the secret specified for the Wireless Edge Services xl Module in the list of clients on the RADIUS server.
PAGE 157
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-25. Guest Registration Screen From this screen, the WebUser Administrator can: ■ create guest accounts ■ view all guest accounts ■ delete guest accounts ■ print records for the guest accounts added during the current management session Creating Guest Accounts on the Local RADIUS Database Follow these steps to add a guest user account: 1.
PAGE 158
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-26. Creating a Guest Account as a WebUser Administrator 2. Enter the username in the User Name field. The username can be up to 64 characters and can include alphanumeric and special characters. Alternatively, click the Create button to have the Wireless Edge Services xl Module OS automatically generate a random username. 3. In the Password field, enter the user’s password.
PAGE 159
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces 4. In the User Group drop-down menu, select the name of a guest group policy. The group policy determines the days of the week and times of day at which the user is allowed to access the network. The group policy can also dictate a dynamic VLAN assignment. (However, dynamic assignment must be enabled on the WLAN to which the guest connects for this setting to take effect.) The WebUser Administrator cannot create groups.
PAGE 160
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces 6. Click the Submit button. 7. The interface asks you to confirm the creation of the account. Click the Yes button. At any time before you submit the guest account, you can click the Clear button to erase the settings. When you are finished managing the guest accounts, click the Logoff link. You do not need to take any further step to save your changes to the startup-config.
PAGE 161
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Figure 2-27. Viewing and Deleting Guest Accounts as the WebUser Administrator 3. The screen displays a list of all guest user accounts and the start and end time for these accounts. When you select an account, the Assigned Groups section displays the group of which the user is a member. 4. To delete a user, select the user and click the Delete button. 5.
PAGE 162
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces Printing Records of Guest Accounts You can also print records of guest accounts. A record includes: ■ the username ■ the password (in plaintext) ■ the time and date at which the account starts and expires You can only print accounts created during the current management session. This requirement protects guest users’ passwords.
PAGE 163
Configuring the ProCurve Wireless Edge Services xl Module Management Interfaces 2. Click the Print link at the top of the screen. The Print screen is displayed. If you have not yet created a guest account, you receive an error message. You must click the Submit button before you can print the record of an account. Figure 2-29. Printing a User Record 3. From the drop-down menu, choose the username for the account that you want to print. The account information is displayed below. 4.
PAGE 164
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Radio Port Adoption By default, the Wireless Edge Services xl Module automatically adopts radio ports (RPs) that it detects on the network. For more security, you can disable automatic RP adoption and configure the module to adopt only those RPs for which you manually enter the MAC address.
PAGE 165
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Network Requirements for Layer 2 Adoption Before the Wireless Edge Services xl Module can adopt an RP that is connected to your network, the module must detect that RP. Detection is dependent upon network connectivity: all the network interfaces between the module and the RP must be correctly configured to carry traffic in the Radio Port VLAN.
PAGE 166
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Figure 2-31. RPs Attached to the Wireless Services-Enabled Switch Are Automatically Assigned to a Radio Port VLAN Attaching RPs to Infrastructure Switches If you connect an RP to an infrastructure switch, rather than to the wireless services-enabled switch, the VLAN memberships are not automatically created on the infrastructure switch.
PAGE 167
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption VLAN. (See Figure 2-32.) However, if the downlink ports on both switches carry only traffic from the Radio Port VLAN, you can make these ports untagged members of the Radio Port VLAN. Figure 2-32. Radio Port VLAN for an Indirectly Connected RP Instead of using the default Radio Port VLAN, you can use any VLAN in your network—even a VLAN that is used to transmit wired traffic.
PAGE 168
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Note Because the traffic transmitted between the RPs and the Wireless Edge Services xl Module is encapsulated, this wireless traffic remains separated from the other traffic on your company’s network—even if the RP is assigned to a VLAN used to transmit other types of traffic. To simplify management and troubleshooting, however, ProCurve Networking recommends that you dedicate a VLAN to RP traffic. Figure 2-33.
PAGE 169
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Note You might also need to perform some configuration tasks on the wireless services-enabled switch, such as raising the maximum number of VLANs.
PAGE 170
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Figure 2-34. RPs Requiring Layer 3 Adoption An RP first attempts to be adopted at Layer 2. If Layer 2 adoption fails, the RP initiates Layer 3 adoption. The RP sends a DHCP request so that it can begin to communicate at Layer 3. After receiving an IP address, the RP attempts to contact the Wireless Edge Services xl Module at Layer 3.
PAGE 171
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption ■ the correct bootloader code The bootloader code allows the RP to request a DHCP configuration and contact the Wireless Edge Services xl Module at Layer 3. If the RP did not ship with this code, it must first be adopted at Layer 2 by a Wireless Edge Services xl Module that is running software version 02.XX.
PAGE 172
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption ■ optionally, a DNS server that maps the name that the RP knows for the Wireless Edge Services xl Module to the module’s IP address (required only if you select the DNS strategy) • By default, the RP sends a DNS request for this name: PROCURVE-WESM The RP appends the domain suffix that it received through DHCP. For example: PROCURVE-WESM.procurve.com • Note You can change the name that the RP looks up.
PAGE 173
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Replace with the number of the port to which the RP connects. The CLI displays the RP’s boot code in the System Description field as the HwBoot Version. For example, the bootloader code for an RP that was last adopted by a version 01.XX module is 0.4. If the RP has the old boot code (0.4), you must have a Wireless Edge Services xl Module that runs version 02.XX software pre-adopt the RP at Layer 2.
PAGE 174
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption You can easily allow the RP to use the same pool as other stations. The DHCP server does not send the 189 option unless the device requests it. If, however, for whatever reason, you want to create a fixed configuration for the RP, you should specify the RP’s Ethernet MAC address as the client ID. You can find this MAC address on the undercarriage of a ProCurve RP 210 or 230 or the top face of a ProCurve RP 220. 3.
PAGE 175
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption You can check your RP’s boot code through the CLI of the switch to which it attaches. For example, enter this command on a ProCurve 5300xl Switch: ProCurve# show lldp info remote-device Replace with the number of the port to which the RP connects. The CLI displays the RP’s boot code in the System Description field as the HwBoot Version.
PAGE 176
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption 2. Verify that your DHCP server has a configuration that the RPs can use: • IP address in the RPs’ subnetwork • IP address of a default gateway • IP address of a DNS server • typically, a default domain name 3. Check the configuration of your network’s DNS server, if necessary adding an entry that maps the Wireless Edge Services xl Module’s hostname to its IP address. 4.
PAGE 177
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption 7. One of the Wireless Edge Services xl Module’s internal ports must be tagged for the VLAN on which RPs’ messages arrive—that is, the VLAN on which the module has the IP address specified on the DNS server. The module’s uplink port is probably already tagged for this VLAN. The RP can be adopted on the uplink port.
PAGE 178
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption The screen should list the Layer 3 RP just as it lists other RPs. However, the IP Address field shows the Layer 3 RP’s IP address. (This field shows N/A for Layer 2 RPs.) Note The IP address is for informational purposes only. For example, you can ping the RP at this address, but you cannot attempt to access or manage the RP.
PAGE 179
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Configuring Manual Adoption for RPs To manually adopt RPs, you must edit the global settings for RPs. Complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. Figure 2-38. Network Setup > Radio Screen 2. Click the Global Settings button. The Global screen is displayed.
PAGE 180
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Figure 2-39. Network Setup > Radio > Global Settings Screen 3. Uncheck the Adopt unconfigured radios automatically box. 4. Click the OK button to apply the change to the running-config. 5. Find the MAC address of the RPs that you want to manually adopt by selecting Device Information > Radio Adoption Statistics and clicking the Unadopted tab. The unadopted RPs and their MAC addresses are listed on this screen. 6.
PAGE 181
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Figure 2-40. Device Information > Radio Adoption Statistics Screen 7. Click the Adopt button at the bottom of the screen. The Add Radio screen is displayed. Figure 2-41.
PAGE 182
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption 8. If you selected an unadopted RP before clicking the Add button, the RP MAC Address field displays the MAC address of that RP. Otherwise, enter the RP’s Ethernet MAC address. 9. In the Radio Settings section, check the boxes for the radio types that you want—802.11a or 802.11bg (or both). 10. For each radio type that you select, in the corresponding Radio Index field enter a number to identify this RP. 11.
PAGE 183
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption 2. In the RP MAC Address field, enter the MAC address for the RP’s Ethernet interface. 3. In the Radio Settings section, check the boxes for the radio types that you want—802.11a or 802.11bg (or both). 4. For each radio type that you select, in the corresponding Radio Index field enter a number to identify this RP. 5. Click the OK button.
PAGE 184
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption You set an RP’s ID by selecting one of its radios in the Network Setup > Radio > Configuration screen and clicking the Edit button. Set the adoption preference ID to match the module that should adopt the RP. Figure 2-44. Radio Configuration Radio Settings Then enter a value from 1 to 65535 in the Adoption Preference ID field. Match the ID that you set for the Wireless Edge Services xl Module that should adopt this RP.
PAGE 185
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption You can create a radio configuration manually by clicking the Add button in the Network Setup > Radio > Configuration screen and entering the RP’s Ethernet MAC address. You can then edit the configuration and set the adoption preference ID to match the module that should adopt that RP. For a more efficient alternative, have one module pre-adopt all RPs and edit the radio configurations on that module.
PAGE 186
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption The default username and password on all ProCurve 200 Series RPs are admin and procurve. ProCurve Networking suggests that you use pre-adoption to change these settings, using a Wireless Edge Services xl Module to load new credentials on your organization’s RPs. You can then move these RPs to their final locations and be sure that only these RPs can connect to your network. Configuring 802.
PAGE 187
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Adoption Figure 2-46. Configure Port Authentication Screen 4. 5. Note Configure a username and password. • Check the Use Default Values box to use the default username and password: – username: admin – password: procurve • Or, in the Username and Password fields, enter the username and password that you want to use. Click the OK button, and then click the OK button on the Global screen.
PAGE 188
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance System Maintenance The Web browser interface allows you to manage: ■ software images ■ configuration files ■ SNMP support ■ password encryption Software Images The Wireless Edge Services xl Module maintains two software images: ■ primary ■ secondary Typically, the primary image loads when the Wireless Edge Services xl Module is rebooted.
PAGE 189
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Viewing the Software Images To view the version of the primary and secondary images, access the Management > System Maint.—Software screen. (See Figure 2-47.) Figure 2-47. Management > System Maint.—Software Screen The Management > System Maint.—Software screen includes the following fields: ■ Image—This field indicates whether the image is the primary or secondary image.
PAGE 190
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance ■ Built Time—This field reports the date and time that this software image was created. ■ Install Time—This field reports the date and time that this software image was updated on the Wireless Edge Services xl Module. Selecting the Software Image That Is Used to Reboot You can specify which software image the Wireless Edge Services xl Module will use the next time it is rebooted—the primary or the secondary.
PAGE 191
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance If you do not want the Wireless Edge Services xl Module to automatically reboot using the other image, you can disable this failover capability. Complete these steps: 1. Select Management > System Maint.—Software. Figure 2-49. Management > System Maint.—Software Screen 2. Click the Global Settings button at the bottom of the screen. The Software Global Settings screen is displayed. Figure 2-50.
PAGE 192
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance 3. Uncheck the Enable Image Failover box, and then click the OK button. The change is applied to the running-config. 4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Manually Updating the Software Image ProCurve Networking periodically updates the software image for the Wireless Edge Services xl Module.
PAGE 193
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance 6. In the Port field, if needed, change the port number for your FTP or TFTP server. In most cases, the defaults (port 21 for FTP, port 69 for TFTP) should apply to your server. 7. In the IP Address field, enter the IP address of the FTP or TFTP server. 8. If you are using an FTP server, enter the login credentials for that server. 9. a. In the User ID field, enter the username. b.
PAGE 194
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Table 2-2. Configuration Files Stored in Internal Flash Name of Configuration File Location in Internal Flash startup-config NVRAM other configuration files flash Viewing Configuration Files To view a configuration file, select Management > System Maint.—Config Files.
PAGE 195
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Figure 2-53. Viewing the Contents of the startup-config Click the Refresh button to update the information displayed in the screen. Click the Close button to return to the Management > System Maint.—Config Files screen.
PAGE 196
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Transferring, or Copying, Files The Web browser interface allows you to transfer, or copy, configuration files. You simply specify a source and a destination for the transfer. Valid selections are listed in Table 2-3: Table 2-3.
PAGE 197
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Figure 2-54. Management > System Maint.—Config Files > Transfer Screen 3. In the Source section, specify the source as an FTP or a TFTP server: a. In the From field, use the drop-down menu to select Server. b. In the File field, enter the name of the configuration file. c. In the Using field, use the drop-down menu to select either FTP or TFTP. d.
PAGE 198
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance 4. 5. In the Target section, specify the destination as the Wireless Edge Services xl Module: a. In the To field, use the drop-down menu to select Wireless Services Module. b. In the File field, enter the name that you want to give to the configuration file. Click the Transfer button. In the Status section at the bottom of the screen, a message is displayed, reporting whether the transfer was successful.
PAGE 199
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance 3. In the Target section, specify the destination. Choose a destination from the To drop-down menu: • Wireless Services Module—copy the file to another location on the module • Server—copy the file to an external FTP or TFTP server • Local Disk—copy the file to the workstation on which you are running the Web browser The Target fields below change depending on the target type.
PAGE 200
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Browse button Figure 2-56. Transferring a File to a New Location on the Module At any point during the transfer, you can click the Abort button to cancel the process. After you have finished transferring files, click the Close button. Copying a File to an External Server. Follow these steps to upload a file to an external FTP or TFTP server: 1.
PAGE 201
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance 8. Click the Transfer button. In the Status section at the bottom of the screen, a message is displayed, reporting whether the transfer was successful. At any point during the transfer, you can click the Abort button to cancel the process. After you have finished transferring files, click the Close button. Copying a File to the Local Disk. To specify the local hard disk as the destination, follow these steps: 1.
PAGE 202
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Managing the Directory Structure and Browsing for Files The browse button appears when are choosing where to download files to the Wireless Edge Services xl Module. Browse button Figure 2-58. Browse Button To use the browse button to search and manage the Wireless Edge Services xl Module’s directory structure, follow these steps: 1. In the Target section, click the browse button next to the File field.
PAGE 203
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Subdirectories (or folders) Flash file system Files saved in this directory Figure 2-59. Select Config file Screen The nvram stores the startup-config, and the system memory (volatile) holds the running-config. 3. In the left section, choose the folder in which you want to save the file. 4. Alternatively, create a new folder (in the flash memory only). a. Click the New Folder button. The New Folder screen is displayed.
PAGE 204
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance 5. Choose the filename. The path to the folder you have selected is displayed in the field at the bottom of the screen. Files in this folder display to the right. You can select one of these files and write over it, or you can choose a new file. To create a new file, add the filename to the path in the field at the bottom of the screen. For example: flash/myfolder/configA. 6. Click the OK button. 7.
PAGE 205
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Note If you attempt to delete the startup-config file, the Web browser interface allows you to go through the steps of deleting the file, but when you confirm that you want to delete the file, the following message is displayed at the bottom of the navigation bar: You have selected the system startup-config file. This file cannot be edited.
PAGE 206
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Update Server The Wireless Edge Services xl Module can communicate with an Update Server, on which you can store backup copies of the software image and the configuration file for your Wireless Edge Services xl Module.
PAGE 207
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Whenever the module requests the software image file from the Update Server, it also requests the configuration file. The configuration file that the Update Server sends must be exactly the same as the startup-config saved on the module. You can ensure that these files are the same by always saving the latest startup-config to the Update Server.
PAGE 208
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Avoiding Problems in Using the Update Server To ensure that the Wireless Edge Services xl Module does not boot with the wrong software image or the factory default settings, follow these guidelines: ■ Keep the Update Server settings current.
PAGE 209
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Configure the update server to ignore checksums Figure 2-63.
PAGE 210
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Table 2-4.
PAGE 211
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Table 2-5 shows which software image and configuration file are loaded in other circumstances. Table 2-5.
PAGE 212
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Configuring the Update Server Settings To configure the Update Server settings, complete these steps: 1. Select Management > System Maint.—Update Server. Figure 2-64. Management > System Maint.—Update Server Screen 2-104 2. Check the Update Server Unreachable box if you do not want the Wireless Edge Services xl Module to use the Update Server. 3.
PAGE 213
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance 5. 6. Enter the login credentials for the FTP server. a. In the User ID field, enter the username. b. In the Password field, enter the password for this username. In the Software section, configure the version number, filename and path for the software image. a. In the Version field, enter the version of the software image that is stored on the FTP or TFTP server. b.
PAGE 214
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance By default, only two types of passwords are encrypted when you view the configuration: ■ SNMP v3 user passwords ■ Web-User passwords (encrypted by SHA) Other types display in plaintext, by default: ■ passwords for users in the local RADIUS database ■ shared secrets for the RADIUS servers specified in WLAN settings ■ shared secret for globally configured RADIUS servers (used for authentication, authorization, and accountin
PAGE 215
Configuring the ProCurve Wireless Edge Services xl Module System Maintenance Set the encryption key for passwords Figure 2-65. ConfigPasswdEn Button 2. Click the ConfigPasswdEn button. Figure 2-66.
PAGE 216
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting 3. Set the key that encrypts passwords in the Password and Confirm Password fields. The key can be between 8 and 32 alphanumeric and special characters. 4. Click the OK button.
PAGE 217
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting Each community name is assigned an access control, which determines the operations an SNMP server can complete on the Wireless Edge Services xl Module: ■ Read-only—The SNMP server can retrieve information from the module. ■ Read-write—The SNMP server can retrieve information and modify the configuration settings.
PAGE 218
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting Figure 2-67. Management > SNMP Access > V1/V2c Screen 2. Select the community that you want to modify, and then click the Edit button. The Edit SnmpV1/V2c screen is displayed. (See Figure 2-68.) Figure 2-68. Edit SNMPV1/V2c Screen 2-110 3. In the Community Name field, enter the new name for the community. 4. In the Access Control field, use the drop-down menu to select the access control. 5.
PAGE 219
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting 6. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. SNMP Statistics You can view a number of SNMP statistics. To understand these statistics, you should know the five basic messages exchanged between SNMP servers and agents: ■ GET—SNMP servers send a GET message to request information about a setting.
PAGE 220
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting Figure 2-69. Management > SNMP Access > Statistics Screen SNMP Traps To generate alarm logs, you must enable the Wireless Edge Services xl Module to generate SNMP traps, and you must enable specific SNMP traps. For example, you may want the module to generate an alarm if file system space becomes low or if a user fails to authenticate.
PAGE 221
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting Enabling SNMP Traps By default, all SNMP traps are disabled. To enable SNMP traps, complete these steps: 1. Select Management > SNMP Trap Configuration and click the Configuration tab. Figure 2-70.
PAGE 222
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting • SNMP • Wireless 2. Check the Allow Traps to be generated box. 3. To view the SNMP traps in a category, click the Plus ( + ) sign next to the category. To view the SNMP traps in all categories, click the Expand all items button. 4. To enable all the traps, select All Traps and click the Enable all sub-items button. 5.
PAGE 223
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting 7. Click the Apply button to save the change to the running-config. 8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Disabling SNMP Traps To disable an SNMP trap that you previously enabled, complete these steps: 1. Select Management > SNMP Trap Configuration and click the Configuration tab. 2. To disable a specific SNMP trap, expand the SNMP category.
PAGE 224
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting Figure 2-72. Management > SNMP Trap Configuration > Wireless Statistics Thresholds Screen Table 2-6 shows which thresholds you can set for stations, radios, and WLANs, and for the Wireless Edge Services xl Module itself.
PAGE 225
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting Table 2-6.
PAGE 226
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting Figure 2-73. Management > SNMP Trap Receivers Screen 2. Click the Add button. The Add Trap receivers screen is displayed. Figure 2-74. Add Trap Receivers Screen 3. 2-118 In the IP Address field, enter the IP address of the SNMP server.
PAGE 227
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting 4. In the Port Number field, enter the port on which your SNMP server listens for traps. The valid range is from 1 to 65535. The default port is 162. 5. Chose v2c or v3 from the Protocol Options drop-down menu. 6. Click the OK button. The configuration change is applied to the runningconfig. 7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
PAGE 228
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting 2. Select the snmptrap user and click the Edit button. Figure 2-76. Changing the Password for SNMP v3 Traps 2-120 3. In the Old Password field, enter the current password—by default, procurve. 4. In the New Password and Confirm Password fields, enter the new password. 5. Click the OK button.
PAGE 229
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting View Information About SNMP Receivers. After you define an SNMP server, the server is displayed in the Management > SNMP Trap Receivers screen. Figure 2-77. Management > SNMP Trap Receivers Screen You can view the following information about that server: ■ Destination Address—the IP address of the SNMP server ■ Port—the port number that the module uses to communicate with the SNMP server.
PAGE 230
Configuring the ProCurve Wireless Edge Services xl Module SNMP Traps and Error Reporting Edit an SNMP Trap Receiver. If you define an SNMP trap receiver and later need to change its IP address, complete these steps: 1. Select Management > SNMP Trap Receivers. 2. Click the Edit button. 3. You can change these settings: • IP address • port To change the SNMP version, you must delete the receiver from the Management > SNMP Trap Receivers screen and re-add it with the correct version. 2-122 4.
PAGE 231
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses Radio Port Licenses Each Wireless Edge Services xl Module (J9001A) ships with 12 nonremovable RP licenses. When you install the Wireless Edge Services xl Module into a switch, the module can automatically adopt up to 12 RPs. If you move the Wireless Edge Services xl Module to another switch, these 12 RP licenses move with the module. They cannot be uninstalled or transferred to another Wireless Edge Services xl Module.
PAGE 232
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses If you install additional RP licenses on a Wireless Edge Services xl Module, these licenses remain with the module if you move the module: ■ from one slot to another slot in the same wireless services-enabled switch ■ from one wireless services-enabled switch to another It is possible, however, to move additive licenses—those purchased through the Wireless Services Module 12 RP License—from one Wireless Edge Services xl Modul
PAGE 233
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses Figure 2-78. Sample Network with Additive Licenses Installed on the Wireless Services-Enabled Switch in the North Building In situations such as this one, you can uninstall the Wireless Services Module 12 RP License from the Wireless Edge Services xl Module in the North building. You can then install the Wireless Services Module 12 RP License on the Wireless Edge Services xl Module in the South building.
PAGE 234
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses Figure 2-79.
PAGE 235
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses Only the Wireless Edge Services xl Module (J9001A) has RP licenses. The Redundant Wireless Services xl Module does not include radio port licenses and cannot independently adopt radio ports. When the Redundant Wireless Services xl Module is configured as part of a Redundancy Group, however, it can adopt radio ports under certain circumstances (such as if the Wireless Edge Services xl Module fails).
PAGE 236
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses If you have not yet registered with the My ProCurve Web portal, visit http://my.procurve.com and follow the registration instructions. Understanding the Numbers: IDs and Keys Installing and uninstalling the Wireless Services Module 12 RP License involves several different numbers: ■ Registration ID—The Wireless Services Module 12 RP License includes a registration ID. You do not input this number to install the license.
PAGE 237
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses Figure 2-80. My ProCurve Web Portal 4. Click ProCurve Device Software. You can now begin to generate a license key. (See Figure 2-81.
PAGE 238
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses Figure 2-81. Enter the Registration ID 5. Enter the registration ID that you located in step 1 in the Registration ID field and click Next. The Hardware ID page is displayed. 6. Find out the hardware ID for the Wireless Edge Services xl Module. a. Open a second browser (if you have not already done so) and access the Web browser interface for the Wireless Edge Services xl Module. b.
PAGE 239
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses Figure 2-82. The License-Install Summary Screen c. Click the Install button at the bottom of the screen. The Install License (Step 1 and Step 2) screen is displayed. (See Figure 2-83.) Figure 2-83.
PAGE 240
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses d. In the Step 1—Generate Hardware ID section, click the Gen-Hw-ID button. e. When a number is displayed in the System Generated Hardware Id field, copy it (using Ctrl-C) or write it down. (Copying the number is easier and more accurate.) You must enter this number on the My ProCurve Web portal. 7. Return to the My ProCurve Web portal. In the Enter Hardware ID# field, paste (using Ctrl-V) or enter the hardware ID. 8.
PAGE 241
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses To simplify the process of uninstalling a license, you may want to use two Web browsers as you complete these steps: 1. Access the Web browser interface for the Wireless Edge Services xl Module. 2. Select Management > Licenses and click the License-Install Summary tab. 3. Highlight the license that you want to uninstall and click the Uninstall button at the bottom of the screen. The Un-Install License screen is displayed.
PAGE 242
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses 8. Note When the uninstall verification key is displayed, copy the key (using Ctrl-C) or write it down. (Copying the key is easier and more accurate.) You will enter the key on the My ProCurve Web portal. If you forget or misplace the uninstall verification key, you can view it by selecting Management > Licenses and clicking the License_Uninstall Summary tab.
PAGE 243
Configuring the ProCurve Wireless Edge Services xl Module Radio Port Licenses 13. Paste (using Ctrl-V) or enter the uninstall verification key in the Uninstall verification ID# field, and the click the Next button. The My ProCurve Web portal generates and displays a new registration ID. The portal emails the registration ID to you and maintains a record of it. 14. To view your registration IDs, click the View available reg IDS link on the My ProCurve Web portal.
PAGE 244
Configuring the ProCurve Wireless Edge Services xl Module Setting System Information—Name, Time, and Country Code Setting System Information—Name, Time, and Country Code Access the Network Setup screen to configure system information: ■ system name and other information that the Wireless Edge Services xl Module reports to an SNMP server ■ the time and time zone for the internal clock ■ the country code You can also view information about the wireless services-enabled switch and reset passwords for th
PAGE 245
Configuring the ProCurve Wireless Edge Services xl Module Setting System Information—Name, Time, and Country Code Follow these steps to configure the system information, which the Wireless Edge Services xl Module reports to an SNMP server: 1. Name the module by entering a string in the System Name field. The string can include spaces and special characters. The default name is “Wireless Services.
PAGE 246
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) The country code configures the Wireless Edge Services xl Module to choose legal channels and transmit powers for RP radios. You must set the country code before the module can adopt RPs. Follow these steps: 1. From the Country drop-down menu, select your country. (See Figure 2-87.) 2. The Wireless Edge Services xl Module OS warns you that you must select the correct country code. Click the OK button.
PAGE 247
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) NTP Modes and Communications NTP relies on the standard client-server relationship: ■ Clients send time requests to servers. ■ Servers respond with the time. The Wireless Edge Services xl Module can operate as both a client and a server. To configure the module as a client, you must configure an NTP neighbor that acts as the module’s server.
PAGE 248
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-88. NTP Clock Stratum Levels The devices at stratum 0 are GPS clocks or other radio clocks. These devices are not attached to the network but are locally connected to computers. Computers at stratum 1 are attached to stratum 0 devices. Stratum 1 devices can act as time servers for timing requests from stratum 2 servers via NTP. Computers at stratum 2 send NTP requests to stratum 1 servers.
PAGE 249
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Several organizations on the Internet offer NTP servers at stratums 1 through 3. Some require you to purchase the service, and others grant it for free. You can configure your Wireless Edge Services xl Module to communicate with one of these servers and then, acting as a server, pass the time on to clients in your network.
PAGE 250
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) By encrypting the cookie with the client’s public key, the server ensures that only the client can use the cookie. The client, for its part, must initially trust the server. After this initial trust, the client knows that the same server is sending the time because only that server has the cookie that generates the correct keys.
PAGE 251
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) • Add up to three neighbors. The correct neighbor configuration depends on your network’s NTP implementation: – Your module acts as the master clock and is your network’s only time server. No neighbors are required. – Your module acts as your network’s only time server and receives its time from one or more servers on the Internet. Specify up to three Internet servers as neighbors in server mode.
PAGE 252
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Configuring Secure NTP Options To configure a Secure NTP server, complete these steps: 1. Select Special Features > Secure NTP > Configuration. Figure 2-89. Special Features > Secure NTP > Configuration Screen 2. Optionally, in the Other Settings section, check the Authenticate Time Sources box.
PAGE 253
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) If you enable your module to act as the master clock, it can serve the time whether or not it receives the time from another server or peer. 4. If you checked the Act as NTP Master Clock box (in step 3), in the Clock Stratum field enter how many hops (from 1 to 15) the Wireless Edge Services xl Module is from an NTP time source.
PAGE 254
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Applying ACLs to NTP Services For additional security, you can set access controls on the NTP messages that your Wireless Edge Services xl Module receives. The module only accepts a particular type of message if the ACL applied to that type permits it. You will first need to configure the ACLs for NTP resource access before completing this task. (See Chapter 7: Access Control Lists (ACLs).
PAGE 255
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) You can control four types of access to NTP resources: ■ Full Access—The Wireless Edge Services xl Module accepts all messages from devices permitted by the associated ACL and will synchronize with these devices. This is typically the type of access that you would grant your NTP neighbors. ■ Only Control Queries—The module accepts only control queries from devices permitted by the ACL.
PAGE 256
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Configuring Authentication for Secure NTP When the Wireless Edge Services xl Module requires authentication for secure NTP, it drops all NTP packets unless they are encrypted with the correct key. Authentication ensures that the server providing system time to the Wireless Edge Services xl Module is trusted.
PAGE 257
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-91. Enabling Auto Key for Secure NTP 3. In the Auto Key field, use the drop-down menu to enable auto key: • Host Enabled—The Wireless Edge Services xl Module requires clients and neighbors to use auto key to authenticate themselves. • Client only Enabled—The module uses auto key only to authenticate itself to a server. 4. Click the Apply button. 5.
PAGE 258
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) 6. Click the Save link. 7. Make sure that your Wireless Edge Services xl Module has the proper certificates. See “Digital Certificates” on page 2-165. Adding Symmetric Keys. Symmetric key authentication uses a single (symmetric) key for encryption and decryption. Because both the sender and the receiver must know the same key, it is also referred to as shared key cryptography.
PAGE 259
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-92. Special Features > Secure NTP > Symmetric Keys Screen 3. Click the Add button. The ADD screen is displayed. (See Figure 2-93.) Figure 2-93. Add Symmetric Key Screen 4. In the Key ID field, enter the key ID, from 1 through 65534.
PAGE 260
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) 5. In the Key Value field, enter any string up to 32 characters for the authentication key value. This key must match the key configured on the neighbor for which you specify this key ID. 6. To define this key as a trusted key, check the Trusted Key box. The Wireless Edge Services xl Module considers a neighbor that uses this key to be a trusted source.
PAGE 261
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-94. Special Features > Secure NTP > NTP Neighbor Screen 2. Click the Add button. The Add Neighbor screen is displayed.
PAGE 262
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-95. Add Neighbor Screen 3. 4. 2-154 Select the neighbor type: • Peer—A peer is another NTP server in a close relationship with your Wireless Edge Services xl Module. The module synchronizes with its peers, and at any given moment only one peer in the group acts as the NTP server.
PAGE 263
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) 5. In the NTP Version field, use the drop-down menu to select the version of NTP to use with this configuration. Although the latest version of the NTP implementation is NTPv4, the official Internet standard is NTPv3. 6. Select the authentication method: • No Authentication—No authentication is used.
PAGE 264
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-96. Special Features > Secure NTP > NTP Neighbor Screen 2. 2-156 Click the Add button. The Add Neighbor screen is displayed.
PAGE 265
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-97. Add Neighbor Screen 3. Select Broadcast Server for the neighbor type. 4. In the IP Address field, enter the broadcast address for the module’s subnetwork. For example, you want the module to run the broadcast server on its VLAN 8 interface, which has the address 10.4.8.30/24. Enter 10.4.8.255. 5.
PAGE 266
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) 7. If you selected Symmetric Key Authentication in step 6, in the Key ID field enter the symmetric key ID. The key ID references the symmetric key that you created earlier. (See “Adding Symmetric Keys” on page 2-150). You must configure clients in this network to match the key referenced by the ID. 8. Click the OK button.
PAGE 267
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-98. Special Features > Secure NTP > NTP Associations Screen The screen includes the following fields: ■ Address—the numeric IP address of the resource providing NTP updates to the switch Typically, the NTP system is a peer or server that you have configured as your Wireless Edge Services xl Module’s neighbor.
PAGE 268
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) ■ When—the number of seconds since a message has been received from the remote resource ■ Peer Poll—the maximum interval between successive messages, in seconds (always a power of 2 value, such as 8 or 64) ■ Reach—the status of the last eight NTP messages displayed in octal format If an NTP packet reaches the resource successfully, the packet is assigned the value of 1.
PAGE 269
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Figure 2-99. Details Screen The Details screen includes the following additional information: ■ Association—state of the association ■ Sanity—an indicator of the “sanity” of NTP packets The sanity indicates whether the time sent by the resource seems reasonable based on time from other resources.
PAGE 270
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) ■ Host Mode—the Wireless Edge Services xl Module’s mode: client—The module is associated with a resource that operates in server mode. The module polls the server, but does not respond to polls from the server. If the server sends valid NTP packets, the module may synchronize with it. server—The module allows itself to be polled by clients that want to synchronize with it.
PAGE 271
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) By tracking timestamps for all NTP exchanges, the Wireless Edge Services xl Module calculates the following: ■ Root Delay—a 32-bit signed fixed-point number indicating the total roundtrip delay to the primary reference source, in seconds with fraction point between bits 15 and 16 Note that this variable can take on both positive and negative values, depending on the relative time and frequency offsets.
PAGE 272
Configuring the ProCurve Wireless Edge Services xl Module Enabling Secure Network Time Protocol (NTP) Viewing Secure NTP Status The Special Features > Secure NTP > Secure NTP Status screen displays current status information for the Wireless Edge Services xl Module’s NTP services. (The NTP Associations tab shows the status for all associations with potential time sources.) Figure 2-100.
PAGE 273
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates ■ Precision—the precision (accuracy) of the Wireless Edge Services xl Module’s time clock, in Hz The values that normally are displayed in this field range from -6 for mainsfrequency clocks to -20 for microsecond clocks found in some workstations.
PAGE 274
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Overview Digital certificates rely on asymmetric encryption with public/private key pairs. Data encrypted by a private key must be decrypted by the corresponding public key. A host “signs” data by encrypting it with its private key—something only it can do because only it knows the private key. Other hosts verify the signature by decrypting the signature with the public key.
PAGE 275
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Configuring Digital Certificates On the Wireless Edge Services xl Module, you create and manage trustpoints, in which you create or load the following elements: ■ Server certificate, which is the certificate that identifies and authenticates the module For a self-signed certificate, you create the server certificate yourself and have the Wireless Edge Services xl Module sign it.
PAGE 276
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 6. Use the CLI to upload the CRL. You access the Certificates Wizard, as well as manage trustpoints, in the Management > Certificate Management screen. Figure 2-101.Management > Certificate Management Screen The Management > Certificate Management screen has two main tabs: ■ 2-168 Trustpoints—This screen lists the trustpoints on the Wireless Edge Services xl Module and the certificates associated with each trustpoint.
PAGE 277
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates ■ Keys—This screen lists the key pairs that have been created on the Wireless Edge Services xl Module. You can associate a key pair with a trustpoint, and the module includes the public key for that pair in the selfsigned certificate or the certificate request. (The Keys tab is shown in Figure 2-114 on page 2-191.
PAGE 278
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-102.Certificates Wizard Welcome Screen On this screen, you can select the certificate operations that you want to perform, which are documented in the following sections.
PAGE 279
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Creating a Self-Signed Certificate. To create a new self-signed certificate, complete these steps: 1. On the Certificates Wizard Welcome screen, in the Select a certificate operation section, select Create a new certificate. 2. Click the Next button. The screen shown in Figure 2-103 is displayed. Figure 2-103.Certificate Wizard Options Screen (Self-Signed Certificate) 3.
PAGE 280
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 4. 5. Note • Use existing trustpoint—You can select a trustpoint that you have created previously from the drop-down menu. (This option is available only when an existing trustpoint does not have a current certificate.) • Create a new trustpoint—Enter the trustpoint name in the field.
PAGE 281
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-104.Certificate Credentials Screen (Self-Signed Certificate) 7. If you specified in step 4 that you are creating a new trustpoint, check the Configure the trustpoint box to configure the trustpoint. 8. Select Automatically generate certificate with default values to generate a certificate with default credential values.
PAGE 282
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates • City—the city in which the module operates • Organization—your organization (typically your company name) • Organizational Unit—your organizational unit (typically your department name) • Common Name—the URL that you use to access the Web browser interface The text that you enter must replicate the URL exactly and cannot include spaces or special characters other than periods ( . ) and hyphens ( - ).
PAGE 283
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-105.Certificate Wizard Options Screen (Certificate Request) 3. In the Select a certificate operation section, select Prepare a certificate request to send to a certificate authority. 4. In the Select a trustpoint for the new certificate section, select one of the following: • Use existing trustpoint—You can select a trustpoint that you have created previously from the drop-down menu.
PAGE 284
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 5. Note • Automatically generate a key—Generate a key specifically for this certificate. • Use existing key—Use a key pair that you created previously; select the key from the drop-down menu. • Create a new key—Create a new key pair for this certificate that you can also use for future certificates. – In the Key Label field, enter a name for the key.
PAGE 285
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-106.Certificate Credentials Screen (Certificate Request) 7.
PAGE 286
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Note • Email Address—a valid email address for you or the person responsible for managing the Wireless Edge Services xl Module (optional) • FQDN—the module’s fully qualified domain name (optional) • IP Address—the IP address for the certificate (optional) • Password—a password that must be entered to install the certificate (optional; only specify a password if requested by your CA) Do not type special characters in any
PAGE 287
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-107.Copy or Save Certificate Request 10. To save the text of the certificate request to send to a CA, you can do either (or both) of the following: • Check the Copy the certificate request to clipboard box; after you click the Next button in step 11, you can paste the text into a text file.
PAGE 288
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates iii. Choose FTP or TFTP from the Using drop-down menu, and if necessary choose the port for your server. (The default port is usually correct.) iv. Specify the server’s IP address. v. For FTP, enter the username and password. vi. Leave the Path field blank to save to the server’s base directory. Or enter a valid directory path on the server.
PAGE 289
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-108.Certificates Wizard—Uploading a Certificate 2. Click the Next button. The screen shown in Figure 2-109 is displayed.
PAGE 290
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-109.Upload Certificate to Trustpoint 3. 4.
PAGE 291
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates You can select either or both certificates to upload. However, you can only upload a certain type of certificate if the selected trustpoint does not already include that type. If you want to upload a new certificate, first delete the current certificate. See “Deleting Trustpoints, Certificates, and Keys” on page 2-183. 5.
PAGE 292
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-110.Certificates Wizard—Deleting Certificates 2. 2-184 Click the Next button. The screen shown in Figure 2-111 is displayed.
PAGE 293
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-111.Certificate Wizard Delete Operations 3. Select your delete operations: • To delete an entire trustpoint, select Delete trustpoint and all certificates inside it. Then use the drop-down menu to select the trustpoint to delete. This selection deletes the trustpoint and everything it contains, including certificates, a certificate request, and a CRL.
PAGE 294
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 4. Click the Next button. 5. On the confirmation screen, click the Next button to confirm the deletion. Or, click the Cancel button to cancel the deletion. 6. After the deletion is complete, on the completion screen that is displayed, click the Finish button. 7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
PAGE 295
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates When you transfer a trustpoint, you copy these elements (if included in that particular trustpoint): ■ server certificate ■ CA certificate ■ CRL Transferring Trustpoints from the Wireless Edge Services xl Module to a Server To transfer a trustpoint from the Wireless Edge Services xl Module to a server, complete these steps: 1. Select Manager > Certificate Management and click the Trustpoints tab. 2.
PAGE 296
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 6. From the Using drop-down menu, select the protocol for the trustpoint transfer, either FTP or TFTP. 7. In the Port field, enter the respective FTP or TFTP port number; the default port number (port 21 for FTP, port 69 for TFTP) should apply in most cases. 8. In the IP Address field, enter the IP address of the FTP or TFTP server. 9. If you are using an FTP server, enter the login credentials. a.
PAGE 297
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-113.Transfer Trustpoints from Server 3. In the Source section, select Server from the From field. 4. In the File field, enter the filename of the source trustpoint file. 5. In the Using drop-down menu, select the protocol for the external server, either FTP or TFTP. 6.
PAGE 298
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 13. After the trustpoint transfer is complete, click the Close button. Certificate Keys A certificate relies on a public/private key pair. You can use the same key pair for multiple certificates, or you can use a different pair for each certificate. When you configure certificate requests and self-signed certificates, you can automatically create a public/private key pair for the certificate.
PAGE 299
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-114.Management > Certificate Management > Keys Screen 2. Click the Add button. The Add Key screen is displayed. Figure 2-115.Add Key Screen 3. In the Key Name field, enter a name for the key. Enter between 2 and 64 characters. The only permissible special character is “_”.
PAGE 300
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 4. In the Key Size field, enter the key size, from 1,024 through 2,048 bytes. 5. Click the OK button. Transferring Keys You can transfer key pairs to a secure location for archiving. Transferring keys is recommended to ensure that server certificate key information is available if problems are encountered with the switch and this data needs to be retrieved.
PAGE 301
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 3. In the Source section, in the From field, use the drop-down menu to select Wireless Services Module. 4. Use the next drop-down menu to select the key to be transferred. 5. In the Pass phrase field, enter a passphrase, which can include spaces and special characters. The passphrase encrypts the key pair, and, although optional, is recommended for security.
PAGE 302
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates Figure 2-117.Transfer Keys from Server or Local Disk Screen 3. In the Source section, in the From field, use the drop-down menu to select either Server or Local Disk. 4. In the File field, enter the filename of the source key file. If you selected Local Disk as the source in step 3, include the path with the filename. 5.
PAGE 303
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 6. In the Pass phrase field, enter the passphrase to encrypt the key. Unless you enter the correct passphrase, the Wireless Edge Services xl Module cannot install the key. However, if the key has not been encrypted, leave this field empty. 7. In the Target section, in the File field, enter the filename of the target key file. 8. Click the Transfer button.
PAGE 304
Configuring the ProCurve Wireless Edge Services xl Module Digital Certificates 2-196
PAGE 305
3 Radio Port Configuration Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Country-Code and Regulatory Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Configuring Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Creating a Radio Adoption Default Configuration . . . . . . . . . . . . . . . . 3-8 Viewing and Configuring Properties . . . . . . . . . . . . . . . .
PAGE 306
Radio Port Configuration Overview Overview The ProCurve Wireless Edge Services xl Module manages the ProCurve Radio Ports (RPs) 210, 220, and 230. Using their Ethernet port and one or two radios, these IEEE 802.11-compliant RPs grant wireless stations access to an Ethernet network. RPs provide the radio signal and the physical connection to wireless users, but little intelligence on their own.
PAGE 307
Radio Port Configuration Country-Code and Regulatory Procedures tions on enabling the best possible roaming between RPs adopted by multiple Wireless Edge Services xl Modules can be found in Chapter 9: Fast Layer 2 Roaming and Layer 3 Mobility. In addition, the ProCurve RPs improve quality of service (QoS) in the wireless network with support for Wi-Fi Multimedia (WMM). Each radio can divide outbound wireless traffic into four queues based on priority value or on WLAN.
PAGE 308
Radio Port Configuration Country-Code and Regulatory Procedures Figure 3-1. Configuring the Country Code Refer to http://www.hp.com/rnd/support/manuals/rports.htm for information about each country’s regulations and permissible radio settings.
PAGE 309
Radio Port Configuration Configuring Radio Settings Configuring Radio Settings You configure radio settings for the ProCurve RPs 210, 220, and 230 through the Wireless Edge Services xl Module. The ProCurve RP 220 and 230 each have two built-in radios; one radio supports 802.11a standards while the other supports 802.11bg standards. The ProCurve 210 has a single radio that supports the 802.11bg standards.
PAGE 310
Radio Port Configuration Configuring Radio Settings Figure 3-2. Default Configuration Screen for a Radio Type The screen for configuring the radio adoption default settings is labeled Network Setup > Radio Adoption Defaults > Configuration > Edit. The top left on the screen reads Configuration, and the top right displays the radio type: 802.11a or 802.11bg. For ease of reference, this guide will call that screen a radio type’s default Configuration screen.
PAGE 311
Radio Port Configuration Configuring Radio Settings Figure 3-3. Configuration Screen for a Radio Be careful to make configuration changes on the correct screen. Otherwise, the changes will not take effect as expected. Table 3-1 summarizes how you edit the radio configurations and how the Wireless Edge Services xl Module deploys them. For more information, see Chapter 1: Introduction. Table 3-1.
PAGE 312
Radio Port Configuration Configuring Radio Settings Creating a Radio Adoption Default Configuration The Wireless Edge Services xl Module stores two radio adoption default configurations, one for 802.11a radios and one for 802.11bg radios. It deploys the configurations to radios on any unconfigured RP that it adopts. These configurations only affect newly adopted radios.
PAGE 313
Radio Port Configuration Configuring Radio Settings As described above, you establish settings for a radio adoption default configuration from a radio type’s default Configuration screen. To access this screen, complete these steps: 1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab. This screen includes two rows, one for 802.11a and one for 802.11bg.
PAGE 314
Radio Port Configuration Configuring Radio Settings Model Radio Type Background AP detection Dedicated to detecting rogue APs Figure 3-5. Radio Adoption Default Configuration Properties This screen includes three sections: Properties, Radio Settings, and Advanced Properties. In the following sections, you will learn how to configure each of the settings on this screen. Viewing and Configuring Properties For the most part, you view, rather than configure, settings in this section.
PAGE 315
Radio Port Configuration Configuring Radio Settings When you configure this setting as part of the default configuration, you dedicate all radios of that 802.11 mode. For example, if your network does not include any stations that use 802.11a mode, you could dedicate all 802.11a radios in your network to scanning for rogue APs. (Note, however, that these radios will only detect APs operating in an 802.11a channel.) Note As a security measure, you can configure all RPs to be adopted as detectors.
PAGE 316
Radio Port Configuration Configuring Radio Settings Configuring Radio Settings Configure the basic radio settings in the default Configuration screen’s Radio Settings section, as shown in Figure 3-6. These settings include: ■ radio placement ■ channel selection method ■ transmit power ■ rate settings You should configure the settings in this order; the radio placement setting dictates available channel options, and the channel selection method affects available power levels.
PAGE 317
Radio Port Configuration Configuring Radio Settings overcome distance-based signal loss, but an indoor RP should broadcast at a lower power to accommodate closer stations and minimize interference with other local RPs. In addition, some countries allow certain channels to be used only outdoors. Unless you are certain that all RPs will operate outdoors, you should leave the Placement setting at Indoors for the radio adoption default configurations.
PAGE 318
Radio Port Configuration Configuring Radio Settings 3. In the Desired Channel field, use the drop-down menu to select either Random or ACS. 4. Click the OK button. If you want to set channels manually, then you must do so for particular radios after they are adopted. (See “Configuring Radio Settings for a Particular Radio” on page 3-30). Setting the Desired Radio Power. After you have selected a channel, you must select the radio power.
PAGE 319
Radio Port Configuration Configuring Radio Settings Note A warning box may be displayed, reminding you to be careful when setting a power for a radio that is using external antennas. Verify that the power and channel settings are within local limits, and then click the OK button. Configuring Rate Settings. You can specify the data rates, in Mbps, that default radios support for traffic passing between the radio and a station.
PAGE 320
Radio Port Configuration Configuring Radio Settings The basic rates are rates for which RP radios advertise support. A radio uses and allows stations to use basic rates for: ■ management frames ■ broadcast frames ■ multicast frames Such frames are sent to all stations associated to a basic service set (BSS); therefore, if an RP is to support 802.11b stations, it must use only the rates (1, 2, 5.5, and 11 Mbps) supported by those slower stations. If an 802.11bg radio does not need to support 802.
PAGE 321
Radio Port Configuration Configuring Radio Settings In addition, even when you have selected g rates (such as 6, 12, and 24) for the basic rates, you should consider allowing b rates (1, 2, 5.5, and 11) for the supported rates. 802.11b stations still cannot connect to the WLAN, but RPs and 802.11g stations can use the b rates to avoid interference from any 802.11b stations that might be in the vicinity.
PAGE 322
Radio Port Configuration Configuring Radio Settings The RTS Threshold, Beacon Interval, and Self Healing Offset fields are accompanied by a column that describes the units in which these settings are configured. For example, the RTS threshold is configured in bytes, and the beacon interval is configured in units of 1,000 microseconds (or 1 millisecond). Options Max Stations Antenna Mode Units Adoption Pref ID Short Preamble Figure 3-9.
PAGE 323
Radio Port Configuration Configuring Radio Settings You can select one of three options for the antenna mode: diversity, primary, and secondary. The Diversity option requires the RP radio to have a diversity antenna (either internal or external). If an RP radio uses a non-diversity external antenna, you must specify to which connector you have attached it by selecting Primary or Secondary.
PAGE 324
Radio Port Configuration Configuring Radio Settings A Wireless Edge Services xl Module preferentially adopts RPs that have the same ID as the module itself. (See “Configure an Adoption Preference for the Module” on page 10-28 in Chapter 10: Redundancy Groups for instructions on setting this ID.
PAGE 325
Radio Port Configuration Configuring Radio Settings 4. Click the OK button. To force another Wireless Edge Services xl Module to adopt a particular radio, change the radio’s preference ID to the ID on that second module, as explained in “Configuring Advanced Properties for a Particular Radio” on page 3-32. Enabling Support for a Short Preamble. As part of the 802.11 standards, stations and radios are required to prepend a preamble to transmitted frames.
PAGE 326
Radio Port Configuration Configuring Radio Settings Stations can avoid transmitting at the same time by exchanging RTS and Clear to Send (CTS) packets with the RP. A wireless station sends an RTS packet to notify the radio that it would like to transmit. If the channel is clear, the radio sends a CTS packet to the requesting station. This procedure clears the air for a specific transmission when many stations may be contending for transmission time.
PAGE 327
Radio Port Configuration Configuring Radio Settings Setting the Beacon Interval. A beacon is an 802.11 management frame that is broadcast by an RP radio to advertise its presence as a network point of access and to keep the network synchronized.
PAGE 328
Radio Port Configuration Configuring Radio Settings To set the default number of beacons between DTIMs that radios in your network broadcast, complete these steps: 1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab. 2. Select the radio type and click the Edit button. 3. In the DTIM field, enter the number of beacons between DTIMs. 4. Click the OK button. Setting the Self Healing Offset.
PAGE 329
Radio Port Configuration Configuring Radio Settings Creating a Radio Configuration for a Particular Radio When the Wireless Edge Services xl Module is powered on, it can identify and adopt the RPs that are connected to the network. In “Creating a Radio Adoption Default Configuration” on page 3-8, you learned how to configure the settings that the module deploys to RPs when first adopted. In this section, you will learn about configuring override settings for particular identified radios.
PAGE 330
Radio Port Configuration Configuring Radio Settings Figure 3-10. Network Setup > Radio > Configuration Screen The Network Setup > Radio > Configuration screen lists all of the radios that the Wireless Edge Services xl Module has identified and their current settings and status. Radios are listed by index number. (The first radio that the module identifies is typically assigned the first index, and so on.) Radios are further identified by a name and a type.
PAGE 331
Radio Port Configuration Configuring Radio Settings To create the configuration, select the unadopted radio, click the Edit button, and configure the settings. The Wireless Edge Services xl Module deploys the configuration after it adopts the RP. For each RP radio, the Network Setup > Radio screen lists information in these columns: ■ Index—the radio’s index number, by default assigned in the order in which radios are adopted ■ Name—a descriptor for the radio.
PAGE 332
Radio Port Configuration Configuring Radio Settings Description Detector Unapproved APs MAC Address Radio Type Index Type Figure 3-11. Radio Configuration Properties Configuring Properties The Properties section on a radio’s Configuration screen differs from that in a radio type’s default Configuration screen: the radio’s reports more detailed information about the specific radio, including the radio’s base MAC address, its radio type, and its index type.
PAGE 333
Radio Port Configuration Configuring Radio Settings To modify the description, complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. 2. In the Radio Descr. field, enter a text string of up to 20 characters to describe the radio. 3. Click the OK button. Dedicating a Radio as a Detector for Unapproved APs. You can dedicate a particular radio to detecting APs in your environment.
PAGE 334
Radio Port Configuration Configuring Radio Settings Base Radio MAC. The MAC address displayed in the Properties section is the hardware MAC address for that radio. A dual-radio RP has two separate radio MAC addresses (as well as an Ethernet MAC address). A BSSID, which is the MAC address that the radio uses to carry traffic for a particular WLAN (or WLANs), is generated from this base MAC address. Each RP radio includes four BSSIDs, each of which can carry traffic for four WLANs. Radio Type.
PAGE 335
Radio Port Configuration Configuring Radio Settings Placement Actual Column Channel Selection Power Options Figure 3-12. Radio Configuration Radio Settings To change the radio settings, complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. 2. Select the radio that you want to configure and click the Edit button. 3. In the Placement field, use the drop-down menu to select the placement, Indoors or Outdoors.
PAGE 336
Radio Port Configuration Configuring Radio Settings 5. If you want, in the Desired Channel field, use the drop-down menu to select either: • Random • ACS • a specific channel number Channel numbers will vary, depending on the type of radio (802.11a or 802.11bg) that you are configuring, the radio’s country code, and the radio’s placement (indoors or outdoors). 6. If you want, in the Desired Power (dBm) field, use the drop-down menu to select a non-default transmit power.
PAGE 337
Radio Port Configuration Configuring Radio Settings ■ Adoption Preference ID ■ Short Preambles only (802.11 bg radios only) ■ RTS Threshold ■ Beacon Interval ■ DTIM Period ■ Self Healing Offset See “Setting Advanced Radio Properties” on page 3-17 for more information on each setting. Setting the DTIM Period is slightly different for the targeted radio configuration; see “Setting DTIM Periods for a Particular Radio” on page 3-33. You can alter any of these settings for a particular radio.
PAGE 338
Radio Port Configuration Configuring Radio Settings However, a particular RP radio sends out beacons on each of its four BSSIDs, and the Wireless Edge Services xl Module allows you to set a different DTIM period for each BSSID. In this way, you can, for example, set a higher DTIM period on a BSSID that supports a traditional data WLAN, but a lower DTIM period on a BSSID that supports a voice WLAN. To find the BSSID used by your WLAN (with normal configuration), see Table 3-3.
PAGE 339
Radio Port Configuration Configuring Radio Settings Set different DTIM periods for the radio’s four BSSIDs Figure 3-13. Radio Configuration Radio Settings 3. In the Advanced Properties section, click the DTIM Periods button. The DTIM Periods screen is displayed. Figure 3-14. DTIM Periods 4. In the field for each BSS, enter the number of beacons between DTIMs. 5. Click the OK button.
PAGE 340
Radio Port Configuration Configuring Radio Settings Configuring Multiple Radios at Once To save time, you can configure settings for multiple radios at once. Hold down as you select the radios and click the Edit button. The Configuration screen is displayed. You can edit the configuration much as you would for a single radio. However, certain parameters are grayed out; these parameters are restricted to configuration on one radio at a time.
PAGE 341
Radio Port Configuration Configuring Radio Settings Running ACS is one of the Tools Figure 3-15. Running ACS on All RP Radios 2. Click the Tools button. 3. On the pop-up menu that is displayed, select Run ACS Now. The Wireless Edge Services xl Module scans all channels and discovers which radios are adopted and using which channels. The module then analyzes the radios’ channels and moves each ACS-enabled radio to the channel where it is least likely to experience interference from other radios.
PAGE 342
Radio Port Configuration Configuring Radio Settings Figure 3-16. Running ACS Resetting a Radio It may become necessary for you to reboot an RP. For a dual-radio RP (such as the RP 220 or 230), you can either reset the entire RP or only one of its radios. Complete these steps: 3-38 1. Select Network Setup > Radio and click the Configuration tab. 2. Select the radio that you want to reset and click the Tools button.
PAGE 343
Radio Port Configuration Configuring Radio Settings Reset Radio1 Figure 3-17. Resetting a Radio 3. On the pop-up menu that is displayed, select Reset. The Confirm Reset screen is displayed. Figure 3-18. Resetting a Radio 4. Select a reset option: • If you click the Reset Radio only button, only the selected radio will reset. • If you click the Reset entire Radio Port button, the RP for the selected radio will reset, along with both radios on the same RP.
PAGE 344
Radio Port Configuration Configuring Radio Settings Managing RP Radios You can perform several actions on an RP radio in the Network Setup > Radio screen. Select the radio from the list and clicking the buttons at the bottom of the screen: ■ Click the Edit button to alter a radio’s configuration. The Configuration screen for that radio is displayed. (See “Configuring Radio Settings for a Particular Radio” on page 3-30.) ■ Click the Delete button to delete a radio configuration and unadopt the radio.
PAGE 345
Radio Port Configuration Configuring Radio Settings Enter the RP’s Ethernet MAC address in the RP MAC Address field. Then choose the appropriate radio or radios for the RP and assign them index numbers not currently used on this Wireless Edge Services xl Module. Click OK, and you can then select and edit the configuration for this RP’s radios before the RP is even adopted. ■ ■ Click the Tools button to view a pop-up menu with the following options: • Reset—Select this option to reboot the radio.
PAGE 346
Radio Port Configuration Configuring Radio Settings LLDP Button Figure 3-20. LLDP Button The LLDP screen is displayed. If you select a radio before clicking the LDAP button, the MAC Address field is automatically filled with the RP’s Ethernet MAC address. See Figure 3-21.
PAGE 347
Radio Port Configuration Configuring Radio Settings Figure 3-21. LLDP Screen You might have already customized the radio’s name. Select Set Radio Name as LLDP Name to use this name for the LLDP name as well. Alternatively, manually enter a name in the LLDP Name field. (The name can include alphanumeric and special characters, as well as spaces.) In the MAC Address field, enter the Ethernet MAC address of the RP. Or enter 00-00-00-00-00-00 to apply the LLDP name to all radios. Then click the OK button.
PAGE 348
Radio Port Configuration Considerations for Enabling Client Roaming Considerations for Enabling Client Roaming A mobile station may roam back and forth between several RPs. Ideally, such roaming is hidden from wireless users, who do not need to know when they connect to a new RP. They simply want their applications to continue functioning smoothly. A station itself determines when it needs to roam (typically, in order to associate to a radio with a better signal).
PAGE 349
Radio Port Configuration Considerations for Enabling Client Roaming Setting the power level lower than the maximum can help you provide seamless coverage. Place RPs more closely together and configure self healing, as described in “Network Self Healing” on page 13-88 of Chapter 13: Wireless Network Management. ■ the antenna type The RP 210’s and RP 230’s internal radios use omnidirectional diversity antennas, which send out the signal in all directions equally.
PAGE 350
Radio Port Configuration Quality of Service (QoS) on RP Radios Quality of Service (QoS) on RP Radios All traffic on a radio shares the same medium. So an RP radio may queue traffic for multiple WLANs together. By default, RPs queue traffic according to the classification of the WLAN to which it belongs. Because, by default, this classification is normal for all WLANs, all traffic receives the same handling. That is, each frame must contend for the medium on equal footing.
PAGE 351
Radio Port Configuration Quality of Service (QoS) on RP Radios Each outbound radio queue is defined by different WMM parameters, which determine how the RP contends for the medium in order to transmit frames in that queue.
PAGE 352
Radio Port Configuration Quality of Service (QoS) on RP Radios For more information about WMM and other QoS mechanisms, see “Traffic Management (QoS)” on page 4-90 of Chapter 4: Wireless Local Area Networks (WLANs). To learn how to customize RP WMM parameters, see “Viewing and Customizing RP WMM Parameters” on page 4-104 on Chapter 4: Wireless Local Area Networks (WLANs).
PAGE 353
4 Wireless Local Area Networks (WLANs) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 Configuration Options: Normal Versus Advanced Mode . . . . . . . . . . . . . . 4-4 Normal Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 Why Use Normal Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 Enabling WLANs Using Normal Mode . . . . . . . . . . . . . . . . . .
PAGE 354
Wireless Local Area Networks (WLANs) Contents Configuring Global WLAN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-76 Enabling the WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-77 VLAN Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-81 WLAN-Based VLAN Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-83 Considerations for WLAN-Based VLAN Assignment . . . . . . . .
PAGE 355
Wireless Local Area Networks (WLANs) Overview Overview A wireless LAN (WLAN) is a LAN that uses a wireless medium; typically it provides wireless stations a connection to a private LAN, the Internet, or both. The WLAN might include multiple radio ports (RPs), each of which is identified by an individual basic service set identifier (BSSID), but supports the same service set identifier (SSID). Stations associated to one RP can roam to another RP that provides access to the same WLAN (shares the same SSID).
PAGE 356
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Configuration Options: Normal Versus Advanced Mode When the Wireless Edge Services xl Module deploys a WLAN’s configuration to an RP, it assigns the SSID associated with that WLAN to a BSSID on the RP’s radio (or radios). You can configure the module to assign WLANs to RPs in one of two modes: normal or advanced.
PAGE 357
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Enabling WLANs Using Normal Mode In normal mode, to configure and activate WLANs, you complete these steps: 1. Configure the SSID, VLAN, and other options for each WLAN that you want to include in your network. See “Configuring a WLAN” on page 4-26 for instructions on how to do so. 2. On the Network Setup > Radio Setup screen, select the WLANs and click Enable.
PAGE 358
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Figure 4-2 shows the screen in which you can verify that radios have received the WLAN assignment. Figure 4-2. Assigning WLANs to a Radio (Normal) To view the screen in Figure 4-2, select Network Setup > Radio and click the WLAN Assignment tab. Select a radio, and information is displayed in the area in the right of the screen, called Assigned WLANs.
PAGE 359
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Figure 4-3. Assigning WLANs to the Second Radio (Normal) You must understand that these assignments are constant: WLAN 2 is always assigned to BSSID 2, even if you have not enabled WLAN 1. Enabling More Than Four WLANs Using Normal Mode Using normal mode, you can configure and enable up to 16 WLANs, which all adopted RP radios will support.
PAGE 360
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode As always, if the RP includes two radios, every WLAN is assigned to a BSSID on each. This process is illustrated in the figures below. Figure 4-4.
PAGE 361
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Figure 4-5. Viewing Six WLANs Assigned to a Radio (Normal) RP radios send beacon frames to announce the WLANs that they support. The source of a beacon frame is a BSSID, and each beacon can include only one SSID. Therefore, if you enable more than four WLANs, RPs support all of them, but only announce the first four.
PAGE 362
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode In other words, with normal configuration, WLANs 5 through 16 always operate in partially closed system. If you want these WLANs to operate in completely closed system, you should disable responses to probe requests. You cannot disable closed system. See “Enabling Closed System Operations” on page 4-66 to learn more about configuring this features described above.
PAGE 363
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Table 4-1. WLAN Assignment to BSSID SSIDs for WLANs BSSID 1, 5, 9, 13 1 2, 6, 10, 14 2 3, 7, 11, 15 3 4, 8, 12, 16 4 When deciding which WLAN index number to use for a WLAN, keep in mind that this number determines on which BSSID RPs carry that WLAN’s traffic. You should generally avoid mixing bulk data and time-sensitive data such as voice on the same BSSID.
PAGE 364
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Why Use Advanced Mode Reasons that you might use advanced mode include: ■ You want to restrict access to a WLAN to a certain area. For example, if a WLAN allows wireless users to access sensitive financial information, you might not want your network to support that WLAN, even protected by encryption, in a public lobby. Advanced mode allows you to assign a WLAN to certain RPs only, so you control where the WLAN exists.
PAGE 365
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode ■ You want your RPs to announce more than four SSIDs. While a single RP radio can only beacon four SSIDs, it is possible to customize WLAN assignments so that different RP radios beacon different SSIDs. That is, you can configure certain WLANs as the primary WLANs on some of your organization’s RPs, and other WLANs as primary on others.
PAGE 366
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Figure 4-8. Global WLAN Settings Screen c. Check the Advanced Configuration box, and then click the OK button. 3. Enable the WLANs. 4. You must now manually assign the WLANs to RP radios. You can do this in two ways: • You can manually assign WLANs as a part of a default configuration to be sent to any newly adopted RP.
PAGE 367
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Manually Assigning WLANs to the Radio Adoption Default Configuration. Configure the radio adoption default configuration to customize the WLANs that the Wireless Edge Services xl Module sends to all newly adopted radios. This configuration actually divides into two parts—one for 802.11a radios and one for 802.11bg radios.
PAGE 368
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Figure 4-9 displays an environment such as this. This figure also shows the option of enabling SSID A (WLAN 1) on the default configuration, but having SSID E (WLAN 5) be the primary WLAN. (Stations in WLAN 1 can then roam into areas in which WLAN 1 operates in closed system.) In this example, WLAN 1 is less a restricted WLAN than a WLAN that is primarily used by employees in one area. Figure 4-9.
PAGE 369
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode To modify the default configuration using advanced mode, complete these steps: 1. Select Network Setup > Radio Adoption Defaults and click the WLAN Assignment tab. Figure 4-10. Customizing WLAN Assignment for the Radio Adoption Default (Advanced Mode) 2. Note Choose the radio type from the Select Radio drop-down menu.
PAGE 370
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode 5. Select a BSSID from one of the four listed under the radio. Check the Assign box for each WLAN that you want to assign to this BSSID. (You can choose up to four. Generally, but not always, you should fill all four BSSIDs before you assign multiple WLANs to a BSSID.) Figure 4-11. Assigning WLANs to a BSSID in the Default Configuration 6.
PAGE 371
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode To manually assign WLANs, complete these steps: 1. Select Network Setup > Radio and click the radio that you want to configure. 2. Click the WLAN Assignment tab. 3. Click the Edit button. The Network Setup > Radio > Assign Wireless Lans to Radios screen is displayed. (See Figure 4-12.) Figure 4-12. Assigning WLANs to a Specific RP Radio 4.
PAGE 372
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode 5. As shown in Figure 4-13, check the Assign box for each WLAN that you want the radio (or radios) to support. You can select up to 16 WLANs, but, as in normal mode, the RP radio only beacons SSIDs for the four WLANs with the lowest index numbers. Click the Apply button. 6. Alternatively, you can assign a WLAN to a specific BSSID on the radio: a. In the left area, Select Radio/BSS, select that BSSID. b.
PAGE 373
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode 7. c. You can select which SSID RPs include in beacons by selecting a WLAN from the Primary WLAN drop-down menu. d. Repeat this step for the other BSSIDs until you have assigned all the WLANs that you want this radio to support. Generally, you should assign at least one WLAN to each BSSID before you add multiple WLANs to a BSSID. This maximizes the number of SSIDs that RPs can beacon to wireless stations.
PAGE 374
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode For example, you use advanced mode configuration to assign WLANs 2, 4, 5, and 6 to a particular RP radio. The Wireless Edge Services xl Module assigns SSID B (for WLAN 2) to BSSID 1, SSID D (for WLAN 4) to BSSID 2, and so on. Figure 4-15 illustrates this configuration. Figure 4-15. Manually Assigning WLANs to an RP Radio Figure 4-14 shows the Network Setup > Radio screen in which you would check this configuration.
PAGE 375
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Using Normal and Advanced Mode Together Rather than using advanced mode alone, it is often a good idea to first enable WLANs in normal mode, producing a template WLAN assignment that you can then alter with advanced mode configuration. To use normal and advanced mode together, complete these steps: 1. Select Network Setup > WLAN Setup. 2. Configure the WLANs, as described in “Configuring a WLAN” on page 4-26. 3.
PAGE 376
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode If necessary, reconfigure the WLAN assignments as described in “Enabling WLANs Using Advanced Mode Configuration” on page 4-13. You must also remove all WLANs with indexes 17 and higher from the BSSIDs. Note WLANs 17 through 32 are not available in normal mode.
PAGE 377
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Caution Take care when selecting the button. Clicking the Yes button and clicking the No button will both disable advanced mode. However, clicking the Yes button also disables all WLANs. If you click the No button but the WLAN assignment is incorrect, the screen shown in Figure 4-17 is displayed. Figure 4-17. Failing to Disable Advanced Configuration Click the OK button.
PAGE 378
Wireless Local Area Networks (WLANs) Configuring a WLAN Configuring a WLAN To configure a WLAN, you must set: ■ the SSID ■ the VLAN (or tunnel) in which traffic will be forwarded ■ security options, which include: • authentication method • encryption option Optionally, you can configure: ■ ■ advanced settings for individual WLANs, which include: • inter-station blocking • closed system operations • inactivity timeouts global settings for all WLANs, which include: • proxy Address Resolutio
PAGE 379
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-18. Network Setup > WLAN Setup > Configuration Screen As you can see in Figure 4-18, this screen displays the 32 WLANs that are available for configuration. Remember that in normal configuration mode, you can only configure WLANs 1 through 16. On the Wireless Edge Services xl Module, you do not create WLANs as such. The module has already created them; you configure options for and enable the WLANs.
PAGE 380
Wireless Local Area Networks (WLANs) Configuring a WLAN ■ Enabled—Indicates whether the WLAN has been enabled. The Wireless Edge Services xl Module does not deploy a WLAN configuration to RPs until you enable the WLAN. By default, all WLANs are disabled. ■ SSID—Displays the WLAN’s SSID. By default, this SSID simply indicates the WLAN’s index number. You will change this to a network name when you configure the WLAN. ■ Description—Describes the WLAN so that you can quickly see its purpose.
PAGE 381
Wireless Local Area Networks (WLANs) Configuring a WLAN The screen illustrated in Figure 4-19 is displayed: this is the Edit screen for the selected WLAN. On this screen, you configure settings for your WLAN. Figure 4-19. Editing a WLAN In the Configuration section, you create the WLAN’s basic settings. Configure security standards in the Authentication and Encryption sections. If you choose an authentication option that requires a RADIUS server, the RADIUS Config...
PAGE 382
Wireless Local Area Networks (WLANs) Configuring a WLAN Setting Basic Configuration Options: SSID and Interface You must set the following options in the Configuration section of a WLAN’s Edit screen: ■ the SSID The SSID identifies the WLAN; stations associated to the same SSID are in the same WLAN regardless of the RP radio to which they have associated.
PAGE 383
Wireless Local Area Networks (WLANs) Configuring a WLAN To configure these options, follow these steps: 1. Access the Edit screen for the WLAN, as described in “Configuring a WLAN” on page 4-26. 2. Under Configuration, in the SSID field, enter the SSID that you have selected for this WLAN. Figure 4-20. Configuring the SSID When you enable the WLAN, the Wireless Edge Services xl Module automatically configures this SSID on all adopted RP radios (as long as you are using normal mode).
PAGE 384
Wireless Local Area Networks (WLANs) Configuring a WLAN For example, if this WLAN provides network access for sales representatives in conference rooms, you could enter “Sales/Conference Rooms.” (This information is for reference only and is not sent to the RPs nor broadcast to wireless stations.) 4. Select the interface to which the module maps wireless traffic. Choose one of the following: • Select VLAN ID and enter a value in the corresponding field to map the WLAN to a particular VLAN.
PAGE 385
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-21. Setting the VLAN ID 5. Check the Dynamic Assignment box to enable the Wireless Edge Services xl Module to apply dynamic (or user-based) VLAN assignments received from a RADIUS server. Do not use dynamic VLAN assignment when the WLAN requires Layer 3 mobility. If the WLAN uses Web-Auth set the DHCP lease for the WLAN’s static VLAN very low.
PAGE 386
Wireless Local Area Networks (WLANs) Configuring a WLAN Necessary Configurations on the Wireless Services-Enabled Switch The VLAN for which the Wireless Edge Services xl Module tags WLAN traffic is called an uplink VLAN. If you decide to have your Ethernet infrastructure devices route traffic from the wireless stations, you must tag the module’s uplink port for the stations’ VLAN. You make this configuration from the wireless services-enabled switch.
PAGE 387
Wireless Local Area Networks (WLANs) Configuring a WLAN You configure authentication methods as part of each individual WLAN’s settings, and, as far as that WLAN is concerned, they are mutually exclusive. For example, a WLAN can require stations to authenticate using 802.1X or using Web-Auth, but not both. However, one WLAN can require 802.1X and a different WLAN, Web-Auth. The MAC authentication configured on a WLAN is MAC authentication to a RADIUS server.
PAGE 388
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-22. Enabling 802.1X Authentication To configure 802.1X authentication for a WLAN, complete these steps: 4-36 1. Click Network Setup > WLAN Setup. 2. Select the WLAN and click the Edit button. 3. Under Authentication, select 802.1X EAP.
PAGE 389
Wireless Local Area Networks (WLANs) Configuring a WLAN 4. Optionally, click the Config button next to 802.1X EAP to configure some advanced settings for the station: Figure 4-23. Specifying 802.1X EAP Settings a. Enter a value in the Station Timeout field to control how long the module will wait for a station to authenticate itself. The Station Timeout can be from 1 to 60 seconds, and the default setting is 5 seconds. b.
PAGE 390
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-24. Radius Configuration Screen 6. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers. Enter settings for your primary server in the fields in the Primary column: a. In the RADIUS Server Address field, specify the IP address of your network’s primary RADIUS server. To use the module’s internal server, enter 127.0.0.1. b.
PAGE 391
Wireless Local Area Networks (WLANs) Configuring a WLAN c. In the RADIUS Shared Secret field, enter a character string up to 127 characters. The RADIUS server uses the secret to identify the Wireless Edge Services xl Module as a legitimate client. You must match the secret configured for the module in your RADIUS server’s configuration. If you are using the module’s internal server, do not enter a shared secret. d. 7.
PAGE 392
Wireless Local Area Networks (WLANs) Configuring a WLAN Web-Auth. Web-Auth allows wireless stations that do not support 802.1X to authenticate to a RADIUS server. Web-Auth is an easy-to-use option that is often selected for wireless networks that provide Internet or limited network access to a broad range of users. The instructions below simply guide you through the most basic Web-Auth settings.
PAGE 393
Wireless Local Area Networks (WLANs) Configuring a WLAN 3. Note Under Authentication, select Web-Auth. On the configuration screens that appear in this procedure, you can quickly get the WLAN running by completing these minimal steps. (Learn more about the process in Chapter 5: Web Authentication for Mobile Users.) 4. Click the Config button next to Web-Auth. The Web-Auth screen is displayed. Figure 4-26. Configuring the Allow 5.
PAGE 394
Wireless Local Area Networks (WLANs) Configuring a WLAN The Wireless Edge Services xl Module automatically handles traffic such as DHCP and Domain Name System (DNS) requests. In this basic configuration, you are using Web-Auth pages stored on the module, so you are not required to add any IP addresses to the Allow list. For more advanced options, see Chapter 5: Web Authentication for Mobile Users. 6. Leave other settings at their defaults and click the OK button. 7.
PAGE 395
Wireless Local Area Networks (WLANs) Configuring a WLAN 8. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers. Enter settings for your primary server in the fields in the Primary column: a. In the RADIUS Server Address field, specify the IP address of your network’s primary RADIUS server. To use the module’s internal server, enter 127.0.0.1. b. Leave the RADIUS Port field at the default value unless you know that your server uses a different port.
PAGE 396
Wireless Local Area Networks (WLANs) Configuring a WLAN 12. Optionally, enter a value in the DSCP/TOS field to prioritize traffic to the RADIUS server. Valid values range from 0 through 63. 13. Leave the other settings at their defaults and click the OK button. 14. You should now configure the encryption options. See “Configuring Encryption” on page 4-48. MAC Authentication. The MAC Authentication option refers to RADIUS MAC authentication.
PAGE 397
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-28. Enabling MAC Authentication 2. Under Authentication, select MAC Authentication. 3. This authentication option requires a RADIUS server to act as the authentication server. Click the Radius Config button at the bottom of the screen. The Radius Configuration screen is displayed.
PAGE 398
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-29. Radius Configuration Screen for MAC Authentication 4. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers. Enter settings for your primary server in the fields in the Primary column: a. In the RADIUS Server Address field, specify the IP address of your network’s primary RADIUS server. To use the module’s internal server, enter 127.0.0.1. b.
PAGE 399
Wireless Local Area Networks (WLANs) Configuring a WLAN c. In the RADIUS Shared Secret field, enter a character string up to 127 characters. The RADIUS server uses the secret to identify the Wireless Edge Services xl Module as a legitimate client. You must match the secret configured for the module in your RADIUS server’s configuration. If you are using the module’s internal server, you do not need to enter a shared secret. d. 5.
PAGE 400
Wireless Local Area Networks (WLANs) Configuring a WLAN 9. In the MAC Address section, choose the format in which the Wireless Edge Services xl Module forwards the MAC address. The module sends the station’s MAC address as the username and the password in the RADIUS request. The username and password must match exactly those in the account against which the RADIUS server checks them. For example, if the account uses delimiters in the MAC address, the module must use delimiters in the same places.
PAGE 401
Wireless Local Area Networks (WLANs) Configuring a WLAN Table 4-2 displays the names that this management and configuration guide uses for combinations of authentication and encryption options. Table 4-2.
PAGE 402
Wireless Local Area Networks (WLANs) Configuring a WLAN Note By default, all WLANs use open-key authentication for WEP, which means that all stations can associate. However, the Wireless Edge Services xl Module quietly drops any incorrectly encrypted frames, ensuring that only stations that have the correct key can forward data and truly connect to the WLAN. An alternative to open-key authentication, shared-key authentication, has been denigrated because it leaks information about the WEP key.
PAGE 403
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-30. Configuring WEP Encryption with No Authentication 2. Under Authentication, select No Authentication. 3. Under Encryption, check either the WEP 64 or WEP 128 box. 4. Click the corresponding Config button. The WEP 64 or WEP 128 screen is displayed.
PAGE 404
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-31. Configuring a Static WEP Key 5. Specify the static key. The Wireless Edge Services xl Module provides several options for configuring static keys: • It can automatically generate four hex keys from a manually entered pass key. Enter a string from 4 to 32 characters in the Pass Key field and click the Generate button.
PAGE 405
Wireless Local Area Networks (WLANs) Configuring a WLAN The number of characters for the key depends on the WEP key length and on the format in which you enter the key. Table 4-3 summarizes these requirements. Table 4-3. Key Length for Static WEP Keys Key Length Format Characters 64-bit Hexadecimal 10 ASCII 5 Hexadecimal 26 ASCII 13 128-bit The key next to the selected circle (Key 1 in Figure 4-31) is the key that currently encrypts and decrypts data.
PAGE 406
Wireless Local Area Networks (WLANs) Configuring a WLAN To configure this type of security for a WLAN, complete these steps: 1. Access the Edit screen for the WLAN that is to use dynamic WEP: a. Select Network Setup > WLAN Setup and click the Configuration tab. b. Select the WLAN and click the Edit button. The Edit screen is displayed. (See Figure 4-30.) 2. Enable 802.1X authentication and specify the RADIUS server. (See “802.1X EAP” on page 4-35.) 3.
PAGE 407
Wireless Local Area Networks (WLANs) Configuring a WLAN If you click the Config button, the message in Figure 4-33 is displayed. The message does not indicate a problem: it simply informs you that you have completed all necessary steps for configuring encryption on this WLAN. Figure 4-33. No Need to Configure WEP Keys When the WLAN Uses 802.1X Configuring WPA/WPA2 with 802.1X. WPA and WPA2 are similar standards, both of which provide more robust encryption than WEP and rely on 802.1X authentication.
PAGE 408
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-34. Configuring WPA/WPA2 Encryption Table 4-4 displays the types of stations supported by each option. It also lists which protocols each option uses to generate group (multicast and broadcast) keys and to generate pairwise (per-session) keys.
PAGE 409
Wireless Local Area Networks (WLANs) Configuring a WLAN Table 4-4.
PAGE 410
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-35. Advanced Options for WPA/WPA2 b. If you want, check the Broadcast Key Rotation box. Because all stations must use the same broadcast key, this key is clearly more vulnerable to hackers than the per-session keys. Periodically changing the broadcast key helps to protect your WLAN. By default, the Wireless Edge Services xl Module does not rotate the broadcast key.
PAGE 411
Wireless Local Area Networks (WLANs) Configuring a WLAN Check these boxes to enable the Wireless Edge Services xl Module’s fast roaming capabilities: d. 5. – PMK Caching—The RP and the wireless station agree on a PMK identifier for their session, which each stores even after the station disassociates. If the wireless station roams back to the RP, the two can quickly exchange the PMK identifier and renegotiate necessary keys, instead of completing the entire authentication process.
PAGE 412
Wireless Local Area Networks (WLANs) Configuring a WLAN 2. Under Authentication, select No Authentication. 3. Under Encryption, select your encryption protocol: • To use TKIP, check the WPA/WPA2-TKIP box. The Wireless Edge Services xl Module and wireless stations will use TKIP for all encryption. Note that both WPA and WPA2 stations can connect, but WPA2 stations will use TKIP. • To use AES, check the WPA2-AES box.
PAGE 413
Wireless Local Area Networks (WLANs) Configuring a WLAN b. Enter the preshared key. As always, you should select a key that conforms to the highest security standards. The longer the key and the more special characters it contains, the more secure it is. (The key must be at least 22 characters to withstand a brute force attack.) You can enter the key in one of two ways: – Select ASCII Passphrase, and then enter a password of from 8 to 63 characters. Users must enter the same characters to access the WLAN.
PAGE 414
Wireless Local Area Networks (WLANs) Configuring a WLAN Table 4-5.
PAGE 415
Wireless Local Area Networks (WLANs) Configuring a WLAN Table 4-6.
PAGE 416
Wireless Local Area Networks (WLANs) Configuring a WLAN For increased security, you can prevent two wireless stations in a particular WLAN from communicating with each other. You have three options for controlling wireless station-to-station traffic in a particular WLAN: ■ allow all inter-station traffic When a wireless station attempts to communicate with another station in the WLAN, the Wireless Edge Services xl Module forwards the packet toward the second station’s RP.
PAGE 417
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-37. Controlling Inter-Station Traffic 3. Click the OK button. Remember that this setting applies to a WLAN; it does not apply to an RP as a whole, which might associate with stations in several WLANs. If you want to prevent the Wireless Edge Services xl Module from forwarding traffic between wireless stations in different WLANs, you must configure this option for both WLANs.
PAGE 418
Wireless Local Area Networks (WLANs) Configuring a WLAN Enabling Closed System Operations Wireless stations have two ways that they can discover the SSID for a WLAN: ■ RPs send beacons that include the SSID for the WLAN. All wireless stations listen for beacons. ■ RPs answer probes from stations requesting the RP to send all SSIDs that it supports. RPs can only beacon the SSIDs for the four primary WLANs (with normal configuration, WLANs 1 through 4).
PAGE 419
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-38. Enabling Closed System 2. In the Advanced section, check the Closed System box. 3. Uncheck the Answer Broadcast ESS box to prevent RPs from telling wireless stations the SSID in response to probes. 4. Click the OK button.
PAGE 420
Wireless Local Area Networks (WLANs) Configuring a WLAN Configuring the Inactivity Timeout Users do not always bother to disconnect from wireless connections when they turn off or leave their stations. Although the user is no longer truly connected, the Wireless Edge Services xl Module continues to store the station’s association. On an RP nearing its maximum number of stations, an unterminated association can prevent a new station from connecting to the wireless network.
PAGE 421
Wireless Local Area Networks (WLANs) Configuring a WLAN Inactivity Timeout field Figure 4-39. Setting the Inactivity Timeout 2. Under Advanced, in the Inactivity Timeout field, enter a value from 60 seconds (one hour) through 86400 seconds (one day). The default timeout is 1800 seconds (30 minutes). In Figure 4-39, the administrator has lowered the timeout to 300 seconds (five minutes). 3. Click the OK button.
PAGE 422
Wireless Local Area Networks (WLANs) Configuring a WLAN You can configure the module to use these types of accounting: ■ syslog—The Wireless Edge Services xl Module forwards logs about stations in this WLAN to a syslog server. ■ RADIUS—The Wireless Edge Services xl Module sends messages to a RADIUS accounting server when a station connects or disconnects and, optionally, at universally throughout the connection.
PAGE 423
Wireless Local Area Networks (WLANs) Configuring a WLAN Select the Accounting Mode Figure 4-40. Enabling Syslog Accounting on a WLAN 3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Syslog. 4. Click the Syslog Config button. The Accounting screen is displayed.
PAGE 424
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-41. Specifying the Syslog Server 5. In the Syslog Server IP field, specify the Syslog server’s IP address. 6. In the Syslog Server Port field, enter your server’s UDP port or keep the default 514. 7. Click the OK button. 8. In the WLAN’s Edit screen, click the OK button. 9. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
PAGE 425
Wireless Local Area Networks (WLANs) Configuring a WLAN Select the Accounting Mode Figure 4-42. Enabling RADIUS Accounting for a WLAN 3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Radius. Users must authenticate to a RADIUS server for RADIUS accounting to function. Select 802.1X EAP, Web-Auth, or MAC Authentication for the authentication method. 4. Click the Radius Config button. The Radius Configuration screen is displayed.
PAGE 426
Wireless Local Area Networks (WLANs) Configuring a WLAN Accounting settings Figure 4-43. Specifying the Accounting Server in the Radius Configuration Screen To enforce RADIUS accounting, the WLAN must use 802.1X authentication, Web-Auth, or MAC authentication for the Authentication mode. 5. Configure settings for the primary accounting server in the Primary column of the Accounting section. a. Specify the server’s IP address in the Accounting Server Address field.
PAGE 427
Wireless Local Area Networks (WLANs) Configuring a WLAN c. In the Accounting Shared Secret field, enter a string up to 127 characters long. (The string can include alphanumeric and special characters.) The accounting server uses the shared secret to verify that reports are from a legitimate source. The key you specify must match the key configured for the module in the accounting server’s client configurations. If you are using the module’s internal server, you don’t need to specify a key. 6.
PAGE 428
Wireless Local Area Networks (WLANs) Configuring a WLAN 11. Click the OK button. 12. In the WLAN’s Edit screen, click the OK button. 13. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
PAGE 429
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-44. Global WLAN Settings Screen 3. Note Check the boxes for the features that you want to enable. The Advanced Configuration selection refers to how SSIDs are assigned to RP radios; see “Advanced Mode Configuration” on page 4-11. 4. Click the OK button. Enabling the WLAN RPs in your wireless network will not support the WLAN until you enable it. To enable the WLAN, complete these steps: 1.
PAGE 430
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-45. Enabling a WLAN 4. Click the OK button. As long as you are operating in normal mode, all radios on all RPs that the Wireless Edge Services xl Module has adopted or will adopt support the enabled WLANs. You can confirm that RPs are actually supporting the enabled WLANs by selecting Network Setup > Radio and checking the WLAN Assignment tab. Select an RP radio to view which SSIDs are mapped to that radio’s BSSIDs.
PAGE 431
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-46. Viewing the WLANs Assigned to Radios in the Default Configuration The radio supports all five WLANs. However, some of the WLANs share a BSSID. For example, when BSS 1 is selected in the section on the left, the section on the right shows the two WLANs that share this BSSID. See Figure 4-47.
PAGE 432
Wireless Local Area Networks (WLANs) Configuring a WLAN Figure 4-47. Viewing the WLANs Assigned to a BSSID in the Default Configuration To review how the Wireless Edge Services xl Module assigns WLANs to RP radios, see “Normal Mode Configuration” on page 4-4.
PAGE 433
Wireless Local Area Networks (WLANs) VLAN Assignment VLAN Assignment The instructions for configuring a WLAN include the basic mechanics for assigning all traffic from a WLAN to a VLAN. This section will explain in more depth when and why you would assign one WLAN to one VLAN and another WLAN to another VLAN.
PAGE 434
Wireless Local Area Networks (WLANs) VLAN Assignment users. On the other hand, you might tag the port for the wired VLANs (depending on whether the module has VLAN interfaces for those VLANs or simply knows routes to them). The Wireless Edge Services xl Module determines the VLAN to which to assign incoming wireless traffic based on one of two criteria: ■ the wireless user’s identity ■ the wireless station’s WLAN You configure WLAN-based VLAN assignments manually.
PAGE 435
Wireless Local Area Networks (WLANs) VLAN Assignment WLAN-Based VLAN Assignment You configure WLAN-based VLAN assignment by manually assigning the WLAN to a VLAN. Typically, you complete this step at the same time that you configure the SSID and security settings, as described in “Setting Basic Configuration Options: SSID and Interface” on page 4-30 and as shown in Figure 4-49. Figure 4-49.
PAGE 436
Wireless Local Area Networks (WLANs) VLAN Assignment Figure 4-50. Network Setup > WLAN Setup > VLAN/Tunnel Assignment Screen In the first two columns, the Network Setup > WLAN Setup > VLAN Assignment screen shows this information for each WLAN: ■ Description (if configured) ■ SSID All the VLANs to which at least one WLAN has been assigned compose the subsequent columns. If you have configured a WLAN to forward traffic over a tunnel, the tunnel interface is also displayed, as shown in Figure 4-50.
PAGE 437
Wireless Local Area Networks (WLANs) VLAN Assignment See “Identity-Based, or Dynamic, VLAN Assignment” on page 4-88 for an explanation of how the Wireless Edge Services xl Module can dynamically match WLAN traffic to multiple VLANs. Considerations for WLAN-Based VLAN Assignment By default, all WLANs are mapped to VLAN 1. In some networks that use multiple VLANs, this VLAN is reserved for the management VLAN.
PAGE 438
Wireless Local Area Networks (WLANs) VLAN Assignment ■ Who will be connecting to this WLAN? • Guests—In this case as well, you could assign the WLAN to a VLAN reserved for wireless users. Network administrators could then control traffic from that VLAN appropriately—for example, limiting wireless users to Internet access or to certain network servers.
PAGE 439
Wireless Local Area Networks (WLANs) VLAN Assignment Note When the Wireless Edge Services xl module places traffic in a VLAN, it tags it for that VLAN. You must remember to tag the module’s uplink port for each VLAN to which you manually assign a WLAN. (For more on configuring the wireless services-enabled switch, see the Wireless Edge Services xl MOdule Supplement to the ProCurve 6400cl/5300xl/3400cl Management and Configuration Guide.
PAGE 440
Wireless Local Area Networks (WLANs) VLAN Assignment Identity-Based, or Dynamic, VLAN Assignment The Wireless Edge Services xl Module can also divide traffic from wireless users into VLANs based on those users’ identities.
PAGE 441
Wireless Local Area Networks (WLANs) VLAN Assignment b. One of the easiest ways to configure the assignment on an external server itself is via an Identity Driven Manager (IDM) agent installed on the server. In this case, you would configure the assignment through ProCurve IDM and its Policy Manager. You would: – – – Configure communities that include the wireless users. Create policies that match these communities to the appropriate VLANs.
PAGE 442
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Traffic Management (QoS) Contemporary users demand more from wireless connections—more bandwidth and more multimedia applications—but they also demand less jitter and fewer dropped calls. The ProCurve Wireless Edge Services xl Module helps RPs to deliver a high QoS for voice, video, and other high-priority or time-sensitive traffic.
PAGE 443
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-52. QoS Mechanisms Supported by the Wireless Edge Services xl Module SVP SVP maintains a high QoS specifically for VoWLAN devices that are SVPcapable. SVP is implemented in wireless phones, wireless APs, and SpectraLink servers. This IEEE 802.
PAGE 444
Wireless Local Area Networks (WLANs) Traffic Management (QoS) The Wireless Edge Services xl Module can configure RPs to support SVP— that is, to recognize SVP frames, place them in priority queues, and transmit them with a zero backoff time. If your network includes a SpectraLink server and SVP-capable phones, you should enable this support in the WLAN that includes these phones. To enable SVP support, complete these steps: 1. Note Access the Edit screen for the WLAN that includes voice devices: a.
PAGE 445
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Prioritization with WMM WMM improves QoS by dividing traffic into priority queues, one for each of four access categories (ACs). The higher the AC, the higher the QoS the traffic requires. The Wireless Edge Services xl Module can use WMM to prioritize the following traffic: ■ traffic sent from RP radios to wireless stations ■ traffic sent from wireless stations to RP radios Priority Queuing and ACs.
PAGE 446
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Table 4-8. Priority Values for WMM ACs Queue Number AC 802.1p Priority DSCP 1 Background 1, 2 8-23 2 Best Effort 0, 3 0-7. 24-31 3 Video 4, 5 32-47 4 Voice 6, 7 48-63 By default, the module uses 802.1p priority to place traffic in a queue. You can choose DSCP instead; see “Customizing Station WMM Parameters” on page 4-101. Priority Queuing on Traffic Transmitted from RPs to Wireless Stations.
PAGE 447
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-53. Using WMM to Prioritize Traffic Transmitted from RPs to Wireless Stations Priority Queuing on Traffic Transmitted from Wireless Stations to RPs. Only when you enable WMM on a WLAN, WMM-enabled stations also implement priority queuing on traffic they transmit. RPs broadcast station WMM parameters throughout the WLAN. WMMenabled stations queue traffic according to 802.
PAGE 448
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-54. Using WMM to Prioritize Traffic Transmitted From Wireless Stations to RPs Note that the station WMM parameters can differ from the RP WMM parameters. Enabling WMM on a WLAN Enabling WMM on a WLAN, enables the following: ■ RP radios use QoS marks (802.1p, by default) to queue traffic destined to stations in this WLAN Radios grant better QoS to high priority queues by using different parameters to transmit traffic in those queues.
PAGE 449
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Enable WMM Figure 4-55. Enabling WMM on a WLAN 2. Under Advanced, in the Access Category drop-down menu, select Automatic/WMM. 3. Click the OK button. The next section explains how to make some advanced configurations for WMM. Changing the Protocol that Prioritizes Traffic and Enabling Admission Control As discussed earlier, when you enable WMM, wireless devices queue frames according to QoS marks.
PAGE 450
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Another advanced WMM parameter is admission control, a feature available for Video and Voice queues. The more stations that use high priority settings, the less effect those settings have. Admission control restricts the number of stations in a wireless cell that can use the high priority settings by forcing stations to check with the RP first. To configure these advanced options, follow these steps: 1.
PAGE 451
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-57. Editing Station EDCA (WMM) Parameters 3. Select the prioritization protocol used by your wireless stations: • 802.1p is a Layer 2 protocol that marks traffic in the VLAN tag for one of eight priorities. • DSCP is a Layer 3 protocol that marks traffic in the IP header for one of 64 priorities. Wireless devices queue frames according to the priority marked by the selected protocol. For example, if you select 802.
PAGE 452
Wireless Local Area Networks (WLANs) Traffic Management (QoS) 4. To restrict the number of stations allowed to use the settings for this queue, check the Admission Control box and enter a value from 1 to 255. This option is only available for the Voice and Video ACs. 5. Click the OK button.
PAGE 453
Wireless Local Area Networks (WLANs) Traffic Management (QoS) The Idx column lists the WLAN and the queue number. For example, the first row displays the settings for queue 1 on WLAN 1. To see the AC for this queue, look at the Access column. For example, queue 1 is the Background queue. The SSID and Description columns further identify the WLAN in question.
PAGE 454
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-59. Station WMM Parameters 2. 4-102 Select the queue for which you want to alter the settings, and then click the Edit button. The Edit WMM screen is displayed.
PAGE 455
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-60. Editing Station EDCA (WMM) Parameters 3. View the SSID and Access Category settings to verify that you are configuring the correct queue. In Figure 4-60, the Best Effort queue (queue 1) in MyWLAN is being customized. 4. Enter the desired values in the AIFSN, Transmit Ops, CW Minimum, and CW Maximum fields. The values for the AIFSN and Transmit Ops are in ms.
PAGE 456
Wireless Local Area Networks (WLANs) Traffic Management (QoS) • By default, high-priority queues on the RP use an AIFSN value of 1 ms; high-priority queues on stations use an AIFSN value of 2 ms. You might want to reserve the 1-ms AIFSN for RPs. • When you grant a queue a Transmit Ops, you allow a station that wins access to the radio continued access to the medium for that length of time.
PAGE 457
Wireless Local Area Networks (WLANs) Traffic Management (QoS) To customize the RP WMM parameters, complete these steps: 1. 2. Choose whether you are configuring parameters for any newly adopted radio or for a particular radio: • To configure settings for any newly adopted radio, select Network Setup > Radio Adoption Defaults. • To configure settings for particular radios, select Network Setup > Radio. Click the WMM tab.
PAGE 458
Wireless Local Area Networks (WLANs) Traffic Management (QoS) 3. To change the parameters for a particular queue, select the queue and click the Edit button. The Edit WMM screen is displayed. Figure 4-62. Edit WMM Screen for Radio 1’s Voice AC 4. To change the AIFSN value, enter a new value between 0 and 15 in the AIFSN field. This value is in ms. 5. To change the Transmit Ops value, enter a new value between 0 and 65,535 in the Transmit Ops field. This value is in ms. 6.
PAGE 459
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Table 4-9. Priority Values for WMM ACs Queue Number AC 802.1p Priority DSCP 1 Background 1, 2 8-23 2 Best effort 0, 3 0-7. 24-31 3 Video 4, 5 32-47 4 Voice 6, 7 48-63 The mapping of priority value to AC occurs as traffic is prepared for transmission in a WLAN.
PAGE 460
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-63. Customizing QoS Mappings 3. Use the Access Category to 802.1p section to configure the Wireless Edge Services xl Module, to mark incoming wireless traffic with a QoS value for priority handling in the wired network. Click a field in the 802.1p Prioritization column. Then enter a value between 0 and 7. The module marks traffic that arrives in this AC with this 802.1p value. 4. If you are using 802.
PAGE 461
Wireless Local Area Networks (WLANs) Traffic Management (QoS) 5. If you are using DSCP to prioritize traffic in at least one WLAN, configure the QoS mappings in the DSCP to Access Category section. To select the AC to which a particular DSCP maps, click the Access Category column in the row for that value. Then choose Best Effort, Background, Video, or Voice from the drop-down menu. 6. Click the OK button.
PAGE 462
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-64. Setting a WLAN’s AC 2. Choose the name of an AC from the Access Category drop-down menu in the Advanced section.
PAGE 463
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Enabling Prioritization of Voice Traffic Voice prioritization improves the QoS for traffic destined to VoWLAN devices. The Wireless Edge Services xl Module configures RPs to monitor all packets from stations in a WLAN; if the IP type in a packet’s header indicates that it is a voice packet, the module marks all traffic destined to the packet’s source as high-priority voice packets.
PAGE 464
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Set the multicast address for voice traffic Figure 4-65. Setting the Multicast Address 4-112 3. Under Advanced, in the MCast Addr 1 field, enter the address for voice traffic. 4. If you want, enter a second address in the MCast Addr 2 field. 5. Click the OK button.
PAGE 465
5 Web Authentication for Mobile Users Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 The Web-Auth Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Authentication Through a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . 5-5 Web Pages for the Login Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 Allow List . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 466
Web Authentication for Mobile Users Overview Overview With the ProCurve Wireless Edge Services xl Module, you can require mobile users to authenticate by entering their login credentials on a Web page. Like other authentication methods, Web authentication (Web-Auth) is verified through a Remote Access Dial In User Service (RADIUS) server. You can use Web-Auth to provide limited network services for mobile users who visit your company’s office.
PAGE 467
Web Authentication for Mobile Users Overview The Web-Auth Process To provide limited network access to mobile users through Web-Auth, you set up a Dynamic Host Configuration Protocol (DHCP) server and instruct the users to configure their stations to receive a dynamic IP address from this server. (This DHCP server can be an external server or the Wireless Edge Services xl Module’s internal server.
PAGE 468
Web Authentication for Mobile Users Overview After a station successfully receives an IP address and associates with the WLAN, the station enters the Web-Auth state. (See Figure 5-2.) In this state, the station can access only the network devices that you have added to the Web-Auth Allow list. This list includes the IP address of any device that you want unauthenticated users to be able to access.
PAGE 469
Web Authentication for Mobile Users Overview Figure 5-2. The Web-Auth Process Authentication Through a RADIUS Server To allow mobile users to access the Internet and selected services on your company’s network, you configure Web-Auth as the authentication method for a WLAN and define a RADIUS server that verifies each user’s login credentials. You can specify both a primary RADIUS server and a secondary RADIUS server, ensuring high availability.
PAGE 470
Web Authentication for Mobile Users Overview Web Pages for the Login Process To enable authentication through the Web, the Wireless Edge Services xl Module provides three default Web pages that guide users through the login process: ■ Login page—When users associate with a WLAN that is configured for Web-Auth and try to access a valid Web site, their Web browser is redirected to the login page, and they are prompted to enter a username and password. (See Figure 5-3.) Figure 5-3.
PAGE 471
Web Authentication for Mobile Users Overview Figure 5-4. Default Welcome Page ■ Failed page—If users do not enter a valid username and password on the login page, the failed page is displayed. This page includes a link back to the Login screen. (See Figure 5-5.) Figure 5-5. Default Failed Page You can use the default Web pages as they are, or you can modify them for your environment. You can change the text that displays and add your organization’s logo.
PAGE 472
Web Authentication for Mobile Users Overview Table 5-1 shows the location of these pages in the Wireless Edge Services xl Module’s file system. When you enable Web-Auth and choose to use these pages, the OS copies them to a directory for that WLAN. For example, if you use Web-Auth on WLAN 1, the login page is saved as flash:/hotspot/wlan1/ login.html. In Table 5-1, X indicates the WLAN’s index number. Table 5-1.
PAGE 473
Web Authentication for Mobile Users Overview The Wireless Edge Services xl Module automatically permits certain station traffic, even when the destination is not on the Allow list: ■ DHCP requests—The station must receive an IP address before it can access the Web login page and authenticate. ■ Domain Name System (DNS) requests—The station must attempt to reach a valid IP address in order for the Wireless Edge Services xl Module to redirect the browser to the login page.
PAGE 474
Web Authentication for Mobile Users Configuring Web-Auth Note The Wireless Edge Services xl Module automatically allows unauthenticated stations access to the IP address on the static VLAN for the Web-Auth WLAN. (Such access is necessary for the stations to complete Web-Auth.) Even though management access to the module is protected by a password, you might want to protect such access further. Make sure to assign the Web-Auth WLAN to a different VLAN than the module’s management VLAN.
PAGE 475
Web Authentication for Mobile Users Configuring Web-Auth Configuring Basic Options and Accessing the Web-Auth Screen To configure a WLAN to use Web-Auth, complete these steps: 1. Select Network Setup > WLAN Setup > Configuration. Figure 5-6.
PAGE 476
Web Authentication for Mobile Users Configuring Web-Auth 2. Select the WLAN that you want to use Web-Auth, and then click the Edit button. The Edit screen is displayed. Figure 5-7. WLAN Edit Screen 3. Under Configuration, enter an SSID for this WLAN in the SSID field. 4. In the Description field, you can enter information that will help you identify this WLAN. This field is optional. 5. By default, the Wireless Edge Services xl Module places all wireless traffic in VLAN 1.
PAGE 477
Web Authentication for Mobile Users Configuring Web-Auth Note For more information about configuring SSIDs, VLANs, and advanced configuration options, such as interstation blocking and voice prioritization, see Chapter 4: Wireless Local Area Networks (WLANs). 6. Under Authentication, select Web-Auth. 7. Click the Radius Config button at the bottom of the screen. The Radius Configuration screen is displayed. Figure 5-8.
PAGE 478
Web Authentication for Mobile Users Configuring Web-Auth 8. In the fields in the Server area, define the primary RADIUS server under the Primary heading. a. In the RADIUS Server Address field, enter the IP address of the RADIUS server that authenticates users. Enter 127.0.0.1 if you are using the Wireless Edge Services xl Module’s internal RADIUS server. b. In the RADIUS Port field, leave the port number at the default value (1812) unless your RADIUS server uses a different port. c.
PAGE 479
Web Authentication for Mobile Users Configuring Web-Auth Figure 5-9. Configuring the Login Page 15. Select the location for the Web-Auth Web pages from the drop-down menu at the top of the screen. You can select one of three options for these Web pages: • Internal—three default pages stored on the Wireless Edge Services xl Module • External—three pages stored on an external Web server • Advanced—pages that you have loaded onto the Wireless Edge Services xl Module’s flash memory 16.
PAGE 480
Web Authentication for Mobile Users Configuring Web-Auth Configuring Internal Web-Auth Pages At its factory default settings, the Wireless Edge Services xl Module includes three pages for Web-Auth. See “Web Pages for the Login Process” on page 5-6 for descriptions and illustrations of these default pages. You can customize the text and add your company’s logo to the default pages. Follow these steps: Note 1. Complete the steps described in “Configuring Web-Auth” on page 5-10. 2.
PAGE 481
Web Authentication for Mobile Users Configuring Web-Auth Header text Descriptive text The small logo displays beneath the Log in button Footer text Figure 5-10. Displaying a Small Logo on the Web-Auth Login Page e. In the Main Logo URL field, enter the name of a logo file to include a logo at the top of the login page. (See Figure 5-11.) You must copy this logo to the flash on the Wireless Edge Services xl Module.
PAGE 482
Web Authentication for Mobile Users Configuring Web-Auth The main logo is displayed at the top of the page Header text Descriptive text Footer text Figure 5-11. Displaying the Main Logo on the Web-Auth Login Page 4. Configure the welcome page, which mobile users see if they enter a valid username and password and the RADIUS server authenticates them. a. 5-18 Click the Welcome tab. (See Figure 5-12.
PAGE 483
Web Authentication for Mobile Users Configuring Web-Auth Figure 5-12. Configuring the Welcome Page Note b. In the Title Text field, accept the default text shown on the screen, or enter the text that you want to use. c. In the Header Text field, accept the default text shown on the screen, or enter the text that you want users to see when they log in. (See Figure 5-13.) If you customize the Header Text, Footer Text, or Descriptive Text fields, you can enter a maximum of 1,024 characters. d.
PAGE 484
Web Authentication for Mobile Users Configuring Web-Auth e. In the Small Logo URL field, enter the name of a logo file to include a small logo on the welcome page. (See Figure 5-13.) You must copy this logo to the flash on the Wireless Edge Services xl Module. (For instructions on how to copy the logo file to flash, see “Copying Logo Files to the Module’s Flash” on page 5-32.
PAGE 485
Web Authentication for Mobile Users Configuring Web-Auth The main logo is displayed at the top of the page Header text Descriptive text Disconnect link Duration of the connection Figure 5-14. Displaying the Main Logo on the Web-Auth Welcome Page 5. Configure the failed page, which mobile users see if they enter an invalid username and password. a. Click the Failed tab. (See Figure 5-15.
PAGE 486
Web Authentication for Mobile Users Configuring Web-Auth Figure 5-15. Configuring the Failed Page Note b. In the Title Text field, accept the default text shown on the screen, or change the text as needed. c. In the Header Text field, accept the default text shown on the screen, or enter the text that you want users to see if they fail to log in. (See Figure 5-16.) If you customize the Header Text, Footer Text, or Descriptive Text fields, you can enter a maximum of 1,024 characters. d.
PAGE 487
Web Authentication for Mobile Users Configuring Web-Auth e. In the Small Logo URL field, enter the name of a logo file to include a small logo on the failed page. (See Figure 5-16.) You must copy this logo to the module’s flash. (For instructions on how to copy the logo file to flash, see “Copying Logo Files to the Module’s Flash” on page 5-32.) Header text Descriptive text Link to the login page The small logo is displayed above the footer Footer text Figure 5-16.
PAGE 488
Web Authentication for Mobile Users Configuring Web-Auth The main logo is displayed at the top of the page Header text Descriptive text Link to the login page Footer text Figure 5-17. Displaying the Main Logo on the Web-Auth Failed Page 6. Configure the Allow list as described in “Configuring the Allow List” on page 5-28. Configuring Web-Auth to an External Web Server The Wireless Edge Services xl Module can implement Web-Auth using pages stored on an external Web server.
PAGE 489
Web Authentication for Mobile Users Configuring Web-Auth Figure 5-18. Specifying the URL for Web-Auth Pages That Are Stored on an External Web Server 4. 5. Under External Web Pages, specify the correct URL for each page. a. In the Login Page URL field, specify the URL of the login page, which users see when they try to access a Web site. For example, you might enter a URL such as http://192.168.1.1/login.html or http:// www.yourcompany.com/login.html. b.
PAGE 490
Web Authentication for Mobile Users Configuring Web-Auth Loading Custom Pages onto the Wireless Edge Services xl Module’s Internal Server (Advanced) As discussed earlier, the Wireless Edge Services xl Module can act as the Web server for Web-Auth. As an alternative to using the module’s default (preconfigured) Web-Auth pages, you can load your own pages onto the module. This advanced option gives you greater freedom in designing your Web pages than simply customizing the text on the default pages.
PAGE 491
Web Authentication for Mobile Users Configuring Web-Auth Figure 5-19. Configuring Advanced Web-Auth 5. In the File field, enter the name of the directory that contains the custom Web pages. 6. Select the type of server that stores the directory (FTP or TFTP) from the Using drop-down menu. 7. Enter the server’s IP address and port in the IP Address and Port fields. The default port for FTP is 21, and the default port for TFTP is 69. 8.
PAGE 492
Web Authentication for Mobile Users Configuring Web-Auth 9. In the Path field, specify the name of the server directory in which the file that you are loading is stored. If the file is stored in the server’s base directory, leave the field empty. For some FTP servers, you might need to enter /. To specify a directory within the base directory, include (/)—for example, /MyDirectory. 10. Click the Install button. The file immediately copies to the module’s flash. 11.
PAGE 493
Web Authentication for Mobile Users Configuring Web-Auth 4. Click the OK button to apply your settings and close the Web-Auth screen. 5. If you want, configure encryption for the WLAN. See “Configuring Encryption for a Web-Auth WLAN” on page 5-29. 6. Otherwise, click the OK button on the Edit screen and the Save link at the top of the screen. Configuring Encryption for a Web-Auth WLAN By itself, Web-Auth ensures that only the proper wireless users can access your private network.
PAGE 494
Web Authentication for Mobile Users Configuring Web-Auth Figure 5-20. Configuring Encryption for a WLAN that Enforces Web-Auth 2. In the Encryption section, check the box for your selection. 3. If you have selected a WEP encryption type, click its Config button and specify the WEP keys. You can enter up to four keys. The currently selected key acts as the password.
PAGE 495
Web Authentication for Mobile Users Configuring Web-Auth See “Wireless Local Area Networks (WLANs)” on page 4-1 of Chapter 4: Wireless Local Area Networks (WLANs) for more information on configuring the preshared key. 5. Click the OK button to close the WLAN Edit screen and save your configuration changes to the running-config. You are returned to the Network Setup > WLAN Setup > Configuration screen. (See Figure 5-21.) Figure 5-21. Network Setup > WLAN Setup > Configuration Screen 6.
PAGE 496
Web Authentication for Mobile Users Copying Logo Files to the Module’s Flash Copying Logo Files to the Module’s Flash If you want to display your company’s logo on the Web-Auth login, welcome, or failed page, you must copy the logo file to the appropriate directory on the Wireless Edge Services xl Module’s flash. The module’s flash contains a hotspot directory that, in turn, contains a subdirectory for each WLAN on the module.
PAGE 497
Web Authentication for Mobile Users Copying Logo Files to the Module’s Flash 3. 4. Specify the source for the file transfer: a. In the From field under Source, use the drop-down menu to select Server. b. In the File field, enter the name of the logo file. c. In the Using field, use the drop-down menu to select either FTP or TFTP. d. In the IP Address field, enter the IP address of the FTP or TFTP server. e. If you are using an FTP server, enter the login credentials. i.
PAGE 498
Web Authentication for Mobile Users Copying Logo Files to the Module’s Flash Figure 5-23. Management > System Maint.—Config Files > Transfer Screen 5. 5-34 Click the Transfer button. In the Status area at the bottom of the screen, a message is displayed, reporting whether the transfer was successful.
PAGE 499
Web Authentication for Mobile Users Configuring Custom Web-Auth Pages Configuring Custom Web-Auth Pages You can design your own Web-Auth pages and either store them on an external server or upload them to the Wireless Edge Services xl Module’s flash memory (advanced configuration). The custom Web-Auth pages must include a login page, a welcome page, and a failed page. However, in addition to those pages, you can configure links to as many other pages as you desire.
PAGE 500
Web Authentication for Mobile Users Configuring Custom Web-Auth Pages <
PAGE 501
Web Authentication for Mobile Users Configuring Custom Web-Auth Pages Configuring the CGI Commands for the Welcome Page Like the login page, the welcome page can include any text and graphical elements that you want as long as you include the CGI code that the Wireless Edge Services xl Module needs to handle Web-Auth properly. The welcome page requires just one line of CGI code, which provides a Disconnect link: ■ for an external Web page—
PAGE 502
Web Authentication for Mobile Users Configuring Custom Web-Auth Pages 5-38
PAGE 503
6 IP Services—IP Settings, DHCP, and DNS Contents IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Viewing VLAN Interfaces and Enabling Secure Management . . . . . . . 6-3 Assigning an IP Address to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Deleting the IP Address Assigned to a VLAN . . . . . . . . . . . . . . . . . . . . 6-6 Editing the IP Address Assigned to a VLAN . . . . . . . . . . . . . . . . . . . . .
PAGE 504
IP Services—IP Settings, DHCP, and DNS Contents Configuring Extended DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . 6-36 Setting Up Global Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36 Specifying the Value for an Extended Option in a DHCP Pool . 6-38 Configuring Dynamic DNS (DDNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40 Viewing DHCP Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 505
IP Services—IP Settings, DHCP, and DNS IP Settings IP Settings To function as a Layer 3 device, the Wireless Edge Services xl Module requires only one IP address, usually assigned to the default management interface. (The default management interface is virtual LAN [VLAN] 1.) For some network environments, however, you may want to assign IP addresses to other VLAN. To do so, you must create VLAN interfaces.
PAGE 506
IP Services—IP Settings, DHCP, and DNS IP Settings Figure 6-1. Network Setup > Ethernet > Configuration Screen The following information is listed for each VLAN: ■ Name ■ VLAN ID ■ DHCP Enabled This column has a green check mark if the DHCP client is enabled on this VLAN (so that the VLAN receives a dynamic address). ■ IP Address ■ Subnet Mask ■ Admin Status This column lists the status (either up or down) of the internal uplink port.
PAGE 507
IP Services—IP Settings, DHCP, and DNS IP Settings Only one VLAN can be selected as the management interface, and that VLAN is identified with a green check mark. All other VLANs show a red x in the Management Interface field. When secure management is enabled, you can access the Wireless Edge Services xl Module’s Web browser interface only through the IP address assigned to this VLAN. To enable secure management, click the Enable Secure Management VLAN button at the bottom of the screen.
PAGE 508
IP Services—IP Settings, DHCP, and DNS IP Settings 5. If you want this VLAN to be the management interface for the Wireless Edge Services xl Module, check the Set as Management Interface box. 6. Click the OK button to apply the changes to the running-config. 7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. After you assign an IP address to a VLAN, the route for the directly connected interface is listed on the module’s route table.
PAGE 509
IP Services—IP Settings, DHCP, and DNS IP Settings Figure 6-3. Configuration Screen for the vlan1 Interface 3. Change the settings as needed and then click the OK button. 4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Viewing Statistics for VLANs That Are Assigned IP Addresses The Wireless Edge Services xl Module tracks statistics for VLANs that are assigned IP addresses.
PAGE 510
IP Services—IP Settings, DHCP, and DNS IP Settings Figure 6-4. Network Setup > Ethernet > Statistics Screen You can view the following information: 6-8 ■ Name—VLAN ID (also referred to as the interface). ■ Bytes In—total number of bytes received on the interface. ■ Packets In—total number of packets received on the interface, including packets dropped and error packets. ■ Packets In Dropped—number of incoming packets that are dropped.
PAGE 511
IP Services—IP Settings, DHCP, and DNS IP Settings ■ ■ Packets Out Dropped—number of outgoing packets dropped. Conditions that result in dropped packets include: • The output queue assigned to the interface is saturated. • Collisions have occurred. Packets Out Error—number of outgoing packets with errors such as malformed packets. To view more detailed information about a VLAN, select that VLAN and click the Details button at the bottom of the screen. The Interface Statistics screen is displayed.
PAGE 512
IP Services—IP Settings, DHCP, and DNS IP Settings Viewing Graphs for VLANs That Are Assigned IP Addresses The Wireless Edge Services xl Module can create graphs of statistics for a VLAN that has been assigned an IP address. These graphs display how the statistics change over time. To view a graph, follow these steps: 1. Select Network Setup > Ethernet > Statistics. Figure 6-6. Network Setup > Ethernet > Statistics 6-10 2. Select a VLAN from the list. 3. Click the Graph button.
PAGE 513
IP Services—IP Settings, DHCP, and DNS IP Settings Figure 6-7. Interface Statistics Graph To generate a graph, you must select the statistic that you want to track. Initially, the graph shows input bytes. You can choose any of the statistics displayed in the Details screen (refer to “Viewing Statistics for VLANs That Are Assigned IP Addresses” on page 6-7 for more information about a statistic). Select the appropriate box for the statistic you want to view.
PAGE 514
IP Services—IP Settings, DHCP, and DNS IP Routing IP Routing As discussed in Chapter 1: Introduction, the Wireless Edge Services xl Module and its internal uplink port operate at Layer 3 of the Open Systems Interconnection (OSI) model. As part of this Layer 3 functionality, the Wireless Edge Services xl Module maintains a route table. You can view the route table, which automatically lists directly connected interfaces, and you can add static routes to the route table.
PAGE 515
IP Services—IP Settings, DHCP, and DNS IP Routing Figure 6-8. Network Setup > Internet Protocol > IP Forwarding Screen If you assign an IP address to any other VLAN (as described in “IP Settings” on page 6-3), the Wireless Edge Services xl Module recognizes the subnetwork attached to that VLAN and lists it as a directly connected route. To view the module’s route table, select Network Setup > Internet Protocol and click the IP Forwarding tab. (See Figure 6-8.
PAGE 516
IP Services—IP Settings, DHCP, and DNS IP Routing ■ Protocol—lists the name of the protocol through which the route was obtained. Routes can be obtained in the following ways: • DHCP—Routes can be included with the IP address that the module receives from a DHCP server. • Static—Routes can be entered manually. • Connected—Routes can be directly connected to an interface.
PAGE 517
IP Services—IP Settings, DHCP, and DNS IP Routing 6. Click the OK button to apply the change to the running-config. 7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Specifying a Default Route and Gateway A default route is a special static route that applies to all traffic for which the Wireless Edge Services xl Module does not know another route.
PAGE 518
IP Services—IP Settings, DHCP, and DNS IP Routing Although you can add another default route manually (or, from the CLI, specify another default gateway), only one default route is active—the first route configured. To avoid confusion, ProCurve Networking recommends that you delete all but one default route. This route has no effect unless you delete the first route Two default routes Figure 6-11.
PAGE 519
IP Services—IP Settings, DHCP, and DNS IP Routing Figure 6-12. Add Static Route Screen 7. Click the OK button to apply the change to the running-config. 8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Address Resolution Table The Wireless Edge Services xl Module maintains an address resolution table, which displays the media access control (MAC) addresses associated with particular IP addresses.
PAGE 520
IP Services—IP Settings, DHCP, and DNS IP Routing Figure 6-13. Network Setup > Internet Protocol > Address Resolution Screen The Interface column lists the VLAN on which the IP address can be reached, and the Type column indicates how the module learned to map that IP address to that MAC address. For example, in Figure 6-13, Dynamic indicates that the module learned the mapping by listening to frames received from the device at 10.4.1.100.
PAGE 521
IP Services—IP Settings, DHCP, and DNS DNS Client DNS Client DNS is the Internet protocol for translating domain names or hostnames into IP addresses. The hostname is the familiar, alphanumeric name for a host on the Internet (for example, www.procurve.com), and the IP address is the 32-bit address that devices on a TCP/IP network use to reach each other. DNS allows users to enter more readily memorable and intuitive hostnames rather than IP addresses.
PAGE 522
IP Services—IP Settings, DHCP, and DNS DNS Client Figure 6-14. Network Setup > Internet Protocol > Domain Name System Screen 2. Click the Add button at the bottom of the screen. The Add DNS Server screen is displayed. Figure 6-15. Add DNS Server Screen 6-20 3. In the Server IP Address field, enter the IP address of the DNS server. 4. Click the OK button. The DNS server is now listed on the Network Setup > Internet Protocol > Domain Name System screen. 5.
PAGE 523
IP Services—IP Settings, DHCP, and DNS DNS Client Deleting a DNS Server If you want to remove a DNS server that is listed on the Network Setup > Internet Protocol > Domain Name System screen, complete these steps: 1. Select Network Setup > Internet Protocol and click the Domain Name System tab. 2. Select the DNS server that you want to delete and click the Delete button at the bottom of the screen. A prompt is displayed, asking if you want to delete the item. 3.
PAGE 524
IP Services—IP Settings, DHCP, and DNS DHCP Server DHCP Server The Wireless Edge Services xl Module can function as a DHCP server. Although the module can provide DHCP services for your entire network, it is more appropriately used as the DHCP server for your wireless network. Overview A DHCP server issues dynamic configurations to stations. The DHCP server on the Wireless Edge Services xl Module can assign stations a variety of settings, or options, in the configuration.
PAGE 525
IP Services—IP Settings, DHCP, and DNS DHCP Server As a DHCP server, the Wireless Edge Services xl Module can also implement dynamic DNS (DDNS), which updates a DNS server whenever a host’s IP address changes. Finally, the Wireless Edge Services xl Module supports DHCP relay. Configuring the DHCP Server If you want the Wireless Edge Services xl Module to assign IP addresses to devices on your network, you must configure it as a DHCP server by following the steps outlined in the following sections.
PAGE 526
IP Services—IP Settings, DHCP, and DNS DHCP Server When you use network pools, you can also specify a range of excluded addresses, which are addresses in a pool that the Wireless Edge Services xl Module is not allowed to assign. Use the excluded addresses to protect IP addresses on your network that you want to remain fixed, such as the IP addresses of routers and DNS servers. A host pool contains a single fixed IP address and is designated to a specific device.
PAGE 527
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-17. Network Setup > DHCP Server > Configuration Screen 2. Click the Add button. The Add Pool screen is displayed.
PAGE 528
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-18. Add Pool Screen for Network Pools 3. In the Pool Name field, enter a name for the pool. You can enter up to 255 alphanumeric characters (no special characters). The name is typically a descriptive text string that helps identify the purpose of the pool or the set of clients that it is intended to serve. 4. In the Domain field, enter the domain name for the network on which the Wireless Edge Services xl Module is running. 5.
PAGE 529
IP Services—IP Settings, DHCP, and DNS DHCP Server 6. In the Lease Time section, specify the lease length for IP addresses assigned by the DHCP server. Either select Infinite or specify a lease time (in dd:hh:mm format). The maximum number of days is 365, the maximum number of hours is 23, and the maximum number of minutes is 59. Therefore, the maximum lease time is roughly one year. 7.
PAGE 530
IP Services—IP Settings, DHCP, and DNS DHCP Server b. If you select a hybrid, mixed, or peer-to-peer node type, you must specify the WINS server that maps devices’ names to their IP addresses: i. In the Servers section, select NetBios (WINS) from the left column. ii. Click the top of the right column and enter the WINS server’s IP address. iii. Optionally, click the Insert button and add up to eight WINS servers. 10.
PAGE 531
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-19. Network Setup > DHCP Server > Host Pool Screen 2. Click the Add button. The Add Pool screen is displayed.
PAGE 532
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-20. Add Pool Screen for Host Pools 3. In the Pool Name field, enter the name of the pool to which this IP address will belong. For example, you might enter the name of the device. The name can include up to 255 alphanumeric characters. 4. In the IP Address field, enter the fixed address for this device.
PAGE 533
IP Services—IP Settings, DHCP, and DNS DHCP Server 6. Enter either a hexadecimal client identifier (ID) in the Client ID field or a MAC address in the Hardware Address field, but not both. When a device sends a DHCP request, the request includes a client ID, either a customized ID or the device’s MAC address. The Wireless Edge Services xl Module uses this value to match the device to the correct host pool and fixed IP address.
PAGE 534
IP Services—IP Settings, DHCP, and DNS DHCP Server Excluding Addresses from a Network Pool You may sometimes want to prevent the DHCP server from assigning specific IP addresses within the network pool or pools that you have configured. For example, you would not want the DHCP server to assign an IP address that is already configured statically on another network device. In such cases, simply add exclusions to the DHCP server configuration.
PAGE 535
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-22. Network Setup > DHCP Server > Excluded Screen 5. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. You can specify multiple ranges. Enabling the DHCP Server To enable the DHCP server, complete these steps: 1. Select Network Setup > DHCP Server > Configuration. 2. Check the Enable DHCP Server box.
PAGE 536
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-23. Enabling the DHCP Server 3. Click the Apply button. 4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. To disable the DHCP server, uncheck the Enable DHCP Server box and click the Apply button.
PAGE 537
IP Services—IP Settings, DHCP, and DNS DHCP Server include a server already configured to serve these devices. In this case, you should configure the Wireless Edge Services xl Module to ignore BOOTP requests so that they can reach the proper server. ■ Ping interval—Before assigning an IP address to a station, the Wireless Edge Services xl Module pings the address twice to verify that the address is available. You can configure the number of seconds that the module waits in between the two pings.
PAGE 538
IP Services—IP Settings, DHCP, and DNS DHCP Server 4. Click the Apply button. Configuring Extended DHCP Options The Wireless Edge Services xl Module allows you to configure extended DHCP options for both network and host pools. For example, in addition to assigning clients a DNS server address, you might want to assign them a Network Time Protocol (NTP) server address. An NTP server address is defined through option 42.
PAGE 539
IP Services—IP Settings, DHCP, and DNS DHCP Server Some option names are reserved for DHCP options automatically enabled on the Wireless Edge Services xl Module. You cannot use the names listed in Table 6-1. Table 6-1. Names Not Allowed for Global DHCP Options Reserved Names subnet-mask routers domain-name-servers domain-name broadcast-address netbios-name-servers netbios-node-type bootfile-name user-class next-server dynamic-bootp In the Code field, enter a value between 0 and 254.
PAGE 540
IP Services—IP Settings, DHCP, and DNS DHCP Server 6. The Type drop-down menu includes two options: ip and ascii. The setting that you select determines the type of value that you enter when you actually configure the option in a pool. (See “Specifying the Value for an Extended Option in a DHCP Pool” on page 6-38.) In this example, you are setting up an option to specify an IP address for an NTP server, so you select ip. Selecting ascii allows you to enter alphanumeric characters for the option.
PAGE 541
IP Services—IP Settings, DHCP, and DNS DHCP Server 3. 4. To configure an option for a host pool, complete these steps and then proceed to step 4: a. Click the Host Pool tab. b. Select one of the pools. (See “Creating a Host Pool” on page 6-28 for instructions on creating the pool.) c. Click the Options button. The Pool Options screen is displayed. In the Pool Options screen, click the Insert button. Figure 6-27. Specifying the Value for an Extended Option 5. Click the Name field.
PAGE 542
IP Services—IP Settings, DHCP, and DNS DHCP Server Configuring Dynamic DNS (DDNS) A DNS server resolves hostnames to IP addresses. For the DNS server to function correctly, clearly its table must include the correct IP address for each hostname. However, a device that acts as a DHCP client might unexpectedly receive a new IP address, invalidating the DNS server’s hostname table. DDNS addresses this problem by updating a DNS server whenever a client’s IP address changes.
PAGE 543
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-28. Configuring DDNS 4. In the Domain Name field, enter an alphanumeric string. In DDNS updates, a client’s name follows this format: • user class, if the client has sent such a class • client’s MAC address • the domain name that you specify in this step For example, an update might identify a client as follows: 00:C0:49:F7:82:13.procurve.com. 5. Specify the time-to-live for updates in the TTL field.
PAGE 544
IP Services—IP Settings, DHCP, and DNS DHCP Server 6. 7. From the Automatic Update drop-down menu, select which device sends the dynamic updates: • Select Server Update to have the Wireless Edge Services xl Module send an update whenever one of its DHCP clients accepts an IP address from it. • Select Client Update to have each DHCP client send an update when it receives an IP address from the DHCP server. In this case, the client must support DDNS. • Select Off to disable automatic updates.
PAGE 545
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-29. Viewing DHCP Leases The screen displays a list of leases, with information in these columns: ■ IP Address—the IP address assigned to the station ■ MAC Address/Client ID—the station’s MAC address or, if it sent a customized ID, its ID ■ Type—the method that the Wireless Edge Services xl Module used to select the IP address Automatic indicates that the module chose the IP address from a network pool.
PAGE 546
IP Services—IP Settings, DHCP, and DNS DHCP Server Configuring DHCP Relay Your network might already include a DHCP server. The Wireless Edge Services xl Module can provide DHCP relay services to this server. A DHCP server serves only clients on the same subnetwork or VLAN. DHCP relay passes DHCP requests from clients on one subnetwork to a DHCP server on a different subnetwork, eliminating the need for a DHCP server on each local network segment.
PAGE 547
IP Services—IP Settings, DHCP, and DNS DHCP Server 3. In the Interface field, use the drop-down menu to select the VLAN interface that receives the DHCP requests. 4. In the Server fields, enter the IP addresses for up to four DHCP servers. In each applicable Gateway field, use the drop-down menu to specify the corresponding interfaces by which the DHCP servers may be reached. For example, if the module’s default gateway knows how to route traffic to the DHCP server, you would select the default VLAN.
PAGE 548
IP Services—IP Settings, DHCP, and DNS DHCP Server 6-46
PAGE 549
7 Access Control Lists (ACLs) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Stateful ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 ACL Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Standard IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Extended IP ACLs . . . . .
PAGE 550
Access Control Lists (ACLs) Overview Overview You can configure access control lists (ACLs) on the ProCurve Wireless Edge Services xl Module to control traffic to and from wireless stations. An ACL is an ordered list of rules that select packets according to header information and dictate whether the module should permit (forward) or deny (drop) those packets. ACLs allow you to control wireless users’ network rights.
PAGE 551
Access Control Lists (ACLs) Overview ACL Types The Wireless Edge Services xl Module supports two basic ACL types: ■ IP ACLs—based on the IP header (Layer 3) IP ACLs control traffic inbound on an interface. They can apply to the Wireless Edge Services xl Module’s virtual LAN (VLAN) interfaces or to its two physical interfaces: the internal uplink and downlink ports. If applied to a physical port, the IP ACLs control inbound traffic on all VLANs tagged for that interface.
PAGE 552
Access Control Lists (ACLs) Overview You can apply an extended IP ACL to inbound traffic on either a logical (VLAN or tunnel) interface or a physical (internal uplink or downlink) interface. Again, an ACL on a logical interface only affects traffic that the Wireless Edge Services xl Module actually routes. MAC Standard ACLs MAC standard ACLs permit and deny traffic according to the source MAC address in the frame.
PAGE 553
Access Control Lists (ACLs) Overview All ACLs include an implicit “deny any” rule at the end. In other words, if traffic does not match any of the ACL’s rules, the ACL drops the traffic. MAC standard ACLs, which are configured as filters for local MAC authentication, are the exception. They include an implicit “permit any” rule at the end. See “MAC Filters (Local MAC Authentication)” on page 13-74 of Chapter 13: Wireless Network Management.
PAGE 554
Access Control Lists (ACLs) Overview ■ protocol By default, a rule matches all IP packets, but you can limit the rule to a specific protocol including: • ICMP • TCP • UDP ■ for ICMP packets, ICMP type and ICMP code ■ for TCP and UDP packets, source and destination ports In this way, you can control traffic according to the application. For example, configure a rule to select Web traffic by specifying the TCP protocol and destination port 80.
PAGE 555
Access Control Lists (ACLs) Overview Permit and Deny. These operations allow you to control users’ network access. Remember, the operation only affects traffic that meets all of the criteria of the rule. Also, the operation is explicit. That is, the module performs the operation on selected traffic, but does not perform the opposite action on traffic that is not selected. Instead, the module attempts to match the traffic against the next rule in order of precedence.
PAGE 556
Access Control Lists (ACLs) Overview ■ TOS—a mechanism for implementing QoS at Layer 3 The value for the IP header’s one-byte TOS field can range from 0 through 255. Typically, only values 0 through 63 are used—the six-bit Differential Services (DiffServ) Code Point (DSCP) values. (The other two bits make up the explicit congestion notification field.) Again, higher values typically receive higher priority, but the exact handling depends on your network’s implementation.
PAGE 557
Access Control Lists (ACLs) Overview ■ permitting or denying traffic based on the WLAN from which it arrives Perhaps your Wireless Edge Services xl Module places all wireless traffic in the same VLAN, VLAN 16. However, one WLAN grants guests access, and you want to prohibit guest access to VLAN 2, which include servers holding sensitive information.
PAGE 558
Access Control Lists (ACLs) Configuring ACLs Configuring ACLs To configure an ACL, you must complete these steps: 1. Create the list and select the ACL type. 2. Create a series of ordered permit, deny, or mark rules. 3. Apply the list to an interface. Do not complete the final step if you are using a standard IP ACL for a function other than controlling traffic. These functions include: ■ NAT—The ACL selects traffic for dynamic source NAT; you specify the ACL in the NAT configuration.
PAGE 559
Access Control Lists (ACLs) Configuring ACLs Figure 7-1. Security > ACLs > Configuration 2. Click the Add button. The Add ACL screen is displayed. (See Figure 7-2.
PAGE 560
Access Control Lists (ACLs) Configuring ACLs Figure 7-2. Add ACL Screen 3. In the ACL Type field, use the drop-down menu to select either the standard IP, extended IP, or MAC extended ACL type. 4. In the ACL ID field, specify the ACL ID, which uniquely identifies the ACL. ACL IDs can be either an ASCII string or a numeric value.
PAGE 561
Access Control Lists (ACLs) Configuring ACLs Figure 7-3. Security > ACLs > Configuration with ACL Configuring Rules for ACLs After you create an ACL, you must add rules to it. These rules actually select and control the traffic.
PAGE 562
Access Control Lists (ACLs) Configuring ACLs Creating Rules for Standard IP ACLs The standard IP ACL offers a variety of options for rules. However, some of these options only take effect on certain interfaces. As you create the rule, keep in mind the interface for which you are designing this ACL. In Table 7-3, an X under the interface means that the option is supported for that interface. Table 7-3.
PAGE 563
Access Control Lists (ACLs) Configuring ACLs Figure 7-4. Add Rule Screen for Standard IP ACLs 3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000. The Wireless Edge Services xl Module processes rules in ascending order (starting at 1, moving to 2, and so on). As you assign precedence values to rules for a given ACL, consider using nonconsecutive numbers (for example, 10, 20, 30, and so on), in case you need to insert new rules “between” existing rules later. 4.
PAGE 564
Access Control Lists (ACLs) Configuring ACLs 7. In the Source Wildcard/Mask field, use the drop-down menu to select one of the following: • any—The rule will apply to traffic from any IP address. (This allows you to filter traffic based on fields other than the source IP address.) • host—The rule will apply specifically to a single source IP address. Enter this address in the Source Address field.
PAGE 565
Access Control Lists (ACLs) Configuring ACLs Table 7-4. Valid Options for Extended IP ACLs Depending on Interface Option VLAN/Tunnel Interface Uplink Port Downlink Port deny operation X X X permit operation X X X mark operation X X source IP address X and mask X X destination IP X address and mask X X protocol X X X protocol options X X X WLAN index X To create a rule for an extended IP ACL, complete these steps: 1.
PAGE 566
Access Control Lists (ACLs) Configuring ACLs Figure 7-5. Add Rule Screen for Extended IP ACLs 3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000. The Wireless Edge Services xl Module processes rules in ascending order (starting at 1, moving to 2, and so on). As you assign precedence values to rules for a given ACL, consider using nonconsecutive numbers (for example, 10, 20, 30, and so on) in case you need to insert new rules in between existing rules later. 4.
PAGE 567
Access Control Lists (ACLs) Configuring ACLs 6. If you selected the mark operation in step 4, under Attribute to mark, select one of the following: • 802.1p—Then specify the traffic service class value, from 0 through 7. • TOS—Then specify the value for the TOS octet, from 0 through 255. Standard DSCP values are from 0 through 63. Remember that higher values typically mark traffic for better QoS. 7.
PAGE 568
Access Control Lists (ACLs) Configuring ACLs Figure 7-7. ICMPv6 Message Packet In the ICMPv6 message packet: – The ICMP type value is based on the first eight bits (bits 0 through 7). ICMP type values from 0 through 127 are used for error messages, and ICMP type values from 128 through 255 are used for information messages. – The ICMP code value is based on the second eight bits (bits 8 through 15). This value depends on the ICMP message type, and specifies the type of packet with more granularity.
PAGE 569
Access Control Lists (ACLs) Configuring ACLs ICMP Type Type Description ICMP Code Code Description 4 Parameter Problem message 0 Erroneous header field encountered 1 Unrecognized Next Header type encountered 2 Unrecognized IPv6 option encountered 128 Echo Request message 0 129 Echo Reply message 0 Figure 7-8. TCP/UDP Options Screen b. If you selected the TCP or UDP protocol, the TCP/UDP Options screen is displayed.
PAGE 570
Access Control Lists (ACLs) Configuring ACLs Click the OK button to return to the Add Rule screen and finish configuring other filters. 9. In the Source Wildcard/Mask field, use the drop-down menu to select one of the following: • any—The rule will apply to traffic from any IP address. (This allows you to filter traffic based on fields other than the source IP address.) • host—The rule will apply specifically to a single source IP address. Enter this address in the Source Address field.
PAGE 571
Access Control Lists (ACLs) Configuring ACLs Creating Rules for MAC Extended ACLs To create a rule for a MAC extended ACL, complete these steps: 1. On the Security > ACLs > Configuration screen, in the ACL section, select a MAC extended ACL. 2. Click the Add button under Associated Rules. The Add Rule screen is displayed. Figure 7-9. Add Rule Screen for MAC Extended ACLs 3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000.
PAGE 572
Access Control Lists (ACLs) Configuring ACLs 4. In the Operation field, use the drop-down menu to select the operation (deny, permit, or mark) for the rule. 5. If you selected the mark operation in step 4, under Attribute to mark, select one of the following: • 802.1p—Then specify the traffic service class value, from 0 through 7. • TOS—Then specify the value for the TOS octet, from 0 through 255. Standard DSCP values are from 0 through 63.
PAGE 573
Access Control Lists (ACLs) Configuring ACLs 9. Optionally, check the box to filter frames according to the following criteria: • Vlan ID—Select traffic with the specified VLAN ID Valid values range from 1 through 4,095. • 802.1p Priority—Select traffic with the specified QoS class. Valid values range from 0 through 7. • Ethertype—Select traffic according to the encapsulated protocol.
PAGE 574
Access Control Lists (ACLs) Configuring ACLs Applying ACLs to Interfaces An ACL does not take effect on the Wireless Edge Services xl Module until you apply it to an interface. Although you can create and configure many ACLs, you are limited in the number of ACLs that you can apply: ■ You can apply one IP ACL to each logical (VLAN or tunnel) interface. See “IP Settings” on page 6-3 in Chapter 6: IP Services—IP Settings, DHCP, and DNS to learn how to create a VLAN interface.
PAGE 575
Access Control Lists (ACLs) Configuring ACLs Figure 7-10. Security > ACLs > Attach 2. Click the Add button. The Add ACL Association screen is displayed. Figure 7-11.
PAGE 576
Access Control Lists (ACLs) Configuring ACLs 3. 4. From the Interface drop-down menu, select one of the following interfaces: • uplink—the module’s internal uplink port • downlink—the module’s internal downlink port • an uplink VLAN configured on the module Select the ACL to control incoming traffic on the selected interface. The options available depend on the type of interface: • For VLAN interfaces, select an IP-type ACL from the IP ACL drop-down menu.
PAGE 577
Access Control Lists (ACLs) Configuring ACLs Figure 7-12. Security > ACLs > Statistics Screen ACL statistics are displayed on the screen. (If you do not see any statistics, you may need to edit your rules and check the Logging box.) Each row provides information about one ACL rule: ■ Interface—the interface to which the ACL rule is applied (uplink, downlink, VLAN, or tunnel interface) ■ Action—whether the module forwards selected packets or drops them Refer to Table 7-6 for a key to the action ID.
PAGE 578
Access Control Lists (ACLs) Configuring ACLs Table 7-7. Protocol IDs for ACL Statistics ID Protocol -1 IP 1 ICMP 6 TCP 17 UDP ■ Low Source IP—the lowest source IP address specified for the rule ■ High Source IP—the highest source IP address specified for the rule ■ Low Destination IP—the lowest destination IP address specified for the rule (always 0.0.0.0 for standard ACLs) ■ High Destination IP—the highest destination IP address specified for the rule (always 0.0.0.
PAGE 579
Access Control Lists (ACLs) Configuring ACLs Figure 7-13. Security > ACLs > Details Screen In addition to the information that you viewed on the Security > ACLs > Statistics screen, you can monitor the traffic associated with this rule. Total Flows reports the total number of sessions established using this rule and typically matches the value for Times Used. Active Flows shows how many of those sessions are still active.
PAGE 580
Access Control Lists (ACLs) Configuring ACLs 7-32
PAGE 581
8 Configuring Network Address Translation (NAT) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Translating Between an Inside and an Outside Network . . . . . . . . . . . 8-3 Local and Global Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 NAT Implementation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Dynamic, or Many-to-One, NAT . . . . . . . . . . . . . . .
PAGE 582
Configuring Network Address Translation (NAT) Contents Configuring Static Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27 Configuring Static Source NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28 Configuring Static Destination NAT . . . . . . . . . . . . . . . . . . . . . . . 8-31 Viewing NAT Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 583
Configuring Network Address Translation (NAT) Overview Overview You can configure the ProCurve Wireless Edge Services xl Module to perform Network Address Translation (NAT) on traffic routed between two subnetworks—typically, traffic exchanged between the wireless and the wired network. The module can translate either the source or the destination IP address in a packet’s IP header to a new address. The Wireless Edge Services xl Module allows you to implement NAT in several different ways.
PAGE 584
Configuring Network Address Translation (NAT) Overview Figure 8-1. Dividing Interfaces into Inside and Outside Interfaces The Wireless Edge Services xl Module always performs NAT on traffic as the traffic arrives on an interface. Because the module can apply NAT to both inside and outside interfaces, it can perform NAT in both directions. Note When the Wireless Edge Services xl Module maps wireless traffic to a VLAN, that traffic is considered to have arrived on the VLAN interface.
PAGE 585
Configuring Network Address Translation (NAT) Overview NAT Implementation Methods On the Wireless Edge Services xl Module, you can configure: ■ dynamic NAT ■ static NAT Dynamic NAT affects only source IP addresses while static NAT can translate either source or destination IP addresses. Dynamic, or Many-to-One, NAT Perhaps the most common implementation of NAT is dynamic NAT, sometimes called many-to-one NAT because it allows multiple stations to share the same IP address after translation.
PAGE 586
Configuring Network Address Translation (NAT) Overview Figure 8-2 illustrates this configuration, which allows wireless stations to use IP addresses local to the wireless network but still to open sessions with servers in the Ethernet network. Figure 8-2. Dynamic Source NAT on Wireless Traffic You can also implement NAT on the module to ready wireless traffic for transmission to the Internet—if you do not have another device that does so.
PAGE 587
Configuring Network Address Translation (NAT) Overview You might use dynamic NAT on wired traffic when your wireless network receives a great deal of public traffic. You can then conceal the IP addresses of devices in your private network from the wireless users. (See Figure 8-3.) Figure 8-3. Dynamic Source NAT Again, whether you apply dynamic NAT to inside or outside traffic depends on how you have defined interfaces.
PAGE 588
Configuring Network Address Translation (NAT) Overview The Wireless Edge Services xl Module uses this port number to forward return traffic, which is destined to the single global IP address, to the correct local IP address. For example, Table 8-1 lists possible IP address for the network shown in Figure 8-3. In this case, the module translates all inside addresses (in the 192.168.1.0/24 subnetwork) to 10.1.1.1. If a packet arrives for 10.1.1.
PAGE 589
Configuring Network Address Translation (NAT) Overview Configure destination NAT to allow wireless users to send traffic toward a server’s publicly known address. The Wireless Edge Services xl Module translates the traffic’s destination address to the correct local address. When the server replies, the module automatically translates the source address back to the address to which the traffic was originally destined, and the private address remains concealed.
PAGE 590
Configuring Network Address Translation (NAT) Overview One principle to remember: on the Wireless Edge Services xl Module, you define which VLANs are inside interfaces and which are outside. Figure 8-4 shows a configuration in which the VLAN used in the Ethernet network is an outside interface. So you configure the destination NAT on inside interfaces (these interfaces receive traffic that is destined to the outside VLAN).
PAGE 591
Configuring Network Address Translation (NAT) Overview Figure 8-5. Outside Destination NAT with Port Forwarding When the module translates the destination IP address, it can also perform port translation, assigning the traffic to the particular port used by the destination device.
PAGE 592
Configuring Network Address Translation (NAT) Overview Static NAT on Source Addresses Static source NAT is an alternative to dynamic source NAT. However, instead of allowing many stations to share one global address, static source NAT sets up a one-to-one correspondence between a particular IP address and a translated IP address. Use this option only when relatively few devices in one network (inside or outside) need to access devices in the other network.
PAGE 593
Configuring Network Address Translation (NAT) Overview Table 8-2 summarizes this terminology. Table 8-2.
PAGE 594
Configuring Network Address Translation (NAT) Planning the NAT Configuration Planning the NAT Configuration Before you access the Security > NAT screen and begin to set up NAT for your wireless network, you should plan your configuration: 1. Consider your company’s network topology and security needs and determine the requirements for NAT. In other words, which NAT methods do you need to configure, and which traffic should be translated. 2. Record the IP addresses necessary for your NAT configuration.
PAGE 595
Configuring Network Address Translation (NAT) Planning the NAT Configuration ■ You want to conceal IP addresses used in your LAN from wireless users. Separate the VLANs for wired traffic from the VLANs for wireless traffic: When you specify the uplink VLANs in which the Wireless Edge Services xl Module places traffic from WLANs, choose different VLANs from those already used in the wired network. Next, define the wired VLANs as inside interfaces and define the wireless VLANs as outside interfaces.
PAGE 596
Configuring Network Address Translation (NAT) Planning the NAT Configuration You should also determine which NAT implementation method you are using. For example, if you want to conserve IP addresses on your LAN, you will probably decide to use dynamic NAT on inside traffic. If you want to allow wireless users access to private Web or FTP servers with concealed IP addresses, you will use static NAT.
PAGE 597
Configuring Network Address Translation (NAT) Planning the NAT Configuration For this NAT implementation, you would record the IP addresses specified in the DHCP pool and configure an ACL that selects those addresses. Table 8-3 lists the actual IP addresses that you would record for the sample network shown in Figure 8-7. Table 8-3.
PAGE 598
Configuring Network Address Translation (NAT) Planning the NAT Configuration To configure static source NAT, you must know: ■ the local address to which the module must apply NAT ■ the global address to which the module should translate the original address You can optionally specify a new source port for the translated traffic. In Figure 8-8, for example, the company wants to conceal the actual IP address of its Web server—192.168.1.25.
PAGE 599
Configuring Network Address Translation (NAT) Planning the NAT Configuration When you record the global address for destination NAT, identify the inside device’s IP address as it appears in the destination network. For the sample network, the Web server’s actual IP address is 192.168.1.25. You would, therefore, record 192.168.1.25 as the global address. Because the sample network is also using port address translation, you should record the port for the translated traffic, as shown in Table 8-4. Table 8-4.
PAGE 600
Configuring Network Address Translation (NAT) Configuring Standard ACLs for Dynamic NAT Configuring Standard ACLs for Dynamic NAT To configure dynamic translation, you use a standard ACL to select the IP addresses that the Wireless Edge Services xl Module NATs. Although you can use any ACL that you have configured, you will probably want to configure ACLs to meet the specific requirements for your NAT implementation.
PAGE 601
Configuring Network Address Translation (NAT) Configuring Standard ACLs for Dynamic NAT The full procedure for adding rules to ACLs is documented in Chapter 7: Access Control Lists (ACLs). The following rule guidelines apply to ACLs used for NAT: ■ In the Operation field, the permit operation means that traffic will be subject to NAT; the deny operation means that traffic will not be subject to NAT. (The mark operation does not apply to NAT.
PAGE 602
Configuring Network Address Translation (NAT) Configuring NAT Configuring NAT To configure NAT, follow these steps: 1. Enable routing. See “IP Settings” on page 6-3 of Chapter 6: IP Services—IP Settings, DHCP, and DNS. 2. Define interfaces as inside or outside interfaces. When you create a NAT definition, you will select whether this definition applies to inside or outside traffic.
PAGE 603
Configuring Network Address Translation (NAT) Configuring NAT Figure 8-10. Security > NAT > Interfaces Screen 2. Click the Add button. The Add Interface screen is displayed. Figure 8-11. Add Interface Screen 3. In the Interfaces field, use the drop-down menu to select an interface configured on the module.
PAGE 604
Configuring Network Address Translation (NAT) Configuring NAT 4. In the Type field, use the drop-down menu to select either Inside (Private) or Outside (Public). 5. Click the OK button. The interface is now listed on the Security > NAT > Interfaces screen. Figure 8-12. Interface Assignment in Security > NAT > Interfaces Screen Configuring Dynamic NAT For each NAT configuration that will use dynamic NAT, you must first set up an ACL.
PAGE 605
Configuring Network Address Translation (NAT) Configuring NAT Figure 8-13. Security > NAT > Dynamic Translation Screen 2. Click the Add button. The Add Dynamic Translation screen is displayed. Figure 8-14.
PAGE 606
Configuring Network Address Translation (NAT) Configuring NAT 3. In the NAT Interface field, use the drop-down menu to select the type of interfaces to which the module applies NAT: • Inside (Private)—traffic that arrives from the inside network In other words, inside NAT applies to incoming traffic on an inside interface; typically, the inside traffic should be bound to the outside network.
PAGE 607
Configuring Network Address Translation (NAT) Configuring NAT The definition for dynamic translation is now listed on the Security > NAT > Dynamic Translation screen. Remember: the translation does not take effect unless you define an interface as the type on which you configured dynamic NAT. (See “Defining Interfaces as Outside or Inside” on page 8-22.) Figure 8-15.
PAGE 608
Configuring Network Address Translation (NAT) Configuring NAT Configuring Static Source NAT When the Wireless Edge Services xl Module stands between two networks that use different IP addresses, static source NAT allows a device in one network to reach devices in the other network. The module translates traffic’s source address so that the device that sent the traffic appears to have a valid IP address in the other network.
PAGE 609
Configuring Network Address Translation (NAT) Configuring NAT Figure 8-17. Add Static Translation Screen 3. In the NAT section, select the Interface Type and Address Type: a. The Interface Type determines to which interfaces the Wireless Edge Services xl Module applies the static NAT definition: – Outside (Public)—incoming traffic on an outside interface – Inside (Private)—incoming traffic on an inside interface b.
PAGE 610
Configuring Network Address Translation (NAT) Configuring NAT Table 8-5. Determining the IP Address for the Local Address Field Interface Type Address Type IP Address for the Local Address Field Inside (Private) Source IP address of an inside device as it appears on the inside network Outside (Public) Source IP address of an outside device as it appears on the outside network For example, for source NAT, enter the configured IP address assigned to a device in its own network.
PAGE 611
Configuring Network Address Translation (NAT) Configuring NAT Figure 8-18. Static NAT Definition in the Security > NAT > Static Translation Screen Configuring Static Destination NAT Again, the Wireless Edge Services xl Module stands between two networks that use different IP addresses. Destination NAT allows clients in one network to open sessions with servers in the other network. You must configure destination NAT statically. To configure a static destination translation, complete these steps: 1.
PAGE 612
Configuring Network Address Translation (NAT) Configuring NAT Figure 8-19. Security > NAT > Static Translation Screen 2. 8-32 Click the Add button. The Add Static Translation screen is displayed.
PAGE 613
Configuring Network Address Translation (NAT) Configuring NAT Figure 8-20. Add Static Translation Screen 3. In the NAT section, select the Interface Type and Address Type: a. The Interface Type determines to which interfaces the Wireless Edge Services xl Module applies the static NAT definition: – Outside (Public)—incoming traffic on an outside interface – Inside (Private)—incoming traffic on an inside interface b.
PAGE 614
Configuring Network Address Translation (NAT) Configuring NAT 4. Select either TCP or UDP in the Protocol drop-down menu. This setting, which is available only for destination NAT, allows you to configure port forwarding. Choose the protocol for the application for which you are creating the NAT definition. For example, if you are setting up destination NAT to allow wireless stations to reach your Web server, select TCP. 5.
PAGE 615
Configuring Network Address Translation (NAT) Configuring NAT See Table 8-6 for guidelines on specifying this address. Table 8-8.
PAGE 616
Configuring Network Address Translation (NAT) Configuring NAT Figure 8-21. Static NAT Definition in the Security > NAT > Static Translation Screen Viewing NAT Status To view current translations, select Security > NAT and click the Status tab. Alternatively, you can select Security and click the NAT Status tab. (See Figure 8-22.
PAGE 617
Configuring Network Address Translation (NAT) Configuring NAT Figure 8-22. Security > NAT > Status Screen Each active session to which the Wireless Edge Services xl Module has applied NAT is displayed in a row.
PAGE 618
Configuring Network Address Translation (NAT) Configuring NAT The number after a colon indicates the port. For example, the module has translated the source IP addresses in the first three rows to the same global source address, but different port numbers. On the other hand, for a session using static destination NAT on outside traffic, the translation appears in the Outside-Global and Outside-Local columns.
PAGE 619
Configuring Network Address Translation (NAT) Configuring NAT The logged information is saved to a comma-separated values (CSV) file on your workstation, which lets you: ■ save information that might be important later, while keeping logs or statistics clear for future events ■ send a file to support staff for troubleshooting help ■ pool information from multiple devices in a central location ■ track patterns of network activity 8-39
PAGE 620
Configuring Network Address Translation (NAT) Configuring NAT 8-40
PAGE 621
9 Fast Layer 2 Roaming and Layer 3 Mobility Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Layer 2 Roaming on a Single Wireless Edge Services xl Module . . . . 9-2 Fast Layer 2 Roaming for WPA/WPA2 with 802.1X . . . . . . . . . . . . . . . 9-3 Pre-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 622
Fast Layer 2 Roaming and Layer 3 Mobility Overview Overview The type of roaming that your ProCurve Wireless Edge Services xl Modules support depends on your network topology and module configurations, as well as on other factors.
PAGE 623
Fast Layer 2 Roaming and Layer 3 Mobility Overview Fast Layer 2 Roaming for WPA/WPA2 with 802.1X WPA’s Temporal Key Integrity Protocol (TKIP) (and WPA2’s Counter Mode CBC-MAC Protocol [CCMP]) derive encryption keys from a unique Pairwise Master Key (PMK) for each association with a wireless station. Because the PMK is necessary for the station and the Wireless Edge Services xl Module to communicate, the module must ensure that it maintains the key for a roaming station.
PAGE 624
Fast Layer 2 Roaming and Layer 3 Mobility Overview The 802.11i standard (on which WPA is modeled) includes a section on preauthentication, a mechanism that speeds up Layer 2 roaming. A station can associate to only one RP and Wireless Edge Services xl Module at a time. However, the station can detect beacons from other RPs—including RPs connected to other modules.
PAGE 625
Fast Layer 2 Roaming and Layer 3 Mobility Overview same redundancy group. When a user authenticates to one module, that module uses the redundancy group communications to transmit the user’s credentials to all modules in the group. (You can set up encryption to protect the credentials.) The other modules cache the credentials so that they are ready to be sent to the RADIUS server should the user later roam to one of these modules.
PAGE 626
Fast Layer 2 Roaming and Layer 3 Mobility Overview Figure 9-1. Network Requiring Layer 3 Mobility To implement Layer 3 mobility, Wireless Edge Services xl Modules perform these functions: ■ The modules support a Layer 3 mobility domain. The area in which stations can roam freely (no matter which subnetworks are supported in that area of the wired network) is the Layer 3 mobility domain. The Wireless Edge Services xl Modules in the roaming domain are referred to as peers.
PAGE 627
Fast Layer 2 Roaming and Layer 3 Mobility Overview ■ The modules store information about all stations associated to any module in the Layer 3 mobility domain. The Wireless Edge Services xl Module responsible for handling a station’s traffic is that station’s home module (HM). All the peers in the Layer 3 roaming domain must track all stations’ HM and HM VLAN.
PAGE 628
Fast Layer 2 Roaming and Layer 3 Mobility Overview Figure 9-2. Layer 2 and Layer 3 Roaming Domains Roaming Behavior This section summarizes which features you must configure on your Wireless Edge Services xl Modules to enable the best possible roaming behavior in various circumstances. Keep in mind that this section discusses the behavior the modules support. Stations’ capabilities also affect roaming.
PAGE 629
Fast Layer 2 Roaming and Layer 3 Mobility Overview ■ Seamless roaming—The defining feature of a seamless roam is not speed, but preservation of the user’s authentication, IP address, and active sessions. The user does not need to re-login, and a user browsing the Internet probably would not notice a seamless roam; a user accessing a real-time application may detect a slight lag.
PAGE 630
Fast Layer 2 Roaming and Layer 3 Mobility Overview WLAN Security Option Layer 2 Roam Best Without Special Layer 2 Configuration Roam Requirements for Layer 3 Roam Best Best Layer 2 Without Special Layer 3 Roam Configuration Roam Requirements for Best Layer 3 Roam WPA/WPA2 with 802.
PAGE 631
Fast Layer 2 Roaming and Layer 3 Mobility Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X In other words, a Layer 3 mobility domain can include members in multiple redundancy groups, but a redundancy group can include members in at most one Layer 3 mobility domain. Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X Fast roaming facilitates roaming in a WLAN that requires WPA/WPA2 with 802.1X authentication.
PAGE 632
Fast Layer 2 Roaming and Layer 3 Mobility Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X Figure 9-3. Configuring Settings for a WLAN That Uses Pre-Authentication 5. 9-12 Click the Config button next to the encryption standard. A screen for editing the encryption options is displayed.
PAGE 633
Fast Layer 2 Roaming and Layer 3 Mobility Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X Figure 9-4. Enabling Pre-Authentication 6. Check the box for Pre-authentication. Remember that pre-authentication messages do not cross subnetwork (VLAN) boundaries, so the module receives them only from modules or APs that assign the WLAN to the same subnetwork. 7. By default, PMK Caching and Opportunistic Key Caching are enabled and you should leave them so.
PAGE 634
Fast Layer 2 Roaming and Layer 3 Mobility Configuring Layer 3 Mobility Configuring Layer 3 Mobility You must complete these tasks to configure Layer 3 mobility: 1. Configure Layer 3 mobility settings for the local Wireless Edge Services xl Module: • IP address • WLANs on which Layer 3 mobility is enabled 2. Specify the peers’ IP addresses. 3. Enable Layer 3 mobility. 4. Save the configuration and complete these steps on all other Wireless Edge Services xl Modules in the Layer 3 mobility domain.
PAGE 635
Fast Layer 2 Roaming and Layer 3 Mobility Configuring Layer 3 Mobility Configuring Layer 3 Mobility Settings The first step in establishing a Layer 3 mobility domain is configuring local Layer 3 mobility settings on your Wireless Edge Services xl Module.
PAGE 636
Fast Layer 2 Roaming and Layer 3 Mobility Configuring Layer 3 Mobility Dynamic VLAN assignment is incompatible with Layer 3 mobility. If the WLAN requires Layer 3 mobility, you must access the WLAN’s Edit screen and uncheck the Dynamic Assignment box. (See “Setting Basic Configuration Options: SSID and Interface” on page 4-30 of Chapter 4: Wireless Local Area Networks (WLANs).) 4. Click the Apply button. Figure 9-6 displays an example configuration. Figure 9-6.
PAGE 637
Fast Layer 2 Roaming and Layer 3 Mobility Configuring Layer 3 Mobility 2. Click the Add button. Figure 9-7. Adding a Layer 3 Mobility Peer 3. Enter the peer’s IP address in the Add screen. 4. Click the OK button. Repeat steps 2 through 4 to add multiple peers (up to 11). Enabling Layer 3 Mobility After configuring your Layer 3 mobility settings and specifying peers, you enable Layer 3 mobility by completing these steps: 1. Select Network Setup > Layer 3 Mobility and click the Configuration tab.
PAGE 638
Fast Layer 2 Roaming and Layer 3 Mobility Configuring Layer 3 Mobility Figure 9-8. 4. 9-18 Enabling Layer 3 Mobility Click the Save link to write the configuration to the startup-config.
PAGE 639
Fast Layer 2 Roaming and Layer 3 Mobility Verifying and Managing Layer 3 Mobility Verifying and Managing Layer 3 Mobility To verify that Layer 3 mobility is functioning correctly, check the following: ■ The local Wireless Edge Services xl Module begins communicating with its peers. ■ Stations that roam to an RP adopted by a Wireless Edge Services xl Module on a different VLAN preserve their IP addresses and active sessions.
PAGE 640
Fast Layer 2 Roaming and Layer 3 Mobility Verifying and Managing Layer 3 Mobility The Idle status usually indicates that the local Wireless Edge Services xl Module has not enabled Layer 3 roaming. Even if the Enable Mobility box is checked, the module does not enable Layer 3 mobility until you specify a valid local IP address. A Wireless Edge Services xl Module that remains at the Active-Connecting or Passive-Connecting status also cannot connect to the peer.
PAGE 641
Fast Layer 2 Roaming and Layer 3 Mobility Verifying and Managing Layer 3 Mobility ■ L3-Roams—When a Wireless Edge Services xl Module receives a reassociation request from a station with a different HM VLAN than the module uses, it determines that a Layer 3 roam is necessary. The new module becomes the station’s current module (CM), sends an L3-Roam message to the HM, and begins tunneling the station’s traffic back to the HM.
PAGE 642
Fast Layer 2 Roaming and Layer 3 Mobility Verifying and Managing Layer 3 Mobility To track the messages, select Network Setup > Layer 3 Mobility and click the Peer Statistics tab. A screen displays all peers, which are identified by their IP address. (See Figure 9-11.
PAGE 643
Fast Layer 2 Roaming and Layer 3 Mobility Verifying and Managing Layer 3 Mobility Viewing a Station’s Status A successful Layer 3 roam should meet these criteria: ■ The station roams seamlessly at Layer 2—that is, the station reassociates and re-authenticates in the background. ■ The station maintains its IP address. ■ The Wireless Edge Services xl Module that supports the station’s new RP becomes the station’s CM and tunnels traffic back to the station’s HM.
PAGE 644
Fast Layer 2 Roaming and Layer 3 Mobility Verifying and Managing Layer 3 Mobility The screen displays the following information for every station associated with any Wireless Edge Services xl Module in the Layer 3 mobility domain: ■ Station MAC—station MAC address ■ Station IP—station IP address ■ Home Module IP—HM IP address ■ Home Module VLAN—HM VLAN ID ■ Curr Module IP—CM IP address ■ Roam—This column tracks Layer 3 roams.
PAGE 645
10 Redundancy Groups Contents High Availability for Wireless Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Redundant Wireless Services xl Module . . . . . . . . . . . . . . . . . . . . . . . 10-2 Redundancy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Active or Standby Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Adopting RPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 646
Redundancy Groups High Availability for Wireless Services High Availability for Wireless Services For many companies, wireless access has become as critical to their business as traditional wired access. Recognizing the importance of wireless access, ProCurve Networking has designed its wireless services with high availability in mind. To protect the availability of your company’s wireless services, purchase multiple Wireless Edge Services xl Modules and place them in a redundancy group.
PAGE 647
Redundancy Groups High Availability for Wireless Services The redundant module has its own software image and configuration file. Before a redundant module can deliver wireless services for your network, you must configure it to provide those services—just as you would configure a primary module.
PAGE 648
Redundancy Groups High Availability for Wireless Services Figure 10-1. Failover Capabilities for the Wireless Edge Services xl Module Active or Standby Mode When you configure a module to be part of a redundancy group, you must select a mode, which determines the module’s role in the group.
PAGE 649
Redundancy Groups High Availability for Wireless Services ■ Standby mode—In standby mode, the module is primarily responsible for providing failover capabilities if a module in active mode becomes unavailable. (A module in standby mode can adopt RPs in the circumstances described in “Adopting RPs” on page 10-5.) Both Wireless Edge Services xl Modules and Redundant Wireless Services xl Modules support both modes.
PAGE 650
Redundancy Groups High Availability for Wireless Services Adopting RPs in Standby Mode In standby mode, a redundancy group member adopts RPs only in certain circumstances: ■ The standby member does not receive a heartbeat from an active member for the length of time specified in the hold period option. In a group with multiple active members, the standby member takes action should even one member fail. ■ All active members fail to adopt an RP, although the group has enough RP licenses to adopt the RP.
PAGE 651
Redundancy Groups High Availability for Wireless Services The number of licenses for the redundancy group equals the number of licenses installed on the group member with the most licenses.
PAGE 652
Redundancy Groups High Availability for Wireless Services compare their redundancy group settings to ensure that they are the same. If the modules are not using the same settings, they cannot establish a functioning redundancy group. ■ Online state—If the modules can reach each other and they are using the same redundancy group settings, they change their status to online. In this state, a standby module can take over for an active module if the active module becomes unavailable.
PAGE 653
Redundancy Groups High Availability for Wireless Services Creating Matching Configurations for the Redundancy Group To establish a redundancy group, modules must support the same redundancy group settings. Typically, you also want all modules in the redundancy group to provide the same wireless services. You can use one module’s configuration file as a starting point for configuring other modules.
PAGE 654
Redundancy Groups High Availability for Wireless Services You cannot enter some commands from the redundancy group configuration mode context. For example, you cannot configure IP settings and redundancy group settings. These you must set on members on an individual basis. If you paste a configuration file into the redundancy group configuration mode context, the invalid commands simply do not take effect.
PAGE 655
Redundancy Groups Configuring a Redundancy Group Configuring a Redundancy Group When you configure a redundancy group, you must define the following on each module that is a member of the group: ■ the interface IP address for the module that you are configuring ■ the member IP addresses (which are the IP addresses for the other modules in the redundancy group) These two settings enable each module to send messages to and receive messages from other modules.
PAGE 656
Redundancy Groups Configuring a Redundancy Group Configuring Redundancy Group Settings Redundancy group settings must match on all members of the group. (However, each member has its own IP address.) To configure the redundancy group settings a module, complete these steps: 1. Select Network Setup > Redundancy Group and click the Configuration tab. Figure 10-3. Network Setup > Redundancy Group > Configuration Screen 2.
PAGE 657
Redundancy Groups Configuring a Redundancy Group Note If you have assigned an IP address to more than one VLAN on the module, you should use the IP address assigned to the default management interface (which, by default, is VLAN 1). If you decide to enter the IP address for a different VLAN, however, you must ensure that the redundancy traffic (such as the heartbeat and update messages) can be transmitted to the other module in the group.
PAGE 658
Redundancy Groups Configuring a Redundancy Group 7. In the Hold Period field, accept the default setting of 15 seconds, or enter a number from 1 through 255 seconds. This setting determines the number of seconds that the module waits when it does not receive a heartbeat from another module in the redundancy group. If no heartbeats are received for the number of seconds specified in the hold period, the module determines that the other module in the group is unavailable.
PAGE 659
Redundancy Groups Configuring a Redundancy Group Figure 10-4. Network Setup > Redundancy Group > Member Screen 2. Click the Add button. The Add Members screen is displayed. Figure 10-5.
PAGE 660
Redundancy Groups Configuring a Redundancy Group 3. Enter the IP address of one of the other modules in the redundancy group. This address should match the address that you configure for the Interface IP in the other module’s redundancy group settings. 4. Click the OK button. The module is now listed on the Network Setup > Redundancy Group > Member screen. 5. Repeat this step for each additional module in the redundancy group.
PAGE 661
Redundancy Groups Configuring a Redundancy Group Figure 10-6. Redundancy Group Enabled 3. Click the Apply button to save the configuration to the running-config. 4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. 5. Access the Web browser interfaces for each of the other modules in the redundancy group and configure those modules in the same way.
PAGE 662
Redundancy Groups Configuring a Redundancy Group Viewing Information about the Redundancy Group To view information about the redundancy group, select Network Setup > Redundancy Group and select the State tab. Figure 10-7. Network Setup > Redundancy Group > State Screen After the primary module and the redundant modules establish a redundancy group, each module tracks the following information about the group: ■ Redundancy state is—This field lists the current state of the module.
PAGE 663
Redundancy Groups Configuring a Redundancy Group ■ Module Authorization Level—This field displays the number of RPs this module’s licenses allow it to adopt when it functions on its own. The authorization level for a redundant module, however, is taken from the level of the primary module with the most licenses. ■ Protocol Version—When the modules attempt to establish a redundancy group, each module includes its protocol version in the update messages sent during the discovery stage.
PAGE 664
Redundancy Groups Configuring a Redundancy Group Other fields in the Network Setup > Redundancy Group > State screen allow you to monitor activity both on this particular module and throughout the group. For example, you can compare the Unapproved Radio Ports on this module value to the Unapproved Radio Ports in the group value to see whether this module’s RPs seem to detect more rogue APs—a sign of a possible security issue in a particular location of your network.
PAGE 665
Redundancy Groups Configuring a Redundancy Group History At the bottom of the Network Setup > Redundancy Group > Configuration screen, you can also view the history of redundancy events that have occurred on this module. Figure 10-8. Redundancy Group History The module records an event each time its redundancy state changes. For example, when you enable redundancy on the module, its state changes to startup, and the module records this event in the history. (The most recent events are listed first.
PAGE 666
Redundancy Groups Configuring a Redundancy Group Viewing Information about the Other Members of the Redundancy Group In addition to viewing information about the redundancy group, you can view information about the other members of the group. Select Network Setup > Redundancy Group and click the Member tab. Figure 10-9.
PAGE 667
Redundancy Groups Configuring a Redundancy Group • Not Seen—The module can no longer exchange heartbeats with the member. • Established—The module and this member have successfully established a redundancy group.
PAGE 668
Redundancy Groups Configuring a Redundancy Group ■ Updates Received—the number of updates that the module has received from this member ■ Radio Portals—the number of radios adopted by this member (some RPs have two radios) ■ Associated Stations—the number of stations associated to RPs adopted by this member ■ Rogue AP—the number of unapproved APs detected by RPs adopted by this member ■ Self Healing Radios—the number of radios adopted by this member that are configured for self healing When you ha
PAGE 669
Redundancy Groups Configuring a Redundancy Group 1. Assign a different adoption preference ID to each active module in the redundancy group. Record the IDs in a table such as Table 10-3 on page 10-27. 2. Assign RPs to the modules that should adopt them. Record the Ethernet MAC addresses for the RPs in a table such as Table 10-3 on page 10-27. 3. On every module in the redundancy group, configure the redundancy settings and enable redundancy. Verify that all members are connected. 4.
PAGE 670
Redundancy Groups Configuring a Redundancy Group You can use the redundancy group configuration mode context to speed this process. For example, you could view the running-config of the module that adopted the RPs and copy the radio configurations. Then paste these commands in the global configuration mode context of the redundancy group configuration mode. 8. Note After you have created a configuration for every RP in your network on every active module, reset the RPs.
PAGE 671
Redundancy Groups Configuring a Redundancy Group Table 10-3.
PAGE 672
Redundancy Groups Configuring a Redundancy Group Configure an Adoption Preference for the Module To set an adoption preference for the module itself, complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. 2. Click the Global Settings button. The Global screen is displayed. (See Figure 10-11.) Figure 10-11.Global Settings Screen 3. In the Module Adoption Preference ID field, enter a number, and then click the OK button. 4.
PAGE 673
Redundancy Groups Configuring a Redundancy Group Figure 10-12.Network Setup > Radio > Configuration Screen 2. Select the radio or radios to which you want to assign the adoption preference ID. Hold down Ctrl while selecting the radios to select multiple radios and assign them the same ID. 3. Click the Edit button. The radios’ Edit screen is displayed. If you have selected multiple radios, the screen has limited configurable options. (See Figure 10-13.) However, you can change the adoption preference ID.
PAGE 674
Redundancy Groups Configuring a Redundancy Group Figure 10-13.Network Setup > Radio > Edit Screen for Multiple Radios 5. Click the OK button. 6. Click the Save link to copy the radio configurations to the startup-config. Configure an Adoption Preference for Newly Adopted Radios To configure an adoption preference ID for all adopted RPs, edit the radio adoption default configuration. Complete these steps: 1. 10-30 Select Network Setup > Radio Adoption Defaults and click the Configuration tab.
PAGE 675
Redundancy Groups Configuring a Redundancy Group Figure 10-14.Network Setup > Radio Adoption Defaults > Configuration Screen 2. Select a radio type and click the Edit button. The Configuration screen is displayed. (See Figure 10-15.
PAGE 676
Redundancy Groups Configuring a Redundancy Group Figure 10-15.802.11bg Configuration Screen 3. Under Advanced Properties, in the Adoption Preference ID field, enter a preference ID, and then click the OK button. 4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
PAGE 677
Redundancy Groups Configuring a Redundancy Group Reverting RPs Adopted by a Standby Member to the Active Member When an active member of a redundancy group fails, a standby member of the group adopts the RPs. For continuity of service, the standby member continues to support the RPs even when the active member comes back online. However, eventually you may want to return the RPs to the original module. You can manually revert a standby module, which means that you force it to unadopt all of its RPs.
PAGE 678
Redundancy Groups Configuring a Redundancy Group Figure 10-16.Revert Now Button in the Network Setup > Redundancy Group > Configuration Screen The module immediately unadopts all RPs when you click the button. The RPs are adopted by any active member that can accept them, not necessarily the recovered module. However, either load balancing or adoption preference IDs, will probably guide most of the RPs toward the recovered module.
PAGE 679
11 RADIUS Server Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Configuring the Internal RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 11-4 Choosing the Authentication Type for 802.1X/EAP . . . . . . . . . . . 11-5 Specifying the RADIUS Server’s Digital Certificate . . . . . . . . . . .
PAGE 680
RADIUS Server Overview Overview A Remote Access Dial In User Service (RADIUS) server provides centralized authentication (and sometimes accounting) for a network. The RADIUS protocol regulates communications between network access servers (NASs) and RADIUS servers. The NASs are devices such as switches and Wireless Edge Services xl Modules, which provide network access to stations. First, however, they can force the stations to authenticate themselves.
PAGE 681
RADIUS Server RADIUS Authentication RADIUS Authentication The Wireless Edge Services xl Module’s RADIUS authentication server fulfils these roles: ■ ■ ■ decides whether a user can connect to a WLAN that enforces one of these types of security: • 802.
PAGE 682
RADIUS Server RADIUS Authentication Table 11-1. EAP Methods EAP Type Characteristics EAP-TLS The wireless station and the module’s RADIUS server exchange digital certificates in a three-step TLS handshake. EAP-TTLS with MD5 • The module’s RADIUS server authenticates itself with a digital certificate and creates a secure TLS tunnel with the wireless station. • Inside the secure tunnel, the wireless station submits a username and a hashed (MD5) password.
PAGE 683
RADIUS Server RADIUS Authentication Depending on your environment, you might also need to complete these tasks: ■ Specify proxy RADIUS servers to which the local RADIUS server forwards queries—This step allows the Wireless Edge Services xl Module to relay authentication requests in certain domains to external servers. ■ Specify RADIUS clients, which query the local RADIUS server— This step allows the module to authenticate users who connect to different NASs—in both the wired and wireless network.
PAGE 684
RADIUS Server RADIUS Authentication Table 11-2.
PAGE 685
RADIUS Server RADIUS Authentication Choose the EAP method for 802.1X authentication Figure 11-2. Choosing the EAP Method 2. From the 802.1x EAP/Auth Type drop-down menu, select a method. Select all to allow users to authenticate with any of the supported methods. 3. Next, choose your server’s digital certificates (explained in the section below). Or click the Apply button and, when the screen is displayed asking you to restart the server, click the Yes button.
PAGE 686
RADIUS Server RADIUS Authentication Specifying the RADIUS Server’s Digital Certificate As an authentication server, the Wireless Edge Services xl Module requires various certificates: ■ a server certificate No matter which EAP type you select, the internal RADIUS server must authenticate itself using a digital certificate. By default, the module identifies itself to users with the server certificate in the default-trustpoint.
PAGE 687
RADIUS Server RADIUS Authentication Then follow these steps: 1. Select Network Setup > Radius Server and click the Authentication tab. 2. In the Cert Trustpoint drop-down menu, select the trustpoint in which you have loaded the server certificate for RADIUS authentication. Selecting opens the Certificates Wizard and guides you through the creation or installation of certificates. 3. If you have selected EAP-TLS, choose a trustpoint from the CA Cert Trustpoint drop-down menu.
PAGE 688
RADIUS Server RADIUS Authentication Choose the location for user credentials Figure 11-3. Choosing the Source for Credentials 11-10 2. In the Auth Data Source field, use the drop-down menu to select the source for policies and credentials, either local or ldap. 3. Click the Apply button and, when the screen is displayed asking you to restart the server, click the Yes button. 4. Click the Save link to copy the configuration to the startup-config.
PAGE 689
RADIUS Server RADIUS Authentication Depending on your choice, you must complete one of the following tasks: ■ configure the local database (see “Configuring the Local RADIUS Database” on page 11-12) ■ configure LDAP server settings and at least one group in the local database (see “Using LDAP for the Data Source” on page 11-20) Table 11-3 explains the requirements for configuring credentials for each EAP method, depending on whether the Wireless Edge Services xl Module uses its local database or an LDA
PAGE 690
RADIUS Server RADIUS Authentication Configuring the Local RADIUS Database You must complete the following tasks to configure the local database: 1. Create groups, which define policies for users. 2. Add user accounts to the group. Creating a Group.
PAGE 691
RADIUS Server RADIUS Authentication 2. Click the Add button. The ADD screen is displayed. Figure 11-5. Adding a RADIUS Server Group 3. In the Name field, enter a meaningful name—for example, “Faculty.” 4. In the VLAN ID field, enter the dynamic VLAN for users in this group. If you enter 0, the Wireless Edge Services xl Module assigns the user to the VLAN configured for the user’s WLAN. You should not use dynamic VLANs with Web-Auth.
PAGE 692
RADIUS Server RADIUS Authentication 5. Specify the times of day when users in this group can connect to the wireless network. a. In the Time of Access Start field, enter the earliest time that users can connect. b. In the Time Access End field, enter the latest time users can connect. Always enter times in four digits, the first two digits being the hour in the 24-hour clock and the second two digits being the minutes.
PAGE 693
RADIUS Server RADIUS Authentication To modify a group, select it and click the Edit button. In the EDIT screen that is displayed, configure the settings just as you would for a new group. (However, you cannot change the group’s name nor whether it is a normal or guest group.) When you are finished, click the OK button. To delete a group, select it in the Network Setup > Local RADIUS Server > Groups screen and click the Delete button.
PAGE 694
RADIUS Server RADIUS Authentication Figure 11-6. Creating a User in the Local RADIUS Database 3. In the User ID field, enter the username. The username can be up to 64 characters and can include alphanumeric and special characters. 4. Check the Guest User box if this is a temporary account for a guest. 5. In the Password and Confirm Password fields, specify the user’s password. The password can be up to 21 characters and can include alphanumeric and special characters.
PAGE 695
RADIUS Server RADIUS Authentication Note By default, this password is displayed in plaintext in the Wireless Edge Services xl Module’s configuration. To learn how to encrypt the password, see “Password Encryption” on page 2-105 of Chapter 2: Configuring the ProCurve Wireless Edge Services xl Module. 6. For a guest user, you must specify the period during which the account is active.
PAGE 696
RADIUS Server RADIUS Authentication The guest account is active only for the period between the two times. To alter the times, follow these steps: a. In the Start Date & Time field, enter the date and time at which this account is enabled.
PAGE 697
RADIUS Server RADIUS Authentication You must never assign a user to groups with overlapping access days or times: such a configuration prevents you from determining which policy applies to the user during the overlapping times. For example, if one group allows access at all times and another group allows access only during normal work hours, you cannot assign a user to both groups. During the day, the policies would conflict. 9. Click the OK button.
PAGE 698
RADIUS Server RADIUS Authentication Using LDAP for the Data Source The Wireless Edge Services xl Module’s internal RADIUS server can authenticate users against an LDAP data source.
PAGE 699
RADIUS Server RADIUS Authentication • With the group login filter, the internal RADIUS server checks that the supplicant is a member of a group that is allowed access. You must also specify the names of attributes that the RADIUS server retrieves during these searches, including the password and group memberships. To configure LDAP settings, complete these steps: 1. Select Network Setup > Local RADIUS Server and click the Authentication tab. 2. From the Auth Data Source drop-down menu, select ldap.
PAGE 700
RADIUS Server RADIUS Authentication 4. In the IP Address and Port # fields, specify your LDAP server’s IP address and port. The port number can be from 1 through 65535. The default port for LDAP is 389. 5. Configure the information that the internal RADIUS server submits to bind to the LDAP server: a. In the Bind DN field, enter the distinguished name for an administrator account on the LDAP server.
PAGE 701
RADIUS Server RADIUS Authentication These strings configure the internal RADIUS server to submit the username without appending a domain name. Make sure that the attribute you chose lists the username in this form. 8. In the Password Attribute field, specify the attribute that stores a user’s password. When looking up a user’s account, the internal RADIUS server also requests a check on the user’s password (or, depending on the EAP type, a hash of that password).
PAGE 702
RADIUS Server RADIUS Authentication The RADIUS server replaces with the string that you enter in the Group Attribute field. (See step 11). The server replaces with the name of the group configured in the local RADIUS database. 10. In the Group Membership Attribute field, specify the attribute that stores a user’s group memberships. The internal RADIUS server requests this attribute in the search for the user accounts.
PAGE 703
RADIUS Server RADIUS Authentication Follow these steps to configure the group and set policies for it: 1. Select Network Setup > Radius Server and click the Groups tab. Figure 11-9.
PAGE 704
RADIUS Server RADIUS Authentication 2. Click the Add button, The ADD screen is displayed. Figure 11-10.Adding a RADIUS Server Group 3. In the Name field, enter a name that matches the name of a group on your directory server. This is the group that is allowed wireless access; make sure that all potential wireless users are members. (Or create multiple groups.) The name you assign the group must match exactly the group name as stored on your LDAP server.
PAGE 705
RADIUS Server RADIUS Authentication You should be careful when using dynamic VLANs with Web-Auth. The user’s station receives an IP address in the static VLAN before the user can login and receive the dynamic VLAN assignment. So you must set the lease for the DHCP address in the static VLAN very low. Then the station will automatically renew its address soon after it receives the dynamic assignment. Note You must enable dynamic VLANs in the WLAN to which users connect for this setting to take effect.
PAGE 706
RADIUS Server RADIUS Authentication Figure 11-11.Network Setup > Radius Server > Configuration Screen 2. In the lower section of the screen, click the Domain Proxy Servers tab. 3. Click the Add button. The ADD screen is displayed. Figure 11-12.
PAGE 707
RADIUS Server RADIUS Authentication 4. In the Realm Name field, enter the domain name for users who authenticate to the domain proxy server. When a user submits his or her username, the Wireless Edge Services xl Module’s internal server checks the domain name. If this name matches the name in the Realm Name field, the internal RADIUS server queries the proxy server specified below. For example, you enter “procurve.com” in the Realm Name field.
PAGE 708
RADIUS Server RADIUS Authentication Figure 11-13.Viewing Domain Proxy Servers 8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Specifying Global RADIUS Settings Global RADIUS settings regulate the Wireless Edge Services xl Module’s RADIUS server’s communications with proxy RADIUS servers. To configure these settings, follow these steps: 1. Select Network Setup > Local RADIUS Server > Configuration. 2.
PAGE 709
RADIUS Server RADIUS Authentication 3. In the Retries field, specify the number of times the module should re-send a proxy request that times out. The default number of retries is 3 (which means that the module will send up to four requests). Valid values are from 3 to 6. 4. Click the OK button to apply the settings, remembering to save your configuration by clicking the Save link.
PAGE 710
RADIUS Server RADIUS Authentication If the client has more than one IP address, make sure to specify the address that it includes in RADIUS requests. 5. In the Shared Secret field, enter the client’s password. Of course, you must specify this same password when you configure the client device to query this module. 6. Click the OK button. The client is displayed in the Network Setup > Radius Server > Configuration screen under the Clients tab. 7.
PAGE 711
RADIUS Server RADIUS Authentication Enabling Authentication to the Internal Server on a WLAN WLANs that use the following authentication methods require authentication to a RADIUS server: ■ 802.1X ■ Web-Auth ■ MAC Authentication In Chapter 4: Wireless Local Area Networks (WLANs), you learned how to configure a WLAN to require authentication to an external RADIUS server. This section explains how to configure the Wireless Edge Services xl Module’s internal RADIUS server to take over authentication.
PAGE 712
RADIUS Server RADIUS Authentication Figure 11-16.WLAN Edit Screen 11-34 3. If you have configured the RADIUS server to place users in dynamic VLANs, check the Dynamic Assignment box. 4. Configure other WLAN settings as described in Chapter 4: Wireless Local Area Networks (WLANs). 5. In the Authentication section, select 802.1X EAP, Web-Auth, or MAC Authentication. 6. Click the RADIUS Config… button at the bottom of the screen. The Radius Configuration screen is displayed.
PAGE 713
RADIUS Server RADIUS Authentication Figure 11-17.Configuring a WLAN to Require Authentication to the Internal RADIUS Server 7. Specify 127.0.0.1 in the primary RADIUS server’s RADIUS Server Address field. 8. Do not enter anything in the RADIUS Shared Secret field. By default, the module can communicate with the internal server. If you enter a string in this field, the module’s internal server will no longer work on this WLAN.
PAGE 714
RADIUS Server RADIUS Accounting 9. If you want the module’s RADIUS server to periodically re-authenticate stations, check the Re-authentication box. Then specify how often (in seconds) stations re-authenticate in the Re-authentication Period field. The valid range for the re-authentication period is 30 to 65535 seconds (about 18 hours). The default setting is 3600 seconds (1 hour). 10. Choose CHAP or PAP for the Authentication Protocol.
PAGE 715
RADIUS Server RADIUS Accounting A message includes information such as the identity of the user, the duration of the session, and the bandwidth consumed. Table 11-4 shows a complete list of fields in the report. Some fields are present in all messages; others are specific to certain types of messages. Table 11-4.
PAGE 716
RADIUS Server RADIUS Accounting Field Meaning Acct-Output-Packets • number of packets sent by the station over the entire duration of the session (stop message) • number of packets sent by the station since the beginning of the session (interim message) Acct-Input-Octets • number of bytes received by the station over the entire duration of the session (stop message) • number of bytes received by the station since the beginning of the session (interim message) Acct-Output-Octets • number of bytes sen
PAGE 717
RADIUS Server RADIUS Accounting Figure 11-18.Enabling RADIUS Accounting for a WLAN 3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Radius. 4. Click the Radius Config button. The Radius Configuration screen is displayed.
PAGE 718
RADIUS Server RADIUS Accounting Figure 11-19.Specifying the Accounting Server in the Radius Configuration Screen To enforce RADIUS accounting, the WLAN must use 802.1X authentication, Web-Auth, or MAC authentication for the Authentication mode. 5. Configure settings for the primary accounting server in the Primary column of the Accounting section. a. Specify the server’s IP address in the Accounting Server Address field.
PAGE 719
RADIUS Server RADIUS Accounting c. You should not specify a key when you use the module’s internal server. If you have already specified a key, erase the Accounting Shared Secret field. 6. Optionally, configure settings for a secondary server by completing the fields in the Secondary column of the Accounting section. 7. From the Accounting Mode drop-down menu, choose when the Wireless Edge Services xl Module forwards a message to its internal server: 8.
PAGE 720
RADIUS Server RADIUS Accounting Figure 11-20.Network Setup > Local RADIUS Server > Accounting Logs Screen The panel at the left of the screen shows the directories in the main RADIUS accounting directory (flash:/log/radius). By default, RADIUS reports are logged to the radacct directory, which you can see in Figure 11-20. Doubleclick the directory name to view log files within the directory.
PAGE 721
RADIUS Server RADIUS Accounting Figure 11-21.Viewing RADIUS Accounting Log Files Within a Directory The screen displays the following information for each log file: ■ Filename—accounting.log, for the default file ■ Type—Log, for logged reports ■ Size—the size of the file in bytes A log file might include multiple RADIUS accounting messages. As the Wireless Edge Services xl Module’s internal RADIUS server receives the messages, it adds them to the log file.
PAGE 722
RADIUS Server RADIUS Accounting Note 11-44 The module only creates accounting logs for its own activities as RADIUS server if you specifically enable RADIUS accounting to the internal server on a WLAN. See “Enabling Accounting to the Internal RADIUS Server on a WLAN” on page 11-38.
PAGE 723
12 Configuring Tunnels with Generic Routing Encapsulation Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Configuring GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Creating GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Mapping a WLAN to a GRE Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 724
Configuring Tunnels with Generic Routing Encapsulation Overview Overview The ProCurve Wireless Edge Services xl Module can forward all of a wireless LAN’s (WLAN’s) traffic to another device to be processed. To enable this feature, you must complete these steps: 1. Configure a Generic Routing Encapsulation (GRE) tunnel to that device. 2. Configure your Wireless Edge Services xl Module to forward all traffic received on a particular WLAN over that GRE tunnel.
PAGE 725
Configuring Tunnels with Generic Routing Encapsulation Overview For example, you might establish a wireless network at a remote office. You want all the wireless traffic to return to the main office, so you create a GRE tunnel from the Wireless Edge Services xl Module to the router at the main office. You could also tunnel traffic to a WAN router to protect your internal network from guests in a WLAN that is intended to provide access to the Internet only.
PAGE 726
Configuring Tunnels with Generic Routing Encapsulation Configuring GRE Tunnels Configuring GRE Tunnels This section explains how to: ■ create GRE tunnels ■ map WLANs to the GRE tunnels If a device such as a router will act as the remote endpoint, you should also verify that this device can receive and forward the traffic. Use the documentation included with that product to do so.
PAGE 727
Configuring Tunnels with Generic Routing Encapsulation Configuring GRE Tunnels 3. In the Name field, enter a number for the tunnel. You can enter a number from 1 through 32. The number you enter will be appended to the word tunnel to form the name of the tunnel interface (such as tunnel1, tunnel2, and so on). 4. In the Source IP field, enter a valid IP address on this Wireless Edge Services xl Module for a virtual LAN (VLAN) tagged on the uplink port.
PAGE 728
Configuring Tunnels with Generic Routing Encapsulation Configuring GRE Tunnels Figure 12-2. Security > GRE Tunnels Screen 10. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Mapping a WLAN to a GRE Tunnel In a typical WLAN configuration, the Wireless Edge Services xl Module takes the following action when it receives traffic from a WLAN: it removes the 802.11 header, adds an Ethernet header, and forwards the traffic on the specified VLAN interface.
PAGE 729
Configuring Tunnels with Generic Routing Encapsulation Configuring GRE Tunnels To allow the Wireless Edge Services xl Module to send traffic from a WLAN over a tunnel, you must map the tunnel interface that you created to the appropriate WLAN. Complete these steps: 1. Select Network Setup > WLAN Setup > Configuration. 2. Select the WLAN and click the Edit button. The Edit screen for that WLAN is displayed. Figure 12-3. WLAN Edit Screen 3.
PAGE 730
Configuring Tunnels with Generic Routing Encapsulation Configuring GRE Tunnels b. In the Gateway and Mask fields, specify the default gateway and subnet mask for the tunnel subnetwork. This IP address should be the IP address of the remote endpoint on the tunnel subnetwork. In Figure 12-4, for example, the tunnel interface on the local module has the IP address of 10.200.1.2/24, and the tunnel destination is 10.1.2.30.
PAGE 731
Configuring Tunnels with Generic Routing Encapsulation Configuring GRE Tunnels Figure 12-5. Network Setup > WLAN Setup Screen Enabling Proxy ARP for WLANs Mapped to Tunnels A GRE tunnel does not carry non-IP traffic such as Address Resolution Protocol (ARP). Therefore, a Wireless Edge Services xl Module that maps a WLAN to a tunnel must be able to respond to ARP requests on behalf of wireless stations. Proxy ARP is enabled by default. If it has been disabled, complete these steps to re-enable it: 1.
PAGE 732
Configuring Tunnels with Generic Routing Encapsulation Configuring GRE Tunnels Figure 12-6. Global WLAN Settings Screen 3. Check the Proxy ARP handling for Stations box. 4. Click the OK button. 5. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
PAGE 733
Configuring Tunnels with Generic Routing Encapsulation Configuring GRE Tunnels Ensuring That the Remote Endpoint Can Forward Traffic A Wireless Edge Services xl Module GRE tunnel has two endpoints: ■ one that receives traffic from a WLAN and forwards it over the tunnel, or (for return traffic) receives traffic over the tunnel and forwards it to the WLAN The Wireless Edge Services xl Module plays this role.
PAGE 734
Configuring Tunnels with Generic Routing Encapsulation Viewing GRE Tunnels and WLAN Mappings Viewing GRE Tunnels and WLAN Mappings To view GRE tunnels, select Security > GRE Tunnels. Figure 12-7. Viewing a GRE Tunnel’s WLAN Mappings When you select one of the GRE tunnels listed on the Security > GRE Tunnels screen, all WLANs mapped to the GRE tunnel are listed in the WLAN Mappings section of the screen, as shown in Figure 12-7. You can also view tunnels’ status on the Security > GRE Tunnels screen.
PAGE 735
13 Wireless Network Management Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Monitoring the Wireless Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Wireless Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Viewing Wireless Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Disconnecting a Wireless Station . . . . . . .
PAGE 736
Wireless Network Management Contents Monitoring Detected APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-50 Managing the Unapproved APs List . . . . . . . . . . . . . . . . . . . . . . . 13-50 Managing the Approved APs List . . . . . . . . . . . . . . . . . . . . . . . . . 13-53 Configuring the Module to Report Unapproved APs . . . . . . . . . 13-54 Configuring Station Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 737
Wireless Network Management Overview Overview In this chapter you will learn how to monitor and manage your wireless network.
PAGE 738
Wireless Network Management Monitoring the Wireless Network Monitoring the Wireless Network This section explains how you can access information about wireless stations and wireless network activity. It then provides some tips for interpreting this information.
PAGE 739
Wireless Network Management Monitoring the Wireless Network Figure 13-1. Viewing Wireless Station Associations The screen displays this information for each station associated with one of the WLANs on this module: ■ Station Index—Stations are listed in the order in which they associated. ■ MAC Address—Each station’s Media Access Control (MAC) address is listed. ■ IP Address—A station must receive an IP address to receive complete network connectivity.
PAGE 740
Wireless Network Management Monitoring the Wireless Network Although power save extends a station’s battery life, it might result in jittery performance for real-time applications. If a user complains of low quality of service (QoS) and you see that the user’s station implements power save, you could suggest that the user disable this feature. ■ WLAN—The index number of the WLAN to which the station has connected is listed. (This column does not show the service set identifier [SSID]).
PAGE 741
Wireless Network Management Monitoring the Wireless Network Disconnecting a Wireless Station If you access the Device Information > Wireless Stations screen and see a wireless station that should not connect to your network, you can immediately disassociate the station. Select the station and click the Disconnect button. Because the station can immediately reassociate unless you take steps to prevent this, the prompt shown in Figure 13-2 is displayed. Figure 13-2.
PAGE 742
Wireless Network Management Monitoring the Wireless Network Viewing Details about a Wireless Station If you want to view more information about a particular station’s capabilities and connection, select that station on the Device Information > Wireless Stations screen, and then click the Details button. The Details screen is displayed. (See Figure 13-4.) Figure 13-4.
PAGE 743
Wireless Network Management Monitoring the Wireless Network In addition to the information that is listed on the Device Information > Wireless Stations screen (such as MAC address, IP address, Power Save, WLAN, and VLAN), you can view: ■ Authentication—This field displays the authentication method used— 802.1X Extensible Authentication Protocol (EAP), Web authentication (Web-Auth), MAC authentication, or none.
PAGE 744
Wireless Network Management Monitoring the Wireless Network ■ Roam Count (No de-authentication)—The module tracks the number of times that the station has de-authenticated, which indicates the number of times that the station has roamed away from the module (not between RPs on the same module). ■ IDM Attributes—If you are using ProCurve Identity Driven Manager (IDM), this section lists IDM settings received for the user accessing the network through this station.
PAGE 745
Wireless Network Management Monitoring the Wireless Network Figure 13-5.
PAGE 746
Wireless Network Management Monitoring the Wireless Network Wireless Statistics for Stations Like the Device Information > Wireless Stations screen, the Device Information > Wireless Statistics screen lists every station associated with RPs adopted by the Wireless Edge Services xl Module. However, this screen focuses on activity on the connection. Figure 13-6.
PAGE 747
Wireless Network Management Monitoring the Wireless Network A high number of retries can indicate interference or excessive congestion. Wireless phones, which send traffic to a multicast address, may have a high percentage of nonunicast traffic. For traditional stations, a high percentage of nonunicast traffic can be normal for brief periods—for example, when the station first associates and requests a DHCP address.
PAGE 748
Wireless Network Management Monitoring the Wireless Network The Station Properties section displays the same information that is listed on the Device Information > Wireless Stations screen, including the station’s MAC and IP address. However, you can also see whether the station supports QoS capabilities such as Voice and WMM. You can use the Traffic section to monitor the quality and performance of the connection.
PAGE 749
Wireless Network Management Monitoring the Wireless Network To view this graph, follow these steps: 1. Select Device Information > Wireless Statistics. 2. Select the station (identified by MAC address) from the list. Graph button Figure 13-8. Graph Button in the Device Information > Wireless Statistics Screen 3. Click the Graph button. The Station Statistics screen is displayed.
PAGE 750
Wireless Network Management Monitoring the Wireless Network Figure 13-9. Station Statistics Graph The Station Statistics screen displays the station’s MAC address and IP address in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per sec.
PAGE 751
Wireless Network Management Monitoring the Wireless Network ■ Avg Bits per sec—average bit speed for all traffic sent and received by this station ■ NUcast Pkts—percentage of multicast and broadcast packets (as compared to total packets) ■ Avg Retries—average number of times the station must retransmit a packet, whether due to a collision or another error ■ Avg Signal (dBm)—average signal level detected from this station ■ Avg Noise (dBm)—average background noise in the wireless cell ■ Avg SNR (d
PAGE 752
Wireless Network Management Monitoring the Wireless Network The x-axis of the graph displays the time—in Figure 13-10 the time is labelled in 10 second intervals. The y-axis adds a label that matches the box that you chose. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time. For example, the graph in Figure 13-10 shows this station’s total throughput, which experienced a spike just before 15:00.
PAGE 753
Wireless Network Management Monitoring the Wireless Network Every radio adopted by the module is listed, identified by: ■ Index ■ Description ■ Type (802.11a or 802.11bg) In addition to providing this information, the Network Setup > Radio > Statistics screens lists the number of stations that are connected to each RP.
PAGE 754
Wireless Network Management Monitoring the Wireless Network Figure 13-12.Radio Statistics Details The Information section describes this radio and shows the number of stations currently associated to it. You should check the Current Channel listing; if the radio is configured with a manual channel but currently uses a different channel, the channel number is listed in red. On the Details screen, statistics for wireless traffic are broken down into received and transmitted traffic.
PAGE 755
Wireless Network Management Monitoring the Wireless Network View the Errors section to monitor for congestion. Statistics include: ■ Avg Number of Retries—average number of retries the radio must make to successfully transmit a packet A high value (over 10 or 20 percent) may indicate excessive congestion or interference from another wireless device.
PAGE 756
Wireless Network Management Monitoring the Wireless Network Graph button Figure 13-13.Graph Button in the Device Information > Wireless Statistics Screen 4. Click the Graph button. The RP Statistics screen is displayed.
PAGE 757
Wireless Network Management Monitoring the Wireless Network Figure 13-14.RP Statistics Graph The RP Statistics screen displays the radio’s name and MAC address in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per second.) You can choose any of the statistics displayed in the Details screen for radio statistics. The statistics apply to all stations associated to the radio.
PAGE 758
Wireless Network Management Monitoring the Wireless Network ■ Throughput (Mbps)—total throughput for data transmitted and received by this radio • TX Tput (Mbps)—throughput for data transmitted by this radio • RX Tput (Mbps)—throughput for data received by this radio ■ Avg Bits per sec—average bit speed for traffic when the radio actually transmits or receives it ■ NUcast Pkts—percentage of multicast and broadcast packets sent and received by the radio (as compared to total packets) ■ Avg Retries—
PAGE 759
Wireless Network Management Monitoring the Wireless Network Figure 13-15.Comparing RP Statistics The x-axis of the graph displays the time—in Figure 13-15, marked at 5 second intervals. The y-axis adds a label that matches your choice. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time. You can select more than one box and compare statistics against each other.
PAGE 760
Wireless Network Management Monitoring the Wireless Network WLAN Statistics To monitor wireless activity on a WLAN-wide scale, select Network Setup > WLAN Setup and click the Statistics tab. Module Statistics button Figure 13-16.Network Setup > WLAN Setup > Statistics Screen This screen lists every WLAN that is enabled on the module. WLANs are identified by: ■ Index (the WLAN’s number) ■ SSID ■ Description ■ VLAN The Stations column shows the number of stations currently connected to that WLAN.
PAGE 761
Wireless Network Management Monitoring the Wireless Network ■ Throughput Mbps—the total throughput for all data transmitted in the WLAN in Mbps ■ Bit Speed (Avg.
PAGE 762
Wireless Network Management Monitoring the Wireless Network Select a WLAN and click this button to view: ■ the percentage of packets in this WLAN transmitted at each data rate ■ the percentage of packets in this WLAN that required a certain number of retries (for 0 to 15) Figure 13-18.Module Statistics Screen Click the Refresh button to update the statistics. When you have finished viewing the screen, click the Close button.
PAGE 763
Wireless Network Management Monitoring the Wireless Network Figure 13-19.WLAN Statistics Details The Information section shows settings for this WLAN including: ■ SSID ■ VLAN ■ security settings • authentication type • encryption type The Information section also displays the number of stations associated to the WLAN and of radios mapped to the WLAN. (If the Wireless Edge Services xl Module is using normal mode configuration, all adopted radios are mapped to the WLAN.
PAGE 764
Wireless Network Management Monitoring the Wireless Network The RF Status section displays statistics dealing with the status of the radio medium.
PAGE 765
Wireless Network Management Monitoring the Wireless Network Graph button Figure 13-20.Graph Button in the Device Information > Wireless Statistics Screen 3. Select the WLAN. 4. Click the Graph button. The WLAN Statistics screen is displayed.
PAGE 766
Wireless Network Management Monitoring the Wireless Network Figure 13-21.WLAN Statistics Graph The WLAN Statistics screen displays the WLAN’s SSID and static VLAN ID in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per second.) You can choose any of the statistics displayed in the Details screen for WLAN statistics. (Refer to “Viewing Detailed WLAN Statistics” on page 13-28 for more information on a statistic.
PAGE 767
Wireless Network Management Monitoring the Wireless Network ■ Throughput (Mbps)—total throughput for data transmitted and received in this WLAN • TX Tput (Mbps)—throughput for data transmitted in this WLAN • RX Tput (Mbps)—throughput for data received in this WLAN ■ Avg Bits per sec—average bit speed for all traffic transmitted and received in the WLAN ■ NUcast Pkts—percentage of multicast and broadcast packets sent and received in the WLAN (as compared to total packets) ■ Avg Retries—average numb
PAGE 768
Wireless Network Management Monitoring the Wireless Network Figure 13-22.Comparing WLAN Statistics The x-axis of the graph displays the time—in Figure 13-22, marked at 5 second intervals. The y-axis adds a label that matches your choice. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time. You can select up to four boxes at once and compare statistics against each other.
PAGE 769
Wireless Network Management Monitoring the Wireless Network Figure 13-23.Network Setup > Module Statistics Screen The top of the screen displays: ■ the number of stations currently associated with RPs on this module ■ the number of RPs adopted by this module ■ the number of RP radios adopted by this module The Traffic section contains statistics similar to those discussed in “Wireless Statistics for Stations” on page 13-12: ■ Pkts per second ■ Throughput in Mbps ■ Avg.
PAGE 770
Wireless Network Management Monitoring the Wireless Network You can use the RF Status section to monitor the quality of radio media on a network-wide level, and you can use the Errors section to look for problems with congestion or interference. You can then examine these statistics for radios or for WLANs to pinpoint the source of a problem.
PAGE 771
Wireless Network Management Monitoring the Wireless Network Figure 13-24.Device Information > Radio Adoption Statistics > Adopted RP Screen Select the Adopted RP tab to view the RPs that the module has actually adopted, and the Unadopted RP tab to view other detected RPs. The number of RPs adopted by this module is listed at the bottom of the Device Information > Radio Adoption Statistics > Adopted RP screen.
PAGE 772
Wireless Network Management Monitoring the Wireless Network ■ Protocol Version—RPs and the Wireless Edge Services xl Module communicate with a particular protocol. If an RP experiences problems, you should verify that the two devices’ protocol versions match. Also check the hardware version and the bootloader version. ■ SW Version—You should verify that the software version with which the RP loads is up-to-date. ■ Radio Indices—The RP includes one or two radios.
PAGE 773
Wireless Network Management AP Detection AP Detection People may introduce unauthorized APs into your network for several reasons. Sometimes attackers set up rogue APs in your environment, hoping to lure wireless users to authenticate to them instead of to your network’s RPs. In this way, attackers can collect sensitive information, including passwords with which they can then access your private network and view, steal, or damage data.
PAGE 774
Wireless Network Management AP Detection Figure 13-26.Configuring and Managing AP Detection Configuring AP Detection By default, AP detection is disabled. To configure AP detection, you must complete two main steps: you must enable AP detection, and you must configure at least one radio to scan for APs.
PAGE 775
Wireless Network Management AP Detection Table 13-1. Comparing Single-Channel Detectors and Dedicated Detectors Single-Channel Detector Dedicated Detector Radio passively listens for beacons Radio actively sends probe requests Radio listens on its own channel only Radio sends probes on all channels in its frequency that are allowed by its country’s regulations Radio supports wireless stations Radio does not support wireless stations Figure 13-27.
PAGE 776
Wireless Network Management AP Detection You can configure a radio as a single-channel detector or a dedicated detector in one of two ways: ■ as part of an override configuration for a particular radio For example, your organization might install an RP that is entirely dedicated to searching out rogue APs. Another reason to dedicate a radio as a detector is so it can monitor all nearby RPs in your wireless network and take action if an RP experiences problems.
PAGE 777
Wireless Network Management AP Detection Figure 13-28.Enabling AP Detection and Configuring Settings b. Check the Enable box. c. Customize the timeout setting for approved and unapproved APs. (For more information about approved and unapproved APs, see “Creating Lists of Detected APs” on page 13-46.) – Approved AP timeout—specifies how long the module retains information about APs that you have defined as allowed.
PAGE 778
Wireless Network Management AP Detection Figure 13-29.Dedicating a Radio as a Detector 13-44 d. On the radio’s Configuration screen, check the option that you want for AP detection: – Dedicate this Radio as a Detector – Single-channel scan for Unapproved APs e. Click the OK button.
PAGE 779
Wireless Network Management AP Detection Figure 13-30.Viewing the Radio State The radio state should now be listed as Detector on the Network Setup > Radio > Configuration screen, as shown in Figure 13-30. Note The Wireless Edge Services xl Module stores the configuration for a particular radio with its MAC address so that this configuration persists even if the radio powers down. For more information on radio configurations, see Chapter 3: Radio Port Configuration. 3.
PAGE 780
Wireless Network Management AP Detection Figure 13-31.Network Setup > Radio Adoption Default > Configuration Screen 4. b. Select the radio type (802.11a, 802.1b, or 802.11bg). c. Click the Edit button. d. On the radio type’s Configuration screen, check the option that you want for AP detection: – Dedicate this Radio as a Detector – Single-channel scan for Unapproved APs e. Click the OK button. Click the Save link at the top of the screen to save your changes to the startup-config.
PAGE 781
Wireless Network Management AP Detection You should configure the module to allow APs that meet certain criteria—for example, that are part of your wireless network. The module then moves these APs to an approved APs list so that they do not clutter the unapproved list and make it difficult for you to identify actual threats to network security.
PAGE 782
Wireless Network Management AP Detection Figure 13-32.Viewing Allowed APs 2. Click the Add button. 3. In the Index field, enter a value from 1 through 200. Each rule must have a unique index. By default, the field displays the next available index number. 4. Create one of the three types of rules: a. 13-48 Allow an AP with a particular MAC address no matter what WLAN it supports, as shown in Figure 13-33: i. Select the second field under Radio MAC Address and then enter the address. ii.
PAGE 783
Wireless Network Management AP Detection Figure 13-33.Allowing a Particular AP Based on MAC Address b. Allow any AP that is a member of a particular WLAN, as shown in Figure 13-34: i. Select the second field under SSID and then enter the WLAN’s SSID. ii. Leave the Radio MAC Address selection at Any MAC Address. Figure 13-34.
PAGE 784
Wireless Network Management AP Detection c. Allow a particular AP only if it is a member of the correct WLAN, as shown in Figure 13-35: i. Select the Radio MAC Address field and then enter the address. ii. Select the SSID field and then enter the WLAN’s SSID. Figure 13-35.Allowing a Particular AP in a Particular WLAN 5. Click the OK button. The AP is now listed in the Allowed APs section of the Special Features > Access Point Detection > Configuration screen.
PAGE 785
Wireless Network Management AP Detection Figure 13-36.Viewing the Unapproved APs List Note You can also view this list by selecting Device Information > Access Point Detection and clicking the Unapproved APs tab. However, you can only view information about APs on the other screen; you cannot allow the APs as described below. As shown in Figure 13-36, the list includes the following information for each AP: ■ BSS MAC Address—This address is the AP’s BSSID.
PAGE 786
Wireless Network Management AP Detection ■ Last Seen (In Seconds)—This column indicates how recent the information is. ■ SSID—If a radio has an unapproved MAC address but one of your WLAN’s SSIDs, this may signal a hacker phishing for passwords and other sensitive data. If this list becomes too long and unmanageable, you should take one or more of these steps: ■ Lower the timeout value for unapproved APs. (See “Configuring AP Detection” on page 13-40.) ■ Move legitimate APs to the approved APs list.
PAGE 787
Wireless Network Management AP Detection 2. If you so desire, you can change these settings. (For example, you could allow the MAC address, but any SSID.) 3. Click the OK button. In a way, allowing an AP is like acknowledging an alarm. You are letting other administrators know that you have checked the potential threat.
PAGE 788
Wireless Network Management AP Detection If a rogue AP is on this list, you should reconfigure the rule that allowed it. For example, to screen APs you may need to use MAC addresses instead of, or in addition to, SSIDs. Configuring the Module to Report Unapproved APs You can configure the Wireless Edge Services xl Module to trigger a Simple Network Management Protocol (SNMP) trap whenever a radio detects an unapproved AP. Complete these steps: 1.
PAGE 789
Wireless Network Management AP Detection Figure 13-40.Enabling an SNMP Trap for AP Detection 5. Click the Apply button. If an RP detects an external AP, a log is displayed on the Device Information > Alarm Log screen, as shown in Figure 13-41.
PAGE 790
Wireless Network Management AP Detection Figure 13-41.Receiving an Alarm about an External AP The module will log the alarm, as well as forward it to a trap receiver (if one has been specified). (For instructions on configuring the trap receiver, see Chapter 2: Configuring the ProCurve Wireless Edge Services xl Module.
PAGE 791
Wireless Network Management Configuring Station Intrusion Detection Configuring Station Intrusion Detection AP detection protects your network against unauthorized APs. The Wireless Edge Services xl Module can also guard against hackers who use stations to launch attacks.
PAGE 792
Wireless Network Management Configuring Station Intrusion Detection Configuring Thresholds for Station Intrusion Detection To configure station intrusion detection, complete these steps: 1. Select Special Features > Station Intrusion Detection > Configuration. Figure 13-42.Configuring Station Intrusion Detection 13-58 2. In the Detection Window field, enter a value from 5 through 300 seconds. This setting determines the length of time to which each threshold applies.
PAGE 793
Wireless Network Management Configuring Station Intrusion Detection • Excessive Disassociation • Excessive Authentication failure • Excessive Crypto replays • Excessive 802.11 replays • Excessive Decryption failures • Excessive Unassociated Frames • Excessive EAP Start Frames Again, enter a number from 0 through 65,535. 5.
PAGE 794
Wireless Network Management Configuring Station Intrusion Detection Figure 13-43.Enabling Intrusion Detection Traps 3. Select Intrusion Detection and click the Enable all sub-items button. (Alternatively, select one of the sub-items and click the Enable button.) 4. Make sure that the Allow Traps to be generated box is checked. 5. Click the Apply button. The module will log the alarm, as well as forward it to a trap receiver (if one has been specified).
PAGE 795
Wireless Network Management Configuring Station Intrusion Detection Viewing Blocked Stations If a station exceeds the thresholds that you set, the Wireless Edge Services xl Module blocks the station. You can view any stations that have been blocked by selecting Special Features > Station Intrusion Detection and clicking the Filtered Stations tab. Figure 13-44.
PAGE 796
Wireless Network Management Logging and Alarms Logging and Alarms The Wireless Edge Services xl Module generates logs for various events that occur on a system; these logs report on messages that the module receives and actions that the module takes. The module can log events to: ■ its buffer ■ the console ■ an external server Events are ranked according to severity, as shown in Table 13-2. The lower the number, the greater the risk to network functionality. Table 13-2.
PAGE 797
Wireless Network Management Logging and Alarms Table 13-3.
PAGE 798
Wireless Network Management Logging and Alarms Figure 13-45.Configuring Logging You can configure the module to store events for up to 60 seconds before logging them, by entering a value in the Logging aggregation time field. (If the value is 0, then events are logged immediately.) Forwarding Logs to an External Server You can also configure the Wireless Edge Services xl Module to forward logs to up to three external syslog servers. Complete these steps: 1.
PAGE 799
Wireless Network Management Logging and Alarms Figure 13-46.Forwarding Logs to an External Syslog Server 2. Check the Enable logging to Syslog Server box. 3. From the corresponding drop-down menu, select the lowest severity for logs that the module will forward. The default level is level 6, Info. 4. In the Server Facility field, use the drop-down menu to select the facility that your syslog server uses to receive such logs. Local7 is typically reserved for network devices. 5.
PAGE 800
Wireless Network Management Logging and Alarms The top section of the screen displays files of logs that the module has stored. Each file is identified by its name, its size in bytes, the time at which it was created, and the time at which it was last modified (that is, when a new event was added to it). The local log file stores the events that the Wireless Edge Services xl Module logs to its buffer. You can view the types of events in a file by selecting the file.
PAGE 801
Wireless Network Management Logging and Alarms Figure 13-48.Viewing Logged Events The most recent events are listed at the top of the screen. The color code helps you to quickly identify the most important events (that is, those with the lowest level, or greatest severity). For each event, the log reports: ■ Time stamp—Remember to look at the time stamp to make sure that you are not examining obsolete logs. (Quickly checking the time stamp when you preview the log file can also save you time.
PAGE 802
Wireless Network Management Logging and Alarms ■ Mnemonic—This field includes an abbreviated identification of the type of event. ■ Description—The description gives you the most information about the event. You can click on any column heading to organize events according to the information in that column. The bottom of the screen shows you which line in the log file that you are currently examining.
PAGE 803
Wireless Network Management Logging and Alarms To transfer the local log file, complete these steps: 1. Click the Transfer Files button. The Transfer screen is displayed. Figure 13-49.Transferring Log Files to a Server or Workstation 2. In the From field in the Source section, use the drop-down menu to select Wireless Services Module. In the File field, use the drop-down menu to select the log file that you want to transfer. 3. Select the destination for the file.
PAGE 804
Wireless Network Management Logging and Alarms – 4. Path—Enter the path for the directory in which the destination file should be saved. Depending on your server, you may or may not need to enter / before the directory name. Leave this field empty (or simply enter /) to save the file to the server’s default directory. Click the Transfer button. Managing the Alarm Log In order for the Wireless Edge Services xl Module to log an alarm, you must activate the corresponding trap.
PAGE 805
Wireless Network Management Logging and Alarms ■ Status—If the alarm has been acknowledged, then an administrator has seen it and presumably dealt with it. ■ Time Stamp—Among other purposes, you can view the time stamp to: • check whether a problem is ongoing • look for the cause of a behavior that you know occurred at a particular time • track patterns of activity • determine the duration of a problem ■ Severity—Severity signals the relative threat to network functions and security.
PAGE 806
Wireless Network Management Logging and Alarms Details When you do not know what an alarm means, or when you need direction in solving the problem indicated, you should view alarm details. Select the alarm from the list, and then click the Details button. The screen that is displayed points you toward the cause of the alarm and possible solutions for an associated problem. (See Figure 13-51.) Figure 13-51.
PAGE 807
Wireless Network Management Logging and Alarms Acknowledge alarms Delete alarms Export alarms off the module Figure 13-52.Using Buttons in the Device Information > Alarm Log Screen Acknowledge Sometimes you will want to store an alarm in the log even after you have viewed it, either because you want another administrator to see it or because you want to track a particular pattern of activity. In this case, instead of deleting the alarm, you should click the Acknowledge button to change its status.
PAGE 808
Wireless Network Management MAC Filters (Local MAC Authentication) ■ pool information from multiple devices in a central location ■ track patterns of network activity To export the information in one or more alarms, select those alarms and click the Export button. On the screen that is displayed, select a filename and a location for the logs, which are saved as a comma-separated file.
PAGE 809
Wireless Network Management MAC Filters (Local MAC Authentication) ■ The module processes ACLs that are applied to a WLAN starting with the ACL that has the lowest index number. The module stops processing the ACLs as soon as it finds a match for the station’s MAC address. ■ The module supports two types of ACLs: ■ • Allow ACLs—If the module matches a station to this ACL, it permits traffic from the station.
PAGE 810
Wireless Network Management MAC Filters (Local MAC Authentication) Figure 13-53.Security > MAC Filters Screen 2. Click the Add button. The Add ACL screen is displayed. Figure 13-54.
PAGE 811
Wireless Network Management MAC Filters (Local MAC Authentication) 3. Enter a value from 1 through 1,000 in the Station-ACL Index field. Each ACL must have a unique index number. Pay close attention to this number because, when a station matches more than one entry, only the entry with the lowest number affects the station. 4. Enter a range of MAC addresses, placing the first address in the Starting MAC field and the last address in the Ending MAC field.
PAGE 812
Wireless Network Management MAC Filters (Local MAC Authentication) Figure 13-55.Assigning ACLs to WLANs 3. Check the boxes for the WLANs to which you want to apply the ACL. WLANs are displayed by index (not SSID). The module will use the ACL to filter traffic on the selected WLANs. If you have selected multiple ACLs, they are listed in separate columns by index number. (See Figure 13-56.
PAGE 813
Wireless Network Management MAC Filters (Local MAC Authentication) Figure 13-56.Assigning ACLs to WLANs 4. Click the OK button. When you select this ACL on the Security > Wireless Filters screen, the selected WLANs appear in the Associated WLANs section. (See Figure 13-57.) In this screen, you can view the WLAN’s SSID, as well as other security options for that WLAN.
PAGE 814
Wireless Network Management MAC Filters (Local MAC Authentication) Figure 13-57.Associating ACLs with WLANs Note that it is possible to prevent a station from associating to one WLAN but to allow the station to associate to another. Just as you can make an ACL a member of more than one WLAN, you can associate more than one ACL to a WLAN. The module filters traffic first against the ACL with the lowest index number, then against the ACL with the next lowest number, and so on.
PAGE 815
Wireless Network Management MAC Filters (Local MAC Authentication) and as long as these ACLs have an index number lower than 100, the Wireless Edge Services xl Module will process them before it processes the ACL that denies all stations. Exporting and Importing MAC Standard ACLs (Filters) You can export the MAC standard ACLs (filters) configured on the Wireless Edge Services xl Module to the local disk of the management station.
PAGE 816
Wireless Network Management MAC Filters (Local MAC Authentication) Export button Figure 13-58.Exporting ACLs 3. Click the Export button. 4. A dialog screen is displayed for saving the file to the local disk of your management station. Name the file and choose the directory in which to save it. Then confirm the save. 5. A screen reports that the export was successful. Click the OK button. Figure 13-59.
PAGE 817
Wireless Network Management MAC Filters (Local MAC Authentication) Importing MAC Standard ACLs Instead of (or in addition to) manually configuring MAC standard ACLs (filters) on your Wireless Edge Services xl Module, you can import a .cvs file that includes these ACLs to your module. The file should be saved on the local disk of your management station. You can create the ACLs file using a spreadsheet application. Include four columns for each ACL.
PAGE 818
Wireless Network Management MAC Filters (Local MAC Authentication) To import MAC standard ACLs to your Wireless Edge Services xl Module, follow these steps: 1. Select Security > MAC Filters. 2. Click the Import button. Import button Figure 13-60.Importing ACLs 3. A dialog screen is displayed for choosing the file from the local disk of your management station. Find your file and confirm the import. 4. A screen reports the results of the import.
PAGE 819
Wireless Network Management MAC Filters (Local MAC Authentication) Figure 13-61.ACL Import Result 5. Click the OK button. 6. For the imported ACLs to take effect, you must assign them WLAN memberships: a. Select the new ACLs. You can select multiple ACLs by holding down Ctrl as you select them. b. Click the Memberships button. c. Check boxes to assign the ACLs to WLANs. d. Click the OK button. See “Configuring WLAN Memberships” on page 13-77 for more information. Resolving Import Errors.
PAGE 820
Wireless Network Management MAC Filters (Local MAC Authentication) Figure 13-62.ACL Import Result Screen Error Messages Errors include: ■ messages informing you that a field contains an invalid value: • “ACL index must be an integer” • “Invalid starting MAC.” • “Invalid ending MAC.” • “ACL mode must be either Allow or Deny” As explained earlier, each line in the file must include four fields with valid values for index number, MAC addresses, and ACL mode (allow or deny).
PAGE 821
Wireless Network Management MAC Filters (Local MAC Authentication) The ACL in the line indicated conflicts with an ACL already configured on the Wireless Edge Services xl Module. That is, they have the same index number. Make one of two choices: • Click the OK button, and import the file despite the conflict. The module retains all of its already-configured ACLs. However, any nonconflicting ACLs are imported normally. • Click the Cancel button, and cancel the import.
PAGE 822
Wireless Network Management Network Self Healing Network Self Healing Self healing keeps your wireless network functioning optimally in response to changing conditions.
PAGE 823
Wireless Network Management Network Self Healing ■ Neighbors no longer receive beacons from the radio. An RP checks the beacons that it has received every 30 seconds. If the RP has not received beacons from a neighbor in the last two seconds, it reports that neighbor as down. In other words, an RP considers a neighbor failed when it loses contact with that neighbor for more than two seconds; however, the RP only checks whether it has lost contact with a neighbor every 30 seconds.
PAGE 824
Wireless Network Management Network Self Healing An RP radio only responds to the loss of a radio if that radio is defined as one of its neighbors. To further configure neighbor recovery, you must: ■ specify neighbors ■ specify the action that a radio takes if one of its neighbors fails Select Special Features > Self Healing and click the Neighbor Details tab. Figure 13-64.
PAGE 825
Wireless Network Management Network Self Healing You can configure the neighbors in one of two ways: manually or with automatic neighbor detection. Specifying Neighbors Manually Keep these concepts in mind as you configure neighbors: ■ The neighbor relationship is reciprocal: if you configure a neighbor list on radio 1 that includes radio 3, radio 3’s neighbor list automatically adds radio 1. (See Figure 13-64.
PAGE 826
Wireless Network Management Network Self Healing All RP radios adopted by this module are listed. The screen lists all RP radios adopted by this module, displaying this information for each: 2. • Radio Index—index number • Description—name • Type—802.11bg or 802.11a • RP Ethernet MAC—Ethernet MAC address for the RP that includes this radio • Action—self-healing action when a neighbor fails • Neighbor Radio Indices—neighbors’ index numbers Select a radio and click the Edit button.
PAGE 827
Wireless Network Management Network Self Healing 3. To add a neighbor, select a radio from the field on the left and then click the Add button. The radio moves to the right; it is now the neighbor of the radio that you are editing. You can add up to 16 neighbors, including radios that use a different 802.11 mode than the radio for which you are selecting neighbors. Keep in mind, however, that if the second radio’s wireless stations do not support the other mode, then this radio cannot help them. 4.
PAGE 828
Wireless Network Management Network Self Healing Configuring Radios to Automatically Detect Neighbors Instead of manually configuring neighbors, you can have RP radios detect each other and choose their own neighbors. In this case, each radio will select the three other radios from which it receives the strongest signal. To use this option, complete these steps: 1. Select Special Features > Self Healing and click the Neighbor Details tab. Figure 13-67.Configuring Neighbors 2.
PAGE 829
Wireless Network Management Network Self Healing Note As soon as you enable this feature, every RP disassociates its wireless stations and begins scanning for neighboring RPs. For this reason, it is particularly important that you configure self healing when the wireless network is inactive. Remember also that any manually defined neighbors for radios are erased when you click the Detect Neighbors button. 3. To confirm that you want RPs to begin detecting neighbors, click the Yes button.
PAGE 830
Wireless Network Management Network Self Healing Figure 13-69.Self Healing Action for Neighbor Recovery ■ both raise its transmit power and open its data rates (see Figure 13-69) Sometimes you lower radios’ transmit power so that closely grouped RPs can support higher data rates within their relatively small coverage areas. When an RP radio raises its transmit power to take over a failed neighbor’s coverage area, it can no longer support high data rates for all stations (some are too far away).
PAGE 831
Wireless Network Management Network Self Healing ■ take no action Remember that radios are always neighbors to each other. However, you might want one radio to respond to the failure of a second radio, but you might not want the second radio to respond to the failure of the first radio. For example, the second radio might be in a more important location. When editing the second radio, configure it to take no action.
PAGE 832
Wireless Network Management Network Self Healing Figure 13-70.Defining the Action 3. 4. In the Self Healing Action field, use the drop-down menu to select the action: • Open Rates—to configure the radio to support all data rates • Raise Power—to configure the radio to raise its power to the legal maximum. See “Configuring a Self Healing Offset” on page 13-98 to determine whether you will need to configure a self healing offset. • Both—to configure the radio to take both of these actions.
PAGE 833
Wireless Network Management Network Self Healing The Wireless Edge Services xl Module subtracts the offset from the maximum power allowed in your regulatory domain to define the maximum power for that radio. To configure this parameter, complete these steps: 1. Select Network Setup > Radio > Configuration. 2. Select the radio and click the Edit button. The Configuration screen for the selected radio is displayed. (See Figure 13-71.) Self Healing Offset Figure 13-71.
PAGE 834
Wireless Network Management Network Self Healing Interference Avoidance Also called dynamic channel selection, interference avoidance helps your RP radios choose the best channel in your environment at the moment. If the Wireless Edge Services xl Module detects interference on a radio’s current channel, it has the radio use Auto-Channel Selection (ACS) to choose a new channel. The module implements this procedure for interference avoidance: 1.
PAGE 835
Wireless Network Management Network Self Healing Figure 13-72.Enabling Interference Avoidance 2. Select the Enable Interference Avoidance box. 3. Typically, you should leave the settings for this feature at their defaults. However, you can customize them: a. In the Average Retries field, enter a value from 1 through 15 to set the threshold for the number of times stations must resend frames during a 30-second interval.
PAGE 836
Wireless Network Management Network Self Healing b. In the Hold Time field, enter a time from 0 through 65,535 seconds. This setting determines how long a radio must wait in between selecting a new channel and again running ACS. If you set this value too low, then radios might begin to run ACS continuously, preventing stations from associating to them. By default, the Hold Time is set at 3,600 seconds (one hour). 4. 13-102 Click the Apply button.
PAGE 837
14 sFlow Agent Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 Flow Sampling by the sFlow Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 Counter Polling by the sFlow Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 sFlow Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 Configuring sFlow Receiver Instances . . . . . . . . . . . . . . . . . . .
PAGE 838
sFlow Agent Overview Overview The Procurve Wireless Edge Services xl Module contains an sFlow agent. The sFlow agent samples traffic, treating the traffic that arrives on each adopted RP radio as a separate flow. In other words, the module’s sFlow agent monitors each radio much as a switch might monitor each physical interface. The sFlow agent forwards traffic information to an sFlow collector. Another term for an sFlow collector is an sFlow receiver.
PAGE 839
sFlow Agent Overview On the Wireless Edge Services xl Module, data sources are RP radios, and “n,” the packet sampling rate, is configurable per-radio and sampling instance (up to six per radio). In other words, the module orders radios to send approximately every “nth” packet to the module’s sFlow agent to be sampled, packaged, and sent to the sFlow receiver or receivers. Note Only 802.11 data frames are sampled. The sFlow agent does not sample management and control frames such as beacons.
PAGE 840
sFlow Agent Overview Counter polling works with flow sampling to create a more comprehensive picture of network traffic. The counters for total traffic supplement the more detailed information collected for samples. The sFlow agent obtains the counters by periodically polling radios. The agent polls radios as needed to fill datagrams most efficiently. However, you can configure the maximum time that can elapse before a radio must be polled.
PAGE 841
sFlow Agent Overview The Wireless Edge Services xl Module can accommodate up to six sFlow receivers. The module’s receiver instances can be configured in one of three ways: 1. The sFlow receiver contacts the module’s agent and uses SNMP to reserve and configure a receiver instance (only instances 4, 5, and 6). The sFlow receiver reserves the instance by writing its owner string into that instance on the sFlow receiver table. The receiver also configures a receiver timeout value for itself.
PAGE 842
sFlow Agent Overview You must specify all settings, including the sFlow receiver’s IP address and port, as well as owner string and timeout. To enable packet sampling or counter polling, you must configure an available sFlow instance of the appropriate type. Then match the instance to the receiver instance. This chapter focuses on configuring sFlow manually through the Web browser interface.
PAGE 843
sFlow Agent Configuring sFlow Using the Web Browser Interface Configuring sFlow Using the Web Browser Interface The Wireless Edge Services xl Module’s sFlow agent is enabled by default. If your sFlow receiver (sometimes called an sFlow collector) can control the agent through SNMP, you do not need to configure the module further. You can check the module’s sFlow agent and verify that it is compatible with your sFlow receiver’s SNMP capabilities. Select Special Features > sFlow > Agent. Figure 14-1.
PAGE 844
sFlow Agent Configuring sFlow Using the Web Browser Interface In order to manage an sFlow agent, an sFlow receiver must know how the agent implements sFlow. The screen displays this information about the agent: ■ sFlow MIB Version—the agent’s MIB version. The MIB specifies how the agent extracts and bundles sampled data, and the sFlow receiver must support the agent’s MIB. The Wireless Edge Services xl Module’s MIB version is 1.3, so your sFlow collector’s version must also be at least 1.3.
PAGE 845
sFlow Agent Configuring sFlow Using the Web Browser Interface Each receiver has its own receiver instance. Many receivers can configure the instance automatically. If you decide to configure instances manually, you can configure three receiver instances (1, 2, and 3) only through the CLI. (See Appendix A: ProCurve Wireless Services xl Module Command Line Reference.) The other receiver instances (4, 5, and 6), you can configure through the Web browser interface.
PAGE 846
sFlow Agent Configuring sFlow Using the Web Browser Interface Figure 14-3. Receiver Configuration Screen 4. In the Owner field, enter a string to identify the sFlow receiver. 5. In the Time Out field, specify a value in seconds from 1 to 999999999 (roughly 31 years). The timeout reserves this receiver instance for the specified receiver for the set amount of time. Generally, when you configure an sFlow receiver instance manually, you should set the timeout very high (to days or weeks).
PAGE 847
sFlow Agent Configuring sFlow Using the Web Browser Interface 9. From the 802.11 Map drop-down menu, choose how the module’s sFlow agent creates the sample. The default setting is Unchanged; the module creates the sample as specified by the 802.11 extensions to sFlow. For example, it includes the 802.11 header. If your sFlow receiver does not support the 802.11 extension, select Convert to Ethernet from the drop-down menu. The module’s sFlow agent then packages 802.
PAGE 848
sFlow Agent Configuring sFlow Using the Web Browser Interface Figure 14-4. Special Features > sFlow > Flow Sampling Screen The Wireless Edge Services xl Module’s sFlow agent begins sampling a flow when either of two conditions are met: ■ An sFlow receiver contacts the module’s sFlow agent and claims an open flow sampling instance (the Receiver Instance column displays 0). In this case, the receiver configures the sampling rate.
PAGE 849
sFlow Agent Configuring sFlow Using the Web Browser Interface Figure 14-5. Flow Sampling Configuration Screen 4. From the Receiver Instance drop-down menu, choose the receiver index number associated with the sFlow receiver to which the module should send the samples. To easily track which settings apply to a specific sFlow collector, match the sFlow instance number to the receiver instance number. However, matching the numbers is not mandatory.
PAGE 850
sFlow Agent Configuring sFlow Using the Web Browser Interface Of course, the activity on a radio changes over time, so there are no absolute rules for determining the best sampling rate. 6. Optionally, alter the value in the Maximum Header Size field to set the amount of data (in bytes) included in a sample. The module samples the specified number of bytes. For example, if you set the Maximum Header Size to 100, the module places the first 100 bytes of every sampled frame in a datagram.
PAGE 851
sFlow Agent Configuring sFlow Using the Web Browser Interface Figure 14-6. Special Features > sFlow > Counter Polling Screen The separate instances allow the agent to report counters to up to six sFlow receivers. By default, counter polling is disabled: the instances are not mapped to receivers and the polling interval is set to 0.
PAGE 852
sFlow Agent Configuring sFlow Using the Web Browser Interface 3. Click the Edit button. The Counter Polling Configuration screen is displayed. For the Data Source, the screen displays the index and name of the radio that the module’s agent polls. The sFlow Instance shows which of the six instances you are currently configuring. Figure 14-7. Counter Polling Configuration 4. Select 4, 5, or 6 from the Receiver Instance drop-down menu.
PAGE 853
A ProCurve Wireless Services xl Module Command Line Reference Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2 Manager Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3 acknowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5 cd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 854
ProCurve Wireless Services xl Module Command Line Reference Contents mkdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-21 more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-22 no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-22 page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 855
ProCurve Wireless Services xl Module Command Line Reference Contents Interface Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-51 description (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-51 ip (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-52 management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-53 mtu .
PAGE 856
ProCurve Wireless Services xl Module Command Line Reference Contents show redundancy-history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-90 show redundancy-member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-91 show running-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-92 show snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-94 show sntp . . . . . . . . .
PAGE 857
ProCurve Wireless Services xl Module Command Line Reference Contents Support Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-125 Support Commands (All Contexts) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-127 support clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-127 support copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-127 support diag . .
PAGE 858
ProCurve Wireless Services xl Module Command Line Reference Overview Overview This chapter describes the commands provided by the CLI. The CLI commands can be broken down into their respective context groups. A-6 Command Group Description Page Manager Commands run from the Manager Context. A-7 Global Configuration Commands run from the Global Context. A-35 Interface Configuration Commands run from the Interface Context. A-55 Wireless Configuration Commands run from the Wireless Context.
PAGE 859
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Manager Commands These commands are used to configure the manager commands on the access point. Command Function Page acknowledge alarm-log (all | <1-65535> ) Acknowledges alarms. A-9 cd (DIR|) Changes directory. A-9 clear (alarm-log | arp | logging| wireless-statistics) Clears cache and reporting logs. A-10 configure (terminal) Enters configure context. A-10 copy FILE| URL Copies from one file to another.
PAGE 860
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Command Function Page rename FILENAME NEWFILENAME Renames a file. A-29 rmdir DIR Deletes a directory. A-30 telnet WORD | WORD PORT Opens a telnet connection. A-31 terminal length | width Sets width and length parameters on a screen. A-32 upgrade URL Upgrades the software image. A-32 upgrade-abort Aborts an ongoing upgrade.
PAGE 861
ProCurve Wireless Services xl Module Command Line Reference Manager Commands acknowledge This command acknowledges the presence of alarms. Syntax acknowledge alarm-log (all | <1-65535>) • alarm-log - Acknowledge the alarm logs. – all - Acknowledge all alarms. – <1-65535> - Acknowledge specific alarm ID Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#acknowledge alarm-log 65535 ProCurve(wireless-services-B)# cd This command changes the current directory.
PAGE 862
ProCurve Wireless Services xl Module Command Line Reference Manager Commands clear This command resets specified cache and reporting logs. Syntax clear (alarm-log | arp | arp | logging | wireless-statistics ) • alarm-log (<1-65535> | acknowledged |all | new)- Clear alarm log. – <1-65535> - Clear specific alarm id. – acknowledged - Clear acknowledged alarms. – all - Clear all alarms. – new- Clear new alarms. • arp - Clear arp cache. • logging - Modify message logging facilities.
PAGE 863
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Example ProCurve(wireless-services-B)#configure terminal ProCurve (wireless-services-B)(config)# copy This command copies from one file to another. Syntax copy FILE | URL • FILE -File from which to copy. – Files: flash: /path/file nvram: startup-pconfig system: running-config Filenames are case sensitive and limited to 45 chars. • URL -URL from which to copy.
PAGE 864
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Default Setting N/A Command Mode Manager Exec Example ProCurve(wireless-services-B)#debug all ProCurve(wireless-services-B)# debug cc This command traces cellcontroller (wireless) debugging messages. The no command negates the trace. Syntax debug cc (err | warn | info | all) • err- Trace error messages from the cellcontroller. The no version of the command negates the trace.
PAGE 865
ProCurve Wireless Services xl Module Command Line Reference Manager Commands debug imi This command traces integrated management debugging messages. The no command negates the trace. Syntax debug imi (all | cli | errors | init) • all- Traces all messages from the integrated management interface. The no version of the command negates the trace. • cli- Trace cli commands to/from the protocol modules. The no version of the command negates the trace.
PAGE 866
ProCurve Wireless Services xl Module Command Line Reference Manager Commands • monitor - Trace logging to monitors. The no version of the command negates the trace. • subagent - Trace logging to the subagent. The no version of the command negates the trace.
PAGE 867
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Example ProCurve(wireless-services-B)#debug mgmt cgi ProCurve(wireless-services-B)# ProCurve(wireless-services-B)#no debug mgmt sys ProCurve(wireless-services-B)# debug nsm This command traces network service module (NSM). The no command negates the trace. Syntax debug nsm (all | events | kernel | packet) • all- Trace all messages from the network service module. The no version of the command negates the trace.
PAGE 868
ProCurve Wireless Services xl Module Command Line Reference Manager Commands debug pktdrvr This command traces pktdrvr (kernel wireless) debugging messages. The no command negates the trace. Syntax debug pktdrv (debug | err | info | rate-limit | warn | all) • debug - Trace all messages from the pktdrvr. • err- Trace error messages from the pktdrvr. Default if no parameter is specified. • info - Trace error, warning, and informational messages from the pktdvr.
PAGE 869
ProCurve Wireless Services xl Module Command Line Reference Manager Commands • proc- Trace process state machine messages. The no version of the command negates the trace. • shutdown- Trace shutdown process messages. The no version of the command negates the trace. • subagent- Trace subagent messages. The no version of the command negates the trace. • sys- Trace system state machine messages. The no version of the command negates the trace.
PAGE 870
ProCurve Wireless Services xl Module Command Line Reference Manager Commands • shutdown- Trace shutdown messages. • states- Trace redundancy state machine messages. • subagent - Trace subagent messages. • timer- Trace timer handling messages. • warnings- Trace warning messages. Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#debug redundancy ccmsg ProCurve(wireless-services-B)# debug upd-server This command traces update server debugging messages.
PAGE 871
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Example ProCurve(wireless-services-B)#debug upd-server autoinstall ProCurve(wireless-services-B)# ProCurve(wireless-services-B)#no debug upd-server cli ProCurve(wireless-services-B)# debug wireless-statistics This command traces wireless statistics debugging messages. The no command negates the trace. Syntax debug wireless-statistics (all | error |) • all- Trace all messages from wireless-statistics.
PAGE 872
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#diff TESTFILE TESTFILE2 --- TESTFILE +++ TESTFILE2 @@ -1 +1 @@ -testing edit, view, and delete file. +testing edit, erase, and contents of file. ProCurve(wireless-services-B)# dir This command displays list of available files on the filesystem. Syntax dir (all | recursive |) (DIR | all-filesystems |) • all - Display all available files.
PAGE 873
ProCurve Wireless Services xl Module Command Line Reference Manager Commands ExampleOne ProCurve(wireless-services-B)# dir all ------------------------------------------------------------------Directory of flash:/ drwx 1024 Wed Dec 7 17:06:32 2005 hotspot drwx 1024 Thu Dec 8 09:31:07 2005 crashinfo drwx 80 Mon Feb 13 09:35:10 2006 log Directory of nvram:/ -rw625 Thu Dec 2 Directory of system:/ -rw- 08:53:36 2006 startup-config running-config ProCurve(wireless-services-B)# ExampleTwo ProCurve(wirele
PAGE 874
ProCurve Wireless Services xl Module Command Line Reference Manager Commands edit This command edits an existing file or creates a new text file. Syntax edit FILE • FILE -Name of file to edit or create. Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#edit TESTFILE GNU nano 1.2.
PAGE 875
ProCurve Wireless Services xl Module Command Line Reference Manager Commands erase This command deletes a specified file from the system. Syntax erase FILE • FILE- Name of the specified file to be deleted. – FILES: + flash:/path/file + startup-config - Resets configuration back to factory default. Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#erase startup-config Startup config is deleted.
PAGE 876
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Example This example shows how to return to the previous command levels starting from the Manager Configuration mode and finally logging out of the CLI session. ProCurve(wireless-services-B)#exit ProCurve (config)#exit ProCurve#exit ProCurve>exit Do you want to log out [y/n]?y Do you want to save your current configuration?n Connection to host lost. halt This command halts the wireless module.
PAGE 877
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Command Mode Manager Example ProCurve(wireless-services-B)#help CLI provides advanced help feature. When you need help, anytime at the command line please press '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options. Two styles of help are provided: 1. Full help is available when you are ready to enter a command argument (e.g.
PAGE 878
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Syntax mkdir DIR • DIR - Directory name. Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#mkdir TESTDIR ProCurve(wireless-services-B)# more This command displays the contents of a file. Syntax more FILE • FILE- File name.
PAGE 879
ProCurve Wireless Services xl Module Command Line Reference Manager Commands no • debug - Debug functions. To access individual debug commands, begin with the basic command “debug all” on page A-11. • page - Toggle paging. See “page” on page A-27. • show - Show commands. To access individual show commands, “debug all” on page A-11.
PAGE 880
ProCurve Wireless Services xl Module Command Line Reference Manager Commands ping WORD • WORD - Hostname or IP address of the host. Default Setting N/A Command Mode Manager Command Usage • Use the ping command to see if another site on the network can be reached. • The following are some results of the ping command: – Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
PAGE 881
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Command Mode Manager Example ProCurve(wireless-services-B)#pwd flash:/ ProCurve(wireless-services-B)# reload This command halts and performs a warm reboot. Syntax reload Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#reload Wireless module will be rebooted, do you want to continue? (y/n): y Do you want to save current configuration? (y/n):y ProCurve(config)# rename This command renames a file.
PAGE 882
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Command Mode Manager Example To validate the name change, use the DIR command.
PAGE 883
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Example To validate the directory is deleted, use the DIR command.
PAGE 884
ProCurve Wireless Services xl Module Command Line Reference Manager Commands terminal This command sets terminal line parameters. Syntax terminal length | width • length - Set number of lines on a screen. – <2-1000> - Number of lines on a screen. • width - Set width of display terminal. – <61-1920> - Number of characters on a screen line.
PAGE 885
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Example ProCurve(wireless-services-B)#upgrade tftp://192.168.1.10/ WS.00.01.img ProCurve(wireless-services-B)# upgrade-abort This command aborts an ongoing upgrade. Syntax upgrade-abort Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#upgrade-abort ProCurve(wireless-services-B)# write This command writes the running configuration to memory or terminal.
PAGE 886
ProCurve Wireless Services xl Module Command Line Reference Manager Commands Example ProCurve(wireless-services-B)#write terminal ! ! configuration of ProCurveWLANModule Wireless Services version WS.01.XX.0551Sw6 ! version 1.
PAGE 887
ProCurve Wireless Services xl Module Command Line Reference Global Commands Global Commands These commands are used to configure the global commands. Command Function Page boot Reboots wireless module. A-36 country-code Configures the country code. A-36 crypto Encryption related commands. A-38 end Ends current mode and changes back to Manager mode. A-38 enrollment Enrollment parameters. A-39 exit Detailed in Manager Command Section.
PAGE 888
ProCurve Wireless Services xl Module Command Line Reference Global Commands boot This command reboots the wireless module. Syntax boot flash (primary | secondary ) • flash - Specifies the boot image to use after reboot. – primary - Primary image. – secondary - Secondary image.
PAGE 889
ProCurve Wireless Services xl Module Command Line Reference Global Commands Table A-1.
PAGE 890
ProCurve Wireless Services xl Module Command Line Reference Global Commands crypto This command configures encryption related parameters. Syntax crypto pki (enroll | trustpoint ) • crypto pki - Configures public key infrastructure commands. – enroll - Request a certificate from a CA. – + local - CA server name. trustpoint- Define a CA trustpoint. + local - CA server name.
PAGE 891
ProCurve Wireless Services xl Module Command Line Reference Global Commands Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#end ProCurve(wireless-services-B)# enrollment This command configures enrollment related parameters. Syntax enrollment (selfsigned) • selfsigned - Generates a self signed certificate.
PAGE 892
ProCurve Wireless Services xl Module Command Line Reference Global Commands Command Mode Global Configuration Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#no fallback enable ProCurve(wireless-services-B)(config)# hostname This command sets the system’s network name. The no command negates this configuration. Syntax hostname (LINE) no hostname • LINE - The system’s network name.
PAGE 893
ProCurve Wireless Services xl Module Command Line Reference Global Commands Syntax interface (IFNAME) no interfaces • IFNAME - Specifies interfaces (vlan1 - vlan4094). Default Setting N/A Command Mode Global Configuration Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#interface vlan1 ProCurve(wireless-services-B)(config-if)# ip (global) This command configures ip parameters.The no command negates this configuration.
PAGE 894
ProCurve Wireless Services xl Module Command Line Reference Global Commands • routing - Turns on IP routing. • web-management - Configures web server. Default Setting N/A Command Mode Global Configuration Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#ip route 10.0.0.1/4 255.255.255.
PAGE 895
ProCurve Wireless Services xl Module Command Line Reference Global Commands Command Mode Global Configuration Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#licenses hardware-id radio-ports The hardware Id for package radio-ports is SG528WC011-H-EXAMPLE-8KJKPT6-T67XT6P-3GT8QJ9 ProCurve(wireless-services-B)(config)# Related Commands show licenses (page A-91) logging This command modifies message logging facilities. The no command negates the logging configuration.
PAGE 896
ProCurve Wireless Services xl Module Command Line Reference Global Commands • facility - Sets syslog facility in which log messages are sent. – local0 - Syslog facility local0. – local1 - Syslog facility local1. – local2 - Syslog facility local2. – local3 - Syslog facility local3. – local4 - Syslog facility local4. – local5 - Syslog facility local5. – local6 - Syslog facility local6. – local7 - Syslog facility local7. • host - Configures remote host to receive log messages. – A.B.C.
PAGE 897
ProCurve Wireless Services xl Module Command Line Reference Global Commands Default Setting Disabled Command Mode Global Configuration Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#password-encryption secret 2 pass ProCurve(wireless-services-B)(config)# Related Commands show password-encryption (page A-92) redundancy This command configures redundancy group parameters. The no negates the configuration.
PAGE 898
ProCurve Wireless Services xl Module Command Line Reference Global Commands • member-ip - Adds member to this redundancy group. – - IP address of the member. • mode - Sets the redundancy mode. – active - Mode can be active. – standby - Mode can be standby. Default Setting Disabled Command Mode Global Configuration Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#redundancy ip 10.10.1.20 ProCurve(wireless-services-B)(config)#redundancy 10.10.1.
PAGE 899
ProCurve Wireless Services xl Module Command Line Reference Global Commands snmp-server This command modifies the snmp-server parameters. Use the no form to remove the specified snmp-server parameters. Syntax snmp-server (community | contact | enable | host | location | manager | user ) no snmp-server • community - Sets community string and access privileges. – WORD - SNMP community string. (private | public) +restricted - Read-only access with this community string.
PAGE 900
ProCurve Wireless Services xl Module Command Line Reference Global Commands -ids - Enable wireless IDS traps. ++excessiveAuthAssocation - Excessive association authentication. ++excessiveProbes - Excessive probes. -radio - Enable wireless radio traps. ++adopted - Radio adopted. ++detectedRadar - Radio detected radar. ++unadopted - Radio unadopted. -self-healing - Enable self healing traps. ++activated - Self healing activated. - station - Enable wireless station traps.
PAGE 901
ProCurve Wireless Services xl Module Command Line Reference Global Commands The following three commands share the rate parameters. - radio - Modify radio rate traps. - station - Modify station rate traps. - wlan - Modify wlan rate traps. ++avg-bit-speed-less-than - Average bit speed in Mbps is less than. ++avg-retry-greater-than - Average retry is greater than. ++avg-signal-less-than - Average signal in dBm is less than. ++gave-up-percent-greater-than - Percentage of pkts dropped is greater than.
PAGE 902
ProCurve Wireless Services xl Module Command Line Reference Global Commands - encrypted - Specifying password as md5 digests. ++auth - Authentication parameters for the user. - -md5 - Use HMAC MD5 algorithm for authentication – +++PASSWD - Authentication password for user. operator - Operator user. +v3 - User using v3 security model. - auth - Authentication parameters for the user. ++md5 - Use HMAC MD5 algorithm for authentication. - -PASSWD - Authentication password for user.
PAGE 903
ProCurve Wireless Services xl Module Command Line Reference Global Commands sntp This command configures simple NTP. The no command negates this configuration. Syntax sntp (enable | server1 | sever2 | server3) no sntp • enable - Enables time synchronization with Simple NTP servers. • server1 - Configures first SNTP server. – A.B.C.D - IP address of first SNTP server. • server2 - Configures second SNTP server. – A.B.C.D - IP address of second SNTP server. • server3 - Configures first SNTP server.
PAGE 904
ProCurve Wireless Services xl Module Command Line Reference Global Commands Command Mode Global Configuration Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#time 20:32:26 ProCurve(wireless-services-B)(config)# Related Commands show time (page A-102) timezone This command configures timezone parameters.The no command negates this configuration. Syntax timezone (TIMEZONE) no timezone • TIMEZONE - File containing the timezone.
PAGE 905
ProCurve Wireless Services xl Module Command Line Reference Global Commands upd-server This command configures autoinstall update server parameters. The no command negates this configuration. Syntax upd-server (cfg-file-loc | img-file-loc | ip | unreachable) no upd-server • cfg-file-loc - Sets configuration file location on the ftp/tftp server. – WORD - Config file ftp/tftp location. • img-file-loc - Sets image file location. – WORD - Image file ftp/tftp location. +img-file-ver- Image file version.
PAGE 906
ProCurve Wireless Services xl Module Command Line Reference Global Commands wireless This command accesses the wireless context. This section does not detail the commands in the wireless context, refer to the Wireless Context Command Section.
PAGE 907
ProCurve Wireless Services xl Module Command Line Reference Interface Commands Interface Commands These commands are used to configure the Interface Context commands. Command Function Page [no] description (Negates) Interface specific description. A-55 end Detailed in Global Command Section. A-38 exit Detailed in Manager Command Section. A-23 help Detailed in Manager Command Section A-24 [no] ip (Negates) Sets the IP address of the interface.
PAGE 908
ProCurve Wireless Services xl Module Command Line Reference Interface Commands Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#interface vlan1 ProCurve(wireless-services-B)(config-if)#description EXAMDES ProCurve(wireless-services-B)(config-if)# Related Commands show interfaces (page A-88) ip (interface) This command configures ip parameters of the interface. The no command negates this configuration.
PAGE 909
ProCurve Wireless Services xl Module Command Line Reference Interface Commands management This command configures the selected interface as the management interface.
PAGE 910
ProCurve Wireless Services xl Module Command Line Reference Interface Commands Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#interface vlan1 ProCurve(wireless-services-B)(config-if)#mtu 600 ProCurve(wireless-services-B)(config-if)# A-58
PAGE 911
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands Wireless Commands These commands are used to configure the Wireless Context commands. Command Function Page [no] adopt-unconf-radio (Negates) Adopts an unconfigured radio. A-60 [no] adoption-pref-id (Negates) Configures a preference identifier. A-60 [no] advanced-config (Negates) Enables advanced configuration. A-61 [no] ap-detection (Negates) Configures neighboring access point detection.
PAGE 912
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands adopt-unconf-radio This command adopts a radio even if its not yet configured. The default templates are used for configuration. The no command negates this configuration. Syntax adopt-unconf-radio (enable) no adopt-unconf-radio enable • enable - Enables the adoption of unconfigured radios.
PAGE 913
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#wireless ProCurve(wireless-services-B)(config-wireless)#adoptionpref-id 600 ProCurve(wireless-services-B)(config-wireless)# advanced-config This command allows advanced configuration of wlan settings . The no command negates this configuration. Syntax advanced-config no advanced-config • enable - Enables support for the advanced configuration.
PAGE 914
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands Syntax ap-detection (approved | enable | max-aps | timeout ) no ap-detection • approved - Configures the approved detection list. – add - Add an entry to the approved AP list . +<1-200> - Index where this approved entry will be added: <1-200>. - MAC - MAC address in AA-BB-CC-DD-EE-FF format. ++LINE - A string of up to 32 characters. ++any - Any SSID. - any - Any MAC address. ++LINE - A string of up to 32 characters.
PAGE 915
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands Related Commands show wireless ap-detection-config (page A-107) dot11-shared-key-auth This command enables support for 802.11 shared key authentication. The no command negates the support. Note Shared key authentication has known weaknesses that can compromise your WEP key. It should only be configured to accommodate wireless stations that are unable to carry out Open-System authentication.
PAGE 916
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands • excessive-associations - Monitors the number of association requests from stations. – <0-65535> - Maximum number of association requests per second . • excessive-probes - Monitors the number of probe requests from stations. – <0-65535> - Maximum number of association requests per second . • filter-ageout - Set the number of seconds to filter a station that off IDS. – <0-65535> - Time in seconds.
PAGE 917
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands +MAC - Starting MAC address in AA-BB-CC-DD-EE-FF format. - MAC - Ending MAC address in AA-BB-CC-DD-EE-FF format. – ++WORD - A list (eg: 1,3,7) or range (eg: 3-7) of wlan indices. deny - Deny stations that match this rule to associate. +MAC - Starting MAC address in AA-BB-CC-DD-EE-FF format. - MAC - Ending MAC address in AA-BB-CC-DD-EE-FF format. ++WORD - A list (eg: 1,3,7) or range (eg: 3-7) of wlan indices.
PAGE 918
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#wireless ProCurve(wireless-services-B)(config-wireless)#proxy-arp enable ProCurve(wireless-services-B)(config-wireless)# radio This command configures the radio parameters. The no command negates the radio parameter configuration. Note To configure many of the radio parameters, you must first configure the country code. See country code.
PAGE 919
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands – bss - Map wireless LANs to radio BSSIDs. +<1-4> - The BSS where wireless LANs will be mapped. - WLAN - A list (eg: 1,3,7) or range (eg: 3-7) of WLAN indices. When a BSS is also specified, the first WLAN will be used as the primary WLAN. When the auto option is used, the system will automatically assign the first four WLANs as primaries on their respective BSS. +auto - Automatic assignment of BSS.
PAGE 920
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands – – reset-rp - Resets the parent rp (this will reset all radios on that radio-port). rts-threshold - RTS threshold. – +<100-2346> - RTS threshold in bytes. run-acs - Runs auto-channel-selection on a radio. The radio should already have been configured for ACS. self-heal-offset - Configure the self-healing offset for regulatory. – – +<0-65535> - The self-heal offset in dB. short-preamble - Short preamble.
PAGE 921
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands • add - Adds a new radio. – <1-1000> - Index where this radio is to be added. + - Mac address in AA-BB-CC-DD-EE-FF format. -11a - 802.11a type radio. -11bg - 802.11bg type radio. • configure-8021X - Configures 802.1X username and password onto all currently adopted radio-ports. – username - Specify the 802.1X username the radio-port must use. +WORD - 802.1X username. -password - Specify the 802.
PAGE 922
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#wireless ProCurve(wireless-services-B)(config-wireless)#radio 1 adoption-pref-id 5 ProCurve(wireless-services-B)(config-wireless)#radio 1 antenna-mode diversity ProCurve(wireless-services-B)(config-wireless)#radio 1 beacon-interval 50 ProCurve(wireless-services-B)(config-wireless)#radio 1 channel-power indoor acs 10 Regulatory parameter values d
PAGE 923
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands • interference-avoidance - Interference Avoidance configuration. – enable - Enables/disables interference avoidance. – hold-time - The number of seconds to disable interference avoidance after a detection. This prevents a radio from changing channels continuously. – • +<0-65535> - A number of seconds between 0-65535. retries - The average number retries to cause a radio to re-run auto channel selection.
PAGE 924
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands Example ProCurve(wireless-services-B)#configure ProCurve(wireless-services-B)(config)#wireless ProCurve(wireless-services-B)(config-wireless)#self-heal interference-avoidance enable ProCurve(wireless-services-B)(config-wireless)#self-heal neighbor-recovery enable ProCurve(wireless-services-B)(config-wireless)#self-heal neighbor-recovery neighbors 5 5 ProCurve(wireless-services-B)(config-wireless)#self-heal neighbor-recovery run-n
PAGE 925
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands – dot11i - Configures IEEE 802.11i (TKIP/AES) parameters. +key - Configures the key (PMK). -0 - Password is specified UNENCRYPTED. ++WORD - The 256 bit (64 hex characters) long key. -2 - Password is encrypted with password-encryption secret. ++WORD - The 256 bit (64 hex characters) long key. -WORD - The 256 bit (64 hex characters) long key.
PAGE 926
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands – – – inactivity-timeout - Inactivity timeout in seconds. If a frame is not received from a station for this amount of time, the station is disassociated. +<60-86400> - Inactivity timeout in seconds. inter-station-blocking - Prevents station to station traffic on this WLAN. qos - Quality of Service commands. +mcast1 - The Egress prioritization multicast mask. - MAC - MAC address in AA-BB-CC-DD-EE-FF format.
PAGE 927
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands ++burst - Transmit-opportunity: an interval of time when a particular WMM STA has the right to initiate transmissions onto the wireless medium. - -<0-65535> - The transmit-opportunity in 32 microSecond units. ++cw - Contention Window parameters: wireless stations pick a number between 0 and the minimum contention window to wait before retrying transmission.
PAGE 928
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands +timeout - Time the wireless module waits for a response from the radius server before retrying. - <1-60> - Timeout in seconds. ++retransmit- Number of retries before the wireless module will give up and disassociate the station. – - - <1-10> - Retry count. station - Modifies Radius/802.1X supplicant related parameters. +timeout - Time the wireless module waits for a response from the radius server before retrying.
PAGE 929
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands The failure/login/welcome parameters share these parameters: - -description - Text that is displayed as the main body (normal font, middle of page) of the webpage. - -footer - Text that is displayed at the footer (smaller font, bottom section ) of the webpage. - -header - Text that is displayed as a header (large font, top section) of the webpage. - -main-logo - Main image (large size) that will be served up by the local webpage.
PAGE 930
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands +phrase - Specify a passphrase from which the keys are to be derived. -LINE - The passphrase between 4 and 32 characters long. +web-default-key - Configures the transmit key index. -<1-4>- The key index to be used for transmission from AP to MU.
PAGE 931
ProCurve Wireless Services xl Module Command Line Reference Wireless Commands wlan-prioritization This command uses WLAN priority weights to determine packet order. The no command disables this support. queueing Syntax wlan-prioritization (enable) no wlan-prioritization enable • enable- Enables prioritization across wireless LANs.
PAGE 932
ProCurve Wireless Services xl Module Command Line Reference Show Commands Show Commands These commands are common commands used to display configured parameters in all contexts. Command Function Page Show Commands (All Contexts) A-80 show alarm-log (<1-65535> | acknowledged | all | new |) Displays list of alarms occurring since boot. A-83 show commands Shows command lists. A-84 show crypto pki (certificates | trustpoints |) Displays encryption related commands.
PAGE 933
ProCurve Wireless Services xl Module Command Line Reference Show Commands Command Function show sntp Displays sntp configuration. A-100 show startup-config Displays contents of startup configuration. A-100 show terminal Displays terminal configuration parameters. A-101 show time Displays system clock. A-102 show timezone Displays time zone. A-102 show upd-server Displays server information. A-103 show upgrade-status (detail) Displays status of the last image upgrade.
PAGE 934
ProCurve Wireless Services xl Module Command Line Reference Show Commands A-82 Command Function Page show wireless radio-status Displays radio status. show wireless regulatory Displays regulatory (allowed channel/power) A-115 information for a particular country. show wireless rp-images Displays list of radio-port images on the wireless module. A-118 show wireless rp-unadopted Displays status of adopted radio-port.
PAGE 935
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Show Commands (All Contexts) This section details the show commands displayed in all available contexts. show alarm-log This command displays all alarms since the last boot. Syntax show alarm-log (<1-65535> | acknowledged | all | new |) • <1-65535> - Display details for specific alarm id. • acknowledged - Display acknowledged alarms since boot. • all - Display all alarms occurred since boot.
PAGE 936
show commands This command displays command lists.
PAGE 937
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) show crypto This command displays encryption related commands. Syntax show crypto pki (certificates | trustpoints |) • pki - Display public key infrastructure commands. – certificates - Display certificates.
PAGE 938
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Example ProCurve(wireless-services-B)#show debug debugging is off ProCurve(wireless-services-B)# show file This command displays filesystem information. Syntax show file (information | systems |) • information - Display file information. – FILE - Display information on file. • systems - Display filesystems.
PAGE 939
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) show flash This command displays flash information. Syntax show flash Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#show flash Image Build Date Install Date ------------------------------------------Primary Nov 17 22:16:26 2005 Nov 22 15:18:17 2005 Secondary Nov 17 22:16:26 2005 Nov 21 13:10:07 2005 Version -------------WS.01.XX.0551Swami WS.01.XX.
PAGE 940
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Example ProCurve(wireless-services-B)#show history 1 show hostname 2 show history ProCurve(wireless-services-B)# show hostname This command displays the network name of the system.
PAGE 941
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Example ProCurve(wireless-services-B)#show interfaces Interface dnlink Hardware Type Ethernet, Interface Mode Layer 2, address is 00-01-e6-f5-86-fc index 2 metric 1 mtu 1500 Speed: Admin Auto, Operational 1g Duplex: Admin Auto, Operational Full input packets 2693, bytes 204774, dropped 0, multicast packets 0 input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0 output pa
PAGE 942
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) • route - Display ip routing table. • routing- Display ip routing status. • web-management - Display web-server status. Default Setting N/A Command Mode Manager Examples ProCurve(wireless-services-B)#show ip arp IP Address MAC Address Interface 192.168.15.1 00-14-bf-bf-72-30 vlan1 Type dynamic ProCurve(wireless-services-B)# show ip dns 68.87.76.178 dynamic 68.87.66.
PAGE 943
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) show licenses This command displays installed licenses. Syntax show licenses (uninstalled) • uninstalled - Display uninstalled licenses.
PAGE 944
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Example ProCurve(wireless-services-B)#show logging Syslog logging: enabled Aggregation time: disabled Console logging: level debugging Monitor logging: disabled Buffer logging: disabled Trap logging: disabled Log Buffer (0 bytes): ProCurve(wireless-services-B)# show management This command displays L3 management interface name.
PAGE 945
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Command Mode Manager Example ProCurve(wireless-services-B)#show password-encryption status Password encryption is enabled ProCurve(wireless-services-B)# show redundancy-group This command displays redundancy group parameters. Syntax show redundancy-group (config | runtime ) • config - Displays configured redundancy group information. • runtime - Displays runtime redundancy group information.
PAGE 946
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Examples: These examples display runtime and group information. ProCurve(wireless-services-B)#show redundancy-group runtime Redundancy Group Runtime Information Redundancy Protocol Version : 1.
PAGE 947
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Command Mode Manager Example ProCurve(wireless-services-B)#show redundancy-history State Transition History Time Event Triggered State --------------------------------------------------------Apr 25 07:42:30 2006 Redundancy Disabled Disabled ProCurve(wireless-services-B)# show redundancy-member This command displays redundancy group parameters. Syntax show redundancy-member (A.B.C.D) • A.B.C.
PAGE 948
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) show running-config This command displays current operating configuration. Syntax show running-config (include-factory | interface ) • include-factory - Include the factory defaults. • interface - Displays interface configuration. – IFNAME - Interface name.
PAGE 949
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Example ProCurve(wireless-services-B)#show running-config ! configuration of ProCurveWLANModule Wireless Services version WS.01.03 on Tue6 ! version 1.0 ! no country-code redundancy group-id 50 redundancy interface-ip 10.10.1.20 redundancy holdtime-period 20 redundancy discovery-period 10 redundancy handle-stp enable redundancy member-ip 10.10.1.
PAGE 950
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) show snmp This command displays snmp engine parameters. Syntax show snmp [user (manager | operator) | server | ] • user - Display snmp user details. – manager - Display snmp manager details. – operator - DIsplay snmp operator details. • server - Display snmp server details. – traps - Display trap flags. – – – – + wireless statistics - Display wireless stats rate traps. ++ radio - Display radio rate traps.
PAGE 951
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Examples ProCurve(wireless-services-B)#show snmp user userName manager operator access rw ro engineId 0000000c000000007f000001 0000000c000000007f000001 Auth MD5 MD5 Priv DES DES ProCurve(wireless-services-B)#show snmp-server traps ---------------------------------------------------------------------Global enable flag for Traps N ---------------------------------------------------------------------Enable flag statu
PAGE 952
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) show sntp This command displays simple NTP configuration. Syntax show sntp Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#show sntp Simple NTP is Disabled Simple NTP Servers: No Simple NTP servers are configured ProCurve(wireless-services-B)# show startup-config This command displays contents of startup configuration.
PAGE 953
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Example ProCurve(wireless-services-B)#show startup-config ! factory default configuration ! prompt to include indication of crash files support prompt crash-info ! vlan 1 gets an IP address via DHCP interface vlan1 ip address dhcp ! web and snmp are enabled to allow the management java applet to function ip web-management snmp-server manager v2 snmp-server manager v3 snmp-server user manager v3 encrypted auth md5 0x709
PAGE 954
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) show time This command displays the system clock. Syntax show time Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#show time Feb 21 16:56:46 2006 ProCurve(wireless-services-B)# show timezone This command displays the timezone.
PAGE 955
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) show upd-server This command displays update server parameters.
PAGE 956
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Command Mode Manager Example ProCurve(wireless-services-B)#show upgrade-status Last Image Upgrade Status : Successful Last Image Upgrade Time : Tue Nov 22 15:18:17 2005 ProCurve(wireless-services-B)#show upgrade-status detail Last Image Upgrade Status : Successful Last Image Upgrade Time : Tue Nov 22 15:18:17 2005 -------------------------------------------------------var2 is 13 percent full /tmp is 35 percent full Fre
PAGE 957
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Command Mode Manager Example ProCurve(wireless-services-B)#show version ProCurveWLANModule version WS.01.XX.0551Swami Copyright (c) 2005 Symbol Technologies, Inc. Booted from primary.
PAGE 958
ProCurve Wireless Services xl Module Command Line Reference Show Commands (All Contexts) Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#show vlans Downlink: VLAN ID VLAN Name Ports 2100 VLAN2100 ADP,C1-C24 Uplink: VLAN ID VLAN Name Ports 1 DEFAULT_VLAN AUP,B1-B4,C1-C24,D1-D24 ProCurve(wireless-services-B)# A-106
PAGE 959
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Show Commands (Wireless) This section details the show commands pertaining to the wireless parameters. show wireless ap-detection-config This command displays detected access point configuration parameters.
PAGE 960
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Default Setting N/A Command Mode Manager Configuration Context Global Configuration Context Interface Configuration Context Wireless Configuration Context show wireless channel-power This command displays available channel and power levels for a radio. Syntax show wireless channel-power (11a | 11bg) • 11a - Radio is of type 802.11a. – Indoor - Radio is placed indoor. – Outdoor - Radio is placed outdoors.
PAGE 961
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#show wireless channel-power 11a indoor Channel Max Power (dBm) Radar Detected 36 (5180 MHz) 17 40 (5200 MHz) 17 44 (5220 MHz) 17 48 (5240 MHz) 17 52 (5260 MHz) 20 56 (5280 MHz) 20 60 (5300 MHz) 20 64 (5320 MHz) 20 149 (5745 MHz) 20 153 (5765 MHz) 20 157 (5785 MHz) 20 161 (5805 MHz) 20 165 (5825 MHz) 20 ProCurve(wireless-services-B)(config-wireless)#show wireless channe
PAGE 962
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Default Setting N/A Command Mode Manager Configuration Context Global Configuration Context Interface Configuration Context Wireless Configuration Context Example ProCurve(wireless-services-B)(config-wireless)#show wireless config country-code : us adoption-pref-id : 1 proxy-arp : disabled wlan-prioritization : disabled adopt-unconf-radio : enabled dot11-shared-key-auth: disabled ap-detection : enabled advanced-config : di
PAGE 963
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#show wireless ids filter-agetout : 60 seconds excessive-probes : disabled excessive-associations : disabled ProCurve(wireless-services-B)(config-wireless)# show wireless mac-auth-local entries This command displays the mac-auth-local entries.
PAGE 964
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Command Mode Manager Configuration Context Global Configuration Context Interface Configuration Context Wireless Configuration Context Example ProCurve(wireless-services-B)(config-wireless)#show wireless phrase-to-key wep128 help 1) d7aad741102ccc216ed1b59322 2) 2cdd3865719e93719d5a2a87c6 3) 984590afb106774126f8c0b583 4) 792ebf65147269f968cc23c204 ProCurve(wireless-services-B)(config-wireless)# show wireless radio-config
PAGE 965
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#show wireless radio-config index description radio port mac type wlans-mapped 1 ] RADIO1 00-14-C2-A0-0B-EC 11bg 2 ] RADIO2 00-14-C2-A0-0B-EC 11a 3 ] RADIO3 00-14-C2-A0-1B-3E 11bg 4 ] RADIO4 00-14-C2-A0-1B-3E 11a 5 ] RADIO5 A1-B2-C3-D4-E5-F6 11a def-11a ] DEFAULT-11A FF-FF-FF-FF-FF-FF 11a def-11bg] DEFAULT-11BG FF-FF-FF-FF-FF-FF 11bg ProCurve(wireless-services-B)(config
PAGE 966
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#show wireless radio-statistics ***** Radio-1 ********************* stations Associated : 1 ------ Traffic ------------------------------------------------------Total Rx Tx ---------------- ---------------- ---------------30s 1hr 30s 1hr 30s 1hr 29.43 8.60 0.00 0.00 29.43 8.60 pps 0.01 0.00 0.00 0.00 0.01 0.
PAGE 967
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Command Mode Manager Configuration Context Global Configuration Context Interface Configuration Context Wireless Configuration Context Example ProCurve(wireless-services-B)(config-wireless)#show wireless radio-status # Radio Port MAC Start BSS Radio State Channel Pwr Idx-tye 1] 00-14-C2-A0-0B-EC 00-14-C2-A0-4E-EC 11bg normal 11 (rnd) 15 dyna 2] 00-14-C2-A0-0B-EC 00-14-C2-A0-CF-34 11a normal 60 (rnd) 15 dyna 3] 00-14-C2-A0-
PAGE 968
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – A-116 cz Czech Republic de Germany dk Denmark ec Ecuador ee Estonia eg Egypt es Spain fi Finland fr France gr Greece hk Hong Kong hr Croatia hu Hungary id Indonesia ie Ireland il Israel in India is Iceland it Italy jo Jordan jp Japan kr South Korea kw Kuwait kz Kazakhstan li Liechtenstein lk Sri Lanka lt Lithuania lu Luxembourg lv Lat
PAGE 969
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) – – – – – – – – – – – – – – – sa Saudi Arabia se Sweden sg Singapore si Slovenia sk Slovak Republic th Thailand tr Turkey tw Taiwan ua Ukraine uk United Kingdom us United States uy Uruguay ve Venezuela vn Vietnam za South Africa Default Setting N/A Command Mode Manager Configuration Context Global Configuration Context Interface Configuration Context Wireless Configuration Context A-117
PAGE 970
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#show wireless regulatory us 802.11a Outdoor Channels : 52 56 60 64 149 153 157 161 165 Power(dBm): 20 20 20 20 20 20 20 20 20 802.11a Indoor Channels : 36 40 44 48 52 56 60 64 149 153 157 161 165 Power(dBm): 17 17 17 17 20 20 20 20 20 20 20 20 20 802.11bg Outdoor Channels : 1 2 Power(dBm): 20 20 3 20 4 20 5 20 6 20 7 20 8 20 9 10 11 20 20 20 802.
PAGE 971
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#show wireless rp-images Idx Image-File Version Release Date Size (bytes) 1 ProCurve-200-Series 00.02-27 [00] 04 Feb 2006 293320 ProCurve(wireless-services-B)(config-wireless)# show wireless rp-status This command displays the status of adopted radio-port.
PAGE 972
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) show wireless rp-unadopted This command displays a list of unadopted radio-port.
PAGE 973
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Command Mode Manager Configuration Context Global Configuration Context Interface Configuration Context Wireless Configuration Context Example ProCurve(wireless-services-B)(config-wireless)#show wireless self-heal-config interference-avoidance : disabled retries : 14.
PAGE 974
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) show wireless station-statistics This command displays the statistics of associated stations. Syntax show wireless station-statistics • station-statistics - station statistics. – AA-BB-CC-DD-EE-FF - MAC address of station. +detail - MAC address of station.
PAGE 975
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) show wireless web-auth-config This command displays the WLAN web-auth configuration. Syntax show wireless web-auth-config • web-auth-config - Wlan web-auth configuration. – <1-32> - A WLAN index.
PAGE 976
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) show wireless wireless-module-statistics This command displays the wireless module statistics. Syntax show wireless wireless-module-statistics wireless-module-statistics - wireless-module statistics. – detail - detailed wireless-module statistics.
PAGE 977
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) show wireless wlan-config This command displays the WLAN configuration. Syntax show wireless wlan-config • wlan-config - WLAN configuration. – <1-32> - A WLAN index. – all - all WLANs in configuration.
PAGE 978
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#show wireless wlan-config # enabled ssid authentication encryption vlan description 1 Y Finance none wep128 1 Bldg-3-Finance 2 Y Employees eap aes 2 Bldg-2 3 N SSID 3 none none 1 4 N SSID 4 none none 1 5 N SSID 5 none none 1 6 N SSID 6 none none 1 7 N SSID 7 none none 1 8 Y Mngmnt eap tkip-aes 1 Bldg-1 9 N SSID 9 none none 1 10 N SSID 10 none none 1 11 N SSID 11 none n
PAGE 979
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) • wlan-statistics - WLAN statistics. – <1-32> - A WLAN index. +detail - detailed WLAN statistics.
PAGE 980
ProCurve Wireless Services xl Module Command Line Reference Show Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#show wireless wlan-statistics ***** WLAN-1 ********************* stations Associated : 1 Radios active : 2 ------ Traffic ------------------------------------------------------- Pkts per sec: Throughput: Mbps Avg bit speed: % Non-unicast pkts: Total Rx Tx ---------------- ---------------- ---------------30s 1hr 30s 1hr 30s 1hr 0.00 27.34 0.00 0.00 0.00 27.
PAGE 981
ProCurve Wireless Services xl Module Command Line Reference Support Commands Support Commands These commands are common commands used for advanced support duties in all contexts. Command Function Page Support Commands (All Context) support clear (all | cores | dumps | panics | pm ) Displays command history for switch. A-131 support copy tech-support URL Displays resets the functions. A-131 [no] support diag (enable | period ) (Negate) Configures diagnostics.
PAGE 982
ProCurve Wireless Services xl Module Command Line Reference Support Commands Command Function Page Support Commands (Wireless) A-130 [no]support wireless dump-core Creates a core file of the ccsrvr process. A-141 [no] support wireless dump-scale Creates a ccsrvr.dump file in nvram with internal state information. A-141 [no]support wireless rate-scale Enables wireless rate scaling (default) A-142 [no] support wireless spectrummanagement Enables 802.11h+d spectrum management on A-142 all 802.
PAGE 983
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) Support Commands (All Contexts) This section details the support commands available to all contexts. support clear This command resets the functions. Syntax support clear (all | cores | dumps | panics | pm ) • all - Removes all core, dump, panic, and pm files. • cores - Removes all core files. • dumps - Removes all dump files. • panics - Removes all kernel panic files.
PAGE 984
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) • tech-support - Copy extensive system information useful to technical support for troubleshooting a problem. – URL - URL to which to copy. URLs: tftp:///path/file ftp://:@/path/file scp://@/path/file Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#support copy tech-support tftp://192.168.1.
PAGE 985
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) support diag-shell This command provides diagnostic shell access. The no command negates the shell access. Syntax support diag-shell Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#support diag-shell Diagnostic shell started for testing diag > support kill This command kills specified session. Syntax support kill session • session - Active session number. – <1-16> - Session ID.
PAGE 986
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) support pm This command supports the process monitor. The no command negates the process configuration. Syntax support pm (max-sys-restarts | sys-restart) • max-sys-restarts - Maximum number of times PM will restart the system because of failure. – <1-5> - Number of system restarts. • sys-restart - Enable PM to restart the system when a process fails.
PAGE 987
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) support rp This command configures radio-port serviceability parameters. Syntax support rp (force-dump) • force-dump - Trigger the radio port to send a crash dump to the blade. Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#support rp force-dump ProCurve(wireless-services-B)# support save cli-tree This command saves cli tree for all modes in HTML format.
PAGE 988
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) support set This command sets service parameters. Syntax support set (command-history | reboot-history | upgrade-history ) • command-history - Set size of command history. Default: 200. – <10-300> - History size. • reboot-history - Set size of reboot history. Default: 50. – <10-100> - History size. • upgrade-history - Set size of upgrade history. Default: 50. – <10-100> - History size.
PAGE 989
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) – – period - Shows the period (ms) for the in service diagnostics. stats - Shows the curent diagnostics statistics. • info - Shows snapshot of available support information. • last-passwd - Displays last password used to enter shell. • pm - Process Monitor. – history - States changes for a process, the time they happened and the events that triggered them. +WORD - Process name. +all - All processes.
PAGE 990
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) ProCurve(wireless-services-B)#support show info 4.0M out of 4.0M available for logs. 6.7M out of 8.2M available for history. 3.5M out of 4.8M available for crashinfo. List of Files: /flash/crashinfo/ccsrvr.dump 0 Nov 1 09:57 /var/log/messages.log 0 Feb 27 09:09 /var/log/startup.log 11.2k Feb 27 09:09 /var2/history/command.history 834 Feb 27 15:17 /var2/history/reboot.history 3.4k Feb 27 09:09 /var2/history/upgrade.
PAGE 991
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) support start-shell This command provides access into the shell. Syntax support start-shell Default Setting N/A Command Mode Manager Example ProCurve(wireless-services-B)#support start-shell Password: ProCurve(wireless-services-B)# support terminal This command sets terminal line parameters. Syntax support terminal • monitor - copy debug output to the current terminal line.
PAGE 992
ProCurve Wireless Services xl Module Command Line Reference Support Commands (All Contexts) support tethereal This command dumps and analyzes network traffic. Syntax support tethereal • LINE - tethereal options in the format.
PAGE 993
ProCurve Wireless Services xl Module Command Line Reference Support Commands (Wireless) Support Commands (Wireless) This section details the support commands available for the Wireless parameters. support wireless dump-core This command creates a core file of the ccsrvr process.
PAGE 994
ProCurve Wireless Services xl Module Command Line Reference Support Commands (Wireless) Example ProCurve(wireless-services-B)(config-wireless)#support wireless dump-state ProCurve(wireless-services-B)(config-wireless)# support wireless rate-scale This command enables wireless rate scaling. The no command negates the configuration of the wireless parameters. Syntax support wireless rate-scale no support wireless rate-scale • rate-scale - Enable wireless rate scaling (default).
PAGE 995
ProCurve Wireless Services xl Module Command Line Reference Support Commands (Wireless) Command Mode Manager Example ProCurve(wireless-services-B)(config-wireless)#no support wireless spectrum-management ProCurve(wireless-services-B)(config-wireless)# support wireless tkip-countermeasures This command enables countermeasures on all tkip-enabled wireless LANs. The no command negates the configuration of the wireless parameters.
PAGE 996
ProCurve Wireless Services xl Module Command Line Reference Support Commands (Wireless) A-144
PAGE 997
Index Numerics 5300xl Series See wireless services-enabled switch … 1-4 802.11 frame types … 1-55 management frames … 1-55 overview … 1-53 802.11 replay attack … 13-57 802.11a defined … 1-53 radio adoption defaults for … 3-9 802.11b defined … 1-54 radio adoption defaults for … 3-9 802.11g 802.11g only … 3-16 defined … 1-54 radio adoption defaults for … 3-9 802.11h … 1-54 802.
PAGE 998
viewing statistics … 7-28 action ID … 7-29 details … 7-30 protocol ID … 7-30 times used … 7-30 ACS See auto-channel select active mode for redundancy group … 1-77, 10-4 address resolution table … 6-17 adoption automatic versus manual … 2-70 failure, reasons for … 1-77 Layer 2 auto-provisioning … 2-57 connecting RP to infrastructure switch … 2-58 connecting RP to wireless services-enabled switch … 2-57 network requirements for … 2-57 Layer 3 compared to Layer 2 … 2-56 customizing RPs’ DNS request … 2-68 defa
PAGE 999
options for WLAN … 1-24 RADIUS MAC … 1-27, 4-44 See also 802.1X See also MAC authentication See also Web-Auth shared-key … 4-76 Web-Auth … 1-26, 4-40, 5-2 authentication failure attack … 13-57 auto-channel select configuring for specific radio … 3-32 configuring in radio adoption defaults … 3-13 running … 3-37, 3-41 auto-provisioning … 1-8, 2-57 B basic rate settings 802.
PAGE 1000
configuration files deleting … 2-96 managing … 2-85 startup-config, returning to factory defaults … 2-97 transferring … 2-88 viewing … 2-86 contention window See CW Max See CW Min counter polling defined … 14-3 interval … 14-16 manually activating … 14-14 See also sFlow country code … 2-136, 3-3 CRL uploading … 2-186 CW Max defined … 4-93 radio … 4-106 station … 4-103 CW Min defined … 4-93 radio … 4-106 station … 4-103 D decryption attack … 13-57 default gateway single active … 2-8 specifying in the CLI …
PAGE 1001
domain name system See DNS domain proxy RADIUS server settings for … 11-30 specifying … 11-27 downlink port … 1-7, 1-8 DTIM period defined … 3-23 different value for each BSSID … 3-34 specifying for specific radio … 3-33 specifying in radio adoption defaults … 3-23 dynamic DNS … 6-40 client update … 6-42 server update … 6-42 Dynamic Frequency Selection … 1-54 Dynamic host configuration protocol See DHCP pool See DHCP relay See DHCP requests See DHCP server dynamic index (radio) … 1-66, 3-30 dynamic NAT conf
PAGE 1002
flow sampling defined … 14-2 manually activating … 14-11 rate … 14-13 sample size … 14-14 See also sFlow FTP server external downloading files from … 2-88 saving files to … 2-92 internal … 2-32 G Generic Routing Encapsulation See GRE tunnel … 12-2 GRE tunnel … 1-45 configuration steps … 12-4 creating the interface … 12-4 destination IP address … 12-5 gateway IP address … 12-8 interface IP address … 12-5 overview … 12-2 proxy ARP required for … 12-9 source IP address … 12-5 stations’ IP settings … 12-10 tim
PAGE 1003
K key certificate, for See public/private keys license … 2-128 multicast … 4-57 static WEP … 4-52 WPA/WPA2-PSK … 4-60 L Layer 2 adoption auto-provisioning … 2-57 connecting RP to infrastructure switch … 2-58 connecting RP to wireless services-enabled switch … 2-57 network requirements for … 2-57 of radio ports … 1-67 Layer 3 adoption compared to Layer 2 … 2-56 customizing RPs’ DNS request … 2-68 default DNS request … 2-64 DHCP option 189 … 2-64 DNS lookup … 2-66 network requirements for … 2-61 of radio por
PAGE 1004
MAC authentication local … 13-74 MAC standard ACL … 1-39 overview … 1-27 RADIUS configuring … 4-44 defined … 4-35 format … 4-48 overview … 1-27 protocol … 4-47 server for … 11-36 server settings … 4-47 management interfaces CLI … 2-21 options … 2-5 SNMP applications … 2-5 Web browser interface … 2-5 management VLAN secure … 2-9, 2-29 specifying … 2-8 manager user changing password … 2-35 logging in as … 2-11 SNMP v3 and … 2-25 marking traffic extended IP ACL … 7-19 MAC extended ACL … 7-24 overview … 7-7 phy
PAGE 1005
normal mode configuration enabling more than four WLANs … 4-7 overview … 4-4 NTP See secure NTP O online help … 2-14 open-key authentication … 4-50 operator user changing password … 2-35 SNMP v3 and … 2-26 opportunistic key caching defined … 9-3 enabling … 4-59, 9-13 outdoors radio specifying for specific radio … 3-31 specifying in radio adoption defaults … 3-12 P packet sampling … 14-2 See also flow sampling See also sFlow password changing manager or operator … 2-35 encryption in config … 2-105 roaming
PAGE 1006
auto-channel select (ACS) … 3-36 configured before adoption … 1-66, 3-27, 3-30 configuring a specific radio … 1-66, 3-25 advanced properties … 3-32 antenna mode … 3-32 beacon interval … 3-33 channel … 3-32 dedicated detector … 3-29 DTIM period … 3-33 maximum stations … 3-32 placement … 3-31 rate settings … 3-32 screen … 3-6 self healing offset … 3-33 short preamble … 3-33 single-channel detector … 3-29 transmission power … 3-32 configuring multiple radios … 3-36 description … 3-28 detector mode … 1-62 failu
PAGE 1007
external shared secret … 4-39 Web-Auth … 5-5, 5-14 internal … 1-29 access times in group policy … 11-14 authenticating wired stations … 11-31 authenticating wireless stations … 11-33 CA certificate … 11-8 certificate (server) … 11-8 clients … 11-31 configuration steps … 11-4 data source for … 11-9 domain proxy server … 11-27, 11-30 dynamic VLAN assignment … 11-13 EAP method for 802.
PAGE 1008
fast Layer 2 enabling … 4-59, 9-11 overview … 9-3 pre-authentication … 9-3 Layer 2 … 1-80, 1-81, 9-2 Layer 3 … 1-83, 9-5 See also Layer 3 mobility seamless coverage … 3-44 Web-Auth and … 5-2, 9-4 route table default route … 6-15 one active … 6-16 overview … 6-12 static routes in … 6-14 routing … 1-23 capabilities requiring … 6-12 enabling … 6-12 RP See radio port running-config applying changes to … 2-13 S secure management … 2-9, 2-29 secure Network Time Protocol See secure NTP secure NTP ACLs controlling
PAGE 1009
statistics … 2-111 thresholds … 2-115 traps … 2-108 disabling … 2-115 enabling … 2-112 v3, controlled by … 2-26, 2-109 version … 2-24, 2-29 version 3 default users … 2-35 manager … 2-35 operator … 2-35 Web-Users … 2-40 Web-Users authenticating … 2-45 creating … 2-42 roles … 2-41 snmptrap user default password … 2-120 software image … 2-80 failover capabilities … 2-82 selecting, used to boot … 2-82 updating manually … 2-84 viewing … 2-81 source NAT configuring dynamic … 8-24 configuring static … 8-28 uses fo
PAGE 1010
tunnel gateway … 4-32 GRE … 1-45 mapping WLAN to … 4-30, 4-32 U uninstall verification key … 2-128 Update Server configuring … 2-104 explained … 2-98 guidelines for using … 2-100 redundancy group config … 2-105 software image … 2-105 startup-config file … 2-105 upgrades software image … 2-84 uplink port … 1-7, 4-89 tagging … 4-87 uplink VLAN … 1-12, 4-34 user login filter … 11-22 user-based policies … 1-34 See also dynamic VLAN assignment username Web browser interface … 2-11 V video classifying WLAN as …
PAGE 1011
configuring on WLAN … 4-40, 5-10 definition of … 5-2 encryption for WLAN with … 5-29 logo adding to failed page … 5-23 adding to login page … 5-16, 5-17 adding to welcome page … 5-20 overview … 1-26 process explained … 5-3 illustrated … 5-5 RADIUS server … 5-5, 5-14 server settings … 4-43 roaming between modules … 9-4 VLAN interface required … 5-9 Web pages advanced … 5-26 failed page … 5-7, 5-21 location in flash memory … 5-8 login page … 5-6, 5-16 logos for … 5-32 on external server … 5-24 on internal ser
PAGE 1012
defined … 1-6 enabling … 4-77 enabling more than 16 … 4-13 enabling more than four … 4-7 inactivity timeout … 4-68 Layer 3 mobility for … 9-15 manually assigning to radio … 4-18 manually assigning to radio adoption defaults … 4-15, 4-17 security for … 4-34 SSID … 4-31 tunnel, mapped to … 12-6 viewing … 4-27 VLAN, mapped to considerations … 4-85 specifying … 4-32 VLAN/Tunnel Assignment tab … 4-83 WMM 802.
PAGE 1013
PAGE 1014
Technical information in this document is subject to change without notice. © Copyright 2006, 2007 Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.