53-1003099-01 20 January 2014 Brocade Mobility RFS Controller System Reference Guide Supporting software release 5.5.0.
Copyright © 2014 Brocade Communications Systems, Inc. All Rights Reserved. ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents About This Document Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Text formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Notes, cautions, and warnings . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Controller Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Controller Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Access Point Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Access Point Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Access Point Inventory.
Wireless LAN Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252 Basic WLAN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . .254 Configuring WLAN Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .256 Configuring WLAN Firewall Support . . . . . . . . . . . . . . . . . . . . .275 Configuring Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .281 Configuring WLAN Accounting Settings . . . . . . . . . . . . . . . . . .
Profile Interface Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391 Ethernet Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .391 Virtual Interface Configuration . . . . . . . . . . . . . . . . . . . . . . . . .399 Port Channel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .403 VM Interface Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Access Point Radio Configuration. . . . . . . . . . . . . . . . . . . . . .
Advanced Profile Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .531 Client Load Balance Configuration . . . . . . . . . . . . . . . . . . . . . .532 Configuring MINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535 Advanced Profile Miscellaneous Configuration . . . . . . . . . . . .540 Chapter 9 Rf Domain Configuration Managing RF Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .544 RF Domain Basic Configuration . . . . . . . . .
Smart Caching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653 Basic Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655 HTTP Access Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .658 Cache Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .661 Aging Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663 URL Lists. . . . . . . . . . . . . .
RF Domain Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748 Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749 Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .752 Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .754 AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755 Wireless Clients .
Access Point Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .885 Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .886 Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .888 Device Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .891 Adoption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .892 AP Detection . . . . . .
About This Document Supported hardware and software This manual supports the following Access Point, controller and service platform models: • Wireless Controllers – Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms - Brocade Mobility RFS9510 • Access Points – Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 7131 Access Point, Brocade Mobility 1240 Access Point Document conventions T
Notes, cautions, and warnings The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards. NOTE A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information. CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
Chapter 1 Overview Brocade’ family of Access Points, RFS series controllers and service platforms provide a centralized distribution of high performance, secure and resilient wireless voice and data services to remote locations with the scalability required to meet the needs of large distributed enterprises. Brocade controllers and service platforms provide a single platform capable of delivering wireless voice and data inside and outside the enterprise for small, medium and large enterprise deployments.
1 Within a Mobility managed network, up to 80% of the network traffic can remain on the wireless mesh, and never touch the wired network, so the 802.11n load impact on the wired network is negligible. In addition, latency and associated costs are reduced while reliability and scalability are increased. A Mobility managed network enables the creation of dynamic wireless traffic flows, so any bottleneck is avoided, and the destination is reached without latency or performance degradation.
Chapter Web Features 2 The Brocade Mobility software contains a Web UI allowing network administrators to manage and view Access Point, controller and service platform settings, configuration data and status. This Graphical User Interface (GUI) allows full control of all administration features. Access Points, controllers and service platforms also share a Command Line Interface (CLI) for managing and viewing settings, configuration and status.
2 Once the computer has an IP address, point the Web browser to: https://192.168.0.1/ and the following login screen will display. FIGURE 1 Web UI Login Screen Enter the default username admin in the Username field. Enter the default password admin123 in the Password field. Click the Login button to load the management interface. If this is the first time the UI has been accessed, a dialogue displays to begin an initial setup wizard.
2 Global Icons Glossary of Icons Used This section lists global icons available throughout the interface. Logout– Select this icon to log out of the system. This icon is always available and is located at the top right corner of the UI. Add – Select this icon to add a row in a table. When selected, a new row is created in the table or a dialog box displays where you can enter values for a particular list. Delete – Select this icon to remove a row from a table. When selected, the selected row is deleted.
2 These icons indicate the current state of various controls in a dialog. These icons enables you to gather the status of all the controls in a dialog. The absence of any of these icons next to a control indicates the value in that control has not been modified from its last saved configuration. Entry Updated – Indicates a value has been modified from its last saved configuration. Entry Update – States that an override has been applied to a device profile configuration.
2 These icons indicate device status, operations, or any other action that requires a status returned to the user. Fatal Error – States there is an error causing a managed device to stop functioning. Error – Indicates an error exits requiring intervention. An action has failed, but the error is not system wide. Warning – States a particular action has completed, but errors were detected that did not prevent the process from completing. Intervention might still be required to resolve subsequent warnings.
2 Radio QoS Policy – Indicates a radio’s QoS configuration has been impacted. AAA Policy – Indicates an Authentication, Authorization and Accounting (AAA) policy has been impacted. AAA policies define RADIUS authentication and accounting parameters. Association ACL – Indicates an Access Control List (ACL) configuration has been impacted. An ACL is a set of configuration parameters either allowing or denying access to network resources. Smart RF Policy – States a Smart RF policy has been impacted.
2 Advanced WIPS Policy – States the conditions of an advanced WIPS policy have been invoked. Device Categorization – Indicates a device categorization policy has been applied. This is used by the intrusion prevention system to categorize Access Points or wireless clients as either sanctioned or unsanctioned devices. This enables devices to bypass the intrusion prevention system. Captive Portals – States a captive portal is being applied.
2 These configuration icons are used to define the following: Configuration – Indicates an item capable of being configured by an interface. View Events / Event History – Defines a list of events. Click this icon to view events or view the event history. Core Snapshots – Indicates a core snapshot has been generated. A core snapshot is a file that records status events when a process fails on a wireless controller or Access Point. Panic Snapshots – Indicates a panic snapshot has been generated.
2 The following icons display a user access type: Web UI – Defines a Web UI access permission. A user with this permission is permitted to access an associated device’s Web UI. Telnet – Defines a TELNET access permission. A user with this permission is permitted to access an associated device using TELNET. SSH – Indicates a SSH access permission. A user with this permission is permitted to access an associated device using SSH. Console – Indicates a console access permission.
2 Monitor – Defines a monitor role. This role provides no configuration privileges. A user with this role can view the system configuration but cannot modify it. Help Desk – Indicates help desk privileges. A help desk user is allowed to use troubleshooting tools like sniffers, execute service commands, view or retrieve logs and reboot the controller or service platform. Web User – Indicates a web user privilege. A Web user is allowed accessing the device’s Web UI.
Chapter 3 Quick Start RFS4011 model controllers utilize an initial setup wizard to streamline getting on the network for the first time. This wizard configures location, network and WLAN settings and assists in the discovery of Access Points and their connected clients. For instructions on how to use the initial setup wizard, see Using the Initial Setup Wizard on page 3-13.
3 5. Select the Login button to load the management interface. NOTE When logging in for the first time, you are prompted to change the password to enhance device security in subsequent logins. NOTE If you get disconnected when running the wizard, you can connect again and resume the wizard setup.\ FIGURE 2 Initial Setup Wizard - Introduction The Introduction screen displays first (on the right-hand side of the screen), and lists the various actions that can be performed using the setup wizard.
3 FIGURE 3 Initial Setup Wizard - Navigation Panel A green checkmark to the left of an item in the Navigation Panel defines the task as having its minimum required configuration set correctly. A red X defines a task as still requiring at least one parameter be defined correctly. Select Save/Commit within each page to save the updates made to that page's configuration. Select Next to proceed to the next page listed in the Navigation Panel.
3 FIGURE 4 7. Initial Setup Wizard - Networking Mode Select one of the following network mode options: • Router Mode - In Router Mode, connected Access Points route traffic between the local network (LAN) and the Internet or external network (WAN). Router mode is recommended in a deployment supported by just a single Access Point. When Router Mode is selected, an additional WAN screen is available in wizard screen flow to configure interface settings for an Access Point’s WAN port.
3 FIGURE 5 Initial Setup Wizard - LAN Configuration Set the following DHCP, Static IP Address/Subnet and VLAN information for the LAN interface: • Use DHCP - Select Use DHCP to enable an automatic network address configuration using local DHCP server resources. • Static IP Address/Subnet - Enter an IP Address and a subnet for the LAN interface. If Use DHCP is selected, this field is not available.
3 • Primary DNS - Enter an IP Address for the main Domain Name Server providing DNS services for the LAN interface. • Secondary DNS - Enter an IP Address for the backup Domain Name Server providing DNS services for the LAN interface. Use the spinner control to select a VLAN ID for the LAN Interface. Optionally select Advanced VLAN Configuration to populate the screen with additional VLAN parameters for the LAN interface. Select Next.
3 • VLAN ID for the WAN Interface - Set the VLAN ID (virtual interface) to associate with the physical WAN Interface. The default setting is VLAN 2100. • Port for External Network - Select the physical port connected to the WAN interface. The list of available ports varies based on the RFS4011 controllers or NX4500 and NX6500 service platform model. • Enable NAT on the WAN Interface - Select the option to allow traffic to pass between WAN and LAN interfaces. Select Next.
3 • EAP Authentication and WPA2 Encryption Select Next. The wizard displays the System Information screen to set device deployment, administrative contact and system time information. The system time can either be set manually or be supplied by a dedicated Network Time Protocol (NTP) resource.
3 • Time Zone - Set the time zone where the controller or service platform is deployed. This is a required parameter. The setting should be complimentary with the selected deployment country. Refer to the Select protocols that will be enabled for device access area and enable those controller or service platform interfaces for accessing the controller or service platform. HTTP and Telnet are considered relatively insecure and only should be enabled is necessary. Select Next.
3 22 Brocade Mobility RFS Controller System Reference Guide 53-1003099-01
Chapter 4 Dashboard The dashboard enables administrators to review and troubleshoot network device operation. Additionally, the dashboard allows an administrative review of the network’s topology, an assessment of network’s component health and a diagnostic review of device performance. By default, the Dashboard displays the System screen, which is the top level in the device hierarchy. To view information for Access Points, RF Domains or Controllers select the associated item in the tree.
4 FIGURE 1 System Dashboard screen - Health tab Device Listing Summary The device menu displays information as a hierarchical tree, comprised of system, controller/service platform and Access Point connection relationships.
4 FIGURE 2 Dashboard Menu Tree The Search option, at the bottom of the screen, enables you to filter (search amongst) RF Domains. The By drop-down menu refines the search. You can further refine a search using the following: • • • • • Auto – The search is automatically set to device type. Name – The search is performed for the device name specified in the Search text box. WLAN – The search is performed for the WLAN specified in the Search text box.
4 FIGURE 3 System Dashboard screen - Health tab The Health screen is partitioned into the following fields: • The Devices field displays a ratio of offline versus online devices within the system. The information is displayed in pie chart format to illustrate device support ratios. • The Device Type field displays a numerical representation of the different controller, service platform and Access Point models in the current system. Their online and offline device connections are also displayed.
4 individual links that can be selected to RF Domain information in greater detail. Use this diagnostic information to determine what measures can be taken to improve radio performance in respect to wireless client load and the radio bands supported. The quality is measured as: • • • • 0-20 – Very poor quality 20-40 – Poor quality 40-60 – Average quality 60-100 – Good quality • The System Security field displays RF intrusion prevention stats and their associated threat level.
4 FIGURE 4 System screen - Inventory tab The information within the Inventory tab is partitioned into the following fields: • The Devices field displays a ratio of peer controllers and service platforms as well as their managed Access Point radios. The information is displayed in pie chart format. The Device Type field displays a numerical representation of the different controller models and connected Access Points in the current system.
4 RF Domain Screen RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as in a floor, building or site. Each RF Domain contains policies that can determine a Smart RF or WIPS configuration.RF Domains enable administrators to override WLAN SSID name and VLAN assignments. This enables the deployment of a global WLAN across multiple sites and unique SSID name or VLAN assignments to groups of Access Points servicing the global WLAN.
4 FIGURE 5 RF Domain screen - Health tab Refer to the following RF Domain health information for member devices: • The Domain field lists the RF Domain manager reporting utilization statistics. The MAC address displays as a link that can be selected to display RF Domain information in at more granular level. • The Devices field displays the total number of devices and the status of the devices in the network as a graph.
4 • 60-100 - Good quality Select a Radio Id to view all the statistics for the selected radio in detail. • The Client Quality table displays RF quality for the worst five performing clients.It is a function of the transmit retry rate in both directions and the error rate. This area of the screen displays the average quality index across all the defined RF Domain on the wireless controller.
4 5. Select the Inventory tab. FIGURE 6 RF Domain screen - Inventory tab The Inventory tab displays information on the devices managed by RF Domain member devices in the controller, service platform or Access Point managed network. The Inventory screen enables an administrator to overview of the number and state of the devices in the selected RF Domain. Information is displayed in easy to read tables and graphs. • The Device Types table displays the devices types populating the RF Domain.
4 • The WLANs table displays a list of WLANs utilized by RF Domain member devices. The table is ordered by WLAN member device radio count and their number of connected clients. Use this information to assess whether the WLAN is overly populated by radios and clients contributing to congestion. • The Client of Channels table displays a bar-graph of wireless clients classified by their frequency. Information for each channel is further classified by their 802.11x band.
4 FIGURE 7 Wireless Controller screen - Health tab Refer to the Device Details table for information about the selected controller or service platform The following information is displayed: • Hostname - Lists the administrator assigned name of the controller or service platform. • Device MAC - Lists the factory encoded MAC address of the controller or service platform. • Type - Indicates the type of controller or service platform.
4 • RAM - Displays the amount of RAM available for use in this system. • System Clock - Displays the current time set on the controller or service platform. The Adopted Devices Health (w/ cluster members) displays a graph of Access Points in the system with the available Access Points in green and unavailable Access Points in red. The Radio RF Quality Index provides a table of RF quality on a per radio basis. It is a measure of the overall effectiveness of the RF environment displayed in percentage.
4 6. Select the Inventory tab. FIGURE 8 Wireless Controller screen - Inventory tab The Inventory tab displays information on the devices managed by the controller or service platform. The Inventory screen enables an administrator to overview of the number and state of controller or service platform managed devices and their utilization. Refer to the following Inventory data: • The Device Types field displays a ratio of devices managed by this controller or service platform in pie chart format.
4 • The WLAN Utilization table displays utilization statistics for controller or service platform WLAN configurations. Information displays in two tables. The first table lists the total number of WLANs managed by this system. The second table lists the top five (5) WLANs in terms of the usage percentage along with the name and network identifying SSID. Access Point Screen The Access Point screen displays system-wide network status for standalone or controller connected Access Points.
4 FIGURE 9 Access Point screen - Health tab The Device Detail field displays the following information about the selected Access Point: • • • • Hostname - Lists the administrator assigned name of the selected Access Point. Device MAC - Lists the factory encoded MAC address of the selected Access Point. Primary IP Address - Lists the IP address assigned to the Access Point as a network identifier. Type - Indicates the Access Point model type.
4 • RAM - Displays the amount of RAM available for use in this system. • System Clock - Displays the current time on the Access Point. The Radio RF Quality Index displays a table of RF quality per radio. It is a measure of the overall effectiveness of the RF environment displayed in percentage. It is a function of the connect rate in both directions, the retry rate and error rate.
4 FIGURE 10 Access Point screen - Inventory tab The information within the Inventory tab is partitioned into the following fields: • The Radios Type field displays the total number of radios utilized by this Access Point. The graph lists the number of radios in both the 2.4 GHz and 5 GHz radio bands. • The WLAN Utilization table displays utilization statistics for controller or service platform WLAN configurations. Information displays in two tables.
4 Network View The Network View functionality displays device association connectivity amongst controllers, service platforms, Access Point radios and wireless clients. This association is represented by a number of different graphs. To review the wireless controller’s Network Topology, select Dashboard > Network View. FIGURE 11 Network View Topology • The screen displays icons for the different views available to the system.
4 • Use the Lock / Unlock icon in the upper right of the screen to prevent users from moving APs around within the specified area.
Chapter Device Configuration 5 Managed devices can either be assigned unique configurations or have existing RF Domain or Profile configurations modified (overridden) to support a requirement that dictates a device’s configuration be customized from the configuration shared by its profiled peer devices. When a device is initially managed by the controller or service platform, it requires several basic configuration parameters be set (system name, deployment location etc.).
5 Lastly, use Configuration > Devices to define and manage a critical resource policy. A critical resource policy defines a list of device IP addresses on the network (gateways, routers etc.). The support of these IP address is interpreted as critical to the health of the network. These devices addresses are pinged regularly by the controller or service platform. If there’s a connectivity issue, an event is generated stating a critical resource is unavailable.
5 Profile Name Lists the profile each listed device is currently a member of. Devices can either belong to a default profile based on model type, or be assigned a unique profile supporting a specific configuration customized to that model. Area List the physical area where the controller or service platform is deployed. This can be a building, region, campus or other area that describes the deployment location.
5 4. The Basic Configuration screen displays by default. FIGURE 2 Basic Configuration screen 5. Set the following Configuration settings for the target device: System Name Provide the selected device a system name up to 64 characters. This is the device name that appears within the RF Domain or Profile the device supports. Area Assign the device an Area name representative of the location the controller or service platform was physically deployed. The name cannot exceed 64 characters.
5 Floor Assign the target a device a building Floor name representative of the location the Access Point was physically deployed. The name cannot exceed 64 characters. Assigning a building Floor name is helpful when grouping devices within the same general coverage area. Floor Number Use the spinner control to assign a numerical floor designation in respect to the floor’s actual location within a building. Set a value from 1 - 4094. the default setting is the 1st floor.
5 Managing Brocade infrastructure devices requires a license key to enable software functionality or define the number of adoptable devices permitted. My Licenses is a Web based online application enabling you to request a license key for license certificates purchased for Brocade products. NOTE For detailed instructions on using My Licenses to add hardware or software licenses and register certificates, refer to the My Licenses Users Guide, available at https://MyLicenses.motorolasolutions.com.
5 FIGURE 3 Device Licenses screen The License screen displays the Device Serial Number of the controller or service platform generating the license key. NOTE When assessing lent and borrowed license information, its important to distinguish between site controllers and NOC controllers. NOC controllers are RFS9510, RFS6000 and RFS7000. Site controllers are RFS4000, RFS6000 and RFS7000.
5 5. Review the AP Licenses table to assess the specific number of adoptions permitted, as dictated by the terms of the current license. AP Adoptions The Device column Lists the total number of AP adoptions made by the controller or service platform. If the installed license count is 10 APs and the number of AP adoptions is 5, 5 additional APs can still be adopted under the terms of the license. The total number of APs adoptions varies by platform, as well as the terms of the license.
5 6. Review the AAP Licenses table to assess the specific number of adoptions permitted, as dictated by the terms of the current license. AAP Adoptions The Device column Lists the total number of AAP adoptions made by the controller or service platform. If the installed license count is 10 APs and the number of AAP adoptions is 5, 5 additional AAPs can still be adopted under the terms of the license. The total number of AAPs adoptions varies by platform, as well as the terms of the license.
5 A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain the CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key.
5 4. Set the following Management Security certificate configurations: HTTPS Trustpoint Either use the default trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be utilized. To use an existing certificate for this device, select the Launch Manager button.
5 FIGURE 5 Certificate Management - Manage Certificates screen The Certificate Management screen displays with the Manage Certificates tab displayed by default. 2. Select a device from amongst those displayed to review its certificate information. 3. Refer to the All Certificate Details to review the certificate’s properties, self-signed credentials, validity duration and CA information. 4. To optionally import a certificate, select the Import button from the Certificate Management screen.
5 FIGURE 6 Certificate Management - Import New Trustpoint screen 5. Define the following configuration parameters required for the Import of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. URL Provide the complete URL to the location of the trustpoint.
5 A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. FIGURE 7 Certificate Management - Import CA Certificate screen 8.
5 9. Select OK to import the defined CA certificate. Select Cancel to revert the screen to its last saved configuration. 10. Select the Import CRL button from the Certificate Management screen to optionally import a CRL to a controller or service platform. If a certificate displays within the Certificate Management screen with a CRL, that CRL can be imported. A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid.
5 Define the following configuration parameters required for the Import of the CRL Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate. From Network Select the From Network radio button to provide network address information to the location of the target CRL.
5 FIGURE 9 Certificate Management - Import Signed Cert screen 13. Define the following parameters required for the Import of the CA certificate: Certificate Name Enter the 32 character maximum trustpoint name with which the certificate should be associated. From Network Select the From Network radio button to provide network address information to the location of the signed certificate. The number of additional fields that populate the screen is dependent on the selected protocol.
5 14. Select OK to import the signed certificate. Select Cancel to revert the screen to its last saved configuration 15. To optionally export a trustpoint to a remote location, select the Export button from the Certificate Management screen. Once a certificate has been generated on the controller or service platform’s authentication server, export the self signed certificate. A digital CA certificate is different from a self signed certificate. The CA certificate contains the public and private key pairs.
5 17. Define the following configuration parameters required for the Export of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. URL Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information to the location of the trustpoint.
5 FIGURE 11 Certificate Management - RSA Keys screen 3. Select a listed device to review its current RSA key configuration. Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device. 4. Select Generate Key to create a new key with a defined size.
5 FIGURE 12 Certificate Management - Generate RSA Keys screen 5. Define the following configuration parameters required for the Import of the key: Key Name Enter the 32 character maximum name assigned to the RSA key. Key Size Use the spinner control to set the size of the key (from 1,024 - 2,048 bits). Brocade recommends leaving this value at the default setting of 1024 to ensure optimum functionality. 6. Select OK to generate the RSA key.
5 FIGURE 13 Certificate Management - Import New RSA Key screen 8. Define the following parameters required for the Import of the RSA key: 64 Key Name Enter the 32 character maximum name assigned to identify the RSA key. Key Passphrase Define the key used by both the controller or service platform and the server (or repository) of the target RSA key. Select the Show to expose the actual characters used in the passphrase.
5 9. Select OK to import the defined RSA key. Select Cancel to revert the screen to its last saved configuration. 10. To optionally export a RSA key to a remote location, select the Export button from the Certificate Management > RSA Keys screen. Export the key to a redundant RADIUS server to import it without generating a second key. If there’s more than one RADIUS authentication server, export the certificate and don’t generate a second key unless you want to deploy two root certificates.
5 12. Select OK to export the defined RSA key. Select Cancel to revert the screen to its last saved configuration. 13. To optionally delete a key, select the Delete button from within the Certificate Management > RSA Keys screen. Provide the key name within the Delete RSA Key screen and select Delete Certificates to remove the certificate. Select OK to proceed with the deletion, or Cancel to revert back to the Certificate Management screen.
5 3. Define the following configuration parameters required to Create New Self-Signed Certificate: Certificate Name Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
5 A certificate signing request (CSR) is a request to a certificate authority to apply for a digital identity certificate. The CSR is a block of encrypted text generated on the server the certificate is used on. It contains the organization name, common name (domain name), locality and country. A RSA key must be either created or applied to the certificate request before the certificate can be generated. A private key is not included in the CSR, but is used to digitally sign the completed request.
5 3. Define the following configuration parameters required to Create New Certificate Signing Request (CSR): RSA Key Select a radio button and use the drop-down menu to set the key used by both the controller or service platform and the server (or repository) of the target RSA key. Optionally select Create New to use new RSA key and provide a 32 character name used to identify the RSA key. Use the spinner control to set the size of the key (from 1,024 - 2,048 bits).
5 NOTE Port mirroring is not supported on NX4500 or NX6500 models, as they only utilize GE ports 1 - 2. Additionally, port mirroring is not supported on uplink (up) ports or wired ports on any controller or service platform model. To set a NX4524 or NX6524 service platform port mirror configuration: 1. Select the Configuration tab from the Web UI. 2. Select Devices from the Configuration tab.
5 5. Set the following Port Mirroring values to define the ports and directions data is spanned on the NX4524 or NX6524 model service platform: Source Select the GE port (1 - 24) used as the data source to span packets to the selected destination port. The packets spanned from the selected source to the destination depend on whether Inbound, Outbound or Any is selected as the direction. A source port cannot be a destination port.
5 2. Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points. 3. Select a device (by double-clinking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 4. Expand the RF Domain Overrides menu option to display its sub-menu options. 5. Select RF Domain.
5 6. Refer to the Basic Configuration field to review the basic settings defined for the target device’s RF Domain configuration, and optionally assign/remove overrides to and from specific parameters. Location Provide the 64 character maximum deployment location set for the controller or service platform as part of its RF Domain configuration. Contact Enter the 64 character maximum administrative contact for the controller or service platform as part of its RF Domain configuration.
5 12. Refer to the Statistics field to set the following data: Window Index Use the spinner control to set a numerical index used as an identifier for RF Domain statistics. Sample Interval Use the spinner control to define the interval (in seconds) to capture windowed statistics supporting with the listed RF Domain. The default is 5 seconds. Window Size Use the spinner control to set the number of samples used to define RF Domain statistics. The default value is 6 samples. 13.
5 16. Select OK to save the changes and overrides made to the Sensor Appliance Configuration. Selecting Reset reverts the screen to its last saved configuration. 17. Select WLAN Override from within the expanded RF Domain Overrides. NOTE The WLAN Override option does not appear as a sub menu option under RF Domain Overrides for either controllers or service platforms, just Access Points.
5 20. Select OK to save the changes and overrides. Selecting Reset reverts the screen to its last saved configuration. 21. Select the Override VLAN tab to review any VLAN assignment overrides that may have been or optionally add or edit override configurations. FIGURE 21 WLAN Override screen - Override VLAN tab The Override VLANs tab displays the VLANs assigned to the WLAN on the Access Point.
5 Wired 802.1x Configuration 802.1X is an IEEE standard for media-level (Layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. 802.1X allows port based access using authentication. An 802.1X enabled port can be dynamically enabled or disabled depending on user identity or device connection. Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed.
5 5. Review the Wired 802.1x Settings area to configure the following parameters. Dot1x Authentication Control Select this option to globally enable 802.1x authentication. 802.1x authentication is disabled by default. Dot1x AAA Policy Use the drop-down menu to select a AAA policy to associate with wired 802.1x traffic. If a suitable AAA policy does not exist, select the Create icon to create a new policy or the Edit icon to modify an existing policy.
5 FIGURE 23 Profile Overrides - General screen NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 6. Select the IP Routing option (within the Settings field) to enable routing for the device. 7.
5 NOTE RAID controller drive arrays are available within NX9000 series service platforms (RFS9510 models) only. However, they can be administrated on behalf of a NX9000 profile by a different model service platform or controller. NX9000 series service platforms include a single Intel MegaRAID controller (virtual drive) with RAID-1 mirroring support enabled. The online virtual drive supports up to two physical drives that could require hot spare substitution if a drive were to fail. With the Mobility 5.
5 NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
5 6. Optionally define the following Cluster Settings and overrides: Cluster Mode A member can be in either an Active or Standby mode. All active member controllers or service platforms can adopt Access Points. Standby members only adopt Access Points when an active member has failed or sees an Access Point that’s not yet adopted. The default cluster mode is Active and enabled for use with the profile.
5 NOTE The Power option only appears within the Profile Overrides menu tree if an Access Point is selected from within the main Devices screen. Power management is configured differently for controllers or service platforms, so the Power screen only displays for Access Points. Use the Power screen to set or override one of two power modes (3af or Auto) for a managed Access Point. When automatic is selected, the Access Point safely operates within available power.
5 FIGURE 25 4. Access Point Profile Power Override screen Use the Power Mode drop-down menu to set or override the Power Mode Configuration on this AP. NOTE Single radio model Access Point’s always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models. When an Access Point is powered on for the first time, the system determines the power budget available to the Access Point.
5 Access Point Adoption Overrides (Access Points Only) Adoption is the process an Access Point uses to discover available controllers or service platforms, pick the most desirable one, establish an association and optionally obtain an image upgrade and configuration. Adoption is configurable and supported within a device profile and applied to other Access Points supported by the profile.
5 FIGURE 26 Access Point Adoption Override screen 5. Define or override the Preferred Group used as optimal group for the Access Point’s adoption. The name of the preferred group cannot exceed 64 characters. 6. Set the following Controller Hello Interval settings manage message exchanges and connection re-establishments between adopting devices: Hello Interval Define an interval (from 1 - 120 seconds) between hello keep alive messages exchanged with the adopting device.
5 Select + Add Row as needed to populate the table with IP Addresses or Hostnames used as Access Point adoption resources into the managed network. Host Use the drop-down menu to specify whether the adoption resource is defined as a (non DNS) IP Address or a Hostname. Once defined, provide the numerical IP or Hostname. A Hostname cannot exceed 64 characters. Pool Use the spinner control to set a pool of either 1 or 2. This is the pool the target controller or service platform belongs to.
5 A screen displays where a controller or service platform’s adoption configuration can be set or overridden for a profile. NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. FIGURE 27 Controller Adoption Override screen 5.
5 6. Set the following Auto Provision Policy parameters: Use NOC Auto-Provisioning Policy Select this option to use the NOC’s auto provisioning policy instead of the policy local to the controller or service platform. The NOC is an elected controller or service platform capable of provisioning all of its peer controllers, service platforms and adopted devices. This setting is disabled by default. Auto-Provisioning Policy Select an auto provisioning policy from the drop-down menu.
5 9. Select OK to save the changes and overrides made to the profile’s adoption configuration. Select Reset to revert to the last saved configuration. Profile Interface Override Configuration A profile’s interface configuration can be defined to support separate physical Ethernet configurations both unique and specific to RFS4000, RFS6000, RFS7000 controllers and NX4500, NX6500 and NX9000 series service platforms.
5 To set a profile’s Ethernet port configuration and potentially apply overrides to the profile’s configuration: 1. Select the Configuration tab from the Web UI. 2. Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points. 3. Select a target device (by double-clinking it) from amongst those displayed within the Device Configuration screen.
5 7. Refer to the following to assess port status and performance: Name Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on controller or service platform model.
5 FIGURE 29 Profile Overrides - Ethernet Ports Basic Configuration screen 9. Set or override the following Ethernet port Properties: Description Enter a brief description for the controller or service platform port (64 characters maximum). The description should reflect the port’s intended function to differentiate it from others with similar configurations, or perhaps just the name of the physical port.
5 10. Enable or disable the following CDP/LLDP parameters used to configure Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) for this profile’s Ethernet port configuration: Cisco Discovery Protocol Receive Select this option to allow the CDP to be received on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default.
5 12. Define or override the following Switching Mode parameters applied to the Ethernet port configuration: Mode Select either the Access or Trunk radio button to set the VLAN switching mode over the port. If Access is selected, the port accepts packets only form the native VLANs. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are untagged and are mapped to the native VLAN.
5 FIGURE 30 Profile Overrides - Ethernet Ports Security screen 16. Refer to the Access Control field. As part of the Ethernet port’s security configuration, Inbound IP and MAC address firewall rules are required. Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select or override the firewall rules applied to this profile’s Ethernet port configuration.
5 17. Refer to the Trust field to define or override the following: Trust ARP Responses Select this option to enable ARP trust on this port. ARP packets received on this port are considered trusted, and the information from these packets is used to identify rogue devices within the network. The default value is disabled. Trust DHCP Responses Select this option to enable DHCP trust on this port.
5 FIGURE 31 Profile Overrides - Ethernet Ports Spanning Tree screen 22. Set or override the following parameters for the port’s MSTP configuration: Enable as Edge Port Select this option to define this port as an edge port. Using an edge (private) port, you can isolate devices to prevent connectivity over this port. Link Type Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link.
5 Define or override an Instance Index using the spinner control and set the Cost. The default path cost depends on the user defined speed of the port.The cost helps determine the role of the port in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.
5 Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 4. Select Profile Overrides from the Device menu to expand it into sub menu options. 5. Select Interface to expand its sub menu options. 6. Select Virtual Interfaces. NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button.
5 8. Select Add to define a new virtual interface configuration, Edit to modify or override the configuration of an existing virtual interface or Delete to permanently remove a selected virtual interface. FIGURE 33 Profile Overrides - Virtual Interfaces Basic Configuration screen The Basic Configuration screen displays by default regardless of a whether a new virtual interface is being created or an existing one is being modified. 9.
5 11. Set or override the following network information from within the IP Addresses field: Enable Zero Configuration Zero configuration can be enabled and set as the Primary or Secondary means of providing IP addresses for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user's preferences and various default settings.
5 FIGURE 34 Profile Overrides - Virtual Interfaces Security screen 16. Use the Inbound IP Firewall Rules drop-down menu to select the firewall rule configuration to apply to this virtual interface. The firewall inspects packet traffic to and from connected clients. If a firewall rule does not exist suiting the data protection needs of this virtual interface, select the Create icon to define a new firewall rule configuration or the Edit icon to modify or override an existing configuration.
5 FIGURE 35 Profile Overrides - Virtual Interfaces Security screen 19. Define or override the following parameters from within the OSPF Settings field: Priority Select this option to set the OSPF priority used to select the network designated route. Use the spinner control to set the value from 1 - 255. Cost Select this option to set the cost of the OSPF interface. Use the spinner control to set the value from 1 65,353. Bandwidth Set the OSPF interface bandwidth (in Kbps) from 1 - 10,000,000. 20.
5 Profiles can utilize customized port channel configurations as part of their interface settings. Existing port channel profile configurations can be overridden as the become obsolete for specific device deployments. To define or override a port channel configuration on a profile: 1. Select the Configuration tab from the Web UI. 2. Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points. 3.
5 7. Refer to the following to review existing port channel configurations and status to determine whether a parameter requires an override: Name Displays the port channel’s numerical identifier assigned when it was created. The numerical name cannot be modified as part of the edit process. Type Displays whether the type is port channel. Description Lists a a short description (64 characters maximum) describing the port channel or differentiating it from others with similar configurations.
5 9. Set or override the following port channel Properties: Description Enter a description for the controller or service platform port channel (64 characters maximum). Admin Status Select the Enabled radio button to define this port channel as active to the profile it supports. Select the Disabled radio button to disable this port channel configuration in the profile. It can be activated at any future time when needed. The default setting is enabled.
5 FIGURE 38 Profile Overrides - Port Channels Security screen 14. Refer to the Access Control field. As part of the port channel’s security configuration, Inbound IP and MAC address firewall rules are required. Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select or override the firewall rules to apply to this profile’s port channel configuration.
5 16. Select OK to save the changes and overrides to the security configuration. Select Reset to revert to the last saved configuration. 17. Select the Spanning Tree tab. FIGURE 39 Profile Overrides - Port Channels Spanning Tree screen 18. Define or override the following PortFast parameters for the port channel’s MSTP configuration: Enable PortFast Select this option to enable drop-down menus for both the Enable Portfast BPDU Filter and Enable Portfast BPDU guard options for the port.
5 Link Type Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link. Selecting Shared indicates this port should be treated as having a shared connection. A port connected to a hub is on a shared link, while one connected to a controller or service platform is a point-to-point link. Point-to-Point is the default setting. Cisco MSTP Interoperability Select either the Enable or Disable radio buttons.
5 Mobility provides a dataplane bridge for external network connectivity for Virtual Machines (VMs). VM Interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enables remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of sixteen VMIF ports on the dataplane bridge. This mapping determines the destination for service platform routing.
5 NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 7. Refer to the following to review existing port channel configurations and status to determine whether a parameter requires an override: Name Displays the VM interface numerical identifier assigned when it was created.
5 FIGURE 41 Profile Overrides - VM Interfaces Basic Configuration screen 9. Set or override the following VM interface Properties: Description Enter a description for the controller or service platform VM interface (64 characters maximum). Admin Status Select the Enabled radio button to define this VM interface as active to the profile it supports. Select the Disabled radio button to disable this VM interface configuration in the profile. It can be activated at any future time when needed.
5 10. Define or override the following Switching Mode parameters to apply to the VM Interface configuration: Mode Select either the Access or Trunk radio button to set the VLAN switching mode over the VM interface. If Access is selected, the VM interface accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the VMIF port are expected as untagged and are mapped to the native VLAN.
5 FIGURE 42 Profile Overrides - VM Interfaces Security screen 13. Refer to the Access Control field. As part of the VM interface’s security configuration, IP Inbound and MAC Inbound address firewall rules are required. Use the IP Inbound Firewall Rules and MAC Inbound Firewall Rules drop-down menus to select or override the firewall rules to apply to this profile’s VM interface configuration.
5 15. Select OK to save the changes and overrides to the security configuration. Select Reset to revert to the last saved configuration. Radio Override Configuration Profile Interface Override Configuration Access Points can have their radio profile configurations overridden once their radios have successfully associated to the network. To define a radio configuration override from the Access Point’s associated controller or service platform: 1. Select Devices from the Configuration tab.
5 6. Review the following radio configuration data to determine whether a radio configuration requires modification or override to better support the managed network: Name Displays whether the reporting radio is the Access Point’s radio1, radio2 or radio3. Type Displays the type of radio housed by each listed Access Point. Description Displays a brief description of the radio provided by the administrator when the radio’s configuration was added or modified.
5 The Radio Settings tab displays by default. 8. Define or override the following radio configuration parameters from within the Properties field: Description Provide or edit a description (1 - 64 characters in length) for the radio that helps differentiate it from others with similar configurations. Admin Status Either select the Enabled or Disabled radio button to define this radio’s current status within the network.
5 Antenna Mode Set the number of transmit and receive antennas on the Access Point. 1x1 is used for transmissions over just the single “A” antenna, 1x3 is used for transmissions over the “A” antenna and all three antennas for receiving. 2x2 is used for transmissions and receipts over two antennas for dual antenna models. The default setting is dynamic based on the Access Point model deployed and its transmit power settings.
5 10. Set or override the following profile WLAN Properties for the selected Access Point radio: Beacon Interval Set the interval between radio beacons in milliseconds (either 50, 100 or 200). A beacon is a packet broadcast by adopted radios to keep the network synchronized. Included in a beacon is the WLAN service area, radio address, broadcast destination addresses, a time stamp, and indicators about traffic and delivery (such as a DTIM).
5 12. Select the WLAN Mapping/Mesh Mapping tab. FIGURE 45 Profile Overrides - Access Point Radio WLAN Mapping tab 13. Refer to the WLAN/BSS Mappings field to set or override WLAN BSSID assignments for an existing Access Point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available. If using a dual-radio access point there are 8 BSSIDs for the 802.11b/g/n radio and 8 BSSIDs for the 802.11a/n radio. 14.
5 FIGURE 46 Profile Overrides - Access Point Legacy Mesh tab 17. Refer to the Settings field to define or override basic mesh settings for the Access Point radio. Mesh Use the drop-down to set the mesh mode for this radio. Available options include Disabled, Portal or Client. Setting the mesh mode to Disabled deactivates all mesh activity on this radio. Setting the mesh mode to Portal turns the radio into a mesh portal.
5 19. Select the Advanced Settings tab. FIGURE 47 Profile Overrides - Access Point Radio Advanced Settings tab 20. Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define or override how MAC service frames are aggregated by the Access Point radio. A-MPDU Modes Use the drop-down menu to define the A-MPDU mode supported. Options include Transmit Only, Receive Only, Transmit and Receive and None. The default value is Transmit and Receive.
5 22. Define a RIFS Mode using the drop-down menu in the Miscellaneous section. This value determines whether interframe spacing is applied to Access Point transmissions or received packets, or both, or none. The default mode is Transmit and Receive. Consider setting this value to None for high priority traffic to reduce packet delay. 23. Set or override the following Aeroscout Properties: Forward Select enable to forward Aeroscout packets to a specified MAC address.
5 Off Channel Scan list for 2.4GHz Define a list of channels for off channel scans using the 2.4GHz Access Point radio. Restricting off channel scans to specific channels frees bandwidth otherwise utilized for scanning across all the channels in the 2.4GHz radio band. Max Multicast Set the maximum number (from 0 - 100) of multicast/broadcast messages used to perform off channel scanning. The default setting is four. Scan Interval Set the interval (from 2 - 100 dtims) off channel scans occur.
5 FIGURE 48 Profile Overrides -WAN Backhaul screen NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 6. Refer to the WAN (3G) Backhaul configuration to specify WAN card settings: WAN Interface Name Displays the WAN Interface name for the WAN 3G Backhaul card.
5 8. Define or override the following NAT parameters from within the Network Address Translation (NAT) field: NAT Direction Define the Network Address Translation (NAT) direction. Options include: Inside - The inside network is transmitting data over the network its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
5 When PPPoE client operation is enabled, it discovers an available server and establishes a PPPoE link for traffic slow. When a wired WAN connection failure is detected, traffic flows through the WWAN interface in fail-over mode (if the WWAN network is configured and available). When the PPPoE link becomes accessible again, traffic is redirected back through the access point’s wired WAN link.
5 FIGURE 49 Profile Overrides -PPPoE screen NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 6. Use the Basic Settings field to enable PPPoE and define a PPPoE client Enable PPPoE Select Enable to support a high speed client mode point-to-point connection using the PPPoE protocol.
5 Password Provide the 64 character maximum password used for authentication by the PPPoE client. Authentication Type Use the drop-down menu to specify the authentication type used by the PPPoE client, and whose credentials must be shared by its peer access point. Supported authentication options include None, PAP, CHAP, MSCHAP, and MSCHAP-v2. 8.
5 • • • • • • • • • • • • • • • Overriding a Profile’s DNS Configuration Overriding a Profile’s ARP Configuration Overriding a Profile’s L2TPV3 Configuration Overriding a Profile’s GRE Configuration Overriding a Profile’s IGMP Snooping Configuration Overriding a Profile’s Quality of Service (QoS) Configuration Overriding a Profile’s Spanning Tree Configuration Overriding a Profile’s Routing Configuration Overriding a Profile’s Dynamic Routing (OSPF) Configuration Overriding a Profile’s Forwarding Database
5 5. Select DNS. FIGURE 50 Profile Overrides - Network DNS screen NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 6. Set or override the following Domain Name System (DNS) configuration data: Domain Name Provide or override the default Domain Name used to resolve DNS names.
5 Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address recognized on the managed network. ARP provides rules for making this correlation and providing address conversion in both directions. ARP assignment s can be overridden as needed, but an override removes the device configuration from the managed profile that may be shared with other similar device models.
5 FIGURE 51 Profile Overrides - Network ARP screen 6. Set or override the following parameters to define the controller or service platform’s ARP configuration: Switch VLAN Interface Use the spinner control to select a VLAN interface (1 - 4094) for an address requiring resolution. IP Address Define the IP address used to fetch a MAC address. MAC Address Displays the target MAC address that’s subject to resolution.
5 Use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables controllers, service platforms and Access Points to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between Mobility devices and other vendor devices supporting the L2TP V3 protocol. Multiple pseudowires can be created within an L2TP V3 tunnel. Mobility supported access points support an Ethernet VLAN pseudowire type exclusively.
5 FIGURE 52 Network - L2TPv3 screen, General tab 5. Set the following General Settings for an L2TPv3 profile configuration: Hostname Define a 64 character maximum host name to specify the name of the host that’s sent tunnel messages. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.
5 FIGURE 53 7. Network - L2TPv3 screen, T2TP tunnel tab Review the following L2TPv3 tunnel configuration data: Name Displays the name of each listed L2TPv3 tunnel assigned upon creation. Local IP Address Lists the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.
5 8. Either select Add to create a new L2TPv3 tunnel configuration, Edit to modify an existing tunnel configuration or Delete to remove a tunnel from those available to this profile. FIGURE 54 Network - L2TPv3 screen, Add T2TP Tunnel Configuration 9. If creating a new tunnel configuration, assign it a 31 character maximum Name. 10.
5 Establishment Criteria Specify the establishment criteria for creating a tunnel. The tunnel is only created if this device is one of the following: vrrp-master cluster-master rf-domain-manager The tunnel is always created if Always is selected. This indicates the device need not be any one of the above three (3) to establish a tunnel. VRRP Group Set the VRRP group ID. VRRP groups is only enabled when the Establishment Criteria is set to vrrp-master.
5 Encapsulation Select either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes. UDP Port If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port. IPSec Secure Enable this option to enable security on the connection between the Access Point and Virtual Controller. IPSec Gateway Specify the IP Address of the IPSec Secure Gateway. 13. Select OK to save the peer configuration.
5 FIGURE 56 Network - L2TPv3 screen, Manual Session tab 19. Refer to the following manual session configurations to determine whether one should be created or modified: IP Address Lists the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.
5 FIGURE 57 Network - L2TPv3 screen, Add T2TP Peer Configuration 21. Set the following session parameters: 142 Name Define a 31 character maximum name of this tunnel session. After a successful tunnel connection and establishment, the session is created. Each session name represents a single data stream. IP Address Specify the IP address used to be as tunnel source IP address. If not specified, the tunnel source IP address is selected automatically based on the tunnel peer IP address.
5 Encapsulation Select either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes. UDP Port If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port. This is the port where the L2TP service is running. Source Type Select a VLAN as the virtual interface source type. Source Value Define the Source Value range (1 - 4,094) to include in the tunnel.
5 The screen displays existing GRE configurations. 5. Select the Add button to create a new GRE tunnel configuration or select an existing tunnel and select Edit to modify its current configuration. To remove an existing GRE tunnel, select it from amongst those displayed and select the Delete button NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied.
5 Native VLAN Set a numerical VLAN ID (1 - 4094) for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode. Tag Native VLAN Select this option to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.
5 The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points. Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 2. Select Profile Overrides from the Device menu to expand it into sub menu options. 3. Select Network to expand its sub menu options. 4. Select IGMP Snooping.
5 6. Set or override the following IGMP Querier parameters for the profile’s bridge VLAN configuration: Enable IGMP Querier Select this option to enable IGMP querier. IGMP snoop querier is used to keep host memberships alive. It’s primarily used in a network where there’s a multicast streaming server and hosts subscribed to the server and no IGMP querier present. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet.
5 The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points. 2. Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 3. Select Profile Overrides from the Device menu to expand it into sub menu options. 4. Select Network to expand its sub menu options. 5. Select Quality of Service.
5 6. Set or override the following parameters for IP DSCP mappings for untagged frames: DSCP Lists the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification. 802.1p Priority Assign a 802.1p priority as a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted.
5 2. Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 3. Select Profile Overrides from the Device menu to expand it into sub menu options. 4. Select Network to expand its sub menu options. 5. Select Spanning Tree. NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied.
5 MST Revision Level Set a numeric revision value ID for MST configuration information. Set a value from 0 - 255. The default setting is 0. Cisco MSTP Interoperability Select either the Enable or Disable radio buttons to enable/disable interoperability with Cisco’s version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default. Hello Time Set a BPDU hello interval from 1 - 10 seconds.
5 Overriding a Profile’s Routing Configuration Overriding a Profile’s Network Configuration Routing is the process of selecting IP paths within the wireless network to route traffic. Use the Routing screen to set Destination IP and Gateway addresses enabling the assignment of static IP addresses for requesting clients without creating numerous host pools with manual bindings. This eliminates the need for a long configuration file and reduces the resource space required to maintain address pools.
5 FIGURE 62 Static Routes screen 6. Select IP Routing to enable static routes using IP addresses. This sets Destination IP and Gateway addresses enabling the assignment of static IP addresses for requesting clients. This option is enabled by default. 7. Use the drop-down menu to select a Policy Based Routing policy. If a suitable policy is not available, select the Create icon or modify an existing policy-based routing policy by selecting the Edit icon.
5 • Add IP addresses and network masks in the Network Address column. • Provide the Gateway address used to route traffic. • Provide an IP address for the Default Gateway used to route traffic. 9. Refer to the Default Route Priority field and set the following parameters Static Default Route Priority Use the spinner control to set the priority value (1 - 8,000) for the default static route. This is weight (priority) assigned to this route versus others that have been defined. The default setting is 100.
5 totally nssa - Totally nssa is an NSSA using 3 and 4 summary routes are not flooded into this type of area. It is also possible to declare an area both totally stubby and not-so-stubby, which means that the area will receive only the default route from area 0.0.0.0, but can also contain an autonomous system boundary router (ASBR) that accepts external routing information and injects it into the local area, and from the local area into area 0.0.0.0.
5 FIGURE 63 OSPF Settings screen 5. Enable/disable OSPF and provide the following dynamic routing settings: 156 Enable OSPF Select this option to enable OSPF. OSPF is disabled by default. Router ID Select this option to define a router ID (numeric IP address) for this OSPF configuration. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier.
5 VRRP State Check Select this option to use OSPF only if the VRRP interface is not in a backup state. The Virtual Router Redundancy Protocol (VRRP) provides automatic assignments of available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork. This setting is enabled by default. 6.
5 FIGURE 64 OSPF Area Settings screen 12. Review existing Area Settings configurations: Area ID Displays either the IP address or integer representing the OSPF area. Authentication Type Lists the authentication schemes used to validate the credentials of each dynamic route connection. Type Lists the OSPF area type for each listed configuration. 13. Select Add to create a new OSPF configuration, Edit to modify an existing configuration or Delete to remove a configuration.
5 FIGURE 65 OSPF Area Configuration screen 14. Set the OSPF Area configuration. Area ID Use the drop down menu and specify either an IP address or integer for the OSPF area. Authentication Type Select either None, simple-password or message-digest as credential validation scheme used with the OSPF dynamic route. The default setting is None. Type Set the OSPF area type as either stub, totally-stub, nssa, totally-nssa or non-stub.
5 FIGURE 66 OSPF Interface Settings screen 17. Review the following Interface Settings: Name Displays the name defined for the interface configuration. Type Displays the type of interface. Description Lists each interface’s 32 character maximum description. Admin Status Displays whether admin status privileges have been enabled or disabled for the OSPF route’s virtual interface connection. VLAN Lists the VLAN IDs set for each listed OSPF route virtual interface.
5 FIGURE 67 OSPF Virtual Interface - Basic Configuration screen 19. Within the Properties field, enter a 32 character maximum Description to help differentiate the virtual interface configuration used with this OSPF route. Enable/disable Admin Status as needed. They’re enabled by default. 20. Use the IP Addresses field to set how route addresses are defined for the virtual configuration.
5 21. Select Use DHCP to Obtain IP to use internal DHCP server resource as the means of providing requested IP addresses to the OSPF route’s virtual interface. 22. Select Use DHCP to Obtain Gateway/DNS Servers to learn default gateway, name servers and the domain name on just this interface. Once selected, specify an IP address and mask in dot decimal format. 23. Define the NAT Direction as either Inside, Outside or None.
5 27. Refer to the VPN Crypto Map drop down menu to attach an existing crypto map to this virtual interface. New crypto map configuration can be added by selecting the Create icon, or existing configurations can be modified by selecting the Edit icon. 28. Select OK to save the changes to the configuration. Select Reset to revert to the last saved configuration. 29. Select the Dynamic Routing tab. FIGURE 69 OSPF Virtual Interface - Dynamic Routing screen 30.
5 31. Select the authentication type from the Chosen Authentication Type drop-down used to validate credentials within the OSPF dynamic route. Options include simple-password, message-digest, null and None. 32. Select the + Add Row button at the bottom of the MD5 Authentication table to add the Key ID and Password used for an MD5 validation of authenticator credentials.Use the spinner control to set the OSPF message digest authentication key ID. The available range is from 1 - 255.
5 FIGURE 70 Profile Overrides - Network Forwarding Database screen 6. Define or override a Bridge Aging Time between 0, 10-1,000,000 seconds. The aging time defines the interval an entry remains in the a bridge’s forwarding table before being deleted due to lack of activity. If an entry replenishments a destination generating continuous traffic, this timeout value will never be invoked.
5 Overriding a Profile’s Bridge VLAN Configuration Overriding a Profile’s Network Configuration A Virtual LAN (VLAN) is separately administrated virtual network within the same physical managed network. VLANs are broadcast domains defined within switches to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device. Administrators often need to route traffic to interoperate between different VLANs.
5 FIGURE 71 Profile Overrides - Network Bridge VLAN screen 6. Review the following VLAN configuration parameters to determine whether an override is warranted: VLAN Lists the numerical identifier defined for the Bridge VLAN when it was initially created. The available range is from 1 - 495. This value cannot be modified during the edit process. Description Lists a VLAN description assigned when the VLAN was created or modified.
5 FIGURE 72 Profile Overrides - Network Bridge VLAN screen, General tab The General tab displays by default. 8. If adding a new Bridge VLAN configuration, use the spinner control to define or override a VLAN ID between 1 - 4094. This value must be defined and saved before the General tab can become enabled and the remainder of the settings defined. VLAN IDs 0 and 4095 are reserved and unavailable. 9.
5 10. Set or override the following Extended VLAN Tunnel parameters: Bridging Mode Specify one of the following bridging mode for use on the VLAN. • Automatic - Select automatic mode to let the controller or service platform determine the best bridging mode for the VLAN. • Local - Select Local to use local bridging mode for bridging traffic on the VLAN. • Tunnel - Select Tunnel to use a shared tunnel for bridging traffic on the VLAN.
5 FIGURE 73 Profile Overrides - Network Bridge VLAN screen, IGMP Snooping tab 13. Define the following General settings: Enable IGMP Snooping Select this option to enable IGMP snooping. If disabled, snooping on a per VLAN basis is also disabled. This feature is enabled by default. If disabled, the settings under the bridge configuration are overridden. For example, if IGMP snooping is disabled, but the bridge VLAN is enabled, the effective setting is disabled.
5 15. Define the following IGMP Querier settings: Enable IGMP Querier Select this option to enable IGMP querier. IGMP snoop querier is used to keep host memberships alive. It’s primarily used in a network where there’s a multicast streaming server and hosts subscribed to the server and no IGMP querier present. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet. IGMP snooping is only conducted on wireless radios.
5 FIGURE 74 Profile Overrides - Network Cisco Discovery Protocol screen NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 6. Check the Enable CDP box to enable CDP on the device. 7.
5 4. Select Network to expand its sub menu options. 5. Select Link Layer Discovery Protocol. FIGURE 75 Profile Overrides - Network Link Layer Discovery Protocol screen NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 6.
5 2. Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 3. Select Profile Overrides from the Device menu to expand it into sub menu options. 4. Select Network to expand its sub menu options. 5. Select Miscellaneous. NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied.
5 Once a configuration item, such as an ACL, is utilized across remote locations, the Alias used in the configuration item (ACL) is modified to meet local deployment requirement. Any other ACL or other configuration items using the modified alias also get modified, simplifying maintenance at the remote deployment. Aliases have scope depending on where the Alias is defined. Alias are defined with the following scopes: • Global aliases are defined from the Configuration > Network > Alias screen.
5 3. Select Profile Overrides from the Device menu to expand it into sub menu options. 4. Select Network to expand its sub menu options. 5. Select Alias. The Alias screen displays with the Basic Alias tab displayed by default. FIGURE 77 Network Basic Alias screen 6.
5 Use the Vlan Alias field to create unique aliases for VLANs that can be utilized at different deployments. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central local network. A new VLAN need not be created specifically at the remote location.
5 10. Select + Add Row to define Network Alias settings: Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network.
5 FIGURE 78 Network Group Alias screen Name Displays the administrator assigned name used with the network group alias. Host Displays all the host aliases configured in the listed network group alias. Displays a blank column if no host alias is defined. Network Displays all network aliases configured in the listed network group alias. Displays a blank column if no network alias is defined. 7.
5 FIGURE 79 Network Group Alias Add screen 9. If adding a new Network Alias Rule, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($). 10. Define the following network group alias parameters: Host Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table. Network Specify the netmask for up to eight IP addresses supporting network aliasing.
5 1. Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points. 2. Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 3. Select Profile Overrides from the Device menu to expand it into sub menu options. 4.
5 FIGURE 81 Network Service Alias Add screen 9. If adding a new Network Service Alias Rule, provide it a name up to 32 characters. Ensure a $ precedes the name. 10. Select + Add Row and provide the following configuration parameters: Protocol Specify the protocol for which the alias has to be created. Use the drop down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed.
5 Overriding a Profile’s Security Configuration A profile can have its own firewall policy, wireless client role policy, WEP shared key authentication, NAT policy and VPN policy (controllers and service platforms only) applied. If an existing firewall, client role or NAT policy is unavailable, an administrator can be navigated from the Profiles section of the UI to the Configuration > Security portion of the UI to create the required security policy configuration.
5 FIGURE 82 Profile Overrides - General Security screen 6. Refer to the General field to assign or override the following: Firewall Policy Use the drop-down menu to select an existing Firewall policy to use as an additional security mechanism with a profile. All devices using this profile must meet the requirements of the firewall policy to access the network.
5 A certificate revocation list (CRL) is a list of revoked certificates that are no longer valid. A certificate can be revoked if the certificate authority (CA) had improperly issued a certificate, or if a private-key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key. To define a Certificate Revocation configuration or override: 1. Select Devices from the Configuration tab.
5 7. a. Provide the name of the trustpoint in question within the Trustpoint Name field. The name cannot exceed 32 characters. b. Enter the resource ensuring the trustpoint’s legitimacy within the URL field. c. Use the spinner control to specify an interval (in hours) after which a device copies a CRL file from an external server and associates it with a trustpoint. Select OK to save the changes and overrides made within the Certificate Revocation screen.
5 FIGURE 84 VPN Setup Wizard • Quick Setup Wizard - Use the quick setup wizard to set a minimum number of basic VPN tunnel values. This wizard is designed for novice users, and enables them to setup a VPN configuration with minimum effort. This wizard uses default values for most parameters. • Step By Step Wizard - Use the step-by-step wizard to create a VPN tunnel using settings updated from their minimum default values. This wizard is designed for intermediate users who require some VPN customization.
5 FIGURE 85 VPN Quick Setup Wizard Select Quick Setup from the VPN Wizard screen. Provide the following quick setup information to configure a VPN tunnel: Tunnel Name Provide a name for the tunnel. Tunnel name identifies the tunnel uniquely. Tunnel Type Configure the type of the tunnel. Tunnel can be one of the following types: • Site-to-Site – This tunnel provides a secured connection between two sites (default setting). • Remote Access – This tunnel provides access to a network to remote devices.
5 Authentication Set the authentication used to identify the peers with each other on opposite ends of the VPN tunnel connection. The following can be configured: • Certificate – Use a certificate to authenticate (default value). • Pre-Shared Key – Use a pre-shared key to authenticate. Enter the secret key in the space provided for it. Local Identity Configure the local identity used with this peer configuration for an IKE exchange with the target VPN IPSec peer.
5 FIGURE 86 VPN Step-By-Step Wizard - Step 1 Set the following VPN values for step 1: Tunnel Name Provide a name for the tunnel in the Tunnel Name field. Tunnel Type Select the tunnel type being created. Two types of tunnels can be created. Site to Site (the default setting) is used to create a tunnel between two remote sites. Remote Access is used to create a tunnel between an user device and a network. Interface Select the interface to use.
5 FIGURE 87 VPN Step-By-Step Wizard - Step 2 Set the following VPN quick setup values for step 2: Peer Select the type of peer for this device when forming a tunnel. Peer information can be either an IP Address (default value) or hostname. Provide the IP address or the host name of the peer device. Authentication Configure how devices authenticate on opposite ends of the tunnel connection.
5 If any of the required values within the step 2 screen are not set properly, the third wizard screen will not display until they are properly set. FIGURE 88 VPN Step-By-Step Wizard - Step 3 Set the following IPSec VPN values for step 3: Transform Set 192 The transform set is a set of configurations for creating the VPN tunnel and imposes a security policy on the tunnel. Primarily, the transform set comprises the following: • Encryption – The encryption used for creating the tunnel.
5 Encryption This field is enabled when Create New Policy is selected in Transform Set field. This is the encryption used on data traversing through the tunnel. Select either esp-null, des, 3des, aes, aes-192 or aes-256. Authentication This field is enabled when Create New Policy is selected in Transform Set field. This is how peers authenticate as the source of the packet to the other peers after a VPN tunnel has been created. Select either MD5 or SHA.
5 Review the configuration and select Done initiate the creation of the VPN tunnel. Use the Back button to navigate to the previous screen. Select Close to close the wizard without creating a VPN Tunnel. Advanced VPN Configuration The advanced VPN configuration option does not utilize a setup wizard. Rather, it utilizes and its own screen flow where just about every facet of a VPN tunnel configuration can be set by a qualified network administrator.
5 FIGURE 90 Profile Overrides - Auto IPSec Tunnel screen The Settings field lists those Auto IPSec tunnel policies created thus far. Any of these policies can be selected and applied to a profile NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
5 Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit. This enables mapping one IP address to another to protect wireless controller managed network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address.
5 FIGURE 91 Profile Overrides - NAT Pool screen The NAT Pool screen displays by default. The NAT Pool screen lists those NAT policies created thus far. Any of these policies can be selected and applied to a profile. NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 6.
5 FIGURE 92 7. NAT Pool screen If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations. The length cannot exceed 64 characters. IP Address Range Define a range of IP addresses that are hidden from the public Internet. NAT modifies network address information in the defined IP range while in transit across a traffic routing device.
5 FIGURE 93 Profile Overrides - Static NAT screen 11. Select Add to create a new static NAT configuration.
5 12. Set or override the following Source configuration parameters: Protocol Select the protocol for use with source translation (TCP, UDP and Any are available options). TCP is a transport layer protocol used by applications requiring guaranteed delivery. It’s a sliding window protocol handling both time outs and retransmissions. TCP establishes a full duplex virtual connection between two endpoints. Each endpoint is defined by an IP address and a TCP port number.
5 FIGURE 95 NAT Destination screen 14. Select Add to create a new NAT destination configuration or Delete to permanently remove a NAT destination. Existing NAT destinations cannot be edited. FIGURE 96 NAT Destination Add screen 15.
5 Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult.
5 FIGURE 97 Profile Overrides - Dynamic NAT screen 18. Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Source List ACL Lists an ACL name to define the packet selection criteria for the NAT configuration. NAT is applied only on packets which match a rule defined in the access list. These addresses (once translated) are not exposed to the outside world when the translation address is used to interact with the remote destination.
5 FIGURE 98 Dynamic NAT Add screen 20. Set or override the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT. NAT is applied only to packets which match a rule defined in the access list. These addresses (once translated) are not exposed to the outside world when the translation address is used to interact with a remote destination.
5 Use Bridge NAT to manage Internet traffic originating at a remote site. In addition to traditional NAT functionality, Bridge NAT provides a means of configuring NAT for bridged traffic through an access point. NAT rules are applied to bridged traffic through the access point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router. Using Bridge NAT, a tunneled VLAN (extended VLAN) is created between the NoC and a remote location.
5 FIGURE 99 Security Bridge NAT screen 6. Review the following Bridge NAT configurations to determine whether a new Bridge NAT configuration requires creation or an existing configuration modified or removed. Access List Displays the access list applying IP address access/deny permission rules to the Bridge NAT configuration. Interface Lists the communication medium (outgoing layer 3 interface) between source and destination points.
5 FIGURE 100 Security Source Dynamic NAT screen 8. Select the ACL whose IP rules are applied to the policy based forwarding rule. A new ACL can be defined by selecting the Create icon, or an existing set of IP ACL rules can be modified by selecting the Edit icon. 9. Use the IP Address Range table to configure IP addresses and address ranges that can used to access the Internet. ACL Precedence Set the priority (from 1 - 5000) for the ACL.
5 FIGURE 101 Security Source Dynamic NAT screen 11. Select OK to save the changes made within the Add Row and Source Dynamic NAT screen. Select Reset to revert to the last saved configuration. Overriding a Profile’s VRRP Configuration A default gateway is a critical resource for connectivity. However, it’s prone to a single point of failure. Thus, redundancy for the default gateway is required by the access point.
5 To define the configuration of a VVRP group: 1. Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points. 2. Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 3.
5 Description Displays a description assigned to the VRRP configuration when it was either created or modified. The description is implemented to provide additional differentiation beyond the numerical virtual router ID. Virtual IP Addresses Lists the virtual interface IP address used as the redundant gateway address for the virtual route. Interface Displays the interfaces selected on the Access Point to supply VRRP redundancy fail over support.
5 FIGURE 104 VVRP screen 8. If creating a new VRRP configuration, assign a Virtual Router ID from (1 - 255). In addition to functioning as numerical identifier, the ID identifies the virtual router a packet is reporting status for. 9. Define the following VRRP General parameters: Description In addition to an ID assignment, a virtual router configuration can be assigned a textual description (up to 64 characters) to further distinguish it from others with a similar configuration.
5 Preempt Select this option to ensure a high priority backup router is available to preempt a lower priority backup router resource. The default setting is enabled. When selected, the Preempt Delay option becomes enabled to set the actual delay interval for pre-emption. This setting determines if a node with a higher priority can takeover all the Virtual IPs from the nodes with a lower priority.
5 The Device Configuration screen displays a list of devices or peer controllers, service platforms or Access Points. 2. Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 3. Select Profile Overrides from the Device menu to expand it into sub menu options. 4. Select Critical Resources.
5 FIGURE 106 Critical Resources screen - Adding a Critical Resource 7. Use the Offline Resource Detection drop-down menu to define how critical resource event messages are generated. Options include Any and All. If selecting Any, an event is generated when the state of any single critical resource changes. If selecting All, an event is generated when the state of all monitored critical resources change. 8.
5 FIGURE 107 Critical Resources screen - Monitor Interval tab 12. Set Monitor Interval as the duration between two successive pings to the critical resource. Define this value in seconds from 5 - 86,400. The default setting is 30 seconds. 13. Set the Source IP for Port-Limited Monitoring to define the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface. Generally, the source address 0.0.0.
5 Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 3. Select Profile Overrides from the Device menu to expand it into sub menu options. 4. Select Services. NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
5 A captive portal configuration provides secure authenticated controller or service platform access using a standard Web browser. Hotspots provides authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access to the wireless network.
5 Additionally, an administrator can define a profile with unique configuration file and device firmware upgrade support. In a clustered environment, these operations can be performed on one controller or service platform, then propagated to each member of the cluster and onwards to devices managed by each cluster member. To define or override a profile’s management configuration: 1. Select Devices from the Configuration tab.
5 FIGURE 109 Profile Overrides - Management Settings screen NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 5. Refer to the Management Policy field to set or override a management configuration for this profile. A default management policy is also available if no existing policies are usable.
5 Use the drop-down menu to select an existing management policy to apply to this profile. If no management policies exist meeting the data access requirements of this profile, select the Create icon to access screens used to define administration, access control and SNMP configurations. Select an existing policy and select the Edit icon to modify the configuration of an existing management policy. For more information, see Viewing Management Access Policies. 6.
5 8. Refer to the Events E-mail Notification section to define or override how system event notification Emails are sent. SMTP Server Specify either the Hostname or IP Address of the outgoing SMTP server where notification Emails are originated Port of SMTP If a non-standard SMTP port is used on the outgoing SMTP server, select this option and specify a port from 1 - 65,535 for the outgoing SMTP server to use. Sender E-mail Address Specify the Email address from which notification Email is originated.
5 11. Select OK to save the changes and overrides made to the profile’s Management Settings. Select Reset to revert to the last saved configuration. 12. Select Firmware from the Management menu. FIGURE 110 Profile Overrides - Management Firmware screen 13. Refer to the Auto Install via DHCP Option field to configure automatic configuration file and firmware updates.
5 14. Refer to the parameters within the Legacy Device Firmware Management field to set legacy Access Point firmware provisions: Migration Firmware from BR71XX 4.x path Provide a path to a firmware image used to provision BR71XX model Access Points currently utilizing a 4.x version legacy firmware file. Once a valid path is provided, the update is enabled to the version maintained locally for BR71XX models.
5 The Retain Image feature is enabled for all controller and service platform RF domain managers with the flash memory capacity to store firmware images for the selected Access Point models they provision. This feature is disabled for Access Point RF domain managers that do not typically have the flash memory capacity needed. 16. Select OK to save the changes and overrides made to the profile’s configuration. Select Reset to revert to the last saved configuration.
5 FIGURE 112 Mesh Point - Settings Screen 5. Define the following settings from within the General field: MeshConnex Policy If adding a new policy, specify a name for the MeshConnex Policy. The name cannot be edited later with other configuration parameters. Until a viable name is provided, the Settings tab cannot be enabled for configuration. Is Root Select the root behavior of this mesh point. Select True to indicate this mesh point is a root node for this mesh network.
5 NOTE With this most recent release of Brocade Mobility software, an BR7161 model Access Point can be deployed as a vehicular mounted modem (VMM) to provide wireless network access to a mobile vehicle (car, train etc.). A VMM provides layer 2 mobility for connected devices. VMM does not provide layer 3 services, such as IP mobility. For VMM deployment considerations, see Vehicle Mounted Modem (VMM) Deployment Considerations. NOTE When using 4.
5 FIGURE 113 Mesh Point Auto Channel Selection - Dynamic Root Selection screen The Dynamic Root Selection screen displays by default. The Dynamic Root Selection screen provides configuration for the 2.4 GHz and 5.0/4.9 GHz frequencies. 9. Refer to the following. These descriptions are common for configuring either the 2.4 GHZ and 5.0/4.9 GHz frequencies Channel Width Set the channel width the meshpoint’s automatic channel scan assigns to the selected radio.
5 Off-channel Duration Set the duration (from 20 - 250 milliseconds) the scan dwells on each channel when performing an off channel scan. The default is 50 milliseconds. Off-channel Scan Frequency Set the duration (from 1- 60 seconds) between two consecutive off channel scans. The default is 6 seconds. Meshpoint Root: Sample Count Configure the number of scan samples (from 1- 10) performed for data collection before a mesh channel is selected. The default is 5.
5 11. Set the following 2.4 GHz and 5.0/4.9 GHz path method SNR data: Channel Width Set the channel width the meshpoint automatic channel scan assigns to the selected radio. Available options include: • Automatic – Defines the channel width calculation automatically. This is the default value. • 20 MHz – Sets the width between two adjacent channels as 20 MHz. • 40 MHz – Sets the width between two adjacent channels as 40 MHz. Priority Meshpoint Set the meshpoint monitored for automatic channel scans.
5 FIGURE 115 Mesh Point Auto Channel Selection - Root Path Metric screen 13. Set the following Path Method Root Path Metrics (applying to both the 2.4 GHz and 5.0/4.9 GHz frequencies): Channel Width Set the channel width meshpoint automatic channel scan should assign to the selected radio. The available options are: • Automatic – Defines the channel width as calculated automatically. This is the default value. • 20 MHz – Set the width between two adjacent channels as 20 MHz.
5 Meshpoint Root: Sample Count Set the number of scans (from 1- 10) for data collection before a mesh point root is selected. The default is 5. Meshpoint Root: Off-channel Duration Define the duration (from 20 - 250 milliseconds) for scan dwells on each channel, when performing an off channel scan. The default is 50 milliseconds. Meshpoint Root: Channel Switch Delta Configure the delta (from 5 - 35 dBm) that triggers a meshpoint root automatic channel selection when exceeded. The default is 10 dBm.
5 Using an appropriate console terminal and or connection to your device log on to the CLI and follow these steps: rfs6000-xxxxxx>enable rfs6000-xxxxxx #configure terminal Enter configuration commands, one per line. End with CNTL/Z.
5 4. Set the following Light Sensor settings for the BR1240’s sensor module:. Enable Light Sensor Select this option to enable the light sensor on the module. This setting is enabled by default. The light sensor reports whether the BR1240’s deployment location has its lights powered on or off.
5 Select Client Load Balancing from the Advanced menu item. FIGURE 117 Advanced Profile Overrides - Client Load Balancing screen Select the SBC strategy from the drop-down menu to determine how band steering is conducted. Band steering directs 5 GHz-capable clients to that band. When an Access Point hears a request from a client to associate on both the 2.4 GHz and 5 GHz bands, it knows the client is capable of operation in 5 GHz.
5 Enable Balance Band Loads by Radio (within the Band Load Balancing field) to distribute an Access Points client traffic load across both the 2.4 and 5 GHz radio bands. Set the following Channel Load Balancing settings: Balance 2.4 GHz Channel Loads Select this option to balance an Access Point’s 2.4 GHz client load across all channels. This setting is enabled by default. Balance 5 GHz Channel Loads Select this option to balance an Access Point’s 5 GHz client load across all channels.
5 Set the following Band Control values: Max. Band Load Difference Considered Equal Set the maximum load difference (from 1 - 100%) considered equal when comparing band loads. The default setting is 1%. Band Ratio (2.4 GHz) Set the relative load for the 2.4 GHz radio band as a leveled ratio from 1 - 10. The default setting is 0. Band Ratio (5 GHz) Set the relative load for the 5 GHz radio band as a leveled ratio from 1 - 10. The default setting is 0.
5 3. Select Advanced to expand its sub menu items. 4. Select MINT Protocol from the Advanced menu item. FIGURE 118 Advanced Profile Overrides MINT screen - Settings tab The Settings tab displays by default. 5. Refer to the Area Identifier field to define or override the Level 1 and Level 2 Area IDs used by the profile’s MINT configuration. Level 1 Area ID Select the box to enable a spinner control for setting the Level 1 Area ID (1 - 16,777,215). The default value is disabled. 6.
5 8. Define or override the following MINT Link Settings in respect to devices supported by the profile: MLCP IP Select this option to enable MINT Link Creation Protocol (MLCP) by IP Address. MLCP is used to create a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform, it can be another Access Point with a path to the controller or service platform. MLCP VLAN Select this option to enable MINT MLCP by VLAN.
5 FIGURE 120 Advanced Profile MINT screen - IP tab 14. Set the following Link IP parameters to complete the MINT network address configuration: IP Define or override the IP address used by peers for interoperation when supporting the MINT protocol. Port To specify a custom port for MiNT links, select this option and use the spinner control to define or override the port number (1 - 65,535). Routing Level Use the spinner control to define or override a routing level of either 1 or 2.
5 FIGURE 121 Advanced Profile MINT screen - VLAN tab 16. The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time devices use to securely communicate amongst one another. Select Add to create a new VLAN link configuration or Edit to override an existing MINT configuration. FIGURE 122 Advanced Profile MINT screen - VLAN tab 17.
5 18. Select OK to save the updates and overrides to the MINT Protocol configuration. Select Reset to revert to the last saved configuration. Advanced Profile Miscellaneous Configuration Overriding a Profile’s Advanced Configuration Refer to the advanced profile’s Miscellaneous menu item to set or override a profile’s NAS configuration. The profile database on the RADIUS server consists of user profiles for each connected network access server (NAS) port.
5 Select the Priority check box (within the RF Domain Manager section) to set a priority value for this specific profile managed device. Once enabled, use the spinner control to set a device priority between 1 - 255. The higher the number set, the higher the priority in the RF Domain manager election process. Configure a Root Path Monitor Interval (from1 - 65,535 seconds) to specify how often to check if the mesh point is up or down.
5 The evaluation is performed using various matching criteria. The matching criteria supported include: MAC Matches the MAC address of a device attempting to be adopted. Either a single MAC address or a range of MAC addresses can be specified. VLAN Matches when adoption over a Layer 2 link matches the VLAN ID of an adoption request. Note that this is a VLAN ID as seen by the recipient of the request, in case of multiple hops over different VLANs this may different from VLAN ID set by the sender.
5 1. Select Configuration > Devices > Auto Provisioning Policy. 2. The Auto-Provisioning screen displays by default. FIGURE 124 Auto-Provisioning screen Use the Auto Provisioning screen to determine whether an existing policy can be used as is, a new Auto Provisioning Policy requires creation or an existing policy requires edit or deletion. 3. Review the following Auto Provisioning parameters: Auto Provisioning Policy Lists the name of each policy when it was created.
5 FIGURE 125 Auto Provisioning Policy screen - Rules tab 3. Review the following Auto Provisioning Policy rule data to determine whether a rule can be used as is, requires edit or whether new rules need to be defined: Rule Precedence Displays the precedence (sequence) the Adoption Policies rules are applied. Rules with the lowest precedence receive the highest priority. This value is set (from 1 - 1000) when adding a new Auto Provisioning Policy rule configuration.
5 Argument 1 The number of arguments vary on the Match Type. This column lists the first argument value. This value is not set as part of the rule creation or edit process. Argument 2 The number of arguments vary on the Match Type. This column lists the second argument value. This value is not set as part of the rule creation or edit process. RF Domain Name Sets the name of the RF Domain to which the device is adopted automatically.
5 5. Specify the following parameters in the Rule screen: Operation Define the operation taken upon receiving an adoption request from an Access Point: the following operations are available: Allow – Allows the normal provisioning of connected Access Points upon request. Deny – Denies (prohibits) the provisioning of connected Access Point upon request.
5 8. Select OK to save the updates to the screen. Selecting Reset reverts the screen to the last saved configuration. Managing an Event Policy Event Policies enable an administrator to create specific notification mechanisms using one, some or all of the SNMP, syslog, forwarding or e-mail notification options available to the controller or service platform. Each listed event can have customized notification settings defined and saved as part of an event policy.
5 1. Select Configuration > Devices > MINT Policy to display the MINT Policy screen. FIGURE 129 MINT Policy Configuration screen 2. Configure the following parameters to configure the MINT policy: Level 2 Area ID Define a Level 2 Area ID for the Mint Policy. The Level 2 Area ID is the global mint area identifier. This area identifier separates two overlapping mint networks and need only be configured if the administrator has two mint networks that share the same packet broadcast domain.
5 250 Brocade Mobility RFS Controller System Reference Guide 53-1003099-01
Chapter Wireless Configuration 6 A Wireless Local Area Network (WLAN) is a data-communications system and wireless local area network that flexibly extends the functionalities of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable for wireless networking.
6 FIGURE 1 Configuration > Wireless pane Wireless LAN Policy To review the attributes of existing WLANs and, if necessary, modify their configurations: 1. Select Configuration > Wireless > Wireless LANs to display a high-level display of the existing WLANs.
6 2. Refer to the following (read only) information to assess the attributes of the each WLAN available to the wireless controller: WLAN Displays the name of each available WLAN. Individual WLANs can selected and their SSID and client management properties modified. SSID Displays the name of the SSID assigned to the WLAN when created or last modified. Optionally, select a WLAN and click the Edit button to update the WLAN’s SSID.
6 Basic WLAN Configuration Wireless LAN Policy When creating or modifying a WLAN, the Basic Configuration screen is the first screen that displays as part of the WLAN configuration screen flow. is the Use this screen to enable a WLAN and define its SSID, client behavior and VLAN assignments. 1. Select Configuration > Wireless > Wireless LAN Policy to display a high-level display of the existing WLANs. 2.
6 3. Refer to the WLAN Configuration field to define the following: WLAN If adding a new WLAN, enter its name in the space provided. Spaces between words are not permitted. The name could be a logical representation of the WLAN coverage area (engineering, marketing etc.). If editing an existing WLAN, the WLAN’s name appears at the top of the screen and cannot be modified. The name cannot exceed 32 characters. SSID Enter or modify the Services Set Identification (SSID) associated with the WLAN.
6 WLAN Basic Configuration Deployment Considerations Basic WLAN Configuration Before defining a WLAN’s basic configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Brocade recommends one VLAN be deployed for secure WLANs, while separate VLANs be defined for each WLAN using a legacy encryption scheme or providing guest access.
6 Authentication ensures only known and trusted users or devices access a WLAN. Authentication is enabled per WLAN to verify the identity of both users and devices. Authentication is a challenge and response procedure for validating user credentials such as username, password and sometimes secret-key information. A client must authenticate to an Access Point to receive resources from the network. Controllers and service platforms support EAP, EAP PSK, EAP-MAC, MAC and PSK/None authentication options.
6 802.1x EAP, EAP-PSK and EAP MAC Configuring WLAN Security The Extensible Authentication Protocol (EAP) is the de-facto standard authentication method used to provide secure authenticated access to WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over WLANs.
6 5. Either select an existing AAA Policy from the drop-down menu or select the Create icon to the right of the AAA Policy parameter to display a screen where new AAA policies can be created. Select the Edit icon to modify the configuration of the selected AAA policy. Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to the network, enforcing user authorization policies and auditing and tracking usage.
6 1. Select Configuration > Wireless > Wireless LAN Policy to display available WLANs. 2. Select the Add button to create an additional WLAN, or select and existing WLAN and Edit to modify the security properties of an existing WLAN. 3. Select Security. 4. Select MAC as the Authentication Type. Selecting MAC enables the radio buttons for each encryption option as an additional measure of security for the WLAN. FIGURE 6 MAC Authentication screen 5.
6 Open-system authentication can be referred to as no authentication, since no actual authentication and user credential validation takes place. A client user requests (and is granted) authentication with no credential exchange. FIGURE 7 PSK / None Settings screen NOTE Although None implies no authentication, this option is also used when pre-shared keys are used for encryption (thus the PSK in the description).
6 6. Select the Captive Portal if Primary Authentication Fails check box to enable the captive portal policy if the primary authentication is unavailable. 7. Select the Captive Portal Policy to use with the WLAN from the drop-down menu. If no relevant policies exist, select the Create icon to define a new policy to use with this WLAN or the Edit icon to update the configuration of an existing Captive Portal policy. For more information, see Configuring Captive Portal Policies. 8.
6 3. Select Security. 4. Refer to the MAC Registration section within the WLAN Policy security screen FIGURE 10 WLAN Policy Security screen - MAC Registration 5. Select the Enable option if MAC address registration is required with the selected WLAN. This feature is disabled by default. Use the drop-down menu to select a RADIUS Group Name to associate with MAC registration. If is selected, devices are not associated with a RADIUS group.
6 FIGURE 11 WLAN Policy Security screen - External Controller Field 5. Select the Enable option if WLAN authentication is handled using an external resource. This feature is disabled by default. 6. If using an external resource, use the drop-down menu to select either Hostname or IP Address and enter the server information in the Host field. 7. If a proxy is needed for connection, choose a proxy mode of either Through RF Domain Manager or Through Wireless Controller. If no proxy is needed, select None.
6 FIGURE 12 WPA/WPA2-TKIP screen 5. Define Key Settings. Pre-Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converted into a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated. 6. Define Key Rotation values.
6 Brocade recommends rotating the keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme. Unicast Rotation Interval Define an interval for unicast key transmission in seconds (30 -86,400). Some clients have issues using unicast key rotation, so ensure you know which kind of clients are impacted before using unicast keys. This feature is disabled by default.
6 WPA2/CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any the wireless controller provides for its associated clients. To configure WPA2-CCMP encryption on a WLAN: 1.
6 5. Define Key Settings. Pre-Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converted to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated. 6. Define Key Rotation values. Unicast messages are addressed to a single device on the network.
6 • WPA2-CCMP supersedes WPA-TKIP and implements all the mandatory elements of the 802.11i standard. WPA2-CCMP introduces a new AES-based algorithm called CCMP which replaces TKIP and WEP and is considered significantly more secure. WEP 64 Configuring WLAN Security Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi -Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.
6 FIGURE 14 WEP 64 screen 5. Configure the following WEP 64 settings: Generate Keys Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. Brocade wireless devices and their connected clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Brocade adapters need to use WEP keys manually configured as hexadecimal numbers. Keys 1-4 Use the Key #1-4 fields to specify key numbers.
6 • Brocade recommends additional layers of security (beyond WEP) be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with firewall policies restricting access to hosts and suspicious network applications. • WEP enabled WLANs should only be permitted access to resources required by legacy devices. • If WEP support is needed for WLAN legacy device support, 802.
6 FIGURE 15 WEP 128 screen 5. Configure the following WEP 128 settings: Generate Keys Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. Brocade wireless devices and their connected clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Brocade adapters need to use WEP keys manually configured as hexadecimal numbers. Keys 1-4 Use the Key #1-4 areas to specify key numbers.
6 • Brocade recommends additional layers of security (beyond WEP) be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with firewall policies restricting access to hosts and suspicious network applications. • WEP enabled WLANs should only be permitted access to resources required by legacy devices. • If WEP support is needed for WLAN legacy device support, 802.
6 FIGURE 16 WLAN KeyGuard Configuration screen 5. Configure the following Keyguard settings: Generate Keys Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. Brocade clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Brocade adapters need to use keys manually configured as hexadecimal numbers. Keys 1-4 Use the Key #1-4 areas to specify key numbers.
6 • Brocade proprietary authentication techniques, can also be enabled on WLANs supporting other Brocade proprietary techniques, such as KeyGuard. • A WLAN using KeyGuard to support legacy Brocade devices should also use largely limited to the support of just those legacy clients using KeyGuard. Configuring WLAN Firewall Support Wireless LAN Policy A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network.
6 FIGURE 17 WLAN Policy Firewall screen The screen displays editable fields for IP Firewall Rules, MAC Firewall Rules, Trust Parameters and Wireless Client Deny limits.
6 Select an existing Inbound IP Firewall Rule and Outbound IP Firewall Rule using the drop-down menu. If no rules exist, select the Create icon to display a screen where Firewall rules can be created. Select the Edit icon to modify the configuration of a selected Firewall policy configuration. 4. If creating a new IP firewall rule, provide a name up to 32 characters. 5. Select the Add button. FIGURE 18 IP Firewall Rules screen 6.
6 FIGURE 20 IP Firewall Rules Add Criteria screen NOTE Only those selected IP ACL filter attributes display. Each value can have its current setting adjusted by selecting that IP ACL’s column to display a pop-up to adjust that one value. Define the following IP firewall rule settings as required: Precedence Specify or modify a precedence for this IP policy between 1-5000. Rules with lower precedence are always applied to packets first.
6 ICMP Code Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. Many ICMP types have a corresponding code, helpful for troubleshooting network issues (0 - Net Unreachable, 1 Host Unreachable, 2 Protocol Unreachable etc.). Start VLAN Select a Start VLAN icon within a table row to set (apply) a start VLAN range for this IP ACL filter.
6 VLAN ID Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 - 4094. Match 802.1P Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0-7. Source and Destination MAC Enter both Source and Destination MAC addresses.
6 Set the following HTTP Analysis options: Forward to Syslog Server: Enable Select the check box to forward any firewall HTTP Analytics to the specified syslog server. Forward to Syslog Server: Host Enter the Hostname or IP Address for the syslog server to forward HTTP Analytics. Forward to Syslog Server: Port Enter the port number utilized by the syslog server.
6 FIGURE 22 WLAN Policy Client Settings screen 4. Define the following Client Settings for the WLAN: Enable Client-to-Client Communication Select this option to enable client to client communication within this WLAN. The default is enabled, meaning clients are allowed to exchange packets with other clients. It does not necessarily prevent clients on other WLANs from sending packets to this WLAN, but as long as this setting also disabled on that WLAN, clients are not permitted to interoperate.
6 Radio Resource Measurement Select this option to enable radio resource measurement capabilities (IEEE 802.11k) on this WLAN. 802.11k improves how traffic is distributed. In a WLAN, each device normally connects to an Access Point with the strongest signal. Depending on the number and locations of the clients, this arrangement can lead to excessive demand on one Access Point and underutilization others, resulting in degradation of overall network performance. With 802.
6 Before defining a WLAN’s client settings, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Clients on the same WLAN associated with an AAP can communicate locally at the AP Level without going through the controller or service platform. If this is undesirable, an Access Point's Client-to-Client Communication option should be disabled.
6 4. Set the following System Log Accounting information: Enable Syslog Accounting Use this option to generate accounting records in standard syslog format (RFC 3164). The feature is disabled by default. Syslog Host Specify the IP address or hostname of the external syslog host where accounting records are routed. Syslog Port Use the spinner control to set the destination UDP port number of the external syslog host where the accounting records are routed.
6 • When a monitored DHCP server resource becomes unavailable To configure WLAN service monitoring: 1. Select Configuration > Wireless LANs > Wireless LAN Policy to display a high-level display of the existing WLANs. 2. Select the Add button to create an additional WLAN or select Edit to modify the properties of an existing WLAN. 3. Select Service Monitoring. FIGURE 24 WLAN Policy Service Monitoring screen 4.
6 7. Refer to the DHCP Server Monitoring field to set the WLAN’s adoption service monitoring configuration. Enable Select enable to monitor activity over the defined DHCP Server. When the connection to the DHCP server is lost, captive portal users are automatically migrated a defined VLAN. The feature is disabled by default. VLAN Select the VLAN users are migrated to when the defined DHCP server resource becomes unavailable. The available range is from 1 - 4,094.
6 4. Refer to the Load Balancing Settings section to configure load balancing for the WLAN. Enforce Client Load Balancing Select this option to enforce a client load balance distribution on this WLAN’s Access Point radios. BR1220, BR1240, and BR71XX models can support 256 clients per Access Point. BR6511model can support up to 128 clients per Access Point. Loads are balanced by ignoring association and probe requests.
6 FIGURE 26 WLAN Policy Advanced screen 4. Refer to the Protected Management Frames (802.11w) field to set a frame protection mode and security association for the WLAN’s advanced configuration. Mode Select a radio button for the mode (either Disabled, Optional or Mandatory). Disabled is the default setting. SA Query Attempts Use the spinner control to set the number of security association query attempts between 1-10. The default value is 5.
6 802.11r is an attempt to undo the burden that security and QoS added to the handoff process, and restore it back to an original four message exchange process. The central application for the 802.11r standard is VOIP using mobile phones within wireless Internet networks. Refer to the Radio Rates field to define selected data rates for both the 2.4 and 5.0 GHz bands. 290 FIGURE 27 Advanced WLAN Rate Settings 2.
6 Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n supported by the 2.4 GHz band and the 802.11a and 802.11n rates supported by the 5.0 GHz band. These are the supported client rates within this WLAN. 802.11n MCS rates are defined as follows both with and without short guard intervals (SGI): MCS Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 0 1 6.5 7.2 13.5 15 1 1 13 14.4 27 30 2 1 19.
6 802.11ac MCS rates are defined as follows both with and without short guard intervals (SGI): MCS Index 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 80 MHz No SGI 80MHz With SGI 0 6.5 7.2. 13.5 15 29.3 32.5 1 13 14.4 27 30 58.5 65 2 19.5 21.7 40.5 45 87.8 97.5 3 26 28.9 54 60 117 130 4 39 43.3 81 90 175.5 195 5 52 57.8 108 120 234 260 6 58.5 65 121.5 135 263.3 292.5 7 65 72.2 135 150 292.5 325 8 78 86.
6 FIGURE 29 WLAN Policy Auto Shutdown screen 4. Refer to the Auto Shutdown field to set the WLANs shutdown criteria. Shutdown on Mesh Point Loss Select this option to automatically disable the WLAN when its associated mesh point is unreachable. This setting is disabled by default. Shutdown on Primary Point Select this option to automatically disable the WLAN when its primary port link is unreachable. This setting is disabled by default.
6 QoS provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value. QoS provides policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements when bandwidth is shared by different users and applications.
6 2. Refer to the following read-only information on each listed QoS policy to determine whether an existing policy can be used as is, an existing policy requires edit or a new policy requires creation: WLAN QoS Policy Displays the name assigned to this WLAN QoS policy when it was initially created. The assigned policy name cannot be modified as part of the edit process. Wireless Client Classification Lists each policy’s Wireless Client Classification as defined for this WLAN's intended traffic.
6 Configuring a WLAN’s QoS WMM Settings Using WMM, end-user satisfaction is maintained in a wider variety of environments and traffic conditions. WMM makes it possible for both home networks and Enterprises to decide which data streams are most important and assign them a higher traffic priority. WMM’s prioritization capabilities are based on the four access categories. The higher the access category, the higher the probability to transmit this kind of traffic over the WLAN.
6 3.
6 Wireless Client Classification Use the drop-down menu to select the Wireless Client Classification for this WLAN's intended traffic type. The classification categories are the different WLAN-WMM options available to the radio. Classification types include: WMM – Implies WiFi Multimedia QoS extensions are enabled on this radio. This allows different traffic streams between the wireless client and the Access Point to be prioritized according to the type of traffic (voice, video etc).
6 4. Set the following Voice Access settings for the WLAN’s QoS policy: Transmit Ops Use the slider to set the maximum device transmit duration after obtaining a transmit opportunity. The default value is 47. AIFSN Set the current Arbitrary Inter-frame Space Number (AIFSN) between 2-15. Higher-priority traffic voice categories should have lower AIFSNs than lower-priority traffic categories. This will cause lower-priority traffic to wait longer before attempting access. The default value is 2.
6 7. Set the following Low (Background) Access settings for the WLAN’s QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number. The default value is 0. AIFSN Set the current AIFSN between 2-15. Lower priority traffic categories should have higher AIFSNs than higher priority traffic categories.
6 2. Either select the Add button to define a new WLAN QoS policy, or select an existing WLAN QoS policy and select Edit to modify its existing configuration. 3. Select the Rate Limit tab.
6 4. Configure the following parameters in respect to the intended WLAN Upstream Rate Limit, or traffic from the controller or service platform to associated Access Point radios and connected wireless clients: Enable Select the Enable check box to enable rate limiting for data transmitted from the controller or service platform to associated Access Point radios and connected wireless clients. Enabling this option does not invoke rate limiting for data traffic in the downstream direction.
6 6. Configure the following parameters in respect to the intended WLAN Downstream Rate Limit, or traffic from wireless clients to associated Access Point radios and the controller or service platform: Enable Select the Enable radio button to enable rate limiting for data transmitted from the controller or service platform to its associated Access Point radios and connected wireless clients. Enabling this option does not invoke rate limiting for data traffic in the upstream direction.
6 8. Configure the following parameters in respect to the intended Wireless Client Upstream Rate Limit: Enable Select the Enable radio button to enable rate limiting for data transmitted from the client to its associated Access Point radio and connected wireless controller. Enabling this option does not invoke client rate limiting for data traffic in the downstream direction. This feature is disabled by default. Rate Define an upstream rate limit between 50 - 1,000,000 kbps.
6 11. Set the following Wireless Clients Downstream Random Early Detection Threshold settings: Background Traffic Set a percentage value for background traffic in the downstream direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default is 50%. Best Effort Traffic Set a percentage value for best effort traffic in the downstream direction.
6 3. Select the Multimedia Optimizations tab. FIGURE 31 QoS Policy Multimedia Optimizations screen 4. Configure the following parameters in respect to the intended Multicast Mask: Multicast Mask Primary Configure the primary multicast mask defined for each listed QoS policy. Normally all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames.
6 5. Set the following Accelerated Multicast settings: Disable Multicast Streaming Select this option to disable all multicast streaming on the WLAN. Automatically Detect Multicast Streams Select this option to allow the administrator to have multicast packets converted to unicast to provide better overall airtime utilization and performance.
6 Brocade wireless devices, associated Access Point radios and connected clients support several Quality of Service (QoS) techniques enabling real-time applications (such as voice and video) to co-exist simultaneously with lower priority background applications (such as Web, E-mail and file transfers). A well designed QoS policy should: • Classify and mark data traffic to accurately prioritize and segregate it (by access category) throughout the network.
6 NOTE Statically setting a WLAN WMM access category value only prioritizes traffic from the to the client, not from the client. Rate limits can be applied to WLANs using groups defined locally or externally from a RADIUS server using Brocade Vendor Specific Attributes (VSAs). Rate limits can be applied to authenticating users using 802.1X, captive portal authentication and MAC authentication. Configuring Radio QoS Policies Radio QoS Policy To configure a radio’s QoS policy: 1. .
6 Voice A green check mark indicates that Voice prioritization QoS is enabled on the radio. A red X indicates Voice prioritization QoS is disabled on the radio. Best Effort A green check mark indicates that Best Effort QoS is enabled on the radio. A red X indicates Best Effort QoS is disabled on the radio. Video A green check mark indicates that Video prioritization QoS is enabled on the radio. A red X indicates Video prioritization QoS is disabled on the radio.
6 4. Set the following Voice Access settings for the Radio QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. When resources are shared between a Voice over IP (VoIP) call and a low priority file transfer, bandwidth is normally exploited by the file transfer, thus reducing call quality or even causing the call to disconnect.
6 7. Set the following Low (Background) Access settings for the radio QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number. The default value is 0. AIFSN Set the current AIFSN between 1-15. Lower priority traffic categories should have higher AIFSNs than higher priority traffic categories.
6 11. Select the Implicit TPSEC check box to require wireless clients to send their traffic specifications to a controller or service platform managed Access Point before they can transmit or receive data. If enabled, this setting applies to just this radio’s QoS policy. This feature is enabled by default. 12. Set the following Voice Access admission control settings for this radio QoS policy: Enable Voice Select the check box to enable admission control for this policy’s voice traffic.
6 14. Set the following Video Access admission control settings for this radio QoS policy: Enable Video Select the check box to enable admission control for this policy’s video traffic. Only video traffic admission control is enabled, not any of the other access categories (each access category must be separately enabled and configured). This feature is disabled by default.
6 FIGURE 35 Radio QoS Policy Multimedia Optimizations screen 17. Set the following Accelerated Multicast settings for this radio QoS policy: Maximum number of wireless clients allowed Specify the maximum number of wireless clients (between 0 and 256) allowed to use accelerated multicast. The default value is 25.
6 With this enhancement, an aggregation delay is set uniquely for each traffic class. For example, voice traffic might not be aggregated, but sent immediately. Whereas, background data traffic is set a delay for aggregating frames, and these aggregated frames are sent. Smart Aggregation Select to enable smart aggregation and dynamically define when an aggregated frame is transmitted. Smart aggregation is enabled by default.
6 An association ACL affords a system administrator the ability to grant or restrict client access by specifying a wireless client MAC address or range of MAC addresses to either include or exclude from connectivity. Association ACLs are applied to WLANs as an additional access control mechanism. They can be applied to WLANs from within a WLAN Policy’s Advanced configuration screen. For more information on applying an existing Association ACL to a WLAN, see Configuring Advanced WLAN Settings.
6 4. Set the following parameters for the creation or modification of the Association ACL: Association ACL If creating an new association ACL, provide a name specific to its function. Avoid naming it after the WLAN it may support. The name cannot exceed 32 characters. Precedence The rules within a WLAN's ACL are applied to packets based on their precedence values. Every rule has a unique sequential precedence value you define. You cannot add two rules’s with the same precedence.
6 Smart RF also provides self-healing functions by monitoring the network in real-time and provides automatic mitigation from potentially problematic events such as radio interference, non-WiFi interference (noise), external WiFi interference, coverage holes and radio failures. Smart RF employs self-healing to enable a WLAN to better maintain wireless client performance and site coverage during dynamic RF environment changes, which typically require manual reconfiguration to resolve.
6 FIGURE 38 Smart RF Policy screen 2. Refer to the following configuration data for existing Smart RF policies: Smart RF Policy Displays the name assigned to the Smart RF policy when it was initially created. The name cannot be modified as part of the edit process. Smart RF Policy Enable Displays a green check mark if Smart RF has been enabled for the listed policy. A red “X” designates the policy as being disabled.
6 FIGURE 39 Smart RF Basic Configuration screen 4. Refer to the Basic Settings field to enable a Smart RF policy and define its sensitivity and detector status. Sensitivity Select a radio button corresponding to the desired Smart RF sensitivity. Options include Low, Medium, High and Custom. Medium, is the default setting. The Custom option allows an administrator to adjust the parameters and thresholds for Interference Recovery, Coverage Hole Recovery and Neighbor Recovery.
6 6. Select OK to update the Smart RF Basic Configuration settings for this policy. Select Reset to revert to the last saved configuration. 7. Select Channel and Power. Use the Channel and Power screen to refine Smart RF power settings over both 5 and 2.4 GHz radios and select channel settings in respect to the device channel usage.
6 8. Refer to the Power Settings field to define Smart RF recovery settings for either the selected 5.0 GHz (802.11a) or 2.4 GHz (802.11bg) radio. 5.0 GHz Minimum Power Use the spinner control to select a 1 - 20 dBm minimum power level for Smart RF to assign to a radio in the 5 GHz band. 4 dBm is the default setting. 5.0 GHz Maximum Power Use the spinner control to select a 1 - 20 dBm maximum power level Smart RF can assign a radio in the 5 GHz band. 17 dBm is the default setting. 2.
6 FIGURE 41 Smart RF Scanning Configuration screen NOTE The monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen. 10. Enable or disable Smart Monitoring Enable. The feature is enabled by default. When enabled, detector radios monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation.
6 11. Set the following OCS Monitoring Awareness Settings for the Smart RF policy: Threshold Select this option and specify a threshold from 10 - 10,000. When the threshold is reached awareness settings are overridden with the values specified in the table. Index Select an Index value from 1 - 3 for awareness overrides. The overrides are executed based on index, with the lowest index being executed first. Day Use the drop-down menu to select a day of the week to apply the override.
6 Select OK to update the Smart RF Scanning Configuration settings for this policy. Select Reset to revert to the last saved configuration. 12. Select Recovery. The Neighbor Recovery tab displays by default. Use the Neighbor, Interference and Coverage Hole recovery tabs to define how 5 and 2.4 GHz radios compensate for failed neighbor radios, interference impacting the Smart RF supported network and detected coverage holes requiring neighbor radio intervention. 13.
6 15. Set the following Dynamic Sample Recovery parameters: Dynamic Sample Enabled Select this option to enable dynamic sampling. Dynamic sampling enables an administrator to define how Smart RF adjustments are triggered by locking retry and threshold values. This setting is disabled by default. Dynamic Sample Retries Set the number of retries (from 1 - 10) attempted before a power level adjustment is implemented to compensate for a potential coverage hole. The default setting is 3.
6 Channel Hold Time Defines the minimum time between channel changes during neighbor recovery. Set the time in either Seconds (0 - 86,400), Minutes (0 - 1,440) or Hours (0 - 24) or Days (0 - 1). The default setting is 30 minutes. Client Threshold Use the spinner to set a client threshold for the Smart RF policy between 1 - 255.
6 20. Set the following Coverage Hole Recovery for 2.4 GHz and 5.0 GHz parameters: Client Threshold Use the spinner to set a client threshold for the Smart RF policy between 1 - 255. This is the minimum number of clients a radio should have associated in order for coverage hole recovery to trigger. The default setting is 1. SNR Threshold Use the spinner control to set a signal to noise threshold (between 1 - 75 dB).
6 MeshConnex Policy MeshConnex is a mesh networking technology that is comparable to the 802.11s mesh networking specification. MeshConnex meshing uses a hybrid proactive/on-demand path selection protocol, similar to Ad hoc On Demand Distance Vector (AODV) routing protocols. This allows it to form efficient paths using multiple attachment points to a distribution WAN, or form purely ad-hoc peer-to-peer mesh networks in the absence of a WAN.
6 Control VLAN Displays the VLAN (virtual interface ID) for the control VLAN on each of the configured mesh points. Allowed VLANs Displays the list of VLANs allowed on each configured mesh point. Security Mode Displays the security assigned to each configured mesh point. The field displays None for no security or PSK for pre-shared key authentication. Mesh QoS Policy Displays the mesh Quality of Service policy associated to each configured mesh point. 3.
6 Control VLAN Use the spinner control to specify a VLAN to carry meshpoint control traffic. The valid range for control VLAN is between 1 and 4094. The default value is VLAN 1. Allowed VLANs Specify the VLANs allowed to pass traffic on the mesh point. Separate all VLANs with a comma. To specify a range of allowed VLANs separate the starting VLAN and the ending VLAN with a hyphen. Neighbor Inactivity Timeout Specify a timeout in seconds, minutes, hours or days, up to a maximum of 1 day.
6 10. Select OK to save the changes made to the configuration. Select Reset to revert to the last saved configuration. 11. Select the Radio Rates tab. FIGURE 48 Radio Rate Settings Set the following Radio Rates for both the 2.4 and 5 GHz radio bands: 2.4 GHz Mesh Point Click the Select button to configure radio rates for the 2.4 GHz band. Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band.
6 334 FIGURE 49 Advanced Rate Settings 2.
6 Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band and 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates wireless client traffic is supported within this mesh point. If supporting 802.11n, select a Supported MCS index. Set a MCS (modulation and coding scheme) in respect to the radio’s channel width and guard interval.
6 2. Refer to the following configuration data for existing Smart RF policies: Mesh QoS Policy Displays the administrator assigned name of each mesh QoS policy. Mesh Tx Rate Limit Displays whether or not a Mesh Tx Rate Limit is enabled for each Mesh QoS policy. When the rate limit is enabled a green check mark is displayed, when it is disabled a red X is displayed. Mesh Rx Rate Limit Displays whether or not a Mesh Rx Rate Limit is enabled for each Mesh QoS policy.
6 FIGURE 52 Mesh QoS Policy Rate Limit screen 4. Configure the following parameters in respect to the intended From Air Upstream Rate Limit, or traffic from the controller to associated Access Point radios and their associated neighbor: Mesh Tx Rate Limit Select the check box to enable rate limiting for all data received from any mesh point in the mesh network. This feature is disabled by default. Rate Define a receive rate limit between 50 - 1,000,000 kbps.
6 5. Set the following From Air Upstream Random Early Detection Threshold settings for each access category. An early random drop is done when a traffic stream falls below the set threshold. Background Traffic Set a percentage value for background traffic in the transmit direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated.
6 7. Set the following To Air Downstream Random Early Detection Threshold settings for each access category. An early random drop occurs when the amount of tokens for a traffic stream falls below the set threshold. Background Traffic Set a percentage value for background traffic in the receive direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated.
6 9. Set the following Neighbor Settings From Air Upstream Random Early Detection Threshold for each access category: Background Traffic Set a percentage value for background traffic in the transmit direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.
6 FIGURE 53 Mesh QoS Policy Multimedia Optimizations screen 14. Set the following Accelerated Multicast settings: Disable Multicast Streaming Select this option to disable all Multicast Streaming on the mesh point. Automatically Detect Multicast Streams Select this option to allow the administrator to have multicast packets that are being bridged converted to unicast to provide better overall airtime utilization and performance.
6 Passpoint Policy A passpoint policy provides an interoperable platform for streamlining Wi-Fi access to Access Points deployed as public hotspots. Passpoint is supported across a wide range of wireless network deployment scenarios and client devices. The Passpoint Policy screen displays a list of passpoint polices for network hotspots. Each passpoint policy can be selected to edit its properties. If no exiting passpoint policies supports the required deployment, select Add to create a new policy.
6 FIGURE 55 Passpoint Policy - Add/Edit screen Brocade Mobility RFS Controller System Reference Guide 53-1003099-01 343
6 Refer to the Basic Configuration field to set the following: Access Network Type Use the drop-down menu to select the network access method for this passpoint policy.
Chapter Network Configuration 7 Controllers, service platforms and Access Points allow packet routing customizations and route resources be defined for deployment specific routing configurations. For more information on the options available, refer to the following: • • • • L2TP V3 Configuration AAA Policy AAA TACACS Policy Network Alias L2TP V3 Configuration L2TP V3 is an IETF standard used for transporting different types of layer 2 frames in an IP network.
7 NOTE If connecting an Ethernet port to another Ethernet port, the pseudowire type must be Ethernet port, if connecting an Ethernet VLAN to another Ethernet VLAN, the pseudowire type must be Ethernet VLAN. To define an L2TP V3 tunnel configuration: Select Configuration > Network > L2TP V3. FIGURE 1 L2TP V3 Policy screen The L2TP V3 screen lists the policy configurations defined thus far.
7 Rx Window Size Displays the number of packets that can be received without sending an acknowledgement. Tx Window Size Displays the number of packets that can be transmitted without receiving an acknowledgement. Failover Delay Lists the time (in either seconds or minutes) for establishing a tunnel after a failover (VRRP/RF Domain/Cluster). Force L2 Path Recovery Lists whether force L2 path recovery is enabled (as defined by a green checkmark) or disabled (as defined by a red X).
7 Retry Count Use the spinner control to define how many retransmission attempts are made before determining a target tunnel peer is not reachable. The available range is from 1 - 10, with a default value of 5. Retry Time Out Use the spinner control to define the interval (in seconds) before initiating a retransmission of a L2TP V3 signaling message. The available range is from 1 - 250, with a default value of 5.
7 RADIUS security server in the form of accounting records. Each accounting record is comprised of AV pairs and is stored on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA. When AAA accounting is activated, it’s applied equally to all interfaces on the access servers. To define unique WLAN AAA configurations: 1. Select Configuration > Network > AAA Policy to display existing AAA policies.
7 FIGURE 4 AAA Policy - RADIUS Authentication screen 4. Refer to the following AAA authentication policy data. Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available. Host Displays the IP address or hostname of the RADIUS authentication server. Port Displays the port on which the RADIUS server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1812.
7 5. Select a configuration from the table and select Edit, or select Add to create a new RADIUS authentication policy. FIGURE 5 AAA Policy - Add RADIUS Authentication Server 6. Define the following Settings to add or modify a AAA RADIUS authentication server configuration: Server ID Define the numerical server index (1-6) for the authentication server when added to the list available. Host Specify the IP address or hostname of the RADIUS authentication server.
7 Request Attempts Specify the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session. The available range is between 1 and 10 attempts. The default is 3 attempts. Request Timeout Specify the time between 1 and 60 seconds for the re-transmission of request packets. If this time is exceeded, the authentication session is terminated.
7 9. Select an accounting configuration from the table and select Edit, or select Add to create a new RADIUS accounting configuration: Server ID Displays the numerical server index (1-6) for the accounting server assigned when added to the Mobility operating system. Host Displays the IP address or hostname of the RADIUS authentication server. Port Displays the port on which the RADIUS server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1813.
7 FIGURE 7 AAA Policy - Add RADIUS Accounting Server 11. Define the following Settings to add or modify AAA RADIUS accounting server configuration: Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available. Host Specify the IP address or hostname of the RADIUS accounting server. Port Define or edit the port on which the RADIUS accounting server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1813.
7 Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS accounting server before it times out of the authentication session. The available range is between 1 and 10 attempts. The default is 3 attempts. Request Timeout Specify the time for the re-transmission of request packets. The default is 5 seconds. If this time is exceeded, the authentication session is terminated.
7 FIGURE 8 AAA Policy - Settings screen 14. Set the Protocol for MAC, Captive-Portal Authentication. The authentication protocol Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) when the server is used for any non-EAP authentication. PAP is the default setting. 15. Set the following RADIUS Accounting settings: Accounting Packet Type Set the RADIUS Accounting request packet type. Options include Stop Only, Start/Stop and Start/Interim/Stop.
7 16. Set the following RADIUS Address Format settings: Format Select the format of the MAC address used in the RADIUS accounting packets. Case Lists whether the MAC address is sent using uppercase or lowercase characters. The default setting is uppercase. Attributes Lists whether the format specified applies only to the username/password in mac-auth or for all attributes that include a MAC address, such as calling-station-id or called-station-id. 17.
7 To define a unique AAA TACACS configuration: 1. Select the Configuration tab from the Web UI. Select Network. Select AAA TACACS Policy to display a high level display of existing AAA policies. The Authentication, Authorization, and Accounting (AAA) TACACS screen lists existing AAA policies. Any of these policies can be selected and applied to a controller, service platform or Access Point. FIGURE 9 Authentication, Authorization, and Accounting (AAA) TACACS screen 2.
7 FIGURE 10 AAA TACACS Policy - Authentication 5. Refer to the following AAA TACACS policy authentication information: Server Id Lists the numerical server index (1-2) for each authentication server when added to the list available to the controller, service platform or Access Point. Host Displays the IP address or hostname set for the AAA TACACS authentication server. Port Displays the port the TACACS authentication server listens to traffic. The port range is 1 - 65,535. The default port is 49.
7 FIGURE 11 AAA TACACS Policy - Authentication Server NOTE Only 2 AAA TACACS Authentication servers can be configured at a time. 7. Define the following settings to add or modify a AAA TACACS authentication server configuration: Server Id Set numerical server index (1-2) for the authentication server when added to the list of available TACACS authentication server resources. Host Specify the IP address or hostname of the AAA TACACS server.
7 Click the Accounting tab. FIGURE 12 AAA TACACS Policy - Accounting 8. Refer to the following AAA TACACS policy accounting details to determine whether new policies require creation or existing policies require modification: Server Id Displays the numerical server index (1-2) for the accounting server when added to the list available to the controller, service platform or Access Point. Host Displays the IP address or hostname of the AAA TACACS accounting server.
7 FIGURE 13 AAA TACACS Policy - Accounting Server NOTE Only 2 AAA TACACS accounting servers can be configured at a time. 10. Define the following settings to add or modify AAA TACACS accounting server configuration: Server Id Set numerical server index (1-2) for a new accounting server. Host Specify the IP address or hostname of the AAA TACACS accounting server. Port Define or edit the port on which the AAA TACACS server listens to traffic. The port range is 1 65,535. The default port is 49.
7 FIGURE 14 AAA TACACS Policy - Authorization 11. Refer to the following AAA TACACS policy authorization server information to assess whether new or modified server configurations are warranted: Server Id Displays the numerical server index (1-2) for the authorization server when added to the list available to the controller, service platform or Access Point. Host Displays the IP address or hostname of the AAA TACACS authorization server. Port Displays the port the TACACS server listens to traffic.
7 FIGURE 15 AAA TACACS Policy - Authorization Server NOTE Only 2 AAA TACACS authorization servers can be configured at a time. 13. Define the following to add or modify AAA TACACS authorization server configuration: Server Id Set numerical server index (1-2) for the authorization server. Host Specify the IP address or hostname of the TACACS authorization server. Port Define or edit the port on which the AAA TACACS server listens to traffic. The port range is 1 65,535. The default port is 49.
7 FIGURE 16 AAA TACACS Policy - Settings Brocade Mobility RFS Controller System Reference Guide 53-1003099-01 365
7 14. Set the following AAA TACACS Accounting server configuration parameters: Access Method Specify access methods for accounting server connections. • All – Accounting is performed for all types of access with none given priority. • Console – Accounting is performed for console access only. • SSH – Accounting is performed only for access through SSH. • Telnet – Accounting is performed only for access through Telnet.
7 Select + Add Row and set the following Service Protocol Settings parameters: Service Name Provide a 30 character maximum shell service for user authorization. Service Protocol Enter a protocol for user authentication using the service. NOTE A maximum or 5 entries can be made in the Service Protocol Settings table. Select OK to save the updates. Select Reset to revert to last saved configuration.
7 For more information, refer to the following: • Network Basic Alias • Network Group Alias • Network Service Alias Network Basic Alias A basic alias is a set of configurations consisting of VLAN, Host, Network and Address Range alias configurations. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. A host alias configuration is for a particular host device’s IP address.
7 FIGURE 17 Network Basic Alias screen 3. Select + Add Row to define VLAN Alias settings: Use the Vlan Alias field to create unique aliases for VLANs that can be utilized at different deployments. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central local network.
7 Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location’s network range is 172.16.13.20 through 172.16.13.110, the remote location’s ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range.
7 Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment.
7 FIGURE 18 Network Group Alias screen Name Displays the administrator assigned name used with the network group alias. Host Displays all the host aliases configured in the listed network group alias. Displays a blank column if no host alias is defined. Network Displays all network aliases configured in the listed network group alias. Displays a blank column if no network alias is defined. 4.
7 FIGURE 19 Network Group Alias Add screen 6. If adding a new Network Alias Rule, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($). 7. Define the following network alias parameters: Host Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table. Network Specify the netmask for up to eight IP addresses supporting network aliasing.
7 To define a service alias configuration: 1. Select Configuration > Network from the Web UI. 2. Select Alias from the Network menu options on the left-hand side of the UI. 3. Select the Network Service Alias tab. The screen displays existing network service alias configurations. FIGURE 20 Network Service Alias screen 4. Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies. 5.
7 FIGURE 21 Network Service Alias Add screen 6. If adding a new Service Alias Rule, provide it a name up to 32 characters. Ensure a $ precedes the name. 7. Select + Add Row and provide the following configuration parameters: Protocol Specify the protocol for which the alias has to be created. Use the drop down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed.
7 Network Deployment Considerations Before defining a L2TPV3 configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: • In respect to L2TP V3, data transfers on the pseudowire can start as soon as session establishment corresponding to the pseudowire is complete. • In respect to L2TP V3, the control connection keep-alive mechanism of L2TP V3 can serve as a monitoring mechanism for the pseudowires associated with a control connection.
Chapter 8 Profile Configuration Profiles enable administrators to assign a common set of configuration parameters and policies to controllers, service platforms and Access Points. Profiles can be used to assign common or unique network, wireless and security parameters to devices across a large, multi segment, site. The configuration parameters within a profile are based on the hardware model the profile was created to support.
8 User defined profiles are manually created for each supported controller, service platform and Access Point model. User defined profiles can be manually assigned or automatically assigned to Access Points using an AP Auto provisioning policy. AP Adoption policies provide the means to easily assign profiles to Access Points based on model, serial number, VLAN ID, DHCP option, IP address (subnet) and MAC address.
8 4. Review the following information on existing profiles: Profile Lists the user-assigned name defined for each profile when created. Profile names cannot be edited with a profiles configuration. Type Displays the device type (and subsequent device specific configuration) supported by each listed profile. Available device types include: BR650 BR6511 BR1220 BR71XX AP81xx RFS4000 RFS6000 RFS7000 NX45xx NX65xx NX9000 Auto Provisioning Policy Displays the auto provisioning policy applied to this profile.
8 • Profile Services Configuration • Profile Management Configuration • Advanced Profile Configuration General Profile Configuration Each profile requires a provisioning policy and clock synchronization settings as part of its general configuration. Each profile can have a unique provisioning policy and system time.
8 FIGURE 2 General Profile - screen 5. If creating a new profile, provide a name (up to 32 characters) within the Profile parameter field. 6. Use the Type drop-down menu to specify the Brocade device model for which the profile applies. Profiles can only be applied to the same device type selected when the profile is initially created. 7. Refer to the Location field to define the device’s deployment location area.
8 9. Select + Add Row below the Network Time Protocol (NTP) table to define the configurations of NTP server resources used to obtain system time. Set the following parameters to define the NTP configuration: Server IP Set the IP address of each server added as a potential NTP resource. Key Number Select the number of the associated authentication peer key for the NTP resource. Key Enter a 64 character maximum key used when the autokey setting is set to false (disabled).
8 Profile Cluster Configuration (Controllers and Service Platforms Only) Configuration and network monitoring are two tasks a network administrator faces as a network grows in terms of the number of managed devices. Such scalability requirements lead network administrators to look for managing and monitoring each node from a single centralized management entity.
8 5. Define the following Cluster Settings parameters to set this profile’s cluster mode and deployment settings: Cluster Mode A member can be in either an Active or Standby mode. All active member can adopt Access Points. Standby members only adopt Access Points when an active member has failed or sees an Access Point not adopted by a controller or service platform. The default cluster mode is Active and enabled for use with the profile.
8 • A cluster member cannot adopt more APs than its hardware capacity allows. This is important when the number of pooled AP and AAP licenses exceeds the aggregated AP and AAP capacity available after a cluster member has failed. A cluster supported profile should be designed to ensure adequate AP and AAP capacity exists to address failure scenarios involving both APs and AAPs.
8 FIGURE 4 Provisioning Policy - Adoption screen Within the Controller Group field, use the Preferred Group item to set an optimal group for the Access Point’s adoption. The name of the preferred group cannot exceed 64 characters. Select the check box to define a VLAN the Access Point’s associating controller or service platform is reachable on. VLANs 0 and 4,094 are reserved and cannot be used by a controller or service platform VLAN.
8 Select + Add Row as needed to populate the table with IP Addresses or Hostnames used as Access Point adoption resources into the managed network. Host Use the drop-down menu to specify whether the adoption resource is defined as a (non DNS) IP Address or a Hostname. Once defined, provide the numerical IP or Hostname. A Hostname cannot exceed 64 characters. Pool Use the spinner control to set a pool of either 1 or 2. This is the pool the target controller or service platform belongs to.
8 FIGURE 5 Provisioning Policy - Adoption screen Within the Controller Group field, use the Group item to set provide the controller group this controller or service platform belongs to. A preferred group can also be selected for the adoption of this controller or service platform. The name of the preferred group cannot exceed 64 characters.
8 Set the following Controller Adoption Settings settings: Allow Adoption of Devices Select either Access Points or Controllers (or both) to refine whether this controller or service platform can adopt just networked Access Points or peer controller devices as well. Allow Adoption of this Controller Select the option to enable this controller or service platform to be capable of adoption by other controllers or service platforms.
8 Profile 80.21x Configuration 802.1X provides administrators secure, identity based access control as another data protection option to utilize with a device profile. 802.1X is an IEEE standard for media-level (Layer 2) access control, offering the capability to permit or deny network connectivity based on the identity of the user or device. Select the Configuration tab from the Web UI. Select Profiles from the Configuration tab. Select Manage Profiles from the Configuration > Profiles menu.
8 Profile Interface Configuration A profile’s interface configuration can be defined to support separate physical Ethernet configurations both unique and specific to RFS4000, RFS6000, RFS7000 series controllers and NX4500, NX6500 and NX9000 series service platforms.
8 3. Select Ethernet Ports. The Ethernet Ports screen displays configuration, runtime status and statistics regarding the physical ports on the controller or service platform. FIGURE 7 Ethernet Ports screen 4. Refer to the following to assess port status and performance: Name Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on controller or service platform model.
8 Mode Displays the profile’s switching mode as currently either Access or Trunk (as defined within the Ethernet Port Basic Configuration screen). If Access is selected, the listed port accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and mapped to the native VLAN. If set to Trunk, the port allows packets from a list of VLANs added to the trunk.
8 6. Set the following Ethernet port Properties: Description Enter a brief description for the port (64 characters maximum). The description should reflect the port’s intended function to differentiate it from others with similar configurations or perhaps just the name of the physical port. Admin Status Select the Enabled radio button to define this port as active to the profile it supports. Select the Disabled radio button to disable this physical port in the profile.
8 8. Define the following Switching Mode parameters to apply to the Ethernet port configuration: Mode Select either the Access or Trunk radio button to set the VLAN switching mode over the port. If Access is selected, the port accepts packets only form the native VLANs. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN.
8 FIGURE 9 Ethernet Ports - Security screen 12. Refer to the Access Control field. As part of the port’s security configuration, Inbound IP and MAC address firewall rules are required. Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select the firewall rules to apply to this profile’s Ethernet port configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances. 13.
8 NOTE Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physical MAC and inner ARP SMAC as VRRP MAC. If this configuration is enabled, a packet is allowed, despite a conflict existing. 15. Set the following 802.1X Settings: Host Mode Use the drop-down menu to select the host mode configuration to apply to this port. Options include single-host or multi-host. The default setting is single-host. Guest VLAN Specify a guest VLAN for this port from 1 - 4094.
8 FIGURE 10 Ethernet Ports - Spanning Tree screen 19. Define the following PortFast parameters for the port’s MSTP configuration: Enable PortFast Select the check box to enable fast transitions and drop-down menus for both the Enable Portfast BPDU Filter and Enable Portfast BPDU guard options for the port. This setting is disabled by default. PortFast BPDU Filter Select enable to invoke a BPDU filter for this portfast enabled port.
8 Link Type Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link. Selecting Shared indicates this port should be treated as having a shared connection. A port connected to a hub is on a shared link, while one the connected to a controller or service platform is a point-to-point link. Cisco MSTP Interoperability Select either the Enable or Disable radio buttons.
8 A Virtual Interface is required for layer 3 (IP) access or to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each connected VLAN ID. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration. A Virtual Interface is also used to map VLANs to IP address ranges. This mapping determines the destination networks for routing.
8 FIGURE 12 Virtual Interfaces - Basic Configuration screen The Basic Configuration screen displays by default, regardless of a whether a new Virtual Interface is created or an existing one is being modified. 6. If creating a new Virtual Interface, use the VLAN ID spinner control to define a numeric ID from 1 - 4094. 7.
8 Primary IP Address Define the IP address for the VLAN associated Virtual Interface. Use DHCP to Obtain IP Select this option to allow DHCP to provide the IP address for the Virtual Interface. Selecting this option disables the Primary IP address field. Use DHCP to obtain Gateway/DNS Servers Select this option to allow DHCP to obtain a default gateway address, and DNS resource for one virtual interface.
8 FIGURE 13 Virtual Interfaces - Security screen 13. Use the Inbound IP Firewall Rules drop-down menu to select the firewall rule configuration to apply to this Virtual Interface. The firewall inspects and packet traffic to and from connected clients. If a firewall rule does not exist suiting the data protection needs of this Virtual Interface, select the Create icon to define a new firewall rule configuration or the Edit icon to modify an existing configuration.
8 1. Select Configuration > Profiles > Interface. 2. Expand the Interface menu to display its submenu options. 3. Select Port Channels. The Port Channels screen displays. FIGURE 14 Port Channels screen 4. Refer to the following to review existing port channel configurations and their current status: Name Displays the port channel’s numerical identifier assigned to it when it was created. The numerical name cannot be modified as part of the edit process.
8 FIGURE 15 Port Channels - Basic Configuration screen 6. Set the following port channel Properties: Description Enter a brief description for the controller or service platform port channel (64 characters maximum). The description should reflect the port channel’s intended function. Admin Status Select the Enabled radio button to define this port channel as active to the profile it supports. Select the Disabled radio button to disable this port channel configuration within the profile.
8 8. Define the following Switching Mode parameters to apply to the port channel configuration: Mode Select either the Access or Trunk radio button to set the VLAN switching mode over the port channel. If Access is selected, the port channel accepts packets only form the native VLANs. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN.
8 FIGURE 16 Port Channels - Security screen 11. Refer to the Access Control section. As part of the port channel’s security configuration, Inbound IP and MAC address firewall rules are required. Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select firewall rules to apply to this profile’s port channel configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.
8 14. Select the Spanning Tree tab. FIGURE 17 Port Channels - Spanning Tree screen 15. Define the following PortFast parameters for the port channel’s MSTP configuration: Enable PortFast Select the check box to enable drop-down menus for both the port Enable Portfast BPDU Filter and Enable Portfast BPDU guard options. This setting is disabled by default. PortFast BPDU Filter Select Enable to invoke a BPDU filter for this portfast enabled port channel.
8 16. Set the following MSTP Configuration parameters for the port channel: Enable as Edge Port Select the check box to define this port as an edge port. Using an edge (private) port, you can isolate devices to prevent connectivity over this port channel. This setting is disabled by default. Link Type Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link.
8 VM Interface Configuration Profile Interface Configuration Mobility provides a dataplane bridge for external network connectivity for Virtual Machines (VMs). VM Interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enables remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of sixteen VMIF ports on the dataplane bridge.
8 4. Refer to the following to review VM interface configurations and status: Name Displays the VM interface numerical identifier assigned when it was created. The numerical name cannot be modified as part of the edit process. Type Displays whether the type is VM interface. Description Lists a short description (64 characters maximum) describing the VM interface or differentiating it from others with similar configurations.
8 FIGURE 19 Profile - VM Interfaces Basic Configuration screen 6. Set the following VM interface Properties: Description Enter a brief description for the controller or service platform VM interface (64 characters maximum). Admin Status Select the Enabled radio button to define this VM interface as active to the profile it supports. Select the Disabled radio button to disable this VM interface configuration in the profile. It can be activated at any future time when needed.
8 7. Set the following Switching Mode parameters to apply to the VM Interface configuration: Mode Select either the Access or Trunk radio button to set the VLAN switching mode over the VM interface. If Access is selected, the VM interface accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the VMIF port are expected as untagged and are mapped to the native VLAN.
8 FIGURE 20 Profile - VM Interfaces Security screen 10. Refer to the Access Control field. As part of the VM interface’s security configuration, IP Inbound and MAC Inbound address firewall rules are required. Use the IP Inbound Firewall Rules and MAC Inbound Firewall Rules drop-down menus to select the firewall rules to apply to this profile’s VM interface configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.
8 Access Point Radio Configuration Profile Interface Configuration Access Points can have their radio configurations modified by once their radios have successfully associated to an adopting. Take care not to modify an Access Point’s configuration using its resident Web UI, CLI or SNMP interfaces when managed by a profile, or risk the Access Point having a configuration independent from the profile until the profile can be uploaded to the Access Point again.
8 Admin Status A green checkmark defines the listed radio as active and enabled with its supported profile. A red “X” defines the radio as currently disabled. RF Mode Displays whether each listed radio is operating in the 802.11a/n or 802.11b/g/n radio band. If the radio is a dedicated sensor, it will be listed as a sensor to define the radio as not providing typical WLAN support. If the radio is a client-bridge, it provides a typical bridging function and does not provide WLAN support.
8 6. Define the following radio configuration parameters from within the Properties field: Description Provide or edit a description (1 - 64 characters in length) for the radio that helps differentiate it from others with similar configurations. Admin Status Select the Enabled radio button to define this radio as active to the profile it supports. Select the Disabled radio button to disable this radio configuration within the profile. It can be activated at any future time when needed.
8 Enable Antenna Diversity Select this box to enable antenna diversity on supported antennas. Antenna diversity uses two or more antennas to increase signal quality and strength. This option is disabled by default. Wireless Client Power Select this option to specify the transmit power on supported wireless clients. If this is enabled set a client power level between 0 to 20 dBm. This option is disabled by default.
8 8. Set the following profile WLAN Properties for the selected Access Point radio. Beacon Interval Set the interval between radio beacons in milliseconds (either 50, 100 or 200). A beacon is a packet broadcast by adopted radios to keep the network synchronized. The beacon includes the WLAN service area, radio address, broadcast destination addresses, time stamp and indicators about traffic and delivery such as a DTIM.
8 Select either Inline or Promiscuous mode to allow the packets the radio is switching to also be used by the WIPS analysis module. This feature can be enabled in two modes: an inline mode where the wips sensor receives the packets from the radios with radio operating in normal mode. A promiscuous mode where the radio is configured to a mode where it receives all packets on the channel whether the destination address is the radio or not, and the wips module can analyze them. 10.
8 FIGURE 24 Profile - Access Point Legacy Mesh tab 15. Refer to the Settings field to define mesh settings for the Access Point radio. Mesh Use the drop-down menu to set the mesh mode for this radio. Available options are Disabled, Portal or Client. Setting the mesh mode to Disabled deactivates all mesh activity on this radio. Setting the mesh mode to Portal turns the radio into a mesh portal. This will start the radio beaconing immediately and accept connections from other mesh nodes.
8 16. Refer to the Preferred Peer Device table to add mesh peers. For each peer added, enter its MAC Address and a Priority between 1 and 6. The lower the priority number the higher priority it'll be given when connecting to mesh infrastructure. 17. Select the + Add Row button to add preferred peer devices for the radio to connect to in mesh mode. 18. Select the Advanced Settings tab.
8 19. Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define how MAC service frames are aggregated by the Access Point radio. A-MPDU Modes Use the drop-down menu to define the A-MPDU mode supported. Options include Transmit Only, Receive Only, Transmit and Receive and None. The default value is Transmit and Receive. Using the default value, long frames can be both sent and received (up to 64 KB). When enabled, define either a transmit or receive limit (or both).
8 23. Refer to the Sniffer Redirect (Packet Capture) field to define the radio’s captured packet configuration. Host for Redirected Packets If packets are re-directed from a connected Access Point radio, define an IP address for a resource (additional host system) used to capture the re-directed packets. This address is the numerical (non DNS) address of the host used to capture the re-directed packets.
8 FIGURE 26 Profile -WAN Backhaul screen 4. Refer to the WAN (3G) Backhaul configuration to specify WAN card settings: WAN Interface Name Displays the WAN Interface name for the WAN 3G Backhaul card. Enable WAN (3G) Select this option to enable 3G WAN card support on the device. A supported 3G card must be connected to the device for this feature to work. 5.
8 6. Define the following NAT parameters from within the Network Address Translation (NAT) field: NAT Direction Define the Network Address Translation (NAT) direction. Options include: Inside - The inside network is transmitting data over the network its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
8 When the Access Point initiates a PPPoE session, it first performs a discovery to identify the Ethernet MAC address of the PPPoE client and establish a PPPoE session ID. In discovery, the PPPoE client discovers a server to host the PPPoE connection. To create a PPPoE point-to-point configuration 1. Select Configuration > Profiles > Interface. 2. Expand the Interface menu to display its submenu options. 3. Select PPPoE. FIGURE 27 Profile -PPPoE screen 4.
8 5. Define the following Authentication parameters for PPPoE client interoperation: Username Provide the 64 character maximum username used for authentication support by the PPPoE client. Password Provide the 64 character maximum password used for authentication by the PPPoE client. Authentication Type Use the drop-down menu to specify authentication type used by the PPPoE client, and whose credentials must be shared by its peer Access Point.
8 • Power over Ethernet is supported on RFS4000 and RFS6000 model controllers and NX4524 and NX6524 model service platforms only. When enabled, the controller supports 802.3af PoE on each of its ge ports. • When changing from a default DHCP address to a fixed IP address, set a static route first. This is critical when the controller or service platform is being accessed from a subnet not directly connected to the controller or service platform and the default route was set from DHCP.
8 As a resource is accessed (using human-friendly hostnames), it’s possible to access the resource even if the underlying machine friendly notation name changes. Without DNS, in the simplest terms, you would need to remember a series of numbers (123.123.123.123) instead of an easy to remember domain name (for example, www.domainname.com). To define the DNS configuration: 1. Select Configuration > Profiles > Network. 2. Expand the Network menu to display its submenu options. 3. Select DNS.
8 ARP Profile Network Configuration Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address recognized on the network. ARP provides protocol rules for making this correlation and providing address conversion in both directions. When an incoming packet destined for a host arrives, ARP is used to find a physical host or MAC address that matches the IP address.
8 5. Set the following parameters to define the ARP configuration: Switch VLAN Interface Use the spinner control to select a VLAN interface for an address requiring resolution. IP Address Define the IP address used to fetch a MAC Address. MAC Address Set the target MAC address subject to resolution. This is the MAC used for mapping an IP address to a MAC address recognized on the network. Device Type Specify the device type the ARP entry supports. Host is the default setting. 6.
8 NOTE If connecting an Ethernet port to another Ethernet port, the pseudowire type must be Ethernet port, if connecting an Ethernet VLAN to another Ethernet VLAN, the pseudowire type must be Ethernet VLAN. To define an L2TPV3 configuration for an Access Point profile: 1. Select Configuration > Profiles > Network. 2. Expand the Network menu to display its submenu options. 3. Expand the Network menu and select L2TPv3.
8 5. Select the L2TPv3 Tunnel tab. FIGURE 31 Network - L2TPv3 screen, T2TP tunnel tab 6. Review the following L2TPv3 tunnel configuration data: Name Displays the name of each listed L2TPv3 tunnel assigned upon creation. Local IP Address Lists the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.
8 FIGURE 32 Network - L2TPv3 screen, Add T2TP Tunnel Configuration 8. If creating a new tunnel configuration, assign it a 31 character maximum Name. 9. Define the following Settings required for the L2TP tunnel configuration: Local IP Address Enter the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address.
8 Establishment Criteria Specify the establishment criteria for creating a tunnel. The tunnel is only created if this device is one of the following: vrrp-master cluster-master rf-domain-manager The tunnel is always created if Always is selected. This indicates the device need not be any one of the above three (3) to establish a tunnel. VRRP Group Set the VRRP group ID. VRRP groups is only enabled when the Establishment Criteria is set to vrrp-master.
8 Encapsulation Select either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes. UDP Port If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port. IPSec Secure Enable this option to enable security on the connection between the Access Point and the Virtual Controller. IPSec Gateway Specify the IP Address of the IPSec’s secure gateway resource used to protect tunnel traffic.
8 Native VLAN Select this option to provide a VLAN ID that will not be tagged in tunnel establishment and packet transfer. 17. Select OK to save the changes within the T2TP Tunnel screen. Select Reset to revert the screen to its last saved configuration. 18. Select the Manual Session tab. After a successful tunnel connection and establishment, individual sessions can be created. Each session is a single data stream.
8 Name Lists the name assigned to each listed manual session. Remote Session ID Lists the remote session ID passed in the establishment of the tunnel session. 20. Select Add to create a new manual session, Edit to modify an existing session configuration or Delete to remove a selected manual session. FIGURE 36 Network - L2TPv3 screen, Add T2TP Peer Configuration 21. Set the following session parameters: Name Define a 31 character maximum name for this tunnel session.
8 MTU Define the session maximum transmission unit (MTU) as the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers in this session. A larger MTU means processing fewer packets for the same amount of data. Remote Session ID Use the spinner control to set the remote session ID passed in the establishment of the tunnel session. Assign an ID in the range of 1 - 4,294,967,295. Encapsulation Select either IP or UDP as the peer encapsulation protocol.
8 4. Select the Add button to create a new GRE tunnel configuration or select an existing tunnel and select Edit to modify its current configuration. To remove an existing GRE tunnel, select it from amongst those displayed and select the Delete button. FIGURE 37 Profile - Network GRE screen 5. If creating a new GRE configuration, assign it a name to distinguish its configuration. 6.
8 Tag Native VLAN 7. Select this option to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying the VLAN ID for upstream devices that the frame belongs. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs.
8 FIGURE 38 Profile - Network IGMP Snooping screen 2. Define or override the following General IGMP parameters configuration: Enable IGMP Snooping Select this option to enable IGMP snooping. If disabled, snooping on a per VLAN basis is also disabled. This feature is enabled by default. If disabled, the settings under the bridge configuration are overridden. For example, if IGMP snooping is disabled, but the bridge VLAN is enabled, the effective setting is disabled.
8 3. Set or override the following IGMP Querier parameters for the profile’s bridge VLAN configuration: Enable IGMP Querier Select this option to enable IGMP querier. IGMP snoop querier is used to keep host memberships alive. It’s primarily used in a network where there’s a multicast streaming server and hosts subscribed to the server and no IGMP querier present. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet.
8 FIGURE 39 Profile - Network QoS screen 4. Set the following parameters for IP DSCP mappings for untagged frames: DSCP Lists the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification. 802.1p Priority Assign a 802.1p priority as a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted.
8 The Multiple Spanning Tree Protocol (MSTP) provides an extension to STP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology. If there’s just one VLAN in the access point managed network, a single spanning tree works fine.
8 FIGURE 40 Profile - Network Spanning Tree screen 4. Set the following MSTP Configuration parameters MSTP Enable Select this option to enable MSTP for this profile. MSTP is disabled by default, so if requiring different (groups) of VLANs with the profile supported network segment. Max Hop Count Define the maximum number of hops the BPDU will consider valid in the spanning tree topology. The available range is from 7 -127. The default setting is 20.
8 Maximum Age Use the spinner control to set the maximum time (in seconds) to listen for the root bridge. The root bridge is the spanning tree bridge with the smallest (lowest) bridge ID. Each bridge has a unique ID and a configurable priority number, the bridge ID contains both. The available range is from 6 - 40. The default setting is 20. 5. Set the following PortFast parameters for the profile configuration: PortFast BPDU Filter Select Enable to invoke a BPDU filter for this portfast enabled port.
8 FIGURE 41 Static Routes screen 4. Select IP Routing to enable static routes using IP addresses. This option is enabled by default. 5. Use the drop-down menu to select a Policy Based Routing policy. If a suitable policy is not available, click the add button to create a new policy. 6. Select Add Row + as needed to include single rows with in the static IPv4 route table. 7. Add IP addresses and network masks in the Network Address column. 8. Provide the Gateway used to route traffic. 9.
8 Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
8 FIGURE 42 OSPF Settings screen 4. Enable/disable OSPF and provide the following dynamic routing settings: Enable OSPF Select this option to enable OSPF for this Access Point. OSPF is disabled by default. Router ID Select this option to define a router ID (numeric IP address) for this Access Point. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier.
8 5. Set the following OSPF Overload Protection settings: Number of Routes Use the spinner control to set the maximum number of OSPN routes permitted. The available range is from 1 - 4,294,967,295. Retry Count Set the maximum number of retries (OSPF resets) permitted before the OSPF process is shut down. The available range is from 1 - 32. The default setting is 5. Retry Time Out Set the duration (in seconds) the OSPF process remains off before initiating its next retry.
8 FIGURE 43 OSPF Area Settings screen 11. Review existing Area Setting configurations: Area ID Displays either the IP address or integer representing the OSPF area. Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections. Type Lists the OSPF area type in each listed configuration. 12. Select Add to create a new OSPF configuration, Edit to modify an existing configuration or Delete to remove a configuration.
8 FIGURE 44 OSPF Area Configuration screen 13. Set the OSPF Area configuration. Area ID Use the drop down menu and specify either an IP address or Integer for the OSPF area. Authentication Type Select either None, simple-password or message-digest as the credential validation scheme used with the OSPF dynamic route. The default setting is None. Type Set the OSPF area type as either stub, totally-stub, nssa, totally-nssa or non-stub.
8 FIGURE 45 OSPF Interface Settings screen 16. Review existing Interface Settings using the following: Name Displays the name defined for the interface configuration. Type Displays the type of interface. Description Lists each interface’s 32 character maximum description. Admin Status Displays whether administrative privileges have been enabled (with a green checkmark) or disabled (defined by a red X) for the OSPF route’s virtual interface connection.
8 FIGURE 46 OSPF Interface - Basic Configuration screen 18. Within the Properties field, enter a 32 character maximum Description to help differentiate the virtual interface configuration used with this OSPF route. Enable/disable Admin Status privileges as needed. They’re enabled by default. 19. Use the IP Addresses area to set how route addresses are created for the virtual configuration.
8 22. Refer to the DHCP Relay field to set or override the DHCP relay server configuration used with the virtual interface.: Respond to DHCP Relay Packets Select the Respond to DHCP Relay Packets option to allow the onboard DHCP server to respond to relayed DHCP packets on this interface. This setting is disabled by default. DHCP Relay Provide IP addresses for DHCP server relay resources. The interface VLAN and gateway should have their IP addresses set.
8 27. Use the VPN Crypto Map drop-down menu to select or override the Crypto Map configuration applied to this virtual interface. Crypto Map entries are sets of configuration parameters for encrypting packets passing through the VPN Tunnel. If a Crypto Map configuration does not exist suiting the needs of this virtual interface, select the Create icon to define a new Crypto Map configuration or the Edit icon to modify an existing configuration. 28. Select OK to save the changes to the configuration.
8 FIGURE 48 Forwarding Database screen 4. Define a Bridge Aging Time between 0, 10-1,000,000 seconds. The aging time defines the length of time an entry remains in the a bridge’s forwarding table before being deleted due to inactivity. If an entry replenishments a destination generating continuous traffic, this timeout value will never be invoked.
8 A Virtual LAN (VLAN) is separately administrated virtual network within the same physical managed network. VLANs are broadcast domains defined to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device. Administrators often need to route traffic to interoperate between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device which will untag it.
8 4. Review the following VLAN configuration parameters to determine whether an override is warranted: VLAN Lists the numerical identifier defined for the Bridge VLAN when initially created. The available range is from 1 - 4095. This value cannot be modified during the edit process. Description Lists a description of the VLAN assigned when it was created or modified.
8 6. If adding a new Bridge VLAN configuration, use the spinner control to define a VLAN ID between 1 - 4094. This value must be defined and saved before the General tab can become enabled and the remainder of the settings defined. VLAN IDs 0 and 4095 are reserved and unavailable. 7.
8 FIGURE 51 Bridge VLAN - IGMP Snooping Tab 12. Define the following General parameters for the bridge VLAN configuration: The Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. Controller and service platforms listen to IGMP network traffic and forward IGMP multicast packets to radios on which the interested hosts are connected. On the wired side of the network, the wired interfaces are flooded.
8 14. Set the following IGMP Querier parameters for the profile’s bridge VLAN configuration: Enable IGMP Querier IGMP snoop querier is used to keep host memberships alive. It’s primarily used in a network where there’s a multicast streaming server, hosts subscribed to the server and no IGMP querier present. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet. IGMP snooping is only conducted on wireless radios.
8 FIGURE 52 Profile - Network Cisco Discovery Protocol screen 4. Check the Enable CDP box to enable the Cisco Discovery Protocol on the device. 5. Refer to the Hold Time field and use the spinner control to define a hold time between 10 1800 seconds for transmitted CDP Packets. The default value is 180 seconds. 6. Refer to the Timer field and use the spinner control to define a interval between 5 - 900 seconds to transmit CDP Packets. The default value is 60 seconds. 7.
8 FIGURE 53 Profile - Network Link Layer Discovery Protocol screen 4. Check the Enable LLDP box to enable Link Layer Discovery Protocol on the device. 5. Refer to the Hold Time field and use the spinner control to define a hold time from 10 - 1800 seconds for transmitted LLDP packets. The default value is 180 seconds. 6. Refer to the Timer field and use the spinner control to define the interval between 5 - 900 seconds to transmit LLDP packets. The default value is 60 seconds. 7.
8 FIGURE 54 Profile Miscellaneous screen 4. Refer to the DHCP Settings section to configure miscellaneous DHCP Settings. Include Hostname in DHCP Request Select Include Hostname in DHCP Request to include a hostname in a DHCP lease for a requesting device. This feature is disabled by default. DHCP Persistent Lease Enables a persistent DHCP lease for a requesting device. A persistent DHCP lease assigns the same IP Address and other network information to the device each time it renews its DHCP lease.
8 • Global aliases are defined from the Configuration > Network > Alias screen. Global aliases are available for use globally across all devices, profiles and RF Domains in the system. • Profiles aliases are defined from the Configuration > Devices > System Profile > Network > Alias screen. Profile aliases are available for use to a specific group of wireless controllers or access points. Alias values defined in a profile override the alias values defined within global aliases.
8 FIGURE 55 Basic Alias screen 4. Select + Add Row to define VLAN Alias settings: Use the Vlan Alias field to create unique aliases for VLANs that can be utilized at different deployments. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central local network.
8 Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location’s network range is 172.16.13.20 through 172.16.13.110, the remote location’s ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range.
8 Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment.
8 FIGURE 56 Network Group Alias screen Name Displays the administrator assigned name used with the network group alias. Host Displays all the host aliases configured in the listed network group alias. Displays a blank column if no host alias is defined. Network Displays all network aliases configured in the listed network group alias. Displays a blank column if no network alias is defined. 5.
8 FIGURE 57 7. Network Group Alias Add screen If adding a new Network Alias Rule, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($). 8. Define the following network group alias parameters: Host Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table. Network Specify the netmask for up to eight IP addresses supporting network aliasing.
8 1. Select Configuration > Profiles > Network. 2. Expand the Network menu to display its submenu options 3. Select Alias. 4. Select the Network Service Alias tab. The screen displays existing network service alias configurations. FIGURE 58 Network Service Alias screen 5. Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies. 6. Select the added row to expand it into configurable parameters for defining the service alias rule.
8 FIGURE 59 7. Network Service Alias Add screen If adding a new Network Service Alias Rule, provide it a name up to 32 characters. Ensure a $ precedes the name. 8. Select + Add Row and provide the following configuration parameters: Protocol Specify the protocol for which the alias has to be created. Use the drop down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed.
8 Before defining a profile’s network configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: • Administrators often need to route traffic between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device which will untag it. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception.
8 FIGURE 60 Security - Settings screen 6. Refer to the General field to assign or create the following security policy’s to the profile: Firewall Policy Use the drop-down menu to select an existing Firewall Policy to use as an additional security mechanism with this profile. All devices using this profile must meet the requirements of the firewall policy to access the network.
8 Select an Advanced WIPS Policy from the drop-down menu. Define an advanced WIPS configuration to optionally remove (terminate) unwanted device connections, and sanction (allow) or unsanaction (disallow) specific events within the managed network. If an existing Advanced WIPS policy does not meet the profile’s data protection requirements, select the Create icon to create a new configuration that can be applied to the profile.
8 7. a. Provide the name of the trustpoint in question within the Trustpoint Name field. The name cannot exceed 32 characters. b. Enter the resource ensuring the trustpoint’s legitimacy within the URL field. c. Use the spinner control to specify an interval (in hours) after which a device copies a CRL file from an external server and associates it with a trustpoint. Select OK to save the changes made within the Certificate Revocation screen. Select Reset to revert to the last saved configuration.
8 FIGURE 62 Profile Security - VPN IKE Policy screen Select either the IKEv1 or IKEv2 radio button to enforce VPN peer key exchanges using either IKEv1 or IKEv2. IKEv2 provides improvements from the original IKEv1 design (improved cryptographic mechanisms, NAT and firewall traversal, attack resistance etc.) and is recommended in most deployments. The appearance of the IKE Policy screens differ depending on the selected IKEv1 or IKEv2 mode.
8 Name If creating a new IKE policy, assign it a 32 character maximum name to help differentiate this IKE configuration from others with similar parameters. DPD Keep Alive Configure the IKE keep alive message interval used for dead peer detection on the remote end of the IPSec VPN tunnel. Set this value in either Seconds (10 - 3,600), Minutes (1 - 60) or Hours (1). The default setting is 30 seconds. This setting is required for both IKEv1 and IKEV2.
8 Authentication Select an authentication hash algorithm used by the peers to exchange credential information. Options include SHA and MD5. The default setting is SHA. Select OK to save the changes made within the IKE Policy screen. Select Reset to revert to the last saved configuration. Select the Delete Row icon as needed to remove a peer configuration. Select the Peer Configuration tab to assign additional network address and IKE settings to the an intended VPN tunnel peer destination.
8 IKE Policy Name Lists the IKEv1 or IKE v2 policy used with each listed peer configuration. If a policy requires creation, select the Create button. Select Add to define a new peer configuration, Edit to modify an existing configuration or Delete to remove an existing peer configuration. The parameters that can de defined for the peer configuration vary depending on whether IKEv1 or IKEv2 was selected.
8 Select OK to save the changes made within the peer configuration screen. Select Reset to revert to the last saved configuration. Select the Transform Set tab. Create or modify Transform Set configurations to specify how traffic is protected. FIGURE 64 Profile Security - VPN Transform Set screen Review the following attributes of existing Transform Set configurations: Name Lists the 32 character maximum name assigned to each listed transform set upon creation.
8 FIGURE 65 Profile Security - VPN Transform Set create/modify screen Define the following settings for the new or modified transform set configuration: Name If creating a new transform set, define a 32 character maximum name to differentiate this configuration from others with similar attributes. Authentication Algorithm Set the transform sets’s authentication scheme used to validate identity credentials. Use the drop-down menu to select either HMAC-SHA or HMAC-MD5. The default setting is HMAC-SHA.
8 FIGURE 66 Profile Security - VPN Crypto Map screen Review the following Crypto Map configuration parameters to assess their relevance: Name Lists the 32 character maximum name assigned for each crypto map upon creation. This name cannot be modified as part of the edit process. Type Displays the site-to-site-manual, site-to-site-auto or remote VPN configuration defined for each listed cyrpto map configuration.
8 FIGURE 67 Profile Security - VPN Crypto Map Add / Edit screen Review the following before determining whether to add or modify a crypto map configuration Sequence Each crypto map configuration uses a list of entries based on a sequence number. Specifying multiple sequence numbers within the same crypto map, provides the flexibility to connect to multiple peers from the same interface, based on the sequence number (from 1 1,000).
8 FIGURE 68 Profile Security - VPN Crypto Map Entry screen Define the following Settings to set the crypto map configuration: 488 Sequence Each crypto map configuration uses a list of entries based on a sequence number. Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface, based on this selected sequence number (from 1 - 1,000).
8 Lifetime (kB) Select this option to define a connection volume lifetime (in kilobytes) for the duration of an IPSec VPN security association. Once the set volume is exceeded, the association is timed out. Use the spinner control to set the volume from 500 - 2,147,483,646 kilobytes. Lifetime (seconds) Select this option to define a lifetime (in seconds) for the duration of an IPSec VPN security association. Once the set value is exceeded, the association is timed out.
8 Select either the IKEv1 or IKEv2 radio button to enforce peer key exchanges over the remote VPN server using either IKEv1 or IKEv2. IKEv2 provides improvements from the original IKEv1 design (improved cryptographic mechanisms, NAT and firewall traversal, attack resistance etc.) and is recommended in most deployments. The appearance of the screen differs depending on the selected IKEv1 or IKEv2 mode.
8 FIGURE 70 Profile Security - Remote VPN Client screen Set the following Remote VPN Client Configuration settings: Shutdown Select this option to shutdown the remote VPN client. Transform Set Use the drop-down menu to select the transform set configuration to apply to remote client VPN connections. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected client traffic. .
8 FIGURE 71 Profile Security - Global VPN Settings screen Define the following IPSec Global settings: df bit Select the DF bit handling technique used for the ESP encapsulating header. Options include Clear, set and copy. The default setting is Copy. IPsec Lifetime (kB) Set a connection volume lifetime (in kilobytes) for the duration of an IPSec VPN security association. Once the set volume is exceeded, the association is timed out.
8 DPD Retries Use the spinner control to define the number of keep alive messages sent to an IPSec VPN client before the tunnel connection is defined as dead. The available range is from 1 - 100. The default number of messages is 5. NAT KeepAlive Define the interval (or frequency) for NAT keep alive messages for dead peer detection. Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is 20 seconds.
8 4. Select Security. 5. Select Auto IPSec Tunnel. FIGURE 72 Security Auto IPSec Tunnel screen 6. The Auto IPSec Tunnel screen displays by default. Refer to the Settings field to set an Auto IPSec Tunnel configuration for use with this profile. Group ID Define a 1 - 64 character group identifier for an IKE exchange supporting auto IPSec tunnel secure peers.
8 Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit across a traffic routing device. This enables mapping one IP address to another to protect network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address.
8 FIGURE 74 7. Security NAT Pool screen If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations. The length cannot exceed 64 characters. IP Address Range Define a range of IP addresses hidden from the public Internet. NAT modifies network address information in the defined IP range while in transit across a traffic routing device.
8 FIGURE 75 Static NAT screen 11. Select Add to create a new static NAT configuration. Existing NAT source configurations are not editable.
8 12. Set or override the following Source configuration parameters: Protocol Select the protocol for use with source translation (TCP, UDP and Any are available options). TCP is a transport layer protocol used by applications requiring guaranteed delivery. It’s a sliding window protocol handling both time outs and retransmissions. TCP establishes a full duplex virtual connection between two endpoints. Each endpoint is defined by an IP address and a TCP port number.
8 FIGURE 77 NAT Destination screen 14. Select Add to create a new NAT destination configuration. Existing NAT destination configurations are not editable.
8 FIGURE 78 NAT Destination Add screen 15. Set the following Destination configuration parameters: Protocol Select the protocol for use with static translation. TCP, UDP and Any are available options. TCP is a transport layer protocol used by applications requiring guaranteed delivery. It’s a sliding window protocol handling both timeouts and retransmissions. TCP establishes a full duplex virtual connection between two endpoints. Each endpoint is defined by an IP address and a TCP port number.
8 Dynamic NAT translates the IP address of packets from one interface to another interface based on configured conditions. Dynamic NAT requires packets be switched through a NAT router to generate translations in the translation table. FIGURE 79 Dynamic NAT screen 18. Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Source List ACL Lists an ACL name to define the packet selection criteria for the NAT configuration.
8 FIGURE 80 Source ACL List screen 20. Set the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT. NAT is applied only on packets which match a rule defined in the access list. These addresses (once translated) are not exposed to the outside world when the translation address is used to interact with the remote destination.
8 Use Bridge NAT to manage Internet traffic originating at a remote site. In addition to traditional NAT functionality, Bridge NAT provides a means of configuring NAT for bridged traffic through an Access Point. NAT rules are applied to bridged traffic through the Access Point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router. Using Bridge NAT, a tunneled VLAN (extended VLAN) is created between the NoC and a remote location.
8 NAT Pool Lists the names of existing NAT pools used with the Bridge NAT configuration. This displays only when the Overload Type is NAT Pool. Overload IP Lists the address used globally and collectively for numerous local addresses. Overload Type Lists the overload type used with the listed IP ACL rule. Set as either NAT Pool, One Global Address or Interface IP Address. ACL Precedence Lists the administrator assigned priority set for the ACL.
8 10. Select + Add Row to set IP address range settings for the Bridge NAT configuration. FIGURE 83 Security Source Dynamic NAT screen 11. Select OK to save the changes made within the Add Row and Source Dynamic NAT screen. Select Reset to revert to the last saved configuration.
8 • Brocade RFS4000 and RFS6000 model wireless controllers can provide outbound NAT services for hosts connected to multiple VLANs. For small deployments, VLANs should be terminated within a RFS4000 wireless controller providing site routing services. For medium-scale deployments, VLANs are typically terminated on a L3 (IP layer) or L2 (Ethernet layer). VRRP Configuration A default gateway is a critical resource for connectivity. However, it’s prone to a single point of failure.
8 FIGURE 84 Profile - VRRP screen 3. Review the following VRRP configuration data to assess if a new VRRP configuration is required or if an existing VRRP configuration requires modification or removal: Virtual Router ID Lists a numerical index (1 - 254) used to differentiate VRRP configurations. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for.
8 FIGURE 85 VVRP screen - Version tab VRRP version 3 (RFC 5798) and 2 (RFC 3768) are options for router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and support services over virtual IP. For more information on the VRRP protocol specifications (available publicly) refer to http://www.ietf.org/rfc/rfc3768.txt (version 2) and http://www.ietf.org/rfc/rfc5798.txt (version 3). 5.
8 FIGURE 86 VVRP screen 6. If creating a new VRRP configuration, assign a Virtual Router ID from (1 - 255). In addition to functioning as numerical identifier, the ID identifies the Access Point’s virtual router a packet is reporting status for. 7. Define the following VRRP General parameters: Description In addition to an ID assignment, a virtual router configuration can be assigned a textual description (up to 64 characters) to further distinguish it from others with a similar configuration.
8 Preempt Select this option to ensure a high priority backup router is available to preempt a lower priority backup router resource. The default setting is enabled. When selected, the Preempt Delay option becomes enabled to set the actual delay interval for pre-emption. This setting determines if a node with a higher priority can takeover all the Virtual IPs from the nodes with a lower priority.
8 2. Select Critical Resources. FIGURE 87 Critical Resources screen - List of Critical Resources tab The screen lists the destination IP addresses or interfaces (VLAN, WWAN, or PPPoE) used for critical resource connection. IP addresses can be monitored directly by the controller or service platform, whereas a VLAN, WWAN or PPPoE must be monitored behind an interface. 3. Ensure the Activate Critical Resources Policy button is selected to enable the parameters within the screen.
8 FIGURE 88 Critical Resources screen - Adding a Critical Resource 5. Use the Offline Resource Detection drop-down menu to define how critical resource event messages are generated. Options include Any and All. If selecting Any, an event is generated when the state of any single critical resource changes. If selecting All, an event is generated when the state of all monitored critical resources change. 6.
8 FIGURE 89 Critical Resources screen - Monitor Interval tab 10. Set Monitor Interval as the duration between two successive pings to the critical resource. Define this value in seconds from 5 - 86,400. The default setting is 30 seconds. 11. Set the Source IP for Port-Limited Monitoring to define the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface. Generally, the source address 0.0.0.
8 FIGURE 90 Profile Services screen 5. Refer to the Captive Portal Hosting section to select or set a guest access configuration (captive portal) for use with this profile. A captive portal is guest access policy for providing guests temporary and restrictive access to the network. A captive portal provides secure authenticated access using a standard Web browser.
8 Either select an existing captive portal policy or select the Create button to create a new captive portal configuration that can be applied to this profile. Existing policies can be modified by selecting the Edit icon. For more information, see Setting the DHCP Configuration. 7. Use the RADIUS Server Policy drop-down menu to select an existing RADIUS server policy to use as a user validation security mechanism with this profile.
8 3. Select Manage Profiles from the Configuration > Profiles menu. 4. Select Management. 5. Expand the Management menu item to display its sub menu options. 6. Select Settings from the Management menu. FIGURE 91 7. Profile Management Settings screen Refer to the Management Policy field to select or set a management configuration for use with this profile. A default management policy is also available if no existing policies are usable.
8 8. Refer to the Message Logging field to define how the profile logs system events. It’s important to log individual events to discern an overall pattern that may be negatively impacting performance using the configuration defined for this profile. Enable Message Logging Select this option to enable the profile to log system events to a user defined log file or a syslog server. Selecting this check box enables the rest of the parameters required to define the profile’s logging configuration.
8 Sender Email Address Specify the 64 character maximum email address from which notification emails are originated. This is the from address on notification emails. Recipient’s E-mail Address Specify up to 6 Email addresses to be the recipient’s of event Email notifications. Username for SMTP Server Specify the username of the sender on the outgoing SMTP server. Many SMTP servers require users to authenticate with a username and password before sending email through the server.
8 FIGURE 92 Profile Management Firmware screen 15. Refer to the Auto Install via DHCP Option section to configure automatic configuration file and firmware updates. Enable Configuration Update Select the Enable Configuration Update radio button (from within the Automatic Configuration Update field) to enable automatic configuration file updates for the profile from an external location.
8 16. Refer to the parameters within the Legacy Device Firmware Management field to set legacy Access Point firmware provisions: Migration Firmware from BR71XX 4.x path Provide a path to a firmware image used to provision BR71XX model Access Points currently utilizing a 4.x version legacy firmware file. Once a valid path is provided, the update is enabled to the version maintained locally for BR71XX models.
8 The Retain Image feature is enabled for all controller and service platform RF domain managers with the flash memory capacity to store firmware images for the selected Access Point models they provision. This feature is disabled for Access Point RF domain managers that do not typically have the flash memory capacity needed. 19. Select OK to save the changes made to the profile maintenance Heartbeat tab. Select Reset to revert to the last saved configuration.
8 FIGURE 93 Profile - Mesh Point screen 5. Refer to the Mesh Point screen to view existing Mesh Points. If an existing Mesh Point configuration does not meet your requirements, select the Add button to create a new mesh point configuration or the Edit button to modify the parameters of an existing mesh point configuration. The Mesh Point screen displays the Settings tab by default.
8 FIGURE 94 Mesh Point - Settings Screen 6. Define the following Settings: MeshConnex Policy If adding a new policy, specify a name for the MeshConnex Policy. The name cannot be edited later with other configuration parameters. Until a viable name is provided, the Settings tab cannot be enabled for configuration. Is Root Select the root behavior of this mesh point. Select True to indicate this mesh point is a root node for this mesh network.
8 Monitor Critical Resources Enable this feature to allow dynamic conversion of a mesh point from root to non-root when there is a critical resource failure. This option is disabled by default. Monitor Primary Port Link Enable this feature to allow dynamic conversion of a mesh point from root to non-root during a link down event. This option is disabled by default. Wired Peer Excluded Select this option to exclude a mesh from forming a link with another mesh device that's a wired peer.
8 FIGURE 95 Mesh Point Auto Channel Selection - Dynamic Root Selection screen The Dynamic Root Selection screen displays by default. The Dynamic Root Selection screen provides configuration options for the 2.4 GHz and 5.0/4.9 GHz frequencies. 10. Set the following values (common to both 2.4 GHZ and 5.0/4.9 GHz): Channel Width Set the channel width the meshpoint’s automatic channel scan assigns to the selected radio.
8 Off-channel Duration Set the duration (from 20 - 250 milliseconds) the scan dwells on each channel when performing an off channel scan. The default is 50 milliseconds. Off-channel Scan Frequency Set the duration (from 1- 60 seconds) between two consecutive off channel scans. The default is 6 seconds. Meshpoint Root - Sample Count Configure the number of scan samples (from 1- 10) performed for data collection before a mesh channel is selected. The default is 5.
8 12. Set the following 2.4 GHz and 5.0/4.9 GHz path method SNR data: Channel Width Set the channel width the meshpoint automatic channel scan assigns to the selected radio. Available options include: • Automatic – Defines the channel width calculation automatically. This is the default value. • 20 MHz – Sets the width between two adjacent channels as 20 MHz. • 40 MHz – Sets the width between two adjacent channels as 40 MHz. Priority Meshpoint Set the meshpoint monitored for automatic channel scans.
8 FIGURE 97 Mesh Point Auto Channel Selection - Root Path Metric screen 14. Set the following Path Method Root Path Metrics (applying to both the 2.4 GHz and 5.0/4.9 GHz frequencies): Channel Width Set the channel width meshpoint automatic channel scan should assign to the selected radio. The available options are: • Automatic – Defines the channel width as calculated automatically. This is the default value. • 20 MHz – Set the width between two adjacent channels as 20 MHz.
8 Meshpoint Root: Sample Count Set the number of scans (from 1- 10) for data collection before a mesh point root is selected. The default is 5. Meshpoint Root: Off-channel Duration Define the duration (from 20 - 250 milliseconds) for scan dwells on each channel, when performing an off channel scan. The default is 50 milliseconds. Meshpoint Root: Channel Switch Delta Configure the delta (from 5 - 35 dBm) that triggers a meshpoint root automatic channel selection when exceeded. The default is 10 dBm.
8 rfs6000-xxxxxx #configure terminal Enter configuration commands, one per line. End with CNTL/Z. rfs6000-xxxxxx (config)#profile BR71XX Non-Root BR71XX rfs6000-xxxxxx (config-profile-Non-Root-BR71XX)#misconfiguration-recovery-time 0 rfs6000-xxxxxx (config-profile-Non-Root-BR71XX) Setting a Profile’s Environmental Sensor Configuration (BR1240 Only) An BR1240 sensor module is a USB environmental sensor extension to an BR1240 model Access Point.
8 5. Set the following Light Sensor settings for the BR1240’s sensor module:. Enable Light Sensor Select this option to enable the light sensor on the module. This setting is enabled by default. The light sensor reports whether the Access Point’s has its lights powered on or off. Polling Time to Determine if Light is On/Off Define an interval in Seconds (2 - 201) or Minutes (1 - 4) for the sensor module to poll its environment to assess light intensity to determine whether lighting is on or off.
8 2. Select Profiles from the Configuration tab. 3. Select Manage Profiles from the Configuration > Profiles menu. 4. Select Advanced and expand the menu item.
8 FIGURE 99 Advanced Profile - Client Load Balancing screen Select the SBC strategy from the drop-down menu to determine how band steering is conducted. Band steering directs 5 GHz-capable clients to that band. When an Access Point hears a request from a client to associate on both the 2.4 GHz and 5 GHz bands, it knows the client is capable of operation in 5 GHz. Band steering steers the client by responding only to the 5 GHz association request and not the 2.4 GHz request.
8 Enable Balance Band Loads by Radio to distribute an Access Points client traffic load across both the 2.4 and 5 GHz radio bands. Set the following Channel Load Balancing settings: Balance 2.4 GHz Channel Loads Select this option to balance an Access Point’s 2.4 GHz client load across all channels available to that model SKU. This setting is enabled by default. Balance 5 GHz Channel Loads Select this option to balance an Access Point’s 5 GHz client load across all channels available to that model SKU.
8 Max. 5 GHz Difference Considered Equal Set the maximum load difference (from 1 - 100%) considered equal when comparing 5 GHz client loads. The default setting is 1%. Min. Value to Trigger 5 Ghz Channel Balancing Set the threshold (from 1 - 100%) beyond which channel load balancing is triggered in the 5 GHz radio band. The default setting is 5%. Weightage given to Client Count Set the weightage (from 1- 100%) applied to client count calculations in the 5 GHz radio band. The default setting is 90%.
8 FIGURE 100 Advanced Profile MINT screen - Settings tab The Settings tab displays by default. 2. Refer to the Area Identifier field to define the Level 1 and Level 2 Area IDs used by the profile’s MINT configuration. Level 1 Area ID Select the check box to enable a spinner control for setting the Level 1 Area ID between 1 4,294,967,295. The default value is disabled. 3.
8 6. Select Tunnel Controller Load Balancing (Level 1) (if available to your controller) to enable load balancing through a WLAN tunnel controller. 7. If Tunnel Controller load balancing is enabled for your controller, enter the name of the designated WLAN tunnel controller. 8. Select OK to save the changes made to the Settings tab. Select Reset to revert to the last saved configuration. 9.
8 FIGURE 102 Advanced Profile MINT screen - IP Add tab 11. Set the following Link IP parameters to complete the MINT network address configuration: IP Define the IP address used by peers for interoperation when supporting the MINT protocol. Port To specify a custom port for MiNT links, select this option and use the spinner control to define the port number between 1 and 65,535. Routing Level Use the spinner control to define a routing level of either 1 or 2.
8 FIGURE 103 Advanced Profile MINT screen - VLAN tab 13. The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another. Select Add to create a new VLAN link configuration or Edit to modify an existing MINT configuration.
8 14. Set the following VLAN parameters to complete the MINT configuration: VLAN Define a VLAN ID between 1 - 4,094 used by peers for interoperation when supporting the MINT protocol. Routing Level Use the spinner control to define a routing level of either 1 or 2. Link Cost Use the spinner control to define a link cost between 1 - 10,000. The default value is 100. Hello Packet Interval Set an interval in either Seconds (1 - 120) or Minutes (1 - 2) for the transmission of hello packets.
8 FIGURE 105 Advanced Profile Miscellaneous screen Set a NAS-Identifier Attribute up to 253 characters. This is the RADIUS NAS-Identifier attribute that typically identifies the controller or service platform where a RADIUS message originates. Set a NAS-Port-Id Attribute up to 253 characters in length. This is the RADIUS NAS port ID attribute which identifies the device port where a RADIUS message originates. 2.
8 4. Select the Priority check box (within the RF Domain Manager section) to set a priority value for this specific profile managed device. Once enabled, use the spinner control to set a device priority between 1 - 255. The higher the number set, the higher the priority in the RF Domain manager election process. 5. Set the Meshpoint Behavior as either an External (Fixed) unit or a mobile Vehicle Mounted unit. 6.
Chapter Rf Domain Configuration 9 About RF Domains A controller or service platform's configuration is composed of numerous elements including RF Domains, profiles, policies, WLANs and device specific configurations. RF Domains are used to assign regulatory, location and relevant policies to controllers and service platforms. RF Domains are required, and each controller or service platform must be assigned at least one default RF Domain.
9 User Defined RF Domains Configure and deploy user defined RF Domains for single or multiple sites when controllers or service platforms require unique regulatory and regional configurations, or unique Smart RF and WIPS policies. User defined RF Domains can be used to: • Assign unique Smart RF or WIPS policies to Access Points deployed on different floors or buildings within a site. • Assign unique regional or regulatory configurations to Access Points deployed in different states or countries.
9 FIGURE 1 RF Domain screen 3. Use the following (read only) information to determine whether a new RF Domain policy requires creation, or an existing RF Domain requires edit or deletion: RF Domain Lists each policy’s name, as assigned when it was created. The RF Domain name cannot be changed as part of the edit process. Only one RF Domain can be assigned to a controller or service platform. Location Displays the physical location assigned to the RF Domain.
9 FIGURE 2 RF Domain Browser 5. Once the data within the RF Domain screen and RF Domain Browser is reviewed, determine whether a new policy requires creation, or if an existing policy requires edit or deletion. The management of RF Domains entails the following: • • • • • RF Domain Basic Configuration RF Domain Sensor Configuration RF Client Name Configuration RF Domain Overrides RF Domain Network Alias RF Domain Basic Configuration To set a RD Domain basic configuration: 1.
9 3. Define the following Basic Configuration parameters for the RF Domain: RF Domain If creating a new RF Domain, assign it a name representative of its intended function. The name cannot exceed 32 characters. The name cannot be changed as part of the edit process. Location Assign the physical location of the controller or service platform RF Domain. This name could be as specific as the floor of a building, or as generic as an entire site.
9 When a radio fails or is faulty, a Smart RF policy can used provide automatic recovery by instructing neighboring Access Points to increase their transmit power to compensate for the coverage loss. Once correct Access Point placement has been established, Smart-RF can optionally be leveraged for automatic detector radio selection. Smart-RF uses detector radios to monitor RF events and can be used to ensure adequate detector coverage is available.
9 7. Refer to the Statistics field to define how RF Domain stats and updated. Update Interval Set an interval of 0 or from 5-3600 seconds for update retrievals. Window Index Use the spinner control to set a numerical index used as an identifier for each RF Domain statistics defined. Sample Interval Use the spinner control to define the interval (in seconds) to capture windowed statistics supporting the listed RF Domain configuration. The default is 5 seconds.
9 FIGURE 3 RF Domain - Sensor WIPS screen 3. Either select the + Add Row button to create a new WIPS server configuration or highlight an existing Sensor Server Configuration and select the Delete icon to remove it. 4. Use the spinner control to assign a numerical Server ID to each WIPS server defined. The server with the lowest defined ID is the first reached by the controller or service platform. The default ID is 1. 5.
9 FIGURE 4 RF Domain Client Configuration screen 3. Either select the + Add Row button to create a new client configuration or highlight an existing configuration and select the Delete icon to remove it. 4. Enter the client’s factory coded MAC address. 5. Assign a Name to the RF Domain member Access Point’s connected client to assist in its easy recognition. 6. Select OK to save the changes to the configuration, or select Reset to revert to the last saved configuration.
9 FIGURE 5 RF Domain Override SSID screen The Overrides screen is partitioned into two tabs, with the Override SSID screen displayed by default. 3. Either select the + Add button to create a new Override SSID configuration. Highlight an existing Sensor Server Configuration and select the Delete icon to remove it from the table. 4. Use the WLAN drop-down menu to select an existing WLAN to be supplied an override SSID.
9 FIGURE 6 RF Domain Override VLAN screen 8. Either select Add to define a new VLAN override configuration, choose an existing WLAN and select Edit to change the override VLAN and limit or select Delete to remove a WLAN’s override VLAN configuration. FIGURE 7 RF Domain Override VLAN Add screen 9. Use the VLAN spinner control to change the add additional VLANs for WLAN client connection. By default, VLAN 1 is configured for any selected WLAN.
9 10. Use the Wireless Client Limit spinner control to set the client user limit for the VLAN. The maximum allowed client limit is 8192 per VLAN. VLANs can be defined from 1 - 4094. The default setting is 0. 11. Select OK to save the changes to the Override VLAN configuration, or select Reset to Revert to the last saved configuration.
9 • RF Domain Network Service Alias RF Domain Basic Alias A basic alias is a set of configurations consisting of VLAN, Host, Network and Address Range alias configurations. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. A host alias configuration is for a particular host device’s IP address. A network alias configuration is utilized for an IP address on a particular network. An address range alias is a configuration for a range of IP addresses.
9 FIGURE 8 RF Domain Network Basic Alias screen 4. Select + Add Row to define VLAN Alias settings: Use the Vlan Alias field to create unique aliases for VLANs that can be utilized at different deployments. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias.
9 Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location’s network range is 172.16.13.20 through 172.16.13.110, the remote location’s ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range.
9 Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment.
9 FIGURE 9 RF Domain Network Group Alias screen Name Displays the administrator assigned name used with the network group alias. Host Displays all the host aliases configured in the listed network group alias. Displays a blank column if no host alias is defined. Network Displays all network aliases configured in the listed network group alias. Displays a blank column if no network alias is defined. 5.
9 FIGURE 10 7. RF Domain Network Group Alias Add screen If adding a new Network Alias Rule, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($). 8. Define the following network group alias parameters: Host Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table. Network Specify the netmask for up to eight IP addresses supporting network aliasing.
9 1. Select Configuration > RF Domains from the Web UI. The RF Domain screen displays within the main portion of the Web UI, and the RF Domain Browser displays in the lower, left-hand, portion of the Web UI. 2. From the RF Domain screen, either select the Add button or highlight an existing RF Domain and select Edit. An existing policy can also be modified by selecting it directly from the RF Domain browser. 3. Expand the Network menu item and select Alias. 4. Select the Network Service Alias tab.
9 FIGURE 12 7. RF Domain Network Service Alias Add screen If adding a new Network Service Alias Rule, provide it a name up to 32 characters. Ensure a $ precedes the name. 8. Select + Add Row and provide the following configuration parameters: Protocol Specify the protocol for which the alias has to be created. Use the drop down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed.
9 • Controllers or service platforms utilizes a default RF Domain. Access Points are assigned to this default RF Domain as they are discovered. The default RF Domain can be used for single site deployments, where regional, regulatory and RF policies are common between devices. • User defined RF Domains must be manually assigned to controllers or service platforms, but can be manually or automatically assigned to Access Points.
9 564 Brocade Mobility RFS Controller System Reference Guide 53-1003099-01
Chapter Security Configuration 10 When protecting wireless traffic to and from a wireless controller or service platform, the administrator should not lose sight of the security solution in it's entirety, since the chain is as weak as its weakest link. Brocade Mobility 5 network provides seamless data protection and user validation to protect and secure data at each vulnerable point in the network.
10 Rules comprise conditions and actions. A condition describes a traffic stream of packets. Define constraints on the source and destination device, the service (for example, protocols and ports), and the incoming interface. An action describes what should occur to packets matching the conditions set. For example, if the packet stream meets all conditions, traffic is permitted, authenticated and sent to the destination device.
10 2. Refer to the following configuration data for existing wireless firewall policies: Firewall Policy Displays the name assigned to the policy when created. The name cannot be modified as part of the edit process. Status Displays a green check mark if the policy has been enabled. A red “X” designates the policy as disabled. Proxy ARP Displays a green check mark if Proxy ARP routing has been enabled. A red “X” designates Proxy ARP as disabled. 3.
10 FIGURE 2 Wireless Firewall Add/Edit Denial of Service screen 2. The Settings window contains a list of all of the Denial of Service (DoS) attacks that the wireless controller’s firewall has filters for. Each DoS filter contains the following four items: Event The Event column lists the name of each DoS attack. Enable Checking Enable box sets the Firewall Policy to filter the associated DoS attack based on the selection in the Action column.
10 Denial of Service Attacks Table Refer to the following for a summary of each Denial of Service attack the firewall can filter. Ascend The Ascend DoS attacks are a series of attacks that target known vulnerabilities in various versions of Ascend routers. Broadcast/Multicast ICMP Broadcast or Multicast ICMP DoS attacks are a series of attacks that take advantage of ICMP behavior in response to echo replies.
10 TCP FIN Scan Hackers use the TCP FIN scan to identify listening TCP port numbers based on how the target device reacts to a transaction close request for a TCP port (even though no connection may exist before these close requests are made). This type of scan can get through basic firewalls and boundary routers that filter on incoming TCP packets with the Finish (FIN) and ACK flag combination. The TCP packets used in this scan include only the TCP FIN flag setting.
10 Firewall Policy Storm Control Adding and Editing Wireless Firewall Policies The firewall maintains a facility to control packet storms. Storms are packet bombardments that exceed the high threshold value configured for an interface. During a storm, packets are throttled until the rate falls below the configured rate, severely impacting performance for the RF Domain manager interface. Thresholds are configured in terms of packets per second.
10 4. Refer to the Storm Control Logging field to define how storm events are logged. Traffic Type Use the drop-down menu to define the traffic type for which the Storm Control logging configuration applies. Options include ARP, Broadcast, Multicast and Unicast. Logging Select the check box to activate the spinner control used for specifying the standard log level used if a Storm Control attack is detected. The default log level is Warning. 5.
10 3. Refer to the General field to enable or disable the following firewall configuration parameters: Enable Proxy ARP Select this check box to allow the Firewall Policy to use Proxy ARP responses for this policy on behalf of another device. Proxy ARP allows the firewall to handle ARP routing requests for devices behind the firewall. This feature is enabled by default. DHCP Broadcast to Unicast Select this check box to enable the conversion of broadcast DHCP offers to unicast.
10 4. The firewall policy allows traffic filtering at the application layer using the Application Layer Gateway feature. The Application Layer Gateway provides filters for the following common protocols: FTP ALG Check this check box to allow FTP traffic through the firewall using its default ports. This feature is enabled by default. TFTP ALG Check this check box to allow TFTP traffic through the firewall using its default ports. This feature is enabled by default.
10 Stateless FIN/RESET Flow Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds. ICMP Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 30 seconds. UDP Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 90 seconds.
10 1. Select Configuration > Security > Wireless Firewall > MAC Firewall Rules to display existing IP Firewall Rule policies. FIGURE 5 MAC Firewall Rules screen 2. Select + Add Row to create a new MAC Firewall Rule. Select an existing policy and click Edit to modify the attributes of that rule’s configuration. 3. Select the added row to expand it into configurable parameters for defining the MAC based firewall rule.
10 FIGURE 6 MAC Firewall Rules Add/Edit screen 4. If adding a new MAC Firewall Rule, provide a name up to 32 characters. 5. Define the following parameters for the MAC Firewall Rule: Allow Every MAC firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny - Instructs the firewall to prevent a packet from proceeding to its destination.
10 Action The following actions are supported: Log - Events are logged for archive and analysis. Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. - VLAN 802.1p priority. - DSCP bits in the IP header. - TOS bits in the IP header. Mark, Log - Conducts both mark and log functions. Ethertype Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp, or monitor 8021q.
10 IP based firewalls function like Access Control Lists (ACLs) to filter/mark packets, as opposed to filtering packets on layer 2 ports. IP firewalls implement uniquely defined access control policies, so if you don't have an idea of what kind of access to allow or deny, a firewall is of little value, and could provide a false sense of network security. IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned.
10 FIGURE 8 IP Firewall Rules Add screen 4. IP firewall configurations can either be modified as a collective group of variables or selected and updated individually as their filtering attributes require a more refined update. Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively.
10 FIGURE 10 IP Firewall Rules Add Criteria screen NOTE Only those selected IP ACL filter attributes display. Each value can have its current setting adjusted by selecting that IP ACL’s column to display a pop-up to adjust that one value. 5. Define the following IP firewall rule settings as required: Precedence Specify or modify a precedence for this IP policy between 1-5000. Rules with lower precedence are always applied to packets first.
10 ICMP Code Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. Many ICMP types have a corresponding code, helpful for troubleshooting network issues (0 - Net Unreachable, 1 - Host Unreachable, 2 - Protocol Unreachable etc.). Start VLAN Select a Start VLAN icon within a table row to set (apply) a start VLAN range for this IP ACL filter.
10 FIGURE 11 Wireless IPS screen The LDAP Settings tab displays by default.
10 In the Configuration section define the following LDAP server parameters: LDAP Query If LDAP attributes are enabled for the selected wireless client role policy, select an LDAP query mode of either Internal (Self) or Through Wireless Controller. Select Internal (Self) to use local LDAP server resources configured in the LDAP Server Options. Dead Period When using an external LDAP server, select the Dead Period between 60 and 300 seconds.
10 FIGURE 13 Wireless Client Roles screen 3. Refer to the following configuration data for existing roles: Role Name Displays the name assigned to the client role policy when it was initially created. Precedence Displays the precedence number associated with each role. Precedence numbers determine the order a role is applied. Roles with lower numbers are applied before those with higher numbers.
10 FIGURE 14 Wireless Client Roles screen - Settings tab 5. If creating a new role, assign it a Role Name to help differentiate it from others that may have a similar configuration. The role policy name cannot exceed 64 characters. The name cannot be modified as part of the edit process. 6. Within the Role Precedence field, use the spinner control to set a numerical precedence value between 1 - 10,000. Precedence determines the order a role is applied.
10 8. Refer to the Match Expressions field to create filter rules based on AP locations, SSIDs and RADIUS group memberships. AP Location Use the drop-down menu to specify the location of an Access Point matched in a RF Domain or the Access Point’s resident configuration. Select one of the following filter options: Exact - The role is only applied to Access Points with the exact location string specified in the role.
10 14. Select the Firewall Rules tab to set default Firewall rules for Inbound and Outbound IP and MAC Firewall rules. FIGURE 15 Wireless Client Roles screen - Default Firewall Rules tab A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network.
10 Precedence Specify or modify a precedence for this IP policy between 1-5000. Rules with lower precedence are always applied to packets first. If modifying a precedence to apply a higher integer, it will move down the table to reflect its lower priority. Action Every IP Firewall rule is made up of matching criteria rules. The action defines the packet’s disposition if it matches the specified criteria.
10 ICMP Code Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. Many ICMP types have a corresponding code, helpful for troubleshooting network issues (0 - Net Unreachable, 1 - Host Unreachable, 2 - Protocol Unreachable etc.). Start VLAN Select a Start VLAN icon within a table row to set (apply) a start VLAN range for this IP ACL filter.
10 MAC Firewall Rules If creating a new MAC Firewall rule, assign it a name (up to 64 characters) to help differentiate it from others that may have similar configurations. Allow Every MAC Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny - Instructs the Firewall to prohibit a packet from proceeding to its destination.
10 Action The following actions are supported: Log - Logs the event when this rule is applied to a wireless clients association attempt. Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. - VLAN 802.1p priority. - DSCP bits in the header. - TOS bits in the header. Mark, Log — Applies both log and mark actions. Ethertype Use the drop-down menu to specify an Ethertype. An EtherType is a two-octet field within an Ethernet frame.
10 FIGURE 16 Security - Device Fingerprinting - Client Identity screen Select Add to create a new client identity policy, Edit to modify a selected policy or Delete to remove obsolete policies from the list of those available. Client identity policies use signatures to identify and group clients. Signatures are sets of attributes unique to the device model and manufacturer.
10 FIGURE 17 Security - Device Fingerprining - Client Signature Optionally select Pre-defined and choose from a list of pre-defined client identities. Once selected, the DHCP Match Criteria field is populated with fingerprints for the selected client identity. To create a custom identity configuration, select Custom and provide a name in the adjacent field. Select the OK button at the bottom of the screen.
10 Match Type Use the drop-down menu to select how signatures are matched. Available options include: • Exact – The complete signature string matches the string specified in the Option Value field. • Starts-with – The signature is checked if it starts with the string specified in the Option Value field. • Contains – The signature is checked if it contains the string specified in the Option Value field. Value Format Use the drop-down menu to select the character format of the value being checked.
10 Device fingerprinting relies on specific information sent by a client when acquiring an IP address and configuration information from a DHCP server. Device fingerprinting uses the DHCP options sent by the wireless client in DHCP request or discover packets to derive a signature specific to a device class. For example, Apple devices have a different signature from Android devices. The signature is used to classify the devices and assign permissions and restrictions on each class.
10 Intrusion Prevention Wireless Intrusion Protection Systems (WIPS) provides continuous protection against wireless threats and acts as an additional layer of security complementing wireless VPNs and encryption and authentication policies. WIPS is supported through the use of dedicated sensor devices designed to actively detect and locate unauthorized AP devices. After detection, they use mitigation techniques to block the devices by manual termination or air lockdown.
10 The Wireless IPS screen displays by default. The Wireless IPS screen lists existing WIPS policies if any are configured. Any of these existing WIPS policies can be selected and applied. FIGURE 20 Wireless IPS screen 3. Refer to the following for existing WIPS policies: WIPS Policy Displays the name assigned to the WIPS policy when it was initially created. The name cannot be modified as part of the edit process.
10 FIGURE 21 WIPS Policy screen - Settings tab 6. If creating a new WIPS Policy, assign it name to help differentiate it from others that may have a similar configuration. The policy name cannot exceed 64 characters. The name cannot be modified as part of the edit process. 7. Within the Wireless IPS Status field, select either the Enabled or Disabled radio button to either activate or de-activate the WIPS policy. The default setting is enabled. 8.
10 9. Refer to the Rogue AP Detection field to define the following detection settings for this WIPS policy: Enable Rogue AP Detection Select the checkbox to enable the detection of unauthorized (unsanctioned) devices fro this WIPS policy. The default setting is disabled. Wait Time to Determine AP Status Define a wait time in either Seconds (10 - 600) or Minutes (1 - 10) before a detected AP is interpreted as a rogue (unsanctioned) device, and potentially removed. The default interval is 1 minute.
10 FIGURE 22 WIPS Events screen - Excessive tab The Excessive tab lists a series of events that can impact the performance of the network. An administrator can enable or disable the filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action. An Excessive Action Event is an event where an action is performed repetitively and continuously. DoS attacks come under this category.
10 14. Select OK to save the updates to the to excessive actions configuration used by the WIPS policy. Select Reset to revert to the last saved configuration. 15. Select the MU Anomaly tab: FIGURE 23 WIPS Events screen - MU Anomaly tab MU anomaly events are suspicious events by wireless clients that can compromise the security and stability of the network. Use this MU anomaly screen to configure the intervals clients can be filtered upon the generation of each defined event. 16.
10 18. Select the AP Anomaly tab. FIGURE 24 WIPS Events screen - AP Anomaly tab AP anomaly events are suspicious frames sent by a neighboring APs. Use this screen to determine whether an event is enabled for tracking. Set the following AP Anomaly Events parameters: Name Displays the name of the AP anomaly event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
10 FIGURE 25 WIPS Signatures screen 21. The WIPS Signatures screen displays the following read-only data: Name Lists the name (in the top left-hand corner) assigned to each signature when it was created. A signature name cannot be modified as part of the edit process. Signature Displays whether the signature is enabled. A green checkmark defines the signature as enabled. A red “X” defines the signature as disabled. Each signature is disabled by default.
10 FIGURE 26 WIPS Signatures Configuration screen 23. If adding anew WIPS signature, define a Name to distinguish it from others with similar configurations. The name cannot exceed 64 characters. 24. Set the following network address information for a new or modified WIPS Signature: Enable Signature Select the check box to enable the WIPS signature for use with the profile. The default signature is enabled. BSSID MAC Define a BSS ID MAC address used for matching and filtering with the signature.
10 25. Refer to Thresholds field to set signature threshold limitations used as filtering criteria. Client Threshold Specify the threshold limit per client that, when exceeded, signals the event. The configurable range is from 1 - 65,535. Radio Threshold Specify the threshold limit per radio that, when exceeded, signals the event. The configurable range is from 1 - 65,535. 26.
10 3. Review to the following to determine whether a new Advanced WIPS policy requires creation or edit. Advanced WIPS Policy Lists the name of each Advanced WIPS Policy. Wireless Controller Port Displays the port number where the advanced WIPS daemon resides. Device Categorization Lists the device categorization currently being used by each WIPS policy to classify a set of device permissions (authorized, unauthorized etc.) 4.
10 6. Define the following Settings for the Advanced WIPS policy: Wireless Controller Port Use the spinner control to set the port the advanced WIPS daemon listens over. The default port is 8,443. Device Categorization Set the device categorization as sanctioned, unsanctioned etc. Select the Create icon to create a new Device Category configuration, or the Edit icon to modify the configuration of an existing configuration. 7.
10 10. Select the radio button corresponding to the Sanctioned, Unsanctioned or Neighboring option for each listed event. 11. Review a description of each event by highlighting it the table and revising the Description displayed on the right-hand of the screen. 12. The Events List contains the following events to either authorize, unauthorize or interpret as neighboring for the Advanced WIPS policy: • Accidental Association - An authorized station has connected to an unauthorized or ignored Access Point.
10 • WLAN Jack Attack - DoS attack in which the WLAN Jack tool is used to send de-authentication frames to wireless clients using the spoofed MAC address of the real AP. This leads the clients to de-authenticate and drop their wireless connections. 13. Select OK to save the updates to the Advanced WIPS Events List. Select Reset to revert to the last saved configuration.
10 3. Select Add to create a new Device Categorization policy, Edit to modify the attributes of a selected existing policy or Delete to remove obsolete policies from the list of those available. FIGURE 30 WIPS Device Categorization Configuration screen 4. If creating a new Device Categorization policy, provide it a Name (up to 64 characters) to distinguish this policy from others with similar configurations. Select OK to save the name and enable the remaining parameters on the screen. 5.
10 Classification Use the drop-down menu to designate the target device as either sanctioned (True) or unsanctioned (False). The default setting is False, categorizing this device as unsanctioned. Thus, each added device requires authorization. A green checkmark designates the device as sanctioned, while a red “X” defines the device as unsanctioned. Device Type Use the drop-down menu to designate the target device as either an Access Point (True) or other (False).
Chapter Services Configuration 11 Controllers and service platforms natively support services to provide guest user access to the network, lease DHCP IP addresses to requesting clients and provide RADIUS client authentication.
11 The Captive Portal screen displays the configurations of existing policies. New policies can be created, existing policies can be modified or existing policies deleted. FIGURE 1 Captive Portal Policy screen 3. Refer to the following captive portal policy parameters to determine whether a new policy requires creation, or an existing policy requires edit or deletion: Captive Portal Policy Displays the name assigned to the captive portal policy when initially created.
11 A Basic Configuration screen displays by default. Define the policy’s security, access and whitelist basic configuration before actual HTML pages can be defined for guest user access requests.
11 5. Define the following Settings for the captive portal policy: Captive Portal Policy If creating a new policy, assign a name representative of its access permissions, location or intended wireless client user base. If editing an existing captive portal policy, the policy name cannot be modified. The name cannot exceed 32 characters. Captive Portal Server Mode Set the mode as either Internal (Self), Centralized or Centralized Controller.
11 8. Set the following Client Settings to define client VLAN assignments, and the duration clients are allowed captive portal access and when they’re timed out due to inactivity: Radius VLAN Assignment Select this option to enable client VLAN assignments using the RADIUS server. If, as part of the authentication process, the RADIUS server returns a client’s VLAN-ID in a RADIUS access-accept packet, and this feature is enabled, all client traffic is forwarded on the post authentication VLAN.
11 b. Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host included in the Whitelist. c. Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled. d. If necessary, select the radio button of an existing Whitelist entry and select the - Delete icon to remove the entry from the Whitelist. 11.
11 FIGURE 4 Captive Portal Policy Internal Web Page screen The Login screen prompts the user for a username and password to access the captive portal and proceed to either the Terms and Conditions page (if used) or the Welcome page. The Terms and Conditions page provides conditions that must be agreed to before captive portal access is permitted. The Welcome page asserts a user has logged in successfully and can access the captive portal.
11 17. Provide the following information for the Login, Terms and Conditions, Welcome, Fail and No Service tabs: Organization Name Set any organizational specific name or identifier which clients see during login. Title Text Set the title text displayed on the pages when wireless clients access captive portal pages. The text should be in the form of a page title describing the respective function of each page and should be unique to each function.
11 20. Select the Externally Hosted radio button if hosting the captive portal on an external server resource.
11 FIGURE 5 Captive Portal Policy Externally Hosted Web Page screen Login URL Define the complete URL for the location of the Login screen. The Login screen prompts the user for a username and password to access either the Terms and Conditions or Welcome page. Agreement URL Define the complete URL for the location of the Terms and Conditions page. The Terms and Conditions page provides conditions that must be agreed to before wireless client access is provided.
11 1. Select Configuration > Services. The upper, left-hand, side of the user interface displays a Services menu pane where Captive Portal, DHCP and RADIUS configuration options can be selected. 2. Select Captive Portals. The Captive Portal screen displays the configurations of existing policies. New policies can be created, existing policies can be modified or existing policies deleted. 3. Select DNS Whitelist FIGURE 6 Captive Portal DNS Whitelist screen 4.
11 FIGURE 7 Captive Portal Whitelist screen b. Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host included in the Whitelist. c. Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled. d. If necessary, select the radio button of an existing Whitelist entry and select the - Delete icon to remove the entry from the Whitelist.
11 • Guest access services should be defined in a manner whereby end-user traffic doesn’t cause network congestion. • Brocade recommends a valid certificate be issued and installed on all devices providing captive portal access to the WLAN and wireless network. The certificate should be issued from a public certificate authority ensuring guests can access the captive portal without browser errors.
11 FIGURE 8 DHCP Server Policy screen 2. Review the following DHCP server configurations (at a high level) to determine whether a new server policy requires creation, an existing policy requires modification or an existing policy requires deletion: DHCP Server Policy Lists the name assigned to each DHCP server policy when it was initially created. The name assigned to a DHCP server policy cannot be modified as part of the policy edit process. However, obsolete policies can be deleted as needed.
11 1. Select Configuration > Services > DHCP Server Policy. The DHCP Server Policy screen displays the DHCP Pool tab by default. FIGURE 9 DHCP Server Policy screen - DHCP Pool tab 2. Review the following DHCP pool configurations to determine if an existing pool can be used as is, a new one requires creation or edit, or a pool requires deletion: DHCP Pool Displays the name assigned to the network pool when created.
11 FIGURE 10 DHCP Pools screen - Basic Settings tab If adding or editing a DHCP pool, the DHCP Pool screen displays the Basic Settings tab by default. Define the required parameters for the Basic Settings, Static Bindings and Advanced tabs to complete the creation of the DHCP pool. 4. Set the following General parameters from within the Basic Settings tab: DHCP Pool If adding a new pool, a name is required. The pool is the range of IP addresses defined for DHCP assignment or lease.
11 a. Select the + Add Row button at the bottom of the IP addresses field to add a new range. Select the radio button of an existing IP address range and select the Delete icon to remove it from the list of those available. b. Enter a viable range of IP addresses in the IP Start and IP End columns. This is the range of addresses available for assignment to requesting clients. c.
11 7. Review the following to determine if a static binding can be used as is, a new binding requires creation or edit, or if a binding requires deletion: Client Identifier Type Lists whether the reporting client is using a hardware address or client identifier as its identifier type within requests to the DHCP server. Value Lists the hardware address or client identifier assigned to the client when added or last modified.
11 9. Define the following General parameters to complete the creation of the static binding configuration: IP Address Set the IP address of the client using this host pool for DHCP resources. Domain Name Provide a domain name of the current interface. Domain names aren’t case sensitive and can contain alphabetic or numeric letters or a hyphen. A fully qualified domain name (FQDN) consists of a host name plus a domain name. For example, computername.domain.com.
11 15. Select the Advanced tab to define additional NetBIOS and Dynamic DNS parameters. FIGURE 13 DHCP Pools screen - Advanced tab 16. The addition or edit of the network pool’s advanced settings requires the following General parameters be set: Boot File Enter the name of the boot file used with this pool. Boot files (Boot Protocol) can be used to boot remote systems over the network. BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded.
11 a. Select the + Add Row button to add individual options. Assign each a Global DHCP Option Name to help differentiate it from others with similar configurations. Select the radio button of an existing option and select Delete to remove it from the list. b. Assign a Value to each option from 1 - 254. A vendor-specific option definition only applies to the vendor class for which it’s defined. 19.
11 FIGURE 14 DHCP Server Policy screen - Global Settings tab 3. Set the following parameters within the Configuration field: Ignore BOOTP Requests Select the checkbox to ignore BOOTP requests. BOOTP (boot protocol) requests boot remote systems within the network. BOOTP messages are encapsulated inside UDP messages and forwarded. This feature is disabled by default, so unless selected, BOOTP requests are forwarded. Ping Timeout Set an interval (from 1 -10 seconds) for the DHCP server ping timeout.
11 DHCP Class Policy Configuration The local DHCP server assigns IP addresses to DHCP enabled wireless clients based on user class option names. Clients with a defined set of user class option names are identified by their user class name. The DHCP server can assign IP addresses from as many IP address ranges as defined by the administrator.
11 FIGURE 15 DHCP Class Name Add screen 5. If adding a new DHCP Class Name, assign a name representative of the device class supported. The DHCP user class name should not exceed 32 characters. 6. Select a row within the Value column to enter a 32 character maximum value string. 7. Select the Multiple User Class check box to enable multiple option values for the user class. This allows the user class to transmit multiple option values to DHCP servers supporting multiple user class options. 8.
11 Setting the RADIUS Configuration Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software enabling remote access servers to authenticate users and authorize their access. RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients send authentication requests to the local RADIUS server containing user authentication and network service access information.
11 • Rate limit traffic To access RADIUS Groups menu: 1. Select the Configuration tab from the main menu. 2. Select the Services tab from the Configuration menu. 3. Select RADIUS > Groups from the Configuration > Services menu. The browser displays a list of the existing groups. FIGURE 16 RADIUS Group screen 4.
11 Creating RADIUS Groups To create a RADIUS group: 1. Select Configuration tab from the main menu. 2. Select the Services tab from the Configuration menu. 3. Select RADIUS > Groups from the Configuration > Services menu. 4. Click the Add to create a new RADIUS group, Edit to modify the configuration of an existing group or Delete to permanently remove a selected group. FIGURE 17 RADIUS Group Policy Add screen 5.
11 Rate Limit to Air Select the checkbox to set the rate limit from clients within the RADIUS group. Use the spinner to set value from 100-1,000,000 kbps. Setting a value of 0 disables rate limiting. Management Group Select this option to designate this RADIUS group as a management group. This feature is disabled by default. If set as management group, assign member roles (System-Admin, Help Desk etc.) using the Role drop-down menu.
11 FIGURE 18 RADIUS User Pool screen The RADIUS User Pool screen lists the default pool along with any other admin created user pool. 4. Select Add to create a new user pool, Edit to modify the configuration of an existing pool or Delete to remove a selected pool. 5. If creating a new pool, assign it a name up to 32 characters and select Continue. The name should be representative of the users comprising the pool and/or the temporary or permanent access privileges assigned.
11 6. Refer to the following User Pool configurations to discern when specific user IDs have access to RADIUS resources: User Id Displays the unique alphanumeric string identifying this user. This is the ID assigned to the user when created and cannot be modified with the rest of the configuration. Guest User Specifies (with a green check) the user has guest access and temporary permissions to the local RADIUS server. The terms of the guest access can be set uniquely for each user.
11 8. Refer the following fields in the User screen to create a new user Id with unique access privileges: User Id Assign a unique alphanumeric string identifying this user. The Id cannot exceed 64 characters. Password Provide a password unique to this user ID. The password cannot exceed 32 characters. Select the Show checkbox to expose the password’s actual character string, leaving the option unselected displays the password as a string of asterisks (*).
11 FIGURE 21 RADIUS Server Policy screen 5. Select a server policy from the Server Policy Browser. The user has the option of adding a new policy, modifying an existing one, or deleting a policy. RADIUS Server Policy Lists the administrator assigned policy name defined upon creation of the server policy. RADIUS User Pools Lists the user pools assigned to this server policy.
11 6. Select the Copy button to copy the settings of a selected (existing) RADIUS server configuration to a new or existing policy. When selected, a small dialogue displays prompting the administrator to enter the name of policy to copy the existing policy settings to. Enter the name of the RADIUS server policy receiving the existing server policy settings within the Copy To field and select the Copy button to initiate the configuration copy operation.
11 9. If creating a new policy, assign it a RADIUS Server Policy name up to 32 characters. 10. Configure the following Settings required in the creation or modification of the server policy: RADIUS User Pools Select the user pools (groups of existing client users) to apply to this server policy. Up to 32 policies can be applied. If there is not an existing user pool configuration suitable for the deployment, select the Create link and define a new configuration.
11 12. Select + Add Row within the Authentication field to define the following Authentication Data Source rules for the RADIUS server policy: Precedence Use the spinner control to set the numeric precedence (priority) for this authentication data source rule. Rules with the lowest precedence receive the highest priority. Set the value between 1 - 5000. This value is mandatory. SSID Enter or modify the SSID associated with the authentication data source rule. The maximum number of characters is 32.
11 Refer to the following to add RADIUS clients, proxy server configurations, LDAP server configurations and review deployment considerations impacting the effectiveness of the RADIUS supported deployment: • Configuring RADIUS Clients • Configuring a RADIUS Proxy • Configuring an LDAP Server Configuration Configuring RADIUS Clients A RADIUS client is a mechanism to communicate with a central server to authenticate users and authorize access to the network.
11 4. Specify a Shared Secret for authenticating the RADIUS client. Shared secrets verify RADIUS messages with RADIUS enabled device configured with the same shared secret. Select the Show checkbox to expose the shared secret’s actual character string, leaving the option unselected displays the shared secret as a string of asterisks (*). 5. Click OK button to save the server policy’s client configuration. Click the Reset button to revert to the last saved configuration.
11 2. Enter the Proxy server retry delay time in the Proxy Retry Delay field. Enter a value from 5 -10 seconds. This is the interval the RADIUS server waits before making an additional connection attempt. The default delay interval is 5 seconds. 3. Enter the Proxy server retry count value in the Proxy Retry Count field. Set from 3 - 6 to define the number of retries sent to the proxy server before giving up the request. The default retry count is 3 attempts. 4.
11 FIGURE 25 RADIUS Server Policy screen - LDAP tab 2. Refer to the following to determine whether an LDAP server can be used as is, a server configuration requires creation or modification or a configuration requires deletion and permanent removal. Redundancy Displays whether the listed LDAP server IP address has been defined as a primary or secondary server resource.
11 FIGURE 26 LDAP Server Add screen 4. Set the following Network address information required for the connection to an external LDAP server resource: Redundancy Define whether this LDAP server is a primary or secondary server resource. Primary servers are always queried for connection first. However, designating at least one secondary server is a good practice to ensure RADIUS user information is available if a primary server were to become unavailable.
11 5. Set the following Access address information required for the connection to the external LDAP server resource: Bind DN Specify the distinguished name to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas. Base DN Specify a distinguished name (DN) that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching.
11 With forward caching, content is temporarily stored on the local network and can be retrieved by users without routing the request to an external server on the Internet. This typically requires changes to client devices to proxy requests through a forward caching proxy server. Transparent caching acts as an intermediary for the origin server(s) and returns cached content to clients as if the data originated from the associated servers.
11 Protocols Lists the protocols enabled for forwarding smart caching proxy requests. VLANs Lists the virtual LANs defined for the smart caching proxy. The available range is from 1 - 4,094. Cache Size Displays the size of service platform content cache disc storage available for Web content (in gigabytes). The available range is from 1 - 32 gigabytes. The default is 16 gigabytes. Access Logging A green check mark in this column defines access logging as enabled.
11 FIGURE 28 Smart Caching - Basic Settings screen 5. If creating a new smart caching policy, assign it a Name representative of its access permissions, location or intended client user base. If editing an existing smart caching policy, the policy name cannot be modified. The name cannot exceed 32 characters. Select Enable Smart Caching to make Web content available locally on devices networked with a NX4500 or NX6500 series service platform.
11 Set the following Forward Proxy parameters Enable Forward Proxy Select this option to allow this device to act as a forward proxy on specified VLANs. This setting is disabled by default. When selected, additional forward proxy settings require configuration. IP Address Set the IP address where the forward smart caching proxy server is listening.
11 This is the list of URLs whose content is pre fetched into the service platform's cache. The pre fetch function is performed immediately or can be scheduled at a certain time based on configuration. 11. Select OK to save the smart caching basic settings configuration. Select Reset to revert to the last saved configuration. HTTP Access Rules HTTP access rules are a set of access control rules that determine whether to permit or deny an HTTP request.
11 Review the following HTTP Access Rules to determine whether a rule configuration requires creation or modification: Precedence Precedence value (1 - 100) of each listed HTTP access rule. Permit A green check mark defines Permit as enabled. A red “X” defines Permit as disabled (denied). When enabled, HTTP requests that match this rule are permitted. If not enabled, HTTP requests that match this rule are denied. Source IP Match against the source (origination) IP address of the HTTP request.
11 FIGURE 30 HTTP Access Rule - Add/Edit screen 2. Set the following HTTP Access Rules: Precedence Set a precedence value to determine the order HTTP access rules are applied. The available range is 1 - 100. The lower the integer, the high the priority. Permit When enabled, HTTP requests that match this rule are permitted. If not enabled, HTTP requests that match this rule are denied. The default setting is disabled.
11 Cache Rules Cache rules are a set of rules that determine whether to cache or not based on a set of parameters that include source and destination IP, destination domain and destination domain regex. Cache rules define the source and destination IP addresses, destination domain names and expression types for smart caching.
11 Refer to the following Cache Rules to determine whether a cache rule configuration requires creation or modification: Precedence Lists the order (from 1 - 100) smart caching rules are applied. The lower the integer, the higher the precedence. Permit A green check mark defines caching as permitted and enabled. A red “X” defines caching as disabled. When enabled, content is cached locally on the service platform. Content is not cached on the service platform if disabled. The default setting is enabled.
11 FIGURE 32 Cache Rules - Add/Edit screen 2. Set the following Cache Rules: Precedence Set a value determining the order cache access rules are applied. The available range is from 1 - 100. Permit When enabled, cache requests that match this rule are permitted. If not enabled, cache requests that match this rule are denied. The default setting is enabled, making it available locally to requesting devices. Source IP Set the source (origination) IP address transmitted with the caching request.
11 To review aging rules for a smart caching policy: 1. Select Configuration tab from the main menu. 2. Select the Services tab from the Configuration menu. The upper, left-hand, side of the user interface displays a Services menu pane where Captive Portal, DHCP Server Policy, RADIUS and Smart Caching configuration options can be selected. 3. Select Smart Caching. 4. Select Add to create a new policy or Edit to modify an existing policy. 5. Select the Aging Rules tab.
11 Minimum Age This is the time an object without an explicit expiry time is considered fresh. A response can't be stale unless its time in the cache exceeds the minimum value. Maximum Age Lists the maximum period (as an upper limit) on how long objects without an explicit expiry time are considered fresh. A response cannot be fresh unless the period in the cache is less than the maximum time.
11 Set the following Aging Rules to determine the duration of cached Web content on the service platform: Precedence Set the order HTTP access rules are applied. The available range is from 1 - 100. URL Regex Set the regular expressions used to match a part of a requested URL, including the transfer protocol and origin server hostname. Case Sensitive Select this option to enable case sensitivity for the URL regex. When disabled, case sensitivity is ignored.The default is disabled.
11 FIGURE 35 Smart Caching - URL List Name screen Refer to the URL List Name table to review the administrator assigned name applied to the URL list policy upon creation. Select Add to create a URL lists policy. Select an existing policy and click Edit to modify, Delete to remove or Copy to copy the settings of a selected (existing) URL lists policy. Adding or Editing URL Lists Use the URL Entries screen to define URLs for smart caching.
11 FIGURE 36 URL List Name - Add/Edit screen 2. Select + Add Row to display configurable parameters for defining a URL and its depth. 3. If creating a new URL lists policy, assign it a Name. If editing an existing URL Lists policy, the policy name cannot be modified. The name cannot exceed 32 characters. Set the following URL Lists parameters: URL Set the requested URL monitored and routed according to existing cache content policies.This value is mandatory.
Chapter Management Access 12 Controllers and service platforms have mechanisms to allow/deny device access for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Management access can be enabled/disabled as required for unique policies. The Management Access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces.
12 FIGURE 1 Management Browser screen The Management Policy screen displays existing management policies and their unique protocol support configurations. FIGURE 2 Management Policy screen 3.
12 A green check mark indicates controller or service platform device access is allowed using the listed protocol. A red X indicates device access is denied using the listed protocol. Management Policy Displays the name of the Management Access policy assigned when initially created. The name cannot be updated when modifying a policy. Telnet Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication.
12 Once the new name is defined, the screen’s four tabs become enabled, with the contents of the Administrators tab displayed by default. Refer to the following to define the configuration of the new Management Access policy: • Creating an Administrator Configuration - Use the Administrators tab to create specific users, assign them permissions to specific protocols and set specific administrative roles for the network.
12 The controller or service platform authenticates users using the integrated local database. When user credentials are presented the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles assigned. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account’s access mode list.
12 FIGURE 4 Administrators screen 3. If creating a new administrator, enter a user name in the User Name field. This is a mandatory field for new administrators and cannot exceed 32 characters. Optimally assign a name representative of the user and role. 4. Provide a strong password for the administrator within the Password field, once provided, Reconfirm the password to ensure its accurately entered. This is a mandatory field. 5. Select Access options to define the permitted access for the user.
12 6. Select the Administrator Role for the administrator using this profile. Only one role can be assigned. Superuser Select this option to assign complete administrative rights to the user. This entails all the roles listed for all the other administrative roles. System The System role provides permissions to configure general settings like NTP, boot parameters, licenses, perform image upgrades, auto install, manager redundancy/clustering and control access.
12 In the following example, a controller has two IP interfaces defined with VLAN10 hosting management and network services and VLAN70 providing guest services. For security the guest network is separated from all trusted VLANs by a firewall. Interface Description IP Address Management VLAN10 Services Yes Yes VLAN70 Guest Yes No By default, management services are accessible on both VLAN10 and VLAN70, and that’s not desirable to an administrator.
12 FIGURE 5 Management Policy screen - Access Control tab 2. Set the following parameters required for Telnet access: Enable Telnet Select the checkbox to enable Telnet device access. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication. Telnet access is disabled by default. Telnet Port Set the port on which Telnet connections are made (1 - 65,535). The default port is 23.
12 4. Set the following HTTP/HTTPS parameters: Enable HTTP Select the checkbox to enable HTTP device access. HTTP provides limited authentication and no encryption. Enable HTTPS Select the checkbox to enable HTTPS device access. HTTPS (Hypertext Transfer Protocol Secure) is more secure plain HTTP. HTTPS provides both authentication and data encryption as opposed to just authentication (as is the case with HTTP).
12 8. Select OK to update the access control configuration. Select Reset to the last saved configuration. Setting the Authentication Configuration Adding or Editing a Management Access Policy Refer to the Authentication tab to define how user credential validation is conducted on behalf of a Management Access policy. If utilizing an external authentication resource, an administrator can optionally apply a TACACS policy.
12 3. Select OK to update the authentication configuration. Select Reset to the last saved configuration. Setting the SNMP Configuration Adding or Editing a Management Access Policy Optionally use the Simple Network Management Protocol (SNMP) to communicate with devices within the network. SNMP is an application layer protocol that facilitates the exchange of management information between the controller or service platform and a managed device.
12 FIGURE 7 Management Policy screen - SNMP tab 2. Enable or disable SNMP v1, SNMPv2 or SNMPv3. Enable SNMPv1 SNMP v1exposes a device’s management data so it can be managed remotely. Device data is exposed as variables that can be accessed and modified as text strings, with version 1 being the original (rudimentary) implementation. SNMPv1 is enabled by default. Enable SNMPv2 Select the checkbox to enable SNMPv2 support. SNMPv2 provides device management using a hierarchical set of variables.
12 3. Set the SNMP v1/v2 Community String configuration. Use the + Add Row function as needed to add additional SNMP v1/2 community strings, or select an existing community string’s radio button and select the Delete icon to remove it. Community Define a public or private community designation. By default, SNMPv2 community strings on most devices are set to public, for the read-only community string, and private for the read-write community string.
12 FIGURE 8 Management Policy screen - SNMP Traps tab 2. Select the Enable Trap Generation checkbox to enable trap generation using the trap receiver configuration defined. This feature is disabled by default. 3. Refer to the Trap Receiver table to set the configuration of the external resource dedicated to receiving trap information. Select Add Row + as needed to add additional trap receivers. Select the Delete icon to permanently remove a trap receiver.
12 Mobility and ADSP must be consistent in the manner events are reported up through a network hierarchy to ensure optimal interoperability and event reporting. To provide such consistency, Mobility has added support for an ADSP-like hierarchal tree. The tree resides within Mobility, and ADSP reads it from Mobility and displays the network hierarchy in its own ADSP interface. The hierarchal tree can also be used to launch ADSP modules (like Spectrum Analyzer) directly from Mobility.
12 FIGURE 9 Hierarchal Tree screen 4. To add a Country, Region, City or Campus to the tree, select System from the upper, left-hand, portion of the Tree Setup screen. An add child link displays on the right-hand side of the display. If adding a Country, select a deployment country from the Type drop-down menu and use the Name drop-down menu to scroll to the country of deployment where the RF Domain resides.
12 NOTE If a tree container (country, region, city or campus) has a red box around it, it either has invalid attributes or a RF Domain requires addition. 5. Select the add RF Domain link at the right-hand side of any container to display an Unmapped RF Domain screen. 6. Provide the default RF Domain name whose deployment area and floor is mapped graphically, and whose events are shared between Mobility and ADSP. Select Add to display the Rf Domain within its respective place in the tree hierarchy.
12 folder,localhost,FloorTLab,,Floor,3,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens In the CSV file, configure specific tree node properties. Index 1 : Record Type. This value is always 'folder'. Import/export allows the configuration of folder nodes only. Leaf nodes cannot be configured like devices. Index 2 : Server Name. This value is always 'localhost' as we are supporting the import/export from localhost only. Index 3 : Name. This configures the name/label of the tree node.
12 • Use management interfaces providing encryption and authentication. Management services like HTTPS, SSH and SNMPv3 should be used when possible, as they provide both data privacy and authentication. • By default, SNMPv2 community strings on most devices are set to public for the read-only community string and private for the read-write community string. Legacy Brocade devices may use other community strings by default.
Chapter 13 Diagnostics Resident diagnostic capabilities enable administrators to understand how devices are performing and troubleshoot issues impacting device performance. Performance and diagnostic information is collected and measured on Brocade controllers and service platforms for any anomalies potentially causing a key processes to fail. Numerous tools are available within the Diagnostics menu.
13 FIGURE 1 Fault Management Filter Events screen Use the Filter Events screen to create filters for managing detected events. Events can be filtered based on severity, module received, source MAC, device MAC and client MAC address. 2. Define the following Customize Event Filters parameters for the Fault Management configuration: Severity Set the filtering severity.
13 3. Select the Add to Active Filters button to create a new filter and add it to the Active Event Filters table. When added, the filter uses the current configuration defined in the Customize Event Filters field. 4. Refer to the Active Event Filters table to set the following parameters for the Fault Management configuration: a. To activate all the events in the Active Events Filters table, select the Enable All Events button. To stop event generation, select Disable All Events. b.
13 6. Define the following Customize Event Filters parameters for the Fault Management configuration: Timestamp Displays the Timestamp (time zone specific) when the fault occurred. Module Displays the module used to track the event. Events detected by other module are not tracked. Message Displays error or status messages for each event listed. Severity Displays the severity of the event as defined for tracking from the Configuration screen.
13 9. Within the Controller(s) tab, select the controller from the Select a Controller field to filter events to display. To filter messages further, select a RF Domain from the Filter by RF Domain field. 10. Within the Access Point(s) tab, select the RF Domain from the Select a RF Domain field to filter events to display. To filter messages further, select a device from the Filter by Device field. 11.
13 FIGURE 4 Crash file information 2. Refer to the following crash file information for the selected device. File Name Displays the name of the file generated when a crash event occurred. This is the file available for copy to an external location for archive and remote administration. Size Lists the size of the crash file, as this information is often needed when copying files to an external location. Last Modified Displays the time stamp of the most recent update to the file.
13 Once a target device has been selected its debugging information displays within the NETCONF Viewer by default. FIGURE 5 UI Debugging screen - NETCONF Viewer 2. Use the NETCONF Viewer to review NETCONF information. NETCONF is a tag-based configuration protocol for Brocade devices. Messages are exchanged using XML tags. 3. The Real Time NETCONF Messages area lists an XML representation of any message generated by the system. The main display area of the screen is updated in real time. 4.
13 696 Brocade Mobility RFS Controller System Reference Guide 53-1003099-01
Chapter 14 Operations The functions within the controller or service platform’s Operations menu allow firmware and configuration files management and certificate generation for managed devices. In a clustered environment, these operations can be performed on one controller or service platform, then propagated to each member of the cluster and onwards to the devices managed by each cluster member. A certificate links identity information with a public key enclosed in the certificate.
14 Operations Summary Device Operations The Summary screen displays by default when the Operations is selected from the controller or service platform’s main menu bar. The Summary screen displays firmware information for a specific device selected from either the RF Domain or Network tabs on the left-hand side of the screen. NOTE When displaying the Summary screen at the RF Domain level of the UI’s hierarchal tree, the screen does not display a field for a device’s Primary and Secondary firmware image.
14 1. Refer to the following to determine whether a firmware image needs to be updated for the selected device, or a device requires a restart or revert to factory default settings. Version Displays the primary and secondary firmware image version from the wireless controller. Build Date Displays the date the primary and secondary firmware image was built for the selected device. Install Date Displays the date the firmware was installed for the selected device.
14 5. Provide the following information to accurately define the location of the target device firmware file: Protocol Select the protocol used for updating the device firmware. Available options include: • tftp • ftp • sftp • http • cf • usb1-4 Port Use the spinner control or manually enter the value to define the port used by the protocol for firmware updates. This option is not valid for cf, or usb1-4. Host Provide the hostname or numeric IP address of the server used to update the firmware.
14 FIGURE 3 Device Upgrade List screen 5. Select a controller, service platform or Access Point model from the Device Type List drop-down menu. This is the device model intended to provision firmware to the devices selected within the All Devices table below. NOTE If selecting the Device Upgrade screen from the RF Domain level of the UI’s hierarchal tree, there’s an additional Upgrade from Controller option to the right of the Device Type List.
14 Use the No Reboot option to keep from rebooting after an upgrade. Select Staggered Reboot to avoid upgrading devices simultaneously and risk bringing down the network. When selected, devices are rebooted incrementally to preserve network availability. 8. Use the All Devices table to select controller, service platform and Access Point models for firmware updates from the device model selected from the Device Type List.
14 12. Selecting Advanced lists additional options for the device’s firmware image file location: Protocol Select the protocol for device firmware file management and transfer. Available options include: • tftp • ftp • sftp • http • cf Port Designate the port for transferring the firmware files used in the upgrade operation. Enter the port number directly or use the spinner control.
14 15. Refer to the Upgrade Status field to assess the completion of in-progress upgrades. Number of devices currently being upgraded Lists the number of firmware upgrades currently in-progress and downloading for selected devices. Once the device has the image it requires a reboot to implement the firmware image. Number of devices currently being booted Lists the number devices currently booting after receiving an upgrade image.
14 FIGURE 6 Upgrade History screen 19. Refer to the following Upgrade History status: Hostname Displays the administrator assigned Hostname for each listed controller, service platform or Access Point that’s received an update. Device Type Displays the controller, service platform or Access Point model upgraded by a firmware update operation. MAC Address Displays the device Media Access Control (MAC) or hardware address for a device that’s received an update.
14 Controllers and service platforms maintain a File Browser allowing an administrator to review the files residing on a controller or service platform’s internal or external memory resource. Directories can be created and maintained for each File Browser location and folders and files can be moved and deleted as an administrator interprets necessary. NOTE The File Management tab is not available at the RF Domain level of the UI’s hierarchal tree.
14 3. If needed, use the Create Folder utility to create a folder that servers as a directory for some or all of the files for a selected memory resource. 4. Select Transfer File to invoke a subscreen where the local or server file source and target (destination) are defined as well as the file transfer protocol and external destination location or resource. For more information, see Managing File Transfers. 5.
14 2. Set the following file management source and target directions as well as the configuration parameters of the required file management activity: Source Select the source of the file transfer. Select Server to indicate the source of the file is a remote server. Select Local to indicate the source of the file is local to this controller or service platform. File If the source is Local, enter the name of the file to be transferred. Protocol Select the protocol for file management.
14 To restart controller or service platform adopted Access Points: 1. Select the Operations > Devices > Adopted AP Restart FIGURE 9 Adopted AP Restart screen 2. The Adopted AP Restart table displays the following information for each Adopted AP: Hostname Displays the specified Hostname for each known Access Point. MAC Address Displays the primary Media Access Control (MAC) or hardware address for each known Access Point. Type Displays the Access Point model number for each adopted Access Point.
14 Captive Portal Configuration Device Operations A captive portal is an access policy that provides temporary and restrictive access to the controller or service platform managed wireless network. A captive portal policy provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the wireless network.
14 2. Use the Captive Portal List drop-down menu to select an existing captive portal configuration to upload to an Access Point and display to requesting client devices as they login and adhere to the terms required for captive portal access. NOTE If selecting the Captive Portal Pages screen from the RF Domain level of the UI’s hierarchal tree, there’s an additional Upload from Controller option to the right of the Captive Portal List drop-down menu.
14 Set the following protocols, ports and network address information for sending image files to captive portal provisioning Access Points: Protocol Define the protocol (transfer medium) used to forward the image files to the Access Points provisioning captive portal files to requesting clients. Available options include: • tftp • ftp • sftp • http The protocol parameter is required only when Server is selected as the Source and the Advanced option is used.
14 Refer to the Status tab to review the progress of Captive Portal Pages upload. Hostname Displays the hostname of the recipient device to which the captive portal files are directed. MAC Displays the factory encoded MAC address of the recipient device. State Displays the target device’s current operational state within the controller or service platform managed network. Progress Displays the completion progress of each captive portal upload operation.
14 FIGURE 13 RAID screen 3. Conduct the following array diagnostic operations from within the RAID Manage Array field: silence Select silence to stop (silence) the service platform’s RAID controller array alarm. When a drive is rendered offline for any reason, the service platform’s array controller alarm is invoked. locate-stop Select locate-stop to stop the LEDs of all the drives within the array. check-start Select check-start to initiate a consistency check on the RAID array. 4.
14 Re-elect Controller Device Operations Use the Controller Re-election screen to identity available Access Point resources within a selected RF Domain and optionally make some, or all, of the Access Points available to initiate tunnel connections. NOTE Take care when selecting Access Points for controller re-election, as client connections may be broken on upon re-election. Ensure an elected Access Point's client load can be compensated by another Access Point in the same RF Domain.
14 8. Refer to the Available APs column, and use the > button to move the selected Access Point into the list of Selected APs available for RF Domain Manager candidacy. Use the >> button to move all listed Access Points into the Selected APs table. The re-election process can be achieved through the selection of an individual Access Point, or through the selection of several Access Points with a specific Tunnel Controller Name matching the selected Access Points. 9.
14 1. Select Operations > Manage Certificates. 2. Select a device from amongst those displayed in either the RF Domain or Network panes on the left-hand side of the screen. FIGURE 15 Manage Certificates screen 3. Select a device from amongst those displayed to review its certificate usage within the controller or service platform managed network. 4. Refer to the All Certificate Details to review the certificate’s properties, self-signed credentials, validity period and CA information. 5.
14 FIGURE 16 Import New Trustpoint screen 6. To optionally import a CA certificate to the controller or service platform, select the Import CA button from the Import New Trustpoint screen. A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.
14 FIGURE 17 Import New Trustpoint - Import CA screen Define the following configuration parameters required for the Import CA of the CA certificate: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. URL Provide the complete URL to the location of the trustpoint.
14 7. Select OK to import the defined CA certificate. Select Cancel to revert the screen to its last saved configuration. 8. Select the Import CRL button from the Import New Trustpoint screen to optionally import a CRL to the controller or service platform. If a certificate displays within the Certificate Management screen with a CRL, that CRL can be imported into the controller or service platform.
14 9. Define the following configuration parameters required for the Import of the CRL Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate. From Network Select the From Network radio button to provide network address information to the location of the target CRL.
14 FIGURE 19 Import New Trustpoint - Import Signed Cert 12. Define the following parameters required for the Import of the Signed Certificate: Trustpoint Name Enter the 32 character maximum trustpoint name with which the certificate should be associated. From Network Select the From Network radio button to provide network address information to the location of the signed certificate. The number of additional fields that populate the screen is dependent on the selected protocol.
14 13. Select OK to import the signed certificate. Select Cancel to revert the screen to its last saved configuration 14. To optionally export a trustpoint from the controller or service platform to a remote location, select the Export button from the Certificate Management screen. Once a certificate has been generated on the controller or service platform’s authentication server, export the self signed certificate. A digital CA certificate is different from a self signed certificate.
14 15. Define the following configuration parameters required for the Export of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. URL Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information to the location of the trustpoint.
14 FIGURE 21 Certificate Management - RSA Keys screen 2. Select a listed device to review its current RSA key configuration. Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key from the controller or service platform to a remote location or delete a key from a selected device. 3. Select Generate Key to create a new key with a defined size.
14 FIGURE 22 Certificate Management - Generate RSA Keys screen 4. Define the following configuration parameters required for the Import of the key: Key Name Enter the 32 character maximum name assigned to the RSA key. Key Size Use the spinner control to set the size of the key (from 1,024 - 2,048 bits). Brocade recommends leaving this value at the default setting of 1024 to ensure optimum functionality. 5. Select OK to generate the RSA key.
14 FIGURE 23 7. Certificate Management - Import New RSA Key screen Define the following parameters required for the Import of the RSA key: Key Name Enter the 32 character maximum name assigned to identify the RSA key. Key Passphrase Define the key used by both the controller or service platform and the server (or repository) of the target RSA key. Select the Show to expose the actual characters used in the passphrase. Leaving the Show unselected displays the passphrase as a series of asterisks “*”.
14 9. To optionally export a RSA key from the controller or service platform to a remote location, select the Export button from the Certificate Management > RSA Keys screen. Export the key to a redundant RADIUS server to import it without generating a second key. If there’s more than one RADIUS authentication server, export the certificate and don’t generate a second key unless you want to deploy two root certificates. FIGURE 24 Certificate Management - Export RSA Key screen 10.
14 12. To optionally delete a key, select the Delete button from within the Certificate Management > RSA Keys screen. Provide the key name within the Delete RSA Key screen and select Delete Certificates to remove the certificate. Select OK to proceed with the deletion, or Cancel to revert back to the Certificate Management screen. Certificate Creation Certificates The Create Certificate screen provides the facility for creating new self-signed certificates.
14 2. Define the following configuration parameters required to Create New Self-Signed Certificate: Certificate Name Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
14 A RSA key must be either created or applied to the certificate request before the certificate can be generated. A private key is not included in the CSR, but is used to digitally sign the completed request. The certificate created with a particular CSR only worked with the private key generated with it. If the private key is lost, the certificate is no longer functional.
14 4. Define the following configuration parameters required to Create New Certificate Signing Request (CSR): RSA Key To create a new RSA key, select Create Key to define a 32 character maximum name used to identify the RSA key. Use the spinner control to set the size of the key (from 1,024 - 2,048 bits). Brocade recommends leaving this value at the default setting of 1024 to ensure optimum functionality. To use an existing key, select Use Existing and select a key from the drop-down me 5.
14 Smart RF is supported in standalone and clustered environments. In standalone environments, the individual controller or service platform manages the calibration and monitoring phases. In clustered environments, a single controller or service platform is elected a Smart Scan master and the remaining cluster members operate as Smart RF clients.
14 FIGURE 27 Smart RF screen 4. Refer to the following to determine whether a Smart RF calibration or an interactive calibration is required: Hostname Displays the assigned Hostname for each member of the RF Domain. AP MAC Address Displays the hardware encoded MAC address assigned to each Access Point radio within the selected RF Domain. This value cannot be modified as past of a calibration activity.
14 Power This column displays the transmit power level for the listed Access Point MAC address after an Interactive Calibration resulted in an adjustment. This is the new power level defined by Smart RF to compensate for a coverage hole. Smart Sensor Defines whether a listed Access Point is smart sensor on behalf of the other Access Point radios comprising the RF Domain. State Displays the current state of the Smart RF managed Access Point radio. Possible states include: Normal, Offline and Sensor.
14 736 Brocade Mobility RFS Controller System Reference Guide 53-1003099-01
Chapter 15 Statistics This chapter describes statistics displayed by the graphical user interface (GUI). Statistics are available for controllers or service platforms and their managed devices. A Smart RF statistical history is available to assess adjustments made to device configurations to compensate for detected coverage holes or device failures.
15 Health System Statistics The Health screen displays the overall performance of the controller or service platform managed network (system). This includes device availability, overall RF quality, resource utilization and network threat perception. To display the health of the wireless controller managed network: 1. Select the Statistics menu from the Web UI. 2. Select the System node from the left navigation pane. 3. Select Health from the left-hand side of the UI. FIGURE 1 System - Health screen 4.
15 6. The Traffic Utilization table displays the top 5 RF Domains with the most effective resource utilization. Utilization is dependent on the number of devices connected to the RF Domain. Top 5 Displays the top 5 RF Domains in terms of usage index. Utilization index is a measure of how efficiently the domain is utilized. This value is defined as a percentage of current throughput relative to the maximum possible throughput.
15 The Inventory screen displays information about the physical hardware managed within the system by its member controller or service platforms. Use this information to assess the overall performance of wireless controller managed devices. To display the inventory statistics: 1. Select the Statistics menu from the Web UI. 2. Select the System node from the left navigation pane. 3. Select Inventory from the left-hand side of the UI. FIGURE 2 System - Inventory screen 4.
15 6. The Clients table displays the total number of wireless clients managed by the controller or service platform. This Top Client Count table lists the top 5 RF Domains, in terms of the number of wireless clients adopted: Top Client Displays the client index of each listed top performing client. RF Domain Displays the name of the client RF Domain. Last Update Displays the UTC timestamp when the client count was last reported. 7.
15 The Adopted Devices screen provides the following: Adopted Device Displays administrator assigned hostname of the adopted device. Select the adopted device to display configuration and network address information in greater detail. Type Displays the adopted Access Point’s model type. RF Domain Name Displays the domain the adopted AP has been assigned to. Select the RF Domain to display configuration and network address information in greater detail.
15 FIGURE 4 System - Pending Adoptions screen The Pending Adoptions screen displays the following: MAC Address Displays the MAC address of the device pending adoption. Select the MAC address to view device configuration and network address information in greater detail. Type Displays the AP type. IP Address Displays the current IP Address of the device pending adoption.
15 To view offline device potentially available for adoption by the controller or service platform: 1. Select the Statistics menu from the Web UI. 2. Select the System node from the left navigation pane. 3. Select Offline Devices from the left-hand side of the UI. FIGURE 5 System - Offline Devices screen The Offline Devices screen provides the following: Hostname Lists the administrator assigned hostname provided when the device was added to the controller or service platform managed network.
15 Device Upgrade System Statistics The Device Upgrade screen displays available licenses for devices within a cluster. It displays the total number of AP licenses. To view a licenses statistics within the controller or service platform managed network: 1. Select the Statistics menu from the Web UI. 2. Select the System node from the left navigation pane. 3. Select Device Upgrade from the left-hand side of the UI. FIGURE 6 System - Device Upgrade screen 4.
15 Retries Count Displays the number of retries required in an update operation. State Displays the done or failed state of an upgrade operation. Clear History Select Clear History to clear the screen of its current status and begin a new data collection. Refresh Select Refresh to update the screen’s statistics counters to their latest values. Licenses System Statistics The Licenses statistics screen displays available licenses for devices within a cluster.
15 4. The Local Licenses table provides the following information: Cluster/Hostname Lists the administrator assigned cluster hostname whose license count and utilization is tallied in this Local Licenses table. AP Licenses Installed Lists the number of Access Point connections available to this controller or service platform under the terms of the current license.
15 7. The Featured Licenses area provides the following information: Hostname Displays the administrator assigned hostname of the controller, service platform or Access Point whose potentially implemented a advanced security, WIPS or Analytics feature licenses. Advanced Security Displays whether the separately licensed Advanced Security application is installed for each hostname. Advanced WIPS Displays whether a separately licensed Advanced WIPS application is installed for each hostname.
15 The RF Domain screens display status for a selected RF domain. This includes the RF Domain health and device inventory, wireless clients and Smart RF functionality. RF Domains allow administrators to assign regional, regulatory and RF configuration to devices deployed in a common coverage area such as on a building floor, or site.
15 FIGURE 8 RF Domain - Health screen 4. The Domain field displays the name of the RF Domain manager. The RF Domain manager is the focal point for the radio system and acts as a central registry of applications, hardware and capabilities. It also serves as a mount point for all the different pieces of the hardware system file. 5. The Devices field displays the total number of online versus offline devices in the RF Domain, and an exploded pie chart depicts their status. 6.
15 7. Refer to the Radio Quality table for RF Domain member radios requiring administration to improve performance: Worst 5 Radios Displays five radios with the lowest average quality in the RF Domain. Radio ID Lists each radio’s administrator defined hostname and its radio designation (radio 1, radio 2 or radio 3). Radio Type Displays the radio type as either 5 GHz or 2.4 GHz. 8.
15 13. The Traffic Statistics statistics table displays the following information for transmitted and received packets: Total Bytes Displays the total bytes of data transmitted and received within the Access Point RF Domain. Total Packets Lists the total number of data packets transmitted and received within the Access Point RF Domain. User Data Rate Lists the average user data rate within the Access Point RF Domain.
15 FIGURE 9 RF Domain - Inventory screen 4. The Device Types table displays the total members in the RF Domain. The exploded pie chart depicts the distribution of RF Domain members by controller and Access Point model type. 5. The Radios by Band field displays the total number of radios using 802.11an and 802.11bgn bands within the RF Domain. The number of radios designated as sensors is also represented. 6.
15 Client Count List the number of connected clients to each listed RF Domain member Access Point. Radio Lists each radio’s administrator defined hostname and its radio designation (radio 1, radio 2 etc.). Radio Band Lists each client’s operational radio band. Location Displays system assigned deployment location for the client. 8. Refer to the WLANs table to review RF Domain WLAN, radio and client utilization.
15 FIGURE 10 RF Domain - Devices screen Device Displays the system assigned name of each device that’s a member of the RF Domain. The name displays as a link that can be selected to display configuration and network address information in greater detail. AP MAC Address Displays each device’s factory encoded MAC address as its hardware identifier. Type Displays each device model within the selected RF Domain. Client Count Displays the number of clients connected with each listed device.
15 3. Select AP Detection from the RF Domain menu. FIGURE 11 RF Domain - AP Detection screen The AP Detection screen displays the following: BSSID Displays the Broadcast Service Set ID (SSID) of the network to which the detected Access Point belongs. Channel Displays the channel of operation used by the detected Access Point. The channel must be utilized by both the Access Point and its connected client and be approved for the target deployment country.
15 3. Select Wireless Clients from the RF Domain menu. FIGURE 12 RF Domain - Wireless Clients screen The Wireless Clients screen displays the following: MAC Address Displays the hostname (MAC address) of each listed wireless client. This address is hard-coded at the factory and can not be modified. The hostname address displays as a link that can be selected to display configuration and network address information in greater detail.
15 RF Domain Name Lists each client’s RF Domain membership as defined by its connected Access Point and associated controller or service platform. Disconnect All Clients Select the Disconnect All Clients button to terminate each listed client’s connection and RF Domain membership. Disconnect Client Select a specific client MAC address and select the Disconnect Client button to terminate this client’s connection and RF Domain membership.
15 The Device Upgrade screen displays the following for RF Domain member devices: Upgraded By Device Lists the name of the device performing an update on behalf of a peer device. Type Displays the model of the device receiving an update. An updating Access Point must be of the same model as the Access point receiving the update.
15 FIGURE 14 RF Domain - Wireless LANs screen The Wireless LANs screen displays the following: WLAN Name Displays the name assigned to each WLAN upon its creation within the controller or service platform managed network. SSID Displays the Service Set ID (SSID) assigned to the WLAN upon its creation within the controller or service platform managed network. Traffic Index Displays the traffic utilization index of each listed WLAN, which measures how efficiently the traffic medium is used.
15 The Radio screens displays information on RF Domain member Access Point radios. Use these screens to troubleshooting radio issues negatively impacting RF Domain performance. For more information, refer to the following: • Status • RF Statistics • Traffic Statistics Status To view the RF Domain radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select a RF Domain from under the System node on the top, left-hand side, of the screen. 3.
15 Channel Current (Config) Displays the current channel each listed RF Domain member Access Point radio is broadcasting on. Configured Channel Lists each radio’s defined operating channel to help assess if the radio is no longer transmitting on its configured channel. Neighbor radios are often required to assist non-functioning peers in the same coverage area. Power Current (Config) Displays the current power level the radio is using for its transmissions.
15 The RF Statistics screen displays the following: Radio Displays the name assigned to each listed RF Domain member radio. Each name displays as a link that can be selected to display radio information in greater detail. Signal Displays the power of listed RF Domain member radio signals in dBm. Noise Lists the level of noise (in - X dbm format) reported by each listed RF Domain member Access Point. SNR Displays the signal to noise ratio (SNR) of each listed RF Domain member radio.
15 FIGURE 17 RF Domain - Radio Traffic Statistics screen The Radio Traffic screen displays the following: Radio Displays the name assigned to each listed RF Domain member Access Point radio. Each name displays as a link that can be selected to display radio information in greater detail. Tx Bytes Displays the total number of bytes transmitted by each RF Domain member Access Point radio. This includes all user data as well as any management overhead data.
15 Mesh networking enables users to wirelessly access broadband applications anywhere (even in a moving vehicle). Initially developed for secure and reliable military battlefield communications, mesh technology supports public safety, public access and public works. Mesh technology reduces the expense of wide-scale networks, by leveraging Wi-Fi enabled devices already deployed. To view Mesh statistics for RF Domain member Access Point and their connected clients: 1.
15 2. Select a RF Domain from under the System node on the top, left-hand side, of the screen. 3. Select Mesh Point. The MCX Geographical View displays by default. FIGURE 19 RF Domain - Mesh Point MCX Geographical View screen The MCX Geographical View screen displays a map where icons of each device in the RF Domain is overlaid. This provides a geographical overview of the location of each RF Domain member device. 4.
15 FIGURE 20 RF Domain - Mesh Point MCX Logical View screen The Concentric and Hierarchical buttons define how the mesh point is displayed in the MCX Logical View screen. In the Concentric mode, the mesh is displayed as a concentric arrangement of devices with the root mesh at the centre and the other mesh device arranged around it. In the Hierarchical arrangement, the root node of the mesh is displayed at the top of the mesh tree and the relationship of the mesh nodes are displayed as such.
15 FIGURE 21 RF Domain - Mesh Point Device Type screen The Root field displays the Mesh ID and MAC Address of the configured root mesh points in the RF Domain. 8. The Non Root field displays the Mesh ID and MAC Address of all configured non-root mesh points in the RF Domain. displays the Mesh ID and MAC Address of all configured non-root mesh points in the RF Domain. 9.
15 Is Root A root mesh point is defined as a mesh point connected to the WAN and provides a wired backhaul to the network. (Yes/No) Meshpoint Identifier The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to setup the preferred root configuration. Interface ID The IFID uniquely identifies an interface associated with the MPID. Each mesh point on a device can be associated with one or more interfaces.
15 The Root tab displays the following: Mesh Point Name Displays the name of each configured mesh point in the RF Domain. Recommended Displays the root that is recommended by the mesh routing layer. Root MPID The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to setup the preferred root configuration. Next Hop IFID The IFID of the next hop. The IFID is the MAC Address on the destination device.
15 Radio Interface This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor. Mesh Root Hops The number of devices between the neighbor and its root mesh point. If the neighbor is a root mesh point, this value will be 0. If the neighbor is not a root mesh point but it has a neighbor that is a root mesh point, this value will be 1.
15 Interface ID The IFID uniquely identifies an interface associated with the MPID. Each mesh point on a device can be associated with one or more interfaces. State Displays the Link State for each mesh point: • Init - indicates the link has not been established or has expired. • Enabled - indicates the link is available for communication. • Failed - indicates the attempt to establish the link failed and cannot be retried yet.
15 FIGURE 22 RF Domain - Mesh Point Device Brief Info screen The All Roots and Mesh Points field displays the following: MAC Displays the MAC Address of each configured mesh point in the RF Domain. Mesh Point Name Displays the name of each configured mesh point in the RF Domain. Hostname Displays the administrator assigned hostname for each configured mesh point in the RF Domain.
15 11. The MeshPoint Details field on the bottom portion of the screen displays tabs for General, Path, Root, Multicast Path, Neighbors, Security and Proxy. Refer to the following: The General tab displays the following: Mesh Point Name Displays the name of each configured mesh point in the RF Domain. MAC Displays the MAC Address of each configured mesh point in the RF Domain. Hostname Displays the hostname for each configured mesh point in the RF Domain.
15 State Indicates whether the path is currently Valid of Invalid. Binding Indicates whether the path is bound or unbound. Timeout The timeout interval in seconds. The interpretation this value will vary depending on the value of the state. If the state is Init or In Progress, the timeout duration has no significance. If the state is Enabled, the timeout duration indicates the amount of time left before the security validity check is initiated.
15 The Neighbors tab displays the following: Mesh Point Name Displays the name of each configured mesh point in the RF Domain. Destination Addr The destination is the endpoint of mesh path. It may be a MAC address or a mesh point ID. Neighbor MP ID The MAC Address that the device uses to define the mesh point in the device that the neighbor is a part of. It is used to distinguish the device that is the neighbor.
15 The Security tab displays the following: Mesh Point Name Displays the name of each configured mesh point in the RF Domain. Destination Addr The destination is the endpoint of mesh path. It may be a MAC address or a mesh point ID. Radio Interface This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor.
15 FIGURE 23 RF Domain - Mesh Point Device Data Transmit screen Review the following transmit and receive statistics for Mesh nodes: Data Bytes (Bytes): Transmitted Bytes Displays the total amount of data, in Bytes, that has been transmitted by mesh points in the RF Domain. Data Bytes (Bytes): Received Bytes Displays the total amount of data, in Bytes, that has been received by mesh points in the RF Domain.
15 Data Packets Throughput (Kbps): Total Packets Displays the total amount of data, in packets, transmitted and received by mesh points in the RF Domain. Data Rates (bps): Transmit Data Rate Displays the average data rate, in kbps, for all data transmitted by mesh points in the RF Domain. Data Rates (bps): Receive Data Rate Displays the average data rate, in kbps, for all data received by mesh points in the RF Domain.
15 The Mesh Points section provides the following information: Mesh Points Displays the Mesh ID and MAC Address of all configured non-root Mesh Points in the RF Domain. The Details section is split into 7 tabs The General tab provides the following information: Mesh Point Name Displays the name of each configured Mesh Point in the RF Domain. MAC Displays the MAC Address of each configured Mesh Point in the RF Domain. Hostname Displays the hostname for each configured Mesh Point in the RF Domain.
15 Path State Indicates whether the path is currently Valid of Invalid. Bound Indicates whether the path is bound or unbound. Path Timeout The timeout interval in mili-seconds. The interpretation this value will vary depending on the value of the state. Sequence The sequence number aslo known as the destination sequence number. It is updated whenever a mesh point receives new information about the sequence number from RREQ, RREP, or RERR messages that may be received related to that destination.
15 The Neighbors tab provides the following information: 782 Mesh Point Name Displays the name of each configured Mesh Point in the RF Domain. MP ID Displays the MeshID (MAC Address) of each Mesh Point in the RF Domain. Neighbor MP ID The MAC Address that the device uses to define the Mesh Point in the device that the neighbor is a part of. It is used to distinguish the device that is the neighbor.
15 Link Metric This value shows the computed path metric from the device to the neighbor Mesh Point using this interface. The lower the number the better the possibility that the neighbor will be chosen as the path to the Root Mesh Point. Root Metric The computed path metric between the neighbor and their Root Mesh Point. Rank The rank is the level of importance and is used for automatic resource management. 8 – The current next hop to the recommended root.
15 The Proxy tab provides the following information: Mesh Point Name Displays the name of each configured Mesh Point in the RF Domain. MP ID The MP identifier is used to distinguish between other Mesh Points both on the same device and on other devices. This is used by a user to setup the preferred root configuration. Proxy Address Displays the MAC Address of the proxy used in the mesh point. Age Displays the age of the proxy connection for each of the mesh points in the RF Domain.
15 FIGURE 24 RF Domain - Smart RF Summary screen 5. The Channel Distribution table lists how RF Domain member devices are utilizing different channels to optimally support connect devices and avoid congestion and interference with neighboring devices. Assess whether the channel spectrum is being effectively utilized and whether channel changes are warranted to improve RF Domain member device performance. 6.
15 7. Review the Top 5 Active Radios to assess the significance of any Smart RF initiated compensations versus their reported top performance. Radio MAC Lists the hardware encoded MAC address of each listed top performing RF Domain member device radio. RF Band Displays the top performing radio’s operation band. This may help administrate whether more changes were required in the 2.4 GHz band then 5 GHz or vice versa.
15 FIGURE 25 RF Domain - Smart RF Details screen Refer to the Neighbors table to review the attributes of neighbor radio resources available for Smart RF radio compensations for other RF Domain member device radios. Individual Access Point hostnames can selected and the RF Domain member radio can reviewed in greater detail. Attenuation is a measure of the reduction of signal strength during transmission.
15 FIGURE 26 RFDomain - Smart RF Energy Graph 12. Select Smart RF History to review the descriptions and types of Smart RF events impacting RF Domain member devices.
15 The SMART RF History screen displays the following RF Domain member historical data: Time Displays a time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain. Type Lists a high-level description of the Smart RF activity initiated for a RF Domain member device.
15 FIGURE 28 RF Domain - WIPS Client Blacklist screen The WIPS Client Blacklist screen displays the following: Event Name Displays the name of the blacklisting wireless intrusion event detected by a RF Domain member Access Point. Blacklisted Client Displays the MAC address of the unauthorized (blacklisted) client intruding the RF Domain. Time Blacklisted Displays the time when the wireless client was blacklisted by a RF Domain member Access Point.
15 FIGURE 29 RF Domain - WIPS Events screen The WIPS Events screen displays the following: Event Name Displays the event name of the intrusion detected by a RF Domain member Access Point. Reporting AP Displays the MAC address of the RF Domain member Access Point reporting the event. Originating Device Displays the MAC address of the device generating the event. Detector Radio Displays Access Point radio number detecting the event.
15 To view the RF Domain captive portal statistics: 1. Select the Statistics menu from the Web UI. 2. Select a RF Domain from under the System node on the top, left-hand side, of the screen. 3. Select Captive Portal from the RF Domain menu. FIGURE 30 RF Domain - Captive Portal The screen displays the following Captive Portal data for requesting clients: Client MAC Displays the MAC address of each listed client requesting captive portal access to the controller or service platform managed network.
15 The Wireless Controller screen displays information about peer controllers or service platforms and their connected Access Points. As members of a cluster, a controller or service platform manages its own network and is ready to assume the load of an offline peer. The screen displays detailed statistics which include network health, inventory of devices, wireless clients, adopted APs, rogue APs and WLANs.
15 Health Controller Statistics The Health screen displays details such as hostname, device name, RF Domain name, radio RF quality and client RF quality. To view controller or service platform device health data: 1. Select the Statistics tab from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Health from the left-hand side of the UI.
15 The Device Details field displays the following: Hostname Displays the administrator assigned hostname of the controller or service platform. Device MAC Displays the MAC address of the controller. Primary IP Lists the network address used by this controller or service platform as a network identifier. Type Displays the controller (Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000.) or service platform (NX4500, NX4524, NX6500, NX6524 or NX9000 series) type.
15 The Client RF Quality Index field displays the RF quality of the clients. Use this table to troubleshoot radios not optimally performing: Worst 5 Displays the five client radios with the lowest quality indices. Client MAC Displays the MAC address of the client. Retry Rate Displays the excessive retry rate of each listed controller or service platform managed client. 4. Select Refresh to update the statistics counters to their latest values.
15 FIGURE 32 Wireless Controller - Device screen The System field displays the following: Model Number Displays the model number for the selected controller or service platform. Serial Number Displays the serial number factory encoded on the controller or service platform at the factory. Version Displays the unique alphanumeric firmware version name for the controller or service platform firmware. Boot Partition Displays the boot partitioning type.
15 The System Resources field displays the following: Available Memory (MB) Displays the available memory (in MB) available on the selected controller or service platform. Total Memory (MB) Displays the controller or service platform’s total memory. Currently Free RAM Displays the Access Point’s free RAM space. If its very low, free up some space by closing some processes. Recommended RAM Displays the recommended RAM required for routine operation.
15 The Upgrade Status field displays firmware upgrade statistics. The table provides the following: Upgrade Status Displays whether the image upgrade was successful. Upgrade Status Time Displays the time of the upgrade. The AP Licenses field displays the following: AP Licenses Displays the number of AP licenses currently available on the controller or service platform. This value represents the maximum number of licenses the controller or service platform can adopt.
15 3. Select Cluster Peers from the left-hand side of the UI. FIGURE 33 Wireless Controller - Cluster Peers screen The Cluster Peers screen displays the following: Wireless Controller Displays the IP addresses of current cluster member controller or service platform. The name displays in the form of a link that can be selected to display a detailed description of the controller or service platform’s configuration. MAC Address Displays the MAC addresses of current cluster members.
15 To view the upgrade statistics: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Device Upgrade. FIGURE 34 Wireless Controller - AP Upgrade screen The Upgrade screen displays the following information: Upgraded By Device Displays the MAC address of the controller or service platform that performed the upgrade operation.
15 Port mirroring is not supported on NX4500 or NX6500 models, as they only utilize GE ports 1 - 2. Additionally, port mirroring is not supported on uplink (up) ports or wired ports on any controller or service platform model. To view NX4524 or NX6524 model service platform port mirroring statistics: 1. Select the Statistics tab from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Mirroring from the left-hand side of the UI.
15 • AP Adoption History • Pending Adoptions To view device adoption statistics: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Adoption > Adopted Devices from the left-hand side of the UI. FIGURE 36 Wireless Controller - Adopted APs screen The Adopted Devices screen displays the following: Device Displays the name assigned to the adopted device by the management software.
15 AP Adoption History Controller Statistics The AP Adoption History screen displays a list of devices adopted to the controller or service platform managed network. Use this screen to view a list of devices and their current status. To view adopted AP Adoption History statistics: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Adoption > AP Adoption History from the left-hand side of the UI.
15 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Adoption > Pending Adoptions from the left-hand side of the UI. FIGURE 38 Wireless Controller - Pending Adoptions screen The Pending Adoptions screen provides the following MAC Address Displays the MAC address of the device pending adoption. Type Displays the AP’s model type. IP Address Displays the current IP address of the device pending adoption.
15 2. Select a Wireless Controller node from the left navigation pane. 3. Select AP Detection from the left-hand side of the UI. FIGURE 39 Wireless Controller - AP Detection screen The AP Detection screen displays the following: Unsanctioned AP Displays the MAC address of unsanctioned APs detected within the controller or service platform radio coverage area. Unsanctioned APs are detected APs without deployment approval. Reporting AP Lists the Access Point whose radio detected the unsanctioned AP.
15 The Wireless Clients screen displays read only device information for wireless clients associated with the selected controller or service platform. Use this information to assess if configuration changes are required to improve network performance. To view a controller or service platform’s connected wireless client statistics: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Wireless Clients from the left-hand side of the UI.
15 VLAN Displays the VLAN ID the client’s connected Access Point has defined as a virtual interface. Last Active Displays the time when this wireless client was last seen (or detected) by a device within the controller or service platform managed network. Disconnect Client Select a specific client and select the Disconnect Client button to terminate this client’s connection to its controller or service platform connected Access Point radio.
15 The Wireless LANs screen displays the following: WLAN Name Displays the name of the WLANs the controller or service platform is currently utilizing for client connections and QoS segregation. SSID Displays the Service Set ID each listed WLAN is using as an identifier. Traffic Index Displays the traffic utilization index, which measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to the maximum possible throughput.
15 FIGURE 42 Wireless Controller - Policy Based Routing screen The Policy Based Routing screen displays the following: Precedence Lists the numeric precedence (priority) assigned to each listed PBR configuration. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the route-map with the highest precedence (lowest numerical value).
15 To view the radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Radio from the left-hand side of the UI. FIGURE 43 Wireless Controller - Radio Status screen The Radios Status screen provides the following information: Radio Displays the model and numerical value assigned to the radio as its unique identifier.
15 FIGURE 44 Wireless Controller - Radio RF Statistics screen The RF Statistics screen provides the following information: Radio Displays the name assigned to each listed radio. Each radio name displays as a link that can be selected to display radio information in greater detail. Signal Displays the power of each listed radio signals in dBm. SNR Displays the signal to noise ratio (SNR) of each listed radio.
15 FIGURE 45 Wireless Controller - Radio Traffic Statistics screen The Traffic Statistics screen provides the following information: Radio Displays the name assigned to each listed radio. Each radio name displays as a link that can be selected to display radio configuration and network address information in greater detail. Tx Bytes Displays the amount of transmitted data in bytes for each radio. Rx Bytes Displays the amount of received data in bytes for each radio.
15 2. Select a Wireless Controller node from the left navigation pane. 3. Select Mesh from the left-hand side of the UI. FIGURE 46 Wireless Controller - Mesh screen The Mesh screen displays the following: Client Displays the name assigned to each mesh client when added to the controller or service platform managed network. Client Radio MAC Displays the factory encoded Media Access Control (MAC) address of each device within the controller or service platform managed mesh network.
15 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Expand the Interfaces menu from the left-hand side of the UI. 4. Select General.
15 The General table displays the following: Name Displays the name of the controller or service platform interface ge1, up 1etc. Interface MAC Address Displays the MAC address of the interface. IP Address IP address of the interface. IP Address Type Displays the IP address type, either IPv4 or IPv6. Secondary IP Displays a list of secondary IP resources assigned to this interface. Hardware Type Displays the networking technology.
15 The Traffic table displays the following: Good Octets Sent Displays the number of octets (bytes) with no errors sent by the interface. Good Octets Received Displays the number of octets (bytes) with no errors received by the interface. Good Packets Sent Displays the number of good packets transmitted. Good Packets Received Displays the number of good packets received. Mcast Pkts Sent Displays the number of multicast packets sent through the interface.
15 The Receive Errors table displays the following: Rx Frame Errors Displays the number of frame errors received at the interface. A frame error occurs when data is received, but not in an expected format. Rx Length Errors Displays the number of length errors received at the interface. Length errors are generated when the received frame length was either less or over the Ethernet standard. Rx FIFO Errors Displays the number of FIFO errors received at the interface.
15 2. Select a Wireless Controller node from the left navigation pane. 3. Expand the Interfaces menu from the left-hand side of the UI. 4. Select Network Graph. FIGURE 48 Wireless Controller - Interface Network Graph screen RAID Statistics Controller Statistics RAID statistics are available to assist an administrator in assessing the status of the service platform’s RAID array, including each physical drive.
15 FIGURE 49 Wireless Controller - RAID Status screen 4. The Status field displays the following: Size Lists the size of the RAID drive array. The size is the total physical memory space available on the two physical drives comprising the active RAID controller. State Displays whether the drive array is currently in an optimal operation state or degraded, and in need of administration to perform diagnostics and perhaps prepare a standby drive for hot spare replacement.
15 6. Use the Physical Drives field to assess the RAID array’s drive utilization and whether the drives are currently online: Slot Lists RAID array’s drive slot utilization. Since there is only one RAID array controller reporting status to the service platform, its important to know if other drive slots house hot spare drives available as additional resources should one of the dedicated drives fail.
15 FIGURE 50 Wireless Controller - Power Status screen The Power Status provides the following information for supported controllers or service platforms: Device Displays the administrator assigned device name for the controller or service platform. Temperature Displays the internal system temperature for the controller or service platform. PoE Enabled Displays whether or not Power over Ethernet (PoE) is enabled for the controller or service platform.
15 Power Consumption Displays the current amount of power being consumed by PoE devices on the controller or service platform. Non-Standard PoE power budget Displays the amount of voltage allocated to non 802.3af or 802.3at PoE devices. Port Name Displays the GE port name for each PoE capable port on the controller or service platform. Voltage Displays the voltage in use by each PoE capable port on the controller or service platform.
15 FIGURE 51 Wireless Controller - PPPoE screen The Configuration Information field screen displays the following: Shutdown Displays whether a high speed client mode point-to-point connection has been enabled using the PPPoE protocol. A green checkmark defines the connection as enabled. A red X defines the connection as shutdown. Service Lists the 128 character maximum PPPoE client service name provided by the service provider.
15 The Connection Status table lists the MAC address, SID, Service information MTU and status of each route destination peer. To provide this point-to-point connection, each PPPoE session learns the Ethernet address of a remote PPPoE client, and establishes a session. PPPoE uses both a discover and session phase to identify a client and establish a point-to-point connection. By using such a connection, a wireless WAN failover is available to maintain seamless network access if the Wired WAN were to fail 5.
15 FIGURE 52 826 Wireless Controller - OSPF Summary tab Brocade Mobility RFS Controller System Reference Guide 53-1003099-01
15 The Summary tab describes the following data fields: General The general field displays the router ID assigned for this OSPF connection, RFC compliance information and LSA data. OSPF version 2 was originally defined within RFC versions 1583 and 2328. The general field displays whether compliance to these RFCs have been satisfied.
15 FIGURE 53 Wireless Controller - OSPF Neighbor Info tab The Neighbor Info tab describes the following: Router ID Displays the router ID assigned for this OSPF connection. The router is a level three Internet Protocol packet switch. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier.
15 OSPF Area Details OSPF An OSPF network is subdivided into routing areas (with 32 bit area identifiers) to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network.
15 Network LSA Displays which routers are joined together by the designated router on a broadcast segment (e.g. Ethernet). Type 2 LSAs are flooded across their own area only. The link state ID of the type 2 LSA is the IP interface address of the designated route. Summary LSA The summary LSA is generated by ABR to leak area summary address info into another areas. ABR generates more than one summary LSA for an area if the area addresses cannot be properly aggregated by only one prefix.
15 FIGURE 55 Wireless Controller - OSPF External Routes tab External routes are external to area, originate from other routing protocols (or different OSPF processes) and are inserted into OSPF using redistribution. A stub area is configured not to carry external routes. Each external route can be tagged by the advertising router, enabling the passing of additional information between routers.
15 FIGURE 56 Wireless Controller - OSPF Network Routes tab Network routes support more than two routers, with the capability of addressing a single physical message to all attached routers (broadcast). Neighboring routers are discovered dynamically using OSPF hello messages. This use of the hello protocol takes advantage of broadcast capability. An OSPF network route makes further use of multicast capabilities, if they exist. Each pair of routers on the network is assumed to communicate directly.
15 FIGURE 57 Wireless Controller - OSPF Router Routes tab An internal (or router) route connects to one single OSPF area. All of its interfaces connect to the area in which it is located and does not connect to any other area. 8. Select the Refresh button (within any of the four OSPF Routes tabs) to update the statistics counters to their latest values OSPF Interface OSPF An OSPF interface is the connection between a router and one of its attached networks.
15 FIGURE 58 Wireless Controller - OSPF Interface tab The OSPF Interface tab describes the following: Interface Name Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes. Zero config and DHCP can be used to generate route addresses, or a primary and secondary address can be manually provided. Interface Index Lists the numerical index used for the OSPF interface. This interface ID is in the hello packets establishing the OSPF network connection.
15 To view OSPF state statistics: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select OSPF from the left-hand side of the UI. 4. Select the OSPF State tab. FIGURE 59 Wireless Controller - OSPF State tab The OSPF State tab describes the following: OSPF state Displays the OSPF link state amongst neighbors within the OSPF topology.
15 L2TPv3 Controller Statistics Use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables a controller or service platform to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between Mobility devices and other devices supporting the L2TP V3 protocol. To review a selected controller or service platform’s L2TPv3 statistics: 1. Select the Statistics menu from the Web UI. 2.
15 The L2TPv3 screen displays the following: Tunnel Name Displays the name of each listed L2TPv3 tunnel assigned upon creation. Each listed tunnel name can be selected as a link to display session data specific to that tunnel. The Sessions screen displays cookie size information as well as psuedowire information specific to the selected tunnel. Data is also available to define whether the tunnel is a trunk session and whether tagged VLANs are used.
15 2. Select a Wireless Controller node from the left navigation pane. 3. Select VRRP. FIGURE 61 Wireless Controller - VRRP screen 4. Refer to the Global Error Status field to review the various sources of packet errors logged during the implementation of the virtual route. Errors include the mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions. 5.
15 State Displays the current state of each listed virtual router ID. Clear Router Status Select the Clear Router Status button to clear the Router Operations Summary table values to zero and begin new data collections. Clear Global Error Status Select the Clear Global Error Status button to clear the Global Error Status table values to zero and begin new data collections. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
15 5. Refer to the following List of Critical Resources:. Critical Resource Name Lists the name of the resource being monitored by the controller or service platform. Via Lists the VLAN used by the critical resource as a virtual interface. the VLAN displays as a link than can be selected to list configuration and network address information in greater detail. Status Defines the operational state of each listed critical resource VLAN interface (Up or Down).
15 The LDAP Agent Status screen displays the following: LDAP Agent Primary Lists the primary IP address of a remote LDAP server resource used by the controller or service platform to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy’s data source is set to LDAP, this is the first resource for authentication requests.
15 FIGURE 64 Wireless Controller – GRE Tunnel screen The GRE Tunnels screen describes the following: GRE State Displays the current operational state of the GRE tunnel. Peer IP Address Displays the IP address of the peer device on the remote end of the GRE tunnel. Tunnel Id Displays the session ID of an established GRE tunnel. This ID is only viable while the tunnel is operational and does not carry to subsequent sessions.
15 2. Select the Wireless Controller node from the left navigation pane. 3. Select Dot1x from the left-hand side of the UI. FIGURE 65 Wireless Controller – Dot1x screen 4. Refer to the following Dot1xAuth statistics: AAA Policy Lists the AAA policy currently being utilized for authenticating user requests. Guest Vlan Control Lists whether guest VLAN control has been allowed (or enabled). This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN globally enabled.
15 Client MAC Lists the MAC address of requesting clients seeking authentication over the listed port. Guest VLAN Lists the guest VLAN utilized for the listed port. This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN globally enabled. Host Lists whether the host is a single entity or not. Pstatus Lists whether the listed port has been authorized for Dot1x network authentication. 6.
15 FIGURE 66 Wireless Controller - Network ARP screen The ARP Entries screen displays the following: IP Address Displays the IP address of the client being resolved on behalf of the controller or service platform. ARP MAC Address Displays the MAC address of the device where an IP address is being resolved. Type Defines whether the entry was added statically or created dynamically in respect to network traffic. Entries are typically static.
15 FIGURE 67 Wireless Controller - Network Route Entries screen The Route Entries screen provides the following information: Destination Displays the IP address of the destination route address. FLAGS The flag signifies the condition of the direct or indirect route. A direct route is where the destination is directly connected to the forwarding host. With an indirect route, the destination host is not directly connected to the forwarding host.
15 2. Select a Wireless Controller node from the left navigation pane. 3. Expand the Network menu from the left-hand side of the UI. 4. Select Bridge. FIGURE 68 Wireless Controller - Network Bridge screen The Bridge screen displays the following: Bridge Name Displays the numeric ID of the network bridge. MAC Address Displays the MAC address of each listed bridge. Interface Displays the controller or service platform physical port interface the bridge uses to transfer packets.
15 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Expand the Network menu from the left-hand side of the UI. 4. Select IGMP. FIGURE 69 Wireless Controller - Network DHCP Options screen The Group field describes the following: VLAN Displays the group VLAN where the multicast transmission is conducted. Group Address Displays the Multicast Group ID supporting the statistics displayed.
15 MiNT IDs Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure access point profile communications at the transport layer. Using MiNT, an access point can be configured to only communicate with other authorized (MiNT enabled) access points of the same model. Query Interval Lists the IGMP query interval implemented when the querier functionality is enabled. The default value is 60 seconds. Version Lists the multicast router IGMP version compatibility as either version 1, 2 or 3.
15 The DHCP Options screen describes the following: Server Information Lists server information specific to each DHCP server resource available to requesting clients for the dynamic assignment of IP addresses. Image File Displays the image file name. BOOTP or the bootstrap protocol can be used to boot diskless clients. An image file is sent from the boot server. The file contains the operating system image. DHCP servers can be configured to support BOOTP.
15 The Cisco Discovery Protocol screen displays the following: Capabilities Displays the capabilities code for cisco neighbors as either Router, Trans Bridge, Source Route Bridge, Switch, Host, IGMP or Repeater. Device ID Displays the configured device ID or name for each device in the table. Local Port Displays the local port name for each CDP capable device. Platform Displays the model number of the CDP capable device. Port ID Displays the identifier for the local port.
15 The Link Layer Discovery Protocol screen displays the following: Capabilities Displays the Access Point capabilities code as either Router, Trans Bridge, Source Route Bridge, Switch, Host, IGMP or Repeater. Device ID Displays the configured device ID or name for each device in the table. Enabled Capabilities Displays which LLDP capabilities are currently utilized by the listed device. Local Port Displays the physical local port name for each LLDP capable device.
15 FIGURE 73 Wireless Controller - DHCP Server General screen The Status table defines the following: Interfaces Displays the controller or service platform interface used with the DHCP resource for IP address provisioning. State Displays the current operational state of the DHCP server to assess its availability as a viable IP provisioning resource. 5. The DDNS Bindings table displays the following: IP Address Displays the IP address assigned to the requesting client.
15 The DHCP Binding screen displays DHCP binding information such as expiry time, client IP addresses and their MAC address. Controllers and service platforms build and maintain a DHCP snooping table (DHCP binding database). A controller or service platform uses the snooping table to identify and filter untrusted messages. The DHCP binding database keeps track of DHCP addresses assigned to ports, as well as filtering DHCP messages from untrusted ports.
15 Viewing DHCP Server Networks Information DHCP Server The DHCP server maintains a pool of IP addresses and client configuration parameters (default gateway, domain name, name servers etc). On receiving a valid client request, the server assigns the requestor an IP address, a lease (the validity of time), and other IP configuration parameters.
15 A firewall is designed to block unauthorized access while permitting authorized communications. It’s a device or a set of devices configured to permit or deny computer applications based on a set of rules.
15 Viewing Denial of Service Statistics Firewall A denial-of-service attack (DoS attack), or distributed denial-of-service attack, is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of a concerted effort to prevent an Internet site or service from functioning efficiently.
15 The Denial of Service screen displays the following: Attack Type Displays the DoS attack type. The controller or service platform supports enabling or disabling 24 different DoS attack filters. Count Displays the number of times each DoS attack was observed by the controller or service platform’s firewall. Last Occurrence Displays the amount of time since the DoS attack has been observed by the controller or service platform’s firewall.
15 FIGURE 78 Wireless Controller - Firewall IP Firewall Rules screen The IP Firewall Rules screen displays the following: Precedence Displays the precedence (priority) applied to packets. Every rule has a unique precedence value between 1 - 5000. You cannot add two rules with the same precedence value. Friendly String This is a string that provides more information as to the contents of the rule. This is for information purposes only.
15 To view MAC firewall rules: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Expand the Firewall menu from the left-hand side of the UI. 4. Select MAC Firewall Rules. FIGURE 79 Wireless Controller - Firewall MAC Firewall Rules screen The MAC Firewall Rules screen displays the following: Precedence Displays the precedence (priority) applied to packets.
15 Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit. This enables mapping one IP address to another to protect wireless controller managed network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address.
15 Reverse Source Port Displays the internal network port for reverse facing NAT translations. Reverse Dest IP Displays the external network destination IP address for reverse facing NAT translations. Reverse Dest Port Displays the external network destination port for reverse facing NAT translations. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
15 The DHCP Snooping screen displays the following: MAC Address Displays the MAC address of the client. Node Type Displays the NetBios node with an IP pool from which IP addresses can be issued to client requests on this interface. IP Address Displays the IP address used for DHCP discovery and requests between the DHCP server and DHCP clients. Netmask Displays the subnet mask used for DHCP discovery and requests between the DHCP server and DHCP clients.
15 IKESA VPN The IKESA screen allows for the review of individual peer security association statistics. 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select VPN and expand the menu to reveal its sub menu items. 4. Select IKESA. FIGURE 82 Wireless Controller - VPN IKESA screen Review the following VPN peer security association statistics: Peer Lists IDs for peers sharing security associations (SA) for tunnel interoperability.
15 To view IPSec VPN status for tunnelled peers: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select VPN and expand the menu to reveal its sub menu items. 4. Select IPSec. FIGURE 83 Wireless Controller - VPN IPSec screen Review the following VPN peer security association statistics: Peer Lists IP addresses for peers sharing security associations (SA) for tunnel interoperability.
15 Viewing Certificate Statistics Controller Statistics The Secure Socket Layer (SSL) protocol is used to ensure secure transactions between Web servers and browsers. This protocol uses a third-party, a certificate authority, to identify one end or both ends of the transactions. A browser checks the certificate issued by the server before establishing a connection.
15 FIGURE 84 Wireless Controller - Certificates Trustpoint screen The Certificate Details field displays the following: Subject Name Describes the entity to which the certificate is issued. Alternate Subject Name Lists alternate subject information about the certificate as provided to the certificate authority. Issuer Name Displays the name of the organization issuing the certificate. Serial Number Lists the unique serial number of the certificate.
15 IS CA Indicates whether this certificate is an authority certificate (Yes/No). Is Self Signed Displays whether the certificate is self-signe d (Yes/No). Server Certification Present Displays whether a server certification is present or not (Yes/No). CRL Present Displays whether a Certificate Revocation List (CRL) is present (Yes/No). A CRL contains a list of subscribers paired with digital certificate status. The list displays revoked certificates along with the reasons for revocation.
15 FIGURE 85 Wireless Controller - Certificates RSA Keys screen The RSA Key Details field describes the size (in bits) of the desired key. If not specified, a default key size of 1024 is used. The RSA Public Key field describes the public key’s character set used for encrypting messages. This key is known to everyone. 5. Select the Refresh button to update the screen’s statistics counters to their latest values.
15 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select WIPS and expand the menu to reveal its sub menu items. 4. Select Client Blacklist. FIGURE 86 Wireless Controller - WIPS Client Blacklist screen The Client Blacklist screen displays the following: Event Name Displays the name of the detected wireless intrusion resulting in a blacklisting of the client from controller or service platform resources.
15 2. Select a Wireless Controller node from the left navigation pane. 3. Select WIPS and expand the menu to reveal its sub menu items. 4. Select WIPS Events FIGURE 87 Wireless Controller - WIPS Events screen The WIPS Events screen displays the following: Event Name Displays the name of the detected intrusion event. Reporting AP Displays the hostname of the AP reporting each intrusion.
15 • • • • Viewing General WIPS Statistics Viewing Detected AP Statistics Viewing Detected Clients Viewing Event History Viewing General WIPS Statistics Advanced WIPS The General WIPS screen describes WIPS server and sensor address information, version and connection state. 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Advanced WIPS and expand the menu to reveal its sub menu items. 4. Select General.
15 Viewing Detected AP Statistics Advanced WIPS The Detected APs screen displays network address and connection status for APs within the controller or service platform managed network. To view detected AP stats: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Advanced WIPS and expand the menu to reveal its sub menu items. 4. Select Detected APs.
15 Viewing Detected Clients Advanced WIPS The Detected Clients screen lists clients detected within the controller or service platform managed network that are not connected to an approved Access Point radio. To view the detected clients statistics: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Advanced WIPS and expand the menu to reveal its sub menu items. 4. Select Detected Clients.
15 The Event History lists WIPS events triggered, then logged by the controller or service platform. To view a WIPS event history: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Advanced WIPS and expand the menu to reveal its sub menu items. 4. Select Events History.
15 2. Select a Wireless Controller node from the left navigation pane. 3. Select Sensor Servers from the left-hand side of the controller or service platform UI. FIGURE 92 Wireless Controller - Sensor Server screen The Sensor Servers screen displays the following: IP Address Displays a list of sensor server IP addresses. These are sensor resources available to the controller or service platform. Port Displays the port on which this server is listening.
15 FIGURE 93 Wireless Controller - Captive Portal screen The Captive Portal screen displays the following: Client MAC Displays the requesting client’s MAC address. The MAC displays as a link that can be selected to display client configuration and network address information in greater detail. Client IP Displays the requesting client’s IP address. Captive Portal Displays the captive portal page’s IP address. Authentication Displays the authentication status of the requesting client.
15 Viewing NTP Status Network Time The NTP Status screen displays performance (status) information relative to the NTP association status. Verify the NTP status to assess the controller or service platform’s current NTP resource. To view the NTP status of a managed network: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane. 3. Select Network Time and expand the menu to reveal its sub menu items. 4. Select NTP Status.
15 Root Delay The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets. The values that normally appear in this field range from negative values (a few milliseconds) to positive values (several hundred milliseconds). Root Dispersion The difference between the time on the root NTP server and it’s reference clock. The reference clock is the clock used by the NTP server to set its own clock.
15 The NTP Associations screen provides the controller or service platform’s current NTP associations: Delay Time Displays the round-trip delay (in seconds) for SNTP broadcasts between the SNTP server and the controller or service platform. Display Displays the time difference between the peer NTP server and the onboard wireless controller clock. Offset Displays the calculated offset between the controller or service platform and the SNTP server.
15 The Smart Caching Utilization screen is an administrator’s resource for service platform storage capacity and data availability. Use this screen to help assess the number of requests for cached Web content maintained locally on the service platform versus the total number of requests for all the service platform’s locally maintained data. To review service platform Smart Cache utilization: 1. Select the Statistics menu from the Web UI. 2. Select a Wireless Controller node from the left navigation pane.
15 Bandwidth Cache (Kbps) Displays the bandwidth available to cached data transfers on the service platform. Total Requests Lists the total number of client requests for the data residing locally on the service platform. This figure is the combined number of cached data and non-cached data requests. Requests from Cache Lists the total number of requests for cached Web content maintained locally on the service platform.
15 5. Refer to the Data field to assess the specific data types requested from the service platform’s temporary Web content cache: Duration Lists the duration period cached data (Web content) has been available on the service platform’s local disk storage. Total Audio (KB) Displays the total amount audio data (in KB) currently residing locally on the service platform.
15 FIGURE 98 Wireless Controller - Smart Caching Active Requests screen 5. Refer to the following client Web content active request information: Client IP Lists the network IP address the client is using as a network identifier within the service platform managed network. Each listed client has requested access to URL data (Web content) cached locally on the service platform. Requested URL Displays the URL (Web content) requested by the listed client IP from the service platform’s cached local data.
15 FIGURE 99 Wireless Controller - Smart Caching Client List screen 5. Refer to the following Client List data to review the attributes of those mobile devices requesting cached Web content from the service platform: Hostname Lists the administrator assigned hostname applied to the client when it was added to the list of clients connected to a service platform associated Access Point.
15 • • • • • • • • • • • • • • • • • • • • • • • • • Wireless LANs Policy Based Routing Radios Mesh Interfaces RTLS PPPoE OSPF L2TPv3 Tunnels VRRP Critical Resources LDAP Agent Status GRE Tunnels Dot1x Network DHCP Server Firewall VPN Certificates WIPS Sensor Servers Captive Portal Network Time Load Balancing Environmental Sensors (BR1240 Models Only) Health Access Point Statistics The Health screen displays a selected Access Point’s hardware version and software version.
15 FIGURE 100 Access Point - Health screen The Device Details field displays the following information: Hostname Displays the AP’s unique name as assigned within the controller or service platform managed network. A hostname is assigned to a device connected to a computer network. Device MAC Displays the MAC address of the AP. This is factory assigned and cannot be changed. Primary AP Displays the IP address of assigned to this device either through DHCP or through static IP assignment.
15 The Radio RF Quality Index field displays the following: RF Quality Index Displays Access Point radios having very low quality indices. RF quality index indicates the overall RF performance. The RF quality indices are: • 0 – 50 (poor) • 50 – 75 (medium) • 75 – 100 (good) Radio Id Displays a radio’s hardware encoded MAC address The ID appears as a link that can be selected to show radio utilization in greater detail. Radio Type Identifies whether the radio is a 2.4 or 5 GHz.
15 FIGURE 101 Access Point - Device screen The System field displays the following: Model Number Displays the model of the selected Access Point to help distinguish its exact SKU and country of operation. Serial Number Displays the numeric serial number set for the Access Point. Version Displays the software (firmware) version on the Access Point. Boot Partition Displays the boot partition type. Fallback Enabled Displays whether this option is enabled.
15 The System Resources field displays the following: Available Memory (MB) Displays the available memory (in MB) available on the Access Point. Total Memory (MB) Displays the Access Point’s total memory. Currently Free RAM Displays the Access Point’s free RAM space. If its very low, free up some space by closing some processes. Recommended Free RAM Displays the recommended RAM required for routine operation. Current File Description Displays the Access Point’s current file description.
15 The Firmware Images field displays the following: Primary Build Date Displays the build date when this Access Point firmware version was created. Primary Install Date Displays the date this version was installed. Primary Version Displays the primary version string. Secondary Build Date Displays the build date when this version was created. Secondary Install Date Displays the date this secondary version was installed. Secondary Version Displays the secondary version string.
15 FIGURE 102 Access Point - Device Upgrade screen The Device Upgrade screen displays the following Upgraded By Device Displays the device that performed the upgrade. Type Displays the model of the Access Point. The updating Access Point must be of the same model as the Access Point receiving the update. Device Hostname Displays the administrator assigned hostname of the device receiving the update. History ID Displays a unique timestamp for the upgrade event.
15 Adopted APs Adoption The Adopted APs screen lists Access Points adopted by the selected Access Point, their RF Domain memberships and network service information. To view adopted Access Point statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Expand the Adoption menu item. 4. Select Adopted APs.
15 Adopted By Lists the adopting Access Point. Adoption time Displays each listed Access Point’s time of adoption. Startup Time Displays each listed Access Point’s in service time since last offline. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values. AP Adoption History Adoption The AP Adoption History screen displays a list of peer Access Points and their adoption event status. To review a selected Access Point’s adoption history: 1.
15 AP Self Adoption History Adoption The AP Self Adoption History displays an event history of peer Access Points that have adopted to the selected Access Point. 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand the a RF Domain, select a controller, and select one of its connected Access Points. 3. Expand the Adoption menu item. 4. Select AP Self Adoption History.
15 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand the a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Expand the Adoption menu item. 4. Select Pending Adoptions. FIGURE 106 Access Point - Pending Adoptions screen The Pending Adoptions screen provides the following: MAC Address Displays the MAC address of the device pending adoption.
15 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select AP Detection. FIGURE 107 Access Point - AP Detection The AP Detection screen displays the following: Unsanctioned AP Displays the MAC address of a detected Access Point that is yet to be authorized for interoperability within the Access Point managed network.
15 The Wireless Clients screen displays credential information for wireless clients associated with an Access Point. Use this information to assess if configuration changes are required to improve network performance. To view wireless client statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3.
15 VLAN Displays the VLAN ID each listed client is currently mapped to as a virtual interface for Access Point interoperability. Last Active Displays the time when this wireless client was last seen (or detected) by a device within the Access Point managed network. Disconnect Client Select a specific client MAC address and select the Disconnect Client button to terminate this client’s connection to its Access Point.
15 The Wireless LANs screen displays the following: WLAN Name Displays the name of the WLAN the Access Point is currently using for client transmissions. SSID Displays each listed WLAN’s Service Set ID (SSID) used as the WLAN’s network identifier. Traffic Index Displays the traffic utilization index, which measures how efficiently the WLAN’s traffic medium is used. It’s defined as the percentage of current throughput relative to maximum possible throughput.
15 FIGURE 110 Access Point - Policy Based Routing screen The Policy Based Routing screen displays the following: Precedence Lists the numeric precedence (priority) assigned to each listed PBR configuration. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the route-map with the highest precedence (lowest numerical value).
15 Radios Access Point Statistics The Radio statistics screens display information on Access Point radios. The actual number of radios depend on the Access Point model and type. This screen displays information on a per radio basis. Use this information to refine and optimize the performance of each radio and therefore improve network performance. The Access Point’s radio statistics screens provide details about associated radios. It provides radio ID, radio type, RF quality index etc.
15 FIGURE 111 Access Point - Radio Status screen The radio Status screen provides the following information: Radio Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data. Radio MAC Displays the factory encoded hardware MAC address assigned to the radio. Radio Type Displays the radio as either supporting the 2.4 or 5 GHZ radio band.
15 FIGURE 112 Access Point - Radio RF Statistics screen The RF Statistics screen lists the following: Radio Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data. Signal Displays the radio’s current power level in - dBm. SNR Displays the signal to noise ratio of the radio’s associated wireless clients.
15 To view the Access Point radio traffic statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Expand Radios. 4. Select Traffic Statistics.
15 Mesh Access Point Statistics The Mesh screen provides detailed statistics on each Mesh capable client available within the selected Access Point’s radio coverage area. To view the Mesh statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select Mesh.
15 Interfaces Access Point Statistics The Interface screen provides detailed statistics on each of the interfaces available on the selected Access Point. Use this screen to review the statistics for each interface. Interfaces vary amongst supported Access Point models. To review Access Point interface statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen).
15 The General table displays the following: Name Displays the name of the Access Point interface ge1, vlan1 etc. Interface MAC Address Displays the MAC address of the interface. IP Address IP address of the interface. IP Address Type Displays the IP address type, either IPv4 or IPv6. Secondary IP Displays a list of secondary IP resources assigned to this interface. Hardware Type Displays the networking technology. Index Displays the unique numerical identifier for the interface.
15 Ucast Pkts Sent Displays the number of unicast packets sent through the interface. Ucast Pkts Received Displays the number of unicast packets received through the interface. Bcast Pkts Sent Displays the number of broadcast packets sent through the interface. Bcast Pkts Received Displays the number of broadcast packets received through the interface. Packet Fragments Displays the number of packet fragments transmitted or received through the interface.
15 The Transmit Errors field displays the following: Tx Errors Displays the number of packets with errors transmitted on the interface. Tx Dropped Displays the number of transmitted packets dropped from the interface. Tx Aborted Errors Displays the number of packets aborted on the interface because a clear-to-send request was not detected. Tx Carrier Errors Displays the number of carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
15 FIGURE 116 Access Point- Interface Network Graph screen RTLS Access Point Statistics The real time locationing system (RTLS) enables accurate location determination and presence detection capabilities for Wi-Fi-based devices, Wi-Fi-based active RFID tags and passive RFID tags. While the operating system does not support locationing locally, it does report the locationing statistics of both Aeroscout and Ekahau tags. To review a selected Access Point’s RTLS statistics: 1.
15 FIGURE 117 Access Point - RTLS screen The Access Point RTLS screen displays the following for Aeroscout tags: Engine IP Lists the IP address of the Aeroscout locationing engine. Engine Port Displays the port number of the Aeroscout engine. Send Count Lists the number location determination packets sent by the locationing engine. Recv Count Lists the number location determination packets received by the locationing engine.
15 The Access Point RTLS screen displays the following for Ekahau tags: Tag Reports Displays the number of tag reports received from locationing equipped radio devices supporting RTLS. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values. PPPoE Access Point Statistics The PPPoE statistics screen displays stats derived from the AP’s access to high-speed data and broadband networks.
15 The Configuration Information field screen displays the following: Shutdown Displays whether a high speed client mode point-to-point connection has been enabled using the PPPoE protocol. Service Lists the 128 character maximum PPPoE client service name provided by the service provider. DSL Modem Network (VLAN) Displays the PPPoE VLAN (client local network) connected to the DSL modem. This is the local network connected to DSL modem.
15 OSPF Summary OSPF To view OSPF summary statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation. 3. Select OSPF. The Summary tab displays by default.
15 The Summary tab describes the following information fields: General The general field displays the router ID assigned for this OSPF connection, RFC compliance information and LSA data. OSPF version 2 was originally defined within RFC versions 1583 and 2328. The general field displays whether compliance to these RFCs have been satisfied.
15 FIGURE 120 Access Point - OSPF Neighbor Info tab The Neighbor Info tab describes the following: Router ID Displays the router ID assigned for this OSPF connection. The router is a level three Internet Protocol packet switch. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier. However, since the router identifier is not an IP address, it does not have to be a part of any routable subnet in the network.
15 OSPF Area Details OSPF An OSPF network is subdivided into routing areas (with 32 bit area identifiers) to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network.
15 Router LSA Lists the Link State Advertisements of the router supporting each listed area ID. The router LSA reports active router interfaces, IP addresses, and neighbors. Network LSA Displays which routers are joined together by the designated router on a broadcast segment (e.g. Ethernet). Type 2 LSAs are flooded across their own area only. The link state ID of the type 2 LSA is the IP interface address of the designated route.
15 FIGURE 122 Access Point - OSPF External Routes tab External routes are external to area, originate from other routing protocols (or different OSPF processes) and are inserted into OSPF using redistribution. A stub area is configured not to carry external routes. Each external route can be tagged by the advertising router, enabling the passing of additional information between routers.
15 FIGURE 123 Access Point - OSPF Network Routes tab Network routes support more than two routers, with the capability of addressing a single physical message to all attached routers (broadcast). Neighboring routers are discovered dynamically using OSPF hello messages. This use of the hello protocol takes advantage of broadcast capability. An OSPF network route makes further use of multicast capabilities, if they exist. Each pair of routers on the network is assumed to communicate directly.
15 FIGURE 124 Access Point - OSPF Router Routes tab An internal (or router) route connects to one single OSPF area. All of its interfaces connect to the area in which it is located and does not connect to any other area. 8. Select the Refresh button (within any of the four OSPF Routes tabs) to update the statistics counters to their latest values. OSPF Interface OSPF An OSPF interface is the connection between a router and one of its attached networks.
15 FIGURE 125 Access Point - OSPF Interface tab The OSPF Interface tab describes the following: Interface Name Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes. Zero config and DHCP can be used to generate route addresses, or a primary and secondary address can be manually provided. Interface Index Lists the numerical index used for the OSPF interface. This interface ID is in the hello packets establishing the OSPF network connection.
15 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation. 3. Select OSPF. 4. Select the OSPF State tab. FIGURE 126 Access Point OSPF - State tab The OSPF State tab describes the following: OSPF state Displays the OSPF link state amongst neighbors within the OSPF topology. Link state information is maintained in a link-state database (LSDB) which is a tree image of the entire network topology.
15 Access Points use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables an Access Point to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between Mobility devices and other devices supporting the L2TP V3 protocol. To review a selected Access Point’s L2TPv3 statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen).
15 CTRL Connection ID Displays the router ID(s) sent in tunnel establishment messages with a potential peer device. Up Time Lists the amount of time the L2TP connection has remained established amongst peers sharing the L2TPv3 tunnel connection. The Up Time is displayed in a Days: Hours: Minutes: Seconds: format. If D:0 H:0 M:0 S:0 is displayed, the tunnel connection is not currently established. Encapsulation Protocol Displays either IP or UDP as the peer encapsulation protocol.
15 FIGURE 128 Access Point - VRRP screen 4. Refer to the Global Error Status field to review the various sources of packet errors logged during the implementation of the virtual route. Errors include the mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions. 5.
15 Critical Resources Access Point Statistics The Critical Resources statistics screen displays a list of device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the controller or service platform managed network. These device addresses are pinged regularly by managed Access Points. If there’s a connectivity issue, an event is generated stating a critical resource is unavailable.
15 The Access Point Critical Resource screen displays the following: Critical Resource Name Lists the name of the critical resource monitored by the Access Point. Critical resources are device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the network. These device addresses are pinged regularly by Access Points. If there’s a connectivity issue, an event is generated stating a critical resource is unavailable.
15 FIGURE 130 Access Point - LDAP Agent Status screen The LDAP Agent Status screen displays the following: LDAP Agent Primary Lists the primary IP address of a remote LDAP server resource used by the Access Point to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy’s data source is set to LDAP, this is the first resource for authentication requests.
15 FIGURE 131 Access Point - GRE Tunnels screen The Access Point GRE Tunnels screen displays the following: GRE State Displays the current operational state of the GRE tunnel. Peer IP Address Displays the IP address of the peer device on the remote end of the GRE tunnel. Tunnel Id Displays the session ID of an established GRE tunnel. This ID is only viable while the tunnel is operational.
15 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select Dot1x from the left-hand side of the UI. FIGURE 132 Access Point – Dot1x screen 4. Refer to the following Dot1xAuth statistics: AAA Policy Lists the AAA policy currently being utilized for authenticating user requests. Guest Vlan Control Lists whether guest VLAN control has been allowed (or enabled).
15 5. Review the following Dot1x Auth Ports utilization information: Name Lists the Access Point ge ports subject to automatic connection and authentication using Dot1x. Auth SM Lists the current authentication state of the listed port. Auth VLAN Lists the virtual interface utilized post authentication. BESM Lists whether an authentication request is pending on the listed port. Client MAC Lists the MAC address of requesting clients seeking authentication over the listed port.
15 Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a device address recognized in the local network. An address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address.
15 To view route entries: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select Network and expand the menu to reveal its sub menu items. 4. Select Route Entries.
15 The Bridge screen provides details about the Integrate Gateway Server (IGS), which is a router connected to an Access Point. The IGS performs the following: • • • • Issues IP addresses Throttles bandwidth Permits access to other networks Times out old logins The Bridging screen also provides information about the Multicast Router (MRouter), which is a router program that distinguishes between multicast and unicast packets and how they should be distributed along the Multicast Internet.
15 6. Select Refresh to update the counters to their latest values. IGMP Network Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The Access Point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the interested hosts are connected. On the wired side of the network, the Access Point floods all the wired interfaces.
15 The Multicast Router (MRouter) field displays the following: VLAN Displays the group VLAN where the multicast transmission is conducted. Learn Mode Displays the learning mode used by the router as either Static or PIM-DVMRP. Port Members Displays the ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc. MiNT IDs Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure Access Point profile communications at the transport layer.
15 FIGURE 137 Access Point - Network DHCP Options screen The DHCP Options screen displays the following: Server Information Displays the DHCP server hostname used on behalf of the Access Point. Image File Displays the image file name. BOOTP or the bootstrap protocol can be used to boot diskless clients. An image file is sent from the boot server. The image file contains the image of the operating system the client will run. DHCP servers can be configured to support BOOTP.
15 4. Select Cisco Discovery Protocol. FIGURE 138 Access Point - Network CDP screen The Cisco Discovery Protocol screen displays the following: Capabilities Displays the capabilities code for the device as either Router, Trans Bridge, Source Route Bridge, Host, IGMP or Repeater. Device ID Displays the configured device ID or name for each listed device. Local Port Displays the local port name (Access Point physical port) for each CDP capable device.
15 4. Select Link Layer Discovery. FIGURE 139 Access Point - Network LLDP screen The Link Layer Discovery Protocol screen displays the following: Capabilities Displays the capabilities code for the device as either Router, Trans Bridge, Source Route Bridge, Host, IGMP or Repeater. Device ID Displays the configured device ID or name for each device in the table. Enabled Capabilities Displays which device capabilities are currently enabled.
15 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select DHCP and expand the menu to reveal its sub menu items. 4. Select General. FIGURE 140 Access Point - DHCP Server General screen The Status table defines the following: Interfaces Displays the Access Point interface used with the DHCP resource for IP address provisioning.
15 5. The DDNS Bindings table displays the following: IP Address Displays the IP address assigned to the requesting client. Name Displays the domain name mapping corresponding to the listed IP address. 6. The DHCP Manual Bindings table displays the following: IP Address Displays the IP address for clients requesting DHCP provisioning resources. Client Id Displays the client’s ID used to differentiate requesting clients.
15 FIGURE 141 Access Point - DHCP Server Bindings screen The DHCP Bindings screen displays the following: Expiry Time Displays the expiration of the lease used by a requesting client for DHCP resources. IP Address Displays the IP address for each DHCP resource requesting client. DHCP MAC Address Displays the hardware encoded MAC address (client Id) of each DHCP resource requesting client.
15 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand the a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select DHCP and expand the menu to reveal its sub menu items. 4. Select Networks. The DHCP Networks screen displays the following: FIGURE 142 Access Point - DHCP Network screen Name Displays the name of the DHCP pool.
15 This screen is partitioned into the following: • • • • • • Packet Flows Denial of Service IP Firewall Rules MAC Firewall Rules NAT Translations DHCP Snooping Packet Flows Firewall The Packet Flows screen displays data traffic packet flow utilization. The chart represents the different protocol flows supported, and displays a proportional view of the flows in respect to their percentage of data traffic utilized. The Total Active Flows graph displays the total number of flows supported.
15 FIGURE 143 Access Point - Firewall Packet Flows screen Denial of Service Firewall A denial-of-service attack (DoS attack) or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of concerted efforts to prevent an Internet site or service from functioning efficiently.
15 FIGURE 144 Access Point - Firewall Denial of Service screen The Denial of Service screen displays the following: Attack Type Displays the Denial of Service (DoS) attack type. Count Displays the number of times the Access Point’s firewall has detected each listed DoS attack. Last Occurrence Displays the when the attack event was last detected by the Access Point firewall. Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection.
15 FIGURE 145 Access Point - Firewall IP Firewall Rules screen The IP Firewall Rules screen displays the following: Precedence Displays the precedence value applied to packets. The rules within an Access Control Entries (ACL) list are based on precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence. Friendly String The friendly string provides information as to which firewall the rules apply.
15 FIGURE 146 Access Point - Firewall MAC Firewall Rules screen The MAC Firewall Rules screen displays the following information: Precedence Displays a precedence value, which are applied to packets. The rules within an Access Control Entries (ACL) list are based on their precedence. Every rule has a unique precedence between 1 and 5000. You cannot add two rules with the same precedence value. Friendly String This is a string that provides information as to which firewall the rules apply.
15 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select Firewall and expand the menu to reveal its sub menu items. 4. Select NAT Translations.
15 When DHCP servers are allocating IP addresses to clients on the LAN, DHCP snooping can be configured to better enforce the security on the LAN to allow only clients with specific IP/MAC addresses. 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select Firewall and expand the menu to reveal its sub menu items. 4.
15 Lease Time When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease time is the time an IP address is reserved for re-connection after its last use. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses.
15 FIGURE 149 Access Point - VPN IKESA screen 5. Review the following VPN peer security association statistics: Peer Lists peer IDs for peers sharing security associations (SA) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination. Version Displays each peer’s IKE version used for auto IPSec secure authentication with the IPSec gateway and other controllers or service platforms.
15 FIGURE 150 Access Point - VPN IPSec screen 5. Review the following VPN peer security association statistics: Peer Lists IP addresses for peers sharing security associations (SAs) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination. Local IP Address Displays each listed peer’s local tunnel end point IP address. This address represents an alternative to an interface IP address.
15 • Trustpoints • RSA Keys Trustpoints Certificates Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporate or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate. 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen).
15 The Certificate Details field displays the following: Subject Name Lists details about the entity to which the certificate is issued. Alternate Subject Name Displays alternative details to the information specified under the Subject Name field. Issuer Name Displays the name of the organization issuing the certificate. Serial Number The unique serial number of the certificate issued.
15 FIGURE 152 Access Point - Certificate RSA Keys screen The RSA Key Details field displays the size (in bits) of the desired key. If not specified, a default key size of 1024 is used. The RSA Public Key field lists the public key used for encrypting messages. 5. Periodically select the Refresh button to update the screen’s statistics counters to their latest values.
15 This Client Blacklist displays blacklisted clients detected by this Access Point using WIPS. Blacklisted clients are not allowed to associate to this Access Points. To view the WIPS client blacklist for this Access Point: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3.
15 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select WIPS and expand the menu to reveal its sub menu items. 4. Select WIPS Events. FIGURE 154 Access Point - WIPS Events screen The WIPS Events screen provides the following: Event Name Displays the name of the detected wireless intrusion event.
15 3. Select Sensor Servers. FIGURE 155 Access Point - Sensor Servers screen The Sensor Servers screen displays the following: IP Address/Hostname Displays a list of sensor server IP addresses or administrator assigned hostnames. These are the server resources available to the Access Point for the management of data uploaded from dedicated sensors. Port Displays the numerical port where the sensor server is listening. Unconnected server resources are not able to provide sensor reporting.
15 FIGURE 156 Access Point - Captive Portal screen The Captive Portal screen displays the following: Client MAC Displays the MAC address of requesting wireless clients. The client address displays as a link that can be selected to display configuration and network address information in greater detail. Client IP Displays the IP addresses of captive portal resource requesting wireless clients. Captive Portal Displays the IP address of the captive portal page.
15 • NTP Association NTP Status Network Time To view the Network Time statistics of an Access Point: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3. Select Network Time.
15 Root Delay The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets. The values that normally appear in this field range from negative values (a few milliseconds) to positive values (several hundred milliseconds). Root Dispersion The difference between the time on the root NTP server and its reference clock. The reference clock is the clock used by the NTP server to set its own clock.
15 The NTP Association screen displays the following: Delay Time Displays the round-trip delay (in seconds) for broadcasts between the NTP server and the Access Point. Display Displays the time difference between the peer NTP server and the Access Point’s clock. Offset Displays the calculated offset between the Access Point and the NTP server. The Access Point adjusts its clock to match the server’s time value. The offset gravitates towards zero, but never completely reduces its offset to zero.
15 FIGURE 159 Access Point - Load Balancing screen The Load Balancing screen displays the following: Load Balancing Select any of the options to display any or all of the following information in the graph below: AP Load, 2.4GHz Load, 5GHz Load, and Channel. The graph section displays the load percentages for each of the selected variables over a period of time, which can be altered using the slider below the upper graph.
15 An BR1240 sensor module is a USB environmental sensor extension to an AP-8132 model Access Point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the BR1240's radio coverage area. The output of the sensor's detection mechanisms are viewable using either the Environmental Sensor screen. To view an BR1240 model Access Point’s environmental statistics: 1. Select the Statistics menu from the Web UI. 2.
15 Light intensity is measured by the sensor in lumens. The table displays the Current Light Intensity (lumens) and a 20 Minute Average of Light Intensity (lumens). Compare these two items to determine whether the deployment location remains consistently lit, as an administrator can power off the Access Point’s radios when no activity is detected in the immediate deployment area. For more information, see Setting a Profile’s Environmental Sensor Configuration (BR1240 Only) on page 8-530. 5.
15 Temperature is measured in centigrade. The table displays the Current Temperature (centigrade) and a 20 Minute Average Temperature (centigrade). Compare these two items to determine whether the BR1240’s deployment location remains consistently heated. For more information on enabling the sensor, see Setting a Profile’s Environmental Sensor Configuration (BR1240 Only) on page 8-530. 9. Refer to the Temperature Trend Over Last Hour graph to assess the fluctuation in ambient temperature over the last hour.
15 Motion is measured in intervals. The table displays the Current Motion (count per interval) and a 20 Minute Average Motion (count per interval). Compare these two items to determine whether the BR1240’s deployment location remains consistently occupied by client users. For more information on enabling the sensor, see Setting a Profile’s Environmental Sensor Configuration (BR1240 Only) on page 8-530. 13.
15 Humidity is measured in percentage. The table displays the Current Humidity (percent) and a 20 Minute Average Humidity (percent). Compare these two items to determine whether the BR1240’s deployment location remains consistently humid (often a by-product of temperature). For more information on enabling the sensor, see Setting a Profile’s Environmental Sensor Configuration (BR1240 Only) on page 8-530. 17.
15 FIGURE 164 Wireless Client - Health screen The Wireless Client field displays the following: Client MAC Displays the factory encoded MAC address of the selected wireless client. Hostname Lists the hostname assigned to the client when initially managed by the controller, service platform or Access Point. Vendor Displays the vendor name (manufacturer) of the wireless client. State Displays the current operational state of the wireless client.
15 The User Details field displays the following: Username Displays the unique name of the administrator or operator managing the client’s connected Access Point, controller or service platform. Authentication Lists the authentication scheme applied to the client for interoperation with the Access Point. Encryption Lists the encryption scheme applied to the client for interoperation with the Access Point.
15 The Traffic Utilization table displays the following: Total Bytes Displays the total bytes processed by the Access Point’s connected wireless client. Total Packets Displays the total number of packets processed by the wireless client. User Data Rate Displays the average user data rate in both directions. Physical Layer Rate Displays the average packet rate at the physical layer in both directions. Tx Dropped Packets Displays the number of packets dropped during transmission.
15 FIGURE 165 Wireless Client - Details screen The Wireless Client field displays the following: SSID Displays the client’s Service Set ID (SSID). Hostname Lists the hostname assigned to the client when initially managed by the controller, service platform or Access Point managed network. Device Type Displays the client device type providing the details to the operating system.
15 Role Lists the client’s defined role in the controller, service platform or Access Point managed network. Role Policy Lists the user role set for the client as it became a controller, service platform or Access Point managed device. Client Identity Displays the unique vendor identity of the listed device as it appears to its adopting controller or service platform. Client Identity Precedence Lists the numeric precedence this client uses in establishing its identity amongst its peers.
15 The Association field displays the following: AP Displays the MAC address of the client’s connected Access Point. BSS Displays the Basic Service Set (BSS) the Access Point belongs to. A BSS is a set of stations that can communicate with one another. Radio Number Displays the Access Point radio the wireless client is connected to. Radio Type Displays the radio type. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
15 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, an Access Point, then a connected client. 3. Select Traffic. FIGURE 166 Wireless Client - Traffic screen Traffic Utilization statistics employ an index, which measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to the maximum possible throughput.
15 Rx Errors Displays the errors encountered by the client during data transmission. The higher the error rate, the less reliable the connection or data transfer between client and connected Access Point. Rx Actions Displays the number of receive actions during data transmission with the client’s connected Access Point. Rx Probes Displays the number of probes sent.
15 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, an Access Point, then a connected client. 3. Select WMM TPSEC. FIGURE 167 Wireless Client - WMM TPSEC screen The top portion of the screen displays the TSPEC stream type and whether the client has roamed.
15 Refer to the Association History screen to review this client’s Access Point connections. Hardware device identification, operating channel and GHz band data is listed for each Access Point. The Association History can help determine whether the client has connected to its target Access Point and maintained its connection, or has roamed and been supported by unplanned Access Points in the controller or service platform managed network. To view a selected client’s association history: 1.
15 Use the client Graph to assess a connected client’s radio performance and diagnose performance issues that may be negatively impacting performance. Up to three selected performance variables can be charted at one time. The graph uses a Y-axis and a X-axis to associate selected parameters with their performance measure. To view a graph of this client’s statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen).
15 To access the developer interface: 1. Connect to controller using its existing IP address, but append /stats to the end of the IP address as follows: http:///stats or https:///stats The following login screen displays for the developer interface: FIGURE 170 Developer Interface - Login screen 2. Provide the same Username and Password credentials you’re currently utilizing for a typical controller login.
15 FIGURE 172 Developer Interface -File Download screen 2. Open the zip archive and review the Readme file to assess the contents and how they can be leveraged for API creation and modification. Sample Ruby Client A sample ruby client is provided as part of this package. The Ruby client can be used as a sample to pull statistics data from NXAnalytics. The response from NXAnalytics is in JSON format. Contents Readme.txt file. Ruby script files: NXAStatsClient.rb NXARESTClient.rb NXAResultsJSONParser.
15 Additional Ruby Gems needed to run the sample client are the following. - ipaddress - json - rest-client Please install the gems before running the sample client.
15 Refer to the toolkit’s API functionality to review a collection of APIs for specifc feature groups, including captive portals, client associations and disassociations, client stats, RF Domains. To review the toolkit’s canned set of APIs: 1. Select API from the Web UI. FIGURE 173 Developer Interface - API 2. Select an available feature from the catalog of features. An administrator can either launch a query for a selected feature or select catalog to expose the schema for a selected feature. 3.
15 FIGURE 174 Developer Interface - API Raw Query Interface 4. Select Go to initiate the query for the selected item.
15 FIGURE 175 Developer Interface - API Raw Query Results The results of the query display the values currently set for the selected feature. This information cannot be manipulated as a configurable API attribute, though this information can be utilized as criteria for API attribute creation. 5. From the NX2 Features Interface, select a feature from those available and select catalog.
15 FIGURE 176 Developer Interface - API Catalog The catalog item selection displays the values currently set for the selected feature. As with queries, this information cannot be manipulated as a configurable API attribute, though this information can be utilized as criteria for API attribute creation.
15 990 Brocade Mobility RFS Controller System Reference Guide 53-1003099-01
Chapter 16 Analytics A RFS9510 model service platforms (NOC) can provide granular and robust analytic reporting for a RFS4000, RFS6000 or RFS7000 controller managed network. Using analytics, data is collected and reported at varying intervals. Analytic data is culled from WLANs at either the system, RF Domain, controller/service platform or Access Point level. Analytics can parse and process events within the NOC managed network as events are received.
16 FIGURE 1 System Analytics - Captive Portal screen 3. Refer to the upper, right-hand, portion of the analytics interface and define the trending period for the data displayed. Options include Last 1 Day, Last 3 Days, Last 1 Week, Last 2 Weeks, Last 3 Weeks, Last 1 Month, Last 2 Months or Last 3 Months. Today is the default setting for trending analytics data. 4.
16 Search Terms Lists the number of unique clients who searched for using a search term. Each display option lists the search term and the number of times each term was searched by a connected captive portal client. For example, if there’s two clients (clients A and B), and client A searched for "brocade" 5 times and B searched for "brocade" 2 times. The count would be 2 and not 7. As with URLs, search terms are normalized (aggregated daily).
16 6. Refer to the following Client Analytics trended at the selected interval: Hostname Lists the administrator assigned hostname set for each listed client when connected to the controller, service platform or Access Point managed network. Mac Address Displays the factory encoded MAC address for the listed client as a hardware manufacturing ID.
16 7. The Web Activity field display by default with the following content trended in the selected interval: Bandwidth Displays the client’s Web activity bandwidth utilization in Bits per second (Bps) in either chart or table format. URL Visited Displays URLs visited by a selected client in either chart or table format. Either display contains the Web destination URL and the number of times the URL was accessed by the client.
16 FIGURE 5 System Analytics - Client RF screen 11. Refer to the following client RF analytics trended in the selected interval: RF Quality Index Displays the overall effectiveness of the system-wide RF environment as a percentage of the connect rate in both directions.
16 13. Refer to the following system-wide power level, channel and coverage Smart RF analytics trended in real-time at the administrator defined interval: Power Level Changes Displays the number of Smart RF power level compensations made for the system’s RF Domains during the defined analytic reporting interval.
16 FIGURE 7 RF Domain Analytics - Traffic screen 5. Refer to the upper, right-hand, portion of the analytics interface and define the trending period for the data displayed. Options include Last 1 Day, Last 3 Days, Last 1 Week, Last 2 Weeks, Last 3 Weeks, Last 1 Month, Last 2 Months or Last 3 Months. Today is the default setting for trending analytics data. 6.
16 Bandwidth Usage Lists RF Domain member bandwidth utilization (in Kbps) to help an administrator assess periods os sustainable versus unsustainable activity. Average Client Count per AP Displays RF Domain member Access Points and their connected client counts. Assess whether particular client counts are excessive, and whether loads can be better distributed amongst RF Domain member Access Points. Client analytics are trended every 75 minutes.
16 8. Refer to the following RF analytics trended for a selected RF Domain: RF Quality Index Displays the trended graph of the effectiveness of a selected RF Domain’s RF environment as a percentage of the connect rate in both directions. The RF quality index value can be interpreted as: • 0 – 20 (Very low utilization) • 20 – 40 (Low utilization) • 40 – 60 (Moderate utilization) • 60 and above (High utilization).
16 11. Refer to the following RF Domain power level, channel and coverage adjustment Smart RF analytics: Total Power Changes Lists the total trended number of power compensations required by RF Domain member radios to account for the power load requirements of offline or poor performing radios. Total Channel Changes Lists the total trended number of channel compensations required by RF Domain member radios to account for the channel support requirements offline or poor performing radios.
16 FIGURE 10 Wireless Controller Analytics screen 4. Optionally select the Resource Usage button to display a subscreen trending the service platform’s RAM Usage (in MB) and Disk Usage (in GB). Periodically revisit the service platform’s resource usage to assess whether resources are jeopardized at certain times of the day or repeatable patterns are observable that can assist in administration. 5.
16 4. Use the Radio drop-down menu to refine whether traffic statistics are reported an Access Point’s 2.4 or 5 GHz radio. Refer to the arrow icon located in the top, right-hand, side of each panel to define whether the display is in Chart format, a Table or whether you would like the output for that parameter saved as a PDF report at a user specified location. FIGURE 11 Access Point Analytics - Traffic screen 5.
16 7. Select RF to display Access Point RF quality analytics. FIGURE 12 8. Access Point Analytics - RF screen Refer to the following RF analytics trended for a selected Access Point: RF Quality Index Displays the trended graph of the effectiveness of a selected Access Point’s RF environment as a percentage of the connect rate in both directions.
16 Review the following within the Event Monitor to assess if an individual event requires further administration to improve network performance: Severity Lists the severity for each analytic event. Severity levels include 0 - Emergency, 1 - Alert, 2 - Critical, 3 - Errors, 4 - Warning, 5 - Notice, 6 - Info and 7 - Debug. The default logging level is 4.
