Brocade Mobility RFS7000-GR Controller System Reference Guide
Supporting software release 4.1.0
53-1001944-01, September 2010
Copyright © 2010 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Table of Contents
1 Overview 1
In this chapter 1
Hardware overview 1
Physical specifications
Viewing switch licenses 72
How to use the filter option 74
4 Network Setup 75
In this chapter
Viewing adopted access ports 211
Viewing unadopted access ports 213
Access port configuration
Configuring Discovery Profiles 292
Viewing discovered switches 295
Locationing
Setting IKE policies 376
Viewing SA statistics 380
Configuring IPSec VPN
Displaying the main diagnostic interface 467
Switch environment 467
CPU performance
General troubleshooting 507
Wireless switch issues 507
Access Port Issues
About This Document
In this chapter
• Audience xi
• Supported hardware and software xi
• Document conventions xi
• Web support sites
Document conventions
bold text: Identifies command names, the names of user-manipulated GUI elements, keywords, and text to enter at the GUI or CLI.
italic text: Provides emphasis, identifies variables, and identifies document titles.
code text: Identifies CLI output.
For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, controllerShow. In actual examples, command lettercase is often all lowercase.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Web support sites
Customer Support Web Site: The Brocade Support Central Web site, located at www.brocade.com/support, provides information and online assistance including developer tools, software downloads, product manuals and online repair requests.
Downloads: http://www.brocade.
Chapter 1 Overview
In this chapter
• Hardware overview 1
• Software overview 3
• Standards support 29

A Brocade wireless controller is a centralized management solution for wireless networking.
Hardware overview
Physical specifications
The physical dimensions and operating parameters of the Brocade Mobility RFS7000-GR Controller include:
Width: 440 mm (17.32 in)
Height: 44.45 mm (1.75 in)
Depth: 390.8 mm (15.38 in)
Weight: 6.12 kg (13.5 lbs)
Operating Temperature: 0°C to 40°C (32°F to 104°F)
Operating Humidity: 5% to 85% RH, non-condensing
A power cord is not supplied with a Brocade Mobility RFS7000-GR Controller. Use only a correctly rated power cord certified for the country of operation.
Software overview
The switch includes a robust set of features.
Text based configuration
The configuration is stored in a human readable format (as a set of CLI commands). Because the file is plain text, any secret entered on the CLI (for example a password or shared key) is readable by anyone who can view or export the configuration; restrict access to configuration files accordingly.

Diagnostics
The following diagnostics are available:
1. In-service Diagnostics – In-service diagnostics provide a range of automatic health monitoring features ensuring both the system hardware and software are in working order.
Log message format is similar to the format used by syslog messages (RFC 3164). Log messages include message severity, source (facility), the time the message was generated and a textual message describing the situation triggering the event. For more information on using the switch logging functionality, see “Configuring system logging” on page 473.

Process monitor
The switch Process Monitor checks to ensure processes under its control are up and running.
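The log format described above is the one a collector has to parse before it can alert on severity or facility. The following parser is an added example and is not code from the Brocade guide or the switch's own software; the sample lines are constructed for illustration and are not real RFS7000 output. It decodes the RFC 3164 PRI field into facility and severity, splits off the timestamp, host and tag, and filters by minimum severity while skipping malformed input instead of failing on it.

```python
"""Parse RFC 3164-style syslog lines into facility, severity, timestamp, host, tag and message."""
import re
from dataclasses import dataclass
from typing import Optional

# Severity 0 is most severe; index in this list equals the numeric code (RFC 3164 4.1.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MESSAGE   (RFC 3164 section 4.1)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$"
)
_TAG = re.compile(r"^(?P<tag>[A-Za-z0-9_.\-/]{1,32})(\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: Optional[str]
    message: str


def parse_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity; the value is bounded to 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line: str) -> SyslogEvent:
    """Parse one line; raise ValueError for anything that is not RFC 3164-shaped."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    facility, severity = parse_pri(int(m["pri"]))
    body = m["body"]
    t = _TAG.match(body)
    if t:
        tag, msg = t["tag"], t["msg"]
    else:
        tag, msg = None, body          # no TAG: the whole body is the message
    return SyslogEvent(facility, severity, m["ts"], m["host"], tag, msg)


def events_at_or_above(lines, min_severity: str):
    """Return parsed events whose severity is at least min_severity (lower index = more severe)."""
    threshold = SEVERITIES.index(min_severity)
    out = []
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            continue                   # untrusted input: skip malformed lines rather than crash
        if SEVERITIES.index(ev.severity) <= threshold:
            out.append(ev)
    return out


# Constructed sample lines (not real switch output). 188 = local7.warning, 190 = local7.info,
# 37 = auth.notice; the last line is deliberately malformed.
SAMPLE_LINES = [
    "<188>Sep  1 12:00:01 rfs7000 wireless: AP 00-A0-F8-00-00-01 unadopted",
    "<190>Sep  1 12:00:02 rfs7000 login: user admin logged in from 10.0.0.5",
    "<37>Sep  1 12:00:03 rfs7000 sshd[1234]: Failed password for invalid user root",
    "garbage line without a PRI",
]

if __name__ == "__main__":
    for ev in events_at_or_above(SAMPLE_LINES, "notice"):
        print(f"{ev.facility}.{ev.severity} {ev.host} {ev.tag}: {ev.message}")
```

The severity threshold is what a collector would use to route switch events; the facility value is whatever the switch was configured to send, so it is decoded from PRI rather than assumed.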
• Accurate NTP time is required for time-sensitive user authentication on the switch (for example, Kerberos tickets and certificate validity periods).
• Secure NTP (abbreviated SNTP in this guide; not the Simple Network Time Protocol of RFC 4330) clients can be configured to synchronize switch time with an external NTP server. For information on configuring the switch to support SNTP, see “Configuring secure NTP” on page 258.

Password recovery
The switch has a means of restoring its password to its default value.
Adaptive AP
An adaptive AP (AAP) is a Brocade Mobility 7131N-FGR Access Point adopted by a wireless switch. The management of an AAP is conducted by the switch, once the Access Point connects to the switch and receives its AAP configuration. An AAP provides:
• local 802.
802.11bg
• Dual mode b/g protection – ERP builds on the payload data rates of 1 and 2 Mbit/s that use DSSS modulation and on the payload data rates of 1, 2, 5.5, and 11 Mbit/s that use DSSS, CCK, and optional PBCC modulations. ERP provides additional payload data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s. The transmission and reception capability for the 1, 2, 5.5, 11, 6, 12, and 24 Mbit/s data rates is mandatory.
8. A RADIUS server authenticates the user.
9. Upon successful authentication, the user is directed to a Welcome Page that lists (among other things) an Acceptable Use Policy.
10. The user agrees to the usage terms and is granted access to the Internet (or other network services).
To set up a hotspot, create a WLAN ESSID and select Hotspot authentication from the Authentication menu.
When an AP fails, the Tx Power/Supported rates of APs neighboring the failed AP are adjusted. The Tx power is increased and/or Supported rates are decreased. When the failed AP becomes operational again, the neighbor APs' Tx Power/Supported rates are brought back to the levels they had before the self healing operation changed them. The switch detects an AP failure when:
• The AP stops sending heartbeats.
• AP beacons are no longer being sent.
• The maximum number of WLANs per switch
• The maximum number of Access Ports adopted per switch
• The maximum number of MUs per switch
• The maximum number of MUs per Access Port
The actual number of Access Ports adoptable by a switch is defined by the switch licenses or the total licenses in the cluster in which this switch is a member.

AP and MU load balancing
Fine tune a network to evenly distribute data and/or processing across available resources.
Interswitch Layer 2 roaming
An associated MU (connected to a switch) can roam to another Access Port connected to a different switch. Both switches must be on the same Layer 2 domain. Authentication information is not shared between the switches, nor are buffered packets on one switch transferred to the other. Pre-authentication between the switch and MU allows faster roaming.
802.11e QoS
802.11e enables real-time audio and video streams to be assigned a higher priority over data traffic. The switch supports the following 802.11e features:
• Basic WMM
• WMM Linked to 802.1p Priorities
• WMM Linked to DSCP Priorities
• Fully Configurable WMM Admission Control
• Unscheduled-APSD
• TSPEC Negotiation
• Block ACK
• QBSS Beacon Element

802.1p support
802.1p is a standard for providing QoS in 802-based networks. 802.
1. When a new AP is adopted, it scans each channel. However, the switch does not forward traffic at this time.
2. The switch then selects the least crowded channel based on the noise and traffic detected on each channel.
3. The algorithm used is a simplified maximum entropy algorithm for each radio, where the signal strength from adjoining APs and from MUs associated to adjoining APs is minimized.
4.
• Unicast From Mobile Unit – Frames are decrypted, converted from 802.11 to 802.3 and switched to the wired side of the VLAN dynamically assigned to the mobile device. If the destination is another mobile device on the wireless side, the frame is encrypted and switched over the air.
• Unicast To Mobile Unit – The frame is checked to ensure its VLAN is the same as that assigned to the mobile device. It is then converted to an 802.11 frame, encrypted, and sent over the air.
• DHCP user class options
• DDNS
• VLAN enhancements
• Interface management

DHCP servers
Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses as well as discover information about the network to which they are attached. Each subnet may be configured with its own address pool. Whenever a DHCP client requests an IP address, the DHCP server assigns an IP address from that subnet’s address pool.
• You can now configure a set of allowed VLANs on a trunk port. Packets received on this port that belong to other VLANs are discarded.

Interface management
The switch’s physical interfaces auto-negotiate speed and duplex. The switch also allows:
• Manual bandwidth configuration of a physical interface speed to 10/100/1000 Mbps.
• Manual duplex configuration of a physical interface to Full Duplex or Half Duplex.
• Local RADIUS server
• IPSec VPN
• NAT
• Certificate management

Encryption and authentication
The switch can implement the following encryption and authentication types:
• WEP
• WPA
• WPA2
• Keyguard-WEP

WEP
Wired Equivalent Privacy (WEP) is an encryption scheme used to secure wireless networks. WEP was intended to provide comparable confidentiality to a traditional wired network, hence the name. In practice WEP's RC4-based keying is cryptographically broken and a WEP key can be recovered from captured traffic; use WPA2 wherever the client population allows, and treat any WLAN that must remain on WEP as an untrusted segment.
MU authentication
The switch uses the following authentication schemes for MU association:
• Kerberos
• 802.1x EAP
• MAC ACL
Refer to “Editing the WLAN configuration” on page 100 for additional information. Note that a MAC ACL only filters on a client-supplied address that is trivially spoofed; it is an access-control convenience, not an authentication mechanism, and should be combined with 802.1x EAP or Kerberos rather than used alone.

Kerberos
Kerberos allows for mutual authentication and end-to-end encryption. All traffic is encrypted and security keys are generated on a per-client basis. Keys are never shared or reused, and are automatically distributed in a secure manner.
MU to MU disallow
Use MU to MU Disallow to restrict MU to MU communication within a WLAN. The default is ‘no’, which allows MUs to exchange packets with other MUs. It does not prevent MUs on other WLANs from sending packets to this WLAN; you would have to enable MU to MU Disallow on the other WLAN as well. To define how MU to MU traffic is permitted for a WLAN, see “Editing the WLAN configuration” on page 100.

802.1x authentication
802.
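The two unicast forwarding rules described earlier (a frame to a mobile unit is forwarded only in the VLAN assigned to that MU) and the per-WLAN MU to MU Disallow setting above interact in a way that is easy to misread, so here is a small model of the decision as an added example. It is not code from the Brocade guide and does not show the switch's real data path; the table layout, function names and sample MU bindings are assumptions made for the illustration, and the reading that Disallow is enforced on the sender's WLAN follows the guide's statement that it must be enabled on the other WLAN too.

```python
"""Model of the controller's unicast forwarding checks: VLAN enforcement towards an MU,
and MU-to-MU Disallow applied per WLAN on the sending side."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MU:
    mac: str
    wlan: str
    vlan: int        # VLAN dynamically assigned to the MU at association


class ForwardingModel:
    def __init__(self, mus, mu_to_mu_disallow):
        self.mus = {m.mac.lower(): m for m in mus}
        self.disallow = {w: bool(v) for w, v in mu_to_mu_disallow.items()}  # wlan -> enabled

    def forward(self, src_mac: str, dst_mac: str, ingress_vlan: Optional[int] = None) -> str:
        """Return where a unicast frame goes: 'air', 'wired', or 'drop:<reason>'.

        ingress_vlan is the VLAN a wired-side frame arrived on; it is ignored for frames
        from an MU, which are always placed in the VLAN assigned to that MU.
        """
        src = self.mus.get(src_mac.lower())
        dst = self.mus.get(dst_mac.lower())
        if src is not None:
            vlan = src.vlan
        elif ingress_vlan is not None:
            vlan = ingress_vlan
        else:
            return "drop:unknown-source"
        if dst is None:
            return "wired"                     # not an MU: switched to the wired side of the VLAN
        if vlan != dst.vlan:
            return "drop:vlan-mismatch"        # frame's VLAN must equal the destination MU's VLAN
        # Disallow is checked on the sender's WLAN. An MU on a WLAN where it is not enabled
        # can still reach MUs on this WLAN; that is why the guide says to enable it on both.
        if src is not None and self.disallow.get(src.wlan, False):
            return "drop:mu-to-mu-disallow"
        return "air"


# Constructed sample bindings and policy (not taken from a real switch).
SAMPLE_MUS = [
    MU("00:11:22:00:00:0a", "guest", 10),
    MU("00:11:22:00:00:0b", "guest", 10),
    MU("00:11:22:00:00:0c", "corp", 20),
    MU("00:11:22:00:00:0d", "iot", 10),
]
SAMPLE_POLICY = {"guest": True, "corp": False, "iot": False}


def demo() -> dict:
    """Run the representative cases and return the decision for each."""
    m = ForwardingModel(SAMPLE_MUS, SAMPLE_POLICY)
    wired_host = "00:11:22:ff:ff:ff"
    return {
        "guest->guest": m.forward("00:11:22:00:00:0a", "00:11:22:00:00:0b"),
        "iot->guest": m.forward("00:11:22:00:00:0d", "00:11:22:00:00:0a"),
        "corp->guest": m.forward("00:11:22:00:00:0c", "00:11:22:00:00:0a"),
        "guest->wired": m.forward("00:11:22:00:00:0a", wired_host),
        "wired(v10)->guest": m.forward(wired_host, "00:11:22:00:00:0a", ingress_vlan=10),
        "wired(v20)->guest": m.forward(wired_host, "00:11:22:00:00:0a", ingress_vlan=20),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:20s} {decision}")
```

The iot->guest case is the one to notice: both WLANs share VLAN 10, Disallow is enabled only on guest, so a device on iot can still reach a guest client until Disallow is also enabled on iot, or the WLANs are placed in different VLANs.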
The Access Port does not make use of any parameters (such as MAC based authentication, VLAN based etc.) configured on the RADIUS Server.

WIPS
The Brocade Wireless Intrusion Protection Software (WIPS) monitors for any presence of unauthorized rogue Access Points. Unauthorized attempts to access the WLAN are generally accompanied by anomalous behavior as intruding MUs try to find network vulnerabilities.
SNMP Trap on discovery
An SNMP trap is sent for each detected Rogue AP. Rogue APs are only detected, and notification is provided via an SNMP trap; no containment is performed, so the trap must be acted on by an operator or a monitoring system.
NOTE
Wired side scanning for Rogue APs using WNMP is not supported. Similarly, RADIUS lookup for approved APs is not provided.

Authorized AP lists
Configure a list of authorized Access Ports based on their MAC addresses. Because a rogue can clone an authorized BSSID, treat the MAC-based list as a first filter and verify alerts against the wired inventory.
• Remote VPN — Provides remote users the ability to access company resources from outside the company premises.
The switch supports:
• IPSec termination for site to site
• IPSec termination for remote access
• IPSec traversal of firewall filtering
• IPSec traversal of NAT
• IPSec/L2TP (client to switch)

NAT
Network Address Translation (NAT) is supported for packets routed by the switch.
• Brocade Mobility 7131N-FGR Access Point
1.1 IEEE standards support
IEEE 802.11a: Yes. Notes: The IEEE 802.11a standard is fully supported on the following Switch Platforms: Brocade Mobility RFS7000-GR Controller. The IEEE 802.11a standard is fully supported on the following AP Platforms: Brocade Mobility 7131N-FGR Access Point.
IEEE 802.11b: Yes. Notes: The IEEE 802.11b standard is fully supported on the following Switch Platforms: Brocade Mobility RFS7000-GR Controller. The IEEE 802.
IEEE 802.11i: Yes. Notes: The 802.11i standard for encryption and authentication is fully supported. Additionally, 802.11i PMK Caching, Opportunistic PMK Caching and Pre-Authentication are implemented. The IEEE 802.11i standard is fully supported on the following Switch Platforms: Brocade Mobility RFS7000-GR Controller. The IEEE 802.
IEEE 802.1x: Yes. Notes: Full support for IEEE 802.1x authentication, either with the fully functional integrated RADIUS server built into the RF Switches and Access Points or with an external RADIUS server such as Microsoft IAS, Microsoft NPS, Cisco Secure ACS, FreeRADIUS and Juniper Steel Belted RADIUS (to name a few).
IEEE 802.3ab: Yes. Notes: The IEEE 802.3ab (1000BASE-T) standard is fully supported on the following Switch Platforms: Brocade Mobility RFS7000-GR Controller. The IEEE 802.3ab (1000BASE-T) standard is fully supported on the following AP Platforms: Brocade Mobility 7131N-FGR Access Point.
IEEE 802.3z: Yes. Notes: The IEEE 802.
Standards support
RFC 768 UDP: Yes. Notes: The Brocade Mobility RFS7000-GR Controller supports IP, UDP, TCP for various management and control functions and Switch -> AP communications.
RFC 791 IP: Yes. Notes: In addition, full IPv4 routing support is provided on the RF Switch, and IPv4 is supported on the wired / wireless stateful inspection firewall.
RFC 2408 ISAKMP: Yes
RFC 2409 IKE (IKE version 1): Yes
RFC 2451 ESP CBC-Mode Cipher Algorithms: Yes
RFC 2459 Internet X.
RFC 2616 HTTP: Yes
RFC 2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and Virtual LAN Extensions: Yes
RFC 2819 RMON MIB: Yes
RFC 2863 Interfaces Group MIB: Yes
RFC 3164 Syslog: Yes
RFC 3414 User-Based Security Model (USM) for SNMPv3: Yes
RFC 3418 MIB for SNMP: Yes
Web-based: HTTP/HTTPS: Yes
Command-line interface: Telnet, SSH, serial port: Yes
Of the management channels listed, Telnet and HTTP carry credentials in cleartext; prefer SSH, HTTPS and SNMPv3 with USM for management access, and disable the cleartext variants where the deployment allows.
Chapter 2 Controller Web UI Access and Image Upgrades
In this chapter
• Accessing the switch Web UI
• Switch password recovery
• Upgrading the switch image
• Auto installation

Accessing the switch Web UI
Web UI requirements
The switch Web UI is accessed using Internet Explorer version 5.5 (or later) and SUN JRE (Java Runtime Environment) 1.5 (or later). Refer to the Sun Microsystems Web site for information on downloading JRE.
1. Point the browser to the IP address assigned to the wired Ethernet port (port 2). Specify a secure connection using the https:// protocol. The switch login screen displays.
2. Enter the Username admin, and Password admin123. Both are case-sensitive. Click the Login button. These are the published factory default credentials; change the admin password at the first login, before the switch is reachable from any network you do not fully control.
NOTE
When logging in over HTTPS, you may encounter a certificate Warning screen if a self-signed certificate has not been created and installed for the switch. The browser will continue to warn until it trusts the certificate's issuer; verify the certificate fingerprint out of band before accepting it.
Once the Web UI is accessed, the Switch main menu item displays a configuration tab with high-level switch information. Click the Show Dashboard button to display an overall indicator of switch health.
The individual features (config, cluster-config and image) can be enabled separately using the CLI, SNMP or Web UI. If a feature is disabled, it is skipped when auto install is triggered. For manual configuration (where the URLs for the configuration and image files are not supplied by DHCP), the URLs can be specified using the CLI, SNMP or Applet. Use the CLI to define the expected firmware image version. Because a DHCP-supplied URL decides which configuration and image the switch loads, enable DHCP-driven auto install only on a management segment where rogue DHCP servers are prevented (for example, by DHCP snooping on the upstream switch), and set the expected image version so an unexpected image is not installed.
The enables are cleared using no autoinstall. URLs and the version string are stored in the configuration file as text and can be cleared using an empty pair of double quotes to denote the blank string. Note that a URL of the form ftp://user:password@host embeds the server login in the configuration file, where it is stored in plain text alongside the other settings. In the following example, define the three URLs and the expected version of the image file, then enable all three features for the auto install.
RF Switch(config)#autoinstall config url ftp://ftp:ftp@192.9.200.
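Since the auto-install URLs live as text in the configuration file, a quick audit of exported configurations for embedded credentials and cleartext transports is worth having. The script below is an added example; it is not code from the Brocade guide, and it makes no claim about which URL schemes the switch CLI accepts beyond the ftp:// form shown in the guide. The configuration excerpt is constructed for illustration (the addresses, account names and the sftp line are made up), and the `autoinstall <feature> url <url>` command shape it matches follows the guide's example.

```python
"""Audit a text switch configuration for auto-install URLs that embed a password
or use a cleartext transport, and redact userinfo before a URL is logged."""
import re
from urllib.parse import urlsplit

CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}

# Matches lines such as: autoinstall config url ftp://user:pass@host/path
_AUTOINSTALL_URL = re.compile(r"^\s*autoinstall\s+(?P<feature>\S+)\s+url\s+(?P<url>\S+)\s*$")


def audit_config(config_text: str) -> list:
    """Return one finding per auto-install URL that embeds a password or uses a cleartext scheme."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _AUTOINSTALL_URL.match(line)
        if not m:
            continue
        url = m["url"].strip('"')
        if not url:
            continue                      # "" clears the URL; nothing to audit
        parts = urlsplit(url)
        issues = []
        if parts.password is not None:
            issues.append("password embedded in URL (stored in the text configuration)")
        if parts.scheme.lower() in CLEARTEXT_SCHEMES:
            issues.append(f"{parts.scheme} transfers the file and any login in cleartext")
        if issues:
            findings.append({"line": lineno, "feature": m["feature"],
                             "host": parts.hostname, "issues": issues})
    return findings


def redact_url(url: str) -> str:
    """Strip userinfo (user:password@) from a URL so it can be shown or logged safely."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return parts._replace(netloc=netloc).geturl()


# Constructed configuration excerpt (not taken from a real switch).
SAMPLE_CONFIG = """\
hostname RFS7000
autoinstall config url ftp://ftp:ftp@192.0.2.10/cfg/startup-config
autoinstall cluster-config url ""
autoinstall image url sftp://deploy@192.0.2.11/images/rfs7000.img
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']} ({f['feature']}, host {f['host']}):")
        for issue in f["issues"]:
            print(f"  - {issue}")
```

Run it against a configuration exported from the switch (see the file transfer procedures in Chapter 3); the ftp line in the sample is flagged twice, once for the embedded password and once for the cleartext transport, while the empty cluster-config URL and the password-less sftp URL produce no finding.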
Chapter 3 Controller Information
In this chapter
This chapter describes the Switch main menu information used to configure the switch.
Setting the switch country code
When initially logging into the system, the switch requests that you enter the correct country code for your region. If a country code is not configured, a warning message will display stating that an incorrect country setting will lead to illegal use of the switch. Consequently, selecting the correct country is extremely important.
Uptime: Displays the current operational time for the device name defined within the System Name field. Uptime is the cumulative time since the switch was last rebooted or lost power.
Firmware: Displays the current firmware version running on the switch. This version should be periodically compared to the most recent version available on the Brocade Web site, as versions with increased functionality and fixes are periodically released.
Click the Show Dashboard button (within the Switch screen’s Configuration tab) to display the current health of the switch.
Management IP: Displays the management IP address of the switch.
Access Ports: Displays the total number of Access Ports adopted by the switch.
Mobile Units: Displays the total number of MUs associated with the switch.
Up Time: Displays the actual switch uptime. The Up Time is the current operational time of the device defined within the System Name field. Uptime is the cumulative time since the switch was last rebooted or lost power.
• system

Viewing switch statistics
The Switch Statistics tab displays an overview of the recent network traffic and RF status for the switch. To display the Switch Statistics tab:
1. Select Switch from the main menu tree.
2. Click the Switch Statistics tab at the top of the Switch screen.
3.
Avg. Bit Speed: Displays the average bit speed for the switch over the last 30 seconds and 1 hour. Use the average bit speed value to help determine overall network speeds and troubleshoot network congestion.
% Non-unicast pkts: Displays the percentage of non-unicast packets seen (received & transmitted) by the switch over the last 30 seconds and 1 hour. Non-unicast traffic includes both multicast and broadcast traffic.
The port types are defined as follows:
GE#: GE ports are available on the Brocade Mobility RFS7000-GR Controller. GE ports on the Brocade Mobility RFS7000-GR Controller can be RJ-45 or fiber ports which support 10/100/1000 Mbps.
ME#: ME ports are available on the Brocade Mobility RFS7000-GR Controller platforms. ME ports are out-of-band management ports which can be used to manage the switch via CLI or Web UI even when the other ports on the switch are unreachable. Connect the ME port only to a dedicated management network; it offers the same administrative access as the in-band interfaces.
Name: Displays the current port name. On the Brocade Mobility RFS7000-GR Controller, the available ports are named as follows: ge1, ge2, ge3, ge4, me1.
Aggregation Membership: Displays the channel group the port is a member of.
MAC Address: Displays the port’s MAC Address. This value is read-only, set at the factory and cannot be modified.
A Port Change Warning screen displays, stating that any change to the port setting could disrupt access to the switch. Communication errors may occur even if the modifications made are successful.
3. Click the OK button to continue. Optionally, select the Don’t show this message again for the rest of the session checkbox to prevent the pop-up from being displayed for the rest of the session.
4.
Duplex: Modify the duplex status by selecting one of the following options:
• Half
• Full
• Auto
Channel Group: Optionally, set the Channel Group defined for the port. The switch bundles individual Ethernet links (over the selected channel) into a single logical link that provides bandwidth between the switch and another switch or host. The port speed used is dependent on the Duplex value selected (full, half or auto).
1. Select Switch > Ports from the main menu tree.
2. Select the Runtime tab to display the following read-only information:
Name: Displays the port’s current name.
MAC Address: Displays the port’s MAC Address. This value is read-only, set at the factory and cannot be modified.
Oper Status: Displays the link status of the port. The port status can be either Up or Down.
Speed: Displays the current speed of the data transmitted and received over the port.
1. Select Switch > Ports from the main menu tree.
2. Select the Statistics tab.
3. Refer to the Statistics tab to display the following read-only information:
Name: Defines the port name. On the Brocade Mobility RFS7000-GR Controller the available ports are named as follows: ge1, ge2, ge3, ge4, me1.
Bytes In: Displays the total number of bytes received by the port.
Detailed port statistics
To view detailed statistics for a port:
1. Select a port from the table displayed within the Statistics screen.
2. Click the Details button.
3. The Interface Statistics screen displays. This screen displays the following statistics for the selected port:
Name: Displays the port name.
MAC Address: Displays physical address information associated with the interface. This address is read-only (hard-coded at the factory) and cannot be modified.
Output Unicast Packets: Displays the number of unicast packets (packets directed towards a single destination address) transmitted from the interface.
Output NonUnicast Packets: Displays the number of non-unicast (multicast and broadcast) packets transmitted from the interface.
Output Total Packets: Displays the total number of packets transmitted from the interface.
Output Packets Dropped: Displays the number of transmitted packets dropped from the interface.
The Interface Statistics screen displays for the selected port. The screen provides the option to view the following:
• Input Bytes
• Input Pkts Dropped
• Output Pkts Total
• Output Pkts Error
• Input Pkts Total
• Input Pkts Error
• Output Pkts NUCast
• Input Pkts NUCast
• Output Bytes
• Output Pkts Dropped
3. Display any of the above by selecting the checkbox associated with it.
NOTE
You are not allowed to select (display) more than four parameters at any given time.
Viewing switch configurations
Use the Configurations screen to review the configuration files available to the switch. The details of each configuration can be viewed individually. Optionally, edit the file to modify its name or use the file as the switch startup configuration. A file can be deleted from the list of available configurations or transferred to a user specified location.
2. To view the contents of a config file in detail, select a config file by selecting a row from the table and click the View button. For more information, see “Viewing the detailed contents of a config file” on page 56.
3. Select a configuration (other than the startup-config or running-config) and click the Install button to install the file on the switch and replace the existing startup-config file.
Use the up and down navigation facilities on the right-hand side of the screen to view the entire page.
3. The Page parameter displays the portion of the configuration file in the main viewing area. The total number of pages in the file is displayed to the right of the current page. The total number of lines in the file displays in the Status field at the bottom of the screen. Scroll to the corresponding pages as required to view the entire contents of the file.
• server to switch
• local disk to switch
To transfer the contents of a configuration file:
1. Click the Transfer Files button on the bottom of the Configuration screen.
2. Refer to the Source field to define the location and address information for the source config file.
From: Select the source file’s current location using the From drop-down menu. Options include Server, Local Disk and Switch.
File: Specify a source file for the file transfer.
6. Click the Abort button to cancel the file transfer process before it is complete.
7. Click the Close button to exit the Transfer screen and return to the Config Files screen. Once a file is transferred, there is nothing else to be saved within the Transfer screen.

Viewing switch firmware information
The switch can store (retain) two software versions (primary and secondary). Information supporting the two versions displays within the Firmware screen.
Built Time: Displays the time the version was created (built). Do not confuse the Built Time with the time the firmware was last loaded on the switch.
Install Time: The Install Time is the time this version was loaded onto the switch. Periodically review this information to assess the relevance of older files.
3. Refer to the Patch field for a listing of those Patches available to the switch. The name and version of each patch file is displayed.
5. Refer to the Status field for the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click the OK button to commit the changes made and exit the screen.

Updating the switch firmware
Use the Update screen to update the firmware version currently used by the switch.
7. Enter the username for SFTP server login in the User ID field.
8. Enter the password for SFTP server login in the Password field.
9. Enter the complete file path for the file that contains the firmware update in the Path field.
10. Click the Do Update button to initiate the update. A warning prompt displays. Upon confirming the firmware update, the switch reboots and completes the firmware update. Before confirming, verify the downloaded image against the checksum published with it, and use an SFTP account whose access is limited to the firmware directory.
1. Select Switch > File Management from the main menu tree.
2. Refer to the Source field to specify the details of the source file.
From: Use the From drop-down menu to select the source file’s current location. The options include Wireless Switch and Server. The following transfer options are possible:
• wireless switch to wireless switch
• wireless switch to server
• server to wireless switch
1. Select Wireless Switch from the From drop-down menu.
2. Use the Browse button to locate a target file for the file transfer.
3. Use the To drop-down menu (within the Target field) and select Wireless Switch. This defines the location of the file.
4. Use the Browse button to define a location for the transferred file.
5. Click the Transfer button to complete the file transfer.
6. The Message section in the main menu area displays the file transfer message.
7.
1. Refer to the Source field to specify the source file. Use the From drop-down menu and select Wireless Switch.
2. Use the Browse button and select a file for transfer.
3. Use the To drop-down menu (within the Target field) and select Server. This defines the transfer location of the configuration file. Enter the file location marked to store the transferred file.
4. Use the Using drop-down menu to configure the log file transfer to use SFTP.
3 Switch file management 1. Refer to the Source field to specify the details of the source file. Use the From drop-down menu and select Server. 2. Provide the name of the File. 3. Use the Using drop-down menu to configure whether the file transfer is conducted using SFTP. SFTP transfers require a valid user ID and password. 4. Enter an IP Address of the server receiving the configuration file. Ensure the IP address is valid or risk jeopardizing the success of the file transfer. 5.
Switch file management 3 Viewing files Use the File System tab to review the files available to the switch. The switch maintains the following file types: • flash • nvram • system NOTE USB1, USB2 and Compact Flash are available on the Brocade Mobility RFS7000-GR Controller. Transfer files between the switch and the server from any one of the above mentioned locations. Since compact flash (CF) and USB are external memory locations, the File System window displays the status of these devices.
Available: Displays the current status of the memory resource. By default, nvram and system are always available.
• A green check indicates the device is currently connected to the switch and is available.
• A red “X” indicates the device is currently not available.
Formatted: Displays the format status of the memory devices. Formatting ensures that the external and internal memory devices store the files securely.

Configuring automatic updates

2. Refer to the Switch Configuration field to enable and define the configuration for automatic configuration file updates. If enabled, the located (updated) configuration file will be used with the switch the next time the switch boots.
Enable: Select the Enable checkbox to allow an automatic configuration file update when a newer (updated) file is detected (upon the boot of the switch) at the specified IP address.

File Name (With Path): Provide the complete and accurate path to the location of the firmware files on the server. This path must be accurate to ensure the file is retrieved.
Protocol/Device: Use the Protocol drop-down menu to specify the SFTP or resident switch FLASH medium used for the file update from the server. FLASH is the default setting.
Password: Enter the password required to access the server.

Viewing the switch alarm log

3. Select either of the two available options to view alarm log information:
View By Page: Select the View By Page radio button to view alarm log information on a per page basis. Use the View By Page option to page through alarm logs. If there are a large number of alarms, the user can navigate to the page that has been completely loaded. All operations can be performed on the currently loaded data.

Viewing alarm log details

Use the Details option when additional information is required for a specific alarm to make an informed decision on whether to delete, acknowledge or export the alarm. To review switch alarm details:
1. Select Switch > Alarm Log from the main menu tree.
2. Select an alarm and click the Details button.
3. Refer to the Alarm Details and Alarm Message for the following information:
Description: Displays the details of the alarm log event.

Viewing switch licenses

1. Select Switch > Licenses from the main menu tree.
2. Refer to the Install License field for the following information:
License Key: Enter the license key required to install a particular feature. The license key is returned when you supply the switch serial number to Brocade support.
Feature Name: Enter the name of the feature you wish to install/upgrade using the license.
Serial Number: Displays the serial number of the switch used for generating the license key.
3.

License Usage: Lists the number of licenses in use. Determine whether this number adequately represents the number of switches needed to deploy.
License Key: The license key for the feature installed/upgraded.

How to use the filter option

Use the Filter Option to sort the display details of screens that employ the filtering option as a means of sorting how data is displayed within the screen.
1.
Chapter 4: Network Setup

In this chapter

This chapter describes the Network Setup menu information used to configure the switch.

Displaying the network interface

1. Select Network from the main menu tree.
2. Refer to the following information to discern if configuration changes are warranted:
DNS Servers: Displays the number of DNS Servers configured thus far for use with the switch. For more information, see “Viewing network IP information” on page 77.
IP Routes: Displays the number of IP routes for routing packets to a defined destination. For information on defining IP Routes, see “Configuring IP forwarding” on page 79.

The Apply and Revert buttons are greyed out within this screen, as there is no data to be configured or saved.

Viewing network IP information

Use the Internet Protocol screen to view and configure network associated IP details.

3. The Domain Name System tab displays DNS details in a tabular format.
Server IP Address: Displays the IP address of the domain name server(s) the system can use for resolving domain names to IP addresses. Domain look up order is determined by the order of the servers listed. The first server queried is the first server displayed. Therefore, ensure obsolete addresses are periodically removed.

1. Click the Global Settings button in the main Domain Network System screen. A Configuration screen displays for editing the DNS settings of the server.
2. Select the Domain Look Up checkbox to enable the switch to query domain name servers to resolve domain names to IP addresses.
NOTE
The order of look up is determined by the order of the servers within the Domain Name System tab. The first server queried is the first server displayed.
3.

3. The read-only IP Forwarding tab displays the current status of routing between VLANs. To toggle the status of routing between VLANs, use the Enable/Disable options located at the bottom of the screen. The following details display in the table:
Destination Subnet: Displays the mask used for destination subnet entries. The Subnet Mask is the IP mask used to divide internet addresses into blocks (known as subnets). A value of 255.255.255.0 will support 256 IP addresses.

4. Select an entry and click the Delete button to remove the selected entry from the IP forwarding table.
5. Click the Add button to create a new static route. For more information, see “Adding a new static route” on page 81.
6. Click Enable (to allow) or Disable (to deny) routing between VLANs.

Adding a new static route

Use the Add screen to add a new destination subnet, subnet mask and gateway for routing packets to a defined destination.
Viewing address resolution

The Address Resolution table displays the mapping of layer three (IP) addresses to layer two (MAC) addresses. To view address resolution details:
1. Select Network > Internet Protocol from the main tree menu.
2. Select the Address Resolution tab.
3. Refer to the Address Resolution table for the following information:
Interface: Displays the name of the actual interface where the IP address was found (typically a VLAN).

Viewing and configuring Layer 2 virtual LANs

advantages of a VLAN is that when a computer is physically moved to another location, it can stay on the same VLAN without reconfiguration. The switch can support multiple VLANs. Use the Layer 2 Virtual LANs screen to view and configure VLANs by Port and Ports by VLAN information. Refer to the following VLAN configuration activities:
• Viewing and configuring VLANs by port
• Viewing and configuring ports by VLAN

Viewing and configuring VLANs by port

1.

NOTE
For Adaptive AP to work properly with the Brocade Mobility RFS7000-GR Controller you need to have independent and extended WLANs mapped to a different VLAN than the ge port.
3. Select a record from the table and click the Edit button to modify the record. For more information, see “Editing the details of an existing VLAN by port” on page 84.

Editing the details of an existing VLAN by port

To revise the configuration of an existing VLAN:
1.

5. Use the Edit screen to modify the following:
Name: A read-only field with the name of the Ethernet interface to which the VLAN is associated.
Mode: Use the drop-down menu to select the mode. It can be either:
• Access – This Ethernet interface accepts packets only from the native VLANs. If this mode is selected, the Allowed VLANs field is unavailable.
• Trunk – The Ethernet interface allows packets from the given list of VLANs you can add to the trunk.

VLAN details display within the VLANs by Port tab.
3. Highlight an existing VLAN and click the Edit button. The system displays a Port VLAN Change Warning message. Be advised, changing VLAN designations could disrupt access to the switch.

4. Click OK to continue. A new window displays wherein the VLAN assignments can be modified for the selected VLAN.
NOTE
On the Brocade Mobility RFS7000-GR Controller, the available ports are ge1, ge2, ge3 and ge4.
5. Change VLAN port designations as required.
6. Click OK to use the changes to the running configuration and close the dialog.
7. Click Cancel to close the dialog without committing updates to the running configuration.
Configuring switch virtual interfaces

1. Select Network > Switch Virtual Interface from the main tree menu.
2. Select the Configuration tab. The following configuration details display in the table:
Name: Displays the name of the virtual interface.
VLAN ID: Displays the VLAN ID associated with the interface.
DHCP Enabled: Displays whether the DHCP client is enabled or not. A green check mark defines the DHCP client as enabled for the interface. A red X means the interface is disabled.

4. Select a record from the table and click the Delete button to remove the configuration from the list of switch virtual interfaces.
5. Click the Add button to add a new configuration to the switch virtual interface. For more information, see “Adding a virtual interface” on page 89.
6. Select an interface and click the Startup button to invoke the selected interface the next time the switch is booted.
7.

Select the Add button (within the Secondary IP Addresses field) to define additional addresses from a sub screen. Choose an existing secondary address and select Edit or Delete to revise or remove a secondary address.
9. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
10.

3. If necessary, modify the Description of the VLAN to make it representative of the VLAN’s intended operation within the switch managed network.
4. Unselect the Use DHCP to obtain IP Address automatically checkbox to assign IP addresses manually when you do not want DHCP to provide them.
5. Use the Primary IP Address field to manually enter the IP address for the virtual interface.
6. Enter the Subnet Mask for the IP address.
7.

1. Select Network > Switch Virtual Interface from the main tree menu.
2. Select the Statistics tab. Refer to the following to assess the network throughput of existing virtual interfaces:
Name: Displays the user defined interface name. The corresponding statistics are displayed along the row. The statistics are the total traffic to the interface since its creation.
Bytes In: Displays the number of bytes coming into the interface.

Packets In Error: Displays the number of error packets coming into the interface.
• Runt frames — Packets shorter than the minimum Ethernet frame length (64 bytes).
• CRC errors — The Cyclic Redundancy Check (CRC) is the 4 byte field at the end of every frame that the receiving station uses to determine whether the frame is valid. If the CRC value computed by the interface does not match the value at the end of the frame, it is counted as a CRC error.
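The two checks behind the Packets In Error counter, written out as an added example that is not code from the Brocade guide: it assumes the frame bytes handed in include the FCS, that the FCS is the standard IEEE 802.3 CRC-32 stored least-significant byte first, and the sample frames are constructed for the demonstration.

```python
"""Classify received Ethernet frames as ok, runt or CRC error.

Added example, not code from the Brocade guide. It models the two error
conditions the Packets In Error field describes: a runt (frame shorter than
the 64-byte minimum, FCS included) and a CRC error (the 4-byte FCS at the
end of the frame does not match the CRC-32 computed over the frame).
Assumptions: frames include the FCS, and the FCS is the IEEE 802.3 CRC-32
appended least-significant byte first.
"""
import struct

MIN_FRAME_LEN = 64          # minimum Ethernet frame length, FCS included
FCS_LEN = 4                 # frame check sequence size in bytes
CRC32_CHECK = 0xCBF43926    # published CRC-32 check value for b"123456789"


def _make_crc_table():
    """Build the byte-wise lookup table for the reflected CRC-32 polynomial."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _make_crc_table()


def crc32_ieee(data: bytes) -> int:
    """IEEE 802.3 CRC-32, the algorithm Ethernet uses for the FCS."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame with a valid FCS; pads short payloads up to 64 bytes."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, MIN_FRAME_LEN - FCS_LEN - len(body))
    return body + struct.pack("<I", crc32_ieee(body))


def classify_frame(frame: bytes) -> str:
    """Return 'runt', 'crc_error' or 'ok' the way an interface counter would.

    A runt is reported before the CRC is examined, since a truncated frame
    will almost always fail the CRC check as well.
    """
    if len(frame) < MIN_FRAME_LEN:
        return "runt"
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if crc32_ieee(body) != struct.unpack("<I", fcs)[0]:
        return "crc_error"
    return "ok"


def count_errors(frames) -> dict:
    """Tally frames into the categories the Interface Statistics screen reports."""
    counts = {"ok": 0, "runt": 0, "crc_error": 0}
    for f in frames:
        counts[classify_frame(f)] += 1
    return counts


# Constructed sample traffic (not captured from a real switch).
_DST = bytes.fromhex("001122334455")
_SRC = bytes.fromhex("66778899aabb")
GOOD = build_frame(_DST, _SRC, 0x0800, b"constructed IPv4 payload")
RUNT = GOOD[:40]                                            # truncated on the wire
CORRUPT = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]  # one flipped bit

if __name__ == "__main__":
    print(count_errors([GOOD, RUNT, CORRUPT, GOOD]))  # {'ok': 2, 'runt': 1, 'crc_error': 1}
```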
3. The Interface Statistics screen displays with the following content:
Name: Displays the title of the logical interface selected.
MAC Address: Displays physical address information associated with the interface. This address is read-only (hard-coded at the factory) and cannot be modified.
Input Bytes: Displays the number of bytes received by the interface.

To view detailed graphical statistics for a selected interface:
1. Select a record from the table displayed in the Statistics screen.
2. Click the Graph button.
3. The Interface Statistics screen displays.

Viewing and configuring switch WLANs

A wireless LAN (WLAN) is a local area network (LAN) without wires. WLANs transfer data through the air using radio frequencies instead of cables. The WLAN screen displays a high-level overview of the WLANs created for the switch managed network. Use this data as necessary to review the WLANs that are active, their VLAN assignments, updates to a WLAN’s description and their current authentication and encryption scheme.

1. Select Network > Wireless LANs from the main menu tree.
2. Click the Configuration tab. The Configuration tab displays the following details:
Index: Displays the WLAN’s numerical identifier. The WLAN index range is from 1 to the maximum number of WLANs supported by the switch. An index can be helpful to differentiate a WLAN from other WLANs with similar configurations.

Independent Mode: Determines whether the WLAN is functioning as an independent or extended WLAN in regards to its support of adaptive AP (AAP) operation. Independent WLANs (defined by a green checkmark) are local to an AAP and configured from the switch. Specify a WLAN as independent for no traffic to be forwarded to the switch. Independent WLANs behave like WLANs as used on a standalone Access Point.

Click OK to save updates to the Global WLAN Settings screen. Click Cancel to disregard changes and revert back to the previous screen. Checkbox options within the Global WLAN Settings screen include:
MU Proxy ARP handling: Enables Proxy ARP handling for MUs. Proxy ARP is provided for MUs in PSP mode whose IP address is known. The WLAN generates an ARP reply on behalf of an MU if the MU’s IP address is known.
Editing the WLAN configuration

Security measures for the switch and its WLANs are critical. Use the available switch security options to protect each WLAN from wireless vulnerabilities, and secure the transmission of RF packets between WLANs and the MU traffic they support. The user has the capability of configuring separate security policies for each WLAN. Each security policy can be configured based on the authentication (Kerberos, 802.

• Authentication
• Encryption
• Advanced
5. The Switch field displays the IP address of the cluster member associated with each WLAN. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the Wireless LAN screen. For information on enabling Cluster GUI, see Managing clustering using the Web UI.
6.

NOTE
If the WLAN is to support AAP, the Independent Mode (AAP Only) checkbox must be selected. Additionally, the Access Point must have its auto discovery option enabled to be discovered by the switch. For information on configuring an Access Point for AAP support, see “Adaptive AP management” on page 488.
NOTE
For a RADIUS supported VLAN to function, the "Dynamic Assignment" checkbox must be enabled for the WLAN supporting the VLAN.

Use Voice Prioritization: Select the Use Voice Prioritization option if Voice is used on the WLAN. This gives priority to voice packets and voice management packets and is supported only on certain legacy Motorola VOIP phones.
Enable SVP: Enabling SVP (Spectralink Voice Prioritization) allows the switch to identify and prioritize traffic from Spectralink/Polycom phones.
Secure Beacon: Closed system is the secure beacon feature for not answering broadcast SSID.

11. The Syslog... button is greyed out within the screen as there is no data to be configured. Click OK to use the changes to the running configuration and close the dialog.
12. Click Cancel to close the dialog without committing updates to the running configuration.

Assigning multiple VLANs per WLAN

The switch allows the mapping of a WLAN to more than one VLAN.

8. Select a row from the Multiple VLAN Mapping table and click the Remove button to delete the mapping of a VLAN to a WLAN.
9. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
10. Click OK to use the changes to the running configuration and close the dialog.
11.

The RADIUS Config... button on the bottom of the screen will become enabled. Ensure a primary and optional secondary RADIUS Server have been configured to authenticate users requesting access to the EAP 802.1x supported WLAN. For more information, see “Configuring external RADIUS Server support” on page 117.
4. Click the Config button to the right of the 802.1X EAP checkbox. The 802.1x EAP screen displays.
5.

A WLAN screen displays with the WLAN’s existing configuration. Refer to the Authentication and Encryption columns to assess the WLAN’s existing security configuration.
4. Select the Kerberos button from within the Authentication field.
NOTE
Kerberos requires at least one encryption scheme be enabled (WEP 128 or other). If neither WEP 128 nor KeyGuard is enabled, WEP 128 will automatically be enabled for use with Kerberos.
5.
The switch enables hotspot operators to provide user authentication and accounting without a special client application. The switch uses a traditional Internet browser as a secure authentication device. Rather than rely on built-in 802.11 security features to control association privileges, configure a WLAN with no WEP (an open network). The switch issues an IP address using a DHCP server, authenticates the user and grants the user access to the Internet.

• Internal - three HTML pages with basic functionality are made available on the switch's onboard HTTP server. The HTML pages are pre-created to collect login credentials through Login.htm, send them to a RADIUS server and display a Welcome.htm or a Failure.htm depending on the result of the authentication attempt. For more information, see “Configuring an internal hotspot” on page 109.

3. Select the Hotspot button from within the Authentication field. Ensure Internal is selected from within the This WLAN’s Web Pages are of the drop-down menu.
4. Click the Login tab and enter the title, header, footer, Small Logo URL, Main Logo URL and Descriptive Text you would like to display when users log in to the switch maintained hotspot.
Title Text: Displays the HTML text displayed on the Welcome page when using the switch’s internal Web server.

5. Click the Welcome tab and enter the title, header, footer, Small Logo URL, Main Logo URL and Descriptive Text you would like to display when users successfully authenticate with the switch maintained hotspot.
Title Text: The Title Text specifies the HTML title text displayed on the Welcome page when using the internal Web server. This option is only available if Internal is chosen from the drop-down menu above.

NOTE
In multi-switch hotspot environments, if a single switch’s internal pages are configured for authentication on the other switches, those switches will redirect to their own internal pages instead. In these environments it is recommended to use an external server for all of the switches.
8. Check the Use System Name in Hotspot URL option to use the System Name specified on the main Switch configuration screen as part of the hotspot address.
9.

3. Select the Hotspot button from within the Authentication field. Ensure External is selected from within the This WLAN’s Web Pages are of the drop-down menu.
4. Refer to the External Web Pages field and provide the Login, Welcome and Failed Page URLs used by the external Web server to support the hotspot.
Login Page URL: Define the complete URL for the location of the Login page.

NOTE
When using an external hotspot page for redirection, certain HTML codes must be included on the pages to properly redirect to the switch. For the Login and Welcome pages, the following code must be modified:
form action="https://:444/cgi-bin/hslogin.cgi" method="POST"
For the Welcome page the following code must also be modified:
href="http:///login.

4. Select the Hotspot button from within the Authentication field. Ensure Advanced is selected from within the This WLAN’s Web Pages are of the drop-down menu.
NOTE
Advanced hotspot configuration is not permissible using the switch Web UI. Refer to the switch CLI or other advanced configuration options to define a hotspot with advanced properties. However, the switch can still install and maintain directories containing Web page content.
5.

f. Specify the appropriate Path name to the hotspot configuration on the local system disk or server.
g. Once the location and settings for the advanced hotspot configuration have been defined, click the Install button to use the hotspot configuration with the switch.
6. Refer to the Allow List field, and enter any IP address (for internal or external Web sites) that may be accessed by the Hotspot user without authentication.
7.

5. Click the Config button next to the MAC Authentication option to open a dialog where the format of MAC Addresses can be configured. The MAC Authentication Format setting determines the text format in which MAC addresses are transmitted when using MAC-Auth authentication.
6. Select a format for MAC Addresses used in MAC Authentication:
• No delimiter: The 12 digit MAC Address is in a format with no spaces or delimiters.
The switch ships with a default configuration defining the local RADIUS Server as the primary authentication source (default users are admin with superuser privileges and operator with monitor privileges). No secondary authentication source is specified. However, Brocade recommends using an external RADIUS Server as the primary user authentication source and the local switch RADIUS Server as the secondary user authentication source.

5. Select the RADIUS Config... button. The RADIUS Configuration screen displays for defining an external RADIUS or NAC Server. The RADIUS Configuration screen contains tabs for defining both the RADIUS and NAC server settings. For NAC overview and configuration information, see “Configuring NAC server support” on page 122.
6. Refer to the Server field and define the following credentials for a primary and secondary RADIUS server.

NOTE
The RADIUS or NAC server’s Timeout and Retries should be less than what is defined for an MU’s timeout and retries. If the MU’s time is less than the server’s, a fall back to the secondary server will not work.
7. Refer to the Accounting field and define the following credentials for a primary and secondary RADIUS Server.
Accounting Server Address: Enter the IP address of the primary and secondary server acting as the RADIUS accounting server.

• Brocade user privilege values
• User login source

Configuring Brocade specific RADIUS Server user privilege values

The following recommended RADIUS Server user privilege settings specify access privilege levels for those accessing the switch managed network. To define user privilege values, assign the following attributes in the external RADIUS Server:
1. Set the attribute number to 1 and its type as "integer."
2.

Configuring NAC server support

There is an increasing proliferation of insecure devices (laptops, mobile computers, PDAs, smart-phones) accessing WiFi networks. These devices often lack proper anti-virus software and can potentially infect the network they access. Device compliance with an organization’s security policy must be enforced using NAC. A typical security compliance check entails verifying the right operating system patches, anti-virus software etc.

6. Select the NAC tab to configure NAC support.
7. Refer to the Server field and define the following credentials for a primary and secondary NAC server.
NAC Server Address: Enter the IP address of the primary and secondary NAC server.
NAC Server Port: Enter the TCP/IP port number for the primary and secondary server. The default port is 1812.

NOTE
The server’s Timeout and Retries should be less than what is defined for an MU’s timeout and retries. If the MU’s time is less than the server’s, a fall back to the secondary server will not work.
8. Refer to the Accounting field and define the following credentials for a primary and secondary NAC Server.
Accounting Server Address: Enter the IP address of the primary and secondary server acting as the NAC accounting server.

Configuring different encryption types

To configure the WLAN data encryption options available on the switch, refer to the following:
• Configuring WEP 64
• Configuring WEP 128 / KeyGuard
• Configuring WPA/WPA2 using TKIP and CCMP

Configuring WEP 64

Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.

The pass key can be any alphanumeric string. The switch, other proprietary routers and Brocade MUs use the algorithm to convert an ASCII string to the same hexadecimal number. MUs without Brocade adapters need to use WEP keys manually configured as hexadecimal numbers.
6. Use the Key #1-4 areas to specify key numbers. The key can be either hexadecimal or ASCII. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters.

5. Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. The switch and Brocade MUs use the algorithm to convert an ASCII string to the same hexadecimal number. MUs without Brocade adapters need to use WEP keys manually configured as hexadecimal numbers.
6. Use the Key #1-4 areas to specify key numbers. The key can be either hexadecimal or ASCII.
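An added example, not the switch's own code, that applies the key-length rules above to keys typed into the Key #1-4 fields and tells hexadecimal entry apart from ASCII entry. It does not reproduce the switch's Pass Key generator, which the guide does not document; the WEP 128 lengths (26 hexadecimal or 13 ASCII characters) and the accepted "0x" prefix and colon separators are assumptions.

```python
"""Normalize WEP keys typed into the Key #1-4 fields.

Added example, not code from the Brocade guide. It applies only the typed
key-length rules: WEP 64 uses a 40-bit key entered as 10 hexadecimal
characters or 5 ASCII characters. For WEP 128 the 104-bit lengths
(26 hex / 13 ASCII) are assumed, as is acceptance of an optional "0x"
prefix and ':' or '-' separators on hexadecimal keys.
"""
import re

# key size in bytes for each WEP type
KEY_BYTES = {"WEP64": 5, "WEP128": 13}


class WepKeyError(ValueError):
    """Raised when a typed key cannot be a key of the requested type."""


def _strip_hex_decoration(text: str) -> str:
    """Remove an optional 0x prefix and byte separators (assumed conventions)."""
    t = text.strip()
    if t[:2].lower() == "0x":
        t = t[2:]
    return t.replace(":", "").replace("-", "")


def parse_wep_key(text: str, wep_type: str) -> bytes:
    """Return the raw key bytes for a typed key, or raise WepKeyError.

    Hexadecimal and ASCII entry never collide: a hex key has exactly twice
    as many characters as an ASCII key of the same type.
    """
    if wep_type not in KEY_BYTES:
        raise WepKeyError(f"unknown WEP type {wep_type!r}")
    size = KEY_BYTES[wep_type]
    hex_part = _strip_hex_decoration(text)
    if re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * size), hex_part):
        return bytes.fromhex(hex_part)
    # Not a hex key: accept it as ASCII only at exactly the ASCII length.
    if len(text) == size and text.isascii() and text.isprintable():
        return text.encode("ascii")
    raise WepKeyError(
        f"{wep_type} keys must be {2 * size} hex characters or {size} ASCII characters"
    )


def validate_key_slots(slots: dict, wep_type: str) -> dict:
    """Check the Key #1-4 entries.

    Returns {"keys": {slot: key_bytes}, "errors": {slot: message}} so the
    caller can see which slots would be rejected before applying them.
    """
    keys, errors = {}, {}
    for slot, text in slots.items():
        try:
            keys[slot] = parse_wep_key(text, wep_type)
        except WepKeyError as exc:
            errors[slot] = str(exc)
    return {"keys": keys, "errors": errors}


if __name__ == "__main__":
    # Constructed sample entries, not keys from a real configuration.
    print(validate_key_slots({1: "0123456789", 2: "tooshort", 3: "abcde", 4: "ZZZZZZZZZZ"}, "WEP64"))
```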
Configuring WPA/WPA2 using TKIP and CCMP

Wi-Fi Protected Access (WPA) is a robust encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i. WPA provides more sophisticated data encryption than WEP. WPA is designed for corporate networks and small-business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person. WPA's encryption method is Temporal Key Integrity Protocol (TKIP).

5. Select the Broadcast Key Rotation checkbox to enable periodically changing the broadcast key for this WLAN. Only the broadcast key changes, and only when required by associated MUs, to reduce the transmissions of sensitive key information. This value is enabled by default.
6. Refer to the Update broadcast keys every field to specify a time period (in seconds) for broadcasting encryption-key changes to MUs.

• 18191A1B1C1D1E1F
• 2021222324252627
• 28292A2B2C2D2E2F
8. Optionally select one of the following from within the Fast Roaming (802.1x only) field.
PMK Caching: Select Pairwise Master Key (PMK) caching to store the Pairwise Master Key derived from 802.1x authentication between a client device and its authenticator. When a client roams between devices, the client’s credentials no longer need to be completely reauthenticated (a process that can take up to 100 milliseconds).

1. Select Network > Wireless LANs from the main menu tree.
2. Click the Statistics tab.
3. Refer to the following details displayed within the table:
Last 30s: Click the Last 30s radio button to display statistics for the WLAN over the last 30 seconds. This option is helpful when troubleshooting issues as they actually occur.
Last Hr: Click the Last Hr radio button to display statistics for the WLAN over the last 1 hour.

% Non-UNI: Displays the percentage of the total packets for the selected WLAN that are non-unicast packets. Non-unicast packets include broadcast and multicast packets.
Retries: Displays the average number of retries for all MUs associated with the selected WLAN.
4. To view WLAN statistics in greater detail, select a WLAN and click the Statistics button. For more information, see “Viewing WLAN statistics in detail” on page 132.

The Details screen displays the WLAN statistics of the selected WLAN. The Details screen contains the following fields:
• Information
• Traffic
• RF Status
• Errors
Information in black represents the statistics from the last 30 seconds and information in blue represents statistics from the last hour.
4. Refer to the Information field for the following information:
ESSID: Displays the Service Set ID (SSID) for the selected WLAN.

Avg MU Noise: Displays the average RF noise for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
Avg MU SNR: Displays the average Signal to Noise Ratio (SNR) for all MUs associated with the selected WLAN. The Signal to Noise Ratio is an indication of overall RF performance on your wireless network.
7.

1. Select a WLAN from the table displayed in the Statistics screen.
2. Click the Graph button. The WLAN Statistics screen displays for the selected port.

Viewing WLAN switch statistics

The Switch Statistics screen displays the sum of all WLAN statistics. The Switch Statistics screen is optimal for displaying a snapshot of overall WLAN traffic on your switch. To view detailed statistics for a WLAN:
1. Select Network > Wireless LANs from the main menu tree.
2. Click the Statistics tab.
3. Select a WLAN from the table displayed in the Statistics screen and click the Switch Statistics button.
4.
Viewing and configuring switch WLANs 4 Configuring WMM Use the WMM tab to review a WLAN’s current index (numerical identifier), SSID, description, current enabled/disabled designation, and Access Category. To view existing WMM Settings: 1. Select Network > Wireless LANs from the main menu tree. 2. Click the WMM tab. The WMM tab displays the following information: Idx Displays the WLANs numerical identifier. This field is displayed in a two part format.
AIFSN: Displays the current Arbitrary Inter-frame Space Number (AIFSN). Higher-priority traffic categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access.
Transmit Ops: Displays the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number.
With a drastic increase in bandwidth-absorbing network traffic (VoIP, multimedia, etc.), data prioritization is critical to effective network management. Refer to the following fields within the QoS Mapping screen to optionally revise the existing settings with respect to the data traffic requirements for this WLAN.
Access Category to 802.1p: Optionally revise the 802.
3. Select an Access Category from the table and click the Edit button to launch a dialog with the WMM configuration for that radio.
4. Refer to the Edit WMM screen for the following information:
SSID: Displays the Service Set ID (SSID) associated with the selected WMM index. This SSID is read-only and cannot be modified within this screen.
Access Category: Displays the Access Category for the intended radio traffic.
Max Retries: Define a maximum number of retries for each Access Category.
Use DSCP or 802.1p: Select the DSCP or 802.1p radio buttons to choose between DSCP and 802.1p.
5. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click OK to apply the changes to the running configuration and close the dialog.
7.
1. Select Network > Wireless LANs from the main menu tree.
2. Select the NAC Include List Configuration tab to view and configure NAC enabled devices.
3. The Include Lists field displays the list of devices that can be included on a WLAN (a printer, for example). Use the Add button to add a device for configuration on a WLAN. A maximum of 6 MAC addresses are allowed per device. For more information, see "Adding an include list to a WLAN" on page 143.
Adding an include list to a WLAN
To add a device to a WLAN's include list configuration:
1. Select Network > Wireless LANs from the main menu tree.
2. Select the NAC Include tab to view and configure NAC Include enabled devices.
3. Click on the Add button in the Include Lists area.
4. Enter the name of the device to include for NAC authentication.
5. Refer to the Status field. It displays the current state of the requests made from the applet.
5. Enter a valid MAC Address of the device you wish to add.
6. Optionally, enter the MAC Mask for the device you wish to add.
7. Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any "SET/GET" operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch.
8.
Configuring the NAC exclusion list
The switch provides a means to bypass NAC for 802.1x devices without a NAC agent. For Brocade handheld devices (like the MC9000), authentication is achieved using an exclusion list. A list of MAC addresses (called an exclusion list) can be added to each WLAN. Each has a separate configuration for the RADIUS server (which only conducts EAP authentication). An exclusion list is a global index-based configuration.
4. Use the Add button (within the List Configuration field) to add devices excluded from NAC compliance on a WLAN. You can create up to 32 lists (both include and exclude combined together) and 64 MAC entries maximum per list. For more information, see "Configuring devices on the exclude list" on page 146.
5. The Configured WLANs field displays the available switch WLANs. Associate a list item in the Exclude Lists field with multiple WLANs.
3. Click on the Add button in the List Configuration field.
4. The List Name displays the read-only name of the list for which you wish to add more devices.
5. Enter the Host Name for the device you wish to add for the selected exclude list.
6. Enter a valid MAC Address for the device you wish to add.
7. Optionally, enter the MAC Mask for the device you wish to add.
8. Refer to the Status field. It displays the current state of the requests made from the applet.
3. Select an item from the Exclude List's List Name field and click the Edit button (within the Configured WLANs field).
4. Map the selected list item with as many WLANs as needed (by selecting the WLAN's checkbox). Use the Select All button to associate each WLAN with the selected list item.
5. To remove the WLAN mappings, select the Deselect All button to clear the mappings.
6.
2. Add a host entry to the include list. This adds a specified MAC entry/MAC range into the client's include list.
RF Switch(config-wireless-client-list) #station pc1 AA:BB:CC:DD:EE:FF
RF Switch(config-wireless-client-list) #
3. Associate the include list to a WLAN. This adds the client's include list into the WLAN.
RF Switch(config-wireless-client-list) #wlan 1
RF Switch(config-wireless-client-list) #
Creating an exclude list
To create a NAC Exclude List:
1.
3. MUs not NAC authenticated use RADIUS for authentication. To configure the WLAN's RADIUS settings:
a. Configure the RADIUS server's IP address.
RF Switch(config-wireless) #wlan 1 RADIUS-server primary 192.168.1.30
RF Switch(config-wireless) #
b. Configure the server's RADIUS key.
RF Switch(config-wireless) #wlan 1 RADIUS-server primary RADIUS-key my-rad-secret
RF Switch(config-wireless )#
c. Configure the secondary RADIUS server's IP address.
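The following Python model is an added example, not code from this guide or from the switch's own software. It models the per-WLAN NAC include and exclude lists described above: the limits the guide states (32 lists, include and exclude combined, and 64 MAC entries per list), a host name plus MAC address and optional MAC mask per entry, and the mapping of lists to WLANs. It then shows which path a joining station takes. The mask semantics (netmask-style, so only the bits set in the mask must agree), the precedence of exclude entries over include entries, and the list names and MAC addresses other than the pc1 entry from the CLI example are assumptions constructed for this example.

```python
# Added example (not code from the Brocade guide): a model of the per-WLAN NAC
# include and exclude lists, with the guide's stated limits and MAC-mask matching.
from dataclasses import dataclass, field

MAX_LISTS = 32              # guide: up to 32 lists, include and exclude combined
MAX_ENTRIES_PER_LIST = 64   # guide: up to 64 MAC entries per list
FULL_MASK = 0xFFFFFFFFFFFF  # all 48 bits significant: exact host match


def mac_to_int(mac: str) -> int:
    """Parse 'AA:BB:CC:DD:EE:FF' into a 48-bit integer; rejects malformed input."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(parts), 16)


@dataclass
class Entry:
    host: str               # host name entered in the Web UI / 'station' keyword
    mac: int
    mask: int = FULL_MASK

    def matches(self, station: int) -> bool:
        # Assumption: the MAC Mask works like a netmask, so only the bits set in
        # the mask must agree; a shorter mask therefore matches a whole range.
        return (station & self.mask) == (self.mac & self.mask)


@dataclass
class ClientList:
    name: str
    kind: str                            # "include" or "exclude"
    entries: list = field(default_factory=list)
    wlans: set = field(default_factory=set)

    def add_station(self, host: str, mac: str, mask: str = "FF:FF:FF:FF:FF:FF") -> None:
        if len(self.entries) >= MAX_ENTRIES_PER_LIST:
            raise ValueError(f"list {self.name!r} is full ({MAX_ENTRIES_PER_LIST} entries)")
        self.entries.append(Entry(host, mac_to_int(mac), mac_to_int(mask)))


class NacPolicy:
    def __init__(self) -> None:
        self.lists = {}

    def create_list(self, name: str, kind: str) -> ClientList:
        if kind not in ("include", "exclude"):
            raise ValueError("kind must be 'include' or 'exclude'")
        if len(self.lists) >= MAX_LISTS:
            raise ValueError(f"limit of {MAX_LISTS} include/exclude lists reached")
        self.lists[name] = ClientList(name, kind)
        return self.lists[name]

    def map_to_wlan(self, name: str, wlan: int) -> None:
        self.lists[name].wlans.add(wlan)

    def decide(self, wlan: int, station_mac: str) -> str:
        """Classify a station joining a WLAN: 'exclude' (NAC bypassed, the WLAN's
        RADIUS server does EAP only), 'include' (NAC authentication) or 'none'
        (no list entry applies). Assumption: exclude entries take precedence."""
        station = mac_to_int(station_mac)
        hit = {"include": False, "exclude": False}
        for lst in self.lists.values():
            if wlan in lst.wlans and any(e.matches(station) for e in lst.entries):
                hit[lst.kind] = True
        if hit["exclude"]:
            return "exclude"
        return "include" if hit["include"] else "none"

    def wide_exclusions(self) -> list:
        """Audit helper: exclude entries whose mask is shorter than a full host
        address, since each one lets a whole MAC range skip NAC."""
        return [(lst.name, e.host) for lst in self.lists.values()
                if lst.kind == "exclude" for e in lst.entries if e.mask != FULL_MASK]


def build_sample_policy() -> NacPolicy:
    """Constructed sample: one include list and one exclude list on WLAN 1.
    pc1/AA:BB:CC:DD:EE:FF is the station from the CLI example in the guide;
    the handheld range and the list names are made up for this example."""
    policy = NacPolicy()
    printers = policy.create_list("printers", "include")
    printers.add_station("pc1", "AA:BB:CC:DD:EE:FF")
    policy.map_to_wlan("printers", 1)
    handhelds = policy.create_list("handhelds", "exclude")
    handhelds.add_station("mc9000-fleet", "02:11:22:00:00:00", "FF:FF:FF:00:00:00")
    policy.map_to_wlan("handhelds", 1)
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    for mac in ("AA:BB:CC:DD:EE:FF", "02:11:22:34:56:78", "02:11:23:34:56:78"):
        print(mac, "->", policy.decide(1, mac))
    print("exclude entries wider than one host:", policy.wide_exclusions())
```

The wide_exclusions() helper lists every exclude entry whose mask is shorter than a full address. Each such entry lets every station in that range skip NAC and be authenticated by the WLAN's RADIUS server alone, so reviewing that output after each change is a quick way to confirm the exclusion list is no broader than the handheld fleet it was created for.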
Viewing associated MU details
1. Select Network > Mobile Units from the main menu tree.
2. Click the Status tab. The Status screen displays the following read-only device information for MUs interoperating within the switch managed network.
Station Index: Displays a numerical device recognition identifier for a specific MU.
MAC Address: Each MU has a unique Media Access Control (MAC) address through which it is identified. This address is burned into the ROM of the MU.
Radio Index: The Radio Index is a numerical device recognition identifier for MU radios. The index is helpful to differentiate device radios when a particular MU has more than one radio.
Radio Type: The Radio Type defines the radio used by the adopted MU. The switch supports 802.11a, 802.11b and 802.11g single radio MUs as well as dual radio 802.11ab, 802.11bg, 802.11an and 802.11bgn MUs.
3.
3. Select a MU from the table in the Status screen and click the Details button.
4. Refer to the following read-only MU transmit and receive statistics:
MAC Address: Displays the Hardware or Media Access Control (MAC) address for the MU.
IP Address: Displays the unique IP address for the MU. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval.
Power Save: Displays the current PSP state of the MU.
Voice: Displays whether or not the MU is a voice capable device. Traffic from a voice enabled MU is handled differently than traffic from MUs without this capability. MUs grouped to particular WLANs can be prioritized to transmit and receive voice traffic over data traffic.
WMM: Displays WMM usage status for the MU, including the Access Category currently in use.
4. Check the Trigger Beacon Request box to enable Radio Resource Management services on the selected MU.
5. In the Measurement Duration field, enter a time interval between 500 and 1000 (in K-us) to specify how often the Radio Resource Measurement services will poll the selected MU for traffic information.
6. Click OK to apply the changes to the running configuration and close the dialog.
MAC Address: Each MU has a unique Media Access Control (MAC) address through which it is identified. This address is burned into the ROM of the MU.
MAC Name: The MAC Name is a user created name used to identify individual mobile unit MAC addresses with a user friendly name. To edit an existing entry, double click the MAC Name and type in the new name.
4.
NOTE: The Brocade Mobility RFS7000-GR Controller supports 8192 MUs.
To view MU statistics details:
1. Select Network > Mobile Units from the main menu tree.
2. Click the Statistics tab.
3. Select the Last 30s checkbox to display MU statistics gathered over the last 30 seconds. This option is helpful for assessing MU performance trends in real time.
4. Select the Last HR checkbox to display MU statistics gathered over the last hour.
Throughput Mbps: Displays the average throughput in Mbps between the selected MU and the Access Port. The Rx column displays the average throughput in Mbps for packets received on the selected MU from the Access Port. The Tx column displays the average throughput for packets sent on the selected MU from the Access Port.
Bit Speed (Avg.) Mbps: Displays the average bit speed in Mbps for the selected MU. This includes all packets sent and received.
The Details screen displays WLAN statistics for the selected WLAN, including:
• Information
• Traffic
• RF Status
• Errors
Information in black represents the statistics from the last 30 seconds and information in blue represents statistics from the last hour. Use both sets of data to trend statistics in real time versus a measurable period (1 hour).
4.
% Gave Up Pkts: Displays the percentage of packets the switch gave up on for the selected MU.
% of Undecryptable Pkts: Displays the percentage of undecryptable packets (packets that could not be processed) for the selected MU.
8. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
9.
Viewing voice statistics
The Voice Statistics screen displays read-only statistics for each MU. Use this information to assess whether configuration changes are required to improve network performance. If a more detailed set of MU statistics is required, select a MU from the table and click the Details button. To view MU voice statistics details:
1. Select Network > Mobile Units from the main menu tree.
2. Click the Voice Statistics tab.
3.
R Factor: Displays the average call quality using the R Factor scale. The R Factor method rates voice quality on a scale of 0 to 120. An R Factor score less than 70 indicates the users are not satisfied with the voice quality of the calls.
MOS-CQ: Displays the average call quality using the Mean Opinion Score (MOS). The MOS scale rates call quality on a scale of 1 to 5. An MOS score less than 3.5 indicates the users are not satisfied with the voice quality of the calls.
Viewing Access Port Information
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Configuration tab.
3. Refer to the table for the following information:
Switch: The Switch field displays the IP address of the cluster member associated with each Access Port radio. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the Access Port radio configuration screen.
4. Refer to the Properties field for the following information:
Desired Channel: When the radio's channel is configured statically, the Actual Channel and Desired Channel are the same. If using ACS (Automatic Channel Selection), the switch selects a channel for the radio. The Desired Channel displays "ACS" and the Actual Channel displays the channel selected for the radio. When set to Random, the applet determines the channel's designation.
11. When using clustering and the Cluster GUI feature is enabled, a pulldown menu will be available to select which cluster members' Access Port radios are displayed. To view Access Port radios from all cluster members, select All from the pulldown menu. To view Access Port radios from a specific cluster member, select that member's IP address from the pulldown menu.
12.
5. To use the AP as a Client Bridge, check the Client Bridge checkbox and configure the following information:
Mesh Network Name: When Client Bridge is enabled, enter the name of the Mesh Network that the selected radio will be a Client Bridge on.
Max Client Bridge Mesh Associations: When Client Bridge is enabled, specify the maximum number of base bridges per client bridge in an AP Mesh Network.
5. To enable the automatic adoption of non-configured radios on the network, select the Adopt unconfigured radios automatically option. Enable this option to allow adoption even when the Access Port is not configured. Default radio settings are applied to Access Ports adopted automatically.
6.
7. Check the Use Default Values option checkbox to set the Username and Password to factory default values. The Access Port can get disconnected if the 802.1x authenticator is not configured accordingly.
NOTE: 802.1x username and password information is only passed to adopted Access Ports when the Username and Password are set. Any AP adopted after this does not automatically receive a username and password.
4. Click the Edit button to display a screen containing settings for the selected radio.
5. The Switch field displays the IP address of the cluster member associated with each Access Port radio. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the Access Port Radio edit screen. For information on enabling Cluster GUI, see "Managing clustering using the Web UI" on page 280.
6. In the Radio Descr.
10. Select the Enable Enhanced Probe Table checkbox to enable an adopted Access Port or Access Point radio to forward the probes required to obtain MU RSSI information. RSSI data (as obtained by at least three detecting radios) can be used by the Brocade RFMS application to triangulate the location of a MU on a site map representative of the actual physical dimensions of the switch radio coverage area.
17. In most cases, the default settings for the Advanced Properties are sufficient. If needed, additional Advanced Properties can be modified for the following:
Antenna Diversity: Use the drop-down menu to configure the Antenna Diversity settings for Access Ports using external antennas. Options include:
• Full Diversity - Utilizes both antennas to provide antenna diversity.
• Primary Only - Enables only the primary antenna.
Beacon Interval: Specify a beacon interval in units of 1,024 microseconds (K-us). This is a multiple of the DTIM value, for example, 100: 10. (See "DTIM Period," below.) A beacon is a packet broadcast by the adopted Access Ports to keep the network synchronized. Included in a beacon is information such as the WLAN service area, the radio-port address, the broadcast destination addresses, a time stamp, and indicators about traffic and delivery such as a DTIM.
20. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
21. If clustering is configured and the Cluster GUI feature is enabled, the Apply to Cluster feature will be available. Click the Apply to Cluster button to apply the AP radio settings to all members in the cluster.
Supported rates allow an 802.11 network to specify the data rates it supports. When a MU attempts to join the network, it checks the data rate used on the network. If a rate is selected as a basic rate, it is automatically selected as a supported rate. The basic default rates for an 802.11a radio differ from the 802.11b default rates, as an 802.11a radio can support a maximum data rate of 54 Mbps, while an 802.11b radio can support a maximum data rate of 11 Mbps.
4.
5. Use the AP Type drop-down menu to define the radio type you would like to add. If adding a Brocade Mobility 7131N-FGR Access Point, the Access Port conversion will render the Access Point a "thin" Access Port.
6. From the Radio Settings section, select the radio type checkboxes corresponding to the type of AP radio used. Available radio types are dependent on the AP Type selected above.
7. Enter a numerical value in the Radio Index field for each selected radio.
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Statistics tab.
3. To select the time frame for the radio statistics, select either Last 30s or Last Hr above the statistics table.
• Select the Last 30s radio button to display statistics for the last 30 seconds for the radio.
• Select the Last Hr radio button to display statistics from the last hour for the radio.
4.
% Non-UNI: Displays the percentage of packets for the selected radio that are non-unicast packets. Non-unicast packets include broadcast and multicast packets.
Retries: Displays the average number of retries for all MUs associated with the selected radio.
5. Select a radio from those displayed and click the Details button for additional radio information in raw data format. For more information, see "Viewing AP statistics in detail" on page 177.
6.
5. Refer to the Traffic field for the following information:
Pkts per second: Displays the average total packets per second that cross the selected radio. The Rx column displays the average total packets per second received on the selected radio. The Tx column displays the average total packets per second sent on the selected radio. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
Viewing AP statistics in graphical format
The Access Port Radios Statistics tab has an option for displaying detailed Access Port radio statistics in a graph. This information can be used to chart associated switch radio performance and help diagnose radio performance issues. To view the Access Port radio statistics in a graphical format:
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Statistics tab.
3.
3. Select a radio from the table to view WLAN assignment information. The WLAN Assignment tab is divided into two fields: Select Radios and Assigned WLANs.
4. Refer to the Select Radios field for the following information:
Index: Displays the numerical index (device identifier) used with the radio. Use this index (along with the radio description) to differentiate the radio from other radios with similar configurations.
Description: Displays a description of the Radio.
3. Select a radio from the table and click the Edit button. The Select Radio/BSS field displays the WLANs associated to each of the BSSIDs used by the radios within the radio table. Use the Select/Change Assigned WLANs field to edit the WLAN assignment.
4. Select any of the WLANs from the table to unassign/disable it from the list of available WLANs.
5. Refer to the Status field for the current state of the requests made from the applet.
1. Select Network > Access Port Radios from the main menu tree.
2. Click the WMM tab. WMM information displays per radio with the following information:
Index: Displays the identifier assigned to each radio index. Each index is assigned a unique identifier such as 1/4, 1/3, etc.
AP: Displays the name of the Access Port associated with the index. The Access Port name comes from the description field in the Radio Configuration screen.
4. Select a radio and click the Edit button to modify its properties. For more information, see "Editing WMM settings" on page 183.
Editing WMM settings
Use the Edit screen to modify a WMM profile's properties (AIFSN, Tx Op, CW Min and CW Max). Modifying these properties may be necessary as Access Categories are changed and transmit intervals need to be adjusted to compensate for larger data packets and contention windows.
7. Enter a value between 0 and 15 for the Extended Contention Window maximum (ECW Max) value. The ECW Max is combined with the ECW Min to make the Contention Window. From this range, a random number is selected for the back-off mechanism. Lower values are used for higher priority (video or voice) traffic.
8. Refer to the Status field for the current state of the requests made from the applet.
Bandwidth information displays per radio with the following data:
Index: The Index is the numerical index (device identifier) used with the device radio. Use this index (along with the radio name) to differentiate the radio from other device radios.
Description: The displayed name is the name used with the device radio. Use this name (along with the radio index) to differentiate the radio from other device radios.
5. Click OK to save the changes.
6. Repeat steps 3 through 5 for each radio you wish to add to groups.
7. When you have finished adding radios to groups, click the Apply button on the Configuration tab to save your changes.
8. To verify the radio groups, click on the Groups tab to view configured radio groups. For more information on viewing radio groups, refer to "Viewing access point radio groups" on page 186.
1. Select Network > Access Port Radios from the main menu tree.
2. Click the VCAC Statistics tab.
3. The following statistics are displayed:
Index: Displays the numerical identifier assigned to each Access Port.
Description: Displays the names assigned to each of the APs. The AP name can be configured on the Access Port Radios Configuration page.
Total Voice Calls: Displays the total number of voice calls attempted for each Access Port.
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Mesh Statistics tab.
3. The following statistics are displayed:
Mesh Index: Displays the numerical identifier assigned to each mesh member AP.
MAC Address: Displays the Media Access Control (MAC) address for each Access Port.
Connection Type: Displays the connection type for each Access Port.
Radio Index: The Radio Index is a numerical value assigned to the radio as a unique identifier.
Smart RF
When invoked by an administrator, Smart RF (or self-monitoring at run time) instructs radios to change to a specific channel and begin beaconing using their maximum available transmit power. Within a well planned deployment, any associated radio should be reachable by at least one other radio. The Smart RF feature records signals received from its neighbors as well as signals from external, unmanaged radios.
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Smart RF tab.
3. The following Smart RF details are displayed:
MAC Address: Displays the Media Access Control (MAC) address of each of the APs in the table.
Index: Displays the numerical identifier assigned to each detector AP used in Smart RF calibration.
AP Name: Displays the names assigned to each of the APs. The AP name can be configured on the Access Port Radios Configuration page.
Lock Rescuers: Displays whether or not each Access Port is locked to a group of rescuer APs.
Switch IP: Displays the IP address of the switch.
4. To view the details of individual radio Smart RF information, select a radio from the list and click the Details button.
5. The Radio Details section displays the following information:
Description: Displays a description of the Radio.
AP Name: Displays the name assigned to the AP. The AP name can be configured on the Access Port Radios Configuration page.
AP Type: Displays the type of Access Port detected. The switches support Brocade Mobility 7131N-FGR Access Points.
Radio Type: Displays the radio type of the corresponding APs. Available types are:
• 802.11a
• 802.11an
• 802.11bg
• 802.11bgn
AP Location: Displays the current location for the selected AP.
3. Select a radio from the table and click the Edit button. The radio settings are divided into the following three sections:
• Properties
• Radio Rescuer Settings
• Advanced Properties
4. The Properties section displays the following information:
Description: Displays a description of the Radio. Modify the description as required to name the radio by its intended coverage area or function.
MAC Address: Displays the Media Access Control (MAC) address of the selected AP.
AP Name: Displays the name assigned to the AP. The AP name can be configured on the Access Port Radios Configuration page.
AP Type: Displays the type of Access Port detected. The switch supports Brocade Mobility 7131N-FGR Access Points.
Radio Type: Displays the radio type of the corresponding APs. Available types are:
• 802.11a
• 802.11an
• 802.11bg
• 802.11bgn
AP Location: Displays the current location for the selected AP.
Viewing Smart RF history
To view Smart RF history:
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Smart RF tab.
3. Click the Smart RF History button.
4. The Smart RF History window displays the Index number and Assignment History of Smart RF activity.
Configuring Smart RF settings
To configure Smart RF settings:
1. Select Network > Access Port Radios from the main menu tree.
2.
3. Click the Smart RF Settings button.
4. Click the Check All Boxes option in the Smart RF Global Settings dialog to check every box in the configuration window. To uncheck all boxes, click this box a second time.
5. Check the Enable Smart RF Module box to enable Smart RF functions on the switch.
Assign - Tx Power: Check this box to enable automatic assignment of transmit power.
Assign - Rescuers: Check this box to enable automatic assignment of rescuers along with rescuing power.
Available: The Available box lists all available channels for Smart RF.
Configured: The Configured box lists all channels enabled for Smart RF.
Add: To add a channel to the configured list, select one or more channels from the Available box and click the Add button.
11. Click the Calibration Status button to open a dialog with the following calibration status information:
Last Calibration Start Time: Displays the date and time that the last Smart RF calibration began.
Last Calibration End Time: Displays the date and time that the last Smart RF calibration ended.
Next Calibration Start Time: Displays the date and time scheduled for the next Smart RF calibration.
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Voice Statistics tab.
3. The following statistics are displayed:
Index: Displays the numerical identifier assigned to each Access Port.
Description: Displays the names assigned to each of the APs. The AP name can be configured on the Access Port Radios Configuration page.
Type: Displays the radio type of the corresponding APs. Available types are:
• 802.11a
• 802.11an
• 802.11b
• 802.
4. Selecting a radio from the table will display the following details of individual calls:
Index: Displays the numerical identifier assigned to each MU.
Protocol: Displays which voice protocol is being used for the selected call. Voice protocols include:
• SIP
• TPSEC
• Spectralink
• H.323
Successful Calls: Displays the number of successful calls for the displayed MUs.
Avg Call Quality R Factor: Displays the average call quality using the R Factor scale.
Viewing access port adoption defaults
1. Select Network > Access Port Adoption Defaults from the main menu tree.
2. Click the Configuration tab.
3. Refer to the following information as displayed within the Configuration tab:
Type: Displays whether the radio is an 802.11a radio or an 802.11bg model radio.
Placement: Displays the default placement when a radio auto-adopts and takes on the default settings. Options include Indoor or Outdoor. Default is Indoor.
- Configure a DNS Server to resolve an existing name into the IP of the switch. The Access Port has to get DNS server information as part of its DHCP information. The default DNS name requested by an access point is "Symbol-CAPWAP-Address". However, since the default name is configurable, it can be set as a factory default to whatever value is needed.
The Properties field displays the Model family for the selected Access Port. The Model is read only and cannot be modified. The Radio Type displays the radio type (802.11a or 802.11bg). This value is read only and cannot be modified.
5. To use this radio as a detector to identify rogue APs on your network, check the box titled Dedicate this AP as Detector AP. Setting this radio as a detector will dedicate this radio to detecting rogue APs on the network.
13. In most cases, the default settings for the Advanced Properties section are sufficient. If needed, additional radio settings can be modified for the following properties:
Antenna Diversity: Use the drop-down menu to configure the Antenna Diversity settings for Access Ports using external antennas. Options include:
• Full Diversity: Utilizes both antennas to provide antenna diversity.
• Primary Only: Enables only the primary antenna.
Beacon Interval: Specify a beacon interval in units of 1,000 microseconds (K-us). This is a multiple of the DTIM value, for example, 100: 10. (See "DTIM Period," below.) A beacon is a packet broadcast by the adopted Access Ports to keep the network synchronized. Included in a beacon is information such as the WLAN service area, the radio-port address, the broadcast destination addresses, a time stamp, and indicators about traffic and delivery such as a DTIM.
To configure a radio's rate settings:
1. Click the Rate Settings button in the radio edit screen to launch a screen wherein rate settings can be defined for the radio.
2. Check the boxes next to all Basic Rates you want supported by this radio. Basic Rates are used for management frames, broadcast traffic and multicast frames. If a rate is selected as a basic rate, it is automatically selected as a supported rate.
3.
The options field (Option 189) contains a list of switch IP addresses available for the Access Port.
3. The system administrator now programs these options into the DHCP server.
4. If the Access Port finds the list, it sends a unidirectional Hello packet (encapsulated in a UDP/IP frame) to each switch on the list.
5. Each switch that receives such a packet responds with a Parent response.
1. Select Network > Access Port Adoption Defaults from the main menu tree.
2. Click the WLAN Assignment tab. The Assigned WLANs tab displays two fields: Select Radios/BSS and Select/Change Assigned WLANs.
3. With the Select Radios/BSS field, select the radio type to configure (802.11a or 802.11bgn) from the Select Radio drop-down menu.
4. Select the desired BSS from the BSS list or select a Radio (802.11a or 802.11bgn) to modify.
5.
6. Click Apply to save the changes made within the screen.
7. Click Revert to cancel the changes made and revert back to the last saved configuration.
Configuring WMM
Use the WMM tab to review each radio type, as well as the Access Category that defines the data (Video, Voice, Best Effort and Background) the radio has been configured to process. Additionally, the WMM tab displays the transmit intervals defined for the target access category.
ECW Min The ECW Min is combined with the ECW Max to define the Contention Window. From this range, a random number is selected for the back-off mechanism. Lower values are used for higher priority traffic.
ECW Max The ECW Max is combined with the ECW Min to make the Contention Window. From this range, a random number is selected for the back-off mechanism. Lower values are used for higher priority traffic.
4.
Configuring access ports 4
5. Enter a number between 0 and 65535 for the Transmit Ops value. The Transmit Ops value is the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set higher.
6. Enter a value between 0 and 15 for the Contention Window minimum value. The ECW Minimum is combined with the ECW Maximum to make the Contention Window. From this range, a random number is selected for the back-off mechanism.
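The contention-window arithmetic behind the ECW Min/ECW Max fields, as an added illustration that is not code from the Brocade guide: the ECW values (0 to 15) are exponents, the window in slots is CW = 2^ECW - 1, the window doubles on each retry up to CWmax, and the random back-off is drawn from [0, CW]. The per-category ECW pairs in SAMPLE_ACCESS_CATEGORIES are constructed sample values following the commonly used 802.11e defaults, not values taken from the guide.

```python
import random

# Added illustration of WMM/EDCA contention-window arithmetic; not code from
# the Brocade guide. ECW values (0-15) are exponents: CW = 2**ECW - 1 slots.

ECW_RANGE = range(0, 16)


def contention_window(ecw_min, ecw_max):
    """Return (CWmin, CWmax) in slots for the given ECW exponents."""
    if ecw_min not in ECW_RANGE or ecw_max not in ECW_RANGE:
        raise ValueError("ECW Min and ECW Max must be between 0 and 15")
    if ecw_min > ecw_max:
        raise ValueError("ECW Min must not exceed ECW Max")
    return 2 ** ecw_min - 1, 2 ** ecw_max - 1


def current_cw(ecw_min, ecw_max, retries):
    """Contention window after `retries` failed attempts.

    Binary exponential backoff: the window starts at CWmin and doubles
    (CW = 2**(ECWmin + retries) - 1) on each retry, capped at CWmax.
    """
    cw_min, cw_max = contention_window(ecw_min, ecw_max)
    return min(2 ** (ecw_min + retries) - 1, cw_max)


def backoff_slots(ecw_min, ecw_max, retries=0, rng=random):
    """Draw the random backoff count from [0, CW] for the current window."""
    return rng.randint(0, current_cw(ecw_min, ecw_max, retries))


def mean_backoff_slots(ecw_min, ecw_max, retries=0):
    """Expected backoff for a uniform draw from [0, CW]: CW / 2."""
    return current_cw(ecw_min, ecw_max, retries) / 2


# Constructed sample ECW (min, max) exponents per access category. They follow
# the commonly used 802.11e defaults; they are not values from the guide.
SAMPLE_ACCESS_CATEGORIES = {
    "Voice": (2, 3),
    "Video": (3, 4),
    "Best Effort": (4, 10),
    "Background": (4, 10),
}


def rank_by_priority(categories=SAMPLE_ACCESS_CATEGORIES):
    """Order categories by expected backoff; shorter windows win the medium sooner."""
    return sorted(categories, key=lambda ac: mean_backoff_slots(*categories[ac]))


if __name__ == "__main__":
    for ac, (emin, emax) in SAMPLE_ACCESS_CATEGORIES.items():
        cw_min, cw_max = contention_window(emin, emax)
        print(f"{ac:12s} ECW {emin}/{emax} -> CW {cw_min}..{cw_max} slots, "
              f"mean initial backoff {mean_backoff_slots(emin, emax):.1f} slots")
```

Running the block shows why the guide says lower ECW values belong to higher-priority traffic: with the sample exponents, Voice draws from at most 3 slots on its first attempt while Best Effort draws from 15, so Voice statistically gains the medium first.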
1. Select Network > Access Port from the main menu tree.
2. Click the Adopted AP tab.
3. Refer to the Adopted AP screen for the following information:
Switch The Switch field displays the IP address of the cluster member associated with each AP. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the AP configuration screen.
Radio Indices Displays the indices of the radios belonging to the selected Access Port. These indices are equivalent to a numerical device recognition identifier (index) for the radio.
Number of Adopted APs The Number of Adopted APs is the total number of Access Ports currently adopted by the switch.
4. When using clustering and the Cluster GUI feature is enabled, a pulldown menu will be available to select which cluster members’ APs are displayed.
1. Select Network > Access Port from the main menu tree.
2. Click the Unadopted AP tab. The Unadopted AP tab displays the following information:
Index Displays a numerical identifier used to associate a particular Access Port with a set of statistics; it can help differentiate the Access Port from other Access Ports with similar attributes.
MAC Address Displays the unique Hardware or Media Access Control (MAC) address for the Access Port.
- Configure DHCP option 189 to specify each switch IP address.
- Configure a DNS Server to resolve an existing name into the IP of the switch. The Access Port has to get DNS server information as part of its DHCP information. The default DNS name requested by a Brocade Mobility 7131N-FGR Access Point is “Symbol-CAPWAP-Address”. However, since the default name is configurable, it can be set as a factory default to whatever value is needed.
1. Select Network > Access Port from the main menu tree.
2. Click the Configuration tab.
3. Select an Access Port from the table and click the Edit button.
4. Configure the Country and VLAN Tagging for the selected AP:
Country Select the Country that the Access Port will be configured to operate in.
AP Native VLAN for LAN1 Select whether the native VLAN for the Access Port on LAN1 will be Tagged or Untagged.
Configuring Adaptive AP firmware
Refer to the AP Firmware tab to view the Access Port and Adaptive AP firmware image associated with each adopted Access Port or Adaptive AP. The screen allows you to update the firmware image for Adaptive APs that associate with the switch. To view AP firmware information:
1. Select Network > Access Port from the main menu tree.
2. Click the AP Firmware tab.
1. Enable or disable Adaptive AP Automatic Update (AAP Automatic Update).
5. To delete an existing AP firmware image, highlight an AP image type and click the Delete button.
Adding a new AP firmware image
To modify the AP Firmware Image settings:
1. Select Network Setup > Access Port from the main menu tree.
2. Click the AP Firmware tab.
3. Click the Add button to display a screen to configure the AP Image Type and AP Image File.
4. Specify the AP Image Type.
5. Specify the AP Image File. You can browse the switch filesystems using the browser icon.
6. Modify the AP Image File as necessary. You can browse the switch filesystems using the browser icon. AP images must be on the flash, system, nvram or usb filesystems in order for them to be selected.
7. Click the OK button to save the changes and return to the AP Firmware tab.
Multiple spanning tree
Multiple Spanning Tree Protocol (MSTP) provides a VLAN-aware protocol and algorithm to create and maintain a loop-free network.
To configure the switch for MSTP support, configure the region name and the revision on each switch being configured. This region name is unique to each region. Then create one or more instances and assign IDs. VLANs are then assigned to instances. These instances must be configured on switches that interoperate with the same VLAN assignments. Port cost, priority and global parameters can then be configured for individual ports and instances.
Supported Versions Displays the different versions of STP supported.
Protocol Version Displays the current protocol version in use. Available MSTP protocol versions are:
• forceNonStp
• forceLegacyDot1d
• forceDot1w
• autoDot1s
• unknown
MST Config. Name Enter a name for the MST region. This is used when configuring multiple regions within the network. Each switch running MSTP is configured with a unique MST region name.
CIST Bridge HelloTime Set the CIST Hello Time (in seconds). After the defined interval all bridges in a bridged LAN exchange BPDUs. The hello time is the time interval (in seconds) the device waits between BPDU transmissions. A very low value leads to excessive traffic on the network, whereas a higher value delays the detection of a topology change. This value is used by all instances.
Bridge Hello Time Displays the configured Hello Time.
1. Select Network > Multiple Spanning Tree from the main menu tree.
2. Select the Bridge Instance tab. The Bridge Instance tab displays the following:
ID Displays the ID of the MSTP instance.
Bridge Priority Displays the bridge priority for the associated instance. The Bridge Priority is assigned to an individual bridge based on whether it is selected as the root bridge. The lower the priority, the greater the likelihood of the bridge becoming the root for this instance.
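How the Bridge Priority decides the root for an instance, as an added example that is not code from the Brocade guide. It follows the 802.1Q bridge-identifier comparison: the 4-bit priority (configured in steps of 4096, 0 to 61440), the 12-bit instance ID (system-ID extension) and the 48-bit bridge MAC are concatenated, and the numerically lowest identifier wins, so a lower priority always beats a lower MAC and the MAC only breaks priority ties. The bridge names and MAC addresses in SAMPLE_BRIDGES are constructed for the example.

```python
# Added example, not code from the Brocade guide: MSTP root-bridge election
# for one instance from the Bridge Priority field described above.

def bridge_id(priority, instance_id, mac):
    """Build the 64-bit MSTP bridge identifier for one instance.

    Layout: 4-bit priority | 12-bit instance ID (system-ID extension) | 48-bit MAC.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= instance_id <= 4095:
        raise ValueError("instance id must be between 0 and 4095")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC address must be 48 bits")
    return ((priority | instance_id) << 48) | mac_int


def elect_root(bridges, instance_id):
    """Return the name of the root bridge for `instance_id`.

    `bridges` is a list of (name, priority, mac) tuples. The lowest bridge
    identifier wins, so equal priorities are decided by the lower MAC.
    """
    if not bridges:
        raise ValueError("no bridges to elect from")
    return min(bridges, key=lambda b: bridge_id(b[1], instance_id, b[2]))[0]


# Constructed sample topology (names and MACs are made up for this example).
SAMPLE_BRIDGES = [
    ("core-1", 4096, "00:11:22:33:44:55"),
    ("core-2", 8192, "00:11:22:33:44:56"),
    ("access-1", 32768, "00:00:00:00:00:01"),  # lowest MAC, default priority
]


if __name__ == "__main__":
    for inst in (1, 2):
        print(f"instance {inst}: root is {elect_root(SAMPLE_BRIDGES, inst)}")
```

The constructed topology shows the practical point: the access bridge has the lowest MAC, yet it never becomes root because both core bridges carry an explicitly lowered priority. Leaving every bridge at the default priority hands the root role to whichever device has the lowest MAC, which is rarely the one an administrator wants.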
3. Click the Add button.
4. Enter a value between 1 and 15 as the Instance ID.
5. Click OK to save and commit the changes.
6. The Bridge Instance tab will now display the new instance ID.
7. Click Cancel to disregard the new Bridge Instance ID.
Associating VLANs to a bridge instance
1. Select Network > Multiple Spanning Tree from the main menu tree.
2. Select the Bridge Instance tab.
3.
1. Select Network > Multiple Spanning Tree from the main menu tree.
2. Select the Port tab. The Port tab displays the following information (ensure you scroll to the right to view the numerous port variables described):
Index Displays the port index.
Admin MAC Enable Displays the status of the Admin MAC. Change the status using the Edit button. A green check mark indicates the Admin MAC Enable status is active/enabled.
AdminPort PortFast Bpdu Guard Displays whether the BPDU Guard is currently enabled for this port. When set for a bridge, all portfast-enabled ports having the bpdu-guard set to default shut down the port on receiving a BPDU. When this occurs, the BPDU is not processed.
OperPort PortFast Bpdu Guard Displays whether BPDU Guard is currently enabled for this port.
Admin Point-to-Point Displays the point-to-point status as ForceTrue or ForceFalse. ForceTrue indicates this port should be treated as connected to a point-to-point link. ForceFalse indicates this port should be treated as having a shared connection.
Oper Point-to-Point Displays whether the listed port index is configured to connect to another port through a point-to-point link.
Port FastBPDU Guard Enable this option to change the status of the Port Fast BPDU Guard.
Port Version Select a value to reconfigure the port version.
Port Path Cost Displays the path cost for the specified port index. The default path cost depends on the speed of the interface.
1. Select Network > Multiple Spanning Tree from the main menu tree.
2. Select the PortInstance tab. The Port Instance table displays the following:
ID Displays the instance ID.
Index Displays the port index.
State Displays the MSTP state for the port for that instance.
Role Displays the MSTP role of the port.
Internal Root Cost Displays the Internal Root Cost of a path associated with an interface.
Editing a port instance configuration
To edit and reconfigure Port Instance parameters:
1. Select a row from the port table and click the Edit button. Most of the MSTP Port Instance parameters can be reconfigured, as indicated below.
Port Instance ID Read-only indicator of the instance ID used as a basis for other modifications.
Port Index Read-only indicator of the port index used as a basis for other modifications.
IGMP Snooping
1. Select Network > IGMP Snooping from the main menu tree.
2. Select the IGMP Snoop Config tab. The IGMP Snoop Config tab displays the following information:
Snoop Enable Select to enable IGMP Snooping on the switch. If disabled, snooping on a per-VLAN basis is also disabled.
Unknown Multicast Forward Select to enable the switch to forward Multicast packets from unregistered Multicast Groups. If disabled, Unknown Multicast Forward on a per-VLAN basis is also disabled.
The IGMP Snoop Querier is used to keep host memberships alive. It is primarily used in a network where there is a Multicast Streaming Server and hosts that subscribe to the Multicast server, and there is no IGMP Querier present. The switch can perform the role of an IGMP Querier. An IGMP Querier sends out periodic IGMP Query packets. Interested hosts reply with IGMP Report packets. IGMP Snooping is only done on wireless portals. IGMP Multicast packets are flooded on wired ports.
VLAN Index The index of the selected VLAN.
Enable The enable state of IGMP Snoop Querier on this VLAN.
Version The IGMP version in use.
Present Timeout The time duration in seconds after which the switch's querier takes over the role of IGMP querier for this VLAN.
Max Response Time The maximum time allowed in seconds before sending a responding report for a host.
Operational State The current operational state of IGMP Querier for this VLAN.
Chapter 5 Controller Services
In this chapter
This chapter describes the Services main menu information available for the following switch configuration activities.
Displaying the services interface
1. Select Services from the main menu tree.
2. Refer to the Services Summary field for the following information relating to configurable values within the Services main menu item.
DHCP Servers Displays whether DHCP is enabled and the current configuration. For information on configuring DHCP Server support, see “DHCP server settings” on page 237.
NTP Time Management Displays whether time management is currently enabled or disabled.
DHCP server settings
The DHCP server settings section contains the following activities:
• Configuring the switch DHCP server
• Viewing the attributes of existing host pools
• Configuring excluded IP address information
• Configuring the DHCP server relay
• Viewing DDNS bindings
• Viewing DHCP bindings
• Reviewing DHCP dynamic bindings
• Configuring the DHCP user class
• Configuring DHCP pool class
Configuring the switch DHCP server
The switch contains an internal Dynamic Host Co
1. Select Services > DHCP Server from the main menu tree.
2. Select the Enable DHCP Server checkbox to enable the switch’s internal DHCP Server for use with global pools.
3. Select the Ignore BOOTP checkbox to bypass a BOOTP request.
4. Define an interval (from 1 to 10 seconds) for the Ping timeout variable. The switch uses the timeout to intermittently ping and discover whether the client-requested IP address is already in use.
5.
8. Click the Add button to create a new DHCP pool. For more information, see “Adding a new DHCP pool” on page 240.
9. Click the Options button to associate values to options, as defined using the Options Setup functionality. The values associated to options are local to the pool with which they are associated. For more information, see “Configuring DHCP global options” on page 242.
10.
NOTE The network IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for addresses to be supported on that interface.
9. Within the Lease Time field, define one of the two kinds of leases the DHCP Server assigns to its clients:
• Infinite - If selected, the client can use the assigned address indefinitely.
• Actual Interval - Select this checkbox to manually define the interval for clients to use the DHCP server assigned addresses.
1. Select Services > DHCP Server from the main menu tree.
2. Click the Add button at the bottom of the screen.
3. Enter the Pool Name from which IP addresses can be issued to client requests on this interface.
4. Provide the Domain name as appropriate for the interface using the pool.
5. Enter the NetBios Node used with this particular pool.
7. From the Network field, use the Associated Interface drop-down menu to define the switch interface used for the newly created DHCP configuration. Use VLAN1 as a default interface if no others have been defined. Additionally, define the IP Address and Subnet Mask used for DHCP discovery and requests between the DHCP Server and DHCP clients.
1. Select Services > DHCP Server from the main menu tree.
2. Highlight an existing pool name from within either the Configuration or Host Pool tab and click the Options Setup button at the bottom of the screen.
3. Click the Insert button to display an editable field wherein the name and value of the DHCP option can be added.
4.
1. Select Services > DHCP Server from the main menu tree.
2. Highlight an existing pool name from within either the Configuration or Host Pool tabs and click the DDNS button at the bottom of the screen.
3. Enter a Domain Name which represents the forward zone in the DNS server, for example test.net.
4. Define the TTL (Time to Live) to specify the validity of DDNS records. The maximum value is 864000 seconds.
5.
1. Select Services > DHCP Server from the main menu tree.
2. Select the Host Pool tab.
3. Refer to the following information to assess whether the existing group of DHCP pools is sufficient:
Pool Name Displays the name of the IP pool from which IP addresses can be issued to DHCP client requests on this interface. The pool is the range of IP addresses from which addresses can be assigned.
7. Click the Options button to insert a global pool name into the list of available pools. For more information, see “Configuring DHCP global options” on page 242.
8. Click the DDNS button to configure a DDNS domain and server address that can be used with the list of available pools. For more information, see “Configuring DHCP server DDNS values” on page 243.
Configuring the DHCP server relay
Refer to the Relay tab to view the current DHCP Relay configurations for available switch VLAN interfaces. The Relay tab also displays the VLAN interfaces for which the DHCP Relay is enabled/configured. The Gateway Interface address information is helpful in selecting the interface suiting the data routing requirements between the External DHCP Server and DHCP client (present on one of the switch’s available VLANs).
1. Select Services > DHCP Server from the main menu tree.
2. Click the Relay tab.
3. Refer to the Interfaces field for the names of the interfaces available to route information between the DHCP Server and DHCP clients. If this information is insufficient, consider creating a new IP pool or editing an existing pool.
4. Click the Edit button to modify the properties displayed on an existing DHCP pool. Refer to step 7 for the information that can be modified for the DHCP relay.
5.
6. Click the Add button to create a new DHCP pool.
a. Use the Interface drop-down menu to assign the interface used for the DHCP relay. As VLANs are added to the switch, the number of interfaces available grows.
b. Add Servers as needed to supply DHCP relay resources.
c. Click OK to save and add the changes to the running configuration and close the dialog.
d. Click Cancel to close the dialog without committing updates to the running configuration.
1. Select Services > DHCP Server from the main menu tree.
2. Select the DDNS Bindings tab.
3. Refer to the contents of the DDNS Bindings tab for the following information:
IP Address Displays the IP address assigned to the client.
Domain Name Displays the domain name mapping corresponding to the IP address listed in the left-hand side of the tab.
4. Click the Export button to display a screen used to export DDNS Binding information to a secure location.
1. Select Services > DHCP Server from the main menu tree.
2. Select the Bindings tab.
3. Refer to the contents of the Bindings tab for the following information:
IP Address Displays an IP address for each client with a listed MAC address. This column is read-only and cannot be modified.
MAC Address / Client ID Displays the MAC address (client hardware ID) of the client using the switch’s DHCP Server to access switch resources. The MAC address is read-only and cannot be modified.
1. Select Services > DHCP Server from the main menu tree.
2. Select the Dynamic Bindings tab.
3. Refer to the contents of the Dynamic Bindings tab for the following:
IP Address Displays the IP address for each client whose MAC Address is listed in the MAC Address / Client ID column. This column is read-only and cannot be modified.
MAC Address / Client ID Displays the MAC address (client hardware ID) of the client using the switch’s DHCP Server to access switch resources.
The DHCP server assigns IP addresses from multiple IP address ranges. The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the defined range. To view the attributes of existing host pools:
1. Select Services > DHCP Server from the main menu tree.
2. Select the User Class tab to view the DHCP user class and its associated user class option names.
3.
1. Select Services > DHCP Server from the main menu tree.
2. Select the User Class tab.
3. Click the Add button from the User Class Name section. The DHCP server groups clients based on user class option values. DHCP clients with the defined set of user class option values are identified by class.
a. Enter the User Class Name to create a new client. The DHCP user class name should not exceed 32 characters.
b.
3. Select an existing DHCP user class name from the list and click on the Edit button from the DHCP User Class Name section.
a. The User Class Name is a display field and cannot be modified.
b. Either add or modify the Option Values as required to suit the changing needs of your network. The option values should not exceed 50 characters.
c. Select the Multiple User Class Option checkbox to enable multiple option values for the user class.
1. Select Services > DHCP Server from the main menu tree.
2. Select the Pool Class tab to view the DHCP pool class details.
3. Refer to the Pool Class Names field to configure a pool class. A preconfigured pool and class must exist to configure a pool class. The Address Ranges section displays the address ranges associated with the pool class.
4. Click the Edit button to modify the properties displayed for an existing DHCP Pool Class Name.
6. Refer to the Pool Class Address Range field to revise an address range. A maximum of 4 address ranges can be assigned to a class.
a. Use the Insert button to revise the Start IP and End IP address range for a class.
b. Select an address range and click Remove to delete that particular address range.
7. Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
8. Click OK to save the new configuration and close the dialog window.
9. Click Cancel to close the dialog without committing updates to the running configuration.
Configuring secure NTP
Secure Network Time Protocol (SNTP) is central for networks that rely on their switch to supply system time. Without an SNTP implementation, switch time is unpredictable, which can result in data loss, failed processes and compromised security.
1. Select Services > Secure NTP from the main menu tree.
2. Select the Configuration tab.
3. An ACL Id must be created before it is selectable from any of the drop-down menus. Refer to the Access Group field to define the following:
Full Access Supply a numeric ACL ID from the drop-down menu to provide the ACL full access.
Only Control Queries Supply a numeric ACL ID from the drop-down menu to provide the ACL only control query access to SNTP resources.
Clock Stratum Define how many hops (from 1 to 15) the switch is from an SNTP time source. The switch automatically chooses the SNTP resource with the lowest stratum number. The SNTP supported switch is careful to avoid synchronizing to a server that may not be accurate. Thus, the SNTP enabled switch never synchronizes to a machine not synchronized itself.
1. Select Services > Secure NTP from the main menu tree.
2. Select the Symmetric Keys tab.
3. Refer to the Symmetric Key screen to view the following information.
Key ID Displays a Key ID between 1-65534. The Key ID is an abbreviation allowing the switch to reference multiple passwords. This makes password migration easier and more secure between the switch and its NTP resource.
6. Enter a Key ID between 1-65534. The Key ID is a Key abbreviation allowing the switch to reference multiple passwords. This makes password migration easier and more secure between the switch and its NTP resource.
7. Enter an authentication Key Value used to secure the credentials of the NTP server providing system time to the switch.
8. Select the Trusted Key checkbox to use a trusted key.
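What the Key ID, Key Value and Trusted Key settings amount to on the wire, as an added example that is not code from the Brocade guide. It implements the RFC 5905 symmetric-key scheme: the MAC appended to the 48-byte NTP header is the 32-bit Key ID followed by a digest of key || header (16 bytes for MD5, 20 for SHA-1), and a receiver accepts a packet only if the Key ID is one it holds and has marked trusted and the digest matches. The key value and the client packet are constructed for the example; the guide does not state which digest the controller uses, so both common ones are handled.

```python
import hashlib
import hmac
import struct

# Added example, not code from the Brocade guide: NTP symmetric-key packet
# authentication (RFC 5905). MAC = Key ID (4 bytes) || digest(key || header).

NTP_HEADER_LEN = 48
DIGESTS_BY_LEN = {16: "md5", 20: "sha1"}   # digest length -> algorithm


def ntp_mac(key_id, key, packet, digest="md5"):
    """Return Key ID || digest(key || header) for an outgoing packet."""
    if not 1 <= key_id <= 65534:                 # range the guide specifies
        raise ValueError("Key ID must be between 1 and 65534")
    h = hashlib.new(digest)
    h.update(key)
    h.update(packet[:NTP_HEADER_LEN])
    return struct.pack("!I", key_id) + h.digest()


def authenticate(packet, keys, trusted_ids):
    """Verify the MAC on `packet`.

    `keys` maps Key ID -> Key Value (bytes); `trusted_ids` is the set of
    Key IDs flagged as trusted (the Trusted Key checkbox). Untrusted or
    unknown IDs, missing MACs and digest mismatches are all rejected.
    """
    if len(packet) < NTP_HEADER_LEN + 4:
        return False                             # no MAC present
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received = packet[NTP_HEADER_LEN + 4:]
    digest = DIGESTS_BY_LEN.get(len(received))
    if digest is None or key_id not in trusted_ids or key_id not in keys:
        return False
    expected = ntp_mac(key_id, keys[key_id], packet, digest)[4:]
    return hmac.compare_digest(received, expected)   # constant-time compare


def sample_client_packet():
    """Constructed NTPv4 client header: LI=0, VN=4, Mode=3, zeroed body."""
    return bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)


if __name__ == "__main__":
    keys = {7: b"constructed-key-value"}        # constructed sample key
    pkt = sample_client_packet()
    signed = pkt + ntp_mac(7, keys[7], pkt)
    print("accepted:", authenticate(signed, keys, {7}))
    print("untrusted:", authenticate(signed, keys, set()))
```

The trusted-ID check is the part worth noticing: a key that is configured but not marked trusted still lets the switch sign packets with it, but packets arriving under that Key ID are not accepted, which is why the guide pairs the Key Value with a separate Trusted Key checkbox.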
1. Select Services > Secure NTP from the main menu tree.
2. Select the NTP Neighbor tab.
3. Refer to the following information (as displayed within the NTP Neighbor tab) to assess whether an existing neighbor configuration can be used as is, whether an existing configuration requires modification, or whether a new configuration is required.
IP Address/Hostname Displays the numeric IP address of the resource (peer or server) providing switch SNTP resources.
6. Click the Add button to define a new peer or server configuration that can be added to the existing configurations displayed within the NTP Neighbor tab. For more information, see “Adding an NTP neighbor” on page 264.
Adding an NTP neighbor
To add a new NTP peer or server neighbor configuration to those available for synchronization:
1. Select Services > Secure NTP from the main menu tree.
2. Select the NTP Neighbor tab.
3. Click the Add button.
4.
NOTE If this checkbox is selected, the AutoKey Authentication checkbox is disabled, and the switch is required to use Symmetric Key Authentication for credential verification with its NTP resource. Additionally, if this option is selected, the broadcast server cannot be selected as a preferred source.
7. Enter the IP Address of the peer or server providing SNTP synchronization.
8.
1. Select Services > Secure NTP from the main menu tree.
2. Select the NTP Associations tab.
3. Refer to the following SNTP Association data for each SNTP association displayed:
Address Displays the numeric IP address of the SNTP resource (Server) providing SNTP updates to the switch.
Reference Displays the address of the time source the switch is synchronized to.
Stratum Displays how many hops the switch is from an SNTP time source.
NOTE Select an existing NTP association and click the Details button to display additional information useful in discerning whether the association should be maintained.
Viewing NTP status
Refer to the NTP Status tab to display performance (status) information relative to the switch’s current NTP association.
1. Select Services > Secure NTP from the main menu tree.
2. Select the NTP Status tab.
3. Refer to the SNTP Status field to review the accuracy and performance of the switch’s ability to synchronize with an NTP server:
Leap Indicates if a second will be added or subtracted to SNTP packet transmissions, or if the transmissions are synchronized.
Stratum Displays how many hops the switch is from its current NTP time source.
Configuring switch redundancy & clustering
Configuration and network monitoring are two tasks a network administrator faces as a network grows in terms of the number of managed nodes (switches, routers, wireless devices etc.). Such scalability requirements lead network administrators to look for managing and monitoring each node from a single centralized management entity.
After sending the command to other members, the cluster-management protocol (at WS1) waits for a response from the members of the redundancy group. Upon receiving a response from each member, WS1 updates the user’s screen and allows the user to enter/execute the next command.
• Managing clustering using the Web UI
Configuring redundancy settings
To configure switch redundancy:
1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected.
NOTE MUs on an independent WLAN will not see any disruptions on a switch fail-over.
2. Refer to the Configuration field to define the following:
Enable Redundancy Select this checkbox to enable/disable clustering.
Heartbeat Period The Heartbeat Period is the interval at which heartbeat messages are sent. Heartbeat messages discover the existence and status of other members within the group. Configure an interval between 1 and 255 seconds. The default value is 5 seconds.
Hold Time Define the Hold Time for a redundancy group. If no heartbeats are received from a peer during the hold time, the peer is considered down.
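The liveness rule those two fields define, as an added example that is not code from the Brocade guide: a peer counts as up only while its most recent heartbeat is younger than the Hold Time, and the ratio of Hold Time to Heartbeat Period is how many consecutive lost heartbeats a member survives before it is declared down. Times are plain seconds so the logic can be stepped through without a real clock; the hold-time value of 15 seconds and the peer addresses are constructed for the example (the guide gives no Hold Time default), and the requirement that Hold Time exceed the Heartbeat Period is this example's own sanity check.

```python
# Added example, not code from the Brocade guide: heartbeat / hold-time
# liveness tracking for redundancy group members.

class RedundancyPeerMonitor:
    def __init__(self, heartbeat_period=5, hold_time=15):
        # 1-255 s and the 5 s default come from the guide; the hold_time
        # default of 15 s is a constructed value for this example.
        if not 1 <= heartbeat_period <= 255:
            raise ValueError("Heartbeat Period must be between 1 and 255 seconds")
        if hold_time <= heartbeat_period:
            raise ValueError("Hold Time must exceed the Heartbeat Period")
        self.heartbeat_period = heartbeat_period
        self.hold_time = hold_time
        self._last_seen = {}          # peer IP -> time of last heartbeat

    def heartbeat(self, peer_ip, now):
        """Record a heartbeat received from `peer_ip` at time `now` (seconds)."""
        self._last_seen[peer_ip] = now

    def is_up(self, peer_ip, now):
        """A peer never heard from, or silent for the full hold time, is down."""
        last = self._last_seen.get(peer_ip)
        return last is not None and (now - last) < self.hold_time

    def tolerated_misses(self):
        """Consecutive lost heartbeats a peer survives before being declared down."""
        return (self.hold_time - 1) // self.heartbeat_period

    def down_peers(self, now):
        """Sorted list of known peers currently considered down."""
        return sorted(ip for ip in self._last_seen if not self.is_up(ip, now))


if __name__ == "__main__":
    mon = RedundancyPeerMonitor(heartbeat_period=5, hold_time=15)
    mon.heartbeat("192.0.2.11", now=0)          # constructed peer address
    for t in (4, 9, 14, 15):
        print(f"t={t:2d}s up={mon.is_up('192.0.2.11', t)}")
    print("tolerated consecutive misses:", mon.tolerated_misses())
```

With the defaults used here a member can lose two heartbeats in a row and still be considered up; the third miss coincides with the hold time expiring. Setting the Hold Time only slightly above the Heartbeat Period makes a single dropped packet trigger fail-over, which is usually not what an administrator wants on a lossy link.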
3. To enable Dynamic AP Load Balancing, check the Enable Dynamic AP Load Balancing box and configure the parameters below:
Runtime/Schedule Select Runtime or Schedule to determine when load balancing will run. If Runtime is selected, load balancing will initiate any time a new active switch is added to the redundancy group. If Schedule is selected, you can configure a start date and time to execute load balancing.
1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected.
2. Select the Status tab.
3. Refer to the Status field to assess the current state of the redundancy group.
Redundancy state is Displays the state of the redundancy group. When the redundancy feature is disabled, the state is “Disabled.” When enabled, it goes to a “Startup” state.
Adoption capacity in group Displays the combined AP adoption capability for each switch radio comprising the cluster. Compare this value with the adoption capacity on this switch to determine if the cluster members have adequate adoption capabilities.
Rogue Access Ports in group Displays the cumulative number of rogue APs detected by the members of the group.
2. Select the Member tab.
3. Refer to the following information within the Member tab:
IP Address Displays the IP addresses of the redundancy group member.
Status Displays the current status of this group member. This status could have the following values:
• Configured - The member is configured on the current wireless service module.
• Seen - Heartbeats can be exchanged between the current switch and this member.
4. Select a row, and click the Details button to display additional details for this member. For more information, see “Displaying redundancy member details” on page 277.
5. Select a row and click the Delete button to remove a member from the redundancy group. The redundancy group should be disabled to conduct an Add or Delete operation.
6. Click the Add button to add a member to the redundancy group.
4. Refer to the following redundancy member information:
IP Address Displays the IP addresses of the members of the redundancy group. A minimum of 2 members is needed to define a redundancy group, including this current module.
Status Displays the current status of this group member. This status could have the following values:
• Configured - The member is configured on the current wireless service module.
5. Refer to the Status field. The Status is the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click Close to close the dialog without committing updates to the running configuration.
• A cluster license is re-calculated whenever a new switch brings existing licenses to a group or an existing switch’s license value changes (increases or decreases).
• A simple switch reboot will not initiate a new cluster license calculation, provided the re-booted switch does not come up with a different installed license.
• A change to an installed license during runtime initiates a cluster license calculation.
1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected.
2. Configure redundancy settings using the Command Line Interface or the Web UI as described in Chapter , Configuring redundancy settings.
3. Add any redundancy group members using the Command Line Interface or the Web UI as described in Chapter , Configuring redundancy group membership.
4.
• Reviewing Layer 3 MU status

Configuring Layer 3 Mobility

Layer 3 mobility is a mechanism enabling a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network. This enables transparent routing of IP datagrams to MUs during their movement, so data sessions can be maintained while they roam (important for voice applications in particular). Layer 3 mobility maintains TCP/UDP sessions in spite of roaming among different IP subnets.
• Data traffic for roamed MUs is tunneled between switches by encapsulating the entire Layer 2 packet inside GRE with a proprietary code-point.
• When MUs roam within the same VLAN (Layer 2 roaming), the existing behavior is retained by re-homing the MU to the new switch, so extra hops are avoided while forwarding data traffic.
• MUs can be assigned IP addresses statically or dynamically.

Once the settings are applied, MUs within these WLANs can roam amongst different subnets.
6. Select the Enable Mobility checkbox to enable a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network.
7. Select the All WLANs On button to enable mobility for each WLAN listed. If you do not want mobility on every WLAN, manually select just those you want to enable.
8. Select the All WLANs Off button to disable mobility for each WLAN listed.
9.

Use this information to determine whether a new IP address needs to be added to the list or an existing address needs to be removed.
4. Select an IP address from those displayed and click the Delete button to remove the address from the list available for MU Layer 3 roaming amongst subnets.
5. Click the Add button to display a screen used for adding an IP address to the list of addresses available for MU Layer 3 roaming.

2. Select the Peer Statistics tab.
3. Refer to the following information within the Peer Statistics tab:
Peer IP: Displays the IP addresses of the peer switches within the mobility domain. Each peer can support up to 500 MUs.
JOIN Events sent/rcvd: Displays the number of JOIN messages sent and received. JOIN messages advertise the presence of MUs entering the mobility domain for the first time.
L2-ROAMs sent/rcvd: Displays the number of Layer 2 ROAM messages sent and received.
L3-ROAMs sent/rcvd: Displays the number of Layer 3 ROAM messages sent and received. When a MU roams to a new switch on a different Layer 3 network (the MU is mapped to a different VLAN ID), the new switch sends an L3-ROAM message to the MU's home switch carrying the IP information of the switch the MU is now associated with. The home switch then forwards the L3-ROAM message to each peer.
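The message flow behind the Peer Statistics counters is easier to follow in a small model. The following Python example is added here for illustration; it is not code from this guide or from the Brocade software. It models a mobility domain of three switches, applies the 500-MU limit per home switch, counts JOIN, L2-ROAM and L3-ROAM messages from each switch's point of view (what each switch's Peer Statistics tab would show), and reports the GRE tunnel endpoints for a roamed MU. The switch IPs and MU addresses are constructed, and sending the L2-ROAM to the previous switch is an assumption, since the guide does not say which switch receives it.

```python
from dataclasses import dataclass

# Limit quoted on the Peer Statistics tab ("each peer can support up to 500 MUs");
# applying it per home switch is an assumption of this model.
PEER_MU_LIMIT = 500

COUNTERS = ("join_sent", "join_rcvd", "l2_roam_sent", "l2_roam_rcvd",
            "l3_roam_sent", "l3_roam_rcvd")


@dataclass
class MU:
    mac: str
    ip: str        # Layer 3 address the MU keeps while roaming
    vlan: int      # VLAN of the home subnet
    home: str      # home switch IP
    current: str   # switch the MU is currently associated with


class MobilityDomain:
    """Tracks MU homing and the per-peer JOIN / L2-ROAM / L3-ROAM counters of every switch."""

    def __init__(self, switch_ips):
        self.switches = list(switch_ips)
        self.mus = {}
        # stats[switch][peer] is what that switch's Peer Statistics tab shows for that peer
        self.stats = {s: {p: dict.fromkeys(COUNTERS, 0) for p in self.switches if p != s}
                      for s in self.switches}

    def peers_of(self, switch):
        return [p for p in self.switches if p != switch]

    def _send(self, src, dst, msg):
        self.stats[src][dst][msg + "_sent"] += 1
        self.stats[dst][src][msg + "_rcvd"] += 1

    def join(self, mac, ip, switch, vlan):
        """MU enters the domain for the first time: switch becomes its home and advertises it with JOIN."""
        homed = sum(1 for m in self.mus.values() if m.home == switch)
        if homed >= PEER_MU_LIMIT:
            raise RuntimeError(f"{switch} already homes {PEER_MU_LIMIT} MUs")
        self.mus[mac] = MU(mac, ip, vlan, home=switch, current=switch)
        for peer in self.peers_of(switch):
            self._send(switch, peer, "join")

    def roam(self, mac, new_switch, new_vlan):
        """Returns 'l2', 'l3' or 'none' depending on the kind of roam that took place."""
        mu = self.mus[mac]
        previous = mu.current
        if new_switch == previous:
            return "none"
        if new_vlan == mu.vlan:
            # Layer 2 roam: same VLAN, so the MU is re-homed to the new switch and no tunnel is needed.
            # Sending the L2-ROAM to the previous switch is an assumption of this model.
            mu.home = mu.current = new_switch
            self._send(new_switch, previous, "l2_roam")
            return "l2"
        # Layer 3 roam: different subnet. The MU keeps its IP; the new switch tells the home switch,
        # and the home switch forwards the L3-ROAM to every other peer.
        mu.current = new_switch
        self._send(new_switch, mu.home, "l3_roam")
        for peer in self.peers_of(mu.home):
            if peer != new_switch:
                self._send(mu.home, peer, "l3_roam")
        return "l3"

    def tunnel(self, mac):
        """GRE tunnel endpoints (current switch, home switch) carrying a roamed MU's traffic, or None."""
        mu = self.mus[mac]
        return None if mu.current == mu.home else (mu.current, mu.home)


if __name__ == "__main__":
    a, b, c = "192.168.1.1", "192.168.2.1", "192.168.3.1"   # constructed switch IPs
    dom = MobilityDomain([a, b, c])
    dom.join("00:a0:f8:00:00:01", "10.1.1.50", a, 10)
    print(dom.roam("00:a0:f8:00:00:01", b, 20), dom.tunnel("00:a0:f8:00:00:01"))
    print(dom.stats[a])
```

Run it to watch the counters: after one MU joins at switch A and roams to B on a different VLAN, A's view of B shows one L3-ROAM received, A's view of C shows one L3-ROAM sent (the forwarded copy), and the MU's traffic is tunneled between B and A until a later same-VLAN roam re-homes it.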
3. Refer to the following information within the MU Status tab:
MU Mac: Displays the factory hardcoded MAC address of the MU. This value is set at the factory and cannot be modified.
MU IP Addr: Displays the IP address the MU is using within the mobility domain.
Home Sw IP: Displays the MU’s home switch IP address.
Configuring self healing

1. Select Services > Self Healing from the main menu tree. The Self Healing page launches with the Configuration tab displayed.
2. Select the Enable Neighbor Recovery checkbox. Enabling Neighbor Recovery is required to conduct manual neighbor detection.
3.

1. Select Services > Self Healing from the main menu tree. The Self Healing page launches with the Configuration tab displayed.
2. Select the Neighbor Details tab. The top right-hand corner displays whether neighbor recovery is currently enabled or disabled. To change the state, click the Enable Neighbor Recovery checkbox within the Configuration tab.
3. Refer to the following information as displayed within the Neighbor Recovery screen.

4. Highlight an existing neighbor and click the Edit button to launch a screen designed to modify the self healing action and/or neighbors for the radio. For more information, see “Editing the properties of a neighbor” on page 291.
5. Select the Remove Neighbors button to remove all neighbors from the selected radio’s neighbor list.
6. Click the Detect Neighbors button to auto-determine neighbors for the radios.
• None - The radio takes no action when its neighbor radio fails.
• Open Rates - The radio falls back to the factory-default rates when its neighbor radio fails.
• Raise Power - The radio raises its transmit power to the maximum, provided its current power is lower than the maximum permissible value.
• Both - The radio opens its rates and raises its power.
5. Click the Add -> button to move a radio from the Available Radios list to the Neighbor Radios list.
Configuring switch discovery

1. Select Services > Discovery from the main menu tree. The Discovery page launches with the Discovery Profiles tab displayed.
2. Refer to the following information within the Discovery Profiles tab to discern whether an existing profile can be used as is, requires modification (or deletion), or whether a new discovery profile is required.
Index: Displays the numerical identifier used to differentiate this profile from others with similar configurations.

6. Click the Start Discovery button to display a Read Community String (SNMP v2) or V3 Authentication (SNMP v3) screen. When Start Discovery is selected, the switch prompts the user to verify their SNMP credentials against the SNMP credentials of discovered devices. SNMP v2 and v3 credentials must be verified before the switch displays discovered devices within the Recently Found Devices table. Note that an SNMP v2 community string travels over the network in cleartext; where the discovered devices support it, SNMP v3 with authentication is the safer choice.

3. Define the following parameters for the new switch discovery profile:
Profile Name: Define a user-assigned name used to title the profile. The profile name should associate the profile with the group of devices or the area where the discovered devices are located.
Start IP Address: Enter the starting numeric (non-DNS) IP address from which the search for available network devices is conducted.

3. Refer to the following within the Recently Found Devices screen to discern whether a located device should be deleted from the list or selected to have its Web UI launched and its current configuration modified.
IP Address: Displays the IP address of the discovered switch. This IP address falls within the range of IP addresses specified for the discovery profile used for the device search.
Once removed, the located device cannot be selected and its Web UI displayed.
5. Select a discovered device from amongst those located and displayed within the Recently Found Devices screen and click the Launch button to display the Web UI for that switch.
NOTE: When launching the Web UI of a discovered device, take care not to make configuration changes that render the device ineffective with respect to its current configuration.
Locationing

RTLS overview

Locationing (also called Real Time Location-based Services and Real Time Location Application Services) delivers end-user applications based on:
• The location of mobile devices (devices with location enabling technology, such as a Wi-Fi supported handheld, Wi-Fi laptop or cell phone)
• The location of an attached tag (a location enabled mobile device in miniaturized form, for example a Wi-Fi tag, UWB tag or RFID tag attached to a person, vehicle or package)
A Brocad

To configure your site parameters:
1. Select Services > RTLS from the main menu tree.
2. Select the Site tab.
3. Enter a Name and optionally a Description for the site:
Name: Enter a name for the site where locationing is deployed. This is for identification purposes only.
Description: Provide a description of the site where locationing is deployed. This is an optional field.
4. When mapping out a site for locationing, an origin point must be selected in one of the corners of the site.

Height: Enter the height of the site. The size is in feet or meters depending on which unit of measure is selected below. The acceptable range for height is 0-20 m or 0-180 ft. Height is an optional parameter and is not taken into account by the locationing algorithm.
Unit: Use the pulldown menu to select the unit of measure used for dimensions. The options are feet or meters.
5.

3. Click the Add button.

Configuring SOLE parameters

To configure the switch’s internal SOLE locationing engine:
1. Select Services > RTLS from the main menu tree.
2. Select the SOLE tab.
3. Check the Locate All Mobile-Units checkbox to locate all MUs known to the switch across all WLANs. This also disables manual entry of MU MAC addresses in the field below. This takes effect immediately when the box is checked.
4. Enter a value for the MU Locate Interval in seconds.
5. Click the Apply button to save the MU Locate Interval value.
6. Click the Revert button to cancel any changes made to the MU Locate Interval value and revert to the last saved configuration.
NOTE: AP coordinates can only be configured in the Command Line Interface. For more information on configuring AP coordinates, consult the Brocade Mobility RFS7000-GR Controller CLI Reference Guide.
7.

Configuring Aeroscout parameters

To configure the switch to work with an external Aeroscout RTLS engine:
1. Select Services > RTLS from the main menu tree.
2. Select the Aeroscout tab.
3. Check the Enable checkbox to globally enable Aeroscout RTLS support on the switch. This takes effect immediately when the box is checked.
4. Enter the Multicast MAC Address used by all Aeroscout tags to send updates via multicast to the MAC address specified.

Last Msg RX Time: Displays the date and time that the last message was received from the external Aeroscout RTLS engine.
No. of TX Msgs: Displays the number of messages transmitted by the switch to the external Aeroscout RTLS engine.
Last Msg TX Time: Displays the date and time that the last message was sent to the external Aeroscout RTLS engine.
No. of Tag Reports: Displays the number of Tag Reports received from the external Aeroscout RTLS engine.
8.

1. Select Services > RTLS from the main menu tree.
2. Select the Ekahau tab.
3. Check the Enable checkbox to globally enable Ekahau support on the switch. This takes effect immediately when the box is checked.
4. Enter the Multicast MAC Address used by all Ekahau tags to send updates via multicast to the MAC address specified. Typically the MAC address will start with 01-0C-CC-XX-XX-XX.

No. of TX Msgs: Displays the number of messages transmitted by the switch to the external Ekahau RTLS engine.
Last Msg TX Time: Displays the date and time that the last message was sent to the external Ekahau RTLS engine.
No. of Tag Reports: Displays the number of Tag Reports received from the external Ekahau RTLS engine.
10. To use the onboard SOLE engine to locate Ekahau tags, check the Enable checkbox. This is enabled immediately after checking the box.
11.
Chapter 6 Controller Security

In this chapter

This chapter describes the security mechanisms available to the switch.

Displaying the main security interface

1. Select Security from the main menu tree.
2. Refer to the following information to discern if configuration changes are warranted:
Access Port Intrusion Detection: Displays the Enabled or Disabled state of the switch's ability to detect potentially hostile Access Ports (as defined by you). Once detected, these devices can be added to a list of devices either approved or denied from interoperating within the switch managed network.

AP intrusion detection

Use the Access Point Detection menu options to view and configure the detection of other Access Points.

3. Enable AP assisted scanning and timeout intervals as required.
Enable: Select the Enable checkbox to enable associated Access Ports to detect potentially hostile Access Points (as defined by you). Once detected, the Access Points can be added to a list of APs either approved or denied from interoperating within the switch managed network.
ESSID: Displays the ESSIDs of the Allowed AP(s). The entries displayed are defined by clicking the Add button and entering a specific MAC address, or by allowing all MAC addresses. The list of allowed MAC addresses can be modified by highlighting an existing entry, clicking the Edit button and revising the properties of the MAC address.
Type: Displays the Access Port or Adaptive AP model of each allowed AP.
8.

5. Refer to the BSS MAC Address field to define the following:
Any MAC Address/Specific MAC Address: Click the Any MAC Address radio button to allow any MAC address detected on the network as an Allowed AP. This is not necessary if a specific MAC address is used with this index. Click the second radio button to enter a specific MAC address as an Allowed AP. Use this option if (for network security) you want to restrict the index to a single MAC address.
6.

1. Select Security > Access Port Intrusion Detection from the main menu.
2. Select the Authorized/Ignored APs tab.
3. The Authorized/Ignored APs table displays the following information:
BSS MAC Address: Displays the MAC address of each approved AP. These MAC addresses are Access Points observed on the network meeting the criteria (MAC and ESSIDs) of allowed APs.

Unauthorized APs (AP reported)

Use the Unapproved APs (AP Reported) tab to review Access Points detected by associated switch Access Port radios that are restricted from operation within the switch managed network. The criteria for restriction were defined using the Security > Access Port Intrusion Detection > Configuration screen. To view Access Port detected unapproved Access Points:
1. Select Security > Access Port Intrusion Detection from the main menu tree.
2.

ESSID: Displays the ESSID of each Unapproved AP. These ESSIDs are device ESSIDs observed on the network that have yet to be added to the list of Approved APs and are therefore interpreted as a threat. If an ESSID displays on the list incorrectly, click the Allow button and add the ESSID to a new Allowed AP index.
Rogue-detected on wire
4. The Number of Unauthorized APs is simply the sum of all Unapproved Radio MAC Addresses detected.
5.

3. The Unauthorized APs (MU Reported) table displays the following information:
BSS MAC Address: Displays the MAC address of each Unapproved AP. These MAC addresses are Access Points observed on the network (by associated MUs) that have yet to be added to the list of approved APs, and are therefore interpreted as a threat on the network.
Reporting MU: Displays the numerical value for the detecting MU.

1. Select Security > Access Port Intrusion Detection from the main menu tree.
2. Click on the AP Containment tab. The AP Containment screen is divided into two sections, configuration and rogue AP information.
3. To enable the AP containment feature, check the Enable Containment checkbox and specify a Containment Interval between 20 and 5000 milliseconds. The Containment Interval determines how often broadcast 802.11 de-authentication messages are sent. Because containment transmits de-authentication frames against the targeted AP's clients, confirm that the APs listed as rogue are in fact unauthorized devices before enabling it; containing a neighbor's legitimate AP disrupts their network.
MU intrusion detection

Unauthorized attempts to access the switch managed LAN by MUs, APs or other rogue devices are a significant and pervasive threat to the network. The switch has several means to protect against intruding devices probing for network vulnerabilities. Use the switch’s Wireless Intrusion Detection facility to view and configure wireless intrusion related information.

4. Refer to the Violation Parameters field to define threshold values that trigger an alarm:
Violation Type: Displays the name of the violation for which threshold values are set in the MU, Radio and Switch columns.
Trigger Against (Auth, Unauth, Ignore): Displays which AP classes trigger the violation parameter: Authorized APs, Unauthorized APs and Ignored APs. If a violation is triggered by an AP type, it displays with a green check box.

6. Click the Apply button to save the configuration.
7. Click Revert to roll back to the previous configuration.

Viewing filtered MUs

Periodically check the Filtered MUs tab to review MUs filtered by the switch for incurring a violation based on the settings defined within the Configuration tab. Each MU listed can be deleted from the list or its attributes exported to a user defined location.

Violation Type: Displays the reason the violation occurred for each detected MU. Use the Violation Type to discern whether the detected MU is truly a threat on the switch managed network (and must be removed) or can be interpreted as a non-threat. The following violation types are possible:
• Excessive Probes
• Excessive Association
• Excessive Disassociation
• Excessive Authentication failure
• Excessive Crypto replays
• Excessive 802.
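As an added example, not taken from this guide or the Brocade software, the following Python code applies the threshold model described under Violation Parameters to a constructed stream of events. Each violation type carries a per-MU, per-radio and per-switch threshold, only events involving the AP classes selected under Trigger Against are counted, and a MU that reaches its own threshold lands on the filtered list while radio- and switch-level thresholds only raise an alarm. The threshold values, the one-second sliding window, the switch identifier and the sample events are assumptions of the example.

```python
from collections import defaultdict, deque

# Constructed threshold table: violation -> (per MU, per radio, per switch) events within the window.
# The values and the one-second window are assumptions for this example, not the switch defaults.
THRESHOLDS = {
    "Excessive Probes": (50, 200, 1000),
    "Excessive Authentication failure": (5, 20, 100),
    "Excessive Disassociation": (10, 40, 200),
}

# "Trigger Against" per violation: which AP classes (auth / unauth / ignore) count toward the threshold.
TRIGGER_AGAINST = {
    "Excessive Probes": {"auth", "unauth"},
    "Excessive Authentication failure": {"auth", "unauth"},
    "Excessive Disassociation": {"auth"},
}

SCOPES = ("mu", "radio", "switch")


class MUIntrusionDetector:
    def __init__(self, thresholds=THRESHOLDS, trigger=TRIGGER_AGAINST, window=1.0, switch_id="rfs7000-1"):
        self.thresholds = thresholds
        self.trigger = trigger
        self.window = window
        self.switch_id = switch_id
        self.seen = defaultdict(deque)   # (scope, identity, violation) -> event times inside the window
        self.filtered = {}               # MU MAC -> violation that put it on the Filtered MUs list
        self.alarms = []                 # (time, scope, identity, violation, count)

    def _count(self, key, t):
        """Sliding-window count; events must be fed in time order."""
        dq = self.seen[key]
        dq.append(t)
        while t - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def observe(self, t, mu_mac, radio, violation, ap_class):
        """Feed one event; returns the scopes whose threshold was reached."""
        if ap_class not in self.trigger.get(violation, set()):
            return []                    # not configured to trigger against this AP class
        if mu_mac in self.filtered:
            return []                    # already filtered; nothing further to count
        limits = dict(zip(SCOPES, self.thresholds[violation]))
        identity = {"mu": mu_mac, "radio": radio, "switch": self.switch_id}
        fired = []
        for scope in SCOPES:
            n = self._count((scope, identity[scope], violation), t)
            if n >= limits[scope]:
                fired.append(scope)
                self.alarms.append((t, scope, identity[scope], violation, n))
                if scope == "mu":
                    self.filtered[mu_mac] = violation   # MU-level threshold: filter this MU
        return fired


# Constructed events: (time in seconds, MU MAC, reporting radio, violation, class of the AP involved).
SAMPLE_EVENTS = [
    (0.0, "00:a0:f8:11:22:33", "radio1", "Excessive Authentication failure", "auth"),
    (0.2, "00:a0:f8:11:22:33", "radio1", "Excessive Authentication failure", "auth"),
    (0.4, "00:a0:f8:11:22:33", "radio1", "Excessive Authentication failure", "auth"),
    (0.6, "00:a0:f8:11:22:33", "radio1", "Excessive Authentication failure", "auth"),
    (0.8, "00:a0:f8:11:22:33", "radio1", "Excessive Authentication failure", "auth"),  # 5th in 1 s
    (0.5, "00:a0:f8:44:55:66", "radio1", "Excessive Probes", "ignore"),   # Ignored AP: not counted
    (3.0, "00:a0:f8:77:88:99", "radio2", "Excessive Authentication failure", "auth"),  # one-off
]


def run_sample(events=SAMPLE_EVENTS):
    det = MUIntrusionDetector()
    for event in sorted(events, key=lambda e: e[0]):
        det.observe(*event)
    return det


if __name__ == "__main__":
    d = run_sample()
    print("filtered:", d.filtered)
    print("alarms:", d.alarms)
```

With the constructed input, the first MU produces five authentication failures inside one second and is filtered on the fifth; the probe event is discarded because Ignored APs are not selected under Trigger Against for that violation, and the lone failure from the third MU never reaches a threshold.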
Configuring firewalls and access control lists

Use the Wireless Firewall screen to view, add and configure access control configurations. Typically, an ACL consists of a series of entries called Access Control Entries (ACEs). Each ACE defines a rule that determines whether a matching packet is switched/routed or dropped.

Router ACLs

Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular direction on an interface, applying a new one replaces the existing ACL. Router ACLs apply only when the switch acts as a gateway, and only to inbound traffic. The switch supports two types of Router ACLs:
• Standard IP ACL - Uses the source IP address as matching criteria.
• Extended IP ACL - Uses a source IP address, destination IP address and IP protocol type as basic matching criteria. It can also include other parameters specific to a protocol type, like the source and destination ports for TCP/UDP protocols.
• MAC Extended ACL - Uses source and destination MAC addresses and VLAN ID. It can optionally also use Ethertype information.
Port ACLs are also stateful and are not applied to every packet switched through the switch.

In general, a Wireless-LAN ACL can be used to filter wireless to wireless, wireless to wired and wired to wireless traffic. Typical wired to wired traffic can be filtered using a Layer 2 port based ACL rather than a WLAN ACL. Each WLAN is treated as a virtual Layer 2 port. Configure one IP and one MAC ACL on the virtual WLAN port. In contrast to Layer 2 ACLs, a WLAN ACL can be enforced in both the Inbound and Outbound direction.

NOTE: ACEs with lower precedence values are always evaluated first. Therefore, add the more specific entries to the ACL before the general ones; a general entry evaluated first shadows every more specific entry that follows it. While displaying the ACL, the entries are listed in ascending order of precedence.

Attaching an ACL on a WLAN interface/port

Use the Attach-WLAN tab to view and assign an ACL to a WLAN on the switch. If a MAC ACL is being attached, create an ACL entry permitting ARP with the least precedence; otherwise ARP is not permitted on the WLAN.
5. Select a WLAN (by row) and click Edit to modify the WLAN Index, IP ACL and MAC ACL values.
6. Select a row and click the Delete button to detach the ACL from the WLAN (the ACL itself remains defined on the switch).
7. Click the Add button to attach an ACL to a WLAN interface. For more information, see “Adding or editing a new ACL WLAN configuration” on page 327.

1. Select Security > Wireless Firewall from the main menu tree.
2. Click the Security Policy tab.
3. Click the Attach-L2/L3 tab.
4. Refer to the following information as displayed within the Attach tab:
Interface: Displays the interface on which the ACL is configured.

3. Click the Attach-L2/L3 tab.
4. Click the Add button.
5. Use the Interface drop-down menu to select the interface to configure on the switch. Available options include ge 1-8, up 1, VLAN 1 (plus those VLANs created thus far) and Tunnel n (where n is the name of a tunnel created thus far).
6. Use the IP ACL drop-down menu to select the IP ACL applied inbound on the Layer 2 or Layer 3 interface.
7.

3. Click the Attach Role tab.
4. Refer to the following information as displayed within the Attach Role tab:
Role Priority: Displays the priority assigned to the role, as determined by the Sequence Number associated with the role.
Role Name: Displays the role name assigned to each role. Role names are assigned when they are added from the Security > Wireless Firewall > Configuration > Role tab.

4. Click the Add button.
5. Select a Role Name from the drop-down menu. Role Names can be added in the Configuration > Role tab.
6. Use the ACL drop-down menu to select an ACL to associate with the Role Name.
7. Select Inbound or Outbound to apply the new role in the appropriate direction.
8. Set a Precedence level for the 

ACL. The valid range is 1 to 100; lower precedence numbers have higher priority.
9.

4. The Attach AAP WLAN tab contains the following read-only information:
WLAN Index: Displays the list of attached WLANs with ACLs.
IP ACL: Displays the IP ACL configured for the WLAN interface in the inbound/outbound direction.
Direction: Displays whether the ACL is applied in the inbound or outbound direction.
5. Select an interface and click Edit to modify the WLAN Index, IP ACL and MAC ACL values.

IP ACL: Select an IP ACL configured for the WLAN interface in the inbound/outbound direction.
Inbound/Outbound: Select either the Inbound or Outbound radio button to define the direction in which the ACL applies.
5. Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
6.
Attaching adaptive AP LANs

Use the Attach AAP LAN screen to view and assign the ACL to a physical interface or VLAN on the switch. To display the AAP LANs page:
1. Select Security > Wireless Firewall from the main menu tree.
2. Click on the Security Policy tab.
3. Click on the Wireless Filters tab.
4. The Attach AAP LAN tab contains the following read-only information:
AP MAC Address: Displays the MAC address of each Adaptive AP.

3. Click on the Wireless Filters tab.
4. On the Attach AAP LAN tab, select a LAN and click the Edit button:
AP MAC Address: Displays the MAC address of the selected Adaptive AP. This value cannot be modified.
LAN Index: Displays the list of attached Adaptive AP LANs with ACLs.
ACL ID: Inbound: Edit the Inbound ACL ID for the selected Adaptive AP.
ACL ID: Outbound: Edit the Outbound ACL ID for the selected Adaptive AP.
5.

4. The Wireless Filters tab contains the following read-only information:
MU-ACL Index: Displays a numerical identifier used to associate a particular ACL with a range of MAC addresses (or a single MAC address) that is either allowed or denied access to the switch managed network.
Starting MAC: Displays the beginning MAC address (for this specific index) either allowed or denied access to the switch managed network.

6. If an existing filter nearly meets your needs but requires modification to better filter devices, select the Edit button. For more information see “Editing an existing wireless filter” on page 337.
7. If an existing filter is now obsolete, select it from those listed and click the Delete button.
8. Click the Add button to create a new filter. For more information, see “Adding a new wireless filter” on page 338.
9.

6. The MU-ACL Index is used as an identifier for a MAC address range and its allow/deny ACL designation. The available index range is 1 - 1000. The index itself is not editable; only its starting/ending MAC range and allow/deny designation can be changed. If a new index is needed, create a new filter.
7. Modify the existing Starting MAC for the target index, or leave the Starting MAC value as is and just modify the Ending MAC address or Allow/Deny designation.
8.

Define an Index (numerical identifier) for the ACL and the starting and ending MAC address range for devices allowed/denied access to the switch managed network.
5. Enter an Index numerical value (1 - 1000) in the MU-ACL Index field. The MU-ACL Index is a numerical identifier used to associate a particular ACL with a range of MAC addresses (or a single MAC address) either allowed or denied access to the switch managed network.

Associating an ACL with a WLAN

Use the Membership screen to define a name for the ACL index and map the index to WLANs (1-32) requiring membership permission restrictions. To associate a filter ACL index with a WLAN:
1. Select Security > Wireless Firewall from the main menu tree.
2. Click the Security Policy tab.
3. Click the Wireless Filters tab.
4. Select one or more of the existing ACLs from the filters list.
5. Click the Memberships button.
6.
Configuring the firewall

Configure the Firewall to create either standard/extended IP or extended MAC access control lists. To configure the Firewall:
1. Select Security > Wireless Firewall from the main tree menu.
2. Click the Configuration tab.
3. Click the ACL tab.
4. Add a new ACL entry as explained under Adding a new ACL.
5.

Adding a new ACL

When a packet is received by the switch, the switch compares the packet against the ACL to verify the packet has the required permissions to be forwarded. ACLs often need to be added as client permissions change during switch operation. To create a new ACL:
1. Select Security > Wireless Firewall from the main tree menu.
2. Click the Configuration tab.
3. Click on the ACL tab to view the list of ACLs currently associated with the switch.
4.

4. Click the Add button within the Associated Rules field.
5. Use the Precedence field to enter a precedence (priority) value between 1 and 5000. The rules within an ACL are applied to packets based on their precedence value. Rules with lower precedence values are always applied first.
NOTE: If adding an access control entry to an ACL using the switch SNMP interface, Precedence is a required parameter.
6.
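The precedence rule (lower values evaluated first) and the match fields of the standard IP, extended IP and MAC extended ACL types described under Router ACLs are easy to get wrong as entries accumulate. The following Python evaluator is added here as an illustration; it is not code from this guide or the Brocade software. It orders ACEs by precedence, matches on the fields of the three ACL types, reports entries that an earlier, more general entry shadows, and shows why a MAC ACL that only permits IPv4 needs an explicit ARP permit. The packet model, the precedence range check, and the implicit deny when no entry matches are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


@dataclass
class Packet:
    """Fields the switch's ACL types match on; a constructed model, not the switch's packet format."""
    src_mac: str
    dst_mac: str
    vlan: int
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class Ace:
    precedence: int                  # 1 - 5000; lower values are evaluated first
    action: str                      # "permit" or "deny"
    src_ip: str = "any"              # CIDR network, or "any"
    dst_ip: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    src_mac: str = "any"
    dst_mac: str = "any"
    vlan: Optional[int] = None
    ethertype: Optional[int] = None

    def __post_init__(self):
        if not 1 <= self.precedence <= 5000:
            raise ValueError("precedence must be between 1 and 5000")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")


def _ip_in(rule, addr):
    if rule == "any":
        return True
    return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)


def _mac_eq(rule, mac):
    return rule == "any" or rule.lower() == mac.lower()


def ace_matches(ace, pkt):
    return (_ip_in(ace.src_ip, pkt.src_ip) and _ip_in(ace.dst_ip, pkt.dst_ip)
            and ace.proto in ("any", pkt.proto) and ace.dport in (None, pkt.dport)
            and _mac_eq(ace.src_mac, pkt.src_mac) and _mac_eq(ace.dst_mac, pkt.dst_mac)
            and ace.vlan in (None, pkt.vlan) and ace.ethertype in (None, pkt.ethertype))


def evaluate(acl, pkt):
    """First ACE to match in ascending precedence decides; no match -> implicit deny (assumption)."""
    for ace in sorted(acl, key=lambda a: a.precedence):
        if ace_matches(ace, pkt):
            return ace.action, ace.precedence
    return "deny", None


def _covers(general, specific):
    """True when every packet matched by `specific` is also matched by `general`."""
    def net_covers(rg, rs):
        if rg == "any":
            return True
        if rs == "any":
            return False
        return ipaddress.ip_network(rs, strict=False).subnet_of(ipaddress.ip_network(rg, strict=False))
    return (net_covers(general.src_ip, specific.src_ip) and net_covers(general.dst_ip, specific.dst_ip)
            and general.proto in ("any", specific.proto) and general.dport in (None, specific.dport)
            and general.src_mac in ("any", specific.src_mac) and general.dst_mac in ("any", specific.dst_mac)
            and general.vlan in (None, specific.vlan) and general.ethertype in (None, specific.ethertype))


def shadowed(acl):
    """ACEs that can never fire because an ACE with a lower precedence value already covers them."""
    ordered = sorted(acl, key=lambda a: a.precedence)
    return [later for i, later in enumerate(ordered) if any(_covers(earlier, later) for earlier in ordered[:i])]


if __name__ == "__main__":
    # The specific deny must carry the lower precedence value, or the general permit shadows it.
    good = [Ace(20, "permit", src_ip="10.0.0.0/8"), Ace(10, "deny", src_ip="10.0.0.5/32")]
    bad = [Ace(10, "permit", src_ip="10.0.0.0/8"), Ace(20, "deny", src_ip="10.0.0.5/32")]
    host = Packet("00:a0:f8:00:00:01", "00:11:22:33:44:55", 1, ETHERTYPE_IPV4,
                  src_ip="10.0.0.5", dst_ip="192.0.2.10", proto="tcp", dport=443)
    print(evaluate(good, host), evaluate(bad, host), [a.precedence for a in shadowed(bad)])
    # A MAC ACL that only permits IPv4 drops ARP unless ARP is permitted explicitly.
    mac_acl = [Ace(10, "permit", ethertype=ETHERTYPE_IPV4)]
    arp = Packet("00:a0:f8:00:00:01", "ff:ff:ff:ff:ff:ff", 1, ETHERTYPE_ARP)
    print(evaluate(mac_acl, arp), evaluate(mac_acl + [Ace(1, "permit", ethertype=ETHERTYPE_ARP)], arp))
```

Running `shadowed()` over an ACL before attaching it catches the ordering mistake the note above warns about: in the `bad` list the host-specific deny at precedence 20 can never fire because the /8 permit at precedence 10 is evaluated first.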
Editing an existing rule

As network and access permission requirements change, existing ACL rules need to be modified to remain relevant to new client access requests. To modify an existing ACL rule:
1. Select Security > Wireless Firewall from the main tree menu.
2. Click the Configuration tab.
3. Click the ACL tab.
4. Select an ACL from the ACLs field. The rules associated with the selected ACL display in the Associated Rules section.
5.

9. If mark is selected from within the Operations drop-down menu, the Attribute to mark field becomes enabled. If necessary, select the 802.1p (0 - 7) or TOS (0 - 255) checkbox and define the attribute receiving priority with this ACL mark designation.
10. From within the Filters field, modify (if necessary) the Source Mask Length from the drop-down menu. The source is the source address of the network or host in dotted decimal format.
Interface Name: Displays the interface associated with the Layer 2 firewall. Available Layer 2 interfaces are ge 1-8 and up1.
ARP Rate: Displays the Address Resolution Protocol (ARP) rate. Rates can be between 1 and 1000000.
DHCP Trust: Displays the DHCP trust status for the selected L2 interface. DHCP packets from a DHCP server connected to the selected interface are considered trusted.

4. Click the Add button.
5. Configure the following values for each new Layer 2 configuration:
Interface Name: Assign the interface to be associated with the Layer 2 firewall. Available Layer 2 interfaces are ge 1-8 and up1.
ARP Rate: Specify the Address Resolution Protocol (ARP) rate. Rates can be between 1 and 1000000.
DHCP Trust: Select to enable DHCP trust on this interface.

Configuring WLAN firewall rules

To review WLAN firewall rules:
1. Select Security > Wireless Firewall from the main tree menu.
2. Click the Configuration tab.
3. Click the WLAN tab.
4. The WLAN tab contains the following information:
WLAN Index: Displays the WLAN index number. This number is configured on the wireless LAN configuration page.
Broadcast Storm Threshold: Displays the Broadcast Storm Threshold for each interface.
MU Deauthenticate: Displays whether or not mobile unit deauthentication is enabled for each WLAN. If MU Deauthenticate is enabled, any associated mobile unit that hits the threshold configured for Allowed MU denies per second is deauthenticated. If MU Deauthenticate is enabled a green checkmark is displayed; when it is disabled a red “X” is displayed.
DHCP Trust: Displays the DHCP trust status for the selected WLAN.

4. Click the Add button.
5. To create a new WLAN Firewall rule, configure the following information:
WLAN Index: Select a WLAN index number from the pulldown menu. This number is configured on the wireless LAN configuration page.
Broadcast Storm Threshold: Enter the Broadcast Storm Threshold for each interface.
ARP Trust: Select to enable ARP trust on this WLAN. ARP packets received on this interface are considered trusted, and information from these packets is used to identify rogue devices.
ARP Rate: Enter the Address Resolution Protocol (ARP) threshold. The ARP threshold determines the number of ARP packets permissible per second. Rates can be between 0 and 1000000.
6. Refer to the Status field for the state of the requests made from the applet.
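The Layer 2 and WLAN firewall settings above (ARP Rate, DHCP Trust, ARP Trust, Broadcast Storm Threshold, MU Deauthenticate and Allowed MU denies per second) combine into per-interface enforcement. The following Python model is added here as an illustration and is not the switch's implementation: it rate-limits ARP per second per interface, drops DHCP server replies arriving on interfaces without DHCP trust, learns IP/MAC bindings from ARP only on ARP-trusted interfaces, drops broadcasts above the storm threshold, and deauthenticates a MU whose denied frames per second reach the allowed count. The rule values and sample frames are constructed, and the choice to drop untrusted DHCP server replies (the usual DHCP-trust behaviour) is an assumption of the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class IfaceRule:
    """Per-interface settings from the Layer 2 and WLAN firewall tabs (constructed values)."""
    arp_rate: int                       # ARP packets permitted per second
    dhcp_trust: bool = False            # DHCP server replies arriving here are trusted
    arp_trust: bool = False             # learn IP/MAC bindings from ARP seen here (WLAN)
    broadcast_storm_threshold: int = 0  # broadcasts per second; 0 = not enforced (assumption)
    mu_deauth: bool = False             # deauthenticate MUs that hit the deny threshold (WLAN)
    allowed_mu_denies: int = 0          # denies per second that trigger deauthentication


@dataclass
class Frame:
    t: float
    iface: str
    kind: str                 # "arp", "dhcp" or "data"
    src_mac: str
    ip: str = ""              # sender protocol address for ARP
    is_broadcast: bool = False
    dhcp_msg: str = ""        # "DISCOVER", "OFFER", "REQUEST", "ACK"


class L2Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.counts = defaultdict(int)   # (second, key) -> count, i.e. per-second rate buckets
        self.bindings = {}               # IP -> MAC learned from ARP on ARP-trusted interfaces
        self.deauth = []                 # MUs deauthenticated for exceeding allowed denies
        self.log = []                    # (time, iface, src_mac, verdict) for dropped frames

    def _bump(self, t, key):
        k = (int(t), key)
        self.counts[k] += 1
        return self.counts[k]

    def process(self, f):
        rule = self.rules[f.iface]
        verdict = "forward"
        if f.kind == "dhcp" and f.dhcp_msg in ("OFFER", "ACK") and not rule.dhcp_trust:
            # Server-side DHCP messages on an untrusted interface: dropping them is the usual
            # DHCP-trust behaviour and an assumption of this model.
            verdict = "drop:untrusted-dhcp-server"
        elif f.kind == "arp":
            if self._bump(f.t, ("arp", f.iface)) > rule.arp_rate:
                verdict = "drop:arp-rate"
            elif rule.arp_trust and f.ip:
                self.bindings[f.ip] = f.src_mac
        elif f.is_broadcast and rule.broadcast_storm_threshold:
            if self._bump(f.t, ("bcast", f.iface)) > rule.broadcast_storm_threshold:
                verdict = "drop:broadcast-storm"
        if verdict != "forward":
            self.log.append((f.t, f.iface, f.src_mac, verdict))
            denies = self._bump(f.t, ("deny", f.src_mac))
            if rule.mu_deauth and denies >= rule.allowed_mu_denies and f.src_mac not in self.deauth:
                self.deauth.append(f.src_mac)
        return verdict


RULES = {   # constructed: a trusted wired uplink and a WLAN with strict settings
    "ge1": IfaceRule(arp_rate=3, dhcp_trust=True),
    "wlan1": IfaceRule(arp_rate=2, arp_trust=True, mu_deauth=True, allowed_mu_denies=2),
}

SAMPLE_FRAMES = [   # constructed, not captured traffic
    Frame(0.1, "wlan1", "dhcp", "00:a0:f8:00:00:01", dhcp_msg="OFFER"),   # rogue server on WLAN
    Frame(0.2, "ge1", "dhcp", "00:11:22:33:44:55", dhcp_msg="OFFER"),     # real server, trusted port
    Frame(0.3, "wlan1", "dhcp", "00:a0:f8:00:00:01", dhcp_msg="ACK"),     # 2nd deny this second
    Frame(1.0, "wlan1", "arp", "00:a0:f8:00:00:02", ip="10.1.1.20", is_broadcast=True),
    Frame(1.1, "wlan1", "arp", "00:a0:f8:00:00:02", ip="10.1.1.20", is_broadcast=True),
    Frame(1.2, "wlan1", "arp", "00:a0:f8:00:00:02", ip="10.1.1.20", is_broadcast=True),  # 3rd > rate 2
    Frame(2.0, "wlan1", "arp", "00:a0:f8:00:00:02", ip="10.1.1.20", is_broadcast=True),  # new second
]


def run_sample(rules=RULES, frames=SAMPLE_FRAMES):
    fw = L2Firewall(rules)
    return [fw.process(f) for f in frames], fw


if __name__ == "__main__":
    verdicts, fw = run_sample()
    print(verdicts)
    print("deauthenticated:", fw.deauth, "bindings:", fw.bindings)
```

With the constructed frames, the MU acting as a DHCP server on the WLAN has both of its replies dropped and is deauthenticated on the second deny, the same reply on the trusted wired uplink is forwarded, and the third ARP within one second from the second MU is dropped by the ARP rate while its binding has already been learned from the trusted frames.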
6 Configuring firewalls and access control lists Logging Level The Logging Level field displays the level of Syslog logging enabled for each DoS Attack filter. The logging level uses standard Syslog levels of: • Emergency • Alert • Critical • Error • Warning • Notice • Info • Debug • None To change the logging level, click on the specific field and choose the logging level from the pulldown menu. Attack Count Displays the number of times that each DoS attack have been observed by the switch firewall.
11. Click the Revert button to cancel any changes made within the DoS Attack screen and revert back to the last saved configuration. Configuring the role To view configured roles: 1. Select Security > Wireless Firewall from the main tree menu. 2. Click the Configuration tab. 3. Click the Role tab. 4. The Role configuration screen displays the following information: Sequence Number Displays the sequence number associated with each role.
MU MAC Address Displays the MU MAC Address filters, if any, applied to each role. The MU MAC Address filters can be set when the role is created or may be edited by selecting a role and clicking the Edit button. Group Name Displays the RADIUS Group name, if any, that is associated with each role. The Group Name filters can be set when the role is created or may be edited by selecting a role and clicking the Edit button. 5.
5. To create a new role, configure the following information: Sequence Number Enter a sequence number to be associated with each role. Sequence numbers determine the order in which roles are applied. Roles with lower sequence numbers are applied before those with higher sequence numbers. Sequence numbers are assigned when a role is created and cannot be edited. Role Name Enter a name for each role.
6. Refer to the Status field for the state of the requests made from applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. 7. Click OK to use the changes to the running configuration and close the dialog. 8. Click Cancel to close the dialog without committing updates to the running configuration. Configuring firewall logging options To view firewall logging rules: 1.
4. Select the Syslog logging levels for each of the following log types: ARP Log The ARP Log field displays the level of Syslog logging enabled for excessive ARP on an interface. The logging level uses standard Syslog levels of: • Emergency • Alert • Critical • Error • Warning • Notice • Info • Debug • Disabled To change the logging level, click on the specific field and choose the logging level from the pulldown menu.
Multicast Log The Multicast Log field displays the level of Syslog logging enabled for excessive multicast on an interface. The logging level uses standard Syslog levels of: • Emergency • Alert • Critical • Error • Warning • Notice • Info • Debug • Disabled To change the logging level, click on the specific field and choose the logging level from the pulldown menu.
3. From the Statistics section select the Statistics tab. 4. Refer to the following information as displayed within the Statistics tab: Interface Interface displays the physical/virtual interfaces used to add the ACL association to the switch. Action Displays the permit, deny or mark designation for the ACL. If the action is to mark, the packet is tagged for priority. Protocol Displays the permit, deny or mark designation for the ACL.
5. Select an interface and click the Details button to display a more robust set of statistics for the selected interface. 6. Click the Export button to export the selected ACL attribute to a user specified location. Viewing DHCP Snoop Entry statistics To review DHCP Snoop Entry statistics: 1. Select Security > Wireless Firewall from the main menu tree. 2. Click the Statistics tab.
3. From the Statistics section select the DHCP Snoop Entry tab. 4. Refer to the following information as displayed within the DHCP Snoop Entry tab: Client IP Address Displays the DHCP Client IP Address for each entry. VLAN ID Displays the VLAN ID number, if any, for each entry in the DHCP Snoop Entry table. MAC Address Displays the MAC Address of each DHCP Client, DHCP Server or Router in the table. Type Displays the type for each DHCP Snoop Entry.
3. From the Statistics section select the Role tab. 4. Refer to the following information as displayed within the Role tab: Role Name Displays the Role Names for all roles that are active and have mobile units associated with them. Assigned MUs Clicking on a Role Name will display all mobile units that are associated with the selected role. Viewing Adaptive AP LAN statistics To review Adaptive AP LAN statistics: 1.
3. From the Statistics section select the AAP LAN tab. 4. Refer to the following information as displayed within the AAP LAN tab: AP MAC Address Displays the MAC Address of all Adaptive APs. Inbound: ACL ID Displays the Inbound ACL ID for each attached Adaptive AP. ACL IDs can be modified in the Edit screen. Inbound: Hit Count Displays the number of times each AAP LAN Inbound ACL has been triggered.
6 Configuring NAT information 3. From the Statistics section select the AAP WLAN tab. 4. Refer to the following information as displayed within the AAP WLAN tab: ACL ID Displays the ACL ID for each attached AAP WLAN ACL. ACL IDs can be modified in the Security Policy Edit screen. Direction Displays the direction either Inbound or Outbound for the AAP WLAN ACL. Hit Count Displays the number of times each AAP WLAN ACL has been triggered.
NAT enables network administrators to move a Web or FTP Server to another host without having to troubleshoot broken links. Change the inbound mapping with the new inside local address to reflect the new host. Configure changes to your internal network seamlessly, since the only external IP address either belongs to the switch or comes from a pool of global addresses.
3. Refer to the following information as displayed within the Dynamic Translation tab. Type Displays the NAT type as either: • Inside - Applies NAT on packets arriving on interfaces marked as inside. These interfaces should be private networks not accessible from outside (public) networks. • Outside - Applies NAT on packets coming in on interfaces marked as outside. These switch interfaces should be public or outside networks accessible from anywhere on the Internet.
3. Click the Add button. 4. Define the NAT Type from the drop-down menu. Options include: • Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world. • Outside - All other addresses. Usually these are valid addresses located on the Internet. Outside addresses pose no risk if exposed over a publicly accessible network. 5. Define the NAT Direction from the drop-down menu.
Defining static NAT translations Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult.
3. Refer to the following information as displayed within the Static Translation tab. Type Displays the NAT type as either: • Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world. • Outside - All other addresses. Usually valid addresses located on the Internet. Outside addresses pose no risk if exposed over a publicly accessible network.
3. Click the Add button. 4. Define the NAT Type from the drop-down menu. Options include: • Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world. • Outside - All other addresses (usually valid addresses located on the Internet). Outside addresses pose no risk if exposed over a publicly accessible network. 5. Define the NAT Direction from the drop-down menu.
10. Displays the Global Port used for the translation between the switch and its NAT destination. 11. Refer to the Status field for the current state of the requests made from applet. This field displays error messages if something is wrong in the transaction between the applet and the switch. 12. Click OK to use the changes to the running configuration and close the dialog. 13. Click Cancel to close the dialog without committing updates to the running configuration.
3. Refer to the following information as displayed within the Interface tab: Interface Displays the VLAN used as the inside or outside NAT type. All defined VLANs are available from the drop-down menu for use as the interface. Type Displays the NAT type as either: • Inside - The set of switch-managed networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world. • Outside - All other addresses.
Viewing NAT status Use the Status tab to review the NAT translations configured thus far for the switch. The Status tab displays the inside and outside local and global IP addresses. To view and configure a NAT interface: 1. Select Security > NAT from the main menu tree. 2. Click on the Status tab. 3. Refer to the following to assess the validity and total NAT translation configurations available to the switch.
6 Configuring IKE settings Configuring IKE settings IKE (also known as ISAKMP) is the negotiation protocol enabling two hosts to agree on how to build an IPSec security association. To configure the security appliance for virtual private networks, set global IKE parameters that apply system wide and define IKE policies peers negotiate to establish a VPN tunnel. The IKE protocol is an IPSec standard protocol used to ensure security for VPN negotiation, and remote host or network access.
1. Select Security > IKE Settings from the main menu tree. 2. Click the Configurations tab. During IKE negotiations, peers must identify themselves to one another. Thus, the configuration you define is the identification medium for device recognition. 3. Set a Keep Alive interval (in seconds) the switch uses for monitoring the continued presence of a peer and reporting the client's continued presence. The client notifies you when the peer is no longer present.
9. If the properties of an existing peer IP address and key are no longer relevant and cannot be edited, click the Add button to create a new pre-shared key a.
An IKE policy matches when both peers have the same encryption, hash, authentication and Diffie-Hellman settings. The SA lifetime must also be less than or equal to the lifetime in the policy sent. If the lifetimes do not match, the shorter lifetime applies. If no match exists, IKE refuses negotiation. To view the current set of IKE policies: 1. Select Security > IKE Settings from the main menu tree. 2. Click the IKE Policies tab. 3.
Authentication Type Displays the authentication scheme used to validate the identity of each peer. Pre-shared keys do not scale well with a growing network but are easier to maintain in a small network. Options include: • Pre-shared Key - Uses pre-shared keys. • RSA Signature - Uses a digital certificate with keys generated by the RSA signatures algorithm. SA Lifetime (sec.) Displays an integer for the SA lifetime in seconds.
6. If the properties of an existing policy are no longer relevant and cannot be edited to be useful, click the Add button to define a new policy.
a. Configure a set of attributes for the new IKE policy: Sequence Number Define the sequence number for the IKE policy. The available range is from 1 to 10,000 with 1 being the highest priority value. Encryption Set the encryption method used to protect the data transmitted between peers. Options include: • DES - 56-bit DES-CBC. The default value. • 3DES - 168-bit Triple DES. • AES - 128-bit AES. • AES 192 - 192-bit AES. • AES 256 - 256-bit AES.
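Worked example of the policy matching rule described above, added here (it is not Brocade code; the hash labels, the sample policy set and the direction of the lifetime comparison are my assumptions): local policies are tried in sequence-number order with 1 first, a match needs identical encryption, hash, authentication and Diffie-Hellman settings, and the shorter lifetime applies.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Encryption and authentication labels as listed on the IKE policy screen.
ENCRYPTION_OPTIONS = {"DES", "3DES", "AES", "AES 192", "AES 256"}
AUTH_OPTIONS = {"Pre-shared Key", "RSA Signature"}


@dataclass(frozen=True)
class IkePolicy:
    seq: int           # 1..10,000; 1 is the highest priority
    encryption: str    # one of ENCRYPTION_OPTIONS
    hash: str          # hash labels ("SHA", "MD5") are constructed for this example
    auth: str          # one of AUTH_OPTIONS
    dh_group: int      # Diffie-Hellman group number
    lifetime: int      # SA lifetime in seconds

    def __post_init__(self):
        if not 1 <= self.seq <= 10000:
            raise ValueError("sequence number must be between 1 and 10,000")
        if self.encryption not in ENCRYPTION_OPTIONS:
            raise ValueError(f"unknown encryption {self.encryption!r}")
        if self.auth not in AUTH_OPTIONS:
            raise ValueError(f"unknown authentication type {self.auth!r}")
        if self.lifetime <= 0:
            raise ValueError("SA lifetime must be positive")

    def suite(self) -> Tuple[str, str, str, int]:
        # The four attributes that must be identical on both sides.
        return (self.encryption, self.hash, self.auth, self.dh_group)


def select_policy(local: Iterable[IkePolicy],
                  proposal: IkePolicy) -> Optional[Tuple[IkePolicy, int]]:
    """Return (matching local policy, negotiated lifetime), or None when no
    local policy matches and IKE refuses the negotiation.

    The proposal's seq is ignored: only its suite and lifetime matter."""
    for pol in sorted(local, key=lambda p: p.seq):     # lowest seq first
        if pol.suite() != proposal.suite():
            continue
        # Assumption: the peer's proposed lifetime must not exceed this
        # policy's lifetime; otherwise the policy is not a match and the
        # search continues with the next sequence number.
        if proposal.lifetime > pol.lifetime:
            continue
        # When the lifetimes differ, the shorter one applies to the SA.
        return pol, min(pol.lifetime, proposal.lifetime)
    return None


# Constructed sample policy set (not from the guide).  seq 5 and seq 30 share
# a suite; seq 5 wins because lower sequence numbers are tried first.
LOCAL_POLICIES = [
    IkePolicy(30, "AES", "MD5", "Pre-shared Key", 2, 3600),
    IkePolicy(5, "AES", "MD5", "Pre-shared Key", 2, 7200),
    IkePolicy(20, "3DES", "SHA", "Pre-shared Key", 2, 28800),
    IkePolicy(10, "AES 256", "SHA", "RSA Signature", 5, 86400),
]


if __name__ == "__main__":
    peer = IkePolicy(1, "3DES", "SHA", "Pre-shared Key", 2, 3600)
    print(select_policy(LOCAL_POLICIES, peer))   # (seq 20 policy, 3600)
```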
1. Select Security > IKE Settings from the main menu tree. 2. Click the SA Statistics tab. 3. Refer to the information displayed within SA Statistics tab to discern the following: Index Displays the alpha-numeric name (index) used to identify individual SAs. Phase 1 done Displays whether this index is completed with the phase 1 (authentication) credential exchanged between peers. Created Date Displays the exact date the SA was configured for each index displayed.
6 Configuring IPSec VPN 4. Select an index and click the Details button to display a more robust set of statistics for the selected index. Use this information to discern whether changes to an existing IKE configuration are warranted or if a new configuration is required. 5. Click the Stop Connection button to terminate the statistic collection of the selected IKE peer. Configuring IPSec VPN Use IPSec Virtual Private Network (VPN) to define secure tunnels between two peers.
IPSec sessions and permits Certification Authority (CA) support for a manageable, scalable IPSec implementation. If you do not want IKE with your IPSec implementation, disable it for IPSec peers. You cannot have a mix of IKE-enabled and IKE-disabled peers within your IPSec network. • Configure security association parameters The use of manual security associations is a result of a prior arrangement between switch users and the IPSec peer.
Defining the IPSec configuration Use the IPSec VPN Configuration tab to view the attributes of existing VPN tunnels and modify the security association lifetime and keep alive intervals used to maintain the sessions between VPN peers. From the Configuration tab, transform sets can be created, and existing sets modified or deleted. 1. Select Security > IPSec VPN from the main menu tree. 2. Click the Configuration tab. 3.
4. Refer to the Transform Sets field to view the following data: Name Displays a transform set identifier used to differentiate transform sets. The index is helpful when transform sets with similar attributes need to be revised or discarded. ESP Encryption Scheme Displays the ESP Encryption Transform used with the index. Options include: • None - No ESP encryption is used with the transform set. • ESP-DES - ESP with the 56-bit DES encryption algorithm.
1. Select Security > IPSec VPN from the main menu tree. 2. Click the Configuration tab. 3. Select an existing transform set and click the Edit button. 4. Revise the following information as required to render the existing transform set useful. Name The name is read-only and cannot be modified unless a new transform set is created. ESP Encryption Scheme Select the Use ESP checkbox (if necessary) to modify the ESP Encryption Scheme.
Adding a new transform set A transform set represents a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use a particular transform set for protecting data flow. If the attributes of an existing transform set are no longer useful, and an existing transform set is not required, create a new transform set to meet the needs of your network. To edit the attributes of an existing transform set: 1.
5. Refer to the Status field for the current state of the requests made from applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. 6. Click OK to use the changes to the running configuration and close the dialog. 7. Click Cancel to close the dialog without committing updates to the running configuration.
4. Click the IP Range tab to view the following: Index Enter the index assigned to the range of IP addresses displayed in the Starting and Ending IP Address ranges. This index is used to differentiate this range from others with similar IP addresses. Starting IP Address Enter the numerical IP address used as the starting address for the range defined. If the Ending IP address is left blank, only the starting address is used for the remote destination.
1. Select Security > IPSec VPN from the main menu tree. 2. Select the Authentication tab. 3. Define whether IPSec VPN user authentication is conducted using a RADIUS Server (by selecting the RADIUS radio button), by a user-defined set of names and passwords (by selecting the User Table radio button) or if no authentication is used for credential verification (by selecting the No Authentication radio button). 4. Enter a NAS ID for the NAS port.
7. Select an existing server and click the Delete button to remove it from the list of available RADIUS Servers. Only delete a server if its configuration does not provide a valid authentication medium. 8. If you require a new RADIUS Server be configured, click the Add button. Set this server’s designation as a primary or secondary RADIUS Server (using the checkboxes), define the server IP address, port and shared secret password. Click OK when completed to save the changes. 9.
Configuring Crypto Maps Crypto Maps allow you to set restrictions preventing peers with specific certificates (especially certificates with particular DNs) from accessing selected encrypted interfaces. If restricting access, specify a fewer number of Crypto Maps (referring to large identity sections) instead of specifying a large number of Crypto Maps (referring to small identity sections). To define the Crypto Map configuration: 1.
1. Select Security > IPSec VPN from the main menu tree. 2. Click the Crypto Maps tab and select Crypto Map Entries. 3. Review the following Crypto Map attributes to determine if an existing Crypto Map requires revision, deletion or if a new Crypto Map needs to be created. Priority / Seq Displays the numerical priority assigned to each Crypto Map. Name Displays the user-assigned name for this specific Crypto Map.
5. Select an existing Crypto Map and click the Delete button to remove it from the list of available. 6. Click the Add button to define the attributes of a new Crypto Map. a. Assign a Seq # (sequence number) to distinguish one Crypto Map from another. b. Assign the Crypto Map a Name to differentiate from others with similar configurations. c.
j. Refer to the Peers (add choices) field and use the Add and Delete functions as necessary to add or remove existing peers. For information on adding or modifying peers, see “Crypto Map peers” on page 395. k. Refer to the Transform Sets (select one) field to select and assign a transform set for use with the Crypto Map. Again, a transform set represents a combination of security protocols and algorithms.
5. Select an existing Crypto Map and click the Delete button to remove it from the list of those available to the switch. 6. If a new peer requires creation, click the Add button. 7. a. Define the Seq # /Name for the new peer. b. Enter the name of the IKE Peer used with the Crypto Map to build an IPSec security association. Click OK to save the configuration of the new Crypto Map peer.
1. Select Security > IPSec VPN from the main menu tree. 2. Click the Crypto Maps tab and select Manual SAs. 3. Refer to the read-only information displayed within the Manual SAs tab to determine whether a Crypto Map (with a manually defined security association) requires modification or if a new one requires creation. Priority / Seq # Displays the Seq # (sequence number) used to determine priority. The lower the number the higher the priority.
6. If a new Crypto Map manual security association requires creation, click the Add button. 7. a. Define the Seq #. The sequence number determines priority among Crypto Maps. The lower the number, the higher the priority. b. Provide a unique Name for this Crypto Map to differentiate it from others with similar configurations. c. Enter the name of the IKE Peer used to build an IPSec security association. d.
To review, revise or add a Crypto Map transform set: 1. Select Security > IPSec VPN from the main menu tree. 2. Click the Crypto Maps tab and select Transform Sets. 3. Refer to the read-only information displayed within the Transform Sets tab to determine whether a Crypto Map transform set requires modification or a new one requires creation. Priority / Seq # Displays the Seq # (sequence number) used to determine priority.
6. If a new Crypto Map transform set requires creation, click the Add button. 7. a. Select the Seq #/Name. b. Enter the name of the Transform set used with the Crypto Map. Click OK when completed to save the configuration of the Crypto Map transform set. Crypto Map interfaces To review the interfaces currently available to the Crypto Maps or assign an interface: NOTE A Crypto Map cannot get applied to more than one interface at a time.
1. Select Security > IPSec VPN from the main menu tree. 2. Click the Crypto Maps tab and select Interfaces. 3. Refer to the following read-only information displayed within the Interfaces tab. Name Lists the name of the Crypto Maps available for the interface. Interface Name Displays the name of the interface through which IPSec traffic flows.
1. Select Security > IPSec VPN from the main menu tree. 2. Click the IPSec SAs tab. 3. Refer to the following security association data: Index Displays the numerical (if defined) ID for the security association. Use the index to differentiate this SA from others with similar configurations. Local Peer Displays the name of the local peer at the near side of the VPN connection. Remote Peer Displays the name of the remote peer at the far side of the VPN connection.
Configuring the RADIUS Server 6 The following navigation and pagination options are available: View All Displays all SAs in one screen. View By Page Use this option to split the list into pages and view them one page at a time. The following controls are enabled when the View By Page option is selected. << Use this control to navigate to the first page. < Use this control to navigate to the previous page. Page Use this text box to enter the page number to jump directly to.
The switch’s local RADIUS server stores the authentication data locally, but can also be configured to use a remote user database. A RADIUS server as the centralized authentication server is an excellent choice for performing accounting. RADIUS can significantly increase security by centralizing password management. NOTE The switch can be configured to use its own local RADIUS server or an external RADIUS server you define and configure.
The RADIUS server validates the user’s credentials and challenges information received in the RADIUS access request frames. If the user is authorized and authenticated, the client is granted access by sending a RADIUS access accept frame. The frame is transmitted to the client in an EAPoL frame format. User database User group names and associated users (in each group) can be created in the local database.
Proxy to external RADIUS Server Proxy realms are configured on the switch, which has the details of the external RADIUS server to which the corresponding realm users are to be proxied. The obtained user ID is parsed in a (user@realm, realm/user, user%realm, user/realm) format to determine which proxy RADIUS server is to be used. LDAP An external data source based on LDAP can be used to authorize users.
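The realm formats just listed, as an added parser (my example, not Brocade's implementation; the proxy-realm table, the server addresses and the handling of a "/" form whose realm is not configured are assumptions): the two "/" forms are ambiguous, so the parser checks which half is a configured proxy realm.

```python
from typing import Dict, Iterable, NamedTuple, Optional, Tuple


class ProxyServer(NamedTuple):
    host: str
    port: int


# Constructed proxy-realm table (not from the guide): realm -> external RADIUS server.
PROXY_REALMS: Dict[str, ProxyServer] = {
    "corp.example": ProxyServer("192.0.2.10", 1812),
    "partner.example": ProxyServer("198.51.100.20", 1812),
}


class Route(NamedTuple):
    user: str
    realm: Optional[str]          # None when no realm could be extracted
    proxy: Optional[ProxyServer]  # None means the request stays with the local server


def split_realm(user_id: str, known_realms: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Split user_id into (user, realm) using the four formats the guide lists."""
    known = {r.lower() for r in known_realms}
    if "@" in user_id:                          # user@realm; realm follows the last '@'
        user, _, realm = user_id.rpartition("@")
    elif "%" in user_id:                        # user%realm
        user, _, realm = user_id.partition("%")
    elif "/" in user_id:                        # realm/user or user/realm: ambiguous
        left, _, right = user_id.partition("/")
        if left.lower() in known:
            user, realm = right, left
        elif right.lower() in known:
            user, realm = left, right
        else:                                   # neither half is a configured realm
            return user_id, None
    else:
        return user_id, None                    # bare user name, no realm
    if not user or not realm:                   # e.g. "@corp.example" or "alice@"
        return user_id, None
    return user, realm.lower()


def route_request(user_id: str, table: Dict[str, ProxyServer] = PROXY_REALMS) -> Route:
    """Decide whether a request is proxied and to which server.

    Assumption: a realm that is not configured for proxying, or an ID with no
    realm, is handled by the switch's local RADIUS server (proxy=None)."""
    user, realm = split_realm(user_id, table)
    return Route(user, realm, table.get(realm) if realm else None)


if __name__ == "__main__":
    for uid in ("alice@corp.example", "corp.example/bob", "eve/unknown.example"):
        print(uid, "->", route_request(uid))
```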
3. Click the Start the RADIUS server link to use the switch’s own RADIUS server to authenticate users accessing the switch managed network. Again, this is recommended as the secondary means of authenticating users. 4. Set a Timeout interval (between 5 and 10 seconds) to define how long the switch waits for a reply to a RADIUS request before retransmitting the request. The default value is 5.
RADIUS client configuration A RADIUS client implements a client/server mechanism enabling the switch to communicate with a central server to authenticate users and authorize access to the switch managed network. A RADIUS client is often an embedded device since it alleviates the need to store detailed user information locally. To configure RADIUS client support: 1. Select Security > RADIUS Server from the main menu. 2. Ensure the Configuration tab is selected. 3.
1. Select Security > RADIUS Server from the main menu. 2. Select the Authentication tab. 3. Refer to the Authentication field to define the following RADIUS authentication information: EAP and Auth Type Specify the EAP type for the RADIUS server. • PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an ideal choice for networks using legacy EAP authentication methods.
Cert Trustpoint Click the View/Change button to specify the trustpoint from which the RADIUS server automatically grants certificate enrollment requests. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. If the server certificate trustpoint is not used, the default trustpoint is used instead.
Configuring RADIUS users Refer to the Users tab to view the current set of users and groups assigned for the RADIUS server. The Users tab is employed when Local is selected as the Auth Data Source within the Authentication & Accounting tab. The user information is ignored if an LDAP server is used for authentication. To define the RADIUS user permissions for switch access: 1. Select Security > RADIUS Server from the main menu. 2. Select the Users tab. 3.
If the group assignment is insufficient, use the Edit or Add functions to modify/create users or modify their existing group assignments. For guest users, only the password is editable. For normal (non-guest) users, the password and group association can be modified. To modify the attributes of an existing user, select the user from the list and click the Edit button.
a. Refer to the Status field for the current state of the requests made from applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. b. Click OK to use the changes to the running configuration and close the dialog. c.
1. Select Security > RADIUS Server from the main menu. 2. Select the Groups tab. 3. Refer to the user groups listed to review the following read-only attributes for each group: Name Displays the unique name assigned to each group. The group name should be indicative of the user population within and their shared activity within the switch managed network.
Rate limit Uplink Displays the rate limit from the wireless client to the network when using RADIUS authentication. The rate limit of 0 disables rate limiting for this direction. Any rate limit obtained through RADIUS server authentication overwrites the initial user rate limit for the given MU. Rate limit Downlink Displays the rate limit from the network to the wireless client when using RADIUS authentication.
Modify the existing group’s guest designation, VLAN ID, access period and WLAN assignment. 7. If an existing group is no longer needed (perhaps obsolete in function), select the group and click the Delete button to permanently remove the group from the list. The group can only be removed if all the users in the group are removed first. 8. To create a new group, click the Add button and provide the following information.
10. Click OK to use the changes to the running configuration and close the dialog. 11. Click Cancel to close the dialog without committing updates to the running configuration. Viewing RADIUS accounting logs Accounting logs contain information about the use of remote access services by users. This information is of great assistance in partitioning local versus remote users and how to best accommodate each.
6 Creating server certificates Creating server certificates Use the Server Certificates screen to view existing self-signed certificate values. The values displayed are read-only.
1. Select Security > Server Certificates from the main menu tree. 2. Select the Trustpoints tab. A panel (on the far left of the screen) displays currently enrolled trustpoints. The Server Certificate and CA Root Certificate tabs display read-only credentials for the certificates in use by the switch. A table displays the following Issued To and Issued By details for each: Issued To Country (C) Displays the country of usage for which the certificate was assigned.
Organizational Unit (OU) If a unit exists within the organization that is representative of the certificate issuer, that name should be displayed here. Common Name (CN) If there is a common name (IP address) for the organizational unit issuing the certificate, it displays here. Validity Issued On Displays the date the certificate was originally issued. Expires On Displays the expiration date for the certificate. 3.
1. Select Security > Server Certificates from the main menu tree. 2. Click the Certificate Wizard button on the bottom of the screen. 3. Use this wizard for: • Creating a new self-signed certificate or certificate request • Uploading an external certificate • Delete Operations 4. Select the Create new certificate radio button to generate a new self-signed certificate or prepare a certificate request which can be sent to a Certificate Authority (CA).
1. Select the Create new self-signed certificate /certificate request radio button in the wizard and click the Next button. The second page of the wizard contains three editable fields, Select Certificate Operation, Select a Trustpoint, and Specify a key for your new certificate. 2. Use the second page to create either a self signed certificate or prepare a certificate request.
Select a trustpoint for the new certificate. • Use existing trustpoint - Select an existing trustpoint from the drop-down menu. • Create a new trustpoint - Provide a name for the new trustpoint in the space provided. To specify a key for a new certificate, select one of the following: • Automatically generate a key - Automatically generates a key for the trustpoint. • Use existing key - Specify an existing key using the drop-down menu.
If generating a new self-signed certificate (as selected in page 2 of the wizard), the wizard continues the installation. Use the third page of the wizard to enter a unique trustpoint name and other credentials required to create the new certificate. 3. Select the Configure the trustpoint checkbox to enable the new self signed certificate configured as a trustpoint. 4.
Organization – Define an Organization for the organization used in the Self-Signed Certificate. By default, it is Brocade, Inc. The user is allowed to modify the Organization name. This is a required field.
Organization Unit – Enter an Org. Unit for the name of the organization unit used in the Self-Signed Certificate. By default, it is Wireless Switch Division. This is a required field.
If you selected to prepare a certificate request on page 2, the wizard continues, prompting the user for the information required to complete the certificate request. Click Next to continue.
9. Check the Copy the certificate request to clipboard option to add the contents of the certificate request to the clipboard, from which it can be pasted to other locations.
Using the wizard delete operation
The wizard can also be used to delete entire trustpoints, the certificate used with a trustpoint, or the CA root certificate used with a trustpoint. Delete trustpoint properties as they become obsolete or when the properties of a certificate are no longer relevant to the operation of the switch.
1. Select the Delete Operations radio button and click the Next button.
The next page of the wizard is used to delete a trustpoint.
2. Use the Delete trustpoint and all certificates inside it drop-down menu to define the target trustpoint for removal.
3. Use the Remove certificates from this trustpoint drop-down menu to define the trustpoint that will have either its Server Certificate or CA Root Certificate removed.
4. Click the Next button to proceed and complete the trustpoint removal.
1. Select Security > Server Certificates from the main menu tree.
2. Select the Keys tab. The Keys tab displays the following:
Key Name – Displays the name of the key pair generated separately, or automatically when selecting a certificate. Specify the option within the wizard.
Key Sizes – Displays the size of the desired key. If not specified, a default key size of 1024 is used.
3. Highlight a Key from the table and click the Delete button to delete it from the switch.
3. Click the Add button at the bottom of the screen.
4. Enter a Key Label in the space provided to specify a name for the new key pair.
5. Define the Key Size between 1024 and 2048 bytes.
6. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
7. Click OK to save the changes to the running configuration and close the dialog.
The drop-down menu contains the log files listed within the Server Certificate screen.
6. Use the To drop-down menu to define whether the target log file is to be sent to the system's local disk (Local Disk) or to an external server (Server).
7. Provide the name of the file to be transferred to the location specified within the Target field.
8. Use the Using drop-down menu to configure whether the log file transfer is sent using FTP or TFTP.
Configuring enhanced beacons and probes

Configuring the beacon table
The Beacon Table is used to detect rogue APs. An adopted 7131N-FGR in dependent mode transmits beacons and MUs send a probe request to the AP for association. The adopted 7131N-FGR in dependent mode (on receipt of the probe request) sends a probe response and forms an AP-MU association.
3. Select the Enable Enhanced Beacon Table checkbox to allow the AP to receive beacons and association information.
4. Use the Scan Interval value to enter the interval used by the radio between scans. The radio scans each channel at the defined interval. The default value is 10 seconds.
5. Use the Scan Time value to enter the duration of the scan. The radio scans each channel for the defined duration. The default value is 100 milliseconds.
9. Click Apply to save changes to the screen. Navigating away from the screen without clicking the Apply button results in changes being discarded.
10. Click the Revert button to undo the changes to the screen and revert to the last saved configuration.
Configuring the probe table
Define enhanced probes to detect rogue MUs within the network. An adopted 7131N-FGR in dependent mode transmits beacons and MUs send a probe request to the AP for association.
6. The Preferred MUs table lists the MAC Addresses for all preferred MUs.
7. Select an MU from the Preferred MUs table and click the Delete button to remove the MU from the table.
8. Click the Add button to open a dialogue and add the MAC Address of a preferred MU to the table.
9. 802.11a Radios: Click the Enable All button to allow an AP's 802.11a radio to receive MU probe requests and forward them to the switch.
10. 802.
1. Select Security > Enhanced Probe/Beacon Table from the main menu tree.
2. Select the Beacons Found tab.
3. Refer to the following information as displayed within the Beacons Found tab:
Portal MAC – Displays the MAC address of the unadopted AP detected by the enhanced beacon supported AP.
Rogue AP MAC – Displays the MAC address of the enhanced beacon supported AP.
Signal Strength (dBm) – Displays the signal strength when the unadopted AP was detected.
1. Select Security > Enhanced Probe/Beacon Table from the main menu tree.
2. Select the Probes Found tab.
3. Refer to the following information as displayed within the Probes Found tab:
Portal MAC – Displays the MAC address of the unadopted MU detected by the Enhanced Probes enabled AP.
MU MAC – Displays the MAC address of the Enhanced Probe detected MU.
Signal Strength (dBm) – Displays the signal strength when the unadopted MU was detected.
Chapter 7 Controller Management

In this chapter
This chapter describes the Management Access main menu items used to configure the switch. This chapter consists of the following switch management activities:
• Displaying the Management Access Interface
• Configuring Access Control
• Configuring SNMP Access
• Configuring SNMP Traps
• Configuring SNMP trap receivers
• Configuring management users
NOTE
HTTPS must be enabled to access the switch applet.
Displaying the Management Access Interface
1. Select Management Access from the main menu tree.
2. Refer to the Current Status field to review the following read-only information:
Firmware In Use – The Firmware In Use value displays the software version currently running on the switch. Use this information to assess whether a firmware update would improve the switch feature set and functionality.
Log Output – The Log Output value displays the target location for log files output by the switch.
Configuring Access Control
1. Select Management Access > Access Control from the main menu tree.
2. Refer to the Management Settings field to enable or disable the following switch interfaces:
Secure Management (on Management VLAN only) – Select this checkbox to allow management VLAN access to switch resources. The management VLAN is used to establish an IP connection to the switch from a workstation connected to a port in the VLAN.
Maximum number of Applet Sessions per User (1-100) – Specify the number of concurrent connections to the applet.
Applet Session Inactivity Interval (1-1440) – Specify an inactivity limit in minutes, after which the applet expires an inactive session.
NOTE
You cannot establish an SSH session with the switch when an RSA key with a length of 360 is associated with the SSH server.
3. Click the Apply button to save changes made to the screen since the last saved configuration.
Configuring SNMP Access
SNMP Version 3 (SNMPv3) adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. The architecture supports the concurrent use of different security, access control, and message processing techniques. Refer to the v3 screen to review the current SNMP v3 configuration.
Encryption – Displays the current Encryption Standard (DES) protocol the user must satisfy for SNMP v3 access to the switch. Click the Edit button to modify the password required to change encryption keys.
Status – Displays whether this specific SNMP v3 User Name is active on the switch.
4. Highlight an existing v3 entry and click the Edit button to modify the password for the Auth Protocol and Priv Protocol.
7. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
8. Click Cancel to close the dialog without committing updates to the running configuration.
Accessing Message Parameters
Refer to the Message Parameters screen for the SNMP values. To edit the values in the Message Parameters:
To edit an SNMP v3 user profile:
1. Select Management Access > SNMP Access from the main menu tree.
2. Select the Statistics tab from within the SNMP Access screen.
3. Refer to the following read-only statistics displayed within the SNMP Access Statistics screen:
V3 Metrics – Displays the individual SNMP Access events capable of having a value tracked for them.
Configuring SNMP Traps
Use the SNMP Trap Configuration screen to enable or disable traps individually or by functional trap group. It is also used for modifying the existing threshold condition values for individual trap descriptions.
4. Select an individual trap, by expanding the node in the tree view, to view a high-level description of this specific trap within the Trap Description field. You can also select a trap family category heading (such as "Redundancy" or "NSM") to view a high-level description of the traps within that trap category.
Redundancy – Displays a list of sub-items (trap options) specific to the Redundancy (clustering) configuration option.
Those sub-items previously enabled (with a check to the left) now display with an "X" to the left of them.
10. Click Apply to save the trap configurations enabled using the Enable or Enable all sub-items options.
11. Click Revert to discard any updates and revert back to the last saved configuration.
Configuring E-mail notifications
To enable e-mail notification:
1. Select Management Access > SNMP Trap Configuration from the main menu tree.
User Name – Enter the username for the user which will be sending outgoing mail through the SMTP server.
Password – Enter the password associated with the above username.
Enable Authentication – Check the Enable Authentication box to enable support for SMTP Authentication, which is required for certain outgoing SMTP servers.
4. Configure the mail-to section of the page as follows:
To Address(es) – Specify an e-mail address or addresses that notifications will be sent to.
1. Select Management Access > SNMP Trap Configuration from the main menu tree.
2. Click the Wireless Statistics Thresholds tab.
3. Refer to the following information for threshold descriptions, conditions, editable threshold values and units of measurement:
Threshold Name (Description) – Displays the target metric for the data displayed to the right of the item. It defines a performance criterion used as a target for trap configuration.
4. Select a threshold and click the Edit button to display a screen wherein threshold settings for the MU, AP and WLAN can be modified. Adjust the values as needed (between 0-100) to initiate a trap when the value is exceeded for the MU, AP or WLAN. Ensure the value set is realistic with respect to the number of MUs and APs supporting WLANs within the switch managed network.
Wireless statistics thresholds (table columns: #, Threshold Name, Condition, Station Range, Radio Range, WLAN Range, Wireless Service Range, Units):

#: 3
Threshold Name: Average Bit Speed
Condition: Less than
Station Range: A decimal number greater than 0.00 and less than or equal to 54.00
Radio Range: A decimal number greater than 0.00 and less than or equal to 54.00
WLAN Range: A decimal number greater than 0.00 and less than or equal to 54.00
Wireless Service Range: N/A
Units: Mbps

#: 4
Threshold Name: Average MU Signal
Condition: Worse than
Station Range: A decimal number less than -0.00 and greater than or equal to -120.
Configuring SNMP trap receivers
1. Select Management Access > SNMP Trap Receivers from the main menu tree.
2. Refer to the following SNMP trap receiver data to assess whether modifications are required:
Destination Address – The Destination Address defines the numerical (non-DNS name) destination IP address for receiving traps sent by the SNMP agent.
Port – The Port specifies the destination User Datagram Protocol (UDP) port receiving traps.
Add trap receivers as needed if the existing trap receiver information is insufficient. For more information, see "Adding SNMP trap receivers" on page 455.
Editing SNMP trap receivers
Use the Edit screen to modify the trap receiver's IP Address, Port Number and v2c or v3 designation. Consider adding a new receiver before editing an existing one or risk overwriting a valid receiver.
1. Select Management Access > SNMP Trap Receivers from the main menu tree.
2. Click the Add button at the bottom of the screen.
3. Create a new (non-DNS name) destination IP address for the new trap receiver to be used for receiving the traps sent by the SNMP agent.
4. Define a Port Number for the trap receiver.
5. Use the Protocol Options drop-down menu to specify the trap receiver as either an SNMP v2c or v3 receiver.
Configuring management users
1. Select Management Access > Users from the main menu tree.
2. Click the Local Users tab. The Local User window consists of two fields:
• Users – Displays the users currently authorized to use the switch. By default, the switch has two default user types, Admin and Operator.
• Privileges – This frame displays the privileges assigned to each type of user.
3. Select the user (Admin, Operator or user defined) from the Users frame.
1. Select Management Access > Users from the main menu tree.
2. Click the Add button within the Local Users tab.
3. Enter the login name for the user in the Username field. Ensure this name is practical and identifiable to the user.
4. Enter the authentication password for the new user in the Password field and reconfirm it in the Confirm Password field.
NOTE
By default, the switch is HTTPS enabled with a self-signed certificate. This is required since the Web UI uses HTTPS for user authentication.
6. Select the access modes to assign to the new user from the options provided in the Access Modes panel. Select one or more of the following options:
Console – This option provides the new user access to the switch using the console.
SSH – This option provides the new user access to the switch using SSH.
5. Select the user role from the options provided in the Associated Roles field. Select one or more of the following options:
Monitor – If necessary, modify user permissions without any administrative rights. The Monitor option provides read-only permissions.
Help Desk Manager – Optionally assign this role to someone who typically troubleshoots and debugs problems reported by the customer.
The Status is the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
8. Click OK to complete the modification of the user's privileges.
9. Click Cancel to revert back to the last saved configuration without saving any of your changes.
7. Optionally, click the Generate button to automatically create a username and password for each guest user.
8. Repeat this process as necessary until all required guest users have been created with relevant passwords and start/end guest group permissions.
Configuring switch authentication
The switch provides the capability to proxy authentication requests to a remote RADIUS server.
If authentication services are not available for technical reasons, select the option provided in the panel to allow read-only access.
4. Click the Apply button to commit the authentication method for the switch.
5. Click the Revert button to roll back to the previous authentication configuration.
6. Refer to the bottom half of the Authentication screen to view the RADIUS Servers configured for switch authentication. The servers are listed in order of their priority.
3. Select an existing RADIUS Server from those listed and click the Edit button at the bottom of the screen.
4. Modify the following RADIUS Server attributes as necessary:
RADIUS Server Index – Displays the read-only numerical Index value for the RADIUS Server to help distinguish this server from other servers with a similar configuration (if necessary). The maximum number that can be assigned is 32.
Adding an external RADIUS Server
The attributes of a new RADIUS Server can be defined by the switch to provide a new user authentication server. Once the server is configured and added, it displays within the Authentication tab as an option available to the switch. To define the attributes of a new RADIUS Server:
1. Select Management Access > Users from the main menu tree. The Users screen displays.
2. Select the Authentication tab.
7. Click Cancel to revert back to the last saved configuration without saving any of your changes.
External RADIUS Server settings
When using an external RADIUS Server with the switch, ensure that the following values are configured on your server to ensure maximum compatibility with the switch.
Vendor ID – The Brocade vendor ID is 1991.
RADIUS VSAs – There are two RADIUS VSAs used for management user authentication.
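The vendor ID above is carried inside RFC 2865 Vendor-Specific attributes (type 26). As an added example that is not the switch's or any RADIUS server's code, the following Python encodes and decodes such attributes and picks out only those under Brocade's vendor ID 1991, which is a useful check of what a server is actually returning; the vendor-type number used for the management-role value is a hypothetical placeholder, since this page does not list the two Brocade VSAs, and the sample attribute bytes are constructed rather than captured.

```python
"""RFC 2865 Vendor-Specific Attribute (VSA) encoder/decoder for checking the
Brocade VSAs (vendor ID 1991) a RADIUS server returns to the switch.
Added example; not the switch's or any RADIUS server's own code."""
import struct

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
BROCADE_VENDOR_ID = 1991  # from the guide

# The guide states that two Brocade VSAs carry management-user authentication
# data, but this page does not list their vendor-type numbers, so this value
# is a hypothetical placeholder, not a real Brocade assignment.
HYPOTHETICAL_VSA_MGMT_ROLE = 1


def encode_attribute(attr_type, value):
    """Plain attribute: Type(1) Length(1) Value; Length includes the header."""
    if isinstance(value, str):
        value = value.encode()
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute in the RFC 2865 recommended layout:
    Type=26, Length, Vendor-Id(4), Vendor-type(1), Vendor-length(1), Value."""
    if isinstance(value, str):
        value = value.encode()
    # 255 max - 2 (attribute header) - 4 (Vendor-Id) - 2 (vendor sub-header)
    if not 0 < len(value) <= 247:
        raise ValueError("VSA value must be 1..247 bytes")
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vendor_data),
                       vendor_id) + vendor_data


def parse_attributes(blob):
    """Return a list of (type, vendor_id, vendor_type, value); vendor_id and
    vendor_type are None for non-VSA attributes. A malformed length raises
    ValueError instead of being skipped, so a bad packet cannot pass quietly."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        if attr_type != ATTR_VENDOR_SPECIFIC:
            attrs.append((attr_type, None, None, value))
        else:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id and sub-attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_data, j = value[4:], 0
            while j < len(vendor_data):
                if len(vendor_data) - j < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vendor_type, vlen = vendor_data[j], vendor_data[j + 1]
                if vlen < 2 or j + vlen > len(vendor_data):
                    raise ValueError("bad vendor sub-attribute length")
                attrs.append((ATTR_VENDOR_SPECIFIC, vendor_id, vendor_type,
                              vendor_data[j + 2:j + vlen]))
                j += vlen
        i += length
    return attrs


def brocade_vsas(blob):
    """Only Brocade's vendor ID is interpreted; other vendors' VSAs are ignored,
    which is the behaviour a switch should show for an unrelated VSA."""
    return [(vt, v) for (t, vid, vt, v) in parse_attributes(blob)
            if t == ATTR_VENDOR_SPECIFIC and vid == BROCADE_VENDOR_ID]


# Constructed sample Access-Accept attribute list (not captured traffic).
SAMPLE_ATTRIBUTES = (
    encode_attribute(ATTR_USER_NAME, "netadmin")
    + encode_vsa(BROCADE_VENDOR_ID, HYPOTHETICAL_VSA_MGMT_ROLE, "superuser")
    + encode_vsa(12345, 1, "unrelated")  # constructed other-vendor VSA
)

if __name__ == "__main__":
    for vendor_type, value in brocade_vsas(SAMPLE_ATTRIBUTES):
        print(vendor_type, value)
```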
Chapter 8 Diagnostics

In this chapter
This chapter describes the various diagnostic features available for monitoring switch performance. This chapter consists of the following switch diagnostic activities:
• Displaying the main diagnostic interface
• Configuring system logging
• Debugging the applet
• Configuring a ping
NOTE
HTTPS must be enabled to access the switch applet. Ensure HTTPS access has been enabled before using the login screen to access the switch applet.
Displaying the main diagnostic interface
1. Select Diagnostics from the main tree menu.
2. Select the Environment tab (opened by default).
3. The Environment tab displays the following fields:
• Settings
• Temperature Sensors
• Fans
4. In the Settings field, select the Enable Diagnostics checkbox to enable/disable diagnostics and set the monitoring interval.
8. Click the Revert button to revert back to the last saved configuration.
CPU performance
Use the CPU tab to view and define the CPU's load statistics. Load limits can be assessed for the last one minute, five minutes and 15 minutes to better gauge switch loads over differing periods of network activity.
1. Select Diagnostics from the main tree menu.
2. Select the CPU tab.
3. The CPU screen consists of two fields:
• Load Limits
• CPU Usage
Switch memory allocation
Use the Memory tab to periodically assess the switch's memory load.
1. Select Diagnostics from the main tree menu.
2. Select the Memory tab. The Memory tab is partitioned into the following two fields:
• RAM
• Buffer
3. Refer to the RAM field to view the percentage of CPU memory in use (in a pie chart format).
4. Refer to the Free Limit value to change the CPU's memory allocation limits.
Switch disk allocation
The Disk tab contains parameters related to the various disk partitions on the switch. It also displays available space in the external drives (compact flash etc.).
1. Select Diagnostics from the main tree menu.
2. Select the Disk tab.
3. The Disk tab displays the status of the switch flash, nvram and system disk resources. Each field displays the following:
Free Space Limit – Define a Free Space Limit in percentage for the var filesystem.
1. Select Diagnostics from the main tree menu.
2. Select the Processes tab.
3. The Processes tab has two fields:
• General
• Processes by highest memory consumption
4. Refer to the General field to review the number of processes in use and the percentage of memory usage per process.
1. Select Diagnostics from the main tree menu.
2. Select the Other Resources tab. Keep the Cache allocation in line with the cache expectations required within the switch managed network.
3. Define the maximum limit for each resource according to how you expect these resources to be utilized within the switch managed network.
4. Click the Apply button to commit and apply any changes to any of the resources' maximum limits.
Configuring system logging
1. Select Diagnostics > System Logging from the main menu tree.
2. Select the Log Options tab.
3. Select the Enable Logging Module checkbox to enable the switch to log system events to a user defined log file or a syslog server.
4. Select the Enable Logging to Buffer checkbox to enable the switch to log system events to a buffer. The log levels are categorized by their severity. The default level is 3 (errors detected by the switch).
d. Optionally, use the Server 3 parameter to specify the numerical (non-DNS name) IP address of a third syslog server to log system events if the first two syslog servers are unavailable.
NOTE
255.255.255.255 is accepted as a valid entry for the IP address of a logging server.
7. Use the Logging aggregation time parameter to define the increment (or interval) at which system events are logged (0-60 seconds). The shorter the interval, the sooner the event is logged.
3. The File Mgmt tab displays existing log files. Refer to the following for log file details:
Name – Displays a read-only list of the log files (by name) created since the last time the display was cleared. To define the type of log files created, click the Log Options tab to enable logging and define the log level.
Size (Bytes) – Displays the log file size in bytes. This is the current size of the file; if modifications were made, they have been accounted for.
3. Select an individual log file whose properties you wish to display in detail and click the View button.
4. Refer to the following for information on the elements that can be viewed within a log file:
Timestamp – Displays the date, year and time of day the log file was initially created. This value only states the time the file was initiated, not the time it was modified or appended.
Module – Displays the name of the switch module logging the target event.
Mnemonic – Use the Mnemonic as a text version of the severity code information. A mnemonic is a convention for the classification, organization, storage and recollection of switch information.
Description – Displays a high-level overview of the event and (when applicable) the message type, error or completion codes for further clarification of the event. Use this information for troubleshooting or for data collection.
8. If Server has been selected as the source, use the Using drop-down menu to configure whether the log file transfer is conducted using FTP or TFTP.
9. If Server has been selected as the source, enter the IP Address of the destination server or system receiving the log file. Ensure the IP address is valid or risk jeopardizing the success of the log file transfer.
Debugging the applet
1. Select Diagnostics > Applet Debugging from the main menu.
2. To use this window, select the Enable Web-UI Debug Mode checkbox. The Applet Debugging field is partitioned into the following editable fields:
• Send log message to a file
• Use SNMP v2 only
• Message Severity
• What kinds of message should be seen
3. Select the Send log message to a file checkbox if you wish to store the log message.
The What kinds of messages should be seen field allows you to select a range of parameters for returned messages while debugging. Move your mouse pointer over a message checkbox for a message description.
a. Click the Advanced button to display the entire list of message categories when bugs are raised. Select the checkboxes corresponding to the message types you would like to receive. Each message category is enabled by default.
Configuring a ping
2. Refer to the following information displayed within the Configuration tab:
Description – Displays the user assigned description of the ping test. The name is read-only. Use this title to determine whether this test can be used as is or if a new ping test is required.
Destination IP – Displays the IP address of the target device. This is the numeric destination for the device sent the ping packets.
3. Modify the following information (as needed) to edit the existing ping test:
Description – If necessary, modify the description for the ping test. Ensure this description is representative of the test, as this is the description displayed within the Configuration tab.
Destination IP – If necessary, modify the IP address of the target device. This is the numeric (non-DNS address) destination for the device transmitted the ping packets.
No.
1. Select Diagnostics > Ping from the main menu.
2. Click the Add button at the bottom of the Configuration tab.
3. Enter the following information to define the properties of the new ping test:
Test Name – Enter a short name for the ping test to describe either the target destination of the ping packet or the ping test's expected result. Use the name provided in combination with the ping test description to convey the overall function of the test.
Viewing ping statistics
Refer to the Statistics tab for an overview of the overall success of the ping test with the destination IP addresses displayed within the screen. Use this information to determine whether the destination IP represents a device offering the switch a viable connection to either extend the switch's existing radio coverage area or provide support for additional MUs within an existing network segment. To view ping test statistics:
Average RTT – Displays the average round trip time for ping packets transmitted between the switch and its destination IP address. Use this value as a general baseline (along with packets sent vs. packets received) for the overall connection and association potential between the switch and target device.
Last Response – Displays the time (in seconds) the switch last "heard" the destination IP address over the switch managed network.
Appendix A Adaptive AP

In this chapter
An adaptive AP (AAP) is a Brocade Mobility 7131N-FGR Access Point that can adopt like a Brocade Mobility 650 Access Point (Layer 3). The management of an AAP is conducted by the switch, once the Access Point connects to a Brocade Mobility RFS7000-GR Controller and receives its AAP configuration. An AAP provides:
• local 802.
• Securing data tunnels between the switch and AAP
• Adaptive AP switch failure
• Remote Site Survivability (RSS)
• Adaptive mesh support
For an understanding of how AAP support should be configured for the Access Point and its connected switch, see How the AP receives its adaptive configuration. For an overview of how to configure both the Access Point and switch for basic AAP connectivity and operation, see Establishing basic Adaptive AP connectivity.
Auto discovery using DHCP
Extended Global Options 189, 190, 191 and 192 can be used, or Embedded Option 43 - Vendor Specific options can be embedded in Option 43 using the vendor class identifier BrocadeAP.51xx.
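To make the option 43 mechanism concrete, here is an added Python example (not the guide's or the switch's own code) that builds the DHCP options a server would return to an AP presenting the vendor class identifier BrocadeAP.51xx, and parses them the way a client must: option 43's payload is vendor-defined, so it is interpreted only when option 60 matches. The sub-option code carrying controller addresses is a hypothetical placeholder (the guide does not give it), the 12-address cap comes from the guide's Adaptive AP Setup screen, and the addresses are constructed documentation-range values.

```python
"""DHCP option handling for Adaptive AP auto discovery: the AP identifies
itself with vendor class identifier (option 60) BrocadeAP.51xx and the DHCP
server answers with vendor-specific sub-options inside option 43.
Added example; not the guide's or the switch's own code."""
import socket

OPT_PAD, OPT_END = 0, 255
OPT_VENDOR_SPECIFIC = 43
OPT_VENDOR_CLASS = 60
BROCADE_AP_VENDOR_CLASS = b"BrocadeAP.51xx"  # from the guide
MAX_SWITCH_ADDRESSES = 12                     # from the guide (AP setup screen)

# The guide does not give the sub-option code that carries controller
# addresses inside option 43; this code is a hypothetical placeholder.
HYPOTHETICAL_SUBOPT_SWITCH_IPS = 1


def encode_options(options):
    """Serialize (code, value) pairs as RFC 2132 TLVs followed by END."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < 255:
            raise ValueError("codes 0 and 255 are PAD/END, not data options")
        if len(value) > 255:
            raise ValueError("option value exceeds the one-octet length field")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Parse TLVs into {code: value}: PAD is skipped, END stops parsing,
    repeated codes are concatenated (RFC 3396) and truncation raises."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("option header truncated")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option value truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def build_aap_offer_options(switch_ips):
    """DHCP server side: option 60 echoing the AP's class plus option 43
    whose payload is itself a TLV list carrying the switch addresses."""
    if len(switch_ips) > MAX_SWITCH_ADDRESSES:
        raise ValueError("AAP accepts at most %d switch addresses" % MAX_SWITCH_ADDRESSES)
    packed = b"".join(socket.inet_aton(ip) for ip in switch_ips)
    vendor_payload = encode_options([(HYPOTHETICAL_SUBOPT_SWITCH_IPS, packed)])
    return encode_options([(OPT_VENDOR_CLASS, BROCADE_AP_VENDOR_CLASS),
                           (OPT_VENDOR_SPECIFIC, vendor_payload)])


def aap_switch_addresses(blob):
    """AP side: interpret option 43 only when option 60 names the Brocade AP
    class, because option 43's layout is vendor-defined; return dotted IPs."""
    opts = parse_options(blob)
    if opts.get(OPT_VENDOR_CLASS) != BROCADE_AP_VENDOR_CLASS:
        return []
    sub = parse_options(opts.get(OPT_VENDOR_SPECIFIC, b""))
    raw = sub.get(HYPOTHETICAL_SUBOPT_SWITCH_IPS, b"")
    if len(raw) % 4:
        raise ValueError("switch address list is not whole IPv4 addresses")
    ips = [socket.inet_ntoa(raw[k:k + 4]) for k in range(0, len(raw), 4)]
    return ips[:MAX_SWITCH_ADDRESSES]


# Constructed sample offer (documentation-range addresses), not a captured lease.
SAMPLE_OFFER = build_aap_offer_options(["192.0.2.10", "192.0.2.11"])

if __name__ == "__main__":
    print(aap_switch_addresses(SAMPLE_OFFER))
```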
NOTE
For a review of some important considerations impacting the use of extended and independent WLANs within an AAP deployment, see Adaptive AP deployment considerations.
Configuration updates
An AAP receives its configuration from the switch initially as part of its adoption sequence. Subsequent configuration changes on the switch are reflected on an AAP when applicable.
Remote Site Survivability (RSS)
RSS can be used to turn off RF activity on an AAP if it loses adoption (connection) to the switch.

RSS State      Independent WLANs           Extended WLANs
RSS Enabled    WLAN continues beaconing    WLAN continues beaconing but AP does allow clients to associate on that WLAN
RSS Disabled   WLAN stops beaconing        WLAN stops beaconing

NOTE
For a dependent AAP, independent WLANs continue to beacon for three days in the absence of a switch.
1. Go to Network > Access Port Radios and click the Global Settings button.
2. Uncheck the Adopt Unconfigured Radios Automatically option to prevent the switch from automatically adopting new APs when they are connected to the switch.
3. Configure the client bridge backhaul WLAN, base bridge and client bridge radios on the switch using the Command Line Interface (CLI) commands listed below.
B.1.13 AAP RADIUS proxy support
When an Adaptive AP is adopted to a central switch over a WAN link, the switch configures the Adaptive AP for a WLAN with RADIUS authentication from a RADIUS server residing at the central site. When the Adaptive AP gets a RADIUS MU associated, it sends the RADIUS packets on the wired side with its own IP address as the source IP of the request and the RADIUS server's address as the destination IP address.
Supported Adaptive AP topologies
The following AAP topologies are supported:
• Extended WLANs only
• Independent WLANs only
• Extended WLANs with independent WLANs
• Extended VLAN with mesh networking
Topology deployment considerations
When reviewing the AAP topologies described in this section, be cognizant of the following considerations to optimize the effectiveness of the deployment:
• An AAP firmware upgrade will not be performed at the time of adoption from the
Extended WLANs only
An extended WLAN configuration forces all MU traffic through the switch. No wireless traffic is locally bridged by the AAP. Each extended WLAN is mapped to the Access Point's virtual LAN2 subnet. By default, the Access Point's LAN2 is not enabled and the default configuration is set to static with IP addresses defined as all zeros.
How the AP receives its adaptive configuration
Only WLAN, VLAN extension and radio configuration items are defined for the AAP by its connected switch. None of the other Access Point configuration items (RADIUS, DHCP, NAT, Firewall etc.) are configurable from the connected switch. After the AP downloads a configuration file from the switch, it obtains the version number of the image it should be running. The switch does not have the capacity to hold the Access Point's firmware image and configuration.
Adjust each AAP's radio configuration as required. This includes WLAN-radio mappings and radio parameters. WLAN-VLAN mappings and WLAN parameters are global and cannot be defined on a per-radio basis. WLANs can be assigned to a radio as done today for a Mobility 650 model Access Port. Optionally, configure WLANs as independent and assign them to AAPs as needed.
3. Configure each VPN tunnel with the VLANs to be extended to it.
1. Select System Configuration -> Adaptive AP Setup from the Access Point's menu tree.
2. Select the Auto Discovery Enable checkbox. Enabling auto discovery allows the AAP to be detected by a switch once its connectivity medium has been configured (by completing steps 3-6).
NOTE Auto discovery must be enabled for a switch to detect an AP.
3. Enter up to 12 switch IP addresses constituting the target switches available for AAP connection.
1. Refer to Adopting an Adaptive AP manually and define the AAP switch connection parameters.
2. Export the AAP's configuration to a secure location. Either import the configuration manually to other APs, or to the same AP later (if you elect to default its configuration), or use DHCP options 186 and 187 to force a download of the configuration file during startup (when the AP receives a DHCP offer). The export contains the switch connection parameters defined in step 1, so restrict access to it.
3. Ensure the Adopt unconfigured radios automatically option is NOT selected. When it is disabled, there is no automatic adoption of non-configured radios on the network, and default radio settings will NOT be applied to Access Ports when they are automatically adopted.
NOTE For IPsec deployments, refer to Sample switch configuration file for IPSec and independent WLAN and take note of the AAP-specific CLI commands and their associated comments.
NOTE Additionally, a WLAN can be defined as independent using the "wlan independent" command from the config-wireless context.
NOTE For an AAP to work properly with a Brocade Mobility RFS7000-GR Controller, independent and extended WLANs must be mapped to a VLAN different from that of the ge port.
Once an AAP is adopted by the switch, it displays within the switch's Access Port Radios screen (under the Network parent menu item) as a Brocade Mobility 7131N-FGR Access Point in the AP Type column.
Sample switch configuration file for IPSec and independent WLAN

The following is a sample switch configuration file supporting an AAP IPsec with independent WLAN configuration. Note the new AAP-specific CLI commands and the explanatory comments (lines beginning with "!"). The sample output is as follows:

!
! configuration of RFS7000-GR
!
version 1.
license AP xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxxyxyxyx
!
wireless
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 vlan 200
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 admin123
wlan 2 enable
wlan 2 ssid qs5-tkip
wlan 2 vlan 210
wlan 2 encryption-type tkip
wlan 2 dot11i phrase 0 admin123
wlan 3 enable
wlan 3 ssid qs5-wep128
wlan 3 vlan 220
wlan 3 encryption
radio 4 channel-power indoor 48 4
radio 4 rss enable
radio 4 client-bridge bridge-select-mode auto
radio 4 client-bridge ssid Mesh
radio 4 client-bridge mesh-timeout 0
radio 4 client-bridge enable
radio default-11a rss enable
radio default-11bg rss enable
radio default-11b rss enable
no ap-ip default-ap switch-ip
!
RADIUS-server local
! To create an IPSEC Transform Set
!
crypto ipsec transform-set AAP-TFSET esp-aes-256 esp-sha-hmac
mode tunnel
! To create a Cr
interface vlan1
ip address dhcp
! To attach a Crypto Map to a VLAN Interface
!
crypto map AAP-CRYPTOMAP
!
sole
!
ip route 157.235.0.0/16 157.235.92.2
ip route 172.0.0.0/8 157.235.92.2
!
ntp server 10.10.10.
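The sample above configures three WLANs with the same eight-character passphrase entered in cleartext ("phrase 0 admin123"), one of them on TKIP and one on WEP. The following is an added example, not code from the Brocade guide: it parses the "wlan N ..." command style shown above, derives the WPA/WPA2 PSK exactly as IEEE 802.11i does (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) and flags the settings a review should reject. SAMPLE_CONFIG restates the WLAN lines from the sample; the "encryption-type wep128" line for wlan 3, the WORDLIST, the 12-character policy minimum and the reading of the leading 0 as "cleartext phrase" are assumptions made to complete the example.

```python
"""Audit WLAN settings in an RFS7000-GR style configuration and derive WPA PSKs."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# WLAN lines from the sample config above; wlan 3's cipher is assumed (truncated on the page).
SAMPLE_CONFIG = """\
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 vlan 200
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 admin123
wlan 2 enable
wlan 2 ssid qs5-tkip
wlan 2 vlan 210
wlan 2 encryption-type tkip
wlan 2 dot11i phrase 0 admin123
wlan 3 enable
wlan 3 ssid qs5-wep128
wlan 3 vlan 220
wlan 3 encryption-type wep128
"""

# Ciphers that should no longer be offered, with the reason to report.
DEPRECATED = {
    "tkip": "TKIP is deprecated (802.11-2012); use CCMP only",
    "wep64": "WEP is broken; keys are recoverable from captured traffic",
    "wep128": "WEP is broken; keys are recoverable from captured traffic",
}
WORDLIST = ["password", "12345678", "admin123", "brocade1"]  # constructed stand-in
WLAN_RE = re.compile(r"^\s*wlan\s+(\d+)\s+(\S.*)$")


def derive_psk(ssid: str, passphrase: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def crack_psk(ssid: str, target_psk: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: in the field the PSK is confirmed via the MIC of a
    captured 4-way handshake; comparing PSKs directly keeps this self-contained.
    The cost per guess is the same 4096 HMAC rounds either way."""
    for candidate in candidates:
        if derive_psk(ssid, candidate) == target_psk:
            return candidate
    return None


def parse_wlans(config: str) -> Dict[int, Dict[str, str]]:
    """Collect ssid, cipher and passphrase settings per WLAN index."""
    wlans: Dict[int, Dict[str, str]] = {}
    for line in config.splitlines():
        m = WLAN_RE.match(line)
        if not m:
            continue
        idx, words = int(m.group(1)), m.group(2).split()
        w = wlans.setdefault(idx, {})
        if words[0] == "ssid" and len(words) > 1:
            w["ssid"] = words[1]
        elif words[0] == "encryption-type" and len(words) > 1:
            w["cipher"] = words[1].lower()
        elif words[:2] == ["dot11i", "phrase"] and len(words) >= 4:
            # "phrase 0 <text>": assumed to mean the phrase is stored in cleartext.
            w["phrase_mode"], w["phrase"] = words[2], " ".join(words[3:])
    return wlans


def audit(config: str, wordlist: Iterable[str] = WORDLIST) -> List[Tuple[int, str]]:
    """Return (wlan index, finding) pairs for settings a review should reject."""
    words = {w.lower() for w in wordlist}
    findings: List[Tuple[int, str]] = []
    for idx, w in sorted(parse_wlans(config).items()):
        if w.get("cipher") in DEPRECATED:
            findings.append((idx, DEPRECATED[w["cipher"]]))
        phrase = w.get("phrase")
        if phrase is None:
            continue
        if w.get("phrase_mode") == "0":
            findings.append((idx, "passphrase stored in cleartext (phrase 0)"))
        if len(phrase) < 12:  # assumed local policy; 802.11i itself only requires 8
            findings.append((idx, "passphrase shorter than 12 characters"))
        if phrase.lower() in words:
            findings.append((idx, "passphrase appears in the wordlist"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_CONFIG):
        print(f"wlan {idx}: {msg}")
    captured = derive_psk("qs5-ccmp", "admin123")  # what a handshake capture lets you test against
    print("recovered passphrase:", crack_psk("qs5-ccmp", captured, WORDLIST))
```

derive_psk() reproduces the IEEE 802.11i Annex test vector (SSID "IEEE", passphrase "password"), so it can be checked before trusting the audit; note that "admin123" on wlan 1 falls to the four-word list above, and that a CCMP WLAN with a guessable PSK is no better than the TKIP one next to it.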
Appendix B Troubleshooting

In this chapter

This appendix provides basic troubleshooting information and workarounds for known conditions the user may encounter. Wherever possible, it includes suggestions or solutions to resolve the issues. It is divided into the following sections:
• General troubleshooting
• Troubleshooting SNMP issues
• Security issues

General troubleshooting

This section describes common system issues and what to look for while diagnosing the cause of a problem.
The table below provides suggestions to troubleshoot this issue.

Possible Problem / Suggestions to Correct
- Switch has no power: • Verify power cables, fuses and UPS power. The front panel LEDs light up when power is applied to the switch. • Have a qualified electrician check the power source to which the switch is connected.
- All else...: Contact Brocade Support.
Web UI is sluggish, does not refresh properly, or does not respond

When configuring the switch, it is easy to overlook the fact that the host computer is running the browser while the Brocade Mobility RFS7000-GR Controller is only providing the data to the browser. Occasionally, while using the Web UI, the switch does not respond or appears to be running very slowly; this can be a symptom of the host computer or the network, and not of the switch itself.
Possible Problem / Suggestions to Correct
- Settings in the terminal emulation program are incorrectly set: Check the serial port settings in the serial terminal emulation program being used. The correct settings are: Terminal Type VT-100; Port: any COM port; Terminal Settings: 19200 bps transfer rate, 8 data bits, no parity, 1 stop bit, no flow control.
- All else...: Contact Brocade Support.
Access ports are not responding

Access Ports are not responding. The table below provides suggestions to troubleshoot this issue.

Possible Problem / Suggestions to Correct
- Access Port not responding after converting to a Detector AP: When converting a Brocade Mobility 7131N-FGR Access Point to an Intrusion Detection Sensor, the conversion requires approximately 60 seconds.
- All else...: Contact Brocade Support.
MUs cannot associate and/or authenticate with access ports

MUs cannot associate and/or authenticate with Access Ports. The table below provides suggestions to troubleshoot this issue.

Possible Problem / Suggestions to Correct
- Preamble differences: Verify that the preamble type matches between the switch and the MUs. Try a different setting.
- Device key issues: Verify in the syslog that there is not a high rate of decryption error messages; a high rate could indicate that a device key is incorrect.
The table below provides suggestions to troubleshoot this issue.

Possible Problem / Suggestions to Correct
- Fragmentation: • Do not allow VoIP traffic when operating on a flat network (no routers or smart switches). • Move to a trunked Ethernet port. • Move to a different configuration.
- All else...: Contact Brocade Support.

Excessive memory leak

Excessive memory leak. The table below provides suggestions to troubleshoot this issue.
Troubleshooting SNMP issues

Not able to SNMP WALK for a GET
• Check whether the MIB browser has IP connectivity to the SNMP agent on the switch. Use IP ping from the client system that has the MIB browser.
• Check that the community string is the same on the agent side and on the manager (MIB browser) side. The community name is case sensitive. Note that with SNMPv1/v2c the community string is the only authentication and travels in cleartext, so the defaults (public, private) should be replaced before the switch is exposed to anything beyond a dedicated management network.

MIB not visible in the MIB browser
The filename.mib file should first be compiled using a MIB compiler, which creates a smidb file.
Security issues

To access the Brocade Mobility RFS7000-GR Controller using password recovery:

CAUTION Using this recovery procedure erases the switch's current configuration and data files from the switch's /flash directory. Only the switch's license keys are retained. You should then be able to log in using the default username and password (admin/admin123) and restore the switch's previous configuration (only if it was exported to a secure location before the password recovery procedure was invoked). Because recovery resets the credentials to these published defaults, change the admin password immediately after logging in.
1.
RADIUS Server does not start upon enable
Ensure the following have been attempted:
• Import valid server and CA certificates.
• Add a RADIUS client in the AAA context.
• Ensure that the key password in the AAA/EAP context is set to the key used to generate the imported certificates.
• DO NOT forget to SAVE!

RADIUS Server does not reply to my requests
Ensure the following have been attempted:
• Add a RADIUS client in the RADIUS server configuration with the switch's VLAN interface, IP address and subnet, wh
Authentication using LDAP fails
Ensure the following have been attempted:
• Is the LDAP server reachable?
• Have all LDAP attributes been configured properly?
• Dbtype must be set to LDAP in the AAA configuration.
• Save the current configuration.

VPN Authentication using the onboard RADIUS server fails
Ensure the following have been attempted:
• Ensure that the VPN user is present in AAA users.
• This VPN user MUST NOT be added to any group.
Rogue AP detection troubleshooting

• Enable the rogueap detection global flag.
• After enabling rogueap and any one of the detection mechanisms, look in the roguelist context for detected APs. If no entries are found, do the following:
• Check the global rogueap flag by doing a show in the rogueap context. It should display the Rogue AP status as "enable" and should also show the status of the configured detection scheme.
• Check for the "Brocade AP" flag in the rulelist context.
Troubleshooting Firewall configuration issues

Disabling of telnet, ftp and web traffic from hosts on the untrusted side does not work.
1. Check the configuration for the desired LAN under the FW context (which is under the configure context). CLI: configure fw
2. Check whether ftp, telnet and web are in the denied list. In this case, web is https traffic and not http.
3. Ensure that the "network policy" and "Ethernet port" set for the LAN are correct.
Appendix C How To Tutorials

In this chapter

This appendix provides How To style tutorials for many of the more important features supported by the switch:
• Wireless IDS

Wireless IDS

Threats to WLANs are numerous and potentially devastating to business and day-to-day operations. Security issues ranging from unauthorized access points (APs) to 802.11 attacks can plague a WLAN and jeopardize sensitive information as well as performance.
Unauthorized Access Point Detection

Unauthorized AP detection is a feature directly integrated into the RF switch. When enabled, it allows the switch to monitor the RF environment for unauthorized APs. Unauthorized APs can be reported to the RF switch by managed radios configured to perform scanning, or by Brocade Mobile Units (MUs) that detect and report visible APs while roaming.
Unauthorized AP containment can be performed by adding APs from the unauthorized AP list to a containment list. Once added, the Brocade Mobility RFS7000-GR Controller coordinates mitigation using Brocade Mobility 7131N-FGR Access Points, which send broadcast 802.11 de-authentication frames to each MU while spoofing the unauthorized AP's MAC address. Because containment disrupts every client of the targeted MAC address, make sure the list never includes a neighboring organization's legitimate AP.
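The detection and containment flow described above, as an added example that is not Brocade code: scan reports arrive from managed radios and from MUs, each report is checked against the approved BSSID list and a rule list (approve by SSID or by vendor OUI, the analogue of the "Brocade AP" rule in the rulelist context), unapproved BSSIDs are aggregated with who saw them, and only an unapproved BSSID may be placed on the containment list. All MAC addresses, SSIDs and reports are constructed; the OUI 00-15-70 is taken from the radio MACs in the sample config later in this appendix.

```python
"""Unauthorized AP classification with a guarded containment list."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ScanReport:
    bssid: str      # MAC address the beacon was sent from
    ssid: str
    channel: int
    reporter: str   # "radioN" for a managed radio, "mu:<mac>" for MU-assisted scanning


def norm_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return AA-BB-CC-DD-EE-FF."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class ApDetection:
    def __init__(self, approved_bssids: Iterable[str],
                 approved_ssids: Iterable[str] = (), approved_ouis: Iterable[str] = ()):
        self.approved: Set[str] = {norm_mac(m) for m in approved_bssids}
        self.approved_ssids = set(approved_ssids)
        # Store OUIs in the same AA-BB-CC form as the first 8 chars of norm_mac().
        self.approved_ouis = {norm_mac(o + "000000")[:8] for o in approved_ouis}
        self.containment: Set[str] = set()

    def classify(self, r: ScanReport) -> str:
        bssid = norm_mac(r.bssid)
        if bssid in self.approved:
            return "approved"
        # Rule-based approval. SSID and OUI are both trivially spoofed, so rules
        # should only widen the explicit list for gear you actually manage.
        if r.ssid in self.approved_ssids or bssid[:8] in self.approved_ouis:
            return "approved-by-rule"
        return "unapproved"

    def unapproved(self, reports: Iterable[ScanReport]) -> Dict[str, Dict]:
        """Aggregate unapproved BSSIDs with the channels and reporters that saw them."""
        seen: Dict[str, Dict] = {}
        for r in reports:
            if self.classify(r) != "unapproved":
                continue
            entry = seen.setdefault(norm_mac(r.bssid),
                                    {"ssid": r.ssid, "channels": set(), "reporters": set()})
            entry["channels"].add(r.channel)
            entry["reporters"].add(r.reporter)
        return seen

    def contain(self, bssid: str) -> None:
        """Add a BSSID to the containment list, refusing anything we approve of.

        Containment sends spoofed broadcast de-authentication frames, so an
        approved or neighbouring AP placed here has its clients knocked off the air.
        """
        b = norm_mac(bssid)
        if b in self.approved or b[:8] in self.approved_ouis:
            raise ValueError(f"{b} is an approved AP; refusing to contain it")
        self.containment.add(b)


def build_detector() -> ApDetection:
    """Detector with one explicitly approved AP and the managed-vendor OUI rule (constructed)."""
    return ApDetection(approved_bssids=["00-15-70-D5-DA-CE"], approved_ouis=["00-15-70"])


SAMPLE_REPORTS: List[ScanReport] = [  # constructed scan reports
    ScanReport("00-15-70-D5-DA-CE", "eselab", 1, "radio1"),          # our own AP
    ScanReport("00-15-70-11-22-33", "eselab", 6, "radio5"),          # managed vendor, not yet listed
    ScanReport("00-1A-2B-3C-4D-5E", "FreeWifi", 11, "radio5"),       # unknown AP seen by a detector radio
    ScanReport("00:1a:2b:3c:4d:5e", "FreeWifi", 11, "mu:00-23-45-67-89-AB"),  # same AP, MU-reported
    ScanReport("DE-AD-BE-EF-00-01", "eselab", 1, "radio1"),          # evil twin using our SSID
]

if __name__ == "__main__":
    det = build_detector()
    for bssid, info in det.unapproved(SAMPLE_REPORTS).items():
        print(bssid, info["ssid"], sorted(info["channels"]), sorted(info["reporters"]))
```

The evil twin in the last report is the case an SSID-based rule would silently approve; keeping the rule OUI-based and the containment list explicit is what stops an attacker's AP from being whitelisted by copying the corporate SSID.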
Wireless Intrusion Detection Violations
• Excessive Probes
• TKIP Countermeasures
• Excessive EAP Start Frames
• Frames with Non-Changing WEP IV
• Null Destination
• Detect Adhoc Networks
• Same Source / Destination MAC
• De-Authentication from Broadcast Source MAC
• Source Multicast MAC
• Invalid Sequence Number

As shown in the table above, the RF Switch can detect numerous violations, each with a configurable threshold for monitoring the specific violation on an MU, radio and switch basis.
• Multiple Detection Technologies - Provides accurate and comprehensive detection by applying multiple detection technologies, including signature analysis, protocol abuse and anomalous behavior, in conjunction with correlation across multiple sensors.
• Location Based Security - Provides the location of unauthorized devices and activities using the Brocade WLAN infrastructure.
Configuring a Wireless IDS Deployment

Components

The information in this document is based on the following Brocade hardware and software versions:
1 x Brocade Mobility RFS7000-GR Controller
5 x Brocade Mobility 7131N-FGR Access Points

Unauthorized AP Detection

As shown in the figure below, a switch is deployed at a site with four Brocade Mobility 7131N-FGR Access Points. The administrator wants to enable unauthorized AP detection to be proactively alerted when any APs are added to or removed from the site.
4. Within the Network > Access Port Radio > Configuration screen, refer to the Properties field and check the option Single-channel scan for Unapproved APs (for radios 1-4 and 7-8) and Dedicate this AP as a Detector AP (for radios 5-6). In this example radios 1-4 and 7-8 are configured for single-channel scanning and radios 5-6 are configured as dedicated detectors.
5. From the switch menu tree select Security > Access Point Detection.
6.
7. Select the Enable checkbox to globally enable unauthorized AP detection on the switch. Click Apply.
NOTE If Brocade devices are being deployed, you can optionally enable MU Assisted Scanning, which leverages Brocade client extensions on Brocade devices to provide additional detection.
8. From the switch menu tree select Security > Access Point Detection.
9. Select the Unapproved APs (AP Reported) tab. Detected APs are listed in this table.
10. Select Save (from the lower left-hand corner) to apply the changes.

Unauthorized AP Containment

Unauthorized AP containment can be enabled on the RF Switch to provide temporary remediation if an unauthorized AP is placed at the site. Once enabled, the RF Switch provides RF countermeasures against any unauthorized AP MAC addresses added to the containment list.
3. Select the Enable Containment checkbox. Select Apply.
4. Select the Unapproved APs (AP Reported) tab.
NOTE Care should be taken when using unauthorized AP containment to ensure containment is not being performed on authorized neighboring APs.
5. To contain an unauthorized AP, select an entry from the Unapproved APs list and click Contain. This adds the MAC address of the unauthorized AP to the AP Containment list.
6. Select the AP Containment tab. The unauthorized AP is listed in the containment list. You can manually add additional unauthorized AP MAC addresses to the containment list or remove unauthorized APs as needed.
7. Select Save (from the lower left-hand corner) to apply the changes.

Mobile Unit Intrusion Detection

Mobile unit (MU) intrusion detection can be enabled on the RF Switch to provide proactive protection against active intrusion attempts.
Switch Applet Configuration

The following configuration example demonstrates how to enable mobile unit intrusion detection for excessive authentication failures using the Web UI:
1. From the switch menu tree select Security > Mobile Unit Intrusion Detection.
2. Select the Configuration tab.
3. In the Detection Window field, specify the detection window interval (in seconds) the RF Switch uses to scan for violations. In this example, a 60 second detection window is defined. Click Apply.
4. Within the Violation Parameters table, locate Excessive Authentication failure, then enter a threshold value in the Mobile Unit, Radio and Switch fields.
5.
Any MUs violating an event are listed in the table.
7. Select Save (from the lower left-hand corner) to apply the changes.

SNMP Traps

To alert users of unauthorized APs and intrusion events, an RFMS server should be defined on the RF Switch as an SNMP trap receiver, and the unauthorized AP detection and intrusion detection traps should be enabled.
3. Go to Management Access > SNMP Traps.
4. Enter the IP address of the RFMS server.
5. Under Protocol Options, select the SNMP version. Click OK. Prefer SNMPv3 if the RFMS server supports it; SNMPv1/v2c traps carry the community string in cleartext.
6. From the menu tree select Management Access > SNMP Trap Configuration.
7. Select the Configuration tab.
8. In the All Traps tree, locate Wireless > AP Detection, then select the Unapproved AP detected and Unapproved AP removed traps. Select Enable Trap.
9. Click Apply.
10. From the menu tree select Management Access > SNMP Trap Configuration.
11. Select the Configuration tab.
12. In the All Traps tree, locate Wireless > Intrusion Detection, then select the Excessive violation from mobile unit, Excessive violation from radio and Excessive violation from switch traps.
13. Click Apply.
14. From within the Configuration tab, select the Allow Traps to be generated option, then click Apply.
15. Select Save (from the lower left-hand corner) to apply the changes. SNMP traps for unauthorized APs and MU intrusion detection violations are now forwarded to RFMS.
management secure
ip domain-name eselab.com
ip name-server 192.168.10.5
no bridge multiple-spanning-tree enable bridge-forward
country-code us
logging buffered 7
logging console 4
logging host 192.168.10.5
snmp-server community public ro
snmp-server community private rw
snmp-server engineid netsnmp 6b8b456748daa1a5
snmp-server location Johnson City TN
snmp-server contact kevin.marshall@Brocade.

wlan 2 authentication-type hotspot
wlan 2 hotspot webpage-location advanced
wlan 2 RADIUS server primary 192.168.10.14
wlan 2 RADIUS server primary RADIUS-key 0 ESELAB
wlan 2 RADIUS accounting server primary 192.168.10.

radio 7 bss 1 1
radio 7 channel-power indoor 48 17
radio 7 on-channel-scan
radio add 8 00-15-70-D5-DA-CE 11bg ap7131N-FGR
radio 8 description 7131N-FGR-4-BG
radio 8 bss 1 1
radio 8 bss 2 2
radio 8 bss 3 3
radio 8 channel-power indoor 1 4
radio 8 on-channel-scan
radio 8 short-preamble
no ap-ip default-ap switch-ip
ap-detection enable
ids detect-window 60
ids ex-ops authentication-fails threshold mu 10
ids ex-ops authentication-fails threshold radio 10
ids ex-ops auth

switchport access vlan 10
!
interface ge8
switchport access vlan 10
!
interface me1
no ip address
!
interface up1
description Uplink
switchport mode trunk
switchport trunk native vlan 10
switchport trunk native tagged
switchport trunk allowed vlan none
switchport trunk allowed vlan add 10,12,40,70,80,
!
interface vlan1
no ip address
shutdown
!
interface vlan10
management
description SERVICES
ip address 192.168.10.
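The "ids detect-window 60" and "ids ex-ops authentication-fails threshold mu 10" / "threshold radio 10" lines in the sample config above, together with the Mobile Unit, Radio and Switch fields in the Web UI steps, describe a sliding-window counter. The following is an added example, not Brocade code, that reproduces that logic: every failure is counted against the MU, the radio it arrived on and the switch as a whole; each counter is evaluated over a trailing window of detect-window seconds; a violation is raised when a counter reaches its threshold and is re-armed only after the count drops below the threshold again, so a client hammering a radio produces one event rather than one per attempt. The event format, MAC addresses and sample events are constructed for the example.

```python
"""Sliding-window detector for the "excessive authentication failure" violation."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthFailure:
    ts: float    # seconds; monotonic or epoch, only differences matter
    mu: str      # client MAC
    radio: int   # radio index the MU failed to authenticate on


@dataclass(frozen=True)
class Violation:
    scope: str   # "mu", "radio" or "switch"
    key: str     # MU MAC, radio index, or "switch"
    count: int   # failures inside the window when the violation fired
    ts: float


class ExcessiveAuthFailureDetector:
    def __init__(self, detect_window: float = 60.0,
                 thresholds: Optional[Dict[str, int]] = None):
        self.window = detect_window
        self.thresholds = thresholds or {"mu": 10, "radio": 10, "switch": 10}
        self._events: Dict[Tuple[str, str], Deque[float]] = {}
        self._active: Set[Tuple[str, str]] = set()   # counters currently at/above threshold

    def _windowed_count(self, scope: str, key: str, ts: float) -> int:
        """Record one failure and return how many fall in (ts - window, ts]."""
        dq = self._events.setdefault((scope, key), deque())
        dq.append(ts)
        cutoff = ts - self.window
        while dq and dq[0] <= cutoff:
            dq.popleft()
        return len(dq)

    def observe(self, ev: AuthFailure) -> List[Violation]:
        """Count one failure against all three scopes; return any violations it triggers."""
        fired: List[Violation] = []
        for scope, key in (("mu", ev.mu.upper()), ("radio", str(ev.radio)), ("switch", "switch")):
            n = self._windowed_count(scope, key, ev.ts)
            if n >= self.thresholds[scope]:
                if (scope, key) not in self._active:   # fire once per excursion
                    self._active.add((scope, key))
                    fired.append(Violation(scope, key, n, ev.ts))
            else:
                self._active.discard((scope, key))      # re-arm once the count falls back
        return fired

    def run(self, events: Iterable[AuthFailure]) -> List[Violation]:
        """Feed events in time order and collect every violation raised."""
        out: List[Violation] = []
        for ev in sorted(events, key=lambda e: e.ts):
            out.extend(self.observe(ev))
        return out


def sample_events() -> List[AuthFailure]:
    """Constructed failures: one brute-forcer, one harmless retrier, one distributed probe."""
    ev: List[AuthFailure] = []
    # One client failing 12 times in 12 s on radio 1: trips mu, radio and switch at the 10th.
    ev += [AuthFailure(float(t), "00-23-45-67-89-AB", 1) for t in range(12)]
    # A second client failing 5 times 100 s later: below every threshold, window has emptied.
    ev += [AuthFailure(100.0 + t, "00-23-45-67-89-AC", 2) for t in range(5)]
    # Eight clients with two failures each on radio 3 at t=200..215: no single MU reaches
    # 10, but the radio and switch counters do, which is why the per-radio threshold exists.
    for i in range(8):
        mac = f"00-23-45-67-90-{i:02X}"
        ev += [AuthFailure(200.0 + 2 * i, mac, 3), AuthFailure(201.0 + 2 * i, mac, 3)]
    return ev


if __name__ == "__main__":
    for v in ExcessiveAuthFailureDetector().run(sample_events()):
        print(f"t={v.ts:6.1f}  excessive authentication failures: {v.scope}={v.key} ({v.count} in window)")
```

The third scenario is the one to tune for: a per-MU threshold alone misses a slow, distributed attack, while a radio- or switch-wide threshold set too low on a busy site fires on ordinary mistyped passwords. Ten failures spread over more than 60 seconds never trip the detector, which is the intended effect of the window.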