Best Practices Guide OmniVista 3600 Air Manager 8.2.
Copyright Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other trademarks used by affiliated companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Neither ALE Holding nor any of its affiliates assumes any responsibility for inaccuracies contained herein.
Contents Overview Understanding Alcatel-Lucent Topology Prerequisites for Integrating Alcatel-Lucent Infrastructure Configuring OV3600 for Global Alcatel-Lucent Infrastructure Disabling Rate Limiting in OV3600 Setup > General Entering Credentials in Device Setup > Communication Setting Up Recommended Timeout and Retries Setting Up Time Synchronization Manually Setting the Clock on a switch Enabling Support for Channel Utilization And Statistics OV3600 Setup switch Setup (Master And Local) Configuring an
Changing RAPIDS Based on switch Classification Appendix A CLI Commands Enable Channel Utilization Events Enable Stats With the AOS-W CLI Offload WMS Using the AOS-W CLI AOS-W CLI Pushing Configs from Master to Local switches Disable Debugging Utilizing the AOS-W CLI Restart WMS on Local switches Configure AOS-W CLI when not Offloading WMS Copy and Paste to Enable Proper Traps with the AOS-W CLI Appendix B OV3600 Data Acquisition Methods Appendix C WMS Offload Details
Chapter 1 Overview This document provides best practices for leveraging OmniVista 3600 Air Manager to monitor and manage your Alcatel-Lucent infrastructure, which provides a wealth of functionality such as firewall, VPN, remote AP, IDS, IPS, and ARM, as well as an abundance of statistical information. Follow the simple guidelines in this document to garner the full benefit of your Alcatel-Lucent infrastructure.
Chapter 2 Configuring OV3600 for Global Alcatel-Lucent Infrastructure This section explains how to configure OV3600 to globally manage your Alcatel-Lucent infrastructure.
3. Enter the SNMP Community String. Be sure to note the community string because it must match the SNMP trap community string, which is configured later in this document.
Figure 3: Credentials in Device Setup > Communication
4. Enter the required information for configuration and basic monitoring:
• Telnet/SSH user name
• Telnet/SSH password
• Enable mode password
5.
Setting Up Recommended Timeout and Retries
1. In the Device Setup > Communication page, locate the SNMP Setting section.
2. Change the SNMP Timeout setting to a value of either 3, 4, or 5. This is the number of seconds that OV3600 will wait for a response from a device after sending an SNMP request, so a smaller number is preferable.
3. Change the SNMP Retries value to 10.
2. In the Additional OV3600 Services section, set Enable AMON Data Collection to Yes, and set Prefer AMON vs SNMP Polling to Yes.
3. Click Save.
Figure 5: AMON Data Collection Setting in OV3600 Setup > General
switch Setup (Master And Local)
Enabling these commands on AOS-W versions prior to 6.0.1.0 can result in performance issues on the switch. If you are running previous firmware versions such as AOS-W 6.0.0.0, you should upgrade to AOS-W 6.0.1 (to obtain RF utilization metrics) or 6.
Chapter 3 Configuring an Alcatel-Lucent Group
It is prudent to establish one or more Alcatel-Lucent Groups within OV3600. During the discovery process you will move newly discovered switches into this group. This section contains the following topics:
• "Basic Monitoring Configuration" on page 11
• "Advanced Configuration" on page 12
Basic Monitoring Configuration
1. Navigate to Groups > List.
2. Select Add.
3.
Figure 6: SNMP Polling Periods section of Groups > Basic
5. Locate the Aruba/Alcatel-Lucent section of this page. See Figure 7.
6. Configure the proper SNMP Version for monitoring the Alcatel-Lucent infrastructure.
Figure 7: Group SNMP Version for Monitoring
7. Click Save and Apply when you are done.
Advanced Configuration
Refer to the OmniVista 3600 Air Manager 8.2.4 Controller Configuration Guide for detailed instructions.
Chapter 4 Discovering Alcatel-Lucent Infrastructure OV3600 utilizes the Alcatel-Lucent topology to efficiently discover downstream infrastructure. This section guides you through the process of discovering and managing your Alcatel-Lucent device infrastructure.
Figure 8: Alcatel-Lucent Credentials in Device Setup > Add
4. Enter the required fields for configuration and basic monitoring:
• Telnet/SSH user name
• Telnet/SSH password
• Enable password
5.
If you are using SNMPv3, and the switch's date/time is incorrect, the SNMP agent will not respond to SNMP requests from the OV3600 SNMP manager. This will result in the switch and all of its downstream access points showing as Down in OV3600. 6. Assign the switch to a Group and Folder. 7. Ensure that the Monitor Only option is selected. If you select Manage read/write, OV3600 will push the group setting configuration, and existing device configurations will be deleted/overwritten. 8. Select Add. 9.
Chapter 5 OV3600 and Alcatel-Lucent Integration Strategies
This section describes strategies for integrating OV3600 and Alcatel-Lucent devices and contains the following topics:
• "Integration Goals" on page 17
• "Example Use Cases" on page 18
• "Prerequisites for Integration" on page 19
• "Enable switch Statistics Using OV3600" on page 19
• "WMS Offload with OV3600" on page 20
• "Define OV3600 as a Trap Host Using the AOS-W CLI" on page 21
• "Understanding WMS Offload Impact on Alcatel-Lucent
• IDS Tracking does not require WMS Offload in an all-master or master/local environment.
• IDS Tracking does require enable stats in a master/local environment.
• WMS Offload will hide the Security Summary tab on the master switch’s web interface.
• WMS Offload encompasses enable stats; that is, enable stats is a subset of WMS Offload.
When to Define OV3600 as a Trap Host
• You want to track IDS events within the OV3600 UI.
• You are in the process of converting your older third-party WLAN devices to Alcatel-Lucent devices and want a unified IDS dashboard for all WLAN infrastructure.
• You want to relate Auth failures to a client device, AP, Group of APs, and switch. OV3600 provides this unique correlation capability.
See "Define OV3600 as a Trap Host Using the AOS-W CLI" on page 21.
Figure 10: Offload WMS Database field in Groups > Basic 6. Select Save and Apply. 7. Select Save. This will push a set of commands via SSH to all Alcatel-Lucent local switches. OV3600 must have read/write access to the switches in order to push these commands. This process will not reboot your switches. If you do not follow the above steps, local switches will not be configured to populate statistics. This decreases OV3600's capability to trend client signal information and to properly locate devices.
2. Select Save and Apply. This will push a set of commands via SSH to all Alcatel-Lucent master switches. If the switch does not have an SNMPv3 user that matches the OV3600 database, it will automatically create a new SNMPv3 user. OV3600 must have read/write access to the switches to push these commands.
3. Navigate to Groups > Basic and locate the Alcatel-Lucent section.
4. Set the Offload WMS Database field to Yes. This process will not reboot your switches.
See "AOS-W CLI" on page 37 for the full command that can be copied and pasted directly into the AOS-W CLI.
(switch-Name) (config) # write mem
Ensure that the source IP of the traps matches the IP that OV3600 uses to manage the switch (see Figure 11). Navigate to APs/Devices > Monitor to validate the IP address in the Device Info section.
Figure 11: Verify IP Address on APs/Devices > Monitor Page
Verify that there is an SNMPv2 community string that matches the SNMP Trap community string on the switch.
• IDS events data and reports appear on OV3600’s Reports > Generated > IDS Events page.
Figure 12: Security Summary on the Master switch
See "Rogue Device Classification" on page 32 for more information about security, IDS, WIPS, WIDS, classification, and RAPIDS.
Chapter 6 Alcatel-Lucent Specific Capabilities
This section discusses Alcatel-Lucent specific capabilities in OV3600 and contains the following topics:
• "Alcatel-Lucent Traps for RADIUS Auth and IDS Tracking" on page 25
• "Remote AP Monitoring" on page 26
• "ARM and Channel Utilization Information" on page 27
• "Viewing switch License Information" on page 32
• "Rogue Device Classification" on page 32
• "Rules-Based Controller Classification" on page 35
Alcatel-Lucent Traps for RADIUS Auth and
Figure 14: IDS Events in OV3600
Remote AP Monitoring
To monitor remote APs, follow these steps:
1. From the APs/Devices > List page, filter on the Remote Device column to find remote devices.
2. To view detailed information about the remote device, select the device name. The page illustrated in Figure 15 appears.
Figure 15: Remote AP Detail Page You can also see if there are users plugged into the wired interfaces in the Connected Clients list below the Clients and Usage graphs at the bottom of this page. This feature is only available when the remote APs are in split tunnel and tunnel modes. ARM and Channel Utilization Information ARM statistics and Channel utilization are very powerful tools for diagnosing capacity and other issues in your WLAN. 1.
Figure 16: ARM and Channel Utilization Graphs
See the OmniVista 3600 Air Manager 8.2 User Guide for more information about the data that displays in the Radio Statistics page for these devices.
VisualRF and Channel Utilization
1. Open a floor plan by navigating to the VisualRF > Floor Plans page.
2. Click the list link at the top of the Floor Plans page, and select a floor plan from the list.
3. Click the View tab.
4. Select the Overlays menu.
5. Select the Ch. Utilization overlay.
6.
Figure 17: Overlays
Figure 18: Channel Utilization in VisualRF (Interference/2.4 GHz)
Configuring Channel Utilization Triggers
1. Navigate to System > Triggers and select Add.
2. Select Channel Utilization from the Type drop-down menu, as shown in Figure 19.
Figure 19: Channel Utilization Trigger
3. Enter the duration evaluation period.
4. Click the Add New Trigger Condition button.
5. Create a trigger condition for Radio Type and select the frequency to evaluate.
6. Select total, receive, transmit, or interference trigger condition.
7. Set up any restrictions or notifications.
Figure 20: Channel Utilization alerts To view channel utilization alerts on the System > Alerts page: 1. Navigate to the System > Alerts page. 2. Sort the table using the Trigger Type column to display Channel Utilization alerts. Figure 21: Channel Utilization alerts on the System > Alerts page View Channel Utilization in RF Health Reports 1. Navigate to Reports > Generated. 2. Find and select an RF Health report. 3.
Figure 22: Channel Utilization in an RF Health Report (partial view) Viewing switch License Information Follow these steps to view your switch’s license information in OV3600: 1. Navigate to the APs/Devices > List page and select a switch. 2. Navigate to the APs/Devices > Monitor page for that switch. 3. In the Device Info table at the top of the page, select the Licenses link. A pop-up window appears listing all licenses.
Table 2: WIPS/WIDS to OV3600 switch Classification Matrix (Continued)
OV3600 switch Classification | AOS-W (WIPS/WIDS)
Valid | Valid
Suspected Valid | Suspected Valid
Suspected Neighbor | Interfering
Neighbor | Known Interfering
Suspected Rogue | Suspected Rogue
Rogue | Rogue
Contained Rogue | DOS
To check and reclassify rogue devices, follow these steps:
1. Navigate to the RAPIDS > Detail page for a rogue device (see Figure 24 below).
2.
device classification reflected in the switch's WebUI and in the OV3600 WebUI will probably not match, because the switch/APs do not reclassify rogue devices frequently. To update a group of devices' switch classification to match the AOS-W device classification, navigate to RAPIDS > List and use the Modify Devices checkbox combined with the multiple sorting and filtering features.
Rules-Based Controller Classification
This section contains the following topics:
• "Using RAPIDS Defaults for Controller Classification" on page 35
• "Changing RAPIDS Based on switch Classification" on page 35
Using RAPIDS Defaults for Controller Classification
1. Navigate to the RAPIDS > Rules page and select the pencil icon beside the rule that you want to change.
2. In the Classification drop-down list, select Use Controller Classification (see Figure 26 below).
3. Click Save.
Figure 27: Configure Rules for Classification
4. Click Add. A new Controller Classification field displays.
5. Select the desired switch classification to use as an evaluation in RAPIDS.
6. Click Save.
Appendix A CLI Commands
Enable Channel Utilization Events
Enabling these commands on AOS-W versions prior to 6.1 can result in performance issues on the switch. To enable channel utilization events utilizing the Alcatel-Lucent AOS-W CLI, use SSH to access a local or master switch’s command-line interface, enter enable mode, and issue the following commands:
(switch-Name) # configure terminal
Enter Configuration commands, one per line.
This command creates an SNMPv3 user on the switch with the authentication protocol configured to SHA and privacy protocol DES. The user and password must be at least eight characters because the Net-SNMP package in OV3600 adheres to this IETF recommendation. AOS-W automatically creates Auth and Privacy passwords from this single password. If mobility-manager is already using a preconfigured SNMPv3 user, ensure the privacy and authentication passwords are the same. Example: mobility-manager 10.2.32.
(switch-Name) # configure terminal
Enter Configuration commands, one per line.
wlsxNAdhocNetworkBridgeDetectedSta
wlsxNAdhocUsingValidSSID
wlsxNAPMasterStatusChange
wlsxNAuthServerReqTimedOut
wlsxNDisconnectStationAttack
wlsxNIpSpoofingDetected
wlsxNodeRateAnomalyAP
wlsxNodeRateAnomalySta
wlsxNSignatureMatch
wlsxNSignatureMatchAirjack
wlsxNSignatureMatchAsleap
wlsxNSignatureMatchDeauthBcast
wlsxNSignatureMatchDisassocBcast
wlsxNSignatureMatchNetstumbler
wlsxNSignatureMatchNullProbeResp
wlsxNSignatureMatchWellenreiter
wlsxNStaUnAssociatedFromUnsecureAP
wlsxNUserAuthenticationFailed
wls
You will need to issue the write mem command.
Appendix B OV3600 Data Acquisition Methods
The tables below describe the different methods through which OV3600 acquires data from Alcatel-Lucent devices on the network. The tables use the following symbols:
• ← Initiated by OV3600
• → Initiated by Controller, or Instant Virtual Controller
• ↑ Initiated by OV3600 to a separate device
Table 4: Data Flow between Controllers and OV3600 Data Type SNMP 802.
Table 4: Data Flow between Controllers and OV3600 (Continued) Data Type SNMP Traps SSH AMON NMAP FTP/TFTP DNS Notes When AMON is used for client monitoring, OV3600 uses this at startup time to get current user status. ↑ Firmware Images ← Images are sent to controller over FTP/TFTP. They can be transferred to OV3600 via HTTPS. → IDS Events ← → Lync/UCC/Voice ← Available in OV3600 8.0 and later.
Table 4: Data Flow between Controllers and OV3600 (Continued) Data Type SNMP SSH AMON ← Rogue Classification Rogue Clients Traps PAPI HTTPS ICMP NMAP FTP/TFTP DNS ← Notes If WMS Offload enabled, OmniVista 3600 Air Manager updates rogue classifications on a controller using PAPI; otherwise it's done with SNMP. ← → Syslog VisualRF Syslog ← → VisualRF's client data comes from OV3600, which gets its data from SNMP + AMON.
Appendix C WMS Offload Details WMS Offload instructs the master switch to stop correlating ARM, WIPS, and WIDS state information among its local switches because OV3600 will assume this responsibility. Figure 28 depicts how OV3600 communicates state information with local switches. Figure 28: ARM/WIPS/WIDS Classification Message Workflow State Correlation Process 1. AP-1-3-1 hears rogue device A. 2.
Using OV3600 as a Master Device State Manager
OV3600 offers the following benefits as a master device state manager:
• Ability to correlate state among multiple master switches. This will reduce delays in containing a rogue device or authorizing a valid device when devices roam across a large campus.
• Ability to correlate state of third party access points with ARM. This will ensure that Alcatel-Lucent infrastructure inter-operates more efficiently in a mixed infrastructure environment.
Appendix D Increasing Location Accuracy This appendix describes the impact that band steering can have on location accuracy. It also explains how RTLS can be used to increase location accuracy. Understand Band Steering's Impact on Location Band steering can negatively impact location accuracy when testing in a highly mobile environment. The biggest hurdles to overcome are scanning times in 5 GHz frequency.
Figure 30: Typical Tag Deployment
Prerequisites
You will need the following information to monitor and manage your Alcatel-Lucent infrastructure.
• Ensure that the OV3600 server is already monitoring Alcatel-Lucent infrastructure.
• Ensure that the WMS Offload process is complete.
• Ensure that the firewall configuration for port 5050 (default port) supports bidirectional UDP communication between the OV3600 server's IP address and each access point's IP address.
Enable RTLS on the switch
RTLS can only be enabled on the master switch, and it will automatically be propagated to all local switches. SSH into the master switch, enter enable mode, and issue the following commands:
(switch-Name) # configure terminal
Enter Configuration commands, one per line.
Troubleshooting RTLS
You can use either the WebUI or CLI to ensure the RTLS service is running on your OV3600 server.
Using the WebUI to See Status
1. In the OV3600 WebUI, navigate to the System > Status page.
2. Scroll down through the Services list to locate the RTLS service, as shown below.
Figure 32: RTLS System Status
Wi-Fi Tag Setup Guidelines
• Ensure that the tags can be heard by at least three access points from any given location. The recommended value is four APs.