HP Unified Wired-WLAN Products Web-Based Configuration Guide
HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/7500 20G Unified Wired-WLAN Module
Part number: 5998-4801
Software version: 3507P22 (HP 830 PoE+ Switch Series), 2607P22 (HP 850 Appliance), 2607P22 (HP 870 Appliance), 2507P22 (HP 11900/10500/7500 20G Module)
Document version: 6W101-20140418
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
About the Web-based configuration guide for HP unified wired-WLAN products
The Web-based configuration guide describes the Web functions of the HP 830 series PoE+ unified wired-WLAN switches, HP 850/870 unified wired-WLAN appliances, and HP 11900/10500/7500 20G unified wired-WLAN modules. The functions include quick start, Web login, wireless service configuration, security and authentication configuration, QoS configuration, and advanced settings.
HP 11900/10500/7500 20G module network scenario
As shown in Figure 2:
• The HP 11900/10500/7500 20G module is installed on a Layer 2 or Layer 3 switch.
• The switch is connected to APs directly or over an IP network.
• Clients access the network through the APs.
Figure 2 Network diagram
HP 830 switch/HP 870 appliance network scenario
NOTE: The network scenarios of HP 830 switches and HP 870 appliances are the same. This document uses the HP 830 switch network scenario.
Figure 3 Network diagram
Feature matrix
The HP 11900/10500/7500 20G module adopts the OAA architecture. It works as an OAP card on a switch and exchanges data, status, and control information with the switch through their internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces. The controller engine and switching engine of an HP 830 switch or HP 870 appliance also adopt the OAA architecture.
Table 1 Feature matrix
Device columns: (1) HP 11900/10500/7500 20G unified wired-WLAN module; (2) HP 830 24-port PoE+ unified wired-WLAN switch controller engine; (3) HP 830 8-port PoE+ unified wired-WLAN switch controller engine; (4) HP 850 Unified Wired-WLAN Appliance; (5) HP 870 unified wired-WLAN appliance controller engine.
• License management: Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
• AC backup: (1) Yes. (2) No. (3) No. (4) Yes. (5) Yes.
• 1+1 fast backup (Hello interval): (1) Yes. The hello interval is in the range of 30 to 2000 and defaults to 2000. (2) No. (3) No. (4) Yes.
Web overview
This chapter describes the Web interface, the functions available on the Web interface, the Web user levels you must have to perform a function, and the common icons and buttons on the Web pages.
Web interface
The Web interface consists of the navigation tree, title area, and body area.
Web user level
Web user levels, from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level.
• Visitor—Users can use the network diagnostic tools ping and Trace Route, but they can neither access the device data nor configure the device.
• Monitor—Users can only access the device data, but they cannot configure the device.
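The level ordering and the rule that a higher level holds every right of a lower one, applied to a handful of entries copied from the function table that follows, modelled as a least-privilege check. This is an added example, not code from the guide or from HP: the REQUIRED_LEVEL entries are a hand-copied subset of the table, and switch_to_management is a simplified model of the Switch To Management and Super Password functions, not the device's implementation.

```python
"""Least-privilege check for the Web user levels described in this guide.

Added example, not HP code. From the guide: the levels visitor < monitor <
configure < management, the rule that a higher level holds every right of a
lower one, and the (function, required level) pairs below, copied from the
function table. The enforcement logic and the super-password switch are this
example's own model of the behaviour, not the device's code.
"""
from __future__ import annotations

import hmac
from enum import IntEnum


class WebLevel(IntEnum):
    """Ordered so that comparison operators express the hierarchy."""
    VISITOR = 0
    MONITOR = 1
    CONFIGURE = 2
    MANAGEMENT = 3


# Minimum level per function, a subset hand-copied from the function table.
REQUIRED_LEVEL = {
    "Software Upgrade": WebLevel.MANAGEMENT,
    "Reboot": WebLevel.MANAGEMENT,
    "Diagnostic Information": WebLevel.MANAGEMENT,
    "Create Web/FTP/Telnet user": WebLevel.CONFIGURE,
    "Super Password": WebLevel.CONFIGURE,
    "Switch To Management": WebLevel.MONITOR,
    "Display gratuitous ARP configuration": WebLevel.MONITOR,
    "Configure gratuitous ARP": WebLevel.MANAGEMENT,
    "Display DHCP Snooping status": WebLevel.MONITOR,
    "Configure authorized IP": WebLevel.MANAGEMENT,
    "Display white list": WebLevel.MONITOR,
    "Apply QoS policy to port": WebLevel.CONFIGURE,
}


def parse_level(name: str) -> WebLevel:
    """Map a level name as shown in the Web interface to the enum."""
    try:
        return WebLevel[name.strip().upper()]
    except KeyError as exc:
        raise ValueError(f"unknown Web user level: {name!r}") from exc


def is_allowed(level: WebLevel, function: str) -> bool:
    """A user may run a function if their level is at or above the required one."""
    if function not in REQUIRED_LEVEL:
        # Functions missing from the table are denied, never silently permitted.
        return False
    return level >= REQUIRED_LEVEL[function]


def allowed_functions(level: WebLevel) -> list[str]:
    """Every table entry a user of this level may perform."""
    return sorted(f for f in REQUIRED_LEVEL if is_allowed(level, f))


def minimum_level_for(functions: list[str]) -> WebLevel:
    """Lowest level that can perform every listed function (least privilege)."""
    unknown = [f for f in functions if f not in REQUIRED_LEVEL]
    if unknown:
        raise ValueError(f"functions not in the table: {unknown}")
    return max((REQUIRED_LEVEL[f] for f in functions), default=WebLevel.VISITOR)


def excess_privilege(level: WebLevel, duties: list[str]) -> int:
    """Number of levels an account sits above what its duties need (0 = right-sized)."""
    return max(0, int(level) - int(minimum_level_for(duties)))


def switch_to_management(level: WebLevel, supplied: str, super_password: str) -> WebLevel:
    """Model of Switch To Management (assumption, not the device's code):
    a user at monitor level or above who presents the super password is
    raised to management; anyone else keeps the current level."""
    if not is_allowed(level, "Switch To Management"):
        return level
    if hmac.compare_digest(supplied.encode(), super_password.encode()):
        return WebLevel.MANAGEMENT
    return level
```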
Function menu, with the user level required for each function:
• Software Upgrade: Upload the file to be upgraded from the local host to upgrade the system software. User level: Management.
• Reboot: Reboot the device. User level: Management.
• Diagnostic Information: Generate a diagnostic information file, view the file, or save the file to the local host. User level: Management.
• Display the system date and time. User level: Configure.
• Manually set the system date and time. User level: Configure.
• Display configurations about system time zone and daylight saving time.
• Super Password: Configure the password for a lower-level user to switch from the current access level to the management level. User level: Configure.
• Create: Create a Web, FTP, or Telnet user. User level: Configure.
• Modify: Modify Web, FTP, or Telnet user information. User level: Configure.
• Remove: Remove a Web, FTP, or Telnet user. User level: Configure.
• Switch To Management: Switch the current user level to the management level. User level: Monitor.
• Display and refresh SNMP configuration and statistics information.
• Display configuration information of gratuitous ARP. User level: Monitor.
• Configure gratuitous ARP. User level: Management.
• Display the configuration information of ARP detection. User level: Monitor.
• Configure ARP detection. User level: Management.
• Display the configuration information of source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check.
• Configure the status of a DHCP service and advanced configuration information of DHCP relay, add or delete a DHCP group, and modify the status of the DHCP relay agent on an interface. User level: Configure.
• Display the status of the DHCP Snooping function and the trusted and untrusted attributes of a port, and view the DHCP Snooping user information. User level: Monitor.
• Configure the status of the DHCP Snooping function, and modify the trusted and untrusted attributes of a port.
Menu items in this part of the table: Static Address Translation; Internal Server; Application Layer Protocol Detection; AP Setup; AP; Auto AP; AP Group; Access Service; Forwarding Policy; Wireless Service; Mesh Service; Mesh Policy; Global Setup.
• Create, modify, or delete an address pool, and configure dynamic address translation. User level: Configure.
• Static Address Translation: Display information about static address mapping, and configure static address translation.
Menu items in this part of the table: Mesh Channel Optimize; Mesh Link Info; Mesh Link Test; Roam Group; Roam; Roam Client; Radio; Rate; Channel Scan; Operation Radio; Calibration Parameters; Radio Group; Antenna Switch; 802.11a Spectrum Analysis; 802.11bg.
• Display radio information and channel switch information in a mesh network. User level: Monitor.
• Configure mesh channel optimization. User level: Configure.
• Display mesh link status information. User level: Monitor.
• Monitor mesh link status and refresh mesh link status information.
• Display spectrum analysis status. User level: Monitor.
• Enable spectrum analysis. User level: Configure.
• Interfering Device: Display and refresh interfering device status. User level: Monitor.
• Channel Quality: Display and refresh channel quality status. User level: Monitor.
• Display the global 802.1X information and the 802.1X information of a port. User level: Monitor.
• Configure the global 802.1X features and the 802.1X features of a port.
Menu items in this part of the table: User Profile; Entity; Domain; Certificate Management; Certificate; CRL; AP Monitor; Rule List; Rogue Detection; Monitor Record; History Record; Security; WIDS Setup; WIDS History Record; Statistics; Filter; Blacklist.
• Add, modify, and remove guest users. User level: Management.
• Display user profile configuration information. User level: Monitor.
• Add, modify, remove, enable, and disable user profiles. User level: Configure.
• Display information about PKI entities.
• Clear the dynamic blacklist and static blacklist; enable the dynamic blacklist; add entries to the static blacklist. User level: Configure.
• Display the white list. User level: Monitor.
• Clear the white list and add entries to the white list. User level: Configure.
• Summary: Display the configurations of the authorized IP, the associated IPv4 ACL rule list, and the associated IPv6 ACL rule list. User level: Management.
• Setup: Configure the authorized IP. User level: Management.
• Display, add, modify, and remove user isolation configuration.
• Display radio statistics, including WMM status and detailed radio information. User level: Monitor.
• Display radio statistics, including WMM status and detailed radio information, and clear the radio statistics. User level: Configure.
• Display client statistics, including WMM status and detailed client information. User level: Monitor.
• Display client statistics, including WMM status and detailed client information, and clear the client statistics.
• Setup: Apply a QoS policy to a port. User level: Configure.
• Remove: Remove the QoS policy from the port. User level: Configure.
• Display the QoS policy applied to a WLAN-ESS port. User level: Monitor.
• Configure the QoS policy applied to a WLAN-ESS port. User level: Configure.
• Display the country/region code. User level: Monitor.
• Modify the country/region code. User level: Configure.
• Display the address of the backup AC. User level: Monitor.
• Configure the address of the backup AC. User level: Configure.
• Display the status of the AC.
Menu items in this part of the table: BAS AC; VLAN Pool; Multicast Optimization; Guest Access; Tunnel; High Reliability; Stateful Failover; Global Setting; DPD; Peer; IKE Security Proposal; Security Association; VPN Application; IPSec Security Proposal.
• Set band navigation parameters. User level: Configure.
• Display BAS AC settings. User level: Monitor.
• Configure an AC as BAS AC and set BAS AC parameters. User level: Configure.
• Display VLAN pool information, the number of online clients for each VLAN, and VLAN pool binding information.
• Create, modify, or delete an IPsec security policy. User level: Configure.
• Security Association: Display IPsec security association information. User level: Monitor.
• Delete an IPsec security association. User level: Configure.
• Packet Statistics: Display IPsec packet statistics. User level: Monitor.
• Clear IPsec packet statistics. User level: Configure.
Common items on the Web pages
Buttons and icons
Table 3 Commonly used buttons and icons
• Applies the configuration on the current page.
Page display
The Web interface can display contents by pages, as shown in Figure 5. You can set the number of entries displayed per page, view the first, previous, next, and last pages, or go to any page you want to check.
NOTE: A list can contain a maximum of 20000 entries if displayed in pages.
• Advanced search—As shown in Figure 5, click the Advanced Search link to open the advanced search page, as shown in Figure 7. Specify the search criteria, and click Apply to display the entries that match the criteria.
Figure 7 Advanced search
Take the ARP table shown in Figure 5 as an example. To search for the ARP entries whose MAC address begins with 000f and whose IP address is in the range 192.168.100.130 to 192.168.100.140, follow these steps:
1.
Figure 9 Advanced search function example (2)
Figure 10 Advanced search function example (3)
Sort function
The Web interface provides basic functions to display entries in a particular order. On a list page, click the blue heading of a column to sort the entries by that column. After you click, the heading is displayed with an arrow beside it, as shown in Figure 11.
Figure 11 Basic sorting function example (based on IP address in descending order)
Logging in to the Web interface
You can log in to the Web interface of the switching engine through HTTP.
Figure 12 Web-based network management environment
Restrictions and guidelines
To ensure a successful login, verify that your operating system and Web browser meet the requirements, and follow the guidelines in this section.
• If you are using a Mozilla Firefox browser, you must enable JavaScript (see "Enabling JavaScript in a Firefox browser").
Enabling security settings in a Microsoft Internet Explorer browser
1. Launch Internet Explorer, and select Tools > Internet Options from the main menu.
2. Select the Security tab, and select the content zone where the target Website resides, as shown in Figure 13.
Figure 13 Internet Explorer settings (1)
3. Click Custom Level.
4.
Figure 14 Internet Explorer settings (2)
5. Click OK to save your settings.
Enabling JavaScript in a Firefox browser
1. Launch the Firefox browser, and select Tools > Options.
2. In the Options dialog box, click the Content icon, and select Enable JavaScript.
Figure 15 Firefox browser settings
3. Click OK to save your settings.
Others
• Make sure the management PC and the device can reach each other.
• Do not use the Back, Next, or Refresh buttons provided by the browser. Using these buttons might cause Web page display problems.
• To ensure correct display of Web page contents after a software upgrade or downgrade, clear the browser cache before you log in.
• Up to 24 users can concurrently log in to the device through the Web interface.
Logging in to the Web interface
You can use the following default settings to log in to the Web interface through HTTP:
• Username—admin
• Password—admin
• IP address of VLAN-interface 1 of the device—192.168.0.100
To log in to the switching engine through HTTP:
1. Connect the GigabitEthernet interface of the device to a PC by using a crossover Ethernet cable. By default, all interfaces belong to VLAN 1.
Figure 17 Selecting a country/region code
Logging out of the Web interface
CAUTION: You cannot log out by directly closing the browser.
To log out of the Web interface:
1. Save the current configuration. Because the system does not save the current configuration automatically, HP recommends that you perform this step to avoid loss of configuration.
2. Click Logout in the upper-right corner of the Web interface, as shown in Figure 18.
Figure 18 Web-based configuration interface: (1) Navigation area, (2) Body area, (3) Title area
Quick Start
Quick Start wizard home page
From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard.
Figure 19 Home page of the Quick Start wizard
Basic configuration
1. On the home page of the Quick Start wizard, click Start. The basic configuration page appears.
Figure 20 Basic configuration page
2. Configure the parameters as described in Table 4.
Table 4 Configuration items
• System Name: Specify the name of the current device. By default, the system name of the device is HP.
• Country/Region Code: Select the code of the country in which you are located. This field defines the radio frequency characteristics, such as the power and the total number of channels for frame transmission.
Figure 21 Admin Configuration page
2. Configure the parameters as described in Table 5.
Table 5 Configuration items
• Password: Specify the password that user Admin uses to log in to the device, in cipher text.
• Confirm Password: Enter the password again to confirm it.
• Password Encryption: Select the password encryption method: Reversible or Irreversible.
IP configuration
1. On the Admin Configuration page, click Next. The IP Configuration page appears.
Figure 22 IP Configuration page
2. Configure the parameters as described in Table 6.
Table 6 Configuration items
• IP Address: Specify the IP address of VLAN-interface 1. This IP address is used for logging in to the device. The default is 192.168.0.100.
• Mask: Specify the IP address mask of VLAN-interface 1. By default, the mask is 24 bits long.
• Default Gateway: Specify the IP address of the default gateway that connects the device to the network.
Figure 23 Wireless configuration page
2. Configure the parameters as described in Table 7.
Table 7 Configuration items
• Primary Service Authentication type: Select the authentication type for the wireless service:
  • None—Performs no authentication.
  • User authentication (802.1X)—Performs 802.1X authentication.
  • Portal—Performs Portal authentication.
• Wireless Service: Specify the Service Set Identifier (SSID).
• Select this box to go to the 7/13: Encryption Configuration step.
Figure 24 RADIUS Configuration page
4. Configure the parameters as described in Table 8.
Table 8 Configuration items
• Service Type: Select the type of the RADIUS server:
  • extended—Specifies an extended RADIUS server, which is usually an IMC server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private RADIUS protocol.
  • standard—Specifies the standard RADIUS server.
Portal configuration
1. On the wireless configuration page, select Portal for the Primary Service Authentication Type field.
2. Click Next. The RADIUS Configuration page appears.
3. After you complete the RADIUS configuration, click Next. The Portal Configuration page appears.
Figure 25 Portal configuration page
4. Configure the parameters as described in Table 9.
Table 9 Configuration items
• Server-name: Specify the system name of the portal server.
• Specify the portal authentication method to be used:
  • Direct—Before authentication, a user manually configures an IP address or directly obtains a public IP address through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the network resources. The authentication process of direct authentication is simpler than that of re-DHCP authentication.
Table 10 Configuration items
• Provide Key Automatically: Specify whether to use WEP keys provided automatically or static WEP keys.
  • Enable—Use WEP keys provided automatically.
  • Disable—Use static WEP keys.
  By default, static WEP keys are used. After you select Enable, WEP104 is displayed for WEP.
  IMPORTANT: Automatically provided WEP keys must be used together with 802.1X authentication. Therefore, this option is available only after you select User authentication (802.1X).
Figure 27 AP Configuration page
3. Configure the parameters as described in Table 11.
Table 11 Configuration items
• AP Name: Enter the name of the AP.
• Model: Select the model of the AP.
• Serial ID: Specify the serial ID of the AP.
  • If the Auto box is not selected, you must manually enter a serial ID.
  • If the Auto box is selected, the AC automatically searches for the serial ID of the AP.
• Channel: Select the working channel. The channel list for the radio depends on the country/region code and radio mode, and it varies with device models. Auto specifies the automatic channel mode: the AC evaluates the quality of the channels in the wireless network and selects the best one as the working channel. After the channel is changed, the power list is refreshed.
• Select the transmission power.
Displaying information summary
Device information
You can view the following information on the Device Info menu:
• Device information
• System resource state
• Device interface information
• Recent system logs (five at most)
After logging in to the Web interface, you enter the Summary > Device Info page.
Figure 29 Device info page
Select the refresh mode from the Refresh Period list.
Field description
• Product Information: Display the product information.
• Device Location: Display the location of the device. To configure the device location information, select Device > SNMP > Setup. For more information, see "Configuring SNMP."
• Contact Information: Display the contact information for device maintenance. To configure the contact information, select Device > SNMP > Setup. For more information, see "Configuring SNMP."
• SerialNum: Display the serial number of the device.
Recent system logs
Table 15 Field description
• Time: Display the time when the system logs are generated.
• Level: Display the level of the system logs.
• Description: Display the contents of the system logs.
For more information about system logs, click More below the Recent System Operation Logs area to enter the Device > Syslog > Loglist page to view the logs. For more information, see "Managing logs."
Displaying WLAN service
1.
Table 16 Field description
• Service Template Number: Service template number.
• SSID: Service set identifier (SSID) for the ESS.
• Description: Description for the service template. If no description is configured, this field displays Not Configured.
• Binding Interface: Name of the interface bound with the service template.
• Service Template Type: Service template type.
• Authentication Method: Type of authentication used. A WLAN service of the clear type uses only open system authentication.
Figure 31 Displaying detailed information about the WLAN service (crypto type)
Table 17 Field description
• Service Template Number: Service template number.
• SSID: SSID for the ESS.
• Description: Description for the service template. If no description is configured, this field displays Not Configured.
• Binding Interface: Name of the interface bound with the service template.
• Service Template Type: Service template type.
• SSID-hide:
  • Disable—The SSID is advertised in beacon frames.
  • Enable—The SSID is not advertised in beacon frames.
• WEP Key Index: WEP key index used for encrypting or decrypting frames.
• WEP Key Mode: WEP key mode:
  • HEX—The WEP key is a hexadecimal number string.
  • ASCII—The WEP key is a character string.
• WEP Key: WEP key.
• Cipher Suite: Cipher suite: AES-CCMP, TKIP, WEP40, WEP104, or WEP128.
• TKIP Countermeasure Time(s): TKIP countermeasure time in seconds.
Displaying WLAN service statistics
Figure 32 Displaying WLAN service statistics
Displaying connection history information for the WLAN service
Figure 33 Displaying connection history information for the WLAN service
Displaying AP
Displaying WLAN service information for an AP
1. Select Summary > AP from the navigation tree.
2. Click the Wireless Service tab on the page.
3. Click the name of the specified AP to view the WLAN service information for the AP.
Figure 34 Displaying WLAN service information
Displaying AP connection history information
1. Select Summary > AP from the navigation tree.
2. Click the Connection History tab.
3. Click the name of the specified AP to view the connection history information for the AP.
Figure 35 Displaying AP connection history information
Displaying AP radio information
1. Select Summary > AP from the navigation tree.
2. Click the Radio tab.
3. Click the name of the specified AP to view the radio statistics for the AP.
Figure 36 Displaying AP radio information
The Noise Floor item in the table indicates the random electromagnetic interference present during wireless communication. In an environment with a high noise floor, you can improve the signal-to-noise ratio (SNR) by increasing the transmit power or reducing the noise floor. The Service Type item in the table has these options: None, Access, and Mesh. Resource Usage represents the resource utilization of a radio within a certain period.
Field description
• Total Frames: Total number of frames transmitted, including probe response frames and beacon frames. Total Frames = Unicast Frames + Broadcast/Multicast Frames + Others.
• Unicast Frames: Number of unicast frames (excluding probe response frames) transmitted.
• Broadcast/Multicast Frames: Number of broadcast or multicast frames (excluding beacon frames) transmitted.
• Others: Total number of other types of frames transmitted.
• Discard Frames: Number of frames discarded.
Figure 37 Displaying tunnel latency information Displaying AP detailed information 1. Select Summary > AP from the navigation tree. 2. Click the Detail tab on the page. 3. Click the name of the specified AP to view the detailed information about the AP.
Table 19 Field description Field Description APID Access point identifier. AP System Name Access point name. Map Configuration Configuration file mapped to the AP. Current state of the AP: • ImageDownload—The AP is downloading the version. If the ImageDownload state persists, check the following: 1) The version of the fit AP saved on the AC matches with the version that the AC requires; 2) The space of the flash is enough. • Idle—The AP is idle.
Field Description Transmitted data packets Number of transmitted data packets. Received data packets Number of received data packets. Configuration Failure Count Count of configuration request message failures. Last Failure Reason Last configuration request failure reason. Last reboot reason of the AP: Last Reboot Reason • Normal—The AP was powered off. • Crash—The AP crashed, and the information is needed for analysis.
Field Description Basic BSSID MAC address of the AP. Current BSS Count Number of BSSs connected with the AP. Running Clients Count Number of clients currently running. Wireless Mode Wireless mode: 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn. Client Dot11n-only • Enabled—Only 802.11n clients can be associated with the AP. • Disabled—802.11a/b/g/n clients can be associated with the AP. Channel Band-width Channel bandwidth: 20 MHz or 40 MHz. Secondary channel information for 802.
Field: Description
Configured Power(dBm): Transmission power on the radio:
• If one-time TPC (transmit power control) is adopted, the configured transmit power is displayed.
• If auto TPC is adopted, two values are displayed, with the first being the maximum power, and the second auto (number), where number in the brackets represents the actual power.
Interference (%): Interference observed on the operating channel, in percentage.
Channel Load (%): Load observed on the operating channel, in percentage.
Figure 39 Displaying AP connection records
Table 20 Field description
Field: Description
Status: Connection status:
• Discovery—The AC only receives discovery packets from the AP.
• Join—The AP fails to connect with the AC due to tunnel failure.
• Run—The AP has successfully connected with the AC, and the AP is running.
• Offline—The AP has successfully connected with the AC, but the AP is offline.
Field: Description
Add to Blacklist: Add the selected client to the static blacklist, which you can display by selecting Security > Filter from the navigation tree.
Reset Statistic: Clear statistics of the specified client.
Disconnect: Log off the selected client.
Displaying client detailed information
1. Select Summary > Client from the navigation tree.
2. Click the Detail Information tab on the page.
3. Click the name of the specified client to view the detailed information about the client.
Field: Description
User Name: Username of the client.
• The field is displayed as –NA– if the client adopts plain-text authentication or an authentication method that does not require a username.
• The field is irrelevant to the portal authentication method. If the client uses the portal authentication method, the field does not display the portal username of the client.
AP Name: Name of the AP.
Radio Id: Radio ID of the client.
Service Template Number: Service template number of the client.
Field: Description
Rx/Tx Rate: Represents the frame transmission/reception rate of the client, including data, management, and control frames. For the AC + fit AP mode, there is a delay because the Rx Rate is transmitted from the AP to the AC periodically, depending on the statistics interval.
Client Type: Client type: RSN, WPA, or Pre-RSN.
Authentication Method: Authentication method: open system or shared key.
AKM Method: AKM suite used: Dot1X or PSK.
Figure 42 Displaying client statistics
Table 23 Field description
Field: Description
AP Name: Name of the associated access point.
Radio Id: Radio ID.
SSID: SSID of the AP.
BSSID: BSSID of the AP.
MAC Address: MAC address of the client.
RSSI: Received signal strength indication. This value indicates the client signal strength detected by the AP.
Transmitted Frames: Number of transmitted frames.
Back Ground(Frames/Bytes): Statistics of background traffic, in frames or in bytes.
actually sent. You can collect statistics of priority queues carried in Dot11E or WMM packets. Otherwise, statistics collection of priority queues on the receive end might fail.
Displaying client roaming information
1. Select Summary > Client from the navigation tree.
2. Click the Roam Information tab on the page.
3. Click the name of the specified client to view the roaming information about the client.
2. Click the Link Test Information tab on the page.
3. Click the name of the specified client to view the link test information about the client.
Figure 44 Displaying link test information
Table 25 Field description
Field: Description
No./MCS:
• Rate number for a non-802.11n client.
• MCS value for an 802.11n client.
Rate(Mbps): Rate at which the radio interface sends wireless ping frames.
TxCnt: Number of wireless ping frames that the radio interface sent.
Figure 45 Displaying beacon measurement reports
Table 26 Field description
Field: Description
MAC Address: MAC address of the client.
Total Number of Reports: Number of beacon measurement reports.
Channel: Channel number.
BSSID: Basic service set identifier.
Regulatory Class: Regulatory class: 12 or 5. For more information, see the 802.11k protocols.
Antenna ID: Antenna identifier.
SSID: Service set identifier.
Managing licenses
Some features can be used only after you register them by using an enhanced license. A purchased license provides the serial number for registering the features and includes a description of the features.
Registering an enhanced license
IMPORTANT: After registering an enhanced license, you must reboot the device to validate the newly added features.
To register an enhanced license:
1. Select Device > License from the navigation tree.
2. Click the Enhanced License tab.
Displaying registered enhanced licenses
1. Select Device > License from the navigation tree.
2. Click the Enhanced License tab. The page in Figure 46 appears.
3. View the registered enhanced licenses at the lower part of the page.
Table 28 Field description
Field: Description
Feature Name: Name of the feature registered.
Activation key of the license.
Configuring basic device settings
The device basic information feature allows you to:
• Set the system name of the device. The configured system name is displayed at the top of the navigation bar.
• Set the idle timeout period for a logged-in user. The system logs an idle user off the Web interface for security purposes after the configured period.
Configuring system name
1. Select Device > Basic from the navigation tree. The page for configuring the system name appears.
3. Set the Web idle timeout for a logged-in user.
4. Click Apply.
Maintaining devices
Upgrading software
IMPORTANT: During a software upgrade, avoid performing any operation on the Web interface. Otherwise, the upgrade operation might be interrupted.
A boot file, also known as the system software or device software, is an application file used to boot the device. Software upgrade allows you to obtain a target application file from the local host and set the file as the boot file to be used at the next reboot.
Item: Description
File Type: Specify the type of the boot file for the next boot:
• Main—Boots the device.
• Backup—Boots the device when the main boot file is unavailable.
If a file with the same name already exists, overwrite it without any prompt: Specify whether to overwrite the file with the same name. If you do not select the option and a file with the same name already exists, the system prompts "The file has existed." and you cannot upgrade the software.
Reboot after the upgrade is finished.
If you do not select the box next to Check whether the current configuration is saved in the next startup configuration file, the system reboots the device automatically.
6. Log in to the Web interface again after the device reboots.
Generating the diagnostic information file
Each module has its own running information. Typically, you need to view the output information for each individual module.
NOTE:
• During the generation of the diagnostic file, do not perform any operation on the Web interface.
• To view this file after the diagnostic file is generated successfully, select Device > File Management, or download this file to the local host. For more information, see "Managing files."
Configuring the system time Configure a correct system time so that the device can work with other devices correctly. System time allows you to display and set the device system time, system time zone, and daylight saving time on the Web interface. You can set the system time using manual configuration or automatic synchronization of NTP server time. Changing the system clock on each device within a network is time-consuming and does not guarantee clock precision.
Configuring the system time
1. Select Device > System Time from the navigation tree. The page in Figure 53 appears.
2. Click the System Time Configuration calendar button. The calendar page appears.
Figure 54 Configuring the system time
3. Modify the system time either in the System Time Configuration field, or through the calendar page. You can perform the following operations on the calendar page:
a. Click Today to set the current date on the calendar to the current system date of the local host.
Figure 55 Configuring the network time
3. Configure system time parameters, as described in Table 30.
4. Click Apply.
Table 30 Configuration items
Item: Description
Clock status: Display the synchronization status of the system clock.
Set the IP address of the local clock source to 127.127.1.u, where u is in the range of 0 to 3, representing the NTP process ID.
Item: Description
Key 1 / Key 2: Set the NTP authentication keys. The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication. You can set two authentication keys, each of which is composed of a key ID and a key string.
• ID is the ID of a key.
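The following is an added example, not code from the HP guide or from the device software. It shows what the key ID and key string above are used for on the wire: in symmetric-key NTP authentication (RFC 5905), the sender appends a 4-byte key ID and an MD5 digest of the key string followed by the NTP header, and the receiver refuses time from any packet whose key ID is not configured or whose digest does not match. Key ID 24 and the string aNiceKey are the values the guide's own example uses; the key table, the packet contents and the MD5 choice (the guide does not name the digest algorithm) are assumptions of this example.

```python
# Added example (not from the HP guide): verifying the symmetric-key MAC that
# NTP appends to a packet, as RFC 5905 describes it: key ID (4 bytes) followed
# by MD5(key || NTP header). Key ID 24 / aNiceKey are the guide's example values;
# the key table, the packets and the digest algorithm are assumptions made here.
import hashlib
import hmac
import struct

KEY_TABLE = {24: b"aNiceKey"}     # constructed: key ID -> key string

NTP_HEADER_LEN = 48               # fixed NTP v4 header, no extension fields
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16


def build_header(stratum: int = 2, poll: int = 6, precision: int = -20,
                 tx_timestamp: int = 0) -> bytes:
    """Build a minimal 48-byte NTP v4 server header (LI=0, VN=4, mode=4).
    Only the fields the demo needs are filled in; the rest are zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    header = struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
    header += b"\x00" * 12          # root delay, root dispersion, reference ID
    header += b"\x00" * 24          # reference, origin and receive timestamps
    header += struct.pack("!Q", tx_timestamp)
    return header


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """MD5 over key || header, the digest symmetric-key NTP authentication uses."""
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int) -> bytes:
    """Append the key ID and the digest computed with that key."""
    return header + struct.pack("!I", key_id) + ntp_mac(KEY_TABLE[key_id], header)


def verify_packet(packet: bytes) -> bool:
    """Accept a packet only if its trailer names a configured key and the digest
    matches. A client must not take time from a peer that fails this check."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = KEY_TABLE.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(digest, ntp_mac(key, header))


def demo() -> dict:
    """Sign one constructed packet and show the three outcomes a receiver sees."""
    good = sign_packet(build_header(tx_timestamp=0xE0000000E0000000), 24)
    tampered = good[:1] + bytes([good[1] ^ 0xFF]) + good[2:]          # stratum altered
    unknown_key = (good[:NTP_HEADER_LEN] + struct.pack("!I", 99)
                   + good[NTP_HEADER_LEN + KEY_ID_LEN:])              # key ID 99 not configured
    return {"good": verify_packet(good),
            "tampered": verify_packet(tampered),
            "unknown_key": verify_packet(unknown_key)}


if __name__ == "__main__":
    print(demo())
```

The comparison uses a constant-time digest check, and an unknown key ID is rejected before any digest is computed, so the Reference Key ID entered in the Net Time page must name a key that exists with the same string on both the AC and the NTP server.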
Item: Description
Adjust clock for daylight saving time changes: Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 57. You can configure the daylight saving time changes in either of the following ways:
• Specify that the daylight saving time starts on a specific date and ends on a specific date.
2. Click the Net Time tab. The Net Time tab page appears.
Figure 59 Configuring the switch as the NTP server of the AC
3. Enter 24 for the ID of key 1, and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1 box and 24 in the Reference Key ID box.
4. Click Apply.
Verifying the configuration
After you complete the configuration, the current system time displayed on the System Time page is the same for the AC and the switch.
Managing logs
System logs contain a large amount of network and device information, including running status and configuration changes. System logs allow administrators to monitor network and device operation. With system logs, administrators can take corresponding actions against network and security problems.
The system sends system logs to the following destinations:
• Console.
• Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface.
2. View system logs.
Table 32 Field description
Field: Description
Time/Date: Display the time/date when system logs are generated.
Source: Display the module that generates system logs.
Level: Display the system information levels. The information is classified into eight levels depending on severity:
• Emergency—The system is unusable.
• Alert—Action must be taken immediately.
• Critical—Critical conditions.
• Error—Error conditions.
• Warning—Warning conditions.
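The eight severity levels above are the standard syslog severities, and a log host receiving these messages sees them encoded in the PRI field (facility * 8 + severity) at the start of each line. The block below is an added example, not code from the HP guide, showing how a collector recovers the level from PRI and separates Error-and-worse messages from the rest. The sample lines are constructed for the demo and are not real device output.

```python
# Added example (not from the HP guide): sorting syslog messages by the severity
# levels Table 32 lists, using the PRI field that precedes each RFC 3164-style
# message. The log lines below are constructed for the demo; the module names
# and texts are not real device output.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Severity 0..7 in syslog order, matching the eight levels in Table 32.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, message) for a line starting with <PRI>,
    where PRI = facility * 8 + severity. Return None for a malformed line so
    garbage is never silently filed as a low-severity message."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # facility 23 / severity 7 is the maximum
        return None
    return pri // 8, pri % 8, m.group(2)


def severity_name(severity: int) -> str:
    return SEVERITY_NAMES[severity]


def triage(lines: List[str], threshold: int = 3) -> Dict[str, list]:
    """Split lines into those at or above a severity threshold (numerically
    lower is more severe; 3 = Error) and lines that could not be parsed."""
    urgent, malformed = [], []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            malformed.append(line)
            continue
        _facility, severity, message = parsed
        if severity <= threshold:
            urgent.append((severity_name(severity), message.strip()))
    return {"urgent": urgent, "malformed": malformed}


def count_by_severity(lines: List[str]) -> Counter:
    """Histogram of severity names, useful for spotting a burst of Error/Alert."""
    counts = Counter()
    for line in lines:
        parsed = parse_pri(line)
        if parsed is not None:
            counts[severity_name(parsed[1])] += 1
    return counts


# Constructed sample: three messages from facility local7 (23) plus one bad line.
SAMPLE_LOGS = [
    "<190>Apr 18 10:21:03 AC shell: admin logged in from 10.1.1.5",             # 23*8+6 Informational
    "<187>Apr 18 10:21:40 AC ifnet: GigabitEthernet1/0/1 link status is DOWN",  # 23*8+3 Error
    "<185>Apr 18 10:22:01 AC dev: power supply 1 failure",                      # 23*8+1 Alert
    "line without a PRI header",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
    print(count_by_severity(SAMPLE_LOGS))
```

Malformed lines are reported separately rather than dropped: on a log host, a line that cannot be parsed deserves attention, because it may be a sign of a misconfigured sender or of tampering with the feed.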
Figure 61 Setting the loghost
3. Configure the log host, as described in Table 33.
4. Click Apply.
Table 33 Configuration items
Item: Description
IPv4/Domain, IPv6, Loghost IP/Domain: Set the IPv4 address, domain name, or IPv6 address of the log host. You can specify up to four log hosts.
Setting buffer capacity and refresh interval
1. Select Device > Syslog from the navigation tree.
2. Click the Log Setup tab. The syslog configuration page appears.
Figure 62 Syslog configuration page
3. Configure buffer capacity and refresh interval, as described in Table 34.
4. Click Apply.
Table 34 Configuration items
Item: Description
Buffer Capacity: Set the number of logs that can be stored in the log buffer of the Web interface.
Set the refresh period of the log information displayed on the Web interface.
Managing the configuration
Backing up the configuration
Configuration backup allows you to perform the following operations:
• Open and view the configuration file for the next startup.
• Back up the configuration file for the next startup to the host of the current user.
To back up the configuration:
1. Select Device > Configuration from the navigation tree. The page for backing up the configuration appears.
Figure 63 Backing up the configuration
2. Click the upper Backup button.
Figure 64 Restoring the configuration
3. Click the upper Browse button. The file upload dialog box appears. You can select the .cfg file to be uploaded.
4. Click Apply.
Saving the configuration
IMPORTANT:
• HP recommends that you do not perform any operation on the Web interface while the configuration is being saved.
• The system does not support saving the configuration of two or more consecutive users. The system prompts the users to try again if one user's configuration is being saved.
Initializing the configuration
This operation restores the system to factory defaults, deletes the current configuration file, and reboots the device.
To initialize the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Initialize tab. The initialize confirmation page appears.
Figure 66 Initializing the configuration
3. Click Restore Factory-Default Settings to restore the system to factory defaults.
Managing files
The device saves critical files, such as host, software and configuration files, into the storage device, and the system provides file management for users to manage those files. There are different types of storage media, such as flash and compact flash (CF). Different devices support different types of storage devices. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."
Displaying file list
1.
2. Select a file from the list. You can select one file at a time.
3. Click Download File. The File Download dialog box appears. You can select to open the file or to save the file to a specified path.
Uploading a file
IMPORTANT: HP recommends that you do not perform any operation on the Web interface during the upgrade procedure.
1. Select Device > File Management from the navigation tree. The page in Figure 67 appears.
2. Select the disk to save the file in the Upload File box.
3.
Managing interfaces Interface management overview An interface is the point of interaction for exchanging data between entities. There are two types of interfaces: physical and logical. A physical interface refers to an interface that physically exists as a hardware component, for example, Ethernet interfaces. A logical interface is an interface that can implement data switching but does not exist physically, and must be created manually, for example, VLAN interfaces.
Figure 68 Displaying interface information
2. Click an interface name in the Name column to display the statistics of that interface. The page for displaying interface statistics appears.
Figure 69 Displaying interface statistics
Creating an interface
1. Select Device > Interface from the navigation tree. The page in Figure 68 appears.
2. Click Add. The page for creating an interface appears.
Figure 70 Creating an interface
3. Configure the interface, as described in Table 35.
4. Click Apply.
Table 35 Configuration items
Item: Description
Interface Name: Set the type and number of a logical interface.
VID: If you are creating a Layer 3 Ethernet subinterface, set the VLANs associated with the subinterface. This parameter is available only for Layer 3 Ethernet subinterfaces.
Item: Description
TCP MSS: Set the maximum segment size (MSS) for IP packets on the interface. Support for this configuration item depends on the interface type.
All Layer 3 interfaces support MTU
Set the way for the interface to obtain an IP address, including:
• None—Select this option if you do not want to assign an IP address to the interface.
• Static Address—Select this option to manually assign an IP address and mask to the interface.
The page for modifying a Layer 2 interface appears.
Figure 71 Modifying a Layer 2 physical interface
3. Modify the information about the Layer 2 physical interface, as described in Table 36.
4. Click Apply.
Table 36 Configuration items
Item: Description
Port State: Enable or disable the interface. In some cases, modification to the interface parameters does not take effect immediately. You need to shut down and then bring up the interface to make the modification take effect.
Item: Description
Duplex: Set the duplex mode of the interface.
• Auto—Auto-negotiation.
• Full—Full duplex.
• Half—Half duplex.
Link Type: Set the link type of the current interface, which can be access, hybrid, or trunk. For more information, see Table 37.
IMPORTANT: To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to access.
Set the default VLAN ID of the hybrid or trunk port.
Item: Description
Max MAC Count: Set the maximum number of MAC addresses the interface can learn. Available options include:
• User Defined—Select this option to set the limit manually.
• No Limited—Select this option to set no limit.
Broadcast Suppression: Set broadcast suppression. You can suppress broadcast traffic by percentage or by PPS:
• ratio—Sets the maximum percentage of broadcast traffic to the total transmission capability of an Ethernet interface.
The page for modifying a Layer 3 interface appears.
Figure 72 Modifying a Layer 3 physical interface
3. Modify the information about the Layer 3 interface. The configuration items for modifying a Layer 3 interface are similar to those for creating an interface. Table 38 describes the configuration items that apply to modifying a Layer 3 interface.
4. Click Apply.
Table 38 Configuration items
Item: Description
Interface Type: Set the interface type, which can be Electrical port, Optical port, or None.
Item: Description
Interface Status: Display and set the interface status.
• Connected indicates that the current status of the interface is up and connected. You can click Disable to shut down the interface.
• Not connected indicates that the current status of the interface is up but not connected. You can click Disable to shut down the interface.
• Administratively Down indicates that the interface is shut down by the administrator. You can click Enable to bring up the interface.
Figure 74 Creating VLAN-interface 100
c. Select Vlan-interface from the Interface Name list, and enter the interface ID 100.
d. Select the Static Address option for IP Config, enter the IP address 10.1.1.2, and select 24 (255.255.255.0) from the Mask list.
e. Click Apply.
Configuring port mirroring
Port mirroring includes local port mirroring and remote port mirroring. Unless otherwise specified, port mirroring described in this chapter refers to local port mirroring. Support for port mirroring depends on the device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."
• POS
• CPOS
• Serial
• MP-group
Depending on the device model, you can configure the following types of ports as the monitor port:
• Layer 2 Ethernet
• Layer 3 Ethernet
• Tunnel
• To ensure normal operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
• On some types of devices, you can configure a member port in link aggregation as the monitor port.
• Other restrictions on the monitor port depend on the device model.
Figure 76 Adding a mirroring group
3. Configure the mirroring group, as described in Table 39.
4. Click Apply.
Table 39 Configuration items
Item: Description
Mirroring Group ID: ID of the mirroring group.
Type: Specify the type of the mirroring group. Local means adding a local mirroring group.
Configuring ports for a mirroring group
1. Select Device > Port Mirroring from the navigation tree.
2. Click Modify Port. The page for configuring ports for a mirroring group appears.
Figure 77 Configuring ports for a mirroring group
3. Configure port information for the mirroring group, as described in Table 40.
4. Click Apply. The progress bar appears.
5. Click Close when the progress bar prompts that the configuration is complete.
Table 40 Configuration items
Item: Description
Mirroring Group ID: ID of the mirroring group to be configured.
Port Type: Set the types of the ports to be configured:
• Monitor Port—Configures the monitor port for the mirroring group.
• Packets from the AP access the AC through GigabitEthernet 1/0/1.
• The server is connected to GigabitEthernet 1/0/2 of the AC.
Configure port mirroring to monitor the bidirectional traffic on GigabitEthernet 1/0/1 of the AC on the server. To meet the network requirements, perform the following tasks on the AC:
• Configure GigabitEthernet 1/0/1 of the AC as a mirroring port.
• Configure GigabitEthernet 1/0/2 of the AC as the monitor port.
Figure 78 Network diagram
Configuration procedure
1.
a. Click the Modify Port tab.
b. Select 1 – Local for Mirroring Group ID, Mirror Port for Port Type, both for Stream Orientation, and GigabitEthernet 1/0/1 from the interface name list.
c. Click Apply. The progress bar appears.
d. Click Close when the progress bar prompts that the configuration is complete.
Figure 80 Configuring a mirroring port
3. Configure the monitor port:
a. Click the Modify Port tab.
b.
Figure 81 Configuring the monitor port
Managing users
In the user management part, you can perform the following configuration:
• Create a local user, and set the password, access level, and service type for the user.
• Set the super password for switching the current Web user level to the management level.
• Switch the current Web user access level to the management level.
Creating a user
1. Select Device > Users from the navigation tree.
2. Click the Create tab. The page for creating local users appears.
Figure 82 Creating a user
3.
Item: Description
Access Level: Set the access level for a user. Users of different levels can perform different operations. The following Web user levels, from low to high, are available:
• Visitor—Users of this level can perform the ping and traceroute operations, but they cannot access the device data or configure the device.
• Monitor—Users of this level can only access the device data but cannot configure the device.
3. Set the super password, as described in Table 42.
4. Click Apply.
Table 42 Configuration items
Item: Description
Create/Remove: Set the operation type:
• Create—Configure or modify the super password.
• Remove—Remove the current super password.
Password: Set the password for a user to switch to the management level.
Confirm Password: Enter the same password again. Otherwise, the system prompts that the two passwords are not consistent when you apply the configuration.
Configuring SNMP
SNMP overview
Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used by a management station to access and manage the devices on a network. SNMP shields the physical differences between various devices and realizes automatic management of products from different manufacturers. An SNMP-enabled network comprises the network management system (NMS) and agents. The NMS manages agents by exchanging management information through SNMP.
Task: Remarks
Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP community: Required.
Configuring SNMP trap function: Optional. Allows you to configure the agent to send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
The SNMP configuration page appears.
Figure 85 Configuring SNMP settings
2. Configure SNMP settings on the upper part of the page, as described in Table 45.
3. Click Apply.
Table 45 Configuration items
Item: Description
SNMP: Specify whether to enable or disable the SNMP agent.
Item: Description
Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
Maximum Packet Size: Configure the maximum size of an SNMP packet that the agent can receive/send.
Contact: Set a character string to describe the contact information for system maintenance.
Figure 87 Creating an SNMP view (1)
4. Enter the view name.
5. Click Apply. The page in Figure 88 appears.
Figure 88 Creating an SNMP view (2)
6. Configure the parameters, as described in Table 46.
7. Click Add.
8. Repeat steps 6 and 7 to add more rules for the SNMP view.
9. Click Apply. To cancel the view, click Cancel.
Table 46 Configuration items
Item: Description
View Name: Set the SNMP view name.
Adding rules to an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab. The page in Figure 89 appears.
3. Click the icon of the target view. The Add rule for the view ViewDefault window appears.
Figure 89 Adding rules to an SNMP view
4. Configure the parameters, as described in Table 46.
5. Click Apply.
NOTE: You can modify the rules of a view in the page you enter by clicking the icon.
Configuring an SNMP community
1. Select Device > SNMP from the navigation tree.
2.
Figure 91 Creating an SNMP Community
4. Configure SNMP community settings, as described in Table 47.
5. Click Apply.
Table 47 Configuration items
Item: Description
Community Name: Set the SNMP community name.
Access Right: Configure the access rights:
• Read only—The NMS can perform read-only operations on the MIB objects when it uses this community name to access the agent.
Figure 92 SNMP group
3. Click Add. The Add SNMP Group page appears.
Figure 93 Creating an SNMP group
4. Configure SNMP group settings, as described in Table 48.
5. Click Apply.
Table 48 Configuration items
Item: Description
Group Name: Set the SNMP group name.
Security Level: Select the security level for the SNMP group:
• NoAuth/NoPriv—No authentication, no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
Read View
Item: Description
Notify View: Select the notify view of the SNMP group. The notify view can send trap messages. If no notify view is configured, the agent does not send traps to the NMS.
ACL: Associate a basic ACL with the group to restrict the source IP address of SNMP packets. You can configure to allow or prohibit SNMP packets with a specific source IP address to restrict the intercommunication between the NMS and the agent.
Configuring an SNMP user
1. Select Device > SNMP from the navigation tree.
2.
Figure 95 Creating an SNMP user
4. Configure SNMP user settings, as described in Table 49.
5. Click Apply.
Table 49 Configuration items
Item: Description
User Name: Set the SNMP user name.
Security Level: Select the security level for the SNMP group:
• NoAuth/NoPriv—No authentication, no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
Select an SNMP group to which the user belongs.
Item: Description
Authentication Password: Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.
Confirm Authentication Password: The confirm authentication password must be the same as the authentication password.
Privacy Mode: Select a privacy mode (including DES56, AES128, and 3DES) when the security level is Auth/Priv.
Privacy Password: Set the privacy password when the security level is Auth/Priv.
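The authentication and privacy passwords entered here are never stored or sent as typed. SNMPv3 USM (RFC 3414) hashes the password into a key and then "localizes" that key with the agent's engine ID, which is why the Local Engine ID item earlier in this section warns that a user created under one engine ID is invalid once the engine ID changes. The block below is an added example, not HP code, reproducing that derivation; the password and engine ID are the RFC 3414 test vectors, not values from a device, and the second engine ID is constructed.

```python
# Added example (not from the HP guide): how SNMPv3 USM derives the
# authentication and privacy keys from a password and binds them to one engine
# ID (RFC 3414 section 2.6 and appendix A.2). Password and engine ID below are
# the RFC 3414 test vectors, not values from a device.
import hashlib

ONE_MIB = 1048576


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash the password repeated (and truncated) to exactly 1 MiB."""
    repeats, remainder = divmod(ONE_MIB, len(password))
    return hashlib.new(algo, password * repeats + password[:remainder]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent actually stores."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)


def des_privacy_material(localized_key: bytes) -> tuple:
    """DES56 (Table 49) takes the first 8 bytes as the DES key and the last 8
    as the pre-IV; RFC 3414 section 8.1.1.1 describes this split."""
    return localized_key[:8], localized_key[8:16]


RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo() -> dict:
    """Derive the MD5-localized key for the RFC vector, then show that the same
    password under a different engine ID yields a different key."""
    before = usm_key(RFC_PASSWORD, RFC_ENGINE_ID)
    other_engine = bytes.fromhex("000000000000000000000003")   # constructed
    after = usm_key(RFC_PASSWORD, other_engine)
    return {"kul_md5": before.hex(), "changed_by_engine_id": before != after}


if __name__ == "__main__":
    print(demo())
```

Because the stored key depends on the engine ID, changing Local Engine ID after users exist silently invalidates every Auth/NoPriv and Auth/Priv user; re-create the users (or set the engine ID first) rather than troubleshooting the NMS.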
Figure 97 Adding a target host of SNMP traps
6. Configure the settings for the target host, as described in Table 50.
7. Click Apply.
Table 50 Configuration items
Item: Description
Destination IP Address: Set the destination IP address or domain. Select the IP address type: IPv4/Domain or IPv6, and then type the corresponding IP address or domain in the field according to the IP address type.
Security Name
Displaying SNMP packet statistics
1. Select Device > SNMP from the navigation tree. The page for displaying SNMP packet statistics appears.
Figure 98 SNMP packet statistics
SNMPv1/SNMPv2c configuration example
Network requirements
As shown in Figure 99, the NMS (1.1.1.2/24) uses SNMPv1 or SNMPv2c to manage the AC (1.1.1.1/24), and the AC automatically sends traps to report events to the NMS.
Figure 99 Network diagram (AC as agent, Vlan-int2 1.1.1.1/24; NMS 1.1.1.2/24)
Configuring the AC (SNMP agent)
1.
c. Select the v1 and v2c boxes, as shown in Figure 100.
d. Click Apply.
Figure 100 Enabling SNMP agent
2. Configure an SNMP read-only community:
a. Click the Community tab.
b. Click Add.
c. Enter public in the Community Name field and select Read only from the Access Right list, as shown in Figure 101.
d. Click Apply.
Figure 101 Creating an SNMP read-only community
3. Configure an SNMP read/write community:
a. Click Add on the Community tab.
b.
Figure 102 Creating an SNMP read/write community
4. Enable the agent to send SNMP traps:
a. Click the Trap tab.
b. Select the Enable SNMP Trap box.
c. Click Apply.
Figure 103 Enabling the agent to send SNMP traps
5. Configure an SNMP trap target host:
a. Click the Trap tab.
b. Click Add.
c. Select the IPv4/Domain option, enter the destination address 1.1.1.2, enter public in the Security Name field, and select v1 from the Security Model list, as shown in Figure 104.
Figure 104 Adding an SNMP trap target host
Configuring the NMS
IMPORTANT: The configuration on the NMS must be consistent with the configuration on the agent. Otherwise, you cannot perform the corresponding operations.
To configure the NMS:
1. Specify the SNMPv1 or SNMPv2c version.
2. Create a read-only community named public.
3. Create a read/write community named private.
For more information about the configuration procedure on the NMS, see the NMS user manual.
Figure 105 Network diagram (AC as agent, Vlan-int2 1.1.1.1/24; NMS 1.1.1.2/24)
Configuring the AC (SNMP agent)
1. Enable SNMP agent:
a. Select Device > SNMP from the navigation tree.
b. Select the Enable option to enable the SNMP agent, and select v3 for SNMP Version, as shown in Figure 106.
c. Click Apply.
Figure 106 Enabling SNMP agent
2. Configure an SNMP view:
a. Click the View tab.
b. Click Add. The page in Figure 107 appears.
c. Enter view1 in the field.
d. Click Apply. The page in Figure 108 appears.
Figure 107 Creating an SNMP view (1)
Figure 108 Creating an SNMP view (2)
3. Configure an SNMP group:
a. Click the Group tab.
b. Click Add. The page in Figure 109 appears.
c. Enter group1 in the Group Name field, select view1 from the Read View box, and select view1 from the Write View box.
d. Click Apply.
Figure 109 Creating an SNMP group
4. Configure an SNMP user:
a. Click the User tab.
b. Click Add. The page in Figure 110 appears.
c. Enter user1 in the User Name field.
d. Select Auth/Priv from the Security Level list.
e. Select group1 from the Group Name list.
f. Select MD5 from the Authentication Mode list.
g. Enter authkey in the Authentication Password and Confirm Authentication Password fields.
h. Select DES56 from the Privacy Mode list.
i.
Figure 110 Creating an SNMP user
5. Enable the agent to send SNMP traps:
a. Click the Trap tab. The page in Figure 111 appears.
b. Select the Enable SNMP Trap box.
c. Click Apply.
6. Add target hosts of SNMP traps:
a. Click Add on the Trap tab. The page in Figure 112 appears.
b. Select IPv4/Domain as the destination IP address type, and enter the destination address 1.1.1.2.
c. Enter the user name user1, select v3 from the Security Model list, and select Auth/Priv from the Security Level list.
d. Click Apply.
Figure 112 Adding target hosts of SNMP traps
Configuring the NMS
IMPORTANT: The configuration on the NMS must be consistent with the configuration on the agent.
Configuring loopback
You can check whether an Ethernet port works correctly by performing the Ethernet port loopback test. During the test, the port cannot correctly forward data packets. The Ethernet port loopback test can be an internal loopback test or an external loopback test.
• In an internal loopback test, a self loop is established in the switching chip to check whether there is a chip failure related to the functions of the port.
• In an external loopback test, a self-loop header is used on the port.
Figure 113 Loopback test configuration page
2. Configure the loopback test parameters, as described in Table 51.
Table 51 Configuration items
Item: Description
Testing type: Set the loopback test type to External or Internal. Support for the test type depends on the device model.
3. Click Test to start the loopback test. After the test is completed, the test result appears in the Result box.
Figure 114 Loopback test result (for internal loopback test)
OAP management
Overview
An Open Application Platform (OAP) module can work in synergy with a device within OAA. For an NMS that is based on the SNMP UDP domain, the device and the OAP module are separate SNMP agents. Physically, the two SNMP agents are at the same managed object. Logically, the two SNMP agents belong to different systems and manage their own MIB objects independently.
Configuring MAC addresses
MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces. This chapter provides information about the management of static and dynamic MAC address entries. It does not provide information about multicast MAC address entries.
Overview
A device maintains a MAC address table for frame forwarding.
Figure 116 MAC address table of the device
MAC address    Port
MAC A          1
MAC B          1
MAC C          2
MAC D          2
Configuring a MAC address entry
1. Select Network > MAC from the navigation tree. The system automatically displays the MAC tab, which shows all the MAC address entries on the device.
Figure 117 The MAC tab
2. Click Add at the bottom to enter the page for creating MAC address entries.
Figure 118 Creating a MAC address entry
3. Configure the MAC address entry, as described in Table 52.
4. Click Apply.
Table 52 Configuration items
Item    Description
MAC    Set the MAC address to be added.
    Set the type of the MAC address entry:
• static—Static MAC address entries that never age out.
• dynamic—Dynamic MAC address entries that will age out.
• blackhole—Blackhole MAC address entries that never age out.
Figure 119 Setting the aging time for MAC address entries
3. Set the aging time, as described in Table 53.
4. Click Apply.
Table 53 Configuration items
Item    Description
No-aging    Specify that the MAC address entry never ages out.
Aging Time    Set the aging time for the MAC address entry.
MAC address configuration example
Network requirements
Use the MAC address table management function of the Web-based NMS. Create a static MAC address 00e0-fc35-dc71 for Ten-GigabitEthernet 1/0/1 in VLAN 1.
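The following is an added example, not code from the HP guide: a small model of the MAC address table described above, with the static, dynamic and blackhole entry types of Table 52 and the aging time of Table 53. The port names, the sample addresses other than 00e0-fc35-dc71, and the forwarding rules for blackhole and unknown destinations are assumptions made for the example.

```python
"""Added example (not from the HP guide): a model of a Layer 2 MAC address
table with static, dynamic and blackhole entries and an aging timer.
Port names and sample addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"


@dataclass
class MacEntry:
    mac: str                # hhhh-hhhh-hhhh notation, as used in the guide
    vlan: int
    port: Optional[str]     # None for blackhole entries (no outgoing port)
    kind: str
    learned_at: float       # seconds; only meaningful for dynamic entries


class MacTable:
    def __init__(self, aging_time: Optional[float] = 300.0):
        # aging_time=None models the No-aging option of Table 53
        self.aging_time = aging_time
        self.entries: Dict[Tuple[str, int], MacEntry] = {}

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.entries[(mac, vlan)] = MacEntry(mac, vlan, port, STATIC, 0.0)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(mac, vlan)] = MacEntry(mac, vlan, None, BLACKHOLE, 0.0)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> bool:
        """Dynamic learning from a frame's source MAC. A static or
        blackhole entry is never overwritten by learning."""
        existing = self.entries.get((mac, vlan))
        if existing is not None and existing.kind != DYNAMIC:
            return False
        self.entries[(mac, vlan)] = MacEntry(mac, vlan, port, DYNAMIC, now)
        return True

    def age(self, now: float) -> int:
        """Remove dynamic entries older than aging_time; return how many."""
        if self.aging_time is None:
            return 0
        stale = [key for key, e in self.entries.items()
                 if e.kind == DYNAMIC and now - e.learned_at > self.aging_time]
        for key in stale:
            del self.entries[key]
        return len(stale)

    def forward(self, src: str, dst: str, vlan: int, in_port: str,
                now: float) -> Tuple[str, Optional[str]]:
        """Decide what to do with a frame: ('forward', port), ('flood', None)
        or ('drop', None). A blackhole entry for the source or destination
        MAC drops the frame; an unknown destination is flooded in the VLAN."""
        self.learn(src, vlan, in_port, now)
        s = self.entries.get((src, vlan))
        d = self.entries.get((dst, vlan))
        if (s is not None and s.kind == BLACKHOLE) or \
                (d is not None and d.kind == BLACKHOLE):
            return ("drop", None)
        if d is None:
            return ("flood", None)
        if d.port == in_port:
            return ("drop", None)   # destination is behind the ingress port
        return ("forward", d.port)
```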
Figure 120 Creating a static MAC address entry
Configuring VLANs
Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. The medium is shared, so collisions and excessive broadcasts are common on an Ethernet. To address this issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 121.
Recommended configuration procedure
Step    Remarks
1. Creating a VLAN    Required.
2. Modifying a VLAN
3. Modifying a port    Required. Select either task. Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.
Creating a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page shown in Figure 122.
Figure 123 Creating a VLAN
Modifying a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page shown in Figure 122.
2. Click the icon of the VLAN you want to modify to enter the page shown in Figure 124.
Figure 124 Modifying a VLAN
3. Configure the description and port members for the VLAN, as described in Table 54.
4. Click Apply.
Table 54 Configuration items
Item    Description
ID    Display the ID of the VLAN to be modified.
Item    Description
Port
Untagged Member
Tagged Member    Find the port to be modified and select the Untagged Member, Tagged Member, or Not a Member option for the port:
• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
• Not a Member—Removes the port from the VLAN.
Table 55 Configuration items
Item    Description
Port    Display the port to be modified.
Untagged Member    Display the VLAN(s) to which the port belongs as an untagged member.
Tagged Member    Display the VLAN(s) to which the port belongs as a tagged member.
Untagged
Tagged    Select the Untagged, Tagged, or Not a Member option:
• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
c. Enter VLAN IDs 2,6-50,100.
d. Click Apply.
Figure 128 Creating a VLAN
2. Configure Ten-GigabitEthernet 1/0/1 as an untagged member of VLAN 100:
a. Enter 100 in the VLAN Range field.
b. Click Select to display only the information of VLAN 100.
Figure 129 Selecting a VLAN
c. Click the icon of VLAN 100.
d. On the page that appears, select the Untagged Member option for port Ten-GigabitEthernet 1/0/1.
e. Click Apply.
Figure 130 Modifying a VLAN
3. Configure Ten-GigabitEthernet 1/0/1 as a tagged member of VLAN 2, and VLAN 6 through VLAN 50:
a. Select Network > VLAN from the navigation tree and then select the Port tab.
b. Click the icon of port Ten-GigabitEthernet 1/0/1.
c. On the page that appears, select the Tagged option, and enter VLAN IDs 2,6-50.
Figure 131 Modifying a port
d. Click Apply. A dialog box appears asking you to confirm the operation.
e. Click Apply in the dialog box.
Figure 132 Confirmation dialog box
Configuring the switch
The configuration on the switch is similar to the configuration on the AC.
Configuring ARP
Overview
Introduction to ARP
The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address). In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address. For more information about ARP, see Layer 3 Configuration Guide.
Figure 133 Displaying ARP entries
Creating a static ARP entry
1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 133.
2. Click Add. The New Static ARP Entry page appears.
Figure 134 Adding a static ARP entry
3. Configure the static ARP entry, as described in Table 56.
4. Click Apply.
Table 56 Configuration items
Item    Description
IP Address    Enter an IP address for the static ARP entry.
Item    Description
MAC Address    Enter a MAC address for the static ARP entry.
Advanced Options
VLAN ID
Port    Enter a VLAN ID and specify a port for the static ARP entry. The VLAN ID must be the ID of a VLAN that has already been created, and the port must belong to the VLAN. The corresponding VLAN interface must have been created.
Removing ARP entries
1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 133.
2.
Static ARP configuration example
Network requirements
As shown in Figure 136:
• The switch is installed with the HP 11900/10500/7500 20G Unified Wired-WLAN module to act as the AC.
• GigabitEthernet 3/0/1 of the AC is connected to the router, and belongs to VLAN 100.
To enhance communication security between the AC and the router, configure a static ARP entry on the AC.
Figure 136 Network diagram
Configuration procedure
1. Create VLAN 100:
a.
Figure 138 Adding Ten-GigabitEthernet 1/0/1 to VLAN 100
3. Configure VLAN-interface 100 and its IP address:
a. Select Device > Interface from the navigation tree.
b. Click Add. The configuration page appears.
c. Select Vlan-interface from the Interface Name list, and enter 100.
d. Select the Static Address option for IP Config, enter 192.168.1.2 for IP Address, and select 24 (255.255.255.0) for Mask.
e. Click Apply.
Figure 139 Configuring VLAN-interface 100
4. Create a static ARP entry:
a. Select Network > ARP Management from the navigation tree to enter the default ARP Table page.
b. Click Add. The page for creating a static ARP entry appears.
c. Enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, and select the Advanced Options option.
d. Enter 100 for VLAN ID, and select Ten-GigabitEthernet1/0/1 from the Port list.
e. Click Apply.
Figure 140 Creating a static ARP entry
Configuring ARP attack protection
Overview
Although ARP is easy to implement, it does not provide any security mechanism and is prone to network attacks and viruses, which threaten LAN security. This chapter describes features that a device can use to detect and prevent such attacks.
ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry, to avoid generating any incorrect ARP entry. For more information about its working mechanism, see ARP Attack Protection Technology White Paper.
ARP packet source MAC address consistency check
This feature enables a gateway device to filter out ARP packets whose source MAC address in the Ethernet header differs from the sender MAC address in the ARP message. The gateway device can thus learn correct ARP entries.
Item    Description
Trusted Ports    Select trusted ports and untrusted ports. To add ports to the Trusted Ports list box, select one or more ports from the Untrusted Ports list box and click the << button. To remove ports from the Trusted Ports list box, select one or more ports from the list box and click the >> button.
    Select the ARP packet validity check mode:
• Discards the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
Table 59 Configuration items
Item    Description
Detection Mode    Select the detection mode for source MAC address based ARP attack detection:
• Disable—The source MAC address attack detection is disabled.
• Filter Mode—The device generates an alarm and filters out ARP packets sourced from a MAC address if the number of matching ARP packets exceeds the specified value within 5 seconds.
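The following is an added example, not code from the HP guide, showing the two gateway-side checks described above run over constructed frames: the ARP packet source MAC address consistency check (Ethernet source MAC versus ARP sender MAC) and source MAC address based detection in Filter Mode (alarm and filter a MAC once its ARP packet count exceeds a threshold within 5 seconds). The threshold value, the frame contents and the MAC/IP addresses are constructed for the example; the 5-second window is the one Table 59 states.

```python
"""Added example (not from the HP guide): ARP source MAC consistency check
and source-MAC-based ARP packet rate detection over constructed frames."""
import struct
from collections import deque
from typing import Deque, Dict, List, Optional, Set, Tuple

ETH_TYPE_ARP = 0x0806
WINDOW_SECONDS = 5.0   # detection window given in Table 59


def fmt_mac(raw: bytes) -> str:
    """Render 6 bytes as hhhh-hhhh-hhhh, the notation used in the guide."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_arp_frame(frame: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (ethernet source MAC, ARP sender MAC, ARP sender IP), or None
    if the frame is not a well-formed Ethernet/IPv4 ARP packet."""
    if len(frame) < 14 + 28:
        return None
    eth_src = frame[6:12]
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28]
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return fmt_mac(eth_src), fmt_mac(sender_mac), sender_ip


def source_mac_consistent(frame: bytes) -> bool:
    """Consistency check: the Ethernet source MAC must equal the ARP
    sender MAC, otherwise the gateway filters the packet out."""
    parsed = parse_arp_frame(frame)
    return parsed is not None and parsed[0] == parsed[1]


class SourceMacDetector:
    """Filter Mode: alarm on, and then filter, a source MAC once more than
    `threshold` ARP packets arrive from it within the 5-second window."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.history: Dict[str, Deque[float]] = {}   # MAC -> arrival times
        self.filtered: Set[str] = set()               # MACs being filtered
        self.alarms: List[Tuple[float, str]] = []     # (time, MAC)

    def inspect(self, frame: bytes, now: float) -> str:
        """Return 'forward' or 'drop' for one ARP frame seen at time `now`."""
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return "drop"             # not a parseable ARP packet
        eth_src = parsed[0]
        if eth_src in self.filtered:
            return "drop"
        times = self.history.setdefault(eth_src, deque())
        times.append(now)
        while times and now - times[0] > WINDOW_SECONDS:
            times.popleft()           # forget packets outside the window
        if len(times) > self.threshold:
            self.filtered.add(eth_src)
            self.alarms.append((now, eth_src))
            return "drop"
        return "forward"


def build_arp_request(eth_src: bytes, sender_mac: bytes, sender_ip: bytes,
                      target_ip: bytes) -> bytes:
    """Build a constructed broadcast ARP request. eth_src and sender_mac
    are separate parameters so an inconsistent frame can be produced."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)     # IPv4 over Ethernet, request
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


# Constructed sample frames; the addresses are made up for the example.
MAC_A = bytes.fromhex("00e0fc010001")
MAC_B = bytes.fromhex("00e0fc010002")
GOOD_FRAME = build_arp_request(MAC_A, MAC_A, bytes([192, 168, 1, 10]),
                               bytes([192, 168, 1, 1]))
BAD_FRAME = build_arp_request(MAC_A, MAC_B, bytes([192, 168, 1, 10]),
                              bytes([192, 168, 1, 1]))
```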
Configuring IGMP snooping
Overview
IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from IGMP packets that are exchanged between the hosts and the router. As shown in Figure 144, when IGMP snooping is not enabled, the Layer 2 switch floods multicast packets to all hosts.
Step    Remarks
2. Configuring IGMP snooping on a VLAN    Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature. By default, IGMP snooping is disabled in a VLAN.
IMPORTANT:
• IGMP snooping must be enabled globally before it can be enabled in a VLAN.
• After enabling IGMP snooping in a VLAN, do not enable IGMP or PIM on the corresponding VLAN interface, and vice versa.
Figure 145 Basic IGMP snooping configurations
Configuring IGMP snooping on a VLAN
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 145.
2. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping in the VLAN, as shown in Figure 146.
Figure 146 Configuring IGMP snooping in the VLAN
3. Configure IGMP snooping, as described in Table 60.
4. Click Apply.
Table 60 Configuration items
Item    Description
VLAN ID    This field displays the ID of the VLAN to be configured.
IGMP snooping    Enable or disable IGMP snooping in the VLAN. You can proceed with the subsequent configurations only if Enable is selected.
    By configuring an IGMP snooping version, you configure the versions of IGMP messages that IGMP snooping can process.
Item    Description
Querier    Enable or disable the IGMP snooping querier function. On an IP multicast network that runs IGMP, a Layer 3 device acts as an IGMP querier. It sends IGMP queries, and establishes and maintains multicast forwarding entries for correct multicast traffic forwarding at the network layer. On a network without Layer 3 multicast devices, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP.
Table 61 Configuration items
Item    Description
Port    Select the port on which advanced IGMP snooping features are to be configured. After a port is selected, advanced features configured on this port are displayed at the lower part of the page.
VLAN ID    Specify a VLAN in which you can configure the fast leave function for the port or the maximum number of multicast groups allowed on the port.
    Configure the maximum number of multicast groups that the port can join.
Figure 148 Displaying entry information
3. Click the icon corresponding to an entry to display the detailed information of the entry, as shown in Figure 149.
Figure 149 Detailed information of an entry
Table 62 Field description
Field    Description
VLAN ID    ID of the VLAN to which the entry belongs.
Source    Multicast source address, where 0.0.0.0 indicates all multicast sources.
Group    Multicast group address.
Router port    All router ports.
Member port    All member ports.
Figure 150 Network diagram
Configuring Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1. (Details not shown.)
Configuring the AC
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN displaying page.
b. Click Add.
c. Enter the VLAN ID 100.
d. Click Apply.
Figure 151 Creating VLAN 100
2. Configure Ten-GigabitEthernet 1/0/1 as an untagged member of VLAN 100:
a.
Figure 152 Adding a port to the VLAN
3. Enable IGMP snooping globally:
a. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
b. Select the Enable option for IGMP Snooping.
c. Click Apply.
Figure 153 Enabling IGMP snooping globally
4. Enable IGMP snooping and the function for dropping unknown multicast data on VLAN 100:
a. Click the icon corresponding to VLAN 100.
b.
Figure 154 Configuring the VLAN
Configuring the switch
Configure GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 as untagged members of VLAN 100. (Details not shown.)
Verifying the configuration
Display the IGMP snooping multicast entry information on the AC.
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown in Figure 155.
Figure 156 Information about an IGMP snooping multicast entry
Configuring IPv4 and IPv6 routing
The term router in this document refers to routers, access controllers, unified switches, and access controller modules.
Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and forwards the packet to the next router in the path. When the packet reaches the last router, it forwards the packet to the destination host. Routing provides the path information that guides the forwarding of packets.
Figure 157 IPv4 active route table
Table 63 Field description
Field    Description
Destination IP Address
Mask    Destination IP address and subnet mask of the IPv4 route.
Protocol    Protocol that discovered the IPv4 route.
Preference    Preference value for the IPv4 route. The smaller the number, the higher the preference.
Next Hop    Next hop IP address of the IPv4 route.
Interface    Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent out of the interface.
Figure 158 Creating an IPv4 static route
3. Specify relevant information, as described in Table 64.
4. Click Apply.
Table 64 Configuration items
Item    Description
Destination IP Address    Enter the destination host or network IP address, in dotted decimal notation.
Mask    Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
    Set a preference value for the static route. The smaller the number, the higher the preference.
Figure 159 Displaying the IPv6 active route table
Table 65 Field description
Field    Description
Destination IP Address
Prefix Length    Destination IP address and prefix length of the IPv6 route.
Protocol    Protocol that discovered the IPv6 route.
Preference    Preference value for the IPv6 route. The smaller the number, the higher the preference.
Next Hop    Next hop IP address of the IPv6 route.
Interface    Outgoing interface of the IPv6 route.
Figure 160 Creating an IPv6 static route
3. Specify relevant information, as described in Table 66.
4. Click Apply.
Table 66 Configuration items
Item    Description
Destination IP Address    Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:). Each part is represented by a 4-digit hexadecimal integer.
Prefix Length    Enter the prefix length of the destination IPv6 address.
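The following is an added example, not code from the HP guide: a route table model using the fields of Tables 63 and 65 (destination with mask or prefix length, protocol, preference, next hop, outgoing interface). Route selection is longest prefix match, and among routes to the same prefix the smaller preference value wins, as the tables state; it goes beyond the tables by handling IPv4 and IPv6 routes in one table. The protocol names, preference values, interface names and next hops in the sample table are constructed.

```python
"""Added example (not from the HP guide): IPv4/IPv6 route table with
longest-prefix-match lookup and preference-based tie breaking."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    destination: Network
    protocol: str
    preference: int       # smaller number = higher preference
    next_hop: str
    interface: str


def make_route(dest: str, mask_or_len: str, protocol: str, preference: int,
               next_hop: str, interface: str) -> Route:
    """Accept a mask length ("24") or a dotted decimal mask ("255.255.255.0"),
    as the Mask item in Table 64 allows; IPv6 routes take a prefix length."""
    network = ipaddress.ip_network(f"{dest}/{mask_or_len}", strict=False)
    return Route(network, protocol, preference, next_hop, interface)


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def lookup(self, address: str) -> Optional[Route]:
        """Return the active route used to forward a packet to `address`."""
        addr = ipaddress.ip_address(address)
        candidates = [r for r in self.routes
                      if r.destination.version == addr.version
                      and addr in r.destination]
        if not candidates:
            return None
        # longest prefix first; ties broken by the smaller preference value
        return min(candidates,
                   key=lambda r: (-r.destination.prefixlen, r.preference))


def build_sample_table() -> RouteTable:
    """Constructed table in the spirit of the static route example above:
    a default route via 1.1.4.2, two routes to 1.1.3.0/24 that differ only
    in protocol and preference, and an IPv6 default route via 5::2."""
    table = RouteTable()
    table.add(make_route("0.0.0.0", "0", "Static", 60, "1.1.4.2", "Vlan-interface100"))
    table.add(make_route("1.1.3.0", "255.255.255.0", "Static", 60, "1.1.4.2", "Vlan-interface100"))
    table.add(make_route("1.1.3.0", "24", "OSPF", 10, "1.1.4.3", "Vlan-interface100"))
    table.add(make_route("::", "0", "Static", 60, "5::2", "Vlan-interface200"))
    return table
```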
Figure 161 Network diagram
Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with the AC as the next hop.
3. On the AC, configure a default route with Switch B as the next hop.
Configuration procedure
1. Configure a default route with the next hop address 1.1.4.2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1.1.2.
Verifying the configuration
1. Display the route table:
Enter the IPv4 route page of Switch A, Switch B, and the AC, respectively, to verify that the newly configured static routes are displayed as active routes on the page.
2. Ping Host B from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2
Pinging 1.1.3.2 with 32 bytes of data:
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.
a. Select Network > IPv6 Routing from the navigation tree.
b. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 164.
c. Enter :: for Destination IP Address, select 0 for Prefix Length, and enter 5::2 for Next Hop.
d. Click Apply.
Figure 164 Configuring a default route
Verifying the configuration
1.
Configuring DHCP
DHCP overview
After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Managing interfaces." For more information about DHCP, see Layer 3 Configuration Guide.
DHCP snooping overview
IMPORTANT: The DHCP snooping-enabled device must be between the DHCP client and the relay agent, or between the DHCP client and the server. It does not work if it is between the DHCP relay agent and the DHCP server.
As a DHCP security feature, DHCP snooping can implement the following functionality:
• Records IP-to-MAC mappings of DHCP clients.
• Ensures that DHCP clients obtain IP addresses from authorized DHCP servers.
Step    Remarks
2. Creating an address pool for the DHCP server:
Creating a static address pool for the DHCP server
Creating a dynamic address pool for the DHCP server    Required. Use at least one method.
IMPORTANT:
• If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the same network segment as the DHCP server-enabled interface. Otherwise, the clients will fail to obtain IP addresses.
Figure 167 Enabling DHCP
Creating a static address pool for the DHCP server
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 167.
2. Select the Static option in the Address Pool field to view all static address pools.
3. Click Add.
Figure 168 Creating a static address pool
4. Configure the static address pool, as described in Table 67.
5. Click Apply.
Table 67 Configuration items
Item    Description
IP Pool Name    Enter the name of a static address pool.
IP Address
Mask    Enter an IP address and select a subnet mask for the static address pool. The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly.
Item    Description
DNS Server Address    Enter the DNS server addresses for the client. To allow the client to access a host on the Internet through DNS, you need to specify a DNS server address. Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address    Enter the WINS server addresses for the client. If b-node is specified for the client, you do not need to specify any WINS server address.
Item    Description
IP Address
Mask    Enter an IP address segment for dynamic allocation. To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation. You can enter a mask length or a mask in dotted decimal notation.
Lease Duration    Configure the address lease duration for the address pool: Unlimited, or days/hours/minutes/seconds. Unlimited indicates an infinite duration.
    Enter the domain name suffix for the client.
Figure 170 Configuring a DHCP server interface
Displaying information about assigned IP addresses
1. Select Network > DHCP > DHCP Server from the navigation tree to enter the page shown in Figure 167.
2. Click Addresses in Use in the Address In Use field at the lowest part of the page to view information about the IP addresses assigned from the address pool.
Figure 171 Displaying addresses in use
Table 69 Field description
Field    Description
IP Address    Assigned IP address.
Recommended configuration procedure (for DHCP relay agent)
Step    Remarks
1. Enabling DHCP and configuring advanced parameters for the DHCP relay agent    Required. Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is disabled.
2. Creating a DHCP server group    Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.
Enabling DHCP and configuring advanced parameters for the DHCP relay agent
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab.
Figure 172 DHCP relay agent configuration page
3. Select the Enable option for DHCP Service.
4. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration field, as shown in Figure 173.
Figure 173 Advanced DHCP relay agent configuration field
5. Configure the advanced DHCP relay agent parameters, as described in Table 70.
6. Click Apply. You must also click Apply to enable the DHCP service.
Table 70 Configuration items
Item    Description
    Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks, which reply to DHCP clients with incorrect IP addresses.
2. Click the DHCP Relay tab to enter the page shown in Figure 172.
3. In the Server Group field, click Add to enter the page shown in Figure 174.
Figure 174 Creating a server group
4. Specify the DHCP server group information, as described in Table 71.
5. Click Apply.
Table 71 Configuration items
Item    Description
Server Group ID    Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
    Enter the IP address of a server in the DHCP server group.
Table 72 Configuration items
Item    Description
Interface Name    This field displays the name of a specific interface.
DHCP Relay    Enable or disable the DHCP relay agent on the interface. If the DHCP relay agent is disabled, the DHCP server is enabled on the interface.
Address Match Check    Enable or disable IP address check. With this function enabled, the DHCP relay agent checks whether a requesting client's IP and MAC addresses match a binding (dynamic or static) on the DHCP relay agent.
Server Group ID
Table 73 Configuration items
Item    Description
IP Address    Enter the IP address of a DHCP client.
MAC Address    Enter the MAC address of the DHCP client.
Interface Name    Select the Layer 3 interface connected with the DHCP client.
IMPORTANT: The interface of a static binding entry must be configured as a DHCP relay agent. Otherwise, address entry conflicts may occur.
Recommended configuration procedure (for DHCP snooping)
Step    Remarks
1. Enabling DHCP snooping    Required.
Figure 178 Enabling DHCP snooping
Configuring DHCP snooping functions on an interface
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page shown in Figure 178.
3. In the Interface Config field, click the icon of a specific interface.
Figure 179 Configuring DHCP snooping functions on an interface
4. Configure the parameters, as described in Table 74.
5. Click Apply.
Item    Description
Interface State    Configure the interface as trusted or untrusted.
Option 82 Support    Configure DHCP snooping to support Option 82 or not.
Option 82 Strategy    Select the handling strategy for DHCP requests containing Option 82. The strategies include:
• Drop—The message is discarded if it contains Option 82.
• Keep—The message is forwarded without its Option 82 being changed.
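The following is an added example, not code from the HP guide: a model of the DHCP snooping behaviour described in this chapter (trusted and untrusted interfaces, IP-to-MAC bindings recorded from server replies, the Drop and Keep Option 82 strategies of Table 74) together with the relay agent's address match check from Table 72. Messages are simplified records rather than raw DHCP packets, and the port names, addresses and the rule that a binding is recorded from an ACK on a trusted port are assumptions made for the example.

```python
"""Added example (not from the HP guide): DHCP snooping model with trusted
ports, IP-to-MAC bindings, Option 82 strategy and address match check."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DISCOVER, OFFER, REQUEST, ACK = "DISCOVER", "OFFER", "REQUEST", "ACK"
SERVER_MESSAGES = {OFFER, ACK}


@dataclass
class DhcpMessage:
    msg_type: str
    client_mac: str                   # chaddr, in hhhh-hhhh-hhhh notation
    your_ip: str = "0.0.0.0"          # yiaddr, filled in by the server
    lease_seconds: int = 0
    option82: Optional[bytes] = None  # relay agent information option, if any


@dataclass
class PortConfig:
    trusted: bool = False             # Interface State in Table 74
    option82_support: bool = False    # Option 82 Support
    option82_strategy: str = "Keep"   # Option 82 Strategy: Drop or Keep


@dataclass
class DhcpSnooping:
    ports: Dict[str, PortConfig] = field(default_factory=dict)
    # client MAC -> (assigned IP, lease in seconds, client-facing port)
    bindings: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)
    client_ports: Dict[str, str] = field(default_factory=dict)

    def process(self, port: str, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop' for a message received on `port`,
        recording a binding when an ACK arrives from a trusted port."""
        cfg = self.ports.get(port, PortConfig())   # unconfigured = untrusted
        if msg.msg_type in SERVER_MESSAGES:
            if not cfg.trusted:
                # server reply on an untrusted port: unauthorized server
                return "drop"
            if msg.msg_type == ACK:
                client_port = self.client_ports.get(msg.client_mac, "unknown")
                self.bindings[msg.client_mac] = (
                    msg.your_ip, msg.lease_seconds, client_port)
            return "forward"
        # client message: remember which port the client is behind, then
        # apply the Option 82 strategy configured on the receiving interface
        self.client_ports[msg.client_mac] = port
        if (msg.option82 is not None and cfg.option82_support
                and cfg.option82_strategy == "Drop"):
            return "drop"
        return "forward"          # Keep: forwarded with Option 82 unchanged

    def address_matches(self, ip: str, mac: str) -> bool:
        """Address match check: does the client's IP/MAC pair match a
        recorded binding?"""
        binding = self.bindings.get(mac)
        return binding is not None and binding[0] == ip
```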
DHCP configuration examples
DHCP server configuration example
Network requirements
As shown in Figure 181, the DHCP client on subnet 10.1.1.0/24 obtains an IP address dynamically from the DHCP server (AC). The IP address of VLAN-interface 2 of the AC is 10.1.1.1/24. In subnet 10.1.1.0/24, the address lease duration is ten days and twelve hours and the gateway address is 10.1.1.1.
Figure 181 Network diagram
Configuration procedure
1. Enable DHCP:
a.
Figure 182 Enabling DHCP
2. Enable the DHCP server on VLAN-interface 2: (This operation can be omitted because the DHCP server is enabled on the interface by default.)
a. In the Interface Config field, click the icon of VLAN-interface 2.
b. Select the Enable option for DHCP Server.
c. Click Apply.
Figure 183 Enabling the DHCP server on VLAN-interface 2
3. Configure a dynamic address pool for the DHCP server:
a. Select the Dynamic option in the Address Pool field (default setting), and click Add.
c. Enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration, and enter 10.1.1.1 for Gateway Address.
d. Click Apply.
Figure 184 Configuring a dynamic address pool for the DHCP server
DHCP relay agent configuration example
Network requirements
As shown in Figure 185, VLAN-interface 1 on the DHCP relay agent (AC) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.1/24.
d. Click Apply.
Figure 186 Enabling DHCP
2. Configure a DHCP server group:
a. In the Server Group field, click Add.
b. Enter 1 for Server Group ID, and 10.1.1.1 for IP Address.
c. Click Apply.
Figure 187 Adding a DHCP server group
3. Enable the DHCP relay agent on VLAN-interface 1:
a. In the Interface Config field, click the icon of VLAN-interface 1.
b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.
c. Click Apply.
Figure 188 Enabling the DHCP relay agent on an interface and correlating it with a server group
DHCP snooping configuration example
Network requirements
As shown in Figure 189, a DHCP snooping device (the switch) is installed with the HP 11900/10500/7500 20G Unified Wired-WLAN module to act as the AC. The AC is connected to a DHCP server through GigabitEthernet 3/0/2, and to an AP through GigabitEthernet 3/0/1.
Figure 190 Enabling DHCP snooping
2. Configure DHCP snooping functions on Ten-GigabitEthernet 1/0/1:
a. Click the icon of Ten-GigabitEthernet 1/0/1 in the interface list.
b. Select the Trust option for Interface State.
c. Click Apply.
Figure 191 Configuring DHCP snooping functions on Ten-GigabitEthernet 1/0/1
3. Display clients' IP-to-MAC bindings:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Snooping tab.
c.
Figure 192 Displaying clients' IP-to-MAC bindings
Configuring link aggregation and LACP
Overview
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group. It allows you to increase bandwidth by distributing traffic across the member ports in the aggregation group. In addition, it provides reliable connectivity because these member ports can dynamically back up each other. Support for link aggregation depends on the device model.
Operational key
An operational key is a configuration set that link aggregation control automatically assigns to each port based on port attributes when aggregating ports. The configuration set contains the port rate, duplex mode, and link state configuration. In an aggregation group, all Selected ports are assigned the same operational key.
Class-two configurations
The contents of class-two configurations are listed in Table 76.
• Static aggregation limits the number of Selected ports in an aggregation group. When the upper limit is not reached, all the candidate Selected ports become Selected ports. When the upper limit is exceeded, the system sets the candidate Selected ports with larger port numbers to the Unselected state to keep the number of Selected ports in the correct range.
• If all member ports are down, the system sets their states to Unselected.
• In an aggregation group, a candidate Selected port must have the same port attributes and class-two configurations as the reference port. To keep these configurations consistent, configure the port correctly.
• Changing the port attributes or class-two configuration of a port might change the Selected state of that port and of other member ports, which might affect services. HP recommends that you make such changes with caution.
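The following is an added example, not code from the HP guide: a model of how a static aggregation group decides which member ports become Selected, following the rules listed above (link state, operational key and class-two configuration must match the reference port; beyond the Selected port limit, the ports with larger port numbers become Unselected). The reference port is passed in explicitly because the guide does not say here how the system picks it, and the port attributes, the limit and the reason strings are assumptions.

```python
"""Added example (not from the HP guide): Selected/Unselected state
computation for the member ports of a static aggregation group."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MemberPort:
    name: str
    number: int                   # ordering used when the limit is exceeded
    link_up: bool
    speed_mbps: int               # port rate, part of the operational key
    duplex: str                   # duplex mode, part of the operational key
    class_two: Tuple[str, ...]    # class-two configuration (e.g. VLAN settings)

    def operational_key(self) -> Tuple[int, str]:
        return (self.speed_mbps, self.duplex)


def select_ports(members: List[MemberPort], reference: MemberPort,
                 max_selected: int) -> Dict[str, str]:
    """Return port name -> 'Selected' or 'Unselected (<reason>)', the
    reason being what the Reason for being Unselected field would show."""
    result: Dict[str, str] = {}
    candidates: List[MemberPort] = []
    for m in members:
        if not m.link_up:
            result[m.name] = "Unselected (link down)"
        elif m.operational_key() != reference.operational_key():
            result[m.name] = "Unselected (operational key differs from reference port)"
        elif m.class_two != reference.class_two:
            result[m.name] = "Unselected (class-two configuration differs from reference port)"
        else:
            candidates.append(m)
    # within the limit, the lower port numbers win; the rest are Unselected
    candidates.sort(key=lambda m: m.number)
    for index, m in enumerate(candidates):
        if index < max_selected:
            result[m.name] = "Selected"
        else:
            result[m.name] = "Unselected (exceeds the Selected port limit)"
    return result


def example_group() -> Dict[str, str]:
    """Constructed five-member group: one port down, one with a different
    class-two configuration, and a limit of two Selected ports."""
    common = ("access", "vlan 100")
    ports = [
        MemberPort("GigabitEthernet1/0/1", 1, True, 1000, "full", common),
        MemberPort("GigabitEthernet1/0/2", 2, True, 1000, "full", common),
        MemberPort("GigabitEthernet1/0/3", 3, True, 1000, "full", ("access", "vlan 200")),
        MemberPort("GigabitEthernet1/0/4", 4, True, 1000, "full", common),
        MemberPort("GigabitEthernet1/0/5", 5, False, 1000, "full", common),
    ]
    return select_ports(ports, ports[0], max_selected=2)
```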
The peer port of a Selected port is an Unselected port, which might result in exceptions in upper-layer protocols and traffic forwarding.
Recommended link aggregation and LACP configuration procedures
Recommended static aggregation group configuration procedure
Task    Remarks
Creating a link aggregation group    Required. Create a static aggregate interface and configure member ports for the static aggregation group automatically created by the system when you create the aggregate interface.
Task    Remarks
Displaying LACP-enabled port information    Optional. Perform this task to view detailed information about LACP-enabled ports and the corresponding remote (partner) ports.
Creating a link aggregation group
1. Select Network > Link Aggregation from the navigation tree.
2. Click Create.
Figure 193 Creating a link aggregation group
3. Configure a link aggregation group, as described in Table 77.
4. Click Apply.
The Summary tab is displayed by default. The list on the upper part of the page displays information about all the aggregate interfaces.
2. Select an aggregate interface from the list. The list on the lower part of the page displays detailed information about the member ports of the associated link aggregation group.
Figure 194 Displaying aggregate interface information
Table 78 Field description
Field    Description
Aggregation interface    Type and ID of the aggregate interface.
Field    Description
Reason for being Unselected    Reason why the state of a member port is Unselected. For a Selected member port, this field displays a hyphen (-).
Setting LACP priority
1. Select Network > LACP from the navigation tree.
2. Click Setup.
Figure 195 Setup tab
3. In the Set LACP enabled port(s) parameters area, set the port priority, and select the desired ports.
4. Click Apply in the area.
Table 79 Configuration items
Item    Description
Port Priority    Set the LACP priority.
Displaying LACP-enabled port information
1. Select Network > LACP from the navigation tree. The Summary tab is displayed by default. The upper part of the page displays a list of all LACP-enabled ports on the device and information about them. Table 80 describes the fields.
2. Select a port on the port list.
3. Click View Details. Detailed information about the peer port appears on the lower part of the page. Table 81 describes the fields.
Field    Description
Port    Port where LACP is enabled.
LACP State    State of LACP on the port.
Port Priority    LACP priority of the port.
State    Active state of the port. If a port is Selected, its state is active and the ID of the aggregation group it belongs to is displayed.
Inactive Reason    Reason code indicating why a port is inactive (or Unselected) for receiving/transmitting user data. For the meanings of the reason codes, see the bottom of the page shown in Figure 196.
Figure 197 Network diagram
Configuration procedure
You can create a static or dynamic link aggregation group to achieve load balancing.
Method 1: Create a static link aggregation group
1. Select Network > Link Aggregation from the navigation tree.
2. Click Create.
3. Configure static link aggregation group 1:
a. Enter link aggregation interface ID 1.
b. Select the Static (LACP Disabled) option for the aggregate interface type.
c.
7. Configure dynamic aggregation group 1:
a. Enter link aggregation interface ID 1.
b. Select the Dynamic (LACP Enabled) option for the aggregate interface type.
c. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.
8. Click Apply.
Configuring DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use simple domain names in some applications and the DNS server translates them into correct IP addresses. There are two types of DNS services: static and dynamic. After a user specifies a name, the device checks the local static name resolution table for an IP address.
Recommended configuration procedure
Configuring static name resolution table
Step | Remarks
Configuring static name resolution table | Required. By default, no host name-to-IP address mappings are configured in the static domain name resolution table.

Configuring dynamic domain name resolution
Step | Remarks
1. Configuring dynamic domain name resolution | Required. This function is disabled by default.
2. Adding a DNS server address |
3. Adding a domain name suffix |
4. Clearing dynamic DNS cache |
Figure 200 Static domain name resolution configuration page
2. Click Add.
Figure 201 Creating a static domain name resolution entry
3. Configure the parameters, as described in Table 82.
4. Click Apply.
Table 82 Configuration items
Item | Description
Host Name | Configure the mapping between a host name and an IP address in the static domain name table.
Host IP Address | Each host name corresponds to only one IP address.
Figure 202 Dynamic domain name resolution configuration page
Configuring DNS proxy
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 202.
3. Select the Enable option for DNS Proxy.
4. Click Apply.
Adding a DNS server address
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 202.
3. Click Add IP to enter the page shown in Figure 203.
4.
Figure 203 Adding a DNS server address
Adding a domain name suffix
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 202.
3. Click Add Suffix to enter the page shown in Figure 204.
4. Enter a DNS suffix in the DNS Domain Name Suffix field.
5. Click Apply.
Figure 204 Adding a domain name suffix
Clearing dynamic DNS cache
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 202.
DNS configuration example
Network requirements
As shown in Figure 205:
• The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com zone, which stores the mapping between domain name host and IP address 3.1.1.1/16.
• The AC serves as a DNS client, and uses dynamic domain name resolution.
Configure the AC so that it can access the host by using a simple domain name rather than an IP address.
Figure 206 Creating a zone
2. Create a mapping between host name and IP address:
a. In Figure 207, right-click zone com, and then select New Host.
Figure 207 Adding a host
b. In the dialog box shown in Figure 208, enter host name host and IP address 3.1.1.1.
c. Click Add Host.
Figure 208 Adding a mapping between domain name and IP address
Configuring the AC
1. Enable dynamic domain name resolution:
a. Select Network > DNS from the navigation tree.
b. Click the Dynamic tab.
c. Select the Enable option for Dynamic DNS.
d. Click Apply.
Figure 209 Enabling dynamic domain name resolution
2.
a. Click Add IP in Figure 209 to enter the page for adding a DNS server IP address.
b. Enter 2.1.1.2 for DNS Server IP Address.
c. Click Apply.
Figure 210 Adding a DNS server address
3. Configure the domain name suffix:
• Click Add Suffix in Figure 209.
• Enter com for DNS Domain Name Suffix.
• Click Apply.
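The resolution order this section describes (static table first, then dynamic resolution with the configured suffixes and servers, with a cache that can be cleared) is easy to get wrong when troubleshooting, so here is an added Python model of it. This is not the device's code: FakeDnsServer and its zone data are constructed for the example, the host/zone/address values (host, com, 2.1.1.2, 3.1.1.1) are the ones from the configuration example above, and the rule that a name containing a dot is tried as given before any suffix is appended is an assumption.

```python
# Added illustration of the name resolution order described in this section,
# not the device's own code. FakeDnsServer and the zone data are constructed;
# host/com/2.1.1.2/3.1.1.1 are the values from the configuration example.
from typing import Dict, List, Optional


class FakeDnsServer:
    """Constructed stand-in for the DNS server at 2.1.1.2."""

    def __init__(self, address: str, zones: Dict[str, Dict[str, str]]):
        self.address = address
        self.zones = zones                 # zone name -> {host name: IP address}
        self.queries: List[str] = []       # every FQDN asked, for inspection

    def query(self, fqdn: str) -> Optional[str]:
        self.queries.append(fqdn)
        host, _, zone = fqdn.partition(".")
        return self.zones.get(zone, {}).get(host)


class DnsClient:
    """Models the AC as a DNS client: static table, then dynamic resolution."""

    def __init__(self, servers: List[FakeDnsServer], suffixes: List[str],
                 static_table: Optional[Dict[str, str]] = None,
                 dynamic_enabled: bool = True):
        self.servers = servers                        # "Add IP" entries, in order
        self.suffixes = suffixes                      # "Add Suffix" entries, in order
        self.static_table = dict(static_table or {})  # Static tab: host name -> IP
        self.dynamic_enabled = dynamic_enabled        # Dynamic DNS Enable/Disable
        self.cache: Dict[str, str] = {}               # dynamic DNS cache

    def candidates(self, name: str) -> List[str]:
        # Assumption: a name that already contains a dot is tried as given
        # before any suffix is appended; a bare host name only gets suffixes.
        names = [name] if "." in name else []
        return names + [f"{name}.{s}" for s in self.suffixes]

    def resolve(self, name: str) -> Optional[str]:
        # 1. The static name resolution table is checked first.
        if name in self.static_table:
            return self.static_table[name]
        # 2. Dynamic resolution runs only when enabled (disabled by default).
        if not self.dynamic_enabled:
            return None
        if name in self.cache:
            return self.cache[name]
        # 3. Try each candidate FQDN against each configured server, in order.
        for fqdn in self.candidates(name):
            for server in self.servers:
                ip = server.query(fqdn)
                if ip is not None:
                    self.cache[name] = ip
                    return ip
        return None

    def clear_cache(self) -> None:
        """Equivalent of the 'Clearing dynamic DNS cache' task."""
        self.cache.clear()


def run_example() -> Optional[str]:
    """Reproduces the configuration example: the AC resolves 'host' via 2.1.1.2."""
    server = FakeDnsServer("2.1.1.2", {"com": {"host": "3.1.1.1"}})
    ac = DnsClient(servers=[server], suffixes=["com"])
    return ac.resolve("host")


if __name__ == "__main__":
    print(run_example())
```

A static entry for a name shadows whatever the dynamic servers would answer, and a stale cached answer survives a zone change until the dynamic DNS cache is cleared; both are worth remembering when a name resolves to an unexpected address.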
Figure 212 Ping operation
Configuring DDNS
Support for DDNS depends on the device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."
Overview
DNS allows you to access nodes in networks using their domain names. However, it provides only the static mappings between domain names and IP addresses. When you use a domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address where the node no longer resides.
With the DDNS client configured, a device can dynamically update the latest mapping between its domain name and IP address on the DNS server through DDNS servers such as www.3322.org or www.oray.cn.
Configuration prerequisites
• Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client.
Figure 215 Creating a DDNS entry
3. Configure DDNS, as described in Table 83.
4. Click Apply.
Table 83 Configuration items
Item | Description
Domain Name | Specify the DDNS entry name, which uniquely identifies the DDNS entry.
Server Provider | Select the DDNS server provider, which can be 3322.org or PeanutHull.
Server settings | Specify the DDNS server's domain name. After a server provider is selected, its DDNS server domain name appears automatically:
• If the server provider is 3322.
Item | Description
Interval | Specify the interval for sending DDNS update requests after DDNS update is enabled.
IMPORTANT:
• A DDNS update request is immediately initiated when the primary IP address of the interface changes or the link state of the interface changes from Down to Up, no matter whether the interval expires.
Figure 216 Network diagram (labels from the figure: www.3322.org DDNS server; Dialer 1; IP network; AC as DDNS client; DNS server 1.1.1.1)
Configuration prerequisite
Before configuring DDNS on the AC, complete the following tasks:
• Create an account at http://www.3322.org/ (account name: steven and password: nevets).
• Add the AC's host name-to-IP address mapping to the DNS server.
• Make sure the devices can reach each other.
Configuring the AC
1. Enable dynamic domain name resolution:
a.
2. Configure the DNS server IP address:
a. Select Network > DNS > Dynamic from the navigation tree. The page for enabling dynamic domain name resolution appears, as shown in Figure 217.
b. Click Add IP.
c. Enter 1.1.1.1 for DNS Server IP Address, as shown in Figure 218.
d. Click Apply.
Figure 218 Configuring the DNS server IP address
3. Configure DDNS:
a. Select Network > DNS > DDNS from the navigation tree.
b. Click Add. The page for configuring DDNS appears.
c.
Figure 219 Configuring DDNS
Verifying the configuration
# Verify that the AC notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP address changes. Therefore, the AC can always provide Web service at whatever.3322.org.
Configuring PPPoE
Support for PPPoE depends on the device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."
Overview
Point-to-Point Protocol over Ethernet (PPPoE) uses the client/server model. It establishes point-to-point links over Ethernet, and encapsulates PPP packets in Ethernet frames.
Configuring a PPPoE client
1. Select Network > PPPoE from the navigation tree. The system automatically enters the Client page.
Figure 221 PPPoE client information
2. Click Add to enter the page for creating a PPPoE client.
Figure 222 Creating a PPPoE client
3. Configure the parameters for the PPPoE client, as described in Table 84.
4. Click Apply.
Table 84 Configuration items
Item | Description
Dialer Interface | Configure the number of the dialer interface.
Username | Configure the username and password used by the PPPoE client in authentication.
Password | The username and password must be configured together, or not configured at all.
IP Config | Configure the way the dialer interface obtains its IP address:
• None—Does not configure an IP address.
• Static Address—Statically configures an IP address and subnet mask for the interface.
Figure 223 Statistics
Table 85 Field description
Field | Description
Interface | Ethernet interface where the PPPoE session belongs. This field is null when the PPPoE session is bundled with a VLAN interface.
Session Number | PPPoE session ID.
Received Packets | Number of received packets in the PPPoE session.
Received Bytes | Number of received bytes in the PPPoE session.
Dropped Packets (Received) | Number of dropped packets which are received in the PPPoE session.
Figure 224 Summary
Table 86 Field description
Field | Description
Session Number | PPPoE session ID.
Dialer Interface Number | Number of the dialer interface corresponding to the PPPoE session.
Interface | Ethernet interface where the PPPoE session belongs. This field is null when the PPPoE session is bundled with a VLAN interface.
Client-MAC | MAC address of the PPPoE client.
Server-MAC | MAC address of the PPPoE server.
PPPoE session state:
• IDLE—PPPoE client negotiation is not performed.
Configuring the PPPoE client
1. Configure the PPPoE client:
a. Select Network > PPPoE from the navigation tree. The system automatically enters the Client page.
b. Click Add. The page for creating a PPPoE client appears, as shown in Figure 226.
c. Enter 1 as the dialer interface name.
d. Enter user1 as the username.
e. Enter hello as the password.
f. Select PPP Negotiate for IP config.
g. Select Vlan-interface1 for Bundled Interface.
h. Select Always Online for Session Type.
i. Click Apply.
1. Select Network > PPPoE from the navigation tree of the AC, and click the Session tab.
2. Select Summary Information for Information Type. Figure 227 shows that the PPP session is completed.
Managing services
Overview
The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed to enhance the performance and security of the system, and achieve secure management of the device. To prevent attacks of illegal users on services, the service management module allows you to do the following configurations:
• Modify HTTP and HTTPS port numbers.
• Associate the FTP, HTTP, or HTTPS service with an ACL.
• Define a certificate attribute-based access control policy for the device to control the access rights of clients, to avoid attacks from illegal clients.
Configuring service management
1. Select Network > Service from the navigation tree to enter the service management configuration page.
Figure 228 Service management
2. Enable or disable various services on the page, as described in Table 87.
3. Click Apply.
Item | Description
Port Number | Set the port number for HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. IMPORTANT: When you modify a port, make sure the port is not used by another service.
ACL | Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP.
Enable HTTPS service |
Using diagnostic tools
Ping
You can use the ping function to check whether a device with a specified address is reachable, and to examine network connectivity. A successful execution of the ping command includes the following steps:
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.
3.
Ping operation
IPv4 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Click the expansion button before Advanced Setup to display the configurations of the advanced parameters of IPv4 ping operation.
Figure 229 IPv4 ping configuration page
3. Enter the IPv4 address or host name of the destination device in the Destination IP address or host name field.
4. Set the advanced parameters for the IPv4 ping operation.
5.
Figure 230 IPv4 ping operation results
IPv6 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree.
2. Click the IPv6 Ping tab to enter the IPv6 ping configuration page.
3. Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping operation.
4. Enter the IPv6 address or host name of the destination device in the Destination IP address or host name field.
5. Set the advanced parameters for the IPv6 ping operation.
6. Click Start to execute the ping command.
7. View the result in the Summary field.
Figure 232 IPv6 ping operation results
Trace route operation
The Web interface does not support trace route on IPv6 addresses.
Figure 233 Trace Route configuration page
3. Enter the destination IP address or host name in the field.
4. Click Start to execute the trace route command.
5. View the result in the Summary field.
Configuring NAT
Overview
Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to another IP address. NAT enables a large number of private users to access the Internet by using a small number of public IP addresses. NAT effectively alleviates the depletion of IP addresses. A private IP address is used only in an internal network, and a public or external IP address is used on the Internet and is globally unique.
b. Looks up its NAT table for the mapping.
c. Replaces the destination address with the private address of 192.168.1.3.
d. Sends the new packet to the internal host.
The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As a result, NAT hides the private network from external networks.
The number of public IP addresses that a NAT device needs is usually less than the number of internal hosts because not all internal hosts access external networks simultaneously. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.
NAPT
Network Address Port Translation (NAPT) is a variation of basic NAT.
In Figure 237, when the NAT device receives a packet destined for the public IP address of the internal server, it performs the following actions:
1. Looks up the NAT entries.
2. Translates the destination address and port number in the packet to the private IP address and port number of the internal server.
Low-priority address pool
An address pool is a set of consecutive public IP addresses used for dynamic NAT. A NAT gateway selects addresses from the address pool and uses them as the translated source IP addresses. To implement NAT for stateful failover (asymmetric-path), you must configure the same address pool on both devices so that one device can take over when the other device fails.
Table 88 Dynamic NAT configuration task list
Task | Remarks
Creating an address pool | Required for configuring NAPT and many-to-many NAT.
Configuring dynamic NAT | Required. Configure dynamic NAT on an interface.

Static NAT
Mappings between external and internal network addresses are manually configured. Static NAT can meet fixed access requirements of a few users.
Table 89 Static NAT configuration task list
Task | Remarks
Creating a static address mapping |
Enabling static NAT on an interface | Required.
Figure 239 Dynamic NAT
TIP: You can click the ID link of an ACL to view details about the ACL, and create and delete ACL rules. For more information about ACL configuration, see "Configuring ACLs."
2. Click Add in the Address Pool area. The Add NAT Address Pool page appears.
Figure 240 Adding a NAT address pool
3. Create an IP address pool, as described in Table 90.
4. Click Apply.
Table 90 Configuration items
Item | Description
Index | Specify the index of an address pool.
Item | Description
Low priority | Configure the address pool as a low-priority or a non low-priority address pool. IMPORTANT: This configuration item is applicable for asymmetric-path stateful failover only. The low priority settings for the local and peer devices must be different.

Configuring dynamic NAT
1. Select Network > NAT from the navigation tree. The Dynamic NAT page appears.
2. Click Add in the Dynamic NAT area to enter the Add Dynamic NAT page.
Figure 241 Adding dynamic NAT
3.
Item | Description
Address Transfer | Select an address translation mode:
• PAT—Refers to NAPT. In this mode, associating an ACL with an address pool translates both IP addresses and port numbers.
• No-PAT—Refers to many-to-many NAT. In this mode, associating an ACL with an address pool translates only IP addresses.
• Easy IP—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address, and uses an ACL to match IP packets.
2. Click Add in the Static Address Mapping area. The Add Static Address Mapping page appears.
Figure 243 Adding static address mapping
3. Configure a static address mapping, as described in Table 92.
4. Click Apply.
Table 92 Configuration items
Item | Description
Internal IP Address | Enter an internal IP address for the static address mapping.
Global IP Address | Enter a public IP address for the static address mapping.
Mask | Enter a mask for the IP address.
3. Enable static NAT on an interface, as described in Table 93.
4. Click Apply.
Table 93 Configuration items
Item | Description
Interface Name | Select an interface to which static NAT is applied.
Enable track to VRRP | Configure whether to associate static NAT on an interface with a VRRP group, and specify the VRRP group to be associated.
Figure 246 Adding an internal server
4. Configure the internal server, as described in Table 94.
5. Click Apply.
Configuring advanced internal server settings
1. Click Advanced in the page shown in Figure 247. The Advanced Configuration page appears.
Figure 247 Internal server advanced configuration
2. Configure the internal server, as described in Table 94.
3. Click Apply.
Table 94 Configuration items
Item | Description
Interface | Specify an interface to which the internal server policy is applied.
Protocol Type | Select the protocol to be carried by IP (only available in advanced configuration). Select from the drop-down list.
External IP Address | For advanced configuration, if the selected protocol type is neither 6(TCP) nor 17(UDP), you can only specify a mapping between an internal IP address and an external IP address.
Item | Description
Enable track to VRRP | Configure whether to associate the internal server on an interface with a VRRP group, and specify the VRRP group to be associated.
VRRP Group | When two network devices deliver both stateful failover and dynamic NAT, follow these guidelines:
• Make sure the public address of an internal server on an interface is associated with only one VRRP group. Otherwise, the system associates the public address with the VRRP group having the highest group ID.
NAT configuration examples
Address translation configuration example
Network requirements
As shown in Figure 249, a company has three public IP addresses ranging from 202.38.1.1/24 to 202.38.1.3/24, and a private network segment of 10.110.0.0/16. Specifically, the company requires that the internal users on subnet 10.110.10.0/24 can access the Internet through NAT.
Figure 249 Network diagram
Configuring the AC
1. Configure an ACL 2001 to permit internal users in subnet 10.110.10.
Figure 251 Configuring ACL 2001 to permit users on network 10.110.10.0/24 to access the Internet
To prohibit other users from accessing the Internet:
a. Select Deny for Action, as shown in Figure 252.
b. Click Add.
Figure 252 Configuring ACL 2001 to prohibit other users from accessing the Internet
2. Configure a NAT address pool 0, including public addresses of 202.38.1.2 and 202.38.1.3.
a. Select Network > NAT from the navigation tree. The Dynamic NAT page appears.
b. Click Add in Address Pool.
Figure 253 Configuring NAT address pool 0
3. Configure dynamic NAT:
a. Click Add in the Dynamic NAT area. The Add Dynamic NAT page appears.
b. Select Vlan-interface2 for Interface and enter 2001 for ACL.
c. Select PAT for Address Transfer.
d. Enter 0 for Address Pool Index.
e. Click Apply.
Figure 254 Configuring dynamic NAT

Internal server configuration example
Network requirements
As illustrated in Figure 255, a company provides two Web servers and one FTP server for external users to access.
• External hosts can access internal servers using public address 202.38.1.1/24.
• Port 8080 is used for Web server 2.
Figure 255 Network diagram
Configuring the internal server
1. Configure the FTP server:
a. Select Network > NAT from the navigation tree.
b. Click the Internal Server tab.
c. Click Add in the Internal Server area. The Add Internal Server page appears.
d. Select Vlan-interface2 for Interface.
e. Select the Assign IP Address option, and enter 202.38.1.1.
f.
2. Configure Web server 1:
a. Click Add in the Internal Server area. The Add Internal Server page appears.
b. Select Vlan-interface2 for Interface.
c. Select the Assign IP Address option, and enter 202.38.1.1.
d. Select the first option for Global Port and enter 80.
e. Enter 10.110.10.1 for Internal IP.
f. Select www for Service Type.
g. Click Apply.
Figure 257 Configuring internal Web server 1
3. Configure Web server 2:
a. Click Add in the Internal Server area. The Add Internal Server page appears.
b.
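The two examples above combine an ACL, an address pool in PAT mode and internal-server mappings; the added Python model below shows how those pieces decide what happens to an outbound packet from an internal host and to an inbound packet arriving on a public address. It is not the device's NAT implementation. ACL 2001 (permit 10.110.10.0 0.0.0.255, deny the rest), pool 0 (202.38.1.2 to 202.38.1.3) and the 202.38.1.1:80 to 10.110.10.1 mapping are the page's values; the port range, Web server 2's private address (10.110.10.2), the outside addresses (203.0.113.x) and the rule that an ACL miss means no translation are constructed assumptions.

```python
# Added illustration, not the device's NAT implementation: NAPT (PAT mode)
# driven by an ACL and an address pool, plus internal-server mappings for
# unsolicited inbound connections. Page values: ACL 2001, pool 0, the
# 202.38.1.1:80 -> 10.110.10.1 mapping. Constructed: port range, Web server
# 2's private address, outside addresses, "ACL miss = no translation".
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]                 # (proto, ip, port)
Packet = Tuple[str, str, int, str, int]    # (proto, src_ip, src_port, dst_ip, dst_port)


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Basic ACL rule test: bits set to 1 in the wildcard are 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i | wc_i) == (base_i | wc_i)


@dataclass
class AclRule:
    action: str                           # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"     # default: any source


def acl_permits(rules: List[AclRule], src_ip: str) -> bool:
    """First matching rule decides; no match is treated as deny (assumption)."""
    for rule in rules:
        if wildcard_match(src_ip, rule.source, rule.wildcard):
            return rule.action == "permit"
    return False


class Napt:
    def __init__(self, acl: List[AclRule], pool: List[str],
                 port_range: Tuple[int, int] = (1024, 65535)):
        self.acl = acl
        self.pool = pool                                   # public addresses of the pool
        self.port_lo, self.port_hi = port_range
        self.allocated = 0                                 # (ip, port) pairs handed out so far
        self.out_table: Dict[Key, Tuple[str, int]] = {}    # private (proto, ip, port) -> public
        self.in_table: Dict[Key, Tuple[str, int]] = {}     # public (proto, ip, port) -> private
        self.servers: Dict[Key, Tuple[str, int]] = {}      # internal server: global -> internal

    def add_internal_server(self, proto: str, global_ip: str, global_port: int,
                            internal_ip: str, internal_port: int) -> None:
        self.servers[(proto, global_ip, global_port)] = (internal_ip, internal_port)

    def _allocate(self) -> Optional[Tuple[str, int]]:
        # Round-robin over the pool, then advance the port: reusing each public
        # address with a fresh port is what lets two addresses serve a /24.
        ip = self.pool[self.allocated % len(self.pool)]
        port = self.port_lo + self.allocated // len(self.pool)
        if port > self.port_hi:
            return None                                    # pool exhausted
        self.allocated += 1
        return ip, port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an internal host's packet; None means it is not translated."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        if not acl_permits(self.acl, src_ip):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.out_table:
            pub = self._allocate()
            if pub is None:
                return None
            self.out_table[key] = pub
            self.in_table[(proto, pub[0], pub[1])] = (src_ip, src_port)
        pub_ip, pub_port = self.out_table[key]
        return (proto, pub_ip, pub_port, dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside on a public address."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        # Static internal-server entries first, then replies to NAPT sessions.
        target = (self.servers.get((proto, dst_ip, dst_port))
                  or self.in_table.get((proto, dst_ip, dst_port)))
        if target is None:
            return None                                    # no entry: nothing inside is reachable
        return (proto, src_ip, src_port, target[0], target[1])


def build_example_nat() -> Napt:
    """Wires up the address translation and internal server examples above."""
    acl_2001 = [AclRule("permit", "10.110.10.0", "0.0.0.255"), AclRule("deny")]
    nat = Napt(acl_2001, pool=["202.38.1.2", "202.38.1.3"])
    nat.add_internal_server("tcp", "202.38.1.1", 80, "10.110.10.1", 80)      # Web server 1 (page)
    nat.add_internal_server("tcp", "202.38.1.1", 8080, "10.110.10.2", 8080)  # Web server 2 (internal address constructed)
    return nat
```

The inbound path is the security-relevant half: only addresses and ports with an internal-server entry, or with a live NAPT session created from inside, are reachable from the outside, which is why an accidental internal-server entry on a public address exposes exactly that internal host and port.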
Figure 258 Configuring internal Web server 2
Configuring ALG
Application Level Gateway (ALG) processes the payload information of application layer packets to make sure data connections can be established. Usually, NAT translates only IP address and port information in packet headers and does not analyze fields in application layer payloads. However, the packet payloads of some protocols may contain IP address or port information, which might cause problems if not translated.
Figure 259 ALG-enabled FTP application in passive mode (labels from the figure: inside network, Host; Device with FTP-ALG enabled, NAT; outside network, FTP server. Message flow: FTP_CMD("PASV") from host to server; FTP_EnterPassive("IP1, Port1") from server; ALG translates IP1, Port1 to IP2, Port2; FTP_EnterPassive("IP2, Port2") to host; FTP_Connect(IP2, Port2) from host is translated to FTP_Connect(IP1, Port1).)
The communication process includes the following steps:
1. Establishing a control connection. The host sends a TCP connection request to the server.
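The rewriting step in Figure 259 is the part a plain NAT cannot do, because the address and port are inside the FTP control-channel payload. The added Python example below shows that step: parsing the server's 227 reply, replacing IP1,Port1 with IP2,Port2, and recording the mapping so the host's data connection to IP2:Port2 can be translated back. It is not the device's ALG code and is written for the case where the FTP server is the internal server, as in the FTP ALG configuration example below (server 192.168.1.2, global address 5.5.5.10); the 227 line, the data port and the sequential port allocation are constructed assumptions.

```python
# Added illustration of the FTP passive-mode ALG rewrite (Figure 259), not the
# device's ALG code. Server 192.168.1.2 / global 5.5.5.10 follow the FTP ALG
# configuration example; the 227 line and the port allocation are constructed.
import re
from typing import Dict, Optional, Tuple

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) carried by a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None                                  # malformed octet or port byte
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_pasv(ip: str, port: int) -> str:
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    def __init__(self, server_map: Dict[str, str], data_port_base: int = 1024):
        self.server_map = server_map                 # internal server IP -> global IP
        self.next_port = data_port_base              # assumption: sequential allocation
        self.data_map: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (IP2, Port2) -> (IP1, Port1)

    def translate_server_reply(self, line: str) -> str:
        """Rewrite a 227 reply from an internal server; any other line passes through."""
        pasv = parse_pasv(line)
        if pasv is None or pasv[0] not in self.server_map:
            return line                              # not a PASV reply, or not our server
        priv_ip, priv_port = pasv                    # IP1, Port1 (private, unreachable from outside)
        pub_ip = self.server_map[priv_ip]            # IP2
        pub_port = self.next_port                    # Port2
        self.next_port += 1
        self.data_map[(pub_ip, pub_port)] = (priv_ip, priv_port)
        ending = line[len(line.rstrip("\r\n")):]     # keep the original line ending
        return format_pasv(pub_ip, pub_port) + ending

    def translate_data_connect(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Where the host's data connection to (IP2, Port2) is forwarded, or None."""
        return self.data_map.get((dst_ip, dst_port))
```

Without the ALG the host would receive the untranslated private address and port, and a connection to the public address would hit no NAT entry, which is exactly the failed data connection the overview describes. Note that the parser rejects out-of-range octets rather than rewriting them, so a malformed reply simply passes through without creating a mapping.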
Configuration procedure
By default, ALG is enabled for all protocols. To enable ALG for protocols:
1. Select Network > ALG from the navigation tree. The Application Layer Inspection page appears.
Figure 260 ALG configuration
2. Add target application protocols to the Selected Application Protocols list to enable ALG for them.
3. Click Apply.
Figure 261 Network diagram (labels from the figure: Internet; 192.168.1.1/24; FTP server; AC; Vlan-int1 5.5.5.1/24; Host; Local: 192.168.1.2; Global: 5.5.5.10)
Configuration procedure
1. Enable ALG for FTP. (By default, ALG is enabled for FTP, and this step can be skipped.)
a. Select Network > ALG from the navigation tree.
b. Add ftp to the Selected Application Protocols list, as shown in Figure 262.
c. Click Apply.
Figure 262 Enabling ALG for FTP
2. Configure ACL 2001:
a. Select QoS > ACL IPv4 from the navigation tree.
b.
Figure 263 Adding basic ACL
e. Click the Basic Setup tab.
f. Select 2001 for ACL.
g. Select Permit for Action, as shown in Figure 264.
h. Click Apply.
Figure 264 Configuring a rule for basic ACL
3. Configure the NAT address pool:
a. Select Network > NAT from the navigation tree. The Dynamic NAT page appears.
b. Click Add in the Address Pool area. The Add NAT Address Pool page appears.
c. Enter 1 for Index.
d. Enter 5.5.5.9 for Start IP Address.
e. Enter 5.5.5.11 for End IP Address.
f. Click Apply.
Figure 265 Adding a NAT address pool
4. Configure dynamic NAT:
a. Click Add in the Dynamic NAT area. The Add Dynamic NAT page appears.
b. Select Vlan-interface1 for Interface.
c. Enter 2001 for ACL.
d. Select PAT for Address Transfer.
e. Enter 1 for Address Pool Index.
f. Click Apply.
Figure 266 Configuring dynamic NAT
5. Configure an internal FTP server:
a. Select Network > NAT from the navigation tree.
b. Click the Internal Server tab.
c. Click Add in the Internal Server area.
g. Enter 192.168.1.2 for Internal IP.
h. Select ftp for Service Type.
i. Click Apply.
Figure 267 Adding an internal FTP server

SIP ALG configuration example
Network requirements
As shown in Figure 268, a company uses the private network segment 192.168.1.0/24, and has four public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. SIP UA 1 is on the internal network and SIP UA 2 is on the outside network.
c. Click Apply.
Figure 269 Enabling ALG for SIP
2. Configure ACL 2001:
a. Select QoS > ACL IPv4 from the navigation tree.
b. Click the Add tab.
c. Enter 2001 for ACL Number, as shown in Figure 270.
d. Click Apply.
Figure 270 Adding basic ACL
e. Click the Basic Setup tab.
f. Select 2001 for ACL, and Permit for Action. Select the Source IP Address box and enter 192.168.1.0. Enter 0.0.0.255 for Source Wildcard, as shown in Figure 264.
g. Click Add.
Figure 271 Configuring an ACL rule to permit packets sourced from 192.168.1.0/24
To prohibit other users from accessing the Internet:
a. Select Deny for Action, as shown in Figure 272.
b. Click Add.
Figure 272 Configuring an ACL rule to deny packets
3. Configure the NAT address pool:
a. Select Network > NAT from the navigation tree. The Dynamic NAT page appears.
b. Click Add in the Address Pool area. The Add NAT Address Pool page appears.
c. Enter 1 for Index.
d. Enter 5.5.5.9 for Start IP Address.
e.
Figure 273 Adding a NAT address pool
4. Configure dynamic NAT:
a. Click Add in the Dynamic NAT area. The Add Dynamic NAT page appears.
b. Select Vlan-interface2 for Interface.
c. Enter 2001 for ACL.
d. Select PAT for Address Transfer.
e. Enter 1 for Address Pool Index.
f. Click Apply.
Figure 274 Configuring dynamic NAT

NBT ALG configuration example
Network requirements
As shown in Figure 275, a company using the private network segment 192.168.1.0/24 wants to provide NBT services to the outside.
• The WINS server uses 5.5.5.10 as its external IP address.
• Host B can access the WINS server and Host A by using host names.
Figure 275 Network diagram
Configuration procedure
1. Enable ALG for NBT. (By default, ALG is enabled for NBT, and this step can be skipped.)
a. Select Network > ALG from the navigation tree.
b. Add nbt to the Selected Application Protocols list.
c. Click Apply.
Figure 276 Enabling ALG for NBT
2. Configure static NAT:
a. Select Network > NAT from the navigation tree.
b.
e. Enter 5.5.5.9 for Global IP Address.
f. Click Apply.
Figure 277 Adding a static address mapping
3. Configure static NAT for an interface:
a. Click Add in the Interface Static Translation area.
b. Select Vlan-interface2 for Interface Name, as shown in Figure 278.
c. Click Apply.
Figure 278 Configuring static NAT for an interface
4. Configure an internal WINS server:
a. Select Network > NAT > Internal Server from the navigation tree.
b. Click the Internal Server tab.
c.
Figure 279 Configuring an internal WINS server
j. Click Add in the Internal Server area. Configure an internal WINS server, which is similar to the configuration shown in Figure 279.
k. Click Advanced Configuration.
l. Select Vlan-interface2 for Interface.
m. Select 17(UDP) as the protocol type.
n. Enter 5.5.5.10 as the external IP address and 138 as the global port.
o. Enter 192.168.1.2 as the internal IP address and 138 as the internal port.
p. Click Apply.
q. Click Add in the Internal Server area.
Configuring APs
AC-AP tunnel
As shown in Figure 280, an AC and an AP establish a data tunnel to forward data packets and a control tunnel to forward control packets used for AP configuration and management. The AC can automatically configure and manage APs based on the information provided by the administrator.
Figure 280 Network diagram
Auto AP
The auto AP feature enables an AC to automatically associate with APs. It can greatly reduce your workload when you deploy a wireless network with many APs.
When you delete an AP from an AP group (equal to adding the AP to the default AP group) or add an AP to an AP group, the AP restarts, and clears its configuration except the serial number. After the AP is added to the new AP group, the AP uses the configuration of the new AP group. The following operations might fail on some member APs:
• Select 5 GHz wireless services.
• Select 2.4 GHz wireless services.
• Enable a 5 GHz radio.
• Enable a 2.4 GHz radio.
• Set a working mode.
Figure 282 Adding an AP
3. Create the AP as described in Table 96.
4. Click Apply.
Table 96 Configuration items
Item | Description
AP Name | Set the AP name.
Model | AP model.
Serial ID | Specify the serial ID:
• Auto—Use the auto serial ID function together with the auto AP function. For more information about configuring auto AP, see "Configuring auto AP."
• Manual—Enter an AP serial ID.
By default, Auto is used.

Setting AP parameters
1. Select AP > AP Setup from the navigation tree.
2.
Figure 283 AP setup
3. Configure the AP as described in Table 97.
4. Click Apply.
Table 97 Configuration items
Item | Description
AP Name | Rename the AP.
Select a country/region code. By default, no country/region code is configured for an AP, and the global country/region code applies. If both country/region code and global country/region code are configured, the AP uses its own country/region code. For how to configure the global country/region code, see "Configuring advanced settings.
Item | Description
Radio Type | Select the radio type, which can be one of the following values:
• 802.11a
• 802.11b
• 802.11g
• 802.11n (2.4 GHz)
• 802.11n (5 GHz)
The value depends on the AP model and radio type.
Serial ID | Specify the serial ID:
• Auto—Use the auto serial ID function together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."
• Manual—Enter an AP serial ID.
IMPORTANT: A serial ID uniquely identifies an AP.
Figure 284 Advanced setup
4. Configure advanced settings for the AP as described in Table 98.
5. Click Apply.
Table 98 Configuration items
Item | Description
AP Connection Priority | Specify the AP connection priority on the AC. A greater value represents a higher priority. This option needs to be used together with the AC backup function. For more information about AC backup, see "Configuring advanced settings."
• Enable—Enable the AP to respond to broadcast probe requests.
Item | Description
Configuration File | Specify a name for the configuration file (the file must exist in the storage medium of the AC) and map the specified configuration file to the AP. The configuration file takes effect when the tunnel is in Run state. When the configuration file takes effect, the AP uses the commands in the configuration file, but does not save the configuration. When local forwarding is enabled, you can use the configuration file to configure the AP.
Item Description Remote AP provides a wireless solution for remote branches and offices. It enables you to configure and control remote APs from the headquarters over the Internet without deploying an AC in each office or branch. As shown in the figure below, the AC manages the remote APs over the Internet.
Item | Description
Bonjour Gateway | • Enable—Enable Bonjour gateway for the AP.
• Disable—Disable Bonjour gateway for the AP.
By default, Bonjour gateway is enabled for the AP. Bonjour gateway takes effect only after you enable it both globally and for an AP. You can enable Bonjour gateway for the AP on the AP > AP Setup or AP > AP Group page, and enable Bonjour gateway globally on the Advanced Setup > Bonjour Gateway page.
Bonjour Policy | Apply the specified Bonjour policy.
Figure 285 Configuring auto AP
b. Enable auto AP as described in Table 99.
c. Click Apply.
Table 99 Configuration items
Auto AP:
• Enable—Enable the auto AP function. You must also select Auto from the Serial ID list on the AP setup page to use the auto AP function.
• Disable—Disable the auto AP function.
By default, the auto AP function is disabled.
IMPORTANT: For network security, disable the auto AP function after all APs have connected to the AC. While it is enabled, any AP that can reach the AC is accepted unless auto-AP authentication is also configured (see "Configuring auto-AP authentication").
• Local auto-AP authentication In local authentication mode, the AC directly authenticates APs by serial ID or by MAC address, and uses the ACL option to specify the ACL rules for authenticating auto APs. Assume you adopt local authentication by serial ID. When an auto AP connects to the AC, the AC uses the serial ID of the AP to match ACL rules. If the serial ID matches a permit rule, the auto AP passes the authentication and connects to the AC.
Table 100 Configuration items
AP Authentication:
• Enable—Enable the auto-AP authentication function.
• Disable—Disable the auto-AP authentication function.
By default, auto APs are not authenticated.
IMPORTANT:
• Auto-AP authentication takes effect only on auto APs.
• Auto-AP authentication does not take effect on auto APs that are already online.
Authenticate Method:
• MAC Address—The AC authenticates APs by MAC address.
• Serial ID—The AC authenticates APs by serial ID.
Figure 287 Enabling unauthenticated auto APs to pass authentication and provide WLAN services • Click Accept to change the status of an auto AP to Permitted and add the MAC address or serial ID of the auto AP to the specified ACL number. The system generates a permit rule. • Click Reject to deny the access of an unauthenticated auto AP and add the MAC address or serial ID of the auto AP to the specified ACL number. The system generates a deny rule.
Figure 289 Renaming an AP
2. Select AP Rename, and enter a new AP name.
3. Click Apply.
Converting an auto AP to a configured AP
The configured APs are named by their MAC addresses. To convert an auto AP to a configured AP:
1. Select the boxes for the target auto APs when the auto APs appear on the Web interface of the AC.
2. Click Persistent.
Figure 290 Converting an auto AP to a configured AP
Enabling converting auto APs to configured APs
1. Select AP > Auto AP from the navigation tree.
2.
Table 101 Configuration items
Auto Persistent:
• Enable—Enable the function.
• Disable—Disable the function.
By default, this function is disabled. This option takes effect only for auto APs that go online after it is enabled. To convert auto APs that are already online to configured APs, use one of the two methods described above.
Configuring an AP group
Creating an AP group
1. Select AP > AP Group from the navigation tree.
2. Click Add.
Figure 292 Creating an AP group
3.
For an auto AP that is already in the default group default_group, if its IP address matches the subnet of a non-default AP group, the AC moves it to that AP group.
Configuration procedure
1. Select AP > AP Group from the navigation tree.
2. Click the icon for the target AP group.
Figure 293 Configuring the IP address match criteria for an AP group
3. Configure the IP address match criteria as described in Table 102.
4. Click Apply.
Figure 294 Adding an AP into an AP group
3. Configure the AP group as described in Table 103.
4. Click Apply.
Table 103 Configuration items
AP Group Name: Displays the name of the selected AP group.
Description: Select this option to configure a description for the AP group.
Add an AP into an AP group:
• To add APs to the Selected AP List, click the APs to be added to the AP group, and click the << button in the AP List area.
The following operations might fail on some member APs:
• Select 5 GHz wireless services.
• Select 2.4 GHz wireless services.
• Enable a 5 GHz radio.
• Enable a 2.4 GHz radio.
• Set a working mode.
• Set a country/region code.
Configuring basic settings
1. Select AP > AP Group from the navigation tree.
2. Click the icon for the target AP group.
Figure 295 Configuring basic settings
3. Configure the AP group as described in Table 104.
4. Click Apply.
Table 104 Configuration items
AP Group Name: Name of the specified AP group.
Description: Select this option to configure a description for the AP group.
Selected 5GHz Wireless Service List: Bind a wireless service to the 5 GHz radio. You can bind a wireless service to the radio of the AP on the AP > AP Group page and then on the Wireless Service > Access Service page. However, the total number of wireless services bound to the radio on the two pages cannot exceed the maximum number of wireless services allowed by the radio.
Bind a wireless service to the 2.4 GHz radio. Selected 2.
Configuring advanced settings
Figure 296 Configuring advanced settings
Table 105 Configuration items
For more information about the configuration items not listed in the table, see Table 97 and Table 98.
A member AP uses the country/region code of the AP group unless the AP does not support that code. In that case, the AP uses the global country/region code.
Configure the work mode:
• Normal—An AP operating in normal mode forwards user data but does not perform monitoring.
Statistics Interval: Configure the interval at which an AP sends statistics reports. The statistics report covers radio decryption errors, radio statistics, and so on.
Version Upgrade: Configure the AP version upgrade function. You can configure the AP version upgrade function on the Advanced Setup > AC Setup, AP > AP Group, or AP > AP Setup page. You can upgrade specified APs by configuring AP version upgrade functions on different pages.
Figure 298 Configuring a user profile
6. Configure the user profile as described in Table 106.
7. Click Apply.
For more information about user profiles, see "Configuring users."
Table 106 Configuration item
AP Group list permitted: Specify the AP groups permitted in the user profile. Select the AP groups in the AP group list and click the << button to add them to the Selected AP group list. The available AP groups are the AP groups you configured on the page you enter by selecting AP > AP Group.
Figure 300 Creating an AP 2. Configure wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click Add. c. On the page that appears, set the service name to service1, select the wireless service type Clear, and click Apply. Figure 301 Creating a wireless service 3. Enable the wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Select the service1 box. c. Click Enable.
4. Bind an AP to a wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service service1 to enter the page for binding an AP. c. Select the box before ap with radio mode 802.11n (2.4 GHz). d. Click Bind. Figure 303 Binding an AP e. Select AP > AP Setup from the navigation tree. You can see that the AP is in IDLE state. Figure 304 AP status before auto AP is enabled 5. Enable 802.11gn radio a.
Figure 305 Enabling 802.11gn radio 6. Enable auto AP a. Select AP > Auto AP from the navigation tree. b. Select Enable from the Auto AP list. c. Click Apply. Figure 306 Configuring auto AP d. After enabling auto AP, click Refresh to view the auto AP. Figure 307 Viewing the auto AP Verifying the configuration • Select AP > AP Setup from the navigation tree. You can see that the AP is in run state. • The client can successfully associate with the AP and access the WLAN network.
Figure 308 Viewing the online clients Auto-AP authentication configuration example Network requirements As shown in Figure 309, enable the auto-AP function, and configure auto-AP authentication on the AC to permit AP 1 and deny AP 2. Use the DHCP server to assign IP addresses to authenticated APs. Use the RADIUS server to authenticate the unauthenticated AP (AP 3 in this example). The serial IDs of AP 1, AP 2, and AP 3 are CN2AD330S7, CN2AD330S8, and CN2AD330S9, respectively.
Figure 310 Creating ACL 202 2. Configure a permit rule to allow AP 1 with the serial ID CN2AD330S7 and a deny rule to deny AP 2 with the serial ID CN2AD330S8. a. Select QoS > ACL IPv4 from the navigation tree. b. Click the Wireless Setup tab. c. Select 202 from the ACL list and add two ACL rules as shown in Figure 311. d. Click Apply. Figure 311 Configuring ACL rules 3. Configure the auto AP function: a. Select AP > Auto AP from the navigation tree. b. Select Enable for Auto AP. c.
Figure 312 Configuring auto AP 4. Display the auto AP status: To display auto AP status, click Refresh. Figure 313 Displaying auto AP status 5. Enable the unauthenticated auto AP to pass authentication and provide WLAN services: a. Select the box to the left of the target AP. b. Click Accept.
Figure 314 Enabling the unauthenticated auto AP to pass authentication and provide WLAN services Verifying the configuration • AP 1 matches the permit rule, so it can connect to the AC. • AP 2 matches the deny rule, so it cannot connect to the AC. • AP 3 does not match any rule, so it is authenticated by the remote RADIUS server. If it passes the authentication, it can connect to the AC to provide WLAN services.
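The decision the AC makes in this example (permit rule, deny rule, or no rule and therefore RADIUS) is easy to get wrong when ACL rules accumulate, so the following Python model replays it. This is an added illustration, not HP or H3C code: it assumes that wireless ACL rules are matched in ascending rule-ID order with the first match winning, that a match is an exact, case-insensitive comparison of the serial ID or MAC address, and that the RADIUS server can be replaced by a plain callable. The AP MAC addresses and the RADIUS stand-in are constructed for the example.

```python
"""Auto-AP authentication decision, modelled on the ACL-based flow described
in this section. Added example, not HP/H3C code; the MAC addresses and the
RADIUS stand-in are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    rule_id: int      # assumption: lower IDs are matched first
    action: str       # "permit" or "deny"
    match: str        # AP serial ID or MAC address, as typed in the rule


@dataclass
class WirelessAcl:
    number: int
    rules: List[AclRule] = field(default_factory=list)

    def add_rule(self, action: str, match: str) -> int:
        """Append a rule with the next free ID (what Accept/Reject do)."""
        next_id = max((r.rule_id for r in self.rules), default=-1) + 1
        self.rules.append(AclRule(next_id, action, match))
        return next_id

    def first_match(self, key: str) -> Optional[str]:
        """Action of the lowest-ID rule whose value equals key, or None."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.match.lower() == key.lower():
                return rule.action
        return None


def auth_key(ap: Dict[str, str], method: str) -> str:
    """Pick the attribute the configured Authenticate Method compares."""
    return ap["serial"] if method == "Serial ID" else ap["mac"]


def authenticate_auto_ap(acl: WirelessAcl, method: str, ap: Dict[str, str],
                         remote_auth: Callable[[str], bool]) -> str:
    """permit rule -> connected without asking RADIUS; deny rule -> rejected,
    RADIUS never asked; no rule -> the RADIUS stand-in decides (the AP 3 case)."""
    action = acl.first_match(auth_key(ap, method))
    if action == "permit":
        return "connected"
    if action == "deny":
        return "rejected"
    return "connected" if remote_auth(auth_key(ap, method)) else "rejected"


def accept(acl: WirelessAcl, method: str, ap: Dict[str, str]) -> int:
    """The Accept button: persist a permit rule for this AP."""
    return acl.add_rule("permit", auth_key(ap, method))


def reject(acl: WirelessAcl, method: str, ap: Dict[str, str]) -> int:
    """The Reject button: persist a deny rule for this AP."""
    return acl.add_rule("deny", auth_key(ap, method))


def run_example() -> Dict[str, str]:
    """Replays the configuration example: ACL 202, serial-ID authentication."""
    acl = WirelessAcl(202)
    acl.add_rule("permit", "CN2AD330S7")   # AP 1
    acl.add_rule("deny", "CN2AD330S8")     # AP 2
    aps = {   # constructed MAC addresses
        "AP 1": {"serial": "CN2AD330S7", "mac": "000f-e200-0001"},
        "AP 2": {"serial": "CN2AD330S8", "mac": "000f-e200-0002"},
        "AP 3": {"serial": "CN2AD330S9", "mac": "000f-e200-0003"},
    }
    radius_calls: List[str] = []

    def radius(key: str) -> bool:       # stand-in RADIUS: knows only AP 3
        radius_calls.append(key)
        return key == "CN2AD330S9"

    results = {name: authenticate_auto_ap(acl, "Serial ID", ap, radius)
               for name, ap in aps.items()}
    results["radius_consulted_for"] = ",".join(radius_calls)
    # After the operator clicks Accept on AP 3 a permit rule exists, so the next
    # connection attempt is decided locally without a RADIUS round trip.
    accept(acl, "Serial ID", aps["AP 3"])
    radius_calls.clear()
    results["AP 3 after Accept"] = authenticate_auto_ap(acl, "Serial ID", aps["AP 3"], radius)
    results["radius_consulted_after_accept"] = ",".join(radius_calls)
    return results


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

The point worth checking in a real deployment is the second half of run_example(): once Accept has written a permit rule, the AP is admitted by the ACL alone, so a later change on the RADIUS server no longer affects it. Review the wireless ACL, not only the RADIUS user list, when revoking an AP.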
Configuring access services Wireless Local Area Networks (WLAN) provide the following services: • Connectivity to the Internet • Secured WLAN access with different authentication and encryption methods • Seamless roaming of WLAN clients in a mobility domain Access service overview Terminology • Wireless client—A handheld computer or laptop with a wireless Network Interface Card (NIC) or a terminal supporting WiFi can be a WLAN client.
A wireless client periodically sends probe request frames and obtains wireless network information from received probe response frames. Active scanning includes the following modes:
• Active scanning without an SSID—The client periodically sends a probe request frame without an SSID on each of its supported channels. APs that receive the probe request send a probe response, which includes the available wireless network information. The client associates with the AP with the strongest signal.
Figure 318 Passive scanning
Authentication
To secure wireless links, APs perform authentication on wireless clients. A wireless client must pass authentication before it can access a wireless network. 802.11 defines two authentication methods: open system authentication and shared key authentication.
• Open system authentication
Open system authentication is the default authentication algorithm and is the simplest of the available authentication algorithms. It is a null authentication algorithm: every client that requests authentication is accepted, so with open system authentication the real access control comes from the security settings of the wireless service (for example 802.1X, MAC authentication, or a WPA/WPA2 pre-shared key), not from the 802.11 authentication exchange itself.
Figure 320 Shared key authentication process Association To access a wireless network through an AP, a client must associate with that AP. After the client passes authentication on the AP, the client sends an association request to the AP. The AP verifies the capability information in the association request to determine the capability supported by the wireless client. Then it sends an association response to notify the client of the association result.
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP provides the following advantages over WEP and gives the WLAN stronger protection:
• TKIP provides longer IVs to enhance encryption security. Compared with WEP, TKIP uses a 128-bit key with the RC4 encryption algorithm and increases the length of IVs from 24 bits to 48 bits.
• TKIP allows for dynamic key negotiation, which avoids static key configuration.
Both remain RC4-based. Where the clients support it, prefer the AES-CCMP cipher suite listed under Cipher Suite later in this chapter.
Figure 321 Local MAC authentication (the figure shows an AC, a Layer 2 switch, and an AP; the permitted MAC address list on the AC contains 0009-5bcf-cce3, 0011-9548-4007, and 000f-e200-00a2; clients 0009-5bcf-cce3 and 0011-9548-4007 are in the list, and client 001a-9228-2d3e is not)
Remote Authentication Dial-In User Service-based MAC authentication—When RADIUS-based MAC authentication is used, if the device finds that the current client is an unknown client, it sends an unsolicited authentication request to the RADIUS server.
channel and the other acting as the secondary channel. They can also work together as a 40-MHz channel, which provides a simple way to double the data rate.
Improving channel utilization
• 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the transmission overhead and the number of ACK frames, and improves network throughput.
Figure 323 Configuring access service
2. Click Add.
Figure 324 Creating a wireless service
3. Configure the wireless service as described in Table 107.
4. Click Apply.
Table 107 Configuration items
Wireless Service Name: Set the SSID, a case-sensitive string of 1 to 32 characters, which can contain letters, digits, underscores, and spaces. Set an SSID that is as unique as possible. For security, do not include the company name in the SSID.
Figure 325 Configuring clear-type wireless service
3. Configure basic settings for the clear-type wireless service as described in Table 108.
4. Click Apply.
Table 108 Configuration items
WLAN ID: Displays the selected WLAN ID.
Wireless Service: Displays the selected SSID.
Description: Specify a description for the wireless service. By default, no description is specified for a wireless service.
SSID Hide:
• Enable—Do not advertise the SSID in beacon frames.
• Disable—Advertise the SSID in beacon frames.
By default, the SSID is advertised in beacon frames.
IMPORTANT:
• If the advertisement of the SSID in beacon frames is disabled, the SSID must be configured on the clients for them to associate with the AP.
• Disabling the advertisement of the SSID in beacon frames does not improve wireless security. The SSID is still carried in clear text in the probe responses the AP sends and in the probe requests and association requests the clients send.
Figure 326 Configuring advanced settings for the clear-type wireless service 3. Configure advanced settings for the clear-type wireless service as described in Table 109. 4. Click Apply.
Table 109 Configuration items
• Remote Forwarding—The AC performs data forwarding. Centralized forwarding includes 802.3 centralized forwarding and 802.11 centralized forwarding. With 802.3 centralized forwarding, APs convert incoming 802.11 frames to 802.3 frames and tunnel the 802.3 frames to the AC. With 802.11 centralized forwarding, APs tunnel incoming 802.11 frames to the AC unchanged.
• Local Forwarding—APs forward data frames directly, without sending them to the AC.
• Active—The AP sends a beacon measurement request to the client. Upon receiving the request, the client broadcasts probe requests on all supported channels and sets a measurement duration timer. At the end of the measurement duration, the client compiles all received beacons and probe responses into a measurement report.
• Beacon-table—The AP sends a beacon measurement request to a client.
Configuring security settings for a clear-type wireless service 1. Select Wireless Service > Access Service from the navigation tree. 2. Click the icon for the target clear-type wireless service. Figure 327 Configuring security settings for the clear-type wireless service 3. Configure security settings for the clear-type wireless service as described in Table 110. 4. Click Apply.
TIP: There are multiple security modes. The following rules explain the port security mode names:
• userLogin indicates port-based 802.1X authentication.
• mac indicates MAC address authentication.
• The authentication mode before Else is used preferentially. If that authentication fails, the mode after Else might be used, depending on the protocol type of the packets to be authenticated.
• The authentication modes before Or and after Or have the same priority.
MAC Authentication: Select MAC Authentication.
Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication and authorization.
Mandatory Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication and authorization.
• Do not delete a domain name that is in use.
Figure 330 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken as an example)
Table 113 Configuration items
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes. MAC authentication has a higher priority than the userlogin-secure mode. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. When it receives an 802.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
Authentication Method:
• EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication.
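The mode-name rules in the TIP above (userLogin, mac, Else, Or) decide which authentication a port attempts for a given frame, and the difference between a non-802.1X frame and an EAPOL frame is exactly where operators misread mac-else-userlogin-secure. The following Python model decodes a mode name and replays the decision. It is an added example, not HP or H3C code. Its assumptions: 802.1X authentication can only run on an 802.1X (EAPOL) frame while MAC authentication can run on any frame; with Else, the second method is tried only when the first fails and the frame type allows it; with Or, the two methods have equal priority, so every applicable method is tried in the order listed. The token table METHODS and the frame flags are simplifications for illustration.

```python
"""Decode port security mode names into the authentication sequence a port
performs. Added example, not HP/H3C code; see the lead-in for assumptions."""
from typing import Dict, List, Tuple

# Tokens that can appear in a mode name and the method each denotes.
METHODS = {
    "mac": "mac",                       # MAC address authentication
    "userlogin-secure": "userlogin",    # port-based 802.1X
    "userlogin-secure-ext": "userlogin",
}


def parse_mode(mode: str) -> Tuple[List[str], str]:
    """'mac-else-userlogin-secure' -> (['mac', 'userlogin'], 'else')."""
    for joiner in ("-else-", "-or-"):
        if joiner in mode:
            left, right = mode.split(joiner, 1)
            return [METHODS[left], METHODS[right]], joiner.strip("-")
    return [METHODS[mode]], "single"


def applicable(method: str, is_dot1x_frame: bool) -> bool:
    """802.1X needs an EAPOL frame; MAC authentication works on any frame."""
    return method == "mac" or is_dot1x_frame


def authenticate(mode: str, is_dot1x_frame: bool,
                 mac_ok: bool, dot1x_ok: bool) -> Dict[str, object]:
    """Return the methods attempted, in order, and whether the client is admitted.

    mac_ok / dot1x_ok say what the AAA back end would answer for this client;
    the function only models *which* of them the port consults."""
    methods, joiner = parse_mode(mode)
    outcome = {"mac": mac_ok, "userlogin": dot1x_ok}
    attempted: List[str] = []

    if joiner == "else":
        first, second = methods
        if applicable(first, is_dot1x_frame):
            attempted.append(first)
            if outcome[first]:
                return {"attempted": attempted, "admitted": True}
        # Fall back only if the frame's protocol type permits the second method.
        if applicable(second, is_dot1x_frame):
            attempted.append(second)
            return {"attempted": attempted, "admitted": outcome[second]}
        return {"attempted": attempted, "admitted": False}

    # "or" and single-method modes: equal priority, try every applicable method.
    for method in methods:
        if applicable(method, is_dot1x_frame):
            attempted.append(method)
            if outcome[method]:
                return {"attempted": attempted, "admitted": True}
    return {"attempted": attempted, "admitted": False}


if __name__ == "__main__":
    for frame in (False, True):
        r = authenticate("mac-else-userlogin-secure", frame, mac_ok=False, dot1x_ok=True)
        print("802.1X frame" if frame else "non-802.1X frame", r)
```

The case to note is a client whose MAC is not in the list but whose 802.1X credentials are valid: under mac-else-userlogin-secure it is admitted only if it actually starts EAPOL, because a plain data frame never reaches the 802.1X branch.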
Configuring crypto-type wireless service
Configuring basic settings for a crypto-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target crypto-type wireless service.
Figure 331 Configuring crypto-type wireless service
3. Configure basic settings for the crypto-type wireless service as described in Table 108.
4. Click Apply.
Configuring advanced settings for a crypto-type wireless service
1.
Figure 332 Configuring advanced settings for the crypto-type wireless service 3. Configure advanced settings for the crypto-type wireless service as described in Table 114. 4. Click Apply.
Table 114 Configuration items
• Remote Forwarding—The AC performs data forwarding. Centralized forwarding comprises 802.3 centralized forwarding and 802.11 centralized forwarding. With 802.3 centralized forwarding, APs convert incoming 802.11 frames to 802.3 frames and tunnel the 802.3 frames to the AC. With 802.11 centralized forwarding, APs tunnel incoming 802.11 frames to the AC unchanged.
• Local Forwarding—APs forward data frames directly, without sending them to the AC.
Beacon-measurement Type:
• Active—The AP sends a beacon measurement request to the client. Upon receiving the request, the client broadcasts probe requests on all supported channels and sets a measurement duration timer. At the end of the measurement duration, the client compiles all received beacons and probe responses into a measurement report.
• Beacon-table—The AP sends a beacon measurement request to a client.
Fast Association:
• Enable—Enable fast association.
• Disable—Disable fast association.
By default, fast association is disabled. When fast association is enabled, the device does not perform band navigation and load balancing calculations for associating clients.
IP Verify Source: See "Configuring source IP address verification."
Configure the AP to deauthenticate the clients or drop the packets when it receives packets from unknown clients.
a. The client sends an association or a reassociation request to the AP. b. Upon receiving the request, the AP sends a response to inform the client that the request is denied and the client can associate later. The response contains an association comeback time specified by the pmf association-comeback command. c. The AP sends an SA Query request to the client. − If the AP receives an SA Query response within the timeout time, it determines that the client is online.
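The exchange above is the AP-side defence against a forged (re)association request that would otherwise tear down a protected client's session. The following Python model replays it with the SA Query timeout and retry counters that the next table configures. It is an added example, not HP or H3C code: timing is simulated with a counter instead of real timers, the client is replaced by a responder callable that either echoes the transaction identifier or returns None, and the branch in which every retry times out (the AP deletes the association so the genuine client can re-associate after the comeback time) follows IEEE 802.11w rather than anything stated on this page. The client MAC address is constructed.

```python
"""AP-side SA Query handling under management frame protection. Added example,
not HP/H3C code; timers are simulated and the client is a callable."""
import secrets
from typing import Callable, Dict, Optional

Responder = Callable[[int], Optional[int]]   # transaction ID -> echoed ID or None


class PmfAccessPoint:
    def __init__(self, sa_query_timeout_ms: int = 200,
                 sa_query_retry: int = 2, comeback_ms: int = 1000):
        self.sa_query_timeout_ms = sa_query_timeout_ms   # SA Query Timeout
        self.sa_query_retry = sa_query_retry             # SA Query Retry (retransmissions)
        self.comeback_ms = comeback_ms                   # pmf association-comeback value
        self.associated: Dict[str, bool] = {}            # MAC -> True while online
        self.last_sa_query_duration_ms = 0

    def on_association_request(self, mac: str, responder: Responder) -> Dict[str, object]:
        """Handle an association or reassociation request from `mac`."""
        if mac not in self.associated:                   # ordinary first association
            self.associated[mac] = True
            return {"status": "success", "sa_query": False, "online": True}
        # The client already holds a protected association. The new request is
        # unprotected and may be spoofed, so it is refused with a comeback time
        # and the existing association is probed with an SA Query instead.
        online = self._sa_query(responder)
        if not online:
            del self.associated[mac]                     # stale: allow re-association
        return {"status": "rejected_temporarily", "comeback_ms": self.comeback_ms,
                "sa_query": True, "online": online}

    def _sa_query(self, responder: Responder) -> bool:
        """One request plus sa_query_retry retransmissions, each with its own timeout."""
        elapsed = 0
        for _attempt in range(1 + self.sa_query_retry):
            transaction_id = secrets.randbits(16)        # fresh identifier per request
            reply = responder(transaction_id)
            elapsed += self.sa_query_timeout_ms
            if reply == transaction_id:                  # response must echo the identifier
                self.last_sa_query_duration_ms = elapsed
                return True
            # no valid response within the timeout: retransmit
        self.last_sa_query_duration_ms = elapsed
        return False


def run_scenarios() -> Dict[str, object]:
    """Three constructed cases; returns what each leaves behind on the AP."""
    client = "00:14:6c:8a:43:ff"                         # constructed client MAC
    ap = PmfAccessPoint(sa_query_timeout_ms=200, sa_query_retry=2, comeback_ms=1000)
    first = ap.on_association_request(client, lambda tid: tid)
    # 1. Spoofed association request while the real client is online: the client
    #    answers the SA Query, so its association survives.
    spoofed = ap.on_association_request(client, lambda tid: tid)
    # 2. A response that does not echo the transaction ID is not accepted.
    ap2 = PmfAccessPoint()
    ap2.on_association_request(client, lambda tid: tid)
    forged = ap2.on_association_request(client, lambda tid: (tid + 1) & 0xFFFF)
    # 3. The client really went away: after the retries time out the AP removes
    #    the stale association.
    ap3 = PmfAccessPoint(sa_query_timeout_ms=200, sa_query_retry=2)
    ap3.on_association_request(client, lambda tid: tid)
    gone = ap3.on_association_request(client, lambda tid: None)
    return {"first": first["status"], "spoofed_online": spoofed["online"],
            "still_associated": client in ap.associated,
            "forged_online": forged["online"],
            "gone_online": gone["online"], "gone_removed": client not in ap3.associated,
            "gone_wait_ms": ap3.last_sa_query_duration_ms}


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Case 3 shows the trade-off the two table items control: with a 200 ms timeout and 2 retries a genuinely departed client keeps its stale entry for 600 ms, so raising either value lengthens the window before the client can re-associate while lowering them makes a lossy link look like an attack.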
Figure 334 Passive SA Query To configure management frame protection: 1. Select Wireless Service > Access Service from the navigation tree. 2. Click the icon for the target crypto-type wireless service. Figure 335 Configuring management frame protection for a crypto-type wireless service 3. Configure management frame protection for a crypto-type wireless service as described in Table 115. 4. Click Apply.
SA Query Timeout: If the AP receives no SA Query response within the timeout time, it resends the request.
SA Query Retry: Number of times the AP retransmits an SA Query request.
Configuring security settings for a crypto-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target crypto-type wireless service.
Figure 336 Configuring security settings for the crypto-type wireless service
3.
Table 116 Configuration items
• Open-System—No authentication. With this authentication mode enabled, all clients pass authentication.
• Shared-Key—The two parties must have the same shared key configured. You can select this option only when WEP encryption is used.
• Open-System and Shared-Key—Select both open-system and shared-key authentication.
Provide Key Automatically:
• Enable—A WEP key is dynamically assigned.
• Disable—A static WEP key is used.
By default, a static WEP key is used. When you enable this function, the WEP option is automatically set to wep104.
IMPORTANT:
• This function must be used together with 802.1X authentication.
• When dynamic WEP encryption is configured, the WEP key used to encrypt unicast frames is negotiated between the client and the server.
Figure 337 Configuring mac and psk port security
Table 117 Configuration items
Port Mode: mac and psk. MAC-based authentication is performed on access users first. If MAC-based authentication succeeds, the access user must then use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
Figure 338 Configuring psk port security
Table 118 Configuration items
Port Mode: psk. An access user must use the pre-configured pre-shared key (PSK) to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
Max User: Controls the maximum number of users allowed to access the network through the port.
• pass-phrase—Enter a PSK in the form of a character string.
Service type: Crypto
Authentication mode | Security IE | WEP encryption/key ID
Open-System | Selected | WEP encryption is available. The key ID can be 2, 3, or 4.
Open-System | Unselected | WEP encryption is required. The key ID can be 1, 2, 3, or 4.
Shared-Key | Selected | Unavailable.
Shared-Key | Unselected | WEP encryption is required. The key ID can be 1, 2, 3, or 4.
Open-System and Shared-Key | Selected | Unavailable.
Open-System and Shared-Key | Unselected | WEP encryption is required. The key ID can be 1, 2, 3, or 4.
• You can click Disconnect on the Summary > Client page on the AC to log off locally authenticated clients. • For the local authentication mode and backup authentication mode, if the AC-AP connection fails, do not modify the configuration on the AC before the connection recovers because the AC verifies the configuration after the connection recovers. If the configuration is inconsistent, online clients might be logged off.
Figure 341 Configuring an authentication mode
3. Select Central, Local, or Backup from the Authentication Mode list.
4. Click Apply.
Configuring source IP address verification
Source IP address verification improves wireless network security by dropping client packets whose source IP address does not match the IP-MAC binding the AP learned for that client, which blocks IP address spoofing by associated clients.
For a client using an IPv4 address, the AP can obtain the IP address assigned to the client in the DHCPv4 packets exchanged between the DHCP server and the client, and bind the IP address with the MAC address of the client.
Figure 343 Configuring source IP address verification 3. Select IPv4 or IPv6 for IP Verify Source. By default, the source IP address verification function is disabled. 4. Click Apply.
NOTE:
• For a client using an SSID configured with source IP address verification, if it accesses the network through AP local authentication, the source IP address verification feature still takes effect, but the IP-MAC binding entry for the client cannot be displayed on the AC. For more information about local authentication, see "Configuring an authentication mode."
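The IPv4 behaviour described above (learn the binding from the DHCP exchange, then check every client frame against it) is worth seeing end to end, including the frames that must pass before a binding exists. The following Python model is an added example, not HP or H3C code. It parses a raw DHCP message to learn the binding exactly as an AP snooping the server's DHCPACK would, and it assumes that a client's DHCP messages sent from 0.0.0.0 are always forwarded (otherwise the client could never obtain the lease that creates its binding). The DHCPACK bytes, MAC addresses and IP addresses are constructed for the example.

```python
"""Source IP address verification on the AP for IPv4 clients. Added example,
not HP/H3C code; the DHCP message and the client frames are constructed."""
import ipaddress
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # option-field magic cookie (RFC 2131)
DHCP_ACK = 5                       # option 53 message type for DHCPACK


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Extract what the binding needs: op, message type, client MAC, assigned IP."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    _ciaddr, yiaddr, _siaddr, _giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    msg_type: Optional[int] = None
    opts, i = payload[240:], 0
    while i < len(opts):
        code = opts[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        length = opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "type": msg_type, "mac": chaddr.hex(":"),
            "yiaddr": str(ipaddress.IPv4Address(yiaddr))}


def build_dhcp_ack(xid: int, mac: str, ip: str) -> bytes:
    """Constructed sample DHCPACK (server -> client) for the example."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # op=2 BOOTREPLY
    addrs = bytes(4) + ipaddress.IPv4Address(ip).packed + bytes(8)   # ciaddr, yiaddr, siaddr, giaddr
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    sname_file = bytes(64 + 128)
    options = DHCP_MAGIC + bytes([53, 1, DHCP_ACK, 255])
    return header + addrs + chaddr + sname_file + options


class SourceIpVerifier:
    """IP-MAC binding table the AP consults on every frame a client sends."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}   # client MAC -> leased IPv4 address
        self.dropped = 0

    def on_dhcp_from_server(self, payload: bytes) -> Optional[str]:
        """Learn a binding from a DHCPACK; returns the MAC bound, if any."""
        msg = parse_dhcp(payload)
        if msg["op"] == 2 and msg["type"] == DHCP_ACK:
            self.bindings[msg["mac"]] = msg["yiaddr"]
            return msg["mac"]
        return None

    def check_client_frame(self, src_mac: str, src_ip: str,
                           dhcp_client_msg: bool = False) -> str:
        """'forward' if the frame matches the client's binding, else 'drop'."""
        if dhcp_client_msg and src_ip == "0.0.0.0":   # DISCOVER/REQUEST before a lease
            return "forward"
        if self.bindings.get(src_mac) == src_ip:
            return "forward"
        self.dropped += 1                             # spoofed, stale, or static address
        return "drop"


def run_example() -> Dict[str, object]:
    client = "00:14:6c:8a:43:ff"                      # constructed client MAC
    verifier = SourceIpVerifier()
    out: Dict[str, object] = {}
    out["discover_before_lease"] = verifier.check_client_frame(client, "0.0.0.0", dhcp_client_msg=True)
    out["static_ip_no_binding"] = verifier.check_client_frame(client, "10.1.1.50")
    verifier.on_dhcp_from_server(build_dhcp_ack(0x1234, client, "10.1.1.50"))
    out["own_leased_ip"] = verifier.check_client_frame(client, "10.1.1.50")
    out["gateway_spoof"] = verifier.check_client_frame(client, "10.1.1.1")
    out["other_mac_using_ip"] = verifier.check_client_frame("aa:bb:cc:dd:ee:ff", "10.1.1.50")
    out["dropped"] = verifier.dropped
    return out


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

The static_ip_no_binding case is the operational caveat: a client that configures an address by hand never produces a DHCPACK, so it has no binding and every packet it sends is dropped. That is the intended behaviour of the feature, and it is the first thing to check when a statically addressed device stops working on an SSID with IP Verify Source enabled.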
Figure 345 Binding an AP radio to a wireless service
3. Select the radio to be bound.
4. Click Bind.
Binding an AP radio to a VLAN
Traffic of different services is identified by SSIDs. Locations are identified by APs. Users at different locations access different services. For a user roaming between different APs, you can provide services for the user based on its access AP.
Figure 346 Schematic diagram for WLAN support for AP-based access VLAN recognition (the figure shows a RADIUS server, AC 1 as the HA and AC 2 as the FA connected by an IACTP tunnel, AP 1 through AP 4, VLAN 2 and VLAN 3, Client 1 roaming within AC 1 and then between the ACs, and Client 2)
As shown in Figure 346, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1 roams within an AC or between ACs, Client 1 always belongs to VLAN 3.
Enabling a radio
1. Select Radio > Radio from the navigation tree.
Figure 347 Enabling 802.11n radio
2. Select the box of the target radio.
3. Click Enable.
Displaying detailed information about a wireless service
Displaying detailed information about a clear-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the specified clear-type wireless service to see its detailed information.
Figure 348 Displaying detailed information about a clear-type wireless service
Table 120 Field description
Service Template Number: Current service template number.
SSID: Service set identifier.
Description: Description for the service template. Not Configured means no description is configured.
Binding Interface: Name of the WLAN-ESS interface bound with the service template.
Service Template Type: Service template type.
Type of authentication used.
SSID-hide:
• Disable—SSID advertisement is enabled.
• Enable—SSID advertisement is disabled, and the AP does not advertise the SSID in beacon frames.
Bridge Mode: Forwarding mode:
• Local Forwarding—The AP forwards the data.
• Remote Forwarding—The AC forwards the data.
Service Template Status: Service template status, which can be:
• Enable—The wireless service is enabled.
• Disable—The wireless service is disabled.
Figure 349 Displaying detailed information about a crypto-type wireless service
Table 121 Field description
Service Template Number: Current service template number.
SSID: Service set identifier.
Description: Description for the service template. Not Configured means no description is configured.
Binding Interface: Name of the WLAN-ESS interface bound with the service template.
Service Template Type: Service template type.
Security IE: Security IE: WPA or WPA2 (RSN).
SSID-hide:
• Disable—SSID advertisement is enabled.
• Enable—SSID advertisement is disabled, and the AP does not advertise the SSID in beacon frames.
Cipher Suite: Cipher suite: AES-CCMP, TKIP, or WEP40/WEP104/WEP128.
WEP Key Index: WEP key index used to encrypt or decrypt frames.
WEP Key Mode: WEP key mode:
• HEX—WEP key in hexadecimal format.
• ASCII—WEP key as a character string.
WEP Key: WEP key.
TKIP Countermeasure Time(s): TKIP MIC failure holdtime, in seconds.
Configuring policy-based forwarding
If the AC adopts the local authentication mode, it also uses the local forwarding mode, and any policy-based forwarding configuration is ignored. For more information about authentication modes, see "Configuring an authentication mode."
Before you can apply a forwarding policy, create the forwarding policy and specify its forwarding rules. The ACL sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID.
Figure 350 Creating a forwarding policy
4. Create a forwarding policy as described in Table 122.
5. Click Add.
6. Click Apply.
Table 122 Configuration items
Policy Name: Create a forwarding policy. You can create at most 1000 forwarding policies.
ACL Type: Choose IPv4 or IPv6.
ACL Number: Specify the ACL number.
Forwarding Policy Rule Behavior:
• Remote—Use the centralized forwarding mode to forward packets.
• Local—Use the local forwarding mode to forward packets.
Category | Match criteria
IPv4 advanced ACL, IPv6 advanced ACL | IP: source and destination IP addresses. TCP and UDP: source and destination port numbers. ICMP: message type and message code of the specified ICMP packets.
Ethernet frame header ACL | Source and destination MAC addresses.
Applying a forwarding policy to an access service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service.
Figure 351 Applying a forwarding policy to an access service 3. Apply the forwarding policy to the access service as described in Table 124. 4. Click Apply.
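The forwarding policy, its rule behaviours and the ACL match criteria above combine into one decision per client packet, and the ascending rule-ID order noted earlier is what makes a deny rule effective. The following Python model shows that decision. It is an added example, not HP or H3C code, and it assumes: a forwarding policy is an ordered list of (ACL number, behaviour) rules; inside an ACL, rules are evaluated in ascending rule-ID order and the first match wins; a packet that hits a permit rule takes that policy rule's behaviour, a deny match or no match moves on to the next policy rule, and a packet matching no policy rule uses the default behaviour passed in by the caller. The branch-office addresses, ACL numbers 3000 and 3001, and the packets are constructed.

```python
"""Policy-based forwarding decision for packets sent by clients. Added example,
not HP/H3C code; see the lead-in for the assumed evaluation order."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, object]   # constructed summary: src, dst, proto, dport, icmp_type, icmp_code


@dataclass
class AclRule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # "tcp", "udp", "icmp", or None for any IP packet
    src: str = "0.0.0.0/0"           # source and destination networks (IPv4 advanced ACL)
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP message type and code
    icmp_code: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.protocol is not None and pkt.get("proto") != self.protocol:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        if self.icmp_code is not None and pkt.get("icmp_code") != self.icmp_code:
            return False
        return True


def acl_action(rules: List[AclRule], pkt: Packet) -> Optional[str]:
    """Action of the lowest-ID rule that matches, or None when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action
    return None


@dataclass
class PolicyRule:
    acl_number: int
    behavior: str   # "Local" (the AP forwards) or "Remote" (tunnelled to the AC)


def forwarding_decision(policy: List[PolicyRule], acls: Dict[int, List[AclRule]],
                        pkt: Packet, default: str = "Remote") -> str:
    for rule in policy:
        if acl_action(acls.get(rule.acl_number, []), pkt) == "permit":
            return rule.behavior
    return default


# Constructed example: a branch whose servers live in 10.1.0.0/16. Traffic to them
# stays local, except the management subnet 10.1.99.0/24, which the deny rule
# (lower ID, so matched first) keeps on the centralised path through the AC.
BRANCH_ACLS: Dict[int, List[AclRule]] = {
    3000: [
        AclRule(0, "deny", dst="10.1.99.0/24"),
        AclRule(5, "permit", dst="10.1.0.0/16"),
    ],
    3001: [
        AclRule(0, "permit", protocol="tcp", dport=443),
    ],
}
BRANCH_POLICY = [PolicyRule(3000, "Local"), PolicyRule(3001, "Remote")]


def decide(pkt: Packet) -> str:
    return forwarding_decision(BRANCH_POLICY, BRANCH_ACLS, pkt)


if __name__ == "__main__":
    samples = (
        {"src": "10.1.20.5", "dst": "10.1.5.7", "proto": "tcp", "dport": 80},
        {"src": "10.1.20.5", "dst": "10.1.99.2", "proto": "tcp", "dport": 22},
        {"src": "10.1.20.5", "dst": "203.0.113.9", "proto": "tcp", "dport": 443},
        {"src": "10.1.20.5", "dst": "10.1.5.7", "proto": "icmp", "icmp_type": 8, "icmp_code": 0},
    )
    for pkt in samples:
        print(pkt["dst"], "->", decide(pkt))
```

Two checks follow from the model. First, as Table 124 states, forwarding policies apply only to packets sent by clients, so the 10.1.99.0/24 deny rule says nothing about traffic flowing towards a client. Second, swapping the IDs of the two rules in ACL 3000 would silently send management traffic down the local path, which is why rule IDs deserve a review whenever a rule is added to an existing ACL.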
Table 124 Configuration items
Forwarding Mode: Select Forwarding Policy Based from the list to enable the policy-based forwarding mode.
IMPORTANT: Forwarding policies apply only to packets sent by clients.
Forwarding Policy: Forwarding policy name.
IMPORTANT: This field can be null when you apply a forwarding policy to the user profile.
Applying a forwarding policy to a user profile
1.
Figure 353 Network diagram
Configuration guidelines
Select the correct country/region code.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select Manual from the Serial ID list, and enter the serial ID of the AP.
d. Click Apply.
Figure 354 Creating an AP
2. Configure a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c.
b. On the page that appears, select service1 and click Enable. Figure 356 Enabling wireless service 4. Bind an AP radio to a wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service service1. c. On the page that appears, select the box to the left of the radio type 802.11n(2.4GHz). d. Click Bind.
5. Enable 802.11n(2.4GHz) radio: a. Select Radio > Radio from the navigation tree. b. Select the box to the left of the radio mode 802.11n(2.4GHz). c. Click Enable. Figure 358 Enabling 802.11n(2.4GHz) radio Verifying the configuration • The client can successfully associate with the AP and access the WLAN network. • You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.
Figure 360 Network diagram Configuring the AC 1. Create an AP: a. Select AP > AP Setup from the navigation tree. b. Click Add. c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select Manual from the Serial ID list, enter the AP serial ID, and click Apply. Figure 361 Creating an AP 2. Create a wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click Add. c.
e. Click Apply. Figure 363 Configuring security settings 4. Enable wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Select psk. c. Click Enable. Figure 364 Enabling wireless service 5. Bind an AP radio to a wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service psk. c. On the page that appears, select the box to the left of the radio mode 802.11n(2.4GHz) and click Bind.
Figure 365 Binding an AP radio 6. Enable 802.11n(2.4GHz) radio: a. Select Radio > Radio from the navigation tree. b. Select the ap box to the left of 802.11n(2.4GHz). c. Click Enable. Figure 366 Enabling 802.11n(2.4GHz) radio Configuring the client 1. Launch the client, and refresh the network list. 2. Select the configured service in Choose a wireless network (PSK in this example).
3. Click Connect. 4. In the popup dialog box, enter the key (12345678 in this example), and then click Connect. Figure 367 Configuring the client The client has the same pre-shared PSK key as the AP, so the client can associate with the AP.
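The statement above that the client and the AP hold the same pre-shared key is what the WPA2 four-way handshake verifies, but the value the two sides compare is not the passphrase itself. The following Python example (added here; it is not code from this guide or from the AC firmware) shows the standard IEEE 802.11 mapping from a passphrase to the 256-bit PSK, and accepts both forms the web UI allows for a pre-shared key: a passphrase of 8 to 63 characters, or the raw key as 64 hexadecimal digits, as also described for the mesh service Preshared Key later in this guide. The SSID psk and key 12345678 are the values of this configuration example; an 8-digit numeric passphrase such as this one is suitable only for a lab, because it can be brute-forced offline from a single captured handshake.

```python
"""WPA/WPA2 pre-shared key handling: passphrase expansion and raw-key validation.

Added example for the PSK configuration example; it is not code from the HP
configuration guide or from the AC firmware. It implements the standard
IEEE 802.11 passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, 4096 iterations,
256-bit output), which is what the AC and the client actually compare.
"""
import hashlib
import re

PSK_LEN = 32  # bytes; a WPA/WPA2 PSK (the PMK) is 256 bits


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Expand an ASCII passphrase of 8 to 63 characters into the 256-bit PSK.

    The SSID is the PBKDF2 salt, so the same passphrase on two different
    SSIDs yields two different keys.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, PSK_LEN)


def parse_preshared_key(value: str, ssid: str) -> bytes:
    """Accept the two forms the web UI allows and return the PSK bytes.

    - exactly 64 hexadecimal digits: used as the raw 256-bit key, no derivation
      (a 64-character string cannot be a passphrase, so the forms never clash);
    - any other string of 8 to 63 characters: a passphrase, expanded with
      psk_from_passphrase().
    """
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return psk_from_passphrase(value, ssid)


def keys_match(ac_value: str, client_value: str, ssid: str) -> bool:
    """True when the AC and the client end up with the same PSK.

    Either side may enter the key in either form; a raw hex key on one side
    matches a passphrase on the other only if the hex is that passphrase's
    derived PSK for this SSID.
    """
    return parse_preshared_key(ac_value, ssid) == parse_preshared_key(client_value, ssid)


if __name__ == "__main__":
    # Values from the configuration example: service "psk", key "12345678".
    print(psk_from_passphrase("12345678", "psk").hex())
```

The first assertion below uses the IEEE 802.11 published test vector (passphrase "password", SSID "IEEE"), which is a convenient way to check any PSK implementation against the standard.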
Figure 368 The client is associated with the AP Verifying the configuration • The client can successfully associate with the AP and access the WLAN network. • You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree. Local MAC authentication configuration example Network requirements The AC is connected to the AP through a Layer 2 switch, and both are in the same network. Perform MAC authentication on the client.
b. Click Add. c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select Manual from the Serial ID list, enter the AP serial ID, and click Apply. Figure 370 Creating an AP 2. Create a wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click Add. c. On the page that appears, set the service name to mac-auth, select the wireless service type clear, and click Apply. Figure 371 Creating a wireless service 3.
Figure 372 Configuring security settings 4. Enable wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Select the mac-auth box. c. Click Enable. Figure 373 Enabling wireless service 5. Configure a MAC authentication list: a. Select Wireless Service > Access Service from the navigation tree. b. Click MAC Authentication List.
c. On the page that appears, add a local user in the MAC Address field. 0014-6c8a-43ff is used in this example. d. Click Add. Figure 374 Adding a MAC authentication list 6. Bind an AP radio to a wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service mac-auth. c. On the page that appears, select the box to the left of the radio mode 802.11n(2.4GHz) and click Bind. Figure 375 Binding an AP radio 7. Enable 802.11n (2.
Figure 376 Enabling 802.11n(2.4GHz) radio Configuring the client 1. Launch the client, and refresh the network list. 2. Select the configured service in Choose a wireless network (mac-auth in this example). 3. Click Connect. Figure 377 Configuring the client Verifying the configuration • The client can successfully associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client. Remote MAC authentication configuration example Network requirements As shown in Figure 378, perform remote MAC authentication on the client. • Use the intelligent management center (IMC) as the RADIUS server for authentication and authorization. On the RADIUS server, configure the client's username and password as the MAC address of the client and the shared key as expert. The IP address of the RADIUS server is 10.18.
Figure 379 Configuring RADIUS 3. Configure AAA: a. From the navigation tree, select Authentication > AAA. b. Optional: On the Domain Setup tab, create a new ISP domain. This example uses the default domain system. c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply. Figure 380 Configuring the AAA authentication method for the ISP domain d.
Figure 381 Configuring the AAA authorization method for the ISP domain f. Click Apply. 4. Create an AP: a. Select AP > AP Setup from the navigation tree. b. Click Add. c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select Manual from the Serial ID list, enter the AP serial ID, and click Apply. Figure 382 Configuring an AP 5. Configure wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click Add. c.
Figure 383 Creating a wireless service 6. Configure MAC authentication: After you create a wireless service, the wireless service configuration page appears. a. In the Security Setup area, select Open-System from the Authentication Type list. b. Select the Port Set box, and select mac-authentication from the Port Mode list. c. Select the MAC Authentication box, and select system from the Domain list. d. Click Apply. Figure 384 Configuring security settings 7. Enable the wireless service: a.
Figure 385 Enabling the wireless service 8. Bind an AP radio to the wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service mac-auth. c. Select the box of the AP with the radio mode 802.11n(2.4GHz). d. Click Bind. Figure 386 Binding an AP radio to a wireless service 9. Enable 802.11n(2.4GHz) radio: a. Select Radio > Radio from the navigation tree. b. Select the ap 802.11n(2.4GHz) box of the target AP. c. Click Enable.
Figure 387 Enabling 802.11n(2.4GHz) radio Configuring the RADIUS server The following example uses IMC (IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301)) to illustrate the basic configuration of the RADIUS server. To configure the RADIUS server: 1. Add an access device: a. Click the Service tab in the IMC platform. b. Select User Access Manager > Access Device Management from the navigation tree. c. Click Add. d.
d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply. Figure 389 Adding a service 3. Add an account: a. Click the User tab. b. Select User > All Access Users from the navigation tree. c. Click Add. d. On the page that appears, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.
• Use IMC as a RADIUS server for authentication and authorization. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88. • On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1. Figure 391 Network diagram Configuring the AC 1. Assign an IP address to the AC: a.
Figure 392 Configuring RADIUS 3. Configure AAA: a. Select Authentication > AAA from the navigation tree. b. (Optional.) On the Domain Setup tab, create a new ISP domain. This example uses the default domain system. c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme 802.
d. On the Authorization tab, select the domain name system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme 802.1x from the Name list, and click Apply. Figure 394 Configuring the AAA authorization method for the ISP domain 4. Create an AP: a. Select AP > AP Setup from the navigation tree. b. Click Add. c.
Figure 396 Creating a wireless service 6. Configure 802.1X authentication: After you create a wireless service, the wireless service configuration page appears. a. In the Security Setup area, select Open-System from the Authentication Type list, select the Cipher Suite box, select AES from the Cipher Suite list, and select WPA2 from the Security IE list. b. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list. c. Select system from the Mandatory Domain list. d.
Figure 398 Enabling the wireless service 8. Bind an AP radio to the wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service dot1x. c. Select the box of the AP with the radio mode 802.11n(2.4GHz). d. Click Bind.
9. Enable 802.11n(2.4GHz) radio: a. Select Radio > Radio from the navigation tree. b. Select the box of the AP with the radio mode 802.11n(2.4GHz). c. Click Enable. Figure 400 Enabling 802.11n(2.4GHz) radio Configuring the RADIUS server The following example uses IMC (IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301)) to illustrate the basic configuration of the RADIUS server. Make sure a certificate has been installed on the RADIUS server. To configure the RADIUS server: 1. Add an access device: a.
2. Add a service: a. Click the Service tab. b. Select User Access Manager > Service Configuration from the navigation tree. c. Click Add. d. On the page that appears, set the service name to dot1x, and set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply. Figure 402 Adding a service 3. Add an account: a. Click the User tab. b. Select User > All Access Users from the navigation tree. c. Click Add. d.
Configuring the wireless client 1. Double click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears. 2. Click Properties in the General tab. The Wireless Network Connection Properties window appears. 3. In the Wireless Networks tab, select wireless network with the SSID dot1x, and then click Properties. The dot1x Properties window appears. 4. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties. 5.
Figure 404 Configuring the wireless client (1)
Figure 405 Configuring the wireless client (2)
Figure 406 Configuring the wireless client (3) Verifying the configuration • After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN. • You can view the online clients on the page you enter by selecting Summary > Client. Dynamic WEP encryption-802.1X authentication configuration example Network requirements Perform dynamic WEP encryption-802.1X authentication on the client.
Figure 407 Network diagram Configuration procedure 1. Assign an IP address for the AC: See "Assign an IP address to the AC." 2. Configure a RADIUS scheme: See "Configure a RADIUS scheme." 3. Configure AAA: See "Configure AAA." 4. Configure the AP: See "Create an AP." 5. Create a wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click Add. c.
g. Disable Handshake and Multicast Trigger (recommended). h. Click Apply. Figure 409 Configuring security settings 7. Enable the wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. On the page that appears, select the dot1x box and click Enable.
8. Bind an AP radio to the wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service dot1x. c. On the page that appears, select the box of 802.11n(2.4GHz) and click Bind. Figure 411 Binding an AP radio to a wireless service 9. Enable 802.11n(2.4GHz) radio: See "Enable 802.11n(2.4GHz) radio." 10. Configure the RADIUS server: See "Configuring the RADIUS server." Configuring the wireless client 1.
Figure 412 Configuring the wireless client (1) 6. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties. 7. In the popup window, clear Validate server certificate, and click Configure. 8. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any), and then click OK. NOTE: With Validate server certificate cleared, the client does not verify the identity of the RADIUS server before sending the user's MS-CHAPv2 credentials inside the PEAP tunnel, so it will also authenticate to a rogue AP or RADIUS server that advertises the same SSID. Clear the option only for testing. In production, install the CA certificate of the RADIUS server on the client and keep the option selected.
Figure 413 Configuring the wireless client (2)
Figure 414 Configuring the wireless client (3) Verifying the configuration • After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN. • You can view the online clients on the page you enter by selecting Summary > Client.
Adding commands to the configuration file of the AP
port-security enable
domain branch.net
 authentication lan-access local
 authorization lan-access local
 accounting lan-access local
 quit
local-user 00-14-6c-8a-43-ff
 password simple 00-14-6c-8a-43-ff
 service-type lan-access
 quit
mac-authentication user-name-format mac-address with-hyphen lowercase
The quit commands return to system view: local-user is a system-view command and cannot be entered from ISP domain view, and mac-authentication cannot be entered from local-user view. Then save the configuration file with the name map.cfg, and upload it to the storage media of the AC.
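The local MAC authentication list, the IMC account and the AP configuration file on this page spell the same client MAC address three ways (0014-6c8a-43ff, 00146c8a43ff and 00-14-6c-8a-43-ff). The AC builds the username it sends from the client's MAC address in the format selected with mac-authentication user-name-format, and a RADIUS account matches only if it is spelled the same way, character for character. The following Python example (added here; it is not code from this guide or from the AC) normalizes a MAC address, renders the with-hyphen/without-hyphen and lowercase/uppercase username variants, and checks an account name or a local list entry against a client. The default format it assumes (without-hyphen, lowercase) is an assumption for the example, not a statement from this guide.

```python
"""MAC-authentication username formats and list lookup.

Added example for the local and remote MAC authentication examples; not code
from the HP guide or the AC. It models the `mac-authentication
user-name-format mac-address [with-hyphen|without-hyphen]
[lowercase|uppercase]` options and an exact-match account comparison.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(mac: str) -> str:
    """Normalize any common spelling to 12 lowercase hex digits.

    Accepts 0014-6c8a-43ff, 00-14-6c-8a-43-ff, 00:14:6c:8a:43:ff,
    0014.6c8a.43ff and 00146c8a43ff; rejects anything else.
    """
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def radius_username(mac: str, with_hyphen: bool = False, uppercase: bool = False) -> str:
    """Render the username the AC sends for this client.

    The defaults (without-hyphen, lowercase) are an assumption for the
    example; they match the IMC account name 00146c8a43ff used in the
    remote MAC authentication example.
    """
    digits = canonical_mac(mac)
    if with_hyphen:
        digits = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits.upper() if uppercase else digits


def account_matches(account_name: str, client_mac: str,
                    with_hyphen: bool, uppercase: bool) -> bool:
    """Exact comparison, as a RADIUS server that compares account names
    literally would do: the stored name must equal the username the AC sends."""
    return account_name == radius_username(client_mac, with_hyphen, uppercase)


class MacAuthList:
    """Local MAC authentication list with spelling-independent lookup."""

    def __init__(self, entries=()):
        self._allowed = {canonical_mac(e) for e in entries}

    def add(self, mac: str) -> None:
        self._allowed.add(canonical_mac(mac))

    def is_allowed(self, client_mac: str) -> bool:
        return canonical_mac(client_mac) in self._allowed


if __name__ == "__main__":
    # The IMC account from the remote example versus the with-hyphen format
    # configured in the AP configuration file: same address, no match.
    print(account_matches("00146c8a43ff", "0014-6c8a-43ff", False, False))  # True
    print(account_matches("00146c8a43ff", "0014-6c8a-43ff", True, False))   # False
```

The second call in the usage block is the failure mode to watch for: an account created as 00146c8a43ff never matches once the AC is configured with with-hyphen, so authentication fails for every client even though the address itself is correct.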
Figure 416 Configuring an ISP domain 2. Create an AP: a. Select AP > AP Setup from the navigation tree. b. Click Add. c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select Manual from the Serial ID list, enter the serial ID of the AP, and click Apply. Figure 417 Creating an AP 3. Configure wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click Add. c.
Figure 418 Creating a wireless service 4. Configure backup client authentication: After you create a wireless service, you will enter the wireless service configuration page. Select Backup from the Authentication Mode list and then configure local MAC authentication on the page.
Figure 419 Configuring backup client authentication 5. Configure local MAC authentication: a. In the Security Setup area, select Open-System from the Authentication Type list. b. Select the Port Set box, and select mac-authentication from the Port Mode list. c. Select the MAC Authentication box, and select branch.net from the Domain list. Make sure the mandatory authentication domain and the ISP domain in the configuration file are the same. d. Click Apply.
Figure 420 Configuring local MAC authentication 6. Enable wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Select the mac-auth box. c. Click Enable. Figure 421 Enabling wireless service 7. Configure a MAC authentication list: a. Select Wireless Service > Access Service from the navigation tree.
b. Click MAC Authentication List. c. Add a local user in the MAC Address field. 00-14-6c-8a-43-ff is used in this example. d. Click Add. Figure 422 Adding a MAC authentication list 8. Enable remote AP and download the configuration file to the AP: a. Select AP > AP Setup from the navigation tree. b. Click the icon for the target AP in the list. The page for configuring an AP appears. c. Expand Advanced Setup, set the configuration file to map.cfg, and select Enable from the Remote AP list. d.
9. Bind an AP radio to a wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service mac-auth. c. Select the box to the left of ap with the radio mode 802.11n(2.4GHz). d. Click Bind. Figure 424 Binding an AP radio 10. Enable 802.11n(2.4GHz) radio: a. Select Radio > Radio Setup from the navigation tree. b. Select the box to the left of ap with the radio mode 802.11n(2.4GHz). c. Click Enable. Figure 425 Enabling 802.11n(2.
11. Verify the configuration: When the connection between AP and AC is correct, clients associated with the AP can access the network after passing centralized authentication. Select Summary > Client from the navigation tree to view detailed client information. The Central field in the output shows that the AC authenticates the clients. When the connection between AC and AP fails, clients associated with the AP are not logged off and the AP authenticates new clients.
 authorization default radius-scheme rad
 accounting default radius-scheme rad
Then save the file with the name map.cfg, and upload it to the storage media on the AC. Configuring the AC 1. Configure the AP: a. Select AP > AP Setup from the navigation tree. b. Click Add. c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select Manual from the Serial ID list, enter the serial ID of the AP, and click Apply. Figure 427 Configuring the AP 2. Configure wireless service: a.
Figure 429 Configuring local client authentication 4. Configure 802.1X authentication: After you create a wireless service, the wireless service configuration page appears. a. In the Security Setup area, select Open-System from the Authentication Type list. b. Select the Cipher Suite box, select AES from the Cipher Suite list, and select WPA2 from the Security IE list. c. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list. d. Select cams from the Mandatory Domain list.
e. Select EAP from the Authentication Method list. f. Disable Handshake and Multicast Trigger (recommended). g. Click Apply. Figure 430 Security setup 5. Enable the wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Select the dot1x box. c. Click Enable. Figure 431 Enabling the wireless service 6. Enable remote AP and download the configuration file to the AP: a. Select AP > AP Setup from the navigation tree.
b. Click the icon for the target AP in the list. The page for configuring an AP appears. c. Expand Advanced Setup, set the configuration file to map.cfg, and select Enable from the Remote AP list. d. Click Apply. Figure 432 Enabling remote AP 7. Bind an AP radio to the wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service dot1x. c. Select the box for the AP with the radio mode 802.11n(2.4GHz). d. Click Bind.
Figure 433 Binding an AP radio to a wireless service 8. Enable 802.11n(2.4GHz) radio: a. Select Radio > Radio from the navigation tree. b. Select the box for the AP with the radio mode 802.11n(2.4GHz). c. Click Enable. Figure 434 Enabling 802.11n(2.4GHz) radio 9. Verify the configuration: The AP performs 802.1X authentication on clients through the RADIUS server whether or not the AC-AP connection is up.
Policy-based forwarding configuration example Network requirements Configure policy-based forwarding so that both the centralized forwarding mode and the local forwarding mode can be achieved for one SSID.
Figure 436 Creating a forwarding policy (1) 2. Configure forwarding policy us: a. Select Wireless Service > Access Service from the navigation tree. b. Click the Forwarding Policy tab. c. Click Add. d. On the page that appears, create forwarding policy us as described in Figure 437. e. Click Apply.
Figure 437 Creating a forwarding policy (2) 3. Configure 802.1X authentication method: See "Remote 802.1X authentication configuration example." 4. Download the configuration file to the AP: a. Select AP > AP Setup from the navigation tree, click the icon for the target AP. b. Click Advanced Setup, and specify the configuration file as ACL.cfg. c. Click Apply.
Figure 438 Downloading the configuration file to the AP 5. Apply the forwarding policy to the access service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the target wireless service. c. Select the forwarding mode Forwarding Policy Based, specify the forwarding policy as st, select the packets format 802.3, and click Apply.
Figure 439 Applying the forwarding policy to the access service 6. Apply the forwarding policy to the user profile: a. Select Authentication > User from the navigation tree. b. Click the User Profile tab. c. Click Add. d. Click Apply. e. On the page that appears, select the box of the user profile, and click Enable.
Figure 440 Specifying the user profile name Verifying the configuration The forwarding policy applied to the user profile has a higher priority, so forwarding policy us takes effect. • Use an IPv4 client to ping the IP address that connects the AP to the AC. The ICMP packet matches ACL 3000 and is forwarded by the AC. Before CAPWAP encapsulation, the AP converts the 802.11 frames to 802.3 frames. • Use an IPv6 client to ping the IP address that connects the AP to the AC.
Configuring mesh services A WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile and flexible. Also, you can establish multi-hop wireless links between APs. In these ways, a WLAN mesh network differs from a traditional WLAN. However, from the perspective of end users, a WLAN mesh network is no different from a traditional WLAN.
Deployment scenarios One-hop mesh link backhaul deployment As shown in Figure 441, the MAP is a dual-radio AP, with one radio for WLAN access and the other for mesh link backhaul. You can configure the MAC address of the MPP connected to the MAP to establish a mesh link between them. Figure 441 One-hop mesh link backhaul HP supports up to 4 MAPs on a single MPP as shown in Figure 442.
Figure 443 Two-hop mesh backhaul deployment (1) HP supports up to 4 MPs on a single MPP and up to 4 MAPs on a single MP as shown in Figure 444. Figure 444 Two-hop mesh backhaul deployment (2) Configuring mesh service Creating a mesh service 1. Select Wireless Service > Mesh Service from the navigation tree. 2.
Figure 445 Configuring mesh service 3. Click Add. Figure 446 Creating a mesh service 4. Configure the mesh service as described in Table 125. 5. Click Apply. Table 125 Configuration items Item Description Mesh Service Name Name of the created mesh service. Configuring a mesh service 1. Select Wireless Service > Mesh Service from the navigation tree. 2. Click the Mesh Service tab. 3. Click the icon for the target mesh service.
Figure 447 Configuring mesh service 4. Configure the mesh service as described in Table 126. 5. Click Apply. Table 126 Configuration items Item Description Mesh Service Display the selected mesh service name. VLAN (Tagged) Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged) indicates that the port sends the traffic of the VLAN without removing the VLAN tag. VLAN (Untagged) Enter the ID of the VLAN whose packets are to be sent untagged.
Item Description Preshared Key Pre-shared key, which takes one of the following values: • A string of 8 to 63 characters. • A 64-digit hexadecimal number (the raw 256-bit key). Binding an AP radio to a mesh service 1. Select Wireless Service > Mesh Service from the navigation tree. 2. Click the icon. 3. Select the radio to be bound. 4. Click Bind. Figure 448 Binding an AP radio to a mesh service Enabling a mesh service 1. Select Wireless Service > Mesh Service from the navigation tree. 2.
3. Click a mesh service to see its detailed information. Figure 450 Displaying detailed mesh service information Table 127 Field description Field Description Mesh Profile Number Mesh service number. Mesh ID Mesh ID of the mesh service. Binding Interface Mesh interface bound to the mesh service. MKD Service MKD service status: • Enable—The MKD service is enabled. • Disable—The MKD service is disabled. Link Keep Alive Interval Interval to send keep-alive packets.
Figure 451 Mesh policy configuration page 3. Click Add. Figure 452 Creating a mesh policy 4. Configure the mesh policy as described in Table 128. 5. Click Apply. Table 128 Configuration items Item Description Mesh Policy Name Name of the created mesh policy. The created mesh policies use the contents of the default mesh policy default_mp_plcy. Configuring a mesh policy 1. Select Wireless Service > Mesh Service from the navigation tree. 2. Click the Mesh Policy tab. 3.
Figure 453 Configuring a mesh policy 4. Configure the mesh policy as described in Table 129. 5. Click Apply. Table 129 Configuration items Item Description Mesh Policy Display the name of the created mesh policy. Link establishment By default, link initiation is enabled. Minimum time to hold a link Set the link hold time. An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.
Item Description Minimum margin rssi Set the link switch margin. If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch will occur. This mechanism is used to avoid frequent link switch. Maximum rssi to hold a link Set the link saturation RSSI. This is the upper limit of RSSI on the active link. If the value is reached, the chipset is saturated and link switch will occur. Interval between probe requests Set the probe request interval.
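To make the interaction of the three link parameters concrete, the following Python example (added here; it is not code from this guide, and the AP's actual algorithm is not published in it) applies the rules as Table 129 states them: hold the active link for the link hold time, switch only when a candidate exceeds the active link's RSSI by the switch margin, and switch regardless when the active link's RSSI reaches the saturation limit. The field names, the order in which the rules are checked and the default values are assumptions for the example.

```python
"""Mesh link selection rules as described in the mesh policy table.

Added example; not code from the HP guide or the AP firmware. It models the
three parameters (link hold time, link switch margin, link saturation RSSI)
and returns the reason for each decision so the outcome can be logged.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MeshPolicy:
    # Assumed defaults for the example; the guide does not state them here.
    link_hold_time: int = 30    # seconds an active link is kept before any switch
    switch_margin: int = 10     # dB a candidate must exceed the active link by
    saturation_rssi: int = 90   # upper RSSI limit on the active link


@dataclass
class MeshLink:
    peer: str       # peer MAC address or name
    rssi: int       # measured RSSI of this link
    up_since: int   # seconds, on the same clock as `now`


def should_switch(policy: MeshPolicy, active: Optional[MeshLink],
                  candidate: Optional[MeshLink], now: int) -> Tuple[bool, str]:
    """Decide whether to replace `active` with `candidate` at time `now`.

    Rule order (an assumption for the example): saturation forces a switch
    even inside the hold time; otherwise the hold time protects the active
    link; otherwise the candidate must clear the switch margin.
    """
    if active is None:
        return True, "no active link"
    if candidate is None:
        return False, "no candidate"
    if active.rssi >= policy.saturation_rssi:
        return True, "active link saturated"
    if now - active.up_since < policy.link_hold_time:
        return False, "within link hold time"
    if candidate.rssi - active.rssi < policy.switch_margin:
        return False, "candidate within switch margin"
    return True, "candidate exceeds switch margin"


def best_candidate(links: List[MeshLink], active: Optional[MeshLink]) -> Optional[MeshLink]:
    """Strongest link that is not the active one, or None."""
    others = [l for l in links if active is None or l.peer != active.peer]
    return max(others, key=lambda l: l.rssi, default=None)


if __name__ == "__main__":
    # Constructed sample: an MPP link that has been up for 10 s, and a
    # neighbour 15 dB stronger. The hold time wins now; the margin wins later.
    policy = MeshPolicy()
    active = MeshLink("mpp", rssi=40, up_since=0)
    neighbours = [active, MeshLink("mp2", rssi=55, up_since=0), MeshLink("mp3", rssi=50, up_since=0)]
    cand = best_candidate(neighbours, active)
    print(should_switch(policy, active, cand, now=10))
    print(should_switch(policy, active, cand, now=60))
```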
Figure 454 Displaying detailed mesh policy information Table 130 Field description Field Description MP Policy Name Name of the mesh policy. Mesh Link Initiation Whether link initiation is enabled or not. Authenticator Role Authenticator role status: • Enable—The authenticator role is enabled. • Disable—The authenticator role is disabled. Max Links Maximum number of links on a device using this mesh policy.
Mesh global setup Mesh basic setup 1. Select Wireless Service > Mesh Service from the navigation tree. 2. Click the Global Setup tab. Figure 455 Configuring basic mesh settings 3. Configure the basic mesh settings as described in Table 131. 4. Click Apply. Table 131 Configuration items Item Description MKD-ID Make sure the MAC address configured is unused and has the correct vendor specific part. The MAC address of an AC should not be configured as the MKD ID.
2. Click the Global Setup tab. Figure 456 Enabling mesh portal service 3. Select the AP for which mesh portal service is to be enabled. 4. Click Enable. Configuring a working channel You can configure a working channel by using one of the following methods. Whichever method is used, when an AP detects radar signals on its working channel, it and every AP that has established a mesh link with it switch to another available working channel. In some countries, most available channels on the 802.
Figure 457 Configuring a radio 2. On the page that appears, select a specified channel from the Channel list. 3. Click Apply. NOTE: Specify a working channel for the radios of the MAP and MPP. Specify the same working channel for the radio of the MAP and the radio of the MPP. Auto Set the working channel mode on the MPP and MAP to auto so that the working channel is automatically negotiated when a WDS link is established between the MPP and MAP.
Figure 458 Enabling a radio 2. Select the radio mode to be enabled. 3. Click Enable. Configuring a peer MAC address 1. Select Wireless Service > Mesh Service from the navigation tree. 2. Click the icon. 3. Select the AP radio to be bound, and click the icon. Figure 459 Configuring a peer MAC address 4. Configure the peer MAC address as described in Table 132. 5. Click Apply. Table 132 Configuration items Item Description Peer MAC Address The mesh feature supports two topologies.
Configuring mesh DFS Displaying radio information 1. Select Wireless Service > Mesh Service from the navigation tree. 2. Click the Mesh Channel Optimize tab. 3. Click the specified mesh network, and click the Radio Info tab. Figure 460 Displaying radio information Displaying channel switch information 1. Select Wireless Service > Mesh Service from the navigation tree. 2. Click the Mesh Channel Optimize tab. 3.
NOTE: • If you select Auto or Close for dynamic channel selection on the Global Setup tab, when you enter the Mesh Channel Optimize page, the Channel Optimize button is grayed out, and you cannot perform the operation. • If you select manual DFS on the Global Setup tab, select mesh networks where DFS will be performed, and then click Channel Optimize to complete DFS. In auto mode, DFS is performed at the calibration interval. In manual mode, DFS is performed one time.
Figure 463 Displaying mesh link test information 3. Select the box of the target AP. 4. Click Begin. WLAN mesh configuration example Network requirements As shown in Figure 464, establish a mesh link between the MAP and the MPP. Configure 802.11n (5GHz) on the MAP so that the client can access the network. 1. Establish a mesh link between the MPP and the MAP by following these steps: Configure MAP and MPP—Select AP > AP Setup from the navigation tree, and click Add to configure MAP and MPP.
a. Select AP> AP Setup from the navigation tree. b. Click Add. c. On the page that appears, set the AP name to map, select the AP model MSM460-WW, select Manual from the Serial ID list, enter the AP serial ID, and click Apply. Figure 465 Configuring an AP d. Configure MPP by following the same steps. 2. Create a mesh service: a. Select Wireless Service > Mesh Service from the navigation tree. b. Click the Mesh Service tab. c. Click Add. d.
b. Click the icon for the mesh service outdoor. c. Select the AP radios to be bound. d. Click Bind. Figure 468 Binding an AP radio to a mesh service 4. Enable the mesh service: a. Select Wireless Service > Mesh Service from the navigation tree. Figure 469 Enabling the mesh service b. Select the mesh service to be enabled. c. Click Enable. 5. (Optional) Configure a mesh policy. NOTE: By default, the default mesh policy default_mp_plcy already exists.
Figure 470 Configuring mesh portal service 7. Configure the same working channel and enable the radio on the MAP and MPP: a. Select Radio > Radio from the navigation tree. b. Click the icon for the target MAP. Figure 471 Configuring the working channel c. Select the channel 153 to be used from the Channel list. d. Click Apply.
You can follow this step to configure the working channel for the MPP. The working channel of the radio on the MPP must be the same as the working channel of the radio on the MAP. 8. Enable radio: a. Select Radio > Radio from the navigation tree. b. Select the radio modes to be enabled for the MAP and MPP. c. Click Enable. Figure 472 Enabling radio Verifying the configuration • The mesh link between the MAP and the MPP has been established, and they can ping each other. • After 802.11n(2.
Figure 473 Network diagram Configuration guidelines • Configure a peer MAC address for each radio interface. Configure the MAC addresses of AP 2 through AP 5 on AP 1, and configure the MAC address of only AP 1 on AP 2 through AP 5. • Set the value of maximum links that an MP can form in a mesh network (The default value is 2. It must be set to 4 in this example.). For more information, see "Configuring a mesh policy.
Configuration procedure The mesh configuration is the same as the normal WLAN mesh configuration. For configuration procedures, see "WLAN mesh configuration example." Perform the following operations after completing mesh configuration: 1. (Optional) Set a calibration interval: a. Select Radio > Calibration from the navigation tree. b. Click the Parameters tab. c. On the page that appears, enter the calibration interval 3 and click OK.
Figure 475 Setting mesh calibration interval
2. Configure mesh DFS: a. Select Wireless Service > Mesh Service from the navigation tree. b. Click the Global Setup tab. c. On the page that appears, select the Manual box for Dynamic Channel Select. d. Click Apply. Figure 476 Configuring mesh DFS 3. Enable one time DFS for the mesh network: a. Select Wireless Service > Mesh Service from the navigation tree. b. Click the Mesh Channel Optimize tab. c. Select the outdoor mesh network. d. Click Channel Optimize.
Figure 478 Displaying mesh channel switching information
Configuring an IACTP tunnel and WLAN roaming IACTP tunnel The Inter AC Tunneling Protocol (IACTP) provides a generic packet encapsulation and transport mechanism for ACs to securely communicate with each other. IACTP provides a control tunnel to exchange control messages, and a data tunnel to transmit data packets between ACs. IACTP supports both IPv4 and IPv6. WLAN roaming, AC backup, and AC-BAS collaboration all use IACTP for inter-AC communication.
Figure 479 Configuring an IACTP tunnel 2. Configure an IACTP tunnel as described in Table 134. 3. Click Apply. Table 134 Configuration items Item Description IACTP Tunnel • Enable—Enable IACTP service. • Disable—Disable IACTP service. IP Type Select IPv4 or IPv6. Source Address Source address of the IACTP protocol. Auth Mode, Auth Key Optional. MD5: Select the MD5 authentication mode and set the authentication key. When the MD5 authentication mode is selected, the integrity of control messages can be verified.
Figure 480 Adding a member to the IACTP tunnel

2. Add a member to the IACTP tunnel as described in Table 135.
3. Click Add.
4. Click Apply.

Table 135 Configuration items
Item         Description
IP Address   Add the IP address of an AC to a roaming group.
             IMPORTANT: When you configure a roaming group, the ACs in the same roaming group must be configured with the same roaming group name.
VLAN         Configure the VLAN to which the roaming group member belongs. This configuration item is optional.
Configuring WLAN roaming

Configuring WLAN roaming
1. Select Roam > Roam Group from the navigation tree.

Figure 481 Configuring WLAN roaming

2. Select Enable to the right of Client Roaming. By default, WLAN roaming is enabled.
3. Click Apply.

Displaying client information
1. Select Roam > Roam Client from the navigation tree.

Figure 482 Displaying client information

2. Click a target client to view its detailed information and roaming information.
WLAN roaming configuration examples

Intra-AC roaming configuration example

Network requirements
As shown in Figure 483, an AC has two associated APs, and all of them are in VLAN 1. A client is associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when it roams to AP 2.

Figure 483 Network diagram

Configuration guidelines
When you configure intra-AC roaming, the SSIDs of the two APs must be the same.
   c. On the page that appears, set the service name to Roam, and click Apply.
   NOTE: For information about how to configure the authentication mode, see "Configuring access services." Fast roaming can be implemented only when the RSN+802.1X authentication mode is adopted.
3. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the Roam box.
   c. Click Enable.
4. Bind AP radios to the wireless service:
   a.
Figure 485 Enabling radio

Verifying the configuration
1. Display the roaming information of the client:
   a. Select Summary > Client from the navigation tree.
   b. Click the Roam Information tab.
   c. Click the desired client to view its roaming information. The roaming information shows that the client accesses the WLAN through AP 1, and that the BSSID of AP 1 is 000f-e27b-3d90 (see Figure 486).

Figure 486 Client status before intra-AC roaming

   d. Click Refresh.
Figure 487 Client status after intra-AC roaming

2. View the Roam Status field:
   a. Select Summary > Client from the navigation tree. You are placed in the Detail Information tab.
   b. Click the desired client. Intra-AC roam association appears in the Roam Status field.

Figure 488 Verifying intra-AC roaming

Inter-AC roaming configuration example

Network requirements
As shown in Figure 489, two ACs, each connected to an AP, are connected through a Layer 2 switch. Both ACs are in the same network.
Figure 489 Network diagram

Configuration guidelines
Follow these guidelines when you configure inter-AC roaming:
• The SSIDs and the authentication and encryption modes of the two APs should be the same.
• An IACTP tunnel must be configured on both ACs.

Configuring AC 1 and AC 2
If the authentication mode you select requires remote authentication, configure the RADIUS server. For information about how to configure the RADIUS server, see "Configuring RADIUS."
1.
Figure 490 Configuring an IACTP tunnel on AC 1

   d. Configure the IACTP tunnel on AC 2. The source address is the IP address of AC 2, and the member address is the IP address of AC 1. (Details not shown.)

Verifying the configuration
1. Verify the status of the IACTP tunnel:
   a. On AC 1, select Roam > Roam Group from the navigation tree. You can see that the group member 192.168.1.101 is in Run state.

Figure 491 Verifying the IACTP tunnel state (1)

   b.
Figure 492 Verifying the IACTP tunnel state (2)

2. Display the client information:
   a. After the client roams from AP 1 to AP 2, select Roam > Roam Client on AC 1. You can see that the client roams out of 192.168.1.100.

Figure 493 Viewing client information

   b. Select Roam > Roam Client on AC 2. You can see that the client roams in to 192.168.1.1.100.
3. View the connection information of the client that is associated with the AP, and the Roam Status field in the client detailed information:
   a.
Figure 494 Verifying inter-AC roaming

4. View the BSSID field:
   a. Before roaming, select Summary > Client from the navigation tree on AC 1, select the Detail Information tab, and click the desired client to view its roaming information. The roaming information in Figure 495 shows that the client connects to the WLAN through AP 1, and that the BSSID of AP 1 is 000f-e27b-3d90.

Figure 495 Client status before inter-AC roaming

   b.
Figure 496 Client status after intra-AC roaming
Configuring WLAN RRM

Radio overview
Radio frequency (RF) refers to electrical signals that can propagate through space over long distances. In the IEEE 802.11 standards, 802.11b/g operates in the 2.4 GHz band, 802.11a operates in the 5 GHz band, and 802.11n operates in both the 2.4 GHz and 5 GHz bands. Radio frequency is allocated in bands, each of which corresponds to a range of frequencies.

WLAN RRM overview
WLAN radio resource management (RRM) is a scalable radio resource management solution.
Figure 497 Dynamic channel adjustment

Transmit power control
Traditionally, an AP uses the maximum power to cover an area as large as possible. However, this method affects the operation of surrounding wireless devices. Transmit power control (TPC) selects a proper transmission power for each AP to satisfy both coverage and usage requirements.
Figure 498 Power reduction

As shown in Figure 499, when AP 3 fails or goes offline, the other APs increase their transmission power to cover the signal blackhole.
Figure 499 Power increasing

Spectrum analysis
WLAN systems operate on shared bands. Many other devices, such as microwave ovens, cordless phones, and Bluetooth devices, also operate on these bands and can negatively affect WLAN systems. The spectrum analysis feature is designed to solve this problem. Spectrum analysis delivers the following functions:
• Identifies five types of interference and provides interference device reports.
• With RRM collaboration enabled, if the detected channel quality is lower than the threshold, the AC automatically switches the working channel as soon as it detects a channel with higher quality.
Administrators can view the interference information on the AC, or view real-time spectrum analysis data on the NMS to locate and remove the interference sources. For more information about WIDS, see "Configuring WLAN security."

Configuring radios

Configuring radio parameters
1.
Figure 501 802.11ac radio setup

3. Configure the radio as described in Table 136.

Table 136 Configuration items
Item             Description
AP Name          Displays the selected AP.
Radio Unit       Displays the radios of the selected AP.
Radio Mode       Displays the radio mode of the selected AP.
Transmit Power   Maximum radio transmission power, which varies with country/region codes, channels, AP models, radio modes, and antenna types. If you adopt the 802.
802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other acting as the secondary channel. This provides a simple way of doubling the data rate. By default, the channel bandwidth of the 802.11n radio (5 GHz) is 40 MHz, and that of the 802.11n radio (2.4 GHz) is 20 MHz. 802.
Item     Description
A-MSDU   Select the A-MSDU option to enable A-MSDU. Multiple MSDUs can be aggregated into a single A-MSDU. This reduces the MAC header overhead and improves MAC layer forwarding efficiency. At present, only A-MSDUs can be received.
         IMPORTANT: When 802.11n radios are used in a mesh WLAN, make sure they have the same A-MSDU configuration.
A-MPDU   Select the A-MPDU option to enable A-MPDU. 802.11n introduces the Aggregated MAC Protocol Data Unit (A-MPDU) frame format.
Figure 502 Radio setup (advanced setup)

5. Configure the radio as described in Table 137, and click Apply.

Table 137 Configuration items
Item       Description
Preamble   A preamble is a pattern of bits at the beginning of a frame that lets the receiver synchronize and be ready for the real data.
           • Short preamble—Short preamble improves network performance. Therefore, this option is always selected.
           • Long preamble—Long preamble ensures compatibility between the access point and some legacy client devices.
Item                 Description
Client Max Count     Maximum number of clients that can be associated with one radio.
Fragment Threshold   Specify the maximum length of frames that can be transmitted without fragmentation. When the length of a frame exceeds the specified fragment threshold, the frame is fragmented.
                     • In a wireless network where the error rate is high, you can decrease the fragment threshold by a rational value.
Item                    Description
Long Retry Threshold    Number of retransmission attempts for unicast frames larger than the RTS/CTS threshold.
Short Retry Threshold   Number of retransmission attempts for unicast frames smaller than the RTS/CTS threshold if no acknowledgment is received for them.
Max Receive Duration    Interval for which a frame received by an AP can stay in the buffer memory.
STBC                    • On—Enable STBC.
                        • Off—Disable STBC.
                        By default, space-time block coding (STBC) is enabled.
Figure 503 Enabling radio

2. Select the box of the target radio.
3. Click Enable.

Locking the channel
1. Select Radio > Radio from the navigation tree.

Figure 504 Locking a channel

2. Select the box of the target radio.
3. Click Lock Channel.
Channel locking takes effect only when the AC adopts the auto mode. For more information about automatic channel adjustment, see "Configuring radio parameters."
Locking the power
1. Select Radio > Radio from the navigation tree.

Figure 505 Locking the current power

2. Select the box of the target radio.
3. Click Lock Power.
After you lock the power, the AC automatically sets the transmission power to the adjusted power value, so that the AP keeps using the adjusted power after the AC is rebooted. For transmission power configuration, see "Configuring radio parameters."
Figure 506 Setting 802.11a/802.11b/802.11g rates

2. Configure 802.11a/802.11b/802.11g rates as described in Table 138, and click Apply.
Table 138 Configuration items
Item      Description
802.11a   Configure rates (in Mbps) for 802.11a. By default:
          • Mandatory rates—6, 12, and 24.
          • Supported rates—9, 18, 36, 48, and 54.
          • Multicast rate—Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11b   Configure rates (in Mbps) for 802.11b. By default:
          • Mandatory rates—1 and 2.
          • Supported rates—5.5 and 11.
MCS index   Number of spatial streams   Modulation   Data rate (Mbps)
                                                     800ns GI   400ns GI
3           1                           16-QAM       26.0       28.9
4           1                           16-QAM       39.0       43.3
5           1                           64-QAM       52.0       57.8
6           1                           64-QAM       58.5       65.0
7           1                           64-QAM       65.0       72.2
8           2                           BPSK         13.0       14.4
9           2                           QPSK         26.0       28.9
10          2                           QPSK         39.0       43.3
11          2                           16-QAM       52.0       57.8
12          2                           16-QAM       78.0       86.7
13          2                           64-QAM       104.0      115.6
14          2                           64-QAM       117.0      130.0
15          2                           64-QAM       130.0      144.
• Mandatory rates must be supported by the AP and by the clients that want to associate with the AP.
• Supported rates allow clients that support both mandatory and supported rates to choose higher rates when communicating with the AP.
• Multicast MCS: Specifies the 802.11n multicast data rates.

Configuring 802.11n rates
1. Select Radio > Rate from the navigation tree.

Figure 507 Setting 802.11n rate

2. Configure the 802.11n rate as described in Table 141, and click Apply.
The VHT-MCS data rate tables for 20 MHz, 40 MHz, and 80 MHz are shown in Table 142, Table 143, and Table 144, respectively. For the entire table, see IEEE Draft P802.11ac_D5.0. The value range for NSS is 1 to 8, and the value range for the VHT-MCS index in each NSS is 0 to 9.
NOTE: Support for NSS depends on the device model.

Table 142 VHT-MCS data rate table (20 MHz, Nss = 1)
VHT-MCS index   Modulation   Data rate (Mbps)
                             800ns GI   400ns GI
0               BPSK         6.5        7.2
1               QPSK         13.0       14.4
2               QPSK         19.5       21.7
3               16-QAM       26.
Table 144 VHT-MCS data rate table (80 MHz, Nss = 1)
MCS index   Modulation   Data rate (Mbps)
                         800ns GI   400ns GI
0           BPSK         29.3       32.5
1           QPSK         58.5       65.0
2           QPSK         87.8       97.5
3           16-QAM       117.0      130.0
4           16-QAM       175.5      195.0
5           64-QAM       234.0      260.0
6           64-QAM       263.3      292.5
7           64-QAM       292.5      325.0
8           256-QAM      351.0      390.0
9           256-QAM      390.0      433.3

NSS is divided into the following types:
• Mandatory NSS—Mandatory NSS must be supported by the AP and by the clients that want to associate with the AP.
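Every value in the 802.11n MCS table above and in Table 142 and Table 144 follows from one formula, rate = Nss x Nbpscs x R x Nsd / Tsym. The Python below is an added worked example, not code from the HP guide or the device: it computes HT (802.11n) and VHT (802.11ac) PHY data rates from the MCS parameters and reproduces the table values, including the 800 ns and 400 ns guard interval columns. The function and constant names (phy_rate_mbps, ht_rate, vht_rate, MCS_PARAMS) are this example's own. It goes beyond the printed tables: ht_rate covers HT MCS 0 to 31 at 20 and 40 MHz, and vht_rate covers Nss 1 to 8, returning None where the data bits per OFDM symbol would not be an integer, which is why VHT-MCS 9 does not exist at 20 MHz with one spatial stream.

```python
"""HT (802.11n) and VHT (802.11ac) PHY data rates from MCS parameters.

Added worked example; not code from the HP guide. Rate formula (IEEE 802.11):
    rate (Mbps) = Nss * Nbpscs * R * Nsd / Tsym
Nss     spatial streams
Nbpscs  coded bits per subcarrier (1 BPSK, 2 QPSK, 4 16-QAM, 6 64-QAM, 8 256-QAM)
R       coding rate
Nsd     data subcarriers: 52 (20 MHz), 108 (40 MHz), 234 (80 MHz)
Tsym    OFDM symbol time: 4.0 us (800 ns GI) or 3.6 us (400 ns short GI)
Fractions keep the arithmetic exact; results are rounded half-up to 0.1 Mbps,
the way the guide's tables print them.
"""
from fractions import Fraction
from math import floor
from typing import List, Optional, Tuple

# (modulation, Nbpscs, R) for MCS 0-9 of one spatial stream. 8 and 9 are VHT only.
MCS_PARAMS = [
    ("BPSK", 1, Fraction(1, 2)),
    ("QPSK", 2, Fraction(1, 2)),
    ("QPSK", 2, Fraction(3, 4)),
    ("16-QAM", 4, Fraction(1, 2)),
    ("16-QAM", 4, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(2, 3)),
    ("64-QAM", 6, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(5, 6)),
    ("256-QAM", 8, Fraction(3, 4)),
    ("256-QAM", 8, Fraction(5, 6)),
]
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234}
SYMBOL_TIME_US = {800: Fraction(4), 400: Fraction(18, 5)}  # 4.0 us and 3.6 us


def _round_half_up(x: Fraction) -> float:
    """Round to one decimal with halves rounded up (29.25 -> 29.3), as the tables do."""
    return floor(x * 10 + Fraction(1, 2)) / 10


def data_bits_per_symbol(mcs: int, nss: int, bw_mhz: int) -> Fraction:
    """Ndbps = Nss * Nbpscs * R * Nsd (exact fraction)."""
    _, nbpscs, r = MCS_PARAMS[mcs]
    return nss * nbpscs * r * DATA_SUBCARRIERS[bw_mhz]


def phy_rate_mbps(mcs: int, nss: int, bw_mhz: int, gi_ns: int) -> float:
    """Data rate in Mbps for one MCS/Nss/bandwidth/guard-interval combination."""
    return _round_half_up(data_bits_per_symbol(mcs, nss, bw_mhz) / SYMBOL_TIME_US[gi_ns])


def ht_rate(ht_mcs_index: int, bw_mhz: int, gi_ns: int) -> float:
    """802.11n: the HT MCS index 0-31 encodes Nss and modulation as 8*(Nss-1) + mcs."""
    if not 0 <= ht_mcs_index <= 31 or bw_mhz not in (20, 40):
        raise ValueError("HT MCS index must be 0-31 at 20 or 40 MHz")
    nss_minus_one, mcs = divmod(ht_mcs_index, 8)
    return phy_rate_mbps(mcs, nss_minus_one + 1, bw_mhz, gi_ns)


def vht_rate(vht_mcs: int, nss: int, bw_mhz: int, gi_ns: int) -> Optional[float]:
    """802.11ac: VHT-MCS 0-9 per stream, Nss 1-8.

    Returns None when Ndbps would not be an integer; that is why VHT-MCS 9 is
    not defined at 20 MHz for one stream. The standard excludes a few further
    combinations for encoder-related reasons that this example does not model.
    """
    if not 0 <= vht_mcs <= 9 or not 1 <= nss <= 8:
        raise ValueError("VHT-MCS must be 0-9 and Nss 1-8")
    if data_bits_per_symbol(vht_mcs, nss, bw_mhz).denominator != 1:
        return None
    return phy_rate_mbps(vht_mcs, nss, bw_mhz, gi_ns)


def vht_table(bw_mhz: int, nss: int) -> List[Tuple[int, str, Optional[float], Optional[float]]]:
    """Rows of (VHT-MCS index, modulation, rate at 800 ns GI, rate at 400 ns GI)."""
    return [
        (mcs, MCS_PARAMS[mcs][0], vht_rate(mcs, nss, bw_mhz, 800), vht_rate(mcs, nss, bw_mhz, 400))
        for mcs in range(len(MCS_PARAMS))
    ]


if __name__ == "__main__":
    print("HT MCS 0-15 at 20 MHz (800 ns / 400 ns GI):")
    for i in range(16):
        print(f"  MCS {i:2d}: {ht_rate(i, 20, 800):6.1f} / {ht_rate(i, 20, 400):6.1f} Mbps")
    print("VHT 80 MHz, Nss = 1:")
    for mcs, mod, r800, r400 in vht_table(80, 1):
        print(f"  VHT-MCS {mcs}: {mod:8s} {r800} / {r400} Mbps")
```

Run the file to print the 20 MHz HT table (which matches the MCS 3 to 15 rows above) and the 80 MHz VHT table; vht_table(20, 1) shows the None entry for VHT-MCS 9 that Table 142 omits.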
Table 145 Configuration items
Item                    Description
Mandatory Maximum NSS   Select Mandatory Maximum NSS and set the maximum 802.11ac mandatory NSS.
                        IMPORTANT: If you select the 802.11n and 802.11ac option or the 802.11ac option, you must configure the mandatory maximum NSS.
Multicast NSS           Set the multicast NSS for 802.11ac. The multicast NSS is adopted only when all the clients use 802.11ac. If a non-802.11ac client exists, multicast traffic is transmitted at a rate determined by the client type.
2. Configure channel scanning as described in Table 146, and click Apply.

Table 146 Configuration items
Item                       Description
Scan Mode                  Set the scan mode.
                           • Auto—Legal channels in the scanning mode for the configured country/region code are scanned.
                           • All—All the channels of the radio band are scanned.
Scan Non-802.11h Channel   Some 802.11h channels, also called radar channels, overlap some 802.11a channels. If the device operates on an overlapping channel, the service quality of the WLAN might be affected.
Item                                              Description
5GHz Excluded Channel / 2.4GHz Excluded Channel   To avoid selecting improper channels, you can exclude specific channels from automatic channel selection. The excluded channels are not available for initial channel selection, DFS, or mesh DFS. This feature does not affect rogue detection or WIDS. Select a channel and add it to the 5GHz Excluded Channel or 2.4GHz Excluded Channel list. By default, no channels exist in either list.
• If channel persistence is executed on a locked channel, the channel is unlocked.
The device automatically saves the channel value through the Channel option on the Radio page. After the AC reboots, the AP continues to use the persistent channel.

Configuration procedure
1. Select Radio > Calibration from the navigation tree.
2. Click the Operation tab.
3. Select the box of the target AP.
4. Click Channel Persistent.
The device executes power persistence on the adjusted power. If the adjusted power value is not the default value set through the Transmit Power option on the Radio page, the device automatically saves the power value. After the AC reboots, the AP continues to use the adjusted power.

Setting parameters
1. Select Radio > Calibration from the navigation tree.
2. Click the Parameters tab.
Figure 512 Setting channel calibration
3. Configure channel calibration as described in Table 147, and click Apply.

Table 147 Configuration items
Item                      Description
802.11g Protection Mode   • RTS/CTS—Use RTS/CTS mode to implement 802.11g protection. Before sending data to a client, an AP sends an RTS packet to the client, ensuring that all the devices within the coverage of the AP do not send data in the specified time after receiving the RTS packet.
Item                     Description
Dynamic Channel Select   • Close—Disable the DFS function.
                         • Auto—With auto DFS enabled, an AC performs DFS for a radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes DFS decisions at the calibration interval automatically.
Item                   Description
Dynamic Power Select   • Close—Disable transmit power control (TPC).
                       • Auto—With auto TPC enabled, the AC performs TPC for an AP upon certain interference and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes TPC decisions at the calibration interval automatically.
3. Click Add. The Radio Group page appears.

Figure 513 Configuring a radio group

4. Configure the radio group as described in Table 148, and click Apply.

Table 148 Configuration items
Item                        Description
Group ID                    ID of the radio group.
Description                 Description for the radio group. By default, a radio group has no description.
Channel Holddown Interval
Power Holddown Interval
Calibration operations
If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can only view the working channel and the power of the radio on the Operation tab of the Radio > Calibration page. Other information, such as the interference observed and the number of neighbors, is displayed only when RRM is enabled, that is, when dynamic power selection or automatic dynamic frequency selection is enabled. For the configuration of RRM parameters, see "Setting parameters."

Displaying channel status
1.
Figure 515 Neighbor information

Table 150 Field description
Field              Description
AP MAC Address     MAC address of a neighbor AP.
Channel No         Running channel.
Interference (%)   Duration of all invalid packets detected on a channel.
RSSI (dBm)         Received signal strength indication (RSSI) of the AP, in dBm.
AP Type            AP type, managed or unmanaged.

Displaying history information
History information is available only if channel switching or power adjustment occurs after RRM is enabled.
Figure 516 History information

Table 151 Field description
Field         Description
Radio         Radio ID of the AP.
Basic BSSID   MAC address of the AP.
Chl           Channel on which the radio operated at the time of the channel or power change.
Power         Power of the radio at the time of the channel or power change.
Load          Load observed on the radio, in percent, at the time of the channel or power change.
Util          Utilization of the radio, in percent, at the time of the channel or power change.
Figure 517 Antenna switch

Configuring spectrum analysis
IMPORTANT: Support for this feature depends on the device model.

Configuring the operating mode for an AP
The channels that an AP can detect depend on the operating mode of the AP:
• When operating in normal mode, an AP can only detect interference devices and channel quality, and collect FFT data, for its working channel.
• When operating in monitor or hybrid mode, the channels that an AP can detect depend on the scan channel command.
Figure 518 Spectrum analysis

Enabling spectrum analysis
When spectrum analysis is enabled, the AP begins to detect interference and channel quality, and to collect FFT data.

Table 152 Configuration items
Item                                  Description
Spectrum Analysis                     • Enable—Enable spectrum analysis.
                                      • Disable—Disable spectrum analysis.
                                      By default, spectrum analysis is disabled.
Enable spectrum analysis on a radio   See "Enabling spectrum analysis on a radio."
Configuring event-driven RRM
This function enables the AC to start calculating the channel quality, and to switch to a new channel with higher quality when the channel quality is lower than the sensitivity level.

Table 153 Configuration items
Item                    Description
Event Driven RRM        • Enable—Enable event-driven RRM.
                        • Disable—Disable event-driven RRM.
                        By default, spectrum analysis does not trigger channel adjustment.
Sensitivity Threshold   • High—Specify the high sensitivity threshold.
Enabling spectrum analysis on a radio
1. Select Radio > Spectrum Analysis from the navigation tree.
2. Click Radio.

Figure 519 Enabling spectrum analysis

3. Select the radio for which spectrum analysis is to be enabled.
4. Click Enable.

Displaying interference device state
1. Select Radio > Spectrum Analysis from the navigation tree.
2. Click Interference Info. You can view the non-802.11 interference devices detected by the AP.
2. Click Channel Quality Info.

Figure 521 Displaying channel quality information

Manual channel adjustment configuration example

Network requirements
As shown in Figure 522, configure manual channel adjustment on the AC so that the AC can perform manual channel adjustment when the channel of AP 1 is unavailable.

Figure 522 Network diagram

Configuration guidelines
If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you perform manual channel adjustment.
Figure 523 Configuring manual channel adjustment
3. Perform manual channel adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. On the Operation tab, select the box of the target radio.
   c. Click Channel Optimize.

Figure 524 Performing manual channel adjustment

Verifying the configuration
• You can view the channel status on the Operation tab, which you enter by selecting Radio > Calibration from the navigation tree.
• After you perform manual channel calibration, the AC informs the AP of the adjusted channel after a calibration interval.
Figure 525 Network diagram

Configuration procedure
1. Before you configure automatic power adjustment, configure AP 1 through AP 4 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure automatic power adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. Click the Parameters tab.
   c. Select Auto from the Dynamic Power Select list.
   d. Click Apply.
Figure 526 Configuring automatic power adjustment
Verifying the configuration
• You can view the power of each AP on the Operation tab, which you enter by selecting Radio > Calibration from the navigation tree.
• When AP 4 joins (the adjacency number becomes 3), the number of neighbors reaches the upper limit (3 by default), and the AC performs power adjustment after the calibration interval.
Figure 528 Configuring automatic channel and power adjustment
3. Configure a radio group:
   a. Select Radio > Calibration from the navigation tree.
   b. Click Radio Group.
   c. Click Add.
   d. On the page that appears, enter the channel holddown interval 20 and the power holddown interval 30.
   e. In the Radios Available area, select the target radios and click << to add them to the Radios Selected area.
   f. Click Apply.
Figure 530 Network diagram

Configuration procedure
1. Configure AP 1 to operate in normal mode. For more information, see "Configuring WLAN access."
2. Configure AP 2 to operate in monitor mode. For more information, see "Configuring WLAN security."
3. Enable spectrum analysis on a specified radio:
   a. Select Radio > Spectrum Analysis from the navigation tree.
   b. Click Radio.

Figure 531 Configuring radio

   c. Select the radio with the radio mode 802.11n (2.4 GHz).
   d. Click Enable.
4.
   c. Enable spectrum analysis, disable the channel quality trap (enabled by default), and keep Microwave oven and Bluetooth in the Trap on Device Types area (remove the other device types from the area by selecting them and clicking >>).
   d. Click OK.

Figure 532 Configuring spectrum analysis

Verifying the configuration
• Select Radio > Spectrum Analysis from the navigation tree, and click Interference Info to display information about the non-802.11 interference sources detected by AP 2.
Configuring 802.1X

802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of wireless LANs (WLANs). It has since been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication.
• Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.
• MAC-based access control—Each user is authenticated separately on a port. When a user logs off, no other online users are affected.

802.1X timers
This section describes the timers used on an 802.
Configuration procedure
Task                              Description
1. Configuring 802.1X globally    Required. Enable 802.1X authentication globally and configure the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally.
2. Configuring 802.1X on a port   Required. Enable 802.1X authentication on specified ports and configure 802.1X parameters for the ports. By default, 802.1X authentication is disabled on a port.

Configuring 802.1X globally
1.
• Whether the RADIUS server supports EAP packets.
• The authentication methods supported by the 802.1X client and the RADIUS server.
If the client uses only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an H3C iNode 802.1X client, you can use either EAP termination or EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay.
4. Click Advanced to expand the advanced 802.1X configuration area.
Item                       Description
Re-Authentication Period   Set the periodic online user re-authentication timer.
Supplicant Timeout Time    Set the client and server timeout timers.
Server Timeout Time        TIP: You can set the client timeout timer to a high value in a low-performance network, and adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient. For more information about 802.1X timers, see "802.1X timers."
3. Configure 802.1X features on the port, as described in Table 157.
4. Click Apply.

Table 157 Configuration items
Item   Description
Port   Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are available. 802.1X configuration takes effect on a port only when 802.1X is enabled both globally and on the port.
       NOTE: 802.1X is mutually exclusive with the link aggregation group and service loopback group configuration on a port.
Item                Description
Re-Authentication   Specify whether to enable periodic online user re-authentication on the port. Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 156.
Feature                                                                      Relationship description
Port intrusion protection on a port that performs MAC-based access control   The 802.1X guest VLAN function has higher priority than the block MAC action, but lower priority than the shutdown port action of the port intrusion protection feature.

Configuration prerequisites
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs port-based access control, enable the 802.1X multicast trigger at the CLI. (802.
Configuring portal authentication

Overview
Portal authentication helps control access to the Internet. It is also called Web authentication. A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website. However, to access the Internet, a user must pass portal authentication.
2. On the authentication homepage or in the authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security policy for the user.
Step                                                           Remarks
2. Configuring advanced parameters for portal authentication   Optional. Specify an auto redirection URL, set the time that the device must wait before redirecting an authenticated user to the auto redirection URL, and add Web proxy server port numbers.
3. Configuring a portal-free rule                              Optional. Configure a portal-free rule, specifying the source and destination information for packet filtering.
Figure 538 Portal server configuration

2. Click Add to enter the portal service application page.

Figure 539 Portal service application

3. Configure the portal application settings as described in Table 160.
4. Click Apply.
Table 160 Configuration items
Item            Description
Interface       Specify the Layer 3 interface to be enabled with portal authentication.
Portal Server   Specify the portal server to be applied on the specified interface. Options include:
                • Select Server—Select an existing portal server from the Portal Server list.
                • New Server—If you select Add under this option from the list, the portal server configuration area, as shown in Figure 540, is displayed at the lower part of the page.
Figure 540 Adding a portal server

Table 161 Configuration items
Item          Description
Server Name   Enter a name for the remote portal server.
IP            Enter the IP address of the remote portal server.
Key           Enter the shared key to be used for communication between the device and the remote portal server.
Port          Enter the port number of the remote portal server.
URL           Specify the URL for HTTP packet redirection, in the format http://ip-address. By default, the IP address of the portal server is used in the URL.
Item   Description
IP     Specify the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.
URL    Specify the URL for HTTP packet redirection, in the format http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm (depending on the protocol type). By default, the IP address of the local portal server is used in the URL.
Figure 542 Advanced configuration

3. Configure the advanced parameters as described in Table 163.
4. Click Apply.

Table 163 Advanced portal parameters
Item                    Description
Web Proxy Server Port   Add the Web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication. Different clients may have different Web proxy configurations.
Item        Description
Wait-Time   Period of time that the device must wait before redirecting an authenticated portal user to the auto redirection URL.

Configuring a portal-free rule
1. From the navigation tree, select Authentication > Portal.
2. Click the Free Rule tab.

Figure 543 Portal-free rule configuration

3. Click Add. The page for adding a new portal-free rule appears.

Figure 544 Adding a portal-free rule

4. Configure the portal-free rule as described in Table 164.
5. Click Apply.
Table 164 Configuration items
Item                 Description
Number               Specify the sequence number of the portal-free rule.
Source-interface     Specify the source interface of the portal-free rule. The SSIDs in the list are the SSIDs of the corresponding wireless ESS interfaces.
Source IP address    Specify the source IP address and mask of the portal-free rule.
Mask
Source MAC address   Specify the source MAC address of the portal-free rule.
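How the portal-free rules in Table 164, the Web proxy server ports in Table 163 and the redirection URL fit together is easiest to see as one access decision for an unauthenticated client. The Python below is an added illustration, not code from the HP guide or the access device: traffic that matches a portal-free rule (any combination of source interface, source IP address and mask, source MAC address and destination address) passes without authentication; a plain HTTP request is redirected to the portal URL; an HTTP request sent to a proxy port triggers the redirection only if that port was added as a Web proxy server port. Denying everything else from an unauthenticated client, the rule names (FreeRule, PortalConfig, portal_decision) and the sample addresses are this example's own assumptions.

```python
"""Portal access decision for one packet, modelled on the guide's description.

Added example; not code from the HP guide or device. Assumptions of this
example: portal-free rules are permit-only and checked in sequence-number
order; non-HTTP traffic from an unauthenticated client is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


def _network(addr_and_mask: str) -> ipaddress.IPv4Network:
    """Accepts '192.168.1.0/255.255.255.0' (address and mask) or '192.168.1.0/24'."""
    return ipaddress.ip_network(addr_and_mask, strict=False)


@dataclass(frozen=True)
class FreeRule:
    """One portal-free rule; a None field means 'any' for that match item."""
    number: int                                # sequence number of the rule
    source: Optional[str] = None               # source IP address and mask
    destination: Optional[str] = None          # destination IP address and mask
    source_mac: Optional[str] = None           # source MAC address
    source_interface: Optional[str] = None     # source interface, named by its SSID

    def matches(self, src_ip: str, dst_ip: str, src_mac: str, interface: str) -> bool:
        if self.source and ipaddress.ip_address(src_ip) not in _network(self.source):
            return False
        if self.destination and ipaddress.ip_address(dst_ip) not in _network(self.destination):
            return False
        if self.source_mac and self.source_mac.lower() != src_mac.lower():
            return False
        if self.source_interface and self.source_interface != interface:
            return False
        return True


@dataclass(frozen=True)
class PortalConfig:
    portal_url: str                            # URL an unauthenticated HTTP request is redirected to
    proxy_ports: frozenset = frozenset()       # Web proxy server ports (Table 163); empty by default


def portal_decision(cfg: PortalConfig, rules: Iterable[FreeRule], *, src_ip: str, dst_ip: str,
                    dst_port: int, src_mac: str, interface: str, authenticated: bool,
                    is_http: bool) -> str:
    """Return 'permit ...', 'redirect <url>' or 'deny' for one packet."""
    if authenticated:
        return "permit"
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, dst_ip, src_mac, interface):
            return f"permit (portal-free rule {rule.number})"
    # Only unproxied HTTP (port 80) or HTTP to a configured proxy port triggers the portal.
    if is_http and (dst_port == 80 or dst_port in cfg.proxy_ports):
        return f"redirect {cfg.portal_url}"
    return "deny"   # example's assumption for all other unauthenticated traffic


if __name__ == "__main__":
    # Constructed sample configuration: rule 1 lets clients reach the portal server itself.
    cfg = PortalConfig("https://192.168.1.1/portal/logon.htm", frozenset({8080}))
    rules = [FreeRule(1, destination="192.168.1.1/255.255.255.255"),
             FreeRule(2, source_interface="abc", destination="1.1.1.2/32")]
    for port, http in ((443, False), (80, True), (8080, True), (3128, True)):
        print(port, portal_decision(cfg, rules, src_ip="192.168.1.20", dst_ip="203.0.113.10",
                                    dst_port=port, src_mac="00:1c:0f:aa:bb:cc",
                                    interface="abc", authenticated=False, is_http=http))
```

The proxy-port case is the one that surprises operators: a client whose browser is configured to use a proxy on port 3128 never triggers the portal page unless 3128 is added under the advanced parameters, so it simply cannot reach the Internet until then.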
Table 165 Main authentication page file names
Main authentication page                                                                File name
Logon page                                                                              logon.htm
Logon success page                                                                      logonSuccess.htm
Logon failure page                                                                      logonFail.htm
Online page (pushed after the user gets online, for online notification)                online.htm
System busy page (pushed when the system is busy or the user is in the logon process)   busy.htm
Logoff success page                                                                     logoffSuccess.htm

Page request rules
The local portal server supports only Post and Get requests.
Page file compression and saving rules
• A set of authentication page files must be compressed into a standard .zip file. The name of a .zip file can contain only letters, numbers, and underscores. The .zip file of the default authentication pages must be saved with the name defaultfile.zip.
• The set of authentication pages must be located in the root directory of the .zip file.
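The file-name rules in Table 165 and the compression and saving rules above can be checked before an archive is uploaded to the local portal server. The Python below is an added example, not code from the HP guide or device: it validates a page archive against those rules (archive name made of letters, digits and underscores; the six main pages present; every entry in the root directory) and additionally rejects entries whose path escapes the root, which is the check a defender wants on any user-supplied archive. The function names validate_page_archive and build_archive and the in-memory sample archives are this example's own.

```python
"""Validate a local portal authentication page archive against the guide's rules.

Added example; not code from the HP guide or device. build_archive only
constructs in-memory sample archives so the example runs offline.
"""
import io
import re
import zipfile
from typing import Dict, List

# Main authentication page file names from Table 165.
REQUIRED_PAGES = {"logon.htm", "logonSuccess.htm", "logonFail.htm",
                  "online.htm", "busy.htm", "logoffSuccess.htm"}
# Archive name: letters, numbers and underscores only, with the .zip extension.
ZIP_NAME_RE = re.compile(r"^[A-Za-z0-9_]+\.zip$")


def validate_page_archive(zip_name: str, data: bytes) -> List[str]:
    """Return the list of rule violations; an empty list means the archive is acceptable."""
    problems: List[str] = []
    if not ZIP_NAME_RE.match(zip_name):
        problems.append(f"archive name {zip_name!r} may contain only letters, numbers and underscores")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return problems + ["not a valid .zip file"]
    with archive:
        names = [info.filename for info in archive.infolist() if not info.is_dir()]
    for name in names:
        parts = name.replace("\\", "/").split("/")
        if name.startswith("/") or ".." in parts:
            # Path would escape the extraction directory; never accept such an entry.
            problems.append(f"unsafe entry path {name!r}")
        elif len(parts) > 1:
            problems.append(f"{name!r} is not in the root directory of the archive")
    present = {name for name in names if "/" not in name and "\\" not in name}
    for missing in sorted(REQUIRED_PAGES - present):
        problems.append(f"missing required page {missing}")
    return problems


def build_archive(files: Dict[str, bytes]) -> bytes:
    """Construct an in-memory .zip from {entry name: content} (sample data for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in files.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_archive({page: b"<html></html>" for page in REQUIRED_PAGES})
    print("defaultfile.zip:", validate_page_archive("defaultfile.zip", good) or "OK")
    bad = build_archive({"pages/logon.htm": b"<html></html>", "../evil.htm": b"<html></html>"})
    for problem in validate_page_archive("my-pages.zip", bad):
        print("my-pages.zip:", problem)
```

A page set whose files sit under a subdirectory passes a casual inspection but fails the root-directory rule, and the validator reports exactly which of the six pages it could not find at the root.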
If a user refreshes the logon success or online page, or jumps to another website from either of the pages, the device also logs off the user. Google Chrome browsers do not support this function.
Make sure that the browser of an authentication client permits pop-ups, or permits pop-ups from the access device.
Figure 545 Network diagram (RADIUS server 1.1.1.2/24; Vlan-int2 192.168.1.1/24; Vlan-int3 3.3.3.3/24; Vlan-int4 1.1.1.1/24; client, AP, AC and IP network; SSID abc; gateway 192.168.1.1/24)

Configuration prerequisites
Complete the following tasks before you perform the portal configuration:
• Configure IP addresses for the devices, as shown in Figure 545, and make sure they can reach each other.
• Configure PKI domain test, and make sure that a local certificate and a CA certificate are obtained successfully.
Figure 546 Configuring the RADIUS scheme
2. Configure ISP domain test as the default domain:
a. From the navigation tree, select Authentication > AAA. The Domain Setup tab appears.
b. Enter the domain name test, and select Enable from the Default Domain list.
c. Click Apply.
Figure 547 Creating an ISP domain
3. Configure an authentication method for the ISP domain:
a. Click the Authentication tab.
b. Select the domain name test.
c. Select the Default AuthN option, and then select RADIUS as the authentication mode.
d. From the Name list, select system to use it as the authentication scheme.
e. Click Apply. A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.
Figure 548 Configuring the authentication method for the ISP domain
4. Configure an authorization method for the ISP domain:
a. Click the Authorization tab.
b. Select the Default AuthZ option, and then select RADIUS as the authorization mode.
c. From the Name list, select system to use it as the authorization scheme.
d. Click Apply. A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 549 Configuring the authorization method for the ISP domain
5.
The configuration progress dialog box appears.
g. After the configuration process is complete, click Close.
Figure 550 Configuring the accounting method for the ISP domain
6. Create an AP:
a. From the navigation tree, select AP > AP Setup.
b. Click Create.
c. Enter the AP name ap1.
d. Select model MSM460-WW.
e. Select the manual mode for serial ID, and then enter the serial ID CN2AD330S8.
f. Click Apply.
Figure 551 Creating an AP
7. Create a wireless service:
a.
Figure 552 Creating a wireless service
d. On the page as shown in Figure 553, enter 2 in the VLAN (Untagged) field, enter 2 in the Default VLAN field, and click Apply. A configuration progress dialog box appears.
Figure 553 Configuring parameters for the wireless service
e. After the configuration process is complete, click Close.
8. Enable the wireless service:
a. On the wireless service list as shown in Figure 554, select the wireless service abc.
b. Click Enable.
Figure 554 Enabling the wireless service
9. Bind an AP radio with the wireless service:
a. On the wireless service list, click the icon in the Operation column of wireless service abc.
b. On the page that appears, select ap1 with the radio mode of 802.11n(2.4GHz).
c. Click Bind. A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 555 Binding an AP radio
10. Enable the radio:
a. From the navigation tree, select Radio > Radio.
b. Select ap1 with the radio mode of 802.11n(2.4GHz).
c. Click Enable.
Figure 556 Enabling the 802.11n(2.4GHz) radio
11. Configure portal authentication:
a. From the navigation tree, select Authentication > Portal.
b. Click Add.
c. Configure a local portal server:
− Select interface Vlan-interface2.
− Select Enable Local Server for Portal Server.
− Select Direct as the authentication method.
− Select the authentication domain test.
− Enter 192.168.1.1 as the server IP address.
− Select HTTPS as the protocol type.
− Select test as the PKI domain.
Figure 557 Portal service application
12. Configure a portal-free rule for Bridge-Aggregation 1:
a. Click the Free Rule tab.
b. Click Add.
c. On the page that appears, enter the rule number 0, and select the source interface Bridge-Aggregation1.
d. Click Apply.
Figure 558 Configuring a portal-free rule for Bridge-Aggregation 1

Verifying the configuration
When a user accesses subnet 1.1.1.0/24 by using a Web browser, the user is redirected to the page https://192.168.1.1/portal/logon.htm. After entering the correct username and password on the webpage, the user passes the authentication.
Configuring AAA

Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Figure 560 Determining the ISP domain for a user by the username
You can configure different authentication, authorization, and accounting methods for users in an ISP domain, or you can configure a set of default methods for an ISP domain. The default methods are used for users for whom no specific AAA methods are configured. AAA manages users in the same ISP domain based on their access types. The device supports the following user access types:
• LAN users—Users on a LAN who must pass 802.
2. Configuring authentication methods for the ISP domain: Optional. Configure authentication methods for various types of users. By default, all types of users use local authentication.
3. Configuring authorization methods for the ISP domain: Optional. Specify the authorization methods for various types of users. By default, all types of users use local authorization.
4. Configuring accounting methods for the ISP domain: Required. Specify the accounting methods for various types of users.
Table 166 Configuration items
Domain Name: Enter an ISP domain name for uniquely identifying the domain. You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).
Default Domain: Specify whether to use the ISP domain as the default domain. Options include:
• Enable—Uses the domain as the default domain.
• Disable—Uses the domain as a non-default domain.
There can be only one default domain at a time.
Default AuthN / Name / Secondary Method: Configure the default authentication method and secondary authentication method for all types of users. Options include:
• HWTACACS—HWTACACS authentication. You must specify the HWTACACS scheme to be used.
• Local—Local authentication.
• None—No authentication. This method trusts all users and is not for general use.
• RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
Configuring authorization methods for the ISP domain
1. From the navigation tree, select Authentication > AAA.
2. Click the Authorization tab to enter the authorization method configuration page.
Figure 563 Authorization method configuration page
3. Configure authorization methods for different types of users in the domain, as described in Table 168.
4. Click Apply. A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.
LAN-access AuthZ / Name / Secondary Method: Configure the authorization method and secondary authorization method for LAN users. Options include:
• Local—Local authorization.
• None—This method trusts all users and assigns default rights to them.
• RADIUS—RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default AuthZ area for LAN users.
Configure the authorization method and secondary authorization method for login users.
Figure 564 Accounting method configuration page
3. Configure accounting methods for different types of users in the domain, as described in Table 169.
4. Click Apply. A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.
Table 169 Configuration items
Select an ISP domain: Select the ISP domain for which you want to specify accounting methods.
Specify whether to enable the accounting optional feature.
Login Accounting / Name / Secondary Method: Configure the accounting method and secondary accounting method for login users. Options include:
• HWTACACS—HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Local accounting.
• None—No accounting.
• RADIUS—RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default Accounting area for login users.
b. Click Add.
c. Enter telnet as the username.
d. Enter abcd as the password.
e. Enter abcd again to confirm the password.
f. Select Reversible as the password encryption method.
g. Select Common User as the user type.
h. Select Configure as the level.
i. Select Telnet as the service type.
j. Click Apply.
Figure 566 Configuring the local user
2. Configure ISP domain test:
a. From the navigation tree, select Authentication > AAA. The Domain Setup page appears, as shown in Figure 567.
b.
Figure 567 Configuring ISP domain test
3. Configure the ISP domain to use local authentication for login users:
a. From the navigation tree, select Authentication > AAA.
b. Click the Authentication tab.
c. Select the domain test.
d. Select the Login AuthN option, and then select the authentication method Local.
e. Click Apply. A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 568 Configuring the ISP domain to use local authentication for login users
4. Configure the ISP domain to use local authorization for login users:
a. From the navigation tree, select Authentication > AAA.
b. Click the Authorization tab.
c. Select the domain test.
d. Select the Login AuthZ option, and then select the authorization method Local.
e. Click Apply. A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Verifying the configuration Telnet to the AC and enter the username telnet@test and password abcd. You are serviced as a user in domain test.
Configuring RADIUS The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication, Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks against unauthorized access, and is often used in network environments where both high security and remote user access are required. RADIUS defines the packet format and message transfer mechanism, and uses UDP as the transport layer protocol for encapsulating RADIUS packets.
Configuring a RADIUS scheme
A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers. There might be authentication servers and accounting servers, or primary servers and secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and the RADIUS server type. By default, no RADIUS scheme exists.
To configure a RADIUS scheme:
1. From the navigation tree, select Authentication > RADIUS.
Table 170 Configuration items
Server Type: Select the type of the RADIUS servers supported by the device:
• Standard—Standard RADIUS servers. The RADIUS client and server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
• Extended—Extended RADIUS servers, usually running on IMC. The RADIUS client and server communicate by using the proprietary RADIUS protocol and packet format.
Figure 572 Advanced configuration area
6. Configure the advanced parameters.
Table 171 Configuration items
Authentication Key / Confirm Authentication Key / Accounting Key / Confirm Accounting Key: Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets. The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets. They verify the validity of packets through the specified shared key.
Realtime Accounting Attempts: Set the maximum number of attempts for sending a real-time accounting request.
Unit for Data Flows: Specify the unit for data flows sent to the RADIUS server:
• Byte.
• Kilo-byte.
• Mega-byte.
• Giga-byte.
The traffic measurement units on the device must be the same as the units configured on the RADIUS servers.
Unit for Packets: Specify the unit for data packets sent to the RADIUS server:
• One-packet.
• Kilo-packet.
• Mega-packet.
• Giga-packet.
Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server. The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. If it is, the server processes the packet.
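The two checks described in Table 171 (the shared key, which RFC 2865 uses with MD5 to compute the Response Authenticator the NAS verifies on every reply) and in the item above (the server accepting packets only from the source IP address of a managed NAS) can be shown in a few lines. The following Python script is an added example, not code from this guide, from HP or from IMC: it builds a constructed Access-Request, lets a minimal server-side function apply the source-IP check and sign an Access-Accept, and lets the client-side function verify that signature. Function names, the shared key and the addresses are the example's own.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Iterable, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16), RFC 2865 section 3


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_request(identifier: int, attributes: bytes) -> Tuple[bytes, bytes]:
    """NAS side: build an Access-Request carrying a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attributes))
    return header + request_auth + attributes, request_auth


def sign_response(code: int, identifier: int, request_auth: bytes,
                  attributes: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator and compare it in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attributes = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def server_handle(packet: bytes, source_ip: str, managed_nas: Iterable[str], secret: bytes) -> bytes:
    """Server side: drop packets that do not come from a managed NAS, else sign an Access-Accept.

    A real server would also check the user's credentials; this constructed example
    accepts every well-formed request from a managed NAS so the signature path is visible.
    """
    managed = {ipaddress.ip_address(ip) for ip in managed_nas}
    if ipaddress.ip_address(source_ip) not in managed:
        return b""  # silently discarded: the source IP is not a managed NAS
    if len(packet) < HEADER_LEN:
        return b""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return b""
    request_auth = packet[4:HEADER_LEN]
    reply_attrs = attribute(6, struct.pack("!I", 6))  # Service-Type = Administrative-User
    return sign_response(ACCESS_ACCEPT, identifier, request_auth, reply_attrs, secret)


def demo(secret: bytes = b"constructed-shared-key") -> bool:
    """One full exchange: NAS 192.168.1.1 asks, the server answers, the NAS verifies the reply."""
    request, request_auth = build_request(42, attribute(1, b"hello"))  # User-Name = hello
    reply = server_handle(request, "192.168.1.1", ["192.168.1.1"], secret)
    return verify_response(reply, request_auth, secret)


if __name__ == "__main__":
    print("reply verified:", demo())
```

The source-IP check runs before any cryptography, which is why the page says the server simply does not process packets from an unknown NAS; the Response Authenticator check is what protects the NAS from a forged Access-Accept, and it only works if both sides share the same key, so a key mismatch shows up as a verification failure rather than an explicit error.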
Accounting-On Interval: Set the interval for sending accounting-on packets. This field is configurable only when the Send accounting-on packets option is selected.
Accounting-On Attempts: Set the maximum number of accounting-on packet transmission attempts. This field is configurable only when the Send accounting-on packets option is selected.
Attribute Interpretation: Enable or disable the device to interpret the RADIUS class attribute as CAR parameters.
7.
RADIUS configuration example

Network requirements
As shown in Figure 574, a RADIUS server running on IMC uses UDP port 1812 to provide authentication and authorization services. Configure the AC to do the following:
• Use the RADIUS server for Telnet user authentication and authorization.
• Remove domain names from the usernames sent to the server.
On the RADIUS server, configure a Telnet user account with the username hello@bbb and the password abc, and set the EXEC privilege level to 3 for the user.
The RADIUS scheme configuration page refreshes and the added server appears in the server list, as shown in Figure 576.
f. Click Apply.
Figure 576 RADIUS scheme configuration
2. Create an ISP domain named bbb:
a. From the navigation tree, select Authentication > AAA. The domain setup page appears.
b. Enter bbb in the Domain Name field.
c. Click Apply.
Figure 577 Creating an ISP domain
3. Configure an authentication method for the ISP domain:
a. Click the Authentication tab.
b. Select the domain name bbb.
c. Select the Default AuthN option, and then select the authentication mode RADIUS.
d. From the Name list, select the RADIUS scheme system to use it as the authentication scheme.
e. Click Apply. A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 578 Configuring an authentication method for the ISP domain
4. Configure an authorization method for the ISP domain:
a. Click the Authorization tab.
b. Select the domain name bbb.
c. Select the Default AuthZ option, and then select the authorization mode RADIUS.
d. From the Name list, select the RADIUS scheme system to use it as the authorization scheme.
e. Click Apply. A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 580 Enabling the Telnet service
6. At the CLI, configure the VTY user interfaces to use AAA for user access control.
system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit

Verifying the configuration
Telnet to the AC and enter the username hello@bbb and password abc. You can log in and access commands of level 0 through level 3.
Configuring the local EAP service
In some simple application environments, you may want to use a NAS to authenticate users locally, instead of deploying AAA servers for user authentication. When the Extensible Authentication Protocol (EAP) is used for user authentication, configure the local EAP authentication server to work with the local authentication method of AAA for local EAP authentication. For more information about AAA, see "Configuring AAA."
Configuration procedure
1.
Specify the EAP authentication methods:
• MD5—Uses Message Digest 5 (MD5) for authentication.
• TLS—Uses the Transport Layer Security (TLS) protocol for authentication.
• PEAP-MSCHAPV2—Uses the Protected Extensible Authentication Protocol (PEAP) for authentication and uses the Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) for authentication in the established TLS tunnel.
To use the EAP-TLS authentication method, configure the network properties of the connection and the client certificate correctly on the client. For information about configuring PKI domain test, requesting a local certificate, and retrieving a CA certificate, see "Managing certificates."
Configuration procedure
1. Configure local user usera:
a. From the navigation tree, select Authentication > Users.
b. Click Add.
c. Enter the username usera and password 1234, and select the service type LAN-access.
Figure 584 Configuring a local EAP server
4. Configure the AP:
a. From the navigation tree, select AP > AP Setup.
b. Click Add.
c. Enter the AP name ap1.
d. Select the device model MSM460-WW.
e. Select Manual and enter the serial number in the field below the list.
f. Click Apply.
Figure 585 Configuring the AP
5. Create the wireless service:
a. From the navigation tree, select Wireless Service > Access Service.
b. Click Add.
c. Enter the wireless service name 802.1x-auth.
d.
Figure 586 Creating a wireless service
6. Configure the wireless service:
a. Expand the Security Setup area.
b. Select the authentication type Open-System.
c. Select the Cipher Suite option, and then select a cipher suite from the list as needed. This example uses AES and TKIP.
d. Select WPA and WPA2 as the security IE.
e. Expand the Port Security area.
f. Select the Port Set option, and then select the port mode userlogin-secure-ext.
g.
Figure 587 Wireless service configuration page
7. Enable the wireless service:
a. On the access service list page, select the wireless service named 802.1x-auth.
b. Click Enable. A progress dialog box appears.
c. After the configuration process is complete, click Close.
8. Bind the AP's radio mode with the wireless service:
a. In the wireless service list, click the icon for wireless service 802.1x-auth.
b. Select the AP named ap1 with the radio mode 802.11n(2.4GHz).
c. Click Bind. A progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 589 Binding the radio mode with the wireless service
9. Enable 802.11n (2.4GHz):
a. From the navigation tree, select Radio > Radio.
b. Select the AP named ap1 with the radio mode 802.11n(2.
Verifying the configuration When a client passes EAP authentication to access the wireless network, you can successfully ping the client from the AC.
Configuring users Overview This module allows you to configure local users, user groups, guests, and user profiles. Local user A local user represents a set of user attributes configured on a device (such as the user password, user type, service type, and authorization attribute). It is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry as required in the local user database of the device.
Configuring a local user
1. From the navigation tree, select Authentication > Users. The local user management page appears, displaying information about all local users, including common users, guest administrators, and guests.
NOTE: On the Local User tab, you can modify a guest user, but the user type changes to another one after your modification.
Figure 591 Local user list
2. Click Add. The local user configuration page appears. On this page, you can create a local user of any type except guest.
Figure 592 Local user configuration page
3. Configure a local user as described in Table 174.
4. Click Apply.
Table 174 Configuration items
User-name: Specify a name for the local user.
Password / Confirm: Enter and confirm the password of the local user. IMPORTANT: Make sure the password does not include leading spaces, because they will be ignored.
Password Encryption: Select a password encryption method: Reversible or Irreversible.
Group: Select a user group for the local user.
Level: Select an authorization level for the local user: Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and all levels lower than the specified level (if any).
• Visitor—A user of this level can perform ping and trace route operations but cannot read any data from the device or configure the device.
• Monitor—A user of this level can read data from the device but cannot configure the device.
Figure 593 User group list
3. Click Add to enter the user group configuration page.
Figure 594 User group configuration page
4. Add a user group as described in Table 175.
5. Click Apply.
Table 175 Configuration items
Group-name: Specify a name for the user group.
Level: Select an authorization level for the user group: Visitor, Monitor, Configure, or Management, in ascending order of priority.
Allow Guest Accounts: Specify whether to allow a guest to join the user group. IMPORTANT: By default, the system provides a group named system for guest accounts. The group cannot be modified.

Configuring a guest
Two categories of administrators can configure guests: guest administrators and administrators of the management level. A guest administrator manages guests through the Web interface. For information about the user type and authorization level, see Table 174.
Figure 596 Guest configuration page
4. Configure a single guest or a batch of guests as described in Table 176.
5. Click Apply.
Table 176 Configuration items
Create Users in a Batch: Specify whether to create guests in a batch.
Username: Specify a name for the guest when users are not created in a batch. Specify the username prefix and number for guests to be created in a batch.
Configuring a guest by a guest administrator
1. Log in to the AC as a guest administrator, and then select Authentication > User from the navigation tree. The guest management page appears.
Figure 597 Guest management page
2. Click Add to enter the guest configuration page.
Figure 598 Guest configuration page
3. Configure the guest as described in Table 176.
4. Click Apply.
NOTE: The guest accounts are also displayed in the local user list. You can click the icon of a guest in the list to edit the guest information and authorization attributes.

Configuring a user profile
Configuration guidelines
When you configure a user profile, use the following configuration guidelines:
• By default, a newly added user profile is disabled.
• A user profile takes effect and the authentication server notifies users of authentication results only after the user profile is enabled.
Figure 600 User profile name configuration item
4. Enter the profile name profile.
5. Click Apply. The user profile configuration page appears.
Figure 601 User profile configuration page
6. Configure the profile as described in Table 177.
7. Click Apply.
8. From the page displaying the existing user profiles, select the user profile to be enabled.
9. Click Enable.
Table 177 Configuration items
Userprofile name: This field displays the user profile name.
Qos-out policy: Select a QoS policy in the outbound direction.
Qos-in policy: Select a QoS policy in the inbound direction.
limited-out rate: Specify the rate limit in the outbound direction.
limited-in rate: Specify the rate limit in the inbound direction.
Managing certificates

Overview
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies. It is currently the most widely applied encryption mechanism. H3C's PKI system provides certificate management for IP Security (IPsec) and Secure Sockets Layer (SSL). PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair consists of a private key and a public key.
The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you need to specify CA as the authority for certificate request when you configure the PKI domain.

Configuration procedures
The system supports the following PKI certificate request modes:
• Manual—In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.
4. Retrieving the CA certificate: Required. Certificate retrieval serves the following purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
• Prepare for certificate verification.
IMPORTANT: If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This avoids possible mismatches between certificates and registration information resulting from relevant changes.
Configuration procedure for automatic request
1. Creating a PKI entity: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA uniquely identifies a certificate applicant by entity DN. The parameter settings of an entity DN, optional or required, must comply with the CA certificate issue policy.
Figure 602 PKI entity list
2. Click Add to enter the PKI entity configuration page.
Figure 603 PKI entity configuration page
3. Configure the parameters as described in Table 178.
4. Click Apply.
Table 178 Configuration items
Entity Name: Enter the name for the PKI entity.
Common Name: Enter the common name for the entity.
IP Address: Enter the IP address of the entity.
FQDN: Enter the fully qualified domain name (FQDN) for the entity.
Country/Region Code: Enter the country or region code for the entity.
State: Enter the state or province for the entity.
Locality: Enter the locality for the entity.
Organization: Enter the organization name for the entity.
Organization Unit: Enter the unit name for the entity.

Creating a PKI domain
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Domain tab.
Figure 604 PKI domain list
3.
4. Configure the parameters as described in Table 179.
5. Click Apply.
Table 179 Configuration items
Domain Name: Enter the name for the PKI domain. By default, the device contains a PKI domain named local_domain.
CA Identifier: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query. In offline mode, this item is optional.
Specify the fingerprint used for verifying the CA root certificate. After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.
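The fingerprint check described above is a hash of the DER-encoded root certificate compared with the value configured in the PKI domain. The following Python script is an added example, not code from this guide or from the device: it assumes the fingerprint is an MD5 or SHA-1 digest (chosen by the length of the configured value), accepts the usual colon-separated or upper-case spellings an operator pastes from a CA tool, and, stricter than the page requires, refuses the certificate when no fingerprint is configured at all. The certificate bytes are a constructed stand-in, and the function names are the example's own.

```python
import hashlib
import hmac
import re
from typing import Optional

# Assumption for this example: fingerprints are MD5 (32 hex digits) or SHA-1 (40 hex digits).
FINGERPRINT_ALGORITHMS = {32: "md5", 40: "sha1"}


def normalize_fingerprint(fingerprint: str) -> str:
    """Lowercase hex with separators removed, so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fingerprint).lower()


def certificate_fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Hash of the DER-encoded certificate content, as printed by most CA tools."""
    return hashlib.new(algorithm, cert_der).hexdigest()


def accept_root_certificate(cert_der: bytes, configured_fingerprint: Optional[str]) -> bool:
    """Mirror the PKI domain check: accept the root certificate only if its fingerprint matches.

    Returns False when no fingerprint is configured, when the configured value has an
    unrecognised length, or when the computed hash differs (compared in constant time).
    """
    if not configured_fingerprint:
        return False
    expected = normalize_fingerprint(configured_fingerprint)
    algorithm = FINGERPRINT_ALGORITHMS.get(len(expected))
    if algorithm is None:
        return False
    actual = certificate_fingerprint(cert_der, algorithm)
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the DER bytes of a CA root certificate (not a real certificate).
SAMPLE_ROOT_DER = b"constructed stand-in for a DER-encoded CA root certificate"

if __name__ == "__main__":
    configured = certificate_fingerprint(SAMPLE_ROOT_DER, "sha1")
    print("fingerprint:", configured)
    print("accepted:", accept_root_certificate(SAMPLE_ROOT_DER, configured.upper()))
    print("tampered accepted:", accept_root_certificate(SAMPLE_ROOT_DER + b"x", configured))
```

The value to configure in the PKI domain should come from the CA operator over a channel other than the one the certificate arrives on; the check adds nothing if the fingerprint and the certificate are fetched from the same untrusted place.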
Figure 606 Certificate configuration page
3. Click Create Key to enter the RSA key pair parameter configuration page.
Figure 607 Key pair parameter configuration page
4. Set the key length.
5. Click Apply.

Destroying the RSA key pair
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Destroy Key to enter the RSA key pair destruction page.
4. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
Figure 608 Key pair destruction page

Retrieving and displaying a certificate
You can download an existing CA certificate or local certificate from the CA server and save it locally. To do so, you can use offline mode or online mode. In offline mode, you retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import it into the local PKI system. The retrieved CA certificate and local certificate are saved as files named domain-name_ca.cer and domain-name_local.
Enable Offline Mode: Select this option to retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import the certificate into the local PKI system.
Get File From Device / Get File From PC: Specify the path and name of the certificate file if you retrieve the certificate in offline mode.
• If the certificate file is saved on the device, select Get File From Device, and then specify the path of the file on the device.
Requesting a local certificate
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Request Cert to enter the local certificate request page.
Figure 611 Local certificate request page
4. Configure the parameters as described in Table 181.
Table 181 Configuration items
Domain Name: Select the PKI domain for the certificate. By default, the list displays the default PKI domain local_domain.
Retrieving and displaying a CRL
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the CRL tab.
Figure 613 CRL page
3. Click Retrieve CRL to retrieve the CRL of a domain.
4. Click View CRL for the domain to display the contents of the CRL.
• The AC acquires CRLs for certificate verification.
Figure 615 Network diagram

Configuring the CA server
1. Create a CA server named myca. In this example, you must first configure the basic attributes of Nickname and Subject DN on the CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C). Leave the default values of the other attributes.
2.
Figure 616 Configuring a PKI entity
2. Create a PKI domain.
a. Click the Domain tab.
b. Click Add.
c. Enter torsa as the PKI domain name.
d. Enter myca as the CA identifier.
e. Select aaa as the local entity.
f. Select CA as the authority for certificate request.
g. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request.
Figure 617 Configuring a PKI domain
3. Generate an RSA key pair.
a. Click the Certificate tab.
b. Click Create Key to enter the page.
c. Enter 1024 for the key length.
d. Click Apply to generate an RSA key pair.
Figure 618 Generating an RSA key pair
4. Retrieve the CA certificate.
a. Click the Certificate tab.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain.
d. Select CA as the certificate type.
e. Click Apply.
Figure 619 Retrieving the CA certificate
5. Request a local certificate.
a. Click the Certificate tab.
b. Click Request Cert.
c. Select torsa for the PKI domain.
d. Select Password, and then enter challenge-word as the password.
e. Click Apply.
Figure 620 Requesting a local certificate
6. Retrieve the CRL.
a. Click the CRL tab.
b. Click Retrieve CRL for the PKI domain torsa.
Figure 621 Retrieving the CRL

Verifying the configuration
After the configuration, you can select Certificate Management > Certificate from the navigation tree to view detailed information about the retrieved CA certificate and local certificate, or select Certificate Management > CRL from the navigation tree to view detailed information about the retrieved CRL.
Configuring WLAN security WLAN security overview 802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise security. To ensure security, the wireless intrusion detection system (WIDS) is introduced.
Figure 622 Monitor AP for rogue detection • Hybrid mode—An AP can both scan devices in the WLAN and provide WLAN data services. Figure 623 Hybrid AP for rogue detection Taking countermeasures against rogue device attacks You can enable the countermeasures on a monitor AP. The monitor AP downloads an attack list from the AC according to the countermeasure mode, and takes countermeasures against detected rogue devices.
Figure 624 Taking countermeasures against rogue devices WIDS attack detection The WIDS attack detection function detects intrusions or attacks on a WLAN network, and informs the network administrator of the attacks by recording information or sending logs.
A spoofed de-authentication frame can cause a client to get de-authenticated from the network and can affect the normal operation of the WLAN. At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged. Detection is logging only: it does not stop a client from acting on the spoofed frame, so use the logs to locate the attacker rather than expecting the frame to be blocked.
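The rule described above, applied to raw 802.11 management frames, as an added example (this is not code from the HP guide or the AC firmware). It parses the 24-byte MAC header, and flags a de-authentication or disassociation frame whose receiver address is the broadcast address and whose transmitter address is the BSSID of one of our APs. The managed-BSSID set, the MAC addresses and the frames themselves are constructed for the example.

```python
"""Detecting spoofed broadcast de-authentication and disassociation frames.

Added example; not code from the HP guide or the AC firmware.  It parses
raw 802.11 management frames (constructed below) and applies the rule in
the text: a de-authentication or disassociation frame addressed to the
broadcast address and carrying the BSSID of one of our APs as its
transmitter is treated as spoofed and logged.  The set of managed BSSIDs
is an assumed input (the AC knows its own APs).
"""
import struct
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
TYPE_MGMT = 0          # frame control type value for management frames
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def parse_header(frame: bytes) -> dict:
    """Parse the 24-byte 802.11 MAC header: frame control, duration, addr1..3, sequence."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, _fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_str(frame[4:10]),    # receiver address
        "addr2": mac_str(frame[10:16]),   # transmitter address (the AP for these frames)
        "addr3": mac_str(frame[16:22]),   # BSSID
        "body": frame[24:],
    }


def build_mgmt_frame(subtype: int, da: str, sa: str, bssid: str, reason: int = 1) -> bytes:
    """Construct a management frame with a 2-byte reason code body (test input only)."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)
    header = (struct.pack("<BBH", fc0, 0, 0) + mac_bytes(da) + mac_bytes(sa)
              + mac_bytes(bssid) + struct.pack("<H", 0))
    return header + struct.pack("<H", reason)


def detect_spoofed_frame(frame: bytes, managed_bssids: set) -> Optional[str]:
    """Return a log line if the frame is a spoofed broadcast deauth/disassoc, else None."""
    hdr = parse_header(frame)
    if hdr["type"] != TYPE_MGMT or hdr["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    if hdr["addr1"] != BROADCAST:
        return None          # unicast deauth/disassoc is outside the rule in the text
    if hdr["addr2"] not in managed_bssids:
        return None          # not claiming to come from one of our APs
    kind = "deauth" if hdr["subtype"] == SUBTYPE_DEAUTH else "disassoc"
    reason = struct.unpack_from("<H", hdr["body"], 0)[0] if len(hdr["body"]) >= 2 else None
    return f"WIDS spoofing attack: broadcast {kind} claiming AP {hdr['addr2']} (reason code {reason})"


if __name__ == "__main__":
    ap = "00:0f:e2:aa:bb:cc"                      # constructed BSSID of a managed AP
    for f in (build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, reason=7),
              build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap),
              build_mgmt_frame(SUBTYPE_DEAUTH, "00:0f:e2:15:15:15", ap, ap)):
        print(detect_spoofed_frame(f, {ap}))
```

A unicast de-authentication frame aimed at one client passes this check, exactly as the text says the current detection does; it is a gap in coverage to keep in mind when reading the WIDS logs.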
Figure 625 Network diagram for WLAN client access control • In the topology above, three APs are connected to an AC. Configure whitelist and static blacklist entries on the AC, which will send all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the whitelist, it can access any of the APs, and other clients cannot access any of the APs. • Enable dynamic blacklist function on the AC.
Figure 626 AP monitor configuration 2. On the AP Monitor tab, select the AP to be configured and click the icon. Figure 627 AP operating mode configuration 3. Configure the AP operating mode as described in Table 182. An AP operating in hybrid mode can provide WLAN data services as well as scanning devices in the WLAN, so WLAN service configurations are needed. An AP operating in monitor mode cannot provide WLAN data services, so WLAN service configurations are not needed.
4. Click Apply. Configuring detection rules Configuring detection rules is to configure rogue device classification rules. An AC classifies devices as rogues and friends based on the configured classification rules. • Identify whether an AP is a rogue. Figure 628 Identifying whether an AP is a rogue • Identify whether a client is a rogue.
Figure 629 Identifying whether a client is a rogue. The decision flow in Figure 629 is: if the client is in the static attack list, it is an illegal client (rogue). Otherwise (not in the list, or no list is configured), if a permitted MAC address list is configured and the client is in it, it is a legal client (friend). Otherwise (not in the list, or no list is configured), the AC checks whether the AP (BSSID) the client is associated with is legal: if it is, the client is a legal client (friend); if it is not, the client is an illegal client (rogue). • Identify whether an ad hoc network or a wireless bridge is a rogue.
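The classification flow above, written out as code, as an added example (not the AC's implementation). It follows the client decision flow of Figure 629 and the permitted-list types of the rule list (MAC, Wireless Service/SSID, Vendor), and returns the two-letter type code used in the monitor record later in this chapter. Where the page gives no rule the choice is an assumption and is marked in the code: an AP the AC itself manages is treated as legal, the Vendor list is matched on the OUI (first three octets), and ad hoc devices and wireless bridges are always rogues, as the monitor record section states. All MAC addresses are constructed.

```python
"""Rogue classification rules (added example; not the AC's implementation).

Walks the decision flow drawn for clients (static attack list, then the
permitted MAC list, then the legality of the associated AP) and applies
the rule-list checks (MAC, SSID, vendor OUI) to APs.  Assumptions: an
AP managed by this AC is legal; vendor matching is by OUI; ad hoc
devices and wireless bridges are always rogues.  Type codes follow the
monitor record convention: r/p for rogue/permitted, then a/w/b/c.
"""
from dataclasses import dataclass, field


def norm(mac: str) -> str:
    """Accept 000f-e215-1515, 00:0f:e2:15:15:15 or 000fe2151515; return 12 hex digits."""
    return mac.lower().replace("-", "").replace(":", "").replace(".", "")


@dataclass
class DetectionRules:
    attack_list: set = field(default_factory=set)        # static attack list (MACs)
    permitted_macs: set = field(default_factory=set)     # rule list type MAC
    permitted_ssids: set = field(default_factory=set)    # rule list type Wireless Service
    permitted_ouis: set = field(default_factory=set)     # rule list type Vendor, as OUIs
    managed_bssids: set = field(default_factory=set)     # APs controlled by this AC (assumption)

    def __post_init__(self):
        self.attack_list = {norm(m) for m in self.attack_list}
        self.permitted_macs = {norm(m) for m in self.permitted_macs}
        self.permitted_ouis = {norm(o)[:6] for o in self.permitted_ouis}
        self.managed_bssids = {norm(m) for m in self.managed_bssids}


def classify_ap(bssid: str, ssid: str, rules: DetectionRules) -> str:
    """Return 'friend' or 'rogue' for an AP seen with the given BSSID and SSID."""
    b = norm(bssid)
    if b in rules.attack_list:
        return "rogue"
    if b in rules.managed_bssids or b in rules.permitted_macs:
        return "friend"
    if ssid in rules.permitted_ssids or b[:6] in rules.permitted_ouis:
        return "friend"
    return "rogue"


def classify_client(mac: str, bssid: str, ssid: str, rules: DetectionRules) -> str:
    """Figure 629: attack list -> permitted MAC list -> legality of the associated AP."""
    m = norm(mac)
    if m in rules.attack_list:
        return "rogue"
    if rules.permitted_macs and m in rules.permitted_macs:
        return "friend"
    # No permitted list, or the client is not on it: follow the AP it is associated with.
    return classify_ap(bssid, ssid, rules)


KIND_CODE = {"ap": "w", "client": "c", "adhoc": "a", "bridge": "b"}


def record_type(kind: str, verdict: str) -> str:
    """Two-letter code as shown in the monitor record, for example pw or rb."""
    return ("p" if verdict == "friend" else "r") + KIND_CODE[kind]


def classify(device: dict, rules: DetectionRules) -> str:
    """device: {'kind': ..., 'mac': ..., 'bssid': ..., 'ssid': ...}; returns the type code."""
    kind = device["kind"]
    if kind in ("adhoc", "bridge"):
        verdict = "rogue"                       # always rogue, as the monitor record notes say
    elif kind == "ap":
        verdict = classify_ap(device["mac"], device.get("ssid", ""), rules)
    else:
        verdict = classify_client(device["mac"], device["bssid"], device.get("ssid", ""), rules)
    return record_type(kind, verdict)


# Constructed scenario modelled on the rogue detection example later in this chapter.
RULES = DetectionRules(
    attack_list={"000f-e220-405e"},
    permitted_macs={"000f-e215-1515", "000f-e215-1530", "000f-e213-1235"},
    managed_bssids={"000f-e2aa-bbcc"},
)
```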
Configuring detection rule lists 1. Select Security > Rogue Detection from the navigation tree. 2. Click the Rule List tab. Figure 631 Configuring a rule list 3. Configure the rule list as described in Table 183. Table 183 Configuration items
List Type: select the type of list to configure.
• MAC—Add MAC addresses to be permitted after selecting this option.
• Wireless Service—Add SSIDs to be permitted after selecting this option.
• Vendor—Specify vendors to be permitted after selecting this option.
4.
Figure 632 Configuring a MAC address list 5. Configure the MAC address list as described in Table 184. Table 184 Configuration items
• MAC: Enter the permitted MAC address in the box.
• Select the existent devices: If you select this option, the MAC address table displays MAC addresses of the current devices. Select the MAC addresses to be permitted.
6. Click Apply.
Figure 633 Common configuration 3. Perform common configuration as described in Table 185. Table 185 Configuration items
Countermeasures Setting: Configure the AP to take countermeasures against rogue devices while providing wireless services.
• Interval—The interval at which the AP takes countermeasures.
• Max Device Number—The maximum number of rogue devices that the AP can take countermeasures against.
Figure 634 Monitor record Table 186 Field description
Type: a two-letter code; the first letter gives the classification and the second the kind of device.
• r—Rogue device.
• p—Permitted device.
• a—Ad hoc device.
• w—AP.
• b—Wireless bridge.
• c—Client.
For example, pw represents a permitted AP while rb represents a rogue wireless bridge. The device considers all ad hoc devices and wireless bridges as rogue devices. Displaying history record 1. Select Security > Rogue Detection from the navigation tree. 2. Click the History Record tab.
Figure 635 History record page Configuring WIDS Configuring WIDS 1. Select Security > WIDS from the navigation tree. Figure 636 Configuring WIDS 2. On the WIDS Setup tab, configure WIDS as described in Table 187. Table 187 Configuration items
• Flood Attack Detect: If you select the option, flood attack detection is enabled. It is disabled by default.
• Spoofing Attack Detect: If you select the option, spoofing attack detection is enabled. It is disabled by default.
3.
Figure 637 Displaying history information Displaying statistics information 1. Select Security > WIDS from the navigation tree. 2. Click the Statistics tab.
Configuring the blacklist and whitelist functions A static blacklist or whitelist configured on an AC applies to all APs connected to the AC, while a dynamic blacklist applies to APs that receive attack frames. For more information, see "Blacklist and whitelist." Configuring dynamic blacklist 1. Select Security > Filter from the navigation tree. Figure 639 Configuring a dynamic blacklist 2. On the Blacklist tab, configure the dynamic blacklist as described in Table 188. Table 188 Configuration items 3.
2. On the Blacklist tab, click Static. Figure 640 Configuring a static blacklist 3. Click Add Static. Figure 641 Adding static blacklist 4. Add a static blacklist as described in Table 189. Table 189 Configuration items
• MAC Address: Select MAC Address, and then add a MAC address to the static blacklist.
• Select from Connected Clients: If you select the option, the table below lists the current existing clients.
5.
Configuring whitelist 1. Select Security > Filter from the navigation tree. 2. Click the Whitelist tab. Figure 642 Configuring a whitelist 3. Click Add. Figure 643 Adding a whitelist 4. Add a whitelist as described in Table 190. Table 190 Configuration items
• MAC Address: Select MAC Address, and then add a MAC address to the whitelist.
• Select from Connected Clients: If you select the option, the table below this option lists the current existing clients.
5. Click Apply. Rogue detection configuration example Network requirements As shown in Figure 644, a monitor AP (AP 2 with serial ID SZ001) and AP 1 (serial ID SZ002) are connected to an AC through a Layer 2 switch. • AP 1 operates in normal mode and provides WLAN data services only. • AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN. • Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3 (MAC address 000f-e213-1235) are connected to AP 1.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select Manual, and enter the serial ID of AP 2. d. Click Apply. Figure 645 AP configuration e. Select Security > Rogue Detection from the navigation tree. f. On the AP Monitor tab, click the icon for the target AP. g. Select the operating mode Monitor. h. Click Apply. Figure 646 AP operating mode configuration 3. Enable the 802.11n(2.4GHz) radio mode: a. Select Radio > Radio from the navigation tree. b.
Figure 647 Radio configuration 4. Configure rogue detection rules: a. Select Security > Rogue Detection from the navigation tree. b. Click the Rule List tab and click Add. c. On the page that appears, enter 000f-e215-1515, 000f-e215-1530, and 000f-e213-1235 in the MAC Address field, and then click Apply.
d. Select Attacker, and click Add. Enter 000f-e220-405e in the MAC Address field and click Apply. Figure 649 Adding MAC addresses to the attacker list 5. Enable countermeasures against the static rogue device: a. Select Security > Rogue Detection from the navigation tree. b. Click the AP Monitor tab, and click Common Set. c. Select Static Rogue Device. This is because the MAC address of Client 4 is added manually to the attacker list. d. Click Apply.
Figure 650 Common configuration
Configuring user isolation User isolation overview Without user isolation, all the devices in the same VLAN can access each other directly, so any compromised or malicious client can reach every other client in the VLAN at Layer 2. User isolation can solve this problem. • When an AC configured with user isolation receives unicast packets, broadcast packets or multicast packets from a wireless client to another wireless client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.
Figure 651 User communication After user isolation is enabled As shown in Figure 651, user isolation is enabled on the AC. The client, the server and the host in VLAN 2 access the Internet through the gateway. • If you add the MAC address of the gateway to the permitted MAC address list, the client, the server and the host in the same VLAN are isolated, but they can access the Internet.
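The forwarding decision described above, as an added example (not the AC's code). With isolation enabled in the VLAN, a frame between two members is delivered only if the sender or the receiver is on the permitted MAC address list; with the gateway on that list, the client, server and host cannot reach each other but all reach the Internet. The VLAN membership and MAC addresses below are constructed; the rule that frames from a permitted device reach every member is this example's reading of the text.

```python
"""User isolation forwarding decision (added example, not the AC's code).

A frame between two members of an isolated VLAN is forwarded only if the
sender or the receiver is on the permitted MAC address list.  Addresses
and VLAN membership are constructed.
"""


def norm(mac: str) -> str:
    """Accept 000f-e212-7788, 00:0f:e2:12:77:88 or 000fe2127788; return 12 hex digits."""
    return mac.lower().replace("-", "").replace(":", "").replace(".", "")


def is_group(mac: str) -> bool:
    """Broadcast or multicast: the low bit of the first octet is set."""
    return int(norm(mac)[:2], 16) & 1 == 1


def deliver(src: str, dst: str, vlan_members: set, permitted: set, isolation: bool = True) -> set:
    """Return the set of VLAN members (normalized MACs) that receive the frame."""
    members = {norm(m) for m in vlan_members} - {norm(src)}
    allowed = {norm(m) for m in permitted}
    if is_group(dst):
        targets = members                  # broadcast/multicast goes to every other member
    else:
        targets = {norm(dst)} & members    # unicast goes to the one destination, if present
    if not isolation:
        return targets
    if norm(src) in allowed:
        return targets                     # frames from a permitted device (the gateway) pass
    return {m for m in targets if m in allowed}   # otherwise only permitted receivers


VLAN2 = {"000f-e212-7788", "000f-e215-1515", "000f-e215-1530", "000f-e213-1235"}  # constructed
GATEWAY = "000f-e212-7788"


def example() -> dict:
    """Scenario of Figure 651: gateway permitted, three isolated devices in VLAN 2."""
    client, server = "000f-e215-1515", "000f-e215-1530"
    return {
        "client->server": deliver(client, server, VLAN2, {GATEWAY}),
        "client->gateway": deliver(client, GATEWAY, VLAN2, {GATEWAY}),
        "client broadcast": deliver(client, "ffff-ffff-ffff", VLAN2, {GATEWAY}),
        "gateway broadcast": deliver(GATEWAY, "ffff-ffff-ffff", VLAN2, {GATEWAY}),
        "no isolation": deliver(client, server, VLAN2, {GATEWAY}, isolation=False),
    }
```

Note that the gateway's own broadcasts (ARP requests, for instance) still reach every member, which is what lets the isolated devices keep a working default route.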
Figure 652 Configuring user isolation 3. Configure user isolation as described in Table 191. Table 191 Configuration items
• VLAN ID: Specify the VLAN in which user isolation is enabled.
• AccessMAC: Specify the MAC addresses to be permitted by the AC. For more information, see "After user isolation is enabled." Enter a MAC address in the field next to the Add button, and click Add to add the MAC address to the permitted MAC list.
Figure 653 Displaying user isolation summary User isolation configuration example Network requirements As shown in Figure 654, isolate Client A, Client B, and Host A in VLAN 2 from one another while allowing them to access the Internet. The MAC address of the gateway is 000f-e212-7788. Figure 654 Network diagram Configuration procedure 1. Configure wireless service: For information about how to configure wireless service, see "Configuring access services."
2. Configure user isolation: a. Select Security > User Isolation from the navigation tree. b. Click Add. c. On the page that appears, enter the VLAN ID 2, add MAC address 000f-e212-7788 to the permitted MAC address list, and click Apply.
Configuring authorized IP The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only clients that pass the ACL filtering can access the device. Because HTTP and Telnet carry credentials in clear text, the ACL limits which hosts can reach these services but does not protect the login itself. Before configuring authorized IP, you must create and configure the ACL. For ACL configuration, see "Configuring QoS." 1. Select Security > Authorized IP from the navigation tree. 2. Click the Setup tab. Figure 656 Configuring authorized IP 3. Configure authorized IP as described in Table 192.
Configuring session management This function is used to verify packets through transport layer protocols. The session management feature tracks the status of connections by inspecting the transport layer protocol (TCP or UDP) information, and performs unified status maintenance and management for all connections. Basic session management settings include: • Configuring whether to enable unidirectional traffic detection.
Figure 657 Session configuration 2. Configure basic settings as described in Table 193.
Table 193 Configuration items
• Enable unidirectional traffic detection: Enable or disable unidirectional traffic detection. When it is enabled, the session management feature processes both unidirectional and bidirectional traffic. When it is disabled, the session management feature processes only bidirectional traffic.
• Configure the persistent session rule according to the ID of an ACL.
Displaying session table information 1. Select Security > Session Table from the navigation tree, and click the Session Summary tab. The session table appears. Figure 658 Session table Table 194 Field description
• Init Src IP: Source IP address and port number of packets from the session initiator.
• Init Dest IP: Destination IP address and port number of packets from the session initiator.
2.
Table 195 Field description
• Protocol: Transport layer protocol, which can be TCP, UDP, ICMP, or RAWIP.
• State: Session status, one of Accelerate, SYN, TCP-EST, FIN, UDP-OPEN, UDP-READY, ICMP-OPEN, ICMP-CLOSED, RAWIP-OPEN, or RAWIP-READY.
• TTL: Remaining lifetime of the session.
• Initiator: VD / ZONE / VPN / IP / PORT: Initiator's virtual device/security zone/VPN instance/IP address/port number.
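The session tracking that produces the Session Summary rows above, as an added example (not the device's implementation). It keys sessions on the initiator's 5-tuple, moves entries through the states of Table 195, ages them by a per-state lifetime and renders the summary fields. The aging times are constructed, the Accelerate state is not modelled, a TCP session moves to TCP-EST on the first reply and to FIN on any FIN, and the handling of disabled unidirectional traffic detection (initiator-only sessions are kept internally but not reported) is this example's reading of "processes only the bidirectional traffic".

```python
"""Session tracking as described in the session management section.

Added example, not the device's implementation.  Assumptions: aging
times are constructed; Accelerate is not modelled; TCP reaches TCP-EST
on the first reply and FIN on any FIN; with unidirectional traffic
detection disabled, initiator-only sessions are held but not reported.
"""
from dataclasses import dataclass
from typing import Optional

AGING = {  # constructed per-state lifetimes in seconds
    "SYN": 30, "TCP-EST": 3600, "FIN": 30,
    "UDP-OPEN": 30, "UDP-READY": 60,
    "ICMP-OPEN": 30, "ICMP-CLOSED": 10,
    "RAWIP-OPEN": 30, "RAWIP-READY": 60,
}
INITIAL = {"TCP": "SYN", "UDP": "UDP-OPEN", "ICMP": "ICMP-OPEN", "RAWIP": "RAWIP-OPEN"}
ON_REPLY = {"SYN": "TCP-EST", "UDP-OPEN": "UDP-READY",
            "ICMP-OPEN": "ICMP-CLOSED", "RAWIP-OPEN": "RAWIP-READY"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # TCP, UDP, ICMP or RAWIP
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN"}


@dataclass
class Session:
    init_src: tuple
    init_dst: tuple
    proto: str
    state: str
    expires: float
    bidirectional: bool = False


class SessionTable:
    def __init__(self, unidirectional_detection: bool = True):
        self.unidirectional_detection = unidirectional_detection
        self.sessions: dict = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, s in self.sessions.items() if s.expires <= now]:
            del self.sessions[key]

    def observe(self, pkt: Packet, now: float) -> Optional[str]:
        """Update the table with one packet; return the session's new state, or None."""
        self._expire(now)
        fwd = (pkt.proto, (pkt.src, pkt.sport), (pkt.dst, pkt.dport))
        rev = (pkt.proto, (pkt.dst, pkt.dport), (pkt.src, pkt.sport))
        if rev in self.sessions:                      # reply from the responder
            s = self.sessions[rev]
            s.bidirectional = True
            s.state = ON_REPLY.get(s.state, s.state)
        elif fwd in self.sessions:                    # more traffic from the initiator
            s = self.sessions[fwd]
        else:                                         # first packet of a new session
            if pkt.proto == "TCP" and ("SYN" not in pkt.flags or "ACK" in pkt.flags):
                return None                           # a TCP session starts only with a SYN
            s = self.sessions[fwd] = Session((pkt.src, pkt.sport), (pkt.dst, pkt.dport),
                                             pkt.proto, INITIAL[pkt.proto], now)
        if pkt.proto == "TCP" and "FIN" in pkt.flags:
            s.state = "FIN"
        s.expires = now + AGING[s.state]              # refresh the lifetime for the new state
        return s.state

    def summary(self, now: float) -> list:
        """Rows as in the Session Summary: init src, init dst, protocol, state, TTL."""
        self._expire(now)
        rows = []
        for s in self.sessions.values():
            if not self.unidirectional_detection and not s.bidirectional:
                continue
            rows.append((f"{s.init_src[0]}:{s.init_src[1]}", f"{s.init_dst[0]}:{s.init_dst[1]}",
                         s.proto, s.state, int(s.expires - now)))
        return rows
```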
Configuring ACL and QoS ACL overview An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are primarily used for packet filtering. You can use ACLs in QoS, security, and other feature modules for identifying traffic. The packet drop or forwarding decision varies with the module that uses the ACL. ACLs include the following categories.
delivers packets to their destinations as best it can, without any guarantee for such issues as delay, jitter, packet loss ratio, and reliability. This service policy is only suitable for applications insensitive to bandwidth and delay, such as WWW, file transfer and email. New requirements from new applications The Internet has been growing along with the fast development of networking technologies.
When you configure queuing for a traffic behavior: • In a policy, the total bandwidth assigned to the AF and EF classes cannot be greater than the available bandwidth of the interface to which the policy applies. The total bandwidth percentage assigned to the AF and EF classes cannot be greater than 100%. In the same policy, the same bandwidth unit must be used to configure bandwidth for AF classes and EF classes, either absolute bandwidth value or percent.
Recommended Ethernet frame header ACL configuration procedure Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type. To configure an Ethernet frame header ACL: 1. Adding a time range (optional). 2. Add an Ethernet frame header ACL. 3.
Recommended IPv6 advanced ACL configuration procedure IPv6 advanced ACLs match packets based on the source IPv6 addresses, destination IPv6 addresses, packet priorities, protocols carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message code. Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering. To configure an IPv6 advanced ACL: 1. Adding a time range (optional).
Figure 660 Adding a time range 3. Configure the time range information, as described in Table 196. 4. Click Apply. Table 196 Configuration items Item Description Time Range Name Set the name for the time range. • Start Time—Set the start time of the periodic time range. • End Time—Set the end time of the periodic time range. The end time must be later than the start time.
Adding an ACL 1. Select QoS > ACL IPv4 from the navigation tree. 2. Click the Add tab to enter the ACL adding page, as shown in Figure 661. Figure 661 Adding an ACL 3. Configure the ACL information, as described in Table 197. 4. Click Apply. Table 197 Configuration items
ACL Number: Set the number of the ACL.
• WLAN-AP ACL—200 to 299.
• IPv4 basic ACL—2000 to 2999.
• IPv4 advanced ACL—3000 to 3999.
• Ethernet frame header ACL—4000 to 4999.
Configuring a rule for an IPv4 basic ACL 1. Select QoS > ACL IPv4 from the navigation tree. 2. Click the Basic Setup tab. Figure 662 Configuring an IPv4 basic ACL 3. Configure an IPv4 basic ACL, as described in Table 198. 4. Click Add. Table 198 Configuration items Item ACL Description Select the IPv4 basic ACL for which you want to configure rules. Available ACLs are IPv4 basic ACLs. Select the Rule ID option and enter a number for the rule.
Item Description Select this option to keep a log of matched IPv4 packets. Check Logging A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets. NOTE: Do not select this option for an AC, because an AC does not support logging.
Figure 663 Configuring an IPv4 advanced ACL 3. Configure an IPv4 advanced ACL rule, as described in Table 199. 4. Click Add.
Table 199 Configuration items
• ACL: Select the IPv4 advanced ACL for which you want to configure rules. Available ACLs are IPv4 advanced ACLs.
• Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
• TCP Connection Established: Select this option to make the rule match only packets of TCP connections that are already established, that is, TCP segments with the ACK or RST flag set, not the initial SYN. This item is available only when you select 6 TCP from the Protocol list.
• Source Port and TCP/UDP Port (Operation, Port): Select the operations, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list.
Figure 664 Configuring a rule for an Ethernet frame header ACL 3. Configure an Ethernet frame header ACL rule, as described in Table 200. 4. Click Add. Table 200 Configuration items Item ACL Description Select the Ethernet frame header ACL for which you want to configure rules. Available ACLs are Ethernet frame header ACLs. Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
MAC Address Filter:
• Source MAC Address and Source Mask: Select the Source MAC Address option and enter a source MAC address and wildcard.
• Destination MAC Address and Destination Mask: Select the Destination MAC Address option and enter a destination MAC address and wildcard.
• COS (802.1p priority): Specify the 802.1p priority for the rule.
• LSAP Type.
4. Click Add. Table 201 Configuration items Item Description ACL Select the WLAN-AP ACL for which you want to configure rules. Specify an ID for the rule. Rule ID If you do not specify the rule ID, the system will assign one automatically. If the rule ID you specify already exists, the following operations modify the configuration of the rule. Select the action to be performed for APs matching the rule: Action MAC address MAC Mask Serial ID • Permit—Allows matched APs. • Deny—Drops matched APs.
Table 202 Configuration items
• ACL Number: Enter a number for the IPv6 ACL. IPv6 basic ACL—2000 to 2999. IPv6 advanced ACL—3000 to 3999. For an IPv6 basic or advanced ACL, the ACL number and name must be unique among IPv6 ACLs.
• Match Order: Select a match order for the ACL. Config—Packets are compared against ACL rules in the order the rules are configured. Auto—Packets are compared against ACL rules in the depth-first match order.
• Description: Set the description for the ACL.
Table 203 Configuration items Item Description Select Access Control List (ACL) Select the IPv6 basic ACL for which you want to configure rules. Available ACLs are IPv6 basic ACLs. Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. Rule ID IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Figure 668 Configuring a rule for an IPv6 advanced ACL 3. Configure the IPv6 advanced ACL rule information, as described in Table 204. 4. Click Add. Table 204 Configuration items Item Description Select Access Control List (ACL) Select the IPv6 advanced ACL for which you want to configure rules. Available ACLs are IPv6 advanced ACLs. Select the Rule ID option and enter a number for the rule. Rule ID If you do not specify the rule number, the system assigns one automatically.
Item Description Select the operation to be performed for IPv6 packets matching the rule: Operation • Permit—Allows matched packets to pass. • Deny—Drops matched packets. Select this option to apply the rule to only non-first fragments. Check Fragment If you do not select this option, the rule applies to all fragments and non-fragments. NOTE: Do not select this option for an AC, because an AC does not support fragmentation. Select this option to keep a log of matched IPv6 packets.
• Source Port and TCP/UDP Port (Operator, Port, To Port): Select the operators, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list. Different operators have different configuration requirements for the port number fields: Not Check—The following port number fields cannot be configured.
Figure 669 Configuring rate limit on a port 3. Configure rate limit, as described in Table 205. 4. Click Apply. Table 205 Configuration items
• Please select an interface type: Select the types of interfaces to be configured with rate limit. The interface types available for selection depend on your device model.
• Rate Limit: Select Enable or Disable to enable or disable rate limit on the specified port.
Configuring the priority trust mode of a port Priority mapping overview When a packet enters a device, the device assigns a set of QoS priority parameters to the packet based on a certain priority field carried in the packet and sometimes might modify its priority, according to certain rules depending on device status. This process is called "priority mapping". The set of QoS priority parameters decides the scheduling priority and forwarding priority of the packet.
Figure 670 Configuring priority trust mode 2. Configure the priority trust mode of the interfaces, as described in Table 206. 3. Click Apply. Table 206 Configuration items
• Please select the interface type: Select the type of the ports to be configured. The interface types available for selection depend on your device model. IMPORTANT: If a WLAN-ESS interface in use has WLAN-DBSS interfaces created on it, its priority cannot be modified.
Item Description Select the priority trust mode: • Dot1p—Uses the 802.1p priority of received packets for mapping. • Dscp—Uses the DSCP value of received packets for mapping. • Dot11e—Uses the 802.11e priority of received packets for mapping. This Trust Mode option is applicable to only WLAN-ESS interfaces. IMPORTANT: Support for priority trust modes depends on the interface type. The supported priority trust modes are shown in the Trust Mode list. Specify the ports to be configured.
Item Remarks Set the local precedence value for the port. Priority Local precedence is allocated by the device and has only local significance. A local precedence value corresponds to an output queue. A packet with higher local precedence is assigned to a higher priority output queue to be preferentially scheduled. Set the priority trust mode of the port: • Untrust—Uses the port priority rather than a packet priority value for priority mapping. Trust Mode • Dot1p—Uses the 802.
QoS policy configuration procedure
1. Adding a class: Required. Add a class and specify the operation of the class.
2. Configuring traffic classification rules: Required. Configure match criteria for the class.
3. Adding a traffic behavior: Required. Add a traffic behavior.
4. Configuring actions for a traffic behavior: Configure various actions for the traffic behavior. Use either method.
5. Adding a policy: Required. Add a policy.
6. Required.
Figure 673 Adding a class 3. Configure the class information, as described in Table 208. 4. Click Add. Table 208 Configuration items Item Description Classifier Name Specify a name for the classifier to be added. Specify the logical relationship between rules of the classifier: • And—Specifies the relationship between the rules in a class as logic AND. The device considers a packet belongs to a class only when the packet matches all the rules in the class.
Figure 674 Configuring classification rules 3. Configure classification rules, as described in Table 209. 4. Click Apply. A progress dialog box appears. 5. Click Close on the progress dialog box when it prompts that the configuration succeeds.
Table 209 Configuration items Item Description Please select a classifier Select an existing classifier in the list. Define a rule to match all packets. Any Select the option to match all packets. Define a rule to match DSCP values. If multiple rules are configured for a class, the new configuration does not overwrite the previous. DSCP You can configure up to eight DSCP values at a time. If multiple identical DSCP values are specified, the system considers them as a single value.
Item Description Define a rule to match the customer 802.1p precedence values. Customer 802.1p If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure up to eight Dot1p values at a time. If multiple identical Dot1p values are specified, the system considers them as a single value. The relationship between different Dot1p values is OR. After configuration, all the Dot1p values are arranged in ascending order automatically.
Adding a traffic behavior 1. Select QoS > Behavior from the navigation tree. 2. Click the Add tab. 3. Set the traffic behavior name. 4. Click Add. Figure 675 Adding a traffic behavior Configuring actions for a traffic behavior 1. Select QoS > Behavior from the navigation tree. 2. Click the Setup tab.
Figure 676 Setting a traffic behavior 3. Configure the traffic behavior actions, as described in Table 210. 4. Click Apply. A progress dialog box appears. 5. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 210 Configuration items Item Description Please select a behavior Select an existing behavior in the list.
• CIR: Set the committed information rate (CIR), the average traffic rate.
• CBS: Set the committed burst size (CBS), the number of bits that can be sent in each interval.
• Red: Set the action to perform for exceeding packets. After selecting the Red option, you can select one of the following options: Discard—Drops the exceeding packet. Pass—Permits the exceeding packet to pass through. Remark DSCP Pass—Resets the DSCP value for the exceeding packet and then sends it.
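How CIR, CBS and the red action combine, shown as a single-rate token bucket, as an added example (not the device's implementation). The bucket is refilled at the CIR and can hold at most CBS; a packet that fits is green and passes, the rest are red and receive the configured red action (discard, pass, or remark DSCP and pass). The units (CIR in kbps, CBS in bytes, time in milliseconds) and the arrival sequence are assumptions made for the example; check your device's units before copying values across.

```python
"""Single-rate token bucket for CIR/CBS policing (added example, not the
device's implementation).  Units are assumptions: CIR in kbps, CBS in
bytes, time in milliseconds.  Green packets pass; red packets get the
configured red action: discard, pass, or remark DSCP and pass.
"""
from typing import Optional, Tuple


class Policer:
    def __init__(self, cir_kbps: int, cbs_bytes: int, red_action: str = "discard",
                 remark_dscp: Optional[int] = None):
        if red_action not in ("discard", "pass", "remark-dscp-pass"):
            raise ValueError("red_action must be discard, pass or remark-dscp-pass")
        if red_action == "remark-dscp-pass" and remark_dscp is None:
            raise ValueError("remark-dscp-pass needs a DSCP value")
        self.rate = cir_kbps / 8.0        # bytes added to the bucket per millisecond
        self.cbs = cbs_bytes              # bucket depth, i.e. the largest burst accepted
        self.tokens = float(cbs_bytes)    # bucket starts full
        self.last_ms = 0
        self.red_action = red_action
        self.remark_dscp = remark_dscp

    def police(self, size_bytes: int, now_ms: int, dscp: int = 0) -> Tuple[str, str, int]:
        """Return (colour, action, dscp-to-send) for one packet arriving at now_ms."""
        if now_ms < self.last_ms:
            raise ValueError("packets must be offered in time order")
        # Refill for the elapsed time, never beyond CBS.
        self.tokens = min(float(self.cbs), self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return ("green", "pass", dscp)
        if self.red_action == "discard":
            return ("red", "discard", dscp)
        if self.red_action == "pass":
            return ("red", "pass", dscp)
        return ("red", "pass", self.remark_dscp)


def run_sample(red_action: str = "discard", remark_dscp: Optional[int] = None) -> list:
    """Constructed arrivals against a 64 kbps CIR (8 bytes/ms) with a 2000-byte CBS."""
    p = Policer(cir_kbps=64, cbs_bytes=2000, red_action=red_action, remark_dscp=remark_dscp)
    arrivals = [(1000, 0), (1000, 0), (1000, 0), (500, 100), (500, 100)]  # (bytes, ms)
    return [p.police(size, t, dscp=46) for size, t in arrivals]
```

In the sample, two 1000-byte packets drain the full bucket at t=0, the third is red, and after 100 ms only 800 bytes of tokens have accrued, so one 500-byte packet is green and the next is red again: CBS bounds the burst, CIR bounds the sustained rate.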
Item Description Configure the packet filtering action. After selecting the Filter option, select one item in the following list: Filter • Permit—Forwards the packet. • Deny—Drops the packet. • Not Set—Cancels the packet filtering action. Configure the traffic accounting action. Accounting Select the Accounting option and select Enable or Disable in the following list to enable/disable the traffic accounting action. TIP: This configuration item is not supported. Adding a policy 1.
Figure 678 Setting a policy 3. Configure classifier-behavior associations, as described in Table 211. 4. Click Apply. Table 211 Configuration items Item Description Please select a policy Select an existing policy in the list. Classifier Name Select an existing classifier in the list. Behavior Name Select an existing behavior in the list. Applying a policy to a port 1. Select QoS > Port Policy from the navigation tree. 2. Click the Setup tab.
Figure 679 Applying a policy to a port 3. Select a policy and apply the policy to the specified ports, as described in Table 212. 4. Click Apply. Table 212 Configuration items Item Description Please select a policy Select an existing policy in the list. Set the direction in which you want to apply the policy: Direction Please select port(s) • Inbound—Applies the policy to the incoming packets of the specified ports. • Outbound—Applies the policy to the outgoing packets of the specified ports.
Figure 680 Service policy 2. Click the icon for a wireless service. Figure 681 Service policy setup 3. Apply the policy to the wireless service, as described in Table 213. 4. Click Apply. Table 213 Configuration items Item Remarks WLAN ID Display the selected WLAN ID.
Item Remarks WLAN Service Display the specified WLAN service to which you want to apply a QoS policy. Inbound Policy Apply the QoS policy to the packets received by the wireless service. Outbound Policy Apply the QoS policy to the packets sent by the wireless service. Set the priority trust mode: • Untrust—Trusts the port priority. • Dscp—Uses the DSCP values of received packets for mapping. • 802.11e—Uses the 802.11e priority of received 802.11 packets for mapping.
a. Select QoS > Time Range from the navigation tree. b. Click the Add tab. c. On the page as shown in Figure 683, enter the time range name test-time, select the Periodic Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and select the options Sun through Sat. d. Click Apply. Figure 683 Defining a time range covering 8:00 to 18:00 every day 2. Add an IPv4 advanced ACL: a. Select QoS > ACL IPv4 from the navigation tree. b. Click the Add tab. c. Enter the ACL number 3000. d.
Figure 684 Adding an IPv4 advanced ACL 3. Define an ACL rule for traffic to the FTP server: a. Click the Advanced Setup tab. b. On the page as shown in Figure 685, select 3000 in the ACL list, select the Rule ID option, and enter rule ID 2. c. Select Permit in the Action list. d. Select the Destination IP Address option, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0. e. Select test-time in the Time Range list. f. Click Add.
Figure 685 Defining an ACL rule for traffic to the FTP server 4. Add a class: a. Select QoS > Classifier from the navigation tree. b. Click the Add tab.
c. On the page as shown in Figure 686, enter the class name class1. d. Click Add. Figure 686 Adding a class 5. Define classification rules: a. Click the Setup tab. b. On the page as shown in Figure 687, select the class name class1 in the list, select the ACL IPv4 option, and select ACL 3000 in the following list. c. Click Apply. A progress dialog box appears. d. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 687 Defining classification rules 6. Add a traffic behavior: a. Select QoS > Behavior from the navigation tree. b. Click the Add tab. c. On the page as shown in Figure 688, enter the behavior name behavior1. d. Click Add.
Figure 688 Adding a traffic behavior 7. Configure actions for the traffic behavior: a. Click the Setup tab. b. On the page as shown in Figure 689, select behavior1 in the list, select the Filter option, and then select Deny in the following list. c. Click Apply. A progress dialog box appears. d. Click Close when the progress dialog box prompts that the configuration succeeds.
Figure 689 Configuring actions for the behavior 8. Add a policy: a. Select QoS > QoS Policy from the navigation tree. b. Click the Add tab. c. On the page as shown in Figure 690, enter the policy name policy1. d. Click Add.
Figure 690 Adding a policy 9. Configure classifier-behavior associations for the policy: a. Click the Setup tab. b. On the page as shown in Figure 691, select policy1, select class1 in the Classifier Name list, and select behavior1 in the Behavior Name list. c. Click Apply. Figure 691 Configuring classifier-behavior associations for the policy 10. Apply the QoS policy in the inbound direction of the wireless service named service1: a. Select QoS > Service Policy from the navigation tree. b.
Figure 692 Applying the QoS policy in the inbound direction of WLAN service service1
Verifying the configuration
After you complete these configurations, the QoS policy is applied to the wireless service named service1. The wireless clients cannot access the FTP server at IP address 10.1.1.1/24 from 8:00 to 18:00 every day, but they can access it at any other time.
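The ACL, classifier, behavior and policy above form one processing chain, and it is easy to misread the ACL's Permit as "allow". The following is an added example, not code from the HP guide, that models that chain (ACL 3000 rule 2, class1, behavior1 with Filter Deny, policy1) with constructed packets and clock values; the 08:00 to 18:00 window of test-time is treated as end-exclusive, which is an assumption.

```python
"""Added example (not from the HP guide): a model of the chain configured in
this example: ACL 3000 rule 2 (permit, destination 10.1.1.1 wildcard 0.0.0.0,
time range test-time) -> classifier class1 -> behavior1 (Filter: Deny) ->
policy1. It shows why an ACL *permit* ends up dropping traffic: the ACL only
selects the traffic, and the behavior decides what happens to it. Packets,
clock values and the 08:00-18:00 window (end exclusive) are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def ipv4_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit means 'do not care', so wildcard
    0.0.0.0 matches exactly one host and 0.0.0.255 matches a /24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def hhmm(s: str) -> int:
    """'09:30' -> minutes since midnight."""
    h, m = s.split(":")
    return int(h) * 60 + int(m)


@dataclass
class AclRule:
    rule_id: int
    action: str                          # "permit" or "deny"
    dst_ip: str
    dst_wildcard: str
    time_range: Optional[Tuple[str, str]] = None   # daily window, None = always


@dataclass
class Acl:
    number: int
    rules: List[AclRule] = field(default_factory=list)

    def match(self, dst_ip: str, now: str) -> Optional[str]:
        """Action of the first active rule matching dst_ip at time now, else None."""
        for r in sorted(self.rules, key=lambda x: x.rule_id):
            if r.time_range:
                start, end = r.time_range
                if not hhmm(start) <= hhmm(now) < hhmm(end):
                    continue                 # rule is inactive outside its time range
            if ipv4_wildcard_match(dst_ip, r.dst_ip, r.dst_wildcard):
                return r.action
        return None


def qos_policy_verdict(acl: Acl, behavior_filter: str, dst_ip: str, now: str) -> str:
    """class1 matches the traffic ACL 3000 *permits*; that traffic then gets
    behavior1's filter action. Everything else passes the policy untouched."""
    if acl.match(dst_ip, now) == "permit":
        return "drop" if behavior_filter == "deny" else "forward"
    return "forward"


# Constructed reproduction of the configuration from this example.
ACL_3000 = Acl(3000, [AclRule(2, "permit", "10.1.1.1", "0.0.0.0", ("08:00", "18:00"))])
BEHAVIOR1_FILTER = "deny"

if __name__ == "__main__":
    for ip, t in [("10.1.1.1", "09:30"), ("10.1.1.1", "20:00"), ("10.1.1.2", "09:30")]:
        print(ip, t, qos_policy_verdict(ACL_3000, BEHAVIOR1_FILTER, ip, t))
```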
Configuring wireless QoS
Overview
An 802.11 network offers wireless access based on carrier sense multiple access with collision avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel contention opportunities, and all applications carried on the WLAN use the same channel contention parameters. A live WLAN, however, must provide differentiated access services to meet the diverse bandwidth, delay, and jitter requirements of applications. When IEEE 802.
WMM protocol overview
The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use the CSMA/CA access mechanism. APs or clients listen to the channel before they hold the channel for data transmission. When the specified idle duration of the channel times out, APs or clients randomly select a backoff slot within the contention window to perform backoff. The device that finishes backoff first gets the channel. With 802.
To use a high-priority access category, a client must send a request to the AP. The AP returns a positive or negative response based on one of the following admission control policies:
• Channel utilization-based admission policy—The AP calculates the total time that the existing high-priority access categories occupy the channel in one second, and then calculates the time that the requesting traffic will occupy the channel in one second.
Figure 694 Wireless QoS
2. Select the option in front of the radio unit to be configured.
3. Click Enable.
By default, wireless QoS is enabled.
NOTE:
The WMM protocol is the foundation of the 802.11n protocol. When the radio operates in 802.11n (5 GHz) or 802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n clients might fail to communicate.
Setting the SVP service
1. Select QoS > Wireless QoS from the navigation tree.
Figure 696 Mapping SVP service to an access category
3. Configure SVP mapping, as described in Table 214.
4. Click Apply.
Table 214 Configuration items
AP Name: Displays the selected AP.
Radio: Displays the selected AP's radio.
SVP Mapping: Select the option before SVP Mapping, and then select an access category for SVP service:
• AC-VO.
• AC-VI.
• AC-BE.
• AC-BK.
NOTE:
SVP mapping is applicable only to non-WMM clients.
Setting CAC admission policy
1.
Figure 697 Setting CAC admission policy
3. Configure the CAC admission policy, as described in Table 215.
4. Click Apply.
Table 215 Configuration items
Client Number: Users-based admission policy, or the maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI. By default, the users-based admission policy applies, with the maximum number of users being 20.
Channel Utilization:
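The two admission policies differ in what they count, which the following added example (not code from the HP guide) makes concrete: Client Number counts unique clients, so a client using both AC-VO and AC-VI consumes one slot, while Channel Utilization adds up requested medium time. The 1,000,000 us per second channel budget, the request shape and the MAC strings are assumptions of the example; the two counters correspond to the Client accepted and Total request mediumtime(us) radio statistics described later.

```python
"""Added example (not from the HP guide): a model of the two CAC admission
policies in Table 215. Client Number counts each client once even when it
uses both AC-VO and AC-VI (default limit 20); Channel Utilization adds the
medium time already granted to high-priority ACs to the time the new request
would occupy in one second. The 1,000,000 us/s budget, the request shape and
the MAC strings are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict

CHANNEL_BUDGET_US = 1_000_000   # assumed budget: one full second of medium time


@dataclass
class CacRadio:
    policy: str                   # "client_number" or "channel_utilization"
    max_clients: int = 20         # default of the users-based policy (Table 215)
    # client MAC -> {access category -> admitted medium time in us per second}
    admitted: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def client_accepted(self) -> int:
        """Unique clients admitted (the 'Client accepted' radio statistic)."""
        return len(self.admitted)

    def total_request_mediumtime_us(self) -> int:
        """Sum over AC-VO and AC-VI ('Total request mediumtime(us)')."""
        return sum(sum(acs.values()) for acs in self.admitted.values())

    def request(self, client_mac: str, ac: str, medium_time_us: int) -> bool:
        """Admit (True) or reject (False) a request to use a high-priority AC."""
        if ac not in ("AC-VO", "AC-VI"):
            raise ValueError("CAC applies only to AC-VO and AC-VI")
        if self.policy == "client_number":
            # A client already holding one high-priority AC is not counted twice.
            ok = client_mac in self.admitted or self.client_accepted() < self.max_clients
        elif self.policy == "channel_utilization":
            # Replace, not double count, a renewed request from the same client/AC.
            already = self.admitted.get(client_mac, {}).get(ac, 0)
            in_use = self.total_request_mediumtime_us() - already
            ok = in_use + medium_time_us <= CHANNEL_BUDGET_US
        else:
            raise ValueError("unknown policy: " + self.policy)
        if ok:
            self.admitted.setdefault(client_mac, {})[ac] = medium_time_us
        return ok


if __name__ == "__main__":
    radio = CacRadio("client_number", max_clients=2)   # constructed small limit
    for mac, ac in [("00-00-00-00-00-01", "AC-VO"), ("00-00-00-00-00-01", "AC-VI"),
                    ("00-00-00-00-00-02", "AC-VO"), ("00-00-00-00-00-03", "AC-VO")]:
        print(mac, ac, "admitted" if radio.request(mac, ac, 50_000) else "rejected")
```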
5. Click Apply.
Table 216 Configuration items
AP Name: Displays the selected AP.
Radio: Displays the selected AP's radio.
Priority type: Displays the priority type.
AIFSN: Arbitration inter-frame spacing number used by the AP.
TXOP Limit: Transmission opportunity limit used by the AP.
ECWmin: Exponent of CWmin used by the AP.
ECWmax: Exponent of CWmax used by the AP.
No ACK: If you select the option before No ACK, the No ACK policy is used by the AP.
Configuration procedure
1. Select QoS > Wireless QoS from the navigation tree. By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP.
3. On the client EDCA list, click the icon in the Operation column for the desired priority type (AC_BK, for example).
Figure 699 Setting client EDCA parameters
4. Configure the client EDCA parameters, as described in Table 218.
5. Click Apply.
Access category | TXOP Limit | AIFSN | ECWmin | ECWmax
AC-VO | 47 | 2 | 2 | 3
Displaying radio statistics
1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Radio Statistics tab.
3. Click an AP to see its details.
Figure 700 Displaying the radio statistics
Table 220 Field description
AP ID: AP ID.
AP Name: AP name.
Radio: Radio ID.
Client EDCA update count: Number of client EDCA parameter updates.
QoS mode: QoS mode:
• WMM—The client is a QoS client.
Radio chip max TXOPLimit: Maximum TXOPLimit allowed by the radio chip.
Radio chip max ECWmax: Maximum ECWmax allowed by the radio chip.
Client accepted: Number of clients that have been admitted to access the radio, including the number of clients admitted to the AC-VO and AC-VI queues.
Total request mediumtime(us): Total requested medium time, including that of the AC-VO and AC-VI queues.
QoS Mode: QoS mode:
• WMM—QoS mode is enabled.
• None—QoS mode is not enabled.
Max SP length: Maximum service period.
AC: Access category.
State: APSD attribute of an access category:
• T—The access category is trigger-enabled.
• D—The access category is delivery-enabled.
• T | D—The access category is both trigger-enabled and delivery-enabled.
• L—The access category is of legacy attributes.
Assoc State: APSD attribute of the four access categories when a client accesses the AP.
Figure 702 Setting wireless service-based client rate limiting
4. Configure service-based client rate limiting, as described in Table 222.
5. Click Apply.
Table 222 Configuration items
WLAN ID: Displays the selected WLAN ID.
Wireless Service: Select an existing wireless service.
Direction: Set the traffic direction:
• Inbound—Traffic from client to AP.
• Outbound—Traffic from AP to client.
Mode: Set a rate limiting mode:
• Static—Limits the rate of each client to a fixed value.
Figure 703 Setting radio-based client rate limiting
4. Configure radio-based client rate limiting, as described in Table 223.
5. Click Apply.
Table 223 Configuration items
Radio List: List of radios available. You can create rate limiting rules for one or multiple radios.
Direction: Traffic direction:
• Inbound—Traffic from clients to the AP.
• Outbound—Traffic from the AP to clients.
• Both—Both inbound and outbound traffic.
To improve bandwidth use efficiency while ensuring bandwidth use fairness among wireless services, use the bandwidth guarantee function. Bandwidth guarantee makes sure that all traffic from each BSS can pass through when the network is not congested, and that each BSS gets its guaranteed bandwidth when the network is congested. For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and 50% of the bandwidth.
Setting guaranteed bandwidth percents
1. Select QoS > Wireless QoS from the navigation tree.
2. Select a radio from the bandwidth guarantee setup list, and click the icon for the radio in the Operation column.
Figure 705 Setting guaranteed bandwidth
3. Set the guaranteed bandwidth, as described in Table 225.
4. Click Apply.
Figure 706 Enabling the bandwidth guarantee function
Displaying guaranteed bandwidth settings
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click Bandwidth Guarantee.
3. Click the specified radio unit of the AP on the list under the Bandwidth Guarantee title bar.
Figure 707 Displaying guaranteed bandwidth settings
CAC service configuration example
Network requirements
As shown in Figure 708, a WMM-enabled AP accesses the Ethernet. Enable CAC for AC-VO and AC-VI on the AP.
Figure 708 Network diagram
Configuring the wireless service
1. Configure the AP, and establish a connection between the AC and the AP. For related configurations, see "Configuring access services." Follow the steps in the related configuration example to establish a connection between the AC and the AP.
Configuring CAC
1. Select QoS > Wireless QoS from the navigation tree. By default, the Wireless QoS tab is displayed.
2. Make sure WMM is enabled.
Figure 709 Wireless QoS configuration page
3.
7. Enable CAC for AC_VI in the same way. (Details not shown.)
8. Select QoS > Wireless QoS from the navigation tree. By default, the Wireless QoS tab is displayed.
9. Click the icon in the Operation column for the desired AP.
10. Select the Client Number option, and then enter 10.
11. Click Apply.
Configuring the wireless service
For the configuration procedure, see "Configuring access services."
Configuring static rate limiting
1. Select QoS > Wireless QoS from the navigation tree.
2. Click Client Rate Limit.
3. Select Inbound from the Direction list, and click the icon.
4. Configure static rate limiting:
a. Select Static from the Mode list.
b. Enter 1024 in the Per-Client Rate field.
5. Click Apply.
Figure 713 Configuring static rate limiting
Verifying the configuration
1.
Figure 714 Network diagram
Configuring the wireless service
For the configuration procedure, see "Configuring access services."
Configuring dynamic rate limiting
1. Select QoS > Wireless QoS from the navigation tree.
2. Click Client Rate Limit.
3. Select service2 from the Wireless Service list, select Inbound from the Direction list, and click the icon.
4. Configure dynamic rate limiting:
a. Select Dynamic from the Mode list.
b. Enter 8000 in the Total Rate field.
5. Click Apply.
Bandwidth guarantee configuration example
Network requirements
As shown in Figure 716, three wireless clients use the wireless services research, office, and entertain to access the wireless network. To make sure the enterprise network works properly, guarantee the office service 20% of the bandwidth, the research service 80%, and the entertain service none.
Figure 716 Network diagram
Configuring the wireless services
For the configuration procedure, see "Configuring access services."
5. Click the icon in the Operation column for 802.11a to enter the page for setting guaranteed bandwidth, as shown in Figure 718.
6. Set the guaranteed bandwidth:
a. Set the guaranteed bandwidth percent to 80 for wireless service research.
b. Set the guaranteed bandwidth percent to 20 for wireless service office.
c. Set the guaranteed bandwidth percent to 0 for wireless service entertain.
7. Click Apply.
Verifying the configuration
• Send traffic from the AP to the three wireless clients at a rate lower than 30000 kbps. The rate of traffic from the AP to the three wireless clients is not limited.
• Send traffic at a rate higher than 6000 kbps from the AP to Client 1 and at a rate higher than 24000 kbps from the AP to Client 2. The total rate of traffic from the AP to the two wireless clients exceeds 30000 kbps.
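The two verification cases (uncongested traffic passes untouched; under congestion each service is held to its guarantee) can be worked through numerically. The following is an added example, not code from the HP guide, using the 30000 kbps radio and the research 80% / office 20% / entertain 0% guarantees above; the redistribution of a service's unused guarantee to services still offering more is an assumption of this model, not a behaviour the guide states.

```python
"""Added example (not from the HP guide): models the radio-level bandwidth
guarantee of the example above (research 80%, office 20%, entertain 0% of a
30000 kbps radio). Below congestion every BSS is served in full; under
congestion each BSS is held to its guarantee. Redistributing a BSS's unused
guarantee to the BSSs still offering more is an assumption of this model,
not a behaviour the guide states."""
from typing import Dict


def guaranteed_kbps(capacity_kbps: int, percents: Dict[str, int]) -> Dict[str, int]:
    """Translate guarantee percents into kbps per wireless service."""
    if sum(percents.values()) > 100:
        raise ValueError("guarantees exceed 100%")
    return {svc: capacity_kbps * pct // 100 for svc, pct in percents.items()}


def allocate(capacity_kbps: int, percents: Dict[str, int],
             offered_kbps: Dict[str, int]) -> Dict[str, int]:
    """Return the rate (kbps) each service actually gets on the radio."""
    if sum(offered_kbps.values()) <= capacity_kbps:
        return dict(offered_kbps)            # not congested: nothing is limited
    floor = guaranteed_kbps(capacity_kbps, percents)
    # Congested: every service is first capped at its guaranteed share.
    alloc = {svc: min(offered_kbps.get(svc, 0), floor[svc]) for svc in percents}
    spare = capacity_kbps - sum(alloc.values())
    # Assumption: guarantee left unused by one service is shared among the
    # services still offering more, in proportion to their guarantee percents
    # (a 0% service therefore never receives spare capacity under congestion).
    while spare > 0:
        wanting = [s for s in percents
                   if percents[s] > 0 and alloc[s] < offered_kbps.get(s, 0)]
        if not wanting:
            break
        total_pct = sum(percents[s] for s in wanting)
        gave = 0
        for s in wanting:
            share = min(spare * percents[s] // total_pct, offered_kbps[s] - alloc[s])
            alloc[s] += share
            gave += share
        if gave == 0:
            break
        spare -= gave
    return alloc


# Constructed inputs matching the configuration example.
RADIO_KBPS = 30000
GUARANTEES = {"research": 80, "office": 20, "entertain": 0}

if __name__ == "__main__":
    print(guaranteed_kbps(RADIO_KBPS, GUARANTEES))
    print(allocate(RADIO_KBPS, GUARANTEES, {"research": 20000, "office": 5000, "entertain": 4000}))
    print(allocate(RADIO_KBPS, GUARANTEES, {"research": 30000, "office": 8000, "entertain": 2000}))
```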
Configuring advanced settings
Advanced settings overview
Country/Region code
Radio frequencies for countries and regions vary based on country regulations. A country/region code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country/region code for a WLAN device to meet the specific country regulations.
1+1 AC backup
Support for the 1+1 backup feature might vary depending on your device model.
• Primary AC recovery: The primary AC mechanism makes sure that APs choose the primary AC in precedence as the active AC. When the primary AC goes down, the APs switch to the standby AC. As soon as the primary AC recovers, the APs automatically connect to the primary AC again.
Figure 721 Primary AC recovery
AC 1 is the primary AC with a connection priority of 7, and it establishes a connection with the AP. AC 2 acts as the secondary AC.
Client information backup
In a network environment as shown in Figure 722, to prevent clients from going offline due to an unexpected primary/backup AC switchover, the ACs must support the stateful failover function. This feature enables the primary AC to send client information in real time to the backup AC through an IACTP tunnel, keeping client information consistent on the two ACs. When a switchover occurs, the backup AC immediately takes over services for online clients to ensure service continuity.
• To view detailed client information on the primary and backup ACs, select Summary > Client from the navigation tree, click the Detailed Information tab, and select the target client. In the displayed information, if the client information, except the state (Running for the primary AC, Running(Backup) for the backup AC), is consistent on the two ACs, the basic client information has been synchronized.
Figure 723 Requirement of WLAN load-balancing implementation
Load-balancing modes
The AC supports two load balancing modes: session mode and traffic mode.
• Session mode load balancing: Session-mode load balancing is based on the number of clients associated with the AP/radio. As shown in Figure 724, Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2.
A traffic snapshot is considered for traffic-mode load balancing. As shown in Figure 725, Client 1 and Client 2, which run 802.11g, are associated with AP 1. The AC has traffic-mode load balancing configured: the maximum traffic threshold is 10%, and the maximum traffic gap is 20%. Then, Client 3 wants to access the WLAN through AP 1. The maximum traffic threshold and traffic gap (between AP 1 and AP 2) have been reached on AP 1, so AP 1 rejects the request. Finally, Client 3 associates with AP 2.
If a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP, and it accepts the association request from the client.
Configuring the AC to accept APs with a different software version
An AP is a zero-configuration device. It can automatically discover an AC after it is powered on. By default, an AP can associate with an AC only if their software versions are consistent, which complicates maintenance.
Architecture of the wireless location system
A wireless location system is composed of three parts: devices or sources to be located, location information receivers, and location systems.
• Devices or sources to be located include Tags (small, portable RFIDs, which are usually placed on or glued to the assets to be located) from a location server company, and MUs (Mobile Units: wireless terminals or devices running 802.11). The tags and MUs send wireless messages periodically.
NOTE:
• For more information about monitor mode and hybrid mode, see "Configuring WLAN security."
• An AP operates in normal mode when it functions as a WLAN access point. For more information, see "Configuring access services."
After these processes, the AP begins to collect Tag and MU messages.
Figure 726 Network diagram
AP provision
AP provision enables you to configure network settings for fit APs on the AC. The AC automatically assigns these settings to the fit APs in run state over tunnel connections. The settings are stored in the proprietary configuration file on each AP and take effect after the AP restarts. This feature avoids configuring network settings for APs one by one from a terminal, reducing the workload in large WLAN networks.
Band navigation
The 2.
Multicast optimization
WLAN selects the lowest transmit rate for multicast packets and provides no multicast retransmission mechanism. Therefore, WLAN cannot meet the requirements of multicast applications that are not delay-sensitive but are data-integrity sensitive, such as HD VoD.
Guest access tunnel
A guest access tunnel redirects guest traffic to the external network of a company, providing WLAN access for guests and ensuring data security in the external network at the same time. The guest access tunnel function is realized through an aggregation AC and an edge AC. The edge AC is deployed in the internal network to provide access and authentication services to internal users. The aggregation AC is deployed in the external network to process guest traffic.
Working mechanism
IMPORTANT:
• The Bonjour gateway discards queries received from the wired network.
• The Bonjour gateway filters queries and responses according to the user-defined Bonjour policy. For more information, see "Configuring a Bonjour policy."
• Bonjour service advertisement snooping: The service devices send Bonjour responses to advertise the services they support.
Figure 730 Bonjour query snooping and response
Configuring WLAN advanced settings
Setting a country/region code
1. Select Advanced > Country/Region Code from the navigation tree.
Figure 731 Setting a country/region code
2. Configure a country/region code as described in Table 226.
3. Click Apply.
Table 226 Configuration items
Country/Region Code: Select a country/region code. Configure the valid country/region code for a WLAN device to meet the country regulations.
• An AC's fixed country/region code cannot be changed, and all managed fit APs whose country/region codes are not fixed must use the AC's fixed country/region code.
• A fit AP's fixed country/region code cannot be changed, and the fit AP can only use that country/region code.
• If an AC and a managed fit AP use different fixed country/region codes, the fit AP uses its own fixed country/region code.
Configuring 1+1 AC backup
Configuring an AP connection priority
1.
Table 227 Configuration items
AP Connection Priority: Set the priority for the AP connection to the AC.
Configuring 1+1 AC backup
1. Select Advanced > AC Backup from the navigation tree.
Figure 733 Configuring AC backup
2. Configure an IP address for the backup AC as described in Table 228.
3. Click Apply.
Table 228 Configuration items
IPv4: Enter the IPv4 address of the backup AC.
Configuring 1+1 fast backup
1. Select Advanced > AC Backup from the navigation tree to enter the page shown in Figure 733.
2. Configure fast backup as described in Table 229.
3. Click Apply.
Table 229 Configuration items
Fast Backup Mode:
• disable—Disable fast backup.
• enable—Enable fast backup.
By default, fast backup is disabled.
Hello Interval: Heartbeat interval for an AC connection.
Figure 734 Status information
Table 230 Field description
AP Name: Displays the AP connecting to the AC.
Status: Current status of the AC.
Vlan ID: ID of the VLAN to which the port belongs.
Domain ID: Domain to which the AC belongs.
Link State: Link status of the AC connection:
• Close—No connection is established.
• Init—The connection is being set up.
• Connect—The connection has been established.
Peer Board MAC: MAC address of the peer AC.
Status of the peer AC.
2. Click the icon for the target AP.
3. Expand Advanced Setup to enter the page as shown in Figure 732.
4. Configure a connection priority as described in Table 227.
5. Click Apply.
Configuring 1+N AC backup
1. Select AP > AP Setup from the navigation tree.
2. Click the icon for the target AP.
3. Expand Advanced Setup.
Figure 735 Configuring 1+N AC backup
4. Configure 1+N backup as described in Table 231.
5. Click Apply.
Table 231 Configuration items
Backup AC IPv4 Address: Set the IPv4 address of the backup AC.
Backup AC IPv6 Address: Set the IPv6 address of the backup AC.
If the global backup AC is also configured on the page you enter by selecting Advanced > AC Backup, the configuration on this page is used first.
When the radio mode is 802.11n, the page shown in Figure 738 appears. Select an MCS index value to specify the 802.11n transmission rate. For more information about MCS, see "Configuring radios."
Figure 738 Selecting an MCS index (802.11n)
When the radio mode is 802.11ac, the page shown in Figure 739 appears. Select a VHT MCS index value and a VHT NSS index value to specify the 802.11ac transmission rate. For more information about VHT MCS and VHT NSS, see "Configuring radios."
2. Click the icon for the target AP.
Figure 741 Testing busy rate of channels
3. Configure the channel busy test as described in Table 232.
4. Click Start to start the test.
Table 232 Configuration items
AP Name: Displays the AP name.
Radio Unit: Displays the radio unit of the AP.
Radio Mode: Displays the radio mode of the AP.
Test Time Per Channel: Set the time period in seconds for which each channel is tested.
• The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services."
Recommended configuration procedure
Task | Remarks
1. Configuring a load balancing mode | N/A
2. Configuring group-based load balancing | HP recommends that you complete Configuring a load balancing mode first. A load balancing group takes effect only when a load balancing mode is configured.
3.
2. Configure traffic-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. Select Traffic from the Load Balance Mode list.
c. Click Apply.
Figure 743 Setting traffic-mode load balancing
Table 234 Configuration items
Load Balance Mode: Select Traffic. The function is disabled by default.
Traffic: Load balancing is carried out for a radio when the traffic threshold and traffic gap threshold are reached.
Figure 744 Configuring a load balancing group
4. Configure a load balancing group as described in Table 235.
5. Click Apply.
Table 235 Configuration items
Group ID: Displays the ID of the load balancing group.
Description: Configure a description for the load balancing group. By default, the load balancing group has no description.
Radio List:
• In the Radios Available area, select the target radios, and then click << to add them to the Radios Selected area.
Table 236 Configuration items
Max Denial Count: Maximum denial count of client association requests. If a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.
RSSI Threshold: Load balancing RSSI threshold. A client may be detected by multiple APs. An AP considers a client whose RSSI is lower than the load balancing RSSI threshold to be not detected.
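The association decision described in the load-balancing overview (Figure 725: threshold 10%, gap 20%) only makes sense together with the Max Denial Count and RSSI Threshold settings in Table 236, so the following added example (not code from the HP guide) combines them for a radio in a load balancing group. Radio names, loads and RSSI values are constructed, and the use of "greater than or equal" where the guide says a threshold is "reached" is an assumption; session mode applies the same comparison to client counts instead of traffic percentages.

```python
"""Added example (not from the HP guide): a traffic-mode load-balancing
decision for a radio in a load balancing group, combining the overview's
threshold/gap logic (Figure 725: threshold 10%, gap 20%) with the Max Denial
Count and RSSI Threshold settings of Table 236. Radio identifiers, loads and
RSSI values are constructed; '>=' for 'reached' is an assumption."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class LbGroup:
    threshold: int = 10          # load (% of traffic) at which a radio starts balancing
    gap: int = 20                # max allowed difference to the least-loaded peer
    rssi_threshold: int = -75    # dBm; weaker detections count as "not detected"
    max_denial_count: int = 3
    load: Dict[str, int] = field(default_factory=dict)      # radio -> current load
    denials: Dict[str, int] = field(default_factory=dict)   # client -> times denied


def decide(group: LbGroup, radio: str, client: str, detections: Dict[str, int]) -> str:
    """detections: radio -> RSSI (dBm) at which that radio hears the client.
    Returns 'accept' or 'deny' for an association request arriving at radio."""
    load = group.load[radio]
    # Only peers in the group that detect the client at or above the RSSI
    # threshold count as alternatives the client could really associate with.
    peers = [r for r, rssi in detections.items()
             if r != radio and r in group.load and rssi >= group.rssi_threshold]
    if load < group.threshold or not peers:
        return "accept"              # radio not loaded enough, or nowhere else to go
    least = min(group.load[r] for r in peers)
    if load - least < group.gap:
        return "accept"              # gap to the least-loaded peer not reached
    # Threshold and gap both reached: deny, unless the client has already been
    # turned away more than Max Denial Count times (Table 236).
    denied = group.denials.get(client, 0)
    if denied > group.max_denial_count:
        return "accept"
    group.denials[client] = denied + 1
    return "deny"


if __name__ == "__main__":
    # Constructed: AP 1 carries 40% of the traffic, AP 2 5%; Client 3 hears both.
    group = LbGroup(load={"AP1": 40, "AP2": 5})
    print(decide(group, "AP1", "client3", {"AP1": -50, "AP2": -60}))   # deny
    print(decide(group, "AP2", "client3", {"AP1": -50, "AP2": -60}))   # accept
```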
Software Version: Enter the software version of the AC in the correct format.
Switching to fat AP
1. Select Advanced > AP Setup from the navigation tree.
2. Click the Switch to Fat AP tab.
3. Select the desired AP.
4. Click Switch to Fat AP to perform the AP working mode switchover.
NOTE:
Before you switch the working mode, you must download the fat AP software to the AP.
Configuring wireless location
1. Select Advanced > Wireless Location from the navigation tree.
Table 238 Configuration items
Tag Location Function:
• Enable—Enable the wireless location function. The device begins to listen to packets when wireless location is enabled.
• Disable—Disable wireless location.
To ensure the location function, complete the configuration on the location server and the AC:
• On the location server—Configure whether to locate Tags or MUs, the message multicast address, and the dilution factor on the location server.
configuration information in the cache, and when the 10-minute timer expires, it saves the cached information to the flash.
• If the AP reboots within 10 minutes after receiving the first configuration message, and no configuration is saved in the flash, it does not send a reboot message to the location server.
Configuring wireless sniffer
Configuring radio-based wireless sniffer
When configuring radio-based wireless sniffer, follow these guidelines:
• Auto APs do not support wireless sniffer.
5. Click the icon for the target radio.
Table 239 Configuration items
Capture Limit: The maximum number of packets that can be captured. If you set a new value for this option, the packets that have been captured are cleared.
IMPORTANT:
• You cannot change the value when the device is capturing packets.
• Once the limit is exceeded, the device stops capturing packets.
Filename: Name of the file to which the packets are saved. By default, the name is CaptureRecord.
5. Enter the Ethernet frame ACL ID in the Capture ACL field.
6. Click Start.
Configuring AP provision
If you change the provision settings for an associated AP, save the settings to the proprietary configuration file of the AP, and restart the AP to make the new settings take effect.
Configuring global provision information
1. Select Advanced > AP Provision from the navigation tree.
2. Click the Global Provision tab.
Figure 749 Configuring global provision information
3.
2. Click the Non Provision APs tab.
Figure 750 Configuring non provision APs
3. Select the box for the target AP.
4. Configure the AP as described in Table 241.
Table 241 Configuration items
Change to Provision AP: Select an AP and click this button to change the selected AP to a provision AP.
Delete Provision: Select an AP and click this button to delete the proprietary configuration file of the selected AP.
IMPORTANT:
• The Delete Provision operation applies only to running APs.
Figure 751 Configuring provision APs
3. Select the box for the target AP.
4. Configure the AP as described in Table 242.
Table 242 Configuration items
Change to Non Provision AP: Select an AP and click this button to change the selected AP to a non-provision AP.
Apply Provision: Select an AP and click this button to save the provision settings to the proprietary configuration file of the selected AP.
Figure 752 Configuring AP provision settings
6. Configure AP provision settings as described in Table 243.
7. Click Apply.
Table 243 Configuration items
IPv4 Address: IPv4 address of the management VLAN interface of the AP.
IPv4 Mask: IPv4 address mask.
IPv6 Address: IPv6 address of the management VLAN interface of the AP.
IPv6 Prefix Length: Length of the IPv6 address prefix.
Gateway IPv4 Address: IPv4 address of the gateway.
Gateway IPv6 Address: IPv6 address of the gateway.
IPsec Key: Select this option to configure the IPsec key used by the AP.
Initial Country Code: Initial country code used by the AP.
802.1X Client Function:
• Disable.
• Enable.
By default, the 802.1X client function is disabled.
802.1X Client Username: Configure the username for the AP when it operates as an 802.1X client.
802.1X Client Password: Configure the password for the AP when it operates as an 802.1X client.
802.
Figure 753 Configuring band navigation
2. Configure band navigation as described in Table 244.
3. Click Apply.
Table 244 Configuration items
Band Navigation:
• Enable—Enable band navigation.
• Disable—Disable band navigation.
By default, band navigation is disabled globally.
Session Threshold Gap:
• Session Threshold—Session threshold for clients on the 5 GHz band.
• Gap—Session gap, which is the number of clients on the 5 GHz band minus the number of clients on the 2.4 GHz band.
Configuring a VLAN pool
Creating a VLAN pool
1. Select Advanced > VLAN Pool from the navigation tree.
2. Click Add.
Figure 754 Creating a VLAN pool
3. Configure the VLAN pool as described in Table 245.
4. Click Apply.
Table 245 Configuration items
VLAN Pool: Specify the name for a VLAN pool. By default, no VLAN pool exists. You can create up to 32 VLAN pools.
VLAN List: Configure the VLAN list in a VLAN pool. By default, no VLAN list exists in a VLAN pool.
Binding a VLAN pool to a specific wireless service
Enable MAC VLAN for the wireless service to be bound to the VLAN pool. Configure the MAC VLAN function on the Wireless Service > Access Service page.
To bind a VLAN pool to a service template:
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service.
Figure 755 Binding a VLAN pool to a wireless service
3. Select the AP radio mode to be bound.
4.
Figure 756 Displaying the number of clients for each VLAN ID
This page displays the number of clients that obtain VLAN IDs through the VLAN pool, but not the clients that obtain VLAN IDs through other methods, such as a server-assigned VLAN.
3. Click the VLAN Pool Bound Info tab and click the target VLAN pool name to display the VLAN pool binding information.
AC fails, a large number of APs upload multicast optimization entries to the new primary AC. To avoid congestion, the multicast optimization entries are synchronized to the new primary AC in two minutes.
Enabling multicast optimization
1. Select Advanced > Multicast Optimization from the navigation tree.
Figure 758 Configuring multicast optimization
2. Configure multicast optimization as described in Table 246.
3. Click Apply.
• Pause Multicast Optimization for All Clients—Invalidates the multicast optimization function. A new client can still join a multicast group and receive multicast packets, and a multicast optimization entry can be created for the client. However, the multicast optimization function for all clients in the multicast group becomes invalid. When the number of clients drops below the upper limit, the multicast optimization function takes effect again.
Total Clients: Total number of clients served by multicast optimization. If a client joins multiple multicast groups, the client is counted as multiple clients. For example, if a client has joined two multicast groups through a radio, the client is counted as two clients by multicast optimization.
Action: Operating status of the multicast optimization function:
• Optimize—The multicast optimization function is operating.
• Halt—The multicast optimization function is halted.
Figure 760 Configuring the edge AC
2. On the page that appears, select Edge AC and configure the parameters as shown in Table 248.
3. Click Add.
4. Click Apply.
Table 248 Configuration items
Keep-Alive Time: Specify the interval at which the edge AC sends keep-alive requests to aggregation ACs.
Aggregation AC Address: Specify the IPv4 address of the aggregation AC to be configured on the edge AC.
VLAN: Specify a guest VLAN name.
Figure 761 Configuring the aggregation AC
2. On the page that appears, select Aggregation AC and configure the parameters as shown in Table 249.
3. Click Add.
4. Click Apply.
Table 249 Configuration items
Edge AC Address: Specify the IP address of the edge AC to be configured on the aggregation AC.
VLAN: Specify a guest VLAN by its name.
Viewing guest access tunnels
Select Advanced > Guest Tunnel from the navigation tree.
Enabling Bonjour gateway
1. Select Advanced > Bonjour Gateway from the navigation tree.
Figure 763 Enabling Bonjour gateway
2. On the page that appears, select Bonjour Gateway and configure the parameters as shown in Table 250.
3. Click Apply.
Table 250 Configuration items
Bonjour Gateway:
• Disable—Disable Bonjour gateway globally.
• Enable—Enable Bonjour gateway globally.
By default, Bonjour gateway is disabled globally.
Configuring a Bonjour policy
A service policy contains service type configuration and VLAN configuration. The AC forwards queries and responses according to the following rules:
• For a query, if the service type in the query does not match the specified service type, the AC discards the query.
• For a response, the AC forwards it only when it matches the service type, IP address, and instance name.
• The AC can forward queries and responses only to the VLANs in the configured VLAN lists.
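The three forwarding rules, together with the rule from the working mechanism that queries from the wired network are discarded, amount to a small policy filter. The following added example (not code from the HP guide) applies them to constructed queries and responses; the service type strings (telnet, webdav, workstation) follow Table 252, while the message layout and the way the policy's IP address and instance name are stored are assumptions.

```python
"""Added example (not from the HP guide): applies the Bonjour policy
forwarding rules above to constructed queries and responses. Service type
strings follow Table 252 (telnet, webdav, workstation); the message fields
and the (type, IP, instance) shape of the response rule are assumptions."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class BonjourPolicy:
    service_types: Set[str]                         # service types clients may query
    service_vlans: Set[int]                         # Service VLAN list the AC may forward to
    # Responses are forwarded only when type, IP address and instance name all match.
    allowed_responses: List[Tuple[str, str, str]] = field(default_factory=list)


@dataclass
class BonjourMsg:
    kind: str                  # "query" or "response"
    service_type: str
    from_wired: bool = False   # queries from the wired network are discarded
    ip: str = ""               # responses only
    instance: str = ""         # responses only


def forward_to(policy: BonjourPolicy, msg: BonjourMsg, target_vlans: Set[int]) -> Set[int]:
    """Return the subset of target_vlans the AC forwards msg to (empty set = dropped)."""
    if msg.kind == "query":
        if msg.from_wired:
            return set()                             # IMPORTANT note: wired queries are dropped
        if msg.service_type not in policy.service_types:
            return set()                             # rule 1: service type must match
    elif msg.kind == "response":
        if (msg.service_type, msg.ip, msg.instance) not in policy.allowed_responses:
            return set()                             # rule 2: type, IP and instance must match
    else:
        raise ValueError("unknown message kind: " + msg.kind)
    return target_vlans & policy.service_vlans       # rule 3: only configured VLANs


if __name__ == "__main__":
    # Constructed policy: WebDav and Workgroup Manager allowed, VLANs 10 and 20 only.
    policy = BonjourPolicy({"webdav", "workstation"}, {10, 20},
                           [("webdav", "10.0.0.5", "Files")])
    print(forward_to(policy, BonjourMsg("query", "webdav"), {10, 20, 30}))
    print(forward_to(policy, BonjourMsg("query", "telnet"), {10, 20}))
    print(forward_to(policy, BonjourMsg("response", "webdav", ip="10.0.0.5", instance="Files"), {20, 30}))
```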
Service VLAN: Configure the VLANs to which the AC can forward queries and responses. By default, the AC cannot forward queries and responses.
Access VLAN: Allow the AC to forward queries and responses to the VLANs to which the clients belong. By default, the AC cannot forward queries and responses.
Service Rule List:
Service Type: Specify the type of service that can be queried by clients. Table 252 lists some Bonjour protocols by their names and service type strings.
Service Rule:
Service type | Protocol name
telnet | Remote Login
webdav | WebDav File System
workstation | Workgroup Manager
xserveraid | Xserve RAID
Applying a Bonjour policy
You can apply a Bonjour policy on the Wireless Service > Access Service, AP > AP Setup, AP > AP group, and Authentication > User pages. If you apply a Bonjour policy to an AP group, the Bonjour policy takes effect on all APs in the AP group.
• When AC 1 recovers, no switchover back to AC 1 occurs: AC 2 remains the active AC and AC 1 acts as the standby AC, because the AP connection priority configured on AC 1 is not the highest value.
Figure 766 Network diagram
Configuration guidelines
• The wireless services configured on the two ACs must be consistent.
• Specify the IP address of the backup AC on each AC.
• AC backup is independent of the access authentication method.
Figure 767 Configuring the AP connection priority
7. Select Advanced > AC Backup from the navigation tree. You are placed on the Setup tab.
8. On the page that appears, select the IPv4 box, set the IP address of the backup AC to 1.1.1.5, and select Enable to enable the fast backup mode.
9. Click Apply.
Figure 768 Configuring the IP address of the backup AC Configuring AC 2 1. Configure AP to establish a connection between AC 2 and AP. For more information about configurations, see "Configuring access services." 2. Leave the default value of the AP connection priority unchanged. (Details not shown.) 3. Select Advanced > AC Backup from the navigation tree. 4. On the page that appears, select the IPv4 box, set the address of the backup AC to 1.1.1.4, and select enable to enable the fast backup mode.
Figure 769 Configuring the address of the backup AC Verifying the configuration 1. When AC 1 operates correctly, view the AP status on AC 1 and AC 2, respectively. The AP connection priority on AC 1 is set to 6 (the higher one), so AC 1 becomes the active AC. The AP establishes a connection to AC 1 based on priority. a. On AC 1, select Advanced > AC Backup from the navigation tree. b. Click the Status tab. The status information shows that AC 1 is the active AC.
Figure 770 Displaying the AP status on AC 1
c. On AC 2, select Advanced > AC Backup from the navigation tree.
d. Click the Status tab. The status information shows that AC 2 is acting as the standby AC.
2. When AC 1 goes down, the standby AC (AC 2) detects the failure immediately through the heartbeat detection mechanism. AC 2 then takes over as the new active AC and provides services to the AP. On AC 2 (the new active AC), display the AP status. (Details not shown.) The information shows that AC 2 has become the active AC. On AC 2, display the client information. (Details not shown.)
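The following is an added example, not part of the HP guide: a small model of the AP connection priority rules stated in the configuration guidelines above and in the three-AC example that follows. The AP connects to the reachable AC with the highest AP connection priority, fails over to the remaining AC when the active AC goes down, and switches back to a recovered AC only when that AC holds the highest priority value, 7. The class name ApBackupModel and the numeric value used for an AC left at its default priority are assumptions for illustration.

```python
"""Added example (not HP code): AP connection priority and 1+1 AC backup."""

from typing import Dict, List, Optional, Tuple

HIGHEST_PRIORITY = 7   # the only value that guarantees automatic switchback


class ApBackupModel:
    def __init__(self, priorities: Dict[str, int]):
        # priorities: AC name -> AP connection priority configured on that AC
        self.priorities = dict(priorities)
        self.up = {ac: True for ac in self.priorities}
        self.log: List[Tuple[str, Optional[str]]] = []
        self.active: Optional[str] = self._best_reachable()
        self.log.append(("boot", self.active))

    def _best_reachable(self) -> Optional[str]:
        reachable = [ac for ac in self.priorities if self.up[ac]]
        if not reachable:
            return None
        # Highest priority wins; on a tie the first configured AC is kept.
        return max(reachable, key=lambda ac: self.priorities[ac])

    def fail(self, ac: str) -> Optional[str]:
        """The AC goes down; the AP fails over if that AC was active."""
        self.up[ac] = False
        if self.active == ac:
            self.active = self._best_reachable()
        self.log.append((f"fail {ac}", self.active))
        return self.active

    def recover(self, ac: str) -> Optional[str]:
        """The AC comes back. No switchback unless it has priority 7 and
        outranks the AC the AP is currently connected to."""
        self.up[ac] = True
        if self.active is None:
            self.active = ac
        elif (self.priorities[ac] == HIGHEST_PRIORITY
              and self.priorities[ac] > self.priorities[self.active]):
            self.active = ac
        self.log.append((f"recover {ac}", self.active))
        return self.active


if __name__ == "__main__":
    # AC 1 at priority 6, AC 2 left at an assumed lower default of 4.
    m = ApBackupModel({"AC1": 6, "AC2": 4})
    m.fail("AC1")
    m.recover("AC1")
    print(m.log)   # AP stays on AC2 after AC1 recovers
```

Run the same sequence with AC 1 at priority 7 and the AP returns to AC 1 on recovery, which is the three-AC example below; with 6 it stays on the backup, which is the 1+1 example above.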
5. Set the connection priority to 7.
6. Click Apply.
Figure 773 Configuring the AP connection priority for AP 1
Configuring AC 2
1. Configure AC 2 so that a connection is set up between AC 2 and AP 2. For more information about configurations, see "Configuring access services."
2. Set the AP connection priority to 7. The configuration steps are the same as the steps on AC 1. (Details not shown.)
3. Configure AC 3 (the backup AC):
a. Configure the related information for AP 1 and AP 2.
e. Enter 1.1.1.3 in the Backup AC IPv4 Address field. f. Click Apply. Figure 774 Backing up the IP address of AC 1 g. Select AP > AP Setup from the navigation tree. h. Click the icon for the target AP. i. Expand Advanced Setup. j. Enter 1.1.1.4 in the Backup AC IPv4 Address field. k. Click Apply.
Figure 775 Backing up the IP address of AC 2
Verifying the configuration
1. When AC 1 goes down, AC 3 becomes the new active AC.
2. When AC 1 recovers, the AP that failed over to AC 3 connects to AC 1 again, because AC 1 holds the highest AP connection priority value, 7, which ensures an automatic switchback.
Client information backup configuration example
Network requirements
As shown in Figure 776, AC 1 and AC 2 support stateful failover. AC 1 is the primary AC.
Figure 776 Network diagram Configuration procedure Complete the following configurations on both AC 1 and AC 2. 1. Build an IACTP tunnel. For more information, see "Configuring WLAN roaming." 2. Configure AC backup. For more information, see "Configuring 1+1 AC backup." 3. Configure client information backup: a. Select Advanced > AC Backup from the navigation tree. You are placed on the Setup tab. b. Click Enable to the right of Backup Client Information. c. Click Apply.
Figure 778 Displaying the client status on AC 1
The page shows that the client is in Running status, which means the client is associated with the primary AC (AC 1), because AC 1 has the higher connection priority.
b. Select Summary > Client from the navigation tree, click the Detail Information tab, and select the target client to view its detailed information.
information. If the information on the two ACs is consistent, the client roaming information has been synchronized.
2. When AC 1 fails, AC 2 becomes the primary AC. During the switchover, clients are not logged off and can access the network through AC 2.
AP-based session-mode load balancing configuration example
Network requirements
• As shown in Figure 780, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2.
Figure 781 Setting session-mode load balancing
Verifying the configuration
Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. Because the number of clients on AP 2 has reached the session threshold 5 and the session gap between AP 2 and AP 1 has reached 4, AP 2 rejects the new client and Client 7 is associated with AP 1.
AP-based traffic-mode load balancing configuration example
Network requirements
• As shown in Figure 782, all APs operate in 802.11g mode.
Figure 782 Network diagram Configuration guidelines An AP starts traffic-mode load balancing only when both the maximum traffic threshold and maximum traffic gap are reached. Configuration procedure 1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services." 2. Configure traffic-mode load balancing: a. Select Advanced > Load Balance from the navigation tree. b.
Figure 783 Setting traffic-mode load balancing Verifying the configuration Client 1 and Client 2 are associated with AP 1. Add Client 3 to the network. When the maximum traffic threshold and traffic gap are reached on AP 1, Client 3 is associated with AP 2. Group-based session-mode load balancing configuration example Network requirements • As shown in Figure 784, all APs operate in 802.11g mode. Client 1 is associated with AP 1.
Figure 784 Network diagram Configuration procedure 1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services." 2. Configure load balancing: a. Select Advanced > Load Balance from the navigation tree. b. On the Load Balance tab, select Session from the Load Balance Mode list, enter the threshold 5, and use the default value for the gap. c.
3. Configure a load balancing group: a. Select Advanced > Load Balance from the navigation tree. b. Click the Load Balance Group tab. c. Click Add. d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area, click << to add them to the Radios Selected area, and click Apply. Figure 786 Configuring a load balancing group Verifying the configuration • Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group.
• Traffic-mode load balancing is required only on radio 2 of AP 1 and radio 2 of AP 2. Therefore, add them to a load balancing group.
Figure 787 Network diagram (AC, L2 switch, AP 1, AP 2, AP 3, Client 1 through Client 3)
Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure load balancing:
a.
Figure 788 Configuring traffic load balancing 3. Configure a load balancing group: a. Select Advanced > Load Balance from the navigation tree. b. Click the Load Balance Group tab. c. Click Add. d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area, click << to add them to the Radios Selected area, and click Apply.
Figure 789 Configuring a load balancing group Verifying the configuration • Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Because load balancing takes effect only on radios in a load balancing group, AP 3 does not take part in load balancing. • Assume Client 3 wants to associate with AP 1.
Figure 790 Network diagram (AC, switch, AP 1, AP 2, AP 3)
Configuration procedures
Before the configuration, assume that you have configured the three APs in AP > AP Setup.
1. Configure an AP group:
a. Select AP > AP Group from the navigation tree.
b. On the page that appears, click Add to create an AP group named update.
2. Enable the AP version upgrade function for AP 1 and AP 2:
a. Select ap1 and ap2 from the AP List and move them to the Selected AP List.
b. Select Enable from the Firmware Update list.
c.
Figure 791 Configuring AP version upgrade (1)
3. Disable the AP version upgrade function for AP 3: a. Select AP > AP Setup from the navigation tree. b. Click the icon for AP 3. c. Select Disable from the Firmware Update list. d. Click Apply. Figure 792 Configuring AP version upgrade (2) 4. Download the AP version to the AC. (Details not shown.) 5. Upgrade the AC's version to B108D001 and reset the AC.
Wireless location configuration example Network requirements As shown in Figure 793, AP 1, AP 2, and AP 3 operate in normal mode. They send the collected tag and MU messages to an AE (the location server), which performs location calculation and then sends the data to the graphics software. You can obtain the location information of the rogue AP, APs, and clients by using maps, forms or reports.
Figure 794 Creating an AP 4. Select Wireless Service > Access Service from the navigation tree. 5. Click Add. 6. On the page that appears, specify the Wireless Service Name as service, select clear from the Wireless Service Type list, and click Apply. Figure 795 Creating a wireless service 7. Select Wireless Service > Access Service from the navigation tree. 8. On the page that appears, select the box to the left of service. 9. Click Enable.
Figure 796 Enabling the wireless service 10. Select Wireless Service > Access Service from the navigation tree. 11. On the page that appears, click the icon for wireless service service. 12. Select the box to the left of 802.11n(2.4GHz). 13. Click Bind.
Figure 797 Binding the wireless service to a radio Enabling 802.11n 1. Select Radio > Radio from the navigation tree. 2. Select the target AP. 3. Click Enable.
Figure 798 Enabling 802.11n (2.4 GHz) Enabling wireless location 1. Select Advanced > Wireless Location from the navigation tree. 2. On the page that appears, perform the following tasks: a. Select Enable for Location Function. b. Select Aero Scout for Protocol Type. c. Select Dynamic for Address Acquisition Method. d. Select Tag Mode and MU Mode for ap1, ap2, and ap3. 3. Click Apply.
Figure 799 Enabling wireless location Verifying the configuration You can display the location information of the rogue AP, APs, and clients by using maps, forms or reports. Wireless sniffer configuration example Network requirements As shown in Figure 800, configure a Capture AP, and enable wireless sniffer on this AP to capture wireless packets. The captured packets are then saved in a .dmp file for troubleshooting.
Figure 800 Network diagram (client, AP 1, AP 2, Capture AP, switch, AC, rogue AP, PDA, PC)
Configuring Capture_AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name capture_ap, select the model MSM460-WW, select Manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
Figure 801 Creating a Capture AP
4. Select Radio > Radio from the navigation tree.
5. Click the icon for the target radio.
6. Select 6 from the Channel list.
7.
Figure 802 Setting the channel 8. Select Radio > Radio from the navigation tree. 9. Select the target AP. 10. Click Enable.
Figure 803 Enabling 802.11n (2.4 GHz) Configuring and enabling wireless sniffer 1. Select Advanced > Wireless Sniffer from the navigation tree. 2. On the page that appears, enter the capture limit 5000, enter the file name CapFile, and click Apply. 3. Click the icon for radio 802.11g.
Verifying the configuration
• The Capture AP captures wireless packets and saves them to a CAP file in the default storage medium. Administrators can download the file to a PC and inspect the packets with a tool such as Ethereal (now Wireshark).
• When the total number of captured packets reaches the upper limit, the Capture AP stops capturing packets.
Figure 806 Configuring global provision 2. Configure AP 1 and AP 2 as provision APs: a. Select Advanced > AP Provision from the navigation tree. b. Click the Non Provision APs tab. Figure 807 Configuring non provision APs c. Select the boxes to the left of ap1 and ap2. d. Click Change to Provision AP. e. Click the Provision APs tab.
Figure 808 Configuring provision APs f. Click the icon for ap1. g. Assign the following network settings to AP 1: − IPv4 address 1.1.1.1 and mask 24. − 802.1X client function. − Username test and password test. − Authentication method peap-mschapv2. h. Click Apply Provision. Figure 809 Configuring AP provision information i. Assign the following network settings to AP 2: − IPv4 address 1.1.1.2 and mask 24.
− 802.1X client function.
− Username test and password test.
− Authentication method peap-mschapv2.
j. Click the Provision APs tab.
Figure 810 Configuring provision APs
k. Select the boxes to the left of ap1 and ap2.
l. Click Apply Provision.
NOTE: The username test and password test are example values. Use unique credentials for each AP on a production network.
Configuring AC 2
Configure wireless service on AC 2. For more information, see "Configuring access services."
Verifying the configuration
1. On AC 1, select Summary > AP from the navigation tree.
Figure 811 AP information page
2.
Figure 812 AP information page on AC 2 Band navigation configuration example Network requirements As shown in Figure 813, Client 1 through Client 4 try to associate with AP 1, and the two radios of AP 1 operate at 5 GHz and 2.4 GHz, respectively. Client 1, Client 2, and Client 3 are dual-band clients, and Client 4 is a single-band (2.4 GHz) client. Configure band navigation to direct clients to different radios of the AP.
b. Click Add.
c. On the page that appears, set the service name to band-navigation, select the wireless service type Clear, and click Apply.
3. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the band-navigation box.
c. Click Enable.
4. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service band-navigation.
c.
Figure 815 Configuring band navigation Verifying the configuration Client 1 and Client 2 are associated with the 5 GHz radio of AP 1, and Client 4 can only be associated with the 2.4 GHz radio of AP 1. Because the number of clients on the 5 GHz radio has reached the upper limit 2, and the gap between the number of clients on the 5 GHz radio and 2.4 GHz radio has reached the session gap 1, Client 3 will be associated with the 2.4 GHz radio of AP 1.
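The following is an added example, not part of the HP guide: a model of the load balancing decision used in the session-mode, traffic-mode and group-based examples above, and of band navigation, which applies the same rule between the two radios of one AP. A radio refuses a new association only when both conditions hold: its own load has reached the threshold, and the gap between its load and the least-loaded radio in the same scope has reached the configured gap. Radios outside a load balancing group never take part, and a single-band client is never steered off 2.4 GHz. The radio names, traffic figures and the names LoadBalancer, Radio, band_navigation and session_example are assumptions.

```python
"""Added example (not HP code): session/traffic load balancing and band navigation."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Radio:
    name: str
    sessions: int = 0
    traffic_kbps: int = 0       # only consulted in traffic mode


@dataclass
class LoadBalancer:
    mode: str                   # "session" or "traffic"
    threshold: int              # max sessions, or max traffic in kbps
    gap: int                    # session gap, or traffic gap in kbps
    radios: Dict[str, Radio] = field(default_factory=dict)
    group: Optional[Set[str]] = None   # None = AP-based: every radio takes part

    def load(self, r: Radio) -> int:
        return r.sessions if self.mode == "session" else r.traffic_kbps

    def members(self) -> List[Radio]:
        return [r for r in self.radios.values()
                if self.group is None or r.name in self.group]

    def should_reject(self, name: str) -> bool:
        r = self.radios[name]
        if self.group is not None and name not in self.group:
            return False            # not in the group: never balances
        peers = [self.load(x) for x in self.members() if x.name != name]
        if not peers:
            return False
        # Both conditions must hold: own load at threshold AND gap reached.
        return (self.load(r) >= self.threshold
                and self.load(r) - min(peers) >= self.gap)

    def associate(self, preferred: str,
                  allowed: Optional[Set[str]] = None) -> str:
        """Place a new client that tries `preferred`; return the radio it
        ends up on. `allowed` restricts where the client can be steered."""
        allowed = allowed if allowed is not None else set(self.radios)
        target = self.radios[preferred]
        if self.should_reject(preferred):
            alternatives = [x for x in self.members()
                            if x.name != preferred and x.name in allowed]
            if alternatives:            # steer to the least-loaded radio
                target = min(alternatives, key=self.load)
        target.sessions += 1
        return target.name


def band_navigation(clients: Iterable[Tuple[str, bool]],
                    limit: int = 2, gap: int = 1) -> Dict[str, str]:
    """Band navigation on one dual-radio AP. clients: (name, dual_band).
    Dual-band clients try 5 GHz first; single-band clients can only use
    2.4 GHz and are never steered."""
    lb = LoadBalancer("session", limit, gap,
                      {"5GHz": Radio("5GHz"), "2.4GHz": Radio("2.4GHz")})
    placement: Dict[str, str] = {}
    for name, dual in clients:
        if dual:
            placement[name] = lb.associate("5GHz", {"5GHz", "2.4GHz"})
        else:
            placement[name] = lb.associate("2.4GHz", {"2.4GHz"})
    return placement


def session_example() -> str:
    """The session-mode example: 1 client on AP 1, 5 on AP 2, threshold 5,
    gap 4. Where does Client 7 land when it tries AP 2?"""
    lb = LoadBalancer("session", 5, 4,
                      {"ap1": Radio("ap1", 1), "ap2": Radio("ap2", 5)})
    return lb.associate("ap2")


if __name__ == "__main__":
    print(session_example())
    print(band_navigation([("Client 1", True), ("Client 2", True),
                           ("Client 4", False), ("Client 3", True)]))
```

Traffic mode is the same decision with traffic_kbps as the load; constructing a LoadBalancer with mode "traffic" and a group that leaves one radio out reproduces the group-based example, in which the radio outside the group never rejects anyone.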
c. Click Apply. Figure 817 Creating a VLAN pool 2. Create an AP: a. Select AP > AP Setup from the navigation tree. b. Click Add. c. On the page that appears, enter the AP name ap, select the model MSM460-WW, select Manual from the Serial ID list, and enter the AP serial ID in the field. d. Click Apply. 3. Configure wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click Add. c.
Figure 818 Enabling MAC VLAN 4. Enable wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Select the office box. c. Click Enable. 5. Bind an AP radio to the wireless service: a. Select Wireless Service > Access Service from the navigation tree. b. Click the icon for the wireless service office. c. Select the box with radio type 802.11n(2.4GHz). d. Select the Binding VLAN pool option and select the target VLAN pool from the Binding VLAN pool list. e. Click Bind.
Figure 819 Binding a VLAN pool to a wireless service 6. Enable 802.11n(2.4GHz) radio: a. Select Radio > Radio Setup from the navigation tree. b. Select the box to the left of ap with the radio mode 802.11n(2.4GHz). c. Click Enable. Verifying the configuration • Select Advanced > VLAN Pool from the navigation tree to display the number of clients in each VLAN in the VLAN pool.
Figure 820 Network diagram Configuring the AC 1. Select Advanced > Multicast Optimization from the navigation tree. 2. Set the Aging Time to 300 seconds, the Multicast Optimization Max Clients to 2, and Max Client Limit Exceeded Action to Exclude New Clients for Multicast Optimization. 3. Click Apply. 4. Select the target wireless service. 5. Click Enable. Figure 821 Configuring multicast optimization Verifying the configuration Client 1 and Client 2 are associated with a radio of the AP.
Guest access tunnel configuration example
Network requirements
As shown in Figure 822, AC 1 is an edge AC and AC 2 is an aggregation AC. Configure a guest access tunnel so that guest traffic is separated from the traffic of the inner network. Guests get online through guest VLAN 5.
Figure 822 Network diagram
Configuring AC 1
Before configuring the edge AC, complete the following configurations:
• Configure wireless services on AC 1. For more information, see "Configuring access services."
2. On the page that appears, select Aggregation AC, enter 192.168.2.1 as the Edge AC Address, and specify VLAN 5 as the guest VLAN. 3. Click Add. 4. Click Apply. Figure 824 Configuring the aggregation AC Verifying the configuration • Select Advanced > Guest Tunnel from the navigation tree. You can see that the guest access tunnel is in Up state. • Select Summary > Client from the navigation tree. You can see that guests get online through VLAN 5.
Configuration procedures 1. Configure wireless services on the AC. (Details not shown.) 2. Configure the DHCP server to assign an IP address of the AC as the gateway IP address of the clients. (Details not shown.) 3. Enable Bonjour gateway: a. Select Advanced > Bonjour Gateway from the navigation tree, and click the Bonjour Gateway tab. b. Select Enable for Bonjour Gateway. c. Click Apply. Figure 826 Enabling Bonjour gateway 4. Configure Bonjour policy teacher: a.
Figure 827 Configuring Bonjour policies
6. Apply Bonjour policy teacher:
a. Select Wireless Service > Access Service from the navigation tree, and click the icon for the wireless service teacher.
b. Specify Bonjour Policy as teacher.
c. Click Apply.
7. Apply Bonjour policy student to wireless service student in the same way Bonjour policy teacher is applied to wireless service teacher. (Details not shown.)
Figure 828 Applying Bonjour policies Verifying the configuration 1. Select Advanced > Bonjour Gateway from the navigation tree, and click the Bonjour Service tab. You can see that the AC can discover the services of both Apple TV and Print. 2. Select Summary > Client from the navigation tree, and click the Detailed Information tab. You can see that iPad 1 can discover only the service of Print and iPad 2 can discover the services of both Apple TV and Print.
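The following is an added example, not part of the HP guide: a model of the forwarding rules described under "Configuring a Bonjour policy" and of the teacher/student verification above. Queries are dropped unless their service type is listed in the policy's service rules; responses are forwarded only when service type, IP address and instance name all match; forwarding is limited to the policy's service VLANs (for queries) and access VLANs (for responses). The short service-type names, VLAN numbers, addresses and the class names MdnsMessage, ServiceRule and BonjourPolicy are assumptions, and the advertised services are constructed data.

```python
"""Added example (not HP code): Bonjour policy evaluation for queries and responses."""

from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class MdnsMessage:
    kind: str                        # "query" or "response"
    service_type: str                # short name as in Table 252, e.g. "ipp"
    vlan: int                        # VLAN the message was received on
    instance: Optional[str] = None   # responses only: "Apple TV", "Print"
    ip: Optional[str] = None         # responses only: address of the server


@dataclass(frozen=True)
class ServiceRule:
    service_type: str
    ips: Optional[frozenset] = None         # None = any server address
    instances: Optional[frozenset] = None   # None = any instance name


@dataclass(frozen=True)
class BonjourPolicy:
    name: str
    rules: tuple                 # tuple of ServiceRule
    service_vlans: frozenset     # VLANs matching queries are forwarded to
    access_vlans: frozenset      # client VLANs matching responses go to

    def rule_for(self, service_type: str) -> Optional[ServiceRule]:
        return next((r for r in self.rules if r.service_type == service_type), None)

    def forward_targets(self, msg: MdnsMessage) -> Set[int]:
        """VLANs the AC forwards msg to under this policy; empty = discarded."""
        rule = self.rule_for(msg.service_type)
        if rule is None:
            return set()                 # unlisted service type: discard
        if msg.kind == "query":
            return set(self.service_vlans)
        # A response must match service type, IP address and instance name.
        if rule.ips is not None and msg.ip not in rule.ips:
            return set()
        if rule.instances is not None and msg.instance not in rule.instances:
            return set()
        return set(self.access_vlans)


def discoverable(policy: BonjourPolicy, advertised: List[MdnsMessage]) -> List[str]:
    """Instance names a client under `policy` gets to see, given the
    responses the servers advertise."""
    return sorted(m.instance for m in advertised
                  if m.kind == "response" and policy.forward_targets(m))


# Constructed data: an Apple TV and a printer in server VLAN 10, teacher
# clients in VLAN 20, student clients in VLAN 30.
ADVERTISED = [
    MdnsMessage("response", "airplay", 10, instance="Apple TV", ip="10.0.10.5"),
    MdnsMessage("response", "ipp", 10, instance="Print", ip="10.0.10.6"),
]
TEACHER = BonjourPolicy("teacher", (ServiceRule("airplay"), ServiceRule("ipp")),
                        frozenset({10}), frozenset({20}))
STUDENT = BonjourPolicy("student", (ServiceRule("ipp"),),
                        frozenset({10}), frozenset({30}))

if __name__ == "__main__":
    print("student sees:", discoverable(STUDENT, ADVERTISED))
    print("teacher sees:", discoverable(TEACHER, ADVERTISED))
```

The ips and instances fields on a ServiceRule are what keep a rogue host in the server VLAN from advertising its own "Print" instance to clients: with them set, a response from an unlisted address is discarded even though its service type is allowed.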
Configuring stateful failover NOTE: Support for the stateful failover feature might vary depending on your device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products." Overview Introduction to stateful failover Some customers require their wireless networks to be highly reliable to ensure continuous data transmission.
Figure 830 Network diagram for stateful failover (AC 1 and AC 2 joined by a failover link; GE1/0/2 on each AC carries tagged VLAN 2; the AP and host are in VLAN 2; uplink to the Internet)
Stateful failover states
Stateful failover includes the following states:
• Silence—The device has just started, or is transitioning from the synchronization state to the independence state.
• Independence—The silence timer has expired, but no failover link is established.
• To back up portal or 802.1X related information from the active device to the standby device, you must configure portal or 802.1X to support stateful failover besides the configurations described in this chapter. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products." • Stateful failover can be implemented only between two devices rather than among more than two devices. Configuring stateful failover 1.
Item: Description
Backup VLAN: Set the backup VLAN. After a VLAN is configured as a backup VLAN, the interfaces in the VLAN are used to transmit stateful failover packets.
IMPORTANT:
• A device uses the VLAN tag plus protocol number to identify stateful failover packets, and broadcasts stateful failover packets to the peer within the backup VLAN. Therefore, HP recommends not configuring other services (such as voice VLAN) for a backup VLAN to avoid impact on the operation of stateful failover.
• Because the backup VLAN carries the state synchronized between the two devices, keep it on a dedicated link between the peers rather than on a VLAN that user-facing ports can join.
Configuring AC 1 1. Configure AC 1 to support link backup between AC and AP to make sure traffic can be switched to AC 2 when AC 1 fails: a. From the navigation tree, select Advanced > AC Backup. The default Setup page appears. b. Select IPv4 and enter the IPv4 address of AC 2 (8.190.1.61) as the backup AC address, and select Enable from the Fast Backup Mode list. c. Click Apply. Figure 834 Setup page 2. Configure stateful failover: a. Select High reliability > Stateful Failover from the navigation tree.
Figure 835 Configuring stateful failover 3. Configure RADIUS scheme system: a. Select Authentication > RADIUS from the navigation tree. b. Click Add. The RADIUS scheme configuration page appears. c. Enter system for Scheme Name, select Extended for Server Type, and select Without domain name for Username Format. d. Click Add in the RADIUS Server Configuration field. The Add RADIUS Server page appears. e. Select Primary Authentication for Server Type, specify an IPv4 address 8.1.1.
Figure 837 Configuring a RADIUS accounting server l. After the configurations are complete, click Apply on the RADIUS scheme configuration page. Figure 838 RADIUS scheme configuration page 4. Configure AAA authentication scheme for ISP domain system: a. Select Authentication > AAA from the navigation tree. b. Click the Authentication tab. c. Select system from the Select an ISP domain list, select the Default AuthN box, select RADIUS from the list, and select system from the Name list. d. Click Apply.
Figure 839 Configuring AAA authentication scheme for the ISP domain 5. Configure AAA authorization scheme for ISP domain system: a. Click the Authorization tab. b. Select system from the Select an ISP domain list, select the Default AuthZ box, select RADIUS from the list, and select system from the Name list. c. Click Apply. A dialog box appears, showing the configuration progress. d. After the configuration is successfully applied, click Close.
Figure 841 Configuring AAA accounting scheme for the ISP domain 7. Configure portal authentication: a. Select Authentication > Portal from the navigation tree. The default Portal Server configuration page appears. b. Click Add. c. Select Vlan-interface1 from the Interface list, Add from the Portal Server list, and Direct from the Method list, and select system for Authentication Domain. d. Enter newpt for Server Name, 8.1.1.16 for IP, expert for Key, 50100 for Port, and http://8.1.1.
Figure 842 Configuring a portal server 8. Add a portal-free rule: a. Click the Free Rule tab. b. Click Add. c. Enter 0 for Number, and select Bridge-Aggregation1 as the source interface. d. Click Apply.
9. Configure portal to support stateful failover at the command line interface (CLI):
# Specify AC 1's device ID to be used in stateful failover mode as 1, and specify portal group 2 for interface VLAN-interface 1.
system-view
[AC1] interface Vlan-interface 1
[AC1-Vlan-interface1] portal backup-group 2
# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and specify the priority of AC 1 as 200. AC 2 uses the default priority.
[AC1-Vlan-interface1] vrrp vrid 1 virtual-ip 8.190.1.
Configuring IKE Support for VPN depends on the device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products." Overview Built on a framework defined by the ISAKMP, IKE provides automatic key negotiation and SA establishment services for IPsec. This simplifies the application, management, configuration and maintenance of IPsec dramatically.
2. Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs. Figure 844 IKE exchange process in main mode As shown in Figure 844, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the security policy. • Key exchange—Used for exchanging the Diffie-Hellman public value and other values like the random number. Key data is generated in this stage.
Relationship between IKE and IPsec Figure 845 Relationship between IKE and IPsec Figure 845 illustrates the relationship between IKE and IPsec: • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. • IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.
Step: Remarks
2. Configuring an IKE proposal: Required when IKE peers need to specify an IKE proposal. An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You can create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number: the smaller the sequence number, the higher the preference. Two peers must have at least one pair of matching IKE proposals for successful IKE negotiation.
Configuring global IKE parameters 1. From the navigation tree, select VPN > IKE. The IKE Global Configuration page appears. Figure 846 IKE global configuration page 2. Configure global IKE parameters, as described in Table 255. 3. Click Apply. Table 255 Configuration items Item Description Enter a name for the local security gateway.
Figure 847 IKE proposal list
3. Click Add. The IKE Proposal Configuration page appears.
Figure 848 Adding an IKE proposal
4. Configure the IKE proposal parameters, as described in Table 256.
5. Click Apply.
Table 256 Configuration items
Item: Description
IKE Proposal Number: Enter the IKE proposal number. The number also stands for the priority of the IKE proposal, with a smaller value meaning a higher priority.
Authentication Method: Select the authentication method to be used by the IKE proposal.
Item: Description
Authentication Algorithm: Select the authentication algorithm to be used by the IKE proposal. Options include:
• SHA1—Uses HMAC-SHA1.
• MD5—Uses HMAC-MD5.
Encryption Algorithm: Select the encryption algorithm to be used by the IKE proposal. Options include:
• DES-CBC—Uses the DES algorithm in CBC mode and 56-bit keys for encryption.
• 3DES-CBC—Uses the 3DES algorithm in CBC mode and 168-bit keys for encryption.
Both DES-CBC (56-bit keys) and HMAC-MD5 are weak by current standards; select them only for interoperability with a peer that supports nothing stronger, and list the strongest proposal both peers support with the smallest number.
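The following is an added example, not part of the HP guide: how the proposal matching rule stated in the table above plays out between two peers. Each peer offers its proposals in preference order (smaller number first); the first pair whose authentication method, authentication algorithm, encryption algorithm and DH group agree is used. The model assumes the initiator's order decides and that the SA lifetime is not a match criterion (the shorter value is taken); whether a given implementation walks the lists in exactly this order is not stated on the page. It also flags the 56-bit DES and MD5 options as weak. The proposal contents, the field names and the names IkeProposal, negotiate and weaknesses are constructed for illustration.

```python
"""Added example (not HP code): IKE proposal matching in preference order."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

MATCHED_FIELDS = ("auth_method", "auth_alg", "enc_alg", "dh_group")
WEAK = {"des-cbc": "56-bit DES is brute-forceable",
        "md5": "HMAC-MD5 is deprecated for IKE"}


@dataclass(frozen=True)
class IkeProposal:
    number: int          # sequence number; smaller = higher preference
    auth_method: str     # "pre-share" or "rsa-signature"
    auth_alg: str        # "sha1" or "md5" (HMAC variants)
    enc_alg: str         # "des-cbc", "3des-cbc", ...
    dh_group: int        # Diffie-Hellman group number
    lifetime: int        # ISAKMP SA lifetime in seconds


def weaknesses(p: IkeProposal) -> List[str]:
    """Reasons a proposal should not be used, if any."""
    return [WEAK[a] for a in (p.enc_alg, p.auth_alg) if a in WEAK]


def negotiate(initiator: List[IkeProposal],
              responder: List[IkeProposal]
              ) -> Optional[Tuple[int, int, int]]:
    """Return (initiator proposal number, responder proposal number,
    agreed lifetime) for the first matching pair, or None when no pair
    matches, in which case phase 1 fails."""
    for mine in sorted(initiator, key=lambda p: p.number):
        for theirs in sorted(responder, key=lambda p: p.number):
            if all(getattr(mine, f) == getattr(theirs, f)
                   for f in MATCHED_FIELDS):
                return mine.number, theirs.number, min(mine.lifetime, theirs.lifetime)
    return None


# Constructed proposals: AC 1 prefers a weak legacy proposal 10; AC 2 lists
# a strong one first and keeps the legacy one at low preference 30.
AC1 = [IkeProposal(10, "pre-share", "md5", "des-cbc", 1, 5000),
       IkeProposal(20, "pre-share", "sha1", "3des-cbc", 2, 86400)]
AC2 = [IkeProposal(10, "pre-share", "sha1", "3des-cbc", 2, 86400),
       IkeProposal(30, "pre-share", "md5", "des-cbc", 1, 86400)]

if __name__ == "__main__":
    print("AC1 initiates:", negotiate(AC1, AC2))   # lands on the weak pair
    print("AC2 initiates:", negotiate(AC2, AC1))   # lands on the strong pair
    for p in AC1 + AC2:
        if weaknesses(p):
            print(f"proposal {p.number}: {', '.join(weaknesses(p))}")
```

The asymmetry is the point: keeping a weak proposal anywhere in the list, even at the lowest preference, still allows a peer that prefers it to negotiate it. Remove weak proposals rather than demoting them.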
Figure 850 Adding an IKE DPD detector 4. Configure the IKE DPD parameters, as described in Table 257. 5. Click Apply. Table 257 Configuration items Item Description DPD Name Enter a name for the IKE DPD. DPD Query Triggering Interval Enter the interval after which DPD is triggered if no IPsec protected packets is received from the peer. DPD Packet Retransmission Interval Enter the interval after which DPD packet retransmission will occur if no DPD response is received.
Figure 852 Adding an IKE peer
4. Configure the IKE peer parameters, as described in Table 258.
5. Click Apply.
Table 258 Configuration items
Item: Description
Peer Name: Enter a name for the IKE peer.
IKE Negotiation Mode: Select the IKE negotiation mode in phase 1, which can be Main or Aggressive.
IMPORTANT:
• If you configure one end of an IPsec tunnel to obtain an IP address dynamically, the IKE negotiation mode must be Aggressive.
• In aggressive mode with pre-shared key authentication, the peer identity and the hash derived from the pre-shared key are exchanged before encryption is established, so use a long, random pre-shared key.
Item Description Select the local ID type for IKE negotiation phase 1. Options include: • IP Address—Uses an IP address as the ID in IKE negotiation. • FQDN—Uses the FQDN type as the ID in IKE negotiation. If this option is selected, type a name string without any at sign (@) for the local security gateway, for example, foo.bar.com. Local ID Type • User FQDN—Uses a user FQDN type as the ID in IKE negotiation.
Item Description Enable the NAT traversal function for IPsec/IKE. The NAT traversal function must be enabled if a NAT security gateway exists in an IPsec/IKE VPN tunnel. Enable the NAT traversal function IMPORTANT: To save IP addresses, ISPs often deploy NAT gateways on public networks to allocate private IP addresses to users.
Field: Description
Flag: Status of the SA. Possible values include:
• RD—Ready. The SA has already been established and is ready for use.
• ST—Stayalive. The local end is the tunnel negotiation initiator.
• RL—Replaced. The tunnel has been replaced and will be cleared soon.
• FD—Fading. The soft lifetime has expired but the tunnel is still in use. The tunnel will be deleted when the hard lifetime expires.
• TO—Timeout. The SA has received no keepalive packets since the last keepalive timeout.
Configuring AC 1 1. Configure IP addresses for the interfaces, and assign the interfaces to security zones. (Details not shown.) 2. Create ACL 3101: a. From the navigation tree, select QoS > ACL IPv4. b. Click the Add tab. c. Enter the ACL number 3101, and select the match order Config. d. Click Apply. Figure 855 Creating ACL 3101 e. Click the Advanced Setup tab. f. Select the ACL 3101. g. Select Permit from the Action list. h. Select Source IP Address, and enter 10.1.1.0 and 0.0.0.
Figure 856 Configuring a rule to allow packets from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 3. Configure an IKE peer named peer: a. From the navigation tree, select VPN > IKE. b. Click the Peer tab. c. Click Add. d. Enter the peer name peer. e. Select the negotiation mode Main. f. Enter the remote gateway IP address 2.2.2.2. g. Select Pre-Shared Key, and enter the pre-shared key abcde in the Key and Confirm Key fields. h. Click Apply.
Figure 857 Configuring an IKE peer named peer 4. Create an IKE proposal numbered 10: a. From the navigation tree, select VPN > IKE. b. Click the Proposal tab. c. Click Add. d. Enter the IKE proposal number 10. e. Select the authentication method Preshared Key. f. Select the authentication algorithm MD5. g. Set the SA lifetime to 5000 seconds. h. Click Apply.
Figure 858 Creating an IKE proposal numbered 10 5. Create an IPsec proposal named tran1: a. From the navigation tree, select VPN > IPSec. b. Click the Proposal tab. c. Click Add. d. From the IPSec Proposal Configuration Wizard page, select Custom mode. e. Enter the IPsec proposal name tran1. f. Select the packet encapsulation mode Tunnel. g. Select the security protocol ESP. h. Select the authentication algorithm SHA1. i. Select the encryption algorithm DES. j. Click Apply.
6. Create an IPsec policy named map1: a. From the navigation tree, select VPN > IPSec. b. Click the Policy tab. c. Click Add. d. Enter the IPsec policy name map1. e. Enter the sequence number 10. f. Select the IKE peer peer. g. Select the IPsec proposal tran1 from the Available Proposal list, and click <<. h. Enter the ACL number 3101. i. Click Apply.
7. Apply the IPsec policy to VLAN-interface 1:
a. From the navigation tree, select VPN > IPSec. The IPSec Application page appears.
b. Click the icon for interface Vlan-interface1.
c. Select policy map1.
d. Click Apply.
Figure 861 Applying the IPsec policy to interface VLAN-interface 1
8. Configure a static route to Host 2:
a. From the navigation tree, select Network > IPv4 Routing.
b. Click the Add tab.
c. Enter 10.1.2.0 as the destination IP address.
d. Click Apply.
e. Click the Advanced Setup tab.
f. Select Permit from the Action list.
g. Select Source IP Address, and enter 10.1.2.0 and 0.0.0.255 as the source IP address and wildcard mask.
h. Select Destination IP Address, and enter 10.1.1.0 and 0.0.0.255 as the destination IP address and wildcard mask.
i. Click Apply.
3. Configure an IKE peer named peer:
a. From the navigation tree, select VPN > IKE.
b. Click the Peer tab.
c. Click Add.
d. Enter the peer name peer.
e. Select the negotiation mode Main.
f.
6. Apply the IPsec policy to VLAN-interface 1:
a. From the navigation tree, select VPN > IPSec. The IPSec Application page appears.
b. Click the icon for interface Vlan-interface1.
c. Select policy map1.
d. Click Apply.
7. Configure a static route to Host 1:
a. From the navigation tree, select Network > IPv4 Routing.
b. Click Add.
c. Enter 10.1.1.0 as the destination IP address.
d. Enter 255.255.255.0 as the mask.
e. Enter 1.1.1.1 as the next hop.
f.
Configuring IPsec
Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints. IPsec guarantees the confidentiality, integrity, and authenticity of data and provides an anti-replay service at the IP layer in an insecure network environment:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet.
Security association A security association is an agreement negotiated between two communicating parties called IPsec peers. It comprises a set of parameters for data protection, including security protocols, encapsulation mode, authentication and encryption algorithms, and privacy keys and their lifetime. SAs can be set up manually or through IKE. An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional communication.
Authentication algorithms and encryption algorithms
• Authentication algorithms
IPsec uses hash algorithms, applied as keyed HMACs with the SA's authentication key, to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact. IPsec supports the following hash algorithms for authentication:
MD5—Takes a message of arbitrary length as input and produces a 128-bit message digest.
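The following is an added example, not code from the HP guide, showing how the authentication algorithm selected for AH or ESP is actually applied. IPsec does not transmit a bare hash of the packet: the hash is used inside HMAC keyed with the SA's authentication key (RFC 2403 HMAC-MD5-96, RFC 2404 HMAC-SHA-1-96), and only the first 96 bits of the result are sent as the Integrity Check Value (ICV). The key and packet bytes below are constructed for the example, and the function names are mine.

```python
"""Added example (not code from the HP guide): HMAC-MD5-96 / HMAC-SHA-1-96
as used for the AH/ESP ICV. Key, packet bytes and function names are
constructed for this example."""
import hashlib
import hmac

ICV_LEN = 12                                          # 96 bits, per RFC 2403 / RFC 2404
HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}   # names as offered in the Web UI


def digest_bits(name):
    """Size of the full digest: 128 for MD5, 160 for SHA1."""
    return HASHES[name]().digest_size * 8


def compute_icv(name, key, covered):
    """HMAC over the bytes the ICV covers (ESP header, IV and ciphertext, or the
    AH-covered fields), truncated to 96 bits."""
    return hmac.new(key, covered, HASHES[name]).digest()[:ICV_LEN]


def protect(name, key, covered):
    """Sender side: append the ICV to the authenticated bytes."""
    return covered + compute_icv(name, key, covered)


def verify(name, key, packet):
    """Receiver side: recompute the ICV and compare in constant time.
    Returns the covered bytes on success, None if the packet must be dropped."""
    if len(packet) <= ICV_LEN:
        return None
    covered, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(name, key, covered), icv):
        return None
    return covered


# Constructed sample: 4-byte SPI, 4-byte sequence number, stand-in ciphertext.
SAMPLE_KEY = bytes.fromhex("0b" * 20)
SAMPLE_ESP = bytes.fromhex("00000101" "00000007") + b"esp-ciphertext-stand-in"


def demo(name="SHA1"):
    """Returns (genuine packet accepted, bit-flipped packet rejected, wrong key rejected)."""
    packet = protect(name, SAMPLE_KEY, SAMPLE_ESP)
    genuine_ok = verify(name, SAMPLE_KEY, packet) == SAMPLE_ESP
    tampered = bytearray(packet)
    tampered[10] ^= 0x01                              # flip one bit inside the covered bytes
    tampered_rejected = verify(name, SAMPLE_KEY, bytes(tampered)) is None
    wrong_key_rejected = verify(name, b"\x00" * 20, packet) is None
    return genuine_ok, tampered_rejected, wrong_key_rejected


if __name__ == "__main__":
    for algorithm in HASHES:
        print(algorithm, digest_bits(algorithm), "bits", demo(algorithm))
```

The keyed construction is what lets the receiver tell a packet produced by the peer from one forged by anyone on the path: without the key, a bare MD5 or SHA1 digest could be recomputed by the attacker after modifying the packet.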
Figure 864 An IPsec VPN

You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local gateway. IPsec RRI dynamically creates static routes based on IPsec SAs.
Figure 865 IPsec stateful failover (figure: Device A as master and Device B as backup, in virtual router 1 and virtual router 2, joined by a failover link; an IPsec tunnel across the Internet to Device C; a LAN on each side)

As shown in Figure 865, Device A and Device B form an IPsec stateful failover system and Device A is elected the master in the VRRP group. When Device A operates correctly, it establishes an IPsec tunnel to Device C, and synchronizes its IPsec service data to Device B.
If you enable both IPsec and QoS on an interface, QoS might place the traffic of one IPsec SA into different queues, so that some packets are sent out of order. Because IPsec performs anti-replay checking, packets that arrive outside the anti-replay window in the inbound direction are discarded, resulting in packet loss. When using IPsec together with QoS, make sure they use the same classification rules. IPsec classification rules depend on the referenced ACL rules.
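To show why reordering across QoS queues turns into packet loss, here is an added example (not code from the HP guide) of the inbound anti-replay sliding window that RFC 4303 Appendix A describes. It assumes a 64-packet window, the RFC 4303 default, and 32-bit ESP sequence numbers; the arrival order it feeds through the window is constructed, and the class and function names are mine.

```python
"""Added example (not code from the HP guide): an ESP inbound anti-replay
window (RFC 4303 Appendix A style) driven with a constructed, QoS-reordered
arrival sequence. Window size and names are assumptions of this example."""


class AntiReplayWindow:
    """Receiver-side replay check for one inbound IPsec SA."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  ==>  sequence number (top - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if it is acceptable; False if it must be dropped."""
        if seq == 0:
            return False                      # sequence number 0 is never valid in ESP
        if seq > self.top:                    # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # every older packet falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: outside the window, dropped
        if self.bitmap & (1 << offset):
            return False                      # already received: replay, dropped
        self.bitmap |= 1 << offset            # late but inside the window: accepted
        return True


def deliver(arrival_order, window_size=64):
    """Run sequence numbers through the window in arrival order; return (accepted, dropped)."""
    window = AntiReplayWindow(window_size)
    accepted, dropped = [], []
    for seq in arrival_order:
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


def qos_reordering_demo(n=200, window_size=64):
    """Constructed arrival order for one SA whose packets were split across two
    QoS queues: packet 100 is delayed 30 positions (still inside the window),
    packet 5 is delayed to the very end (outside the window), and packet 150
    is seen a second time (a replay). Returns (accepted, dropped)."""
    order = list(range(1, n + 1))
    order.remove(100)
    order.insert(129, 100)     # now arrives right after packet 130
    order.remove(5)
    order.append(5)            # now arrives after packet 200
    order.append(150)          # duplicate of an already accepted packet
    return deliver(order, window_size)


if __name__ == "__main__":
    accepted, dropped = qos_reordering_demo()
    print(f"accepted {len(accepted)} packets, dropped {dropped}")
```

A delay of a few dozen packets is absorbed by the window, but a packet held in a slow queue until more than a window's worth of its SA's traffic has gone through the fast queue is indistinguishable from a replay and is dropped, which is exactly the loss the paragraph above warns about.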
Step: 4. Configuring an IPsec policy
Remarks: Required. Configure an IPsec policy by specifying the parameters directly or using a created IPsec policy template. The device supports only IPsec policies that use IKE.

An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. The smaller the sequence number, the higher the priority of the IPsec policy in the policy group.
Use of the Permit/Deny Actions in ACLs
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules, each of which is a deny or permit statement. A permit statement identifies a data flow to be protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec. IPsec matches packets against the referenced ACL rule by rule. The matching process stops at the first rule that matches, or ends with no match if no rule matches.
Figure 867 ACL 3000 configuration on Device A
Figure 868 ACL 3001 configuration on Device A
Figure 869 IPsec policy configuration on Device A

The configurations on Device B are shown in Figure 870 and Figure 871.
Figure 870 ACL 3001 configuration on Device B
Figure 871 IPsec policy configuration on Device B

Mirror image ACLs
To make sure that SAs can be set up and that the traffic protected by IPsec locally can be processed correctly at the remote peer, create on the remote peer a mirror image ACL rule for each ACL rule created at the local peer. As shown in Figure 872, the ACL rules on Device B are mirror images of the rules on Device A.
If the ACL rules on the peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer. As shown in Figure 873, the range specified by the ACL rule configured on Device A is covered by its counterpart on Device B.
• The peer with the narrower rule initiates SA negotiation.
Figure 874 IPsec proposal list

3. Click Add. The IPSec Proposal Configuration Wizard page appears.

Figure 875 IPsec proposal configuration wizard page

4. Click Suite mode.

Figure 876 IPsec proposal configuration in suite mode

5. Enter a name for the IPsec proposal.
6. Select an encryption suite for the proposal. An encryption suite specifies the IP packet encapsulation mode, security protocol, and authentication and encryption algorithms to be used.
Tunnel-AH-MD5-ESP-3DES—Uses the ESP and AH security protocols successively, making ESP use the 3DES encryption algorithm and perform no authentication, and making AH use the MD5 authentication algorithm.
All these suites use the tunnel mode for IP packet encapsulation.
7. Click Apply.

Configuring an IPsec proposal in custom mode
1. From the navigation tree, select VPN > IPSec.
2. Click the Proposal tab. The IPsec proposal list page as shown in Figure 874 appears.
3. Click Add.
Item: AH Authentication Algorithm
Description: Select an authentication algorithm for AH when the security protocol setting is AH or AH-ESP. Available authentication algorithms include MD5 and SHA1.

Item: ESP Authentication Algorithm
Description: Select an authentication algorithm for ESP when the security protocol setting is ESP or AH-ESP. You can select MD5 or SHA1, or leave it null so that ESP performs no authentication.
IMPORTANT: The ESP authentication algorithm and the ESP encryption algorithm cannot both be null.
Figure 879 Adding an IPsec policy template

4. Configure an IPsec policy template, as described in Table 261.
5. Click Apply.

Table 261 Configuration items
Item: Template Name
Description: Enter a name for the IPsec policy template.

Item: Sequence Number
Description: Enter a sequence number for the IPsec policy template. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Item: IKE Peer
Description: Select an IKE peer for the IPsec policy template.
Item: IPSec Proposal
Description: Select up to six IPsec proposals for the IPsec policy template. IPsec SAs can be set up only when the IPsec peers have at least one matching IPsec proposal. If no matching IPsec proposal is available, the IPsec SAs cannot be established, and the packets that need to be protected are discarded.

Item: PFS
Description: Enable and configure the PFS feature or disable the feature. Options include:
• dh-group1—Uses the 768-bit Diffie-Hellman group.
Configuring an IPsec policy
1. From the navigation tree, select VPN > IPSec.
2. Click the Policy tab. The IPsec policy list page appears.

Figure 880 IPsec policy list

3. Click Add. The Add IPSec Policy page appears.
Figure 881 Adding an IPsec policy

4. Configure an IPsec policy, as described in Table 262.
5. Click Apply.

Table 262 Configuration items
Item: Policy Name
Description: Enter a name for the IPsec policy.

Item: Sequence Number
Description: Enter a sequence number for the IPsec policy. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
Item: Template
Description: Select an IPsec policy template.
IMPORTANT: If you select an IPsec policy template, all subsequent configuration items except the aggregation setting are unavailable.

Item: IKE Peer
Description: Select an IKE peer for the IPsec policy. You configure IKE peers by selecting VPN > IKE from the navigation tree.

Item: IPSec Proposal
Description: Select up to six IPsec proposals for the IPsec policy. IPsec SAs can be set up only when the IPsec peers have at least one matching IPsec proposal.
Item: Reverse Route Injection
Description: Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop and change the preference of the static routes. After an outbound IPsec SA is created, IPsec RRI automatically creates a static route to the peer private network. You do not have to manually configure the static route.
IMPORTANT:
• If you enable IPsec RRI and do not configure the static route, the SA negotiation must be initiated by the remote gateway.
3. Select an IPsec policy for the interface.
4. Click Apply.

Viewing IPsec SAs
1. From the navigation tree, select VPN > IPSec.
2. Click the IPSec SA tab. The IPsec SA list page appears.

Figure 884 IPsec SA list

Table 263 Field description
Source IP: IP address of the local end of the IPsec SA.
Destination IP: IP address of the remote end of the IPsec SA.
SPI: SPI of the IPsec SA.
Security Protocol: Security protocol that the IPsec SA uses.
Figure 885 Packet statistics

IPsec configuration example
Network requirements
As shown in Figure 886, an enterprise branch accesses the headquarters through IPsec VPN. Configure the IPsec VPN as follows:
• Configure an IPsec tunnel between Device A and Device B to protect traffic between the headquarters subnet 10.1.1.0/24 and the branch subnet 10.1.2.0/24.
• Configure the tunnel to use the security protocol ESP, encryption algorithm DES, and authentication algorithm SHA-1.
DES is a 56-bit cipher and is no longer adequate; it is used here only because the example specifies it. For a production tunnel, select 3DES (available in the suite modes described earlier in this chapter) or a stronger cipher where the device offers one, and prefer SHA1 over MD5 for authentication.
a. From the navigation tree, select QoS > ACL IPv4.
b. Click the Add tab.
c. Enter the ACL number 3101, and select the match order Config.
d. Click Apply.

Figure 887 Creating ACL 3101

e. Click the Advanced Setup tab.
f. Select the ACL number 3101.
g. Select Permit from the Action list.
h. Select Source IP Address, and enter 10.1.1.0 and 0.0.0.255 as the source IP address and mask.
i. Select Destination IP Address, and enter 10.1.2.0 and 0.0.0.255 as the destination IP address and mask.
j. Click Apply.
Figure 888 Configuring a rule to permit packets from 10.1.1.0/24 to 10.1.2.0/24

3. Configure an IPsec proposal named tran1:
a. From the navigation tree, select VPN > IPSec.
b. Click the Proposal tab.
c. Click Add.
d. On the page that appears, select Custom mode.
e. Enter the IPsec proposal name tran1.
f. Select the packet encapsulation mode Tunnel.
g. Select the security protocol ESP.
h. Select the authentication algorithm SHA1.
i. Select the encryption algorithm DES.
j. Click Apply.
Figure 889 Configuring IPsec proposal tran1

4. Configure the IKE peer:
a. From the navigation tree, select VPN > IKE.
b. Click the Peer tab.
c. Click Add.
d. Enter the peer name peer.
e. Select the negotiation mode Main.
f. Enter the remote gateway IP address 2.2.3.1.
g. Select Pre-Shared Key, and enter abcde for both the Key and Confirm Key fields.
h. Click Apply.
Figure 890 Configuring an IKE peer

5. Configure an IPsec policy:
a. From the navigation tree, select VPN > IPSec.
b. Click the Policy tab.
c. Click Add.
d. Enter the policy name map1.
e. Enter the sequence number 10.
f. Select the IKE peer peer.
g. Select the IPsec proposal tran1 and click <<.
h. Enter the ACL number 3101.
i. Select Enable for RRI.
j. Enter the next hop address 2.2.2.2.
k. Click Apply.
Figure 891 Configuring an IPsec policy

6. Apply the IPsec policy to VLAN-interface 1:
a. From the navigation tree, select VPN > IPSec. The page for the IPSec Application tab appears.
b. Click the icon of interface Vlan-interface 1.
c. Select the policy map1.
d. Click Apply.
Figure 892 Applying IPsec policy to VLAN-interface 1

Configuring Device B
The configuration steps on Device B are similar to those on Device A. The configuration pages are not shown.
1. Configure IP addresses for the interfaces, and assign the interfaces to the target zones. (Details not shown.)
2. Define an ACL to permit traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24:
a. From the navigation tree, select QoS > ACL IPv4.
b. Click the Add tab.
c.
g. Select the security protocol ESP.
h. Select the authentication algorithm SHA1.
i. Select the encryption algorithm DES.
j. Click Apply.
5. Configure IKE peer peer:
a. From the navigation tree, select VPN > IKE.
b. Click the Peer tab.
c. Click Add.
d. Enter the peer name peer.
e. Select the negotiation mode Main.
f. Enter the remote gateway IP address 2.2.2.1.
g. Select Pre-Shared Key, and enter abcde for both the Key and Confirm Key fields.
h. Click Apply.
6. Configure IPsec policy map1:
a.
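The following is an added example, not code from the HP guide, that models the Device A and Device B settings of this configuration example and checks them against the rules stated in this chapter: the referenced ACL is searched first-match with permit meaning protect and deny meaning exempt, the peers' ACL rules should be mirror images (or one rule must be covered by the other's, with the narrower side initiating), the peers need at least one matching IPsec proposal, and the two IKE peer entries must point at each other with the same pre-shared key. The guide does not state each gateway's own address; the example assumes it is what the other side entered as its remote gateway. The class and function names are mine.

```python
"""Added example (not code from the HP guide): a pre-deployment consistency
check for the Device A / Device B IPsec example. Local gateway addresses
are assumed from the peers' remote gateway settings; all names are mine."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str     # "permit" = protected by IPsec, "deny" = not protected
    src: str        # "address wildcard", as typed in the Web UI
    dst: str


@dataclass(frozen=True)
class Proposal:
    name: str
    mode: str       # Tunnel / Transport
    protocol: str   # ESP / AH / AH-ESP
    auth: str       # MD5 / SHA1 / None (ESP performs no authentication)
    enc: str        # DES / 3DES / None


@dataclass(frozen=True)
class Gateway:
    name: str
    local_ip: str
    remote_ip: str
    psk: str
    proposals: tuple
    acl: tuple


def wildcard_to_network(text):
    """'10.1.1.0 0.0.0.255' -> IPv4Network 10.1.1.0/24 (contiguous wildcards only)."""
    addr, wild = text.split()
    w = int(ipaddress.IPv4Address(wild))
    if (w + 1) & w:
        raise ValueError("non-contiguous wildcard mask: " + wild)
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def classify(acl, src_ip, dst_ip):
    """First-match ACL lookup: 'protect', 'bypass', or 'no-match'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if s in wildcard_to_network(rule.src) and d in wildcard_to_network(rule.dst):
            return "protect" if rule.action == "permit" else "bypass"
    return "no-match"


def mirror(rule):
    """The rule the remote peer needs: same action, source and destination swapped."""
    return AclRule(rule.action, rule.dst, rule.src)


def mirror_images(acl_a, acl_b):
    return tuple(mirror(r) for r in acl_a) == tuple(acl_b)


def covered(narrow, wide):
    """True if every flow of `narrow` lies inside the mirror of `wide` with the same action."""
    m = mirror(wide)
    return (narrow.action == m.action
            and wildcard_to_network(narrow.src).subnet_of(wildcard_to_network(m.src))
            and wildcard_to_network(narrow.dst).subnet_of(wildcard_to_network(m.dst)))


def select_proposal(initiator, responder):
    """First proposal in the initiator's order whose parameters the responder also offers."""
    def params(p):
        return (p.mode, p.protocol, p.auth, p.enc)
    offered = {params(p) for p in responder}
    return next((p for p in initiator if params(p) in offered), None)


WEAK_ALGORITHMS = {"DES", "MD5"}   # 56-bit cipher and a broken hash; avoid where the device allows


def validate(a, b):
    """Return the list of findings for a gateway pair; an empty list means consistent."""
    findings = []
    if a.remote_ip != b.local_ip or b.remote_ip != a.local_ip:
        findings.append("IKE peer remote gateway addresses do not cross-match")
    if a.psk != b.psk:
        findings.append("pre-shared keys differ")
    if select_proposal(a.proposals, b.proposals) is None:
        findings.append("no matching IPsec proposal: SAs cannot be set up")
    if not mirror_images(a.acl, b.acl):
        findings.append("ACL rules are not mirror images")
    for gw in (a, b):
        for p in gw.proposals:
            weak = WEAK_ALGORITHMS & {p.auth, p.enc}
            if weak:
                findings.append(f"{gw.name}: proposal {p.name} uses weak algorithm(s) {sorted(weak)}")
    return findings


# Values from the configuration example; local addresses are the assumption noted above.
TRAN1 = Proposal("tran1", "Tunnel", "ESP", "SHA1", "DES")
DEVICE_A = Gateway("Device A", "2.2.2.1", "2.2.3.1", "abcde", (TRAN1,),
                   (AclRule("permit", "10.1.1.0 0.0.0.255", "10.1.2.0 0.0.0.255"),))
DEVICE_B = Gateway("Device B", "2.2.3.1", "2.2.2.1", "abcde", (TRAN1,),
                   (AclRule("permit", "10.1.2.0 0.0.0.255", "10.1.1.0 0.0.0.255"),))

if __name__ == "__main__":
    for finding in validate(DEVICE_A, DEVICE_B) or ["no findings"]:
        print(finding)
```

Run as written, the only findings for the example are the two warnings about DES; change the pre-shared key on one side, or the destination wildcard of either ACL rule, and the corresponding mismatch is reported before anything is pushed to the devices.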
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.

Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.