HP Unified Wired-WLAN Products WLAN Configuration Guide

HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/7500 20G Unified Wired-WLAN Module

Part number: 5998-4800
Software version: 3507P22 (HP 830 PoE+ Switch Series), 2607P22 (HP 850 Appliance), 2607P22 (HP 870 Appliance), 2507P22 (HP 11900/10500/7500 20G Module)
Document version: 6W101-20140418
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (excerpt)

Configuring WLAN interfaces
  WLAN-ESS interface
    Entering WLAN-ESS interface view
  Mapping a service template to the radio
  Enabling a radio
Displaying and maintaining WLAN security
  WLAN security configuration examples
    PSK authentication configuration example
    MAC and PSK authentication configuration example
Configuring interference trap thresholds
Displaying and maintaining WLAN RRM
Load balancing
  Overview
Configuring WMM
  Configuration restrictions and guidelines
  Configuration procedure
Configuring a VLAN pool
  Configuring a VLAN pool on a radio
  Displaying and maintaining VLAN pool
  VLAN pool configuration example
Configuring client information backup
  Displaying and maintaining client information backup
Configuring the rate algorithm
  Enabling channel sharing adjustment
  Enabling channel reuse adjustment
Configuring WLAN interfaces

WLAN-ESS interface

WLAN-ESS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access link type and support multiple Layer 2 protocols. A WLAN-ESS interface can also serve as a template for WLAN-DBSS interfaces: WLAN-DBSS interfaces created on a WLAN-ESS interface adopt the configuration of that WLAN-ESS interface.

Entering WLAN-ESS interface view
1. Enter system view: system-view
4. Configure a MAC authentication guest VLAN: mac-authentication guest-vlan

WLAN-DBSS interface

WLAN-DBSS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access link type and support multiple Layer 2 protocols and 802.1X. A WLAN-DBSS interface created on a WLAN-ESS interface adopts the configuration of the WLAN-ESS interface.
Displaying and maintaining WLAN interfaces

Tasks:
• Display information about WLAN-ESS interfaces.
• Display information about WLAN-DBSS interfaces.
• Display information about WLAN mesh interfaces.
Configuring WLAN access

This chapter describes how to configure WLAN access.

WLAN access overview

WLAN access provides the following services:
• WLAN client connectivity to conventional 802.3 LANs
• Secured WLAN access with different authentication and encryption methods
• Seamless roaming of WLAN clients in a mobility domain

Terminology
• Wireless Client—A handheld computer or laptop with a wireless NIC, or a terminal that supports WiFi.
Figure 1 Establishing a client access

Scanning

Wireless clients use active scanning and passive scanning to obtain information about surrounding wireless networks.
• Active scanning: A wireless client periodically sends probe request frames and obtains wireless network information from the probe response frames it receives. Active scanning includes the following modes:
  - Active scanning without an SSID: The client periodically sends a probe request frame without an SSID on each of its supported channels.
Figure 3 Active scanning with an SSID

• Passive scanning: A wireless client listens to the beacon frames periodically sent by APs to discover surrounding wireless networks. Passive scanning is used when a client wants to save battery power. Typically, VoIP clients adopt passive scanning.

Figure 4 Passive scanning

Authentication

To secure wireless links, APs authenticate wireless clients. A wireless client must pass authentication before it can access a wireless network.
Task                                        Description
Configuring tunnel management               Required.
Managing APs                                Optional.
Configuring a WLAN service template         Required.
Configuring radio parameters                Required.
Configuring an AP group                     Optional.
Shutting down all LEDs on APs               Optional.
Enabling SNMP traps for the WLAN module     Optional.
Configuring client IP address monitoring    Optional.

Enabling WLAN

You must enable WLAN before you can use WLAN services. To enable WLAN:
1. Enter system view: system-view
• If an AP is not configured with a country/region code, the AP uses the global country/region code.
• If an AP is configured with a country/region code, the AP uses its own country/region code.
• If the global country/region code and the country/region code for an AP conflict, the AC disconnects the AP. You must configure a correct country/region code for the AP before it can reconnect to the AC.
• Some ACs and fit APs have a fixed country/region code that cannot be modified.
Clients can associate with auto APs, but the administrator cannot change the configuration of auto APs. Do not use the MAC address of an AP as the ap-name in the wlan ap ap-name model model-name command, because the AC names auto APs by their MAC addresses.

Enable the auto-AP function:
• After you enable the auto-AP function, the AC automatically associates with all APs and names them by their MAC addresses.
username and password and sends them to the authentication server. If the remote authentication succeeds, the AC accepts the AP. If not, the AC denies the AP. You can also use remote authentication to authenticate all auto APs. The "unauthenticated AP" status is only available for local authentication. For remote authentication, the authentication result can only be "authentication failed" or "authentication succeeded."
To enable unauthenticated auto APs to pass authentication and provide WLAN services:
1. Enter system view: system-view
2. Enable the AC to accept unauthenticated auto APs: wlan ap-authentication permit-unauthenticated
3. (Optional.) Enable one or all unauthenticated auto APs to pass authentication, provide services, and generate ACL rules.
Configuring parameters for an AP

Perform this task to configure parameters for an AP on the AC. The AC automatically assigns the parameters to the AP after the AP establishes a tunnel with the AC and enters Run state. To configure parameters for an AP:
1. Enter system view: system-view
2. (Optional.) Set the discovery policy: wlan lwapp discovery-policy unicast
3. Specify the AP name and its model number, and enter AP template view.
13. (Optional.) Set the network access server (NAS) port ID for the AP: nas-port-id text. By default, no NAS-PORT-ID is configured for an AP.
14. (Optional.) Set the NAS-ID for the AP: nas-id text. By default, no NAS-ID is configured for an AP.
15. Return to system view: quit
16. Configure a WLAN service template and enter service template view: wlan service-template service-template-number { clear | crypto }. You cannot change an existing template to another type.
the AC accepts negotiation requests sent by any AP. If multiple APs with different pre-shared keys need to establish IPsec tunnels with the AC, their IP address ranges cannot overlap. For more information about the remote-address command, see Security Command Reference.
5. To make sure SAs between the AC and an AP can be removed after the AP disconnects from the AC, perform the following configurations:
   - Configure the Dead Peer Detection (DPD) function.
security proposal, and adopt only the main IKE negotiation mode. For more information about IPsec commands, see Security Command Reference.
   - You can configure an IPsec policy that uses IKE only by referencing an IPsec policy template.
6. To use the digital signature authentication method:
   - Execute the authentication-method rsa-signature command to specify RSA signatures as the authentication method.
   - Execute the certificate domain command to configure a PKI domain for the certificate.
Configuring the echo interval for an AP

The AP sends echo requests to the AC at the echo interval, and the AC answers each echo request with an echo response. The AC or AP tears down the tunnel in either of the following cases:
• The AC does not receive an echo request from the AP within three times the echo interval.
• The AP does not receive an echo response from the AC within three times the echo interval.
To configure the echo interval:
1. Enter system view.
Configuring AP traffic protection

Configure AP traffic protection to avoid frequent AP reboots caused by traffic that exceeds the AP's capability. To configure AP traffic protection:
1. Enter system view: system-view
2. Enter AP template view: wlan ap ap-name [ model model-name [ id ap-id ] ]. You must specify the model name when you create an AP template.
3. Set the CIR for packets sent from the AC to the AP.
NOTE: If you enable the version upgrade function on the AC after an AC-AP tunnel is established, restart the AP manually so that the AP can download a new version from the AC.

Upgrading all APs
1. Enter system view: system-view
2. Enable or disable the AP version upgrade function for all APs: wlan ap-firmware-update { disable | enable }
3. Return to user view: quit
4. (Optional.) Reset the AP: reset wlan ap { all | name ap-name | unauthenticated }
5. (Optional.) Reset the specified AP: reset wlan ap name ap-name

Configuring a WLAN service template

Creating a service template and specifying an SSID
1. Enter system view: system-view
2. Create a WLAN service template and enter WLAN service template view. You cannot change an existing service template to another type.
Binding a WLAN-ESS interface to the service template
1. Enter system view: system-view
2. Create a WLAN service template and enter WLAN service template view: wlan service-template service-template-number { clear | crypto }. You cannot change an existing service template to another type.
3. Bind the WLAN-ESS interface to the service template: bind wlan-ess interface-index. By default, no interface is bound to the service template.
3. Enable the local forwarding mode: client forwarding-mode local [ vlan vlan-id-list ]. By default, an AP forwards client data frames to the AC for centralized forwarding.

Configuring the policy-based forwarding mode

If the AC adopts the local authentication mode, it also uses the local forwarding mode, and any policy-based forwarding configuration has no effect. For more information about authentication modes, see "Configuring client authentication."
To configure policy-based forwarding:
1. Enter system view: system-view
2. Create a forwarding policy and enter forwarding policy view: wlan forwarding-policy policy-name. By default, no forwarding policy exists.
3. Configure forwarding rules: classifier acl { acl-number | ipv6 acl6-number } behavior { local | remote }. By default, no forwarding rule is configured.
4. Return to system view: quit
5. Create a WLAN service template.
you change the configuration, the AC might log off online clients because of inconsistent configurations. Networking modes For local authentication, you can use the following networking modes if an authentication server is needed. The networking mode shown in Figure 7 is recommended. In this mode, the authentication server is deployed at the AP side. Online clients are not logged off even if the connection between AP and AC fails.
Configuring the maximum number of associated clients
1. Enter system view: system-view
2. Create a WLAN service template and enter WLAN service template view: wlan service-template service-template-number { clear | crypto }. You cannot change an existing service template to another type.
3. Configure the maximum number of clients allowed to associate with a radio: client max-count max-number. The default is 124.
4. (Optional.) Configure the beacon measurement type: beacon-measurement type { active | beacon-table | passive }. By default, the beacon-table beacon measurement mode is used.
5. (Optional.) Configure the interval at which the AP sends beacon requests to clients: beacon-measurement interval interval. By default, the interval is 60 seconds.

Enabling fast association
1. Enter system view: system-view
3. Enable the service template: service-template enable. By default, the service template is disabled.

Configuring radio parameters

Configuring basic radio parameters
1. Enter system view: system-view
2. Enter AP template view: wlan ap ap-name [ model model-name [ id ap-id ] ]. You must specify the model name when you create an AP template.
3. Enter radio view.
8. (Optional.) Enable the green energy management function: green-energy-management enable. By default, the green energy management function is disabled. This function applies only to APs that support 802.11n and can transmit at least two spatial streams.
9. (Optional.) Configure the MIMO type for the radio: mimo { 1x1 | 2x2 | 3x3 }. By default, the MIMO type is not configured. This function is only applicable to APs that support 802.
13. (Optional.) Enable Space-Time Block Coding (STBC): stbc enable. By default, STBC is enabled. Enabling STBC improves the receiver's SNR and data transmission reliability. STBC can be used for wireless access and mesh links. When you enable STBC on a mesh link, HP recommends enabling STBC on both the sender and the receiver for best performance.
4. (Optional.) Set the DTIM counter: dtim counter. By default, the DTIM counter is 1.
5. (Optional.) Specify the maximum length of packets that can be transmitted without fragmentation: fragment-threshold size. By default, the fragment threshold is 2346 bytes. The specified fragment threshold must be an even number.
6. (Optional.) Set the maximum number of retransmission attempts for frames larger than the RTS threshold: long-retry threshold count. By default, the long retry threshold is 4.
1. Enter system view: system-view
2. (Optional.) Enable automatic creation of radio policies by the SNMP set operation: wlan radio-policy auto-create snmp. By default, automatic creation of radio policies by the SNMP set operation is disabled.

Configuring 802.11n

As the next-generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput by using the following methods:
• Increasing bandwidth: 802.
5. (Optional.) Enable access permission only for 802.11n clients: client dot11n-only. By default, an 802.11a/n radio permits both 802.11a and 802.11an clients to access, and an 802.11g/n radio permits both 802.11g and 802.11gn clients to access.
6. (Optional.) Enable the short GI function: short-gi enable. By default, the short GI function is enabled.
7. (Optional.) Enable the A-MSDU function: a-msdu enable. By default, the A-MSDU function is enabled.
4. (Optional.) Map a service template to the current radio: service-template service-template-number [ vlan-id vlan-id | vlan-pool vlan-pool-name ] [ nas-port-id nas-port-id | nas-id nas-id ] [ ssid-hide ]. You can map multiple service templates to the current radio. By default, no mapping exists between a service template and a radio.

Enabling a radio
1. Enter system view: system-view
2. Enable or disable WLAN radios.
5. (Optional.) Enable access permission only for 802.11n and 802.11ac clients: client dot11n-only. By default, an 802.11ac radio permits 802.11a, 802.11a/n, and 802.11ac clients to access.
6. (Optional.) Enable access permission only for 802.11ac clients: client dot11ac-only. By default, an 802.11ac radio permits 802.11a, 802.11a/n, and 802.11ac clients to access.
7. (Optional.) Enable the short GI function: short-gi enable. By default, the short GI function is enabled.
Creating an AP group
1. Enter system view: system-view
2. Create an AP group and enter its view: wlan ap-group group-name. By default, a default group named default_group exists, and all APs belong to it.

Configuring IP address match criteria for an AP group

Perform this task to manage APs by matching IP addresses.
APs in an AP group. For more information about these commands, see WLAN Command Reference. To configure an AP group:
1. Enter system view: system-view
2. Create an AP group and enter AP group view: wlan ap-group group-name. By default, a default AP group named default_group exists and all APs belong to it.
3. Configure a description for the AP group: description string
4. Enable the AP to respond to probe requests with a null SSID from clients.
13. (Optional.) Configure the interval for the AP to send statistics reports: statistics-interval interval. By default, the AP sends statistics reports at an interval of 50 seconds.
14. (Optional.) Set the AP to operate in hybrid mode: device-detection enable. By default, the AP operates in normal mode and provides only WLAN data services. For more information about the command, see WLAN Command Reference.
15. (Optional.) Set the AP to operate in monitor mode.
21. (Optional.) Enable sFlow on the 2.4 GHz radios of APs in the AP group: dot11bg sflow enable. By default, the sFlow function in an AP group is enabled. For more information about sFlow, see Network Management and Monitoring Configuration Guide and Network Management and Monitoring Command Reference.
22. (Optional.) Map a service template to the 2.4 GHz radios of APs in the AP group: dot11bg service-template service-template-number [ vlan-id vlan-id | vlan-pool vlan-pool-name ]
Configuring the interval for an AP to send statistics reports
1. Enter system view: system-view
2. Enter AP template view: wlan ap ap-name [ model model-name [ id ap-id ] ]. You must specify the model name when you create an AP template.
3. Configure the interval for sending statistics reports: statistics-interval interval. The default interval is 50 seconds.

Configuring the memory utilization threshold for an AP
1. Enter system view.
2. Enable the automatic heating function: wlan ap-execute { all | name ap-name } heatfilm { disable | enable }. By default, the automatic heating function is disabled.

Shutting down all LEDs on APs
1. Enter system view: system-view
2. Enter AP template view: wlan ap ap-name [ model model-name [ id ap-id ] ]. You must specify the model name when you create an AP template.
3. Shut down all LEDs on all online APs that use the current AP template.
Configuring client IP address monitoring

This task monitors IPv4 address changes of wireless clients, except wireless clients that use Portal or MAC address authentication. The AC monitors the IP address of a client as follows:
• If the client obtains an IP address through DHCP:
  a. The AP obtains the IP address of the client from the DHCPv4 packets exchanged between the client and the DHCP server.
  b. The AP sends the IP address entry to the AC.
  c. The AC prints Syslog messages.
• Display AP information (available in any view):
  display wlan ap { all | name ap-name | unauthenticated } [ verbose ] [ | { begin | exclude | include } regular-expression ]
• Display AP address information (available in any view):
  display wlan ap { all | name ap-name } address [ | { begin | exclude | include } regular-expression ]
• Display AP connection records.
• Display the connection history for all APs bound to a service template (available in any view):
  display wlan statistics service-template service-template-number connect-history [ | { begin | exclude | include } regular-expression ]
• Display WLAN client information (available in any view):
  display wlan client { ap ap-name [ radio radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ] [ | { begin | exclude | include } regular-expression ]
Configuring a remote AP Remote AP provides a wireless solution for remote branches and offices. It enables you to configure and control remote APs from the headquarters over the Internet without deploying an AC in each office or branch. As shown in Figure 8, the AC manages the remote APs over the Internet.
Configuring WLAN access control Configuring AP-based access control Support for the AP group function depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products. Some wireless service providers need to control the access positions of clients. For example, as shown in Figure 9, the provider needs to connect wireless clients 1, 2 and 3 to the wired network through APs 1, 2, and 3, respectively.
2. Enter user profile view: user-profile profile-name. If the user profile does not exist, create it first.
3. Apply the AP group to the user profile: wlan permit-ap-group value. By default, no AP group is applied to the user profile. For more information about user profiles, see Security Configuration Guide.
4. Return to system view: quit
5. Enable the user profile. By default, the user profile is not enabled.
5. Enable the user profile: user-profile profile-name enable. By default, the user profile is not enabled; it must be enabled to take effect. For more information about user access control and user profiles, see Security Configuration Guide.

WLAN access configuration examples

The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
# Create a clear-type WLAN service template, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] client max-count 10
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy.
Figure 11 Network diagram

Configuration procedure
1. Configure the AC:
# Enable WLAN.
system-view
[AC] wlan enable
# Create a WLAN-ESS interface.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
[AC-WLAN-ESS10] port-security preshared-key pass-phrase 12345678
[AC-WLAN-ESS10] port-security tx-key-type 11key
[AC-WLAN-ESS10] quit
# Create a crypto-type WLAN service template, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
Configuration procedure
1. Configure the AC:
# Create a WLAN-ESS interface.
system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Define a clear-type WLAN service template, configure its SSID as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy.
Figure 13 Network diagram

Configuration procedure
1. Configure the AC:
# Create ACL 202.
system-view
[AC] acl number 202
# Configure ACL rules to permit AP 1 with serial ID CN2AD330S7 and deny AP 2 with serial ID CN2AD330S8.
[AC-acl-ap-202] rule permit serial-id CN2AD330S7
[AC-acl-ap-202] rule deny serial-id CN2AD330S8
[AC-acl-ap-202] quit
# Enable the serial-ID authentication method.
[AC] wlan ap-authentication method serial-id
# Use ACL 202 to match auto APs.
# Enable the auto-AP function.
[AC] wlan auto-ap enable
# Enable auto-AP authentication.
[AC] wlan ap-authentication enable
2. Verify the configuration:
• AP 1 matches the permit rule, so it can connect to the AC.
• AP 2 matches the deny rule, so it cannot connect to the AC.
• AP 3 does not match any rule, so it is authenticated by the remote RADIUS server. If it passes authentication, it can connect to the AC and provide WLAN services.
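The admission rules above (first matching serial-ID rule wins, an unmatched AP falls through to RADIUS) and the earlier permit-unauthenticated and clear-type service template settings are the knobs that decide who may join this WLAN, so they are worth checking mechanically before a configuration is deployed. The following is an added example, not HP's code: it parses a saved AC configuration, answers "what happens to an AP with serial X", and lists the settings that widen access. The configuration text is constructed from commands on this page; the `permit-unauthenticated` line and the third serial number CN2AD330S9 are added only to exercise the checks and are not part of the example above.

```python
import re

# Constructed AC configuration assembled from commands shown on this page.
# "wlan ap-authentication permit-unauthenticated" is added here so the audit has
# something to flag; it is not part of the serial-ID example above.
SAMPLE_CONFIG = """\
wlan auto-ap enable
wlan ap-authentication method serial-id
wlan ap-authentication enable
wlan ap-authentication permit-unauthenticated
acl number 202
 rule permit serial-id CN2AD330S7
 rule deny serial-id CN2AD330S8
wlan service-template 1 clear
 ssid service
 bind WLAN-ESS 1
 authentication-method open-system
 service-template enable
wlan service-template 2 crypto
 ssid local1x
 bind WLAN-ESS 2
 cipher-suite ccmp
 security-ie rsn
 service-template enable
"""


def parse_config(text):
    """Split a saved configuration into global commands, serial-ID ACL rules and service templates.

    Indented lines belong to the view opened by the preceding unindented command, which is
    the layout Comware uses when it writes a configuration file.
    """
    cfg = {"global": set(), "acls": {}, "templates": {}}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            ctx = None
            m = re.match(r"acl number (\d+)$", line)
            if m:
                ctx = ("acl", int(m.group(1)))
                cfg["acls"].setdefault(ctx[1], [])
                continue
            m = re.match(r"wlan service-template (\d+) (clear|crypto)$", line)
            if m:
                ctx = ("template", int(m.group(1)))
                cfg["templates"][ctx[1]] = {"type": m.group(2), "enabled": False}
                continue
            cfg["global"].add(line)
        elif ctx and ctx[0] == "acl":
            m = re.match(r"rule (permit|deny) serial-id (\S+)$", line)
            if m:
                cfg["acls"][ctx[1]].append((m.group(1), m.group(2)))
        elif ctx and ctx[0] == "template":
            tpl = cfg["templates"][ctx[1]]
            if line == "service-template enable":
                tpl["enabled"] = True
            else:
                key, _, value = line.partition(" ")
                tpl[key] = value
    return cfg


def ap_admission(cfg, acl_number, serial_id):
    """What the AC does with an auto AP presenting serial_id: the first matching ACL rule wins,
    an AP matching no rule is sent to the remote RADIUS server, and with AP authentication
    disabled every AP is accepted."""
    if "wlan ap-authentication enable" not in cfg["global"]:
        return "permit (AP authentication disabled)"
    for action, sid in cfg["acls"].get(acl_number, []):
        if sid == serial_id:
            return action
    return "remote-auth"


def audit(cfg):
    """List the settings on this page that widen who can join: unauthenticated auto APs,
    and enabled service templates that carry client traffic without CCMP encryption."""
    findings = []
    g = cfg["global"]
    if "wlan auto-ap enable" in g and "wlan ap-authentication enable" not in g:
        findings.append("auto-AP enabled without AP authentication: any AP that reaches the AC is adopted")
    if "wlan ap-authentication permit-unauthenticated" in g:
        findings.append("permit-unauthenticated: unauthenticated auto APs are accepted by the AC")
    for num, tpl in sorted(cfg["templates"].items()):
        if not tpl["enabled"]:
            continue
        if tpl["type"] == "clear":
            findings.append("service-template %d (ssid %s): clear type, client traffic is unencrypted"
                            % (num, tpl.get("ssid")))
        elif tpl.get("cipher-suite") != "ccmp":
            findings.append("service-template %d (ssid %s): cipher-suite %s, expected ccmp"
                            % (num, tpl.get("ssid"), tpl.get("cipher-suite")))
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for sid in ("CN2AD330S7", "CN2AD330S8", "CN2AD330S9"):  # CN2AD330S9 is constructed
        print(sid, "->", ap_admission(cfg, 202, sid))
    for finding in audit(cfg):
        print(finding)
```

Run against the sample, the three serials resolve to permit, deny and remote-auth exactly as the verification step describes, and the audit reports the permit-unauthenticated line and the enabled clear-type template; the CCMP template produces no finding.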
system-view
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] provision
[AC-wlan-ap-ap2-prvs] tunnel encryption ipsec pre-shared-key simple 12345
# Save the configuration to the wlan_ap_cfg.wcfg file of AP 2.
[AC-wlan-ap-ap2-prvs] save wlan ap provision name ap2
[AC-wlan-ap-ap2-prvs] quit
[AC-wlan-ap-ap2] quit
# Create AP 3, enter AP configuration view, and configure AP 3 to use IPsec key abcde to encrypt the control and data tunnels.
[AC] ike peer ap3
[AC-ike-peer-ap3] remote-address 10.1.1.21 10.1.1.30
[AC-ike-peer-ap3] pre-shared-key abcde
[AC-ike-peer-ap3] dpd dpd
[AC-ike-peer-ap3] quit
# Create an IPsec policy template named pt with sequence number 1.
[AC] ipsec policy-template pt 1
# Configure the IPsec policy to reference IPsec transform set tran1 and IKE peer ap2.
Figure 15 Network diagram

Configuration procedure

Before the configuration, make sure the AC and the authentication server, and the AP and the authentication server, can reach each other. (Details not shown.)
1. Configure the DHCP server to assign addresses from subnet 136.100.0.0/16 to the AP. For more information about configuring a DHCP server, see Layer 3 Configuration Guide.
2. Configure the configuration file:
# Write and save the configuration file with the name map.txt.
# Specify the AP's serial number. This example uses serial number CN33G67024.
[AC-wlan-ap-officeap1] serial-id CN33G67024
# Download configuration file map.txt to the AP.
[AC-wlan-ap-officeap1] map-configuration map.txt
# Enter AP provision view.
[AC-wlan-ap-officeap1] provision
# Specify the IPsec key used to encrypt the control tunnel.
[AC-wlan-ap-officeap1-prvs] tunnel encryption ipsec pre-shared-key simple 123456
# Enable the AP to use IPsec to encrypt the data tunnel.
[AC-pki-domain-eap] crl url http://8.1.1.105/CertEnroll/wlan.crl
[AC-pki-domain-eap] ldap-server ip 8.1.1.105
[AC-pki-domain-eap] quit
# Create IKE proposal 1 and specify the 1024-bit Diffie-Hellman group (group 2) for the IKE proposal.
[AC] ike proposal 1
[AC-ike-proposal-1] dh group2
# Configure IKE proposal 1 to use the RSA digital signature authentication method.
[AC-ike-proposal-1] authentication-method rsa-signature
# Use 128-bit AES in CBC mode as the encryption algorithm.
Verifying the configuration 1. Verify that AP officeap1 has been associated with the AC.
transmitting entity: responder
---------------------------------------------
local ip: 136.100.100.77
local id type: DER_ASN1_DN
local id: CN=eap
remote ip: 136.100.0.1
remote id type: DER_ASN1_DN
remote id: CN=ap
authentication-method: RSA_SIG
authentication-algorithm: SHA
encryption-algorithm: AES_CBC_128
life duration(sec): 86400
remaining key duration(sec): 12441
exchange-mode: MAIN
diffie-hellman group: GROUP2
nat traversal: NO
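The SA dump above is the evidence that the IKE guidelines earlier in this chapter (RSA signatures, main mode only, the configured proposal) actually took effect, and the same guidelines require that the remote-address ranges of IKE peers with different pre-shared keys never overlap. The following is an added example, not HP's code, that turns both checks into a script: it parses a dump in the format shown, compares the negotiated parameters with the configured policy, separately flags parameters that are below current key-size guidance, and detects overlapping peer address ranges. Assumptions: the dump text is a constructed copy of the output above; the `SHA` integrity algorithm is treated as SHA-1, which is what the `sha` keyword of the IKE proposal selects on this platform; the expected remote identity `CN=ap` is taken from the dump; and in the peer-range check only ap3's range (10.1.1.21 to 10.1.1.30) comes from this example, while the ap2 and ap4 ranges are constructed.

```python
import ipaddress

# Constructed sample, a copy of the IKE SA output shown in the verification step above.
SAMPLE_IKE_SA = """\
transmitting entity: responder
---------------------------------------------
local ip: 136.100.100.77
local id type: DER_ASN1_DN
local id: CN=eap
remote ip: 136.100.0.1
remote id type: DER_ASN1_DN
remote id: CN=ap
authentication-method: RSA_SIG
authentication-algorithm: SHA
encryption-algorithm: AES_CBC_128
life duration(sec): 86400
remaining key duration(sec): 12441
exchange-mode: MAIN
diffie-hellman group: GROUP2
nat traversal: NO
"""

# Modulus sizes of the standard IKE DH groups; only GROUP2 appears on this page.
DH_GROUP_BITS = {"GROUP1": 768, "GROUP2": 1024, "GROUP5": 1536, "GROUP14": 2048}


def parse_ike_sa(text):
    """Turn the 'field: value' lines of an IKE SA dump into a dict (field names lower-cased)."""
    sa = {}
    for line in text.splitlines():
        if line.startswith("-") or ":" not in line:
            continue
        field, _, value = line.partition(":")
        sa[field.strip().lower()] = value.strip()
    return sa


def check_ike_sa(sa, expected_remote_id="CN=ap", expected_cipher="AES_CBC_128", min_dh_bits=2048):
    """Compare a parsed SA with the policy this guide configures and return a list of findings.

    'policy:' findings mean the negotiated SA differs from what was configured (RSA signatures,
    main mode, the expected cipher and peer identity). 'strength:' findings are advisories about
    parameters that negotiated as configured but fall below current key-size guidance.
    """
    findings = []
    if sa.get("authentication-method") != "RSA_SIG":
        findings.append("policy: authentication-method %s, expected RSA_SIG" % sa.get("authentication-method"))
    if sa.get("exchange-mode") != "MAIN":
        findings.append("policy: exchange-mode %s, expected MAIN" % sa.get("exchange-mode"))
    if sa.get("encryption-algorithm") != expected_cipher:
        findings.append("policy: encryption-algorithm %s, expected %s"
                        % (sa.get("encryption-algorithm"), expected_cipher))
    if sa.get("remote id") != expected_remote_id:
        findings.append("policy: remote id %s, expected %s (subject of the AP certificate)"
                        % (sa.get("remote id"), expected_remote_id))
    group = sa.get("diffie-hellman group", "")
    bits = DH_GROUP_BITS.get(group, 0)
    if bits < min_dh_bits:
        findings.append("strength: %s is a %d-bit DH group, below the %d-bit minimum" % (group, bits, min_dh_bits))
    if sa.get("authentication-algorithm") == "SHA":  # assumption: SHA here means SHA-1
        findings.append("strength: integrity algorithm is SHA-1")
    return findings


def overlapping_peer_ranges(peers):
    """Return pairs of IKE peer names whose remote-address ranges overlap.

    peers maps a peer name to (first_ip, last_ip) as given to the remote-address command.
    The AC cannot tell two pre-shared keys apart when their address ranges overlap, so any
    pair returned here is a configuration error.
    """
    ranges = {name: (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
              for name, (lo, hi) in peers.items()}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    for finding in check_ike_sa(parse_ike_sa(SAMPLE_IKE_SA)):
        print(finding)
    # ap3's range is the one shown in this example; ap2 and ap4 are constructed.
    print(overlapping_peer_ranges({"ap2": ("10.1.1.1", "10.1.1.20"),
                                   "ap3": ("10.1.1.21", "10.1.1.30"),
                                   "ap4": ("10.1.1.25", "10.1.1.40")}))
```

On the sample the policy checks all pass, which is the result the verification step expects; the only findings are the two strength advisories (1024-bit group 2 and SHA-1), and the peer-range check reports ap3 and ap4 as overlapping while ap2 and ap3 are disjoint.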
 acl ipv6 number 3001
  rule 0 permit icmpv6 icmp6-type echo-request
 undo user-profile aaa enable
 user-profile aaa
  wlan forwarding-policy us
 user-profile aaa enable
2. Configure the authentication server:
• Configure the shared key for AC authentication packets as 12345678.
• Specify the name and password for the client.
• Make sure the name of the user profile is aaa.
(Details not shown.)
3. Configure the AC:
# Create forwarding policy st.
# Create authentication domain test, and specify RADIUS scheme rad for authentication, authorization, and accounting.
[AC] domain test
[AC-isp-test] authentication lan-access radius-scheme rad
[AC-isp-test] authorization lan-access radius-scheme rad
[AC-isp-test] accounting lan-access radius-scheme rad
[AC-isp-test] quit
# Configure test as the mandatory authentication domain for 802.1X clients on interface WLAN-ESS 1.
[AC-user-profile-aaa] quit
[AC] user-profile aaa enable

Verifying the configuration

Verify that forwarding policy us takes effect, because the forwarding policy in the user profile has a higher priority than the one in the service template:
• Use an IPv4 client to ping the IP address that connects the AP to the AC. The ICMP packet matches ACL 3000 and is forwarded by the AC.
• Use an IPv6 client to ping the IP address that connects the AP to the AC. The ICMPv6 packet matches ACL 3001 and is forwarded by the AP.
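The verification step rests on two rules: a classifier/behavior pair decides whether a frame is forwarded locally by the AP or centrally by the AC, and a forwarding policy applied through the client's user profile overrides the one mapped to the service template. The following is an added example, not HP's code, that models both rules so the two pings can be traced without a live AC. Assumptions, none of which appear on the page in this form: ACL 3000 is taken to be `rule 0 permit icmp`, since the text says the IPv4 ICMP packet matches it; policy `us` is modelled as `classifier acl 3000 behavior remote` plus `classifier acl ipv6 3001 behavior local`, which reproduces the two observed results; policy `st` is given a deliberately opposite `classifier acl ipv6 3001 behavior remote` so the precedence is visible; and frames no classifier matches are assumed to follow the default forwarding mode, centralized forwarding to the AC. The packets are constructed stand-ins for the pings.

```python
# ACLs referenced by the forwarding policies, as (action, protocol, icmp_type_or_None) rules.
# ACL 3001 is the one shown in this example; ACL 3000 is assumed to be "rule 0 permit icmp".
ACLS = {
    (4, 3000): [("permit", "icmp", None)],
    (6, 3001): [("permit", "icmpv6", "echo-request")],
}

# Forwarding policies as ordered (ip_version, acl_number, behavior) classifier/behavior pairs.
# POLICY_US reproduces the observed behaviour of user-profile policy us; POLICY_ST is an
# assumed service-template policy st that sends IPv6 echo traffic the other way.
POLICY_US = [(4, 3000, "remote"), (6, 3001, "local")]
POLICY_ST = [(6, 3001, "remote")]


def acl_matches(rules, pkt):
    """First rule whose protocol (and ICMP type, if the rule names one) fits the packet decides;
    a permit rule classifies the packet, a deny rule does not."""
    for action, proto, icmp_type in rules:
        if proto == pkt["proto"] and icmp_type in (None, pkt.get("icmp_type")):
            return action == "permit"
    return False


def apply_policy(policy, pkt):
    """Behavior of the first classifier the packet matches, or None if no classifier matches."""
    for version, acl_number, behavior in policy:
        if version == pkt["version"] and acl_matches(ACLS[(version, acl_number)], pkt):
            return behavior
    return None


def forwarding_decision(pkt, service_template_policy, user_profile_policy=None):
    """Return 'AP' (local forwarding) or 'AC' (centralized forwarding) for one client frame.

    The policy applied through the client's user profile is consulted first; the policy of the
    service template is used only for frames the user-profile policy does not classify; anything
    still unclassified is assumed to follow the default, centralized forwarding to the AC.
    """
    behavior = None
    if user_profile_policy is not None:
        behavior = apply_policy(user_profile_policy, pkt)
    if behavior is None:
        behavior = apply_policy(service_template_policy, pkt)
    if behavior is None:
        behavior = "remote"
    return "AP" if behavior == "local" else "AC"


# Constructed frames standing in for the two pings of the verification step, plus one
# that no classifier matches.
PING_V4 = {"version": 4, "proto": "icmp", "icmp_type": "echo-request"}
PING_V6 = {"version": 6, "proto": "icmpv6", "icmp_type": "echo-request"}
TCP_V6 = {"version": 6, "proto": "tcp"}

if __name__ == "__main__":
    for name, pkt in (("IPv4 ping", PING_V4), ("IPv6 ping", PING_V6), ("IPv6 TCP", TCP_V6)):
        print(name, "with user profile ->", forwarding_decision(pkt, POLICY_ST, POLICY_US),
              "| service template only ->", forwarding_decision(pkt, POLICY_ST))
```

With the user profile applied, the IPv4 ping is forwarded by the AC and the IPv6 ping by the AP, matching the two bullets above; with only the service-template policy in force the IPv6 ping goes to the AC, which is the difference the verification step is checking for.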
2. Verify the configuration:
• The clients can associate with the APs and access the WLAN.
• You can use the display wlan client verbose command to view the online clients. The command output displays information about 802.11n clients.

802.11ac configuration example

Network requirements

As shown in Figure 18, deploy an 802.11ac network to provide high-rate access for multimedia applications. The AP provides a plain-text wireless service with SSID 11acservice.
Backup client authentication configuration example
Network requirements
As shown in Figure 19, configure backup client authentication on the AC to achieve the following purposes:
• The AC authenticates clients in the branch.
• When the AC-AP connection fails, the AP authenticates clients and does not log off online clients. A new client can go online by using local authentication.
• When the connection recovers, the AP logs off all clients and the AC re-authenticates clients.
# Enable port security.
[AC] port-security enable
# Enable MAC authentication and specify branch.net as the authentication domain. The authentication domain must be the same as the domain created in the configuration file of the AP.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode mac-authentication
[AC-WLAN-ESS1] mac-authentication domain branch.net
[AC-WLAN-ESS1] quit
# Configure the type of user accounts for MAC authentication users.
Deploy the RADIUS server at the AP side so that associated 802.1X clients are not logged off when the connection between the branch and headquarters fails.
Figure 20 Network diagram
Configuration procedure
1. Add the following commands to the configuration file of the AP:
port-security enable
dot1x authentication-method eap
radius scheme rad
 primary authentication 192.168.100.254
 primary accounting 192.168.100.
# Configure a crypto-type service template, configure the SSID of the service template as local1x, and specify the encryption type as AES-CCMP.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid local1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
# Specify the local authentication mode.
Figure 21 Network diagram
Configuration procedure
Before the following configurations, assume that you have configured AP templates for the three APs on the AC.
# Create AP group update, and add AP 1 and AP 2 to it.
system-view
[AC] wlan ap-group update
[AC-ap-group-update] ap ap1 ap2
# Enable the AP version update function for the AP group.
The version of the AC is B96D001, and the three APs are all of version B109D001.
Figure 22 Network diagram
Configuration procedure
Assume that you have completed the following configurations:
• Configure AP templates for the three APs on the AC.
• Enable the AC to accept AP 1, AP 2, and AP 3 with the software versions MSM460-WW Ver.C V100R001B109D001, MSM430-WW Ver.C V100R001B109D001, and MSM466-WW Ver.C V100R001B109D001, respectively.
The AC and the three APs are all of version B109D001.
Figure 23 Network diagram
Configuration procedure
Before the following configurations, assume that you have configured AP templates for the three APs on the AC.
To configure AC and AP version rollback:
# Download the AC version B96D001 to the AC.
# Download the AP version B96D001 to the AC.
# Enable the AC to accept AP 3 with the software version MSM460-WW Ver.C V100R001B109D001.
[AC] wlan apdb MSM460-WW Ver.
Figure 24 Network diagram
Configuration procedure
1. Configure the AC:
# Enable port security.
system-view
[AC] port-security enable
# Enable EAP authentication mode.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme.
[AC] radius scheme wlan-user-policy
# Specify the RADIUS server and keys for authentication and accounting.
[AC-radius-wlan-user-policy] server-type extended
[AC-radius-wlan-user-policy] primary authentication 10.100.100.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Configure a service template.
Verifying the configuration
The AP group applied in the user profile contains only AP 1, so a client can only access the WLAN through AP 1.
AP group configuration for inter-AC roaming
Network requirements
As shown in Figure 26, AC 1 and AC 2 belong to the same mobility group. Configure an AP group on the ACs so that a client can still access the WLAN when it moves between APs.
# Define a crypto type WLAN service template, configure the SSID as abc, and bind the WLAN-ESS interface to this service template.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid abc
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Create an AP template named ap1 with model MSM460-WW.
[AC2-WLAN-ESS1] undo dot1x multicast-trigger
[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit
# Define a crypto type WLAN service template, configure the SSID as abc, and bind the WLAN-ESS interface to this service template.
Client IP address monitoring configuration example
Network requirements
As shown in Figure 27, the AC serves as the DHCP server. The AP and the client obtain IP addresses from the DHCP server. Configure the client IP address monitoring function on the AC to monitor the IP address changes of the client.
Figure 27 Network diagram
Configuration procedure
1. Configure the DHCP service on the AC:
# Enable the DHCP service.
Configuring WLAN security
Overview
This chapter describes WLAN security configuration.
Authentication modes
To secure wireless links, wireless clients must be authenticated before accessing the AP. 802.11 defines two authentication mechanisms: open system authentication and shared key authentication.
• Open system authentication: Open system authentication is the default authentication algorithm and the simplest of the available authentication algorithms. It is a null authentication algorithm.
Figure 29 Shared key authentication process
WLAN data security
WLAN networks are more susceptible than wired networks to attacks. All WLAN devices share the same medium, and every device can receive data from any other sending device. Plain-text data is transmitted over the WLAN if there is no security service. To secure data transmission, 802.11 protocols provide encryption methods to ensure that devices without the correct key cannot read encrypted data.
1.
3. TKIP offers MIC and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC in a specified period, the AP automatically takes countermeasures. For example, the AP stops providing service for a specified period to prevent attacks.
AES-CCMP encryption
CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity.
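As an added example, not code from the HP guide or its software, the following Go program implements the CCM composition described above with the parameters 802.11 CCMP fixes: AES-128, a 13-byte nonce, an 8-byte MIC, and authenticated header data (AAD) that the MIC covers but CTR does not encrypt. The key, nonce, AAD and payload are constructed sample values; mapping real 802.11 header fields to the AAD and packet-number replay checks are outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
)

// CCM parameters fixed by 802.11 CCMP: an 8-byte MIC (M), a 2-byte length field (L) and therefore
// a 15 - L = 13-byte nonce (priority || transmitter address || packet number in a real frame).
const micLen, lenField, nonceLen = 8, 2, 13

// keyBlock returns S_i = E(K, A_i) with A_i = flags(L' = L-1) || nonce || counter.
// Counter 0 masks the MIC; counters 1, 2, ... form the CTR keystream for the payload.
func keyBlock(blk cipher.Block, nonce []byte, counter uint16) []byte {
	a := append(append([]byte{lenField - 1}, nonce...), byte(counter>>8), byte(counter))
	blk.Encrypt(a, a)
	return a
}

// pad16 zero-extends b to a whole number of AES blocks.
func pad16(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }

// cbcMAC computes T = CBC-MAC(B_0 || len(aad) || aad || plaintext), AAD and payload zero-padded.
func cbcMAC(blk cipher.Block, nonce, aad, plaintext []byte) []byte {
	// B_0 flags: Adata (0x40) | M' = (M-2)/2 in bits 5..3 | L' = L-1 in bits 2..0, i.e. 0x59.
	flags := byte(0x40 | (micLen-2)/2<<3 | (lenField - 1))
	data := append(append([]byte{flags}, nonce...), byte(len(plaintext)>>8), byte(len(plaintext)))
	data = pad16(append(append(data, byte(len(aad)>>8), byte(len(aad))), aad...)) // 2-byte AAD length prefix
	data = pad16(append(data, plaintext...))
	// X_{i+1} = E(K, X_i XOR B_i) starting from X_0 = 0; T is the first M bytes of the final X.
	x := make([]byte, 16)
	for i := 0; i < len(data); i += 16 {
		for j := 0; j < 16; j++ {
			x[j] ^= data[i+j]
		}
		blk.Encrypt(x, x)
	}
	return x[:micLen]
}

// ctrCrypt XORs data with S_1, S_2, ...; the same call encrypts and decrypts.
func ctrCrypt(blk cipher.Block, nonce, data []byte) []byte {
	out := make([]byte, len(data))
	var ks []byte
	for i := range data {
		if i%16 == 0 {
			ks = keyBlock(blk, nonce, uint16(i/16)+1)
		}
		out[i] = data[i] ^ ks[i%16]
	}
	return out
}

// ccm is the core shared by both directions: it returns the CTR-processed body and the masked
// MIC U = T XOR S_0[:M] computed over the AAD and the given plaintext.
func ccm(key, nonce, aad, plaintext []byte) (body, mic []byte, err error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen || len(aad) == 0 || len(aad) > 0xfeff || len(plaintext) > 0xffff {
		return nil, nil, errors.New("need an AES key, a 13-byte nonce, a short non-empty AAD and a <64 KiB payload")
	}
	mic = keyBlock(blk, nonce, 0)[:micLen]
	for i, t := range cbcMAC(blk, nonce, aad, plaintext) {
		mic[i] ^= t
	}
	return ctrCrypt(blk, nonce, plaintext), mic, nil
}

// CCMPEncrypt returns ciphertext || MIC, the protected payload of an 802.11 data frame.
func CCMPEncrypt(key, nonce, aad, plaintext []byte) ([]byte, error) {
	body, mic, err := ccm(key, nonce, aad, plaintext)
	if err != nil {
		return nil, err
	}
	return append(body, mic...), nil
}

// CCMPDecrypt recovers the plaintext and rejects any change to ciphertext, MIC, AAD or nonce.
func CCMPDecrypt(key, nonce, aad, sealed []byte) ([]byte, error) {
	n := len(sealed) - micLen
	if n < 0 {
		return nil, errors.New("truncated input")
	}
	plaintext, _, err := ccm(key, nonce, aad, sealed[:n]) // CTR is its own inverse
	if err != nil {
		return nil, err
	}
	if _, want, _ := ccm(key, nonce, aad, plaintext); subtle.ConstantTimeCompare(want, sealed[n:]) != 1 {
		return nil, errors.New("MIC check failed: frame modified or wrong key")
	}
	return plaintext, nil
}

func main() {
	key, nonce := []byte("0123456789abcdef"), []byte("\x00\x02\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01") // constructed sample values
	aad := []byte("frame header") // constructed stand-in for the authenticated 802.11 header fields
	sealed, _ := CCMPEncrypt(key, nonce, aad, []byte("client data frame"))
	sealed[3] ^= 0x80 // one flipped ciphertext bit: CTR alone would pass it through, the CBC-MAC catches it
	_, err := CCMPDecrypt(key, nonce, aad, sealed)
	fmt.Println("tampered frame rejected:", err)
}
```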
• WI-FI Protected Access—Enhanced Security Implementation Based On IEEE P802.11i Standard, Aug 2004
• Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—802.11, 1999
• IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control", 802.1X-2004
• 802.
Step 3. Enable the authentication method.
  Command: authentication-method { open-system | shared-key }
  Remarks: Optional. By default, open system authentication is adopted.
  • Shared-key authentication can be adopted only when WEP encryption is used, and you must configure the authentication-method shared-key command.
  • For RSN and WPA, the authentication method must be open system authentication.
Configuring the PTK lifetime
A pairwise transient key (PTK) is generated through a 4-way handshake.
Configuring GTK rekey based on time
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN service template view.
  Command: wlan service-template service-template-number crypto
  Remarks: N/A
Step 3. Enable GTK rekey.
  Command: gtk-rekey enable
  Remarks: By default, GTK rekey is enabled.
Step 4. Configure the GTK rekey interval.
  Command: gtk-rekey method time-based [ time ]
  Remarks: Optional. By default, the interval is 86400 seconds.
Step 5. Configure the device to start GTK rekey when a client goes offline.
Step 3. Enable the WPA-IE in the beacon and probe responses.
  Command: security-ie wpa
  Remarks: By default, WPA-IE is disabled.
Configuring RSN security IE
An RSN is a security network that only allows the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of beacon frames. It provides greater protection than WEP and WPA.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
Step 3. Enable the WEP cipher suite.
  Command: cipher-suite { wep40 | wep104 | wep128 }
  Remarks: By default, no cipher suite is selected.
Step 4. Configure the WEP default key.
  Command: wep default-key { 1 | 2 | 3 | 4 } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
  Remarks: By default, the WEP default key index number is 1.
Step 5. Specify a key index number.
  Command: wep key-id { 1 | 2 | 3 | 4 }
  Remarks: Optional. By default, the key index number is 1.
Configuring TKIP cipher suite
Message integrity check (MIC) is used to prevent attackers from modifying data. It ensures data security by using the Michael algorithm. When a MIC error occurs, the device considers that the data has been modified and the system is being attacked. Upon detecting the attack, TKIP is suspended during the countermeasure interval and no TKIP associations can be established. The operating mode cannot be negotiated as 802.
Step 2. Enter WLAN-ESS interface view.
  Command: interface wlan-ess interface-number
  Remarks: N/A
Step 3. Enable 802.11 key negotiation.
  Command: port-security tx-key-type 11key
  Remarks: By default, 802.11 key negotiation is not enabled.
Step 4. Configure the pre-shared key.
  Command: port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key
  Remarks: By default, no pre-shared key is configured.
Step 5. Enable the PSK port security mode.
  Command: port-security port-mode psk
  Remarks: N/A
Configuring 802.1X authentication
Step 1.
Step 5. Configure the pre-shared key.
  Command: port-security preshared-key { pass-phrase | raw-key } key
  Remarks: The key is a string of 8 to 63 characters, or a 64-digit hex number.
Specifying a key derivation type
A key derivation type takes effect only when the authentication type is PSK or 802.1X.
To specify a key derivation type:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a service template and enter its view.
Step 3. Enable management frame protection.
  Command: pmf { mandatory | optional }
  Remarks: By default, management frame protection is disabled. If you select mandatory, HP recommends that you specify the key derivation type as sha256.
Configuring auto SA Query
If management frame protection is enabled, the AP uses SA Query to secure connections with clients. SA Query includes active SA Query and passive SA Query.
• Active SA Query.
   a. The client triggers the SA Query mechanism upon receiving an unencrypted disassociation or deauthentication frame.
   b. The client sends an SA Query request to the AP.
   c. The AP responds with an SA Query response.
   d. The client determines that the AP is online because it receives the SA Query response. The client does not go offline.
Figure 31 Passive SA Query
To configure active SA Query:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a service template and enter its view.
Task: Display client information.
  Command: display wlan client { ap ap-name [ radio radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display MAC address authentication information.
  Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the MAC address information of port security.
Figure 32 Network diagram
Configuration procedure
1. Configure the AC:
# Configure port security.
system-view
[AC] port-security enable
# Configure WLAN port security, configure the authentication mode as PSK, and the pre-shared key as 12345678.
MAC and PSK authentication configuration example
Network requirements
Perform MAC and PSK authentication on the client.
Figure 33 Network diagram
Configuring the AC
# Enable port security.
system-view
[AC] port-security enable
# Configure WLAN port security, using MAC-and-PSK authentication.
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as 10.18.1.88.
[AC-radius-rad] primary authentication 10.18.1.88
[AC-radius-rad] primary accounting 10.18.1.88
# Configure the shared key for RADIUS authentication/accounting packets as 12345678.
Figure 34 Adding an access device
2. Add a service:
   a. Click the Service tab and then select User Access Manager > Service Configuration from the navigation tree. The Service Configuration page appears.
   b. Click Add. The Add Service Configuration page appears, as shown in Figure 35.
   c. Set the service name to mac, keep the default values for other parameters, and click OK.
Figure 35 Adding a service
3. Add an account:
   a.
Figure 36 Adding an access user account
Verifying the configuration
• After the client passes MAC address authentication, the client can associate with the AP and access the WLAN.
• You can use the display wlan client verbose command, the display connection command, and the display mac-authentication command to view the online clients.
802.1X authentication configuration example
Network requirements
As shown in Figure 37, perform 802.1X authentication on the client.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as 10.18.1.88.
[AC-radius-rad] primary authentication 10.18.1.88
[AC-radius-rad] primary accounting 10.18.1.88
# Configure the shared key for RADIUS authentication/accounting packets as 12345678.
[AC-wlan-ap-ap1-radio-1] radio enable
Configuring the RADIUS server
This section uses IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
1. Add the AC to the IMC Platform as an access device:
   a. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. The Access Device page appears.
   b. Click Add. The Add Access Device page appears, as shown in Figure 38.
   c.
Figure 39 Adding a service
3. Add an account:
   a. Click the User tab, and select Access User View > All Access Users from the navigation tree. The All Access User page appears.
   b. Click Add. The Add Access User page appears, as shown in Figure 40.
   c. In the Access Information area, enter username user, set the account name to user and the password to dot1x, select the service dot1x, and click OK.
Figure 40 Adding an access user account
Verifying the configuration
1. The client can pass 802.
Dynamic WEP encryption-802.1X authentication configuration example
Network requirements
As shown in Figure 41, perform dynamic WEP encryption.
Figure 41 Network diagram
Configuration procedure
1. Configure the AC:
# Enable port security.
system-view
[AC] port-security enable
# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
# Set the port mode for WLAN-ESS 1 to userlogin-secure-ext.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure dynamic WEP encryption.
RSN
For RSN, the WLAN-WSEC module supports only CCMP and TKIP ciphers as the pairwise ciphers. The WEP cipher suites are only used as group cipher suites. Below are the cipher suite combinations that WLAN-WSEC supports for RSN. (WEP40, WEP104, and WEP128 are mutually exclusive.)
Unicast cipher | Broadcast cipher | Authentication method | Security type
-------------- | ---------------- | --------------------- | -------------
TKIP | TKIP | PSK | WPA
CCMP | WEP40 | 802.1X | WPA
CCMP | WEP104 | 802.1X | WPA
CCMP | WEP128 | 802.1X | WPA
CCMP | TKIP | 802.1X | WPA
CCMP | CCMP | 802.1X | WPA
TKIP | WEP40 | 802.1X | WPA
TKIP | WEP104 | 802.1X | WPA
TKIP | WEP128 | 802.1X | WPA
TKIP | TKIP | 802.1X | WPA
Pre-RSN
For Pre-RSN stations, the WLAN-WSEC module supports only WEP cipher suites. (WEP40, WEP104, and WEP128 are mutually exclusive.)
Configuring IACTP tunnel and WLAN roaming
Support for this feature depends on the device model.
IACTP tunnel
The Inter AC Tunneling Protocol (IACTP) provides a generic packet encapsulation and transport mechanism for ACs to securely communicate with each other. IACTP provides a control tunnel to exchange control messages, and a data tunnel to transmit data packets between ACs. IACTP supports both IPv4 and IPv6. WLAN roaming, AC backup, and AC-BAS collaboration must support IACTP for inter-AC communication.
WLAN roaming topologies
WLAN roaming topologies consist of:
• Intra-AC roaming topology
• Inter-AC roaming topology
• Intra-FA roaming topology
• Inter-FA roaming topology
• Roam-back topology
Intra-AC roaming
Figure 42 Intra-AC roaming
1. A client is associated with AP 1, which is connected to an AC.
2. The client disassociates from AP 1 and roams to AP 2, which is connected to the same AC.
3.
Inter-AC roaming
Figure 43 Inter-AC roaming
1. A client is associated with AP 1, which is connected to AC 1.
2. The client disassociates from AP 1 and roams to AP 2, which is connected to AC 2.
3. The client is associated with AP 2 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.
3. The client is associated with AP 2 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.
4. The client then disassociates from AP 2 and roams to AP 3, which is also connected to AC 2. The client is associated with AP 3 through intra-FA roam association.
Inter-FA roaming
Figure 45 Inter-FA roaming
1. A client is associated with AP 1, which is connected to AC 1.
2.
Roam-back
Figure 46 Roam-back
1. A client is associated with AP 1, which is connected to AC 1.
2. The client disassociates from AP 1 and roams to AP 3, which is connected to AC 2. Now AC 2 is the FA for the client.
3. The client is associated with AP 3 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.
4. The client then disassociates from AP 3 and roams back to AP 2 or AP 1 connected to AC 1, which is its HA.
Step 7. Enable the IACTP service for the group.
  Command: mobility-group enable
  Remarks: By default, IACTP service is disabled. ACs in a mobility group must have the same user profile configurations. For more information about user profiles, see Security Configuration Guide.
Isolating tunnels in a mobility group
This feature ensures that tunnels in a mobility group do not forward packets to each other.
To isolate tunnels in a mobility group:
Step 1. Enter system view.
Task: Display the roam-track information of a client on the HA.
  Command: display wlan client roam-track mac-address mac-address [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the WLAN client roaming information.
  Command: display wlan client { roam-in | roam-out } [ member { ip IPv4-address | ipv6 IPv6-address } ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Figure 47 Network diagram (RADIUS server 10.18.1.5/24; AC 10.18.1.1/24; L2 switch; AP 1 and AP 2 in VLAN 1; roaming client)
Configuration procedure
For wireless service configuration, see "Configuring WLAN access." A client has inter-AC fast roaming capability only if it uses 802.1X (RSN) authentication. If you select an authentication mode involving remote authentication, configure the corresponding RADIUS server. For more information, see "Configuring WLAN security."
1.
# Configure the 802.1X authentication method as EAP.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as 10.18.1.5.
[AC-radius-rad] primary authentication 10.18.1.5
[AC-radius-rad] primary accounting 10.18.1.5
# Configure the shared key for RADIUS authentication/accounting packets as 12345678.
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return
2. Verify the configuration:
After the client roams to AP 2, use the display wlan client verbose command to display detailed client information. You should find that the AP name and BSSID fields have changed to those of AP 2. You can also use the display wlan client roam-track mac-address command to view client roaming track information.
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as inter-roam, and bind WLAN-ESS1 to inter-roam.
# Configure the serial ID of AP 1 as CN2AD330S8.
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1 type dot11an
# Bind service template inter-roam to radio 1.
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Enable service template 1.
[AC1] wlan service-template 1
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Create mobility group roam, specify the tunnel source IP as 10.18.1.
[AC2] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC2] radius scheme rad
[AC2-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as 10.18.1.5.
[AC2-radius-rad] primary authentication 10.18.1.5
[AC2-radius-rad] primary accounting 10.18.1.5
# Configure the shared key for RADIUS authentication/accounting packets as 12345678.
[AC2-wlan-mg-roam] roam enable
# Enable the mobility group.
[AC2-wlan-mg-roam] mobility-group enable
3. Verify the configuration:
You can use the display wlan client roam-out command on AC 1 to display roamed-out client information, and use the display wlan client roam-in command on AC 2 to display roamed-in client information. You can also use the display wlan client roam-track mac-address command to view client roaming track information on AC 1.
Configuring WLAN RRM
Overview
Radio signals are susceptible to surrounding interference. The causes of radio signal attenuation in different directions are very complex. Make careful plans before deploying a WLAN network. After WLAN deployment, the running parameters must still be adjusted, because the radio environment is always varying due to interference from mobile obstacles, microwave ovens, and so on.
Figure 49 Dynamic channel adjustment
Transmit power control
Traditionally, an AP uses the maximum power to cover an area as large as possible. This method, however, affects the operation of surrounding wireless devices. Transmit power control (TPC) is used to select a proper transmission power for each AP to satisfy both coverage and usage requirements.
Figure 50 Power reduction
As shown in Figure 51, when AP 3 fails or goes offline, the other APs increase their transmission power to cover the signal black hole.
Figure 51 Power increasing
Configuration task list
Configuring data transmit rates: Optional
Configuring the maximum bandwidth: Optional
Configuring 802.11g protection: Optional
Configuring 802.
Configuring TPC: Optional
Executing power persistence: Optional
Configuring a radio group: Optional
Configuring scan parameters: Optional
Configuring power constraint: Optional
Configuring interference trap thresholds: Optional
Configuring data transmit rates
Configuring 802.11a/802.11b/802.11g rates
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN RRM view.
  Command: wlan rrm
  Remarks: N/A
Step 3. Configure rates (in Mbps) for 802.11a.
  Remarks: Optional. By default:
Configuring 802.11n rates Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum Modulation and Coding Scheme (MCS) index. The MCS data rate table shows relations between data rates, MCS indexes, and parameters that affect data rates. A sample MCS data rate table (20 MHz) is shown in Table 2, and a sample MCS data rate table (40 MHz) is shown in Table 3. For the whole table, see IEEE 802.11n-2009. Support for MCS indexes depends on the device model.
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
--------- | ------------------------- | ---------- | -------------------------- | --------------------------
22 | 3 | 64-QAM | 175.5 | 195.0
23 | 3 | 64-QAM | 195.0 | 216.7
Table 3 MCS data rate table (40 MHz)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
--------- | ------------------------- | ---------- | -------------------------- | --------------------------
0 | 1 | BPSK | 13.5 | 15.0
1 | 1 | QPSK | 27.0 | 30.0
2 | 1 | QPSK | 40.5 | 45.0
3 | 1 | 16-QAM | 54.0 | 60.0
4 | 1 | 16-QAM | 81.0 | 90.0
5 | 1 | 64-QAM | 108.0 | 120.0
6 | 1 | 64-QAM | 121.5 | 135.0
7 | 1 | 64-QAM | 135.0 | 150.0
8 | 2 | BPSK | 27.0 | 30.
• Supported rates—These are higher rates supported by the AP besides the mandatory rates. Supported rates allow some clients that support both mandatory and supported rates to choose higher rates when communicating with the AP.
• Multicast rates—These are rates that are supported by the AP besides the mandatory rates. Multicast rates allow clients to send multicast packets at the multicast rates.
When you specify the maximum MCS index, you actually specify a range.
Table 4 VHT-MCS data rate table (20 MHz, Nss = 1)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
------------- | ---------- | -------------------------- | --------------------------
0 | BPSK | 6.5 | 7.2
1 | QPSK | 13.0 | 14.4
2 | QPSK | 19.5 | 21.7
3 | 16-QAM | 26.0 | 28.9
4 | 16-QAM | 39.0 | 43.3
5 | 64-QAM | 52.0 | 57.8
6 | 64-QAM | 58.5 | 65.0
7 | 64-QAM | 65.0 | 72.2
8 | 256-QAM | 78.0 | 86.7
9 | not valid | | 
Table 5 VHT-MCS data rate table (40 MHz, Nss = 1)
MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
--------- | ---------- | -------------------------- | --------------------------
0 | BPSK | 13.5 | 15.0
1 | QPSK | 27.0 | 30.0
2 | QPSK | 40.5 | 45.0
3 | 16-QAM | 54.
MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
--------- | ---------- | -------------------------- | --------------------------
6 | 64-QAM | 263.3 | 292.5
7 | 64-QAM | 292.5 | 325.0
8 | 256-QAM | 351.0 | 390.0
9 | 256-QAM | 390.0 | 433.3
NSS is divided into the following types:
• Mandatory NSS—Mandatory NSS must be supported by the AP and the clients that want to associate with the AP.
• Supported NSS—Supported NSS allows some clients that support both mandatory NSS and supported NSS to choose higher rates when communicating with the AP.
Configuring channel exclusion
To avoid selecting improper channels, you can exclude specific channels from automatic channel selection. The excluded channels will not be available for initial automatic channel selection, DFS, and mesh DFS. This feature does not affect rogue detection and WIDS.
Follow these guidelines when you configure channel exclusion:
• The channel exclusion list is not restricted by the country/region code.
Step 3. Configure the maximum bandwidth.
  Command:
  • 802.11a: dot11a max-bandwidth 11a-bandwidth
  • 802.11b: dot11b max-bandwidth 11b-bandwidth
  • 802.11g: dot11g max-bandwidth 11g-bandwidth
  • 802.11n: dot11n max-bandwidth 11n-bandwidth
  Remarks: By default:
  • The maximum bandwidth for 802.11a is 30000 kbps.
  • The maximum bandwidth for 802.11b is 7000 kbps.
  • The maximum bandwidth for 802.11g is 30000 kbps.
  • The maximum bandwidth for 802.11n is 250000 kbps.
receiving the RTS packet, the client sends a CTS packet. This makes sure all devices within the coverage of the client do not send data within the specified time.
• CTS-to-Self—An AP uses its MAC address to send a CTS packet before it sends data to a client. This ensures that all devices within the coverage of the AP do not send data within the specified time.
To configure the 802.11g protection mode:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN RRM view.
Step 2. Enter WLAN RRM view.
  Command: wlan rrm
  Remarks: N/A
Step 3. Enable 802.11n protection.
  Command: dot11n protection enable
  Remarks: Optional. By default, 802.11n protection is disabled. Enabling 802.11n protection reduces network performance.
Configuring 802.11n protection mode
802.11n protection modes include RTS/CTS and CTS-to-self:
• RTS/CTS—An AP sends an RTS packet before sending data to a client.
To configure auto DFS:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN RRM view.
  Command: wlan rrm
  Remarks: N/A
Step 3. Enable auto DFS.
  Command:
  • dot11a calibrate-channel self-decisive
  • dot11bg calibrate-channel self-decisive
  Remarks: By default, auto DFS is disabled.
Step 4. Specify the calibration interval.
  Command:
  • dot11a calibration-interval minutes
  • dot11bg calibration-interval minutes
  Remarks: By default, the calibration interval is 8 minutes.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN RRM view.
  Command: wlan rrm
  Remarks: N/A
Step 3. Configure the CRC error threshold.
  Command:
  • dot11a crc-error-threshold percent
  • dot11bg crc-error-threshold percent
  Remarks: Optional. The default is 20.
Step 4. Configure the interference threshold.
  Command:
  • dot11a interference-threshold percent
  • dot11bg interference-threshold percent
  Remarks: Optional. The default is 50.
Step 5. Configure the tolerance level.
  Command:
  • dot11a tolerance-level
Executing one-time mesh DFS
When you execute one-time mesh DFS on an AP, the AC performs DFS when the working channel of the AP meets a trigger condition, and informs the AP of the adjusted channel after a calibration interval. If you want the AC to perform DFS for the AP again, you must execute one-time mesh DFS again.
To execute one-time mesh DFS:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN RRM view.
  Command: wlan rrm
  Remarks: N/A
Step 3. Enable dynamic mesh channel selection.
Configuring auto-TPC
With auto TPC enabled, the AC performs TPC for an AP upon certain interference and informs the AP of the adjusted power after a calibration interval. After that, the AC makes TPC decisions at the calibration interval automatically.
To configure auto TPC:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN RRM view.
  Command: wlan rrm
  Remarks: N/A
Step 3. Enable auto TPC for the band.
  Command:
  • dot11a calibrate-power
Configuring TPC trigger parameters
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN RRM view.
  Command: wlan rrm
  Remarks: N/A
Step 3. Configure the maximum number of neighbors and specify the neighbor AP that performs power detection.
  Command:
  • dot11a adjacency-factor neighbor
  • dot11bg adjacency-factor neighbor
  Remarks: Optional. By default, the maximum number of neighbors is 3, and the neighbor AP that performs power detection is the AP whose signal strength is the third among all neighbors.
Step 3. Execute power persistence on all radios.
  Command: dot11a calibrate-power persistent
Configuring a radio group
With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at the calibration interval. When the result meets a trigger condition, the AC selects a new channel or power for the radio. In an environment where interference is serious, frequent channel or power adjustments might affect user access to the WLAN network.
The autochannel-set avoid-dot11h command applies to channel adjustment.
To configure scan parameters:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN RRM view.
  Command: wlan rrm
  Remarks: N/A
Step 3. Set the scan mode.
  Command: scan channel { auto | all }
  Remarks: Optional. By default, the scan mode is auto.
Step 4. Set the scan type.
  Command: scan type { active | passive }
  Remarks: Optional. By default, the scan type is passive.
Step 5. Set the scan report interval.
  Command: scan report-interval seconds
  Remarks: Optional.
Step 3. Configure the adjacent channel interference trap threshold.
  Command: adjacent-channel interference trap threshold value
  Remarks: Optional. By default, the adjacent channel interference trap threshold is 60 dBm.
Step 4. Configure the co-channel interference trap threshold.
  Command: co-channel interference trap threshold value
  Remarks: Optional. By default, the co-channel interference trap threshold is 60 dBm.
Displaying and maintaining WLAN RRM
Task: Display WLAN RRM information.
Requirement of WLAN load-balancing implementation
As shown in Figure 52, Client 6 wants to associate with AP 3. AP 3 has reached its maximum load, so it rejects the association request. Client 6 tries to associate with AP 1 or AP 2, but it cannot receive signals from these two APs, so it has to resend an association request to AP 3. Therefore, to implement load balancing, the APs must be managed by the same AC, and the clients must be able to find the APs.
Figure 53 Network diagram
• Traffic-mode load balancing: A traffic snapshot is considered for traffic-mode load balancing. As shown in Figure 54, Client 1 and Client 2, which run 802.11g, are associated with AP 1. The AC has traffic-mode load balancing configured: the maximum traffic threshold is 10% and the maximum traffic gap is 20%. Then, Client 3 wants to access the WLAN through AP 1.
AP-based load balancing
APs can carry out either session-mode or traffic-mode load balancing as configured. An AP starts load balancing when the maximum threshold and gap are reached. It does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap.
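As an added illustration that is not part of the HP guide, the following Python model walks through the AP-based decision just described, using the session-mode values (5 sessions, gap 4) and traffic-mode values (40% threshold, 10% gap) from the configuration examples later in this chapter. The definition of the gap as this AP's load minus its lightest-loaded neighbor's load, and the behaviour when an AP has no known neighbor, are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LoadBalancePolicy:
    """Mode set on the AC, e.g. 'load-balance session 5 gap 4' for session mode;
    traffic mode uses percentages of the radio's capacity instead of sessions."""
    mode: str          # "session" or "traffic"
    threshold: float   # maximum sessions, or maximum traffic in percent
    gap: float         # maximum load gap, in the same unit as threshold


@dataclass
class AccessPoint:
    name: str
    sessions: int = 0            # associated clients (session-mode load)
    traffic_pct: float = 0.0     # traffic snapshot in percent (traffic-mode load)
    neighbors: List["AccessPoint"] = field(default_factory=list)  # APs under the same AC

    def load(self, mode: str) -> float:
        return float(self.sessions) if mode == "session" else self.traffic_pct


def load_gap(ap: AccessPoint, mode: str) -> float:
    """Assumed definition (the guide names the gap but does not define it here):
    this AP's load minus the load of its lightest-loaded neighbor."""
    if not ap.neighbors:
        return 0.0
    return ap.load(mode) - min(n.load(mode) for n in ap.neighbors)


def accepts_association(ap: AccessPoint, policy: LoadBalancePolicy) -> bool:
    """Rule stated in the guide: the AP rejects association requests once both the
    maximum threshold and the maximum gap are reached, and accepts again as soon
    as the load drops below the threshold or the gap falls below the maximum gap."""
    threshold_reached = ap.load(policy.mode) >= policy.threshold
    gap_reached = load_gap(ap, policy.mode) >= policy.gap
    return not (threshold_reached and gap_reached)


def associate(reachable: List[AccessPoint], policy: LoadBalancePolicy) -> Optional[str]:
    """Try the APs the client can hear, in signal order; return the name of the AP
    that accepted (recording the new session on it), or None if all rejected."""
    for ap in reachable:
        if accepts_association(ap, policy):
            ap.sessions += 1
            return ap.name
    return None


def session_mode_scenario() -> dict:
    """Constructed scenario with the guide's 'load-balance session 5 gap 4'."""
    policy = LoadBalancePolicy("session", threshold=5, gap=4)
    ap1, ap2 = AccessPoint("ap1", sessions=5), AccessPoint("ap2", sessions=1)
    ap1.neighbors, ap2.neighbors = [ap2], [ap1]
    result = {"ap1_before": accepts_association(ap1, policy)}  # 5 >= 5, gap 4 >= 4: reject
    result["new_client_lands_on"] = associate([ap1, ap2], policy)  # falls through to ap2
    result["ap1_after"] = accepts_association(ap1, policy)  # gap is now 3 < 4: accept again
    return result


def traffic_mode_scenario() -> dict:
    """Constructed scenario with the guide's traffic threshold 40% and gap 10%."""
    policy = LoadBalancePolicy("traffic", threshold=40.0, gap=10.0)
    ap1, ap2 = AccessPoint("ap1", traffic_pct=45.0), AccessPoint("ap2", traffic_pct=0.0)
    ap1.neighbors, ap2.neighbors = [ap2], [ap1]
    idle_neighbor = accepts_association(ap1, policy)   # 45 >= 40 and gap 45 >= 10: reject
    ap2.traffic_pct = 38.0                              # neighbor busy too: gap 7 < 10
    busy_neighbor = accepts_association(ap1, policy)   # accept
    return {"ap1_with_idle_neighbor": idle_neighbor, "ap1_with_busy_neighbor": busy_neighbor}


def isolated_client_scenario() -> Optional[str]:
    """The Figure 52 case: the client hears only the overloaded AP 3, so its request
    is rejected and there is no alternative AP in range. This is why the guide requires
    that clients can find the other APs before load balancing is turned on."""
    policy = LoadBalancePolicy("session", threshold=5, gap=4)
    ap1, ap2, ap3 = AccessPoint("ap1"), AccessPoint("ap2"), AccessPoint("ap3", sessions=5)
    ap3.neighbors = [ap1, ap2]
    return associate([ap3], policy)
```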
Task: Configuring parameters that affect load balancing
  Remarks: Optional. This configuration takes effect for both AP-based load balancing and radio group load balancing.
Task: Displaying and maintaining load balancing
  Remarks: Optional.
Configuring a load balancing mode
Prerequisites
Before you configure load balancing, make sure of the following:
• The target APs are associated with the same AC.
• The clients can find the APs.
• The fast association function is disabled.
• The target APs are associated with the same AC.
• The clients can find the APs.
• The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring WLAN access."
• A load balancing mode has been configured. For more information, see "Configuring a load balancing mode."
Configuring a load balancing group
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
Displaying and maintaining load balancing
Task: Display load balancing configuration.
  Command: display wlan load-balance-group { group-id | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display basic RRM configurations.
  Command: display wlan rrm [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the MAC addresses of all the neighbors of the specified AP.
  Command: display wlan load-balance neighbor-list ap ap-name
  Remarks: Available in any view.
Configuration prerequisites
To enable band navigation to operate correctly, make sure of the following:
• The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring WLAN access."
• Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
• The SSID is bound to the 2.4 GHz and 5 GHz radios of the AP.
Enabling band navigation globally
Step 1.
Step 3. Configure the load balancing session threshold and session gap.
  Command: band-navigation balance session session [ gap gap ]
  Remarks: Optional. By default, band navigation load balancing is disabled. If you disable this function, the AP does not prohibit clients from associating with the 802.11a radio even if the 802.11a radio is overloaded. If you enable this function, the AP prefers accepting dual-band clients on their 802.11g radio if the 802.11a radio is overloaded.
Step 4.
Step 5.
  Remarks: Optional.
Configuring auto DFS
Network requirements
As shown in Figure 55, configure auto DFS on the AC so that the AC can perform channel adjustment when the channel of AP 1 is unavailable.
Figure 55 Network diagram
Configuration procedure
# Create a WLAN ESS interface.
system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as channel-adjust, and bind WLAN-ESS1 to channel-adjust.
Verifying the configuration
You can use the display wlan ap { all | name apname } rrm-status command to display the channel information of the AP. When the channel is unavailable, the AC changes it, for example, from channel 1 to channel 6 after the calibration interval (configured with the dot11bg calibration-interval command and defaulting to 8 minutes). After the channel change, you can use the display wlan ap { all | name apname } rrm-history command to check the specific reason.
Figure 57 Network diagram
Configuration procedure
# Create a WLAN ESS interface.
system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as power-adjust, and bind WLAN-ESS1 to power-adjust.
# Specify the maximum number of neighbors, the power adjustment threshold, and the minimum transmission power.
[AC-wlan-rrm] dot11bg adjacency-factor 3
[AC-wlan-rrm] dot11bg calibrate-power threshold 65
[AC-wlan-rrm] dot11bg calibrate-power min 1
Verifying the configuration
When AP 4 joins, the number of neighbors reaches 3. Assume the signal strength of AP 4 is the third among all neighbors (AP 2, AP 3, and AP 4). AP 4 becomes the neighbor AP that performs power detection.
system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as rrm-adjust, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid rrm-adjust
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model MSM460-WW.
Verifying the configuration
• The working channel of radio 2 of AP 1 and that of AP 2 do not change within 20 minutes after each automatic channel adjustment.
• The power of radio 2 of AP 1 and that of AP 2 do not change within 30 minutes after each automatic power adjustment.
Load balancing configuration examples
The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
Configuration procedure
# Enable session-mode load balancing, and configure the maximum number of sessions and the maximum load gap as 5 and 4, respectively.
system-view
[AC] wlan rrm
[AC-wlan-rrm] load-balance session 5 gap 4
[AC-wlan-rrm] quit
# Create a WLAN ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as session-balance, and bind WLAN-ESS1 to session-balance.
Configuring traffic-mode load balancing
Network requirements
• As shown in Figure 60, all APs operate in 802.11gn mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2.
• Configure traffic-mode load balancing on the AC. The traffic threshold is 40% and the maximum load gap is 10%.
Figure 60 Network diagram
Configuration procedure
# Enable traffic-mode load balancing and configure the traffic threshold and the maximum load gap as 40% and 10%, respectively.
[AC] wlan ap ap1 model MSM460-WW
# Configure the serial ID of AP 1 as CN2AD330S8.
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 2 type dot11gn
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] return
# Create an AP template named ap2 with model MSM460-WW.
system-view
[AC] wlan ap ap2 model MSM460-WW
# Configure the serial ID of AP 2 as CN2AD330S9.
Figure 61 Network diagram
Configuration procedure
1. Configure APs on the AC:
# Create a WLAN ESS interface.
system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as session-balance, and bind WLAN-ESS1 to the service template.
system-view
[AC] wlan ap ap2 model MSM460-WW
# Configure the serial ID of AP 2 as CN2AD330S9.
[AC-wlan-ap-ap2] serial-id CN2AD330S9
[AC-wlan-ap-ap2] radio 2 type dot11gn
# Bind service template 1 to radio 2 of AP 2.
[AC-wlan-ap-ap2-radio-2] service-template 1
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] return
2. Configure the load balancing mode:
# Enable session-mode load balancing, and configure the maximum number of sessions and the maximum load gap as 5 and 4, respectively.
Figure 62 Network diagram
Configuration procedure
1. Configure APs on the AC:
# Create a WLAN ESS interface.
system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as traffic-balance, and bind WLAN-ESS1 to the service template.
system-view
[AC] wlan ap ap2 model MSM460-WW
# Configure the serial ID of AP 2 as CN2AD330S9.
[AC-wlan-ap-ap2] serial-id CN2AD330S9
[AC-wlan-ap-ap2] radio 2 type dot11gn
# Bind service template 1 to radio 2 of AP 2.
[AC-wlan-ap-ap2-radio-2] service-template 1
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
2.
Figure 63 Network diagram
Configuration procedure
# Enable band navigation.
system-view
[AC] wlan rrm
[AC-wlan-rrm] band-navigation enable
[AC-wlan-rrm] quit
# Create a WLAN-ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as band-navigation, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid band-navigation
[AC-wlan-st-1] bind wlan-ess 1
# Disable fast association. (Optional.
# Configure the band navigation load balancing session threshold as 2, and the session gap as 1.
system-view
[AC] wlan rrm
[AC-wlan-rrm] band-navigation balance session 2 gap 1
Verifying the configuration
Verify the following items:
• Client 1 and Client 2 are associated with the 5 GHz radio of AP 1, and Client 4 can only be associated with the 2.4 GHz radio of AP 1.
• AP 1 directs Client 3 to its 2.
Configuring WLAN IDS Overview 802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and DoS attacks. Rogue devices are a serious threat to enterprise security. Wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a wireless network. WIPS helps to protect enterprise networks and users from unauthorized wireless access.
Taking countermeasures against rogue device attacks You can enable the countermeasures function on a monitor AP. The monitor AP downloads an attack list from the AC and takes countermeasures against the rogue devices based on the configured countermeasures mode. For example, if the countermeasures mode is config, the monitor AP only takes countermeasures against rogue devices in the static attack list.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is compromised, the attacker can access network resources. Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged.
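The check a weak IV detector performs, as an added Python example that is not part of the HP guide: it parses the 4-byte WEP header from constructed frame bodies and logs every frame whose IV is reused by the same transmitter (the fixed-IV case above) or falls in the classic weak class. The weak-class definition, the 13-byte key length and the sample frames are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

WEP_HEADER_LEN = 4   # 3-byte IV, then one byte whose top two bits carry the key ID


def parse_wep_header(body: bytes) -> Tuple[bytes, int]:
    """Return (iv, key_id) from the WEP header at the start of a protected frame body."""
    if len(body) < WEP_HEADER_LEN:
        raise ValueError("frame body too short for a WEP header")
    return body[:3], body[3] >> 6


def is_weak_iv(iv: bytes, key_len: int = 13) -> bool:
    """Assumed weak class (the guide does not define it): the classic
    (B+3, 0xFF, X) form, where B indexes a key byte; 13 bytes for 104-bit WEP."""
    return iv[1] == 0xFF and 3 <= iv[0] < key_len + 3


def inspect_wep_frames(frames: List[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """Log one record per frame whose IV is reused by the same transmitter
    (the fixed-IV case described in the guide) or falls in the weak class.
    'frames' holds (transmitter MAC, frame body) pairs."""
    seen: Dict[str, Set[bytes]] = defaultdict(set)
    log: List[Dict[str, object]] = []
    for idx, (tx_mac, body) in enumerate(frames):
        iv, key_id = parse_wep_header(body)
        reasons = []
        if iv in seen[tx_mac]:
            reasons.append("iv-reuse")
        if is_weak_iv(iv):
            reasons.append("weak-iv")
        seen[tx_mac].add(iv)
        for reason in reasons:
            log.append({"frame": idx, "tx": tx_mac, "iv": iv.hex(),
                        "key_id": key_id, "reason": reason})
    return log


def constructed_frames() -> List[Tuple[str, bytes]]:
    """Constructed sample (not a real capture): one station that never changes its
    IV, one weak-class IV under key ID 1, and one unremarkable frame. The bytes after
    the header stand in for ciphertext and ICV."""
    filler = bytes(8)
    return [
        ("000f-e215-1515", bytes([0x01, 0x02, 0x03, 0x00]) + filler),
        ("000f-e215-1515", bytes([0x01, 0x02, 0x03, 0x00]) + filler),  # same IV again
        ("000f-e215-1530", bytes([0x04, 0xFF, 0x21, 0x40]) + filler),  # weak form, key ID 1
        ("0015-e213-1235", bytes([0x7A, 0x10, 0x55, 0x00]) + filler),
    ]
```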
Figure 64 Frame filtering
• In the topology, three APs are connected to an AC. Configure whitelist and static blacklist entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the whitelist, it can access any of the APs, and other clients cannot access any of the APs.
• Enable the dynamic blacklist function on the AC.
• In monitor mode, an AP scans all Dot11 frames in the WLAN but cannot provide WLAN services, so you do not need to configure a service template for it.
• In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN services. For an AP operating in this mode, you need to configure a service template so that the AP can provide WLAN service while scanning devices.
To configure the AP operating mode:
Step 1.
Figure 65 Determining if an AP is a rogue
• Determine whether a client is a rogue.
Figure 66 Determining if a client is a rogue
• Determine if an ad hoc network or a wireless bridge is a rogue.
To configure the detection rules:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter WLAN IDS view.
  Command: wlan ids
  Remarks: N/A
Step 3. Add the MAC address of a client or AP to the static attack list.
  Command: device attack mac-address mac-address
  Remarks: Optional.
Step 4. Add the MAC address of a client or AP to the permitted MAC address list.
  Command: device permit mac-address mac-address
Step 5. Add an SSID to the permitted SSID list.
  Command: device permit ssid ssid
Step 6. Add a vendor ID to the permitted vendor list.
Step 3. Add the MAC address of a client or AP to the static attack list.
  Command: device attack mac-address mac-address
  Remarks: Optional. By default, the attack list is empty.
Configuring the countermeasures mode
The countermeasures mode can be set to control the devices against which countermeasures are taken. Based on the configuration, monitor APs can take countermeasures against devices present in the static attack list, all rogue devices, only rogue APs, or only ad hoc clients.
Task: Display the history of attacks detected in the WLAN system.
  Command: display wlan ids rogue-history [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the list of permitted MAC addresses, the list of permitted SSIDs, or the list of permitted vendor OUIs.
  Command: display wlan ids permitted { mac-address | ssid | vendor } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear the list of detected entities in the WLAN.
• WLAN IDS permits devices present in the static whitelist. You can add entries to or delete entries from the list.
• WLAN IDS denies devices present in the static blacklist. You can add entries to or delete entries from the list.
• WLAN IDS or WLAN IPS adds dynamically detected attack devices to the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the device entry is removed from the dynamic blacklist.
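The list semantics just described (static whitelist, static blacklist, and a dynamic blacklist whose entries expire after a lifetime), together with the Figure 64 case where only Client 1 is whitelisted, as an added Python model that is not part of the HP guide. The precedence of a blacklist hit over a whitelist entry, the rule that an empty whitelist restricts nothing, and the sample MAC addresses are assumptions.

```python
import re
from typing import Dict, List, Optional, Set

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 'xxxx-xxxx-xxxx' (the CLI form used in this guide), 'xx:xx:xx:xx:xx:xx'
    or 'xx-xx-xx-xx-xx-xx' and return the lower-case CLI form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


class FrameFilter:
    """Static whitelist, static blacklist and dynamic blacklist as described in the guide.
    Assumptions beyond the text: a blacklist hit wins over a whitelist entry, and the
    whitelist restricts access only once it has at least one entry."""

    def __init__(self, dynamic_lifetime_s: int) -> None:
        self.whitelist: Set[str] = set()
        self.static_blacklist: Set[str] = set()
        self.dynamic_blacklist: Dict[str, float] = {}   # MAC -> expiry time
        self.lifetime = dynamic_lifetime_s

    # Static lists: entries are added and deleted by the administrator.
    def permit(self, mac: str) -> None:
        self.whitelist.add(normalize_mac(mac))

    def unpermit(self, mac: str) -> None:
        self.whitelist.discard(normalize_mac(mac))

    def deny(self, mac: str) -> None:
        self.static_blacklist.add(normalize_mac(mac))

    def undeny(self, mac: str) -> None:
        self.static_blacklist.discard(normalize_mac(mac))

    # Dynamic list: filled by WLAN IDS/IPS when an attack is detected.
    def detect_attack(self, mac: str, now: float) -> None:
        self.dynamic_blacklist[normalize_mac(mac)] = now + self.lifetime

    def expire(self, now: float) -> List[str]:
        """Drop entries whose lifetime has elapsed; return the MACs removed."""
        expired = [m for m, t in self.dynamic_blacklist.items() if t <= now]
        for m in expired:
            del self.dynamic_blacklist[m]
        return expired

    def reset_dynamic(self, mac: Optional[str] = None) -> None:
        """Counterpart of 'reset wlan dynamic-blacklist { mac-address mac | all }'."""
        if mac is None:
            self.dynamic_blacklist.clear()
        else:
            self.dynamic_blacklist.pop(normalize_mac(mac), None)

    def verdict(self, mac: str, now: float) -> str:
        mac = normalize_mac(mac)
        self.expire(now)
        if mac in self.static_blacklist:
            return "deny:static-blacklist"
        if mac in self.dynamic_blacklist:
            return "deny:dynamic-blacklist"
        if self.whitelist and mac not in self.whitelist:
            return "deny:not-in-whitelist"
        return "permit"

    def allows(self, mac: str, now: float) -> bool:
        return self.verdict(mac, now) == "permit"


def figure_64_scenario() -> Dict[str, str]:
    """Constructed walk-through of the Figure 64 description: only Client 1 is
    whitelisted, then Client 1 is blacklisted. The MACs are constructed samples."""
    f = FrameFilter(dynamic_lifetime_s=300)
    client1, client2 = "0000-0000-0001", "0000-0000-0002"
    out = {}
    f.permit(client1)
    out["client1_whitelisted"] = f.verdict(client1, now=0)
    out["client2_not_listed"] = f.verdict(client2, now=0)
    f.deny(client1)
    out["client1_after_blacklist"] = f.verdict(client1, now=0)
    return out
```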
Task: Display whitelist entries.
  Command: display wlan whitelist [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear dynamic blacklist entries.
  Command: reset wlan dynamic-blacklist { mac-address mac-address | all }
  Remarks: Available in user view.
WLAN IDS configuration examples
The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
Figure 68 Network diagram
Configuration procedure
# Create a WLAN ESS interface.
system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as normal, and bind WLAN-ESS1 to normal.
# Configure IDS rules to allow Client 1, Client 2, and Client 3 to connect to the WLAN and use the WLAN services provided by AP 1.
system-view
[AC] wlan ids
[AC-wlan-ids] device permit mac-address 000f-e215-1515
[AC-wlan-ids] device permit mac-address 000f-e215-1530
[AC-wlan-ids] device permit mac-address 0015-e213-1235
# Configure Client 4 (rogue client), configure the countermeasures mode, and enable countermeasures.
Configuring WLAN QoS
Overview
An 802.11 network offers contention-based wireless access. To provide applications with QoS services, IEEE developed 802.11e for the 802.11-based WLAN architecture. While IEEE 802.11e was being standardized, the Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard to allow QoS-capable devices of different vendors to interoperate. WMM makes a WLAN network capable of providing QoS services.
WMM defines a set of EDCA parameters for each AC queue, covering the following: • Arbitration inter-frame spacing number (AIFSN)—Different from the 802.11 protocol where the idle duration (set using DIFS) is a constant value, WMM can define an idle duration per AC queue. The idle duration increases as the AIFSN value increases (see Figure 70 for the AIFS durations).
U-APSD power-save mechanism U-APSD improves the 802.11 APSD power-saving mechanism. When associating clients with AC queues, you can specify some AC queues as trigger-enabled, some AC queues as delivery-enabled, and the maximum number of data packets that can be delivered after receiving a trigger packet. Both the trigger attribute and the delivery attribute can be modified when flows are established using CAC. When a client sleeps, the delivery-enabled AC queue packets destined for the client are buffered.
Configuration procedure
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a radio policy and enter radio policy view.
  Command: wlan radio-policy radio-policy-name
  Remarks: N/A
Step 3. Enable WMM.
  Command: wmm enable
  Remarks: By default, WMM is enabled. The 802.11n protocol stipulates that all 802.11n clients support WLAN QoS. Therefore, when the radio operates in 802.11an or 802.11gn mode, you should enable WMM. Otherwise, the associated 802.11n clients may fail to communicate.
Step 4.
AC queue     AIFSN  ECWmin  ECWmax  TXOP Limit
AC-VO queue  2      2       3       47
Table 8 Default EDCA parameters for APs
AC queue     AIFSN  ECWmin  ECWmax  TXOP Limit
AC-BK queue  7      4       10      0
AC-BE queue  3      4       6       0
AC-VI queue  1      3       4       94
AC-VO queue  1      2       3       47
Displaying and maintaining WMM
Task: Display radio or client WMM configuration information.
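To make the AIFS and contention-window arithmetic behind the EDCA description concrete, here is an added Python example (not from the HP guide) that turns the Table 8 AP defaults, and the client AC-VO row above it, into microsecond timings. It assumes 802.11a OFDM timing (SIFS 16 µs, slot 9 µs) and the standard 32 µs TXOP unit.

```python
from typing import Dict, List, Tuple

# Table 8 defaults for APs (AIFSN, ECWmin, ECWmax, TXOP limit), taken from the guide.
DEFAULT_AP_EDCA: Dict[str, Tuple[int, int, int, int]] = {
    "AC-BK": (7, 4, 10, 0),
    "AC-BE": (3, 4, 6, 0),
    "AC-VI": (1, 3, 4, 94),
    "AC-VO": (1, 2, 3, 47),
}
# The client AC-VO row shown just above Table 8 in the guide.
DEFAULT_CLIENT_AC_VO = (2, 2, 3, 47)

# Assumed PHY timing for 802.11a OFDM; 802.11g short-slot timing differs (SIFS 10 us).
SIFS_US = 16
SLOT_US = 9
TXOP_UNIT_US = 32   # TXOP limit is expressed in 32 us units


def edca_timing(aifsn: int, ecwmin: int, ecwmax: int, txop_limit: int,
                sifs_us: int = SIFS_US, slot_us: int = SLOT_US) -> Dict[str, float]:
    """Turn one EDCA parameter set into the values a radio actually uses."""
    if aifsn < 1 or ecwmin < 0 or ecwmax < ecwmin:
        raise ValueError("invalid EDCA parameter set")
    cwmin = 2 ** ecwmin - 1          # contention window size, in slots
    cwmax = 2 ** ecwmax - 1
    return {
        "aifs_us": sifs_us + aifsn * slot_us,    # idle time before backoff starts
        "cwmin": cwmin,
        "cwmax": cwmax,
        "mean_backoff_us": cwmin * slot_us / 2,  # average first backoff after AIFS
        "txop_us": txop_limit * TXOP_UNIT_US,    # 0 means one MSDU per channel access
    }


def contention_order(table: Dict[str, Tuple[int, int, int, int]]) -> List[str]:
    """Queues ordered by who reaches the medium first: shorter AIFS, then smaller CW."""
    def key(item):
        t = edca_timing(*item[1])
        return (t["aifs_us"], t["cwmin"], t["cwmax"])
    return [name for name, _ in sorted(table.items(), key=key)]


def ap_voice_beats_client_voice() -> bool:
    """AP AC-VO uses AIFSN 1 against the client's AIFSN 2: the AP's voice queue
    finishes its AIFS one slot earlier, so downlink voice wins ties."""
    ap = edca_timing(*DEFAULT_AP_EDCA["AC-VO"])
    client = edca_timing(*DEFAULT_CLIENT_AC_VO)
    return ap["aifs_us"] < client["aifs_us"]
```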
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.
Basic WMM configuration example
1. Network requirements
As shown in Figure 71, the AP and AC are in the same network. Enable WMM on the AC so that the AP and the client can prioritize traffic.
Figure 71 Network diagram
2. Configuration procedure
system-view
# Create interface WLAN-ESS 1.
AC-VI queues. In this way, clients in the AC-VO and AC-VI queues can be guaranteed enough bandwidth.
Figure 72 Network diagram
2. Configuration procedure
system-view
# Create interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
To guarantee the highest priority for the AC-VO queue, set ECWmin and ECWmax to 0 for the AC-VO queue of the AP.
Figure 73 Network diagram
2. Configuration procedure
system-view
# Create interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Configure a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
Figure 74 Network diagram
2. Configuration procedure
# Create a class named wmm and configure the class to match packets with an IP precedence value of 7.
system-view
[AC] traffic classifier wmm
[AC-classifier-wmm] if-match ip-precedence 7
[AC-classifier-wmm] quit
# Create a behavior named wmm and configure the behavior to mark packets with a local precedence value of 7.
# Configure the serial ID of AP 1 as CN2AD330S8.
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
After the configuration, the AC maps IP precedence 7 to local precedence 7.
To improve bandwidth use efficiency when ensuring bandwidth use fairness among WLAN services, use the bandwidth guaranteeing function. Bandwidth guaranteeing makes sure all traffic from each BSS can pass through freely when the network is not congested, and each BSS can get the guaranteed bandwidth when the network is congested. For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and 50% of the bandwidth.
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch and an 870 appliance are Access interfaces in VLAN 1.
[AC-wlan-st-1] ssid research
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create service template 2 of the crypto type, and set the SSID as office for service template 2.
ap1  1  802.11an  2  20%
--------------------------------------------------------------------------------
1. When the total traffic rate from the AP to all clients is lower than 10000 kbps, the rate of traffic from the AP to any client is not limited.
2. Suppose the rate of traffic from the AP to Client 1 exceeds 2000 kbps, the rate of traffic from the AP to Client 2 exceeds 8000 kbps, and the rate of traffic from the AP to all clients exceeds 10000 kbps.
Step 2. Enter AP template view.
  Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
  Remarks: N/A
Step 3. Enter radio view.
  Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
  Remarks: N/A
Step 4. Configure radio-based client rate limiting.
  Command: client-rate-limit direction { inbound | outbound } mode { dynamic | static } cir cir
  Remarks: By default, radio-based client rate limiting is disabled.
Figure 76 Network diagram
Configuration procedure
# Enable the WLAN service. (Optional, because the WLAN service is enabled by default.)
system-view
[AC] wlan enable
# Create a WLAN-ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create a WLAN service template of the clear type, configure its SSID as service, and bind interface WLAN-ESS 1 to the service template.
--------------------------------------------------------------------------------
Service Template  Direction  Mode     CIR(kbps)
--------------------------------------------------------------------------------
1                 Inbound    Static   8000
1                 Outbound   Dynamic  8000
--------------------------------------------------------------------------------
1. When only Client 1 accesses the WLAN through SSID service, the available bandwidth is limited to around 8000 kbps.
2.
Configuring WLAN mesh link
Overview
A WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile and flexible. A WLAN mesh network is no different from a traditional WLAN for end users.
Basic concepts
Concept: Access controller (AC)
  Description: Device that controls and manages all the APs in the WLAN.
Concept: Mesh point (MP)
  Description: An IEEE 802.11 entity that contains an IEEE 802.
Deployment scenarios
One-hop mesh link backhaul deployment
As shown in Figure 77, the MAP is a dual-radio AP, with one radio for WLAN access and the other for mesh link backhaul. You can configure the MAC address of the MPP connected to the MAP to establish a mesh link between them.
Figure 77 One-hop mesh link backhaul
HP supports up to 4 MAPs on a single MPP, as shown in Figure 78.
Figure 79 Two-hop mesh backhaul deployment (1)
HP supports up to 4 MPs on a single MPP and 4 MAPs on a single MP, as shown in Figure 80.
Figure 80 Two-hop mesh backhaul deployment (2)
Protocols and standards
• Draft P802.11s_D1.06
• ANSI/IEEE Std 802.11, 1999 Edition
• IEEE Std 802.11a
• IEEE Std 802.11b
• IEEE Std 802.11g
• IEEE Std 802.
WLAN mesh configuration task list
Task: Configuring an MKD ID
  Remarks: Required.
Task: Configuring mesh port security
  Remarks: Required.
Task: Configuring a mesh profile
  Remarks: Required.
Task: Configuring mesh portal service
  Remarks: Optional.
Task: Configuring an MP policy
  Remarks: Optional.
Task: Mapping a mesh profile to the radio of an MP
  Remarks: Required.
Task: Mapping an MP policy to the radio of an MP
  Remarks: Required.
Task: Specifying a mesh working channel
  Remarks: Required.
Task: Specifying a peer on the radio
  Remarks: Required.
Task: Displaying and maintaining WLAN mesh link
  Remarks: Optional.
Configuring a mesh profile
A mesh profile is created and mapped to an MP so that it can provide mesh services to other MPs that have the same mesh profile mapped.
To configure a mesh profile:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a mesh profile and enter mesh profile view.
  Command: wlan mesh-profile mesh-profile-number
  Remarks: N/A
Step 3. Configure the mesh ID.
  Command: mesh-id mesh-id-name
  Remarks: By default, no mesh ID is set for the mesh profile.
Step 4. Bind a WLAN mesh interface.
Configuring an MP policy
Link formation and maintenance are driven by the attributes specified in the MP policy.
To configure an MP policy:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an MP policy and enter MP policy view.
  Command: wlan mp-policy policy-name
  Remarks: By default, there is a default MP policy default_mp_plcy, which cannot be deleted or modified.
Step 3. Enable link initiation.
  Command: link-initiation enable
Step 4. Configure the maximum number of links.
Mapping a mesh profile to the radio of an MP
For an MP to advertise mesh capabilities, a mesh profile must be mapped to the radio of the MP.
To map a mesh profile to a radio:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter AP template view.
  Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
  Remarks: The model number needs to be specified only during new AP template creation.
Step 3. Enter radio view.
In some countries, most available channels on the 802.11a band are radar channels. HP recommends that you use the auto mode to establish mesh links on the 802.11a band.
Specifying a peer on the radio
Specify the MAC addresses of allowed peers on the local radio interface.
To specify a peer MAC address on a radio:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter AP template view.
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch and an 870 appliance are Access interfaces in VLAN 1.
# Set the mesh ID as outdoor for mesh profile 1, and enable the mesh profile.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] mesh-id outdoor
[AC-wlan-mshp-1] mesh-profile enable
[AC-wlan-mshp-1] quit
# A default MP policy exists by default. You can also configure an MP policy. The default MP policy is used in this example.
2. Configure the MPP:
# Create AP template mpp of model MSM460-WW, and configure its serial ID.
After 802.11gn is configured on the MAP, the client and the AC can ping each other, and the client can access the network through the mesh link.
Verifying the configuration
# Display the mesh link information on the AC.
[AC-wlan-mesh1] quit
# Create mesh profile 1, and bind the WLAN mesh interface to it.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] bind wlan-mesh 1
[AC-wlan-mshp-1] quit
# Configure an MKD-ID (an MKD-ID exists by default, and you can omit this command).
[AC] wlan mkd-id 0eab-01cd-ef00
# Enable the MKD service.
[AC] mkd-service enable mesh-profile 1
# Set the mesh ID to outdoor for mesh profile 1, and enable the mesh profile.
[AC-wlan-ap-mp-radio-1] quit
[AC-wlan-ap-mp] quit
4. Configure the MAP:
# Create an AP template map of model MSM460-WW, and configure its serial ID.
[AC] wlan ap map model MSM460-WW
[AC-wlan-ap-map] serial-id CN2AD330F3
# Create radio 1, specify channel 149, and map mesh profile 1 to the radio.
# Display the client information on the AC.
display wlan client
Total Number of Clients : 1
Client Information
SSID: HP
--------------------------------------------------------------------------------
MAC Address     User Name  APID/RID  IP Address     VLAN
--------------------------------------------------------------------------------
2477-0374-0304  -NA-       3 /2      192.168.100.
Configuration download failure for a zeroconfig device
Symptom
A zero-configuration device forms links, but the configuration download does not happen.
Analysis
• The channel configuration may be wrong.
• The mapped mesh profile may be wrong.
Solution
1. Go to radio view and use the display this command.
2. Verify that the channel is the same as that of the MPP. If not, change the channel by using the channel command.
3. Verify that the mesh profile mapped to the radio is the same as that mapped to the MPP's radio.
PMKMA delete is received by the MPP for an MP
Symptom
After the MPP comes up, an MP tries to connect to it. During this process, the AC receives a number of PMKMA requests and sends back PMKMA responses. After that, a PMKMA delete is sent to the MPP for the MP.
Analysis
Verify whether intrusion detection is enabled.
Solution
If intrusion detection is enabled, disable it.
Configuring WLAN sniffer
Specific software is required to analyze the captured packets. HP recommends that common users not use the WLAN sniffer function. Wireless tracing is limited and is intended only for support and as an additional troubleshooting tool. In a wireless network, it is difficult to locate signal interference and packet collisions by using the debugging information or terminal display information of WLAN devices.
specified CAP file in the default storage medium. The default storage medium varies with device models.
• The working mode of the AP cannot be changed with the work-mode monitor or device-detection enable command while it is capturing packets.
• When you configure client-based WLAN sniffer, you need to create an Ethernet frame header ACL and configure the permit statement in the ACL rule. The configured ACL rule is used to match the MAC addresses of the clients you want to capture.
Displaying and maintaining WLAN sniffer
Task: Display information about WLAN sniffer enabled APs.
  Command: display wlan capture [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
WLAN sniffer configuration examples
The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
1. Configure WLAN services on the AC. For more information, see "Configuring WLAN access."
2. Configure the radio-based WLAN sniffer function:
# Enable radio-based WLAN sniffer on Radio 2 of the AP named captureap.
system-view
[AC] wlan capture start ap captureap radio 2
Verifying the configuration
# Verify that Radio 2 on the AP is capturing packets.
[AC-acl-ethernetframe-4400] quit
[AC] wlan capture start client acl 4400
Verifying the configuration
# Display information about the client-based WLAN sniffer function.
[AC] display wlan capture
WLAN Capture
--------------------------------------------------------------------------------
Capture Type  : Client
ACL           : 4400
Capture Limit : 10000
File Name     : CaptureRecord.
Configuring AP provision
AP provision allows you to configure network settings for fit APs on an AC. The AC automatically assigns these settings to the fit APs in run state over the AC-AP connections. This feature avoids configuring APs one by one from a terminal, greatly reducing the workload in large WLAN networks.
Configuring basic network settings for an AP
If you change the network settings for an associated AP, you need to save the settings to the wlan_ap_cfg.
Step 7. Specify an AC so that the AP can discover the AC.
  Command: ac { host-name host-name | ip ip-address | ipv6 ipv6-address }
  Remarks: Optional. By default, no AC is specified for the AP. The IPv6 address of an AC cannot be the link local address. The wlan ap-provision ac command applies to all APs, and the ac command in AP provision view applies to the current AP. If you configure both commands, the configuration in AP provision view applies to the current AP.
Optional.
Step 13. Specify an IP address for the management VLAN interface of the AP.
  Command: ip address ip-address { mask | mask-length }
  Remarks: Optional. By default, no IP address is specified.
Step 14. Specify an IPv6 address for the management VLAN interface of the AP.
  Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
  Remarks: Optional. By default, no IPv6 address is specified.
Step 15. Specify the gateway of the AP.
  Command: gateway { ip ip-address | ipv6 ipv6-address }
  Remarks: The management VLAN of the AP is VLAN 1.
1. Make sure the AC and AP have established a tunnel with each other. 2. Apply the 802.1X authentication configuration to the wlan_ap_cfg.wcfg file of the AP through AP provision function. 3. Enable 802.1X authentication on the access device. 4. Reboot the AP. To configure an AP to support the 802.1X client function: Step Command Remarks 1. Enter system view. system-view N/A 2. Specify the AP name and enter AP template view.
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch and an 870 appliance are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.
# Enable the 802.1X client function on the Ethernet interface on AP 1. [AC1-wlan-ap-ap1-prvs] dot1x supplicant enable [AC1-wlan-ap-ap1-prvs] quit [AC1-wlan-ap-ap1] quit # Enter AP 2 provision view, and configure the IP address of the management VLAN interface of AP 2 as 1.1.1.2. [AC1] wlan ap ap2 model MSM460-WW [AC1-wlan-ap-ap2] provision [AC1-wlan-ap-ap2-prvs] ip address 1.1.1.2 24 # Configure AP 2 to use username test and password test when it operates as an 802.
# Create an AP template named ap2, and specify its model and serial ID. [AC2] wlan ap ap2 model MSM460-WW [AC2-wlan-ap-ap2] serial-id CN2AD330S9 [AC2-wlan-ap-ap2] description L3office # Specify the radio type as 802.11g and channel as 11. [AC2-wlan-ap-ap2] radio 2 type dot11g [AC2-wlan-ap-ap2-radio-2] channel 11 [AC2-wlan-ap-ap2-radio-2] service-template 1 [AC2-wlan-ap-ap2-radio-2] radio enable Verifying the configuration Verify that AP 1 and AP 2 can establish a connection with AC 2 after reboot.
Configuring a VLAN pool A VLAN pool comprises a group of VLANs. It can assign VLAN IDs only to wireless clients. Configuring a VLAN pool on a radio Perform this task to configure a VLAN pool and bind it to a service template on a radio of an AP. The radio assigns clients to different VLANs in the pool. This mechanism avoids the situation that too many clients reside in the same VLAN. To configure a VLAN pool on a radio: Step Command Remarks 1. Enter system view. system-view N/A 2.
Displaying and maintaining VLAN pool Task Command Remarks Display VLAN pool statistics about a VLAN pool. display wlan statistics client vlan-pool vlan-pool-name [ | { begin | exclude | include } regular-expression ] Available in any view. VLAN pool configuration example The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
[AC] wlan service-template 1 clear [AC-wlan-st-1] ssid service [AC-wlan-st-1] bind wlan-ess 1 [AC-wlan-st-1] service-template enable [AC-wlan-st-1] quit # Create VLAN pool office, and add VLANs 2 through 5 to the VLAN pool. [AC] wlan vlan-pool office [AC-wlan-vp-office] vlan-id 2 to 5 [AC-wlan-vp-office] quit # Create AP template named ap1. [AC] wlan ap ap1 model MSM460-WW [AC-wlan-ap-ap1] serial-id CN2AD330S8 # Bind the VLAN pool office to the service template on radio 2.
Configuring wireless location Overview Wireless location is a technology that locates, tracks, and monitors specific assets by using WiFi-based Radio Frequency Identification (RFID) tags and sensors. APs send the collected Tag or MU messages to a location server. The location server performs the location calculation and sends the results to the graphics software. You can view the location information of the assets in the maps, forms, and reports provided by the software.
When the AP operates in normal mode and is bound to an enabled wireless service, it can locate wireless clients associated or not associated with it, or other wireless devices, including Tags. The wireless location system considers wireless clients associated with the AP as wireless clients, and considers wireless clients or other wireless devices not associated with the AP as unknown devices.
On the wireless device—Configure a wireless location method, dynamic wireless location or static wireless location. The wireless location method determines the way the AP gets an IP address of the location server and determines the functions you can configure. • Bind an AP to at least one wireless service and enable the wireless service when you configure wireless location on the AC.
Step Command Remarks Optional. 13. Create an AP group and enter its view. wlan ap-group group-name By default, all APs belong to the default AP group default_group. 14. Specify an IPv4 address for the wireless location server. rfid-tracking engine-address engine-address By default, no IPv4 address is configured for the location server.
After the configuration, the AP waits for the configuration message sent by the location server, and after receiving that message, starts to receive and report Tag and MU messages. In addition, the AP reports its IP address change and reboot events to the location server so that the location server can respond in time. To report a reboot event after reboot, the AP must use the IP address and port information of the location server stored in its Flash.
Figure 88 Network diagram Configuration restrictions and guidelines When you configure wireless location, follow these restrictions and guidelines: • To implement wireless location, configure at least three APs to operate in monitor or hybrid mode. • An AP monitors clients on different channels periodically. If the Tag message sending interval is configured as 1 second, the AP scans and reports Tag messages every half a minute.
[AC-wlan-ap-ap1-radio-1] return # Enable dynamic wireless location. system-view [AC] wlan rfid-tracking dynamic [AC] wlan rfid-tracking enable [AC] wlan ap ap1 [AC-wlan-ap-ap1] radio 1 [AC-wlan-ap-ap1-radio-1] rfid-tracking mode all [AC-wlan-ap-ap1-radio-1] return Verifying the configuration # Display wireless location radio information.
Configuring multicast optimization A WLAN selects the lowest transmit rate for multicast packets and provides no multicast retransmission mechanism. Therefore, a WLAN cannot meet the requirements of multicast applications that are not delay sensitive but are data-integrity sensitive, such as HD VoD. The multicast optimization feature solves these problems by enabling APs to convert multicast packets to unicast packets.
Configuring multicast optimization Enable IGMP snooping on the AC before enabling multicast optimization. Configure the aging time of multicast optimization entries to be greater than the aging time of IGMP snooping dynamic member ports. To enable multicast optimization to operate properly in a WLAN roam environment, make sure the multicast optimization function is enabled with the multicast optimization enable command on all ACs on IACTP tunnels.
Displaying and maintaining multicast optimization Task Command Remarks Display multicast optimization information. display wlan multicast optimization { all | ap-name ap-name radio radio-id } [ | { begin | exclude | include } regular-expression ] Available in any view. Multicast optimization configuration example The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
# Enable multicast optimization. system-view [Sysname] wlan service-template 1 clear [Sysname-wlan-st-1] ssid service [Sysname-wlan-st-1] multicast optimization enable [Sysname-wlan-st-1] quit # Configure the aging time for multicast optimization entries as 300 seconds. [Sysname] wlan multicast optimization aging-time 300 # Configure the maximum number of clients supported by multicast optimization as 2.
Configuring spectrum analysis For more information about WIDS, see "Configuring WLAN IDS." WLAN systems operate on shared bands. Many devices, such as microwave ovens, cordless phones, and Bluetooth devices also operate on these bands and can negatively affect the WLAN systems. The spectrum analysis feature is designed to solve this problem. Spectrum analysis delivers the following functions: • Identifies 12 types of interferences and provides interference device reports.
Enabling spectrum analysis When spectrum analysis is enabled, an AP monitors interference devices and channel quality and collects FFT data. To enable spectrum analysis: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter WLAN RRM view. wlan rrm N/A 3. Enable spectrum analysis globally. • On 5 GHz radios: dot11a spectrum-analysis enable • On 2.4 GHz radios: By default, spectrum analysis is disabled globally.
Step Command Remarks 3. Enable the AC to send SNMP traps to the NMS when detecting an interference device. • On 5 GHz radios: dot11a spectrum-analysis trap device enable • On 2.4 GHz radios: dot11bg spectrum-analysis trap device enable Optional. By default, the AC sends SNMP traps to the NMS when detecting an interference device. 4. Enable the AC to send SNMP traps to the NMS when detecting a specified interference device. • On 5 GHz radios: Optional.
To enable spectrum analysis to trigger channel adjustment: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter WLAN RRM view. wlan rrm N/A 3. Specify the sensitivity level that triggers channel adjustment. • On 5 GHz radios: dot11a calibrate-channel sensitivity { high | low | medium } • On 2.4 GHz radios: dot11bg calibrate-channel sensitivity { high | low | medium } Optional. By default, the sensitivity level that triggers channel adjustment is medium. 4. • On 5 GHz radios:
Figure 91 Network diagram (NMS, client, AP 1, AP 2, AC, switch, microwave oven, Bluetooth device) Configuration procedure # Configure AP 1 to operate in normal mode. For more information, see "WLAN Access Configuration." # Configure AP 2 to operate in monitor mode, and enable spectrum analysis on radio 2 of AP 2.
Configuring a guest access tunnel A guest access tunnel redirects guest traffic to the external network of a company. It provides WLAN access for guests while keeping guest traffic out of the internal network. The guest access tunnel function is realized through an aggregation AC and an edge AC. The edge AC is deployed in the internal network to provide access and authentication services to internal users. The aggregation AC is deployed in the external network to process guest traffic.
• VLANs assigned by the VLAN pool. • VLANs authorized by the authentication server. The priorities of these VLANs are in ascending order. The VLAN specified when you bind a service template and the VLAN assigned by the VLAN pool have the same priority. Configuration procedure To establish a guest access tunnel, you must configure both an aggregation AC and an edge AC. After you complete the configuration, the aggregation AC and edge AC communicate with each other by following these steps: 1.
Step Command Remarks 2. Specify the current AC as the aggregation AC. wlan guest-tunnel aggregation-ac N/A 3. Configure an edge AC on the aggregation AC. edge-ac ip ipv4-address vlan vlan-id-list By default, no edge AC information is available on the aggregation AC. Displaying and maintaining guest access tunnels Task Command Remarks Display configuration and status of guest access tunnels.
Configuration procedure 1. Configure AC 1: # Specify AC 1 as the edge AC. system-view [AC1] wlan guest-tunnel edge-ac # Specify AC 2 as the aggregation AC and VLAN 5 as the guest VLAN. [AC1-wlan-edge-ac] aggregation-ac ip 192.168.2.3 source ip 192.168.2.1 vlan 5 # Create a WLAN service template, configure the SSID of this service template as guest, and bind the WLAN-ESS interface to the template.
• VLAN 5 is in the list of permitted VLANs of the WLAN-ESS TUNNEL interfaces on AC 1 and AC 2. • The number of sent packets on the WLAN-ESS TUNNEL interface on AC 1 is the same as the number of received packets on the WLAN-ESS TUNNEL interface on AC 2. • AC 1 forwarded guest traffic to AC 2.
Configuring Bonjour gateway Bonjour is a set of zero-configuration networking protocols developed by Apple Inc. based on Multicast DNS (mDNS). Bonjour is designed to make network configuration easier for users. It enables Apple devices to automatically advertise service information and enables clients to automatically discover Apple devices without prior knowledge of the devices. However, Bonjour supports only link-local multicast addresses.
Figure 94 Bonjour service advertisement snooping Bonjour query snooping and response When a client queries for a service that is not in the service-device mapping table, the Bonjour gateway forwards the query. After receiving a response, the Bonjour gateway adds the service information to the service-device mapping table and forwards the response to the client. As shown in Figure 95, Bonjour query snooping and response operates as follows: 1.
Figure 95 Bonjour query snooping and response Configuring Bonjour gateway The Bonjour gateway supports centralized forwarding, local forwarding, and policy-based forwarding. Enable multicast optimization on the Bonjour gateway for media traffic services such as video and audio. Enabling Bonjour gateway Bonjour gateway takes effect only after you enable it both globally and for an AP. You can enable Bonjour gateway for an AP in AP template view or AP group view.
Configuring a Bonjour policy A service policy contains service type configuration and VLAN configuration. The AC forwards queries and responses according to the following rules: • For a query, if the service type in the query does not match the specified service type, the AC discards the query. • For a response, the AC forwards it only when it matches service type, IP address, and instance name. • The AC can forward queries and responses only to the VLANs in the configured VLAN lists.
Step Command Remarks 3. Apply a Bonjour policy to the AP template. bonjour-policy policy-name By default, no Bonjour policy is applied to an AP template. To apply a Bonjour policy to an AP group: Step Command Remarks 1. Enter system view. system-view N/A 2. Create an AP group and enter AP group view. wlan ap-group group-name By default, all APs belong to the default AP group default_group. 3. Apply a Bonjour policy to the AP group.
• The clients are associated with the same BSS. • The clients query for the same service. • The number of clients meeting the above conditions reaches the threshold within 500 ms. To configure the threshold at which the AC starts sending multicast responses: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure the threshold at which the AC starts sending multicast responses. wlan bonjour-gateway halt-multicast threshold threshold-number Optional.
Task Command Remarks Display information about Bonjour services discovered by clients. display wlan client verbose [ | { begin | exclude | include } regular-expression ] Available in any view. display wlan ap { all | name ap-name } verbose [ | { begin | exclude | include } regular-expression ] Available in any view. display wlan service-template [ service-template-number ] [ | { begin | exclude | include } regular-expression ] Available in any view.
3. Configure Bonjour gateway: # Enable Bonjour gateway globally. system-view [AC] wlan bonjour-gateway enable # Create Bonjour policy teacher to allow clients getting online through SSID teacher to query services in VLAN 3 and VLAN 4. [AC] wlan bonjour-policy teacher [AC-wlan-bp-teacher] service vlan 3 4 # Create Bonjour policy student to allow clients getting online through SSID student to query services in VLAN 4.
Configuring AC backup Overview AC backup enables each AP to establish tunnels with a primary AC and a backup AC. The two ACs must have the same configuration for each AP. The primary AC provides services to all APs. If the primary AC fails, the backup AC becomes the new primary AC to provide services. The two ACs use a heartbeat mechanism to make sure the failure of the primary AC is quickly detected by the backup AC.
Figure 98 Active/active mode (AC 1, AC 2, AP 1, AP 2) AC backup As shown in Figure 99, AC 1 is the primary AC that provides services to AP 1, AP 2, AP 3, and AP 4 through primary tunnels. AC 2 is the backup AC that connects to the APs through backup tunnels. When AC 1 fails, AC 2 quickly detects the failure and becomes the primary AC to provide services to the APs. All APs turn their backup tunnels to AC 2 into primary tunnels. When AC 1 recovers, it acts as the backup AC.
• To modify the wireless configurations of an AP, modify the configurations on the backup AC first to make sure the AP information can be backed up properly. • The two ACs must have the same AP configuration. Otherwise, after a primary/backup switchover, the AP might fail to work.
Step Command Remarks 8. Specify the VLAN ID for the ports transmitting data between ACs. hot-backup vlan vlan-id Optional. By default, the VLAN ID is 1. 9. Specify the heartbeat interval between ACs. hot-backup hellointerval hellointerval 10. Specify the delay for an AP to switch from a primary AC to a backup AC. wlan backup-ac switch-delay time Support for this feature depends on your device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.
Figure 100 Network diagram (DHCP server; AC 1 at 10.18.1.1/24 and AC 2 at 10.18.1.2/24 connected through an L2 switch to the AP and client) Configuration procedure 1. Configure AC 1: # Create a WLAN-ESS interface. system-view [AC1] interface WLAN-ESS 1 [AC1-WLAN-ESS1] quit # Create a clear-type WLAN service template, configure the SSID of the service template as service, and bind interface WLAN-ESS 1 to this service template.
[AC2-wlan-st-1] ssid service [AC2-wlan-st-1] bind WLAN-ESS 1 [AC2-wlan-st-1] authentication-method open-system [AC2-wlan-st-1] service-template enable [AC2-wlan-st-1] quit # Specify the backup AC address. [AC2] wlan backup-ac ip 10.18.1.1 # Configure the AP on AC 2. [AC2] wlan ap ap1 model MSM460-WW [AC2-wlan-ap-ap1] serial-id CN2AD330S8 [AC2-wlan-ap-ap1] radio 1 type dot11an [AC2-wlan-ap-ap1-radio-1] service-template 1 [AC2-wlan-ap-ap1-radio-1] radio enable 3.
Configuring client information backup In a network environment shown in Figure 101, to prevent clients from going offline because of unexpected primary/backup AC switchover, the ACs must support client information backup. This feature enables the primary AC to send client information in real time to the backup AC through an IACTP tunnel, ensuring consistency of client information on the two ACs.
Execute the display wlan client roam-track mac-address command on both the primary and backup ACs to view roam-track information of the clients. If the information on the two ACs is consistent, the client roaming information has been synchronized. Configuring client information backup CAUTION: • The two ACs must have the same AP configuration view settings for an AP. Otherwise, after a primary/backup switchover, the AP might fail to work.
Client information backup configuration example The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.
[AC-wlan-ap-ap1] priority level 7 [AC-wlan-ap-ap1] radio 1 type dot11an [AC-wlan-ap-ap1-radio-1] service-template 1 [AC-wlan-ap-ap1-radio-1] radio enable [AC-wlan-ap-ap1-radio-1] quit [AC-wlan-ap-ap1] quit # Configure a mobility group, specify the IACTP tunnel source IP address as 1.1.1.5, and specify the member (tunnel destination) address as 1.1.1.4, matching the commands that follow. [AC] wlan mobility-group roam [AC-wlan-mg-roam] source ip 1.1.1.5 [AC-wlan-mg-roam] member ip 1.1.1.4 # Enable the mobility group.
3. Verify the configuration: • After the clients get online, execute the display wlan client verbose command on AC 1 to view detailed information about the clients, and on AC 2 to verify that the client information has been synchronized between AC 1 and AC 2. • Execute the display wlan client roam-track command on both ACs to view roam-track information of the clients. If the information on the two ACs is consistent, the client roaming information has been synchronized.
Configuring uplink detection Uplink detection ensures that when the uplink of an AC fails, clients can access external networks through APs connected to another AC whose uplink operates properly. As shown in Figure 103, when the uplink of the AC fails, the uplink detection function detects the failure and disables the radio on the AP. When the uplink recovers, the AC enables the radio on the AP again.
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch or an 870 appliance are Access interfaces in VLAN 1.
Configuring WIPS Overview 802.11 networks are susceptible to a wide array of threats such as interference, attackers, rogue clients, and ambient wireless devices. A wireless intrusion prevention system (WIPS) protects enterprise networks and users against unauthorized wireless access according to user-defined security policies. Terminology Virtual security domain You can divide a WLAN into multiple domains called virtual security domains.
Misconfigured AP WIPS uses the wireless service information configured on the AC, such as SSID, cipher suite, security IE, and authentication method, as the reference policy. APs whose advertised settings match this policy are considered correctly configured APs. Otherwise, they are considered misconfigured APs. Wireless device classification WIPS identifies wireless devices by monitoring wireless packets and classifies them into different categories.
Figure 105 AP classification flow Client classification WIPS classifies detected clients into the following types: • Authorized client—Clients permitted in the WLAN. For example, a client in the permitted device list associated with an authorized AP or a client associated with an authorized AP through an encrypted authentication method. The latter is also added to the permitted device list if authentication is enabled on the AP and non-WEP encryption mode is used.
Figure 106 Client classification flow Wireless attack detection WIPS detects attacks on a wireless network by listening to 802.11 frames and generates alarms to notify the administrator. WIPS supports detection of spoofing, Ad hoc network, prohibited channel, DoS attack, flood attack, and attacks to the WIPS system. Spoofing attack detection In a spoofing attack, the attacker sends frames on behalf of another device.
DoS attack detection WIPS considers attacks to the association tables of the wireless devices as DoS attacks. DoS attacks disable APs from processing client requests by taking advantage of vulnerabilities of WLAN protocols. • Authentication DoS attacks An authentication DoS attack floods the association table of an AP by imitating many clients sending authentication requests to the AP.
AP then sends the buffered data frames to the client. If the client is in power save mode, the data frames are discarded and the client cannot receive any data frames. AP flood The Fake AP tool was originally intended to protect a WLAN: it generates beacon frames that imitate a large number of counterfeit APs so that legitimate APs are hidden among them. However, this tool causes problems such as bandwidth consumption, misleading legitimate clients, and interference with WIPS.
alarms. In addition, you can configure the quiet time after an alarm is generated to avoid generating repeated power saving attack alarms. Power saving attack detection In this attack, an attacker sends a NULL probe response to an AP. As a result, the AP considers that the client is in power saving mode and caches frames for the client. The client cannot obtain the frames because the AP believes it is in power saving mode. The frames are discarded after the aging time.
Redundant IE detection This function applies to all management frames. During packet parsing, if an IE is neither a necessary IE for the packet nor a reserved IE, the packet is determined to be a malformed packet. Invalid packet length detection This function applies to all management frames. After the packet payload is parsed, if the remaining length of the IEs is not zero (the last IE is truncated or the body has trailing bytes), the packet is determined to be a malformed packet.
Invalid disassociation code detection This function applies to disassociation frames. When the reason code of a disassociation frame is 0 or is in the range of 67 to 65535, which are reserved and meaningless values, the packet is determined to be a malformed packet. Oversized SSID detection This function applies to beacon, probe request, probe response, and association request frames. When the length of the SSID in a packet is greater than 32 bytes, the packet is determined to be a malformed packet.
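The four malformed-packet rules above (redundant IE, invalid packet length, invalid disassociation code, oversized SSID) can be reproduced with a small frame-body parser. The following is an added example, not HP code: the frame bodies are constructed inline, and the per-subtype table of "expected" element IDs and the set of IDs treated as "reserved" are assumptions made for illustration, since the page does not list which IEs the sensor considers necessary for each frame type.

```python
"""Malformed 802.11 management frame checks modelled on the WIPS rules above.

Added example, not HP code. EXPECTED_IES and RESERVED_IES are assumptions;
the subtype numbers and fixed-field sizes come from IEEE 802.11.
"""
import struct

# Management frame subtypes (IEEE 802.11 values).
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON, DISASSOC = 0, 4, 5, 8, 10

# Fixed fields before the IEs: beacon/probe resp = timestamp(8)+interval(2)+cap(2),
# assoc req = cap(2)+listen interval(2), probe req = none.
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}

# Assumption for the "redundant IE" rule: element IDs a sensor treats as
# expected per subtype (0 SSID, 1 rates, 3 DS, 5 TIM, 7 country, 48 RSN,
# 50 ext rates, 221 vendor specific).
EXPECTED_IES = {
    BEACON: {0, 1, 3, 5, 7, 48, 50, 221},
    PROBE_REQ: {0, 1, 50, 221},
    PROBE_RESP: {0, 1, 3, 7, 48, 50, 221},
    ASSOC_REQ: {0, 1, 48, 50, 221},
}
RESERVED_IES = set(range(222, 256))  # assumption: unknown-but-reserved, not flagged
SSID_IE, MAX_SSID = 0, 32


def parse_ies(body: bytes):
    """Walk the TLV information elements.

    Returns (ies, leftover): leftover is the number of trailing bytes that do
    not form a complete IE. The invalid-length rule requires it to be zero.
    """
    ies, pos = [], 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):      # declared length runs past the body
            return ies, len(body) - pos
        ies.append((eid, body[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return ies, len(body) - pos


def check_frame(subtype: int, body: bytes) -> list:
    """Return the names of the malformed-packet rules the frame body violates."""
    findings = []
    if subtype == DISASSOC:
        if len(body) < 2:
            return ["invalid-length"]
        reason = struct.unpack_from("<H", body)[0]       # little-endian reason code
        if reason == 0 or reason >= 67:                    # 0 and 67..65535 are reserved
            findings.append("invalid-disassoc-code")
        return findings
    if subtype not in FIXED_LEN:
        raise ValueError(f"unsupported subtype {subtype}")
    ies, leftover = parse_ies(body[FIXED_LEN[subtype]:])
    if leftover:
        findings.append("invalid-length")
    for eid, value in ies:
        if eid == SSID_IE and len(value) > MAX_SSID:
            findings.append("oversized-ssid")
        elif eid not in EXPECTED_IES[subtype] and eid not in RESERVED_IES:
            findings.append(f"redundant-ie:{eid}")
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "good beacon": (BEACON, b"\x00" * 12 + bytes([0, 4]) + b"corp" + bytes([1, 1, 0x82])),
    "33-byte ssid": (BEACON, b"\x00" * 12 + bytes([0, 33]) + b"A" * 33),
    "truncated ie": (BEACON, b"\x00" * 12 + bytes([0, 10]) + b"abc"),
    "disassoc reason 0": (DISASSOC, b"\x00\x00"),
    "disassoc reason 8": (DISASSOC, b"\x08\x00"),
    "probe req with ie 200": (PROBE_REQ, bytes([200, 1, 0xFF])),
}


def scan_samples() -> dict:
    """Run every sample through check_frame; name -> list of findings."""
    return {name: check_frame(st, body) for name, (st, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:24s} {findings or 'ok'}")
```

Note that the parser treats a declared IE length that overruns the body as the invalid-length case; a real sensor would also have to decide whether trailing zero padding counts, which the page does not specify.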
Figure 107 Network diagram Operating in an existing WLAN You can deploy WIPS in an existing WLAN by adding sensors operating in monitor mode, or by configuring APs as sensors operating in hybrid mode, as shown in Figure 108. Figure 108 Network diagram (WIPS AC behind switches; APs, a sensor in monitor mode, and a sensor in hybrid mode) WLAN IPS configuration task list Task Remarks Enabling WIPS Required. Configuring a sensor Required.
Task Remarks Configuring a hotspot list Optional. Configuring an AP classification rule Optional. Configuring an attack detection policy Optional. Configuring a signature rule Optional. Configuring a signature policy Optional. Adding a MAC address to the permitted or prohibited device list Optional. Configuring a permitted channel list Optional. Configuring a virtual security domain Optional. Configuring countermeasures Optional. Configuring an alarm-ignored device list Optional.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter AP template view. wlan ap ap-name model model-name N/A 3. Enter radio view. radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ] The default setting of this command varies by AP model. 4. Configure the operating mode of the sensor. wips detect mode { access-first | detect-first | detect-only | middle } By default, no operating mode is configured for the sensor.
Importing and exporting OUI information An Organizationally Unique Identifier (OUI) is the first three bytes of the MAC address of a device. It identifies the vendor of the device. An AC automatically imports a standard OUI file into the OUI library of WIPS after bootup. You can also write OUI information in the standard OUI file format to a configuration file, and execute the import wips-cfg-file oui command to import that file into the OUI library of WIPS.
Configuring an AP classification rule Perform this task to configure AP classification rules. You can specify a type or severity level for APs matching a classification rule. AP severity levels indicate the impact of potential-authorized APs, potential-rogue APs, potential-external APs, or unrecognized APs to the WLAN. A higher severity level indicates more serious impact to the WLAN. If multiple AP classification rules exist, you can specify their precedence.
Step Command Remarks 11. Match the AP duration. sub-rule duration { greater-than min-value | less-than max-value | between min-value max-value } Optional. 12. Match the number of associated clients. sub-rule client-on-ap { greater-than min-value | less-than max-value | between min-value max-value } Optional. 13. Match the number of APs detected by the current sensor. sub-rule discovered-ap { greater-than min-value | less-than max-value | between min-value max-value } Optional. 14. Match OUIs or vendors.
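The classification rules above (a type and severity per rule, precedence among rules, and duration, client-count, discovered-AP and OUI/vendor sub-rules) amount to an ordered rule engine over observed APs, with the OUI library from the preceding section feeding the vendor match. The following is an added example, not HP code: the rule records, the observed APs, the OUI file snippet (IEEE oui.txt style, with made-up vendor names) and the "lowest precedence number wins, all configured sub-rules must match" semantics are assumptions for illustration.

```python
"""AP classification rules with precedence and OUI/vendor matching.

Added example, not HP code. The OUI snippet, rules and APs are constructed;
precedence and matching semantics are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
import re

# Constructed snippet in the IEEE oui.txt line format; vendor names are
# illustrative and not a claim about who owns these prefixes.
OUI_TEXT = """\
00-00-0A   (hex)\t\tExampleCo Networks
00-00-0B   (hex)\t\tAcme Wireless
"""
OUI_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", re.I)


def load_oui(text: str) -> dict:
    """Parse oui.txt-style lines into {'aa:bb:cc': 'Vendor'}; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            table[":".join(g.lower() for g in m.groups()[:3])] = m.group(4)
    return table


def oui_of(mac: str) -> str:
    """First three bytes of a MAC, normalised to 'aa:bb:cc'."""
    return ":".join(mac.lower().replace("-", ":").split(":")[:3])


def in_range(value: int, cond: tuple) -> bool:
    """cond mirrors the CLI forms: ('greater-than', n), ('less-than', n), ('between', lo, hi)."""
    op = cond[0]
    if op == "greater-than":
        return value > cond[1]
    if op == "less-than":
        return value < cond[1]
    if op == "between":
        return cond[1] <= value <= cond[2]
    raise ValueError(f"unknown operator {op}")


@dataclass
class ObservedAP:
    bssid: str
    duration_s: int       # how long the sensor has seen this AP
    clients: int          # associated clients
    discovered_aps: int   # APs detected by the sensor that reported it


@dataclass
class Rule:
    name: str
    precedence: int       # assumption: lower number is evaluated first
    ap_type: str          # e.g. "authorized", "rogue", "external"
    severity: int = 0
    duration: Optional[tuple] = None
    client_on_ap: Optional[tuple] = None
    discovered_ap: Optional[tuple] = None
    ouis: set = field(default_factory=set)
    vendors: set = field(default_factory=set)

    def matches(self, ap: ObservedAP, oui_table: dict) -> bool:
        """Every configured sub-rule must hold (assumption)."""
        if self.duration and not in_range(ap.duration_s, self.duration):
            return False
        if self.client_on_ap and not in_range(ap.clients, self.client_on_ap):
            return False
        if self.discovered_ap and not in_range(ap.discovered_aps, self.discovered_ap):
            return False
        if self.ouis or self.vendors:
            prefix = oui_of(ap.bssid)
            vendor = oui_table.get(prefix, "")
            if prefix not in self.ouis and vendor not in self.vendors:
                return False
        return True


def classify(ap: ObservedAP, rules: list, oui_table: dict) -> tuple:
    """Return (ap_type, severity, rule_name) of the first rule by precedence that matches."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(ap, oui_table):
            return rule.ap_type, rule.severity, rule.name
    return "unrecognized", 0, None


# Constructed rule set: a long-lived, busy AP outranks vendor trust.
RULES = [
    Rule("long-lived-busy", 10, "rogue", severity=80,
         duration=("greater-than", 3600), client_on_ap=("greater-than", 5)),
    Rule("trusted-vendor", 20, "authorized", vendors={"ExampleCo Networks"}),
    Rule("neighbour-quiet", 30, "external", severity=10,
         client_on_ap=("less-than", 1), discovered_ap=("between", 1, 50)),
]
OUI_TABLE = load_oui(OUI_TEXT)


def classify_all() -> dict:
    """Classify three constructed APs; bssid -> (type, severity, rule)."""
    aps = [
        ObservedAP("00:00:0a:11:22:33", duration_s=100, clients=0, discovered_aps=12),
        ObservedAP("00-00-0B-44-55-66", duration_s=7200, clients=10, discovered_aps=12),
        ObservedAP("00:00:0c:77:88:99", duration_s=5, clients=2, discovered_aps=3),
    ]
    return {ap.bssid: classify(ap, RULES, OUI_TABLE) for ap in aps}


if __name__ == "__main__":
    for bssid, verdict in classify_all().items():
        print(bssid, verdict)
```

The ordering matters: the ExampleCo AP would also satisfy "neighbour-quiet", but "trusted-vendor" has the lower precedence number and wins, which is exactly why the page tells you to set precedence explicitly when several rules can match.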
Step Command 9. Enable reassociation DoS attack detection. detect dos-reassociation [ quiet-time time-value ] 10. Enable authentication DoS attack detection. detect dos-authentication [ quiet-time time-value ] 11. Enable EAPOL-Start DoS attack detection. detect dos-eapol-start [ quiet-time time-value ] 12. Enable AP flooding detection. detect ap-flood [ quiet-time time-value ] 13. Enable weak IV detection. detect weak-iv [ quiet-time time-value ] 14.
Step Command Remarks 22. Enable all detections in the current attack detection policy. detect all Optional. By default, detect all is not enabled. Configuring a malformed packet detection policy This task allows you to configure different malformed packet detection policies for different virtual security domains as needed. To configure a malformed packet detection policy: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter WIPS view.
Step Command Remarks 10. Configure the sensor to send a log or alarm to the AC when it detects an oversized key in an EAPOL frame. detect overflow-eapol-key action { log | trap }* Optional. 11. Configure the sensor to send a log or alarm to the AC when it detects a malformed authentication frame. detect malformed-auth action { log | trap }* Optional. 12. Configure the sensor to send a log or alarm to the AC when it detects a malformed association request frame. detect malformed-assoc-req action { log | trap }* Optional. 13. Configure the sensor to send a log or alarm to the AC when it detects a malformed HT IE.
Step Command 20. Configure the sensor to send a log or alarm when it detects an authentication/association request frame with a broadcast or multicast source address. 21. Configure the sensor to send a log or alarm when it detects a malformed packet of any type specified in the policy. Remarks Optional.
Signature rule ID / Rule name / Description: 2 broadcast_deauth_flood (Detects broadcast deauthentication flood); 3 disassoc_flood (Detects unicast disassociation flood); 4 broadcast_disassoc_flood; 5 eapol_logoff_flood; 6 eap_success_flood; 7 eap_failure_flood; 8 pspoll_flood; 9 cts_flood; 10 rts_flood. Remarks: By default, the track method is per-mac, the statistics collection period is 10 seconds, the maximum matching times is 5, and the quiet time is 900 seconds.
Configuring a signature rule WIPS allows you to configure signature rules, for example, specifying the frame type, MAC address, and SSID for packets, to increase the packet identification and attack detection capabilities of the WIPS system. To configure a signature rule: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter WIPS view. wlan ips N/A 3. Create a signature rule.
Step Command Remarks Optional. 8. Configure the quiet time for the signature rule. quiet-time time By default, the quiet time for a user-defined signature rule is 900 seconds and that for a system-defined signature rule depends on the specific system-defined signature rule. Optional. 9. Match all the criteria in the signature rule. By default, a packet is considered as matching a user-defined signature rule as long as it matches any match criterion of the rule.
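The system-defined flood signatures and the user-defined rule parameters above (match criteria combined with match-any or match-all, per-MAC tracking, a statistics collection period, a maximum matching count, and a quiet time after an alarm) describe a sliding-window counter per source address. The following is an added example, not HP code: the frame records are constructed, and the exact counting semantics (alarm when the matches seen within the period reach the maximum, then suppress that key for the quiet time) are an assumption, since the page does not define them beyond the parameter names.

```python
"""Signature-rule flood detection with per-MAC sliding windows and quiet time.

Added example, not HP code. Frames are constructed; counting semantics
are an assumption stated in the lead-in.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class SignatureRule:
    """criteria is {frame field: required value}; match_all mirrors the
    'match all criteria' step, the default being match-any."""

    def __init__(self, name, criteria, match_all=True, track="per-mac",
                 period=10.0, max_match=5, quiet_time=900.0):
        self.name, self.criteria, self.match_all = name, criteria, match_all
        self.track, self.period = track, period
        self.max_match, self.quiet_time = max_match, quiet_time

    def matches(self, frame: dict) -> bool:
        results = [frame.get(k) == v for k, v in self.criteria.items()]
        return all(results) if self.match_all else any(results)


class FloodDetector:
    def __init__(self, rule: SignatureRule):
        self.rule = rule
        self.hits = defaultdict(deque)   # key -> timestamps inside the period
        self.quiet_until = {}            # key -> time until which alarms are suppressed

    def observe(self, frame: dict, now: float) -> bool:
        """Feed one frame with its timestamp; return True when an alarm is raised."""
        if not self.rule.matches(frame):
            return False
        key = frame["src"] if self.rule.track == "per-mac" else "all"
        if now < self.quiet_until.get(key, float("-inf")):
            return False                                  # inside quiet time
        window = self.hits[key]
        window.append(now)
        while window and now - window[0] >= self.rule.period:
            window.popleft()                              # drop hits outside the period
        if len(window) >= self.rule.max_match:
            window.clear()
            self.quiet_until[key] = now + self.rule.quiet_time
            return True
        return False


# Equivalent of system-defined rule 2 (broadcast_deauth_flood) with the
# default parameters quoted on the page.
BROADCAST_DEAUTH = SignatureRule("broadcast_deauth_flood",
                                 {"type": "deauth", "dst": BROADCAST})


def run_sample() -> list:
    """Constructed capture: one source sends six broadcast deauths in six
    seconds, another sends one every 20 s. Returns [(src, alarm_time)]."""
    attacker, benign = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = [(t, {"type": "deauth", "src": attacker, "dst": BROADCAST}) for t in range(6)]
    frames += [(t, {"type": "deauth", "src": benign, "dst": BROADCAST}) for t in (0, 20, 40)]
    frames.append((2, {"type": "beacon", "src": attacker, "dst": BROADCAST}))  # must be ignored
    detector = FloodDetector(BROADCAST_DEAUTH)
    alarms = []
    for t, frame in sorted(frames, key=lambda item: item[0]):
        if detector.observe(frame, float(t)):
            alarms.append((frame["src"], float(t)))
    return alarms


if __name__ == "__main__":
    print(run_sample())   # the attacker alarms once, at the fifth deauth
```

Only one alarm is raised for the attacker even though it keeps sending: the sixth frame falls inside the 900 s quiet time, which is the behaviour the quiet-time parameter is for. Lowering max_match or widening period makes the rule more sensitive; a match-any rule with the same criteria would also count unicast deauths, which is why the match-all step exists.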
Configuring a signature policy A signature policy contains a set of signature rules. You can configure signature policies and apply them to different virtual security domains as needed. To configure a signature policy: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter WIPS view. wlan ips N/A By default, a virtual security domain uses the signature policy named default. You cannot create or delete the default signature policy. 3. Configure a signature policy.
Configuring a permitted channel list You can configure a permitted channel list in a WLAN, so WIPS will generate alarms when detecting packet transmission on any channel not in the permitted channel list. To configure a permitted channel list: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter WIPS view. wlan ips N/A By default, channels allowed by the current country code are permitted channels. 3. Configure a permitted channel list.
Step / Command / Remarks (continued)
Remarks carried over from the preceding step: By default, a virtual security domain uses the attack detection policy named default.
7. Configure a signature policy for the virtual security domain. Command: signature-policy policy-name. Remarks: Optional.
8. Configure a countermeasures policy for the virtual security domain. Command: countermeasure-policy policy-name. Remarks: Optional. By default, a virtual security domain uses the countermeasures policy named default.
Configuring a countermeasures policy
A countermeasures policy applied to a virtual security domain takes countermeasures against the wireless devices in the static countermeasures list defined by the policy.
To configure a countermeasures policy:
Step / Command / Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Enter WIPS view. Command: wlan ips. Remarks: N/A
3. Configure a countermeasures policy. Command: countermeasure-policy policy-name. Remarks: By default, a countermeasures policy named default exists.
Step / Command / Remarks (continued)
15. Add the MAC address of a wireless device to the static countermeasures address list. Command: countermeasure static mac-address. Remarks: By default, no countermeasures are taken on wireless devices.
Configuring an alarm-ignored device list
For wireless devices in an alarm-ignored device list, WIPS only monitors them but does not generate any alarms for them.
To configure an alarm-ignored device list:
Step / Command / Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Enter WIPS view.
Configuring the information update interval for wireless devices
If you do not configure the information update interval for wireless devices, a sensor notifies the AC to update the wireless device information only when it detects a change in that information, such as the working channel, authentication mode, or security method.
Step / Command / Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Enter WIPS view. Command: wlan ips. Remarks: N/A
3. Configure the interval to re-classify wireless devices. Command: timer reclassification time. Remarks: By default, the interval for WIPS to re-classify the detected APs and clients is 600 seconds.
Configuring the maximum size of WIPS logs
WIPS logs include system event logs and error packet logs. Perform this task to specify the maximum sizes for the two types of logs.
Configuring the WIPS device type for an AP
You can only configure the WIPS device type for authorized APs, external APs, misconfigured APs, and rogue APs.
To configure the WIPS device type for an AP in WIPS view:
Step / Command / Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Enter WIPS view. Command: wlan ips. Remarks: N/A
3. Configure the WIPS device type for an AP.
Task / Command / Remarks
Display statistics about the specified or all entries in the countermeasures list of the specified or all virtual security domains. Command: display wlan ips [ vsd vsd-name ] countermeasure-devices [ static [ countermeasure | pending | idle ] | dynamic [ countermeasure | pending ] | mac-address mac-addr ] [ verbose ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display information about the devices in the specified or all virtual security domains.
Task / Command / Remarks (continued)
Display the WIPS status of the network or the specified virtual security domain. Command: display wlan ips summary [ vsd vsd-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display permitted device list information. Command: display wlan ips trustlist [ static | dynamic | mac-address mac-addr ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display policy information for the specified or all virtual security domains.
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.
WIPS policy application
Network requirements
In an internal wireless network using 802.11g, APs use permitted channels 1, 6, and 11. The network is divided into a lab area and an office area, each of which adopts its own WIPS policies. AP 1, AP 2, AP 3, and AP 4 use permitted channels as their working channels.
# Add channels 1, 6, and 11 to the permitted channel list.
system-view
[AC]wlan ips
[AC-wlan-ips]permit-channel 1 6 11
# Enable WIPS globally.
[AC-wlan-ips]wips enable
[AC-wlan-ips]quit
2. Configure WIPS policies for the lab area:
# Configure sensor 1 to operate in detect-only mode and use 802.11gn.
[AC-wlan-ap-sensor2-radio-2] service-template 1
[AC-wlan-ap-sensor2-radio-2] channel 1
[AC-wlan-ap-sensor2-radio-2] radio enable
[AC-wlan-ap-sensor2-radio-2] quit
[AC-wlan-ap-sensor2] quit
# Configure attack detection policy office to enable Ad hoc detection and prohibited channel detection.
Source:
  Source 1 : c4ca-d9f0-8ba0
VSD: -NA-
Detail Information:
  In the VSD vsd_lab, detect AP invalid OUI 11-11-11, MAC 1111-11f0-43cc.
---------------------------------------------------------------------------------------
The output shows that Sensor 1 detects AP 6 that uses invalid OUI 111111 in virtual security domain vsd_lab.
2. Execute the display wlan ips vsd vsd_lab devices verbose command to display information about the wireless devices in the virtual security domain vsd_lab.
Reported Time : 2013-08-06/16:08:49 - 2013-08-06/16:08:49
Aggregate times : 1
Causer : 000f-e203-3320
Source:
  Source 1 : c4ca-d9f0-8ba0
VSD: vsd_lab
Detail Information:
  In the VSD vsd_lab, detect AP spoofing, MAC 000f-e203-3320.
-------------------------------------------------------------------------------------
The output shows that MAC spoofing is performed on AP 1 with the MAC address 000f-e203-3320 in the virtual security domain vsd_lab.
4.
6. Execute the display wlan ips vsd vsd_office devices verbose command to display information about devices in the virtual security domain vsd_office.
[AC] display wlan ips vsd vsd_office devices verbose
Detected Wireless Devices
-------------------------------------------------------------------------------
VSD: vsd_office
Total Number of APs: 4
-------------------------------------------------------------------------------
BSSID : 0023-54de-ef32
Vendor: Hewlett-Packard Development Company, L.P.
Reporting Sensor : 1
  Sensor 1 : Sensor2    RadioId : 1    RSSI : 14
Last Reported Time : 2013-08-06/16:38:21
Attached Clients : 1
  Client 1 : 0023-54de-ecf2
-------------------------------------------------------------------------------
Total Number of Clients: 2
-------------------------------------------------------------------------------
MAC Address: 0012-f0cc-3f54
Vendor: Intel Corporate
BSSID : 0023-54de-ef32
Status : Active
State : Association
Classification : misassociation
RadioType :
Applied to Countermeasure-policies
Countermeasure records :
  officecmp : 2013-08-06/18:59:42 - 2013-08-06/18:59:42    Pending
-------------------------------------------------------------------------------------
The output shows that in the virtual security domain vsd_office, Client 4 with the MAC address 0012-f0cc-3f54 is classified as a misassociated client, and it is dynamically added to the countermeasures list. The device that takes countermeasures against the client is Sensor 2.
[AC-wlan-ap-sensor1-radio-1]radio enable
[AC-wlan-ap-sensor1-radio-1]quit
[AC-wlan-ap-sensor1]quit
# Create an AP named sensor 2 and configure it to operate in hybrid mode.
duplicated-ie : 0
redundant-ie : 0
invalid-pkt-length : 0
illegal-ibss-ess : 0
invalid-source-address : 0
overflow-eapol-key : 0
malformed-auth : 0
malformed-assoc-req : 0
malformed-ht-ie : 0
large-duration : 0
null-probe-resp : 0
invalid-deauth-code : 0
invalid-disassoc-code : 0
overflow-ssid : 0
fata-jack : 0
[AC] display wlan ips statistics sensor sensor2 malformed-counter
Sensor name: sensor2
In the VSD: VSD_2
Malformation-Specify    Count
------------------
duplicated-ie : 566
redundant-ie : 1255
invalid-pkt-length : 488
illegal-ibss-ess : 154
invalid-source-address : 889
overflow-eapol-key : 463
malformed-auth : 445
malformed-assoc-req : 0
malformed-ht-ie : 789
large-duration : 0
null-probe-resp : 0
invalid-deauth-code : 0
invalid-disassoc-code : 0
overflow-ssid : 0
fata-jack : 878
------------------------------------------------------------------------
5.
6. Enable only sensor 2. The output on the AC shows that the AC has received alarms for malformed packets at specified intervals.
7. Execute the display wlan ips statistics sensor sensor-name malformed-counter command to display malformed packet statistics.
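To make the malformed-counter output above usable for monitoring, here is an added parser (not HP code) that reads one sensor's output, lists the malformation types actually seen, ranks them, and compares two sensors' counters. SAMPLE_OUTPUT is constructed to mirror the layout shown on this page; the exact column spacing of the real command is an assumption.

```python
# Parser for the output of "display wlan ips statistics sensor <name> malformed-counter"
# (added example, not HP code). SAMPLE_OUTPUT is constructed to mirror the layout shown
# on the page; the exact column spacing of the real command is an assumption.
import re

SAMPLE_OUTPUT = """\
Sensor name: sensor2
In the VSD: VSD_2
Malformation-Specify                        Count
------------------------------------------------------------------------
duplicated-ie                             : 566
redundant-ie                              : 1255
invalid-pkt-length                        : 488
illegal-ibss-ess                          : 154
invalid-source-address                    : 889
overflow-eapol-key                        : 463
malformed-auth                            : 445
malformed-assoc-req                       : 0
malformed-ht-ie                           : 789
large-duration                            : 0
null-probe-resp                           : 0
invalid-deauth-code                       : 0
invalid-disassoc-code                     : 0
overflow-ssid                             : 0
fata-jack                                 : 878
------------------------------------------------------------------------
"""

HEADER_RE = re.compile(r"^(Sensor name|In the VSD)\s*:\s*(\S+)")
COUNTER_RE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s*:\s*(\d+)\s*$")


def parse_malformed_counter(text):
    """Return {"sensor": ..., "vsd": ..., "counters": {name: count}} for one sensor."""
    parsed = {"sensor": None, "vsd": None, "counters": {}}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            parsed["sensor" if m.group(1) == "Sensor name" else "vsd"] = m.group(2)
            continue
        m = COUNTER_RE.match(line)
        if m:                                  # one malformation type per line
            parsed["counters"][m.group(1)] = int(m.group(2))
    return parsed


def nonzero_counters(parsed):
    """Malformation types the sensor has actually seen (count > 0)."""
    return {k: v for k, v in parsed["counters"].items() if v > 0}


def top_malformations(parsed, n=3):
    """The n most frequent malformation types, highest count first."""
    return sorted(parsed["counters"].items(), key=lambda kv: kv[1], reverse=True)[:n]


def sensors_differ(parsed_a, parsed_b):
    """Counter names whose values differ between two sensors' outputs (for example a
    quiet sensor with all zeros versus one receiving malformed packets)."""
    names = set(parsed_a["counters"]) | set(parsed_b["counters"])
    return sorted(n for n in names
                  if parsed_a["counters"].get(n, 0) != parsed_b["counters"].get(n, 0))
```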
Aggregate times : 424
Causer : 000e-ff00-0f04
Source:
  Source 1 : 000f-e3a1-a050
VSD: VSD_2
Detail Information:
  In the VSD han, detect the device 000e-ff00-0f04 launching a redundant-ie malformed packet.
---------------------------------------------------------------------------
You can view the log information for the malformed packets through the information center.
[AC-wlan-ips] quit
# Create an AP named sensor and configure the sensor to operate in detect-only mode.
[AC] wlan ap sensor model MSM460-WW
[AC-wlan-ap-sensor] serial-id CN2AD330S9
[AC-wlan-ap-sensor] radio 1
[AC-wlan-ap-sensor-radio-1] wips detect mode detect-only
[AC-wlan-ap-sensor-radio-1] radio enable
[AC-wlan-ap-sensor-radio-1] quit
[AC-wlan-ap-sensor] quit
# Configure signature rule sig1 to detect attacks and collect statistics by MAC address.
Reported Time : 2013-08-07/16:06:17 - 2013-08-07/16:06:17
Aggregate times : 1
Causer : 3ce5-a644-1c50
Source:
  Source 1 : c4ca-d9f0-8ba0
VSD: vsd_1
Detail Information:
  In the VSD vsd_1, detect a disassociation-flood attack to the device 3ce5-a644-1c50.
Optimizing WLAN
Proper channel planning and power control policies during WLAN deployment are important for good performance. However, in live WLAN networks, channel overlapping, collisions, and interference can easily occur because the non-overlapping channels are limited while the number of WLAN devices keeps increasing. This chapter describes a set of features used to improve the quality and stability of live WLAN networks.
Step / Command / Remarks
2. Enable fair scheduling. Command: wlan option fair-schedule enable. Remarks: By default, fair scheduling is disabled.
Ignoring weak signals
When an AP detects weak signals from a remote client, it considers the channel occupied and does not forward other packets. This feature avoids the impact of weak signals by enabling an AP to ignore packets whose signal strength is lower than a specified RSSI.
Enabling traffic shaping based on link status
Clients near an AP have a high RSSI, while clients at the border of the AP's coverage area have a low RSSI. When the network is busy, the weak clients occupy the working channel of the AP for a long time because of their lower speeds, which affects the clients with a good RSSI. The traffic shaping feature identifies the weak clients by checking their signal strength and packet loss ratio.
To enable channel sharing adjustment:
Step / Command / Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Enable channel sharing adjustment and specify the power level. Command: wlan option channel-share power-level. Remarks: By default, the power level is 30. Do not enable channel sharing adjustment and channel reuse adjustment at the same time.
Enabling channel reuse adjustment
CAUTION:
• Do not enable channel sharing adjustment and channel reuse adjustment at the same time.
Step / Command / Remarks (continued)
2. Disable buffering of multicasts and broadcasts. Command: undo wlan option broadcast-buffer enable. Remarks: By default, buffering of multicasts and broadcasts is enabled. Disabling buffering of multicasts and broadcasts improves multicast performance in specific scenarios such as multicast-based training, but clients in sleep state will lose some broadcast and multicast packets.
Enabling per-packet TPC
An AP typically uses a high and fixed transmit power to cover an area as large as possible.
Enabling the AP to receive all broadcasts
This feature enables an AP to receive all broadcasts so that the AP can detect spoofing attacks for all BSSs. Support for this feature depends on the AP model. APs that do not support this feature will ignore this configuration obtained from the AC. Disable this feature when it is not needed because receiving all broadcasts affects the normal operation of an AP.
To enable the AP to receive all broadcasts:
Step / Command / Remarks
1. Enter system view.
Configuring the maximum transmission times for probe responses
This feature reduces the number of probe responses sent by a radio to achieve better performance.
To configure the maximum transmission times for probe responses:
Step / Command / Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Configure the maximum transmission times for probe responses. Command: wlan option probe-response-try trynum. Remarks: By default, the maximum transmission times for probe responses is 2.
Optimizing a high-density WLAN
Network requirements
Deploy a WLAN in a six-floor dormitory building. Each floor has 20 dormitory rooms, and each room has an average of four wireless clients. Deploy four APs on each floor, and connect them to an AC through a Layer 2 switch in the wiring closet of the floor.
[AC-wlan-st-1] quit
3. Configure the APs:
Configure all the APs on the AC. The following takes an AP as an example.
# Create AP template ap1 with the model MSM460-WW, and specify the serial ID as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Apply the service template 1 to radio 1 and enable the radio.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
4.
Figure 113 Network diagram (L2 Switch, Client 1, Client 2, AC, AP 1, AP 2, DHCP server; addresses 10.10.1.1/24 and 10.10.1.2/24)
Configuration procedure
1. Configure IP addresses for devices as shown in Figure 113. (Details not shown.)
2. Configure the AC:
Configure a WLAN service. For more information about WLAN service configuration, see "Configuring WLAN access." The following configures a clear-type WLAN service.
# Create interface WLAN-ESS 1.
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
4. Set the multicast rate for 802.11a and 802.11g packets to 24 Mbps, specify the maximum mandatory MCS index for 802.11n packets as 76, and specify the multicast MCS index for 802.11n packets as 8:
[AC] wlan rrm
[AC-wlan-rrm] dot11a multicast-rate 24
[AC-wlan-rrm] dot11g multicast-rate 24
[AC-wlan-rrm] dot11n mandatory maximum-mcs 76
[AC-wlan-rrm] dot11n multicast-rate 8
[AC-wlan-rrm] quit
5.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid Clear-Test
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
3. Configure the APs:
Configure all the APs on the AC. The following takes an AP as an example.
# Create AP template ap1 with the model MSM460-WW, and specify the serial ID as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Apply the service template 1 to radio 1 and enable radio 1.
Figure 115 Network diagram (L2 Switch, Client 1, Client 2, AC, AP 1, AP 2, DHCP server; addresses 10.10.1.1/24 and 10.10.1.2/24)
Configuration procedure
1. Configure IP addresses and masks for devices as shown in Figure 115. (Details not shown.)
2. Configure the AC:
Configure a WLAN service. For more information about WLAN service configuration, see "Configuring WLAN access." The following configures a clear-type WLAN service.
# Create interface WLAN-ESS 1.
# Create AP template ap2 with the model MSM460-WW, and specify the serial ID as CN2AD330S9.
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S9
# Apply the service template 1 to radio 1 and enable radio 1.
[AC-wlan-ap-ap2] radio 1
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
5. Verify the configuration:
Adjust the locations of APs and clients so that Client 1 and Client 2 can only establish a connection with AP 1 and AP 2, respectively.
[AC-wlan-st-1] ssid Clear-Test
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
3. Configure the APs:
Configure all the APs on the AC. The following takes an AP as an example.
# Create AP template ap1 with the model MSM460-WW, and specify the serial ID as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Apply the service template 1 to radio 1 and enable radio 1.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention / Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.