HP ProCurve Wireless Edge Services zl Module and ProCurve Redundant Wireless Services zl Module Management and Configuration Guide March 2010 Power over Ethernet
ProCurve Wireless Edge Services zl Module and ProCurve Redundant Wireless Services zl Module March 2010 WT.01.
© Copyright 2007-2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents

1 Introduction
Contents 1-1
ProCurve Wireless Edge Services zl Module 1-4
Wireless Networks and WLANs 1-5
The Interface Between the Wireless and Wired Networks 1-7
Layer 2 and Layer 3 Operation

2 Configuring the ProCurve Wireless Edge Services zl Module
Contents 2-1
Management Interfaces 2-5
The Web Browser Interface 2-5
CLI
Viewing NTP Associations and Status 2-158
Viewing Secure NTP Status 2-163
Digital Certificates 2-166
Overview 2-166
Configuring Digital Certificates

Configuring Global WLAN Settings 4-75
Enabling the WLAN 4-76
VLAN Assignment 4-80
WLAN-Based VLAN Assignment 4-82
Identity-Based, or Dynamic, VLAN Assignment

6 IP Services—IP Settings, DHCP, and DNS
Contents 6-1
IP Settings 6-3
Viewing VLAN Interfaces and Enabling Secure Management 6-4
Assigning an IP Address to a VLAN 6-5
Deleting the IP Address Assigned to a VLAN

Configuring ACLs 7-10
Creating ACLs 7-10
Configuring Rules for ACLs 7-13
Applying ACLs to Interfaces 7-26
Using ACLs with DHCP Services

Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X 9-12
Configuring Layer 3 Mobility 9-15
Configuring Layer 3 Mobility Settings 9-16
Specifying Layer 3 Mobility Peers 9-19
Enabling Layer 3 Mobility 9-20
Verifying and Managing Layer 3 Mobility

11 RADIUS Server
Contents 11-1
Overview 11-2
RADIUS Authentication 11-3
Configuring the Internal RADIUS Server 11-4
Enabling Authentication to the Internal Server on a WLAN

Configuring WLAN Memberships 12-78
Exporting and Importing MAC Standard ACLs (Filters) 12-82
Network Self Healing 12-89
Neighbor Recovery 12-89
Interference Avoidance

erase A-21
exit A-22
help A-22
halt A-23
logout

interface A-67
ip (global) A-67
licenses A-71
logging A-72
logout

mac-auth-local A-113
proxy-arp A-114
radio A-114
self-heal A-118
wlan

show redundancy-history A-149
show redundancy-members A-150
show running-config A-151
show securitymgr A-153
show sflow

show wireless unapproved-aps A-180
show wireless web-auth-config A-181
show wireless wireless-module-statistics A-182
show wireless wlan A-183
Support Commands
1 Introduction

Contents
ProCurve Wireless Edge Services zl Module 1-4
Wireless Networks and WLANs 1-5
The Interface Between the Wireless and Wired Networks 1-7
Communicating with RPs: Radio Port VLANs 1-8
Communicating with the Ethernet Network: Uplink VLANs
Traffic Management and QoS 1-46
SVP 1-48
WMM 1-48
WLAN Classification 1-49
Voice Prioritization
Layer 2 and Layer 3 Roaming Between RPs and Modules 1-81
Roaming Between RPs on a Single Wireless Edge Services zl Module 1-81
Roaming Between RPs on Different Wireless Edge Services zl Modules at Layer 2 1-82
Roaming Between RPs on Different Wireless Edge Services zl Modules at Layer 3
Introduction

ProCurve Wireless Edge Services zl Module

The ProCurve Wireless Edge Services zl Module transforms a ProCurve Switch 5400zl Series or ProCurve Switch 8200zl Series into a wireless services-enabled switch. Together with one or more radio ports (RPs), this wireless services-enabled switch creates a Wireless LAN System. With its default RP license, each Wireless Edge Services zl Module can support up to 12 RPs (for a total of 24 radios).
■ receives traffic from wireless stations via RPs and places this traffic into the correct VLAN to be forwarded into the wired network
■ adopts connecting RPs and automatically deploys configurations to them

Depending on how you configure the Wireless Edge Services zl Module, it may also:
■ enforce users’ 802.

A wireless LAN (WLAN), as opposed to a wireless network, refers more precisely to a set of wireless stations that connect to one or more RPs using the same SSID, or network name. (For a more technical definition of a WLAN, as well as its relation to an SSID, an extended service set (ESS), a basic service set (BSS), and a basic SSID (BSSID), see “ESS” on page 1-55.)

After bridging the traffic to the VLAN, the Wireless Edge Services zl Module can handle the traffic in a variety of ways at both Layer 2 and Layer 3. You will learn about these capabilities later in this chapter; first you must understand more precisely how the module joins the wireless and wired networks, receiving and forwarding traffic on its downlink and uplink ports.

Note
The rule that the Wireless Edge Services zl Module receives RP traffic on its downlink port and a Radio Port VLAN has one exception. When an RP is adopted at Layer 3, it can communicate with the module on either the uplink or the downlink port. The only rule for the VLAN on which an RP is adopted at Layer 3 is that this VLAN be tagged on only one of the internal ports.

Figure 1-1. Auto-Provisioned Radio Port VLANs

Note
If, for whatever reason, you do not want an RP placed in the default Radio Port VLAN, you can manually create a different Radio Port VLAN on the wireless services-enabled switch. (In this case, you should turn off auto-provisioning.) The instructions in “Manually Establishing a Radio Port VLAN” on page 1-9 apply to a wireless services-enabled switch as well as to an infrastructure switch.

The wireless services-enabled switch still uses auto-provisioning to create VLAN 2100 and tag the module’s internal downlink port for this VLAN. However, you must configure the infrastructure switch’s port that connects to the RP as an untagged member of the Radio Port VLAN. Remember that the external switch interfaces that link the infrastructure switch and the wireless services-enabled switch must also carry traffic on the Radio Port VLAN.

Although it is usually a good idea to use auto-provisioning on the wireless services-enabled switch and to create the same Radio Port VLAN on the infrastructure switches that directly connect to RPs, you can use any valid VLAN numbers for Radio Port VLANs. Simply remember to tag the Wireless Edge Services zl Module’s downlink port for that VLAN. In Figure 1-3, the network administrator has decided to use VLAN 300 for one of the RPs.

Note
You might also need to perform some configuration tasks on the wireless services-enabled switch, such as raising the maximum number of VLANs. (See the management and configuration guide for your zl switch.)

Dynamically Establishing a Radio Port VLAN. If the RP authenticates itself to a RADIUS server, this server may send a dynamic VLAN assignment to the switch to which the RP connects.

By default, the only uplink VLAN is VLAN 1, and the module’s internal uplink port is tagged for this VLAN. As for any switch port, you must tag the uplink port for other VLANs if you want the module to forward network traffic in those VLANs. The Wireless Edge Services zl Module never forwards untagged traffic to the wireless services-enabled switch. However, you do not have to tag the uplink for every VLAN that you create on the module.
Figure 1-5. Routing Traffic to VLANs Used on the Wired Network

Forwarding Traffic Between the Wireless Network and the Ethernet Network

In summary, the Wireless Edge Services zl Module follows this process to forward traffic that is sent from wireless stations (via RP radios) into the Ethernet network:
1. The module receives wireless traffic on its internal downlink port in a Radio Port VLAN.
2.

4. The module determines whether it is acting as the router for this traffic and takes action accordingly:
a. If the module is acting as router (that is, the frame’s destination MAC address belongs to the module), the module looks up the route for the packet’s destination. However, before forwarding the traffic, the module applies any controls, such as manual IP ACLs, configured on the VLAN on which the traffic arrived. (See “ACLs” on page 1-38.)

4. The module encapsulates the 802.11 frame. The encapsulation header includes a tag for the Radio Port VLAN specified for the radio to which the destination station has associated.
5. The module forwards the traffic toward its destination on its downlink port.

Layer 2 and Layer 3 Operation

You have been introduced to how the Wireless Edge Services zl Module receives, processes, and forwards traffic.

The module can also act at Layer 3 on traffic received on its uplink port, which can be tagged for one or several VLANs.

Note
Never tag the internal uplink and the downlink ports for the same VLAN.

In total, the Wireless Edge Services zl Module can support up to eight VLAN interfaces with IP addresses and Layer 3 functionality.

The module then forwards the traffic to the wireless services-enabled switch at Layer 2, and the same devices that route and control traffic from traditional users can handle traffic from the wireless users. In this scenario, the module may perform few or none of the Layer 3 functions listed in “Wireless Edge Services zl Module Operations” on page 1-16.

■ Configure that VLAN on wired infrastructure devices. The devices should be able to route traffic in and out of the VLAN.
■ Tag the Wireless Edge Services zl Module’s uplink port for the VLAN.

Figure 1-8 shows a wireless network that separates VLANs used on the wireless network from VLANs used on the wired network. In this network, wired devices route traffic from the wireless network.

Figure 1-7.

Figure 1-8 shows a wireless network that separates VLANs used on the wireless network from VLANs used on the wired network. In this network, the Wireless Edge Services zl Module routes traffic from the wireless network.

Figure 1-8.

Note
The instructions in the rest of this section are based on the assumption that the same VLAN ID corresponds to the same subnetwork throughout your network. This assumption is usually, but not always, true. The important consideration for roaming is that modules assign traffic in the same WLAN to the same subnetwork. Sometimes, however, your network design makes it impossible for modules to forward traffic on the same subnetworks.

Figure 1-9. Designing VLANs for a Wireless Network That Includes Multiple Modules

Now that you have considered the services that your Wireless Edge Services zl Module should provide, you can start to look at individual services in more detail. The following sections describe the capabilities of the module, including, in addition to the Layer 3 services introduced above, the module’s many capabilities in securing and managing the wireless network.
DHCP Services

The Wireless Edge Services zl Module can provide one of these DHCP services on any VLAN interface to which you have assigned a static IP address:
■ DHCP server—The module issues configurations (which are stored in a network pool) to stations in the VLAN. You can configure up to one network pool for each VLAN. You can also create host pools, each of which contains a fixed address for a single device.

A Wireless Edge Services zl Module supports three types of authentication:
■ 802.1X authentication
■ Web-Auth
■ RADIUS MAC authentication

Alternatively, the Wireless Edge Services zl Module can allow stations to connect to a WLAN without authenticating formally. In this case, an encryption key usually acts as a password. The authentication types are implemented as part of a WLAN’s settings.

4. If the user sends the correct credentials (which may take various forms, including a digital certificate or a username and password), the RADIUS server sends an authentication acknowledgement.
5. If you have configured the WLAN to use encryption, the authentication process includes generating a per-session encryption key for WEP or a pairwise (per-user) master key (PMK) for WPA.

Figure 1-10 illustrates the Web-Auth process.

Figure 1-10. Web-Auth Process

After users authenticate, the Wireless Edge Services zl Module can control users’ network access with dynamic ACLs stored in the external RADIUS server’s database (perhaps configured with software such as ProCurve IDM). You can also control the VLAN associated with Web-Auth with manual ACLs.

You can add either WEP or WPA/WPA2 encryption to a WLAN that uses Web-Auth. Users must then know the encryption key in order to connect to the network and even reach the login page.

MAC Authentication. The Wireless Edge Services zl Module can also control which wireless stations connect to a WLAN according to their MAC, or hardware-based, addresses. This option is best suited for small networks and for devices without user interfaces.

The module processes ACLs in order of index number, stopping when it first finds a match. It filters out any stations selected by a deny list before these stations associate with a particular WLAN. The module allows all stations either selected by an allow list or not selected by any list to associate. Whether the station can forward traffic in the WLAN depends on whether it completes any further authentication required by the WLAN.

Note
• EAP-Transport Layer Security (TLS)
• EAP-Tunneled TLS (TTLS)
• PEAP with Microsoft CHAP version 2 (MS-CHAP v2)
• EAP-Subscriber Identity Module (SIM)
• EAP-Generic Token Card (GTC)

In 802.1X, the supplicant and the authentication server, not the authenticator, agree on the EAP method.

EAP Methods. This section gives a brief overview of common EAP methods so that you can choose the method best for your environment. EAP-TLS uses digital certificates and an automatic TLS handshake to authenticate both stations and servers. This method requires a full public key infrastructure (PKI). EAP-TTLS and PEAP support wireless stations that do not use digital certificates.

Encryption Options for WLANs

A wireless network is an open medium. Anyone with a wireless network interface card (NIC) can intercept traffic and attempt to read it. Encryption, therefore, is required for any degree of security.

Table 1-2 lists the encryption options that are available with each authentication option.

Table 1-2. Options for Authentication and Encryption on the Wireless Edge Services zl Module
Columns: Authentication Option | Encryption Options | Name of Security Provided
802.1X:
• dynamic WEP
• WEP with 64-bit or 128-bit keys
• WPA/WPA2 with 802.1X
• WPA/WPA2:
– with TKIP
– with AES
– with both TKIP and AES (802.
Controlling Traffic with Policies

To this point, the overview of the Wireless Edge Services zl Module’s security capabilities has focused on the security that the module provides in the wireless network.

The Wireless Edge Services zl Module can read these attributes from an external RADIUS server:
■ VLAN assignment
■ ACL
■ rate limit, which applies to ingress traffic (traffic from the wireless station to the network)

Remember that the Wireless Edge Services zl Module can also act as a RADIUS server. The module supports only dynamic VLAN assignments on its internal RADIUS server.

Controlling Traffic Manually. You can also control traffic according to manually created rules on the Wireless Edge Services zl Module; however, such policies are generally less flexible. You can control these settings:
■ VLAN assignment—When configuring VLAN assignments manually, you must assign an entire WLAN to the same VLAN. For example, suppose users A, B, and C connect to WLAN 1.

Wireless Edge Services zl Module Firewall

The section above introduced you to the idea of controlling traffic with policies. The Wireless Edge Services zl Module’s firewall is one of the components that helps you to do so. The module’s firewall examines routed packets.

You should take these steps to ensure that a firewall screens traffic in between a WLAN and your private, wired network:
1. Map the WLAN to a VLAN ID that exists only on the Wireless Edge Services zl Module (or possibly on this module and other modules that support the same WLAN).
2. Enable routing on the Wireless Edge Services zl Module. The module should route all wireless traffic destined to the private network.

Figure 1-14. Setting up VLANs to Ensure the Firewall Checks Wireless Traffic

ACLs. In addition to screening traffic for signs of an attack, the Wireless Edge Services zl Module’s firewall can enforce policies that you create. These policies are called ACLs, and they affect traffic inbound on an interface.

Note
IP ACLs applied to VLAN interfaces only affect traffic routed to another VLAN. ACLs applied to physical interfaces affect all inbound traffic.

MAC extended ACLs, like MAC standard ACLs, filter traffic according to information in the Layer 2 header. However, the extended ACL provides many more options for filters, including destination MAC address, 802.1p priority value, and the type of encapsulated protocol. For example, you can permit IPv4 traffic but drop IPv6 traffic. The IP ACLs operate at Layer 3. A standard IP ACL filters traffic according to source IP address only.

■ The Wireless Edge Services zl Module receives the traffic on its uplink port from the wireless services-enabled switch; the traffic is tagged for the VLAN interface.

You can apply one IP ACL and one MAC extended ACL to each physical interface. The two physical interfaces are the internal uplink and downlink ports. The ACL applies to all traffic that arrives on the port in any VLAN.
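As an added illustration (not code from this guide or from the module itself), the following Python models the ACL behaviour described under “MAC Authentication” and in the ACLs note above: first-match evaluation in index order, MAC lists that allow any station no list selects, and IP ACLs that are consulted only for routed traffic when bound to a VLAN interface but for all inbound traffic when bound to a physical port. The rule and packet structures, the mask convention, and the implicit-deny default for IP ACLs with no matching rule are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Added example, not HP's implementation. Rule shapes, the mask convention
# (ff bits must match) and the implicit-deny IP default are assumptions.


@dataclass(frozen=True)
class MacRule:
    index: int
    action: str                       # "permit" (allow list) or "deny" (deny list)
    mac: str
    mask: str = "ff:ff:ff:ff:ff:ff"   # assumption: set bits must match exactly


@dataclass(frozen=True)
class IpRule:
    index: int
    action: str                       # "permit" or "deny"
    src_net: str                      # standard IP ACL: source address only


@dataclass(frozen=True)
class Packet:
    in_port: str       # "uplink" or "downlink": the module's two physical ports
    in_vlan: int
    src_ip: str
    routed: bool       # True when the frame's destination MAC is the module's own


def _mac_bits(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_list_decision(rules: Iterable[MacRule], station_mac: str) -> str:
    """MAC authentication lists: evaluate in index order and stop at the
    first match. A station selected by no list may associate (permit)."""
    for rule in sorted(rules, key=lambda r: r.index):
        mask = _mac_bits(rule.mask)
        if (_mac_bits(rule.mac) & mask) == (_mac_bits(station_mac) & mask):
            return rule.action
    return "permit"


def ip_acl_decision(rules: Iterable[IpRule], src_ip: str,
                    default: str = "deny") -> str:
    """Standard IP ACL: first match by index number on the source address.
    The guide does not state the no-match result; implicit deny is assumed."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.index):
        if addr in ipaddress.ip_network(rule.src_net, strict=False):
            return rule.action
    return default


def acl_consulted(scope: str, target, packet: Packet) -> bool:
    """Is an ACL bound to this interface applied to this packet?
    VLAN interface: only traffic the module routes out of that VLAN.
    Physical port: every inbound frame on that port, whatever its VLAN."""
    if scope == "vlan":
        return packet.in_vlan == target and packet.routed
    if scope == "port":
        return packet.in_port == target
    raise ValueError(f"unknown ACL scope {scope!r}")


def firewall_decisions(bindings, packet: Packet) -> List[Tuple[str, object, str]]:
    """bindings: (scope, target, rules) triples. Returns the verdict of every
    binding that is consulted for the packet; an empty list means no ACL saw it."""
    return [(scope, target, ip_acl_decision(rules, packet.src_ip))
            for scope, target, rules in bindings
            if acl_consulted(scope, target, packet)]


# Constructed sample configuration (not from the guide).
MAC_LISTS = [
    MacRule(10, "deny", "00:11:22:00:00:00", "ff:ff:ff:00:00:00"),  # deny one OUI
    MacRule(20, "permit", "00:11:22:33:44:55"),  # never reached: index 10 matches first
]
WLAN_ACL = [IpRule(10, "deny", "10.1.0.0/16"), IpRule(20, "permit", "0.0.0.0/0")]
BINDINGS = [("vlan", 300, WLAN_ACL), ("port", "uplink", WLAN_ACL)]

if __name__ == "__main__":
    print(mac_list_decision(MAC_LISTS, "00:11:22:33:44:55"))
    bridged = Packet("downlink", 300, "10.1.5.5", routed=False)
    routed = Packet("downlink", 300, "10.1.5.5", routed=True)
    print(firewall_decisions(BINDINGS, bridged), firewall_decisions(BINDINGS, routed))
```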
NAT. NAT, another function the Wireless Edge Services zl Module’s firewall offers, modifies addresses in packets’ IP headers. The module supports NAT on both source addresses and destination addresses. The Wireless Edge Services zl Module has the following capabilities:
■ Dynamic source NAT with port mapping—The module translates multiple source addresses to a single new address, which is one of the module’s own IP addresses.

all private source addresses to a single public IP address that is known on the Internet. If hosts on the Internet need to access a device in your private network, such as a Web server, the NAT device performs destination NAT in the other direction, translating traffic destined for the publicly known IP address to the correct private IP address.
Digital signatures, created by a public-private key pair, authenticate data. To create the digital signature, a key pair relies on asymmetric encryption, which means that data encrypted by a private key is decrypted by the corresponding public key. A host “signs” data by encrypting it with its private key—something only that host can do because only it knows the private key.

■ HTTPS access—The module’s server certificate authenticates the module to your Web browser.
■ RADIUS authentication services—802.1X authentication with EAP requires mutual authentication. In other words, the module’s internal RADIUS server must send a server certificate and authenticate to supplicants.

Figure 1-16 illustrates which traffic is affected by each QoS mechanism.

Figure 1-16. QoS Mechanisms Supported by the Wireless Edge Services zl Module

This chapter will discuss these features at a high level; to learn how to configure them, see Chapter 4: “Wireless Local Area Networks (WLANs).”

SVP

SVP maintains a high QoS in the wireless network, specifically for VoWLAN devices that are SVP-capable.

WMM

WMM is a more comprehensive QoS solution because it can provide differentiated handling for any type of traffic based on its priority. Like 802.1p and Differentiated Services (DiffServ) in Ethernet networks, WMM divides traffic into multiple priority queues and then assigns different settings to each queue.

WLAN Classification

WMM allows RPs to queue frames according to priority marking. Alternatively, RPs can place all traffic that is destined to stations associated with a particular WLAN in the same queue. The four queues are the same as the four access categories (ACs) for WMM (Voice, Video, Best Effort, and Background), and the RPs use the same parameters for transmitting traffic in those queues that they would use for WMM.

RP Licensing

Each Wireless Edge Services zl Module (J9051A) includes an RP license, allowing it to adopt and manage up to 12 RPs. This nonremovable RP license ships with the module.

Note
Because an RP can include two built-in radios, the Wireless Edge Services zl Module can manage up to twice as many radios as it can adopt RPs. With the default RP license, the module can manage up to 24 radios.

Table 1-4.
Introduction Radio Ports Radio Ports Because the RPs are a critical component of the wireless network—establishing the actual radio signal and transmitting wireless traffic to and from stations—you should understand how these RPs function. The Wireless Edge Services zl Module can manage the following ProCurve RPs: ■ RP 210—includes one 802.11bg radio. The radio has two omnidirectional diversity antennas. ■ RP 220—includes two radios, one 802.11a and one 802.11bg.
Introduction Radio Ports 802.11 Overview 802.11 is the IEEE standard for wireless networks. It specifies Physical Layer standards such as radio channel frequencies and the modulation techniques used to encode data. At the Data Link Layer, the standard also specifies the format for 802.11 frames. At its most fundamental level, an 802.11 network can be defined as a set of devices that communicates over the same medium.
Introduction Radio Ports The 802.11a standard enables data rates from 6.0 Mbps to 54 Mbps, depending on the quality of the signal level. Overhead and competition for the shared medium often lowers actual throughput to about half the theoretical data rate. The second radio on the RP 220 and on the RP 230 supports 802.11a. 802.11b. This standard defines the Physical Layer for wireless networks that operate in the 2.4 GHz band—one of the radio bands available to any private entity.
Introduction Radio Ports The second radio on the RP 220 and on the RP 230 supports 802.11a. 802.11 Frames In addition to Physical Layer standards, 802.11 defines Data Link Layer standards. 802.
Figure 1-18. BSS A BSS operates in infrastructure mode, which means that instead of communicating directly with each other, wireless stations communicate with an RP. This is the typical mode for a wireless network used to grant mobile users access to an Ethernet network, as well as the mode in which the ProCurve RPs operate. (See Figure 1-19.) A wireless station must send all traffic to its RP. The RP can then forward the traffic to another station in the BSS.
Figure 1-19. Infrastructure Mode BSSID The BSSID is the RP’s MAC address in a BSS. (See Figure 1-18.) Wireless stations in a BSS address all frames to the BSSID. ESS An ESS is a set of BSSs that share a common network name, or SSID. An ESS may consist of many RPs, and on the Physical Layer each of these RPs manages a different shared medium. However, logically all of the RPs and the stations they support are part of the same network, identified by the same SSID.
Figure 1-20. ESS Similarly, when configuring the Wireless Edge Services zl Module, you are often more interested in the WLAN to which users connect than in the particular RP to which a user connects at any given moment. SSID Versus BSSID As indicated above, the SSID identifies a group of BSSs that make up a single WLAN. Management frames such as beacons, probe responses, and association requests carry this SSID; data frames are addressed by BSSID.
It is important to understand the relationship between SSIDs and BSSIDs. An SSID identifies a WLAN; the two are connected with a one-to-one correspondence. As a MAC address, a BSSID identifies an RP in that WLAN, one of the perhaps many RPs that offer wireless stations a connection to that WLAN. Like switches that can carry traffic for multiple VLANs, most RPs, including the ProCurve RPs, can support multiple WLANs, each of which is identified by its own SSID.
The two radios on a single RP generally support the same WLANs, as shown in Table 1-5. However, using advanced mode configuration, you can enable different WLANs on an RP’s two built-in radios; in this case, a single RP with two radios can support up to 32 WLANs. Using advanced mode configuration raises several concerns that are discussed in Chapter 4: “Wireless Local Area Networks (WLANs).
For example, WLAN 1 and WLAN 5 have been assigned to the same BSSID. The RP advertises the SSID for WLAN 1 in the beacon frame from that BSSID, but not the SSID for WLAN 5. However, if a wireless station sends a probe request for WLAN 5’s SSID, the RP responds, and the station can associate. In other words, WLAN 1 operates in open system, and WLAN 5 operates in closed system. Note that a closed-system SSID is not a security control: the RP still discloses it in probe responses, so anyone monitoring the channel can learn it. Protect the WLAN with authentication and encryption, not by hiding its name.
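To make the open-system versus closed-system distinction concrete, the following added example (written for this page; it is not code from the HP manual or from the module) builds and parses the body of 802.11 beacon and probe-response management frames, the part of the frame that carries the SSID element. It shows what a station, or anyone sniffing the channel, sees for a BSSID that beacons WLAN 1's SSID but only answers probes for WLAN 5's. The SSIDs, channel, and capability bits are constructed test values; the zero-length SSID case goes slightly beyond the text and covers the common way an AP hides a closed-system network in its beacons.

```python
"""Added example, not part of the HP manual: build and parse the body of
802.11 beacon and probe-response management frames to show what a station
(or an attacker sniffing the channel) actually sees for an open-system and a
closed-system WLAN sharing one BSSID.

Frame layout (IEEE 802.11 management frame body):
  timestamp (8 bytes) | beacon interval (2) | capability info (2) |
  then a sequence of information elements: element ID (1) | length (1) | data
The SSID element has ID 0; the DS Parameter Set (channel) has ID 3.
All frames below are constructed test data; the SSIDs are made up.
"""
import struct
from typing import Dict, List, Optional, Tuple

IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMETER = 3
FIXED_FIELDS = struct.Struct("<QHH")  # timestamp, beacon interval (TU), capability


def build_body(ssid: Optional[bytes], channel: int, interval_tu: int = 100) -> bytes:
    """Build a beacon/probe-response body. ssid=None emits a zero-length SSID
    element, the common way an AP hides a closed-system network in beacons."""
    capability = 0x0431  # ESS | privacy | short preamble | short slot time (constructed)
    fixed = FIXED_FIELDS.pack(0, interval_tu, capability)
    ies = b""
    ies += bytes([IE_SSID, 0]) if ssid is None else bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mb/s basic rates
    ies += bytes([IE_DS_PARAMETER, 1, channel])
    return fixed + ies


def parse_body(body: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Return (beacon_interval, capability, [(element_id, data), ...]).
    Parsing stops at the first element whose declared length runs past the
    end of the body, so a truncated or malformed frame cannot over-read."""
    if len(body) < FIXED_FIELDS.size:
        raise ValueError("management frame body shorter than fixed fields")
    _timestamp, interval, capability = FIXED_FIELDS.unpack_from(body, 0)
    elements: List[Tuple[int, bytes]] = []
    pos = FIXED_FIELDS.size
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):
            break  # malformed element: declared length exceeds the frame
        elements.append((eid, body[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return interval, capability, elements


def ssid_of(body: bytes) -> Optional[str]:
    """SSID advertised in the frame, or None when the element is absent or
    zero-length (a closed-system network hidden from beacons)."""
    for eid, data in parse_body(body)[2]:
        if eid == IE_SSID:
            return data.decode("utf-8", errors="replace") if data else None
    return None


def channel_of(body: bytes) -> Optional[int]:
    """Channel from the DS Parameter Set element, or None if it is missing."""
    for eid, data in parse_body(body)[2]:
        if eid == IE_DS_PARAMETER and len(data) == 1:
            return data[0]
    return None


def what_a_sniffer_learns(frames: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map a label for each captured frame to the SSID it discloses."""
    return {label: ssid_of(body) for label, body in frames.items()}


if __name__ == "__main__":
    # Constructed capture: one BSSID carrying WLAN 1 (open system, "corp-staff")
    # and WLAN 5 (closed system, "corp-iot"). The beacon carries only WLAN 1's
    # SSID; the probe response to a station asking for WLAN 5 carries WLAN 5's.
    capture = {
        "beacon": build_body(b"corp-staff", channel=6),
        "probe_response_wlan5": build_body(b"corp-iot", channel=6),
    }
    for label, ssid in what_a_sniffer_learns(capture).items():
        print(f"{label:22s} -> {ssid!r}")
```

The point of the last function is the one the text makes: the closed-system SSID never appears in the beacon, but the moment a legitimate station probes for it the probe response puts it on the air, where the same parser recovers it.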
Masters communicate with managed stations; they do not communicate with each other. In other words, one RP does not send traffic to another RP, but simply relays traffic from wireless stations toward the Wireless Edge Services zl Module and from the module back to wireless stations. The Wireless Edge Services zl Module collects traffic from one or more RPs.
■ used by its 802.11 mode ■ allowed by the regulatory rules in its country For instructions on configuring a radio as a detector, see Chapter 12: “Wireless Network Management.” Configuring the ProCurve RPs The RPs 210, 220, and 230 do not include a management interface. You configure these devices by configuring the Wireless Edge Services zl Module, which automatically deploys configurations to adopted RPs.
Therefore, you can configure radio settings in two ways: for all RP radios or for particular radios. The Wireless Edge Services zl Module handles all WLAN settings. Indeed, one of the advantages of the Wireless Edge Services zl Module is that you can more quickly and easily establish a WLAN throughout an entire wireless network. (If necessary, you can use advanced mode configuration to disable a WLAN on a particular RP. See Chapter 4: “Wireless Local Area Networks (WLANs).
Setting                  802.11a   802.11bg
DTIM period (beacons)    2         2
Self healing offset      0         0
In the Web browser interface, you change these configurations from the Network Setup > Radio Adoption Defaults screen, as described in Chapter 3: “Radio Port Configuration.” You can then save these settings as customized radio adoption default configurations. If you make a change to the radio adoption default configuration, the change only takes effect for newly adopted RPs.
only the higher data rates of 802.11g, but a radio in another area, which includes 802.11b stations, to operate in mixed mode. Or, you might want to dedicate a single RP as a detector. In such circumstances, you can configure settings that apply only to a particular radio or radios. The module then deploys this new configuration to the targeted radios.
■ Hello messages—signal the RP’s presence and desire to be adopted. The hellos, which are Layer 2 broadcasts, ensure that the Wireless Edge Services zl Module detects the RP even if intervening switches do not support LLDP. ■ 802.1X EAP messages—authenticate the RP to the network (see “802.1X Client” on page 1-70 for more information). The Radio Port VLAN must be properly established in order for the discovery messages to reach the module.
Figure 1-22. Communications Between an RP and the Wireless Edge Services zl Module If you must place your RP on a different subnetwork from the Radio Port VLAN, the messages listed above fail to receive a response from the Wireless Edge Services zl Module.
Figure 1-23.
When a Wireless Edge Services zl Module receives an adoption request from an unadopted RP—whether as a broadcast or as a targeted message—the module must decide whether or not to adopt the RP. You can configure the module to automatically adopt any identified, nonconfigured RP. The simple plug-in installation makes this option ideal, as long as your organization secures access to its network devices. If it does not, disable automatic adoption and adopt RPs by MAC address instead (see “Radio Port Adoption” in Chapter 2).
Figure 1-24. Deploying a Configuration Managing RPs in a Self-Healing Network A Wireless Edge Services zl Module collects a variety of information from managed RPs. For example, RPs configured as detectors report information about neighboring APs. The module then processes this information into lists of authorized and unauthorized APs, according to rules that you configure.
The Wireless Edge Services zl Module also collects information about the wireless network in order to improve its functioning. For example, if you enable interference avoidance, the module has RPs change their channel when they report excessive congestion. Intrusion detection is one useful self-healing feature. The Wireless Edge Services zl Module can also implement neighbor recovery and create a highly available, self-healing network.
RP Deployment Requirements This section provides a brief overview of features on the ProCurve RPs that affect their deployment. For information about installing your RPs, refer to the appropriate Installation and Getting Started Guide. Power over Ethernet (PoE) PoE, based on the IEEE 802.3af standard, defines a mechanism by which a device receives power over the Ethernet cable on which it also sends and receives data. ProCurve RPs 210, 220, and 230 must be powered by PoE.
Redundancy Groups A good network design builds in redundancy so that, in the unlikely event of a hardware or link failure, users continue to access the resources that they need.
Rules of Redundancy Groups A redundancy group consists of up to 12 members; each member is either a primary module or a redundant module. Up to four modules can be installed in the same wireless services-enabled switch. Within the redundancy group, you can combine primary and redundant modules in any proportion. For example, you could have two primary modules and one redundant module; or you could group three primary modules and four redundant modules.
Redundancy Group Operation Modes Group members can operate in either active mode or standby mode. The type of module (primary or redundant) has no relation to the operation mode. You can place a primary module in standby mode, or more typically, you can place a redundant module in active mode. An active redundant module adds capacity by load balancing RPs with other members of the group.
Figure 1-25. Redundancy Module Adopting RPs To provide consistent service, the standby member continues to support the RPs even after the active member comes back up.
Remember that standby members support all the same services as the active members, so you must configure the same wireless settings on all members of a redundancy group. A simple way to ensure successful failover is to upload one module’s configuration onto each other module, edit the configuration with module-specific settings (such as IP address and redundancy group settings), and save the edited configurations.
Layer 2 and Layer 3 Roaming Between RPs and Modules One of the principal attractions of wireless networking is the mobility that it offers users, and users often want to roam farther than the range of a single radio. The 802.11 standard gives guidelines for roaming between the coverage areas, or cells, provided by two APs (or RPs), but leaves the implementation largely to the makers of wireless network interface cards (NICs).
In other words, the module functions much like a single, high-capability AP with many remote radios (the RPs). Therefore, when a station disassociates from one RP and reassociates with another RP adopted by the same module, the module already has in place the association, the authentication, and the encryption keys. The roam is fast and seamless. The Wireless Edge Services zl Module also supports these 802.
PMK caching speeds roaming only if the Wireless Edge Services zl Module already has a PMK for the station. To create this PMK, the station must complete 802.1X authentication. Traditionally, 802.1X authentication occurs only when the station actually associates to one of the module’s RPs. To speed roaming, the station can complete 802.1X authentication to a module in advance, before roaming.
into different VLANs, complicating the roaming process. When a station roams to an RP adopted by a different module, the station’s IP address is no longer valid, and the station loses its active sessions. Wireless Edge Services zl Modules use network, or Layer 3, roaming to solve this problem. Figure 1-26 illustrates a network that requires Layer 3 roaming.
correctly place WLAN A traffic on different VLANs. If both used the same VLAN ID, the modules would treat roaming between their RPs as Layer 2 roaming and the roaming would not be seamless. To implement Layer 3 roaming, Wireless Edge Services zl Modules perform these functions: ■ Establish a Layer 3 mobility domain—A domain can include up to 12 modules, or peers, each of which can support up to 4096 stations.
2 Configuring the ProCurve Wireless Edge Services zl Module Contents Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 The Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Determining the Dynamic IP Address or Assigning a Static Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . .
Controlling Management Access to the Module . . . . . . . . . . . . . . . . . . . . 2-27 Enabling HTTP and HTTPS Access to the Module . . . . . . . . . . . . . . 2-27 Choosing SNMP Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 Setting Up the Internal FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32 Changing the Password for the Default SNMP v3 Users (Operator or Manager) . . . . . . . . .
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-86 Viewing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-87 Transferring, or Copying, Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-89 Transferring Configuration Files from an FTP or TFTP Server to the Wireless Edge Services zl Module . . . . . . . . . . . . . . . .
Enabling Secure Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . 2-138 Secure NTP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-138 NTP Modes and Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 2-139 NTP Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-139 Secure NTP Enhancements . . . . . . . . . . . . . . . . .
Management Interfaces To configure and manage the ProCurve Wireless Edge Services zl Module, you can use one of the following management interfaces: ■ Web browser interface—Accessed through a Web browser, this intuitive interface provides comprehensive information to help you manage and monitor your company’s wireless services. The menus and online help guide you through configuration steps.
Determining the Dynamic IP Address or Assigning a Static Address Initially, you must access the Wireless Edge Services zl Module through the CLI of the wireless services-enabled switch zl—either to determine the IP address that is assigned to the module through a Dynamic Host Configuration Protocol (DHCP) server or to assign the module a static IP address.
You access the Wireless Edge Services zl Module CLI with the same rights (either manager or operator) that you have to the switch CLI. For example, when you enter the wireless-services command from the switch enable mode context, you also enter the module enable mode context: ProCurve(wireless-services-C)# Determine the IP Address Assigned by the DHCP Server.
Note Be careful when you change the default gateway IP address. The Wireless Edge Services zl Module allows you to set more than one default gateway (and default route). However, only the gateway configured first is active. Therefore, you cannot change the gateway by simply re-entering the ip default-gateway command. Instead, first delete the old gateway; then specify the new gateway.
Accessing the Web Browser Interface You can access the Web browser interface in one of two ways: ■ Enter the IP address (or hostname) assigned to the Wireless Edge Services zl Module as the URL in your Web browser ■ Access the Web browser interface for the wireless services-enabled switch Entering the IP Address in a Web Browser.
Accessing the Web Browser Interface for the Wireless Services-Enabled Switch. You can also access the module’s Web browser interface from the Web browser interface for the wireless services-enabled switch. (Like the module’s Web browser interface, the switch’s Web browser interface uses Java applets.) To access the switch’s Web browser interface, enter the IP address for the management interface as the URL in your Web browser.
Logging In to the Web Browser Interface Whichever way you attempt to access the Web browser interface, you are prompted to enter a username and password. (See Figure 2-2.) Figure 2-2. Logging In to the Module’s Web Browser Interface In the Username field, enter manager, and in the Password field, enter the default password procurve. (The Wireless Edge Services zl Module also supports the operator user.
Overview of the Web Browser Interface The Web browser interface includes a navigation bar on the left. (See Figure 2-3.) Using this navigation bar, you can access: ■ Information screens that help you manage and troubleshoot your wireless services ■ Configuration screens that allow you to tailor wireless services for your particular environment Navigation bar Figure 2-3.
■ running-config—When the Wireless Edge Services zl Module loads the startup-config, all the configurations become part of the running-config, which is held in RAM. When you make and apply configuration changes in the Web browser interface, these changes become part of the running-config as well.
Save changes to startup-config Remove unapplied changes Apply changes to running-config Access online help Figure 2-4. Applying or Saving Changes Logging Out or Refreshing the Screen In addition to the Save link, the Web browser interface includes three links at the top of the screen: ■ Refresh—updates the screen with current information ■ Support—links you to ProCurve Networking’s Web site at www.hp.
Figure 2-5. Help Navigator Screen From the Help Navigator screen, you can select one of the following tabs: ■ Content—The Content tab provides a list of available topics. You simply double-click a topic to view the Help information. ■ Search—The Search tab allows you to enter keywords or Boolean expressions to find all the information about a specific topic.
Using Filtering Options Filtering allows you to limit the amount of data displayed on a configuration screen by narrowing the criteria for the rows that are displayed. You can use the filtering options on certain configuration screens in order to list items that meet certain criteria. Screens that can be filtered contain a Show Filtering Options link, as shown in the example in Figure 2-6. Figure 2-6.
Filters affect the display. The filter selects rows according to values in columns. For example, you can filter the Network Setup > WLANs screen to display rows only for those WLANs that list Web-Auth in the Authentication column. Click the Show Filtering Options link to begin creating a filter. Figure 2-7.
When you select two criteria, you must use Boolean operators to link the two: ■ AND—Only rows that match both criteria display. ■ OR—Rows that match either or both criteria display. In the fields to the right of the drop-down menus (see Figure 2-7 on page 2-17), you create the actual filter. The format for the filter depends on the type of column: ■ Match operators—for columns that include a string.
Figure 2-8. Filtering Options WLANs Example 2. In the Filter Options section, on the first line, use the first drop-down menu to select the criterion for the filter. The drop-down menu includes the name of every column in the screen. In the example in Figure 2-8, you can select from Index, Enabled, SSID, and so on. 3.
4. If you are also filtering for a second criterion, on the second line, use the drop-down menu to select the Boolean operator for linking the two criteria: • AND—to list items that meet the criteria on both lines • OR—to list items that meet the criteria on either line The OR operator is not an “exclusive OR” operator; it will list items that meet the criteria on either or both lines. 5.
6. After you set the filter criteria, click the Filter Entire Table button. Only the rows that match the filter are now listed on the screen. If you want, you can refine your filter criteria and click the Filter Entire Table button again. Note Throughout the Wireless Edge Services zl Module interface (whether or not you are using filtering), you can sort data lines by clicking on the respective column headings.
When you are prompted for a password, enter the password for the manager user on the wireless services-enabled switch. Accessing the Switch CLI Through a Telnet or SSH Session You can also use a Telnet or SSH application to access the CLI for the wireless services-enabled switch. For instructions on establishing a Telnet or SSH session, see the management and configuration guide for your switch.
From the enable context, you can enter show commands to view information about the Wireless Edge Services zl Module, and you can perform some operations such as erasing the startup-config file and copying configuration files to and from the module. To make configuration changes, however, you must move to the global configuration context.
Security In addition to supporting the latest security standards for wireless communications, the Wireless Edge Services zl Module allows you to secure management access. To protect communications between the Wireless Edge Services zl Module and your management workstation, the module supports HTTPS (HTTP over Secure Sockets Layer, SSL) and SNMP v3.
SNMP Communities. SNMP v1/v2c uses communities to control various types of management access. In order for an SNMP v1/v2c management station to access the SNMP agent running on a device such as the Wireless Edge Services zl Module, the station must know at least one of the community names configured on the device. Each community name is assigned an access control: read-only or read-write. Because SNMP v1/v2c sends community names in cleartext, treat them as passwords that anyone who can capture management traffic can read, and prefer SNMP v3 where your management tools support it.
■ Operator—The operator has read-only access, which means the operator can only view information. When a user accesses the Web browser interface using the operator name and password, buttons (such as Apply or Edit) that allow you to make configuration changes are unusable. (These buttons are dimmed or missing from the screen, as shown in Figure 2-10.
Controlling Management Access to the Module This section teaches you how to control Web management access to the Wireless Edge Services zl Module.
Figure 2-11. Management > Web Access Control Screen 2. Uncheck the Enable HTTP box to disable insecure HTTP access to the Wireless Edge Services zl Module. Check the box to re-enable this server. 3. Uncheck the Enable HTTPS box to disable HTTPS access to the Wireless Edge Services zl Module. Check the box to re-enable this server. 4.
By default, the HTTPS server submits the self-signed certificate in the default trustpoint. The HTTPS Trustpoint drop-down menu includes this trustpoint and any other trustpoint configured on the module. The drop-down menu also includes the option. Select this option to open the Certificates Wizard, which guides you through the process of creating or installing a certificate.
Figure 2-12. Management > Web Access Control Screen 2. Uncheck the Enable SNMP v2 box to disable SNMP v2 access to the Wireless Edge Services zl Module. Check the box to re-enable such access. 3. Uncheck the Enable SNMP v3 box to disable SNMP v3 access to the Wireless Edge Services zl Module. A screen is displayed, warning you that disabling SNMP v3 locks you out of the Web browser interface.
Figure 2-13. Disable SNMP V3 Warning If you are sure that you want to disable SNMP v3 and Web access, click the Yes button. You have one more chance to change your mind: you must click the Apply button in the Management > Web Access Control screen to actually disable the server. 4. Configure other SNMP options: a.
Setting Up the Internal FTP Server The Wireless Edge Services zl Module includes an FTP server, which can send files stored in the module’s flash memory to FTP clients. For example, you could upload a configuration file directly from one module to another—eliminating the middle step of transferring the file to an external FTP server. Because FTP carries the login and the transferred files (including configuration files) in cleartext, enable the server only while you need it and reach it only over a trusted management network. The FTP server has these properties: ■ Port—The server listens on the standard FTP port, 21.
Browse button Figure 2-14. Setting Up the Internal FTP Server 3. In the Password box, enter a string, which can include alphanumeric and special characters. 4. In the Root Dir field, specify the name of the directory with the files that clients will request. For example, enter flash:/. The module searches for files in the flash directory.
To use the Browse button to select the root directory, follow these steps: 1. Click the Browse button next to the Root Dir field. The Select Directory file screen is displayed. This screen displays three buttons, one for each of the Wireless Edge Services zl Module’s three file systems: 2.
3. In the left section, select the directory in which the Wireless Edge Services zl Module searches for requested files. Click the directory once to choose the directory. Its name is displayed in the field at the bottom of the screen. Click the directory twice to view and select subdirectories within that directory.
Table 2-1. Default Passwords for the Operator and Manager Users
User       Password
operator   operator
manager    procurve
To protect your network, you should change the passwords for both users. Because the usernames and passwords are managed through SNMP v3, you must select a password that meets SNMP v3 standards: the password must be at least eight characters. The password does not only authenticate the user.
Figure 2-17. Management > SNMP Access > V3 Screen 2. Select the username that you want to modify, and then click the Edit button. The Edit SnmpV3 screen is displayed.
Figure 2-18. Edit SnmpV3 Screen for “manager” User 3. In the Old Password field, enter the current password. 4. In the New Password and Confirm Password fields, enter the new password. 5. Click the OK button.
Changing Passwords for the Default Users Through Web-User Settings. To change the passwords for the manager or operator user through their Web-User settings, follow these steps: 1. Select Management > Web-Users > Local Users. Figure 2-19. Default Users in the Management > Web-Users > Local Users Screen 2. Select the user for which you want to change the password. 3. Click the Edit button. The Edit User screen is displayed.
Figure 2-20. Editing a Web-User 4. In the Password and Confirm Password fields, enter a new password between 8 and 32 characters. The password can include spaces and special characters. 5. Click the OK button. 6. Click the Save link to copy these changes to the Wireless Edge Services zl Module’s startup-config.
Web-User Roles.
– install licenses
– add digital certificates
– configure SNMP and system logging
• set up secure NTP (Special > Secure NTP screens)
■ WebUser Administrator—add guest user accounts to the Wireless Edge Services zl Module’s internal RADIUS database. The database must already include at least one guest group. ■ SuperUser—complete read-write access to the module. The default user account, manager, has this role.
Figure 2-21. Management > Web-Users > Local Users Screen 2. Click the Add button. The Add User screen is displayed.
Figure 2-22. Adding a Web-User 3. In the User Name field, enter a string between 1 and 28 characters. You can include spaces and special characters. 4. In the Password and Confirm Password fields, enter a password between 8 and 32 characters. The password can include spaces and special characters. 5. Check the boxes in the Associated Roles section to assign one or more roles to this user.
■ The user’s password is at least 8 characters. SNMP v3 requires a password of at least this length. Your RADIUS server, however, may or may not enforce such a requirement. (For example, the Wireless Edge Services zl Module’s internal server does not.) Check the accounts for users that need management access to the module and, if necessary, set a new password of the correct length.
Syntax: aaa authentication login default local Then configure at least one user in the local list: Syntax: username password The password must be between 8 and 32 characters. Then assign the user rights sufficient to correct the problem.
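The account rules scattered across the preceding sections (default credentials, the 1 to 28 character username and 8 to 32 character password limits for local Web-Users, the SNMP v3 minimum of 8 characters that also applies to RADIUS-authenticated management logins, and the requirement that every user hold at least one role) are easy to get wrong one at a time. The following added example, written for this page and not taken from the HP manual or the module, collects them into a single audit you can run over an exported account list before the RADIUS lockout scenario above happens. The accounts in sample_users() are constructed; the role name Monitor for the read-only operator is an assumption, since the manual names only the SuperUser and WebUser Administrator roles here.

```python
"""Added example, not part of the HP manual: audit management accounts for a
Wireless Edge Services zl Module against the rules the manual states, before
you find out the hard way that a RADIUS login silently fails.

Rules taken from the manual:
  * Default users and passwords: manager/procurve and operator/operator.
  * Web-user names: 1 to 28 characters (spaces and special characters allowed).
  * Web-user passwords: 8 to 32 characters.
  * The manager and operator users live in SNMP v3, which needs >= 8 characters.
  * RADIUS-authenticated management users also need >= 8 character passwords;
    the module applies the SNMP v3 minimum even if the RADIUS server does not.
  * Each web user must hold at least one role (SuperUser, WebUser Administrator, ...).
The account list in sample_users() is constructed test data.
"""
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_CREDENTIALS = {"manager": "procurve", "operator": "operator"}
MIN_PASSWORD_LEN = 8         # SNMP v3 minimum, applied to every management login
MAX_LOCAL_PASSWORD_LEN = 32  # limit on the Management > Web-Users > Local Users screen
MAX_USERNAME_LEN = 28


@dataclass
class ManagementUser:
    name: str
    password: str
    roles: List[str] = field(default_factory=list)
    source: str = "local"    # "local" (module's own user list) or "radius"


def check_user(user: ManagementUser) -> List[str]:
    """Return the problems found for one account (an empty list means clean)."""
    problems: List[str] = []
    if DEFAULT_CREDENTIALS.get(user.name) == user.password:
        problems.append("factory default password still set")
    if not 1 <= len(user.name) <= MAX_USERNAME_LEN:
        problems.append(f"username length {len(user.name)} outside 1..{MAX_USERNAME_LEN}")
    if len(user.password) < MIN_PASSWORD_LEN:
        problems.append(
            f"password shorter than {MIN_PASSWORD_LEN} characters; "
            + ("RADIUS login to the module will fail" if user.source == "radius"
               else "below the SNMP v3 minimum")
        )
    if user.source == "local" and len(user.password) > MAX_LOCAL_PASSWORD_LEN:
        problems.append(f"password longer than {MAX_LOCAL_PASSWORD_LEN} characters")
    if not user.roles:
        problems.append("no role assigned; the user cannot do anything")
    return problems


def audit(users: List[ManagementUser]) -> Dict[str, List[str]]:
    """Audit every account; the result maps each problematic username to its findings."""
    findings: Dict[str, List[str]] = {}
    for user in users:
        problems = check_user(user)
        if problems:
            findings[user.name] = problems
    return findings


def sample_users() -> List[ManagementUser]:
    """Constructed accounts, not real credentials."""
    return [
        ManagementUser("manager", "procurve", ["SuperUser"]),
        ManagementUser("operator", "0p3rator-readonly", ["Monitor"]),  # role name assumed
        ManagementUser("helpdesk", "guest1", ["WebUser Administrator"], source="radius"),
        ManagementUser("netops", "c0rrect horse battery", ["SuperUser"]),
    ]


if __name__ == "__main__":
    for name, problems in audit(sample_users()).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

Run against the sample list, the audit flags manager for the unchanged factory password and helpdesk because a six-character RADIUS password cannot satisfy the module's SNMP v3 minimum; the other two accounts pass.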
3. Choose the primary authentication method from the Preferred method drop-down menu. You can choose local (which is the list of local users configured on the Local Users tab) or radius. 4. If you want to use both authentication methods, choose the other method from the Alternate method drop-down menu. If the preferred method fails, the alternate is attempted.
Figure 2-24. Specifying the RADIUS Server To Authenticate Web-Users b. Specify the server’s IP address in the Radius Server IP Address field. c. Enter your server’s port in the Radius Server Port field. Typically, enter 1812. The valid range is from 0 to 65535. d. In the next field, specify the number of times that the module attempts to contact the RADIUS server if it does not receive a reply.
8. Click the Save link to copy these changes to the Wireless Edge Services zl Module’s startup-config. Logging In to the Module as a WebUser Administrator WebUser Administrators, with their very limited rights, access a single screen, from which they can manage guest accounts on the local RADIUS database. Note A guest account is a temporary user account, and the user must belong to a guest group.
Configuring the ProCurve Wireless Edge Services zl Module Management Interfaces Figure 2-25. Guest Registration Screen From this screen, the WebUser Administrator can: ■ create guest accounts ■ view all guest accounts ■ delete guest accounts ■ print records for the guest accounts added during the current management session Creating Guest Accounts on the Local RADIUS Database Follow these steps to add a guest user account: 1.
Configuring the ProCurve Wireless Edge Services zl Module Management Interfaces Figure 2-26. Creating a Guest Account as a WebUser Administrator 2. Enter the username in the User Name field. The username can be up to 64 characters and can include alphanumeric and special characters. Alternatively, click the Create button to have the Wireless Edge Services zl Module OS automatically generate a random username. 3. In the Password field, enter the user’s password.
Configuring the ProCurve Wireless Edge Services zl Module Management Interfaces 4. In the User Group drop-down menu, select the name of a guest group policy. The group policy determines the days of the week and the times of day at which the user is allowed to access the network. The group policy can also dictate a dynamic VLAN assignment. (However, dynamic assignment must be enabled on the WLAN to which the guest connects for this setting to take effect.) The WebUser Administrator cannot create groups.
Configuring the ProCurve Wireless Edge Services zl Module Management Interfaces 7. The interface asks you to confirm the creation of the account. Click the Yes button. At any time before you submit the guest account, you can click the Clear button to erase the settings. When you are finished managing the guest accounts, click the Logoff link. You do not need to take any further step to save your changes to the startup-config.
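The guest account rules described above (account validity period, group policy days and hours, optional dynamic VLAN that only applies when the WLAN allows it), as an added Python illustration that is not ProCurve code; the group name, VLAN number, username and dates are constructed.

```python
"""Evaluate whether a guest account may access the network at a given moment.

Added illustration, not ProCurve code: it models the rules the guide gives
for guest accounts on the local RADIUS database. An account has a start and
an end time, and its guest group policy limits access to certain days of the
week and hours of the day and may carry a dynamic VLAN assignment that only
takes effect when dynamic assignment is enabled on the WLAN.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class GuestGroupPolicy:
    name: str
    allowed_days: FrozenSet[int]   # 0 = Monday ... 6 = Sunday
    window_start: time             # first time of day at which access is permitted
    window_end: time               # end of the daily window (exclusive)
    vlan: Optional[int] = None     # dynamic VLAN, if the policy assigns one


@dataclass(frozen=True)
class GuestAccount:
    username: str
    group: GuestGroupPolicy
    starts: datetime
    expires: datetime


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str
    vlan: Optional[int] = None     # VLAN to assign, or None for the WLAN default


def in_daily_window(policy: GuestGroupPolicy, t: time) -> bool:
    """True when t falls inside the policy's daily window.

    A window whose start is later than its end (for example 22:00 to 06:00)
    wraps past midnight; the weekday check uses the calendar day of the
    instant being evaluated.
    """
    if policy.window_start <= policy.window_end:
        return policy.window_start <= t < policy.window_end
    return t >= policy.window_start or t < policy.window_end


def evaluate_guest_access(account: GuestAccount, now: datetime,
                          wlan_dynamic_vlan: bool = False) -> AccessDecision:
    """Apply the account's validity period first, then its group policy."""
    if now < account.starts:
        return AccessDecision(False, "account is not yet active")
    if now >= account.expires:
        return AccessDecision(False, "account has expired")
    policy = account.group
    if now.weekday() not in policy.allowed_days:
        return AccessDecision(False, f"day not permitted by group {policy.name}")
    if not in_daily_window(policy, now.time()):
        return AccessDecision(False, f"time outside the window of group {policy.name}")
    # The policy's VLAN is only honoured when the WLAN allows dynamic assignment.
    vlan = policy.vlan if wlan_dynamic_vlan else None
    return AccessDecision(True, "access permitted", vlan)


# Constructed sample data (hypothetical group name, VLAN, username and dates).
BUSINESS_HOURS = GuestGroupPolicy(
    name="guests-business-hours",
    allowed_days=frozenset({0, 1, 2, 3, 4}),   # Monday to Friday
    window_start=time(8, 0),
    window_end=time(18, 0),
    vlan=30,
)
NIGHT_SHIFT = GuestGroupPolicy("guests-night", frozenset(range(7)), time(22, 0), time(6, 0))

VISITOR = GuestAccount(
    username="visitor01",
    group=BUSINESS_HOURS,
    starts=datetime(2010, 3, 15, 9, 0),    # a Monday
    expires=datetime(2010, 3, 22, 17, 0),
)


def check_visitor(iso_timestamp: str, wlan_dynamic_vlan: bool = True) -> AccessDecision:
    """Convenience wrapper: evaluate the sample account at an ISO 8601 instant."""
    return evaluate_guest_access(VISITOR, datetime.fromisoformat(iso_timestamp), wlan_dynamic_vlan)


def window_open_at(policy: GuestGroupPolicy, iso_timestamp: str) -> bool:
    """Convenience wrapper around in_daily_window for an ISO 8601 instant."""
    return in_daily_window(policy, datetime.fromisoformat(iso_timestamp).time())


if __name__ == "__main__":
    for when in ("2010-03-15T10:00", "2010-03-16T20:00", "2010-03-20T10:00", "2010-03-23T10:00"):
        d = check_visitor(when)
        print(when, d.allowed, d.reason, d.vlan)
```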
Figure 2-27. Viewing and Deleting Guest Accounts as the WebUser Administrator 3. The screen displays a list of all guest user accounts and the start and end time for these accounts. When you select an account, the Assigned Groups section displays the group of which the user is a member. 4. To delete a user, select the user and click the Delete button. 5.
Printing Records of Guest Accounts You can also print records of guest accounts. A record includes: ■ the username ■ the password (in plaintext) ■ the time and date at which the account starts and expires You can only print accounts created during the current management session. This requirement protects guest users’ passwords.
2. Click the Print link at the top of the screen. The Print screen is displayed. If you have not yet created a guest account, you receive an error message. You must click the Submit button before you can print the record of an account. Figure 2-29. Printing a User Record 3. From the drop-down menu, choose the username for the account that you want to print. The account information is displayed below. 4.
Radio Port Adoption By default, the Wireless Edge Services zl Module automatically adopts radio ports (RPs) that it detects on the network. For more security, you can disable automatic RP adoption and configure the module to adopt only those RPs for which you manually enter the Media Access Control (MAC) address.
■ The Wireless Edge Services zl Module’s downlink port must be a tagged member of the Radio Port VLAN (by default, VLAN 2100). ■ The switch port that connects to the RP must be an untagged member of the Radio Port VLAN. ■ Each switch interface that carries traffic between the RP and the module must be either a tagged or untagged member of the Radio Port VLAN, as your network requires.
Figure 2-31. RPs Attached to the Wireless Services-Enabled Switch Are Automatically Assigned to a Radio Port VLAN Attaching RPs to Infrastructure Switches If you connect an RP to an infrastructure switch, rather than to the wireless services-enabled switch, the VLAN memberships are not automatically created on the infrastructure switch.
Figure 2-32. Radio Port VLAN for an Indirectly Connected RP Instead of using the default Radio Port VLAN, you can use any VLAN in your network—even a VLAN that is used to transmit wired traffic. In this case, you must manually tag the downlink port for this VLAN and configure other switch ports for this VLAN as described above.
Note Generally, you should simply assign RPs to the default Radio Port VLAN ID (2100). Assigning RPs to a VLAN also used in your Ethernet network can introduce problems because you must never tag both the uplink and the downlink port for the same VLAN. Such a configuration would cause the Wireless Edge Services zl Module to ignore the downlink port. Figure 2-33.
Note You might also need to perform some configuration tasks on the wireless services-enabled switch, such as raising the maximum number of VLANs.
Figure 2-34. RPs Requiring Layer 3 Adoption An RP first attempts to be adopted at Layer 2. If Layer 2 adoption fails, the RP initiates Layer 3 adoption. The RP sends a DHCP request so that it can begin to communicate at Layer 3. After receiving an IP address, the RP attempts to contact the Wireless Edge Services zl Module at Layer 3.
■ the correct bootloader code The bootloader code allows the RP to request a DHCP configuration and contact the Wireless Edge Services zl Module at Layer 3. If the RP did not ship with this code, it must first be adopted at Layer 2 by a Wireless Edge Services zl Module. The instructions for enabling Layer 3 adoption explain how to determine your RP’s bootloader code version and, if necessary, update the code.
Note If a firewall separates your RPs from your Wireless Edge Services zl Module, you must ensure that this firewall allows the RPs’ adoption messages. The RPs send these messages on UDP port 24576; do not filter this port. The next sections describe in more detail the two strategies for enabling Layer 3 adoption of RPs.
Figure 2-35. Checking an RP’s Bootloader Code Through the Module’s Web Browser Interface (callout: Boot code) With the new bootloader code, the RP can complete Layer 3 adoption. You can now install the RP in its final location, and as long as you set up the other requirements described below, the RP will be adopted at Layer 3. 2.
10.4.1.30 10.4.1.40 10.4.2.35 4. Ensure that all necessary helper addresses are in place in your network infrastructure so that the RP’s DHCP request can reach the server. 5. Ensure that the RP’s default gateway can reach the IP addresses specified in option 189. 6.
Figure 2-36. Checking an RP’s Bootloader Code Through the Module’s Web Browser Interface (callout: Boot code) With the new bootloader code, the RP can complete Layer 3 adoption. You can now install the RP in its final location, and as long as you set up the other requirements described below, the RP will be adopted at Layer 3. 2.
b. Access the module CLI and enter these commands: ProCurve(wireless-services-C)# configure ProCurve(wireless-services-C)(config)# wireless ProCurve(wireless-services-C)(config-wireless)# radio dns-name [XX:XX:XX:XX:XX:XX] Replace the name argument with the name specified for the module on the DNS server. The name can be up to 127 characters.
Figure 2-37. Verifying Layer 3 Adoption in the Device Information > Radio Adoption Statistics (callout: This RP was adopted at Layer 3) The screen should list the Layer 3 RP just as it lists other RPs. However, the IP Address field shows the Layer 3 RP’s IP address. (This field shows N/A for Layer 2 RPs.) Note The IP address is for informational purposes only.
There is one possible drawback to automatically adopting RPs, however. The Wireless Edge Services zl Module could potentially adopt an unauthorized RP. This unauthorized RP would be treated exactly as an authorized RP, receiving settings for your network’s WLANs and sending traffic into the Ethernet network.
Configuring Manual Adoption for RPs To manually adopt RPs, you must edit the global settings for RPs. Complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. Figure 2-38. Network Setup > Radio Screen 2. Click the Global Settings button. The Global screen is displayed.
Figure 2-39. Network Setup > Radio > Global Settings Screen 3. Uncheck the Adopt unconfigured radios automatically box. 4. Click the OK button to apply the change to the running-config. 5. Find the MAC address of the RPs that you want to manually adopt by selecting Device Information > Radio Adoption Statistics and clicking the Unadopted tab. The unadopted RPs and their MAC addresses are listed on this screen. 6.
Figure 2-40. Device Information > Radio Adoption Statistics Screen 7. Click the Adopt button at the bottom of the screen. The Add Radio screen is displayed. Figure 2-41.
8. If you selected an unadopted RP before clicking the Add button, the RP MAC Address field displays the MAC address of that RP. Otherwise, enter the RP’s Ethernet MAC address. 9. In the Radio Settings section, check the boxes for the radio types that you want—802.11a or 802.11bg (or both). 10. For each radio type that you select, in the corresponding Radio Index field, enter a number to identify this RP.
2. In the RP MAC Address field, enter the MAC address for the RP’s Ethernet interface. 3. In the Radio Settings section, check the boxes for the radio types that you want—802.11a or 802.11bg (or both). 4. For each radio type that you select, in the corresponding Radio Index field, enter a number to identify this RP. 5. Click the OK button.
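With automatic adoption disabled, the Unadopted tab lists every RP the module has seen; the following added Python script (not ProCurve code) reconciles that list with an inventory of RPs you own and produces the MAC address and Radio Index values to enter on the Add Radio screen, flagging any RP that is not yours instead of adopting it. The text layout of the Unadopted tab, the MAC addresses, locations and radio indexes are all constructed.

```python
"""Reconcile the module's Unadopted RP list against an approved inventory.

Added illustration, not ProCurve code. With automatic adoption disabled, the
module lists RPs it has seen but not adopted on the Device Information >
Radio Adoption Statistics > Unadopted tab. This script takes that list
(constructed here as text; the real screen's layout may differ), compares
each MAC address with an inventory of RPs the organisation owns, and returns
the values to enter on the Add Radio screen for known RPs plus an alert for
any RP that is not in the inventory.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon form; accepts 00-11-22-33-44-55 and 0011.2233.4455 too."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class ApprovedRP:
    mac: str                       # Ethernet MAC address of the RP
    location: str
    radio_index: Dict[str, int]    # Radio Index per radio type ("802.11a", "802.11bg")


@dataclass
class AdoptionPlan:
    adopt: List[Tuple[str, Dict[str, int]]] = field(default_factory=list)  # (MAC, radio indexes)
    unknown: List[str] = field(default_factory=list)                       # MACs to investigate


def parse_unadopted(text: str) -> List[str]:
    """Return the MAC addresses from a text dump of the Unadopted tab.

    Constructed format: one RP per line with the MAC address first; remaining
    columns are ignored, blank lines and a header line starting with "MAC"
    are skipped, and a malformed MAC raises ValueError rather than being guessed.
    """
    macs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("MAC"):
            continue
        macs.append(normalize_mac(line.split()[0]))
    return macs


def plan_adoption(unadopted: List[str], inventory: List[ApprovedRP]) -> AdoptionPlan:
    """Known RPs go to the adopt list with their Add Radio values; others are alerts."""
    approved = {normalize_mac(rp.mac): rp for rp in inventory}
    plan = AdoptionPlan()
    for mac in unadopted:
        rp = approved.get(mac)
        if rp is None:
            plan.unknown.append(mac)      # not ours: leave unadopted and locate the device
        else:
            plan.adopt.append((mac, dict(rp.radio_index)))
    return plan


# Constructed sample: hypothetical MAC addresses, locations and radio indexes.
INVENTORY = [
    ApprovedRP("00-11-22-AA-BB-01", "North building, floor 1", {"802.11a": 1, "802.11bg": 1}),
    ApprovedRP("00-11-22-AA-BB-02", "North building, floor 2", {"802.11bg": 2}),
]

UNADOPTED_TAB = """\
MAC Address         Model       Status
00:11:22:aa:bb:01   200-series  unadopted
00:11:22:aa:bb:02   200-series  unadopted
00:11:22:cc:dd:99   200-series  unadopted
"""


def plan_for_sample() -> AdoptionPlan:
    return plan_adoption(parse_unadopted(UNADOPTED_TAB), INVENTORY)


if __name__ == "__main__":
    plan = plan_for_sample()
    for mac, indexes in plan.adopt:
        print("adopt", mac, indexes)
    for mac in plan.unknown:
        print("ALERT: unknown RP seen on the network, not adopted:", mac)
```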
Figure 2-44. Radio Configuration Radio Settings (callout: Set the adoption preference ID to match the module that should adopt the RP.) Then enter a value from 1 to 65535 in the Adoption Preference ID field. Match the ID that you set for the Wireless Edge Services zl Module that should adopt this RP. Remember: RPs do not store their own radio configurations; they receive them from a Wireless Edge Services zl Module.
For a more efficient alternative, have one module pre-adopt all RPs and edit the radio configurations on that module. Then copy those configurations to other modules in the Wireless LAN System. For more information on configuring adoption preference IDs, see “Setting up Adoption Preference IDs to Control RP Adoption” on page 10-23 of Chapter 10: “Redundancy Groups.”
The default username and password on all ProCurve 200 Series RPs are admin and procurve. ProCurve Networking suggests that you use pre-adoption to change these settings, using a Wireless Edge Services zl Module to load new credentials on your organization’s RPs. You can then move these RPs to their final locations and be sure that only these RPs can connect to your network. Configuring 802.
Figure 2-46. Configure Port Authentication Screen 4. Either check the Use Default Values box to use the default username and password (username: admin; password: procurve), or, in the Username and Password fields, enter the username and password that you want to use. 5. Click the OK button, and then click the OK button on the Global screen.
System Maintenance The Web browser interface allows you to manage: ■ software images ■ configuration files ■ SNMP support ■ password encryption Software Images The Wireless Edge Services zl Module maintains two software images: ■ primary ■ secondary Typically, the primary image loads when the Wireless Edge Services zl Module is rebooted.
Viewing the Software Images To view the version of the primary and secondary images, access the Management > System Maint.—Software screen. (See Figure 2-47.) Figure 2-47. Management > System Maint.—Software Screen The Management > System Maint.—Software screen includes the following fields: ■ Image—This field indicates whether the image is the primary or secondary image.
■ Built Time—This field reports the date and time that this software image was created. ■ Install Time—This field reports the date and time that this software image was updated on the Wireless Edge Services zl Module. Selecting the Software Image That Is Used to Reboot You can specify which software image the Wireless Edge Services zl Module will use the next time it is rebooted—the primary or the secondary.
Figure 2-49. Management > System Maint.—Software Screen 2. Click the Global Settings button at the bottom of the screen. The Software Global Settings screen is displayed. Figure 2-50. Global Settings Screen for Software 3. Uncheck the Enable Image Failover box, and then click the OK button. The change is applied to the running-config.
4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Manually Updating the Software Image ProCurve Networking periodically updates the software image for the Wireless Edge Services zl Module. You can configure the module to automatically contact an Update Server and download the new image when the module is rebooted, or you can manually update the image.
6. In the Port field, if needed, change the port number for your FTP or TFTP server. In most cases, the defaults (port 21 for FTP, port 69 for TFTP) should apply to your server. 7. In the IP Address field, enter the IP address of the FTP or TFTP server. 8. If you are using an FTP server, enter the login credentials for that server: a. In the User ID field, enter the username. b. 9.
Table 2-3. Configuration Files Stored in Internal Flash
Name of Configuration File    Location in Internal Flash
startup-config                NVRAM
other configuration files     flash
Viewing Configuration Files To view a configuration file, select Management > System Maint.—Config Files.
To view the contents of a configuration file, select the file and click the View button at the bottom of the screen. For example, you might want to view the startup-config file. (See Figure 2-53.) Figure 2-53. Viewing the Contents of the startup-config Click the Refresh button to update the information displayed in the screen. Click the Close button to return to the Management > System Maint.—Config Files screen.
Transferring, or Copying, Files The Web browser interface allows you to transfer, or copy, configuration files. You simply specify a source and a destination for the transfer. Valid selections are listed in Table 2-4: Table 2-4.
Figure 2-54. Management > System Maint.—Config Files > Transfer Screen 3. In the Source section, specify the source as an FTP or TFTP server: a. In the From field, use the drop-down menu to select Server. b. In the File field, enter the name of the configuration file. c. In the Using field, use the drop-down menu to select either FTP or TFTP. d.
The Web browser interface is restricted and does not support copying directly to the running configuration. To immediately write to the running configuration, use the CLI. 5. Click the Transfer button. In the Status section at the bottom of the screen, a message is displayed, reporting whether the transfer was successful.
3. In the Target section, specify the destination. Choose a destination from the To drop-down menu: • Wireless Services Module—copy the file to another location on the module • Server—copy the file to an external FTP or TFTP server • Local Disk—copy the file to the workstation on which you are running the Web browser The Target fields below change depending on the target type.
Figure 2-56. Transferring a File to a New Location on the Module (callout: Browse button) At any point during the transfer, you can click the Abort button to cancel the process. After you have finished transferring files, click the Close button. Copying a File to an External Server. Follow these steps to upload a file to an external FTP or TFTP server: 1.
At any point during the transfer, you can click the Abort button to cancel the process. After you have finished transferring files, click the Close button. Copying a File to the Local Disk. To specify the local hard disk as the destination, follow these steps: 1. Complete steps 1 to 3 in “Transferring Configuration Files from the Wireless Edge Services zl Module to Another Destination” on page 2-91. 2.
Figure 2-58. Browse Button (callout: Browse button) To use the Browse button to search and manage the Wireless Edge Services zl Module’s directory structure, follow these steps: 1. In the Target section, click the Browse button next to the File field. The Select Config file screen is displayed. This screen displays three buttons, one for each of the Wireless Edge Services zl Module’s three file systems: 2.
Figure 2-59. Select Config file Screen (callouts: Subdirectories (or folders); Flash file system; Files saved in this directory) The nvram stores the startup-config, and the system memory (volatile) holds the running-config. 3. In the left section, choose the folder in which you want to save the file. 4. Alternatively, create a new folder (in the flash memory only). a. Click the New Folder button. The New Folder screen is displayed.
5. Choose the filename. The path to the folder you have selected is displayed in the field at the bottom of the screen. Files in this folder display to the right. You can select one of these files and write over it, or you can choose a new file. To create a new file, add the filename to the path in the field at the bottom of the screen. For example: flash/myfolder/configA. 6. Click the OK button. 7.
Returning the Startup-Config File to Factory Default Settings Although you cannot delete the startup-config file if you are using the Web browser interface, you can return this file to factory defaults. Complete these steps: 1. On the Management > System Maint.—Config Files screen, click the Restore Defaults button. A prompt is displayed, asking you to verify that you want to return the startup-config file to factory defaults.
Checking the Software Image File When the Wireless Edge Services zl Module reboots, it checks the Update Server settings that you have configured to ensure that it is using the correct software image. If the module is already using the software image that you specified, it simply reboots and then checks the configuration file. (See “Checking the Configuration File” on page 2-99.)
If the startup-config is corrupted, the checksums will not match, and the module will request the configuration file from the location specified in the Update Server settings. When the module receives the configuration file from the Update Server, it compares the checksum that it saved for the startup-config with this file’s checksum.
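The boot-time checksum logic just described, as an added Python model that is not the module's firmware. Two points are assumptions because the guide leaves them open: what the module does when the Update Server copy also fails the comparison (modelled here as refusing the file) and the effect of the "ignore checksums" setting named in the Figure 2-63 callout (modelled as accepting the fetched file anyway); SHA-256 stands in for the module's unspecified checksum algorithm, and the configuration contents are constructed.

```python
"""Model of the startup-config check the module performs at boot.

Added illustration, not the module's firmware. The guide states that the
module saves a checksum of the startup-config, recomputes it at reboot, and
on a mismatch requests the configuration file from the Update Server and
compares the saved checksum with that file's checksum. Assumptions: an
Update Server copy that fails the comparison is refused, and the "ignore
checksums" setting from the Figure 2-63 callout bypasses that comparison.
SHA-256 stands in for the module's unspecified checksum algorithm.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


def checksum(config: bytes) -> str:
    return hashlib.sha256(config).hexdigest()


@dataclass(frozen=True)
class BootDecision:
    source: str              # "startup-config", "update-server" or "none"
    config: Optional[bytes]  # configuration to load, or None when nothing is trusted
    message: str


def select_startup_config(startup_config: bytes, saved_checksum: str,
                          fetch_from_update_server: Callable[[], Optional[bytes]],
                          ignore_checksums: bool = False) -> BootDecision:
    """Decide which configuration to load, following the guide's order of checks."""
    if checksum(startup_config) == saved_checksum:
        return BootDecision("startup-config", startup_config,
                            "startup-config checksum matches the saved checksum")
    # Local copy is corrupted: ask the Update Server for the configuration file.
    fetched = fetch_from_update_server()
    if fetched is None:
        return BootDecision("none", None,
                            "startup-config corrupted and the Update Server did not answer")
    if checksum(fetched) == saved_checksum:
        return BootDecision("update-server", fetched,
                            "Update Server copy matches the saved checksum")
    if ignore_checksums:  # assumption: the callout's setting bypasses this comparison
        return BootDecision("update-server", fetched,
                            "Update Server copy accepted without checksum verification")
    return BootDecision("none", None,  # assumption: a mismatching copy is refused
                        "Update Server copy does not match the saved checksum; refused")


# Constructed sample configurations (hypothetical content).
GOOD_CONFIG = b"hostname Wireless-Services\nvlan 2100 name radio-ports\n"
CORRUPT_CONFIG = GOOD_CONFIG[:-5]                        # truncated copy on flash
SAVED_CHECKSUM = checksum(GOOD_CONFIG)
NEWER_CONFIG = GOOD_CONFIG + b"ntp server 10.4.1.5\n"    # differs from the saved checksum


def boot_scenarios() -> dict:
    """The cases a practitioner would test: intact, recoverable, unreachable, mismatch, bypassed."""
    return {
        "intact": select_startup_config(GOOD_CONFIG, SAVED_CHECKSUM, lambda: None),
        "recovered": select_startup_config(CORRUPT_CONFIG, SAVED_CHECKSUM, lambda: GOOD_CONFIG),
        "unreachable": select_startup_config(CORRUPT_CONFIG, SAVED_CHECKSUM, lambda: None),
        "mismatch": select_startup_config(CORRUPT_CONFIG, SAVED_CHECKSUM, lambda: NEWER_CONFIG),
        "bypassed": select_startup_config(CORRUPT_CONFIG, SAVED_CHECKSUM, lambda: NEWER_CONFIG,
                                          ignore_checksums=True),
    }


if __name__ == "__main__":
    for name, decision in boot_scenarios().items():
        print(f"{name:12s} -> {decision.source:15s} {decision.message}")
```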
Figure 2-63. (callout: Configure the update server to ignore checksums)
Table 2-5.
Table 2-6 shows which software image and configuration file are loaded in other circumstances. Table 2-6.
Configuring the Update Server Settings To configure the Update Server settings, complete these steps: 1. Select Management > System Maint.—Update Server. Figure 2-64. Management > System Maint.—Update Server Screen 2. Check the Update Server Unreachable box if you do not want the Wireless Edge Services zl Module to use the Update Server. 3.
5. Enter the login credentials for the FTP server. a. In the User ID field, enter the username. b. In the Password field, enter the password for this username. 6. In the Software section, configure the version number, filename and path for the software image. a. In the Version field, enter the version of the software image that is stored on the FTP or TFTP server. b.
Other types display in plaintext, by default: ■ passwords for users in the local RADIUS database ■ shared secrets for the RADIUS servers specified in WLAN settings ■ shared secret for globally configured RADIUS servers (used for authentication, authorization, and accounting [AAA]) ■ WEP keys ■ WPA/WPA2 preshared keys (PSK) However, you can configure SHA256-AES256 encryption for these five types of passwords.
Figure 2-65. ConfigPasswdEn Button (callout: Set the encryption key for passwords) 2. Click the ConfigPasswdEn button. Figure 2-66.
3. Set the key that encrypts passwords in the Password and Confirm Password fields. The key can be between 8 and 32 alphanumeric and special characters. 4. Click the OK button.
SNMP Traps and Error Reporting SNMP is an industry-standard protocol that allows you to manage and monitor a variety of network devices from a central location. Specifically, you can configure these SNMP-compliant devices and apply consistent security and management policies to these devices across your network. By default, the Wireless Edge Services zl Module supports SNMP v1, v2, and v3.
Modifying SNMP v2 Communities By default, the Wireless Edge Services zl Module names the read-only community “public” and the read-write community “private”. To change the community name or access control setting for these communities, complete these steps: 1. Select Management > SNMP Access > v1/v2c. Figure 2-67. Management > SNMP Access > V1/V2c Screen 2.
Figure 2-68. Edit SNMPV1/V2c Screen 3. In the Community Name field, enter the new name for the community. 4. In the Access Control field, use the drop-down menu to select the access control. 5. Click the OK button. The changes are applied to the running-config. 6. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
Figure 2-69. Management > SNMP Access > Statistics Screen SNMP Traps To generate alarm logs, you must enable the Wireless Edge Services zl Module to generate SNMP traps, and you must enable specific SNMP traps. For example, you may want the module to generate an alarm if file system space becomes low or if a user fails to authenticate.
Enabling SNMP Traps By default, all SNMP traps are disabled. To enable SNMP traps, complete these steps: 1. Select Management > SNMP Trap Configuration and click the Configuration tab. Figure 2-70.
• DHCP • Radius • SNMP • Wireless 2. Check the Allow Traps to be generated box. 3. To view the SNMP traps in a category, click the Plus ( + ) sign next to the category. To view the SNMP traps in all categories, click the Expand all items button. 4. To enable all the traps, select All Traps and click the Enable all sub-items button. 5.
Figure 2-71. Enabling SNMP Traps on the Management > SNMP Trap Configuration Screen 7. Click the Apply button to save the change to the running-config. 8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Disabling SNMP Traps To disable an SNMP trap that you previously enabled, complete these steps: 1.
Figure 2-72. Management > SNMP Trap Configuration > Wireless Statistics Thresholds Screen Table 2-7 shows which thresholds you can set for stations, radios, and WLANs, and for the Wireless Edge Services zl Module itself.
Table 2-7.
Figure 2-73. Management > SNMP Trap Receivers Screen 2. Click the Add button. The Add Trap receivers screen is displayed. Figure 2-74. Add Trap Receivers Screen 3. In the IP Address field, enter the IP address of the SNMP server.
4. In the Port Number field, enter the port on which your SNMP server listens for traps. The valid range is from 1 to 65535. The default port is 162. 5. Choose v2c or v3 from the Protocol Options drop-down menu. 6. Click the OK button. The configuration change is applied to the running-config. 7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
2. Select the snmptrap user and click the Edit button. Figure 2-76. Changing the Password for SNMP v3 Traps 3. In the Old Password field, enter the current password—by default, trapuser. 4. In the New Password and Confirm Password fields, enter the new password. 5. Click the OK button.
View Information about SNMP Receivers. After you define an SNMP server, the server is displayed in the Management > SNMP Trap Receivers screen. Figure 2-77. Management > SNMP Trap Receivers Screen You can view the following information about that server: ■ Destination Address—the IP address of the SNMP server ■ Port—the port number that the module uses to communicate with the SNMP server.
Edit an SNMP Trap Receiver. If you define an SNMP trap receiver and later need to change its IP address, complete these steps: 1. Select Management > SNMP Trap Receivers. 2. Click the Edit button. 3. You can change these settings: • IP address • port To change the SNMP version, you must delete the receiver from the Management > SNMP Trap Receivers screen and re-add it with the correct version. 4. Click the OK button.
Radio Port Licenses
Table 2-8.
Figure 2-78.
In situations such as this one, you can uninstall the Wireless Services Module 48 RP License from the Wireless Edge Services zl Module in the North building. You can then install the Wireless Services Module 48 RP License on the Wireless Edge Services zl Module in the South building. Now the North module supports 60 RPs while the South module supports 120.
Figure 2-79.
Only the Wireless Edge Services zl Module has RP licenses. The Redundant Wireless Services zl Module does not include radio port licenses and cannot independently adopt radio ports. When the Redundant Wireless Services zl Module is configured as part of a redundancy group, however, it can adopt radio ports under certain circumstances (such as if the Wireless Edge Services zl Module fails or if it is assigned an active role).
Understanding the Numbers: IDs and Keys Installing and uninstalling the Wireless Services Module 12 RP License or the Wireless Services Module 48 RP License involves several different numbers: ■ Registration ID—The Wireless Services Module RP Licenses include a registration ID. You do not input this number to install the license.
Figure 2-80. My ProCurve Web Portal 4. Click ProCurve Device Software. You can now begin to generate a license key. (See Figure 2-81.)
Figure 2-81. Enter the Registration ID 5. Enter the registration ID that you located in step 1 in the Registration ID field and click Next. The Hardware ID page is displayed. 6. Find out the hardware ID for the Wireless Edge Services zl Module. a. Open a second browser (if you have not already done so) and access the Web browser interface for the Wireless Edge Services zl Module. b.
Figure 2-82. The License-Install Summary Screen c. Click the Install button at the bottom of the screen. The Install License (Step 1 and Step 2) screen is displayed. (See Figure 2-83.) Figure 2-83.
d. In the Step 1—Generate Hardware ID section, click the Gen-Hw-ID button. e. When a number is displayed in the System Generated Hardware Id field, copy it (using Ctrl-C) or write it down. (Copying the number is easier and more accurate.) You must enter this number on the My ProCurve Web portal. 7. Return to the My ProCurve Web portal. In the Enter Hardware ID# field, paste (using Ctrl-V) or enter the hardware ID. 8.
2. Select Management > Licenses and click the License-Install Summary tab. 3. Highlight the license that you want to uninstall and click the Uninstall button at the bottom of the screen. The Un-Install License screen is displayed. (See Figure 2-84.) Figure 2-84. Un-Install License Screen 4. For Feature-Group, accept the default setting of radio ports. 5. For FG-specific-data, enter 12 or 48.
Note If you forget or misplace the uninstall verification key, you can view it by selecting Management > Licenses and clicking the License_Uninstall Summary tab. Alternately, you can enter the show licenses uninstalled command from the CLI. This command displays the last uninstall verification key that was generated by the Wireless Edge Services zl Module. 9. Access the My ProCurve Web portal at http://my.procurve.
Configuring the ProCurve Wireless Edge Services zl Module Setting System Information— Name, Time, and Country Code To transfer the Wireless Services Module 12 RP License or 48RP License to another Wireless Edge Services zl Module, complete the installation steps described in “Installing RP Licenses” on page 2-128.
Figure 2-87. Network Setup Screen Follow these steps to configure the system information, which the Wireless Edge Services zl Module reports to an SNMP server: 1. Name the module by entering a string in the System Name field. The string can include spaces and special characters. The default name is “Wireless Services.
Enter the date in this format, in which MM is the number of the month, DD is the date, and YYYY is the year: MM/DD/YYYY 2. Enter the current time in the Time field. Use this format, in which HH is the hour in the 24-hour clock and MM is the minutes: HH:MM 3. Choose your time zone from the Time Zone drop-down menu. The menu lists many countries and cities from which you can choose.
Configuring the ProCurve Wireless Edge Services zl Module Enabling Secure Network Time Protocol (NTP) Because the Wireless Edge Services zl Module supports NTP, you can configure the module to take its time from an NTP server. This ensures that the module is always using the correct time, which helps you maintain and monitor your company’s wireless services.
NTP defines two additional modes: ■ Peer mode—Peers operate on an equal level. Peers act as both clients and servers to each other. They send each other control queries either to synchronize their clocks entirely or simply to exchange information. ■ Broadcast mode—Broadcast mode is similar to client-server mode.
Figure 2-88. NTP Clock Stratum Levels The devices at stratum 0 are GPS clocks or other radio clocks. These devices are not attached to the network but are locally connected to computers. Computers at stratum 1 are attached to stratum 0 devices. Stratum 1 devices can act as time servers for timing requests from stratum 2 servers via NTP. Computers at stratum 2 send NTP requests to stratum 1 servers.
Several organizations on the Internet offer NTP servers at stratums 1 through 3. Some require you to purchase the service, and others grant it for free. You can configure your Wireless Edge Services zl Module to communicate with one of these servers and then, acting as a server, pass the time on to clients in your network.
Configuring a Secure NTP Server As an NTP server, the Wireless Edge Services zl Module sends the time to stations and devices that request this information. To obtain the correct time, it can use its internal clock, exchange messages with other servers in your network (called its NTP neighbors), or both. To configure secure NTP, first determine the module’s function in your network’s NTP implementation: 1.
Configuring Secure NTP Options To configure a Secure NTP server, complete these steps: 1. Select Special Features > Secure NTP > Configuration. Figure 2-89. Special Features > Secure NTP > Configuration Screen 2. Optionally, in the Other Settings section, check the Authenticate Time Sources box.
4. If you checked the Act as NTP Master Clock box (in step 3), in the Clock Stratum field, enter how many hops (from 1 to 15) the Wireless Edge Services zl Module is from an NTP time source. Valid values are from 1 to 15, although your clock stratum value should be at least 2 (because you are not actually connected to a stratum 0 device).
Applying ACLs to NTP Services For additional security, you can set access controls on the NTP messages that your Wireless Edge Services zl Module receives. The module only accepts a particular type of message if the ACL applied to that type permits it. You will first need to configure the ACLs for NTP resource access before completing this task. (See Chapter 7: “Access Control Lists (ACLs).
You can control four types of access to NTP resources: ■ Full Access—The Wireless Edge Services zl Module accepts all messages from devices permitted by the associated ACL and will synchronize with these devices. This is typically the type of access that you would grant your NTP neighbors. ■ Only Control Queries—The module accepts only control queries from devices permitted by the ACL.
Configuring Authentication for Secure NTP When the Wireless Edge Services zl Module requires authentication for secure NTP, it drops all NTP packets unless they are encrypted with the correct key. Authentication ensures that the server providing system time to the Wireless Edge Services zl Module is trusted.
Figure 2-91. Enabling Auto Key for Secure NTP 3. In the Auto Key field, use the drop-down menu to enable auto key: • Host Enabled—The Wireless Edge Services zl Module requires clients and neighbors to use auto key to authenticate themselves. • Client only Enabled—The module uses auto key only to authenticate itself to a server. 4. Click the Apply button. 5.
6. Click the Save link. 7. Make sure that your Wireless Edge Services zl Module has the proper certificates. See “Digital Certificates” on page 2-163. Adding Symmetric Keys. Symmetric key authentication uses a single (symmetric) key for encryption and decryption. Because both the sender and the receiver must know the same key, it is also referred to as shared key cryptography.
Figure 2-92. Special Features > Secure NTP > Symmetric Keys Screen 3. Click the Add button. The ADD screen is displayed. (See Figure 2-93.) Figure 2-93. Add Symmetric Key Screen 4. In the Key ID field, enter the key ID, from 1 through 65534. 5. In the Key Value field, enter any string up to 32 characters for the authentication key value.
To configure an NTP neighbor, complete these steps: 1. Select Special Features > Secure NTP and click the NTP Neighbor tab. Figure 2-94. Special Features > Secure NTP > NTP Neighbor Screen 2. Click the Add button. The Add Neighbor screen is displayed.
Figure 2-95. Add Neighbor Screen 3. Select the neighbor type: • Peer—A peer is another NTP server in a close relationship with your Wireless Edge Services zl Module. The module synchronizes with its peers, and at any given moment, only one peer in the group acts as the NTP server.
5. In the NTP Version field, use the drop-down menu to select the version of NTP to use with this configuration. Although the latest version of the NTP implementation is NTPv4, the official Internet standard is NTPv3. 6. Select the authentication method: • No Authentication—No authentication is used.
Figure 2-96. Special Features > Secure NTP > NTP Neighbor Screen 2. Click the Add button. The Add Neighbor screen is displayed.
Figure 2-97. Add Neighbor Screen 3. Select Broadcast Server for the neighbor type. 4. In the IP Address field, enter the broadcast address for the module’s subnetwork. For example, if you want the module to run the broadcast server on its VLAN 8 interface, which has the address 10.4.8.30/24, enter 10.4.8.255. 5.
7. If you selected Symmetric Key Authentication in step 6, in the Key ID field, enter the symmetric key ID. The key ID references the symmetric key that you created earlier. (See “Adding Symmetric Keys” on page 2-149.) You must configure clients in this network to match the key referenced by the ID. 8. Click the OK button.
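The key ID entered on the Add Symmetric Key screen and referenced on the Add Neighbor screen is carried in every authenticated NTP packet, and the receiver looks it up before it trusts the time. The following added example (not the module's own code) shows that exchange for both sides, using the RFC 5905 message authentication layout (48-byte header, 4-byte key ID, 16-byte MD5 digest over key plus header), with the key ID range and key length taken from the screens above; the packet contents and the key are constructed for illustration.

```python
"""Added example: NTP symmetric-key authentication as a client attaches it and
as a server checks it. Assumed layout per RFC 5905 (not taken from the manual):
48-byte header, then 4-byte key ID, then MD5(key || header)."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                  # key ID + MD5 digest
MIN_KEY_ID, MAX_KEY_ID = 1, 65534  # range shown on the Add Symmetric Key screen
MAX_KEY_CHARS = 32                 # key value limit shown on the same screen
NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01


def build_key_table(entries):
    """Validate {key_id: key_string} against the screen's limits, return bytes keys."""
    table = {}
    for key_id, value in entries.items():
        if not MIN_KEY_ID <= key_id <= MAX_KEY_ID:
            raise ValueError("key ID %r outside 1..65534" % key_id)
        if not 1 <= len(value) <= MAX_KEY_CHARS:
            raise ValueError("key value for ID %r must be 1..32 characters" % key_id)
        table[key_id] = value.encode("ascii")
    return table


def build_client_header(version=3, transmit_unix_time=1262304000):
    """Build a 48-byte NTP client request (mode 3); the timestamp is constructed."""
    li_vn_mode = (0 << 6) | (version << 3) | 3          # leap=0, version, mode 3
    transmit_ts = (transmit_unix_time + NTP_EPOCH_OFFSET) << 32  # 64-bit NTP time
    return struct.pack("!BBbbIIIQQQQ",
                       li_vn_mode, 0, 6, -20,   # stratum, poll exponent, precision
                       0, 0, 0,                 # root delay, root dispersion, ref ID
                       0, 0, 0, transmit_ts)    # reference, origin, receive, transmit


def append_mac(header, key_id, key_table):
    """Client side: append key ID and MD5(key || header) so the server can verify."""
    digest = hashlib.md5(key_table[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet, key_table):
    """Server side: return (ok, reason). With authentication required, anything
    that does not carry a valid MAC for a configured key ID is dropped."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet dropped"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected length %d" % len(packet)
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received_digest = packet[NTP_HEADER_LEN + 4:]
    key = key_table.get(key_id)
    if key is None:
        return False, "unknown key ID %d" % key_id
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, received_digest):
        return False, "bad digest for key ID %d" % key_id
    return True, "authenticated with key ID %d" % key_id


def tamper(packet, offset, xor_byte=0x01):
    """Flip one byte (for example inside the transmit timestamp) to simulate
    a packet altered in transit; the digest no longer matches."""
    data = bytearray(packet)
    data[offset] ^= xor_byte
    return bytes(data)


if __name__ == "__main__":
    keys = build_key_table({5: "constructed-demo-key"})   # constructed sample key
    good = append_mac(build_client_header(), 5, keys)
    print(verify_mac(good, keys))
    print(verify_mac(tamper(good, 40), keys))
    print(verify_mac(append_mac(build_client_header(), 5, {5: b"wrong"}), keys))
```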
Figure 2-98. Special Features > Secure NTP > NTP Associations Screen The screen includes the following fields: ■ Address—the numeric IP address of the resource providing NTP updates to the switch. Typically, the NTP system is a peer or server that you have configured as your Wireless Edge Services zl Module’s neighbor.
■ Peer Poll—the maximum interval between successive messages, in seconds (always a power of 2 value, such as 8 or 64). ■ Reach—the status of the last eight NTP messages displayed in octal format. If an NTP packet reaches the resource successfully, the packet is assigned the value of 1. Otherwise, it is assigned a value of 0. The results for eight packets make up an eight-digit binary number.
Figure 2-99. Details Screen The Details screen includes the following additional information: ■ Association—state of the association ■ Sanity—an indicator of the “sanity” of NTP packets. The sanity indicates whether the time sent by the resource seems reasonable based on time from other resources.
■ Host Mode—the Wireless Edge Services zl Module’s mode: client—The module is associated with a resource which operates in server mode. The module polls the server, but does not respond to polls from the server. If the server sends valid NTP packets, the module may synchronize with it. server—The module allows itself to be polled by clients that want to synchronize with it. The module does not poll the clients.
■ Root Dispersion—a 32-bit unsigned fixed-point number indicating the nominal error relative to the primary reference source, in seconds with fraction point between bits 15 and 16. The values that normally are displayed in this field range from 0 to several hundred milliseconds. ■ Reach—displays the peer reachability (bit string, in octal).
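The Reach field on the NTP Associations and Details screens is an octal view of an eight-poll history, and Root Dispersion is a 16.16 fixed-point count of seconds. The following added example (not the module's code) decodes both fields and the power-of-two Peer Poll interval, then flags sources that recently missed polls or report large dispersion. The bit order of the reach register (newest poll in the lowest bit) follows the ntpd reference implementation, and the sample rows are constructed, not captured from a module.

```python
"""Added example: decode the Reach, Root Dispersion and Peer Poll fields shown
on the Secure NTP association screens and flag associations worth a look."""

REACH_BITS = 8
ALL_REACHED = 0o377   # every one of the last eight polls answered


def decode_reach(reach_octal):
    """Return the last eight poll results as booleans, oldest first.

    ntpd shifts the register left on every poll and sets bit 0 when a reply
    arrives, so bit 7 is the oldest of the eight polls and bit 0 the newest."""
    value = int(str(reach_octal), 8)
    if not 0 <= value <= ALL_REACHED:
        raise ValueError("reach must be an octal value 0..377, got %r" % reach_octal)
    return [bool((value >> bit) & 1) for bit in range(REACH_BITS - 1, -1, -1)]


def reach_summary(reach_octal):
    """Counts a practitioner wants from the reach register."""
    results = decode_reach(reach_octal)
    return {
        "reached": sum(results),
        "missed": REACH_BITS - sum(results),
        "last_poll_ok": results[-1],
        "healthy": all(results),
    }


def root_dispersion_seconds(raw):
    """32-bit unsigned fixed point with the binary point between bits 15 and 16."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("root dispersion is a 32-bit unsigned field")
    return raw / 65536.0


def peer_poll_exponent(seconds):
    """The screen shows Peer Poll in seconds (always a power of two); the NTP
    header carries the exponent. Reject anything that is not a power of two."""
    if seconds <= 0 or seconds & (seconds - 1):
        raise ValueError("peer poll must be a positive power of two, got %r" % seconds)
    return seconds.bit_length() - 1


# Constructed sample rows in the shape of the NTP Associations screen (illustrative only).
SAMPLE_ASSOCIATIONS = [
    {"address": "10.4.8.10", "peer_poll": 64, "reach": "377", "root_dispersion_raw": 0x00000C00},
    {"address": "10.4.8.11", "peer_poll": 64, "reach": "376", "root_dispersion_raw": 0x00001000},
    {"address": "10.4.8.12", "peer_poll": 128, "reach": "017", "root_dispersion_raw": 0x00400000},
]


def flag_associations(rows, max_dispersion_s=1.0):
    """Return (address, reason) pairs for sources that missed polls recently or
    report more dispersion than a local-network time source should."""
    flagged = []
    for row in rows:
        summary = reach_summary(row["reach"])
        dispersion = root_dispersion_seconds(row["root_dispersion_raw"])
        if not summary["last_poll_ok"]:
            flagged.append((row["address"], "last poll unanswered"))
        elif summary["missed"]:
            flagged.append((row["address"], "%d of last 8 polls missed" % summary["missed"]))
        if dispersion > max_dispersion_s:
            flagged.append((row["address"], "root dispersion %.3f s" % dispersion))
    return flagged


if __name__ == "__main__":
    for row in SAMPLE_ASSOCIATIONS:
        print(row["address"], reach_summary(row["reach"]),
              "poll exponent", peer_poll_exponent(row["peer_poll"]),
              "dispersion %.4f s" % root_dispersion_seconds(row["root_dispersion_raw"]))
    print(flag_associations(SAMPLE_ASSOCIATIONS))
```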
Figure 2-100. Special Features > Secure NTP > Secure NTP Status Screen The following information is listed on the screen: ■ Leap—the time source’s leap state, that is, whether it inserts leap seconds. ■ Stratum—how many hops the time source is from a clock. ■ Reference—the address of the time source to which the Wireless Edge Services zl Module is synchronized.
Configuring the ProCurve Wireless Edge Services zl Module Digital Certificates ■ Clock Offset—the calculated offset, in seconds, between the module and the source. The module adjusts its clock to match the server’s time value. The offset gravitates toward zero over time, but is never completely reduced to zero. ■ Root delay—the total round-trip delay, in seconds. This variable can take on both positive and negative values, depending on the relative time and frequency offsets.
A certificate itself consists of: ■ the host’s identification information ■ the host’s public key ■ the function used to hash the certificate ■ the CA’s digital signature A host authenticates itself by sending its certificate, to which it appends its digital signature. It creates the digital signature by hashing the certificate and then encrypting the hash with its private key.
■ CRL—This element is optional, but recommended to prevent your module from accepting invalid certificates. Your CA should provide you with a CRL. You must complete these tasks to configure a self-signed certificate: 1. Optionally, pre-create a specific key for the certificate. Typically, however, you can allow the module to automatically generate a key when you create the certificate. 2.
Figure 2-101. Management > Certificate Management Screen The Management > Certificate Management screen has two main tabs: ■ Trustpoints—This screen lists the trustpoints on the Wireless Edge Services zl Module and the certificates associated with each trustpoint. The left panel displays all trustpoints configured on your module. Initially, the only trustpoint is the “default-trustpoint.
Using the Certificates Wizard Use the Certificates Wizard to: ■ create a new certificate, either as a self-signed certificate or a certificate request to be sent to a CA ■ upload a certificate (either a server certificate or a CA certificate) from an external source ■ delete trustpoints, certificates, or keys You can complete all necessary tasks for creating or installing certificates through the Certificates Wizard.
Figure 2-102. Certificates Wizard Welcome Screen On this screen, you can select the certificate operations that you want to perform, which are documented in the following sections.
Creating a Self-Signed Certificate. To create a new self-signed certificate, complete these steps: 1. On the Certificates Wizard Welcome screen, in the Select a certificate operation section, select Create a new certificate. 2. Click the Next button. The screen shown in Figure 2-103 is displayed. Figure 2-103. Certificates Wizard Options Screen (Self-Signed Certificate) 3.
4. • Use existing trustpoint—You can select a trustpoint that you have created previously from the drop-down menu. (This option is available only when an existing trustpoint does not have a current certificate.) • Create a new trustpoint—Enter the trustpoint name in the field.
Figure 2-104. Certificate Credentials Screen (Self-Signed Certificate) 7. If you specified in step 4 that you are creating a new trustpoint, check the Configure the trustpoint box to configure the trustpoint. 8. Select Automatically generate certificate with default values to generate a certificate with default credential values.
9. • Organization—your organization (typically your company name) • Organizational Unit—your organizational unit (typically your department name) • Common Name—the URL that you use to access the Web browser interface. The text that you enter must match the URL exactly and cannot include spaces or special characters other than periods ( . ) and hyphens ( - ). For example: WirelessServices.procurve.
Figure 2-105. Certificates Wizard Options Screen (Certificate Request) 3. In the Select a certificate operation section, select Prepare a certificate request to send to a certificate authority. 4. In the Select a trustpoint for the new certificate section, select one of the following: • Use existing trustpoint—You can select a trustpoint that you have created previously from the drop-down menu.
• Use existing key—Use a key pair that you created previously; select the key from the drop-down menu. • Create a new key—Create a new key pair for this certificate that you can also use for future certificates. – In the Key Label field, enter a name for the key. – In the Key Size field, enter the key size, from 1,024 through 2,048 bytes.
• Country—the two-character country code (abbreviation) for your country • State—the state or province in which the module operates • City—the city in which the module operates • Organization—your organization (typically your company name) • Organizational Unit—your organizational unit (typically your department name) • Common Name—the URL that you use to access the Web browser interface.
Figure 2-107. Copy or Save Certificate Request Screen 10. To save the text of the certificate request to send to a CA, you can do either (or both) of the following: • Check the Copy the certificate request to clipboard box; after you click the Next button in step 11, you can paste the text into a text file.
v. For FTP, enter the username and password. vi. Leave the Path field blank to save to the server’s base directory. Or enter a valid directory path on the server. To save the certificate request to the workstation running the Web browser, follow these steps: i. In the To drop-down menu, select Local Disk. ii. Choose a name for the request and enter it in the File field with a valid path. For example: C:/myrequest.
Figure 2-108. Certificates Wizard—Uploading a Certificate 1. Click the Next button. The screen shown in Figure 2-109 is displayed.
Figure 2-109. Upload Certificate to Trustpoint Screen 2. In the Select a trustpoint to upload the certificate section, select one of the following: • Use existing trustpoint—to upload the certificate to an existing trustpoint; use the drop-down menu to select the trustpoint. • Create a new trustpoint—to upload the certificate to a new trustpoint; enter the name of the new trustpoint in the field.
You can select either or both certificates to upload. However, you can only upload a certain type of certificate if the selected trustpoint does not already include that type. If you want to upload a new certificate, first delete the current certificate. See “Deleting Trustpoints, Certificates, and Keys” on page 2-180. 4.
Figure 2-110. Certificates Wizard—Deleting Certificates 2. Click the Next button. The screen shown in Figure 2-111 is displayed.
Figure 2-111. Certificate Wizard Delete Operations Screen 3. Select your delete operations: • To delete an entire trustpoint, select Delete trustpoint and all certificates inside it. Then use the drop-down menu to select the trustpoint to delete. This selection deletes the trustpoint and everything it contains, including certificates, a certificate request, and a CRL.
5. On the confirmation screen, click the Next button to confirm the deletion. Or, click the Cancel button to cancel the deletion. 6. After the deletion is complete, on the completion screen that is displayed, click the Finish button. 7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
■ server certificate ■ CA certificate ■ CRL Transferring Trustpoints from the Wireless Edge Services zl Module to a Server To transfer a trustpoint from the Wireless Edge Services zl Module to a server, complete these steps: 1. Select Management > Certificate Management and click the Trustpoints tab. 2. Click the Transfer Trustpoints button. The Transfer Trustpoints screen is displayed. 3.
7. In the Port field, enter the respective FTP or TFTP port number; the default port number (port 21 for FTP, port 69 for TFTP) should apply in most cases. 8. In the IP Address field, enter the IP address of the FTP or TFTP server. 9. If you are using an FTP server, enter the login credentials. a. In the User ID field, enter the username for your account on the FTP server. b.
3. In the Source section, select Server from the From field. 4. In the File field, enter the filename of the source trustpoint file. 5. In the Using drop-down menu, select the protocol for the external server, either FTP or TFTP. 6. In the Port field, enter the respective FTP or TFTP port number; the default port number (port 21 for FTP, port 69 for TFTP) should apply in most cases. 7.
Note You can also create keys within the Certificates Wizard when you create certificate requests and self-signed certificates; see “Creating Certificates” on page 2-168 for more information. To create a key, complete these steps: 1. Select Management > Certificate Management and click the Keys tab. Figure 2-114. Management > Server Certificates > Keys Screen 2. Click the Add button. The Add Key screen is displayed.
Figure 2-115. Add Key Screen 3. In the Key Name field, enter a name for the key. Enter between 2 and 64 characters. The only permissible special character is “_”. 4. In the Key Size field, enter the key size, from 1,024 through 2,048 bytes. 5. Click the OK button. Transferring Keys You can transfer key pairs to a secure location for archiving.
Figure 2-116. Transfer Keys from Wireless Edge Services zl Module 4. Use the next drop-down menu to select the key to be transferred. 5. In the Pass phrase field, enter a passphrase, which can include spaces and special characters. The passphrase encrypts the key pair, and, although optional, is recommended for security. In order to decrypt and use the key, a person must know the correct passphrase. 6.
ii. In the Password field, enter the password for this username. e. In the Path field, enter the path where the key will be saved on the server. (If you are using a TFTP server, this field may not be required.) 9. If you specified Local Disk in step 6, click the browse button to choose the directory in which to save the key. 10. Click the Transfer button.
5. If you selected Server as the source in step 3, in the Source section, specify the following for the key transfer source: a. From the Using drop-down menu, select the protocol for the key transfer, either FTP or TFTP. b. In the Port field, enter the respective FTP or TFTP port number; the default port number (port 21 for FTP, port 69 for TFTP) should apply in most cases. c.
3 Radio Port Configuration Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Country-Code and Regulatory Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Configuring Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Creating a Radio Adoption Default Configuration . . . . . . . . . . . . . . . . . . . 3-8 Viewing and Configuring Properties . . . . . . . .
Radio Port Configuration Overview The ProCurve Wireless Edge Services zl Module manages the ProCurve Radio Ports (RPs) 210, 220, and 230. Using their Ethernet port and one or two radios, these IEEE 802.11-compliant RPs grant wireless stations access to an Ethernet network. RPs provide the radio signal and the physical connection to wireless users, but little intelligence on their own.
In addition, the ProCurve RPs improve quality of service (QoS) in the wireless network with support for Wi-Fi Multimedia (WMM). Each radio can divide outbound wireless traffic into four queues based on priority value or on WLAN. For example, voice traffic (if appropriately marked) is placed in the highest-priority queue. The default settings for each queue are designed to provide a high QoS for voice and video traffic from RPs to associated stations.
Radio Port Configuration Country-Code and Regulatory Procedures While IEEE has codified the international wireless network specifications and standards, each country has its own regulations for legal frequencies and wireless use requirements. It is important to be aware of your country’s standards when configuring your network. Setting a device’s country code configures it to use radio settings that are legal in that country.
Radio Port Configuration Configuring Radio Settings Refer to http://www.hp.com/rnd/support/manuals/rports.htm for information about each country’s regulations and permissible radio settings. Configuring Radio Settings You configure radio settings for the ProCurve RPs 210, 220, and 230 through the Wireless Edge Services zl Module. The ProCurve RP 220 and 230 each have two built-in radios; one radio supports 802.11a standards while the other supports 802.11bg standards.
Figure 3-2. Default Configuration Screen for a Radio Type The screen for configuring the radio adoption default settings is labeled Network Setup > Radio Adoption Defaults > Configuration > Edit. The top left on the screen reads Configuration, and the top right displays the radio type: 802.11a or 802.11bg. For ease of reference, this guide will call that screen a radio type’s default Configuration screen.
Figure 3-3. Configuration Screen for a Radio Be careful to make configuration changes on the correct screen. Otherwise, the changes will not take effect as expected. Table 3-1 summarizes how you edit the radio configurations and how the Wireless Edge Services zl Module deploys them. For more information, see Chapter 1: “Introduction.” Table 3-1.
Creating a Radio Adoption Default Configuration The Wireless Edge Services zl Module stores two radio adoption default configurations, one for 802.11a radios and one for 802.11bg radios. It deploys the configurations to radios on any unconfigured RP that it adopts. These configurations only affect newly adopted radios.
As described above, you establish settings for a radio adoption default configuration from a radio type’s default Configuration screen. To access this screen, complete these steps: 1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab. This screen includes two rows, one for 802.11a and one for 802.11bg.
Figure 3-5. Radio Adoption Default Configuration Properties (screen fields: Model, Radio Type, Background AP detection, Dedicated to detecting rogue APs) This screen includes three sections: Properties, Radio Settings, and Advanced Properties. In the following sections, you will learn how to configure each of the settings on this screen. Viewing and Configuring Properties For the most part, you view, rather than configure, settings in this section.
When you configure this setting as part of the default configuration, you dedicate all radios of that 802.11 mode. For example, if your network does not include any stations that use 802.11a mode, you could dedicate all 802.11a radios in your network to scanning for rogue APs. (Note, however, that these radios will only detect APs operating in an 802.11a channel.) Note As a security measure, you can configure all RPs to be adopted as detectors.
■ channel selection method ■ transmit power ■ rate settings You should configure the settings in this order; the radio placement setting dictates available channel options, and the channel selection method affects available power levels. Figure 3-6. Radio Adoption Default Configuration Radio Settings (screen fields: Placement, Channel Selection, Power Options, Rate Setting) Defining the Radio Placement. You can configure a radio for indoor use or for outdoor use.
Unless you are certain that all RPs will operate outdoors, you should leave the Placement setting at Indoors for the radio adoption default configurations. You can override the setting for outdoor RP radios after they are installed. (See “Configuring Radio Settings for a Particular Radio” on page 3-29.) To define the RP placement, complete these steps: 1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab. 2.
Setting the Desired Radio Power. After you have selected a channel, you must select the radio power. Available settings are determined by previously defined channel and location settings. A radio’s power determines the broadcast radio frequency (RF) signal strength in dBm.
Figure 3-7. Rate Settings Screen On this screen, you can set basic and supported rates. The data rates displayed depend on which type of radio you are configuring. The basic rates are rates for which RP radios advertise support.
To select basic data rates for newly adopted radios of a particular type, complete these steps: 1. Access the Rate Settings screen for the radio type: a. Select Network Setup > Radio Adoption Defaults and click the Configuration tab. b. Select the radio type and click the Edit button. c. Click the Rate Settings button.
To deselect all of a radio’s data rates at once, click the Clear All Rates button. Remember, however, that you must configure at least one basic data rate for the radio. Otherwise, an error message will be displayed when you click the OK button, as shown in Figure 3-8. Figure 3-8. Clear All Rates Error Message.
Figure 3-9. Radio Adoption Default Configuration Advanced Properties (screen fields: Options, Max Stations, Antenna Mode, Units, Adoption Pref ID, Short Preamble) Setting the Antenna Mode. A diversity antenna consists of two closely spaced matching antennas designed to minimize small gaps in coverage: the RP automatically selects the antenna that provides the strongest signal to a particular station.
Note If your network includes a mix of models in the ProCurve RP 200 Series, or a mix of external antenna types, you should also customize the antenna mode for specific radio configurations. See “Configuring Advanced Properties for a Particular Radio” on page 3-31. To configure newly adopted radios to use a specific antenna mode, complete these steps: 1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab. 2.
Note Set the radio adoption default preference ID to match the Wireless Edge Services zl Module’s adoption preference ID, which allows the module to adopt any RPs that it detects. To move an RP to a different module, change the preference ID for one of the radios on that particular RP. (See “Configuring Advanced Properties for a Particular Radio” on page 3-31.
There are two types of preambles: a long preamble and a short preamble. The long preamble takes 192 µs to transmit and the short preamble 96 µs. Because the short preamble cuts this per-frame overhead by about 50 percent, it can improve the throughput of a network, particularly one carrying many small frames such as VoWLAN and streaming video traffic. However, older 802.11b devices do not support the short preamble, and by default, RP 802.
You can set an RTS threshold size, in bytes, which determines when an RTS/CTS exchange must be made. If a station wants to send a data frame larger than the threshold size, it must exchange RTS/CTS frames with the radio. Otherwise, it can follow typical 802.11 procedures. A lower threshold reduces collisions caused by hidden nodes, at the cost of RTS/CTS overhead on every frame above the threshold, so consider the needs of your wireless network when setting this value.
3. In the Advanced Properties section, enter a value in the Beacon Interval field. This value determines the time that the radio waits between beacons. You specify the beacon interval in K-µs, the 802.11 time unit of 1,024 µs (not milliseconds). The default setting is 100 K-µs, about 102 ms. 4. Click the OK button. Setting the DTIM Period. The DTIM (delivery traffic indication message) is an element carried in selected beacon frames; it tells power-saving stations that buffered broadcast and multicast traffic will follow, so the DTIM period controls how long the radio may hold such traffic.
Like the radio’s normal power setting, the self healing offset is configured in dBm; it is the amount by which a radio raises its power when it takes over coverage for a failed neighbor. The default value is 0. For additional information on determining an appropriate offset value, see the documentation shipped with the RP. To set the default self healing offset for radios in a network that uses neighbor recovery, complete these steps: 1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab. 2.
Figure 3-10. Network Setup > Radio > Configuration Screen
The Network Setup > Radio > Configuration screen lists all of the radios that the Wireless Edge Services zl Module has identified and their current settings and status. Radios are listed by index number. (The first radio that the module identifies is typically assigned the first index, and so on.) Radios are further identified by a name and a type.
Note An RP does not have to be adopted before you create a configuration for its radio (or radios); it need only appear in the list. An unadopted radio might be listed because: ■ the module once adopted the RP ■ you added the RP radio manually using the Add button To create the configuration, select the unadopted radio, click the Edit button, and configure the settings.
To view the Configuration screen for a particular radio, complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. 2. Select the radio that you want to configure and click the Edit button. Like the default Configuration screen for a radio type, a particular radio’s Configuration screen includes three sections: Properties, Radio Settings, and Advanced Properties. These are described in the following sections.
Setting the Radio Description. While configuring a radio description will not affect radio functions, doing so can save time and effort when managing or troubleshooting your wireless network. The default radio description is “RADIO” followed by the radio’s index number. For example, the radio that has been assigned to index 1 has “RADIO1” as its description. It is often a good idea to describe a radio according to its intended coverage area or function.
To configure a single-channel scan, complete these steps: 1. Select Network Setup > Radio > Configuration. 2. Select the radio that you want to configure and click the Edit button. 3. Check the Single-channel scan for Unapproved APs box. (The radio then scans for unapproved APs only on its own operating channel; rogue APs on other channels are not detected by this radio.) 4. Click the OK button. Base Radio MAC. The MAC address displayed in the Properties section is the hardware MAC address for that radio.
The Actual column also helps you to monitor your wireless network. For example, even if a radio uses ACS to select its channel, you may want to know which channel the radio has selected. Figure 3-12. Radio Configuration Radio Settings (fields shown: Placement, Actual column, Channel Selection, Power, Options)
To change the radio settings, complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. 2.
5. If you want, in the Desired Channel field, use the drop-down menu to select either: • Random • ACS • a specific channel number Channel numbers will vary, depending on the type of radio (802.11a or 802.11bg) that you are configuring, the radio’s country code, and the radio’s placement (indoors or outdoors). 6. If you want, in the Desired Power (dBm) field, use the drop-down menu to select a non-default transmit power.
■ Short Preambles only (802.11bg radios only) ■ RTS Threshold ■ Beacon Interval ■ DTIM Period ■ Self Healing Offset See “Setting Advanced Radio Properties” on page 3-17 for more information on each setting. Setting the DTIM Period is slightly different for the targeted radio configuration; see “Setting DTIM Periods for a Particular Radio” on page 3-32. You can alter any of these settings for a particular radio.
To find the BSSID used by your WLAN (with normal configuration), see Table 3-3. Advanced mode configuration allows you to change these assignments. (See “Configuration Options: Normal Versus Advanced Mode” on page 4-4 of Chapter 4: “Wireless Local Area Networks (WLANs).”) Table 3-3.
3. In the Advanced Properties section, click the DTIM Periods button. The DTIM Periods screen is displayed. Figure 3-14. DTIM Periods 4. In the field for each BSS, enter the number of beacons between DTIMs. 5. Click the OK button. Configuring Multiple Radios at Once To save time, you can configure settings for multiple radios at once. Hold down the Ctrl key as you select the radios and click the Edit button. The Configuration screen is displayed.
For certain parameters, you can either edit the setting for all radios or allow each radio to keep its current setting. These parameters are: ■ placement (for radios of the same type) ■ antenna mode Other settings become identical for every selected radio after you click the OK button. Running ACS If you have configured one or more radios to use ACS, you can have the Wireless Edge Services zl Module reinitiate the ACS process.
3. On the pop-up menu that is displayed, select Run ACS Now. The Wireless Edge Services zl Module scans all channels and discovers which radios are adopted and which channels they are using. The module then analyzes the radios’ channels and moves each ACS-enabled radio to the channel where it is least likely to experience interference from other radios. (See Figure 3-16.) Figure 3-16.
Resetting a Radio It may become necessary for you to reboot an RP. For a dual-radio RP (such as the RP 220 or 230), you can either reset the entire RP or only one of its radios. Complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. 2. Select the radio that you want to reset and click the Tools button. Figure 3-17. Resetting a Radio 3. On the pop-up menu that is displayed, select Reset.
4. Select a reset option: • If you click the Reset Radio only button, only the selected radio will reset. • If you click the Reset entire Radio Port button, the RP for the selected radio will reset, along with both radios on the same RP. Each radio will reset with its specific configuration (not with the radio adoption default configuration). Managing RP Radios You can perform several actions on an RP radio in the Network Setup > Radio screen.
Figure 3-19. Add Radio Screen
Enter the RP’s Ethernet MAC address in the RP MAC Address field. Then choose the appropriate radio or radios for the RP and assign them index numbers not currently used on this Wireless Edge Services zl Module. Click OK, and you can then select and edit the configuration for this RP’s radios before the RP is even adopted.
Figure 3-20. LLDP Button
The LLDP screen is displayed. If you select a radio before clicking the LLDP button, the MAC Address field is automatically filled with the RP’s Ethernet MAC address. See Figure 3-21.
Figure 3-21. LLDP Screen
You might have already customized the radio’s name. Select Set Radio Name as LLDP Name to use this name for the LLDP name as well. Alternatively, manually enter a name in the LLDP Name field. (The name can include alphanumeric and special characters, as well as spaces.) In the MAC Address field, enter the Ethernet MAC address of the RP. Or enter 00-00-00-00-00-00 to apply the LLDP name to all radios. Then click the OK button.
Considerations for Enabling Client Roaming
A mobile station may roam back and forth between several RPs. Ideally, such roaming is hidden from wireless users, who do not need to know when they connect to a new RP. They simply want their applications to continue functioning smoothly. A station itself determines when it needs to roam (typically, in order to associate to a radio with a better signal).
■ the antenna type The RP 210’s and RP 230’s internal radios use omnidirectional diversity antennas, which send out the signal in all directions equally. The two antennas of the diversity antenna ensure even coverage over the area. You can install a variety of external antennas on the RP 220. These antennas can be diversity or non-diversity.
Quality of Service (QoS) on RP Radios
For more precise prioritization, you can enable Wi-Fi Multimedia (WMM) on a WLAN. WMM. WMM, the Wi-Fi Alliance’s implementation of a portion of the ratified IEEE 802.11e-2005 specification for wireless QoS enhancements, covers packet prioritization, scheduled access, and call admission control.
You can view the parameters that RP radios apply to each queue by selecting Network Setup > Radio and clicking the WMM tab. Figure 3-22. Network Setup > Radio > WMM Screen For more information about WMM and other QoS mechanisms, see “Traffic Management (QoS)” on page 4-88 of Chapter 4: “Wireless Local Area Networks (WLANs).
Any transmission delays can have an adverse effect on voice traffic. In addition to priority queuing, SVP-enabled RPs and phone handsets transmit voice packets in a coordinated fashion, using a zero backoff interval and thereby eliminating delays introduced by random backoff intervals. The RPs 210, 220, and 230 are all SVP compliant. You enable this feature in the WLAN configuration. See Chapter 4: “Wireless Local Area Networks (WLANs).
4 Wireless Local Area Networks (WLANs)
Contents
Overview 4-3
Configuration Options: Normal Versus Advanced Mode 4-4
Normal Mode Configuration 4-4
Why Use Normal Mode 4-4
Enabling WLANs Using Normal Mode
Configuring Accounting on a WLAN 4-68
Enabling Logging to a Syslog Server on a WLAN 4-69
Enabling RADIUS Accounting on a WLAN 4-71
Configuring Global WLAN Settings 4-75
Enabling the WLAN
Overview
A wireless LAN (WLAN) is a LAN that uses a wireless medium; typically it provides wireless stations a connection to a private LAN, the Internet, or both. The WLAN might include multiple radio ports (RPs), each of which is identified by an individual basic service set identifier (BSSID), but supports the same service set identifier (SSID). Stations associated to one RP can roam to another RP that provides access to the same WLAN (shares the same SSID).
Configuration Options: Normal Versus Advanced Mode
When the Wireless Edge Services zl Module deploys a WLAN’s configuration to an RP, it assigns the SSID associated with that WLAN to a BSSID on the RP’s radio (or radios). You can configure the module to assign WLANs to RPs in one of two modes: normal or advanced.
Enabling WLANs Using Normal Mode In normal mode, to configure and activate WLANs, you complete these steps: 1. Configure the SSID, VLAN, and other options for each WLAN that you want to include in your network. See “Configuring a WLAN” on page 4-26 for instructions on how to do so. 2. On the Network Setup > WLAN Setup screen, select the WLANs and click Enable.
Figure 4-2 shows the screen in which you can verify that radios have received the WLAN assignment. Figure 4-2. Assigning WLANs to a Radio (Normal) To view the screen in Figure 4-2, select Network Setup > Radio and click the WLAN Assignment tab. Select a radio, and information is displayed in the area at the right of the screen, called Assigned WLANs.
Figure 4-3. Assigning WLANs to the Second Radio (Normal) You must understand that these assignments are constant: WLAN 2 is always assigned to BSSID 2, even if you have not enabled WLAN 1. Enabling More Than Four WLANs Using Normal Mode Using normal mode, you can configure and enable up to 16 WLANs, which all adopted RP radios will support.
As always, if the RP includes two radios, every WLAN is assigned to a BSSID on each. This process is illustrated in the figures below. Figure 4-4.
Figure 4-5. Viewing Six WLANs Assigned to a Radio (Normal) RP radios send beacon frames to announce the WLANs that they support. The source of a beacon frame is a BSSID, and each beacon can include only one SSID. Therefore, if you enable more than four WLANs, RPs support all of them, but only announce the first four.
In other words, with normal configuration, WLANs 5 through 16 always operate as a partially closed system. If you want these WLANs to operate as a completely closed system, you should disable responses to probe requests. You cannot disable closed system for these WLANs. Keep in mind that not announcing an SSID is not a security control: the SSID still travels in cleartext in association requests and in probe responses, so any station within range can learn it. Rely on the WLAN’s authentication and encryption settings instead. See “Enabling Closed System Operations” on page 4-64 to learn more about configuring the features described above.
Table 4-1. WLAN Assignment to BSSID
SSIDs for WLANs | BSSID
1, 5, 9, 13 | 1
2, 6, 10, 14 | 2
3, 7, 11, 15 | 3
4, 8, 12, 16 | 4
When deciding which WLAN index number to use for a WLAN, keep in mind that this number determines on which BSSID RPs carry that WLAN’s traffic. You should generally avoid mixing bulk data and time-sensitive data such as voice on the same BSSID.
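The following script applies the normal-mode rule from Table 4-1 to a planned set of WLAN index numbers: it reports which BSSID carries each WLAN, which SSID each BSSID beacons, which WLANs are carried but not announced (WLANs 5 through 16), and whether any BSSID would mix traffic classes that the guidance above says to keep apart. It is an added example written for this edit, not code from the module or from HP; the traffic-class labels are an assumption made for the demonstration.

```python
"""Normal-mode WLAN-to-BSSID planning for the Wireless Edge Services zl Module.

Added example, not the module's own code. Rule from Table 4-1: WLAN n is
carried on BSSID ((n - 1) mod 4) + 1. Each BSSID beacons only its first WLAN
(WLANs 1-4); WLANs 5-16 are carried but never announced in normal mode.
"""
from collections import defaultdict

BSSIDS_PER_RADIO = 4
MAX_NORMAL_WLANS = 16


def bssid_for_wlan(wlan_index: int) -> int:
    """BSSID (1-4) on which a normal-mode radio carries the given WLAN index."""
    if not 1 <= wlan_index <= MAX_NORMAL_WLANS:
        raise ValueError(f"normal mode supports WLANs 1..{MAX_NORMAL_WLANS}, got {wlan_index}")
    return (wlan_index - 1) % BSSIDS_PER_RADIO + 1


def plan_normal_mode(enabled_wlans):
    """Map enabled WLAN indexes onto the four BSSIDs of one radio.

    Returns {bssid: {"beaconed": wlan_or_None, "hidden": [wlans...]}}.
    'hidden' WLANs are served (stations that know the SSID can associate)
    but no beacon announces them: the "partially closed" case in the text.
    """
    plan = {b: {"beaconed": None, "hidden": []} for b in range(1, BSSIDS_PER_RADIO + 1)}
    for wlan in sorted(set(enabled_wlans)):
        slot = plan[bssid_for_wlan(wlan)]
        if wlan <= BSSIDS_PER_RADIO:
            slot["beaconed"] = wlan      # WLAN 1-4: primary SSID of its BSSID
        else:
            slot["hidden"].append(wlan)  # WLAN 5-16: carried, not announced
    return plan


def shared_bssid_conflicts(traffic_class):
    """Flag BSSIDs that would carry more than one traffic class.

    traffic_class: {wlan_index: label}, e.g. {1: "voice", 5: "data"} (labels are
    an assumption for this example). Returns [(bssid, sorted_labels), ...].
    """
    classes_by_bssid = defaultdict(set)
    for wlan, label in traffic_class.items():
        classes_by_bssid[bssid_for_wlan(wlan)].add(label)
    return sorted((b, sorted(c)) for b, c in classes_by_bssid.items() if len(c) > 1)


if __name__ == "__main__":
    # Constructed plan: six WLANs, with WLAN 1 voice and WLAN 5 bulk data.
    for bssid, slot in plan_normal_mode([1, 2, 3, 4, 5, 6]).items():
        print(f"BSSID {bssid}: beacons WLAN {slot['beaconed']}, hidden {slot['hidden']}")
    print("conflicts:", shared_bssid_conflicts({1: "voice", 5: "data", 2: "data"}))
```

Note that the mapping is fixed by index, so a WLAN you enable as WLAN 6 lands on BSSID 2 whether or not WLAN 2 exists; renumbering a WLAN (for example, moving voice to an index whose BSSID carries nothing else) is how you separate traffic classes in normal mode.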
Why Use Advanced Mode Reasons that you might use advanced mode include: ■ You want to restrict access to a WLAN to a certain area. For example, if a WLAN allows wireless users to access sensitive financial information, you might not want your network to support that WLAN, even protected by encryption, in a public lobby. Advanced mode allows you to assign a WLAN to certain RPs only, so you control where the WLAN exists.
■ You want your RPs to announce more than four SSIDs. While a single RP radio can only beacon four SSIDs, it is possible to customize WLAN assignments so that different RP radios beacon different SSIDs. That is, you can configure certain WLANs as the primary WLANs on some of your organization’s RPs, and other WLANs as primary on others.
Figure 4-8. Global WLAN Settings Screen c. Check the Advanced Configuration box, and then click the OK button. 3. Enable the WLANs. 4. You must now manually assign the WLANs to RP radios. You can do this in two ways: • You can manually assign WLANs as a part of a default configuration to be sent to any newly adopted RP.
Manually Assigning WLANs to the Radio Adoption Default Configuration. Configure the radio adoption default configuration to customize the WLANs that the Wireless Edge Services zl Module sends to all newly adopted radios. This configuration actually divides into two parts—one for 802.11a radios and one for 802.11bg radios.
Figure 4-9. Configuring an Area-Specific WLAN Note Depending on whether you enable WLANs or advanced mode configuration first, the radio adoption configuration begins with either the normal WLAN assignment or an empty WLAN assignment. Leaving the WLAN assignment in the default configurations empty is not necessarily undesirable: it can increase security, because a newly adopted RP then serves no WLAN at all until an administrator deliberately assigns one to it. An RP plugged in at the wrong location, or one adopted by mistake, does not start carrying your SSIDs on its own.
Figure 4-10. Customizing WLAN Assignment for the Radio Adoption Default (Advanced Mode) 2. Choose the radio type from the Select Radio drop-down menu. If your network includes radios of both types, you should remember to configure a default WLAN assignment for each. Typically, these assignments should match. Note You can assign WLANs to the radio as a whole or to individual BSSIDs. 3.
Figure 4-11. Assigning WLANs to a BSSID in the Default Configuration 6. In the Primary WLAN drop-down menu, choose the WLAN for which the radio should beacon the SSID. 7. If you want to assign more WLANs to the radio, select another BSSID and repeat steps 5 and 6. 8. Click the Apply button. Manually Assigning WLANs to a Specific Radio. Select this option to alter the WLAN assignment on a specific radio.
3. Click the Edit button. The Network Setup > Radio > Assign Wireless Lans to Radios screen is displayed. (See Figure 4-12.) Figure 4-12. Assigning WLANs to a Specific RP Radio 4. You can assign SSIDs either to the radio as a whole or to a specific BSSID.
6. Alternatively, you can assign a WLAN to a specific BSSID on the radio: a. In the left area, Select Radio/BSS, select that BSSID. b. Check the Assign box for each WLAN that you want to assign to the BSSID. You can select up to four WLANs, but as always, the beacons only include one. Figure 4-13. Assigning WLANs to a BSSID on a Radio c.
7. Click the Apply button, and then click the Close button. A screen such as that in Figure 4-14 is displayed; you can check your configuration in the Assigned WLAN area. Figure 4-14.
Figure 4-15. Manually Assigning WLANs to an RP Radio Figure 4-14 shows the Network Setup > Radio screen in which you would check this configuration. If you had assigned a fifth WLAN to the radio, then two SSIDs would be assigned to BSSID 1, and beacons would advertise only one of these SSIDs.
3. On the Network Setup > WLAN Setup screen, select the WLANs, and then click Enable. 4. Click the Global Settings button. The Global WLAN Settings screen is displayed. 5. Check the Advanced Configuration box, and then click the OK button. 6. If necessary, tailor the radio adoption default configurations: a. Select Network Setup > Radio Adoption Defaults and click the WLAN Assignment tab. b.
■ the radio adoption default configuration for 802.11bg radios ■ the configuration for every RP radio adopted by your module To disable advanced mode configuration, complete these steps: 1. Click Network Setup > WLAN Setup. 2. Click the Global Settings button. The Global WLAN Settings screen is displayed. 3. Uncheck the Advanced Configuration box, and then click the OK button.
Click the OK button. You can now either: • check the WLAN assignments on all radios and default configurations, reassigning SSIDs to BSSIDs as described at the beginning of this section • execute a forced disable by clicking the Yes button Click the Yes button to force advanced mode to disable. This option disables advanced mode configuration as well as all WLANs, even those that are compatible with normal mode.
Configuring a WLAN
To configure a WLAN, you must set: ■ the SSID ■ the VLAN in which traffic will be forwarded ■ security options, which include: • authentication method • encryption option Optionally, you can configure: ■ advanced settings for individual WLANs, which include: • inter-station blocking • closed system operations • inactivity timeouts ■ global settings for all WLANs, which include: • proxy Address Resolution Protocol (
Figure 4-18. Network Setup > WLAN Setup > Configuration Screen As you can see in Figure 4-18, this screen displays the 256 WLANs that are available for configuration. Remember that in normal configuration mode, you can only configure WLANs 1 through 16. On the Wireless Edge Services zl Module, you do not create WLANs as such. The module has already created them; you configure options for and enable the WLANs.
■ Enabled—Indicates whether the WLAN has been enabled. The Wireless Edge Services zl Module does not deploy a WLAN configuration to RPs until you enable the WLAN. By default, all WLANs are disabled. ■ SSID—Displays the WLAN’s SSID. By default, this SSID simply indicates the WLAN’s index number. You will change this to a network name when you configure the WLAN. ■ Description—Describes the WLAN so that you can quickly see its purpose.
The screen illustrated in Figure 4-19 is displayed: this is the Edit screen for the selected WLAN. On this screen, you configure settings for your WLAN. Figure 4-19. Editing a WLAN In the Configuration section, you create the WLAN’s basic settings. Configure security standards in the Authentication and Encryption sections. If you choose an authentication option that requires a RADIUS server, the RADIUS Config...
Setting Basic Configuration Options: SSID and VLAN Interface You must set the following options in the Configuration section of a WLAN’s Edit screen: ■ the SSID The SSID identifies the WLAN; stations associated to the same SSID are in the same WLAN regardless of the RP radio to which they have associated.
To configure these options, follow these steps: 1. Access the Edit screen for the WLAN, as described in “Configuring a WLAN” on page 4-26. 2. Under Configuration, in the SSID field, enter the SSID that you have selected for this WLAN. Figure 4-20. Configuring the SSID When you enable the WLAN, the Wireless Edge Services zl Module automatically configures this SSID on all adopted RP radios (as long as you are using normal mode).
For example, if this WLAN provides network access for sales representatives in conference rooms, you could enter “Sales/Conference Rooms.” (This information is for reference only and is not sent to the RPs nor broadcast to wireless stations.) 4. In the VLAN ID field, specify the VLAN to which the module maps wireless traffic. The VLAN ID can be a value from 1 to 4094, the valid IEEE 802.1Q range. Figure 4-21. Setting the VLAN ID 5.
If the WLAN uses Web-Auth, set the DHCP lease for the WLAN’s static VLAN very low. This allows the station to request a new IP address in the dynamic VLAN soon after the user authenticates. 6. Continue configuring the WLAN. See “Configuring Security Options” on page 4-33. (Or click OK to apply the settings and close the Edit screen.
You configure authentication methods as part of each individual WLAN’s settings, and, as far as that WLAN is concerned, they are mutually exclusive. For example, a WLAN can require stations to authenticate using 802.1X or using Web-Auth, but not both. However, one WLAN can require 802.1X and a different WLAN, Web-Auth. The MAC authentication configured on a WLAN is MAC authentication to a RADIUS server.
Figure 4-22. Enabling 802.1X Authentication To configure 802.1X authentication for a WLAN, complete these steps: 1. Click Network Setup > WLAN Setup. 2. Select the WLAN and click the Edit button. 3. Under Authentication, select 802.1X EAP. 4. Optionally, click the Config button next to 802.
Figure 4-23. Specifying 802.1X EAP Settings a. Enter a value in the Station Timeout field to control how long the module will wait for a station to authenticate itself. The Station Timeout can be from 1 to 60 seconds, and the default setting is 5 seconds. b. Enter a value in the Station Retries field to control how many times the module will reissue a challenge to the station.
Figure 4-24. Radius Configuration Screen 6. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers. Enter settings for your primary server in the fields in the Primary column: a. In the RADIUS Server Address field, specify the IP address of your network’s primary RADIUS server. To use the module’s internal server, enter 127.0.0.1. b.
c. In the RADIUS Shared Secret field, enter a character string up to 127 characters. The RADIUS server uses the secret to identify the Wireless Edge Services zl Module as a legitimate client, and the secret is also what hides the User-Password attribute and authenticates the server’s replies; a short or guessable secret can be recovered offline from captured RADIUS traffic, so use a long random string and a different one for each RADIUS client. You must match the secret configured for the module in your RADIUS server’s configuration. If you are using the module’s internal server, you do not need to enter a shared secret. d. 7.
Web-Auth. Web-Auth allows wireless stations that do not support 802.1X to authenticate to a RADIUS server. Web-Auth is an easy-to-use option that is often selected for wireless networks that provide Internet or limited network access to a broad range of users. The instructions below simply guide you through the most basic Web-Auth settings.
3. Under Authentication, select Web-Auth. Note On the configuration screens that appear in this procedure, you can quickly get the WLAN running by completing these minimal steps. (Learn more about the process in Chapter 5: “Web Authentication for Mobile Users.”) 4. Click the Config button next to Web-Auth. The Web-Auth screen is displayed. Figure 4-26. Configuring the Allow 5.
6. Leave other settings at their defaults and click the OK button. 7. Web-Auth requires a RADIUS server to act as the authentication server. Click the Radius Config button at the bottom of the screen. The Radius Configuration screen is displayed. Figure 4-27. Radius Configuration Screen 8. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers.
The default value is 1812. c. In the RADIUS Shared Secret field, enter a character string up to 127 characters. The RADIUS server uses the secret to identify the Wireless Edge Services zl Module as a legitimate client. You must match the secret configured for the module in your RADIUS server’s configuration. If you are using the module’s internal server, you do not need to enter a shared secret. d. 9.
MAC Authentication. The MAC Authentication option refers to RADIUS MAC authentication. When a station attempts to associate with the WLAN, the Wireless Edge Services zl Module forwards the station’s MAC address in a request to a RADIUS server. The RADIUS server decides whether the station can associate. Because a station’s MAC address is visible in every frame it transmits and can be changed on most clients, MAC authentication identifies a device but does not prove who is using it; treat it as a weak control and pair it with encryption rather than relying on it alone. To configure MAC authentication, complete these steps: 1. Access the Edit screen for the WLAN: a.
3. This authentication option requires a RADIUS server to act as the authentication server. Click the Radius Config button at the bottom of the screen. The Radius Configuration screen is displayed. Figure 4-29. Radius Configuration Screen for MAC Authentication 4. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers. Enter settings for your primary server in the fields in the Primary column: a.
To use the module’s internal server, enter 127.0.0.1. b. Leave the RADIUS Port field at the default value unless you know that your server uses a different port. The default value is 1812. c. In the RADIUS Shared Secret field, enter a character string up to 127 characters. The RADIUS server uses the secret to identify the Wireless Edge Services zl Module as a legitimate client.
Wireless Local Area Networks (WLANs) Configuring a WLAN 9. In the MAC Address section, choose the format in which the Wireless Edge Services zl Module forwards the MAC address. The module sends the station’s MAC address as the username and the password in the RADIUS request. The username and password must match exactly those in the account against which the RADIUS server checks them. For example, if the account uses delimiters in the MAC address, the module must use delimiters in the same places.
Table 4-2.

Note: By default, all WLANs use open-key authentication for WEP, which means that any station can associate. However, the Wireless Edge Services zl Module silently drops any incorrectly encrypted frames, so only stations that hold the correct key can forward data and truly connect to the WLAN. The alternative, shared-key authentication, is deprecated because its challenge/response exchange exposes WEP keystream to anyone listening, which leaks information about the key. Keep in mind that WEP itself is cryptographically broken: a passive attacker can recover a static key from captured traffic in minutes. Use it only for legacy devices that support nothing better, on an isolated VLAN, and prefer WPA2 wherever possible.

Figure 4-30. Configuring WEP Encryption with No Authentication

2. Under Authentication, select No Authentication.
3. Under Encryption, check either the WEP 64 or WEP 128 box.
4. Click the corresponding Config button. The WEP 64 or WEP 128 screen is displayed.

Figure 4-31. Configuring a Static WEP Key

5. Specify the static key. The Wireless Edge Services zl Module provides several options for configuring static keys:
• It can automatically generate four hex keys from a manually entered pass key. Enter a string of 4 to 32 characters in the Pass Key field and click the Generate button.
The number of characters in the key depends on the WEP key length and on the format in which you enter the key. Table 4-3 summarizes these requirements.

Table 4-3. Key Length for Static WEP Keys

Key Length   Format        Characters
64-bit       Hexadecimal   10
64-bit       ASCII         5
128-bit      Hexadecimal   26
128-bit      ASCII         13

The key next to the selected circle (Key 1 in Figure 4-31) is the key that currently encrypts and decrypts data.

1. Access the Edit screen for the WLAN that is to use dynamic WEP:
a. Select Network Setup > WLAN Setup and click the Configuration tab.
b. Select the WLAN and click the Edit button. The Edit screen is displayed. (See Figure 4-30.)
2. Enable 802.1X authentication and specify the RADIUS server. (See "802.1X EAP" on page 4-34.)
3. On the WLAN's Edit screen, under Encryption, check either the WEP 64 or WEP 128 box, as shown in Figure 4-32.
Do not click the Config button to configure the WEP key; with dynamic WEP the keys are derived from the 802.1X authentication and delivered to each successfully authenticated user, so there is no static key to enter. If you click the Config button, the message in Figure 4-33 is displayed. The message does not indicate a problem: it simply informs you that you have completed all necessary steps for configuring encryption on this WLAN.

Figure 4-33.
Figure 4-34. Configuring WPA/WPA2 Encryption

Table 4-4 displays the types of stations supported by each option. It also lists which protocols each option uses to generate group (multicast and broadcast) keys and pairwise (per-session) keys.

Table 4-4.

Figure 4-35. Advanced Options for WPA/WPA2

b. If you want, check the Broadcast Key Rotation box. Because every station in the WLAN must hold the same broadcast (group) key, the compromise of any one station exposes it, which makes this key more exposed than the per-session pairwise keys. Periodically changing the broadcast key limits how long a leaked key stays useful. By default, the Wireless Edge Services zl Module does not rotate the broadcast key.
Check these boxes to enable the Wireless Edge Services zl Module's fast roaming capabilities:
– PMK Caching—The RP and the wireless station derive a PMK identifier (PMKID) for their session, which each stores even after the station disassociates. If the wireless station roams back to the RP, the two can quickly exchange the PMK identifier and renegotiate the session keys instead of repeating the entire 802.1X authentication.
a. Select Network Setup > WLAN Setup and click the Configuration tab.
b. Select the WLAN and click the Edit button. The Edit screen is displayed. (See Figure 4-30.)
2. Under Authentication, select No Authentication.
3. Under Encryption, select your encryption protocol:
• To use TKIP, check the WPA/WPA2-TKIP box. The Wireless Edge Services zl Module and wireless stations will use TKIP for all encryption. (TKIP was designed as a stopgap for WEP-era hardware; prefer AES-CCMP unless legacy stations require TKIP.)
b. Enter the preshared key. Choose a key that conforms to the highest security standards. Anyone who captures a station's four-way handshake can run an offline dictionary attack against the passphrase, so its strength depends on both length and randomness: the longer the key and the more character classes it draws on, the more secure it is. (The key must be at least 22 characters to withstand a brute-force attack; a randomly generated key of that length is far stronger than a phrase of the same length built from dictionary words.) You can enter the key in one of two ways:
– Select ASCII Passphrase, and then enter a password of 8 to 63 characters. Users must enter the same characters to access the WLAN.
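The following is an added example, not code from this guide or from the module. It shows what the preshared key typed into the Edit screen becomes (the PBKDF2 mapping from passphrase and SSID to a 256-bit PSK defined by IEEE 802.11i, checked against the standard's published test vector), how the PMK identifier used by PMK Caching is computed from that key and the two MAC addresses, and a rough entropy bound that makes the length-versus-randomness point concrete. The 64-hex-digit raw key form accepted by check_preshared_key is assumed from the 802.11i definition, not from the screen described above; the MAC addresses in the demonstration are made up.

```python
"""WPA/WPA2-Personal key derivation and PMKID (IEEE 802.11i), added example."""
import hashlib
import hmac
import math
import string

PBKDF2_ROUNDS = 4096   # iteration count fixed by 802.11i for passphrase-to-PSK mapping
PSK_LEN = 32           # 256-bit PSK; in WPA-PSK it is used directly as the PMK
PRINTABLE_ASCII = {chr(c) for c in range(32, 127)}


def check_preshared_key(key: str) -> str:
    """Classify a key: "ascii" for an 8-63 character printable passphrase,
    "hex" for a 64-hex-digit raw PSK (raw form assumed from 802.11i, not from
    the guide). Raises ValueError for anything else."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "hex"
    if 8 <= len(key) <= 63 and all(c in PRINTABLE_ASCII for c in key):
        return "ascii"
    raise ValueError("key must be 8-63 printable ASCII characters or 64 hex digits")


def wpa_psk(key: str, ssid: str) -> bytes:
    """Derive the PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).

    The salt is the SSID, so the same passphrase on two SSIDs gives two
    different PSKs and precomputed tables are only useful per SSID."""
    if check_preshared_key(key) == "hex":
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ROUNDS, PSK_LEN)


def pmkid(pmk: bytes, rp_bssid: bytes, station_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), per 802.11i.

    The RP (authenticator address AA) and the station (supplicant address SPA)
    both derive this identifier for a cached PMK; on return to the RP the
    station offers it in its (re)association request to skip full 802.1X."""
    if len(pmk) != PSK_LEN or len(rp_bssid) != 6 or len(station_mac) != 6:
        raise ValueError("need a 32-byte PMK and 6-byte MAC addresses")
    mac = hmac.new(pmk, b"PMK Name" + rp_bssid + station_mac, hashlib.sha1)
    return mac.digest()[:16]


def passphrase_entropy_bits(passphrase: str) -> float:
    """Optimistic upper bound: bits if each character were drawn uniformly
    from the union of the character classes present. A phrase built from
    dictionary words has far less real entropy than this bound suggests, and
    an attacker holding a captured four-way handshake tests each guess with
    one wpa_psk() computation (4096 HMAC-SHA1 rounds)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation + " ")
    pool = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    psk = wpa_psk("password", "IEEE")   # 802.11i Annex H test vector
    print("PSK  :", psk.hex())
    # Made-up RP BSSID and station MAC for the PMKID demonstration.
    print("PMKID:", pmkid(psk, bytes.fromhex("001122334455"),
                          bytes.fromhex("66778899aabb")).hex())
    for candidate in ("password", "correcthorsebatterystaple", "9#Lq!vT2xR7m$Wz0p&Ye4B"):
        print(f"{candidate:28s} <= {passphrase_entropy_bits(candidate):5.1f} bits")
```

Running the block prints the PSK for the standard's "password"/"IEEE" vector, a PMKID for the made-up addresses, and entropy bounds that show why a 22-character random key and a 22-character dictionary phrase are not equivalent even though both satisfy the length rule above.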
Table 4-5.

Table 4-6.

For increased security, you can prevent two wireless stations in a particular WLAN from communicating with each other. You have three options for controlling wireless station-to-station traffic in a particular WLAN:
■ allow all inter-station traffic—When a wireless station attempts to communicate with another station in the WLAN, the Wireless Edge Services zl Module forwards the packet toward the second station's RP.

Figure 4-37. Controlling Inter-Station Traffic

3. Click the OK button.
Remember that this setting applies to a WLAN; it does not apply to an RP as a whole, which might associate with stations in several WLANs. If you want to prevent the Wireless Edge Services zl Module from forwarding traffic between wireless stations in different WLANs, you must configure this option for both WLANs.

Enabling Closed System Operations

Wireless stations have two ways to discover the SSID for a WLAN:
■ RPs send beacons that include the SSID for the WLAN. All wireless stations listen for beacons.
■ RPs answer probes from stations requesting that the RP send all SSIDs it supports.
RPs can only beacon the SSIDs for the four primary WLANs (with normal configuration, WLANs 1 through 4).

Figure 4-38. Enabling Closed System

2. In the Advanced section, check the Closed System box.
3. Uncheck the Answer Broadcast ESS box to prevent RPs from telling wireless stations the SSID in response to broadcast probes.
4. Click the OK button.
A closed system only keeps the SSID out of beacons and broadcast probe responses. Stations that already know the SSID still send it in clear text in directed probe requests and in association requests, so anyone monitoring the channel can learn it. Treat closed system as a way to reduce casual discovery, not as an access control.

Configuring the Inactivity Timeout

Users do not always bother to disconnect from wireless connections when they turn off or leave their stations. Although the user is no longer truly connected, the Wireless Edge Services zl Module continues to store the station's association. On an RP nearing its maximum number of stations, an unterminated association can prevent a new station from connecting to the wireless network.

Figure 4-39. Setting the Inactivity Timeout

2. Under Advanced, in the Inactivity Timeout field, enter a value from 60 seconds (one minute) through 86400 seconds (one day). The default timeout is 1800 seconds (30 minutes). In Figure 4-39, the administrator has lowered the timeout to 300 seconds (five minutes).
3. Click the OK button.
You can configure the module to use these types of accounting:
■ syslog—The Wireless Edge Services zl Module forwards logs about stations in this WLAN to a syslog server.
■ RADIUS—The Wireless Edge Services zl Module sends messages to a RADIUS accounting server when a station connects or disconnects and, optionally, at regular intervals throughout the connection (interim updates).

Figure 4-40. Enabling Syslog Accounting on a WLAN

3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Syslog.
4. Click the Syslog Config button. The Accounting screen is displayed.

Figure 4-41. Specifying the Syslog Server

5. In the Syslog Server IP field, specify the syslog server's IP address.
6. In the Syslog Server Port field, enter your server's UDP port or keep the default, 514.
7. Click the OK button.
8. In the WLAN's Edit screen, click the OK button.
9. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
Syslog over UDP port 514 is neither authenticated nor encrypted, so carry it on a trusted management VLAN and keep the syslog server off the VLANs that wireless users can reach.

Figure 4-42. Enabling RADIUS Accounting for a WLAN

3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Radius. Users must authenticate to a RADIUS server for RADIUS accounting to function: select 802.1X EAP, Web-Auth, or MAC Authentication as the authentication method.
4. Click the Radius Config button. The Radius Configuration screen is displayed.

Figure 4-43. Specifying the Accounting Server in the Radius Configuration Screen

To enforce RADIUS accounting, the WLAN must use 802.1X authentication, Web-Auth, or MAC authentication for the Authentication mode.
5. Configure settings for the primary accounting server in the Primary column of the Accounting section.
a. Specify the server's IP address in the Accounting Server Address field.
c. In the Accounting Shared Secret field, enter a string of up to 127 characters. (The string can include alphanumeric and special characters.) The accounting server uses the shared secret to verify that accounting reports come from a legitimate source, so the key you specify must match the key configured for the module in the accounting server's client configuration. If you are using the module's internal server, you do not need to specify a key.
6.
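The following is an added example, not code from this guide or from the module; it serves both the MAC Authentication steps above (the MAC address format and the shared secret on an Access-Request) and the accounting shared secret described here. It builds the two RADIUS messages from RFC 2865 and RFC 2866 by hand: format_mac rewrites a station address in the delimiter style the RADIUS account expects, hide_password shows how the shared secret obfuscates User-Password (and reveal_password why a mismatched secret leaves the server with garbage), and accounting_request/verify_accounting_request show the secret-keyed Request Authenticator an accounting server checks before trusting a report. The secret, MAC address and authenticator values are constructed for the example.

```python
"""RADIUS client messages for MAC authentication and accounting (RFC 2865/2866).

Added example, not the module's own code. All secrets, addresses and
authenticators below are constructed for illustration.
"""
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4               # RADIUS packet codes
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE = 1, 2, 40   # attribute types
ACCT_STATUS_START = 1
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def format_mac(mac, delimiter=":", group=2, upper=False):
    """Rewrite a MAC address in the style the RADIUS account uses.

    ("", 2) -> 001122aabbcc, ("-", 2) -> 00-11-22-aa-bb-cc, (".", 4) -> 0011.22aa.bbcc.
    The input may use any of those styles; the account's style must be matched exactly.
    """
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return delimiter.join(digits[i:i + group] for i in range(0, 12, group)) if delimiter else digits


def attribute(atype, value):
    """One type-length-value attribute; the length counts the 2-byte TLV header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1-253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 3 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret || previous
    block), seeded with the Request Authenticator. Obfuscation, not strong encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1-128 bytes")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Server-side inverse of hide_password; a wrong secret yields garbage, so the
    server rejects the user even though the packet itself is well formed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(secret, username, password, identifier, authenticator=b""):
    """Access-Request as sent for MAC authentication (username == password == MAC)."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = attribute(USER_NAME, username) + \
        attribute(USER_PASSWORD, hide_password(secret, authenticator, password))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) \
        + authenticator + attrs


def accounting_request(secret, username, identifier):
    """Accounting-Request (Start). RFC 2866 3: Request Authenticator =
    MD5(Code || ID || Length || 16 zero octets || attributes || secret), so the
    secret acts as an integrity tag over the whole report."""
    attrs = attribute(USER_NAME, username) + \
        attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def verify_accounting_request(secret, packet):
    """What the accounting server does with its copy of this client's secret."""
    header, authenticator, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)
```

Two things the code makes visible that the screens do not: the User-Password hiding is MD5-based XOR keyed by the shared secret, so the secret (not the obfuscation) is what protects the credential, and the Accounting-Request authenticator is the only thing telling the accounting server that a Start/Stop report is genuine; a secret of a few lowercase characters can be recovered offline from a single captured packet, so use a long random secret and keep RADIUS traffic on a trusted VLAN.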
Configuring Global WLAN Settings

The ProCurve Wireless Edge Services zl Module also supports these features:
■ Proxy ARP—With this feature enabled, the Wireless Edge Services zl Module responds to ARP requests on behalf of its wireless stations, reducing broadcast overhead in the wireless network.
■ Shared-key authentication—Open and shared-key authentication apply to WLANs that use WEP encryption.

Note: The Advanced Configuration selection refers to how SSIDs are assigned to RP radios; see "Advanced Mode Configuration" on page 4-11.

4. Click the OK button.

Enabling the WLAN

RPs in your wireless network will not support the WLAN until you enable it. To enable the WLAN, complete these steps:
1. Select Network Setup > WLAN Setup and click the Configuration tab.
2. Select the WLAN that you want to enable.

Figure 4-45. Enabling a WLAN

As long as you are operating in normal mode, all radios on all RPs that the Wireless Edge Services zl Module has adopted or will adopt support the enabled WLANs. You can confirm that RPs are actually supporting the enabled WLANs by selecting Network Setup > Radio and checking the WLAN Assignment tab. Select an RP radio to view which SSIDs are mapped to that radio's BSSIDs.

Figure 4-46. Viewing the WLANs Assigned to Radios in the Default Configuration

The radio supports all five WLANs. However, some of the WLANs share a BSSID. For example, when BSS 1 is selected in the section on the left, the section on the right shows the two WLANs that share this BSSID. See Figure 4-47.

Figure 4-47. Viewing the WLANs Assigned to a BSSID in the Default Configuration

To review how the Wireless Edge Services zl Module assigns WLANs to RP radios, see "Normal Mode Configuration" on page 4-4.
VLAN Assignment

The instructions for configuring a WLAN include the basic mechanics for assigning all traffic from a WLAN to a VLAN. This section explains in more depth when and why you would assign one WLAN to one VLAN and another WLAN to another VLAN.
The Wireless Edge Services zl Module determines the VLAN to which to assign incoming wireless traffic based on one of two criteria:
■ the wireless user's identity
■ the wireless station's WLAN
You configure WLAN-based VLAN assignments manually. (See "Setting Basic Configuration Options: SSID and VLAN Interface" on page 4-30.) Identity-based, or user-based, VLAN assignments are dynamic and are received from an authentication server.

WLAN-Based VLAN Assignment

You configure WLAN-based VLAN assignment by manually assigning the WLAN to a VLAN. Typically, you complete this step at the same time that you configure the SSID and security settings, as described in "Setting Basic Configuration Options: SSID and VLAN Interface" on page 4-30 and as shown in Figure 4-49.

Figure 4-49.

Figure 4-50. Network Setup > WLAN Setup > VLAN Assignment Screen

In the first two columns, the Network Setup > WLAN Setup > VLAN Assignment screen shows this information for each WLAN:
■ Description (if configured)
■ SSID
All the VLANs to which at least one WLAN has been assigned make up the subsequent columns, as shown in Figure 4-50. The check mark indicates the interface to which the WLAN has been assigned.
See "Identity-Based, or Dynamic, VLAN Assignment" on page 4-86 for an explanation of how the Wireless Edge Services zl Module can dynamically match WLAN traffic to multiple VLANs.

Considerations for WLAN-Based VLAN Assignment

By default, all WLANs are mapped to VLAN 1. In many networks that use multiple VLANs, VLAN 1 is reserved as the management VLAN; leaving wireless traffic there would put every wireless station on the same segment as the management interfaces, so move WLANs off VLAN 1 before you enable them.
■ Who will be connecting to this WLAN?
• Guests—In this case as well, you could assign the WLAN to a VLAN reserved for wireless users. Network administrators could then control traffic from that VLAN appropriately—for example, limiting wireless users to Internet access or to certain network servers.

Note: When the Wireless Edge Services zl Module places traffic in a VLAN, it tags it for that VLAN. You must remember to tag the module's uplink port for each VLAN to which you manually assign a WLAN. (For more on configuring the wireless-services-enabled switch, see the Wireless Edge Services zl Module Supplement to the ProCurve 6200yl/5400zl/3500yl Management and Configuration.

Identity-Based, or Dynamic, VLAN Assignment

The Wireless Edge Services zl Module can also divide traffic from wireless users into VLANs based on those users' identities.
5. On the RADIUS server, configure users' VLAN assignments.
a. See "Creating a Group" on page 11-12 in Chapter 11: "RADIUS Server" to learn how to configure VLAN assignments on the Wireless Edge Services zl Module's internal RADIUS server.
b. One of the easiest ways to configure the assignment on an external server is via an Identity Driven Management (IDM) agent installed on that server.
Traffic Management (QoS)

Contemporary users demand more from wireless connections—more bandwidth and more multimedia applications—but they also demand less jitter and fewer dropped calls. The ProCurve Wireless Edge Services zl Module helps RPs deliver high QoS for voice, video, and other high-priority or time-sensitive traffic.

Figure 4-52. QoS Mechanisms Supported by the Wireless Edge Services zl Module

SVP

SVP maintains a high QoS specifically for VoWLAN devices that are SVP-capable. SVP is implemented in wireless phones, wireless APs, and SpectraLink servers. This IEEE 802.
To enable SVP support, complete these steps:
1. Access the Edit screen for the WLAN that includes voice devices:
a. Select Network Setup > WLAN Setup and click the Configuration tab.
b. Select the WLAN and click the Edit button. The Edit screen is displayed.
2. Under Advanced, check the Enable SVP box.
3. Click the OK button.
Note: Remember that you are enabling SVP support on the WLAN, not on a particular RP.

The Wireless Edge Services zl Module can use WMM to prioritize the following traffic:
■ traffic sent from RP radios to wireless stations
■ traffic sent from wireless stations to RP radios

Priority Queuing and ACs. Table 4-7 shows the ACs into which RPs and wireless stations can divide traffic.

Table 4-7.

Table 4-8. Priority Values for WMM ACs

Queue Number   AC            802.1p Priority   DSCP
1              Background    1, 2              8-23
2              Best Effort   0, 3              0-7, 24-31
3              Video         4, 5              32-47
4              Voice         6, 7              48-63

By default, the module uses the 802.1p priority to place traffic in a queue. You can choose DSCP instead; see "Customizing Station WMM Parameters" on page 4-100.

Priority Queuing on Traffic Transmitted from RPs to Wireless Stations.

Figure 4-53. Using WMM to Prioritize Traffic Transmitted from RPs to Wireless Stations

Priority Queuing on Traffic Transmitted from Wireless Stations to RPs. Only when you enable WMM on a WLAN do WMM-enabled stations also implement priority queuing on the traffic they transmit. RPs broadcast station WMM parameters throughout the WLAN. WMM-enabled stations queue traffic according to 802.

Figure 4-54. Using WMM to Prioritize Traffic Transmitted From Wireless Stations to RPs

Note that the station WMM parameters can differ from the RP WMM parameters.

Enabling WMM on a WLAN

Enabling WMM on a WLAN enables the following:
■ RP radios use QoS marks (802.1p, by default) to queue traffic destined to stations in this WLAN. Radios grant better QoS to high-priority queues by using different parameters to transmit traffic in those queues.

Figure 4-55. Enabling WMM on a WLAN

2. Under Advanced, in the Access Category drop-down menu, select Automatic/WMM.
3. Click the OK button.
The next section explains how to make some advanced configurations for WMM.

Changing the Protocol that Prioritizes Traffic and Enabling Admission Control

As discussed earlier, when you enable WMM, wireless devices queue frames according to QoS marks.
Another advanced WMM parameter is admission control, a feature available for the Video and Voice queues. The more stations that use high-priority settings, the less effect those settings have. Admission control restricts the number of stations in a wireless cell that can use the high-priority settings by forcing stations to check with the RP first.
To configure these advanced options, follow these steps:
1.

Figure 4-57. Editing Station EDCA (WMM) Parameters

3. Select the prioritization protocol used by your wireless stations:
• 802.1p is a Layer 2 mechanism that marks traffic in the VLAN tag with one of eight priorities.
• DSCP is a Layer 3 mechanism that marks traffic in the IP header with one of 64 code points.
Wireless devices queue frames according to the priority marked by the selected protocol. For example, if you select 802.

Note: If you change the protocol for one queue, the setting automatically changes in the other three queues for the WLAN; in other words, the setting applies to the WLAN as a whole. (It does not make sense to use 802.1p to queue some traffic but DSCP to queue other traffic.)
4. To restrict the number of stations allowed to use the settings for this queue, check the Admission Control box and enter a value from 1 to 255.
Figure 4-58. Station WMM Parameters

Figure 4-58 shows the default settings for WMM queues. As you can see, each WLAN has its own four queues. This is because RPs broadcast one set of station parameters to all stations in a WLAN; they can broadcast another set of station parameters to all stations in another WLAN (if that WLAN uses WMM). The Idx column lists the WLAN and the queue number.
A green check mark in the WLAN Enabled column indicates that RPs in your network currently support this WLAN; a green check mark in the WMM Enabled column indicates that RPs are allowed to send the WMM parameters to stations (Access Category is Automatic/WMM). In Figure 4-58, four WLANs are active and enabled. However, only two (MyWLAN and Test) implement WMM prioritization on wireless station to RP traffic.

Figure 4-59. Station WMM Parameters

2. Select the queue for which you want to alter the settings, and then click the Edit button. The Edit WMM screen is displayed.

Figure 4-60. Editing Station EDCA (WMM) Parameters

3. View the SSID and Access Category settings to verify that you are configuring the correct queue. In Figure 4-60, the Best Effort queue (queue 1) in MyWLAN is being customized.
4. Enter the desired values in the AIFSN, Transmit Ops, CW Minimum, and CW Maximum fields. This guide gives the unit of AIFSN and Transmit Ops as ms; in the IEEE 802.11 EDCA parameter set, however, AIFSN is a count of slot times (its 0 to 15 range matches the field here) and the TXOP limit is expressed in 32-microsecond units, so treat these fields as the raw 802.11 parameter values rather than as milliseconds.
Again, take great care in establishing these settings. ProCurve Networking cannot guarantee any behavior. However, keep these tips in mind:
• The lower the AIFSN and the CW Minimum values, the lower the latency for traffic in the queue and, in a congested network, the higher the throughput. In a congested network, raising the AIFSN or the CW Minimum of low-priority queues can improve QoS for high-priority traffic.

Like other radio settings, you can alter:
■ the WMM queue parameters that the Wireless Edge Services zl Module sends to newly adopted radios
■ the WMM queue parameters used by particular radios
To customize the RP WMM parameters, complete these steps:
1.
2.

Figure 4-61. Network Setup > Radio > WMM Screen

3. To change the parameters for a particular queue, select the queue and click the Edit button. The Edit WMM screen is displayed.

Figure 4-62. Edit WMM Screen for Radio 1's Voice AC

4. To change the AIFSN value, enter a new value between 0 and 15 in the AIFSN field. (See the note on units in step 4 of the previous procedure.)
5. To change the Transmit Ops value, enter a new value between 0 and 65,535 in the Transmit Ops field.

Customizing How QoS Marks Map to ACs

As discussed earlier, enabling WMM on a WLAN allows wireless devices to queue traffic according to either 802.1p or DSCP. Table 4-9 shows the default mapping of values to priority queues.

Table 4-9. Priority Values for WMM ACs

Queue Number   AC            802.1p Priority   DSCP
1              Background    1, 2              8-23
2              Best Effort   0, 3              0-7, 24-31
3              Video         4, 5              32-47
4              Voice         6, 7              48-63

Figure 4-63. Customizing QoS Mappings

3. Use the Access Category to 802.1p section to configure the Wireless Edge Services zl Module to mark incoming wireless traffic with a QoS value for priority handling in the wired network. Click a field in the 802.1p Prioritization column, then enter a value between 0 and 7. The module marks traffic that arrives in this AC with this 802.1p value.
4. If you are using 802.
5. If you are using DSCP to prioritize traffic in at least one WLAN, configure the QoS mappings in the DSCP to Access Category section. To select the AC to which a particular DSCP maps, click the Access Category column in the row for that value, then choose Best Effort, Background, Video, or Voice from the drop-down menu.
6. Click the OK button.
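The following is an added example, not code from this guide or from the module; it serves both the 802.1p-versus-DSCP explanation in "Changing the Protocol that Prioritizes Traffic" and the default mapping in Table 4-9. It parses a constructed Ethernet frame (optionally 802.1Q-tagged) carrying IPv4, extracts the 802.1p priority from the VLAN tag's PCP bits or the DSCP from the IPv4 TOS byte, and selects the WMM access category the way a WLAN set to each protocol would. The frames, MAC addresses and IP addresses are made up for the example.

```python
"""WMM access-category selection from 802.1p or DSCP marks, added example.

Not the module's code. Frames built by build_frame() exist only for this
example; the mark-to-AC mapping is the guide's default Table 4-9.
"""
import struct

BACKGROUND, BEST_EFFORT, VIDEO, VOICE = "Background", "Best Effort", "Video", "Voice"
ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800

# Default 802.1p-to-AC mapping from Table 4-9 (eight priority values).
DOT1P_TO_AC = {0: BEST_EFFORT, 1: BACKGROUND, 2: BACKGROUND, 3: BEST_EFFORT,
               4: VIDEO, 5: VIDEO, 6: VOICE, 7: VOICE}


def dscp_to_ac(dscp):
    """Default DSCP-to-AC mapping from Table 4-9 (64 code points)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp <= 7 or 24 <= dscp <= 31:
        return BEST_EFFORT
    if dscp <= 23:
        return BACKGROUND
    return VIDEO if dscp <= 47 else VOICE


def parse_marks(frame):
    """Return {"pcp": 802.1p priority or None, "dscp": DSCP or None}.

    The 802.1p value exists only inside an 802.1Q tag (top three bits of the
    TCI), so an untagged frame carries no Layer 2 mark. The DSCP is the top
    six bits of the IPv4 TOS byte; the low two bits are ECN, not priority.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    pcp, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, offset = tci >> 13, 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20 and frame[offset] >> 4 == 4:
        dscp = frame[offset + 1] >> 2
    return {"pcp": pcp, "dscp": dscp}


def select_ac(frame, protocol="802.1p"):
    """Queue a frame the way a WLAN set to the given protocol would; traffic
    with no usable mark (no VLAN tag, or no IPv4 header) falls into Best Effort."""
    marks = parse_marks(frame)
    if protocol == "802.1p":
        return BEST_EFFORT if marks["pcp"] is None else DOT1P_TO_AC[marks["pcp"]]
    if protocol == "dscp":
        return BEST_EFFORT if marks["dscp"] is None else dscp_to_ac(marks["dscp"])
    raise ValueError("protocol must be '802.1p' or 'dscp'")


def build_frame(pcp, dscp, vlan_id=10):
    """Constructed test frame: Ethernet II (+ 802.1Q tag when pcp is not None)
    with a minimal 20-byte IPv4/UDP header carrying the given DSCP. Addresses are dummies."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if pcp is not None:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, (pcp << 13) | vlan_id, ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ipv4


if __name__ == "__main__":
    for pcp, dscp, label in ((6, 46, "VoIP phone: PCP 6, DSCP 46 (EF)"),
                             (None, 48, "untagged, DSCP 48 (CS6)"),
                             (1, 0, "PCP 1, DSCP 0")):
        f = build_frame(pcp, dscp)
        print(f"{label:34s} 802.1p->{select_ac(f, '802.1p'):12s} dscp->{select_ac(f, 'dscp')}")
```

Two effects worth checking before you pick a protocol: an untagged frame has no 802.1p value at all, so a WLAN set to 802.1p queues it as Best Effort no matter what its DSCP says, and under the default DSCP table the usual voice mark, EF (DSCP 46), lands in Video rather than Voice because only 48 to 63 map to Voice. If your phones mark EF, remap 46 to Voice in the DSCP to Access Category section.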
Figure 4-64. Setting a WLAN's AC

2. Choose the name of an AC from the Access Category drop-down menu in the Advanced section.

Enabling Prioritization of Voice Traffic

Voice prioritization improves the QoS for traffic destined to VoWLAN devices. The Wireless Edge Services zl Module configures RPs to monitor all packets from stations in a WLAN; if the IP type in a packet's header indicates that it is a voice packet, the module marks all traffic destined to the packet's source as high-priority voice packets. Because the classification is driven by what the station itself sends, any station can promote its own return traffic to the voice queue simply by emitting voice-typed packets; enable this only on WLANs where that is acceptable.

Figure 4-65. Setting the Multicast Address

3. Under Advanced, in the MCast Addr 1 field, enter the address for voice traffic.
4. If you want, enter a second address in the MCast Addr 2 field.
5. Click the OK button.
5 Web Authentication for Mobile Users

Contents
Overview . . . . . 5-2
The Web-Auth Process . . . . . 5-3
Authentication Through a RADIUS Server . . . . . 5-5
Web Pages for the Login Process . . . . . 5-6
Allow List . . . . .
Web Authentication for Mobile Users

Overview

With the ProCurve Wireless Edge Services zl Module, you can require mobile users to authenticate by entering their login credentials on a Web page. Like other authentication methods, Web authentication (Web-Auth) is verified through a Remote Authentication Dial-In User Service (RADIUS) server. You can use Web-Auth to provide limited network services for mobile users who visit your company's office.

The Web-Auth Process

To provide limited network access to mobile users through Web-Auth, you set up a Dynamic Host Configuration Protocol (DHCP) server and instruct the users to configure their stations to receive a dynamic IP address from this server. (This DHCP server can be an external server or the Wireless Edge Services zl Module's internal server.
After a station successfully receives an IP address and associates with the WLAN, the station enters the Web-Auth state. (See Figure 5-2.) In this state, the station can access only the network devices that you have added to the Web-Auth Allow list. This list includes the IP address of any device that you want unauthenticated users to be able to access.

Figure 5-2. The Web-Auth Process

Authentication Through a RADIUS Server

To allow mobile users to access the Internet and selected services on your company's network, you configure Web-Auth as the authentication method for a WLAN and define a RADIUS server that verifies each user's login credentials. You can specify both a primary RADIUS server and a secondary RADIUS server for high availability.

Web Pages for the Login Process

To enable authentication through the Web, the Wireless Edge Services zl Module provides three default Web pages that guide users through the login process:
■ Login page—When users associate with a WLAN that is configured for Web-Auth and try to access a valid Web site, their Web browser is redirected to the login page, and they are prompted to enter a username and password. (See Figure 5-3.)

Figure 5-3.

Figure 5-4. Default Welcome Page

■ Failed page—If users do not enter a valid username and password on the login page, the failed page is displayed. This page includes a link back to the Login screen. (See Figure 5-5.)

Figure 5-5. Default Failed Page

You can use the default Web pages as they are, or you can modify them for your environment. You can change the text that displays and add your organization's logo.
Table 5-1 shows the location of these pages in the Wireless Edge Services zl Module's file system. When you enable Web-Auth and choose to use these pages, the OS copies them to a directory for that WLAN. For example, if you use Web-Auth on WLAN 1, the login page is saved as flash:/hotspot/wlan1/login.html. In Table 5-1, X indicates the WLAN's index number.

Table 5-1.

The Wireless Edge Services zl Module automatically permits certain station traffic, even when the destination is not on the Allow list:
■ DHCP requests—The station must receive an IP address before it can access the Web login page and authenticate.
■ Domain Name System (DNS) requests—The station must be able to resolve a name to a valid IP address before the Wireless Edge Services zl Module can redirect its browser to the login page.
Because DNS is open before authentication, an unauthenticated station can tunnel data through DNS queries to a resolver it controls. If that matters in your environment, hand out (via DHCP) a resolver you control, restrict which resolvers the pre-authentication VLAN can reach, and watch for unusual DNS volume from that VLAN.

Configuring Web-Auth

Note: The Wireless Edge Services zl Module automatically allows unauthenticated stations access to the module's IP address on the static VLAN for the Web-Auth WLAN. (Such access is necessary for the stations to complete Web-Auth.) Even though management access to the module is protected by a password, unauthenticated guests should not be able to reach the management interface at all. Make sure to assign the Web-Auth WLAN to a VLAN other than the module's management VLAN, so that the address guests can reach is a dedicated Web-Auth address rather than the management address.
Configuring Basic Options and Accessing the Web-Auth Screen

To configure a WLAN to use Web-Auth, complete these steps:
1. Select Network Setup > WLAN Setup > Configuration. Figure 5-6.
2. Select the WLAN that you want to use Web-Auth, and then click the Edit button. The Edit screen is displayed. Figure 5-7. WLAN Edit Screen
3. Under Configuration, enter an SSID for this WLAN in the SSID field.
4. In the Description field, you can enter information that will help you identify this WLAN. This field is optional.
5. By default, the Wireless Edge Services zl Module places all wireless traffic in VLAN 1.
Note: For more information about configuring SSIDs, VLANs, and advanced configuration options, such as interstation blocking and voice prioritization, see Chapter 4: “Wireless Local Area Networks (WLANs).”
6. Under Authentication, select Web-Auth.
7. Click the Radius Config button at the bottom of the screen. The Radius Configuration screen is displayed. Figure 5-8.
8. In the fields in the Server area, define the primary RADIUS server under the Primary heading.
a. In the RADIUS Server Address field, enter the IP address of the RADIUS server that authenticates users. Enter 127.0.0.1 if you are using the Wireless Edge Services zl Module’s internal RADIUS server.
b. In the RADIUS Port field, leave the port number at the default value (1812) unless your RADIUS server uses a different port.
c.
Figure 5-9. Configuring the Login Page
15. Select the location for the Web-Auth Web pages from the drop-down menu at the top of the screen. You can select one of three options for these Web pages:
• Internal—three default pages stored on the Wireless Edge Services zl Module
• External—three pages stored on an external Web server
• Advanced—pages that you have loaded onto the Wireless Edge Services zl Module’s flash memory
16.

Configuring Internal Web-Auth Pages

At its factory default settings, the Wireless Edge Services zl Module includes three pages for Web-Auth. See “Web Pages for the Login Process” on page 5-6 for descriptions and illustrations of these default pages. You can customize the text and add your company’s logo to the default pages. Follow these steps:
Note
1. Complete the steps described in “Configuring Web-Auth” on page 5-10.
2.
Figure 5-10. Displaying a Small Logo on the Web-Auth Login Page (callouts: header text, descriptive text, the small logo displayed beneath the Log in button, footer text)
e. In the Main Logo URL field, enter the name of a logo file to include a logo at the top of the login page. (See Figure 5-11.) You must copy this logo to the flash on the Wireless Edge Services zl Module.
Figure 5-11. Displaying the Main Logo on the Web-Auth Login Page (callouts: the main logo at the top of the page, header text, descriptive text, footer text)
4. Configure the welcome page, which mobile users see if they enter a valid username and password and the RADIUS server authenticates them.
a. Click the Welcome tab. (See Figure 5-12.
Figure 5-12. Configuring the Welcome Page
Note
b. In the Title Text field, accept the default text shown on the screen, or enter the text that you want to use.
c. In the Header Text field, accept the default text shown on the screen, or enter the text that you want users to see when they log in. (See Figure 5-13.) If you customize the Header Text, Footer Text, or Descriptive Text fields, you can enter a maximum of 1,024 characters.
d.
e. In the Small Logo URL field, enter the name of a logo file to include a small logo on the welcome page. (See Figure 5-13.) You must copy this logo to the flash on the Wireless Edge Services zl Module. (For instructions on how to copy the logo file to flash, see “Copying Logo Files to the Module’s Flash” on page 5-33.
Figure 5-14. Displaying the Main Logo on the Web-Auth Welcome Page (callouts: the main logo at the top of the page, header text, descriptive text, Disconnect link, duration of the connection)
5. Configure the failed page, which mobile users see if they enter an invalid username and password.
a. Click the Failed tab. (See Figure 5-15.
Figure 5-15. Configuring the Failed Page
Note
b. In the Title Text field, accept the default text shown on the screen, or change the text as needed.
c. In the Header Text field, accept the default text shown on the screen, or enter the text that you want users to see if they fail to log in. (See Figure 5-16.) If you customize the Header Text, Footer Text, or Descriptive Text fields, you can enter a maximum of 1,024 characters.
d.
e. In the Small Logo URL field, enter the name of a logo file to include a small logo on the failed page. (See Figure 5-16.) You must copy this logo to the module’s flash. (For instructions on how to copy the logo file to flash, see “Copying Logo Files to the Module’s Flash” on page 5-33.)
Figure 5-16. (callouts: header text, descriptive text, link to the login page, the small logo displayed above the footer, footer text)
Figure 5-17. Displaying the Main Logo on the Web-Auth Failed Page (callouts: the main logo at the top of the page, header text, descriptive text, link to the login page, footer text)
6. Configure the Allow list as described in “Configuring the Allow List” on page 5-28.

Configuring Web-Auth to an External Web Server

The Wireless Edge Services zl Module can implement Web-Auth using pages stored on an external Web server.
Figure 5-18. Specifying the URL for Web-Auth Pages That Are Stored on an External Web Server
4.
5. Under External Web Pages, specify the correct URL for each page.
a. In the Login Page URL field, specify the URL of the login page, which users see when they try to access a Web site. For example, you might enter a URL such as http://192.168.1.1/login.html or http://www.yourcompany.com/login.html. Because stations are redirected to this URL before they have authenticated, the external Web server’s IP address must also be on the WLAN’s Allow list (see “Configuring the Allow List” on page 5-28); otherwise the station cannot reach the login page.
b.

Loading Custom Pages onto the Wireless Edge Services zl Module’s Internal Server (Advanced)

As discussed earlier, the Wireless Edge Services zl Module can act as the Web server for Web-Auth. As an alternative to using the module’s default (pre-configured) Web-Auth pages, you can load your own pages onto the module. This advanced option gives you greater freedom in designing your Web pages than simply customizing the text on the default pages.
Figure 5-19. Configuring Advanced Web-Auth
5. In the File field, enter the name of the directory that contains the custom Web pages.
6. Select the type of server that stores the directory (FTP or TFTP) from the Using drop-down menu.
7. Enter the server’s IP address and port in the IP Address and Port fields. The default port for FTP is 21, and the default port for TFTP is 69.
8.
9. In the Path field, specify the name of the server directory in which the file that you are loading is stored. If the file is stored in the server’s base directory, leave the field empty. For some FTP servers, you might need to enter /. To specify a directory within the base directory, include a leading slash, for example /MyDirectory.
10. Click the Install button. The file immediately copies to the module’s flash.
11.
Figure 5-20. Configuring the Allow List
2. You should be on the Web-Auth screen for the WLAN. In the Allow List section on the right side of the screen, add up to 10 IP addresses.
a. If you have specified External for the Web-Auth page type, enter the IP address of the external Web server:
i. Under the Allow List heading, select one of the 0.0.0.0 addresses.
ii. In the Change field, enter the address for the Web server.
iii. Click the Change button.
Note: When you add a device’s IP address to the Allow list, that device is publicly available to every station that associates to the WLAN; no network authentication is required to reach it. Any user can access the device, unless the device (like the Wireless Edge Services zl Module) enforces its own authentication. Add only the hosts that the login process genuinely needs (typically the external Web server) and treat each entry as exposing that host to unauthenticated wireless users.
3. Verify that you have configured the Web pages as described in earlier sections of this chapter.
4.
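The pre-login traffic policy described in the Overview (DHCP and DNS are always permitted) and in the Allow list note above can be checked with a small model. The code below is an added example written for this page, not part of the guide or of the module’s firmware: it reproduces the rules the text states (DHCP on UDP 67/68, DNS on port 53, the module’s address on the WLAN’s VLAN, up to 10 Allow list entries) and makes two assumptions that the guide does not spell out, namely that only HTTP on TCP port 80 is redirected to the login page and that all other pre-login traffic is dropped. The `management_vlan_exposed` check encodes the earlier note about keeping the Web-Auth WLAN off the management VLAN. Addresses are constructed sample values.

```python
"""Model of which traffic a station on a Web-Auth WLAN can send before it logs in."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Set

MAX_ALLOW_LIST = 10   # the Web-Auth screen accepts up to 10 Allow list addresses


@dataclass
class Packet:
    src: str      # station address
    dst: str      # destination address
    proto: str    # "udp" or "tcp"
    dport: int    # destination port


@dataclass
class WebAuthWlan:
    vlan_ip: str                                   # module's IP on the WLAN's static VLAN
    allow_list: Set[str] = field(default_factory=set)
    authenticated: Set[str] = field(default_factory=set)

    def add_to_allow_list(self, ip: str) -> None:
        """Allow list rules: valid IPv4, 0.0.0.0 is an unused slot, at most 10 entries."""
        IPv4Address(ip)                            # raises ValueError on a malformed entry
        if ip == "0.0.0.0":
            return
        if len(self.allow_list) >= MAX_ALLOW_LIST:
            raise ValueError("Allow list holds at most %d addresses" % MAX_ALLOW_LIST)
        self.allow_list.add(ip)

    def decide(self, pkt: Packet) -> str:
        """Return 'permit', 'redirect' (browser sent to the login page) or 'drop'."""
        if pkt.src in self.authenticated:
            return "permit"
        # Permitted for every station, even when the destination is not on the Allow list:
        if pkt.proto == "udp" and pkt.dport in (67, 68):
            return "permit"                        # DHCP: a station needs an address first
        if pkt.dport == 53:
            return "permit"                        # DNS: the lookup is what triggers the redirect
        if pkt.dst == self.vlan_ip:
            return "permit"                        # module's own address on the WLAN's VLAN
        if pkt.dst in self.allow_list:
            return "permit"                        # Allow list: reachable with no authentication
        if pkt.proto == "tcp" and pkt.dport == 80:
            return "redirect"                      # ASSUMPTION: HTTP is redirected to the login page
        return "drop"                              # ASSUMPTION: anything else is blocked pre-login

    def unauthenticated_exposure(self) -> List[str]:
        """Hosts an associated but unauthenticated station can reach: the module plus the Allow list."""
        return sorted(self.allow_list | {self.vlan_ip})


def management_vlan_exposed(wlan: WebAuthWlan, management_ip: str) -> bool:
    """True when the Web-Auth WLAN sits on the management VLAN, so the login-page
    exception also exposes the module's management address to unauthenticated stations."""
    return wlan.vlan_ip == management_ip
```

Run `unauthenticated_exposure()` after filling in the Allow list: every address it returns is reachable from a station that has only associated to the SSID, so each one should be a host you would be comfortable exposing to an unauthenticated wireless client.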
Figure 5-21. Configuring Encryption for a WLAN that Enforces Web-Auth
2. In the Encryption section, check the box for your selection.
3. If you have selected a WEP encryption type, click its Config button and specify the WEP keys. You can enter up to four keys. The currently selected key acts as the password. Keep in mind that WEP is cryptographically broken; use it only for legacy stations that support nothing stronger, and prefer WPA2 wherever the stations allow it.
4. If you have selected a WPA encryption type, click its Config button and specify the preshared key. See “Configuring WPA/WPA2-PSK” on page 4-57 of Chapter 4: “Wireless Local Area Networks (WLANs)” for more information on configuring the preshared key.
5. Click the OK button to close the WLAN Edit screen and save your configuration changes to the running-config. You are returned to the Network Setup > WLAN Setup > Configuration screen.
Copying Logo Files to the Module’s Flash

If you want to display your company’s logo on the Web-Auth login, welcome, or failed page, you must copy the logo file to the appropriate directory on the Wireless Edge Services zl Module’s flash. The module’s flash contains a hotspot directory that, in turn, contains a subdirectory for each WLAN on the module.
3.
4. Specify the source for the file transfer:
a. In the From field under Source, use the drop-down menu to select Server.
b. In the File field, enter the name of the logo file.
c. In the Using field, use the drop-down menu to select either FTP or TFTP.
d. In the IP Address field, enter the IP address of the FTP or TFTP server.
e. If you are using an FTP server, enter the login credentials.
i.
Figure 5-24. Management > System Maint.—Config Files > Transfer Screen
5. Click the Transfer button. In the Status area at the bottom of the screen, a message is displayed, reporting whether the transfer was successful.

Configuring Custom Web-Auth Pages

You can design your own Web-Auth pages and either store them on an external server or upload them to the Wireless Edge Services zl Module’s flash memory (advanced configuration).
Configuring the CGI Commands for the Login Page

When you create the login page, you can include any text and graphical elements that you want as long as you include the CGI code shown in Figure 5-25 (for an external page) or Figure 5-26 (for a custom page stored on the module). The required code includes the commands that submit the user’s login credentials to the Wireless Edge Services zl Module.
Figure 5-26. CGI Code Required for the Login Page Stored on the Module
The CGI code in Figure 5-25 and Figure 5-26 creates the Username field, the Password field, and the Log In button shown in Figure 5-27.
Figure 5-27.
6 IP Services—IP Settings, DHCP, and DNS

Contents
IP Settings . . . 6-3
  Viewing VLAN Interfaces and Enabling Secure Management . . . 6-3
  Assigning an IP Address to a VLAN . . . 6-5
  Deleting the IP Address Assigned to a VLAN . . . 6-6
  Editing the IP Address Assigned to a VLAN . . .
  Configuring Extended DHCP Options . . . 6-37
    Setting Up Global Options . . . 6-37
    Specifying the Value for an Extended Option in a DHCP Pool . . . 6-39
  Configuring Dynamic DNS (DDNS) . . . 6-41
  Viewing DHCP Bindings . . .
IP Settings

To function as a Layer 3 device, the Wireless Edge Services zl Module requires only one IP address, usually assigned to the default management interface. (The default management interface is virtual LAN [VLAN] 1.) For some network environments, however, you may want to assign IP addresses to other VLANs. To do so, you must create VLAN interfaces.
Viewing VLAN Interfaces and Enabling Secure Management

To view the VLANs that have been assigned IP addresses, select Network Setup > Ethernet > Configuration.
Figure 6-1. Network Setup > Ethernet > Configuration Screen
The following information is listed for each VLAN:
■ Name
■ VLAN ID
■ DHCP Enabled This column has a green check mark if the DHCP client is enabled on this VLAN (so that the VLAN receives a dynamic address).
■ Status This column reports whether or not the VLAN was created successfully.
■ Management Interface Only one VLAN can be selected as the management interface, and that VLAN is identified with a green check mark. All other VLANs show a red x in the Management Interface field. When secure management is enabled, you can access the Wireless Edge Services zl Module’s Web browser interface only through the IP address assigned to this VLAN. Enabling it keeps the management interface unreachable through VLANs that carry station traffic, such as the VLAN of a Web-Auth WLAN.
4. Configure the IP address:
a. Check the Use DHCP to obtain IP Address automatically box if you want the VLAN to receive an IP address through a DHCP server. Do not check this box if you want the Wireless Edge Services zl Module to act as the DHCP server when stations successfully associate to this VLAN. As a DHCP server, the module would, of course, require a static address on the VLAN.
b.

Editing the IP Address Assigned to a VLAN

If you need to change the IP address that is assigned to a VLAN, complete these steps:
1. Select Network Setup > Ethernet > Configuration.
2. Select the VLAN and click the Edit button. The Configuration screen for the VLAN interface is displayed. Figure 6-3. Configuration Screen for the vlan1 Interface
3. Change the settings as needed and then click the OK button.
4.
Figure 6-4. Network Setup > Ethernet > Statistics Screen
You can view the following information:
■ Name—VLAN ID (also referred to as the interface).
■ Bytes In—total number of bytes received on the interface.
■ Packets In—total number of packets received on the interface, including packets dropped and error packets.
■ Packets In Dropped—number of incoming packets that are dropped.
■ Packets Out Dropped—number of outgoing packets dropped. Conditions that result in dropped packets include:
• The output queue assigned to the interface is saturated.
• Collisions have occurred.
■ Packets Out Error—number of outgoing packets with errors such as malformed packets.
To view more detailed information about a VLAN, select that VLAN and click the Details button at the bottom of the screen. The Interface Statistics screen is displayed.

Viewing a Graph for VLANs That Are Assigned IP Addresses

The Wireless Edge Services zl Module can create graphs of statistics for VLANs that have been assigned an IP address. Such graphs display how the statistics change over time. To view a graph, follow these steps:
1. Select Network Setup > Ethernet > Statistics. Figure 6-6. Network Setup > Ethernet > Statistics
2. Select a VLAN from the list.
3. Click the Graph button.
Figure 6-7. Interface Statistics Graph
To generate a graph, you must select the statistic that you want to track. Initially, the graph shows input bytes. You can choose any of the statistics displayed in the Details screen (refer to “Viewing Statistics for VLANs That Are Assigned IP Addresses” on page 6-7 for more information about a statistic). Select the appropriate box for the statistic you want to view.
IP Routing

As discussed in Chapter 1: “Introduction,” the Wireless Edge Services zl Module and its internal uplink port operate at Layer 3 of the Open Systems Interconnection (OSI) model. As part of this Layer 3 functionality, the Wireless Edge Services zl Module maintains a route table. You can view the route table, which automatically lists directly connected interfaces, and you can add static routes to the route table.
Figure 6-8. Network Setup > Internet Protocol > IP Forwarding Screen
If you assign an IP address to any other VLAN (as described in “IP Settings” on page 6-3), the Wireless Edge Services zl Module recognizes the subnetwork attached to that VLAN and lists it as a directly connected route. To view the module’s route table, select Network Setup > Internet Protocol and click the IP Forwarding tab. (See Figure 6-8.
■ Protocol—lists the name of the protocol through which the route was obtained. Routes can be obtained in the following ways:
• DHCP—Routes can be included with the IP address that the module receives from a DHCP server.
• Static—Routes can be entered manually.
• Connected—Routes can be directly connected to an interface.
6. Click the OK button to apply the change to the running-config.
7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
To delete a route, select the route from the list in the Network Setup > Internet Protocol > IP Forwarding screen. Then click the Delete button.
Although you can add another default route manually (or, from the CLI, specify another default gateway), only one default route is active: the first route configured. To avoid confusion, ProCurve Networking recommends that you delete all but one default route.
Figure 6-11. (callouts: two default routes; the second route has no effect unless you delete the first)
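The route table behaviour described in this section (connected routes appearing as VLAN interfaces get addresses, static routes added by hand, and only the first configured default route being active) can be checked with the model below. This is an added example written for this page, not the module’s own implementation: the guide does not document the module’s lookup algorithm, so the longest-prefix-match with first-configured-wins tie-break, and the requirement that a static route’s next hop lie on a connected subnet, are assumptions that match ordinary router behaviour. All addresses and VLAN names are constructed sample values; `inactive_default_routes()` is a hypothetical helper that lists the duplicates the guide recommends deleting.

```python
"""Model of the module's route table: connected, static and default routes."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    network: IPv4Network
    next_hop: Optional[str]    # None for a directly connected route
    interface: str
    protocol: str              # "Connected", "Static" or "DHCP"


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []     # kept in configuration order

    def add_connected(self, vlan: str, address_with_prefix: str) -> Route:
        """Assigning an IP address to a VLAN interface adds its subnet as a connected route."""
        r = Route(ip_network(address_with_prefix, strict=False), None, vlan, "Connected")
        self.routes.append(r)
        return r

    def add_static(self, destination: str, next_hop: str, protocol: str = "Static") -> Route:
        """ASSUMPTION: the next hop must be reachable through a connected route."""
        via = self._connected_for(next_hop)
        if via is None:
            raise ValueError("next hop %s is not on a directly connected subnet" % next_hop)
        r = Route(ip_network(destination, strict=False), next_hop, via.interface, protocol)
        self.routes.append(r)
        return r

    def _connected_for(self, ip: str) -> Optional[Route]:
        for r in self.routes:
            if r.protocol == "Connected" and ip_address(ip) in r.network:
                return r
        return None

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest prefix wins; among equal prefixes the first configured route wins,
        which is why only the first default route (0.0.0.0/0) ever carries traffic."""
        dst = ip_address(destination)
        best: Optional[Route] = None
        for r in self.routes:
            if dst in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
                best = r
        return best

    def inactive_default_routes(self) -> List[Route]:
        """The duplicates the guide recommends deleting: every default route but the first."""
        defaults = [r for r in self.routes if r.network.prefixlen == 0]
        return defaults[1:]
```

With two default routes configured, `lookup()` for any address outside the connected subnets always returns the first one, and `inactive_default_routes()` reports the second as dead configuration that only invites confusion during troubleshooting.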
Figure 6-12. Add Static Route Screen
7. Click the OK button to apply the change to the running-config.
8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.

Address Resolution Table

The Wireless Edge Services zl Module maintains an address resolution table, which displays the media access control (MAC) addresses associated with particular IP addresses.
Figure 6-13. Network Setup > Internet Protocol > Address Resolution Screen
The Interface column lists the VLAN on which the IP address can be reached, and the Type column indicates how the module learned to map that IP address to that MAC address. For example, in Figure 6-13, Dynamic indicates that the module learned the mapping by listening to frames received from the device at 10.4.1.100.
DNS Client

DNS is the Internet protocol for translating domain names or hostnames into IP addresses. The hostname is the familiar, alphanumeric name for a host on the Internet (for example, www.hp.com), and the IP address is the 32-bit address that devices on a TCP/IP network use to reach each other. DNS allows users to enter more readily memorable and intuitive hostnames rather than IP addresses.
Figure 6-14. Network Setup > Internet Protocol > Domain Name System Screen
2. Click the Add button at the bottom of the screen. The Add DNS Server screen is displayed. Figure 6-15. Add DNS Server Screen
3. In the Server IP Address field, enter the IP address of the DNS server.
4. Click the OK button. The DNS server is now listed on the Network Setup > Internet Protocol > Domain Name System screen.
5.

Deleting a DNS Server

If you want to remove a DNS server that is listed on the Network Setup > Internet Protocol > Domain Name System screen, complete these steps:
1. Select Network Setup > Internet Protocol and click the Domain Name System tab.
2. Select the DNS server that you want to delete and click the Delete button at the bottom of the screen. A prompt is displayed, asking if you want to delete the item.
3.
DHCP Server

The Wireless Edge Services zl Module can function as a DHCP server. Although the module can provide DHCP services for your entire network, it is more appropriately used as the DHCP server for your wireless network.

Overview

A DHCP server issues dynamic configurations to stations. The DHCP server on the Wireless Edge Services zl Module can assign stations a variety of settings, or options, in the configuration.
As a DHCP server, the Wireless Edge Services zl Module can also implement dynamic DNS (DDNS), which updates a DNS server whenever a host’s IP address changes. Finally, the Wireless Edge Services zl Module supports DHCP relay.

Configuring the DHCP Server

If you want the Wireless Edge Services zl Module to assign IP addresses to devices on your network, you must configure it as a DHCP server by following the steps outlined in the following sections.
A host pool contains a single fixed IP address and is designated to a specific device. When that device sends a DHCP request, the Wireless Edge Services zl Module recognizes its MAC address (or client identifier) and assigns the device the fixed IP address. Use host pools for devices that obtain their configuration through DHCP but must always receive the same, never-changing address.
Figure 6-17. Network Setup > DHCP Server > Configuration Screen
2. Click the Add button. The Add Pool screen is displayed.
Figure 6-18. Add Pool Screen for Network Pools
3. In the Pool Name field, enter a name for the pool. You can enter up to 255 alphanumeric characters (no special characters). The name is typically a descriptive text string that helps identify the purpose of the pool or the set of clients that it is intended to serve.
4. In the Domain field, enter the domain name for the network on which the Wireless Edge Services zl Module is running.
5. In the Associated Interface field, use the drop-down menu to select the VLAN interface that you want to associate with this network pool. This drop-down menu includes all of the Wireless Module’s configured interfaces (such as VLAN 1). The IP address and subnet mask assigned to the associated interface are automatically inserted into the appropriate fields.
6.
9. If necessary, set options for a network that uses NetBIOS:
a. In the NetBios Node field, use the drop-down menu to select the NetBIOS node type. The NetBIOS node type determines how stations resolve NetBIOS names to IP addresses, whether by broadcasting messages, by using a WINS server (peer-to-peer), or by a combination of the two. You can select one of four options:
– b (Broadcast)
– h (Hybrid)
– m (Mixed)
– p (Peer-to-Peer)
b.
Figure 6-19. Network Setup > DHCP Server > Host Pool Screen
2. Click the Add button. The Add Pool screen is displayed.
Figure 6-20. Add Pool Screen for Host Pools
3. In the Pool Name field, enter the name of the pool to which this IP address will belong. For example, you might enter the name of the device. The name can include up to 255 alphanumeric characters.
4. In the IP Address field, enter the fixed address for this device.
6. Enter either a hexadecimal client identifier (ID) in the Client ID field or a MAC address in the Hardware Address field, but not both. When a device sends a DHCP request, the request includes a client ID, either a customized ID or the device’s MAC address. The Wireless Edge Services zl Module uses this value to match the device to the correct host pool and fixed IP address.

Excluding Addresses from a Network Pool

You may sometimes want to prevent the DHCP server from assigning specific IP addresses within the network pool or pools that you have configured. For example, you would not want the DHCP server to assign an IP address that is already configured statically on another network device. In such cases, simply add exclusions to the DHCP server configuration.
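The pool selection described in the host pool steps above (match on client ID or hardware address, never both) and in this exclusions section can be exercised with the following model. It is an added example for this page and not the module’s DHCP server code: the guide does not say how the module orders its checks, so the order used here (host pool first, then an existing lease, then the first free address of a network pool) and the decisions to hold back the interface’s own address and every host pool address from dynamic allocation are assumptions. The lease type label `"Manual"` for host pool leases is likewise assumed; only `"Automatic"` is named by the guide. All pool values and MAC addresses are constructed.

```python
"""Model of the module's DHCP pool selection: host pools, network pools and exclusions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class HostPool:
    name: str
    ip: str                                   # the fixed address for this device
    client_id: Optional[str] = None           # hexadecimal client identifier ...
    hardware_address: Optional[str] = None    # ... or MAC address, but not both

    def __post_init__(self) -> None:
        if bool(self.client_id) == bool(self.hardware_address):
            raise ValueError("enter either a client ID or a hardware address, not both")


@dataclass
class NetworkPool:
    name: str
    network: str                              # subnet of the associated VLAN interface
    interface_ip: str                         # module's own address on that interface
    excluded: List[Tuple[str, str]] = field(default_factory=list)   # inclusive ranges


class DhcpServer:
    def __init__(self) -> None:
        self.network_pools: List[NetworkPool] = []
        self.host_pools: List[HostPool] = []
        self.bindings: Dict[str, Tuple[str, str]] = {}   # ip -> (identifier, lease type)

    def _reserved(self, pool: NetworkPool, ip: IPv4Address) -> bool:
        """Addresses the dynamic allocator must never hand out."""
        if str(ip) == pool.interface_ip:          # ASSUMPTION: the module keeps its own address
            return True
        if any(hp.ip == str(ip) for hp in self.host_pools):
            return True                           # ASSUMPTION: fixed addresses are held back
        return any(IPv4Address(lo) <= ip <= IPv4Address(hi) for lo, hi in pool.excluded)

    def offer(self, hardware_address: str, client_id: Optional[str] = None) -> Optional[str]:
        """Pick the address for a request carrying this MAC (and optional custom client ID)."""
        ident = client_id or hardware_address
        # 1. A host pool wins: match the customized client ID if one was sent, else the MAC.
        for hp in self.host_pools:
            if (client_id and hp.client_id == client_id) or hp.hardware_address == hardware_address:
                self.bindings[hp.ip] = (ident, "Manual")   # "Manual" is an assumed label
                return hp.ip
        # 2. A station that already holds a lease keeps it.
        for ip, (bound_ident, _) in self.bindings.items():
            if bound_ident == ident:
                return ip
        # 3. Otherwise the first free, non-excluded address of a network pool.
        for pool in self.network_pools:
            for ip in IPv4Network(pool.network).hosts():
                if self._reserved(pool, ip) or str(ip) in self.bindings:
                    continue
                self.bindings[str(ip)] = (ident, "Automatic")
                return str(ip)
        return None                               # every pool is exhausted
```

The exclusion ranges are what keep the allocator away from addresses that are configured statically elsewhere; without them the third dynamic client in the test below would have been handed an address that another device already owns.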
Figure 6-22. Network Setup > DHCP Server > Excluded Screen
5. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. You can specify multiple ranges.

Enabling the DHCP Server

To enable the DHCP server, complete these steps:
1. Select Network Setup > DHCP Server > Configuration.
2. Check the Enable DHCP Server box.
Figure 6-23. Enabling the DHCP Server
3. Click the Apply button.
4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
To disable the DHCP server, uncheck the Enable DHCP Server box and click the Apply button.

Configuring Global DHCP Settings: Ignoring BOOTP and Setting the Ping Interval

Two global settings apply to the Wireless Edge Services zl Module’s internal DHCP server:
■ Ignoring BOOTP requests—BOOTP is an earlier protocol that uses the same UDP ports as DHCP (67 and 68). Like DHCP, BOOTP enables stations to receive dynamic configurations, typically including the name and location of a boot file.
Figure 6-24. Configuring Global DHCP Settings
2. Check the Ignore Bootp box to configure the module to ignore BOOTP requests. Checking the box allows the BOOTP requests to continue on to a BOOTP server.
3. Enter a value from 1 through 10 seconds in the Ping time interval field. The default setting is 1 second.
4. Click the Apply button.
Setting Up Global Options

To define the extended options to be used by your DHCP server, complete these steps:
1. Select Network Setup > DHCP Server > Configuration.
2. Click the Options Setup button. The Global Options screen is displayed. Figure 6-25. Global Options Screen
3. Click the Insert button.
4. Enter an alphanumeric string in the Name field to identify the option. The string cannot include special characters or spaces.
Reserved Names (not available for a global option): user-class, next-server, dynamic-bootp
5. In the Code field, enter a value between 0 and 254. You should enter the standard code for the option that you are defining. Again, some DHCP codes are reserved for the DHCP options configured when you set up the pool. You cannot alter the codes listed in Table 6-2.
Table 6-2. Reserved Code
6.
Figure 6-26. Defining a Global Option for DHCP
7. Click the Insert button again if you need to add more options.
8. When you are finished setting up the options, click the OK button.
9. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
Figure 6-27. Specifying the Value for an Extended Option
5. Click the Name field. It turns into a drop-down menu that includes the names of all of the options defined globally. (See “Setting Up Global Options” on page 6-37.)
6. In the Value field, enter either an IP address or an alphanumeric string, depending on whether the type specified for the global option is ip or ascii.
You enable and configure DDNS separately for each DHCP pool, which can be either a network pool or a host pool. Complete these steps:
1. Select Network Setup > DHCP Server > Configuration.
2. To configure DDNS for a network pool, complete these steps and then proceed to step 3:
a. Select one of the pools in the Network Pool section. (See “Creating a Network Pool” on page 6-24 for instructions on creating the pool.)
b. Click the DDNS button.
4. Specify the time-to-live for updates in the TTL field. This setting determines the time in seconds that the Wireless Edge Services zl Module waits for a reply from the DDNS server. The valid range is from 1 through 65,535 seconds.
5.
6.
Figure 6-29. Viewing DHCP Bindings
The screen displays a list of leases, with information in these columns:
■ IP Address—the IP address assigned to the station
■ MAC Address/Client ID—the station’s MAC address or, if it sent a customized ID, its ID
■ Type—the method that the Wireless Edge Services zl Module used to select the IP address. Automatic indicates that the module chose the IP address from a network pool.
Configuring DHCP Relay

Your network might already include a DHCP server. The Wireless Edge Services zl Module can provide DHCP relay services to this server. Because clients locate a DHCP server with broadcasts, which routers do not forward, a DHCP server on its own serves only clients on the same subnetwork or VLAN. DHCP relay passes DHCP requests from clients on one subnetwork to a DHCP server on a different subnetwork, eliminating the need for a DHCP server on each local network segment.
Figure 6-30. Network Setup > DHCP Server > Relay Screen
2. Click the Add button. The Add Relay Information screen is displayed.
Figure 6-31. Add Relay Information Screen
3. In the Interface field, use the drop-down menu to select the VLAN interface that receives the DHCP requests.
4. In the Server fields, enter the IP addresses for up to four DHCP servers. In each applicable Gateway field, use the drop-down menu to specify the corresponding interfaces by which the DHCP servers may be reached.
Figure 6-32. Viewing DHCP Relay Configurations
You can select the DHCP relay configuration for an interface and edit or delete it by clicking the corresponding buttons.
7 Access Control Lists (ACLs)

Contents
Overview . . . 7-2
  Stateful ACLs . . . 7-2
  ACL Types . . . 7-3
    Standard IP ACLs . . . 7-3
    Extended IP ACLs . . .
Overview

You can configure access control lists (ACLs) on the ProCurve Wireless Edge Services zl Module to control traffic to and from wireless stations. An ACL is an ordered list of rules that select packets according to header information and dictate whether the module should permit (forward) or deny (drop) those packets. ACLs allow you to control wireless users’ network rights.

ACL Types

The Wireless Edge Services zl Module supports two basic ACL types:
■ IP ACLs—based on the IP header (Layer 3). IP ACLs control traffic inbound on an interface. They can apply to the Wireless Edge Services zl Module’s virtual LAN (VLAN) interfaces or to its two physical interfaces: the internal uplink and downlink ports. If applied to a VLAN interface, the IP ACLs control routed traffic.
You can apply an extended IP ACL to inbound traffic on either a logical (VLAN) interface or a physical (internal uplink or downlink) interface. Again, an ACL on a logical interface only affects traffic that the Wireless Edge Services zl Module actually routes.

MAC Standard ACLs

MAC standard ACLs permit and deny traffic according to the source MAC address in the frame.
Access Control Lists (ACLs) Overview All ACLs include an implicit “deny any” rule at the end. In other words, if traffic does not match any of the ACL’s rules, the ACL drops the traffic. MAC standard ACLs, which are configured as filters for local MAC authentication, are the exception. They include an implicit “permit any” rule at the end. See “MAC Filters(Local MAC Authentication)” on page 12-75 of Chapter 12: “Wireless Network Management.
Access Control Lists (ACLs) Overview ■ protocol By default, a rule matches all IP packets, but you can limit the rule to a specific protocol including: • ICMP • TCP • UDP ■ for ICMP packets, ICMP type and ICMP code ■ for TCP and UDP packets, source and destination ports In this way, you can control traffic according to the application. For example, configure a rule to select Web traffic by specifying the TCP protocol and destination port 80.
Access Control Lists (ACLs) Overview Remember, the operation only affects traffic that meets all of the criteria of the rule. Also, the operation is explicit. That is, the module performs the operation on selected traffic, but does not perform the opposite action on traffic that is not selected. Instead, the module attempts to match the traffic against the next rule in order of precedence. However, all ACLsinclude an implicit deny any rule at the end,which drops all traffic not selected by other rules.
Access Control Lists (ACLs) Overview ACL Strategies The Wireless Edge Services zl Module’s ACLs can enforce a variety of flexible policies. Within a given rule, or among the rules in a given ACL, you can combine filter criteria—for example, to filter based on a port number and source and destination addresses, or based on an Ethertype and a WLAN index value, and so on.
Access Control Lists (ACLs)
Configuring ACLs
As you configure ACLs, remember that they always have an implicit “deny any” operation at the end; any traffic not specifically permitted by the rules within an ACL will be denied.
Configuring ACLs
To configure an ACL, you must complete these steps:
1. Create the list and select the ACL type.
2. Create a series of ordered permit, deny, or mark rules.
3. Apply the list to an interface.
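The rule-evaluation semantics described above (rules tried in ascending precedence, explicit permit/deny/mark operations that act only on selected traffic, the implicit “deny any” at the end, and the implicit “permit any” exception for MAC standard filters used in local MAC authentication), as an added Python model. It is not code from this guide or from the module; the Rule fields, the packet dictionaries and the sample guest-WLAN ACL are constructed for illustration.

```python
"""Model of ACL rule evaluation on the zl Module (added example, not HP code).

Field names of Rule and of the packet dicts, and the sample ACLs in
build_sample_acl(), are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    precedence: int                 # 1 through 5,000; lower values run first
    operation: str                  # "permit", "deny" or "mark"
    protocol: str = "any"           # "any", "icmp", "tcp" or "udp"
    source: str = "any"             # CIDR network or "any"
    destination: str = "any"        # extended IP ACLs only
    dst_port: Optional[int] = None  # TCP/UDP destination port
    mark: Optional[tuple] = None    # ("802.1p", 0-7) or ("tos", 0-255)
    logging: bool = False           # the Logging box: count matched packets
    hits: int = 0


def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def matches(rule: Rule, pkt: dict) -> bool:
    """A rule selects a packet only if every criterion it sets is met."""
    if rule.protocol != "any" and rule.protocol != pkt.get("protocol"):
        return False
    if not _in(rule.source, pkt["src"]):
        return False
    if not _in(rule.destination, pkt.get("dst", "0.0.0.0")):
        return False
    return rule.dst_port is None or pkt.get("dst_port") == rule.dst_port


@dataclass
class Acl:
    acl_id: str
    acl_type: str                   # "ip-standard", "ip-extended" or "mac-standard"
    rules: list = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        if not 1 <= rule.precedence <= 5000:
            raise ValueError("precedence must be 1 through 5,000")
        if len(self.rules) >= 500:
            raise ValueError("an ACL holds at most 500 rules")
        self.rules.append(rule)

    def evaluate(self, pkt: dict) -> str:
        """Return "forward" or "drop", recording any mark in pkt["marks"].

        Rules are tried in ascending precedence. Operations are explicit: a
        rule acts only on traffic it selects, and unselected traffic falls
        through to the next rule. Traffic selected by no rule meets the
        implicit "deny any", except in MAC standard ACLs (local MAC
        authentication filters), whose implicit final rule is "permit any".
        """
        for rule in sorted(self.rules, key=lambda r: r.precedence):
            if not matches(rule, pkt):
                continue
            if rule.logging:
                rule.hits += 1
            if rule.operation == "deny":
                return "drop"
            if rule.operation == "mark" and rule.mark:
                pkt.setdefault("marks", {})[rule.mark[0]] = rule.mark[1]
            return "forward"          # permit and mark rules both forward
        return "forward" if self.acl_type == "mac-standard" else "drop"

    def hits(self, precedence: int) -> int:
        return next(r.hits for r in self.rules if r.precedence == precedence)


def build_sample_acl() -> Acl:
    """Constructed guest-WLAN ACL. Nonconsecutive precedence values (5, 10,
    20) leave room to insert rules between existing ones later; rule 5 must
    precede rule 10 or the DNS server inside 10.1.0.0/16 would be unreachable."""
    acl = Acl("guest-wlan", "ip-extended")
    acl.add_rule(Rule(10, "deny", destination="10.1.0.0/16", logging=True))
    acl.add_rule(Rule(5, "permit", protocol="udp", destination="10.1.1.53/32", dst_port=53))
    acl.add_rule(Rule(20, "permit", protocol="tcp", dst_port=80))
    return acl
```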
Figure 7-1. Security > ACLs > Configuration Screen
2. Click the Add button. The Add ACL screen is displayed. (See Figure 7-2.)
Figure 7-2. Add ACL Screen
3. In the ACL Type field, use the drop-down menu to select either the standard IP, extended IP, or MAC extended ACL type.
4. In the ACL ID field, specify the ACL ID, which uniquely identifies the ACL. ACL IDs can be either an ASCII string or a numeric value. Follow these rules:
• String names for ACL IDs can contain alphanumeric characters, including hyphen ( - ) and underline ( _ ) characters.
The numeric value of the ACL ID does not affect the precedence of ACLs. However, precedence is important for the rules inside of a particular ACL; you will set these precedence values later when you configure ACL rules.
5. Click the OK button. The ACL is now listed in the ACLs section of the Security > ACLs > Configuration screen.
Figure 7-3. Security > ACLs > Configuration with ACL
Configuring Rules for ACLs
After you create an ACL, you must add rules to it.
You can configure up to 500 rules for each ACL, no matter what its type.
Creating Rules for Standard IP ACLs
The standard IP ACL offers a variety of options for rules. However, some of these options only take effect on certain interfaces. As you create the rule, keep in mind the interface for which you are designing this ACL. In Table 7-3, an X under the interface means that the option is supported for that interface.
Table 7-3.
Figure 7-4. Add Rule Screen for Standard IP ACLs
3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000. The Wireless Edge Services zl Module processes rules in ascending order (starting at 1, moving to 2, and so on). As you assign precedence values to rules for a given ACL, consider using nonconsecutive numbers (for example, 10, 20, 30, and so on), in case you need to insert new rules “between” existing rules later.
4.
6. If you selected the mark operation in step 4, under Attribute to mark, select one of the following:
• 802.1p—Then specify the traffic service class value, from 0 through 7.
• TOS—Then specify the value for the TOS octet, from 0 through 255. Standard DSCP values are from 0 through 63. Remember that higher values typically mark traffic for better QoS.
7.
Creating Rules for Extended IP ACLs
Configuring rules for an extended IP ACL is similar to configuring rules for standard IP ACLs. However, these rules can also select traffic by protocol, application, and destination IP address. Refer to Table 7-4 to verify that a particular option is supported for the interface to which you plan to apply the ACL. An X under the interface means that the option is supported for that interface.
Table 7-4.
Figure 7-5. Add Rule Screen for Extended IP ACLs
3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000. The Wireless Edge Services zl Module processes rules in ascending order (starting at 1, moving to 2, and so on). As you assign precedence values to rules for a given ACL, consider using nonconsecutive numbers (for example, 10, 20, 30, and so on) in case you need to insert new rules in between existing rules later.
4.
Note: The mark operation only takes effect if you apply this ACL to a physical interface.
5. Optionally, check the Logging box to allow the module to keep track of the number of packets matched to this rule.
6. If you selected the mark operation in step 4, under Attribute to mark, select one of the following:
• 802.1p—Then specify the traffic service class value, from 0 through 7.
• TOS—Then specify the value for the TOS octet, from 0 through 255.
The ICMP Type and ICMP Code settings are based on the first 16 bits of the 32-bit ICMPv6 message packet, illustrated in Figure 7-7.
Figure 7-7. ICMPv6 Message Packet
In the ICMPv6 message packet:
– The ICMP type value is based on the first eight bits (bits 0 through 7). ICMP type values from 0 through 127 are used for error messages, and ICMP type values from 128 through 255 are used for information messages.
ICMP Type | Type Description | ICMP Code | Code Description
3 | Time Exceeded message | 0 | Hop limit exceeded in transit
  |  | 1 | Fragment reassembly time exceeded
4 | Parameter Problem message | 0 | Erroneous header field encountered
  |  | 1 | Unrecognized Next Header type encountered
  |  | 2 | Unrecognized IPv6 option encountered
128 | Echo Request message | 0 |
129 | Echo Reply message | 0 |
Figure 7-8. TCP/UDP Options Screen
b.
You do not have to specify both source and destination ports. Set the destination port to control traffic associated with a particular VLAN. For example, set the destination port to 80 to select HTML traffic. Click the OK button to return to the Add Rule screen and finish configuring other filters.
9. In the Source Wildcard/Mask field, use the drop-down menu to select one of the following:
• any—The rule will apply to traffic from any IP address.
Creating Rules for MAC Extended ACLs
To create a rule for a MAC extended ACL, complete these steps:
1. On the Security > ACLs > Configuration screen, in the ACL section, select a MAC extended ACL.
2. Click the Add button under Associated Rules. The Add Rule screen is displayed.
Figure 7-9.
3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000. The Wireless Edge Services zl Module processes rules in ascending order (starting at 1, moving to 2, and so on). As you assign precedence values to rules for a given ACL, consider using nonconsecutive numbers (for example, 10, 20, 30, and so on) in case you need to insert new rules in between existing rules later.
4.
Note: You should never specify a WLAN index for an ACL that you apply to the uplink port. Traffic from the uplink port is not marked for a WLAN, so the rule will not select any traffic.
9. Optionally, check the box to filter frames according to the following criteria:
• Vlan ID—Select traffic with the specified VLAN ID. Valid values range from 1 through 4,095.
• 802.1p Priority—Select traffic with the specified QoS class. Valid values range from 0 through 7.
Applying ACLs to Interfaces
An ACL does not take effect on the Wireless Edge Services zl Module until you apply it to an interface. Although you can create and configure many ACLs, you are limited in the number of ACLs that you can apply:
■ You can apply one IP ACL to each logical (VLAN) interface. See “IP Settings” on page 6-3 in Chapter 6: “IP Services—IP Settings, DHCP, and DNS” to learn how to create a VLAN interface.
Figure 7-10. Security > ACLs > Attach
2. Click the Add button. The Add ACL Association screen is displayed.
Figure 7-11.
3. From the Interface drop-down menu, select one of the following interfaces:
• uplink—the module’s internal uplink port
• downlink—the module’s internal downlink port
• an uplink VLAN configured on the module
4. Select the ACL to control incoming traffic on the selected interface. The options available depend on the type of interface:
• For VLAN interfaces, select an IP-type ACL from the IP ACL drop-down menu.
Viewing ACL Statistics
You should check ACLs and verify that they are selecting traffic as they should. To view statistics for your ACLs, select Security > ACLs and click the Statistics tab. You can alternatively select Security > ACL Statistics.
Figure 7-12. Security > ACLs > Statistics Screen
ACL statistics are displayed on the screen. (If you do not see any statistics, you may need to edit your rules and check the Logging box.)
Table 7-6. Action IDs for ACL Statistics
ID | Action
2 | drop—a deny rule
3 | forward—a permit or mark rule
■ Protocol—protocol for selected packets. Table 7-7 provides a key for the protocols.
Table 7-7.
Figure 7-13. Security > ACLs > Details Screen
In addition to the information that you viewed on the Security > ACLs > Statistics screen, you can monitor the traffic associated with this rule. Total Flows reports the total number of sessions established using this rule and typically matches the value for Times Used. Active Flows shows how many of those sessions are still active.
8 Configuring Network Address Translation (NAT)
Contents
Overview 8-3
Translating Between an Inside and an Outside Network 8-3
Local and Global Addresses 8-4
NAT Implementation Methods 8-5
Dynamic, or Many-to-One, NAT . . .
Configuring Network Address Translation (NAT)
Overview
You can configure the ProCurve Wireless Edge Services zl Module to perform Network Address Translation (NAT) on traffic routed between two subnetworks—typically, traffic exchanged between the wireless and the wired network. The module can translate either the source or the destination IP address in a packet’s IP header to a new address. The Wireless Edge Services zl Module allows you to implement NAT in several different ways.
Figure 8-1. Dividing Interfaces into Inside and Outside Interfaces
The Wireless Edge Services zl Module always performs NAT on traffic as the traffic arrives on an interface. Because the module can apply NAT to both inside and outside interfaces, it can perform NAT in both directions.
Note: When the Wireless Edge Services zl Module maps wireless traffic to a VLAN, that traffic is considered to have arrived on the VLAN interface.
NAT Implementation Methods
On the Wireless Edge Services zl Module, you can configure:
■ dynamic NAT
■ static NAT
Dynamic NAT affects only source IP addresses, while static NAT can translate either source or destination IP addresses.
Dynamic, or Many-to-One, NAT
Perhaps the most common implementation of NAT is dynamic NAT, sometimes called many-to-one NAT because it allows multiple stations to share the same IP address after translation.
Figure 8-2 illustrates this configuration, which allows wireless stations to use IP addresses local to the wireless network but still to open sessions with servers in the Ethernet network.
Figure 8-2. Dynamic Source NAT on Wireless Traffic
You can also implement NAT on the module to ready wireless traffic for transmission to the Internet—if you do not have another device that does so.
Dynamic NAT for Wired Traffic
You can configure dynamic NAT for traffic bound from the wired network to the wireless network. In this case, the Wireless Edge Services zl Module translates wired devices’ IP addresses to one of the module’s own IP addresses. You might use dynamic NAT on wired traffic when your wireless network receives a great deal of public traffic.
Port Address Translation for Dynamic NAT
To enable multiple users to share one IP address, the Wireless Edge Services zl Module uses port address translation in conjunction with NAT. When the module translates a local IP address to a global address, it assigns each local address a unique port number, as shown in Table 8-1.
this wireless network is much like the Internet—filled with untrusted users—you should implement the same types of security measures that you put in place for users who access your network from the Internet.
Configure destination NAT to allow wireless users to send traffic toward a server’s publicly known address. The Wireless Edge Services zl Module translates the traffic’s destination address to the correct local address.
One principle to remember: on the Wireless Edge Services zl Module, you define which VLANs are inside interfaces and which are outside. Figure 8-4 shows a configuration in which the VLAN used in the Ethernet network is an outside interface. So you configure the destination NAT on inside interfaces (these interfaces receive traffic that is destined to the outside VLAN).
Figure 8-5. Outside Destination NAT with Port Forwarding
When the module translates the destination IP address, it can also perform port translation, assigning the traffic to the particular port used by the destination device.
Static NAT on Source Addresses
Static source NAT is an alternative to dynamic source NAT. However, instead of allowing many stations to share one global address, static source NAT sets up a one-to-one correspondence between a particular IP address and a translated IP address. Use this option only when relatively few devices in one network (inside or outside) need to access devices in the other network.
However, for destination NAT, the local address is actually the address as it appears across the border between inside and outside. This is because packets, pre-translation, are destined to the IP address that the originating station knows for the destination device, not the destination’s actual IP address. In Figure 8-5 on page 8-10, for example, the local address is 10.1.1.1. Table 8-2 summarizes this terminology.
Table 8-2.
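The behaviour described in this Overview, as an added Python model that is not code from this guide or from the module: NAT is applied as traffic arrives on an interface defined as inside or outside; dynamic source NAT selects local addresses with permit/deny rules in the manner of the standard ACL and lets them share one global address through port address translation; static destination NAT maps a publicly known address and port to the server’s real address and port. Interface names, addresses, the selection rules, the PAT port range and the Local (before) / Global (after) labelling of the status rows are constructed assumptions.

```python
"""Model of how the zl Module applies NAT as traffic arrives on an interface.

Added example, not HP code. Interface names, addresses, the ACL-style
selection list, the PAT port range and the status-row labels are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def selected(rules, src):
    """Standard-ACL selection used by dynamic NAT: a permit rule means the
    source is subject to NAT, a deny rule means it is not, and the implicit
    deny at the end leaves unmatched sources untranslated."""
    addr = ip_address(src)
    for op, net in rules:                      # rules already in precedence order
        if addr in ip_network(net):
            return op == "permit"
    return False


class Nat:
    PAT_FIRST_PORT = 1024                      # assumption: first port the model hands out

    def __init__(self):
        self.iface_kind = {}    # interface -> "Inside" | "Outside" (Security > NAT > Interfaces)
        self.dynamic = {}       # kind -> (selection rules, shared global source address)
        self.static_dst = {}    # (kind, proto, known addr, known port) -> (real addr, real port)
        self.pat = {}           # (global addr, local addr, local port) -> global port
        self.next_port = {}     # global addr -> next unused PAT port

    def define_interface(self, name, kind):
        if kind not in ("Inside", "Outside"):
            raise ValueError("interface type must be Inside (Private) or Outside (Public)")
        self.iface_kind[name] = kind

    def add_dynamic(self, kind, rules, global_addr):
        self.dynamic[kind] = (rules, global_addr)

    def add_static_destination(self, kind, proto, known, known_port, real, real_port):
        self.static_dst[(kind, proto, known, known_port)] = (real, real_port)

    def translate(self, iface, flow):
        """Translate flow as it arrives on iface. Returns (flow after NAT, status
        row) with the row keyed Local (before) / Global (after) for the arriving
        interface type, or (flow, None) when no definition applies."""
        kind = self.iface_kind.get(iface)
        if kind is None:
            return flow, None                  # interface not mapped to NAT: no effect
        key = (kind, flow.proto, flow.dst, flow.dport)
        if key in self.static_dst:             # static destination NAT with port forwarding
            real, real_port = self.static_dst[key]
            return replace(flow, dst=real, dport=real_port), {
                f"{kind}-Local": f"{flow.dst}:{flow.dport}",
                f"{kind}-Global": f"{real}:{real_port}"}
        if kind in self.dynamic:               # dynamic (many-to-one) source NAT with PAT
            rules, gaddr = self.dynamic[kind]
            if selected(rules, flow.src):
                gport = self._pat_port(gaddr, flow.src, flow.sport)
                return replace(flow, src=gaddr, sport=gport), {
                    f"{kind}-Local": f"{flow.src}:{flow.sport}",
                    f"{kind}-Global": f"{gaddr}:{gport}"}
        return flow, None

    def _pat_port(self, gaddr, laddr, lport):
        """Give each local address:port its own port on the shared global
        address, reusing the same port for an existing session."""
        key = (gaddr, laddr, lport)
        if key not in self.pat:
            port = self.next_port.get(gaddr, self.PAT_FIRST_PORT)
            self.pat[key] = port
            self.next_port[gaddr] = port + 1
        return self.pat[key]

    def reverse(self, gaddr, gport):
        """Find the local address:port behind a PAT port so that return
        traffic reaches the right station."""
        for (g, laddr, lport), port in self.pat.items():
            if g == gaddr and port == gport:
                return laddr, lport
        return None


def build_sample_nat():
    """Constructed topology: wireless VLAN 20 (10.2.0.0/24) is inside, wired
    VLAN 10 is outside. Stations share 10.1.1.250 toward the wired network;
    wired clients reach a wireless server through the known address 10.1.1.1."""
    nat = Nat()
    nat.define_interface("vlan20", "Inside")
    nat.define_interface("vlan10", "Outside")
    nat.add_dynamic("Inside", [("deny", "10.2.0.1/32"), ("permit", "10.2.0.0/24")], "10.1.1.250")
    nat.add_static_destination("Outside", "tcp", "10.1.1.1", 80, "10.2.0.20", 8080)
    return nat
```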
Configuring Network Address Translation (NAT)
Planning the NAT Configuration
Before you access the Security > NAT screen and begin to set up NAT for your wireless network, you should plan your configuration:
1. Consider your company’s network topology and security needs and determine the requirements for NAT. In other words, which NAT methods do you need to configure, and which traffic should be translated?
2. Record the IP addresses necessary for your NAT configuration.
■ You want to conceal IP addresses used in your LAN from wireless users. Separate the VLANs for wired traffic from the VLANs for wireless traffic: when you specify the uplink VLANs in which the Wireless Edge Services zl Module places traffic from WLANs, choose different VLANs from those already used in the wired network. Next, define the wired VLANs as inside interfaces and define the wireless VLANs as outside interfaces.
Record Necessary IP Addresses and Select the NAT Implementation Method
As part of your NAT planning, you should record:
■ local address—the address or addresses that will be translated
■ global address—the address that will replace the local address when the module applies NAT
You should also determine which NAT implementation method you are using.
Figure 8-7. Dynamic NAT on a Sample Network
For this NAT implementation, you would record the IP addresses specified in the DHCP pool and configure an ACL that selects those addresses. Table 8-3 lists the actual IP addresses that you would record for the sample network shown in Figure 8-7.
Table 8-3.
Planning the Configuration for Static NAT
For static NAT, you manually specify the IP address and port settings within each NAT configuration. You must configure a separate static definition specifically for each IP address that your Wireless Edge Services zl Module must translate.
Figure 8-8. Outside Destination NAT with Port Translation on a Sample Network
In Figure 8-8, the VLAN for wireless stations is the inside interface, so the Web server is an outside device. Therefore you must set up inside destination NAT. You could alternatively define the Web server’s VLAN as the inside interface, in which case you would configure outside destination NAT.
Table 8-4. Recording Addresses for Outside Destination NAT
NAT Interface Type | NAT Address Type | Local or Global Address | Local or Global Port | Recorded Addresses for the Sample Network | Recorded Ports for the Sample Network
Inside | Destination | Local (outside device’s IP | Local (port to which the | 10.1.1.
Configuring Network Address Translation (NAT) Configuring Standard ACLs for Dynamic NAT Configuring Standard ACLs for Dynamic NAT To configure dynamic translation, you use a standard ACL to select the IP addresses that the Wireless Edge Services zl Module NATs. Although you can use any ACL that you have configured, you will probably want to configure ACLs to meet the specific requirements for your NAT implementation.
Configuring Network Address Translation (NAT)
Configuring NAT
The full procedure for adding rules to ACLs is documented in Chapter 7: “Access Control Lists (ACLs).” The following rule guidelines apply to ACLs used for NAT:
■ In the Operation field, the permit operation means that traffic will be subject to NAT; the deny operation means that traffic will not be subject to NAT. (The mark operation does not apply to NAT.)
• Static translation—configured to specific IP addresses and ports; any configuration changes are made within the NAT configuration itself.
Defining Interfaces as Outside or Inside
NAT configurations have no effect until you map interfaces to NAT by defining particular interfaces as outside or inside.
Figure 8-11. Add Interface Screen
3. In the Interfaces field, use the drop-down menu to select an interface configured on the module.
4. In the Type field, use the drop-down menu to select either Inside (Private) or Outside (Public).
5. Click the OK button. The interface is now listed on the Security > NAT > Interfaces screen.
Figure 8-12. Interface Assignment in Security > NAT > Interfaces Screen
Configuring Dynamic NAT
For each NAT configuration that will use dynamic NAT, you must first set up an ACL. This ACL contains rules that select the source addresses for traffic to be translated. For information about creating this ACL, see Chapter 7: “Access Control Lists (ACLs)” and “Configuring Standard ACLs for Dynamic NAT” on page 8-20.
Figure 8-13. Security > NAT > Dynamic Translation Screen
2. Click the Add button. The Add Dynamic Translation screen is displayed.
Figure 8-14.
3. In the NAT Interface field, use the drop-down menu to select the type of interfaces to which the module applies NAT:
• Inside (Private)—traffic that arrives from the inside network. In other words, inside NAT applies to incoming traffic on an inside interface; typically, the inside traffic should be bound to the outside network.
Figure 8-15. Dynamic NAT Configuration in the Security > NAT > Dynamic Translation Screen
Configuring Static Translation
Static translation sets up a one-to-one correspondence between a source or destination IP address and a translated IP address. The configuration steps depend on whether you are configuring static source NAT or static destination NAT.
To configure a static source translation, complete these steps:
1. Select Security > NAT and click the Static Translation tab.
Figure 8-16. Security > NAT > Static Translation Screen
2. Click the Add button. The Add Static Translation screen is displayed.
Figure 8-17. Add Static Translation Screen
3. In the NAT section, select the Interface Type and Address Type:
a. The Interface Type determines to which interfaces the Wireless Edge Services zl Module applies the static NAT definition:
– Outside (Public)—incoming traffic on an outside interface
– Inside (Private)—incoming traffic on an inside interface
b.
Table 8-5. Determining the IP Address for the Local Address Field
Interface Type | Address Type | IP Address for the Local Address Field
Inside (Private) | Source | IP address of an inside device as it appears on the inside network
Outside (Public) | Source | IP address of an outside device as it appears on the outside network
For example, for source NAT, enter the configured IP address assigned to a device in its own network.
Figure 8-18. Static NAT Definition in the Security > NAT > Static Translation Screen
Configuring Static Destination NAT
The Wireless Edge Services zl Module stands between two networks that use different IP addresses. Destination NAT allows clients in one network to open sessions with servers in the other network. You must configure destination NAT statically.
To configure a static destination translation, complete these steps:
1.
Figure 8-19. Security > NAT > Static Translation Screen
2. Click the Add button. The Add Static Translation screen is displayed.
Figure 8-20. Add Static Translation Screen
3. In the NAT section, select the Interface Type and Address Type:
a. The Interface Type determines to which interfaces the Wireless Edge Services zl Module applies the static NAT definition:
– Outside (Public)—incoming traffic on an outside interface
– Inside (Private)—incoming traffic on an inside interface
b.
This setting, which is available only for destination NAT, allows you to configure port forwarding. Choose the protocol for the application for which you are creating the NAT definition. For example, if you are setting up destination NAT to allow wireless stations to reach your Web server, select TCP.
5. In the Before Translation section, specify the IP address and port to which the traffic to be translated is destined.
a.
Table 8-8.
Figure 8-21. Static NAT Definition in the Security > NAT > Static Translation Screen
Viewing NAT Status
To view current translations, select Security > NAT and click the Status tab. Alternatively, you can select Security and click the NAT Status tab. (See Figure 8-22.)
Figure 8-22. Security > NAT > Status Screen
Each active session to which the Wireless Edge Services zl Module has applied NAT is displayed in a row.
The number after a colon indicates the port. For example, the module has translated the source IP addresses in the first three rows to the same global source address, but different port numbers. On the other hand, for a session using static destination NAT on outside traffic, the translation appears in the Outside-Global and Outside-Local columns.
The logged information is saved to a comma-separated values (CSV) file on your workstation, which lets you:
■ save information that might be important later, while keeping logs or statistics clear for future events
■ send a file to support staff for troubleshooting help
■ pool information from multiple devices in a central location
■ track patterns of network activity
9 Fast Layer 2 Roaming and Layer 3 Mobility
Contents
Overview 2
Layer 2 Roaming on a Single Wireless Edge Services zl Module 9-2
Fast Layer 2 Roaming for WPA/WPA2 with 802.1X 9-3
Pre-authentication 9-3
Layer 2 Roaming on a Web-Auth WLAN Between Different Wireless Edge Services zl Modules 9-4
Layer 3 Mobility . . .
Fast Layer 2 Roaming and Layer 3 Mobility Overview Overview The type of roaming that your ProCurve Wireless Edge Services zl Modules support depends on your network topology and module configurations, as well as on other factors.
Fast Layer 2 Roaming for WPA/WPA2 with 802.1X
WPA’s Temporal Key Integrity Protocol (TKIP) (and WPA2’s Counter Mode CBC-MAC Protocol [CCMP]) derive encryption keys from a unique Pairwise Master Key (PMK) for each association with a wireless station. Because the PMK is necessary for the station and the Wireless Edge Services zl Module to communicate, the module must ensure that it maintains the key for a roaming station.
The 802.11i standard (on which WPA is modeled) includes a section on pre-authentication, a mechanism that speeds up Layer 2 roaming. A station can associate to only one RP and Wireless Edge Services zl Module at a time. However, the station can detect beacons from other RPs—including RPs connected to other modules.
user’s credentials to all modules in the group. The other modules cache the credentials so that they are ready to be sent to the RADIUS server should the user later roam to one of these modules. Note that the redundancy group solution does not enable the Web-Auth WLAN to include any more RPs than the single module solution: a redundancy group, just like a single module, has a 156 RP limit.
Figure 9-1. Network Requiring Layer 3 Mobility
To implement Layer 3 mobility, Wireless Edge Services zl Modules perform these functions:
■ The modules support a Layer 3 mobility domain. The area in which stations can roam freely (no matter which subnetworks are supported in that area of the wired network) is the Layer 3 mobility domain. The Wireless Edge Services zl Modules in the roaming domain are referred to as peers.
■ The modules store information about all stations associated to any module in the Layer 3 mobility domain. The Wireless Edge Services zl Module responsible for handling a station’s traffic is that station’s home module (HM). All the peers in the Layer 3 roaming domain must track all stations’ HM and HM VLAN.
Figure 9-2. Layer 2 and Layer 3 Roaming Domains
Roaming Behavior
This section summarizes which features you must configure on your Wireless Edge Services zl Modules to enable the best possible roaming behavior in various circumstances. Keep in mind that this section discusses the behavior the modules support. Stations’ capabilities also affect roaming.
The previous sections have introduced you to different types of roaming, which are defined briefly as follows:
■ Fast roaming—A fast roam is under 50 milliseconds. Fast roaming, as a standard, refers to pre-authentication as specified by 802.11i, which applies only to WPA/WPA2 with 802.1X. However, other types of roaming might be under 50 milliseconds. When a roam is described as fast, it also is assumed to be seamless.
Table 9-1.
■ When a WLAN enforces Web-Auth, you must configure a redundancy group for seamless Layer 2 roaming between RPs on different modules. See Chapter 10: “Redundancy Groups” to learn how to create such a group.
■ You must configure a Layer 3 mobility domain for Layer 3 roaming. Layer 3 roaming is seamless, but not fast. See “Configuring Layer 3 Mobility” on page 9-15.
Fast Layer 2 Roaming and Layer 3 Mobility
Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X
Fast roaming facilitates roaming in a WLAN that requires WPA/WPA2 with 802.1X authentication. That is, it speeds the process of a station connecting to a new RP and possibly a new Wireless Edge Services zl Module:
■ putting necessary encryption keys in place
■ when necessary, completing 802.
Figure 9-3. Configuring Settings for a WLAN That Uses Pre-Authentication
5. Click the Config button next to the encryption standard. A screen for editing the encryption options is displayed.
Figure 9-4. Enabling Pre-Authentication
6. Check the box for Pre-authentication. Remember that pre-authentication messages do not cross subnetwork (VLAN) boundaries, so the module receives them only from modules or APs that assign the WLAN to the same subnetwork.
7. By default, PMK Caching and Opportunistic Key Caching are enabled and you should leave them so.
9. Click the OK button in the Edit screen for the WLAN. 10. Remember to save your configuration. Configuring Layer 3 Mobility You must complete these tasks to configure Layer 3 mobility: 1. Configure Layer 3 mobility settings for the local Wireless Edge Services zl Module: • IP address • WLANs on which Layer 3 mobility is enabled 2. Specify the peers’ IP addresses. 3. Enable Layer 3 mobility. 4.
Configuring Layer 3 Mobility Settings The first step in establishing a Layer 3 mobility domain is configuring local Layer 3 mobility settings on your Wireless Edge Services zl Module.
2. Specify a valid IP address on this Wireless Edge Services zl Module. You have two options: • Select Use Default Management Interface to use the address on the management VLAN. • Select Use this Local Address and manually enter an IP address. 3. Optionally, change the value in the Roam Interval field. 4. A station that roams at Layer 3 must maintain its association with its HM.
Figure 9-7 displays an example configuration. Figure 9-7. Configuring Layer 3 Mobility Settings Specifying Layer 3 Mobility Peers Other Wireless Edge Services zl Modules in the Layer 3 mobility domain are called peers. To specify their addresses, complete these steps: 1. Select Network Setup > Layer 3 Mobility and click the Peer List tab. 2. Click the Add button.
Figure 9-8. Adding a Layer 3 Mobility Peer 3. Enter the peer’s IP address in the Add screen. 4. Click the OK button. Repeat steps 2 through 4 to add multiple peers (up to 11). Enabling Layer 3 Mobility After configuring your Layer 3 mobility settings and specifying peers, you enable Layer 3 mobility by completing these steps: 1. Select Network Setup > Layer 3 Mobility and click the Configuration tab. 2.
Figure 9-9. Enabling Layer 3 Mobility 3. Click the Apply button. 4. Click the Save link to write the configuration to the startup-config.
Verifying and Managing Layer 3 Mobility To verify that Layer 3 mobility is functioning correctly, check the following: ■ The local Wireless Edge Services zl Module begins communicating with its peers. ■ Stations that roam to an RP adopted by a Wireless Edge Services zl Module on a different VLAN preserve their IP addresses and active sessions.
The Idle status indicates that the local Wireless Edge Services zl Module has not enabled Layer 3 roaming. Even if the Enable Mobility box is checked, the module does not enable Layer 3 mobility until you specify a valid local IP address. A Wireless Edge Services zl Module that remains at the Active-Connecting or Passive-Connecting status also cannot connect to the peer.
Track the messages described above to verify that your Wireless Edge Services zl Modules send the correct messages when your station completes the roams illustrated in Figure 9-11. Figure 9-11. Difference Between a Layer 2 Roam and a Layer 3 Roam To track the messages, select Network Setup > Layer 3 Mobility and click the Peer Statistics tab. A screen displays all peers, which are identified by their IP address.
■ the number of L2-Roams sent to and received from that peer ■ the number of L3-Roams sent to and received from that peer Figure 9-12. Viewing Peer Statistics Click the Clear Statistics button to erase the current statistics and start the counters over again.
To test Layer 3 roaming, move a station from one RP’s cell to the cell of an RP supported by a different Wireless Edge Services zl Module. Verify that the station’s IP address remains the same and sessions remain active. You can also verify a Layer 3 roam from your module’s Web browser interface. To view information about stations, select Network Setup > Layer 3 Mobility and click the Station Status tab.
■ Curr Module IP—CM IP address ■ Roam—This column tracks Layer 3 roams. The station is considered to be in a roaming state (green check mark) if its CM differs from its HM. In Figure 9-13, the 10.4.1.30 Wireless Edge Services zl Module is the HM for three stations associated with the wireless network, and the 10.4.2.30 module is the HM for one station. However, one of the 10.4.1.
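To make the HM/CM bookkeeping and the Layer 2 versus Layer 3 roam distinction concrete, here is an added model (not ProCurve code) that classifies a station's move between modules by whether the two modules map the WLAN to the same VLAN, keeps the station's IP address across the roam, and maintains per-peer L2-Roams/L3-Roams counters like the Peer Statistics tab. The module address 10.4.1.31, the VLAN numbers, the station MAC and IP, and the choice of which side counts a roam as "sent" are constructed assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Module:
    ip: str
    wlan_vlan: int  # VLAN this module assigns to the Layer 3 mobility WLAN


@dataclass
class Station:
    mac: str
    ip: str          # preserved across L2 and L3 roams
    hm: str          # home module IP (module of first association)
    cm: str          # current module IP

    @property
    def roaming(self) -> bool:
        # Station Status "Roam" column: checked when CM differs from HM.
        return self.cm != self.hm


class MobilityDomain:
    """Constructed model of a Layer 3 mobility domain's roam accounting."""

    def __init__(self, *modules: Module) -> None:
        self.modules: Dict[str, Module] = {m.ip: m for m in modules}
        self.stations: Dict[str, Station] = {}
        # (local module, peer module) -> {"L2-Roams": {"sent", "received"}, ...}
        self.peer_stats: Dict[Tuple[str, str], Dict[str, Dict[str, int]]] = {}

    def _stats(self, local: str, peer: str) -> Dict[str, Dict[str, int]]:
        return self.peer_stats.setdefault(
            (local, peer),
            {"L2-Roams": {"sent": 0, "received": 0},
             "L3-Roams": {"sent": 0, "received": 0}},
        )

    def associate(self, mac: str, ip: str, module_ip: str) -> Station:
        """First association: the adopting module becomes the station's HM."""
        st = Station(mac=mac, ip=ip, hm=module_ip, cm=module_ip)
        self.stations[mac] = st
        return st

    def roam(self, mac: str, new_module_ip: str) -> str:
        """Move a station to an RP adopted by new_module_ip; return the roam kind."""
        st = self.stations[mac]
        old_module_ip = st.cm
        if new_module_ip == old_module_ip:
            return "intra-module"  # same module: no inter-module message
        same_vlan = (self.modules[old_module_ip].wlan_vlan
                     == self.modules[new_module_ip].wlan_vlan)
        kind = "L2-Roams" if same_vlan else "L3-Roams"
        # Assumption: the module the station leaves is counted as sender.
        self._stats(old_module_ip, new_module_ip)[kind]["sent"] += 1
        self._stats(new_module_ip, old_module_ip)[kind]["received"] += 1
        st.cm = new_module_ip  # HM and IP address unchanged
        return kind


def demo() -> dict:
    """Constructed scenario: two modules on VLAN 10, one on VLAN 20."""
    dom = MobilityDomain(
        Module("10.4.1.30", wlan_vlan=10),
        Module("10.4.1.31", wlan_vlan=10),  # constructed second VLAN-10 module
        Module("10.4.2.30", wlan_vlan=20),
    )
    st = dom.associate("00-11-22-33-44-55", "10.4.1.100", "10.4.1.30")
    first = dom.roam(st.mac, "10.4.1.31")     # same VLAN -> Layer 2 roam
    second = dom.roam(st.mac, "10.4.2.30")    # different VLAN -> Layer 3 roam
    roaming_away = st.roaming
    third = dom.roam(st.mac, "10.4.1.30")     # back to the HM -> Layer 3 roam
    return {
        "kinds": (first, second, third),
        "roaming_while_away": roaming_away,
        "roaming_at_home": st.roaming,
        "ip_preserved": st.ip == "10.4.1.100",
        "l3_sent_from_10.4.1.31": dom.peer_stats[("10.4.1.31", "10.4.2.30")]["L3-Roams"]["sent"],
        "l2_received_by_10.4.1.31": dom.peer_stats[("10.4.1.31", "10.4.1.30")]["L2-Roams"]["received"],
    }
```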
10 Redundancy Groups Contents High Availability for Wireless Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Redundant Wireless Services zl Module . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Redundancy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Active or Standby Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Adopting RPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
High Availability for Wireless Services For many companies, wireless access has become as critical to their business as traditional wired access. Recognizing the importance of wireless access, ProCurve Networking has designed its wireless services with high availability in mind. To protect the availability of your company’s wireless services, purchase multiple Wireless Edge Services zl Modules and place them in a redundancy group.
Redundancy Group A redundancy group can contain up to twelve modules: ■ at least one Wireless Edge Services zl Module ■ up to 11 other Wireless Edge Services zl Modules or Redundant Wireless Services zl Modules, in any combination For example, the group can include one Wireless Edge Services zl Module (primary module) and two Redundant Wireless Services zl Modules (redundant modules).
Figure 10-1. Failover Capabilities for the Wireless Edge Services zl Module Active or Standby Mode When you configure a module to be part of a redundancy group, you must select a mode, which determines the module’s role in the group.
■ Standby mode—In standby mode, the module is primarily responsible for providing failover capabilities if a module in active mode becomes unavailable. (A module in standby mode can adopt RPs in the circumstances described in “Adopting RPs” on page 10-5.) Both Wireless Edge Services zl Modules and Redundant Wireless Services zl Modules support both modes.
Adopting RPs in Standby Mode In standby mode, a redundancy group member adopts RPs only in certain circumstances: ■ The standby member does not receive a heartbeat from an active member for the length of time specified in the hold period option. In a group with multiple active members, the standby member takes action should even one member fail. ■ All active members fail to adopt an RP, although the group has enough RP licenses to adopt the RP.
■ one Wireless Edge Services zl Module with the default license (for 12 RPs) ■ one Redundant Wireless Services zl Module The redundancy group has two licenses and can adopt 24 RPs. All members of the redundancy group share the group’s licenses. Any active member can use the group’s licenses to adopt an RP at any time.
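The standby adoption rules and the shared license pool described in the two passages above can be captured in a small model. This is an added illustration, not the module's own logic: the hold period value, the RP MAC addresses and the `active_declined` flag (standing for "every active member failed to adopt the RP") are constructed assumptions; the member addresses are the ones Table 10-2 uses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RPS_PER_LICENSE = 12  # the default license on the page covers 12 RPs


@dataclass
class Member:
    ip: str
    mode: str                              # "active" or "standby"
    licenses: int = 0                      # RP licenses this module contributes
    last_heartbeat: Optional[float] = None  # seconds; None = never heard
    adopted: List[str] = field(default_factory=list)  # RP MAC addresses


class RedundancyGroup:
    """Constructed model of heartbeat tracking and RP adoption decisions."""

    def __init__(self, hold_period: float) -> None:
        self.hold_period = hold_period
        self.members: Dict[str, Member] = {}

    def add_member(self, member: Member) -> None:
        self.members[member.ip] = member

    def heartbeat(self, ip: str, now: float) -> None:
        self.members[ip].last_heartbeat = now

    def capacity(self) -> int:
        # Licenses are pooled: one primary + one redundant license -> 24 RPs.
        return sum(m.licenses for m in self.members.values()) * RPS_PER_LICENSE

    def adopted_count(self) -> int:
        return sum(len(m.adopted) for m in self.members.values())

    def failed_active(self, now: float) -> List[str]:
        """Active members silent for longer than the hold period."""
        return [
            m.ip for m in self.members.values()
            if m.mode == "active"
            and (m.last_heartbeat is None or now - m.last_heartbeat > self.hold_period)
        ]

    def may_adopt(self, ip: str, now: float, active_declined: bool = False) -> bool:
        """True if member `ip` is allowed to adopt one more RP at time `now`."""
        if self.adopted_count() >= self.capacity():
            return False                    # group licenses exhausted
        member = self.members[ip]
        if member.mode == "active":
            return True                     # active members adopt whenever licenses remain
        # Standby: only after an active member misses the hold period, or when
        # all active members failed to adopt although licenses remain.
        return bool(self.failed_active(now)) or active_declined

    def adopt(self, ip: str, rp_mac: str, now: float, active_declined: bool = False) -> bool:
        if not self.may_adopt(ip, now, active_declined):
            return False
        self.members[ip].adopted.append(rp_mac)
        return True


def demo() -> dict:
    """Constructed scenario: one active primary module, one standby redundant module."""
    g = RedundancyGroup(hold_period=10.0)
    g.add_member(Member("192.168.1.10", "active", licenses=1))
    g.add_member(Member("192.168.1.59", "standby", licenses=1))
    g.heartbeat("192.168.1.10", now=0.0)
    g.heartbeat("192.168.1.59", now=0.0)

    early = g.adopt("192.168.1.59", "00-11-22-33-44-01", now=5.0)      # active alive -> refused
    active_ok = g.adopt("192.168.1.10", "00-11-22-33-44-01", now=5.0)  # active adopts
    declined = g.adopt("192.168.1.59", "00-11-22-33-44-02", now=6.0, active_declined=True)
    late = g.adopt("192.168.1.59", "00-11-22-33-44-03", now=20.5)      # hold period elapsed
    return {
        "capacity": g.capacity(),
        "standby_before_failure": early,
        "active_adopts": active_ok,
        "standby_when_active_declines": declined,
        "standby_after_hold_period": late,
        "failed_active": g.failed_active(20.5),
        "adopted": g.adopted_count(),
    }
```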
If redundancy is not enabled for a module, it is in the disabled state. Figure 10-2 illustrates the process of establishing a redundancy group between two modules. Figure 10-2. Stages of Establishing a Redundancy Group Creating Matching Configurations for the Redundancy Group To establish a redundancy group, modules must support the same redundancy group settings.
[VLANs] and redundancy group settings) and save the configuration to each module’s startup-config. If you later change the configuration of one module, you must remember to make the same change to the other modules. Redundancy Group Configuration Mode Context Alternatively, you can use the redundancy group configuration mode in the CLI to configure settings that are pushed to all members of the group.
Note At most four managers can access a group’s redundancy group configuration mode context at once. For more information on CLI commands, see Appendix A: “ProCurve Wireless Edge Services zl Module Command Line Reference.” Redundancy Group Behavior When a Member Fails Members of a redundancy group listen for heartbeats from every other member.
Table 10-2. Configuring IP Addresses for a Redundancy Group
Setting | Configuring a Redundancy Group on Primary Module A | Configuring a Redundancy Group on Redundant Module B | Configuring a Redundancy Group on Redundant Module C
Interface IP | 192.168.1.10 (IP address of the default management interface on the primary module) | 192.168.1.59 (IP address of the default management interface on redundant module A) | 192.168.1.
Figure 10-3. Network Setup > Redundancy Group > Configuration Screen 2. Note In the Interface IP field, enter the IP address of the module that you are configuring. The redundancy feature uses this IP address to send heartbeat and update messages to the other modules in the redundancy group. (When you configure the redundancy group on the other modules, you enter this IP address when you add a member.
3. In the Redundancy Group ID field, enter a number for the group. Each redundancy group on your network must have a unique group ID, and you must use the same group ID for each member of the group. You can enter any number from 1 through 65535. 4. Choose the Mode: • Select Active to allow the module to adopt RPs in all circumstances (as long as the group has sufficient licenses).
not hear any heartbeats from the first member, which is waiting for the spanning tree to be established before transmitting messages. The second member assumes that the first member is down and may attempt to adopt RPs when it should not. When you select the Handle STP convergence box, the module waits 50 seconds, which is the standard time period allowed for STP convergence, before attempting to establish the redundancy group. 9.
Figure 10-5. Add Members Screen 3. Enter the IP address of one of the other modules in the redundancy group. This address should match the address that you configure for the Interface IP in the other module’s redundancy group settings. 4. Click the OK button. The module is now listed on the Network Setup > Redundancy Group > Member screen. 5. Repeat this step for each additional module in the redundancy group.
Figure 10-6. Redundancy Group Enabled 3. Click the Apply button to save the configuration to the running-config. 4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. 5. Access the Web browser interfaces for each of the other modules in the redundancy group and configure those modules in the same way.
Viewing Information about the Redundancy Group To view information about the redundancy group, select Network Setup > Redundancy Group and select the State tab. Figure 10-7. Network Setup > Redundancy Group > State Screen After the primary module and the redundant modules establish a redundancy group, each module tracks the following information about the group: ■ Redundancy state is—This field lists the current state of the module.
■ Module Authorization Level—This field displays the number of RPs this module’s licenses allow it to adopt when it functions on its own. The authorization level for a redundant module, however, is taken from the level of the primary module with the most licenses. ■ Protocol Version—When the modules attempt to establish a redundancy group, each module includes its protocol version in the update messages sent during the discovery stage.
Other fields in the Network Setup > Redundancy Group > State screen allow you to monitor activity both on this particular module and throughout the group. For example, you can compare the Unapproved Radio Ports on this module value to the Unapproved Radio Ports in the group value to see whether this module’s RPs seem to detect more rogue APs—a sign of a possible security issue in a particular location of your network.
History At the bottom of the Network Setup > Redundancy Group > Configuration screen, you can also view the history of redundancy events that have occurred on this module. Figure 10-8. Redundancy Group History The module records an event each time its redundancy state changes. For example, when you enable redundancy on the module, its state changes to startup, and the module records this event in the history. (The most recent events are listed first.
Viewing Information about the Other Members of the Redundancy Group In addition to viewing information about the redundancy group, you can view information about the other members of the group. Select Network Setup > Redundancy Group and click the Member tab. Figure 10-9.
• Not Seen—The module can no longer exchange heartbeats with the member. • Established—The module and this member have successfully established a redundancy group.
■ Updates Received—the number of updates that the module has received from this member ■ Radio Portals—the number of radios adopted by this member (some RPs have two radios) ■ Associated Stations—the number of stations associated to RPs adopted by this member ■ Rogue AP—the number of unapproved APs detected by RPs adopted by this member ■ Self Healing Radios—the number of radios adopted by this member that are configured for self healing When you ha
2. Assign RPs to the modules that should adopt them. Record the Ethernet MAC addresses for the RPs in a table such as Table 10-3 on page 10-26. 3. On every module in the redundancy group, configure the redundancy settings and enable redundancy. Verify that all members are connected. 4. On every active module in the redundancy group, set the adoption preference ID that you assigned that module in step 1.
8. Note After you have created a configuration for every RP in your network on every active module, reset the RPs. The correct module should now adopt each RP. If your redundancy group includes multiple standby members, you might want to control which standby members adopt particular RPs if an active member fails. Assign every standby member an adoption preference ID. Then set the IDs just as you would for a group of active members.
Table 10-3.
Configure an Adoption Preference for the Module To set an adoption preference for the module itself, complete these steps: 1. Select Network Setup > Radio and click the Configuration tab. 2. Click the Global Settings button. The Global screen is displayed. (See Figure 10-11.) Figure 10-11. Global Settings Screen 3. In the Module Adoption Preference ID field, enter a number, and then click the OK button. 4.
Figure 10-12. Network Setup > Radio > Configuration Screen 2. Select the radio or radios to which you want to assign the adoption preference ID. Hold down Ctrl while selecting the radios to select multiple radios and assign them the same ID. 3. Click the Edit button. The radios’ Edit screen is displayed. If you have selected multiple radios, the screen has limited configurable options. (See Figure 10-13.) However, you can change the adoption preference ID.
Figure 10-13. Network Setup > Radio > Edit Screen for Multiple Radios 5. Click the OK button. 6. Click the Save link to copy the radio configurations to the startup-config. Configure an Adoption Preference for Newly Adopted Radios To configure an adoption preference ID for all adopted RPs, edit the radio adoption default configuration. Complete these steps: 1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab.
Figure 10-14. Network Setup > Radio Adoption Defaults > Configuration Screen 2. Select a radio type and click the Edit button. The Configuration screen is displayed. (See Figure 10-15.
Figure 10-15. 802.11bg Configuration Screen 3. Under Advanced Properties, in the Adoption Preference ID field, enter a preference ID, and then click the OK button. 4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
Reverting RPs Adopted by a Standby Member to the Active Member When an active member of a redundancy group fails, a standby member of the group adopts the RPs. For continuity of service, the standby member continues to support the RPs even when the active member comes back online. However, eventually you may want to return the RPs to the original module. You can manually revert a standby module, which means that you force it to unadopt all of its RPs.
Figure 10-16. Revert Now Button in the Network Setup > Redundancy Group > Configuration Screen The module immediately unadopts all RPs when you click the button. The RPs are adopted by any active member that can accept them, not necessarily the recovered module. However, either load balancing or adoption preference IDs will probably guide most of the RPs toward the recovered module.
11 RADIUS Server Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Configuring the Internal RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Choosing the Authentication Type for 802.1X/EAP . . . . . . . . . . . . . 11-5 Specifying the RADIUS Server’s Digital Certificate . . . . . . . . . . . . .
Overview A Remote Access Dial In User Service (RADIUS) server provides centralized authentication (and sometimes accounting) for a network. The RADIUS protocol regulates communications between network access servers (NASs) and RADIUS servers. The NASs are devices such as switches and Wireless Edge Services zl Modules, which provide network access to stations. First, however, they can force the stations to authenticate themselves.
RADIUS Authentication The Wireless Edge Services zl Module’s RADIUS authentication server fulfils these roles: ■ decides whether a user can connect to a WLAN that enforces one of these types of security: • 802.
Table 11-1. EAP Methods
EAP Type | Characteristics
EAP-TLS | The wireless station and the module’s RADIUS server exchange digital certificates in a three-step TLS handshake.
EAP-TTLS with MD5 | • The module’s RADIUS server authenticates itself with a digital certificate and creates a secure TLS tunnel with the wireless station. • Inside the secure tunnel, the wireless station submits a username and a hashed (MD5) password.
Depending on your environment, you might also need to complete these tasks: ■ Specify proxy RADIUS servers to which the local RADIUS server forwards queries—This step allows the Wireless Edge Services zl Module to relay authentication requests in certain domains to external servers. ■ Specify RADIUS clients, which query the local RADIUS server—This step allows the module to authenticate users who connect to different NASs—in both the wired and wireless network.
Table 11-2.
Choose the EAP method for 802.1X authentication Figure 11-2. Choosing the EAP Method 2. From the 802.1x EAP/Auth Type drop-down menu, select a method. Select all to allow users to authenticate with any of the supported methods. 3. Next, choose your server’s digital certificates (explained in the section below). Or click the Apply button and, when the screen is displayed asking you to restart the server, click the Yes button.
Specifying the RADIUS Server’s Digital Certificate As an authentication server, the Wireless Edge Services zl Module requires various certificates: ■ a server certificate No matter which EAP type you select, the internal RADIUS server must authenticate itself using a digital certificate. By default, the module identifies itself to users with the server certificate in the default-trustpoint.
3. If you have selected EAP-TLS, choose a trustpoint from the CA Cert Trustpoint drop-down menu. Select the trustpoint in which you loaded the CA certificate for the CA that signs users’ digital certificates. This trustpoint should typically match the one you selected for the Cert Trustpoint. Again, you can select to open the Certificates Wizard. 4. Next choose the source for authentication data (explained in the section below).
Choose the location for user credentials Figure 11-3. Choosing the Source for Credentials 2. In the Auth Data Source field, use the drop-down menu to select the source for policies and credentials, either local or ldap. 3. Click the Apply button and, when the screen is displayed asking you to restart the server, click the Yes button. 4. Click the Save link to copy the configuration to the startup-config.
Depending on your choice, you must complete one of the following tasks: ■ configure the local database (see “Configuring the Local RADIUS Database” on page 11-12) ■ configure LDAP server settings and at least one group in the local database (see “Using LDAP for the Data Source” on page 11-19) Table 11-3 explains the requirements for configuring credentials for each EAP method, depending on whether the Wireless Edge Services zl Module uses its local database or an LDAP
Configuring the Local RADIUS Database You must complete the following tasks to configure the local database: 1. Create groups, which define policies for users. 2. Add user accounts to the group. Creating a Group.
2. Click the Add button. The ADD screen is displayed. Figure 11-5. Adding a RADIUS Server Group 3. In the Name field, enter a meaningful name—for example, “Faculty.” 4. In the VLAN ID field, enter the dynamic VLAN for users in this group. If you enter 0, the Wireless Edge Services zl Module assigns the user to the VLAN configured for the user’s WLAN. You should not use dynamic VLANs with Web-Auth.
5. Specify the times of day when users in this group can connect to the wireless network. a. In the Time of Access Start field, enter the earliest time that users can connect. b. In the Time Access End field, enter the latest time users can connect. Always enter times in four digits, the first two digits being the hour in the 24-hour clock and the second two digits being the minutes.
To modify a group, select it and click the Edit button. In the EDIT screen that is displayed, configure the settings just as you would for a new group. (However, you cannot change the group’s name nor whether it is a normal or guest group.) When you are finished, click the OK button. To delete a group, select it in the Network Setup > Local RADIUS Server > Groups screen and click the Delete button.
Figure 11-6. Creating a User in the Local RADIUS Database 3. In the User ID field, enter the username. The username can be up to 64 characters and can include alphanumeric and special characters. 4. Check the Guest User box if this is a temporary account for a guest. 5. In the Password and Confirm Password fields, specify the user’s password. The password can be up to 21 characters and can include alphanumeric and special characters.
Note By default, this password is displayed in plaintext in the Wireless Edge Services zl Module’s configuration. To learn how to encrypt the password, see “Password Encryption” on page 2-105 of Chapter 2: “Configuring the ProCurve Wireless Edge Services zl Module.” 6. For a guest user, you must specify the period during which the account is active.
The guest account is active only for the period between the two times. To alter the times, follow these steps: a. In the Start Date & Time field, enter the date and time at which this account is enabled.
You must never assign a user to groups with overlapping access days or times: such a configuration prevents you from determining which policy applies to the user during the overlapping times. For example, if one group allows access at all times and another group allows access only during normal work hours, you cannot assign a user to both groups. During the day, the policies would conflict. 9. Click the OK button.
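The four-digit HHMM access times from step 5 and the rule against overlapping group windows are easy to check before a user is assigned, and the check catches the "all times" versus "work hours" conflict the text describes. The following is an added example, not the module's own code; the group names, VLAN IDs, the day-of-week sets and the time windows are constructed, and the days-of-week representation is an assumption of this example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Optional, Tuple

WEEKDAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})
ALL_DAYS = WEEKDAYS | {"Sat", "Sun"}


def parse_hhmm(value: str) -> int:
    """Convert a four-digit 24-hour time such as '0830' to minutes after midnight."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"time must be exactly four digits HHMM, got {value!r}")
    hours, minutes = int(value[:2]), int(value[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"hour must be 00-23 and minutes 00-59, got {value!r}")
    return hours * 60 + minutes


@dataclass(frozen=True)
class Group:
    """One local RADIUS server group: a policy (VLAN + access window) for its users."""
    name: str
    vlan_id: int                 # 0 means "use the WLAN's own VLAN"
    days: FrozenSet[str]         # constructed day-of-week representation
    access_start: str            # Time of Access Start, HHMM
    access_end: str              # Time Access End, HHMM

    def window(self) -> Tuple[int, int]:
        start, end = parse_hhmm(self.access_start), parse_hhmm(self.access_end)
        if end < start:
            raise ValueError(f"{self.name}: end {self.access_end} before start {self.access_start}")
        return start, end

    def allows(self, day: str, hhmm: str) -> bool:
        start, end = self.window()
        return day in self.days and start <= parse_hhmm(hhmm) <= end


def windows_overlap(a: Group, b: Group) -> bool:
    """True if the two groups could both apply to a user at some moment."""
    if not (a.days & b.days):
        return False
    a_start, a_end = a.window()
    b_start, b_end = b.window()
    return a_start <= b_end and b_start <= a_end


def conflicting_assignments(groups: List[Group]) -> List[Tuple[str, str]]:
    """Pairs of groups a single user must not be assigned to together."""
    return [(a.name, b.name) for a, b in combinations(groups, 2) if windows_overlap(a, b)]


def applicable_policy(groups: List[Group], day: str, hhmm: str) -> Optional[Group]:
    """The one group whose window covers the moment, or None; ambiguity is an error."""
    matches = [g for g in groups if g.allows(day, hhmm)]
    if len(matches) > 1:
        raise ValueError("overlapping windows: " + ", ".join(g.name for g in matches))
    return matches[0] if matches else None


# Constructed groups mirroring the text's example.
ALL_HOURS = Group("AllHours", 0, ALL_DAYS, "0000", "2359")
FACULTY = Group("Faculty", 20, WEEKDAYS, "0800", "1800")
EVENING = Group("Evening", 30, WEEKDAYS, "1900", "2359")
WEEKEND = Group("Weekend", 40, frozenset({"Sat", "Sun"}), "0000", "2359")
```

`conflicting_assignments([ALL_HOURS, FACULTY])` reports the pair, while `[FACULTY, EVENING, WEEKEND]` is a valid set of memberships and `applicable_policy` picks exactly one of them for any moment.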
The internal RADIUS server verifies that these conditions are met. To do so, it must bind to the LDAP server and perform searches, looking up the user’s account and group memberships and verifying the user’s password. See “Configuring the Internal RADIUS Server to Bind to an LDAP Server” on page 11-20. To determine whether the user’s group is currently allowed access, the server checks the policy stored for that group on its internal database.
Figure 11-8. Configuring LDAP Settings 4. In the IP Address and Port # fields, specify your LDAP server’s IP address and port. The port number can be from 1 through 65535. The default port for LDAP is 389.
5. Configure the information that the internal RADIUS server submits to bind to the LDAP server: a. In the Bind DN field, enter the distinguished name for an administrator account on the LDAP server. For example, enter: cn=Administrator,cn=Users,dc=mydomain,dc=com The administrator account must be in the domain that you specify in step 5. b. 6. In the Bind Password field, enter the password for the name that you specified above.
8. In the Password Attribute field, specify the attribute that stores a user’s password. When looking up a user’s account, the internal RADIUS server also requests a check on the user’s password (or, depending on the EAP type, a hash of that password). The string that you enter in the Password Attribute field determines the attribute name that the server requests. Match the attribute name used by your LDAP server—commonly “userPassword” or “User-Password.” 9.
10. In the Group Membership Attribute field, specify the attribute that stores a user’s group memberships. The internal RADIUS server requests this attribute in the search for the user accounts. The attribute is commonly named “memberOf” or “radiusGroupName.” 11. In the Group Attribute field, specify the attribute that your LDAP server uses to store the name of a group object. The internal RADIUS server uses this attribute as part of the search with the group filter.
Figure 11-9.
2. Click the Add button. The ADD screen is displayed. Figure 11-10. Adding a RADIUS Server Group 3. In the Name field, enter a name that matches the name of a group on your directory server. This is the group that is allowed wireless access; make sure that all potential wireless users are members. (Or create multiple groups.) The name you assign the group must match exactly the group name as stored on your LDAP server.
You should be careful when using dynamic VLANs with Web-Auth. The user’s station receives an IP address in the static VLAN before the user can log in and receive the dynamic VLAN assignment. So you must set the lease for the DHCP address in the static VLAN very low. Then the station will automatically renew its address soon after it receives the dynamic assignment. Note You must enable dynamic VLANs in the WLAN to which users connect for this setting to take effect.
To specify the proxy RADIUS server, complete these steps: 1. Select Network Setup > Local RADIUS Server > Configuration. Figure 11-11. Network Setup > Radius Server > Configuration Screen 2. In the lower section of the screen, click the Domain Proxy Servers tab. 3. Click the Add button. The ADD screen is displayed.
Figure 11-12. Adding a Domain Proxy Server 4. In the Realm Name field, enter the domain name for users who authenticate to the domain proxy server. When a user submits his or her username, the Wireless Edge Services zl Module’s internal server checks the domain name. If this name matches the name in the Realm Name field, the internal RADIUS server queries the proxy server specified below. For example, you enter “procurve.com” in the Realm Name field.
Figure 11-13. Viewing Domain Proxy Servers 8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Specifying Global RADIUS Settings Global RADIUS settings regulate the Wireless Edge Services zl Module’s RADIUS server’s communications with proxy RADIUS servers. To configure these settings, follow these steps: 1. Select Network Setup > Local RADIUS Server > Configuration. 2.
3. In the Retries field, specify the number of times the module should re-send a proxy request that times out. The default number of retries is 3 (which means that the module will send up to four requests). Valid values are from 3 to 6. 4. Click the OK button to apply the settings, remembering to save your configuration by clicking the Save link.
If the client has more than one IP address, make sure to specify the address that it includes in RADIUS requests. 5. In the Shared Secret field, enter the client’s password. Of course, you must specify this same password when you configure the client device to query this module. 6. Click the OK button. The client is displayed in the Network Setup > Radius Server > Configuration screen under the Clients tab. 7.
RADIUS Server RADIUS Authentication Enabling Authentication to the Internal Server on a WLAN WLANs that use the following authentication methods require authentication to a RADIUS server: ■ 802.1X ■ Web-Auth ■ MAC Authentication In Chapter 4: “Wireless Local Area Networks (WLANs),” you learned how to configure a WLAN to require authentication to an external RADIUS server. This section explains how to configure the Wireless Edge Services zl Module’s internal RADIUS server to take over authentication.
RADIUS Server RADIUS Authentication Figure 11-16.WLAN Edit Screen 11-34 3. If you have configured the RADIUS server to place users in dynamic VLANs, check the Dynamic Assignment box. 4. Configure other WLAN settings as described in Chapter 4: “Wireless Local Area Networks (WLANs).” 5. In the Authentication section, select 802.1X EAP, Web-Auth, or MAC Authentication. 6. Click the RADIUS Config…button at the bottom of the screen. The Radius Configuration screen is displayed.
RADIUS Server RADIUS Authentication Figure 11-17.Configuring a WLAN to Require Authentication to the Internal RADIUS Server 7. Specify 127.0.0.1 in the primary RADIUS server’s RADIUS Server Address field. 8. Do not enter anything in the RADIUS Shared Secret field. By default, the module can communicate with the internal server. If you enter a string in this field, the module’s internal server will no longer work on this WLAN.
RADIUS Server RADIUS Accounting • 9. Configure the loopback interface (127.0.0.1) as a client for the internal RADIUS server. Specify the new secret for the client. See “Adding RADIUS Clients” on page 11-31. If you want the module’s RADIUS server to periodically re-authenticate stations, check the Re-authentication box. Then specify how often (in seconds) stations re-authenticate in the Re-authentication Period field.
RADIUS Server RADIUS Accounting You choose which messages the module sends. A message includes information such as the identity of the user, the duration of the session, and the bandwidth consumed. Table 11-4 shows a complete list of fields in the report. Some fields are present in all messages; others are specific to certain types of messages. Table 11-4.
RADIUS Server RADIUS Accounting Field Meaning Acct-Output-Packets • number of packets sent by the station over the entire duration of the session (stop message) • number of packets sent by the station since the beginning of the session (interim message) Acct-Input-Octets • number of bytes received by the station over the entire duration of the session (stop message) • number of bytes received by the station since the beginning of the session (interim message) Acct-Output-Octets • number of bytes sen
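The distinction Table 11-4 draws between interim and stop messages matters when you process the accounting log: both carry cumulative values for the session, so a later message replaces the earlier value rather than adding to it, and a session with no stop message is either still active or lost its stop record. The following script is an added example, not code from the module or from HP; the module’s accounting.log layout is not documented here, so the sample records are constructed in a generic “Attribute = value” layout with a blank line between messages, and the attribute names are standard RADIUS accounting attributes.

```python
"""Summarize RADIUS accounting messages per session (added example)."""

# Constructed sample: one session that starts, reports an interim update and
# stops, and a second session that has started but never stopped. The layout
# (one attribute per line, blank line between messages) is an assumption.
SAMPLE_LOG = """\
Acct-Status-Type = Start
Acct-Session-Id = "sess-0001"
User-Name = "alice@procurve.com"
Calling-Station-Id = "00-11-22-33-44-55"

Acct-Status-Type = Interim-Update
Acct-Session-Id = "sess-0001"
User-Name = "alice@procurve.com"
Acct-Session-Time = 300
Acct-Input-Octets = 1048576
Acct-Output-Octets = 204800
Acct-Output-Packets = 1500

Acct-Status-Type = Stop
Acct-Session-Id = "sess-0001"
User-Name = "alice@procurve.com"
Acct-Session-Time = 900
Acct-Input-Octets = 3145728
Acct-Output-Octets = 614400
Acct-Output-Packets = 4200

Acct-Status-Type = Start
Acct-Session-Id = "sess-0002"
User-Name = "bob@procurve.com"
Calling-Station-Id = "66-77-88-99-AA-BB"
"""

# Counters that Table 11-4 describes as cumulative: the interim message carries
# the value "since the beginning of the session" and the stop message the value
# "over the entire duration", so the latest message replaces earlier values.
CUMULATIVE = ("Acct-Session-Time", "Acct-Input-Octets",
              "Acct-Output-Octets", "Acct-Output-Packets")


def parse_records(text):
    """Split the log into one dict of attributes per accounting message."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if "=" not in line:
            continue  # ignore anything that is not an attribute line
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def summarize_sessions(records):
    """Fold Start / Interim-Update / Stop messages into one entry per session."""
    sessions = {}
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        if sid is None:
            continue
        s = sessions.setdefault(sid, {
            "user": rec.get("User-Name"), "station": None, "status": "unknown",
            "Acct-Session-Time": 0, "Acct-Input-Octets": 0,
            "Acct-Output-Octets": 0, "Acct-Output-Packets": 0,
        })
        if "Calling-Station-Id" in rec:
            s["station"] = rec["Calling-Station-Id"]
        kind = rec.get("Acct-Status-Type")
        if kind in ("Start", "Interim-Update"):
            s["status"] = "open"
        elif kind == "Stop":
            s["status"] = "closed"
        for attr in CUMULATIVE:
            if attr in rec:
                s[attr] = int(rec[attr])  # latest cumulative value wins
    return sessions


def open_sessions(sessions):
    """Sessions with no Stop message: still active, or the stop record was lost."""
    return sorted(sid for sid, s in sessions.items() if s["status"] != "closed")


if __name__ == "__main__":
    summary = summarize_sessions(parse_records(SAMPLE_LOG))
    for sid, s in summary.items():
        total = s["Acct-Input-Octets"] + s["Acct-Output-Octets"]
        print(sid, s["user"], s["status"], s["Acct-Session-Time"], "s", total, "bytes")
    print("open:", open_sessions(summary))
```

Run against a real accounting.log, the open_sessions list is the one to watch: a station that keeps an “open” session long after it left the network usually means the stop message never reached the server.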
Figure 11-18. Enabling RADIUS Accounting for a WLAN

3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Radius.
4. Click the Radius Config button. The Radius Configuration screen is displayed.

Figure 11-19. Specifying the Accounting Server in the Radius Configuration Screen

To enforce RADIUS accounting, the WLAN must use 802.1X authentication, Web-Auth, or MAC authentication for the Authentication mode.

5. Configure settings for the primary accounting server in the Primary column of the Accounting section.
   a. Specify the server’s IP address in the Accounting Server Address field.
   b. Leave the default port: 1813.
   c. You should not specify a key when you use the module’s internal server. If you have already specified a key, erase the Accounting Shared Secret field.
6. Optionally, configure settings for a secondary server by completing the fields in the Secondary column of the Accounting section.
7. From the Accounting Mode drop-down menu, choose when the Wireless Edge Services zl Module forwards a message to its internal server:
8.

Figure 11-20. Network Setup > Local RADIUS Server > Accounting Logs Screen

The panel at the left of the screen shows the directories in the main RADIUS accounting directory (flash:/log/radius). By default, RADIUS reports are logged to the radacct directory, which you can see in Figure 11-20. Double-click the directory name to view the log files within the directory.

Figure 11-21. Viewing RADIUS Accounting Log Files Within a Directory

The screen displays the following information for each log file:
■ Filename—accounting.log, for the default file
■ Type—Log, for logged reports
■ Size—the size of the file in bytes

A log file might include multiple RADIUS accounting messages. As the Wireless Edge Services zl Module’s internal RADIUS server receives the messages, it adds them to the log file.

Note
The module only creates accounting logs for its own activities as RADIUS server if you specifically enable RADIUS accounting to the internal server on a WLAN. See “Enabling Accounting to the Internal RADIUS Server on a WLAN” on page 11-38.
12 Wireless Network Management

Contents
Overview . . . 12-3
Monitoring the Wireless Network . . . 12-4
Wireless Stations . . . 12-4
Viewing Wireless Stations . . . 12-4
Disconnecting a Wireless Station . . .
Configuring Station Intrusion Detection . . . 12-58
Configuring Thresholds for Station Intrusion Detection . . . 12-59
Configuring the Module to Report Station Intrusion . . . 12-60
Viewing Blocked Stations . . . 12-62
Logging and Alarms . . .
Wireless Network Management
Overview

In this chapter you will learn how to monitor and manage your wireless network.

Monitoring the Wireless Network

■ average statistics for all traffic to and from all RPs adopted by a module

When troubleshooting, you can compare the various wireless statistics to determine, for example, whether congestion seems to be a problem throughout a WLAN or is centered on a particular RP or group of RPs.

Wireless Stations

The Wireless Edge Services zl Module stores information about the associations that adopted RPs have established with wireless stations.

The screen displays this information for each station associated with one of the WLANs on this module:
■ Station Index—Stations are listed in the order in which they associated.
■ MAC Address—Each station’s Media Access Control (MAC) address is listed.
■ IP Address—A station must receive an IP address to receive complete network connectivity.

entered correctly and that the station’s VLAN assignment is correct. The administrator can also troubleshoot the network’s Dynamic Host Configuration Protocol (DHCP) setup.

You can also save information about one or more wireless stations to a comma-separated file on your workstation. Select the stations, and then click the Export button. (Use the Ctrl or Shift keys to select more than one station.)

As the figure shows, the station’s MAC address is already listed in the Starting MAC and Ending MAC fields, allowing you to quickly create a MAC filter to prevent the station from re-accessing the wireless network. You should also take steps to prevent the user from using another station (with a different MAC address) to access the wireless network.

Figure 12-4.

In addition to the information that is listed on the Device Information > Wireless Stations screen (such as MAC address, IP address, Power Save, WLAN, and VLAN), you can view:
■ Authentication—This field displays the authentication method used: 802.1X Extensible Authentication Protocol (EAP), Web authentication (Web-Auth), MAC authentication, or none.
■ Roam Count (No de-authentication)—The module tracks the number of times that the station has de-authenticated, which indicates the number of times that the station has roamed away from the module (not between RPs on the same module).
■ IDM Attributes—If you are using ProCurve Identity Driven Manager (IDM), this section lists the IDM settings received for the user accessing the network through this station.

Figure 12-5.

Wireless Statistics for Stations

Like the Device Information > Wireless Stations screen, the Device Information > Wireless Statistics screen lists every station associated with RPs adopted by the Wireless Edge Services zl Module. However, this screen focuses on activity on the connection.

Figure 12-6.

A high number of retries can indicate interference or excessive congestion. Wireless phones, which send traffic to a multicast address, may have a high percentage of non-unicast traffic. For traditional stations, a high percentage of non-unicast traffic can be normal for brief periods—for example, when the station first associates and requests a DHCP address.

The Station Properties section displays the same information that is listed on the Device Information > Wireless Stations screen, including the station’s MAC and IP address. However, you can also see whether the station supports QoS capabilities such as Voice and WMM. You can use the Traffic section to monitor the quality and performance of the connection.

1. Select Device Information > Wireless Statistics.
2. Select the station (identified by MAC address) from the list.

Figure 12-8. Graph Button in the Device Information > Wireless Statistics Screen

3. Click the Graph button. The Station Statistics screen is displayed.

Figure 12-9. Station Statistics Graph

The Station Statistics screen displays the station’s MAC address and IP address in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per second.)

■ Throughput (Mbps)—the actual throughput for data transmitted and received by this station
  • TX Tput (Mbps)—actual throughput for data transmitted by this station
  • RX Tput (Mbps)—actual throughput for data received by this station
■ Avg Bits per sec—average bit speed for all traffic sent and received by this station
■ NUcast Pkts—percentage of multicast and broadcast packets (as compared to total packets)
■ Avg Retries—average number of

Figure 12-10. Comparing Station Statistics

The x-axis of the graph displays the time; in Figure 12-10 the time is labelled in 10 second intervals. The y-axis adds a label that matches the box that you chose. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time.

Radio Statistics

The Wireless Edge Services zl Module stores information about the wireless network activity on each RP radio. To view these statistics, select Network Setup > Radio and click the Statistics tab.

Figure 12-11. Network Setup > Radio > Statistics Screen

Every radio adopted by the module is listed, identified by:
■ Index
■ Description
■ Type (802.11a or 802.

These statistics are similar to those described for individual stations in “Wireless Statistics for Stations” on page 12-12. The RF Util percentage compares the radio’s actual utilization to its potential utilization by dividing the throughput by the average Mbps. Again, you can select either Last 30s or Last Hr to view either the most current statistics or statistics over a more extended period.

The Information section describes this radio and shows the number of stations currently associated to it. You should check the Current Channel listing; if the radio is configured with a manual channel but currently uses a different channel, the channel number is listed in red. On the Details screen, statistics for wireless traffic are broken down into received and transmitted traffic.
Figure 12-13. Graph Button in the Device Information > Wireless Statistics Screen

4. Click the Graph button. The RP Statistics screen is displayed.

Figure 12-14. RP Statistics Graph

The RP Statistics screen displays the radio’s name and MAC address in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per second.) You can choose any of the statistics displayed in the Details screen for radio statistics. The statistics apply to all stations associated to the radio.

  • TX Tput (Mbps)—throughput for data transmitted by this radio
  • RX Tput (Mbps)—throughput for data received by this radio
■ Avg Bits per sec—average bit speed for traffic when the radio actually transmits or receives it
■ NUcast Pkts—percentage of multicast and broadcast packets sent and received by the radio (as compared to total packets)
■ Avg Retries—average number of times that all stations must retransmit a packet, whether due to a

Figure 12-15. Comparing RP Statistics

The x-axis of the graph displays the time; in Figure 12-15 it is marked at 5 second intervals. The y-axis adds a label that matches your choice. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time. You can select more than one box and compare statistics against each other.

WLAN Statistics

To monitor wireless activity on a WLAN-wide scale, select Network Setup > WLAN Setup and click the Statistics tab.

Figure 12-16. Network Setup > WLAN Setup > Statistics Screen

This screen lists every WLAN that is enabled on the module. WLANs are identified by:
■ Index (the WLAN’s number)
■ SSID
■ Description
■ VLAN

The Stations column shows the number of stations currently connected to that WLAN. The remaining columns display statistics similar to those described in “Wireless Statistics for Stations” on page 12-12; however, these statistics are averages for all stations in the WLAN:
■ Throughput Mbps—the total throughput for all data transmitted in the WLAN in Mbps
■ Bit Speed (Avg.

Select a WLAN and click this button to view:
■ the percentage of packets in this WLAN transmitted at each data rate
■ the percentage of packets in this WLAN that required a certain number of retries (for 0 to 15)

Figure 12-18. Module Statistics Screen

Click the Refresh button to update the statistics. When you have finished viewing the screen, click the Close button.

Figure 12-19. WLAN Statistics Details

The Information section shows settings for this WLAN, including:
■ SSID
■ VLAN
■ security settings
  • authentication type
  • encryption type

The Information section also displays the number of stations associated to the WLAN and the number of radios mapped to the WLAN. (If the Wireless Edge Services zl Module is using normal mode configuration, all adopted radios are mapped to the WLAN.

terms of packets per second, total throughput in Mbps, and average speed in Mbps. The Web browser interface further breaks down statistics into received and transmitted traffic. The RF Status section displays statistics dealing with the status of the radio medium.

Figure 12-20. Graph Button in the Device Information > Wireless Statistics Screen

3. Select the WLAN.
4. Click the Graph button. The WLAN Statistics screen is displayed.

Figure 12-21. WLAN Statistics Graph

The WLAN Statistics screen displays the WLAN’s SSID and static VLAN ID in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per second.) You can choose any of the statistics displayed in the Details screen for WLAN statistics. (Refer to “Viewing Detailed WLAN Statistics” on page 12-28 for more information on a statistic.)

  • TX Tput (Mbps)—throughput for data transmitted in this WLAN
  • RX Tput (Mbps)—throughput for data received in this WLAN
■ Avg Bits per sec—average bit speed for all traffic transmitted and received in the WLAN
■ NUcast Pkts—percentage of multicast and broadcast packets sent and received in the WLAN (as compared to total packets)
■ Avg Retries—average number of times that all stations and radios in the WLAN must retransmit a packet, wheth

Figure 12-22. Comparing WLAN Statistics

The x-axis of the graph displays the time; in Figure 12-22 it is marked at 5 second intervals. The y-axis adds a label that matches your choice. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time. You can select up to four boxes at once and compare statistics against each other.

Figure 12-23. Network Setup > Module Statistics Screen

The top of the screen displays:
■ the number of stations currently associated with RPs on this module
■ the number of RPs adopted by this module
■ the number of RP radios adopted by this module

The Traffic section contains statistics similar to those discussed in “Wireless Statistics for Stations” on page 12-12:
■ Pkts per second
■ Throughput in Mbps
■ Avg.

You can use the RF Status section to monitor the quality of radio media on a network-wide level, and you can use the Errors section to look for problems with congestion or interference. You can then examine these statistics for radios or for WLANs to pinpoint the source of a problem.

Figure 12-24. Device Information > Radio Adoption Statistics > Adopted RP Screen

Select the Adopted RP tab to view the RPs that the module has actually adopted, and the Unadopted RP tab to view other detected RPs. The number of RPs adopted by this module is listed at the bottom of the Device Information > Radio Adoption Statistics > Adopted RP screen.

■ Radio Indices—The RP includes one or two radios. These radios are listed on the Network Setup > Radio > Configuration screen according to the indices displayed in this column. You can configure settings for these radios on that screen. (See Chapter 3: “Radio Port Configuration.”)

If you have configured manual radio adoption, the module may detect RPs that it is not authorized to adopt.
AP Detection

People may introduce unauthorized APs into your network for several reasons. Sometimes attackers set up rogue APs in your environment, hoping to lure wireless users to authenticate to them instead of to your network’s RPs. In this way, attackers can collect sensitive information, including passwords with which they can then access your private network and view, steal, or damage data.

Figure 12-26. Configuring and Managing AP Detection

Configuring AP Detection

By default, AP detection is disabled. To configure AP detection, you must complete two main steps: you must enable AP detection, and you must configure at least one radio to scan for APs.

Table 12-1. Comparing Single-Channel Detectors and Dedicated Detectors

Single-Channel Detector: Radio passively listens for beacons
Dedicated Detector: Radio actively sends probe requests

Single-Channel Detector: Radio listens on its own channel only
Dedicated Detector: Radio sends probes on all channels in its frequency that are allowed by its country’s regulations

Single-Channel Detector: Radio supports wireless stations
Dedicated Detector: Radio does not support wireless stations

Figure 12-27.

You can configure a radio as a single-channel detector or a dedicated detector in one of two ways:
■ as part of an override configuration for a particular radio

For example, your organization might install an RP that is entirely dedicated to searching out rogue APs. Another reason to dedicate a radio as a detector is so it can monitor all nearby RPs in your wireless network and take action if an RP experiences problems.

Figure 12-28. Enabling AP Detection and Configuring Settings

   b. Check the Enable box.
   c. Customize the timeout setting for approved and unapproved APs. (For more information about approved and unapproved APs, see “Creating Lists of Detected APs” on page 12-46.)
      – Approved AP timeout—specifies how long the module retains information about APs that you have defined as allowed.

Figure 12-29. Dedicating a Radio as a Detector

   d. On the radio’s Configuration screen, check the option that you want for AP detection:
      – Dedicate this Radio as a Detector
      – Single-channel scan for Unapproved APs
   e. Click the OK button.

Figure 12-30. Viewing the Radio State

The radio state should now be listed as Detector on the Network Setup > Radio > Configuration screen, as shown in Figure 12-30.

Note
The Wireless Edge Services zl Module stores the configuration for a particular radio with its MAC address so that this configuration persists even if the radio powers down. For more information on radio configurations, see Chapter 3: “Radio Port Configuration.”

3.

Figure 12-31. Network Setup > Radio Adoption Default > Configuration Screen

4.
   b. Select the radio type (802.11a, 802.11b, or 802.11bg).
   c. Click the Edit button.
   d. On the radio type’s Configuration screen, check the option that you want for AP detection:
      – Dedicate this Radio as a Detector
      – Single-channel scan for Unapproved APs
   e. Click the OK button.

Click the Save link at the top of the screen to save your changes to the startup-config.

You should configure the module to allow APs that meet certain criteria—for example, those that are part of your wireless network. The module then moves these APs to an approved APs list so that they do not clutter the unapproved list and make it difficult for you to identify actual threats to network security.

Figure 12-32. Viewing Allowed APs

2. Click the Add button.
3. In the Index field, enter a value from 1 through 200. Each rule must have a unique index. By default, the field displays the next available index number.
4. Create one of the three types of rules:
   a. Allow an AP with a particular MAC address no matter what WLAN it supports, as shown in Figure 12-33:
      i. Select the second field under Radio MAC Address and then enter the address.
      ii.

Figure 12-33. Allowing a Particular AP Based on MAC Address

   b. Allow any AP that is a member of a particular WLAN, as shown in Figure 12-34:
      i. Select the second field under SSID and then enter the WLAN’s SSID.
      ii. Leave the Radio MAC Address selection at Any MAC Address.

Figure 12-34. Allowing Any AP in a Particular WLAN

   c. Allow a particular AP only if it is a member of the correct WLAN, as shown in Figure 12-35:
      i. Select the Radio MAC Address field and then enter the address.
      ii. Select the SSID field and then enter the WLAN’s SSID.

Figure 12-35. Allowing a Particular AP in a Particular WLAN

5. Click the OK button. The AP is now listed in the Allowed APs section of the Special Features > Access Point Detection > Configuration screen.

Monitoring Detected APs

You should periodically check the unapproved APs list for rogue APs. You may also want to configure the Wireless Edge Services zl Module to automatically generate and send an alarm whenever a radio detects an unapproved AP.
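The three rule types (MAC only, SSID only, MAC and SSID together) are easy to misjudge when you have many of them, so it helps to see how a detected AP is sorted by them. The script below is an added example, not code from the module or from HP: it evaluates a list of detected APs against allow rules of the three types, applies the approved and unapproved AP timeouts, validates that indexes are unique and within 1 through 200, and separately flags the case that the unapproved list description singles out, an unknown BSSID advertising one of your own SSIDs. The rules, SSIDs, BSSIDs and timestamps are constructed sample data, and treating a rule with neither MAC nor SSID as a problem is this example’s own check.

```python
"""Sort detected APs by the three allow-rule types (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AllowRule:
    """mac=None stands for 'Any MAC Address', ssid=None for 'Any SSID'."""
    index: int
    mac: Optional[str] = None
    ssid: Optional[str] = None


@dataclass(frozen=True)
class DetectedAP:
    bssid: str
    ssid: str
    last_seen: int  # seconds on a constructed clock


def _norm(mac: str) -> str:
    return mac.upper().replace("-", ":")


def rule_matches(rule: AllowRule, ap: DetectedAP) -> bool:
    """Type a: MAC only; type b: SSID only; type c: both must match."""
    if rule.mac is not None and _norm(rule.mac) != _norm(ap.bssid):
        return False
    if rule.ssid is not None and rule.ssid != ap.ssid:
        return False
    return True


def validate_rules(rules: List[AllowRule]) -> List[str]:
    """Index must be 1-200 and unique; a rule with neither MAC nor SSID allows every AP."""
    problems, seen = [], set()
    for r in rules:
        if not 1 <= r.index <= 200:
            problems.append(f"rule {r.index}: index outside 1-200")
        if r.index in seen:
            problems.append(f"rule {r.index}: duplicate index")
        seen.add(r.index)
        if r.mac is None and r.ssid is None:
            problems.append(f"rule {r.index}: matches every AP")
    return problems


def classify(aps, rules, own_ssids, now, approved_timeout, unapproved_timeout):
    """Return approved and unapproved BSSIDs, plus unapproved APs that use one of OUR SSIDs."""
    result = {"approved": [], "unapproved": [], "own_ssid_unknown_mac": []}
    for ap in aps:
        matched = any(rule_matches(r, ap) for r in rules)
        timeout = approved_timeout if matched else unapproved_timeout
        if now - ap.last_seen > timeout:
            continue  # entry aged out, as the corresponding timeout setting would discard it
        if matched:
            result["approved"].append(ap.bssid)
            continue
        result["unapproved"].append(ap.bssid)
        if ap.ssid in own_ssids:
            result["own_ssid_unknown_mac"].append(ap.bssid)
    return result


# Constructed sample data (not from the page)
RULES = [
    AllowRule(1, mac="00:11:22:33:44:55"),                      # type a
    AllowRule(2, ssid="guest-wlan"),                             # type b
    AllowRule(3, mac="AA:BB:CC:DD:EE:01", ssid="corp-wlan"),     # type c
]
OWN_SSIDS = {"corp-wlan", "guest-wlan"}
DETECTED = [
    DetectedAP("00-11-22-33-44-55", "corp-wlan", last_seen=990),
    DetectedAP("AA:BB:CC:DD:EE:01", "corp-wlan", last_seen=995),
    DetectedAP("AA:BB:CC:DD:EE:01", "other-net", last_seen=995),  # wrong SSID for rule 3
    DetectedAP("12:34:56:78:9A:BC", "guest-wlan", last_seen=998),
    DetectedAP("DE:AD:BE:EF:00:01", "corp-wlan", last_seen=999),  # our SSID, unknown BSSID
    DetectedAP("DE:AD:BE:EF:00:02", "corp-wlan", last_seen=100),  # stale, aged out
]

if __name__ == "__main__":
    print("rule problems:", validate_rules(RULES))
    print(classify(DETECTED, RULES, OWN_SSIDS, now=1000,
                   approved_timeout=600, unapproved_timeout=300))
```

The own_ssid_unknown_mac list is the one worth alarming on first; everything else in the unapproved list is usually a neighbour and, once verified, a candidate for the allow procedure described next.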
Figure 12-36. Viewing the Unapproved APs List

Note
You can also view this list by selecting Device Information > Access Point Detection and clicking the Unapproved APs tab. However, you can only view information about APs on the other screen; you cannot allow the APs as described below.

As shown in Figure 12-36, the list includes the following information for each AP:
■ BSS MAC Address—This address is the AP’s BSSID.
■ SSID—If a radio has an unapproved MAC address but one of your WLAN’s SSIDs, this may signal a hacker phishing for passwords and other sensitive data.

If this list becomes too long and unmanageable, you should take one or more of these steps:
■ Lower the timeout value for unapproved APs. (See “Configuring AP Detection” on page 12-40.)
■ Move legitimate APs to the approved APs list.

Allowing an Unapproved AP

3. Click the OK button.

In a way, allowing an AP is like acknowledging an alarm. You are letting other administrators know that you have checked the potential threat. This feature is particularly useful for allowing APs that do not belong to your network—so you cannot create a rule to allow them in advance—but that you have verified as legitimate APs in a nearby organization.

Configuring the Module to Report Unapproved APs

You can configure the Wireless Edge Services zl Module to trigger a Simple Network Management Protocol (SNMP) trap whenever a radio detects an unapproved AP. Complete these steps:

1. Select Management > SNMP Trap Configuration > Configuration.

Figure 12-39. Management > SNMP Trap Configuration > Configuration Screen

2. Expand the Wireless heading and then the RP Detection heading.
3.

Figure 12-40. Enabling an SNMP Trap for AP Detection

5. Click the Apply button.

If an RP detects an external AP, a log is displayed on the Device Information > Alarm Log screen, as shown in Figure 12-41.

Figure 12-41. Receiving an Alarm about an External AP

The module will log the alarm, as well as forward it to a trap receiver (if one has been specified). (For instructions on configuring the trap receiver, see “SNMP Traps” on page 2-112 of Chapter 2: “Configuring the ProCurve Wireless Edge Services zl Module.”)

Configuring Station Intrusion Detection

AP detection protects your network against unauthorized APs. The Wireless Edge Services zl Module can also guard against hackers who use stations to launch attacks.

Configuring Thresholds for Station Intrusion Detection

To configure station intrusion detection, complete these steps:

1. Select Special Features > Station Intrusion Detection > Configuration.

Figure 12-42. Configuring Station Intrusion Detection

2. In the Detection Window field, enter a value from 5 through 300 seconds. This setting determines the length of time to which each threshold applies.

4. Set the Radio threshold value for each violation type. If met, the violation will be logged. Enter a number from 0 through 65,535. Note: Setting a violation parameter to 0 will disable the option.
5. Similarly, set the Wireless Module threshold value for each violation type. If met, the violation will be logged. Enter a number from 0 through 65,535. Note: Setting a violation parameter to 0 will disable the option.
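The interaction between the Detection Window and the two thresholds (per radio and module-wide) decides when a station is blocked: a per-radio threshold catches a station hammering one RP, while the module-wide threshold catches the same station spreading its violations across several radios. The following class is an added example of that sliding-window logic, not code from the module or from HP. It enforces the ranges the steps above give (window 5 through 300 seconds, thresholds 0 through 65,535, 0 disabling the check), treats a threshold as met when the count within the window reaches it, and logs and blocks the station. The page does not list the violation types, so the type names used here are constructed placeholders.

```python
"""Sliding-window threshold logic for station intrusion detection (added example)."""
from collections import defaultdict, deque

# The page does not name the violation types; these are constructed placeholders.
VIOLATION_TYPES = ("violation-a", "violation-b")


class StationIntrusionDetector:
    """Counts violations per station over a detection window and blocks on threshold.

    window_seconds: 5-300, the period each threshold applies to.
    radio_thresholds / module_thresholds: {violation type: count}, each 0-65535,
    where 0 disables the check for that type.
    """

    def __init__(self, window_seconds, radio_thresholds, module_thresholds):
        if not 5 <= window_seconds <= 300:
            raise ValueError("detection window must be 5-300 seconds")
        for t in (*radio_thresholds.values(), *module_thresholds.values()):
            if not 0 <= t <= 65535:
                raise ValueError("thresholds must be 0-65535")
        self.window = window_seconds
        self.radio_thresholds = radio_thresholds
        self.module_thresholds = module_thresholds
        self._radio_events = defaultdict(deque)   # (station, radio, type) -> timestamps
        self._module_events = defaultdict(deque)  # (station, type) -> timestamps
        self.blocked = set()
        self.log = []

    def _count_in_window(self, queue, ts):
        """Add this event and drop events older than the detection window."""
        queue.append(ts)
        while queue and queue[0] <= ts - self.window:
            queue.popleft()
        return len(queue)

    def record(self, ts, station, radio, vtype):
        """Register one violation; return True if this event caused a block."""
        newly_blocked = False
        radio_count = self._count_in_window(self._radio_events[(station, radio, vtype)], ts)
        module_count = self._count_in_window(self._module_events[(station, vtype)], ts)
        for scope, count, threshold in (
            ("radio", radio_count, self.radio_thresholds.get(vtype, 0)),
            ("module", module_count, self.module_thresholds.get(vtype, 0)),
        ):
            if threshold == 0 or count < threshold:
                continue  # 0 disables the check; otherwise the threshold is not yet met
            self.log.append({"ts": ts, "station": station, "radio": radio,
                             "type": vtype, "scope": scope, "count": count})
            if station not in self.blocked:
                self.blocked.add(station)
                newly_blocked = True
        return newly_blocked

    def is_blocked(self, station):
        return station in self.blocked


if __name__ == "__main__":
    det = StationIntrusionDetector(10, {"violation-a": 3, "violation-b": 0},
                                   {"violation-a": 5, "violation-b": 0})
    for ts in (0, 4, 20, 21, 25):   # constructed burst from one station on one radio
        print(ts, det.record(ts, "sta1", "radio1", "violation-a"))
    print(det.log)
```

Two things the example makes visible: events older than the window stop counting (the burst at 0 and 4 seconds is forgotten by 20), and a station that stays just under the per-radio threshold on each of five radios is still caught by the module-wide threshold.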
Figure 12-43. Enabling Intrusion Detection Traps

3. Select Intrusion Detection and click the Enable all sub-items button. (Alternatively, select one of the sub-items and click the Enable button.)
4. Make sure that the Allow Traps to be generated box is checked.
5. Click the Apply button.

The module will log the alarm, as well as forward it to a trap receiver (if one has been specified).

Viewing Blocked Stations

If a station exceeds the thresholds that you set, the Wireless Edge Services zl Module blocks the station. You can view any stations that have been blocked by selecting Special Features > Station Intrusion Detection and clicking the Filtered Stations tab.

Figure 12-44.

Logging and Alarms

■ an external server

Events are ranked according to severity, as shown in Table 12-2. The lower the number, the greater the risk to network functionality.

Table 12-2. Event Severity
Level  Severity
0      Emergency
1      Alert
2      Critical
3      Error
4      Warning
5      Notice
6      Info
7      Debugs

The Wireless Edge Services zl Module can also log alarms, which it receives when an SNMP trap is triggered.

Configuring Logging

To configure logging, select Management > System Logging > Log Options.

Enabling Logging

As shown in Figure 12-45, logging is enabled by default, and the Wireless Edge Services zl Module logs events to:
■ Its buffer—The module saves events that have collected in the buffer to its local log as they occur. Viewing this log is described in “Viewing Events in the Local Log File” on page 12-66.

Figure 12-45. Configuring Logging

The Logging aggregation time sets the time between the receipt of identical messages and a new message. Any message is immediately printed, unless it is identical to the previous one. If it is identical, then a counter is incremented instead. If a different message arrives, then the accumulated count is printed (%MGMT-4V12AUTHERROR: Last message repeated x times), followed by the new message.
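The aggregation rule just described and the severity levels of Table 12-2 together decide what reaches the local log and what is forwarded to a syslog server. The class below is an added example that models both, not code from the module or from HP: identical consecutive messages are counted and emitted as a single “Last message repeated x times” line when a different message arrives, and only messages at or above the selected severity (by default level 6, Info, so level 7 Debugs is not forwarded) go to the forwarded list. Reading the aggregation time as the maximum gap between two identical messages for them to be counted together is this example’s assumption; the sample events, mnemonics and timestamps are constructed.

```python
"""Log aggregation and severity-based forwarding (added example)."""

# Table 12-2 severities: the lower the number, the greater the severity.
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Info", 7: "Debugs"}


class LogAggregator:
    """Counts repeats of the previous message and forwards by severity level.

    aggregation_time: seconds within which a repeat of the previous message is
    counted instead of printed (this reading of the setting is an assumption).
    forward_level: messages whose level is <= forward_level (default 6, Info)
    are also placed on the forwarded list; Debugs (7) is not, by default.
    """

    def __init__(self, aggregation_time, forward_level=6):
        self.aggregation_time = aggregation_time
        self.forward_level = forward_level
        self.buffer = []      # what the local log would contain
        self.forwarded = []   # what an external syslog server would receive
        self._last = None     # (severity, mnemonic, text) of the last printed message
        self._last_ts = None
        self._repeats = 0

    def _emit(self, ts, severity, mnemonic, text):
        entry = (ts, severity, mnemonic, text)
        self.buffer.append(entry)
        if severity <= self.forward_level:
            self.forwarded.append(entry)

    def _flush_repeats(self, ts):
        """Print the accumulated count before a different message is printed."""
        if self._repeats:
            sev, mnemonic, _ = self._last
            self._emit(ts, sev, mnemonic, f"Last message repeated {self._repeats} times")
            self._repeats = 0

    def submit(self, ts, severity, mnemonic, text):
        """Feed one event; return True if it was printed, False if only counted."""
        key = (severity, mnemonic, text)
        if (self._last == key and self._last_ts is not None
                and ts - self._last_ts <= self.aggregation_time):
            self._repeats += 1
            self._last_ts = ts
            return False
        self._flush_repeats(ts)
        self._emit(ts, severity, mnemonic, text)
        self._last, self._last_ts = key, ts
        return True

    def format_line(self, entry):
        ts, severity, mnemonic, text = entry
        return f"{ts} {SEVERITY_NAMES[severity]} {mnemonic}: {text}"


def filter_by_level(entries, level):
    """Entries at least as severe as `level`, the rule used when forwarding to syslog."""
    return [e for e in entries if e[1] <= level]


if __name__ == "__main__":
    agg = LogAggregator(aggregation_time=30, forward_level=6)
    # Constructed event stream: one warning repeated twice, then a debug event.
    agg.submit(0, 4, "AUTHERROR", "authentication failed for user alice")
    agg.submit(5, 4, "AUTHERROR", "authentication failed for user alice")
    agg.submit(10, 4, "AUTHERROR", "authentication failed for user alice")
    agg.submit(12, 7, "RADIOSCAN", "radio 1 scan complete")
    for entry in agg.buffer:
        print(agg.format_line(entry))
    print("forwarded:", len(agg.forwarded), "of", len(agg.buffer))
```

When you read the local log with aggregation in effect, remember that a “Last message repeated x times” line carries the severity of the message it summarizes, and that the count is only printed once a different message arrives, so a long run of identical failures can look quiet until something else is logged.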
Wireless Network Management Logging and Alarms Figure 12-46.Forwarding Logs to an External Syslog Server 2. Check the Enable logging to Syslog Server box. 3. From the corresponding drop-down menu, select the lowest severity for logs that the module will forward. The default level is level 6, Info. 4. In the Server Facility field, use the drop-down menu to select the facility that your syslog server uses to receive such logs. Local7 is typically reserved for network devices. 5.
The top section of the screen displays the log files that the module has stored. Each file is identified by its name, its size in bytes, the time at which it was created, and the time at which it was last modified (that is, when a new event was added to it). The local log file stores the events that the Wireless Edge Services zl Module logs to its buffer. You can view the types of events in a file by selecting the file.

Figure 12-48. Viewing Logged Events

The most recent events are listed at the top of the screen. The color code helps you quickly identify the most important events (those with the lowest level number, that is, the greatest severity). For each event, the log reports:
■ Time stamp—Check the time stamp to make sure that you are not examining obsolete logs. (Quickly checking the time stamp when you preview the log file can also save you time.)
■ Mnemonic—An abbreviated identification of the type of event.
■ Description—The description gives you the most information about the event.
You can click any column heading to sort events according to the information in that column. The bottom of the screen shows which line in the log file you are currently examining.
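The fields just listed, together with the aggregation described under Configuring Logging, are what a script sees when it works on a transferred log file or on syslog lines forwarded by the module. The following Python is an added example written for this page, not HP code: it parses each line into time stamp, mnemonic, severity and description, folds "Last message repeated x times" lines back into a repeat count on the preceding event, and filters by the Table 12-2 severity numbers. The line layout and the %FACILITY-<severity>-NAME mnemonic shape are assumptions to adjust to your own export, and the sample lines are constructed.

```python
"""Parse and triage event lines of the kind the module's local log and
syslog forwarding carry: a time stamp, a mnemonic whose number is the
Table 12-2 severity (0 = Emergency ... 7 = Debugs), and a description.

Added example for this page, not HP code. The line layout
'<date> <time> <mnemonic>: <description>' and the mnemonic shape
'%FACILITY-<severity>-NAME' are assumptions; adjust LINE_RE to the exact
layout of your exported log file. The sample lines are constructed."""
import re
from dataclasses import dataclass

SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Info", 7: "Debugs"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+"                                  # date and time
    r"(?P<mnemonic>%[A-Z0-9]+-(?P<sev>[0-7])-[A-Z0-9_]+):\s*"
    r"(?P<desc>.*)$")
REPEAT_RE = re.compile(r"Last message repeated (?P<n>\d+) times")


@dataclass
class Event:
    ts: str
    mnemonic: str
    severity: int
    desc: str
    count: int = 1          # occurrences, after folding repeat lines


def parse_log(text):
    """Return events in file order. A 'Last message repeated x times' line is
    folded into the count of the preceding event with the same mnemonic, which
    is how the aggregation setting collapses identical messages."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                     # blank or foreign line
        rep = REPEAT_RE.search(m["desc"])
        if rep and events and events[-1].mnemonic == m["mnemonic"]:
            events[-1].count += int(rep["n"])
            continue
        events.append(Event(m["ts"], m["mnemonic"], int(m["sev"]), m["desc"]))
    return events


def at_or_above(events, level):
    """Events with severity number <= level (a lower number is more severe),
    which is what the 'lowest severity to forward' drop-down selects."""
    return [e for e in events if e.severity <= level]


def repeated_warnings(events, min_count):
    """Events that occurred at least min_count times at Warning or worse:
    a folded line such as 13 authentication failures in one minute is easy
    to overlook when it is rendered as a single row."""
    return [e for e in at_or_above(events, 4) if e.count >= min_count]


# Constructed sample, not a real capture from a module.
SAMPLE_LOG = """\
2010-03-01 10:15:02 %MGMT-6-LOGIN: admin logged in from 10.0.0.5
2010-03-01 10:15:40 %MGMT-4-V12AUTHERROR: authentication failed for user admin from 10.0.0.77
2010-03-01 10:16:10 %MGMT-4-V12AUTHERROR: Last message repeated 12 times
2010-03-01 10:16:11 %RADIO-2-RADIODOWN: radio 3 unadopted
2010-03-01 10:16:12 %SYS-7-TRACE: heartbeat
"""

if __name__ == "__main__":
    for e in repeated_warnings(parse_log(SAMPLE_LOG), 10):
        print(e.ts, SEVERITY[e.severity], e.mnemonic, "x%d" % e.count, e.desc)
```

Run it as a script or import parse_log() into your own tooling. The repeated_warnings() pass is the point of the exercise: one folded row can hide a burst of failed logins, so triage on the repeat count as well as on severity.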
To transfer the local log file, complete these steps:
1. Click the Transfer Files button. The Transfer screen is displayed.

Figure 12-49. Transferring Log Files to a Server or Workstation

2. In the From field in the Source section, use the drop-down menu to select Wireless Services Module. In the File field, use the drop-down menu to select the log file that you want to transfer.
3. Select the destination for the file.
   – Path—Enter the path of the directory in which the destination file should be saved. Depending on your server, you may or may not need to enter / before the directory name. Leave this field empty (or simply enter /) to save the file to the server’s default directory.
4. Click the Transfer button.

Managing the Alarm Log

For the Wireless Edge Services zl Module to log an alarm, you must activate the corresponding trap.
■ Index—Alarms are numbered in the order in which they were received.
■ Status—If the alarm has been acknowledged, an administrator has seen it and presumably dealt with it.

Details

When you do not know what an alarm means, or when you need direction in solving the problem it indicates, view the alarm details. Select the alarm from the list and click the Details button. The screen that is displayed points you toward the cause of the alarm and possible solutions for an associated problem. (See Figure 12-51.)

Figure 12-51.

Acknowledge alarms / Delete alarms / Export alarms off the module
Figure 12-52. Using Buttons in the Device Information > Alarm Log Screen

Acknowledge

Sometimes you will want to keep an alarm in the log even after you have viewed it, either because you want another administrator to see it or because you want to track a particular pattern of activity. In this case, instead of deleting the alarm, click the Acknowledge button to change its status.
Wireless Network Management
MAC Filters (Local MAC Authentication)

To export the information in one or more alarms, select those alarms and click the Export button. On the screen that is displayed, select a filename and a location for the logs, which are saved as a comma-separated file.

MAC Filters (Local MAC Authentication)

The Wireless Edge Services zl Module can control which wireless stations connect to a WLAN according to their MAC (hardware) addresses. Keep in mind that a MAC address is sent unencrypted in every 802.11 frame and can be changed in most station drivers, so a MAC filter keeps unauthorized but well-behaved devices off a WLAN; it does not replace the WLAN's own authentication and encryption settings.
■ Deny ACLs—If the module matches a station to this ACL, it blocks all traffic from the station, and the station cannot associate to the WLAN.
By default, the module allows all stations. Unless you explicitly deny a station in an ACL, it can connect. You will generally follow one of two strategies for MAC authentication:
■ Deny all stations except a select group of authorized stations.
Figure 12-53. Security > MAC Filters Screen

2. Click the Add button. The Add ACL screen is displayed.

Figure 12-54.

3. Enter a value from 1 through 1,000 in the Station-ACL Index field. Each ACL must have a unique index number. Pay close attention to this number because, when a station matches more than one entry, only the entry with the lowest number affects the station.
4. Enter a range of MAC addresses, placing the first address in the Starting MAC field and the last address in the Ending MAC field.

Figure 12-55. Assigning ACLs to WLANs

3. Check the boxes for the WLANs to which you want to apply the ACL. WLANs are displayed by index (not SSID). The module will use the ACL to filter traffic on the selected WLANs. If you have selected multiple ACLs, they are listed in separate columns by index number. (See Figure 12-56.)

Figure 12-56. Assigning ACLs to WLANs

4. Click the OK button.
When you select this ACL on the Security > Wireless Filters screen, the selected WLANs appear in the Associated WLANs section. (See Figure 12-57.) In this screen, you can view the WLAN’s SSID, as well as other security options for that WLAN.

Figure 12-57. Associating ACLs with WLANs

Note that it is possible to prevent a station from associating to one WLAN but to allow the station to associate to another. Just as you can make an ACL a member of more than one WLAN, you can associate more than one ACL with a WLAN. The module filters traffic first against the ACL with the lowest index number, then against the ACL with the next lowest number, and so on.
Exporting and Importing MAC Standard ACLs (Filters)

You can export the MAC standard ACLs (filters) configured on the Wireless Edge Services zl Module to the local disk of the management station. Exporting the ACLs enables you to archive them and also to upload them to another device that needs to enforce the same policies. The filters are saved as a .csv file, which you can open with a spreadsheet application.

Export button
Figure 12-58. Exporting ACLs

3. Click the Export button.
4. A dialog screen is displayed for saving the file to the local disk of your management station. Name the file and choose the directory in which to save it. Then confirm the save.
5. A screen reports that the export was successful. Click the OK button.

Figure 12-59.

Importing MAC Standard ACLs

Instead of (or in addition to) manually configuring MAC standard ACLs (filters) on your Wireless Edge Services zl Module, you can import a .csv file that includes these ACLs to your module. The file should be saved on the local disk of your management station. You can create the ACLs file using a spreadsheet application. Include four columns for each ACL.

To import MAC standard ACLs to your Wireless Edge Services zl Module, follow these steps:
1. Select Security > MAC Filters.
2. Click the Import button.

Import button
Figure 12-60. Importing ACLs

3. A dialog screen is displayed for choosing the file from the local disk of your management station. Find your file and confirm the import.
4. A screen reports the results of the import.

Figure 12-61. ACL Import Result

5. Click the OK button.
6. For the imported ACLs to take effect, you must assign them WLAN memberships:
   a. Select the new ACLs. You can select multiple ACLs by holding down Ctrl as you select them.
   b. Click the Memberships button.
   c. Check boxes to assign the ACLs to WLANs.
   d. Click the OK button.
See “Configuring WLAN Memberships” on page 12-78 for more information.

Resolving Import Errors

Figure 12-62. ACL Import Result Screen Error Messages

Errors include:
■ messages informing you that a field contains an invalid value:
   • “ACL index must be an integer”
   • “Invalid starting MAC.”
   • “Invalid ending MAC.”
   • “ACL mode must be either Allow or Deny”
As explained earlier, each line in the file must include four fields with valid values for the index number, the starting and ending MAC addresses, and the ACL mode (allow or deny). An ACL line that the import rejects is simply not enforced, so review the result screen line by line: because the module allows every station by default, a rejected deny line means a station you meant to block can still associate.
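Because a rejected line is simply not enforced, it pays to validate the .csv before importing it. The following Python is an added example for this page, not an HP tool: it checks each line for the four required fields, the 1 through 1,000 index range, duplicate indices and well-formed MAC addresses, reporting the same messages the import-result screen shows (the remaining messages are the script's own), and then applies the lowest-index-wins rule to a station's MAC to show which ACL would decide. The column order (index, starting MAC, ending MAC, mode) and the absence of a header row are assumptions; the sample file is constructed.

```python
"""Validate a MAC standard ACL (filter) .csv before importing it, and show
which ACL the module would apply to a given station.

Added example for this page, not HP tooling. Assumptions: one ACL per
line with four columns in the order index, starting MAC, ending MAC, mode,
and no header row; the module's own import may accept other layouts. The
quoted error strings are the ones listed on the import-result screen; the
other messages are this script's own. The sample file is constructed."""
import csv
import io
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def mac_to_int(mac):
    """'00:1B:77:00:00:01' -> 0x001B77000001, so ranges compare numerically."""
    return int(re.sub(r"[:-]", "", mac), 16)


def parse_acl_csv(text):
    """Return (acls, errors): acls sorted by index, errors as (line, message)."""
    acls, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(c.strip() for c in row):
            continue                                  # blank line
        if len(row) != 4:
            errors.append((lineno, "line must have four fields"))
            continue
        idx, start, end, mode = (c.strip() for c in row)
        if not idx.isdigit():
            errors.append((lineno, "ACL index must be an integer"))
        elif not 1 <= int(idx) <= 1000:
            errors.append((lineno, "ACL index must be 1 through 1000"))
        elif int(idx) in seen:
            errors.append((lineno, "ACL index %s conflicts with an earlier line" % idx))
        elif not MAC_RE.match(start):
            errors.append((lineno, "Invalid starting MAC."))
        elif not MAC_RE.match(end):
            errors.append((lineno, "Invalid ending MAC."))
        elif mac_to_int(start) > mac_to_int(end):
            errors.append((lineno, "starting MAC is above ending MAC"))
        elif mode.lower() not in ("allow", "deny"):
            errors.append((lineno, "ACL mode must be either Allow or Deny"))
        else:
            seen.add(int(idx))
            acls.append({"index": int(idx), "start": mac_to_int(start),
                         "end": mac_to_int(end), "mode": mode.lower()})
    return sorted(acls, key=lambda a: a["index"]), errors


def decide(acls, station_mac):
    """The lowest-index ACL whose range contains the station decides.
    No match means the module default: the station is allowed."""
    m = mac_to_int(station_mac)
    for a in sorted(acls, key=lambda a: a["index"]):
        if a["start"] <= m <= a["end"]:
            return a["mode"], a["index"]
    return "allow", None


# Constructed sample implementing 'deny all except a select group', plus one
# targeted deny of a single address and two lines the import would reject.
SAMPLE_CSV = """\
10,00:1B:77:00:00:00,00:1B:77:FF:FF:FF,Allow
20,00:00:00:00:00:00,FF:FF:FF:FF:FF:FF,Deny
5,00:1B:77:12:34:56,00:1B:77:12:34:56,Deny
abc,00:11:22:33:44:55,00:11:22:33:44:66,Allow
30,00:11:22:33:44:55,00:11:22:33:44:66,Block
"""

if __name__ == "__main__":
    acls, errors = parse_acl_csv(SAMPLE_CSV)
    for lineno, msg in errors:
        print("line %d: %s" % (lineno, msg))
    for mac in ("00:1B:77:12:34:56", "00:1B:77:AA:BB:CC", "00:11:22:33:44:55"):
        print(mac, decide(acls, mac))
```

The decide() function reproduces the rule from step 3 of adding an ACL: the targeted deny at index 5 beats the vendor-range allow at index 10, and the catch-all deny at index 20 only reaches stations that no lower-numbered entry matched.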
Wireless Network Management
Network Self Healing

Make one of two choices:
• Click the OK button to import the file despite the conflict. The module retains all of its already-configured ACLs, and any non-conflicting ACLs are imported normally.
• Click the Cancel button to cancel the import. The module retains all of its already-configured ACLs, and no new ACLs are saved to the module.
Neighbor Recovery

When enabled on the Wireless Edge Services zl Module, neighbor recovery can automatically reconfigure radios to compensate for another radio’s failure. Both the Wireless Edge Services zl Module and the RP radios monitor for failed radios. The RPs monitor neighbors by listening for beacons from RPs that they have learned they can hear on their channel.

Figure 12-63. Enabling Neighbor Recovery

2. Check the Enable Neighbor Recovery box.
3. Click the Apply button.
An RP radio responds to the loss of a radio only if that radio is defined as one of its neighbors. To further configure neighbor recovery, you must:
■ specify neighbors
■ specify the action that a radio takes if one of its neighbors fails
Select Special Features > Self Healing and click the Neighbor Details tab.

Figure 12-64. Neighbor Relationships

The screen lists all RP radios adopted by this module, displaying this information for each:
■ Radio Index—index number
■ Description—name
■ Type—802.11bg or 802.

Specifying Neighbors Manually

Keep these concepts in mind as you configure neighbors:
■ The neighbor relationship is reciprocal: if you configure a neighbor list on radio 1 that includes radio 3, radio 3’s neighbor list automatically adds radio 1. (See Figure 12-64.

2. Select a radio and click the Edit button. The Edit Neighbor screen is displayed. (See Figure 12-66.)

Figure 12-66. Editing Neighbors

The available RP radios (those adopted by this module) are listed on the left under Available Radios: these are potential neighbors.
3. To add a neighbor, select a radio from the field on the left and then click the Add button. The radio moves to the right; it is now a neighbor of the radio that you are editing.
You return to the Special Features > Self Healing > Neighbor Details screen, on which you can confirm the neighbors in the Neighbor Radio Indices column for the radio that you were editing. Note that the neighbors also display the edited radio in their Neighbor Radio Indices column.

Configuring Radios to Automatically Detect Neighbors

Instead of manually configuring neighbors, you can have RP radios detect each other and choose their own neighbors.
For example, one radio in your network might operate in G-only mode (that is, it supports only the higher data rates) while a nearby radio also supports the lower data rates of 802.11b. You might configure the first radio to add the lower data rates so that it can support both types of stations if the second fails.
■ both raise its transmit power and open its data rates (see Figure 12-68)
Sometimes you lower radios’ transmit power so that closely grouped RPs can support higher data rates within their relatively small coverage areas. When an RP radio raises its transmit power to take over a failed neighbor’s coverage area, it can no longer support high data rates for all stations (some are too far away).

Figure 12-69. Defining the Action

3.
4. In the Self Healing Action field, use the drop-down menu to select the action:
   • Open Rates—to configure the radio to support all data rates
   • Raise Power—to configure the radio to raise its power to the legal maximum. See “Configuring a Self Healing Offset” on page 12-97 to determine whether you need to configure a self healing offset.
   • Both—to configure the radio to take both of these actions.

1. Select Network Setup > Radio > Configuration.
2. Select the radio and click the Edit button. The Configuration screen for the selected radio is displayed. (See Figure 12-70.)

Self Healing Offset
Figure 12-70. Configuring the Self Healing Offset Option

3. In the Advanced Properties section, enter a value in the Self Healing Offset field. Base the offset on the radio’s antenna gain and the rules of your regulatory domain as explained in http://www.hp.

1. Every time a wireless station’s packet fails to reach its destination, presumably because of a collision, the station resends the packet. For each RP radio, the module tracks the average number of times in the last 30 seconds that stations reattempted to send a packet.
2. If a radio’s average retries exceed a specified threshold, the module assumes that the excessive collisions are caused by another device operating on the same channel.
a.
b. In the Average Retries field, enter a value from 1 through 15 to set the threshold for the number of times stations must resend frames during a 30-second interval. The default value is 14, which means that, if in a 30-second interval the average station must resend a packet 15 times, the radio selects a new channel. Resending packets 14 times implies relatively high latency, so you can lower the threshold.
13 sFlow Agent

Contents
Overview  13-2
Flow Sampling by the sFlow Agent  13-2
Counter Polling by the sFlow Agent  13-3
sFlow Receiver  13-4
Configuring sFlow Receiver Instances
sFlow Agent
Overview

The ProCurve Wireless Edge Services zl Module contains an sFlow agent. The sFlow agent samples traffic, treating the traffic that arrives on each adopted RP radio as a separate flow. In other words, the module’s sFlow agent monitors each radio much as a switch might monitor each physical interface. The sFlow agent forwards traffic information to an sFlow collector. Another term for an sFlow collector is an sFlow receiver.

On the Wireless Edge Services zl Module, data sources are RP radios, and “n,” the packet sampling rate, is configurable per radio and per sampling instance (up to six per radio). In other words, the module orders radios to send approximately every nth packet to the module’s sFlow agent to be sampled, packaged, and sent to the sFlow receiver or receivers.

Note: Only 802.11 data frames are sampled. The sFlow agent does not sample management and control frames such as beacons. Samples therefore show station data traffic, not association or probe activity, which is carried in management frames.

The sFlow agent obtains the counters by periodically polling radios. The agent polls radios as needed to fill datagrams most efficiently. However, you can configure the maximum time that can elapse before a radio must be polled.

sFlow Receiver

The sFlow receiver, which receives samples from agents all over the network, combines and analyzes the samples to produce a picture of network activity. This picture can be quite detailed.

The sFlow receiver reserves the instance by writing its owner string into that instance in the sFlow receiver table. The receiver also configures a receiver timeout value for itself. The agent counts down the receiver timeout; when the timeout nears expiration, the sFlow receiver can reset the timeout to a higher value if it wants to retain control of the instance. If the receiver no longer needs samples from the agent, it allows the timeout to expire.
sFlow Agent
Configuring sFlow Using the Web Browser Interface

The Wireless Edge Services zl Module’s sFlow agent is enabled by default. If your sFlow receiver (sometimes called an sFlow collector) can control the agent through SNMP, you do not need to configure the module further. Because a receiver claims an instance by writing to the module over SNMP, any host with SNMP write access can also claim one and have sampled frames sent to itself; restrict SNMP write access to the receivers you trust. You can check the module’s sFlow agent and verify that it is compatible with your sFlow receiver’s SNMP capabilities. Select Special Features > sFlow > Agent.

Figure 13-1.

■ Organization—HP. The sFlow receiver must also know the organization to identify the implementation of sFlow on this agent.
■ Revision—the Wireless Edge Services zl Module’s current software image.
■ Address Type—the protocol version for IP addresses.
■ Address—the Wireless Edge Services zl Module’s management VLAN IP address. (Note that sFlow uses the management VLAN IP address, not just any management IP address.)
When you specify the receiver manually, you must configure a variety of settings that the sFlow receiver would otherwise configure itself. These settings include not only the receiver’s IP address and port, but also how the module’s sFlow agent packages the samples. Follow these steps:
1. Select Special Features > sFlow and select the Receiver tab.

Figure 13-2. Special Features > sFlow > Receiver Screen

2.

Figure 13-3. Receiver Configuration Screen

4. In the Owner field, enter a string to identify the sFlow receiver.
5. In the Time Out field, specify a value in seconds from 1 to 999999999 (roughly 31 years). The timeout reserves this receiver instance for the specified receiver for the set amount of time. Generally, when you configure an sFlow receiver instance manually, you should set the timeout very high (days or weeks).

If your sFlow receiver does not support the 802.11 extension, select Convert to Ethernet from the drop-down menu. The module’s sFlow agent then packages 802.11 samples to appear as Ethernet samples. Note that some receivers, such as PCM Plus, automatically set this option to match their capabilities.
10. Click the OK button. The value in the Time Out field begins to decrement immediately.

Figure 13-4. Special Features > sFlow > Flow Sampling Screen

The Wireless Edge Services zl Module’s sFlow agent begins sampling a flow when either of two conditions is met:
■ An sFlow receiver contacts the module’s sFlow agent and claims an open flow sampling instance (one whose Receiver Instance column displays 0). In this case, the receiver configures the sampling rate.

Figure 13-5. Flow Sampling Configuration Screen

4. From the Receiver Instance drop-down menu, choose the receiver index number associated with the sFlow receiver to which the module should send the samples. To easily track which settings apply to a specific sFlow collector, match the sFlow instance number to the receiver instance number. Matching the numbers is not mandatory, however.
6. Optionally, alter the value in the Maximum Header Size field to set the amount of data (in bytes) included in a sample. The module samples the specified number of bytes. For example, if you set the Maximum Header Size to 100, the module places the first 100 bytes of every sampled frame in a datagram. The value should cover the frame and packet headers so that the entire header is forwarded. Setting it much larger exports the beginning of the user payload to the receiver as well, which traffic accounting does not need and which may include data you do not want stored on the collector.
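A receiver administrator can confirm these settings by looking at what actually arrives at the receiver. The following Python is an added example for this page, not HP code and not a complete sFlow decoder: it builds a small sFlow v5 datagram inline (so it runs offline) and parses it back, extracting the agent address to compare against the management VLAN IP from the Agent screen, the per-radio sampling rate, whether each sample's header is raw 802.11 (header protocol 15, as defined in the sFlow 802.11 extension) or converted Ethernet (header protocol 1), and whether the Maximum Header Size cut the header short. Field layouts follow the sFlow v5 specification; only flow samples with raw packet header records are decoded, other samples and records are skipped by their length fields; the frame headers and addresses are constructed.

```python
"""Decode an sFlow v5 datagram header and its flow samples, enough to check
what this chapter configures: agent address, per-radio sampling rate, and
raw 802.11 (header protocol 15) versus converted Ethernet (protocol 1).

Added example for this page, not HP code and not a full sFlow decoder.
Layouts follow the sFlow v5 specification; the datagram is constructed by
build_datagram() so the example runs offline."""
import struct

FLOW_SAMPLE = 1            # sample_type: enterprise 0, format 1
RAW_HEADER_RECORD = 1      # flow record format 1: sampled packet header
HEADER_PROTOCOL = {1: "ethernet", 11: "ipv4", 15: "ieee80211-mac"}


def _u32s(*vals):
    return struct.pack(">%dI" % len(vals), *vals)


def build_datagram(agent_ip, seq, samples):
    """samples: list of (radio_index, sampling_rate, header_protocol,
    frame_length, header_bytes); one flow sample is built per entry."""
    body = b""
    for i, (src, rate, proto, frame_len, hdr) in enumerate(samples):
        padded = hdr + b"\0" * (-len(hdr) % 4)          # XDR pads opaque data to 4
        record = _u32s(proto, frame_len, 0, len(hdr)) + padded
        flow = _u32s(i + 1, src, rate, rate * 100, 0, src, 0, 1)
        flow += _u32s(RAW_HEADER_RECORD, len(record)) + record
        body += _u32s(FLOW_SAMPLE, len(flow)) + flow
    ip = bytes(int(o) for o in agent_ip.split("."))
    return _u32s(5, 1) + ip + _u32s(0, seq, 123456, len(samples)) + body


def parse_datagram(buf):
    off = 0

    def u32():
        nonlocal off
        (v,) = struct.unpack_from(">I", buf, off)
        off += 4
        return v

    if u32() != 5:
        raise ValueError("not an sFlow v5 datagram")
    addr_type = u32()
    if addr_type == 1:                                   # IPv4 agent address
        agent = ".".join(str(b) for b in buf[off:off + 4])
        off += 4
    elif addr_type == 2:                                 # IPv6 agent address
        agent = buf[off:off + 16].hex()
        off += 16
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    sub_agent, seq, uptime, nsamples = [u32() for _ in range(4)]
    samples = []
    for _ in range(nsamples):
        stype, slen = u32(), u32()
        end = off + slen
        if stype == FLOW_SAMPLE:
            _sseq, source_id, rate, pool, drops, _in, _out, nrec = [u32() for _ in range(8)]
            sample = {"source_type": source_id >> 24, "source_index": source_id & 0xFFFFFF,
                      "sampling_rate": rate, "sample_pool": pool, "drops": drops,
                      "records": []}
            for _ in range(nrec):
                fmt, rlen = u32(), u32()
                rend = off + rlen
                if fmt == RAW_HEADER_RECORD:
                    proto, frame_len, stripped, hlen = [u32() for _ in range(4)]
                    sample["records"].append({
                        "protocol": HEADER_PROTOCOL.get(proto, proto),
                        "frame_length": frame_len,
                        "header": bytes(buf[off:off + hlen]),
                        # True when Maximum Header Size cut the frame short
                        "truncated": hlen < frame_len - stripped})
                off = rend                               # skip padding / unknown records
            samples.append(sample)
        off = end                                        # skip unknown sample types
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime, "samples": samples}


def agent_is(datagram, mgmt_vlan_ip):
    """True when the datagram claims the expected management VLAN address."""
    return datagram["agent"] == mgmt_vlan_ip


# Constructed headers: a 24-byte 802.11 data frame header and a 14-byte
# Ethernet header, as the agent would send them without and with
# 'Convert to Ethernet'. Addresses and the agent IP are made up.
DOT11_HDR = bytes.fromhex("08010000" "001b77000001" "0011223344aa" "001b77000001" "1000")
ETH_HDR = bytes.fromhex("001b77000001" "0011223344aa" "0800")
SAMPLE_DATAGRAM = build_datagram("10.1.1.10", 7, [
    (1, 128, 15, 1500, DOT11_HDR),   # radio 1, every 128th frame, raw 802.11
    (2, 256, 1, 64, ETH_HDR),        # radio 2, every 256th frame, converted
])

if __name__ == "__main__":
    d = parse_datagram(SAMPLE_DATAGRAM)
    for s in d["samples"]:
        for r in s["records"]:
            print(d["agent"], "radio", s["source_index"], "1/%d" % s["sampling_rate"],
                  r["protocol"], "%d header bytes" % len(r["header"]))
```

To use it on real traffic, read each UDP payload that arrives on the receiver port and pass it to parse_datagram(). A datagram whose agent address is not the module's management VLAN IP either came from another agent or points at an address-type or VLAN problem worth checking, and a record whose protocol is still ieee80211-mac on a receiver without the 802.11 extension means Convert to Ethernet was not applied.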
Figure 13-6. Special Features > sFlow > Counter Polling Screen

The separate instances allow the agent to report counters to up to six sFlow receivers. By default, counter polling is disabled: the instances are not mapped to receivers and the polling interval is set to 0.
3. Click the Edit button. The Counter Polling Configuration screen is displayed. For the Data Source, the screen displays the index and name of the radio that the module’s agent polls. The sFlow Instance shows which of the six instances you are currently configuring.

Figure 13-7. Counter Polling Configuration

4. Select 4, 5, or 6 from the Receiver Instance drop-down menu.
A ProCurve Wireless Services zl Module Command Line Reference

Contents
Overview  A-7
Manager Commands  A-8
acknowledge  A-9
archive
rename  A-32
rmdir  A-33
service  A-33
show
sflow  A-84
show  A-86
snmp-server  A-96
spanning-tree
Show Commands  A-128
Show Commands (All Contexts)  A-130
show access-list  A-130
show aclstats
show snmp-server  A-156
show startup-config  A-157
show terminal  A-158
show time
Support Commands  A-185
Support Commands (All Contexts)  A-187
support clear  A-187
support copy
ProCurve Wireless Services zl Module Command Line Reference

Overview

This chapter describes the commands provided by the CLI. The CLI commands can be broken down into their respective context groups.

Command Group             Description                               Page
Manager                   Commands run from the Manager context.    A-8
Global Configuration      Commands run from the Global context.     A-52
Interface Configuration   Commands run from the Interface context.  A-104
Wireless Configuration    Commands run from the Wireless context.

Manager Commands

These commands are run from the Manager context.

Command                                                   Function                                      Page
acknowledge alarm-log (all | <1-65535>)                   Acknowledges alarms.                          A-9
archive tar (create | table | xtract)                     Creates, lists, or extracts a tar file.       A-10
cd (DIR|)                                                 Changes directory.                            A-10
clear (alarm-log | arp | logging | wireless-statistics)   Clears cache and reporting logs.
redundancy-group-cli-config                               Enables the redundancy group config context.  A-31
reload                                                    Performs a cold restart.                      A-31
rename FILENAME NEWFILENAME                               Renames a file.                               A-32
rmdir DIR                                                 Deletes a directory.                          A-32
service                                                   Enables service commands.                     A-33
show                                                      Shows running system information.             A-85
support                                                   Enables support functions.                    A-44
telnet WORD | WORD PORT                                   Opens a telnet connection.

Note that telnet carries the login and the whole session in cleartext; if you use it from the module to reach other devices, do so only on a management network you trust.
archive

This command creates, lists, or extracts a tar file.

Syntax: archive tar /(create | table | xtract)
• create - Create a tar file.
   – FILE - File or directory to archive [archive tar /create (FILE|URL) .FILE]
   – URL - Tar file URL. URLs: tftp:///path/file, ftp://:@/path/file, http:///path/file, sftp://@/path/file
• table - List files from a tar file.
   – FILE - Tar filename. Files: flash:/path/file [archive tar /table (FILE|URL)]

Default Setting: N/A
Command Mode: Manager
Example:
HPswitch#cd
HPswitch#
HPswitch#cd TESTDIR
HPswitch#

change master passwd

This command changes the password of the logged-in user.

Syntax: change-master-psswd (PASSWD)
• change-master-passwd
Default Setting: N/A
Command Mode: Manager
Example:
HPswitch#change-master-psswd
HPswitch#

clear

This command resets specified cache and reporting logs.
   – new - Clear new alarms.
• arp - Clear the ARP cache.
• crypto (ipsec | isakmp) - Clear the encryption subsystem.
   – ipsec - Flush the IPsec SAs.
      + sa - Clear all IPsec SAs.
      + A.B.C.D - Clear all IPsec SAs for a given peer.
   – isakmp - Flush the ISAKMP database.
      + sa - Clear all IKE SAs.
      + A.B.C.D - Clear all IKE SAs for a given peer.
• ip (dhcp) - Internet protocol
   – dhcp - DHCP server configuration.

Example:
HPswitch#clear arp
HPswitch#
HPswitch#clear logging
HPswitch#
HPswitch#clear layer3-mobility station all

Note that clear logging discards the local event log. If you are investigating an incident, transfer the log file to a server first (see “Logging and Alarms” in Chapter 12).

configure

This command enters the configure context.

Syntax: configure (terminal|)
• terminal - Configure from the terminal (optional).
Default Setting: N/A
Command Mode: Manager
Example:
HPswitch#configure terminal
ProCurve (wireless-services-B)(config)#

copy

This command copies from one file to another.
• URL - URL from which to copy.
   – URLs: tftp:///path/file, ftp://:@/path/file
Filenames are case sensitive and limited to 45 characters.
Default Setting: N/A
Command Mode: Manager
Example:
HPswitch#copy ftp://ftp:ftp@172.20.15.5/test.conf switch:my.conf
ProCurve (wireless-services-B)#

A password given inside an ftp:// URL, as in this example, is sent to the FTP server in cleartext and is visible to anyone watching the terminal; use a dedicated account that can reach only the transfer directory.

debug

This command provides debugging functions. The no form of the command negates the trace.
   – snmp - SNMP logs
   – station - Station logs
   – system - System call logs
   – wips - WIPS sensor logs
   – wisp - WISP logs
• ccstats - Cell controller (wireless) debugging messages
   – word - CCStats module to be debugged
• certmgr - Certificate manager debugging messages
   – all - trace error and info messages from Certificate Manager
   – error - trace error messages from Certificate Manager
   – info - trace informational messages from Certificate Manager
   – peer - Peer establishment
   – system - System events
• nsm - Network Service Module (NSM)
   – all - Enable all debugging
   – events - NSM events
   – kernel - NSM kernel
   – packet - NSM packets
      + detail - Detailed information display
      + recv - NSM receive packets
         - detail - Detailed information display
      + send - NSM send packets
         - detail - Detailed information display
• pktdrvr - Pktdrvr (kernel wireless) debugging messages
   – all - trace all messages from
   – general - General
   – heartbeats - Heartbeats processing
   – init - Redundancy initialization
   – packets - Packet processing
   – proc - Process flow
   – shutdown - Shutdown process
   – states - Redundancy state machine
   – subagent - Sub agent
   – timer - Timer handling
   – warnings - Warnings
• securitymgr - Security Manager debugging messages
   – all - Trace all messages from SecurityManager
   – debug - Trace general debug messages from SecurityManager
   – error - Trace
Example:
HPswitch#debug mgmt cgi
HPswitch#
HPswitch#no debug mgmt sys
HPswitch#

diff

This command displays the differences between two files.

Syntax: diff (FILE | URL) (FILE | URL)
• FILE - Display the differences between FILE.
   – FILE - Display the differences between FILE.
   – URL - Display the differences between URL.
• URL - Display the differences between URL.
   – FILE - Display the differences between FILE.

• recursive - Display files recursively.
• DIR - Display the list of all available files in the file path.
• all-filesystems - Display the list of all available filesystems.

Example Two
HPswitch# dir /recursive
-------------------------------------------------------------------
Directory of flash:/
drwx       1024  Wed Dec  7 17:06:32 2005  hotspot
drwx       1024  Thu Dec  8 09:31:07 2005  crashinfo
drwx         80  Mon Feb 13 09:35:10 2006  log
Directory of flash:/hotspot
drwx       1024  Wed Feb  1 17:19:19 2006  lib
drwx       1024  Wed Feb  1 17:19:19 2006  cgi-bin
Directory of flash:/hotspot/lib
-rwx      58476  Tue Jan 31 13:12:09 2006  libpthread.

Example:
HPswitch#edit TESTFILE
GNU nano 1.2.

Example:
HPswitch#erase FILE
HPswitch

exit

This command ends the current mode and reverts to the previous mode.
Syntax: exit
Default Setting: N/A
Command Mode: Manager
Example:
HPswitch#exit
HPswitch

help

This command provides a description of the interactive help system.

halt

This command halts the wireless module.
Syntax: halt
Default Setting: N/A
Command Mode: Manager
Example:
HPswitch#halt
Wireless module will be halted, do you want to continue? y
ProCurve (config)#

logout

This command exits from the CLI.

mkdir

This command creates a directory.
Syntax: mkdir DIR
• DIR - Directory name.
Default Setting: N/A
Command Mode: Manager
Example:
HPswitch#mkdir TESTDIR
HPswitch#

more

This command displays the contents of a file.
Syntax: more FILE
• FILE - File name.

no

This command negates a command or sets its defaults.
      - err Errors
      - sys System
  – mobility L3 Mobility
    + all All debugging (except "forwarding")
    + cc ccserver events
    + error Error
    + forwarding Dataplane forwarding
      - AA-BB-CC-DD-EE-FF MAC address of the Station
    + mu MU events and state changes
      - packet Control Packets
      - peer Peer establishment
      - system System events
  – nsm Network Service Module (NSM)
    + all Enable all debugging
    + events NSM events
    + kernel NSM kernel
    + packet NSM
    + all Debugging all
    + ccmsg Msg exchange with CC
    + config Configuration processing
    + errors Errors
    + general General
    + heartbeats Heartbeats processing
    + init Redundancy initialization
    + packets Packet processing
    + proc Process flow
    + shutdown Shutdown process
    + states Redundancy state machine
    + subagent Subagent
    + timer Timer handling
    + warnings Warnings
  – securitymgr Security Manager Debugging Messages
    + all Trace all mess
    + error trace error messages from wirelessstatistics
    + info trace info messages from wirelessstatistics
• page Toggle paging
• service Support Commands
  – radius Disable radius server
• support Support Commands
  – diag Diagnostics
    + enable Disable in-service diagnostics
    + period Set to default period
    + watchdog disable the watchdog
  – pm Process Monitor
    + maxsysrestarts Maximum number of times PM will restart the system bec
Example
HPswitch#no debug
HPswitch#

page
This command enables pausing of output to the screen. The no command disables the pausing of the output.
Syntax
page
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#page
HPswitch#

ping
This command sends ICMP echo request packets to another node on the network.
Syntax
ping WORD
• WORD - Hostname or IP address of the host.
  – Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
  – Destination does not respond - If the host does not respond, a "timeout" appears in ten seconds.
?? repetition <1-1000> timeout <1-256>
  – Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
redundancy-group-cli-config
This command enables the redundancy group configuration context.
Syntax
redundancy-group-cli-config (enable)
• enable - Enable redundancy group config context
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#redundancy-group-cli-config enable
HPswitch#

reload
This command halts the module and performs a warm reboot.
rename
This command renames a file.
Syntax
rename FILE
• FILE - File to be renamed.
  – FILE - New file name.
Default Setting
N/A
Command Mode
Manager
Example
To validate the name change, use the DIR command.
Command Mode
Manager
Example
To validate that the directory is deleted, use the DIR command.
HPswitch#rmdir TESTDIR
HPswitch#
HPswitch#dir
Directory of flash:/
drwx 1024 Tue Oct 1 00:14:16 2002 hotspot
drwx 1024 Thu Feb 16 15:37:09 2006 crashinfo
drwx 80 Fri Feb 17 12:48:10 2006 log
-rw- 43 Fri Feb 17 10:19:52 2006 TESTFILE2
-rw- 37 Fri Feb 17 10:20:47 2006 TESTFILE
HPswitch#

service
This command enables service commands.
Syntax
show (accesslist | aclstats | alarmlog | commands | crypto | debug | dhcp | file | flash | ftp | history | hostname | interfaces | ip | layer3mobility | ldap | licenses | logging | mac | management | ntp | passwordencryption | privilage | proxyarpdb | radius | redundancygroup | redundancyhistory | redundancymembers | runningconfig | securitymgr | sflow | snmp | snmpserver | sntp | startupconfig | terminal | time | timezone
  – isakmp Show ISAKMP
    + policy policy
      - <1-10000> priority
      - all isakmp policies
    + sa All Crypto ISAKMP Security Association
  – key Authentication key management
    + mypubkey Show public keys associated with the switch
      - rsa Show RSA public keys
  – map Crypto maps
    + interface Crypto maps for an interface.
    + uplink Ethernet Interface
    + vlan Vlan Interface
      - <1-4094> Vlan Id
  – accesslist List IP access lists
  – arp Address Resolution Protocol (ARP)
  – ddns DDNS Configuration
    + binding DNS Address bindings
  – dhcp DHCP Server Configuration
    + binding DHCP Address bindings
    + pool DHCP Pools
      - WORD DHCP pool name
  – dhcpvendoroptions DHCP Option 43 parameters received from DHCP server
  – dns DNS nameservers
  – domain Default domain fo
    + peer Peer eventlogs
    + station Mobileunit eventlogs
  – forwarding Stations in the Forwarding Plane
    + AA-BB-CC-DD-EE-FF MAC address of the Station
  – global Global Mobility parameters
  – peer Mobility peers
    + A.B.C.
    + A.B.C.D/M client ip address / mask
  – proxy proxy information
    + WORD proxy realm name
  – raduser Radius user information
    + WORD Existing User name in the local radius database
  – trustpoint Radius trustpoint configuration
• redundancygroup Display redundancy group parameters
  – config Display configured redundancy group information.
  – runtime Display runtime redundancy group information.
• sntp Display simple NTP configuration
• startupconfig Contents of startup configuration
• terminal Display terminal configuration parameters
• time Display system clock
• timezone Display timezone
• updserver Display update server parameters.
    + wirelesstowired Mappings used when traffic is switched from wireless to the wired side
  – radio Radio related commands
    + beacontable The Radio-to-Radio beacon table
    + config Radio configuration
      - <1-1000> A single radio index
      - default11a default 11a configuration template
      - default11bg default 11bg configuration template
    + monitortable The Radio-to-Radio monitoring table
    + statistics Radio statistics
      - <1-1000> A single radio index
    + cz Czech Republic
    + de Germany
    + dk Denmark
    + do Dominican Republic
    + ec Ecuador
    + ee Estonia
    + eg Egypt
    + es Spain
    + fi Finland
    + fr France
    + gb United Kingdom
    + gr Greece
    + gt Guatemala
    + gu Guam
    + hk Hong Kong
    + hn Honduras
    + hr Croatia
    + ht Haiti
    + hu Hungary
    + id Indonesia
    + ie Ireland
    + il Israel
    + in India
    + is Iceland
    + it Italy
    + jo Jordan
    + jp Japan
    + kr South Korea
    + kw Kuwait
    + kz Kazakhstan
    + li Liechtenstein
    + ma Morocco
    + mt Malta
    + mx Mexico
    + my Malaysia
    + nl Netherlands
    + no Norway
    + nz New Zealand
    + om Oman
    + pe Peru
    + ph Philippines
    + pk Pakistan
    + pl Poland
    + pt Portugal
    + qa Qatar
    + ro Romania
    + ru Russia
    + sa Saudi Arabia
    + se Sweden
    + sg Singapore
    + si Slovenia
    + sk Slovak Republic
    + th Thailand
    + tr Turkey
    + tw Taiwan
    + ua Ukraine
    + us United States
    + uy Uruguay
    + ve Venezuela
    + vn Vietnam
    + za South Africa
  – selfhealconfig Self-Healing Configuration Parameters
    + <1-1000> A single radio index
    + all All Configured radios
  – station Details of associated stations
    + <1-4096> Index of station
    + AA-BB-CC-DD-EE-FF MAC address of station
    + radio Show mobileunits associated to this radio
      - <1-1000> A single radio index
    + statistics station rf statistics
      - AA-BB-CC-DD-EE-FF MAC address of station
        ++ detail Detailed station statistics
  – wlan Sho
Example
HPswitch#show aclstats vlan
HPswitch#

support
This command enables support functions.
Syntax
support (clear | copy | diag | diagshell | encrypt | pm | prompt | rp | savecli | securitymgr | set | show | tethereal | wireless)
• clear Reset functions
  – all Remove all core, dump and panic files
  – clitree Remove clitree.
        ++ <0-65535> buffer usage warning limit 0-65535
      - 2k 2k byte buffer limit
        ++ <0-65535> buffer usage warning limit 0-65535
      - 32 32 byte buffer limit
        ++ <0-65535> buffer usage warning limit 0-65535
      - 32k 32k byte buffer limit
        ++ <0-65535> buffer usage warning limit 0-65535
      - 4k 4k byte buffer limit
        ++ <0-65535> buffer usage warning limit 0-65535
      - 512 512 byte buffer limit
        ++ <0-65535> buffer usage warning limit 0-65535
      - 64 64 byte buffer limi
    + load aggregate processor load
      - 1 during the previous minute
        ++ WORD percentage load from 0.0 to 100.0
      - 15 during the previous 15 minutes
        ++ WORD percentage load from 0.0 to 100.0
      - 5 during the previous five minutes
        ++ WORD percentage load from 0.0 to 100.
• pm Process Monitor
  – maxsysrestarts Maximum number of times PM will restart the system because of a failed process
    + <1-5> Maximum number of system restarts
  – sysrestart Enable PM to restart the system when a process fails
• prompt Enable crashinfo prompt
  – crashinfo Enable crashinfo prompt
• rp radioport serviceability parameters
  – forcedump trigger the radioport to send a crashdump to the wirelessmodule
• savecli Sa
  – pm Process Monitor
    + history State changes for a process, the time they happened and the events that triggered them
      - WORD Process name
      - all All processes
    + process show processes (sorted by memory usage)
  – reboothistory Show reboot history
  – rp radioport serviceability parameters
    + beaconcount radioport beacon count (cumulative number of beacons sent)
  – startuplog Show startup log
  – temperature Display CPU temperatur
N/A
Command Mode
Manager
Example
HPswitch#support clear all
HPswitch#

telnet
This command opens a telnet connection.
Syntax
telnet WORD
• WORD - IP address or hostname of a remote system.
  – PORT - TCP Port number.
Default Setting
N/A
Command Mode
Manager
Example
This example displays an incomplete route telnet message.
HPswitch#telnet 10.1.0.9 23
telnet: Unable to connect to remote host (10.1.0.
  – <61-1920> - Number of characters on a screen line.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#terminal length 1000
HPswitch#
HPswitch#terminal width 1900
HPswitch#

upgrade
This command upgrades the software image.
Syntax
upgrade URL
• URL - Location of firmware image.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#upgrade-abort
HPswitch#

write
This command writes the running configuration to memory or terminal.
Syntax
write memory | terminal
• memory - Write to NV memory.
• terminal - Write to terminal.
ProCurve Wireless Services zl Module Command Line Reference Global Commands

Example
HPswitch#write terminal
!
! configuration of ProCurveWLANModule Wireless Services version WS.01.XX.0551Sw6
!
version 1.
Command            Function                                                  Page
end                Ends current mode and changes back to Manager mode.       A-63
exit               Ends current mode.                                        A-63
[no] fallback      (Negates) Configures software fallback commands.          A-65
help               Displays the interactive help system.                     A-65
[no] hostname      (Negates) Sets system's network name.                     A-66
[no] interface     (Negates) Selects an interface to configure.              A-67
[no] ip            (Negates) Interface protocol.
aaa
This command enables authentication, authorization and accounting configuration parameters.
              --- PORT_RANGE port: range <1024-65535>
        ++ 2 Password is encrypted with password-encryption secret
          -- WORD shared secret up to 32 characters
            +++ authport RADIUS server authentication port
              --- PORT_RANGE port: range <1024-65535>
        -- WORD shared secret up to 32 characters
          +++ authport RADIUS server authentication port
            --- PORT_RANGE port: range <1024-65535>
Default Setting
N/A
Command Mode
Global
Example
HPswitch#aaa authentication login
boot
This command reboots the wireless module.
Syntax
boot flash (primary | secondary)
• flash - Specifies the boot image to use after reboot.
  – primary - Primary image.
  – secondary - Secondary image.
country-code
This command configures the country of operation. All existing radio configuration will be erased.
Syntax
country-code country_code
• country_code - A two-character code that identifies the country of operation. See Table A-1 on page A-57 for a full list of the codes.
Table A-1.
Country                      Code   Country                      Code   Country              Code   Country               Code
Bermuda                      BM     Hong Kong                    HK     Mozambique           MZ     Tajikistan            TJ
Bolivia                      BO     Hungary                      HU     Myanmar              MM     Thailand              TH
Bosnia and Herzegovina       BA     Iceland                      IS     Namibia              NA     Trinidad and Tobago   TT
Botswana                     BW     India                        IN     Netherlands          NL     Tunisia               TN
Brazil                       BR     Indonesia                    ID     New Zealand          NZ     Turkey                TR
Brunei Darussalam            BN     Iran, Islamic Republic Of    IR     Nicaragua            NI     Turkmeni
Example
HPswitch#configure
HPswitch(config)#country-code us
HPswitch(config)#

crypto
This command configures encryption related commands.
    + espaes256 ESP transform using AES cipher (256 bits)
    + espdes ESP transform using DES cipher (56 bits)
    + espmd5hmac ESP transform using HMAC-MD5 auth
      - esp3des ESP transform using 3DES cipher (168 bits)
      - espaes ESP transform using AES cipher
      - espaes192 ESP transform using AES cipher (192 bits)
      - espaes256 ESP transform using AES cipher (256 bits)
      - espdes ESP transform using DES cipher (56 bits)
    + espshahmac ESP transform using HMACS
        ++ A.B.C.D Peer IP address
      - hostname define shared key with hostname
        ++ WORD hostname of peer with whom the key is shared
  – peer remote peer
    + address Identity of remote peer is ipaddress
      - A.B.C.
        ++ dynamic dynamic map entry for XAUTH with modeconfig or ipsecl2tp configuration
      - ipsecmanual IPSEC w/manual keying
        ++ dynamic dynamic map entry for XAUTH with modeconfig or ipsecl2tp configuration
• pki Public Key Infrastructure commands
  – authenticate Authenticate and import ca certificate
    + WORD Trustpoint Name
      - URL URL to get the ca certificate from. URLs: tftp:///path/file ftp:/ /:@/path/file
      - terminal Copy & Paste mode of
  – trustpoint Create and configure a trustpoint
    + WORD Trustpoint Name
Default Setting
N/A
Command Mode
Global
Example
HPswitch#crypto ipsec securityassociation lifetime kilobytes WORD
HPswitch#

end
This command ends the current mode and changes to the Manager mode.
Command Mode
Global
Example
This example shows how to return to the previous command levels starting from the Manager Configuration mode and finally logging out of the CLI session.
HPswitch#exit
ProCurve (config)#exit
ProCurve#exit
ProCurve>exit
Do you want to log out [y/n]?y
Do you want to save your current configuration?n
Connection to host lost.
fallback
This command configures the software fallback feature. The no command negates the enabling of the fallback feature.
Syntax
fallback (enable)
no fallback (enable)
• enable - Enables the software fallback feature. If the module fails to boot with the configured "use on boot" image, fallback allows it to boot with the other image. The no command disables the fallback feature.
Example
HPswitch#help
CLI provides advanced help feature. When you need help,
anytime at the command line please press '?'.
If nothing matches, the help list will be empty and you must backup
until entering a '?' shows the available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a
command argument (e.g. 'show ?') and describes each possible
argument.
2.
interface
This command provides an interface selection to configure.
• defaultgateway Configure default gateway
  – A.B.C.D IP gateway address
• dhcp DHCP Server configuration
  – bootp BOOTP specific configuration
    + ignore Configure DHCP Server to ignore BOOTP requests
  – excludedaddress Prevent DHCP Server from assigning certain addresses
    + A.B.C.D Low IP Address
      - A.B.C.
      - static Specify static local->global mapping
        ++ A.B.C.D Inside local IP address (A.B.C.D)
          -- <1-65535> Inside local Port
            +++ tcp Transmission Control Protocol
        ++ A.B.C.D Inside global IP address (A.B.C.D)
          -- <1-65535> Inside global Port
            +++ udp User Datagram Protocol
        ++ A.B.C.D Inside global IP address (A.B.C.D)
          -- <1-65535> Inside global Port
        ++ A.B.C.D Inside global IP address (A.B.C.
        ++ WORD Access list name
          -- interface Select an Interface
            +++ IFNAME Interface Name
      - overload Overload
          -- static Specify static local->global mapping
        ++ A.B.C.D Outside local IP address (A.B.C.D)
          -- A.B.C.D Outside global IP address (A.B.C.D)
            +++ <1-65535> Outside global Port
• route Establish static routes
  – A.B.C.D IP destination prefix
    + A.B.C.D IP destination prefix mask
      - A.B.C.D IP gateway address
  – A.B.C.
licenses
This command configures licensing parameters.
Syntax
licenses (hardwareid | install | uninstall)
• hardwareid Generate a hardware Id for the license registration process.
  – radioports Feature group
• install Install the specified license key.
  – radioports Feature group
    + WORD License key: 44 byte char string encrypted with hardware id
• uninstall Uninstall a set of licenses previously installed on the blade.
logging
This command modifies message logging facilities. The no command negates the logging configuration.
• monitor Set terminal lines logging level
  – <0-7> Logging severity level
  – alerts Immediate action needed (severity=1)
  – critical Critical conditions (severity=2)
  – debugging Debugging messages (severity=7)
  – emergencies System is unusable (severity=0)
  – errors Error conditions (severity=3)
  – informational Informational messages (severity=6)
  – notifications Normal but significant conditions (severity=5)
  – warnings Warning condition
Command Mode
Global
Example
HPswitch#logout
HPswitch#

mac
This command enables configuration of MAC access lists.
Syntax
mac (accesslist)
• accesslist ACL Config
  – extended MAC Extended ACL
    + WORD Name of ACL.
Default Setting
N/A
Command Mode
Global
Example
HPswitch#management
HPswitch#

no
This command enables the user to negate a command or set its defaults.
Syntax
no
Default Setting
N/A
Command Mode
Global
Example
HPswitch#no ntp
HPswitch#

ntp
This command enables the user to configure NTP.
    + <1300-1999> Standard IP access list (expanded range)
  – serve Provide server and query access
    + <1-99> Standard IP access list
    + <1300-1999> Standard IP access list (expanded range)
  – serveonly Provide only server access
    + <1-99> Standard IP access list
    + <1300-1999> Standard IP access list (expanded range)
• authenticate Authenticate time sources
• authenticationkey Authentication key for trusted time sources
  – <1-65534> Key num
        ++ version Configure NTP version
    + prefer Prefer this peer when possible
    + version Configure NTP version
• server Configure NTP server
  – WORD IP address of peer
    + autokey Configure autokey peer authentication scheme
      - prefer Prefer this peer when possible
      - version Configure NTP version
    + key Configure peer authentication key
      - <1-65534> Peer key number
        ++ prefer Prefer this peer when possible
        ++ version Configure NTP version
    + p
Default Setting
Disabled
Command Mode
Global Configuration
Example
HPswitch#configure
HPswitch(config)#password-encryption secret 2 pass
HPswitch(config)#
Related Commands
show password-encryption (page A-145)

proxyarp
This command adds a proxy ARP entry in the ARP database.
Syntax
proxyarp (A.B.C.D)
• A.B.C.D ARP Target IP address
Default Setting
N/A
Command Mode
Global
Example
HPswitch#proxyarp A.B.C.
    + authport UDP port for RADIUS authentication server (default is 1812)
      - <0-65536> Port Number
        ++ key Per-server encryption key (overrides default)
          -- 0 Password is specified UNENCRYPTED
            +++ LINE Text for this server's key, up to 127 characters
          -- 2 Password is encrypted with password-encryption secret
            +++ LINE Text for this server's key, up to 127 characters
          -- LINE Text for this server's key, up to 127 characters
        ++ retransmit Number o
              --- 0 Password is specified UNENCRYPTED
                ++++ LINE Text for this server's key, up to 127 characters
              --- 2 Password is encrypted with password-encryption secret
                ++++ LINE Text for this server's key, up to 127 characters
              --- LINE Text for this server's key, up to 127 characters
        ++ key Per-server encryption key (overrides default)
          -- 0 Password is specified UNENCRYPTED
            +++ LINE Text for this server's key, up to 127 characters
          -- 2 Password is
              --- LINE Text for this server's key, up to 127 characters
        ++ retransmit Number of retries to active server (overrides default)
          -- <0-100> Number of retries to this server for a transaction
            +++ key Per-server encryption key (overrides default)
              --- 0 Password is specified UNENCRYPTED
                ++++ LINE Text for this server's key, up to 127 characters
              --- 2 Password is encrypted with password-encryption secret
                ++++ LINE Text for this server's key, u
redundancy
This command enables the user to configure redundancy group parameters. The no command negates the configuration.
Syntax
redundancy (discoveryperiod | enable | groupid | handlestp | heartbeatperiod | holdperiod | interfaceip | manualrevert | memberip | mode)
• discoveryperiod Set the redundancy discovery interval.
  – <10-60> discovery time in secs (default is 30)
• enable Enable redundancy protocol.
Example
HPswitch#configure
HPswitch(config)#redundancy interfaceip 10.10.1.20
HPswitch(config)#redundancy memberip 10.10.1.
HPswitch(config)#
N/A
Command Mode
Global
Example
HPswitch#service dhcp
HPswitch#

sflow
This command configures or unclaims an sFlow sampling receiver.
Syntax
sflow (<1-3>)
• <1-3> Select one of three possible sFlow receiver tables
  – destination IP address of sFlow collector/management station
    + A.B.C.D IP address (e.g. 10.0.0.1)
          -- 80211toethernet Sampled interfaces will emulate Ethernet interfaces for sFlow collectors and management applications that don't support the sFlow 802.
          -- <50-65535> Specify N, where 1/N is the number of packets sampled
    + RADIO A list (eg: 1,3,7) or range (eg: 3-7) of radio indices
          -- 0 Disable sampling
          -- <50-65535> Specify N, where 1/N is the number of packets sampled
Default Setting
N/A
Command Mode
Global
Example
HPswitch#sflow <1-3> destination A.B.C.D 80211toethernet
HPswitch#

show
This command shows running system information.
• alarm-log Display all alarms currently in the system
  – <1-65535> Display details for specific alarm id
  – acknowledged Display acknowledged alarms currently in the system
  – all Display all alarms currently in the system
  – count Display count of alarms currently in the system
  – new Display new alarms currently in the system
  – severitytolimit Display all alarms having specified or higher severity
    + critical Display all critical alarms
  – config Display DHCP Server configuration
  – status Display whether DHCP Server is running or not
• file Display filesystem information
  – information Display file information
    + FILE Display information on FILE
  – systems List filesystems
• flash Display boot status.
    + vlan Vlan Interface
      - <1-4094> Vlan Id
  – nat Network Address Translation (NAT)
    + interfaces NAT Configuration on Interfaces
    + translations NAT translations
      - inside Inside
        ++ destination Destination
        ++ source Source
      - outside Outside
        ++ destination Destination
        ++ source Source
      - verbose NAT Translations in realtime
  – route IP routing table
    + A.B.C.D Network in the IP routing table to display
    + A.B.C.D/M IP prefix /, e.g.
    + secondary secondary LDAP server
• licenses Installed licenses
  – uninstalled uninstalled licenses
• logging Show logging configuration and buffer
• mac Media Access Control
  – accesslist List MAC access lists
• management Display L3 Management Interface name
• ntp Network time protocol
  – associations NTP associations
    + detail Show detail
  – status NTP Status
• password-encryption password encryption
  – status Display passw
• sflow Display sFlow parameters
  – <1-6> Select one of six possible sFlow receiver tables
    + destination Displays information about the collector/management station to which the sampling/polling data is sent
    + samplingpolling Displays information about sampling and polling
      - <1-1000> A single radio index
      - RADIO A list (eg: 1,3,7) or range (eg: 3-7) of radio indices
  – agent Displays read-only agent information
• snmp Display SNMP engin
      - outdoor radio is placed outdoor
    + 11bg radio is of type 802.
    + ar Argentina
    + at Austria
    + au Australia
    + ba Bosnia Herzegovina
    + be Belgium
    + bg Bulgaria
    + bh Bahrain
    + bm Bermuda
    + br Brazil
    + bs Bahamas
    + by Belarus
    + ca Canada
    + ch Switzerland
    + cl Chile
    + cn China
    + co Colombia
    + cr Costa Rica
    + cy Cyprus
    + cz Czech Republic
    + de Germany
    + dk Denmark
    + do Dominican Republic
    + ec Ecuador
    + ee Estonia
    + eg Egypt
    + es Spain
    + fi Finland
    + fr France
    + gb United Kingdom
    + gr Greece
    + ht Haiti
    + hu Hungary
    + id Indonesia
    + ie Ireland
    + il Israel
    + in India
    + is Iceland
    + it Italy
    + jo Jordan
    + jp Japan
    + kr South Korea
    + kw Kuwait
    + kz Kazakhstan
    + li Liechtenstein
    + lk Sri Lanka
    + lt Lithuania
    + lu Luxembourg
    + lv Latvia
    + ma Morocco
    + mt Malta
    + mx Mexico
    + my Malaysia
    + nl Netherlands
    + no Norway
    + nz New Zealand
    + om Oman
    + pe Peru
    + ph Philippines
    + pk Pakistan
    + pl Poland
    + pt Portugal
    + se Sweden
    + sg Singapore
    + si Slovenia
    + sk Slovak Republic
    + th Thailand
    + tr Turkey
    + tw Taiwan
    + ua Ukraine
    + us United States
    + uy Uruguay
    + ve Venezuela
    + vn Vietnam
    + za South Africa
  – rp Status of adopted radioport
    + <1-48> The index of the radioport for detailed information
    + AA-BB-CC-DD-EE-FF The MAC address of a radioport for detailed information
  – rpimages List of radioport images on the wireless module
    + clients Wired web authentication clients
    + config Wired web authentication configuration parameters
  – wirelessmodulestatistics wirelessmodule statistics
    + detail Detailed wirelessmodule statistics
  – wlan Wireless LAN related parameters
    + config Wlan configuration
      - <1-32> A wlan index <1-32>
      - all All wlans in configuration
      - enabled Only wlans that are currently enabled
    + statistics WLAN statistics
      - <1-32> A wlan index <1-32>
        ++
  – LINE - Identification of the contact person for this managed node.
• enable - Enables SNMP traps.
  – TRAPS - Enable SNMP traps.
    + cluster - Enable cluster traps.
    + miscellaneous - Enable miscellaneous traps.
      - lowFsSpace - Available file system space is lower than the limit.
      - processMaxRestrartsReached - Process has reached max restart.
    + nsm - Enable nsm traps.
      - dhcpIPChanged - DHCP IP changed.
    + snmp - Enable SNMP traps.
        ++ deniedAssocationOnCapability - Wireless station denied association due to unsupported capability.
        ++ deniedAssocationOnErr - Wireless station denied association due to internal error.
        ++ deniedAssocationOnInvalidWPAWPA2IE - Wireless station denied association due to invalid/absent WPA/WPA2 IE.
        ++ deniedAssocationOnRates - Wireless station denied association due to incompatible transmission rates.
        ++ undecrypt-percent-greater-than - Percentage of undecryptable pkts is greater than.
      - wireless-module - Modify wireless-module rate traps.
        ++ num-stations-greater-than - Number of associated stations is greater than.
        ++ pktsps-greater-than - Packets per second is greater than.
        ++ tput-greater-than - Throughput in Mbps is greater than.
• host - SNMP server host.
  – A.B.C.D - SNMP server host IP address.
SNMP v3: enabled
Command Mode
Global Configuration
Example
HPswitch# configure
HPswitch(config)#snmp-server community private restricted
HPswitch(config)#snmp-server contact Paul
HPswitch(config)#snmp-server location 2F R19
Related Commands
show snmp (page A-153)

spanning-tree
This command enables spanning tree commands.
Syntax
spanning-tree (mst)
• mst - Multiple spanning tree.
Default Setting
Enabled
Command Mode
Global Configuration
Example
HPswitch#configure
HPswitch(config)#time 20:32:26
HPswitch(config)#
Related Commands
show time (page A-157)

timezone
This command configures timezone parameters. The no command negates this configuration.
Syntax
timezone (TIMEZONE)
no timezone
• TIMEZONE - File containing the timezone. Enter to traverse through a list of files.
upd-server
This command configures autoinstall update server parameters. The no command negates this configuration.
Related Commands
show upd-server (page A-158)

username
This command configures a user name for login authentication.
Example
HPswitch#username WORD access console
HPswitch#

wireless
This command accesses the wireless context. This section does not detail the commands in the wireless context; refer to the Wireless Context Command Section.
wlan-acl
This command configures the access control list of a WLAN.
Syntax
wlan-acl <1-256>
• <1-256> - WLAN index.
Default Setting
Disabled
Command Mode
Global Configuration
Example
HPswitch#configure
HPswitch(config)#wlan-acl
HPswitch(config)#

Interface Commands
These commands are used to configure the Interface Context commands.
Command              Function                                      Page
[no] description     (Negates) Interface specific description.
Command              Function                                      Page
show                 Detailed in Show Command Section              A-128
support              Detailed in Support Command Section           A-183

description (interface)
This command configures a description for the interface. The no command negates this configuration.
Syntax
description (LINE)
no description
• LINE - Characters describing this interface.
  – A.B.C.D/M - IP address (e.g. 10.0.0.1/8).
  – dhcp - Use DHCP Client to obtain IP address for this interface.
Default Setting
unassigned (DHCP)
Command Mode
Interface Configuration
Example
HPswitch#configure
HPswitch(config)#interface vlan1
HPswitch(config-if)#ip 10.0.0.
mtu
This command sets the MTU value for the VLAN interface.
Syntax
mtu (<512-1500>)
• <512-1500> - MTU in bytes.
Default Setting
N/A
Command Mode
Interface Configuration
Example
HPswitch#configure
HPswitch(config)#interface vlan1
HPswitch(config-if)#mtu 600
HPswitch(config-if)#

Wireless Commands
These commands are used to configure the Wireless Context commands.
Command                  Function                                                                       Page
help                     Detailed in Manager Command Section                                            A-23
ids                      Intrusion detection configuration commands.                                    A-111
logout                   Detailed in Manager Command Section                                            A-23
[no] mac-auth-local      (Negates) Establishes local MAC authentication list.                           A-113
[no] proxy-arp           (Negates) Responds to ARP requests from the RON to WLAN on behalf of stations.  A-114
[no] radio               (Negates) Radio configuration commands.
Example
HPswitch#configure
HPswitch(config)#wireless
HPswitch(config-wireless)#adopt-unconf-radio enable
HPswitch(config-wireless)#

adoption-pref-id
This command configures a preference identifier for this wireless module. All radios configured with this preference identifier are more likely to be adopted by this module. The no command negates this configuration.
Disabled
Command Mode
Wireless Configuration
Example
HPswitch#configure
HPswitch(config)#wireless
HPswitch(config-wireless)#advanced-config enable
HPswitch(config-wireless)#
Related Commands
show running-config (page A-150)

ap-detection
This command configures the periodic detection of nearby access points. The no command disables ap-detection.
Disabled
Command Mode
Wireless Configuration
Example
HPswitch#configure
HPswitch(config)#wireless
HPswitch(config-wireless)#ap-detection approved add 2 any any
HPswitch(config-wireless)#ap-detection enable
HPswitch(config-wireless)#ap-detection timeout 65
HPswitch(config-wireless)#ap-detection max-aps 200
HPswitch(config-wireless)#
Related Commands
show wireless ap-detection-config (page A-162)

dot11-shared-key-auth
This comma
Example
HPswitch(wireless-services-E(config-wireless)#dot11-shared-key-auth enable
HPswitch(wireless-services-E(config-wireless)#
Note: 802.11 shared-key authentication sends a cleartext challenge and its WEP-encrypted response over the air, which hands an eavesdropper a known keystream for the key. Leave it disabled unless a legacy client requires it; open-system authentication with WPA/WPA2 is the stronger choice.

ids
This command configures the Intrusion Detection configuration commands. The no command negates the configuration.
mac-auth-local
This command configures the local MAC authentication list. The no command disables the configuration.
Syntax
mac-auth-local
no mac-auth-local
• <1-1000> - MAC Auth local entry.
  – allow - Allow stations that match this rule to associate.
    + MAC - Starting MAC address in AA-BB-CC-DD-EE-FF format.
      - MAC - Ending MAC address in AA-BB-CC-DD-EE-FF format.
        ++ WORD - A list (eg: 1,3,7) or range (eg: 3-7) of WLAN indices.
Note: a MAC address is not a secret and a station can set its own address to one inside an allow range, so treat the local MAC list as an administrative filter, not as an access control on its own.
proxy-arp
This command responds to ARP requests from the RON to WLAN on behalf of stations. The no command disables the support for the proxy-arp response.
Syntax
proxy-arp (enable)
no proxy-arp enable
• enable - Enables support for proxy ARP.
The radio (<1-1000> | RADIO | all-11a | all-11bg | default-11a | default-11bg) commands share the following parameters:
  – adoption-pref-id - A preference identifier for this radio port. The radio port is more likely to be adopted by a wireless module that is its preferred wireless module.
    + <1-65535> - The ID.
  – antenna-mode - Antenna diversity mode.
    + diversity - Full Diversity (both antennas).
    + primary - Primary Antenna only.
    + <1-1000> - A single radio index.
    + default-11a - Default 11a configuration template.
    + default-11bg - Default 11bg configuration template.
  – detector - Dedicates this radio as a detector. No stations can associate to a detector.
  – dtim-period - DTIM period (number of beacons between successive DTIMs).
    + <1-50> - DTIM period.
  – max-stations - Maximum number of stations allowed to associate.
    + <1-64> - Number of stations.
    - burst - Transmit-opportunity: an interval of time when a particular WMM STA has the right to initiate transmissions onto the wireless medium.
      ++ <0-65535> - The transmit-opportunity in 32 microsecond units.
    - cw - Contention Window parameters: wireless stations pick a number between 0 and the minimum contention window to wait before retrying transmission.
Examples
HPswitch#configure
HPswitch(config)#wireless
HPswitch(config-wireless)#radio 1 adoption-pref-id 5
HPswitch(config-wireless)#radio 1 antenna-mode diversity
HPswitch(config-wireless)#radio 1 beacon-interval 50
HPswitch(config-wireless)#radio 1 channel-power indoor acs 10
Regulatory parameter values depend on country of operation and radio type. Refer to documentation for more regulatory information.
  – retries - The average number of retries to cause a radio to re-run auto channel selection.
    + Number - A decimal number between 0.0 and 15.0.
• neighbor-recovery - Neighbor recovery configuration commands.
  – action - Radio self-healing action when neighbors are detected down.
    + both - Raise the power to max and open all rates.
    + none - Do nothing.
    + open-rates - Open all rates.
    + raise-power - Raise the power to max.
wlan
This command configures the wireless LAN parameters. The no command negates the WLAN parameter configuration.
Syntax
wlan (<1-32> | WLAN)
no wlan
• <1-32> - A single WLAN index.
• WLAN - A list (eg: 1,3,7) or range (eg: 3-7) of WLAN indices.
The wlan (<1-32> | WLAN) commands share the following parameters:
  – authentication-type - The authentication type of this WLAN.
    + eap - EAP authentication (802.1X).
      ++ LINE - A passphrase between 8 and 63 characters long.
        - LINE - A passphrase between 8 and 63 characters long.
    + pmk-caching - Enables the use of cached pairwise master keys (fast roaming with eap/802.1X).
    + tkip-cntrmeas-hold-time - Configures the hold time, in seconds, for which clients are blocked when TKIP countermeasures are taken.
      - <0-65535> - Default is 60. Set to 0 to effectively disable TKIP countermeasures.
    + wmm - 802.11e / Wireless MultiMedia parameters.
      - 8021p - Use 802.1p frame priority (field in the VLAN tag) to determine packet priority.
      - background - Background traffic [DSCP: 0x08, 0x10] [802.1d: 1, 2]
      - best effort - Best effort traffic [DSCP: 0x00, 0x18] [802.1d: 0, 3]
      - dscp - Use DSCP (Differentiated Services Code Point) bits in the IP header to determine packet priority.
      - enable - Enables 802.
      - primary - Primary RADIUS server.
      - secondary - Secondary RADIUS server.
      The primary and secondary commands share these parameters:
        ++ A.B.C.D - RADIUS server IP address.
          - auth-port - RADIUS server authentication port (default: 1812).
            +++ <1024-65535> - RADIUS server authentication port (default: 1812).
          - radius-key - RADIUS server shared secret, up to 127 characters.
            +++ 0 - Password is specified UNENCRYPTED.
    + webpage - Modify web-auth page parameters.
      - external - Modify web-auth External page.
      - internal - Modify web-auth Internal page.
      The external and internal commands share these parameters:
        ++ failure - Users are redirected to this webpage if they fail authentication.
        ++ login - Users are prompted for their username and password on this webpage.
        ++ welcome - Users are redirected to this webpage after they authenticate successfully.
      ++ hex - Keys as hex characters (10 characters for wep64, 26 for wep128).
      The hex and ascii commands share these parameters:
        - 0 - Password is specified UNENCRYPTED.
          +++ WORD - Key (10 hex or 5 ascii characters for wep64, 26 hex or 13 ascii characters for wep128).
        - 2 - Password is encrypted with the password-encryption secret.
          +++ WORD - Key (10 hex or 5 ascii characters for wep64, 26 hex or 13 ascii characters for wep128).
Related Commands
show wireless wlan statistics (page A-181)
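The wlan parameters above (authentication-type, the WEP key forms, the 0/UNENCRYPTED secret form, TKIP countermeasures) together describe what a weak WLAN looks like in this module's output. The script below is an added example, not code from the HP guide: it audits constructed samples of `show wireless wlan config`, `show wireless config` and `show password-encryption status` output, written in the column layouts this reference shows, and lists what a reviewer would flag. The sample text, the cipher names treated as weak and the wording of each finding are assumptions of the example.

```python
"""Audit 'show' output from a ProCurve Wireless Services zl Module for weak
WLAN settings.

Added example, not code from the HP guide.  The three sample outputs below
are constructed to follow the column layouts shown in this reference; the
cipher names treated as weak are an assumption about how the CLI prints them.
"""
import re
from dataclasses import dataclass

# Assumption: cipher names as the CLI prints them in the 'encryption' column.
WEAK_CIPHERS = {"wep64", "wep128", "tkip"}


@dataclass
class Wlan:
    index: int
    enabled: bool
    ssid: str
    auth: str
    enc: str
    target: str  # 'vlan N' or 'tunnel N'


def parse_wlan_config(text: str) -> list[Wlan]:
    """Parse 'show wireless wlan config'.

    An SSID may contain spaces ("SSID 1"), so the fixed columns are read from
    both ends of the row and whatever is left in the middle is the SSID.
    """
    wlans = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or not t[0].isdigit():
            continue  # prompt, header or separator line
        wlans.append(Wlan(index=int(t[0]), enabled=t[1].upper() == "Y",
                          ssid=" ".join(t[2:-4]), auth=t[-4].lower(),
                          enc=t[-3].lower(), target=" ".join(t[-2:])))
    return wlans


def parse_key_values(text: str) -> dict[str, str]:
    """Parse 'name : value' lines such as 'show wireless config' prints."""
    out = {}
    for m in re.finditer(r"^\s*([\w-]+)\s*:\s*(\S.*?)\s*$", text, re.M):
        out[m.group(1)] = m.group(2)
    return out


def audit(wlan_text: str, wireless_cfg_text: str, pw_enc_text: str) -> list[str]:
    """Return one finding per weak setting; disabled WLANs are skipped."""
    findings = []
    for w in parse_wlan_config(wlan_text):
        if not w.enabled:
            continue
        if w.auth == "none" and w.enc == "none":
            findings.append(f"wlan {w.index} '{w.ssid}': open network "
                            f"(no authentication, no encryption) on {w.target}")
        elif w.enc in WEAK_CIPHERS:
            findings.append(f"wlan {w.index} '{w.ssid}': {w.enc} is a broken cipher; "
                            f"move to WPA2 with EAP or a PSK of 8-63 characters")
    cfg = parse_key_values(wireless_cfg_text)
    if cfg.get("dot11-shared-key-auth") == "enabled":
        findings.append("dot11-shared-key-auth is enabled: 802.11 shared-key "
                        "authentication leaks WEP keystream to an eavesdropper")
    if "disabled" in pw_enc_text.lower():
        findings.append("password-encryption is disabled: RADIUS keys and WEP keys "
                        "entered in the 0 (UNENCRYPTED) form are stored in cleartext")
    return findings


# Constructed sample output in the layouts this reference shows.
WLAN_CONFIG = """\
HPswitch(config-wireless)#show wireless wlan config
#  enabled  ssid             authentication  encryption  vlan/tunnel
1  Y        SSID 1           none            none        vlan 1
2  Y        Corp Staff       eap             ccmp        vlan 20
3  Y        Legacy Scanners  none            wep128      vlan 30
4  N        SSID 4           none            none        vlan 1
"""
WIRELESS_CONFIG = """\
country-code          : us
dot11-shared-key-auth : enabled
ap-detection          : enabled
"""
PW_ENC_STATUS = "Password encryption is disabled\n"

if __name__ == "__main__":
    for f in audit(WLAN_CONFIG, WIRELESS_CONFIG, PW_ENC_STATUS):
        print("WARN:", f)
```

Paste real `show` output into the three strings to run it against a module; the parser keys on the row shape (index, Y/N flag, four trailing columns) rather than on column widths, so SSIDs with spaces and `tunnel N` targets are handled.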
wlan-prioritization
This command uses WLAN priority weights to determine packet queueing order. The no command disables this support.
Syntax
wlan-prioritization (enable)
no wlan-prioritization enable
• enable - Enables prioritization across wireless LANs.
Show Commands
These commands are common commands used to display configured parameters in all contexts.
Command              Function                                        Page
Show Commands (All Contexts)                                         A-128
show access-list     Displays IP access lists.                       A-130
show aclstats        Displays ACL statistics.                        A-130
show alarm-log       Displays list of alarms occurring since boot.   A-131
show commands        Shows command lists.                            A-131
show crypto          Displays encryption related commands.
Command                   Function                                                    Page
show privilege            Displays current privileges.
show proxy-arpdb          Displays proxy ARP entries in ARP database.                 A-146
show radius               Displays RADIUS configuration information.                  A-146
show redundancy-group     Displays redundancy group parameters.                       A-150
show redundancy-history   Displays state transition history of the wireless module.
show access-list
This command displays IP access lists.
Example
HPswitch#show aclstats
HPswitch#

show alarm-log
This command displays all alarms since the last boot.
show commands
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show commands
acknowledge alarm-log (all|<1-65535>)
cd (DIR|)
clear alarm-log (new|all|acknowledged|<1-65535>)
clear arp (IFNAME|)
cl
  + securityassociation
    - lifetime
  + transformset
    - WORD - Transform set name or all transform sets
• isakmp - Show ISAKMP
  + policy
    - <1-10000> - Priority
    - all - All isakmp policies
  + sa - All Crypto ISAKMP Security Associations
• key - Authentication key management
  + mypubkey - Show public keys associated with the switch
    - rsa - Show RSA public keys
• map - Crypto maps
  + interface - Crypto
show debug
This command displays debugging settings.
Syntax
show debug
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show debug
debugging is off
HPswitch#

show dhcp
This command displays DHCP server information.
Syntax
show file (information | systems)
  – information - Display file information
    + FILE - Display information on FILE
  – systems - List filesystems
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show file information TESTFILE
flash:TESTFILE: type is text file
HPswitch#
HPswitch#show file systems
File Systems:
  Size(b)    Free(b)    Type      Prefix
                        opaque    system:
  4058112    2691072    flash     nvram:
  5057536    2764800    flash     flash
Example
HPswitch#show flash
Image       Build Date              Install Date
-------------------------------------------------------
Primary     Nov 17 22:16:26 2005    Nov 22 15:18:17 2005
Secondary   Nov 17 22:16:26 2005    Nov 21 13:10:07 2005
Current Boot      : Primary
Next Boot         : Primary
Software Fallback : Enabled
HPswitch#

show ftp
This command displays the ftp server configuration.
Command Mode
Manager
Example
HPswitch#show history
1 show hostname
2 show history
HPswitch#

show hostname
This command displays the network name of the system.
Syntax
show hostname
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show hostname
Configured hostname : Wireless Services
HPswitch#

show interfaces
In the wireless-services context, this command displays interface status and configuration.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show interfaces dnlink
Interface dnlink
  Hardware Type Ethernet, Interface Mode Layer 2, address is 00-01-e6-f5-86-fc
  index=2, metric=1, mtu=1500, (PAL-IF)
  Speed: Admin Auto, Operational 1G, Maximum 1G
  Duplex: Admin Auto, Operational Full
  input packets 1372779, bytes 457008862, dropped 0, multicast packets 0
  input errors 0, leng
  – dhcpvendoroptions - DHCP Option 43 parameters received from DHCP server
  – dns - DNS nameservers
  – domain - Default domain for DNS
  – interface - IP interface status and configuration
    + IFNAME - Interface name
    + tunnel - Tunnel Interface
      - <1-32> - Tunnel Id
    + vlan - Vlan Interface
      - <1-4094> - Vlan Id
  – nat - Network Address Translation (NAT)
    + interfaces - NAT Configuration on Interfaces
    + translations - NAT translations
      - inside - Insid
Examples
HPswitch#show ip arp
IP Address       MAC Address          Interface   Type
192.168.15.1     00-14-bf-bf-72-30    vlan1       dynamic
HPswitch#
HPswitch#show ip dns
68.87.76.178     dynamic
68.87.66.196     dynamic
HPswitch#
HPswitch#show ip domain
IP dns-lookup : Enable
Domain Name   : hsd1.ca.comcast.net.
HPswitch#
HPswitch#show ip interface vlan1
Interface   IP-Address
vlan1       192.168.15.
    + A.B.C.
show licenses
This command displays installed licenses.
Syntax
show licenses (uninstalled)
• uninstalled - Display uninstalled licenses.
Example
HPswitch#show logging
Syslog logging: enabled
Aggregation time: disabled
Console logging: level debugging
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
Log Buffer (0 bytes):
HPswitch#
• password-encryption - Password encryption
  – status - Display password-encryption status

show mac
This command displays the media access control list.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show management
Mgmt Interface: vlan1
HPswitch#

show ntp
This command displays Network Time Protocol (NTP) information.
show password-encryption
This command displays password encryption parameters.
Syntax
show password-encryption (status)
• status - Displays password-encryption status.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show password-encryption status
Password encryption is disabled
HPswitch#
Note: while password encryption is disabled, secrets entered in the 0 (UNENCRYPTED) form, such as RADIUS shared secrets and WEP keys, are kept in the configuration as typed; anyone who can read the running or startup configuration can read them.

show privilege
This command shows the current privilege level.
show proxy-arpdb
This command displays proxy ARP entries in the ARP database.
Syntax
show proxy-arpdb
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show proxy-arpdb
HPswitch#

show radius
This command displays RADIUS configuration information.
Command Mode
Manager
Example
HPswitch#show radius configuration
Radius Server Configuration
---------------------------
Server Status : enabled
Data Source   : local
HPswitch#
• redundancy-group - Display redundancy group parameters
  – runtime - Display runtime redundancy group information.
• redundancy-history - Display state transition history of the wireless module.
Examples: These examples display runtime and group information.
HPswitch#show redundancy-group runtime
Redundancy Group Runtime Information
Redundancy Protocol Version          :
Redundancy Group Authorization Level :
Radio Ports Adopted by Group         :
Radio Ports Adopted by this Module   :
Redundancy State                     : Established
Peer(s) Count                        :
Redundancy Group Connectivity status : 1.
Command Mode
Manager
Example
HPswitch#show redundancy-history
State Transition History
Time                   Event                 Triggered State
---------------------------------------------------------
Apr 25 07:42:30 2006   Redundancy Disabled   Disabled
HPswitch#

show redundancy-members
This command displays redundancy group member parameters.
Syntax
show redundancy-members (A.B.C.D | brief)
  – A.B.C.
show running-config
This command displays the current operating configuration.
Syntax
show running-config (include-factory)
• include-factory - Include the factory defaults.
Example
HPswitch#show running-config
!
! configuration of ProCurveWLANModule Wireless Services version WS.01.03 on Tue6
!
version 1.0
!
no country-code
redundancy group-id 50
redundancy interface-ip 10.10.1.20
redundancy holdtime-period 20
redundancy discovery-period 10
redundancy handle-stp enable
redundancy member-ip 10.10.1.
show securitymgr
This command displays securitymgr event logs.
Syntax
show securitymgr (event-logs)
  – event-logs - Displays securitymgr event log.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show securitymgr event-logs
Event Logs
========================
1> Tue Jan 23 2007 17:30:07: CORRUPT_PACKET: source vlan1: udp: Src 15.29.37.
  + sampling-polling - Displays information about sampling and polling
    - <1-1000> - A single radio index
    - RADIO - A list (eg: 1,3,7) or range (eg: 3-7) of radio indices
• agent - Displays read-only agent information.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show sflow agent
#Version      : 1.3;HP;WS.02.01.24258R
Agent Address : 15.255.124.152
HPswitch#

show snmp
This command displays SNMP engine parameters.
Examples
HPswitch#show snmp user
userName   access   engineId                   Auth   Priv
manager    rw       0000000c000000007f000001   MD5    DES
operator   ro       0000000c000000007f000001   MD5    DES
Note: MD5 authentication and DES privacy are the weakest SNMPv3 choices; prefer SHA authentication and AES privacy where the management station and the module both support them, and give the read-write user a passphrase that differs from the read-only one.
HPswitch#show snmp-server traps
----------------------------------------------------------------------
Global enable flag for Traps  N
----------------------------------------------------------------------
Enable flag status for Individual Traps
-------------------
show snmp-server
This command displays SNMP server information.
Syntax
show snmp-server (traps)
  – traps - Displays trap-enable flags.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show startup-config
! factory default configuration
! prompt to include indication of crash files
support prompt crash-info
! vlan 1 gets an IP address via DHCP
interface vlan1
 ip address dhcp
! web and snmp are enabled to allow the management java applet to function
ip web-management
snmp-server manager v2
snmp-server manager v3
snmp-server user manager v3 en
show time
This command displays the system clock.
Syntax
show time
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show time
Feb 21 16:56:46 2006
HPswitch#

show timezone
This command displays the timezone.
show upd-server
This command displays update server parameters.
Syntax
show upd-server
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show upd-server
Terminal Type: vt100
Length: 24
Width: 80
ProCurve(wireless-services-A)*#show time
Feb 21 16:56:46 2006
ProCurve(wireless-services-A)*#show timezone
Timezone is Etc/UTC
ProCurve(wireless-services-A)*#show upd-server
Unreachable : FALSE
Address     : 0.0.0.
Command Mode
Manager
Example
HPswitch#show upgrade-status
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : Tue Nov 22 15:18:17 2005
HPswitch#show upgrade-status detail
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : Tue Nov 22 15:18:17 2005
-------------------------------------------------------
var2 is 13 percent full
/tmp is 35 percent full
Free Memory 187880 kB
FWU invoked via Linux
Command Mode
Manager
Example
HPswitch#show version
ProCurveWLANModule version WS.01.XX.0551Swami
Copyright (c) 2005 Symbol Technologies, Inc.
Booted from primary.
Switch uptime is 0 days, 2 hours 37 minutes
CPU is AMD Athlon(tm) Processor
256112 kB of on-board RAM
ide device hda disk model TOSHIBA THNCF256MBA capacity 500736 blocks, cache 2
HPswitch#show version verbose
ProCurveWLANModule version WS.01.XX.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show users
Line   PID   User   Uptime     Location
130    vty   0 0    07:26:26   0
HPswitch#

show vlans
This command displays VLAN information.
Show Commands (Wireless)
This section details the show commands pertaining to the wireless parameters.

show wireless ap-detection-config
This command displays the AP detection configuration parameters.
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless approved-aps
0 Approved APs found
Bss Mac             | Rpt Rd | Ch | Last Seen | Ssid
------------------------------------------------------------------------------
00-14-C2-B3-01-70     3        1    0           SSID 1
HPswitch(config-wireless)#

show wireless channel-power
Thi
Example
HPswitch(config-wireless)#show wireless channel-power 11a indoor
Channel          Max Power (dBm)   Radar Detected
36 (5180 MHz)    17
40 (5200 MHz)    17
44 (5220 MHz)    17
48 (5240 MHz)    17
149 (5745 MHz)   20
153 (5765 MHz)   20
157 (5785 MHz)   20
161 (5805 MHz)   20
165 (5825 MHz)   20
HPswitch(config-wireless)#show wireless channel-power 11bg indoor
Channel          Max Power (dBm)
1 (2412 MHz)     20
2 (2417 MHz)     20
3 (2422 MHz)     20
4 (2427 MHz)     20
5
Example
HPswitch(config-wireless)#show wireless config
country-code          : us
adoption-pref-id      : 1
proxy-arp             : disabled
wlan-prioritization   : disabled
adopt-unconf-radio    : enabled
dot11-shared-key-auth : disabled
ap-detection          : enabled
advanced-config       : disabled
HPswitch(config-wireless)#

show wireless country-code-list
This command displays a list of supported country names and two-letter ISO 3166 codes.
show wireless ids
This command displays intrusion detection parameters.
Syntax
show wireless ids (filter-list)
  + filter-list - Displays the list of currently filtered stations.
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(wireless-services E)#show wireless mac-auth-local
show wireless phrase-to-key
This command displays the WEP keys generated from a passphrase.
Syntax
show wireless phrase-to-key (wep128 | wep64)
• wep128 - Displays WEP128 keys.
  – WORD - Passphrase between 4 and 32 characters.
• wep64 - Displays WEP64 keys.
  – WORD - Passphrase between 4 and 32 characters.
Note: a key derived from a short passphrase has far less entropy than a random key of the same length, and WEP itself is broken however the key is chosen; use passphrase-derived WEP keys only where legacy equipment leaves no alternative.
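The page states only that `show wireless phrase-to-key` derives WEP64 or WEP128 keys from a 4 to 32 character passphrase; it does not state the algorithm. The following is an added example, not code from the HP guide: it implements the passphrase generators most vendors' tools share (the Neesus Datacom LCG for WEP64 and MD5 over the repeated passphrase for WEP128) and shows two concrete weaknesses of the WEP64 scheme, a seed that can never use more than 28 of its 32 bits and passphrases that collide to identical keys. That the module's output matches these generators byte for byte is an assumption of the example; the passphrases used are constructed.

```python
"""Passphrase-to-WEP-key generation and why it weakens an already broken cipher.

Added example, not code from the HP guide.  The reference says only that
'show wireless phrase-to-key' derives WEP keys from a 4-32 character
passphrase; it does not state the algorithm.  This implements the generators
most vendors use (the Neesus Datacom LCG for WEP64, MD5 of the repeated
passphrase for WEP128); that the module matches them byte for byte is an
assumption.
"""
import hashlib

LCG_MUL, LCG_INC = 0x343FD, 0x269EC3   # the classic 32-bit LCG constants


def check_passphrase(passphrase: str) -> bytes:
    """Enforce the 4-32 character ASCII passphrase the CLI documents."""
    data = passphrase.encode("ascii")
    if not 4 <= len(data) <= 32:
        raise ValueError("passphrase must be 4 to 32 characters")
    return data


def wep64_seed(passphrase: str) -> int:
    """Fold the passphrase into a 32-bit little-endian seed by XOR, one byte
    into each of four slots in turn.  ASCII bytes never set bit 7, so seed
    bits 7, 15, 23 and 31 are always clear (at most 28 bits can vary), and any
    two passphrases whose bytes XOR to the same four slot values collide."""
    seed = bytearray(4)
    for i, b in enumerate(check_passphrase(passphrase)):
        seed[i & 3] ^= b
    return int.from_bytes(seed, "little")


def wep64_keys(passphrase: str) -> list[bytes]:
    """Four 40-bit keys: step the LCG and take bits 16-23 of each state."""
    x = wep64_seed(passphrase)
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            x = (x * LCG_MUL + LCG_INC) & 0xFFFFFFFF
            key.append((x >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def wep128_key(passphrase: str) -> bytes:
    """One 104-bit key: MD5 over the passphrase repeated to 64 bytes, first
    13 bytes.  Because of the repetition, 'aaaa' and 'aaaaaaaa' give the same key."""
    data = check_passphrase(passphrase)
    buf = (data * (64 // len(data) + 1))[:64]
    return hashlib.md5(buf).digest()[:13]


def colliding_passphrase(passphrase: str) -> str:
    """Return a different passphrase with the same WEP64 seed: characters at
    positions 0 and 4 land in the same seed slot, so swapping them leaves
    every slot's XOR unchanged and the derived keys identical."""
    data = check_passphrase(passphrase)
    if len(data) < 5 or data[0] == data[4]:
        raise ValueError("need at least 5 characters with data[0] != data[4]")
    swapped = bytearray(data)
    swapped[0], swapped[4] = data[4], data[0]
    return swapped.decode("ascii")


if __name__ == "__main__":
    p = "swordfish"                                     # constructed passphrase
    print("wep64 keys :", [k.hex() for k in wep64_keys(p)])
    print("wep128 key :", wep128_key(p).hex())
    q = colliding_passphrase(p)
    print(f"{q!r} derives the same WEP64 keys:", wep64_keys(q) == wep64_keys(p))
```

The collision and the 28-bit bound follow from the seed construction alone, so they hold for any implementation of this generator; they are the reason a passphrase-derived WEP64 key is even cheaper to brute-force than its 40 bits suggest.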
Default Setting
N/A
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show
DSCP value: 0 1 2 3 4 5 6 7 24 25 8 9 10 11 12 13 14 15 16 17 32 33 34 35 36 37 38 39 40 41 48 49 50 51 52 53 54 55 56 57
802.
  – unadopted - List of unadopted radios
  + rp - Status of an adopted radio port.
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch#show wireless radio-status
#    Radio Port MAC       Start BSS            Radio   State    Channel    Pwr
1]   00-14-C2-A0-1B-3E    00-14-C2-A0-8F-A4    11bg    normal   1 (rnd)
2]   00-14-C2-A0-1B-3E    00-14-C2-A0-CF-F0    11a     normal   48 (rnd)
3]   00-14-C2-A0-0B-EC    00-14-C2-A0-4E-EC    11bg    normal   11 (rnd)
4]   00-14-C2-A0-0B
  + co - Colombia
  + cr - Costa Rica
  + cy - Cyprus
  + cz - Czech Republic
  + de - Germany
  + dk - Denmark
  + do - Dominican Republic
  + ec - Ecuador
  + ee - Estonia
  + eg - Egypt
  + es - Spain
  + fi - Finland
  + fr - France
  + gb - United Kingdom
  + gr - Greece
  + gt - Guatemala
  + gu - Guam
  + hk - Hong Kong
  + hn - Honduras
  + hr - Croatia
  + ht - Haiti
  + hu - Hungary
  + id - Indonesia
  + ie - Ireland
  + il - Israel
  + in - India
  + is - Iceland
  + it - Italy
  + jo - Jordan
  + jp - Japan
  + kr - S
  + lt - Lithuania
  + lu - Luxembourg
  + lv - Latvia
  + ma - Morocco
  + mt - Malta
  + mx - Mexico
  + my - Malaysia
  + nl - Netherlands
  + no - Norway
  + nz - New Zealand
  + om - Oman
  + pe - Peru
  + ph - Philippines
  + pk - Pakistan
  + pl - Poland
  + pt - Portugal
  + qa - Qatar
  + ro - Romania
  + ru - Russia
  + sa - Saudi Arabia
  + se - Sweden
  + sg - Singapore
  + si - Slovenia
  + sk - Slovak Republic
  + th - Thailand
  + tr - Turkey
  + tw - Taiwan
  + ua - Ukraine
  + us - United States
  + u
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless regulatory us
802.11a Outdoor
  Channels   : 52 56 60 64 149 153 157 161 165
  Power(dBm) : 20 20 20 20 20  20  20  20  20
802.11a Indoor
  Channels   : 36 40 44 48 52 56 60 64 149 153 157 161 165
  Power(dBm) : 17 17 17 17 20 20 20 20 20  20  20  20  20
802.
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless rp
Number of radio-ports adopted : 2
Available licenses            : 34
Clustering enabled            : N
Clustering mode               : active
#   Mac                  Radios [indices]   Model Number
1   00-14-C2-A0-1B-3E    2 [ 1 2 ]          ProCurve Radio Port 230
2   00-14-C2-A0-0B-EC    2 [ 3 4 ]          ProCurve Radi
Example
HPswitch(config-wireless)#show wireless rp-images
Idx   Image-File            Version         Release Date   Size (bytes)
1     ProCurve-200-Series   00.02-27 [00]   04 Feb 2006    293320
HPswitch(config-wireless)#

show wireless rp-unadopted
This command displays a list of unadopted radio ports.
Default Setting
N/A
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless self-heal-config
interference-avoidance : disabled
retries                : 14.
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless station
Number of stations associated: 0
HPswitch(config-wireless)#

show wireless unapproved-aps
This command displays the unapproved APs seen by radio-port scans.
Example
HPswitch(config-wireless)#show wireless unapproved-aps
Detected 32 unapproved APs (from 32 AP scan reports)
Bss Mac             | Rpt Rd | Ch | dBm | Last Seen | SSID
----------------------------------------------------------------
00-14-C2-A5-2C-F0     1        6    -46   0 secs      J1
00-14-C2-B3-01-70     1        6    -40   0 secs      SSID 1
00-30-AB-28-7F-11     1        6    -49   0 secs      wireless-g
HPswitch(config-wireless)#

show wireless web-auth-config
This comm
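The unapproved-aps table is the raw material for rogue AP triage, and the two things worth pulling out of it are a foreign BSSID advertising one of your own SSIDs (an evil twin) and a strong-signal unknown AP that is probably on the premises. The script below is an added example, not code from the HP guide: it parses constructed `show wireless approved-aps` and `show wireless unapproved-aps` output in the column layouts shown on this page, drops rows whose BSSID is already approved (the page's own example shows an approved BSSID turning up in a scan), and ranks the rest. The -60 dBm threshold, the category names and the sample rows are assumptions of the example.

```python
"""Triage 'show wireless unapproved-aps' against 'show wireless approved-aps'.

Added example, not code from the HP guide.  The two outputs below are
constructed in the column layouts shown in this reference.  The -60 dBm
'strong signal' threshold and the finding categories are assumptions of the
example, not module behaviour.
"""
import re
from dataclasses import dataclass

MAC = r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
# approved-aps row: Bss Mac | Rpt Rd | Ch | Last Seen | Ssid
APPROVED_ROW = re.compile(MAC + r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
# unapproved-aps row: Bss Mac | Rpt Rd | Ch | dBm | Last Seen | SSID (may be empty/hidden)
UNAPPROVED_ROW = re.compile(
    MAC + r"\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(\d+)\s+secs(?:\s+(.*?))?\s*$")


@dataclass
class Finding:
    kind: str      # 'ssid-spoof', 'strong-unknown' or 'weak-unknown'
    bssid: str
    ssid: str
    dbm: int
    channel: int


def parse_approved(text: str) -> dict[str, str]:
    """Return {bssid: ssid} from 'show wireless approved-aps' rows."""
    out = {}
    for line in text.splitlines():
        m = APPROVED_ROW.match(line.strip())
        if m:
            out[m.group(1).upper()] = m.group(5)
    return out


def parse_unapproved(text: str) -> list[tuple[str, int, int, str]]:
    """Return (bssid, channel, dbm, ssid) from 'show wireless unapproved-aps' rows."""
    rows = []
    for line in text.splitlines():
        m = UNAPPROVED_ROW.match(line.strip())
        if m:
            rows.append((m.group(1).upper(), int(m.group(3)), int(m.group(4)),
                         m.group(6) or ""))
    return rows


def triage(approved_text: str, unapproved_text: str, strong_dbm: int = -60) -> list[Finding]:
    """Classify each unapproved BSS and order the result worst first."""
    approved = parse_approved(approved_text)
    our_ssids = set(approved.values())
    findings = []
    for bssid, ch, dbm, ssid in parse_unapproved(unapproved_text):
        if bssid in approved:
            continue                    # our own BSS seen by another radio's scan
        if ssid in our_ssids:
            kind = "ssid-spoof"         # our SSID from a BSSID we do not own
        elif dbm >= strong_dbm:
            kind = "strong-unknown"     # loud enough to be inside the building
        else:
            kind = "weak-unknown"
        findings.append(Finding(kind, bssid, ssid, dbm, ch))
    rank = {"ssid-spoof": 0, "strong-unknown": 1, "weak-unknown": 2}
    findings.sort(key=lambda f: (rank[f.kind], -f.dbm))
    return findings


# Constructed sample output in the layouts this reference shows.
APPROVED = """\
HPswitch(config-wireless)#show wireless approved-aps
2 Approved APs found
Bss Mac             | Rpt Rd | Ch | Last Seen | Ssid
------------------------------------------------------------
00-14-C2-B3-01-70     3        1    0           SSID 1
00-14-C2-A0-8F-A4     1        6    0           Corp Staff
"""
UNAPPROVED = """\
HPswitch(config-wireless)#show wireless unapproved-aps
Detected 5 unapproved APs (from 5 AP scan reports)
Bss Mac             | Rpt Rd | Ch | dBm | Last Seen | SSID
----------------------------------------------------------------
00-14-C2-A5-2C-F0     1        6    -46   0 secs      J1
00-14-C2-B3-01-70     1        6    -40   0 secs      SSID 1
00-30-AB-28-7F-11     1        6    -49   0 secs      wireless-g
00-1A-2B-3C-4D-5E     2        11   -38   3 secs      Corp Staff
00-1A-2B-3C-4D-5F     2        11   -82   120 secs
"""

if __name__ == "__main__":
    for f in triage(APPROVED, UNAPPROVED):
        print(f"{f.kind:14} {f.bssid} ch {f.channel:2} {f.dbm:4} dBm  ssid={f.ssid!r}")
```

An SSID match is a stronger signal than RSSI alone: a neighbour's AP can be loud, but nothing legitimate should beacon your SSID from a BSSID you do not own. Hidden-SSID rows (no SSID column at all) are kept rather than dropped, since a rogue is as likely as not to hide its name.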
Example
HPswitch(config-wireless)#show wireless web-auth-config
WLAN: 1
status: disabled
description:
ssid: SSID 1
Page-Location: internal
Radius Server Parameters:
primary server :
IP address: 0.0.0.0
authentication-port: 1812
radius-key:
secondary server :
IP address: 0.0.0.
Example
HPswitch(config-wireless)#show wireless wireless-module-statistics
stations Associated : 0
Radios adopted : 4
------ Traffic -------------------------------------------------------
                       Total              Rx                 Tx
                     ----------------  ----------------  ----------------
                     30s       1hr     30s       1hr     30s       1hr
Pkts per sec:        0.00      0.00    0.00      0.00    0.00      0.00  pps
Throughput (Mbps):   0.00      0.00    0.00      0.00    0.00      0.00
Avg bit speed:       0.00      0.00    0.
% Non-unicast pkts:
Command Mode
Manager Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless wlan config
#  enabled  ssid    authentication  encryption  vlan/tunnel
1  N        SSID 1  none            none        vlan 1
2  N        SSID 2  none            none        vlan 1
3  N        SSID 3  none            none        vlan 1
4  N        SSID 4  none            none        vlan 1
5  N        SSID 5  none            none        vlan 1
6  N        SSID 6  none            none        vlan 1
7  N        SSID
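One defender-side use of the unapproved-AP report and the WLAN table shown above, as an added example that is not ProCurve code: parse both outputs and flag any unapproved BSS that advertises one of the module's own enabled SSIDs, the case an operator should follow up as a misconfigured AP or a possible evil twin. The CLI outputs embedded in the code are constructed samples laid out like the page's output; the MAC addresses, SSIDs, the rssi_floor threshold and all function names are assumptions.

```python
"""Cross-check the module's unapproved-AP report against its own WLAN table.

Added example, not ProCurve/HP code. Both CLI outputs below are constructed
samples laid out like the `show wireless unapproved-aps` and
`show wireless wlan config` output on this page; MACs, SSIDs and the
RSSI threshold are made up for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `show wireless unapproved-aps` output.
UNAPPROVED_APS_OUTPUT = """\
Detected 5 unapproved APs (from 5 AP scan reports)
Bss Mac           | Rpt Rd | Ch | dBm | Last Seen | SSID
----------------------------------------------------------------
00-14-C2-A5-2C-F0   1        6    -46   0 secs      J1
00-14-C2-B3-01-70   1        6    -40   0 secs      SSID 1
00-30-AB-28-7F-11   1        6    -49   0 secs      wireless-g
00-30-AB-99-00-01   3        11   -71   5 secs      SSID 2
00-30-AB-99-00-02   3        11   -88   40 secs     SSID 2
"""

# Constructed sample of `show wireless wlan config` output.
WLAN_CONFIG_OUTPUT = """\
#  enabled  ssid    authentication  encryption  vlan/tunnel
1  Y        SSID 1  none            none        vlan 1
2  Y        SSID 2  802.1X          ccmp        vlan 20
3  N        SSID 3  none            none        vlan 1
"""

# One data row of the unapproved-AP table: MAC, reporting radio, channel,
# dBm, "N secs", then the SSID (which may contain spaces, so it comes last).
_AP_ROW = re.compile(
    r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\d+)\s+(\d+)\s+(-?\d+)"
    r"\s+(\d+ secs)\s+(.+)$"
)
# One data row of the WLAN table; the ssid column is matched lazily up to
# the next run of two or more spaces so that names like "SSID 1" survive.
_WLAN_ROW = re.compile(
    r"^(\d+)\s+([YN])\s+(.+?)\s{2,}(\S+)\s{2,}(\S+)\s{2,}(.+)$"
)


@dataclass(frozen=True)
class UnapprovedAp:
    bssid: str
    reporting_radio: int
    channel: int
    dbm: int
    last_seen: str
    ssid: str


def parse_unapproved_aps(text: str) -> list[UnapprovedAp]:
    """Return one UnapprovedAp per data row; header and rule lines are skipped."""
    aps = []
    for line in text.splitlines():
        m = _AP_ROW.match(line.strip())
        if m:
            aps.append(UnapprovedAp(m[1].upper(), int(m[2]), int(m[3]),
                                    int(m[4]), m[5], m[6].strip()))
    return aps


def parse_enabled_ssids(text: str) -> set[str]:
    """Return the SSIDs of WLANs whose 'enabled' column is Y."""
    return {m[3].strip() for line in text.splitlines()
            if (m := _WLAN_ROW.match(line.strip())) and m[2] == "Y"}


def find_ssid_spoofs(aps, our_ssids, rssi_floor=-75):
    """Unapproved BSSs advertising one of our enabled SSIDs, strongest first.

    A match seen at usable signal strength deserves an operator's attention
    (a misconfigured AP or an evil twin); matches weaker than rssi_floor are
    dropped as likely distant neighbours using the same name.
    """
    hits = [ap for ap in aps if ap.ssid in our_ssids and ap.dbm >= rssi_floor]
    return sorted(hits, key=lambda ap: ap.dbm, reverse=True)


if __name__ == "__main__":
    found = parse_unapproved_aps(UNAPPROVED_APS_OUTPUT)
    ours = parse_enabled_ssids(WLAN_CONFIG_OUTPUT)
    for ap in find_ssid_spoofs(found, ours):
        print(f"{ap.bssid} ch {ap.channel} {ap.dbm} dBm advertises our SSID "
              f"'{ap.ssid}' (radio {ap.reporting_radio}, {ap.last_seen} ago)")
```

The same parser works on a saved copy of the real command output, since the constructed samples keep the page's column layout.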
ProCurve Wireless Services zl Module Command Line Reference
Support Commands

These commands are common commands used for advanced support duties in all contexts.

Command                                            Function                               Page
Support Commands (All Contexts)
support clear (all | cores | dumps | panics | pm)  Displays command history for switch.  A-184
support copy tech-support URL                      Displays resets the functions.         A-184
[no] support diag (enable | period)                (Negate) Configures diagnostics.
Support Commands (All Contexts)
This section details the support commands available to all contexts.

support clear
This command resets the functions.
Syntax
support clear (all | clitree | cores | dumps | panics | pm)
• all - Removes all core, dump, panic, and pm files.
• clitree - Removes clitree.html.
• cores - Removes all core files.
• dumps - Removes all dump files.
ftp://:@/path/file
scp://@/path/file
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#support copy tech-support tftp://192.168.1.10/testfile
HPswitch#

support diag
This command configures diagnostics. The no command negates the diagnostics.
    – <0-65535> - Buffer usage warning limit.
  + <64> - 64k byte buffer limit.
    – <0-65535> - Buffer usage warning limit.
  + <8> - 8k byte buffer limit.
    – <0-65535> - Buffer usage warning limit.
• fan - Fan speed limit.
  + <1> - Fan number.
    – low - Low speed limit.
      ++ <1000-15000> - Limit value.
• filesys - File system free-space limit.
• inodes - File system inodes limit.
• load - Aggregate processor load.
Example
HPswitch#support diag enable
HPswitch#

support diag-shell
This command provides diagnostic shell access. The no command negates the shell access.
Syntax
support diag-shell
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#support diag-shell
Diagnostic shell started for testing
diag >

support encrypt
This command encrypts a password or key.
Command Mode
Manager
Example
HPswitch#support encrypt secret 2 Word plaintest LINE
HPswitch#

support pm
This command supports the process monitor. The no command negates the process configuration.
Syntax
support pm (max-sys-restarts | sys-restart)
• max-sys-restarts - Maximum number of times PM will restart the system because of failure.
  – <1-5> - Number of system restarts.
Command Mode
Manager
Example
HPswitch#support prompt crash-info
HPswitch#

support save-cli
This command saves the CLI tree for all modes in HTML format.
Syntax
support save-cli
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#support save-cli
CLI command tree is saved as clitree.html. This tree can be viewed via web at http:///cli/clitree.
Default Setting
command-history (200), reboot-history (50), and upgrade-history (50)
Command Mode
Manager
Example
HPswitch#support set command-history 100
HPswitch#

support show
This command shows running system information.
  + all - All processes.
• process - Displays process activity in real time.
• reboot-history - Shows reboot history.
• rp - Radio-port serviceability parameters.
  – adopt-history - Radio-port adopt-history.
    + XX-XX-XX-XX-XX-XX - Radio-port MAC.
• startup-log - Shows startup log.
• temperature - Displays CPU temperature.
• upgrade-history - Shows upgrade history.
• wireless - Shows wireless parameters.
HPswitch#support show info
4.0M out of 4.0M available for logs.
6.7M out of 8.2M available for history.
3.5M out of 4.8M available for crashinfo.
List of Files:
/flash/crashinfo/ccsrvr.dump     0      Nov 1 09:57
/var/log/messages.log            0      Feb 27 09:09
/var/log/startup.log             11.2k  Feb 27 09:09
/var2/history/command.history    834    Feb 27 15:17
/var2/history/reboot.history     3.4k   Feb 27 09:09
/var2/history/upgrade.history    1.
ProCurve Wireless Services zl Module Command Line Reference
Support Commands (Wireless)

This section details the support commands available for the Wireless parameters.

support wireless dump-core
This command creates a core file of the ccsrvr process.
Syntax
support wireless dump-core
Default Setting
Enabled
Command Mode
Manager
Example
HPswitch(config-wireless)#support wireless dump-core
HPswitch(config-wireless)#

support wireless dump-state
This command creates a ccsrvr.
support wireless rate-scale
This command enables wireless rate scaling. The no command negates the configuration of the wireless parameters.
Syntax
support wireless rate-scale
no support wireless rate-scale
• rate-scale - Enable wireless rate scaling (default).
B License Statements The Apache Software License, Version 1.1 Copyright (C) 1999 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
License Statements BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
License Statements for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6.
License Statements all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used.
License Statements HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.
License Statements CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
License Statements ---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) ----Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
License Statements Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
License Statements * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Sparta, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
License Statements THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
License Statements Copyright (c) 2000-2004 Dug Song All rights reserved, all wrongs reversed. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
License Statements LInux LOader (LILO) program code, documentation, and auxiliary programs are Copyright 1992-1998 Werner Almesberger. Copyright 1999-2004 John Coffman. All rights reserved. License ------Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
License Statements Copyright (c) 1998-2003,2004 Free Software Foundation, Inc.
License Statements THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
License Statements zlib.h -- interface of the 'zlib' general purpose compression library version 1.2.3, July 18th, 2005 Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler This software is provided "AS IS", without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
License Statements As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".
License Statements NO WARRANTY -----------BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
License Statements 3) ssh-keyscan was contributed by David Mazieres under a BSD-style license. Copyright 1995, 1996 by David Mazieres . Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact. 4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license: version 3.
License Statements are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
License Statements Chris Adams Corinna Vinschen Cray Inc. Denis Parker Gert Doering Jakob Schlyter Jason Downs Juha YrjMichael Stone Networks Associates Technology, Inc. Solar Designer Todd C. Miller Wayne Schroeder William Jones Darren Tucker Sun Microsystems Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
License Statements notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp b) snprintf replacement Copyright Patrick Powell 1995 This code is based on code written by Patrick Powell (papowell@astart.
License Statements HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Some code is licensed under an ISC-style license, to the following copyright holders: Internet Software Consortium. Todd C.
License Statements MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
License Statements Protocol Distribution Version 4 and are acknowledged as authors of this work. 1. [1]Mark Andrews Leitch atomic clock controller 2. [2]Bernd Altmeier hopf Elektronik serial line and PCI-bus devices 3. [3]Viraj Bais and [4]Clayton Kirkwood port to WindowsNT 3.5 4. [5]Michael Barone GPSVME fixes 5. [6]Jean-Francois Boudreault
License Statements 27.[30]Craig Leres 4.4BSD port, ppsclock, Magnavox GPS clock driver 28.[31]George Lindholm SunOS 5.1 port 29.[32]Louis A. Mamakos MD5-based authentication 30.[33]Lars H. Mathiesen adaptation of foundation code for Version 3 as specified in RFC-1305 31.[34]Danny Mayer Network I/O, Windows Port, Code Maintenance 32.[35]David L. Mills
License Statements Copyright (c) 2004-2005 by Internet Systems Consortium, Inc.
License Statements development, and available for ALPHA testing. So for your protection as much as mine, I'd prefer that it not appear in a some distribution --especially not a CD-ROM distribution! The most recent officially distributed version can be found at http://e2fsprogs.sourceforge.net. If you need to make a distribution, that's the one you should use. If there is some reason why you'd like a more recent version that is still in ALPHA testing for your distribution, please contact me (tytso@mit.
License Statements want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
License Statements (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program).
License Statements These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
License Statements means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
License Statements so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
License Statements this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
License Statements To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
License Statements Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library.
License Statements want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it.
License Statements changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such.
License Statements The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".
License Statements charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
License Statements version instead if you wish.) notices. Do not make any other change in these Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4.
License Statements unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6.
License Statements d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it.
License Statements distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions.
License Statements 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13.
License Statements Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker.
License Statements THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
License Statements and as a part of the software program in whole or part. Users may copy or modify Sun RPC without charge, but are not authorized to license or distribute it to anyone else except as part of a product or program developed by the user. SUN RPC IS PROVIDED "AS IS" WITH NO WARRANTIES OF ANY KIND INCLUDING THE WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
License Statements Carnegie Mellon University Pittsburgh PA 15213-3890 or Software.Distribution@CS.CMU.EDU any improvements or extensions that they make and grant Carnegie Mellon the rights to redistribute these changes. The file if_ppp.h is under the following CMU license: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
License Statements Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
License Statements followed. 2. Redistributions of source code must retain the authors' copyright notice(s), this list of conditions, and the following disclaimer. 3. Redistributions in binary form must reproduce the authors' copyright notice(s), this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. 4. [The copyright holder has authorized the removal of this clause.] 5.
License Statements Copyright (c) 2001, Dr Brian Gladman, Worcester, UK. All rights reserved. LICENSE TERMS ------------The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer 2.
License Statements sFlow License LICENSE AGREEMENT PLEASE READ THIS LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE REPRODUCING OR IN ANY WAY UTILIZING THE sFlow(R) SOFTWARE ("SOFTWARE") AND/OR ANY ACCOMPANYING DOCUMENTATION ("DOCUMENTATION") AND/OR THE RELATED SPECIFICATIONS ("SPECIFICATIONS"). YOUR REPRODUCTION OR USE OF THE SOFTWARE AND/OR THE DOCUMENTATION AND/OR THE SPECIFICATIONS CONSTITUTES YOUR ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS AGREEMENT.
License Statements "Trademark" means InMon's "sFlow(R)" trademark. 2. License Grant. 2.1 Software, Documentation and Specifications License Grant.
License Statements In the event InMon determines that Licensee is not complying with its obligations under clauses (i)-(v) above, InMon shall notify Licensee of such non-compliance, and if Licensee fails to correct such noncompliance within three (3) months, InMon may immediately terminate this Agreement as provided under paragraph 7 below and pursue any and all actions and remedies as it deems necessary, including, but not limited to breach of contract. 3. Ownership.
License Statements 7. Term and Termination. The term of this Agreement will begin on the Effective Date, which shall be deemed to be the date of delivery of the Software and/or Documentation and/or specifications to Licensee, and shall continue indefinitely unless and until terminated by Licensee's giving written notice of termination to InMon, or by InMon pursuant to InMon's termination rights as set forth in Section 2.3 above.
License Statements 8.5 Choice of Law and Forum. This Agreement shall be governed by and construed under the laws of the State of California, without giving effect to such state's conflict of laws principles.
License Statements InMon Corp. 580 California Street, 5th Floor, San Francisco, CA 94104 Phone: (415) 283-3260 URL: www.inmon.com Email: info@inmon.
Index Numerics 5400zl Series See wireless services-enabled switch 802.11 frame types … 1-56 management frames … 1-56 overview … 1-54 802.11 replay attack … 12-58 802.11a defined … 1-54 radio adoption defaults for … 3-9 802.11b defined … 1-55 radio adoption defaults for … 3-9 802.11g 802.11g only … 3-16 defined … 1-55 radio adoption defaults for … 3-9 802.11h … 1-55 802.
viewing statistics … 7-29 action ID … 7-30 details … 7-30 protocol ID … 7-30 times used … 7-30 ACS See auto-channel select active mode for redundancy group … 1-78, 10-4 address resolution table … 6-17 adoption automatic versus manual … 2-70 failure, reasons for … 1-78 Layer 2 auto-provisioning … 2-58 connecting RP to infrastructure switch … 2-59 connecting RP to wireless services-enabled switch … 2-58 network requirements for … 2-58 Layer 3 compared to Layer 2 … 2-57 customizing RPs’ DNS request … 2-68 defa
encryption options with … 4-48 local MAC … 4-34, 12-75 MAC standard ACL … 1-40 open-key … 4-49 options for WLAN … 1-24 RADIUS MAC … 1-28, 4-43 See also 802.1X See also MAC authentication See also Web-Auth shared-key … 4-75 Web-Auth … 1-26, 4-39, 5-2 authentication failure attack … 12-58 auto-channel select configuring for specific radio … 3-32 configuring in radio adoption defaults … 3-13 running … 3-37, 3-41 auto-provisioning … 1-8, 2-58 B basic rate settings 802.
enabling on WLAN … 4-65 primary WLAN and … 1-62 command line interface See CLI configuration files deleting … 2-97 managing … 2-86 startup-config, returning to factory defaults … 2-98 transferring … 2-89 viewing … 2-87 contention window See CW Max See CW Min counter polling defined … 13-3 interval … 13-16 manually activating … 13-14 country code … 2-136, 3-4 CRL uploading … 2-187 CW Max defined … 4-92 radio … 4-108 station … 4-104 CW Min defined … 4-92 radio … 4-108 station … 4-104 D decryption attack … 12
servers adding … 6-19 deleting … 6-21 domain name system See DNS domain proxy RADIUS server settings for … 11-30 specifying … 11-28 downlink port … 1-7, 1-8 DTIM period defined … 3-23 different value for each BSSID … 3-34 specifying for specific radio … 3-34 specifying in radio adoption defaults … 3-24 dynamic DNS … 6-41 client update … 6-43 server update … 6-43 Dynamic Frequency Selection … 1-55 Dynamic Host Configuration Protocol See DHCP pool See DHCP relay See DHCP requests … 6-22 See DHCP server … 6-22
defined … 13-2 manually activating … 13-11 rate … 13-13 sample size … 13-14 See also sFlow FTP server external downloading files from … 2-89 saving files to … 2-93 internal … 2-32 G group internal RADIUS … 11-12 See also RADIUS database group attribute … 11-24 group filter … 11-23 group membership attribute … 11-24 H hardware ID … 2-128 help, online … 2-14 hidden stations defined … 3-21 setting RTS threshold for radio adoption defaults … 3-22 specific radio … 3-33 high availability See redundancy group ho
default DNS request … 2-64
DHCP option 189 … 2-65
DNS lookup … 2-67
network requirements for … 2-62
of radio ports … 1-68
RP requirements for … 2-63
verifying … 2-69
Layer 3 device
  module as a … 6-3
Layer 3 mobility
  configuration steps … 9-15
  dynamic VLANs with … 9-15
  enabling … 9-20
  enabling on a WLAN … 9-18
  IDM location domain with … 9-7
  IP address, for local module … 9-16
  monitoring stations … 9-26, 12-10
  overview … 9-6
  peers
    adding … 9-19
    messages to and from … 9-23
    monitoring … 9-22
  tunneling with … 9-
standard IP ACL … 7-16
module statistics
  button … 12-27
  screen … 12-34
multicast address … 4-113
multicast key … 4-56
My ProCurve Web Portal
  registering on … 2-127

N

NAT
  applying to an interface … 8-24
  configuration steps … 8-24
  defining interface for … 8-24
  destination
    configuring … 8-33
    uses … 8-9
  dynamic
    ACL for … 8-22, 8-28
    configuring … 8-26
    overloaded interface … 8-28
    port address translation … 8-8
    uses … 8-5
  global address
    defined … 8-4, 8-12
    specifying for destination … 8-36
    specifying for source …
encryption in config … 2-105
roaming and … 2-106
See also key
Web browser interface … 2-11
password attribute … 11-23
PKI … 1-45
PMK caching
  defined … 9-3
  enabling … 4-58, 9-14
  required for pre-authentication … 9-14
PoE … 1-75
port address translation … 8-8
  See also NAT
port authentication … 1-74
power over Ethernet … 1-75
power save
  DTIM period … 3-23, 3-34
  viewing station support for … 12-5
pre-authentication
  enabling … 4-58, 9-14
  overview … 9-3
  PMK caching required for … 9-14
precedence
  ACLs, for …
adoption
  automatic … 2-70
  boot code for … 2-65
  DNS name for Layer 3 … 2-68
  in redundancy group … 10-5
  Layer 2 … 2-58
  Layer 3 … 2-62
  manual … 2-70, 2-72
adoption preference ID … 3-19
BSSIDs … 1-60
configuring … 3-5
deleting, or unadopting … 3-40
deployment requirements … 1-75
detector mode for radio … 1-63
failure … 12-89
licenses … 1-50, 2-122
  additive … 1-51, 2-122
  hardware ID … 2-128
  installing … 2-127, 2-128
  license key … 2-128
  radio port … 2-135
  redundancy group and … 10-6
  registration ID … 2-128
  uninst
basic … 3-16
cell size and … 3-45
specifying for specific radio … 3-32
specifying in radio adoption defaults … 3-15
supported … 3-16
re-authentication … 4-38, 4-46
reconnaissance attack … 12-58
redundancy
  software image failover … 2-81, 2-83
redundancy group … 1-76
  active mode … 10-4
    RP adoption … 10-5
  configuration mode context … 10-9
  configuring … 10-11
  defined … 10-3
  enabling … 10-16
  example of … 10-4
  failover capabilities explained … 10-2
  history of events … 10-21
  licenses for RPs … 10-6
  members
    adding
hierarchy … 2-139
overview … 2-138
peer mode … 2-139
Secure Shell access … 2-24
security
  adopting RPs as detectors … 3-11
  authentication … 4-33
  encryption … 1-32, 4-19, 4-47
  for management access … 2-24
  See also authentication
  See also encryption
  WLAN … 4-33
self healing … 12-89
  interference avoidance … 12-100
    See also interference avoidance
  neighbor recovery … 12-89
    See also neighbor recovery
  offset
    radio adoption defaults … 3-24
    specific radio configuration … 3-33
serial session
  accessing CLI through … 2-
defined … 7-3
source address filter … 7-16
standby mode for redundancy group … 1-78, 10-5
startup-config
  factory default … 2-86
  returning, to factory defaults … 2-98
  saving changes in CLI … 2-23
  saving changes to … 2-12, 2-13
  viewing … 2-88
stateful ACLs … 7-2
static index (radio) … 1-67, 3-30
static NAT
  configuring … 8-29
  overview and uses … 8-8
station See wireless station
station intrusion detection
  overview … 12-58
  reporting to SNMP server … 12-60
  thresholds … 12-59
  time to filter … 12-60
  viewing blocke
dynamic or user-based
  considerations for … 4-87
  enabling … 4-87
  prohibited … 4-32
  tagging on uplink port … 4-88
  Web-Auth with … 5-9
dynamic-based or user-based authentication
  required … 4-87
  for Web-Auth … 5-9
IP address
  assigning … 6-5
  editing … 6-7
  maximum … 6-3
  uses … 6-3
Radio Port … 1-8
radio port
  automatic creation of … 2-58
tagging on uplink port … 4-86
tagging the uplink port … 1-18
uplink … 1-12, 4-33, 4-88
user-based or dynamic … 1-36
viewing, with IP addresses … 6-7, 6-10
WLAN mapped to … 4-30, 4
roles … 2-41
WEP
  dynamic (802.
enabling on a WLAN … 4-95
overview … 4-91
prioritization … 1-48, 3-46
priority queuing … 4-92
QoS mapping … 4-108
queue parameters
  customizing for radios (adoption defaults) … 4-106
  customizing for radios (specific) … 4-106
  customizing for stations … 4-102
  defined … 4-92
  viewing stations’ … 4-100
RP parameters … 3-47
RP to wireless station … 4-93
viewing station support for … 12-9
wireless station to RP … 4-94
WPA/WPA2
  802.