Management and Configuration Guide ProCurve Wireless Edge Services zl Module and ProCurve Redundant Wireless Services zl Module www.procurve.
ProCurve Wireless Edge Services zl Module and ProCurve Redundant Wireless Services zl Module August 2007 WT.01.
© Copyright 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents (excerpt; entries without a page number are cut off in the extracted text)

1 Introduction
  Contents  1-1
  ProCurve Wireless Edge Services zl Module  1-4
    Wireless Networks and WLANs  1-5
    The Interface Between the Wireless and Wired Networks  1-7
      Communicating with RPs: Radio Port VLANs
  Traffic Management and QoS  1-46
    SVP  1-48
    WMM  1-48
    WLAN Classification  1-49
    Voice Prioritization
  Layer 2 and Layer 3 Roaming Between RPs and Modules  1-81
    Roaming Between RPs on a Single Wireless Edge Services zl Module  1-81
    Roaming Between RPs on Different Wireless Edge Services zl Modules at Layer 2  1-82
    Roaming Between RPs on Different Wireless Edge Services zl Modules at Layer 3

2 (chapter title not recovered)
  Controlling Management Access to the Module  2-27
    Enabling HTTP and HTTPS Access to the Module  2-27
    Choosing SNMP Versions  2-29
    Setting Up the Internal FTP Server  2-32
    Changing the Password for the Default SNMP v3 Users (Operator or Manager)  2-35
    Configuring Web-Users
  Configuration Files  2-86
    Viewing Configuration Files  2-87
    Transferring, or Copying, Files  2-89
      Transferring Configuration Files from an FTP or TFTP Server to the Wireless Edge Services zl Module
  Setting System Information: Name, Time, and Country Code  2-136
  Enabling Secure Network Time Protocol (NTP)  2-138
    Secure NTP Overview  2-138
      NTP Modes and Communications  2-139
      NTP Hierarchy  2-139
      Secure NTP Enhancements

3 Radio Port Configuration
  Contents  3-1
  Overview  3-2
  Country-Code and Regulatory Procedures  3-4
  Configuring Radio Settings

4 (chapter title not recovered)
  Advanced Mode Configuration  4-11
    Why Use Advanced Mode  4-12
    Enabling WLANs Using Advanced Mode Configuration  4-13
    Using Normal and Advanced Mode Together  4-22
    Changing from Advanced Mode to Normal Mode Configuration  4-23
  Configuring a WLAN
  WMM  4-91
    Prioritization with WMM  4-92
    Enabling WMM on a WLAN  4-95
    Changing the Protocol that Prioritizes Traffic and Enabling Admission Control  4-97
    Viewing Station WMM Parameters

6 IP Services: IP Settings, DHCP, and DNS
  Contents  6-1
  IP Settings  6-3
    Viewing VLAN Interfaces and Enabling Secure Management  6-4
    Assigning an IP Address to a VLAN  6-5
    Deleting the IP Address Assigned to a VLAN

7 Access Control Lists (ACLs)
  Contents  7-1
  Overview  7-2
    Stateful ACLs  7-2
    ACL Types

8 (chapter title not recovered)
  NAT Implementation Methods  8-5
    Dynamic, or Many-to-One, NAT  8-5
      Dynamic NAT for Wireless Traffic  8-5
      Dynamic NAT for Wired Traffic  8-7
      Port Address Translation for Dynamic NAT  8-8
    Static, or One-to-One, NAT

9 (chapter title not recovered)
  Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X  9-12
  Configuring Layer 3 Mobility  9-15
    Configuring Layer 3 Mobility Settings  9-16
    Specifying Layer 3 Mobility Peers  9-19
    Enabling Layer 3 Mobility

10 (chapter title not recovered)
  Setting up Adoption Preference IDs to Control RP Adoption  10-24
    Configure an Adoption Preference for the Module  10-28
    Configure an Adoption Preference for Targeted Radios  10-28
    Configure an Adoption Preference for Newly Adopted Radios  10-30
  Reverting RPs Adopted by a Standby Member to the Active Member

12 Wireless Network Management
  Contents  12-1
  Overview  12-3
  Monitoring the Wireless Network  12-4
    Wireless Stations  12-4
      Viewing Wireless Stations
  Logging and Alarms  12-63
    Configuring Logging  12-64
      Enabling Logging  12-64
      Forwarding Logs to an External Server  12-65
      Viewing Events in the Local Log File

13 sFlow Agent
  Contents  13-1
  Overview  13-2
    Flow Sampling by the sFlow Agent  13-2
    Counter Polling by the sFlow Agent  13-3
    sFlow Receiver
Introduction

ProCurve Wireless Edge Services zl Module

The ProCurve Wireless Edge Services zl Module transforms a ProCurve Switch 5400zl Series or ProCurve Switch 8200zl Series into a wireless services-enabled switch. Together with one or more radio ports (RPs), this wireless services-enabled switch creates a Wireless LAN System. With its default RP license, each Wireless Edge Services zl Module can support up to 12 RPs (for a total of 24 radios).
Among other functions, the Wireless Edge Services zl Module:
■ manages a set of wireless LANs (WLANs), each of which is identified by a service set identifier (SSID) and defines various network and security policies
■ receives traffic from wireless stations via RPs and places this traffic into the correct VLAN to be forwarded into the wired network
■ adopts connecting RPs and automatically deploys configurations to them
Depending on how you config
The Wireless Edge Services zl Module acts as the Wireless LAN System’s brain. The RPs produce the wireless signal, but the module enforces wireless authentication, generates and encrypts wireless frames, and sets all other policies in the Wireless LAN System as a whole. A large part of the Wireless Edge Services zl Module’s duties lie in establishing the settings for WLANs.
Note: Although you configure the Wireless Edge Services zl Module to assign WLAN traffic to a particular VLAN, a WLAN in the wireless network does not necessarily have a one-to-one relationship with a VLAN in the Ethernet network. The module can tag traffic received from several WLANs for the same VLAN. Conversely, by implementing user-based VLANs, the module can tag traffic from different stations in the same WLAN for different VLANs.
Communicating with RPs: Radio Port VLANs

The Wireless Edge Services zl Module uses a Radio Port VLAN to send traffic to and receive traffic from the RPs it adopts. The RPs are designed to isolate traffic that they transmit into your network until the Wireless Edge Services zl Module can control this traffic. An RP encapsulates each wireless frame, leaving the 802.11 header and any encryption intact, and forwards it to the module on the Radio Port VLAN.
Figure 1-1 shows the VLAN tagging if auto-provisioning remains enabled on the wireless services-enabled switch.

Figure 1-1. Auto-Provisioned Radio Port VLANs

Note: If, for whatever reason, you do not want an RP placed in the default Radio Port VLAN, you can manually create a different Radio Port VLAN on the wireless services-enabled switch. (In this case, you should turn off auto-provisioning.)
Manually Establishing a Radio Port VLAN. If you connect an RP to an infrastructure switch instead of directly connecting it to the wireless services-enabled switch, you must manually establish the Radio Port VLAN on that infrastructure switch. The wireless services-enabled switch still uses auto-provisioning to create VLAN 2100 and tag the module’s internal downlink port for this VLAN.
Although it is usually a good idea to use auto-provisioning on the wireless services-enabled switch and to create the same Radio Port VLAN on the infrastructure switches that directly connect to RPs, you can use any valid VLAN numbers for Radio Port VLANs. Simply remember to tag the Wireless Edge Services zl Module’s downlink port for that VLAN. In Figure 1-3, the network administrator has decided to use VLAN 300 for one of the RPs.
Note: You might also need to perform some configuration tasks on the wireless services-enabled switch, such as raising the maximum number of VLANs. (See the management and configuration guide for your zl switch.)

Dynamically Establishing a Radio Port VLAN. If the RP authenticates itself to a RADIUS server, this server may send a dynamic VLAN assignment to the switch to which the RP connects.
By default, the only uplink VLAN is VLAN 1, and the module’s internal uplink port is tagged for this VLAN. As for any switch port, you must tag the uplink port for other VLANs if you want the module to forward network traffic in those VLANs. The Wireless Edge Services zl Module never forwards untagged traffic to the wireless services-enabled switch. However, you do not have to tag the uplink for every VLAN that you create on the module.
Figure 1-5 illustrates a network in which the Wireless Edge Services zl Module assigns traffic from WLAN 1 to VLAN 24, a VLAN reserved for wireless traffic. In this network, the wireless station receives an IP address from the module’s internal DHCP server, and the module routes the station’s traffic to servers in the private, Ethernet network.

Figure 1-5.
3. The module assigns the traffic to the VLAN specified in that station’s association.
4. The module determines whether it is acting as the router for this traffic and takes action accordingly:
   a. If the module is acting as router (that is, the frame’s destination MAC address belongs to the module), the module looks up the route for the packet’s destination.
2. The module applies controls to the traffic, if any are configured. The controls can include:
   • a user-based ACL or rate-limit assigned by ProCurve IDM
   • a manual IP or MAC extended ACL applied to the uplink port
   • a manual IP ACL applied to the VLAN interface
3. The module creates the correct 802.11 frame, drawing on information specified in the association with the destination station. The module also encrypts the frame, if necessary.
4.
Wireless Edge Services zl Module Operations

The downlink port does not have an IP address; it is tagged for the Radio Port VLAN, and the module does not require an IP address on this VLAN. The Wireless Edge Services zl Module operates at Layer 2 on its downlink port. On the downlink port, the module receives encapsulated 802.11 frames. It decapsulates and processes these frames and then bridges them to an Ethernet subnetwork (VLAN).
Determining the Layer 3 Services Your Wireless Edge Services zl Module Should Provide

When you are designing your network, you must consider which operations you want the Wireless Edge Services zl Module to perform on wireless and wired traffic. The answer often lies in the degree to which you want to separate wireless traffic from your Ethernet network.
Reserving VLANs for Wireless Users

On the other hand, wireless networks are different from wired networks: different in the services that they provide and different in the level of trust that they inspire. You might use your wireless network to grant access to limited services, such as only email and the Internet. You might open the wireless network to guests and less trusted users.
On the other hand, you might want the Wireless Edge Services zl Module itself to route, filter, and otherwise control traffic. In this case, follow this design:
■ Have the Wireless Edge Services zl Module map a WLAN to a VLAN reserved for wireless stations. (Or set up dynamic VLAN assignments for wireless users.)
■ Terminate that VLAN on the module. In other words, do not tag the module’s uplink port for the VLAN.
■ Enable routing on the module.
Figure 1-8. Reserving VLANs for Wireless Stations: Wireless Edge Services zl Module Routes

Reserving VLANs for Wireless Users in a Network with Multiple Wireless Edge Services zl Modules

A network that has more than one Wireless Edge Services zl Module introduces another factor that you must consider: roaming between the modules.
Note: The instructions in the rest of this section are based on the assumption that the same VLAN ID corresponds to the same subnetwork throughout your network. This assumption is usually, but not always, true. The important consideration for roaming is that modules assign traffic in the same WLAN to the same subnetwork. Sometimes, however, your network design makes it impossible for modules to forward traffic on the same subnetworks.
Figure 1-9. Designing VLANs for a Wireless Network That Includes Multiple Modules

Now that you have considered the services that your Wireless Edge Services zl Module should provide, you can start to look at individual services in more detail. The following sections describe the capabilities of the module, including, in addition to the Layer 3 services introduced above, the module’s many capabilities in securing and managing the wireless network.
DHCP Services

The Wireless Edge Services zl Module can provide one of these DHCP services on any VLAN interface to which you have assigned a static IP address:
■ DHCP server: The module issues configurations (which are stored in a network pool) to stations in the VLAN. You can configure up to one network pool for each VLAN. You can also create host pools, each of which contains a fixed address for a single device.
A Wireless Edge Services zl Module supports three types of authentication:
■ 802.1X authentication
■ Web-Auth
■ RADIUS MAC authentication
Alternatively, the Wireless Edge Services zl Module can allow stations to connect to a WLAN without authenticating formally. In this case, an encryption key usually acts as a password. The authentication types are implemented as part of a WLAN’s settings.
3. The station and the authentication server authenticate each other (the exact process differs, depending on the EAP method they choose). The Wireless Edge Services zl Module receives the EAP messages from the wireless station (via the RP) and repackages them as RADIUS messages for the RADIUS server. Conversely, the module extracts EAP messages for the wireless station from RADIUS messages from the server.
4.
Figure 1-10 illustrates the Web-Auth process.

Figure 1-10. Web-Auth Process

After users authenticate, the Wireless Edge Services zl Module can control users’ network access with dynamic ACLs stored in the external RADIUS server’s database (perhaps configured with software such as ProCurve IDM). You can also control the VLAN associated with Web-Auth with manual ACLs.
You can add either WEP or WPA/WPA2 encryption to a WLAN that uses Web-Auth. Users must then know the encryption key in order to connect to the network and even reach the login page.

MAC Authentication. The Wireless Edge Services zl Module can also control which wireless stations connect to a WLAN according to their MAC, or hardware-based, addresses. This option is best suited for small networks and for devices without user interfaces.
The module processes ACLs in order of index number, stopping when it first finds a match. It filters out any stations selected by a deny list before these stations associate with a particular WLAN. The module allows all stations either selected by an allow list or not selected by any list to associate. Whether the station can forward traffic in the WLAN depends on whether it completes any further authentication required by the WLAN.
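The first-match rule above has a practical consequence: a deny entry whose address falls inside an earlier, broader allow entry can never fire. The following Python model of that evaluation order, with a small audit for such shadowed entries, is an added example and not the module's own code; the entry format, index values and MAC addresses are constructed for illustration.

```python
"""Station-admission ACL evaluation modelled on the behaviour described in the
text: entries are processed in index order, the first match wins, a station
matched by a deny list is rejected before it associates, and a station matched
by an allow list or by no entry at all may associate.  Whether it can then
forward traffic still depends on the WLAN's own authentication."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' (any case) to an integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class AclEntry:
    index: int                     # processing order: lowest index is checked first
    action: str                    # "allow" or "deny"
    start_mac: str                 # single address, or first address of a range
    end_mac: Optional[str] = None  # last address of a range; None = single MAC

    def bounds(self) -> Tuple[int, int]:
        lo = mac_to_int(self.start_mac)
        hi = mac_to_int(self.end_mac) if self.end_mac else lo
        return lo, hi

    def matches(self, mac: str) -> bool:
        lo, hi = self.bounds()
        return lo <= mac_to_int(mac) <= hi


def evaluate(entries: List[AclEntry], mac: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry).  First match wins; a station
    selected by no entry is allowed to associate, reported as ("allow", None)."""
    for entry in sorted(entries, key=lambda e: e.index):
        if entry.matches(mac):
            return entry.action, entry.index
    return "allow", None


def shadowed_entries(entries: List[AclEntry]) -> List[int]:
    """Audit helper (an addition, not a module feature): indexes of entries whose
    whole address range is already covered by a single earlier entry, so they can
    never match.  A deny hidden behind a broad allow is the classic mistake."""
    ordered = sorted(entries, key=lambda e: e.index)
    shadowed = []
    for pos, entry in enumerate(ordered):
        lo, hi = entry.bounds()
        for earlier in ordered[:pos]:
            elo, ehi = earlier.bounds()
            if elo <= lo and hi <= ehi:
                shadowed.append(entry.index)
                break
    return shadowed


# Constructed sample list: a broad allow for one vendor prefix, with a single
# deny placed before it (effective) and a single deny placed after it (shadowed).
SAMPLE_ACL = [
    AclEntry(10, "deny", "00:11:22:33:44:55"),
    AclEntry(20, "allow", "00:11:22:00:00:00", "00:11:22:ff:ff:ff"),
    AclEntry(30, "deny", "00:11:22:33:44:66"),
]

if __name__ == "__main__":
    for station in ("00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:ff"):
        print(station, evaluate(SAMPLE_ACL, station))
    print("shadowed entries:", shadowed_entries(SAMPLE_ACL))
```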
■ 802.1X with EAP: The module acts as the 802.1X authenticator, and the external RADIUS server is the authentication server. The Wireless Edge Services module has been certified for these EAP methods:
  • EAP-Transport Layer Security (TLS)
  • EAP-Tunneled TLS (TTLS)
  • PEAP with Microsoft CHAP version 2 (MS-CHAP v2)
  • EAP-Subscriber Identity Module (SIM)
  • EAP-Generic Token Card (GTC)
In 802.
■ LDAP-compliant server: The Wireless Edge Services zl Module can bind to a Lightweight Directory Access Protocol (LDAP)-compliant server. The LDAP-compliant server stores the login credentials, and you configure the module to bind to the server and perform searches for a user’s password and group. The group configuration in the module’s local database determines when wireless users can connect and the VLAN to which they are assigned.

EAP Methods.
Table 1-1 compares EAP methods and the support that the Wireless Edge Services zl Module provides for them.

Table 1-1.
WEP did not succeed at creating per-frame keys for several reasons that are beyond the scope of this overview to describe. You simply need to know that, in an enterprise setting, you should always use the more secure WPA or WPA2. WPA requires TKIP, a protocol that implements key mixing to successfully create per-frame keys.
Table 1-2 lists the encryption options that are available with each authentication option.

Table 1-2. Options for Authentication and Encryption on the Wireless Edge Services zl Module
(columns: Authentication Option, Encryption Options, Name of Security Provided)

802.1X
• dynamic WEP
• WEP with 64-bit or 128-bit keys
• WPA/WPA2 with 802.1X
• WPA/WPA2:
  – with TKIP
  – with AES
  – with both TKIP and AES (802.
Controlling Traffic with Policies

To this point, the overview of the Wireless Edge Services zl Module’s security capabilities has focused on the security that the module provides in the wireless network.
The Wireless Edge Services zl Module can read these attributes from an external RADIUS server:
■ VLAN assignment
■ ACL
■ rate limit, which applies to ingress traffic (traffic from the wireless station to the network)
Remember that the Wireless Edge Services zl Module can also act as a RADIUS server. The module supports only dynamic VLAN assignments on its internal RADIUS server.
If you are using your Wireless Edge Services zl Module’s internal RADIUS server, you can set this user-based policy: VLAN ID.

Controlling Traffic Manually. You can also control traffic according to manually created rules on the Wireless Edge Services zl Module; however, such policies are generally less flexible.
Wireless Edge Services zl Module Firewall

The section above introduced you to the idea of controlling traffic with policies. The Wireless Edge Services zl Module’s firewall is one of the components that helps you to do so. The module’s firewall examines routed packets.
You should take these steps to ensure that a firewall screens traffic between a WLAN and your private, wired network:
1. Map the WLAN to a VLAN ID that exists only on the Wireless Edge Services zl Module (or possibly on this module and other modules that support the same WLAN).
2. Enable routing on the Wireless Edge Services zl Module. The module should route all wireless traffic destined to the private network.
Figure 1-14. Setting up VLANs to Ensure the Firewall Checks Wireless Traffic

ACLs. In addition to screening traffic for signs of an attack, the Wireless Edge Services zl Module’s firewall can enforce policies that you create. These policies are called ACLs, and they affect traffic inbound on an interface.

Note: IP ACLs applied to VLAN interfaces only affect traffic routed to another VLAN. ACLs applied to physical interfaces affect all inbound traffic.
MAC extended ACLs, like MAC standard ACLs, filter traffic according to information in the Layer 2 header. However, the extended ACL provides many more options for filters, including destination MAC address, 802.1p priority value, and the type of encapsulated protocol. For example, you can permit IPv4 traffic but drop IPv6 traffic. The IP ACLs operate at Layer 3. A standard IP ACL filters traffic according to source IP address only.
■ The Wireless Edge Services zl Module receives the traffic on its uplink port from the wireless services-enabled switch; the traffic is tagged for the VLAN interface.
You can apply one IP ACL and one MAC extended ACL to each physical interface. The two physical interfaces are the internal uplink and downlink ports. The ACL applies to all traffic that arrives on the port in any VLAN.
NAT. NAT, another function the Wireless Edge Services zl Module’s firewall offers, modifies addresses in packets’ IP headers. The module supports NAT on both source addresses and destination addresses. The Wireless Edge Services zl Module has the following capabilities:
■ Dynamic source NAT with port mapping: The module translates multiple source addresses to a single new address, which is one of the module’s own IP addresses.
Uses for NAT. Typically, NAT works at the interface between two networks controlled by separate entities. For example, you are probably familiar with how NAT functions on the Internet. The NAT device sits between your private network and the Internet. It intercepts packets sent from the private network to the Internet, changing all private source addresses to a single public IP address that is known on the Internet.
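The many-to-one translation just described only works because the port mapping records, per connection, which private station a reply belongs to; a packet arriving at the shared address with no matching entry has nowhere to go. The following Python model of dynamic source NAT with port mapping is an added example, not the module's implementation; the addresses, port pool and table layout are assumed for illustration.

```python
"""Dynamic (many-to-one) source NAT with port mapping, as the text describes
for the module's firewall: every private source address is rewritten to one of
the module's own addresses, and a per-connection port mapping lets the reply
be delivered back to the right station.  Constructed example; the module's real
tables and port ranges are not documented here and are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicSourceNat:
    """One public address shared by many private hosts, distinguished by port."""

    def __init__(self, public_ip: str, first_port: int = 10000, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # (private src ip, src port, dst ip, dst port) -> translated source port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (translated port, remote ip, remote port) -> (private src ip, src port)
        self._inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network: reuse the mapping for an
        existing connection, otherwise allocate the next free port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._outbound.get(key)
        if port is None:
            if self._next_port > self._last_port:
                raise RuntimeError("NAT port pool exhausted")
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving at the public address.  Only a reply that
        matches an existing mapping (same remote address and port) is forwarded;
        anything else has no translation and is returned as None, i.e. dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        original = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if original is None:
            return None
        private_ip, private_port = original
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Constructed scenario: two wireless stations on a VLAN reserved for
    wireless traffic (addresses assumed) reach the same server through one
    public address; a genuine reply is mapped back, an unsolicited packet is not."""
    nat = DynamicSourceNat("203.0.113.5")
    out1 = nat.translate_outbound(Packet("10.24.0.11", 40000, "192.0.2.80", 443))
    out2 = nat.translate_outbound(Packet("10.24.0.12", 40000, "192.0.2.80", 443))
    reply = nat.translate_inbound(Packet("192.0.2.80", 443, "203.0.113.5", out2.src_port))
    stray = nat.translate_inbound(Packet("198.51.100.9", 5555, "203.0.113.5", 10002))
    return out1, out2, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```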
PKI and Digital Certificates

The Wireless Edge Services zl Module’s security capabilities often require it to authenticate itself with a digital certificate and the data it sends with a digital signature. Digital signatures, created by a public-private key pair, authenticate data. To create the digital signature, a key pair relies on asymmetric encryption, which means that data encrypted by a private key is decrypted by the corresponding public key.
You can load these certificates to the module from an FTP server, a TFTP server, or the local disk of the management station. Before creating a certificate or certificate request, the Wireless Edge Services zl Module must generate a public/private key pair. The module can create Rivest-Shamir-Adleman (RSA) keys of between 1024 and 2048 bytes. Each certificate can use a unique key pair, or multiple certificates can share a key pair.
The Wireless Edge Services zl Module manages wireless traffic with several QoS mechanisms, ensuring that each type of traffic receives the necessary level of service. The module supports the following QoS protocols, which you can enable on a WLAN-to-WLAN basis:
■ SpectraLink Voice Priority (SVP)
■ priority queuing based on WMM or on a WLAN classification
These protocols improve QoS in the wireless network.
This chapter will discuss these features at a high level; to learn how to configure them, see Chapter 4: “Wireless Local Area Networks (WLANs).”

SVP

SVP maintains a high QoS in the wireless network, specifically for VoWLAN devices that are SVP-capable. SVP is implemented in wireless phone handsets, wireless APs, and SpectraLink servers. This IEEE 802.
Figure 1-17. Enabling WMM on a WLAN

For more instruction on configuring these settings, see Chapter 4: “Wireless Local Area Networks (WLANs)” and Chapter 3: “Radio Port Configuration.”

WLAN Classification

WMM allows RPs to queue frames according to priority marking. Alternatively, RPs can place all traffic that is destined to stations associated with a particular WLAN in the same queue.
WFQ

The Wireless Edge Services zl Module queues traffic outbound to RPs according to the RP and the WLAN to which it is destined. Each different WLAN on each different RP has its own queue.

Management Capabilities and sFlow

You can manage the ProCurve Wireless Edge Services zl Module through either a command line interface (CLI) or its intuitive Web browser interface.
You can purchase two types of additive licenses:
■ a license which allows the Wireless Edge Services zl Module to adopt 12 additional RPs
■ a license which allows the Wireless Edge Services zl Module to adopt 48 additional RPs
You can install any combination of these licenses. The Wireless Edge Services zl Module can adopt a maximum of 156 radios. For networks that require between 12 and 48 RPs, purchase additive 12 RP Licenses.
For example, suppose you install an additive 48 RP License on a Wireless Edge Services zl Module so that it can adopt 60 RPs. Later, you decide that a different module should support additional RPs. You uninstall the additive license from the first module and install it on the second. In other words, if you need to move RPs within your network, you can move RP licenses instead of moving an entire module.
Introduction Radio Ports Radio Ports Because the RPs are a critical component of the wireless network—establishing the actual radio signal and transmitting wireless traffic to and from stations—you should understand how these RPs function. The Wireless Edge Services zl Module can manage the following ProCurve RPs: ■ RP 210—includes one 802.11bg radio. The radio has two omnidirectional diversity antennas. ■ RP 220—includes two radios, one 802.11a and one 802.11bg.
802.11 Overview 802.11 is the IEEE standard for wireless networks. It specifies Physical Layer standards such as radio channel frequencies and the modulation techniques used to encode data. At the Data Link Layer, the standard also specifies the format for 802.11 frames. At its most fundamental level, an 802.11 network can be defined as a set of devices that communicates over the same medium.
The 802.11a standard enables data rates from 6.0 Mbps to 54 Mbps, depending on the quality of the signal level. Overhead and competition for the shared medium often lowers actual throughput to about half the theoretical data rate. The second radio on the RP 220 and on the RP 230 supports 802.11a. 802.11b. This standard defines the Physical Layer for wireless networks that operate in the 2.4 GHz band—one of the radio bands available to any private entity.
Many countries require support for 802.11h as a condition of using certain 802.11a channels. These countries operate military radar on those channels; 802.11h allows private radios to share the channels without interfering with the military radar. The second radio on the RP 220 and on the RP 230 supports 802.11a. 802.11 Frames In addition to Physical Layer standards, 802.11 defines Data Link Layer standards. 802.
Figure 1-18. BSS A BSS operates in infrastructure mode, which means that instead of communicating with each other, wireless stations communicate with an RP. This is the typical mode for a wireless network used to grant mobile users access to an Ethernet network, as well as the mode in which the ProCurve RPs operate. (See Figure 1-19.
A wireless station must send all traffic to its RP. However, the RP can then forward the traffic to another station in the BSS. For tighter security, you can block these inter-station communications entirely, or you can force them to pass through the Wireless Edge Services zl Module, where ACLs can be applied. See “Controlling Inter-Station Traffic” on page 4-63 of Chapter 4: “Wireless Local Area Networks (WLANs).” Figure 1-19.
Figure 1-20. ESS Similarly, when configuring the Wireless Edge Services zl Module, you are often more interested in the WLAN to which users connect than in the particular RP to which a user connects at any given moment. SSID Versus BSSID As indicated above, the SSID identifies a group of BSSs that make up a single WLAN. All frames transmitted in a WLAN are marked with this SSID.
It is important to understand the relationship between SSIDs and BSSIDs. An SSID identifies a WLAN; the two are connected with a one-to-one correspondence. As a MAC address, a BSSID identifies an RP in that WLAN— one of the perhaps many RPs that offer wireless stations a connection to that WLAN. Like switches that can carry traffic for multiple VLANs, most RPs, including the ProCurve RPs, can support multiple WLANs, each of which is identified by its own SSID.
The two radios on a single RP generally support the same WLANs, as shown in Table 1-5. However, using advanced mode configuration, you can enable different WLANs on an RP’s two built-in radios; in this case, a single RP with two radios can support up to 32 WLANs. Using advanced mode configuration raises several concerns that are discussed in Chapter 4: “Wireless Local Area Networks (WLANs).
If the RP supports multiple WLANs, it may send different beacons, each containing a different SSID. However, the RP can transmit only as many different beacon frames as it has BSSIDs. This means that even if a ProCurve RP supports more than four WLANs, it can advertise only the first four. For example, WLAN 1 and WLAN 5 have been assigned to the same BSSID. The RP advertises the SSID for WLAN 1 in the beacon frame from that BSSID, but not the SSID for WLAN 5.
■ It receives authentication requests, which the Wireless Edge Services zl Module forwards to the authentication server. ■ It receives association requests from wireless stations, which it forwards to the Wireless Edge Services zl Module for response. ■ It receives data traffic from associated wireless stations and forwards this traffic to an upstream Ethernet device, or if permitted, to other wireless stations. ■ It forwards return traffic to associated wireless stations.
You can configure two types of detectors to search for these unauthorized APs: ■ single-channel detector ■ dedicated detector The single-channel detector listens passively for beacons from APs. It listens only on its own radio channel and can simultaneously respond to association requests from wireless stations. The dedicated detector, on the other hand, does not respond to association requests from wireless stations.
■ Advanced radio settings—You will learn more about these options in Chapter 3: “Radio Port Configuration.” ■ WLAN assignment—When you enable a WLAN, the Wireless Edge Services zl Module automatically configures radios to support that WLAN. It creates a radio configuration that specifies which SSIDs should be assigned to which of the radio’s BSSIDs. Note If you use advanced mode configuration, then you must manually specify the WLAN assignment for a radio configuration.
Table 1-6. Factory Default Settings for Radio Adoption Default Configurations

Setting                  | 802.11a                                            | 802.11bg
Placement                | Indoors                                            | Indoors
Channel                  | Random                                             | Random
Power                    | Depends on country code                            | Depends on country code
Rate settings (in Mbps)  | Basic: 6, 12, 24; Supported: 6, 9, 12, 18, 24, 36, | Basic: 1, 2, 5.5, 11; Supported: 1, 2, 5.
Table 1-7. Radio Adoption Default Configuration WLAN Assignment

Setting  | 802.11a / 802.11bg
BSSID 1  | SSIDs for: WLAN 1 (5, 9, 13)
BSSID 2  | SSIDs for: WLAN 2 (6, 10, 14)
BSSID 3  | SSIDs for: WLAN 3 (7, 11, 15)
BSSID 4  | SSIDs for: WLAN 4 (8, 12, 16)

You can use advanced mode configuration to change these settings. See Chapter 4: “Wireless Local Area Networks (WLANs).
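The default WLAN-to-BSSID assignment in Table 1-7 and the beacon limitation described above (a BSSID advertises only one SSID, so a radio with more than four WLANs beacons only the first four) follow a simple rule that the example below works through. This is an added example written for this page, not code from the manual or from ProCurve; the helper names are assumptions, and the SSID values are constructed.

```python
"""Default WLAN-to-BSSID assignment on one RP radio (added example).

Constructed from Table 1-7 and the beacon discussion: a radio has four
BSSIDs, WLAN n maps to BSSID ((n - 1) mod 4) + 1, and each BSSID can carry
only one SSID in its beacon, so only the lowest-numbered WLAN on each BSSID
is advertised. Function names are assumptions made for this illustration.
"""
from collections import OrderedDict

BSSIDS_PER_RADIO = 4   # one beacon per BSSID
WLANS_PER_RADIO = 16   # WLAN indexes 1-16 per radio


def default_bssid_for_wlan(wlan_index):
    """Return the BSSID (1-4) that WLAN index (1-16) maps to by default."""
    if not 1 <= wlan_index <= WLANS_PER_RADIO:
        raise ValueError("WLAN index must be between 1 and %d" % WLANS_PER_RADIO)
    return (wlan_index - 1) % BSSIDS_PER_RADIO + 1


def default_assignment(enabled_wlans):
    """Group enabled WLAN indexes by BSSID, each list in ascending WLAN order."""
    table = OrderedDict((b, []) for b in range(1, BSSIDS_PER_RADIO + 1))
    for wlan in sorted(enabled_wlans):
        table[default_bssid_for_wlan(wlan)].append(wlan)
    return table


def beaconed_wlans(enabled_wlans, ssids):
    """Return {bssid: ssid} for the SSIDs the radio actually advertises.

    Each BSSID beacons only the SSID of the lowest-numbered WLAN assigned to
    it; further WLANs sharing that BSSID are reachable but not advertised.
    """
    beacons = {}
    for bssid, wlans in default_assignment(enabled_wlans).items():
        if wlans:
            beacons[bssid] = ssids[wlans[0]]
    return beacons


def hidden_wlans(enabled_wlans):
    """WLANs whose SSID never appears in any beacon under the default mapping."""
    hidden = []
    for wlans in default_assignment(enabled_wlans).values():
        hidden.extend(wlans[1:])
    return sorted(hidden)


if __name__ == "__main__":
    # Constructed sample: six WLANs enabled on one radio.
    sample_ssids = {1: "corp", 2: "voice", 3: "guest", 4: "iot", 5: "lab", 6: "mgmt"}
    enabled = list(sample_ssids)
    for bssid, wlans in default_assignment(enabled).items():
        print("BSSID %d -> WLANs %s" % (bssid, wlans))
    print("beaconed:", beaconed_wlans(enabled, sample_ssids))
    print("not advertised:", hidden_wlans(enabled))
```

With six WLANs enabled, WLANs 5 and 6 share BSSIDs 1 and 2 with WLANs 1 and 2 and are never advertised, which is worth checking before relying on a beacon to tell clients that a WLAN exists.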
You configure settings for particular radios from the Network Setup > Radio screens, as described in Chapter 3: “Radio Port Configuration.” The Wireless Edge Services zl Module still automatically manages WLAN assignments for these radios (unless you are using advanced mode configuration). Note The Wireless Edge Services zl Module associates the radio’s MAC address with the override configuration, so it persists even if the RP is powered down.
Figure 1-22. Communications Between an RP and the Wireless Edge Services zl Module If you must place your RP on a different subnetwork from the Radio Port VLAN, the messages listed above fail to receive a response from the Wireless Edge Services zl Module.
■ DNS requests—request the IP address for the Wireless Edge Services zl Module. If the RP does not receive option 189 from the DHCP server, it uses DNS to discover the module’s IP address. At its factory settings, the RP requests the IP address for this hostname: PROCURVE-WESM. The RP also adds the domain suffix that it received in the DHCP configuration. For example: PROCURVE-WESM.procurve.
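The discovery order just described (DHCP option 189 first, then a DNS lookup of PROCURVE-WESM with the DHCP-supplied domain suffix) is shown below as an added example; it is not code from the manual or from ProCurve RP firmware. The lease contents are constructed, the resolver is injected so the example runs offline, and the treatment of a malformed option value (fall back to DNS) is an assumption made for illustration.

```python
"""How an RP locates its Wireless Edge Services zl Module (added example).

Models the discovery order described above: use the module address carried
in DHCP option 189 when the lease has one; otherwise build the hostname from
the factory default PROCURVE-WESM plus the DHCP domain suffix and resolve it.
The resolver is injected so the example runs offline; all lease values are
constructed. Falling back to DNS on a malformed option value is an assumption.
"""
import ipaddress

DEFAULT_MODULE_HOSTNAME = "PROCURVE-WESM"   # factory-default hostname the RP looks up
DHCP_OPTION_MODULE_ADDRESS = 189            # DHCP option carrying the module address


def module_fqdn(domain_suffix):
    """Hostname the RP queries: PROCURVE-WESM plus the DHCP domain suffix, if any."""
    if not domain_suffix:
        return DEFAULT_MODULE_HOSTNAME
    return "%s.%s" % (DEFAULT_MODULE_HOSTNAME, domain_suffix.strip("."))


def discover_module(lease, resolve):
    """Return (module_address, method) or (None, "unresolved").

    lease   -- dict with optional "options" {option_number: value} and "domain"
    resolve -- callable mapping a hostname to an address string or None
    """
    raw = lease.get("options", {}).get(DHCP_OPTION_MODULE_ADDRESS)
    if raw:
        try:
            return str(ipaddress.ip_address(raw)), "dhcp-option-189"
        except ValueError:
            pass  # malformed option value: fall through to DNS (assumed behaviour)
    fqdn = module_fqdn(lease.get("domain"))
    address = resolve(fqdn)
    if address:
        return address, "dns:" + fqdn
    return None, "unresolved"


if __name__ == "__main__":
    # Constructed DNS table standing in for the site's resolver.
    dns_table = {"PROCURVE-WESM.procurve.example": "10.1.10.20"}
    print(discover_module({"options": {189: "10.1.10.5"}, "domain": "procurve.example"}, dns_table.get))
    print(discover_module({"domain": "procurve.example"}, dns_table.get))
    print(discover_module({"domain": "other.example"}, dns_table.get))
```

The "unresolved" outcome is the case to watch for in a deployment: an RP on a subnetwork where neither option 189 nor the PROCURVE-WESM record is available will never find the module.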
Figure 1-23.
When a Wireless Edge Services zl Module receives an adoption request from an unadopted RP—whether as a broadcast or as a targeted message—the module must decide whether or not to adopt the RP. You can configure the module to automatically adopt any identified, nonconfigured RP. The simple plug-in installation makes this option ideal, as long as your organization secures access to its network devices.
Figure 1-24. Deploying a Configuration Managing RPs in a Self-Healing Network A Wireless Edge Services zl Module collects a variety of information from managed RPs. For example, RPs configured as detectors report information about neighboring APs. The module then processes this information into lists of authorized and unauthorized APs, according to rules that you configure.
The Wireless Edge Services zl Module also collects information about the wireless network in order to improve its functioning. For example, if you enable interference avoidance, the module has RPs change their channel when they report excessive congestion. Intrusion detection is one useful self-healing feature. The Wireless Edge Services zl Module can also implement neighbor recovery and create a highly available, self-healing network.
RP Deployment Requirements This section provides a brief overview of features on the ProCurve RPs that affect their deployment. For information about installing your RPs, refer to the appropriate Installation and Getting Started Guide. Power over Ethernet (PoE) PoE, based on the IEEE 802.3af standard, defines a mechanism by which a device receives power over the Ethernet cable on which it also sends and receives data. ProCurve RPs 210, 220, and 230 must be powered by PoE.
Introduction Redundancy Groups Redundancy Groups A good network design builds in redundancy so that, in the unlikely event of a hardware or link failure, users continue to access the resources that they need.
Rules of Redundancy Groups A redundancy group consists of up to 12 members; each member is either a primary module or a redundant module. Up to two modules can be installed in the same wireless services-enabled switch. Within the redundancy group, you can combine primary and redundant modules in any proportion. For example, you could have two primary modules and one redundant module; or you could group three primary modules and four redundant modules.
Redundancy Group Operation Modes Group members can operate in either active mode or standby mode. The type of module (primary or redundant) has no relation to the operation mode. You can place a primary module in standby mode, or more typically, you can place a redundant module in active mode. An active redundant module adds capacity by load balancing RPs with other members of the group.
Figure 1-25. Redundancy Module Adopting RPs To provide consistent service, the standby member continues to support the RPs even after the active member comes back up.
Remember that standby members support all the same services as the active members, so you must configure the same wireless settings on all members of a redundancy group. A simple way to ensure successful failover is to upload one module’s configuration onto each other module, edit the configuration with module-specific settings (such as IP address and redundancy group settings), and save the edited configurations.
Introduction Layer 2 and Layer 3 Roaming Between RPs and Modules Layer 2 and Layer 3 Roaming Between RPs and Modules One of the principal attractions of wireless networking is the mobility that it offers users, and users often want to roam further than the range of a single radio. The 802.11 standard gives guidelines for roaming between the coverage areas, or cells, provided by two APs (or RPs), but leaves the implementation largely to the makers of wireless network interface cards (NICs).
In other words, the module functions much like a single, high-capability AP with many remote radios (the RPs). Therefore, when a station disassociates from one RP and reassociates with another RP adopted by the same module, the module already has in place the association, the authentication, and the encryption keys. The roam is fast and seamless. The Wireless Edge Services zl Module also supports these 802.
However, Wireless Edge Services zl Modules support these mechanisms to facilitate and speed roaming between RPs adopted by different modules: ■ PMK caching—enables fast roaming back to a module in a WLAN that requires WPA/WPA2 with 802.1X. A station disassociates from one of the module’s RPs and moves to an RP on a different module. As far as the first module knows, the station has left the WLAN.
Roaming Between RPs on Different Wireless Edge Services zl Modules at Layer 3 Roaming always occurs within a WLAN—that is, a station can roam only to another RP if that RP supports the same SSID. Otherwise, the station does not roam; it connects to a new network. For the roaming described in the previous sections, the roaming station’s traffic arrives in the same VLAN when it is bridged into the Ethernet network.
Figure 1-26. Network Requiring Layer 3 Roaming Note It is important that the difference in subnetwork be reflected in different VLAN IDs because Layer 3 roaming relies on a changing VLAN ID to detect a Layer 3 roam. In other words, the two modules in Figure 1-26, which are in different subnetworks, correctly place WLAN A traffic on different VLANs.
■ When necessary, tunnel traffic back to a station’s HM—Every module in the Layer 3 roaming domain establishes a tunnel to every other module. A module tunnels traffic only when necessary, which is when a station that has an HM on a different VLAN roams to the module. If a station that has an HM on the same VLAN roams to the module, the module simply becomes the station’s new HM.
2 Configuring the ProCurve Wireless Edge Services zl Module Contents Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 The Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Determining the Dynamic IP Address or Assigning a Static Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . .
Controlling Management Access to the Module . . . . . . . . . . . . . . . . . 2-27 Enabling HTTP and HTTPS Access to the Module . . . . . . . . . . . 2-27 Choosing SNMP Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 Setting Up the Internal FTP Server . . . . . . . . . . . . . . . . . . . . . . . . 2-32 Changing the Password for the Default SNMP v3 Users (Operator or Manager) . . . . . . . . . . . . . . . . . .
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-86 Viewing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-87 Transferring, or Copying, Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-89 Transferring Configuration Files from an FTP or TFTP Server to the Wireless Edge Services zl Module . . . . . . . . . . . . .
Enabling Secure Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . 2-138 Secure NTP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-138 NTP Modes and Communications . . . . . . . . . . . . . . . . . . . . . . . . 2-139 NTP Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-139 Secure NTP Enhancements . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the ProCurve Wireless Edge Services zl Module Management Interfaces Management Interfaces To configure and manage the ProCurve Wireless Edge Services zl Module, you can use one of the following management interfaces: ■ Web browser interface—Accessed through a Web browser, this intuitive interface provides comprehensive information to help you manage and monitor your company’s wireless services. The menus and online help guide you through configuration steps.
Determining the Dynamic IP Address or Assigning a Static Address Initially, you must access the Wireless Edge Services zl Module through the CLI of the wireless services-enabled switch zl—either to determine the IP address that is assigned to the module through a Dynamic Host Configuration Protocol (DHCP) server or to assign the module a static IP address.
Replace with the letter for the chassis slot in which the Wireless Edge Services zl Module is installed. For example, if the module is installed in chassis slot C, you would enter: ProCurve# wireless-services c You access the Wireless Edge Services zl Module CLI with the same rights (either manager or operator) that you have to the switch CLI.
The command saves to the running-config as a default route in which the gateway IP address is the IP address of the next hop. For example, you enter: ProCurve(wireless-services-C) (config)# ip default-gateway 10.1.10.1 The running-config displays: ip route 0.0.0.0/0 10.1.10.1 Note Be careful when you change the default gateway IP address.
Enable Secure Management. Secure management forces managers to access the Wireless Edge Services zl Module at the IP address configured on the management VLAN. For example, you configure VLAN 2 as the management VLAN, and the module’s IP address on VLAN 2 is 10.1.2.30. The module also has an IP address on VLAN 4, 10.1.4.30.
Accessing the Web Browser Interface for the Wireless Services-Enabled Switch. You can also access the module’s Web browser interface from the Web browser interface for the wireless services-enabled switch. (Like the module’s Web browser interface, the switch’s Web browser interface uses Java applets.) To access the switch’s Web browser interface, enter the IP address for the management interface as the URL in your Web browser.
Logging In to the Web Browser Interface Whichever way you attempt to access the Web browser interface, you are prompted to enter a username and password. (See Figure 2-2.) Figure 2-2. Logging In to the Module’s Web Browser Interface In the Username field, enter manager, and in the Password field, enter the default password procurve. (The Wireless Edge Services zl Module also supports the operator user.
Overview of the Web Browser Interface The Web browser interface includes a navigation bar on the left. (See Figure 2-3.) Using this navigation bar, you can access: ■ Information screens that help you manage and troubleshoot your wireless services ■ Configuration screens that allow you to tailor wireless services for your particular environment Figure 2-3. (callout: Navigation bar)
■ running-config—When the Wireless Edge Services zl Module loads the startup-config, all the configurations become part of the running-config, which is held in RAM. When you make and apply configuration changes in the Web browser interface, these changes become part of the running-config as well.
Figure 2-4. Applying or Saving Changes (callouts: Save changes to startup-config; Remove unapplied changes; Apply changes to running-config; Access online help) Logging Out or Refreshing the Screen In addition to the Save link, the Web browser interface includes three links at the top of the screen: ■ Refresh—updates the screen with current information ■ Support—links you to ProCurve Networking’s Web site at http://www.procurve.
Figure 2-5. Help Navigator Screen From the Help Navigator screen, you can select one of the following tabs: ■ Content—The Content tab provides a list of available topics. You simply double click a topic to view the Help information. ■ Search—The Search tab allows you to enter keywords or boolean expressions to find all the information about a specific topic.
Using Filtering Options Filtering allows you to limit the amount of data displayed on a configuration screen by narrowing the criteria for the rows that are displayed. You can use the filtering options on certain configuration screens in order to list only items that meet certain criteria. Screens that can be filtered contain a Show Filtering Options link, as shown in the example in Figure 2-6. Figure 2-6.
Filters affect the display. The filter selects rows according to values in columns. For example, you can filter the Network Setup > WLANs screen to display rows only for those WLANs that list Web-Auth in the Authentication column. Click the Show Filtering Options link to begin creating a filter. Figure 2-7.
When you select two criteria, you must use Boolean operators to link the two: ■ AND—Only rows that match both criteria display. ■ OR—Rows that match either or both criteria display. In the fields to the right of the drop-down menus (see Figure 2-7 on page 2-17), you create the actual filter. The format for the filter depends on the type of column: ■ Match operators—for columns that include a string.
Figure 2-8. Filtering Options WLANs Example 2. In the Filter Options section, on the first line, use the first drop-down menu to select the criterion for the filter. The drop-down menu includes the name of every column in the screen. In the example in Figure 2-8, you can select from Index, Enabled, SSID, and so on. 3.
4. If you are also filtering for a second criterion, on the second line, use the drop-down menu to select the Boolean operator for linking the two criteria: • AND—to list items that meet the criteria on both lines • OR—to list items that meet the criteria on either line The OR operator is not an “exclusive OR” operator; it will list items that meet the criteria on either or both lines. 5.
6. After you set the filter criteria, click the Filter Entire Table button. Only the tunnels that match the filter are now listed on the screen. If you want, you can refine your filter criteria and click the Filter Entire Table button again. Note Throughout the Wireless Edge Services zl Module interface (whether or not you are using filtering), you can sort data lines by clicking on the respective column headings.
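The filter semantics described in these steps (one or two column criteria, linked with AND or an inclusive OR, applied to the rows of a screen such as Network Setup > WLANs) are shown below as an added example; it is not code from the module or from ProCurve. The column names mirror the WLANs screen, but the row values are constructed and the two match operators, "equals" and "contains", are assumptions standing in for the screen's own match operators.

```python
"""Two-criterion row filter like the Show Filtering Options screen (added example).

Applies one or two (column, operator, value) criteria to table rows and links
them with AND (both must match) or an inclusive OR (either or both match),
as the steps above describe. The rows below are a constructed sample of the
Network Setup > WLANs table; the operator names are assumptions.
"""

# Match operators for string-valued comparisons (assumed names).
MATCH_OPERATORS = {
    "equals": lambda cell, value: str(cell) == value,
    "contains": lambda cell, value: value in str(cell),
}

# Constructed sample of the WLANs screen; not real configuration data.
WLAN_ROWS = [
    {"Index": 1, "Enabled": True, "SSID": "corp", "Authentication": "802.1X"},
    {"Index": 2, "Enabled": True, "SSID": "guest", "Authentication": "Web-Auth"},
    {"Index": 3, "Enabled": False, "SSID": "lab-guest", "Authentication": "Web-Auth"},
    {"Index": 4, "Enabled": True, "SSID": "voice", "Authentication": "None"},
]


def matches(row, criterion):
    """Evaluate one (column, operator, value) criterion against a row."""
    column, operator, value = criterion
    if column not in row:
        raise KeyError("unknown column %r" % column)
    return MATCH_OPERATORS[operator](row[column], value)


def filter_table(rows, first, second=None, link="AND"):
    """Return the rows that satisfy the criteria, keeping their original order."""
    if second is None:
        return [r for r in rows if matches(r, first)]
    if link == "AND":
        return [r for r in rows if matches(r, first) and matches(r, second)]
    if link == "OR":  # inclusive OR: rows matching either or both criteria
        return [r for r in rows if matches(r, first) or matches(r, second)]
    raise ValueError("link must be AND or OR")


def ssids(rows):
    """Convenience: the SSID column of a filtered result."""
    return [r["SSID"] for r in rows]


if __name__ == "__main__":
    web_auth = ("Authentication", "equals", "Web-Auth")
    print("Web-Auth WLANs:", ssids(filter_table(WLAN_ROWS, web_auth)))
    print("Web-Auth AND enabled:", ssids(filter_table(WLAN_ROWS, web_auth, ("Enabled", "equals", "True"), "AND")))
    print("Web-Auth OR voice:", ssids(filter_table(WLAN_ROWS, web_auth, ("SSID", "contains", "voice"), "OR")))
```

The OR case is the one to note: it returns rows that satisfy either criterion or both, matching the inclusive (not exclusive) OR the steps describe.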
When you are prompted for a password, enter the password for the manager user on the wireless services-enabled switch. Accessing the Switch CLI Through a Telnet or SSH Session You can also use a Telnet or SSH application to access the CLI for the wireless services-enabled switch. For instructions on establishing a Telnet or SSH session, see the management and configuration guide for your switch.
From the enable context, you can enter show commands to view information about the Wireless Edge Services zl Module, and you can perform some operations such as erasing the startup-config file and copying configuration files to and from the module. To make configuration changes, however, you must move to the global configuration context.
Security In addition to supporting the latest security standards for wireless communications, the Wireless Edge Services zl Module allows you to secure management access. To protect communications between the Wireless Edge Services zl Module and your management workstation, the module supports secure hypertext transfer protocol (HTTPS) over Secure Socket Layer (SSL), and SNMP v3.
SNMP v3 encrypts management communications. For example, SNMP v3 support secures messages between the Java applet running the Web browser interface and your management workstation even when you use HTTP, rather than HTTPS. SNMP Communities. SNMP v1/v2c uses communities to control various types of management access.
In addition, SNMP v3 secures communications between the user and the managed device, transforming the traffic with an encryption algorithm, an authentication algorithm, or both. Default SNMP v3 Users—Manager and Operator. There are two default users: ■ Manager—The manager has read-write access, which means the manager can configure settings and view information.
The operator user is particularly useful if you want to assign a new IT staff member the task of monitoring certain module functions; however, you do not want this IT staff member to change the existing configuration. In this case, you could give this IT staff member the password for the operator user but reserve the manager user password for only senior-level IT staff.
Figure 2-11. Management > Web Access Control Screen 2. Uncheck the Enable HTTP box to disable insecure HTTP access to the Wireless Edge Services zl Module. Check the box to re-enable this server. 3. Uncheck the Enable HTTPS box to disable HTTPS access to the Wireless Edge Services zl Module. Check the box to re-enable this server. 4.
By default, the HTTPS server submits the self-signed certificate in the default-trustpoint. The HTTPS Trustpoint drop-down menu includes this trustpoint and any other trustpoint configured on the module. The drop-down menu also includes the option. Select this option to open the Certificates Wizard, which guides you through the process of creating or installing a certificate.
Figure 2-12. Management > Web Access Control Screen 2. Uncheck the Enable SNMP v2 box to disable SNMP v2 access to the Wireless Edge Services zl Module. Check the box to re-enable such access. 3. Uncheck the Enable SNMP v3 box to disable SNMP v3 access to the Wireless Edge Services zl Module. A screen is displayed, warning you that disabling SNMP v3 locks you out of the Web browser interface.
Figure 2-13. Disable SNMP V3 Warning If you are sure that you want to disable SNMP v3 and Web access, click the Yes button. You have one more chance to change your mind: you must click the Apply button in the Management > Web Access Control screen to actually disable the server. 4. Configure other SNMP options: a.
Setting Up the Internal FTP Server The Wireless Edge Services zl Module includes an FTP server, which can send files stored in the module’s flash memory to FTP clients. For example, you could upload a configuration file directly from one module to another— eliminating the middle step of transferring the file to an external FTP server. The FTP server has these properties: ■ Port—The server listens on the standard FTP port, 21.
Figure 2-14. Setting Up the Internal FTP Server (callout: Browse button) 3. In the Password box, enter a string, which can include alphanumeric and special characters. 4. In the Root Dir field, specify the name of the directory with the files that clients will request. For example, enter flash:/. The module searches for files in the flash directory.
To use the browse button to select the root directory, follow these steps: 1. Click the Browse button next to the Root Dir field. The Select Directory file screen is displayed. This screen displays three buttons, one for each of the Wireless Edge Services zl Module’s three file systems: 2.
3. In the left section, select the directory in which the Wireless Edge Services zl Module searches for requested files. Click the directory once to choose the directory. Its name is displayed in the field at the bottom of the screen. Click the directory twice to view and select subdirectories within that directory.
Table 2-1. Default Passwords for the Operator and Manager Users

User     | Password
operator | operator
manager  | procurve

To protect your network, you should change the passwords for both users. Because the usernames and passwords are managed through SNMP v3, you must select a password that meets SNMP v3 standards: the password must be at least eight characters. The password does not only authenticate the user.
Figure 2-17. Management > SNMP Access > V3 Screen 2. Select the username that you want to modify, and then click the Edit button. The Edit SnmpV3 screen is displayed.
Figure 2-18. Edit SnmpV3 Screen 3. In the Old Password field, enter the current password. 4. In the New Password and Confirm Password fields, enter the new password. 5. Click the OK button. If you change the password for the manager user, you are logged out of the Web browser interface and must enter the new password in order to log back in to the interface.
Changing Passwords for the Default Users Through Web-User Settings. To change the passwords for the manager or operator user through their Web-User settings, follow these steps: 1. Select Management > Web-Users > Local Users. Figure 2-19. Default Users in the Management > Web-Users > Local Users Screen 2. Select the user for which you want to change the password. 3. Click the Edit button. The Edit User screen is displayed.
Configuring the ProCurve Wireless Edge Services zl Module Management Interfaces Figure 2-20. Editing a Web-User 4. In the Password and Confirm Password fields, enter a new password between 8 and 32 characters. The password can include spaces and special characters. 5. Click the OK button. 6. Click the Save link to copy these changes to the Wireless Edge Services zl Module’s startup-config.
By default, the module uses its local list to authenticate the users.

Web-User Roles.

• complete any task in the Management screens, including:
  – control access to the Web browser interface, including adding and editing Web-users
  – configure the Update Server
  – manage configuration files and software images
  – install licenses
  – add digital certificates
  – configure SNMP and system logging
• set up secure NTP (Special > Secure NTP screens)
■ WebUser Administrator—add guest user accounts to the Wireless Edge S

Figure 2-21. Management > Web-Users > Local Users Screen

2. Click the Add button. The Add User screen is displayed.

Figure 2-22. Adding a Web-User

3. In the User Name field, enter a string between 1 and 28 characters. You can include spaces and special characters.
4. In the Password and Confirm Password fields, enter a password between 8 and 32 characters. The password can include spaces and special characters.
5. Check the boxes in the Associated Roles section to assign one or more roles to this user.
Make sure that the configuration on the RADIUS server meets these requirements:

■ The user’s password is at least 8 characters. SNMP v3 requires a password of at least this length. Your RADIUS server, however, may or may not enforce such a requirement. (For example, the Wireless Edge Services zl Module’s internal server does not.)

Note
If you do not correctly configure the RADIUS server, you can lock yourself out of the Wireless Edge Services zl Module Web browser interface. To fix the problem, access the module CLI through the wireless services-enabled switch.

Figure 2-23. Configuring Authentication for Web-Users

3. Choose the primary authentication method from the Preferred method drop-down menu. You can choose local (the list of local users configured on the Local Users tab) or radius.
4. If you want to use both authentication methods, choose the other method from the Alternate method drop-down menu. If the preferred method fails, the alternate is attempted.
5. Optionally, check the If authentication services are unavailable, allow read-only access box. All users are granted read-only (monitor) access when the selected authentication services are unavailable. If you do not check the box and authentication services become unavailable, users will not have access to the Web browser interface at all. (They must access the module CLI from the wireless services-enabled switch CLI.)
6.

c. Enter your server’s port in the Radius Server Port field. Typically, enter 1812. The valid range is from 0 to 65535.
d. In the next field, specify the number of times that the module retries the RADIUS server if it does not receive a reply. For example, if you enter 3, the module attempts to reach the RADIUS server four times at most. It then considers the authentication service unavailable.
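The following is an added example, not ProCurve code, that models the Web-User authentication settings described above: a preferred and an optional alternate method, the retry count (3 retries means four attempts at most), and the effect of the read-only fallback box when every selected service is unreachable. The server classes are constructed stand-ins, and treating both a rejection and a timeout as "the preferred method fails" is an assumption, since the page does not separate the two cases.

```python
"""Added example, not ProCurve code: models the Web-User authentication
policy (preferred and alternate method, RADIUS retry counting, and the
"allow read-only access if authentication services are unavailable" box).
The server objects are constructed stand-ins; treating a rejection and a
timeout both as "the preferred method fails" is an assumption."""
from dataclasses import dataclass

# Result of one method's attempt to authenticate a user.
ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"
# Access levels the Web browser interface can grant.
AUTHENTICATED, READ_ONLY, DENIED = "authenticated", "read-only", "denied"


@dataclass
class LocalStub:
    """Stand-in for the module's local user list (Local Users tab)."""
    users: dict

    def authenticate(self, username: str, password: str) -> str:
        return ACCEPT if self.users.get(username) == password else REJECT


@dataclass
class RadiusStub:
    """Stand-in for a RADIUS server.  `unanswered` (constructed for the
    example) is how many requests time out before the server replies;
    `retries` is the value entered in the retry field on the page."""
    users: dict
    unanswered: int = 0
    retries: int = 3

    def authenticate(self, username: str, password: str) -> str:
        # The page's rule: a retry value of 3 means four attempts at most.
        max_attempts = self.retries + 1
        for attempt in range(1, max_attempts + 1):
            if attempt > self.unanswered:          # this request gets a reply
                return ACCEPT if self.users.get(username) == password else REJECT
        # Every attempt timed out: the service is considered unavailable.
        return UNAVAILABLE


def web_login(username: str, password: str, preferred, alternate=None,
              readonly_if_unavailable: bool = False) -> str:
    """Apply the Web-User authentication settings to one login attempt."""
    outcomes = []
    for method in (m for m in (preferred, alternate) if m is not None):
        outcome = method.authenticate(username, password)
        outcomes.append(outcome)
        if outcome == ACCEPT:
            return AUTHENTICATED
    # The read-only box only matters when every selected service was
    # unreachable; an explicit rejection is a plain denial.
    if all(o == UNAVAILABLE for o in outcomes):
        return READ_ONLY if readonly_if_unavailable else DENIED
    return DENIED
```

A lockout (DENIED with the box unchecked and RADIUS down) is exactly the situation the Note above describes, where only the module CLI via the switch remains.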
Figure 2-25. Guest Registration Screen

From this screen, the WebUser Administrator can:
■ create guest accounts
■ view all guest accounts
■ delete guest accounts
■ print records for the guest accounts added during the current management session

Creating Guest Accounts on the Local RADIUS Database

Follow these steps to add a guest user account:

1.

Figure 2-26. Creating a Guest Account as a WebUser Administrator

2. Enter the username in the User Name field. The username can be up to 64 characters and can include alphanumeric and special characters. Alternatively, click the Create button to have the Wireless Edge Services zl Module OS automatically generate a random username.
3. In the Password field, enter the user’s password.
4. In the User Group drop-down menu, select the name of a guest group policy. The group policy determines the days of the week and the times of day at which the user is allowed to access the network. The group policy can also dictate a dynamic VLAN assignment. (However, dynamic assignment must be enabled on the WLAN to which the guest connects for this setting to take effect.) The WebUser Administrator cannot create groups.

– Specify how long the account remains active from the Access Periods drop-down menu. You can choose a length from one to six days. You can also choose one to three weeks or one to three months. The Wireless Edge Services zl Module OS automatically sets the expiry date and time based on the start date and time and the specified period of validity.

Figure 2-27. Viewing and Deleting Guest Accounts as the WebUser Administrator

3. The screen displays a list of all guest user accounts and the start and end time for these accounts. When you select an account, the Assigned Groups section displays the group of which the user is a member.
4. To delete a user, select the user and click the Delete button.
5.

Printing Records of Guest Accounts

You can also print records of guest accounts. A record includes:
■ the username
■ the password (in plaintext)
■ the time and date at which the account starts and expires

You can only print accounts created during the current management session. This requirement protects guest users’ passwords.

2. Click the Print link at the top of the screen. The Print screen is displayed. If you have not yet created a guest account, you receive an error message. You must click the Submit button before you can print the record of an account.

Figure 2-29. Printing a User Record

3. From the drop-down menu, choose the username for the account that you want to print. The account information is displayed below.
4.
Radio Port Adoption

By default, the Wireless Edge Services zl Module automatically adopts radio ports (RPs) that it detects on the network. For more security, you can disable automatic RP adoption and configure the module to adopt only those RPs for which you manually enter the Media Access Control (MAC) address.

Network Requirements for Layer 2 Adoption

Before the Wireless Edge Services zl Module can adopt an RP that is connected to your network, the module must detect that RP. Detection depends on network connectivity: all the network interfaces between the module and the RP must be correctly configured to carry traffic in the Radio Port VLAN.

Figure 2-31. RPs Attached to the Wireless Services-Enabled Switch Are Automatically Assigned to a Radio Port VLAN

Attaching RPs to Infrastructure Switches

If you connect an RP to an infrastructure switch, rather than to the wireless services-enabled switch, the VLAN memberships are not automatically created on the infrastructure switch.

Figure 2-32. Radio Port VLAN for an Indirectly Connected RP

Instead of using the default Radio Port VLAN, you can use any VLAN in your network—even a VLAN that is used to transmit wired traffic. In this case, you must manually tag the downlink port for this VLAN and configure other switch ports for this VLAN as described above.

Note
Generally, you should simply assign RPs to the default Radio Port VLAN ID (2100). Assigning RPs to a VLAN also used in your Ethernet network can introduce problems because you must never tag both the uplink and the downlink port for the same VLAN. Such a configuration would cause the Wireless Edge Services zl Module to ignore the downlink port.

Figure 2-33.

Note
You might also need to perform some configuration tasks on the wireless services-enabled switch, such as raising the maximum number of VLANs.
Figure 2-34. RPs Requiring Layer 3 Adoption

An RP first attempts to be adopted at Layer 2. If Layer 2 adoption fails, the RP initiates Layer 3 adoption. The RP sends a DHCP request so that it can begin to communicate at Layer 3. After receiving an IP address, the RP attempts to contact the Wireless Edge Services zl Module at Layer 3.

■ the correct bootloader code

The bootloader code allows the RP to request a DHCP configuration and contact the Wireless Edge Services zl Module at Layer 3. If the RP did not ship with this code, it must first be adopted at Layer 2 by a Wireless Edge Services zl Module. The instructions for enabling Layer 3 adoption explain how to determine your RP’s bootloader code version and, if necessary, update the code.

The RP appends the domain suffix that it received through DHCP. For example: PROCURVE-WESM.procurve.com

Note
You can change the name that the RP looks up. However, this option requires you to pre-adopt the RP at Layer 2. If a firewall separates your RPs from your Wireless Edge Services zl Module, you must ensure that this firewall allows the RPs’ adoption messages.

Figure 2-35. Checking an RP’s Bootloader Code Through the Module’s Web Browser Interface

With the new bootloader code, the RP can complete Layer 3 adoption. You can now install the RP in its final location, and as long as you set up the other requirements described below, the RP will be adopted at Layer 3.

2.

3. Whichever type of configuration you choose for the RP, add option 189 to the configuration. For the option’s value, specify up to three IP addresses of Wireless Edge Services zl Modules. Separate the addresses with spaces. For example: 10.4.1.30 10.4.1.40 10.4.2.35
4. Ensure that all necessary helper addresses are in place in your network infrastructure so that the RP’s DHCP request can reach the server.
5.
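The following is an added example, not ProCurve code, that builds and validates the DHCP option 189 value from step 3 (one to three module addresses separated by spaces) and derives the DNS name an RP looks up from the domain suffix it received. Encoding the value as an ASCII string inside a standard code/length/value DHCP option is an assumption; the page gives only the value's format.

```python
"""Added example, not ProCurve code: builds and checks the DHCP option 189
value (up to three Wireless Edge Services zl Module addresses separated by
spaces).  Carrying the value as an ASCII string inside a standard
code/length/value DHCP option is an assumption."""
import ipaddress

OPTION_CODE = 189               # option number given on the page
MAX_MODULES = 3                 # "up to three IP addresses"
LOOKUP_NAME = "PROCURVE-WESM"   # name the RP looks up when it uses DNS


def _check_addresses(addresses):
    """Validate 1..3 IPv4 addresses and return them as canonical strings."""
    if not 1 <= len(addresses) <= MAX_MODULES:
        raise ValueError(f"option {OPTION_CODE} takes 1 to {MAX_MODULES} addresses")
    checked = []
    for a in addresses:
        try:
            checked.append(str(ipaddress.IPv4Address(a)))
        except ipaddress.AddressValueError as e:
            raise ValueError(f"bad module address {a!r}") from e
    return checked


def build_option189(addresses):
    """Return (value_string, option_bytes) for the given module addresses."""
    value = " ".join(_check_addresses(addresses))
    raw = value.encode("ascii")
    if len(raw) > 255:          # a single DHCP option carries at most 255 bytes
        raise ValueError("option value too long")
    return value, bytes([OPTION_CODE, len(raw)]) + raw


def parse_option189(option_bytes):
    """Decode a code/length/value option 189 and return the module addresses,
    rejecting a wrong option code or a length that disagrees with the payload."""
    if len(option_bytes) < 2 or option_bytes[0] != OPTION_CODE:
        raise ValueError("not a DHCP option 189")
    length = option_bytes[1]
    if len(option_bytes) != 2 + length:
        raise ValueError("option length does not match payload")
    value = option_bytes[2:].decode("ascii")
    return _check_addresses(value.split())


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (used to exercise the validators)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def layer3_dns_name(domain_suffix: str) -> str:
    """Name the RP resolves when it uses DNS: PROCURVE-WESM plus the domain
    suffix received through DHCP, e.g. PROCURVE-WESM.procurve.com."""
    return f"{LOOKUP_NAME}.{domain_suffix.strip('.')}"
```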
b. Access the module CLI and enter these commands:

ProCurve(wireless-services-C)# configure
ProCurve(wireless-services-C)(config)# wireless
ProCurve(wireless-services-C)(config-wireless)# radio dns-name [XX:XX:XX:XX:XX:XX]

Replace with the name specified for the module on the DNS server. The name can be up to 127 characters.

Figure 2-37. Verifying Layer 3 Adoption in the Device Information > Radio Adoption Statistics

The screen should list the Layer 3 RP just as it lists other RPs. However, the IP Address field shows the Layer 3 RP’s IP address. (This field shows N/A for Layer 2 RPs.)

Note
The IP address is for informational purposes only.

There is one possible drawback to automatically adopting RPs, however. The Wireless Edge Services zl Module could potentially adopt an unauthorized RP. This unauthorized RP would be treated exactly as an authorized RP, receiving settings for your network’s WLANs and sending traffic into the Ethernet network.
Configuring Manual Adoption for RPs

To manually adopt RPs, you must edit the global settings for RPs. Complete these steps:

1. Select Network Setup > Radio and click the Configuration tab.

Figure 2-38. Network Setup > Radio Screen

2. Click the Global Settings button. The Global screen is displayed.

Figure 2-39. Network Setup > Radio > Global Settings Screen

3. Uncheck the Adopt unconfigured radios automatically box.
4. Click the OK button to apply the change to the running-config.
5. Find the MAC address of the RPs that you want to manually adopt by selecting Device Information > Radio Adoption Statistics and clicking the Unadopted tab. The unadopted RPs and their MAC addresses are listed on this screen.
6.

Figure 2-40. Device Information > Radio Adoption Statistics Screen

7. Click the Adopt button at the bottom of the screen. The Add Radio screen is displayed.

Figure 2-41.

8. If you selected an unadopted RP before clicking the Add button, the RP MAC Address field displays the MAC address of that RP. Otherwise, enter the RP’s Ethernet MAC address.
9. In the Radio Settings section, check the boxes for the radio types that you want—802.11a or 802.11bg (or both).
10. For each radio type that you select, in the corresponding Radio Index field, enter a number to identify this RP.

2. In the RP MAC Address field, enter the MAC address for the RP’s Ethernet interface.
3. In the Radio Settings section, check the boxes for the radio types that you want—802.11a or 802.11bg (or both).
4. For each radio type that you select, in the corresponding Radio Index field, enter a number to identify this RP.
5. Click the OK button.

You set an RP’s ID by selecting one of its radios in the Network Setup > Radio > Configuration screen and clicking the Edit button. Set the adoption preference ID to match the module that should adopt the RP.

Figure 2-44. Radio Configuration Radio Settings

Then enter a value from 1 to 65535 in the Adoption Preference ID field. Match the ID that you set for the Wireless Edge Services zl Module that should adopt this RP.

You can create a radio configuration manually by clicking the Add button in the Network Setup > Radio > Configuration screen and entering the RP’s Ethernet MAC address. You can then edit the configuration and set the adoption preference ID to match the module that should adopt that RP. For a more efficient alternative, have one module pre-adopt all RPs and edit the radio configurations on that module.
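The following is an added example, not ProCurve code, that models the adoption policy from this section: with the default "Adopt unconfigured radios automatically" setting every detected RP is adopted (including an unauthorized one, as noted above), whereas with the box unchecked only RPs whose Ethernet MAC address was entered are adopted and the rest appear on the Unadopted tab. The settings object, the MAC normalization and the preference-ID lookup are constructed for the example; the page gives the checkbox, its default, and the 1 to 65535 range.

```python
"""Added example, not ProCurve code: models RP adoption as described on the
page (automatic by default; manual adoption by entered MAC address when the
global box is unchecked) plus a lookup of the module whose Adoption
Preference ID matches the RP's.  Settings object and helpers are constructed
for the example."""
import re
from dataclasses import dataclass, field

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

ADOPTED_CONFIGURED = "adopted (configured)"
ADOPTED_AUTOMATIC = "adopted (automatic)"
UNADOPTED = "unadopted"


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e and
    return the colon-separated lower-case form, so that an allowlist lookup
    is not defeated by a formatting difference."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class RadioGlobalSettings:
    """The two inputs to the decision: the global checkbox (checked by
    default, as the page states) and the manually entered RP MAC addresses."""
    adopt_unconfigured_automatically: bool = True
    configured_rps: set = field(default_factory=set)

    def add_rp(self, mac: str) -> None:
        """Equivalent of entering the MAC address in the Add Radio screen."""
        self.configured_rps.add(normalize_mac(mac))


def adoption_decision(settings: RadioGlobalSettings, rp_mac: str) -> str:
    mac = normalize_mac(rp_mac)
    if mac in settings.configured_rps:
        return ADOPTED_CONFIGURED
    if settings.adopt_unconfigured_automatically:
        return ADOPTED_AUTOMATIC      # an unknown RP receives the WLAN settings too
    return UNADOPTED


def audit_unadopted(settings: RadioGlobalSettings, detected_macs):
    """What the Unadopted tab would list: detected RPs that were not adopted."""
    return [normalize_mac(m) for m in detected_macs
            if adoption_decision(settings, m) == UNADOPTED]


def choose_adopter(rp_pref_id: int, module_ids: dict):
    """Return the module whose Adoption Preference ID matches the RP's ID.
    Assumption for the example: an RP whose ID matches no module yields
    None.  The valid range 1 to 65535 is from the page."""
    if not 1 <= rp_pref_id <= 65535:
        raise ValueError("Adoption Preference ID must be 1 to 65535")
    for module, module_id in module_ids.items():
        if module_id == rp_pref_id:
            return module
    return None
```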
The default username and password on all ProCurve 200 Series RPs are admin and procurve. ProCurve Networking suggests that you use pre-adoption to change these settings, using a Wireless Edge Services zl Module to load new credentials on your organization’s RPs. You can then move these RPs to their final locations and be sure that only these RPs can connect to your network.

Configuring 802.

Figure 2-46. Configure Port Authentication Screen

4.
   • Check the Use Default Values box to use the default username and password:
     – username: admin
     – password: procurve
   • Or, in the Username and Password fields, enter the username and password that you want to use.
5. Click the OK button, and then click the OK button on the Global screen.

Note
System Maintenance

The Web browser interface allows you to manage:
■ software images
■ configuration files
■ SNMP support
■ password encryption

Software Images

The Wireless Edge Services zl Module maintains two software images:
■ primary
■ secondary

Typically, the primary image loads when the Wireless Edge Services zl Module is rebooted.

Viewing the Software Images

To view the version of the primary and secondary images, access the Management > System Maint.—Software screen. (See Figure 2-47.)

Figure 2-47. Management > System Maint.—Software Screen

The Management > System Maint.—Software screen includes the following fields:
■ Image—This field indicates whether the image is the primary or secondary image.
■ Built Time—This field reports the date and time that this software image was created.
■ Install Time—This field reports the date and time that this software image was updated on the Wireless Edge Services zl Module.

Selecting the Software Image That Is Used to Reboot

You can specify which software image the Wireless Edge Services zl Module will use the next time it is rebooted—the primary or the secondary.

If you do not want the Wireless Edge Services zl Module to automatically reboot using the other image, you can disable this failover capability. Complete these steps:

1. Select Management > System Maint.—Software.

Figure 2-49. Management > System Maint.—Software Screen

2. Click the Global Settings button at the bottom of the screen. The Software Global Settings screen is displayed.

Figure 2-50.

3. Uncheck the Enable Image Failover box, and then click the OK button. The change is applied to the running-config.
4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.

Manually Updating the Software Image

ProCurve Networking periodically updates the software image for the Wireless Edge Services zl Module.

5. In the Using field, use the drop-down menu to select FTP or TFTP, depending on the type of server that you have.
6. In the Port field, if needed, change the port number for your FTP or TFTP server. In most cases, the defaults (port 21 for FTP, port 69 for TFTP) should apply to your server.
7. In the IP Address field, enter the IP address of the FTP or TFTP server.
8.
Table 2-3. Configuration Files Stored in Internal Flash

Name of Configuration File     Location in Internal Flash
startup-config                 NVRAM
other configuration files      flash

Viewing Configuration Files

To view a configuration file, select Management > System Maint.—Config Files.

To view the contents of a configuration file, select the file and click the View button at the bottom of the screen. For example, you might want to view the startup-config file. (See Figure 2-53.)

Figure 2-53. Viewing the Contents of the startup-config

Click the Refresh button to update the information displayed in the screen. Click the Close button to return to the Management > System Maint.—Config Files screen.

Transferring, or Copying, Files

The Web browser interface allows you to transfer, or copy, configuration files. You simply specify a source and a destination for the transfer. Valid selections are listed in Table 2-4:

Table 2-4.

Figure 2-54. Management > System Maint.—Config Files > Transfer Screen

3. In the Source section, specify the source as an FTP or TFTP server:
   a. In the From field, use the drop-down menu to select Server.
   b. In the File field, enter the name of the configuration file.
   c. In the Using field, use the drop-down menu to select either FTP or TFTP.
   d.
4. In the Target section, specify the destination as the Wireless Edge Services zl Module:
   a. In the To field, use the drop-down menu to select Wireless Services Module.
   b. In the File field, enter the name that you want to give to the configuration file.
5. Click the Transfer button. In the Status section at the bottom of the screen, a message is displayed, reporting whether the transfer was successful.

3. In the Target section, specify the destination. Choose a destination from the To drop-down menu:
   • Wireless Services Module—copy the file to another location on the module
   • Server—copy the file to an external FTP or TFTP server
   • Local Disk—copy the file to the workstation on which you are running the Web browser
   The Target fields below change depending on the target type.
Figure 2-56. Transferring a File to a New Location on the Module

At any point during the transfer, you can click the Abort button to cancel the process. After you have finished transferring files, click the Close button.

Copying a File to an External Server. Follow these steps to upload a file to an external FTP or TFTP server:

1.

8. Click the Transfer button. In the Status section at the bottom of the screen, a message is displayed, reporting whether the transfer was successful.

At any point during the transfer, you can click the Abort button to cancel the process. After you have finished transferring files, click the Close button.

Copying a File to the Local Disk. To specify the local hard disk as the destination, follow these steps:

1.

Managing the Directory Structure and Browsing for Files

The Browse button appears when you are choosing where to download files to the Wireless Edge Services zl Module.

Figure 2-58. Browse Button

To use the Browse button to search and manage the Wireless Edge Services zl Module’s directory structure, follow these steps:

1. In the Target section, click the Browse button next to the File field.

Figure 2-59. Select Config file Screen

The nvram stores the startup-config, and the system memory (volatile) holds the running-config.

3. In the left section, choose the folder in which you want to save the file.
4. Alternatively, create a new folder (in the flash memory only).
   a. Click the New Folder button. The New Folder screen is displayed.
5. Choose the filename. The path to the folder you have selected is displayed in the field at the bottom of the screen. Files in this folder are displayed to the right. You can select one of these files and write over it, or you can choose a new file. To create a new file, add the filename to the path in the field at the bottom of the screen. For example: flash/myfolder/configA.
6. Click the OK button.
7.

Rather than trying to delete the startup-config file when you are using the Web browser interface, you should return the file to factory default settings, as explained in the next section. (You can enter the erase command in the CLI to delete the startup-config. The module then uses the factory default startup-config file.)
■ server username and password (for FTP server)
■ location of the software image on the Update Server
■ software image that the module should use
■ location of configuration file
■ location of a redundancy configuration file—a common configuration for an entire redundancy group, an optional supplement to (not replacement for) the configuration file

Checking the Software Image File

When the Wireless Edge Services zl Module

Whatever name you give the file that you save to the Update Server, it should always contain the same configuration that is saved in the module’s startup-config. When you change the startup-config, you should immediately copy the new file to the Update Server. When you save the startup-config file and the Update Server is enabled, the Wireless Edge Services zl Module saves a checksum of the startup-config.

■ Ensure that the Update Server is available when the Wireless Edge Services zl Module reboots. If the module must request an image or configuration file, but the Update Server is unavailable for any reason, the module uses its current image to reboot and loads the factory default startup-config.
■ Ensure that the latest software image and a file named “startup-config” are saved on the Update Server.

Table 2-5 lists the image and configuration file that the Wireless Edge Services zl Module uses if:
■ the image file specified in the Update Server settings is the image file that the module is already using
■ the Update Server is enabled, but no settings are configured for the image file and the configuration file location
■ the Update Server is unavailable

Table 2-5.

Table 2-6 shows which software image and configuration file are loaded in other circumstances.

Table 2-6.

Configuring the Update Server Settings

To configure the Update Server settings, complete these steps:

1. Select Management > System Maint.—Update Server.

Figure 2-64. Management > System Maint.—Update Server Screen

2. Check the Update Server Unreachable box if you do not want the Wireless Edge Services zl Module to use the Update Server.
3.

5. Enter the login credentials for the FTP server.
   a. In the User ID field, enter the username.
   b. In the Password field, enter the password for this username.
6. In the Software section, configure the version number, filename, and path for the software image.
   a. In the Version field, enter the version of the software image that is stored on the FTP or TFTP server.
   b.
By default, only two types of passwords are encrypted when you view the configuration:
■ SNMP v3 user passwords
■ Web-User passwords (encrypted by SHA)

Other types are displayed in plaintext by default:
■ passwords for users in the local RADIUS database
■ shared secrets for the RADIUS servers specified in WLAN settings
■ shared secret for globally configured RADIUS servers (used for authentication, authorization, and accountin

Figure 2-65. ConfigPasswdEn Button

2. Click the ConfigPasswdEn button.

Figure 2-66.

3. Set the key that encrypts passwords in the Password and Confirm Password fields. The key can be between 8 and 32 alphanumeric and special characters.
4. Click the OK button.
SNMP Traps and Error Reporting

SNMP is an industry-standard protocol that allows you to manage and monitor a variety of network devices from a central location. Specifically, you can configure these SNMP-compliant devices and apply consistent security and management policies to these devices across your network. By default, the Wireless Edge Services zl Module supports SNMP v1, v2, and v3.

You can also set up traps using the SNMP v3 trap user.

Modifying SNMP v2 Communities

By default, the Wireless Edge Services zl Module names the read-only community “public” and the read-write community “private”. To change the community name or access control setting for these communities, complete these steps:

1. Select Management > SNMP Access > v1/v2c.

Figure 2-67. Management > SNMP Access > V1/V2c Screen

2.

Figure 2-68. Edit SNMPV1/V2c Screen

3. In the Community Name field, enter the new name for the community.
4. In the Access Control field, use the drop-down menu to select the access control.
5. Click the OK button. The changes are applied to the running-config.
6. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.

To view SNMP statistics, select Management > SNMP Access and click the Statistics tab.

Figure 2-69. Management > SNMP Access > Statistics Screen

SNMP Traps

To generate alarm logs, you must enable the Wireless Edge Services zl Module to generate SNMP traps, and you must enable specific SNMP traps.

Enabling SNMP Traps

By default, all SNMP traps are disabled. To enable SNMP traps, complete these steps:

1. Select Management > SNMP Trap Configuration and click the Configuration tab.

Figure 2-70.

The SNMP traps for the Wireless Edge Services zl Module are divided into the following categories:
• Redundancy
• Miscellaneous
• NSM
• Mobility
• DHCP
• Radius
• SNMP
• Wireless

2. Check the Allow Traps to be generated box.
3. To view the SNMP traps in a category, click the Plus ( + ) sign next to the category. To view the SNMP traps in all categories, click the Expand all items button.
4.
Configuring the ProCurve Wireless Edge Services zl Module SNMP Traps and Error Reporting Figure 2-71. Enabling SNMP Traps on the Management > SNMP Trap Configuration Screen 7. Click the Apply button to save the change to the running-config. 8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Disabling SNMP Traps To disable an SNMP trap that you previously enabled, complete these steps: 1.
Configuring the ProCurve Wireless Edge Services zl Module SNMP Traps and Error Reporting 4. Click the Apply button to save the change to the running-config. 5. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Setting Thresholds You can set the thresholds that determine when SNMP traps are generated. Select Management > SNMP Trap Configuration and click the Wireless Statistics Thresholds tab. Figure 2-72.
Configuring the ProCurve Wireless Edge Services zl Module SNMP Traps and Error Reporting Table 2-7.
Configuring the ProCurve Wireless Edge Services zl Module SNMP Traps and Error Reporting Figure 2-73. Management > SNMP Trap Receivers Screen 2. Click the Add button. The Add Trap receivers screen is displayed. Figure 2-74. Add Trap Receivers Screen 3. 2-118 In the IP Address field, enter the IP address of the SNMP server.
Configuring the ProCurve Wireless Edge Services zl Module SNMP Traps and Error Reporting 4. In the Port Number field, enter the port on which your SNMP server listens for traps. The valid range is from 1 to 65535. The default port is 162. 5. Chose v2c or v3 from the Protocol Options drop-down menu. 6. Click the OK button. The configuration change is applied to the runningconfig. 7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
Configuring the ProCurve Wireless Edge Services zl Module SNMP Traps and Error Reporting 2. Select the trap user and click the Edit button. Figure 2-76. Changing the Password for SNMP v3 Traps 2-120 3. In the Old Password field, enter the current password—by default, “procurve.” 4. In the New Password and Confirm Password fields, enter the new password. 5. Click the OK button.
Configuring the ProCurve Wireless Edge Services zl Module SNMP Traps and Error Reporting View Information about SNMP Receivers. After you define an SNMP server, the server is displayed in the Management > SNMP Trap Receivers screen. Figure 2-77. Management > SNMP Trap Receivers Screen You can view the following information about that server: ■ Destination Address—the IP address of the SNMP server ■ Port—the port number that the module uses to communicate with the SNMP server.
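The following Python program is an added example; it is not part of this guide or of the module's software. It builds an SNMPv2c trap datagram in the BER encoding that a module sends to the receiver's UDP port 162 (using the constructed community string "public" and the standard coldStart notification OID 1.3.6.1.6.3.1.1.5.1), then parses that datagram the way a trap receiver would. Anyone who captures the datagram can read the community string and the trap contents without any key, and anyone who knows the community string can build an identical datagram, which is why v3 with a changed password is the safer choice where the receiver supports it.

```python
# SNMPv2c trap on the wire. Added example; community "public" and uptime are constructed.
INTEGER, OCTET_STRING, OID, SEQUENCE, TIMETICKS = 0x02, 0x04, 0x06, 0x30, 0x43
SNMPV2_TRAP_PDU = 0xA7
SYS_UPTIME, SNMP_TRAP_OID = "1.3.6.1.2.1.1.3.0", "1.3.6.1.6.3.1.1.4.1.0"
COLD_START = "1.3.6.1.6.3.1.1.5.1"          # standard coldStart notification


def _tlv(tag, content):
    """BER tag-length-value with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def _int(value, tag=INTEGER):
    """Minimal two's-complement INTEGER (also used for TimeTicks)."""
    if value == 0:
        return _tlv(tag, b"\x00")
    nbytes = (value.bit_length() + 8) // 8      # one extra bit for the sign
    return _tlv(tag, value.to_bytes(nbytes, "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(OID, bytes(body))


def build_v2c_trap(community, uptime_ticks, trap_oid, request_id=1):
    """Complete SNMPv2c message carrying an SNMPv2-Trap-PDU (RFC 3416)."""
    varbinds = _tlv(SEQUENCE,
                    _tlv(SEQUENCE, _oid(SYS_UPTIME) + _int(uptime_ticks, TIMETICKS))
                    + _tlv(SEQUENCE, _oid(SNMP_TRAP_OID) + _oid(trap_oid)))
    pdu = _tlv(SNMPV2_TRAP_PDU, _int(request_id) + _int(0) + _int(0) + varbinds)
    # version 1 on the wire means SNMPv2c; the community string follows in cleartext
    return _tlv(SEQUENCE, _int(1) + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_v2c_trap(datagram):
    """What a trap receiver sees: (version, community, trap OID), no key needed."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != SNMPV2_TRAP_PDU:
        raise ValueError("not an SNMPv2-Trap PDU")
    pos = 0
    for _ in range(3):                          # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(varbinds, 0)          # varbind 1: sysUpTime.0
    _, vb2, _ = _read_tlv(varbinds, pos)        # varbind 2: snmpTrapOID.0
    _, _, pos = _read_tlv(vb2, 0)               # its name
    _, trap_oid, _ = _read_tlv(vb2, pos)        # its value, the trap's identity
    return int.from_bytes(ver, "big", signed=True), community.decode(), _decode_oid(trap_oid)


if __name__ == "__main__":
    datagram = build_v2c_trap("public", 123456, COLD_START)
    print(datagram.hex())
    print(parse_v2c_trap(datagram))
```

The parser deliberately reads only the fields a receiver needs to classify the trap; a receiver that also wanted the sysUpTime value would decode the first varbind the same way. Feeding the datagram to a packet capture on the receiver shows the community string as plain ASCII, which is the check to run before deciding that v2c is acceptable on a given network segment.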
Edit an SNMP Trap Receiver. If you define an SNMP trap receiver and later need to change its IP address, complete these steps: 1. Select Management > SNMP Trap Receivers. 2. Click the Edit button. 3. You can change these settings: • IP address • port To change the SNMP version, you must delete the receiver from the Management > SNMP Trap Receivers screen and re-add it with the correct version. 4. Click the OK button.
Table 2-8.
Figure 2-78.
In situations such as this one, you can uninstall the Wireless Services Module 48 RP License from the Wireless Edge Services zl Module in the North building. You can then install the Wireless Services Module 48 RP License on the Wireless Edge Services zl Module in the South building. Now the North module supports 60 RPs while the South module supports 120.
Figure 2-79.
Only the Wireless Edge Services zl Module has RP licenses. The Redundant Wireless Services zl Module does not include radio port licenses and cannot independently adopt radio ports. When the Redundant Wireless Services zl Module is configured as part of a redundancy group, however, it can adopt radio ports under certain circumstances (such as if the Wireless Edge Services zl Module fails or if it is assigned an active role).
If you have not yet registered with the My ProCurve Web portal, visit http://my.procurve.com and follow the registration instructions. Understanding the Numbers: IDs and Keys Installing and uninstalling the Wireless Services Module 12 RP License or the Wireless Services Module 48 RP License involves several different numbers: ■ Registration ID—The Wireless Services Module RP Licenses include a registration ID.
Figure 2-80. My ProCurve Web Portal 4. Click ProCurve Device Software. You can now begin to generate a license key. (See Figure 2-81.)
Figure 2-81. Enter the Registration ID 5. Enter the registration ID that you located in step 1 in the Registration ID field and click Next. The Hardware ID page is displayed. 6. Find out the hardware ID for the Wireless Edge Services zl Module. a. Open a second browser (if you have not already done so) and access the Web browser interface for the Wireless Edge Services zl Module.
Figure 2-82. The License-Install Summary Screen c. Click the Install button at the bottom of the screen. The Install License (Step 1 and Step 2) screen is displayed. (See Figure 2-83.) Figure 2-83.
d. In the Step 1—Generate Hardware ID section, click the Gen-Hw-ID button. e. When a number is displayed in the System Generated Hardware Id field, copy it (using Ctrl-C) or write it down. (Copying the number is easier and more accurate.) You must enter this number on the My ProCurve Web portal. 7. Return to the My ProCurve Web portal. In the Enter Hardware ID# field, paste (using Ctrl-V) or enter the hardware ID.
To simplify the process of uninstalling a license, you may want to use two Web browsers as you complete these steps: 1. Access the Web browser interface for the Wireless Edge Services zl Module. 2. Select Management > Licenses and click the License-Install Summary tab. 3. Highlight the license that you want to uninstall and click the Uninstall button at the bottom of the screen. The Un-Install License screen is displayed.
8. When the uninstall verification key is displayed, copy the key (using Ctrl-C) or write it down. (Copying the key is easier and more accurate.) You will enter the key on the My ProCurve portal. Note: If you forget or misplace the uninstall verification key, you can view it by selecting Management > Licenses and clicking the License_Uninstall Summary tab.
13. Paste (using Ctrl-V) or enter the uninstall verification key in the Uninstall verification ID# field, and then click the Next button. The My ProCurve Web portal generates and displays a new registration ID. The portal emails the registration ID to you and maintains a record of it. 14. To view your registration IDs, click the View available reg IDs link on the My ProCurve Web portal.
Setting System Information— Name, Time, and Country Code Access the Network Setup screen to configure system information: ■ system name and other information that the Wireless Edge Services zl Module reports to an SNMP server ■ the time and time zone for the internal clock ■ the country code You can also view information about the wireless services-enabled switch and reset passwords for
Follow these steps to configure the system information, which the Wireless Edge Services zl Module reports to an SNMP server: 1. Name the module by entering a string in the System Name field. The string can include spaces and special characters. The default name is “Wireless Services.” Note that, by default, RPs send DNS requests for “Wireless Services” when attempting to be adopted at Layer 3.
The country code configures the Wireless Edge Services zl Module to choose legal channels and transmit powers for RP radios. You must set the country code before the module can adopt RPs. Follow these steps: 1. From the Country drop-down menu, select your country. 2. The Wireless Edge Services zl Module OS warns you that you must select the correct country code. Click the OK button.
NTP Modes and Communications NTP relies on the standard client-server relationship: ■ Clients send time requests to servers. ■ Servers respond with the time. The Wireless Edge Services zl Module can operate as both a client and a server. To configure the module as a client, you must configure an NTP neighbor that acts as the module’s server.
Figure 2-88. NTP Clock Stratum Levels The devices at stratum 0 are GPS clocks, atomic clocks, or other reference clocks. These devices are not attached to the network but are locally connected to computers. Computers at stratum 1 are attached to stratum 0 devices. Stratum 1 devices can act as time servers for timing requests from stratum 2 servers via NTP. Computers at stratum 2 send NTP requests to stratum 1 servers.
Several organizations on the Internet offer NTP servers at strata 1 through 3. Some require you to purchase the service, and others grant it for free. You can configure your Wireless Edge Services zl Module to communicate with one of these servers and then, acting as a server, pass the time on to clients in your network.
By encrypting the cookie with the client’s public key, the server ensures that only the client can recover the cookie. The client, for its part, must initially trust the server, so that trust has to be established out of band (for example, by installing the server’s certificate on the module). After this initial trust, the client knows that the same server is sending the time because only that server has the cookie that generates the correct keys.
• Add up to three neighbors. The correct neighbor configuration depends on your network’s NTP implementation: – Your module acts as the master clock and is your network’s only time server. No neighbors are required. – Your module acts as your network’s only time server and receives its time from one or more servers on the Internet. Specify up to three Internet servers as neighbors in server mode.
Configuring Secure NTP Options To configure a Secure NTP server, complete these steps: 1. Select Special Features > Secure NTP > Configuration. Figure 2-89. Special Features > Secure NTP > Configuration Screen 2. Optionally, in the Other Settings section, check the Authenticate Time Sources box.
4. If you checked the Act as NTP Master Clock box (in step 3), in the Clock Stratum field, enter how many hops the Wireless Edge Services zl Module is from an NTP time source. Valid values are from 1 to 15, but the value should be at least 2, because stratum 1 is reserved for servers directly attached to a stratum 0 reference clock, which the module is not.
Applying ACLs to NTP Services For additional security, you can set access controls on the NTP messages that your Wireless Edge Services zl Module receives. The module only accepts a particular type of message if the ACL applied to that type permits it. You will first need to configure the ACLs for NTP resource access before completing this task. (See Chapter 7, “Access Control Lists (ACLs).”)
You can control four types of access to NTP resources: ■ Full Access—The Wireless Edge Services zl Module accepts all messages from devices permitted by the associated ACL and will synchronize with these devices. This is typically the type of access that you would grant your NTP neighbors. ■ Only Control Queries—The module accepts only control queries from devices permitted by the ACL.
Configuring Authentication for Secure NTP When the Wireless Edge Services zl Module requires authentication for secure NTP, it drops all NTP packets that do not carry a valid message authentication code computed with a key the module knows. (NTP authentication does not encrypt the packets; it appends a digest that proves the sender holds the key and that the packet was not altered in transit.) Authentication ensures that the server providing system time to the Wireless Edge Services zl Module is trusted.
Figure 2-91. Enabling Auto Key for Secure NTP 3. In the Auto Key field, use the drop-down menu to enable auto key: • Host Enabled—The Wireless Edge Services zl Module requires clients and neighbors to use auto key to authenticate themselves. • Client only Enabled—The module uses auto key only to authenticate itself to a server. 4. Click the Apply button.
6. Click the Save link. 7. Make sure that your Wireless Edge Services zl Module has the proper certificates. See “Digital Certificates” on page 2-166. Adding Symmetric Keys. Symmetric key authentication uses a single (symmetric) key that both sides hold. Because both the sender and the receiver must know the same key, it is also referred to as shared key cryptography. In NTP the shared key is not used to encrypt the time packets: the sender appends a message digest computed over the packet and the key, and the receiver recomputes the digest to check that the packet came from a holder of the key and was not altered on the way.
Figure 2-92. Special Features > Secure NTP > Symmetric Keys Screen 3. Click the Add button. The Add screen is displayed. (See Figure 2-93.) Figure 2-93. Add Symmetric Key Screen 4. In the Key ID field, enter the key ID, from 1 through 65534.
5. In the Key Value field, enter any string up to 32 characters for the authentication key value. This key must match the key configured on the neighbor for which you specify this key ID. Treat the value as a shared secret: anyone who obtains it can forge time updates that the module will accept. 6. To define this key as a trusted key, check the Trusted Key box. The Wireless Edge Services zl Module considers a neighbor that uses this key to be a trusted source.
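The following Python program is an added example; it is not part of this guide or of the module's software. It shows what symmetric key authentication does on the wire for the “Configuring Authentication for Secure NTP” and “Adding Symmetric Keys” procedures above: the 48-byte NTP header is followed by the 4-byte key ID and a 16-byte MD5 digest of the key value followed by the header, which is the format of NTPv3 (RFC 1305) and of the NTP reference implementation. The key table, the key IDs 10 and 11, and the key values are constructed for the example. The receiver side drops packets that carry no digest, reference an unknown key ID, fail the digest check, or use a key that is not flagged as trusted, which is the behaviour the Trusted Key box selects.

```python
# NTP symmetric-key authentication as the module and its neighbors use it. Added example.
import hashlib
import hmac
import struct

# Constructed key table mirroring Special Features > Secure NTP > Symmetric Keys:
# key ID (1..65534) -> (key value, up to 32 characters; Trusted Key checked?)
KEY_TABLE = {
    10: (b"ExampleKey-ChangeMe", True),
    11: (b"NotTrustedKey", False),
}
HEADER_LEN, KEY_ID_LEN, DIGEST_LEN = 48, 4, 16


def ntp_header(version=4, mode=3, stratum=0, poll=6, precision=-20):
    """Minimal NTP packet header (mode 3 = client request); timestamps left zero."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, poll, precision) + bytes(44)


def authenticate(header, key_id, key_table=KEY_TABLE):
    """Sender side: append key ID and MD5(key || header) as the MAC."""
    key, _ = key_table[key_id]
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet, key_table=KEY_TABLE, require_trusted=True):
    """Receiver side: (accepted, reason). Mirrors the module dropping packets that
    are not authenticated with a key it knows and, optionally, trusts."""
    if len(packet) == HEADER_LEN:
        return False, "no MAC present"
    if len(packet) != HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "malformed MAC"
    header, key_id_raw, digest = packet[:48], packet[48:52], packet[52:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    if key_id not in key_table:
        return False, "unknown key id %d" % key_id
    key, trusted = key_table[key_id]
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, "bad digest"
    if require_trusted and not trusted:
        return False, "key id %d is not trusted" % key_id
    return True, "ok"


def demo():
    """The cases a practitioner would test: good, missing, forged, tampered, untrusted."""
    header = ntp_header()
    good = authenticate(header, 10)
    forged = good[:52] + bytes(16)                  # attacker without the key guesses a digest
    tampered = good[:1] + b"\x02" + good[2:]        # stratum changed after signing
    return {
        "good": verify(good),
        "unauthenticated": verify(header),
        "forged": verify(forged),
        "tampered": verify(tampered),
        "untrusted_key": verify(authenticate(header, 11)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-16s accepted=%s (%s)" % (case, *result))
```

The digest covers only the header, so a key holder can still be replayed or delayed; what the key rules out is a third party inventing or altering time packets. That is why the key value must be as well protected as a password on both the module and each neighbor.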
Figure 2-94. Special Features > Secure NTP > NTP Neighbor Screen 2. Click the Add button. The Add Neighbor screen is displayed.
Figure 2-95. Add Neighbor Screen 3. Select the neighbor type: • Peer—A peer is another NTP server in a close relationship with your Wireless Edge Services zl Module. The module synchronizes with its peers, and at any given moment, only one peer in the group acts as the NTP server.
5. In the NTP Version field, use the drop-down menu to select the version of NTP to use with this configuration. Although the latest version of the NTP implementation is NTPv4, the official Internet standard at the time of this guide’s publication is NTPv3 (RFC 1305). 6. Select the authentication method: • No Authentication—No authentication is used.
Figure 2-96. Special Features > Secure NTP > NTP Neighbor Screen 2. Click the Add button. The Add Neighbor screen is displayed.
Figure 2-97. Add Neighbor Screen 3. Select Broadcast Server for the neighbor type. 4. In the IP Address field, enter the broadcast address for the module’s subnetwork. For example, if you want the module to run the broadcast server on its VLAN 8 interface, which has the address 10.4.8.30/24, enter 10.4.8.255.
7. If you selected Symmetric Key Authentication in step 6, in the Key ID field, enter the symmetric key ID. The key ID references the symmetric key that you created earlier. (See “Adding Symmetric Keys” on page 2-150.) You must configure clients in this network to match the key referenced by the ID. Because any host on the subnet can send broadcast packets, a client that does not require this key will accept time from any broadcaster, so configure the clients to require it. 8. Click the OK button.
Figure 2-98. Special Features > Secure NTP > NTP Associations Screen The screen includes the following fields: ■ Address—the numeric IP address of the resource providing NTP updates to the module. Typically, the NTP system is a peer or server that you have configured as your Wireless Edge Services zl Module’s neighbor.
■ When—the number of seconds since a message was received from the remote resource ■ Peer Poll—the maximum interval between successive messages, in seconds (always a power of 2, such as 8 or 64) ■ Reach—the status of the last eight NTP messages, displayed in octal. The field is an 8-bit shift register: each poll that receives a valid reply shifts in a 1 and each poll that does not shifts in a 0, so 377 (all ones) means that every one of the last eight polls was answered.
Figure 2-99. Details Screen The Details screen includes the following additional information: ■ Association—state of the association ■ Sanity—an indicator of the “sanity” of NTP packets. The sanity indicates whether the time sent by the resource seems reasonable based on time from other resources.
■ Host Mode—the Wireless Edge Services zl Module’s mode: client—The module is associated with a resource that operates in server mode. The module polls the server, but does not respond to polls from the server. If the server sends valid NTP packets, the module may synchronize with it. server—The module allows itself to be polled by clients that want to synchronize with it.
■ Root Dispersion—a 32-bit unsigned fixed-point number indicating the nominal error relative to the primary reference source, in seconds, with the fraction point between bits 15 and 16. The values that normally are displayed in this field range from 0 to several hundred milliseconds.
Figure 2-100. Special Features > Secure NTP > Secure NTP Status Screen The following information is listed on the screen: ■ Leap—the time source’s leap state, that is, whether it inserts leap seconds. ■ Stratum—how many hops the time source is from a reference clock. ■ Reference—the address of the time source to which the Wireless Edge Services zl Module is synchronized.
■ Clock Offset—the calculated offset, in seconds, between the module and the source. The module adjusts its clock to match the server’s time value. The offset gravitates toward zero over time, but is never completely reduced to zero. ■ Root delay—the total round-trip delay to the primary reference source, in seconds. This variable can take on both positive and negative values, depending on the relative time and frequency offsets.
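The following Python program is an added example; it is not part of this guide or of the module's software. It decodes the raw forms behind the NTP Associations and Secure NTP Status fields described above: the Reach register (octal, newest poll in the low-order bit), the Peer Poll exponent, and the 32-bit fixed-point Root Delay (signed) and Root Dispersion (unsigned) values with the fraction point between bits 15 and 16. The sample association row is constructed, not captured from a module.

```python
# Decoding NTP association and status fields. Added example; the sample row is constructed.


def decode_reach(reach_octal):
    """Reach register, e.g. '377' -> eight booleans, oldest poll first.
    The newest poll is the low-order bit; True means a valid reply arrived."""
    register = int(str(reach_octal), 8)
    if not 0 <= register <= 0o377:
        raise ValueError("reach register is 8 bits wide")
    return [bool((register >> bit) & 1) for bit in range(7, -1, -1)]


def consecutive_successes(reach_octal):
    """Number of most recent polls in a row that were answered."""
    count = 0
    for answered in reversed(decode_reach(reach_octal)):
        if not answered:
            break
        count += 1
    return count


def short_fixed_to_seconds(raw, signed):
    """32-bit fixed point with the binary point between bits 15 and 16 -> seconds."""
    raw &= 0xFFFFFFFF
    if signed and raw & 0x80000000:
        raw -= 1 << 32                      # two's complement: root delay may be negative
    return raw / 65536.0


def root_delay_seconds(raw):
    return short_fixed_to_seconds(raw, signed=True)


def root_dispersion_seconds(raw):
    return short_fixed_to_seconds(raw, signed=False)


def poll_seconds(exponent):
    """Peer Poll is carried as a power-of-two exponent, hence values like 8 or 64."""
    if not 0 <= exponent <= 17:
        raise ValueError("poll exponent out of range")
    return 1 << exponent


def summarize(assoc):
    """One association row -> the numbers an operator checks before trusting the source."""
    reach = decode_reach(assoc["reach"])
    return {
        "address": assoc["address"],
        "stratum": assoc["stratum"],
        "poll_seconds": poll_seconds(assoc["poll_exp"]),
        "replies_of_last_8": sum(reach),
        "consecutive_ok": consecutive_successes(assoc["reach"]),
        "root_delay_s": root_delay_seconds(assoc["root_delay_raw"]),
        "root_dispersion_s": root_dispersion_seconds(assoc["root_disp_raw"]),
        # stratum 16 means the source is itself unsynchronized; reach 0 means no replies
        "usable": assoc["stratum"] < 16 and sum(reach) > 0,
    }


SAMPLE_ASSOCIATION = {                 # constructed, not captured from a module
    "address": "192.0.2.10",
    "stratum": 2,
    "poll_exp": 6,                     # 64-second poll interval
    "reach": "376",                    # seven replies; the newest poll went unanswered
    "root_delay_raw": 0x00001800,      # 0.09375 s
    "root_disp_raw": 0x00000800,       # 0.03125 s
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ASSOCIATION).items():
        print("%-18s %s" % (key, value))
```

A reach value that is non-zero but keeps losing its low bits (376, 374, 370 and so on) is the pattern to watch for: the source was answering and has just stopped, which is worth distinguishing from a source that has never been reachable.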
Digital Certificates The Wireless Edge Services zl Module supports digital certificates, which are used to identify a host uniquely. The Wireless Edge Services zl Module uses certificates for several purposes: ■ HTTPS access—The module’s server certificate authenticates the module to your Web browser. ■ RADIUS authentication services—802.
A certificate binds a host’s public key to its identity, and it carries a digital signature from its issuer: a CA, or the host itself in the case of a self-signed certificate. The issuer creates the signature by hashing the certificate’s contents and then encrypting the hash with the issuer’s private key. When a peer receives the certificate, it hashes the contents itself, decrypts the signature with the issuer’s public key (which it must already trust) to recover the original hash, and compares the two hashes; they match only if the contents are unaltered and were signed by the holder of the issuer’s private key. The host then proves that it owns the private key matching the public key in its certificate by signing data exchanged during the session handshake, which the peer checks the same way with the public key taken from the certificate.
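The following Python program is an added example; it is not part of this guide or of the module's software. It carries the hash-then-sign and verify flow described above through working code: a toy certificate whose fields are hashed and signed, a verifier that hashes the fields itself, recovers the digest from the signature with a key it already trusts and compares the two, and a proof-of-possession step in which the certificate holder signs a challenge. To stay within the standard library it uses textbook RSA with a deliberately small key built from two known Mersenne primes and no padding; this is for illustration only and is not secure. Real certificates use keys of the sizes described under Certificate Keys later in this section together with a proper padding scheme. The subject name, dates, nonce and trust store are all constructed.

```python
# Hash-then-sign and verify with a toy RSA key. Added example; NOT secure.
import hashlib
import json

# Toy key pair from two known Mersenne primes: n is about 92 bits. Illustration only.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)
DIGEST_BYTES = 11                        # 88-bit digest so it is always smaller than N

# The peer's copy of the key it trusts, installed out of band (a CA certificate,
# or the self-signed certificate accepted once and stored). Never taken from the
# certificate being verified.
TRUST_STORE = {"n": N, "e": E}


def digest_int(data):
    """Hash the data to be signed; signer and verifier both do this independently."""
    return int.from_bytes(hashlib.sha256(data).digest()[:DIGEST_BYTES], "big")


def sign(data, private_exponent=D, modulus=N):
    """Signature = digest^d mod n (textbook RSA, no padding)."""
    return pow(digest_int(data), private_exponent, modulus)


def recover_digest(signature, public_key):
    """signature^e mod n gives back the digest the signer computed."""
    return pow(signature, public_key["e"], public_key["n"])


def tbs_bytes(fields):
    """Canonical encoding of the to-be-signed part of a toy certificate."""
    return json.dumps(fields, sort_keys=True).encode()


def make_self_signed(subject_fields):
    """The subject's own key signs its own fields, as in the Certificates Wizard."""
    cert = dict(subject_fields, public_key={"n": N, "e": E})
    cert["signature"] = sign(tbs_bytes(cert))
    return cert


def verify_certificate(cert, trusted_issuer_key):
    """Hash the fields, recover the signer's digest with the trusted key, compare."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    return recover_digest(cert["signature"], trusted_issuer_key) == digest_int(tbs_bytes(tbs))


def prove_possession(challenge, private_exponent=D):
    """Handshake step: the host signs a challenge to prove it holds the private key."""
    return sign(challenge, private_exponent)


def check_possession(cert, challenge, response):
    """The peer checks the response with the public key carried in the certificate."""
    return recover_digest(response, cert["public_key"]) == digest_int(challenge)


if __name__ == "__main__":
    cert = make_self_signed({"subject": "wireless-module.example.net", "valid_to": "2008-08-01"})
    print("self-signed verifies:", verify_certificate(cert, TRUST_STORE))
    forged = dict(cert, subject="attacker.example.net")
    print("altered subject verifies:", verify_certificate(forged, TRUST_STORE))
    nonce = b"constructed-handshake-nonce"
    print("possession proven:", check_possession(cert, nonce, prove_possession(nonce)))
```

Two points the code makes concrete: the verifier never "unhashes" anything, it recomputes the hash and compares; and the key used to check the certificate's signature comes from the verifier's own trust store, while the key used to check proof of possession comes from the certificate. Swapping those two is the classic mistake that lets an attacker present a certificate they minted themselves.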
You must complete these tasks to configure a self-signed certificate: 1. Optionally, pre-create a specific key for the certificate. Typically, however, you can allow the module to automatically generate a key when you create the certificate. 2. Use the Certificates Wizard to create the certificate. You must complete these tasks to install a server certificate signed by a CA:
Figure 2-101. Management > Certificate Management Screen The Management > Certificate Management screen has two main tabs: ■ Trustpoints—This screen lists the trustpoints on the Wireless Edge Services zl Module and the certificates associated with each trustpoint. The left panel displays all trustpoints configured on your module. Initially, the only trustpoint is the “default-trustpoint.”
Using the Certificates Wizard Use the Certificates Wizard to: ■ create a new certificate, either as a self-signed certificate or a certificate request to be sent to a CA ■ upload a certificate (either a server certificate or a CA certificate) from an external source ■ delete trustpoints, certificates, or keys You can complete all necessary tasks for creating or installing certificates through the Certificates Wizard.
Figure 2-102. Certificates Wizard Welcome Screen On this screen, you can select the certificate operations that you want to perform, which are documented in the following sections.
Creating a Self-Signed Certificate. To create a new self-signed certificate, complete these steps: 1. On the Certificates Wizard Welcome screen, in the Select a certificate operation section, select Create a new certificate. 2. Click the Next button. The screen shown in Figure 2-103 is displayed. Figure 2-103. Certificates Wizard Options Screen (Self-Signed Certificate)
4. In the Select a trustpoint for the new certificate section, select one of the following: • Use existing trustpoint—You can select a trustpoint that you have created previously from the drop-down menu. (This option is available only when an existing trustpoint does not have a current certificate.) • Create a new trustpoint—Enter the trustpoint name in the field.
Figure 2-104. Certificate Credentials Screen (Self-Signed Certificate) 7. If you specified in step 4 that you are creating a new trustpoint, check the Configure the trustpoint box to configure the trustpoint. 8. Select Automatically generate certificate with default values to generate a certificate with default credential values.
Alternatively, select Enter certificate credentials and enter the following credentials for the certificate:
To obtain a certificate signed by a CA, you must first generate a certificate request. Complete these steps: 1. On the Certificates Wizard Welcome screen, in the Select a certificate operation section, select Create a new certificate. 2. Click the Next button. The screen shown in Figure 2-105 is displayed. Figure 2-105. Certificates Wizard Options Screen (Certificate Request)
4. In the Select a trustpoint for the new certificate section, select one of the following: • Use existing trustpoint—You can select a trustpoint that you have created previously from the drop-down menu. (This option is available only when an existing trustpoint does not have a current certificate.) • Create a new trustpoint—Enter the trustpoint name in the field.
Figure 2-106. Certificate Credentials Screen (Certificate Request)
• Email Address—a valid email address for you or the person responsible for managing the Wireless Edge Services zl Module. This field is optional. • FQDN—the module’s fully qualified domain name. This field is optional. • IP Address—the IP address for the certificate. This field is optional. • Password—a password that must be entered to install the certificate. This field is optional.
Figure 2-107. Copy or Save Certificate Request Screen 10. To save the text of the certificate request to send to a CA, you can do either (or both) of the following: • Check the Copy the certificate request to clipboard box. After you click the Next button in step 11, you can paste the text into a text file.
iii. Choose FTP or TFTP from the Using drop-down menu, and, if necessary, choose the port for your server. (The default port is usually correct.) iv. Specify the server’s IP address. v. For FTP, enter the username and password. vi. Leave the Path field blank to save to the server’s base directory, or enter a valid directory path on the server. The request contains the module’s public key and identity, not its private key, which stays on the module, so sending the request over FTP or TFTP does not expose the key.
Figure 2-108. Certificates Wizard—Uploading a Certificate 1. Click the Next button. The screen shown in Figure 2-109 is displayed.
Figure 2-109. Upload Certificate to Trustpoint Screen 2. In the Select a trustpoint to upload the certificate section, select one of the following: • Use existing trustpoint—to upload the certificate to an existing trustpoint; use the drop-down menu to select the trustpoint. • Create a new trustpoint—to upload the certificate to a new trustpoint; enter the name of the new trustpoint in the field.
You can select either or both certificates to upload. However, you can only upload a certain type of certificate if the selected trustpoint does not already include that type. If you want to upload a new certificate, first delete the current certificate. See “Deleting Trustpoints, Certificates, and Keys” on page 2-184.
Figure 2-110. Certificates Wizard—Deleting Certificates 2. Click the Next button. The screen shown in Figure 2-111 is displayed.
Figure 2-111. Certificate Wizard Delete Operations Screen 3. Select your delete operations: • To delete an entire trustpoint, select Delete trustpoint and all certificates inside it. Then use the drop-down menu to select the trustpoint to delete. This selection deletes the trustpoint and everything it contains, including certificates, a certificate request, and a CRL.
4. Click the Next button. 5. On the confirmation screen, click the Next button to confirm the deletion. Or, click the Cancel button to cancel the deletion. 6. After the deletion is complete, on the completion screen that is displayed, click the Finish button. 7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
When you transfer a trustpoint, you copy these elements (if included in that particular trustpoint): ■ server certificate ■ CA certificate ■ CRL Transferring Trustpoints from the Wireless Edge Services zl Module to a Server To transfer a trustpoint from the Wireless Edge Services zl Module to a server, complete these steps: 1. Select Management > Certificate Management and click the Trustpoints tab.
6. From the Using drop-down menu, select the protocol for the trustpoint transfer, either FTP or TFTP. 7. In the Port field, enter the respective FTP or TFTP port number; the default port number (port 21 for FTP, port 69 for TFTP) should apply in most cases. 8. In the IP Address field, enter the IP address of the FTP or TFTP server. 9. If you are using an FTP server, enter the login credentials.
Figure 2-113. Transfer Trustpoints from Server Screen 3. In the Source section, select Server from the From field. 4. In the File field, enter the filename of the source trustpoint file. 5. In the Using drop-down menu, select the protocol for the external server, either FTP or TFTP.
12. Click the Transfer button. In the Status section at the bottom of the screen, a message is displayed, reporting whether the transfer was successful. 13. After the trustpoint transfer is complete, click the Close button. Certificate Keys A certificate relies on a public/private key pair. You can use the same key pair for multiple certificates, or you can use a different pair for each certificate.
Figure 2-114. Management > Server Certificates > Keys Screen 2. Click the Add button. The Add Key screen is displayed. Figure 2-115.
3. In the Key Name field, enter a name for the key. Enter between 2 and 64 characters. The only permissible special character is “_”. 4. In the Key Size field, enter the key size in bits, from 1,024 through 2,048. Use the largest size the field allows; 1,024-bit RSA keys are no longer considered adequate. 5. Click the OK button. Transferring Keys You can transfer key pairs to a secure location for archiving.
Figure 2-116. Transfer Keys from Wireless Edge Services zl Module 4. Use the next drop-down menu to select the key to be transferred. 5. In the Pass phrase field, enter a passphrase, which can include spaces and special characters. The passphrase encrypts the key pair and, although optional, is strongly recommended: FTP and TFTP carry the file unencrypted, so the passphrase is the only protection for the private key both in transit and on the server. In order to decrypt and use the key, a person must know the correct passphrase.
d. If you are using an FTP server, enter the login credentials. i. In the User ID field, enter the username for your account on the FTP server. ii. In the Password field, enter the password for this username. e. In the Path field, enter the path where the key will be saved on the server. (If you are using a TFTP server, this field may not be required.)
4. In the Key Name field, enter the filename of the source key file. If you selected Local Disk as the source in step 3, include the path with the filename. 5. If you selected Server as the source in step 3, in the Source section, specify the following for the key transfer source: a. From the Using drop-down menu, select the protocol for the key transfer, either FTP or TFTP.
3 Radio Port Configuration

Contents
Overview 3-2
Country-Code and Regulatory Procedures 3-4
Configuring Radio Settings 3-5
Creating a Radio Adoption Default Configuration 3-8
Viewing and Configuring Properties
Radio Port Configuration Overview Overview The ProCurve Wireless Edge Services zl Module manages the ProCurve Radio Ports (RPs) 210, 220, and 230. Using their Ethernet port and one or two radios, these IEEE 802.11-compliant RPs grant wireless stations access to an Ethernet network. RPs provide the radio signal and the physical connection to wireless users, but little intelligence on their own.
The ProCurve RPs 210, 220, and 230 support client roaming, which allows a mobile wireless station to maintain connectivity while moving from one radio coverage area to another. This chapter will give you a few guidelines for setting up wireless coverage to facilitate seamless roaming.
Radio Port Configuration Country-Code and Regulatory Procedures Country-Code and Regulatory Procedures While IEEE has codified the international wireless network specifications and standards, each country has its own regulations for legal frequencies and wireless use requirements. It is important to be aware of your country’s standards when configuring your network. Setting a device’s country code configures it to use radio settings that are legal in that country.
Radio Port Configuration Configuring Radio Settings Refer to http://www.hp.com/rnd/support/manuals/rports.htm for information about each country’s regulations and permissible radio settings. Configuring Radio Settings You configure radio settings for the ProCurve RPs 210, 220, and 230 through the Wireless Edge Services zl Module. The ProCurve RP 220 and 230 each have two built-in radios; one radio supports 802.11a standards while the other supports 802.11bg standards.
Figure 3-2. Default Configuration Screen for a Radio Type
The screen for configuring the radio adoption default settings is labeled Network Setup > Radio Adoption Defaults > Configuration > Edit. The top left on the screen reads Configuration, and the top right displays the radio type: 802.11a or 802.11bg. For ease of reference, this guide will call that screen a radio type’s default Configuration screen.
Figure 3-3. Configuration Screen for a Radio
Be careful to make configuration changes on the correct screen. Otherwise, the changes will not take effect as expected. Table 3-1 summarizes how you edit the radio configurations and how the Wireless Edge Services zl Module deploys them. For more information, see Chapter 1: “Introduction.”
Table 3-1.

Creating a Radio Adoption Default Configuration

The Wireless Edge Services zl Module stores two radio adoption default configurations, one for 802.11a radios and one for 802.11bg radios. It deploys the configurations to radios on any unconfigured RP that it adopts. These configurations only affect newly adopted radios.
As described above, you establish settings for a radio adoption default configuration from a radio type’s default Configuration screen. To access this screen, complete these steps:
1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab. This screen includes two rows, one for 802.11a and one for 802.11bg.
Figure 3-5. Radio Adoption Default Configuration Properties (callouts: Model, Radio Type, Background AP detection, Dedicated to detecting rogue APs)
This screen includes three sections: Properties, Radio Settings, and Advanced Properties. In the following sections, you will learn how to configure each of the settings on this screen.

Viewing and Configuring Properties

For the most part, you view, rather than configure, settings in this section.
When you configure this setting as part of the default configuration, you dedicate all radios of that 802.11 mode. For example, if your network does not include any stations that use 802.11a mode, you could dedicate all 802.11a radios in your network to scanning for rogue APs. (Note, however, that these radios will only detect APs operating in an 802.11a channel.)
Note
As a security measure, you can configure all RPs to be adopted as detectors.

Configuring Radio Settings

Configure the basic radio settings in the default Configuration screen’s Radio Settings section, as shown in Figure 3-6. These settings include:
■ radio placement
■ channel selection method
■ transmit power
■ rate settings
You should configure the settings in this order; the radio placement setting dictates available channel options, and the channel selection method affects available power levels.
overcome distance-based signal loss, but an indoor RP should broadcast at a lower power to accommodate closer stations and minimize interference with other local RPs. In addition, some countries allow certain channels to be used only outdoors. Unless you are certain that all RPs will operate outdoors, you should leave the Placement setting at Indoors for the radio adoption default configurations.
3. In the Desired Channel field, use the drop-down menu to select either Random or ACS.
4. Click the OK button.
If you want to set channels manually, then you must do so for particular radios after they are adopted. (See “Configuring Radio Settings for a Particular Radio” on page 3-31).

Setting the Desired Radio Power. After you have selected a channel, you must select the radio power.
Note
A warning box may be displayed, reminding you to be careful when setting a power for a radio that is using external antennas. Verify that the power and channel settings are within local limits, and then click the OK button.

Configuring Rate Settings. You can specify the data rates, in Mbps, that default radios support for traffic passing between the radio and a station.
The basic rates are rates for which RP radios advertise support. A radio uses and allows stations to use basic rates for:
■ management frames
■ broadcast frames
■ multicast frames
Such frames are sent to all stations associated to a basic service set (BSS); therefore, if an RP is to support 802.11b stations, it must use only the rates (1, 2, 5.5, and 11 Mbps) supported by those slower stations. If an 802.11bg radio does not need to support 802.
In addition, even when you have selected g rates (such as 6, 12, and 24) for the basic rates, you should consider allowing b rates (1, 2, 5.5, and 11) for the supported rates. 802.11b stations still cannot connect to the WLAN, but RPs and 802.11g stations can use the b rates to avoid interference from any 802.11b stations that might be in the vicinity.
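The rate rules above can be checked before a configuration is pushed to radios. The following is an added example (not ProCurve code and not part of this guide) for an 802.11bg radio: it encodes the guide's two points (basic rates must be b rates if 802.11b stations are to associate; b rates are worth keeping in the supported rates even when the basic rates are g rates) plus the standard 802.11 rule that every basic rate must also be a supported rate. The 802.11g rate list and the severity labels are the example's own.

```python
# Added example (not ProCurve code): sanity checks on the basic/supported rate
# settings for an 802.11bg radio, following the rules given in the guide.
B_RATES = {1, 2, 5.5, 11}                    # 802.11b data rates in Mbps
G_RATES = {6, 9, 12, 18, 24, 36, 48, 54}     # 802.11g (OFDM) data rates in Mbps
ALL_BG_RATES = B_RATES | G_RATES


def check_bg_rates(basic, supported, need_b_stations):
    """Return (ok, findings) for a proposed rate configuration.

    basic:           rates the radio advertises and uses for management,
                     broadcast and multicast frames; a station that does not
                     support all of them cannot associate.
    supported:       all rates the radio allows for traffic with a station.
    need_b_stations: True if 802.11b-only stations must be able to join.
    findings is a list of (severity, message); ok is False if any is an error.
    """
    basic, supported = set(basic), set(supported)
    findings = []

    bad = (basic | supported) - ALL_BG_RATES
    if bad:
        findings.append(("error", f"not 802.11b/g rates: {sorted(bad)}"))
    if not basic:
        findings.append(("error", "at least one basic rate is required"))
    # Standard 802.11 rule: the basic rate set is a subset of the supported set.
    if not basic <= supported:
        findings.append(("error",
                         f"basic rates must also be supported rates: {sorted(basic - supported)}"))
    # Guide: to support 802.11b stations, basic rates must be only 1/2/5.5/11.
    if need_b_stations and not basic <= B_RATES:
        findings.append(("error",
                         f"802.11b stations cannot associate: basic rates {sorted(basic - B_RATES)} are g-only"))
    # Guide: even with g basic rates, keep b rates in the supported rates so the
    # RP and g stations can fall back to them around nearby 802.11b stations.
    if not basic & B_RATES and not supported & B_RATES:
        findings.append(("warning",
                         "no b rates in the supported rates; keeping 1/2/5.5/11 helps avoid "
                         "interference from 802.11b stations in the vicinity"))

    ok = not any(sev == "error" for sev, _ in findings)
    return ok, findings


if __name__ == "__main__":
    # Constructed sample configurations, not taken from the guide.
    for basic, supported, need_b in [
        ({1, 2, 5.5, 11}, {1, 2, 5.5, 11, 6, 12, 24}, True),
        ({6, 12, 24}, {6, 12, 24}, True),
        ({6, 12, 24}, {1, 2, 5.5, 11, 6, 12, 24}, False),
    ]:
        ok, findings = check_bg_rates(basic, supported, need_b)
        print("OK" if ok else "REJECT", sorted(basic), sorted(supported), findings)
```

The third configuration is the one the guide recommends when 802.11b stations are not needed: g basic rates, with the b rates left in the supported set.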
The RTS Threshold, Beacon Interval, and Self Healing Offset fields are accompanied by a column that describes the units in which these settings are configured. For example, the RTS threshold is configured in bytes, and the beacon interval is configured in units of 1,000 microseconds (or 1 millisecond).
Figure 3-9. (callouts: Options, Max Stations, Antenna Mode, Units, Adoption Pref ID, Short Preamble)
You can select one of three options for the antenna mode: diversity, primary, and secondary. The Diversity option requires the RP radio to have a diversity antenna (either internal or external). If an RP radio uses a non-diversity external antenna, you must specify to which connector you have attached it by selecting Primary or Secondary.
A Wireless Edge Services zl Module preferentially adopts RPs that have the same ID as the module itself. (See “Configure an Adoption Preference for the Module” on page 10-28 in Chapter 10: “Redundancy Groups” for instructions on setting this ID.
To force another Wireless Edge Services zl Module to adopt a particular radio, change the radio’s preference ID to the ID on that second module, as explained in “Configuring Advanced Properties for a Particular Radio” on page 3-33.

Enabling Support for a Short Preamble. As part of the 802.11 standards, stations and radios are required to prepend a preamble to transmitted frames.
Stations can avoid transmitting at the same time by exchanging RTS and Clear to Send (CTS) packets with the RP. A wireless station sends an RTS packet to notify the radio that it would like to transmit. If the channel is clear, the radio sends a CTS packet to the requesting station. This procedure clears the air for a specific transmission when many stations may be contending for transmission time.

Setting the Beacon Interval. A beacon is an 802.11 management frame that is broadcast by an RP radio to advertise its presence as a network point of access and to keep the network synchronized.
The default DTIM period on all BSSIDs is 2 beacons. To set the default number of beacons between DTIMs that radios in your network broadcast, complete these steps:
1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab.
2. Select the radio type and click the Edit button.
3. In the DTIM field, enter the number of beacons between DTIMs.
4. Click the OK button.

Setting the Self Healing Offset.
Creating a Radio Configuration for a Particular Radio

When the Wireless Edge Services zl Module is powered on, it can identify and adopt the RPs that are connected to the network. In “Creating a Radio Adoption Default Configuration” on page 3-8, you learned how to configure the settings that the module deploys to RPs when first adopted. In this section, you will learn about configuring override settings for particular identified radios.
Figure 3-10. Network Setup > Radio > Configuration Screen
The Network Setup > Radio > Configuration screen lists all of the radios that the Wireless Edge Services zl Module has identified and their current settings and status. Radios are listed by index number. (The first radio that the module identifies is typically assigned the first index, and so on.) Radios are further identified by a name and a type.
Note
An RP does not have to be adopted before you create a configuration for its radio (or radios); it can simply be identified in the list. An unadopted radio might display in the list because:
■ the module had once adopted the RP
■ you added the RP radio manually using the Add button
To create the configuration, select the unadopted radio, click the Edit button, and configure the settings.
To view the Configuration screen for a particular radio, complete these steps:
1. Select Network Setup > Radio and click the Configuration tab.
2. Select the radio that you want to configure and click the Edit button.
Like the default Configuration screen for a radio type, a particular radio’s Configuration screen includes three sections: Properties, Radio Settings, and Advanced Properties. These are described in the following sections.

Setting the Radio Description. While configuring a radio description will not affect radio functions, doing so can save time and effort when managing or troubleshooting your wireless network. The default radio description is “RADIO” followed by the radio’s index number. For example, the radio that has been assigned to index 1 has “RADIO1” as its description. It is often a good idea to describe a radio according to its intended coverage area or function.

Configuring a Radio as a Single-Channel Detector for Unapproved APs. A dedicated detector radio sends probes for unapproved APs on all allowed channels in its frequency, but does not support wireless stations. To allow an RP radio to detect some APs, while still supporting stations, enable the radio to scan for rogue APs only on its own channel. To configure a single-channel scan, complete these steps:
1. Select Network Setup > Radio > Configuration.
2.
Configuring Radio Settings for a Particular Radio

The Radio Settings section on a particular radio’s Configuration screen includes the same options as the corresponding section in a radio type’s default Configuration screen. However, the section also includes an Actual column to the right of the settings that displays the channel and power level that the radio is actually using.
3. In the Placement field, use the drop-down menu to select the placement, Indoors or Outdoors. It is very important that the radio’s placement be accurate. (See “Defining the Radio Placement” on page 3-12 for more information.)
4. In the Actual column (see Figure 3-12), view the channel that was selected, either randomly or using ACS, when the radio was adopted. You can now select a channel manually.
5.

Configuring Advanced Properties for a Particular Radio

The Advanced Properties section of a radio’s Configuration screen includes, in most cases, the same settings as the corresponding section in radio types’ default Configuration screens:
■ Antenna Mode
■ Maximum Stations
■ Adoption Preference ID
■ Short Preambles only (802.

Setting DTIM Periods for a Particular Radio. For radio adoption defaults, you specify a single value for the DTIM period (the number of beacons between DTIMs). (See “Setting the DTIM Period” on page 3-23.) However, a particular RP radio sends out beacons on each of its four BSSIDs, and the Wireless Edge Services zl Module allows you to set a different DTIM period for each BSSID.
Figure 3-13. Radio Configuration Radio Settings (callout: Set different DTIM periods for the radio’s four BSSIDs)
3. In the Advanced Properties section, click the DTIM Periods button. The DTIM Periods screen is displayed.
Figure 3-14. DTIM Periods
4. In the field for each BSS, enter the number of beacons between DTIMs.
5. Click the OK button.
Configuring Multiple Radios at Once

To save time, you can configure settings for multiple radios at once. Hold down as you select the radios and click the Edit button. The Configuration screen is displayed. You can edit the configuration much as you would for a single radio. However, certain parameters are grayed out; these parameters are restricted to configuration on one radio at a time.
Figure 3-15. Running ACS on All RP Radios (callout: Running ACS is one of the Tools)
2. Click the Tools button.
3. On the pop-up menu that is displayed, select Run ACS Now. The Wireless Edge Services zl Module scans all channels and discovers which radios are adopted and using which channels. The module then analyzes the radios’ channels and moves each ACS-enabled radio to the channel where it is least likely to experience interference from other radios.
Figure 3-16. Running ACS

Resetting a Radio

It may become necessary for you to reboot an RP. For a dual-radio RP (such as the RP 220 or 230), you can either reset the entire RP or only one of its radios. Complete these steps:
1. Select Network Setup > Radio and click the Configuration tab.
2. Select the radio that you want to reset and click the Tools button.
Figure 3-17. Resetting a Radio (callout: Reset Radio1)
3. On the pop-up menu that is displayed, select Reset. The Confirm Reset screen is displayed.
Figure 3-18. Resetting a Radio
4. Select a reset option:
• If you click the Reset Radio only button, only the selected radio will reset.
• If you click the Reset entire Radio Port button, the RP for the selected radio will reset, along with both radios on the same RP.
Managing RP Radios

You can perform several actions on an RP radio in the Network Setup > Radio screen. Select the radio from the list and click one of the buttons at the bottom of the screen:
■ Click the Edit button to alter a radio’s configuration. The Configuration screen for that radio is displayed. (See “Configuring Radio Settings for a Particular Radio” on page 3-31.)
■ Click the Delete button to delete a radio configuration and unadopt the radio.
Enter the RP’s Ethernet MAC address in the RP MAC Address field. Then choose the appropriate radio or radios for the RP and assign them index numbers not currently used on this Wireless Edge Services zl Module. Click OK, and you can then select and edit the configuration for this RP’s radios before the RP is even adopted.
■ Click the Tools button to view a pop-up menu with the following options:
• Reset—Select this option to reboot the radio.
Figure 3-20. LLDP Button (callout: LLDP Button)
The LLDP screen is displayed. If you select a radio before clicking the LLDP button, the MAC Address field is automatically filled with the RP’s Ethernet MAC address. See Figure 3-21.
Figure 3-21. LLDP Screen
You might have already customized the radio’s name. Select Set Radio Name as LLDP Name to use this name for the LLDP name as well. Alternatively, manually enter a name in the LLDP Name field. (The name can include alphanumeric and special characters, as well as spaces.) In the MAC Address field, enter the Ethernet MAC address of the RP. Or enter 00-00-00-00-00-00 to apply the LLDP name to all radios. Then click the OK button.
Radio Port Configuration Considerations for Enabling Client Roaming Considerations for Enabling Client Roaming A mobile station may roam back and forth between several RPs. Ideally, such roaming is hidden from wireless users, who do not need to know when they connect to a new RP. They simply want their applications to continue functioning smoothly. A station itself determines when it needs to roam (typically, in order to associate to a radio with a better signal).
Setting the power level lower than the maximum can help you provide seamless coverage. Place RPs more closely together and configure self healing, as described in “Network Self Healing” on page 12-89 of Chapter 12: “Wireless Network Management.”
■ the antenna type
The RP 210’s and RP 230’s internal radios use omnidirectional diversity antennas, which send out the signal in all directions equally.
Radio Port Configuration Quality of Service (QoS) on RP Radios Quality of Service (QoS) on RP Radios All traffic on a radio shares the same medium. So an RP radio may queue traffic for multiple WLANs together. By default, RPs queue traffic according to the classification of the WLAN to which the traffic belongs. Because, by default, this classification is normal for all WLANs, all traffic receives the same handling. That is, each frame must contend for the medium on equal footing.
Each outbound radio queue is defined by different WMM parameters, which determine how the RP contends for the medium in order to transmit frames in that queue.
For more information about WMM and other QoS mechanisms, see “Traffic Management (QoS)” on page 4-89 of Chapter 4: “Wireless Local Area Networks (WLANs).” To learn how to customize RP WMM parameters, see “Viewing and Customizing RP WMM Parameters” on page 4-105 of Chapter 4: “Wireless Local Area Networks (WLANs).”
4 Wireless Local Area Networks (WLANs)

Contents
Overview 4-3
Configuration Options: Normal Versus Advanced Mode 4-4
Normal Mode Configuration 4-4
Why Use Normal Mode 4-4
Enabling WLANs Using Normal Mode
Configuring Accounting on a WLAN 4-68
Enabling Logging to a Syslog Server on a WLAN 4-69
Enabling RADIUS Accounting on a WLAN 4-71
Configuring Global WLAN Settings 4-75
Enabling the WLAN 4-76
VLAN Assignment
Wireless Local Area Networks (WLANs) Overview Overview A wireless LAN (WLAN) is a LAN that uses a wireless medium; typically it provides wireless stations a connection to a private LAN, the Internet, or both. The WLAN might include multiple radio ports (RPs), each of which is identified by an individual basic service set identifier (BSSID), but supports the same service set identifier (SSID). Stations associated to one RP can roam to another RP that provides access to the same WLAN (shares the same SSID).
Wireless Local Area Networks (WLANs) Configuration Options: Normal Versus Advanced Mode Configuration Options: Normal Versus Advanced Mode When the Wireless Edge Services zl Module deploys a WLAN’s configuration to an RP, it assigns the SSID associated with that WLAN to a BSSID on the RP’s radio (or radios). You can configure the module to assign WLANs to RPs in one of two modes: normal or advanced.
Enabling WLANs Using Normal Mode

In normal mode, to configure and activate WLANs, you complete these steps:
1. Configure the SSID, VLAN, and other options for each WLAN that you want to include in your network. See “Configuring a WLAN” on page 4-26 for instructions on how to do so.
2. On the Network Setup > WLAN Setup screen, select the WLANs and click Enable.
Figure 4-2 shows the screen in which you can verify that radios have received the WLAN assignment.
Figure 4-2. Assigning WLANs to a Radio (Normal)
To view the screen in Figure 4-2, select Network Setup > Radio and click the WLAN Assignment tab. Select a radio, and information is displayed in the area in the right of the screen, called Assigned WLANs.
Figure 4-3. Assigning WLANs to the Second Radio (Normal)
You must understand that these assignments are constant: WLAN 2 is always assigned to BSSID 2, even if you have not enabled WLAN 1.

Enabling More Than Four WLANs Using Normal Mode

Using normal mode, you can configure and enable up to 16 WLANs, which all adopted RP radios will support.
As always, if the RP includes two radios, every WLAN is assigned to a BSSID on each. This process is illustrated in the figures below.
Figure 4-4.
Figure 4-5. Viewing Six WLANs Assigned to a Radio (Normal)
RP radios send beacon frames to announce the WLANs that they support. The source of a beacon frame is a BSSID, and each beacon can include only one SSID. Therefore, if you enable more than four WLANs, RPs support all of them, but only announce the first four.
In other words, with normal configuration, WLANs 5 through 16 always operate in a partially closed system. If you want these WLANs to operate in a completely closed system, you should disable responses to probe requests. You cannot disable closed system. See “Enabling Closed System Operations” on page 4-65 to learn more about configuring the features described above.
Table 4-1. WLAN Assignment to BSSID
SSIDs for WLANs    BSSID
1, 5, 9, 13        1
2, 6, 10, 14       2
3, 7, 11, 15       3
4, 8, 12, 16       4
When deciding which WLAN index number to use for a WLAN, keep in mind that this number determines on which BSSID RPs carry that WLAN’s traffic. You should generally avoid mixing bulk data and time-sensitive data such as voice on the same BSSID.
Why Use Advanced Mode

Reasons that you might use advanced mode include:
■ You want to restrict access to a WLAN to a certain area. For example, if a WLAN allows wireless users to access sensitive financial information, you might not want your network to support that WLAN, even protected by encryption, in a public lobby. Advanced mode allows you to assign a WLAN to certain RPs only, so you control where the WLAN exists.
■ You want your RPs to announce more than four SSIDs. While a single RP radio can only beacon four SSIDs, it is possible to customize WLAN assignments so that different RP radios beacon different SSIDs. That is, you can configure certain WLANs as the primary WLANs on some of your organization’s RPs, and other WLANs as primary on others.
Figure 4-8. Global WLAN Settings Screen
c. Check the Advanced Configuration box, and then click the OK button.
3. Enable the WLANs.
4. You must now manually assign the WLANs to RP radios. You can do this in two ways:
• You can manually assign WLANs as a part of a default configuration to be sent to any newly adopted RP.

Manually Assigning WLANs to the Radio Adoption Default Configuration. Configure the radio adoption default configuration to customize the WLANs that the Wireless Edge Services zl Module sends to all newly adopted radios. This configuration actually divides into two parts—one for 802.11a radios and one for 802.11bg radios.
Figure 4-9. Configuring an Area-Specific WLAN
Note
Depending on whether you enable WLANs or advanced mode configuration first, the radio adoption configuration begins with either the normal WLAN assignment or an empty WLAN assignment. Leaving the WLAN assignment in the default configurations empty is not necessarily undesirable: it can increase security.
Figure 4-10. Customizing WLAN Assignment for the Radio Adoption Default (Advanced Mode)
2. Choose the radio type from the Select Radio drop-down menu.
Note
If your network includes radios of both types, you should remember to configure a default WLAN assignment for each. Typically, these assignments should match.
You can assign WLANs to the radio as a whole or to individual BSSIDs.
3.
Figure 4-11. Assigning WLANs to a BSSID in the Default Configuration
6. In the Primary WLAN drop-down menu, choose the WLAN for which the radio should beacon the SSID.
7. If you want to assign more WLANs to the radio, select another BSSID and repeat steps 5 and 6.
8. Click the Apply button.

Manually Assigning WLANs to a Specific Radio. Select this option to alter the WLAN assignment on a specific radio.
3. Click the Edit button. The Network Setup > Radio > Assign Wireless Lans to Radios screen is displayed. (See Figure 4-12.)
Figure 4-12. Assigning WLANs to a Specific RP Radio
4. You can assign SSIDs either to the radio as a whole or to a specific BSSID.
6. Alternatively, you can assign a WLAN to a specific BSSID on the radio:
a. In the left area, Select Radio/BSS, select that BSSID.
b. Check the Assign box for each WLAN that you want to assign to the BSSID. You can select up to four WLANs, but as always, the beacons only include one.
Figure 4-13. Assigning WLANs to a BSSID on a Radio
c.
7. Click the Apply button, and then click the Close button. A screen such as that in Figure 4-14 is displayed; you can check your configuration in the Assigned WLAN area.
Figure 4-14.
Figure 4-15. Manually Assigning WLANs to an RP Radio
Figure 4-14 shows the Network Setup > Radio screen in which you would check this configuration. If you had assigned a fifth WLAN to the radio, then two SSIDs would be assigned to BSSID 1, and beacons would advertise only one of these SSIDs.
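The WLAN-to-BSSID relationships in this section, the fixed normal-mode mapping of Table 4-1 (with WLANs beyond the first four carried but not beaconed, which is why the guide calls them a partially closed system) and the advanced-mode limits for assigning WLANs to a radio as a whole, can be modelled in a few lines so a planned WLAN layout can be checked before it is applied. The code below is an added example written for this guide, not ProCurve software. Two points are the example's own assumptions, marked in the comments: when several WLANs land on one BSSID, it takes the lowest-indexed one as the beaconed SSID, and for a whole-radio assignment it spreads WLANs round-robin over BSSIDs 1 to 4 in the order given, which reproduces the guide's remark that a fifth WLAN shares BSSID 1 with the first. The "voice" classification label is also constructed for the example.

```python
# Added example (not ProCurve code): model of how WLANs map onto a radio's four
# BSSIDs, from Table 4-1 (normal mode) and the advanced-mode rules in this guide.
from collections import defaultdict

BSSIDS_PER_RADIO = 4          # each RP radio has four BSSIDs
MAX_WLANS_PER_BSSID = 4       # advanced mode: up to four WLANs per BSSID
NORMAL_MODE_MAX_WLAN = 16     # normal mode: WLANs 1 through 16 only


def normal_mode_bssid(wlan_index):
    """Fixed normal-mode mapping from Table 4-1: WLANs 1, 5, 9, 13 -> BSSID 1, etc."""
    if not 1 <= wlan_index <= NORMAL_MODE_MAX_WLAN:
        raise ValueError(f"normal mode supports WLANs 1-{NORMAL_MODE_MAX_WLAN}, got {wlan_index}")
    return (wlan_index - 1) % BSSIDS_PER_RADIO + 1


def plan_normal_mode(enabled_wlans, classification=None):
    """Return ({bssid: {"wlans": [...], "beaconed": wlan_or_None}}, warnings).

    classification maps a WLAN index to a label such as "voice"; unlisted
    WLANs count as "normal". Warnings flag WLANs that are carried but not
    beaconed and BSSIDs that mix voice with other traffic (the guide advises
    against mixing time-sensitive and bulk data on one BSSID).
    Assumption (not stated by the guide): the lowest-indexed WLAN on a BSSID
    is the one whose SSID is beaconed.
    """
    classification = classification or {}
    plan = {b: {"wlans": [], "beaconed": None} for b in range(1, BSSIDS_PER_RADIO + 1)}
    for w in sorted(enabled_wlans):
        plan[normal_mode_bssid(w)]["wlans"].append(w)

    warnings = []
    for b, entry in plan.items():
        if entry["wlans"]:
            entry["beaconed"] = entry["wlans"][0]
        for w in entry["wlans"]:
            if w != entry["beaconed"]:
                warnings.append(f"WLAN {w} on BSSID {b} is not beaconed (partially closed system)")
        classes = {classification.get(w, "normal") for w in entry["wlans"]}
        if "voice" in classes and len(classes) > 1:
            warnings.append(f"BSSID {b} mixes voice with other traffic: {entry['wlans']}")
    return plan, warnings


def assign_to_radio(wlan_indices):
    """Advanced mode, WLANs assigned to the radio 'as a whole'.

    Assumption: the module distributes them round-robin over BSSIDs 1-4 in the
    order given (a fifth WLAN shares BSSID 1 with the first, as the guide
    describes). Raises ValueError if any BSSID would exceed four WLANs.
    """
    per_bssid = defaultdict(list)
    for pos, w in enumerate(wlan_indices):
        per_bssid[pos % BSSIDS_PER_RADIO + 1].append(w)
    for b, wlans in per_bssid.items():
        if len(wlans) > MAX_WLANS_PER_BSSID:
            raise ValueError(f"BSSID {b} would carry {len(wlans)} WLANs; limit is {MAX_WLANS_PER_BSSID}")
    return dict(per_bssid)


if __name__ == "__main__":
    # Constructed sample layout: six WLANs enabled in normal mode, WLAN 5 is voice.
    plan, warnings = plan_normal_mode([1, 2, 3, 4, 5, 6], {5: "voice"})
    for bssid, entry in plan.items():
        print(f"BSSID {bssid}: WLANs {entry['wlans']}, beacons WLAN {entry['beaconed']}")
    for line in warnings:
        print("warning:", line)
    print(assign_to_radio([10, 11, 12, 13, 14]))
```

In the sample layout the planner reports that WLAN 5 (voice) shares BSSID 1 with WLAN 1 and is not beaconed; moving the voice WLAN to an index whose BSSID is otherwise unused, or to advanced mode with its own BSSID, removes both warnings.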
3. On the Network Setup > WLAN Setup screen, select the WLANs, and then click Enable.
4. Click the Global Settings button. The Global WLAN Settings screen is displayed.
5. Check the Advanced Configuration box, and then click the OK button.
6. If necessary, tailor the radio adoption default configurations:
7.
a. Select Network Setup > Radio Adoption Defaults and click the WLAN Assignment tab.
b.
You must check the WLAN assignment for all of the following configurations:
■ the radio adoption default configuration for 802.11a radios
■ the radio adoption default configuration for 802.11bg radios
■ the configuration for every RP radio adopted by your module
To disable advanced mode configuration, complete these steps:
1. Click Network Setup > WLAN Setup.
2. Click the Global Settings button.
Figure 4-17. Failing to Disable Advanced Configuration
Click the OK button. You can now either:
• check the WLAN assignments on all radios and default configurations, reassigning SSIDs to BSSIDs as described at the beginning of this section
• execute a forced disable by clicking the Yes button
Click the Yes button to force advanced mode to disable.
Configuring a WLAN
To configure a WLAN, you must set:
■ the SSID
■ the VLAN in which traffic will be forwarded
■ security options, which include:
• authentication method
• encryption option
Optionally, you can configure:
■ advanced settings for individual WLANs, which include:
• inter-station blocking
• closed system operations
• inactivity timeouts
■ global settings for all WLANs, which include:
• proxy Address Resolution Protocol (
Figure 4-18. Network Setup > WLAN Setup > Configuration Screen
As you can see in Figure 4-18, this screen displays the 256 WLANs that are available for configuration. Remember that in normal configuration mode, you can only configure WLANs 1 through 16. On the Wireless Edge Services zl Module, you do not create WLANs as such. The module has already created them; you configure options for and enable the WLANs.

■ Enabled—Indicates whether the WLAN has been enabled. The Wireless Edge Services zl Module does not deploy a WLAN configuration to RPs until you enable the WLAN. By default, all WLANs are disabled.
■ SSID—Displays the WLAN’s SSID. By default, this SSID simply indicates the WLAN’s index number. You will change this to a network name when you configure the WLAN.
■ Description—Describes the WLAN so that you can quickly see its purpose.

The screen illustrated in Figure 4-19 is displayed: this is the Edit screen for the selected WLAN. On this screen, you configure settings for your WLAN.
Figure 4-19. Editing a WLAN
In the Configuration section, you create the WLAN’s basic settings. Configure security standards in the Authentication and Encryption sections. If you choose an authentication option that requires a RADIUS server, the RADIUS Config...

Setting Basic Configuration Options: SSID and VLAN Interface
You must set the following options in the Configuration section of a WLAN’s Edit screen:
■ the SSID
The SSID identifies the WLAN; stations associated to the same SSID are in the same WLAN regardless of the RP radio to which they have associated.

To configure these options, follow these steps:
1. Access the Edit screen for the WLAN, as described in “Configuring a WLAN” on page 4-26.
2. Under Configuration, in the SSID field, enter the SSID that you have selected for this WLAN.
Figure 4-20. Configuring the SSID
When you enable the WLAN, the Wireless Edge Services zl Module automatically configures this SSID on all adopted RP radios (as long as you are using normal mode).

For example, if this WLAN provides network access for sales representatives in conference rooms, you could enter “Sales/Conference Rooms.” (This information is for reference only and is not sent to the RPs nor broadcast to wireless stations.)
4. In the VLAN ID field, specify the VLAN to which the module maps wireless traffic. The VLAN ID can be a value from 1 to 4096.
Figure 4-21. Setting the VLAN ID
5.
If the WLAN uses Web-Auth, set the DHCP lease for the WLAN’s static VLAN very low. This allows the station to request a new IP address in the dynamic VLAN after the user authenticates.
6. Continue configuring the WLAN. See “Configuring Security Options” on page 4-33. (Or click OK to apply the settings and close the Edit screen.
The Wireless Edge Services zl Module supports three types of authentication:
■ 802.1X Extensible Authentication Protocol (EAP)
■ Web authentication (Web-Auth)
■ Media Access Control (MAC) authentication
You configure authentication methods as part of each individual WLAN’s settings, and, as far as that WLAN is concerned, they are mutually exclusive. For example, a WLAN can require stations to authenticate using 802.

Figure 4-22. Enabling 802.1X Authentication
To configure 802.1X authentication for a WLAN, complete these steps:
1. Click Network Setup > WLAN Setup.
2. Select the WLAN and click the Edit button.
3. Under Authentication, select 802.1X EAP.
4. Optionally, click the Config button next to 802.

Figure 4-23. Specifying 802.1X EAP Settings
a. Enter a value in the Station Timeout field to control how long the module will wait for a station to authenticate itself. The Station Timeout can be from 1 to 60 seconds, and the default setting is 5 seconds.
b. Enter a value in the Station Retries field to control how many times the module will reissue a challenge to the station.

Figure 4-24. Radius Configuration Screen
6. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers. Enter settings for your primary server in the fields in the Primary column:
a. In the RADIUS Server Address field, specify the IP address of your network’s primary RADIUS server. To use the module’s internal server, enter 127.0.0.1.
b.

c. In the RADIUS Shared Secret field, enter a character string up to 127 characters. The RADIUS server uses the secret to identify the Wireless Edge Services zl Module as a legitimate client. You must match the secret configured for the module in your RADIUS server’s configuration. If you are using the module’s internal server, you do not need to enter a shared secret.
d.
7.
Web-Auth. Web-Auth allows wireless stations that do not support 802.1X to authenticate to a RADIUS server. Web-Auth is an easy-to-use option that is often selected for wireless networks that provide Internet or limited network access to a broad range of users. The instructions below simply guide you through the most basic Web-Auth settings.

3. Under Authentication, select Web-Auth.
Note
On the configuration screens that appear in this procedure, you can quickly get the WLAN running by completing these minimal steps. (Learn more about the process in Chapter 5: “Web Authentication for Mobile Users.”)
4. Click the Config button next to Web-Auth. The Web-Auth screen is displayed.
Figure 4-26.

5. On the Web-Auth screen, under Allow List, add the IP addresses that unauthorized stations are allowed to access. The Wireless Edge Services zl Module automatically handles traffic such as DHCP and Domain Name System (DNS) requests. Therefore, even if you do not add any IP addresses to the Allow list, Web-Auth using the internal pages functions correctly.
6. Leave other settings at their defaults and click the OK button.
7.

8. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers. Enter settings for your primary server in the fields in the Primary column:
a. In the RADIUS Server Address field, specify the IP address of your network’s primary RADIUS server. To use the module’s internal server, enter 127.0.0.1.
b. Leave the RADIUS Port field at the default value unless you know that your server uses a different port.

12. Optionally, enter a value in the DSCP/TOS field to prioritize traffic to the RADIUS server. Valid values range from 0 through 63.
13. Leave the other settings at their defaults and click the OK button.
14. You should now configure the encryption options. See “Configuring Encryption” on page 4-47.
MAC Authentication. The MAC Authentication option refers to RADIUS MAC authentication.

Figure 4-28. Enabling MAC Authentication
2. Under Authentication, select MAC Authentication.
3. This authentication option requires a RADIUS server to act as the authentication server. Click the Radius Config button at the bottom of the screen. The Radius Configuration screen is displayed.

Figure 4-29. Radius Configuration Screen for MAC Authentication
4. In the Radius Configuration screen, under Server, specify settings for your network’s RADIUS servers. Enter settings for your primary server in the fields in the Primary column:
a. In the RADIUS Server Address field, specify the IP address of your network’s primary RADIUS server. To use the module’s internal server, enter 127.0.0.1.

b. Leave the RADIUS Port field at the default value unless you know that your server uses a different port. The default value is 1812.
c. In the RADIUS Shared Secret field, enter a character string up to 127 characters. The RADIUS server uses the secret to identify the Wireless Edge Services zl Module as a legitimate client. You must match the secret configured for the module in your RADIUS server’s configuration.

9. In the MAC Address section, choose the format in which the Wireless Edge Services zl Module forwards the MAC address. The module sends the station’s MAC address as the username and the password in the RADIUS request. The username and password must match exactly those in the account against which the RADIUS server checks them. For example, if the account uses delimiters in the MAC address, the module must use delimiters in the same places.
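The following Python script is an added example, not part of this guide or of the module's software. It walks through the RADIUS mechanics behind the shared-secret step (c) and the MAC-address-format step (9) above: it renders a station MAC in a chosen delimiter style (the style names are this example's own, not the module's menu entries), hides it as the User-Password attribute the way RFC 2865 specifies, and verifies the server's Response Authenticator, which fails when the module and the server hold different secrets. The secret, Request Authenticator and account values are constructed sample data.

```python
"""RADIUS client mechanics behind MAC authentication (added example)."""
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def format_mac(mac: str, style: str) -> str:
    """Render a MAC in one delimiter style (style names are this example's own).
    The rendered string must match the RADIUS account byte for byte."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("MAC address must contain exactly 12 hex digits")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    styles = {
        "none": digits,                                             # 001122aabbcc
        "colon": ":".join(pairs),                                   # 00:11:22:aa:bb:cc
        "dash": "-".join(pairs),                                    # 00-11-22-aa-bb-cc
        "dot": ".".join(digits[i:i + 4] for i in range(0, 12, 4)),  # 0011.22aa.bbcc
    }
    if style not in styles:
        raise ValueError(f"unknown MAC style {style!r}")
    return styles[style]


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; a mismatched secret yields garbage."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(h ^ m for h, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier: int, request_auth: bytes, mac: str,
                         style: str, secret: bytes) -> bytes:
    """The module sends the MAC as both User-Name and (hidden) User-Password."""
    name = format_mac(mac, style).encode("ascii")
    attrs = attribute(ATTR_USER_NAME, name)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(name, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, identifier: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply signed with a different secret is discarded."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def mac_auth_round_trip(secret_on_module: bytes, secret_on_server: bytes) -> bool:
    """Simulate one MAC-authentication exchange; True only when the server
    recovers the expected password and the module can verify the reply."""
    request_auth = bytes(range(16))  # constructed; real clients use 16 random bytes
    account = b"00-11-22-aa-bb-cc"    # constructed account on the RADIUS server
    req = build_access_request(42, request_auth, "00:11:22:AA:BB:CC", "dash",
                               secret_on_module)
    attrs = parse_attributes(req)
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret_on_server, req[4:20])
    accepted = attrs[ATTR_USER_NAME] == account and password == account
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply = build_response(code, req[1], req[4:20], b"", secret_on_server)
    return verify_response(reply, request_auth, secret_on_module) and reply[0] == ACCESS_ACCEPT
```

`mac_auth_round_trip(b"s3cret", b"s3cret")` succeeds, while `mac_auth_round_trip(b"s3cret", b"wrong")` fails twice over: the server decodes a garbage password and the module rejects the reply's authenticator.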
Table 4-2 displays the names that this management and configuration guide uses for combinations of authentication and encryption options.
Table 4-2.

Note
By default, all WLANs use open-key authentication for WEP, which means that all stations can associate. However, the Wireless Edge Services zl Module quietly drops any incorrectly encrypted frames, ensuring that only stations that have the correct key can forward data and truly connect to the WLAN. An alternative to open-key authentication, shared-key authentication, has been denigrated because it leaks information about the WEP key.

Figure 4-30. Configuring WEP Encryption with No Authentication
2. Under Authentication, select No Authentication.
3. Under Encryption, check either the WEP 64 or WEP 128 box.
4. Click the corresponding Config button. The WEP 64 or WEP 128 screen is displayed.

Figure 4-31. Configuring a Static WEP Key
5. Specify the static key. The Wireless Edge Services zl Module provides several options for configuring static keys:
• It can automatically generate four hex keys from a manually entered pass key. Enter a string from 4 to 32 characters in the Pass Key field and click the Generate button.

The number of characters for the key depends on the WEP key length and on the format in which you enter the key. Table 4-3 summarizes these requirements.
Table 4-3. Key Length for Static WEP Keys
Key Length   Format        Characters
64-bit       Hexadecimal   10
64-bit       ASCII         5
128-bit      Hexadecimal   26
128-bit      ASCII         13
The key next to the selected circle (Key 1 in Figure 4-31) is the key that currently encrypts and decrypts data.

To configure this type of security for a WLAN, complete these steps:
1. Access the Edit screen for the WLAN that is to use dynamic WEP:
a. Select Network Setup > WLAN Setup and click the Configuration tab.
b. Select the WLAN and click the Edit button. The Edit screen is displayed. (See Figure 4-30.)
2. Enable 802.1X authentication and specify the RADIUS server. (See “802.1X EAP” on page 4-34.)
3.

Do not select the Config button to configure the WEP key; the RADIUS server automatically generates and sends the dynamic WEP keys to successfully authenticated users. If you click the Config button, the message in Figure 4-33 is displayed. The message does not indicate a problem: it simply informs you that you have completed all necessary steps for configuring encryption on this WLAN.
Figure 4-33.

Figure 4-34. Configuring WPA/WPA2 Encryption
Table 4-4 displays the types of stations supported by each option. It also lists which protocols each option uses to generate group (multicast and broadcast) keys and to generate pairwise (per-session) keys.

Table 4-4.

Figure 4-35. Advanced Options for WPA/WPA2
b. If you want, check the Broadcast Key Rotation box. Because all stations must use the same broadcast key, this key is clearly more vulnerable to hackers than the per-session keys. Periodically changing the broadcast key helps to protect your WLAN. By default, the Wireless Edge Services zl Module does not rotate the broadcast key.

Fast roaming speeds authentication to a new RP, which can be the most time-consuming phase of the roam, so it only applies to WLANs that use 802.1X authentication. Check these boxes to enable the Wireless Edge Services zl Module’s fast roaming capabilities:
– PMK Caching—The RP and the wireless station agree on a PMK identifier for their session, which each stores even after the station disassociates.
For more information on WPA/WPA2 encryption, see the introduction to “Configuring WPA/WPA2 with 802.1X” on page 4-54. To configure WPA/WPA2-PSK on a WLAN, complete these steps:
1. Access the Edit screen for the WLAN that is to use WPA/WPA2-PSK:
a. Select Network Setup > WLAN Setup and click the Configuration tab.
b. Select the WLAN and click the Edit button. The Edit screen is displayed. (See Figure 4-30.)
2.
Figure 4-36. Configuring a Key for WPA/WPA2 Encryption with No Authentication
b. Enter the preshared key. As always, you should select a key that conforms to the highest security standards. The longer the key and the more special characters it contains, the more secure it is. (The key must be at least 22 characters to withstand a brute force attack.

In the Update broadcast keys every field, you can enter any value from 60 seconds (one minute) through 86,400 seconds (one day). The shorter the rotation period, the more secure, but also the more overhead added by the key redistribution.
6. Click the OK button to apply your settings and close the WPA/WPA2 screen.
7. Click the OK button in the WLAN’s Edit screen to apply your settings.
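As an added example (not from this guide or the module's software), the Python script below checks a candidate preshared key against the 802.11i passphrase format and the 22-character minimum the guide recommends, then derives the 256-bit PSK the way WPA/WPA2-PSK does (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations). The SSID and passphrases used are constructed samples, apart from the "password"/"IEEE" test vector from the 802.11i standard; the three-character-class rule is this example's reading of the guide's advice about special characters.

```python
"""WPA/WPA2-PSK passphrase policy and PSK derivation (added example)."""
import hashlib

PSK_ITERATIONS = 4096  # fixed by IEEE 802.11i
PSK_BYTES = 32         # 256-bit PSK, used directly as the Pairwise Master Key


def format_errors(passphrase: str) -> list:
    """802.11i passphrase format: 8 to 63 printable ASCII characters."""
    errors = []
    if not 8 <= len(passphrase) <= 63:
        errors.append("length must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        errors.append("only printable ASCII characters are allowed")
    return errors


def policy_errors(passphrase: str, min_length: int = 22) -> list:
    """Format rules plus the guide's recommendation: at least 22 characters
    and a mix of character classes. An empty list means the key is acceptable."""
    errors = format_errors(passphrase)
    if len(passphrase) < min_length:
        errors.append(f"shorter than the {min_length}-character minimum")
    classes = (any(c.islower() for c in passphrase),
               any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(not c.isalnum() for c in passphrase))
    if sum(classes) < 3:
        errors.append("use at least three of lower case, upper case, digits, "
                      "and special characters")
    return errors


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is only a salt: it makes the PSK network-specific but adds no
    secrecy, because the SSID is broadcast. Passphrase length is what counts."""
    for error in format_errors(passphrase):
        raise ValueError(error)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PSK_BYTES)


def review_wlan_psk(ssid: str, passphrase: str) -> dict:
    """What an administrator would want to know before clicking OK on the
    WPA/WPA2 screen: the policy verdict and the key the RPs will actually use."""
    problems = policy_errors(passphrase)
    psk_hex = None
    if not format_errors(passphrase):
        psk_hex = derive_psk(passphrase, ssid).hex()
    return {"ssid": ssid, "acceptable": not problems,
            "problems": problems, "psk_hex": psk_hex}
```

`review_wlan_psk("Sales", "Conf-Room.Sales#2007!Wireless")` reports the key as acceptable, while `review_wlan_psk("Sales", "password")` still derives a PSK but lists the length and character-class problems.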
Configuring Encryption for a WLAN that Uses Web-Auth. Web-Auth occurs after a station connects to the WLAN and, by itself, provides no encryption. To protect the users’ data within the wireless network, you can add WEP or WPA/WPA2 encryption. In this case, users must first enter a WEP or WPA key to connect to the WLAN. Then, when they attempt to access a Web site, they must submit their username and password for Web-Auth.

You will learn how to configure other advanced settings, which deal with QoS capabilities, in “Traffic Management (QoS)” on page 4-89.
Controlling Inter-Station Traffic
Often, a wireless network serves simply to connect mobile users to your Ethernet network or to the Internet.

2. In the Inter-station Traffic drop-down menu under Advanced, choose how the module treats inter-station traffic:
• Drop packets
• Allow Packets
• Forward through switch
The default setting is to allow inter-station traffic.
Figure 4-37. Controlling Inter-Station Traffic
3. Click the OK button.
Remember that this setting applies to a WLAN; it does not apply to an RP as a whole, which might associate with stations in several WLANs. If you want to prevent the Wireless Edge Services zl Module from forwarding traffic between wireless stations in different WLANs, you must configure this option for both WLANs.
Note
Remember to consider whether RPs must forward traffic between devices such as Voice-over-WLAN (VoWLAN) phones.
Figure 4-38. Enabling Closed System
2. In the Advanced section, check the Closed System box.
3. Uncheck the Answer Broadcast ESS box to prevent RPs from telling wireless stations the SSID in response to probes.
4. Click the OK button.

Configuring the Inactivity Timeout
Users do not always bother to disconnect from wireless connections when they turn off or leave their stations. Although the user is no longer truly connected, the Wireless Edge Services zl Module continues to store the station’s association. On an RP nearing its maximum number of stations, an unterminated association can prevent a new station from connecting to the wireless network.
Figure 4-39. Setting the Inactivity Timeout
2. Under Advanced, in the Inactivity Timeout field, enter a value from 60 seconds (one minute) through 86400 seconds (one day). The default timeout is 1800 seconds (30 minutes). In Figure 4-39, the administrator has lowered the timeout to 300 seconds (five minutes).
3. Click the OK button.
You can configure the module to use these types of accounting:
■ syslog—The Wireless Edge Services zl Module forwards logs about stations in this WLAN to a syslog server.
■ RADIUS—The Wireless Edge Services zl Module sends messages to a RADIUS accounting server when a station connects or disconnects and, optionally, at intervals throughout the connection.
Figure 4-40. Enabling Syslog Accounting on a WLAN
3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Syslog.
4. Click the Syslog Config button. The Accounting screen is displayed.

Figure 4-41. Specifying the Syslog Server
5. In the Syslog Server IP field, specify the Syslog server’s IP address.
6. In the Syslog Server Port field, enter your server’s UDP port or keep the default 514.
7. Click the OK button.
8. In the WLAN’s Edit screen, click the OK button.
9. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.

Figure 4-42. Enabling RADIUS Accounting for a WLAN
3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Radius. Users must authenticate to a RADIUS server for RADIUS accounting to function. Select 802.1X EAP, Web-Auth, or MAC Authentication for the authentication method.
4. Click the Radius Config button. The Radius Configuration screen is displayed.

Figure 4-43. Specifying the Accounting Server in the Radius Configuration Screen
To enforce RADIUS accounting, the WLAN must use 802.1X authentication, Web-Auth, or MAC authentication for the Authentication mode.
5. Configure settings for the primary accounting server in the Primary column of the Accounting section.
a. Specify the server’s IP address in the Accounting Server Address field.

c. In the Accounting Shared Secret field, enter a string up to 127 characters long. (The string can include alphanumeric and special characters.) The accounting server uses the shared secret to verify that reports are from a legitimate source. The key you specify must match the key configured for the module in the accounting server’s client configurations. If you are using the module’s internal server, you don’t need to specify a key.
6.

11. Click the OK button.
12. In the WLAN’s Edit screen, click the OK button.
13. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.

Figure 4-44. Global WLAN Settings Screen
3. Check the boxes for the features that you want to enable.
Note
The Advanced Configuration selection refers to how SSIDs are assigned to RP radios; see “Advanced Mode Configuration” on page 4-11.
4. Click the OK button.
Enabling the WLAN
RPs in your wireless network will not support the WLAN until you enable it. To enable the WLAN, complete these steps:
1.

Figure 4-45. Enabling a WLAN
As long as you are operating in normal mode, all radios on all RPs that the Wireless Edge Services zl Module has adopted or will adopt support the enabled WLANs. You can confirm that RPs are actually supporting the enabled WLANs by selecting Network Setup > Radio and checking the WLAN Assignment tab. Select an RP radio to view which SSIDs are mapped to that radio’s BSSIDs.

Figure 4-46. Viewing the WLANs Assigned to Radios in the Default Configuration
The radio supports all five WLANs. However, some of the WLANs share a BSSID. For example, when BSS 1 is selected in the section on the left, the section on the right shows the two WLANs that share this BSSID. See Figure 4-47.

Figure 4-47. Viewing the WLANs Assigned to a BSSID in the Default Configuration
To review how the Wireless Edge Services zl Module assigns WLANs to RP radios, see “Normal Mode Configuration” on page 4-4.

VLAN Assignment
The instructions for configuring a WLAN include the basic mechanics for assigning all traffic from a WLAN to a VLAN. This section will explain in more depth when and why you would assign one WLAN to one VLAN and another WLAN to another VLAN.

users. On the other hand, you might tag the port for the wired VLANs (depending on whether the module has VLAN interfaces for those VLANs or simply knows routes to them). The Wireless Edge Services zl Module determines the VLAN to which to assign incoming wireless traffic based on one of two criteria:
■ the wireless user’s identity
■ the wireless station’s WLAN
You configure WLAN-based VLAN assignments manually.

WLAN-Based VLAN Assignment
You configure WLAN-based VLAN assignment by manually assigning the WLAN to a VLAN. Typically, you complete this step at the same time that you configure the SSID and security settings, as described in “Setting Basic Configuration Options: SSID and VLAN Interface” on page 4-30 and as shown in Figure 4-49.
Figure 4-49.

Figure 4-50. Network Setup > WLAN Setup > VLAN Assignment Screen
In the first two columns, the Network Setup > WLAN Setup > VLAN Assignment screen shows this information for each WLAN:
■ Description (if configured)
■ SSID
All the VLANs to which at least one WLAN has been assigned compose the subsequent columns, as shown in Figure 4-50. The check mark indicates to which interface the WLAN has been assigned.

See “Identity-Based, or Dynamic, VLAN Assignment” on page 4-87 for an explanation of how the Wireless Edge Services zl Module can dynamically match WLAN traffic to multiple VLANs.
Considerations for WLAN-Based VLAN Assignment
By default, all WLANs are mapped to VLAN 1. In some networks that use multiple VLANs, this VLAN is reserved for the management VLAN.

■ Who will be connecting to this WLAN?
• Guests—In this case as well, you could assign the WLAN to a VLAN reserved for wireless users. Network administrators could then control traffic from that VLAN appropriately—for example, limiting wireless users to Internet access or to certain network servers.
Note
When the Wireless Edge Services zl Module places traffic in a VLAN, it tags it for that VLAN. You must remember to tag the module’s uplink port for each VLAN to which you manually assign a WLAN. (For more on configuring the wireless services-enabled switch, see the Wireless Edge Services zl Module Supplement to the ProCurve 6200yl/5400zl/3500yl Management and Configuration.
Identity-Based, or Dynamic, VLAN Assignment
The Wireless Edge Services zl Module can also divide traffic from wireless users into VLANs based on those users’ identities.

5. On the RADIUS server, configure users’ VLAN assignments.
a. See “Creating a Group” on page 11-12 in Chapter 11: “RADIUS Server” to learn how to configure VLAN assignments on the Wireless Edge Services zl Module’s internal RADIUS server.
b. One of the easiest ways to configure the assignment on an external server itself is via an Identity Driven Management (IDM) agent installed on the server.

Traffic Management (QoS)
Contemporary users demand more from wireless connections—more bandwidth and more multimedia applications—but they also demand less jitter and fewer dropped calls. The ProCurve Wireless Edge Services zl Module helps RPs to deliver a high QoS for voice, video, and other high-priority or time-sensitive traffic.
Figure 4-52. QoS Mechanisms Supported by the Wireless Edge Services zl Module
SVP
SVP maintains a high QoS specifically for VoWLAN devices that are SVP-capable. SVP is implemented in wireless phones, wireless APs, and SpectraLink servers. This IEEE 802.

The Wireless Edge Services zl Module can configure RPs to support SVP—that is, to recognize SVP frames, place them in priority queues, and transmit them with a zero backoff time. If your network includes a SpectraLink server and SVP-capable phones, you should enable this support in the WLAN that includes these phones. To enable SVP support, complete these steps:
1. Access the Edit screen for the WLAN that includes voice devices:
a.
Prioritization with WMM
WMM improves QoS by dividing traffic into priority queues, one for each of four access categories (ACs). The higher the AC, the higher the QoS the traffic requires. The Wireless Edge Services zl Module can use WMM to prioritize the following traffic:
■ traffic sent from RP radios to wireless stations
■ traffic sent from wireless stations to RP radios
Priority Queuing and ACs.

Table 4-8. Priority Values for WMM ACs
Queue Number   AC            802.1p Priority   DSCP
1              Background    1, 2              8-23
2              Best Effort   0, 3              0-7, 24-31
3              Video         4, 5              32-47
4              Voice         6, 7              48-63
By default, the module uses 802.1p priority to place traffic in a queue. You can choose DSCP instead; see “Customizing Station WMM Parameters” on page 4-102.
Priority Queuing on Traffic Transmitted from RPs to Wireless Stations.
Figure 4-53. Using WMM to Prioritize Traffic Transmitted from RPs to Wireless Stations
Priority Queuing on Traffic Transmitted from Wireless Stations to RPs. Only when you enable WMM on a WLAN do WMM-enabled stations also implement priority queuing on traffic they transmit. RPs broadcast station WMM parameters throughout the WLAN. WMM-enabled stations queue traffic according to 802.

Figure 4-54. Using WMM to Prioritize Traffic Transmitted From Wireless Stations to RPs
Note that the station WMM parameters can differ from the RP WMM parameters.
Enabling WMM on a WLAN
Enabling WMM on a WLAN enables the following:
■ RP radios use QoS marks (802.1p, by default) to queue traffic destined to stations in this WLAN. Radios grant better QoS to high priority queues by using different parameters to transmit traffic in those queues.
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Enable WMM Figure 4-55. Enabling WMM on a WLAN 2. Under Advanced, in the Access Category drop-down menu, select Automatic/WMM. 3. Click the OK button. The next section explains how to make some advanced configurations for WMM.
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Changing the Protocol that Prioritizes Traffic and Enabling Admission Control As discussed earlier, when you enable WMM, wireless devices queue frames according to QoS marks. The default protocol for the QoS mark is 802.1p. However, you can change the protocol to DSCP by accessing advanced WMM parameters. Another advanced WMM parameter is admission control, a feature available for Video and Voice queues.
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-56. Station EDCA (WMM) Parameters 2. 4-98 Select the queue for which you want to alter the settings, and then click the Edit button. The Edit WMM screen is displayed.
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-57. Editing Station EDCA (WMM) Parameters 3. Select the prioritization protocol used by your wireless stations: • 802.1p is a Layer 2 protocol that marks traffic in the VLAN tag for one of eight priorities. • DSCP is a Layer 3 protocol that marks traffic in the IP header for one of 64 priorities. Wireless devices queue frames according to the priority marked by the selected protocol. For example, if you select 802.
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Note If you change the protocol for one queue, the setting automatically changes in the other three queues for the WLAN; in other words, the setting applies to the WLAN as a whole. (It does not make sense to use 802.1p to queue some traffic, but queue other traffic according to DSCP.) 4. To restrict the number of stations allowed to use the settings for this queue, check the Admission Control box and enter a value from 1 to 255.
Wireless Local Area Networks (WLANs) Traffic Management (QoS) Figure 4-58. Station WMM Parameters Figure 4-58 shows the default settings for WMM queues. As you can see, each WLAN has its own four queues. This is because RPs broadcast one set of station parameters to all stations in a WLAN. They can broadcast another set of station parameters to all stations in another WLAN (if that WLAN uses WMM). The Idx column lists the WLAN and the queue number.
Wireless Local Area Networks (WLANs) Traffic Management (QoS) A green check mark in the WLAN Enabled column indicates that RPs in your network currently support this WLAN; a green check mark in the WMM Enabled column indicates that RPs are allowed to send the WMM parameters to stations (Access Category is Automatic/WMM.) In Figure 4-58, four WLANs are active and enabled. However, only two (MyWLAN and Test) implement WMM prioritization on wireless station to RP traffic.
Figure 4-59. Station WMM Parameters

2. Select the queue whose settings you want to alter, and then click the Edit button. The Edit WMM screen is displayed.

Figure 4-60. Editing Station EDCA (WMM) Parameters

3. View the SSID and Access Category settings to verify that you are configuring the correct queue. In Figure 4-60, the Best Effort queue (queue 1) in MyWLAN is being customized.
4. Enter the desired values in the AIFSN, Transmit Ops, CW Minimum, and CW Maximum fields. The values for AIFSN and Transmit Ops are in ms.

Again, take great care in establishing these settings. ProCurve Networking cannot guarantee any behavior. However, you can keep these tips in mind:
• The lower the AIFSN and CW Minimum values, the lower the latency for traffic in the queue and, in a congested network, the higher the throughput.
• In a congested network, raising the AIFSN or CW Minimum of low-priority queues can improve QoS for high-priority traffic.
Like other radio settings, you can alter:
■ the WMM queue parameters that the Wireless Edge Services zl Module sends to newly adopted radios
■ the WMM queue parameters used by particular radios

To customize the RP WMM parameters, complete these steps:
1.
2.

Figure 4-61. Network Setup > Radio > WMM Screen

3. To change the parameters for a particular queue, select the queue and click the Edit button. The Edit WMM screen is displayed.

Figure 4-62. Edit WMM Screen for Radio 1’s Voice AC

4. To change the AIFSN value, enter a new value between 0 and 15 in the AIFSN field. This value is in ms.
5. To change the Transmit Ops value, enter a new value between 0 and 65,535 in the Transmit Ops field. This value is in ms.
6. To change the CW Min, enter a new value between 0 and 15 in the CW Minimum field. The CW Min is 2 to the power of this value, minus 1, in ms.
Table 4-9. Priority Values for WMM ACs

Queue Number | AC          | 802.1p Priority | DSCP
1            | Background  | 1, 2            | 8-23
2            | Best effort | 0, 3            | 0-7, 24-31
3            | Video       | 4, 5            | 32-47
4            | Voice       | 6, 7            | 48-63

The mapping of priority value to AC occurs as traffic is prepared for transmission in a WLAN.
Figure 4-63. Customizing QoS Mappings

3. Use the Access Category to 802.1p section to configure the Wireless Edge Services zl Module to mark incoming wireless traffic with a QoS value for priority handling in the wired network. Click a field in the 802.1p Prioritization column, and then enter a value between 0 and 7. The module marks traffic that arrives in this AC with this 802.1p value.
4. If you are using 802.

5. If you are using DSCP to prioritize traffic in at least one WLAN, configure the QoS mappings in the DSCP to Access Category section. To select the AC to which a particular DSCP value maps, click the Access Category column in the row for that value. Then choose Best Effort, Background, Video, or Voice from the drop-down menu.
6. Click the OK button.
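The Table 4-9 defaults and the step 5 customization, as an added Python example that is not part of the manual: it pulls the 802.1p priority out of a frame's VLAN tag and the DSCP out of its IPv4 header, picks the AC for the WLAN's selected protocol, and shows DSCP 46 moving from Video to Voice once the mapping is customized. The constructed frame layout, the made-up addresses, and the Best effort fallback for unmarked frames are assumptions.

```python
"""Constructed example (not from the manual): classify frames into WMM access
categories (ACs) with the Table 4-9 defaults, then apply a customized
DSCP-to-AC mapping as described in step 5."""
import struct
from typing import Dict, Optional, Tuple

# Queue numbers per AC, from Table 4-9.
AC_QUEUE = {"Background": 1, "Best effort": 2, "Video": 3, "Voice": 4}

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def default_8021p_map() -> Dict[int, str]:
    """802.1p priority -> AC (Table 4-9)."""
    return {1: "Background", 2: "Background", 0: "Best effort", 3: "Best effort",
            4: "Video", 5: "Video", 6: "Voice", 7: "Voice"}


def default_dscp_map() -> Dict[int, str]:
    """DSCP -> AC (Table 4-9): 8-23 Background, 0-7 and 24-31 Best effort,
    32-47 Video, 48-63 Voice."""
    mapping = {}
    for dscp in range(64):
        if 8 <= dscp <= 23:
            mapping[dscp] = "Background"
        elif 32 <= dscp <= 47:
            mapping[dscp] = "Video"
        elif 48 <= dscp <= 63:
            mapping[dscp] = "Voice"
        else:
            mapping[dscp] = "Best effort"
    return mapping


def parse_priorities(frame: bytes) -> Tuple[Optional[int], Optional[int]]:
    """Return (802.1p priority, DSCP) carried by an Ethernet frame; None if absent."""
    if len(frame) < 14:
        return None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, pcp = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None, None
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13                    # top 3 bits of the TCI: one of eight priorities
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        dscp = frame[offset + 1] >> 2      # top 6 bits of the IPv4 TOS byte: one of 64 values
    return pcp, dscp


def classify(frame: bytes, protocol: str,
             p8021_map: Optional[Dict[int, str]] = None,
             dscp_map: Optional[Dict[int, str]] = None) -> Tuple[str, int]:
    """Pick the AC and queue number using the WLAN's selected protocol.
    Assumption (not stated in the manual): frames with no usable mark go to Best effort."""
    pcp, dscp = parse_priorities(frame)
    if protocol == "802.1p":
        mapping, value = (p8021_map or default_8021p_map()), pcp
    elif protocol == "DSCP":
        mapping, value = (dscp_map or default_dscp_map()), dscp
    else:
        raise ValueError("protocol must be '802.1p' or 'DSCP'")
    ac = mapping.get(value, "Best effort") if value is not None else "Best effort"
    return ac, AC_QUEUE[ac]


def build_frame(dscp: int, pcp: Optional[int] = None, vlan_id: int = 10) -> bytes:
    """Constructed sample frame: Ethernet header (optionally 802.1Q-tagged) plus a
    minimal 20-byte IPv4 header carrying the given DSCP. MAC addresses are made up."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if pcp is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | vlan_id)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = bytes([0x45, dscp << 2]) + struct.pack("!H", 20) + b"\x00" * 16
    return eth + ipv4


def customized_dscp_map() -> Dict[int, str]:
    """Step 5 applied: the default table puts DSCP 46 (EF, the usual voice mark)
    in the 32-47 Video range; this customization moves it to Voice."""
    mapping = default_dscp_map()
    mapping[46] = "Voice"
    return mapping


if __name__ == "__main__":
    voice = build_frame(dscp=46, pcp=6)
    print(classify(voice, "802.1p"))                                # ('Voice', 4)
    print(classify(voice, "DSCP"))                                  # ('Video', 3) with the defaults
    print(classify(voice, "DSCP", dscp_map=customized_dscp_map()))  # ('Voice', 4)
```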
Figure 4-64. Setting a WLAN’s AC

2. Choose the name of an AC from the Access Category drop-down menu in the Advanced section.

Enabling Prioritization of Voice Traffic

Voice prioritization improves the QoS for traffic destined to VoWLAN devices. The Wireless Edge Services zl Module configures RPs to monitor all packets from stations in a WLAN; if the IP type in a packet’s header indicates that it is a voice packet, the module marks all traffic destined to the packet’s source as high-priority voice packets.

Figure 4-65. Setting the Multicast Address (callout: Set the multicast address for voice traffic)

3. Under Advanced, in the MCast Addr 1 field, enter the address for voice traffic.
4. If you want, enter a second address in the MCast Addr 2 field.
5. Click the OK button.
5 Web Authentication for Mobile Users

Contents
Overview . . . 5-2
The Web-Auth Process . . . 5-3
Authentication Through a RADIUS Server . . . 5-5
Web Pages for the Login Process . . . 5-6
Allow List . . .
Web Authentication for Mobile Users

Overview

With the ProCurve Wireless Edge Services zl Module, you can require mobile users to authenticate by entering their login credentials on a Web page. Like other authentication methods, Web authentication (Web-Auth) is verified through a Remote Authentication Dial-In User Service (RADIUS) server. You can use Web-Auth to provide limited network services for mobile users who visit your company’s office.

The Web-Auth Process

To provide limited network access to mobile users through Web-Auth, you set up a Dynamic Host Configuration Protocol (DHCP) server and instruct the users to configure their stations to receive a dynamic IP address from this server. (This DHCP server can be an external server or the Wireless Edge Services zl Module’s internal server.

After a station successfully receives an IP address and associates with the WLAN, the station enters the Web-Auth state. (See Figure 5-2.) In this state, the station can access only the network devices that you have added to the Web-Auth Allow list. This list includes the IP address of any device that you want unauthenticated users to be able to access.

Figure 5-2. The Web-Auth Process

Authentication Through a RADIUS Server

To allow mobile users to access the Internet and selected services on your company’s network, you configure Web-Auth as the authentication method for a WLAN and define a RADIUS server that verifies each user’s login credentials. You can specify both a primary RADIUS server and a secondary RADIUS server, ensuring high availability.
Web Pages for the Login Process

To enable authentication through the Web, the Wireless Edge Services zl Module provides three default Web pages that guide users through the login process:
■ Login page—When users associate with a WLAN that is configured for Web-Auth and try to access a valid Web site, their Web browser is redirected to the login page, and they are prompted to enter a username and password. (See Figure 5-3.)

Figure 5-3.

Figure 5-4. Default Welcome Page

■ Failed page—If users do not enter a valid username and password on the login page, the failed page is displayed. This page includes a link back to the Login screen. (See Figure 5-5.)

Figure 5-5. Default Failed Page

You can use the default Web pages as they are, or you can modify them for your environment. You can change the text that displays and add your organization’s logo.

Table 5-1 shows the location of these pages in the Wireless Edge Services zl Module’s file system. When you enable Web-Auth and choose to use these pages, the OS copies them to a directory for that WLAN. For example, if you use Web-Auth on WLAN 1, the login page is saved as flash:/hotspot/wlan1/login.html. In Table 5-1, X indicates the WLAN’s index number.

Table 5-1.

The Wireless Edge Services zl Module automatically permits certain station traffic, even when the destination is not on the Allow list:
■ DHCP requests—The station must receive an IP address before it can access the Web login page and authenticate.
■ Domain Name System (DNS) requests—The station must attempt to reach a valid IP address in order for the Wireless Edge Services zl Module to redirect the browser to the login page.
Configuring Web-Auth

Note
The Wireless Edge Services zl Module automatically allows unauthenticated stations access to the IP address on the static VLAN for the Web-Auth WLAN. (Such access is necessary for the stations to complete Web-Auth.) Even though management access to the module is protected by a password, you might want to protect such access further. Make sure to assign the Web-Auth WLAN to a different VLAN than the module’s management VLAN.
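The Web-Auth state described in the Overview and the Note above, as an added Python model that is not the module's own code: it decides what a station may do before and after a RADIUS-verified login, keeps the ten-entry Allow list with 0.0.0.0 placeholders, and includes the VLAN separation check from the Note. The port numbers used for DHCP, DNS and HTTP, the dictionary-backed stand-in for the RADIUS servers, and all addresses are assumptions.

```python
"""Constructed example (not from the manual): what a station in the Web-Auth
state may send, and the move to the authenticated state after the RADIUS
server accepts the login. Ports, addresses and the stand-in RADIUS check
are assumptions made for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

EMPTY_SLOT = "0.0.0.0"        # unused Allow-list entries are shown as 0.0.0.0
MAX_ALLOW_ENTRIES = 10        # the Allow list holds up to 10 IP addresses


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                # "udp" or "tcp"
    dst_port: int


class StandInRadius:
    """Stand-in for the primary/secondary RADIUS servers; a real deployment
    sends Access-Request messages instead of consulting a dictionary."""
    def __init__(self, users: Dict[str, str]):
        self._users = users

    def accepts(self, username: str, password: str) -> bool:
        return self._users.get(username) == password


@dataclass
class WebAuthWlan:
    wlan_vlan: int
    module_ip_on_wlan_vlan: str       # module address on the WLAN's static VLAN
    allow_list: List[str] = field(default_factory=lambda: [EMPTY_SLOT] * MAX_ALLOW_ENTRIES)
    authenticated: Set[str] = field(default_factory=set)

    def set_allow_entry(self, slot: int, ip: str) -> None:
        """Replace one of the ten 0.0.0.0 slots with a device address."""
        if not 0 <= slot < MAX_ALLOW_ENTRIES:
            raise ValueError("the Allow list has only %d slots" % MAX_ALLOW_ENTRIES)
        self.allow_list[slot] = ip

    def decide(self, pkt: Packet) -> str:
        """Return 'forward', 'redirect-to-login' or 'drop' for a station's packet."""
        if pkt.src_ip in self.authenticated:
            return "forward"
        # Always permitted before authentication: DHCP, DNS, the module's own
        # address on the WLAN's VLAN, and any device on the Allow list.
        if pkt.proto == "udp" and pkt.dst_port in (67, 53):
            return "forward"
        if pkt.dst_ip == self.module_ip_on_wlan_vlan:
            return "forward"
        if pkt.dst_ip != EMPTY_SLOT and pkt.dst_ip in self.allow_list:
            return "forward"
        # A Web request to any other site is redirected to the login page
        # (assumption: plain HTTP on port 80 is what gets redirected).
        if pkt.proto == "tcp" and pkt.dst_port == 80:
            return "redirect-to-login"
        return "drop"

    def login(self, src_ip: str, username: str, password: str,
              radius: StandInRadius) -> str:
        """Return the page the user lands on: 'welcome' or 'failed'."""
        if radius.accepts(username, password):
            self.authenticated.add(src_ip)
            return "welcome"
        return "failed"


def vlan_separation_ok(webauth_vlan: int, management_vlan: int) -> bool:
    """The Note above: keep the Web-Auth WLAN off the module's management VLAN,
    since unauthenticated stations can reach the module's address on that VLAN."""
    return webauth_vlan != management_vlan


def demo() -> List[str]:
    """Walk one constructed station through the Web-Auth state."""
    wlan = WebAuthWlan(wlan_vlan=20, module_ip_on_wlan_vlan="10.20.0.1")   # constructed
    wlan.set_allow_entry(0, "10.20.0.50")          # e.g. an external Web server
    radius = StandInRadius({"visitor": "s3cret"})  # constructed credentials
    station = "10.20.0.101"
    results = [
        wlan.decide(Packet(station, "10.20.0.1", "udp", 67)),      # DHCP
        wlan.decide(Packet(station, "10.20.0.2", "udp", 53)),      # DNS
        wlan.decide(Packet(station, "10.20.0.50", "tcp", 80)),     # Allow-list device
        wlan.decide(Packet(station, "203.0.113.10", "tcp", 80)),   # some Web site
        wlan.decide(Packet(station, "203.0.113.10", "tcp", 22)),   # non-Web traffic
    ]
    wlan.login(station, "visitor", "wrong", radius)                 # failed page
    results.append(wlan.decide(Packet(station, "203.0.113.10", "tcp", 80)))
    wlan.login(station, "visitor", "s3cret", radius)                # welcome page
    results.append(wlan.decide(Packet(station, "203.0.113.10", "tcp", 22)))
    return results


if __name__ == "__main__":
    print(demo())
    print(vlan_separation_ok(20, 1))
```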
Configuring Basic Options and Accessing the Web-Auth Screen

To configure a WLAN to use Web-Auth, complete these steps:
1. Select Network Setup > WLAN Setup > Configuration.

Figure 5-6.

2. Select the WLAN that you want to use Web-Auth, and then click the Edit button. The Edit screen is displayed.

Figure 5-7. WLAN Edit Screen

3. Under Configuration, enter an SSID for this WLAN in the SSID field.
4. In the Description field, you can enter information that will help you identify this WLAN. This field is optional.
5. By default, the Wireless Edge Services zl Module places all wireless traffic in VLAN 1.

Note
For more information about configuring SSIDs, VLANs, and advanced configuration options, such as interstation blocking and voice prioritization, see Chapter 4: “Wireless Local Area Networks (WLANs).”

6. Under Authentication, select Web-Auth.
7. Click the Radius Config button at the bottom of the screen. The Radius Configuration screen is displayed.

Figure 5-8.

8. In the fields in the Server area, define the primary RADIUS server under the Primary heading.
   a. In the RADIUS Server Address field, enter the IP address of the RADIUS server that authenticates users. Enter 127.0.0.1 if you are using the Wireless Edge Services zl Module’s internal RADIUS server.
   b. In the RADIUS Port field, leave the port number at the default value (1812) unless your RADIUS server uses a different port.
   c.
Figure 5-9. Configuring the Login Page

15. Select the location for the Web-Auth Web pages from the drop-down menu at the top of the screen. You can select one of three options for these Web pages:
   • Internal—three default pages stored on the Wireless Edge Services zl Module
   • External—three pages stored on an external Web server
   • Advanced—pages that you have loaded onto the Wireless Edge Services zl Module’s flash memory
16.

Configuring Internal Web-Auth Pages

At its factory default settings, the Wireless Edge Services zl Module includes three pages for Web-Auth. See “Web Pages for the Login Process” on page 5-6 for descriptions and illustrations of these default pages. You can customize the text and add your company’s logo to the default pages. Follow these steps:

Note

1. Complete the steps described in “Configuring Web-Auth” on page 5-10.
2.

Figure 5-10. Displaying a Small Logo on the Web-Auth Login Page (callouts: Header text; Descriptive text; The small logo displays beneath the Log in button; Footer text)

   e. In the Main Logo URL field, enter the name of a logo file to include a logo at the top of the login page. (See Figure 5-11.) You must copy this logo to the flash on the Wireless Edge Services zl Module.

Figure 5-11. Displaying the Main Logo on the Web-Auth Login Page (callouts: The main logo is displayed at the top of the page; Header text; Descriptive text; Footer text)

4. Configure the welcome page, which mobile users see if they enter a valid username and password and the RADIUS server authenticates them.
   a. Click the Welcome tab. (See Figure 5-12.
Figure 5-12. Configuring the Welcome Page

   b. In the Title Text field, accept the default text shown on the screen, or enter the text that you want to use.
   c. In the Header Text field, accept the default text shown on the screen, or enter the text that you want users to see when they log in. (See Figure 5-13.)

Note
If you customize the Header Text, Footer Text, or Descriptive Text fields, you can enter a maximum of 1,024 characters.

   d.
   e. In the Small Logo URL field, enter the name of a logo file to include a small logo on the welcome page. (See Figure 5-13.) You must copy this logo to the flash on the Wireless Edge Services zl Module. (For instructions on how to copy the logo file to flash, see “Copying Logo Files to the Module’s Flash” on page 5-33.

Figure 5-14. Displaying the Main Logo on the Web-Auth Welcome Page (callouts: The main logo is displayed at the top of the page; Header text; Descriptive text; Disconnect link; Duration of the connection)

5. Configure the failed page, which mobile users see if they enter an invalid username and password.
   a. Click the Failed tab. (See Figure 5-15.

Figure 5-15. Configuring the Failed Page

   b. In the Title Text field, accept the default text shown on the screen, or change the text as needed.
   c. In the Header Text field, accept the default text shown on the screen, or enter the text that you want users to see if they fail to log in. (See Figure 5-16.)

Note
If you customize the Header Text, Footer Text, or Descriptive Text fields, you can enter a maximum of 1,024 characters.

   d.
   e. In the Small Logo URL field, enter the name of a logo file to include a small logo on the failed page. (See Figure 5-16.) You must copy this logo to the module’s flash. (For instructions on how to copy the logo file to flash, see “Copying Logo Files to the Module’s Flash” on page 5-33.)

Figure 5-16. (callouts: Header text; Descriptive text; Link to the login page; The small logo is displayed above the footer; Footer text)

Figure 5-17. Displaying the Main Logo on the Web-Auth Failed Page (callouts: The main logo is displayed at the top of the page; Header text; Descriptive text; Link to the login page; Footer text)

6. Configure the Allow list as described in “Configuring the Allow List” on page 5-28.

Configuring Web-Auth to an External Web Server

The Wireless Edge Services zl Module can implement Web-Auth using pages stored on an external Web server.
Figure 5-18. Specifying the URL for Web-Auth Pages That Are Stored on an External Web Server

4.
5. Under External Web Pages, specify the correct URL for each page.
   a. In the Login Page URL field, specify the URL of the login page, which users see when they try to access a Web site. For example, you might enter a URL such as http://192.168.1.1/login.html or http://www.yourcompany.com/login.html.
   b.

Loading Custom Pages onto the Wireless Edge Services zl Module’s Internal Server (Advanced)

As discussed earlier, the Wireless Edge Services zl Module can act as the Web server for Web-Auth. As an alternative to using the module’s default (preconfigured) Web-Auth pages, you can load your own pages onto the module. This advanced option gives you greater freedom in designing your Web pages than simply customizing the text on the default pages.

Figure 5-19. Configuring Advanced Web-Auth

5. In the File field, enter the name of the directory that contains the custom Web pages.
6. Select the type of server that stores the directory (FTP or TFTP) from the Using drop-down menu.
7. Enter the server’s IP address and port in the IP Address and Port fields. The default port for FTP is 21, and the default port for TFTP is 69.
8.

9. In the Path field, specify the name of the server directory in which the file that you are loading is stored. If the file is stored in the server’s base directory, leave the field empty. For some FTP servers, you might need to enter /. To specify a directory within the base directory, include the leading slash (/)—for example, /MyDirectory.
10. Click the Install button. The file is immediately copied to the module’s flash.
11.
Figure 5-20. Configuring the Allow List

2. You should be on the Web-Auth screen for the WLAN. In the Allow List section on the right side of the screen, add up to 10 IP addresses.
   a. If you have specified External for the Web-Auth page type, enter the IP address of the external Web server:
      i. Under the Allow List heading, select one of the 0.0.0.0 addresses.
      ii. In the Change field, enter the address for the Web server.
      iii.

Note
When you add a device’s IP address to the Allow list, that device is publicly available; no network authentication is required to access the device. Any user can access the device—unless that device (like the Wireless Edge Services zl Module) has its own authentication requirements.

3. Verify that you have configured the Web pages as described in earlier sections of this chapter.
4.

Figure 5-21. Configuring Encryption for a WLAN that Enforces Web-Auth

2. In the Encryption section, check the box for your selection.
3. If you have selected a WEP encryption type, click its Config button and specify the WEP keys. You can enter up to four keys. The currently selected key acts as the password.
4. If you have selected a WPA encryption type, click its Config button and specify the preshared key. See “Configuring WPA/WPA2-PSK” on page 4-58 of Chapter 4: “Wireless Local Area Networks (WLANs)” for more information on configuring the preshared key.
5. Click the OK button to close the WLAN Edit screen and save your configuration changes to the running-config. You are returned to the Network Setup > WLAN Setup > Configuration screen.
Copying Logo Files to the Module’s Flash

If you want to display your company’s logo on the Web-Auth login, welcome, or failed page, you must copy the logo file to the appropriate directory on the Wireless Edge Services zl Module’s flash. The module’s flash contains a hotspot directory that, in turn, contains a subdirectory for each WLAN on the module.

3.
4. Specify the source for the file transfer:
   a. In the From field under Source, use the drop-down menu to select Server.
   b. In the File field, enter the name of the logo file.
   c. In the Using field, use the drop-down menu to select either FTP or TFTP.
   d. In the IP Address field, enter the IP address of the FTP or TFTP server.
   e. If you are using an FTP server, enter the login credentials.
      i.

Figure 5-24. Management > System Maint.—Config Files > Transfer Screen

5. Click the Transfer button. In the Status area at the bottom of the screen, a message is displayed, reporting whether the transfer was successful.

Configuring Custom Web-Auth Pages

You can design your own Web-Auth pages and either store them on an external server or upload them to the Wireless Edge Services zl Module’s flash memory (advanced configuration). The custom Web-Auth pages must include a login page, a welcome page, and a failed page. However, in addition to those pages, you can configure links to as many other pages as you desire.
6 IP Services—IP Settings, DHCP, and DNS

Contents
IP Settings . . . 6-3
Viewing VLAN Interfaces and Enabling Secure Management . . . 6-3
Assigning an IP Address to a VLAN . . . 6-5
Deleting the IP Address Assigned to a VLAN . . . 6-6
Editing the IP Address Assigned to a VLAN . . .
Configuring Extended DHCP Options . . . 6-37
Setting Up Global Options . . . 6-37
Specifying the Value for an Extended Option in a DHCP Pool . . . 6-39
Configuring Dynamic DNS (DDNS) . . . 6-41
Viewing DHCP Bindings . . .
IP Services—IP Settings, DHCP, and DNS

IP Settings

To function as a Layer 3 device, the Wireless Edge Services zl Module requires only one IP address, usually assigned to the default management interface. (The default management interface is virtual LAN [VLAN] 1.) For some network environments, however, you may want to assign IP addresses to other VLANs. To do so, you must create VLAN interfaces.

Viewing VLAN Interfaces and Enabling Secure Management

To view the VLANs that have been assigned IP addresses, select Network Setup > Ethernet > Configuration.

Figure 6-1. Network Setup > Ethernet > Configuration Screen

The following information is listed for each VLAN:
■ Name
■ VLAN ID
■ DHCP Enabled
  This column has a green check mark if the DHCP client is enabled on this VLAN (so that the VLAN receives a dynamic address).
■ Status
  This column reports whether or not the VLAN was created successfully.
■ Management Interface
  Only one VLAN can be selected as the management interface, and that VLAN is identified with a green check mark. All other VLANs show a red x in the Management Interface field. When secure management is enabled, you can access the Wireless Edge Services zl Module’s Web browser interface only through the IP address assigned to this VLAN.

4. Configure the IP address:
   a. Check the Use DHCP to obtain IP Address automatically box if you want the VLAN to receive an IP address through a DHCP server. Do not check this box if you want the Wireless Edge Services zl Module to act as the DHCP server when stations successfully associate to this VLAN. As a DHCP server, the module would, of course, require a static address on the VLAN.
   b.
Editing the IP Address Assigned to a VLAN

If you need to change the IP address that is assigned to a VLAN, complete these steps:
1. Select Network Setup > Ethernet > Configuration.
2. Select the VLAN and click the Edit button. The Configuration screen for the VLAN interface is displayed.

Figure 6-3. Configuration Screen for the vlan1 Interface

3. Change the settings as needed and then click the OK button.
4.

Figure 6-4. Network Setup > Ethernet > Statistics Screen

You can view the following information:
■ Name—VLAN ID (also referred to as the interface).
■ Bytes In—total number of bytes received on the interface.
■ Packets In—total number of packets received on the interface, including packets dropped and error packets.
■ Packets In Dropped—number of incoming packets that are dropped.
■ Packets Out Dropped—number of outgoing packets dropped. Conditions that result in dropped packets include:
   • The output queue assigned to the interface is saturated.
   • Collisions have occurred.
■ Packets Out Error—number of outgoing packets with errors such as malformed packets.

To view more detailed information about a VLAN, select that VLAN and click the Details button at the bottom of the screen. The Interface Statistics screen is displayed.

Viewing a Graph for VLANs That Are Assigned IP Addresses

The Wireless Edge Services zl Module can create graphs of statistics for VLANs that have been assigned an IP address. Such graphs display how the statistics change over time. To view a graph, follow these steps:
1. Select Network Setup > Ethernet > Statistics.

Figure 6-6. Network Setup > Ethernet > Statistics

2. Select a VLAN from the list.
3. Click the Graph button.

Figure 6-7. Interface Statistics Graph

To generate a graph, you must select the statistic that you want to track. Initially, the graph shows input bytes. You can choose any of the statistics displayed in the Details screen (refer to “Viewing Statistics for VLANs That Are Assigned IP Addresses” on page 6-7 for more information about a statistic). Select the appropriate box for the statistic you want to view.
IP Routing

As discussed in Chapter 1: “Introduction,” the Wireless Edge Services zl Module and its internal uplink port operate at Layer 3 of the Open Systems Interconnection (OSI) model. As part of this Layer 3 functionality, the Wireless Edge Services zl Module maintains a route table. You can view the route table, which automatically lists directly connected interfaces, and you can add static routes to the route table.

Figure 6-8. Network Setup > Internet Protocol > IP Forwarding Screen

If you assign an IP address to any other VLAN (as described in “IP Settings” on page 6-3), the Wireless Edge Services zl Module recognizes the subnetwork attached to that VLAN and lists it as a directly connected route. To view the module’s route table, select Network Setup > Internet Protocol and click the IP Forwarding tab. (See Figure 6-8.

■ Protocol—lists the name of the protocol through which the route was obtained. Routes can be obtained in the following ways:
   • DHCP—Routes can be included with the IP address that the module receives from a DHCP server.
   • Static—Routes can be entered manually.
   • Connected—Routes can be directly connected to an interface.

6. Click the OK button to apply the change to the running-config.
7. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.

To delete a route, select the route from the list in the Network Setup > Internet Protocol > IP Forwarding screen. Then click the Delete button.
Although you can add another default route manually (or, from the CLI, specify another default gateway), only one default route is active—the first route configured. To avoid confusion, ProCurve Networking recommends that you delete all but one default route.

Figure 6-11. (callouts: Two default routes; This route has no effect unless you delete the first route)

Figure 6-12. Add Static Route Screen

7. Click the OK button to apply the change to the running-config.
8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.

Address Resolution Table

The Wireless Edge Services zl Module maintains an address resolution table, which displays the media access control (MAC) addresses associated with particular IP addresses.

Figure 6-13. Network Setup > Internet Protocol > Address Resolution Screen

The Interface column lists the VLAN on which the IP address can be reached, and the Type column indicates how the module learned to map that IP address to that MAC address. For example, in Figure 6-13, Dynamic indicates that the module learned the mapping by listening to frames received from the device at 10.4.1.100.
DNS Client

DNS is the Internet protocol for translating domain names or hostnames into IP addresses. The hostname is the familiar, alphanumeric name for a host on the Internet (for example, www.procurve.com), and the IP address is the 32-bit address that devices on a TCP/IP network use to reach each other. DNS allows users to enter more readily memorable and intuitive hostnames rather than IP addresses.

Figure 6-14. Network Setup > Internet Protocol > Domain Name System Screen

2. Click the Add button at the bottom of the screen. The Add DNS Server screen is displayed.

Figure 6-15. Add DNS Server Screen

3. In the Server IP Address field, enter the IP address of the DNS server.
4. Click the OK button. The DNS server is now listed on the Network Setup > Internet Protocol > Domain Name System screen.
5.

Deleting a DNS Server

If you want to remove a DNS server that is listed on the Network Setup > Internet Protocol > Domain Name System screen, complete these steps:
1. Select Network Setup > Internet Protocol and click the Domain Name System tab.
2. Select the DNS server that you want to delete and click the Delete button at the bottom of the screen. A prompt is displayed, asking if you want to delete the item.
3.
DHCP Server

The Wireless Edge Services zl Module can function as a DHCP server. Although the module can provide DHCP services for your entire network, it is more appropriately used as the DHCP server for your wireless network.

Overview

A DHCP server issues dynamic configurations to stations. The DHCP server on the Wireless Edge Services zl Module can assign stations a variety of settings, or options, in the configuration.

As a DHCP server, the Wireless Edge Services zl Module can also implement dynamic DNS (DDNS), which updates a DNS server whenever a host’s IP address changes. Finally, the Wireless Edge Services zl Module supports DHCP relay.

Configuring the DHCP Server

If you want the Wireless Edge Services zl Module to assign IP addresses to devices on your network, you must configure it as a DHCP server by following the steps outlined in the following sections.

When you use network pools, you can also specify a range of excluded addresses, which are addresses in a pool that the Wireless Edge Services zl Module is not allowed to assign. Use the excluded addresses to protect IP addresses on your network that you want to remain fixed, such as the IP addresses of routers and DNS servers. A host pool contains a single fixed IP address and is designated to a specific device.
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-17. Network Setup > DHCP Server > Configuration Screen 2. Click the Add button. The Add Pool screen is displayed.
IP Services—IP Settings, DHCP, and DNS DHCP Server Figure 6-18. Add Pool Screen for Network Pools 3. In the Pool Name field, enter a name for the pool. You can enter up to 255 alphanumeric characters (no special characters). The name is typically a descriptive text string that helps identify the purpose of the pool or the set of clients that it is intended to serve. 4. 6-26 In the Domain field, enter the domain name for the network on which the Wireless Edge Services zl Module is running.
IP Services—IP Settings, DHCP, and DNS DHCP Server 5. In the Associated Interface field, use the drop-down menu to select the VLAN interface that you want to associate with this network pool. This drop-down menu includes all of the Wireless Module’s configured interfaces (such as VLAN 1). The IP address and subnet mask assigned to the associated interface are automatically inserted into the appropriate fields. 6.
9. If necessary, set options for a network that uses NetBIOS:
a. In the NetBios Node field, use the drop-down menu to select the NetBIOS node type. The NetBIOS node type determines how stations resolve NetBIOS names to IP addresses, whether by broadcasting messages, by using a WINS server (peer-to-peer), or by a combination of the two. You can select one of four options:
– b (Broadcast)
– h (Hybrid)
– m (Mixed)
– p (Peer-to-Peer)
b.
Figure 6-19. Network Setup > DHCP Server > Host Pool Screen
2. Click the Add button. The Add Pool screen is displayed.
Figure 6-20. Add Pool Screen for Host Pools
3. In the Pool Name field, enter the name of the pool to which this IP address will belong. For example, you might enter the name of the device. The name can include up to 255 alphanumeric characters.
4. In the IP Address field, enter the fixed address for this device.
6. Enter either a hexadecimal client identifier (ID) in the Client ID field or a MAC address in the Hardware Address field, but not both. When a device sends a DHCP request, the request includes a client ID, either a customized ID or the device’s MAC address. The Wireless Edge Services zl Module uses this value to match the device to the correct host pool and fixed IP address.
Excluding Addresses from a Network Pool
You may sometimes want to prevent the DHCP server from assigning specific IP addresses within the network pool or pools that you have configured. For example, you would not want the DHCP server to assign an IP address that is already configured statically on another network device. In such cases, simply add exclusions to the DHCP server configuration.
Figure 6-22. Network Setup > DHCP Server > Excluded Screen
5. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. You can specify multiple ranges.
Enabling the DHCP Server
To enable the DHCP server, complete these steps:
1. Select Network Setup > DHCP Server > Configuration.
2. Check the Enable DHCP Server box.
Figure 6-23. Enabling the DHCP Server
3. Click the Apply button.
4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
To disable the DHCP server, uncheck the Enable DHCP Server box and click the Apply button.
Configuring Global DHCP Settings: Ignoring BOOTP and Setting the Ping Interval
Two global settings apply to the Wireless Edge Services zl Module’s internal DHCP server:
■ Ignoring BOOTP requests—BOOTP is an earlier protocol that uses the same ports as DHCP. Like DHCP, BOOTP enables stations to receive dynamic configurations, typically including the name and location of a boot file.
Figure 6-24. Configuring Global DHCP Settings
2. Check the Ignore Bootp box to configure the module to ignore BOOTP requests. Checking the box allows the BOOTP requests to continue on to a BOOTP server.
3. Enter a value from 1 through 10 seconds in the Ping time interval field. The default setting is 1 second.
4. Click the Apply button.
Configuring Extended DHCP Options
The Wireless Edge Services zl Module allows you to configure extended DHCP options for both network and host pools. For example, in addition to assigning clients a DNS server address, you might want to assign them a Network Time Protocol (NTP) server address. An NTP server address is defined through option 42. To configure extended DHCP options, you first define globally which extended option or options you will use.
Table 6-1. Names Not Allowed for Global DHCP Options
Reserved Names
subnet-mask
routers
domain-name-servers
domain-name
broadcast-address
netbios-name-servers
netbios-node-type
bootfile-name
user-class
next-server
dynamic-bootp
In the Code field, enter a value between 0 and 254. You should enter the standard code for the option that you are defining.
5. Again, some DHCP codes are reserved for the DHCP options configured when you set up the pool.
6. The Type drop-down menu includes two options: ip and ascii. The setting that you select determines the type of value that you enter when you actually configure the option in a pool. (See “Specifying the Value for an Extended Option in a DHCP Pool” on page 6-39.) In this example, you are setting up an option to specify an IP address for an NTP server, so you select ip. Selecting ascii allows you to enter alphanumeric characters for the option.
3. To configure an option for a host pool, complete these steps and then proceed to step 4:
a. Click the Host Pool tab.
b. Select one of the pools. (See “Creating a Host Pool” on page 6-28 for instructions on creating the pool.)
c. Click the Options button. The Pool Options screen is displayed.
4. In the Pool Options screen, click the Insert button.
Figure 6-27. Specifying the Value for an Extended Option
5. Click the Name field.
Configuring Dynamic DNS (DDNS)
A DNS server resolves hostnames to IP addresses. For the DNS server to function correctly, its table must include the correct IP address for each hostname. However, a device that acts as a DHCP client might unexpectedly receive a new IP address, invalidating the DNS server’s hostname table. DDNS addresses this problem by updating a DNS server whenever a client’s IP address changes.
Figure 6-28. Configuring DDNS
3. In the Domain Name field, enter an alphanumeric string. In DDNS updates, a client’s name follows this format:
• user class, if the client has sent such a class
• client’s MAC address
• the domain name that you specify in this step
For example, an update might identify a client as follows: 00:C0:49:F7:82:13.procurve.com.
4. Specify the time-to-live for updates in the TTL field.
6. From the Automatic Update drop-down menu, select which device sends the dynamic updates:
• Select Server Update to have the Wireless Edge Services zl Module send an update whenever one of its DHCP clients accepts an IP address from it.
• Select Client Update to have each DHCP client send an update when it receives an IP address from the DHCP server. In this case, the client must support DDNS.
• Select Off to disable automatic updates.
Figure 6-29. Viewing DHCP Bindings
The screen displays a list of leases, with information in these columns:
■ IP Address—the IP address assigned to the station
■ MAC Address/Client ID—the station’s MAC address or, if it sent a customized ID, its ID
■ Type—the method that the Wireless Edge Services zl Module used to select the IP address. Automatic indicates that the module chose the IP address from a network pool.
Configuring DHCP Relay
Your network might already include a DHCP server. The Wireless Edge Services zl Module can provide DHCP relay services to this server. A DHCP server serves only clients on the same subnetwork or VLAN. DHCP relay passes DHCP requests from clients on one subnetwork to a DHCP server on a different subnetwork, eliminating the need for a DHCP server on each local network segment.
Figure 6-30. Network Setup > DHCP Server > Relay Screen
2. Click the Add button. The Add Relay Information screen is displayed.
Figure 6-31. Add Relay Information Screen
3. In the Interface field, use the drop-down menu to select the VLAN interface that receives the DHCP requests.
4. In the Server fields, enter the IP addresses for up to four DHCP servers. In each applicable Gateway field, use the drop-down menu to specify the corresponding interfaces by which the DHCP servers may be reached.
Figure 6-32. Viewing DHCP Relay Configurations
You can select the DHCP relay configuration for an interface and edit or delete it by clicking the corresponding buttons.
7 Access Control Lists (ACLs)
Contents
Overview . . . 7-2
Stateful ACLs . . . 7-2
ACL Types . . . 7-3
Standard IP ACLs . . . 7-3
Extended IP ACLs . . .
Access Control Lists (ACLs)
Overview
You can configure access control lists (ACLs) on the ProCurve Wireless Edge Services zl Module to control traffic to and from wireless stations. An ACL is an ordered list of rules that select packets according to header information and dictate whether the module should permit (forward) or deny (drop) those packets. ACLs allow you to control wireless users’ network rights.
ACL Types
The Wireless Edge Services zl Module supports two basic ACL types:
■ IP ACLs—based on the IP header (Layer 3). IP ACLs control traffic inbound on an interface. They can apply to the Wireless Edge Services zl Module’s virtual LAN (VLAN) interfaces or to its two physical interfaces: the internal uplink and downlink ports. If applied to a VLAN interface, the IP ACLs control routed traffic.
■ TCP and UDP source and destination ports
■ WLAN index—the index number (1 through 256) of the WLAN through which the packet arrived (for physical interfaces only)
You can apply an extended IP ACL to inbound traffic on either a logical (VLAN or tunnel) interface or a physical (internal uplink or downlink) interface. Again, an ACL on a logical interface only affects traffic that the Wireless Edge Services zl Module actually routes.
For all ACL types, rules include the following specifications:
■ precedence—the order in which the rule is processed
■ filters—the criteria by which a rule selects packets
■ operation—the action that the Wireless Edge Services zl Module takes on traffic selected by a rule
All ACLs include an implicit “deny any” rule at the end. In other words, if traffic does not match any of the ACL’s rules, the ACL drops the traffic.
Extended IP ACL rules can include these additional filters:
■ destination IP address. The filter can select:
• all addresses
• a single address
• a range of addresses, specified by a subnetwork address and a prefix length
■ protocol. By default, a rule matches all IP packets, but you can limit the rule to a specific protocol including:
• ICMP
• TCP
• UDP
■ for ICMP packets, ICMP type and ICMP code
■ for TCP and UDP packets, source and destination ports
In
Operation
The module takes one of the following actions on packets selected by a rule:
■ deny—the module drops the selected traffic
■ permit—the module forwards the selected traffic
■ mark—the module marks the selected traffic for a certain type of QoS and forwards the traffic
Permit and Deny. These operations allow you to control users’ network access. Remember, the operation only affects traffic that meets all of the criteria of the rule.
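The rule evaluation described in this chapter (ascending precedence, first match wins, permit/deny/mark, and the implicit “deny any”), worked through as an added Python example that is not part of this guide or of the module’s own software. The Rule and Packet classes are this example’s own, and every address, port and rule value in it is constructed.

```python
# Added example (not ProCurve code): evaluate an extended IP ACL the way this
# chapter describes it. Rules are processed in ascending precedence (1 through
# 5,000); the first rule whose filters all match decides the operation; a
# packet that matches no rule hits the implicit "deny any" at the end.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    precedence: int                  # 1..5000; lower values are checked first
    operation: str                   # "permit", "deny" or "mark"
    source: str = "any"              # "any", a host address, or network/prefix
    destination: str = "any"         # extended IP ACLs can filter on this too
    protocol: str = "ip"             # "ip" matches all; or "icmp", "tcp", "udp"
    src_port: Optional[int] = None   # TCP/UDP only
    dst_port: Optional[int] = None   # TCP/UDP only
    icmp_type: Optional[int] = None  # ICMP only
    icmp_code: Optional[int] = None
    mark: Optional[Dict[str, int]] = None  # {"802.1p": 0..7} or {"tos": 0..255}
    logging: bool = False            # count matches, like the Logging box
    hits: int = 0

    def __post_init__(self) -> None:
        # Mirror the ranges the Add Rule screen accepts.
        if not 1 <= self.precedence <= 5000:
            raise ValueError("precedence must be 1 through 5,000")
        if self.operation not in ("permit", "deny", "mark"):
            raise ValueError("operation must be permit, deny or mark")
        if self.operation == "mark":
            if not self.mark or len(self.mark) != 1:
                raise ValueError("a mark rule needs exactly one attribute")
            attr, value = next(iter(self.mark.items()))
            limit = {"802.1p": 7, "tos": 255}.get(attr)
            if limit is None or not 0 <= value <= limit:
                raise ValueError("mark attribute out of range")


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    """'any', a single host, or a subnetwork address with a prefix length."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule selects a packet only when every configured filter matches."""
    if not (_addr_matches(rule.source, pkt.src)
            and _addr_matches(rule.destination, pkt.dst)):
        return False
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    checks = [(rule.src_port, pkt.src_port), (rule.dst_port, pkt.dst_port),
              (rule.icmp_type, pkt.icmp_type), (rule.icmp_code, pkt.icmp_code)]
    return all(want is None or want == have for want, have in checks)


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[Dict[str, int]]]:
    """Return (operation, mark attribute) chosen by the first matching rule."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if rule_matches(rule, pkt):
            if rule.logging:
                rule.hits += 1
            return rule.operation, rule.mark
    return "deny", None  # implicit "deny any" at the end of every ACL


# Constructed ACL for wireless traffic: nonconsecutive precedence values
# (10, 20, 30, 40) leave room to insert a rule at, say, 15 later.
WIRELESS_ACL = [
    Rule(10, "deny", protocol="tcp", destination="10.1.0.0/16", dst_port=23,
         logging=True),                                 # no Telnet into the LAN
    Rule(20, "permit", protocol="tcp", destination="10.1.0.0/16", dst_port=80),
    Rule(30, "mark", protocol="udp", source="10.2.0.0/24", dst_port=5060,
         mark={"802.1p": 6}),                           # forward with higher QoS
    Rule(40, "permit", protocol="icmp", destination="10.1.1.1", icmp_type=8),
]

if __name__ == "__main__":
    for dport in (80, 23, 22):
        pkt = Packet("10.2.0.5", "10.1.1.20", "tcp", 40000, dport)
        print(dport, evaluate(WIRELESS_ACL, pkt))
```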
Table 7-1. Standard QoS for 802.1p Classes
Priority Value   Service Type
1 and 2          lowest priority (background)
0 and 3          default priority (best effort)
4 and 5          higher priority (video and voice)
6 and 7          highest priority (network control traffic)
■ TOS—a mechanism for implementing QoS at Layer 3. The value for the IP header’s one-byte TOS field can range from 0 through 255.
You may want to mark time-sensitive traffic, which is often destined to one of UDP’s real-time ports, for higher QoS.
Access Control Lists (ACLs)
Configuring ACLs
To configure an ACL, you must complete these steps:
1. Create the list and select the ACL type.
2. Create a series of ordered permit, deny, or mark rules.
3. Apply the list to an interface.
Do not complete the final step if you are using a standard IP ACL for a function other than controlling traffic. These functions include:
■ NAT—The ACL selects traffic for dynamic source NAT; you specify the ACL in the NAT configuration.
Figure 7-1. Security > ACLs > Configuration Screen
2. Click the Add button. The Add ACL screen is displayed. (See Figure 7-2.)
Figure 7-2. Add ACL Screen
3. In the ACL Type field, use the drop-down menu to select either the standard IP, extended IP, or MAC extended ACL type.
4. In the ACL ID field, specify the ACL ID, which uniquely identifies the ACL. ACL IDs can be either an ASCII string or a numeric value.
5. Click the OK button. The ACL is now listed in the ACLs section of the Security > ACLs > Configuration screen.
Figure 7-3. Security > ACLs > Configuration with ACL
Configuring Rules for ACLs
After you create an ACL, you must add rules to it. These rules actually select and control the traffic.
Creating Rules for Standard IP ACLs
The standard IP ACL offers a variety of options for rules. However, some of these options only take effect on certain interfaces. As you create the rule, keep in mind the interface for which you are designing this ACL. In Table 7-3, an X under the interface means that the option is supported for that interface.
Table 7-3.
Figure 7-4. Add Rule Screen for Standard IP ACLs
3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000. The Wireless Edge Services zl Module processes rules in ascending order (starting at 1, moving to 2, and so on). As you assign precedence values to rules for a given ACL, consider using nonconsecutive numbers (for example, 10, 20, 30, and so on), in case you need to insert new rules “between” existing rules later.
4.
6. If you selected the mark operation in step 4, under Attribute to mark, select one of the following:
• 802.1p—Then specify the traffic service class value, from 0 through 7.
• TOS—Then specify the value for the TOS octet, from 0 through 255. Standard DSCP values are from 0 through 63. Remember that higher values typically mark traffic for better QoS.
7.
Creating Rules for Extended IP ACLs
Configuring rules for an extended IP ACL is similar to configuring rules for standard IP ACLs. However, these rules can also select traffic by protocol, application, and destination IP address. Refer to Table 7-4 to verify that a particular option is supported for the interface to which you plan to apply the ACL. An X under the interface means that the option is supported for that interface.
Table 7-4.
Figure 7-5. Add Rule Screen for Extended IP ACLs
3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000. The Wireless Edge Services zl Module processes rules in ascending order (starting at 1, moving to 2, and so on). As you assign precedence values to rules for a given ACL, consider using nonconsecutive numbers (for example, 10, 20, 30, and so on) in case you need to insert new rules in between existing rules later.
4.
Note: The mark operation only takes effect if you apply this ACL to a physical interface.
5. Optionally, check the Logging box to allow the module to keep track of the number of packets matched to this rule.
6. If you selected the mark operation in step 4, under Attribute to mark, select one of the following:
• 802.1p—Then specify the traffic service class value, from 0 through 7.
• TOS—Then specify the value for the TOS octet, from 0 through 255.
The ICMP Type and ICMP Code settings are based on the first 16 bits of the 32-bit ICMPv6 message header, illustrated in Figure 7-7.
Figure 7-7. ICMPv6 Message Packet
In the ICMPv6 message packet:
– The ICMP type value is based on the first eight bits (bits 0 through 7). ICMP type values from 0 through 127 are used for error messages, and ICMP type values from 128 through 255 are used for information messages.
ICMP Type   Type Description            ICMP Code   Code Description
3           Time Exceeded message       0           Hop limit exceeded in transit
                                        1           Fragment reassembly time exceeded
4           Parameter Problem message   0           Erroneous header field encountered
                                        1           Unrecognized Next Header type encountered
                                        2           Unrecognized IPv6 option encountered
128         Echo Request message        0
129         Echo Reply message          0
Figure 7-8. TCP/UDP Options Screen
b.
You do not have to specify both source and destination ports. Set the destination port to control traffic associated with a particular application. For example, set the destination port to 80 to select HTTP (Web) traffic. Click the OK button to return to the Add Rule screen and finish configuring other filters.
9. In the Source Wildcard/Mask field, use the drop-down menu to select one of the following:
• any—The rule will apply to traffic from any IP address.
Creating Rules for MAC Extended ACLs
To create a rule for a MAC extended ACL, complete these steps:
1. On the Security > ACLs > Configuration screen, in the ACL section, select a MAC extended ACL.
2. Click the Add button under Associated Rules. The Add Rule screen is displayed.
Figure 7-9.
3. In the Precedence field, specify the precedence for the rule, from 1 through 5,000. The Wireless Edge Services zl Module processes rules in ascending order (starting at 1, moving to 2, and so on). As you assign precedence values to rules for a given ACL, consider using nonconsecutive numbers (for example, 10, 20, 30, and so on) in case you need to insert new rules in between existing rules later.
4.
Note: You should never specify a WLAN index for an ACL that you apply to the uplink port. Traffic from the uplink port is not marked for a WLAN, so the rule will not select any traffic.
9. Optionally, check the box to filter frames according to the following criteria:
• Vlan ID—Select traffic with the specified VLAN ID. Valid values range from 1 through 4,095.
• 802.1p Priority—Select traffic with the specified QoS class. Valid values range from 0 through 7.
Applying ACLs to Interfaces
An ACL does not take effect on the Wireless Edge Services zl Module until you apply it to an interface. Although you can create and configure many ACLs, you are limited in the number of ACLs that you can apply:
■ You can apply one IP ACL to each logical (VLAN or tunnel) interface. See “IP Settings” on page 6-3 in Chapter 6: “IP Services—IP Settings, DHCP, and DNS” to learn how to create a VLAN interface.
Figure 7-10. Security > ACLs > Attach
2. Click the Add button. The Add ACL Association screen is displayed.
Figure 7-11.
3. From the Interface drop-down menu, select one of the following interfaces:
• uplink—the module’s internal uplink port
• downlink—the module’s internal downlink port
• an uplink VLAN configured on the module
4. Select the ACL to control incoming traffic on the selected interface. The options available depend on the type of interface:
• For VLAN interfaces, select an IP-type ACL from the IP ACL drop-down menu.
Viewing ACL Statistics
You should check ACLs and verify that they are selecting traffic as they should. To view statistics for your ACLs, select Security > ACLs and click the Statistics tab. You can alternatively select Security > ACL Statistics.
Figure 7-12. Security > ACLs > Statistics Screen
ACL statistics are displayed on the screen. (If you do not see any statistics, you may need to edit your rules and check the Logging box.)
Table 7-6. Action IDs for ACL Statistics
ID   Action
2    drop—a deny rule
3    forward—a permit or mark rule
■ Protocol—protocol for selected packets. Table 7-7 provides a key for the protocols.
Table 7-7.
Figure 7-13. Security > ACLs > Details Screen
In addition to the information that you viewed on the Security > ACLs > Statistics screen, you can monitor the traffic associated with this rule. Total Flows reports the total number of sessions established using this rule and typically matches the value for Times Used. Active Flows shows how many of those sessions are still active.
8 Configuring Network Address Translation (NAT)
Contents
Overview . . . 8-3
Translating Between an Inside and an Outside Network . . . 8-3
Local and Global Addresses . . . 8-4
NAT Implementation Methods . . . 8-5
Dynamic, or Many-to-One, NAT . . .
Configuring Standard ACLs for Dynamic NAT . . . 8-22
Configuring NAT . . . 8-24
Defining Interfaces as Outside or Inside . . . 8-24
Configuring Dynamic NAT . . . 8-26
Configuring Static Translation . . .
Configuring Network Address Translation (NAT)
Overview
You can configure the ProCurve Wireless Edge Services zl Module to perform Network Address Translation (NAT) on traffic routed between two subnetworks—typically, traffic exchanged between the wireless and the wired network. The module can translate either the source or the destination IP address in a packet’s IP header to a new address. The Wireless Edge Services zl Module allows you to implement NAT in several different ways.
Figure 8-1. Dividing Interfaces into Inside and Outside Interfaces
The Wireless Edge Services zl Module always performs NAT on traffic as the traffic arrives on an interface. Because the module can apply NAT to both inside and outside interfaces, it can perform NAT in both directions.
Note: When the Wireless Edge Services zl Module maps wireless traffic to a VLAN, that traffic is considered to have arrived on the VLAN interface.
NAT Implementation Methods
On the Wireless Edge Services zl Module, you can configure:
■ dynamic NAT
■ static NAT
Dynamic NAT affects only source IP addresses while static NAT can translate either source or destination IP addresses.
Dynamic, or Many-to-One, NAT
Perhaps the most common implementation of NAT is dynamic NAT, sometimes called many-to-one NAT because it allows multiple stations to share the same IP address after translation.
Figure 8-2 illustrates this configuration, which allows wireless stations to use IP addresses local to the wireless network but still to open sessions with servers in the Ethernet network.
Figure 8-2. Dynamic Source NAT on Wireless Traffic
You can also implement NAT on the module to ready wireless traffic for transmission to the Internet—if you do not have another device that does so.
Dynamic NAT for Wired Traffic
You can configure dynamic NAT for traffic bound from the wired network to the wireless network. In this case, the Wireless Edge Services zl Module translates wired devices’ IP addresses to one of the module’s own IP addresses. You might use dynamic NAT on wired traffic when your wireless network receives a great deal of public traffic.
In fact, instead of configuring dynamic source NAT to conceal private addresses, you might want to configure only destination NAT. The Wireless Edge Services zl Module automatically performs source NAT on the traffic returning from the server.
Port Address Translation for Dynamic NAT
To enable multiple users to share one IP address, the Wireless Edge Services zl Module uses port address translation in conjunction with NAT.
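The many-to-one source NAT with port address translation described in this section, as an added Python example that is not ProCurve code: a standard ACL selects the local addresses to translate (permit = translate, deny = leave alone), each translated session receives its own port on the module’s global address, and replies to that port are mapped back. The global address 192.168.10.1, the 10.2.0.0/24 wireless pool, the wired server 172.16.1.5 and the port range are all constructed.

```python
# Added example (not ProCurve code): dynamic, many-to-one source NAT with port
# address translation. A standard ACL, evaluated by precedence with the implicit
# "deny any", chooses which local source addresses are translated. Addresses,
# ports and rule values are constructed for the example.
import ipaddress
from typing import Dict, List, Optional, Tuple

Session = Tuple[str, int, str]  # (local ip, local port, protocol)


class DynamicSourceNat:
    def __init__(self, global_addr: str, acl: List[Tuple[int, str, str]],
                 first_port: int = 1024, last_port: int = 65535) -> None:
        self.global_addr = global_addr
        # Standard ACL rules as (precedence, operation, source network).
        self.acl = sorted(acl, key=lambda rule: rule[0])
        self.next_port = first_port
        self.last_port = last_port
        self.out: Dict[Session, int] = {}               # session -> global port
        self.back: Dict[Tuple[int, str], Session] = {}  # (global port, proto)

    def selected(self, src: str) -> bool:
        """Standard ACL as NAT selector: first match wins, implicit deny."""
        ip = ipaddress.ip_address(src)
        for _, operation, network in self.acl:
            if ip in ipaddress.ip_network(network, strict=False):
                return operation == "permit"
        return False

    def outbound(self, pkt: dict) -> dict:
        """Translate a packet arriving on the inside interface."""
        if not self.selected(pkt["src"]):
            return dict(pkt)  # deny rule or no match: not subject to NAT
        key: Session = (pkt["src"], pkt["sport"], pkt["proto"])
        gport = self.out.get(key)
        if gport is None:
            if self.next_port > self.last_port:
                raise RuntimeError("port address translation range exhausted")
            gport = self.next_port
            self.next_port += 1
            self.out[key] = gport
            self.back[(gport, pkt["proto"])] = key
        return {**pkt, "src": self.global_addr, "sport": gport}

    def inbound(self, pkt: dict) -> Optional[dict]:
        """Map a reply sent to the global address back to the local station."""
        if pkt["dst"] != self.global_addr:
            return dict(pkt)  # not NAT traffic
        key = self.back.get((pkt["dport"], pkt["proto"]))
        if key is None:
            return None  # no binding for this port: nothing to deliver it to
        local_ip, local_port, _ = key
        return {**pkt, "dst": local_ip, "dport": local_port}


# Constructed setup: stations in the wireless DHCP pool 10.2.0.0/24 are
# translated to the module's address in the wired VLAN, except the device at
# 10.2.0.50, which a deny rule with lower precedence keeps untranslated.
NAT = DynamicSourceNat("192.168.10.1", acl=[
    (10, "deny", "10.2.0.50/32"),
    (20, "permit", "10.2.0.0/24"),
])

if __name__ == "__main__":
    a = NAT.outbound({"src": "10.2.0.11", "sport": 40000, "dst": "172.16.1.5",
                      "dport": 80, "proto": "tcp"})
    b = NAT.outbound({"src": "10.2.0.12", "sport": 40000, "dst": "172.16.1.5",
                      "dport": 80, "proto": "tcp"})
    print(a, b)  # same global address, distinct global ports
    print(NAT.inbound({"src": "172.16.1.5", "sport": 80, "dst": "192.168.10.1",
                       "dport": b["sport"], "proto": "tcp"}))
```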
Static NAT on Destination Addresses
One reason to use destination NAT is to allow wireless users to access servers on your internal LAN, while still concealing the servers’ IP addresses. This use is particularly important when you open your wireless network to the public.
Figure 8-4. Outside Destination NAT
One principle to remember: on the Wireless Edge Services zl Module, you define which VLANs are inside interfaces and which are outside. Figure 8-4 shows a configuration in which the VLAN used in the Ethernet network is an outside interface. So you configure the destination NAT on inside interfaces (these interfaces receive traffic that is destined to the outside VLAN).
The Wireless Edge Services zl Module would then translate the destination IP addresses of all traffic destined to port 80 to the Web server’s private IP address (the address on the wired network). Likewise, the module would translate all traffic destined to port 21 to the FTP server’s private IP address.
Figure 8-5.
When the module translates the destination IP address, it can also perform port translation, assigning the traffic to the particular port used by the destination device.
Static NAT on Source Addresses
Static source NAT is an alternative to dynamic source NAT. However, instead of allowing many stations to share one global address, static source NAT sets up a one-to-one correspondence between a particular IP address and a translated IP address.
Figure 8-6. Local Addresses
However, for destination NAT, the local address is actually the address as it appears across the border between inside and outside. This is because packets, pre-translation, are destined to the IP address that the originating station knows for the destination device, not the destination’s actual IP address. In Figure 8-5 on page 8-11, for example, the local address is 10.1.1.1. Table 8-2 summarizes this terminology.
Table 8-2.
Configuring Network Address Translation (NAT)
Planning the NAT Configuration
Before you access the Security > NAT screen and begin to set up NAT for your wireless network, you should plan your configuration:
1. Consider your company’s network topology and security needs and determine the requirements for NAT. In other words, which NAT methods do you need to configure, and which traffic should be translated?
2. Record the IP addresses necessary for your NAT configuration.
■ You want to conceal IP addresses used in your LAN from wireless users. Separate the VLANs for wired traffic from the VLANs for wireless traffic: When you specify the uplink VLANs in which the Wireless Edge Services zl Module places traffic from WLANs, choose different VLANs from those already used in the wired network. Next, define the wired VLANs as inside interfaces and define the wireless VLANs as outside interfaces.
Record Necessary IP Addresses and Select the NAT Implementation Method
As part of your NAT planning, you should record:
■ local address—the address or addresses that will be translated
■ global address—the address that will replace the local address when the module applies NAT
You should also determine which NAT implementation method you are using.
Figure 8-7. Dynamic NAT on a Sample Network
For this NAT implementation, you would record the IP addresses specified in the DHCP pool and configure an ACL that selects those addresses. Table 8-3 lists the actual IP addresses that you would record for the sample network shown in Figure 8-7.
Table 8-3.
Planning the Configuration for Static NAT
For static NAT, you manually specify the IP address and port settings within each NAT configuration. You must configure a separate static definition specifically for each IP address that your Wireless Edge Services zl Module must translate.
Figure 8-8. Outside Destination NAT with Port Translation on a Sample Network
In Figure 8-8, the VLAN for wireless stations is the inside interface, so the Web server is an outside device. Therefore you must set up inside destination NAT. You could alternatively define the Web server’s VLAN as the inside interface, in which case you would configure outside destination NAT.
Table 8-4. Recording Addresses for Outside Destination NAT
NAT Interface Type | NAT Address Type | Local or Global Address | Local or Global Port | Recorded Addresses for the Sample Network | Recorded Ports for the Sample Network
Inside | Destination | Local (outside device’s IP | Local (port to which the | 10.1.1.
Configuring Network Address Translation (NAT)
Configuring Standard ACLs for Dynamic NAT
To configure dynamic translation, you use a standard ACL to select the IP addresses that the Wireless Edge Services zl Module NATs. Although you can use any ACL that you have configured, you will probably want to configure ACLs to meet the specific requirements for your NAT implementation.
The full procedure for adding rules to ACLs is documented in Chapter 7: “Access Control Lists (ACLs).” The following rule guidelines apply to ACLs used for NAT:
■ In the Operation field, the permit operation means that traffic will be subject to NAT; the deny operation means that traffic will not be subject to NAT. (The mark operation does not apply to NAT.)
Configuring Network Address Translation (NAT)
Configuring NAT
To configure NAT, follow these steps:
1. Enable routing. See “IP Routing” on page 6-12 of Chapter 6: “IP Services—IP Settings, DHCP, and DNS.”
2. Define interfaces as inside or outside interfaces. When you create a NAT definition, you will select whether this definition applies to inside or outside traffic.
Figure 8-10. Security > NAT > Interfaces Screen
2. Click the Add button. The Add Interface screen is displayed.
Figure 8-11. Add Interface Screen
3. In the Interfaces field, use the drop-down menu to select an interface configured on the module.
4. In the Type field, use the drop-down menu to select either Inside (Private) or Outside (Public).
5. Click the OK button. The interface is now listed on the Security > NAT > Interfaces screen.
Figure 8-12. Interface Assignment in Security > NAT > Interfaces Screen

Configuring Dynamic NAT

For each NAT configuration that will use dynamic NAT, you must first set up an ACL.
Figure 8-13. Security > NAT > Dynamic Translation Screen
2. Click the Add button. The Add Dynamic Translation screen is displayed.
Figure 8-14.
3. In the NAT Interface field, use the drop-down menu to select the type of interfaces to which the module applies NAT:
• Inside (Private)—traffic that arrives from the inside network
In other words, inside NAT applies to incoming traffic on an inside interface; typically, the inside traffic should be bound for the outside network.
The definition for dynamic translation is now listed on the Security > NAT > Dynamic Translation screen. Remember: the translation does not take effect unless you define an interface as the type on which you configured dynamic NAT. (See “Defining Interfaces as Outside or Inside” on page 8-24.)
Figure 8-15.
Configuring Static Source NAT

When the Wireless Edge Services zl Module stands between two networks that use different IP addresses, static source NAT allows a device in one network to reach devices in the other network. The module translates the traffic’s source address so that the device that sent the traffic appears to have a valid IP address in the other network.
Figure 8-17. Add Static Translation Screen
3. In the NAT section, select the Interface Type and Address Type:
a. The Interface Type determines to which interfaces the Wireless Edge Services zl Module applies the static NAT definition:
– Outside (Public)—incoming traffic on an outside interface
– Inside (Private)—incoming traffic on an inside interface
b.
Table 8-5. Determining the IP Address for the Local Address Field

Interface Type | Address Type | IP Address for the Local Address Field
Inside (Private) | Source | IP address of an inside device as it appears on the inside network
Outside (Public) | Source | IP address of an outside device as it appears on the outside network

For example, for source NAT, enter the configured IP address assigned to a device in its own network.
Figure 8-18. Static NAT Definition in the Security > NAT > Static Translation Screen

Configuring Static Destination NAT

The Wireless Edge Services zl Module stands between two networks that use different IP addresses. Destination NAT allows clients in one network to open sessions with servers in the other network. You must configure destination NAT statically. To configure a static destination translation, complete these steps:
1.
Figure 8-19. Security > NAT > Static Translation Screen
2. Click the Add button. The Add Static Translation screen is displayed.
Figure 8-20. Add Static Translation Screen
3. In the NAT section, select the Interface Type and Address Type:
a. The Interface Type determines to which interfaces the Wireless Edge Services zl Module applies the static NAT definition:
– Outside (Public)—incoming traffic on an outside interface
– Inside (Private)—incoming traffic on an inside interface
b.
4. Select either TCP or UDP in the Protocol drop-down menu. This setting, which is available only for destination NAT, allows you to configure port forwarding. Choose the protocol of the application for which you are creating the NAT definition. For example, if you are setting up destination NAT to allow wireless stations to reach your Web server, select TCP.
5.
Table 8-8.
Figure 8-21. Static NAT Definition in the Security > NAT > Static Translation Screen

Viewing NAT Status

To view current translations, select Security > NAT and click the Status tab. Alternatively, you can select Security and click the NAT Status tab. (See Figure 8-22.
Figure 8-22. Security > NAT > Status Screen
Each active session to which the Wireless Edge Services zl Module has applied NAT is displayed in a row.
The number after a colon indicates the port. For example, the module has translated the source IP addresses in the first three rows to the same global source address but different port numbers. On the other hand, for a session using static destination NAT on outside traffic, the translation appears in the Outside-Global and Outside-Local columns.
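The following Python model is an added example, not code from the module or from this guide. It ties together three points of this chapter: the permit/deny ACL that selects traffic for dynamic NAT, dynamic source translation that rewrites many inside addresses to one global address with a distinct port per session (the "same global source address, different port numbers" rows on the status screen), and static destination NAT with TCP/UDP port forwarding. The ACL, the addresses and the sessions are constructed for the example; the module's real table layout is not reproduced.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class AclRule:
    """One rule of the standard ACL that selects traffic for dynamic NAT."""
    operation: str   # "permit" = translate, "deny" = leave untranslated (mark is not used for NAT)
    source: str      # source network in CIDR notation, e.g. "10.0.0.0/8"


def acl_selects(rules: List[AclRule], src_ip: str) -> bool:
    """First matching rule wins; a source that matches no rule is not translated."""
    addr = ip_address(src_ip)
    for rule in rules:
        if addr in ip_network(rule.source):
            return rule.operation == "permit"
    return False


@dataclass
class NatTable:
    """Constructed model of the module's translation table (Security > NAT > Status)."""
    global_address: str                  # the one public address inside hosts are translated to
    acl: List[AclRule]                   # standard ACL attached to the dynamic translation
    next_port: int = 1024                # next free global port for a new session
    # dynamic source NAT: (inside-local ip, port) -> (inside-global ip, port)
    dynamic: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # static destination NAT with port forwarding: (proto, global ip, port) -> (local ip, port)
    static_dst: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)

    def add_port_forward(self, proto: str, global_ip: str, global_port: int,
                         local_ip: str, local_port: int) -> None:
        """Static destination translation; the protocol (TCP or UDP) is part of the key."""
        self.static_dst[(proto.upper(), global_ip, global_port)] = (local_ip, local_port)

    def translate_inside_source(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Dynamic NAT for traffic arriving on an inside interface: every permitted
        source gets the shared global address and its own global port."""
        if not acl_selects(self.acl, src_ip):
            return (src_ip, src_port)            # exempt: packet leaves unchanged
        key = (src_ip, src_port)
        if key not in self.dynamic:              # new session: allocate a global port
            self.dynamic[key] = (self.global_address, self.next_port)
            self.next_port += 1
        return self.dynamic[key]

    def translate_destination(self, proto: str, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Static destination NAT: rewrite the global server address/port to the
        server's real address/port; traffic without a definition passes unchanged."""
        return self.static_dst.get((proto.upper(), dst_ip, dst_port), (dst_ip, dst_port))

    def status_rows(self) -> List[Tuple[str, str]]:
        """Rows as the status screen shows them: 'address:port' for local and global."""
        return [(f"{loc[0]}:{loc[1]}", f"{glob[0]}:{glob[1]}")
                for loc, glob in self.dynamic.items()]
```

Note that the deny rule for 10.1.1.0/24 in the test below exempts a subnet from translation even though a later permit covers all of 10.0.0.0/8: order matters in the ACL, which is why the guidelines above recommend building ACLs specifically for the NAT definition rather than reusing an arbitrary one.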
The logged information is saved to a comma-separated values (CSV) file on your workstation, which lets you:
■ save information that might be important later, while keeping logs or statistics clear for future events
■ send a file to support staff for troubleshooting help
■ pool information from multiple devices in a central location
■ track patterns of network activity
9 Fast Layer 2 Roaming and Layer 3 Mobility

Contents
Overview 2
Layer 2 Roaming on a Single Wireless Edge Services zl Module 9-2
Fast Layer 2 Roaming for WPA/WPA2 with 802.1X 9-3
Pre-authentication 9-3
Layer 2 Roaming on a Web-Auth WLAN Between Different Wireless Edge Services zl Modules 9-4
Layer 3 Mobility
Overview

The type of roaming that your ProCurve Wireless Edge Services zl Modules support depends on your network topology and module configurations, as well as on other factors.
Fast Layer 2 Roaming for WPA/WPA2 with 802.1X

WPA’s Temporal Key Integrity Protocol (TKIP) and WPA2’s Counter Mode CBC-MAC Protocol (CCMP) derive encryption keys from a unique Pairwise Master Key (PMK) for each association with a wireless station. Because the PMK is necessary for the station and the Wireless Edge Services zl Module to communicate, the module must ensure that it maintains the key for a roaming station.
The 802.11i standard (on which WPA is modeled) includes a section on pre-authentication, a mechanism that speeds up Layer 2 roaming. A station can associate to only one RP and Wireless Edge Services zl Module at a time. However, the station can detect beacons from other RPs—including RPs connected to other modules.
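To show what the module has to "maintain" for a roaming station, here is an added Python example (not code from the module or this guide). The PMKID computation is the one 802.11i specifies for the SHA-1 based key management suite; the cache, its lifetime and the `reassociate` helper are a simplified model of how pre-authentication, PMK caching and opportunistic key caching (the settings enabled later in this section) let a roam skip the full EAP exchange. MAC addresses and the PMK value are constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID as 802.11i defines it for the SHA-1 based AKM:
    the first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA),
    where AA is the AP's MAC address and SPA the station's."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


class PmkCache:
    """Constructed model of the PMK security-association cache a module keeps.
    An entry is created by a full 802.1X/EAP exchange, by pre-authentication
    through the station's current RP, or (opportunistic key caching) by reusing
    an existing PMK for the other RPs the module serves. Entries expire after
    `lifetime` seconds."""

    def __init__(self, lifetime: float = 3600.0):
        self.lifetime = lifetime
        self._entries: Dict[bytes, Tuple[bytes, float]] = {}  # PMKID -> (PMK, expiry time)

    def install(self, pmk: bytes, ap_mac: bytes, sta_mac: bytes, now: float) -> bytes:
        """Cache a PMK for one (station, RP) pair; returns its PMKID."""
        key = pmkid(pmk, ap_mac, sta_mac)
        self._entries[key] = (pmk, now + self.lifetime)
        return key

    def install_opportunistic(self, pmk: bytes, ap_macs: Iterable[bytes],
                              sta_mac: bytes, now: float) -> List[bytes]:
        """Opportunistic key caching: precompute the PMKID for every RP so the
        station need not pre-authenticate to each one separately."""
        return [self.install(pmk, ap, sta_mac, now) for ap in ap_macs]

    def lookup(self, offered_pmkids: Iterable[bytes], now: float) -> Optional[bytes]:
        """The station lists PMKIDs in its (re)association request; a live match
        lets the 4-way handshake start without a new EAP exchange."""
        for key in offered_pmkids:
            entry = self._entries.get(key)
            if entry is None:
                continue
            pmk, expiry = entry
            if now < expiry:
                return pmk
            del self._entries[key]      # stale entry: force full re-authentication
        return None


def reassociate(cache: PmkCache, pmk: bytes, ap_mac: bytes, sta_mac: bytes, now: float) -> str:
    """Outcome of a roam to the RP at ap_mac for a station that holds `pmk`:
    'fast' when the module already has the matching PMK, else 'full-eap'."""
    offered = [pmkid(pmk, ap_mac, sta_mac)]
    return "fast" if cache.lookup(offered, now) is not None else "full-eap"
```

Because the AP address is an input to the PMKID, a PMK cached for one RP does not match a roam to another RP unless the station pre-authenticated there or the module precomputed the entry opportunistically; that is the difference between the two caching options the WLAN screen exposes.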
authenticates to one module, that module uses the redundancy group communications to transmit the user’s credentials to all modules in the group. The other modules cache the credentials so that they are ready to be sent to the RADIUS server should the user later roam to one of these modules.
Figure 9-1. Network Requiring Layer 3 Mobility
To implement Layer 3 mobility, Wireless Edge Services zl Modules perform these functions:
■ The modules support a Layer 3 mobility domain. The area in which stations can roam freely (no matter which subnetworks are supported in that area of the wired network) is the Layer 3 mobility domain. The Wireless Edge Services zl Modules in the roaming domain are referred to as peers.
■ The modules store information about all stations associated to any module in the Layer 3 mobility domain. The Wireless Edge Services zl Module responsible for handling a station’s traffic is that station’s home module (HM). All the peers in the Layer 3 roaming domain must track every station’s HM and HM VLAN.
Figure 9-2. Layer 2 and Layer 3 Roaming Domains

Roaming Behavior

This section summarizes which features you must configure on your Wireless Edge Services zl Modules to enable the best possible roaming behavior in various circumstances. Keep in mind that this section discusses the behavior the modules support. Stations’ capabilities also affect roaming.
The previous sections have introduced different types of roaming, which are defined briefly as follows:
■ Fast roaming—A fast roam takes under 50 milliseconds. Fast roaming, as a standard, refers to pre-authentication as specified by 802.11i, which applies only to WPA/WPA2 with 802.1X. However, other types of roaming might also take under 50 milliseconds. When a roam is described as fast, it is also assumed to be seamless.
Table 9-1.
■ When a WLAN enforces Web-Auth, you must configure a redundancy group for seamless Layer 2 roaming between RPs on different modules. See Chapter 10: “Redundancy Groups” to learn how to create such a group.
■ You must configure a Layer 3 mobility domain for Layer 3 roaming. Layer 3 roaming is seamless, but not fast. See “Configuring Layer 3 Mobility” on page 9-15.
Configuring Fast Layer 2 Roaming for WPA/WPA2 with 802.1X

Fast roaming facilitates roaming in a WLAN that requires WPA/WPA2 with 802.1X authentication. That is, it speeds the process of a station connecting to a new RP and possibly a new Wireless Edge Services zl Module:
■ putting necessary encryption keys in place
■ when necessary, completing 802.
Figure 9-3. Configuring Settings for a WLAN That Uses Pre-Authentication
5. Click the Config button next to the encryption standard. A screen for editing the encryption options is displayed.
Figure 9-4. Enabling Pre-Authentication
6. Check the box for Pre-authentication. Remember that pre-authentication messages do not cross subnetwork (VLAN) boundaries, so the module receives them only from modules or APs that assign the WLAN to the same subnetwork.
7. By default, PMK Caching and Opportunistic Key Caching are enabled, and you should leave them enabled.
8. Click the OK button.
9. Click the OK button in the Edit screen for the WLAN.
10. Remember to save your configuration.

Configuring Layer 3 Mobility

You must complete these tasks to configure Layer 3 mobility:
1. Configure Layer 3 mobility settings for the local Wireless Edge Services zl Module:
• IP address
• WLANs on which Layer 3 mobility is enabled
2. Specify the peers’ IP addresses.
3. Enable Layer 3 mobility.
4.
Table 9-2. Other Configurations Necessary for Layer 3 Roaming

Configuration | Necessary Settings
WLAN configuration (for each WLAN on which Layer 3 mobility is enabled) | • SSID and security settings are the same as peers’ settings. • VLAN ID is different from at least some peers’ VLAN settings. Different subnetworks must have different VLAN IDs. • Dynamic VLAN assignment is disabled.
Figure 9-5. Network Setup > Layer 3 Mobility > Configuration Screen
2. Specify a valid IP address on this Wireless Edge Services zl Module. You have two options:
• Select Use Default Management Interface to use the address on the management VLAN.
• Select Use this Local Address and manually enter an IP address.
3. Optionally, change the value in the Roam Interval field.
4.
5. The section at the bottom of the screen displays all WLANs on this module. Check the boxes for the WLANs on which you want to enable Layer 3 mobility. Enabled WLANs are displayed in boldface. You can use the All WLANs On and All WLANs Off buttons to quickly select and deselect WLANs. You might see the screen shown in Figure 9-6 when you attempt to check a WLAN’s box.
Figure 9-6.
Figure 9-7. Configuring Layer 3 Mobility Settings

Specifying Layer 3 Mobility Peers

Other Wireless Edge Services zl Modules in the Layer 3 mobility domain are called peers. To specify their addresses, complete these steps:
1. Select Network Setup > Layer 3 Mobility and click the Peer List tab.
2. Click the Add button.
Figure 9-8. Adding a Layer 3 Mobility Peer
3. Enter the peer’s IP address in the Add screen.
4. Click the OK button. Repeat steps 2 through 4 to add multiple peers (up to 11).

Enabling Layer 3 Mobility

After configuring your Layer 3 mobility settings and specifying peers, you enable Layer 3 mobility by completing these steps:
1. Select Network Setup > Layer 3 Mobility and click the Configuration tab.
2.
Figure 9-9. Enabling Layer 3 Mobility
3. Click the Apply button.
4. Click the Save link to write the configuration to the startup-config.
Verifying and Managing Layer 3 Mobility

To verify that Layer 3 mobility is functioning correctly, check the following:
■ The local Wireless Edge Services zl Module begins communicating with its peers.
■ Stations that roam to an RP adopted by a Wireless Edge Services zl Module on a different VLAN preserve their IP addresses and active sessions.
The Idle status indicates that the local Wireless Edge Services zl Module has not enabled Layer 3 roaming. Even if the Enable Mobility box is checked, the module does not enable Layer 3 mobility until you specify a valid local IP address. A Wireless Edge Services zl Module that remains at the Active-Connecting or Passive-Connecting status also cannot connect to the peer.
■ L3-Roams—When a Wireless Edge Services zl Module receives a reassociation request from a station with a different HM VLAN than the module uses, it determines that a Layer 3 roam is necessary. The new module becomes the station’s current module (CM), sends an L3-Roam message to the HM, and begins tunneling the station’s traffic back to the HM.
To track the messages, select Network Setup > Layer 3 Mobility and click the Peer Statistics tab. A screen displays all peers, which are identified by their IP address. (See Figure 9-12.
Viewing a Station’s Status

A successful Layer 3 roam should meet these criteria:
■ The station roams seamlessly at Layer 2—that is, the station reassociates and re-authenticates in the background.
■ The station maintains its IP address.
■ The Wireless Edge Services zl Module that supports the station’s new RP becomes the station’s CM and tunnels traffic back to the station’s HM.
Figure 9-13. Viewing a Station’s Status
The screen displays the following information for every station associated with any Wireless Edge Services zl Module in the Layer 3 mobility domain:
■ Station MAC—station MAC address
■ Station IP—station IP address
■ Home Module IP—HM IP address
■ Home Module VLAN—HM VLAN ID
■ Curr Module IP—CM IP address
■ Roam—This column tracks Layer 3 roams.
In Figure 9-13, the 10.4.1.30 Wireless Edge Services zl Module is the HM for three stations associated with the wireless network, and the 10.4.2.30 module is the HM for one station. However, one of the 10.4.1.30 module’s stations has roamed to an RP supported by the 10.4.2.30 module. Because these two modules are on different VLANs, the roam occurred at Layer 3.
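The roam decision described under L3-Roams and the station table shown in Figure 9-13 can be followed in this added Python model, which is not code from the module or this guide. It reuses the two module addresses from the figure (10.4.1.30 and 10.4.2.30); the VLAN IDs, the station addresses and the third module 10.4.1.31 in the test are constructed, and the message list records only the L3-Roam message the text names. The point it demonstrates is that the HM VLAN comparison, not the module identity, decides whether a roam stays at Layer 2 or needs a tunnel back to the HM.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class StationRecord:
    """One row of the station table every peer in the mobility domain tracks."""
    mac: str
    ip: str              # the station keeps this address across Layer 3 roams
    home_module: str     # HM IP address: the module that handles the station's traffic
    home_vlan: int       # HM VLAN ID
    current_module: str  # CM IP address; equals the HM until a roam
    l3_roams: int = 0    # the Roam column: count of Layer 3 roams


class MobilityDomain:
    """Shared state of a Layer 3 mobility domain (constructed model)."""
    def __init__(self) -> None:
        self.stations: Dict[str, StationRecord] = {}
        self.messages: List[Tuple[str, str, str]] = []   # (message, from module, to module)


@dataclass
class Module:
    ip: str
    vlan: int              # VLAN this module assigns the WLAN to (constructed values)
    domain: MobilityDomain

    def associate(self, mac: str, station_ip: str) -> StationRecord:
        """First association: this module becomes the station's HM."""
        rec = StationRecord(mac, station_ip, self.ip, self.vlan, self.ip)
        self.domain.stations[mac] = rec
        return rec

    def reassociate(self, mac: str) -> str:
        """Decide how to handle a reassociation request from a known station."""
        rec = self.domain.stations[mac]
        rec.current_module = self.ip
        if rec.home_vlan == self.vlan:
            return "L2-roam"     # same subnet: no tunnel needed
        # Different HM VLAN: Layer 3 roam. This module is now the CM, tells the HM,
        # and tunnels the station's traffic back so its IP address and sessions survive.
        rec.l3_roams += 1
        self.domain.messages.append(("L3-Roam", self.ip, rec.home_module))
        return "L3-roam"

    def forward_path(self, mac: str) -> str:
        """How this module, as CM, delivers the station's traffic."""
        rec = self.domain.stations[mac]
        if rec.current_module != self.ip:
            raise ValueError(f"{mac} is not served by {self.ip}")
        return "local" if rec.home_vlan == self.vlan else f"tunnel->{rec.home_module}"
```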
10 Redundancy Groups

Contents
High Availability for Wireless Services 10-2
Redundant Wireless Services zl Module 10-2
Redundancy Group 10-3
Active or Standby Mode 10-4
Adopting RPs
High Availability for Wireless Services

For many companies, wireless access has become as critical to their business as traditional wired access. Recognizing the importance of wireless access, ProCurve Networking has designed its wireless services with high availability in mind. To protect the availability of your company’s wireless services, purchase multiple Wireless Edge Services zl Modules and place them in a redundancy group.
The redundant module has its own software image and configuration file. Before a redundant module can deliver wireless services for your network, you must configure it to provide those services—just as you would configure a primary module.
Figure 10-1. Failover Capabilities for the Wireless Edge Services zl Module

Active or Standby Mode

When you configure a module to be part of a redundancy group, you must select a mode, which determines the module’s role in the group.
■ Standby mode—In standby mode, the module is primarily responsible for providing failover capabilities if a module in active mode becomes unavailable. (A module in standby mode can adopt RPs in the circumstances described in “Adopting RPs” on page 10-5.)
Both Wireless Edge Services zl Modules and Redundant Wireless Services zl Modules support both modes.
Adopting RPs in Standby Mode

In standby mode, a redundancy group member adopts RPs only in certain circumstances:
■ The standby member does not receive a heartbeat from an active member for the length of time specified in the hold period option. In a group with multiple active members, the standby member takes action should even one member fail.
■ All active members fail to adopt an RP, although the group has enough RP licenses to adopt the RP.
The number of licenses for the redundancy group equals the number of licenses installed on the group member with the most licenses.
compare their redundancy group settings to ensure that they are the same. If the modules are not using the same settings, they cannot establish a functioning redundancy group.
■ Online state—If the modules can reach each other and they are using the same redundancy group settings, they change their status to online. In this state, a standby module can take over for an active module if the active module becomes unavailable.
Creating Matching Configurations for the Redundancy Group

To establish a redundancy group, modules must support the same redundancy group settings. Typically, you also want all modules in the redundancy group to provide the same wireless services. You can use one module’s configuration file as a starting point for configuring other modules.
You cannot enter some commands from the redundancy group configuration mode context. For example, you cannot configure IP settings and redundancy group settings. These you must set on members on an individual basis. If you paste a configuration file into the redundancy group configuration mode context, the invalid commands simply do not take effect.
Configuring a Redundancy Group

When you configure a redundancy group, you must define the following on each module that is a member of the group:
■ the interface IP address for the module that you are configuring
■ the member IP addresses (which are the IP addresses for the other modules in the redundancy group)
These two settings enable each module to send messages to and receive messages from other modules.
Configuring Redundancy Group Settings

Redundancy group settings must match on all members of the group. (However, each member has its own IP address.) To configure the redundancy group settings on a module, complete these steps:
1. Select Network Setup > Redundancy Group and click the Configuration tab.
Figure 10-3. Network Setup > Redundancy Group > Configuration Screen
2.
Note
If you have assigned an IP address to more than one VLAN on the module, you should use the IP address assigned to the default management interface (which, by default, is VLAN 1). If you decide to enter the IP address for a different VLAN, however, you must ensure that the redundancy traffic (such as the heartbeat and update messages) can be transmitted to the other module in the group.
7. In the Hold Period field, accept the default setting of 15 seconds, or enter a number from 1 through 255 seconds. This setting determines the number of seconds that the module waits when it does not receive a heartbeat from another module in the redundancy group. If no heartbeats are received for the number of seconds specified in the hold period, the module determines that the other module in the group is unavailable.
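The interaction between matching settings, the heartbeat, the hold period and standby adoption (described under Adopting RPs in Standby Mode, the discovery and online states, and the hold period step above) is easier to reason about in code. The following Python model is an added example, not the module's implementation: the settings fields, member addresses, license counts and RP identifiers are constructed, and it keeps only the behaviour the text states (group licenses equal the best-licensed member; a member is online only when its settings match its peers; a standby member adopts an active member's RPs once no heartbeat has arrived for longer than the hold period).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class GroupSettings:
    """Settings that must be identical on every member (constructed field names)."""
    group_id: int
    hold_period: int = 15   # seconds without a heartbeat before a peer is declared unavailable


@dataclass
class Member:
    ip: str
    mode: str                     # "active" or "standby"
    licenses: int                 # RP licenses installed on this member
    settings: GroupSettings
    rps: Set[str] = field(default_factory=set)                      # RPs adopted by this member
    last_heartbeat: Dict[str, float] = field(default_factory=dict)  # peer ip -> last time heard


class RedundancyGroup:
    """Constructed model of the discovery/online states and standby failover."""

    def __init__(self, members: List[Member]) -> None:
        self.members: Dict[str, Member] = {m.ip: m for m in members}

    def group_license_count(self) -> int:
        """The group's licenses equal those of the member with the most licenses."""
        return max(m.licenses for m in self.members.values())

    def state_of(self, ip: str) -> str:
        """'online' only when this member's settings match every peer's; else 'discovery'."""
        me = self.members[ip]
        return "online" if all(p.settings == me.settings for p in self.members.values()) else "discovery"

    def heartbeat(self, sender_ip: str, now: float) -> None:
        """Every other member records when it last heard from the sender."""
        for m in self.members.values():
            if m.ip != sender_ip:
                m.last_heartbeat[sender_ip] = now

    def unavailable_peers(self, observer_ip: str, now: float) -> List[str]:
        """Peers silent for longer than the observer's hold period."""
        me = self.members[observer_ip]
        return [p for p, t in me.last_heartbeat.items() if now - t > me.settings.hold_period]

    def standby_check(self, standby_ip: str, now: float) -> Set[str]:
        """A standby member adopts the RPs of any active member that missed its hold period.
        Returns the RPs taken over in this check."""
        standby = self.members[standby_ip]
        taken: Set[str] = set()
        if standby.mode != "standby" or self.state_of(standby_ip) != "online":
            return taken           # only an online standby member may take over
        for peer_ip in self.unavailable_peers(standby_ip, now):
            peer = self.members[peer_ip]
            if peer.mode == "active":
                taken |= peer.rps
                peer.rps = set()
        standby.rps |= taken       # the standby keeps them even after the peer recovers
        return taken
```

The test below steps a clock in seconds: ten seconds of silence is within the default 15-second hold period and triggers nothing, sixteen seconds does. A member with a different group setting never leaves the discovery state and therefore never takes over, which is the failure mode the note above about matching settings warns about.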
Figure 10-4. Network Setup > Redundancy Group > Member Screen
2. Click the Add button. The Add Members screen is displayed.
Figure 10-5.
3. Enter the IP address of one of the other modules in the redundancy group. This address should match the address that you configure for the Interface IP in the other module’s redundancy group settings.
4. Click the OK button. The module is now listed on the Network Setup > Redundancy Group > Member screen.
5. Repeat this procedure for each additional module in the redundancy group.
Figure 10-6. Redundancy Group Enabled
3. Click the Apply button to save the configuration to the running-config.
4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
5. Access the Web browser interfaces for each of the other modules in the redundancy group and configure those modules in the same way.
Viewing Information about the Redundancy Group

To view information about the redundancy group, select Network Setup > Redundancy Group and select the State tab.
Figure 10-7. Network Setup > Redundancy Group > State Screen
After the primary module and the redundant modules establish a redundancy group, each module tracks the following information about the group:
■ Redundancy state is—This field lists the current state of the module.
■ Module Authorization Level—This field displays the number of RPs this module’s licenses allow it to adopt when it functions on its own. The authorization level for a redundant module, however, is taken from the level of the primary module with the most licenses.
■ Protocol Version—When the modules attempt to establish a redundancy group, each module includes its protocol version in the update messages sent during the discovery stage.
Other fields in the Network Setup > Redundancy Group > State screen allow you to monitor activity both on this particular module and throughout the group. For example, you can compare the Unapproved Radio Ports on this module value to the Unapproved Radio Ports in the group value to see whether this module’s RPs seem to detect more rogue APs—a sign of a possible security issue in a particular location of your network.
History

At the bottom of the Network Setup > Redundancy Group > Configuration screen, you can also view the history of redundancy events that have occurred on this module.
Figure 10-8. Redundancy Group History
The module records an event each time its redundancy state changes. For example, when you enable redundancy on the module, its state changes to startup, and the module records this event in the history. (The most recent events are listed first.
Viewing Information about the Other Members of the Redundancy Group

In addition to viewing information about the redundancy group, you can view information about the other members of the group. Select Network Setup > Redundancy Group and click the Member tab.
Figure 10-9.
• Not Seen—The module can no longer exchange heartbeats with the member.
• Established—The module and this member have successfully established a redundancy group.
■ Updates Received—the number of updates that the module has received from this member
■ Radio Portals—the number of radios adopted by this member (some RPs have two radios)
■ Associated Stations—the number of stations associated to RPs adopted by this member
■ Rogue AP—the number of unapproved APs detected by RPs adopted by this member
■ Self Healing Radios—the number of radios adopted by this member that are configured for self healing
When you ha
1. Assign a different adoption preference ID to each active module in the redundancy group. Record the IDs in a table such as Table 10-3 on page 10-27.
2. Assign RPs to the modules that should adopt them. Record the Ethernet MAC addresses for the RPs in a table such as Table 10-3 on page 10-27.
3. On every module in the redundancy group, configure the redundancy settings and enable redundancy. Verify that all members are connected.
4.
7. Copy the targeted radio configurations to every active module in the network. You can use the redundancy group configuration mode context to speed this process. For example, you could view the running-config of the module that adopted the RPs and copy the radio configurations. Then paste these commands in the global configuration mode context of the redundancy group configuration mode.
8.
Table 10-3.
Configure an Adoption Preference for the Module

To set an adoption preference for the module itself, complete these steps:
1. Select Network Setup > Radio and click the Configuration tab.
2. Click the Global Settings button. The Global screen is displayed. (See Figure 10-11.)
Figure 10-11. Global Settings Screen
3. In the Module Adoption Preference ID field, enter a number, and then click the OK button.
4.
Figure 10-12. Network Setup > Radio > Configuration Screen
2. Select the radio or radios to which you want to assign the adoption preference ID. Hold down Ctrl while selecting the radios to select multiple radios and assign them the same ID.
3. Click the Edit button. The radios’ Edit screen is displayed. If you have selected multiple radios, the screen has limited configurable options. (See Figure 10-13.) However, you can change the adoption preference ID.
Figure 10-13. Network Setup > Radio > Edit Screen for Multiple Radios
5. Click the OK button.
6. Click the Save link to copy the radio configurations to the startup-config.

Configure an Adoption Preference for Newly Adopted Radios

To configure an adoption preference ID for all adopted RPs, edit the radio adoption default configuration. Complete these steps:
1. Select Network Setup > Radio Adoption Defaults and click the Configuration tab.
Figure 10-14. Network Setup > Radio Adoption Defaults > Configuration Screen
2. Select a radio type and click the Edit button. The Configuration screen is displayed. (See Figure 10-15.
Figure 10-15. 802.11bg Configuration Screen
3. Under Advanced Properties, in the Adoption Preference ID field, enter a preference ID, and then click the OK button.
4. Click the Save link at the top of the Web browser interface to save the changes to the startup-config.
Reverting RPs Adopted by a Standby Member to the Active Member

When an active member of a redundancy group fails, a standby member of the group adopts the RPs. For continuity of service, the standby member continues to support the RPs even when the active member comes back online. However, eventually you may want to return the RPs to the original module. You can manually revert a standby module, which means that you force it to unadopt all of its RPs.
Figure 10-16. Revert Now Button in the Network Setup > Redundancy Group > Configuration Screen
The module immediately unadopts all RPs when you click the button. The RPs are adopted by any active member that can accept them, not necessarily the recovered module. However, either load balancing or adoption preference IDs will probably guide most of the RPs toward the recovered module.
11 RADIUS Server

Contents
Overview 11-2
RADIUS Authentication 11-3
Configuring the Internal RADIUS Server 11-4
Choosing the Authentication Type for 802.1X/EAP 11-5
Specifying the RADIUS Server’s Digital Certificate
Overview

A Remote Access Dial In User Service (RADIUS) server provides centralized authentication (and sometimes accounting) for a network. The RADIUS protocol regulates communications between network access servers (NASs) and RADIUS servers. The NASs are devices such as switches and Wireless Edge Services zl Modules, which provide network access to stations. Before granting that access, however, they can force the stations to authenticate themselves.
RADIUS Authentication

The Wireless Edge Services zl Module’s RADIUS authentication server fulfils these roles:
■ decides whether a user can connect to a WLAN that enforces one of these types of security:
• 802.
Table 11-1. EAP Methods
EAP Type: Characteristics
EAP-TLS: The wireless station and the module’s RADIUS server exchange digital certificates in a three-step TLS handshake.
EAP-TTLS with MD5: • The module’s RADIUS server authenticates itself with a digital certificate and creates a secure TLS tunnel with the wireless station. • Inside the secure tunnel, the wireless station submits a username and a hashed (MD5) password.
Depending on your environment, you might also need to complete these tasks: ■ Specify proxy RADIUS servers to which the local RADIUS server forwards queries—This step allows the Wireless Edge Services zl Module to relay authentication requests in certain domains to external servers. ■ Specify RADIUS clients, which query the local RADIUS server— This step allows the module to authenticate users who connect to different NASs—in both the wired and wireless network.
Table 11-2.
Choose the EAP method for 802.1X authentication Figure 11-2. Choosing the EAP Method 2. From the 802.1x EAP/Auth Type drop-down menu, select a method. Select all to allow users to authenticate with any of the supported methods. 3. Next, choose your server’s digital certificates (explained in the section below). Or click the Apply button and, when the screen is displayed asking you to restart the server, click the Yes button.
Specifying the RADIUS Server’s Digital Certificate As an authentication server, the Wireless Edge Services zl Module requires various certificates: ■ a server certificate No matter which EAP type you select, the internal RADIUS server must authenticate itself using a digital certificate. By default, the module identifies itself to users with the server certificate in the default-trustpoint.
Then follow these steps: 1. Select Network Setup > Radius Server and click the Authentication tab. 2. In the Cert Trustpoint drop-down menu, select the trustpoint in which you have loaded the server certificate for RADIUS authentication. Selecting opens the Certificates Wizard and guides you through the creation or installation of certificates. 3. If you have selected EAP-TLS, choose a trustpoint from the CA Cert Trustpoint drop-down menu.
Choose the location for user credentials Figure 11-3. Choosing the Source for Credentials 2. In the Auth Data Source field, use the drop-down menu to select the source for policies and credentials, either local or ldap. 3. Click the Apply button and, when the screen is displayed asking you to restart the server, click the Yes button. 4. Click the Save link to copy the configuration to the startup-config.
Depending on your choice, you must complete one of the following tasks: ■ configure the local database (see “Configuring the Local RADIUS Database” on page 11-12) ■ configure LDAP server settings and at least one group in the local database (see “Using LDAP for the Data Source” on page 11-19) Table 11-3 explains the requirements for configuring credentials for each EAP method, depending on whether the Wireless Edge Services zl Module uses its local database or an LDA
Configuring the Local RADIUS Database You must complete the following tasks to configure the local database: 1. Create groups, which define policies for users. 2. Add user accounts to the group. Creating a Group.
2. Click the Add button. The ADD screen is displayed. Figure 11-5. Adding a RADIUS Server Group 3. In the Name field, enter a meaningful name—for example, “Faculty.” 4. In the VLAN ID field, enter the dynamic VLAN for users in this group. If you enter 0, the Wireless Edge Services zl Module assigns the user to the VLAN configured for the user’s WLAN. You should not use dynamic VLANs with Web-Auth.
5. Specify the times of day when users in this group can connect to the wireless network. a. In the Time of Access Start field, enter the earliest time that users can connect. b. In the Time Access End field, enter the latest time users can connect. Always enter times in four digits, the first two digits being the hour in the 24-hour clock and the second two digits being the minutes.
To modify a group, select it and click the Edit button. In the EDIT screen that is displayed, configure the settings just as you would for a new group. (However, you cannot change the group’s name or whether it is a normal or guest group.) When you are finished, click the OK button. To delete a group, select it in the Network Setup > Local RADIUS Server > Groups screen and click the Delete button.
Figure 11-6. Creating a User in the Local RADIUS Database 3. In the User ID field, enter the username. The username can be up to 64 characters and can include alphanumeric and special characters. 4. Check the Guest User box if this is a temporary account for a guest. 5. In the Password and Confirm Password fields, specify the user’s password. The password can be up to 21 characters and can include alphanumeric and special characters.
Note By default, this password is displayed in plaintext in the Wireless Edge Services zl Module’s configuration. To learn how to encrypt the password, see “Password Encryption” on page 2-105 of Chapter 2: “Configuring the ProCurve Wireless Edge Services zl Module.” 6. For a guest user, you must specify the period during which the account is active.
The guest account is active only for the period between the two times. To alter the times, follow these steps: a. In the Start Date & Time field, enter the date and time at which this account is enabled.
You must never assign a user to groups with overlapping access days or times: such a configuration prevents you from determining which policy applies to the user during the overlapping times. For example, if one group allows access at all times and another group allows access only during normal work hours, you cannot assign a user to both groups. During the day, the policies would conflict. 9. Click the OK button.
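The two rules above (group access times are entered as four-digit 24-hour values, and a user must not belong to groups whose access days or times overlap) can be checked before the groups are entered in the Web browser interface. The following Python script is an added example, not part of this guide or of the module's software: the day labels, the sample group names, and the assumption that a window ends after it starts and does not cross midnight are constructions of this example.

```python
"""Check local RADIUS group access windows for conflicts (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

# Day labels are an assumption of this example; the guide only says that
# groups define access days and times.
WEEKDAYS = frozenset({"mon", "tue", "wed", "thu", "fri"})
ALL_DAYS = WEEKDAYS | {"sat", "sun"}


def parse_hhmm(value: str) -> int:
    """Convert a four-digit 24-hour time (HHMM, e.g. '0830') to minutes since midnight.

    The guide requires exactly four digits: two for the hour, two for the minutes.
    """
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"time must be four digits (HHMM), got {value!r}")
    hour, minute = int(value[:2]), int(value[2:])
    if hour > 23 or minute > 59:
        raise ValueError(f"time out of range: {value!r}")
    return hour * 60 + minute


@dataclass(frozen=True)
class GroupAccess:
    """Time-of-access policy of one local RADIUS group."""
    name: str
    days: frozenset[str]
    start: str  # Time of Access Start, HHMM
    end: str    # Time of Access End, HHMM

    def minutes(self) -> tuple[int, int]:
        """Return (start, end) in minutes; the window is assumed not to cross midnight."""
        start, end = parse_hhmm(self.start), parse_hhmm(self.end)
        if end <= start:
            raise ValueError(f"{self.name}: end time {self.end} is not after start {self.start}")
        return start, end


def windows_overlap(a: GroupAccess, b: GroupAccess) -> bool:
    """True when the two groups allow access on a common day at a common time."""
    if not (a.days & b.days):
        return False
    a_start, a_end = a.minutes()
    b_start, b_end = b.minutes()
    return a_start < b_end and b_start < a_end


def conflicting_groups(groups: list[GroupAccess]) -> list[tuple[str, str]]:
    """Return every pair of groups that a single user must not be assigned to together."""
    return [(a.name, b.name) for a, b in combinations(groups, 2) if windows_overlap(a, b)]


# Constructed sample groups (not from the guide).
FACULTY = GroupAccess("Faculty", WEEKDAYS, "0800", "1800")
ANYTIME = GroupAccess("Anytime", ALL_DAYS, "0000", "2359")
NIGHT_SHIFT = GroupAccess("NightShift", WEEKDAYS, "1800", "2359")
WEEKEND = GroupAccess("Weekend", frozenset({"sat", "sun"}), "0900", "1700")

if __name__ == "__main__":
    # The guide's own example: an all-hours group and a work-hours group conflict.
    print(conflicting_groups([FACULTY, ANYTIME]))
    # Adjacent windows and different-day windows do not conflict.
    print(conflicting_groups([FACULTY, NIGHT_SHIFT, WEEKEND]))
```

Run it against the groups you plan to create; any pair it reports is a pair that no single user account may be assigned to.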
■ enters a password that matches the password in this account (or, for TLS, has a valid digital certificate) ■ is listed in the directory as member of a group currently allowed access The internal RADIUS server verifies that these conditions are met. To do so, it must bind to the LDAP server and perform searches, looking up the user’s account and group memberships and verifying the user’s password.
2. From the Auth Data Source drop-down menu, select ldap. 3. In the LDAP Server Details section, click the Primary tab. Figure 11-8. Configuring LDAP Settings 4. In the IP Address and Port # fields, specify your LDAP server’s IP address and port. The port number can be from 1 through 65535. The default port for LDAP is 389.
5. Configure the information that the internal RADIUS server submits to bind to the LDAP server: a. In the Bind DN field, enter the distinguished name for an administrator account on the LDAP server. For example, enter: cn=Administrator,cn=Users,dc=mydomain,dc=com The administrator account must be in the domain that you specify in step 5. b. In the Bind Password field, enter the password for the name that you specified above.
8. In the Password Attribute field, specify the attribute that stores a user’s password. When looking up a user’s account, the internal RADIUS server also requests a check on the user’s password (or, depending on the EAP type, a hash of that password). The string that you enter in the Password Attribute field determines the attribute name that the server requests. Match the attribute name used by your LDAP server—commonly “userPassword” or “User-Password.” 9.
The RADIUS server replaces with the string that you enter in the Group Attribute field. (See step 11). The server replaces with the name of the group configured in the local RADIUS database. 10. In the Group Membership Attribute field, specify the attribute that stores a user’s group memberships. The internal RADIUS server requests this attribute in the search for the user accounts.
Follow these steps to configure the group and set policies for it: 1. Select Network Setup > Radius Server and click the Groups tab. Figure 11-9.
2. Click the Add button. The ADD screen is displayed. Figure 11-10. Adding a RADIUS Server Group 3. In the Name field, enter a name that matches the name of a group on your directory server. This is the group that is allowed wireless access; make sure that all potential wireless users are members. (Or create multiple groups.) The name you assign the group must match exactly the group name as stored on your LDAP server.
You should be careful when using dynamic VLANs with Web-Auth. The user’s station receives an IP address in the static VLAN before the user can log in and receive the dynamic VLAN assignment. So you must set the lease for the DHCP address in the static VLAN very low. Then the station will automatically renew its address soon after it receives the dynamic assignment. Note You must enable dynamic VLANs in the WLAN to which users connect for this setting to take effect.
To specify the proxy RADIUS server, complete these steps: 1. Select Network Setup > Local RADIUS Server > Configuration. Figure 11-11. Network Setup > Radius Server > Configuration Screen 2. In the lower section of the screen, click the Domain Proxy Servers tab. 3. Click the Add button. The ADD screen is displayed.
Figure 11-12. Adding a Domain Proxy Server 4. In the Realm Name field, enter the domain name for users who authenticate to the domain proxy server. When a user submits his or her username, the Wireless Edge Services zl Module’s internal server checks the domain name. If this name matches the name in the Realm Name field, the internal RADIUS server queries the proxy server specified below. For example, you enter “procurve.com” in the Realm Name field.
Figure 11-13. Viewing Domain Proxy Servers 8. Click the Save link at the top of the Web browser interface to save the changes to the startup-config. Specifying Global RADIUS Settings Global RADIUS settings regulate the Wireless Edge Services zl Module’s RADIUS server’s communications with proxy RADIUS servers. To configure these settings, follow these steps: 1. Select Network Setup > Local RADIUS Server > Configuration. 2.
3. In the Retries field, specify the number of times the module should re-send a proxy request that times out. The default number of retries is 3 (which means that the module will send up to four requests). Valid values are from 3 to 6. 4. Click the OK button to apply the settings, remembering to save your configuration by clicking the Save link.
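The two decisions described in the domain proxy and global settings steps above, whether a username's realm matches a configured Realm Name and so is forwarded to a proxy server, and how many requests the Retries setting actually puts on the wire, are shown in the following Python script. It is an added example, not the module's code: the realm table, the documentation address 192.0.2.10, the default port, case-insensitive realm matching, and the simulated proxy that times out are assumptions of this example.

```python
"""Realm-based proxy selection and proxy retry counting (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ProxyServer:
    """A domain proxy server entry; the port default is an assumption of this example."""
    address: str
    port: int = 1812


def split_realm(username: str) -> tuple[str, Optional[str]]:
    """Split 'user@realm' into (user, realm); realm is None when no '@' is present.

    The last '@' is used, an assumption that keeps user parts containing '@' intact.
    """
    if "@" not in username:
        return username, None
    user, realm = username.rsplit("@", 1)
    return user, (realm or None)


def select_server(username: str, realm_proxies: dict[str, ProxyServer]) -> Optional[ProxyServer]:
    """Return the proxy whose Realm Name matches the user's domain, or None for local auth.

    Matching is done case-insensitively (an assumption; the guide says only that the
    domain name must match the Realm Name).
    """
    _, realm = split_realm(username)
    if realm is None:
        return None
    return realm_proxies.get(realm.lower())


def proxy_with_retries(send: Callable[[], Optional[bytes]], retries: int = 3) -> tuple[bool, int]:
    """Forward a request through `send` until a reply arrives or the retries are used up.

    `send` returns the reply bytes or None on timeout. `retries` mirrors the module's
    Retries setting: default 3, valid 3 to 6, so the first request plus up to `retries`
    re-sends means at most retries + 1 requests on the wire.
    """
    if not 3 <= retries <= 6:
        raise ValueError("Retries must be between 3 and 6")
    attempts = 0
    for _ in range(retries + 1):
        attempts += 1
        if send() is not None:
            return True, attempts
    return False, attempts


# Constructed realm table; 192.0.2.10 is a documentation address, not a real server.
REALM_PROXIES = {"procurve.com": ProxyServer("192.0.2.10")}


def make_flaky_sender(fail_first: int) -> Callable[[], Optional[bytes]]:
    """Simulated proxy that times out `fail_first` times, then answers (test helper)."""
    calls = {"n": 0}

    def send() -> Optional[bytes]:
        calls["n"] += 1
        return None if calls["n"] <= fail_first else b"Access-Accept"

    return send


if __name__ == "__main__":
    print(select_server("alice@procurve.com", REALM_PROXIES))  # proxied
    print(select_server("bob", REALM_PROXIES))                 # local database
    print(proxy_with_retries(make_flaky_sender(2)))            # reply on the third request
    print(proxy_with_retries(make_flaky_sender(99)))           # gives up after four requests
```

With the default Retries of 3 the module sends at most four requests, so a proxy server that is down costs four timeouts per authentication; raising Retries lengthens that wait for every user in the affected realm.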
If the client has more than one IP address, make sure to specify the address that it includes in RADIUS requests. 5. In the Shared Secret field, enter the client’s password. Of course, you must specify this same password when you configure the client device to query this module. 6. Click the OK button. The client is displayed in the Network Setup > Radius Server > Configuration screen under the Clients tab. 7.
Enabling Authentication to the Internal Server on a WLAN WLANs that use the following authentication methods require authentication to a RADIUS server: ■ 802.1X ■ Web-Auth ■ MAC Authentication In Chapter 4: “Wireless Local Area Networks (WLANs),” you learned how to configure a WLAN to require authentication to an external RADIUS server. This section explains how to configure the Wireless Edge Services zl Module’s internal RADIUS server to take over authentication.
Figure 11-16. WLAN Edit Screen 3. If you have configured the RADIUS server to place users in dynamic VLANs, check the Dynamic Assignment box. 4. Configure other WLAN settings as described in Chapter 4: “Wireless Local Area Networks (WLANs).” 5. In the Authentication section, select 802.1X EAP, Web-Auth, or MAC Authentication. 6. Click the RADIUS Config… button at the bottom of the screen. The Radius Configuration screen is displayed.
Figure 11-17. Configuring a WLAN to Require Authentication to the Internal RADIUS Server 7. Specify 127.0.0.1 in the primary RADIUS server’s RADIUS Server Address field.
8. Do not enter anything in the RADIUS Shared Secret field. By default, the module can communicate with the internal server. If you enter a string in this field, the module’s internal server will no longer work on this WLAN. If you do change the secret, you can fix the problem in one of two ways: • Clear the RADIUS Shared Secret field and click OK. The secret returns to the default. • Configure the loopback interface (127.0.0.
RADIUS Server RADIUS Accounting RADIUS Accounting RADIUS accounting tracks users’ activity and consumption of network resources. NASs, such as the Wireless Edge Services zl Module, send reports that summarize users’ activity to a centralized RADIUS accounting server. A company might analyze the reports for security auditing and traffic management. Or the company might submit the reports to a billing server in order to charge users for wireless access.
Table 11-4.
Field: Meaning
Acct-Input-Octets: • number of bytes received by the station over the entire duration of the session (stop message) • number of bytes received by the station since the beginning of the session (interim message)
Acct-Output-Octets: • number of bytes sent by the station over the entire duration of the session (stop message) • number of bytes sent by the station since the beginning of the session (interim message)
Acct-Terminate-Cause: the reason that the stat
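Table 11-4 lists the accounting fields by name; on the wire they travel as typed attributes inside an Accounting-Request whose Request Authenticator is an MD5 digest over the packet and the shared secret configured for the RADIUS client (the Shared Secret field described earlier in this chapter). The following Python script is an added example and not the module's code or its log format: it builds a constructed Stop message, then verifies the authenticator and decodes the attributes, rejecting a wrong secret, a tampered packet, or a malformed attribute length. The attribute numbers and the authenticator formula come from RFC 2865 and RFC 2866; the user name, session ID, byte counts and secret are made up for the example.

```python
"""Build and verify a RADIUS Accounting-Request (RFC 2866) -- added example."""
from __future__ import annotations

import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request

# Attribute type numbers from RFC 2865/2866 for the fields discussed in the guide.
ATTRIBUTE_NAMES = {
    1: "User-Name",
    40: "Acct-Status-Type",
    42: "Acct-Input-Octets",
    43: "Acct-Output-Octets",
    44: "Acct-Session-Id",
    49: "Acct-Terminate-Cause",
}
INTEGER_ATTRIBUTES = {40, 42, 43, 49}
STATUS_TYPES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(secret: bytes, identifier: int,
                             attributes: list[tuple[int, bytes]]) -> bytes:
    """Encode attributes and compute the Request Authenticator as RFC 2866 defines it:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    body = b"".join(struct.pack("!BB", kind, len(value) + 2) + value
                    for kind, value in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet: bytes, secret: bytes) -> dict[str, object]:
    """Verify the Request Authenticator with the client's shared secret, then decode attributes.

    A packet signed with a different secret or altered in transit is rejected before any
    attribute is read, and a bad attribute length is rejected instead of read past the buffer.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    body = packet[20:length]  # octets beyond Length are padding and ignored (RFC 2865)
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch: wrong shared secret or tampered packet")

    fields: dict[str, object] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        kind, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError(f"malformed length {attr_len} for attribute {kind}")
        value = body[pos + 2:pos + attr_len]
        name = ATTRIBUTE_NAMES.get(kind, f"Attribute-{kind}")
        if kind in INTEGER_ATTRIBUTES:
            if len(value) != 4:
                raise ValueError(f"{name} must be a 4-byte integer")
            number = struct.unpack("!I", value)[0]
            fields[name] = STATUS_TYPES.get(number, number) if kind == 40 else number
        else:
            fields[name] = value.decode("utf-8", errors="replace")
        pos += attr_len
    return fields


# Constructed sample: a Stop message for one session; secret and values are made up.
SHARED_SECRET = b"constructed-example-secret"
STOP_MESSAGE = build_accounting_request(SHARED_SECRET, 7, [
    (1, b"alice"),
    (44, b"0000002a"),
    (40, struct.pack("!I", 2)),        # Acct-Status-Type = Stop
    (42, struct.pack("!I", 123456)),   # Acct-Input-Octets for the whole session
    (43, struct.pack("!I", 7890)),     # Acct-Output-Octets for the whole session
    (49, struct.pack("!I", 1)),        # Acct-Terminate-Cause 1 = User Request
])

if __name__ == "__main__":
    print(parse_accounting_request(STOP_MESSAGE, SHARED_SECRET))
```

The authenticator check is why the shared secret on the client entry and on the NAS must agree: an accounting server that skips it would record usage and terminate causes from any host able to reach UDP port 1813, which is exactly what a billing or audit pipeline must not accept.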
Figure 11-18. Enabling RADIUS Accounting for a WLAN 3. In the Advanced section, in the Accounting Mode field, use the drop-down menu to select Radius. 4. Click the Radius Config button. The Radius Configuration screen is displayed.
Figure 11-19. Specifying the Accounting Server in the Radius Configuration Screen To enforce RADIUS accounting, the WLAN must use 802.1X authentication, Web-Auth, or MAC authentication for the Authentication mode.
5. Configure settings for the primary accounting server in the Primary column of the Accounting section. a. Specify the server’s IP address in the Accounting Server Address field. To use the Wireless Edge Services zl Module’s internal server for accounting, enter 127.0.0.1. You can use the internal RADIUS server for accounting both when the internal RADIUS server is the authentication server and when an external server is the authentication server. b.
Viewing the Internal RADIUS Server’s Accounting Logs When you set up RADIUS accounting to the Wireless Edge Services zl Module’s internal server, the module stores messages about user activity as accounting logs. The directory for the logs is flash:/log/radius. To view the log file in the Web browser interface, select Network Setup > Local RADIUS Server and click the Accounting Logs tab. Figure 11-20.
Figure 11-21. Viewing RADIUS Accounting Log Files Within a Directory The screen displays the following information for each log file: ■ Filename—accounting.log, for the default file ■ Type—Log, for logged reports ■ Size—the size of the file in bytes A log file might include multiple RADIUS accounting messages. As the Wireless Edge Services zl Module’s internal RADIUS server receives the messages, it adds them to the log file.
Note The module only creates accounting logs for its own activities as RADIUS server if you specifically enable RADIUS accounting to the internal server on a WLAN. See “Enabling Accounting to the Internal RADIUS Server on a WLAN” on page 11-39.
12 Wireless Network Management Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Monitoring the Wireless Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Wireless Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Viewing Wireless Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Disconnecting a Wireless Station . . . . . . .
Configuring Station Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . 12-58 Configuring Thresholds for Station Intrusion Detection . . . . . . . . . 12-59 Configuring the Module to Report Station Intrusion . . . . . . . . . . . . 12-60 Viewing Blocked Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-62 Logging and Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Wireless Network Management Overview Overview In this chapter you will learn how to monitor and manage your wireless network.
Wireless Network Management Monitoring the Wireless Network Monitoring the Wireless Network This section explains how you can access information about wireless stations and wireless network activity. It then provides some tips for interpreting this information.
Figure 12-1. Viewing Wireless Station Associations The screen displays this information for each station associated with one of the WLANs on this module: ■ Station Index—Stations are listed in the order in which they associated. ■ MAC Address—Each station’s Media Access Control (MAC) address is listed. ■ IP Address—A station must receive an IP address to receive complete network connectivity.
Although power save extends a station’s battery life, it might result in jittery performance for real-time applications. If a user complains of low quality of service (QoS) and you see that the user’s station implements power save, you could suggest that the user disable this feature. ■ WLAN—The index number of the WLAN to which the station has connected is listed. (This column does not show the service set identifier [SSID]).
Figure 12-2. Preventing a Station from Reconnecting to the Wireless Network If you click the Yes button, the Filter dialog box is displayed. (See Figure 12-3.) Figure 12-3. Creating a Filter to Block an Unauthorized User’s Access As the figure shows, the station’s MAC address is already listed in the Starting MAC and Ending MAC fields, allowing you to quickly create a MAC filter to prevent the station from reaccessing the wireless network.
Figure 12-4.
In addition to the information that is listed on the Device Information > Wireless Stations screen (such as MAC address, IP address, Power Save, WLAN, and VLAN), you can view: ■ Authentication—This field displays the authentication method used— 802.1X Extensible Authentication Protocol (EAP), Web authentication (Web-Auth), MAC authentication, or none.
■ Roam Count (No de-authentication)—The module tracks the number of times that the station has de-authenticated, which indicates the number of times that the station has roamed away from the module (not between RPs on the same module). ■ IDM Attributes—If you are using ProCurve Identity Driven Manager (IDM), this section lists IDM settings received for the user accessing the network through this station.
Figure 12-5.
Wireless Statistics for Stations Like the Device Information > Wireless Stations screen, the Device Information > Wireless Statistics screen lists every station associated with RPs adopted by the Wireless Edge Services zl Module. However, this screen focuses on activity on the connection. Figure 12-6.
A high number of retries can indicate interference or excessive congestion. Wireless phones, which send traffic to a multicast address, may have a high percentage of nonunicast traffic. For traditional stations, a high percentage of nonunicast traffic can be normal for brief periods—for example, when the station first associates and requests a DHCP address.
The Station Properties section displays the same information that is listed on the Device Information > Wireless Stations screen, including the station’s MAC and IP address. However, you can also see whether the station supports QoS capabilities such as Voice and WMM. You can use the Traffic section to monitor the quality and performance of the connection.
Viewing a Graph of Wireless Station Statistics The Wireless Edge Services zl Module can create a graph of statistics for a wireless station. This graph displays how the statistics change over time. To view this graph, follow these steps: 1. Select Device Information > Wireless Statistics. 2. Select the station (identified by MAC address) from the list. Graph button Figure 12-8.
Figure 12-9. Station Statistics Graph The Station Statistics screen displays the station’s MAC address and IP address in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per sec.
■ Throughput (Mbps)—the actual throughput for data transmitted and received by this station • TX Tput (Mbps)—actual throughput for data transmitted by this station • RX Tput (Mbps)—actual throughput for data received by this station ■ Avg Bits per sec—average bit speed for all traffic sent and received by this station ■ NUcast Pkts—percentage of multicast and broadcast packets (as compared to total packets) ■ Avg Retries—average number of
Figure 12-10. Comparing Station Statistics The x-axis of the graph displays the time—in Figure 12-10 the time is labelled in 10 second intervals. The y-axis adds a label that matches the box that you chose. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time.
When you have finished viewing the graph, click the Close button. Radio Statistics The Wireless Edge Services zl Module stores information about the wireless network activity on each RP radio. To view these statistics, select Network Setup > Radio and click the Statistics tab. Figure 12-11. Network Setup > Radio > Statistics Screen Every radio adopted by the module is listed, identified by: ■ Index ■ Description ■ Type (802.11a or 802.
■ % Non-UNI ■ Retries These statistics are similar to those described for individual stations in “Wireless Statistics for Stations” on page 12-12. The RF Util percentage compares the radio’s actual utilization to its potential utilization by dividing the throughput by the average Mbps. Again, you can select either Last 30s or Last Hr to view either the most current statistics or statistics over a more extended period.
The Information section describes this radio and shows the number of stations currently associated to it. You should check the Current Channel listing; if the radio is configured with a manual channel but currently uses a different channel, the channel number is listed in red. On the Details screen, statistics for wireless traffic are broken down into received and transmitted traffic.
Graph button Figure 12-13. Graph Button in the Device Information > Wireless Statistics Screen 4. Click the Graph button. The RP Statistics screen is displayed.
Figure 12-14. RP Statistics Graph The RP Statistics screen displays the radio’s name and MAC address in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per second.) You can choose any of the statistics displayed in the Details screen for radio statistics. The statistics apply to all stations associated to the radio.
■ Throughput (Mbps)—total throughput for data transmitted and received by this radio • TX Tput (Mbps)—throughput for data transmitted by this radio • RX Tput (Mbps)—throughput for data received by this radio ■ Avg Bits per sec—average bit speed for traffic when the radio actually transmits or receives it ■ NUcast Pkts—percentage of multicast and broadcast packets sent and received by the radio (as compared to total packets) ■ Avg Retries—
Figure 12-15. Comparing RP Statistics The x-axis of the graph displays the time—in Figure 12-15, marked at 5 second intervals. The y-axis adds a label that matches your choice. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time. You can select more than one box and compare statistics against each other.
WLAN Statistics To monitor wireless activity on a WLAN-wide scale, select Network Setup > WLAN Setup and click the Statistics tab. Module Statistics button Figure 12-16. Network Setup > WLAN Setup > Statistics Screen This screen lists every WLAN that is enabled on the module. WLANs are identified by: ■ Index (the WLAN’s number) ■ SSID ■ Description ■ VLAN The Stations column shows the number of stations currently connected to that WLAN.
The remaining columns display statistics similar to those described in “Wireless Statistics for Stations” on page 12-12; however, these statistics are averages for all stations in the WLAN: ■ Throughput Mbps—the total throughput for all data transmitted in the WLAN in Mbps ■ Bit Speed (Avg.
Select a WLAN and click this button to view: ■ the percentage of packets in this WLAN transmitted at each data rate ■ the percentage of packets in this WLAN that required a certain number of retries (for 0 to 15) Figure 12-18. Module Statistics Screen Click the Refresh button to update the statistics. When you have finished viewing the screen, click the Close button.
Figure 12-19. WLAN Statistics Details The Information section shows settings for this WLAN including: ■ SSID ■ VLAN ■ security settings • authentication type • encryption type The Information section also displays the number of stations associated to the WLAN and of radios mapped to the WLAN. (If the Wireless Edge Services zl Module is using normal mode configuration, all adopted radios are mapped to the WLAN.
reports speed in terms of packets per second, total throughput in Mbps, and average speed in Mbps. The Web browser interface further breaks down statistics into received and transmitted traffic. The RF Status section displays statistics dealing with the status of the radio medium.
Graph button Figure 12-20. Graph Button in the Device Information > Wireless Statistics Screen 3. Select the WLAN. 4. Click the Graph button. The WLAN Statistics screen is displayed.
Figure 12-21. WLAN Statistics Graph The WLAN Statistics screen displays the WLAN’s SSID and static VLAN ID in the upper right corner. To generate a graph, you must select the statistic that you want to track. (Initially, the graph shows packets per second.) You can choose any of the statistics displayed in the Details screen for WLAN statistics. (Refer to “Viewing Detailed WLAN Statistics” on page 12-28 for more information on a statistic.
■ Throughput (Mbps)—total throughput for data transmitted and received in this WLAN • TX Tput (Mbps)—throughput for data transmitted in this WLAN • RX Tput (Mbps)—throughput for data received in this WLAN ■ Avg Bits per sec—average bit speed for all traffic transmitted and received in the WLAN ■ NUcast Pkts—percentage of multicast and broadcast packets sent and received in the WLAN (as compared to total packets) ■ Avg Retries—average numb
Figure 12-22. Comparing WLAN Statistics The x-axis of the graph displays the time—in Figure 12-22, marked at 5 second intervals. The y-axis adds a label that matches your choice. It also displays the correct units for that type of statistic. A line that is the same color as the y-axis label plots the statistic as it changes over time. You can select up to four boxes at once and compare statistics against each other.
Figure 12-23. Network Setup > Module Statistics Screen The top of the screen displays: ■ the number of stations currently associated with RPs on this module ■ the number of RPs adopted by this module ■ the number of RP radios adopted by this module The Traffic section contains statistics similar to those discussed in “Wireless Statistics for Stations” on page 12-12: ■ Pkts per second ■ Throughput in Mbps ■ Avg.
You can use the RF Status section to monitor the quality of radio media on a network-wide level, and you can use the Errors section to look for problems with congestion or interference. You can then examine these statistics for radios or for WLANs to pinpoint the source of a problem.
Figure 12-24. Device Information > Radio Adoption Statistics > Adopted RP Screen Select the Adopted RP tab to view the RPs that the module has actually adopted, and the Unadopted RP tab to view other detected RPs. The number of RPs adopted by this module is listed at the bottom of the Device Information > Radio Adoption Statistics > Adopted RP screen.
■ SW Version—You should verify that the software version with which the RP loads is up-to-date. ■ Radio Indices—The RP includes one or two radios. These radios are listed on the Network Setup > Radio > Configuration screen according to the indices displayed in this column. You can configure settings for these radios on that screen. (See Chapter 3: “Radio Port Configuration.
Wireless Network Management AP Detection AP Detection People may introduce unauthorized APs into your network for several reasons. Sometimes attackers set up rogue APs in your environment, hoping to lure wireless users to authenticate to them instead of to your network’s RPs. In this way, attackers can collect sensitive information, including passwords with which they can then access your private network and view, steal, or damage data.
Figure 12-26. Configuring and Managing AP Detection
Configuring AP Detection
By default, AP detection is disabled. To configure AP detection, you must complete two main steps: you must enable AP detection, and you must configure at least one radio to scan for APs.
Table 12-1. Comparing Single-Channel Detectors and Dedicated Detectors
Single-Channel Detector | Dedicated Detector
Radio passively listens for beacons | Radio actively sends probe requests
Radio listens on its own channel only | Radio sends probes on all channels in its frequency that are allowed by its country’s regulations
Radio supports wireless stations | Radio does not support wireless stations
Figure 12-27.
You can configure a radio as a single-channel detector or a dedicated detector in one of two ways:
■ as part of an override configuration for a particular radio
For example, your organization might install an RP that is entirely dedicated to searching out rogue APs. Another reason to dedicate a radio as a detector is so it can monitor all nearby RPs in your wireless network and take action if an RP experiences problems.
Figure 12-28. Enabling AP Detection and Configuring Settings
b. Check the Enable box.
c. Customize the timeout setting for approved and unapproved APs. (For more information about approved and unapproved APs, see “Creating Lists of Detected APs” on page 12-46.)
– Approved AP timeout—specifies how long the module retains information about APs that you have defined as allowed.
Figure 12-29. Dedicating a Radio as a Detector
d. On the radio’s Configuration screen, check the option that you want for AP detection:
– Dedicate this Radio as a Detector
– Single-channel scan for Unapproved APs
e. Click the OK button.
Figure 12-30. Viewing the Radio State
The radio state should now be listed as Detector on the Network Setup > Radio > Configuration screen, as shown in Figure 12-30.
Note The Wireless Edge Services zl Module stores the configuration for a particular radio with its MAC address so that this configuration persists even if the radio powers down. For more information on radio configurations, see Chapter 3: “Radio Port Configuration.”
3.
Figure 12-31. Network Setup > Radio Adoption Default > Configuration Screen
b. Select the radio type (802.11a, 802.11b, or 802.11bg).
c. Click the Edit button.
d. On the radio type’s Configuration screen, check the option that you want for AP detection:
– Dedicate this Radio as a Detector
– Single-channel scan for Unapproved APs
e. Click the OK button.
4. Click the Save link at the top of the screen to save your changes to the startup-config.
You should configure the module to allow APs that meet certain criteria—for example, that are part of your wireless network. The module then moves these APs to an approved APs list so that they do not clutter the unapproved list and make it difficult for you to identify actual threats to network security.
Figure 12-32. Viewing Allowed APs
2. Click the Add button.
3. In the Index field, enter a value from 1 through 200. Each rule must have a unique index. By default, the field displays the next available index number.
4. Create one of the three types of rules:
a. Allow an AP with a particular MAC address no matter what WLAN it supports, as shown in Figure 12-33:
i. Select the second field under Radio MAC Address and then enter the address.
ii.
Figure 12-33. Allowing a Particular AP Based on MAC Address
b. Allow any AP that is a member of a particular WLAN, as shown in Figure 12-34:
i. Select the second field under SSID and then enter the WLAN’s SSID.
ii. Leave the Radio MAC Address selection at Any MAC Address.
Figure 12-34. Allowing Any AP in a Particular WLAN
c. Allow a particular AP only if it is a member of the correct WLAN, as shown in Figure 12-35:
i. Select the Radio MAC Address field and then enter the address.
ii. Select the SSID field and then enter the WLAN’s SSID.
Figure 12-35. Allowing a Particular AP in a Particular WLAN
5. Click the OK button. The AP is now listed in the Allowed APs section of the Special Features > Access Point Detection > Configuration screen.
Monitoring Detected APs
You should periodically check the unapproved APs list for rogue APs. You may also want to configure the Wireless Edge Services zl Module to automatically generate and send an alarm whenever a radio detects an unapproved AP.
Figure 12-36. Viewing the Unapproved APs List
Note You can also view this list by selecting Device Information > Access Point Detection and clicking the Unapproved APs tab. However, you can only view information about APs on the other screen; you cannot allow the APs as described below.
As shown in Figure 12-36, the list includes the following information for each AP:
■ BSS MAC Address—This address is the AP’s BSSID.
■ Last Seen (In Seconds)—This column indicates how recent the information is.
■ SSID—If a radio has an unapproved MAC address but one of your WLAN’s SSIDs, this may signal a hacker phishing for passwords and other sensitive data.
If this list becomes too long and unmanageable, you should take one or more of these steps:
■ Lower the timeout value for unapproved APs. (See “Configuring AP Detection” on page 12-40.)
■ Move legitimate APs to the approved APs list.
2. If you so desire, you can change these settings. (For example, you could allow the MAC address, but any SSID.)
3. Click the OK button.
In a way, allowing an AP is like acknowledging an alarm. You are letting other administrators know that you have checked the potential threat.
If a rogue AP is on this list, you should reconfigure the rule that allowed it. For example, to screen APs you may need to use MAC addresses instead of, or in addition to, SSIDs.
Configuring the Module to Report Unapproved APs
You can configure the Wireless Edge Services zl Module to trigger a Simple Network Management Protocol (SNMP) trap whenever a radio detects an unapproved AP. Complete these steps:
1.
Figure 12-40. Enabling an SNMP Trap for AP Detection
5. Click the Apply button.
If an RP detects an external AP, a log is displayed on the Device Information > Alarm Log screen, as shown in Figure 12-41.
Figure 12-41. Receiving an Alarm about an External AP
The module will log the alarm, as well as forward it to a trap receiver (if one has been specified). (For instructions on configuring the trap receiver, see “SNMP Traps” on page 2-112 of Chapter 2: “Configuring the ProCurve Wireless Edge Services zl Module.
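As an added example that is not part of this guide or the module's software, the following Python script applies allowed-AP rules of the three kinds described above to a list of detected APs and flags unapproved APs that advertise one of your own SSIDs (the case the SSID column note warns about). The rules, detected APs and timeout values are constructed; the two timeout arguments stand in for the Approved AP timeout and unapproved AP timeout settings.

```python
"""Added example (not ProCurve code): classify detected APs against allowed-AP
rules of the three kinds the guide describes (MAC only, SSID only, MAC + SSID)
and flag unapproved APs that advertise one of our own SSIDs."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AllowRule:
    """One entry of the Allowed APs list (index 1..200, unique)."""
    index: int
    mac: Optional[str] = None   # None = "Any MAC Address"
    ssid: Optional[str] = None  # None = any SSID


@dataclass(frozen=True)
class DetectedAP:
    bssid: str      # BSS MAC Address column
    ssid: str       # SSID column
    last_seen: int  # Last Seen (In Seconds) column


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form so 00-1A-.. and 00:1a:.. compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def rule_matches(rule: AllowRule, ap: DetectedAP) -> bool:
    """A rule matches only if every field it constrains agrees with the AP."""
    if rule.mac is not None and norm_mac(rule.mac) != norm_mac(ap.bssid):
        return False
    if rule.ssid is not None and rule.ssid != ap.ssid:
        return False
    return True


def classify(rules, detected, our_ssids, approved_timeout, unapproved_timeout):
    """Split detected APs into (approved, unapproved, suspicious).

    approved   : list of (bssid, index of the first rule that allowed it)
    unapproved : bssids no rule allows, still within the unapproved timeout
    suspicious : unapproved bssids that advertise one of our SSIDs, which the
                 guide describes as a possible phishing (look-alike AP) setup
    """
    approved, unapproved, suspicious = [], [], []
    ordered = sorted(rules, key=lambda r: r.index)
    for ap in detected:
        bssid = norm_mac(ap.bssid)
        hit = next((r for r in ordered if rule_matches(r, ap)), None)
        if hit is not None:
            if ap.last_seen <= approved_timeout:
                approved.append((bssid, hit.index))
        elif ap.last_seen <= unapproved_timeout:
            unapproved.append(bssid)
            if ap.ssid in our_ssids:
                suspicious.append(bssid)
    return approved, unapproved, suspicious


# Constructed sample data: two of our RPs, a look-alike AP cloning our SSID,
# a neighbouring business's AP, and a stale entry that has aged out.
OUR_SSIDS = {"Corp-WLAN"}
DETECTED = [
    DetectedAP("00:11:22:33:44:55", "Corp-WLAN", last_seen=3),
    DetectedAP("00:11:22:33:44:66", "Corp-WLAN", last_seen=10),
    DetectedAP("aa:bb:cc:dd:ee:ff", "Corp-WLAN", last_seen=5),
    DetectedAP("66:77:88:99:aa:bb", "CoffeeShop", last_seen=4),
    DetectedAP("66:77:88:99:aa:cc", "CoffeeShop", last_seen=900),
]
# Rules keyed on the RPs' own MAC addresses (the guide's advice when SSID
# screening alone lets a rogue through).
STRICT_RULES = [
    AllowRule(1, mac="00-11-22-33-44-55"),                     # MAC, any SSID
    AllowRule(3, mac="00:11:22:33:44:66", ssid="Corp-WLAN"),  # MAC + SSID
]
# Same list plus an SSID-only rule: anything calling itself Corp-WLAN passes.
LOOSE_RULES = STRICT_RULES + [AllowRule(2, ssid="Corp-WLAN")]

if __name__ == "__main__":
    for name, rules in (("strict", STRICT_RULES), ("loose", LOOSE_RULES)):
        print(name, classify(rules, DETECTED, OUR_SSIDS, 300, 300))
```

With the strict rules the look-alike AP lands on the unapproved list and is flagged; with the SSID-only rule added it is silently approved, which is why the guide suggests screening by MAC address instead of, or in addition to, SSID.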
Wireless Network Management Configuring Station Intrusion Detection Configuring Station Intrusion Detection AP detection protects your network against unauthorized APs. The Wireless Edge Services zl Module can also guard against hackers who use stations to launch attacks.
Configuring Thresholds for Station Intrusion Detection
To configure station intrusion detection, complete these steps:
1. Select Special Features > Station Intrusion Detection > Configuration.
Figure 12-42. Configuring Station Intrusion Detection
2. In the Detection Window field, enter a value from 5 through 300 seconds. This setting determines the length of time to which each threshold applies.
4. Set a Radio threshold and a Wireless Module threshold for:
• Excessive Probes
• Excessive Association
• Excessive Disassociation
• Excessive Authentication failure
• Excessive Crypto replays
• Excessive 802.11 replays
• Excessive Decryption failures
• Excessive Unassociated Frames
• Excessive EAP Start Frames
Again, enter a number from 0 through 65,535.
5.
Figure 12-43. Enabling Intrusion Detection Traps
3. Select Intrusion Detection and click the Enable all sub-items button. (Alternatively, select one of the sub-items and click the Enable button.)
4. Make sure that the Allow Traps to be generated box is checked.
5. Click the Apply button. The module will log the alarm, as well as forward it to a trap receiver (if one has been specified).
Viewing Blocked Stations
If a station exceeds the thresholds that you set, the Wireless Edge Services zl Module blocks the station. You can view any stations that have been blocked by selecting Special Features > Station Intrusion Detection and clicking the Filtered Stations tab.
Figure 12-44.
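An added example, not the module's own code, of the thresholding this section describes: each station's events are counted per radio and per module inside a sliding detection window, and the station is filtered as soon as any count exceeds the corresponding Radio or Wireless Module threshold. The event names, threshold values and sample events are constructed.

```python
"""Added example (not ProCurve code): sliding-window thresholding of per-station
802.11 events with separate Radio and Wireless Module thresholds, as the
Station Intrusion Detection screen describes. A station whose count for any
event type exceeds a threshold inside the detection window is filtered."""
from collections import defaultdict, deque

DETECTION_WINDOW = 30  # seconds; the screen accepts 5 through 300

# Events per detection window; 0 disables a threshold. Constructed values,
# keyed by short names for the event types on the configuration screen.
THRESHOLDS = {
    "probe":           {"radio": 50, "module": 100},
    "assoc":           {"radio": 10, "module": 20},
    "auth_failure":    {"radio": 5,  "module": 10},
    "decrypt_failure": {"radio": 5,  "module": 10},
    "eap_start":       {"radio": 10, "module": 20},
}


class StationIntrusionDetector:
    def __init__(self, window=DETECTION_WINDOW, thresholds=THRESHOLDS):
        self.window = window
        self.thresholds = thresholds
        self.per_radio = defaultdict(deque)   # (station, event, radio) -> times
        self.per_module = defaultdict(deque)  # (station, event) -> times
        self.filtered = {}                    # station -> (event, scope, radio)

    def _prune(self, q, now):
        """Drop timestamps older than the detection window."""
        while q and now - q[0] > self.window:
            q.popleft()

    def observe(self, now, radio, station, event):
        """Record one event; return True if the station is (now) filtered."""
        if station in self.filtered:
            return True
        limits = self.thresholds.get(event)
        if limits is None:
            return False
        rq = self.per_radio[(station, event, radio)]
        mq = self.per_module[(station, event)]
        for q in (rq, mq):
            self._prune(q, now)
            q.append(now)
        if limits["radio"] and len(rq) > limits["radio"]:
            self.filtered[station] = (event, "radio", radio)
        elif limits["module"] and len(mq) > limits["module"]:
            self.filtered[station] = (event, "module", None)
        return station in self.filtered

    def filtered_stations(self):
        """What the Filtered Stations tab would list."""
        return sorted(self.filtered)


def run(events, window=DETECTION_WINDOW):
    """Feed (time, radio, station, event) tuples in time order."""
    det = StationIntrusionDetector(window)
    for t, radio, station, event in sorted(events):
        det.observe(t, radio, station, event)
    return det


# Constructed sample: X hammers one radio, Y spreads failures over three
# radios so no single radio trips, Z fails slowly enough to stay under.
X, Y, Z = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
SAMPLE_EVENTS = (
    [(t, 1, X, "auth_failure") for t in range(0, 6)]
    + [(t, 1, Y, "auth_failure") for t in range(0, 4)]
    + [(t, 2, Y, "auth_failure") for t in range(4, 8)]
    + [(t, 3, Y, "auth_failure") for t in range(8, 11)]
    + [(t, 1, Z, "auth_failure") for t in range(0, 120, 20)]
)

if __name__ == "__main__":
    det = run(SAMPLE_EVENTS)
    for sta in det.filtered_stations():
        print(sta, det.filtered[sta])
```

Station Y shows why the module-wide threshold matters: no single radio sees more than four failures, but the module sees eleven within the window.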
Wireless Network Management Logging and Alarms
Logging and Alarms
The Wireless Edge Services zl Module generates logs for various events that occur on a system; these logs report on messages that the module receives and actions that the module takes. The module can log events to:
■ its buffer
■ the console
■ an external server
Events are ranked according to severity, as shown in Table 12-2. The lower the number, the greater the risk to network functionality.
Table 12-2.
Table 12-3.
Figure 12-45. Configuring Logging
You can configure the module to store events for up to 60 seconds before logging them, by entering a value in the Logging aggregation time field. (If the value is 0, then events are logged immediately.)
Forwarding Logs to an External Server
You can also configure the Wireless Edge Services zl Module to forward logs to up to three external syslog servers. Complete these steps:
1.
Figure 12-46. Forwarding Logs to an External Syslog Server
2. Check the Enable logging to Syslog Server box.
3. From the corresponding drop-down menu, select the lowest severity for logs that the module will forward. The default level is level 6, Info.
4. In the Server Facility field, use the drop-down menu to select the facility that your syslog server uses to receive such logs. Local7 is typically reserved for network devices.
5.
The top section of the screen displays files of logs that the module has stored. Each file is identified by its name, its size in bytes, the time at which it was created, and the time at which it was last modified (that is, when a new event was added to it). The local log file stores the events that the Wireless Edge Services zl Module logs to its buffer. You can view the types of events in a file by selecting the file.
Figure 12-48. Viewing Logged Events
The most recent events are listed at the top of the screen. The color code helps you to quickly identify the most important events (that is, those with the lowest level, or greatest severity). For each event, the log reports:
■ Time stamp—Remember to look at the time stamp to make sure that you are not examining obsolete logs. (Quickly checking the time stamp when you preview the log file can also save you time.
■ Mnemonic—This field includes an abbreviated identification of the type of event.
■ Description—The description gives you the most information about the event.
You can click on any column heading to organize events according to the information in that column. The bottom of the screen shows you which line in the log file you are currently examining.
To transfer the local log file, complete these steps:
1. Click the Transfer Files button. The Transfer screen is displayed.
Figure 12-49. Transferring Log Files to a Server or Workstation
2. In the From field in the Source section, use the drop-down menu to select Wireless Services Module. In the File field, use the drop-down menu to select the log file that you want to transfer.
3. Select the destination for the file.
– Path—Enter the path for the directory in which the destination file should be saved. Depending on your server, you may or may not need to enter / before the directory name. Leave this field empty (or simply enter /) to save the file to the server’s default directory.
4. Click the Transfer button.
Managing the Alarm Log
In order for the Wireless Edge Services zl Module to log an alarm, you must activate the corresponding trap.
For each alarm, the screen displays this information:
■ Index—Alarms are numbered in the order in which they were received.
■ Status—If the alarm has been acknowledged, then an administrator has seen it and presumably dealt with it.
Details
When you do not know what an alarm means, or when you need direction in solving the problem indicated, you should view alarm details. Select the alarm from the list, and then click the Details button. The screen that is displayed points you toward the cause of the alarm and possible solutions for an associated problem. (See Figure 12-51.)
Figure 12-51.
Figure 12-52. Using Buttons in the Device Information > Alarm Log Screen (callouts: Acknowledge alarms, Delete alarms, Export alarms off the module)
Acknowledge
Sometimes you will want to store an alarm in the log even after you have viewed it, either because you want another administrator to see it or because you want to track a particular pattern of activity. In this case, instead of deleting the alarm, you should click the Acknowledge button to change its status.
Wireless Network Management MAC Filters (Local MAC Authentication)
■ pool information from multiple devices in a central location
■ track patterns of network activity
To export the information in one or more alarms, select those alarms and click the Export button. On the screen that is displayed, select a filename and a location for the logs, which are saved as a comma-separated file.
Configuring MAC Standard ACLs (Filters)
When configuring ACLs on the module, keep these rules in mind:
■ ACLs are ordered by index number.
■ The module processes ACLs that are applied to a WLAN starting with the ACL that has the lowest index number. The module stops processing the ACLs as soon as it finds a match for the station’s MAC address.
Figure 12-53. Security > MAC Filters Screen
2. Click the Add button. The Add ACL screen is displayed.
Figure 12-54.
3. Enter a value from 1 through 1,000 in the Station-ACL Index field. Each ACL must have a unique index number. Pay close attention to this number because, when a station matches more than one entry, only the entry with the lowest number affects the station.
4. Enter a range of MAC addresses, placing the first address in the Starting MAC field and the last address in the Ending MAC field.
Figure 12-55. Assigning ACLs to WLANs
3. Check the boxes for the WLANs to which you want to apply the ACL. WLANs are displayed by index (not SSID). The module will use the ACL to filter traffic on the selected WLANs. If you have selected multiple ACLs, they are listed in separate columns by index number. (See Figure 12-56.
Figure 12-56. Assigning ACLs to WLANs
4. Click the OK button. When you select this ACL on the Security > Wireless Filters screen, the selected WLANs appear in the Associated WLANs section. (See Figure 12-57.) In this screen, you can view the WLAN’s SSID, as well as other security options for that WLAN.
Figure 12-57. Associating ACLs with WLANs
Note that it is possible to prevent a station from associating to one WLAN but to allow the station to associate to another. Just as you can make an ACL a member of more than one WLAN, you can associate more than one ACL to a WLAN. The module filters traffic first against the ACL with the lowest index number, then against the ACL with the next lowest number, and so on.
With this configuration, only the stations allowed by ACLs 2 and 3 can connect to MyWLAN. Notice that the network administrators have numbered the ACL that denies all stations as 100. They can add ACLs to allow other stations, and as long as these ACLs have an index number lower than 100, the Wireless Edge Services zl Module will process them before it processes the ACL that denies all stations.
Figure 12-58. Exporting ACLs (callout: Export button)
3. Click the Export button.
4. A dialog screen is displayed for saving the file to the local disk of your management station. Name the file and choose the directory in which to save it. Then confirm the save.
5. A screen reports that the export was successful. Click the OK button.
Figure 12-59.
Importing MAC Standard ACLs
Instead of (or in addition to) manually configuring MAC standard ACLs (filters) on your Wireless Edge Services zl Module, you can import a .csv file that includes these ACLs to your module. The file should be saved on the local disk of your management station. You can create the ACLs file using a spreadsheet application. Include four columns for each ACL.
To import MAC standard ACLs to your Wireless Edge Services zl Module, follow these steps:
1. Select Security > MAC Filters.
2. Click the Import button.
Figure 12-60. Importing ACLs (callout: Import button)
3. A dialog screen is displayed for choosing the file from the local disk of your management station. Find your file and confirm the import.
4. A screen reports the results of the import.
Figure 12-61. ACL Import Result
5. Click the OK button.
6. For the imported ACLs to take effect, you must assign them WLAN memberships:
a. Select the new ACLs. You can select multiple ACLs by holding down Ctrl as you select them.
b. Click the Memberships button.
c. Check boxes to assign the ACLs to WLANs.
d. Click the OK button.
See “Configuring WLAN Memberships” on page 12-78 for more information.
Resolving Import Errors
Figure 12-62. ACL Import Result Screen Error Messages
Errors include:
■ messages informing you that a field contains an invalid value:
• “ACL index must be an integer”
• “Invalid starting MAC.”
• “Invalid ending MAC.”
• “ACL mode must be either Allow or Deny”
As explained earlier, each line in the file must include four fields with valid values for index number, MAC addresses, and ACL mode (allow or deny).
■ “ACL index already exists - please choose another”
The ACL in the line indicated conflicts with an ACL already configured on the Wireless Edge Services zl Module. That is, they have the same index number. Make one of two choices:
• Click the OK button, and import the file despite the conflict. The module retains all of its already-configured ACLs. However, any nonconflicting ACLs are imported normally.
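The following added example (not ProCurve's implementation) ties together the four-field import file, the error messages listed above and the ordered first-match processing described in “Configuring MAC Standard ACLs (Filters)”: it validates a constructed .csv file against an already-configured ACL, keeps the module's ACL on an index conflict, and evaluates station MACs against the merged list. The file contents, the existing ACL and the station addresses are constructed; treating a station that matches no ACL as allowed is an assumption inferred from the guide's deny-all-at-index-100 example.

```python
"""Added example (not ProCurve code): validate a MAC standard ACL import file
(index, starting MAC, ending MAC, Allow/Deny), report the guide's error
messages, keep the module's existing ACL on an index conflict, then evaluate
a station against the ordered list (lowest index first, first match decides)."""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class MacAcl:
    index: int   # Station-ACL Index, 1 through 1,000, unique
    start: int   # Starting MAC as a 48-bit integer
    end: int     # Ending MAC as a 48-bit integer
    allow: bool  # True = Allow, False = Deny


def mac_to_int(mac: str) -> int:
    digits = mac.strip().replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(mac)
    return int(digits, 16)


def parse_acl_file(text, existing):
    """Return (imported ACLs, errors) where errors are (line, message) pairs."""
    acls, errors = [], []
    taken = {a.index for a in existing}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(f.strip() for f in row):
            continue  # blank line
        if len(row) != 4:
            errors.append((lineno, "each line in the file must include four fields"))
            continue
        idx_s, start_s, end_s, mode_s = (f.strip() for f in row)
        problems = []
        try:
            index = int(idx_s)
        except ValueError:
            problems.append("ACL index must be an integer")
        try:
            start = mac_to_int(start_s)
        except ValueError:
            problems.append("Invalid starting MAC.")
        try:
            end = mac_to_int(end_s)
        except ValueError:
            problems.append("Invalid ending MAC.")
        if mode_s.lower() not in ("allow", "deny"):
            problems.append("ACL mode must be either Allow or Deny")
        if problems:
            errors.extend((lineno, p) for p in problems)
            continue
        if index in taken:
            # The module keeps its already-configured ACL; the file's entry is skipped.
            errors.append((lineno, "ACL index already exists - please choose another"))
            continue
        taken.add(index)
        acls.append(MacAcl(index, start, end, mode_s.lower() == "allow"))
    return acls, errors


def station_allowed(acls, station_mac):
    """Lowest index first; the first ACL whose range covers the MAC decides.
    No match means allowed (assumption drawn from the guide's example, which
    needs an explicit deny-all ACL at index 100 to block other stations)."""
    mac = mac_to_int(station_mac)
    for acl in sorted(acls, key=lambda a: a.index):
        if acl.start <= mac <= acl.end:
            return acl.allow
    return True


# Constructed import file: the guide's pattern (allow ranges at low indexes,
# deny-all at 100) plus one line for each error the import screen reports.
SAMPLE_FILE = """\
2,00:11:22:00:00:01,00:11:22:00:00:ff,Allow
3,00-11-22-00-01-00,00-11-22-00-01-ff,Allow
100,00:00:00:00:00:00,ff:ff:ff:ff:ff:ff,Deny
abc,00:11:22:00:02:00,00:11:22:00:02:ff,Allow
7,00:11:22:00:03:zz,00:11:22:00:03:ff,Allow
8,00:11:22:00:04:00,00:11:22:00:04:ff,Permit
"""
# ACL 2 is already configured on the module, so line 1 of the file conflicts.
EXISTING = [MacAcl(2, mac_to_int("00:11:22:00:00:01"),
                   mac_to_int("00:11:22:00:00:ff"), True)]


def import_and_merge(text=SAMPLE_FILE, existing=EXISTING):
    imported, errors = parse_acl_file(text, existing)
    return sorted(existing + imported, key=lambda a: a.index), errors


if __name__ == "__main__":
    merged, errors = import_and_merge()
    for line, msg in errors:
        print(f"line {line}: {msg}")
    for sta in ("00:11:22:00:00:10", "aa:bb:cc:dd:ee:ff"):
        print(sta, "allowed" if station_allowed(merged, sta) else "denied")
```

Note that the station in the range of the rejected line (index abc) ends up denied by ACL 100, so an import error silently narrows who can connect; check the result screen before assigning memberships.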
Wireless Network Management Network Self Healing Network Self Healing Self healing keeps your wireless network functioning optimally in response to changing conditions.
■ Neighbors no longer receive beacons from the radio. An RP checks the beacons that it has received every 30 seconds. If the RP has not received beacons from a neighbor in the last two seconds, it reports that neighbor as down. In other words, an RP considers a neighbor failed when it loses contact with that neighbor for more than two seconds; however, the RP only checks whether it has lost contact with a neighbor every 30 seconds.
An RP radio only responds to the loss of a radio if that radio is defined as one of its neighbors. To further configure neighbor recovery, you must:
■ specify neighbors
■ specify the action that a radio takes if one of its neighbors fails
Select Special Features > Self Healing and click the Neighbor Details tab.
Figure 12-64.
You can configure the neighbors in one of two ways: manually or with automatic neighbor detection.
Specifying Neighbors Manually
Keep these concepts in mind as you configure neighbors:
■ The neighbor relationship is reciprocal: if you configure a neighbor list on radio 1 that includes radio 3, radio 3’s neighbor list automatically adds radio 1. (See Figure 12-64.
All RP radios adopted by this module are listed.
2. Select a radio and click the Edit button. The Edit Neighbor screen is displayed. (See Figure 12-66.)
Figure 12-66. Editing Neighbors
The available RP radios—those adopted by this module—are listed on the left under Available Radios: these are potential neighbors.
3. To add a neighbor, select a radio from the field on the left and then click the Add button.
6. Click the OK button. You return to the Special Features > Self Healing > Neighbor Details screen, on which you can confirm the neighbors in the Neighbor Radio Indices column for the radio that you were editing. Note that the neighbors also display the edited radio in their Neighbor Radio Indices column.
Selecting the Self-Healing Action
The Wireless Edge Services zl Module can configure RPs to take one of several actions in response to a failed neighbor. A radio can:
■ open its data rates so that it supports both 802.11g and 802.11b stations
For example, one radio in your network might operate in G-only mode (that is, it supports higher data rates only) while a nearby radio also supports the lower data rates of 802.11b.
Figure 12-68. Self Healing Action for Neighbor Recovery
■ both raise its transmit power and open its data rates (see Figure 12-68)
Sometimes you lower radios’ transmit power so that closely grouped RPs can support higher data rates within their relatively small coverage areas. When an RP radio raises its transmit power to take over a failed neighbor’s coverage area, it can no longer support high data rates for all stations (some are too far away).
■ take no action
Remember that radios are always neighbors to each other. However, you might want one radio to respond to the failure of a second radio, but you might not want the second radio to respond to the failure of the first radio. For example, the second radio might be in a more important location. When editing the second radio, configure it to take no action.
Figure 12-69. Defining the Action
3.
4. In the Self Healing Action field, use the drop-down menu to select the action:
• Open Rates—to configure the radio to support all data rates
• Raise Power—to configure the radio to raise its power to the legal maximum. See “Configuring a Self Healing Offset” on page 12-98 to determine whether you will need to configure a self healing offset.
• Both—to configure the radio to take both of these actions.
The Wireless Edge Services zl Module subtracts the offset from the maximum power allowed in your regulatory domain to define the maximum power for that radio. To configure this parameter, complete these steps:
1. Select Network Setup > Radio > Configuration.
2. Select the radio and click the Edit button. The Configuration screen for the selected radio is displayed. (See Figure 12-70.)
Figure 12-70. (callout: Self Healing Offset)
Interference Avoidance
Also called dynamic channel selection, interference avoidance helps your RP radios choose the best channel in your environment at the moment. If the Wireless Edge Services zl Module detects interference on a radio’s current channel, it has the radio use Auto-Channel Selection (ACS) to choose a new channel. The module implements this procedure for interference avoidance:
1.
Figure 12-71. Enabling Interference Avoidance
2. Select the Enable Interference Avoidance box.
3. Typically, you should leave the settings for this feature at their defaults. However, you can customize them:
a. In the Average Retries field, enter a value from 1 through 15 to set the threshold for the number of times stations must resend frames during a 30-second interval.
b. In the Hold Time field, enter a time from 0 through 65,535 seconds. This setting determines how long a radio must wait in between selecting a new channel and again running ACS. If you set this value too low, then radios might begin to run ACS continuously, preventing stations from associating to them. By default, the Hold Time is set at 3,600 seconds (one hour).
4. Click the Apply button.
13 sFlow Agent
Contents
Overview 13-2
Flow Sampling by the sFlow Agent 13-2
Counter Polling by the sFlow Agent 13-3
sFlow Receiver 13-4
Configuring sFlow Receiver Instances . . .
sFlow Agent Overview
Overview
The ProCurve Wireless Edge Services zl Module contains an sFlow agent. The sFlow agent samples traffic, treating the traffic that arrives on each adopted RP radio as a separate flow. In other words, the module’s sFlow agent monitors each radio much as a switch might monitor each physical interface. The sFlow agent forwards traffic information to an sFlow collector. Another term for an sFlow collector is an sFlow receiver.
On the Wireless Edge Services zl Module, data sources are RP radios, and “n,” the packet sampling rate, is configurable per radio and sampling instance (up to six per radio). In other words, the module orders radios to send approximately every “nth” packet to the module’s sFlow agent to be sampled, packaged, and sent to the sFlow receiver or receivers.
Note Only 802.11 data frames are sampled. The sFlow agent does not sample management and control frames such as beacons.
Counter polling works with flow sampling to create a more comprehensive picture of network traffic. The counters for total traffic supplement the more detailed information collected for samples. The sFlow agent obtains the counters by periodically polling radios. The agent polls radios as needed to fill datagrams most efficiently. However, you can configure the maximum time that can elapse before a radio must be polled.
The Wireless Edge Services zl Module can accommodate up to six sFlow receivers. The module’s receiver instances can be configured in one of three ways:
1. The sFlow receiver contacts the module’s agent and uses SNMP to reserve and configure a receiver instance (only instances 4, 5, and 6). The sFlow receiver reserves the instance by writing its owner string into that instance on the sFlow receiver table. The receiver also configures a receiver timeout value for itself.
You must specify all settings, including the sFlow receiver’s IP address and port, as well as owner string and timeout. To enable packet sampling or counter polling, you must configure an available sFlow instance of the appropriate type. Then match the instance to the receiver instance. This chapter focuses on configuring sFlow manually through the Web browser interface.
sFlow Agent Configuring sFlow Using the Web Browser Interface Configuring sFlow Using the Web Browser Interface The Wireless Edge Services zl Module’s sFlow agent is enabled by default. If your sFlow receiver (sometimes called an sFlow collector) can control the agent through SNMP, you do not need to configure the module further. You can check the module’s sFlow agent and verify that it is compatible with your sFlow receiver’s SNMP capabilities. Select Special Features > sFlow > Agent. Figure 13-1.
■ sFlow MIB Version—the agent’s MIB version. The MIB specifies how the agent extracts and bundles sampled data, and the sFlow receiver must support the agent’s MIB. The Wireless Edge Services zl Module’s MIB version is 1.3, so your sFlow collector’s version must also be at least 1.3.
■ Organization—HP. The sFlow receiver must also know the organization to identify the implementation of sFlow on this agent.
Appendix A: “ProCurve Wireless Edge Services zl Module Command Line Reference.”) The other receiver instances (4, 5, and 6), you can configure through the Web browser interface. When you specify the receiver manually, you must configure a variety of settings that the sFlow receiver would otherwise configure itself. These settings include not only the receiver’s IP address and port, but also how the module’s sFlow agent packages the samples.
Figure 13-3. Receiver Configuration Screen
4. In the Owner field, enter a string to identify the sFlow receiver.
5. In the Time Out field, specify a value in seconds from 1 to 999999999 (roughly 31 years). The timeout reserves this receiver instance for the specified receiver for the set amount of time. Generally, when you configure an sFlow receiver instance manually, you should set the timeout very high (to days or weeks).
9. From the 802.11 Map drop-down menu, choose how the module’s sFlow agent creates the sample. The default setting is Unchanged; the module creates the sample as specified by the 802.11 extensions to sFlow. For example, it includes the 802.11 header. If your sFlow receiver does not support the 802.11 extension, select Convert to Ethernet from the drop-down menu. The module’s sFlow agent then packages 802.
Figure 13-4. Special Features > sFlow > Flow Sampling Screen
The Wireless Edge Services zl Module’s sFlow agent begins sampling a flow when either of two conditions is met:
■ An sFlow receiver contacts the module’s sFlow agent and claims an open flow sampling instance (the Receiver Instance column displays 0). In this case, the receiver configures the sampling rate.
sFlow Agent Configuring sFlow Using the Web Browser Interface Figure 13-5. Flow Sampling Configuration Screen 4. From the Receiver Instance drop-down menu, choose the receiver index number associated with the sFlow receiver to which the module should send the samples. To easily track which settings apply to a specific sFlow collector, match the sFlow instance number to the receiver instance number. However, matching the numbers is not mandatory.
sFlow Agent Configuring sFlow Using the Web Browser Interface Of course, the activity on a radio changes over time, so there are no absolute rules for determining the best sampling rate. 6. Optionally, alter the value in the Maximum Header Size field to set the amount of data (in bytes) included in a sample. The module samples the specified number of bytes. For example, if you set the Maximum Header Size to 100, the module places the first 100 bytes of every sampled frame in a datagram.
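The steps above describe what the receiver gets from the module’s agent: a datagram whose flow samples carry the sampling rate, the sample pool and a raw header record holding the first Maximum Header Size bytes of each frame, as an 802.11 frame or (with Convert to Ethernet) as an Ethernet frame. The following Python script is an added example, not code from this guide or from ProCurve: it encodes and decodes a minimal sFlow v5 datagram following the public sFlow v5 record layout, then checks each header record against a Maximum Header Size of 100 bytes as in step 6. The agent address 192.0.2.10, the sampling rate of 256, and both sample frames are constructed for illustration; nothing here is taken from a module capture.

```python
import struct

# Constants from the public sFlow v5 datagram specification
SFLOW_VERSION = 5
ADDR_IPV4 = 1
SAMPLE_FLOW = 1              # enterprise 0, format 1: flow sample
RECORD_RAW_HEADER = 1        # enterprise 0, format 1: raw packet header record
HEADER_PROTO_ETHERNET = 1    # header_protocol: Ethernet / ISO 8023
HEADER_PROTO_IEEE80211 = 11  # header_protocol: IEEE 802.11 MAC (802.11 extension)


def _pad4(n):
    """XDR pads opaque data to a 4-byte boundary."""
    return (-n) % 4


def build_datagram(agent_ip, seq, samples):
    """Encode a minimal sFlow v5 datagram: one raw-header record per flow sample."""
    body = b""
    for s in samples:
        hdr = s["header"]
        rec = struct.pack(">IIII", s["header_protocol"], s["frame_len"], 0, len(hdr))
        rec += hdr + b"\x00" * _pad4(len(hdr))
        rec = struct.pack(">II", RECORD_RAW_HEADER, len(rec)) + rec
        fs = struct.pack(">IIIIIIII", s["seq"], s["source_id"], s["sampling_rate"],
                         s["sample_pool"], 0, 0, 0, 1) + rec   # drops, input, output, 1 record
        body += struct.pack(">II", SAMPLE_FLOW, len(fs)) + fs
    head = struct.pack(">II", SFLOW_VERSION, ADDR_IPV4)
    head += bytes(int(o) for o in agent_ip.split("."))
    head += struct.pack(">IIII", 0, seq, 0, len(samples))  # sub-agent id, sequence, uptime, count
    return head + body


def parse_datagram(data):
    """Decode the datagram into the agent address and its flow samples."""
    off = 0
    version, addr_type = struct.unpack_from(">II", data, off)
    off += 8
    if version != SFLOW_VERSION or addr_type != ADDR_IPV4:
        raise ValueError("unsupported sFlow datagram")
    agent = ".".join(str(b) for b in data[off:off + 4])
    off += 4
    _sub, seq, _uptime, nsamples = struct.unpack_from(">IIII", data, off)
    off += 16
    samples = []
    for _ in range(nsamples):
        stype, slen = struct.unpack_from(">II", data, off)
        off += 8
        end = off + slen
        if stype == SAMPLE_FLOW:
            sseq, source_id, rate, pool, drops, _in, _out, nrec = struct.unpack_from(
                ">IIIIIIII", data, off)
            off += 32
            records = []
            for _ in range(nrec):
                rtype, rlen = struct.unpack_from(">II", data, off)
                off += 8
                if rtype == RECORD_RAW_HEADER:
                    proto, frame_len, _stripped, hlen = struct.unpack_from(">IIII", data, off)
                    records.append({"header_protocol": proto, "frame_len": frame_len,
                                    "header": bytes(data[off + 16:off + 16 + hlen])})
                off += rlen          # rlen covers the fixed fields, the header and padding
            samples.append({"seq": sseq, "source_id": source_id, "sampling_rate": rate,
                            "sample_pool": pool, "drops": drops, "records": records})
        off = end                    # skip sample types this decoder does not handle
    return {"agent": agent, "seq": seq, "samples": samples}


def check_header_record(rec, max_header_size):
    """Collector-side check against the agent's Maximum Header Size setting."""
    hlen = len(rec["header"])
    return {"within_limit": hlen <= max_header_size,
            "truncated": hlen < rec["frame_len"],
            "is_80211": rec["header_protocol"] == HEADER_PROTO_IEEE80211}


# Constructed sample frames (not captured from a module). The 802.11 data frame is
# 1500 bytes on air; the agent kept its first 100 bytes (24-byte MAC header, LLC/SNAP, payload).
WIFI_HEADER = (bytes.fromhex("08010000" "001122334455" "66778899aabb" "ccddeeff0011" "1000")
               + bytes.fromhex("aaaa030000000800") + bytes(68))
ETH_FRAME = bytes.fromhex("66778899aabb" "001122334455" "0800") + bytes(46)  # 60-byte frame, kept whole

DATAGRAM = build_datagram("192.0.2.10", 7, [   # agent address is a constructed example
    {"seq": 1, "source_id": 1, "sampling_rate": 256, "sample_pool": 256,
     "header_protocol": HEADER_PROTO_IEEE80211, "frame_len": 1500, "header": WIFI_HEADER},
    {"seq": 2, "source_id": 1, "sampling_rate": 256, "sample_pool": 512,
     "header_protocol": HEADER_PROTO_ETHERNET, "frame_len": 60, "header": ETH_FRAME},
])


def summarize(data=DATAGRAM, max_header_size=100):
    """Apply the header-size check to every flow sample's first record."""
    return [check_header_record(s["records"][0], max_header_size)
            for s in parse_datagram(data)["samples"]]


if __name__ == "__main__":
    print(parse_datagram(DATAGRAM)["agent"], summarize())
```

The 802.11 record comes back truncated (100 of 1500 bytes), the short Ethernet frame does not; a receiver that lacks the 802.11 extension will see header_protocol 11 and should be given Convert to Ethernet instead.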
Figure 13-6. Special Features > sFlow > Counter Polling Screen

The separate instances allow the agent to report counters to up to six sFlow receivers. By default, counter polling is disabled: the instances are not mapped to receivers and the polling interval is set to 0.

3. Click the Edit button. The Counter Polling Configuration screen is displayed. For the Data Source, the screen displays the index and name of the radio that the module’s agent polls. The sFlow Instance shows which of the six instances you are currently configuring.

Figure 13-7. Counter Polling Configuration

4. Select 4, 5, or 6 from the Receiver Instance drop-down menu.
A  ProCurve Wireless Services zl Module Command Line Reference

Contents
Overview . . . A-7
Manager Commands . . . A-8
  acknowledge . . . A-9
  archive
  rename . . . A-32
  rmdir . . . A-33
  service . . . A-33
  show
  sflow . . . A-84
  show . . . A-86
  snmp-server . . . A-96
  spanning-tree
Show Commands . . . A-128
Show Commands (All Contexts) . . . A-130
  show access-list . . . A-130
  show aclstats
  show snmp-server . . . A-156
  show sntp . . . A-156
  show startup-config . . . A-157
  show terminal . . . A-158
  show time
Support Commands . . . A-185
Support Commands (All Contexts) . . . A-187
  support clear . . . A-187
  support copy . . . A-187
  support diag
Overview
This chapter describes the commands provided by the CLI. The CLI commands can be broken down into their respective context groups.

Command Group             Description                                Page
Manager Commands          Commands run from the Manager Context.     A-8
Global Configuration      Commands run from the Global Context.      A-53
Interface Configuration   Commands run from the Interface Context.   A-105
Wireless Configuration    Commands run from the Wireless Context.
Manager Commands
These commands are run from the Manager context of the wireless module’s CLI.

Command                                                   Function                                   Page
acknowledge alarm-log (all | <1-65535>)                   Acknowledges alarms.                       A-9
archive tar (create | table | xtract)                     Creates, lists, or extracts a tar file.    A-10
cd (DIR|)                                                 Changes directory.                         A-11
clear (alarm-log | arp | logging | wireless-statistics)   Clears cache and reporting logs.
redundancy-group-cli-config                               Enables redundancy group config context.   A-31
reload                                                    Performs a cold restart.                   A-31
rename FILENAME NEWFILENAME                               Renames a file.                            A-32
rmdir DIR                                                 Deletes a directory.                       A-33
service                                                   Enables service commands.                  A-33
show                                                      Shows running system information.          A-86
support                                                   Enables support functions.                 A-44
telnet WORD | WORD PORT                                   Opens a telnet connection.
Example
  HPswitch#acknowledge alarm-log 65535
  HPswitch#

archive
This command creates, lists, or extracts a tar file.
Syntax archive tar /(create | table | xtract)
• create - Create a tar file.
  – FILE - File or dir to archive [archive tar /create (FILE|URL) .FILE]
  – URL - Tar file URL
    URLs: tftp:///path/file ftp://:@/path/file http:///path/file sftp://@/path/file
• table - List files from a tar file.

cd
This command changes the current directory.
Syntax cd (DIR | )
• DIR - Change current directory to DIR.
Default Setting N/A
Command Mode Manager
Example
  HPswitch#cd
  HPswitch#
  HPswitch#cd TESTDIR
  HPswitch#

change master passwd
This command changes the password of the logged-in user.

clear
This command resets specified cache and reporting logs.
Syntax clear (alarm-log | arp | crypto | ip | layer3-mobility | logging | wireless-statistics)
• alarm-log (<1-65535> | acknowledged | all | new) - Clear alarm log.
  – <1-65535> - Clear specific alarm id.
  – acknowledged - Clear acknowledged alarms.
  – all - Clear all alarms.
  – new - Clear new alarms.
• arp - Clear arp cache.
Default Setting
Command Mode Manager
Example
  HPswitch#clear arp
  HPswitch#
  HPswitch#clear logging
  HPswitch#
  HPswitch#clear layer3-mobility station all

configure
This command enters the configure context.
Syntax configure (terminal|)
• terminal - Configure from the terminal (optional).

copy (continued)
• Files: flash: /path/file  nvram: startup-pconfig  system: running-config
  Filenames are case sensitive and limited to 45 chars.
• URL - URL from which to copy.
  – URLs: tftp:///path/file ftp://:@/path/file
  Filenames are case sensitive and limited to 45 chars.
Default Setting N/A
Command Mode Manager
Example
  HPswitch#copy ftp://ftp:ftp@172.20.15.5/test.conf switch:my.
ProCurve Wireless Services zl Module Command Line Reference Manager Commands – – – – – – – – – – – 13-mob Layer3 mobility logs media Encapsulation media logs radio Radio logs radio-port Radio-port logs radius Radius client logs self-heal Self-healing logs snmp SNMP logs station Station logs system System call logs wips WIPS sensor logs wisp WISP logs • ccstats Cell controller (Wireless) debugging messages – word CCStats module to be debugged • certmgr Certificate manager debugging messages – all trace
ProCurve Wireless Services zl Module Command Line Reference Manager Commands • – – – cc ccserver events error Error forwarding Dataplane forwarding – – – – AA-BB-CC-DD-EE-FF MAC address of the Station mu MU events and state changes packet Control Packets peer Peer establishment system System events nsm Network Service Module (NSM) – all Enable all debugging – events NSM events – kernel NSM kernel – packet NSM packets + detail Detailed information display + recv NSM receive packets - detail Detailed in
ProCurve Wireless Services zl Module Command Line Reference Manager Commands – – – err trace error messages from local radius server info trace error, warning and informational messages from radius server warn trace error and warning messages from radius server • redundancy Redundancy Protocol debugging messages – all Debugging all – ccmsg Msg exchange with CC – config Configuration processing – errors Errors – general General – heartbeats Heartbeats processing – init Redundancy initialization – packets
  – all - trace all messages from wirelessstatistics
  – error - trace error messages from wirelessstatistics
  – info - trace info messages from wirelessstatistics
Default Setting N/A
Command Mode Manager
Example
  HPswitch#debug mgmt cgi
  HPswitch#
  HPswitch#no debug mgmt sys
  HPswitch#

diff
This command displays the differences between two files.
Syntax diff (FILE | URL) (FILE | URL)
• FILE - Display the differences between FILE.
Example
  HPswitch#diff TESTFILE TESTFILE2
  --- TESTFILE
  +++ TESTFILE2
  @@ -1 +1 @@
  -testing edit, view, and delete file.
  +testing edit, erase, and contents of file.
  HPswitch#

dir
This command displays the list of available files on the filesystem.
Syntax dir (all | recursive |) (DIR | all-filesystems |)
• all - Display all available files.
• recursive - Display recursive files.

Example Two
  HPswitch# dir /recursive
  ------------------------------------------------------------------
  Directory of flash:/
  drwx    1024  Wed Dec  7 17:06:32 2005  hotspot
  drwx    1024  Thu Dec  8 09:31:07 2005  crashinfo
  drwx      80  Mon Feb 13 09:35:10 2006  log
  Directory of flash:/hotspot
  drwx    1024  Wed Feb  1 17:19:19 2006  lib
  drwx    1024  Wed Feb  1 17:19:19 2006  cgi-bin
  Directory of flash:/hotspot/lib
  -rwx   58476  Tue Jan 31 13:12:09 2006  libpthread.

edit
Example
  HPswitch#edit TESTFILE
  GNU nano 1.2.

erase
Example
  HPswitch#erase FILE
  HPswitch

exit
This command ends the current mode and reverts to the previous mode.
Syntax exit
Default Setting N/A
Command Mode Manager
Example
  HPswitch#exit
  HPswitch

help
This command provides a description of the interactive help system.

halt
This command halts the wireless module.
Syntax halt
Default Setting N/A
Command Mode Manager
Example
  HPswitch#halt
  Wireless module will be halted, do you want to continue? y
  ProCurve (config)#

logout
This command exits from the CLI.

mkdir
This command creates a directory.
Syntax mkdir DIR
• DIR - Directory name.
Default Setting N/A
Command Mode Manager
Example
  HPswitch#mkdir TESTDIR
  HPswitch#

more
This command displays the contents of a file.
Syntax more FILE
• FILE - File name.

no
This command negates a command or sets its defaults.
ProCurve Wireless Services zl Module Command Line Reference Manager Commands - cgi CGI - err Errors – - sys System mobility L3 Mobility + all All debugging (except "forwarding") + cc ccserver events + error Error + forwarding Dataplane forwarding - AA-BB-CC-DD-EE-FF MAC address of the Station + mu MU events and state changes - packet Control Packets - peer Peer establishment – - system System events nsm Network Service Module (NSM) + all Enable all debugging + events NSM events + kernel NSM kernel + pac
ProCurve Wireless Services zl Module Command Line Reference Manager Commands – + all Turn off all the debugging for radius redundancy Redundancy Protocol Debugging messages + all Debugging all + ccmsg Msg exchange with CC + config Configuration processing + errors Errors + general General + heartbeats Heartbeats processing + init Redundancy initialization + packets Packet processing + proc Process flow + shutdown Shutdown process + states Redundancy state machine + subagent Subagent + timer Timer handling
ProCurve Wireless Services zl Module Command Line Reference Manager Commands – + subagent Subagent wirelessstatistics wireless statistics + all trace all mesaages from wirelessstatistics + error trace error messages from wirelessstatistics + info trace info messages from wirelessstatistics • page Toggle paging • service Support Commands – radius Disable radius server • support Support Commands – diag Diagnostics + enable Disable in service diagnostics + period Set to default period – + watchdog dis
Command Mode Manager
Example
  HPswitch#no debug
  HPswitch

page
This command enables pausing of output to the screen. The no command disables the pausing of the output.
Syntax page
Default Setting N/A
Command Mode Manager
Example
  HPswitch#page
  HPswitch#

ping
This command sends ICMP echo request packets to another node on the network.
Syntax ping WORD
• WORD - Hostname or IP address of the host.
Command Usage
• Use the ping command to see if another site on the network can be reached.
• The following are some results of the ping command:
  – Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
  – Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds.

pwd
Example
  HPswitch#pwd
  flash:/
  HPswitch#

redundancy-group-cli-config
This command enables the redundancy group configuration context.
Syntax redundancy-group-cli-config (enable)
• enable - Enable redundancy group config context
Default Setting N/A
Command Mode Manager
Example
  HPswitch#redundancy-group-cli-config enable
  HPswitch

reload
This command halts and performs a warm reboot.
Example
  HPswitch#reload
  Wireless module will be rebooted,do you want to continue? (y/n): y
  Do you want to save current configuration? (y/n):y
  ProCurve(config)#

rename
This command renames a file.
Syntax rename FILE
• FILE - File to be renamed.
  – FILE - New file name.
Default Setting N/A
Command Mode Manager
Example To validate the name change, use the DIR command.

rmdir
This command deletes a directory.
Syntax rmdir DIR
• DIR - Directory to be deleted.
Default Setting N/A
Command Mode Manager
Example To validate that the directory is deleted, use the DIR command.

service
Command Mode Manager
Example
  HPswitch#service radius restart
  HPswitch

show
This command shows running system information.
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + informational Display all informational or higher severity alarms + major Display all major or higher severity alarms + normal Display all normal or higher severity alarms + warning Display all warning or higher severity alarms • commands Show command lists • crypto encryption module – ipsec Show IPSEC policy + sa IPSec Security Association + securityassociation securityassociation - lifetime lifetime + transformset transform
ProCurve Wireless Services zl Module Command Line Reference Manager Commands • flash Display boot status.
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + translations NAT translations - inside Inside ++ destination Destination ++ source Source - outside Outside ++ destination Destination ++ source Source – - verbose NAT Translations in realtime route IP routing table + A.B.C.D Network in the IP routing table to display + A.B.C.D/M IP prefix /, e.g., 35.0.0.
ProCurve Wireless Services zl Module Command Line Reference Manager Commands • mac Media Access Control – accesslist List MAC access lists • management Display L3 Managment Interface name • ntp Network time protocol – associations NTP associations – • passwordencryption password encryption – status Display passwordencryption status • privilege Show current privilege level • proxyarpdb Display proxyARP entries in ARP database • radius RADIUS configuration commands – configuration radius server
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + destination Displays information about the collector/managementstation to which the samplingpolling data is sent + samplingpolling Displays information about sampling and polling - <11000> A single radio index – • - RADIO A list (eg: 1,3,7) or range (eg: 37) of radio indices agent Displays readonly agent information snmp Display SNMP engine parameters – user snmp user to show + manager show manager info + operator show operato
ProCurve Wireless Services zl Module Command Line Reference Manager Commands - outdoor radio is placed outdoor + 11bg radio is of type 802.
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + ar Argentina + at Austria + au Australia + ba Bosnia Herzegovina + be Belgium + bg Bulgaria + bh Bahrain + bm Bermuda + br Brazil + bs Bahamas + by Belarus + ca Canada + ch Switzerland + cl Chile + cn China + co Colombia + cr Costa Rica + cy Cyprus + cz Czech Republic + de Germany + dk Denmark + do Dominican Republic + ec Ecuador + ee Estonia + eg Egypt + es Spain + fi Finland + fr France + gb United Kingdom + gr Greece + gt Gua
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + ht Haiti + hu Hungary + id Indonesia + ie Ireland + il Israel + in India + is Iceland + it Italy + jo Jordan + jp Japan + kr South Korea + kw Kuwait + kz Kazakhstan + li Liechtenstein + lk Sri Lanka + lt Lithuania + lu Luxembourg + lv Latvia + ma Morocco + mt Malta + mx Mexico + my Malaysia + nl Netherlands + no Norway + nz New Zealand + om Oman + pe Peru + ph Philippines + pk Pakistan + pl Poland + pt Portugal + qa Qatar + ro R
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + se Sweden + sg Singapore + si Slovenia + sk Slovak Republic + th Thailand + tr Turkey + tw Taiwan + ua Ukraine + us United States + uy Uruguay + ve Venezuela + vn Vietnam – + za South Africa rp Status of adopted radioport + <148> The index of the radioport for detailed information – – – + AA-BB-CC-DD-EE-FF The MAC address of a radioport for detailed information rpimages List of radioport images on the wireless module rpunadop
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + clients Wired web authentication clients – + config Wired web authentication configuration parameters wirelessmodulestatistics wirelessmodule statistics – + detail Detailed wirelessmodule statistics wlan Wireless LAN related parameters + config Wlan configuration - <132> A wlan index <132> - all All wlans in configuration - enabled Only wlans that are currently enabled + statistics WLAN statistics - <132> A wlan index <132> +
ProCurve Wireless Services zl Module Command Line Reference Manager Commands • copy Copy from one file to another – techsupport Copy extensive system information useful to technical support for troubleshooting a problem + URL URL to which to copy URLs: tftp:///path/file ftp://:@/path/ file http:///path/file sftp://@/path/file • diag Diagnostics – enable Enable in service diagnostics – limit diagnostic limit command + buffer buffer usage warning limit - 128 128 byte buffer limit ++ <065535> buffer usage
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + fan Fan speed limit - <11> Fan number ++ low Low speed limit -- <100015000> Limit value from 1000 to 15,000 + filesys file system freespace limit - etc2 /etc2 file system ++ WORD limit as a percentage - flash /flash file system ++ WORD limit as a percentage - ram /ram file system ++ WORD limit as a percentage + inodes file system inode limit - etc2 /etc2 file system ++ WORD limit as a percentage - flash /flash file system ++ WOR
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + temperature temperature limit - <18> temperature sensor number ++ critical critical temperature limit -- WORD 0.0 250.0 ++ high high temperature limit -- WORD 0.0 250.0 ++ low low temperature limit – -- WORD 0.0 250.
ProCurve Wireless Services zl Module Command Line Reference Manager Commands – upgradehistory Set size of upgrade history (default: 50) + <10100> History size • show Show running system information – autoinstallstatus Autoinstall status – chassis Chassis Details – cli Show CLI tree of current mode – commandhistory Display command (except show commands) history.
ProCurve Wireless Services zl Module Command Line Reference Manager Commands + station station serviceability parameters - history station history ++ XXXXXXXXXXXX station MAC • tethereal Dump and analyze network traffic – LINE tethereal options in the format [V (print detailed packet)] [x (hex dump of packet)] [p (no promiscuous mode for interface)] [n (disable name resolution)] [c ] [h (detailed help)] [E (to capture ESPD) ][e (capture nonEspd packets)] [f ] [i ] [W (wisp packet only)] [s ] [r (read cont
Default Setting N/A
Command Mode Manager
Example This example displays an incomplete route telnet message.
  HPswitch#telnet 10.1.0.9 23
  telnet: Unable to connect to remote host (10.1.0.9): No route to host
  HPswitch#

terminal
This command sets terminal line parameters.
Syntax terminal length | width
• length - Set number of lines on a screen.
  – <2-1000> - Number of lines on a screen.
• width - Set width of display terminal.

upgrade
This command upgrades the software image.
Syntax upgrade URL
• URL - Location of firmware image.
  – URLs: tftp:///path/file ftp://:@/path/file
Default Setting N/A
Command Mode Manager
Example
  HPswitch#upgrade tftp://192.168.1.10/WS.00.01.img
  HPswitch#

upgrade-abort
This command aborts an ongoing upgrade.

write
This command writes the running configuration to memory or terminal.
Syntax write memory | terminal
• memory - Write to NV memory.
• terminal - Write to terminal.
Default Setting N/A
Command Mode Manager
Example
  HPswitch#write terminal
  !
  ! configuration of ProCurveWLANModule Wireless Services version WS.01.XX.0551Sw6
  !
  version 1.
Global Commands
These commands are run from the Global Configuration context of the wireless module’s CLI.

Command             Function                                                                          Page
aaa                 Enables authentication, authorization and accounting configuration parameters.    A-54
access-list         Adds an access control list (ACL) entry.                                          A-56
boot                Reboots wireless module.                                                          A-56
cls                 Clears the display screen.                                                        A-57
country-code        Configures the country code.                                                      A-57
crypto              Encryption related commands.
radius-server       Enables radius server mode.                                                       A-79
[no] redundancy     (Negates) Configures redundancy group parameters.                                 A-82
service             Control the use of network services.                                              A-33
sflow               Configures or unclaims an sflow sampling receiver.                                A-84
show                Shows running system information.                                                 A-86
[no] snmp-server    (Negates) Modify SNMP server parameters.                                          A-96
spanning-tree       Spanning tree commands.
ProCurve Wireless Services zl Module Command Line Reference GlobalCommands • nas identifies the NAS originating the RADIUS access request (for VPN only) – WORD A string of up to 64 characters • vpnauthentication RADIUS setting – primary primay radius server + A.B.C.
Default Setting N/A
Command Mode Global
Example
  HPswitch#aaa authentication login default local
  HPswitch

access-list
This command adds an access control list (ACL) entry.
Syntax access-list (See switch reference.)
Default Setting N/A
Command Mode Global
Example
  HPswitch#access-list
  HPswitch

boot
This command reboots the wireless module.
Command Mode Global Configuration
Example
  HPswitch#configure
  HPswitch(config)#boot flash primary
  Wireless module will be rebooted, do you want to continue? (y/n): y
  Do you want to save current configuration? (y/n):n
  ProCurve(config)#

cls
This command clears the display screen.
Syntax cls
Default Setting N/A
Command Mode Global
Example
  HPswitch#cls
  HPswitch

country-code
This command configures the country of operation.

Table A-1. Country Codes

Country              Code   Country                        Code   Country                          Code   Country                Code
Brunei Darussalam    BN     Iran, Islamic Republic Of      IR     Nicaragua                        NI     Turkmenistan           TM
Bulgaria             BG     Iraq                           IQ     Nigeria                          NG     Ukraine                UA
Cambodia             KH     Ireland                        IE     Norway                           NO     United Arab Emirates   AE
Canada               CA     Israel                         IL     Oman                             OM     United Kingdom         GB
Chile                CL     Italy                          IT     Pakistan                         PK     United States          US
China                CN     Jamaica                        JM     Palestinian Territory, Occupied  PS     Urugua

crypto
This command configures encryption related commands.
ProCurve Wireless Services zl Module Command Line Reference GlobalCommands - esp3des ESP transform using 3DES cipher (168 bits) -espaes ESP transform using AES cipher -espaes192 ESP transform using AES cipher (192 bits) - espaes256 ESP transform using AES cipher (256 bits) -espdes ESP transform using DES cipher (56 bits) + espshahmac ESP transform using HMACSHA auth - esp3des ESP transform using 3DES cipher (168 bits) - espaes ESP transform using AES cipher - espaes192 ESP transform using AES cipher (192 b
ProCurve Wireless Services zl Module Command Line Reference GlobalCommands – peer remote peer + address Identity of remote peer is ipaddress - A.B.C.
ProCurve Wireless Services zl Module Command Line Reference GlobalCommands ++ dynamic dynamic map entry for XAUTH with modeconfig or ipsecl2tp configuration • pki Public Key Infrastructure commands – authenticate Authenticate and import ca certificate + WORD Trustpoint Name - URL URL to get the ca certificate from URLs: tftp:///path/file ftp://:@/path/file - terminal Copy & Paste mode of enrollment + WORD Trustpoint Name enroll Generate certificate request or selfsigned certificate for the trustpoint - r
Default Setting N/A
Command Mode Global
Example
  HPswitch#crypto ipsec securityassociation lifetime kilobytes WORD
  HPswitch

end
This command ends the current mode and changes to the Manager mode.
Syntax end
Default Setting N/A
Command Mode Global Configuration
Example
  HPswitch#configure
  HPswitch(config)#end
  HPswitch#

exit
This command ends the current mode and returns to the previous mode.
Example This example shows how to return to the previous command levels starting from the Manager Configuration mode and finally logging out of the CLI session.
  HPswitch#exit
  ProCurve (config)#exit
  ProCurve#exit
  ProCurve>exit
  Do you want to log out [y/n]?y
  Do you want to save your current configuration?n
  Connection to host lost.

fallback
This command configures the software fallback feature.

help
This command displays the interactive help system.
Syntax help
Default Setting N/A
Command Mode Global
Example
  HPswitch#help
  CLI provides advanced help feature. When you need help, anytime at the command line please press '?'.
  If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.
  Two styles of help are provided:
  1.

hostname
Default Setting Wireless Services
Command Mode Global Configuration
Example
  HPswitch#configure
  HPswitch(config)#hostname EXHOSTNAME
  ProCurve(wireless-services-B)(config)#
Related Commands show hostname (page A-138)

interface
This command provides an interface selection to configure.

ip (global)
This command configures Internet Protocol (IP) parameters. The no command negates this configuration.
ProCurve Wireless Services zl Module Command Line Reference GlobalCommands • domain Set default domain for DNS – WORD Domain string (e.g. company.com) • http Hyper Text Terminal Protocol (HTTP) – securetrustpoint Trustpoint to be used for secure connection + WORD Trustpoint Name • local IP address range assigned to VPN client using Modeconfig or IPSec with L2TP – pool specify address range + default default group tag - lowipaddress Lowest range for IP address ++ A.B.C.
ProCurve Wireless Services zl Module Command Line Reference GlobalCommands – +++ <165535> Inside global Port outside Outside address translation + destination Destination address translation -- static Specify static local>global mapping ++ A.B.C.D Outside local IP address (A.B.C.D) -- <165535> Outside local Port +++ tcp Transmission Control Protocol --- A.B.C.D Outside global IP address (A.B.C.D) ++++ <165535> Outside global Port +++ udp User Datatgram Protocol --- A.B.C.D Outside global IP address (A.B.
Default Setting N/A
Command Mode Global
Example
  HPswitch#configure
  HPswitch(config)#ip route 10.0.0.1/4 255.255.255.0
  HPswitch(config)#ip routing
  HPswitch(config)#ip web-management
  HPswitch(config)#
Related Commands show ip (page A-139)

licenses
This command configures licensing parameters.
Syntax licenses (hardwareid | install | uninstall)
• hardwareid - Generate a hardware Id for the license registration process.
Example
  HPswitch#configure
  HPswitch#licenses hardwareid radioports
  The hardware Id for package radio-ports is SG528WC011-H-EXAMPLE-8KJKPT6-T67XT6P-3GT8QJ9
  HPswitch(config)#
  HPswitch(config)#
Related Commands show licenses (page A-143)

logging
This command modifies message logging facilities. The no command negates the logging configuration.
• facility - Syslog facility in which log messages are sent
  – local0 - Syslog facility local0
  – local1 - Syslog facility local1
  – local2 - Syslog facility local2
  – local3 - Syslog facility local3
  – local4 - Syslog facility local4
  – local5 - Syslog facility local5
  – local6 - Syslog facility local6
  – local7 - Syslog facility local7
• host - Configure a remote host to receive log messages
  – A.B.C.
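The facility chosen with logging facility and the remote host set with logging host determine what the syslog server receives: each message carries a PRI field equal to facility * 8 + severity, with local0 through local7 numbered 16 through 23 under the standard syslog numbering. The following Python script is an added example, not code from this guide or from ProCurve; it shows how a receiving server decodes that field and filters on severity. The two sample log lines are constructed for illustration (the hostname wireless-services-B and the address 192.0.2.5 are placeholders), and the script assumes only the standard RFC 3164/5424 facility and severity values, not any module-specific message format.

```python
import re

# Standard syslog numbering (RFC 3164 / RFC 5424): local0..local7 are facilities 16..23,
# severities run from 0 (emergency) to 7 (debug), and PRI = facility * 8 + severity.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """PRI value a sender places on a message for this facility/severity pair."""
    fac = {name: num for num, name in FACILITY_NAMES.items()}[facility]
    return fac * 8 + SEVERITY_NAMES.index(severity)


def decode_line(line):
    """Split a received syslog line into facility, severity and message text."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI field: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac, sev = divmod(pri, 8)
    return {"facility": FACILITY_NAMES.get(fac, str(fac)),
            "severity": SEVERITY_NAMES[sev], "message": m.group(2)}


# Constructed sample lines (not captured from a module): local0/informational, local7/warning
SAMPLE_LINES = [
    "<134>Jan  1 00:00:01 wireless-services-B station: 00-11-22-33-44-55 associated",
    "<188>Jan  1 00:00:02 wireless-services-B radius: server 192.0.2.5 not responding",
]


def triage(lines=SAMPLE_LINES, at_least="warning"):
    """Keep only messages at or above a severity, as a syslog server filter would."""
    limit = SEVERITY_NAMES.index(at_least)
    return [d for d in map(decode_line, lines)
            if SEVERITY_NAMES.index(d["severity"]) <= limit]


if __name__ == "__main__":
    for entry in triage():
        print(entry["facility"], entry["severity"], entry["message"])
```

Sending the module’s messages on a dedicated local facility (local7 in the second sample line) lets the server route them to their own file or alert rule by facility alone, without parsing the message text.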
logout
This command logs the user out of the CLI.
Syntax logout
Default Setting N/A
Command Mode Global
Example
HPswitch#logout
HPswitch

mac
This command configures MAC access lists.
Syntax mac (access-list)
• access-list ACL configuration
– extended MAC extended ACL
+ WORD Name of the ACL

management
This command restricts local management access to the module (web, Telnet, and so on) to the management interface.
Syntax management (secure)
• secure Limits local access to the switch (web/telnet/etc.) to the management interface.
Default Setting N/A
Command Mode Global
Example
HPswitch#management
HPswitch

no
This command negates a command or restores its default.

ntp
This command configures NTP.
• broadcastdelay Estimated round-trip delay
– <1-999999> Round-trip delay in microseconds
• master Act as an NTP master clock
– <1-15> Stratum number
• peer Configure NTP peer
– WORD Name/IP address of peer
+ autokey Configure autokey peer authentication scheme
- prefer Prefer this peer when possible
- version Configure NTP version
+ key Configure peer authentication key
- <1-65534> Peer key number
++ prefer Prefer this peer when possible
Example
HPswitch#ntp access-group peer <1-99>
HPswitch

password-encryption
This command encrypts passwords in the configuration. The no command negates the encryption. Because the encryption is reversible (the module must recover the RADIUS keys in order to use them), anyone who holds both a configuration backup and the secret phrase can recover the original keys, so keep the phrase out of the backups.
Syntax password-encryption (secret)
no password-encryption
• secret - Encrypts passwords with a secret phrase.
– 2 - Type of encryption: SHA256-AES256.
+ LINE - Passphrase for encryption.
Command Mode Global
Example
HPswitch#proxy-arp A.B.C.D
HPswitch

radius-server
This command configures RADIUS server parameters.
Syntax radius-server (host | key | local | retransmit | timeout)
• host Specify a RADIUS server
– A.B.C.D
++++ LINE Text for this server's key, up to 127 characters
--- LINE Text for this server's key, up to 127 characters
++ timeout Time to wait for this RADIUS server to reply (overrides default)
-- <1-1000> Timeout value in seconds to wait for server to reply
+++ key Per-server encryption key (overrides default)
--- 0 Password is specified UNENCRYPTED
++++ LINE Text for this server's key, up to 127 characters
--- 2 Password is encrypted with password-encryption secret
+++ LINE Text for this server's key, up to 127 characters
-- LINE Text for this server's key, up to 127 characters
++ retransmit Number of retries to active server (overrides default)
-- <0-100> Number of retries to this server for a transaction
+++ key Per-server encryption key (overrides default)
--- 0 Password is specified UNENCRYPTED
++++ LINE Text for this server's key, up to 127 characters
--- 2 Password is encrypted with password-encryption secret
--- 2 Password is encrypted with password-encryption secret
++++ LINE Text for this server's key, up to 127 characters
--- LINE Text for this server's key, up to 127 characters
• key Encryption key shared with the RADIUS servers
– 0 Password is specified UNENCRYPTED
+ LINE Text of shared key, up to 127 characters
– 2 Password is encrypted with password-encryption secret
+ LINE Text of shared key, up to 127 characters
– LINE Text of shared key, up to 127 characters
• group-id Set the redundancy group id
– <1-65535> Redundancy group Id
• handle-stp Delay the redundancy protocol state machine execution, considering STP
– enable Set handle-stp to true
• heartbeatperiod Set the redundancy heartbeat interval.
– <1-255> Heartbeat interval in seconds (default is 5)
• holdperiod Set the redundancy hold interval.
service
This command controls the use of network services.

sflow
• <1-3> Select one of three possible sFlow receiver tables
– destination IP address of sFlow collector/management station
+ A.B.C.D IP address (e.g. 10.0.0.1)
-- 80211toethernet Sampled interfaces will emulate Ethernet interfaces for sFlow collectors and management applications that don't support the sFlow 802.
Example
HPswitch#sflow <1-3> destination A.B.C.D 80211toethernet
HPswitch

show
This command shows running system information.
+ normal Display all normal or higher severity alarms
+ warning Display all warning or higher severity alarms
• commands Show command lists
• crypto Encryption module
– ipsec Show IPsec policy
+ sa IPsec Security Association
+ securityassociation Security association
- lifetime Lifetime
+ transformset Transform set
- WORD Transform set name or all transform sets
– isakmp Show ISAKMP
+ policy Policy
- <1-10000> priority
- all isakmp po
• hostname Display system's network name
• interfaces Interface status and configuration
– IFNAME Interface name
– dnlink Dnlink interface
– tunnel Tunnel interface
+ <1-32> Tunnel Id
– uplink Uplink interface
– vlan Vlan interface
+ <1-4094> Vlan Id
• ip Internet Protocol (IP)
– access-group Display ACLs attached to an interface
+ IFNAME Interface name
+ dnlink Ethernet Interface Id
+ uplink Ethernet Interface
+ vlan Vlan Interface
++ source Source
- outside Outside
++ destination Destination
++ source Source
- verbose NAT translations in real time
– route IP routing table
+ A.B.C.D Network in the IP routing table to display
+ A.B.C.D/M IP prefix /, e.g., 35.0.0.
• ntp Network time protocol
– associations NTP associations
+ detail Show detail status
– NTP Status
• password-encryption Password encryption
– status Display password-encryption status
• privilege Show current privilege level
• radius RADIUS configuration commands
– configuration RADIUS server configuration parameters
– eap EAP parameters
+ configuration EAP configuration
– group RADIUS group configuration
+ WORD Exist
– RADIO A list (eg: 1,3,7) or range (eg: 3-7) of radio indices
– agent Displays read-only agent information
• snmp Display SNMP engine parameters
– user SNMP user to show
+ manager Show manager info
+ operator Show operator info
+ snmptrap Show trap info
• snmp-server Display SNMP engine parameters
– traps Display trap enable flags
+ wireless-statistics Display wireless-stats rate traps
- radio Display radio rate traps
- station Di
+ filterlist Display the list of currently filtered stations
– mac-auth-local List the mac-auth-local entries
+ <1-1000> mac-auth-local entry to display
– multicast-packet-limit Multicast packet limit
– phrase-to-key Display the WEP keys generated by a passphrase
+ wep128 Display WEP128 keys
- LINE The passphrase (between 4 and 32 characters)
+ wep64 Display WEP64 keys
- LINE The passphrase (between 4 and 32 characters)
– qos-mappin
+ bh Bahrain + bm Bermuda + br Brazil + bs Bahamas + by Belarus + ca Canada + ch Switzerland + cl Chile + cn China + co Colombia + cr Costa Rica + cy Cyprus + cz Czech Republic + de Germany + dk Denmark + do Dominican Republic + ec Ecuador + ee Estonia + eg Egypt + es Spain + fi Finland + fr France + gb United Kingdom + gr Greece + gt Guatemala + gu Guam + hk Hong Kong + hn Honduras + hr Croatia + ht Haiti + hu Hungary + id Indonesi
+ is Iceland + it Italy + jo Jordan + jp Japan + kr South Korea + kw Kuwait + kz Kazakhstan + li Liechtenstein + lk Sri Lanka + lt Lithuania + lu Luxembourg + lv Latvia + ma Morocco + mt Malta + mx Mexico + my Malaysia + nl Netherlands + no Norway + nz New Zealand + om Oman + pe Peru + ph Philippines + pk Pakistan + pl Poland + pt Portugal + qa Qatar + ro Romania + ru Russia + sa Saudi Arabia + se Sweden + sg Singapore + si Slovenia
+ tw Taiwan + ua Ukraine + us United States + uy Uruguay + ve Venezuela + vn Vietnam + za South Africa
– rp Status of adopted radio-port
+ <1-48> The index of the radio-port for detailed information
+ AA-BB-CC-DD-EE-FF The MAC address of a radio-port for detailed information
– rpimages List of radio-port images on the wireless module
– rpunadopted List of unadopted radio-ports
– self-heal-config Self-healing configuration parameters
+ <1-10
- <1-32> A wlan index
- all All wlans in configuration
- enabled Only wlans that are currently enabled
+ statistics WLAN statistics
- <1-32> A wlan index
++ detail Detailed wlan statistics
• wlan-acl WLAN based ACLs
– <1-256> Display ACLs attached to the specified WLAN id
– all Display ACLs attached to WLAN ports
Default Setting N/A
Command Mode Global
Example
HPswitch#show access-list <1-99>
HPswitch

snmp-server
This c
- lowFsSpace - Available file system space is lower than the limit.
- processMaxRestrartsReached - Process has reached max restarts.
+ nsm - Enable nsm traps.
- dhcpIPChanged - DHCP IP changed.
+ snmp - Enable SNMP traps.
- authentication - Enable authentication trap.
- coldstart - Enable coldStart trap.
- linkdown - Enable linkDown trap.
- linkup - Enable linkUp trap.
+ upd-server - Enable upd-server traps.
++ deniedAssocationOnInvalidWPAWPA2IE - Wireless station denied association due to invalid/absent WPA/WPA2 IE.
++ deniedAssocationOnRates - Wireless station denied association due to incompatible transmission rates.
++ deniedAssocationOnSSID - Wireless station denied association due to invalid SSID.
++ deniedAssocationOnShortPream - Wireless station denied association due to lack of short preamble support.
- wireless-module - Modify wireless-module rate traps.
++ num-stations-greater-than - Number of associated stations is greater than.
++ pktsps-greater-than - Packets per second is greater than.
++ tput-greater-than - Throughput in Mbps is greater than.
• host - SNMP server host.
– A.B.C.D - SNMP server host IP address.
• location - Text for MIB object sysLocation.
• manager - Enable SNMP manager.
Command Mode Global Configuration
Example
HPswitch# configure
HPswitch(config)#snmp-server community private restricted
HPswitch(config)#snmp-server contact Paul
HPswitch(config)#snmp-server location 2F R19
Related Commands show snmp (page A-154)

spanning-tree
This command configures spanning tree.
Syntax spanning-tree (mst)
• mst - Multiple spanning tree.
Default Setting Enabled
Command Mode Global Configuration
Example
HPswitch#configure
HPswitch(config)#time 20:32:26
HPswitch(config)#
Related Commands show time (page A-158)

timezone
This command configures timezone parameters. The no command negates this configuration.
Syntax timezone (TIMEZONE)
no timezone
• TIMEZONE - File containing the timezone. Press Enter to traverse the list of files.

upd-server
This command configures auto-install update server parameters. The no command negates this configuration.
Related Commands show upd-server (page A-159)

username
This command configures user names for authentication.
Example
HPswitch#username WORD access console
HPswitch

wireless
This command enters the wireless context. This section does not detail the commands in the wireless context; refer to the Wireless Context Command section.
Syntax wireless
Default Setting N/A
Command Mode Global Configuration
Example
HPswitch#configure
HPswitch(config)#wireless
HPswitch(config-wireless)#

wlan-acl
This command configures WLAN-based access lists.
Example
HPswitch#configure
HPswitch(config)#wlan-acl
HPswitch(config)#

Interface Commands
These commands are used in the Interface context.
Command            Function                                        Page
[no] description   (Negates) Interface-specific description.      A-105
end                Detailed in Global Command section.            A-64
exit               Detailed in Manager Command section.
Command Mode Interface Configuration
Example
HPswitch#configure
HPswitch(config)#interface vlan1
HPswitch(config-if)#description EXAMDES
HPswitch(config-if)#
Related Commands show interfaces (page A-138)

ip (interface)
This command configures IP parameters of the interface. The no command negates this configuration.
Syntax ip (address)
no ip address
• address - Configures an Internet Protocol address on the interface.
– A.B.C.D

management
This command configures the selected interface as the management interface.
Syntax management
Default Setting N/A
Command Mode Interface Configuration
Example
HPswitch#configure
HPswitch(config)#interface vlan1
HPswitch(config-if)#management
HPswitch(config-if)#
Related Commands show management (page A-144)

mtu
This command sets the MTU value for the VLAN interface.
Wireless Commands
These commands are used in the Wireless context. (A-108)
Command                   Function                                                  Page
[no] adopt-unconf-radio   (Negates) Adopts an unconfigured radio.                  A-109
[no] adoption-pref-id     (Negates) Configures a preference identifier.            A-109
[no] advanced-config      (Negates) Enables advanced configuration.                A-110
[no] ap-detection         (Negates) Configures neighboring access point detection.

adopt-unconf-radio
This command adopts a radio even if it is not yet configured; the default templates are used for its configuration. The no command negates this configuration.
Syntax adopt-unconf-radio (enable)
no adopt-unconf-radio enable
• enable - Enables the adoption of unconfigured radios.
Example
HPswitch#configure
HPswitch(config)#wireless
HPswitch(config-wireless)#adoption-pref-id 600
HPswitch(config-wireless)#

advanced-config
This command allows advanced configuration of WLAN settings. The no command negates this configuration.
Syntax advanced-config
no advanced-config
• enable - Enables support for the advanced configuration.
– add - Add an entry to the approved AP list.
+ <1-200> - Index where this approved entry will be added.
- MAC - MAC address in AA-BB-CC-DD-EE-FF format.
++ LINE - A string of up to 32 characters.
++ any - Any SSID.
- any - Any MAC address.
++ LINE - A string of up to 32 characters.
++ any - Any SSID.
• enable - Allow radio-ports to look for APs.
dot11-shared-key-auth
This command enables support for 802.11 shared key authentication. The no command negates the support.
NOTE: Shared key authentication has known weaknesses that can compromise your WEP key (the cleartext challenge and its WEP-encrypted response together reveal a keystream that an eavesdropper can reuse). Configure it only to accommodate wireless stations that cannot perform Open System authentication.
• filter-ageout - Set the number of seconds to filter a station that set off IDS.
– <0-65535> - Time in seconds.
Command Mode Wireless Configuration
Example
HPswitch#configure
HPswitch(config)#wireless
HPswitch(config-wireless)#mac-auth-local 10 allow 00-14-bd-be-72-00 00-14-bd-be-72-02 1
HPswitch(config-wireless)#
Related Commands show wireless mac-auth-local entries (page A-131)

proxy-arp
This command responds to ARP requests from the RON to WLAN on behalf of stations. The no command disables support for the proxy-ARP response.
radio
This command configures the radio parameters. The no command negates the radio parameter configuration.
Note: To configure many of the radio parameters, you must first configure the country code. See country-code.
Syntax radio ( <1-1000> | RADIO | add | all-11a | all-11bg | configure-8021X | default-11a | default-11bg )
no radio
• <1-1000> - A single radio index.
– WLAN - A list (eg: 1,3,7) or range (eg: 3-7) of WLAN indices. When a BSS is also specified, the first WLAN is used as the primary WLAN. When the auto option is used, the system automatically assigns the first four WLANs as primaries on their respective BSSs.
– channel-power - Location, channel and transmit power level.
+ indoor - Indoor location.
+ outdoor - Outdoor location.
+ {1,2,5p5,6,9,11,12,18,24,36,48,54} - Mbps.
+ {basic1,basic2,basic5p5,basic6,basic9,basic11,basic12,basic18,basic24,basic36,basic48,basic54} - Mbps.
+ default - Factory default rates based on radio type.
+ range - All rates enabled, the lowest one set to basic.
+ throughput - All rates basic (note: only g clients allowed on 11bg).
– wmm - 802.11e / Wireless MultiMedia parameters.
+ WORD - 802.1X username.
- password - Specify the 802.1X password the radio-port must use.
++ WORD - 802.1X password.
self-heal
This command configures self-healing. The no command negates the configuration.
Syntax self-heal (interference-avoidance | neighbor-recovery)
no self-heal
• interference-avoidance - Interference avoidance configuration.
– enable - Enables/disables interference avoidance.
– hold-time - The number of seconds to disable interference avoidance after a detection.
Example
HPswitch#configure
HPswitch(config)#wireless
HPswitch(config-wireless)#self-heal interference-avoidance enable
HPswitch(config-wireless)#self-heal neighbor-recovery enable
HPswitch(config-wireless)#self-heal neighbor-recovery neighbors 5 5
HPswitch(config-wireless)#self-heal neighbor-recovery neighbor-detect run-
HPswitch(config-wireless)#
Related Commands show wireless self-heal-config (page A-178)

wlan
This command c
- 2 - Password is encrypted with password-encryption secret.
++ WORD - The 256 bit (64 hex characters) long key.
- WORD - The 256 bit (64 hex characters) long key.
+ key-rotation - Controls the periodic update of the broadcast keys of all associated stations.
- enable - Enables key rotation.
+ key-rotation-interval - Configures the broadcast key rotation interval.
- <60-86400> - The key rotation interval in seconds.
+ mcast1 - The egress prioritization multicast mask.
- MAC - MAC address in AA-BB-CC-DD-EE-FF format.
+ mcast2 - The egress prioritization multicast mask.
- MAC - MAC address in AA-BB-CC-DD-EE-FF format.
+ prioritize-voice - Prioritize voice frames over general data frames (applies to non-WMM stations).
+ svp - Support for Spectralink Voice Prioritization.
- enable - Enable Spectralink Voice Prioritization support on this WLAN.
++ cw - Contention window parameters: wireless stations pick a number between 0 and the minimum contention window to wait before retrying transmission. Stations then double their wait time on a collision until it reaches the maximum contention window.
+++ <0-15> - cwMin: the minimum contention window exponent. The actual value used is (2^cwMin - 1).
+++ <0-15> - cwMax: the maximum contention window exponent. The actual value used is (2^cwMax - 1).
+ timeout - Time the wireless module waits for a response from the RADIUS server before retrying.
- <1-60> - Timeout in seconds.
++ retransmit - Number of retries before the wireless module gives up and disassociates the station.
- <1-10> - Retry count.
– station - Modifies RADIUS/802.1X supplicant related parameters.
+ timeout - Time the wireless module waits for a response from the RADIUS server before retrying.
-- description - Text that is displayed as the main body (normal font, middle of page) of the web page.
-- footer - Text that is displayed at the footer (smaller font, bottom section) of the web page.
-- header - Text that is displayed as a header (large font, top section) of the web page.
-- main-logo - Main image (large size) that is served by the local web page. Appears between the header and description on the web page.
+ phrase - Specify a passphrase from which the keys are to be derived.
- LINE - The passphrase, between 4 and 32 characters long.
+ web-default-key - Configures the transmit key index.
- <1-4> - The key index to be used for transmission from AP to MU.
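Both the wlan phrase option above and show wireless phrase-to-key derive WEP keys from a 4 to 32 character passphrase. The following is an added example, not code from the ProCurve manual: it implements the de facto passphrase-to-key algorithm most vendors use (the Neesus Datacom generator for the four 40-bit WEP64 keys and MD5 over the repeated passphrase for the 104-bit WEP128 key) and demonstrates why WEP64 passphrase keys are far weaker than 40 bits. That this module's output matches these generators is an assumption; the weakness shown is a property of the generator itself, not a finding about the module.

```python
"""Passphrase-to-WEP-key derivation and the weakness it carries.

Added example, not code from the ProCurve manual. It implements the de facto
algorithm most vendors use to turn a passphrase into WEP keys: the Neesus
Datacom generator (a 32-bit seed fed to an LCG) for the four 40-bit WEP64 keys,
and MD5 over the passphrase repeated to 64 bytes for the 104-bit WEP128 key.
That this module's `phrase-to-key` output matches these generators is an
assumption; the weakness demonstrated is a property of the generator itself.
"""
import hashlib


def check_phrase(passphrase):
    """Apply the manual's 4..32 character limit and return the ASCII bytes."""
    if not 4 <= len(passphrase) <= 32:
        raise ValueError("passphrase must be 4 to 32 characters")
    return passphrase.encode("ascii")


def lcg_keys(seed):
    """Four 5-byte keys from a 32-bit seed, using the MSVC rand() LCG."""
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)      # bits 16..23 of the state
        keys.append(bytes(key))
    return keys


def wep64_keys(passphrase):
    """The four WEP64 keys: XOR the passphrase bytes into a 32-bit seed, then run the LCG."""
    seed = 0
    for i, b in enumerate(check_phrase(passphrase)):
        seed ^= b << (8 * (i % 4))
    return lcg_keys(seed & 0xFFFFFFFF)


def wep128_key(passphrase):
    """The WEP128 key: first 13 bytes of MD5 over the passphrase repeated to 64 bytes."""
    data = check_phrase(passphrase)
    return hashlib.md5((data * (64 // len(data) + 1))[:64]).digest()[:13]


def wep64_effective_bits():
    """Why WEP64 passphrase keys are weak.

    Each output byte is bits 16..23 of the LCG state, and multiplying mod 2**32
    never lets a high bit influence a lower one, so seed bits 24..31 never reach
    the output: every 4th passphrase character (positions 3, 7, 11, ...) is
    ignored entirely. Printable ASCII keeps bit 7 of every character clear, so
    seed bits 7, 15 and 23 are always 0 as well, leaving 24 - 3 = 21 bits of
    effective key space, a few million candidates.
    """
    return 21


if __name__ == "__main__":
    print("WEP64 keys:", [k.hex() for k in wep64_keys("abcd")])
    print("same keys :", [k.hex() for k in wep64_keys("abcz")])   # 4th character ignored
    print("WEP128 key:", wep128_key("abcd").hex())
    print("WEP64 search space: 2 **", wep64_effective_bits())
```

The practical consequence for the NOTE on shared-key authentication above: a WEP64 key that came from a passphrase can be recovered by enumerating about two million seeds once any keystream is known, so passphrase-derived WEP64 keys should be treated as having no meaningful secrecy.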
wlan-prioritization
This command uses WLAN priority weights to determine packet queueing order. The no command disables this support.
Syntax wlan-prioritization (enable)
no wlan-prioritization enable
• enable - Enables prioritization across wireless LANs.
Show Commands
These commands are common to all contexts and display configured parameters.
Command                     Function                                                      Page
Show Commands (All Contexts)                                                              A-128
show access-list            Displays IP access lists.                                     A-130
show aclstats               Displays ACL statistics.                                      A-130
show alarm-log              Displays list of alarms occurring since boot.                 A-131
show commands               Shows command lists.                                          A-132
show crypto                 Displays encryption related commands.
show password-encryption    Displays password encryption.                                 A-151
show privilege              Displays current privileges.                                  A-146
show proxy-arpdb            Displays proxy-ARP entries in the ARP database.               A-147
show radius                 Displays RADIUS configuration information.                    A-147
show redundancy-group       Displays redundancy group parameters.                         A-151
show redundancy-history     Displays state transition history of the wireless module.
Show Commands (All Contexts)
This section details the show commands available in all contexts.

show access-list
This command displays IP access lists.

show aclstats
This command displays ACL statistics.
Default Setting N/A
Command Mode Manager
Example
HPswitch#show aclstats
HPswitch#

show alarm-log
This command displays all alarms since the last boot.
Example
HPswitch#show alarm-log
No Alarms in the alarm log
HPswitch#

show commands
This command displays command lists.
Example
HPswitch#show commands
acknowledge alarm-log (all|<1-65535>)
cd (DIR|)
clear alarm-log (new|all|acknowledged|<1-65535>)
clear arp (IFNAME|)
clear logging
clear wireless-statistics
configure (terminal
+ sa All crypto ISAKMP Security Associations
– key Authentication key management
+ mypubkey Show public keys associated with the switch
- rsa Show RSA public keys
– map Crypto maps
+ interface Crypto maps for an interface.

show debug
Default Setting N/A
Command Mode Manager
Example
HPswitch#show debug
debugging is off
HPswitch#

show dhcp
This command displays DHCP server information.

show file
Default Setting N/A
Command Mode Manager
Example
HPswitch#show file information TESTFILE
flash:TESTFILE:
type is text file
HPswitch#
HPswitch#show file systems
File Systems:
Size(b)    Free(b)    Type     Prefix
-          -          opaque   system:
4058112    2691072    flash    nvram:
5057536    2764800    flash    flash:
-          -          network  tftp:
-          -          network  ftp:
-          -          network  scp:
HPswitch#

show flash
This command displays flash information.
Example
HPswitch#show flash
Image      Build Date             Install Date           Version
Primary    Nov 17 22:16:26 2005   Nov 22 15:18:17 2005   WS.01.XX.0551Swami
Secondary  Nov 17 22:16:26 2005   Nov 21 13:10:07 2005   WS.01.XX.0551Swami
Current Boot      : Primary
Next Boot         : Primary
Software Fallback : Enabled
HPswitch#

show ftp
This command displays FTP server configuration.
Command Mode Manager
Example
HPswitch#show history
1 show hostname
2 show history
HPswitch#

show hostname
This command displays the network name of the system.
Syntax show hostname
Default Setting N/A
Command Mode Manager
Example
HPswitch#show hostname
Configured hostname : Wireless Services
HPswitch#

show interfaces
This command displays interface status and configuration.
Default Setting N/A
Command Mode Manager
Example
HPswitch#show interfaces dnlink
Interface dnlink
  Hardware Type Ethernet, Interface Mode Layer 2, address is 00-01-e6-f5-86-fc
  index=2, metric=1, mtu=1500, (PAL-IF)
  Speed: Admin Auto, Operational 1G, Maximum 1G
  Duplex: Admin Auto, Operational Full
  input packets 1372779, bytes 457008862, dropped 0, multicast packets 0
  input errors 0, leng
– dhcpvendoroptions DHCP Option 43 parameters received from DHCP server
– dns DNS nameservers
– domain Default domain for DNS
– interface IP interface status and configuration
+ IFNAME Interface name
+ tunnel Tunnel interface
- <1-32> Tunnel Id
+ vlan Vlan interface
- <1-4094> Vlan Id
– nat Network Address Translation (NAT)
+ interfaces NAT configuration on interfaces
+ translations NAT translations
- inside Inside
++
Examples
HPswitch#show ip arp
IP Address      MAC Address         Interface   Type
192.168.15.1    00-14-bf-bf-72-30   vlan1       dynamic
HPswitch#
HPswitch#show ip dns
68.87.76.178    dynamic
68.87.66.196    dynamic
HPswitch#
HPswitch#show ip domain
IP dns-lookup : Enable
Domain Name   : hsd1.ca.comcast.net.
HPswitch#
HPswitch#show ip interface vlan1
Interface   IP-Address
vlan1       192.168.15.
+ A.B.C.D
show licenses
This command displays installed licenses.
Syntax show licenses (uninstalled)
• uninstalled - Display uninstalled licenses.

show logging
Example
HPswitch#show logging
Syslog logging: enabled
Aggregation time: disabled
Console logging: level debugging
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
Log Buffer (0 bytes):
HPswitch#

show mac
This command displays the MAC access control lists.

show management
Default Setting N/A
Command Mode Manager
Example
HPswitch#show management
Mgmt Interface: vlan1
HPswitch#

show ntp
This command displays network time protocol status.

show password-encryption
This command displays password encryption parameters.
Syntax show password-encryption (status)
• status - Displays password-encryption status.
Default Setting N/A
Command Mode Manager
Example
HPswitch#show password-encryption status
Password encryption is disabled
HPswitch#

show privilege
This command shows the current privilege level.

show proxy-arpdb
This command displays proxy-ARP entries in the ARP database.
Syntax show proxy-arpdb
Default Setting N/A
Command Mode Manager
Example
HPswitch#show proxy-arpdb
HPswitch#

show radius
This command displays RADIUS configuration information.
Command Mode Manager
Example
HPswitch#show radius configuration
Radius Server Configuration
---------------------------
Server Status : enabled
Data Source   : local
HPswitch#
• redundancy-group Display redundancy group parameters
– runtime Display runtime redundancy group information.
• redundancy-history Display state transition history of the wireless module.
Examples: These examples display runtime and group information.
HPswitch#show redundancy-group runtime
Redundancy Group Runtime Information
Redundancy Protocol Version          :
Redundancy Group Authorization Level :
Radio Ports Adopted by Group         :
Radio Ports Adopted by this Module   :
Redundancy State                     :
Established Peer(s) Count            :
Redundancy Group Connectivity status : 1.
Command Mode Manager
Example
HPswitch#show redundancy-history
State Transition History
Time                   Event                 Triggered State
--------------------------------------------------------
Apr 25 07:42:30 2006   Redundancy Disabled   Disabled
HPswitch#

show redundancy-members
This command displays redundancy group members.
Syntax show redundancy-members (A.B.C.D | brief)
– A.B.C.D

show running-config
This command displays the current operating configuration.
Syntax show running-config (include-factory)
• include-factory - Include the factory defaults.
Example
HPswitch#show running-config
! configuration of ProCurveWLANModule Wireless Services version WS.01.03 on Tue6
!
version 1.0
!
no country-code
redundancy group-id 50
redundancy interface-ip 10.10.1.20
redundancy holdtime-period 20
redundancy discovery-period 10
redundancy handle-stp enable
redundancy member-ip 10.10.1.
show securitymgr
This command displays securitymgr event logs.
Syntax
show securitymgr (event-logs)
– event-logs Displays securitymgr event log.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show securitymgr event-logs
Event Logs
========================
1> Tue Jan 23 2007 17:30:07: CORRUPT_PACKET: source vlan1: udp: Src 15.29.37.
+ sampling-polling Displays information about sampling and polling
  - <11000> A single radio index
  – RADIO A list (eg: 1,3,7) or range (eg: 3-7) of radio indices
agent Displays read-only agent information.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show sflow agent
#Version : 1.3;HP;WS.02.01.24258R
Agent Address : 15.255.124.152
HPswitch

show snmp
This command displays snmp engine parameters.
Examples
HPswitch#show snmp user
userName  manager                   operator
access    rw                        ro
engineId  0000000c000000007f000001  0000000c000000007f000001
Auth      MD5                       MD5
Priv      DES                       DES

HPswitch#show snmp-server traps
---------------------------------------------------------------------
Global enable flag for Traps N
---------------------------------------------------------------------
Enable flag status for Individual Traps
-------------------
show snmp-server
This command displays SNMP server information.
Syntax
snmp-server (traps)
– traps Displays trap-enable flags.
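The module prints `show snmp user` one attribute per row and one column per user, which makes a quick audit awkward by eye. The following is an added example, not ProCurve code: it transposes that layout into one record per user and reports users whose SNMPv3 authentication or privacy protocol is a legacy choice, or who hold read-write access. The sample output is constructed in the manual's layout (the `auditor` user is invented for contrast); the protocol lists encode general hardening guidance (SHA-based HMAC over HMAC-MD5-96, AES over CBC-DES) and are this example's assumption, not a statement about what the module supports.

```python
"""Audit of 'show snmp user' output for legacy SNMPv3 algorithm choices.

Added example, not ProCurve code. Sample output and policy lists are
constructed assumptions for illustration.
"""
from __future__ import annotations

# Constructed sample in the layout of 'show snmp user' (third user invented).
SHOW_SNMP_USER_OUTPUT = """\
userName  manager                   operator                  auditor
access    rw                        ro                        ro
engineId  0000000c000000007f000001  0000000c000000007f000001  0000000c000000007f000001
Auth      MD5                       MD5                       SHA
Priv      DES                       DES                       AES
"""

# Assumed policy: HMAC-MD5-96 and CBC-DES are legacy; prefer SHA-based HMAC and AES.
LEGACY_AUTH = {"MD5"}
LEGACY_PRIV = {"DES"}


def parse_snmp_users(output: str) -> list[dict[str, str]]:
    """Transpose attribute rows into one dict per user, keyed by the row label."""
    rows: dict[str, list[str]] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            rows[parts[0]] = parts[1:]
    names = rows.get("userName", [])
    users: list[dict[str, str]] = []
    for i, _ in enumerate(names):
        # A missing cell (short row) becomes "" rather than raising IndexError.
        users.append({attr: (vals[i] if i < len(vals) else "")
                      for attr, vals in rows.items()})
    return users


def audit_users(users: list[dict[str, str]]) -> dict[str, list[str]]:
    """userName -> list of findings; users with nothing to report are omitted."""
    findings: dict[str, list[str]] = {}
    for u in users:
        issues = []
        if u.get("Auth", "") in LEGACY_AUTH:
            issues.append(f"auth protocol {u['Auth']} is legacy; use a SHA-based HMAC")
        if u.get("Priv", "") in LEGACY_PRIV:
            issues.append(f"priv protocol {u['Priv']} is legacy; use AES")
        if u.get("access") == "rw":
            issues.append("read-write access: confirm this user needs write rights")
        if issues:
            findings[u["userName"]] = issues
    return findings


def run_audit() -> dict[str, list[str]]:
    """Audit the constructed sample output."""
    return audit_users(parse_snmp_users(SHOW_SNMP_USER_OUTPUT))


if __name__ == "__main__":
    for name, issues in run_audit().items():
        print(name)
        for issue in issues:
            print("   -", issue)
```

Run it against real output by replacing the sample string with the captured session text; the parser only relies on the first token of each row being the attribute name, so extra attributes the module prints are carried through untouched.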
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show sntp
Simple NTP is Disabled
Simple NTP Servers:
No Simple NTP servers are configured
HPswitch#

show startup-config
This command displays contents of startup configuration.
show terminal
This command displays terminal configuration parameters.
Syntax
show terminal
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show terminal
Terminal Type: vt100
Length: 24
Width: 80
HPswitch#

show time
This command displays the system clock.
show timezone
This command displays the timezone.
Syntax
show timezone
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#show timezone
Timezone is Etc/UTC
HPswitch#

show upd-server
This command displays update server parameters.
Example
HPswitch#show upd-server
Terminal Type: vt100
Length: 24
Width: 80
ProCurve(wireless-services-A)*#show time
Feb 21 16:56:46 2006
ProCurve(wireless-services-A)*#show timezone
Timezone is Etc/UTC
ProCurve(wireless-services-A)*#show upd-server
Unreachable : FALSE
Address : 0.0.0.
Example
HPswitch#show upgrade-status
Last Image Upgrade Status : Successful
Last Image Upgrade Time : Tue Nov 22 15:18:17 2005
HPswitch#show upgrade-status detail
Last Image Upgrade Status : Successful
Last Image Upgrade Time : Tue Nov 22 15:18:17 2005
-------------------------------------------------------
var2 is 13 percent full
/tmp is 35 percent full
Free Memory 187880 kB
FWU invoked via Linux shell
Update Params: t
Example
HPswitch#show version
ProCurveWLANModule version WS.01.XX.0551Swami
Copyright (c) 2005 Symbol Technologies, Inc.
Booted from primary.
Switch uptime is 0 days, 2 hours 37 minutes
CPU is AMD Athlon(tm) Processor
256112 kB of on-board RAM
ide device hda disk model TOSHIBA THNCF256MBA capacity 500736 blocks, cache 2
HPswitch#show version verbose
ProCurveWLANModule version WS.01.XX.
Command Mode
Manager
Example
HPswitch#show users
Line    PID    User    Uptime      Location
130     vty    0       0           07:26:26    0
HPswitch#

show vlans
This command displays vlan information.
Show Commands (Wireless)
This section details the show commands pertaining to the wireless parameters.

show wireless ap-detection-config
This command displays detected radio port configuration parameters.
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless approved-aps
0 Approved APs found
Bss Mac           | Rpt Rd | Ch | Last Seen | Ssid
------------------------------------------------------------------------------
00-14-C2-B3-01-70    3        1    0          SSID 1
HPswitch(config-wireless)#

show wireless channel-power
Thi
Example
HPswitch(config-wireless)#show wireless channel-power 11a indoor
Channel          Max Power (dBm)   Radar Detected
36 (5180 MHz)    17
40 (5200 MHz)    17
44 (5220 MHz)    17
48 (5240 MHz)    17
149 (5745 MHz)   20
153 (5765 MHz)   20
157 (5785 MHz)   20
161 (5805 MHz)   20
165 (5825 MHz)   20
HPswitch(config-wireless)#show wireless channel-power 11bg indoor
Channel          Max Power (dBm)
1 (2412 MHz)     20
2 (2417 MHz)     20
3 (2422 MHz)     20
4 (2427 MHz)     20
5
Example
HPswitch(config-wireless)#show wireless config
country-code : us
adoption-pref-id : 1
proxy-arp : disabled
wlan-prioritization : disabled
adopt-unconf-radio : enabled
dot11-shared-key-auth: disabled
ap-detection : enabled
advanced-config : disabled
HPswitch(config-wireless)#

show wireless country-code-list
This command displays a list of supported country names and their two-letter ISO 3166 codes.
show wireless ids
This command displays intrusion detection parameters.
Syntax
show wireless ids (filter-list)
+ filter-list Displays the list of currently filtered stations.
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless mac-auth-local
[need output]
HPswitch(config-wireless)#

show wireless multicast-packet-limit
This command displays the multicast-packet limit.
show wireless phrase-to-key
This command displays the WEP keys generated by a passphrase.
Syntax
show wireless phrase-to-key (wep128 | wep64)
• wep128 - Displays WEP128 keys.
  – WORD - Passphrase between 4 and 32 characters.
• wep64 - Displays WEP64 keys.
  – WORD - Passphrase between 4 and 32 characters.
Default Setting
N/A
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show
DSCP value   0 1 2 3 4 5 6 7 24 25 8 9 10 11 12 13 14 15 16 17 32 33 34 35 36 37 38 39 40 41 48 49 50 51 52 53 54 55 56 57
802.
– + unadopted List of unadopted radios
rp Status of an adopted radio port.
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch#show wireless radio-status
#    Radio Port MAC      Start BSS           Radio   State    Channel    Pwr
1]   00-14-C2-A0-1B-3E   00-14-C2-A0-8F-A4   11bg    normal   1 (rnd)
2]   00-14-C2-A0-1B-3E   00-14-C2-A0-CF-F0   11a     normal   48 (rnd)
3]   00-14-C2-A0-0B-EC   00-14-C2-A0-4E-EC   11bg    normal   11 (rnd)
4]   00-14-C2-A0-0B
+ co Colombia
+ cr Costa Rica
+ cy Cyprus
+ cz Czech Republic
+ de Germany
+ dk Denmark
+ do Dominican Republic
+ ec Ecuador
+ ee Estonia
+ eg Egypt
+ es Spain
+ fi Finland
+ fr France
+ gb United Kingdom
+ gr Greece
+ gt Guatemala
+ gu Guam
+ hk Hong Kong
+ hn Honduras
+ hr Croatia
+ ht Haiti
+ hu Hungary
+ id Indonesia
+ ie Ireland
+ il Israel
+ in India
+ is Iceland
+ it Italy
+ jo Jordan
+ jp Japan
+ kr South Korea
+ k
+ lt Lithuania
+ lu Luxembourg
+ lv Latvia
+ ma Morocco
+ mt Malta
+ mx Mexico
+ my Malaysia
+ nl Netherlands
+ no Norway
+ nz New Zealand
+ om Oman
+ pe Peru
+ ph Philippines
+ pk Pakistan
+ pl Poland
+ pt Portugal
+ qa Qatar
+ ro Romania
+ ru Russia
+ sa Saudi Arabia
+ se Sweden
+ sg Singapore
+ si Slovenia
+ sk Slovak Republic
+ th Thailand
+ tr Turkey
+ tw Taiwan
+ ua Ukraine
+ us United States
+ uy Uruguay
+ ve Venezu
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless regulatory us
802.11a Outdoor
Channels  : 52 56 60 64 149 153 157 161 165
Power(dBm): 20 20 20 20 20  20  20  20  20
802.11a Indoor
Channels  : 36 40 44 48 52 56 60 64 149 153 157 161 165
Power(dBm): 17 17 17 17 20 20 20 20 20  20  20  20  20
802.
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless rp
Number of radio-ports adopted : 2
Available licenses : 34
Clustering enabled : N
Clustering mode : active
#   Mac                 Radios [indices]   Model Number
1   00-14-C2-A0-1B-3E   2 [ 1 2 ]          ProCurve Radio Port 230
2   00-14-C2-A0-0B-EC   2 [ 3 4 ]          ProCurve Radi
Example
HPswitch(config-wireless)#show wireless rp-images
Idx   Image-File            Version         Release Date   Size (bytes)
1     ProCurve-200-Series   00.02-27 [00]   04 Feb 2006    293320
HPswitch(config-wireless)#

show wireless rp-unadopted
This command displays a list of unadopted radio-ports.
Default Setting
N/A
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless self-heal-config
interference-avoidance : disabled
retries : 14.
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless station
Number of stations associated: 0
HPswitch(config-wireless)#

show wireless unapproved-aps
This command displays the unapproved APs seen by radio-port scans.
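The approved-aps and unapproved-aps tables are the raw material for rogue-AP triage, and a long unapproved list is easier to act on once the entries that matter most are picked out. The following is an added example, not ProCurve code: it parses the column layout these two commands print (BSS MAC, reporting radio, channel, signal in dBm, last-seen age, SSID), then flags an unapproved BSS that advertises one of the approved SSIDs (possible SSID spoofing) and any unapproved BSS heard at strong signal (more likely on the premises than a neighbour). Both sample outputs, the approved SSID set and the -60 dBm threshold are constructed assumptions for illustration.

```python
"""Triage of 'show wireless unapproved-aps' output against the approved list.

Added example, not ProCurve code. Sample outputs, the approved set and the
signal threshold are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Dash-separated MAC as printed by the module, e.g. 00-14-C2-B3-01-70.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")

# Assumption: a BSS heard at or above this level is probably inside the building.
STRONG_SIGNAL_DBM = -60

# Constructed sample in the layout of 'show wireless approved-aps'.
APPROVED_APS_OUTPUT = """\
2 Approved APs found
Bss Mac           | Rpt Rd | Ch | Last Seen | Ssid
------------------------------------------------------------------------------
00-14-C2-B3-01-70    3        1    0          SSID 1
00-14-C2-B3-01-80    3        6    0          Corp-Guest
"""

# Constructed sample in the layout of 'show wireless unapproved-aps'.
UNAPPROVED_APS_OUTPUT = """\
Detected 4 unapproved APs (from 4 AP scan reports)
Bss Mac           | Rpt Rd | Ch | dBm | Last Seen | SSID
----------------------------------------------------------------
00-14-C2-A5-2C-F0    1        6   -46    0 secs     J1
00-30-AB-28-7F-11    1        6   -49    0 secs     wireless-g
00-30-AB-28-7F-22    1       11   -38    0 secs     SSID 1
00-30-AB-28-7F-33    2        1   -85  120 secs     Neighbour net
"""


@dataclass
class UnapprovedAp:
    bss_mac: str
    reporting_radio: int
    channel: int
    dbm: int
    last_seen_secs: int
    ssid: str


def parse_approved_ssids(output: str) -> set[str]:
    """SSIDs advertised by approved BSSs (columns: mac, rpt rd, ch, last seen, ssid)."""
    ssids: set[str] = set()
    for line in output.splitlines():
        parts = line.split(None, 4)      # SSIDs may contain spaces: keep the tail whole
        if len(parts) == 5 and MAC_RE.match(parts[0]):
            ssids.add(parts[4].strip())
    return ssids


def parse_unapproved_aps(output: str) -> list[UnapprovedAp]:
    """Data rows of the unapproved-aps table; count, header and ruler lines are skipped."""
    aps: list[UnapprovedAp] = []
    for line in output.splitlines():
        parts = line.split(None, 6)      # mac, rpt rd, ch, dBm, n, 'secs', ssid
        if len(parts) == 7 and MAC_RE.match(parts[0]) and parts[5] == "secs":
            aps.append(UnapprovedAp(parts[0], int(parts[1]), int(parts[2]),
                                    int(parts[3]), int(parts[4]), parts[6].strip()))
    return aps


def triage(approved_ssids: set[str], aps: list[UnapprovedAp]) -> dict[str, list[str]]:
    """BSS MAC -> reasons it deserves a look; entries with nothing to report are omitted."""
    findings: dict[str, list[str]] = {}
    for ap in aps:
        reasons = []
        if ap.ssid in approved_ssids:
            reasons.append(f"advertises approved SSID {ap.ssid!r} from an unapproved BSS")
        if ap.dbm >= STRONG_SIGNAL_DBM:
            reasons.append(f"strong signal ({ap.dbm} dBm) on channel {ap.channel}")
        if reasons:
            findings[ap.bss_mac] = reasons
    return findings


def run_triage() -> dict[str, list[str]]:
    """Triage the constructed samples; result order follows the table order."""
    return triage(parse_approved_ssids(APPROVED_APS_OUTPUT),
                  parse_unapproved_aps(UNAPPROVED_APS_OUTPUT))


if __name__ == "__main__":
    for mac, reasons in run_triage().items():
        print(mac)
        for reason in reasons:
            print("   -", reason)
```

The weak-signal neighbour in the sample is deliberately left unflagged: a scan report only says a BSS was heard, and the signal level plus the SSID match are what turn "unknown AP" into something worth walking over to find.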
Example
HPswitch(config-wireless)#show wireless unapproved-aps
Detected 32 unapproved APs (from 32 AP scan reports)
Bss Mac           | Rpt Rd | Ch | dBm | Last Seen | SSID
----------------------------------------------------------------
00-14-C2-A5-2C-F0    1        6   -46    0 secs     J1
00-14-C2-B3-01-70    1        6   -40    0 secs     SSID 1
00-30-AB-28-7F-11    1        6   -49    0 secs     wireless-g
HPswitch(config-wireless)#

show wireless web-auth-config
This comm
Example
HPswitch(config-wireless)#show wireless web-auth-config
WLAN: 1
status: disabled
description:
ssid: SSID 1
Page-Location: internal
Radius Server Parameters:
primary server :
  IP address: 0.0.0.0
  authentication-port: 1812
  radius-key:
secondary server :
  IP address: 0.0.0.
Example
HPswitch(config-wireless)#show wireless wireless-module-statistics
stations Associated : 0
Radios adopted : 4
------ Traffic -------------------------------------------------------
                         Total              Rx                 Tx
                         30s      1hr       30s      1hr       30s      1hr
Pkts per sec:            0.00     0.00      0.00     0.00      0.00     0.00 pps
Throughput (Mbps):       0.00     0.00      0.00     0.00      0.00     0.00
Avg bit speed:           0.00     0.00      0.
% Non-unicast pkts:
Command Mode
Manager
Configuration Context
Global Configuration Context
Interface Configuration Context
Wireless Configuration Context
Example
HPswitch(config-wireless)#show wireless wlan config
#   enabled   ssid     authentication   encryption   vlan/tunnel
1   N         SSID 1   none             none         vlan 1
2   N         SSID 2   none             none         vlan 1
3   N         SSID 3   none             none         vlan 1
4   N         SSID 4   none             none         vlan 1
5   N         SSID 5   none             none         vlan 1
6   N         SSID 6   none             none         vlan 1
7   N         SSID
Support Commands
These commands are common commands used for advanced support duties in all contexts.

Command                                              Function                                 Page
Support Commands (All Context)
support clear (all | cores | dumps | panics | pm )   Displays command history for switch.     A-187
support copy tech-support URL                        Displays resets the functions.           A-187
[no] support diag (enable | period)                  (Negate) Configures diagnostics.
Command                                   Function                                                               Page
Support Commands (Wireless)
[no] support wireless dump-core A-186     Creates a core file of the ccsrvr process.                             A-196
[no] support wireless dump-scale          Creates a ccsrvr.dump file in nvram with internal state information.   A-196
[no] support wireless rate-scale          Enables wireless rate scaling (default)                                A-197
support wireless request-rp-log           This command requests a radio port log.
Support Commands (All Contexts)
This section details the support commands available to all contexts.

support clear
This command resets the functions.
Syntax
support clear (all | clitree | cores | dumps | panics | pm )
• all - Removes all core, dump, panic, and pm files.
• clitree - Removes clitree.html
• cores - Removes all core files.
• dumps - Removes all dump files.
URLs:
tftp:///path/file
ftp://:@/path/file
scp://@/path/file
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#support copy tech-support tftp://192.168.1.10/testfile
HPswitch#

support diag
This command configures diagnostics. The no command negates the diagnostics.
  - <0-65535> - buffer usage warning limit.
+ <512> - 512k byte buffer limit.
  - <0-65535> - buffer usage warning limit.
+ <64> - 64k byte buffer limit.
  - <0-65535> - buffer usage warning limit.
+ <8> - 8k byte buffer limit.
  - <0-65535> - buffer usage warning limit.
fan - Fan speed limit.
+ <1> - Fan number
  - low - Low speed limit.
    + <1000-15000> - Limit value.
filesys - File system freespace limit.
Command Mode
Manager
Example
HPswitch#support diag enable
HPswitch#

support diag-shell
This command provides diagnostic shell access. The no command negates the shell access.
Syntax
support diag-shell
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#support diag-shell
Diagnostic shell started for testing
diag >

support encrypt
This command encrypts a password or key.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#support encrypt secret 2 Word plaintest LINE
HPswitch#

support pm
This command supports the process monitor. The no command negates the process configuration.
Syntax
support pm (max-sys-restarts | sys-restart)
• max-sys-restarts - Maximum number of times PM will restart the system because of failure.
  – <1-5> - Number of system restarts.
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#support prompt crash-info
HPswitch#

support save-cli
This command saves the CLI tree for all modes in HTML format.
Syntax
support save-cli
Default Setting
N/A
Command Mode
Manager
Example
HPswitch#support save-cli
CLI command tree is saved as clitree.html. This tree can be viewed via web at http:///cli/clitree.
• upgrade-history - Set size of upgrade history. Default: 50.
  – <10-100> - History size.
Default Setting
command-history (200), reboot-history (50), and upgrade-history (50)
Command Mode
Manager
Example
HPswitch#support set command-history 100
HPswitch#

support show
This command shows running system information.
• pm - Process Monitor.
  – history - State changes for a process, the time they happened and the events that triggered them.
    + WORD - Process name.
    + all - All processes.
• process - Displays process activity in real time.
• reboot-history - Shows reboot history.
• rp - Radio-port serviceability parameters.
  – adopt-history - Radio-port adopt-history.
    + XX-XX-XX-XX-XX-XX - Radio-port MAC.
HPswitch#support show info
4.0M out of 4.0M available for logs.
6.7M out of 8.2M available for history.
3.5M out of 4.8M available for crashinfo.
List of Files:
/flash/crashinfo/ccsrvr.dump      0       Nov 1 09:57
/var/log/messages.log             0       Feb 27 09:09
/var/log/startup.log              11.2k   Feb 27 09:09
/var2/history/command.history     834     Feb 27 15:17
/var2/history/reboot.history      3.4k    Feb 27 09:09
/var2/history/upgrade.history     1.
Support Commands (Wireless)
This section details the support commands available for the Wireless parameters.

support wireless dump-core
This command creates a core file of the ccsrvr process.
Syntax
support wireless dump-core
Default Setting
Enabled
Command Mode
Manager
Example
HPswitch(config-wireless)#support wireless dump-core
HPswitch(config-wireless)#

support wireless dump-state
This command creates a ccsrvr.
support wireless rate-scale
This command enables wireless rate scaling. The no command negates the configuration of the wireless parameters.
Syntax
support wireless rate-scale
no support wireless rate-scale
• rate-scale - Enable wireless rate scaling (default).
Appendix B

The Apache Software License, Version 1.1
Copyright (C) 1999 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
LICENSE ISSUES
--------------
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License
---------------
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License
-----------------------
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc.
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.] Various copyrights apply to this package, listed in various separate parts below. Please make sure that you read all the parts.
Copyright (c) 2001-2003, Networks Associates Technology, Inc All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---- Part 4: Sun Microsystems, Inc. copyright notice (BSD) ----
Copyright 2003 Sun Microsystems, Inc.
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1991, 1992 Paul Kranenburg Copyright (c) 1993 Branko Lankester Copyright (c) 1993 Ulrich Pegelow Copyright (c) 1995, 1996 Michael Elizabeth Chastain Copyright (c) 1993, 1994, 1995, 1996 Rick Sladkey Copyright (C) 1998-2001 Wichert Akkerman All rights reserved.
Copyright (c) 2000-2004 Dug Song All rights reserved, all wrongs reversed. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
LInux LOader (LILO) program code, documentation, and auxiliary programs are Copyright 1992-1998 Werner Almesberger. Copyright 1999-2004 John Coffman. All rights reserved.

License
-------
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
thttpd.c - tiny/turbo/throttling HTTP server Copyright 1995,1998,1999,2000,2001 by Jef Poskanzer . All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
zlib.h -- interface of the 'zlib' general purpose compression library version 1.2.3, July 18th, 2005 Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler This software is provided "AS IS", without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
restrictive); see below for details. [However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been removed from OpenSSH, i.e.
contributed by CORE SDI S.A. under a BSD-style license. Cryptographic attack detector for ssh - source code Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A.
5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original Berkeley code. Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
Corinna Vinschen Cray Inc. Denis Parker Gert Doering Jakob Schlyter Jason Downs Juha Yrjölä Michael Stone Networks Associates Technology, Inc. Solar Designer Todd C. Miller Wayne Schroeder William Jones Darren Tucker Sun Microsystems Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
Apart from the previously mentioned licenses, various pieces of code in the openbsd-compat/ subdirectory are licensed as follows: Some code is licensed under a 3-term BSD license, to the following copyright holders: Todd C. Miller Theo de Raadt Damien Miller Eric P. Allman The Regents of the University of California Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
Some code is licensed under a MIT-style license to the following copyright holders: Free Software Foundation, Inc.
*********************************************************************** * * * Copyright (c) David L.
23.[25]Poul-Henning Kamp Oncore driver (Original author) 24.[26]Frank Kardel [27] PARSE driver (14 reference clocks), STREAMS modules for PARSE, support scripts, syslog cleanup 25.[28]William L. Jones RS/6000 AIX modifications, HPUX modifications 26.[29]Dave Katz RS/6000 AIX port 27.[30]Craig Leres 4.4BSD port, ppsclock, Magnavox GPS clock driver 28.
3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44. 45. 46. 47. 48. 49. 50. 51. 52. 53. 54. 55. mailto:%20vbais@mailman1.intel.co mailto:%20kirkwood@striderfm.intel.com mailto:%20michael.barone@lmco.com mailto:%20Jean-Francois.Boudreault@viagenie.qc.ca mailto:%20karl@owl.HQ.ileaf.com mailto:%20greg.brackley@bigfoot.com mailto:%20Marc.Brett@westgeo.com mailto:%20Piete.Brooks@cl.cam.ac.
Copyright (c) 2004-2005 by Internet Systems Consortium, Inc. ("ISC") Copyright (c) 1995-2003 by Internet Software Consortium Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble
--------
The licenses for most software are designed to take away your freedom to share and change it.
patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole.
form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4.
patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices.
12.
be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.
GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs.
GNU LIBRARY GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you".
2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
distribute. 7.
refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.
WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU.
You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker.
UC Berkeley and by Digital Equipment Corporation. The DEC portions are under the following license: Portions Copyright (C) 1993 by Digital Equipment Corporation.
All Rights Reserved. Permission to use, copy, modify and distribute this software and its documentation is hereby granted, provided that both the copyright notice and this permission notice appear in all copies of the software, derivative works or modified versions, and any portions thereof, and that both notices appear in supporting documentation. CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION.
Copyright (c) 2000, Intel Corporation All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
THIS SOFTWARE IS PROVIDED BY ITS AUTHORS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
ALTERNATIVELY, provided that this notice is retained in full, this product may be distributed under the terms of the GNU General Public License (GPL), in which case the provisions of the GPL apply INSTEAD OF those given above. Copyright (c) 2004 Linus Torvalds Copyright (c) 2004 Red Hat, Inc., James Morris
sFlow License LICENSE AGREEMENT PLEASE READ THIS LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE REPRODUCING OR IN ANY WAY UTILIZING THE sFlow(R) SOFTWARE ("SOFTWARE") AND/OR ANY ACCOMPANYING DOCUMENTATION ("DOCUMENTATION") AND/OR THE RELATED SPECIFICATIONS ("SPECIFICATIONS"). YOUR REPRODUCTION OR USE OF THE SOFTWARE AND/OR THE DOCUMENTATION AND/OR THE SPECIFICATIONS CONSTITUTES YOUR ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS AGREEMENT.
implemented, on Licensee Hardware and Products, and (v) distribute any Products that include the Software, the Documentation, or software in which the Specifications have been implemented. 2.2 Trademark License.
6. Limitation of Liability.
the Northern District of California or the state courts of the State of California for the County of San Francisco. 8.6 U.S. Government Licenses. The Software and Documentation are considered a "commercial item" as that term is defined at 48 C.F.R 2.101, or "commercial computer software" and "commercial computer software documentation" as such terms are used in 48 C.F.R 12.212 of the Federal Acquisition Regulations and its successors, and 48 C.F.R. 227.7202 of the DoD FAR Supplement and its successors. 8.
Index Numerics 5400zl Series See wireless services-enabled switch 802.11 frame types … 1-56 management frames … 1-56 overview … 1-54 802.11 replay attack … 12-58 802.11a defined … 1-54 radio adoption defaults for … 3-9 802.11b defined … 1-55 radio adoption defaults for … 3-9 802.11g 802.11g only … 3-16 defined … 1-55 radio adoption defaults for … 3-9 802.11h … 1-55 802.
viewing statistics … 7-29 action ID … 7-30 details … 7-30 protocol ID … 7-30 times used … 7-30 ACS See auto-channel select active mode for redundancy group … 1-78, 10-4 address resolution table … 6-17 adoption automatic versus manual … 2-70 failure, reasons for … 1-78 Layer 2 auto-provisioning … 2-58 connecting RP to infrastructure switch … 2-59 connecting RP to wireless services-enabled switch … 2-58 network requirements for … 2-58 Layer 3 compared to Layer 2 … 2-57 customizing RPs’ DNS request … 2-68 defa
options for WLAN … 1-24 RADIUS MAC … 1-28, 4-43 See also 802.1X See also MAC authentication See also Web-Auth shared-key … 4-75 Web-Auth … 1-26, 4-39, 5-2 authentication failure attack … 12-58 auto-channel select configuring for specific radio … 3-32 configuring in radio adoption defaults … 3-13 running … 3-37, 3-41 auto-provisioning … 1-8, 2-58 B basic rate settings 802.
configuration files deleting … 2-97 managing … 2-86 startup-config, returning to factory defaults … 2-98 transferring … 2-89 viewing … 2-87 contention window See CW Max See CW Min counter polling defined … 13-3 interval … 13-16 manually activating … 13-14 country code … 2-136, 3-4 CRL uploading … 2-187 CW Max defined … 4-92 radio … 4-108 station … 4-104 CW Min defined … 4-92 radio … 4-108 station … 4-104 D decryption attack … 12-58 default gateway single active … 2-8 specifying in the CLI … 2-7 delivery tr
domain name system See DNS domain proxy RADIUS server settings for … 11-30 specifying … 11-28 downlink port … 1-7, 1-8 DTIM period defined … 3-23 different value for each BSSID … 3-34 specifying for specific radio … 3-34 specifying in radio adoption defaults … 3-24 dynamic DNS … 6-41 client update … 6-43 server update … 6-43 Dynamic Frequency Selection … 1-55 Dynamic Host Configuration Protocol See DHCP pool See DHCP relay See DHCP requests … 6-22 See DHCP server … 6-22 dynamic index (radio) … 1-67, 3-30 dy
flow sampling defined … 13-2 manually activating … 13-11 rate … 13-13 sample size … 13-14 See also sFlow FTP server external downloading files from … 2-89 saving files to … 2-93 internal … 2-32 G group internal RADIUS … 11-12 See also RADIUS database group attribute … 11-24 group filter … 11-23 group membership attribute … 11-24 H hardware ID … 2-128 help, online … 2-14 hidden stations defined … 3-21 setting RTS threshold for radio adoption defaults … 3-22 specific radio … 3-33 high availability See redun
Layer 3 adoption compared to Layer 2 … 2-57 customizing RPs’ DNS request … 2-68 default DNS request … 2-64 DHCP option 189 … 2-65 DNS lookup … 2-67 network requirements for … 2-62 of radio ports … 1-68 RP requirements for … 2-63 verifying … 2-69 Layer 3 device module as a … 6-3 Layer 3 mobility configuration steps … 9-15 dynamic VLANs with … 9-15 enabling … 9-20 enabling on a WLAN … 9-18 IDM location domain with … 9-7 IP address, for local module … 9-16 monitoring stations … 9-26, 12-10 overview … 9-6 peers
marking traffic … 7-7 extended IP ACL … 7-19 MAC extended ACL … 7-24 overview … 7-7 physical port required … 7-26 standard IP ACL … 7-16 module statistics button … 12-27 screen … 12-34 multicast address … 4-113 multicast key … 4-56 My ProCurve Web Portal registering on … 2-127 N NAT applying to an interface … 8-24 configuration steps … 8-24 defining interface for … 8-24 destination configuring … 8-33 uses … 8-9 dynamic ACL for … 8-22, 8-28 configuring … 8-26 overloaded interface … 8-28 port address transla
password changing manager or operator … 2-35 encryption in config … 2-105 roaming and … 2-106 See also key Web browser interface … 2-11 password attribute … 11-23 PKI … 1-45 PMK caching defined … 9-3 enabling … 4-58, 9-14 required for pre-authentication … 9-14 PoE … 1-75 port address translation … 8-8 See also NAT … 8-8 port authentication … 1-74 power over Ethernet … 1-75 power save DTIM period … 3-23, 3-34 viewing station support for … 12-5 pre-authentication enabling … 4-58, 9-14 overview … 9-3 PMK cachi
radio port … 1-53, 3-2 802.
MAC authentication, for … 4-44, 11-36 overview … 11-2 Web-Auth, for … 4-41, 5-13 rate limit, user-based … 4-88 rate settings 802.
S secure management … 2-9, 2-29 secure Network Time Protocol See secure NTP secure NTP ACLs controlling access to … 2-146 authentication … 2-141 broadcast mode … 2-139 client/server mode … 2-139 configuration steps client … 2-142 server … 2-142 hierarchy … 2-139 overview … 2-138 peer mode … 2-139 Secure Shell access … 2-24 security adopting RPs as detectors … 3-11 authentication … 4-33 encryption … 1-32, 4-19, 4-47 for management access … 2-24 See also authentication See also encryption WLAN … 4-33 self hea
source NAT configuring dynamic … 8-26 configuring static … 8-30 uses for dynamic … 8-5 uses for static … 8-12 SSH access … 2-24 SSID assigned to BSSID advanced mode … 4-17 normal mode … 3-34, 4-4, 4-11 defined … 1-59 selecting beaconed SSID … 4-18, 4-20 WLAN and … 4-30, 4-31 standard IP ACL defined … 7-3 source address filter … 7-16 standby mode for redundancy group … 1-78, 10-5 startup-config factory default … 2-86 returning, to factory defaults … 2-98 saving changes in CLI … 2-23 saving changes to … 2-12,
V W video classifying WLAN as … 4-112 WMM queue for … 4-93, 4-109 video traffic radio settings for beacon interval … 3-23, 3-33 DTIM period … 3-23, 3-33 WMM parameters … 3-47 WMM queue for … 4-92 VLAN assignment considerations … 4-84 assignment tab … 4-82 dynamic or user-based considerations for … 4-87 enabling … 4-87 prohibited … 4-32 tagging on uplink port … 4-88 Web-Auth with … 5-9 dynamic-based or user-based authentication required … 4-87 for Web-Auth … 5-9 IP address assigning … 6-5 editing … 6-7 max
WebUser Administrator adding guest accounts as … 2-50 creating … 2-42 defined … 2-42 deleting guest accounts as … 2-53 printing guest accounts as … 2-55 viewing guest accounts as … 2-53 Web-Users authenticating … 2-44 creating … 2-42 roles … 2-41 WEP dynamic (802.
WMM 802.
Technical information in this document is subject to change without notice. © Copyright 2007 Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.