Meru System Director Configuration Guide, Release 5.1. Copyright © Meru Networks, Inc., 2003–2012. All rights reserved. Other names and brands may be claimed as the property of others. January 2012. Document Number: 882-20050 Rev A Rel 5.
END USER SOFTWARE LICENSE AGREEMENT IMPORTANT: This end user software license Agreement (this “Agreement”) is a legal agreement between the end user (“Customer”) of the software accompanying this Agreement (the “Software”) and Meru Networks, Inc. (“Meru”).
Software or Documentation by any third party other than agents and representatives working on Customer’s behalf; or (d) rent, lease, loan, distribute, assign or transfer the Software unless expressly permitted in writing by Meru or by this Agreement.
set forth in FAR 52.227-14(g), Rights in Data—General (June 1987) and FAR 52.227-19, Commercial Computer Software—Restricted Rights (June 1987), or if under Department of Defense, DFAR 252.227-7015(b), Technical Data—Commercial Items (June 2004) and DFAR 227.7202-3(a) (June 2005), in accordance with this Agreement. If Customer is a governmental entity that has a need for rights not addressed above in this Article 5, it must negotiate a separate agreement with Meru.
Contents

About This Guide  xvii
  What’s New in this 5.1 Edition  xvii
  Audience  xviii
  Other Sources of Information  xix
    Web Resources  xix
    Meru Publications  xix
  Guide to Typographic Conventions  xix
    Syntax Notation

What is E(z)RF Network Manager?  17

Chapter 3  Managing System Files  19
  About the CFS  19
    Working with Local Directories  20
    Viewing Directory and File Information  20
    Changing to Another Directory  21
  Working with Configuration Files
    Changing the Running Configuration
Chapter 4

  AeroScout Compounded Report  45
  Dilution Timeout  45
  Generic AP Notification  46
  Configure AeroScout Integration Tool for Receiving the Generic AP Notification  46
  Configure Controller Security  47
  Configure Controller Redundancy  47
  System Director Communication Ports  47

Chapter 5  Configuring an ESS

Chapter 6
  Enable Multicast From the Web UI  76
  Enable Multicast with the CLI  76
  View Mapping Between VLANs and ESS Profiles  76
  Bridging with AirFortress and AppleTalk  77
    FortressTech Layer 2 Bridging  77
    AppleTalk Layer 2 Bridging  77
  GRE ESSID Feature  77
  Band Steering Feature

Chapter 7
Chapter 8  Configuring Network Interfaces  109
  Configuring Basic Networking for the Interface  109
  802.11d Support  110
  Dual-Ethernet Operation  110
    Configuring Dual Ethernet  110
    Configuring a Redundant Interface  111
    Configuring an Active Interface  111
    Viewing FastEthernet Interface Information  111
  Interface and Networking Commands  112

  Configure RSA SecurID  139
Chapter 9
Chapter 10
  Configure MAC Filtering  140
    Configure MAC Filtering  141
    Configure a Deny MAC Filtering List  142
    Configure a Remote Radius Server for MAC Filtering  143
    Configure an ESS Profile for MAC Filtering  144
  Security Certificates

  CLI Example - Create Guest User ID  177
  Optionally Configure Pre-Authentication Captive Portal  178
  Captive Portal With N+1  179
  Troubleshooting Captive Portal  179
Chapter 11
  Third-Party Captive Portal Solutions  179
    Configure Third-Party Captive Portal With the Web UI  180
    Configure Third-Party Captive Portal With the CLI  180
  Configure a Radius Server for Captive Portal Authentication

  Configure AP Power Supply, Channel Width, and MIMO Mode with CLI  214
  Configure an AP’s Radios with the CLI
    Summary of Radio Interface Configuration Commands
    Set Radio Transmit Power with the CLI
    Enable and Disable Short Preambles with the CLI
    Set a Radio to Scan for Rogue APs with the CLI
    Enable or Disable a Radio Interface with the CLI
    Set a Radio to Support 802.11n Only with the CLI

  Wireless Peer-to-Peer QoS Rules
    Prioritize Peer-to-Peer
    Peer-to-Peer Blocking
  802.11n Video Service Module (ViSM)
    Implementing ViSM
  Configuring Call Admission Control and Load Balancing with
Chapter 16  Installing and Configuring an Enterprise Mesh System

  Error Messages  289
  System Logs
    Station Log Events
      MAC Filtering Station Log Events
      Key Exchange Station Log Events
      Authentication Station Log Events
      1X/WPA/WPA2 Authentication Station Log Events
      DHCP Station Log Events
      Captive Portal Station Log Event
  System Diagnostics
    Radio diagnostics
About This Guide
This guide describes the various options for configuring the Meru Wireless LAN System. The architecture and fundamental operations of the system are described.

What’s New in this 5.1 Edition
The previous edition of this guide covered System Director 5.0. The new or changed topics for this System Director 5.
U-APSD support has been added for the AP1000 series. Refer to “Configure U-APSD” on page 70 for more details.
DFS support has been added for the AP1000 series. This feature requires no configuration, is always on, and cannot be disabled.
SIP over TCP communication has been implemented. Refer to “Optimizing Voice Over IP” on page 241 for additional details on configuring a Voice over IP deployment.
Several new AP models have been implemented: AP400i, AP400is, OAP433, and AP1000e.
Other Sources of Information
Additional information is available in the following Web site, Meru publications, and external references.

Web Resources
For the first 90 days after you buy a Meru controller, you have access to online support. If you have a support contract, you have access for the length of the contract.
Courier font: Identifies file names, folder names, computer screen output, and text in syntax descriptions that you are required to type.
Ctrl-: Denotes that the Ctrl key should be used in conjunction with another key; for example, Ctrl-D means hold down the Ctrl key and press the D key. Keys are shown in capitals, but are not case sensitive.
The following figure shows a sample of syntax notation.

[no] action target {keyword|keyword} [argument ...]

[no]: The optional no form disables the command; without the no, the command enables or re-enables.
action: Command or action. In some cases, action takes you to another command mode.
target: Keyword or command within a submode.
{keyword|keyword}: Choose between the enclosed elements.
[argument ...]: One or more repeated values.

Note: Many commands have a default setting or value, listed in the Default section of the command page.
Contacting Meru xxii Meru System Director Configuration Guide © 2012 Meru Networks, Inc.
Chapter 1 CLI Concepts This chapter presents tips for working with the System Director command line interface (CLI). It describes the various command modes, provides some tips for getting help, using the history functions, and customizing the prompt and terminal characteristics.
— If you log in as the user guest, you are placed in user EXEC mode. From there, you must type the enable command and the password for user admin before you can enter privileged EXEC mode.
3. Start executing commands.

CLI Command Modes
The CLI is divided into different command modes, each with its own set of commands and, in some modes, one or more submodes. Entering a question mark (?) at the system prompt provides a list of commands available at the current mode.
Global Configuration Mode
You make changes to the running configuration by using the Global Configuration mode and its many submodes. Once you save the configuration, the settings are stored and restored when the controller reboots. From the Global Configuration mode, you can navigate to various submodes (or branches) to perform more specific configuration functions. Some configuration submodes are security, qosrules, vlan, and so forth.
Command Line-Only Commands
exit
quit
more (including more running-config, more log-file, more running-script)
prompt
rename
terminal history|size|length|width
traceroute
show history
show running-config
show terminal

Config Mode Commands
do
ip username ftp|scp|sftp
ip password ftp|scp|sftp
show context

Commands that Invoke Applications or Scripts
calendar set
timezone set|menu
date
capture-packets
analyze-capture
debug
diagnostics[-controller]
ping
pwd
shut
show memory
show cpu-utilization
show processes
show flash
show qosflows
show scripts
show station details
show syslog-host
show log
autochannel
rogue-ap log clear
telnet
syslog-host

Abbreviating Commands
You only have to enter enough characters for the CLI to recognize the command as unique.
Subnet Mask for allowed IP/Subnet to pass through Captive portal : 0.0.0.0

Using No and Default Forms of Commands
Almost every configuration command has a no form. In general, use the no form to:
1. Disable a feature or function.
2. Reset a command to its default values.
3. Reverse the action of a command.
Use the command without the no form to re-enable a disabled feature or to reverse the action of a no command.
To list keywords or arguments, enter a question mark (?) in place of a keyword or argument. Include a space before the ?. This form of help is called command syntax help, because it reminds you which keywords or arguments are applicable based on the command, keywords, and arguments you have already entered.

Table 1: Examples of Help Commands
Command: Purpose
(prompt)# help: Displays a brief description of the help system.
Using Command History
Recall commands
Disable the command history feature

Setting the Command History Buffer Size
By default, the CLI records ten command lines in its history buffer.
Disabling the Command History Feature
The terminal history feature is automatically enabled.
Commands to Customize CLI Prompt
To customize the CLI prompt for your system, use one of the following commands in Global Configuration mode:

Table 2: Commands to Customize the CLI Prompt
Command: Purpose
prompt string: Customizes the CLI prompt.
no prompt: Disables the display of the CLI prompt.
default prompt: Sets the prompt to the default, which is the hostname.
Setting the terminal length to a non-zero value turns on paging. When the output length exceeds the terminal length, the output is paused and a ---More--- prompt is displayed:
1. If the space bar is pressed at the ---More--- prompt, another page of output is displayed.
2. If the ENTER key is pressed at the ---More--- prompt, a single line of output is displayed.
3. If any other character is pressed at the ---More--- prompt, this signifies the end of output and the command prompt is displayed.
Chapter 2 System Director Web UI Concepts
Access System Director by entering the IP address of the controller in a browser (see Browsers below). The Web UI interface that displays operates from three menus.
Configuration
How Does the GUI Relate to CLI Commands?
Most System Director tasks can be accomplished using either the CLI or the GUI. Some commands can only be done with one or the other. The chart below gives some examples of this. You can refer to the illustration on the previous page or click the indicated links on the UI Interface.
I need to know...
Browsers
System Director supports these browsers:
Internet Explorer versions 6, 7, and 8 on both Windows XP and Vista
Firefox on Windows XP
Safari on Mac OS
Opera and Chrome are not supported.

Internet Explorer Caching Settings
Be sure to turn off caching on any computer using Internet Explorer version 6 or 7, because dashboard updates are frequently ignored with caching on. To configure Windows Internet Explorer, follow these steps:
1.
Figure 2: Internet Browsing Settings
3. Select the option Every time I visit the web page.
4. Click OK.
The dashboard will now be updated every time the statistics change. Note that no configuration is needed for Mozilla Firefox.

What is E(z)RF Network Manager?
E(z)RF Network Manager is a Meru product that manages multiple controllers. ESS, Security, VLAN, GRE and Radius profiles can all be configured either from E(z)RF Network Manager or from the controller.
Chapter 3 Managing System Files
This chapter describes how to work with the Controller File System (CFS), which provides a single interface for managing all files available for use with Meru controllers. This chapter contains the following sections:
About the CFS
Working with Configuration Files
Manipulating System Files
Upgrading System Images
Summary of File System Commands

About the CFS
The CFS allows you to manage the controller operating system (System Director) and its configuration files.
To accomplish these tasks you need to use the CFS to manipulate files. The CFS allows you to perform the following tasks:
Display information about files within a directory: The displayed information includes the file name, size, and date of modification.
Navigate to different directories: You can navigate to different directories and list the files in a directory.
Copy files: The CFS allows you to copy files on the controller via a pathname or to manipulate remote files.
For example, to display the contents of the images directory:

controller# dir
total 10
total 70
drwxr-xr-x 8 root root 1024 Jan 30 11:00 meru-3.6-45
drwxrwxr-x 8 522  522  1024 Feb 21  2008 meru-3.6-46
-rw-r--r-- 1 root root 2233 Feb 19 02:07 meru.user-diagnostics.Dickens.2008-02-19.02-07-17.tar.gz
-rw-r--r-- 1 root root 3195 Feb 19 02:17 meru.user-diagnostics.Dickens.2008-02-19.02-17-17.tar.gz
-rw-r--r-- 1 root root 3064 Feb 21 00:50 meru.user-diagnostics.Dickens.2008-02-21.00-50-50.tar.
Working with Configuration Files
Configuration files direct the functions of the controller. Commands in the configuration file are parsed by the CLI and executed when the system is booted from the database, or when you enter commands at the CLI in a configuration mode. There are two types of configuration files used by the CLI:
The startup database file (startup-config) is executed at system startup.
Table 3: Steps to Modify the Running Configuration
Command: Purpose
controller(config)# end
 or controller(config)# Ctrl-Z: Ends the configuration session and exits EXEC mode. NOTE: You need to press the Ctrl and Z keys simultaneously.
controller(config)# Ctrl-C: Cancels any changes and reverts to the previous mode.
The following example uses secure FTP to access the file named meru-3.7-config on a server named ftp.merunetworks.com. This example uses the username admin and the password secret to access this server:

controller# copy sftp://admin:secret@ftp.merunetworks.com/meru-3.7-config

For SCP (secure copy), replace the prefix sftp with scp.
Setting a Remote Username and Password
The secure remote file transfer commands require a remote username and password on each request to a server. The CLI uses the username and password specified in the dir or copy command to authenticate with the remote file servers. If you do not want to type the username and password for each secure remote file transfer command, you can set these values for the duration of your session using the ip ftp, ip sftp, or ip scp commands.
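Because the copy command accepts the server password inline in the URL, the password can end up in command history, saved scripts and ticket notes. The following is an added example (not Meru's code, and not part of this guide) that finds ftp://, sftp:// and scp:// URLs of that form in captured CLI lines and redacts the password part before the lines are shared or archived. The sample history lines are constructed from the URL shapes shown in this chapter; nothing is sent to a server.

```python
# Added example (not Meru's code): locate and redact passwords embedded in
# ftp://, sftp:// and scp:// transfer URLs so that CLI history or scripts can
# be reviewed or archived without exposing file-server credentials.
import re
from urllib.parse import urlsplit

# Any whitespace-free token that starts with one of the transfer schemes.
TRANSFER_URL = re.compile(r"\b(?:ftp|sftp|scp)://\S+")


def redact_transfer_url(url: str, mask: str = "****") -> str:
    """Return url with the password of a user:password@host part replaced by mask.

    URLs without an embedded password are returned unchanged. The host part is
    taken verbatim from the original netloc so its case and any port survive.
    """
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host_part = parts.netloc.rsplit("@", 1)[1]
    netloc = f"{parts.username}:{mask}@{host_part}"
    return parts._replace(netloc=netloc).geturl()


def redact_line(line: str) -> str:
    """Redact every transfer URL found in one line of CLI text."""
    return TRANSFER_URL.sub(lambda m: redact_transfer_url(m.group(0)), line)


def find_embedded_credentials(lines):
    """Return (line_number, redacted_line) for each line carrying a password in a URL."""
    hits = []
    for number, line in enumerate(lines, 1):
        has_password = any(
            urlsplit(m.group(0)).password is not None
            for m in TRANSFER_URL.finditer(line)
        )
        if has_password:
            hits.append((number, redact_line(line)))
    return hits


# Constructed sample of captured CLI history (hostnames/users from the guide's
# examples; no real server is contacted).
SAMPLE_HISTORY = [
    "show running-config",
    "copy sftp://admin:secret@ftp.merunetworks.com/meru-3.7-config",
    "copy running-config scp://user1:userpass@server1/jan01-config",
    "copy sftp://admin@ftp.merunetworks.com/meru-3.7-config",
    "dir",
]

if __name__ == "__main__":
    for number, redacted in find_embedded_credentials(SAMPLE_HISTORY):
        print(f"line {number}: {redacted}")
```

Run on the constructed history, the second and third lines are reported with their passwords masked, while the line that relies on the session credentials set with ip sftp is not flagged, which is the pattern to prefer when a transfer has to be scripted.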
Summary of File System Commands
The following lists the available file system commands in privileged EXEC mode.

Command: Purpose
controller> cd [filesystem]: Sets the default directory on the Flash memory device. If no directory name is specified, this sets the default directory to images.
controller# copy running-config ftp|sftp|scp:[[[//username:password]@location/directory]/filename]: Copies the running configuration file to an FTP, SFTP, or SCP server, for example:
controller# copy running-config ftp://user1:userpass@server1/jan01-config
controller# copy running-config scp://user1:userpass@server1/jan01-config
controller# copy running-config startup-config: Saves the running configuration to the startup configuration to make it persistent.
controller# upgrade ap version | same [id | range | all]: Upgrades the access point image to the same version of system software that the controller is running.
id: Upgrades the access point with the specified ID to the same version of system software that the controller is running.
range: Upgrades a range of APs, specified as a list using commas and dashes, without spaces or wildcards. AP IDs must be listed in ascending order.
Chapter 4 Managing the System
This chapter describes procedures for configuring controllers and managing the system. This chapter contains the following sections:
Configure Basic Controller Parameters During Setup
Configure Controller Parameters From the Web UI
Configure Controller Parameters From the CLI
System Licensing
Configuring E(z)RF Location Manager
802.
To start the setup script, at the Privileged EXEC prompt, type setup. Refer to the “Initial Setup” chapter of the Meru System Director Getting Started Guide for an example session using the setup command.

Configure Controller Parameters From the Web UI
To add a new controller, click Configuration > Devices > Controller > Add. To reconfigure an existing controller, click Configuration > Devices > Controller > select a controller > Settings.
Whether or not Dynamic Frequency Selection (DFS) is enforced. For installations within the United States, enforcing DFS means that channels 52-64 (5.25-5.35 GHz), 100-116 (5.47-5.725 GHz), and 136-140 (5.68-5.70 GHz) conform to DFS regulations, protecting radar from interference on these channels.
The number of minutes of station inactivity that causes a client to time out is set by the Station Aging Out Period.
Limit Wireless Client Access to the Controller From the CLI
Administrators wishing to block access to the controller management utilities for wireless clients can do so with the no management access command. When wireless management access is blocked, all packets sent to the controller by wireless clients are dropped except for those used for Captive Portal.
Limit Wired Client Access to the Controller With QoS Rules
To control access to the controller from wired network devices, you can configure rule-based IP ACL lists using the qosrules command. This section provides qosrule examples for several types of configurations. The following is an example that blocks management access (on TCP and UDP) to the controller (at 192.168.1.2) for all devices except the host at 192.168.1.7.
controller(config-qosrule)# dstip 192.168.1.2
controller(config-qosrule)# dstip-match
controller(config-qosrule)# dstmask 255.255.255.255
controller(config-qosrule)# dstport 8081
controller(config-qosrule)# action forward
controller(config-qosrule)# end

The following qosrules block all hosts from accessing the Controller using TCP/UDP.
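The example above is easy to get wrong in one direction (a permit that is too broad) or the other (a drop that also catches the management host), so it helps to model the rule set before typing it in. The following Python is an added example, not Meru's code and not part of this guide: it models the rule fields used on this page (srcip/srcmask, dstip/dstmask, dstport, action) as a first-match ACL and checks a policy that permits only 192.168.1.7 to reach the controller's management ports on TCP and UDP. The ports are taken from this page (8081 in the rule above; 8080 and 443 from the communication-ports table); the first-match evaluation order and the separate src/dst fields are assumptions of the model, not a statement of how System Director orders qosrules.

```python
# Added example (not Meru's code): a model of the rule-based IP ACL described
# in this section, used to check that a qosrules policy really limits
# management access to one host. Assumption: rules are evaluated top to
# bottom and the first matching rule decides.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class QosRule:
    action: str                   # "forward" or "drop"
    srcip: str = "0.0.0.0"        # 0.0.0.0 with mask 0.0.0.0 = any source
    srcmask: str = "0.0.0.0"
    dstip: str = "0.0.0.0"
    dstmask: str = "0.0.0.0"
    dstport: int = 0              # 0 = any destination port
    proto: str = "any"            # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


def _addr_matches(addr: str, rule_ip: str, rule_mask: str) -> bool:
    """Compare only the address bits selected by the mask."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_ip))
    m = int(ipaddress.IPv4Address(rule_mask))
    return (a & m) == (r & m)


def rule_matches(rule: QosRule, pkt: Packet) -> bool:
    return (
        _addr_matches(pkt.src, rule.srcip, rule.srcmask)
        and _addr_matches(pkt.dst, rule.dstip, rule.dstmask)
        and (rule.dstport == 0 or rule.dstport == pkt.dport)
        and (rule.proto == "any" or rule.proto == pkt.proto)
    )


def evaluate(rules, pkt: Packet, default: str = "forward") -> str:
    """First matching rule decides; with no match the default applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed policy for the scenario on this page: controller 192.168.1.2,
# management host 192.168.1.7. Specific permits first, catch-all drops after.
CONTROLLER = "192.168.1.2"
ADMIN_HOST = "192.168.1.7"
MGMT_PORTS = (8081, 8080, 443)


def build_mgmt_policy(controller=CONTROLLER, admin_host=ADMIN_HOST, ports=MGMT_PORTS):
    rules = []
    for proto in ("tcp", "udp"):
        for port in ports:
            rules.append(QosRule("forward", srcip=admin_host, srcmask="255.255.255.255",
                                 dstip=controller, dstmask="255.255.255.255",
                                 dstport=port, proto=proto))
    for proto in ("tcp", "udp"):
        for port in ports:
            rules.append(QosRule("drop", dstip=controller, dstmask="255.255.255.255",
                                 dstport=port, proto=proto))
    return rules


def check_policy(rules):
    """Decisions for a few constructed packets, so the policy can be audited."""
    probes = {
        "admin_to_mgmt": Packet(ADMIN_HOST, CONTROLLER, 8081, "tcp"),
        "other_to_mgmt": Packet("192.168.1.50", CONTROLLER, 8081, "tcp"),
        "other_to_mgmt_udp": Packet("192.168.1.50", CONTROLLER, 443, "udp"),
        "other_to_nonmgmt": Packet("192.168.1.50", CONTROLLER, 5000, "udp"),
        "other_to_other_host": Packet("192.168.1.50", "192.168.1.9", 8081, "tcp"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, decision in check_policy(build_mgmt_policy()).items():
        print(f"{name:22s} -> {decision}")
```

The probe set is the part worth keeping: whenever the real rule set changes, rerun the same probes so that a permit meant for one host never silently widens to the subnet, and traffic to other destinations (the last probe) is still left alone.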
Configure Time Services From the CLI
We recommend that you configure controllers to synchronize their system clock with a Network Time Protocol (NTP) server. This ensures the system time is accurate and standardized with other systems. Accurate and standardized system time is important for alarms, traces, syslog, and applications such as cryptography that use timestamps as a parameter for key management and lifetime control.
Configure a License with the Web UI
To see your license from the CLI, use the following commands:
controller# show controller
controller# show license
controller# show license-file active
You need a license for any of the following optional features if you plan to enable them with release 5.
AP300 Licensing Changed in Release 4.0 and Later
Before release 4.0, all AP300 units were recognized as AP320, N-capable APs. Because AP300 licensing has been applied in System Director release 4.0, now AP320, AP310, AP302, AP301, AP311, and AP320i are individually recognized and require the appropriate licenses to be N-capable. This could affect upgraded AP300 units because licenses are required for specific radios.
Rate Limiting : off
Capture frames sent by other APs in the network : on
MC3K-1#

For a detailed explanation of the packet capture profile commands, see the Troubleshooting chapter of the Meru System Director Configuration Guide.

802.11n Video Service Module (ViSM)
Video streaming has the low latency and loss requirements of voice with the high-throughput requirements of data.
Using AeroScout
The AeroScout System version 3 (but not version 2) product works with Meru controllers and AP300 (in Virtual Cell or non-Virtual Cell mode) and AP150 (in non-Virtual Cell mode only) to locate and track tagged assets to deliver direct benefits such as process automation and theft prevention. Tags are small, battery-powered devices attached to equipment or personnel. See AeroScout’s web site for more detailed information about the various tags available from AeroScout.
Figure 3: AeroScout Network Diagram
In addition to Meru standard Wi-Fi infrastructure, AeroScout Location Receivers and Exciters can be deployed for time difference of arrival (TDOA) locationing and choke points, respectively.

Configuring AeroScout
Tracking tags is done from the AeroScout product using a Meru controller and APs.
For this reason, the combination of AeroScout’s solution architecture with Meru’s Virtual Cell deployments and Air Traffic Control™ technology provides a more accurate location for tags. In other words, Meru’s APs can all be deployed in a single channel with a virtualized BSSID, thereby providing more reference points for the tag messages and a more accurate location.
Figure 4: AeroScout Tag Protocol Messages (sequence diagram; participants: AeroScout Tag, AP, Controller, AeroScout Engine). Tag Messages flow from the tag through the AP to the controller throughout. The numbered exchange between the AeroScout Engine and the controller is: 1 Request Version; 2 Version Report; 3 / 3a Get Status; 4 / 4a Status Response; 5 / 5a Set Configuration; 6 / 6a ACK; 7 / 7a Set Tags Mode(Start); 8 / 8a ACK; thereafter each Tag Message is forwarded as a Tag Report.
AeroScout Syslog Error Messages

Error Condition: Severity: Message
Cannot create an ATS AeroScout Manager mailbox: critical: AeroScoutMgr mailbox creation failed
Cannot set AeroScout mode in the driver: critical: Cannot set AeroScout mode to enable/disable
Invalid AE messages: warning: Unknown Message Code[0xXX] Data length error.
The AeroScout Engine determines the coordinates and sends them to AeroScout MobileView. AeroScout MobileView uses location data to display maps, enable searches, create alerts, manage assets, work with third parties, and much more.

Figure 5: AeroScout Mobile Unit
Wi-Fi Mobile Units (MUs) can be located if associated to some access point, or while transmitting broadcast messages.
Configuring AeroScout
Tracking tags is performed from the AeroScout product using a Meru controller and APs. To configure a Meru controller to work with AeroScout, use the command aeroscout enable, as shown below:

default# sh aeroscout
Aeroscout Parameters
Enable/Disable              : enable
Aeroscout Engine IP Address : 0.0.0.
1. Dilution Factor
2. Dilution Timeout
Meru Mobile Unit reporting supports and implements only Dilution Timeout. The Dilution Timeout lets you set a limit on the amount of time with no Mobile Unit messages from a specific Mobile Unit.
In the scenario where the APs come online and go offline, change the AeroScout Configuration parameter on the controller. The controller sends a generic AP Notification for all the APs on the controller, and the AeroScout Integration Tool acknowledges each generic AP Notification to the controller.

Configure Controller Security
See the chapter Configuring Security in this guide.
System Director Communication Ports

Traffic: Port
HTTP: TCP/8080
HTTPS: TCP/443
Inter-controller roaming: UDP/9394
Meru L3 AP COMM: UDP/5000
Licensing (for connections initiated from within the controller only, for licensing purposes, e.g.
Chapter 5 Configuring an ESS A basic service set (BSS) is the basic building block of an IEEE 802.11 wireless LAN; one access point together with all associated clients is called a BSS. An AP acquires its clients by broadcasting its name (SSID) which is picked up by clients within range. Clients can then respond, establishing a connection. It is legitimate for multiple access points to share the same SSID if they provide access to the same network as part of an Extended Service Set (ESS).
Add an ESS with the Web UI
ESS profiles can be configured either from E(z)RF Network Manager or from the controller. You can tell where an ESS profile was configured by checking the read-only field Owner; the Owner is either nms-server or controller. AP300/AP400 is designed to use either a Virtual Cell ESS or a non-Virtual Cell ESS, but not both at once. AP1000 is designed to use a Virtual Cell ESS and a non-Virtual Cell ESS simultaneously.
5. In the Primary Radius Accounting Server list, select either the name of a previously configured Radius accounting server profile or the No RADIUS option. Selecting the No RADIUS option means that no Radius accounting messages will be sent for clients connecting to this ESSID profile. For more information, see the authentication chapter Radius Accounting for Clients.
6.
Add an ESS with the Web UI — On: (default) Access points automatically join an ESS profile and are configured with its parameters. — Off: Prevents access points from automatically joining an ESS profile. The user is now allowed to add multiple interfaces on the ESS Profile screen. Perform the following steps to add multiple interfaces: On the ESS Profile - Update screen select the New APs Join ESS profile as Off. This option prevents the APs from automatically joining an ESS profile.
Caution! Multicasting is allowed only when an ESS profile has a one-to-one mapping with the default VLAN for this ESS profile. No other ESS profile can use the same VLAN, and security rules associated with this ESS profile must not redirect traffic to another VLAN. Multicasting is an advanced feature. Enable multicasting only if you need to use a multicast application.
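The two conditions in the caution (no other ESS profile on the same VLAN, and no security rule redirecting to another VLAN) are easy to check before enabling multicast. The following Python is an added example, not Meru's code and not part of this guide: it models each ESS profile as a constructed record with only the fields the caution refers to (name, default VLAN, Allow Multicast, and the VLANs its security rules redirect to) and reports every multicast-enabled profile that violates the one-to-one mapping. The profile names and VLAN names are constructed.

```python
# Added example (not Meru's code): pre-flight check for the multicast caution.
# Each ESS profile is a constructed record carrying only the fields the
# caution refers to; the validator reports every multicast-enabled ESS that
# breaks the one-to-one ESS-to-VLAN mapping.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EssProfile:
    name: str
    default_vlan: str
    allow_multicast: bool = False
    redirect_vlans: tuple = ()     # VLANs that this ESS's security rules redirect traffic to


def multicast_violations(profiles):
    """Return one message per violation of the multicast one-to-one VLAN rule."""
    names_by_vlan = defaultdict(list)
    for p in profiles:
        names_by_vlan[p.default_vlan].append(p.name)

    problems = []
    for p in profiles:
        if not p.allow_multicast:
            continue
        # Condition 1: no other ESS profile may use this profile's default VLAN.
        others = [n for n in names_by_vlan[p.default_vlan] if n != p.name]
        if others:
            problems.append(f"{p.name}: VLAN {p.default_vlan} is also used by {', '.join(others)}")
        # Condition 2: security rules must not move traffic to another VLAN.
        leaks = [v for v in p.redirect_vlans if v != p.default_vlan]
        if leaks:
            problems.append(f"{p.name}: security rules redirect to VLAN(s) {', '.join(leaks)}")
    return problems


# Constructed sample configuration (names are invented for the example).
SAMPLE_PROFILES = [
    EssProfile("video", "vlan-video", allow_multicast=True),
    EssProfile("corp-users", "vlan-corp"),
    EssProfile("guest", "vlan-guest", allow_multicast=True, redirect_vlans=("vlan-quarantine",)),
    EssProfile("corp-voice", "vlan-corp", allow_multicast=True),
]

if __name__ == "__main__":
    for problem in multicast_violations(SAMPLE_PROFILES):
        print(problem)
```

Against the sample, only the "video" profile passes; "guest" fails on the redirect condition and "corp-voice" fails because it shares its VLAN with "corp-users". In a real review the records would be filled from show essid output for every profile on the controller, and the check rerun whenever a VLAN or security profile is reassigned.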
Note: If you set Virtual Cell on for an ESS used with AP300s or AP400s and then turn it off, Virtual Cell capability is removed from the interface and must be added to the interface again if Virtual Cell is turned on again in the ESS. To add the SSID back to AP300 or AP400, the best option is to delete the ESS profile and then re-add it. Alternately, you can add a BSSID to each and every interface manually.
Add an ESS with the Web UI — Bridged: (Bridged mode was formerly Remote AP mode.) In bridged mode, data packets are not passed between AP300/AP1000 and the controller; only control plane packets are passed. When bridged mode is configured in 5.1, an AP300 or AP1000 can be installed and managed at a location separated from the controller by a WAN or ISP, for example at a satellite office. The controller monitors the remote APs through a keep-alive signal.
5GHz band. Band steering is also useful for directing multicast traffic. For this command to work as clients are added, also set the field New APs Join ESS to on. For more explanation, see Band Steering Feature in this chapter. Band Steering Mode options are:
— Band Steering Disabled
— Band Steering to A band: Infrastructure attempts to steer all A-Capable wireless clients to the 5GHz band when they connect to this ESS.
When is Virtual Cell Really on for an AP?
AP1000 is always ready to use Virtual Cell or Virtual Port; no configuration at the radio level is necessary. To enable either of them, simply configure them as on in each ESS profile. If neither is desired, the AP can be used in a non-virtual (or legacy) environment. For AP300, Virtual Cell is enabled on the radio interface by default, and it can be disabled as desired.
controller# configure terminal
controller(config)# essid corp-users
controller(config-essid)#

Enable and Disable
The Enable and Disable field represents all the Enabled and Disabled services of a profile. If a specific ESS profile is Disabled, the NMS deletes all the Services that belong to the ESS profile. If a specific ESS profile is Enabled, the NMS creates all the Services that belong to the ESS profile.
meruwpa      enable  meruwpa      meruwpa      on  none
meruwpa2psk  enable  meruwpa2psk  meruwpa2psk  on  none
ESS Profile(3)

MERUCNTRL# sh essid meru
ESS Profile
ESS Profile Name
Enable/Disable
SSID
Security Profile Name
Primary RADIUS Accounting Server
Secondary RADIUS Accounting Server
Accounting Interim Interval (seconds)
Beacon Interval (msec)
SSID Broadcast
Bridging
New AP's Join ESS
Tunnel Interface Type
VLAN Name
GRE Tunnel Profile Name
Allow Multicast Flag
Silent Client Polling
V
AN Supported Transmit Rates (Mbps)   : 6,9,12,18,24,36,48,54
AN Base Transmit Rates (Mbps)        : 6,12,24
AN Supported HT Transmit Rates (MCS) : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
AN Base HT Transmit Rates (MCS)      : none
Owner                                : controller
MERUCNTRL#

Security Profiles for an ESS
ESS profiles and Security profiles can be configured either from E(z)RF Network Manager or from the controller.
The DTIM period can be a value from 1 through 255. The default DTIM period is 1. Setting the DTIM period to a higher value decreases the frequency of broadcasts sent by the access point. If power save is enabled on clients that are connected to access points, clients “wake up” less often when fewer broadcasts are sent, which conserves battery life for the clients. Only the behavior of clients currently in power-save mode is affected by the DTIM period value.
Configuring ESSID Joining of Access Points with the CLI
By default, when a new access point is plugged into the WLAN, it joins all ESSIDs that are configured to have new access points automatically join upon discovery, and a BSSID is created. After you are satisfied with your WLAN configuration, you can disable the automatic joining so that new access points do not change your configuration.
2. Configure each radio for Virtual Cell by following these steps:
a. Click Configure > Wireless > Radio
b. Select a radio.
c. Set Virtual Cell as “On”.
d. Save the configuration.
Note: Configure multiple radios with Bulk Update.
Configuring Virtual Cell Support for AP300 or AP400 with the CLI
Virtual Cell is enabled by default on Meru APs.
802.11n only mode : off
Virtual Cell mode : on   <-
To turn Virtual Cell off, use this version of the command:
vcell22(config-if-802)# no virtual-cell
Note: All APs on the same channel in a Virtual Cell must have the same setting for these values: RF-Mode, Channel Width, N-only Mode.
Configuring Virtual Cell Support for AP150
AP150 Virtual Cell is enabled by default.
Restricted by the number of clients supported by the controller
Restricted by the number of AP radios
On AP300/AP400, the theoretical maximum number of Virtual Ports is 128 per radio. Meru’s best practices recommendation is to have no more than 64 per radio.
Restricted by Virtual Cell
There is a hard limit of 2007 Virtual Ports per Virtual Cell. This number is set by the standard of having no more than 2007 associations per single BSSID.
Configuring Probe Response Threshold:
ap 7> radio help prt
radio {probe-resp | prt} assigned |all |threshold |maxresp
set probe response assigned/rssi threshold/max response count.
default(config-essid)# silent-client-enable
default(config-essid)# no silent-client-enable
default(config-essid)# end
Configuring Data Transmit Rates with the CLI
Note: The AP150 does not support configuration of the Base/Supported data rates. The default settings in use for these products are:
802.11b: Base (1,2,5.5,11), Supported (1,2,5.5,11)
802.11bg: Base (1,2,5.5,11), Supported (all)
802.
— 802.11an valid rates are 6, 9, 12, 18, 24, 36, 48, and 54 Mbps, or all
— 802.11an-mcs valid rates are MCS 0 through MCS 15, or all
— 802.11bgn-mcs valid rates are MCS 0 through MCS 15, or all
All base rates must also be entered as supported rates.
controller(config-essid)#
To remove a VLAN assignment from an ESSID, use the no vlan name command.
the CLI using the ESSID command apsdsupport, or you can configure APSD support for an ESSID from the Web UI (Configuration > Wireless > ESSID and then turn on U-APSD).
Configure U-APSD
APSD settings are configured per ESS, and APSD support is on by default; this setting only affects AP300/AP400/AP1000. To configure APSD from the Web UI, click Configuration > Wireless > ESS > select an ESS from the list > set APSD Support to on.
Configure Virtual Cell Overflow with the Web UI
To set up Virtual Cell Overflow from the Web UI, follow these steps:
1. Create a Virtual Cell ESS by following the directions in Add an ESS with the Web UI. Be sure that the setting for Virtual Cell is set to On.
2. Create a non-Virtual Cell ESS by following the directions in Add an ESS with the Web UI. Be sure that the setting for Virtual Cell is set to Off.
Virtual Port                        : off
Overflow for                        : vcell_ESS
WMM Support                         : off
APSD Support                        : off
DTIM Period (number of beacons)     : 1
Dataplane Mode                      : tunneled
AP VLAN Tag                         : 0
AP VLAN Priority                    : off
Countermeasure                      : on
Multicast MAC Transparency          : off
Band Steering Mode                  : disable
Band Steering Timeout(seconds)      : 5
Bridging Versus Tunneling
The bridged AP feature allows APs to be installed and managed at locations separated from the controller by a WAN or ISP, for example, in a satellite office.
QoS rules and firewall rules
Dynamic Flow detection (for SIP/H.323)
Captive Portal
L3 mobility
Radius-based VLAN assignment
DHCP relay
Example of Bridged AP Deployment
The following figure is an example of a remote bridged AP deployment. Notice that AP1 is configured for L2/local mode, AP2 is configured for L2/Remote mode, AP3 is configured for L3/local mode, and AP4 is configured for L3/Remote AP mode. The controller, AP1 and AP2 are located in the same 10.0.10.
Multicasting Feature
Configure a Bridged AP
For complete UI directions, see Add an ESS with the Web UI, or click Configuration > Wireless > ESS and select an ESS to edit. To configure a bridged AP for an existing ESSID with the CLI, follow these steps:
1.
on the network. Multicasting is an advanced feature and can cause subtle changes in your network. By default, multicasting is disabled and should be enabled only for specific circumstances.
Command to see which multicast groups are currently active:
show igmp-snoop forwarding-table
Command to see which stations have joined multicast groups:
show igmp-snoop subscription-table
Multicast MAC Transparency Feature
This feature enables MAC transparency for tunneled multicast, which is needed for some clients to receive multicast packets. Multicasting is an advanced feature and can cause subtle changes in your network. By default, multicasting is disabled.
Bridging with AirFortress and AppleTalk
Wireless bridging with the Fortress Technology AirFortress gateway and AppleTalk networks can be configured to extend ESSID functionality.
FortressTech Layer 2 Bridging
FortressTech Layer 2 bridging and encryption with the Fortress Technology AirFortress gateway allows an administrator to configure FortressTech encryption on one or more ESSIDs.
Band Steering Feature
You can leave all voice-capable clients on the B/G channels (where bandwidth is not a concern) and move data-only clients to the A bands to achieve higher data rates. To use band steering for ABGN traffic, you could use A-Steering to direct dual-mode clients with A capability to the 5GHz band and use N-Steering to direct all dual-mode clients with AN capability to the 5GHz band. Band steering is also useful for directing multicast traffic.
Band Steering Timeout(seconds) : 5
This example sets band steering to the A channel on the existing ESS named Bandsteeress:
default# configure terminal
default(config)# essid Bandsteeress
default(config-essid)# dataplane
default(config-essid)# dataplane bridged
default(config-essid)# band-steering-mode a-steering
default(config-essid)# end
default# sh essid Bandsteeress
ESS Profile Name
SSID
Security Profile Name
Primary Radius Accounting Server
Secondary Radius Accounting Server
Ac
ESS Profile
ESS Profile Name
SSID
Security Profile Name
Primary Radius Accounting Server
Secondary Radius Accounting Server
Accounting Interim Interval (seconds)
Beacon Interval (msec)
SSID Broadcast
Bridging
New AP's Join ESS
Tunnel Interface Type
VLAN Name
GRE Tunnel Profile Name
Allow Multicast Flag
Silent Client Polling
Enable Virtual Cell
WMM Support
DTIM Period (number of beacons)
Virtual Cell Type
Dataplane Mode
B Supported Transmit Rates (Mbps)
A Supported Transmit Rates (Mbps
Meru(config-essid)# end
Meru# show essid meru
ESS Profile
ESS Profile Name
Enable/Disable
SSID
Security Profile Name
Primary RADIUS Accounting Server
Secondary RADIUS Accounting Server
Accounting Interim Interval (seconds)
Beacon Interval (msec)
SSID Broadcast
Bridging
New AP's Join ESS
Tunnel Interface Type
VLAN Name
GRE Tunnel Profile Name
Allow Multicast Flag
Silent Client Polling
Virtual Cell
Virtual Port
WMM Support
APSD Support
DTIM Period (number of beacons)
Dataplane Mode
AP
AN Supported HT Transmit Rates (MCS)  : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
AN Base HT Transmit Rates (MCS)       : none
Owner                                 : controller
SSID Broadcast for Vport
The SSID Broadcast for Vport function is designed to improve connectivity when using Cisco phones.
Configuration of SSID Broadcast for Vport
The SSID Broadcast for Vport option is similar to that for the ESSID configuration parameter.
Example for configuring the till-association option from the IOSCLI:
default# conf terminal
default(config)# essid assign
default(config-essid)# publish-essid-vport till-association
default(config-essid)# end
Multiple ESSID Mapping
The following configuration example shows how to create three ESSIDs and map them to three different VLANs to separate guest users, corporate users, and retail traffic. The first ESSID, guest-users, is mapped to a VLAN named guest.
controller# configure terminal
controller(config)# essid guest-users
controller(config-essid)# security-profile default
controller(config-essid)# vlan guest
controller(config-essid)# exit
controller(config)# essid corp-users
controller(config-essid)# security-profile corp-access
controller(config-essid)# vlan corp
controller(config-essid)# exit
controller(config)# essid retail-users
controller(config-essid)# security-profile retail-access
controller(config-essid)# vlan retail
control
Bridged AP300 in a Remote Location
When bridged mode is configured in an ESSID, an AP using that ESSID can be installed and managed at a location separated from the controller by a WAN or ISP, for example at a satellite office. The controller monitors remote APs with a keep-alive signal. Remote APs exchange control information, including authentication and accounting information, with the controller but cannot exchange data.
Utilizing Multiple IPs on a Single MAC
In current Meru implementations, a typical client machine (or station) is granted a single IP address per wireless adapter in use. However, with the growing use of virtual machine models (provided by VMware, Parallels, etc.), a single station can run multiple operating systems from a single client.
Chapter 6 Implementing Redundancy
There are three options available for controller redundancy:
Redundant Ethernet: With this Ethernet link level redundancy, if one Ethernet link goes down, another Ethernet link on the same controller will take over.
N+1: With this controller level redundancy, if one controller goes down, a designated slave controller will take over for the failed master controller.
Redundant Ethernet
For any redundancy option to work without issues, make sure that the VLANs are the same across all the ports on the external manageable switch. With N+1, the backup controller must be in the same subnet as the primary controllers. With DHCP Option 43, you can specify a primary and a backup controller for the APs, and with this configuration the backup controller can be in a different subnet from the primary controller.
Configure Redundant Ethernet Failover With the CLI
The following commands configure Ethernet interface 2 on a controller as a backup to Ethernet interface 1. Do this by issuing the option redundant for the type command, as shown below.
N+1 Redundancy
A set of master controllers and a standby slave controller are configured via static IP addressing to reside in the same subnet, and are considered to be an N+1 cluster. The standby slave monitors the availability of the master controllers in the cluster by receiving advertisement messages sent by the masters over a well-known UDP port at expected intervals.
N+1 with Non-Revertive Mode
Previously, the N+1 feature provided no option to control the failback operation: an active slave relinquished the master's role as soon as the master became operational again. Service downtime is doubled when failover and failback happen without the administrator's control. To control the failback operation, a Non-Revertive feature is introduced.
Figure 10: Example N+1 Redundancy Network Deployment
Configuring the N+1 Clusters
This can only be configured using the CLI, with up to five masters and one slave. You will need passwords for all controllers involved in the N+1 configuration. A summary of the steps to configure and start N+1 follows:
Step  Command              Description
1.    nplus1 start master  On each master, start N+1 redundancy.
2.    nplus1 start slave                                Start N+1 on the slave controller.
3.    nplus1 add master_hostname master_IP_address      Add the master controller’s hostname and IP address to the slave’s cluster list.
Starting N+1 on Master Controllers
N+1 must first be started on the Master Controllers. To configure a master controller:
1. On each master controller, enter configuration mode and start the N+1 software:
master# configure terminal
master(config)# nplus1 start master
2.
2. Check that the software has started on the slave with the show nplus1 command (note that no masters display in the Master Controllers list):
Slave(config)# do show nplus1
The system is not fully operational
-------------------------------------------------------------------------
slave(config)# do show nplus1
Current State         : Passive
Non-Revertive mode    : Disable
Wait to Restore (WTR) : 8 minutes
Master Timeout        : 5 keepalives
Slave IP              : 192.168.10.
ScaleMasterThree   10.1.1.10   Enable   Yes   -   0   5.0-xx
Monitoring the N+1 Installation
The show nplus1 command allows you to check the current controller configuration and show the status of the controller. Some sample output displays are included to show the information displayed in the various controller states.
The descriptions of the display fields are provided in the following table:
Field        Description
Hostname     Hostname of the master controller
IP Address   Static IP address assigned to the master controller
Admin        Status of N+1 redundancy on the master: Enable—N+1 redundancy has been enabled on the master; Disable—N+1 redundancy has been disabled
Switch       Ability of the slave to assume active slave for the master: Yes—Slave and master model/system director version number are compatib
Field        Description
             If Switch is No, describes why the switch cannot be made:
             Down: Master has been disabled by the user
             SW Mismatch: The system director software is out of sync (update the Master Controller).
             No Access: The Passive Slave was not able to access the Master because it did not receive a copy of the configuration. This is a rare message that occurs if show nplus1 is executed almost immediately after adding a controller.
Master Controllers
Hostname   IP Address   Admin
---------------------------------------------
3000-1     10.1.1.10    Disabled
3000-1#
Note: Slave configuration commands are not operable when the Slave is Active.
3000-1# configure terminal
3000-1(config)# nplus1 add 3000-3 10.1.1.
Scheduling revert on Active slave
A revert can be scheduled only on the active slave, or on a slave in the passive-to-active state. Before scheduling a revert, non-revertive mode must be enabled.
Changing the WTR Interval
To provide stability and reduce unintended failback flip-flopping, a Wait to Restore (WTR) count-down timer runs before the Standby slave can again hand back the role of a Master unit it recently took over. By default, this interval is set to 8 minutes, but it can be changed to any value from 1 to 20 minutes.
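The keepalive, Master Timeout, WTR and Non-Revertive behaviour described in this N+1 section can be tied together in one small state machine. The following is an added example, not code from the Meru guide or from System Director: a slave-side model that takes over a master after `master_timeout` consecutive missed advertisements, and on the master's return either runs the Wait-to-Restore countdown or, in non-revertive mode, waits for an administrator-scheduled revert. Time is in seconds, hostnames are constructed, and the choice that a scheduled revert starts the WTR countdown is this model's assumption, not something the guide states.

```python
# Added example (not from the Meru guide): a model of the N+1 slave-side
# failover/failback logic. Time values are in seconds; hostnames and the
# default timer values mirror the show nplus1 output above (5 keepalives,
# 8 minutes WTR). ASSUMPTION: a scheduled revert starts the WTR countdown.
class NPlusOneSlave:
    MASTER_OK = "master_ok"              # master advertising normally; slave passive for it
    ACTIVE = "active"                    # slave has taken over the master's role
    AWAITING_REVERT = "awaiting_revert"  # master back, non-revertive: slave stays active
    WTR = "wtr"                          # master back, Wait-to-Restore countdown running

    def __init__(self, masters, master_timeout=5, wtr_minutes=8, non_revertive=False):
        self.master_timeout = master_timeout
        self.wtr_seconds = wtr_minutes * 60
        self.non_revertive = non_revertive
        self.masters = {m: {"missed": 0, "state": self.MASTER_OK, "wtr_end": None}
                        for m in masters}

    def state(self, master):
        return self.masters[master]["state"]

    def keepalive(self, master, now):
        """Advertisement received from `master` at time `now`."""
        m = self.masters[master]
        m["missed"] = 0
        if m["state"] == self.ACTIVE:
            # The master is back while the slave holds its role: decide how to fall back.
            if self.non_revertive:
                m["state"] = self.AWAITING_REVERT
            else:
                m["state"] = self.WTR
                m["wtr_end"] = now + self.wtr_seconds

    def missed_keepalive(self, master):
        """One keepalive interval elapsed with no advertisement from `master`."""
        m = self.masters[master]
        m["missed"] += 1
        if m["state"] in (self.MASTER_OK, self.WTR) and m["missed"] >= self.master_timeout:
            m["state"] = self.ACTIVE     # take over after master_timeout consecutive misses
            m["wtr_end"] = None

    def schedule_revert(self, master, now):
        """Administrator-scheduled revert: only valid on an active, non-revertive slave."""
        m = self.masters[master]
        if not self.non_revertive or m["state"] != self.AWAITING_REVERT:
            raise RuntimeError("revert can be scheduled only on an active non-revertive slave")
        m["state"] = self.WTR            # assumption: scheduled revert honours the WTR timer
        m["wtr_end"] = now + self.wtr_seconds

    def tick(self, now):
        """Expire WTR timers; returns the masters whose role was handed back."""
        restored = []
        for name, m in self.masters.items():
            if m["state"] == self.WTR and now >= m["wtr_end"]:
                m["state"] = self.MASTER_OK
                m["wtr_end"] = None
                restored.append(name)
        return restored
```

The `missed` counter resets on every received advertisement, so a master that returns during the WTR countdown and then disappears again is taken over afresh only after another full run of missed keepalives, which is what keeps the flip-flopping the text warns about from being driven by a single lost packet.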
3000-1# configure terminal
3000-1(config)# nplus1 stop
3000-1(config)# exit
Replacing a Master Controller
Should a Master Controller in the cluster need to be replaced, the following summarizes the steps needed to replace it.
1. On the Slave Controller, disable the failed Master Controller:
3000-slave# configure terminal
3000-slave(config)# nplus1 disable
3000-slave(config)# exit
2.
Setting the syslog Debug Level
The nplus1 setdebugloglevel command sets the verbosity of the N+1 log messages. The level can be set from 0 to 3, where 1 is the least verbose. The default setting of 0 disables syslog messaging.
3000-slave(config)# nplus1 setdebugloglevel 1
N+1 Syslog Messages
Syslog messages are generated and sent to a log file on the syslog server configured with the syslog-host command.
For MC: master_ip State: SW Mismatch -> No Access Saved Config does not exist
    Software mismatch was resolved, but the Master Controller is not accessible from the Slave Controller and cannot provide redundancy. Ensure that the Master Controller is accessible using the command nplus1 access master_ip.
For MC: master_ip State: WTR Set-> WTR - Copyback Done
    Failback process has begun, the WTR timer has been initiated and is counting down, and the Master Controller is accessible.
Option 43
The active slave is now in control. If the first active slave Ethernet interface goes down, the slave controller fails over to the second Ethernet interface. To revert the failover, verify that the first interface on the Slave controller is up and running. Then, bring up the first interface of the original Master controller. The N+1 active slave becomes a passive slave and the original N+1 master becomes the N+1 Master again.
AP Aware Redundancy using DNS
Configure APs with L3 preferred and the controller name as the hostname of the controller.
Configure a DNS entry to resolve the primary hostname on the DNS server.
Configure a DNS entry to resolve the secondary hostname on the DNS server.
Configure the hostname of the primary controller on the AP with L3 preferred mode.
Chapter 7 Configuring Network Interfaces
One of the first steps when setting up a controller is to configure the networking parameters using the setup program, as described in the Meru System Director Getting Started Guide. If you did not run the setup program, or if you want to change the settings that were configured with the setup script, you can use the commands described in the section Configuring Basic Networking for the Interface.
802.11d Support
The original 802.11 standard defined operation in only a few regulatory domains (countries). 802.11d added the ability for 802.11 WLAN equipment to operate in additional countries by advertising the country code in the beacon. Devices pick up the country code and adjust communication accordingly. You do not have to configure or enable this feature; the Meru implementation currently works automatically for all countries listed in setup.
Dual-Ethernet Operation
Note: Do not insert an Ethernet cable into the second Ethernet port until it has been configured as active or redundant.
Configuring a Redundant Interface
See the chapter Implementing Redundancy.
Configuring an Active Interface
The following commands configure Ethernet port 2 as an active interface that can be used to support a VLAN or GRE (Generic Routing Encapsulation) tunneling.
Interface and Networking Commands
The following interface and networking configuration commands are available.
Table 4: Interface and Networking Commands
Command                                                                  Purpose
controller(config)# interface FastEthernet controller interface-index    Specifies the controller interface index (0-31) and enters FastEthernet interface configuration submode.
controller(config)# ip address ip-address mask                           Specifies the IP address and subnet mask for the controller.
Chapter 8 Configuring Security
System Director provides industry-standard security options that can be implemented according to the requirements of the ESSID (and VLAN, if so configured) to protect the site’s wireless and, as a result, wired LAN infrastructure.
Configure a Security Profile With the Web UI
2. Set up the Certificate Server or Radius server configuration (see the Radius server documentation for instructions).
3. Configure Security Profiles based on the type of security required (continue with the following sections).
4. Configure one or more ESSIDs (see the chapter Configuring an ESS for directions) and assign the VLAN and Security Profile to them.
— CCMP/TKIP: Use the Counter Mode with Cipher Block Chaining (CCMP) encryption protocol that replaces TKIP, the mandatory protocol in WPA, and WEP. For more information, see TKIP.
If you select WEP64 or WEP128, you need to specify a WEP key, as described in step 6. If you specify TKIP for WPA-PSK or CCMP-AES for WPA2-PSK, a pre-shared key must be set, as described in step 12.
5.
— On: The controller initiates 802.1X authentication by sending an EAP-REQUEST packet to the client. By default, this feature is enabled.
— Off: The client sends an EAP-START packet to the controller to initiate 802.1X authentication. If you select this option, the controller cannot initiate 802.1X authentication.
13. 802.1x Termination: 802.1x termination is provided by the IOSCLI and the controller GUI and is configured on a per-Security Profile basis.
20. In the MAC Filtering list, select one of the following:
— On: Enables MAC Filtering for this security profile.
— Off: Disables MAC Filtering for this security profile.
21. In the Firewall Capability drop-down list, select one of the following:
— Configured: The controller defines the policy through configuration of the Firewall filter-id.
— Radius-configured: The Radius server provides the policy after successful 802.1X authentication of the user.
a Security Profile that configures WPA/WPA2, leverages the site’s 802.1X user authentication and includes TKIP or CCMP encryption. Once associated with this profile, users and enterprises can be assured of a high level of data protection. You can mix WPA and WPA2 security in System Director release 3.6 and later. To configure these security options, see the sections Configure a Security Profile With the Web UI and Configure WPA2 With the CLI.
Encryption Support
Meru Wireless LAN System offers CCMP-AES for WPA2 and TKIP for WPA. A key difference between WPA and WPA2 is the underlying encryption method. For WPA2 it is CCMP/AES and for WPA it is TKIP/RC4. Descriptions of these technologies are provided in this section. Meru also supports the original 802.11 encryption protocols provided by WEP64 and WEP128. We recommend using the more secure CCMP, or the TKIP encryption solution if your site’s client hardware cannot support CCMP.
WLANs because the walls containing the network do not necessarily bind radio waves. WEP seeks to establish protection similar to that offered by the wired network's physical security measures by encrypting data transmitted over the WLAN. Data encryption protects the vulnerable wireless link between clients and access points.
Before transmission takes place, WEP combines the key stream with the payload and ICV through a bit-wise XOR process, which produces cipher text (encrypted data). WEP includes the IV in the clear (unencrypted) within the first few bytes of the frame body. The receiving station uses this IV along with the shared secret key supplied by the user of the receiving station to decrypt the payload portion of the frame body.
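The XOR construction described above is small enough to model end to end. The following is an added example, not code from the Meru guide or from System Director: it builds a WEP frame body the way the text describes (RC4 keystream from IV plus shared key, XORed over payload and CRC-32 ICV, with the 3-byte IV and key-ID byte sent in the clear) and decrypts it on the receiving side. The key, IV and payload are constructed sample values. It also makes two defender-relevant points concrete: the IV can be read by anyone without the key, and the ICV is a CRC that catches accidental corruption or a wrong key, not a cryptographic authentication tag, which is part of why the guide recommends CCMP over WEP.

```python
# Added example (not from the Meru guide): a minimal model of WEP frame-body
# encryption/decryption as described in the text. RC4 and the CRC-32 ICV follow
# the original 802.11 WEP definition; all key/IV/payload values are constructed.
import zlib


def rc4_keystream(key, length):
    """RC4 key scheduling followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_icv(payload):
    """Integrity Check Value: CRC-32 over the plaintext payload, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(shared_key, iv, payload, key_index=0):
    """Build the frame body: IV (3 bytes, clear) || key-ID byte (clear) ||
    (payload || ICV) XOR RC4(IV || shared_key)."""
    if len(iv) != 3 or not 0 <= key_index <= 3:
        raise ValueError("IV must be 3 bytes and key index 0-3")
    plaintext = payload + wep_icv(payload)
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return iv + bytes([key_index << 6]) + ciphertext


def wep_decrypt(shared_key, frame_body):
    """Receiver side: read the clear IV, regenerate the keystream with the shared
    key, XOR to recover payload || ICV, then check the ICV. Returns (payload, icv_ok)."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    keystream = rc4_keystream(iv + shared_key, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    payload, received_icv = plaintext[:-4], plaintext[-4:]
    return payload, received_icv == wep_icv(payload)


def clear_iv(frame_body):
    """The IV any observer can read straight off the frame; no key needed."""
    return frame_body[:3]
```

A wrong shared key or a corrupted ciphertext byte makes the recovered ICV disagree with the CRC of the recovered payload, so `wep_decrypt` reports `icv_ok` as False and the frame should be dropped; note that the same IV with the same shared key always produces the same keystream, which is why the 24-bit IV space is one of WEP's recognised weaknesses.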
Configure GRE Tunnels
Figure 11: Example GRE Tunneling Configuration
To configure GRE tunneling, create the GRE tunnel profile as well as an ESSID that specifies the GRE tunnel and also references a Security Profile. GRE can also be configured from E(z)RF Network Manager.
default# show gre
GRE Name   Remote External Address   Tunnel IP address   Tunnel IP Netmask
vlan1      172.27.0.162              12.12.12.12         255.255.0.0
gre1       172.27.0.206              13.13.13.13         255.255.0.
GRE Configuration(2 entries)
Configure a Security Profile With the CLI
The controller supports the ability to define multiple Security Profiles that can be assigned to different wireless LAN extended service sets (ESS) according to the level and type of security required. A Security Profile is a list of parameters that define how security is handled within an ESS.
802.1x Termination is configured separately for PEAP and TTLS.
Configure 802.1X Radius Security With the CLI
To allow WLAN access to your site’s 802.1X authorized and authenticated users, set up 802.1X Radius authentication. To do this:
Create a global Radius Server Profile that specifies how to communicate with the primary Radius server in your network. If an optional secondary Radius server is to be used, a separate profile is also created for it.
default(config)# exit
802.1X PTK Rekey
With the 802.1X PTK rekey feature, whenever the rekey interval expires, the Access Point sends a unicast key and a broadcast key to the client. These two key packets are NOT encrypted. To enable 802.1X PTK rekey, enter the following command from the Security Profile configuration (n is specified in seconds and can be from 0 to 65535 (60 minutes)):
default(config-security)# rekey period n
To disable 802.
Table 5: Commands to Configure the 802.1X Radius Servers
Command    Purpose
key key    Specifies the shared secret text string used by the controller for the Radius profile (required parameter if password-type is shared-secret). Maximum 64 characters.
Table 6: Commands Used to Create Security Profiles
Command                          Purpose
radius-server secondary profile  Optional. In Security Profile configuration, specifies the Radius profile containing the configuration parameters for the secondary Radius server.
rekey multicast-enable           Optional. In Security Profile configuration, enables the multicast key broadcast.
[no] 8021x-network-initiation    In Security Profile configuration, determines the 802.1X initiation method.
Example WPA2-PSK Configuration
To configure security with the Web UI, click Configuration > Security > Profile. Click Help for option details. When setting the PSK key with the CLI, use a key from 8 to 63 ASCII characters (the characters ! \ " ? must be escaped with the backslash (\) character; for example \! \?) or 64 hex characters (hex keys must be prefixed with “0x” or the key will not work).
Opportunistic PMK Caching for WPA
Opportunistic PMK caching allows the controller, acting as the 802.1X authenticator, to cache the results of a full 802.1X authentication so that if a client roams to any AP associated with that controller, the wireless client needs to perform only the 4-way handshake and determine new pairwise transient keys. PMK caching is supported only for KDDI phones when using WPA with TKIP and 802.1X authentication.
WPA GTK Rekey
With the WPA GTK rekey feature, whenever the group-rekey interval expires, the Access Point sends a broadcast key to the client. This key packet is encrypted.
Table 7: Commands to Configure WPA/WPA2
Command      Purpose
psk key key  Sets the key for a WPA2-PSK/WPA-PSK configuration. Assign one PSK per ESSID that uses this Security Profile. The key can be:
             hexadecimal characters (that is, 0-9, a-f, A-F), prefixed with 0x. Example: 0xa0a1a2a3a4a5a6a7a8a9aaabac or 0x12345678901234567890abcdef...
             8 to 63 ASCII characters (the characters ! \ " ? must be escaped with the backslash (\) character; for example \! \?).
Example 802.11 WEP Configuration
The following example creates the profile named wep-voice that supports static 128-bit WEP encryption for voice users. The static WEP key is defined as voice and uses the third key index position on a user station’s WEP key definition.
Security Profile Table(8)
Profile Name     L2 Mode    Data Encrypt   Firewall Filter
default          clear      none
captive-portal   clear      none
wep              wep        wep64
802.1x           802.1x     wep128
wpa              wpa        tkip
wpapsk           wpa-psk    tkip
wpa2             wpa2       ccmp
wpa2psk          wpa2-psk   ccmp
To view the details of an individual Security Profile, use the show security-profile profile-name command.
Policy Enforcement Module
The optional Policy Enforcement Module feature makes it possible to control network content by dropping or allowing traffic based on configured policies applied on a firewall tag associated with a user group. This includes Captive Portal users in release 3.7 and later. Meru’s firewall is generic, and can be used to prevent any subnet-to-subnet communication, for specific ports or all ports.
default(config-qosrule)# action drop
default(config-qosrule)# firewall-filter-id 1
default(config-qosrule)# firewall-filter-id-match on
default(config-qosrule)# qosrule-logging on
default(config-qosrule)# qosrule-logging-frequency 30
default(config-qosrule)# exit
default(config)# exit
To check the configuration of the policy, use the show qosrule command:
default# show qosrule
ID Dst IP Action Drop Dst Mask Firewall Filter 0.0.0.0 0.0.0.0 h323 capture head 2 0.0.0.0 0.0.0.
Proactive Spectrum Manager
Proactive Spectrum Manager, designed for single channel deployment, takes a top-level view into the channel spectrum, then recommends the best channel(s) for network operation. The PSM dashboard presents a goodness value for all channels and recommended channels of operation for the network using a chart with green (good) and red (don’t use) bars.
5. Optionally change the Adaption Interval from 30 to a value of either zero or 5 to 10080 seconds. (The values 1-4 seconds are not supported.) The adaptation interval determines how often channels can be automatically changed for this controller.
6. Click Start Wizard.
7. Confirm by clicking OK twice.
Click Graph Help to see what the chart colors mean. Click Details on either chart to see numeric values for the green bars in the charts.
RSA SecurID Authentication
RSA SecurID Server (Authentication Manager)
RSA Authentication Agent
RSA SecurID Authenticator
Token and Code
Each RSA SecurID token includes a factory-encoded, unique ‘seed.’ The token uses this unique seed to generate an authentication code at fixed intervals (for example, 60 seconds). By using the built-in clock time and the unique seed, the authentication code changes at fixed intervals. Since the token's clock and the server's clock are synchronized.
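The seed-plus-clock scheme described above is what every time-based token does, and the server-side half (tolerating a little clock skew, refusing a code that has already been used) is where deployments usually go wrong. The following is an added example, not code from the Meru guide and not RSA's proprietary SecurID algorithm: it uses the open TOTP construction (RFC 6238 over HMAC-SHA1) with the 60-second interval the text mentions, and a verifier that accepts one step of drift either way while rejecting replay of a consumed time step. The seed is a constructed sample; a real token's factory-encoded seed is never exposed to the user. Interval and digit count are parameters so the RFC 6238 reference vectors (30-second steps, 8 digits) can be checked too.

```python
# Added example (not from the Meru guide, and not RSA's SecurID algorithm): a
# generic time-based one-time code in the style the text describes, built on
# the open TOTP/HOTP construction (RFC 6238 / RFC 4226, HMAC-SHA1). The seed
# and times used are constructed samples.
import hashlib
import hmac
import struct

INTERVAL = 60   # seconds per code, matching the 60-second example in the text
DIGITS = 6


def code_for_counter(seed, counter, digits=DIGITS):
    """HOTP dynamic truncation of HMAC-SHA1(seed, counter) to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_code(seed, unix_time, interval=INTERVAL, digits=DIGITS):
    """Code the token would display at `unix_time`: the counter is the time step."""
    return code_for_counter(seed, unix_time // interval, digits)


class TokenVerifier:
    """Server side: accept a code for the current time step or within `drift_steps`
    of it (token/server clock skew), and never accept a time step that has
    already been consumed (replay protection)."""

    def __init__(self, seed, interval=INTERVAL, digits=DIGITS, drift_steps=1):
        self.seed = seed
        self.interval = interval
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_counter = -1

    def verify(self, submitted, server_time):
        base = server_time // self.interval
        for step in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + step
            if counter <= self.last_counter:
                continue  # this step, or an earlier one, has already been used
            expected = code_for_counter(self.seed, counter, self.digits)
            # constant-time compare: do not leak how many digits matched
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False
```

Keeping `last_counter` per token is what turns "the clocks are synchronized" into an actual security property: a code captured from one login cannot be reused within the drift window, and a code for a step older than one already accepted is refused even if the clocks would otherwise allow it.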
default(config-radius)# ip-address
default(config-radius)# key secure-secret
default(config-radius)# exit
Configure MAC Filtering
MAC filtering controls a user station’s access to the WLAN by permitting or denying access based on specific MAC addresses. A MAC address is unique to each IEEE 802-compliant networking device. In 802.
The following table summarizes the controller/Radius Server settings.

  Controller MAC filtering   RADIUS MAC filtering disabled       RADIUS MAC filtering enabled
  disabled                   no MAC filtering                    RADIUS MAC filtering only
  Permit ACL enabled         allow client in Permit list only    check Permit list first; if not in Permit list, check RADIUS server
  Deny ACL enabled           Deny list used only                 if not in Deny list, check RADIUS server

Configure MAC Filtering

MAC filtering can be set up for both the controller and the Radius Server.
  00:0c:e6:12:07:41

After creating the text file, transfer it to the controller's /images directory with the CLI copy command. Confirm that the file has been copied using the dir command.
To import a list of MAC addresses to deny, create a text file listing all the MAC addresses and import it. When creating the text file, include only one MAC address per line, in hexadecimal format (xx:xx:xx:xx:xx:xx).
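The import-file format and the permit/deny table from this section, as an added example that is not code from this guide or from Meru. parse_mac_list checks a file against the one-address-per-line xx:xx:xx:xx:xx:xx rule before it is copied to the controller, and mac_filter_decision encodes the six cells of the controller/Radius Server table. The RADIUS lookup is a stand-in callable and the addresses are constructed test data.

```python
"""MAC filter import-file validation and controller/RADIUS permit-deny decision.

Added example; not Meru code. Encodes the controller/Radius Server settings
table from the guide. The RADIUS round-trip is a stand-in callable and the
sample file contents are constructed.
"""
import re

# One colon-separated hex address per line, as the controller import expects.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def parse_mac_list(text: str):
    """Return (set of accepted lowercase MACs, list of (line number, bad line)).

    Anything the import format does not allow (other separators, missing
    octets, trailing text) is reported rather than silently dropped, so a
    typo does not end up as a missing Deny entry.
    """
    macs, errors = set(), []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().lower()
        if not line:
            continue
        if MAC_RE.match(line):
            macs.add(line)
        else:
            errors.append((n, raw))
    return macs, errors


def mac_filter_decision(mac, acl_type, acl, radius_enabled, radius_permits):
    """Decide whether a station may associate, per the settings table.

    acl_type:        None (controller MAC filtering disabled), 'permit' or 'deny'
    acl:             the controller's Permit or Deny list (lowercase MACs)
    radius_enabled:  whether Radius Server MAC filtering is enabled
    radius_permits:  callable(mac) -> bool standing in for the RADIUS check
    Returns (allowed, reason).
    """
    mac = mac.lower()
    if acl_type is None:
        if not radius_enabled:
            return True, "no MAC filtering"
        return radius_permits(mac), "RADIUS MAC filtering only"
    if acl_type == "permit":
        if mac in acl:
            return True, "in Permit list"
        if radius_enabled:
            return radius_permits(mac), "not in Permit list; RADIUS consulted"
        return False, "not in Permit list"
    if acl_type == "deny":
        if mac in acl:
            return False, "in Deny list"
        if radius_enabled:
            return radius_permits(mac), "not in Deny list; RADIUS consulted"
        return True, "not in Deny list"
    raise ValueError(f"unknown acl_type {acl_type!r}")


# Constructed sample import file: two valid lines, one with the wrong
# separator, one with a missing octet.
SAMPLE_FILE = """\
00:0c:e6:12:07:41
00:0C:E6:12:07:42
00-0c-e6-12-07-43
00:0c:e6:12:07
"""

if __name__ == "__main__":
    macs, errors = parse_mac_list(SAMPLE_FILE)
    print("accepted:", sorted(macs))
    print("rejected lines:", errors)
    print(mac_filter_decision("00:0c:e6:12:07:43", "permit", macs, True,
                              lambda m: m == "00:0c:e6:12:07:43"))
```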
For more information on configuring a Radius profile, see "Configure 802.1X Radius Security With the CLI" on page 125.

Configure an ESS Profile for MAC Filtering

Control is provided per ESS via settings in its Security Profile that turn the global MAC Filtering settings on or off for that ESS. For example, if controller-based MAC filtering or Radius Server MAC Filtering is enabled globally, the command no macfiltering disables those settings for the ESS.
Figure 16: Sample Certificates Returned by CA (Server, Intermediate, and Root)

Note: Generate Certificate Signing Requests (CSRs) directly on the controller using the Web UI, so that the private key is created and stays on the controller.

Generate a CSR on a Controller

To create a Certificate Request, follow these steps from the controller that needs a certificate:
1. Click Configuration > Certificate Management > Server Certificates. The Server Certificate window displays.
2. Click Add. The Certificate Add window displays.
3.
1. Click Configuration > Certificate Management > Trusted Root CA.
2. Click Import.
3. Browse to the Root CA file and select it.
4. Click Open and give the certificate an appropriate alias name. You can also open the certificate in any text editor and copy/paste the certificate's PEM text into the "Certificate PEM" text area shown below.
5. Click Import. You should see a message indicating that the import was successful.
6. Click OK > Close.
7.
Figure 18: Applications to Use Certificate

3. Click to select the Captive Portal or Web Administration & Management Application entry, or shift-click to select both.
4. Click Apply.
5. Click Close.
6. To ensure that the certificate is applied and activated, run the reload-security command from the system's CLI. The Apache web server must be restarted after a certificate is assigned to Captive Portal and/or the Management Applications; until it is, clients continue to be presented with the previously loaded certificate.
  Error Message                                   Why It Appeared                                                 How to Correct Problem
  Certificate already exists (with either the     The certificate has already been imported.                      Do nothing.
  same alias name or a different alias name)
  Certificate Public key verification failed      You selected an alias name that is different from the alias     Select the alias name that you used when creating the CSR
                                                  name of the certificate's CSR.                                  for this certificate.

The controller matches an imported certificate against the key pair stored under the chosen alias; a certificate whose public key does not correspond to that key pair cannot be used and is rejected.
Chapter 9 Authentication

There are three authentication methods available for administrators and two available for users. Administrators can be authenticated with Radius, TACACS+ or local authentication. Users can be authenticated with Radius or local authentication.

Radius Authentication

Conceptual 802.1X Model for Radius Authentication

The conceptual model for 802.1X authentication looks like this:

Figure 19: Conceptual Model for 802.1X Authentication
1. Depending on the EAP type, you may first need to obtain a digital certificate from the Certificate Server.
2. As the end user, contact the AP using EAP in order to be authenticated.
3. The AP forwards the request to the controller.
4. The controller acts as a Radius client and sends the request to the Radius server.
5.
You can also skip step 6 above and select the Primary Radius Profile Name and Secondary Radius Profile Name directly in the ESS as part of step 7.

Configure Radius Authentication for Administrators With the Web UI

Configure Radius authentication for all administrators by following these steps:
1. Click Configuration > User Management > Setup.
2. Select Radius for Authentication Type at the top of the screen. See Figure 21.
3.
9. Add administrators on the Radius server using these three privilege levels:
   1   Operator is the lowest authentication level and also the default. Operators can see statistics and results but cannot make any configuration changes.
   10  Administrators can also make general configuration changes, but cannot upgrade APs or controllers, nor upgrade System Director versions using Telnet. They cannot configure an NMS server or NTP server, or change the system password, date or time (all CLI).
  ramcntrl(0)(config-auth-mode)# secondary-radius-ip 172.18.1.7
  ramcntrl(0)(config-auth-mode)# secondary-radius-secret RadiusS
  ramcntrl(0)(config-auth-mode)# exit
  ramcntrl(0)(config)# exit
  ramcntrl(0)# sh authentication-mode

  Administrative User Management
  AuthenticationType             : radius
  Primary RADIUS IP Address      : 172.18.1.3
  Primary RADIUS Port            : 1812
  Primary RADIUS Secret Key      : *****
  Secondary RADIUS IP Address    : 172.18.1.
    Service-Type(6) = Value: Login(1)
    User-Password(2) = Value:

  MESSAGE: Access-Accept
  ATTRIBUTES:
    Framed-Protocol(7) = PPP(1)
    Service-Type(6) = Framed-User(2)
    Class(25)
    Message-Authenticator(80)
  OPTIONAL ATTRIBUTES (depends on EAP type):
    EAP-Message(79)
  OPTIONAL ATTRIBUTES (required for Radius-assigned VLAN):
    Tunnel-Medium-Type(65) = 802(6)
    Tunnel-Type(64) = VLAN(13)
    Tunnel-Private-Group-Id(81) =
  OPTIONAL ATTRIBUTES (depends on Radi
attempt that caused the switch is discarded, and the next Radius access that occurs goes to the Secondary Radius server. After about fifteen minutes, access reverts to the Primary Radius Server.

Every Radius accounting message (Start, Interim Update and Stop) includes the following attributes:

Table 9: Radius Accounting Attributes
  Radius Attribute   Description
  Session-ID         Client IP Address - Current Time. The session time returned from the Radius server has priority.
Table 9: Radius Accounting Attributes (continued)
  Radius Attribute      Description
  Acct-Input-Packets*   Number of packets received on this port (interface); sent in the Accounting-Request when the Accounting status type is STOP
  Acct-Output-Packets*  Number of packets sent on this port (interface); sent in the Accounting-Request when the Accounting status type is STOP
  Acct-Output-Octets*   Number of octets sent on this port (interface); sent in the Accounting-Request when the Accounting status type is STOP
  Acct-
Table 10: Radius Authentication Attributes
  Radius Attribute     Description
  NAS-Port             Unique value = essid << 11 | Sta AID
  NAS-Port-Type        Type of the physical port used for authentication = 19 (Wireless-IEEE-802.11)
  Called-Station-Id    Own MAC Address:ESSID Name
  Called-Station-Id    Own MAC Address
  Calling-Station-Id   STA MAC Address
  Framed-MTU           Max Radius MTU = 1250
  Connect-Info         Radio band of the station
  VLAN ID              VLAN Id of the ESS profile to which the client is trying to connect. Only available for 802.
Table 10: Radius Authentication Attributes (continued)
  Radius Attribute     Description
  EAP-Message          Returned by the Radius server
  Tunnel-Medium-Type   Indicates the transport medium, such as IPv4 or IPv6. In Captive Portal (CP), valid only if VPN is set. Also sent in the Access-Request in the case of CP.
  Tunnel-Type          The type of tunnel; in our case this should be VLAN, i.e. 13. If anything else is received, it is treated as ACCESS-REJECT. In CP, valid only if VPN is set. Also sent in the Access-Request in the case of CP.
  A list of acceptable SSIDs that does not include the ESSID    Connection is not accepted

The Radius server should return the allowed SSID(s) in a Vendor-Specific Attribute (VSA) with vendor code 9 and attribute number 1 in the Access-Accept message. The attribute value should be in string format, of the form ssid=SSID, where SSID is replaced by the actual SSID (also known as the ESSID).
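The Access-Accept attributes listed above (the Radius-assigned VLAN tunnel attributes from the message listing, the NAS-Port formula from Table 10, and the vendor 9 / attribute 1 ssid= VSA from this section), as an added example that is not code from this guide or from Meru. It encodes the attributes the way a Radius server would put them on the wire and then applies the two acceptance rules the text states on the controller side: a Tunnel-Type other than VLAN (13) is treated as an Access-Reject, and an SSID list that does not include the ESSID the station is joining means the connection is not accepted. The ESS index, AID, VLAN and SSID values are constructed.

```python
"""RADIUS Access-Accept attributes for VLAN assignment and SSID restriction.

Added example; not Meru code. Encodes Tunnel-Type (64), Tunnel-Medium-Type
(65), Tunnel-Private-Group-Id (81) and the Cisco VSA (vendor 9, attribute 1)
carrying "ssid=<SSID>", then evaluates them with the rules the guide states.
All numeric inputs and SSIDs are constructed test values.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13          # anything else is treated as Access-Reject
TUNNEL_MEDIUM_802 = 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def nas_port(essid_index: int, aid: int) -> int:
    """NAS-Port as Table 10 defines it: essid << 11 | station AID."""
    return (essid_index << 11) | aid


def avp(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: type, length (including the 2 header bytes), value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def tunnel_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 24-bit value."""
    return avp(attr_type, bytes([tag]) + struct.pack(">I", value)[1:])


def tunnel_string(attr_type: int, value: str, tag: int = 0) -> bytes:
    return avp(attr_type, bytes([tag]) + value.encode())


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific: 4-byte vendor id, then vendor type/length/data."""
    inner = struct.pack("BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + inner)


def build_accept(vlan_id: int, allowed_ssids, tunnel_type: int = TUNNEL_TYPE_VLAN) -> bytes:
    """Attribute bytes a Radius server would place in the Access-Accept."""
    out = tunnel_int(TUNNEL_TYPE, tunnel_type)
    out += tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
    out += tunnel_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id))
    for ssid in allowed_ssids:
        out += cisco_avpair(f"ssid={ssid}")
    return out


def parse_attrs(data: bytes):
    """Yield (type, value) pairs; refuse a length that would overrun the buffer."""
    i = 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        yield t, data[i + 2:i + length]
        i += length


def evaluate_accept(data: bytes, essid: str):
    """Controller-side view: return (accepted, vlan_or_None, reason)."""
    vlan, ssids, tunnel_type = None, [], None
    for t, v in parse_attrs(data):
        if t == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            s = v[1:] if v and v[0] <= 0x1F else v      # strip the tag byte if present
            vlan = int(s.decode())
        elif t == VENDOR_SPECIFIC and int.from_bytes(v[:4], "big") == CISCO_VENDOR_ID:
            vtype, vlen = v[4], v[5]
            if vtype == CISCO_AVPAIR:
                text = v[6:4 + vlen].decode()
                if text.startswith("ssid="):
                    ssids.append(text[5:])
    if tunnel_type is not None and tunnel_type != TUNNEL_TYPE_VLAN:
        return False, None, f"Tunnel-Type {tunnel_type} is not VLAN; treated as Access-Reject"
    if ssids and essid not in ssids:
        return False, None, f"ESSID {essid!r} not in allowed list {ssids}"
    return True, vlan, "accepted"


if __name__ == "__main__":
    msg = build_accept(100, ["corp", "guest"])
    print("NAS-Port for ESS 2, AID 5:", nas_port(2, 5))
    print(evaluate_accept(msg, "corp"))
    print(evaluate_accept(msg, "lab"))
```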
   10  Administrators can also make general configuration changes, but cannot upgrade APs or controllers, nor upgrade System Director versions using Telnet. They cannot configure an NMS server or NTP server, or change the system password, date or time (all CLI). They cannot create admins, nor can they set the authentication mode for a controller (GUI and CLI). Administrators cannot add or remove licensing.
   15  SuperUser administrators can perform all configurations on the controller.
  Administrative User Management
  AuthenticationType             : tacacs+
  Primary RADIUS IP Address      : 172.18.1.3
  Primary RADIUS Port            : 1812
  Primary RADIUS Secret Key      : *****
  Secondary RADIUS IP Address    : 172.18.1.7
  Secondary RADIUS Port          : 1812
  Secondary RADIUS Secret Key    : *****
  Primary TACACS+ IP Address     : 172.18.1.5
  Primary TACACS+ Port           : 49
  Primary TACACS+ Secret Key     : *****
  Secondary TACACS+ IP Address   : 172.18.1.
  ramcntrl(0)#
7. Optionally repeat steps 4, 5 and 6 for a secondary TACACS+ server.
8. Click OK.
9. Add administrators on the TACACS+ server using these three privilege levels:
   1   Operator is the lowest authentication level and also the default. Operators can see statistics and results but cannot make any configuration changes.
   10  Administrators can also make general configuration changes, but cannot upgrade APs or controllers, nor upgrade System Director versions using Telnet.
CLI Example for Configuring a Local Admin

  ramcntrl(0)# configure terminal
  ramcntrl(0)(config)# authentication-mode global
  ramcntrl(0)(config-auth-mode)# authentication-type local
  ramcntrl(0)(config-auth-mode)# exit
  ramcntrl(0)(config)# exit
  ramcntrl(0)# sh authentication-mode

  Administrative User Management
  AuthenticationType             : local
  Primary RADIUS IP Address      : 0.0.0.0
  Primary RADIUS Port            : 1812
  Primary RADIUS Secret Key      : *****
  Secondary RADIUS IP Address    : 0.0.0.
Figure 22: Setting Local Authentication for Admins

5. Provide the user name for a local administrator.
6. Provide a password for that local administrator.
7. Enter a privilege level: 15 (Superuser), 10 (Admin) or 1 (Operator); see the descriptions for each level below.
8. Click OK.

164 Meru System Director Configuration Guide © 2012 Meru Networks, Inc.
802.1X Authentication

Authentication in the 802.11 standard is focused more on wireless LAN connectivity than on verifying user or station identity. For enterprise wireless security to scale to hundreds or thousands of users, an authentication framework that supports centralized user authentication must be used, either in addition to the WEP type specified by 802.11 or by using WPA/WPA2, which incorporates TKIP/CCMP-AES encryption together with 802.1X authentication. The use of IEEE 802.
EAP-TLS

EAP-TLS (Transport Layer Security) provides certificate-based mutual authentication between the client and the network. It relies on client and server certificates for authentication and can be used to dynamically derive user-based and session-based encryption keys that secure subsequent communication between the WLAN client and the access point.
  Provider                   Microsoft   Microsoft   Funk       MS         Cisco
  Authentication Attributes  One way     Mutual      Mutual     Mutual     Mutual
  Deployment Difficulty      Easy        Difficult   Moderate   Moderate   Moderate
  Wireless Security          Poorest     Highest     High       High       High

The following notes apply to the authentication mechanisms above:
1. MD5 is not typically used, as it provides only one-way authentication.
Chapter 10 Captive Portals for Temporary Users

If you want to give limited wireless access to a group of users, use Captive Portal. Captive Portal is a feature designed to isolate temporary users on a network, for example guests in a company or students using a library. If Captive Portal is enabled, HTTP over Secure Sockets Layer (SSL, also known as HTTPS) provides an encrypted login exchange between the user's browser and the controller; the controller then checks the submitted credentials against the Radius server, and the user is held at the portal until authenticated and authorized.
Optionally Customize and Use Your Own HTML Pages

If you want to create custom Captive Portal login and success pages with your own logos and credentials, complete the directions in this section. You do not need to do this if you plan to use all of the default Captive Portal pages provided by Meru Networks (see the login example in Figure 23).
Create Custom Pages

The easiest way to create your own set of custom pages is to download the Meru default files and use the two customizable ones (the Login page and the Success page) as templates, giving the two altered HTML pages new names. To do this, follow these steps:
1. Get the template files. Click Maintenance > Captive Portal > Customization > Get Files. A zip file called zip.tar.gz is downloaded to your computer. When zip.tar.gz is unpacked, you see the folder html.
4. If you want to remove the word Meru or make any other changes in the four remaining files, loginformWebAuthRetry.html, logoffUser.html, loggedoff.html and logoffUserFailed.html, alter the default files that you downloaded in Step 1 and import them as you did in Step 3. All five sets of Portal pages (default, CP1, CP2, CP3 and CP4) will then use the default files that you altered, because these four files exist in only one version. See Figure 25.
Determine who will see which pages. Point to two custom Captive Portal pages with the CLI command web custom CaptivePortal[1|2] <landing-file-name> <success-file-name>. Then point to the network or subnet that should receive the custom Captive Portal pages with web custom CaptivePortal[1|2] <subnet> <mask>.
indicate which subset of users should see the custom pages by following these steps:
1. Make sure that security logging is set to on by clicking Configuration > Security > Profile and then selecting a security profile from the list. The security logging setting is near the bottom of the Security Profile Table. This setting must be on for Captive Portal configuration to work.
2. Click Maintenance > Captive Portal > Custom CP.
Note: The L3 User Session Timeout field is for specific clients that get de-authenticated when they enter sleep mode. It specifies how many minutes the controller retains such a client in memory before the client is dropped from the Captive Portal authenticated state.

7. Click OK. The custom HTML files are now configured.
  MC3K-1(config)# exit
  MC3K-1#
  MC3K-1# show guest-user

  Guest User Table(1 entry)
  Guest User Name   Service Start Time    Service End Time
  Guest             01/01/2010 00:00:00   01/01/2011 00:00:00

The commands in this section show how to configure Captive Portal. The Radius server user configuration is performed separately and is vendor-specific. (Check the Customer Service website for applicable Application Notes.)
The guest user features of both releases are as follows.

  Guest User Feature                 Supported
  Number of users                    32
  Add/delete users                   yes
  Change user's password             yes
  Time of day login                  yes
  Day of month login                 yes
  Assigned to local administrators   yes

CLI Example - Create Guest User ID

This CLI example creates the guest user named Guest:

  MC3K-1# configure terminal
  MC3K-1(config)# guest-user ?
    Enter the name of the guest user.
There is an additional option for Local Authentication: when local authentication for a Captive Portal user fails, Radius authentication is checked automatically. This option is called Local and Radius. From the Web UI, configure it by clicking Configuration > Security > Captive Portal, selecting an SSL Server, and using the Captive Portal Authentication Type drop-down box (see below).
The last entry in the filter should be a rule that drops all other traffic, so that nothing except the configured passthrough traffic can traverse the Captive Portal without authentication. Order matters: a passthrough rule placed after the drop-all rule is never reached.

Captive Portal With N+1

Captive Portal changes are propagated in an N+1 environment as follows. When a slave takes over from a master, it uses the master's Captive Portal pages. If changes are made on that active slave, the change is not automatically propagated to the master.
Configure Third-Party Captive Portal With the Web UI

Indicate that a third-party Captive Portal solution will be used in the Security Profile by setting Captive Portal Authentication Method to external. For complete directions, see Configure a Security Profile With the Web UI. Indicate that a third-party Captive Portal solution will be used in the Captive Portal configuration by setting Captive Portal External URL to the URL of the Captive Portal box:
1.
  controller1# change_mac_state 172.18.19.14 on ftp_only
  controller1#
  controller1# change_mac_state 172.18.19.14 ?
    off   Web Auth mode off.
    on    Web Auth mode on.
  controller1# change_mac_state 172.18.19.14 off ?
    Enter the Filter Id.
  controller1# change_mac_state 172.18.19.
  Controller(config)# ssl-server captive-portal authentication-type ?
    local          Set Authentication Type to local.
    local-radius   Set Authentication Type to Local and Radius.
    radius         Set Authentication Type to radius.

The following example configures an authentication Radius profile named radius-auth-pri.
Chapter 11 Rogue AP Detection and Mitigation Rogue APs are unauthorized wireless access points. These rogues can be physically connected to the wired network or they can be outside the building in a neighbor's network or they can be in a hacker’s parked car. Valid network users should not be allowed to connect to the rogue APs because rogues pose a security risk to the corporate network.
To prevent clients of unauthorized APs from accessing your network, enable the options for both scanning for the presence of rogue APs and mitigating the client traffic originating from them. These features are set globally from either the CLI or Web UI, with the controller managing the lists of allowable and blocked WLAN BSSIDs and coordinating the set of APs (the mitigating APs) that perform mitigation when a rogue AP is detected.
Configuring Rogue AP Mitigation with Web UI

To prevent clients of unauthorized APs from accessing your network, enable the options for both scanning for the presence of rogue APs and mitigating the client traffic originating from them. These features are set globally, with the controller managing the lists of allowed and blocked WLAN BSSIDs and coordinating the set of APs (the Mitigating APs) that perform mitigation when a rogue AP is detected.
Alter the List of Allowed APs with the Web UI

To change the list of allowed APs, follow these steps:
1. From the Web UI, click Configuration > Wireless IDS/IPS > Rogue APs > Allowed APs. The Allowed APs screen appears. See Figure 28.

Figure 28: Web UI List of Allowed APs

2. To add a BSSID to the list, click Add.
   a. In the BSSID boxes, type the BSSID, in hexadecimal format, of the permitted access point.
   b. To add the BSSID to the ACL, click OK.
3.
3. To add an AP to the blocked list, click Add.
   a. In the BSSID box, type the BSSID, in hexadecimal format, of the access point.
   b. Add the BSSID to the ACL by clicking OK.
4. The blocked BSSID now appears on the list with the following information:
   — BSSID: The access point's BSSID.
   — Creation Time: The timestamp of when the blocked AP entry was created.
   — Last Reported Time: The time the AP was last discovered.
network are mitigated. When Block clients seen on the wire is selected and the BSSID of the wired rogue client is entered in the blocked list (see Alter the List of Blocked APs with the Web UI), only listed clients are mitigated.
4. In the Rogue AP Aging box, type the amount of time that passes before the rogue AP alarm is cleared if the controller no longer detects the rogue. The value can be from 60 through 86,400 seconds.
5.
Table 12: CLI Commands for Configuring Rogue Detection
  Rogue Detection Command   Action
  rogue-ap acl              Adds to the list of allowed BSSIDs
  rogue-ap blocked          Adds to the list of blocked BSSIDs
  show rogue-ap globals     Displays current rogue data
  ----------------   --------------   --------------
  00:0c:e6:cd:cd:cd  11/02 01:05:54   11/02 01:06:20

The commands to enable and confirm the rogue AP detection state are as follows:

  controller(config)# rogue-ap detection
  controller# show rogue-ap globals

  Global Settings
  Detection                               : on
  Mitigation                              : none
  Rogue AP Aging (seconds)                : 60
  Number of Candidate APs                 : 3
  Number of Mitigating APs                : 5
  Scanning time in ms                     : 100
  Operational time in ms                  : 400
  Max mitigation frames sent per channel  : 10
Modifying Detection and Mitigation CLI Settings

The default settings for the rogue AP detection and mitigation features are adequate for most situations. However, many defaults can be changed if your network requires lighter or heavier scanning and/or mitigation services. The rogue-ap commands are:

  controller(config)# rogue-ap ?
    acl      Add a new rogue AP ACL entry.
    aging    Sets the aging of alarms for rogue APs.
Changing the Number of Mitigating APs with the CLI

By default, the controller selects three Mitigating APs to perform scanning and mitigation. This number can be set anywhere from 1 up to 20 APs, depending on the needs of your network, although assigning a high number of APs to mitigation is not recommended because they can interfere with each other while mitigating the rogue.
Changing the Minimum RSSI with the CLI

The minimum RSSI is the threshold at which APs attempt to mitigate rogues; if a rogue's signal is very weak (a distant AP), APs do not try to mitigate it. The command to change the minimum RSSI (Received Signal Strength Indication) level, at or above which a station is mitigated, is rogue-ap min-rssi. Levels from 0 to -100 are supported; the default is -100, which mitigates every rogue that is detected.
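The controller-side decisions described in this chapter (allowed and blocked BSSID lists, the rogue-ap min-rssi threshold and rogue-ap aging), as an added example that is not code from this guide or from Meru. It classifies a set of observed BSSIDs into the ones the Mitigating APs should act on, enforces the value ranges the text gives for min-rssi (0 to -100, default -100) and aging (60 to 86,400 seconds, default 60), and shows how raising min-rssi excludes a weak, distant rogue from mitigation. The observation records are constructed.

```python
"""Rogue AP classification with allow/block lists, an RSSI threshold and aging.

Added example; not Meru code. Models the controller-side decisions the guide
describes: an allowed BSSID is never mitigated, a blocked BSSID always is,
any other observed BSSID is mitigated only when its RSSI is at or above
rogue-ap min-rssi, and an entry whose last report is older than rogue-ap
aging has its alarm cleared. The observation records are constructed.
"""

MIN_RSSI_DEFAULT = -100     # dBm; mitigate everything detected
AGING_DEFAULT = 60          # seconds before a no-longer-seen rogue's alarm clears


def validate_settings(min_rssi: int, aging: int) -> None:
    """Enforce the ranges the CLI accepts for rogue-ap min-rssi and rogue-ap aging."""
    if not -100 <= min_rssi <= 0:
        raise ValueError("rogue-ap min-rssi must be between -100 and 0")
    if not 60 <= aging <= 86_400:
        raise ValueError("rogue-ap aging must be between 60 and 86400 seconds")


def classify(bssid, rssi, last_seen, now, allowed, blocked,
             min_rssi=MIN_RSSI_DEFAULT, aging=AGING_DEFAULT) -> str:
    """Return 'allowed', 'aged-out', 'blocked', 'rogue-mitigate' or 'rogue-watch'."""
    validate_settings(min_rssi, aging)
    b = bssid.lower()
    if b in allowed:
        return "allowed"             # rogue-ap acl entry: our own or a known neighbour
    if now - last_seen > aging:
        return "aged-out"            # not reported within the aging window; alarm cleared
    if b in blocked:
        return "blocked"             # rogue-ap blocked entry: always mitigated
    if rssi >= min_rssi:
        return "rogue-mitigate"      # strong enough to be a threat to our clients
    return "rogue-watch"             # too weak (distant); detected but left alone


def mitigation_targets(observations, now, allowed, blocked, **settings):
    """Reduce (bssid, rssi, last_seen) records to the sorted BSSIDs to mitigate."""
    return sorted(
        bssid for bssid, rssi, seen in observations
        if classify(bssid, rssi, seen, now, allowed, blocked, **settings)
        in ("blocked", "rogue-mitigate"))


if __name__ == "__main__":
    # Constructed scan results; times are seconds on the controller's clock.
    now = 10_000
    allowed = {"00:0c:e6:aa:aa:aa"}
    blocked = {"00:0c:e6:bb:bb:bb"}
    obs = [
        ("00:0c:e6:aa:aa:aa", -40, now),        # one of ours
        ("00:0c:e6:bb:bb:bb", -90, now - 10),   # explicitly blocked, even though weak
        ("00:0c:e6:cd:cd:cd", -55, now - 30),   # unknown and strong
        ("00:0c:e6:dd:dd:dd", -85, now - 5),    # unknown and weak
        ("00:0c:e6:ee:ee:ee", -30, now - 600),  # not reported for ten minutes
    ]
    print("defaults:      ", mitigation_targets(obs, now, allowed, blocked))
    print("min-rssi -70:  ", mitigation_targets(obs, now, allowed, blocked, min_rssi=-70))
```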
  Max mitigation frames sent per channel  : 10
  Scanning Channels                       : 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
  RSSI Threshold for Mitigation           : -100

Modify Rogue Detection and Mitigation Settings with the CLI

The default settings for the rogue AP detection and mitigation features are adequate for most situations.
Figure 30: Web UI List of Allowed APs

2. To add a BSSID to the list, click Add.
   a. In the BSSID boxes, type the BSSID, in hexadecimal format, of the permitted access point.
   b. To add the BSSID to the ACL, click OK.
3. To delete a BSSID from the list, select the BSSID, click Delete, then OK.

Alter the List of Blocked APs with the Web UI

To change the list of blocked APs, follow these steps:
1.
   — Last Reported Time: The time the AP was last discovered. If this field is blank, the AP has not been discovered yet.
5. To remove a blocked BSSID from the ACL, select the checkbox of the blocked AP entry you want to delete, click Delete, and then click OK.

Configure Scanning and Mitigation Settings with the Web UI

To configure rogue AP scanning and mitigation settings, follow these steps:
1.
6. In the Scanning time in ms text box, enter the amount of time Mitigating APs spend scanning the scanning channels for rogue APs. This can be from 100 to 500 milliseconds.
7. In the Operational time in ms text box, enter the amount of time Mitigating APs spend in operational mode on their home channel. This can be from 100 to 5000 milliseconds.
8.
Chapter 12 Configuring VLANs

A virtual local area network (VLAN) is a broadcast domain that can span wired or wireless LAN segments. Each VLAN is a separate logical network. Several VLANs can coexist within any given network, logically segmenting traffic by organization or function. In this way, all systems used by a given organization can be interconnected independent of physical location. This limits the broadcast domain and increases security, because traffic between VLANs must pass through a router or firewall where it can be filtered.
Bridged APs in a VLAN

In order to map an ESSID to a VLAN, the VLAN must first be configured. To create a VLAN from the CLI, use the command vlan <name> tag <id>. The name can be up to 16 alphanumeric characters long and the tag id between 1 and 4,094.
Bridged VLANs support:
  Virtual Port
  Radius profile for MAC Filtering/1x/WPA/WPA2
  Standard DSCP/802.1q to AC mapping defined in WMM

Bridged VLANs do not support:
  Meru rule-based QoS rules. Instead, bridged VLANs support a standard DSCP/802.1q to AC mapping defined in WMM.
  Display of mobiles' DHCP addresses
  Printing IP address changes or discoveries in a station log
  Captive Portal related Radius profiles
  RADIUS assigned VLANs (even with 802.
More About VLANs in the Security chapter.

VLANs and GRE tunnels can coexist within any given network, logically segmenting traffic by organization or function. In this way, all systems used by a given organization can be interconnected, independent of physical location. This has the benefit of limiting the broadcast domain and increasing security.
Chapter 13 Configuring Access Points

This chapter includes instructions for the following:
  How AP Discovery Works
  Add and Configure an AP with the Web UI
  Configure an AP's Radios with the Web UI
  Add and Configure an AP with the CLI
  Configure an AP's Radios with the CLI
  Configuring an AP's Radio Channels
  Supported Modes of Operation for APs
  Configure Gain for External Antennas
  Automatic AP Upgrade
  Viewing AP Status

How AP Discovery Works

There are three types of access point discovery:
"wlan-controller." This presumes the DNS server knows the domain name where the controller is located. The domain name can be entered via the AP configuration or obtained from the DHCP server, but without it a Layer 3-configured AP will fail to find a controller. Alternately, you can configure the AP to point to the controller's IP directly (if the controller has a static IP configuration).
Figure 32: Add an AP to the Network

2. Provide the following values and then click OK.

  Field               Description
  AP ID (required)    Unique numeric identifier for the AP, up to 9999
  AP Name (required)  Alphanumeric string up to 64 characters long, assigned as the identifier for the access point. It can be helpful to name the AP something descriptive, such as a means of indicating its location in the building.
  Field                 Description
  Floor (optional)      Alphanumeric string up to 64 characters long
  Contact (optional)    Alphanumeric string up to 64 characters long
  LED Mode (optional)   Sets LED appearance on AP300/AP400 and AP1000.
                        Normal: LEDs are as described in the Access Point Installation Guide
                        Node ID: Not supported in release 5.1
                        Blink: Sets all LEDs flashing; this is useful to locate one AP. The blink sequence is unique for different AP models.
  Field                                  Description
  Power Supply Type (AP300 only;         802.3-af: Default AP300 power supply. Select this when using traditional PoE. This power supply type supports 2x2 MIMO mode on both radios; the radios cannot run 3x3 MIMO with this PoE.
  not configurable with AP400)           802.3-at: Select when using a higher-powered, next-generation PoE. This power supply type supports 3x3 MIMO mode on AP320 and AP400.
                                         5V-DC: Select when the AP300 is plugged into a wall outlet.
  Field     Description
  Channel   In the drop-down list, select the channel number for the wireless interface to use. The channel numbers displayed depend on the RF Band Selection and the regulatory domain for each country; for example, in the United States 802.11b shows channels 1 through 11 and 802.11a shows channels 36, 40, 44, etc. Two access points can belong to the same virtual AP only if they are on the same channel.
  Field               Description
  802.11n Only Mode   802.11n only mode is for AP300/AP400/AP1000s with N capability. Select:
                      On: to support only 802.11n
                      Off: (default) to support 802.11a/n or 802.11b/g/n
  Virtual Cell        Virtual Cell Mode enables Virtual Cell for AP300/AP400 only.
  Command                                            Purpose
  connectivity l2-only | l2-preferred | l3-preferred For AP300/AP400, AP100 and AP150, this setting configures Layer 2 or Layer 3 connectivity to the controller. Using either l3-preferred or l2-preferred also enters AP connectivity mode, where additional connectivity configuration can be done.
Configure a Layer 3 AP with the CLI

The following commands set up a Layer 3 configuration for an AP that is not in the same subnet as the controller. They specify that the AP obtains its own IP address from DHCP, which also lets it use a DNS server to resolve the controller's address.
Configure AP Power Supply, Channel Width, and MIMO Mode with CLI

Set the power supply type, channel width and MIMO mode by following these steps:
1. Open a terminal session on the controller.
2. Enter configuration mode with the command configure terminal at the CLI prompt.
3. Select the AP with the command ap #, for example, for AP1:
     default(config)# ap 1
4. Set the power supply value to 5V-DC for AP Power, 802.3af Power Over Ethernet, 802.
Configure an AP's Radios with the CLI

Before you can configure any radio settings, you need to enter radio interface configuration mode. To do this, follow these steps:

Table 15: Entering Radio Interface Configuration Mode
  Command              Purpose
  configure terminal   Enter global configuration mode.
  interface Dot11Radio Enter interface configuration for the specified AP and radio interface.
Table 16: Commands available in Radio Interface Configuration Mode
  Command                  Purpose
  n-only-mode (new in 3.6) Supports only 802.11n clients on the radio to improve performance.
  power                    Note: Obsolete. Use the localpower command instead.
  preamble-short           Enables or disables short preambles.
  protection-mode          Configures 802.11b/g interoperability mode. This setting defaults to auto and should not be changed without consulting Meru Support.
802.11a Channel Maximum Transmit Power (dBm) for United States
  Channel   Maximum Transmit Power (dBm)
  36        17
  40        23
  44        23
  48        23
  52        30
  56        30
  60        30
  64        30
  100       30
  104       30
  108       30
  112       30
  116       30
  120       30
  124       30
  128       30
  132       30
  136       30
  140       30
  149       36
  153       36
  157       36
  161       36
  165       36
Use the localpower command in the Dot11Radio interface configuration mode to configure the maximum power level:
  localpower max-level
For example, to set the 802.11a radio maximum power to 15, type:
  localpower 15

Enable and Disable Short Preambles with the CLI
The radio preamble, also called the header, is a section of data at the head of a packet that contains information that the access point and client devices need when sending and receiving packets.
Configuring an AP’s Radio Channels
Set a Radio to Support 802.11n Only with the CLI
To set an AP320 radio interface to support only 802.11n clients, and thus improve throughput, use the following command from the Dot11Radio interface configuration mode:
  n-only-mode
To disable 802.11n-only support, use the command:
  no n-only-mode
Note that all APs on the same channel in a Virtual Cell must have the same setting for n-only mode.
To assign a channel, use the Dot11Radio interface command channel. With the Web UI, configure a channel by clicking Configuration > Wireless > Radio, selecting a radio, and then selecting a channel from the drop-down list.

Replacing APs
Note: Replacing one AP model with another usually preserves the settings of the original configuration. A newer AP may have settings that the older one does not; those settings will be set to the default.
(Replace the old APs with the new APs)

Supported Modes of Operation for APs
AP300/AP400 and AP1000 with two radios can have both set to 5.0 GHz, but both radios cannot be set to 2.4 GHz. If you want to use both radios on 2.4 GHz, put the radios on separate channels.
When APs are in a Virtual Cell
  ESSID Security    AP300/AP400/AP1000 Realize These 11n Benefits
  Clear and WPA2    All 11n benefits are realized.
  WEP and WPA       No 11n benefits are realized. Clients behave like legacy ABG clients.
  Mixed Mode        11n performance in an ESS configured for mixed mode depends on the kind of application used in the network. Only WPA2 clients connected to mixed mode have 11n benefits. WPA clients behave like legacy ABG clients.
Note: The antenna gain value can never exceed the local power of the radios as set in the Dot11 physical configuration.

Automatic AP Upgrade
The automatic AP upgrade feature is enabled by default. It allows an AP’s firmware to be automatically upgraded by the controller when the AP joins the WLAN. An AP cannot provide service (and consequently be part of the WLAN) if its firmware is at a different level than that of the controller.
Viewing AP Status
  Audit Polling Period (seconds)/0 disable Polling   : 60
  Software Version                                    : 3.
  Network Device Id                                   :
  System Id                                           :
  Default AP Init Script                              :
  DHCP Relay Passthrough                              :
  Controller Model                                    :
  Country Setting                                     : America
Table 17: Commands to View System Status
  show ap-siblings
      Displays the AP Siblings table. APs operating on the same channel that can hear each other are AP siblings. APs can hear beacons with RSSI as low as -80 to -85 dBm; RSSI values lower than this are not heard.
  show ap-swap
      Displays the access point replacement table.
  show ess-ap
      Displays the ESS-AP table for the access point.
  show interfaces Dot11radio
      Displays the configuration of the wireless interface.
Chapter 14 Intercontroller Roaming When a wireless client can maintain connection from one AP to another, this is roaming. When a client can roam between APs on different controllers on different IP subnets without losing its IP address, roaming becomes inter-controller roaming. Meru Networks’ Intercontroller Roaming feature (ICR) provides IP-IP tunnel-based routing between a group of controllers (a roaming domain) to support IP address mobility for stations.
How Inter-Controller Roaming Works After 802.11 re-authentication takes place on a subsequent AP and controller, the station’s original IP address and connectivity are preserved. (Note that the QoS flows are not handed off across the roaming domain.) Note that intercontroller roaming does not support the dynamic addition or deletion of peers or anchored ESSIDs to/from the roaming domain. Before adding/deleting any peers to/from the existing list, stop the roaming-domain using the command stop.
ICR Limitations
Each controller is identified by one IP address, and this must be the virtual IP address in the Meru interface. No controller IP interface address that participates in a roaming domain can reside in a VLAN interface. This address is used as the end-point of inter-controller tunnels. Stations can use VLAN-connected ESSIDs. Each controller maintains a list of roaming group members as IP addresses.
Chapter 15 Configuring Quality of Service Quality of Service rules evaluate and prioritize network traffic types. For example, you can prioritize phone calls (VoIP) or prioritize a certain department in a company. This chapter describes QoS settings for Meru Wireless LAN System.
Configuring QoS Rules With the Web UI
Figure 34: Add a QoS Rule
3. In the ID field, type a unique numeric identifier for the QoS rule. The valid range is from 0 to 6000.
4. In the Destination IP fields, type the destination IP address to be used as criteria for matching the QoS rule. The destination IP address is used with the destination subnet mask to determine matching.
5. In the Destination Netmask fields, type the subnet mask for the destination IP address.
6.
If you are also using a QoS protocol detector, you must match the network protocol with the type of QoS protocol. Use the following network protocol and QoS protocol matches:
  — UDP: SIP
  — TCP: H.323v1 or SIP
11. In the Firewall Filter ID field, enter the filter ID to be used (per-user or per-ESS) if Policy Enforcement Module configuration is enabled (optional feature). This ID must be between 1 and 16 alphanumeric characters.
12.
Configuring QoS Rules With the Web UI 19. In the Priority box, type the priority at which the flow is placed in a best-effort queue. Packets in a higher priority best-effort queue are transmitted by access points before packets in lower-priority queues, but after packets for reserved flows. Priority can be a value from 0 through 8, with 0 specifying no priority and 8 specifying the highest priority. The default value is 0.
Configuring QoS Rules With the Web UI More About the Match Checkbox and Flow Class Checkbox The two checkboxes Match and Flow Class operate independently from each other; they perform two different functions. Match will almost always be used because checking this box indicates that the setting on the left must match - this sets the matching criteria for the QoS rule. You can check more than one matching criteria. Matching is the first phase of QoS rule execution - see the green box in Figure 35.
Figure 35: How QoS Rules Work (1. Match criteria; 2. Take action; 3. Rate limit)
Note: During creation of a QoS rule, at least one Match Flow flag must be selected or else the system will not allow the user to proceed.
Configuring QoS Rules With the CLI
To configure QoS rules with the CLI, you need to be in QoS Rule configuration mode. Enter configure terminal, then specify a QoS rule with the command qosrule <rule-id>. See the chart below for the options for these two commands.
  configure terminal
      Enter global configuration mode.
  qosrule rule-id netprotocol {6|17|protocolnumber} qosprotocol {H323v1|sip|none}
      Enter QoS Rule configuration for the specified rule ID.
  dstip ip
      Destination IP in the format 255.255.255.255.
  dstmask ipmask
      Destination netmask in the format 255.255.255.255.
  dstport port
      Destination port number from 0 to 65535.
  srcip ip
      Source IP in the format 255.255.255.255.
  srcmask ipmask
      Source netmask in the format 255.255.255.255.
  srcport port
      Source port number from 0 to 65535.
  action {forward | capture | drop}
      Action to take for packets matching the rule.
  avgpacketrate rate
      Average packet rate, from 0 to 200 packets per second. If this is a non-zero value, then the TSpec token bucket rate must also be a non-zero value, and priority cannot be set to a non-zero value. Defaults to 0.
  tokenbucketrate rate
      TSpec token bucket rate, from 0 to 1000 Kbps or 1-64 Mbps, depending on the box checked.
  controller(config-qosrule)# dstip subnet_IP_addr (for example, 172.27.128.0)
  controller(config-qosrule)# dstmask subnet_mask (for example, 255.255.192.
Optimizing Voice Over IP
Transmitting voice over IP (VoIP) connections is, in most senses, like any other network application. Packets are transmitted and received from one IP address to another. The voice is encoded into binary data at one end and decoded at the other end. In some sense, voice is just another form of data. However, there are a few special problems.
In practice, this means that if your VoIP devices are configured correctly, that is, if they know how to find their SIP or H.323v1 server and the servers understand how to find them, then the VoIP devices should work when communicating over the Meru Wireless LAN System without any special configuration.
Global QoS Settings
  ID  Dst IP   Dst Mask  Dst Port  Src IP   Src Mask  Src Port  Net Proto  QoS Proto  Action   Drop Policy
  7   0.0.0.0  0.0.0.0   5200      0.0.0.0  0.0.0.0   0         17         other      forward  head
  8   0.0.0.0  0.0.0.0   0         0.0.0.0  0.0.0.0   5200      17         other      forward  head
QoS and Firewall Rules (6 entries)
The first two pre-configured QoS rules give priority to H.323v1 traffic sent to and from TCP port 1720 respectively. The next two QoS rules give priority to SIP traffic sent to and from UDP/TCP port 5060 respectively. Rules 7 and 8 are for Vocera badges and use port 5200 with UDP.
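To show how the match criteria from the qosrule CLI table combine into a decision, here is a small Python model. It is an added example, not code from the guide or from the System Director software. It reconstructs the pre-configured H.323v1, SIP and Vocera rules described above together with rule 23 (rate-limited subnet), rule 60 (DNS) and rule 61 (drop) from the rule dumps later in this chapter, and check_tspec implements the avgpacketrate/tokenbucketrate/priority constraint stated in the CLI table. The IDs 1 to 4 for the H.323v1 and SIP rules, rule 61's source subnet, the use of the lowest-numbered matching rule to decide the action, and forward as the default when nothing matches are assumptions.

```python
"""Model of how a QoS rule's match criteria select a packet.

Added example; not code from the Meru System Director guide. Assumptions:
a criterion whose match flag is off is ignored; when several rules match,
the lowest-numbered one decides; no match means forward.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class QosRule:
    rule_id: int
    netprotocol: int = 0           # 0 = any, 6 = TCP, 17 = UDP
    qosprotocol: str = "none"      # H323v1 | sip | none | other
    dstip: str = "0.0.0.0"
    dstmask: str = "0.0.0.0"
    dstport: int = 0
    srcip: str = "0.0.0.0"
    srcmask: str = "0.0.0.0"
    srcport: int = 0
    action: str = "forward"        # forward | capture | drop
    priority: int = 0              # 0 (none) .. 8 (highest)
    match: dict = field(default_factory=dict)   # criterion name -> on/off

    def __post_init__(self):
        # Ranges as documented for the Web UI / CLI fields.
        if not 0 <= self.rule_id <= 6000:
            raise ValueError("rule ID must be 0..6000")
        if not 0 <= self.priority <= 8:
            raise ValueError("priority must be 0..8")
        if not all(0 <= p <= 65535 for p in (self.dstport, self.srcport)):
            raise ValueError("ports must be 0..65535")
        if not any(self.match.values()):
            raise ValueError("at least one match flag must be on")

    def matches(self, pkt: dict) -> bool:
        """True when every criterion flagged 'match: on' agrees with the packet."""
        checks = {
            "netprotocol": lambda: pkt["proto"] == self.netprotocol,
            "dstip": lambda: in_subnet(pkt["dst"], self.dstip, self.dstmask),
            "dstport": lambda: pkt["dport"] == self.dstport,
            "srcip": lambda: in_subnet(pkt["src"], self.srcip, self.srcmask),
            "srcport": lambda: pkt["sport"] == self.srcport,
        }
        return all(checks[name]() for name, on in self.match.items() if on)


def in_subnet(addr: str, net: str, mask: str) -> bool:
    """Apply a dotted netmask the way a dstip/dstmask pair is used."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)


def check_tspec(avgpacketrate: int, tokenbucketrate: int, priority: int) -> list:
    """Cross-field constraints stated for avgpacketrate (0..200 pps)."""
    problems = []
    if not 0 <= avgpacketrate <= 200:
        problems.append("avgpacketrate must be 0..200 packets per second")
    if avgpacketrate:
        if not tokenbucketrate:
            problems.append("tokenbucketrate must be non-zero when avgpacketrate is set")
        if priority:
            problems.append("priority must be 0 when avgpacketrate is set")
    return problems


def evaluate(pkt: dict, rules: list) -> dict:
    """Matching rule IDs plus the action/QoS protocol of the deciding rule."""
    hits = sorted((r for r in rules if r.matches(pkt)), key=lambda r: r.rule_id)
    if not hits:
        return {"matched": [], "action": "forward", "qosprotocol": "none"}
    return {"matched": [r.rule_id for r in hits],
            "action": hits[0].action, "qosprotocol": hits[0].qosprotocol}


# Constructed rule set. Rules 1-4 stand in for the guide's pre-configured
# H.323v1 (TCP 1720) and SIP (port 5060) rules; their real IDs are not shown.
# Rules 7/8 (Vocera, UDP 5200), 23 (rate-limited subnet), 60 (DNS) and 61
# (drop) follow the rule dumps; rule 61's source subnet is made up.
RULES = [
    QosRule(1, netprotocol=6, qosprotocol="H323v1", dstport=1720, match={"netprotocol": True, "dstport": True}),
    QosRule(2, netprotocol=6, qosprotocol="H323v1", srcport=1720, match={"netprotocol": True, "srcport": True}),
    QosRule(3, netprotocol=17, qosprotocol="sip", dstport=5060, match={"netprotocol": True, "dstport": True}),
    QosRule(4, netprotocol=17, qosprotocol="sip", srcport=5060, match={"netprotocol": True, "srcport": True}),
    QosRule(7, netprotocol=17, qosprotocol="other", dstport=5200, match={"netprotocol": True, "dstport": True}),
    QosRule(8, netprotocol=17, qosprotocol="other", srcport=5200, match={"netprotocol": True, "srcport": True}),
    QosRule(23, dstip="10.11.31.0", dstmask="255.255.255.0", match={"dstip": True}),
    QosRule(60, dstport=53, match={"dstport": True}),
    QosRule(61, srcip="192.0.2.0", srcmask="255.255.255.0", action="drop", match={"srcip": True}),
]

if __name__ == "__main__":
    dns = {"proto": 17, "src": "10.11.31.5", "sport": 50000, "dst": "10.11.31.20", "dport": 53}
    print(evaluate(dns, RULES))   # rules 23 and 60 both match; the packet is forwarded
```

A packet that hits no rule with action drop is forwarded, so the order in which the drop rule 61 and the forwarding rules are numbered is what decides the outcome in this model; on a real controller, verify the precedence with show qosrule before relying on it.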
Table 18: Global Quality-of-Service Parameters
  qosvars tcpttl ttl-value
      Time-to-live for TCP protocol, in seconds.
  qosvars udpttl ttl-value
      Time-to-live for UDP protocol, in seconds.
  qosvars bwscaling value
      Scale factor for TSpec bandwidth, in percent. May range from 1% to as high as 100%; 100% is typical.
  qosvars cac-deauth {on | off}
      Configures the optional 802.11 de-authentication behavior.
Table 18 (continued): Global Quality-of-Service Parameters
  Station Assignment Aging Time (s)
      Sets the time period after which stations will begin aging out.
  Maximum Calls Per Interference Region
      Specifies the number of calls that are permitted in a given interference area.

Rate Limiting QoS Rules
Rate limiting controls the overall traffic throughput sent or received on a network interface.
  Source Port flow class        : none
  Network Protocol              : 6
  Network Protocol match        : on
  Network Protocol flow class   : on
  Firewall Filter ID            :
  Filter Id match               : none
  Filter Id Flow Class          : none
  Packet minimum length         : 0
  Packet Length match           : none
  Packet Length flow class      : none
  Packet maximum length         : 0
  QoS Protocol                  : other
  Average Packet Rate           : 0
  Action                        : forward
  Drop Policy                   : head
  Token Bucket Rate             : 46875
  Priority                      : 0
  Traffic Control               : on
  DiffServ Codepoint            : disabled
  Qos Rule Logging              : on
Controller1# sh qosrule 23
QoS and Firewall Rules
  ID                            : 23
  ID Class flow class           : on
  Destination IP                : 10.11.31.0 (this is the subnet to be rate limited)
  Destination IP match          : on
  Destination IP flow class     : on
  Destination Netmask           : 255.255.255.0
  Destination Port              : 0
  Destination Port match        : none
  Destination Port flow class   : none
  Source IP                     : 0.0.0.0
  Source Netmask                : 0.0.0.
Configuring Codec Rules
  Id Class flow class           : on
  Destination IP                : 10.11.31.0 (this is the subnet to be rate limited)
  Destination IP match          : on
  Destination IP flow class     : none
  Destination Netmask           : 255.255.255.0
  Destination Port              : 0
  Destination Port match        : none
  Destination Port flow class   : none
  Source IP                     : 0.0.0.0
  Source Netmask                : 0.0.0.
The SIP ptime attribute is an optional part of the SIP specification. It allows a SIP media device to advertise, in milliseconds, the packetization rate of the RTP media stream. For example, if ptime is set to the value “20”, the SIP device sends one RTP packet to the other party every 20 milliseconds. With this specification, the Meru Wireless LAN System can accurately reserve QoS bandwidth based on the codec and packetization rate.
  configure terminal
      Enter global configuration mode.
  qoscodec rule-id codec type qosprotocol {H323v1|sip|none} tokenbucketrate tbr maxdatagramsize maxdg minpolicedunit minpol samplerate sr
      Enter QoS Codec configuration for the specified rule ID. Use show qoscodec to obtain a list of rule IDs. The following are the required parameters:
      codec. Enter the codec type after the codec keyword. The acceptable codec types are given below.
      qosprotocol.
  Type       Description
  dv14.2     DV14.2 Audio: Payload Type 6, Bit Rate 64 Kbps
  g711a      G711 Audio: Payload Type 8, G.711, A-law, Bit Rate 64 Kbps
  g711u      G711 Audio: Payload Type 0, G.711, U-law, Bit Rate 64 Kbps
  g721       G721 Audio: Payload Type 2, Bit Rate 32 Kbps
  g722       Audio: Payload Type 9, Bit Rate 64 Kbps, 7 KHz
  g7221      G7221 Audio: Payload Type *, Bit Rate 24 Kbps, 16 KHz
  g7221-32   G7221 Audio: Payload Type *, Bit Rate 32 Kbps, 16 KHz
  g723.1     G7231 Audio: Payload Type 4, G.723.
QoS Statistics Display Commands
Table 19: QoS CODEC Configuration Mode Commands
  tokenbucketsize size
      Token bucket size in bytes. From 0 to 16,000 bytes. Defaults to 8.
  peakrate rate
      Traffic spec peak rate. From 0 to 1,000,000 bytes/second. Defaults to 0.
  rspecrate rate
      Reservation spec rate. From 0 to 1,000,000 bytes/second. Defaults to 0.
  rspecslack slack
      Reservation spec slack. From 0 to 1,000,000 microseconds. Defaults to 0.
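The following Python example carries the ptime reasoning above through to numbers. It is added here and is not part of the guide or of the Meru software. Given a codec from the codec table and an SDP ptime, it computes the audio payload per packet, the packet rate, and the bytes per second of one RTP stream including IPv4, UDP and RTP headers (20, 8 and 12 bytes, standard values not taken from the guide), then scales that to a number of two-way calls. Which qoscodec parameter (tokenbucketrate, rspecrate or peakrate) should receive the result, and the 802.11 framing overhead, are not covered.

```python
"""Bandwidth that one SIP/RTP audio stream needs, derived from the codec
bit rate and the SDP ptime attribute (packetization interval in ms).

Added example; not code from the Meru guide. Codec bit rates come from
the guide's codec table (g723.1 is left out because its row is cut off
on the page). Header overhead uses the standard IPv4/UDP/RTP sizes.
"""

CODEC_KBPS = {
    "dv14.2": 64, "g711a": 64, "g711u": 64, "g721": 32,
    "g722": 64, "g7221": 24, "g7221-32": 32,
}
IPV4_UDP_RTP_OVERHEAD = 20 + 8 + 12   # bytes added to every RTP packet
MAX_AVG_PACKET_RATE = 200             # upper bound of qosrule avgpacketrate (pps)


def rtp_stream_requirements(codec: str, ptime_ms: int) -> dict:
    """Per-stream figures for one direction of a call."""
    if ptime_ms <= 0:
        raise ValueError("ptime must be a positive number of milliseconds")
    kbps = CODEC_KBPS[codec]
    payload_bytes = kbps * ptime_ms / 8           # kbit/s * ms / 8 = bytes per packet
    packets_per_second = 1000 / ptime_ms          # one packet every ptime milliseconds
    bytes_per_second = (payload_bytes + IPV4_UDP_RTP_OVERHEAD) * packets_per_second
    return {
        "payload_bytes": payload_bytes,
        "packets_per_second": packets_per_second,
        "bytes_per_second": bytes_per_second,
        "kbps_on_wire": bytes_per_second * 8 / 1000,
        # A qosrule with avgpacketrate set cannot describe a stream above 200 pps.
        "fits_avgpacketrate": packets_per_second <= MAX_AVG_PACKET_RATE,
    }


def reservation_for_calls(codec: str, ptime_ms: int, calls: int) -> float:
    """Bytes/second for a number of two-way calls (two streams per call)."""
    return 2 * calls * rtp_stream_requirements(codec, ptime_ms)["bytes_per_second"]


def max_calls_for_budget(codec: str, ptime_ms: int, budget_bytes_per_second: float) -> int:
    """How many two-way calls fit in a bytes/second budget, e.g. per interference region."""
    return int(budget_bytes_per_second // reservation_for_calls(codec, ptime_ms, 1))


if __name__ == "__main__":
    print(rtp_stream_requirements("g711u", 20))     # 160-byte payload, 50 pps, 80 kbps on the wire
    print(max_calls_for_budget("g711u", 20, 100000))  # 5 calls
```

G.711 at ptime 20 gives the familiar 160-byte payload and 50 packets per second; shortening ptime raises the packet rate faster than it lowers per-packet size, which is why the 200 pps ceiling on avgpacketrate matters for small ptime values.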
More QoS Rule Examples
  00:0f:86:12:1d:7c 10.0.220.119 1 AP-1 off 00:00:00:00:00:00 10.0.220.241 0 101 off sip connected 5381 100 69
Phone Call Table (1 entry)
controller#

Displaying Call Admission Details
To view the current calls supported by APs, use the show statistics call-admission-control ap command.
  ID                            : 23
  ID Class flow class           : on
  Destination IP                : 10.11.31.115 (this is the client to be rate limited)
  Destination IP match          : on
  Destination IP flow class     : on
  Destination Netmask           : 255.255.255.255
  Destination Port              : 0
  Destination Port match        : none
  Destination Port flow class   : none
  Source IP                     : 0.0.0.0
  Source Netmask                : 0.0.0.
QoS and Firewall Rules
  ID                            : 11
  Id Class flow class           : on
  Destination IP                : 172.18.85.12
  Destination IP match          : on
  Destination IP flow class     : none
  Destination Netmask           : 255.255.255.255
  Destination Port              : 0
  Destination Port match        : none
  Destination Port flow class   : none
  Source IP                     : 172.18.85.11
  Source Netmask                : 255.255.255.
qosrule 60 netprotocol 0 qosprotocol none firewall-filter-id ""
  id-flow on
  dstip 0.0.0.0
  dstmask 0.0.0.0
  dstport 53
  dstport-match on
  dstport-flow on
  srcip 0.0.0.0
  srcmask 0.0.0.0
  srcport 0
  action forward
  droppolicy tail
  priority 0
  avgpacketrate 0
  tokenbucketrate 0
  dscp disabled
  qosrulelogging off
  qosrule-logging-frequency 60
  packet-min-length 0
  packet-max-length 0
  no trafficcontrol
  exit
qosrule 61 netprotocol 0 qosprotocol none firewall-filter-id ""
  id-flow on
  dstip 0.0.0.
  srcip-match on
  srcip-flow on
  srcmask 255.255.255.0
  srcport 0
  action drop
  droppolicy tail
  priority 0
  avgpacketrate 0
  tokenbucketrate 0
  dscp disabled
  qosrulelogging off
  qosrule-logging-frequency 60
  packet-min-length 0
  packet-max-length 0
  no trafficcontrol

802.11n Video Service Module (ViSM)
Video streaming has the low latency and loss requirements of voice with the high-throughput requirements of data.
More QoS Rule Examples Configuring Call Admission Control and Load Balancing with the CLI To help shape a global Quality of Service for calls and traffic, Call Admission Control (CAC) and client load balancing can be set per AP or BSSID. CAC commands can set threshold levels for the number of new SIP connections (calls) that can exist per AP or BSSID to ensure a global amount of bandwidth is available.
Chapter 16 Wireless Backbones With Enterprise Mesh Enterprise Mesh is an optional (separately licensed) wireless replacement for the Ethernet links connecting APs to controllers. Deploy the Enterprise Mesh system to replace a switched wired backbone with a completely wireless 802.11 backbone, while providing similar levels of throughput, QoS, and service fidelity. At this time, AP300/AP400 and AP100 do not support mesh.
For best performance, avoid collisions between adjacent small clouds by creating each cloud on a separate channel. A cloud is defined as a set of APs communicating along a backhaul topology path to/from a gateway AP. In a typical deployment, limit siblings without going to great lengths to modify power settings. Since traffic is sent unicast, some collisions will occur within the cloud, caused by siblings.
Intermediate APs
Intermediate APs (AP150 or OAP180) connect upstream to the gateway AP and downstream to other intermediate APs or leaf APs via a wireless backhaul link. Intermediate APs have no wired connection to the network and are configured for wireless mode.
Leaf APs
Leaf APs (AP150 or OAP180), at the edge of the Enterprise Mesh network, connect upstream to a gateway or intermediate AP and provide service to 802.11 clients. Leaf APs are configured for wireless mode.
Installing and Configuring an Enterprise Mesh System
Determine Antenna Placement
An Enterprise Mesh uses APs (as repeaters) to extend the range of wireless coverage. An AP in an Enterprise Mesh configuration is directed to look for a signal from a parent AP. (A Parent-AP ID is the AP ID of the intermediate AP providing backhaul connectivity.) As such, antenna placement and reception are important for the optimum performance of the system.
Phase 1: Connect Controller and APs with an Ethernet Switch
1. Connect all APs directly to a controller through a switch or hub.
2. Power on the controller.
3. Connect the APs to a power source using either separate power supplies or Power over Ethernet (PoE) connections.
4. If the controller does not have an assigned IP address, configure it with the following; otherwise, skip to step 5:
   a. Connect a computer to the controller using a serial cable.
   b.
To configure the Enterprise Mesh setup, you will configure one AP at a time (in order), moving from the gateway out toward the leaf.
Define the Channel of Operation for the Backhaul Link
The backhaul channel configuration on the 802.11a radio is configured on the gateway AP and replicated to the remaining wireless Enterprise Mesh APs when they are added to the mesh network via the parent AP configuration.
  Connectivity Layer        : L2
  Dataplane Encryption      : off
  AP Role                   : access
  Parent MAC Address        : 00:00:00:00:00:00
  Parent AP ID              : 0
  Link Probing Duration     : 120
  AP Model                  : OAP180
  AP Label                  : ATS5
  Sensor AP ID              : 0
  Hardware Revision         :
  Power Supply Type         : 802.3-af
  AP Indoor/Outdoor type    : Indoor
Note the output values for the AP Role, Parent AP ID, and Dataplane Encryption parameters. Initially all new APs have the default values shown above.
2.
  Default(config-ap)# parent-ap 3
  Default(config-ap)# dataplane-encryption on
  Default(config-ap)# end
  Default# reload ap 4
You can also configure these Enterprise Mesh parameters from the Web UI.
Check the Configuration Before Phase 3
Provisioning the wrong AP parameters can make the mesh backbone unable to reconnect. Also, it is difficult to debug a setup once the APs are in unreachable places.
Installing and Configuring an Enterprise Mesh System Each Enterprise Mesh node has a forwarding address that contains the destination for the next hop, which provides the basic forwarding mechanism. As a packet moves towards the root of the Enterprise Mesh tree, the wds-table records the route that will be used when the packet is returned. To ensure that the topology and dataplane-encryption in each AP is correct, issue the following command for each AP: show ap 1 ...
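Because a wrong parent-ap or dataplane-encryption value can leave the backbone unable to reconnect once the APs are mounted, it helps to check the planned tree before Phase 3. The Python below is an added example, not code from the guide or the Meru software: it parses show ap style “Key : value” blocks and walks each wireless AP’s parent-ap chain until it reaches a gateway, reporting missing parents, loops and APs whose dataplane encryption is off. The sample output, the “AP ID” line that heads each block, the blank-line separation between APs, and the use of the wbscli role names gateway and wireless in the AP Role field are assumptions.

```python
"""Check a planned Enterprise Mesh topology from 'show ap' output.

Added example; not code from the Meru guide. Assumptions: each AP's block
starts with an 'AP ID : n' line, blocks are separated by blank lines, and
AP Role holds the wbscli role names 'gateway' or 'wireless'. The sample
output below is constructed.
"""
import re

SAMPLE_SHOW_AP = """\
AP ID                  : 1
AP Role                : gateway
Parent AP ID           : 0
Dataplane Encryption   : on
AP Model               : OAP180

AP ID                  : 2
AP Role                : wireless
Parent AP ID           : 1
Dataplane Encryption   : on
AP Model               : OAP180

AP ID                  : 3
AP Role                : wireless
Parent AP ID           : 2
Dataplane Encryption   : on
AP Model               : OAP180

AP ID                  : 4
AP Role                : wireless
Parent AP ID           : 3
Dataplane Encryption   : off
AP Model               : AP150

AP ID                  : 5
AP Role                : wireless
Parent AP ID           : 9
Dataplane Encryption   : on
AP Model               : AP150
"""


def parse_show_ap(text: str) -> dict:
    """Return {ap_id: {field: value}} from one or more show ap blocks."""
    aps = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)   # MAC values keep their own colons
            fields[key.strip()] = value.strip()
        aps[int(fields["AP ID"])] = fields
    return aps


def check_mesh(aps: dict) -> list:
    """Return (ap_id, problem) tuples; an empty list means the tree is sound."""
    problems = []
    if not any(f["AP Role"] == "gateway" for f in aps.values()):
        problems.append((0, "no gateway AP in the mesh"))
    for ap_id, f in aps.items():
        if f["Dataplane Encryption"] != "on":
            problems.append((ap_id, "dataplane-encryption is off on the backhaul"))
        if f["AP Role"] != "wireless":
            continue
        # Walk parent links toward a gateway; stop on a missing AP or a loop.
        seen, cur = set(), ap_id
        while True:
            parent = int(aps[cur]["Parent AP ID"])
            if parent == 0 or parent not in aps:
                problems.append((ap_id, f"parent-ap {parent} does not exist"))
                break
            if parent in seen or parent == ap_id:
                problems.append((ap_id, "parent chain loops back on itself"))
                break
            if aps[parent]["AP Role"] == "gateway":
                break
            seen.add(parent)
            cur = parent
    return problems


if __name__ == "__main__":
    for ap_id, problem in check_mesh(parse_show_ap(SAMPLE_SHOW_AP)):
        print(f"AP {ap_id}: {problem}")
```

Run against the constructed output, the check flags AP 4 (encryption off) and AP 5 (its parent-ap 9 is not in the list); once those two are corrected the list is empty and Phase 3 can proceed.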
Enterprise Mesh Troubleshooting
3. Unplug APs with power supplies.
4. Remove the Ethernet wires from the first level of wireless APs (in this example, AP-2).
5. Repeat steps 2-3 for the second level (in this example, AP-3) of a connectivity tree and check that they connect to the intermediaries.
6. Repeat steps 2-3 for the third level (in this example, AP-4) of a connectivity tree and check that they connect to the intermediaries.
7.
  Problem: Wireless APs were correct but are no longer pointing to their designated parent AP.
  Possible Cause & Solution: If, for any reason, an AP stops functioning, the rest of the downstream chain of wireless APs will lose connection. If this happens, restore the configured setup by first restoring the gateway AP to operation, then turning off the wireless APs. Turn the APs back on in order.
2. Associate with the ESSID. The ESSID is beaconing, but hidden (the hidden bit is set in beacons), so do this:
   a. Open Network Connections (Network Places -> View Network Connections).
   b. Open View the available networks from the Intel(R) PRO/Wireless Connection.
   c. Change the order of preferred networks from the left panel under Related Tasks.
   d.
  # wbscli
  wbs mgr cli
  wbs { {display | show} {config | flash | table | help} | config { parent-mac | channel | country-code | encryption { on | off } | role {wireless | gateway} | help }
  # wbscli display flash
  wbs mgr cli
  CliDisplay
  WBS parent-mac is ff:ff:ff:ff:ff:ff
  WBS channel is 40
  WBS country-code is 840
  WBS encryption is off
  WBS role is gateway.
  # wbscli config channel 44
  wbs mgr cli
  CliConfig channel : 44.
Chapter 17 Configuring SNMP The SNMP Agent offers the network administrator performance management and fault management features, with the collection of statistics as well as notification of unusual events via traps.
Features
The following protocols are supported for the read function only (not write):
  RFC-1214
  SNMPv1/v2c
  Meru WLAN systems

SNMP Architecture
Figure 38: SNMP Network Management Architecture (SNMP manager such as HP OpenView, controller with SNMP agent, and APs connected over Ethernet)
The Meru Wireless LAN System SNMP network management architecture follows the client-server architecture as illustrated in the diagram.
meaning of the messages communicated between the managers and agents. The Meru Wireless LAN System provides support for traps, gets, and MIB walk functions only. Neither read nor write privilege gives the SNMP manager access to the community strings. The controller can have an unlimited number of read and read/write community strings.
SNMP Configuration
Download the MIB Tables for Management Applications
If you are using a third-party SNMP-based Network Manager program, you will need to integrate the Meru Wireless LAN System proprietary MIB tables that allow the manager program to manage controllers and APs. The MIB tables are available in a compressed (zipped) file that can be copied from the controller to an off-box location. To download the enterprise MIB tables, contained in the file mibs.tar.
Read-only. Management stations with the community string can view all objects in the MIB, but cannot modify them.
Read-write. This gives authorized management stations read and write access to all objects in the MIB.
To configure community strings, enter privileged EXEC mode, and follow these steps:
Table 21: Configuring SNMP Community Strings
  configure terminal
      Enter global configuration mode.
Table 22: Configure SNMP Trap Managers
  configure terminal
      Enter global configuration mode.
  snmp-server trap community-string hostIP
      Specify the recipient of the trap message. For community-string, specify the string to send with the notification operation. For hostIP, specify the name or address of the host (the targeted recipient).
  end
      Return to privileged EXEC mode.
  show running-config
      Verify your entries.
SNMP Traps
These are important traps for the Meru Wireless LAN System:
  No  Case                 Trap ID                          Scenario
  1   Controller Down      SNMP Poll                        When a controller goes down or loses IP connectivity, the SNMP Manager detects that the controller is down with an SNMP polling mechanism.
  2   Controller Up        Cold Start trap                  When a controller comes up, the SNMP Agent generates a trap on the SNMP server.
  3   NPlus1 Master Down   mwlMasterDown in meru-wlanmib.
  mwlRogueApDetected   New in version 3.
Objects That Monitor System Status Through SNMP/OID
Use the SNMP get operation to monitor these objects:
  No  Case                         OID                                                   Shows
  1   System Uptime                mwWncVarsUpTime in mwConfigController.my              system uptime
  2   System Operational Status    mwWncVarsOperationalState in mwConfigController.my    system’s current operational status
  3   System Availability Status   mwWncVarsAvailabilityStatus in mwConfigController.my  system’s current available status
  4   AP Uptime                    mwApUpTime in mwConfigAp.
Table 23: Configure SNMP Description, Contact and Location
  snmp-server description text
      Sets the system description string. For example: snmp-server description main controller
  end
      Return to privileged EXEC mode.
  show running-config
      Verify your entries.
  copy running-config startup-config
      (Optional) Save your entries in the configuration file.
Enabling, Disabling, and Reloading SNMP
3. Provide an SNMP Community Name, Client IP Address, and select a privilege level such as read-write.
4. Click OK.
Set up the trap community with a specific IP address with these steps:
5. Click Configuration > SNMP > Setup > SNMP Trap Management > Add.
6. Provide a Trap Community and Trap Destination IP Address.
7. Click OK.
Set up 3rd Party Vendors
Meru MIB files should be compiled and loaded on the SNMP manager to be used with the Meru controller.
  Security levels for user authentication using entity shared secret keys
  Message time stamps
  Data secrecy using encryption
  Control of user access to MIB information based on the need to know
Security Levels
SNMPv3 provides both security levels and security models. A security level is the permitted level of security within a security model.
  Model  Level         Authentication    Encryption  What Happens
  v1     noAuthNoPriv  Community String  No          Uses a community string match for authentication
  v2c    noAuthNoPriv  Community String  No          Uses a community string match for authentication
  v3     noAuthNoPriv  Username          No          Uses a username match for authentication
  v3     authNoPriv    MD5 or SHA        No          Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms
  v3     authPriv      MD5 or SHA        DES         Provides authentication based on the HMAC-MD5 or HMAC
SNMPv3 Notifications: Meru does not support SNMPv3 trap/inform. Along with the supported SNMPv3 feature (read only), Meru Network controllers still provide both SNMPv1/v2c accessibility using the existing snmp-community table and SNMPv1 trap using the snmp-trap community table.
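As an added example (not from the guide or the Meru software), the Python below takes the community strings and SNMPv3 user settings described in this chapter as plain records and reports what each one exposes: clear-text community strings for v1/v2c, read-write access, well-known strings, unrestricted client IPs, and SNMPv3 users below authPriv. The record format, the sample entries, and the reading of 0.0.0.0 as “any client” are assumptions; the security levels, authentication and privacy options are the ones in the table above.

```python
"""Audit SNMP access entries on a controller for weak settings.

Added example; not code from the Meru guide. Each entry is a plain dict
(constructed here) describing one community string or SNMPv3 user with
the privilege/level, algorithms and client IP the controller allows.
Assumptions: the dict layout itself, and client_ip 0.0.0.0 meaning any.
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}

ENTRIES = [  # constructed sample, not taken from a real controller
    {"version": "v2c", "name": "public", "privilege": "read-only", "client_ip": "0.0.0.0"},
    {"version": "v2c", "name": "private", "privilege": "read-write", "client_ip": "10.1.1.50"},
    {"version": "v3", "name": "nmsuser", "level": "authNoPriv", "auth": "MD5", "client_ip": "10.1.1.50"},
    {"version": "v3", "name": "opsuser", "level": "authPriv", "auth": "SHA", "priv": "DES", "client_ip": "10.1.1.50"},
    {"version": "v1", "name": "mon-ro-7f3a", "privilege": "read-only", "client_ip": "10.1.1.51"},
]


def audit_entry(e: dict) -> list:
    """Findings for one community string or SNMPv3 user; empty list means none."""
    findings = []
    if e["version"] in ("v1", "v2c"):
        # v1/v2c have no authentication beyond the community string itself.
        findings.append("community string is the only authentication and travels in clear text")
        if e["name"] in WELL_KNOWN_COMMUNITIES:
            findings.append("well-known community string")
        if e.get("privilege") == "read-write":
            findings.append("write access to the MIB protected only by a community string")
    else:
        level = e.get("level")
        if level == "noAuthNoPriv":
            findings.append("SNMPv3 user without authentication")
        elif level == "authNoPriv":
            findings.append("SNMPv3 user authenticated but not encrypted")
        if e.get("auth") == "MD5":
            findings.append("HMAC-MD5 chosen where HMAC-SHA is available")
        if e.get("priv") == "DES":
            findings.append("DES privacy (56-bit key) is the only cipher listed")
    if e.get("client_ip", "0.0.0.0") == "0.0.0.0":
        findings.append("no client IP restriction")
    return findings


def audit(entries: list) -> dict:
    """Map each entry's name to its findings; entries with none are omitted."""
    report = {}
    for e in entries:
        findings = audit_entry(e)
        if findings:
            report[e["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(ENTRIES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Because the controller's SNMPv3 support is read-only, any read-write access necessarily goes through a v1/v2c community string; the audit makes that combination visible so it can be restricted to a known client IP or removed.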
Chapter 18 Troubleshooting
  Where Do I Start?
  Error Messages
  System Logs
  System Diagnostics
  Capturing Packets
  FTP Error Codes

Where Do I Start?
We recommend that you start troubleshooting as follows:
  Web UI or CLI?  Involves?  Strategy
  Web UI          stations   View station log history by clicking Monitor > Diagnostics > Station
  Web UI          radios     View radio log history by clicking Monitor > Diagnostics > Radio
  CLI             stations   View station-log history with one of these commands: station-log show-mac=
  CLI             controller View controller-log history with the command diagnostics-controller
  CLI                        If the problem is reproducible/occurring continually, log your terminal session, enter the station-log interface with the command station-log, and add the affected MAC address using the command station add. If you DON'T know the MAC address, type event all all to capture all events for all MAC addresses.
Error Messages
The following are common error messages that may occur either at the controller or at an AP.
  Message Text:
    [07/20 13:02:11.122] 1m[35m**Warning**[0m WMAC: Wif(0):SetTsf() TSF[00000000:000006e3] -> [00000033:77491cfd]thr[00000000:03938700]
    [07/31 14:01:33.
  Explanation:
    May be observed on the AP command line or in trace log output from an AP after a full diagnostics gather.
System Logs
The 5.1 system log records the following:
  Configuration changes (CLI or GUI)
  Key commands
  Events and operations
  Errors
The CLI command show log lists the entire log. To view the system log files from the Web UI, click Maintenance > Syslog > View Syslog Files.
Figure 39: Syslog Files Table
Facility Name can be one of these eight sources of information:
  Facility   Messages contain...
  Security
  Facility      Messages contain...
  NMS           Network Manager Server syslog messages
  Mobility      Handoff or redirect messages
  Bulk Update   Any use of the bulk update commands available from the GUI is noted here. The Bulk Update function, accessed from the AP Configuration, Wireless Interfaces Configuration, and Antenna Property pages, updates a group of selected APs.
  Entry      Meaning
  Line       Line number of the syslog file where the entry is located.
  Priority   Severity of the entry. Possible priorities are: debug, info, notice, warning, error, err, crit, alert, emerg, panic.
  Mnemonic   Three-letter mnemonic assigned to the entry: CAP = Captive Portal, RED = redirect, FOR = forward, WAU = WebAuth user authentication, WST = Web Server Event, WPW = Web UI user password administration.
  Time       Date and time when the entry was logged.
Station Log Events
Station log event messages are displayed in this format:
  [object name, field name, field name …]  Log Category: “nms”, Priority: “info”, Mnemonic: “CONFIG”
The following chart describes some common station log events.
  Condition That Triggers Event: A mobile station is assigned to AP::ESSID::BSSID.
  Interpretation: A mobile station is assigned to the BSSID.
  Event: 00:16:6f:3b:17:a9|IP Address Discovered| fails due to one of local IPs
  Condition: A mobile station is detected trying to use the controller’s IP address.
  Interpretation: The system blocks IP traffic from the station using the IP address.
  Event: 00:16:6f:3b:17:a9|IP Address Discovered| ip update not performed.
  Syslog Message                   Description
  Controller rebooted by admin     Controller has been manually rebooted.
  AP Boot Image Version Mismatch   The boot image version on the AP does not match that required for the version of the AP software. Action: The boot image must be upgraded using the upgrade ap command with the boot image option before attempting to upgrade the AP software version.
                                   The AP failed to initialize properly.
Syslog Message: WLAN services stopped on controller
Description: System Director processes have been stopped.

Syslog Message: WST:WS Serving...
Description: Web server new event message.

Syslog Message: WPW :@ changed password
Description: The specified System Director user has either successfully changed their password (OK) or was unable to change the password (FAILED).

MAC Filtering Station Log Events

Seven events are defined for MAC Filtering log events.
Event: | 00:66:77:c2:02:01 | Mac Filtering | Radius authentication succeeded (vlan 0)
Condition: Radius authentication is enabled, and a Radius accept response message is received.
Interpretation: A mobile station goes to the next stage or assignment.

Event: | 00:66:77:c2:02:06 | Mac Filtering | Radius authentication failed
Condition: Radius authentication is enabled, and a Radius reject response message is received.
Interpretation: A mobile station cannot proceed to the next stage or assignment.
Event: 00:16:6f:3b:17:a9 |1X Authentication | M5 WPA GTK Rekey Negotiation sent
Condition: The system sends a fifth key exchange message for WPA or WPA-PSK modes.

Event: 00:16:6f:3b:17:a9 |1X Authentication | M6
Condition: The system receives a sixth key exchange message from a station for WPA or WPA-PSK modes. This is the last message of a key exchange for WPA or WPA-PSK. It indicates a successful key exchange.
Authentication Station Log Events

Event: 00:16:6f:3b:17:a9 |802.11 State |state change
Condition: A station successfully completes the 802.11 authentication phase on AP::BSSID.

Event: 00:16:6f:3b:17:a9 |802.11 State |state change
Condition: A station successfully completes the 802.
Event: 00:16:6f:3b:17:a9 |802.11 State |state change
Condition: A state change from associated to unauthenticated can happen because:
- Station ages out. The default aging out period is 30 minutes.
Interpretation: The aging out period of 802.11 associated stations is different from the aging out period of assigned stations.
Event: 00:16:6f:3b:17:a9 |802.11 State | handoff
Condition: Station is handed off from an AP to another AP.
Interpretation: This event is generated only if a mobile station is associated to the ESS of a Virtual Cell or a Virtual Port. The abbreviations mean the following:
DHCP Station Log Events

Condition: The system receives an EAPOL_START message from a station associated to an ESSID::BSSID pair. There are two auth methods: WPA2_EAP or WPA_EAP. The standard states that this message is optional.

Condition: The system sends an EAP Identity Request to the station. The system tries this message up to four times with one second intervals. As authentication proceeds, the EAP ID increases by one.
Three cases trigger this event:

Event: 00:16:6f:3b:17:a9|1X Authentication| Sending EAP Failure to station, (identifier 1)
Condition: An EAP failure message is sent to a station.

Event: 00:16:6f:3b:17:a9|1X Authentication| Radius Access-Reject received
Condition: The system receives a Radius Reject message from a Radius server.

Event: 00:16:6f:3b:17:a9|1X Authentication| Backend Authentication Failure
Condition: The system receives a Radius Reject message from a Radius server.
System Diagnostics

Captive Portal Station Log Event

Event: 00:16:6f:3b:17:a9|CP User Authentication| authenticated
Condition: The system gets a Radius Accept message.
Interpretation: A user is authenticated successfully.
Figure 41: Radio Diagnostics

4. Check the four charts for these radio trends:

Chart: Throughput
What it tells you: Sum of upstream and downstream traffic for the radio
Why you might want to know this: Users are experiencing slow response in the area covered by this AP

Chart: Noise Level
What it tells you: How much unwanted energy is present in the received radio signals
Why you might want to know this: Users are experiencing connection problems or low transmission speeds in the region covered by this AP

© 2012 Meru Networks, Inc.
Chart: Associated Stations
What it tells you: How many clients are using this AP
Why you might want to know this: Find out if you need to add another AP (consult your reseller for specific AP deployment recommendations)

Chart: Current Value
What it tells you: Packet retries, loss %, channel utilization, and management overhead for the radio
Why you might want to know this: Users are experiencing slow response in the area covered by this AP

Station diagnostics

Each client on an AP can be studied individually by looking at the station diagno
Figure 42: Station Diagnostics

4. Check the four charts for these station trends:
   - Throughput
   - Loss %
   - Signal Strength
   - Airtime Utilization
5. Click Help for explanations for the charts.

Inferences

Inferences are best guesses as to what could be wrong with your wireless network. Check a controller, AP, and station by looking at the diagnostic inferences:

1. Click Monitor > Diagnostics > Inferences.
2.
Figure 43: Diagnostic Inferences

The first part of the message is the issue and its level of severity. In the example above, there is an IP conflict, which is a critical issue. The information in a Station Entry is listed below. You can read it or alternatively cut and paste the MAC address into the Station Diagnostics window.

Figure 44: Decoding a Station Entry

Sample Station Entry
Inference Rule #8 matched : IP Address Update 32 times within 360 seconds. [IP 172.27.0.
Station Inference Messages

Some possible station rules and messages are:

#   Station Message            Remarks
1   MAC Filter ACL Success     Station executed MAC filtering ACL authentication
2   MAC Filter ACL Failure     Station exceeded threshold of MAC filtering ACL authentication attempts
3   MAC Filter Radius Success  Station executed MAC filtering Radius authentication
4   MAC Filter Radius Failure  Station exceeded threshold of MAC filtering Radius authentication attempts
                               Station exceeded thres
                               Station exceeded threshold of 802.1x key exchange attempts. An AP detected either of the following conditions of 1X authentication failure between the AP and the client: EAPoL handshaking failed; EAPoL handshaking timed out. Another possible cause is that Hostapd detected one of the following conditions of 1X authentication and 802.
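The station log lines in the tables above and the threshold-style inference rules in this section fit together naturally in a small triage script. The following Python is an added example, not code from this guide or from Meru: it parses constructed sample lines in the MAC|Category|Message layout shown in the station log tables (the leading integer on each constructed line stands in for the entry timestamp, since the guide does not show the time format), flags a station that is logged as trying to use the controller's own IP address, and applies a hypothetical rule of the same shape as "Inference Rule #8 matched: IP Address Update 32 times within 360 seconds" (three authentication failures within 60 seconds; both values are chosen here, not taken from the product).

```python
import re
from collections import defaultdict

# Constructed sample station log lines (not captured from a real controller).
# Each line is "<seconds> <MAC>|<Category>|<Message>"; the leading integer is a
# stand-in for the entry timestamp. The message texts follow the station log
# tables in this chapter and the MAC addresses are the guide's sample values.
SAMPLE_LOG = """\
0 00:16:6f:3b:17:a9|802.11 State |state change
2 | 00:66:77:c2:02:06 | Mac Filtering | Radius authentication failed
5 00:16:6f:3b:17:a9|1X Authentication| Radius Access-Reject received
9 00:16:6f:3b:17:a9|1X Authentication| Backend Authentication Failure
12 00:16:6f:3b:17:a9|1X Authentication| Sending EAP Failure to station, (identifier 1)
40 00:16:6f:3b:17:a9|IP Address Discovered| fails due to one of local IPs
41 00:16:6f:3b:17:a9|CP User Authentication| authenticated
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

# (category, message prefix) pairs that the station log tables describe as
# authentication failures.
FAILURE_MARKERS = (
    ("1X Authentication", "Sending EAP Failure"),
    ("1X Authentication", "Radius Access-Reject received"),
    ("1X Authentication", "Backend Authentication Failure"),
    ("Mac Filtering", "Radius authentication failed"),
)


def parse_station_event(line):
    """Return (seconds, mac, category, message) for one station log line,
    or None if the line is not in the MAC|Category|Message layout."""
    try:
        stamp, body = line.strip().split(" ", 1)
        seconds = int(stamp)
    except ValueError:
        return None
    # Some entries are written with a leading "|" and padded cells; normalise both.
    fields = [f.strip() for f in body.strip().strip("|").split("|")]
    if len(fields) != 3 or not MAC_RE.match(fields[0]):
        return None
    mac, category, message = fields
    return seconds, mac.lower(), category, message


def is_auth_failure(category, message):
    """True when the (category, message) pair is one of the documented failures."""
    return any(category == c and message.startswith(m) for c, m in FAILURE_MARKERS)


def infer(lines, threshold=3, window=60):
    """Walk the log once and return {mac: [finding, ...]}.

    threshold and window are hypothetical rule parameters chosen for this
    example; the guide shows a rule of this shape but not its settings."""
    failure_times = defaultdict(list)
    findings = defaultdict(list)
    for line in lines:
        event = parse_station_event(line)
        if event is None:
            continue
        seconds, mac, category, message = event
        if category == "IP Address Discovered" and message.startswith("fails due to one of local IPs"):
            # The guide describes this as the station trying to use the
            # controller's IP address; the controller blocks its IP traffic.
            findings[mac].append("critical: station attempted to use the controller's IP address")
        if is_auth_failure(category, message):
            failure_times[mac].append(seconds)
            recent = [t for t in failure_times[mac] if seconds - t <= window]
            if len(recent) == threshold:  # report once, when the window first fills
                findings[mac].append(
                    f"major: {threshold} authentication failures within {window} seconds")
    return dict(findings)


def run_sample():
    """Run the rules over the constructed sample log."""
    return infer(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for mac, notes in run_sample().items():
        for note in notes:
            print(f"{mac}: {note}")
```

On the constructed sample, only 00:16:6f:3b:17:a9 produces findings: its three 1X failures at 5, 9 and 12 seconds fill the window, and the later IP Address Discovered entry adds the critical finding. The single Mac Filtering failure for 00:66:77:c2:02:06 stays below the threshold, which is the point of counting inside a window rather than alerting on every reject.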
Controller Message: DHCP server reached
What it tells you: DHCP Server required for IP address assignment is reachable

Controller Message: DHCP server unreachable
What it tells you: DHCP Server required for IP address assignment is unreachable

Controller Message: Gateway reached
What it tells you: Default gateway for client sub-network is reachable

Controller Message: Gateway unreachable
What it tells you: Default gateway for client sub-network is unreachable

Controller Message: Radius server reached
What it tells you: Radius server required for client authentication is reachable

Controller Message: Radius server unreachable
What it tells you: Radius server required fo
Capturing Packets

What Else Can I Learn From A Diagnostic Event?

Examine the details of a particular event by copying a MAC address from a Web UI screen such as Figure 43, pasting it into the Station Diagnostics window (Monitor > Diagnostics > Station) and then clicking Start Diagnostics.

Figure 45: Results of pasting a MAC address into the Station Diagnostics window

Scroll down to the bottom of the screen and click Show Buffered Diagnostics.
captured information to be stored and archived externally. Use these CLI commands to send captured packets from APs to a hardware device or program. This command is required to use Location Manager.

To do this: Enter pcap mode and create a profile.
Using this command: packet-capture-profile either updates an existing packet capture profile or creates a new profile and then enters pcap mode where the rest of these commands are used.
To do this: Limit bandwidth used.
Using this command: token-bucket-size sets the token bucket size.

To do this: Download the configuration to the APs and start capturing packets.
Using this command: enable-profile turns on a packet capture profile.

For a detailed explanation of all packet capture commands, see the Troubleshooting chapter of the Meru System Director Command Reference.

Packet Capture Profile Example - Wireshark

To do this, you need an external system running Wireshark.
What to Look For In Capture-Packet Results

When discovery is via L3, the results of capture-packet should be a UDP port 9292 packet from the AP to the controller followed by a second UDP 9292 packet from the controller to the AP. After the two UDP packets, there should be about nine UDP port 5000 packets. Check the time deltas between packets; there should only be tenths of a second between packets.
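The sequence described above can be checked mechanically once the packet list has been exported from Wireshark. The following Python is an added example, not code from this guide or from Meru: it models each captured datagram as a small record, builds a constructed capture (addresses 192.0.2.20 for the AP and 192.0.2.1 for the controller are placeholders) and verifies the three things the text asks for: the AP-to-controller UDP 9292 packet, the controller-to-AP UDP 9292 reply, and roughly nine UDP 5000 packets with short gaps between them. The tolerances (nine data packets, a 1.0 s maximum gap) are chosen for the example; the guide says "about nine" and "tenths of a second".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured datagram, as read off a Wireshark packet list."""
    t: float       # capture time in seconds
    src: str
    dst: str
    proto: str
    dport: int


# Constructed placeholder addresses for the example.
AP = "192.0.2.20"
CONTROLLER = "192.0.2.1"

# Constructed capture matching the expected L3 discovery sequence:
# UDP 9292 AP->controller, UDP 9292 controller->AP, then nine UDP 5000
# packets spaced a tenth of a second apart.
GOOD_CAPTURE = [
    Packet(0.00, AP, CONTROLLER, "UDP", 9292),
    Packet(0.12, CONTROLLER, AP, "UDP", 9292),
] + [Packet(0.30 + 0.1 * i, AP, CONTROLLER, "UDP", 5000) for i in range(9)]

# Constructed capture in which the controller's 9292 reply never appears.
BAD_CAPTURE = [GOOD_CAPTURE[0]] + GOOD_CAPTURE[2:]


def check_l3_discovery(packets, ap, controller, expected_data=9, max_gap=1.0):
    """Return (ok, problems) for a capture of AP discovery over L3.

    expected_data and max_gap are tolerances chosen for this example."""
    problems = []
    udp = [p for p in packets if p.proto == "UDP"]
    if len(udp) < 2:
        return False, ["fewer than two UDP packets captured"]
    first, second = udp[0], udp[1]
    if not (first.dport == 9292 and first.src == ap and first.dst == controller):
        problems.append("first packet is not UDP 9292 from the AP to the controller")
    if not (second.dport == 9292 and second.src == controller and second.dst == ap):
        problems.append("second packet is not UDP 9292 from the controller to the AP")
    data = [p for p in udp[2:] if p.dport == 5000]
    if len(data) < expected_data:
        problems.append(f"expected about {expected_data} UDP 5000 packets, saw {len(data)}")
    # Time deltas between consecutive packets; long gaps point at a slow or lossy path.
    gaps = [later.t - earlier.t for earlier, later in zip(udp, udp[1:])]
    slow = [g for g in gaps if g > max_gap]
    if slow:
        problems.append(f"{len(slow)} gap(s) between packets exceed {max_gap} s (largest {max(slow):.2f} s)")
    return not problems, problems


if __name__ == "__main__":
    for name, capture in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        ok, problems = check_l3_discovery(capture, AP, CONTROLLER)
        print(name, "ok" if ok else problems)
```

The missing-reply capture fails two checks at once (the second packet is a data packet, and only eight data packets follow), which is the pattern to expect when the controller never answers the AP's discovery packet.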
FTP Error Codes

This section lists the possible error codes for FTP downloads. The codes are industry standard reporting codes.

100 Codes: The requested action is being taken. Expect a reply before proceeding with a new command.

110 Restart marker reply. In this case, the text is exact and not left to the particular implementation; it must read:
    MARK yyyy = mmmm
where yyyy is the user-process data stream marker, and mmmm the server's equivalent marker (note the spaces between markers and "=").
421 Service not available, closing control connection. (May be a reply to any command if the service knows it must shut down.)
425 Can't open data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken. File unavailable (e.g., file busy).
451 Requested action aborted: local error in processing.
452 Requested action not taken. Insufficient storage space in system.

500 Codes: The command was not accepted and the requested action did not take place.
Chapter 19 Alarms

No. 1
Alarm: link up
Severity: information
Source: all controller models
Explanation: Physical link on controller is up.

Alarm: link down
Severity: critical
Source: all controller models
Explanation: Physical link on the controller is down; check the connection.

Alarm: auth fail
Severity: information
Source: controller models
Explanation: An administrator failed to log in to the GUI due to an authentication failure.

Source: all AP models
Explanation: An AP is down.
No. 7
Alarm: AP software version mismatch
Severity: critical
Source: all AP models
Explanation: The software version on the AP does not match the version on the controller. Automatic AP upgrade must have been turned off. Update the AP from the controller with either the CLI command upgrade ap same force or upgrade ap same all force. You can also turn automatic upgrade back on with the CLI command auto-ap-upgrade enable.

No. 8
Alarm: AP init failure
Severity: major
Source: all AP models
Explanation: AP initialization failed.
No. 13
Alarm: Radius Server Switchover
Severity: major
Source: all controller models
Explanation: A switchover from the Primary Authentication Radius Server to the Secondary Authentication Radius Server occurred. When this message occurs, the Primary Radius server is configured but not reachable and the Secondary Radius server is both configured and reachable. This message is generated only for 802.1x switchover, not for Captive Portal switchover.
No. 15
Alarm: Restore Primary Radius Server
Severity: major
Source: all controller models
Explanation: A switchover from the Secondary Authentication Radius Server to the Primary Authentication Radius Server occurred. This alarm was generated while doing Radius fall back to the primary server after 15 minutes. This message is generated only for 802.1x primary Radius restore, not for Captive Portal restore.
No. 17
Alarm: Acct Radius server switchover failed
Severity: major
Source: all controller models
Explanation: An attempted switchover from one Accounting Radius Server to the other server failed. When this message occurs, the Primary Accounting Radius server is configured but not reachable and the Secondary Accounting Radius server is not configured. This message is generated only for 802.1x switchover failure, not for Captive Portal switchover failure.
Glossary

This glossary contains a collection of terms and abbreviations used in this document.

Numerals

10BaseT
An IEEE standard (802.3) for operating 10 megabits per second (Mbps) Ethernet networks (LANs) over twisted pair cabling and using baseband transmission methods.

100baseT
A Fast Ethernet standard (802.3u) that allows up to 100 Mbps and uses the CSMA/CD LAN access method.

3DES
Triple DES.
802.11i
Supports the 128-bit Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP) along with 802.1X authentication and key management features for increased WLAN security capabilities.

802.11j
Provides enhancements to the current 802.11 standard to support the 4.9GHz - 5GHz band for operations in Japan.

802.11k
Due for ratification in 2005, the 802.
are eliminated and all access points on a network can share a single radio channel. It also load balances traffic across channels when using Channel Layering, ensuring that each channel

ATS
Access Transaction Station. Alternative term for access point.

attenuation
The reduction of RF signal strength due to the presence of an obstacle, such as a wall or person. The amount of attenuation caused by a particular object will vary depending upon its composition.
have the same BSSID, thus virtualizing the network from the client's perspective. When Virtual Ports are used, each client sees a different BSSID, appearing to get its own private AP. See also ESSID.

C

Co-channel Interference
Radio interference that occurs when two transmitters use the same frequency without being closely synchronized. Legacy wireless systems cannot achieve this kind of synchronization, so access points or cell towers that transmit on one channel must be spaced far apart.
CSMA-CA
CSMA/CA is the principal medium access method employed by IEEE 802.11 WLANs. It is a "listen before talk" method of minimizing (but not eliminating) collisions caused by simultaneous transmission by multiple radios. IEEE 802.11 states that a collision avoidance method rather than collision detection must be used, because the standard employs half duplex radios (radios capable of transmission or reception, but not both simultaneously).
EAP-TTLS
Extensible Authentication Protocol with Tunneled Transport Layer Security. EAP-TTLS uses a combination of certificates and password challenge and response for authentication within an 802.1X environment. TTLS supports authentication methods defined by EAP, as well as the older Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Microsoft CHAP (MS-CHAP), and MS-CHAPv2.
gateway
In the wireless world, a gateway is an access point with additional software capabilities such as providing NAT and DHCP. Gateways may also provide VPN support, roaming, firewalls, various levels of security, etc.

H

Handoff
The transfer of a link from one access point to another as a client moves through a network.
ogies: Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS) and Infrared. WECA's focus is on 802.11b, an 11 Mbps high-rate DSSS standard for wireless networks.

infrastructure mode
A client setting providing connectivity to an AP. As compared to Ad-Hoc mode, whereby PCs communicate directly with each other, clients set in Infrastructure Mode all pass data through a central AP.
J

K

L

LAN
Local Area Network. A system of connecting PCs and other devices within the same physical proximity for sharing resources such as an Internet connection, printers, files and drives. When Wi-Fi is used to connect the devices, the system is known as a Wireless LAN or WLAN.

LDAP
Lightweight Directory Access Protocol. A set of protocols for accessing information directories conforming to the X.500 standard.

LWAPP
Lightweight Access Point Protocol.
mobile professional
A salesperson or a "road warrior" who travels frequently and requires the ability to regularly access his or her corporate networks, via the Internet, to post and retrieve files and data and to send and receive e-mail.

multipath
The process or condition in which radiation travels between source and receiver via more than one propagation path due to reflection, refraction, or scattering.

N

NAT
Network Address Translation.
Pooling
Virtualization technique in which multiple physical resources are combined into a single virtual resource. Examples include the multiple disk drives in a virtual storage array, the multiple CPUs in a modern server and the multiple access points in a Meru Virtual Cell.
POTS
Plain Old Telephone Service. Standard analog telephone service.

proxy server
Used in larger companies and organizations to improve network operations and security, a proxy server is able to prevent direct communication between two or more networks. The proxy server forwards allowable data requests to remote servers and/or responds to data requests directly from stored remote server data.

PSTN
Public Switched Telephone Network.
RF prediction
The process of predicting WLAN characteristics, such as throughput and coverage area, based upon imported building characteristics and sample WLAN design configurations.

RF triangulation
A common method used for 802.11 device tracking whereby 3 or more Access Points compare RSSI information to triangulate in on a device's location.
Single Channel
Term sometimes used to describe a network in which all access points operate on the same channel, such as one using Virtual Cell technology. Single channel operation is more spectrally efficient than a microcell architecture and necessary for the use of Virtual Cells and network-controlled handoff. Single Channel improves security by making intrusion detection easier and location tracking more accurate, as every AP automatically receives transmissions from every client within range.
switch
A type of hub that efficiently controls the way multiple devices use the same network so that each can operate at optimal performance. A switch acts as a network traffic cop: rather than transmitting all the packets it receives to all ports as a hub does, a switch transmits packets to only the receiving port.

T

TCP
Transmission Control Protocol. A protocol used along with the Internet Protocol (IP) to send data in the form of individual units (called packets) between computers over the Internet.
network itself automatically routes all radio connections through the most appropriate AP. This maximizes bandwidth, simplifies network management and conserves radio spectrum for scalability and redundancy.

Virtual Port
An enhancement to the Virtual Cell architecture which partitions the network so that each client device has its own private network with a unique BSSID. From the client's perspective, it gets its own dedicated AP to which it remains connected no matter where it travels in the network.
WSM
Wi-Fi Scheduled Media. The Wi-Fi Alliance's emerging standard for QoS that is based upon the HCF portion of the 802.11e standard, which dedicates bandwidth segments to specific data types. WSM is going to have less of a focus in the enterprise space than its WME counterpart.

WPA
Wi-Fi Protected Access. The Wi-Fi Alliance put together WPA as a data encryption method for 802.11 Wireless LANs. WPA is an industry-supported, pre-standard version of 802.
MERU NETWORKS, INC. Limited Product Warranty This Limited Product Warranty applies to the original end-user customer of the Meru product which you purchased for your own use, and not for resale (“Product”), from Meru Networks, Inc. (“Meru”) or its authorized reseller (“Reseller”).
— Use of the Product with software, interfacing, parts or supplies not supplied by Meru. The warranty on the Product does not apply if the Product is sold, or in the case of software, licensed, for free for evaluation or demonstration purposes.
the defect, in either its original package or packaging providing the Product with a degree of protection equivalent to that of the original packaging, to Meru at the address below. You agree to obtain adequate insurance to cover loss or damage to the Product during shipment. If you obtain an RMA# and return the defective Product as described above, you agree to bear the cost of returning, and prior to receipt by Meru, you assume risk of any loss or damage to the Product.
SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY EVENT, THE CUMULATIVE LIABILITY OF MERU OR ITS RESELLER FOR ALL CLAIMS WHATSOEVER RELATED TO THE PRODUCT OR THE SERVICE WILL NOT EXCEED THE PRICE YOU PAID FOR THE PRODUCT OR SERVICES GIVING RISE TO SUCH CLAIMS. THE LIMITATIONS SET FORTH HEREIN ARE INTENDED TO LIMIT THE LIABILITY OF MERU AND ITS RESELLERS AND SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
Meru Networks, Inc. 894 Ross Drive Sunnyvale, CA 94087 408-215-5300 www.merunetworks.