RFS7000 Series RF Switch System Reference Guide
MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners. © Motorola, Inc. 2008. All rights reserved.
About this Guide

Introduction
This guide provides information about using the RFS7000 Series RF Switch.
NOTE Screens and windows pictured in this guide are samples and can differ from actual screens.

Documentation Set
The documentation set for the RFS7000 Series Switch is partitioned into the following guides to provide information for specific user needs.
• RFS7000 Installation Guide - describes the basic setup and configuration required to transition to more advanced configuration of the switch.
iv RFS7000 Series Switch System Reference Guide

Notational Conventions
The following additional notational conventions are used in this document:
• Italics are used to highlight the following:
  - Chapters and sections in this and related documents
  - Dialog box, window and screen names
  - Drop-down list and list box names
  - Check box and radio button names
  - Icons on a screen.
• GUI text is used to highlight the following:
  - Screen names
  - Menu items
  - Button names on a screen.
Contents

Chapter 1. Overview
Hardware Overview  1-1
Physical Specifications  1-2
Power Cord Specifications  1-2
Power Protection  1-2
Cabling Requirements

Power Save Polling
QoS
Wireless Layer 2 Switching
Automatic Channel Selection
WMM-Unscheduled APSD

Viewing the Ports Statistics  3-12
Detailed Port Statistics  3-13
Viewing the Port Statistics Graph  3-15
Viewing Switch Configurations  3-16
Viewing the Detailed Contents of a Config File

Configuring Authentication Types  4-33
Configuring Different Encryption Types  4-50
Viewing WLAN Statistics  4-55
Viewing WLAN Statistics Details  4-56
Viewing WLAN Statistics in a Graphical Format

Viewing Access Port Status  4-117
Viewing Adopted Access Ports  4-117
Viewing Unadopted Access Ports  4-119
Multiple Spanning Tree  4-120
Configuring a Bridge

Layer 3 Mobility  5-46
Configuring Layer 3 Mobility  5-46
Defining the Layer 3 Peer List  5-49
Reviewing Layer 3 Peer List Statistics

Reviewing ACL Statistics  6-31
Configuring NAT Information  6-33
Defining Dynamic NAT Translations  6-33
Adding a New Dynamic NAT Configuration  6-35
Defining Static NAT Translations

Configuring Enhanced Beacons and Probes  6-96
Configuring the Beacon Table  6-96
Configuring the Probe Table  6-99
Reviewing the Beacons Found Report  6-100
Reviewing the Probes Report

Reviewing Panic Snapshots
Viewing Panic Details
Transferring Panic Files
Debugging the Applet
Configuring a Ping
Overview The RFS7000 switch is a centralized management solution for wireless networking. It connects to non-legacy access ports through L2 or L3 (L2 is preferable, if the situation allows it). Access ports function as radio antennas for data traffic management and routing. System configuration and intelligence for the wireless network resides with the switch. The switch uses access ports to bridge data to and from wireless devices.
Access ports do not have software or firmware upon initial receipt from the factory. When the access port is first powered on and cleared for the network, the switch initializes the access port and installs a small firmware file automatically. Installation and firmware upgrades are automatic and transparent.

1.1.1 Physical Specifications
The physical dimensions and operating parameters of the switch include:
Width 440mm (17.32 in)
Height 44.45mm (1.75 in)
Depth 390.8mm (15.
1.1.1.3 Cabling Requirements
The RFS7000 has four RJ-45 Gigabit Ethernet ports, four Gigabit SFP (fiber) ports, one out-of-band management port and one console connector. The illustration below displays each of the ports and the cables or devices attaching to them.
[Figure: rear panel callouts: Gigabit Ethernet RJ-45s, Gigabit Ethernet SFPs, Console connector, Compact Flash, Out of band management port, ME Port, USB ports]
1.1.2 System Status LED Codes
The RFS7000 has four vertically-stacked LEDs on its front panel. Each of the switch’s Gigabit Ethernet ports has two status LEDs. These LEDs display two colors (green & amber) and three lit states (solid, blinking, and off). The following tables describe the combinations of LED colors and states for the System Status LEDs and the Gigabit Ethernet LEDs.
1.1.2.
Switch Status (Redundant System)
System Status 1 LED | System Status 2 LED | Event
Off | Off | Power off
Green Solid | Off | No redundancy feature enabled
Green Blinking | Green Solid | Redundant system failed over and adopting ports
Green Blinking | Alternating Green Blinking & Amber Blinking | Redundant system not failed over.
1.1.2.2 RJ-45 Gigabit Ethernet LEDs
[Figure: RJ-45 port LED callouts: Port speed, Port status]
RJ-45 Port Speed LED
Port Speed LED | Event
Off | 10 Mbps
Green Solid | 100 Mbps
Green Blinking | 1000 Mbps
Amber Blinking | Port fault
RJ-45 Port Status LED
Port Status LED | Event
Off | No link or administratively shut down
Green Solid | Link present
Green Blinking | Activity: Transmit and receive
Amber Blinking | Link fault
1.1.2.
SFP Port Speed LED
Port Speed LED | Event
Green Blinking | 1000 Mbps
Amber Blinking | Module or Tx/Rx fault loss
SFP Port Status LED
Port Status LED | Event
Off | No link or administratively shut down
Green Solid | Link present / Operational
Amber Blinking | Module or Tx/Rx fault loss
1.1.2.
• Management Features
• Security Features
• Access Port Support
NOTE The Motorola RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational in the field. Motorola RFMS can help optimize the positioning and configuration of a switch in respect to a WLAN’s MU throughput requirements and can help detect rogue devices. For more information, refer to the Motorola Web site.
1.2.
1.2.1.3 Configuration Management
The system supports redundant storage of configuration files to protect against corruption during a write operation and ensures (at any given time) a valid configuration file exists. If a configuration file has failed to completely execute, it is rolled back and the pre-write file is used.
Text Based Configuration
The configuration is stored in a human readable format (a set of CLI commands).
1.2.1.
The log message format is similar to the format used by syslog messages (RFC 3164). Log messages include message severity, source (facility), the time the message was generated and a textual message describing the situation triggering the event. For more information on using the switch logging functionality, see Configuring System Logging on page 8-9.
1.2.1.7 Process Monitor
The switch process monitor constantly checks to ensure processes under its control are up and running.
• The switch can be configured to provide NTP services to NTP clients.
• The switch can provide NTP support for user authentication.
• Secure Network Time Protocol (SNTP) clients can be configured to synchronize switch time with an external NTP server.
For information on configuring the switch to support SNTP, see Configuring Secure NTP on page 5-24.
1.2.1.11 Password Recovery
The switch has a provision enabling the restoration of its factory default configuration if a password is lost.
The switch can be discovered using one of the following mechanisms:
• DHCP
• Switch fully qualified domain name (FQDN)
• Static IP addresses
The benefits of an AAP deployment include:
• Centralized Configuration Management & Compliance - Wireless configurations across distributed sites can be centrally managed by the wireless switch or cluster.
• WAN Survivability - Local WLAN services at remote sites are unaffected in the case of a WAN outage.
1.2.2.3 Proxy-ARP
Proxy ARP is provided for MUs in PSP mode whose IP address is known. The WLAN generates an ARP reply on behalf of an MU if the MU's IP address is known. The ARP reply contains the MAC address of the MU (not the MAC address of the switch). Thus, the MU is not woken to send ARP replies (increasing battery life and conserving wireless bandwidth). If an MU goes into PSP mode without transmitting at least one packet, its IP address is unknown and Proxy ARP will not work for that MU.
1.2.2.
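The Proxy ARP behaviour described above, as an added illustration that is not part of the guide or the switch's own code: bindings are learned only from frames the MU itself has sent, the reply carries the MU's MAC (not the switch's), and a request for an MU that never transmitted gets no proxy reply. The MAC and IP values are constructed sample data.

```python
import struct
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


class ProxyArpTable:
    """IP -> MAC bindings, populated only from packets the MU has transmitted."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def learn(self, mu_mac: str, mu_ip: str) -> None:
        # A binding exists only once the MU has sent at least one packet;
        # an MU that enters PSP mode without transmitting stays unknown here.
        self.bindings[mu_ip] = mu_mac.lower()


def build_arp_request(requester_mac: str, requester_ip: str, target_ip: str) -> bytes:
    """Broadcast Ethernet/ARP 'who-has target_ip' frame (constructed test input)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + _mac(requester_mac) + _ip(requester_ip)
           + bytes(6) + _ip(target_ip))
    eth = _mac("ff:ff:ff:ff:ff:ff") + _mac(requester_mac) + struct.pack("!H", ETH_P_ARP)
    return eth + arp


def parse_arp_request(frame: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (requester_mac, requester_ip, target_ip) for an IPv4 ARP request, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa))


def build_proxy_reply(table: ProxyArpTable, frame: bytes) -> Optional[bytes]:
    """Answer on behalf of a sleeping MU, or return None so the MU is left alone."""
    req = parse_arp_request(frame)
    if req is None:
        return None
    requester_mac, requester_ip, target_ip = req
    mu_mac = table.bindings.get(target_ip)
    if mu_mac is None:
        return None  # unknown IP: no proxy reply is possible for this MU
    # Sender hardware address is the MU's MAC, so the requester caches the
    # MU itself as the next hop, exactly as if the MU had answered.
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + _mac(mu_mac) + _ip(target_ip)
           + _mac(requester_mac) + _ip(requester_ip))
    eth = _mac(requester_mac) + _mac(mu_mac) + struct.pack("!H", ETH_P_ARP)
    return eth + arp


# Constructed sample: one MU that has transmitted, one that has not.
TABLE = ProxyArpTable()
TABLE.learn("00:a0:f8:11:22:33", "10.0.0.20")
KNOWN_REQ = build_arp_request("00:11:22:33:44:55", "10.0.0.1", "10.0.0.20")
UNKNOWN_REQ = build_arp_request("00:11:22:33:44:55", "10.0.0.1", "10.0.0.21")
```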
1.2.2.5 IDM (Identity Driven Management)
Radius authentication is performed for all protocols using a Radius-based authentication scheme such as EAP. Identity driven management is provided using a Radius client. The following IDMs are supported:
• User based SSID authentication — Denies authentication to MUs if associated to an SSID configured differently in their Radius server.
• User based VLAN assignment — Allows the switch to extract VLAN information from the Radius server.
Detector APs
Configure an AP in either Data mode (the regular mode) or Detector mode. In Detector mode, the AP scans all channels at a configurable rate and forwards received beacons to the switch. The switch uses the received information to establish a receive signal strength baseline over a period of time and initiates self-healing procedures (if necessary).
Neighbor Configuration
Neighbor detect is a mechanism allowing an AP to detect its neighbors and their signal strength.
MU Balancing Across Multiple APs
As per the 802.11 standard, AP and MU association is a process conducted independently of the switch. 802.11 provides message elements used by the MU firmware to influence the roaming decision. The switch implements the following MU load balancing techniques:
• 802.11e admission control — 1 byte: channel utilization % and 1 byte: MU count are sent in the QBSS Load Element in beacons to the MU.
PMKs among themselves. This allows an MU to roam to an AP that it has not previously visited and reuse a PMK from another AP to skip the 802.1x authentication.
Interswitch Layer 2 Roaming
An associated MU (connected to a particular wireless switch) can roam to another access port connected to a different wireless switch. Both switches must be on the same L2 domain.
802.11e QoS
802.11e enables real-time audio and video streams to be assigned a higher priority over regular data. The switch supports the following 802.11e features:
• Basic WMM
• WMM Linked to 802.1p Priorities
• WMM Linked to DSCP Priorities
• Fully Configurable WMM Admission Control
• Unscheduled-APSD
• TSPEC Negotiation
• Block ACK
• QBSS Beacon Element
802.1p support
802.1p is a standard for providing QoS in 802-based networks.
802.
1.2.2.14 Automatic Channel Selection
Automatic channel selection works as follows:
1. When a new AP is adopted, it scans each channel. However, the switch does not forward traffic at this time.
2. The switch then selects the least crowded channel based on the noise and traffic detected on each channel.
3. The algorithm used is a simplified maximum entropy algorithm for each radio, where the signal strength from adjoining APs/MUs associated to adjoining APs is minimized.
4.
• Unicast From Mobile Unit – Frames are decrypted, converted from 802.11 to 802.3 and switched to the wired side of the VLAN dynamically assigned to the mobile device. If the destination is another mobile device on the wireless side, the frame is encrypted and switched over the air.
• Unicast To Mobile Unit – The frame is checked to ensure that, in addition to the destination MAC address matching that of the mobile device, the VLAN is the same as that assigned to the mobile device.
1.2.3 Wired Switching
The switch includes the following wired switching features:
• DHCP Servers
• DDNS
• VLAN Enhancements
• Interface Management
1.2.3.1 DHCP Servers
Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses, and discover information about the network to which they are attached. Configure address pools for each subnet.
1.2.3.4 Interface Management
The switch permits a physical interface to Auto Negotiate, Full Duplex or Half Duplex. The switch also allows:
• Manual bandwidth configuration of a physical interface to 10/100/1000Mbps. This is only permitted if duplex is not set to Auto Negotiate.
• Manual configuration of administrative shutdown of a physical interface.
1.2.
• Certificate Management
1.2.5.1 Encryption and Authentication
WEP
Wired Equivalent Privacy (WEP) is an encryption scheme used to secure wireless networks. WEP was intended to provide comparable confidentiality to a traditional wired network, hence the name. WEP had many serious weaknesses and hence was superseded by Wi-Fi Protected Access (WPA). Regardless, WEP still provides a level of security that can deter casual snooping.
802.1x EAP
802.1x EAP is the most secure authentication mechanism for wireless networks and includes EAP-TLS, EAP-TTLS and PEAP. The switch is a proxy for Radius packets. An MU does a full 802.11 authentication and association and begins transferring data frames. The switch realizes the MU needs to authenticate with a Radius server and denies any traffic not Radius related. Once Radius completes its authentication process, the MU is allowed to send other data traffic.
When you initially switch packets on an out-of-the-box AP300 port, it immediately attempts to authenticate using 802.1x. Since 802.1x supports supplicant initiated authentication, the AP300 attempts to initiate the authentication process. On reset (all resets including power-up), an AP300 sends an EAPOL start message every time it sends a Hello message (periodically every 1 second). The EAPOL start is the supplicant initiated attempt to become authenticated.
1.2.5.9 Rogue AP Detection
The switch supports the following rogue AP detection mechanisms:
• Motorola RFMS Support
• RF scan by Access Port on all channels
• SNMP Trap on discovery
• Authorized AP Lists
• Rogue AP Report
Motorola RFMS Support
NOTE The Motorola RF Management Software is recommended to plan the deployment of the switch.
Authorized AP Lists
Configure a list of authorized access ports based on their MAC addresses. The switch evaluates the APs against the configured authorized list after obtaining Rogue AP information from one of the two mechanisms described in Rogue AP Detection on page 1-26.
Rogue AP Report
After determining which APs are authorized and which are rogue, the switch prepares a report.
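The authorized-list check and report described above, as an added example that is not the guide's or the switch's own code: MACs are normalized before comparison (so a list entry written in a different case or separator style still matches), sightings of the same BSSID from several detector APs are collapsed to the strongest one, and the rogues are listed strongest first. The BSSIDs, SSIDs and RSSI values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; rejects anything that is not 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Sighting:
    bssid: str       # MAC of the AP that was heard
    ssid: str
    channel: int
    rssi_dbm: int    # receive signal strength at the detector
    detector: str    # name of the access port that reported it


@dataclass
class RogueReport:
    authorized: List[Sighting]
    rogue: List[Sighting]


def build_rogue_report(authorized_macs: Iterable[str],
                       sightings: Iterable[Sighting]) -> RogueReport:
    allowed = {normalize_mac(m) for m in authorized_macs}
    # Keep one entry per BSSID: the sighting with the strongest signal, which is
    # the detector closest to it and the best lead for locating a rogue.
    strongest: Dict[str, Sighting] = {}
    for s in sightings:
        bssid = normalize_mac(s.bssid)
        cur = strongest.get(bssid)
        if cur is None or s.rssi_dbm > cur.rssi_dbm:
            strongest[bssid] = Sighting(bssid, s.ssid, s.channel, s.rssi_dbm, s.detector)
    authorized = sorted((s for b, s in strongest.items() if b in allowed),
                        key=lambda s: s.bssid)
    rogue = sorted((s for b, s in strongest.items() if b not in allowed),
                   key=lambda s: s.rssi_dbm, reverse=True)
    return RogueReport(authorized, rogue)


# Constructed sample data: two authorized APs (one written in a different
# style) and scan results from two detector access ports.
AUTHORIZED = ["00:A0:F8:00:00:01", "00-a0-f8-00-00-02"]
SIGHTINGS = [
    Sighting("00:a0:f8:00:00:01", "corp", 6, -48, "ap-lobby"),
    Sighting("00:a0:f8:00:00:02", "corp", 11, -61, "ap-lobby"),
    Sighting("00:a0:f8:00:00:02", "corp", 11, -55, "ap-warehouse"),
    Sighting("02:13:37:aa:bb:cc", "corp", 6, -70, "ap-lobby"),       # same SSID, unknown BSSID
    Sighting("02:13:37:aa:bb:cc", "corp", 6, -52, "ap-warehouse"),
    Sighting("00:1b:2c:dd:ee:ff", "freewifi", 1, -80, "ap-lobby"),
]
```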
• Site-Site VPN — For example, traffic between one company branch office and another over an unsecured link between the two locations.
• Remote VPN — Provides remote users the ability to access company resources from outside the company premises.
The switch supports:
• IPSec termination for site to site
• IPSec termination for remote access
• IPSec traversal of firewall filtering
• IPSec traversal of NAT
• IPSec/L2TP (client to switch)
1.2.5.
• TCP Bad Sequence number
Apart from detecting the above attacks, the firewall also performs sanity checks on every packet. These sanity checks can drop a packet if the packet is malformed. A log message is generated whenever a packet gets dropped due to these sanity checks. Logging provides details explaining the reason for dropping a packet along with the packet information - source IP, destination IP, source port, destination port, IP protocol etc.
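An added example covering two earlier points, the syslog-like (RFC 3164) log format from section 1.2.1 and the firewall drop messages described here; it is not the guide's or the switch's own code. The PRI decoding (facility = PRI / 8, severity = PRI mod 8) follows RFC 3164; the "dropped packet: key=value" message body and the sample lines are constructed, since the guide does not print a real drop line, and the counting of repeated drops per source is a simple detection rule a log collector might apply.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST MESSAGE  (RFC 3164 layout; day may be space-padded)
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class LogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str

    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_syslog(line: str) -> Optional[LogRecord]:
    """Split one RFC 3164-style line into facility, severity, time, host and text."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        return None
    return LogRecord(pri // 8, pri % 8, m.group(2), m.group(3), m.group(4))


def parse_drop(record: LogRecord) -> Optional[Dict[str, str]]:
    """Extract src/dst/sport/dport/proto/reason from a firewall drop message."""
    if "dropped packet" not in record.message:
        return None
    return dict(KV_RE.findall(record.message))


def noisy_sources(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Sources whose packets were dropped at least `threshold` times."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        fields = parse_drop(rec)
        if fields and "src" in fields:
            counts[fields["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample log (PRI 132 = local0.warning, 134 = local0.info).
SAMPLE_LINES: List[str] = [
    "<132>Mar  5 14:02:11 rfs7000 fw: dropped packet: src=203.0.113.9 dst=10.0.0.5 "
    "sport=40001 dport=22 proto=tcp reason=bad-tcp-seq",
    "<132>Mar  5 14:02:12 rfs7000 fw: dropped packet: src=203.0.113.9 dst=10.0.0.5 "
    "sport=40002 dport=22 proto=tcp reason=bad-tcp-seq",
    "<134>Mar  5 14:02:13 rfs7000 ntp: time synchronized with 10.0.0.2",
    "<132>Mar  5 14:02:14 rfs7000 fw: dropped packet: src=198.51.100.7 dst=10.0.0.5 "
    "sport=5353 dport=53 proto=udp reason=malformed-header",
    "<132>Mar  5 14:02:15 rfs7000 fw: dropped packet: src=203.0.113.9 dst=10.0.0.5 "
    "sport=40003 dport=22 proto=tcp reason=bad-tcp-seq",
    "not a syslog line at all",
]
```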
1.2.5.16 NAC
There is an increasing proliferation of insecure devices (laptops, mobile computers, PDAs, smart-phones) accessing WiFi networks. These devices often lack proper anti-virus software and can potentially infect the network they access. Device compliance per an organization’s security policy must be enforced using NAC. A typical security compliance check entails verifying the right operating system patches, anti-virus software etc.
Switch Web UI Access & Image Upgrades
2.1 Accessing the Switch Web UI
2.1.1 Web UI Requirements
The switch Web UI is accessed using Internet Explorer version 5.5 (or later) and SUN JRE (Java Runtime Environment) 1.5 (or later). Refer to the Sun Microsystems Web site for information on downloading JRE.
NOTE To successfully access the switch Web UI through a firewall, UDP port 161 must be open in order for the switch’s SNMP backend to function.
To prepare Internet Explorer to run the Web UI:
1.
2-2 Installing the System Image
2.1.2 Connecting to the Switch Web UI
To display the Web UI, launch a Web browser on a computer with the capability of accessing the switch.
NOTE Ensure you have HTTP connectivity to the switch, as HTTP is required to launch the switch Web UI from a browser.
To display the switch Web UI:
1. Point the browser to the IP address assigned to the wired Ethernet port (port 2). Specify a secure connection using the https:// protocol. The switch login screen displays:
2.
switch, view the status of the switch’s Ethernet connections and view switch CPU and memory utilization statistics.
NOTE The chapters within this System Reference Guide are arranged to be complementary with the main menu items in the menu tree of the Web UI. Refer to this content to configure switch network addressing, security and diagnostics as required.
2.
Switch Information
This chapter describes the Switch main menu information used to configure the RFS7000. This chapter consists of the following sections:
• Viewing the Switch Interface
• Viewing Switch Port Information
• Viewing Switch Configurations
• Viewing Switch Firmware Information
• Switch File Management
• Configuring Automatic Updates
• Viewing the Switch Alarm Log
• Viewing Switch Licenses
• How to use the Filter Option
NOTE HTTPS must be enabled to access the switch applet.
NOTE The Motorola RF Management Software is a recommended utility to plan the deployment of the switch and view its interface statistics once operational in the field. Motorola RFMS can help optimize the positioning and configuration of a switch (and its associated radios) in respect to a WLAN’s MU throughput requirements and can help detect rogue devices. For more information, refer to the Motorola Web site.
2. Select the Configuration tab.
3. The system prompts the user for the correct Country code after the first login. A warning message could display stating that an incorrect country setting will lead to an illegal use of the switch. Selecting the correct country is extremely important. Each country has its own regulatory restrictions concerning electromagnetic emissions (channel range) and the maximum RF signal strength transmitted.
AP Licenses: Displays the number of access port licenses currently available for the switch. This value represents the maximum number of access ports the switch is licensed to adopt.
Date (MM/DD/YYYY): Displays the day, month and year currently used with the switch.
5.
Time: Displays the time of day used by the switch.
Time Zone: Use the drop-down menu to specify the time zone used with the switch.
The Dashboard screen displays the current health of the switch and is divided into the following fields:
• Alarms
• Ports
• Environment
• CPU
• Memory
• File Systems
Apart from the sections mentioned above, it also displays the following:
Displays the Redundancy State of the switch. The status can be either Enabled or Disabled.
• Enabled — Displays green.
• Disabled — Displays yellow.
Displays the current Firmware version running on the wireless switch.
Displays the switch uptime. The Uptime is the current operational time defined within the System Name field. Uptime is the cumulative time since the switch was rebooted or lost power.
1. Refer to the Alarms field for details of all the unacknowledged alarms generated during the past 48 hours. The alarms are classified as:
• Critical — Denoted by a red indicator. These alarms warrant immediate attention.
• Major — Denoted by a yellow indicator. These alarms warrant attention.
2. Click the Switch Statistics tab at the top of the Switch screen.
3. Refer to the following read-only information about associated MUs:
Number of MUs Associated: Displays the total number of MUs currently associated to the switch.
Number of APs Adopted: Displays the total number of access ports currently adopted by the switch.
Number of Radios Adopted: Displays the total number of radios currently adopted by the switch.
4.
Average Noise: Displays the average RF noise for all MUs associated with the selected WLAN. MU noise for the last 30 seconds is displayed in black and the number in blue represents MU noise for the last hour.
Average SNR (dB): Displays the average Signal to Noise Ratio (SNR) for all MUs associated with the switch. The Signal to Noise Ratio is an indication of overall RF performance on your wireless network.
6.
2. Select the Configuration tab to display the following read-only information:
Name: Displays the port name.
Aggregation Membership: Displays the Channel Group defined for the port (if any). The switch bundles individual Ethernet links (over the selected channel) into a single logical link that provides bandwidth between the switch and another switch or host. The port speed used is dependent on whether full or half duplex is selected.
3.2.1.1 Editing the Port Configuration
To modify the port configuration:
1. Select a port from the table displayed within the Configuration tab.
2. Click the Edit button. A Port Change Warning screen displays, stating any change to the port setting could disrupt access to the switch. Communication errors may occur even if modifications made are successful.
3. Click the OK button to continue.
4. Use the Edit screen to modify the configuration for the selected port.
Medium: Displays the current (read-only) connection medium used by this port.
Read-only details about the port’s cabling connection also display within the Edit screen. This information should be used to help assess what configuration should be set for this port.
5. Click the OK button to commit the changes made to the port configurations.
6. Click Cancel to disregard any changes and revert back to the last saved configuration.
3.2.
MTU: Displays the maximum transmission unit (MTU) setting configured on the port. The MTU value represents the largest packet size that can be sent over a link. The MTU is determined by the underlying network, but must be taken into account at the IP level. IP packets (which can be up to 64K bytes each) must be packaged into lower-level packets of the appropriate size for the underlying network(s) and re-assembled on the other end.
Packets Out: Displays the total number of packets transmitted (sent) by the port. A low value could be an indication of a network problem.
Packets Out Dropped: Displays the total number of transmitted packets dropped. A high value may be an indication of network issues.
Packets Out Error: Displays the total number of erroneous transmitted packets.
4. Select a port and click the Details button to see the detailed port statistics.
Input Packets Dropped: Displays the number of received packets dropped at the interface by the input Queue of the hardware unit/software module associated with the interface. Packets are dropped when the input Queue of the interface is full or unable to handle incoming traffic.
Input Packets Error: Displays the number of received packets with errors at the interface.
3.2.3.2 Viewing the Port Statistics Graph
The switch continuously collects data for port statistics. Even when the port statistics graph is closed, data is still tallied. Periodically display the port statistics graph for assessing the latest information.
To view a detailed graph for a port:
1. Select a port from the table displayed in the Statistics screen.
2. Click the Graph button. The Interface Statistics screen displays for the selected port.
4. Click on the Close button to exit the screen without saving changes.
3.3 Viewing Switch Configurations
Use the Configurations screen to review the configuration files available to the switch. The details of each configuration can be viewed individually. Optionally, edit the file to modify its name or use the file as the switch startup configuration. A file can be deleted from the list of available configurations or transferred to a user specified location.
Created: Displays the date and time each configuration file was created. Use this information as a baseline for troubleshooting problems by comparing event log data with configuration file creation data.
Modified: Displays the date and time each configuration file was last modified. Compare this column against the Created column to discern which files were modified and make informed decisions whether existing files should be further modified or deleted.
2. Click the View button to see the contents of the selected configuration file.
3. The Main screen displays the contents of the configuration file. Use the up and down navigation facilities on the right-hand side of the screen to view the entire file.
4. The Page parameter displays the portion of the configuration file currently displayed in the main viewing area. The total number of pages in the file is displayed to the right of the current page.
To transfer the contents of a configuration file:
1. Click the Transfer Files button on the bottom of the Configuration screen.
2. Refer to the Source field to define the location and address information for the source config file.
From: Select the location representing the source file’s current location using the From drop-down menu. Options include Server, Local Disk and Wireless Switch.
File: Specify a source file for the file transfer.
File Browser (icon): If the target specified is Wireless Switch, click the File Browser icon to specify the target file’s location on the switch. The target location can be any of the three file systems on the switch: Flash, System or NVRAM. In addition to the three built-in file systems, additional targets are CF, for Compact Flash, and USB1 and USB2 for USB flash memory drives.
3.4 Viewing Switch Firmware Information
The switch can store two software versions. Information about the two versions displays within the Firmware screen. The Version column displays the version string. The Build Time is the date and time each version was generated. Install represents the date and time the upgrade was performed. Next Boot indicates which version should be used on the next reboot.
Built Time: Displays the time the version was created (built). Do not confuse the Built Time with the time the firmware was last loaded on the switch.
Install Time: The Install Time is the time this version was loaded on the switch.
3. Refer to the Patch field for a listing of those Patches available to the switch. The name and version of each patch file is displayed. Each patch file has an associated .txt file to go with it.
This firmware version will now be invoked after the next reboot of the switch.
5. Refer to the Status field for the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click the OK button to commit the changes made and exit the screen.
3.4.
a. Use FTP to get the firmware update from a File Transfer Protocol (FTP) server. A user account must be established on the FTP server specified for the firmware update.
b. Use TFTP to get the firmware update from a Trivial File Transfer Protocol (TFTP) server.
Enter the IP address for the FTP or TFTP server in the IP address field.
Enter the username for FTP server login in the User ID field.
Enter the password for FTP server login in the Password field.
3.5 Switch File Management
Use the File Management screen to transfer configuration files to and from the switch and review the files available. The File Management screen consists of the following tabs:
• Transfer Files
• File System
3.5.1 Transferring Files
Use the Transfer Files tab to transfer files to and from the switch. Transferring files is recommended to keep files in a secure location.
3-26 Switch Information 2. Refer to the Source field to specify the details of the source file. From Use the From drop-down menu to select the source file’s current location. The options include Wireless Switch and Server. The following transfer options are possible: • Wireless Switch to Wireless Switch • Wireless Switch to Server • Server to Wireless Switch. The parameters displayed in the Source and Target fields differ based on the above selection.
Switch Information 3-27 3.5.1.2 Transferring a file from a Wireless Switch to a Server To transfer a file from the switch to a Server: 1. Refer to the Source field to specify the source file. Use the From drop-down menu and select Wireless Switch. 2. Use the Browse button and select a file for transfer. 3. Use the To drop-down menu (within the Target field) and select Server. This defines the transfer location of the configuration file. Enter the file location marked to store the transferred file. 4.
2. Provide the name of the File. 3. Use the Using drop-down menu to configure whether the file transfer is conducted using FTP, TFTP or HTTP. FTP transfers require a valid user ID and password. 4. Enter the IP Address of the server receiving the configuration file. Ensure the IP address is valid or risk jeopardizing the success of the file transfer. 5. Enter the User ID credentials required to transfer the configuration file from an FTP server. 6.
3.5.2 Viewing Files Use the File System tab to review the files available to the switch. The switch maintains the following file types: • flash • nvram • system • Compact Flash • USB 1 • USB 2 Transfer files between the switch and the server from any one of the above-mentioned locations. Since compact flash (CF) and USB are external memory locations, the File System window displays the status of these devices.
Formatted Displays the format status of the memory devices. This ensures that the external and internal memory devices store the files securely. A formatted memory device is less prone to crashes and data loss. • A green tick mark indicates the device is currently connected to the switch and is available. • A red cross mark indicates the device is currently not available. 4.
2. Refer to the Switch Configuration field to enable and define the configuration for automatic configuration file updates. If enabled, the located (updated) configuration file will be used with the switch the next time the switch boots. Enable Select the Enable checkbox to allow an automatic configuration file update when a newer (updated) file is detected (upon the boot of the switch) at the specified IP address.
3-32 Switch Information 4. Refer to the Firmware field to enable and define the configuration for automatic firmware updates. If enabled, the located (updated) switch firmware is used with the switch the next time the switch boots. Enable Select the Enable checkbox to allow an automatic firmware update when a new (updated) version is detected (upon the boot of the switch) at the specified IP address. IP Address Define the IP address of the server where the firmware files reside.
Switch Information 1. Select Switch > Alarm Log from the main menu tree. 2. Select either of the two available filter options to view alarm log information: View By Page Select the View By Page radio button to view alarm log information on a per page basis. Use the View By Page option to display alarm logs in pages. If there are a large number of alarms, the user can navigate to the page that has been completely loaded. All operations can be performed on the currently loaded data.
Severity Displays the severity level of the event. Use this (non-numerical, verbal) description to assess the criticality of the alarms. Severity levels include: • Critical • Major • Warning • Informational • Normal Module Name Displays the name of the module that triggered this alarm. Use this information to assess whether this alarm is a recurring problem or an isolated incident. Type Displays the alarm type.
Switch Information 2. Select an alarm and click the Details button. 3. Refer to the Alarm Details and Alarm Message for the following information: Description Displays the details of the alarm log event. This information can be used in conjunction with the Solution and Possible Causes items to troubleshoot the event and determine how the event can be avoided in the future. Solution Displays a possible solution to the alarm event. The solution should be attempted first to rectify the described problem.
3.8 Viewing Switch Licenses Use the Licenses screen to install a new license on the switch. To install a new license: 1. Select Switch > Licenses from the main menu tree. 2. Refer to the Install License field for the following information: License Key Enter the license key required to install a particular feature. The license key is provided when you supply the switch serial number to Motorola support.
3.9 How to use the Filter Option Use the Filter Option to sort the display details of screens that employ filtering as a means of controlling how data is displayed within the screen. 1. Click the Show Filtering Option to expand the Filter Option zone, whenever it appears in any screen. 2. Enter the filter criteria as per the options provided in the Filter Option zone. 3. The fields in the Filter Option zone are populated with the parameters of the screen in which it appears.
Network Setup This chapter describes the Network Setup menu information used to configure the switch.
4.1 Displaying the Network Interface The main Network interface displays a high-level overview of the configuration (default or otherwise) as defined within the Network main menu. Use the information to determine if items require additional configuration using the sub-menu items under the main Network menu item. NOTE When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful.
Network Setup 4-3 2. Refer to the following information to discern if configuration changes are warranted: DNS Servers Displays the number of DNS Servers configured thus far for use with the switch. For more information, see Viewing Network IP Information on page 4-4. IP Routes Displays the number of IP routes for routing packets to a defined destination. For information on defining IP Routes, see Configuring IP Forwarding on page 4-6.
4.2 Viewing Network IP Information Use the Internet Protocol screen to view and configure network associated IP details. The Internet Protocol screen contains tabs supporting the following configuration activities: • Configuring DNS • Configuring IP Forwarding • Viewing Address Resolution 4.2.1 Configuring DNS Use the Domain Name System tab to view server address information and delete or add servers to the list of servers available. To configure DNS: 1.
Network Setup 4-5 4. Select an IP Address from the table and click the Delete button to remove the selected entry from the list. 5. Click the Add button to display a screen used to add another domain name server. For more information, see Adding an IP Address for a DNS Server on page 4-5. 6. Click the Global Settings button to open a screen that allows domain lookup to be enabled/disabled and the domain name specified. For more information, see Configuring Global Settings on page 4-5. 4.2.1.
2. Select the Domain Look Up checkbox to enable the switch to query domain name servers to resolve domain names to IP addresses. NOTE The look up order is determined by the order of the servers within the Domain Name System tab. The first server queried is the first server displayed. 3. Enter a Domain Name in the text field. This is the switch’s domain. 4. Refer to the Status field for the current state of the requests made from the applet.
Network Setup Subnet Mask Displays the mask used for destination subnet entries. The Subnet Mask is the IP mask used to divide internet addresses into blocks (known as subnets). A value of 255.255.255.0 will support 256 IP addresses. Gateway Address Displays the IP address of the Gateway used to route the packets to the specified destination subnet. Do not set the gateway address to any VLAN interface used by the switch.
2. In the Destination Subnet field, enter an IP address to route packets to a specific destination address. 3. Enter a subnet mask for the destination subnet in the Subnet Mask field. The Subnet Mask is the IP mask used to divide internet addresses into blocks known as subnets. A value of 255.255.255.0 supports 256 IP addresses. 4. In the Gateway Address field, enter the IP address of the gateway used to route the packets to the specified destination subnet.
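As an added example (not part of the guide and not the switch's own code), the following Python function applies the route rules above to a Destination Subnet / Subnet Mask / Gateway Address entry: it normalises the subnet, reports how many addresses the mask covers (256 for 255.255.255.0), and rejects a gateway that is one of the switch's own VLAN interface addresses. The SVI address list is a constructed sample; the further check that the gateway sits on a directly connected VLAN subnet is a general routing requirement added here, not a rule stated in the guide.

```python
import ipaddress

# Constructed sample: the switch's own VLAN (SVI) interface addresses, in CIDR form.
SWITCH_SVI_ADDRESSES = ["10.10.1.1/24", "10.10.2.1/24"]


def validate_static_route(destination, subnet_mask, gateway,
                          svi_addresses=SWITCH_SVI_ADDRESSES):
    """Check a Destination Subnet / Subnet Mask / Gateway Address triple.

    Returns a dict with the normalised network, the number of addresses the
    mask covers, and a list of problems (empty when the route is acceptable).
    """
    try:
        # strict=False lets a host address such as 192.168.5.7 stand in for its subnet.
        network = ipaddress.IPv4Network(f"{destination}/{subnet_mask}", strict=False)
    except ValueError as exc:
        return {"network": None, "addresses": 0,
                "problems": [f"invalid destination/mask: {exc}"]}

    result = {"network": str(network), "addresses": network.num_addresses, "problems": []}
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        result["problems"].append(f"invalid gateway: {exc}")
        return result

    interfaces = [ipaddress.IPv4Interface(addr) for addr in svi_addresses]

    # Guide rule: the gateway must not be any VLAN interface used by the switch.
    if any(gw == iface.ip for iface in interfaces):
        result["problems"].append(f"gateway {gw} is a VLAN interface address of the switch")

    # Added check (assumption, not from the guide): a next hop has to sit on a
    # subnet the switch is directly connected to, or packets cannot reach it.
    elif not any(gw in iface.network for iface in interfaces):
        result["problems"].append(f"gateway {gw} is not on any directly connected VLAN subnet")

    return result


if __name__ == "__main__":
    print(validate_static_route("192.168.5.0", "255.255.255.0", "10.10.1.254"))
    print(validate_static_route("192.168.5.0", "255.255.255.0", "10.10.1.1"))
```

The function only inspects the values; it does not talk to the switch. Run it against the route entries before committing them in the Web UI, and treat any non-empty problem list as a reason to correct the entry.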
Network Setup 4-9 4. Click the Clear button to remove the selected ARP entry if no longer usable. 4.3 Viewing and Configuring Layer 2 Virtual LANs A virtual LAN (VLAN) is similar to a Local Area Network (LAN), however devices do not need to be connected to the same segment physically. Devices operate as if connected to the same LAN, but could be connected at different physical connections across the LAN segment.
Mode It can be either Access or Trunk. • Access – This Ethernet interface accepts packets only from the native VLAN. • Trunk – The Ethernet interface allows packets from the given list of VLANs you add to the trunk. Native VLAN Displays the tag assigned to the native VLAN. Allowed VLANs Displays VLAN tags allowed on this interface. 2. Select a record from the table and click the Edit button to modify the record.
5. Use the Edit screen to modify the following: Name Displays a read only field with the name of the port to which the VLAN is associated. Mode Use the drop-down menu to select the mode. It can be either: • Access – This Ethernet interface accepts packets only from the native VLAN. If this mode is selected, the Allowed VLANs field is unavailable. • Trunk – The Ethernet interface allows packets from the given list of VLANs you can add to the trunk.
4-12 Network Setup VLAN details display within the VLANs by Port tab. 3. Refer to the following information as displayed within the VLANs by Port tab: VLAN Displays the name of each VLAN configured on the switch. ge# The VLAN and ge columns display the VLAN association status of each VLAN on the switch. If a VLAN is associated with a ge port, the column displays a green checkmark. If the ge port is not associated with the VLAN, the column displays a red X mark. 4.
3. Highlight an existing VLAN and click the Edit button. The system displays a Port VLAN Change Warning message. Be advised, changing VLAN designations could disrupt access to the switch. 4. Click OK to continue. A new window displays wherein the VLAN assignments can be modified for the selected VLAN. 5. Change VLAN port designations as required. VLAN Displays a read-only field with the name of the VLAN selected. ge# Displays the ge ports on the switch.
Use the Switch Virtual Interfaces screen to view and configure VLAN interfaces. This screen contains two tabs supporting the following activities: • Configuring the Virtual Interface • Viewing Virtual Interface Statistics 4.4.1 Configuring the Virtual Interface Use the Configuration screen to view and configure virtual interface details. 1. Select Network > Switch Virtual Interface from the main menu tree. 2. Select the Configuration tab.
Management Interface A green checkmark within this column defines this VLAN as currently used by the switch. This designates the interface settings used for global switch settings in case of conflicts. For example, if multiple SVIs are configured with DHCP enabled on each, the switch could have multiple domain names assigned from different DHCP servers. The one assigned over the selected Management Interface would be the only one used by the switch.
4-16 Network Setup 5. Provide a Description for the VLAN, representative of the VLAN’s intended operation within the switch managed network. 6. The Primary IP Settings field consists of the following: a. Select Use DHCP to obtain IP Address automatically to allow DHCP to provide the IP address for the virtual interface. Selecting this option disables the IP address field. b. Enter the IP Address for the VLAN associated virtual interface. c. Enter the Subnet Mask for the IP address. 7.
Network Setup 4-17 2. Select the Configuration tab and click the Edit button. The screen displays with the name of the VLAN displayed in the upper left-hand side. The VLAN ID cannot be modified and should be used to associate the VLAN ID with the description and IP address assignments defined. 3. If necessary, modify the Description of the VLAN, to make it representative of the VLAN’s intended operation within the switch managed network. 4.
4-18 Network Setup 2. Select the Statistics tab. 3. Refer to the following to assess the network throughput of existing virtual interfaces: Name Displays the user defined interface name. The corresponding statistics are displayed along the row. The statistics are the total traffic to the interface since its creation. Bytes In Displays the number of bytes coming into the interface. The status is not self-updated. To view the current status, click the Details button.
Packets In Error Displays the number of error packets coming into the interface. It includes: • Runt frames — Packets shorter than the minimum Ethernet frame length (64 bytes). • CRC errors — The Cyclical Redundancy Check (CRC) is the 4 byte field at the end of every frame that the receiving station uses to determine whether the frame is valid. If the CRC value computed by the interface does not match the value at the end of the frame, it is counted as a CRC error.
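To make the two error classes concrete, here is an added Python example (not from the guide or the switch software) that classifies received frames the way an interface's counters do: anything shorter than 64 bytes is a runt, and anything whose recomputed CRC-32 does not match the 4-byte FCS at the end is a CRC error. The frames are constructed inline; `build_frame` is a helper written for this example, and the FCS is computed with `zlib.crc32`, which implements the same CRC-32 polynomial that IEEE 802.3 uses.

```python
import struct
import zlib

MIN_FRAME_LEN = 64   # minimum Ethernet frame length, FCS included
FCS_LEN = 4          # the CRC-32 Frame Check Sequence at the end of every frame


def ethernet_fcs(body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over destination, source, type and payload.

    zlib.crc32 implements the same reflected CRC-32; the FCS is transmitted
    least-significant byte first, hence the little-endian pack.
    """
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed helper: assemble a frame, pad it to the minimum size and append a valid FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body = body.ljust(MIN_FRAME_LEN - FCS_LEN, b"\x00")   # pad short payloads as a sender would
    return body + ethernet_fcs(body)


def classify_frame(frame: bytes) -> str:
    """Classify a received frame the way an interface's error counters do.

    'runt'      - shorter than the 64-byte minimum
    'crc_error' - recomputed CRC-32 does not match the FCS carried in the frame
    'ok'        - neither
    """
    if len(frame) < MIN_FRAME_LEN:
        return "runt"
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if ethernet_fcs(body) != fcs:
        return "crc_error"
    return "ok"


def count_errors(frames) -> dict:
    """Tally frames; 'runt' plus 'crc_error' is what the Packets In Error counter reports."""
    counts = {"ok": 0, "runt": 0, "crc_error": 0}
    for frame in frames:
        counts[classify_frame(frame)] += 1
    return counts


# Constructed sample traffic: one good frame, one with a single flipped bit, one truncated.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
GOOD_FRAME = build_frame(DST, SRC, 0x0800, b"hello")
_corrupted = bytearray(GOOD_FRAME)
_corrupted[14] ^= 0x01               # flip one payload bit; the carried FCS no longer matches
CORRUPTED_FRAME = bytes(_corrupted)
RUNT_FRAME = GOOD_FRAME[:40]         # cut off mid-frame, as a collision fragment would be
SAMPLE_FRAMES = [GOOD_FRAME, CORRUPTED_FRAME, RUNT_FRAME]

if __name__ == "__main__":
    print(count_errors(SAMPLE_FRAMES))
```

A steadily rising CRC error count on one interface usually points at a cabling or duplex problem on that link rather than at the switch itself; runts typically indicate collisions or a faulty transmitter. Note that most host network stacks strip the FCS before handing a frame to software, so the CRC check here models what the interface hardware does, not something you can normally repeat from a packet capture.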
4-20 Network Setup 4.4.2.1 Viewing Virtual Interface Statistics To view detailed virtual interface statistics: 1. Select a virtual interface from the Statistics tab. 2. Click the Details button. 3. The Interface Statistics screen displays the following granular content for the selected interface: Name Displays the title of the logical interface selected. MAC Address Displays physical address information associated with the interface.
Output Unicast Packets Displays the number of unicast packets (packets directed towards a single destination address) transmitted from the interface. Output NonUnicast Packets Displays the number of non-unicast packets transmitted from the interface. Output Total Packets Displays the total number of packets transmitted from the interface. Output Packets Dropped Displays the number of transmitted packets dropped at the interface.
NOTE Do not select more than four parameters at any given time. 4. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. 5. Click Close to close the dialog.
4.5 Viewing and Configuring Switch WLANs A wireless LAN (WLAN) is a local area network (LAN) without wires. WLANs transfer data through the air using radio frequencies instead of cables. The WLAN screen displays a high-level overview of the WLANs created for the switch managed network. Use this data as necessary to assess which WLANs are active, their VLAN assignments, updates to a WLAN’s description and their current authentication and encryption scheme.
4-24 Network Setup The Configuration tab displays the following details: Index Displays the WLAN’s numerical identifier. The WLAN index range is from 1 to 256. An index can be helpful to differentiate a WLAN from other WLANs with similar configurations. Enabled Refer to the Enabled parameter to discern whether the specified WLAN is enabled or disabled. When enabled, a green check mark displays. When disabled, a red "X" displays.
3. Click the Edit button to display a screen where WLAN information, encryption and authentication settings can be viewed or changed. For more information, see Editing the WLAN Configuration on page 4-27. 4. Click the Enable button to enable the selected WLAN. When enabled, a green check mark displays. When disabled, a red "X" displays. Enabled WLANs are displayed in a number of different switch Web UI configurations for additional configuration activities.
Manual Mapping of WLANs Use this option (it is selected by default) for custom WLAN to Radio mappings. When Advanced Configuration is disabled, the user cannot conduct Radio – WLAN mapping. Additionally, the user cannot enable WLANs with an index from 17 to 32. Once the Advanced Configuration option is enabled, the following conditions must be satisfied (to successfully disable it): No WLANs with index 17 to 32 should be enabled.
Network Setup 4-27 4.5.1.1 Editing the WLAN Configuration Security measures for the switch and its WLANs are critical. Use the available switch security options to protect each WLAN from wireless vulnerabilities, and secure the transmission of RF packets between WLANs and the MU traffic they support. The user has the capability of configuring separate security policies for each WLAN. Each security policy can be configured based on the authentication (Kerberos, 802.
4-28 Network Setup The Wireless LANs Edit screen is divided into the following user-configurable fields: • Configuration • Authentication • Encryption • Advanced 5. Refer to the Configuration field to define the following WLAN values ESSID Displays the Extended Service Set ID (ESSID) associated with each WLAN. If changing the ESSID, ensure the value used is unique. Description If editing an existing WLAN, ensure its description is updated accordingly to best describe the intended function of the WLAN.
6. Refer to the Authentication field to select amongst the following options: 802.1X EAP A Radius server is used to authenticate users. For detailed information on configuring EAP for the WLAN, see Configuring 802.1x EAP on page 4-33. Kerberos A Kerberos server is used to authenticate users. For detailed information on configuring Kerberos for the WLAN, see Configuring Kerberos on page 4-34. Hotspot A Hotspot is used to authenticate users in a unique network segment (hotspot).
WPA2-CCMP WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function for WPA2-CCMP that TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Chaining (CBC) technique. Changing just one bit in a message produces a totally different result.
Access Category Displays the Access Category for the intended traffic. The Access Categories are the different WLAN-WMM options available to the radio. The Access Category types are: • Automatic/WMM – Optimized for WMM • Voice – Optimized for voice traffic • Video – Optimized for video traffic • Normal – Optimized for best effort traffic • Low – Optimized for background traffic.
4-32 Network Setup pool representative of the WLAN. The switch tracks the number of MUs per VLAN, and assigns the least used/ loaded VLAN to the MU. This number is tracked on a per-WLAN basis. To assign multiple VLANs to a WLAN: 1. Select Network > Wireless LANs from the main menu tree. 2. Select an existing WLAN from those displayed within the Configuration tab and click the Edit button. A WLAN screen displays with the WLAN’s existing configuration. 3. Revise the VLAN ID (if necessary).
10. Click OK to use the changes to the running configuration and close the dialog. 11. Click Cancel to close the dialog without committing updates to the running configuration. NOTE In a cluster environment with multiple switches, ensure the VLAN list is consistent across all switches. 4.5.1.3 Configuring Authentication Types Refer to the following to configure the WLAN authentication options available on the switch: • • • • Configuring 802.
The 802.1x EAP screen displays. 5. Configure the Advanced field as required to define MU timeout and retry information for the authentication server. MU Timeout Define an interval (between 1 and 300 seconds) for the switch’s retransmission of EAP-Request packets. The default is 5 seconds. MU Max Retries Specify the maximum number of times the switch retransmits an EAP-Request frame to the client before it times out the authentication session.
5. Click the Config button to the right of the Kerberos checkbox. The Kerberos screen displays. 6. Specify a case-sensitive Realm Name. The realm name is the domain/realm name of the KDC server. A realm name functions similarly to a DNS domain name. In theory, the realm name is arbitrary. However, in practice a Kerberos realm is named by uppercasing the DNS domain name associated with hosts in the realm. 7.
2. External Web pages 3. Customized internal Web page (using the Advanced feature in hotspot configuration) When a user visits a public hotspot and wants to browse a Web page, they can boot up their laptop and associate with the local Wi-Fi network by entering the correct SSID. They then start a browser. The hotspot access controller forces this unauthenticated user to a Welcome page from the hotspot Operator that allows the user to login with a username and password.
Network Setup 4-37 3. Select the Hotspot button from within the Authentication field. The Radius Config... button on the bottom of the screen becomes enabled. Ensure a primary and optional secondary Radius Server have been configured to authenticate users requesting access to the hotspot supported WLAN. For more information, see Configuring External Radius Server Support on page 4-43. 4. Click the Config button to the right of the Hotspot checkbox.
3. Select the Hotspot button from within the Authentication field. Ensure Internal is selected from within the This WLAN’s Web Pages are of the drop-down menu. 4. Click the Login tab and enter the title, header, footer, Small Logo URL, Main Logo URL and Descriptive Text you would like to display when users login to the switch maintained hotspot. Title Text Displays the HTML text displayed on the Welcome page when using the switch’s internal Web server.
Network Setup Descriptive Text 4-39 Specify any additional text containing instructions or information for the users who access the Failed page. This option is only available if Internal is chosen from the drop-down menu. The default text is: “Either the username and password are invalid, or service is unavailable at this time.” 5. Refer to the Allow List field, and enter any IP address (for internal or external Web sites) accessed by the Hotspot user without authentication.
4-40 Network Setup 3. Select the Hotspot button from within the Authentication field. Ensure External is selected from within the This WLAN’s Web Pages are of the drop-down menu. 4. Refer to the External Web Pages field and provide the Login, Welcome and Failed Page URLs used by the external Web server to support the hotspot. Login Page URL Define the complete URL for the location of the Login page. The Login screen will prompt the hotspot user for a username and password to access the Welcome page.
Network Setup NOTE 4-41 When using an external hotspot page for redirection, certain HTML codes must be included on the pages to properly redirect to the switch. For the Login and Welcome pages, the following code must be modified: form action="https ://:444/cgi-bin/hslogin.cgi" method="POST " For the Welcome page the following code must also be modified: href="http:///login.
4-42 Network Setup Ensure Advanced is selected from within the This WLAN’s Web Pages are of the drop-down menu. NOTE Advanced hotspot configuration is not permissible using the switch Web UI. Refer to the switch CLI or other advanced configuration options to define a hotspot with advanced properties. However, the switch can still install and maintain directories containing Web page content. 5.
f. Specify the appropriate Path to the hotspot configuration on the local system disk or server. g. Once the location and settings for the advanced hotspot configuration have been defined, click the Install button to use that hotspot configuration with the switch. 6. Refer to the Allow List field, and enter any IP address (for internal or external Web sites) that can be accessed by the Hotspot user without authentication.
CAUTION If using an external Radius Server as the primary authentication source and no secondary source is specified (either external or local), all users attempting to access the switch managed network will be granted access if the primary server becomes unreachable. To configure an external Radius Server for EAP 802.1x, Hotspot or Dynamic MAC ACL WLAN support:
Network Setup 4-45 The Radius Configuration screen contains tabs for defining both the Radius and NAC server settings. For a NAC overview, see Configuring NAC Server Support on page 4-47. 6. Refer to the Server field and define the following credentials for a primary and secondary Radius server. RADIUS Server Address Enter the IP address of the primary and secondary server acting as the Radius user authentication data source.
Server Retries Enter a value between 1 and 100 to indicate the number of times the switch attempts to reach the primary or secondary Radius server before giving up. CAUTION The Radius or NAC server’s Timeout and Retries should be less than what is defined for an MU’s timeout and retries. If the MU’s time is less than the server’s, a fall back to the secondary server will not work. 7.
Network Setup 4-47 11. Click Cancel to revert back to the last saved configuration and move back to the Network > Wireless LANs > Edit screen. Configuring an External Radius Server for Optimal Switch Support The switch’s external Radius Server should be configured with Motorola RFS7000 specific attributes to best utilize the user privilege values assignable by the Radius Server.
4-48 Network Setup 6. Select the NAC tab to configure NAC support. 7. Refer to the Server field and define the following credentials for a primary and secondary NAC server. NAC Server Address Enter the IP address of the primary and secondary NAC server. NAC Server Port Enter the TCP/IP port number for the primary and secondary server. The default port is 1812. NAC Shared Secret Provide a shared secret (password) for user credential authentication with the primary or secondary NAC server.
CAUTION The server’s Timeout and Retries should be less than what is defined for an MU’s timeout and retries. If the MU’s time is less than the server’s, a fall back to the secondary server will not work. 8. Refer to the Accounting field and define the following credentials for a primary and secondary NAC Server. Accounting Server Address Enter the IP address of the primary and secondary server acting as the NAC accounting server.
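The two cautions in this section (the fail-open behaviour when no secondary server is configured, and the timeout/retry relationship between the server and the MU) are the kind of thing worth checking before a WLAN goes live. The following is an added Python audit function, not part of the guide or the switch software; it takes the values from the Radius Configuration and 802.1x EAP screens as plain arguments. The guide's "Timeout and Retries should be less than" rule is interpreted here as a comparison of total time budgets (timeout x retries), and the default MU retry count of 3 is an assumption; the value ranges are the ones the guide states.

```python
# Ranges as stated in the guide.
MU_TIMEOUT_RANGE = (1, 300)      # MU Timeout, seconds (default 5)
SERVER_RETRIES_RANGE = (1, 100)  # Server Retries


def audit_auth_servers(primary, secondary, server_timeout_s, server_retries,
                       mu_timeout_s=5, mu_max_retries=3):
    """Return a list of findings for a WLAN's Radius/NAC server settings (empty when safe).

    primary / secondary are the configured server addresses, or None when a
    slot is empty. mu_max_retries=3 is an assumed default for this example.
    The timing rule is applied to total budgets: timeout x retries for the
    server must stay below timeout x retries for the MU, otherwise the MU
    gives up before the switch ever falls back to the secondary server.
    """
    findings = []

    if primary is None:
        findings.append("no primary authentication server configured")
    elif secondary is None:
        # The guide's caution: with only a primary, an unreachable server means
        # every user is granted access.
        findings.append("no secondary server (external or local): if the primary "
                        "becomes unreachable, all users will be granted access")

    lo, hi = SERVER_RETRIES_RANGE
    if not lo <= server_retries <= hi:
        findings.append(f"server retries {server_retries} outside {lo}-{hi}")
    lo, hi = MU_TIMEOUT_RANGE
    if not lo <= mu_timeout_s <= hi:
        findings.append(f"MU timeout {mu_timeout_s}s outside {lo}-{hi}s")

    server_budget = server_timeout_s * server_retries
    mu_budget = mu_timeout_s * mu_max_retries
    if server_budget >= mu_budget:
        findings.append(f"server timeout x retries ({server_budget}s) is not below the MU's "
                        f"({mu_budget}s); fallback to the secondary server will not work")
    return findings


if __name__ == "__main__":
    # Constructed sample: a WLAN with a single Radius server and an over-long server budget.
    for finding in audit_auth_servers("192.0.2.10", None, 5, 3, mu_timeout_s=5, mu_max_retries=3):
        print("-", finding)
```

The point of the first finding is that a local Radius entry as the secondary source is enough to close the gap; the second finding tells you to shorten the server timeout or retries (or lengthen the MU's) until the fallback can actually happen inside the MU's patience.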
4.5.1.4 Configuring Different Encryption Types To configure the WLAN data encryption options available on the switch, refer to the following: • Configuring WEP 64 • Configuring WEP 128 / KeyGuard • Configuring WPA/WPA2 using TKIP and CCMP Configuring WEP 64 Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.
6. Use the Key #1-4 areas to specify keys. The key can be either a hexadecimal or ASCII string. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters. Select one of these keys for activation by clicking its radio button. Default (hexadecimal) keys for WEP 64 include: • Key 1: 1011121314 • Key 2: 2021222324 • Key 3: 3031323334 • Key 4: 4041424344 7.
5. Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. The switch and MUs use the algorithm to convert an ASCII string to the same hexadecimal number. MUs without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers. 6. Use the Key #1-4 areas to specify key numbers. The key can be either a hexadecimal or ASCII string. The keys are 26 hexadecimal characters in length or 13 ASCII characters.
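The key-length rules for WEP 64 and WEP 128, and the factory default keys listed for WEP 64, lend themselves to a small pre-commit check. The following Python is an added example (not from the guide or the switch software): it classifies each Key #1-4 entry as hexadecimal or ASCII, verifies the length for the chosen mode, derives the hexadecimal form of an ASCII key (the raw byte encoding, which is what a non-Motorola MU would have to be configured with), and flags any slot still holding one of the default keys from the guide. The pass key generation algorithm is not described in the guide and is not reproduced here.

```python
import re

# Key lengths as stated in the guide: WEP 64 uses a 40-bit key, WEP 128 a 104-bit key.
WEP_KEY_LENGTHS = {
    "wep64":  {"hex": 10, "ascii": 5},
    "wep128": {"hex": 26, "ascii": 13},
}

# The default WEP 64 keys listed in the guide; any WLAN still using one should be flagged.
DEFAULT_WEP64_KEYS = {"1011121314", "2021222324", "3031323334", "4041424344"}


def ascii_key_to_hex(key: str) -> str:
    """An ASCII key is used as its raw bytes, so its hexadecimal form is simply the byte encoding."""
    return key.encode("ascii").hex().upper()


def validate_wep_key(key: str, mode: str) -> dict:
    """Classify a Key #1-4 entry as hexadecimal or ASCII and check its length for the given mode."""
    if mode not in WEP_KEY_LENGTHS:
        raise ValueError(f"unknown mode {mode!r}")
    lengths = WEP_KEY_LENGTHS[mode]
    # Length decides the interpretation: a 10-character hex string is a WEP 64 key,
    # a 5-character printable string is a WEP 64 ASCII key.
    if len(key) == lengths["hex"] and re.fullmatch(r"[0-9A-Fa-f]+", key):
        fmt, hexkey = "hex", key.upper()
    elif len(key) == lengths["ascii"] and key.isascii() and key.isprintable():
        fmt, hexkey = "ascii", ascii_key_to_hex(key)
    else:
        return {"valid": False, "format": None, "hex": None, "is_default": False,
                "reason": (f"{mode} keys must be {lengths['hex']} hexadecimal "
                           f"or {lengths['ascii']} ASCII characters")}
    return {"valid": True, "format": fmt, "hex": hexkey,
            "is_default": hexkey in DEFAULT_WEP64_KEYS, "reason": None}


def audit_wep_keys(keys, mode, active_index):
    """Check all four key slots; report invalid entries and factory defaults, marking the active slot."""
    findings = []
    for idx, key in enumerate(keys, start=1):
        info = validate_wep_key(key, mode)
        if not info["valid"]:
            findings.append(f"key {idx}: {info['reason']}")
        elif info["is_default"]:
            active = " (active)" if idx == active_index else ""
            findings.append(f"key {idx}: factory default key{active}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the guide's four default keys, key 1 active.
    for finding in audit_wep_keys(["1011121314", "2021222324", "3031323334", "4041424344"], "wep64", 1):
        print("-", finding)
```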
Network Setup 4-53 WPA's encryption method is Temporal Key Integrity Protocol (TKIP). TKIP addresses WEP’s weaknesses with a re-keying mechanism, a per-packet mixing function, a message integrity check, and an extended initialization vector. WPA also provides strong user authentication based on 802.1x EAP. WPA2 is a newer 802.11i standard that provides even stronger wireless security than WPA and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES).
4-54 Network Setup Only broadcast key changes when required to reduce the transmissions of sensitive key information. This value is enabled by default. 6. Refer to the Update broadcast keys every field to specify a time period (in seconds) for broadcasting encryption-key changes to MUs. Set key broadcasts to a shorter interval (at least 60 seconds) for tighter security on wireless connections. Set key broadcasts to a longer interval (at most, 86400 seconds) to extend key times for wireless connections.
Network Setup 4-55 10. Click OK to use the changes to the running configuration and close the dialog. 11. Click Cancel to close the dialog without committing updates to the running configuration. 4.5.2 Viewing WLAN Statistics The Statistics screen displays read-only statistics for each WLAN. Use this information to assess if configuration changes are required to improve network performance. If a more detailed set of WLAN statistics is required, select a WLAN from the table and click the Details button.
4-56 Network Setup VLAN The VLAN parameter displays the name of the VLAN the WLAN is associated with. MUs Lists the number of MUs associated with the WLAN. Throughput Mbps Throughput Mbps is the average throughput in Mbps on the selected WLAN. The Rx value is the average throughput in Mbps for packets received on the selected WLAN. The Tx value is the average throughput for packets sent on the selected WLAN. Avg Mbps Displays the average bit speed in Mbps for the selected WLAN.
Network Setup 4-57 3. Select a WLAN from the table displayed in the Statistics screen and click the Details button. The Details screen displays the WLAN statistics of the selected WLAN. The Details screen contains the following fields: • Information • Traffic • RF Status • Errors Information in black represents the statistics from the last 30 seconds and information in blue represents statistics from the last hour. 4.
4-58 Network Setup 5. Refer to the Traffic field for the following information (both received and transmitted): Pkts per second Displays the average total packets per second that cross the selected WLAN. The Rx column displays the average total packets per second received on the selected WLAN. The Tx column displays the average total packets per second sent on the selected WLAN.
8. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. 9. Click OK to use the changes to the running configuration and close the dialog. 10. Click Cancel to close the dialog without committing updates to the running configuration. 4.5.2.
4-60 Network Setup • • • • • • Undecr Pkts RXPkts per sec RX Tput (Mbps) Avg Retries Avg SNR (dB) # Radios NOTE You cannot select (and trend) more than four parameters at any given time. 3. Select any of the above listed parameters by clicking on the checkbox associated with it. 4. Click the Close button to exit the screen. 4.5.2.3 Viewing WLAN Switch Statistics The Switch Statistics screen is recommended for displaying individual WLAN packet data rate and retry information.
Network Setup 4-61 3. Select a WLAN from the table displayed in the Statistics screen and click the Switch Statistics button. 4. Refer to the Packet Rates field to review the number of packets both transmitted (Tx) and received (Rx) at data rates from 1.0 to 54.0 Mbps. If a large number of packets are sent and received at a slower data rate, then perhaps the switch is not adequately positioned or configured to support the MUs within that WLAN.
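The rule of thumb above (many packets at slow rates suggests a poorly placed or configured AP) can be turned into a repeatable check. The script below is an added example, not code from the guide or the switch: it applies that rule to a constructed per-rate packet table shaped like the Packet Rates field; the rate set, the sample counts, the 11 Mbps "slow" cutoff and the 25% threshold are all assumptions chosen for illustration.

```python
"""Flag WLANs whose traffic is dominated by low 802.11 data rates.

Added example (not part of the RFS7000 guide). Input mirrors the Switch
Statistics screen: for each WLAN, packet counts transmitted (Tx) and
received (Rx) at each data rate from 1.0 to 54.0 Mbps.
"""
from typing import Dict, List, Tuple

# Constructed sample: WLAN index -> {data rate in Mbps: (tx_pkts, rx_pkts)}.
# WLAN 1 carries most traffic at 24/54 Mbps; WLAN 2 mostly at 1-11 Mbps.
SAMPLE_STATS: Dict[int, Dict[float, Tuple[int, int]]] = {
    1: {1.0: (40, 35), 2.0: (20, 25), 5.5: (60, 70), 11.0: (900, 1100),
        24.0: (3000, 2800), 54.0: (12000, 11500)},
    2: {1.0: (4000, 3800), 2.0: (2500, 2600), 5.5: (1800, 1700),
        11.0: (900, 950), 24.0: (300, 280), 54.0: (150, 120)},
}


def slow_rate_share(rate_table: Dict[float, Tuple[int, int]],
                    slow_threshold_mbps: float = 11.0) -> float:
    """Fraction of all packets (Tx + Rx) sent at or below the slow threshold.

    The threshold is an assumption: 11 Mbps is the top 802.11b rate, so
    anything at or below it is treated as a "slow" legacy rate here.
    """
    total = 0
    slow = 0
    for rate, (tx, rx) in rate_table.items():
        pkts = tx + rx
        total += pkts
        if rate <= slow_threshold_mbps:
            slow += pkts
    return slow / total if total else 0.0


def wlans_to_investigate(stats: Dict[int, Dict[float, Tuple[int, int]]],
                         slow_threshold_mbps: float = 11.0,
                         max_share: float = 0.25) -> List[Tuple[int, float]]:
    """Return (wlan_index, slow_share) for WLANs over the assumed max share."""
    flagged = []
    for wlan, table in sorted(stats.items()):
        share = slow_rate_share(table, slow_threshold_mbps)
        if share > max_share:
            flagged.append((wlan, round(share, 3)))
    return flagged


if __name__ == "__main__":
    for wlan, share in wlans_to_investigate(SAMPLE_STATS):
        print(f"WLAN {wlan}: {share:.1%} of packets at <= 11 Mbps; "
              "check AP placement, rate settings and interference")
```

With the constructed data, only WLAN 2 is reported; WLAN 1 sits around 7% slow-rate traffic and passes. The same function can be fed a table exported from the screen once it is in the same shape.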
1. Select Network > Wireless LANs from the main menu tree. 2. Click the WMM tab. The WMM tab displays the following information: Idx Displays a WLAN’s numeric identifier. The WLAN index range is from 1 to 256. SSID Displays the Service Set ID (SSID) associated with each WLAN. Description Displays a brief description of the WLAN. WLAN enabled Displays the status of the WLAN. A Green check defines the WLAN as enabled and a Red "X" means it is disabled.
Transmit Ops Displays the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number. CW Min The CW Min is combined with the CW Max to make the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. CW Max The CW Max is combined with the CW Min to make the Contention Window.
DSCP to Access Category Set the access category accordingly in respect to its DSCP importance for this WLAN’s target network traffic. Differentiated Services Code Point (DSCP) is a field in an IP packet that enables different levels of service to be assigned to network traffic. This is achieved by marking each packet on the network with a DSCP code and appropriating to it the corresponding level of service or priority.
4.5.3.1 Editing WMM Setting Use the WMM Edit screen to modify existing Access Category settings for the WLAN selected within the WMM screen. This could be necessary in instances when data traffic has changed and high-priority traffic (video and voice) must be accounted for by modifying AIFSN, Transmit Ops and CW values. To edit existing WMM Settings: 1. Select Network > WLAN Setup from the main menu tree. 2. Click the WMM tab. 3.
AIFSN Define the current Arbitrary Inter-frame Space Number (AIFSN). Higher-priority traffic categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before trying to access the medium. Transmit Ops Define the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number.
• Conduct a NAC check for MUs connecting to the WLAN as well as perform an additional exclude function, by attaching an exclude list to the WLAN.
• Not perform NAC validation for all MUs connecting to the WLAN.
• Include a few MUs for NAC validation and bypass the rest of the MUs.
To view the attributes of a NAC Inclusion list: 1. Select Network > Wireless LANs from the main menu tree. 2. Select the NAC Include List Configuration tab to view and configure NAC enabled devices.
4.5.4.1 Adding an Include List to a WLAN To add a device to a WLAN’s include list configuration: 1. Select Network > Wireless LANs from the main menu tree. 2. Select the NAC Include tab to view and configure NAC Include enabled devices. 3. Click on the Add button in the Include Lists area. 4. Enter the name of the device to include for NAC authentication. 5. Refer to the Status field. It displays the current state of the requests made from the applet.
7. Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch. 8. Click OK to save and add the new configuration and close the dialog window. 9. Click Cancel to close the dialog without committing updates to the running configuration. 4.5.4.
4.5.5 Configuring the NAC Exclusion List The switch provides a means to bypass NAC for 802.1x devices without a NAC agent. For Motorola handheld devices (like the MC9000), authentication is achieved using an exclusion list. A list of MAC addresses (called an exclusion list) can be added to each WLAN. Each has a separate configuration for the Radius server (which only conducts EAP authentication). An exclusion list is a global index-based configuration.
and 64 MAC entries maximum per list. For more information, see Configuring Devices on the Exclude List on page 4-71. 5. The Configured WLANs field displays the available switch WLANs. Associate a list item in the Exclude Lists field with multiple WLANs. For information on mapping NAC Exclude list’s items to WLANs, see Mapping Include List Items to WLANs on page 4-69. 6. To delete a device, select it from the Exclude List and click the Delete button. 7.
3. Click on the Add button within the List Configuration field. 4. The List Name displays the read-only name of the list for which you wish to add more devices. 5. Enter the Host Name for the device you wish to add for the selected exclude list. 6. Enter a valid MAC Address for the device that you wish to add. 7. Optionally, enter the MAC Mask for the device you wish to add. 8. Refer to the Status field. It displays the current state of the requests made from the applet.
3. Select an item from the Exclude List’s List Name field and click the Edit button (within the Configured WLANs field). 4. Map the selected list item with as many WLANs as needed (by selecting the WLAN’s checkbox). Use the Select All button to associate each WLAN with the selected list item. 5. To remove the WLAN Mappings, select the Deselect All button to clear the mappings. 6. Refer to the Status field for a display of the current state of the requests made from the applet.
2. Add a host entry to the include list. This adds a specified MAC entry/MAC range into the client’s include list.
RFS7000(config-wireless-client-list)#station pc1 AA:BB:CC:DD:EE:FF
RFS7000(config-wireless-client-list)#
3. Associate the include list to a WLAN. This adds the client’s include list into the WLAN.
RFS7000(config-wireless-client-list)#wlan 1
RFS7000(config-wireless-client-list)#
4.5.6.2 Creating an Exclude List To create a NAC Exclude List: 1. Define the NAC exclude list.
RFS7000(config-wireless)#wlan 1 nac-server secondary radius-key my-secret-2
RFS7000(config-wireless)#
3. MUs not NAC authenticated use Radius for authentication. To configure the WLAN’s Radius settings: a. Configure the Radius server’s IP address.
RFS7000(config-wireless)#wlan 1 radius-server primary 192.168.1.30
RFS7000(config-wireless)#
b. Configure the server’s Radius Key.
RFS7000(config-wireless)#wlan 1 radius-server primary radius-key my-radsecret
RFS7000(config-wireless)#
c.
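The include and exclude lists configured above decide whether a connecting MU is NAC-validated or falls back to plain RADIUS/EAP. The following is an added example, not the switch's own code, that models those lists with the Host Name, MAC Address and optional MAC Mask fields of the exclude list dialog and the 64-entry limit stated in the guide, and returns the path an MU would take. The precedence (exclude list checked first, then include list), the mask semantics (only bits set in the mask are compared) and the sample entries other than pc1 are assumptions for illustration.

```python
"""Decide whether an MU is NAC-validated or bypasses NAC.

Added example; not code from the RFS7000 guide or the switch. Models:
  - an include list of station entries (NAC validation applies to them),
  - an exclude list of MAC address + optional MAC mask entries (bypass NAC,
    authenticate with EAP via RADIUS only),
  - the 64 MAC entries per list limit stated in the guide.
Precedence and mask semantics below are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ENTRIES_PER_LIST = 64          # limit stated in the guide
FULL_MASK = 0xFFFFFFFFFFFF         # 48 bits set: compare the whole address


def parse_mac(text: str) -> int:
    """Parse AA:BB:CC:DD:EE:FF (any case) into a 48-bit integer."""
    parts = text.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"bad MAC address: {text!r}")
    return int("".join(parts), 16)   # raises ValueError on non-hex digits


@dataclass
class MacEntry:
    host_name: str
    mac: int            # already ANDed with the mask
    mask: int = FULL_MASK

    @classmethod
    def create(cls, host_name: str, mac: str, mask: Optional[str] = None):
        m = parse_mac(mac)
        k = parse_mac(mask) if mask else FULL_MASK
        return cls(host_name, m & k, k)

    def matches(self, mac: int) -> bool:
        # Assumed mask semantics: a set bit means "this bit must match".
        return (mac & self.mask) == self.mac


@dataclass
class ClientList:
    name: str
    entries: List[MacEntry] = field(default_factory=list)

    def station(self, host_name: str, mac: str, mask: Optional[str] = None):
        """Add an entry, mirroring the CLI 'station <name> <mac>' command."""
        if len(self.entries) >= MAX_ENTRIES_PER_LIST:
            raise ValueError(
                f"list {self.name!r} already holds {MAX_ENTRIES_PER_LIST} entries")
        self.entries.append(MacEntry.create(host_name, mac, mask))
        return self

    def matches(self, mac: int) -> Optional[str]:
        """Host name of the first matching entry, or None."""
        for entry in self.entries:
            if entry.matches(mac):
                return entry.host_name
        return None


def nac_path(mac_text: str, include: Optional[ClientList],
             exclude: Optional[ClientList]) -> str:
    """Return 'nac' or 'bypass-nac' for a connecting MU (assumed precedence)."""
    mac = parse_mac(mac_text)
    if exclude is not None and exclude.matches(mac) is not None:
        return "bypass-nac"       # excluded device: EAP via RADIUS only
    if include is None:
        return "nac"              # no include list: every MU is NAC-validated
    if include.matches(mac) is not None:
        return "nac"              # listed in the include list
    return "bypass-nac"           # include list present, MU not on it


# Constructed sample lists. pc1 is the station from the guide's CLI example;
# the locally administered 02:00:00 range below is an invented placeholder.
INCLUDE_LIST = ClientList("nac-pcs").station("pc1", "AA:BB:CC:DD:EE:FF")
EXCLUDE_LIST = ClientList("handhelds").station(
    "handheld-range", "02:00:00:00:00:00", "FF:FF:FF:00:00:00")

if __name__ == "__main__":
    for mu in ("AA:BB:CC:DD:EE:FF", "02:00:00:12:34:56", "11:22:33:44:55:66"):
        print(mu, "->", nac_path(mu, INCLUDE_LIST, EXCLUDE_LIST))
```

The exclude list is the sensitive part from an access-control standpoint: any MU whose MAC falls inside a masked range skips NAC entirely, so masks should be as narrow as the device population allows and the resulting mapping reviewed per WLAN.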
4.6 Viewing Associated MUs The Mobile Units screen displays read-only device information for MUs interoperating with the switch managed network. The Mobile Units screen consists of tabs supporting the following configuration activities:
• Viewing MU Status
• Viewing MU Statistics
NOTE The Motorola RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational.
IP Address Displays the unique IP address for the MU. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval. Only MAC addresses are displayed within the MU IDS filtered list. Ready Displays whether the MU is ready for switch interoperation. Values are Yes and No. Power Save Displays the current (read-only) Power-Save-Poll (PSP) state of the MU. The Power Save field has two potential settings.
3. Select a MU from the table in the Status screen and click the Details button. 4. Refer to the following read-only MU transmit and receive statistics: MAC Address Displays the hardware or Media Access Control (MAC) address for the MU. IP Address Displays the unique IP address for the MU. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval. Power Save Displays the current PSP state of the MU.
Base Radio MAC Displays the SSID of the access port when initially adopted by the switch. BSS Address Displays the MU’s BSSID. Voice Displays whether or not the MU is a voice capable device. Traffic from a voice enabled MU is handled differently than traffic from MUs without this capability. MUs grouped to particular WLANs can be prioritized to transmit and receive voice traffic over data traffic. WMM Displays WMM usage status for the MU, including the Access Category currently in use.
3. Select the Last 30s checkbox to display MU statistics gathered over the last 30 seconds. This option is helpful for assessing MU performance trends in real time. 4. Select the Last HR checkbox to display MU statistics gathered over the last hour. This option is helpful for assessing performance trends over a measurable period. 5.
3. Select a MU from the table displayed in the Statistics screen and click the Details button. The Details screen displays statistics for the selected MU, including:
• Station Details
• Traffic
• RF Status
• Errors
Information in black represents the statistics from the last 30 seconds and information in blue represents statistics from the last hour. Use both sets of data to trend stats in real time versus a measurable period (1 hour). 4.
WMM Displays WMM usage status for the MU, including the access category currently in use. Use this information to assess whether the MU is using the correct WMM settings in relation to its intended data traffic type. 5. Refer to the Traffic field for the following information: Pkts per second Displays the average packets per second received by the MU. The Rx column displays the average packets per second received on the selected MU.
3. Select a MU from the table displayed in the Statistics screen and click the Graph button. 4. Select a checkbox to display that metric charted within the graph. Do not select more than four checkboxes at any one time. 5. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. 6.
4.7 Viewing Access Port Radio Information The Access Port Radios screen displays a high-level overview of the APs created for use within the switch managed network. Use this data as necessary to verify the APs that are active, their VLAN assignments, updates to an AP's description as well as their current authentication and encryption schemes. NOTE Each switch can support a maximum of 256 access ports. However, port adoption per switch is determined by the number of licenses acquired.
2. Click the Configuration tab. 3. Refer to the table for the following information: Index Displays the numerical index (device identifier) used with the device radio. Use this index (along with the radio name) to differentiate the radio from other device radios. Description Displays a user assigned name for the radio. AP Type Displays the type of access port detected. The switch supports Motorola AP-300 model access ports. Type Use the Type to identify whether the radio is 802.
4. Select a radio index and refer to the Properties field for the following: Desired Channel When the radio’s channel is configured statically, the Actual Channel and Desired Channel are the same. If using ACS (Automatic Channel Selection), the switch selects a channel for the radio. The Desired Channel displays “ACS” and the Actual Channel displays the channel selected for the radio. When set to Random, the applet determines the channel’s designation.
1. Select Network > Access Port Radios from the main menu tree. 2. Click the Configuration tab. 3. Click the Global Settings button to display a screen containing global settings which apply to all radios on the switch. 4. Set an Adoption Preference ID value between 1 and 65535. To define a radio as preferred, the access port preference ID should be the same as the adoption preference ID. The adoption preference ID is used for AP load-balancing.
5. Enter the 802.1x Username assigned to the access port. 6. Enter the 802.1x Password (for the corresponding username) providing authorization for access port adoption. 7. Check the Use Default Values option checkbox to set the Username and Password to factory default values. The access port can get disconnected if the 802.1x authenticator is not configured accordingly. NOTE 802.
3. Select a radio to edit from the table. 4. Click the Edit button to display a screen containing settings for the selected radio. 5. In the Radio Descr. field, enter a brief description to differentiate the radio. The description is used to describe radios of the same type and can be used to locate a radio if there are any problems. 6.
10. From within the Radio Settings field, define the Placement of the access port as either Indoors or Outdoors. An access port can be set for Indoors or Outdoors use depending on the model and the placement location. Power settings and channel selection options differ based on each country's regulatory rules and whether or not the unit is placed indoors or outdoors. 11. Select a channel for communications between the access port and its associated MUs within the Desired Channel field.
Adoption Preference ID Displays the preference ID of the switch. The value can be set between 1 and 65535. To define the radios as preferred, the access port preference ID should be the same as the adoption preference ID. The adoption preference ID is used for AP load-balancing. A switch will preferentially adopt APs which have the same adoption-preference-ID as the switch itself. Short Preambles only If using an 802.11bg radio, select this checkbox for the radio to transmit using a short preamble.
Self Healing Offset When an access port increases its power to compensate for a failure, power is increased to the country's regulatory maximum. Set the Self Healing Offset to reduce the country's regulatory maximum power if access ports are situated close to each other or if an access port uses an external antenna. DTIM Periods Select the DTIM periods button to specify a period for Delivery Traffic Indication Messages (DTIM) for BSS IDs 1-4.
Supported rates allow an 802.11 network to specify the data rate it supports. When a MU attempts to join the network, it checks the data rate used on the network. If a rate is selected as a basic rate, it is automatically selected as a supported rate. The basic default rates for an 802.11a radio differ from the 802.11b default rates, as an 802.11a radio can support a maximum data rate of 54 Mbps, while an 802.11b radio can support a maximum data rate of 11 Mbps. 4.
3. Click the Add button to display a screen containing settings for adding a new radio. 4. Enter the device MAC Address (the physical MAC address of the radio). Ensure this address is the actual hard-coded MAC address of the device. 5. Select the radio type checkboxes corresponding to the type of AP radio used. 6. Enter a numerical value in the Radio Index field for each selected radio. The Radio Index is a numerical value assigned to the radio as a unique identifier.
2. Click the Statistics tab. 3. To define the time frame for the radio statistics, select either Last 30s or Last Hr above the statistics table.
• Select the Last 30s radio button to display statistics for the last 30 seconds.
• Select the Last Hr radio button to display statistics from the last hour.
4. Refer to the table for the following information: Index Displays the numerical index (device identifier) used with the radio.
Retries Displays the average number of retries for all MUs associated with the selected radio. 5. Select a radio from those displayed and click the Details button for additional radio information. For more information, see Viewing APs Details on page 4-96. 6. Select a radio and click the Graph button to display radio performance data in statistical format. For more information, see Viewing an AP’s Graph on page 4-98. 4.7.2.
MAC Address Displays the Hardware or Media Access Control (MAC) address for the access port. Access ports with dual radios have a unique hardware address for each radio. Num Associated MUs Displays the number of MUs currently associated with the radio. AP Type Displays the access port model. Radio Type Displays whether the access port radio is an 802.11a or 802.11bg radio. Current Channel Displays the channel the access port is currently passing traffic on.
Avg Station SNR Displays the average Signal to Noise Ratio (SNR) for all MUs associated with the selected radio. The Signal to Noise Ratio is an indication of overall RF performance on your wireless network. 7. Refer to the Errors field for the following information: Avg Num of retries Displays the average number of retries for all MUs associated with the selected radio.
3. Select a radio index from the table displayed in the Statistics screen and click the Graph button. 4. Select a checkbox to display that metric charted within the graph. Do not select more than four checkboxes at any one time. 5. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. 6.
4. Select a radio from the table to view WLAN assignment information. The WLAN Assignment tab is divided into two fields: Select Radios and Assigned WLANs. 5. Refer to the Select Radios field for the following information: Index Displays the numerical index (device identifier) used with the radio. Use this index (along with the radio description) to differentiate the radio from other radios with similar configurations. Description Displays a description of the Radio.
2. Click the WLAN Assignment tab. 3. Select a radio from the table and click the Edit button. The Select Radio/BSS field displays the WLANs associated to each of the BSSIDs used by the radios within the radio table. Use the Select/Change Assigned WLANs field to edit the WLAN assignment. 4. Select any of the WLANs from the table to unassign/disable them from the list of available WLANs. 5. Refer to the Status field for the current state of the requests made from the applet.
WMM information displays per radio with the following information: Index Displays the identifier assigned to each WLAN index; each index is assigned a unique identifier such as 1/4, 1/3, etc. AP Displays the name of the access port associated with the index. The access port name comes from the description field in the Radio Configuration screen. Access Category Displays the Access Category currently in use. There are four categories: Video, Voice, Best Effort and Background.
4.7.4.1 Editing WMM Settings Use the Edit screen to modify a WMM profile's properties (AIFSN, Tx Op, CW Min and CW Max). Modifying these properties may be necessary as Access Categories are changed and transmit intervals need to be adjusted to compensate for larger data packets and contention windows. To edit existing WMM Settings: 1. Select Network > Access Port Radios from the main menu tree. 2. Click the WMM tab. 3.
The CW Maximum is combined with the CW Minimum to define the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. 8. Select the Admission Control checkbox to enable the restriction of MUs using the WMM policy. This may be useful when multimedia traffic would be negatively impacted by an abundance of MU traffic.
Description Displays the description defined for the radio when initially added to the switch managed network. This information can be useful in associating the radio’s intended support function with the bandwidth priority assigned. QoS Weight The QoS weight displayed represents each radio’s transmission priority within the WLAN the radio has been assigned to operate in. A single radio can have different weights within different WLANs based on its intended priority.
2. Select the Configuration tab. 3. Refer to the following information as displayed within the Configuration tab: Type Displays whether the radio is an 802.11a radio or an 802.11bg model radio. Placement Displays the default placement when a radio auto-adopts and takes on default settings. Options include Indoor and Outdoor. The default is Indoor. Channel Displays the default channel used when the radio auto-adopts and takes on the default settings.
4. To modify a radio’s adoption defaults, select a radio and click the Edit button. For more information, see Editing Default Radio Adoption Settings on page 4-107. ! CAUTION An access port is required to have a DHCP provided IP address before attempting layer 3 adoption, otherwise it will not work. Additionally, the access port must be able to find the IP addresses of the switches on the network.
4. Click the Edit button to display a screen to change the radio adoption default values for the selected radio type (either 802.11a or 802.11bg). The Properties field displays the model family for the selected access port. The model is read-only and cannot be modified. The Radio Type displays the radio type (802.11a or 802.11bg). This value is also read-only and cannot be modified. 5.
9. Within the Radio Settings field, configure the Placement of the radio as either Indoors or Outdoors (using the Placement drop-down menu). The setting will affect the channel and power levels. The default is Indoor. 10. Select a channel for communications between the access port and MUs using the Desired Channel drop-down menu. The selection of the channel determines available power levels.
Short Preambles only If using an 802.11bg radio, select this checkbox for the radio to transmit using a short preamble. Short preambles improve throughput. However, some devices (SpectraLink phones) require long preambles. This checkbox does not display if using an 802.11a radio. RTS Threshold Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted access ports.
DTIM Periods Select the DTIM Periods button to specify a period for Delivery Traffic Indication Messages (DTIM) for BSSIDs 1 through 4. This is a divisor of the beacon interval (in milliseconds), for example, 10 : 100. A DTIM is periodically included in the beacon frame transmitted from adopted access ports. The DTIM period determines how often the beacon contains a DTIM, for example, 1 DTIM for every 10 beacons. The highest interval permitted is 50 per BSS.
Supported Rates allow an 802.11 network to specify the data rate it supports. When a station attempts to join the network, it checks the data rate used on the network. If a rate is selected as a basic rate, it is automatically selected as a supported rate. 4. Click the Clear all rates button to uncheck all of the Basic and Supported rates. 5. Refer to the Status field for the current state of the requests made from the applet.
3. The system administrator programs these options into the DHCP server. 4. If the access port finds the list, it sends a unidirectional hello packet (encapsulated in a UDP/IP frame) to each switch on the list. 5. Each switch that receives a packet responds with a parent response. 4.8.3 Configuring WLAN Assignment Use the WLAN Assignment tab to assign WLANs and security schemes to existing WLAN indexes. To view existing WLAN Assignments: 1.
2. Click the WLAN Assignment tab. The WLAN Assignment tab displays two fields: Select Radios/BSS and Select/Change Assigned WLANs. 3. Within the Select Radios/BSS field, select the radio type (802.11a or 802.11bg) from the Select Radio drop-down menu. 4. Select the desired BSS from the BSS list or select a Radio (802.11a or 802.11bg) to modify. 5.
6. Click Apply to save the changes made within the screen. 7. Click Revert to cancel the changes made and revert back to the last saved configuration. 4.8.4 Configuring WMM Use the WMM tab to review each radio type, as well as the Access Category that defines the data (Video, Voice, Best Effort and Background) the radio has been configured to process. Additionally, the WMM tab displays the transmit intervals defined for the target access category. To view existing WMM Settings: 1.
CW Min The CW Min is combined with the CW Max to define the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. CW Max The CW Max is combined with the CW Min to define the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. 4.
The Transmit Ops value is the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set higher. 6. Enter a value between 0 and 15 for the Contention Window minimum value. The CW Minimum is combined with the CW Maximum to define the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. 7.
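AIFSN, CW Min/CW Max and the random backoff drawn from the contention window, described here and in the WLAN WMM section earlier (Editing WMM Setting), are what decide which access category gets the medium first. The simulation below is an added example, not code from the guide or the switch. It assumes the 0 to 15 CW values entered in the Edit screen are exponents, so the contention window is 2^n - 1 slots as in 802.11e, and it uses illustrative per-category values that are not the switch's defaults; Transmit Ops is not modelled.

```python
"""Simulate WMM (EDCA) medium access from AIFSN and CW Min/CW Max settings.

Added example; not code from the RFS7000 guide or the switch. Assumptions:
  - CW Min / CW Max are exponents: window = 2**n - 1 slots (802.11e ECW form).
  - Each round every category draws a fresh backoff; the smallest total
    (AIFSN + backoff) wins, ties going to the higher-priority category,
    which mirrors EDCA's internal collision resolution within one station.
"""
import random
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class AccessCategory:
    name: str
    aifsn: int     # slots to wait after the medium goes idle
    ecw_min: int   # CW Min exponent (0..15 in the Edit screen)
    ecw_max: int   # CW Max exponent (0..15 in the Edit screen)


# Illustrative values only (assumed, not the switch defaults), ordered from
# highest to lowest priority; the ordering is used to break ties.
CATEGORIES: Dict[str, AccessCategory] = {
    "Voice":       AccessCategory("Voice", 1, 2, 3),
    "Video":       AccessCategory("Video", 1, 3, 4),
    "Best Effort": AccessCategory("Best Effort", 3, 4, 6),
    "Background":  AccessCategory("Background", 7, 4, 10),
}


def contention_window(ecw_min: int, ecw_max: int, retries: int) -> int:
    """Window size in slots: 2**ecw_min - 1, doubling per retry up to 2**ecw_max - 1."""
    exponent = min(ecw_min + retries, ecw_max)
    return (1 << exponent) - 1


def backoff_slots(ac: AccessCategory, retries: int, rng: random.Random) -> int:
    """Slots before this category may transmit: AIFSN plus a random backoff."""
    window = contention_window(ac.ecw_min, ac.ecw_max, retries)
    return ac.aifsn + rng.randint(0, window)


def contend(categories: Dict[str, AccessCategory], rounds: int,
            seed: int = 0) -> Dict[str, int]:
    """Count how often each category wins the medium over the given rounds.

    Every round is independent (retries = 0); the dict order of `categories`
    is taken as priority order for tie-breaking.
    """
    rng = random.Random(seed)
    order = list(categories)
    wins = {name: 0 for name in order}
    for _ in range(rounds):
        slots = {name: backoff_slots(categories[name], 0, rng) for name in order}
        best = min(slots.values())
        winner = next(name for name in order if slots[name] == best)
        wins[winner] += 1
    return wins


if __name__ == "__main__":
    for name, count in contend(CATEGORIES, 1000, seed=7).items():
        print(f"{name:12s} won {count:4d} of 1000 rounds")
    print("Background CW after 3 retries:", contention_window(4, 10, 3), "slots")
```

With these values Background can never beat Voice (its AIFSN alone exceeds Voice's worst case), which is the effect the guide describes when it says lower AIFSN and CW values are used for higher-priority traffic. Raising a category's CW Min or AIFSN in the Edit screen moves it down this pecking order; the same function shows how the window grows after retries, up to the CW Max cap.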
2. Click the Adopted AP tab. 3. Refer to the Adopted AP screen for the following information: MAC Address Displays the radio's first MAC address when it is adopted by the switch. Model Displays the model number of the access port. Serial Displays the serial number of the access port, and is used for switch management purposes. It is read-only and cannot be modified. HW Version Displays the hardware version of the access port.
5. Click the Convert to Sensor button to convert the selected adopted AP to a sensor that can be used with the Wireless Intrusion Protection System (WIPS) application. WIPS uses sensors to collect data transmitted by 802.11a and 802.11b/g compliant devices and sends the data to a centralized server for analysis and correlation. Sensors are passive devices that function primarily in listen-only mode. A single sensor can monitor multiple APs.
MAC Address Displays the unique Hardware or Media Access Control (MAC) address for the access port. Access ports with dual radios will have a unique MAC address for each radio. The MAC address is hard coded at the factory and cannot be modified. Last Seen (In Seconds) Displays the time the access port was last seen (observed within the switch managed network). This value is expressed in seconds.
• Common Spanning Tree (CST) – MST runs a single spanning tree instance (called the Common Spanning Tree) that interconnects all the bridges in a network. This instance treats each region as a single bridge. In all other ways, it operates exactly like Rapid Spanning Tree (RSTP).
• Common and Internal Spanning Trees (CIST) – CIST contains all of the ISTs and bridges not formally configured into a region.
4.10.1 Configuring a Bridge Use the Bridge tab to configure the Bridge. This window displays bridge configuration details for the switch. To configure the MSTP bridge: 1. Select Network > Multiple Spanning Tree from the main menu tree. 2. Select the Bridge tab (should be the displayed tab by default). 3. Refer to the MSTP Parameter field to view or set the following: Global MSTP Status Use the drop-down menu to define MSTP status. The default is Enabled.
MST Revision Level Assign an MST revision level number to the MST region to which the device belongs. Each switch running MSTP is configured with a unique MST name and revision number. This helps when the switch has different VLANs that belong to different MSTP regions. The MST Revision Level specifies the MSTP revision level. Error Disable Timeout Select this option to enable an error disable-timeout facility.
CIST Bridge HelloTime Set the CIST Hello Time (in seconds). After the defined interval all bridges in a bridged LAN exchange BPDUs. The hello time is the time interval (in seconds) the device waits between BPDU transmissions. If this is the root bridge, the value is equal to the configured Hello Time. A very low value leads to excessive traffic on the network, whereas a higher value delays the detection of a topology change. This value is used by all instances.
4.10.2 Viewing and Configuring Bridge Instance Details The Bridge Instance tab displays the MST instances created and the VLANs associated with each. To view and configure the MSTP bridge instance: 1. Select Network > Multiple Spanning Tree from the main menu tree. 2. Select the Bridge Instance tab. The Bridge Instance tab displays the following: ID Displays the ID of the MST instance. Bridge Priority Displays the bridge priority for the associated instance.
2. Select the Bridge Instance tab. 3. Click the Add button. 4. Enter a value between 1 and 15 as the Instance ID. 5. Click OK to save and commit the changes. The Bridge Instance tab will now display the new instance ID. 6. Click Cancel to disregard the new Bridge Instance ID. 4.10.2.2 Associating VLANs to a Bridge Instance To associate VLANs to a bridge instance: 1. Select Network > Multiple Spanning Tree from the main menu tree. 2. Select the Bridge Instance tab. 3.
Network Setup 4-127 2. Select the Port tab The Port tab displays the following information (ensure you scroll to the right to view the numerous port variables described): Index Displays the port index. Admin MAC Enable Displays the status of the Admin MAC. Change the status using the Edit button. A green check mark indicates the Admin MAC Enable status is active/enabled. Oper MAC Enable This field displays the status of the Oper MAC Enable. You can change the status using the Edit button.
4-128 Network Setup OperPort PortFast Bpdu Filter Displays a portfast BPDU filter for the oper port. The Spanning Tree Protocol sends BPDUs from all ports. Enabling the BPDU Filter feature ensures PortFastenabled oper ports do not transmit or receive BPDUs. AdminPort PortFast Bpdu Guard Displays the AdminPort PortFast BPDU Guard feature. When set for a bridge, all portfast-enabled ports having the bpdu-guard set to default shut down the port on receiving the BPDU.
Network Setup Protocol Migration If enabled, protocol migration enables the switch (when running MST) to interoperate with legacy 802.1d switches. If the listed index receives a legacy 802.1D configuration BPDU, it only sends 802.1D BPDUs over its port. A green checkmark defines the listed index as supporting protocol migration, and a red “X” defines the listed index as having protocol migration disabled.
4-130 Network Setup 4.10.3.1 Editing a MST Port Configuration To edit and reconfigure MSTP Port parameters: 1. Select a row from the port table and click the Edit button. The following MST Port parameters can be reconfigured. Port Index Displays the read-only Port Index. Admin MAC Enable Displays the status of the Admin MAC Enable. A green check mark indicates the status as enabled and a red X indicates the status as disabled.
Network Setup Port Path Cost Define the path cost for the specified port index. The cost is 1,000 Mbps (1 gigabit per second) divided by the bandwidth of the segment connected to the port. Therefore, a 10 Mbps connection has a cost of 100 (1,000/10). Admin Point-to-Point status Define the point-to-point status as ForceTrue or ForceFalse. ForceTrue indicates this port should be treated as connected to a point-to-point link.
4-132 Network Setup 2. Select the PortInstance tab. The Port Instance table displays the following: ID Displays the port instance ID. Index Displays the port index. State Displays the availability status of the port. Role Displays the state of the port. It can be either Enabled or Disabled. Internal Root Cost Displays the Internal Root Cost of a path associated with an interface. The lower the path cost, the greater likelihood of the interface becoming the root.
Network Setup 4.10.4.1 Editing a Port Instance Configuration To edit and reconfigure Port Instance parameters: 1. Select a row from the port table and click the Edit button. Most of the MST Port Instance parameters can be reconfigured, as indicated below. Port Instance ID Read only indicator of the instance ID used as a basis for other modifications. Port Index Read only indicator of the port index used as a basis for other modifications.
Switch Services This chapter describes the Services main menu information available for the following switch configuration activities.
5-2 Switch Services 5.1 Displaying the Services Interface Refer to the Services main menu interface to review a summary describing the availability of several central features within the Services main menu item. NOTE When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field.
Switch Services Redundancy Service Displays whether Redundancy is currently enabled or disabled. One or more switches can be configured as members of a redundancy group to significantly reduce the chance of a disruption in service to WLANs and associated MUs in the event of failure of a switch or intermediate network failure. For more information, see Configuring Switch Redundancy on page 5-35. Layer 3 Mobility Displays whether Layer 3 Mobility is currently enabled or disabled.
5-4 Switch Services 5.2 DHCP Server Settings The DHCP Server Settings screen displays tabs supporting the following configuration activities: • Configuring the Switch DHCP Server • Configuring Existing Host Pools • Configuring Excluded IP Address Information • Configuring DHCP Server Relay Information • Viewing DDNS Bindings • Viewing DHCP Bindings • Reviewing DHCP Dynamic Bindings • Configuring DHCP User Class • Configuring DHCP Pool Class 5.2.
Switch Services 5-5 The DHCP Server screen displays with the Configuration tab displayed. 2. Select the Enable DHCP Server checkbox to enable the switch’s internal DHCP Server for use with global pools. 3. Select the Ignore BOOTP checkbox to bypass a BOOTP request. 4. Define an interval (from 1 to 10 seconds) for the ping timeout variable. The switch uses the timeout to intermittently ping and discover whether the client-requested IP address is already in use. 5.
5-6 Switch Services 8. Click the Add button to create a new DHCP pool. For more information, see Adding a New DHCP Pool on page 5-7. 9. Click the Options button to associate values to options, as defined using the Options Setup functionality. The values associated to options are local to the pool with which they are associated. For more information, see Configuring DHCP Global Options on page 5-9. 10.
Switch Services 5-7 • Infinite - If selected, the client can use the assigned address indefinitely. • Actual Interval - Select this checkbox to manually define the interval for clients to use the DHCP server assigned addresses. The default lease time is 1 day, with a minimum setting of 1 minute. 10. Within the Servers field, change the server type used with the pool and use the Insert and Remove buttons to add and remove the IP addresses of the routers used. 11.
5-8 Switch Services 2. Click the Add button at the bottom of the screen. 3. Enter the name of the IP pool from which IP addresses can be issued to client requests on this interface. 4. Provide the Domain name as appropriate for the interface using the pool. 5. Enter the NetBios Node used with this particular pool. The NetBios Node could have one of the following types: • A b-broadcast (broadcast node) uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
Switch Services 5-9 Additionally, define the network IP Address and Subnet Mask used for DHCP discovery and requests between the DHCP Server and DHCP clients. NOTE The network IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface in order for the addresses to be supported through that interface. 8.
5-10 Switch Services 4. Name the option as appropriate, assign a Code (numerical identifier) and use the Type drop-down options to specify a value of ip or ascii to the DHCP global option. 5. Highlight an entry from within the Global Options screen and click the Remove button to delete the name and value. 6. Click OK to save and add the changes to the running configuration and forward the updates to the other peer switches comprising the mobility domain. 7. Refer to the Status field.
Switch Services 5-11 5. Use the Automatic Update drop-down menu to specify whether the automatic update feature is on or off. Select Server update to enable a DDNS update from the DHCP server. Select Client update to get the DDNS updates from DHCP clients. 6. Select the Enable Multiple User Class if multiple user class support is needed. 7. Use the DDNS Servers field to define the IP addresses of the DNS servers. 8. Click OK to save and add the changes to the running configuration and close the dialog. 9.
5-12 Switch Services IP Address Displays the IP address for the client using the pool name listed. Hardware Address Displays the type of interface used to pass DHCP discover and request exchanges between the switch DHCP server and DHCP clients. The Hardware Address field also displays the address of the DHCP client for whom the static IP is reserved. Client Name Displays the name of the client requesting DHCP Server support over this interface.
Switch Services 5-13 2. Click the Excluded tab. The Excluded tab displays “fixed” IP addresses statically assigned and unavailable for assignment with a pool. 3. Click the Edit button to modify the IP address range displayed. For more information, see Editing the Properties of an Existing DHCP Pool on page 5-6. 4. To delete an existing DHCP pool from the list of those available to the switch, highlight the pool from within the Network Pool field and click the Delete button. 5.
5-14 Switch Services In the illustration above, a DHCP relay address has been configured on subnet 2 (The CLI equivalent is “ip helper-address ”). When configuring a DHCP Relay address, specify the other interface where the external DHCP Server can be reached. In this example, that interface is subnet1. The DHCP relay agent must listen on both subnet1 and subnet2.
Switch Services 5-15 3. Refer to the Interfaces field for the names of the interfaces available to route information between the DHCP Server and DHCP clients. If this information is insufficient, consider creating a new IP pool or editing an existing pool. 4. Refer to the Gateway Information field for DHCP Server and Gateway Interface IP addresses. Ensure these addresses are not in conflict with the addresses used to route data between the DHCP Server and client.
5-16 Switch Services assignable IP addresses. DNS is a service that maintains a database to map a given name to an IP address used for communication on the Internet. The dynamic assignment of IP addresses makes it necessary to update the DNS database to reflect the current IP address for a given name. To view detailed DDNS Binding information: 1. Select Services > DHCP Server from the main menu tree. 2. Select the DDNS Bindings tab. 3.
Switch Services 5-17 2. Click the Bindings tab. 3. Refer to the contents of the Bindings tab for the following: IP Address Displays an IP address for each client with a listed MAC address. This column is read-only and cannot be modified. Expiration Displays the end point for the address listed in the IP Address column. 4. Click the Export button to display a screen used to export the DHCP Binding information to a secure location.
5-18 Switch Services 5.2.7 Reviewing DHCP Dynamic Bindings Dynamic DHCP bindings automatically map a hardware address to an IP address from a pool of available addresses. The Dynamic Bindings tab displays only automatic bindings. To view detailed Dynamic Binding information: 1. Select Services > DHCP Server from the main menu tree. 2. Select the Dynamic Bindings tab. 3.
Switch Services 5-19 5.2.8 Configuring DHCP User Class The DHCP server assigns IP addresses to clients based on user class option names. Clients with a defined set of user class options are identified by user class name. The DHCP server assigns IP addresses from multiple IP address ranges. The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the defined range.
5-20 Switch Services 5.2.8.1 Adding a New DHCP User Class Name A DHCP user class name can be configured with a maximum of 8 user class option values. To view and configure the user class options associated with the particular class: 1. Select Services > DHCP Server from the main menu tree. 2. Select the User Class tab. 3. Click the Add button from the User Class Name field. The DHCP server groups clients based on user class option values.
Switch Services 5-21 3. Select an existing DHCP user class from the list and click the Edit button from the User Class Name field. a. The User Class Name cannot be modified. b. Either add or modify the Option Values as required to suit the changing needs of your network. The option values should not exceed 32 characters. c. Select the Multiple User Class Option checkbox to enable multiple option values for the user class.
5-22 Switch Services 5.2.9 Configuring DHCP Pool Class The DHCP server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses. DHCP clients are matched against classes. If the client matches one of the classes assigned to the pool, it’s assigned the IP address from the range assigned to the class. If the client does not match any of the classes in the pool, it’s assigned the IP address from the pool’s default range (if configured).
Switch Services 5-23 5.2.9.1 Editing an Existing DHCP Pool Class Name The Edit Pool Class Configuration dialog is used to edit the association of a DHCP pool name to a DHCP class name. It is also used to configure a maximum of 4 pool class address ranges. To revise an existing DHCP pool class name: 1. Select Services > DHCP Server from the main menu tree. 2. Select the Pool Class tab. 3. Click the Edit button from the Pool Class Names field. 4.
5-24 Switch Services 4. Use the Pool Name field to define a new pool name. Enter the pool name created using Adding a New DHCP Pool on page 5-7. 5. Use the Class Name field to associate an existing class, created using Adding a New DHCP User Class Name on page 5-20. 6. The Pool Class Address Range field is used to assign an address range to the class inside the pool. A maximum of 4 address ranges can be assigned to a class. a. Use the Insert button to enter the Start IP and End IP address range for a class.
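The user class and pool class behaviour described in 5.2.8 and 5.2.9 (a client is matched against the classes bound to a pool, takes an address from the matching class's exclusive range, and otherwise falls back to the pool's default range) as an added Python model; this is not the switch's own code. The guide's limits (8 option values per user class, 32 characters per value, 4 ranges per class) are enforced, and the pool, class names and client hardware addresses below are constructed for the example; what happens when a matching class has no free address is an assumption noted in the code.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

MAX_USER_CLASS_OPTIONS = 8   # option values per user class name (guide limit)
MAX_OPTION_VALUE_LEN = 32    # characters per option value (guide limit)
MAX_CLASS_RANGES = 4         # address ranges per class inside a pool (guide limit)


@dataclass(frozen=True)
class AddressRange:
    start: IPv4Address
    end: IPv4Address

    def overlaps(self, other: "AddressRange") -> bool:
        return self.start <= other.end and other.start <= self.end

    def first_free(self, leased: Dict[IPv4Address, str]) -> Optional[IPv4Address]:
        # Lowest address in the range that is not already leased, or None if exhausted.
        addr = self.start
        while addr <= self.end:
            if addr not in leased:
                return addr
            addr += 1
        return None


@dataclass
class UserClass:
    name: str
    option_values: Tuple[str, ...]

    def __post_init__(self) -> None:
        if len(self.option_values) > MAX_USER_CLASS_OPTIONS:
            raise ValueError(f"{self.name}: more than {MAX_USER_CLASS_OPTIONS} option values")
        for value in self.option_values:
            if len(value) > MAX_OPTION_VALUE_LEN:
                raise ValueError(f"{self.name}: option value {value!r} is too long")

    def matches(self, client_user_class: Optional[str]) -> bool:
        # A client matches when the user class it sent is one of this class's option values.
        return client_user_class is not None and client_user_class in self.option_values


@dataclass
class PoolClass:
    user_class: UserClass
    ranges: List[AddressRange]   # at most 4, exclusive to this class

    def __post_init__(self) -> None:
        if not 1 <= len(self.ranges) <= MAX_CLASS_RANGES:
            raise ValueError(f"{self.user_class.name}: 1 to {MAX_CLASS_RANGES} ranges required")


@dataclass
class Pool:
    name: str
    default_range: Optional[AddressRange]
    classes: List[PoolClass]
    leased: Dict[IPv4Address, str] = field(default_factory=dict)  # address -> client hw address

    def __post_init__(self) -> None:
        # Class ranges and the default range are exclusive, so none may overlap.
        all_ranges = [r for pc in self.classes for r in pc.ranges]
        if self.default_range is not None:
            all_ranges.append(self.default_range)
        for i, a in enumerate(all_ranges):
            for b in all_ranges[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"pool {self.name}: overlapping ranges {a} and {b}")

    def allocate(self, hw_addr: str, client_user_class: Optional[str]) -> Tuple[Optional[IPv4Address], str]:
        """Return (address, label): the first matching class's ranges, else the pool default."""
        for pool_class in self.classes:
            if pool_class.user_class.matches(client_user_class):
                label = pool_class.user_class.name
                for rng in pool_class.ranges:
                    addr = rng.first_free(self.leased)
                    if addr is not None:
                        self.leased[addr] = hw_addr
                        return addr, label
                # Assumption (not in the guide): an exhausted class does not fall back to the default range.
                return None, label
        if self.default_range is None:
            return None, "default"
        addr = self.default_range.first_free(self.leased)
        if addr is not None:
            self.leased[addr] = hw_addr
        return addr, "default"


def demo_pool() -> Pool:
    """Constructed sample pool: a phones class, a printers class and a default range."""
    ip = IPv4Address
    phones = PoolClass(UserClass("phones", ("voip-handset",)),
                       [AddressRange(ip("192.168.10.150"), ip("192.168.10.159"))])
    printers = PoolClass(UserClass("printers", ("printer", "mfp")),
                         [AddressRange(ip("192.168.10.200"), ip("192.168.10.201"))])
    return Pool("floor2", AddressRange(ip("192.168.10.100"), ip("192.168.10.110")), [phones, printers])
```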
Switch Services 5-25 2. Select the Configuration tab. 3. Refer to the Access Group field to define ACL IDs. An ACL ID must be created before it is selectable from a drop-down menu. To create an ACL ID, see ACL Configuration on page 6-19. Full Access Supply a numeric ACL ID from the drop-down menu to provide the ACL full access. Only Control Queries Supply a numeric ACL ID from the drop-down menu to provide the ACL only control query access to SNTP resources.
5-26 Switch Services Clock Stratum Define how many hops (from 1 to 15) the switch is from a SNTP time source. The switch automatically chooses the SNTP resource with the lowest stratum number. The SNTP supported switch is careful to avoid synchronizing to a server that may not be accurate. Thus, the SNTP enabled switch never synchronizes to a machine not synchronized itself.
Switch Services 5-27 2. Select the Symmetric Keys tab. 3. Refer to the Symmetric Key screen to view the following information. Key ID Displays a Key ID between 1-65534. The Key ID is an abbreviation allowing the switch to reference multiple passwords. This makes password migration easier and more secure between the switch and its NTP resource. Key Value Displays the authentication value used to secure the credentials of the server providing system time to the switch.
5-28 Switch Services 2. Select the Symmetric Key tab. 3. Click the Add button. 4. Enter a Key ID between 1-65534. The Key ID is an abbreviation allowing the switch to reference multiple passwords. This makes password migration easier and more secure between the switch and its NTP resource. 5. Enter the authentication Key Value used to secure the credentials of the NTP server providing system time to the switch. 6. Select the Trusted Key checkbox to use a trusted key.
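An added Python illustration of what the Key ID, Key Value and Trusted Key settings above protect: the symmetric-key authenticator that NTP appends to each packet (key ID plus MD5 over key and packet, as specified in RFC 5905 Appendix A.5.1) and a receiver-side check that accepts only keys flagged as trusted. This is not the switch's own code; the packet contents and the keys are constructed for the example, and the check assumes a plain 48-byte header with no extension fields.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48                  # bytes; the authenticator follows the header
AUTHENTICATOR_LEN = 4 + 16           # 32-bit key ID + 128-bit MD5 digest
KEY_ID_MIN, KEY_ID_MAX = 1, 65534    # key ID range the switch accepts (guide)


def build_ntp_packet(stratum: int = 2, transmit_ts: int = 0) -> bytes:
    """Minimal 48-byte NTPv4 client-mode header; field values are constructed."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                          # LI=0, version 4, mode 3 (client)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)    # poll 6, precision -20
    header += struct.pack("!II", 0, 0)                            # root delay, root dispersion
    header += b"LOCL"                                             # reference ID
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)          # ref/orig/recv/xmit timestamps
    return header


def append_authenticator(packet: bytes, key_id: int, key_value: bytes) -> bytes:
    """Append key ID + MD5(key || packet): the keyed digest NTP uses, not an HMAC."""
    if not KEY_ID_MIN <= key_id <= KEY_ID_MAX:
        raise ValueError(f"key ID {key_id} outside {KEY_ID_MIN}-{KEY_ID_MAX}")
    digest = hashlib.md5(key_value + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_authenticator(message: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Accept the message only if it carries a MAC under a key flagged Trusted.

    trusted_keys maps Key ID -> Key Value for keys with the Trusted Key box ticked;
    keys that are configured but not trusted are deliberately absent from it.
    """
    if len(message) == NTP_HEADER_LEN:
        return False, "no authenticator present"
    if len(message) != NTP_HEADER_LEN + AUTHENTICATOR_LEN:
        return False, f"unexpected length {len(message)}"
    packet = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = message[NTP_HEADER_LEN + 4:]
    key_value = trusted_keys.get(key_id)
    if key_value is None:
        return False, f"key ID {key_id} is not a trusted key"
    expected = hashlib.md5(key_value + packet).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, "digest mismatch"
    return True, f"authenticated with key ID {key_id}"


if __name__ == "__main__":
    # Constructed keys: 10 is trusted on the switch, 20 is configured but not trusted.
    configured = {10: b"example-key-10", 20: b"example-key-20"}
    trusted = {10: configured[10]}
    packet = build_ntp_packet(stratum=2, transmit_ts=0xE000000000000000)
    print(verify_authenticator(append_authenticator(packet, 10, configured[10]), trusted))
    print(verify_authenticator(append_authenticator(packet, 20, configured[20]), trusted))
    print(verify_authenticator(packet, trusted))
```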
Switch Services 5-29 2. Select the NTP Neighbor tab. 3. Refer to the following information (as displayed within the NTP Neighbor tab) to assess whether an existing neighbor configuration can be used as is, if an existing configuration requires modification or a new configuration is required. IP Address/Hostname Displays the numeric IP address of the resource (peer or server) providing switch SNTP resources. Ensure the server is on the same subnet as the switch to provide SNTP support.
5-30 Switch Services 6. Click the Add button to define a new peer or server configuration that can be added to the existing configurations displayed within the NTP Neighbor tab. For more information, see Adding an NTP Neighbor on page 5-30. 5.3.4 Adding an NTP Neighbor To add a new NTP peer or server neighbor configuration to those available for synchronization: 1. Select Services > Secure NTP from the main menu tree. 2. Select the NTP Neighbor tab. 3. Click the Add button. 4.
Switch Services 5-31 (and switch) must be on the same subnet. NTP broadcasts reduce configuration complexity since both the switch and its NTP resources can be configured to send and receive broadcast messages. NOTE If this checkbox is selected, the AutoKey Authentication checkbox is disabled, and the switch is required to use Symmetric Key Authentication for credential verification with its NTP resource.
5-32 Switch Services 2. Select the NTP Associations tab. 3. Refer to the following SNTP Association data for each SNTP association displayed: Address Displays the numeric IP address of the SNTP resource (Server) providing SNTP updates to the switch. Reference Clock Displays the address of the time source the switch is synchronized with. Stratum Displays how many hops the switch is from a SNTP time source. The switch automatically chooses the SNTP resource with the lowest stratum.
Switch Services 5-33 Offset (sec) Displays the calculated offset between the switch and SNTP server. The switch adjusts its clock to match the server's time value. The offset gravitates toward zero over time, but never completely reduces its offset to zero. Dispersion (sec) Displays how scattered the time offsets are (in seconds) from a SNTP time server. 4.
5-34 Switch Services 5.3.6 Viewing NTP Status Refer to the NTP Status tab to display performance (status) information relative to the switch’s current NTP association. Verifying the switch’s SNTP status is important to assess which resource the switch is currently getting its system time from, as well as the time server’s current differences in time attributes as compared to the current switch time.
Switch Services Precision Displays the precision (accuracy) of the switch’s time clock (in Hz). The values that normally appear in this field range from -6 for mains-frequency clocks to -20 for microsecond clocks found in some workstations. Reference time Displays the time stamp at which the local clock was last set or corrected. Clock Offset Displays the time differential between switch time and the NTP resource. Root delay The total round-trip delay in seconds.
5-36 Switch Services switches at the same time. This is done by the cluster-protocol running on WS1, by duplicating the commands and sending them to the group over the virtual connection. After sending the command to other members, the cluster-management protocol (at WS1) waits for a response from the members of the redundancy group. Upon receiving a response from each member, WS1 updates the user’s screen and allows the user to enter/execute the next command.
Switch Services 5-37 To view status and membership data and define a redundancy group configuration, refer to the following: • Reviewing Redundancy Status • Configuring Redundancy Group Membership To configure switch redundancy: 1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected. 2. Refer to the Redundancy field to define the following: Enable Redundancy Select this checkbox to enable/disable clustering.
5-38 Switch Services Heartbeat Period The Heartbeat Period is the interval at which heartbeat messages are sent. Heartbeat messages discover the existence and status of other members within the group. Configure an interval between 1 and 255 seconds. The default value is 5 seconds. Hold Time Define the Hold Time for a redundancy group. If there are no heartbeats received from a peer during the hold time, the peer is considered down. In general, the hold period is configured for three times the heartbeat period.
Switch Services 5-39 3. Refer to the History field to view the current state of the redundancy group. State Displays the new state (status) of the redundancy group after a Trigger event. Time Displays the Timestamp (time zone specific) when the state change occurred. Trigger Displays the event causing the redundancy group state change on the switch. Description Displays a redundancy event description defining the redundancy group state change on the switch.
5-40 Switch Services 3. Refer to the Status field to assess the current state of the redundancy group. Redundancy state is Displays the state of the redundancy group. When the redundancy feature is disabled, the state is “Disabled.” When enabled, it goes to a “Startup” state. From “Startup” it goes to a “Discovery” state immediately if the STP convergence is not enabled. Otherwise, it remains in “Startup” for a period of 50 seconds (the standard STP convergence time).
Switch Services Connectivity Status Displays the current connectivity status of the cluster membership. Access Ports on this switch Displays the total number of access ports adopted by this switch. Adoption capacity on this switch Displays the AP adoption capability for this switch. Compare this value with the adoption capacity for the entire cluster to determine if the cluster members (or this switch) have adequate adoption capabilities.
5-42 Switch Services 2. Select the Member tab. 3. Refer to the following information within the Member tab: IP Address Displays the IP addresses of the selected redundancy group member. Status Displays the current status of this group member. This status could have the following values: • Configured - The member is configured on the current switch. • Seen - Heartbeats can be exchanged between the current switch and this member.
Switch Services 5-43 4. Select a row, and click the Details button to display additional details for this member. For more information, see Displaying Redundancy Member Details on page 5-43. 5. Select a row and click the Delete button to remove a member from the redundancy group. The redundancy group should be disabled to conduct an Add or Delete operation. 6. Click the Add button to add a member to the redundancy group. The redundancy group should be disabled to conduct an Add or Delete operation.
5-44 Switch Services Status Displays the current status of this group member. This status could have the following values: • Configured - The member is configured on the current wireless service module. • Seen - Heartbeats can be exchanged between the current switch and this member. • Invalid - Critical redundancy configuration parameter(s) of the peer (heartbeat time, discovery time, hold time, Redundancy ID, Redundancy Protocol version of this member) do not match this switch’s parameters.
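An added Python model of how the Member tab's Configured, Seen and Invalid values follow from the heartbeat and hold time settings (page 5-38) and from the parameter comparison just described; this is not the switch's own code. It also flags a hold time configured below the guide's usual three times the heartbeat period. Peer addresses and parameter values are constructed, and how a peer whose heartbeats have stopped is displayed is an assumption noted in the code.

```python
from dataclasses import dataclass, fields
from typing import List, Optional

HEARTBEAT_MIN, HEARTBEAT_MAX = 1, 255   # seconds (guide)
DEFAULT_HEARTBEAT = 5                    # seconds (guide)
HOLD_MULTIPLIER = 3                      # hold time is normally 3x the heartbeat (guide)


@dataclass(frozen=True)
class RedundancyParams:
    """The critical peer parameters the Member tab compares before reporting Invalid."""
    heartbeat_period: int
    hold_time: int
    discovery_time: int
    redundancy_id: int
    protocol_version: int

    def __post_init__(self) -> None:
        if not HEARTBEAT_MIN <= self.heartbeat_period <= HEARTBEAT_MAX:
            raise ValueError(f"heartbeat period {self.heartbeat_period} outside {HEARTBEAT_MIN}-{HEARTBEAT_MAX} s")
        if self.hold_time < self.heartbeat_period:
            raise ValueError("hold time shorter than heartbeat period: every peer would be declared down")

    def mismatches(self, other: "RedundancyParams") -> List[str]:
        """Names of the critical parameters that differ between this switch and a peer."""
        return [f.name for f in fields(self) if getattr(self, f.name) != getattr(other, f.name)]


def recommended_hold_time(heartbeat_period: int = DEFAULT_HEARTBEAT) -> int:
    return HOLD_MULTIPLIER * heartbeat_period


def timer_warnings(params: RedundancyParams) -> List[str]:
    """Advisory checks on a redundancy configuration before it is applied."""
    warnings = []
    recommended = recommended_hold_time(params.heartbeat_period)
    if params.hold_time < recommended:
        warnings.append(f"hold time {params.hold_time}s is below 3x heartbeat ({recommended}s): "
                        "a couple of lost heartbeats will mark the peer down")
    return warnings


@dataclass
class Member:
    ip_address: str
    params: Optional[RedundancyParams]   # None until the peer's parameters have been received
    last_heartbeat: Optional[float]      # seconds on a monotonic clock; None = never heard


def member_status(local: RedundancyParams, member: Member, now: float) -> str:
    """Configured / Seen / Invalid as the Member tab reports it.

    Assumption beyond the guide: a peer whose heartbeats stop for longer than the
    hold time ("considered down") is shown as Configured again rather than Seen.
    """
    if member.params is None or member.last_heartbeat is None:
        return "Configured"
    if local.mismatches(member.params):
        return "Invalid"
    if now - member.last_heartbeat <= local.hold_time:
        return "Seen"
    return "Configured"


if __name__ == "__main__":
    local = RedundancyParams(DEFAULT_HEARTBEAT, recommended_hold_time(), 30, 7, 1)
    peer = Member("10.1.1.2", RedundancyParams(5, 15, 30, 7, 1), last_heartbeat=100.0)
    print(member_status(local, peer, now=110.0))    # Seen
    print(member_status(local, peer, now=120.0))    # Configured (hold time exceeded)
    print(timer_warnings(RedundancyParams(5, 6, 30, 7, 1)))
```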
Switch Services 5-45 Self Healing Radios Displays the number of self healing radios on each detected member. These radios can be invaluable if other radios within the redundancy group were to experience problems requiring healing by another radio. 5. Refer to the Status field. The Status is the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
5-46 Switch Services • Do not allow different port speed/duplex settings on members. Each member should have the same settings. • In a redundancy group of three switches (S1, S2 and S3), if S1 has X licenses, S2 has Y licenses and S3 has Z licenses, the license count is X+Y+Z (the aggregation of each switch). • A cluster license is re-calculated whenever a new switch brings existing licenses to a group or an existing switch’s license value changes (increases or decreases).
Switch Services 5-47 and ARP are tunneled through the home switch. The IP address for the MU is assigned from the VLAN to which the MU belongs (as determined by the home switch). The current switch is the switch in the mobility domain an MU is currently associated to. The current switch changes as the MU roams and establishes different associations. The current switch is responsible for delivering data packets from the MU to its home switch and vice-versa.
5-48 Switch Services The Layer 3 Mobility screen appears with the Configuration tab displayed. 2. Select the Use Default Management Interface checkbox to use the switch’s default management interface IP address for MUs roaming amongst different Layer 3 subnets. The IP address displayed to the right of the checkbox is used by Layer 3 MU traffic. 3.
Switch Services 5-49 5.5.2 Defining the Layer 3 Peer List The Layer 3 Peer List contains the IP addresses MUs are using to roam amongst various subnets. This screen is helpful in displaying the IP addresses available to those MUs requiring access to different subnet resources. To define the Layer 3 Peer List: 1. Select Services > Layer 3 Mobility from the main menu tree. The Layer 3 Mobility screen appears with the Configuration tab displayed. 2. Select the Peer List tab. 3.
5-50 Switch Services Enter the IP addresses in the area provided and click the OK button to add the addresses to the list displayed within the Peer List screen. 5.5.3 Reviewing Layer 3 Peer List Statistics When a MU roams to a current switch on the same layer 3 network, it sends a L2-ROAM message to the home switch to indicate the MU has roamed within the same VLAN. The old home switch forwards the information to all its peers.
Switch Services JOIN Events sent/rcvd Displays the number of JOIN messages sent and received. JOIN messages advertise the presence of MUs entering the mobility domain for the first time. When a MU (currently not present in the MU database) associates with a switch, it immediately sends a JOIN message to the host switch with MAC, VLAN and IP information (both current and home switch IP info). The home switch forwards the JOIN to all its peers (except the one from which it received the original message).
5-52 Switch Services 2. Select the MU Status tab. 3. Refer to the following information within the MU Status tab: MU MAC Displays the factory hardcoded MAC address of the MU. This value is set at the factory and cannot be modified. Thus, it should be consistent as the MU roams within the mobility domain. MU IP Addr Displays the IP address the MU is using within the mobility domain.
Switch Services 5-53 5.6 Configuring Self Healing The switch supports a feature called Self Healing that enables radios to take corrective action when one or more radios fail. To enable the feature the user must specify radio neighbors that would self heal if either one goes down. The neighbor radios do not have to be of the same type. Therefore, an 11bg radio can be the neighbor of an 11a radio and either of them can self heal when one of them fails.
5-54 Switch Services 4. Click the Apply button to save the changes made within this screen. Clicking Apply overwrites the previous configuration. 5. Click the Revert button to disregard any changes made within this screen and revert back to the last saved configuration. 5.6.1 Configuring Self Healing Neighbor Details The Neighbor Details page displays all the radios configured on the switch and their neighbor designations. To configure self-healing on the switch: 1.
Switch Services 5-55 Action Displays the self healing action configured for the radio. Options include: • Raise Power - The transmit power of the radio is increased when a neighbor radio is not functioning as expected. • Open Rates - Data rates are decreased to support all rates when a neighbor radio is not functioning as expected. • Both - Increases power and data rate when a neighbor radio is not functioning as expected. • None - No action is taken when a neighbor radio is not functioning as expected.
5-56 Switch Services 3. Select an existing neighbor and click the Edit button. The radio index and description display in the upper right corner of the screen. The Available Radios value represents the radios that can be added as a neighbor for the target radio. Neighbor Radios are existing radios (neighbors). 4. Select one of the following four actions from the Self Healing Action drop-down menu: • None - The radio takes no action at all when a neighbor radio fails.
Switch Services 5-57 5.7 Configuring Switch Discovery Switch discovery enables the SNMP discovery (location) of devices. To discover devices in the specified range of IP addresses, the switch Web UI sends SNMP GET requests (using the user specified SNMP v2 or v3 version) to all IP addresses on the specified network.
5-58 Switch Services 2. Refer to the following information within the Discovery Profiles tab to discern whether an existing profile can be used as is, requires modification (or deletion) or if a new discovery profile is required. Index Displays the numerical identifier used to differentiate this profile from others with similar configurations. The index is supplied to new profiles sequentially. Profile Name Displays the user-assigned name for the profile.
Switch Services 5-59 If SNMP v3 is used with a discovery profile, a V3 Authentication screen displays. The User Name and Password are required to match the name used by the remote network management software of the discovered switch. When the credentials of the V2 Read Community or V3 Authentication screens are satisfied, the switch discovery process begins. 7. If necessary, click the Stop Discovery button (enabled only during the discovery operation) to stop the discovery operation. 5.7.1.
5-60 Switch Services SNMP Version Use the drop-down menu to define the SNMP version (either v2 or v3) used for discovering available network devices. 4. Refer to the Status field for an update of the edit process. The Status is the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch. 5.
Switch Services 5-61 3. Refer to the following within the Recently Found Devices tab to discern whether a located device should be deleted from the list or selected to have its Web UI launched and its current configuration modified. IP Address Displays the IP address of the discovered switch. This IP address obviously falls within the range of IP addresses specified for the discovery profile used for the device search.
5-62 Switch Services 5.8 Configuring SOLE Support The switch has the ability to use Smart Opportunistic Location Engine (SOLE) adapters to assist in the locationing of devices within the switch managed network. The switch currently supports the use of AeroScout SOLE adapters. AeroScout adapters use standard wireless networks to locate assets and utilize the switch managed network to assist in asset tracking, process automation, theft prevention and increased utilization and bandwidth.
Switch Services 5-63 The Enabled column displays a green checkmark next to the SOLE adapter once enabled. A Red X defines the adapter as disabled. NOTE In order to set the listening MAC in each radio you must use the radio command in the switch’s Command Line Interface (CLI). An example of the command syntax is: #radio <1-n> tag-type aeroscout listen-addr 01-0c-cc-00-00-00 3. Click the Disable button to disable a selected SOLE adapter.
5-64 Switch Services 5.8.3 Reviewing SOLE Statistics Periodically review SOLE statistics to determine the extent of the message traffic transmitted and received over the SOLE adapter. To review SOLE statistics: 1. Select Services > SOLE from the main menu tree. 2. Select the Statistics tab. 3. Review the following information within the Statistics tab: Type Displays the configuration type for each SOLE adapter. Currently the only supported type is Aeroscout.
Switch Security This chapter describes the security mechanisms available to the switch.
6-2 Switch Security 6.1 Displaying the Main Security Interface Refer to the main Security interface for a high level overview of device intrusion and switch access permission options. NOTE When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field and the screen remains displayed.
Switch Security 6-3 2. Refer to the following information to discern if configuration changes are warranted: Access Port Intrusion Detection Displays the Enabled or Disabled state of the switch to detect potentially hostile access ports (the definition of which is defined by you). Once detected, these devices can be added to a list of devices either approved or denied from interoperating within the switch managed network. For more information, see AP Intrusion Detection on page 6-4.
6-4 Switch Security 6.2 AP Intrusion Detection Use the Access Point Detection menu options to view and configure network related IP information. The Access Point Detection screen consists of the following tabs: • Enabling and Configuring AP Detection • Approved APs (Reported by APs) • Unapproved APs (Reported by APs) • Unapproved APs (Reported by MUs) 6.2.
Switch Security 6-5 Approved AP timeout Define a value (in seconds) the switch uses to timeout (previously approved) access points that have not communicated with the switch. The range is from 1-65535 seconds, with a default of 300 seconds. This value is helpful for continually re-validating access points that interoperate within the switch managed network. Unapproved AP timeout Define a value (in seconds) the switch uses to remove access points that have not communicated with the switch.
6.2.1.1 Adding or Editing an Allowed AP To add a new range or modify the address range used to designate devices as Allowed APs: 1. Select Security > Access Point Intrusion Detection from the main menu tree. 2. Click the Configuration tab. 3. Select an existing Allowed AP and click the Edit button to modify the properties of an existing Allowed AP, or click the Add button to define the attributes of a new Allowed AP. 4.
6.2.2 Approved APs (Reported by APs) Those access points detected and approved for operation within the switch managed network can be separately displayed to assess the reporting (detecting) AP, the channel of operation, the last time the AP was observed on the network and the ESSID. Use this information to assess if an approved access point was incorrectly defined as approved and requires categorization as an unapproved and disallowed AP. To review the attributes of allowed APs: 1.
5. Click on the Export button to export the contents of the table to a Comma Separated Values (CSV) file. 6.2.3 Unapproved APs (Reported by APs) Use the Unapproved APs (Reported by APs) tab to review access points detected by associated switch access port radios that are restricted from operation within the switch managed network. The criteria for restriction were defined using the Security > Access Port Intrusion Detection > Configuration screen.
Last Seen (In Seconds) Displays the time (in seconds) since the Unapproved AP was last seen on the network by the detecting AP. ESSID Displays the ESSID of each Unapproved AP. These ESSIDs are device ESSIDs observed on the network, but have yet to be added to the list of Approved APs and are therefore interpreted as a threat. If an ESSID displays on the list incorrectly, click the Allow button and add the ESSID to a new Allowed AP index. 4.
3. The Unapproved APs (Reported by MUs) table displays the following information: BSS MAC Address Displays the MAC Address of each Unapproved AP. These MAC addresses are access points observed on the network (by associated MUs), but have yet to be added to the list of approved APs, and are therefore interpreted as a threat on the network. Reporting MU Displays the numerical value for the detecting MU.
2. Click the Configuration tab. 3. Within the Collection Settings field, set the Detection Window interval (in seconds) the switch uses to scan for MU violations. The available range is from 5 - 300 seconds with a default value of 5 seconds. 4. Refer to the Violation Parameters field to define threshold values that trigger an alarm: Violation Type Displays the name of the violation for which threshold values are set in the MU, radio and switch columns.
5. When using the Frames with known bad ESSIDs violation parameter it is necessary to enter a list of known bad ESSIDs for the violation parameter. To enter this information, select Frames with known bad ESSIDs and then click the Bad Essid Config button to launch a dialog box where bad ESSIDs can be added and removed. NOTE If the Frames with known bad ESSIDs violation parameter is used but no ESSIDs are entered in the Bad Essid Config dialog, this parameter will not function. 6.
Violation Type Displays the reason the violation occurred for each detected MU. Use the Violation Type to discern whether the detected MU is truly a threat on the switch managed network (and must be removed) or can be interpreted as a non threat. The following violation types are possible: • Excessive Probes • Excessive Association • Excessive Disassociation • Excessive Authentication failure • Excessive Crypto replays • Excessive 802.
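The window-and-threshold logic described in steps 3 to 5 of the MU intrusion detection configuration, as an added illustration (this is not code from the guide or from the switch firmware): a detector counts each violation type per MU, per detecting radio and switch-wide inside a fixed detection window, raises a violation once a configured threshold is exceeded, and ignores the bad-ESSID parameter when no ESSIDs have been entered. The frame records, the threshold values and the frame kind names (probe, assoc, auth_fail, ...) are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Violation types named on the Violation Parameters screen (the list in the
# guide is longer; these are the ones this example can count).
KIND_TO_VIOLATION = {
    "probe": "Excessive Probes",
    "assoc": "Excessive Association",
    "disassoc": "Excessive Disassociation",
    "auth_fail": "Excessive Authentication failure",
    "crypto_replay": "Excessive Crypto replays",
}
BAD_ESSID_VIOLATION = "Frames with known bad ESSIDs"


@dataclass
class Frame:
    t: float          # capture time in seconds (constructed)
    mu: str           # MU MAC address
    radio: str        # detecting radio
    kind: str         # constructed kind names, see KIND_TO_VIOLATION
    essid: str = ""   # ESSID carried by the frame, if any


@dataclass
class Detector:
    window: int = 5                                    # Detection Window, 5-300 s, default 5
    thresholds: dict = field(default_factory=dict)     # {violation: {"mu": n, "radio": n, "switch": n}}
    bad_essids: set = field(default_factory=set)       # Bad Essid Config list

    def __post_init__(self):
        if not 5 <= self.window <= 300:
            raise ValueError("detection window must be 5-300 seconds")

    def classify(self, frame):
        """Map a frame to the violation type it counts toward, or None."""
        if frame.kind in KIND_TO_VIOLATION:
            return KIND_TO_VIOLATION[frame.kind]
        # The bad-ESSID parameter does nothing unless ESSIDs were entered.
        if self.bad_essids and frame.essid in self.bad_essids:
            return BAD_ESSID_VIOLATION
        return None

    def scan(self, frames):
        """Return the violations raised, as a sorted list of (violation, scope, key).

        Frames are bucketed into consecutive detection windows aligned to the
        first frame; a violation fires when a bucket's count exceeds the
        threshold configured for that scope (MU, radio or switch column)."""
        frames = sorted(frames, key=lambda f: f.t)
        if not frames:
            return []
        start = frames[0].t
        counts = defaultdict(int)
        found = set()
        for f in frames:
            violation = self.classify(f)
            if violation is None:
                continue
            bucket = int((f.t - start) // self.window)
            for scope, key in (("mu", f.mu), ("radio", f.radio), ("switch", "switch")):
                counts[(bucket, violation, scope, key)] += 1
                limit = self.thresholds.get(violation, {}).get(scope)
                if limit is not None and counts[(bucket, violation, scope, key)] > limit:
                    found.add((violation, scope, key))
        return sorted(found)


def constructed_frames():
    """A constructed capture: one MU probing hard, one failing authentication
    repeatedly and then using a known bad ESSID, then a lone probe in the next window."""
    frames = [Frame(0.1 * i, "00:11:22:33:44:55", "radio1", "probe") for i in range(1, 13)]
    frames += [Frame(2.0 + 0.2 * i, "aa:bb:cc:dd:ee:ff", "radio1", "auth_fail") for i in range(4)]
    frames.append(Frame(4.0, "aa:bb:cc:dd:ee:ff", "radio1", "data", essid="Free_WiFi"))
    frames.append(Frame(6.0, "00:11:22:33:44:55", "radio1", "probe"))
    return frames


def demo():
    # Constructed thresholds for the MU, radio and switch columns.
    detector = Detector(
        window=5,
        thresholds={
            "Excessive Probes": {"mu": 10, "radio": 30, "switch": 100},
            "Excessive Authentication failure": {"mu": 3, "radio": 10, "switch": 20},
            BAD_ESSID_VIOLATION: {"mu": 0, "radio": 0, "switch": 0},
        },
        bad_essids={"Free_WiFi"},
    )
    return detector.scan(constructed_frames())


if __name__ == "__main__":
    for violation in demo():
        print(violation)
```

The per-scope thresholds are what let one misbehaving MU trip its own row without pushing the radio or switch column over their (higher) limits, which is how the three columns on the screen are meant to be read.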
6.4 Configuring Wireless Filters Use filters to either allow or deny a MAC address (or groups of MAC addresses) from associating with the switch. Refer to the Wireless Filters screen to review the properties of existing switch filters. A filter can be selected from those available and edited or deleted. Additionally, a new filter can be added if an existing filter does not adequately express the MU’s address range required. To display the Wireless Filters main page: 1.
3. Refer to the Associated WLANs field for the following: WLAN Index Highlight an Index to display the name(s) of the WLANs currently associated with this particular Index. Click the Membership button to map available WLANs to this filter. ESSID Displays the SSID required by the devices comprising this WLAN. Authentication Displays the authentication scheme configured for the devices comprising this WLAN.
The user can review the ACL Index (numerical identifier) for the ACL, and edit the starting and ending MAC address range for the devices allowed or denied access to the switch managed network. 4. The MU-ACL Index is used as an identifier for a MAC Address range and allow/deny ACL designation. The available index range is 1 - 1000. However, the index is not editable, only its starting/ending MAC range and allow/deny designation. If a new index is needed, create a new filter. 5.
Define an Index (numerical identifier) for the ACL and the starting and ending MAC address range for devices allowed/denied access to the switch managed network. 3. Enter an Index numerical value (1 -1000) in the MU-ACL Index field. The MU-ACL Index is a numerical identifier used to associate a particular ACL to a range of MAC addresses (or a single MAC address) either allowed or denied access to the switch managed network.
4. Select the box to the right of each WLAN you want associated with the ACL. Selecting a WLAN maps it to the MAC address range and allow or deny designation assigned to it. Consequently, be sure you are not restricting MU traffic for a WLAN that requires those MAC addresses to interact with the switch. 5. Refer to the Status field for the current state of the requests made from the applet.
6.5 ACL Configuration An Access Control List (ACL) is a sequential collection of permit and deny conditions that apply to switch data packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. NOTE If a packet does not meet any of the criteria specified in the ACL, then the packet is dropped (every ACL ends in an implicit deny).
For more information, see: • Router ACLs • Port ACLs • Wireless LAN ACLs • ACL Actions 6.5.1.1 Router ACLs Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular direction on an interface, applying a new one will replace the existing ACL. Router ACLs are applicable only if the switch acts as a gateway, and traffic is inbound only.
6.5.1.2 Port ACLs The switch supports Port ACLs on physical interfaces and inbound traffic only. The following Port ACLs are supported: • Standard IP ACL— Uses a source IP address as matching criteria. • Extended IP ACL— Uses a source IP address, destination IP address and IP protocol type as basic matching criteria. It can also include other parameters specific to a protocol type, like the source and destination ports for TCP/UDP protocols.
NOTE Only a Port ACL supports a mark action. With Router ACLs, a mark is treated as a permit and the packet is allowed without modifications. 6.5.1.5 Precedence Order The rules within an ACL are applied to packets based on their precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence value.
The ACLs field displays the list of ACLs currently associated with the switch. An ACL contains an ordered list of ACEs. Each ACE specifies a permit or deny designation and a set of conditions the packet must satisfy to match the ACE. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical. 4.
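An added example (not code from the guide or the switch) of the evaluation order the ACL sections above describe: ACEs are tried from the lowest precedence value upward, the first matching ACE decides, a packet matching no ACE is dropped, and a mark action on a Router ACL is treated as a permit. The Standard/Extended distinction follows 6.5.1.2 (a Standard IP ACL examines only the source address). The sample ACL, its rule numbers and the packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One ACE. Fields other than src are only examined by Extended IP ACLs."""
    precedence: int                 # 1-5000, unique within the ACL; lower is applied first
    action: str                     # "permit", "deny" or "mark"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "ip"               # "ip" matches any protocol
    dport: Optional[int] = None     # only meaningful with tcp/udp

    def matches(self, pkt, extended):
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if not extended:
            return True             # Standard IP ACL: source address is the whole criterion
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class Acl:
    def __init__(self, acl_id, extended=True):
        self.acl_id = acl_id
        self.extended = extended
        self.rules = {}             # precedence -> Rule

    def add(self, rule):
        if not 1 <= rule.precedence <= 5000:
            raise ValueError("precedence must be between 1 and 5000")
        if rule.precedence in self.rules:
            raise ValueError("precedence %d is already used in ACL %s" % (rule.precedence, self.acl_id))
        if rule.action not in ("permit", "deny", "mark"):
            raise ValueError("unknown action %r" % rule.action)
        self.rules[rule.precedence] = rule

    def evaluate(self, pkt, kind="port"):
        """Return (action, precedence of the deciding ACE). kind is "port" or "router".

        Rules are tested in ascending precedence; testing stops at the first match.
        No match means the packet is dropped (implicit deny, precedence None)."""
        for precedence in sorted(self.rules):
            rule = self.rules[precedence]
            if rule.matches(pkt, self.extended):
                if rule.action == "mark" and kind == "router":
                    return ("permit", precedence)   # Router ACLs treat mark as permit, packet unmodified
                return (rule.action, precedence)
        return ("deny", None)


def build_sample_acl():
    """Constructed Extended IP ACL. Rule 10 sits before the /24 deny on purpose:
    swapping the two precedence values would change the verdict for HTTPS to 10.0.0.5."""
    acl = Acl("101", extended=True)
    acl.add(Rule(10, "permit", dst="10.0.0.5", proto="tcp", dport=443))
    acl.add(Rule(20, "deny", src="192.168.0.0/24"))
    acl.add(Rule(30, "mark", src="192.168.0.0/16", proto="udp"))
    acl.add(Rule(40, "permit", src="192.168.0.0/16"))
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for pkt in (Packet("192.168.0.7", "10.0.0.5", "tcp", 51000, 443),
                Packet("192.168.0.7", "10.0.0.9", "tcp", 51000, 80),
                Packet("192.168.5.3", "10.0.0.9", "udp", 5353, 53),
                Packet("172.16.1.1", "10.0.0.9", "icmp")):
        print(pkt, "port:", acl.evaluate(pkt), "router:", acl.evaluate(pkt, kind="router"))
```

When reviewing an ACL on the Associated Rules screen, read it the way evaluate() does: sort by precedence and stop at the first hit. A broad deny placed at a lower precedence value than a narrower permit silently shadows the permit.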
3. Click on the Add button. 4. Select an ACL Type from the drop-down menu. The following options are available: • Standard IP List – Uses source IP addresses for matching operations • Extended IP List – Uses source and destination IP addresses and optional protocol type information for matching operations • MAC Extended List – Uses source and destination MAC addresses, VLAN ID and optional protocol type information. 5. Enter a numeric index name for the ACL in the ACL ID field. 6.
3. Click the Add button within the Associated Rules field. 4. Use the Precedence field to enter a precedence (priority) value between 1 and 5000. The rules within an ACL will be applied to packets based on their precedence value. Rules with lower precedence are always applied first. NOTE If adding an access control entry to an ACL using the switch SNMP interface, Precedence is a required parameter. 5.
9. If the selected Protocol is tcp or udp, click the Protocol Options button to configure the source and destination Port. 10. Use the Source Address field to enter the IP address from where the packets are sourced. 11. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something is wrong in the transaction between the applet and the switch. 12.
The rules within an ACL are applied to packets based on their precedence value. Rules with lower precedence are always applied first. NOTE If adding an access control entry to an ACL using the switch SNMP interface, Precedence is a required parameter. 6. Use the Operation drop-down menu (if necessary) to modify the permit, deny or mark designation for the ACL. If the action is to mark, the packet is tagged for priority. 7.
2. Click the Attach-L2/L3 tab. 3. Refer to the following information as displayed within the Attach - L2/L3 tab: Interface Displays the interface on which the ACL is applied. Available interfaces include ge1, ge2, ge3, ge4 and VLAN1. IP ACL Displays an IP ACL attached to the L2 or L3 interface in the inbound direction. MAC ACL Displays the MAC ACL attached to the L2 interface in the inbound direction. 4.
3. Click on the Add button. 4. Use the Interface drop-down menu to select the interface to configure on the switch. Available options include – ge1, ge2, ge3, ge4, and VLAN1. As additional VLANs are created, they also become available. 5. Use the IP ACL drop-down menu to select an IP ACL to attach to the L2 or L3 interface used in the inbound direction. 6. Use the MAC ACL drop-down menu to select a MAC ACL to attach to a L2 interface used in the inbound direction.
6.5.4 Attaching an ACL on a WLAN Interface/Port Use the Attach-WLAN tab to view and assign an ACL to a WLAN on the switch. By default, ARP is not supported. Create a MAC ACL to allow ARP on the switch. NOTE WLAN based ACLs allow users to enforce rules/ACLs in both the inbound and outbound direction, as opposed to L2 ACLs, which just support the inbound direction. To attach an interface: 1. Select Security > ACLs from the main menu tree. 2. Click the Attach-WLAN tab. 3.
6.5.4.1 Adding or Editing a New ACL WLAN Configuration After creating an ACL, it can be applied to one or more WLANs on the switch. To attach an ACL to a WLAN: 1. Select Security > ACLs from the main menu tree. 2. Click on the Attach-WLAN tab. 3. Click the Add button. 4. Define a WLAN Index between 1 and 256. If editing the ACL configuration, the index is read only and cannot be modified. 5. Use the IP ACL drop-down menu to select an IP ACL to configure for the WLAN interface. 6.
2. Click the Statistics tab. 3. Refer to the following information as displayed within the Statistics tab: Interface Displays the ge1, ge2, ge3, ge4 or VLAN1 interface used to add the ACL association to the switch. As additional VLANs are added beyond the default VLAN1, they too become available. Action Displays the permit, deny or mark designation for the ACL. If the action is to mark, the packet is tagged for priority or “type of service.
6.6 Configuring NAT Information Network Address Translation (NAT) provides the translation of an Internet Protocol (IP) address within one network to a different, known IP address within another network. NAT involves re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall. Most systems use NAT to enable multiple hosts on a private network to access the Internet using a single public IP address.
2. Click on the Dynamic Translation tab. 3. Refer to the following information as displayed within the Dynamic Translation tab (the table has Type, Direction and Access List columns). Type Displays the NAT type as either: • Inside - Applies NAT on packets arriving on interfaces marked as inside. These interfaces should be private networks not accessible from outside (public) networks. • Outside - Applies NAT on packets coming in on interfaces marked as outside.
Interface Defines the interface through which packets are routed. The source IP address and source port number (only if the IP protocol is TCP or UDP) of packets are changed to the interface IP address and a random port number. 4. Select an existing NAT configuration and click the Edit button to modify the settings of this existing NAT configuration. The fields within the Edit screen are similar to those displayed when adding a new NAT configuration. 5.
back to the specific internal private class IP address in order to reach the LAN over the switch managed network. 6. Use the Access List drop-down menu to select the list of addresses used during NAT translation. These addresses (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination. 7.
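The interface-overload translation described in the Interface field above (source address and, for TCP/UDP, source port rewritten to the interface address and a random port), as an added example; it is not the switch's implementation. It keeps the forward and reverse translation entries needed to deliver replies to the right inside host, applies only to sources selected by the access list, and drops unsolicited inbound packets that match no translation. The addresses, ports and the ephemeral port range are constructed assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


class PatTranslator:
    """Dynamic inside NAT with interface overload (PAT), as the Interface field describes."""

    def __init__(self, interface_ip, access_list, rng=None):
        self.interface_ip = interface_ip
        self.access_list = [ipaddress.ip_network(n) for n in access_list]  # addresses subject to NAT
        self.rng = rng or random.Random()
        self.table = {}     # (inside_ip, inside_port, proto) -> global port
        self.reverse = {}   # (proto, global port) -> (inside_ip, inside_port)

    def _eligible(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.access_list)

    def _allocate_port(self, proto):
        # Assumption for the example: a random unused port from the ephemeral range.
        for _ in range(1000):
            port = self.rng.randint(1024, 65535)
            if (proto, port) not in self.reverse:
                return port
        raise RuntimeError("no free global port for %s" % proto)

    def outbound(self, pkt):
        """Packet leaving via the outside interface: rewrite source if the access list selects it."""
        if not self._eligible(pkt.src):
            return pkt                                       # not selected: forwarded unchanged
        if pkt.proto not in ("tcp", "udp"):
            return replace(pkt, src=self.interface_ip)      # only the address changes; no port to overload
        key = (pkt.src, pkt.sport, pkt.proto)
        gport = self.table.get(key)
        if gport is None:                                    # new flow: allocate and remember both directions
            gport = self._allocate_port(pkt.proto)
            self.table[key] = gport
            self.reverse[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.interface_ip, sport=gport)

    def inbound(self, pkt):
        """Reply arriving on the outside interface: map it back to the inside host, or None (dropped)."""
        if pkt.dst != self.interface_ip or pkt.proto not in ("tcp", "udp"):
            return None
        hit = self.reverse.get((pkt.proto, pkt.dport))
        if hit is None:
            return None                                      # no translation exists: unsolicited, dropped
        inside_ip, inside_port = hit
        return replace(pkt, dst=inside_ip, dport=inside_port)


def demo():
    """Constructed traffic: two inside hosts using the same source port, one reply, one non-NAT source."""
    nat = PatTranslator("203.0.113.10", ["192.168.1.0/24"], rng=random.Random(7))
    out1 = nat.outbound(Packet("192.168.1.20", "198.51.100.5", "tcp", 40000, 443))
    out2 = nat.outbound(Packet("192.168.1.21", "198.51.100.5", "tcp", 40000, 443))
    reply = nat.inbound(Packet("198.51.100.5", "203.0.113.10", "tcp", 443, out2.sport))
    skipped = nat.outbound(Packet("10.0.0.9", "198.51.100.5", "tcp", 1234, 80))
    stray = nat.inbound(Packet("198.51.100.5", "203.0.113.10", "tcp", 443, 1))
    return out1, out2, reply, skipped, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The reverse table is the whole point of the random port: two inside hosts that happen to use the same source port still get distinct global ports, so the reply for each can be steered back to the right private address.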
3. Refer to the following information as displayed within the Static Translation tab (the table has Type and Direction columns). Type Displays the NAT type as either: • Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world. • Outside - All other addresses. Usually valid addresses located on the Internet. Outside addresses pose no risk if exposed over a publicly accessible network.
6.6.2.1 Adding a New Static NAT Configuration If the existing NAT configurations displayed prove unsuitable for translation, consider creating a new one. To define a new NAT configuration: 1. Select Security > NAT from the main menu tree. 2. Click on the Static Translation tab. 3. Click the Add button. 4. Define the NAT Type from the drop-down menu. Options include: • Inside - The set of networks subject to translation.
NOTE After selecting (and saving) a protocol type of TCP or UDP (using the Web UI), the switch CLI will not display the selected protocol type or provide an option to configure it. Ensure both the protocol and port are defined using the Web UI. 9. Enter the Global Address to assign to a host in the outside network. This should be interpreted as a secure address. 10. Enter the Global Port used for the translation between the switch and its NAT destination. 11.
3. Refer to the following information as displayed within the Interface tab: Interface Displays the particular VLAN used as the inside or outside NAT type. All defined VLANs are available from the drop-down menu for use as the interface. Type Displays the NAT type as either: • Inside - The set of switch-managed networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world. • Outside - All other addresses.
6.6.4 Viewing NAT Status Use the Status tab to review the NAT translations configured thus far for the switch. The Status tab displays the inside and outside local and global IP addresses. To view and configure a NAT interface: 1. Select Security > NAT from the main menu tree. 2. Click on the Status tab. 3. Refer to the following to assess the validity and total NAT translation configurations available to the switch.
6.7 Configuring IKE Settings IKE (Internet Key Exchange, built on the ISAKMP framework and often referred to by that name) is the negotiation protocol enabling two hosts to agree on how to build an IPSec security association. To configure the switch for virtual private networks, set global IKE parameters that apply system wide and define IKE policies peers negotiate to establish a VPN tunnel. IKE is an IPSec standard protocol used to secure VPN negotiation and remote host or network access.
2. Click the Configurations tab. During IKE negotiations, peers must identify themselves to one another. Thus, the configuration you define is the identification medium for device recognition. 3. Set a Keep Alive interval (in seconds) the switch uses to monitor the continued presence of a peer; the switch reports when the peer is no longer present. The default interval is 10 seconds. 4.
8. Select an existing entry and click the Delete button to remove it. 9. If the properties of an existing peer IP address, key and aggressive mode designation are no longer relevant and cannot be edited, click the Add button to create a new pre-shared key. a.
An IKE policy matches when both peers propose the same encryption, hash, authentication and Diffie-Hellman settings. The SA lifetime must also be less than or equal to the lifetime in the policy sent. If the lifetimes do not match, the shorter lifetime applies. If no match exists, IKE refuses negotiation. To view the current set of IKE policies: 1. Select Security > IKE Settings from the main menu tree. 2. Click the IKE Policies tab. 3.
Authentication Type Displays the authentication scheme used to validate the identity of each peer. Pre-shared keys do not scale well with a growing network but are easier to maintain in a small network. Options include: • Pre-shared Key - Uses pre-shared keys. • RSA Signature - Uses a digital certificate with keys generated by the RSA signatures algorithm. SA Lifetime Displays an integer for the SA lifetime. The default is 60 seconds.
a. Configure a set of attributes for the new IKE policy: Priority Define the priority for the IKE policy. The available range is from 1 to 65,543, with 1 being the highest priority value. Encryption Set the encryption method used to protect the data transmitted between peers. Options include: • DES - 56-bit DES-CBC. The default value. • 3DES - 168-bit Triple DES. • AES - 128-bit AES. • AES 192 - 192-bit AES. • AES 256 - 256-bit AES. DES and 3DES are considered weak by current standards; prefer an AES option wherever the peer supports it.
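An added example (not the switch's code) of the matching rule stated at the start of the IKE Policies section: a responder walks its policies highest priority first, accepts the first one whose encryption, hash, authentication and Diffie-Hellman settings equal the remote proposal, applies the shorter of the two lifetimes, and refuses when nothing matches. The weak_policies() audit, the hash and authentication value names and the DH group numbers are additions for illustration; the policy values are constructed.

```python
from dataclasses import dataclass

ENCRYPTION_OPTIONS = ("des", "3des", "aes", "aes192", "aes256")   # the options on the IKE Policies screen
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {1, 2}      # 768- and 1024-bit MODP groups


@dataclass(frozen=True)
class IkePolicy:
    priority: int            # 1 is the highest priority
    encryption: str          # one of ENCRYPTION_OPTIONS
    hash: str                # "md5" or "sha" (assumed value names)
    authentication: str      # "pre-share" or "rsa-sig" (assumed value names)
    dh_group: int            # Diffie-Hellman group number (assumed)
    lifetime: int            # SA lifetime in seconds

    def __post_init__(self):
        if self.encryption not in ENCRYPTION_OPTIONS:
            raise ValueError("unsupported encryption %r" % self.encryption)
        if self.priority < 1:
            raise ValueError("priority starts at 1")


def proposals_match(a, b):
    """Two policies match only when all four negotiated parameters are identical."""
    return (a.encryption == b.encryption and a.hash == b.hash
            and a.authentication == b.authentication and a.dh_group == b.dh_group)


def negotiate(local_policies, remote):
    """Responder side of phase 1: try local policies highest priority (lowest number) first.

    Returns (matched policy, agreed lifetime) or None when IKE would refuse negotiation."""
    for policy in sorted(local_policies, key=lambda p: p.priority):
        if proposals_match(policy, remote):
            return policy, min(policy.lifetime, remote.lifetime)   # the shorter lifetime applies
    return None


def weak_policies(policies):
    """List (priority, reason) for every policy that would accept a weak parameter."""
    findings = []
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.encryption in WEAK_ENCRYPTION:
            findings.append((policy.priority, "encryption " + policy.encryption))
        if policy.hash in WEAK_HASHES:
            findings.append((policy.priority, "hash " + policy.hash))
        if policy.dh_group in WEAK_DH_GROUPS:
            findings.append((policy.priority, "dh group %d" % policy.dh_group))
    return findings


# Constructed local policy set: a strong certificate-based policy first, then
# two pre-shared-key fallbacks, the last of which a practitioner should remove.
LOCAL_POLICIES = [
    IkePolicy(1, "aes256", "sha", "rsa-sig", 14, 86400),
    IkePolicy(10, "aes", "sha", "pre-share", 2, 86400),
    IkePolicy(20, "3des", "md5", "pre-share", 2, 86400),
]


if __name__ == "__main__":
    print(negotiate(LOCAL_POLICIES, IkePolicy(1, "aes", "sha", "pre-share", 2, 3600)))
    print(negotiate(LOCAL_POLICIES, IkePolicy(1, "aes256", "sha", "pre-share", 14, 86400)))
    print(weak_policies(LOCAL_POLICIES))
```

Because the peer only needs any one of the local policies to match, a weak low-priority fallback is still reachable by a peer that proposes only that combination; the audit function makes such fallbacks visible before they are negotiated.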
2. Click the SA Statistics tab. 3. Refer to the information displayed within SA Statistics tab to discern the following: Index Displays the alpha-numeric name (index) used to identify individual SAs. Phase 1 done Displays whether this index is completed with the phase 1 (authentication) credential exchanged between peers. Created Date Displays the exact date the SA was configured for each index displayed.
4. Select an index and click the Details button to display a more robust set of statistics for the selected index. Use this information to discern whether changes to an existing IKE configuration are warranted or if a new configuration is required. 5. Click the Stop Connection button to terminate the statistic collection of the selected IKE peer. 6.8 Configuring IPSec VPN Use IPSec Virtual Private Network (VPN) to define secure tunnels between two peers.
security association, allows encryption keys to change during IPSec sessions and permits Certification Authority (CA) support for a manageable, scalable IPSec implementation. If you do not want IKE with your IPSec implementation, disable it for IPSec peers. You cannot have a mix of IKE-enabled and IKE-disabled peers within your IPSec network.
6.8.1 Defining the IPSec Configuration Use the IPSec VPN Configuration tab to view the attributes of existing VPN tunnels and modify the security association lifetime and keep alive intervals used to maintain the sessions between VPN peers. From the Configuration tab, transform sets can be created, modified or deleted. 1. Select Security > IPSec VPN from the main menu tree. 2. Click the Configuration tab. 3.
4. Refer to the Transform Sets field to view the following data: Name Displays a transform set identifier used to differentiate transform sets. The index is helpful when transform sets with similar attributes need to be revised or discarded. AH Authentication Scheme Displays the AH Transform Authentication scheme used with the index. Options include: • None - No AH authentication is used. • AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.
4. Revise the following information as required to render the existing transform set useful. Name The name is read-only and cannot be modified unless a new transform set is created. AH Authentication Scheme Select the Use AH checkbox (if necessary) to modify the AH Transform Authentication scheme. Options include: • None - No AH authentication is used. • AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.
5. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. 6. Click OK to use the changes to the running configuration and close the dialog. 7. Click Cancel to close the dialog without committing updates to the running configuration. 6.8.1.2 Adding a New Transform Set A transform set represents a combination of security protocols and algorithms.
ESP Encryption Scheme Select the Use ESP checkbox to define the ESP Encryption Scheme. Options include: • None - No ESP encryption is used with the transform set. • ESP-DES - ESP with the 56-bit DES encryption algorithm. • ESP-3DES - ESP with the 168-bit 3DES encryption algorithm. • ESP-AES - ESP with AES (128 bit key). • ESP-AES 192 - ESP with AES (192 bit key). • ESP-AES 256 - ESP with AES (256 bit key).
2. Click the Remote tab. 3. Refer to the Configuration field to define the following: DNS Server Enter the numerical IP address of the DNS Server used to route information to the remote destination of the IPSec VPN. WINS Server Enter the numerical IP address of the WINS Server used to route information to the remote destination of the IPSec VPN. Apply Click Apply to save any updates made to the screen.
7. To add a new range of IP addresses, click the Add button (within the IP Range tab) and define the range in the fields provided. Click OK when completed to save the changes. 8. Click Cancel to disregard the changes and revert to the last saved configuration. 6.8.3 Configuring IPSec VPN Authentication If IKE is not used for establishing security associations, there is no negotiation of security associations.
radio button) or if no authentication is used for credential verification (by selecting the No Authentication radio button). 4. Enter a NAS ID for the NAS port. The profile database on the Radius server consists of user profiles for each physical network access server (NAS) port connected. Every profile contains a profile matched to a username representing a physical port.
10. Click the Add button to display a screen used to add a new User and Password. Enter a User Name and Password and confirm. Click OK to save the changes. 11. To change an existing user’s password, select the user from within the User Table and click the Change Password button. Change and confirm the updated password. 12. If necessary, select an existing user and click the Delete button to remove that user from the list available within the User Table. 6.8.
2. Click the Crypto Maps tab. The Crypto Maps screen is divided into 5 tabs, each serving a different function in the overall Crypto Map configuration. Refer to the following: • Crypto Map Entries • Crypto Map Peers • Crypto Map Manual SAs • Crypto Map Transform Sets • Crypto Map Interfaces 6.8.4.1 Crypto Map Entries To review, revise or add Crypto Map entries: 1. Select Security > IPSec VPN from the main menu tree. 2.
Number of Peers Displays the number of peers used by each Crypto Map displayed. SA Lifetime (secs) Displays the SA Lifetime (in seconds) that forces the periodic expiration and re-negotiation of peer credentials, continually re-validating the peer relationship. SA Lifetime (Kb) Causes the security association to time out after the specified amount of traffic (in kilobytes) has passed through the IPSec tunnel (using the security association).
c. Use the None, Domain Name or Host Name radio buttons to select and enter the fully qualified domain or host name of the host exchanging identity information. d. Define a SA Lifetime (secs) to define an interval (in seconds) that (when expired) forces a new association negotiation. e. Define a SA Lifetime (Kb) to time out the security association after the specified amount of traffic (in kilobytes) has passed through the IPSec tunnel using the security association. f.
2. Click the Crypto Maps tab and select Peers. 3. Refer to the read-only information displayed within the Peers tab to determine whether a peer configuration (among those listed) requires modification or a new peer requires creation. Priority / Seq # Displays each peer’s Seq # (sequence number) to distinguish one from the other. Crypto Map Name Displays the name assigned to the peer to differentiate it from others with similar configurations.
6. If a new peer requires creation, click the Add button. a. Define the Seq # /Name for the new peer. b. Enter the name of the IKE Peer used with the Crypto Map to build an IPSec security association. 7. Click OK when completed to save the configuration of the new Crypto Map peer. 6.8.4.3 Crypto Map Manual SAs To review, revise or add a Crypto Map using a manually defined security association: 1. Select Security > IPSec VPN from the main menu tree. 2.
3. Refer to the read-only information displayed within the Manual SAs tab to determine whether a Crypto Map with a manually defined security association requires modification or a new one requires creation. Priority / Seq # Displays the Seq # (sequence number) used to determine priority. The lower the number, the higher the priority. Name Displays the name assigned to the security association.
d. Use the ACL ID drop-down menu to permit a Crypto Map data flow using the permissions within the selected ACL. e. Select either the AH or ESP radio button to define whether the Crypto Map’s manual security association is an AH Transform Authentication scheme or an ESP Encryption Transform scheme. The AH SPI or ESP SPI fields and key fields become enabled depending on which radio button is selected. f.
3. Refer to the read-only information displayed within the Transform Sets tab to determine whether a Crypto Map transform set requires modification or a new one requires creation. Priority / Seq # Displays the Seq # (sequence number) used to determine priority. Name Displays the name assigned to the Crypto Map that’s using the transform set. Transform Set Displays the transform set representing a combination of security protocols and algorithms.
2. Click the Crypto Maps tab and select Interfaces. 3. Refer to the following read-only information displayed within the Interfaces tab. Name Lists the name of the Crypto Maps available for the interface. Interface Name Displays the name of the interface through which IPSec traffic flows.
6.8.5 Viewing IPSec Security Associations Refer to the IPSec SAs tab to review the various security associations (SAs) between the local and remote peers comprising an IPSec VPN connection. The IPSec SA tab also displays the authentication and encryption schemes used between the VPN peers as well as other device address information. To display IPSec VPN security associations: 1. Select Security > IPSec VPN from the main menu tree. 2. Click the IPSec SAs tab. 3.
4. Use the page navigation facility (found on top of the table next to the Show Filtering Options link) to view the list of security associations. The switch can display a maximum of 600 security associations. To enable a search through the list, the Security > IPSec VPN screen provides a page navigation facility. Up to 30 security associations display per page. The following navigation and pagination options are available: View All Use this option to view all the SAs in one screen.
6.9 Configuring the Radius Server Remote Authentication Dial-In User Service (Radius) is a client/server protocol and software enabling remote access servers to communicate with the switch to authenticate users and authorize their access to the switch managed network. For an overview on the switch’s Radius deployment, see Radius Overview on page 6-71.
• PEAP and GTC • PEAP and MSCHAPv2 Apart from EAP authentication, the switch allows the enforcement of user-based policies. User-based policies include dynamic VLAN assignment and access based on time of day. The switch uses a default trustpoint. A certificate is required for EAP TTLS, PEAP and TLS Radius authentication (configured with the Radius service). Dynamic VLAN assignment is achieved based on the Radius server response.
6.9.1.2 Authentication of Terminal/Management User(s) The local Radius server can be used to authenticate users. A normal user (with a password) should be created in the local database. These users should not be a part of any group. 6.9.1.3 Access Policy Access policies are defined for a group created in the local database. Each user is authorized based on the access policies defined for the groups to which the user belongs.
authentication source if a user does not exist in the local Server’s database, since the primary method has rejected the authentication attempt. For instructions on configuring an external Radius Server, as well as defining Radius Server settings specific for use with an RFS7000 model switch, see Configuring External Radius Server Support on page 4-43. 6.9.3 Defining the Radius Configuration To configure Radius support on the switch: 1.
7. Click the Revert button to cancel any changes made within the Global Settings field and revert back to the last saved configuration. NOTE The appearance of the bottom portion of the Configuration tab differs depending on whether Clients or Proxy Servers is selected. Select the Clients tab to display the IP Address and Subnet Mask of existing Radius clients. Existing clients can be modified or new clients added. For more information, see Radius Client Configuration on page 6-75.
6.9.3.2 Radius Proxy Server Configuration The switch can send Radius requests to a properly configured proxy Radius server. A user's access request is sent to a proxy server if it cannot be authenticated by a local server. The switch forwards the access request to a proxy server that can authenticate the user based on the realm. The proxy server checks the information in the user access request and either accepts or rejects the request.
6.9.4 Configuring Radius Authentication and Accounting
Deploy one or more Radius servers to configure user authentication, EAP type and the user database. Radius accounting supplies administrators with user data as Radius sessions are started and terminated. To define the Radius authentication and accounting configuration:
1. Select Security > Radius Server from the main menu.
2. Select the Authentication tab.
3.
Cert Trustpoint Click the View/Change button to specify the trustpoint from which the Radius server automatically grants certificate enrollment requests. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. If the server certificate trustpoint is not used, the default trustpoint is used instead.
6. Click the Revert button to cancel any changes made within the screen and revert to the last saved configuration.
6.9.5 Configuring Radius Users
Refer to the Users tab to view the current set of users and groups assigned for the Radius server. The Users tab is employed when Local is selected as the Auth Data Source within the Authentication & Accounting tab. The user information is ignored if an LDAP server is used for authentication.
If the group assignment is insufficient, use the Edit or Add functions to modify/create users or modify their existing group assignments. For guest users, only the password is editable. For normal (non-guest) users, the password and group association can be modified. Modify the existing user's guest designation, password, expiry date and group assignments as required to reflect the user's current local Radius authentication requirements.
5.
Confirm Password Re-enter (confirm) the password used to add the user to the list of approved users displayed within the Users tab.
Current Switch Time Displays the read-only switch time. This is the time against which the expiry date and time is evaluated.
Expiry Date & Time Defines the date and time (in dd:MM:yyyy-hh:mm format) at which users with temporary permissions time out.
Available Groups Use the Available Groups Add -> and Remove <- functions to map groups (for inclusion) for this specific user.
6.9.6 Configuring Radius User Groups
The Groups tab displays a list of all groups in the local Radius server's database. The groups are listed in the order added. The existing configuration for each group is displayed to provide the administrator the option of using a group as is, modifying an existing group's properties or creating a new group. To access the configuration of existing user groups:
1. Select Security > Radius Server from the main menu.
2. Select the Groups tab.
3.
Time of Access End Displays the time at which each group's user base loses access privileges. After this time, users within this group will not be authenticated by the local Radius server. However, if a user is part of a different group that has not exceeded its access interval, the user may still interoperate with the switch (remain authenticated) as part of that group.
4.
Available WLANs Use the Available WLANs Add -> and Remove <- functions to move WLANs for this new group from the available list to the configured list. Once on the configured list (and the changes applied), the members of this group can interoperate with the switch on these WLANs (once authenticated by the local Radius server).
Configured WLANs The Configured WLANs column displays the WLANs this new group can operate within (once users are configured).
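The access-policy rules described in 6.9.1.3 and in the Users and Groups tabs above (a user's expiry date and time, a group's time-of-access window, a group's configured WLANs, and the rule that a user keeps access through any group whose interval has not yet ended) can be written down as one authorization decision. The following is an added example, not code from the switch or the guide; the class and function names, the sample users and groups, and the treatment of a window that ends before it starts (taken here to wrap past midnight, which the guide does not state) are assumptions made for illustration.

```python
"""Local Radius authorization check modelled on the Users and Groups tabs.

Added example, not code from the switch or the guide. Names such as Group,
User and authorize() are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional, Tuple

# The Users tab shows expiry as dd:MM:yyyy-hh:mm; strptime spells that %d:%m:%Y-%H:%M.
EXPIRY_FORMAT = "%d:%m:%Y-%H:%M"


@dataclass(frozen=True)
class Group:
    name: str
    access_start: time          # Time of Access Start
    access_end: time            # Time of Access End
    wlans: FrozenSet[str]       # Configured WLANs for the group


@dataclass(frozen=True)
class User:
    name: str
    guest: bool = False
    expiry: Optional[datetime] = None   # Expiry Date & Time (temporary users only)
    groups: Tuple[str, ...] = ()        # names of the groups this user is mapped to


def parse_expiry(text: str) -> datetime:
    """Parse the expiry string exactly as the Users tab formats it."""
    return datetime.strptime(text, EXPIRY_FORMAT)


def in_access_window(group: Group, now: datetime) -> bool:
    """True while the group's daily access interval is open.

    Assumption (beyond the guide): a window whose end precedes its start,
    e.g. 22:00 to 06:00, is treated as wrapping past midnight.
    """
    t = now.time()
    if group.access_start <= group.access_end:
        return group.access_start <= t < group.access_end
    return t >= group.access_start or t < group.access_end


def authorize(user: User, wlan: str, groups: Dict[str, Group],
              now: datetime) -> Tuple[bool, str]:
    """Decide whether `user` may use `wlan` at `now`.

    Mirrors the guide's rules: an expired temporary user is rejected; a user
    with no group (a terminal/management user) gets no WLAN access; otherwise
    access is granted if ANY group the user belongs to still lies inside its
    access interval and lists the WLAN, even if another group has expired.
    """
    if user.expiry is not None and now >= user.expiry:
        return False, "expiry date and time reached"
    if not user.groups:
        return False, "user is not a member of any group"
    for name in user.groups:
        group = groups[name]
        if wlan in group.wlans and in_access_window(group, now):
            return True, "granted through group " + group.name
    return False, "no group grants this WLAN at this time"


def sample_database() -> Tuple[Dict[str, User], Dict[str, Group]]:
    """Constructed sample data (not from the guide) used by the checks below."""
    groups = {
        "staff": Group("staff", time(8, 0), time(18, 0), frozenset({"corp"})),
        "nightshift": Group("nightshift", time(22, 0), time(6, 0), frozenset({"corp", "ops"})),
        "visitors": Group("visitors", time(9, 0), time(17, 0), frozenset({"guest"})),
    }
    users = {
        "alice": User("alice", groups=("staff",)),
        "bob": User("bob", groups=("staff", "nightshift")),
        "visitor1": User("visitor1", guest=True,
                         expiry=parse_expiry("31:12:2008-17:00"), groups=("visitors",)),
        "admin": User("admin"),   # management user: password only, no group
    }
    return users, groups


if __name__ == "__main__":
    users, groups = sample_database()
    for who, wlan, when in (("alice", "corp", parse_expiry("02:06:2008-10:00")),
                            ("alice", "corp", parse_expiry("02:06:2008-23:30")),
                            ("bob", "corp", parse_expiry("02:06:2008-23:30"))):
        print(who, wlan, when, authorize(users[who], wlan, groups, when))
```

Note that the decision is evaluated against the switch's own clock (the Current Switch Time field), so an incorrect switch time directly changes who is admitted.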
6.9.7 Viewing Radius Accounting Logs
Accounting logs contain information about the use of remote access services by users. This information is of great assistance in partitioning local versus remote users and how to best accommodate each. Remote user information can be archived to a location outside of the switch for periodic network and user permission administration. To display the Radius accounting logs:
1. Select Security > Radius Server from the main menu.
2.
6.10 Creating Server Certificates
Use the Server Certificates screen to view existing self-signed certificate values. The values displayed are read-only.
2. Select the Trustpoints tab. A panel (on the far left of the screen) displays currently enrolled trustpoints. The Server Certificate and CA Root Certificate tabs display read-only credentials for the certificates in use by the switch. A table displays the following Issued To and Issued By details for each:
Issued To
Country (C) Displays the country of usage for which the certificate was assigned.
Organization (O) Displays the organization representing the certificate authority.
Organizational Unit If a unit exists within the organization that is representative of the certificate issuer, that name should be displayed here.
Common Name If there is a common name (IP address) for the organizational unit issuing the certificate, it displays here.
Validity
Issued On Displays the date the certificate was originally issued.
Using the Wizard to Create a New Certificate
To generate a new self-signed certificate or prepare a certificate request:
1. Select the Create new self-signed certificate / certificate request radio button in the wizard and click the Next button. The second page of the wizard contains three editable fields: Select Certificate Operation, Select a Trustpoint, and Specify a key for your new certificate.
2.
Select a trustpoint for the new certificate.
• Use existing trustpoint - Select an existing trustpoint from the drop-down menu.
• Create a new trustpoint - Provide a name for the new trustpoint in the space provided.
To specify the key for the new certificate, select one of the following options:
• Automatically generate a key — Select this option to automatically generate a key for the trustpoint. Generating a new key keeps this certificate on its own key pair instead of sharing one with another trustpoint.
• Use existing key — Select an existing key using the drop-down menu.
If generating a new self-signed certificate (as selected in page 2 of the wizard), the wizard continues the installation. Use the third page of the wizard to enter a unique trustpoint name and other credentials required to create the new certificate.
3. Select the Configure the trustpoint checkbox to enable the new self-signed certificate to be configured as a trustpoint.
4.
Organization Unit Enter an Org. Unit for the name of the organization unit used in the Self-Signed Certificate. By default, it is Wireless Switch Division. This is a required field.
Common Name Define a Common Name for the URL of the switch. This is a required value. The Common Name must match the URL used in the browser when invoking the switch applet; otherwise the browser reports a certificate name mismatch every time the applet is opened.
Email Address Provide an email address used as the contact address for issues relating to this certificate request.
FQDN Enter a fully qualified domain name (FQDN), an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. To distinguish an FQDN from a regular domain name, a trailing period is added (somehost.example.com.). An FQDN differs from a regular domain name by its absoluteness: no search suffix is appended to it.
IP Address Specify the switch IP address used as the switch destination for certificate requests.
11.
6.10.2 Configuring Trustpoint Associated Keys
Trustpoint keys allow a user to use different Rivest, Shamir and Adleman (RSA) key pairs. Therefore, the switch can maintain a different key pair for each certificate, so that the compromise of one key pair does not expose the certificates that use the others. To configure the keys associated with trustpoints:
1. Select Security > Server Certificates from the main menu tree.
2. Select the Keys tab.
6.10.2.1 Adding a New Key
If none of the keys listed within the Keys tab are suitable for use with a certificate, consider creating a new key pair.
1. Select Security > Server Certificates from the main menu tree.
2. Select the Keys tab.
3. Click the Add button at the bottom of the screen.
4. Enter a Key Name in the space provided to specify a name for the new key pair.
5. Define the Key Size between 1024 and 2048 in the space provided. Select 2048; 1024-bit RSA keys are no longer considered adequate.
6.
The drop-down menu contains the log files listed within the Server Certificate screen.
6. Use the To drop-down menu to define whether the target log file is to be sent to the system's local disk (Local Disk) or to an external server (Server).
7. Provide the name of the file to be transferred to the location specified within the Target field.
8. Use the Using drop-down menu to configure whether the log file transfer will be sent using FTP or TFTP. Both protocols send the file and any login credentials in cleartext, so transfer only to a server on a trusted management network.
9.
When enabling an Enhanced Beacon, the switch allows adopted access ports to periodically scan for rogue APs on different channels without disassociating MUs. The beacons collected in the scan are passed on to the switch so required information is gathered to locate a particular rogue AP. Refer to Editing AP Settings on page 4-88 to enable an AP to forward beacons and association information for AP radios to detect rogue APs. The switch uses a set of 802.11a and 802.
4. Use the Scan Interval value to enter the interval the radio waits between scans. The default value is 10 seconds.
5. Use the Scan Time value to enter the duration of the scan. The radio scans each channel for the defined interval. The default value is 100 milliseconds.
6. Use the Max Number of APs value to configure the number of detected APs displayed in the Beacon Found table. The available range is from 0 to 512.
7.
Enable all Select the Enable button (within the 802.11bg Radios field) to enable all the 802.11bg radios to receive enhanced beacons.
Disable all Select the Disable button (within the 802.11bg Radios field) to disable all the 802.11bg radios from receiving enhanced beacons.
9. Click Apply to save changes to the screen. Navigating away from the screen without clicking the Apply button results in changes being discarded.
10.
4. Define a Window Time (from 10 to 60 seconds) to set an interval used by the AP to record MU probe requests. The MU radio probe entry with the highest signal strength during the window period is recorded in the table.
5. Set a Maximum Number of MUs (from 0 to 512) to define the number of MUs configured in the switch table. The default value is 50 MUs.
6. The Preferred MUs table lists the MAC Addresses for all preferred MUs.
7.
2. Select the Beacons Found tab.
3. Refer to the following information as displayed within the Beacons Found tab.
Portal MAC The MAC address of the enhanced beacon supported AP (the adopted access port) that detected the unadopted AP.
Rogue AP MAC The MAC address of the unadopted AP that was detected.
Signal Strength (dBm) The signal strength when the unadopted AP was detected.
Heard Channel The channel frequency when the unadopted AP was detected.
Hear Time The time when the unadopted AP was detected.
6.11.4 Reviewing the Probes Report
Refer to the Probes Found tab to view the enhanced Probe report created by the switch. The table displays probe information collected during the AP's channel scan. The information displayed within the Probes Found tab is read-only with no user configurable parameters. To view the enhanced probes table report:
1. Select Security > Enhanced Probe/Beacon Table from the main menu tree.
2. Select the Probes Found tab.
3.
Switch Management
This chapter describes the Management Access main menu items used to configure the switch. This chapter consists of the following switch management activities:
• Displaying the Management Access Interface
• Configuring Access Control
• Configuring SNMP Access
• Configuring SNMP Traps
• Configuring SNMP Trap Receivers
• Configuring Management Users
NOTE HTTPS must be enabled to access the switch applet.
7.1 Displaying the Management Access Interface
Refer to the main Management Access interface for a high-level overview of the current switch firmware version and the current switch log output configuration. Use this information to discern whether a switch firmware upgrade is required (by checking the Website for a newer version) and if the switch is outputting log data appropriately.
7.2 Configuring Access Control
Refer to the Access Control screen to allow/deny management access to the switch using the different protocols (HTTP, HTTPS, Telnet, SSH or SNMP) available to users. Access options are either enabled or disabled as required. Leave HTTP and Telnet disabled unless they are specifically required: both carry login credentials and session data in cleartext, and HTTPS and SSH provide the same access protected. The Access Control screen is not meant to function as an ACL (in routers or other firewalls), where you can specify and customize specific IPs to access specific interfaces. To configure access control settings:
1.
Retries Define the number of retries the switch uses to connect to the SNMP interface if the first attempt fails. The default value is 3 retry attempts.
Timeout When the provided interval is exceeded, the user is logged out of the SNMP session and forced to re-initiate the connection. The default value is 10 minutes.
Enable HTTP Select this checkbox to enable HTTP access to the switch.
4. Click the Revert button to revert the screen back to its last saved configuration. Changes made since the contents of the screen were last applied are discarded.
7.3 Configuring SNMP Access
Use the SNMP Access menu to view and configure existing SNMP v1/v2 and SNMP v3 values and their current access control settings. You can also view the SNMP V2/V3 events and their current values.
1. Select Management Access > SNMP Access > v1/v2 from the main menu tree.
2. Refer to the Community Name and Access Control parameters for the following information:
Community Name Displays the read-only or read-write name used to associate a site-appropriate name for the community. The name is required to match the name used within the remote network management software. Click the Edit button to modify an existing Community Name. SNMP v1 and v2 send the community name in cleartext in every packet, so treat it as a password: avoid well-known values such as public or private, limit read-write communities to the stations that need them, and prefer SNMP v3 where the management software supports it.
2. Select an existing Community Name from those listed and click the Edit button.
3. Modify the Community Name used to associate a site-appropriate name for the community. The name revised from the original entry is required to match the name used within the remote network management software.
4. Modify the existing read-only (R) access or read/write (RW) access for the community.
2. Select the V3 tab from within the SNMP Access screen.
3. Refer to the fields within the V3 screen for the following information:
User Name Displays a read-only SNMP v3 username of operator or Admin. An operator typically has an Access Control of read-only and an Admin typically has an Access Control of read/write.
Access Control Displays a read-only (R) access or read/write (RW) access for the v3 user.
7.3.2.1 Editing an SNMP v3 Authentication and Privacy Password
The Edit screen enables the user to modify the password required to change the authentication keys. Updating the password requires logging off of the system. Updating the existing password creates new authentication and encryption keys, so every management station that polls the switch with this v3 user must be given the new password as well. To edit an SNMP v3 user profile:
1. Select Management Access > SNMP Access from the main menu tree.
2. Select the v3 tab from within the SNMP Access screen.
3.
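The reason a password change replaces both keys is that SNMP v3 (RFC 3414) never stores the password itself: each key is derived from the password and then localized with the agent's engine ID, so the same password yields a different key on every switch. The following added example, not code from the switch or the guide, implements that derivation in Python; the function names are assumptions, and the known-answer value used to check it is the one published in RFC 3414 Appendix A.3.1.

```python
"""SNMPv3 password-to-key conversion and key localization (RFC 3414, A.2).

Added example, not code from the switch or the guide. It shows why editing an
SNMP v3 user's authentication or privacy password regenerates both keys: the
keys the agent stores are derived from the password and the agent's engine ID.
"""
import hashlib

ONE_MEBIBYTE = 1_048_576


def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Return the localized key Kul for `password` on the engine `engine_id`."""
    if len(password) < 8:
        raise ValueError("RFC 3414 requires passwords of at least 8 octets")
    # Step 1 (Ku): hash the password repeated until exactly 1 MiB has been fed in.
    h = hashlib.new(hash_name)
    repeats, tail = divmod(ONE_MEBIBYTE, len(password))
    h.update(password * repeats + password[:tail])
    ku = h.digest()
    # Step 2 (Kul): localize Ku to this engine so that the same password gives
    # a different key on every agent; an agent only ever holds Kul.
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_user_keys(auth_password: bytes, priv_password: bytes,
                     engine_id: bytes, hash_name: str = "md5") -> dict:
    """Both keys a manager must hold for one v3 user on one engine."""
    return {
        "auth_key": password_to_key(auth_password, engine_id, hash_name),
        "priv_key": password_to_key(priv_password, engine_id, hash_name),
    }


if __name__ == "__main__":
    # Known answer from RFC 3414 Appendix A.3.1 (password "maplesyrup").
    engine = bytes.fromhex("000000000000000000000002")
    print(password_to_key(b"maplesyrup", engine).hex())
```

Because localization is a one-way hash, a key recovered from one switch does not give an attacker the password, nor the key for the same user on another switch; the converse is that a manager must know the password, not a key, to talk to a newly added switch.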
2. Select the Statistics tab from within the SNMP Access screen.
3. Refer to the following read-only statistics displayed within the SNMP Access Statistics screen:
V2/V3 Metrics Displays the individual SNMP Access events capable of having a value tracked for them. The metrics range from general SNMP events (such as the number of SNMP packets in and out) to specific error types that can be used for troubleshooting SNMP events (such as Bad Value and Read-Only errors).
7.4 Configuring SNMP Traps
Use the SNMP Trap Configuration screen to enable or disable traps individually or by functional trap group. It is also used to modify the existing threshold condition values for individual trap descriptions. Refer to the tabs within the SNMP Trap Configuration screen to conduct the following configuration activities:
• Enabling Trap Configuration
• Configuring Trap Thresholds
7.4.
Redundancy Displays a list of sub-items (trap options) specific to the Redundancy (clustering) configuration option. Select an individual trap within this subsection and click the Enable button to enable this specific trap, or highlight the trap family parent item and click Enable all sub-items to enable all traps within the Redundancy category.
Wireless Displays the list of sub-items (trap options) specific to Wireless configuration. These include traps specific to wireless interoperability between the switch and its associated devices. Select an individual trap and click the Enable button to enable a specific trap or highlight the Wireless trap family parent item and click Enable all sub-items to enable all traps within the Wireless category.
5.
2. Click the Wireless Statistics Thresholds tab.
3. Refer to the following information for thresholds descriptions, conditions, editable threshold values and units of measurement.
Threshold Name (Description) Displays the target metric for the data displayed to the right of the item. It defines a performance criterion used as a target for trap configuration.
Threshold Conditions Displays the criteria used for generating a trap for the specific event.
Unit of Threshold Values Displays the measurement value used to define whether a threshold value has been exceeded. Typical values include Mbps, retries and %. For information on specific values, see Wireless Trap Threshold Values on page 7-15.
4. Select a threshold and click the Edit button to display a screen wherein threshold settings for the MU, AP and WLAN can be modified. Each screen is slightly different as threshold parameters are unique.
Table 7.1 Wireless Traps Threshold values
#: 2
Threshold Name: Throughput
Condition: Greater than
Station Range: A decimal number greater than 0.00 and less than or equal to 100000.00
Radio Range: A decimal number greater than 0.00 and less than or equal to 100000.00
WLAN Range: A decimal number greater than 0.00 and less than or equal to 100000.00
Wireless Service Range: A decimal number greater than 0.00 and less than or equal to 100000.
Unit: Mbps
7.5 Configuring SNMP Trap Receivers
Refer to the Trap Receivers screen to review the attributes of existing SNMP trap receivers (including destination address, port, community, retry count, timeout and trap version). A new v2c or v3 trap receiver can be added to the existing list by clicking the Add button. To configure the attributes of SNMP trap receivers:
1. Select Management Access > SNMP Trap Receivers from the main menu tree.
2.
Remove Trap Receivers as needed if the destination address information is no longer available on the system.
5. Click the Add button to display a sub-screen used to assign a new Trap Receiver IP Address, Port Number and v2c or v3 designation to the new trap. Add trap receivers as needed if the existing trap receiver information is insufficient. For more information, see Adding SNMP Trap Receivers on page 7-19.
7.5.
7.5.2 Adding SNMP Trap Receivers
The SNMP Add screen is designed to create a new SNMP trap receiver. Use the Add screen to create a new trap receiver IP Address, Port Number and v2c or v3 designation. Add new destination trap receivers as required to suit the various traps enabled and their function in supporting the switch managed network. To add a new SNMP trap receiver:
1. Select Management Access > SNMP Trap Receivers from the main menu tree.
2.
7.6 Configuring Management Users
Refer to the Users screen to view the administrative privileges assigned to different switch users. You can modify the roles and access modes assigned to each user. The Users screen also allows you to configure the authentication methods used by the switch.
4. Click the Edit button to modify the associated roles and access modes of the selected user. By default, the switch has two users, Admin and Operator. Admin holds the Superuser role and Operator holds the Monitor (read-only) role.
5. Click the Add button to add and assign rights to a new user.
6. Click the Delete button to delete the selected user from the Users frame.
7.6.1.
Help Desk Manager Assign this role to someone who typically troubleshoots and debugs problems reported by the customer. The Help Desk Manager typically runs troubleshooting utilities (like a sniffer), executes service commands, views/retrieves logs and reboots the switch.
Network Administrator The Network Administrator has privileges to configure all wired and wireless parameters like IP config, VLANs, L2/L3 security, WLANs, radios, IDS and hotspot.
4. Enter the new authentication password for the user in the Password field and reconfirm within the Confirm Password field.
5. Select the user role from the options provided in the Associated Roles field. Select one or more of the following options:
Monitor If necessary, modify user permissions without any administrative rights. The Monitor option provides read-only permissions.
7.6.1.3 Creating a Guest Admin and Guest User
Optionally, create a guest administrator for creating guest users with specific usernames, start and expiry times and passwords. Each guest user can be assigned access to specific user groups to ensure they are limited to just the group information they need, and nothing additional. To create a guest administrator:
1. Select Management Access > Users from the main menu tree.
2. Click the Add button.
3.
6. Add guest users by name, start date and time, expiry date and time and user group.
7. Optionally, click the Generate button to automatically create a username and password for each guest user.
8. Repeat this process as necessary until all required guest users have been created with relevant passwords and start/end guest group permissions.
7.6.2 Configuring Switch Authentication
The switch provides the capability to proxy authentication requests to a remote Radius server.
2. Select the Authentication tab.
3. Refer to the Authentication methods field to set a preferred and alternative authentication method:
Preferred Method Select the preferred method for authentication. Options include:
• None - No authentication. Selecting None removes the credential check for management access and should not be used on a production switch.
• Local - The user employs a local user authentication resource. This is the default setting.
• Radius - Uses an external Radius Server.
Alternate Method Select an alternate method for authentication.
Shared secret Displays the shared secret used to verify that Radius messages (with the exception of the Access-Request message) were sent by a Radius-enabled device configured with the same shared secret. The shared secret is a case-sensitive string (password) that can include letters, numbers, or symbols. Ensure the shared secret is at least 22 characters long to protect the Radius server from brute-force attacks, and generate it randomly rather than choosing a word: anyone who captures a single request/response pair can test candidate secrets against it offline.
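The verification the Shared secret field refers to, and the reason the Access-Request is excluded from it, is spelled out in RFC 2865: a reply carries a Response Authenticator that is the MD5 of the packet plus the secret, while the request carries only a random authenticator. The following added example, not code from the switch or the guide, builds and checks such a reply and also shows how the same secret hides a User-Password attribute in Python; the packet contents, attribute values and secret are constructed for illustration, and the function names are assumptions.

```python
"""What the Radius shared secret actually protects (RFC 2865 sections 3 and 5.2).

Added example, not code from the switch or the guide. The packet layout is
the RFC's; the attribute values and the secret below are constructed.
"""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_PASSWORD, REPLY_MESSAGE = 2, 18
HEADER_LEN = 20        # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """A reply (Access-Accept/Reject) as the Radius server would send it."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check a reply against the Request Authenticator we sent and our secret.

    An Access-Request cannot be checked this way: its authenticator is a
    random value, which is why the guide excludes it from the verification.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth,
                                      packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-octet blocks with a chained MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain uses the hidden block, not the plaintext."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def new_shared_secret() -> str:
    """A random secret comfortably above the 22-character minimum the guide asks for."""
    return secrets.token_urlsafe(32)      # 43 URL-safe characters


if __name__ == "__main__":
    secret = b"Kx9#vT2m!qL7pR4w@Zn8bH3j"        # constructed, 24 characters
    request_auth = secrets.token_bytes(16)        # random per Access-Request
    reply = build_response(ACCESS_ACCEPT, 1, request_auth,
                           attribute(REPLY_MESSAGE, b"Welcome"), secret)
    print("accepted with correct secret:", verify_response(reply, request_auth, secret))
    print("accepted with wrong secret:  ", verify_response(reply, request_auth, b"wrong"))
    print("suggested secret:", new_shared_secret())
```

Both constructions are a single MD5 over the secret and captured packet bytes, which is what makes a short or guessable secret testable offline at hash speed; the length requirement in the guide is the only defence RFC 2865 offers against that.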
Time to wait for Radius Server to reply Revise (if necessary) the maximum time (in seconds) the switch waits for the Radius Server's acknowledgment of authentication request packets before the switch times out of the session. The configurable range is between 1 - 1000 seconds.
Encryption key shared with Radius Server Enter the encryption key the switch and Radius Server share and must validate before the user authentication scheme provided by the Radius Server can be initiated.
5.
Time to wait for Radius Server to reply Define the maximum time (in seconds) the switch waits for the Radius Server's acknowledgment of authentication request packets before the switch times out of the session. The configurable range is between 1 - 1000 seconds.
Encryption key shared with Radius Server Enter the encryption key the switch and Radius Server share and must validate before the user based authentication provided by the Radius Server can be initiated.
5.
Diagnostics
This chapter describes the various diagnostic features available for monitoring switch performance. This chapter consists of the following switch diagnostic activities:
• Displaying the Main Diagnostic Interface
• Configuring System Logging
• Reviewing Core Snapshots
• Reviewing Panic Snapshots
• Debugging the Applet
• Configuring a Ping
NOTE HTTPS must be enabled to access the switch applet. Ensure HTTPS access has been enabled before using the login screen to access the switch applet.
8.1 Displaying the Main Diagnostic Interface
Use the main diagnostic screen to monitor the following switch features:
• Switch Environment
• CPU Performance
• Switch Memory Allocation
• Switch Disk Allocation
• Switch Memory Processes
• Other Switch Resources
NOTE When the switch's configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful.
3. The Environment displays the following fields:
• Settings
• Temperature Sensors
• Fans
4. In the Settings field, select the Enable Diagnostics checkbox to enable/disable diagnostics and set the monitoring interval. The monitoring interval is the interval the switch uses to update the information displayed within the CPU, Memory, Disk, Processes and Other Resources tabs. Keep the monitoring interval at a shorter time increment when periods of heavy wireless traffic are anticipated.
2. Select the CPU tab.
3. The CPU screen consists of 2 fields:
• Load Limits
• CPU Usage
4. The Load Limits field displays the maximum CPU load limits for the last 1, 5, and 15 minutes. The limits displayed coincide with periods of increased or decreased switch activity. The maximum CPU load threshold can be manually configured.
5. The CPU Usage field displays the real time CPU consumption values from the switch.
8.1.3 Switch Memory Allocation
Use the Memory tab to periodically assess the switch's memory usage.
1. Select Diagnostics from the main tree menu.
2. Select the Memory tab. The Memory tab displays the following two fields:
• RAM
• Buffer
3. Refer to the RAM field to view the percentage of switch memory in use (in a pie chart format).
4. Refer to the Free Limit value to change the switch's free memory limit.
5. The Buffers field displays buffer usage information. It consists of a table with the following information:
Name The name of the buffer.
Usage The buffer's current usage.
Limit The buffer limit.
6. Click the Apply button to commit and apply the changes.
7. Click the Revert button to revert to the last saved configuration.
8.1.4 Switch Disk Allocation
The Disk tab contains parameters related to the various disk partitions on the switch.
8.1.5 Switch Memory Processes
The Processes tab displays the number of processes in use and percentage of memory usage limit per process.
1. Select Diagnostics from the main tree menu.
2. Select the Processes tab.
3. The Processes tab has 2 fields:
• General
• Processes by highest memory consumption
4. Refer to the General field to review the number of processes in use and percentage of memory usage per process.
8.1.6 Other Switch Resources
The Other Resources tab displays the memory allocation of Packet Buffer, IP Route Cache and File Descriptors.
1. Select Diagnostics from the main tree menu.
2. Select the Other Resources tab. Keep the Cache allocation in line with cache expectations required within the switch managed network.
3. Define the maximum limit for each resource accordingly as you expect these resources to be utilized within the switch managed network.
4.
8.2 Configuring System Logging
Use the System Logging screen for logging system events. It's important to log individual switch events to discern an overall pattern that may be negatively impacting switch performance. The System Logging screen consists of the following tabs:
• Log Options
• File Management
8.2.1 Log Options
Use the Log Options tab to enable logging and define the medium used to capture system events and append them to the log file.
6. Select the Enable Logging to Syslog Server checkbox to enable the switch to log system events and send them to an external syslog server. Selecting this option also enables the Server Facility feature. Use the drop-down menu to select the desired log level for the events forwarded to the syslog server. Forwarding events off the switch preserves a record even if the local log files are later cleared or the switch itself fails.
a. Use the Server Facility drop-down menu to specify the local server facility (if used) for the transfer.
b.
2. Select the File Mgmt tab.
3. The File Mgmt tab displays existing log files. Refer to the following for log file details:
Name Displays a read-only list of the log files (by name) created since the last time the display was cleared. To define the type of log files created, click the Log Options tab to enable logging and define the log level.
Size (Bytes) Displays the log file size in bytes.
7. Click the Transfer Files button to display a sub-screen wherein log files can be sent to an external location (defined by you) using a user-defined file transfer medium. Transferring files is recommended when the log file is frequently cleared, but an archive of the log files is required in a safe location. For more information on transferring individual log files, see Transferring Log Files on page 8-14.
8.2.2.
Severity The Severity level coincides with the logging levels defined within the Log Options tab. Use these numeric identifiers to assess the criticality of the displayed event. The severity levels include:
• 0 - Emergency
• 1 - Alert
• 2 - Critical
• 3 - Errors
• 4 - Warning
• 5 - Notice
• 6 - Info
• 7 - Debug
Mnemonic Use the Mnemonic as a text version of the severity code information.
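When these events are forwarded to a syslog server (Enable Logging to Syslog Server above), each line arrives with a numeric priority that packs the facility selected in Server Facility together with the severity listed here (PRI = facility * 8 + severity, per RFC 3164 and RFC 5424). The following added example, not code from the switch or the guide, decodes that priority and filters a batch of lines down to the severities worth paging on; the sample lines are constructed and do not reproduce the switch's real message text, and the function names are assumptions.

```python
"""Severity triage of syslog lines, using the 0 (Emergency) to 7 (Debug)
scale the guide lists.

Added example, not code from the switch or the guide. The sample lines are
constructed for illustration; the switch's actual message text differs.
"""
import re
from typing import Dict, List, Optional, Tuple

SEVERITY_NAMES = ("Emergency", "Alert", "Critical", "Errors",
                  "Warning", "Notice", "Info", "Debug")

# RFC 3164/5424: a syslog line starts with <PRI>, where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample lines (not switch output). Facility 16 is local0.
SAMPLE_LINES = [
    "<131>Jun  2 10:15:02 rfs7000 radius: authentication failed for user bob from 10.0.0.5",
    "<134>Jun  2 10:15:09 rfs7000 mgmt: admin logged in via https from 10.0.0.9",
    "<129>Jun  2 10:16:40 rfs7000 env: temperature sensor 2 above limit",
    "<135>Jun  2 10:16:41 rfs7000 snmp: packet received",
    "Jun  2 10:17:00 rfs7000 line without a priority field",
    "<8>Jun  2 10:18:00 rfs7000 user: emergency condition reported",
]


def decode_priority(pri: int) -> Tuple[int, int]:
    """Split a PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:            # 24 facilities * 8 severities
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def parse_line(line: str) -> Optional[dict]:
    """Return facility, severity, severity name and message for one line.

    Returns None when the line carries no valid <PRI> field; such lines are
    counted separately rather than silently dropped, since a relay that
    strips the priority also strips the evidence of how urgent the event was.
    """
    m = _PRI_RE.match(line.strip())
    if not m:
        return None
    try:
        facility, severity = decode_priority(int(m.group(1)))
    except ValueError:
        return None
    return {"facility": facility, "severity": severity,
            "name": SEVERITY_NAMES[severity], "message": m.group(2)}


def select(lines: List[str], max_severity: int) -> List[dict]:
    """Events at `max_severity` or more severe (lower numbers are more severe)."""
    out = []
    for line in lines:
        event = parse_line(line)
        if event is not None and event["severity"] <= max_severity:
            out.append(event)
    return out


def count_by_severity(lines: List[str]) -> Dict[str, int]:
    """Histogram of severity names, with an 'unparsed' bucket for bad lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        event = parse_line(line)
        key = event["name"] if event is not None else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for event in select(SAMPLE_LINES, 4):       # Warning and more severe
        print(event["severity"], event["name"], event["message"])
    print(count_by_severity(SAMPLE_LINES))
```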
8.2.2.2 Transferring Log Files
If a system log contains data that may require archiving, consider using the Transfer Files screen to export the log file to an external location (that you designate) where there is no risk of deleting the contents of the log. To transfer a log file to a user specified location:
1. Select Diagnostics > System Logging > File Mgmt from the main menu tree.
2. Select a target log file to transfer and click the Transfer File button.
3.
8.3 Reviewing Core Snapshots
Use the Core Snapshots screen to view the core snapshots (system events and process failures with a .core extension) logged by the system. A core snapshot is a memory image written when a switch process fails; it can contain configuration data and credentials that were in memory at the time, so transfer core files only to a location you control. Once reviewed, core files can be deleted or transferred for archive. To view the core snapshots available on the switch:
1. Select Diagnostics > Core Snapshots from the main menu tree.
2.
8.3.1 Transferring Core Snapshots
Use the Transfer screen to define a source for transferring core snapshot files to a secure location for potential archive. To transfer core snapshots to a user defined location:
1. Select Diagnostics > Core Snapshots from the main menu tree.
2. Select a target file, and select the Transfer Files button.
3. Use the From drop-down menu to specify the location from which the core snapshot file is sent.
8.4 Reviewing Panic Snapshots
Refer to the Panic Snapshots screen for an overview of the panic files available. Typically, panic files refer to switch events interpreted as critical conditions (and thus requiring prompt attention). Use the information displayed within the screen to make informed decisions whether a target file should be discarded or transferred to a secure location for permanent archive. To review the current panic snapshots on the switch:
1.
6. Click the Transfer button to open the transfer dialogue to transfer the file to another location. For more information, see Transferring Panic Files on page 8-18.
8.4.1 Viewing Panic Details
Use the View facility to review the entire contents of a panic snapshot before transferring or deleting the file. The view screen enables you to display the entire file.
To review Panic Snapshots:
1. Select Diagnostics > Panic Snapshots from the main menu.
2.
6. Provide the name of the file to be transferred to the location specified within the File field.
7. If Server has been selected as the target, use the Using drop-down menu to configure whether the panic file transfer will be sent using FTP or TFTP.
8. If Server has been selected as the target, enter the IP Address of the destination server or system receiving the target panic file.
9.
• Send log message to a file.
• Use SNMP v2 only.
• Message severity.
• What kinds of messages should be seen.
3. Select the Send log message to a file checkbox if you wish to store the log message. Enabling this checkbox allows you to select the file location where you wish to store the log message.
4. Select the Use SNMP V2 only checkbox to use SNMP v2 to debug the applet. Check whether you have access to SNMP v2 by clicking on the Test SNMP V2 access button.
1. Select Diagnostics > Ping from the main menu.
2. Refer to the following information displayed within the Configuration tab:

Description
Displays the user-assigned description of the ping test. The name is read-only. Use this title to determine whether this test can be used as is or if a new ping test is required.

Destination IP
Displays the IP address of the target device. This is the numeric destination for the device that is sent the ping packets.
8.6.1 Modifying the Configuration of an Existing Ping Test
The properties of an existing ping test can be modified to ping an existing (known) device whose network address attributes may have changed and require modification to connect (ping) to it.
To modify the attributes of an existing ping test:
1. Select Diagnostics > Ping from the main menu.
2. Highlight an existing ping test within the Configuration tab and select the Edit button.
3.
8.6.2 Adding a New Ping Test
If the attributes of an existing ping test do not satisfy the requirements of a new connection test, and you do not want to modify an existing test, a new test can be created and added to the list of existing ping tests displayed within the Configuration tab.
To create a new ping test and add it to the list of existing tests:
1. Select Diagnostics > Ping from the main menu.
2. Click the Add button at the bottom of the Configuration tab.
3.
4. Click OK to save and add the changes to the running configuration and close the dialog.
5. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click Cancel to return to the Configuration tab without implementing changes.
8.6.
Min RTT
Displays the quickest round trip time for ping packets transmitted from the switch to its destination IP address. This may reflect the time when data traffic was at its lowest for the two devices.

Max RTT
Displays the longest round trip time for ping packets transmitted from the switch to its destination IP address. This may reflect the time when data traffic was at its most congested for the two devices.
Appendix A Customer Support
Motorola’s Enterprise Mobility Support Center
If you have a problem with your equipment, contact Enterprise Mobility support at emb.support@motorola.com
When contacting Enterprise Mobility support, please provide the following information:
• Serial number of the unit
• Model number or product name
• Software type and version number
Motorola responds to calls by email, telephone or fax within the time limits set forth in support agreements.
Appendix B Adaptive AP
B.1 Adaptive AP Overview
An adaptive AP (AAP) is an AP-51XX access point that can adopt like an AP300 (L3). The management of an AAP is conducted by the switch, once the access point connects to a Motorola WS5100 or RFS7000 model switch and receives its AAP configuration.
An AAP provides:
• local 802.11 traffic termination
• local encryption/decryption
• local traffic bridging
• the tunneling of centralized traffic to the wireless switch.
B.1.1 Where to Go From Here
Refer to the following for a further understanding of AAP operation:
• “B.1.2 Adaptive AP Management”
• “B.1.3 Types of Adaptive APs”
• “B.1.4 Licensing”
• “B.1.5 Switch Discovery”
• “B.1.6 Securing a Configuration Channel Between Switch and AP”
• “B.1.7 Adaptive AP WLAN Topology”
• “B.1.8 Configuration Updates”
• “B.1.9 Securing Data Tunnels between the Switch and AAP”
• “B.1.10 Adaptive AP Switch Failure”
• “B.1.
B.1.3 Types of Adaptive APs
Two low-priced AP-5131 SKU configurations are being introduced, allowing customers to take advantage of the adaptive AP architecture and to reduce deployment costs. These dependent mode AP configurations are a software variant of the AP-5131 and will be functional only after the access point is adopted by a wireless switch.
B.1.5 Switch Discovery
For an AP-51XX to function as an AAP (regardless of mode), it needs to connect to a switch to receive its configuration. There are two methods of switch discovery:
• “B.1.5.1 Auto Discovery using DHCP”
• “B.1.5.2 Manual Adoption Configuration”
NOTE To support switch discovery, an RFS7000 model switch must be running firmware version 1.1 or higher. The access point must be running firmware version 2.0 or higher.
B.1.5.
** The AP-51xx uses an encryption key to hash passphrases and security keys. To obtain the encryption passphrase, configure an AP-51xx with the passphrase and export the configuration file.
B.1.5.2 Manual Adoption Configuration
A manual switch adoption of an AAP can be conducted using:
• Static FQDN - A switch fully qualified domain name can be specified to perform a DNS lookup and switch discovery.
B.1.7 Adaptive AP WLAN Topology
An AAP can be deployed in the following WLAN topologies:
• Extended WLANs - Extended WLANs are the centralized WLANs created on the switch.
• Independent WLANs - Independent WLANs are local to an AAP and can be configured from the switch. You must specify a WLAN as independent to stop traffic from being forwarded to the switch. Independent WLANs behave like WLANs on a standalone access point.
B.1.11 Remote Site Survivability (RSS)
RSS can be used to turn off RF activity on an AAP if it loses adoption (connection) to the switch.

RSS State: RSS Enabled
  Independent WLANs: WLAN continues beaconing
  Extended WLANs: WLAN continues beaconing but AP does allow clients to associate on that WLAN

RSS State: RSS Disabled
  Independent WLANs: WLAN stops beaconing
  Extended WLANs: WLAN stops beaconing

NOTE For a dependent AAP, independent WLANs continue to beacon for three days in the absence of a switch.
B.1.
B.2 Supported Adaptive AP Topologies
The following AAP topologies are supported with the RFS7000:
• “B.2.2 Extended WLANs Only”
• “B.2.3 Independent WLANs Only”
• “B.2.3 Extended WLANs with Independent WLANs”
• “B.2.
B.2.1 Topology Deployment Considerations
When reviewing the AAP topologies described in this section, be cognizant of the following considerations to optimize the effectiveness of the deployment:
• An AAP firmware upgrade will not be performed at the time of adoption from the wireless switch. Instead, the firmware is upgraded using the AP-51x1’s firmware update procedure (manually or using the DHCP Auto Update feature).
B.2.4 Extended VLAN with Mesh Networking
Mesh networking is an extension of the existing wired network. There is no special configuration required, with the exception of setting the mesh and using it within one of the two extended VLAN configurations.
NOTE The mesh backhaul WLAN must be an independent WLAN mapped to LAN2.
To avoid a lengthy broken connection with the switch, Motorola recommends generating an SNMP trap when the AAP loses adoption with the switch.
NOTE For additional information (in greater detail) on the AP configuration activities described above, see “B.4.1 Adaptive AP Configuration”.
B.3.3 Configuring the Switch for Adaptive AP Adoption
The tasks described below are configured on an RFS7000 model switch.
B.4.1 Adaptive AP Configuration
An AAP can be manually adopted by the switch, adopted using a configuration file (consisting of the adaptive parameters) pushed to the access point or adopted using DHCP options. Each of these adoption techniques is described in the sections that follow.
B.4.1.1 Adopting an Adaptive AP Manually
To manually enable the access point’s switch discovery method and connection medium required for adoption:
1.
5. Select the Enable AP-Switch Tunnel option to allow AAP configuration data to reach a switch using a secure VPN tunnel.
6. If using IPSec as the tunnel resource, enter the IPSec Passkey to ensure IPSec connectivity.
7. Click Apply to save the changes to the AAP setup.
NOTE The manual AAP adoption described above can also be conducted using the access point’s CLI using the admin(system.aapsetup)> command.
B.4.1.
3. Ensure the Adopt unconfigured radios automatically option is NOT selected. When disabled, there is no automatic adoption of non-configured radios on the network. Additionally, default radio settings will NOT be applied to access ports when automatically adopted.
NOTE For IPSec deployments, refer to “B.4.4. Sample Switch Configuration File for IPSec and Independent WLAN” and take note of the CLI commands in red and associated comments in green.
NOTE Additionally, a WLAN can be defined as independent using the "wlan independent" command from the config-wireless context.
Once an AAP is adopted by the switch, it displays within the switch Access Port Radios screen (under the Network parent menu item) as an AP-5131 or AP-5181 within the AP Type column.
B.4.
B.4.4. Sample Switch Configuration File for IPSec and Independent WLAN
The following constitutes a sample RFS7000 switch configuration file supporting an AAP IPSec with Independent WLAN configuration. Please note new AAP-specific CLI commands in red and relevant comments in blue. The sample output is as follows:
!
! configuration of RFS7000 RFS7000-1 version 1.1.0.0-016D
!
version 1.
!
ip http server
ip http secure-trustpoint default-trustpoint
ip http secure-server
ip ssh
no service pm sys-restart
timezone America/Los_Angeles
license AP xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxxyxyxyx
!
wireless
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 vlan 200
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 Symbol123
wlan 2 enable
wlan 2 ssid qs5-
radio 1 rss enable
radio add 2 00-15-70-00-79-30 11a aap5131
radio 2 bss 1 5
radio 2 bss 2 1
radio 2 bss 3 2
radio 2 channel-power indoor 48 8
radio 2 rss enable
radio 2 base-bridge max-clients 12
radio 2 base-bridge enable
radio add 3 00-15-70-00-79-12 11bg aap5131
radio 3 bss 1 3
radio 3 bss 2 4
radio 3 bss 3 2
radio 3 channel-power indoor 6 8
radio 3 rss enable
radio add 4 00-15-70-00-79-12 11a aap5131
radio 4 bss 1 5
radio 4 bss 2 6
radio 4 channel-power indoor 48 4
radio
switchport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170,
switchport trunk allowed vlan add 180,190,200,210,220,230,240,250,
static-channel-group 1
!
interface ge2
switchport access vlan 1
!
interface ge3
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan none
switchport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170,
switchport trunk allowed vlan add 180,190,200,210,220,230,240,250,
static-channel-
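As an added example (not code from this manual or from Motorola), the following Python script reads a configuration listing in the format shown above and reports the AAP-related settings this appendix calls out: the adopt-unconf-radio setting from B.4, cleartext HTTP management, WLAN passphrases stored in cleartext, and AAP radios without RSS (B.1.11). The embedded listing is a constructed, trimmed copy of the sample with a placeholder license key; reading "phrase 0" as a cleartext passphrase and "ip http server" as plain HTTP management are assumptions.

```python
import re

# Constructed sample: a trimmed copy of the B.4.4 listing above with a
# placeholder license key. Not a real switch export.
SAMPLE_CONFIG = """\
!
! configuration of RFS7000 RFS7000-1 version 1.1.0.0-016D
!
ip http server
ip http secure-server
license AP LICENSE-KEY-PLACEHOLDER
!
wireless
no adopt-unconf-radio enable
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 Symbol123
radio add 2 00-15-70-00-79-30 11a aap5131
radio 2 rss enable
radio add 3 00-15-70-00-79-12 11bg aap5131
"""

def audit_aap_config(text):
    """Return findings for an RFS7000-style config listing (one command per line)."""
    cmds = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]  # drop comments/blanks
    findings = []
    # B.4 step 3: unconfigured radios must not be adopted automatically.
    if "no adopt-unconf-radio enable" not in cmds:
        findings.append("adopt-unconf-radio: unconfigured radios are adopted automatically")
    # Assumption: 'ip http server' enables cleartext HTTP management next to HTTPS.
    if "ip http server" in cmds:
        findings.append("ip http server: cleartext HTTP management enabled")
    # Assumption: '0' after 'phrase' means the passphrase was entered in cleartext,
    # so anyone who obtains the exported file can read it.
    for c in cmds:
        m = re.fullmatch(r"wlan (\d+) dot11i phrase 0 \S+", c)
        if m:
            findings.append(f"wlan {m.group(1)}: cleartext dot11i passphrase in config")
    # B.1.11: with RSS disabled, an AAP's WLANs stop beaconing if adoption is lost.
    aap_radios = {m.group(1) for c in cmds
                  if (m := re.fullmatch(r"radio add (\d+) \S+ \S+ aap51\d\d", c))}
    rss_radios = {m.group(1) for c in cmds
                  if (m := re.fullmatch(r"radio (\d+) rss enable", c))}
    for r in sorted(aap_radios - rss_radios, key=int):
        findings.append(f"radio {r}: RSS disabled, WLANs stop beaconing on lost adoption")
    return findings
```

Run it against a real exported configuration by passing the file contents to audit_aap_config; the sample above yields three findings (plain HTTP, the wlan 1 passphrase, and radio 3 without RSS).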
MOTOROLA INC.
1303 E. ALGONQUIN ROAD
SCHAUMBURG, IL 60196
http://www.motorola.