background image

Deployment Guide

3

HiveAP Compliance Information

Federal Communication Commission Interference 

Statement

This equipment has been tested and found to comply with the limits for

a Class B  digital device,  pursuant  to  Part 15  of the FCC  Rules.  These

limits  are  designed  to  provide  reasonable  protection  against  harmful

interference  in  a  residential  installation.  This  equipment  generates,

uses and  can radiate radio frequency energy  and, if not installed and

used  in  accordance  with  the  instructions,  may  cause  harmful

interference to radio communications. However, there is no guarantee

that  interference  will  not  occur  in  a  particular  installation.  If  this

equipment  does  cause  harmful  interference  to  radio  or  television

reception, which can be determined by turning the equipment off and

on, the user is encouraged to try to correct the interference by one of

the following measures:

Reorient or relocate the receiving antenna

Increase the separation between the equipment and receiver

Connect the equipment into an outlet on a circuit different from

that to which the receiver is connected

Consult the dealer or an experienced radio/TV technician for help

FCC Caution:

 Any changes or modifications not expressly approved by

the party responsible for compliance could void the user's authority to

operate this equipment. This device complies with Part 15 of the FCC

Rules.  Operation  is  subject  to  the  following  two  conditions:  (1)  This

device  may  not cause  harmful  interference,  and  (2)  this  device  must

accept  any  interference  received,  including  interference  that  may

cause undesired operation.

Important: FCC Radiation Exposure Statement

This equipment complies  with  FCC radiation exposure limits set forth

for  an  uncontrolled  environment.  This  equipment  should  be  installed

and  operated  with  a  minimum  distance  of  20  centimeters  (8  inches)

between the radiator and your body. This transmitter must not be co-

located  or  operating  in  conjunction  with  any  other  antenna  or

transmitter.

Wireless 5 GHz Band Statements

High power radars are  allocated as primary  users (meaning they have

priority) of the 5250-5350 MHz and 5650-5850 MHz bands. These radars

could cause  interference and/or  damage  to the HiveAP  when  used  in

Canada.

The term "IC" before the radio certification number only signifies that

Industry Canada technical specifications were met.

Industry Canada - Class B

This digital apparatus does not exceed the Class B limits for radio noise

emissions from digital apparatus as set out in the interference-causing

equipment  standard  entitled  "Digital  Apparatus,"  ICES-003  of  Industry

Canada.

Cet appareil num

é

rique respecte les limites de bruits radio

é

lectriques

applicables  aux  appareils  num

é

riques  de  Classe  B  prescrites  dans  la

norme  sur  le  mat

é

rial  brouilleur:  "Appareils  Num

é

riques,"  NMB-003

é

dict

é

e par l'Industrie.

EC Conformance Declaration

Marking  by  the  above  symbol  indicates  compliance  with  the  Essential

Requirements of the R&TTE Directive of the European Union (1999/5/

EC). This equipment meets the following conformance standards:

EN 60950-1 (IEC 60950-1) - Product Safety

EN 301 893 - Technical requirements for 5 GHz radio equipment

EN 300 328 - Technical requirements for 2.4 GHz radio equipment

EN  301  489-1  /  EN  301  489-17  -  EMC  requirements  for  radio

equipment

Countries of Operation and Conditions of Use in the 

European Community

This device is intended to be operated in all countries of the European

Community.  Requirements  for  indoor  vs.  outdoor  operation,  license

requirements  and  allowed  channels  of  operation  apply  in  some

countries as described below.

Note:

  The  user  must  use  the  configuration  utility  provided  with  this

product to ensure the channels of operation are  in conformance with

the  spectrum  usage  rules  for  European  Community  countries  as

described below.

This device requires that the user or installer properly enter the

current  country  of  operation  in  the  command  line  interface  as

described in the user guide, before operating this device.

This  device  will  automatically  limit  the  allowable  channels

determined  by  the  current  country  of  operation.  Incorrectly

entering the country of operation may result in illegal operation

and may cause harmful interference to other systems. The user is

obligated  to  ensure  the  device  is  operating  according  to  the

channel  limitations,  indoor/outdoor  restrictions  and  license

requirements for each European Community country as described

in this document.

This  device  employs  a  radar  detection  feature  required  for

European Community operation in the 5 GHz band. This feature is

automatically enabled when the country of operation is correctly

configured for any European Community country. The presence of

nearby  radar  operation  may  result  in  temporary  interruption  of

operation  of  this  device.  The  radar  detection  feature  will

automatically restart operation on a channel free of radar.

The 5 GHz Turbo Mode feature is not allowed for operation in any

European Community country. The current setting for this feature

is found in the 5 GHz 802.11a Radio Settings Window as described

in the user guide.

The  5  GHz  radio's  Auto  Channel  Select  setting  described  in  the

user guide must always remain enabled to ensure that automatic 5

GHz channel selection complies with European requirements. The

current setting for this feature is found in the 5 GHz 802.11a Radio

Settings Window as described in the user guide.

This  device  is  restricted  to  indoor  use  when  operated  in  the

European Community using the 5.15 - 5.35 GHz band: Channels 36,

40,  44,  48,  52,  56,  60,  64.  See  table  below  for  allowed  5  GHz

channels by country.

This device may be operated indoors or outdoors in all countries of

the European Community using the 2.4 GHz band: Channels 1 - 13,

except where noted below.

Summary of Contents for HiveAP 20 ag

Page 1: ...Aerohive Deployment Guide...

Page 2: ...marks and registered trademarks are the property of their respective companies Information in this document is subject to change without notice No part of this document may be reproduced or transmitte...

Page 3: ...pareils Num riques NMB 003 dict e par l Industrie EC Conformance Declaration Marking by the above symbol indicates compliance with the Essential Requirements of the R TTE Directive of the European Uni...

Page 4: ...z Channels in Each European Community Country Allowed Frequency Bands Allowed Channel Numbers Countries 5 15 5 25 GHz 36 40 44 48 Austria Belgium 5 15 5 35 GHz 36 40 44 48 52 56 60 64 France Switzerla...

Page 5: ...r SELV Bedingungen betrieben werden Power Cord Set U S A and Canada The cord set must be UL approved and CSA certified Minimum specifications for the flexible cord No 18 AWG not longer than 2 meters o...

Page 6: ...HiveAP Compliance Information 6 Aerohive...

Page 7: ...nager 23 Installing and Connecting to the HiveManager GUI 25 Introduction the the HiveManager GUI 28 Detaching Windows 29 Cloning Configurations 29 Sorting Displayed Data 30 Multiselecting 30 HiveMana...

Page 8: ...iveOS 65 Common Default Settings and Commands 66 Configuration Overview 67 Device Level Configurations 67 Policy Level Configurations 68 Chapter 6 Deployment Examples CLI 69 Example 1 Deploying a Sing...

Page 9: ...ibuted control WLAN solution that offers greater mobility security quality of service and radio control This guide combines product information with installation instructions This chapter covers the f...

Page 10: ...operate at either of the two radio frequencies 2 4 GHz for IEEE 802 11b g and 5 GHz for IEEE 802 11a For details see Antennas on page 14 Status LEDs The status LEDs convey operational states for syste...

Page 11: ...justs for 802 3af Alternative A and B methods of PoE Reset Button The reset button allows you to reboot the device or reset the HiveAP to its factory default settings Insert a paper clip or something...

Page 12: ...able with an RJ 45 Connector 802 3af Alternative A Data and Power on the Same Wires 802 3af Alternative B Data and Power on Separate Wires Pin Data Signal MDI MDI X MDI or MDI X 1 Transmit DC DC 2 Tra...

Page 13: ...ined below Power Dark No power Steady green Powered on and the firmware is running normally Steady amber Firmware is booting up or is being updated Blinking amber Alarm indicating firmware failure LAN...

Page 14: ...ional Radiation Pattern The pair of fixed dual band antennas can operate at different frequencies concurrently one antenna at 2 4 GHz IEEE 802 11b g and the other at 5 GHz IEEE 802 11a and they can al...

Page 15: ...command If you do not enter this command the subinterface uses the remaining fixed antenna that remains connected to radio 2 the external antenna only disables the adjacent fixed antenna MOUNTING THE...

Page 16: ...x 2 5 cm H x 12 5 cm D Weight 1 5 lb 0 68 kg Antennas Two fixed dual band 802 11a b g antennas and two RP SMA connectors for detachable single band 802 11a or 802 11b g antennas Serial port DB 9 bits...

Page 17: ...llations of HiveAPs Template based configurations that simplify the deployment of large numbers of HiveAPs Scheduled firmware upgrades on HiveAPs by location Exportation of detailed information on Hiv...

Page 18: ...make a console connection using an RS 232 or null modem cable The pin assignments are the same as those on the HiveAP see Ethernet and Console Ports on page 12 The management station from which you m...

Page 19: ...ptimum operating temperature Be sure that air flow through the system fan vents is not obstructed Serial Number The serial number AC Power Inlet The three prong AC power inlet is a C14 chassis plug th...

Page 20: ...follows Bits per second 9600 Data bits 8 Parity none Stop bits 1 Flow control none Status LEDs The two status LEDs on the front of the HiveManager indicate various states of activity through their co...

Page 21: ...ending on the layout of your equipment rack you might need to mount the HiveManager in reverse To do that move the brackets to the left and right sides near the rear before mounting it Figure 5 Mounti...

Page 22: ...H x 15 13 16 D 42 7 cm W x 4 4 cm H x 40 2 cm D Weight 13 75 lb 6 24 kg Serial port male DB 9 RS 232 port bits per second 9600 data bits 8 parity none stop bits 1 flow control none USB port standard T...

Page 23: ...roaming and automatic RF radio frequency management On the management plane the HiveManager provides centralized configuration monitoring and reporting of multiple HiveAPs These three planes are shown...

Page 24: ...the HiveManager GUI including a summary of the configuration workflow Finally the chapter concludes with the procedures for updating HiveAP firmware and HiveManager software The sections are as follow...

Page 25: ...able to connect the HiveManager to the network you must first set the IP address netmask of its MGT interface so that it is in the subnet to which you plan to cable it To do this you can use the star...

Page 26: ...traffic Both the HiveManager and HiveAP management traffic would need to flow on the operational network because the MGT interface would need to be on that network so that the HiveManager could commun...

Page 27: ...owser window might appear blank for several seconds at the start This is normal After a few seconds a download status bar appears onscreen that allows you to monitor the progress of the download and i...

Page 28: ...nfigurations to multiple HiveAPs at once A brief overview of this functionality is presented in the following sections Main Window This is the primary window in which you set and view various paramete...

Page 29: ...Window Cloning Configurations When you need to configure multiple similar objects you can save time by configuring just the first object cloning it and then making slight modifications to the subseque...

Page 30: ...to make the same modifications to all of them at one time Figure 8 Selecting Two User Profiles to Change the Comment By default displayed objects are sorted alphabetically by name By clicking the head...

Page 31: ...ain and is enabled by default on all HiveAPs If the HiveAPs and HiveManager are in different subnets then you must configure the DHCP server to include option 225 in its responses to DHCPDISCOVER and...

Page 32: ...e file If the file is in the root directory of the TFTP server you can leave this field empty Image Name Type the name of the HiveOS image file 5 Click HiveAP Management Managed HiveAPs 6 In the Manag...

Page 33: ...ype the directory path and software file name or click Browse navigate to the software file and select it 2 Click OK to save the new software and reboot the HiveManager later or Reset to reboot the Hi...

Page 34: ...server the default port number for TFTP is 69 Image Path Enter the path to the HiveOS image file If the file is in the root directory of the TFTP server you can leave this field empty Image Name Type...

Page 35: ...s The general design of the deployment is shown in Figure 1 Figure 1 Deployment Overview You can look at any of the following examples individually to study how to configure a specific feature or view...

Page 36: ...e 49 Define sets of authentication and encryption services that wireless clients and HiveAPs use when communicating with each other Example 5 Setting Management Service Parameters on page 52 Configure...

Page 37: ...r GUI you create a png file showing the three buildings HQ B1 HQ B2 and Branch 1 By using this drawing at the top level you can display icons for each floor of each building You can then click an icon...

Page 38: ...level names Default Icon floor Default Map Click Browse select corp_offices png and then click Select Level 2 Level Name HQ B1 F1 Note that spaces are not allowed in map level names Default Icon floo...

Page 39: ...lect the icon drag it to the position where you want it to be and then click Save After adding the CorpOffices map really an illustration showing three buildings two floor plans for the first and seco...

Page 40: ...format and string2 is the name of the map snmp location string1 string2 For example if you install a HiveAP in the northwest corner on the first floor of building 1 enter snmp location northwest_corn...

Page 41: ...e 000120 to be able to distinguish it from other HiveAPs later 1 Make copies of the maps you uploaded to the HiveManager label them and take them with you when installing the HiveAPs 2 When you instal...

Page 42: ...o that they can prioritize it see Example 3 Defining User Profiles and QoS Settings on page 45 You also define a MAC filter using the same OUI for use when configuring an SSID to which you only want V...

Page 43: ...ss 6 Although all these services are critical for IP telephony to function properly voice traffic is the least resistant to delay and TFTP and HTTP file downloads are the most resistant Therefore you...

Page 44: ...n Permit Map to Class 2 Best Effort 1 Comment For phone file downloads Logging Select the check box to enable the logging of traffic classified to this class Clear the check box to disable logging 9 T...

Page 45: ...and visiting guests The user profile settings maximum traffic forwarding rates and the WRR weighted round robin weights for each user profile is shown in Figure 7 Figure 7 User Profiles and their For...

Page 46: ...The weight defines a preference for forwarding traffic It does not specify a percentage or an amount Its value is relative to other weights However you can see an automatically calculated percentage...

Page 47: ...ile 1 Click HiveAP Configuration QoS Policies User Profiles IT Clone button The Clone User Profile dialog box appears 2 In the Profile Name field type Emp and then click OK The Emp User Profile dialog...

Page 48: ...bandwidth that all users belonging to this profile can use This setting provides guests with a basic amount of available traffic Entire User Profile Weight 5 Because wireless access for guests is main...

Page 49: ...n method CCMP AES Authentication method EAP 802 1X Employees use the RADIUS server specified in Setting AAA RADIUS Settings on page 55 to authenticate themselves using IEEE 802 1X guest Key method Aut...

Page 50: ...sts can only associate with the guest SSID because that is the only one the receptionist tells them about when they arrive voip SSID 1 Click HiveAP Configuration SSID Profiles Add button The New SSID...

Page 51: ...is is read only because the key management choice requires this authentication method guest SSID 1 Click HiveAP Configuration SSID Profiles Add button The New SSID Profile dialog box appears 2 On the...

Page 52: ...agement services set hq you define parameters for the following services Two DNS Domain Name Service servers one primary and one secondary DNS server both at headquarters One syslog server and one SNM...

Page 53: ...e critical the HiveAP sends the syslog server all messages whose severity level is critical alert or emergency If you choose emergency the HiveAPs send only emergency level messages Comment Type a use...

Page 54: ...tem clock with the server The default interval is 1440 minutes once a day The possible range is from 60 minutes once an hour to 10 080 minutes once a week NTP Server Configuration Click Add enter the...

Page 55: ...Process 1 Click HiveAP Configuration AAA RADIUS Add button The New RADIUS Profile dialog box appears 2 Enter the following RADIUS Configuration Name auth 1 You cannot use spaces in the RADIUS profile...

Page 56: ...ialog box click OK RADIUS Server Attributes On the two RADIUS servers also referred to as RADIUS home servers define the HiveAPs as RADIUS clients 1 Also configure the following attributes for the rea...

Page 57: ...ations are more appropriately applied to smaller sets of devices or at the individual device level itself In this example you create device group hq1 for the corporate headquarters and add user group...

Page 58: ...ed to a different radio operating in separate frequency bands Radio 1 supports IEEE 802 11b g and operates in the 2 4 GHz band and radio 2 supports IEEE 802 11a and operates in the 5 GHz band This is...

Page 59: ...Bind Radio Mode 11b g 13 Click in the empty User Profile cell to activate the drop down list choose Guests select Default set the VLAN ID as 3 and then click OK The New SSID User Profile VLAN Mapping...

Page 60: ...racters If the string has any blank spaces enclose the entire string within double quotation marks for example password string Hive2 1 Click HiveAP Configuration Hive Profiles Hive1 Clone button The C...

Page 61: ...re 13 Figure 13 Assigning Device Settings to HiveAPs In addition to assigning device settings to the HiveAPs you also change their login settings Finally you update the HiveAPs with the new configurat...

Page 62: ...In the HiveAP dialog box click the General tab and then enter the following Device Group Choose the device group that you want to assign to the selected HiveAPs In this example there are two device gr...

Page 63: ...selected HiveAPs The password can be any alphanumeric string from 5 to 8 characters Confirm Password To confirm the accuracy of the password enter it again The HiveManager sends the new login setting...

Page 64: ...Chapter 4 HiveManager Examples 64 Aerohive...

Page 65: ...n provide the following services that autonomous APs cannot Consistent QoS quality of service policy enforcement across all hive members Coordinated and predictive wireless access control that provide...

Page 66: ...mode access backhaul wifi0 radio profile radio_g0 wifi1 radio profile radio_a0 To change the radio profile of the wifi0 or wifi1 interface to a different previously defined profile interface wifi0 wi...

Page 67: ...he management of a HiveAP and its connectivity to wireless clients the wired network and other hive members The following list contains some key areas of device level configurations and relevant comma...

Page 68: ...ation authorization and accounting settings for IEEE 802 1X authentication aaa radius server While the configuration of most HiveOS features involves one or more related commands to define and apply a...

Page 69: ...hem sequentially Doing so will help build an understanding of the fundamentals involved in configuring HiveAPs If you want to view just the CLI commands used in the examples see CLI Commands for Examp...

Page 70: ...twork Step 1 Log in through the console port 1 Connect the power cable from the DC power connector on the HiveAP to the AC DC power adaptor that ships with the device as an option and connect that to...

Page 71: ...ne its protocol suite and preshared key N38bu7Adr0n3 in standard ASCII American Standard Code for Information Interchange text interface wifi0 1 ssid employee You assign the SSID to the subinterface w...

Page 72: ...led POE for Power over Ethernet on the chassis automatically receives its IP address through DHCP Dynamic Host Configuration Protocol Step 5 Check that clients can form associations and access the net...

Page 73: ...HiveAP 1 and 2 over a wireless link see Figure 2 Figure 2 Three HiveAPs in a Hive Note The security protocol suite for hive communications is WPA AES psk Note If all hive members can communicate over...

Page 74: ...ement for QoS Quality of Service and security hive hive1 password s1r70ckH07m3s You define the password that hive members use to derive the preshared key for securing backhaul communications with each...

Page 75: ...2 to send backhaul communications to each other wirelessly as a backup path in case either member loses its wired connection to the network 2 Connect an Ethernet cable from the PoE port on HiveAP 2 to...

Page 76: ...Chapter 6 Deployment Examples CLI 76 Aerohive 6 Check that HiveAP 3 has associated with the other members at the wireless level...

Page 77: ...ty with each other associate a client in wireless network 1 with HiveAP 1 the SSID employee is already defined on clients in wireless network 1 see Deploying a Single HiveAP Then check if HiveAP 1 for...

Page 78: ...the following modifications to the hive set up in Deploying a Hive Configure settings for the RADIUS server on the HiveAPs Change the SSID parameters on the HiveAPs and wireless clients to use IEEE 8...

Page 79: ...define HiveAP 1 as an access device on the RADIUS server in step 5 exit Step 3 Configure HiveAP 2 and HiveAP 3 1 Log in to HiveAP 2 through its console port 2 Configure HiveAP 2 with the same commands...

Page 80: ...on and connect to the employee SSID Then contact a network resource such as a web server 2 Log in to the HiveAP CLI and check that you can see the MAC address or the associated client and an indicatio...

Page 81: ...Protocol version 3 on TCP port 110 Then you create classifier profiles that reference these traffic to class mappings You bind the profiles to the wifi0 1 and eth0 interfaces so that hive members map...

Page 82: ...dicate the user group to which the hive members then assign users Note The HiveAP assigns all traffic that you do not specifically map to an Aerohive class to class 2 which by default uses WRR with a...

Page 83: ...ou can prioritize e mail traffic above other types of traffic that the HiveAP assigns to class 2 by default 3 Map services to Aerohive classes qos classifier map service mms qos 5 qos classifier map s...

Page 84: ...fic When you enter any one of the above commands the HiveAP automatically sets the maximum bandwidth for all members of the user group to which you later apply this policy and the bandwidth for any in...

Page 85: ...ing to the user profile employee net with group ID 2 On the RADIUS server you must configure group ID 2 as one of the RADIUS attributes that the RADIUS server returns when authenticating users see ste...

Page 86: ...ve config exit 3 Log in to HiveAP 3 and enter the same commands Step 5 Configure RADIUS server attributes 1 Log in to the RADIUS server and define the three HiveAPs as RADIUS clients 2 Configure the f...

Page 87: ...on page 70 ssid employee ssid employee security protocol suite wpa auto psk ascii key N38bu7Adr0n3 interface wifi0 1 ssid employee save config Commands for Example 2 Enter the following commands to c...

Page 88: ...nfigure the hive members to support IEEE 802 1X authentication in Using IEEE 802 1X Authentication on page 78 HiveAP 1 aaa radius server first 10 1 1 10 shared secret s3cr3741n4bl0X ssid employee secu...

Page 89: ...s classifier profile wifi0 1 voice service qos classifier profile eth0 voice mac qos classifier profile eth0 voice service interface wifi0 1 qos classifier wifi0 1 voice interface eth0 qos classifier...

Page 90: ...vice mms tcp 1755 service smtp tcp 25 service pop3 tcp 110 qos classifier map service mms qos 5 qos classifier map service smtp qos 3 qos classifier map service pop3 qos 3 qos classifier profile wifi0...

Reviews: