Extreme Networks Summit WM3000 Series Reference Manual Download Page 309 | Manualshive

Page: 309 / 513

background image

Summit WM3000 Series Controller System Reference Guide

309

7

Controller Security

This chapter describes the security mechanisms available to the controller. This chapter describes the
following security configuration activities:

●

Displaying the Main Security Interface on page 309

●

AP Intrusion Detection on page 310

●

Configuring Firewalls and Access Control Lists on page 319

●

Configuring NAT Information on page 356

●

Configuring IKE Settings on page 366

●

Configuring IPSec VPN on page 374

●

Configuring the Radius Server on page 396

●

Creating Server Certificates on page 411

Displaying the Main Security Interface

Refer to main

Security

interface for a high level overview of device intrusion and controller access

permission options.

NOTE

When the controller’s configuration is successfully updated (using the Web UI), the affected screen is closed without
informing the user their change was successful. However, if an error were to occur, the error displays within the
affected screen’s Status field remains displayed. In the case of file transfer operations, the transfer screen remains
open during the transfer operation and remains open upon completion (with status displayed within the Status field).

To view main menu security information:

«
...
307
308
309
310
311
...
»

Summary of Contents for Summit WM3000 Series

Page 1: ... Monroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com Published December 2009 Part Number 100352 00 Rev 01 Summit WM3000 Series Controller System Reference Guide Software Version 4 0 ...

Page 2: ...SummitStack Triumph Unified Access Architecture Unified Access RF Manager UniStack the Extreme Networks logo the Alpine logo the BlackDiamond logo the Extreme Turbodrive logo the Summit logos and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks Inc or its subsidiaries in the United States and or other countries sFlow is a registered trademark of InMon Corp...

Page 3: ...ogging 18 Process Monitor 18 Hardware Abstraction Layer and Drivers 19 Redundancy 19 Secure Network Time Protocol SNTP 19 Wireless Switching 20 Physical Layer Features 20 Proxy ARP 21 HotSpot IP Redirect 21 IDM Identity Driven Management 21 Voice Prioritization 22 Wireless Capacity 22 AP Load Balancing 22 Wireless Roaming 23 Power Save Polling 23 QoS 23 Wireless Layer 2 Switching 24 Automatic Chan...

Page 4: ...ard Details 46 Summit WM3600 Controller Dashboard 47 Summit WM3700 Controller Dashboard 49 Viewing Controller Statistics 51 Viewing Controller Port Information 53 Viewing the Port Configuration 53 Editing the Port Configuration 55 Viewing the Ports Runtime Status 57 Reviewing Port Statistics 57 Detailed Port Statistics 59 Viewing the Port Statistics Graph 60 Power over Ethernet PoE 61 Editing Port...

Page 5: ...tual Interface 103 Viewing Virtual Interface Statistics 104 Viewing Virtual Interface Statistics 106 Viewing the Virtual Interface Statistics Graph 107 Viewing and Configuring Controller WLANs 109 Configuring WLANs 109 Editing the WLAN Configuration 113 Assigning Multiple VLANs per WLAN 118 Configuring Authentication Types 119 Configuring Different Encryption Types 140 Viewing WLAN Statistics 145 ...

Page 6: ...dth 198 Viewing Mesh Statistics 198 Voice Statistics 200 Viewing Access Point Adoption Defaults 202 Configuring AP Adoption Defaults 202 Editing Default Access Point Adoption Settings 204 Configuring WLAN Assignment 209 Configuring WMM 210 Editing Access Point Adoption WMM Settings 211 Configuring Access Points 212 Viewing Adopted Access Points 212 Viewing Unadopted Access Points 214 Configuring A...

Page 7: ...s 261 Defining a NTP Neighbor Configuration 263 Adding an NTP Neighbor 265 Viewing NTP Associations 266 Viewing NTP Status 268 Configuring Controller Redundancy and Clustering 270 Configuring Redundancy Settings 272 Reviewing Redundancy Status 275 Configuring Redundancy Group Membership 277 Displaying Redundancy Member Details 279 Adding a Redundancy Group Member 281 Redundancy Group License Aggre...

Page 8: ...2 Creating a Role Based Firewall Rule 333 Configuring a Role 334 Creating a New Role 336 Configuring Wireless Filters 338 Editing an Existing Wireless Filter 340 Adding a new Wireless Filter 341 Associating an ACL with a WLAN 342 L2 Level Attack Detection and Mitigation 343 Port Level Configuration 345 Configuring WLAN Firewall Rules 346 WLAN Level Configuration 348 Configuring Denial of Service D...

Page 9: ...y Server Configuration 401 Configuring Radius Authentication and Accounting 402 Configuring Radius Users 404 Configuring Radius User Groups 407 Viewing Radius Accounting Logs 410 Creating Server Certificates 411 Using Trustpoints to Configure Certificates 412 Creating a Server CA Root Certificate 413 Configuring Trustpoint Associated Keys 419 Adding a New Key 420 Transferring Keys 421 Chapter 8 Co...

Page 10: ...e Management 463 Viewing the Entire Contents of Individual Log Files 464 Transferring Log Files 466 Reviewing Core Snapshots 467 Transferring Core Snapshots 468 Reviewing Panic Snapshots 468 Viewing Panic Details 470 Transferring Panic Files 470 Debugging the Applet 471 Configuring a Ping 472 Modifying the Configuration of an Existing Ping Test 474 Adding a New Ping Test 475 Viewing Ping Statistic...

Page 11: ...c and Independent WLAN 494 Appendix C Troubleshooting Information 499 General Troubleshooting 499 Wireless Controller Issues 499 Controller Does Not Boot Up 499 Controller Does Not Obtain an IP Address through DHCP 500 Unable to Connect to the Controller using Telnet or SSH 500 Web UI is Sluggish Does Not Refresh Properly or Does Not Respond 501 Console Port is Not Responding 501 Access Point Issu...

Page 12: ...ADIUS server fails 509 Accounting does not work with external RADIUS Accounting server 509 Troubleshooting RADIUS Accounting Issues 509 Rogue AP Detection Troubleshooting 509 Troubleshooting Firewall Configuration Issues 510 A Wired Host Host 1 or Wireless Host Host 2 on the untrusted side is not able to connect to the Wired Host Host 3 on the trusted side 510 A wired Host Host 1 on the trusted si...

Page 13: ...roller has a unique Installation Guide which describes the basic hardware setup and configuration required to transition to more advanced configuration of the controllers Summit WM3000 Series Controller System Reference Guide Describes configuration of the Extreme Networks Summit Wireless LAN Controllers using the Web UI Summit WM3000 Series Controller CLI Reference Guide Describes the Command Lin...

Page 14: ...o highlight the following Chapters and sections in this and related documents Dialog box window and screen names Drop down list and list box names Check box and radio button names Icons on a screen GUI text is used to highlight the following Screen names Menu items Button names on a screen bullets indicate Action items Lists of alternatives Lists of required steps that are not necessarily sequenti...

Page 15: ...d outbound traffic on the wireless network They provide security network service and system management applications Access points are 48V Power over Ethernet devices The Altitude 3510 AP is powered by standard 802 3af POE source The Altitude 3550 outdoor AP must by powered by a special Extreme Networks POE injector Power Tap the AP receives configurations from the controller once it is adopted The...

Page 16: ...nterface CLI for initial configuration An initial configuration is described within the Installation Guide shipped with each controller Software Overview The controller includes a robust set of features The features are listed and described in the following sections Infrastructure Features on page 16 Wireless Switching on page 20 Wired Switching on page 26 Management Features on page 27 Security F...

Page 17: ...g Support The following licensing information is utilized when upgrading the controller The maximum numbers of AP licenses a controller can adopt is dependant on the number purchased Configuration Management The controller supports the redundant storage of configuration files to protect against corruption during a write operation and ensure at any given time a valid configuration file exists If wr...

Page 18: ...s to capture incoming and outgoing packets in a buffer The controller also collects statistics for RF activity Ethernet port activity etc RF statistics include roaming stats packet counters octets tx rx signal noise SNR retry and information for each MU Tracing Logging Log messages are well defined and documented system messages with various destinations They are numbered and referenced by ID Each...

Page 19: ...rent subnets APs are load balanced across members of the group Licenses are aggregated across the group When a new member joins the group the new member can leverage the Access Point adoption license s of existing members Each member of the redundancy group including the reporting controller is capable of displaying cluster performance statistics for all members in addition to their own Centralize...

Page 20: ...DFS is required for at least one of the frequency bands that are allowed in the country TPC Transmit Power Control TPC meets the regulatory requirement for maximum power and mitigation for each channel TPC functionality is enabled automatically for every AP that operates on the channel 802 11bg Dual mode b g protection Effective Radiated Power ERP builds on the payload data rates of 1 and 2 Mbit s...

Page 21: ...requires them to authenticate before granting access to the WLAN The following is a typical sequence for hotspot access 1 A visitor with a laptop requires hotspot access at a site 2 A user ID Password and hotspot extended service set ID ESSID is issued by the site receptionist or IT staff 3 The user connects their laptop to this ESSID 4 The laptop receives its IP configuration via DHCP 5 The user ...

Page 22: ... PSP MU s For more information on configuring voice prioritization for a target WLAN see Configuring WMM on page 196 Wireless Capacity Wireless capacity specifies the maximum numbers of MUs Access Points and wireless networks usable by a controller Wireless capacity is largely independent of performance Aggregate controller performance is divided among the controller clients MUs and Access Points ...

Page 23: ...ller International Roaming The wireless controller supports international roaming per the 802 11d specification Power Save Polling An MU uses Power Save Polling PSP to reduce power consumption When an MU is in PSP mode the controller buffers its packets and delivers them using the delivery traffic indication message DTIM interval The PSP Poll packet polls the AP for buffered packets The PSP null d...

Page 24: ...d a file transfer bandwidth is normally exploited by the file transfer possibly reducing the quality of the conversation With QoS a VoIP conversation a real time session receives priority maintaining a high level of voice quality Voice QoS ensures Strict Priority Spectralink Prioritization VOIP Prioritization IP ToS Field Multicast Prioritization Data QoS The controller supports the following data...

Page 25: ...ort bi directional frame exchanges between a voice STA and its AP Dynamic VLAN Support There are four packet flows supported when the controller is configured to operate with multiple VLAN per WLAN Unicast From Mobile Unit Frames are decrypted converted from 802 11 to 802 3 and switched to the wired side of the VLAN dynamically assigned to the mobile device If the destination is another mobile dev...

Page 26: ...ed VLAN overrides the statically assigned VLAN If the Radius assigned VLAN is among the VLANs assigned to a WLAN it is available for VLAN assignment in the future If the Radius assigned VLAN is not one of the VLANs assigned to a WLAN it is not available for future VLAN assignment To configure Multiple VLANs for a single WLAN see Assigning Multiple VLANs per WLAN on page 118 Wired Switching The con...

Page 27: ...ncreases the pool of assignable IP addresses DNS maintains a database to map a given name to an IP address used for communication on the Internet The dynamic assignment of IP addresses makes it necessary to update the DNS database to reflect the current IP address for a given name Dynamic DNS updates the DNS database to reflect the correct mapping of a given name to an IP address VLAN Enhancements...

Page 28: ...y of system status Heat map support for RF deployment Secure guest access with specific permission intervals Controller discovery enabling users to discover each Extreme Networks controller on the specified network Security Features Controller security can be classified into wireless security and wired security The controller includes the following wireless security features Encryption and Authent...

Page 29: ...erates new encryption keys each time a MU associates with an Access Point Protocols including 802 1X EAP and Radius are used for strong authentication WPA2 also supports the TKIP and the AES Counter Mode CBC MAC Protocol AES CCMP encryption protocols For information on configuring WPA for a WLAN see Configuring WPA WPA2 using TKIP and CCMP on page 143 MU Authentication The controller uses the foll...

Page 30: ...N The default is no which allows MUs to exchange packets with other MUs It does not prevent MUs on other WLANs from sending packets to this WLAN You would have to enable MU to MU Disallow on the other WLAN To define how MU to MU traffic is permitted for a WLAN see Editing the WLAN Configuration on page 113 802 1x Authentication 802 1x Authentication cannot be disabled its always enabled 802 1x aut...

Page 31: ...hannel It passes the beacons to the controller as it receives them without any modification The controller processes these beacon messages to generate the list of APs This process of detecting a Rogue AP is non disruptive and none of the MUs are disassociated during this process The Access Point will only scan on its present channel By choosing this option for detection all capable Access Points w...

Page 32: ...y the packet is dropped If the action is permit the packet is allowed If the action is to mark the packet is tagged for priority The controller supports the following types of ACLs NOTE An ACL is located at the AP for locally bridged traffic and at the controller for tunneled traffic IP Standard ACLs IP Extended ACLs MAC Extended ACLs Wireless LAN ACLs For information on creating an ACL see Config...

Page 33: ...e network Static NAT Static NAT is similar to Port NAT with the only difference being that it allows the user to configure a source NAT IP address and or destination NAT IP address to which all the packets will be NATted to The source NAT IP address is used when hosts on a private network are trying to access a host on a public network A destination NAT IP address can be used for public hosts to t...

Page 34: ... Series Controller System Reference Guide 34 NAC authentication for MU s that do not have NAC 802 1x support printers phones PDAs etc For information on configuring NAC support see Configuring NAC Server Support on page 138 ...

Page 35: ... order for the controller s SNMP backend to function To prepare Internet Explorer to run the Web UI 1 Open Internet Explorer s Tools Internet Options panel and select the Advanced tab 2 Uncheck the following checkboxes Use HTTP 1 1 Java console enabled requires restart Java logging enabled JIT compiler for virtual enabled requires restart Accessing the Summit WM Controller for the First Time You c...

Page 36: ...he controller quickly assess the last 5 alarms generated by the controller view the status of the controller s Ethernet connections and view controller CPU and memory utilization statistics Defining Basic Controller Settings When initially logging into the system the controller requests that you enter the correct country code for your region If a country code is not configured a warning message di...

Page 37: ...y the radio coverage type it supports and physical location For example second floor engineering Contact Displays a Contact value for system administration and troubleshooting This name should be the network administrator responsible for controller operations Uptime Displays the current operational time for the device name defined within the System Name field Uptime is the cumulative time since th...

Page 38: ... a means of restoring its password to its default value Doing so also reverts the controller s security radio and power management configuration to their default settings Only an installation professional should reset the controller password and promptly define a new restrictive password For details on the password recovery feature see Controller Password Recovery on page 506 CAUTION Only a qualif...

Page 39: ...ately using the CLI SNMP or Web UI If a feature is disabled it is skipped when auto install is triggered For manual configuration where the URLs for the configuration and image files are not supplied by DHCP the URLs can be specified using the CLI SNMP or Applet Use the CLI to define the expected firmware image version If the image version is not specified the controller will derive it from the he...

Page 40: ...bles are set using the autoinstall feature command WLANController en WLANController conf t WLANController config autoinstall image WLANController config autoinstall config WLANController config autoinstall cluster config After this configuration update any controller reboot with DHCP enabled on the RON port will trigger an auto install provided the DHCP Server is configured with appropriate option...

Page 41: ...ll image WLANController config show autoinstall feature enabled URL config yes ftp ftp ftp 173 9 234 1 Controller config cluster cfg yes ftp ftp ftp 173 9 234 1 Controller cluster config image yes ftp ftp ftp 147 11 1 11 Controller images WM3600 img expected image version 4 0 0 0 XXXXX Once again for DHCP option based auto install the URLs is ignored and those passed by DHCP are not stored Wheneve...

Page 42: ...Controller Web UI Access and Image Upgrades Summit WM3000 Series Controller System Reference Guide 42 ...

Page 43: ...d in numerous additional locations throughout the controller applet NOTE The Extreme Networks Wireless LAN Controller Wireless Management Suite WMS is a recommended utility to plan the deployment of the controller and view its interface statistics once operational in the field Extreme Networks WMS can help optimize the positioning and configuration of a controller and its associated radios in resp...

Page 44: ...oller Consequently selecting the correct country is extremely important Each country has its own regulatory restrictions concerning electromagnetic emissions channel range and the maximum RF signal strength transmitted To ensure compliance with national and local laws be sure to set the Country value correctly CAUTION Changing to a new country code will overwrite the Country settings for all adopt...

Page 45: ...Location parameters together to optionally define the controller name by the radio coverage type it supports and physical location For example second floor engineering Contact Displays a Contact value for system administration and troubleshooting This name should be the network administrator responsible for controller operations Uptime Displays the current operational time for the device name defi...

Page 46: ...before hitting the Apply button for any changes to be reverted 9 Click the Apply button to save the updates to the Time Zone or Country parameters specifically Controller Dashboard Details Each Extreme Networks wireless LAN controller platform contains a dashboard which represents a high level graphical overview of central controller processes and hardware When logging into the controller the dash...

Page 47: ...ference Guide 47 Summit WM3600 Controller Dashboard The Dashboard screen displays the current health of the controller and is divided into fields representing the following important diagnostics Alarms Ports Environment CPU Memory File Systems ...

Page 48: ...ays the Redundancy State of the controller The status can be either Enabled or Disabled Enabled Defined a green state Disabled Defined by a yellow state Firmware Displays the Firmware version of the current software running on the wireless controller Management IP Displays the Management IP address of the controller Access Points Displays the total number of Access Points adopted by the controller...

Page 49: ...t immediate attention Major Denoted by a yellow indicator These alarms warrant attention Others Denoted by a blue indicator Redundancy State Displays the Redundancy State of the controller The status can be either Enabled or Disabled Enabled Defined a green state Disabled Defined by a yellow state Firmware Displays the Firmware version of the current software running on the wireless controller Man...

Page 50: ...ange set by the user 4 The CPU Memory section displays the free memory available with the RAM 5 The File Systems section displays the free file system available for flash nvram system Severity Displays the severity of the alarm It can be either Critical or Major Last Occurrence Displays the time when the alarm was reported Message Displays the message associated with the alarm Occurrences Displays...

Page 51: ...total number of radios currently adopted by the controller Pkts per second Displays the packet transmission rate for received and transmitted packets over last 30 seconds and 1 hour Throughput Displays the traffic throughput for packets received packets transmitted and total packets over last 30 seconds and 1 hour Avg Bit Speed Displays the average bit speed for the controller over last 30 seconds...

Page 52: ...n indication of overall RF performance on the wireless network Average Number of Retries Displays the average number of retries for all MUs associated with the controller The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour If the Average Number of Retries starts increasing this indicates that MUs are not getting...

Page 53: ...or requires modification for use within the controller managed network GE Gigabit Ethernet GE ports are available on the Summit WM3600 and Summit WM3700 platforms GE ports on the Summit WM3600 are RJ 45 which support 10 100 1000Mbps GE ports on the Summit WM3700 can be RJ 45 or fiber ports which support 10 100 1000Mbps ME Management Ethernet ME ports are available on the Summit WM3600 and Summit W...

Page 54: ...iting the Port Configuration on page 55 Name Displays the current port name The port names available vary by controller Summit WM3600 ge1 ge2 ge3 ge4 ge5 ge6 ge7 ge8 me1 up1 Summit WM3700 ge1 ge2 ge3 ge4 me1 MAC Address Displays the port s MAC Address This value is read only set at the factory and cannot be modified Admin Status Displays whether the port is currently Up or Down Speed Displays the ...

Page 55: ...A Port Change Warning screen displays stating any change to the port setting could disrupt access to the controller Communication errors may occur even if modifications made are successful 3 Click the OK button to continue Optionally select the Don t show this message again for the rest of the session checkbox to disable the pop up 4 Use the Edit screen to modify the following port configurations ...

Page 56: ...bandwidth between the controller and another controller or host The port speed used is dependant on the Duplex value selected full half or auto If a segment within a channel fails traffic previously carried over the failed link is routed to the remaining segments within the channel A trap is sent upon a failure identifying the controller channel and failed link Description Enter a brief descriptio...

Page 57: ...erformance To view the runtime configuration details of the controller ports 1 Select Controller Port from the main menu tree 2 Select the Statistics tab Name Displays the port s current name MAC Address Displays the port s MAC Address This value is read only set at the factory and cannot be modified Oper Status Displays the link status of the port The port status can be either Up or Down Speed Di...

Page 58: ...ys the total number of packets received by the port Packets In Dropped Displays the number of packets dropped by the port If the number appears excessive a different port could be required Packets In Error Displays the number of erroneous packets received by the port If the number appears excessive try using a different port and see if the problem persists Bytes Out Displays the total number of by...

Page 59: ...roadcast Packets received on the interface Input Total Packets Displays the total number of packets received on the interface Input Packets Dropped Displays the number of received packets dropped by the interface by the input Queue of the hardware unit software module associated with the VLAN Packets are dropped when the input Queue is full or unable to processing incoming traffic Input Packets Er...

Page 60: ...sing the latest information To view a detailed graph for a port 1 Select a port from the table displayed in the Statistics screen 2 Click the Graph button The Interface Statistics screen displays for the selected port The screen provides the option to view the following Output NonUnicast Packets Displays the number of unicast packets transmitted from the interface Output Total Packets Displays the...

Page 61: ...iven time 4 Click on the Close button to exit out of the screen Power over Ethernet PoE NOTE Power over Ethernet is only supported on the Summit WM3600 controller The following information only applies to the Summit WM3600 controller The Summit WM3600 controller supports 802 3af Power over Ethernet PoE on each of its eight ge ports The PoE screen allows users to monitor the power consumption of th...

Page 62: ...to save the changes Power Budget Displays the total watts available for Power over Ethernet on the controller Power Consumption Displays the total watts in use by Power over Ethernet on the controller Power Usage Threshold for Sending Trap Specify a percentage of power usage as the threshold before the controller sends an SNMP trap The percentage is a percentage of the total power budget of the co...

Page 63: ...lower Priority level 5 Set the Power Limit in watts for this port s PoE usage Setting the Power Limit places a cap on the maximum amount of power which can be drawn from the selected port Class Displays the IEEE Power Classification for each port Class Number Maximum Power Required from Controller 0 unknown 15 4 Watts 1 4 Watts 2 7 Watts 3 15 4 Watts Priority Displays the priority mode for each of...

Page 64: ...ations or transferred to a user specified location NOTE To view the entire controller configuration using SNMP the controller CLI provides a better medium to review the entire controller configuration NOTE The Extreme Networks Wireless LAN Controller Management Software WMS is a recommended utility to plan the deployment of the controller and view its configuration once operational in the field Ex...

Page 65: ... startup config file If a file for example sample config is selected a message displays stating When sample config is installed it will replace start up config Are you sure you want to install sample config Click Yes to continue Name Displays the name of each existing configuration file Size Bytes Displays the size in bytes of each available configuration file Created Displays the date and time ea...

Page 66: ...utton If startup config is deleted a prompt displays stating the default controller startup config will automatically take its place The controller running config cannot be deleted 5 To restore the system s default configuration and revert back to factory default click the Restore Defaults button NOTE After setting the controller to revert to factory default settings the system must be rebooted be...

Page 67: ...nts of the selected configuration file Use the up and down navigation facilities on the right hand side of the screen to view the entire page 3 The Page parameter displays the portion of the configuration file in the main viewing area The total number of pages in the file are displayed to the right of the current page The total number of lines in the file display in the Status field at the bottom ...

Page 68: ... if something goes wrong in the transaction between the applet and the controller 5 Click the Transfer button when ready to move the target file to the specified location Repeat the process as necessary to move each desired configuration file to the specified location From Select the location representing the source file s current location using the From drop down menu Options include Server Local...

Page 69: ...ys the version string The Build Time is the date and time each version was generated Install represents the date and time the upgrade was performed Next Boot indicates which version should be used on the next reboot The Next Boot version should match the Running Version unless the system has failed over to another version To view the firmware files available to the controller 1 Select Controller F...

Page 70: ...ove a patch select it from amongst those displayed within the Patch field and click the Remove Patch button Editing the Controller Firmware The Edit screen enables the user to select a firmware file and designate it as the version used the next time the controller is booted 1 Select the primary firmware image from the Firmware screen 2 Click the Edit button The Firmware screen displays the current...

Page 71: ... image from the table in the Firmware screen 2 Click the Global Settings button 3 Select the Enable Image Failover checkbox to load an alternative firmware version if the WLAN module fails to load the selected version successfully after 2 reboot attempts 4 Refer to the Status field for the current state of the requests made from the applet Requests are any SET GET operation from the applet The Sta...

Page 72: ...an transfer firmware files using USB 6 Enter the IP address for the FTP or TFTP server in the IP address field 7 Enter the username for FTP server login in the User ID field 8 Enter the password for FTP server login in the Password field 9 Enter the complete file path for the file that contains the firmware update in the Path field 10 Click the Do Update button to initiate the update A warning pro...

Page 73: ...iles Use the Transfer Files screen to transfer files to and from the controller Transferring files is recommended to keep files in a secure location The following file transfer options are available Wireless Controller to Wireless Controller Wireless Controller to Server Server to Wireless Controller To define the properties of the file transfer configuration 1 Select Controller File Management fr...

Page 74: ...ines the location of the file From Use the From drop down menu to select the source file s current location The options include Wireless Controller and Server The following transfer options are possible Wireless Controller to Wireless Controller Wireless Controller to Server Server to Wireless Controller The parameters displayed in the Source and Target fields differ based on the above selection T...

Page 75: ...ansfer 3 Use the To drop down menu within the Target field and select Server This defines the transfer location of the configuration file Enter the file location marked to store the transferred file 4 Use the Using drop down menu to configure whether the log file transfer is conducted using FTP TFTP HTTP or SFTP This field display the default port for FTP TFTP HTTP or SFTP The value in this field ...

Page 76: ...ort the file transfer Transferring a file from a Server to a Wireless Controller To transfer a file from a Server to the controller 1 Refer to the Source field to specify the details of the source file Use the From drop down menu and select Server 2 Provide the name of the File 3 Use the Using drop down menu to configure whether the file transfer is conducted using FTP TFTP or HTTP FTP transfers r...

Page 77: ...fer Viewing Files Use the File System tab to review the files available to the controller The controller maintains the following file types flash nvram system Compact Flash USB 1 USB 2 NOTE USB 1 is available on the Summit WM3600 and Summit WM3700 controllers USB2 and Compact Flash are only available on the Summit WM3700 controller Transfer files between the controller and the server from any one ...

Page 78: ...firmware and configuration every time the controller is booted If updates are found since the last time the Name Displays the memory locations available to the controller Available Displays the current status of the memory resource By default nvram and system are always available A green check indicates the device is currently connected to the controller and is available A red X indicates the devi...

Page 79: ... to enable and define the configuration for automatic configuration file updates If enabled the located updated configuration file will be used with the controller the next time it boots Enable Select the Enable checkbox to allow an automatic configuration file update when a newer updated file is detected upon the boot of the controller at the specified IP address IP Address Define the IP address ...

Page 80: ...tected when the controller is booted it will be uploaded to the controller and used upon the next boot of the controller User ID Enter the User ID required to access the FTP or TFTP server File Name With Path Provide the complete and accurate path to the location of the cluster files on the server This path must be accurate to ensure the most recent file is retrieved Protocol Use the Protocol drop...

Page 81: ...elect either of the two available options to view alarm log information 4 Refer to the table within the Alarm Log screen for the following information View By Page Select the View By Page radio button to view alarm log information on a per page basis Use the View By Page option to page through alarm logs If there are a large number of alarms the user can navigate to the page that has been complete...

Page 82: ...Message for the following information Index Displays the unique numerical identifier for trap events alarms generated in the system Use the index to help differentiate an alarm from others with similar attributes Status Displays the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status displays error messages if something goes wrong in the...

Page 83: ...his information can be used in conjunction with the Solution and Possible Causes items to troubleshoot the event and determine how the event can be avoided in the future Solution Displays a possible solution to the alarm event The solution should be attempted first to rectify the described problem Possible Causes Describes the probable causes that could have raised this specific alarm Determine wh...

Page 84: ... the filtering operation displays at the bottom of the table 4 Click the Turn Off Filtering button to disable the filtering option for the screen where it appears Filtering status when filtering is turned off displays at the bottom of the table 5 Click the Hide Filtering Option button to hide the Filter Option zone License Key Enter the license key required to install a particular feature The lice...

Page 85: ...nning Tree on page 217 Configuring IGMP Snooping on page 230 Displaying the Network Interface The main Network interface displays a high level overview of the configuration default or otherwise as defined within the Network main menu Use the information to determine if items require additional configuration using the sub menu items under the main Network menu item NOTE When the controller s config...

Page 86: ...age 99 Wireless LANs Displays the number of WLANs currently defined on the controller The controller has 32 default WLANs New WLANs can be added as needed and their descriptions VLAN assignments and security schemes modified By default all WLANs are displayed with default values The Summit WM3600 supports a maximum of 32 WLANs The Summit WM3700 supports a maximum of 256 WLANS For more information ...

Page 87: ...he Internet Protocol screen contains tabs supporting the following configuration activities Configuring DNS Configuring IP Forwarding Viewing Address Resolution Configuring DNS Use the Domain Name System tab to view Server address information and delete or add severs to the list of servers available To configure DNS 1 Select Network Internet Protocol from the main tree menu ...

Page 88: ... the Global Settings button to open a screen that allows the domain lookup to be enabled disabled and the domain name to be specified For more information see Configuring Global Settings on page 89 Server IP Address Displays the IP address of the domain name server s the system can use for resolving domain names to IP addresses Domain look up order is determined by the order of the servers listed ...

Page 89: ...ween the applet and the controller 4 Click OK to use the changes to the running configuration and close the dialog 5 Click Cancel to close the dialog without committing updates to the running configuration Configuring Global Settings Use the Global Settings screen to query domain name servers to resolve domain names to IP addresses Use this screen to enable disable the Domain look up which allows ...

Page 90: ...roller 5 Click OK to use the changes to the running configuration and close the dialog 6 Click Cancel to close the dialog without committing updates to the running configuration Configuring IP Forwarding The IP Forwarding table lists all the routing entries to route the packets to a specific destination To view the IP forwarding configuration 1 Select Network Internet Protocol from the main tree m...

Page 91: ...used to divide internet addresses into blocks known as subnets Subnet Mask Displays the mask used for destination subnet entries The Subnet Mask is the IP mask used to divide internet addresses into blocks known as subnets A value of 255 255 255 0 will support 256 IP addresses Gateway Address Displays the IP address of the Gateway used to route the packets to the specified destination subnet Do no...

Page 92: ... addresses 4 In the Gateway Address field enter the IP address of the gateway used to route the packets to the specified destination subnet Do not set the gateway address to any VLAN interface used by the controller 5 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and ...

Page 93: ... menu 2 Select the Address Resolution tab 3 Refer to the Address Resolution table for the following information Interface Displays the name of the actual interface where the IP address was found typically a VLAN IP Address Displays the IP address being resolved MAC Address Displays the MAC address corresponding to the IP address being resolved Type Defines whether the entry was added statically or...

Page 94: ... physical points but react as if it were connected directly One of the biggest advantages of a VLAN is when a computer is physically moved to another location it can stay on the same VLAN without reconfiguration The controller can support multiple VLANs Use the Layer 2 Virtual LANs screen to view and configure VLANs by Port and Ports by VLAN information Refer to the following VLAN configuration ac...

Page 95: ...system prompts you with a Port VLAN Change Warning message stating communication disruptions could occur with the controller 3 Click OK to continue Name Displays the name of the VLAN to which the controller is currently connected Mode It can be either Access or Trunk Access This ethernet interface accepts packets only from the native VLANs Trunk The Ethernet interface allows packets from the given...

Page 96: ...ented by function or application rather than a traditional LAN segmentation based on physical location VLANs allow a greater level of Name Displays a read only field and with the name of the Ethernet to which the VLAN is associated Mode Use the drop down menu to select the mode It can be either Access This Ethernet interface accepts packets only from the native VLANs If this mode is selected the A...

Page 97: ...d enable changes to the network infrastructure without physically disconnecting network equipment To view VLAN by Port information 1 Select Network Layer 2 Virtual LANs from the main menu tree 2 Select the Ports by VLAN tab VLAN details display within the VLANs by Port tab ...

Page 98: ...indow displays wherein the VLAN assignments can be modified for the selected VLAN NOTE The ports available vary by controller On the Summit WM3600 the available ports are ge1 ge2 ge3 ge4 ge5 ge6 ge7 ge8 and up1 On the Summit WM3700 the available ports are ge1 ge2 ge3 and ge4 5 Change VLAN port designations as required 6 Click OK to use the changes to the running configuration and close the dialog ...

Page 99: ...d to map a VLANs to IP address ranges This mapping determines the destination networks for controller routing Each IP address range IP Address and Subnet Mask can be mapped to one and only one VLAN ID A VLAN ID does not require an IP address be defined on the controller Each VLAN ID must be mapped to a physical port using the Layer 2 Virtual LANs configuration to communicate with the rest of the n...

Page 100: ...e VLAN ID Displays the VLAN ID associated with the interface DHCP Enabled Displays whether the DHCP client is enabled or not A green check mark defines the DHCP client as enabled for the interface A red X means the interface is disabled Primary IP Address Displays the IP address for the virtual interface Primary Subnet Mask Displays the subnet mask assigned for this interface Admin Status Displays...

Page 101: ...ick the Shutdown button to disable the selected interface Adding a Virtual Interface To add a new controller virtual interface 1 Select Network Controller Virtual Interface from the main tree menu 2 Select the Configuration tab 3 Click on the Add button Management Interface A green checkmark within this column defines this VLAN as currently used by the controller This designates the interface sett...

Page 102: ...E Only one virtual interface can be set as the management interface 8 Use the Secondary IP Addresses field to define additional IP addresses to associate with VLAN IDs The address provided in this field is used if the primary IP address is unreachable Select the Add button within the Secondary IP Addresses field to define additional addresses from a sub screen Choose an existing secondary address ...

Page 103: ...fy the Description of the VLAN to make it representative of the VLAN s intended operation within the controller managed network 4 Unselect the Use DHCP to obtain IP Address automatically checkbox to assign IP addresses manually and you do not want DHCP to provide them 5 Use the Primary IP Address field to manually enter the IP address for the virtual interface 6 Enter the Subnet Mask for the IP ad...

Page 104: ...ation about packet level statistics and errors at the interface To view virtual interface statistics 1 Select Network Controller Virtual Interface from the main tree menu 2 Select the Statistics tab Refer to the following to assess the network throughput of existing virtual interfaces Name Displays the user defined interface name The corresponding statistics are displayed along the row The statist...

Page 105: ...station uses to interpret if the frame is valid If the CRC value computed by the interface does not match the value at the end of frame it is considered as a CRC error Late collisions A late collision is any collision that occurs after the first 64 octets of data have been sent by the sending station Late collisions are not normal and are usually the result of out of specification cabling or a mal...

Page 106: ...f packets received at the interface Input Packets Dropped Displays the number of packets dropped at the interface by the input Queue of the hardware unit software module associated with the VLAN interface Packets are dropped when the input Queue of the interface is full or unable to handle incoming traffic Input Packets Error Displays the number of packets with errors at the interface Input Packet...

Page 107: ... information as network performance information is required To view detailed graphical statistics for a selected interface 1 Select a record from the table displayed in the Statistics screen 2 Click the Graph button 3 The Interface Statistics screen displays The Interface Statistics screen provides the option of viewing graphical statistics for the following parameters Input Bytes Input Pkts Dropp...

Page 108: ... four parameters may be selected at any given time 4 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller 5 Click Close to close the dialog ...

Page 109: ...s supporting the following configuration activities Configuring WLANs Viewing WLAN Statistics Configuring WMM Configuring the NAC Inclusion List Configuring the NAC Exclusion List Configuring WLANs Refer to the Configuration screen for a high level overview of the WLANs created for use within the controller managed network Use this data as necessary to keep current of active WLANs their VLAN assig...

Page 110: ...le and click the Enable or Disable button ESSID Displays the Service Set ID associated with each WLAN Click the Edit button to modify the value to a new unique SSID Description Displays a short description of the associated WLAN Click the Edit button to modify the value the WLAN description VLAN s Displays the name of the VLAN ID s of the VLAN s this WLAN is mapped to The VLAN ID can be between 1 ...

Page 111: ...enabled a green check mark displays When disabled a red X displays To enable or disable a WLAN select it from the table and click the Enable or Disable button The Disable button is only available when the selected WLAN is enabled 7 When using clustering and the Cluster GUI feature is enabled a drop down menu will be available to select which cluster members WLANs are displayed To view WLANs from a...

Page 112: ...r MU s in PSP mode whose IP address is known The WLAN generates an ARP reply on behalf of a MU if the MU s IP address is known The ARP reply contains the MAC address of the MU not the MAC address of WLAN Module Thus the MU does not awaken to send ARP replies helping to increase battery life and conserve bandwidth If an MU goes into PSP mode without transmitting at least one packet its Proxy ARP wi...

Page 113: ... description VLAN ID assignment inter WLAN communication definition and encryption and authentication scheme To edit WLAN configuration settings NOTE The VLAN ID is not associated with tagging Tagging is used on the controller trunk and not on an individual WLAN 1 Select Network Wireless LANs from the main menu tree 2 Click the Configuration tab 3 Select a WLAN to modify from the table Manual mapp...

Page 114: ...Summit WM3000 Series Controller System Reference Guide 114 4 Click the Edit button The Wireless LANs Edit screen is divided into the following user configurable fields Configuration Authentication Encryption Advanced ...

Page 115: ...ke the WLAN available to support mesh networking Only WLANs defined for mesh networking support should have this checkbox selected VLAN ID Assign the revised VLAN ID for this WLAN Select the Dynamic Assignment checkbox for an user based VLAN assignment when 802 1x EAP Authentication is used Since the VLAN ID pertains to just this VLAN there is no tagging involved Dynamic Assignment With any authen...

Page 116: ...ust one bit in a message produces a totally different result For detailed information on configuring CCMP for the WLAN see Configuring WPA WPA2 using TKIP and CCMP on page 143 Accounting Mode If using a Syslog server to conduct accounting for the controller select the Syslog option from the Accounting Mode drop down menu Once selected a Syslog Config button is enabled on the bottom of the Network ...

Page 117: ...dle time limit in seconds The default value is 1800 seconds Access Category Displays the Access Category for the intended traffic The Access Categories are the different WLAN WMM options available to the radio The Access Category types are Automatic WMM Optimized for WMM Voice Optimized for voice traffic Voice packets receive priority Video Optimized for video traffic Video packets receive priorit...

Page 118: ...r this WLAN By default all WLANs are initially assigned to VLAN 1 4 Select the Dynamic Assignment checkbox for an user based VLAN assignment with Radius for this WLAN 5 Select the Assign Multiple VLAN s button to map a WLAN to more than one VLAN This displays the Multiple VLAN Mapping screen 6 Configure the Multiple VLAN Mapping for WLAN table as required to add or remove multiple VLANS for the se...

Page 119: ... 802 1x EAP authentication protocol to both wired and wireless LAN applications The EAP process begins when an unauthenticated supplicant MU tries to connect with an authenticator in this case the authentication server The controller passes EAP packets from the client to an authentication server on the wired side of the controller All other packet types are blocked until the authentication server ...

Page 120: ... airports hotels and college campuses The controller enables hotspot operators to provide user authentication and accounting without a special client application The controller uses a traditional Internet browser as a secure authentication device Rather than rely on built in 802 11security features to control association privileges configure a WLAN with no WEP an open network The controller issues...

Page 121: ...button from within the Authentication field The Radius Config button on the bottom of the screen becomes enabled Ensure a primary and optional secondary Radius Server have been configured to authenticate users requesting access to the hotspot supported WLAN For more information see Configuring External Radius Server Support on page 133 4 Click the Config button to the right of the Hotspot checkbox...

Page 122: ...e pre created to collect login credentials through Login htm send them to a Radius server and display a Welcome htm or a Faliure htm depending on the result of the authentication attempt NOTE When using an internal hotspot ensure that traffic can pass on TCP port 444 between the controller s internal Web server and the hotspot clients To create a hotspot maintained by the controller s own internal...

Page 123: ...oller s internal Web server This option is only available if Internal is chosen from the drop down menu Footer Text Displays the HTML footer text displayed on the Failed page when using the controller s internal Web server This option is only available if Internal is chosen from the drop down menu Small Logo URL Displays the URL for a small logo image displayed on the Failed page when using the co...

Page 124: ... the drop down menu above Main Logo URL The Main Logo URL is the URL for the main logo image displayed on the Welcome page when using the internal Web server This option is only available if Internal is chosen from the drop down menu above Descriptive Text Specify any additional text containing instructions or information for the users who access the Welcome page on the internal Web server This op...

Page 125: ...ximum Hotspot Simultaneous Users to set a limit on the number of concurrent unique hotspot users for the selected WLAN 11 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller 12 Click OK to use the changes to the running configuration and close the dialog ...

Page 126: ...RL Define the complete URL for the location of the Login page The Login screen will prompt the hotspot user for a username and password to access the Welcome page Ensure the RADIUS server port number is included in the URL using the following format http 192 168 0 70 444 wlan2 login html Welcome Page URL Define the complete URL for the location of the Welcome page The Welcome page assumes the hots...

Page 127: ... the System Name specified on the main Controller configuration screen as part of the hotspot address 7 Specify the maximum Hotspot Simultaneous Users to set a limit on the number of concurrent unique hotspot users for the selected WLAN 8 Check the Logout on Browser Close button to logout hotspot users from the network when they close their web browsers 9 Refer to the Status field for the current ...

Page 128: ...s selected from within the This WLAN s Web Pages are of the drop down menu NOTE Advanced hotspot configuration is not permissible using the controller Web UI Refer to the controller CLI or other advanced configuration options to define a hotspot with advanced properties However the controller can still install and maintain directories containing Web page content 5 Once the properties of the advanc...

Page 129: ...e Use System Name in Hotspot URL to use the System Name specified on the main Controller configuration screen as part of the hotspot address 8 Specify the maximum Hotspot Simultaneous Users to set a limit on the number of concurrent unique hotspot users for the selected WLAN 9 Check the Logout on Browser Close button to logout hotspot users from the network when they close their web browsers 10 Re...

Page 130: ...ion The following is an example of just the CLI needed to support the local Radius server configuration wlan 2 enable wlan 2 description XTRM GUEST wlan 2 ssid XTRM GUEST wlan 2 vlan 70 wlan 2 authentication type hotspot wlan 2 mu mu disallow wlan 2 hotspot webpage location advanced wlan 2 radius server primary 192 168 10 14 wlan 2 radius server primary radius key 0 ESELAB wlan 2 radius reauth 360...

Page 131: ...nt ether using the CLI s copy command or TFTP FTP in the hotspot configuration you can also use Controller File Management The example below displays samples both from a file manager and the controller CLI of the directory and files used by an advanced hotspot These examples use pages supporting various graphics files These pages also use a HTML style sheet to define certain elements Create custom...

Page 132: ...size 20 name f_pass td tr tr td colspan 2 align center input type submit name submit value Log In td tr form table Welcome Page The welcome html page displays upon successful authentication On the welcome page you ll want to include a simple welcome message as well as the following URL allowing users to manually disconnect from the hotspot a href cgi bin hslogout cgi Disconnect a Failed Page The f...

Page 133: ...h no spaces or delimeters Colin delimiter The 12 digit MAC Address is in a format separated by colons after every pair Dash delimiter The 12 digit MAC Address is in a format separated by dashes after every pair Dot delimiter per four The 12 digit MAC Address is in a format separated by periods after every four digits Middle Dash delimiter The 12 digit MAC Address is in a format separated in the mi...

Page 134: ...al Radius Server as either a primary or secondary authentication source it must be specified appropriately To configure an external Radius Server for EAP 802 1x Hotspot or Dynamic MAC ACL WLAN support NOTE To optimally use an external Radius Server with the controller Extreme Networks recommends defining specific external Server attributes to best utilize user privilege values for specific control...

Page 135: ...ation screen contains tabs for defining both the Radius and NAC server settings For NAC overview and configuration information see Configuring NAC Server Support on page 138 6 Refer to the Server field and define the following credentials for a primary and secondary Radius server ...

Page 136: ...cate the number of times the controller attempts to reach the primary or secondary Radius server before giving up Dynamic Authorization Authorization amongst the Radius servers is conducted dynamically as they connect and disconnect periodically Accounting Server Address Enter the IP address of the primary and secondary server acting as the Radius accounting server Accounting Port Enter the TCP IP...

Page 137: ...cation access f Set the Superuser Role value to 32768 grants full read write access to the controller 3 Specify multiple privileges for a single user by specifying different attributes as needed The privilege values can be ORed and specified once For example if a user needs monitor read only and helpdesk access configure the Radius Server with two attributes Once with a value 1 for monitor access ...

Page 138: ...twork access is restricted by quarantining the MU Using NAC the controller hardware and software grants access to specific network devices NAC performs a user and MU authorization check for devices without a NAC agent NAC verifies a MU s compliance with the controller s security policy The controller supports only EAP 802 1x NAC However the controller provides a mean to bypass NAC authentication f...

Page 139: ...Summit WM3000 Series Controller System Reference Guide 139 ...

Page 140: ...rter WEP algorithm for a hacker to duplicate but WEP 64 may be all that a small business user needs for the simple encryption of wireless data However networks that require more security are at risk from a WEP flaw The existing 802 11 standard alone offers administrators no effective method to update keys To configure WEP 64 1 Select Network Wireless LANs from the main menu tree 2 Select an existi...

Page 141: ...ers Select one of these keys for activation by clicking its radio button Default hexadecimal keys for WEP 64 include 7 If you feel it necessary to restore the WEP algorithm back to its default settings click the Restore Default WEP Keys button This may be the case if you feel the latest defined WEP algorithm has been compromised and longer provides its former measure of data security 8 Refer to th...

Page 142: ...ication and Encryption columns to assess the WLAN s existing security configuration 3 Select the WEP 128 button from within the Encryption field 4 Click the Config button to the right of the WEP 128 checkbox The WEP 128 screen displays 5 Specify a 4 to 32 character Pass Key and click the Generate button The pass key can be any alphanumeric string The controller and the Motorola MUs which are suppo...

Page 143: ...thentication based on 802 1x EAP WPA2 is a newer 802 11i standard that provides even stronger wireless security than WPA and WEP CCMP is the security standard used by the Advanced Encryption Standard AES AES serves the same function TKIP does for WPA TKIP CCMP computes a Message Integrity Check MIC using the proven Cipher Block Chaining CBC technique Changing just one bit in a message produces a t...

Page 144: ...y Settings field as needed to set an ASCII Passphrase and key values NOTE The Web UI does not support saving passphrases in encrypted format To save passphrases in an encrypted format configure the passphrases using the Command Line Interface Refer to the Summit WM3000 Series Controller CLI Reference Guide for details on configuring passphrases using the CLI Default hexadecimal 256 bit keys for WP...

Page 145: ...d close the dialog 10 Click Cancel to close the dialog without committing updates to the running configuration Viewing WLAN Statistics The Statistics screen displays read only statistics for each WLAN Use this information to assess if configuration changes are required to improve network performance If a more detailed set of WLAN statistics is required select a WLAN from the table and click the De...

Page 146: ...e no statistical information to display 6 To view WLAN statistics in a graphical format select a WLAN and click the Graph button For more information see Viewing WLAN Statistics in a Graphical Format on page 149 Last 30s Click the Last 30s radio button to display statistics for the WLAN over the last 30 seconds This option is helpful when troubleshooting issues as they actually occur Last Hr Click...

Page 147: ... a WLAN requires modification to meet network expectations To view detailed statistics for a WLAN 1 Select a Network Wireless LANs from the main menu tree 2 Click the Statistics tab 3 Select a WLAN from the table displayed in the Statistics screen and click the Details button The Details screen displays the WLAN statistics of the selected WLAN The Details screen contains the following fields Infor...

Page 148: ...r the last 30 seconds and the number in blue represents this statistic for the last hour Non unicast Pkts Displays the percentage of the total packets for the selected WLAN that are non unicast Non unicast packets include broadcast and multicast packets The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour Avg MU Si...

Page 149: ... updates to the running configuration Viewing WLAN Statistics in a Graphical Format The controller Web UI continuously collects WLAN statistics even when the graph is not displayed Periodically display the WLAN statistics graph for the latest WLAN throughput and performance information To view detailed graphical statistics for a WLAN 1 Select a WLAN from the table displayed in the Statistics scree...

Page 150: ...e above listed parameters by clicking on the checkbox associated with it 4 Click the Close button to exit the screen Viewing WLAN Controller Statistics The Controller Statistics screen displays the sum of all WLAN statistics The Controller Statistics screen is optimal for displaying a snapshot of overall WLAN traffic on your controller To view detailed statistics for a WLAN 1 Select a Network Wire...

Page 151: ...troller Extreme Networks WMS can help optimize the positioning and configuration of a controller in respect to a WLAN s MU throughput requirements For more information refer to the Extreme Networks Web site 5 Refer to the Retry Counts field to review the number packets requiring retransmission from the controller 6 Refer to the Status field for the current state of the requests made from applet Th...

Page 152: ...displayed in a two part format The first number is the WLAN index and the second number is a sub index corresponding to the access category Click the Edit button to modify this property SSID Displays the Service Set ID SSID associated with each WLAN Description Displays a brief description of the WLAN WLAN enabled Displays the status of the WLAN A Green check defines the WLAN as enabled and a Red ...

Page 153: ...rbitrary Inter frame Space Number AIFSN Higher priority traffic categories should have lower AIFSNs than lower priority traffic categories This will causes lower priority traffic to wait longer before trying attempting access Transmit Ops Displays the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a l...

Page 154: ...fer to the following fields within the QoS Mapping screen to optionally revise the existing settings to in respect to the data traffic requirements for this WLAN Access Category to 802 1p Optionally revise the 802 1p Prioritization for each access category to prioritize the network traffic expected on this WLAN 802 1p to Access Category Set the access category accordingly in respect to its importa...

Page 155: ...he main menu tree 2 Click the WMM tab 3 Select a Access Category from the table and click the Edit button to launch a dialog with WMM configuration for that radio 4 Refer to the Edit WMM screen for the following information DSCP to Access Category Set the access category accordingly in respect to its DSCP importance for this WLAN s target network traffic Differentiated Services Code Point DSCP is ...

Page 156: ...entication is achieved using 802 1x The controller authenticates 802 1x enabled devices using one of the following SSID Displays the Service Set ID SSID associated with the selected WMM index This SSID is read only and cannot be modified within this screen Access Category Displays the Access Category for the intended radio traffic The Access Categories are the different WLAN WMM options available ...

Page 157: ...dation for MUs connecting to the WLAN Include a few MU s for NAC validation and bypass the rest of the MU s To view the attributes of a NAC Include list 1 Select Network Wireless LANs from the main menu tree 2 Select the NAC Include List Configuration tab to view and configure NAC enabled devices 3 The Include Lists field displays the list of devices that can be included on a WLAN a printer for ex...

Page 158: ...d click on the Delete button Adding an Include List to a WLAN To add a device to a WLAN s include list configuration 1 Select Network Wireless LANs from the main menu tree 2 Select the NAC Include tab to view and configure NAC Include enabled devices 3 Click on the Add button in the Include Lists area 4 Enter the name of the device to include for NAC authentication 5 Refer to the Status field It d...

Page 159: ...T GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the controller 8 Click OK to save and add the new configuration and close the dialog window 9 Click Cancel to close the dialog without committing updates to the running configuration Mapping Include List Items to WLANs To assign include list items to a one or m...

Page 160: ...l to close the dialog without committing updates to the running configuration Configuring the NAC Exclusion List The controller provides a means to bypass NAC for 802 1x devices without a NAC agent For Motorola handheld devices like the MC9000 which are supported by the Extreme Networks Summit WM3000 series controller authentication is achieved using an exclusion list A list of MAC addresses calle...

Page 161: ...ton to add a device that can be excluded on a WLAN For more information see Adding an Exclude List to the WLAN on page 162 The List Configuration field displays a list of MAC addresses that can be excluded from a WLAN You can add more than one device to this list 4 Use the Add button within the List Configuration field to add devices excluded from NAC compliance on a WLAN You can create up to 32 l...

Page 162: ...tion 5 Refer to the Status field It displays the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the controller 6 Click OK to save and add the new configuration and close the dialog window 7 Click Cancel to close the dialog without committ...

Page 163: ...equests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the controller 9 Click OK to save and add the new configuration and close the dialog window 10 Click Cancel to close the dialog without committing updates to the running configuration Mapping Exclude List Items to WLANs To assign exclude list ...

Page 164: ...rror messages if something goes wrong in the transaction between the applet and the controller 7 Click OK to save and add the new configuration and close the dialog window 8 Click Cancel to close the dialog without committing updates to the running configuration NAC Configuration Examples Using the Controller CLI The following are NAC include list exclude list and WLAN configuration examples using...

Page 165: ...exclude list WLANController config wireless client list station pc10 AB BC CD DE EF FA WLANController config wireless client list 3 Associate the exclude list to a WLAN WLANController config wireless client list wlan 1 WLANController config wireless client list Configuring the WLAN for NAC Many handheld devices are required to bypass NAC and a few laptops and desktops are required to be NAC valida...

Page 166: ...92 168 1 40 WLANController config wireless d Configure the secondary server s Radius Key WLANController config wireless wlan 1 radius server secondary radius key my rad secret 2 WLANController config wireless 4 Configure the NAC server s timeout and re transmit settings The timeout parameter configures the duration for which the controller waits for a response from the Radius server before attempt...

Page 167: ... help optimize controller positioning and configuration in respect to a WLAN s MU throughput requirements and can help detect rogue devices For more information refer to the Extreme Networks Web site Viewing MU Status To view MU Status is detail 1 Select Network Mobile Units from the main menu tree 2 Click the Status tab The Status screen displays the following read only device information for MUs...

Page 168: ...tent of the table to a Comma Separated Values file CSV 7 Click the Edit MAC Name button to change the MAC name associated with the selected MU s MAC Address MAC Address Each MU has a unique Media Access Control MAC address through which it is identified This address is burned into the ROM of the MU MAC Name Displays the MAC name associated with each MU s MAC Address The MAC Name is a user created ...

Page 169: ...tate of the MU This field has two potential settings PSP indicates if the MU is operating in PSP mode In PSP the MU runs enough power to check for beacons and is otherwise inactive CAM indicates the MU is continuously aware of all radio traffic CAM is recommended for MUs transmitting frequently WLAN Displays of the WLAN the MU is currently associated with VLAN Displays the VLAN parameter for the n...

Page 170: ...rts 802 11a only and 802 11g MUs Base Radio MAC Displays the SSID of the Access Point when initially adopted by the controller BSS Address Displays the MU s BSSID Voice Displays whether or not the MU is a voice capable device Traffic from a voice enabled MU is handled differently than traffic from MUs without this capability MUs grouped to particular WLANs can be prioritized to transmit and receiv...

Page 171: ...me for the MU being added to the list 4 Click OK to use the changes to the running configuration and close the dialog 5 Click Cancel to close the dialog without committing updates to the running configuration Viewing MU Statistics The Statistics screen displays read only statistics for each MU Use this information to assess if configuration changes are required to improve network performance If a ...

Page 172: ...played within the MU Statistics table Radio Index Displays a numerical identifier used to associate a particular Radio with a set of statistics The Index is helpful for distinguishing the radio from other radios with a similar configuration AP Type Displays the type of AP the MU is currently associated to Use this information to discern whether the MU is optimally supported by this radio versus ot...

Page 173: ...e period 1 hour 4 Refer to the Information field for the following information Throughput Mbps Displays the average throughput in Mbps between the selected MU and the Access Point The Rx column displays the average throughput in Mbps for packets received on the selected MU from the Access Point The Tx column displays the average throughput for packets sent on the selected MU from the Access Point ...

Page 174: ...the applet and the controller Pkts per second Displays the average packets per second received by the MU The Rx column displays the average packets per second received on the selected MU The Tx column displays the average packets per second sent on the selected MU Throughput Displays the average throughput in Mbps between the MU and the Access Point The Rx column displays the average throughput in...

Page 175: ...statistics details 1 Select Network Mobile Units from the main menu tree 2 Click the Voice Statistics tab 3 Refer to following details as displayed for voice data traffic with MUs Call Index Displays a numerical identifier used to associate a particular voice call with a set of statistics The Index is helpful for distinguishing the call from others with similar attributes MAC Address Displays the ...

Page 176: ...pdates to a APs description as well as their current authentication and encryption schemes NOTE The Summit WM3600 can support a maximum of 256 Access Points The Summit WM3700 can support a maximum of 1024 Access Points However port adoption per controller is determined by the number of licenses acquired Call State Displays the call state of the MU s call session Call Codec Displays the call codec ...

Page 177: ...screen consists of the following tabs Configuring Access Point Radios Viewing AP Statistics Configuring WLAN Assignment Configuring WMM Configuring Access Point Radio Bandwidth Viewing Mesh Statistics Voice Statistics Configuring Access Point Radios Refer to the Configuration tab to view existing radio configurations available to the controller After reviewing the radios listed you have the option...

Page 178: ...o AP Type Displays the type of Access Point detected The controllers support Extreme Networks AP35XX model Access Points Type Use the Type to identify whether the radio is 802 11a radio or an 802 11bg radio Adopted Displays the radio s adoption status If the radio is adopted a green check displays If the radio is not adopted a red X displays Parent AP MAC Address Displays the Access Point s Ethern...

Page 179: ...annel and Desired Channel are the same If using ACS Automatic Channel Selection the controller selects a channel for the radio The Desired Channel displays ACS and the Actual channel displays the channel selected for the radio When set to Random the applet determines the channel s designation AP Manufacturer Displays the kind of AP listed by each index Actual Channel When the radio s channel is co...

Page 180: ...hen using clustering and the Cluster GUI feature is enabled a drop down menu will be available to select which cluster members Access Point radios are displayed To view Access Point radios from all cluster members select All from the drop down menu To view Access Point radios from a specific cluster member select that member s IP address from the drop down menu 11 Click the Global Settings button ...

Page 181: ...on to open a new dialogue with port authentication configuration information 8 Click OK to save the changes and return to the previous screen Port Authentication To configure the port authentication settings on an Access Point 1 Select Network Access Point Radios from the main menu tree 2 Click the Configuration tab 3 Click the Global Settings button 4 Click the Configure Port Authentication butto...

Page 182: ... screen display can vary slightly depending on whether the Access Point radio is an 802 11a or 802 11bg model To edit a radio s configuration 1 Select Network Access Point Radios from the main menu tree 2 Click the Configuration tab 3 Select a radio to edit from the table 4 Click the Edit button to display a screen containing settings for the selected radio 5 For the Radio Descr enter a brief desc...

Page 183: ... Configuration screen 10 From within the Radio Settings field define the Placement of the Access Point as either Indoors or Outdoors An Access Point can be set for Indoors or Outdoors use depending on the model and the placement location Power settings and channel selection options differ based on each country s regulatory rules and whether or not the unit is placed indoors or outdoors 11 Select a...

Page 184: ...se the drop down menu to configure the Antenna Diversity settings for Access Points using external antennas Options include Full Diversity Utilizes both antennas to provide antenna diversity Primary Only Enables only the primary antenna Secondary Only Enables only the secondary antenna Antenna Diversity should only be enabled if the Access Point has two matching external antennas Default value is ...

Page 185: ...ices used are 802 11g or 802 11a only The proper co existence of 802 11b and 802 11g is ensured thru RTS CTS mechanism On 802 11g radios CTS to self is enabled irrespective of whether or not 11b rates are enabled or disabled When ERP Protection is ON the 11bg radio will perform a CTS to self before it transmits the frame Beacon Interval Specify a beacon interval in units of 1 024 microseconds K us...

Page 186: ...rates for the target radio This allows the radio to sync with networks using varying data rates and allows the radio to default to a predefined set of data rates when higher data rates cannot be maintained To configure Rate Settings for a radio 1 Click the Rate Settings button within the radio edit screen to launch a new screen with rate setting information 2 Check the boxes next to all the Basic ...

Page 187: ...for inclusion within the Configuration screen Use the Add screen to add the new radio s MAC address and define its radio type To add a Radio to the controller 1 Select Network Access Point Radios from the main menu 2 Click the Configuration tab 3 Click the Add button to display at screen containing settings for adding a radio NOTE Once an AP has been added to a controller its country setting can b...

Page 188: ...re will be available Click the Apply to Cluster button to apply the AP radio settings to all members in the cluster 10 Click OK to use the changes to the running configuration and close the dialog 11 Click Cancel to close the dialog without committing updates to the running configuration Defining the AP Radios Mesh Configuration A separate mesh configuration can be set for each AP radio Define mes...

Page 189: ...k Extreme Networks recommends creating and naming a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non Mesh supported WLANs Mesh Time Out Define whether one of the radio s beacons uses an uplink connection The Mesh Timeout value is not available on a single radio AP since the radio would have to stop beaconing and go into scan mode to determine if a bas...

Page 190: ...e the radio from other device radios Type Identifies whether the radio is an 802 11a radio or an 802 11 bg radio MUs Displays the number of MUs currently associated with the Access Point Throughput Mbps Displays the average throughput in Mbps for the selected radio The Rx column displays the average throughput in Mbps for packets received on the selected radio The Tx column displays the average th...

Page 191: ...sh screen contents after making changes to the filtering criteria When filtering is disabled a message is displayed at the bottom of the screen Similarly when filtering is enabled the filtering criteria is displayed at the same place on the screen Viewing AP Statistics in Detail The Details screen provides additional and more specific traffic performance and error information for the selected radi...

Page 192: ... number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour Avg Bit Speed Displays the average bit speed in Mbps on the selected radio This includes all packets that are sent and received The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour N...

Page 193: ...ics tab 3 Select a radio index from the table displayed in the Statistics screen and click the Graph button 4 Select a checkbox to display that metric charted within the graph Do not select more than four checkboxes at any one time 5 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between...

Page 194: ...ust be the primary WLAN 5 Select a WLAN Assignment by index and click the Edit button at the bottom of the screen to modify its properties For more information see Editing a WLAN Assignment on page 194 Editing a WLAN Assignment The properties of an existing WLAN assignment can be modified to meet the changing needs of your network In order to edit WLAn assignment the WLAN must allow manual radio m...

Page 195: ...d to edit the WLAN assignment 4 Use the Primary WLAN drop down menu to select a Primary WLAN used for mapping enabled WLANs 5 Select any of the WLANs available within the table to assign them to the selected Primary WLAN 6 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet...

Page 196: ... Point associated with the index The Access Point name comes from the description field in the Radio Configuration screen Access Category Displays the Access Category currently in use There are four categories Video Voice Best Effort and Background Click the Edit button to change the current Access Category Ensure the Access Category reflects the radio s intended network traffic AIFSN Displays the...

Page 197: ...h a screen displaying the WMM configuration for that radio 4 Enter a number between 0 and 15 for the AIFSN value for the selected radio The AIFSN value is the current Arbitrary Inter frame Space Number Higher priority traffic categories should have lower AIFSNs than lower priority traffic categories This will causes lower priority traffic to wait longer before trying to access the medium 5 Enter a...

Page 198: ...d from the radio for the WLAN For information on revising the weight assigned to each radio in respect to its intended operation within its assigned WLAN see Editing the WLAN Configuration on page 113 To view existing radio bandwidth weight settings 1 Select Network Access Point Radios from the main menu tree 2 Click the Bandwidth tab Bandwidth information displays per radio with the following dat...

Page 199: ...ress Displays the Media Access Control MAC address for each Access Point Connection Type Displays the connection type for each Access Point Radio Index The Radio Index is a numerical value assigned to the radio as a unique identifier For example 1 2 or 3 The index is helpful for differentiating radios of similar type and configuration Type Displays the radio type of the corresponding APs Available...

Page 200: ...e Voice Statistics tab 3 Click the Last 30s radio button to display Voice statistics for the last 30 seconds This option is helpful when troubleshooting issues as they actually occur 4 Click the Last Hr radio button to displays Voice statistics for the last 1 hour This metric is helpful in baselining events over a one hour interval 5 The following statistics are displayed Non UNI Non Uni is the pe...

Page 201: ...otal number of packets dropped by each Access Point Delay to AP Displays the current delay time for each Access Point MUs Associated Displays the total number of mobile units associated with each Access Point Index Displays the numerical identifier assigned to each MU Protocol Displays which voice protocol is being used for the selected call Voice protocols include Spectralink H 323 Successful Cal...

Page 202: ...lts Use the Access Point Adoption Defaults screen to configure the current radio adoption configurations assigning WLANs and security schemes and to review each radio type as well as the Access Category that defines which data type Video Voice Best Effort and Background the radio has been configured to process It has the following tabs Configuring AP Adoption Defaults Configuring WLAN Assignment C...

Page 203: ...rn off filtering and display all information Use this button and the Filter Entire Table button to refresh screen contents after making changes to the filtering criteria When filtering is disabled a message is displayed at the bottom of the screen Similarly when filtering is enabled the filtering criteria is displayed at the same place on the screen Type Displays whether the radio is an 802 11a ra...

Page 204: ...mation as part of its DHCP information The controller IP address should be the IP address where APs are adopted It should not be set to 0 0 0 0 Editing Default Access Point Adoption Settings Use the Edit screen to dedicate a target radio as a detector radio as well as change the radios settings placement power and channel and advanced properties antenna setting maximum associations adoption prefer...

Page 205: ... will fail to be set as a detector 6 Select the Single channel scan for Unapproved APs checkbox to enable the controller to detect rogue devices using its only its current channel of operation 7 Within the Radio Settings field configure the Placement of the radio as either Indoors or Outdoors The setting will affect the selection channel and power levels Default is Indoor 8 Select a channel for co...

Page 206: ...ings for the Advanced Properties section are sufficient for most users If needed additional radio settings can be modified for the following properties Antenna Diversity Use the drop down menu to configure the Antenna Diversity settings for Access Points using external antennas Options include Full Diversity Utilizes both antennas to provide antenna diversity Primary Only Enables only the primary ...

Page 207: ...le RTS CTS unless the network and all the devices used are 802 11g or 802 11a only The proper co existence of 802 11b and 802 11g is ensured thru RTS CTS mechanism On 802 11g radios CTS to self is enabled irrespective of whether or not 11b rates are enabled or disabled When ERP Protection is ON the 11bg radio will perform a CTS to self before it transmits the frame Beacon Interval Specify a beacon...

Page 208: ... of basic and supported rates for the target radio This allows the radio to sync with networks using varying data rates and allows the radio to default to a predefined set of data rates when higher data rates cannot be maintained To configure a radio s rate settings 1 Click the Rate Settings button in the radio edit screen to launch a screen wherein rate settings can be defined for the radio 2 Che...

Page 209: ...on between the applet and the controller 6 Click OK to use the changes to the running configuration and close the dialog 7 Click Cancel to close the dialog without committing updates to the running configuration Configuring WLAN Assignment Use the WLAN Assignment tab to assign WLANs and security schemes To view existing WLAN Assignments 1 Select Network Access Point Adoption Defaults from the main...

Page 210: ...adio was selected the applet will automatically assign one WLAN to each BSS in order and that WLAN will be set as the Primary WLAN for the BSS The primary WLAN is the only SSID to broadcast on the beacon Other WLANs are present and respond to probe responses from mobile units If the number of WLANs selected is greater than the number of BSSIDs the remaining WLANs are included with the last BSS Ass...

Page 211: ... cannot be modified Access Category Displays the Access Category currently in use There are four categories Video Voice Best Effort and Background Click the Edit button to change the current Access Category Ensure the Access Category reflects the radios intended network traffic AIFSN Displays the current Arbitrary Inter frame Space Number AIFSN Higher priority traffic categories should have lower ...

Page 212: ... is selected for the back off mechanism Lower values are used for higher priority traffic 7 Enter a value between 0 and 15 for the Contention Window maximum value The CW Maximum is combined with the CW Minimum to make the Contention Window From this range a random number is selected for the back off mechanism Lower values are used for higher priority traffic 8 Refer to the Status field for the cur...

Page 213: ...elpful when troubleshooting problems with the Access Point IP Address Displays the IP address of the adopted Access Point Bootloader Displays the software version the Access Point boots from This information can be helpful when troubleshooting problems Protocol Version Displays the version of the interface protocol between the Access Point and the controller This information can be helpful when tr...

Page 214: ...utton at the bottom of the screen to display a screen wherein the properties of a new radio can be added for adoption to the controller When displayed the screen prompts for the MAC address and type of radio Complete the fields and click the OK button to add the radio 4 Click the Export button at the bottom of the screen to export the contents of the table to a Comma Separated Values file CSV Inde...

Page 215: ...P option 189 to specify each controller IP address Configure a DNS Server to resolve an existing name into the IP of the controller The Access Point has to get DNS server information as part of its DHCP information Configuring AP Firmware Refer to the AP Firmware tab to view the Access Point firmware image associated with each adopted Access Point The screen allows you to update the firmware image...

Page 216: ...are from the system use the Edit option Adding a New AP Firmware Image To add AP Firmware Image settings NOTE The AP firmware image must exist in the Controller file system CF or USB before it can be added to the AP firmware image path using this function Use the Controller File Management screen to copy the image to the Controller For more information see Controller File Management on page 73 1 S...

Page 217: ...s in order for them to be selected NOTE If you want to delete a firmware image keep in mind the delete functionality only deletes the mapping of an AP image type and image file it does not delete the image file from the system To delete the AP image firmware from the system use the Edit option from within the AP Firmware tab 7 Click the OK button to save the changes and return to the AP Firmware t...

Page 218: ...unning legacy STP and RSTP implementations Multiple Spanning Tree Instance MSTI The MSTI is identified by an MSTP identifier MSTPid value from 1 to 15 This defines an individual instance of a spanning tree One or more VLANs can be assigned to an MSTI A VLAN cannot be assigned to multiple MSTIs The multiple spanning tree instance 0 is always present VLANs not explicitly assigned to an instance are ...

Page 219: ... following Global MSTP Status Use the drop down menu to define MSTP status The default is Enabled Max Hop Count Displays the maximum allowed hops for a BPDU Bridge Protocol Data Unit in an MSTP region This value is used by all the MSTP instances Supported Versions Displays the different versions of STP supported Protocol Version Displays the current protocol version in use Available MSTP protocol ...

Page 220: ...ble BPDU guard for all portfast enabled ports When the BPDU Guard feature is set for bridge all portfast enabled ports of the bridge that have BPDU set to default shutdown the port on receiving a BPDU Hence no BPDUs are processed Admin Cisco Mode Select this checkbox to enable interoperability with Cisco s Admin version of MSTP which is incompatible with standard MSTP Operator Cisco Mode Select th...

Page 221: ...opology changes before forwarding frames In addition each port needs time to listen for conflicting information that would make it return to a blocking state otherwise temporary data loops may result CIST Bridge Forward Delay Displays the configured forward delay period CIST Bridge Maximum Age Enter the CIST bridge maximum age received from the root bridge The max age is the maximum time in second...

Page 222: ...s assigned to an individual bridge based on whether it is selected as the root bridge The lower the priority the greater likelihood the bridge becoming the root for this instance Bridge ID Bridge ID Displays the bridge id of the bridge for this instance Designated Root Displays the ID of the root bridge that sent the BPDU received on this port Internal Root Cost Displays the configured path cost o...

Page 223: ...he Bridge Instance tab with now display the new instance ID 7 Click Cancel to disregard the new Bridge Instance ID Associating VLANs to a Bridge Instance 1 Select Network Multiple Spanning Tree from the main menu tree 2 Select the Bridge Instance tab 3 Select an ID from the table within the Bridge Instance tab and click on the Add VLANs button 4 Enter a VLAN ID between 1 to 4094 in the VLAN ID fie...

Page 224: ... ensure you scroll to the right to view the numerous port variables described Index Displays the port index Admin MAC Enable Displays the status of the Admin MAC Change the status using the Edit button A green check mark indicates the Admin MAC Enable status is active enabled Oper MAC Enable This field displays the status of the Oper MAC Enable You can change the status using the Edit button A gre...

Page 225: ... BPDU When this occurs the BPDU is not processed OperPort PortFast Bpdu Guard Displays the whether BPDU Guard is currently enabled for this port When the OperPort PortFast BPDU Guard feature is set for a bridge all portfast enabled ports that have the bpdu guard set to default shut down the port on receiving a BPDU When this occurs the BPDU is not processed Port Version Displays the port version a...

Page 226: ...a legacy 802 1D configuration BPDU it only sends 802 1D BPDUs over its port from that point on Enable this option to restart detection of whether the port is connected to an MSTP capable bridge or a legacy 802 1 bridge Admin Edge Port A green checkmark defines the listed index enabled as an Admin Edge Port and a red X defines the listed index as not being an Admin Edge Port Enable it only on ports...

Page 227: ...nable guard root for this port Typically each guard root port is a designated port unless two or more ports within the root bridge are connected together If the bridge receives superior BPDUs on a guard root enabled port the guard root moves the port to a root inconsistent STP state This state is equivalent to a listening state No data is forwarded across the port Thus the guard root enforces the ...

Page 228: ...000 1000000000 bits sec 20000 10000000000 bits sec 2000 100000000000 bits sec 200 1000000000000 bits sec 20 1000000000000 bits sec 2 Admin Point to Point status Define the point to point status as ForceTrue or ForceFalse ForceTrue indicates this port should be treated as connected to a point to point link ForceFalse indicates this port should be treated as having a shared connection A port connect...

Page 229: ...Root Cost Displays the Internal Root Cost of a path associated with an interface The lower the path cost the greater likelihood of the interface becoming the root Designated Bridge Displays the ID of the bridge that sent the best BPDU Designated Port Designated Port Displays the ID of the port that is the designated port for that instance Priority Displays the port priority set for that port and i...

Page 230: ...ion between hosts and routers by processing layer 3 packets IGMP packets sent in a multicast network The goal of IGMP is to learn multicast router ports and snoop IGMP join requests reports to build a portal list to forward multicast packet to interested hosts only on that Portal thus optimizing the flooding of multicast packets Port Instance ID Read only indicator of the instance ID used as a bas...

Page 231: ...sn t receive a report message for a particular group for a period of time the router assumes there are no more members of the group on the link The IGMP Snooping screen is partitioned into two tabs supporting the following activities IGMP Snooping Configuration IGMP Snoop Querier Configuration IGMP Snooping Configuration To view and configure IGMP snooping 1 Select Network IGMP Snooping from the m...

Page 232: ...hich snooping and unknown multicast forward is enabled or disabled Snoop Enable Displays whether IGMP snooping is enabled disabled on the VLAN Index listed Unknown Multicast Forward Displays whether unknown multicast traffic is enabled disabled on the VLAN Index listed Learning Mode Displays the learning mode the controller uses to listen to messages to detect router ports with IGMP snooping Modes...

Page 233: ... under circumstances where the user wants to accommodate a query loss due to a multicast router being down or a query loss in the network The present timeout is used to detect query loss and activate the controller querier Controller topology changes are roaming clients Joining or going away is handled by proxy querying which is part of IGMP snoop functionality not the querier On wired side all mu...

Page 234: ... IP address on the controller used while generating the general IGMP query Present Timeout 60 300 Secs The snooping controller does not rely on IGMP group leave announcements to determine when entries should be removed from the forwarding table It implements a last membership query mechanism such as the router side functionality of the IGMP protocol as described in the IGMP and MLD specifications ...

Page 235: ... its non router ports Define a timeout value as required between 60 300 seconds Hosts that have silently opted out without sending a leave message are discarded if they do not respond with join reports on the next query interval Max Response Time Defines the maximum response time for the controller to receive a report If the controller does not receive a report it discards this port If it receives...

Page 236: ...Network Setup Summit WM3000 Series Controller System Reference Guide 236 6 Select OK to save the edits to the configuration Selecting Cancel reverts the configuration to its previous settings ...

Page 237: ... Services main menu item NOTE When the controller s configuration is successfully updated using the Web UI the affected screen is closed without informing the user their change was successful However if an error were to occur the error displays within the affected screen s Status field In the case of file transfer operations the transfer screen remains open during the transfer operation and remain...

Page 238: ...ermitted to use the leased IP address NTP Time Management Displays whether time management is currently enabled or disabled Network Time Protocol NTP manages time and or network clock synchronization within the controller managed network NTP is a client server implementation Redundancy Service Displays whether Redundancy is currently enabled or disabled One or more controllers can be configured as...

Page 239: ...e Enable DHCP Server checkbox to enable the controller s internal DHCP Server for use with global pools 3 Select the Ignore BOOTP checkbox to bypass a BOOTP request 4 Define an interval from 1 10 seconds for the Ping timeout variable The controller uses the timeout to intermittently ping and discover whether the client requested IP address is already used 5 Refer to the following as displayed with...

Page 240: ... the screen being lost 13 Click the Revert button to display the last saved configuration Unapplied changes are not saved and must be re entered Editing the Properties of an Existing DHCP Pool The properties of an existing pool can be modified to suit the changing needs of your network To modify the properties of an existing pool 1 Select Services DHCP Server from the main menu tree 2 Select an ex...

Page 241: ... to its clients Infinite If selected the client can used the assigned address indefinitely Actual Interval Select this checkbox to manually define the interval for clients to use the DHCP server assigned addresses The default lease time is 1 day with a minimum setting of 1 minute 10 Within the Servers field change the server type used with the pool and use the Insert and Remove buttons to add and ...

Page 242: ...er the name of the IP pool from which IP addresses can be issued to client requests on this interface 4 Provide the Domain name as appropriate for the interface using the pool 5 Enter the NetBios Node used with this particular pool The NetBios Node could have one of the following types ...

Page 243: ...s clients Infinite If selected the client can use the assigned address indefinitely Actual Interval Select this checkbox to manually define the interval for clients to use DHCP supplied addresses The default lease time is 1 day with a minimum setting of 60 seconds and a maximum value of 946080000 seconds 9 Within the Servers field change the server type used with the pool and use the Insert and Re...

Page 244: ...ng configuration and forward the updates to the other peer controllers comprising the mobility domain 7 Refer to the Status field The Status is the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the controller 8 Click Cancel to close the ...

Page 245: ... addresses of the DNS servers 8 Click OK to save and add the changes to the running configuration and close the dialog 9 Refer to the Status field The Status is the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the controller 10 Click Ca...

Page 246: ...HCP client requests on this interface The pool is the range of IP addresses for which addresses can be assigned IP Address Displays the IP address for the client on this interface using the pool name listed Hardware Address Displays the type of interface used to pass DHCP discover and request exchanges between the controller DHCP server and DHCP Clients The Hardware Address field also displays the...

Page 247: ... Server DDNS Values on page 244 Configuring Excluded IP Address Information The DHCP Server may have some IP addresses unavailable when assigning IP address ranges for a pool If IP addresses have been manually assigned and fixed they need to be made available for the administrator to exclude from possible selection To view excluded IP address ranges 1 Select Services DHCP Server from the main menu...

Page 248: ...nt on one of the controller s available VLANs NOTE DHCP Server and relay can run on different controller VLAN interfaces In the illustration above a DHCP relay address has been configured on subnet 2 The CLI equivalent is ip helper address subnet1 External DHCP Server IP subnet1 Interface Name When configuring a DHCP Relay address specify the other interface where the external DHCP Server can be r...

Page 249: ...uld not be set to a VLAN interface used by the controller 5 Click the Edit button to modify the properties displayed on an existing DHCP pool Refer to step 7 for the information that can be modified for the DHCP relay 6 To delete an existing DHCP pool from the list of those available to the controller highlight the pool from within the Network Pool field and click the Delete button NOTE The interf...

Page 250: ...nning configuration Viewing DDNS Bindings The DDNS Bindings tab displays mappings between client IP addresses and domain names DDNS keeps a domain name linked to a changing IP address Typically when a user connects to a network the user s ISP assigns an unused IP address from a pool of IP addresses usually done through a DHCP server This address is only valid for a limited time The mechanism of dy...

Page 251: ...imes There are two types of bindings manual and automatic Manual bindings map a hardware address to a IP address statically Automatic bindings dynamically map a hardware address to an IP address from a pool of available addresses To view detailed binding information 1 Select Services DHCP Server from the main menu tree 2 Select the Bindings tab IP Address Displays the IP address assigned to the cl...

Page 252: ...address from a pool of available addresses The Dynamic Bindings tab displays only automatic bindings To view detailed Dynamic DHCP Binding Status information 1 Select Services DHCP Server from the main menu tree 2 Select the Dynamic Bindings tab IP Address Displays a IP address for each client with a listed MAC address This column is read only and cannot be modified MAC Address Client ID Displays ...

Page 253: ...y their user class name The DHCP server assigns IP addresses from multiple IP address ranges The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the defined range To view the attributes of existing host pools 1 Select Services DHCP Server from the main menu tree 2 Select the User Class tab to view ...

Page 254: ...the Edit button to modify the properties displayed for an existing DHCP User Class Name For more information see Editing the Properties of an Existing DHCP User Class on page 255 7 To delete an existing DHCP user class and its associated option names from the list available to the DHCP server select the user class from the User Class Name field and click Delete Adding a New DHCP User Class A DHCP ...

Page 255: ...user class options d Click OK to save and add the new configuration e Refer to the Status field It displays the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the controller f Click Cancel to close the dialog without committing updates to...

Page 256: ...equests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the controller f Click Cancel to close the dialog without committing updates to the running configuration Configuring DHCP Pool Class The DHCP server can associate multiple classes to each pool Each class in a pool is assigned an exclusive ran...

Page 257: ...Names field and click the Delete button 6 Click the Add button create a new pool class name For more information see Adding a New DHCP Pool Class on page 258 Editing an Existing DHCP Pool Class The Edit DHCP Pool Class Configuration dialog is used to edit the association of a DHCP pool name to a DHCP class name It is also used to configure a maximum of 4 pool class address range To revise an exist...

Page 258: ...o the running configuration Adding a New DHCP Pool Class The Add DHCP Pool Class Configuration dialog is used to associate an existing class created using Adding a New DHCP User Class on page 254 to an existing pool created using Adding a New DHCP Pool on page 241 It is also used to configure a maximum of 4 pool class address range To add a new DHCP pool class 1 Select Services DHCP Server from th...

Page 259: ...ed server to supply system time or can use several forms of SNTP messaging to sync system time with network traffic authenticated and secure for controller interoperation NOTE Often the controller NTP status will not be adequately updated after modifying the NTP configuration Periodically check the controller NTP status when making changes to ensure the proper time is displayed as it may take awhi...

Page 260: ...access to SNTP resources Server and Query Access Enter a numeric ACL ID from the drop down menu to provide the ACL Server and Query access to SNTP resources Only Server Access Provide a numeric ACL ID from the drop down menu to provide the ACL only server access to SNTP resources Authenticate Time Sources Select this checkbox to ensure credential authentication takes place between the SNTP server ...

Page 261: ...y chooses the SNTP resource with the lowest stratum number The SNTP supported controller is careful to avoid synchronizing to a server that may not be accurate Thus the SNTP enabled controller never synchronizes to a machine not synchronized itself The SNTP enabled controller compares the time reported by several sources and does not synchronize to a time source whose time is significantly differe...

Page 262: ...ion allowing the controller to reference multiple passwords This makes password migration easier and more secure between the controller and its NTP resource Key Value Displays the authentication value used to secure the credentials of the server providing system time to the controller Trusted Key If a checkmark appears a trusted key has been associated with a domain name A trusted key is added whe...

Page 263: ... operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the controller 10 Click OK to save and add the changes to the running configuration and close the dialog 11 Click Cancel to close the dialog without committing updates to the running configuration Defining a NTP Neighbor Configuration The controller s NTP associatio...

Page 264: ...ver is on the same subnet as the controller to provide SNTP support Neighbor Type Displays whether the NTP resource is a Peer another associated peer device capable of SNTP support or a Server a dedicated NTP server resource This designation is made when adding or editing an NTP neighbor Key ID Displays whether AutoKey Authentication or Symmetric Key Authentication is used to secure the interactio...

Page 265: ...ure NTP from the main menu tree 2 Select the NTP Neighbor tab 3 Click the Add button 4 Select the Peer checkbox if the SNTP neighbor is a peer to the controller non FTP server within the controller s current subnet 5 Select the Server checkbox if the neighbor is a server within the controller s current subnet 6 Select the Broadcast Server checkbox to allow the controller to listen over the network...

Page 266: ... The controller sends its designated public key to the server for credential verification and the two exchange messages This option is disabled when the Broadcast Server checkbox is selected 12 Select the Symmetric Key Authentication checkbox to use a single symmetric key for encryption and decryption Since both the sender and the receiver must know the same key it is also referred to as shared ke...

Page 267: ...ources and does not synchronize to a time source whose time is significantly different than others even if its stratum is lower When Displays the date and time when the SNTP association was initiated Has the association been trouble free over that time Peer Poll Displays the maximum interval between successive messages in seconds to the nearest power of two Reach Displays the status of the last ei...

Page 268: ... to display performance status information relative to the controller s current NTP association Verifying the controller s SNTP status is important to assess which resource the controller is currently getting its system time from as well as the time server s current differences in time attributes as compared to the current controller time CAUTION After an NTP synchronization using a Symmetric Key ...

Page 269: ...sion accuracy of the controller s time clock in Hz The values that normally appear in this field range from 6 for mains frequency clocks to 20 for microsecond clocks found in some workstations Reference time Displays the time stamp at which the local clock was last set or corrected Clock Offset Displays the time differential between controller time and the NTP resource Root delay The total round t...

Page 270: ...e All members can be configured using a common file cluster config using DHCP options This functionality provides an alternative method for configuring members collectively from a centralized location instead of configuring specific redundancy parameters on individual controllers Configure each controller in the cluster by logging in to one participating controller The administrator does not need ...

Page 271: ...responses This time based response mechanism eliminates the possibility of indefinite response hangs and allows for quicker redundancy group configuration There is no fixed master slave relationship between members Typically a controller can be considered a master for the command it originates Responding members can be considered slaves with respect to that command This virtual master slave relati...

Page 272: ...llowing Configuring Redundancy Settings Reviewing Redundancy Status Configuring Redundancy Group Membership Redundancy Group License Aggregation Rules Managing Clustering Using the Web UI Configuring Redundancy Settings To configure controller redundancy 1 Select Services Redundancy from the main menu tree The Redundancy screen displays with the Configuration tab selected ...

Page 273: ...beat period Meaning if three consecutive heartbeats are not received from the peer the peer is assumed down and unreachable The hold time is required to be longer than the heartbeat interval Configure a hold time between 10 and 255 seconds The default is 15 seconds Critical Resource Enter the IP address of the critical resource When the heartbeat is lost this resource will be checked for reachabil...

Page 274: ...arts a timer based on the auto revert interval At the expiry of auto revert interval if the primary controller is still up the standby controller releases all adopted APs and goes back to a monitoring mode The expiry timer either will be stopped or restarted if the primary controller goes down and comes up during the auto revert interval Revert Now Reverts an active fail over standby controller to...

Page 275: ... tree The Redundancy screen displays with the Configuration tab selected 2 Select the Status tab 3 Refer to the Status field to assess the current state of the redundancy group State Displays the new state status of the redundancy group after a Trigger event has occurred Time Displays the Timestamp time zone specific when the state change occurred Trigger Displays the event causing the redundancy ...

Page 276: ...ndance of rogues has been located by a particular controller and thus escalates a security issue with a particular controller Radios in group Displays the combined number sum of radios a amongst all the members of the redundancy group Mobile Units in group Displays the combined number of MU associations for the members of the redundancy group Compare this number with the number of MUs on this cont...

Page 277: ...are a minimum of 2 members needed to comprise a Redundancy Group including the initiating controller To configure controller redundancy memberships 1 Select Services Redundancy from the main menu tree The Redundancy screen displays with the Configuration tab selected 2 Select the Member tab Mobile Units on this controller Displays the number of MUs currently associated with the radio s used with t...

Page 278: ...ntroller Services Summit WM3000 Series Controller System Reference Guide 278 3 Refer to the following information within the Member tab IP Address Displays the IP addresses of the redundancy group member ...

Page 279: ...ighlight a member of the group and select the Details button Status Displays the current status of this group member This status could have the following values Configured The member is configured on the current wireless service module Seen Heartbeats can be exchanged between the current controller and this member Invalid Critical redundancy configuration parameter s of the peer heartbeat time dis...

Page 280: ...roller and this member Invalid Critical redundancy configuration parameter s of the peer heartbeat time discovery time hold time Redundancy ID Redundancy Protocol version of this member do not match this controller s parameters Not Seen The member is no more seen by this controller Established The member is fully established with this current module and licensing information already been exchanged...

Page 281: ...his member Is the selected version complimentary with this controller s version First Seen Displays the time this member was first seen by the controller Last Seen Displays the time this member was last seen by the controller Mode The Redundancy Mode could be Active or Standby depending on the mode configuration on the member Refer to the Configuration screen to change the mode HB Sent Displays th...

Page 282: ...es S2 has Y licenses and S3 has Z licenses the license count is X Y Z the aggregation of each controller A cluster license is re calculated whenever a new controller brings existing licenses to a group or an existing controller s license value changes increases or decreases A simple controller reboot will not initiate a new cluster license calculation provided the re booted controller does not com...

Page 283: ...ndancy group is not operating with all its license contributing members Managing Clustering Using the Web UI Managing clustering in the Web UI is done through the Cluster GUI feature The Cluster GUI feature updates many key screens in the Web UI allowing you to see APs and MUs managed by all active members of a cluster To enable the Cluster GUI feature 1 Select Services Redundancy from the main me...

Page 284: ...ayer 3 mobility maintains TCP UDP sessions in spite of roaming among different IP subnets Layer 3 mobility is supported only for extended WLAN traffic not for the independent WLAN traffic A mobility domain comprises of a network of controllers among which an MU can roam seamlessly without changing its IP address Each controller in the mobility domain needs a mobility domain string identifier so MU...

Page 285: ...ing problems with working with MUs from different legacy devices which do not support Layer 2 switching Support for a maximum of 20 peers each handling up to a maximum of 500 MUs A full mesh of GRE tunnels can be established between mobility peers Each tunnel is between a pair of controllers and can handle data traffic for all MUs for all VLANs associated directly or indirectly with the MU Data tr...

Page 286: ...rent subnets 5 Refer to the table of WLANs and select the checkboxes of those WLANs you wish to enable Layer 3 mobility for Once the settings are applied MUs within these WLANs can roam amongst different subnets 6 Select the Enable Mobility checkbox to enable a MU to maintain the same Layer 3 address while roaming throughout a multi VLAN network 7 Select the All WLANs On button to enable mobility ...

Page 287: ...r 3 Mobility screen appears with the Configuration tab displayed 2 Select the Peer List tab 3 Refer to the contents of the Peer List for existing IP addresses and Layer 3 MU session status Use this information to determine whether a new IP address needs to be added to the list or an existing address needs to be removed 4 Select an IP address from those displayed and click the Delete button to remo...

Page 288: ...l its peers The MU is basically re synchronized to the new current controller but keeps its old IP address The same procedure is followed even if the new current controller is on a different layer 3 subnet but uses the same VLAN ID overlapping VLAN scenario Tracking these message counts is important to gauge the behavior within the mobility domain The Layer 3 Mobility screen contains a tab dedicat...

Page 289: ...ept the one from which it received the original message JOIN messages are always originated by the current controller JOIN messages are also used during the home controller selection phase to inform a candidate home controller about a MU The current controller selects the home controller based on its local selection mechanism and sends a JOIN message to the home controller that is forwarded it to ...

Page 290: ...enu tree 2 Select the MU Status tab L2 ROAMs sent rcvd Displays the number of Layer 2 ROAM messages sent and received When a MU roams to a new controller on a different layer 3 network MU is mapped to a different VLAN ID it sends a L3 ROAM message to the home controller with the new IP information for the current controller it is associated with The L3 ROAM message is then forwarded by the home co...

Page 291: ...coverage area and MU support base within the controller managed network Use the Discovery Profiles tab to view existing SNMP search profiles using a user defined range of IP addresses Existing profiles can be modified or deleted and new profiles can be added as needed Refer MU MAC Displays each listed Client s factory coded hardware address MU IP Address Lists each Client s assigned network IP add...

Page 292: ...is allows users to perform other configuration operations when discovery is running in the background Configuring Discovery Profiles To configure controller discovery 1 Select Services Discovery from the main menu tree The Discovery page launches with the Discovery Profiles tab displayed 2 Refer to the following information within the Discovery Profiles tab to discern whether an existing profile c...

Page 293: ...t be verified before the controller displays discovered devices within the Recently Found Devices table If SNMP v2 is used with a discovering profile a Read Community String screen displays The Community String entered is required to match the name used by the remote network management software of the discovered controller If SNMP v3 is used with a discovering profile a V3 Authentication screen di...

Page 294: ...overy process begins When completed the Discovery Results screen displays listing the name and network address attributes of those discovered devices Click Launch to make a discovered device s configuration available to the detecting controller Select Save to retain the discovery results with the detecting controller 7 Review the following information pertaining to the discovered device ...

Page 295: ...vered device is capable of sharing locationing information with the discovery profile Redundancy Group Id If the discovered device is a member of a redundancy group the group name is listed Number of APs Displays the number of APs managed by the controller capable of detecting the listed device Software Version Lists the software version currently running on each discovered device Product Displays...

Page 296: ...Each discovered device compatible with the locating controller is displayed in a shaded color to distinguish it from non compatible devices The controller Web UI enables users display the Web UI of the discovered device in a separate browser window To view the devices located by the controller 1 Select Services Discovery from the main menu tree 2 Select the Recently Found Devices tab Profile Name ...

Page 297: ...new search Software Version Displays the software version running on the discovered device Product Displays the name of the device discovered by the device search If the list of devices discovered is unsatisfactory consider configuring a new discovery policy and launching a new search Redundancy Group ID If the discovered device is part of a redundancy group its cluster ID displays within this col...

Page 298: ...ivers end user applications based on The location of mobile devices devices with location enabling technology such as a WiFi supported handheld Wi Fi laptop or cell phone The location of an attached tag a location enabled mobile device in miniaturized form for example a WiFi tag UWB tag or RFID tag that is attached to a person vehicles or a package An Extreme Networks WLAN controller can facilitat...

Page 299: ...e verifiers near me tags as installed in the facility Runtime RF environment SOLE is capable of providing locationing from external 3rd party location engines such as Aeroscout and Ekahau SOLE also has a self learning process that adapts with a changing environment SOLE also provides an open platform for supporting new architectures future algorithms or newer asset types Defining Site Parameters I...

Page 300: ...into the field below 5 Define the Dimensions used to define the site size Name Enter a name for the site where locationing is deployed This is for identification purposes only Description Provide a description of the site where locationing is deployed This is an optional field Length Enter the length of the site This is the X axis of your site map based on the origin point of 0 0 The size is eithe...

Page 301: ...coordinate is relative to the origin point of 0 0 in the upper left corner of the site map This value is user configured and not detected by the controller For information on how to configure AP location information see Adding AP Location Information on page 301 Location Y Coordinate Displays the value of the Y Coordinate for each AP The Y coordinate is relative to the origin point of 0 0 in the u...

Page 302: ...ference Guide 302 4 Provide the AP s MAC address and X Y and Z coordinates 5 Select OK when completed to save your AP configuration Configuring SOLE Parameters To configure the controller s internal SOLE locationing engine 1 Services RTLS from the main menu tree ...

Page 303: ...e Interval value 6 Click the Revert button to cancel any changes made within MU Locate Interval value and revert back to the last saved configuration NOTE AP coordinates can only be configured in the Command Line Interface For more information on configuring AP coordinates please consult the Summit WM3000 Series Controller CLI Reference Guide 7 The MU MAC table allows you to manually add or remove...

Page 304: ...roscout Parameters To configure the controller to work with an external Aeroscout RTLS engine 1 Services RTLS from the main menu tree MAC Lists the MAC Addresses of all MUs which have been located by the controller Location X Coordinate Displays the value of the X Coordinate for each located MU The X coordinate is relative to the origin point of 0 0 in the upper left corner of the site map Locatio...

Page 305: ...d 5 Click the Apply button to save the Multicast MAC Address value 6 Click the Revert button to cancel any changes made within Multicast MAC Address value and revert back to the last saved configuration 7 If the Multicast MAC Address is configured and Aeroscout support is enabled the following information will be displayed 8 To use the onboard SOLE engine to locate Aeroscout tags check the Enable ...

Page 306: ...controller to work with an external Ekahau RTLS engine 1 Services RTLS from the main menu tree MAC Lists the MAC Addresses of all MUs which have been located by the controller Location X Coordinate Displays the value of the X Coordinate for each located MU The X coordinate is relative to the origin point of 0 0 in the upper left corner of the site map Location Y Coordinate Displays the value of th...

Page 307: ...y must be configured 5 Specify the IP Address of the Ekahau RTLS engine server 6 Enter the Port number used to communicate with the Ekahau RTLS engine The port range must be between 1000 and 9000 7 Click the Apply button to save the Multicast MAC Address IP Address and Port information 8 Click the Revert button to cancel any changes made within Multicast MAC Address IP Address and Port settings an...

Page 308: ...OTE Zone configuration can be defined using the CLI interface only For information on Zone Configuration please see the Summit WM3000 Series Controller CLI Reference Guide MAC Lists the MAC Addresses of all MUs which have been located by the controller Location X Coordinate Displays the value of the X Coordinate for each located MU The X coordinate is relative to the origin point of 0 0 in the upp...

Page 309: ... on page 396 Creating Server Certificates on page 411 Displaying the Main Security Interface Refer to main Security interface for a high level overview of device intrusion and controller access permission options NOTE When the controller s configuration is successfully updated using the Web UI the affected screen is closed without informing the user their change was successful However if an error ...

Page 310: ...on page 310 Wireless Filters Displays the state of the filters used to either allow or deny a MAC address or groups of MAC addresses from associating with the controller For more information see Configuring Firewalls and Access Control Lists on page 319 Certificates Displays the number of Server and CA certificates currently used by the controller For more information see Creating Server Certifica...

Page 311: ...nd Configuring AP Detection Use the Configuration screen to allow the controller to detect potentially hostile Access Points set the number of detected APs allowed and define the timeout and threshold values used for detection The controller can enable both Access Points and MUs to scan and detect Access Points within the controller managed network Continually re validating the credentials of asso...

Page 312: ...ther approved or denied from interoperating within the controller managed network Approved AP timeout Define a value in seconds the controller uses to timeout previously approved Access Points that have not communicated with the controller The range is from 1 65535 seconds with a default of 300 seconds This value is helpful for continually re validating Access Points that interoperate within the c...

Page 313: ...lect the Enable checkbox to enable associated MUs to detect potentially hostile Access Points the definition of which defined by you Once detected these devices can be added to a list of Access Points either approved or denied from interoperating within the controller managed network Refresh Time Define a value in seconds associated MUs use to scan for Access Points The range is from 300 86400 sec...

Page 314: ...dialog 9 Click Cancel to close the dialog without committing updates to the running configuration Any MAC Address Specific MAC Address Click the Any MAC Address radio button to allow any MAC address detected on the network as an Allowed AP This is not necessary if a specific MAC address is used with this index Click the second radio button to enter a specific MAC address as an Allowed AP Use this ...

Page 315: ...he main menu 2 Select the Approved APs tab 3 The Approved APs table displays the following information BSS MAC Address Displays the MAC Address of approved APs These MAC addresses are APs observed on the network meeting the criteria MAC and ESSIDs of allowed APs Reporting Radio Displays the numerical value assigned to the radio used with the specific device MAC Address and SSID listed for this app...

Page 316: ...ng the Security Access Point Detection Configuration screen To view Access Point detected unapproved Access Points 1 Select Security Access Point Detection from the main menu tree 2 Click on the Unapproved APs Reported by APs tab 3 The Unapproved APs Reported by APs table displays the following information BSS MAC Address Displays the MAC Address of each Unapproved AP These MAC addresses are Acces...

Page 317: ...efined within the MU Assisted Scan field To view unapproved Access Points detected by controller radio associated MUs 1 Select Security Access Point Detection from the main menu tree 2 Click on the Unapproved APs Reported by MUs tab Channel Displays the channel the Unapproved AP is currently transmitting on Signal Strength dbm Displays the Relative Signal Strength Indicator RSSI for the detected a...

Page 318: ...ciated MUs but have yet to be added to the list of approved APs and are therefore interpreted as a threat on the network Reporting MU Displays the numerical value for the detecting MU Last Seen Seconds Displays the time in seconds the Unapproved AP was last seen on the network by the detecting MU Use this interval to determine whether the detected MU is still a viable threat Click on the Configura...

Page 319: ...an overview of how the controller uses an ACL to filter permissions to the controller managed network go to ACL Overview on page 319 ACL Overview An ACL contains an ordered list of Access Control Entries ACEs Each ACE specifies an action and a set of conditions that a packet must satisfy in order to match the ACE The order of conditions in the list is critical because the controller stops testing ...

Page 320: ...ers specific to a protocol type like source and destination port for TCP UDP protocols Router ACLs are stateful and are not applied on every packet routed through the controller Whenever a packet is received from a Layer 3 interface it is examined against existing sessions to determine if it belongs to an established session ACLs are applied on the packet in the following manner 1 If the packet ma...

Page 321: ... ID It optionally also uses Ethertype information Port ACLs are also stateful and are not applied on every packet controllered through the controller Whenever a packet is received inbound it is examined against existing sessions to determine if it belongs to an established session ACLs are applied on the packet in the following manner 1 If the packet matches an existing session it is not matched a...

Page 322: ... IP and one MAC ACL on the virtual WLAN port In contrast to Layer 2 ACLs a WLAN ACL can be enforced on both the Inbound and Outbound direction ACL Actions Every ACE within an ACL is made up of an action and matching criteria The action defines what to do with the packet if it matches the specified criteria The following actions are supported deny Instructs the ACL not to allow a packet to proceed ...

Page 323: ...tries for example in between 10 and 20 If an entry with a max precedence value of 5000 exists you cannot add a new entry with a higher precedence value In such a case the system displays an error stating Rule with max precedence value exists Either delete the entry or add new entries with precedence values less than 5000 A user can add a maximum of 500 ACE s in an ACL Rules within an ACL are displ...

Page 324: ...requirements select it from amongst the existing ACLs and click the Delete button 7 Use the Add button within the ACLs field to add an additional ACL For more information see Adding a New ACL on page 324 8 To reset the Hit Count number click the Clear button 9 Refer to the Associated Rules field to assess the rules and precedence associated with each ACL If necessary rules and can be added or exis...

Page 325: ...ended List Uses source and destination MAC addresses VLAN ID and optional protocol information 6 Enter a numeric index name for the ACL in the ACL ID field 7 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller 8 Click OK to use the changes to the running ...

Page 326: ...e action is to mark the packet is tagged for priority 7 Select the Logging checkbox to generate log messages when a packet has been forwarded denied or marked based on the criteria specified in the access lists 8 If mark is selected from within the Operations drop down menu the Attribute to mark field is enabled Select the 802 1p 0 7 or TOS 0 255 or DSCP 0 63 checkbox and define the attribute rece...

Page 327: ...pdates to the running configuration Editing an Existing Rule As network and access permission requirements change existing ACL rules need to be modified to be relevant with new client access requests To modify an existing ACL rule 1 Select Security Wireless Firewall from the main tree menu 2 Click the Configuration tab 3 Click the ACL tab 4 Select an ACL from the ACLs field The rules associated wi...

Page 328: ...elect a Source Wildcard Mask from the drop down menu The Source Wildcard Mask is the size of the network or host in mask format The mask length defines a match based on the Network Host NOTE If an Extended IP ACL is used a Destination Wildcard Mask and Destination Address are required 12 Refer to the Status field for the state of the requests made from applet This field displays error messages if ...

Page 329: ...Configuration on page 329 Adding or Editing a New ACL WLAN Configuration After creating an ACL it can be applied to one or more WLANs on the controller To attach an ACL to a WLAN 1 Select Security Wireless Firewall from the main menu tree 2 Click the Security Policy tab 3 Click the Attach WLAN tab 4 Click the Add button to create a new ACL WLAN association or highlight an existing association and ...

Page 330: ...of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller 10 Click OK to use the changes to the running configuration and close the dialog 11 Click Cancel to close the dialog without committing updates to the running configuration Attaching an ACL Layer 2 Layer 3 Configuration Use the Attach L2 L3 screen to ...

Page 331: ...ing a New ACL Layer 2 Layer 3 Configuration After creating an ACL it can be applied to one or more interfaces On a Layer 3 interface Layer 2 interface ACLs can be applied only in an inbound direction To add an ACL interface to the controller 1 Select Security Wireless Firewall from the main menu tree 2 Click the Security Policy tab 3 Click the Attach L2 L3 tab Interface The interface to which the ...

Page 332: ...op down menu to select an MAC ACL used as the MAC IP for the layer 2 interface 8 Refer to the Status field for the state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller 9 Click OK to use the changes to the running configuration and close the dialog 10 Click Cancel to close the dialog without commit...

Page 333: ...ct Security Wireless Firewall from the main menu tree 2 Click the Security Policy tab 3 Click the Attach Role tab Role Priority Displays the priority assigned to the role as determined by the Sequence Number associated with the role Role Name Displays the role name assigned to each role Role names are assigned when they are added from the Security Wireless Firewall Configuration Role tab Direction...

Page 334: ...s between 1 and 100 with the lower the precedence numbers getting higher priority 9 Refer to the Status field for the state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller 10 Click OK to use the changes to the running configuration and close the dialog 11 Click Cancel to close the dialog without co...

Page 335: ... cannot be edited Role Name Displays the name of each role The role name is configured when the role is created and cannot be edited AP Location Displays the AP Location filters if any applied to each role The AP location filters can be set when the role is created or may be edited by selecting a role and clicking the Edit button ESSID Displays the ESSID filters if any applied to each role The ESS...

Page 336: ...ystem Reference Guide 336 Creating a New Role To add new role 1 Select Security Wireless Firewall from the main tree menu 2 Click the Configuration tab 3 Click the Role tab 4 Click the Add button 5 To create a new role configure the following information ...

Page 337: ...le will be applied when the ESSID contains the string specified in the role Not Contains The role will be applied when the ESSID does not contain the string specified in the role Any The role is applied to any ESSID Group Name Select a Group Name filter if any to apply to the role Available Group Name filters are Exact The role will only be applied when the exact Radius Group Name string specified...

Page 338: ...g controller filters A filter can be selected from those available and edited or deleted Additionally a new filter can be added if an existing filter does not adequately express the MU s address range required To display the Wireless Filters main page 1 Select Security Wireless Firewall from the main menu tree 2 Click on the Security Policy tab 3 Click on the Wireless Filters tab 4 The Wireless Fi...

Page 339: ...ACL to a range of MAC addresses or a single MAC address that are either allowed or denied access to the controller managed network Starting MAC Displays the beginning MAC Address for this specific Index either allowed or denied access to the controller managed network Ending MAC Displays the ending MAC Address for this specific Index either allowed or denied access to the controller managed networ...

Page 340: ...ndex numerical identifier for the ACL and edit the starting an ending MAC address range for the devices allowed or denied access to the controller managed network 6 The MU ACL Index is used as an identifier for a MAC Address range and allow deny ACL designation The available index range is 1 1000 However the index is not editable only its starting ending MAC range and allow deny designation If a n...

Page 341: ...k Cancel to close the dialog without committing updates to the running configuration Adding a new Wireless Filter Use the Add screen to create a new index and define a new address permission range Once created an allow or deny designation can be applied to the new filter ACL To create a new filter ACL 1 Select Security Wireless Firewall from the main menu tree 2 Select the Security Policy tab 3 Se...

Page 342: ... drop down menu to select Allow or Deny This rule applies to MUs within the specified Starting and Ending MAC Address range For example if the adoption rule is to Allow access is granted for all MUs within the specified range 10 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the ...

Page 343: ...t requires those MAC addresses to interact with the controller 7 Refer to the Status field for the state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller 8 Click OK to use the changes to the running configuration and close the dialog 9 Click Cancel to close the dialog without committing updates to t...

Page 344: ...P Trust Displays whether or not the ARP is trusted by the Layer 2 firewall If ARP is trusted ARP traffic will not be subjected to the Layer 2 firewall rules When the ARP interface is trusted a green checkmark will be displayed When the ARP interface is not trusted a red X will be displayed Broadcast Storm Threshold Displays the Broadcast Storm Threshold for each interface When the rate of broadcas...

Page 345: ...alls below the configured rate Thresholds are configured in terms of packets per second The threshold range is 1 1000000 packets per second Interface Name Assign the interface to be associated with the Layer 2 firewall Available Layer 2 interfaces are ge 1 8 and up1 ARP Rate Specify the Address Resolution Protocol ARP rate Rates can be between 1 and 1000000 DHCP Trust Configure whether or not the ...

Page 346: ...of broadcast packets exceeds the high threshold configured for an interface packets are throttled till the rate falls below the configured rate Thresholds are configured in terms of packets per second The threshold range is 1 1000000 packets per second Multicast Storm Threshold Configure the Multicast Storm Threshold for each interface When the rate of multicast packets exceeds the high threshold ...

Page 347: ...ackets per second The threshold range is 0 1000000 packets per second Unknown Unicast Storm Displays the Unknown Unicast Storm Threshold for each interface When the rate of unknown unicast packets exceeds the high threshold configured for an interface packets are throttled till the rate falls below the configured rate Thresholds are configured in terms of packets per second The threshold range is ...

Page 348: ...k the WLAN tab 4 Click the Add button DHCP Trust Displays whether the Interface is DHCP trusted or not If the interface is DHCP trusted then the DHCP Request will forward to the External DHCP Server otherwise it will not Always the Internal DHCP servers are trusted in nature When ever the interface is DHCP trusted then it is marked as GREEN and if it not DHCP trusted it will mark in RED X ARP Trus...

Page 349: ...ed till the rate falls below the configured rate Thresholds are configured in terms of packets per second The valid threshold range is 0 1000000 packets per second Unknown Unicast Storm Enter the Unknown Unicast Storm Threshold for each interface When the rate of unknown unicast packets exceeds the high threshold configured for an interface packets are throttled till the rate falls below the confi...

Page 350: ...e Configuration tab 3 Click the DoS Attack tab 4 The DoS Attack tab contains the following information DHCP Trust Displays whether the Interface is DHCP trusted or not If the interface is DHCP trusted then the DHCP Request will forward to the External DHCP Server otherwise it will not Always the Internal DHCP servers are trusted in nature When ever the interface is DHCP trusted then it is marked a...

Page 351: ...e Attack filters click on the Disable All button When a DoS Attack filter is disabled a red X will be shown in the Check Enabled column Type Displays the Denial of Service attack type The controller currently supports enabling or disabling 28 types of DoS attack filters Check Enabled This field will show a green checkmark next to the Denial of Service Attack filters that are enabled on the control...

Page 352: ...pply button to save the changes made within the DoS Attach screen 11 Click the Revert button to cancel any changes made within the DoS Attach screen and revert back to the last saved configuration Configuring Firewall Logging Options To view firewall logging rules 1 Select Security Wireless Firewall from the main tree menu 2 Click the Configuration tab 3 Click the Log Options tab 4 Select the Sysl...

Page 353: ...o Debug None To change the logging level click on the specific field and choose the logging level from the drop down menu Broadcast Log The Broadcast Log field displays the level of syslog logging enabled for excessive broadcasts on an interface The logging level uses the same standard Syslog levels To change the logging level click on the specific field and choose the logging level from the drop ...

Page 354: ... is tagged for priority Protocol Displays the permit deny or mark designation for the ACL If the action is to mark the packet is tagged for priority or type of service Low Source IP Displays the Low Source IP Address from where the packets are sourced High Source IP Displays the High Source highest address in available range IP Address from where the packets are sourced Low Destination IP Displays...

Page 355: ...within the DHCP Snoop Entry tab Client IP Address Displays the DHCP Client IP Address for each entry VLAN ID Displays the VLAN ID number if any for each entry in the DHCP Snoop Entry table MAC Address Displays the MAC Address of each DHCP Client DHCP Server or Router in the table Type Displays the type for each DHCP Snoop Entry Available entry types include DHCP Client DHCP Server Router DHCP Serv...

Page 356: ...displayed within the Role tab Configuring NAT Information Network Address Translation NAT provides the translation of an Internet Protocol IP address within one network to a different known IP address within another network One network is designated as the private network while the other is public NAT provides a layer of security by translating private local Ingress Source Displays the MU port num...

Page 357: ...ver to another host without having to troubleshoot broken links Change the inbound mapping with the new inside local address to reflect the new host Configure changes to your internal network seemlessly since the only external IP address either belongs to the controller or from a pool of global addresses The controller NAT configuration process is divided into the following configuration activitie...

Page 358: ...twork to its intended destination On the way out the source IP address is changed in the header and replaced by the public IP address Destination Packets passing through the NAT on the way back to the controller managed LAN are searched against the records kept by the NAT engine The destination IP address is changed back to the specific internal private class IP address to reach the LAN over the c...

Page 359: ... a new one To define a new NAT configuration 1 Select Security NAT from the main menu tree 2 Click on the Dynamic Translation tab 3 Click the Add button 4 Define the NAT Type from the drop down menu Options include Inside The set of networks subject to translation These are the internal addresses you are trying to prevent from being exposed to the outside world Outside All other addresses Usually ...

Page 360: ...es if something goes wrong in the transaction between the applet and the controller 9 Click OK to use the changes to the running configuration and close the dialog 10 Click Cancel to close the dialog without committing updates to the running configuration Defining Static NAT Translations Static NAT creates a permanent one to one mapping between an address on an internal network and a perimeter or ...

Page 361: ...ed by the public IP address Destination Packets passing through the NAT on the way back to the controller managed LAN are searched against to the records kept by the NAT engine There the destination IP address is changed back to the specific internal private class IP address to reach the LAN over the controller managed network Protocol Displays the tcp or udp option selected for use with the stati...

Page 362: ...ilable configurations For more information see Adding a New Dynamic NAT Configuration on page 359 Adding a New Static NAT Configuration If existing NAT configurations prove unsuitable for translation consider creating a new one To define a new NAT configuration 1 Select Security NAT from the main menu tree 2 Click on the Static Translation tab 3 Click the Add button 4 Define the NAT Type from the ...

Page 363: ... controller and its NAT destination 8 Use the Protocol drop down menu to select either TCP or UDP as the protocol NOTE After selecting and saving a protocol type of TCP or UDP using the Web UI the controller CLI will not display the selected protocol type or provide an option to configure it Ensure both the protocol and port are defined using the Web UI 9 Enter the Global Address to assign to a ho...

Page 364: ...terfaces available 6 If modifying an existing interface is not a valid option consider configuring a new interface To define a new NAT interface a Click the Add button from within the Interfaces tab Interface Displays the VLAN used as the inside or outside NAT type All defined VLANs are available from the drop down menu for use as the interface Type Displays the NAT type as either Inside The set o...

Page 365: ...located on the Internet Outside addresses pose no risk if exposed over a publicly accessible network d Refer to the Status field for the state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller e Click OK to use the changes to the running configuration and close the dialog f Click Cancel to close the ...

Page 366: ...VPN tunnel IKE protocol is an IPSec standard protocol used to ensure security for VPN negotiation and remote host or network access IKE provides an automatic means of negotiation and authentication for communication between two or more parties IKE manages IPSec keys automatically Inside Global Displays the internal global pool of addresses allocated out of the controller s private address space bu...

Page 367: ...Defining the IKE Configuration Refer to the Configuration tab to enable or disable IKE and define the IKE identity for exchanging identities and aggressive mode Aggressive mode reduces messages exchanged when establishing IKE SAs used in phase 2 Use IKE to specify IPSec tunnel attributes for an IPSec peer and initiate an IKE aggressive mode negotiation with the tunnel attributes This feature is be...

Page 368: ...E Settings field to rollback to the previous configuration 6 Refer to the Pre shared Keys field to review the following information NOTE Please note that RSA keys are not supported for IKE negotiation on this controller 7 Highlight an existing set of pre shared Keys and click the Edit button to revise the existing peer IP address key and aggressive mode designation 8 Select an existing entry and c...

Page 369: ...pplet This field displays error messages if something is wrong in the transaction between the applet and the controller e Click OK to use the changes to the running configuration and close the dialog f Click Cancel to close the dialog without committing updates to the running configuration Setting IKE Policies Each IKE negotiation is divided into two phases Phase 1 creates the first tunnel protect...

Page 370: ...sts IKE refuses negotiation To view the current set of IKE policies 1 Select Security IKE Settings from the main menu tree 2 Click the IKE Policies tab 3 Refer to the values displayed within the IKE Policies tab to determine if an existing policy requires revision removal or a new policy requires creation Sequence Number Displays the sequence number for the IKE policy The available range is from 1...

Page 371: ... smaller digest and is somewhat faster than SHA 1 Authentication Type Displays the authentication scheme used to validate the identity of each peer Pre shared keys do not scale accurately with a growing network but are easier to maintain in a small network Options include Pre shared Key Uses pre shared keys RSA Signature Uses a digital certificate with keys generated by the RSA signatures algorith...

Page 372: ...56 bit DES CBC The default value 3DES 168 bit Triple DES AES 128 bit AES AES 192 192 bit AES AES 256 256 bit AES Hash Value Define the hash algorithm used to ensure data integrity The hash value validates a packet comes from its intended source and has not been modified in transit Options include SHA The default value MD5 MD5 has a smaller digest and is somewhat faster than SHA 1 Authentication Ty...

Page 373: ...o identify connection attributes IKE can negotiate and establish its own SA An IKE SA is used by IKE only and is bi directional To view SA statistics 1 Select Security IKE Settings from the main menu tree 2 Click the SA Statistics tab 3 Refer to the information displayed within SA Statistics tab to discern the following SA Lifetime Define an integer for the SA lifetime The default is 60 seconds Wi...

Page 374: ...o apply to IPSec protected traffic The Internet Key Exchange IKE protocol is a key management protocol standard used in conjunction with the IPSec standard IKE automatically negotiates IPSec security associations and enables IPSec secure communications without costly manual configuration To support IPSec VPN functionality the following configuration activities are required Configure a DHCP Sever t...

Page 375: ...he new security associations Therefore specify lists such as lists of acceptable transforms within the Crypto Map entry Apply Crypto Map sets to Interfaces Assign a Crypto Map set to each interface through which IPSec traffic flows The security appliance supports IPSec on all interfaces Assigning the Crypto Map set to an interface instructs the security appliance to evaluate all the traffic agains...

Page 376: ...ter the specified amount of traffic in kilobytes have passed through the IPSec tunnel using the security association The default value is 4608000 Kb Apply Click Apply to save any updates you may have made to the screen Revert Click the Revert button to disregard any changes you have made and revert back to the last saved configuration Name Displays a transform set identifier used to differentiate ...

Page 377: ...t 1 Select Security IPSec VPN from the main menu tree 2 Click the Configuration tab 3 Select an existing transform set and click the Edit button ESP Encryption Scheme Displays the ESP Encryption Transform used with the index Options include None No ESP encryption is used with the transform set ESP DES ESP with the 56 bit DES encryption algorithm ESP 3DES ESP with 3DES ESP with AES ESP AES ESP with...

Page 378: ...entication algorithm ESP Encryption Scheme Select the Use ESP checkbox if necessary to modify the ESP Encryption Scheme Options include None No ESP encryption is used with the transform set ESP DES ESP with the 56 bit DES encryption algorithm ESP 3DES ESP with 3DES ESP with AES ESP AES ESP with 3DES ESP with AES 128 bit key ESP AES 192 ESP with 3DES ESP with AES 192 bit key ESP AES 256 ESP with 3D...

Page 379: ...nd algorithms During the IPSec security association negotiation peers agree to use a particular transform set for protecting data flow If the attributes of an existing transform set no longer lend themselves useful and an existing transform set is not required create a new transform set to meet the needs of your network To edit the attributes of an existing transform set 1 Select Security IPSec VP...

Page 380: ...n menu tree 2 Click the Remote tab AH Authentication Scheme Select the Use AH checkbox to define the AH Transform Authentication scheme Options include None No AH authentication is used AH MD5 HMAC AH with the MD5 HMAC variant authentication algorithm AH SHA HMAC AH with the SHA HMAC variant authentication algorithm ESP Encryption Scheme Select the Use ESP checkbox to define the ESP Encryption Sch...

Page 381: ...used to route information to the remote destination of the IPSec VPN Apply Click Apply to save any updates made to the screen Revert Click the Revert button to disregard changes and revert back to the last saved configuration Index Enter the index assigned to the range of IP addresses displayed in the Starting and Ending IP Address ranges This index is used to differentiate the index from others w...

Page 382: ...onfiguring IPSEC VPN Authentication If IKE is not used for establishing security associations there is no negotiation of security associations Consequently the configuration information in both systems must be the same for traffic to be processed successfully by the IPSec resource Select the Authentication tab to define the credential verification mechanisms used with the IPSEC VPN configuration T...

Page 383: ... 5 If the Radius Server radio button is selected the following server information displays within the Radius tab 6 Select an existing Radius Server and click the Edit button to modify its designation as a primary or secondary Radius Server IP address port NAS ID and shared secret password Extreme Networks recommends only modifying an existing Radius Server when its current configuration is no long...

Page 384: ...ame and Password and confirm Click OK to save the changes 11 To change an existing user s password select the user from within the User Table and click the Change Password button Change and confirm the updated password 12 If necessary select an existing user and click the Delete button to remove that user from the list available within the User Table Configuring Crypto Maps Crypto Maps allow you t...

Page 385: ... or if a new Crypto Map needs to be created Priority Seq Displays the numerical priority assigned to each Crypto Map Name Displays the user assigned name for this specific Crypto Map This name can be modified using the Edit function or a new Crypto Map can be created by clicking the Add button Mode Config Displays a green checkmark for the Crypto Map used with the current interface A X is displaye...

Page 386: ...ing Crypto Map and click the Delete button to remove it from the list of available 6 Click the Add button to define the attributes of a new Crypto Map a Assign a Seq sequence number to distinguish one Crypto Map from the another b Assign the Crypto Map a Name to differentiate from others with similar configurations SA Lifetime Kb Causes the security association to time out after the specified amou...

Page 387: ...ou to configure pre shared keys as Radius tunnel attributes for IP Security IPSec peers j Optionally select the SA Per Host checkbox to specify that separate IPSec SAs should be requested for each source destination host pair k Optionally select the Mode Config checkbox to allow the new Crypto Map to be implemented using the aggressive mode if selected from the Mode drop down menu l Refer to the P...

Page 388: ...m amongst those displayed and click the Edit button 5 Select an existing Crypto Map and click the Delete button to remove it from the list of those available to the controller 6 If a new peer requires creation click the Add button Priority Seq Displays each peer s Seq sequence number to distinguish one from the other Crypto Map Name Displays the name assigned to the peer to differentiate it from o...

Page 389: ...sed with the Crypto Map to build an IPSec security association 7 Click OK to save the configuration of the new Crypto Map peer Crypto Map Manual SAs To review revise or add a Crypto Map using a manually defined security association 1 Select Security IPSec VPN from the main menu tree 2 Click the Crypto Maps tab and select Manual SAs ...

Page 390: ... to remove it from the list of those available to the controller 6 If a new Crypto Map manual security association requires creation click the Add button Priority Seq Displays the Seq sequence number used to determine priority the lower the number the higher the priority Name Displays the name assigned to the security association IKE Peer Displays the IKE peer used with the Crypto Map to build an ...

Page 391: ...y association is an AH Transform Authentication scheme or an ESP Encryption Transform scheme The AH SPI or ESP SPI fields become enabled depending on the radio button selected f Define the In AH SPI and Auth Keys or In Esp and Cipher Keys depending on which option has been selected g Use the Transform Set drop down menu to select the transform set representing a combination of security protocols a...

Page 392: ... requires modification or a new one requires creation 4 Select an existing Crypto Map and click the Edit button to revise its Seq Name and Transform Set 5 Select an existing entry from the table and click the Delete button to remove it from the list 6 If a new Crypto Map transform set requires creation click the Add button Priority Seq Displays the Seq sequence number used to determine priority Na...

Page 393: ... Map transform set Crypto Map Interfaces To review the interfaces currently available to the Crypto Maps or assign an interface NOTE A Crypto Map cannot get applied to more than one interface at a time To apply the same Crypto Map settings to multiple interfaces create a unique Crypto Map for each interface 1 Select Security IPSec VPN from the main menu tree 2 Click the Crypto Maps tab and select ...

Page 394: ...nfiguration Also adding new peers through the new sequence numbers and reassigning the Crypto Map does not break existing connections Viewing IPSec Security Associations Refer to the IPSec SAs tab to review the various security associations SAs between the local and remote peers comprising an IPSec VPN connection The IPSec SA tab displays the authentication and encryption schemes used between the ...

Page 395: ...ge Index Displays the numerical if defined ID for the security association Use the index to differentiate the index from others with similar configurations Local Peer Displays the name of the local peer at the near side of the VPN connection Remote Peer Displays the name of the remote peer at the far side of the VPN connection ESP SPI In SPI specified in the Encapsulating Security Payload ESP inbo...

Page 396: ...ounting Logs NOTE For hotspot deployment Extreme Networks recommends using the controller s internal Radius server and built in user database This is the easiest setup option and offers a high degree of security and accountability Radius Overview Radius enables centralized management of controller authentication data usernames and passwords When a MU attempts to associate to the Radius supported c...

Page 397: ...m EAP authentication the controller allows the enforcement of user based policies User based policies include dynamic VLAN assignment and access based on time of day The controller uses a default trustpoint A certificate is required for EAP TTLS PEAP and TLS Radius authentication configured with the Radius service Dynamic VLAN assignment is achieved based on the Radius server response A user who a...

Page 398: ...nter his her credentials Once the authentication and authorization phases are successful only User1 is able to access WLAN1 for the allowed duration but not any other WLAN Each user group can be configured to be a part of one VLAN All the users in that group are assigned the same VLAN ID if dynamic VLAN authorization has been enabled on the WLAN Proxy to External Radius Server Proxy realms are con...

Page 399: ...s to authenticate users using the external Radius Server If an external Radius Server is unreachable the controller reverts to the local Server s user database to authenticate users However if the external Radius server is reachable but rejects the user or if the user is not found in the external Server s database the controller will not revert to the local Radius Server and the authentication att...

Page 400: ...added For more information see Radius Client Configuration on page 400 Select the Proxy Servers tab to display the ID suffix IP address and Port Number of existing Radius proxy servers Existing servers can be modified or new proxy servers added For more information see Radius Proxy Server Configuration on page 401 Radius Client Configuration A Radius client implements a client server mechanism ena...

Page 401: ...iguration The controller can be configured to send Radius requests to a proxy radius server A user s access request is sent to a proxy server if it cannot be authenticated by a local server The proxy server forwards the access request to a proxy server that can authenticate the user The proxy server checks the information in the user access request and either accepts or rejects the request If the ...

Page 402: ...nsitive string that can include letters numbers or symbols Make the shared secret at least 22 characters long to protect the Radius server from brute force attacks The max length of the shared secret is 31 characters f Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and...

Page 403: ...e Use Auth Data Source drop down menu to select the data source for the local Radius server If Local is selected the controller s internal user database serves as the data source for user authentication Refer to the Users and Groups tabs to define user and group permissions for the controller s local Radius server If LDAP is selected the controller uses the data within an LDAP server Cert Trustpoi...

Page 404: ...rustpoint is a representation of a CA or identity pair A trustpoint contains the identity of the CA CA specific configuration parameters and an association with one enrolled identity certificate If a CA trustpoint is not specified the default trustpoint s CA certificate is used as a CA certificate If the Default trustpoint does not have a CA certificate the server certificate is used as the CA cer...

Page 405: ...reflect the user s current local Radius authentication requirements 5 If an existing user is no longer needed select the user from those displayed and click the Delete button to permanently remove the user 6 To create a new user for use with the local Radius server click the Add button and provide the following information User ID Displays the username for this specific user The name assigned shou...

Page 406: ...iod to a user defined interval Password Enter the password that adds the user to the list of approved users displayed within the Users tab Confirm Password Re enter confirm the password used to add the user to the list of approved users displayed within the Users tab Current Controller Date Displays the read only controller time This is the time used for expiry data and time sers tab Start Date Ti...

Page 407: ...Cancel to close the dialog without committing updates to the running configuration Configuring Radius User Groups The Groups tab displays a list of all groups in the local Radius server s database The groups are listed in the order added The existing configuration for each group is displayed to provide the administrator the option of using a group as is modifying an existing group s properties or ...

Page 408: ...e VLAN ID s used by each group The VLAN ID is representative of the shared SSID each group member user employs to interoperate with one another within the controller managed network once authenticated by the local Radius server Time of Access Start Displays the time each group is authenticated to interoperate within the controller managed network Each user within the group is authenticated with th...

Page 409: ...ler managed network after each user has been authenticated At least one day is required This value is read only within the Groups tab Click Edit to modify the access assignments of an existing group or click Add to create a new group with unique access assignments 6 To modify the attributes of an existing group select the group from the list of groups displayed and click the Edit button ...

Page 410: ...erver thus restricting their authentication period to a user defined access interval VLAN ID Define the VLAN ID for the new group The VLAN ID is representative of the shared SSID each group member user employs to interoperate within the controller managed network once authenticated by the local Radius server Time of Access Start Set the time the group is authenticated to interoperate Each user wit...

Page 411: ...ficates Use the Server Certificates screen to view existing self signed certificate values The values displayed are read only The Server Certificates screen also allows an administrator to create a certificate request send it to a Certificate Authority CA create a self signed certificate Filename Displays the name of each accounting log file Use this information to differentiate files with similar...

Page 412: ...lect the Trustpoints tab A panel on the far left of the screen displays currently enrolled trustpoints The Server Certificate and CA Root Certificate tabs display read only credentials for the certificates in use by the controller A table displays the following Issued To and Issued By details for each Issued To Country C Displays the country of usage for which the certificate was assigned State ST...

Page 413: ...ard button on the bottom of the screen 3 Use this wizard for Creating a new self signed certificate or certificate request Uploading an external certificate Delete Operations 4 Select the Create new certificate radio button to generate a new self signed certificate or prepare a certificate request which can be sent to a Certificate Authority CA Organizational Unit If a unit exists within the organ...

Page 414: ...ated keys For more information see Using the Wizard Delete Operation on page 418 Using the Wizard to Create a New Certificate To generate a new self signed certificate or prepare a certificate request 1 Select the Create new self signed certificate certificate request radio button in the wizard and click the Next button The second page of the wizard contains three editable fields Select Certificat...

Page 415: ... new trustpoint Provide a name for the new trustpoint in the space provided To specify a key for a new certificate select one of the following Automatically generate a key Automatically generates a key for the trustpoint Use existing key Specify an existing key using the drop down menu Use a new key Select this option to create a new key for the trustpoint Define a key name and size as appropriate...

Page 416: ...the Automatically generate certificate with default values option 6 Provide the following information for the certificate Country Define the Country used in the Self Signed Certificate By default the Country is US The field can be modified by the user to other values This is a required field and must not exceed 2 characters State Enter a State Prov for the state or province name used in the Self S...

Page 417: ...o other locations 10 Check the Save the certificate request option to save the certificate request to an external server and provide the server information in the fields below Organization Unit Enter an Org Unit for the name of the organization unit used in the Self Signed Certificate By default it is VPG This is a required field Email Address Provide an email address used as the contact address f...

Page 418: ...used to delete a trustpoint To Use the To field to define whether the target certificate is to be sent to the system s local disk Local Disk or to an external server Server File Specify a filename for the certificate to be save as on the target server or local disk Using Use the Using drop down menu to configure whether the log file transfer is sent using FTP or TFTP IP Address Specify the server ...

Page 419: ...either its Server Certificate or CA Root Certificate removed 4 Click the Next button to proceed and complete the trustpoint removal Configuring Trustpoint Associated Keys Trustpoint keys allow a user to use different Rivest Shamir an Adelman RSA key pairs Therefore the controller can maintain a different key pair for each certificate to significantly enhance security To configure the keys associat...

Page 420: ...ansfer Keys to archive the keys to a user specified location For more information see Transferring Keys on page 421 Adding a New Key If none of the keys listed within the Keys tab are suitable for use with a certificate consider creating a new key pair 1 Select Security Server Certificates from the main menu tree 2 Select the Keys tab 3 Click the Add button at the bottom of the screen Key Name Dis...

Page 421: ...ave the changes to the running configuration and close the dialog 8 Click Cancel to close the dialog without committing updates to the running configuration Transferring Keys The Transfer screen allows for the transfer of keys to and from the controller to and from a server or local disk Transferring keys is recommended to ensure server certificate key information is available if problems are enco...

Page 422: ... ID credentials required to send the file to the target location Use the user ID for FTP transfers only 11 Enter the Password required to send the file to the target location using FTP 12 Specify the appropriate Path name to the target directory on the local system disk or server as configured using the To parameter If the local server option is selected use the browse button to specify the locati...

Page 423: ...on and if the controller is outputting log data appropriately NOTE When the controller s configuration is successfully updated using the Web UI the affected screen is closed without informing the user their change was successful However if an error were to occur the error displays within the affected screen s Status field and the screen remains displayed In the case of file transfer operations the...

Page 424: ...CL in routers or other firewalls where you can specify and customize specific IPs to access specific interfaces To configure access control settings 1 Select Management Access Access Control from the main menu tree 2 Refer to the Management Settings field to enable or disable the following controller interfaces Secure Management on Management VLAN only Select this checkbox to allow management VLAN...

Page 425: ...r default trustpoint used with a HTTPS session with the controller For information on creating a new certificate see Creating Server Certificates on page 411 Enable FTP Select this checkbox to enable FTP access to the controller File Transfer Protocol FTP is the language used for file transfers across the Web This setting is disabled by default Port Displays the port number used for the FTP sessio...

Page 426: ...ith the SNMP interface NOTE The SNMP facility cannot retrieve a configuration file directly from its SNMP interface First deposit the configuration file to a computer then FTP the file to the controller NOTE When accessing the controller via a SNMP client ensure that UDP traffic is allowed on port 161 for the network being used for the controller and the SNMP client Configuring SNMP v1 v2 Access S...

Page 427: ...match the name used within the remote network management software it is recommended the name be changed appropriately to match a new naming and user requirement used by the management software To modify an existing SNMP v1 v2 Community Name and Access Control setting Community Name Displays the read only or read write name used to associate a site appropriate name for the community The name is req...

Page 428: ...t state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the controller 7 Click Cancel to return back to the SNMP v1 v2 screen without implementing changes Configuring SNMP v3 Access SNMP Version 3 SNMPv3 adds security and remote configuration capabilities to previous versions The SNMPv3 architecture introduces th...

Page 429: ...y SNMP v3 username of operator or Admin An operator typically has an Access Control of read only and an Admin typically has an Access Control of read write Access Control Displays a read only R access or read write RW access for the v3 user Read only access allows the user when active to retrieve information while read write access grants the user modification privileges Authentication Displays th...

Page 430: ... The Privacy Protocol is also not an editable option 4 Enter the Old Password used to grant Authentication Protocol and Privacy Protocol permissions for the User Profile 5 Enter the New Password then verify the new password within the Confirm New Password area 6 Click OK to save and add the changes to the running configuration and close the dialog 7 Refer to the Status field for the current state ...

Page 431: ... v2 v3 Statistics Refer to the Statistics screen for a read only overview of SNMP V2 V3 events and their current values The screen also displays Usm Statistics SNMP V3 specific events specific to the User based Security Model and their values To edit an SNMP v3 user profile 1 Select Management Access SNMP Access from the main menu tree 2 Select the Statistics tab from within the SNMP Access screen...

Page 432: ...e network Usm Statistics Displays SNMP v3 events specific to Usm The User based Security Model USM decrypts incoming messages The module then verifies authentication data For outgoing messages the USM module encrypts PDUs and generates authentication data The module then passes the PDUs to the message processor which then invokes the dispatcher The USM module s implementation of the SNMP USER BASE...

Page 433: ...p select it and view a brief description that may help your decision Use Expand all items to explode each trap category and view all the traps that can be enabled Traps can either be enabled by group or as individual traps within each parent category To configure SNMP trap definitions 1 Select Management Access SNMP Trap Configuration from the main menu tree 2 Select the Allow Traps to be generate...

Page 434: ...nfiguration option Select an individual trap within this subsection and click the Enable button to enable this specific trap or highlight the Mobility trap family parent item and click Enable all sub items to enable all traps within the Mobility category DHCP Displays a list of sub items trap options specific to the DHCP configuration option Select an individual trap within this subsection and cli...

Page 435: ...o the left now display with a check to the left of them Once the Apply button is clicked the selected items are now active SNMP traps on the system 9 Highlight a sub menu header such as Redundancy or SNMP and click the Disable Trap for sub items sub items button to disable the item as an active SNMP trap Those sub items previously enabled with a check to the left now display with an X to the left ...

Page 436: ...tatistics Thresholds tab Name Enter the hostname of your outgoing SMTP mail server This is the server that is used to deliver outgoing mail Port Specify the port number used by your outgoing SMTP server In many cases this is port 25 User Name Enter the username for the user which will be sending outgoing mail through the SMTP server Password Enter the password associated with the above username En...

Page 437: ...appropriate Threshold Value unique to the MUs within the network For information on specific values see Wireless Trap Threshold Values on page 438 Threshold values for AP Set a threshold value for adopted APs Use the Threshold Name and Threshold Conditions as input criteria to define an appropriate Threshold Value unique to the APs within the network For information on specific values see Wireless...

Page 438: ... the measurement value used to define whether a threshold value has been exceeded Typical values include Mbps retries and For information on specific values see Wireless Trap Threshold Values on page 438 Threshold Name Condition Station Range Radio Range WLAN Range Wireless Controller Range Units 1 Packets per Second Greater than A decimal number greater than 0 00 and less than or equal to 100000 ...

Page 439: ...0 and less than or equal to 100 00 N A 7 Transmitted Packet Average retries Greater than A decimal number greater than 0 00 and less than or equal to 16 00 A decimal number greater than 0 00 and less than or equal to 16 00 A decimal number greater than 0 00 and less than or equal to 16 00 N A Retrie s 8 Undecrypted received packets Greater than A decimal number greater than 0 00 and less than or e...

Page 440: ...ve SNMP trap information Remove Trap Receivers as needed if the destination address information is no longer available on the system 5 Click the Add button to display a sub screen used to assign a new Trap Receiver IP Address Port Number and v2c or v3 designation to the new trap Add trap receivers as needed if the existing trap receiver information is insufficient For more information see Adding S...

Page 441: ...g this existing one 4 Define a Port Number for the trap receiver 5 Use the Protocol Options drop down menu to specify the trap receiver as either a SNMP v2c or v3 receiver 6 Click OK to save and add the changes to the running configuration and close the dialog 7 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wro...

Page 442: ...ing configuration Configuring Management Users Refer to the Users screen to view the administrative privileges assigned to different controller users You can modify the roles and access modes assigned to each user The Users screen also allows you to configure the authentication methods used by the controller Use this screen for the following permission configuration activities Configuring Local Us...

Page 443: ... the rights authorized to the user 4 Click on the Edit button to modify the associated roles and access modes of the selected user By default the controller has two default users Admin and Operator Admin s role is that of a superuser and Operator the role will be monitored read only 5 Click on Add button to add and assign rights to a new user 6 Click on Delete button to delete the selected user fr...

Page 444: ...ides read only permissions Help Desk Manager Assign this role to someone who typically troubleshoots and debugs problems reported by the customer The Help Desk Manager typically runs troubleshooting utilities like a sniffer executes service commands views retrieves logs and reboots the controller Network Administrator The Network Administrator has privileges to configure all wired and wireless par...

Page 445: ...lays error messages if something goes wrong in the transaction between the applet and the controller 8 Click the OK button to create the new user 9 Click Cancel to revert back to the last saved configuration without saving any of your changes Modifying an Existing Local User To create a new local user 1 Select Management Access Users from the main menu tree 2 Select a user from the Users list and ...

Page 446: ...ng any of your changes Monitor If necessary modify user permissions without any administrative rights The Monitor option provides read only permissions Help Desk Manager Optionally assign this role to someone who typically troubleshoots and debugs problems reported by the customer the Help Desk Manager typically runs troubleshooting utilities like a sniffer executes service commands views retrieve...

Page 447: ...n they need and nothing additional NOTE A guest user added from controller Web UI will be 5 minutes ahead of the controller s current time To create a guest administrator 1 Select Management Access Users from the main menu tree 2 Click the Add button within the Local Users tab 3 Enter the new guest admin login name for the user in the Username field 4 Enter the authentication password for the gues...

Page 448: ... the Generate button to automatically create a username and password for each guest user 8 Repeat this process as necessary until all required guest users have been created with relevant passwords and start end guest group permissions Configuring Controller Authentication The controller provides the capability to proxy authenticate requests to a remote Radius Server Refer to the Authentication tab...

Page 449: ...thod for authentication Options include None No authentication Local The user employs a local user authentication resource This is the default setting Radius Uses an external Radius Server Alternate Method Select an alternate method for authentication This drop down menu will not list the option already selected as the preferred method Select any of the remaining authentication methods as an alter...

Page 450: ...on with the controller To modify the attributes of an existing Radius Server 1 Select Management Access Users from the main menu tree The Users screen displays 2 Click on the Authentication tab 3 Select an existing Radius Server from those listed and click the Edit button at the bottom of the screen Shared secret Displays the shared secret used to verify Radius messages with the exception of the A...

Page 451: ...al Radius Server if necessary Ensure this address is a valid IP address and not a DNS name Radius Server Port Change the TCP IP port number for the Radius Server if necessary The port range available for assignment is from 1 65535 Number of retries to communicate with Radius Server Revise if necessary the maximum number of times the controller retransmits a Radius Server frame before it times out ...

Page 452: ...the transaction between the applet and the controller Radius Server IP Address Provide the IP address of the external Radius Server Ensure this address is a valid IP address and not a DNS name Radius Server Port Enter the TCP IP port number for the Radius Server The port range available for assignment is from 1 65535 Number of retries to communicate with Radius Server Enter the maximum number of t...

Page 453: ...elpdesk support access to the controller Nwadmin Role Value is 4 all wired and wireless access to the controller Sysadmin Role Value is 8 System administrator access WebAdmin Role Value is 16 Guest user application access Superuser Role Value is 32768 grants full read write access to the controller To configure multiple roles this value can be configured multiple times with different values for ea...

Page 454: ...SA Name Attribute Number Type Values Extreme Current SSID 2 String Extreme Extreme Wlan Index 4 String Extreme Guest User Expiry Date Time 7 String Extreme Guest User Start Date Time 8 String Extreme Extreme Downlink Limit Kbps 10 Integer Extreme Extreme Uplink Limit Kbps 11 Integer Extreme Extreme User Group 12 String Extreme ...

Page 455: ...ubleshooting of performance issues as they are encountered in the field Displaying the Main Diagnostic Interface The main diagnostic screen contains tabs assessing the performance of the following diagnostics Controller Environment CPU Performance Controller Memory Allocation Controller Disk Allocation Controller Memory Processes Other Controller Resources NOTE When the controller s configuration ...

Page 456: ...U Memory Disk Processes and Other Resources tabs Keep the monitoring interval at a shorter time increment when periods of heavy wireless traffic are anticipated NOTE Enabling controller diagnostics is recommended as the diagnostics facilities provide detailed information on the physical performance of the controller and may provide indicators in advance of actual problems Enabling diagnostics also...

Page 457: ...fine the CPU s load statistics Load limits can be assessed for the last one minute five minutes and 15 minutes to better gauge controller loads over differing periods of network activity 1 Select Diagnostics from the main tree menu 2 Select the CPU tab 3 The CPU screen consists of 2 fields Load Limits CPU Usage 4 The Load Limits field displays the maximum CPU load limits for the last 1 5 and 15 mi...

Page 458: ... back to the last saved configuration Controller Memory Allocation Use the Memory tab to periodically assess the controller s memory load 1 Select Diagnostics from the main tree menu 2 Select the Memory tab The Memory tab is partitioned into the following two fields RAM Buffer 3 Refer to the RAM field to view the percentage of CPU memory in use in a pie chart format 4 Refer to the Free Limit value...

Page 459: ...Select Diagnostics from the main tree menu 2 Select the Disk tab 3 This Disk tab displays the status of the controller flash nvram and system disk resources Each field displays the following Free Space Limit Free INodes Free INode Limit 4 Define the Free Space Limit variable carefully as disk space may be required during periods of high bandwidth traffic and file transfers 5 Click the Apply button...

Page 460: ...cess during periods of increased and network activity and is negotiated amongst the other process as needed during normal periods of controller activity 5 Processes by highest memory consumption displays a graph of the top ten controller processes based on memory consumption Use this information to determine if a spike in consumption with the controller priorities in processing data traffic within...

Page 461: ...ply any changes to any of the resources maximum limit 5 Click the Revert button to revert back to the last saved configuration Configuring System Logging Use the System Logging screen for logging system events Its important to log individual controller events to discern an overall pattern that may be negatively impacting controller performance The System Logging screen consist of the following tab...

Page 462: ...e Logging to Console checkbox to enable the controller to log system events to the system console Use the drop down menu to select the desired log level for tracking system events to a local log file This setting logs warning events and those more severe by default 6 Select the Enable Logging to Syslog Server checkbox to enable the controller to log system events send them to an external syslog se...

Page 463: ...vent is logged 8 Click Apply to save the changes made to the screen This will overwrite the previous configuration 9 Click the Revert button to move the display back to the last saved configuration File Management Use the File Mgt tab to view existing system logs Select a file to display its details in the Preview field Click the View button to display the file s entire contents Once viewed the us...

Page 464: ...also transfer log files using USB Transferring files is recommended when the log file is frequently cleared but an archive of the log files is required in a safe location For more information on transferring individual log files see Transferring Log Files on page 466 Viewing the Entire Contents of Individual Log Files Extreme Networks recommends the entire contents of a log file be viewed to make ...

Page 465: ... Displays the name of the controller logging the target event This metric is important for troubleshooting issues of a more serious priority as it helps isolate the controller resource detecting the problem Severity The Severity level coincides with the logging levels defined within the Log Options tab Use these numeric identifiers to assess the criticality of the displayed event The message sever...

Page 466: ...erver 7 Provide the name of the file to be transferred within the File parameter Ensure the file name is correct or the transfer will not take place 8 If Server has been selected as the source use the Using drop down menu to configure whether the log file transfer is conducted using FTP or TFTP 9 If Server has been selected as the source enter the IP Address of the destination server or system rec...

Page 467: ...er core or distribution layer Once reviewed core files can be deleted or transferred for archive To view core snapshots available on the controller 1 Select Diagnostics Core Snapshots from the main menu tree 2 Refer to the following table headings within the Core Snapshots screen 3 Select a target file and click the Delete button to remove the selected file This option is not recommended until the...

Page 468: ... enter the IP Address of destination server or system receiving the target log file 9 If Server has been selected as the source enter the User ID credentials required to send the file to the target location Use the user ID for FTP transfers only 10 If Server has been selected as the source enter the Password required to send the file to the target location using FTP 11 Specify the appropriate Path...

Page 469: ...y the panic information in greater detail For more information see Viewing Panic Details on page 470 6 Click the Transfer Files button to open the transfer dialogue to transfer the file to another location For more information see Transferring Panic Files on page 470 Name Displays the title of the panic file Panic files are named n panic where n is in the range 0 9 0 is always the oldest saved pan...

Page 470: ...in the Target field to define whether the target panic file is to be sent to the system s local disk Local Disk or to an external server Server 6 Provide the name of the file to be transferred to the location specified within the File field 7 If Server has been selected as the source use the Using drop down menu to configure whether the panic file transfer will be sent using FTP or TFTP 8 If Serve...

Page 471: ...e file transfer click the Abort button to terminate the transfer 15 Click the Close button to exit the dialogue and abandon the transfer Debugging the Applet Refer to the Applet Debugging screen to debug the applet This screen allows you to view and debug system events by a criticality level you define 1 Select Diagnostics Applet Debugging from the main menu 2 To use this window select the Enable ...

Page 472: ...over a message checkbox for a message description a Click the Advanced button to display the entire list of message categories when bugs are raised Select the checkboxes corresponding to the message types you would like to receive Each message category is enabled by default Click the Simple button to minimize this area and hide the available message categories b Click the All Messages button to se...

Page 473: ...ping test The name is read only Use this title to determine whether this test can be used as is or if a new ping test is required Destination IP Displays the IP address of the target device This is the numeric destination for the device sent the ping packets If this address does not accurately reflect the ping destination target the ping test will not be successful Timeout sec Displays the timeout...

Page 474: ...ssary modify the description for the ping test Ensure this description is representative of the test as this is the description displaying within the Configuration tab Destination IP If necessary modify the IP address of the target device This is the numeric non DNS address destination for the device transmitted the ping packets No of Probes If necessary modify the number of packets transmitted to...

Page 475: ...ation to define the properties of the new ping test Test Name Enter a short name for the ping test to describe either the target destination of the ping packet or the ping test s expected result Use the name provided in combination with the ping test description to convey the overall function of the test Description Ensure the description is representative of the test as this is the description di...

Page 476: ...roller a viable connection to either extend the controller s existing radio coverage area or provide support for additional MUs within an existing network segment To view ping test statistics 1 Select Diagnostics Ping from the main menu 2 Select the Statistics tab 3 Refer to the following content within the Statistics tab to assess the connection with the target device Timeout sec Configure the ti...

Page 477: ...ntroller to its destination IP address This may reflect the time when data traffic was at its lowest for the two devices Max RTT Displays the longest round trip time for ping packets transmitted from the controller to its destination IP address This may reflect the time when data traffic was at its most congested for the two devices Average RTT Displays the average round trip time for ping packets...

Page 478: ...Diagnostics Summit WM3000 Series Controller System Reference Guide 478 ...

Page 479: ...ical Assistance Center User Guide at www extremenetworks com go TACUserGuide The Extreme Networks eSupport website provides the latest information on Extreme Networks products including the latest Release Notes troubleshooting downloadable updates or patches as appropriate and other useful information and resources Directions for contacting the Extreme Networks Technical Assistance Centers are als...

Page 480: ...Customer Support Summit WM3000 Series Controller System Reference Guide 480 ...

Page 481: ...ment Compliance Wireless configurations across distributed sites can be centrally managed by the wireless controller or cluster Controller Link Survivability Local WLAN services at a remote sites are unaffected in the case of a controller link failure Securely extend corporate WLAN s to remote sites Small home or office deployments can utilize the feature set of a corporate WLAN from their remote ...

Page 482: ...rewall etc cannot be configured from the controller and must be defined using the access point s resident interfaces before its controller adoption or through Extreme Networks Wireless Management Suite WMS Licensing An adopted AP uses an existing license purchased with a controller Controller Discovery An AP needs to connect to a controller to receive its configuration Auto Discovery using DHCP Ex...

Page 483: ...e access point s LAN ensure the LAN subnet is on a secure channel The AP will connect to the controller and request a configuration AP WLAN Topology An AP can be deployed in the following WLAN topologies Extended WLANs Extended WLANs are centralized WLANs created on the controller All wireless client traffics are tunneled to the controller Independent WLANs Independent WLANs are local to an AP and...

Page 484: ...mote site to the central location already exists the AP does not require IPSec be configured for adoption For sites with no secure link to the central location an AP can be configured to use an IPSec tunnel with AES 256 encryption for adoption The tunnel configuration is automatic on the AP side and requires no manual VPN policy be configured On the controller side configuration updates are requir...

Page 485: ...uring the period when the configuration is applied and mesh links are re established AP Radius Proxy Support When an AP is adopted to a controller over a WAN Link the controller configures the AP for a WLAN with Radius authentication from a Radius server residing at the central site When the AP gets a Radius MU associated it sends the Radius packets on the wired side with its own IP Address as the...

Page 486: ...gies are supported Extended WLANs Only Independent WLANs Only Extended WLANs with Independent WLANs Extended VLAN on Mesh Networking Topology Deployment Considerations When reviewing the AP topologies describes in the section be cognizant of the following considerations to optimize the effectiveness of the deployment There are two LAN interfaces on the AP35xx LAN port LAN1 and LAN2 By default LAN1...

Page 487: ...ged locally by the AP No wireless traffic is tunneled back to the controller Each independent WLAN is mapped to the access point s LAN1 interface The only traffic between the controller and the AP are control messages for example heartbeats statistics and configuration updates Extended WLANs with Independent WLANs An AP can have both extended WLANs and independent WLANs operating in conjunction Wh...

Page 488: ...uration must be done through the controller and not from the AP management console Making changes directly in the AP management console can lead to unstable operation of the AP AP Adoption Pre requisites Adopting an AP3510 model access point requires The appropriate controller licenses providing AP functionality on the controller The correct password to authenticate and connect the AP to the contr...

Page 489: ...on activities described above see Controller Configuration on page 490 Establishing Controller Managed AP Connectivity This section defines the activities required to configure basic AP connectivity with the controller In establishing a basic AP connection both the Access Point and controller require modifications to their respective default configurations For more information see AP Configuration...

Page 490: ...bedded in Vendor Specific Option 43 and sent in the DHCP Offer Controller Configuration An Extreme Networks wireless LAN controller can use default values to adopt an AP as long as a valid license is installed In default mode any AP adoption request is honored until the current controller license limit is reached If you want to control which AP to adopt disable the controller s Adopt unconfigured ...

Page 491: ...nds in red and associated comments in green Any WLAN configured on the controller becomes an extended WLAN by default for an AP 4 Select Network Wireless LANs from the controller main menu tree 5 Select the target WLAN you would like to use for AP support from those displayed and click the Edit button 6 Select the Independent Mode checkbox Selecting the checkbox designates the WLAN as independent ...

Page 492: ... independent using the wlan index independent command from the config wireless context NOTE Avoid mapping independent or extended WLANs to VLANs on the controller s ge port Once an AP is adopted by the controller it displays within the controller s Access Point Radios screen under the Network parent menu item as an AP3510 or AP3550 ...

Page 493: ...ent WLANs mapped to different VLANs ensure the AP s LAN1 interface is connected to a trunk port on the Layer 2 Layer 3 controller and appropriate management and native VLANs are configured The WLAN used for mesh backhaul must always be an independent WLAN The controller configures an AP If manually changing wireless settings on the AP they are not updated on the controller It s a one way configura...

Page 494: ...ded AAP ACL permit ip host 10 10 10 250 any rule precedence 20 spanning tree mst cisco interoperability enable spanning tree mst config name My Name country code us logging buffered 4 logging console 7 logging host 157 235 92 97 logging syslog 7 snmp server sysname WM3600 1 snmp server manager v2 snmp server manager v3 snmp server user snmptrap v3 encrypted auth md5 0x7be2cb56f6060226f15974c936e27...

Page 495: ...an 4 vlan 230 wlan 5 enable wlan 5 ssid Mesh wlan 5 vlan 111 wlan 5 encryption type ccmp wlan 5 dot11i phrase 0 Extreme123 To configure a WLAN as an independent WLAN wlan 5 independent wlan 5 client bridge backhaul enable wlan 6 enable wlan 6 ssid test mesh wlan 6 vlan 250 radio add 1 00 15 70 00 79 30 11bg aap35xx radio 1 bss 1 3 radio 1 bss 2 4 radio 1 bss 3 2 radio 1 channel power indoor 11 8 r...

Page 496: ...d transform and set to the Crypto Map crypto map AAP CRYPTOMAP 10 ipsec isakmp set peer 255 255 255 255 set mode aggressive match address AAP ACL set transform set AAP TFSET interface ge1 controllerport mode trunk controllerport trunk native vlan 1 controllerport trunk allowed vlan none controllerport trunk allowed vlan add 1 9 100 110 120 130 140 150 160 170 controllerport trunk allowed vlan add ...

Page 497: ...d vlan add 1 9 100 110 120 130 140 150 160 170 controllerport trunk allowed vlan add 180 190 200 210 220 230 240 250 interface vlan1 ip address dhcp To attach a Crypto Map to a VLAN Interface crypto map AAP CRYPTOMAP sole ip route 157 235 0 0 16 157 235 92 2 ip route 172 0 0 0 8 157 235 92 2 ntp server 10 10 10 100 prefer version 3 line con 0 line vty 0 24 end ...

Page 498: ...AP Management from Controller Summit WM3000 Series Controller System Reference Guide 498 ...

Page 499: ...problem The following information is included Wireless Controller Issues Access Point Issues Mobile Unit Issues Miscellaneous Issues System Logging Mechanism Wireless Controller Issues This section describes various issues that may occur when working with an Extreme Networks wireless LAN controller Possible issues include Controller Does Not Boot Up Controller Does Not Obtain an IP Address through...

Page 500: ...onfiguration for the controller has DHCP enabled By default the ports have DHCP enabled Otherwise refer to the Summit WM3000 Series Controller CLI Reference Guide Software Version 4 0 or the Summit WM3000 Series Controller System Reference Guide Software Version 4 0 for instructions on enabling the controller interfaces Connect another host configured for DHCP and verify it is getting a DHCP addre...

Page 501: ...s points may try to adopt while country code is not set Set the country name for the controller which is set to none by default Packet storm Check Syslog for any type of a packet storm Overburdened with a large number of Access Points With large numbers of Access Points changing the configuration quickly may cause the controller to not refresh properly at least immediately following configuration ...

Page 502: ...ountry code is set Access points are off network Verify the Access Points are connected to the network and powered on Access points are restricted in configuration Verify the controller is not configured with an access control list that does not allow Access Point adoption verify that Access Point adoption is not set to deny Ensure that the Access Point adoption policy is added with a WLAN Access ...

Page 503: ...rks Support Possible Problem Suggestions to Correct Unadopted Access Point Verify that the controller has adopted the Access Point with which the MU is trying to associate Incorrect ESSID applied to the MU Verify on the MU the correct ESSID has been applied to the MU Ethernet port configuration issues Verify that the Ethernet port connected to thenetwork and has a valid configuration If DHCP is us...

Page 504: ...ation Problems If the controller is configured to use RADIUS authentication check the RADIUS log file for any failure information Encryption or Authentication Problems If you are using Authentication and or Encryption on the controller and the previous troubleshooting steps have not fixed the problem try temporarily disabling Authentication and Encryption to see if that fixes the problem Possible ...

Page 505: ...ntact the agent General error messages on the MIB Browser Timeout No Response The client IP where the MIB browser is present should be made known to the agent Adding SNMP clients through CLI or Web UI can do this Not able to SNMP WALK for a GET Check whether the MIB browser has IP connectivity to the SNMP agent on the the controller Use IP Ping from the client system which has the MIB Browser Chec...

Page 506: ... in the MIB browser preferences Additional Configuration Double check Managers IP Address community string port number read write permissions and snmp version Remember community string is CASE SENSITIVE Security Issues This chapter describes the known troubleshooting techniques for the following data protection activities Controller Password Recovery RADIUS Troubleshooting Troubleshooting RADIUS A...

Page 507: ...tion except license key and user data under flash and reboot the device Do you want to continue y n 2 Press Y to delete the current configuration and reset factory defaults The controller will login into the Web UI with its reverted default configuration If you had exported the controller s previous configuration to an external location it now can be imported back to the controller RADIUS Troubles...

Page 508: ... adding this user Is the user present in a group If yes check if the Wlan being accessed is allowed on the group Check if time of access restrictions permit the user Time of Restriction configured does not work Ensure that date on the system matches your time Authentication fails at exchange of certificates Ensure the following have been attempted Verify that valid certificates were imported If th...

Page 509: ...t of external RADIUS Accounting Server Troubleshooting RADIUS Accounting Issues Use the following guidelines when configuring RADIUS Accounting The RADIUS Accounting records are supported for clients performing 802 1X EAP based authentication or using the Hotspot functionality The user name present in the accounting records could be that of the name in the outer tunnel in authentication methods li...

Page 510: ...le radio as a detectorAP This can be done using the set detectorap command in rogueap context Troubleshooting Firewall Configuration Issues Extreme Networks recommends adhereing to the following guidelines when dealing with problems related to Summit WM3600 or WM3700 Firewall configuration A Wired Host Host 1 or Wireless Host Host 2 on the untrusted side is not able to connect to the Wired Host Ho...

Page 511: ...not work 1 Check the configuration for the desired LAN under FW context which is under configure context CLI configure fw LAN_Name 2 Check whether ftp telnet and web are in the denied list In this case web is https traffic and not http 3 Ensure that network policy and Ethernet port set to the LAN is correct How to block the request from host on untrusted to host on trusted side based on packet cla...

Page 512: ...Troubleshooting Information Summit WM3000 Series Controller System Reference Guide 512 ...

Page 513: ......

Reviews:

No comments

Related manuals for Summit WM3000 Series

Brand: GBD Pages: 12

HomeTec Pro CFF3000

Brand: Abus Pages: 13

Brand: NAVITAS Pages: 7

Brand: Abus Pages: 2

Brand: Gardigo Pages: 8

Brand: Gardigo Pages: 19

Brand: IDTECK Pages: 94

Brand: Measurement Computing Pages: 32

Brand: S&C Pages: 26

Brand: Engineering Solutions Pages: 34

VBA-2E-G11-I/U/PT100-F

Brand: Pepperl+Fuchs Pages: 24

NovoCon S Digital

Brand: Danfoss Pages: 2

Brand: Frico Pages: 8

ACTIVAL VY51 5H006

Brand: Azbil Pages: 20

Brand: Firmtech Pages: 19

Dual Motor Focus Controller

Brand: Pegasus Astro Pages: 16

Brand: Sames Pages: 84

UNDER CONTROL CP-28

Brand: G-Force Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands