Juniper AX411 Configuration And Deployment Manual Download Page 5 | Manualshive

Page: 5 / 25

background image

Copyright © 2011, Juniper Networks, Inc.

5

APPLICATION NOTE - Configuring and deploying the AX411 Wireless Access Point

L3 Management Mode

In this mode, each access point is connected to a different subnet on the branch services gateway. Traffic between
access points is routed and inspected by the branch device.

Figure 2: L3 management mode

Analogous to these, customer traffic can be forwarded using either one of these modes on a per access point basis, i.e.,
any given access point can be connected to the gateway either in L2 or L3 mode. With this in mind, it is important to
understand the different tradeoffs between these modes.

Table 2: L2 vs. L3 Forwarding Mode

FeATuRe

L2 MODe

L3 MODe

Access point to access point
communication (and client to client
communication when clients are in
different access points)

done in hardware at line rate but without
any security inspection.

firewall and uTM services are available,
but at the expense of forwarding
performance.

firewall authentication

Not supported for L2 switched traffic.

yes

Client to client isolation

Not always possible (proxy-arp can be
used to force all client to client traffic to
be sent to the gateway, where security
policies can be enforced).

yes

Qos

Not supported for client to client traffic.

yes

Configuration complexity

simpler configuration, since a single L3
interface is shared between all access
points.

Complex, as each access point is
connected to a different L3 interface, with
each requiring the configuration of an IP
address, a dhCP server, security zones,
and policies.

roaming

Client roaming is supported, if MAC
authentication or no authorization
protocol is used. If authentication is used,
clients will have to log in every time they
associate to a new access point.

roaming will require clients to send a
new dhCP request in order to obtain a
new IP address.

Configuration

The configuration is found under [wlan] hierarchy. In Junos Os release 10.0, each access point has to be configured
individually. Junos Os 10.1 includes the ability to group access points into clusters, where all access points share the
same configuration. Access points in a cluster exchange both configuration and operational information and do not
require operators to make changes to each individual access point. The clustering feature will be discussed in a future
version of this document.

OFFICE

Client

INTERNET

ge-0/0/3.0

192.168.3.1/24

ge-0/0/2.0

192.168.2.1/24

ge-0/0/1.0

192.168.1.1/24

DHCP

Handles out addresses in multiple pools
(192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24)

Ports

All access point facing ports are connected to interfaces
in switching mode and associated to the default vlan

SRX

Series

«
...
3
4
5
6
7
...
»

Summary of Contents for AX411

Page 1: ...APPLICATION NOTE Copyright 2011 Juniper Networks Inc 1 Configuring and Deploying the AX411 Wireless Access Point ...

Page 2: ...Networks Using VAPs 14 Creating a Guest Network Using Firewall Authentication 17 RADIUS Based VLAN Assignment 19 Administration and Monitoring 21 Monitoring 21 Firmware Upgrade 23 Summary 23 Appendix AX411 Wireless LAN Access Point Certification Listing 23 Part Numbers Affected 23 About Juniper Networks 25 Table of Figures Figure 1 L2 management mode 4 Figure 2 L3 management mode 5 Figure 3 L2 man...

Page 3: ...y SRX Series gateways that support PoE Alternatively an external power supply is provided with each access point that can be used when PoE is not available Hardware Requirements Juniper Networks SRX Series for the branch SRX100 line and SRX200 line of services gateways and the SRX650 Services Gateway Software Requirements Juniper Networks Junos operating system release 10 0 or later Description an...

Page 4: ...ach access point The advantage of using this approach is that access points can be connected to any port or given any IP address while still being correctly identified since MAC addresses are fixed Internet Control Message Protocol ICMP is used as a keepalive protocol between each access point and the SRX Series gateway If an access point detects a failure it automatically stops broadcasting any s...

Page 5: ...client to client traffic Yes Configuration complexity Simpler configuration since a single L3 interface is shared between all access points Complex as each access point is connected to a different L3 interface with each requiring the configuration of an IP address a DHCP server security zones and policies Roaming Client roaming is supported if MAC authentication or no authorization protocol is use...

Page 6: ... Access Point address gateway default gateway dot1x supplicant username username password password access point options country country where the AP is located This is used for regulatory purposes The AP will only transmit in the bands allowed by each country station mac filter Allow and deny list of mac addresses used for local mac authentication radio 1 2 quality of service QoS configuration opt...

Page 7: ...rs allow passing per user configuration options centrally managed by the RADIUS server The following table displays the list of RADIUS attributes that can be passed to the AX411 access point as specified in RFC 3580 Table 3 Supported RADIUS Attributes Attribute Name Value Type Defined In Session Timeout 27 integer RFC2865 Tunnel Type 64 integer RFC2868 Tunnel Medium Type 65 integer RFC2868 Tunnel ...

Page 8: ...68 2 1 24 set vlans default vlan id 2 set vlans default l3 interface vlan 2 Routing is trivial there is only a default route pointing to the Internet set routing options static route 0 0 0 0 0 next hop 10 0 1 1 NAT all traffic from the WifiNet to untrust Use the IP address of the egress interface as the new source set security nat source rule set Internet Access from zone WiFiNet set security nat ...

Page 9: ...ss point AP 3 mac address 00 12 cf c5 4c 40 set wlan access point AP 3 access point options country US set wlan access point AP 3 radio 1 virtual access point 0 ssid WifiNet set wlan access point AP 3 radio 1 virtual access point 0 security none set wlan access point AP 3 radio 2 virtual access point 0 ssid WifiNet The AX411 access points use the concept of a Virtual Access Point VAP A VAP appears...

Page 10: ...raffic system services dhcp set security zones security zone WifiNet interfaces fe 0 0 2 0 set security zones security zone WifiNet interfaces fe 0 0 2 0 host inbound traffic system services dhcp set security zones security zone WifiNet interfaces fe 0 0 3 0 set security zones security zone WifiNet interfaces fe 0 0 3 0 host inbound traffic system services dhcp set security policies from zone Wifi...

Page 11: ...r and management traffic INTERNET OFFICE vlan 1 management 10 0 0 1 24 vlan 2 trust 192 168 1 1 24 VLANID 2 Client AP 1 00 de ad 10 75 00 AP 2 00 de ad 10 76 00 AP 3 00 de ad 10 77 00 CorpNet SSID A single broadcast SSID is advertised SRX Series ge 0 0 0 0 untrust 198 0 0 1 24 DHCP Server config set system services dhcp pool name server 4 2 2 2 This pool is used by the management vlan set system s...

Page 12: ... point AP 1 radio 1 virtual access point 0 vlan 2 set wlan access point AP 1 radio 1 virtual access point 0 security none set wlan access point AP 1 radio 2 virtual access point 0 ssid WifiNet set wlan access point AP 1 radio 2 virtual access point 0 vlan 2 set wlan access point AP 1 radio 2 virtual access point 0 security none AP 2 All the other APs are configured the same way MAC Authentication ...

Page 13: ...warded by the SRX Series but they will neither be generated nor proxied by it Figure 6 RADIUS based MAC authentication This configuration almost identical to the one in our previous example specifies the MAC authentication type as RADIUS on a per VAP basis and specifies the RADIUS parameters INTERNET OFFICE SRX Series ge 0 0 0 0 untrust 198 0 0 1 24 ge 0 0 7 0 trust 192 198 254 1 24 Radius Server ...

Page 14: ...ption using Wi Fi Protected Access WPA and RADIUS authentication The Guest zone with a Guest SSID will be open but will only allow HTTP and Domain Name System DNS traffic to the Internet Two VAPs will be used each with a single SSID and each associated to a VLAN Traffic from clients associated to the WifiNet SSID will be tagged using VLAN tag 2 while traffic for the Guest network will be tagged wi...

Page 15: ...ing vlan members WifiNet set interfaces interface range APs unit 0 family ethernet switching vlan members GuestNet set interfaces interface range APs unit 0 family ethernet switching native vlan id default set interfaces ge 0 0 0 unit 0 family inet address 198 0 0 1 24 set interfaces ge 0 0 7 unit 0 family inet address 192 168 254 1 24 set interfaces vlan unit 1 family inet address 192 168 2 1 24 ...

Page 16: ...ntrust policy allow http dns then permit Allow radius traffic from the APs to the radius server set security policies from zone management to zone trust policy allow radius match source address any set security policies from zone management to zone trust policy allow radius match destination address radius set security policies from zone management to zone trust policy allow radius match applicati...

Page 17: ... ge 0 0 0 0 untrust 198 0 0 1 24 Enable the http connections to the vlan 3 interface where the captive portal will be used set system services web management http interface vlan 3 set system services dhcp name server 4 2 2 2 set system services dhcp pool 192 168 2 0 24 address range low 192 168 2 2 set system services dhcp pool 192 168 2 0 24 address range high 192 168 2 254 set system services dh...

Page 18: ...e 0 0 0 0 set security zones security zone WifiNet interfaces vlan 2 host inbound traffic system services dhcp set security zones security zone management interfaces vlan 1 host inbound traffic system services dhcp set security zones security zone management interfaces vlan 1 host inbound traffic system services ping set security zones security zone GuestNet interfaces vlan 3 host inbound traffic ...

Page 19: ...access point AP 1 radio 1 virtual access point 1 ssid GuestNet set wlan access point AP 1 radio 1 virtual access point 1 vlan 3 set wlan access point AP 1 radio 1 virtual access point 1 security none set wlan access point AP 1 radio 2 virtual access point 0 ssid WifiNet set wlan access point AP 1 radio 2 virtual access point 0 vlan 2 set wlan access point AP 1 radio 2 virtual access point 0 securi...

Page 20: ... interfaces interface range APs unit 0 family ethernet switching vlan members GuestNet set interfaces interface range APs unit 0 family ethernet switching native vlan id default set interfaces vlan unit 1 family inet address 192 168 2 1 24 set interfaces vlan unit 2 family inet address 192 168 2 1 24 set interfaces vlan unit 3 family inet address 192 168 3 1 24 set wlan access point AP 1 mac addre...

Page 21: ...mation about a particular access point show wlan access points AP 1 detail Active access point detail information Access Point AP 1 Type External Location Default Location Serial Number 849001007 Firmware Version 10 1 2 3 Access Interface vlan Packet Capture Disabled Ethernet Port MAC Address 00 12 CF C5 4A 40 IPv4 Address 192 168 2 3 Radio1 Status On MAC Address 00 12 CF C5 4A 40 Mode IEEE 802 11...

Page 22: ... VAP0 SSID WifiNet MAC Address 00 12 CF C5 4A 40 VLAN ID 2 Traffic Statistics Input Bytes 24114 Output Bytes 72798 Input Packets 87 Output Packets 401 VAP1 SSID GuestNet MAC Address 00 12 CF C5 4A 41 VLAN ID 3 Traffic Statistics Input Bytes 1113907 Output Bytes 10631368 Input Packets 8805 Output Packets 9169 Radio2 VAP0 SSID WifiNet MAC Address 00 12 CF C5 4A 50 VLAN ID 2 Traffic Statistics Input ...

Page 23: ...411 TW Due to the fact that certain countries have imposed restrictions on the deployment of wireless technologies this document should be used to determine in which countries the AX411 has been certified for shipment In the table below select the AX411 wireless LAN access point model by SKU that needs to be ordered to support appropriate power and channel settings for a particular country listed ...

Page 24: ...411 E Switzerland Yes AX411 E Ukraine No AX411 E United Kingdom Yes AX411 E World W Mexico No AX411 W Turkey No AX411 W Australia Yes AX411 W New Zealand Yes AX411 W Hong Kong Yes AX411 W India Yes AX411 W Philippines No AX411 W Malaysia Yes AX411 W Thailand Yes AX411 W Argentina No AX411 W Brazil Yes AX411 W Chile No AX411 W Columbia No AX411 W Panama No AX411 W Peru No AX411 W Venezuela No AX411...

Page 25: ...d Airside Business Park Swords County Dublin Ireland Phone 35 31 8903 600 EMEA Sales 00800 4586 4737 Fax 35 31 8903 601 APAC Headquarters Juniper Networks Hong Kong 26 F Cityplaza One 1111 King s Road Taikoo Shing Hong Kong Phone 852 2332 3636 Fax 852 2574 7803 Corporate and Sales Headquarters Juniper Networks Inc 1194 North Mathilda Avenue Sunnyvale CA 94089 USA Phone 888 JUNIPER 888 586 4737 or ...

Reviews:

No comments

Related manuals for AX411

Brand: i. Tech Dynamic Pages: 8

Brand: MikroTik Pages: 4

BLUESOCKET 3045

Brand: ADTRAN Pages: 2

Brand: Cambium Networks Pages: 61

Cable/DSL Wireless Broadband4-Port Router

Brand: Aztech Pages: 25

Brand: Planet Pages: 32

Brand: Planet Pages: 27

Brand: Planet Pages: 99

802.11n Wireless ADSL 2/2+ Router ADN-4000

Brand: Planet Pages: 91

Brand: Planet Pages: 108

Brand: Planet Pages: 100

Brand: Planet Pages: 124

Brand: Planet Pages: 125

Brand: Planet Pages: 139

Brand: Planet Pages: 155

AirStation Draft-N WZR-G300N

Brand: Nfiniti Pages: 91

BLUESOCKET 3040

Brand: ADTRAN Pages: 6

BLUESOCKET 2135

Brand: ADTRAN Pages: 8

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands